From 46930d7a851ed62e5e4e257a081e7cfa32db8e79 Mon Sep 17 00:00:00 2001 From: Melisa Carranza Zuniga Date: Fri, 11 Feb 2022 13:43:18 +0100 Subject: [PATCH] Adding flags and logic to sign updateable SEPolicy in APEX Verify with command: sign_apex --container_key=testdata/testkey --payload_key=testdata/testkey_RSA4096.key --sepolicy_key=testdata/testkey_RSA4096.key --sepolicy_cert=testdata/testkey.x509.pem $OUT/system/apex/com.android.sepolicy.apex $OUT/test/sepolicy.apex Test: mma and run sign_apex Change-Id: I8cc5bbc09058b57e463b1d40d4953d62e0438389 --- tools/releasetools/apex_utils.py | 100 ++++++++++++++++++---- tools/releasetools/sign_apex.py | 32 ++++++- tools/releasetools/test_sign_apex.py | 18 ++++ tools/releasetools/testdata/sepolicy.apex | Bin 0 -> 303104 bytes 4 files changed, 132 insertions(+), 18 deletions(-) create mode 100644 tools/releasetools/testdata/sepolicy.apex diff --git a/tools/releasetools/apex_utils.py b/tools/releasetools/apex_utils.py index 2a39f656df..69d6c137f1 100644 --- a/tools/releasetools/apex_utils.py +++ b/tools/releasetools/apex_utils.py @@ -54,7 +54,7 @@ class ApexSigningError(Exception): class ApexApkSigner(object): """Class to sign the apk files and other files in an apex payload image and repack the apex""" - def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None): + def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None, fsverity_tool=None): self.apex_path = apex_path if not key_passwords: self.key_passwords = dict() @@ -65,8 +65,9 @@ class ApexApkSigner(object): OPTIONS.search_path, "bin", "debugfs_static") self.avbtool = avbtool if avbtool else "avbtool" self.sign_tool = sign_tool + self.fsverity_tool = fsverity_tool if fsverity_tool else "fsverity" - def ProcessApexFile(self, apk_keys, payload_key, signing_args=None): + def ProcessApexFile(self, apk_keys, payload_key, signing_args=None, is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None): """Scans and signs the payload files and repack the apex Args: @@ -84,10 +85,14 @@ class ApexApkSigner(object): self.debugfs_path, 'list', self.apex_path] entries_names = common.RunAndCheckOutput(list_cmd).split() apk_entries = [name for name in entries_names if name.endswith('.apk')] + sepolicy_entries = [] + if is_sepolicy: + sepolicy_entries = [name for name in entries_names if + name.startswith('./etc/SEPolicy') and name.endswith('.zip')] # No need to sign and repack, return the original apex path. - if not apk_entries and self.sign_tool is None: - logger.info('No apk file to sign in %s', self.apex_path) + if not apk_entries and not sepolicy_entries and self.sign_tool is None: + logger.info('No payload (apk or zip) file to sign in %s', self.apex_path) return self.apex_path for entry in apk_entries: @@ -101,15 +106,16 @@ class ApexApkSigner(object): logger.warning('Apk path does not contain the intended directory name:' ' %s', entry) - payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents( - apk_entries, apk_keys, payload_key, signing_args) + payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(apk_entries, + apk_keys, payload_key, sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args) if not has_signed_content: logger.info('No contents has been signed in %s', self.apex_path) return self.apex_path return self.RepackApexPayload(payload_dir, payload_key, signing_args) - def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key, signing_args): + def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key, + sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args): """Extracts the payload image and signs the containing apk files.""" if not os.path.exists(self.debugfs_path): raise ApexSigningError( @@ -141,6 +147,11 @@ class ApexApkSigner(object): codename_to_api_level_map=self.codename_to_api_level_map) has_signed_content = True + for entry in sepolicy_entries: + sepolicy_key = sepolicy_key if sepolicy_key else payload_key + self.SignSePolicy(payload_dir, entry, sepolicy_key, sepolicy_cert) + has_signed_content = True + if self.sign_tool: logger.info('Signing payload contents in apex %s with %s', self.apex_path, self.sign_tool) # Pass avbtool to the custom signing tool @@ -154,6 +165,36 @@ class ApexApkSigner(object): return payload_dir, has_signed_content + def SignSePolicy(self, payload_dir, sepolicy_zip, sepolicy_key, sepolicy_cert): + sepolicy_sig = sepolicy_zip + '.sig' + sepolicy_fsv_sig = sepolicy_zip + '.fsv_sig' + + policy_zip_path = os.path.join(payload_dir, sepolicy_zip) + sig_out_path = os.path.join(payload_dir, sepolicy_sig) + sig_old = sig_out_path + '.old' + if os.path.exists(sig_out_path): + os.rename(sig_out_path, sig_old) + sign_cmd = ['openssl', 'dgst', '-sign', sepolicy_key, '-keyform', 'PEM', '-sha256', + '-out', sig_out_path, '-binary', policy_zip_path] + common.RunAndCheckOutput(sign_cmd) + if os.path.exists(sig_old): + os.remove(sig_old) + + if not sepolicy_cert: + logger.info('No cert provided for SEPolicy, skipping fsverity sign') + return + + fsv_sig_out_path = os.path.join(payload_dir, sepolicy_fsv_sig) + fsv_sig_old = fsv_sig_out_path + '.old' + if os.path.exists(fsv_sig_out_path): + os.rename(fsv_sig_out_path, fsv_sig_old) + + fsverity_cmd = [self.fsverity_tool, 'sign', policy_zip_path, fsv_sig_out_path, + '--key=' + sepolicy_key, '--cert=' + sepolicy_cert] + common.RunAndCheckOutput(fsverity_cmd) + if os.path.exists(fsv_sig_old): + os.remove(fsv_sig_old) + def RepackApexPayload(self, payload_dir, payload_key, signing_args=None): """Rebuilds the apex file with the updated payload directory.""" apex_dir = common.MakeTempDir() @@ -324,7 +365,9 @@ def ParseApexPayloadInfo(avbtool, payload_path): def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, container_pw, apk_keys, codename_to_api_level_map, - no_hashtree, signing_args=None, sign_tool=None): + no_hashtree, signing_args=None, sign_tool=None, + is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None, + fsverity_tool=None): """Signs the current uncompressed APEX with the given payload/container keys. Args: @@ -337,6 +380,10 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, no_hashtree: Don't include hashtree in the signed APEX. signing_args: Additional args to be passed to the payload signer. sign_tool: A tool to sign the contents of the APEX. + is_sepolicy: Indicates if the apex is a sepolicy.apex + sepolicy_key: Key to sign a sepolicy zip. + sepolicy_cert: Cert to sign a sepolicy zip. + fsverity_tool: fsverity path to sign sepolicy zip. Returns: The path to the signed APEX file. @@ -345,8 +392,9 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, # the apex file after signing. apk_signer = ApexApkSigner(apex_file, container_pw, codename_to_api_level_map, - avbtool, sign_tool) - apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args) + avbtool, sign_tool, fsverity_tool) + apex_file = apk_signer.ProcessApexFile( + apk_keys, payload_key, signing_args, is_sepolicy, sepolicy_key, sepolicy_cert) # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given # payload_key. @@ -400,7 +448,9 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, def SignCompressedApex(avbtool, apex_file, payload_key, container_key, container_pw, apk_keys, codename_to_api_level_map, - no_hashtree, signing_args=None, sign_tool=None): + no_hashtree, signing_args=None, sign_tool=None, + is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None, + fsverity_tool=None): """Signs the current compressed APEX with the given payload/container keys. Args: @@ -412,6 +462,10 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key, codename_to_api_level_map: A dict that maps from codename to API level. no_hashtree: Don't include hashtree in the signed APEX. signing_args: Additional args to be passed to the payload signer. + is_sepolicy: Indicates if the apex is a sepolicy.apex + sepolicy_key: Key to sign a sepolicy zip. + sepolicy_cert: Cert to sign a sepolicy zip. + fsverity_tool: fsverity path to sign sepolicy zip. Returns: The path to the signed APEX file. @@ -438,7 +492,11 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key, codename_to_api_level_map, no_hashtree, signing_args, - sign_tool) + sign_tool, + is_sepolicy, + sepolicy_key, + sepolicy_cert, + fsverity_tool) # 3. Compress signed original apex. compressed_apex_file = common.MakeTempFile(prefix='apex-container-', @@ -466,7 +524,8 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key, def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, apk_keys, codename_to_api_level_map, - no_hashtree, signing_args=None, sign_tool=None): + no_hashtree, signing_args=None, sign_tool=None, + is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None): """Signs the current APEX with the given payload/container keys. Args: @@ -478,6 +537,9 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, codename_to_api_level_map: A dict that maps from codename to API level. no_hashtree: Don't include hashtree in the signed APEX. signing_args: Additional args to be passed to the payload signer. + sepolicy_key: Key to sign a sepolicy zip. + sepolicy_cert: Cert to sign a sepolicy zip. + fsverity_tool: fsverity path to sign sepolicy zip. Returns: The path to the signed APEX file. @@ -503,7 +565,11 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, no_hashtree=no_hashtree, apk_keys=apk_keys, signing_args=signing_args, - sign_tool=sign_tool) + sign_tool=sign_tool, + is_sepolicy=is_sepolicy, + sepolicy_key=sepolicy_key, + sepolicy_cert=sepolicy_cert, + fsverity_tool=fsverity_tool) elif apex_type == 'COMPRESSED': return SignCompressedApex( avbtool, @@ -515,7 +581,11 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, no_hashtree=no_hashtree, apk_keys=apk_keys, signing_args=signing_args, - sign_tool=sign_tool) + sign_tool=sign_tool, + is_sepolicy=is_sepolicy, + sepolicy_key=sepolicy_key, + sepolicy_cert=sepolicy_cert, + fsverity_tool=fsverity_tool) else: # TODO(b/172912232): support signing compressed apex raise ApexInfoError('Unsupported apex type {}'.format(apex_type)) diff --git a/tools/releasetools/sign_apex.py b/tools/releasetools/sign_apex.py index 66f5e0513a..01ee80b25b 100755 --- a/tools/releasetools/sign_apex.py +++ b/tools/releasetools/sign_apex.py @@ -42,6 +42,15 @@ Usage: sign_apex [flags] input_apex_file output_apex_file --sign_tool Optional flag that specifies a custom signing tool for the contents of the apex. + + --sepolicy_key + Optional flag that specifies the sepolicy signing key, defaults to payload_key. + + --sepolicy_cert + Optional flag that specifies the sepolicy signing cert. + + --fsverity_tool + Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity. """ import logging @@ -55,7 +64,8 @@ logger = logging.getLogger(__name__) def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, - apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None): + apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None, + sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None): """Signs the given apex file.""" with open(apex_file, 'rb') as input_fp: apex_data = input_fp.read() @@ -70,7 +80,11 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, no_hashtree=no_hashtree, apk_keys=apk_keys, signing_args=signing_args, - sign_tool=sign_tool) + sign_tool=sign_tool, + is_sepolicy=apex_file.endswith("sepolicy.apex"), + sepolicy_key=sepolicy_key, + sepolicy_cert=sepolicy_cert, + fsverity_tool=fsverity_tool) def main(argv): @@ -106,6 +120,12 @@ def main(argv): options['extra_apks'].update({n: key}) elif o == '--sign_tool': options['sign_tool'] = a + elif o == '--sepolicy_key': + options['sepolicy_key'] = a + elif o == '--sepolicy_cert': + options['sepolicy_cert'] = a + elif o == '--fsverity_tool': + options['fsverity_tool'] = a else: return False return True @@ -121,6 +141,9 @@ def main(argv): 'payload_key=', 'extra_apks=', 'sign_tool=', + 'sepolicy_key=', + 'sepolicy_cert=', + 'fsverity_tool=' ], extra_option_handler=option_handler) @@ -141,7 +164,10 @@ def main(argv): signing_args=options.get('payload_extra_args'), codename_to_api_level_map=options.get( 'codename_to_api_level_map', {}), - sign_tool=options.get('sign_tool', None)) + sign_tool=options.get('sign_tool', None), + sepolicy_key=options.get('sepolicy_key', None), + sepolicy_cert=options.get('sepolicy_cert', None), + fsverity_tool=options.get('fsverity_tool', None)) shutil.copyfile(signed_apex, args[1]) logger.info("done.") diff --git a/tools/releasetools/test_sign_apex.py b/tools/releasetools/test_sign_apex.py index 8470f202c5..c344e22058 100644 --- a/tools/releasetools/test_sign_apex.py +++ b/tools/releasetools/test_sign_apex.py @@ -71,3 +71,21 @@ class SignApexTest(test_utils.ReleaseToolsTestCase): False, codename_to_api_level_map={'S': 31, 'Tiramisu' : 32}) self.assertTrue(os.path.exists(signed_apex)) + + @test_utils.SkipIfExternalToolsUnavailable() + def test_SignApexWithSepolicy(self): + test_apex = os.path.join(self.testdata_dir, 'sepolicy.apex') + payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key') + container_key = os.path.join(self.testdata_dir, 'testkey') + sepolicy_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key') + sepolicy_cert = os.path.join(self.testdata_dir, 'testkey.x509.pem') + signed_test_apex = sign_apex.SignApexFile( + 'avbtool', + test_apex, + payload_key, + container_key, + False, + None, + sepolicy_key=sepolicy_key, + sepolicy_cert=sepolicy_cert) + self.assertTrue(os.path.exists(signed_test_apex)) diff --git a/tools/releasetools/testdata/sepolicy.apex b/tools/releasetools/testdata/sepolicy.apex new file mode 100644 index 0000000000000000000000000000000000000000..f7d267d08d11f9c6e197278aa3f1431621116e94 GIT binary patch literal 303104 zcmeI*2|N{F<3I3wx%MUd(kh`%T>DZXQkE>CqD0pg+4rTzQY4j$nK_rcgZW1FStLfiCV8J1HmE&7;)>g2JQfDb$Gw5P$##AOHaf zKmY;|fB*y_009U<00Izzz@J`#b|FvwdoIa8<(7^*OzQ|C-@1tleneUvVQkE_pGcq$ ze;Xf<{B4+xHcFi^kJ{6uc3U+FgzfyIZO4bLTGQ2zw5Q*rGp0uW%fsY6(DKgyJr_Th z<9{k+A_S4&OeQZ=cX9;AApijgKmY;|fB*y_@GlUco#WF}JL+%#1lsvOZTLqxSMy^S zLlA%f1Rwwb2tWV=5P$##AOHaf{9hFq3m(sT$QS|yAOHafKmY;|fB*y_009U<00Izz z00bZa0SG_<0uX=z1Rwwb2tWV=|7Qgz?pvTe|2ol4#QhceZ3Q~0l&`ncgB2G-EFqm z+xl30sd@)```Ei$J2<)6t9t+Zy!YQpj!6)J00bZa0SNqu2~;kl7D(gAx!;fT4?2R# zcv;7rh9*ot|DioE$~Zp#pZg~=Dfy4}PfYmVJ^y(_EB{2}HWRC)_8XY!{>$?}YP;G0 zbP$=egnxDU(?h%HIcb$SDRj{j|I6}^xAQY8-G6sfWKx2ENBQ}Gedu{SNB>CqC)y60 zRD}Q5sK}(b{~hK3*3i?h8Tm)b&+%)L|F1ETNvZxF<+q-c2ioXAQhv@qNcZ235}B0X zUtNCM^Z)DwBApbq|81C#PKr80`)udS#;QRmoGB6eo0SG_<0uX=z z1Rwwb2tWV=5cu~B(Au#4`T2i#!nf!DX>B_S5vCALwT<0foNNOZ$;n9tIe8FhZ61mc z1SiK!Ie7b7dpm6=OrcIcKZW;q(`nNXAOHafKmY;|fB*y_009U<00I#B_Xrs4)06nV zuX?t!)vJY4%G5Dh$3yMLTlc5EEY8~2-Oa~7z{gwK&fZV@`wQr#$0z$x8~$hc`4w~a z9^+RGtZ5S_-ZaPh>w3PgaJ(llu^taEcMp3npTOVN^|#aTPNea+r+9cwO29n+;*#04 zGW-^}sYBzr_5PkaDO)EOvFc^4^t0I+8onmIkRCMSxmTzcJWYn!{pQZ|SLdv_?%vhg^ zIby)z%xdb|tf<|$0{l^aXym`<$J>!2tDs1#yh2lS)^*m=V;$)Yv#nc&2_lOntit5TP|?6-AO2dLp!3w~txqByAN}9na;OQ$LwYE!H@>=Gwxh}E zzs>#aKW&Sc2DD{Y;c$BKgn!6Ed_#q=#;#zSiT{dTaXASzoiR-6j3S|7ED?P>L}}TA_JOdGYgSTI+N}!?X_xwV#~twTU=` zZKHrD7hCmwjinNonJK9yXB+rAUav6!vMD%RwOd0VCFs_fhJ<#52MhMz=$FWr;ikuRIQYuSs1a-O{xPMy8Dp}i$eV3v+s-5jGv<526Pt8VZ~ ziwVw2Xzp0Ads_8vw8FO8V=6~Y?wgP_`5!*$S!!A1R(PH6kdjcuzRVo+qLHHT(Wma+ zUe#$E>uwjNS3iDLF=}#P_NDs!N=vk*OA0e?UN_kK?kRn@w>}@!o9C}z_beS#?-q_N znUUI|{$$-H)|Z>E#E7-!Uaz?HyvIq6_2k2oAyw-s+=tt@6kWbO)Vb9~quOY}VR@GT z_AzIdW18hg%VdTaXO!(`UR3#T^}E#6z_-d`Hyn>XmVR?#zeA$VC9_I9Zhh;4)eG*j zuRWymAN`3(;UEA32tWV=5P$##AOL~Cs=yS1!u!P?4*4<1joyr~?;%Z@Nq9R);`*Xj z))imwH!ZJ>X3<;!;+9;j2We5m$MeVR`dWOn#C%S;3@mM$l5m}TXTBR950B*>!F#LU zs3tmmXtQG2<9XyllkzFfBZ)`0?)H*++tWBej3^;%do7g_i4h`Mo^ibKvSs(vJ!#X^ zTsi`8%B`PEw6UmB$S=!}JQUQ)##qOE;K>~V%R9}57GcMu3YQxc$!d($)LD_Q_T0Zb z$RG70*YN&^ZeEFxz1Ls%a^GT=W_LP0kly+C=Z05qXZUCoodE z?!C`O8%=4>{?a+8WX#j~H|Rbm>FUZn4tESVB6nFUqoMPfoYE^#&0fO}p#&9@yP3N8 zp^p^3Eo$$LFL%F?k>9~%(Y0AO>7mfz%fhrmm3yVy8`EY#ky;|ZD3x2|{Kfm5X4jwJ zm)fUj+h5tDG}4x{`kH(9K|kg2H_?)1dXCrGE~mSPWUWZLYoA>fBi>NSICUi2g|jf> zeCoWX<~uVrpXonrzxqj>vF-uG`{=HqrjqWeC)olotCVF1av4`}54@e08ojeJe9hLA z+B3|Hj=dgvcw-^G(Sd56OEXg?+k_>^2cjMdR-{NDb}emwS2M?Nb)-^nZ1`BO?;Vjo zQL(3j8*S@MRtjpWq&f3*zB6(;Fwi%D#hHMl$gmZmkCX*v*Zfttdz2dj5P$##AOHaf zKmY;|fWTi(fK{0KJGs=vZ|1+<9Z$PYn2YG8p-6UcP$J9N$fzjE$}8B~*^tR(85t#8 zc^gF)83!8$B?kpXMT&~DgRQKsgRO#tikyv&ot(UiqN0t1gPfh*UyT#xg#ZK~009U< z00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa z0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV= z5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf zKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_ z009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz z00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_< z0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb z2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$## zAOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;| zfB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U< z00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa z0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV= z5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf zKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_ z009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz z00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_< z0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb z2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$## zAOHafKmY;|fB*y_009U<00Mt{fq<794<$aveAO%Cu1vdi<-OwLOrElLF$*qnNuT6= zxtIG4Nr|s`h}l(KykWF0W#{^}bB9!`hT0Wt{n`4m83`BFP0}xZY@WI9=6)sLK1=JC z&dk%BrapDPQ1zCqQgcS4V@g*TyM}XKI_lDiTQrSQT%Lt z+}&M7WTa%JXc_re2dz(Q=q`ziRT00`SG3kU=)OMpWmoj7p4^H)@jfyodW0>jEHHO& z;*!)UHJ>_bg4G=6ElyDN3R0!4Y5K$!KKwRdLvoV*vajdO94?yn=aDNj?kWXtTp;>U z^#1BJ%h(9d0=a}EJh2kXqEhr26|DwHYNBhl493o^8CETdFGvZFj=L&xbJdl7S7+OP zobkTE&-=vm7~wq;+SzWGFDy2@f00;TH9bY4VE-Qf#YTyc#wS1cF?k-Mf281(_=sL~Yl0w+<#BLA!$sXD5nkW|8Ceu3Gfg zV&fyTsU7uVzQG+=;|8L2BuZUOMDM6?SllqboZTgLDP8+o-=b3fxgV@%MYfh^-mmYy za9Lid;+R^lilJ_A-#Y!Fq`i5AI-dHZ{W^DCZnP9>JPvtk9VQSQdiUlYR;A*us^{kN zbuTvQS;@5Tk`7H(Ez9ds=Xshp&o3{)@l`Hc?KANdulVGBAzw{A9V^QDOdf?5BqT=4 znTFP`P1{@1_a>{3>*eQ|FWIsO3nC8->9N?iE57J!@-Q?|zt!l{v86*_H(S}RMf+;5 zeC&I}xZ?@JtG_%gJ5~Mc{YlQJ^x{Dkb@~0Yl%-^^Gpx z$9DhqKe##A@wd#cKnMlO}{86Dn} z+`W>&GH$`V9??Ho`NT)}`{$p)NAa)^kaD&UB-pyUN>SYGyxg7aq`d7t++Cb(1IHJ@ zMUd%NSbQisWWHd3}vfeq@% z<4fx$=C#!pI(&9cnR~VD_SSfTa!GQ1!{UNq=Ge@0s)-q;vpx(7VVH*;@xWLwl~Wb~xPw=KeXTS86Z?N2L|tu8n$ zQOm#AY%@bxv;}P-OGhTjpAm4z8m)mJy#cIAN87PV_8MGvhv80JGYx&h%$!G zunvD>*Sy4lIpo=FcbAkD=jcwN=Qg$BSN`|X?s5l9ojID_7|Jy_)w!XRp*zT;(p)Ag zu#v2~IYBREo$jHCWSRQ;(Rc6isvQtnwS_I|#@&p71-_f-1wFJle6-2t>qz&`t0%Oy zl25JaQms&b6_s^=Z*9R)yOt!I~dbVqK^OUAJ5n?+?&N6~50u{4%Cw=RNN?`>g%s+PxJNl-VTg^A(R+ zChdBaqQ|{NB+uMX*pX5(J?tfSMEHrh{hd2IYd>3PZYsWZTd&>M<-EkwprLX$7bRz{ zE5~+U@m;n=QGlC1?WC>SmQCW9Y8jWFkQBKfb}F9~v-4?kc*@6?_?|g>w@nIa3yUvk z>ofa_T8$)2ZjCtMv4I>TV!32nzyl?cXGdj3dvW0I2LDFo9?@b~G5$@%hQwN_BEAl# z)%ATrO}gvN?DIZk?#j13vOz`Nrn9s4tux!n&0T|Z!hDqObFCYvCB+l+D2!R_k3~J* za6T(uZ^u-Xp!sq#=So&3b!3N0SrK+~FLxStPzV?EJUVcnmA0|xP7PozS#Yn7qf&{ypMM&wq2)iikMm8A(c5ZI4v*lPFI{R zv2b?Voasp)Q_1HwH}gH>pV#ToDn=xRPvbH;Y?Cb=S`M>@0SG_<0uX=z1Rwwb2tWV=5P$## zAOHafKmY;|_{$4Wf4_I2B24`LNFYr7-bk9DVGfxX`lG(FK0S$*Kp6ksZni3$u_Et0 z>TI-*lh8E9%ii1F*UQ%4TZ-c4ZL9F8VaoVVn18ebW85P$##AOHafKmY;|fB*y_ z@TV1^Be0Ku+oxraNSIFj`zcVbDol*it`qPPn3-u83TCVRG!KE7I+%mi@a$Pad{D{h7`k|X z-Kuh-km5awOH2ozvy_H1$TO`m&05~NL)Rj$UGmdY69YJkMV8nN1ZAtoB_f^ul zshoOwb$P1W^KbcHJ$;(_72UJ`)s4ZCJr7)07j*Y9sa6UuE-`$Z@%oLX=$Z4bm(KL6 zFIUnmGK@QDSg>ZDtja>iT89HUrRZ5Wx==3IPwv}rgyuZM5y zHd`Cs&B6V09;}P9 zUYZWaX}biEWyhb(>-*C8E;N^7qR`Y>5d2oU%*9GguCs56LGtHdg0Vgmb7-5`SOK-( z&8gRq{&t=7Q0ts_hqtwjuak?NwUe8JyOf8`{)4r8*EIOTSM!PKC*yI$Cnn@+PPxE0)1H}hn_W_ye&{pQNNF^}iVYy~5>ANL#HD;cg5 zpYHS2-nUPta!FH6^{tJHa(Q1WhnHp+?57u~znu_hwuRrK@vTF%$PUo41;s+0D)E z{oW>({Vd0t^j`Ml=~gEnNqVj3ruXWYM$6W%BXwdH)RkIOyT6?+wux+c_}Wk(10XV! zK7OG+|A2e`anC>Q`TuL*^H1B0bh75vb5M^l%zyVdL)*C-Xqzotq-(fBT1(r+Ov-eH z>)qRKFEqFqpD*U=f8M@NsGWg{Y{JP%PjSj^c6-I6aLHh5d$^mw&HE3O)a7zfoog4Y z*&eL>GS)PDfnlDIO|?#p5h+93f3aND>Tp}nmTmI8X04dn7`oX)3UsvsY+g*~h{rHG_!qJGkB@A~x$Toi6*W)a;>SxjGJXsXBYNq9j z?Yt`0?nN)-vo7<^>x+HeK@-RN!cA~Ce=j$2otr~aMWm&jyuj>8U$8ON*H8y*`14HJ@n&HTN z+YS5I&WZYvs@m=pn%SpW6vW@TdzLVwUxWT?$Bkc9n((=z4f#Q3P2C`C) zo_-lY$GAPd} zGFdiXo-D7ZD6^NRQ$bOItR%nNi|K4Zq7eT>8e&rzBRah;WV-x9FSE zzV^|lp@4fk6P3)~ysmpy8o&KR^1017_AXsm=U|;vwW039l1|}gZlgy}#f-VP#O3u8zM=3&|7WOJXBxta!)sIN7t>!-yBYs=Yh zewtiXXLCj3?eLBKyB1?s)p9bj(rzQR4WAk{1cZw7w@KPaiq4E-r(En&b?YUynkO9A z$!S}1e~x2A0FPL1&Aotz6i;jVwF+$0HZO8YQqwWj?7t4qx(c9t^tKm6Jbj@MY>=PS>~Vc(}g?_fD7F+%zg){OplRloy|D z^31xDlIURc4g~*Q1fK&$+YK1GUfyNT^w<)l%nLvtG$k7ZD<+FwLK%* z9u>Udp|*-R>DDM&#%|4OuU?t0>1q5Qy{i=-^)gx*8SY42Q1&UMJUhMWiS0WR-6Egh ztYF*GBKa%p=kD@%=V+f^urbj=g?}br#VkATFI}BC7t}NLC%k=qPMSOS?7M_Q-_g|T zR)^y|+gnFG+|8z~tlb>^L@DZkrO``Acdo4uk{)w;bVpt(dAU2^Zi#e)r*?Ku!WLDz z%dOWMu3Fejv$adlmN^^ZQO<6CP2#3^rKA_D`FUY^sj2BQQEMYa6UwqwPGszfp=?jC zpZnR{d3|kqy!}&q%S>6L%=Y&Cg@c{muO#IKnLCo__S@c`6SHG=6Xl_0S*PlZ>bI{? z3!0uWQI86!zO=FY^6QSXfqimYPIMMWweHwdkt(6meX)3WU9VDxtA9Y<{A|`Gr6r}B z!E=m0Yg#-@n>x$NZiZ@pb#F#k^ib{?%V_Nl4xTUkcR2H#U5wd$S6$5itZ?mppV(0a zXEnhhaf{3fm82p{adVXS`m+xU5=gU>YiifWy(|B06j}9PAUIe0Qmcgb^jGWTE#%s> z1|2BCE>vW2`mxa0{agJHtqWJ`tSJ&dxp&J0{Y$fkzB-9oC8jI) z-YBSa?G~J6X%{f~DBWLR{9BUfqf3R6)FW3hFr<@v3eHeaO8#^Uv{vMCj zL(^+m4`me8#fn_q@Fu=ZJmA66%-MHzm@5{X)N?Gc4+}J!x_>L1*Ko7LjNMER+Ka0$ zw3=8l-n}olG~M1Zzwq(y7?QblOuc_1xAWkL)>f6Arz6u&woTJbTUGV-)V4=&d!H_y zTCJ0BwqC82A~-wa?2!0NtNPlu*%#*p0|jVIph zZDiUxb^67)c~g=UE;SECKWVpC`lwu6YAka5bayK8$m^bPS2@zQo_F3I1ioX9>B|o< z@ijUS6zg(FG^2vAj38 zY@R=A7FScNb?Ke)VvKQLR#$0Ot#f05TPAC!%PY>3DMuA7#vZBppVsQ^TB>h%sbe&? z@zvV5FE(dQtH>u`2)IhpDqrO#bZN!lZ2pJ=<&%bcu9hnYN0-+hsJ_-Rvz>gqC$=H; z+GD-<#-bd?%uKS+LlOl0wlK(9ygGIGwPeA&T`B1fRY8ZF7t64yZdQ_#w&SUEbJcun zF7#}aKD36tX?cswlWUj6%!PG`1>$zRMiozw+@9yJ(>l0$iy23#Syf3j)8!W{*T`{S zcRu#f{pstPXs6Dq)Q0E)36aCT$A&q(+opJP8Vvcf3zF=_Lj15~xyJyi6>C-|- z$f2LfGpHNR3{H{&iBHFZuy*NO$rU-=5e(@*!r3g<`?$%Ww`tSokV3DJL(4<{aGsN) z$I?R+{-j$%*iWB0c3M$*NepCqB5~~J&4c>+qi!BVLQrn}zFy<&%NSM*HME?~C2olF zTR%6GKlN&%ktiSkSW6u}%leA+MIV`%y<9|`US4y1l0zbt&)1e@*1x*r;>jJ^$IFEz zMGW&yxj(FF7Q48%wd1jYY%w$RH zjrXBJy3hMhv6lt=2<`|n5?-qHL6phM!EKen&bG4k5zO1(8!dW0`-OJ3%fj;luXfso z7~i{2?#sNoWx8&oAFKJ<;HhCXv3qr7l(odlNW@_t0afF5oQ?+U)cqRmz9x=={&IS1 zpBC7u`#WZ8N89hwp03(^NW@3Hbq9$xYq4g3_U$p}9o*a6stnzYx|&8?6Z#FOSw9mC zVpW-u^!41k&!*i43+QBa&kJ2=Kq+VNd*c_7$W}+6A60+6uf@E0RP%X`F?(p{rE88e zOjy1$T>qf1u>MUx?`_fb-R}uQ=6#RCH{@{g>~z&#uueB*p4zQ1RovQaDb^|Pnu(DI zL>KcnBr@>de0(j3u=3ezzPumXrIp&N?N?-f>Ij30p6n?N}$T__-hvyoh z*OE=C&vv!A!sj_*&I7lmY%^P!Uec8k-l}vgIPQz{oVv9+SGIYRmMWjvcs!2ntEb-w z)#0~GvxI$G@)nyXcPMU~7P~1`jA}sLjbQikU+i8cj-!>1rUMhl(E%JsaU8{Q6vxs3 z@Z+cu^-wuBHWo}feohQeK8{}QE!199wu~}OTTUWoo78rW#7nQ2-?wKA=aXpS%5hHZ z3ZKVNFldz2cVquvX*EtY+qmgAmgl&}D&OT6c#(t{tM0IslKt0hn#)iVIpmZ|X%k2= zKSdwdu+y!ldH!7b0@G_VgKP%n-d(jHS-6PdbhS!XR|;fa5l6 z&lkIbC_lk^9T%1uuHbMs@g=7D~MOs((fe`*PBa_XO(9ilZ+_9Lh* z|DO6=gJqKw{@ifQudCgqL;77CMUzwi++GB&aho4utKQ_))TVAGC;z!A16rdJKZ2&w zPsx93V!~LTf!Z_$fxtrjdpMgq;6Wnra{fq%AqYSK0uX=z1Rwwb2tWV=5crD;{67s4 B@BaV* literal 0 HcmV?d00001