pg ddlZddlZddlZddlZddlmZddlmZddl m Z m Z ddl m Z mZmZmZmZmZmZddlmZmZmZddlmZmZmZmZddlmZmZdd l m!Z!ejd d d Z"Gd d e#Z$deedej%eeddfdZ&de!dej%ej'e!e(ej)e*fddfdZ+dejdejfdZ,GddZ-GddZ.Gddej/Z0Gdde#Z1Gdd ej2!Z3e34ej3Gd"d#ej2!Z5e54ej5Gd$d%e5Z6Gd&d'ej2!Z7e74ej7Gd(d)ej2!Z8e84ej8 d;d*e(d+ej9de3fd,Z: d;d*e(d+ej9de3fd-Z; d;d*e(d+ej9de8fd.Z< d;d*e(d+ej9de8fd/Z= d;d*e(d+ej9de7fd0Z> d;d*e(d+ej9de7fd1Z?Gd2d3Z@Gd4d5ZAGd6d7ZBGd8d9ZCde*fd:ZDdS)<N)utils)x509)hashes serialization)dsaeced25519ed448rsax25519x448)#CERTIFICATE_ISSUER_PUBLIC_KEY_TYPESCERTIFICATE_PRIVATE_KEY_TYPESCERTIFICATE_PUBLIC_KEY_TYPES) Extension ExtensionType Extensions_make_sequence_methods)Name _ASN1Type)ObjectIdentifieric,eZdZdededdffd ZxZS)AttributeNotFoundmsgoidreturnNcftt||||_dSN)superr__init__r)selfrr __class__s 8/usr/lib/python3/dist-packages/cryptography/x509/base.pyr!zAttributeNotFound.__init__*s- &&//444)__name__ __module__ __qualname__strrr! __classcell__r#s@r$rr)sSC&64r%r extension extensionsrcN|D]!}|j|jkrtd"dS)Nz$This extension has already been set.)r ValueError)r,r-es r$_reject_duplicate_extensionr1/sD EE 5IM ! !CDD D "EEr%r attributescB|D]\}}}||krtddS)Nz$This attribute has already been set.)r/)rr2attr_oid_s r$_reject_duplicate_attributer69sD%EE!Q s??CDD D EEr%timec|jD|}|r|ntj}|d|z S|S)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r9 utcoffsetdatetime timedeltareplace)r7offsets r$_convert_to_naive_utc_timer?EsP  {!!!;x'9';';||4|((611 r%c eZdZejjfdedededdfdZ e defdZ e defdZde fd Z d edefd Zdefd ZdS) Attributervalue_typerNc0||_||_||_dSr)_oid_valuerC)r"rrBrCs r$r!zAttribute.__init__Ts    r%c|jSr)rEr"s r$rz Attribute.oid^s yr%c|jSr)rFrHs r$rBzAttribute.valuebs {r%cBd|j|jS)Nz)formatrrBrHs r$__repr__zAttribute.__repr__fs077$*MMMr%otherct|tstS|j|jko|j|jko|j|jkSr) isinstancerANotImplementedrrBrCr"rMs r$__eq__zAttribute.__eq__isO%++ "! ! H ! * ek) * ek) r%cDt|j|j|jfSr)hashrrBrCrHs r$__hash__zAttribute.__hash__ssTXtz4:6777r%)r&r'r(r UTF8StringrBrbytesintr!propertyrr)rLobjectboolrRrUr%r$rArASs  )/     %XuXN#NNNN F t    8#888888r%rAcneZdZdejeddfdZed\ZZ Z de fdZ de defdZdS) Attributesr2rNc.t||_dSr)list _attributes)r"r2s r$r!zAttributes.__init__xs ++r%rac6d|jS)Nz)rKrarHs r$rLzAttributes.__repr__s!(()9:::r%rcp|D]}|j|kr|cStd||)NzNo {} attribute was found)rrrK)r"rattrs r$get_attribute_for_oidz Attributes.get_attribute_for_oidsK  Dx3  ; B B3 G GMMMr%)r&r'r(typingIterablerAr!r__len____iter__ __getitem__r)rLrrer\r%r$r^r^ws,OI., ,,,, &<%;M%J%J"GX{;#;;;;N)9NiNNNNNNr%r^ceZdZdZdZdS)VersionrN)r&r'r(v1v3r\r%r$rlrls B BBBr%rlc,eZdZdededdffd ZxZS)InvalidVersionrparsed_versionrNcftt||||_dSr)r rqr!rr)r"rrrr#s r$r!zInvalidVersion.__init__s/ nd##,,S111,r%)r&r'r(r)rXr!r*r+s@r$rqrqsR-C------------r%rqceZdZejdejdefdZej de fdZ ej de fdZ ejdefdZej dejfdZej dejfdZej defd Zej defd Zej dejejfd Zej defd Zej defd Zej defdZej defdZej defdZejde de!fdZ"ejde fdZ#ejde$j%defdZ&dS) Certificate algorithmrcdSz4 Returns bytes using digest passed. Nr\r"rvs r$ fingerprintzCertificate.fingerprintr%cdS)z3 Returns certificate serial number Nr\rHs r$ serial_numberzCertificate.serial_numberr{r%cdS)z1 Returns the certificate version Nr\rHs r$versionzCertificate.versionr{r%cdSz( Returns the public key Nr\rHs r$ public_keyzCertificate.public_keyr{r%cdS)z? Not before time (represented as UTC datetime) Nr\rHs r$not_valid_beforezCertificate.not_valid_beforer{r%cdS)z> Not after time (represented as UTC datetime) Nr\rHs r$not_valid_afterzCertificate.not_valid_afterr{r%cdS)z1 Returns the issuer name object. Nr\rHs r$issuerzCertificate.issuerr{r%cdSz2 Returns the subject name object. Nr\rHs r$subjectzCertificate.subjectr{r%cdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr\rHs r$signature_hash_algorithmz$Certificate.signature_hash_algorithmr{r%cdSzJ Returns the ObjectIdentifier of the signature algorithm. Nr\rHs r$signature_algorithm_oidz#Certificate.signature_algorithm_oidr{r%cdS)z/ Returns an Extensions object. Nr\rHs r$r-zCertificate.extensionsr{r%cdSz. Returns the signature bytes. Nr\rHs r$ signaturezCertificate.signaturer{r%cdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr\rHs r$tbs_certificate_bytesz!Certificate.tbs_certificate_bytesr{r%cdS)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. Nr\rHs r$tbs_precertificate_bytesz$Certificate.tbs_precertificate_bytesr{r%rMcdSz" Checks equality. Nr\rQs r$rRzCertificate.__eq__r{r%cdSz" Computes a hash. Nr\rHs r$rUzCertificate.__hash__r{r%encodingcdS)zB Serializes the certificate to PEM or DER format. Nr\r"rs r$ public_byteszCertificate.public_bytesr{r%N)'r&r'r(abcabstractmethodr HashAlgorithmrWrzabstractpropertyrXr}rlrrrr;rrrrrrfOptionalrrrrr-rrrrZr[rRrUrEncodingrr\r%r$rurus V%9 e      s            8      ("3      !2                  - .      )9      J      5      u      %      F t      #      ]%;       r%ru) metaclassceZdZejdefdZejdejfdZejde fdZ dS)RevokedCertificatercdS)zG Returns the serial number of the revoked certificate. Nr\rHs r$r}z RevokedCertificate.serial_numberr{r%cdS)zH Returns the date of when this certificate was revoked. Nr\rHs r$revocation_datez"RevokedCertificate.revocation_date r{r%cdS)zW Returns an Extensions object containing a list of Revoked extensions. Nr\rHs r$r-zRevokedCertificate.extensionsr{r%N) r&r'r(rrrXr}r;rrr-r\r%r$rrs s      !2      J      r%rceZdZdedejdefdZedefdZedejfdZ edefdZ d S) _RawRevokedCertificater}rr-c0||_||_||_dSr_serial_number_revocation_date _extensionsr"r}rr-s r$r!z_RawRevokedCertificate.__init__" , /%r%rc|jSr)rrHs r$r}z$_RawRevokedCertificate.serial_number)s ""r%c|jSr)rrHs r$rz&_RawRevokedCertificate.revocation_date-s $$r%c|jSr)rrHs r$r-z!_RawRevokedCertificate.extensions1s r%N) r&r'r(rXr;rr!rYr}rr-r\r%r$rrs&&"*& &&&&#s###X#%!2%%%X% J   X   r%rceZdZejdejdefdZejde j defdZ ejde de jefdZejde je j fdZejdefd Zejdefd Zejde jejfd Zejdejfd Zejdefd ZejdefdZejdefdZejdedefdZ ejde fdZ!e j"de defdZ#e j"de$de j%efdZ#ejde j&e e$fde j&ee j%effdZ#ejde j'efdZ(ejde)defdZ*dS)CertificateRevocationListrrcdS)z: Serializes the CRL to PEM or DER format. Nr\rs r$rz&CertificateRevocationList.public_bytes7r{r%rvcdSrxr\rys r$rzz%CertificateRevocationList.fingerprint=r{r%r}cdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr\)r"r}s r$(get_revoked_certificate_by_serial_numberzBCertificateRevocationList.get_revoked_certificate_by_serial_numberCr{r%cdSrr\rHs r$rz2CertificateRevocationList.signature_hash_algorithmLr{r%cdSrr\rHs r$rz1CertificateRevocationList.signature_algorithm_oidUr{r%cdS)zC Returns the X509Name with the issuer of this CRL. Nr\rHs r$rz CertificateRevocationList.issuer[r{r%cdS)z? Returns the date of next update for this CRL. Nr\rHs r$ next_updatez%CertificateRevocationList.next_updatear{r%cdS)z? Returns the date of last update for this CRL. Nr\rHs r$ last_updatez%CertificateRevocationList.last_updategr{r%cdS)zS Returns an Extensions object containing a list of CRL extensions. Nr\rHs r$r-z$CertificateRevocationList.extensionsmr{r%cdSrr\rHs r$rz#CertificateRevocationList.signaturesr{r%cdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr\rHs r$tbs_certlist_bytesz,CertificateRevocationList.tbs_certlist_bytesyr{r%rMcdSrr\rQs r$rRz CertificateRevocationList.__eq__r{r%cdS)z< Number of revoked certificates in the CRL. Nr\rHs r$rhz!CertificateRevocationList.__len__r{r%idxcdSrr\r"rs r$rjz%CertificateRevocationList.__getitem__ r%cdSrr\rs r$rjz%CertificateRevocationList.__getitem__rr%cdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr\rs r$rjz%CertificateRevocationList.__getitem__r{r%cdS)z8 Iterator over the revoked certificates Nr\rHs r$riz"CertificateRevocationList.__iter__r{r%rcdS)zQ Verifies signature of revocation list against given public key. Nr\)r"rs r$is_signature_validz,CertificateRevocationList.is_signature_validr{r%N)+r&r'r(rrrrrWrrrrzrXrfrrrrrrrrrr;rrrr-rrrZr[rRrhoverloadrjsliceListUnionIteratorrirrr\r%r$rr6s ]%;       V%9 e        + ,      - .      )9            V_X->?      X.      J      5      E      F t           _ s '9   _  _ u 5G)H   _   <U + (&+6H*II J      &/*<=      =       r%rc2eZdZejdedefdZejdefdZ ejde fdZ ej de fdZej dejejfdZej defdZej defd Zej defd Zejd ejdefd Zej defd Zej defdZej defdZ ejdedefdZ!dS)CertificateSigningRequestrMrcdSrr\rQs r$rRz CertificateSigningRequest.__eq__r{r%cdSrr\rHs r$rUz"CertificateSigningRequest.__hash__r{r%cdSrr\rHs r$rz$CertificateSigningRequest.public_keyr{r%cdSrr\rHs r$rz!CertificateSigningRequest.subjectr{r%cdSrr\rHs r$rz2CertificateSigningRequest.signature_hash_algorithmr{r%cdSrr\rHs r$rz1CertificateSigningRequest.signature_algorithm_oidr{r%cdS)z@ Returns the extensions in the signing request. Nr\rHs r$r-z$CertificateSigningRequest.extensionsr{r%cdS)z/ Returns an Attributes object. Nr\rHs r$r2z$CertificateSigningRequest.attributesr{r%rcdS)z; Encodes the request to PEM or DER format. Nr\rs r$rz&CertificateSigningRequest.public_bytesr{r%cdSrr\rHs r$rz#CertificateSigningRequest.signaturer{r%cdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr\rHs r$tbs_certrequest_bytesz/CertificateSigningRequest.tbs_certrequest_bytesr{r%cdS)z8 Verifies signature of signing request. Nr\rHs r$rz,CertificateSigningRequest.is_signature_validr{r%rcdS)z: Get the attribute value for a given OID. Nr\)r"rs r$rez/CertificateSigningRequest.get_attribute_for_oidr{r%N)"r&r'r(rrrZr[rRrXrUrrrrrrfrrrrrrrr-r^r2rrrWrrrrrer\r%r$rrsg F t      #      8            - .      )9      J      J      ]%;       5      u      D      )9 e      r%rdatabackendc*tj|Sr) rust_x509load_pem_x509_certificaterrs r$rr  .t 4 44r%c*tj|Sr)rload_der_x509_certificaters r$rr rr%c*tj|Sr)rload_pem_x509_csrrs r$rr  &t , ,,r%c*tj|Sr)rload_der_x509_csrrs r$rrrr%c*tj|Sr)rload_pem_x509_crlrs r$rr"rr%c*tj|Sr)rload_der_x509_crlrs r$rr)rr%c HeZdZdggfdejedejeedejej e e eje ffdZ deddfdZd ed eddfd Zdd d e de dejeddfdZ ddedejejdejdefdZdS) CertificateSigningRequestBuilderN subject_namer-r2c0||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerra)r"rr-r2s r$r!z)CertificateSigningRequestBuilder.__init__0s"*%%r%namerct|tstd|jt dt ||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)rOr TypeErrorrr/rrrar"rs r$rz-CertificateSigningRequestBuilder.subject_name?s\$%% ;9:: :   )EFF F/ $"D$4   r%extvalcriticalct|tstdt|j||}t ||jt|j|j|gz|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rOrrrrr1rrrrar"r r r,s r$ add_extensionz.CertificateSigningRequestBuilder.add_extensionKsw &-00 B@AA Afj(F;; #It/?@@@/     { *     r%)_tagrrBrcnt|tstdt|tstd|$t|tstdt ||j||j}nd}t|j |j |j|||fgzS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rOrrrWrr6rarBrrr)r"rrBrtags r$ add_attributez.CertificateSigningRequestBuilder.add_attribute]s#/00 ?=>> >%'' 3122 2  JtY$?$? 344 4#C)9:::  *CCC/      eS 12 2   r% private_keyrvrcZ|jtdtj|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rr/rcreate_x509_csrr"rrvrs r$signz%CertificateSigningRequestBuilder.sign}s1   %NOO O({IFFFr%r)r&r'r(rfrrrrrTuplerrWrXr!rr[rrrrrrAnyrrr\r%r$rr/s/3<>  & &od+ &K - 89 &K L)5&/#2FF G & & & &    *L      # /3 +    .,0      oi(  ,     H# G G2 G?6#78 G G # G G G G G Gr%rceZdZUejeeed<ddddddgfdeje deje deje deje deje j deje j d ejeed dfd Z d e d dfd Zd e d dfdZde d dfdZde d dfdZde j d dfdZde j d dfdZdeded dfdZ ddedejejdejd efdZdS)CertificateBuilderrN issuer_namerrr}rrr-rctj|_||_||_||_||_||_||_||_ dSr) rlro_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)r"rrrr}rrr-s r$r!zCertificateBuilder.__init__sK  ')%+!1 /%r%rc t|tstd|jt dt ||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rOrrrr/rrr rr!r"rrs r$rzCertificateBuilder.issuer_namesv$%% ;9:: :   (DEE E!         "  !     r%c t|tstd|jt dt |j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rOrrrr/rrr rr!r"rrs r$rzCertificateBuilder.subject_namesv$%% ;9:: :   )EFF F!         "  !     r%keyc lt|tjtjt jtjtj tj tjfstd|jt#dt%|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rOr DSAPublicKeyr RSAPublicKeyrEllipticCurvePublicKeyr Ed25519PublicKeyr Ed448PublicKeyr X25519PublicKeyr X448PublicKeyrr r/rrrrr!r"r)r"r&s r$rzCertificateBuilder.public_keys   )($&"     !    'CDD D!         "  !     r%numberc Tt|tstd|jt d|dkrt d|dkrt dt |j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rOrXrrr/ bit_lengthrrrr r!r"rr"r/s r$r}z CertificateBuilder.serial_numbers&#&& GEFF F   *FGG G Q;;DEE E     # % %H "         "  !     r%r7c zt|tjstd|jt dt |}|t krt d|j||jkrt dt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rOr;rr!r/r?_EARLIEST_UTC_TIMEr"rrrr rrr"r7s r$rz#CertificateBuilder.not_valid_befores $ 122 :899 9  ! -IJJ J)$// $ $ $$   ,8M1M1M "           !     r%c zt|tjstd|jt dt |}|t krt d|j||jkrt dt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. r8Nz)The not valid after may only be set once.zB<>&&_T*&od+&O$@A & s+ & !/(*;< & ):;&K - 89& &&&&&  )=    $  *>    $# )#  # # # # J C ,@    6 %     > H$5 :N    @ # /3     4# OO2O?6#78O O  OOOOOOr%rc eZdZUejeeed<ejeed<dddggfdej e dej e j dej e j dejeedejef d Z de d dfd Z de j d dfd Zde j d dfd Zdeded dfdZded dfdZ ddedej ejdejd efdZdS) CertificateRevocationListBuilderr_revoked_certificatesNrrrr-revoked_certificatescL||_||_||_||_||_dSr)r _last_update _next_updaterrB)r"rrrr-rCs r$r!z)CertificateRevocationListBuilder.__init__|s2(''%%9"""r%rct|tstd|jt dt ||j|j|j|j S)Nrr$) rOrrrr/rArErFrrB)r"rs r$rz,CertificateRevocationListBuilder.issuer_namesj+t,, ;9:: :   (DEE E/         &    r%cbt|tjstd|jt dt |}|t krt d|j||jkrt dt|j ||j|j |j S)Nr8!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rOr;rrEr/r?r9rFrArrrB)r"rs r$rz,CertificateRevocationListBuilder.last_updates+x'899 :899 9   (@AA A0== + + +M    ([4;L-L-LK 0         &    r%cbt|tjstd|jt dt |}|t krt d|j||jkrt dt|j |j||j |j S)Nr8rIrJz8The next update date must be after the last update date.) rOr;rrFr/r?r9rErArrrB)r"rs r$rz,CertificateRevocationListBuilder.next_updates+x'899 :899 9   (@AA A0== + + +M    ([4;L-L-LJ 0         &    r%r r ct|tstdt|j||}t ||jt|j|j |j |j|gz|j S)zM Adds an X.509 extension to the certificate revocation list. r ) rOrrrrr1rrArrErFrBr s r$rz.CertificateRevocationListBuilder.add_extensions &-00 B@AA Afj(F;; #It/?@@@/         { *  &    r%revoked_certificatect|tstdt|j|j|j|j|j|gzS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rOrrrArrErFrrB)r"rMs r$add_revoked_certificatez8CertificateRevocationListBuilder.add_revoked_certificatesa -/ABB IGHH H/          &*=)> >    r%rrvrc|jtd|jtd|jtdt j|||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rr/rErFrcreate_x509_crlrs r$rz%CertificateRevocationListBuilder.signsa   $=>> >   $ABB B   $ABB B({IFFFr%r)r&r'r(rfrrrr?rrrr;r!rrrr[rrOrrrrrrr\r%r$rArAxsY}56666!;'9::::.2:>:><>@B : :_T* :_X%67 :_X%67 : K - 89 : %k*<= : : : :    +      #, +    0 #, +    0 # /3 +    & #5 +    *# GG2G?6#78G G # GGGGGGr%rAc eZdZddgfdejedejejdejee fdZ deddfdZ d ejddfd Z d e d e ddfd ZddejdefdZdS)RevokedCertificateBuilderNr}rr-c0||_||_||_dSrrrs r$r!z"RevokedCertificateBuilder.__init__rr%r/rc$t|tstd|jt d|dkrt d|dkrt dt ||j|jS)Nr1r2rz$The serial number should be positiver3r4) rOrXrrr/r5rSrrr6s r$r}z'RevokedCertificateBuilder.serial_number s&#&& GEFF F   *FGG G Q;;CDD D     # % %H ) D)4+;   r%r7ct|tjstd|jt dt |}|t krt dt|j||j S)Nr8z)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rOr;rrr/r?r9rSrrr:s r$rz)RevokedCertificateBuilder.revocation_dates$ 122 :899 9  ,HII I)$// $ $ $L )  t'7   r%r r ct|tstdt|j||}t ||jt|j|j |j|gzS)Nr ) rOrrrrr1rrSrrr s r$rz'RevokedCertificateBuilder.add_extension,sw&-00 B@AA Afj(F;; #It/?@@@(    !   { *   r%rc|jtd|jtdt|j|jt |jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr/rrrr)r"rs r$buildzRevokedCertificateBuilder.build:sf   &NOO O  (C &    ! t' ( (   r%r)r&r'r(rfrrXr;rrrr!r}rr[rrrrYr\r%r$rSrSs/3>B<> &&s+& ):;&K - 89 &&&& C ,G    $ % $     #  /3  $        VZ  3E       r%rScbttjdddz S)Nbigr)rX from_bytesosurandomr\r%r$random_serial_numberr`Hs# >>"*R..% 0 0A 55r%r)Err;r^rf cryptographyr"cryptography.hazmat.bindings._rustrrcryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricrrr r r r r /cryptography.hazmat.primitives.asymmetric.typesrrrcryptography.x509.extensionsrrrrcryptography.x509.namerrcryptography.x509.oidrr9 Exceptionrrr1rrWrrXr6r?rAr^EnumrlrqABCMetaruregisterrrrrrrrrrrrrrrArSr`r\r%r$rms   @@@@@@@@@@@@@@  32222222222222'X&tQ22  E'E Im45E EEEE E  E  %ufoc.BBC E  E E E E X%6 8;L    !8!8!8!8!8!8!8!8HNNNNNNNN(     ej   -----Y--- i i i i i CKi i i i Z Y*+++     3;    *I8999     /   0q q q q q #+q q q q h""9#FGGGQ Q Q Q Q #+Q Q Q Q j""9#FGGG (,55 5 *55555(,55 5 *55555(,-- - *-----(,-- - *-----(,-- - *-----(,-- - *----- YGYGYGYGYGYGYGYGxjOjOjOjOjOjOjOjOZDGDGDGDGDGDGDGDGNF F F F F F F F R6c666666r%