hV ddlZddlZddlZddlZddlZddlmZmZddlm Z m Z m Z m Z m Z mZddlmZmZmZmZddlmZmZddlmZddlmZddlmZmZdd lmZd d l m!Z!m"Z"d d l#m$Z$m%Z%m&Z&m'Z'd dl(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2d dl3m4Z4m5Z5d dl6m7Z7m8Z8ej9e:Z;Gdde,ej<Z=Gdde=e7Z>Gdde=e8Z? e!j@dZA e!j@dZB d8dZCd8dZD ejEGddejFZG d9deHdeIfd ZJ d:d"eHd#ejKfd$ZL d;d%e ejKdeHdeId&ejMfd'ZNGd(d)ZOGd*d+ejPZQGd,d-eOe4ZRe4jSeRd.ejMd/eOd&e e eHe eIffd0ZTd1e!jUfd2ZVd3ZWd4ZXd5ZYe0jSGd6d7e0ZZdS)<N)sha1sha256)DictListOptionalSetTupleUnion)algoscmscorex509)PrivateKeyInfoPublicKeyAlgorithm) serialization)PKCS1v15) RSAPrivateKey RSAPublicKey)pkcs12)genericmisc)aes_cbc_decryptaes_cbc_encrypt as_signed rc4_encrypt) ALL_PERMS AuthResult AuthStatus CryptFilterCryptFilterBuilderCryptFilterConfigurationIdentityCryptFilterSecurityHandlerSecurityHandlerVersionbuild_crypt_filter)SerialisableCredentialSerialisedCredential)AESCryptFilterMixinRC4CryptFilterMixinceZdZUdZdZeded<ddddfd Zed e fd Z fd Z e dfd e ejfd Zd efdZd efdZfdZxZS)PubKeyCryptFiltera Crypt filter for use with public key security handler. These are a little more independent than their counterparts for the standard security handlers, since different crypt filters can cater to different sets of recipients. :param recipients: List of CMS objects encoding recipient information for this crypt filters. :param acts_as_default: Indicates whether this filter is intended to be used in ``/StrF`` or ``/StmF``. :param encrypt_metadata: Whether this crypt filter should encrypt document-level metadata. .. warning:: See :class:`.SecurityHandler` for some background on the way pyHanko interprets this value. NPubKeySecurityHandler_handlerFT) recipientsacts_as_defaultencrypt_metadatac ||_||_||_d|_dx|_|_t jdi|dS)NF)r0r1r2_pubkey_auth_failed _shared_key_recp_key_seedsuper__init__)selfr0r1r2kwargs __class__s Z/var/www/html/Sam_Eipo/venv/lib/python3.11/site-packages/pyhanko/pdf_utils/crypt/pubkey.pyr9zPubKeyCryptFilter.__init__>sW%. 0#( 1554.""6"""""returnc|jSN)r5r:s r= _auth_failedzPubKeyCryptFilter._auth_failedMs ''r>ct|tstt|dx|_|_dSrA) isinstancer. TypeErrorr8_set_security_handlerr6r7)r:handlerr<s r=rGz'PubKeyCryptFilter._set_security_handlerQsI'#899 O %%g...1554...r>certscf|js|jrtjd|j t jd|_g|_|j|jtjdt||jt||j|}|j |dS)a Add recipients to this crypt filter. This always adds one full CMS object to the Recipients array :param certs: A list of recipient certificates. :param perms: The permission bits to assign to the listed recipients. :param ignore_key_usage: If ``False``, the *keyEncipherment* key usage extension is required. zCA non-default crypt filter cannot have multiple sets of recipients.NzYAdding recipients after deriving the shared key or before authenticating is not possible.)include_permissionsignore_key_usage) r1r0rPdfErrorsecrets token_bytesr7r6construct_recipient_cmsrappend)r:rIpermsrMnew_cmss r=add_recipientsz PubKeyCryptFilter.add_recipientsWs$#  -  ? "#*"5b"9"9D  DO   '4+>+F-9 *    e   $ 4-     w'''''r>c|jD]:}t||\}}|#||_ttj|cS;ttjS)a Authenticate to this crypt filter in particular. If used in ``/StmF`` or ``/StrF``, you don't need to worry about calling this method directly. :param credential: The :class:`.EnvelopeKeyDecrypter` to authenticate with. :return: An :class:`AuthResult` object indicating the level of access obtained. )r0read_seed_from_recipient_cmsr7rr USERFAILED)r: credentialrecpseedrSs r= authenticatezPubKeyCryptFilter.authenticatesfO : :D6tZHHKD%&*#!*/599999 *+,,,r>c|jJ|jtjd|jjt jkrt}nt}| |j|j D])}| | *|j s|j r| d|d|jS)Nz&No seed available; authenticate first.s)r/r7rrNversionr&AES256rrupdater0dumpr2r1digestkeylen)r:mdr[s r=derive_shared_encryption_keyz.PubKeyCryptFilter.derive_shared_encryption_keys}(((   &- HII I = $:$A A ABBB $%&&&O # #D IIdiikk " " " "$ +)= + II) * * *yy{{=T[=))r>c4t}tj|jdz|d<tjd|jD}|jr||d<n |d|d<tj|j |d<|S)N/Lengthc3bK|]*}tj|V+dSrArByteStringObjectrb.0r[s r= z2PubKeyCryptFilter.as_pdf_object..sF) ) 6:G $TYY[[ 1 1) ) ) ) ) ) r> /Recipientsr/EncryptMetadata) r8 as_pdf_objectr NumberObjectrd ArrayObjectr0r1 BooleanObjectr2)r:resultr0r<s r=rrzPubKeyCryptFilter.as_pdf_objects&&((#0qAAy() ) >Bo) ) )      2$.F= ! !%/qMF= !%,%:  !& & !" r>)__name__ __module__ __qualname____doc__r/r__annotations__r9propertyboolrCrGrrr CertificaterUrr]bytesrfrr __classcell__r<s@r=r-r-'s2(37Hh./666  # # # # # # #(d(((X(66666 )()(D$%)()()()(V-*----& *e * * * *r>r-ceZdZdZdS)PubKeyAESCryptFilterz< AES crypt filter for public key security handlers. Nrwrxryrzr4r>r=rr Dr>rceZdZdZdS)PubKeyRC4CryptFilterz< RC4 crypt filter for public key security handlers. Nrr4r>r=rrrr>rz/DefaultCryptFilterz/DefEmbeddedFileTc jttt|d||ittSNT)rdr1r0r2)default_stream_filterdefault_string_filter)r#DEFAULT_CRYPT_FILTERrrdr0r2s r=_pubkey_rc4_configrG # "6 $%!1 ### 32    r>c jttt|d||ittSr)r#rrrs r=_pubkey_aes_configrrr>creZdZdZejdZejdZejdZdS)PubKeyAdbeSubFilterz{ Enum describing the different subfilters that can be used for public key encryption in the PDF specification. z/adbe.pkcs7.s3z/adbe.pkcs7.s4z/adbe.pkcs7.s5N) rwrxryrzr NameObjectS3S4S5r4r>r=rrsS  , - -B  , - -B  , - -BBBr>rr\rScdt|dksJ||rtjd|ndzS)NrK)lenstructpack)r\rSrLs r=construct_envelope_contentr s9 t99???? /BK6;tU+++ LLr>F envelope_keycertc |j}|d}|dj}|dkrtd|dt|dksJ|s4|j}| d|jvr"t jd|jjdtj |j }t|tsJ||t }t!jd t!j|j|jd i} t!jdt!jd i} t!jd t!jd| | |diS)N algorithmrsaz3Certificate public key must be of type 'rsa', not ''. key_enciphermentzCertificate for subject z8 does not have the 'key_encipherment' key usage bit set.paddingissuer_and_serial_number)issuer serial_numberrsaes_pkcs1v15ktrir)r_ridkey_encryption_algorithm encrypted_key) public_keynativeNotImplementedErrorrkey_usage_valuer PdfWriteErrorsubjecthuman_friendlyrload_der_public_keyrbrErencryptrr RecipientIdentifierIssuerAndSerialNumberrrKeyEncryptionAlgorithmKeyEncryptionAlgorithmId RecipientInfoKeyTransRecipientInfo) rrrMpubkeypubkey_algo_infoalgorithm_name key_usagepub_keyencrypted_dataralgos r=_recipient_infors_F+1++>%k29N! '" ' ' '   |   " " " " (   2):J J J$F4<+FFFF  /0D0D0F0FGGG g| , ,,, ,__\8::_FFN  ! &(A;9KLL))   C  % c23CDDE  D   C- 04%3     r> certificatesr?c t|||}tjd t |d\}} fd|D}t jt jd|d} t jt j d| |d} t j d || d } t j t j d | d S) N)rLr)ivc4g|]}t|S))rM)r)rnrrrMs r= z+construct_recipient_cms..is9   d=MNNNr> aes256_cbc)r parametersdata) content_typecontent_encryption_algorithmencrypted_contentr)r_recipient_infosencrypted_content_infoenveloped_data)rcontent) rrOrPrr EncryptionAlgorithmr EncryptionAlgorithmIdEncryptedContentInfo ContentType EnvelopedData ContentInfo) rr\rSrLrMenvelope_contentrencrypted_envelope_content rec_infosrrrrs ` @r=rQrQHs=,2 e)<&r**L%4&4&&&"B"  I  "4\BB    D !5OF33,0!;  &(&<  N ?O,<==%    r>cFeZdZdZdejfdZdedej defdZ dS) EnvelopeKeyDecrypterz General credential class for use with public key security handlers. This allows the key decryption process to happen offline, e.g. on a smart card. :param cert: The recipient's certificate. rc||_dSrA)r)r:rs r=r9zEnvelopeKeyDecrypter.__init__s  r>r algo_paramsr?ct)a Invoke the actual key decryption algorithm. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :return: The decrypted payload. )r)r:rrs r=decryptzEnvelopeKeyDecrypter.decrypts "!r>N) rwrxryrzrr~r9rr rrr4r>r=rrskT- "" "141K "  " " " " " "r>rc(eZdZdefdejfgZdS)_PrivKeyAndCertkeyrN)rwrxryrrr~_fieldsr4r>r=rrs%~&1A(BCGGGr>rceZdZdZedefdZdefdZedefdZ de j de ffd Z edd Zedd Zd edejdefdZxZS)SimpleEnvelopeKeyDecrypterz Implementation of :class:`.EnvelopeKeyDecrypter` where the private key is an RSA key residing in memory. :param cert: The recipient's certificate. :param private_key: The recipient's private key. r?cdS)N raw_privkeyr4clss r=get_namez#SimpleEnvelopeKeyDecrypter.get_names}r>cb|j|jd}t|S)N)rr) private_keyrrrb)r:valuess r= _ser_valuez%SimpleEnvelopeKeyDecrypter._ser_values.)49==v&&++---r>rc t|}|d}|d}n'#t$r}tjd|d}~wwxYwt ||S)Nrrz-Failed to decode serialised pubkey credentialrr)rload ValueErrorr PdfReadErrorr)rrdecodedrres r= _deser_valuez'SimpleEnvelopeKeyDecrypter._deser_values} %**400G%.C6?DD   #?  *tEEEEs*- AA  ArrcXt|||_dSrA)r8r9r)r:rrr<s r=r9z#SimpleEnvelopeKeyDecrypter.__init__s) +6r>Ncddlm} |||}ddlm}||}nA#ttt f$r'}t d|Yd}~dSd}~wwxYwt||S) a Load a key decrypter using key material from files on disk. :param key_file: File containing the recipient's private key. :param cert_file: File containing the recipient's certificate. :param key_passphrase: Passphrase for the key file, if applicable. :return: An instance of :class:`.SimpleEnvelopeKeyDecrypter`. )load_private_key_from_pemder) passphrase)load_cert_from_pemderz%Could not load cryptographic materialexc_infoNr) keysrrIOErrorrrFloggererrorr)key_file cert_filekey_passphraserrrrrs r=rzSimpleEnvelopeKeyDecrypter.loads 988888 66^K 6 5 5 5 5 5((33DDY/    LL@1L M M M44444 *tMMMMs'A%A  A%c t|d5}|}dddn #1swxYwYtj||\}}}ddlm}m} ||}| |}nE#tttf$r+} t d|d| Yd} ~ dSd} ~ wwxYwt||S) aZ Load a key decrypter using key material from a PKCS#12 file on disk. :param pfx_file: Path to the PKCS#12 file containing the key material. :param passphrase: Passphrase for the private key, if applicable. :return: An instance of :class:`.SimpleEnvelopeKeyDecrypter`. rbNr))_translate_pyca_cryptography_cert_to_asn1(_translate_pyca_cryptography_key_to_asn1zCould not open PKCS#12 file .rr) openreadrload_key_and_certificatesrr rrrrFrrr) rpfx_filerf pfx_bytesrr other_certsr rrs r= load_pkcs12z&SimpleEnvelopeKeyDecrypter.load_pkcs12sJ h%% %FFHH  % % % % % % % % % % % % % % %/5/O:00 ,[$          =rA)rwrxryrz classmethodstrrrrrrr~rr9 staticmethodrrr rrrrs@r=rrsI[.E.... F F F F[ F7T-7N777777NNN\N6NNN[N@C"C141KC CCCCCCCCr>r recipient_cms decrypterc|dj}|dkrtjd|z|d}|d}|dD]}|j}t |t jstd|dj}t |t jstd |d }|d j} |j j |krb|j j | krR | |d j|d } n'#t$r} tjd| d} ~ wwxYwndS|d} |dj} | j}n$#tt f$r| dj}YnwxYwdt"i} ddlm}||j|j|jdn##t0$r|dvrtdYnwxYw||vr||}| j}|| | |}n/|dkrt5| | }ntjd|d|dd}d}t7|dkr#t9jd|ddd}||fS)Nrrz7Recipient CMS content type must be enveloped data, not rrrz4RecipientInfo must be of type KeyTransRecipientInfo.rz;Recipient identifier must be of type IssuerAndSerialNumber.rrrrzFailed to decrypt envelope key)NNrrraesr) symmetric)des tripledesrc2z0DES, 3DES and RC2 require oscrypto to be presentrc4zCipher z is not allowed in PDF 2.0.rKr)rrrchosenrEr rrrrrrr Exceptionencryption_cipherrKeyErrorroscryptor$rades_cbc_pkcs5_decrypttripledes_cbc_pkcs5_decryptrc2_cbc_pkcs5_decrypt ImportError encryption_ivrrrunpack)r r!redrrec_inforissuer_and_serialrserialrrrr cipher_namewith_ivr$decryption_funrrr\rSs r=rWrW4sK!07L''' E    *)4B 89()$ 9:: %F !K.+S-FGG %M #8,"?3: N !V + +,66  Q(00)034    Q Q Q'(HIIqP Q Ez %;&%D"8" /,  !///;'. /o&G&&&&&&  6&B 6        5 5 5%B  6 5 g -   ./I2NN   l,FGG >k > > >    3B3.s834Q-..r>rqTr0r2)r-rrrErrlget)r<r0recipient_objsr2s r=_read_generic_pubkey_cf_inforFs M*     <    *g677# ] 8BNzz"4d;;(>N O OOs *cl|dd}td|dz|dt|S)Nri(rhrdr1r4)rDrrF)r<r1 keylen_bitss r=_build_legacy_pubkey_cfrKsN**Y++K  a'   'v . .  r>c:tdd|dt|S)NrIr4rrFr<r1s r=_build_aes128_pubkey_cfrP6  '   'v . .  r>c:tdd|dt|S)NrrIr4rNrOs r=_build_aes256_pubkey_cfrSrQr>c eZdZUdZejdeejdeejdeejddiZ e eje fe d<e dejd d ed d fd eejd ed dfdZ d%dedededdeeffd Ze d efdZe d eefdZe dejded e fdZ!e dejd edffd Z"e dejfdZ#e dejfdZ$e dejfdZ%d Z&ed fd eejfd!Z' d&d"e(e)e*fd e+fd#Z,d e-fd$Z.xZ/S)'r.z Security handler for public key encryption in PDF. As with the standard security handler, you essentially shouldn't ever have to instantiate these yourself (see :meth:`build_from_certs`). z/V2z/AESV2z/AESV3z /IdentityctSrA)r$)___s r=zPubKeySecurityHandler.s 7J7L7Lr>_known_crypt_filtersrMTFrIrSr?c  |r tjn tj} d} |tjkr'|rt d|d} nt |d|} ||| |f|| dd| } | |||| S)a Create a new public key security handler. This method takes many parameters, but only ``certs`` is mandatory. The default behaviour is to create a public key encryption handler where the underlying symmetric encryption is provided by AES-256. Any remaining keyword arguments will be passed to the constructor. :param certs: The recipients' certificates. :param keylen_bytes: The key length (in bytes). This is only relevant for legacy security handlers. :param version: The security handler version to use. :param use_aes: Use AES-128 instead of RC4 (only meaningful if the ``version`` parameter is :attr:`~.SecurityHandlerVersion.RC4_OR_AES128`). :param use_crypt_filters: Whether to use crypt filters. This is mandatory for security handlers of version :attr:`~.SecurityHandlerVersion.RC4_OR_AES128` or higher. :param perms: Permission flags (as a 4-byte signed integer). :param encrypt_metadata: Whether to encrypt document metadata. .. warning:: See :class:`.SecurityHandler` for some background on the way pyHanko interprets this value. :param ignore_key_usage: If ``False``, the *keyEncipherment* key usage extension is required. :return: An instance of :class:`.PubKeySecurityHandler`. NrM)r2r0rC)r2crypt_filter_configrErSrM)rrrr& RC4_OR_AES128rrrU) rrI keylen_bytesr_use_aesuse_crypt_filtersrSr2rMr; subfiltercfcshs r=build_from_certsz&PubKeySecurityHandler.build_from_certssd! (  " "$'   ,: : : ()9d) #%5 S    . #      %u?OPPP r>Nr_pubkey_handler_subfilterr[r#rEc|tjkr$|tjkrt jd|}|tjkrtd||}nZ|tjkrt|||}n7|tj krtd||}nt jdt |||||||_ ||_d|_dS)NzESubfilter /adbe.pkcs7.s5 is required for security handlers beyond V4.)rdr2r0rz1Failed to impute a reasonable crypt filter config)r2compat_entries)r&r]rrrrNRC4_40rRC4_LONGER_KEYSr`rr8r9rar2r6) r:r_re legacy_keylenr2r[rErhr<s r=r9zPubKeySecurityHandler.__init__#sD -; ; ;(,?,BBB-   &0777&8%5-'''## 2BBB&8(%5-'''## 2999'9%5-'''## mG    -)    2 0r>c*tjdS)Nz /Adobe.PubSec)rrrs r=rzPubKeySecurityHandler.get_name]s!/222r>c$dtDS)Nch|] }|j Sr4)valuerAs r= zCPubKeySecurityHandler.support_generic_subfilters..cs555A555r>)rrs r=support_generic_subfiltersz0PubKeySecurityHandler.support_generic_subfiltersas55!45555r>r<r1c^t|j||}|tjd|S)NzJAn absent CFM or CFM of /None doesn't make sense in a PubSec CF dictionary)r'rYrr)rr<r1cfs r=read_cf_dictionaryz(PubKeySecurityHandler.read_cf_dictionaryesE  $fo   :#'  r> encrypt_dictc t|}||}|$|tjkrt jd|$|tjkrt jd|S)Nz=Crypt filters require /adbe.pkcs7.s5 as the declared handler.z./adbe.pkcs7.s5 handler requires crypt filters.)r8process_crypt_filters_determine_subfilterrrrr)rrurbrar<s r=rwz+PubKeySecurityHandler.process_crypt_filtersssgg++L99,,\:: ?y,?,BBB# [Y*=*@@@#@  r>c|dd}|dzdkrtjd|dz}tj|dd}|dtd }t ||| S) Nrirhrz"Key length must be a multiple of 8rpcd|DS)NcVg|]&}tj|j'Sr4r?rAs r=rzSPubKeySecurityHandler.gather_pub_key_metadata....s+MMMA--a.>??MMMr>r4)lsts r=rXz?PubKeySecurityHandler.gather_pub_key_metadata..sMMMMMr>rqTdefault)rkrEr2)rDrrN get_and_applyr}dict)rrurJrdr0r2s r=gather_pub_key_metadataz-PubKeySecurityHandler.gather_pub_key_metadatas"&&y#66 !O ! !- DEE E!'   M M  (55 d6   %-    r>c tj|dtd|vr tjn tjS#t $rtjd|dzwxYw)N /SubFilterz/CFr~z8Invalid /SubFilter in public key encryption dictionary: )rrrrrrr)rrus r=rxz*PubKeySecurityHandler._determine_subfilters %# ,,(**,/       #J|,-  s 69(A!ctj|d}td|||||d||S)N/V)r_rer[r4)r& from_numberr.rxrwr)rruvs r=instantiate_from_pdf_objectz1PubKeySecurityHandler.instantiate_from_pdf_objectsr # .|D/A B B$ %(%=%=l%K%K # 9 9, G G  )),77    r>ctj}tj||d<|jj|d<|j|d<|js|jtj krtj |j dz|d<|jtj krtj |j|d<|jtjkr-||jnV|}t)|t*st,tjd|jD|d<|S) Nz/Filterrrrhrirqc3bK|]*}tj|V+dSrArkrms r=roz6PubKeySecurityHandler.as_pdf_object..sI88(55888888r>rp)rDictionaryObjectrrraror_rr_compat_entriesr&rjrsrdrur2rrrar[get_stream_filterrEr-rFrtr0)r:rv default_cfs r=rrz#PubKeySecurityHandler.as_pdf_objectsY)++#.t}}??y#~3||1133t   F|5EEE ' 4T[1_ E EF9  <0@ @ @)0)>%**F% & >03 3 3 MM$2@@BB C C C C//11Jj*;<< $+$788&1888%%F= ! r>c|jD]0}t|ts||||1dS)Nr\)r[standard_filtersrEr-rU)r:rIrSrMrss r=rUz$PubKeySecurityHandler.add_recipientssl*;;==  Bb"344    U5E       r>rZc>t|trQtj|}t|ts%t jdt|d|}n|}d}|j D]W}t|ts| |}|j tjkr|cS|j ||jz}Xt|tr||_t#tjt'|S)a Authenticate a user to this security handler. :param credential: The credential to use (an instance of :class:`.EnvelopeKeyDecrypter` in this case). :param id1: First part of the document ID. Public key encryption handlers ignore this key. :return: An :class:`AuthResult` object indicating the level of access obtained. zRPubkey authentication credential must be an instance of EnvelopeKeyDecrypter, not rl)rEr)r( deserialiserrrtyper[rr-r]statusr rYpermission_flags _credentialrrXr)r:rZid1deser_credentialactual_credentialrSrsrvs r=r]z"PubKeySecurityHandler.authenticates9( j"6 7 7 +5A*MM .0DEE 'K156F1G1GKKK!1   * *;;== 1 1Bb"344 __%677F} 111 &200 ')? @ @ 10D */9U+;+;<<c>|jjSrA)r[get_for_stream shared_keyrBs r=get_file_encryption_keyz-PubKeySecurityHandler.get_file_encryption_keys'6688CCr>)TNNTrA)0rwrxryrzrrrKrPrSrYrr"r{rr&r`rrrr~intrdrrlistr9rrrrqrr}r!rtrwrrxrrrrUr rr)rr]rrrrs@r=r.r.sb 5!!#:8$$&=8$$&=;'')L)L J$w13EEF&-MMD$%MM !MMM[MhDH)-8 8 '8 #68 &&@A 8 !8 8 8 8 8 8 t3333[363s8666[6 - @D     [ "3 , -[" 73K   [ .0H[$  "3    [  > D$%( .=.=.0DDE.=  .=.=.=.=`DDDDDDDDDr>r.)NT)T)F)TF)[abcenumloggingrOrhashlibrrtypingrrrrr r asn1cryptor r r rasn1crypto.keysrrcryptography.hazmat.primitivesr1cryptography.hazmat.primitives.asymmetric.paddingr-cryptography.hazmat.primitives.asymmetric.rsarr,cryptography.hazmat.primitives.serializationrrr_utilrrrrapirrr r!r"r#r$r%r&r'cred_serr(r) filter_mixinsr*r+ getLoggerrwrABCr-rrrrDEF_EMBEDDED_FILErruniqueEnumrrrrr~rrrQrSequencerrregisterrWrrFrKrPrSr.r4r>r=rs  ::::::::::::::::------------>>>>>>>>888888FFFFFF@?????KKKKKKKKKKKK                        CBBBBBBBCCCCCCCC  8 $ $KKKKK SWKKK\     ,.A        ,.A    *w)*?@@ 'G&'9::          .....$).. .26MM MMMMMCH444#/4444v DDt'(D D D  _ DDDDP""""""""<DDDDDdmDDD|C|C|C|C|C!57M|C|C|C~  :;;;c?c/Cc 8E?HSM )*ccccL P)A P P P P XDXDXDXDXDOXDXDXDXDXDr>