From 490a0b97c708c36dfbc6f5ec5d44182f751b5e07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20B=C3=A9dard?= Date: Mon, 17 Apr 2023 17:29:27 -0400 Subject: [PATCH 01/44] Detail the file structure of frame encrypted files --- doc/RecordingControl.xml | 72 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 69 insertions(+), 3 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index e1080ed8e..ec5c4a9cc 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -182,6 +182,7 @@ Change Request 2061, 2063, 2065, 2109 RFC 6381 — The 'Codecs' and 'Profiles' Parameters for "Bucket" Media Types <> ONVIF Core Specification <> ONVIF Schedule Service Specification <> + W3C "cenc" Initialization Data Format <> Terms and Definitions @@ -2001,10 +2002,10 @@ secfrac = "." 1*6DIGIT -
- Encryption +
+ Frame Encryption - A device signaling support for recording to an external target with encryption shall support writing encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). + A device signaling support for recording to an external target with frame encryption shall support writing encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). Each Encryption entry configured for a recording covers a distinct set of tracks for which to apply the encryption, identified by the Track element. If an encryption entry contains no Track elements, it covers all tracks of the recording. If an encryption entry contains one or more Track elements, it covers the tracks indicated by the track tokens contained in these elements. @@ -2038,6 +2039,71 @@ secfrac = "." 1*6DIGIT If an encryption entry is reconfigured for an active recording, the device shall continue to use the old configuration for any open segments and shall start to use the new configuration for new segments. +
+ Encryption Keys Storage + + When frame encryption is configured, the device shall store relevant information about the encryption keys used in the files with "Protection system specific header" (or 'pssh') boxes [ISO/IEC 23001-7]. + +
+ Standard CENC system + + When a file is frame encrypted a pssh "CENC" box SHALL be present in the file according to [W3C "cenc" Initialization Data Format]. This is independant of the Frame Encryption Mode (CENC or CBCS).
+ "Version" field SHALL be "1" and the "SystemID" field SHALL be "1077efec-c0b2-4d02-ace3-3c1e52e2fb4b".
+ The "KID_count" SHALL be "1" with "KID" field equal to the value of KID configured for the encryption entry as the key identifier. + +
+
+ Key rotation system + + When key rotation is configured (see section X.Y) an additional pssh box SHALL be present in the file, defined here.
+ "Version" field SHALL be "1" and the "SystemID" field SHALL be "ca774354-6f98-41b6-b17a-b15f7bbf678a".
+ The "KID_count" SHALL be "1" with "KID" field equal to a generated UUID by the device. This "KID" SHOULD be the same in all files until the symmetric key changes.
+ "DataSize" SHALL be the size of the following "Data" byte array, containing this binary structure: + + + + + CertificateThumbprintSize (uint) + + + Size of the CertificateThumbprint field. SHALL be '20'. + + + + + CertificateThumbprint (byte[CertificateThumbprintSize]) + + + Thumbprint of the certificate used to encrypted the symmetric key (Computed using SHA-1). + + + + + EncryptedKeySize (uint) + + + Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the Certificate. + + + + + EncryptedKey (byte[EncryptedKeySize]) + + + The symmetric key (identified by KID) used for frame encryption, encrypted with the Certificate. + + + + + + + This data structure and its containing "pssh" box defined here allow for a client application to decrypt the symmetric key and then decrypt the frames with it. The presence of the CENC pssh is highly recommended by W3C as it increase compatibility with standard players. However, if key rotation is being used the client application may not have access to the symmetric key generated by the device. The second "pssh" box contains the required information to obtain the symmetric key, provided it has access to the Certificate's private key (directly or through a key server, for example). A client application would be aware of this fact indicated by the presence of the second "pssh" box. This box SHOULD not be present if the symmetric key was configured by the user (no key rotation). Additionnal "pssh" boxes COULD be present to support alternative DRM systems. + + + Note that DRM systems and client implementations are outside the scope of this specification. + +
+
Object attributes From 060043fd9de1b6d72292b0754f506233f6481975 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Fri, 31 Mar 2023 04:36:44 -0400 Subject: [PATCH 02/44] Support key rotation for cloud recording --- doc/RecordingControl.xml | 7 ++++++- wsdl/ver10/schema/onvif.xsd | 5 +++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index ec5c4a9cc..eb3596a2c 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2033,8 +2033,13 @@ secfrac = "." 1*6DIGIT The device shall create an individual initialization vector for each segment. - The device shall encrypt with the Key configured for the encryption entry as the encryption key. The device shall interpret the KID configured for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. + When KeyRotationDuration is not set, the device shall encrypt with the Key configured for the encryption entry as the encryption key, otherwise the device shall generate a new encryption key at the specified interval as defined by KeyRotationDuration. + KeyRotationDuration must be a positive duration value. + New segments shall use the latest generated key for its encryption. + + When KeyRotationDuration is set, the Key shall be the public key from an asymmetric key pair, with the private key only known by the client. + The client shall use the private key to decrypt the key file containing the keys generated to encrypt the tracks. If an encryption entry is reconfigured for an active recording, the device shall continue to use the old configuration for any open segments and shall start to use the new configuration for new segments. diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index 56c50796e..9bd23f3a2 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -7693,6 +7693,11 @@ and sample rate. + + + Frequency at which the device shall generate a new key to encrypt a new segment. If not specified, key rotation is disabled. + + From 32bdfbc23c671a40940b28783a7da25b9ccb4db5 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Thu, 6 Apr 2023 13:35:05 -0400 Subject: [PATCH 03/44] Clarify usage of sym key generated by key rotation --- doc/RecordingControl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index eb3596a2c..e36f1f773 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2034,7 +2034,7 @@ secfrac = "." 1*6DIGIT The device shall create an individual initialization vector for each segment. The device shall interpret the KID configured for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. - When KeyRotationDuration is not set, the device shall encrypt with the Key configured for the encryption entry as the encryption key, otherwise the device shall generate a new encryption key at the specified interval as defined by KeyRotationDuration. + When KeyRotationDuration is not set, the device shall encrypt with the Key configured for the encryption entry, otherwise the device shall generate a new encryption key at the specified interval as defined by KeyRotationDuration. KeyRotationDuration must be a positive duration value. New segments shall use the latest generated key for its encryption. From 51a188f13bb4afa6c1760d6c275636458287d342 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Wed, 19 Apr 2023 09:23:09 -0400 Subject: [PATCH 04/44] Review formatting and wording of the latest changes --- doc/RecordingControl.xml | 42 +++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index e36f1f773..f8f3314a1 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2037,9 +2037,8 @@ secfrac = "." 1*6DIGIT When KeyRotationDuration is not set, the device shall encrypt with the Key configured for the encryption entry, otherwise the device shall generate a new encryption key at the specified interval as defined by KeyRotationDuration. KeyRotationDuration must be a positive duration value. New segments shall use the latest generated key for its encryption. - + When KeyRotationDuration is set, the Key shall be the public key from an asymmetric key pair, with the private key only known by the client. - The client shall use the private key to decrypt the key file containing the keys generated to encrypt the tracks. If an encryption entry is reconfigured for an active recording, the device shall continue to use the old configuration for any open segments and shall start to use the new configuration for new segments. @@ -2047,23 +2046,34 @@ secfrac = "." 1*6DIGIT
Encryption Keys Storage - When frame encryption is configured, the device shall store relevant information about the encryption keys used in the files with "Protection system specific header" (or 'pssh') boxes [ISO/IEC 23001-7]. + When frame encryption is configured, the device shall store relevant information about the encryption keys used in the files with 'Protection system specific header' (or 'pssh') boxes [ISO/IEC 23001-7].
Standard CENC system - When a file is frame encrypted a pssh "CENC" box SHALL be present in the file according to [W3C "cenc" Initialization Data Format]. This is independant of the Frame Encryption Mode (CENC or CBCS).
- "Version" field SHALL be "1" and the "SystemID" field SHALL be "1077efec-c0b2-4d02-ace3-3c1e52e2fb4b".
- The "KID_count" SHALL be "1" with "KID" field equal to the value of KID configured for the encryption entry as the key identifier. + When a file is frame encrypted a pssh 'CENC' box SHALL be present in the file according to [W3C 'cenc' Initialization Data Format]. + This is independent of the EncryptionMode. + + + 'Version' field SHALL be '1' and the 'SystemID' field SHALL be '1077efec-c0b2-4d02-ace3-3c1e52e2fb4b'. + + + The 'KID_count' SHALL be '1' with 'KID' field equal to the value of KID configured for the encryption entry as the key identifier.
Key rotation system - When key rotation is configured (see section X.Y) an additional pssh box SHALL be present in the file, defined here.
- "Version" field SHALL be "1" and the "SystemID" field SHALL be "ca774354-6f98-41b6-b17a-b15f7bbf678a".
- The "KID_count" SHALL be "1" with "KID" field equal to a generated UUID by the device. This "KID" SHOULD be the same in all files until the symmetric key changes.
- "DataSize" SHALL be the size of the following "Data" byte array, containing this binary structure: + When KeyRotationDuration is configured (see , an additional pssh box SHALL be present in the MP4 file, as defined here. + + + 'Version' field SHALL be '1' and the 'SystemID' field SHALL be 'ca774354-6f98-41b6-b17a-b15f7bbf678a'. + + + The 'KID_count' SHALL be '1' with 'KID' field equal to a generated UUID by the device. This 'KID' SHOULD be the same in all segments until the symmetric key changes. + + + 'DataSize' SHALL be the size of the following 'Data' byte array, containing this binary structure: @@ -2087,7 +2097,7 @@ secfrac = "." 1*6DIGIT EncryptedKeySize (uint) - Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the Certificate. + Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate. @@ -2095,14 +2105,20 @@ secfrac = "." 1*6DIGIT EncryptedKey (byte[EncryptedKeySize]) - The symmetric key (identified by KID) used for frame encryption, encrypted with the Certificate. + The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate. - This data structure and its containing "pssh" box defined here allow for a client application to decrypt the symmetric key and then decrypt the frames with it. The presence of the CENC pssh is highly recommended by W3C as it increase compatibility with standard players. However, if key rotation is being used the client application may not have access to the symmetric key generated by the device. The second "pssh" box contains the required information to obtain the symmetric key, provided it has access to the Certificate's private key (directly or through a key server, for example). A client application would be aware of this fact indicated by the presence of the second "pssh" box. This box SHOULD not be present if the symmetric key was configured by the user (no key rotation). Additionnal "pssh" boxes COULD be present to support alternative DRM systems. + This data structure and its containing 'pssh' box defined here allows for a client application to decrypt the symmetric key and then decrypt the frames with it. + The presence of the CENC 'pssh' box is highly recommended by W3C as it increases compatibility with standard players. + However, if KeyRotationDuration is being used, the client application may not have access to the symmetric key generated by the device. + The second 'pssh' box contains the required information to obtain the symmetric key, provided it has access to the certificate's private key (directly or through a key server, for example). + A client application would be aware of this fact indicated by the presence of the second 'pssh' box. + This box SHOULD not be present if the symmetric key was configured by the user (no key rotation). + Additionnal 'pssh' boxes COULD be present to support alternative DRM systems. Note that DRM systems and client implementations are outside the scope of this specification. From 127560b91d4f0971d247a50053fcfd91b7669568 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Fri, 28 Apr 2023 08:33:33 -0400 Subject: [PATCH 05/44] Clarified wording for the initialization vector --- doc/RecordingControl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index f8f3314a1..adfff9329 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2032,7 +2032,7 @@ secfrac = "." 1*6DIGIT - The device shall create an individual initialization vector for each segment. + The device shall create a unique initialization vector for each segment. The device shall interpret the KID configured for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. When KeyRotationDuration is not set, the device shall encrypt with the Key configured for the encryption entry, otherwise the device shall generate a new encryption key at the specified interval as defined by KeyRotationDuration. KeyRotationDuration must be a positive duration value. From 1a7d3fdfa43d8f67c4176ad02243583d3058db76 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Tue, 23 May 2023 11:37:09 -0400 Subject: [PATCH 06/44] Add certificateId to the data model --- doc/RecordingControl.xml | 3 +-- wsdl/ver10/schema/onvif.xsd | 5 +++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index adfff9329..e2c92bda5 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2037,8 +2037,7 @@ secfrac = "." 1*6DIGIT When KeyRotationDuration is not set, the device shall encrypt with the Key configured for the encryption entry, otherwise the device shall generate a new encryption key at the specified interval as defined by KeyRotationDuration. KeyRotationDuration must be a positive duration value. New segments shall use the latest generated key for its encryption. - - When KeyRotationDuration is set, the Key shall be the public key from an asymmetric key pair, with the private key only known by the client. + The device shall include one or more PSSH boxes as defined in when frame encryption is configured. If an encryption entry is reconfigured for an active recording, the device shall continue to use the old configuration for any open segments and shall start to use the new configuration for new segments. diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index 9bd23f3a2..cf9ad2df7 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -7693,6 +7693,11 @@ and sample rate. + + + List of certificates used to encrypt the symmetric key for the PSSH box. + + Frequency at which the device shall generate a new key to encrypt a new segment. If not specified, key rotation is disabled. From 6a3141eca97d902badc32eb8055160a344b58536 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Mon, 12 Jun 2023 13:57:11 -0400 Subject: [PATCH 07/44] Update pssh box to support multiple certificates --- doc/RecordingControl.xml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index e2c92bda5..8160733d0 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2075,6 +2075,27 @@ secfrac = "." 1*6DIGIT 'DataSize' SHALL be the size of the following 'Data' byte array, containing this binary structure: + + + EncryptedKeyEntryCount (uint) + + + Number of entries containing encryption information required to decrypt the symmetric key. SHALL be 1 or more. + + + + + EncryptedKeyEntry ([EncryptionEntryCount]) + + + A list of entries containing encryption information required to decrypt the symmetric key. + + + + + + + The EncryptedKeyEntry model is defined as: CertificateThumbprintSize (uint) From 8e197fd942b2599b1fe0a39a01508a6212ebadb7 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Thu, 15 Jun 2023 08:49:08 -0400 Subject: [PATCH 08/44] Rename and change type for CertificateId in RecordingEncryption --- wsdl/ver10/schema/onvif.xsd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index cf9ad2df7..5de8ed60e 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -7693,7 +7693,7 @@ and sample rate. - + List of certificates used to encrypt the symmetric key for the PSSH box. From 3c565d8dd3b72b222d23069bd07539d19607de79 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Thu, 22 Jun 2023 10:32:34 -0400 Subject: [PATCH 09/44] Apply code review suggestions --- doc/RecordingControl.xml | 10 +++++----- wsdl/ver10/schema/onvif.xsd | 7 ++++++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 7ad47906e..a1c212d89 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2011,7 +2011,7 @@ secfrac = "." 1*6DIGIT
- Frame Encryption + Frame encryption A device signaling support for recording to an external target with frame encryption shall support writing encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). Each Encryption entry configured for a recording covers a distinct set of tracks for which to apply the encryption, identified by the Track element. @@ -2051,7 +2051,7 @@ secfrac = "." 1*6DIGIT If an encryption entry is reconfigured for an active recording, the device shall continue to use the old configuration for any open segments and shall start to use the new configuration for new segments.
- Encryption Keys Storage + Encryption keys storage When frame encryption is configured, the device shall store relevant information about the encryption keys used in the files with 'Protection system specific header' (or 'pssh') boxes [ISO/IEC 23001-7]. @@ -2093,7 +2093,7 @@ secfrac = "." 1*6DIGIT - EncryptedKeyEntry ([EncryptionEntryCount]) + EncryptedKeyEntries (EncryptedKeyEntry[EncryptionEntryCount]) A list of entries containing encryption information required to decrypt the symmetric key. @@ -2145,8 +2145,8 @@ secfrac = "." 1*6DIGIT However, if KeyRotationDuration is being used, the client application may not have access to the symmetric key generated by the device. The second 'pssh' box contains the required information to obtain the symmetric key, provided it has access to the certificate's private key (directly or through a key server, for example). A client application would be aware of this fact indicated by the presence of the second 'pssh' box. - This box SHOULD not be present if the symmetric key was configured by the user (no key rotation). - Additionnal 'pssh' boxes COULD be present to support alternative DRM systems. + This box should not be present if the symmetric key was configured by the user (no key rotation). + Additionnal 'pssh' boxes may be present to support alternative DRM systems. Note that DRM systems and client implementations are outside the scope of this specification. diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index 14cf9fe96..92331f894 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -7671,7 +7671,12 @@ and sample rate. - + + + + + + Key ID of the associated key for encryption. From e23cca761adb0297d77005e9e70c6a0fac042577 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Mon, 10 Jul 2023 14:06:09 -0400 Subject: [PATCH 10/44] Update the specification and wording to explicitely define the 2 encryption methods --- doc/RecordingControl.xml | 28 ++++++++++--------- wsdl/ver10/schema/onvif.xsd | 54 +++++++++++++++++++++++-------------- 2 files changed, 49 insertions(+), 33 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index a1c212d89..10ac9bd9a 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2040,14 +2040,20 @@ secfrac = "." 1*6DIGIT - The device shall create a unique initialization vector for each segment. - The device shall interpret the KID configured for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. - When KeyRotationDuration is not set, the device shall encrypt with the Key configured for the encryption entry, otherwise the device shall generate a new encryption key at the specified interval as defined by KeyRotationDuration. - KeyRotationDuration must be a positive duration value. - New segments shall use the latest generated key for its encryption. - The device shall include one or more PSSH boxes as defined in when frame encryption is configured. + StaticKey or Certificate elements are mutually exclusive. + + + When using StaticKey then the device shall interpret the configured KID for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. + The device shall include a Standard CENC PSSH box. + + + When using Certificate then the device shall generate a KID/Key pair and encrypt the Key with each certificate public key defined in the configuration. The encrypted keys shall be stored in the file using a Key rotation system PSSH box. + When KeyRotationDuration is set then the device shall generate a new KID/Key pair at the specified time interval as defined by KeyRotationDuration. + New segments shall use the latest generated Key for its encryption. + The device shall create a unique initialization vector for each segment. + Each encrypted file shall include the moov box containing the required PSSH box(es) according to the encryption entry configuration. If an encryption entry is reconfigured for an active recording, the device shall continue to use the old configuration for any open segments and shall start to use the new configuration for new segments.
@@ -2055,7 +2061,7 @@ secfrac = "." 1*6DIGIT When frame encryption is configured, the device shall store relevant information about the encryption keys used in the files with 'Protection system specific header' (or 'pssh') boxes [ISO/IEC 23001-7]. -
+
Standard CENC system When a file is frame encrypted a pssh 'CENC' box SHALL be present in the file according to [W3C 'cenc' Initialization Data Format]. @@ -2068,11 +2074,8 @@ secfrac = "." 1*6DIGIT The 'KID_count' SHALL be '1' with 'KID' field equal to the value of KID configured for the encryption entry as the key identifier.
-
+
Key rotation system - - When KeyRotationDuration is configured (see , an additional pssh box SHALL be present in the MP4 file, as defined here. - 'Version' field SHALL be '1' and the 'SystemID' field SHALL be 'ca774354-6f98-41b6-b17a-b15f7bbf678a'. @@ -2142,10 +2145,9 @@ secfrac = "." 1*6DIGIT This data structure and its containing 'pssh' box defined here allows for a client application to decrypt the symmetric key and then decrypt the frames with it. The presence of the CENC 'pssh' box is highly recommended by W3C as it increases compatibility with standard players. - However, if KeyRotationDuration is being used, the client application may not have access to the symmetric key generated by the device. + However, if Certificate is being used, the client application may not have access to the symmetric key generated by the device. The second 'pssh' box contains the required information to obtain the symmetric key, provided it has access to the certificate's private key (directly or through a key server, for example). A client application would be aware of this fact indicated by the presence of the second 'pssh' box. - This box should not be present if the symmetric key was configured by the user (no key rotation). Additionnal 'pssh' boxes may be present to support alternative DRM systems. diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index 92331f894..2b333c2e4 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -8,12 +8,13 @@ Recipients of this document may copy, distribute, publish, or display this docum THIS DOCUMENT IS PROVIDED "AS IS," AND THE CORPORATION AND ITS MEMBERS AND THEIR AFFILIATES, MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR TITLE; THAT THE CONTENTS OF THIS DOCUMENT ARE SUITABLE FOR ANY PURPOSE; OR THAT THE IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR RELATING TO ANY USE OR DISTRIBUTION OF THIS DOCUMENT, WHETHER OR NOT (1) THE CORPORATION, MEMBERS OR THEIR AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR (2) SUCH DAMAGES WERE REASONABLY FORESEEABLE, AND ARISING OUT OF OR RELATING TO ANY USE OR DISTRIBUTION OF THIS DOCUMENT. THE FOREGOING DISCLAIMER AND LIMITATION ON LIABILITY DO NOT APPLY TO, INVALIDATE, OR LIMIT REPRESENTATIONS AND WARRANTIES MADE BY THE MEMBERS AND THEIR RESPECTIVE AFFILIATES TO THE CORPORATION AND OTHER MEMBERS IN CERTAIN WRITTEN POLICIES OF THE CORPORATION. --> - + + @@ -7668,20 +7669,19 @@ and sample rate. - - + + + + + + - - - - - - + Key ID of the associated key for encryption. - + Key for encrypting content. @@ -7689,23 +7689,37 @@ and sample rate. - + + + + + - - Optional list of track tokens to be encrypted. - If no track tokens are specified, all tracks are encrypted and no other encryption configurations shall exist for the recording. - Each track shall only be contained in one encryption configuration. - + List of certificates used to encrypt the symmetric key for the PSSH box. - + - List of certificates used to encrypt the symmetric key for the PSSH box. + + Frequency at which the device shall generate a new key to encrypt a new segment. + If not specified, key rotation is disabled. + KeyRotationDuration must be a positive duration value. - + + + + + + + + - Frequency at which the device shall generate a new key to encrypt a new segment. If not specified, key rotation is disabled. + + Optional list of track tokens to be encrypted. + If no track tokens are specified, all tracks are encrypted and no other encryption configurations shall exist for the recording. + Each track shall only be contained in one encryption configuration. + From af7c1366cb3a5e03fe4b791c41412a9be1b86c13 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Mon, 24 Jul 2023 14:15:33 -0400 Subject: [PATCH 11/44] Update box definition by using ISOBMFF syntax --- doc/RecordingControl.xml | 138 +++++++++++++++++---------------------- 1 file changed, 60 insertions(+), 78 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 10ac9bd9a..b53d61338 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2064,95 +2064,77 @@ secfrac = "." 1*6DIGIT
Standard CENC system - When a file is frame encrypted a pssh 'CENC' box SHALL be present in the file according to [W3C 'cenc' Initialization Data Format]. + When a file is frame encrypted exactly one pssh box of type 'CENC' box shall be present in the file according to [W3C 'cenc' Initialization Data Format]. This is independent of the EncryptionMode. + Additionnal types of 'pssh' boxes may be present to support alternative DRM systems, such as . - - 'Version' field SHALL be '1' and the 'SystemID' field SHALL be '1077efec-c0b2-4d02-ace3-3c1e52e2fb4b'. - - - The 'KID_count' SHALL be '1' with 'KID' field equal to the value of KID configured for the encryption entry as the key identifier. - +
+ Syntax + + See example of a CENC pssh box by W3C. +
+
+ Semantics + Version shall be '1'. + Flags shall be '0'. + SystemID shall be '1077efec-c0b2-4d02-ace3-3c1e52e2fb4b'. + KID_count be equal to the number of different keys used in the file. + KID, one for each RecordingEncryption. + DataSize shall be '0'. +
Key rotation system - 'Version' field SHALL be '1' and the 'SystemID' field SHALL be 'ca774354-6f98-41b6-b17a-b15f7bbf678a'. - - - The 'KID_count' SHALL be '1' with 'KID' field equal to a generated UUID by the device. This 'KID' SHOULD be the same in all segments until the symmetric key changes. - - - 'DataSize' SHALL be the size of the following 'Data' byte array, containing this binary structure: - - - - - EncryptedKeyEntryCount (uint) - - - Number of entries containing encryption information required to decrypt the symmetric key. SHALL be 1 or more. - - - - - EncryptedKeyEntries (EncryptedKeyEntry[EncryptionEntryCount]) - - - A list of entries containing encryption information required to decrypt the symmetric key. - - - - + The box contains the required information to obtain the symmetric key, provided it has access to the certificate's private key (directly or through a key server, for example) and then decrypt the frames with it. - The EncryptedKeyEntry model is defined as: - - - CertificateThumbprintSize (uint) - - - Size of the CertificateThumbprint field. SHALL be '20'. - - - - - CertificateThumbprint (byte[CertificateThumbprintSize]) - - - Thumbprint of the certificate used to encrypted the symmetric key (Computed using SHA-1). - - - - - EncryptedKeySize (uint) - - - Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate. - - - - - EncryptedKey (byte[EncryptedKeySize]) - - - The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate. - - - - - - - This data structure and its containing 'pssh' box defined here allows for a client application to decrypt the symmetric key and then decrypt the frames with it. - The presence of the CENC 'pssh' box is highly recommended by W3C as it increases compatibility with standard players. - However, if Certificate is being used, the client application may not have access to the symmetric key generated by the device. - The second 'pssh' box contains the required information to obtain the symmetric key, provided it has access to the certificate's private key (directly or through a key server, for example). - A client application would be aware of this fact indicated by the presence of the second 'pssh' box. Additionnal 'pssh' boxes may be present to support alternative DRM systems. - - Note that DRM systems and client implementations are outside the scope of this specification. +
+ Syntax + +
+
+ Semantics + Version shall be '1'. + Flags shall be '0'. + SystemID shall be 'ca774354-6f98-41b6-b17a-b15f7bbf678a'. + KID_count shall be '1'. + KID is the generated UUID by the device. This KID should be the same in all segments until the symmetric key changes. + DataSize is the size in bytes of all the other fields present in this box following this field. + EncryptedKeyEntryCount Number of entries containing encryption information required to decrypt the symmetric key. Shall be 1 or more. + CertificateThumbprintSize Size of the CertificateThumbprint field. Shall be '20'. + CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key (Computed using SHA-1). + EncryptedKeySize Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate. + EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate. +
From ac2c8637af300f2053fe7e7bd2814539179defb6 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Mon, 24 Jul 2023 14:16:13 -0400 Subject: [PATCH 12/44] Add padding for encryption key --- doc/RecordingControl.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index b53d61338..fea0d7289 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -187,6 +187,7 @@ Change Request 2061, 2063, 2065, 2109 ISO/IEC 23001-7:2016 — Information technology — MPEG systems technologies — Part 7: Common encryption in ISO base media file format files <> ISO 8601-1:2019 — Date and time — Representations for information interchange — Part 1: Basic rules <> RFC 5234 — Augmented BNF for Syntax Specifications: ABNF <> + RFC 5652 — Cryptographic Message Syntax (CMS) <> RFC 6381 — The 'Codecs' and 'Profiles' Parameters for "Bucket" Media Types <> ONVIF Core Specification <> ONVIF Schedule Service Specification <> @@ -2133,7 +2134,7 @@ aligned(8) class KeyRotationSystemHeaderBox extends FullBox('pssh', version=1, f CertificateThumbprintSize Size of the CertificateThumbprint field. Shall be '20'. CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key (Computed using SHA-1). EncryptedKeySize Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate. - EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate. + EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate. Padding is done according to [RFC 5652].
From 470f3c9c7e2164a267829987972a221d6f8d3370 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Thu, 27 Jul 2023 10:11:06 -0400 Subject: [PATCH 13/44] Fix link reference --- doc/RecordingControl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index fea0d7289..99c94847a 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2082,7 +2082,7 @@ aligned(8) class ProtectionSystemSpecificHeaderBox extends FullBox('pssh', versi unsigned int(32) DataSize = 0; } ]]> - See example of a CENC pssh box by W3C. + See W3C "cenc" Initialization Data Format for an example of this box.
Semantics From f5860a273d16c7234e87a5118f36f913d850ea92 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Thu, 27 Jul 2023 10:35:21 -0400 Subject: [PATCH 14/44] Update CENC to only require the box when using static key encryption --- doc/RecordingControl.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 99c94847a..599ec71f5 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2065,9 +2065,9 @@ secfrac = "." 1*6DIGIT
Standard CENC system - When a file is frame encrypted exactly one pssh box of type 'CENC' box shall be present in the file according to [W3C 'cenc' Initialization Data Format]. + When a file is frame encrypted using a StaticKey then exactly one pssh box of type 'CENC' box shall be present in the file according to [W3C 'cenc' Initialization Data Format]. This is independent of the EncryptionMode. - Additionnal types of 'pssh' boxes may be present to support alternative DRM systems, such as . + Additionnal types of 'pssh' boxes may be present to support alternative DRM systems.
Syntax From b8f1adbb8e35a673742ada1ea4835ce380667b12 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Thu, 27 Jul 2023 10:47:56 -0400 Subject: [PATCH 15/44] Update asymmetric key system description --- doc/RecordingControl.xml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 599ec71f5..0c057f242 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2095,9 +2095,12 @@ aligned(8) class ProtectionSystemSpecificHeaderBox extends FullBox('pssh', versi
- Key rotation system + Asymmetric key system - The box contains the required information to obtain the symmetric key, provided it has access to the certificate's private key (directly or through a key server, for example) and then decrypt the frames with it. + The box contains the encrypted symmetric key and the list of certificates that can be used to decrypt it. + The symmetric key is encrypted once for each configured certificate using the public key. + The client needs access to at least one of the certificates' private key to decrypt it (e.g. directly or through a key server). + The client can then decrypt the frames using this symmetric key. Additionnal 'pssh' boxes may be present to support alternative DRM systems. From dfa96bf7c0513d54970f68949d9e96b88a0ae9ed Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Mon, 31 Jul 2023 13:13:22 -0400 Subject: [PATCH 16/44] Update WSDL to return to old data model --- wsdl/ver10/schema/onvif.xsd | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index 2b333c2e4..375ee8bdc 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -7674,23 +7674,6 @@ and sample rate. - - - - - Key ID of the associated key for encryption. - - - - - - Key for encrypting content. - The device shall not include this parameter when reading. - - - - - @@ -7711,7 +7694,19 @@ and sample rate. - + + + Key ID of the associated key for encryption. + + + + + + Key for encrypting content. + The device shall not include this parameter when reading. + + + From 709cf987cf6370ea85f1dfc73f65e4036b50fa14 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Mon, 31 Jul 2023 13:25:55 -0400 Subject: [PATCH 17/44] Update spec to revert data model so as not to break compatibility --- doc/RecordingControl.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 0c057f242..b44dc197f 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2041,10 +2041,10 @@ secfrac = "." 1*6DIGIT - StaticKey or Certificate elements are mutually exclusive. + Key/KID and Certificate elements of the encryption entry are mutually exclusive. - When using StaticKey then the device shall interpret the configured KID for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. + When using Key/KID then the device shall interpret the configured KID for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. The device shall include a Standard CENC PSSH box. @@ -2065,7 +2065,7 @@ secfrac = "." 1*6DIGIT
Standard CENC system - When a file is frame encrypted using a StaticKey then exactly one pssh box of type 'CENC' box shall be present in the file according to [W3C 'cenc' Initialization Data Format]. + When a file is frame encrypted using a Key/KID then exactly one pssh box of type 'CENC' box shall be present in the file according to [W3C 'cenc' Initialization Data Format]. This is independent of the EncryptionMode. Additionnal types of 'pssh' boxes may be present to support alternative DRM systems. From 8475e50db44e40bcd1fc187863b35d41c3b4331d Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Thu, 3 Aug 2023 10:14:39 -0400 Subject: [PATCH 18/44] Fixed typo and remove unused type --- doc/RecordingControl.xml | 9 +++++---- wsdl/ver10/schema/onvif.xsd | 5 ----- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index b44dc197f..cab3f14a0 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2048,8 +2048,8 @@ secfrac = "." 1*6DIGIT The device shall include a Standard CENC PSSH box. - When using Certificate then the device shall generate a KID/Key pair and encrypt the Key with each certificate public key defined in the configuration. The encrypted keys shall be stored in the file using a Key rotation system PSSH box. - When KeyRotationDuration is set then the device shall generate a new KID/Key pair at the specified time interval as defined by KeyRotationDuration. + When using Certificate then the device shall generate a KID/Key pair and encrypt the Key with each certificate public key defined in the configuration. The encrypted keys shall be stored in the file using a Asymmetric key system PSSH box. + When KeyRotationDuration is set then the device shall generate a new KID/Key pair at the specified time interval as defined by KeyRotationDuration, but still use the current key until the segment is finished. New segments shall use the latest generated Key for its encryption. @@ -2076,7 +2076,7 @@ aligned(8) class ProtectionSystemSpecificHeaderBox extends FullBox('pssh', versi { unsigned int(8)[16] SystemID; unsigned int(32) KID_count; - for (i=1; i <= KID_count; i++){ + for (i=1; i <= KID_count; i++) { unsigned int(8)[16] KID; } unsigned int(32) DataSize = 0; @@ -2101,6 +2101,7 @@ aligned(8) class ProtectionSystemSpecificHeaderBox extends FullBox('pssh', versi The symmetric key is encrypted once for each configured certificate using the public key. The client needs access to at least one of the certificates' private key to decrypt it (e.g. directly or through a key server). The client can then decrypt the frames using this symmetric key. + If tracks are encrypted using different keys, then one AsymmetricKeySystemHeaderBox will be present per KID. Additionnal 'pssh' boxes may be present to support alternative DRM systems. @@ -2109,7 +2110,7 @@ aligned(8) class ProtectionSystemSpecificHeaderBox extends FullBox('pssh', versi
Syntax - - - - - From 1181d9091f3d9ac1a92d704bf36cc4a31a9cc857 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Wed, 23 Aug 2023 14:16:21 -0400 Subject: [PATCH 19/44] Rename Certificate to AsymmetricEncryption element in wsdl --- doc/RecordingControl.xml | 4 ++-- wsdl/ver10/schema/onvif.xsd | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index cab3f14a0..b8631f6bf 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2041,14 +2041,14 @@ secfrac = "." 1*6DIGIT - Key/KID and Certificate elements of the encryption entry are mutually exclusive. + Key/KID and AsymmetricEncryption elements of the encryption entry are mutually exclusive. When using Key/KID then the device shall interpret the configured KID for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. The device shall include a Standard CENC PSSH box. - When using Certificate then the device shall generate a KID/Key pair and encrypt the Key with each certificate public key defined in the configuration. The encrypted keys shall be stored in the file using a Asymmetric key system PSSH box. + When using AsymmetricEncryption then the device shall generate a KID/Key pair and encrypt the Key with each certificate public key defined in the configuration. The encrypted keys shall be stored in the file using a Asymmetric key system PSSH box. When KeyRotationDuration is set then the device shall generate a new KID/Key pair at the specified time interval as defined by KeyRotationDuration, but still use the current key until the segment is finished. New segments shall use the latest generated Key for its encryption. diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index 35a854f13..4784fc2de 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -7669,7 +7669,7 @@ and sample rate. - + @@ -7702,7 +7702,7 @@ and sample rate. - + From a223d7af212627f4e96af811857487030df03661 Mon Sep 17 00:00:00 2001 From: Jean-Francois Levesque Date: Thu, 7 Sep 2023 10:12:16 -0400 Subject: [PATCH 20/44] Add mention that full key must be used for encryption --- doc/RecordingControl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index b8631f6bf..1135323a6 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2098,7 +2098,7 @@ aligned(8) class ProtectionSystemSpecificHeaderBox extends FullBox('pssh', versi Asymmetric key system The box contains the encrypted symmetric key and the list of certificates that can be used to decrypt it. - The symmetric key is encrypted once for each configured certificate using the public key. + The symmetric key is encrypted once for each configured certificate using the public key (using their nominal encryption length). The client needs access to at least one of the certificates' private key to decrypt it (e.g. directly or through a key server). The client can then decrypt the frames using this symmetric key. If tracks are encrypted using different keys, then one AsymmetricKeySystemHeaderBox will be present per KID. From 6760db7f87ac59e213620c508ec049545daa9a71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Tue, 25 Mar 2025 14:49:28 -0400 Subject: [PATCH 21/44] Capabilities & fix advanced security in onvif.xsd --- doc/RecordingControl.xml | 6 +++--- wsdl/ver10/recording.wsdl | 7 +++++++ wsdl/ver10/schema/onvif.xsd | 4 ++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 874cbba53..236f356f3 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2125,11 +2125,11 @@ secfrac = "." 1*6DIGIT When using Key/KID then the device shall interpret the configured KID for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. - The device shall include a Standard CENC PSSH box. + The device shall include a Standard CENC PSSH box according to . - When using AsymmetricEncryption then the device shall generate a KID/Key pair and encrypt the Key with each certificate public key defined in the configuration. The encrypted keys shall be stored in the file using a Asymmetric key system PSSH box. - When KeyRotationDuration is set then the device shall generate a new KID/Key pair at the specified time interval as defined by KeyRotationDuration, but still use the current key until the segment is finished. + When using AsymmetricEncryption then the device shall generate a KID/Key pair and encrypt the Key with each certificate public key defined in the configuration. The encrypted keys shall be stored in the file using the Asymmetric key system PSSH box as defined in . + When KeyRotationDuration is set then the device shall generate a new KID/Key pair at the specified time interval, but still use the current key until the segment is finished. New segments shall use the latest generated Key for its encryption. diff --git a/wsdl/ver10/recording.wsdl b/wsdl/ver10/recording.wsdl index 68e8dd453..794eb1350 100644 --- a/wsdl/ver10/recording.wsdl +++ b/wsdl/ver10/recording.wsdl @@ -139,6 +139,13 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO + + + + Indicates if the device supports asymmetric encryption. + + + diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index 94d488d7c..bbc289a9f 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -7683,7 +7683,7 @@ and sample rate. - + List of certificates used to encrypt the symmetric key for the PSSH box. @@ -7714,7 +7714,6 @@ and sample rate. - @@ -7724,6 +7723,7 @@ and sample rate. + From 8ee1e37ac45d1a7d64d600f2707c4356fa9d1cd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Tue, 25 Mar 2025 14:51:57 -0400 Subject: [PATCH 22/44] Cleanup references --- doc/RecordingControl.xml | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 236f356f3..8447f1938 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -195,7 +195,6 @@ Change Request 2061, 2063, 2065, 2109 ISO/IEC 23001-7:2016 — Information technology — MPEG systems technologies — Part 7: Common encryption in ISO base media file format files <> ISO 8601-1:2019 — Date and time — Representations for information interchange — Part 1: Basic rules <> RFC 5234 — Augmented BNF for Syntax Specifications: ABNF <> - RFC 5652 — Cryptographic Message Syntax (CMS) <> RFC 6381 — The 'Codecs' and 'Profiles' Parameters for "Bucket" Media Types <> ONVIF Core Specification <> ONVIF Schedule Service Specification <> From 48f27444c9018aff098161f9fb53b30666e6e5a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Wed, 7 May 2025 10:18:29 -0400 Subject: [PATCH 23/44] Add RSA & EC encryption strategies to recording --- doc/RecordingControl.xml | 195 +++++++++++------- .../hpkeEncryption.excalidraw.svg | 2 + 2 files changed, 121 insertions(+), 76 deletions(-) create mode 100644 doc/media/RecordingControl/hpkeEncryption.excalidraw.svg diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 8447f1938..2ad488187 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -98,7 +98,7 @@ Hasan Timucin Ozdemir - Added 5.21 ExportRecordedData command and corresponding capability flag in 5.24 Capabilitites + Added 5.21 ExportRecordedData command and corresponding capability flag in 5.24 Capabilitites Added 5.22 StopExportRecordedData Added 5.23 GetExportRecordedDataStatus @@ -390,7 +390,7 @@ Change Request 2061, 2063, 2065, 2109
External targets - The target interface allows configuration for devices that support recording to external storage targets. + The target interface allows configuration for devices that support recording to external storage targets. For authentication configuration see the related storage configuration APIs of the core specification. @@ -540,7 +540,7 @@ Change Request 2061, 2063, 2065, 2109 AutoCreateReceiver: If a request includes this field set to true and no source token is provided, the device shall create a receiver object (through the receiver service) and assign the ReceiverReference to the - SourceToken field. A device shall never report this parameter in a + SourceToken field. A device shall never report this parameter in a RecordingJobConfiguration. A device may reject a request that neither contains a SourceToken nor AutoCreateRecevier set to true. SourceTag: If the received RTSP stream contains multiple tracks of the same type, the SourceTag differentiates between those Tracks. @@ -552,7 +552,7 @@ Change Request 2061, 2063, 2065, 2109 Event recording A device signalling support for EventRecording via its capabilities shall support controling recording job activity via the EventFilter with the following set of - parameters: + parameters: @@ -1496,7 +1496,7 @@ Change Request 2061, 2063, 2065, 2109 duration on its next segment. The override duration shall not exceed 1 hour. - When a new override request is sent before the previous override has expired, the new override shall replace the + When a new override request is sent before the previous override has expired, the new override shall replace the previous override and the new expiration shall apply. @@ -1681,14 +1681,14 @@ Change Request 2061, 2063, 2065, 2109 Recording job state changes If the state field of the RecordingJobStateInformation structure changes, a device shall provide the following event: Topic: tns1:RecordingConfig/JobState - - - - - - - - + + + + + + + + ]]> The ElementItem Information shall be provided whenever the state of the different tracks is not unique. It can be omitted when the state of all tracks of a recording is consistent. @@ -1697,35 +1697,35 @@ Change Request 2061, 2063, 2065, 2109 Configuration changes If the configuration of a recording is changed, a device shall provide the following event: Topic: tns1:RecordingConfig/RecordingConfiguration - - - - - - - + + + + + + + ]]> If the configuration of a track is changed, a device shall provide the following event: Topic: tns1:RecordingConfig/TrackConfiguration - - - - - - - - + + + + + + + + ]]> If the configuration of a recording job is changed, a device shall provide the following event: Topic: tns1:RecordingConfig/RecordingJobConfiguration - - - - - - - + + + + + + + ]]>
@@ -1733,15 +1733,15 @@ Change Request 2061, 2063, 2065, 2109 Data deletion Whenever data is deleted, a device shall provide the following event: Topic: tns1:RecordingConfig/DeleteTrackData - - - - - - - - - + + + + + + + + + ]]>
@@ -1749,44 +1749,44 @@ Change Request 2061, 2063, 2065, 2109 Recording and track creation and deletion Whenever a recording is created, a device shall provide the following event: Topic: tns1:RecordingConfig/CreateRecording - - - - - - + + + + + + ]]> Whenever a recording is deleted, a device shall provide the following event: Topic: tns1:RecordingConfig/DeleteRecording - - - - - - + + + + + + ]]> Whenever a track is created, a device shall provide the following event: Topic: tns1:RecordingConfig/CreateTrack - - - - - - - + + + + + + + ]]> Whenever a track is deleted, a device shall provide the following event: Topic: tns1:RecordingConfig/DeleteTrack - - - - - - - + + + + + + + ]]>
@@ -1954,7 +1954,7 @@ SetRecordingJobMode(JobToken, Active) SegmentDuration configured for the recording, the device shall close the open segment of this span and open a new segment for this span. When closing the open segment of a span and opening a new segment for this span, there shall be no time gap - between the two segments. Note that the actual segment duration may vary and can be plus or + between the two segments. Note that the actual segment duration may vary and can be plus or minus one GOP size from the configured duration because a segment must start with an I-Frame. The device shall generate each segment as a fragmented MP4 file according to ISO/IEC 14496-12, the ISO base media file format. @@ -2194,13 +2194,24 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, unsigned int(8)[16] SystemID; unsigned int(32) KID_count = 1; unsigned int(8)[16] KID; - unsigned int(32) DataSize; unsigned int(32) EncryptedKeyEntryCount; for (i=1; i <= EncryptedKeyEntryCount; i++) { + unsigned int(16) CertificateThumbprintAlgorithm; unsigned int(32) CertificateThumbprintSize; unsigned int(8)[CertificateThumbprintSize] CertificateThumbprint; - unsigned int(32) EncryptedKeySize; - unsigned int(8)[EncryptedKeySize] EncryptedKey; + unsigned int(16) EncryptionVersion; + unsigned int(32) EncryptionDataSize; + if (EncryptionVersion == 1) { + unsigned int(8)[EncryptionDataSize] EncryptedKey; + } else if (EncryptionVersion == 2) { + unsigned int(16) HpkeKem; + unsigned int(16) HpkeKdf; + unsigned int(16) HpkeAead; + unsigned int(8)[EncapsulatedSharedSecretSize] EncapsulatedSharedSecret; + unsigned int(16) EncryptedKeySize + unsigned int(8)[EncryptedKeySize] EncryptedKey; + } + } } ]]> @@ -2214,10 +2225,42 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, KID is the generated UUID by the device. This KID should be the same in all segments until the symmetric key changes. DataSize is the size in bytes of all the other fields present in this box following this field. EncryptedKeyEntryCount Number of entries containing encryption information required to decrypt the symmetric key. Shall be 1 or more. - CertificateThumbprintSize Size of the CertificateThumbprint field. Shall be '20'. + CertificateThumbprintAlgorithm defines the algorithm used to compute the thumbprint of the certificates. Those values are defined in the Security Baseline specification + CertificateThumbprintSize Size of the CertificateThumbprint field. CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key (Computed using SHA-1). + EncryptionVersion defines the encryption strategy used to encrypt the symmetric key for this certificate. + EncryptionDataSize defines the number of bytes used by the following bytes for this certificate. The next certificates, if any, will start after this number of bytes. + EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate according to the encryption version. + HpkeKem defines the KEM algorithm identifier used to encrypt the key with the current certificate. + HpkeHkdf defines the HKDF algorithm identifier used to encrypt the key with the current certificate. + HpkeAead defines the AEAD algorithm identifier used to encrypt the key with the current certificate. + EncapsulatedSharedSecret is the HPKE shared secret value necessary to decrypt the encrypted key according to RFC 9180. EncryptedKeySize Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate. - EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate. Padding is done according to [RFC 5652]. +
+
+ Encryption Version 1 + + This version is defined for use when the certificate contains an RSA public key. When using this version, + the symmetric key is directly encrypted using the public key of the certificate and the RSA-OEAP padding scheme + as defined in [RFC 5652]. + +
+
+ Encryption Version 2 + + This version is defined for the use of the HPKE algorithm as defined in [RFC 9180]. It is used + when the certificate contains an EC public key. Using the public key of the certificate and the + algorithms defined in the HpkeKem, HpkeHkdf, and HpkeAead fields, + the EncapsulatedSharedSecret field is derived using the Base mode of HPKE. + +
+ Encryption using HPKE algorithm + + + + + +
diff --git a/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg b/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg new file mode 100644 index 000000000..9b342966a --- /dev/null +++ b/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg @@ -0,0 +1,2 @@ +eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO1daXNcdTAwMWFLlv3ev8Lh/tpU53Zz6YiJXHRJSLL2zdY2PaFAgFx1MDAwNFx1MDAxNptYtHX0f597sS2qqKyigFx1MDAxMtK0oP3c71x1MDAwMSplVeY959zMu/zrL1++fO0/d6pf//Hla/WpXFxq1Cvd0uPXv9H7XHUwMDBm1W6v3m7hR2L43732oFtcdTAwMWV+s9bvd3r/+Pvfm6XuXbXfaZTK1eCh3lx1MDAxYpRcdTAwMWG9/qBSb1x1MDAwN+V28+/1frXZ+2/6e7/UrP5Xp92s9LvB6JdcdTAwMTSqlXq/3f31u6qNarPa6vfw6v+D//3ly7+Gf+Mn9Vxu/UbBn2q8VzzeOXbrm8+Du97q+d7L8EeHX/pzXHUwMDBi3Wq5X2rdNqqjj57wfVA2sM6BtNZcdTAwMWGjNbx++oyfXHUwMDE2pFx1MDAwYoyTwLWVTFx1MDAxOWB29PljvdKv4Xc4g8BI0IY7Z5hhkr9+pVat39b6+Fx1MDAxZMNcdTAwMDMwXHUwMDAwkjNcdTAwMDZcdTAwMTacev3Gr1x1MDAxMf3jXHUwMDBie32n1++276pr7Vx1MDAwNt4/XHUwMDBl+6/ixlWVXHUwMDFhXHL6ulS+u+22XHUwMDA3rcrrd/rdUqvXKXXxKY2+d1NvNE76z8Or4/zgg/069jvOft+AXHUwMDE4ez/pp/CX3tZa1Vx1MDAxZc3E6Fx1MDAxZdudUrnef1x1MDAxZT6I0V3QXGI7W5XhpP3vaExdnO4tmrXWoNF4fbveqlRpLr6WdOS3tSq/f9ufXHUwMDE5XHUwMDFmTaf8/c6/R2OvVunCglkljFx1MDAxNWY0wtBiZWr83f12a7hwLVx1MDAxOClccsjR/NZ7RVxcev3hVW9w+VZHU0BDW1x1MDAxZl+W4aVcdTAwMTlZef3q02heQlx1MDAwYnerKo5Wa51Oq3BwfNg5vLh6en6of3393r//5r/sr1x1MDAxZj7Y3N7GMYvV9o9iqfBQXHUwMDE2q73d++hv+fP7S91u+zF03d//NpqWQadS+nWf3CithdDcXHUwMDE5p18/b9Rbd+Nz1miX70aP5i+hXHUwMDAxj5mn/y5j5lx1MDAxOXlIvyzTqIBcdCOdc5xcdTAwMTlcdTAwMGU2apnCXHUwMDA1aExcdTAwMDa4XHUwMDE0XHUwMDA2XHUwMDE0SFx1MDAxMzNMgEBcdTAwMTnnXHUwMDE0WjfnhltcdTAwMDNxw1x1MDAwNLY0Rb8pXHUwMDFhvylGvv3b5rh1WoFxXGY8NsdVos0pyyzn2rhZbC7P5TtajbRcbvHuXHUwMDBmXHUwMDA31416+Z+tnepzaFx1MDAxYdut/kn9pTpcdTAwMDSSyLtcdTAwMWKlZr1Bz1x1MDAxZFwiV1pp1G/pXHUwMDExfC3joKvdr+Hn0K8j2b1+oVmvVMLMVMaLluqtancrXHUwMDBixbW79dt6q9T4XHUwMDFlXHUwMDE5/ZfI4EuDfvu42vs1/H53UFxyP57qtz/2wFx1MDAwM1x1MDAwMSnG/MIrlXqtILdcdTAwMDd7R3XBu/3Hzad2Zq7VkqPNOmaNUopcdTAwMTk1Mll6dpKZgFupmFx1MDAwNMO1Q1x1MDAxNI9TrYZcdTAwMDBcdTAwMWPStWNCKukzaFx1MDAwNFxyXHUwMDAwZixcdTAwMTejXHUwMDBmJ1t2XHUwMDE1WVvyT2LZdm6StTiJStuQ4Y7sXHUwMDFktFx1MDAxZH/3j71cdTAwMGLmOHJcdTAwMTaXi+PY6vrz5eVW+6n9fHS6t+12jrZcdTAwMWKbN1k5dqPIdky78Hh/1dg7X9mrbD/D2WpeXHUwMDFja1CihJ7EXFxcdTAwMWPrv8tcZlx1MDAxY4uwXHUwMDFkSG21NE4wrqyLWiR3gVx1MDAwMpxmxZ1OsEipXHUwMDAz/IJ1XHUwMDE2KVpYx3TcJKfi2E9liS47x1rLUOpcdTAwMDCTPpNjMbH7x+TwR5R0MjRz+VDs1Ks3RrHrrXKp01x1MDAxYjTouv9sndRwPitfTqrlbrX/XHUwMDExKHdcdTAwMDLTjVNuprvJh4PVpTtbWX1UTvJ9qZVcdTAwMTjA1XkjM1x1MDAwNyumXHUwMDAyy5TSzFx1MDAxOamlXHUwMDE4ibPMXHUwMDFj7PArwlx0QT9cdTAwMWXh2VeLl9NwL4o1Xlx1MDAxNp/E4lfm5l6OgtqiXHUwMDAxai/5qti7r0igpVx1MDAxNOCUnVx0XG5mY9+z5tZ65Ue7X29elHm/t7p1f1Dbycq+u3dcdTAwMTcr8PPoO1Pl1pl+Kcty87GZjX1Tr1veq6zsfbs7O7ttXHJOjlrll/7awV1erFx1MDAwZfhcdTAwMTeosF3Pzur+p5eB1ZVggVx1MDAwM0BcdTAwMDPnSNzCRve0JFx1MDAxN1x1MDAxM208XHUwMDAzq0+lrz+Vja9mZ3WOZmzRJJ3XmHmM7Ee0rq1cdTAwMDAhgc9izHmu31x1MDAxOK9/OCafwJfjTP6m3H38+GO7uMbUwf3t8dZuca+qtlx1MDAxYt+z71Wj/1xmSLnKgOMo2aM7Yo65wGrrOFx1MDAwNylcdTAwMTlcdTAwMWatqFerVixQxipATY+rzus+26XXnGDVa/MzN1ipmVTg2yZcdTAwMDOX6DY7QnJmXHUwMDE26DVvP+y+bD1cdTAwMWQ3zq/2V/dPXHUwMDFi1bP79lElK7+29+DhbGNwXFysb5yt/6hcdTAwMWRV+sXCRX5eM0dXNVx1MDAxZn7132VcdTAwMDZ+XHUwMDA1XHUwMDEwgVx1MDAwNqO4UIKE8JhcdTAwMWRylW6Hzlx1MDAwNoI7J5RcdTAwMTPagLG+86KlXHUwMDE5Jpnh6Vx1MDAxNOwqmUOaRLHjMbiwXHUwMDEwXHUwMDFlMzhw0lx1MDAxOXSS8neap1xcvDFyRTez+9z55WM+N5vVfvdcdTAwMDPtUk8gN4/LPOle8iHdw82Lo/tD9rTWOj4unGz1XHUwMDA3XHUwMDBmh1vPmUlXoL/LpCQ5rZAzWdRhNlJcdTAwMDbkjHHaJLOjz0aca1x1MDAwM8NcdTAwMTXnPMlXNlwiwMVcdTAwMDZcdTAwMWM0XHUwMDAyXHUwMDAyvpZnw1x0lr8+P1x1MDAwMVuSTVxmJ8ODXHUwMDA34Vx1MDAxM6Nxtc0tbb0pvUBcbt4/XdVcdTAwMWI77ULh8HaPN9vQuN1sy6xcdTAwMTS8Vm6fXHUwMDFk7+3uXHUwMDFmnX8/sdfnW/d8IFx1MDAwZXKjYE6eYT5cdTAwMTTsv8tcZlx1MDAxNCxcdTAwMWNcdTAwMDSOM2RhK4xcdTAwMWRcdTAwMGbbQEtFq9NcdTAwMTbZXHUwMDE1lIxbpVPoXHUwMDFmO8eB61+GXHUwMDE5N8vlwXCSXHUwMDFkbmQnYLBWWHQ5fILXxGXwXHUwMDFme8OJU5wpm7dzO/XKjTu3XHUwMDFmjnQnkFvMu31Tpr29Ms+qaG6aa1x1MDAwZvul2537+5Pv5W9xc67US812q1x1MDAxMrVo4CaQKLyckESmYoS19PS0c1x1MDAwMVx1MDAwN8GcXHUwMDAyXHLouY6WxmhfXHUwMDFhmVZpo4FLbbhcdTAwMWSJ8lebRlx1MDAxZVx1MDAwZThcIodcdTAwMTbSoFx1MDAxMHNmZFVcdTAwMTm2sKr0v09i4ztZuVYkca3GqcLn7DV9q9n4u6++rqUoO1jkXHUwMDExcWG11+x0T/bva6fHZc7Ld4XO03VWpv357fpktX36beO2dFDkJzu7RXktszFt6nVcdTAwMDe9h5XD8s7V/kPxpHfUvD0rr972crjuXHUwMDFjyiD1um/q9GtcdTAwMTBS5nRU7p/tXGaKXHUwMDAzjFxmgDHtXGZcdTAwMTPOgo7iXHUwMDEzKo1cdTAwMDCVhlwiIY+fmpGWfI1G01xiYI725JVcdTAwMDLpdVx1MDAwNabbUv9MeLSbXXNI5HmjbfwgjICHJ/r8XHUwMDA25YZChslbc0y9dmOaY2V9pfhcdTAwMTGUxlx1MDAwNHJcdTAwMWZXXHUwMDFh0WHndPT98/KCNU5h6+5s5ZFtrVx1MDAxN86/7T7koi+sXGasM9wxQFmgwjtGS33xe37ztOe9ufVcdTAwMDUwafFcdTAwMTHHj8hcYlx1MDAwMkCMv/uqL4RxjFx1MDAxYpgp5HQ2fXH/UN/7/u3wkp2WN75vnP1Ygyq/WkCYd+p151xibUu97ptcdTAwMWWuXHUwMDBm43pNXHUwMDE4OWbXXHUwMDAx/lnJolx1MDAwMyxcdTAwMGKMQFx1MDAxZMC04Hxs44ErXHUwMDExILqA5cOzXHUwMDAxJeI6XHUwMDAwMYIyRSw4vFx1MDAxZK7mP1r/TLixP8Xeg5BaKemNSZfxXHUwMDFkwNe9PsdcdTAwMDRHYJkpXHUwMDBmJM+1XHUwMDFi01x1MDAwMTvre1x1MDAxZkFcdTAwMDZM4OBxXHUwMDE5XHUwMDEwXHUwMDE5dT4qYGfzflC/eyhcXFfU1eDu8GKrflqfVVx1MDAwNYzW9vPQNnmgOdNcdTAwMDbnn4NxOm6+S1x1MDAxOZCjOVx1MDAxZswtXHUwMDAzuEVcdTAwMDRlknnTvXCEiVx1MDAxYlxyXHUwMDFjQGpcdTAwMWWOp31zIXBzUF/pdzfd4fVj4Vx1MDAxOaB4eNU6Ue9cdTAwMWRccrdW3njeuL36Lp5cdTAwMWWa3fLORunsYvc0h+vuble6XHUwMDBmvcJB+am/ufZYPj3YgEotVyFgw+Axu1x1MDAxMPDPSiYhwFx1MDAwM6ZoQ8ChQ2/lXGIrhlCiXHUwMDFkelx1MDAxNJJpXHRKk1TwXHRcdTAwMDFmXHUwMDFjOlx1MDAxZJJLhXiyXHUwMDE0XHUwMDAyUyDHYXYhIDizUoajnUZcYuF0cohcdTAwMWSTgiOw5Fx1MDAxZWI39eKNK4HixkdQXHUwMDAyXHUwMDEzeDimXHUwMDA0wqPOR1x0pHtHY1x1MDAwMFx1MDAxMzFezVTAkP+Zw1x1MDAxZrfMRY1XXHUwMDFhJHAjXHUwMDAwr80ss85cdTAwMTNLXHUwMDE3SFxcXHUwMDFmSlx1MDAwYnRDpfGG0klcdTAwMTdoYS1+bFxyXHUwMDA3XHTTXHUwMDFj7H8qWz6aX1x1MDAwNTCUdJJ7QnqG9p9s40ooXHUwMDA0bjObXG54XHUwMDEztd9p18dFxujfvoyWzPA/Xv/9f//m/XbiKqVXbH2Orlx1MDAxNmPgRqnXX2s3m/U+3uYhXHIxXHUwMDA2tv1St7+Kk1pv3UYn73f9hiyZrEPgKlx1MDAwZuj2XHUwMDBiLGBMXHUwMDE4XHUwMDAwbZE8yVnmTIS+d1vqXHUwMDEwflx1MDAwN1x1MDAxNFnDKFx1MDAwMkeBwP+PrZBqqzJ5VOk+TWhUOChDUVx1MDAwM8pwJHXLXHUwMDE517ExcUFJrpR1bqRAXHUwMDE3Qqj4sqWHtUKoVKuWYpaBQ1x1MDAwZX82XHUwMDBlX9XGdfsxk7Rxx/p2teI6tetcdTAwMWJWbFx1MDAxNlx1MDAwZouyeOhxlHxnXHUwMDFkJkDfXGJcdTAwMDBNSklcdTAwMWVKL3tcdTAwMWWqXHUwMDEyXHUwMDE3XGJccjg7mnHESVx1MDAxZVx1MDAwZrBcdTAwMDBcdTAwMWRQLFx1MDAxM6g/WUJLbZNcdTAwMWRcdTAwMGa/Z9c2XHUwMDFj9Vx0Zfd5j1m5TtzlXHUwMDAwa1xmdzrHVKBfK87Y4+NeyVxyXi6LrmNcdTAwMWVXXHUwMDFld7v7Vzl4XHUwMDEzK1x1MDAwN/3zzafi8V7j0FxmXG4vRz9v9+5z8ya4NGHmmDWXMVx1MDAwZknWqN70U1x1MDAwNFm/3UlSY5HherNcdTAwMTPzXHUwMDE2X+lcdTAwMWVpmvhCUEF40VxcW8Ypfjq6XHQjlVxuXHUwMDEw9Vx1MDAxNVf0XHUwMDA1J+N7MIhOiD7AnbBcdTAwMDZcdTAwMWSsXHUwMDEw/ozyXHUwMDE4UMGR7udWWU5xXGJLsPGDzY/5xVx1MDAxN7q4wkE4x3iEQVolii+cP8thNlxmelx1MDAxM/cqV+mVuEbpXHUwMDE1W52LkF7peVBcdTAwMTGRg09cdTAwMTHpYThCUGy0x/mqcWyAz5hKOaBcdTAwMTZA/n+9gSl1V7pcdTAwMDdcdTAwMTnVXZqh2DLkj1tcdTAwMTA+LchVoFx1MDAxNb4k+naavHd4L911fnrvJDy2L2r3lzf7x41cdTAwMDM4aJ9lXHUwMDBlONdcdTAwMDLlXHUwMDE1p0drXGZFJESzS5DuXHUwMDAzi4ucMlx08Nkz30H15Fx1MDAwNG09TXTrp0revMiKh4lR5kpbp4CDb0fa8cRiSEh05MXMlnTi106TNqT7vYd6wa41zfeH7lx1MDAwZlNsXVq7kTnN6602jueIqJss9UA7LnPaOPY/vVxm3lx1MDAxNWJvwLjV0lFcdTAwMTlcdTAwMDZcdTAwMTTvY1x1MDAwNm4nXHUwMDE5uJJcdTAwMDFQJDMw7lx1MDAxMkLJplxuX/9UXHUwMDA2fjmNd4VcdTAwMGaY6sb5TNm6xPh1pCflgFx1MDAwYpl/dvaUyzfmqexUn7/8TrzCXHUwMDAxf5go9lx0jFx1MDAxOdtKjtzFW1x1MDAxNDprXHUwMDFjls/q5d3q2Y+X3W+r7b013d/uZ6bwWJGVaNLYksPf1sSv5+ZwLlx1MDAxNGhN+Zo+y085NLKGa/KGXHUwMDE2XHUwMDE4X9b8sbmpV1x1MDAwNt9bV1c/zlx1MDAxZlc2XHUwMDFlz15qW1x1MDAwYjimTb3uXHUwMDFj8etZWFxci1D20FxcLO5/elx1MDAxOVhcXFHmp1x1MDAwNIdsrpGFWbR0XHUwMDFhXHUwMDFhdyDTTZyLQHJKQjNmuM3qiSRZ1lhJMvHyXHUwMDE0LC5cdTAwMWTQZr3z23JihIhgXGJcdTAwMDJG4Fxm5c7iUy7fXHUwMDE4i6+WetUvv8b5XHUwMDAxyHtcdTAwMDJXjpO3b/D5kHa6S5J6XHUwMDFjLNHnZsNjMieRdaPHwSAouYMpTlx1MDAwMZt08Fx1MDAxMzNma1x1MDAwMs1cdTAwMDAhgdJcdTAwMTalMJ5cdTAwMWRJrVx1MDAwMmdcdTAwMTVcdTAwMTfWXHUwMDAy/r1cZlxuSzTtSlb2TtyRVFx1MDAwMlx1MDAwNVx1MDAxMzfeiFx1MDAwZlx1MDAxZVx1MDAwZdmLxX5ai1BccvxNXG5cdTAwMTK//55k4iqlV2x9jq5cdTAwMTZj5Nz2JKfYXHUwMDAwXHUwMDE0yjLnNO2KUVx1MDAxMZ34/lx1MDAxZlx1MDAwNEaj8WraVKabiIu7THuS6a5IZEhKXHTGhlx1MDAwNY1xxSnpYkOSgVOSa1x1MDAxYzo9UPwnvk+6oC3JdJ2XXHUwMDA2jcidXHUwMDAxXHUwMDE1a1aU/GZcdTAwMWSPXHUwMDFl1oBcdTAwMDD61DL8R9pwOsbrYVxyXHUwMDBiXHUwMDAwYVMqfEqMy1Cd9lx1MDAxMTTagFx1MDAxOXw5XHUwMDA2YFx1MDAxOITQd1x0jVx1MDAxMWiszlxyjVx1MDAxY8HI4ar1OjaOJ0OjQY1rXCJRdP9R0FhIXFym9Iot0Fx1MDAwZoWNXHUwMDE0KqPojIlbKqrOwI7S116hyFx1MDAwNE5qsJKA39Kx02zomK71ooNcdTAwMTJcYlx1MDAxN05LXHUwMDA1VlimmfCEyrxcdTAwMTdcdTAwMWOmbzKnKkWn8Glbqlx1MDAxY1wiXHJcdTAwMTc6XHUwMDFhXHUwMDFho0FcdTAwMDXIqyhcdTAwMTRpc1d6lKJcdTAwMDJcXEqImFx1MDAwMqxcdTAwMDaHzOCBQ1x1MDAxN+CFXHUwMDE5XHUwMDE1O+A4qSHfcVx0h1x1MDAxMTi8mVx1MDAxZlx1MDAwZVHMM2pcdTAwMTbjy1x1MDAxNqbWXHUwMDE0iXiI0+I0asncj6+14GymXHUwMDFhJfniYeI6pVdshS5cdTAwMDJcdTAwMGYzXHUwMDBis2HoIOI1tSVhljuFXHUwMDE4JD3gXHUwMDEzSJx6jX9cdTAwMThcdTAwMTeGXCL1Z4PE9LzoqIZl3Cow+IdcbuqrOEpzTZF12mrOjEadbjwrdzFcYpm+gZdcdTAwMWXd41x1MDAwMrw5rVEuoK+hXbTNh1x1MDAwNlx1MDAxNOooQpCNwFCiZFxmXCI1clx1MDAxNVxuZqAqQJI5jy9thltvtKmDXHUwMDE0M107rU9cdTAwMDWQtzlEVoNgXHUwMDE2/NlcdTAwMTNIc4nlxp3R1ojwPld++MhHXHUwMDBm5r3wMWmN0mt8dS5cdTAwMDJcdTAwMWMz6zKSZej+S3TVUKQwZkNDf3WkXHUwMDA16UiUicMsZlx1MDAxNo9fzlx1MDAxN1x1MDAxN1x0r41CmLaW6rlxpFx1MDAxNVx1MDAxM1x1MDAxYpSlXHJcdTAwMDDEdG4oKElcdTAwMGL3XsCYXkEnXHUwMDE1XHUwMDE4hVxurKVypOjzqEid7WFcdFx1MDAxOXRBrEY+woXF8SnEgdHaQFo0XHUwMDAxfFx1MDAwZdRv0IeMMqDMVMpqcdYhXHUwMDBihvTJXHUwMDEyXHUwMDFiI9hYz1x1MDAwMVx1MDAxYtGOrGTCi43okiWKRyuGykrlnnbyMcAxcZ3Sq1x1MDAxMF+ii1x1MDAwMMj0OnlcdTAwMTGAZE4rztDR04CiUHpCXHJtwLlcdTAwMDJcdTAwMDGGcVx1MDAwMOXg7ZUjKlX0NVx1MDAxY8WTgqFzqbh0RGSnepfMyKH0NTq+blx1MDAxN4OQ6bXA0rPyWFx1MDAwMIxzalOiYscwXHUwMDE2laNcdTAwMDaJnIowabRHOYpAXG4phUBiVjh/0npcdTAwMTBcdTAwMTJcdTAwMWRcdTAwMWJHLV1cdTAwMTXX5PyF6kQtXHUwMDAxMlx1MDAwMpA/51x1MDAwN0hcdMjVSGXeWlxcyfU/cWbQq6TmJf+Z+Ji8TOlcdTAwMTVboIuAx2mgSDLKaKewdoFcdTAwMTjIVFxcQXJcdTAwMTdYfOSo/mnHXHUwMDE4gX42fEwvKFx1MDAxZVx1MDAxZJSR6Heit0/tMZw0njGpXHUwMDAwtbo21oCWiKHvXHUwMDA2j+mll9Lh0SFcdTAwMTE44ZT5Vb1cIlx1MDAwMo+C4saRWHFKrHXSeWNOWCBcdTAwMDHltUL3ZHhi4/GtTUDddFxyXHUwMDFk6lhkv+XuY1x1MDAwMj42clx1MDAxMJCGo1xi1N4+mlIm1yjSWtEhXHUwMDA1zzsyxVCu8Oii75a2nLhM6Vx1MDAxNVugi8DHKTKEnTVcXFF3REnoKL1KXHLhXHUwMDA3XHUwMDAx3qBcdTAwMTFT2/FcdTAwMTmzZ9JbXHUwMDE0RsakpEGf3rDfziXEx1x1MDAxNCBsXHUwMDBlXHUwMDBma8BccmucvlvyTHpcdTAwMDW5VHjk6FpYSipDXHUwMDA3XHUwMDAznYuoey0kutdCKepcdTAwMDBglVx1MDAxNKNcYoJQYD31JyaHRVFcdFeQ/q1HhaRNU4fOgTPLxMJcdTAwMDR4bM5cdTAwMGaPoOmQjTFcdTAwMWY8KpZ8Vi25tFrZ2do1/D84q05ep/SKrdBcdTAwMGaFj1x1MDAwNVx1MDAxZaA609RVmIqsXHTF41x1MDAwMEnqUWnKn2DOKSbjUi1bVYesXHSPXHUwMDA16osmuERh5SxcYo2up1x1MDAwNyGRk5RG1U47XHUwMDE2wrF324A8Xt3sr1xyrlx1MDAwZu7v26tcdTAwMWLdZv3o+Pabx72mwMkoPlprhmmUUlx1MDAwYuesZdFzmVx1MDAwMuhcdTAwMDClsTFGMUH8XHUwMDE0l48jTHiFQ7xOgFx1MDAwZbszmlwi5sOe3lx1MDAxMlx1MDAwZSNw2MrBm5aKc/AmIyVnWaNDXHUwMDA0KJRk3lg41IozNYrMXHUwMDE1XHUwMDBiI9+OLcY8kW/cmFx1MDAxMz6ZXG5cdTAwMDTos1x1MDAxNEt3tfPzxz7fKbVcdTAwMGZ17bhTvajXz/bilp6QhERHdyijgYBt2Co0XHUwMDFhuVeQLqBtXHUwMDA2ri069Fx1MDAwNp3GkTs5SkOCXHUwMDAwnHXOMSH9XHIjjVxuXHUwMDAwmImkKC1cdTAwMWLmREy/ndX0XHUwMDEz05GQdozWjPtcdTAwMGVcdTAwMWFs/PjhtY9cdTAwMGUztL9cdTAwMDRcdTAwMGJMKe7dqe3V1t31U++lxVx1MDAxZtXT/s2L/Z41aahzyl4urm7lfe/qUvW6h+X+o9iL/pY5akaiw1x1MDAxNapcdTAwMGI+V9KQ/y5jhlx1MDAxOU9cdTAwMWHiTGvqXHUwMDA3ZzQ6ZFaNXHUwMDFmXHUwMDAxXHUwMDE2hFx0gM7+tGCQZJNcdTAwMTl6My+bVyXZYsdvi968ISVcdPpEfFx1MDAxZubrsN9HXCLjKo5ik0JF83Y/pl3Bo1x1MDAwNVx1MDAxOa5cdTAwMDPUXHUwMDFiNEq/ui5+tE7NXHUwMDEz+M5b1WjS3eSTWdR8Or/7dvxcdTAwMDKDrW5tq1wioONcdTAwMWFsXG4mRlxyXHUwMDE2OG6p/a/QRo41ZM/ExFxmguFhKnfOMMOkp6Ka4Vx1MDAwMdDGMJpcdNjpoqI+XHUwMDE1XHUwMDA2dOfmY2c1p/NcdTAwMWJf81x01MXJWlxccGUlX2TR6c21nrza0eulzefCrTl0snt3u5GVkJtlfvqtvM5aO4+d4suNWtk9rp3lRch59pH032VcdTAwMTZClkxcdTAwMDa0XHUwMDA1T1x1MDAxMfSW2myPXHUwMDExslx1MDAwYtCaXGbgdFx1MDAxYlx1MDAxOJZ5jpmmYYFGhSypJzuL2N2SjyfaYm9cbj5cdTAwMTZOUeH+ePY9SV2TaHXI4aiRlcibjufvJnnYrT/gNT9MXHUwMDE1jlx0LDfOv7+H/1x1MDAxNuU3XHUwMDA2/On+du3SXFxcXK+fXHUwMDE0L1x1MDAxZvqrvf2tetyevS1cdTAwMWU4XHUwMDE1z1x1MDAxME6aXyjNxo5JrVxutLbAJKPqXHUwMDFhzFfbedniIT9cdTAwMDNcdTAwMWbMve+FuohFg0FC+14u8Vx1MDAxNEDRXHUwMDBlM75mMvvZuLZcdTAwMGXVluvayr08Ll/f1S67TbdysFx1MDAwMOf3rTg89brl0tbD2k3XtF+uVHmgVzdXtlu5VfjQjvNQ9NdcXNrAPytZtIGQXCJAT1xcOVx1MDAxY1x1MDAwZbp0KprrRb2eXHUwMDFjinUntUWY8LSZXrZ6+jI7cDxkV1x1MDAwNlx1MDAxNmdcdTAwMDe1m293TKW0gkPUVpbl3mV66rVcdTAwMWLTXHUwMDA1XHUwMDFmpNPTXHUwMDA0XHUwMDEyXkCnp3RMTItcdTAwMDWg3L1cdTAwMDCEUNpp4VwiXHUwMDA1soc1hlx1MDAxZPrjgpJcdEhcYoDxXHUwMDE4r4bAotlTuXdcdTAwMTFcdTAwMTF6I1VcdTAwMGaB4lx1MDAxMn+YMZKYbHn2lWDKj3NrXHUwMDAww1x1MDAxOVhEUV/WuozHXHUwMDA3jLI0gcwxXFzG671tPN8spIQ1Sq/Y6lx1MDAxY10sxr+5hVx1MDAwMaTv4H1cdIckoYRGn1kwkCiyQYPnxFx1MDAxZNFBXHSnJaWQM9o+iy2PTHFcdTAwMDDpOFx1MDAxNlx1MDAxOZRmgtpcdTAwMTbgI0M+t56MdVx1MDAxZFiplFx1MDAxNFx1MDAxNvBcdTAwMGbiy7uFSaXLulRolFJcdTAwMDaMU1x1MDAxYmtmlFxi1yZcdTAwMWI2rqIsJLQ2Q41DrFaeXHUwMDFjdlxcWlx1MDAxY1x1MDAxZpKj8u3CXCLEerBRXHUwMDA0hlGyXHUwMDEzTTMzdlnSI1x1MDAwMVx1MDAxYp/ySEOiXHUwMDEzJSd851x1MDAxNDK5XHUwMDA3XHUwMDA0N+gkW2Vzb3WJK8ra91x1MDAwN8dC4jKlV2yBLlx1MDAwMlx1MDAxZdM3WL5EI5JAc8ukkqDwXHUwMDE2eDyg3Vx1MDAwNThsoH7yTjKB9/LG6DiMknI0XCJmXHUwMDA01YLxpI5a1HMgUHQ7/Fwi0dJ7weNcdTAwMWGvQf9656ZW2n8s3MJcdTAwMWFUdjY8QfZJXHUwMDA3NrSFxFxmpenTS7Bo6Fx1MDAwND5cdTAwMDDUllx1MDAwNklJK6BFXHUwMDFmQ8gs9VvlVK7fZyru+JxcdTAwMTVcdTAwMTNcdTAwMTNcdTAwMGZowKFcXKTIcVx1MDAwZiR6wu1HiZnoXHUwMDBlcGP4XHUwMDAyXHUwMDBmaLrXnetaX+u+qtTa/XJ9V+/8PF3AJkzqdVvdm6Ni8WZT7K+sra+fn/5od/c+5OaO/+nF7NyzuYNzXHUwMDFkUFx1MDAxNJtcdTAwMTRcXFx1MDAwMYroqFxuklxcTDLxXGZxXHUwMDE4y/qtSSb+4jdx7+5cdTAwMGVcdTAwMTiDTrz3sFXLxDBcZlLw0nHIPVxifO7tnVx1MDAwZlx1MDAxN3cxgSzHN3reNNJcIlx1MDAxZNFS/Vx1MDAxYUGaTlKGtKC2Oi5q0UKqQKJ+XHUwMDEx2uAsOuWJb0a3XGKoJ4NcdTAwMTT4h4XDMEYxXHUwMDE2+CtcdTAwMDRQXz90XHUwMDEyuVXL0jN+XHUwMDAzv2ZsbseGZlxuqJq6z6+Jw8Goca9cdTAwMWSWXlNvsrH7/k09XHUwMDEzVym9YutzdLVcdTAwMTgx5+bWTLHBwjiVXHUwMDEy5VQ5XHKnkFx1MDAxYk+lXHUwMDE3Llx1MDAwM66sXHUwMDE1yIfSoPs2ayHXdFSLjoq6XaG34oxVKFx1MDAxYZVnUFx1MDAwMfWXVVx1MDAxY5jW1K3bvVthrlav/+2xvv5cXLyBVVx1MDAwYnLtZPugfpNJ8VxirVx1MDAwMyqFTjnZjmpXRPFcdTAwMTFcdTAwMTCZtWGghGJ4h56mnjZA7Ux1evCv5XHWlHjIp4h0MVpzrZzynWhcdJfcQkqju4liNnfJY1FGzVx1MDAxNXharH7sXHUwMDA2mWPjyymIRVx1MDAxZlx1MDAxNFx1MDAwNodcdTAwMTXGXHUwMDFmXHUwMDBld9X2dWvvmO16pMwsQSzauYBcdTAwMDPVX0SClOFcdTAwMDZFyyCW3zOcq/Ha+XdpaVx1MDAxYbTS/lpR8cblo1x1MDAxY1x1MDAwZURb0Fx1MDAwYuwnM6hcdTAwMTVWyq1vu7fnl+ubm89H31i7YLJuXHUwMDFjbK03fuiWOuupnXNzoy5cdTAwMWFba1x1MDAwM1x1MDAxNf0tM21I3Fx1MDAxZe0119Rm/75wtrntentboqOaOVxc93hwUDjvXGaO6lx1MDAwN1fVTf5Y/tZ9Ps0j6ubhflPvbJ2Jh8OXk/vj3mp/ZVds5rqBMo1cdTAwMTBNXHUwMDAzKe9sZ5JcdTAwMTPD0u9cZlBPoHbgXHUwMDEwLdZkgHpmUIIyXHUwMDA3R1nKcTmhXHUwMDExwpyjXHJsldDFbiknXHUwMDEyXHUwMDExyWWXXHUwMDEzkmrcJpxcdTAwMGZxplx1MDAxMlx1MDAwM2So/TJcYlx1MDAxZKrG+O6O1Fx1MDAxZj2xsr5S/FxiOydcdTAwMTMoflxcZkSHnY/KOD/6/rR6Umnu7ezJuvmx8nJxcH6Uj8pQ1KLKcjRfILlvbdwnWMqMPI16ZX6ZoTXlXHUwMDExKW89cyGSa2ZwXHUwMDA0bHotTmfcXGbOq/frO/2aO6ny07vu2U1nMMjKr/2bXHUwMDFhPNw8XGY6slK8UHtb+kfHnOTB25u96/uKvqw9rjbsj1LtWPPTh1x1MDAxY6779lx1MDAwNyo56Vx1MDAwMf+sZNJcdTAwMDNSXHUwMDA0TqFcdTAwMWWgXHKEcN/3IZRQllxmvmk0il2A8HBD0bLMoFx1MDAxZaDyLYp2/pZ6YFxu6FjNrlx1MDAwN6xlXG5cdTAwMDQ3vmC6tPZYhkrls3Ao5UeRXHUwMDAzO8WNj6BcdTAwMDYmUHEsYDY86nzEQO25tb6/c3t1Zc43j4pcdTAwMWLXl8X9XHKPXHUwMDE4SMxTNTpcdTAwMThGyyqjwClcdTAwMTO14WXb2je24bW541x1MDAxZTjnylHvXGJ/P1x1MDAxM5lcdTAwMWP5IJ2lcD+5wI2G4vVBfeN44+Xn2dZBQ6r177X+/vF7XHUwMDBigDk2MLJcdTAwMTC1XHUwMDA1lVNcclxu/9PLRNTWXHUwMDA1zClB7f5cdTAwMTDTxbiVL/vPv6mVXHUwMDE3szM1XHUwMDA3XHUwMDA2VnDBvK47XHUwMDBm0ds4VSuwUlx1MDAxYZU/VU+5gONU/TFcdTAwMWLQTyDOxTegr7ObNXtZZ0/m9HnzZ0GLwX37PjuTM3AoxjV1XCJzknFcdTAwMWJNa18y+Vx1MDAxYtv4+txMLlx1MDAxOKMolVx1MDAwNCZPOTDgZthu1IpcdTAwMDXGMPZ1+2Tz7Oz48LHVOOjW7srXW93D93a55zgyWCyT+59eXHUwMDE2JmfUacNcdTAwMTjHQVjruImGKS970L+xlW9kZ3IhXHUwMDA0UXLCXHUwMDFlvE0uXHUwMDE5wyVYhPDZXCKSJy1gOcVcdTAwMDKOMfnHakI/gS9cdTAwMTfXhD7dMUlcdTAwMGZgRGFuXHUwMDAxNFOgqP5tvFx1MDAwYr3R1G6aYjxcdTAwMTjEzZmqTJFcdTAwMWW36MdzKblnXHUwMDA3jVxuOlpuXHUwMDAwqIVDJC12uaFcdTAwMTY17s2sXHUwMDE0nrJcdTAwMTcvmFImXHUwMDFjglx1MDAxYzJ6q5NcdTAwMGbelLHacifzP3ibVb7n21x1MDAxZippndIrtkJHV4vRcn69RVN37r5E+9BcdTAwMWIqJm21QVx1MDAwZktbXHUwMDE26k3wO1ZQXHUwMDA1XHUwMDE0SGidkUKA5p5K0ZniXHUwMDE3012SyJjUMGbPKpBMcOXiXHKreEClg5HkwejhXHUwMDFl+7t1P0lXe+nwyFXAJK5cdTAwMWMtnTAwvm8hqFatkFx1MDAwNrRQ0oRStl4z+l0ggVx1MDAxYVxyUp9sXHUwMDEziv9cdTAwMWWho1x0rJNotVx1MDAwMlx1MDAxNVx1MDAxNYXXLtExXHUwMDAxXHUwMDFkv82NjpqCXHUwMDE1qeGjXHUwMDBmXHUwMDFjwSWDI/WtxIVuPo5cIso3bTVpmdIrtkA/XHUwMDE0OFx1MDAwZVx1MDAxYtFzXG47p8RUhCNcdTAwMTZKuX1tLkq3XHUwMDA2tLfgXHUwMDEw4dGcZ0PHdL1cdTAwMTdcdTAwMWSU0Fx1MDAxNtAjpq1cdTAwMTBLLU/j8PheaJi+25yexa/Qd5OcW4JDx8R4l+WJjehcdTAwMDXSlFbD6oZWK6l8Ozw2UMhcdTAwMTjoWTpcXHEslCO3xMMoXHUwMDFlbs2vXHUwMDE2qfgkzqpcdTAwMWZcdTAwMTBtWjdRVCQkRfLPd/lcdTAwMTBqsZC8UulcdTAwMTVbo4uAxMzaLNaL3uD/v10v+vR4tKiOnbJcdTAwMTc9c/FcdTAwMDJcdTAwMDNcdTAwMGJCyfSdvPQyUEpcdTAwMDXSKlxcy+htUF+TMZSM9qL3aEZcYqjRoeWc0n6Y9nWEolwiceC0M5RWY9VSNCaB5PbcIInsjfKPJWCkSVx1MDAxNI3WUaMhkXtcdTAwMTeUXHUwMDBmolx1MDAxOVx1MDAxM1cpvWLrc1x1MDAxMVx1MDAwMJlZno33o3dxcMypXHUwMDFmfWZsjPWjXHUwMDE3XHUwMDEwl4zRfvTGU31lUe2gUjNcdTAwMTjSwZGKymtcXFx1MDAxOChcdTAwMWWo3lNcdTAwMDRcdTAwMWJccvpcdTAwMWGcc2DSaiOYjlx1MDAwN+xpXHUwMDE5WPTEXHRjOVx1MDAxMoinXCI9o1x1MDAxYTtGOKCmUlx1MDAxNnlwWVx1MDAwNipcdFx1MDAxYndy2G506OXgNHpPXGZdcuwv1UHUXFzNWCr34ydMJ61Telx1MDAxNeJLdFx1MDAxMfBYXbu7KW+en1xmKo+FtedBffWgW7hOwlwiSUVccpyzXHUwMDA2J1x1MDAxN5T1lF3ijNrG4OyjmVKXXHUwMDEwYd5cXD5cIskoKs7Hh20thCdlXHUwMDFh5aNcdTAwMTDGXG6FklZTV4v3Qsj0XFysXHQlJXhcdTAwMDBIPchcdTAwMDZOoH5cdTAwMWbZ0K9S4jag4lC0lU27wfEsTElcdTAwMWJcIoYrsGhd4bbUoUgpXHUwMDE3MKHxXHUwMDEyyCGMXHUwMDFhly2PZJIwcnd+jORcdTAwMDZwNrjvRFx1MDAwNp3HRP2Iy1x1MDAxOOGD5d6P/mNcdTAwMDBkIXGZ0iu+QFx1MDAxN4GQU6k16jVvhKBkNnSvQ5Wgv4SKSihH503GSYVSU8eXSCaE3DlWXHUwMDE3xyuXrLP72G0+9U7Ead2eJVxyyylOe7hcdTAwMWNAgXImrmxVgJ9Tj2hDnaIlxGF7UUUlUtNTJlbdcUJax1ArXHUwMDFhraIpZFLJQHDrnFx1MDAwMcVVqLLGK0RcbkpA41x1MDAxMilcdTAwMTgpWmrFfOcyyG/4MFxyk0hwXHUwMDEytFxclt1Jwsi9+TFcdTAwMTLEME/PW31CxdXla8NcdTAwMDXgZFviP1x1MDAxNCST1ym94it0XHUwMDExIDlNiVx1MDAxYo5a7VcnWCMphCSORshcdTAwMDKSkWCjkqLcKjnj0cxcdTAwMTSH6Yxq61x0i9yj3Vx1MDAxMFx1MDAwMn3AzVx1MDAwNGosq5zUqNTVu2FkumafXHUwMDE0ketAI1x1MDAwM1x1MDAwMdhh58dwaMfQ2Vx1MDAxNlx1MDAwNmFSW1x1MDAwM4iTnmL0qD1cdTAwMDJFJ2pI0c76O7FOXHUwMDE1y/OZmkxds/35w3G5slx1MDAxNHjgi9+zOvlsxjjKjF5oXm2lV9+otddbzavH+82jvZPtPbe1s4B6XHUwMDE4MZiLIzlcYimn6Vx1MDAxOZ1ijf67jFljPGjWXHUwMDE5XHUwMDEzoIq1wCk6S+oxQ5RcItVcdTAwMTCdxY+RXHUwMDAx0Fx1MDAxZESf1ljPppdZ2mGSXHUwMDFkXHUwMDFl+O3QXHUwMDE3MGtcdTAwMTDtUVTGXHUwMDFim9NnKjmPXSnHmIT8Q+emXbujpThqV0r5XCLDXqXPzWa1362XP0z+y1x1MDAwNHLztF6ddC/5RNOm+1uT63hcdTAwMWJcdTAwMTdIztBJIaHhbLTdsmMusNpS6T8pXHUwMDE593SCU5a6NXPOk3JgXGY6P4Zq3CCkUKnwaVx1MDAxY5MqQz3JP4vtXHUwMDFmzs3BaPboSnIvJKDbkdzogPIjQGu7wNxWflje7l/u3Z+4ypV+3LzeXd0o9/7jikf57zJcdTAwMDNcdCP36oBcdTAwMGVshaSIdje2a4BcdTAwMWVWIGFYw1eh5cZcctOpwFx1MDAwMeWtcP3LNuOWOVVcdTAwMDbq5zLFo+w0PERNQM/MX1AmvkdcdTAwMTBcbtNU0jI+m/J902pcdTAwMTFcdTAwMWaPfSewXFysXHUwMDAw95tSrt7ePN3oVn4+NZ62y40tVrkpf3/KTLmCmYBOxVFmXHUwMDFiZ1xyg6hlXHUwMDE3lKK2VEYrXHUwMDAxXHUwMDBlvXqnPZX1QVx1MDAwNNJcdTAwMTnppLVCK+1JY5mqd8bn0tjHc/PsMFx1MDAxY1x1MDAwM5SLt1x1MDAwZfpKQfRJXHUwMDE271B2u1x1MDAxOc9IZiPZh11XaG5cdTAwMWXtXHUwMDBmVrYvT1xuTyfnjTt1NVxyXHUwMDE5UnM0XGIlPc5Fhv7RZCBDOmSUjlE5V60lx8dcdTAwMWY1XHUwMDE56SaajFx1MDAwNsqMcIrqZVPpJFx1MDAxMTeZqfI4P5fJnEzBh8iFXHUwMDE258L6bCN5b5w7R0dUkHOI7vTrN0aGW63OoN/7XGIkOIF3xklwfOD5kF9l705WX5yt7f1w5crl7V3p6nFtXG7yg1x1MDAwMCh3QyqljVx1MDAxOKu6UNCBQU2L7ijaMrfozXioXHUwMDBmv8NQXHUwMDEyXHUwMDBiUNZJ5lx1MDAwYqpa9o1KNORcdTAwMWbzc1x1MDAxZlx1MDAxYbjQXGa8TqaM12FcdFVdsIIweoH0t9K4aT+eNNeUOzbr/drFTnHv+O7d6M8/miz0xyHAXHUwMDE1j8BcbtpKzW00r6/Ax63GYzZSXHUwMDA3mjtrrcSL6Fx1MDAxY1pcdTAwMTN8KrM5nYL/ND5kYcOpQCH+S1x1MDAxNodcbj03y9lsRUnemFx1MDAwMJG1mtVKXHUwMDFkL/wheHBcdTAwMDJcdTAwMDXFedA7/nzo8Mx9f95fwVx1MDAwN73baojawcmgpipiXG46TPVcdTAwMDUlXHUwMDBiLFx1MDAxMNQ6hsbrI8N8/cDPtclzllx1MDAwM1x1MDAxN3KUIehSeHtcdTAwMTbIxJolNFdGWT1TOPFsVHg7WGteVe7Pi8Xq3kPvfkX3T46e3o1cbv2jyUKFSlx1MDAwNlxuRSTSj1x1MDAwMs2Mi4bkS0g3XHUwMDE4y1x1MDAwMkdccnqcXHUwMDAztDpvMe6pWPBzXHUwMDE5zPlcdTAwMTQsKCRcdTAwMDXSMOUv55OoXHUwMDEyjWLconV8PFx1MDAxNjxcdTAwMTj0P4pcdTAwMWY4gXPG+S828qmZ7y+/geFrqdM56eOTfYVJXFxL9crYU/j1Xr/aXHUwMDE5PYHhW3vtSnW9VbpujD/lr1x1MDAwZvXq42rcdP56M3xcdTAwMTFKXHJhhMymOoTof//l3/9cdTAwMDc8sO/XIn0=PublicKeyEncapsulatedShared SecretShared SecretEncryptedSymmetricKeySymmetricKeyAEADKEMKDFEncapKey EncryptionKeyBase NonceEncapsulatedShared SecretPrivateKeyKEMShared SecretDecapAEADKDFKey EncryptionKeyBase NonceEncryptedSymmetricKeySymmetricKeyInputsIntermediatesOutputs \ No newline at end of file From fb256ba013a1d24f0404b74082924978c4d3a73e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Wed, 7 May 2025 11:03:09 -0400 Subject: [PATCH 24/44] Small cleanups --- doc/RecordingControl.xml | 2 +- doc/media/RecordingControl/hpkeEncryption.excalidraw.svg | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 2ad488187..88cec082c 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2254,7 +2254,7 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, the EncapsulatedSharedSecret field is derived using the Base mode of HPKE.
- Encryption using HPKE algorithm + Encryption (Left) and Decryption (Right) using the HPKE algorithm diff --git a/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg b/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg index 9b342966a..218dfaae6 100644 --- a/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg +++ b/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg @@ -1,2 +1,2 @@ -eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO1daXNcdTAwMWFLlv3ev8Lh/tpU53Zz6YiJXHRJSLL2zdY2PaFAgFx1MDAwNFx1MDAxNptYtHX0f597sS2qqKyigFx1MDAxMtK0oP3c71x1MDAwMSplVeY959zMu/zrL1++fO0/d6pf//Hla/WpXFxq1Cvd0uPXv9H7XHUwMDBm1W6v3m7hR2L43732oFtcdTAwMWV+s9bvd3r/+Pvfm6XuXbXfaZTK1eCh3lx1MDAxYpRcdTAwMWG9/qBSb1x1MDAwN+V28+/1frXZ+2/6e7/UrP5Xp92s9LvB6JdcdTAwMTSqlXq/3f31u6qNarPa6vfw6v+D//3ly7+Gf+Mn9Vxu/UbBn2q8VzzeOXbrm8+Du97q+d7L8EeHX/pzXHUwMDBi3Wq5X2rdNqqjj57wfVA2sM6BtNZcdTAwMWGjNbx++oyfXHUwMDE2pFx1MDAwYoyTwLWVTFx1MDAxOWB29PljvdKv4Xc4g8BI0IY7Z5hhkr9+pVat39b6+Fx1MDAxZMNcdTAwMDMwXHUwMDAwkjNcdTAwMDZcdTAwMTacev3Gr1x1MDAxMf3jXHUwMDBie32n1++276pr7Vx1MDAwNt4/XHUwMDBl+6/ixlWVXHUwMDFhXHL6ulS+u+22XHUwMDA3rcrrd/rdUqvXKXXxKY2+d1NvNE76z8Or4/zgg/069jvOft+AXHUwMDE4ez/pp/CX3tZa1Vx1MDAxZc3E6Fx1MDAxZdudUrnef1x1MDAxZT6I0V3QXGI7W5XhpP3vaExdnO4tmrXWoNF4fbveqlRpLr6WdOS3tSq/f9ufXHUwMDE5XHUwMDFmTaf8/c6/R2OvVunCglkljFx1MDAxNWY0wtBiZWr83f12a7hwLVx1MDAxOClccsjR/NZ7RVxcev3hVW9w+VZHU0BDW1x1MDAxZl+W4aVcdTAwMTlZef3q02heQlx1MDAwYnerKo5Wa51Oq3BwfNg5vLh6en6of3393r//5r/sr1x1MDAxZj7Y3N7GMYvV9o9iqfBQXHUwMDE2q73d++hv+fP7S91u+zF03d//NpqWQadS+nWf3CithdDcXHUwMDE5p18/b9Rbd+Nz1miX70aP5i+hXHUwMDAxj5mn/y5j5lx1MDAxOXlIvyzTqIBcdCOdc5xcdTAwMTlcdTAwMGU2apnCXHUwMDA1aExcdTAwMDa4XHUwMDE0XHUwMDA2XHUwMDE0SFx1MDAxMzNMgEBcdTAwMTnnXHUwMDE0WjfnhltcdTAwMDNxw1x1MDAwNLY0Rb8pXHUwMDFhvylGvv3b5rh1WoFxXGY8NsdVos0pyyzn2rhZbC7P5TtajbRcbvHuXHUwMDBmXHUwMDA31416+Z+tnepzaFx1MDAxYdut/kn9pTpcdTAwMDSSyLtcdTAwMWKlZr1Bz1x1MDAxZFwiV1pp1G/pXHUwMDExfC3joKvdr+Hn0K8j2b1+oVmvVMLMVMaLluqtancrXHUwMDBixbW79dt6q9T4XHUwMDFlXHUwMDE5/ZfI4EuDfvu42vs1/H53UFxyP57qtz/2wFx1MDAwM1x1MDAwMSnG/MIrlXqtILdcdTAwMDd7R3XBu/3Hzad2Zq7VkqPNOmaNUopcdTAwMTk1Mll6dpKZgFupmFx1MDAwNMO1Q1x1MDAxNI9TrYZcdTAwMDBcdTAwMWPStWNCKukzaFx1MDAwNFxyXHUwMDAwZixcdTAwMTejXHUwMDBmJ1t2XHUwMDE1WVvyT2LZdm6StTiJStuQ4Y7sXHUwMDFktFx1MDAxZH/3j71cdTAwMGLmOHJcdTAwMTaXi+PY6vrz5eVW+6n9fHS6t+12jrZcdTAwMWKbN1k5dqPIdky78Hh/1dg7X9mrbD/D2WpeXHUwMDFja1CihJ7EXFxcdTAwMWPrv8tcZlx1MDAxY4uwXHUwMDFkSG21NE4wrqyLWiR3gVx1MDAwMpxmxZ1OsEipXHUwMDAz/IJ1XHUwMDE2KVpYx3TcJKfi2E9liS47x1rLUOpcdTAwMDCTPpNjMbH7x+TwR5R0MjRz+VDs1Ks3RrHrrXKp01x1MDAxYjTouv9sndRwPitfTqrlbrX/XHUwMDExKHdcdTAwMDLTjVNuprvJh4PVpTtbWX1UTvJ9qZVcdTAwMTjA1XkjM1x1MDAwNyumXHUwMDAyy5TSzFx1MDAxOamlXHUwMDE4ibPMXHUwMDFj7PArwlx0QT9cdTAwMWXh2VeLl9NwL4o1Xlx1MDAxNp/E4lfm5l6OgtqiXHUwMDAxai/5qti7r0igpVx1MDAxNOCUnVx0XG5mY9+z5tZ65Ue7X29elHm/t7p1f1Dbycq+u3dcdTAwMTcr8PPoO1Pl1pl+Kcty87GZjX1Tr1veq6zsfbs7O7ttXHJOjlrll/7awV1erFx1MDAwZfhcdTAwMTeosF3Pzur+p5eB1ZVggVx1MDAwM0BcdTAwMDPnSNzCRve0JFx1MDAxN1x1MDAxM208XHUwMDAzq0+lrz+Vja9mZ3WOZmzRJJ3XmHmM7Ee0rq1cdTAwMDAhgc9izHmu31x1MDAxOK9/OCafwJfjTP6m3H38+GO7uMbUwf3t8dZuca+qtlx1MDAxYt+z71Wj/1xmSLnKgOMo2aM7Yo65wGrrOFx1MDAwNylcdTAwMTlcdTAwMWatqFerVixQxipATY+rzus+26XXnGDVa/MzN1ipmVTg2yZcdTAwMDOX6DY7QnJmXHUwMDE26DVvP+y+bD1cdTAwMWQ3zq/2V/dPXHUwMDFi1bP79lElK7+29+DhbGNwXFysb5yt/6hcdTAwMWRV+sXCRX5eM0dXNVx1MDAxZn7132VcdTAwMDZ+XHUwMDA1XHUwMDEwgVx1MDAwNqO4UIKE8JhcdTAwMWRylW6Hzlx1MDAwNoI7J5RcdTAwMTPagLG+86KlXHUwMDE5Jpnh6Vx1MDAxNOwqmUOaRLHjMbiwXHUwMDEwXHUwMDFlMzhw0lx1MDAxOXSS8neap1xcvDFyRTez+9z55WM+N5vVfvdcdTAwMDPtUk8gN4/LPOle8iHdw82Lo/tD9rTWOj4unGz1XHUwMDA3XHUwMDBmh1vPmUlXoL/LpCQ5rZAzWdRhNlJcdTAwMDbkjHHaJLOjz0aca1x1MDAwM8NcdTAwMTXnPMlXNlwiwMVcdTAwMDZcdTAwMWM0XHUwMDAyXHUwMDAyvpZnw1x0lr8+P1x1MDAwMVuSTVxmJ8ODXHUwMDA34Vx1MDAxM6Nxtc0tbb0pvUBcbt4/XdVcdTAwMWI77ULh8HaPN9vQuN1sy6xcdTAwMTS8Vm6fXHUwMDFk7+3uXHUwMDFmnX8/sdfnW/d8IFx1MDAwZXKjYE6eYT5cdTAwMTTsv8tcZlx1MDAxNCxcdTAwMWNcdTAwMDSOM2RhK4xcdTAwMWRcdTAwMGbbQEtFq9NcdTAwMTbZXHUwMDE1lIxbpVPoXHUwMDFmO8eB61+GXHUwMDE5N8vlwXCSXHUwMDFkbmQnYLBWWHQ5fILXxGXwXHUwMDFme8OJU5wpm7dzO/XKjTu3XHUwMDFmjnQnkFvMu31Tpr29Ms+qaG6aa1x1MDAwZvul2537+5Pv5W9xc67US812q1x1MDAxMrVo4CaQKLyckESmYoS19PS0c1x1MDAwMVx1MDAwN8GcXHUwMDAyXHLouY6WxmhfXHUwMDFhmVZpo4FLbbhcdTAwMWSJ8lebRlx1MDAxZVx1MDAwZThcIodcdTAwMTbSoFx1MDAxMHNmZFVcdTAwMTm2sKr0v09i4ztZuVYkca3GqcLn7DV9q9n4u6++rqUoO1jkXHUwMDExcWG11+x0T/bva6fHZc7Ld4XO03VWpv357fpktX36beO2dFDkJzu7RXktszFt6nVcdTAwMDe9h5XD8s7V/kPxpHfUvD0rr972crjuXHUwMDFjyiD1um/q9GtcdTAwMTBS5nRU7p/tXGaKXHUwMDAzjFxmgDHtXGZcdTAwMTPOgo7iXHUwMDEzKo1cdTAwMDCVhlwiIY+fmpGWfI1G01xiYI725JVcdTAwMDLpdVx1MDAwNabbUv9MeLSbXXNI5HmjbfwgjICHJ/r8XHUwMDA25YZChslbc0y9dmOaY2V9pfhcdTAwMTGUxlx1MDAwNHJcdTAwMWZXXHUwMDFh0WHndPT98/KCNU5h6+5s5ZFtrVx1MDAxN86/7T7koi+sXGasM9wxQFmgwjtGS33xe37ztOe9ufVcdTAwMDUwafFcdTAwMTHHj8hcYlx1MDAwMkCMv/uqL4RxjFx1MDAxYpgp5HQ2fXH/UN/7/u3wkp2WN75vnP1Ygyq/WkCYd+p151xibUu97ptcdTAwMWWuXHUwMDBm43pNXHUwMDE4OWbXXHUwMDAx/lnJolx1MDAwMyxcdTAwMGKMQFx1MDAxZMC04Hxs44ErXHUwMDExILqA5cOzXHUwMDAxJeI6XHUwMDAwMYIyRSw4vFx1MDAxZK7mP1r/TLixP8Xeg5BaKemNSZfxXHUwMDFkwNe9PsdcdTAwMDRHYJkpXHUwMDBmJM+1XHUwMDFi01x1MDAwMTvre1x1MDAxZkFcdTAwMDZM4OBxXHUwMDE5XHUwMDEwXHUwMDE5dT4qYGfzflC/eyhcXFfU1eDu8GKrflqfVVx1MDAwNYzW9vPQNnmgOdNcdTAwMDbnn4NxOm6+S1x1MDAxOZCjOVx1MDAxZswtXHUwMDAzuEVcdTAwMDRlknnTvXCEiVx1MDAxYlxyXHUwMDFjQGpcdTAwMWWOp31zIXBzUF/pdzfd4fVj4Vx1MDAxOaB4eNU6Ue9cdTAwMWRccrdW3njeuL36Lp5cdTAwMWWa3fLORunsYvc0h+vuble6XHUwMDBmvcJB+am/ufZYPj3YgEotVyFgw+Axu1x1MDAxMPDPSiYhwFx1MDAwM6ZoQ8ChQ2/lXGIrhlCiXHUwMDFkelx1MDAxNJJpXHRKk1TwXHRcdTAwMDFmXHUwMDFjOlx1MDAxZJJLhXiyXHUwMDE0XHUwMDAyUyDHYXYhIDizUoajnUZcYuF0cohcdTAwMWSTgiOw5Fx1MDAxZWI39eKNK4HixkdQXHUwMDAyXHUwMDEzeDimXHUwMDA0wqPOR1x0pHtHY1x1MDAwMFx1MDAxMzFezVTAkP+Zw1x1MDAxZrfMRY1XXHUwMDFhJHAjXHUwMDAwr80ss85cdTAwMTNLXHUwMDE3SFxcXHUwMDFmSlx1MDAwYnRDpfGG0klcdTAwMTdoYS1+bFxyXHUwMDA3XHTTXHUwMDFj7H8qWz6aX1x1MDAwNTCUdJJ7QnqG9p9s40ooXHUwMDA0bjObXG54XHUwMDEztd9p18dFxujfvoyWzPA/Xv/9f//m/XbiKqVXbH2Orlx1MDAxNmPgRqnXX2s3m/U+3uYhXHIxXHUwMDA2tv1St7+Kk1pv3UYn73f9hiyZrEPgKlx1MDAwZuj2XHUwMDBiLGBMXHUwMDE4XHUwMDAwbZE8yVnmTIS+d1vqXHUwMDEwflx1MDAwN1x1MDAxNFnDKFx1MDAwMkeBwP+PrZBqqzJ5VOk+TWhUOChDUVx1MDAwM8pwJHXLXHUwMDE517ExcUFJrpR1bqRAXHUwMDE3Qqj4sqWHtUKoVKuWYpaBQ1x1MDAwZX82XHUwMDBlX9XGdfsxk7Rxx/p2teI6tetcdTAwMWJWbFx1MDAxNlx1MDAwZouyeOhxlHxnXHUwMDFkJkDfXGJcdTAwMDBNSklcdTAwMWVKL3tcdTAwMWWqXHUwMDEyXHUwMDE3XGJccjg7mnHESVx1MDAxZVx1MDAwZrBcdTAwMDBcdTAwMWRQLFx1MDAxM6g/WUJLbZNcdTAwMWRcdTAwMGa/Z9c2XHUwMDFj9Vx0Zfd5j1m5TtzlXHUwMDAwa1xmdzrHVKBfK87Y4+NeyVxyXi6LrmNcdTAwMWVXXHUwMDFld7v7Vzl4XHUwMDEzK1x1MDAwN/3zzafi8V7j0FxmXG4vRz9v9+5z8ya4NGHmmDWXMVx1MDAwZknWqN70U1x1MDAwNFm/3UlSY5HherNcdTAwMTPzXHUwMDE2X+lcdTAwMWVpmvhCUEF40VxcW8Ypfjq6XHQjlVxuXHUwMDEw9Vx1MDAxNVf0XHUwMDA1J+N7MIhOiD7AnbBcdTAwMDZcdTAwMWSsXHUwMDEw/ozyXHUwMDE4UMGR7udWWU5xXGJLsPGDzY/5xVx1MDAxN7q4wkE4x3iEQVolii+cP8thNlxmelx1MDAxM/cqV+mVuEbpXHUwMDE1W52LkF7peVBcdTAwMTGRg09cdTAwMTHpYThCUGy0x/mqcWyAz5hKOaBcdTAwMTZA/n+9gSl1V7pcdTAwMDdcdTAwMTnVXZqh2DLkj1tcdTAwMTA+LchVoFx1MDAxNb4k+naavHd4L911fnrvJDy2L2r3lzf7x41cdTAwMDM4aJ9lXHUwMDBlONdcdTAwMDLlXHUwMDE1p0drXGZFJESzS5DuXHUwMDAzi4ucMlx08Nkz30H15Fx1MDAwNG09TXTrp0revMiKh4lR5kpbp4CDb0fa8cRiSEh05MXMlnTi106TNqT7vYd6wa41zfeH7lx1MDAwZlNsXVq7kTnN6602jueIqJss9UA7LnPaOPY/vVxm3lx1MDAxNWJvwLjV0lFcdTAwMTlcdTAwMDZcdTAwMTTvY1x1MDAwNm4nXHUwMDE5uJJcdTAwMDFQJDMw7lx1MDAxMkLJplxuX/9UXHUwMDA2fjmNd4VcdTAwMGaY6sb5TNm6xPh1pCflgFx1MDAwYpl/dvaUyzfmqexUn7/8TrzCXHUwMDAxf5go9lx0jFx1MDAxOdtKjtzFW1x1MDAxNDprXHUwMDFjls/q5d3q2Y+X3W+r7b013d/uZ6bwWJGVaNLYksPf1sSv5+ZwLlx1MDAxNGhN+Zo+y085NLKGa/KGXHUwMDE2XHUwMDE4X9b8sbmpV1x1MDAwNt9bV1c/zlx1MDAxZlc2XHUwMDFlz15qW1x1MDAwYjimTb3uXHUwMDFj8etZWFxci1D20FxcLO5/elx1MDAxOVhcXFHmp1x1MDAwNIdsrpGFWbR0XHUwMDFhXHUwMDFhdyDTTZyLQHJKQjNmuM3qiSRZ1lhJMvHyXHUwMDE0LC5cdTAwMWTQZr3z23JihIhgXGJcdTAwMDJG4Fxm5c7iUy7fXHUwMDE4i6+WetUvv8b5XHUwMDAxyHtcdTAwMDJXjpO3b/D5kHa6S5J6XHUwMDFjLNHnZsNjMieRdaPHwSAouYMpTlx1MDAwMZt08Fx1MDAxMzNma1x1MDAwMs1cdTAwMDAhgdJcdTAwMTalMJ5cdTAwMWRJrVx1MDAwMmdcdTAwMTVcdTAwMTfWXHUwMDAy/r1cZlxuSzTtSlb2TtyRVFx1MDAwMlx1MDAwNVx1MDAxMzfeiFx1MDAwZlx1MDAxZVx1MDAwZdmLxX5ai1BccvxNXG5cdTAwMTK//55k4iqlV2x9jq5cdTAwMTZj5Nz2JKfYXHUwMDAwXHUwMDE0yjLnNO2KUVx1MDAxMZ34/lx1MDAxZlx1MDAwNEaj8WraVKabiIu7THuS6a5IZEhKXHTGhlx1MDAwNY1xxSnpYkOSgVOSa1x1MDAxYzo9UPwnvk+6oC3JdJ2XXHUwMDA2jcidXHUwMDAxXHUwMDE1a1aU/GZcdTAwMWSPXHUwMDFl1oBcdTAwMDD61DL8R9pwOsbrYVxyXHUwMDBiXHUwMDAwYVMqfEqMy1Cd9lx1MDAxMTTagFx1MDAxOXw5XHUwMDA2YFx1MDAxOITQd1x0jVx1MDAxMWiszlxyjVx1MDAxY8HI4ar1OjaOJ0OjQY1rXCJRdP9R0FhIXFym9Iot0Fx1MDAwZoWNXHUwMDE0KqPojIlbKqrOwI7S116hyFx1MDAwNE5qsJKA39Kx02zomK71ooNcdTAwMTJcYlx1MDAxN05LXHUwMDA1VlimmfCEyrxcdTAwMTdcdTAwMWOmbzKnKkWn8Glbqlx1MDAxY1wiXHJcdTAwMTc6XHUwMDFhXHUwMDFho0FcdTAwMDXIqyhcdTAwMTRpc1d6lKJcdTAwMDJcXEqImFx1MDAwMqxcdTAwMDaHzOCBQ1x1MDAxN+CFXHUwMDE5XHUwMDE1O+A4qSHfcVx0h1x1MDAxMTi8mVx1MDAxZlx1MDAwZVHMM2pcdTAwMTbjy1x1MDAxNqbWXHUwMDE0iXiI0+I0asncj6+14GymXHUwMDFhJfniYeI6pVdshS5cdTAwMDJcdTAwMGYzXHUwMDBis2HoIOI1tSVhljuFXHUwMDE4JD3gXHUwMDEzSJx6jX9cdTAwMThcdTAwMTeGXCL1Z4PE9LzoqIZl3Cow+IdcbuqrOEpzTZF12mrOjEadbjwrdzFcYpm+gZdcdTAwMWXd41x1MDAwMrw5rVEuoK+hXbTNh1x1MDAwNlx1MDAxNOooQpCNwFCiZFxmXCI1clx1MDAxNVxuZqAqQJI5jy9thltvtKmDXHUwMDE0M107rU9cdTAwMDWQtzlEVoNgXHUwMDE2/NlcdTAwMTNIc4nlxp3R1ojwPld++MhHXHUwMDBm5r3wMWmN0mt8dS5cdTAwMDJcdTAwMWMz6zKSZej+S3TVUKQwZkNDf3WkXHUwMDA16UiUicMsZlx1MDAxNo9fzlx1MDAxN1x1MDAxN1x0r41CmLaW6rlxpFx1MDAxNVx1MDAxM1x1MDAxYpSlXHJcdTAwMDDEdG4oKElcdTAwMGL3XsCYXkEnXHUwMDE1XHUwMDE4hVxurKVypOjzqEid7WFcdFx1MDAxOXRBrEY+woXF8SnEgdHaQFo0XHUwMDAxfFx1MDAwZdRv0IeMMqDMVMpqcdYhXHUwMDBihvTJXHUwMDEyXHUwMDFiI9hYz1x1MDAwMVx1MDAxYtGOrGTCi43okiWKRyuGykrlnnbyMcAxcZ3Sq1x1MDAxMF+ii1x1MDAwMMj0OnlcdTAwMTGAZE4rztDR04CiUHpCXHJtwLlcdTAwMDJcdTAwMDGGcVx1MDAwMOXg7ZUjKlX0NVx1MDAxY8WTgqFzqbh0RGSnepfMyKH0NTq+blx1MDAxN4OQ6bXA0rPyWFx1MDAwMIxzalOiYscwXHUwMDE2laNcdTAwMDaJnIowabRHOYpAXG4phUBiVjh/0npcdTAwMTBcdTAwMTJcdTAwMWRcdTAwMWJHLV1cdTAwMTXX5PyF6kQtXHUwMDAxMlx1MDAwMpA/51x1MDAwN0hcdMjVSGXeWlxcyfU/cWbQq6TmJf+Z+Ji8TOlcdTAwMTVboIuAx2mgSDLKaKewdoFcdTAwMTjIVFxcQXJcdTAwMTdYfOSo/mnHXHUwMDE4gX42fEwvKFx1MDAxZVx1MDAxZJSR6Heit0/tMZw0njGpXHUwMDAwtbo21oCWiKHvXHUwMDA2j+mll9Lh0SFcdTAwMTE44ZT5Vb1cIlx1MDAwMo+C4saRWHFKrHXSeWNOWCBcdTAwMDHltUL3ZHhi4/GtTUDddFxyXHUwMDFk6lhkv+XuY1x1MDAwMj42clx1MDAxMJCGo1xi1N4+mlIm1yjSWtEhXHUwMDA1zzsyxVCu8Oii75a2nLhM6Vx1MDAxNVugi8DHKTKEnTVcXFF3REnoKL1KXHLhXHUwMDA3XHUwMDAx3qBcdTAwMTFT2/FcdTAwMTmzZ9JbXHUwMDE0RsakpEGf3rDfziXEx1x1MDAxNCBsXHUwMDBlXHUwMDBma8BccmucvlvyTHpcdTAwMDW5VHjk6FpYSipDXHUwMDA3XHUwMDAznYuoey0kutdCKepcdTAwMDBglVx1MDAxNKNcYoJQYD31JyaHRVFcdFeQ/q1HhaRNU4fOgTPLxMJcdTAwMDR4bM5cdTAwMGaPoOmQjTFcdTAwMWY8KpZ8Vi25tFrZ2do1/D84q05ep/SKrdBcdTAwMGaFj1x1MDAwNVx1MDAxZaA609RVmIqsXHTF41x1MDAwMEnqUWnKn2DOKSbjUi1bVYesXHSPXHUwMDA16osmuERh5SxcYo2up1x1MDAwNyGRk5RG1U47XHUwMDE2wrF324A8Xt3sr1xyrlx1MDAwZu7v26tcdTAwMWLdZv3o+Pabx72mwMkoPlprhmmUUlx1MDAwYuesZdFzmVx1MDAwMuhcdTAwMDClsTFGMUH8XHUwMDE0l48jTHiFQ7xOgFx1MDAwZbszmlwi5sOe3lx1MDAxMlx1MDAwZSNw2MrBm5aKc/AmIyVnWaNDXHUwMDA0KJRk3lg41IozNYrMXHUwMDE1XHUwMDBiI9+OLcY8kW/cmFx1MDAxMz6ZXG5cdTAwMDTos1x1MDAxNEt3tfPzxz7fKbVcdTAwMGZ17bhTvajXz/bilp6QhERHdyijgYBt2Co0XHUwMDFhuVeQLqBtXHUwMDA2ri069Fx1MDAwNp3GkTs5SkOCXHUwMDAwnHXOMSH9XHIjjVxuXHUwMDAwmImkKC1cdTAwMWLmREy/ndX0XHUwMDEz05GQdozWjPtcdTAwMGVcdTAwMWFs/PjhtY9cdTAwMGUztL9cdTAwMDRcdTAwMGJMKe7dqe3V1t31U++lxVx1MDAxZtXT/s2L/Z41aahzyl4urm7lfe/qUvW6h+X+o9iL/pY5akaiw1x1MDAxNapcdTAwMGI+V9KQ/y5jhlx1MDAxOU9cdTAwMWHiTGvqXHUwMDA3ZzQ6ZFaNXHUwMDFmXHUwMDAxXHUwMDE2hFx0gM7+tGCQZJNcdTAwMTl6My+bVyXZYsdvi968ISVcdPpEfFx1MDAxZubrsN9HXCLjKo5ik0JF83Y/pl3Bo1x1MDAwNVx1MDAxOa5cdTAwMDPUXHUwMDFiNEq/ui5+tE7NXHUwMDEz+M5b1WjS3eSTWdR8Or/7dvxcdTAwMDKDrW5tq1wioONcdTAwMWFsXG4mRlxyXHUwMDE2OG6p/a/QRo41ZM/ExFxmguFhKnfOMMOkp6Ka4Vx1MDAwMdDGMJpcdNjpoqI+XHUwMDE1XHUwMDA2dOfmY2c1p/NcdTAwMWJf81x01MXJWlxccGUlX2TR6c21nrza0eulzefCrTl0snt3u5GVkJtlfvqtvM5aO4+d4suNWtk9rp3lRch59pH032VcdTAwMTZClkxcdTAwMDa0XHUwMDA1T1x1MDAxMfSW2myPXHUwMDExslx1MDAwYtCaXGbgdFx1MDAxYlx1MDAxOJZ5jpmmYYFGhSypJzuL2N2SjyfaYm9cbj5cdTAwMTZOUeH+ePY9SV2TaHXI4aiRlcibjufvJnnYrT/gNT9MXHUwMDE1jlx0LDfOv7+H/1x1MDAxNuU3XHUwMDA2/On+du3SXFxcXK+fXHUwMDE0L1x1MDAxZvqrvf2tetyevS1cdTAwMWU4XHUwMDE1z1x1MDAxME6aXyjNxo5JrVxutLbAJKPqXHUwMDFhzFfbedniIT9cdTAwMDNcdTAwMWbMve+FuohFg0FC+14u8Vx1MDAxNEDRXHUwMDBlM75mMvvZuLZcdTAwMGXVluvayr08Ll/f1S67TbdysFx1MDAwMOf3rTg89brl0tbD2k3XtF+uVHmgVzdXtlu5VfjQjvNQ9NdcXNrAPytZtIGQXCJAT1xcOVx1MDAxY1x1MDAwZbp0KprrRb2eXHUwMDFjinUntUWY8LSZXrZ6+jI7cDxkV1x1MDAwNlx1MDAxNmdcdTAwMDe1m293TKW0gkPUVpbl3mV66rVcdTAwMWLTXHUwMDA1XHUwMDFmpNPTXHUwMDA0XHUwMDEyXkCnp3RMTItcdTAwMDWg3L1cdTAwMDCEUNpp4VwiXHUwMDA1soc1hlx1MDAxZPrjgpJcdEhcYoDxXHUwMDE4r4bAotlTuXdcdTAwMTFcdTAwMTF6I1VcdTAwMGaB4lx1MDAxMn+YMZKYbHn2lWDKj3NrXHUwMDAww1x1MDAxOVhEUV/WuozHXHUwMDA3jLI0gcwxXFzG671tPN8spIQ1Sq/Y6lx1MDAxY10sxr+5hVx1MDAwMaTv4H1cdIckoYRGn1kwkCiyQYPnxFx1MDAxZNFBXHSnJaWQM9o+iy2PTHFcdTAwMDDpOFx1MDAxNlx1MDAxOZRmgtpcdTAwMTbgI0M+t56MdVx1MDAxZFiplFx1MDAxNFx1MDAxNvBcdTAwMGbiy7uFSaXLulRolFJcdTAwMDaMU1x1MDAxYmtmlFxi1yZcdTAwMWI2rqIsJLQ2Q41DrFaeXHUwMDFjdlxcWlx1MDAxY1x1MDAxZpKj8u3CXCLEerBRXHUwMDA0hlGyXHUwMDEzTTMzdlnSI1x1MDAwMVx1MDAxYp/ySEOiXHUwMDEzJSd851x1MDAxNDK5XHUwMDA3XHUwMDA0N+gkW2Vzb3WJK8ra91x1MDAwN8dC4jKlV2yBLlx1MDAwMlx1MDAxZdM3WL5EI5JAc8ukkqDwXHUwMDE2eDyg3Vx1MDAwNThsoH7yTjKB9/LG6DiMknI0XCJmXHUwMDA01YLxpI5a1HMgUHQ7/Fwi0dJ7weNcdTAwMWGvQf9656ZW2n8s3MJcdTAwMWFUdjY8QfZJXHUwMDA3NrSFxFxmpenTS7Bo6Fx1MDAwND5cdTAwMDDUllx1MDAwNklJK6BFXHUwMDFmQ8gs9VvlVK7fZyru+JxcdTAwMTVcdTAwMTNcdTAwMTNcdTAwMGZowKFcXKTIcVx1MDAwZiR6wu1HiZnoXHUwMDBlcGP4XHUwMDAyXHUwMDBmaLrXnetaX+u+qtTa/XJ9V+/8PF3AJkzqdVvdm6Ni8WZT7K+sra+fn/5od/c+5OaO/+nF7NyzuYNzXHUwMDFkUFx1MDAxNJtcdTAwMTRcXFx1MDAwMYroqFxuklxcTDLxXGZxXHUwMDE4y/qtSSb+4jdx7+5cdTAwMGVcdTAwMTiDTrz3sFXLxDBcZlLw0nHIPVxifO7tnVx1MDAwZlx1MDAxN3cxgSzHN3reNNJcIlx1MDAxZNFS/Vx1MDAxYUGaTlKGtKC2Oi5q0UKqQKJ+XHUwMDEx2uAsOuWJb0a3XGKoJ4NcdTAwMTT4h4XDMEYxXHUwMDE2+CtcdTAwMDRQXz90XHUwMDEyuVXL0jN+XHUwMDAzv2ZsbseGZlxuqJq6z6+Jw8Goca9cdTAwMWSWXlNvsrH7/k09XHUwMDEzVym9YutzdLVcdTAwMTgx5+bWTLHBwjiVXHUwMDEy5VQ5XHKnkFx1MDAxYk+lXHUwMDE3Llx1MDAwM66sXHUwMDE1yIfSoPs2ayHXdFSLjoq6XaG34oxVKFx1MDAxYZVnUFx1MDAwMfWXVVx1MDAxY5jW1K3bvVthrlav/+2xvv5cXLyBVVx1MDAwYnLtZPugfpNJ8VxirVx1MDAwMyqFTjnZjmpXRPFcdTAwMTFcdTAwMTCZtWGghGJ4h56mnjZA7Ux1evCv5XHWlHjIp4h0MVpzrZzynWhcdJfcQkqju4liNnfJY1FGzVx1MDAxNXharH7sXHUwMDA2mWPjyymIRVx1MDAxZlx1MDAxNFx1MDAwNodcdTAwMTXGXHUwMDFmXHUwMDBld9X2dWvvmO16pMwsQSzauYBcdTAwMDPVX0SClOFcdTAwMDZFyyCW3zOcq/Ha+XdpaVx1MDAxYbTS/lpR8cblo1x1MDAxY1x1MDAwZURb0Fx1MDAwYuwnM6hcdTAwMTVWyq1vu7fnl+ubm89H31i7YLJuXHUwMDFjbK03fuiWOuupnXNzoy5cdTAwMWFba1x1MDAwM1x1MDAxNf0tM21I3Fx1MDAxZe0119Rm/75wtrntentboqOaOVxc93hwUDjvXGaO6lx1MDAwN1fVTf5Y/tZ9Ps0j6ubhflPvbJ2Jh8OXk/vj3mp/ZVds5rqBMo1cdTAwMTBNXHUwMDAzKe9sZ5JcdTAwMTPD0u9cZlBPoHbgXHUwMDEwLdZkgHpmUIIyXHUwMDA3R1nKcTmhXHUwMDExwpyjXHJsldDFbiknXHUwMDEyXHUwMDExyWWXXHUwMDEzkmrcJpxcdTAwMGZxplx1MDAxMlx1MDAwM2So/TJcYlx1MDAxZKrG+O6O1Fx1MDAxZj2xsr5S/FxiOydcdTAwMTMoflxcZkSHnY/KOD/6/rR6Umnu7ezJuvmx8nJxcH6Uj8pQ1KLKcjRfILlvbdwnWMqMPI16ZX6ZoTXlXHUwMDExKW89cyGSa2ZwXHUwMDA0bHotTmfcXGbOq/frO/2aO6ny07vu2U1nMMjKr/2bXHUwMDFhPNw8XGY6slK8UHtb+kfHnOTB25u96/uKvqw9rjbsj1LtWPPTh1x1MDAxY6779lx1MDAwNyo56Vx1MDAwMf+sZNJcdTAwMDNSXHUwMDA0TqFcdTAwMWWgXHKEcN/3IZRQllxmvmk0il2A8HBD0bLMoFx1MDAxZaDyLYp2/pZ6YFxu6FjNrlx1MDAwN6xlXG5cdTAwMDQ3vmC6tPZYhkrls3Ao5UeRXHUwMDAzO8WNj6BcdTAwMDYmUHEsYDY86nzEQO25tb6/c3t1Zc43j4pcdTAwMWLXl8X9XHKPXHUwMDE4SMxTNTpcdTAwMThGyyqjwClcdTAwMTO14WXb2je24bW541x1MDAxZTjnylHvXGJ/P1x1MDAxM5lcdTAwMWP5IJ2lcD+5wI2G4vVBfeN44+Xn2dZBQ6r177X+/vF7XHUwMDBigDk2MLJcdTAwMTC1XHUwMDA1lVNcclxu/9PLRNTWXHUwMDA1zClB7f5cdTAwMTDTxbiVL/vPv6mVXHUwMDE3szM1XHUwMDA3XHUwMDA2VnDBvK47XHUwMDBm0ds4VSuwUlx1MDAxYZU/VU+5gONU/TFcdTAwMWLQTyDOxTegr7ObNXtZZ0/m9HnzZ0GLwX37PjuTM3AoxjV1XCJzknFcdTAwMWJNa18y+Vx1MDAxYtv4+txMLlx1MDAxOKMolVx1MDAwNCZPOTDgZthu1IpcdTAwMDXGMPZ1+2Tz7Oz48LHVOOjW7srXW93D93a55zgyWCyT+59eXHUwMDE2JmfUacNcdTAwMTjHQVjruImGKS970L+xlW9kZ3IhXHUwMDA0UXLCXHUwMDFlvE0uXHUwMDE5wyVYhPDZXCKSJy1gOcVcdTAwMDKOMfnHakI/gS9cdTAwMTfXhD7dMUlcdTAwMGZgRGFuXHUwMDAxNFOgqP5tvFx1MDAwYr3R1G6aYjxcdTAwMTjEzZmqTJFcdTAwMWW36MdzKblnXHUwMDA3jVxuOlpuXHUwMDAwqIVDJC12uaFcdTAwMTY17s2sXHUwMDE0nrJcdTAwMTcvmFImXHUwMDFjglx1MDAxYzJ6q5NcdTAwMGbelLHacifzP3ibVb7n21x1MDAxZippndIrtkJHV4vRcn69RVN37r5E+9BcdTAwMWIqJm21QVx1MDAwZktbXHUwMDE26k3wO1ZQXHUwMDA1XHUwMDE0SGidkUKA5p5K0ZniXHUwMDE3012SyJjUMGbPKpBMcOXiXHKreEClg5HkwejhXHUwMDFl+7t1P0lXe+nwyFXAJK5cdTAwMWMtnTAwvm8hqFatkFx1MDAwNrRQ0oRStl4z+l0ggVx1MDAxYVxyUp9sXHUwMDEziv9cdTAwMWWho1x0rJNotVx1MDAwMlx1MDAxNVx1MDAxNYXXLtExXHUwMDAxXHUwMDFkv82NjpqCXHUwMDE1qeGjXHUwMDBmXHUwMDFjwSWDI/WtxIVuPo5cIso3bTVpmdIrtkA/XHUwMDE0OFx1MDAwZVx1MDAxYtFzXG47p8RUhCNcdTAwMTZKuX1tLkq3XHUwMDA2tLfgXHUwMDEw4dGcZ0PHdL1cdTAwMTdcdTAwMWSU0Fx1MDAxNtAjpq1cdTAwMTBLLU/j8PheaJi+25yexa/Qd5OcW4JDx8R4l+WJjehcdTAwMDXSlFbD6oZWK6l8Ozw2UMhcdTAwMTjoWTpcXHEslCO3xMMoXHUwMDFlbs2vXHUwMDE2qfgkzqpcdTAwMWZcdTAwMTBtWjdRVCQkRfLPd/lcdTAwMTBqsZC8UulcdTAwMTVbo4uAxMzaLNaL3uD/v10v+vR4tKiOnbJcdTAwMTc9c/FcdTAwMDJcdTAwMDNcdTAwMGJCyfSdvPQyUEpcdTAwMDXSKlxcy+htUF+TMZSM9qL3aEZcYqjRoeWc0n6Y9nWEolwiceC0M5RWY9VSNCaB5PbcIInsjfKPJWCkSVx1MDAxNI3WUaMhkXtcdTAwMTeUXHUwMDBmolx1MDAxOVx1MDAxM1cpvWLrc1x1MDAxMVx1MDAwMJlZno33o3dxcMypXHUwMDFmfWZsjPWjXHUwMDE3XHUwMDEwl4zRfvTGU31lUe2gUjNcdTAwMTjSwZGKymtcXFx1MDAxOChcdTAwMWWo3lNcdTAwMDRcdTAwMWJccvpcdTAwMWGcc2DSaiOYjlx1MDAwN+xpXHUwMDE5WPTEXHRjOVx1MDAxMoinXCI9o1x1MDAxYTtGOKCmUlx1MDAxNnlwWVx1MDAwNipcdFx1MDAxYndy2G506OXgNHpPXGZdcuwv1UHUXFzNWCr34ydMJ61Telx1MDAxNeJLdFx1MDAxMfBYXbu7KW+en1xmKo+FtedBffWgW7hOwlwiSUVccpyzXHUwMDA2J1x1MDAxN5T1lF3ijNrG4OyjmVKXXHUwMDEwYd5cXD5cIskoKs7Hh20thCdlXHUwMDFh5aNcdTAwMTDGXG6FklZTV4v3Qsj0XFysXHQlJXhcdTAwMDBIPchcdTAwMDZOoH5cdTAwMWbZ0K9S4jag4lC0lU27wfEsTElcdTAwMWJcIoYrsGhd4bbUoUgpXHUwMDE3MKHxXHUwMDEyyCGMXHUwMDFhly2PZJIwcnd+jORcdTAwMDZwNrjvRFx1MDAwNp3HRP2Iy1x1MDAxOOGD5d6P/mNcdTAwMDBkIXGZ0iu+QFx1MDAxN4GQU6k16jVvhKBkNnSvQ5Wgv4SKSihH503GSYVSU8eXSCaE3DlWXHUwMDE3xyuXrLP72G0+9U7Ead2eJVxyyylOe7hcdTAwMWNAgXImrmxVgJ9Tj2hDnaIlxGF7UUUlUtNTJlbdcUJax1ArXHUwMDFhraIpZFLJQHDrnFx1MDAwMcVVqLLGK0RcbkpA41x1MDAxMilcdTAwMTgpWmrFfOcyyG/4MFxyk0hwXHUwMDEytFxclt1Jwsi9+TFcdTAwMTLEME/PW31CxdXla8NcdTAwMDXgZFviP1x1MDAxNCST1ym94it0XHUwMDExIDlNiVx1MDAxYo5a7VcnWCMphCSORshcdTAwMDKSkWCjkqLcKjnj0cxcdTAwMTSH6Yxq61x0i9yj3Vx1MDAxMFx1MDAwMn3AzVx1MDAwNGosq5zUqNTVu2FkumafXHUwMDE0ketAI1x1MDAwM1x1MDAwMdhh58dwaMfQ2Vx1MDAxNlx1MDAwNmFSW1x1MDAwM4iTnmL0qD1cdTAwMDJFJ2pI0c76O7FOXHUwMDE1y/OZmkxds/35w3G5slx1MDAxNHjgi9+zOvlsxjjKjF5oXm2lV9+otddbzavH+82jvZPtPbe1s4B6XHUwMDE4MZiLIzlcYimn6Vx1MDAxOZ1ijf67jFljPGjWXHUwMDE5XHUwMDEzoIq1wCk6S+oxQ5RcItVcdTAwMTCdxY+RXHUwMDAx0Fx1MDAxZESf1ljPppdZ2mGSXHUwMDFkXHUwMDFl+O3QXHUwMDE3MGtcdTAwMTDtUVTGXHUwMDFim9NnKjmPXSnHmIT8Q+emXbujpThqV0r5XCLDXqXPzWa1362XP0z+y1x1MDAwNHLztF6ddC/5RNOm+1uT63hcdTAwMWJcdTAwMTdIztBJIaHhbLTdsmMusNpS6T8pXHUwMDE593SCU5a6NXPOk3JgXGY6P4Zq3CCkUKnwaVx1MDAxY5MqQz3JP4vtXHUwMDFmzs3BaPboSnIvJKDbkdzogPIjQGu7wNxWflje7l/u3Z+4ypV+3LzeXd0o9/7jikf57zJcdTAwMDNcdCP36oBcdTAwMGVshaSIdje2a4BcdTAwMWVWIGFYw1eh5cZcctOpwFx1MDAwMeWtcP3LNuOWOVVcdTAwMDbq5zLFo+w0PERNQM/MX1AmvkdcdTAwMTBcbtNU0jI+m/J902pcdTAwMTFcdTAwMWaPfSewXFysXHUwMDAw95tSrt7ePN3oVn4+NZ62y40tVrkpf3/KTLmCmYBOxVFmXHUwMDFiZ1xyg6hlXHUwMDE3lKK2VEYrXHUwMDAxXHUwMDBlvXqnPZX1QVx1MDAwNNJcdTAwMTnppLVCK+1JY5mqd8bn0tjHc/PsMFx1MDAxY1x1MDAwM5SLt1x1MDAwZfpKQfRJXHUwMDE271B2u1x1MDAxOc9IZiPZh11XaG5cdTAwMWXtXHUwMDBmVrYvT1xuTyfnjTt1NVxyXHUwMDE5UnM0XGIlPc5Fhv7RZCBDOmSUjlE5V60lx8dcdTAwMWY1XHUwMDE56SaajFx1MDAwNsqMcIrqZVPpJFx1MDAxMTeZqfI4P5fJnEzBh8iFXHUwMDE258L6bCN5b5w7R0dUkHOI7vTrN0aGW63OoN/7XGIkOIF3xklwfOD5kF9l705WX5yt7f1w5crl7V3p6nFtXG7yg1x1MDAwMCh3QyqljVx1MDAxOKu6UNCBQU2L7ijaMrfozXioXHUwMDBmv8NQXHUwMDEyXHUwMDBiUNZJ5lx1MDAwYqpa9o1KNORcdTAwMWbzc1x1MDAxZlx1MDAxYbjQXGa8TqaM12FcdFVdsIIweoH0t9K4aT+eNNeUOzbr/drFTnHv+O7d6M8/miz0xyHAXHUwMDE1j8BcbtpKzW00r6/Ax63GYzZSXHUwMDA3mjtrrcSL6Fx1MDAxY1pcdTAwMTN8KrM5nYL/ND5kYcOpQCH+S1x1MDAxNodcbj03y9lsRUnemFx1MDAwMJG1mtVKXHUwMDFkL/wheHBcdTAwMDJcdTAwMDXFedA7/nzo8Mx9f95fwVx1MDAwN73baojawcmgpipiXG46TPVcdTAwMDUlXHUwMDBiLFx1MDAxMNQ6hsbrI8N8/cDPtclzllx1MDAwM1x1MDAxN3KUIehSeHtcdTAwMTbIxJolNFdGWT1TOPFsVHg7WGteVe7Pi8Xq3kPvfkX3T46e3o1cbv2jyUKFSlx1MDAwNlxuRSTSj1x1MDAwMs2Mi4bkS0g3XHUwMDE4y1x1MDAwMkdccnqcXHUwMDAztDpvMe6pWPBzXHUwMDE5zPlcdTAwMTQsKCRcdTAwMDXSMOUv55OoXHUwMDEyjWLconV8PFx1MDAxNjxcdTAwMTj0P4pcdTAwMWY4gXPG+S828qmZ7y+/geFrqdM56eOTfYVJXFxL9crYU/j1Xr/aXHUwMDE5PYHhW3vtSnW9VbpujD/lr1x1MDAwZvXq42rcdP56M3xcdTAwMTFKXHJhhMymOoTof//l3/9cdTAwMDc8sO/XIn0=PublicKeyEncapsulatedShared SecretShared SecretEncryptedSymmetricKeySymmetricKeyAEADKEMKDFEncapKey EncryptionKeyBase NonceEncapsulatedShared SecretPrivateKeyKEMShared SecretDecapAEADKDFKey EncryptionKeyBase NonceEncryptedSymmetricKeySymmetricKeyInputsIntermediatesOutputs \ No newline at end of file +eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO19aXNcIkuS7ff+XHUwMDE1ZTVfm+xYPLY2ezamldK+ldaZMVx1MDAxOVx1MDAwMiS4YpFYtI31f3/uVJXIJCOTXHUwMDA0UohpQdetvlx1MDAxN1AqMiP8nONcdTAwMTG+/O/fvn373nt9qH7/57fv1ZdyqVGvdErP3/9O7z9VO916u4VcdTAwMWaJwX932/1OefDNWq/30P3nP/7RLHXuq72HRqlcXFxynurdfqnR7fUr9XZQbjf/Ue9Vm93/pL/3S83q/3toNyu9TjD8JYVqpd5rd379rmqj2qy2el28+n/hf3/79r+Dv/GTeoV+o+AvNd5dP945dlx1MDAxYsXX/n139WLvbfCjgy/9uYVOtdwrte5cdTAwMWHV4Ucv+L5cdTAwMDJcdTAwMWJY55S01lx1MDAxYaO1ev/0XHUwMDE1Py1IXHUwMDE3XHUwMDE4J1x1MDAxNddWMjCK2eHnz/VKr4bf4UxcdTAwMDVGKm24c4ZcdTAwMTkm+ftXatX6Xa2H3zE8UEYpyVx1MDAxOVNWOXj/xq9cdTAwMTH981x1MDAxYnt/p9vrtO+ra+1cdTAwMDbeP1x1MDAwZfs/xK2rXHUwMDAyXGZcdTAwMDd9Uyrf33Xa/Vbl/Tu9TqnVfSh18Clccr93W280Tnqvg6vj/OCD/T7yO85/34BcdTAwMTh5P+mn8Jfe1VrVLs3E8Fx1MDAxZdtcdTAwMGalcr33OnhcdTAwMTDDu6BcdTAwMTE+bFVcdTAwMDaT9j/DMXVwurdo1lr9RuP97XqrUqW5+F7Skd/Wqvz+bX9mfDid8vc7/1x1MDAxYY69WqVcdTAwMGJcdTAwMGJmQVx1MDAxOCvMcIShxcpg9N39dmuwcK0yUlx1MDAxYSWH81vvruPS61xyrnqLy7c6nFx1MDAwMlx1MDAxYdrG6LJcZi/NyMrrVV+G81x1MDAxMlq4W1VxtFp7eGhcdTAwMTVcdTAwMGWOXHUwMDBmXHUwMDFmXHUwMDBlL69fXp/q39+/96+/+y/764dcdTAwMGaK29s4ZrHaPl0vXHUwMDE1nspitbv7XHUwMDE4/S1/fn+p02k/h677+9+G09J/qJR+3Sc3oLVcdTAwMTCaO+P0++eNeut+dM5cdTAwMWHt8v3w0fwtNOBcdTAwMTHz9N9lzDwjXHUwMDBm6ZdlXHUwMDFhXGKYMNI5x5nhykYtU7hcdTAwMDCNySguhVGgpIlcdTAwMTmmUlx1MDAwMVx1MDAxOOdcdTAwMDCtm3PDrVFxw1RsaYp+UzR+U4x8+7fNces0KOOY8thcdTAwMWOHRJtcdTAwMDPLLOfauGlsLs/lO1xcjbRcbvHuXHUwMDBm+zeNevm/WzvV19A0tlu9k/pbdVx1MDAwMCSRdzdLzXqDnruKXFxppVG/o0fwvYyDrna+h59Dr45k9/6FZr1SXHQzU1x1MDAxOS9aqreqna0sXHUwMDE01+7U7+qtUuNnZPTfXCKDL/V77eNq99fwe51+Nfx4qj/+2Fx1MDAwM1x1MDAwZoRKMeY3XqnUa1x1MDAwNbnd3zuqXHUwMDBi3uk9XHUwMDE3X9qZuVZLjjbrmDVcdTAwMDDAXGZcZk2Wnp1kJuBWXHUwMDAyk8pw7Vx1MDAxMMXjVKtVoFx1MDAxY9K1Y0KC9Fx1MDAxOTSChlLMWC6GXHUwMDFmjrfsKrK25F/Esu3MJGtxXHUwMDEyQduQ4Vx1MDAwZe1daTv67lx1MDAxZntcdTAwMTfMceQsLufHsdWN16urrfZL+/XobG/b7Vx1MDAxY203irdZOXZzne2YduH58bqxd7GyV9l+VeereXGsQYlcdTAwMTJ6XHUwMDEyM3Gs/y4zcCzCdiC11dI4wThYXHUwMDE3tUjuXHUwMDAyUDjNwJ1OsEipXHUwMDAz/IJ1XHUwMDE2KVpYx3TcJCfi2C9liS47x1rLUOooJn0mx2Ji94/J4Y+AdDI0c/lQ7MSrN0axXHUwMDFirXLpodtv0HX/u3VSw/msfDupljvV3lwiUO5cdTAwMTimXHUwMDFipdxMd5NcdTAwMGZcdTAwMDfDlTtfWX1cdTAwMDYn+b7UIPrq+qKRmYOBQWBcdTAwMTmAZs5ILcVQnGXmYIdfXHUwMDExTlxi+vFcYs++W7ychHtRrPGy+FwiXHUwMDE2vzIz93JcdTAwMTTUXHUwMDE2XHJQe8lcdTAwMTdi774jgZZSKFx1MDAwN3YqKJiOfc+bW1x1MDAxYpXTdq/evCzzXnd16/GgtpOVfXfvL1fUX0c/XHUwMDE5lFvn+q0sy83nZjb2Tb1uea+ysvfj/vz8rtU/OWqV33prXHUwMDA393mxusK/XHUwMDE0hO16elb3P71cZqxcdTAwMGWCXHUwMDA1Tik0cI7ELWx0T0tyMdbGM7D6RPr6S9n4anZW52jGXHUwMDE2TdJ5jZnHyH5I69pcbiWk4tNcdTAwMThznus3xutcdTAwMGLH5GP4cpTJP5S7j59Pt9fXXHUwMDE4XHUwMDFjPN5cdTAwMWRv7a7vVWG78TP7XjX6z1xuKVx1MDAxN4xyXHUwMDFjJXt0R8wxXHUwMDE3WG1cdTAwMWTnSkrGhyvq3aqBXHUwMDA1YCwo1PS46rzus116zVx0Vr02O3MrKzWToHzbZMolus2OkJyZOXrN20+7b1svx42L6/3V/bNG9fyxfVTJyq/tPfV0vtk/Xq9vnm+c1o4qvfXCZX5eM0dXNVx1MDAxZn7132VcdTAwMDZ+VUpcdTAwMDRaXHUwMDE54Fx1MDAwMlx1MDAwNFx04Vx1MDAxMTvkkG6Hzlx1MDAwNoI7J8BcdG2Usb7zoqVcdTAwMTkmmeHZXHUwMDA07CqZQ5pEseMxuLBcdTAwMTBcdTAwMWUxOOWkM+gk5e80T7h4Y+SKbmbn9eGXj/nabFZ7nVx1MDAwNdqlXHUwMDFlQ25cdTAwMWWXedy95EO6h8XLo8dD9rLWOj4unGz1+k+HW6+ZSVegv8ukJDlccsiZLOowXHUwMDFiKVx1MDAwM3LGOG2S2eFnQ861geHAOU/ylY1cYnCxKa40XHUwMDAyXHUwMDAyvpZnw1x0lr8xO1x1MDAwMVuSTVxmJ8ODXHUwMDA34Vx1MDAxM6NRtc0tbb2BniNcdTAwMDXvn63qzZ12oXB4t8ebbdW4K7ZlVlxuXiu3z4/3dvePLn6e2JuLrUfeXHUwMDE3XHUwMDA3uVEwJ88wXHUwMDFmXG7232VcdTAwMDZcblx1MDAxNk5cdTAwMDWOM2RhK4xcdTAwMWRccttAS0Wr01x1MDAxNtlVgYxbpVx1MDAwM/SPneOK61+GXHUwMDE5N8vlwXCSXHUwMDFkbmYnYGWtsOhy+Fx1MDAwNK+Jy+A/9oZcdTAwMTNcdTAwMDecgc3buZ145cad24Uj3THkXHUwMDE2824/lGnvrs0rrJvb5trTfulu5/Hx5Gf5R9ycK/VSs92qRC1acVx1MDAxM0hcdTAwMTReTkhcIlMxxFp6etq5gCvBXHUwMDFjKK3Qc1x1MDAxZC6N4b40Mi1oo1x1MDAxNZfacDtcdTAwMTTl7zaNPFx1MDAxY3BEXHUwMDBlLaRBIebM0KoybGFV6X9fxMZ3snKtSOJajVOFz9lr+laz0XfffV1LUXZqnkfEhdVu86Fzsv9YOzsuc16+Lzy83GRl2r9+3Jysts9+bN6VXHUwMDBl1vnJzu66vJHZmDb1uv3u08pheed6/2n9pHvUvDsvr951c7juXGbKIPW6XHUwMDFm6vRrJaTM6ajcP9tcdTAwMTlcdTAwMTSHMjJQjGlnmHBW6Sg+odJcYlBpXHUwMDAwXHR5/NRcZrXkezSaRlx1MDAwMHO0J1x1MDAwZqCk11x1MDAxNZhsS/0r4dFuds0hkeeNtvGDMFx1MDAwMlx1MDAxZZ7o81x1MDAxYpRcdTAwMWKAXGaTt+aYeO3GNMfKxsr6XCIojTHkPqo0osPO6ej7r6tL1jhTW/fnK89sa6Nw8WP3KVx1MDAxN31hZWCd4Y4plFx1MDAwNVx1MDAxMN4xWuqL3/Obpz3vzawvXHUwMDE0k1x1MDAxNlx1MDAxZnH8iIwgQInRd9/1hTCOcaOmXG45nU5fPD7V937+OLxiZ+XNn5vnp2uqyq/nXHUwMDEw5p163Vx1MDAxOULbUq/7oYfrg7heXHUwMDEzRo7pdYB/VrLoXHUwMDAwy1x1MDAwMiNQXHUwMDA3MC04XHUwMDFm2XjgIFx1MDAwMkRcdTAwMTdl+eBsXHUwMDAwRFxcXHUwMDA3IEZQpohVXHUwMDBlb4fD7EfrX1x0N/Yn2HtcdTAwMTBSXHUwMDAzSG9MuozvXHUwMDAwvu/1OSY4XHUwMDAyy1R5IHmu3ZhcdTAwMGXY2dhbXHUwMDA0XHUwMDE5MIaDR2VAZNT5qICd4mO/fv9UuKnAdf/+8HKrflafVlx1MDAwNVxm1/brwDZ5oDnTXHUwMDA2558r43TcfJcyIEdzPphZXHUwMDA2cItcYsok86Z74VxiXHUwMDEzN1x1MDAxYbhSUvNwPO2HXHUwMDBigduD+kqvU3SHN8+FV6XWXHUwMDBmr1sn8NnRcGvlzdfNu+uf4uWp2SnvbJbOL3fPcrju7nal89QtXHUwMDFjlF96xbXn8tnBpqrUclx1MDAxNVx1MDAwMjZcZlx1MDAxZdNcdTAwMGJcdTAwMDH/rGRcdTAwMTJcdTAwMDI8YEBcdTAwMWJcdTAwMDJcdTAwMGVcdTAwMWR6K4dYMYBcdTAwMTLt0KOQTEtcdTAwMDWapIJPXGIw49DpkFxcXHUwMDAy4slSXGJMgFx1MDAxY4fZhYDgzEpcdTAwMTmOdlx1MDAxYVwihNPJIXZMXG6OwJJ7iN3EizeuXHUwMDA01jdcdTAwMTdBXHSM4eGYXHUwMDEyXGKPOlx1MDAxZiWQ7lx1MDAxZI1cdTAwMDBMxHg1g4Ah/zOHP26Zi1x1MDAxYa80SOBGKLw2s8w6TyxdIHF9gFx1MDAxNuiGSuNccqWTLtDCWvzYXHUwMDFhrqSa5GD/S9ny0ewqgKGkk9xcdTAwMTPSM7D/ZFx1MDAxYlx1MDAwN1x1MDAwMVxi3GY6XHUwMDE18CFq/6FdXHUwMDFmXHUwMDE1XHUwMDE5w3/7NlxcMoP/eP/3//m799uJq5ResfU5vFqMgVx1MDAxYqVub63dbNZ7eJuHNMRcdTAwMTjY9kqd3ipOar11XHUwMDE3nbzf9Vx1MDAxYrJkslx1MDAwZYCr3KfbL7CAMWGU0lx1MDAxNsmTnGXOROh7d6VcdTAwMDfC74BcImtcdTAwMThF4IBcdTAwMTL4/7FcdTAwMTVSbVXGjyrdp1x0jVxuXHUwMDA3ZShqXHUwMDAwXGZHUreccVx1MDAxZFx1MDAxYlx1MDAxM1x1MDAxN5TkSlnnRlxudCFcdTAwMDTEly09rFx1MDAxNUKlWrVcdTAwMTSzXGZcdTAwMWNy+LNR+Ko2btrPmaRNumZMg0ewXHUwMDEwXHUwMDAwrmJtXHUwMDE5p1xix6ibJFx1MDAwMVx1MDAwMpxcdTAwMTdAR1x1MDAwN7/gZNxLMiZQTCh0pK1BXHTEh9g3jDRGjCVmRlx1MDAwNW85nVx1MDAxNC7h0Vx1MDAwZo+ns8MjilD0R8NZgEN41JBcYo84f5YrnXdcdTAwMTjk9Fx1MDAwMihXcExcXKP0iq3OeYBjeqZCXHUwMDA0hvApXHUwMDFh7lx1MDAwNiNUwIa7XHUwMDEw7yhkXHUwMDAzfMaUbC1cdTAwMTS6XHUwMDE48H5cdTAwMDNcdTAwMTNcImO6xotcIqNmXGKHhlx1MDAxNLNVwofWXHUwMDFjXHUwMDAyXHL4kqi+NOlr9VnIeHH26KR6bl/WXHUwMDFlr273j1x1MDAxYlx1MDAwN+qgfZ45JFRcdTAwMGJcdTAwMTdcYk6P1lx1MDAxODozjMZ/KydcdTAwMDOLi5xiffHZM99R0vhcdTAwMTRKPUn82ZdKr7rMioeJcaCgLbrsXFz59oxcdTAwMWNPLFeCREc6Y7qw8PfRTbRl1Os+1Vx1MDAwYnataX4+dU7NeuvK2s3MiVx1MDAxOFx1MDAxZrW1M0PMS1xmOz1cdGiOy5y2dvxPL2blvrJcYqjhuNXSUaK0MKNcdTAwMDZux1x1MDAxOTjIQFGsoWLcJVx1MDAwNHtMXHUwMDE0YPqlXGb8KvveXHUwMDBl/jZkQWu8pmxdYoQp0lx1MDAxMzjFhcw/f3LC5TtcXI1/tkmqr99+p0bggFx1MDAxNybOdFxmY8Y2e1wid/FcdTAwMTGliFx1MDAxYYfl83p5t3p++rb7Y7W9t6Z7273MXHUwMDE0XHUwMDFlK4NcdTAwMTBN61hy+Mea+M3MXHUwMDFjzlx1MDAwNSitKaPKZ/kp27pcdTAwMTZdd/KG5lx1MDAxOFx1MDAwMdI8LVx1MDAxNvVK/2fr+vr04nll8/n8rbY1h4OU1OvOXHUwMDEwYZqFxbVcYsX3z8Ti/qeXgcWBcrOkcsjmXHUwMDFhWZhFi1x1MDAxYqFxXHUwMDA3Mt3EuVxiJKc0XHUwMDExg1x1MDAxZZRcdTAwMDXpOetdVkFIMvHyXHUwMDA0LC6dou0057flxDNcXMFcdTAwMTBcdTAwMDSMwFx1MDAxOcqdxSdcXL4xXHUwMDE2Xy11q99+jXNcdTAwMDHIe1xmV46St2/w+ZB2ukuSemAj0edmg41sJ5F1o1x1MDAwNzZKUPg1XHUwMDAzTiFVtDVcdTAwMWIzZmtcdTAwMDLNXHUwMDE0Qlx1MDAwMiVcdTAwMTZJYTw7klx1MDAxYVx1MDAwMmeBXHUwMDBia1x1MDAxNf69XGbbSDTtSlb2TtyRXHUwMDA0gYKJXHUwMDFi75ksXHUwMDBmXHUwMDA31cSis6xFqFb8Q0qGfv6eZOIqpVdsfVx1MDAwZa9cdTAwMTZj5Nz2JCfYXHUwMDAwXHUwMDE0YJlzmnbFqMxFfP9PXHUwMDA1RqPxatpUppuIi7tMe5LprkhkSFx1MDAwMIKxQclRXFxxIF1sSDJwILnGodNcdTAwMDPFf+L7pPM6rEnVeWnQiNxcdTAwMTlQOVWg9Fx1MDAxNOt49LBGXHRFn1qG/0hcdTAwMWJcdTAwMGWYfj+sYYFC2JSAT4lxXHUwMDE5qqQ8hEZcdTAwMWIwgy/HlDJMhdB3XHSNXHUwMDExaKzOXGaNXHUwMDFjwcjhqvU6No4nQ6NBjWtcInEu/1bQWEhcXKb0ii3QhcJGOsxcdTAwMDY6Y+KWylx1MDAxZTNlh1x0Ju9QZFx1MDAwMie1spKA39Kx03TomK71ooNcdTAwMTJcYlx1MDAxN05LUFZYppnwXHUwMDFjZn9cdTAwMTZcdTAwMWOmbzKnKkVcdTAwMDf4tC3l9kvDcflG3T5cdTAwMDVcdTAwMDHyKlxuRdrclVx1MDAxZaVcYlxul1x1MDAxMlwiplBWK4fM4IFDXHUwMDE34IVcdTAwMTmlI3Oc1JDvuITDXGJcdTAwMWPezlx1MDAwZYco5lx1MDAxObVz8OXzUfH4RDzEaXFcdTAwMWG1ZO7H11pwNlVcdTAwMTWBfPEwcZ3SK7ZC54GHmYXZILhcdTAwMDfxmlx1MDAxYVx1MDAwNzDLXHUwMDFkIFx1MDAwNklcdTAwMGb4XHUwMDA0XHUwMDEyp17jXHUwMDFmxoWhWNrpIDE9czGqYVx1MDAxObegXGb+oZLXXHUwMDEwR2muXHUwMDExNSkoiTOjUadcdTAwMWLPyp1cdTAwMGZCpm/gpUf3uFx1MDAwMG9Oa5RcdTAwMGLoa2hcdTAwMTctxK9cdTAwMTVcbnVcdTAwMTQhyEbKUCpTXGZcIjVyXHUwMDE1XG5mRXU6JHNcdTAwMWVf2lxmtt5oU1x1MDAwNylmsoY3X1xuIO9yiH1Uglnlj29GmkssXGLsjLbo8qjc9Vwi5cVcclx1MDAxZsxn4WPSXHUwMDFhpdfo6pxcdTAwMDc4ZtZlJMvQ/ZfoqqFIYcyGhv7uSFx1MDAwYtKRKFx1MDAxM1x1MDAwN3mGLFx1MDAxZWGYLy5cdTAwMTJeXHUwMDFiQJi2lioucaRcdTAwMTVcdTAwMTNcdTAwMWKUpVxyXHUwMDAwxHRuKChJXHUwMDBi91nAmF7jXCJcdTAwMTVcdTAwMThcdTAwMDVcdTAwMDTWUsFA9HkgUlx0d1DkXHUwMDAxXVx1MDAxMKuRj3BhcXxcbnFgtDaQXHUwMDE2TVx1MDAwMJ9cdTAwMDN1XHUwMDA08yGjXGYod4zizp11yIIhfbLExlxiNtZzwEa0IyuZ8GIjumSJ4tGKgbKC3Fx1MDAwM8NcdTAwMTdcdTAwMDNcdTAwMWNcdTAwMTPXKb1cbvElOlx1MDAwZoBMr2RcdTAwMTVcdTAwMDFI5jRwho6eVihcbqUn1NBcdTAwMDacg1x1MDAxMsowrlx1MDAxNDj18cpcdTAwMTGVKvpcdTAwMWGO4kmVoXOpuHREZKeKdMzIgfQ1Or5u54OQ6dV60vNmWKBcdTAwMTjn1EhcdTAwMDBixzBcdTAwMTaVo1ZcdTAwMTI5XHUwMDE1YdJoj3JcdTAwMTSBXHUwMDE0UlxugcRcZjh/0npcdTAwMTBcdTAwMTJcdTAwMWRcdTAwMWJHTVx1MDAxN4Frcv5ClVxcllx1MDAwMFx1MDAxOVx1MDAwMci/Zlx1MDAwN0ipkKuRyrzVcpIr9OHMoFdJ7Vx1MDAwNf498TF5mdIrtkDnXHUwMDAxj5NAkWSUc0ph7Vx1MDAwMjGQQVxcQXJcdTAwMTdYfOSo/mnHXHUwMDE4gX46fEwv+Vx1MDAxYlx1MDAxZJSR6Heit09cdTAwMDXsnTSeMUGAWl1cdTAwMWJrlJaIoZ9cdTAwMDaP6cVR0uHRIVx1MDAxMTjhwPzKL4/Ao6C4cSRWnFx1MDAxMmuddN6YXHUwMDEzXHUwMDE2SIXyXHUwMDFh0D1cdTAwMTmc2Hh8a1x1MDAxM1C/S0OHOlx1MDAxNtlvufuYgI+NXHUwMDFjXHUwMDA0pOEoXHUwMDAytbfTnZTJVUS0XHUwMDA2OqTgeUemXHUwMDE4yuZcdTAwMWJe9NNcdTAwMTJcdTAwMGJcdTAwMTOXKb1iXHUwMDBidFx1MDAxZfg4QVx1MDAwZZ+zhlx1MDAwM/Uvk4SO0qvUXHUwMDEwflx1MDAxMOBcclx1MDAxYTE1XHUwMDA2njJ7Jr2JWGRMIFxy+vSG/XYuVXxMXHUwMDAxwubgsEa5QVx1MDAxNcJPS55Jr/GUXG6PXHUwMDFjXVx1MDAwYktJZehgoHNcdTAwMTF1r4VE91pcdTAwMDBQjW5cdTAwMGJSXGYjXGJCgfXUQZRcdTAwMWNcdTAwMTagXCKLSvq3XHUwMDFlXHUwMDAxSZumXHUwMDBlnVx1MDAwM2eWiYVcdPDYnFx1MDAxZFx1MDAxZZWmQzbGfPBcYiz5rFpyaTXY6Vxuqv9cdTAwMWY4q05ep/SKrdCFwsdcdTAwMDJcdTAwMGZQnWnq+0llkFx1MDAwNPA4QJJ6XHUwMDA0TflcdTAwMTPMOWAyLtWy5V1nTXgsUOdcIsElXG4rZ5XQ6Hp6XHUwMDEwXHUwMDEyOVx0NKp22rFcdTAwMTCOfdpcdTAwMDbk8Wqxt9a/OXh8bK9udpr1o+O7XHUwMDFmXHUwMDFl95pcdTAwMDIno/horVx1MDAxOaRRSi2cs5ZFz2VcbkpcdTAwMDcojY0xwFx1MDAwNPFTXFw+XHUwMDBlMeFcdTAwMWRcdTAwMGXxOlx1MDAwMTrszmiKmFx1MDAwZnt6SziMwGErXHUwMDA3b1pcdTAwMDLnypuMlJxljVx1MDAwZZFCoSTzxsKBVpyqlVuuWFx1MDAxOPl2bDHmiXyjxpzwyUQgQJ+lWLqrXVxcPPf4Tql9qGvHXHUwMDBm1ct6/XwvbulcdElIdHSHMlpcdTAwMTGwXHKa+UUj91xu0lx1MDAwNbTNwLVFh96g0zh0Jz+8I/qXamnRzmr6ielISDtGa8Z9XHUwMDA3XHI2fvzw3umCXHUwMDE52l9Sc0wp7t7D9mrr/ual+9biz/Cyf/tmf2ZNXHUwMDFhejhjb5fXd/Kxe31cdTAwMDXdzmG59yz2or9lhqpu6HCFKvfOlDTkv8uYYcaThjjTmjo2XHUwMDE5jVx1MDAwZZmF0SPAgjCBorM/LZhKssm8e6J/KVt8mCBvXGIkQZ+I78N8XHUwMDFmVORPZFxc4Cg2KVQ0b/dj0lx1MDAxNTxcXJD/N7qij+G7T+yK3ny5uP9x/Kb6W53aVkWoXHUwMDA312BcdTAwMTMwMWqwwHFLXHI6hTZypGVyJiZmKlx1MDAxOFx1MDAxY6Zy51xmMyy0KIdUzFx1MDAwM0VcdTAwMWLDaCbKTlx1MDAxNlx1MDAxNfWlMKAzM1x1MDAxZjurOZ3f+MrDXHUwMDFikVjig1x1MDAwYsHBSj7PsrDFta683tFcdTAwMWKl4mvhzlx1MDAxYzrZub/bzErIzTI/+1HeYK2d54f1t1tY2T2unedFyHl2evPfZVx1MDAxNkKWTFx1MDAwNrRcdTAwMDVPXHUwMDEx9JZcdTAwMWHhjlx1MDAxMLJcdTAwMGLQmozC6TZqUIg1ZpqGXHUwMDA1XHUwMDFhXHUwMDE1sqSuySxid0s+XHUwMDFla4vdXHT4WDig0trx7HuSuibR6pDDUSODyJuOZ+/3dtipP+E1XHUwMDE3plxux1x1MDAxOJZcdTAwMWLl39/D/4jyXHUwMDFiff7yeLd2ZS5vNk7Wr556q939rXrcnr1F2DlcdTAwMTXPXHUwMDEwjjqYXHUwMDEzSrORY1JcdTAwMGKB1lYxyai6XHUwMDA281VfXVx1MDAxNmHPz8D7M+97oS5i0WCQ0L5Xcl9zoFx1MDAxZGZ8TWX203FtXVVbrmMrj/K4fHNfu+o03crBXHUwMDFjnN+P4vDU65ZLW09rt1x1MDAxZNN+u4ZyX69cdTAwMTZXtlu5VfjQjvNQ9NdM2sA/K1m0gZBcIkBPXHUwMDFjXHUwMDFjXHUwMDBlXHUwMDA3XTqI5npRN1x1MDAxNodi3UltXHUwMDExJjyNYJfNWL5NXHUwMDBmXHUwMDFjT9mVgcXZQe3m21x1MDAxZIOUZk2I2mBZ7n1gJ167MV2wIL1YxpDwXHUwMDFjerGkY2JaLFx1MDAwMOXuXHUwMDA1Slxi0E5cdTAwMGInzIjLjVx1MDAxZbfjgpJcdEhcYijjMV6tXHUwMDAyi2ZPXHUwMDA1mUVE6FxyVb1cboBL/GHGSGKy5dlXgik/z6xcdTAwMDFcZmfKXCKK+rLWZTw+YJilqchcdTAwMWPDZbw+28bzzUJKWKP0iq3O4cVi/JtbXHUwMDE4QPpcdTAwMGXet3BIXHUwMDEySmj0mVx1MDAwNVNcdTAwMTJFttLKc+KO6Fx1MDAwMMJpSSnkjLbPYssjU1x1MDAxY0A6jkVcdTAwMDalmUBXXuEjQz63nox1XHUwMDFkWFx0IIVV+Fx1MDAwN/Hl08Kk0mVdKjRKKVx1MDAwM8ap0SwzIMK1yVx1MDAwNq1lKFx1MDAwYlx0rc1QaX+rwZPDjkuL40NyVL5dWIRYXHUwMDBmNorAMEp2omlmxi5LeiRg40tcdTAwMWVpSHSi5ITvnELq5ChSg06yXHUwMDA1m3szOlxcUdZ+PjhcdTAwMTZcdTAwMTKXKb1iXHUwMDBidFx1MDAxZfCYvsHyLVx1MDAxYZGkNLdMglSAt8DjXHUwMDAx7S7AYSvq+OwkXHUwMDEzeC9cdTAwMWaMjoMoKUcjYkZQLVx1MDAxOE/qqEU9p1x1MDAwNIpuh18kWvoseFxc4zXVu9m5rZX2n1x1MDAwYndqTVV2Nj1B9klcdTAwMDc2tIXEXGal6dNLsGjoXHUwMDA0Plx1MDAwMNSWXHUwMDA2SUmDokVcdTAwMWZDyCz1W+VErt9XKu74mlx1MDAxNVx1MDAxM1x1MDAxM1x1MDAwZmiUQ7lIkeNcdTAwMWVI9ITbXHUwMDBmXHUwMDEzM9FcdTAwMWTgxvA5XHUwMDFl0HRuXHUwMDFlbmo9rXtQqbV75fqu3vnrbFx1MDAwZZswqddtdW6P1tdvi2J/ZW1j4+LstN3ZW8jNXHUwMDFk/9OL2blnc1x1MDAwN+c6oCg2KTgoXHUwMDE00VFcdTAwMTUkuVx1MDAxOGfiXHUwMDE54jCW9VuTTPzNb+Le3Vx1MDAxZGVcZjrx3sNWLVx1MDAxM8MwSMFLx1XuQeAzb+8sXFzcxVx1MDAxOLJcdTAwMWPd6PnQSIt0REv1a1x1MDAwNGk6SVx1MDAxOdKC2uq4qEVcdTAwMGJcdIFE/VwitMFZdOCJb0a3SFFPXHUwMDA2KfBcdTAwMGZcdTAwMGKHYVxmYyzwV1xiRZ230EnkXHUwMDE2lqVn/Fx1MDAwNn7D2MyOXHLNlKJq6j6/Jlx1MDAwZVx1MDAwN8PWmnZQelxyPmRj9/Pb7iWuUnrF1ufwajFizs2tmWCDhXEqJcqpcppcdTAwMWM0yfakx8mAg7VcdTAwMDL5UFx1MDAxYXTfpi3kmo5q0VFRtyv0VpyxgKJcdTAwMTE8g1xuqFx1MDAwMyRwxbSmfrru81xuc+mDQv+wwvjT4S5s37T2jtmuXHUwMDA3IKc5XHUwMDFh11x1MDAwZb1cdTAwMTZFVd3Q7GS47cnyaPzXu/lCpJ1974emQYP2V6CJNyxcdTAwMWRGhluHUzTHLlx1MDAxNf1aYaXc+rF7d3G1USy+XHUwMDFl/WDtgsnqjmxtNE51XHUwMDBizruwc2Fu4bKxtdaHXHUwMDFj3Jy7o73mXHUwMDFhXHUwMDE0e4+F8+K26+5tiVx1MDAwN8ij7flx/6Bw8dA/qlx1MDAxZlxcV4v8ufyj83qWx1n+02NR72ydi6fDt5PH4+5qb2VXXHUwMDE0c3XLJqG3NJDyznZcdTAwMTa3TFxmXG5KM/TDpVCIydFcdTAwMTIwRlElfkp75MpR7mNcZqGURlxic462xSChN9byzD1cdTAwMTGRXFx2t0xS5cyEXWfOIPHYnZq6KqFDNd4+XZ79ccxWNlbWXHUwMDE3wVx1MDAxZlx1MDAxYkPxo/5YdNj5uGFcdTAwMTdHP19WTyrNvZ09WTenK2+XXHUwMDA3XHUwMDE3R/moXGagxjeWo/kqiomxNn72vpRcdTAwMTl5XHUwMDFh9crsMkNryk5cdTAwMDBvlWQhkjPxOVx1MDAwMja95qczbvtcdTAwMTfVx42dXs2dVPnZfef89qHfz8qvvduaerp96j/Iyvol7G3p01x1MDAwN3OSXHUwMDA3b1x1MDAxN7s3j1x1MDAxNX1Ve15t2NNS7Vjzs6dcdTAwMWOu+/HbtDnpXHUwMDAx/6xk0lx1MDAwM1JcdTAwMDRcdTAwMGVQXHUwMDBmgECwgJGzaoq9xzeNRrGrVHi4oVx1MDAxODxmUFx1MDAwZlBRXGKg/YSlXHUwMDFlmFx1MDAwMDpWs+tcdTAwMDFrXHUwMDE5KMGNL0QnremOoVx1MDAwMtwsXHUwMDFjoLUocmBnfXNcdTAwMTHUwFx1MDAxOCqOheGFR52PXHUwMDE4qL22NvZ37q6vzUXxaH3z5mp9f9MjXHUwMDA2XHUwMDEys9+MXHUwMDBlXHUwMDA2MXhgQDkwUVx1MDAxYl42w/xgXHUwMDFiXpv5NJVzXHUwMDBljirS+7skyOTzVOksXHUwMDA1XHUwMDExyTluNKzfXHUwMDFj1DePN9/+Ot86aEjY+Fnr7Vx1MDAxZn+2XHUwMDAwmGFcdTAwMDMjXHUwMDBiUVtcdTAwMDU5Zbb7n14morYuYFx1MDAwZVx1MDAwNDVcdTAwMTFDTFx1MDAxN6NWvuxq/aFWvp6dqbliylxujo6Z15xD9DZK1aCslPh37lQ94Vx1MDAwMo5T9WK2tVx1MDAxZUOc829rXWe3a/aqzl7M2Wvxr4JcdTAwMTb9x/ZjdiZnyqFcdTAwMTjX1N/IScZtNFl2yeRcdTAwMWZs41x1MDAxYjMzuWCMzr5cdTAwMTOYPOXAgJtBXHUwMDEzQyvmXHUwMDE4XHUwMDE51dPtk+L5+fHhc6tx0Kndl2+2Ooef7XLPcGQwXyb3P70sTM6ofr8xjithreMmXHUwMDFh/LjsbP3BVr6ZncmFXHUwMDEwRMlcdHvwNrlcdTAwMTBcdTAwMDWXylwihE9cdTAwMTfnOG5cdTAwMDHLXHRcdTAwMTZwjMlcdTAwMTertfVcdTAwMTi+nF9r63THJD0sXG6FuVVKM1BAVTXjva2Npia2XHUwMDFhnXOm4uZMtWtIj1v047mU3LODRmXiLDdKUWH4SLLdckMtatzFrFx1MDAxNJ6yXHUwMDE3L1x1MDAxOIBcdFx1MDAwNzaGjN7q5IM3MFZb7mT+XHUwMDA3b9PK93y7ziStU3rFVujwajFazq9jYerO3bdod2tDJWqtNuhhactCXHUwMDE1z39HIEFA4UnWXHUwMDE5KYTS3FN/NlNUVLpLXHUwMDEyXHUwMDE5XHUwMDEz0JY78reSTHBw8TY4PKCCpEjyyujBXHUwMDFl+6f1VEhXe+nwyCFgXHUwMDEyV46WTlx1MDAxODW6byGoXHUwMDAyppBGaVx1MDAwMdKEXHUwMDEyQd7zhF0gXHUwMDE1tS+j7rsmXHUwMDE0VTpER1x1MDAxM1gn0WpcdTAwMDUqKlxu2luiY1x1MDAwMjr+mFx1MDAxOVx1MDAxZFx1MDAxMY+oXHUwMDFjQ7w6XHUwMDFmjVC5ZHCkbni40M3iKKJ8k+GSlim9Ylx1MDAwYnShwHHQ3ppTMCuluyFcdTAwMWOxUFwi33vLQro1RXtcdTAwMGJcdTAwMGVcdTAwMTFcdTAwMWXNeTp0TNd70UFcdG1cdTAwMTV6xLRcdTAwMTViqZFiXHUwMDFjXHUwMDFlP1x1MDAwYlxy03eb03ODXHUwMDAxfTfqJE5w6JhcdTAwMTjt3Tq2vbVAmtIwqJlmNUjw7fDYXHUwMDAwkDHQs3S44lgo82aJh1E83JpdLVJJO5xVPyDatFx1MDAxZYWoSEiK5Fx1MDAxZkW/XHUwMDEwarGQvFLpXHUwMDE1W6PzgMTM2izW4drg/39cXIfr9Hi0qI6dsMM1c/G05TmhZPpOXnpxXHUwMDE5gEBawLWM3lx1MDAwNnVLXHUwMDE4Qcloh2uPZlRcdTAwMDG1T7OcUzJcdTAwMDHTvj4zVHpKOe2MoWRWWIrGJJDcnlx1MDAxOSSRvVH+sVx1MDAwNIw0iaLROmpfXCJy762wIJoxcZXSK7Y+51x1MDAwMZCZ5dlol2tcdTAwMTdcdTAwMDfHnLpcXGfGxliXa6HikjHa5dp4ajrMq8lMalx1MDAwNkM6OFKpao1cdTAwMGJcdTAwMDPFXHUwMDAzVZGJYKNBX4Nzrpi02lxipuNcdTAwMDF7Wlx1MDAwNlx1MDAxNj1xwliOXHUwMDA04qlzzahyh1x1MDAxMU5Rq1x1MDAxYYs8uCwuk4SNOzlsNzr0cnBcdTAwMWG9J4YuOfaXqqtpXHUwMDBlU1x1MDAxNuBcXPw0zKR1Sq9CfInOXHUwMDAzXHUwMDFlq2v3t+XixUm/8lxcWHvt11dcdTAwMGY6hZskLJKUKu2cNTi5XG6sp5hcdTAwMGJn1IxcdTAwMDJnXHUwMDFmzZR6XHUwMDBmXGJcdTAwMTNbJHnLRyRcdTAwMTmgkl98UCxfeFx1MDAxMjFRPlxuYaiBOlx1MDAxN5pq5X9cdTAwMTZCpudijUlU54FC6kE2cFx1MDAwMvX70IZ+XHUwMDE1KLZcdTAwMDGVnKGtbNpcco5nYUraXHUwMDEwMVx1MDAxY5RF61xuN7tcckVKuYBcdI2XQFx1MDAwZWHUXHUwMDBlaXkkk4SRu7NjJDdcbmeD+05k0HlM1I+4jFx1MDAxMT5Y7l2uXHUwMDE3XHUwMDAzIFx1MDAwYonLlF7xXHUwMDA1Olx1MDAwZoScSK1RXHUwMDA3ayNcdTAwMDQls6F7XHUwMDFkqi/7LZSqXHUwMDBljs6bjJOAUlPHl0gmhNw5hsvjlSv2sPvcab50T8RZ3Z4nXHLLXHUwMDAxpz1cXK5cdTAwMTQocCaubCHAz6nzrKH+s1LFYXtOXHUwMDEwmZ6eMraWh1x1MDAxM9I6hlrRaFx1MDAxOCnfXG4yXHUwMDEw3DpnXHUwMDE0cFxi5eu/Q6SgXHUwMDA0NC6RgpGipVx1MDAwNuY7l0F+w4dpmESCk0rLZTGPJIzcm1x1MDAxZCOVXHUwMDE45OmBL1VcdTAwMWTi6vK9jLviZFvi31x1MDAxNCST1ym94it0XHUwMDFlIDlJ4VxmjlrtV39JIymEJI5GyFx1MDAwMpKRYKNChdyCnPJoZoLDdEZcdTAwMTW7hEXu0W5cdTAwMDCBPuBmXHUwMDAyNZZcdTAwMDUnNSp1+DSMTNfs41wicp3SyEBK2UE/uXBox8DZXHUwMDE2XHUwMDA2YVJbo1x1MDAxMCc9Ja5Re1x1MDAwNEAnakjRzvr7O05cdTAwMTTL85Va19yw/dnDcTlYXG488MXvWZ18NmNcdTAwMWNlRs81r7bSrW/W2lx1MDAxYq3m9fNj8WjvZHvPbe3MoVx1MDAxZUZcZubiSK6ElJN0ok2xRv9dxqwxXHUwMDFlNOuMXHRQxVrFKTpL6lx1MDAxMUOUXCLVXHUwMDEwncWPkVx1MDAwMdBcdTAwMWREn9ZYz6aXWdphklx1MDAxZFx1MDAxZfjt0Fx1MDAxNzBrXHUwMDEw7VFUxtsl02eQnMdcdTAwMGXgXHUwMDE4kyr/0LlJ1+5wKVx1MDAwZZsgUr7IoFx1MDAwM+Jrs1ntderlhcl/XHUwMDE5Q26eho7j7iWfaNp0f2t8dWDjXHUwMDAyyVx1MDAxOTopJDScjTZxdcxcdTAwMDVWWyooJiXjnv5SYKlcdTAwMDcs5zwpXHUwMDA3xqDzY6jGXHJCXG5cdTAwMTUgnsQxqTLUk/yr2P7hzFx1MDAxY4xmj64k90JcdTAwMDK6XHUwMDFkyeXTKT9CaW3nmNvKXHUwMDBmy9u9q73HXHUwMDEzV7nWz8Wb3dXNcvffrniU/y4zkDByr1x1MDAwZejAVkiKaHcju1x1MDAwNuhhXHUwMDA1UlxyKoNcdTAwMDJabtwwXHUwMDFkXHUwMDA0TlHeXG7Xv2wzbplcdTAwMTNloH4tUzzKTsNcdTAwMDPUVOiZ+Vx1MDAwYsrE91xiQmGaIC3j0ynfXHUwMDBmrVx1MDAxNrF47DuG5WJlfT+UcvV28WyzU/nrpfGyXW5sscpt+edLZspcdTAwMTXMXHUwMDA0dCqOMts4a8K9tVx1MDAwN21aXHUwMDAxqNmN0SCUQ6/eaU+9biVcdTAwMDLpjHTSWqFBe9JYJqrI/7U09vHMPDtcYsdQ4OJcckm+U1x1MDAxMH2SxTuU3W7KM5LpSPZp11x1MDAxNZrFo/3+yvbVSeHl5KJxXHUwMDBm15OQIbVcXFKhpMeZyNA/mlxmZEiHjNIxKueqteT4+KMmI91Yk9GKMiNcdTAwMWO1JHdUOknETWaiPM6vZTInXHUwMDEz8CFyocW5sD7bSN5cdTAwMWKnXvAgwnV6cyHDyddvjFxmt1pcdTAwMGb9XndcdTAwMTFIcFxm74yS4OjA8yG/yt69rL45W9s7deXK1d196fp5bVx1MDAwMvJTgaLcXHJcdKCNXHUwMDE4qbpQ0IFBTYvuKNoyt+jNeKhcdTAwMGa/w1BcdTAwMTJcdTAwMGJcdTAwMDXWSeZcdTAwMGKqWnajSTTk09m5XHUwMDBmXHJcXGimvE6mjNdhXHRVXbCCMHqO9LfSuG0/nzTXwFx1MDAxZJuNXu1yZ33v+P7T6M8/miz0x1WAK1x1MDAxZYFVaSs1t9G8vlx1MDAwMlx1MDAxZrVcdTAwMWGP2UhcdTAwMWRo7qy1XHUwMDEyL6Jz6N/7pczmbFx1MDAwMv7T+JCFXHKnXHUwMDAyhfgvWVx1MDAxY1x1MDAwMnpulrPpipJ8MFx1MDAwMVwiazWrlTpeeCF4cFxmXHUwMDA1xXnQO/586PDc/XzdX8FcdTAwMDe922qI2sFJv1x1MDAwNlx1MDAxNTFcdTAwMDFcdTAwMWSm+oKSXHUwMDA1Vlx1MDAxMdQ6hsbrI8N8/cCvtclznlx1MDAwM1x1MDAxN3KUIehSeHtcdTAwMTbIxJolNFdcdTAwMDasniqceDoqvOuvNa8rj1x1MDAxN+vr1b2n7uOK7p1cdTAwMWO9fFx1MDAxYVx1MDAxNfpHk4VcbkFcdTAwMDaAXCJcdTAwMTLpXHUwMDA3lGbGRUPypUo3XHUwMDE4y1x1MDAwMmfQXHUwMDBidE6h1XmLcU/Egl/LYC4mYEEhKZCGgb+cT6JKNMC4RetYPFx1MDAxNjzo91x1MDAxNsVcdTAwMGZcdTAwMWPDOaP8XHUwMDE3XHUwMDFi+cTM97ffwPC99PBw0sMn+1x1MDAwZZO4luqVkafw671e9WH4XHUwMDA0XHUwMDA2b+21K9WNVummMfqUvz/Vq8+rcdP5j9vBi1BqXHUwMDAwI2Q21Vx1MDAwMUT/62//+v+eTvAqIn0=PublicKeyEncapsulatedShared SecretShared SecretEncryptedSymmetricKeySymmetricKeyAEADKEMKDFKey EncryptionKeyBase NonceEncapsulatedShared SecretPrivateKeyKEMShared SecretAEADKDFKey EncryptionKeyBase NonceEncryptedSymmetricKeySymmetricKeyInputsIntermediatesOutputs \ No newline at end of file From e308c445fdce8ff8f7a3dd8988abde28a86a9f62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Thu, 8 May 2025 08:48:58 -0400 Subject: [PATCH 25/44] Remove obsolete mention to SHA-1 --- doc/RecordingControl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 88cec082c..db78ad812 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2227,7 +2227,7 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, EncryptedKeyEntryCount Number of entries containing encryption information required to decrypt the symmetric key. Shall be 1 or more. CertificateThumbprintAlgorithm defines the algorithm used to compute the thumbprint of the certificates. Those values are defined in the Security Baseline specification CertificateThumbprintSize Size of the CertificateThumbprint field. - CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key (Computed using SHA-1). + CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key. EncryptionVersion defines the encryption strategy used to encrypt the symmetric key for this certificate. EncryptionDataSize defines the number of bytes used by the following bytes for this certificate. The next certificates, if any, will start after this number of bytes. EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate according to the encryption version. From 3d534196c7eb8437da3fc384cb9653dced60494c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Thu, 8 May 2025 08:52:44 -0400 Subject: [PATCH 26/44] Describe how the EncapsulatedSharedSecretSize is calculated --- doc/RecordingControl.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index db78ad812..5a07520b8 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2234,6 +2234,7 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, HpkeKem defines the KEM algorithm identifier used to encrypt the key with the current certificate. HpkeHkdf defines the HKDF algorithm identifier used to encrypt the key with the current certificate. HpkeAead defines the AEAD algorithm identifier used to encrypt the key with the current certificate. + EncapsulatedSharedSecretSize is implicitly defined to the Nenc parameter of the HpkeKem algorithm. EncapsulatedSharedSecret is the HPKE shared secret value necessary to decrypt the encrypted key according to RFC 9180. EncryptedKeySize Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate.
From 7de1b7d96c87b9c5d997f36dfc4e8ad7ac69ef45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Wed, 21 May 2025 08:29:03 -0400 Subject: [PATCH 27/44] Clarifications on encryption diagram --- doc/media/RecordingControl/hpkeEncryption.excalidraw.svg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg b/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg index 218dfaae6..f4b59847a 100644 --- a/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg +++ b/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg @@ -1,2 +1,2 @@ -eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO19aXNcIkuS7ff+XHUwMDE1ZTVfm+xYPLY2ezamldK+ldaZMVx1MDAxOVx1MDAwMiS4YpFYtI31f3/uVJXIJCOTXHUwMDA0UohpQdetvlx1MDAxN1AqMiP8nONcdTAwMTG+/O/fvn373nt9qH7/57fv1ZdyqVGvdErP3/9O7z9VO916u4VcdTAwMWaJwX932/1OefDNWq/30P3nP/7RLHXuq72HRqlcXFxynurdfqnR7fUr9XZQbjf/Ue9Vm93/pL/3S83q/3toNyu9TjD8JYVqpd5rd379rmqj2qy2el28+n/hf3/79r+Dv/GTeoV+o+AvNd5dP945dlx1MDAxYsXX/n139WLvbfCjgy/9uYVOtdwrte5cdTAwMWHV4Ucv+L5cdTAwMDJcdTAwMWJY55S01lx1MDAxYaO1ev/0XHUwMDE1Py1IXHUwMDE3XHUwMDE4J1x1MDAxNddWMjCK2eHnz/VKr4bf4UxcdTAwMDVGKm24c4ZcdTAwMTkm+ftXatX6Xa2H3zE8UEYpyVx1MDAxOVNWOXj/xq9cdTAwMTH981x1MDAxYnt/p9vrtO+ra+1cdTAwMDbeP1x1MDAwZfs/xK2rXHUwMDAyXGZcdTAwMDd9Uyrf33Xa/Vbl/Tu9TqnVfSh18Clccr93W280Tnqvg6vj/OCD/T7yO85/34BcdTAwMTh5P+mn8Jfe1VrVLs3E8Fx1MDAxZdtcdTAwMGalcr33OnhcdTAwMTDDu6BcdTAwMTE+bFVcdTAwMDaT9j/DMXVwurdo1lr9RuP97XqrUqW5+F7Skd/Wqvz+bX9mfDid8vc7/1x1MDAxYY69WqVcdTAwMGJcdTAwMGJmQVx1MDAxOCvMcIShxcpg9N39dmuwcK0yUlx1MDAxYSWH81vvruPS61xyrnqLy7c6nFx1MDAwMlx1MDAxYdrG6LJcZi/NyMrrVV+G81x1MDAxMlq4W1VxtFp7eGhcdTAwMTVcdTAwMGWOXHUwMDBmXHUwMDFmXHUwMDBlL69fXp/q39+/96+/+y/764dcdTAwMGaK29s4ZrHaPl0vXHUwMDE1nspitbv7XHUwMDE4/S1/fn+p02k/h677+9+G09J/qJR+3Sc3oLVcdTAwMTCaO+P0++eNeut+dM5cdTAwMWHt8v3w0fwtNOBcdTAwMTHz9N9lzDwjXHUwMDBm6ZdlXHUwMDFhXGKYMNI5x5nhykYtU7hcdTAwMDCNySguhVGgpIlcdTAwMTmmUlx1MDAwMVx1MDAxOOdcdTAwMDCtm3PDrVFxw1RsaYp+UzR+U4x8+7fNces0KOOY8thcdTAwMWOHRJtcdTAwMDPLLOfauGlsLs/lO1xcjbRcbvHuXHUwMDBm+zeNevm/WzvV19A0tlu9k/pbdVx1MDAwMCSRdzdLzXqDnruKXFxppVG/o0fwvYyDrna+h59Dr45k9/6FZr1SXHQzU1x1MDAxOS9aqreqna0sXHUwMDE01+7U7+qtUuNnZPTfXCKDL/V77eNq99fwe51+Nfx4qj/+2Fx1MDAwM1x1MDAwZoRKMeY3XqnUa1x1MDAwNbnd3zuqXHUwMDBi3uk9XHUwMDE3X9qZuVZLjjbrmDVcdTAwMDDAXGZcZk2Wnp1kJuBWXHUwMDAyk8pw7Vx1MDAxMMXjVKtVoFx1MDAxY9K1Y0KC9Fx1MDAxOTSChlLMWC6GXHUwMDFmjrfsKrK25F/Esu3MJGtxXHUwMDEyQduQ4Vx1MDAwZe1daTv67lx1MDAxZntcdTAwMTfMceQsLufHsdWN16urrfZL+/XobG/b7Vx1MDAxY203irdZOXZzne2YduH58bqxd7GyV9l+VeereXGsQYlcdTAwMTJ6XHUwMDEyM3Gs/y4zcCzCdiC11dI4wThYXHUwMDE3tUjuXHUwMDAyUDjNwJ1OsEipXHUwMDAz/IJ1XHUwMDE2KVpYx3TcJCfi2C9liS47x1rLUOooJn0mx2Ji94/J4Y+AdDI0c/lQ7MSrN0axXHUwMDFirXLpodtv0HX/u3VSw/msfDupljvV3lwiUO5cdTAwMTimXHUwMDFipdxMd5NcdTAwMGZcdTAwMDfDlTtfWX1cdTAwMDYn+b7UIPrq+qKRmYOBQWBcdTAwMTmAZs5ILcVQnGXmYIdfXHUwMDExTlxi+vFcYs++W7ychHtRrPGy+FwiXHUwMDE2vzIz93JcdTAwMTTUXHUwMDE2XHJQe8lcdTAwMTdi774jgZZSKFx1MDAwN3YqKJiOfc+bW1x1MDAxYpXTdq/evCzzXnd16/GgtpOVfXfvL1fUX0c/XHUwMDE5lFvn+q0sy83nZjb2Tb1uea+ysvfj/vz8rtU/OWqV33prXHUwMDA393mxusK/XHUwMDE0hO16elb3P71cZqxcdTAwMGWCXHUwMDA1Tik0cI7ELWx0T0tyMdbGM7D6RPr6S9n4anZW52jGXHUwMDE2TdJ5jZnHyH5I69pcbiWk4tNcdTAwMThznus3xutcdTAwMGLH5GP4cpTJP5S7j59Pt9fXXHUwMDE4XHUwMDFjPN5cdTAwMWRv7a7vVWG78TP7XjX6z1xuKVx1MDAxN4xyXHUwMDFjJXt0R8wxXHUwMDE3WG1cdTAwMWTnSkrGhyvq3aqBXHUwMDA1YCwo1PS46rzus116zVx0Vr02O3MrKzWToHzbZMolus2OkJyZOXrN20+7b1svx42L6/3V/bNG9fyxfVTJyq/tPfV0vtk/Xq9vnm+c1o4qvfXCZX5eM0dXNVx1MDAxZn7132VcdTAwMDZ+VUpcdTAwMDRaXHUwMDE54Fx1MDAwMlx1MDAwNFx04Vx1MDAxMTvkkG6Hzlx1MDAwNoI7J8BcdG2Usb7zoqVcdTAwMTkmmeHZXHUwMDA07CqZQ5pEseMxuLBcdTAwMTBcdTAwMWUxOOWkM+gk5e80T7h4Y+SKbmbn9eGXj/nabFZ7nVx1MDAwNdqlXHUwMDFlQ25cdTAwMWWXedy95EO6h8XLo8dD9rLWOj4unGz1+k+HW6+ZSVegv8ukJDlccsiZLOowXHUwMDFiKVx1MDAwM3LGOG2S2eFnQ861geHAOU/ylY1cYnCxKa40XHUwMDAyXHUwMDAyvpZnw1x0lr8xO1x1MDAwMVuSTVxmJ8ODXHUwMDA34Vx1MDAxM6NRtc0tbb2BniNcdTAwMDXvn63qzZ12oXB4t8ebbdW4K7ZlVlxuXiu3z4/3dvePLn6e2JuLrUfeXHUwMDE3XHUwMDA3uVEwJ88wXHUwMDFmXG7232VcdTAwMDZcblx1MDAxNk5cdTAwMDWOM2RhK4xcdTAwMWRccttAS0Wr01x1MDAxNtlVgYxbpVx1MDAwM/SPneOK61+GXHUwMDE5N8vlwXCSXHUwMDFkbmYnYGWtsOhy+Fx1MDAwNK+Jy+A/9oZcdTAwMTNcdTAwMDecgc3buZ145cad24Uj3THkXHUwMDE2824/lGnvrs0rrJvb5trTfulu5/Hx5Gf5R9ycK/VSs92qRC1acVx1MDAxM0hcdTAwMTReTkhcIlMxxFp6etq5gCvBXHUwMDFjKK3Qc1x1MDAxZC6N4b40Mi1oo1x1MDAxNZfacDtcdTAwMTTl7zaNPFx1MDAxY3BEXHUwMDBlLaRBIebM0KoybGFV6X9fxMZ3snKtSOJajVOFz9lr+laz0XfffV1LUXZqnkfEhdVu86Fzsv9YOzsuc16+Lzy83GRl2r9+3Jysts9+bN6VXHUwMDBl1vnJzu66vJHZmDb1uv3u08pheed6/2n9pHvUvDsvr951c7juXGbKIPW6XHUwMDFm6vRrJaTM6ajcP9tcdTAwMTlcdTAwMTSHMjJQjGlnmHBW6Sg+odJcYlBpXHUwMDAwXHR5/NRcZrXkezSaRlx1MDAwMHO0J1x1MDAwZqCk11x1MDAxNZhsS/0r4dFuds0hkeeNtvGDMFx1MDAwMlx1MDAxZZ7o81x1MDAxYpRcdTAwMWKAXGaTt+aYeO3GNMfKxsr6XCIojTHkPqo0osPO6ej7r6tL1jhTW/fnK89sa6Nw8WP3KVx1MDAxN31hZWCd4Y4plFx1MDAwNVx1MDAxMN4xWuqL3/Obpz3vzawvXHUwMDE0k1x1MDAxNlx1MDAxZnH8iIwgQInRd9/1hTCOcaOmXG45nU5fPD7V937+OLxiZ+XNn5vnp2uqyq/nXHUwMDEw5p163Vx1MDAxOULbUq/7oYfrg7heXHUwMDEzRo7pdYB/VrLoXHUwMDAwy1x1MDAwMiNQXHUwMDA3MC04XHUwMDFm2XjgIFx1MDAwMkRcdTAwMTdl+eBsXHUwMDAwRFxcXHUwMDA3IEZQpohVXHUwMDBlb4fD7EfrX1x0N/Yn2HtcdTAwMTBSXHUwMDAzSG9MuozvXHUwMDAwvu/1OSY4XHUwMDAyy1R5IHmu3ZhcdTAwMGXY2dhbXHUwMDA0XHUwMDE5MIaDR2VAZNT5qICd4mO/fv9UuKnAdf/+8HKrflafVlx1MDAwNVxm1/brwDZ5oDnTXHUwMDA2558r43TcfJcyIEdzPphZXHUwMDA2cItcYsok86Z74VxiXHUwMDEzN1x1MDAxYbhSUvNwPO2HXHUwMDBigduD+kqvU3SHN8+FV6XWXHUwMDBmr1sn8NnRcGvlzdfNu+uf4uWp2SnvbJbOL3fPcrju7nal89QtXHUwMDFjlF96xbXn8tnBpqrUclx1MDAxNVx1MDAwMjZcZlx1MDAxZdNcdTAwMGJcdTAwMDH/rGRcdTAwMTJcdTAwMDI8YEBcdTAwMWJcdTAwMDJcdTAwMGVcdTAwMWR6K4dYMYBcdTAwMTLt0KOQTEtcdTAwMDWapIJPXGIw49DpkFxcXHUwMDAy4slSXGJMgFx1MDAxY4fZhYDgzEpcdTAwMTmOdlx1MDAxYVwihNPJIXZMXG6OwJJ7iN3EizeuXHUwMDA01jdcdTAwMTdBXHSM4eGYXHUwMDEyXGKPOlx1MDAxZiWQ7lx1MDAxZI1cdTAwMDBMxHg1g4Ah/zOHP26Zi1x1MDAxYa80SOBGKLw2s8w6TyxdIHF9gFx1MDAxNuiGSuNccqWTLtDCWvzYXHUwMDFhrqSa5GD/S9ny0ewqgKGkk9xcdTAwMTPSM7D/ZFx1MDAxYlx1MDAwN1x1MDAwMVxi3GY6XHUwMDE18CFq/6FdXHUwMDFmXHUwMDE1XHUwMDE5w3/7NlxcMoP/eP/3//m799uJq5ResfU5vFqMgVx1MDAxYqVub63dbNZ7eJuHNMRcdTAwMTjY9kqd3ipOar11XHUwMDE3nbzf9Vx1MDAxYrJkslx1MDAwZYCr3KfbL7CAMWGU0lx1MDAxNsmTnGXOROh7d6VcdTAwMDfC74BcImtcdTAwMThF4IBcdTAwMTL4/7FcdTAwMTVSbVXGjyrdp1x0jVxuXHUwMDA3ZShqXHUwMDAwXGZHUreccVx1MDAxZFx1MDAxYlx1MDAxM1x1MDAxN5TkSlnnRlxudCFcdTAwMDTEly09rFx1MDAxNUKlWrVcdTAwMTSzXGZcdTAwMWNy+LNR+Ko2btrPmaRNumZMg0ewXHUwMDEwXHUwMDAwrmJtXHUwMDE5p1xix6ibJFx1MDAwMVx1MDAwMpxcdTAwMTdAR1x1MDAwN7/gZNxLMiZQTCh0pK1BXHTEh9g3jDRGjCVmRlx1MDAwNW85nVx1MDAxNC7h0Vx1MDAwZo+ns8MjilD0R8NZgEN41JBcYo84f5YrnXdcdTAwMTjk9Fx1MDAwMihXcExcXKP0iq3OeYBjeqZCXHUwMDA0hvApXHUwMDFh7lx1MDAwNiNUwIa7XHUwMDEw7yhkXHUwMDAzfMaUbC1cdTAwMTS6XHUwMDE48H5cdTAwMDNcdTAwMTNcImO6xotcIqNmXGKHhlx1MDAxNLNVwofWXHUwMDFjXHUwMDAyXHL4kqi+NOlr9VnIeHH26KR6bl/WXHUwMDFlr273j1x1MDAxYlx1MDAwN+qgfZ45JFRcdTAwMGJcdTAwMTdcYk6P1lx1MDAxODozjMZ/KydcdTAwMDOLi5xiffHZM99R0vhcdTAwMTRKPUn82ZdKr7rMioeJcaCgLbrsXFz59oxcdTAwMWNPLFeCREc6Y7qw8PfRTbRl1Os+1Vx1MDAwYnataX4+dU7NeuvK2s3MiVx1MDAxOFx1MDAxZrW1M0PMS1xmOz1cdGiOy5y2dvxPL2blvrJcYqjhuNXSUaK0MKNcdTAwMDZux1x1MDAxOTjIQFGsoWLcJVx1MDAwNHtMXHUwMDE0YPqlXGb8KvveXHUwMDBl/jZkQWu8pmxdYoQp0lx1MDAxMzjFhcw/f3LC5TtcXI1/tkmqr99+p0bggFx1MDAxNybOdFxmY8Y2e1wid/FcdTAwMTGliFx1MDAxYYfl83p5t3p++rb7Y7W9t6Z7273MXHUwMDE0XHUwMDFlK4NcdTAwMTBN61hy+Mea+M3MXHUwMDFjzlx1MDAwNSitKaPKZ/kp27pcdTAwMTZdd/KG5lx1MDAxOFx1MDAwMdI8LVx1MDAxNvVK/2fr+vr04nll8/n8rbY1h4OU1OvOXHUwMDEwYZqFxbVcYsX3z8Ti/qeXgcWBcrOkcsjmXHUwMDFhWZhFi1x1MDAxYqFxXHUwMDA3Mt3EuVxiJKc0XHUwMDExg1x1MDAxZZRcdTAwMDXpOetdVkFIMvHyXHUwMDA0LC6dou0057flxDNcXMFcdTAwMTBcdTAwMDSMwFx1MDAxOcqdxSdcXL4xXHUwMDE2Xy11q99+jXNcdTAwMDHIe1xmV46St2/w+ZB2ukuSemAj0edmg41sJ5F1o1x1MDAwNzZKUPg1XHUwMDAzTiFVtDVcdTAwMWIzZmtcdTAwMDLNXHUwMDE0Qlx1MDAwMiVcdTAwMTZJYTw7klx1MDAxYVx1MDAwMmeBXHUwMDBia1x1MDAxNf69XGbbSDTtSlb2TtyRXHUwMDA0gYKJXHUwMDFi75ksXHUwMDBmXHUwMDA31cSis6xFqFb8Q0qGfv6eZOIqpVdsfVx1MDAwZa9cdTAwMTZj5Nz2JCfYXHUwMDAwXHUwMDE0YJlzmnbFqMxFfP9PXHUwMDA1RqPxatpUppuIi7tMe5LprkhkSFx1MDAwMIKxQclRXFxxIF1sSDJwILnGodNcdTAwMDPFf+L7pPM6rEnVeWnQiNxcdTAwMTlQOVWg9Fx1MDAxNOt49LBGXHRFn1qG/0hcdTAwMWJcdTAwMGWYfj+sYYFC2JSAT4lxXHUwMDE5qqQ8hEZcdTAwMWIwgy/HlDJMhdB3XHSNXHUwMDExaKzOXGaNXHUwMDFjwcjhqvU6No4nQ6NBjWtcInEu/1bQWEhcXKb0ii3QhcJGOsxcdTAwMDY6Y+KWylx1MDAxZTNlh1x0Ju9QZFx1MDAwMie1spKA39Kx03TomK71ooNcdTAwMTJcYlx1MDAxN05LUFZYppnwXHUwMDFjZn9cdTAwMTZcdTAwMWOmbzKnKkVcdTAwMDf4tC3l9kvDcflG3T5cdTAwMDVcdTAwMDHyKlxuRdrclVx1MDAxZaVcYlxul1x1MDAxMlwiplBWK4fM4IFDXHUwMDE34IVcdTAwMTmlI3Oc1JDvuITDXGJcdTAwMWPezlx1MDAwZYco5lx1MDAxObVz8OXzUfH4RDzEaXFcdTAwMWG1ZO7H11pwNlVcdTAwMTWBfPEwcZ3SK7ZC54GHmYXZILhcdTAwMDfxmlx1MDAxYVx1MDAwNzDLXHUwMDFkIFx1MDAwNklcdTAwMGb4XHUwMDA0XHUwMDEyp17jXHUwMDFmxoWhWNrpIDE9czGqYVx1MDAxObegXGb+oZLXXHUwMDEwR2muXHUwMDExNSkoiTOjUadcdTAwMWLPyp1cdTAwMGZCpm/gpUf3uFx1MDAwMG9Oa5RcdTAwMGLoa2hcdTAwMTctxK9cdTAwMTVcbnVcdTAwMTQhyEbKUCpTXGZcIjVyXHUwMDE1XG5mRXU6JHNcdTAwMWVf2lxmtt5oU1x1MDAwNylmsoY3X1xuIO9yiH1Uglnlj29GmkssXGLsjLbo8qjc9Vwi5cVcclx1MDAxZsxn4WPSXHUwMDFhpdfo6pxcdTAwMDc4ZtZlJMvQ/ZfoqqFIYcyGhv7uSFx1MDAwYtKRKFx1MDAxM1x1MDAwN3mGLFx1MDAxZWGYLy5cdTAwMTJeXHUwMDFiQJi2lioucaRcdTAwMTVcdTAwMTNcdTAwMWKUpVxyXHUwMDAwxHRuKChJXHUwMDBi91nAmF7jXCJcdTAwMTVcdTAwMThcdTAwMDVcdTAwMDTWUsFA9HkgUlx0d1DkXHUwMDAxXVx1MDAxMKuRj3BhcXxcbnFgtDaQXHUwMDE2TVx1MDAwMJ9cdTAwMDN1XHUwMDA08yGjXGYod4zizp11yIIhfbLExlxiNtZzwEa0IyuZ8GIjumSJ4tGKgbKC3Fx1MDAwM8NcdTAwMTdcdTAwMDNcdTAwMWNcdTAwMTPXKb1cbvElOlx1MDAwZoBMr2RcdTAwMTVcdTAwMDFI5jRwho6eVihcbqUn1NBcdTAwMDacg1x1MDAxMsowrlx1MDAxNDj18cpcdTAwMTGVKvpcdTAwMWGO4kmVoXOpuHREZKeKdMzIgfQ1Or5u54OQ6dV60vNmWKBcdTAwMTjn1EhcdTAwMDBixzBcdTAwMTaVo1ZcdTAwMTI5XHUwMDE1YdJoj3JcdTAwMTSBXHUwMDE0UlxugcRcZjh/0npcdTAwMTBcdTAwMTJcdTAwMWRcdTAwMWJHTVx1MDAxN4Frcv5ClVxcllx1MDAwMFx1MDAxOVx1MDAwMci/Zlx1MDAwN0ipkKuRyrzVcpIr9OHMoFdJ7Vx1MDAwNf498TF5mdIrtkDnXHUwMDAxj5NAkWSUc0ph7Vx1MDAwMjGQQVxcQXJcdTAwMTdYfOSo/mnHXHUwMDE4gX46fEwv+Vx1MDAxYlx1MDAxZJSR6Heit09cdTAwMDXsnTSeMUGAWl1cdTAwMWJrlJaIoZ9cdTAwMDaP6cVR0uHRIVx1MDAxMTjhwPzKL4/Ao6C4cSRWnFx1MDAxMmuddN6YXHUwMDEzXHUwMDE2SIXyXHUwMDFh0D1cdTAwMTmc2Hh8a1x1MDAxM1C/S0OHOlx1MDAxNtlvufuYgI+NXHUwMDFjXHUwMDA0pOEoXHUwMDAytbfTnZTJVUS0XHUwMDA2OqTgeUemXHUwMDE4yuZcdTAwMWJe9NNcdTAwMTJcdTAwMGJcdTAwMTOXKb1iXHUwMDBidFx1MDAxZfg4QVx1MDAwZZ+zhlx1MDAwM/Uvk4SO0qvUXHUwMDEwflx1MDAxMOBcclx1MDAxYTE1XHUwMDA2njJ7Jr2JWGRMIFxy+vSG/XYuVXxMXHUwMDAxwubgsEa5QVx1MDAxNcJPS55Jr/GUXG6PXHUwMDFjXVx1MDAwYktJZehgoHNcdTAwMTF1r4VE91pcdTAwMDBQjW5cdTAwMGJSXGYjXGJCgfXUQZRcdTAwMWNcdTAwMTagXCKLSvq3XHUwMDFlXHUwMDAxSZumXHUwMDBlnVx1MDAwM2eWiYVcdPDYnFx1MDAxZFx1MDAxZZWmQzbGfPBcYiz5rFpyaTXY6Vxuqv9cdTAwMWY4q05ep/SKrdCFwsdcdTAwMDJcdTAwMGZQnWnq+0llkFx1MDAwNPA4QJJ6XHUwMDA0TflcdTAwMTPMOWAyLtWy5V1nTXgsUOdcIsElXG4rZ5XQ6Hp6XHUwMDEwXHUwMDEyOVx0NKp22rFcdTAwMTCOfdpcdTAwMDbk8Wqxt9a/OXh8bK9udpr1o+O7XHUwMDFmXHUwMDFl95pcdTAwMDIno/horVx1MDAxOaRRSi2cs5ZFz2VcbkpcdTAwMDcojY0xwFx1MDAwNPFTXFw+XHUwMDBlMeFcdTAwMWRcdTAwMGXxOlx1MDAwMTrszmiKmFx1MDAwZnt6SziMwGErXHUwMDA3b1pcdTAwMDLnypuMlJxljVx1MDAwZZFCoSTzxsKBVpyqlVuuWFx1MDAxOPl2bDHmiXyjxpzwyUQgQJ+lWLqrXVxcPPf4Tql9qGvHXHUwMDBm1ct6/XwvbulcdElIdHSHMlpcdTAwMTGwXHKa+UUj91xu0lx1MDAwNbTNwLVFh96g0zh0Jz+8I/qXamnRzmr6ielISDtGa8Z9XHUwMDA3XHI2fvzw3umCXHUwMDE52l9Sc0wp7t7D9mrr/ual+9biz/Cyf/tmf2ZNXHUwMDFhejhjb5fXd/Kxe31cdTAwMDXdzmG59yz2or9lhqpu6HCFKvfOlDTkv8uYYcaThjjTmjo2XHUwMDE5jVx1MDAwZZmF0SPAgjCBorM/LZhKssm8e6J/KVt8mCBvXGIkQZ+I78N8XHUwMDFmVORPZFxc4Cg2KVQ0b/dj0lx1MDAxNTxcXJD/N7qij+G7T+yK3ny5uP9x/Kb6W53aVkWoXHUwMDA312BcdTAwMTMwMWqwwHFLXHI6hTZypGVyJiZmKlx1MDAxOFx1MDAxY6Zy51xmMyy0KIdUzFx1MDAwM0VcdTAwMWLDaCbKTlx1MDAxNlx1MDAxNfWlMKAzM1x1MDAxZjurOZ3f+MrDXHUwMDFikVjig1x1MDAwYsHBSj7PsrDFta683tFcdTAwMWKl4mvhzlx1MDAxYzrZub/bzErIzTI/+1HeYK2d54f1t1tY2T2unedFyHl2evPfZVx1MDAxNkKWTFx1MDAwNrRcdTAwMDVPXHUwMDEx9JZcdTAwMWHhjlx1MDAxMLJcdTAwMGLQmozC6TZqUIg1ZpqGXHUwMDA1XHUwMDFhXHUwMDE1sqSuySxid0s+XHUwMDFla4vdXHT4WDig0trx7HuSuibR6pDDUSODyJuOZ+/3dtipP+E1XHUwMDE3plxux1x1MDAxOJZcdTAwMWLl39/D/4jyXHUwMDFiff7yeLd2ZS5vNk7Wr556q939rXrcnr1F2DlcdTAwMTXPXHUwMDEwjjqYXHUwMDEzSrORY1JcdTAwMGKB1lYxyai6XHUwMDA281VfXVx1MDAxNmHPz8D7M+97oS5i0WCQ0L5Xcl9zoFx1MDAxZGZ8TWX203FtXVVbrmMrj/K4fHNfu+o03crBXHUwMDFjnN+P4vDU65ZLW09rt1x1MDAxZNN+u4ZyX69cdTAwMTZXtlu5VfjQjvNQ9NdM2sA/K1m0gZBcIkBPXHUwMDFjXHUwMDFjXHUwMDBlXHUwMDA3XTqI5npRN1x1MDAxNodi3UltXHUwMDExJjyNYJfNWL5NXHUwMDBmXHUwMDFjT9mVgcXZQe3m21x1MDAxZIOUZk2I2mBZ7n1gJ167MV2wIL1YxpDwXHUwMDFjerGkY2JaLFx1MDAwMOXuXHUwMDA1Slxi0E5cdTAwMGInzIjLjVx1MDAxZbfjgpJcdEhcYijjMV6tXHUwMDAyi2ZPXHUwMDA1mUVE6FxyVb1cboBL/GHGSGKy5dlXgik/z6xcdTAwMDFcZmfKXCKK+rLWZTw+YJilqchcdTAwMWPDZbw+28bzzUJKWKP0iq3O4cVi/JtbXHUwMDE4QPpcdTAwMGXet3BIXHUwMDEySmj0mVx1MDAwNVNcdTAwMTJFttLKc+KO6Fx1MDAwMMJpSSnkjLbPYssjU1x1MDAxY0A6jkVcdTAwMDalmUBXXuEjQz63nox1XHUwMDFkWFx0IIVV+Fx1MDAwN/Hl08Kk0mVdKjRKKVx1MDAwM8ap0SwzIMK1yVx1MDAwNq1lKFx1MDAwYlx0rc1QaX+rwZPDjkuL40NyVL5dWIRYXHUwMDBmNorAMEp2omlmxi5LeiRg40tcdTAwMWVpSHSi5ITvnELq5ChSg06yXHUwMDA1m3szOlxcUdZ+PjhcdTAwMTZcdTAwMTKXKb1iXHUwMDBidFx1MDAxZfCYvsHyLVx1MDAxYZGkNLdMglSAt8DjXHUwMDAx7S7AYSvq+OwkXHUwMDEzeC9cdTAwMWaMjoMoKUcjYkZQLVx1MDAxOE/qqEU9p1x1MDAwNIpuh18kWvoseFxc4zXVu9m5rZX2n1x1MDAwYndqTVV2Nj1B9klcdTAwMDc2tIXEXGal6dNLsGjoXHUwMDA0Plx1MDAwMNSWXHUwMDA2SUmDokVcdTAwMWZDyCz1W+VErt9XKu74mlx1MDAxNVx1MDAxM1x1MDAxM1x1MDAwZmiUQ7lIkeNcdTAwMWVI9ITbXHUwMDBmXHUwMDEzM9FcdTAwMWTgxvA5XHUwMDFl0HRuXHUwMDFlbmo9rXtQqbV75fqu3vnrbFx1MDAwZZswqddtdW6P1tdvi2J/ZW1j4+LstN3ZW8jNXHUwMDFk/9OL2blnc1x1MDAwN+c6oCg2KTgoXHUwMDE00VFcdTAwMTUkuVx1MDAxOGfiXHUwMDE54jCW9VuTTPzNb+Le3Vx1MDAxZGVcZjrx3sNWLVx1MDAxM8MwSMFLx1XuQeAzb+8sXFzcxVx1MDAxOLJcdTAwMWPd6PnQSIt0REv1a1x1MDAwNGk6SVx1MDAxOdKC2uq4qEVcdTAwMGJcdIFE/VwitMFZdOCJb0a3SFFPXHUwMDA2KfBcdTAwMGZcdTAwMGKHYVxmYyzwV1xiRZ230EnkXHUwMDE2lqVn/Fx1MDAwNn7D2MyOXHLNlKJq6j6/Jlx1MDAwZVx1MDAwN8PWmnZQelxyPmRj9/Pb7iWuUnrF1ufwajFizs2tmWCDhXEqJcqpcppcdTAwMWM0yfakx8mAg7VcdTAwMDL5UFx1MDAxYXTfpi3kmo5q0VFRtyv0VpyxgKJcdTAwMTE8g1xuqFx1MDAwMyRwxbSmfrru81xuc+mDQv+wwvjT4S5s37T2jtmuXHUwMDA3IKc5XHUwMDFh11x1MDAwZb1cdTAwMTZFVd3Q7GS47cnyaPzXu/lCpJ1974emQYP2V6CJNyxcdTAwMWRGhluHUzTHLlx1MDAxNf1aYaXc+rF7d3G1USy+XHUwMDFl/WDtgsnqjmxtNE51XHUwMDBizruwc2Fu4bKxtdaHXHUwMDFj3Jy7o73mXHUwMDFhXHUwMDE0e4+F8+K26+5tiVx1MDAwN8ij7flx/6Bw8dA/qlx1MDAxZlxcV4v8ufyj83qWx1n+02NR72ydi6fDt5PH4+5qb2VXXHUwMDE0c3XLJqG3NJDyznZcdTAwMTa3TFxmXG5KM/TDpVCIydFcdTAwMTIwRlElfkp75MpR7mNcZqGURlxic462xSChN9byzD1cdTAwMTGRXFx2t0xS5cyEXWfOIPHYnZq6KqFDNd4+XZ79ccxWNlbWXHUwMDE3wVx1MDAxZlx1MDAxYkPxo/5YdNj5uGFcdTAwMTdHP19WTyrNvZ09WTenK2+XXHUwMDA3XHUwMDE3R/moXGagxjeWo/kqiomxNn72vpRcdTAwMTl5XHUwMDFh9crsMkNryk5cdTAwMDBvlWQhkjPxOVx1MDAwMja95qczbvtcdTAwMTfVx42dXs2dVPnZfef89qHfz8qvvduaerp96j/Iyvol7G3p01x1MDAwN3OSXHUwMDA3b1x1MDAxN7s3j1x1MDAxNX1Ve15t2NNS7Vjzs6dcdTAwMWOu+/HbtDnpXHUwMDAx/6xk0lx1MDAwM1JcdTAwMDRcdTAwMGVQXHUwMDBmgECwgJGzaoq9xzeNRrGrVHi4oVx1MDAxODxmUFx1MDAwZlBRXGKg/YSlXHUwMDFlmFx1MDAwMDpWs+tcdTAwMDFrXHUwMDE5KMGNL0QnremOoVx1MDAwMtwsXHUwMDFjoLUocmBnfXNcdTAwMTHUwFx1MDAxOCqOheGFR52PXHUwMDE4qL22NvZ37q6vzUXxaH3z5mp9f9MjXHUwMDA2XHUwMDEys9+MXHUwMDBlXHUwMDA2MXhgQDkwUVx1MDAxYl42w/xgXHUwMDFiXpv5NJVzXHUwMDBljirS+7skyOTzVOksXHUwMDA1XHUwMDExyTluNKzfXHUwMDFj1DePN9/+Ot86aEjY+Fnr7Vx1MDAxZn+2XHUwMDAwmGFcdTAwMDMjXHUwMDBiUVtcdTAwMDU5Zbb7n14morYuYFx1MDAwZVx1MDAwNDVcdTAwMTFDTFx1MDAxN6NWvuxq/aFWvp6dqbliylxujo6Z15xD9DZK1aCslPh37lQ94Vx1MDAwMo5T9WK2tVx1MDAxZUOc829rXWe3a/aqzl7M2Wvxr4JcdTAwMTb9x/ZjdiZnyqFcdTAwMTjX1N/IScZtNFl2yeRcdTAwMWZs41x1MDAxYjMzuWCMzr5cdTAwMTOYPOXAgJtBXHUwMDEzQyvmXHUwMDE4XHUwMDE51dPtk+L5+fHhc6tx0Kndl2+2Ooef7XLPcGQwXyb3P70sTM6ofr8xjithreMmXHUwMDFh/LjsbP3BVr6ZncmFXHUwMDEwRMlcdHvwNrlcdTAwMTBcdTAwMDWXylwihE9cdTAwMTfnOG5cdTAwMDHLXHRcdTAwMTZwjMlcdTAwMTertfVcdTAwMTi+nF9r63THJD0sXG6FuVVKM1BAVTXjva2Npia2XHUwMDFhnXOm4uZMtWtIj1v047mU3LODRmXiLDdKUWH4SLLdckMtatzFrFx1MDAxNJ6yXHUwMDE3L1x1MDAxOIBcdFx1MDAwNzaGjN7q5IM3MFZb7mT+XHUwMDA3b9PK93y7ziStU3rFVujwajFazq9jYerO3bdod2tDJWqtNuhhactCXHUwMDE1z39HIEFA4UnWXHUwMDE5KYTS3FN/NlNUVLpLXHUwMDEyXHUwMDE5XHUwMDEz0JY78reSTHBw8TY4PKCCpEjyyujBXHUwMDFl+6f1VEhXe+nwyCFgXHUwMDEyV46WTlx1MDAxODW6byGoXHUwMDAyppBGaVx1MDAwMdKEXHUwMDEyQd7zhF0gXHUwMDE1tS+j7rsmXHUwMDE0VTpER1x1MDAxM1gn0WpcdTAwMDUqKlxu2luiY1x1MDAwMjr+mFx1MDAxOVx1MDAxZFx1MDAxMY+oXHUwMDFjQ7w6XHUwMDFmjVC5ZHCkbni40M3iKKJ8k+GSlim9Ylx1MDAwYnShwHHQ3ppTMCuluyFcdTAwMWOxUFwi33vLQro1RXtcdTAwMGJcdTAwMGVcdTAwMTFcdTAwMWXNeTp0TNd70UFcdG1cdTAwMTV6xLRcdTAwMTViqZFiXHUwMDFjXHUwMDFlP1x1MDAwYlxy03eb03ODXHUwMDAxfTfqJE5w6JhcdTAwMTjt3Tq2vbVAmtIwqJlmNUjw7fDYXHUwMDAwkDHQs3S44lgo82aJh1E83JpdLVJJO5xVPyDatFx1MDAxZYWoSEiK5Fx1MDAxZkW/XHUwMDEwarGQvFLpXHUwMDE1W6PzgMTM2izW4drg/39cXIfr9Hi0qI6dsMM1c/G05TmhZPpOXnpxXHUwMDE5gEBawLWM3lx1MDAwNnVLXHUwMDE4Qcloh2uPZlRcdTAwMDG1T7OcUzJcdTAwMDHTvj4zVHpKOe2MoWRWWIrGJJDcnlx1MDAxOSSRvVH+sVx1MDAwNIw0iaLROmpfXCJy762wIJoxcZXSK7Y+51x1MDAwMZCZ5dlol2tcdTAwMTdcdTAwMDfHnLpcXGfGxliXa6HikjHa5dp4ajrMq8lMalx1MDAwNkM6OFKpao1cdTAwMGJcdTAwMDPFXHUwMDAzVZGJYKNBX4Nzrpi02lxipuNcdTAwMDF7Wlx1MDAwNlx1MDAxNj1xwliOXHUwMDA04qlzzahyh1x1MDAxMU5Rq1x1MDAxYYs8uCwuk4SNOzlsNzr0cnBcdTAwMWG9J4YuOfaXqqtpXHUwMDBlU1x1MDAxNuBcXPw0zKR1Sq9CfInOXHUwMDAzXHUwMDFlq2v3t+XixUm/8lxcWHvt11dcdTAwMGY6hZskLJKUKu2cNTi5XG6sp5hcdTAwMGJn1IxcdTAwMDJnXHUwMDFmzZR6XHUwMDBmXGJcdTAwMTNbJHnLRyRcdTAwMTmgkl98UCxfeFx1MDAxMjFRPlxuYaiBOlx1MDAxN5pq5X9cdTAwMTZCpudijUlU54FC6kE2cFx1MDAwMvX70IZ+XHUwMDE1KLZcdTAwMDGVnKGtbNpcco5nYUraXHUwMDEwMVx1MDAxY5RF61xuN7tcckVKuYBcdI2XQFx1MDAwZWHUXHUwMDBlaXkkk4SRu7NjJDdcbmeD+05k0HlM1I+4jFx1MDAxMT5Y7l2uXHUwMDE3XHUwMDAzIFx1MDAwYonLlF7xXHUwMDA1Olx1MDAwZoScSK1RXHUwMDA3ayNcdTAwMDQls6F7XHUwMDFkqi/7LZSqXHUwMDBljs6bjJOAUlPHl0gmhNw5hsvjlSv2sPvcab50T8RZ3Z4nXHLLXHUwMDAxpz1cXK5cdTAwMTQocCaubCHAz6nzrKH+s1LFYXtOXHUwMDEwmZ6eMraWh1x1MDAxM9I6hlrRaFx1MDAxOCnfXG4yXHUwMDEw3DpnXHUwMDE0cFxi5eu/Q6SgXHUwMDA0NC6RgpGipVx1MDAwNuY7l0F+w4dpmESCk0rLZTGPJIzcm1x1MDAxZCOVXHUwMDE45OmBL1VcdTAwMWTi6vK9jLviZFvi31x1MDAxNCST1ym94it0XHUwMDFlIDlJ4VxmjlrtV39JIymEJI5GyFx1MDAwMpKRYKNChdyCnPJoZoLDdEZcdTAwMTW7hEXu0W5cdTAwMDCBPuBmXHUwMDAyNZZcdTAwMDUnNSp1+DSMTNfs41wicp3SyEBK2UE/uXBox8DZXHUwMDE2XHUwMDA2YVJbo1x1MDAxMCc9Ja5Re1x1MDAwNEAnakjRzvr7O05cdTAwMTTL85Va19yw/dnDcTlYXG488MXvWZ18NmNcdTAwMWNlRs81r7bSrW/W2lx1MDAxYq3m9fNj8WjvZHvPbe3MoVx1MDAxZUZcZubiSK6ElJN0ok2xRv9dxqwxXHUwMDFlNOuMXHRQxVrFKTpL6lx1MDAxMUOUXCLVXHUwMDEwncWPkVx1MDAwMdBcdTAwMWREn9ZYz6aXWdphklx1MDAxZFx1MDAxZfjt0Fx1MDAxNzBrXHUwMDEw7VFUxtsl02eQnMdcdTAwMGXgXHUwMDE4kyr/0LlJ1+5wKVx1MDAwZZsgUr7IoFx1MDAwM+Jrs1ntderlhcl/XHUwMDE5Q26eho7j7iWfaNp0f2t8dWDjXHUwMDAyyVx1MDAxOTopJDScjTZxdcxcdTAwMDVWWyooJiXjnv5SYKlcdTAwMDcs5zwpXHUwMDA3xqDzY6jGXHJCXG5cdTAwMTUgnsQxqTLUk/yr2P7hzFx1MDAxY4xmj64k90JcdTAwMDK6XHUwMDFkyeXTKT9CaW3nmNvKXHUwMDBmy9u9q73HXHUwMDEzV7nWz8Wb3dXNcvffrniU/y4zkDByr1x1MDAwZejAVkiKaHcju1x1MDAwNuhhXHUwMDA1UlxyKoNcdTAwMDJabtwwXHUwMDFkXHUwMDA0TlHeXG7Xv2wzbplcdTAwMTNloH4tUzzKTsNcdTAwMDPUVOiZ+Vx1MDAwYsrE91xiQmGaIC3j0ynfXHUwMDBmrVx1MDAxNrF47DuG5WJlfT+UcvV28WyzU/nrpfGyXW5sscpt+edLZspcdTAwMTXMXHUwMDA0dCqOMts4a8K9tVx1MDAwN21aXHUwMDAxqNmN0SCUQ6/eaU+9biVcdTAwMDLpjHTSWqFBe9JYJqrI/7U09vHMPDtcYsdQ4OJcckm+U1x1MDAxMH2SxTuU3W7KM5LpSPZp11x1MDAxNZrFo/3+yvbVSeHl5KJxXHUwMDBm15OQIbVcXFKhpMeZyNA/mlxmZEiHjNIxKueqteT4+KMmI91Yk9GKMiNcdTAwMWO1JHdUOknETWaiPM6vZTInXHUwMDEz8CFyocW5sD7bSN5cdTAwMWKnXvAgwnV6cyHDyddvjFxmt1pcdTAwMGb9XndcdTAwMTFIcFxm74yS4OjA8yG/yt69rL45W9s7deXK1d196fp5bVx1MDAwMvJTgaLcXHJcdKCNXHUwMDE4qbpQ0IFBTYvuKNoyt+jNeKhcdTAwMGa/w1BcdTAwMTJcdTAwMGJcdTAwMDXWSeZcdTAwMGKqWnajSTTk09m5XHUwMDBmXHJcXGimvE6mjNdhXHRVXbCCMHqO9LfSuG0/nzTXwFx1MDAxZJuNXu1yZ33v+P7T6M8/miz0x1WAK1x1MDAxZYFVaSs1t9G8vlx1MDAwMlx1MDAxZrVcdTAwMWGP2UhcdTAwMWRo7qy1XHUwMDEyL6Jz6N/7pczmbFx1MDAwMv7T+JCFXHKnXHUwMDAyhfgvWVx1MDAxY1x1MDAwMnpulrPpipJ8MFx1MDAwMVwiazWrlTpeeCF4cFxmXHUwMDA1xXnQO/586PDc/XzdX8FcdTAwMDe922qI2sFJv1x1MDAwNlx1MDAxNTFcdTAwMDFcdTAwMWSm+oKSXHUwMDA1Vlx1MDAxMdQ6hsbrI8N8/cCvtclznlx1MDAwM1x1MDAxN3KUIehSeHtcdTAwMTbIxJolNFdcdTAwMDasniqceDoqvOuvNa8rj1x1MDAxN+vr1b2n7uOK7p1cdTAwMWO9fFx1MDAxYVx1MDAxNfpHk4VcbkFcdTAwMDaAXCJcdTAwMTLpXHUwMDA3lGbGRUPypUo3XHUwMDE4y1x1MDAwMmfQXHUwMDBidE6h1XmLcU/Egl/LYC4mYEEhKZCGgb+cT6JKNMC4RetYPFx1MDAxNjzo91x1MDAxNsVcdTAwMGZcdTAwMWPDOaP8XHUwMDE3XHUwMDFi+cTM97ffwPC99PBw0sMn+1x1MDAwZZO4luqVkafw671e9WH4XHUwMDA0XHUwMDA2b+21K9WNVummMfqUvz/Vq8+rcdP5j9vBi1BqXHUwMDAwI2Q21Vx1MDAwMUT/62//+v+eTvAqIn0=PublicKeyEncapsulatedShared SecretShared SecretEncryptedSymmetricKeySymmetricKeyAEADKEMKDFKey EncryptionKeyBase NonceEncapsulatedShared SecretPrivateKeyKEMShared SecretAEADKDFKey EncryptionKeyBase NonceEncryptedSymmetricKeySymmetricKeyInputsIntermediatesOutputs \ No newline at end of file +eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO1daVPjWpL93r+CqPnaVt8t79JcdTAwMTFcdTAwMTNcdTAwMTPsxb5VsU1PXHUwMDEwxjbYXHUwMDBmL+CFbaL/+2SaKiRZV7KMhWFcbrtf13tlXHUwMDFicaWbeU5m3lxc/vdvXHUwMDBiXHUwMDBi3/pPt7Vv/1xc+FZ7rJSbjWq3/PDt7/T+fa3ba3Ta+JFcdTAwMTj+vddcdTAwMTl0K8Nv1vv9294///GPVrl7U+vfNsuVWnDf6Fxyys1ef1BtdIJKp/WPRr/W6v1cdTAwMTf9uVtu1f7zttOq9rtB+EtKtWqj3+m+/K5as9aqtfs9vPp/499cdTAwMTdcdTAwMTb+d/gnftKo0m9cdTAwMTT8sc57K4dbh251/Wlw01s63XlcdTAwMWX+6PBLv2+hW6v0y+3rZi386Fx1MDAxMd9cdTAwMDchXHUwMDAzYNZJ0FYzqe3rp0/4aUm6wOBnXFxbyZTBL8Lr51x1MDAwZo1qv47f4aBcdTAwMDP6grGKMVx1MDAxMM6FX6nXXHUwMDFh1/U+fsfwXHUwMDAwXGaA5Phcclx1MDAwYk69fuNlRf9cXGCv7/T63c5NbbnTxPvHZf+HuHI1pcJFX5YrN9fdzqBdff1Ov1tu927LXXxK4feuXHUwMDFhzeZR/2l4ddxcdTAwMWZ8sN9GfsfJr1x1MDAxYlx1MDAxMCPvp/1cdTAwMTT+0ut6u9ajneCv73Zuy5VGn1x1MDAxZVx1MDAxNt7c67u0wtuN6nDT/idcXFNcdTAwMTe3e4N2rT1oNl/fbrSrNdqLb2VcdTAwMWT7be3qr9/2e8fD7ZS/3vl3uPZajS4smFXCWGHCXHUwMDE1hsIqgY2+u9tpXHUwMDBmXHUwMDA1VzCluVGOhz/X6K2g7PWHl71C+a2Fe0BrW1x1MDAxZJXLqGzGRK9fe1xmNyZcIrlcdTAwMWI1cbBUv71tl/ZcdTAwMGX3b/fPLlx1MDAxZZ/uXHUwMDFi316/9++/+y/78sN765ubXHUwMDE2jFjq/FxcKZfuK2Kpt31cdTAwMTf/Lb9/f7nb7TxErvvrv8J9XHUwMDE53FbLL/eJj8CgqFx1MDAwM2eaharQbLRvRjet2anchI/mb5FcdTAwMDWP6Kf/Llx1MDAxM/pcdTAwMTl7SC+qqWygmVFCadIqJeKqKVxcgNpkgEthQIG0MqmaTFx1MDAwN5I7h9/jQjvUv6RqRkRirowxZTR+ZYx9+5fWceu0XHUwMDAy41x1MDAxOPi0jos0rePKXHUwMDFhXHJcdTAwMDCRvZtA64pcdTAwMTTgUFx1MDAxZUlcdTAwMGXx9pdr3X7jqlHB6/6rvT+4bDYqXHUwMDBiW7WnyJ522v2jxvNcdTAwMGJ4xN5dK7dcdTAwMWFN2lx1MDAwNIhddbHZuKbn8a2CN1Drfos+lD7+oubrXHUwMDE3Wo1qNUpUXHUwMDE1vGi50a51N/IwXqfbuG60y81cdTAwMWZ576Q86HdcdTAwMGVrvZd76XdcdTAwMDe16HOrff+tKTxcdTAwMTCQoefPvFpt1Etyc7Bz0Fx1MDAxMLzbf1h/7OTmYS05qrNj1iilUOlNTNklM1x1MDAwMbdSMVx0hmuHXGKf1HVcclx1MDAwMTjrUNuFVNL4WFhcdTAwMDVcdTAwMDDMWC7CXHUwMDBmx+t8jUku+Vx1MDAxN9F5OzVcdTAwMDFb3ESF1pDzIFx1MDAwMUTMq1x1MDAwNP86jnTG31x1MDAwNFx1MDAwNG+j39rq0/n5Ruex83RwvLPptlx1MDAwZTab61d56XdthW2ZTunh7qK5c7q4U918gpOlXCLoV2shXGaaL5EnMVx1MDAxNf367zJcdTAwMDf9XCKgXHUwMDA3aFx1MDAwZmtpnGBcYtQurpHcXHUwMDA1XG5wm1x1MDAxNXc6RSOlXHUwMDBl8Fx1MDAwYtZZZriwjukp2fdLaaLLz77WXCLfoW0rfSrHXHUwMDEyhvAr+UpQ0snIzk3PvW+S3lx1MDAwNPeutivl296gSdf9V/uojvtZXTiqVbq1/mfg3zFMN8q/ue6mXHUwMDE4XHUwMDBlVufuZHHpQTnJd6VWYlx1MDAwMFx1MDAxN6fN3Fx1MDAxY6yYXG4sU0ozZ6SWXCJ0U3NzsMOvXGInXHUwMDA0/XiMZ181Xk7CvdxcdTAwMTleXHUwMDExX0TjXHUwMDE3p+ZezpWyqIDaS74q8e4rXHUwMDEyaClcdTAwMDU4NMZnx74nrY3V6s9Ov9E6q/B+b2njbq++lZd9t2/OXHUwMDE24a+DXHUwMDFmTFXaJ/q5XCIrrYdWPvbNvG5lp7q48/3m5OS6PTg6aFee+8t7N0WxOuBcdTAwMWagonr9dlb3P71cdTAwMWOsrlx1MDAwNFx1MDAwYlx1MDAxY1x1MDAwMCo4R+JcdTAwMTaReNZcdTAwMGKri7E6noPVJ7Kvv5SOL+VndY5qbFElnVeZeYLsQ1rXVoCQ8KZIVpHym+D1T8fkY/hylMnflbtcdTAwMGZcdTAwMWZ+bq4sM7V3d324sb2yU1ObzVx1MDAxZvnj2Og/XHUwMDAzUq4y4Dia7PE4tmMusNo6zkFKxkOJetVqxVx1MDAwMmWsXHUwMDAytOlR6rzus517zSlavTw9c4OVmklcdTAwMDW+XHUwMDAwXHUwMDFhuFS32Vx1MDAxMZIzM0OvefN++3nj8bB5erG7tHvcrJ3cdVx1MDAwZap5+bWzXHUwMDAz9ydrg8OVxtrJ6s/6QbW/Ujorzmvm6KpcdTAwMTbDr/67zMGvXHUwMDAwXCLQYFx1MDAxNFx1MDAxN0qQITyih1xcZeuhs4Hgzlx05YQ2YKwnYG3mapimhsdcdTAwMTOwq2RcdTAwMGVpkluf01x1MDAxYzWER1x1MDAxNFx1MDAwZZx0XHUwMDA2naTineZcdIU3Qa7oZnafbl98zKdWq9bvNir/an+SkPVcdTAwMThy87jM4+6lXHUwMDE40t1fPzu422ePy+3Dw9LRRn9wv7/xlJt0XHUwMDA1+rtMSjKnXHUwMDE1ciaLO8xGyoCcMU5BMlx1MDAxYn5cdTAwMTZyrlxyXGZXnPM0X9mIXHUwMDAwhVxyOGhcdTAwMDRcdTAwMDR8zc+NUzR/dXpcdTAwMDK2ZDYxzn3nxsbp0XdfrW1uKfSm9FxmKXj3eEmvbXVKpf3rXHUwMDFk3upA83q9I/NS8HKlc3K4s717cPrjyF6ebtzxgdgrjII5eYbFULD/LnNQsHBcdTAwMTA4zpCFrTBW67iLi5qKWqctsisomdRKp9A/do5cdTAwMDPXL4qZVMv5kXGaXHUwMDFlruUnYLBWWHQ5fFx1MDAwNq9JmsG/9VxyN05xpmzRzu3Ekpt0bj9cdTAwMWTpjiG3hHf7rkx7fWGe1Iq5ai3f75avt+7ujn5UvifVudootzrtalxco4GbQKLh5YQkMlx1MDAxNSHW0tPTzlx1MDAwNVx1MDAxY1x1MDAwNHNcbjSg51x1MDAxYYpGXHUwMDE4l0amVdpo4FJcdTAwMWJuQ6P8VaeRh1x1MDAwM47IoYU0aIg5XHUwMDEzalWOXHUwMDEwVo3+90V0fCsv14o0rtW4VficvapvdWqKlrOUgVx1MDAwN7M8XCIuLfVat92j3bv68WGF88pN6fbxMi/T/vX98mipc/x97bq8t8KPtrZX5KXMx7SZ11x1MDAxZPTuXHUwMDE39ytbXHUwMDE3u/crR72D1vVJZem6V8B1p7BcZjKv+65Ov1x1MDAwNiFlQUfl/t3OYXGAoSRSpp1hwlnQcXxCSyNAS0ORIY+fmtCW/I1PoFx1MDAxMcBcdTAwMWPF5JVcdTAwMDLpdVx1MDAwNSZcdTAwMGKpfyU82s5vc0jkeaNt8iCMgIen+vxcdTAwMDbNXHKFXGZTtM0xsewmbI7F1cWVz2BpjCH3UUsjvuyCjr7/Oj9jzWPYuDlZfGBcdTAwMWKrpdPv2/eF2Fx1MDAxN1ZcdTAwMDbWXHUwMDE57ii5XHUwMDFijU9fnuncvihOn3emti+ASYuPOHlERlx1MDAxMFx1MDAwMKnJqE5cdTAwMTjHuIFcdTAwMTBcdTAwMWTe3b64u2/s/Pi+f86OK2s/1k5+LkONX8wgXHUwMDAzPPO6U6S2ZV73XVx1MDAwZtc1d8aZKHK83Vx1MDAwZfDvSlx1MDAxZTvAssBcYrRcdTAwMDOYXHUwMDE2nI9cdTAwMDRcdTAwMWW4XHUwMDEyXHUwMDAxolx1MDAwYlg+PFx1MDAxYlBcImlcdTAwMDcgRiDOoI3g8Ha4mv5o/Svhxu5cdTAwMDSxXHUwMDA3IbVSMiVbPT1hzjHBXHUwMDExWMJcdTAwMWYryFx1MDAwZZhUdlx1MDAxM3bA1urOZzBcdTAwMDPGcPCoXHUwMDE5XHUwMDEwW3UxVsDW+t2gcXNfuqyqi8HN/tlG47jxVisgXm+iOFx1MDAwZjRn2uD+czBOJ9V3blx1MDAwNlx1MDAxNKjOe1ObXHUwMDAx3FwigjLJvKVguMLUQFx1MDAwM1x1MDAwN5CaR/Np391cdTAwMTC42mss9rvrbv/yofRcdTAwMDSwsn/RPlJcdTAwMWadXHK3XFxZe1q7vvghXHUwMDFl71vdytZa+eRs+7iA625vVrv3vdJe5bG/vvxQOd5bg2q9UEOgoNI1/67kMlx1MDAwNHjAXHUwMDE0XHUwMDA1XHUwMDA03LAyLcSKIZRoh1x1MDAxZYVkWoLSZCr4XGZcdTAwMDFmXHUwMDFjOlx1MDAxZJJLhXgyN1x1MDAwNCZAjv38hoDgzKJcdTAwMGJufIaA0+kpdkxcbo7AUniK3cTCm7RcdTAwMDRW1j6DJTCGh1x1MDAxM5ZAdNXFWFx1MDAwMtne0VxiwMSUVzNcdTAwMTFcYu0sioVjxvCRUjRcYpxCjWRCXHUwMDE4pFx1MDAxN+UxXHUwMDAzXHUwMDAyLiV+XHUwMDBlXG45RmtjwkPGV+2ldDvBXHJcdTAwMTWEW67RKlxiLzPX5pg2XHUwMDFmTG9cdTAwMDcwNOok9yT10HYmc+V/a7lcdTAwMDLU8GLLY36XpnJcdTAwMTaV6bw6fttpjFx1MDAxYVx1MDAxOeF/LYRcdTAwMDIz/Mvrf//P373fTpdSeiXlM7xegoOb5V5/udNqNfp4o/u0yFx1MDAwNNz2y93+XHUwMDEybmqjfVx1MDAxZN+8X91cdTAwMWTyXHUwMDE0tlx1MDAwZaGrMqBcdTAwMDdQYlx1MDAwMWPCXHUwMDAwNW1cdTAwMTCc3GXOROR71+VbQvCAcmtIUbVcdTAwMDKB/05ISK1dXHUwMDFkv6psryayKlxclKG8XHUwMDAxZTjSuuUs1OrXNXFBZa7KOTBSoFx1MDAxMyFUUmzpYS1cdTAwMTIu1WvlhGbgkqOfjVx1MDAwMlitedl5yGXcZFuNWVx1MDAwMKmsXG6kpSpdwKdr4tFSqVSA26JIZixqXrKCwJhcdTAwMDCEoSRI/FxuM1x1MDAxZdvGXHUwMDFhdJJA4Vx1MDAwZoNcdTAwMWGG7Ofg6Fx1MDAwN8ef04MjXHUwMDFhoeiPRmEuXHUwMDA0R1SbNHBEerRIr65IXHUwMDBi6Fx1MDAxM6FjmozSKyGds4DG7EqFXHUwMDE4XGKhXHUwMDE5abgjy5YjuIdRiFdcZrJcdTAwMDFcdTAwMWGZVGwtXHUwMDAwXVxmJe3bcDHbxovjomZcYoaGLGZcdTAwMGLCh9VcXFx1MDAwNVrhS5JJRfY1fFx1MDAxNC6eXHUwMDFl3zlcdFx1MDAwZp2z+t351e5hc1x1MDAwZvY6J7lTQrVwXHUwMDAxXHUwMDEyJz5aZFRcdTAwMGUj+d/gZGDRyqdcXF989sx3lDS+hFJPkn/2pcqrzvLiYWpcdTAwMWWo0lx1MDAxNl12XHUwMDBlvpiR42r03Vc4lJqsjLelhb+ubqKQUb933yjZ5Zb5cd/9aVba59au5S7EeK/Qzlx1MDAxNDkvXHTs9Fx1MDAxNKA5Llx1MDAwYlxu7fifXkLLfW1cdTAwMTHQguNWS0eF0shcdTAwMTEjXG5uxym4klx1MDAwMVCuITDuUpI9Jkow/VJcbn6eP7aDv1xyWdBcdTAwMWGvKluXatkgPSlcdTAwMDdcXMji6ycnXHUwMDE031BcdTAwMWF/h0lqT1x1MDAwYr9KI3DBnybPdFxmYyaCPbG7eI9WRM39ykmjsl07+fm8/X2ps7Os+5v93Fx1MDAxNJ5og1x1MDAxMC/rmHP4+6r45dRcdTAwMWPOhVx1MDAwMq2posqn+Vx1MDAxOWFdi447eUMzzFx1MDAwMGn9XFxf14uDXHUwMDFm7YuLn6dcdTAwMGaLa1x1MDAwZifP9Y1cdTAwMTlcdTAwMWOkZF53ilxm0zwsrkUkv38qXHUwMDE29z+9XHUwMDFjLK6oNkuCQzanvoAs3txcYpU7kNkqzsWwsyBHM58rq6TnrHfeXHUwMDA1IU3FK1x1MDAxM7C4dEDBNOfX5Yx+nlxiXHUwMDAyRrhCXHUwMDAzXHUwMDE0b1x1MDAxMt9cdTAwMDSLL5V7tYWXdX5cdTAwMDLyXHUwMDFlw5Wj5O1bfDGkne2SZFx1MDAxZdhI4luFOq20U1aOmOTCXHUwMDA0Slx1MDAwMeDnwFGlk8psTVx1MDAwMIDAb510XFyLSIJnSNcqcCiEiFx1MDAxN+jbRy4xj0fGXHUwMDE0u5qXu1PjkUqgucSN90SWc5eu70j6jPD8XHUwMDBmPa5JlVF6jUhneK1cdTAwMDRcdTAwMWJcdTAwMTdcdTAwMTaPnCD4J5RluDaKiFGLi2TsXHUwMDBmXHUwMDAyo/G2tOWgrVx1MDAwNZU07HLFI7PdkNiSlFx1MDAxMoxcctuNorwp6Vx1MDAxMkuSgVNcdTAwMTKfs7KUo4X/T8ZIZ3VMk2njZcFcIvJmIKlywaGRQ6GKXHUwMDExWFx1MDAwNPxcdTAwMTSstVx1MDAwMnCDPOfYhlx1MDAwNcO+YILjt9ApXHUwMDBlcSaERVx1MDAxYtDWolx1MDAxOWSVcTxCtnNgjFx1MDAwMWNtamDkXHUwMDAyLVWUWq9T40QqMHLKI5JcImqz/FHAWEpcdTAwMTVTeiVcdTAwMDT0U2EjXHUwMDFkYyumJeeWWlx1MDAxZTO8gVxirv+CXCJcdTAwMTM4qcFKNGyEtcryhITkQsdsOy++KDEkXHUwMDEzqcBcbstcdTAwMTA5PMfYXHUwMDFmXHUwMDA1h9lcdTAwMDHmTCvRKXza0lA6gFFShZo+dPlAXHUwMDA1wig0MSiwK5knOVx1MDAxZlx1MDAwMqaFJCZcdTAwMTPcauE5t6a4XHUwMDBmqpq0hjN0LiOIO4fDXHUwMDE4XHUwMDFjXk1cdTAwMGaHmlx1MDAxYbxcdTAwMGLDfbV8nGdk9ShcdTAwMGJcdTAwMDRf79Jx/k1cclx1MDAwNIqFw1QxpVdCQGdcdTAwMDGHue2yYVZcdTAwMGZl3FmHe4tmXHUwMDBiQpD0YE8gcec1/sO4MJRG+zZEzC5ajJuwXGb9SzD4XHUwMDBmdbtWSZDmXHUwMDFhQZOykTgzyEbceFx1MDAwNHc2XHUwMDAwmVx1MDAxZLvLTutxgVx1MDAwNqJSoyh0reJZy1x1MDAxYdBOR1x1MDAxYlx1MDAwNMlcYlxm2MhQh99cYqmRqpAv0GjGh8SlL2vZSHRcdTAwMDeMdFShh56Km5c/pCDkdVx1MDAwMWmPIJhcdTAwMDV/cjNcdTAwMTdcdTAwMTl9wZnDn+JQaHbzJ4LIVDGlV0JAZ4GQuW0zMs3QxJWOSzRUXHUwMDE4s5GkzVdnWpAtiabisM6QJfNcdTAwMGKLXHUwMDA1R1x1MDAwMm2jXHUwMDEwq62ljksoWGGodiHMOMKnjcDOXHIlJWnhPlxuXHUwMDFks3tcXGSio1CBtdQwkDujYp1wh01cdTAwMWXQXHJcdTAwMTlcdTAwMGWyYUxSl5IkOlpcdTAwMWJIXHUwMDAwOnNwXHUwMDE2/+05MJCBYoKjh2dcdTAwMTg6dIA+wVx1MDAxY1x1MDAxZP3o2ChcdTAwMDBcdTAwMWRRjXC3hFx1MDAxN1x1MDAxZKPBjlx1MDAxMXQkV1pcYqf+UPsxTUrpVUpcbugs0DG7jVVcZlx1MDAxZFx1MDAxOYVAmaZcdTAwMDJccjRcdTAwMGKlJ8/QXHUwMDA2nCtAXHUwMDEzhyHBKSS6d7dcdTAwMWTRVrXWOOBcdTAwMGV/K1x1MDAxZEoljUeEdWpHx4xcdTAwMWNcdTAwMWG/r1x1MDAxOaUzh8fsVj3jimbQp1x1MDAxOHZQQPLkce9cdTAwMWFFKdBIXHUwMDEyiP9oPEZcdTAwMGbzfqOjwL1DPbBcZuXKaFx1MDAxNDNPtFx1MDAxMV1cdTAwMWJKO5aCXHUwMDA0UEY8vzk6xtDxr+nRUVx1MDAwMvI0krm3U1x1MDAwZaR2yuHDJCdcdTAwMWKd/vRHXHUwMDA1XHUwMDFi06WUXqPyOVx1MDAwYnCcXHUwMDA0iCSjclNr0PZFXHUwMDA0ZCppPHJcdTAwMTdYfOJcdTAwMDKRXHUwMDFmrVx1MDAxODBJOy1cdTAwMTc6Znf7jS/KSLTD0dun3vVOXHUwMDFhz5pUYFx1MDAxNNfGXHUwMDFh0Fx1MDAxMlx1MDAxMfTDwDG7L0omOHJcdTAwMWVcYi6kME5cdTAwMGImXVx1MDAxY1x1MDAxY4XQgUSvmlx1MDAwMtiAPof0lFx1MDAxNDKkZY62J+InQ8dcdTAwMGU81qNlgZJcXPFh3Vx1MDAxMWg7d61T4LFZgPGI7rGS2jvkTiZcdTAwMTNOX7PEOVx1MDAxNZT+sUUz6VJKr4R8zlx1MDAwMlx1MDAxZSeo3aPTIY04hI4qlf54y1x0XHUwMDE1aIR2QzUqhpuEeORcdTAwMDLH7OlhsSXR6Fty98lcdTAwMWZcdTAwMDFf1PGjoDC7lVPmobSj2kEjXHUwMDAxUd8g8sVjjEKYgHqdXHUwMDBiXHRcdTAwMTSlZtKTeScgQLG3TnBcdTAwMWFhpJinutrYwKJcdTAwMDNDNZ9aKyUm6Zv+paCwNT1cdTAwMTRcdTAwMDLF0FxmYz4o9IwzXHQtRcWYle8y+PdcdTAwMTNAYSldTOmVXHUwMDEw0E+FhSVcdTAwMDRD9PDpzEPQ/E/h91mpWT662oC7XGLujX507rLGXHUwMDEysYdmjtqhUFx1MDAxOaFcdTAwMGLPb1/XJFx1MDAxMMNpVCngU1x1MDAxNVx1MDAwMjn6o+DxcGm9vzy43Lu76yytdVuNg8Pr71x1MDAxZTeasiPj6Iie07BWUtLEc1x1MDAxYlxyXHUwMDAwXHUwMDBlR56DXHUwMDBlXGYxkEHPXHUwMDAzXHJhXHUwMDBmOoaS/1xuhnhcdTAwMWTaKmc0pcVHXbo5XHUwMDE4xsCwXYDbLFx1MDAxNY9cdTAwMWScRLAwvexA0Il0lOuKyVRGXHUwMDExUfpN89pcboXC2LdcdTAwMTPCWCTwjSpzyidcdTAwMTOBXHUwMDAwfZah6a5+evrQ51vlzr6uXHUwMDFm3tbOXHUwMDFhjZOdpKanVFx1MDAxYdFcdTAwMTFcdTAwMWSFW5EjXib2xVvOlaRcdTAwMGKMw7c1XHUwMDEyXHUwMDFi9T6PdEx/97HnX2puRSev6qfWXHUwMDFjaXTutWbc29M+ecjwOs6CXHUwMDE5ylmHXHUwMDE51lxy927U5lL75vKx99zmXHUwMDBm6nH36tn+yFtcdTAwMTl0e8yezy6u5V3v4lxc9br7lf6D2In/lilat6FXXHUwMDEwOTibqjLIf5dcdMVMVlx1MDAwNqH9qGkskyHDx6rRc75cdTAwMTJ6KIA+LFpcdTAwMThcZtJ0sujB519KXHUwMDE3bycoXHUwMDBlUpKgL1qqXHUwMDFiXHUwMDFkXCKTXHUwMDFlplZcdTAwMWNtTcdcbs2JfZNcdTAwMDSHXHUwMDAy+f9j9PlcdTAwMTi++8DR563H05vvh88w2OjWN6pcdTAwMDJuXZNNwMRog1x1MDAwNXRyQS2xtJEjc5FzMTGDwEig3ivoPdFcdTAwMDGAh4p5XHUwMDAwXHUwMDA2gNpqXHUwMDAxOk3zeW4pXHUwMDE40J2aj53VlOkofD3gjUjt48GF4Mri/syw9+v6ck9ebOnV8vpT6drsO9m9uV7LS8itXG4//l5ZZe2th9uV5yu1uH1YPymKkItcdTAwMWPn5r/LPIQsmSTf31CqvKVptyOE7Fx1MDAwMtQmXHUwMDAzuN1cdTAwMDaG3VZcdTAwMTOqSSVcdTAwMDJoIUtcdTAwMWGNzGJ6N+fjsbrYm4CPKS9cdTAwMDb5OFliT6auSdU65HCqQlx1MDAxMkXT8fRD3fa7jXu85qdptTGG5Ub599fy36PHxoA/3l0vn5uzy9WjlfP7/lJvd6OR1Gdvp3WKXHUwMDFiXHUwMDA2wtGYckLpqNf0ki1cdTAwMTIoboRkzFAycqR/97zT+q99LlLBXHUwMDA3U8e90C5iwzC3R+0hPdFYKivQmtIzdH5cdTAwMWJQa7uurd7Jw8rlTf2823KLezNwft+LwzOvWylv3C9fdU3n+UJVXHUwMDA2eml9cbNdSFx1MDAxYlx1MDAwZjpoQfW1RVxyXvPvSlx1MDAxZdtASFx1MDAxMaAnrqjEXHUwMDBmXbqRoi7qtaWpXHUwMDEy5qXBLeNJ02A+cmXh7chxn980sLg9dOzrQYisU0LcXHUwMDE4muHLis4nm1h6XHUwMDEzlsEnXHUwMDE5uTKGhmcwciVcdTAwMWJcdTAwMTWzclx1MDAwMdBcZjBcdTAwMDFN2pDDtslyZO5cdTAwMWH63I5cdTAwMGKqXHUwMDE5XHUwMDAwJtHCTyqv1oGgrDGpwTHGhMdcZlx1MDAwMFx1MDAxZJBDz1xykFx1MDAxNWDnp19puvwwtVx1MDAxNWA4XHUwMDAzizDqbbOe3jpcdTAwMTOoiVx1MDAxMlx1MDAxM6zoxlx1MDAxZGg+Rtuvfli1UZqM0ishneHVXHUwMDEyXGZcXFhcdTAwMWVAdlxmbyGagETNIyRcYlx1MDAwNrh8XHUwMDAzOlx1MDAwNOqF1zxcdTAwMDBEXHUwMDA3JZyWVC3OKICWXHUwMDEwj1xciVx1MDAwMNk4XHUwMDE2W5RG9HZcdTAwMGVcdTAwMThDb1x1MDAxZS3IZIGoXHUwMDBlrFRKXG7kXHUwMDBlXHUwMDBiID6ulXC2YZdcdI1SUiZcdTAwMDBaNlx1MDAxY9evYFx1MDAxNFx1MDAxYU3A0TlcdTAwMDKgUlxyhVx1MDAwZVBcdTAwMTJcdTAwMWFZgNuBksXRXHUwMDAxQncpxL1cdTAwMTBcdTAwMWFtIClDxTjykCDiRM2hMVx1MDAwNo2PRVRcdTAwMWLRkZJcdTAwMTO+g1xuXHUwMDE5SYJcdTAwMWLFRoGYirv/h2JjKVVK6ZWQz1mAY3aAZSGekFx1MDAwNJpbJlx1MDAxNaogc5YnU9ddwNB4obHOXHUwMDBlTU5m39hoPTc20pqo+kZJZoQ0UnrqQy1acyBQplx1MDAxY36R7K6PXHUwMDAyx2Veh/7l1lW9vPtQuoZlqG6tedLp01x1MDAwZWwohMRcZlx1MDAxNeTTS7B46lx1MDAwND5cdTAwMDBq4I+UpFx1MDAxNVA0MFx1MDAwMZB5mrTKeVx1MDAwN8dcdTAwMTRIfMpcdTAwMGKJqVx1MDAwNzSAXHUwMDFh7VA9/KHi1PZcdTAwMWScnFx1MDAwMW5cZp/hXHUwMDAxTffy9rLe17qvqvVOv9LY1lt/XHUwMDFkzyBcYpN53Xb36mBl5Wpd7C4ur66eXHUwMDFl/+x0d1xu69GqXHUwMDFk55FcdTAwMDY3U1x1MDAwNXf8Ty+h557gXHUwMDBl7nVAWWxcdTAwMTJccmj0XHUwMDEy9IhccsTFOFx1MDAxNc+RhzFv0pqm4s9+XHUwMDE191x1MDAwNnfIfdH+w1YtU9MwyH6X6P1cdTAwMTWd+Dix9IbC+CtM8unyLsaQ5WiY510zLbJcdTAwMTEt06tB0yOwliYnWEs9uOK5VUJcdTAwMDJ6nFLTjGWLtotnxK5cZqhM3tL4XHUwMDFhLYBcdTAwMWFcXCRV2vDAaaql5lxcolM970noV/BLxqb2a1x1MDAwNFx1MDAxZMFRy3SfW1x1MDAxM3EwRrNcdTAwMWVBaVxu2Vx1MDAxN92S8JO4NelCSq9R8Vxmr5bg5cK8mlx0oiuMM6NcdTAwMTTXXHUwMDE0ylx1MDAxOVx1MDAwZcL21H7gXHIqa1x1MDAwNdIh9Tpxb23YmlxyavFV0UQrdFacsbTTyrOogGY8Klx1MDAwZUxrKlx1MDAxMnFcdTAwMWbXgUvvlVx1MDAwNvtVxu/3t9XmZXvnkG178PEtJ+PaodNcdTAwMDJcdTAwMDJcdTAwMWY5ap2MjjaZn4y/vFssQtrpIz+0XHJaaX+bmeRI0jAx3Drcolx1MDAxOU6iXHUwMDE41EuLlfb37evT89X19aeD76xTMnm9kY3V5k/dVic9tXVqrtRZc2N5oFxu8HKuXHUwMDBmdlrLar1/VzpZ33S9nVxycauKXHUwMDE4bX442Cud3lx1MDAwZVx1MDAwZVx1MDAxYXtcdTAwMTe1df5Q+d59Oi7iKP/+bl1vbZyI+/3no7vD3lJ/cVusXHUwMDE36pWFXHUwMDEyM5VX5t/tPF6ZXHUwMDEwXHUwMDEwKCRaRp1cdTAwMDJcdTAwMTGT41x1MDAxNbxcdTAwMDZMQIadXHUwMDA1XHUwMDBlXHUwMDBl/YKkXHRcdTAwMDdcdTAwMWEhjHpcdTAwMTIjWqfMv5qfuKdcIpLL75VJapGZXHUwMDEyc87qcEVzW0HoSFx1MDAxZrdcIv2ySeQ34Zctri6ufFx1MDAwNndsXGbFj7pj8WVcdTAwMTfjhZ1cdTAwMWX8eFxcOqq2drZ2ZMP8XFx8Pts7PSjGylBk4EmKmSiH5lx1MDAxZECyXdPczChSqVx1MDAxN6c3M7Sm4lx1MDAwNOXthuypj1x0dV3oYf7UXGZz8K5cdTAwMDantbvVrX7dXHUwMDFk1fjxTffk6nYwyEuw/as63F/dXHUwMDBmbmV15UztbOift+aoXGLiXu9d3lX1ef1hqWl/luuHmlx1MDAxZt9cdTAwMTdw3XdcdTAwMGLTXHUwMDE2nYPn35VcXFx1MDAwNoFcdTAwMTSBU2hcdTAwMTAooVikOfJcdTAwMGKWoLuLeMLRN7dcdTAwMGVM8qBcdTAwMWFRgtGIXHUwMDAy/Fx1MDAwZbltvqbBc3MgXHUwMDE1OZbym1x1MDAwM9YyXHUwMDA11JrMXHUwMDA3XHUwMDEx0dFcdTAwMWSjXHUwMDEwXHUwMDAxUlpcdTAwMWJcdTAwMWSb92lS8FbWPoMxMIaJXHUwMDEzKXjRVVx1MDAxN2NcdTAwMGLUn9qru1vXXHUwMDE3XHUwMDE35nT9YGXt8nxld81jXHUwMDBipNa+XHUwMDE5jdaAoNCKXHUwMDAyp0xcXIPn8y7fWYeXpz5L5ZwrR53n/cNcdTAwMTBk+mmqdFZpXHUwMDFhZjw7+l+53GusXHUwMDFkrj3/dbKx15Rq9Ue9v3v40fQ/RfxcIpumX/xcdTAwMWVcdTAwMGKqoLp2/9PLRdPWUfdKgTvOjVx1MDAxNWJUy+eDq99Vy1fyMzVcdTAwMDdcdTAwMDZW+Fr0XHUwMDBm1Tl91pOhZkxcdTAwMTL/LJCq3yTASar+nJOrx1x1MDAxMOfsJ1c32NWyPW+wR3P8tP5XSYvBXecuP5MzcGiKa1x1MDAxYWPkJON2ZOTbnMnfV8dXp2ZywVx1MDAxODWXT2HyjPNcdTAwMDJuhrNcbq2YYV5UX3eO1k9OXHUwMDBl91x1MDAxZtrNvW79pnK50d3/aId7ilx1MDAxM4PZMrn/6eVhckZN+qmNLFxiS1NK4qmP8+HV76zla/mZXFxcYkGUnFx1MDAxMoK36W0ouFx1MDAwNItcdTAwMTD+tizHcVx1MDAwMjyV0/25pleP4cvZTa/Odkyyk6LQMLfkvyFf48bHtVx1MDAxOVU8XHUwMDAwNL2NokmtnviZhcBwamzhXGZI6iXnYWyFtG+U4Vx1MDAwMrlcdTAwMWSAz9vhpqn2el5cdTAwMDLPXGLEXHUwMDBipvBRgy9cdTAwMTeSW51O4FxcM8Zp8kqBKv87KUp+fEfcVDmlV0JCw6slSLm4uYSZcbuF+Fxia0PdaXH70L/SlkWK+H6lXHUwMDFmqYByk+zLqF3N2Vx1MDAxYicnZDsksTVR22CG7I2bS1x1MDAwNYbJfuVcdTAwMTR4XHUwMDFmUjxcdTAwMTg9jLB/2OSEbFsvXHUwMDFiXHUwMDFjuUS50Vo7KeP5XHUwMDA0L+ioKTVMWq2Q2aK5nq91cC5g2kouaF6R1szn0Fx1MDAxOHxQVOgotTPaqjk8psHj96nhXHUwMDExbVx1MDAxMNRcdTAwMWadbM1HK1x1MDAwNJeeKk6TXHUwMDAznC58rswnXHUwMDAxx1KqmNIrIaCfXG5cdTAwMWSHQ6zJeFFU64Z4xFwiVXyvQ1x0aUQgUGjBKc2kS5bk5oLHbHMvviihLaBDTJFcdTAwMTCaypeE7Fx1MDAwZqt8y1x1MDAwZTZnl1x1MDAwNStcdTAwMTFcYmk08lx1MDAxMT5MxkbSQ8dcdTAwMGaxxlx1MDAxZreU90GdTamzgqdcdTAwMTWatoFwilNJN7OGqfnpa1x1MDAxYVx1MDAxZW5Mby5SPzvcVT8gWpV+KiuQ1qkh5buUXHUwMDA2f/xcdTAwMWPCUrqk0isho7OAxNzGWWKQtcF/v98g6+xstLghO+Ega+aSNcszQsnsQF52X1x1MDAxOaVcdTAwMDLJ8clLwF2Q8ZOu0TnWnrYy+Fx1MDAwNcesljRA3Vxu4ZtjLVx1MDAwMqo8lPalXHUwMDA0XCLyK+ZcdTAwMThcdTAwMTnHyM2pMZJG6nLHUiDSJFx1MDAxY+3X9nKoVFx1MDAxY3XrXHUwMDBmRchUKaVXQj5ngY+5rbPRMdYuiY1cdTAwMDWNsc5cco2JMdZcdTAwMDKSXHUwMDE2Y3yMtfH0c5jVgJnM8oVsbKQ21ehOXHUwMDFiSTWYUsTDjVx1MDAwNn1ccq5cdTAwMTn1w2NoObNk5q+WgVx1MDAxM8i5+ICQQ6SvXHUwMDAwk1x1MDAwNdZSIyhcdTAwMGL4MIn55nOs09Bxq4CAo0M0wo30nlx1MDAxOLrk22FcdTAwMTN83H90fu2fio9pgkqvUlJGZ4GQteWbq8r66dGg+lBaflx1MDAxYTSW9rqlyzQ4koZcdTAwMGXpnDVuOC7P08uFM5pFgVx1MDAwZlx1MDAxYpdPo1x1MDAwN8RcdTAwMWJHXHUwMDEyTmBAMq1cdTAwMTT1++LDXvnCU4iJXHUwMDA2pKD5iVxujVpNrfI/XG4ks2uxxtSpo22uaOqioCpLXHUwMDFityCtsoFcdTAwMWSGadCOZCpcdTAwMTKUXG6nWVvQ+POM3HCHhoivM6FcdTAwMGJQOvEpSuUsjVx1MDAxYpmDZFxuSG5PXHUwMDBmklx1MDAxY3dRXHUwMDAx91x1MDAxZMqIaLP/0cbk6FoqpyP1XHUwMDEzf1x1MDAxNESW0uWUXlx0XHSdXHUwMDA1RE5ksdGsalx1MDAwNHiqZlx1MDAxYtbUe/pcdTAwMTPKXHUwMDAwXHUwMDE3L+hcdTAwMDREUlx1MDAxZIJOykguiNw6VGeHi+fsdvuh23rsXHUwMDFkieOGPUlbllNcYo80I1x1MDAxOFx1MDAxNChnktatXG7wczTLjVx1MDAxMWScQ1x1MDAxMrdnhJHZ5SljMFJcdTAwMDToRYOkqVdoXHUwMDE3x3t5SCVcdTAwMDN0TJwzoLiS0Vx1MDAwMuhcdTAwMTAkpVx1MDAwMmqEXHUwMDAw6KqzSIQ2XHUwMDEyiiRcdTAwMTimXHUwMDAwXHUwMDEwUiDq4rxDYVx1MDAxYUTuTFx1MDAwZpEghmV6ytuiWaamqkihiSD/0IOZVFx1MDAxOaXXqHTOXHUwMDAyXHUwMDFlJ+mZwdFMe5ksaSSaiCqJQ1x1MDAxMq1MRrZcdTAwMWG1KORWyTeey0xwlM6oV5ew1PLRiWjkLFxu2UxcYiascogtXHUwMDE25eGj0DHbXFxcdTAwMWaXjetAI/dcdTAwMDBcZkfoWifjybhGXHUwMDE4XHUwMDA0SI0uXHUwMDE4XCJkRL3CdHtq5miRQMBcIvt6JzvaSY5mvtLQmku2O30qLjrISG7e2XI2klx1MDAwNJ1IxHVUXHUwMDE0bcxcZitqq73GWr2z2m5dPNytXHUwMDFm7Fx1MDAxY23uuI2tXHUwMDE5tMJIwFxcMt9cdTAwMTBcdTAwMWQoOclcZtpcZm3032VCXHUwMDFik1x0s85cZqfKW+CUmyX1iFwiSpGpiM7ix87RVHp0Z00kxyQ8XHKY62GaXHUwMDFl7vn10Jcsa1x1MDAxMO2ldclByfSZSm0mxtFDY1xm7dDC21VMKruhKIbjXHUwMDBmqVZkOPvwqdWq9buNyqepfVx1MDAxOUNunlGO4+6lmEzabE9rfF9g4+jsj1pccuI+ulx1MDAxMbfEMVx1MDAxN1htqZeYlIwnIzdcYvo0/ZVTXCKuv/7FiMBcdTAwMTlqb4OQQq2HJ0lcdTAwMTerMYk+6FfR/f2pOVx1MDAxONVcdTAwMWWdSO6FXHUwMDA0LjJq1qk2XHUwMDAydLTt/buTMN+vbPbPd+6OXFz1Qj+sX24vrVV6f1xc3yj/XeYgYeReXHUwMDFkcFxuxyPMM1x1MDAxN/Uzh4op0JlcdTAwMDKLTlx1MDAwMTpcXOBRTKdcdTAwMDJcdTAwMDdUs8L1i24mNXOi6tOvpYpcdTAwMDf5aXiImoCemb+XTDI+XHUwMDEwXHUwMDE2k6OiUjv/z9c36vOx71x1MDAxOJZLNPR9V8rVm+vHa93qX4/Nx81Kc4NVryo/XHUwMDFlc1OuYCagM3E0s42zJjpVezigVUnqXHUwMDAwYzRcdTAwMDVK0Kt3nra+iNaBdEY6aa3Q0ca/b+vF/7Vs7MOpeXaYjFx1MDAwMcpp7yD1dF9XMlx1MDAwNbhnZoZFp/fbrtRaP9hcdTAwMWQsbp5cdTAwMWaVXHUwMDFlj06bN+pioq5JUoroqMqp6NC/mlx1MDAxY3Q4PGF0jHq5ai05bkBcXGmkXHUwMDFkqzRcdTAwMWFcdTAwMDJcdTAwMDRpR+PIXHUwMDFkNU7yZGJMVMX5tZTmaFx1MDAwMkZENrS4XHUwMDE31qdcdTAwMWQyXTuEYvJdTlx1MDAwZidcdTAwMTXgXHUwMDA0XHUwMDFmbrRvXHUwMDA3/d5n4MEx1DPKg6NcdTAwMGIvhv+qOzey9uxsfeenq1TPr2/KXHUwMDE3XHUwMDBmy1x1MDAxM/BcdTAwMWZcdTAwMDRcdTAwMDBoNUmltFx1MDAxMSNNXHUwMDE3SjowaNaiR4rKzC06NFx1MDAxZfbD7zC0ilx1MDAwNSjrcH89tu18XHUwMDE0Taom/5ye/lDDhWbg9TNl+lx1MDAwMGOOuz2sxpihm7nYvOo8XHUwMDFjtZaVOzSr/frZ1srO4c0k7qBcdTAwMTlcdTAwMWWtTdIlP0Nz/KvJw39cdTAwMWNcdTAwMDKUeERW0Fbq0Vx1MDAxNJtcdTAwMTJcdTAwMWbVXHUwMDFhj9pIXHUwMDFkaO6sRUhEX7+A2b1fSm2OJyBATcXnlmlv/kyyV8lv/VDovFnO3taTpEhcdPZcdTAwMTAgslarVm3ghT9cdTAwMDVcdTAwMGaOoaAkXHUwMDBmetdfXGZcdTAwMWSeuFx1MDAxZk+7i/igt9tNUd87XHUwMDFh1FVVTECHme6gZIFcdTAwMDWCWsdo0Mu7u4JfK85zUlx1MDAwMFx1MDAxN3I0Q9Cn8E4sSM9cdTAwMDOhvTLK6jf1XHUwMDFle1x1MDAxYlx1MDAxNV5cdTAwMGaWW1x1MDAxN9W705WV2s59725R949cdTAwMGVcdTAwMWU/jFxu/avJQ4VcdTAwMTQgQSNcdTAwMTLpR4FmxsVT8iVkK4xlgTPoXHUwMDA2Olx1MDAwN6h13lbcXHUwMDEzseDXUpjTXHRYUEjKpWHJoszhWlKtRKNcdTAwMTinXHUwMDA2XHUwMDA1n49cdTAwMDX3XHUwMDA2/c/iXHUwMDA3juGcUf5LrLwgR7B3fmyadbkkXHUwMDBlV+1SXHUwMDE3rpv9XHUwMDFmXHUwMDFieXRcdTAwMTiEXHUwMDBirOBog1xusHKkI1fJyYDmVTMuXHUwMDA17pzlnrE9iFx1MDAwMdZxhz9cbmAppjatXHUwMDBi+KXSXHUwMDFmzybIMqBOeX5LNiOUQ/04lXau6CbYkmZoTTWqMOxH6VdjXHUwMDFie3ecXHUwMDFhN2tX/VxmJe53btM0OLbmlOSB2Fwii9FYtlTe+W621k56p/3b7d5cdTAwMTJs/+hW82gsZWhcdTAwMDc0W1x1MDAxYuVcdTAwMGaJ07rwQeXWWVx1MDAxZCB3OyWoyFRcdE/8da6yqSp7nl9lneP4dIX1XHUwMDFkSEaeelwiXHUwMDA3wGhcdTAwMDBebFx1MDAwZr1idHal9v9AZ32LnFhn//bL/P5Wvr096uNzfHVGUHBcdTAwMWHVXHUwMDExW+PlvX7tNrzZ4Vs7nWpttV2+bI4+02/3jdrDUlJP/uNq+FwiX2BcYlx1MDAxYqQjtaEj9O+//fv/XHUwMDAw6UDT6iJ9CertificatePublic KeyEncapsulatedShared SecretShared SecretEncryptedSymmetricKeySymmetricKeyAEADKEMKDFKey EncryptionKeyBase NonceEncapsulatedShared SecretPrivateKeyKEMShared SecretAEADKDFKey EncryptionKeyBase NonceEncryptedSymmetricKeySymmetricKeyInputsIntermediatesOutputsEncryptionDecryption \ No newline at end of file From 11719b85a799357bb4f841e5733b259dfef9558f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Wed, 21 May 2025 08:33:50 -0400 Subject: [PATCH 28/44] Clarifications on configuration & schemes names --- doc/RecordingControl.xml | 2 +- wsdl/ver10/schema/onvif.xsd | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 5a07520b8..69cd12c32 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2142,7 +2142,7 @@ secfrac = "." 1*6DIGIT When frame encryption is configured, the device shall store relevant information about the encryption keys used in the files with 'Protection system specific header' (or 'pssh') boxes [ISO/IEC 23001-7].
- Standard CENC system + Common Encryption standard system When a file is frame encrypted using a Key/KID then exactly one pssh box of type 'CENC' box shall be present in the file according to [W3C 'cenc' Initialization Data Format]. This is independent of the EncryptionMode. diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index bbc289a9f..e45d35fab 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -7703,13 +7703,13 @@ and sample rate. - Key ID of the associated key for encryption. + Key ID of the associated key for encryption. This parameter is ignored when AsymmetricEncryption is configured. - Key for encrypting content. + Key for encrypting content. This parameter is ignored when AsymmetricEncryption is configured. The device shall not include this parameter when reading. From ee82c33028e7398b9b8cfeac7315d317e3808d54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Mon, 26 May 2025 09:45:58 -0400 Subject: [PATCH 29/44] Undo unrelated styling changes --- doc/RecordingControl.xml | 142 +++++++++++++++++++-------------------- 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 69cd12c32..7fe9a4eae 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -98,7 +98,7 @@ Hasan Timucin Ozdemir - Added 5.21 ExportRecordedData command and corresponding capability flag in 5.24 Capabilitites + Added 5.21 ExportRecordedData command and corresponding capability flag in 5.24 Capabilitites Added 5.22 StopExportRecordedData Added 5.23 GetExportRecordedDataStatus @@ -390,7 +390,7 @@ Change Request 2061, 2063, 2065, 2109
External targets - The target interface allows configuration for devices that support recording to external storage targets. + The target interface allows configuration for devices that support recording to external storage targets. For authentication configuration see the related storage configuration APIs of the core specification. @@ -540,7 +540,7 @@ Change Request 2061, 2063, 2065, 2109 AutoCreateReceiver: If a request includes this field set to true and no source token is provided, the device shall create a receiver object (through the receiver service) and assign the ReceiverReference to the - SourceToken field. A device shall never report this parameter in a + SourceToken field. A device shall never report this parameter in a RecordingJobConfiguration. A device may reject a request that neither contains a SourceToken nor AutoCreateRecevier set to true. SourceTag: If the received RTSP stream contains multiple tracks of the same type, the SourceTag differentiates between those Tracks. @@ -552,7 +552,7 @@ Change Request 2061, 2063, 2065, 2109 Event recording A device signalling support for EventRecording via its capabilities shall support controling recording job activity via the EventFilter with the following set of - parameters: + parameters: @@ -1496,7 +1496,7 @@ Change Request 2061, 2063, 2065, 2109 duration on its next segment. The override duration shall not exceed 1 hour. - When a new override request is sent before the previous override has expired, the new override shall replace the + When a new override request is sent before the previous override has expired, the new override shall replace the previous override and the new expiration shall apply. @@ -1681,14 +1681,14 @@ Change Request 2061, 2063, 2065, 2109 Recording job state changes If the state field of the RecordingJobStateInformation structure changes, a device shall provide the following event: Topic: tns1:RecordingConfig/JobState - - - - - - - - + + + + + + + + ]]> The ElementItem Information shall be provided whenever the state of the different tracks is not unique. It can be omitted when the state of all tracks of a recording is consistent. @@ -1697,35 +1697,35 @@ Change Request 2061, 2063, 2065, 2109 Configuration changes If the configuration of a recording is changed, a device shall provide the following event: Topic: tns1:RecordingConfig/RecordingConfiguration - - - - - - - + + + + + + + ]]> If the configuration of a track is changed, a device shall provide the following event: Topic: tns1:RecordingConfig/TrackConfiguration - - - - - - - - + + + + + + + + ]]> If the configuration of a recording job is changed, a device shall provide the following event: Topic: tns1:RecordingConfig/RecordingJobConfiguration - - - - - - - + + + + + + + ]]>
@@ -1733,15 +1733,15 @@ Change Request 2061, 2063, 2065, 2109 Data deletion Whenever data is deleted, a device shall provide the following event: Topic: tns1:RecordingConfig/DeleteTrackData - - - - - - - - - + + + + + + + + + ]]>
@@ -1749,44 +1749,44 @@ Change Request 2061, 2063, 2065, 2109 Recording and track creation and deletion Whenever a recording is created, a device shall provide the following event: Topic: tns1:RecordingConfig/CreateRecording - - - - - - + + + + + + ]]> Whenever a recording is deleted, a device shall provide the following event: Topic: tns1:RecordingConfig/DeleteRecording - - - - - - + + + + + + ]]> Whenever a track is created, a device shall provide the following event: Topic: tns1:RecordingConfig/CreateTrack - - - - - - - + + + + + + + ]]> Whenever a track is deleted, a device shall provide the following event: Topic: tns1:RecordingConfig/DeleteTrack - - - - - - - + + + + + + + ]]>
@@ -1954,7 +1954,7 @@ SetRecordingJobMode(JobToken, Active) SegmentDuration configured for the recording, the device shall close the open segment of this span and open a new segment for this span. When closing the open segment of a span and opening a new segment for this span, there shall be no time gap - between the two segments. Note that the actual segment duration may vary and can be plus or + between the two segments. Note that the actual segment duration may vary and can be plus or minus one GOP size from the configured duration because a segment must start with an I-Frame. The device shall generate each segment as a fragmented MP4 file according to ISO/IEC 14496-12, the ISO base media file format. From 0f223bda1d7e19dff87deb20e44cc723878c7c8f Mon Sep 17 00:00:00 2001 From: jmelancongen <115079765+jmelancongen@users.noreply.github.com> Date: Mon, 26 May 2025 10:47:38 -0400 Subject: [PATCH 30/44] Update doc/RecordingControl.xml Co-authored-by: Sriram Bhetanabottla --- doc/RecordingControl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 7fe9a4eae..c6d15a888 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2093,7 +2093,7 @@ secfrac = "." 1*6DIGIT
Frame encryption - A device signaling support for recording to an external target with frame encryption shall support writing encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). + A device signaling support for recording to an external target with frame encryption shall support creating encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). Each Encryption entry configured for a recording covers a distinct set of tracks for which to apply the encryption, identified by the Track element. If an encryption entry contains no Track elements, it covers all tracks of the recording. If an encryption entry contains one or more Track elements, it covers the tracks indicated by the track tokens contained in these elements. From 10dd6ac3fbc6024f16672e8649391e0a614624b5 Mon Sep 17 00:00:00 2001 From: jmelancongen <115079765+jmelancongen@users.noreply.github.com> Date: Tue, 27 May 2025 13:49:02 -0400 Subject: [PATCH 31/44] Fix typo Co-authored-by: Sriram Bhetanabottla --- doc/RecordingControl.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index c6d15a888..d37beb75c 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2146,7 +2146,7 @@ secfrac = "." 1*6DIGIT When a file is frame encrypted using a Key/KID then exactly one pssh box of type 'CENC' box shall be present in the file according to [W3C 'cenc' Initialization Data Format]. This is independent of the EncryptionMode. - Additionnal types of 'pssh' boxes may be present to support alternative DRM systems. + Additional types of 'pssh' boxes may be present to support alternative DRM systems.
Syntax @@ -2183,7 +2183,7 @@ aligned(8) class ProtectionSystemSpecificHeaderBox extends FullBox('pssh', versi If tracks are encrypted using different keys, then one AsymmetricKeySystemHeaderBox will be present per KID. - Additionnal 'pssh' boxes may be present to support alternative DRM systems. + Additional 'pssh' boxes may be present to support alternative DRM systems. Note that DRM systems and client implementations are outside the scope of this specification.
From 892a08b3af4d4b5024dd34e37556595a476914f5 Mon Sep 17 00:00:00 2001 From: jmelancongen <115079765+jmelancongen@users.noreply.github.com> Date: Wed, 28 May 2025 08:17:27 -0400 Subject: [PATCH 32/44] Apply suggestions from code review Co-authored-by: Sriram Bhetanabottla --- doc/RecordingControl.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index d37beb75c..0ca6e7c8e 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2093,10 +2093,10 @@ secfrac = "." 1*6DIGIT
Frame encryption - A device signaling support for recording to an external target with frame encryption shall support creating encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). + A device signaling support for recording with frame encryption via EncryptionEntryLimit shall support creating encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). Each Encryption entry configured for a recording covers a distinct set of tracks for which to apply the encryption, identified by the Track element. - If an encryption entry contains no Track elements, it covers all tracks of the recording. - If an encryption entry contains one or more Track elements, it covers the tracks indicated by the track tokens contained in these elements. + If an encryption entry does not contain any Track element, all tracks of the recording shall be encrypted using the same encryption entry. + If an encryption entry contains one or more Track elements, specified tracks indicated by the track tokens of the recording shall be encrypted using the encryption entry. The device shall encrypt the covered tracks with the scheme given by the Mode configured for the encryption entry: @@ -2127,7 +2127,7 @@ secfrac = "." 1*6DIGIT The device shall include a Standard CENC PSSH box according to . - When using AsymmetricEncryption then the device shall generate a KID/Key pair and encrypt the Key with each certificate public key defined in the configuration. The encrypted keys shall be stored in the file using the Asymmetric key system PSSH box as defined in . + When using AsymmetricEncryption then the device shall generate a KID/Key pair and encrypt the Key with each certificate defined in the configuration. The encrypted keys shall be stored in the file using the Asymmetric key system PSSH box as defined in . When KeyRotationDuration is set then the device shall generate a new KID/Key pair at the specified time interval, but still use the current key until the segment is finished. New segments shall use the latest generated Key for its encryption. From 03669715901c43831a16c1f549382b86ea986178 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Thu, 29 May 2025 14:46:09 -0400 Subject: [PATCH 33/44] Add RFC & IANA references --- doc/RecordingControl.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 0ca6e7c8e..995b38b54 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -189,6 +189,7 @@ Change Request 2061, 2063, 2065, 2109 Normative references + IANA Algorithm registry for Hybrid Public Key Encryption (HPKE) <> ISO/IEC 14496-12:2022 — Information technology — Coding of audio-visual objects — Part 12: ISO base media file format <> ISO/IEC 14496-14:2020 — Information technology — Coding of audio-visual objects — Part 14: MP4 file format <> ISO/IEC 23000-19:2020 — Information technology — Multimedia application format (MPEG-A) — Part 19: Common media application format (CMAF) for segmented media <> @@ -196,6 +197,7 @@ Change Request 2061, 2063, 2065, 2109 ISO 8601-1:2019 — Date and time — Representations for information interchange — Part 1: Basic rules <> RFC 5234 — Augmented BNF for Syntax Specifications: ABNF <> RFC 6381 — The 'Codecs' and 'Profiles' Parameters for "Bucket" Media Types <> + RFC 9180 — Hybrid Public Key Encryption (HPKE) <> ONVIF Core Specification <> ONVIF Schedule Service Specification <> W3C "cenc" Initialization Data Format <> @@ -2231,9 +2233,9 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, EncryptionVersion defines the encryption strategy used to encrypt the symmetric key for this certificate. EncryptionDataSize defines the number of bytes used by the following bytes for this certificate. The next certificates, if any, will start after this number of bytes. EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate according to the encryption version. - HpkeKem defines the KEM algorithm identifier used to encrypt the key with the current certificate. - HpkeHkdf defines the HKDF algorithm identifier used to encrypt the key with the current certificate. - HpkeAead defines the AEAD algorithm identifier used to encrypt the key with the current certificate. + HpkeKem defines the KEM algorithm identifier according to IANA used to encrypt the key with the current certificate. + HpkeHkdf defines the HKDF algorithm identifier according to IANA used to encrypt the key with the current certificate. + HpkeAead defines the AEAD algorithm identifier according to IANA used to encrypt the key with the current certificate. EncapsulatedSharedSecretSize is implicitly defined to the Nenc parameter of the HpkeKem algorithm. EncapsulatedSharedSecret is the HPKE shared secret value necessary to decrypt the encrypted key according to RFC 9180. EncryptedKeySize Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate. From af34ca4a0029e818802bb47bc9efb79235004a2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Thu, 19 Jun 2025 14:25:15 -0400 Subject: [PATCH 34/44] Add fault for ambiguous configuration --- doc/RecordingControl.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 995b38b54..ca814e91e 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -772,6 +772,8 @@ Change Request 2061, 2063, 2065, 2109 The configuration is invalid. env:Sender - ter:InvalidArgVal - ter:NoRecording The RecordingToken does not reference an existing recording. + env:Sender - ter:InvalidArgVal - ter:AmbiguousConfiguration + Key/KID and AsymmetricEncryption are mutually exclusive configuration parameters From 9078d6e58d652f4b45cf6adaa89b2ce47c1e0046 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Thu, 14 Aug 2025 14:25:12 -0400 Subject: [PATCH 35/44] Apply review --- doc/RecordingControl.xml | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index ca814e91e..1dfe875ca 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -749,6 +749,9 @@ Change Request 2061, 2063, 2065, 2109
SetRecordingConfiguration SetRecordingConfiguration shall change the configuration of a recording + + Key/KID and AsymmetricEncryption elements of the encryption entry are mutually exclusive. + request @@ -2094,14 +2097,19 @@ secfrac = "." 1*6DIGIT
-
- Frame encryption +
+ Encryption - A device signaling support for recording with frame encryption via EncryptionEntryLimit shall support creating encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). - Each Encryption entry configured for a recording covers a distinct set of tracks for which to apply the encryption, identified by the Track element. - If an encryption entry does not contain any Track element, all tracks of the recording shall be encrypted using the same encryption entry. - If an encryption entry contains one or more Track elements, specified tracks indicated by the track tokens of the recording shall be encrypted using the encryption entry. - The device shall encrypt the covered tracks with the scheme given by the Mode configured for the encryption entry: + A device signaling support for encrypted recording via SupportedEncryptionModes shall support + creating encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). + Each Encryption entry configured for a recording covers a distinct set of tracks for which + to apply the encryption, identified by the Track element. + If an encryption entry does not contain any Track element, all tracks of the recording shall + be encrypted using the same encryption entry. + If an encryption entry contains one or more Track elements, specified tracks indicated by the + track tokens of the recording shall be encrypted using the encryption entry. + The device shall encrypt the covered tracks with the scheme given by the Mode configured for + the encryption entry: @@ -2123,9 +2131,6 @@ secfrac = "." 1*6DIGIT - - Key/KID and AsymmetricEncryption elements of the encryption entry are mutually exclusive. - When using Key/KID then the device shall interpret the configured KID for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. The device shall include a Standard CENC PSSH box according to . From 2c4293130f12fa61b2db31a52f2a4ae155824e17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Tue, 19 Aug 2025 14:55:03 -0400 Subject: [PATCH 36/44] Complete review --- doc/RecordingControl.xml | 207 +++++++++++++++++++-------------------- 1 file changed, 100 insertions(+), 107 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 1dfe875ca..09e8bc452 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2101,14 +2101,14 @@ secfrac = "." 1*6DIGIT Encryption A device signaling support for encrypted recording via SupportedEncryptionModes shall support - creating encrypted files according to ISO/IEC 23001-7 (common encryption in ISO base media file format files). + creating encrypted segments according to [ISO/IEC 23001-7]. Each Encryption entry configured for a recording covers a distinct set of tracks for which to apply the encryption, identified by the Track element. If an encryption entry does not contain any Track element, all tracks of the recording shall be encrypted using the same encryption entry. If an encryption entry contains one or more Track elements, specified tracks indicated by the track tokens of the recording shall be encrypted using the encryption entry. - The device shall encrypt the covered tracks with the scheme given by the Mode configured for + The device shall encrypt the tracks with the scheme given by the Mode configured for the encryption entry: @@ -2132,34 +2132,20 @@ secfrac = "." 1*6DIGIT - When using Key/KID then the device shall interpret the configured KID for the encryption entry as a 16-byte hexadecimal value and use this value as the key identifier. - The device shall include a Standard CENC PSSH box according to . + The device shall create a unique initialization vector for each fragment present in a segment. + Each encrypted segment shall include the moov box containing the required PSSH box(es) according to the encryption entry configuration. + If an encryption entry is reconfigured for an active recording, the device shall continue to use the old configuration + for any open segments and shall start to use the new configuration for new segments. - - When using AsymmetricEncryption then the device shall generate a KID/Key pair and encrypt the Key with each certificate defined in the configuration. The encrypted keys shall be stored in the file using the Asymmetric key system PSSH box as defined in . - When KeyRotationDuration is set then the device shall generate a new KID/Key pair at the specified time interval, but still use the current key until the segment is finished. - New segments shall use the latest generated Key for its encryption. - - - The device shall create a unique initialization vector for each segment. - Each encrypted file shall include the moov box containing the required PSSH box(es) according to the encryption entry configuration. - If an encryption entry is reconfigured for an active recording, the device shall continue to use the old configuration for any open segments and shall start to use the new configuration for new segments. - -
- Encryption keys storage +
+ CENC Initialization Data Format - When frame encryption is configured, the device shall store relevant information about the encryption keys used in the files with 'Protection system specific header' (or 'pssh') boxes [ISO/IEC 23001-7]. + All encrypted segments shall include one pssh box following the [W3C 'cenc' Initialization Data Format]. + Additional types of 'pssh' boxes may be present to support alternative DRM systems. -
- Common Encryption standard system - - When a file is frame encrypted using a Key/KID then exactly one pssh box of type 'CENC' box shall be present in the file according to [W3C 'cenc' Initialization Data Format]. - This is independent of the EncryptionMode. - Additional types of 'pssh' boxes may be present to support alternative DRM systems. - -
- Syntax - + Syntax + - See W3C "cenc" Initialization Data Format for an example of this box. -
-
- Semantics - Version shall be '1'. - Flags shall be '0'. - SystemID shall be '1077efec-c0b2-4d02-ace3-3c1e52e2fb4b'. - KID_count be equal to the number of different keys used in the file. - KID, one for each RecordingEncryption. - DataSize shall be '0'. -
+ ]]> + See W3C "cenc" Initialization Data Format for an example of this box.
-
- Asymmetric key system - - The box contains the encrypted symmetric key and the list of certificates that can be used to decrypt it. - The symmetric key is encrypted once for each configured certificate using the public key (using their nominal encryption length). - The client needs access to at least one of the certificates' private key to decrypt it (e.g. directly or through a key server). - The client can then decrypt the frames using this symmetric key. - If tracks are encrypted using different keys, then one AsymmetricKeySystemHeaderBox will be present per KID. - - - Additional 'pssh' boxes may be present to support alternative DRM systems. - Note that DRM systems and client implementations are outside the scope of this specification. - -
- Syntax - + Semantics + Version shall be '1'. + Flags shall be '0'. + SystemID shall be '1077efec-c0b2-4d02-ace3-3c1e52e2fb4b'. + KID_count be equal to the number of different keys used in the segment. + KID, one for each RecordingEncryption. + DataSize shall be '0'. +
+
+
+ Asymmetric key system + + When AsymmetricEncryption is set, the device shall generate a Key/KID pair + and encrypt each segment with that generated key. If the KeyRotationDuration is set, + then the device shall generate a new Key/KID pair at the specified time interval, + but still use the current key until the segment is finished. New segments shall use the latest generated + Key for its encryption. + + + The device shall also include in each segment a pssh box containing the information needed to play the segment. + This box contains the encrypted symmetric key and the list of certificates that can be used to decrypt it. + The symmetric key is encrypted once for each configured certificate using their public key. + The client needs access to at least one of the certificates' private key to decrypt it, either directly or through a key server. + The client can then decrypt the frames using this symmetric key. + If tracks are encrypted using different keys, then one AsymmetricKeySystemHeaderBox shall be present per KID. + + + Additional 'pssh' boxes may be present to support alternative DRM systems. + Note that DRM systems and client implementations are outside the scope of this specification. + +
+ Syntax + -
-
- Semantics - Version shall be '1'. - Flags shall be '0'. - SystemID shall be 'ca774354-6f98-41b6-b17a-b15f7bbf678a'. - KID_count shall be '1'. - KID is the generated UUID by the device. This KID should be the same in all segments until the symmetric key changes. - DataSize is the size in bytes of all the other fields present in this box following this field. - EncryptedKeyEntryCount Number of entries containing encryption information required to decrypt the symmetric key. Shall be 1 or more. - CertificateThumbprintAlgorithm defines the algorithm used to compute the thumbprint of the certificates. Those values are defined in the Security Baseline specification - CertificateThumbprintSize Size of the CertificateThumbprint field. - CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key. - EncryptionVersion defines the encryption strategy used to encrypt the symmetric key for this certificate. - EncryptionDataSize defines the number of bytes used by the following bytes for this certificate. The next certificates, if any, will start after this number of bytes. - EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate according to the encryption version. - HpkeKem defines the KEM algorithm identifier according to IANA used to encrypt the key with the current certificate. - HpkeHkdf defines the HKDF algorithm identifier according to IANA used to encrypt the key with the current certificate. - HpkeAead defines the AEAD algorithm identifier according to IANA used to encrypt the key with the current certificate. - EncapsulatedSharedSecretSize is implicitly defined to the Nenc parameter of the HpkeKem algorithm. - EncapsulatedSharedSecret is the HPKE shared secret value necessary to decrypt the encrypted key according to RFC 9180. - EncryptedKeySize Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate. -
-
- Encryption Version 1 - - This version is defined for use when the certificate contains an RSA public key. When using this version, - the symmetric key is directly encrypted using the public key of the certificate and the RSA-OEAP padding scheme - as defined in [RFC 5652]. - -
-
- Encryption Version 2 - - This version is defined for the use of the HPKE algorithm as defined in [RFC 9180]. It is used - when the certificate contains an EC public key. Using the public key of the certificate and the - algorithms defined in the HpkeKem, HpkeHkdf, and HpkeAead fields, - the EncapsulatedSharedSecret field is derived using the Base mode of HPKE. - -
- Encryption (Left) and Decryption (Right) using the HPKE algorithm - - - - - -
-
+ ]]> +
+
+ Semantics + Version shall be '1'. + Flags shall be '0'. + SystemID shall be 'ca774354-6f98-41b6-b17a-b15f7bbf678a'. + KID_count shall be '1'. + KID is the generated UUID by the device. This KID should be the same in all segments until the symmetric key changes. + DataSize is the size in bytes of all the other fields present in this box following this field. + EncryptedKeyEntryCount Number of entries containing encryption information required to decrypt the symmetric key. Shall be 1 or more. + CertificateThumbprintAlgorithm defines the algorithm used to compute the thumbprint of the certificates. Those values are defined in the Security Baseline specification + CertificateThumbprintSize Size of the CertificateThumbprint field. + CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key. + EncryptionVersion defines the encryption strategy used to encrypt the symmetric key for this certificate. + EncryptionDataSize defines the number of bytes used by the following bytes for this certificate. The next certificates, if any, will start after this number of bytes. + EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate according to the encryption version. + HpkeKem defines the KEM algorithm identifier according to IANA used to encrypt the key with the current certificate. + HpkeHkdf defines the HKDF algorithm identifier according to IANA used to encrypt the key with the current certificate. + HpkeAead defines the AEAD algorithm identifier according to IANA used to encrypt the key with the current certificate. + EncapsulatedSharedSecretSize is implicitly defined to the Nenc parameter of the HpkeKem algorithm. + EncapsulatedSharedSecret is the HPKE shared secret value necessary to decrypt the encrypted key according to RFC 9180. + EncryptedKeySize Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate. +
+
+ Encryption Version 1 + + This version is defined for use when the certificate contains an RSA public key. When using this version, + the symmetric key is directly encrypted using the public key of the certificate and the RSA-OEAP padding scheme + as defined in [RFC 5652]. + +
+
+ Encryption Version 2 + + This version is defined for the use of the HPKE algorithm as defined in [RFC 9180]. It is used + when the certificate contains an EC public key. Using the public key of the certificate and the + algorithms defined in the HpkeKem, HpkeHkdf, and HpkeAead fields, + the EncapsulatedSharedSecret field is derived using the Base mode of HPKE. + +
+ Encryption (Left) and Decryption (Right) using the HPKE algorithm + + + + + +
From 71f244b5ce893c4087a614eded4a1dc2171fa126 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Tue, 19 Aug 2025 14:55:57 -0400 Subject: [PATCH 37/44] Remove useless certificate thumbprint algorithm field in PSSH --- doc/RecordingControl.xml | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 09e8bc452..576540ee7 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2200,7 +2200,6 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, unsigned int(8) DataSize; unsigned int(32) EncryptedKeyEntryCount; for (i=1; i <= EncryptedKeyEntryCount; i++) { - unsigned int(16) CertificateThumbprintAlgorithm; unsigned int(32) CertificateThumbprintSize; unsigned int(8)[CertificateThumbprintSize] CertificateThumbprint; unsigned int(8) EncryptionVersion; @@ -2228,7 +2227,6 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, KID is the generated UUID by the device. This KID should be the same in all segments until the symmetric key changes. DataSize is the size in bytes of all the other fields present in this box following this field. EncryptedKeyEntryCount Number of entries containing encryption information required to decrypt the symmetric key. Shall be 1 or more. - CertificateThumbprintAlgorithm defines the algorithm used to compute the thumbprint of the certificates. Those values are defined in the Security Baseline specification CertificateThumbprintSize Size of the CertificateThumbprint field. CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key. EncryptionVersion defines the encryption strategy used to encrypt the symmetric key for this certificate. From 845d4b48ecdda73f2dfef35773a4fff343548e0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Mon, 25 Aug 2025 09:30:38 -0400 Subject: [PATCH 38/44] Unify the naming of parameters for Encryption V1 and V2 --- doc/RecordingControl.xml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 576540ee7..8e2f0167f 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2204,8 +2204,8 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, unsigned int(8)[CertificateThumbprintSize] CertificateThumbprint; unsigned int(8) EncryptionVersion; if (EncryptionVersion == 1) { - unsigned int(32) EncryptionDataSize; - unsigned int(8)[EncryptionDataSize] EncryptedKey; + unsigned int(16) EncryptedKeySize; + unsigned int(8)[EncryptedKeySize] EncryptedKey; } else if (EncryptionVersion == 2) { unsigned int(16) HpkeKem; unsigned int(16) HpkeKdf; @@ -2230,7 +2230,6 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, CertificateThumbprintSize Size of the CertificateThumbprint field. CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key. EncryptionVersion defines the encryption strategy used to encrypt the symmetric key for this certificate. - EncryptionDataSize defines the number of bytes used by the following bytes for this certificate. The next certificates, if any, will start after this number of bytes. EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate according to the encryption version. HpkeKem defines the KEM algorithm identifier according to IANA used to encrypt the key with the current certificate. HpkeHkdf defines the HKDF algorithm identifier according to IANA used to encrypt the key with the current certificate. From b264e7d76279ee8bf3a048aeb92debcf500e0ca5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Mon, 25 Aug 2025 09:36:40 -0400 Subject: [PATCH 39/44] Reword Key/KID in the Asymmetric section to differentiate with the config values --- doc/RecordingControl.xml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 8e2f0167f..db3e4fa9a 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2140,8 +2140,8 @@ secfrac = "." 1*6DIGIT
CENC Initialization Data Format - All encrypted segments shall include one pssh box following the [W3C 'cenc' Initialization Data Format]. - Additional types of 'pssh' boxes may be present to support alternative DRM systems. + All encrypted segments shall include one PSSH box following the [W3C 'cenc' Initialization Data Format]. + Additional types of 'PSSH' boxes may be present to support alternative DRM systems.
Syntax @@ -2171,22 +2171,22 @@ aligned(8) class ProtectionSystemSpecificHeaderBox extends FullBox('pssh', versi
Asymmetric key system - When AsymmetricEncryption is set, the device shall generate a Key/KID pair - and encrypt each segment with that generated key. If the KeyRotationDuration is set, - then the device shall generate a new Key/KID pair at the specified time interval, + When AsymmetricEncryption is set, the device shall generate its own key + and encrypt each segment with it. A KID shall also be generated for use in the PSSH boxes. If the KeyRotationDuration is set, + then the device shall generate a new Key and KID at the specified time interval, but still use the current key until the segment is finished. New segments shall use the latest generated Key for its encryption. - The device shall also include in each segment a pssh box containing the information needed to play the segment. - This box contains the encrypted symmetric key and the list of certificates that can be used to decrypt it. + The device shall also include in each segment an AsymmetricKeySystemHeaderBox PSSH box containing the information needed to play the segment. + This box contains the KID, the encrypted symmetric key and the list of certificates that can be used to decrypt it. The symmetric key is encrypted once for each configured certificate using their public key. The client needs access to at least one of the certificates' private key to decrypt it, either directly or through a key server. The client can then decrypt the frames using this symmetric key. If tracks are encrypted using different keys, then one AsymmetricKeySystemHeaderBox shall be present per KID. - Additional 'pssh' boxes may be present to support alternative DRM systems. + Additional 'PSSH' boxes may be present to support alternative DRM systems. Note that DRM systems and client implementations are outside the scope of this specification.
From 6ab7fa4fa9d1c425cddbb9c6971ba1acaade561c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Tue, 26 Aug 2025 09:19:21 -0400 Subject: [PATCH 40/44] Update the SystemId for Asymmetric Encryption due to prior art --- doc/RecordingControl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index db3e4fa9a..541bf690f 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2222,7 +2222,7 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, Semantics Version shall be '1'. Flags shall be '0'. - SystemID shall be 'ca774354-6f98-41b6-b17a-b15f7bbf678a'. + SystemID shall be 'a4852bd0-80fc-484e-b9e1-78a74d49f5ce'. KID_count shall be '1'. KID is the generated UUID by the device. This KID should be the same in all segments until the symmetric key changes. DataSize is the size in bytes of all the other fields present in this box following this field. From 1cd325cd2896e26bc00e4747b179bde9eb998e6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Tue, 26 Aug 2025 09:27:46 -0400 Subject: [PATCH 41/44] Rename EncryptedKey to EncryptedSymmetricKey to match diagram --- doc/RecordingControl.xml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 541bf690f..f4a8b61d3 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2204,15 +2204,15 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, unsigned int(8)[CertificateThumbprintSize] CertificateThumbprint; unsigned int(8) EncryptionVersion; if (EncryptionVersion == 1) { - unsigned int(16) EncryptedKeySize; - unsigned int(8)[EncryptedKeySize] EncryptedKey; + unsigned int(16) EncryptedSymmetricKeySize; + unsigned int(8)[EncryptedSymmetricKeySize] EncryptedSymmetricKey; } else if (EncryptionVersion == 2) { unsigned int(16) HpkeKem; unsigned int(16) HpkeKdf; unsigned int(16) HpkeAead; unsigned int(8)[EncapsulatedSharedSecretSize] EncapsulatedSharedSecret; - unsigned int(16) EncryptedKeySize - unsigned int(8)[EncryptedKeySize] EncryptedKey; + unsigned int(16) EncryptedSymmetricKeySize; + unsigned int(8)[EncryptedSymmetricKeySize] EncryptedSymmetricKey; } } } @@ -2230,13 +2230,13 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, CertificateThumbprintSize Size of the CertificateThumbprint field. CertificateThumbprint Thumbprint of the certificate used to encrypted the symmetric key. EncryptionVersion defines the encryption strategy used to encrypt the symmetric key for this certificate. - EncryptedKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate according to the encryption version. HpkeKem defines the KEM algorithm identifier according to IANA used to encrypt the key with the current certificate. HpkeHkdf defines the HKDF algorithm identifier according to IANA used to encrypt the key with the current certificate. HpkeAead defines the AEAD algorithm identifier according to IANA used to encrypt the key with the current certificate. EncapsulatedSharedSecretSize is implicitly defined to the Nenc parameter of the HpkeKem algorithm. EncapsulatedSharedSecret is the HPKE shared secret value necessary to decrypt the encrypted key according to RFC 9180. - EncryptedKeySize Size of the EncryptedKey field. Valid values depend on the encryption algorithm used by the certificate. + EncryptedSymmetricKeySize Size of the EncryptedSymmetricKey field. Valid values depend on the encryption algorithm used by the certificate. + EncryptedSymmetricKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate according to the encryption version.
Encryption Version 1 From 30d0690559f8af00271817d0ae45139d886f1fb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Tue, 2 Sep 2025 15:00:51 -0400 Subject: [PATCH 42/44] Add AdditionalInfo configuration field --- doc/RecordingControl.xml | 9 +++++++++ doc/media/RecordingControl/hpkeEncryption.excalidraw.svg | 4 ++-- wsdl/ver10/schema/onvif.xsd | 8 ++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index f4a8b61d3..0a937eb9e 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2210,6 +2210,8 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, unsigned int(16) HpkeKem; unsigned int(16) HpkeKdf; unsigned int(16) HpkeAead; + unsigned int(16) InfoSize; + unsigned int(8)[InfoSize] Info; unsigned int(8)[EncapsulatedSharedSecretSize] EncapsulatedSharedSecret; unsigned int(16) EncryptedSymmetricKeySize; unsigned int(8)[EncryptedSymmetricKeySize] EncryptedSymmetricKey; @@ -2233,6 +2235,8 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, HpkeKem defines the KEM algorithm identifier according to IANA used to encrypt the key with the current certificate. HpkeHkdf defines the HKDF algorithm identifier according to IANA used to encrypt the key with the current certificate. HpkeAead defines the AEAD algorithm identifier according to IANA used to encrypt the key with the current certificate. + InfoSize is the size in bytes of the Info field. + Info is the value configured by the AdditionalInfo configuration field encoded as UTF-8. EncapsulatedSharedSecretSize is implicitly defined to the Nenc parameter of the HpkeKem algorithm. EncapsulatedSharedSecret is the HPKE shared secret value necessary to decrypt the encrypted key according to RFC 9180. EncryptedSymmetricKeySize Size of the EncryptedSymmetricKey field. Valid values depend on the encryption algorithm used by the certificate. @@ -2254,6 +2258,11 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, algorithms defined in the HpkeKem, HpkeHkdf, and HpkeAead fields, the EncapsulatedSharedSecret field is derived using the Base mode of HPKE. + + The AdditionalInfo field of the AsymmetricEncryption configuration is to be + used as the info parameter of the HPKE key derivation function. If the field is missing, + the device shall use an empty string. +
Encryption (Left) and Decryption (Right) using the HPKE algorithm diff --git a/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg b/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg index f4b59847a..75c520333 100644 --- a/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg +++ b/doc/media/RecordingControl/hpkeEncryption.excalidraw.svg @@ -1,2 +1,2 @@ -eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO1daVPjWpL93r+CqPnaVt8t79JcdTAwMTFcdTAwMTNcdTAwMTPsxb5VsU1PXHUwMDEwxjbYXHUwMDBmL+CFbaL/+2SaKiRZV7KMhWFcbrtf13tlXHUwMDFicaWbeU5m3lxc/vdvXHUwMDBiXHUwMDBi3/pPt7Vv/1xc+FZ7rJSbjWq3/PDt7/T+fa3ba3Ta+JFcdTAwMTj+vddcdTAwMTl0K8Nv1vv9294///GPVrl7U+vfNsuVWnDf6Fxyys1ef1BtdIJKp/WPRr/W6v1cdTAwMTf9uVtu1f7zttOq9rtB+EtKtWqj3+m+/K5as9aqtfs9vPp/499cdTAwMTdcdTAwMTb+d/gnftKo0m9cdTAwMTT8sc57K4dbh251/Wlw01s63XlcdTAwMWX+6PBLv2+hW6v0y+3rZi386Fx1MDAxMd9cdTAwMDchXHUwMDAzYNZJ0FYzqe3rp0/4aUm6wOBnXFxbyZTBL8Lr51x1MDAwZo1qv47f4aBcdTAwMDP6grGKMVx1MDAxMM6FX6nXXHUwMDFh1/U+fsfwXHUwMDAwXGaA5Phcclx1MDAwYk69fuNlRf9cXGCv7/T63c5NbbnTxPvHZf+HuHI1pcJFX5YrN9fdzqBdff1Ov1tu927LXXxK4feuXHUwMDFhzeZR/2l4ddxcdTAwMWZ8sN9GfsfJr1x1MDAxYlx1MDAxMCPvp/1cdTAwMTT+0ut6u9ajneCv73Zuy5VGn1x1MDAxZVx1MDAxNt7c67u0wtuN6nDT/idcXFNcdTAwMTe3e4N2rT1oNl/fbrSrNdqLb2VcdTAwMWT7be3qr9/2e8fD7ZS/3vl3uPZajS4smFXCWGHCXHUwMDE1hsIqgY2+u9tpXHUwMDBmXHUwMDA1VzCluVGOhz/X6K2g7PWHl71C+a2Fe0BrW1x1MDAxZJXLqGzGRK9fe1xmNyZcIrlcdTAwMWI1cbBUv71tl/ZcdTAwMGX3b/fPLlx1MDAxZZ/uXHUwMDFi316/9++/+y/78sN765ubXHUwMDE2jFjq/FxcKZfuK2Kpt31cdTAwMTf/Lb9/f7nb7TxErvvrv8J9XHUwMDE53FbLL/eJj8CgqFx1MDAwM2eaharQbLRvRjet2anchI/mb5FcdTAwMDWP6Kf/Llx1MDAxM/pcdTAwMTl7SC+qqWygmVFCadIqJeKqKVxcgNpkgEthQIG0MqmaTFx1MDAwN5I7h9/jQjvUv6RqRkRirowxZTR+ZYx9+5fWceu0XHUwMDAy41x1MDAxOPi0jos0rePKXHUwMDFhXHJcdTAwMDCRvZtA64pcdTAwMTTgUFx1MDAxZUlcdTAwMGXx9pdr3X7jqlHB6/6rvT+4bDYqXHUwMDBiW7WnyJ522v2jxvNcdTAwMGJ4xN5dK7dcdTAwMWFN2lx1MDAwNIhddbHZuKbn8a2CN1Drfos+lD7+oubrXHUwMDE3Wo1qNUpUXHUwMDE1vGi50a51N/IwXqfbuG60y81cdTAwMWZ576Q86HdcdTAwMGVrvZd76XdcdTAwMDe16HOrff+tKTxcdTAwMTCQoefPvFpt1Etyc7Bz0Fx1MDAxMLzbf1h/7OTmYS05qrNj1iilUOlNTNklM1x1MDAwMbdSMVx0hmuHXGKf1HVcclx1MDAwMTjrUNuFVNL4WFhcdTAwMDVcdTAwMDDMWC7CXHUwMDBmx+t8jUku+Vx1MDAxN9F5OzVcdTAwMDFb3ESF1pDzIFx1MDAwMUTMq1x1MDAwNP86jnTG31x1MDAwNFx1MDAwNG+j39rq0/n5Ruex83RwvLPptlx1MDAwZTab61d56XdthW2ZTunh7qK5c7q4U918gpOlXCLoV2shXGaaL5EnMVx1MDAxNf367zJcdTAwMDf9XCKgXHUwMDA3aFx1MDAwZmtpnGBcYtQurpHcXHUwMDA1XG5wm1x1MDAxNXc6RSOlXHUwMDBl8Fx1MDAwYtZZZriwjukp2fdLaaLLz77WXCLfoW0rfSrHXHUwMDEyhvAr+UpQ0snIzk3PvW+S3lx1MDAwNPeutivl296gSdf9V/uojvtZXTiqVbq1/mfg3zFMN8q/ue6mXHUwMDE4XHUwMDBlVufuZHHpQTnJd6VWYlx1MDAwMFx1MDAxN6fN3Fx1MDAxY6yYXG4sU0ozZ6SWXCJ0U3NzsMOvXGInXHUwMDA0/XiMZ181Xk7CvdxcdTAwMTleXHUwMDExX0TjXHUwMDE3p+ZezpWyqIDaS74q8e4rXHUwMDEyaClcdTAwMDU4NMZnx74nrY3V6s9Ov9E6q/B+b2njbq++lZd9t2/OXHUwMDE24a+DXHUwMDFmTFXaJ/q5XCIrrYdWPvbNvG5lp7q48/3m5OS6PTg6aFee+8t7N0WxOuBcdTAwMWagonr9dlb3P71cdTAwMWOsrlx1MDAwNFx1MDAwYlx1MDAxY1x1MDAwMCo4R+JcdTAwMTaReNZcdTAwMGKri7E6noPVJ7Kvv5SOL+VndY5qbFElnVeZeYLsQ1rXVoCQ8KZIVpHym+D1T8fkY/hylMnflbtcdTAwMGZcdTAwMWZ+bq4sM7V3d324sb2yU1ObzVx1MDAxZvnj2Og/XHUwMDAzUq4y4Dia7PE4tmMusNo6zkFKxkOJetVqxVx1MDAwMmWsXHUwMDAytOlR6rzus517zSlavTw9c4OVmklcdTAwMDW+XHUwMDAwXHUwMDFhuFS32Vx1MDAxMZIzM0OvefN++3nj8bB5erG7tHvcrJ3cdVx1MDAwZap5+bWzXHUwMDAz9ydrg8OVxtrJ6s/6QbW/Ujorzmvm6KpcdTAwMTbDr/67zMGvXHUwMDAwXCLQYFx1MDAxNFx1MDAxN0qQITyih1xcZeuhs4Hgzlx05YQ2YKwnYG3mapimhsdcdTAwMTOwq2RcdTAwMGVpkluf01x1MDAxYzWER1x1MDAxNFx1MDAwZZx0XHUwMDA2naTineZcdIU3Qa7oZnafbl98zKdWq9bvNir/an+SkPVcdTAwMThy87jM4+6lXHUwMDE40t1fPzu422ePy+3Dw9LRRn9wv7/xlJt0XHUwMDA1+rtMSjKnXHUwMDE1ciaLO8xGyoCcMU5BMlx1MDAxYn5cdTAwMTZyrlxyXGZXnPM0X9mIXHUwMDAwhVxyOGhcdTAwMDRcdTAwMDR8zc+NUzR/dXpcdTAwMDK2ZDYxzn3nxsbp0XdfrW1uKfSm9FxmKXj3eEmvbXVKpf3rXHUwMDFk3upA83q9I/NS8HKlc3K4s717cPrjyF6ebtzxgdgrjII5eYbFULD/LnNQsHBcdTAwMTA4zpCFrTBW67iLi5qKWqctsisomdRKp9A/do5cdTAwMDPXL4qZVMv5kXGaXHUwMDFlruUnYLBWWHQ5fFx1MDAwNq9JmsG/9VxyN05xpmzRzu3Ekpt0bj9cdTAwMWTpjiG3hHf7rkx7fWGe1Iq5ai3f75avt+7ujn5UvifVudootzrtalxco4GbQKLh5YQkMlx1MDAxNSHW0tPTzlx1MDAwNVx1MDAxY1x1MDAwNHNcbjSg51x1MDAxYYpGXHUwMDE4l0amVdpo4FJcdTAwMWJuQ6P8VaeRh1x1MDAwM47IoYU0aIg5XHUwMDEzalWOXHUwMDEwVo3+90V0fCsv14o0rtW4VficvapvdWqKlrOUgVx1MDAwN7M8XCIuLfVat92j3bv68WGF88pN6fbxMi/T/vX98mipc/x97bq8t8KPtrZX5KXMx7SZ11x1MDAxZPTuXHUwMDE39ytbXHUwMDE3u/crR72D1vVJZem6V8B1p7BcZjKv+65Ov1x1MDAwNiFlQUfl/t3OYXGAoSRSpp1hwlnQcXxCSyNAS0ORIY+fmtCW/I1PoFx1MDAxMcBcdTAwMWPF5JVcdTAwMDLpdVx1MDAwNSZcdTAwMGKpfyU82s5vc0jkeaNt8iCMgIen+vxcdTAwMDbNXHKFXGZTtM0xsewmbI7F1cWVz2BpjCH3UUsjvuyCjr7/Oj9jzWPYuDlZfGBcdTAwMWKrpdPv2/eF2Fx1MDAxN1ZcdTAwMDbWXHUwMDE57ii5XHUwMDFijU9fnuncvihOn3emti+ASYuPOHlERlx1MDAxMFx1MDAwMKnJqE5cdTAwMTjHuIFcdTAwMTBcdTAwMWTe3b64u2/s/Pi+f86OK2s/1k5+LkONX8wgXHUwMDAzPPO6U6S2ZV73XVx1MDAwZtc1d8aZKHK83Vx1MDAwZfDvSlx1MDAxZTvAssBcYrRcdTAwMDOYXHUwMDE2nI9cdTAwMDRcdTAwMWW4XHUwMDEyXHUwMDAxolx1MDAwYlg+PFx1MDAxYlBcImlcdTAwMDcgRiDOoI3g8Ha4mv5o/Svhxu5cdTAwMDSxXHUwMDA3IbVSMiVbPT1hzjHBXHUwMDExWMJcdTAwMWYryFx1MDAwZZhUdlx1MDAxM3bA1urOZzBcdTAwMDPGcPCoXHUwMDE5XHUwMDEwW3UxVsDW+t2gcXNfuqyqi8HN/tlG47jxVisgXm+iOFx1MDAwZjRn2uD+czBOJ9V3blx1MDAwNlx1MDAxNKjOe1ObXHUwMDAx3FwigjLJvKVguMLUQFx1MDAwM1x1MDAwN5CaR/Np391cdTAwMTC42mss9rvrbv/yofRcdTAwMDSwsn/RPlJcdTAwMWadXHK3XFxZe1q7vvghXHUwMDFl71vdytZa+eRs+7iA625vVrv3vdJe5bG/vvxQOd5bg2q9UEOgoNI1/67kMlx1MDAwNHjAXHUwMDE0XHUwMDA1XHUwMDA03LAyLcSKIZRoh1x1MDAxZYVkWoLSZCr4XGZcdTAwMDFmXHUwMDFjOlx1MDAxZJJLhXgyN1x1MDAwNCZAjv38hoDgzKJcdTAwMGJufIaA0+kpdkxcbo7AUniK3cTCm7RcdTAwMDRW1j6DJTCGh1x1MDAxM5ZAdNXFWFx1MDAwMtne0VxiwMSUVzNcdTAwMTFcYu0sioVjxvCRUjRcYpxCjWRCXHUwMDE4pFx1MDAxN+UxXHUwMDAzXHUwMDAyLiV+XHUwMDBlXG45RmtjwkPGV+2ldDvBXHJcdTAwMTWEW67RKlxiLzPX5pg2XHUwMDFmTG9cdTAwMDcwNOok9yT10HYmc+V/a7lcdTAwMDLU8GLLY36XpnJcdTAwMTaV6bw6fttpjFx1MDAxYVx1MDAxOeF/LYRcdTAwMDIz/Mvrf//P373fTpdSeiXlM7xegoOb5V5/udNqNfp4o/u0yFx1MDAwNNz2y93+XHUwMDEybmqjfVx1MDAxZN+8X91cdTAwMWTyXHUwMDE0tlx1MDAwZaGrMqBcdTAwMDdQYlx1MDAwMWPCXHUwMDAwNW1cdTAwMTCc3GXOROR71+VbQvCAcmtIUbVcdTAwMDKB/05ISK1dXHUwMDFkv6psryayKlxclKG8XHUwMDAxZTjSuuUs1OrXNXFBZa7KOTBSoFx1MDAxMyFUUmzpYS1cdTAwMTIu1WvlhGbgkqOfjVx1MDAwMlitedl5yGXcZFuNWVx1MDAwMKmsXG6kpSpdwKdr4tFSqVSA26JIZixqXrKCwJhcdTAwMDCEoSRI/FxuM1x1MDAxZdvGXHUwMDFhdJJA4Vx1MDAwZoNcdTAwMWGG7Ofg6Fx1MDAwN8ef04MjXHUwMDFhoeiPRmEuXHUwMDA0R1SbNHBEerRIr65IXHUwMDBi6Fx1MDAxM6FjmozSKyGds4DG7EqFXHUwMDE4XGKhXHUwMDE5abgjy5YjuIdRiFdcZrJcdTAwMDFcdTAwMWGZVGwtXHUwMDAwXVxmJe3bcDHbxovjomZcYoaGLGZcdTAwMGLCh9VcXFx1MDAwNVrhS5JJRfY1fFx1MDAxNC6eXHUwMDFl3zlcdFx1MDAwZp2z+t351e5hc1x1MDAwZvY6J7lTQrVwXHUwMDAxXHUwMDEyJz5aZFRcdTAwMGUj+d/gZGDRyqdcXF989sx3lDS+hFJPkn/2pcqrzvLiYWpcdTAwMWWo0lx1MDAxNl12XHUwMDBlvpiR42r03Vc4lJqsjLelhb+ubqKQUb933yjZ5Zb5cd/9aVba59au5S7EeK/Qzlx1MDAxNDkvXHTs9Fx1MDAxNKA5Llx1MDAwYlxu7fifXkLLfW1cdTAwMTHQguNWS0eF0shcdTAwMTEjXG5uxym4klx1MDAwMVCuITDuUpI9Jkow/VJcbn6eP7aDv1xyWdBcdTAwMWGvKluXatkgPSlcdTAwMDdcXMji6ycnXHUwMDE031BcdTAwMWF/h0lqT1x1MDAwYr9KI3DBnybPdFxmYyaCPbG7eI9WRM39ykmjsl07+fm8/X2ps7Os+5v93Fx1MDAxNJ5og1x1MDAxMC/rmHP4+6r45dRcdTAwMWPOhVx1MDAwMq2posqn+Vx1MDAxOWFdi447eUMzzFx1MDAwMGn9XFxf14uDXHUwMDFm7YuLn6dcdTAwMGaLa1x1MDAwZifP9Y1cdTAwMTlcdTAwMWOkZF53ilxm0zwsrkUkv38qXHUwMDE29z+9XHUwMDFjLK6oNkuCQzanvoAs3txcYpU7kNkqzsWwsyBHM58rq6TnrHfeXHUwMDA1IU3FK1x1MDAxM7C4dEDBNOfX5Yx+nlxiXHUwMDAyRrhCXHUwMDAzXHUwMDE0b1x1MDAxMt9cdTAwMDSLL5V7tYWXdX5cdTAwMDLyXHUwMDFlw5Wj5O1bfDGkne2SZFx1MDAxZdhI4luFOq20U1aOmOTCXHUwMDA0Slx1MDAwMeDnwFGlk8psTVx1MDAwMIDAb510XFyLSIJnSNcqcCiEiFx1MDAxN+jbRy4xj0fGXHUwMDE0u5qXu1PjkUqgucSN90SWc5eu70j6jPD8XHUwMDBmPa5JlVF6jUhneK1cdTAwMDRcdTAwMWJcdTAwMTdcdTAwMTaPnCD4J5RluDaKiFGLi2TsXHUwMDBmXHUwMDAyo/G2tOWgrVx1MDAwNZU07HLFI7PdkNiSlFx1MDAxMoxcctuNorwp6Vx1MDAxMkuSgVNcdTAwMTKfs7KUo4X/T8ZIZ3VMk2njZcFcIvJmIKlywaGRQ6GKXHUwMDExWFx1MDAwNPxcdTAwMTSstVx1MDAwMnCDPOfYhlx1MDAwNcO+YILjt9ApXHUwMDBlcSaERVx1MDAxYtDWolx1MDAxOWSVcTxCtnNgjFx1MDAwMWNtamDkXHUwMDAyLVWUWq9T40QqMHLKI5JcImqz/FHAWEpcdTAwMTVTeiVcdTAwMDT0U2EjXHUwMDFkYyumJeeWWlx1MDAxZTO8gVxirv+CXCJcdTAwMTM4qcFKNGyEtcryhITkQsdsOy++KDEkXHUwMDEzqcBcbstcdTAwMTA5PMfYXHUwMDFmXHUwMDA1h9lcdTAwMDHmTCvRKXza0lA6gFFShZo+dPlAXHUwMDA1wig0MSiwK5knOVx1MDAxZlx1MDAwMqaFJCZcdTAwMTPcauE5t6a4XHUwMDBmqpq0hjN0LiOIO4fDXHUwMDE4XHUwMDFjXk1cdTAwMGaHmlx1MDAxYbxcdTAwMGLDfbV8nGdk9ShcdTAwMGJcdTAwMDRf79Jx/k1cclx1MDAwNIqFw1QxpVdCQGdcdTAwMDGHue2yYVZcdTAwMGZl3FmHe4tmXHUwMDBiQpD0YE8gcec1/sO4MJRG+zZEzC5ajJuwXGb9SzD4XHUwMDBmdbtWSZDmXHUwMDFhQZOykTgzyEbceFx1MDAwNHc2XHUwMDAwmVx1MDAxZLvLTutxgVx1MDAwNqJSoyh0reJZy1x1MDAxYdBOR1x1MDAxYlx1MDAwNMlcYlxm2MhQh99cYqmRqpAv0GjGh8SlL2vZSHRcdTAwMDeMdFShh56Km5c/pCDkdVx1MDAwMWmPIJhcdTAwMDV/cjNcdTAwMTdcdTAwMTl9wZnDn+JQaHbzJ4LIVDGlV0JAZ4GQuW0zMs3QxJWOSzRUXHUwMDE4s5GkzVdnWpAtiabisM6QJfNcdTAwMGKLXHUwMDA1R1x1MDAwMm2jXHUwMDEwq62ljksoWGGodiHMOMKnjcDOXHIlJWnhPlxuXHUwMDFks3tcXGSio1CBtdQwkDujYp1wh01cdTAwMWXQXHJcdTAwMTlcdTAwMGWyYUxSl5IkOlpcdTAwMWJIXHUwMDAwOnNwXHUwMDE2/+05MJCBYoKjh2dcdTAwMTg6dIA+wVx1MDAxY1x1MDAxZP3o2ChcdTAwMDBcdTAwMWRRjXC3hFx1MDAxN1x1MDAxZKPBjlx1MDAxMXQkV1pcYqf+UPsxTUrpVUpcbugs0DG7jVVcZlx1MDAxZFx1MDAxOYVAmaZcdTAwMDJccjRcdTAwMGKlJ8/QXHUwMDA2nCtAXHUwMDEzhyHBKSS6d7dcdTAwMWTRVrXWOOBcdTAwMGV/K1x1MDAxZEoljUeEdWpHx4xcdTAwMWNcdTAwMWG/r1x1MDAxOaUzh8fsVj3jimbQp1x1MDAxOHZQQPLkce9cdTAwMWFFKdBIXHUwMDEyiP9oPEZcdTAwMGbzfqOjwL1DPbBcZuXKaFx1MDAxNDNPtFx1MDAxMV1cdTAwMWJKO5aCXHUwMDA0UEY8vzk6xtDxr+nRUVx1MDAwMvI0krm3U1x1MDAwZaR2yuHDJCdcdTAwMWKd/vRHXHUwMDA1XHUwMDFi06WUXqPyOVx1MDAwYnCcXHUwMDA0iCSjclNr0PZFXHUwMDA0ZCppPHJcdTAwMTdYfOJcdTAwMDKRXHUwMDFmrVx1MDAxODBJOy1cdTAwMTc6Znf7jS/KSLTD0dun3vVOXHUwMDFhz5pUYFx1MDAxNNfGXHUwMDFh0Fx1MDAxMlx1MDAxMfTDwDG7L0omOHJcdTAwMWVcYi6kME5cdTAwMGImXVx1MDAxY1x1MDAxY4XQgUSvmlx1MDAwMtiAPof0lFx1MDAxNDKkZY62J+InQ8dcdTAwMGU81qNlgZJcXPFh3Vx1MDAxMWg7d61T4LFZgPGI7rGS2jvkTiZcdTAwMTNOX7PEOVx1MDAxNZT+sUUz6VJKr4R8zlx1MDAwMlx1MDAxZSeo3aPTIY04hI4qlf54y1x0XHUwMDE1aIR2QzUqhpuEeORcdTAwMDLH7OlhsSXR6Fty98lcdTAwMWZcdTAwMDFf1PGjoDC7lVPmobSj2kEjXHUwMDAxUd8g8sVjjEKYgHqdXHUwMDBiXHRcdTAwMTSlZtKTeScgQLG3TnBcdTAwMWFhpJinutrYwKJcdTAwMDNDNZ9aKyUm6Zv+paCwNT1cdTAwMTRcdTAwMDLF0FxmYz4o9IwzXHQtRcWYle8y+PdcdTAwMTNAYSldTOmVXHUwMDEw0E+FhSVcdTAwMDRD9PDpzEPQ/E/h91mpWT662oC7XGLujX507rLGXHUwMDEysYdmjtqhUFx1MDAxOaFcdTAwMGLPb1/XJFx1MDAxMMNpVCngU1x1MDAxNVx1MDAwMjn6o+DxcGm9vzy43Lu76yytdVuNg8Pr71x1MDAxZTeasiPj6Iie07BWUtLEc1x1MDAxYlxyXHUwMDAwXHUwMDBlR56DXHUwMDBlXGYxkEHPXHUwMDAzXHJhXHUwMDBmOoaS/1xuhnhcdTAwMWTaKmc0pcVHXbo5XHUwMDE4xsCwXYDbLFx1MDAxNY9cdTAwMWScRLAwvexA0Il0lOuKyVRGXHUwMDExUfpN89pcboXC2LdcdTAwMTPCWCTwjSpzyidcdTAwMTOBXHUwMDAwfZah6a5+evrQ51vlzr6uXHUwMDFm3tbOXHUwMDFhjZOdpKanVFx1MDAxYdFcdTAwMTFcdTAwMWSFW5EjXib2xVvOlaRcdTAwMGKMw7c1XHUwMDEyXHUwMDFi9T6PdEx/97HnX2puRSev6qfWXHUwMDFjaXTutWbc29M+ecjwOs6CXHUwMDE5ylmHXHUwMDE51lxy927U5lL75vKx99zmXHUwMDBm6nH36tn+yFtcdTAwMTl0e8yezy6u5V3v4lxc9br7lf6D2In/lilat6FXXHUwMDEwOTibqjLIf5dcdMVMVlx1MDAwNqH9qGkskyHDx6rRc75cdTAwMTJ6KIA+LFpcdTAwMThcZtJ0sujB519KXHUwMDE3bycoXHUwMDBlUpKgL1qqXHUwMDFiXHUwMDFkXCKTXHUwMDFlplZcdTAwMWNtTcdcbs2JfZNcdTAwMDSHXHUwMDAy+f9j9PlcdTAwMTi++8DR563H05vvh88w2OjWN6pcdTAwMDJuXZNNwMRog1x1MDAwNXRyQS2xtJEjc5FzMTGDwEig3ivoPdFcdTAwMDGAh4p5XHUwMDAwXHUwMDA2gNpqXHUwMDAxOk3zeW4pXHUwMDE40J2aj53VlOkofD3gjUjt48GF4Mri/syw9+v6ck9ebOnV8vpT6drsO9m9uV7LS8itXG4//l5ZZe2th9uV5yu1uH1YPymKkItcdTAwMWPn5r/LPIQsmSTf31CqvKVptyOE7Fx1MDAwMtQmXHUwMDAzuN1cdTAwMDaG3VZcdTAwMTOqSSVcdTAwMDJoIUtcdTAwMWGNzGJ6N+fjsbrYm4CPKS9cdTAwMDb5OFliT6auSdU65HCqQlx1MDAxMkXT8fRD3fa7jXu85qdptTGG5Ub599fy36PHxoA/3l0vn5uzy9WjlfP7/lJvd6OR1Gdvp3WKXHUwMDFiXHUwMDA2wtGYckLpqNf0ki1cdTAwMTIoboRkzFAycqR/97zT+q99LlLBXHUwMDA3U8e90C5iwzC3R+0hPdFYKivQmtIzdH5cdTAwMWJQa7uurd7Jw8rlTf2823KLezNwft+LwzOvWylv3C9fdU3n+UJVXHUwMDA2eml9cbNdSFx1MDAxYlx1MDAwZjpoQfW1RVxyXvPvSlx1MDAxZdtASFx1MDAxMaAnrqjEXHUwMDBmXbqRoi7qtaWpXHUwMDEy5qXBLeNJ02A+cmXh7chxn980sLg9dOzrQYisU0LcXHUwMDE4muHLis4nm1h6XHUwMDEzlsEnXHUwMDE5uTKGhmcwciVcdTAwMWJcdTAwMTWzclx1MDAwMdBcZjBcdTAwMDFN2pDDtslyZO5cdTAwMWH63I5cdTAwMGKqXHUwMDE5XHUwMDAwJtHCTyqv1oGgrDGpwTHGhMdcZlx1MDAwMFx1MDAxZJBDz1xykFx1MDAxNWDnp19puvwwtVx1MDAxNWA4XHUwMDAzizDqbbOe3jpcdTAwMTOoiVx1MDAxMlx1MDAxM6zoxlx1MDAxZGg+Rtuvfli1UZqM0ishneHVXHUwMDEyXGZcXFhcdTAwMWVAdlxmbyGagETNIyRcYlx1MDAwNrh8XHUwMDAzOlx1MDAwNOqF1zxcdTAwMDBEXHUwMDA3JZyWVC3OKICWXHUwMDEwj1xciVx1MDAwMNk4XHUwMDE2W5RG9HZcdTAwMGVcdTAwMThDb1x1MDAxZS3IZIGoXHUwMDBlrFRKXG7kXHUwMDBlXHUwMDBiID6ulXC2YZdcdI1SUiZcdTAwMDBaNlx1MDAxY9evYFx1MDAxNFx1MDAxYU3A0TlcdTAwMDKgUlxyhVx1MDAwZVBcdTAwMTJcdTAwMWFZgNuBksXRXHUwMDAxQncpxL1cdTAwMTBcdTAwMWFtIClDxTjykCDiRM2hMVx1MDAwNo2PRVRcdTAwMWLRkZJcdTAwMTO+g1xuXHUwMDE5SYJcdTAwMWLFRoGYirv/h2JjKVVK6ZWQz1mAY3aAZSGekFx1MDAwNJpbJlx1MDAxNaogc5YnU9ddwNB4obHOXHUwMDBlTU5m39hoPTc20pqo+kZJZoQ0UnrqQy1acyBQplx1MDAxY36R7K6PXHUwMDAyx2Veh/7l1lW9vPtQuoZlqG6tedLp01x1MDAwZWwohMRcZlx1MDAxNeTTS7B46lx1MDAwND5cdTAwMDBq4I+UpFx1MDAxNVA0MFx1MDAwMZB5mrTKeVx1MDAwN8dcdTAwMTRIfMpcdTAwMGKJqVx1MDAwNzSAXHUwMDFh7VA9/KHi1PZcdTAwMWScnFx1MDAwMW5cZp/hXHUwMDAxTffy9rLe17qvqvVOv9LY1lt/XHUwMDFkzyBcYpN53Xb36mBl5Wpd7C4ur66eXHUwMDFl/+x0d1xu69GqXHUwMDFk55FcdTAwMDY3U1x1MDAwNXf8Ty+h557gXHUwMDBl7nVAWWxcdTAwMTJccmj0XHUwMDEy9IhccsTFOFx1MDAxNc+RhzFv0pqm4s9+XHUwMDE191x1MDAwNnfIfdH+w1YtU9MwyH6X6P1cdTAwMTWd+Dix9IbC+CtM8unyLsaQ5WiY510zLbJcdTAwMTEt06tB0yOwliYnWEs9uOK5VUJcdTAwMDJ6nFLTjGWLtotnxK5cZqhM3tL4XHUwMDFhLYBcdTAwMWFcXCRV2vDAaaql5lxcolM970noV/BLxqb2a1x1MDAwNFx1MDAxZMFRy3SfW1x1MDAxM3EwRrNcdTAwMWVBaVxu2Vx1MDAxN92S8JO4NelCSq9R8Vxmr5bg5cK8mlx0oiuMM6NcdTAwMTTXXHUwMDE0ylx1MDAxOVx1MDAwZcL21H7gXHIqa1x1MDAwNdIh9Tpxb23YmlxyavFV0UQrdFacsbTTyrOogGY8Klx1MDAwZUxrKlx1MDAxMnFcdTAwMWbXgUvvlVx1MDAwNvtVxu/3t9XmZXvnkG178PEtJ+PaodNcdTAwMDJcdTAwMDJcdTAwMWY5ap2MjjaZn4y/vFssQtrpIz+0XHJaaX+bmeRI0jAx3Drcolx1MDAxOU6iXHUwMDE41EuLlfb37evT89X19aeD76xTMnm9kY3V5k/dVic9tXVqrtRZc2N5oFxu8HKuXHUwMDBmdlrLar1/VzpZ33S9nVxycauKXHUwMDE4bX442Cud3lx1MDAwZVx1MDAwZVx1MDAxYXtcdTAwMTe1df5Q+d59Oi7iKP/+bl1vbZyI+/3no7vD3lJ/cVusXHUwMDE36pWFXHUwMDEyM5VX5t/tPF6ZXHUwMDEwXHUwMDEwKCRaRp1cdTAwMDJcdTAwMTGT41x1MDAxNbxcdTAwMDZMQIadXHUwMDA1XHUwMDBlXHUwMDBl/YKkXHRcdTAwMDdcdTAwMWEhjHpcdTAwMTIjWqfMv5qfuKdcIpLL75VJapGZXHUwMDEyc87qcEVzW0HoSFx1MDAxZrdcIv2ySeQ34Zctri6ufFx1MDAwNndsXGbFj7pj8WVcdTAwMTfjhZ1cdTAwMWX8eFxcOqq2drZ2ZMP8XFx8Pts7PSjGylBk4EmKmSiH5lx1MDAxZECyXdPczChSqVx1MDAxN6c3M7Sm4lx1MDAwNOXthuypj1x0dV3oYf7UXGZz8K5cdTAwMDantbvVrX7dXHUwMDFk1fjxTffk6nYwyEuw/as63F/dXHUwMDBmbmV15UztbOift+aoXGLiXu9d3lX1ef1hqWl/luuHmlx1MDAxZt9cdTAwMTdw3XdcdTAwMGLTXHUwMDE2nYPn35VcXFx1MDAwNoFcdTAwMTSBU2hcdTAwMTAooVikOfJcdTAwMGKWoLuLeMLRN7dcdTAwMGVM8qBcdTAwMWFRgtGIXHUwMDAy/Fx1MDAwZbltvqbBc3MgXHUwMDE1OZbym1x1MDAwM9YyXHUwMDA11JrMXHUwMDA3XHUwMDEx0dFcdTAwMWSjXHUwMDEwXHUwMDAxUlpcdTAwMWJcdTAwMWSb92lS8FbWPoMxMIaJXHUwMDEzKXjRVVx1MDAxN2NcdTAwMGLUn9qru1vXXHUwMDE3XHUwMDE35nT9YGXt8nxld81jXHUwMDBipNa+XHUwMDE5jdaAoNCKXHUwMDAyp0xcXIPn8y7fWYeXpz5L5ZwrR53n/cNcdTAwMTBk+mmqdFZpXHUwMDFhZjw7+l+53GusXHUwMDFkrj3/dbKx15Rq9Ue9v3v40fQ/RfxcIpumX/xcdTAwMWVcdTAwMGKqoLp2/9PLRdPWUfdKgTvOjVx1MDAxNWJUy+eDq99Vy1fyMzVcdTAwMDdcdTAwMDZW+Fr0XHUwMDBm1Tl91pOhZkxcdTAwMTL/LJCq3yTASar+nJOrx1x1MDAxMOfsJ1c32NWyPW+wR3P8tP5XSYvBXecuP5MzcGiKa1x1MDAxYWPkJON2ZOTbnMnfV8dXp2ZywVx1MDAxODWXT2HyjPNcdTAwMDJuhrNcbq2YYV5UX3eO1k9OXHUwMDBl91x1MDAxZtrNvW79pnK50d3/aId7ilx1MDAxM4PZMrn/6eVhckZN+qmNLFxiS1NK4qmP8+HV76zla/mZXFxcYkGUnFx1MDAxMoK36W0ouFx1MDAwNItcdTAwMTD+tizHcVx1MDAwMjyV0/25pleP4cvZTa/Odkyyk6LQMLfkvyFf48bHtVx1MDAxOVU8XHUwMDAwNL2NokmtnviZhcBwamzhXGZI6iXnYWyFtG+U4Vx1MDAwMrlcdTAwMWSAz9vhpqn2el5cdTAwMDLPXGLEXHUwMDBipvBRgy9cdTAwMTeSW51O4FxcM8Zp8kqBKv87KUp+fEfcVDmlV0JCw6slSLm4uYSZcbuF+Fxia0PdaXH70L/SlkWK+H6lXHUwMDFmqYByk+zLqF3N2Vx1MDAxYicnZDsksTVR22CG7I2bS1x1MDAwNYbJfuVcdTAwMTR4XHUwMDFmUjxcdTAwMTg9jLB/2OSEbFsvXHUwMDFiXHUwMDFjuUS50Vo7KeP5XHUwMDA0L+ioKTVMWq2Q2aK5nq91cC5g2kouaF6R1szn0Fx1MDAxOHxQVOgotTPaqjk8psHj96nhXHUwMDExbVx1MDAxMNRcdTAwMWadbM1HK1x1MDAwNJeeKk6TXHUwMDAznC58rswnXHUwMDAxx1KqmNIrIaCfXG5cdTAwMWSHQ6zJeFFU64Z4xFwiVXyvQ1x0aUQgUGjBKc2kS5bk5oLHbHMvviihLaBDTJFcdTAwMTCaypeE7Fx1MDAwZqt8y1x1MDAwZTZnl1x1MDAwNStcdTAwMTFcYmk08lx1MDAxMT5MxkbSQ8dcdTAwMGaxxlx1MDAxZreU90GdTamzgqdcdTAwMTWatoFwilNJN7OGqfnpa1x1MDAxYVx1MDAxZW5Mby5SPzvcVT8gWpV+KiuQ1qkh5buUXHUwMDA2f/xcdTAwMWPCUrqk0isho7OAxNzGWWKQtcF/v98g6+xstLghO+Ega+aSNcszQsnsQF52X1x1MDAxOaVcdTAwMDLJ8clLwF2Q8ZOu0TnWnrYy+Fx1MDAwNcesljRA3Vxu4ZtjLVx1MDAwMqo8lPalXHUwMDA0XCLyK+ZcdTAwMThcdTAwMTnHyM2pMZJG6nLHUiDSJFx1MDAxY+3X9nKoVFx1MDAxY3XrXHUwMDBmRchUKaVXQj5ngY+5rbPRMdYuiY1cdTAwMDWNsc5cco2JMdZcdTAwMDKSXHUwMDE2Y3yMtfH0c5jVgJnM8oVsbKQ21ehOXHUwMDFiSTWYUsTDjVx1MDAwNn1ccq5cdTAwMTn1w2NoObNk5q+WgVx1MDAxM8i5+ICQQ6SvXHUwMDAwk1x1MDAwNdZSIyhcdTAwMGL4MIn55nOs09Bxq4CAo0M0wo30nlx1MDAxOLrk22FcdTAwMTN83H90fu2fio9pgkqvUlJGZ4GQteWbq8r66dGg+lBaflx1MDAxYTSW9rqlyzQ4koZcdTAwMGXpnDVuOC7P08uFM5pFgVx1MDAwZlx1MDAxYpdPo1x1MDAwN8RcdTAwMWJHXHUwMDEyTmBAMq1cdTAwMTT1++LDXvnCU4iJXHUwMDA2pKD5iVxujVpNrfI/XG4ks2uxxtSpo22uaOqioCpLXHUwMDFityCtsoFcdTAwMWSGadCOZCpcdTAwMTKUXG6nWVvQ+POM3HCHhoivM6FcdTAwMGJQOvEpSuUsjVx1MDAxYpmDZFxuSG5PXHUwMDBmklx1MDAxY3dRXHUwMDAx91x1MDAxZMqIaLP/0cbk6FoqpyP1XHUwMDEzf1x1MDAxNESW0uWUXlx0XHSdXHUwMDA1RE5ksdGsalx1MDAwNHiqZlx1MDAxYtbUe/pcdTAwMTPKXHUwMDAwXHUwMDE3L+hcdTAwMDREUlx1MDAxZIJOykguiNw6VGeHi+fsdvuh23rsXHUwMDFkieOGPUlbllNcYo80I1x1MDAxOFx1MDAxNChnktatXG7wczTLjVx1MDAxMWScQ1x1MDAxMrdnhJHZ5SljMFJcdTAwMDToRYOkqVdoXHUwMDE3x3t5SCVcdTAwMDN0TJwzoLiS0Vx1MDAwMuhcdTAwMTAkpVx1MDAwMmqEXHUwMDAw6KqzSIQ2XHUwMDEyiiRcdTAwMTimXHUwMDAwXHUwMDEwUiDq4rxDYVx1MDAxYUTuTFx1MDAwZpEghmV6ytuiWaamqkihiSD/0IOZVFx1MDAxOaXXqHTOXHUwMDAyXHUwMDFlJ+mZwdFMe5ksaSSaiCqJQ1x1MDAxMq1MRrZcdTAwMWG1KORWyTeey0xwlM6oV5ew1PLRiWjkLFxu2UxcYiascogtXHUwMDE25eGj0DHbXFxcdTAwMWaXjetAI/dcdTAwMDBcZkfoWifjybhGXHUwMDE4XHUwMDA0SI0uXHUwMDE4XCJkRL3CdHtq5miRQMBcIvt6JzvaSY5mvtLQmku2O30qLjrISG7e2XI2klx1MDAwNJ1IxHVUXHUwMDE0bcxcZitqq73GWr2z2m5dPNytXHUwMDFm7Fx1MDAxY23uuI2tXHUwMDE5tMJIwFxcMt9cdTAwMTBcdTAwMWQoOclcZtpcZm3032VCXHUwMDFik1x0s85cZqfKW+CUmyX1iFwiSpGpiM7ix87RVHp0Z00kxyQ8XHKY62GaXHUwMDFl7vn10Jcsa1x1MDAxMO2ldclByfSZSm0mxtFDY1xm7dDC21VMKruhKIbjXHUwMDBmqVZkOPvwqdWq9buNyqepfVx1MDAxOUNunlGO4+6lmEzabE9rfF9g4+jsj1pccuI+ulx1MDAxMbfEMVx1MDAxN1htqZeYlIwnIzdcYvo0/ZVTXCKuv/7FiMBcdTAwMTlqb4OQQq2HJ0lcdTAwMTerMYk+6FfR/f2pOVx1MDAxONVcdTAwMWWdSO6FXHUwMDA0LjJq1qk2XHUwMDAydLTt/buTMN+vbPbPd+6OXFz1Qj+sX24vrVV6f1xc3yj/XeYgYeReXHUwMDFkcFxuxyPMM1x1MDAxN/Uzh4op0JlcdTAwMDKLTlx1MDAwMTpcXOBRTKdcdTAwMDJcdTAwMDdUs8L1i24mNXOi6tOvpYpcdTAwMDf5aXiImoCemb+XTDI+XHUwMDEwXHUwMDE2k6OiUjv/z9c36vOx71x1MDAxOJZLNPR9V8rVm+vHa93qX4/Nx81Kc4NVryo/XHUwMDFlc1OuYCagM3E0s42zJjpVezigVUnqXHUwMDAwYzRcdTAwMDVK0Kt3nra+iNaBdEY6aa3Q0ca/b+vF/7Vs7MOpeXaYjFx1MDAwMcpp7yD1dF9XMlx1MDAwNbhnZoZFp/fbrtRaP9hcdTAwMWQsbp5cdTAwMWaVXHUwMDFlj06bN+pioq5JUoroqMqp6NC/mlx1MDAxY3Q4PGF0jHq5ai05bkBcXGmkXHUwMDFkqzRcdTAwMWFcdTAwMDJcdTAwMDRpR+PIXHUwMDFkNU7yZGJMVMX5tZTmaFx1MDAwMkZENrS4XHUwMDE31qdcdTAwMWQyXTuEYvJdTlx1MDAwZidcdTAwMTXgXHUwMDA0XHUwMDFmbrRvXHUwMDA3/d5n4MEx1DPKg6NcdTAwMGIvhv+qOzey9uxsfeenq1TPr2/KXHUwMDE3XHUwMDBmy1x1MDAxM/BcdTAwMWZcdTAwMDRcdTAwMDBoNUmltFx1MDAxMSNNXHUwMDE3SjowaNaiR4rKzC06NFx1MDAxZfbD7zC0ilx1MDAwNSjrcH89tu18XHUwMDE0Taom/5ye/lDDhWbg9TNl+lx1MDAwMGOOuz2sxpihm7nYvOo8XHUwMDFjtZaVOzSr/frZ1srO4c0k7qBcdTAwMTlcdTAwMWWtTdIlP0Nz/KvJw39cdTAwMWNcdTAwMDKUeERW0Fbq0Vx1MDAxNJtcdTAwMTJcdTAwMWbVXHUwMDFhj9pIXHUwMDFkaO6sRUhEX7+A2b1fSm2OJyBATcXnlmlv/kyyV8lv/VDovFnO3taTpEhcdPZcdTAwMTAgslarVm3ghT9cdTAwMDVcdTAwMGaOoaAkXHUwMDBmetdfXGZcdTAwMWSeuFx1MDAxZk+7i/igt9tNUd87XHUwMDFh1FVVTECHme6gZIFcdTAwMDWCWsdo0Mu7u4JfK85zUlx1MDAwMFx1MDAxN3I0Q9Cn8E4sSM9cdTAwMDOhvTLK6jf1XHUwMDFle1x1MDAxYlx1MDAxNV5cdTAwMGaWW1x1MDAxN9W705WV2s59725R949cdTAwMGVcdTAwMWU/jFxu/avJQ4VcdTAwMTQgQSNcdTAwMTLpR4FmxsVT8iVkK4xlgTPoXHUwMDA2Olx1MDAwN6h13lbcXHUwMDEzseDXUpjTXHRYUEjKpWHJoszhWlKtRKNcdTAwMTinXHUwMDA2XHUwMDA1n49cdTAwMDX3XHUwMDA2/c/iXHUwMDA3juGcUf5LrLwgR7B3fmyadbkkXHUwMDBlV+1SXHUwMDE3rpv9XHUwMDFmXHUwMDFieXRcdTAwMTiEXHUwMDBirOBog1xusHKkI1fJyYDmVTMuXHUwMDA17pzlnrE9iFx1MDAwMdZxhz9cbmAppjatXHUwMDBi+KXSXHUwMDFmzybIMqBOeX5LNiOUQ/04lXau6CbYkmZoTTWqMOxH6VdjXHUwMDFie3ecXHUwMDFhN2tX/VxmJe53btM0OLbmlOSB2Fwii9FYtlTe+W621k56p/3b7d5cdTAwMTJs/+hW82gsZWhcdTAwMDc0W1x1MDAxYuVcdTAwMGaJ07rwQeXWWVx1MDAxZCB3OyWoyFRcdE/8da6yqSp7nl9lneP4dIX1XHUwMDFkSEaeelwiXHUwMDA3wGhcdTAwMDBebFx1MDAwZr1idHal9v9AZ32LnFhn//bL/P5Wvr096uNzfHVGUHBcdTAwMWHVXHUwMDExW+PlvX7tNrzZ4Vs7nWpttV2+bI4+02/3jdrDUlJP/uNq+FwiX2BcYlx1MDAxYqQjtaEj9O+//fv/XHUwMDAw6UDT6iJ9CertificatePublic KeyEncapsulatedShared SecretShared SecretEncryptedSymmetricKeySymmetricKeyAEADKEMKDFKey EncryptionKeyBase NonceEncapsulatedShared SecretPrivateKeyKEMShared SecretAEADKDFKey EncryptionKeyBase NonceEncryptedSymmetricKeySymmetricKeyInputsIntermediatesOutputsEncryptionDecryption \ No newline at end of file +eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO1daXPiSpb93r+iovpro87t5tJcdTAwMTFcdTAwMTNcdTAwMTPey/tWXqc7XHUwMDFjXHUwMDE4sKHMYrN46+j/PvfiKiOhlFx1MDAxMCBjZlxm/V71K8BySpn3nHMz7/Lvv3z79r37cl/5/o9v3yvPpWK9Vm5cdTAwMTefvv+N3n+stDu1Vlx1MDAxMz9cdTAwMTL9v3davXap/81qt3vf+cff/94otu8q3ft6sVRcdFx1MDAxZWudXrHe6fbKtVZQajX+XutWXHUwMDFhnf+mP/eKjcp/3bdcdTAwMWHlbjtcdTAwMTj8kkKlXFzrttpvv6tSrzQqzW5cdTAwMDev/j/492/f/t3/XHUwMDEzP6mV6Tdcbv5cXOWd1aPtI7e28dK76yyf7772f7T/pT+30K6UusXmbb0y+OhcdTAwMTnfXHUwMDA3IVx1MDAwM2DWSdBWM6nt+6cv+GlBusDgZ1xcW8mUwS/C++dPtXK3it/hoFx1MDAwM/qCsYoxXHUwMDEwzlxyvlKt1G6rXfyO4Vx1MDAwMVx1MDAxOFx1MDAwMMnxXHUwMDFiXHUwMDE2nHr/xtuI/vGNvb/T6bZbd5WVVlx1MDAxZO9cdTAwMWaH/Vdx4ypKXHJcdTAwMDZ9XSzd3bZbvWb5/TvddrHZuS+28Slccr53U6vXj7sv/avj/OCD/T70O85+34BcdTAwMTh6P+mn8JfeVpuVXHUwMDBlzVx1MDAwNH9/t3VfLNW69LDw5t7fpVx1MDAxMd5vlvuT9q/BmNo43Zs0a81evf7+dq1ZrtBcXHwv6shva5Z//7Y/Mz6YTvn7nf9cZsZeqdCFXHUwMDA1s0pcdTAwMTgrzGCEg8UqgVxyv7vXavZcdTAwMTeuYEpzo1x1MDAxY1x1MDAxZvxcXK2zimuv27/sXHKu38pgXHUwMDBlaGxrw+syvDYjS69beVx1MDAxZUxMaOVuVsThcvX+vlnYPzq4P7i4en55rH1//95//ua/7NtcdTAwMGbvb2xtWTBiuXWyWiw8lsRyZ+ch+lv+/P5iu916XG5d9/d/XHLmpXdfLr7dJz5cdTAwMDKDS1x1MDAxZDjTbGBcbvVa82540uqt0t3g0fwlNOAh+/TfZcw+I1x1MDAwZunNNJVccjQzSihNVqVE1DSFXHUwMDBi0JpcZnApXGYokFbGTZPpQHLn8HtcXGiH9lx1MDAxNzfN0JJYXHUwMDE4Y8RcdTAwMTiN31x1MDAxOCPf/m113DqtwDhcdTAwMDY+q+NcIsnquLJGXHUwMDAzQGjuxrC6PFx1MDAxN/BgPdI6xNtfqbS7tZtaXHSv+8/mQe+6Xit92668hOa01excdTAwMWXXXt/AI/LuerFRq9MkQOSqS/XaLT2P7yW8gUr7e/ihdPFcdTAwMTfV37/QqJXLYaIq4UWLtWalvZmF8Vrt2m2tWaz/zHonxV63dVTpvN1Lt92rhJ9b5cdcdTAwMWZL4YGAXHUwMDE0O3/l5XKtWpBbvd3DmuDt7tPGcyszXHUwMDBma8nRnFx1MDAxZLNGKYVGb1wixi6ZXHS4lYpJMFxcO0T4uK1rXGLAWYfWLqSSxsfCKlx1MDAwMGDGcjH4cLTNV5jkkn9cdTAwMTGbt1NcdTAwMTOwxUlUqIacXHUwMDA3XHQgJK9i/Os40lx1MDAxOZ9cYlxiJqPfytrL5eVm67n1cni6u+W2XHUwMDBmt+pcdTAwMWI3Wel3fZVtm1bh6eGqvnu+tFveeoGz5TzoV2shXGbKl9CTmIp+/XeZgX5cdTAwMTHQXHUwMDAz1MNaXHUwMDFhJ1x1MDAxOFx1MDAwMrWLWiR3gVx1MDAwMpxmxZ1OsEipXHUwMDAz/IJ1llx1MDAxOS6sY3pK9v1Sluiys6+1yHeobaXP5FhMXGK/k69cdTAwMDQlnVxmzdz03DvR6o1x71qzVLzv9Op03X82j6s4n+Vvx5VSu9KdXHUwMDA3/lx1MDAxZMF0w/yb6W7y4WB16c6Wlp+Uk3xPaiV6cHVez8zBiqnAMqU0c0ZqKVx1MDAwNm5qZlx1MDAwZXb4XHUwMDE14YSgXHUwMDFmj/Dsu8XLcbiXO8NL4otY/NLU3Mu5Ulx1MDAxNlxyUHvJV8XefUdcdTAwMDItpVx1MDAwMIdifHbse9bYXFwrn7S6tcZFiXc7y5tcdTAwMGb71e2s7Ltzd7FcdTAwMDS/XHUwMDBlfzJVap7p15IsNZ5cdTAwMWHZ2Df1uqXd8tLuj7uzs9tm7/iwWXrtruzf5cXqgH+AXG7b9eSs7n96XHUwMDE5WF1cdFx1MDAxNjhcdTAwMDA0cI7ELUL7WW+sLkbaeFx1MDAwNlZcdTAwMWZLX38pXHUwMDFiX87O6lx1MDAxY83Yokk6rzHzXHUwMDE42Vx1MDAwZmhdW1x1MDAwMULCRDtZea7fXHUwMDE4r89cdTAwMWSTj+DLYSb/UO4+ejrZWl1hav/h9mhzZ3W3orbqP7PvY6P/XGZIucqA4yjZo/vYjrnAaus4XHUwMDA3KVx1MDAxOVx1MDAxZqyod6tWLFDGKkBNj6vO6z7bhdecYNUr0zM3WKmZVODbQFx1MDAwM5foNjtCcmZm6DVvPe68bj5cdTAwMWbVz6/2lvdO65Wzh9ZhOSu/tnbh8Wy9d7RaWz9bO6lcdTAwMWWWu6uFi/y8Zo6uaj786r/LXGb8XG4gXHUwMDAyXHJGcaFcdTAwMDRcdOEhO+Qq3Vx1MDAwZZ1cclx1MDAwNHdOKCe0XHUwMDAxYz1cdTAwMWLWZmGGSWZ4Olx1MDAwNrtK5pAmufU5zWEhPGRw4KQz6CTl7zSPuXhj5IpuZvvl/s3HfGk0Kt12rfTP5pxsWY8gN4/LPOpe8iHdg42Lw4dcdTAwMDP2vNI8OipcdTAwMWNvdnuPXHUwMDA3my+ZSVc4XGJQMqPgUqClk4O1RI/SSFx1MDAxOZAzxmmTzFx1MDAwZYTTgHNtYLjinCf5ykZcdTAwMDS42ICDRkDA1+LcOMHy16YnYEuyiXHuOze2yfvWXHUwMDFjgdox9JdcdTAwMDbT9+FcdTAwMTS8d7qs17dbhcLB7S5vtKB+u9GSWSl4pdQ6O9rd2Ts8/3lsr883XHUwMDFmeE/s50DBoK10TKHPmNPGtf8uM1CwXHUwMDE05MQ6hFWQzlpcdTAwMTfdxjJKodVpi+xcbkrGrdIp9I+d48D1m2HGzXJxZJxkh+vZXHRcdTAwMTisXHUwMDE1XHUwMDE2XVx1MDAwZZ/gtVwikX858q9gzk1mb3ku3bh3O3esO4LdYu7th1Lt7ZV5UavmprHyuFe83X54OP5Z+lx1MDAxMbfncq3YaDXLUZNcdTAwMDZuXHUwMDAy5FdcdTAwMTTGkthURIlWO1x1MDAxN3DAVYEsXGboulx1MDAwZVx1MDAxNvdgY1x1MDAxYalWaaOBS224XHUwMDFkwPm7USNcdTAwMTFcdTAwMDdcdTAwMWNcdF1cdTAwMGJpUIk5MzCrXGZ7WFx1MDAxNfrfXHUwMDE3MfLtrGQrkshW41Thc/bbvk6MXHUwMDE2UVx1MDAxNNWhmJoh1Vx1MDAxNpY7jfv28d5D9fSoxHnprnD/fJ2Van/9uD5ebp3+WL8t7q/y4+2dVXkts1Ft6nV7ncelg9L21d7j6nHnsHF7Vlq+7eRw3SmkQep1P8rrJ9y2yFx1MDAwNlx1MDAxMHKkp5JcdTAwMWP+2c4gOcBQXHUwMDE0KdPOMOEs+lx1MDAwMlHJXHUwMDAxJkCpoUjJ46dmsGP+XHUwMDA3n0AjgDnalFdcbqTXXHUwMDE3XHUwMDE4b0/9K+HRTnbRgdLQXHUwMDE49NZ8W+qWJ4pcdTAwMGWjLNJcdTAwMDOIvHfUNVxiKafSXHUwMDFjS2tLq/OgNEaQ+7DSiFx1MDAwZTuns+9fl1x1MDAxN6x+XG6bd2dLT2xzrXD+Y+cxXHUwMDE3fWFlYJ3hjqK7jeK+QNOFvsjPnnen1lx1MDAxN8CIXHUwMDE3XFz8jIwgXHUwMDAwXHUwMDEy9YVcdTAwMTPGMaSVXHUwMDAxOny4vnh4rO3+/HFwyU5L6z/Xz05WoMKvZlx1MDAxMFx1MDAwMp563Sli21Kv+6Gn65o740xcdTAwMTg5JtdcdTAwMDH+WcmiXHUwMDAzLFx1MDAwYoxAXHUwMDFkwLTgXFxHXHUwMDBm17lcdTAwMTJcdTAwMDGiXHUwMDBiWN4/XHUwMDFjUFwirlx1MDAwM1x1MDAxMCNcdTAwMTBnUCM4vFx1MDAxZK6mP1v/SrixN8bmg5BaKZlcdTAwMTCunlx1MDAxYzHnmOBcYiw57j1MtnZjOmB7bXdcdTAwMWVkwFxiXHUwMDBlXHUwMDFlllx1MDAwMZFR56NcdTAwMDK2N1x1MDAxZXq1u8fCdVld9e5cdTAwMGUuNmuntUlVQDThRHFcdTAwMTFIg7YtXGapNqM9O/pcdTAwMGJcdTAwMTmQnznvTy1cdTAwMDO4RVx1MDAwNGWSeXPBcISJQkBwifBcdTAwMWQ5k/lwJXCzX1vqtjfcwfVT4Vx1MDAwNWD14Kp5rD47XHUwMDFlbqW0/rJ+e/VTPD822qXt9eLZxc5pXHUwMDBl193ZKrdcdTAwMWY7hf3Sc3dj5al0ur9cdTAwMGXlalx1MDAwZddddq5qZaeze/l4enLX3m42tsRTbjtcclx1MDAxNmTId59KYfhnO5PC4Fx1MDAwMVO00+D6OW+D8fQxyrBAg2RWXCKCWcGYV2Iw49CdkVxcKkSqhcRcdTAwMThcdTAwMDOTXHUwMDBlsktcZsFpXHUwMDE2woFUXHUwMDAz7HEh7ojlwVx1MDAxOIuOpoRcdTAwMWNcdTAwMDNcZiZbvXGNsbo+XHUwMDBmXHUwMDFhY1x1MDAwNMPHNEZ41PlojHS/a1xiYVwi1quZXGKEdlx1MDAxNpeFY8bwoSw3XGKcQotkQqDOYCpuvKhcdTAwMWSkxM9BMbRtbcxgXHUwMDFkvVsvRfJcdG4o19xyjXpjcJmFNUes+XB6hcFQLkruiVx1MDAxN6LpjIfhXHUwMDBmTjKYgXwzb/5kvXJcdTAwMTZe01lt/L5VXHUwMDFiVi+D//o2WDD9v7z/97/+5v128iqlV3x9XHUwMDBlrlx1MDAxNyPherHTXWk1XHUwMDFhtS7e6Fx1MDAwMVxyMlx1MDAwNrfdYru7jJNaa95GJ+934YgsObN96Cr16Fx1MDAwMVx1MDAxNFiAytBcdTAwMDDVg1x1MDAxMJxcdTAwMWNxPlx1MDAxMIq01or3hOBcdTAwMDGF7ZChalx1MDAwNVx1MDAwMv8/tkIqzfLoUaX7S6FR4aBcZoUkKMM105azgVW/j1x0/Vx1MDAxM8acclx1MDAwZYxcdTAwMTRcdTAwMGX9Slx1MDAxNV+29LCWXGKXqpVizDJwyOHPhlx1MDAwMaxSv249ZVI36XI0XHIglVWBtNzik0dxXHUwMDEy2WvtI6RSXHUwMDAxToyiVWPR9uJcYmlMoLVcdTAwMDUnKKROhlLiXHUwMDA2YcwmoCujL49ut1WhRNVcdTAwMDU8RuDxZHp41Fx1MDAxMtDXlfFwXHUwMDBl4sJcdTAwMTC/xURcdTAwMTAwwaybLK75Q0RQrlx1MDAwMJm0SOlcdTAwMTVbnrNAx/Q8iFxiXHUwMDBlXHShXHJ3JG7RRNlgi+NcdTAwMWSGbGCcpVRuXHUwMDAx6GUoaSeDxnSZXHUwMDE3hUbNXHUwMDEwXHUwMDBmXHJSKrcgfHDNVaBcdTAwMTW+JKkqzuRvefdcdNB4fvrgJDy1LqpcdTAwMGaXN3tH9X3Yb51lXHUwMDBlONXCXHUwMDA1yJ34aJFUOVxmRZeDk4FcdTAwMTVIWMbRs2e+c6rRXHSaepzoti+VvHWRXHUwMDE1XHUwMDEwXHUwMDEzo0yVtui2c/BtSDme6Fx1MDAxNFwi0ZHQmCzo/H10Y21HdTuPtYJdaZifj+1cdTAwMTOz2ry0dj1zmsdHbVx1MDAxYk1cdTAwMTFQXHUwMDEzw05PepvjMqeaR/6nXHUwMDE3s3Jf0Vx1MDAwNVx1MDAxNHHcaukoXHJbmGFcdTAwMDO3o1xmXFzJXHUwMDAwKDtcdTAwMTNcdTAwMTh3XHSRJGOFr34pXHUwMDAzv8y+vYO/XHJZ0Fx1MDAxYa8pW1x1MDAxN9v1XHUwMDE5bC0z5YBcdTAwMGKZf3bmmMt3sFx1MDAxYf/slFRevv1OvMBcdTAwMDHPTVx1MDAxMOtcYsaM7fdE7uIjXG5cdTAwMWTVXHUwMDBmSme10k7l7OR158dya3dFd7e6mSk8VmQhXHUwMDFhnr7g8I818eupOZxcdTAwMGJcdTAwMDVaU76Wz/J1cl62Rd+d3KFcdTAwMTmGlzRONjb0Uu9n8+rq5Pxpaf3p7LW6+dmHNFOEr2ZhcS1CuVx1MDAwMVOxuP/pZWBxRZlfXHUwMDEyXHUwMDFjsjlVXHUwMDFkZNHSSWjcgUw3cTpq5pSEYtCDskp6XHUwMDBlklx1MDAxNzVcdTAwMTaSTLw0XHUwMDA2i0tcdTAwMDe0n+b8tpxSLVx1MDAxNEHAXGKcodxZfMzlXHUwMDFiY/HlYqfy7W2cc0DeI7hymLx9g8+HtNNdktQzXHUwMDFi6chcXJVcdTAwMDbLmXQuemaDPnjArFSGNnPAes5srFx0XHUwMDE0ij6hqYpcdTAwMWEwX3lgrVx1MDAwMilp71x1MDAxZXBVMYDF+WuCaZezsnfilqRcdTAwMTIomLjxXHUwMDFly3LuXHUwMDEyQ79cdTAwMTQ3aKKSz8+xbK47komLlF6x5Tm4WoyQc9uSXHUwMDFjY/9PKMuc07QpRjU04tt/XHUwMDEwXHUwMDE47aTTluMzt6Di2i7TlmS6J1x1MDAxMlx1MDAxOZJSgrF+PVNcXHBKutiQZOBwNWlcdTAwMWM6xYDhv/Ft0llcdTAwMWTWpMq8NGRE6lxmXHUwMDA03lx1MDAwM1x1MDAwM1x1MDAwMVxuXHUwMDFkkSFPRuiAIbcyXFxYQplQXHUwMDEx4PezXHUwMDFhqjkj6chbWnRkfCpHXHUwMDFiKkuD5mok7XrKgfktkDGCjJWpkZFcdTAwMGJcdTAwMTSruGq9fo1cdTAwMTPJQbFKXHUwMDFiY7WW/0+hsZC4TOlcdTAwMTVboHOFjXSYrZiWnFuqqczA2tBh028oMoGTKG6kslJYi4Y8XHUwMDE5OqZLveigXHUwMDA0Sm6npVx1MDAwMnygTDPhOcz+LDhM32NOXHUwMDE1ik7h00ZcdTAwMTGohZRa6KhQ1KBcdTAwMDJh6GCP9nalLzJcdTAwMGboJIvK2Vx1MDAwYkBI9Vx1MDAxNaunrVx1MDAxZolilEkq68NcdTAwMTdomICGN9OjoaZcdTAwMDLywnBfqiA++UTXkE5urVGQ51x1MDAwNu9cdTAwMWJcdTAwMWNqXG7p/Hw4TFxcpvRcdTAwMWFeoLNAw8yyrFx1MDAxZtpDYXf4LJnliOhSSVx1MDAwZvRcdTAwMDRcdTAwMTJnXuM/jFx1MDAwYoOWOqFcXEzPiYwqWMYtamv8h6ppqzhGc42YSSFJnFx1MDAxOU3BvZ6FO1x1MDAxYnxM371Lj+1xgaZcdTAwMWGFiI+U9DJULklcdTAwMDPKdJQgyEVg0NeO60XkWmdcdTAwMTmyhXLIXHUwMDFjPrloJDlcdTAwMDPIK4yahlx1MDAwMCxCXHUwMDFmXHUwMDEzXHUwMDAw8jaH0EdcdTAwMTCMXHUwMDE0mteTXHUwMDE2yclcdTAwMTVcdTAwMTS9RUeUucvF+cDHpEVKr9jynFx1MDAwNTxm1mUkyzhDZ1x1MDAxNZHbScZsKGzz3ZFcdTAwMTakI1Em9nNcdTAwMThZPMIwX2QkxDb4INFr11RcclGwwfbbt0HAXHUwMDExPlREdZx+SaXSXFx8yc5cdTAwMDZcdTAwMWHT62ekQiPwgGvpXHUwMDFjilx1MDAwN6csRFx1MDAxM0eNoalB58yhQDdWxVx1MDAxM880XHUwMDBm+mVccowwlHdcdTAwMTaKaVx1MDAxY5xcdTAwMTdcdTAwMDRcbpdcdTAwMWXKXHUwMDEyraxlTphcdTAwMDU2JmBjLVx1MDAwN2xEM7KSXHT/LiNPXGZ8pFx1MDAxZmRMWvMh1a0mqt2cLzgmrVN6XHUwMDE14kt0XHUwMDE2+JheJCuCj8xpxZmmrVx1MDAwMFSF0lx1MDAxM2hoXHUwMDAzjuwmwDBcdTAwMGWgXHUwMDFjfLx0RKlq8UFcdTAwMDJ3+FvpVCquXHUwMDFkXHUwMDExPajaXHUwMDFkM7Kvfd9cdTAwMWbrzFx1MDAwMTK9XHUwMDEw0KjEXHUwMDE5hYSpXGZcYq6EiW41XCJgXHUwMDA2XHUwMDFh1ToqS4OLR8Tr6vajqtAxd4Dki0LBk/WGflxyXHUwMDE14KHMXqJcdTAwMTLLXHUwMDE3pzBcdFx1MDAwMPlreoAkKyeN7y3EXHUwMDAzidU2QVPejMkzXHUwMDAxf560Y+IqpVd8fc5cdTAwMDJcdTAwMWTHQVwiyVx1MDAxNFx1MDAxZKZcdTAwMWKG2lZcdTAwMDBTcf3IXWC5USh9KTNcdTAwMTJMXFyqZYLH9GrC0UFcdTAwMTmJfid6+1RcdTAwMWLfSeNcdTAwMTmTXG6M4tog6WqJXHUwMDEw+mnomF52JVx1MDAxNVx1MDAxZDlcdTAwMGZcdTAwMDRcdTAwMTdSXHUwMDE4p1x1MDAwNZOhU0yyeHS1XHUwMDAziV61QItcdTAwMDNupCdrhjNcdTAwMWLQJrE0XHUwMDE2XHUwMDE4enbg8a0tXHUwMDBilOSK95OP0GpcdTAwMTaFXHUwMDBiXHUwMDEy4LGeg340XHUwMDFjlNTeJnoyXHUwMDFlcvpcdTAwMWUnzimr1ORcdTAwMWGVMk95hYmrlF6x9TlcdTAwMGJ4XHUwMDFjI4FcdTAwMGYnh2s6JUWgXHUwMDExIbZ5XHUwMDA3XCJcdTAwMTegdNTo7Fx1MDAxOcpSMe+bp2OCY3p3ssiQqLUuefx08lx1MDAwZr5dx8+CwvRKUaln0o5cdTAwMTJcYo1cdTAwMDREfYPIXHUwMDE3rY8ghFx0qJa6kCCEtEx6Yu9cdTAwMDRcdTAwMDS47K1cdTAwMTO0ge1cdTAwMTTzpFhcdTAwMWJcdTAwMWKgZHCU+Km1XG47Vlx1MDAwYiiMQGFjeihcdTAwMDStqTA780Ghp13Kuyct0JG28kNcdTAwMWFcdTAwMGLPXHUwMDAxXHUwMDE0XHUwMDE2kpcpvWJcdTAwMGJ0rrCwgGBomKMzXHUwMDBmQf1Fhd9ppWL8+m1cdTAwMTNcdTAwMTXchI505sTGXHUwMDAysYdmjmqiUFwioVM8NiaBXHUwMDE4/lx1MDAxNlx1MDAxZiW0XHUwMDEwyNGfXHUwMDA1j0fLXHUwMDFi3ZXe9f7DQ2t5vd2oXHUwMDFkXHUwMDFl3f7w+NFcdTAwMTRcdTAwMWZcdTAwMTlFR2tNP1tSUkd1a1n0iLpcdTAwMDA6MMRARjFhXCJcdTAwMDc0f9BxsPLfwVx1MDAxMK9DU+WMpsD4sEu3XHUwMDAww1xiXHUwMDE4NnNwm6XiXHUwMDFjvDlHKjnxQFgwXHUwMDExrssnVlx1MDAxOZeI0p+/p1x1MDAxOPl2bDHmXHR8w8ac8MlYIECfpVi6q56fP3X5drF1oKtH95WLWu1sN27pXHS5RnRGXHUwMDE3SFx1MDAwMKpn1u9cYlx1MDAxOK1oV5AuMFx1MDAwZd/WSGzKXHUwMDAwXHUwMDBiXHUwMDE1ZP/wtupfqi9GK6vpJ2ZcdTAwMWRpdO5pi9PfLiNRXHUwMDA2IZcp4tBcdTAwMTlmXHUwMDBld+7U1nLz7vq589rkT+p57+bV/syaXHUwMDFidH/KXi+ubuVD5+pSddpcdTAwMDel7pPYjf6WKUrEoldcdTAwMDDj7PKlXHUwMDE4pv8uY4ZcdTAwMTnPXHJC/aip7ZMh4WNVuKNm3ybRQ1x1MDAwMSo9SGG1STaZd2P1L2WL92OkXHUwMDA3KUnQXHUwMDE3XHUwMDBlxVx1MDAxYlidgeQmNap/XG7B8mxSM9lcblx1MDAxZSzI/1x1MDAxYq3VR/DdJ7ZWbzyf3/04eoXeZru6WVx1MDAxNnDv6mxcZiZGXHKG3oOlLp9CXHUwMDFiOdR3OVx1MDAxM1x1MDAxMzNcYoxcdTAwMDSqvoLek2G++FDDXHUwMDAzMFx1MDAwMFRbXHUwMDBi0Gla9ItLwID21HzsrEZRJYSvxLxcdTAwMTGJlTy4XHUwMDEwXFxZnJ9cdTAwMTl2bN1Y6cirbb1W3Hgp3JpcdTAwMDMn23e361lcdLlR4qc/Smusuf10v/p6o5Z2jqpneVx1MDAxMbLhxGL5XHUwMDEwsv8us1x1MDAxMLJkknx/Q5HylrrpXHUwMDBlXHUwMDExslx1MDAwYtCaXGZQxCv0a67GTJOqrqJCltR6mUXsbsHHI22xM1x1MDAwNlx1MDAxZlx1MDAwYqeoPHc8yZ6krkm0OuRw1MhqsnLOea7fXHUwMDE4XHUwMDFkXHUwMDFmtGuPeM25KbYxguWG+ff38D+iykaPPz/crlxcmovrtePVy8fucmdvs1x1MDAxNrdnbyF32jdcZoSjNuiE0mGv6S1cXCRQnFxurzEjKWlw0S/uQ1xyvDf1vlx1MDAxN+pcItbf5vaYPbDE41CprEA1pWfo/Nag0nRtW36QR6Xru+plu+GW9mfg/H5cdTAwMTSHp163VNx8XFy5aZvW65Uq9fTyxtJWM5dCXHUwMDFldNCC5mvH6o2VgiX+WcmiXHKEXHUwMDE0XHUwMDAxeuLKaUcunYpGVlC1LU2Zx29Vblx1MDAxOY9Lg0VHl2+TI8djdmlgKWhcdTAwMTTdI1x1MDAwZkKknVx1MDAxMuLEXGJjNZuoJk+eqzemXGbmpKPLXGJcdTAwMWGeQUeXdFRMi1x1MDAwNUBcdTAwMTlgXHUwMDAyqTnIfu1kOdTWXHJ9bsdcdTAwMDXF0lx1MDAwMZOo8OPGq3UgKGpManCMMeGRXHUwMDAxoFx1MDAwM3LouVx1MDAwMVJcdTAwMDF2cfqVZMtPU6tcdTAwMDDDXHUwMDE59CM1PTYuk4tnXHUwMDAylVFiguVdbFx1MDAxZOVjuFx1MDAwMOunhdQnrVF6xVbn4GoxXHUwMDA2zi1cdTAwMGUgfVx1MDAwZu9bOFx1MDAwMFx0RTR6zYJcdTAwMDFcdTAwMGXfgIZQ2ZE/cVx1MDAwMIhcdTAwMGVKOC0pWZyiYydcZlx1MDAwNEjHscigNKK3c8BcdTAwMTh686gg41x0ojqwUikpkDssgPi8YsLpwi5cdTAwMTVcdTAwMWGlpEhcdTAwMDBUNlx1MDAxY8evYFx1MDAxOFx1MDAxYU3A0TlcdTAwMDJ8SVDoXHUwMDAwxaGRXHUwMDA1OFx1MDAxZLiyKJtcdTAwMTPdJU/GXHUwMDEx2EBShIpx5CFByIlaQGNcdTAwMDRcdTAwMWGf80g4oiMlT5VcdTAwMGWaTJ2Yb0TVsmn2/59iYyFxldIrtj5nXHUwMDAxjulcdTAwMWIs36JcdTAwMDFJoLllUqFcdDJneTx03Vx1MDAwNVxmxVx1MDAwYnWNdpJcbuZPWGo9MzbSmIyjXHUwMDExMSOkkdKTXCJqUc2BwDXl8Iukuz5cdTAwMGJcdTAwMWNXeFx1MDAxNbrX2zfV4t5T4Vx1MDAxNlagvL3uXHSnTzqwoS0kZighn17hfOY+QDJcdTAwMTOg2SAlaVx1MDAwNbRcdTAwMWJcdTAwMThcdTAwMDPILGVa5Vie31eq4fiSXHUwMDE1XHUwMDEyXHUwMDEzXHUwMDBmaFx1MDAwMC3aoXn4t4pcdTAwMTM783ByXHUwMDA2uDF8hlx1MDAwNzTt6/vralfrripXW91SbUdv/zqdwSZM6nWb7ZvD1dWbXHKxt7SytnZ+etJq7+ZWpVU7zkVOrfT8Ty9m557NXHUwMDFknOug34FcdTAwMDNcdTAwMDU0elx0ekhcdTAwMDNxMcrEM8RhLMq0Jpn4q9/EvZs75L5o/2FruO5YLFx1MDAxZEZSNVx1MDAwM8g78HHs1TtYjL+3SeYu7mJcdTAwMDRZXHUwMDBlb/N8aKRFOqKlejUoPVx1MDAwMmupd4K1Rsmh2upCXHUwMDAyepxSU1x1MDAwYmeL2kXHTVqi36OZpVx1MDAwNjZaXHUwMDAw1biIm7ThgdOUTM25RKd6YFx1MDAxZVx1MDAwYrcmbODXjE3t11xiOoKjouk+t0Ykplx0a1CatuzzPO+dI7cmeZHSa3h5XHUwMDBlrlx1MDAxNuPl3LyaMXZXXHUwMDE4Z0Yprmkrp99n25P7gTeorFx1MDAxNUiH0lx1MDAwMHOT1mtNXHUwMDA3teioqKdcdTAwMTU6K85YmmnlXHUwMDE5VECNXHUwMDFlXHUwMDE1XHUwMDA3pjUlibjPq8Cl91x1MDAwYr2DMuOPXHUwMDA3O2rrurl7xHY8+DjJybh26LSAwEeOVifDzU1cdTAwMTYn42/v5ouQdvqdXHUwMDFmmlx1MDAwNipO7kFIzmxyXHUwMDA3UipXzuxk+XF+v2GUm9OrXHUwMDE2lkrNXHUwMDFmO7fnl2tcdTAwMWJcdTAwMWIvhz9Yq2CyuiOba/VcdTAwMTPdVGdcdTAwMWS1fW5u1EV9c6WncnBzblx1MDAwZndcdTAwMWIraqP7UDjb2HKd3U1xr/LonH7U2y+c3/dcdTAwMGVr+1eVXHL+VPrRfjnN4yz/8WFDb2+eiceD1+OHo85yd2lHbOTglr2VwZDS2pxaYPlnO4tbhlx1MDAwYjNQyLRMSmQ3XHUwMDBl0Vx1MDAxNF5cdTAwMDMmIGVngYNDxyCu4UAjhjmqlaFUQlx1MDAwYqzFkXtcIiS57G6ZpFx1MDAxYZlcdJvOlFKehD3Uu1x1MDAxNYRcdTAwMGXVcsvTMTNjrN+YY7a0trQ6XHUwMDBm/thcYo5cdTAwMWb2x6LDzsdccjs//Pm8fFxcbuxu78qaOVl6vdg/P8xHZijqb2NcdTAwMThqKCOklFx1MDAxZVx1MDAxYl7IjDxteml6maE1JScobzVkIZNzT6lqI+L0RFx1MDAxNUkmk1x1MDAxOTe988rD2na36o4r/PSufXZz3+tlpdfuTVx1MDAxNVx1MDAxZW9cdTAwMWV797K8eqF2N/XJvTnOg7Y3OtdcdTAwMGZlfVl9Wq7bk2L1SPPTx1x1MDAxY647xS5t6nXFr4dtvr1z6E5vNzY2mm1nb1x1MDAxZjZzk1x1MDAxOVQ2dlx1MDAxY5hOQSn/bGeSXHUwMDE5Ulx1MDAwNE6hzFBCsVDN5TeEopB+kMxSreVQqaNQWFx1MDAxZjOoMbjk5FxmwlwirG9cdTAwMWM8Ws6uMaxlXG5cdTAwMDQ3vqBcdTAwMWbOXbLGXHUwMDAwS/Ww5Me0XHUwMDEwn0pjbK+uz4PEXHUwMDE4we+xyL7wqPNRXHUwMDE41Zfm2t727dWVOd84XFxdv75cXN1b9yiMxJQ6o1FjXGLasVHglIla8KKR5lx1MDAwN1x1MDAxYvHK1Ee0nHPlqKC9v8eCTD6klc4qTV2SZycrVq/3a+tH66+/zjb361Kt/ax2944+W1ZMsSuSStO/vSlcdTAwMGIqp3R5/9PLRNPWXHUwMDA1zCmBM05MLIatfNFcdTAwMTH7Q618NTtVc2BIulQhyWvOIXpcdTAwMWIyZ0M1niT+mVx1MDAxZlVPtoDjVD2fLbFHXHUwMDEw5+xbYtfYzYq9rLFnc/qy8augRe+h9ZCdyVx1MDAxOTiU4pqaIznJuFx1MDAxZGqxuWDyj7XxtamZXFwwJoRTXHRMzmxypVxm0++AaMVcZs8hurp1vHF2dnTw1Kzvt6t3pevN9sFnO/JTnEPMlsn9Ty9cdTAwMGKTM0tcdTAwMDG3xnFcdTAwMTDWOm6iXHUwMDExlYuu2Fx1MDAxZmzl69mZXFxcYkGUnLCxb5OrW3BcdFx1MDAxNiF8suDJUVx1MDAwYniqdLr5aos9gi9n11x1MDAxNjvdMUmPtUJhbpijhmXMXHUwMDAyi57SgTCBNVx1MDAxMj+l+Hun4ztoXHUwMDE2XHUwMDAyNGFj0Ng1OO4pmaEhUHS8pKkkjtSL9JEky97Iyt8p2/uCKWXCoZIhi7c6OdJKkS9cdTAwMGVqov39XHUwMDBm2WXLty12wlwipdfw8lx1MDAxY1xcK0bI+bU6TN2z+1x1MDAxNm2KbajgrdVcdTAwMDZ9K21ZKC/wd0STXG4o3Mk6I4VcdTAwMDDN2YTNXHUwMDE40p2RyJioXHUwMDEyMUPmXHUwMDA2yShnMV5cdTAwMDKdXHUwMDA3VN9cdTAwMTTpXHUwMDFkjO5vr39aM4Z0nZdcdTAwMGWMXHUwMDFj/Vx1MDAxNaPB9o+jXHUwMDFkXHUwMDFm2rGg6Fx1MDAwNqVcdTAwMWPyq3aOXHJcIs1cdTAwMDapdS5cdTAwMTBUvVx1MDAxYZ9cdTAwMDE6RUb6oNH2+/riQ9RUmWBcdTAwMTGDmoiNP6bGRk3tKqn9nFx1MDAwZlx1MDAxYcElQiNcdTAwMTVcbidBa3OsLTBP2FhIXFyn9Iqt0LmCx35fbE5cdTAwMDXIKX9cdTAwMGVcdTAwMDGJhTJcdTAwMDPfe1x1MDAxZFLnQaB9XHUwMDA1vD0mXTzNN1x1MDAxMz6ma73ooIS2gN4wbYNY6sBcdTAwMThcdTAwMDfIz8LD9J3m9FRjJVx1MDAwMk6xhlx1MDAwNpzioIdCTof6YsfxXHUwMDEwf1xcXGJOXHUwMDAxQ9RXTYTwNIyHwlxihlx1MDAxZVx1MDAwYkNa4XrR2zBcdFx1MDAwZjen14pUXCJcdTAwMGYn1Vx1MDAwZog2OezLXHUwMDFhRlXIP6Z510TOYc6NsZPWKb1iK3RcdTAwMTZ4mFmaxTpjo8vGPq4zdnp0W1TGjtlcdTAwMTmbuXhcdTAwMTL0jCAyfVx1MDAwYi+9UI1S/TJcdTAwMTdcZsePy3loZ2x0Y+y+m2JJ5lx1MDAwM1x1MDAxZKhcdTAwMGUsc5C0JFx1MDAwMkM9N5w0wqE3s2hZk4SQW1MjJDK35I4lXHUwMDAwZHKZSsGowLsyk22Gzz9CJi5TesVcdTAwMTboLFx1MDAwMDKzNlx1MDAxYu6N7eLgmFNv7MzYXHUwMDE4640tIK5cdTAwMTejvbGNp0LErFrWpOZDpIMjo1x1MDAxNlx1MDAxNIBcdTAwMWVcdTAwMDbyJ7rOUXQ0yKzSoYrEXHUwMDFi7Ld+i6OjXGZAWFx0eFx1MDAwNcssfs9cdTAwMTOsR6HEmtooXHUwMDExfVODtsVuY1x1MDAxMj5u57Db6NDLwen0nlx1MDAxNoY3i2PnXHUwMDBi1DZcdTAwMDGxI8fEgd/tsSPVgT9cciBcdTAwMTNXKr1cbvFFOlx1MDAwYoysrNzdlDbOj3vlp8LKS6+2vN8uXFwnXHUwMDAxkjR0Quescf1cdTAwMTZ8nvownFF/XHUwMDBinH+maS6VmLDN4Vx1MDAxOFx1MDAxYZJpQlxyJMF+/X3hSe5EXHIpqCejQl2rqfz+Z8FkenrXiNx3OkC1XHUwMDAylTDSvXBDNY+VXHIsoOtcdTAwMDFakcCPi0hcdTAwMTFQ/Fx1MDAwNFj8TCoute9IXHUwMDA2KFx1MDAxNotyd3HaXGbjuFx1MDAxMlx1MDAxNzCZXHUwMDAwkzvTwySCXHUwMDEzV8B9ZzLkRiaipJJ9XHUwMDA1XHUwMDA1uVx1MDAxZsrMh4wsJK9UesXX6CxQcizZRi2wjaA5XHUwMDE0/VR9T9lDXHUwMDE5KGdcdTAwMDWdgtAtclx1MDAxZF8lmVBy+0hdXHUwMDFjLV2y+52nduO5cyxOa/YsaVhOIUJS62FAOnQmLnFVgJ9cdTAwMDPrXHUwMDFmiDEpIVx1MDAwZd0zgsn0tJdcdTAwMTEwKVx1MDAwMu2YtVxm9bKCoVgzqWQguHXOgEI7Up7UNFxuQrHUflx1MDAxOL1cdTAwMTUrlfZV/dFIcpZKUFxig0/L6kVV2CSY3J1cdTAwMWUmQfTz/5S39nO8XCL0XHUwMDAwJlx1MDAxOWhpNct9P3I+zmeS1ym9Yit0XHUwMDE2IDlOQVx1MDAwZfRcdTAwMDP4W9tKg/pcXKs4XHUwMDFhSZSbjERcdTAwMWLVP0S4l1x1MDAxM1x1MDAxZdCMcajOqFx1MDAxMJiwVE/S9SHQXHUwMDA33ExcYiascpJEuvo0jEzX7aNictHfRjWJ91xu1lx1MDAxYT1cdTAwMTTdY4RBlNTogiBMhs6nXHUwMDA3MfdUKFx1MDAxMtFcdTAwMTXx1Vl/10g7jnT8Slxyca7Z3vTxuFxcIVxiaW/fOutcdTAwMTJcdTAwMDPxqYSscTTpk0Di+/DGisYtd2rr1dZas3H19LBxuHu8tes2t2dQZSOGctNvXG6kXHUwMDE4o/8uY8ZcdTAwMTiPmnXGXHUwMDA0XG4kNVil/lx1MDAxMS5qh1Kk2qGz+LFz1PBcdTAwMWW9Wlx1MDAxM1xuXHUwMDEzXHUwMDE5nFx1MDAwYizMMMlcZvf9ZuhcdTAwMGKYNYj1SPzxXHUwMDFlzPSZSVxmXHUwMDExQWdcdTAwMWNcdFrkWaBwyu2sUJtISlx1MDAxN+l3VXxpNCrddq00N+kvI5jN0yRy1L3kXHUwMDEzTJvubI2uOGxcdTAwMWNKNkZFXGZRZThcdTAwMWItXuiYXHUwMDBirLZUpUxKXHUwMDE2aoU0IF1LfWU550kpMFx1MDAwNlx1MDAxZGdDdXM0XCJcdTAwMDK+xjlcdTAwMDOsMIlu6Fcx/YOpXHUwMDE52CiLfiT3XCJcdTAwMDJcdTAwMDVcdTAwMDUmUjClR4DWk0WNTUbB/KC01b3cfTh25Sv9tHG9s7xe6nx2QarJXG76pFin/y4zUDBcdTAwMTdMXHUwMDA33Fx1MDAxYcouY8yFXHUwMDFkzb5hXG5cdTAwMWVIsOhcdTAwMTFIhZZcdTAwMWI3TKdcdTAwMDJcdTAwMDeUtsL1m23GLXOsXHUwMDA01K9liofZWbiPmqiU4onj/VmMb1x1MDAxMFxm8snRUClRYf5cblLNXHUwMDFm+45guVip4Fx1MDAwZqVcXL21cbreLv96rj9vleqbrHxT+vmcmXJcdTAwMDUzXHUwMDAxnY2jyDbOmnC/7n7rVyVcdTAwMDPFpdEoplx1MDAxY7r0zlMwXHUwMDE40TqQzkgnrVx1MDAxNTpcXFJ4sir/X0tiXHUwMDFmTc2z/aBcZlBOe1u0J3u6XHUwMDEyNTLO2WTlYSaj2cdcdTAwMWRXaGxcdTAwMWPu9Za2Lo9cdTAwMGLPx+f1O3U1Vk9EKUW4XHTmVHToXHUwMDFmTVx1MDAwNjrsnzM6RlVitZY8fFx1MDAxMPXWytyONFx1MDAxYVxyXHUwMDAxgrSjRueOiid5imyPlcj5tYzmeFxmRkQ2tDhcdTAwMTfWZ1x1MDAxZDLZOoRiXHUwMDEybUrmeII42Vx1MDAwMo7x4WbzvtftzFx1MDAwM1x1MDAwZo6gnmFcdTAwMWVcdTAwMWNcdTAwMWV4PvxX3r2TlVdnq7snrlS+vL0rXj2tjMF/XHUwMDEwXHUwMDAwoGqSSmkjhs7CXG46MChr0SNFY+ZWecqgoStcdTAwMTlcdTAwMTiGqliAslx1MDAwZefXo21cdTAwMTdNblx1MDAxMi35ZHr6Q1x1MDAwYlx1MDAxN5qB18+Uya2ROc62IJCeoZu5VL9pPVx1MDAxZDdWlDsya93qxfbq7tHdOO6gofr7Mqf6xP7RZOE/XHUwMDBlXHUwMDAxrnhEVtpr09xG8/tcbnzYajxmI3WgubNcdTAwMTYhXHUwMDExff1cdTAwMWO6XHUwMDAyfymzOVx1MDAxZINcdTAwMDA1PmRhmfZcdTAwMDbRxMuVvJdHR+fNcpZnJPZkK9hDgMhajUq5hlx1MDAxN55cdTAwMGJcdTAwMWVcdTAwMWNBQXFcdTAwMWX0jj9cdTAwMWY6PHM/X/aW8EHvNOuiun/cq6qyXHUwMDE4g1x1MDAwZVPdQclcdTAwMDJcdTAwMGJcdTAwMDS1julw5cmPclx1MDAwNb/WPs9ZXHUwMDBlXFzIUYagT+HthSCT0y5wroyyeoaHnre9lcZV+eF8dbWy+9h5WNLd48PnT6NC/2iyUCFtkKCIRPpRoJlx0dB8XHTpXHUwMDA2Y1ngXGa6gc5cdTAwMDFanbfI91gs+LVcZuZ8XGZcdTAwMTZcdTAwMTSSXHUwMDAyaZjyXHUwMDE39ElUiUYxbtE65o9cdTAwMDX3e9158Vx1MDAwM0dwzjD/xUaekyPYuTw19apcXFx1MDAxNkdrdrlccrf17s/NLDZcZsJcdTAwMDVWcMrVXHUwMDA3K4eKclx1MDAxNZxcZqhcdTAwMTM241LgzFnuaVxihFx1MDAxOGBcdTAwMWSntC1cdTAwMDBLe2rTuoBfKv7xYowgXHUwMDAzKpbnV7IpWzlUklNp5/K04f5WXHUwMDBldeeaqlx04qAkpd+MbeTdUWZcXK/cdFOMuNu6T7LgyJhcdTAwMTOCXHUwMDA3XCKDzMdi2XJx94fZXj/rnHfvdzrLsPOzXc5isVx1MDAxNKRcdTAwMWRQ125cXH9InDZUgiSzzepcdTAwMDC52ykhkLWV8Oy/Lkw20WQvs5usc5xcdTAwMWFtxdtw0S0lp7nRpjjwfMvo5WOzq5X/XHUwMDAzNutcdTAwMWJkPjbLt57XXHUwMDBlSr3btVx1MDAxZmbpdmdrZ+P+sp29p7hwXHUwMDEwSE7VhFAto5s41HJcdTAwMDKNXHUwMDEy/1x1MDAxNVxcM+coO8FcdTAwMTdX+5EhPl/rXHUwMDE0pTh9iI9jXHUwMDE0l+nNz+JMJkb9XHUwMDE5kP1cdTAwMDJoM+yJUzl7lDXdWln99aN12NiuvqhSaSdrhM+yc1UrO53dy8fTk7v2drOxJZ6iv2WaIFtkIVx1MDAxNTbGyf1Y/11mYFSpTOAofNMhXHUwMDFiMlx1MDAxZIrO+tNcdTAwMGJGSVBUzlJIr2GiXHUwMDA2ltRyjjEnjFx091x1MDAxZF5cdTAwMWNojjbF6+yEStVzXHUwMDFj1946lVxid0kmJ1x1MDAxOKOyXHUwMDFhfLKGXHUwMDExeS7fXHUwMDE4o242b1rz4MaOoLb4Nm542PmwqzyuXHUwMDFlXHUwMDFk752vnZ3s3b1end7WcF16XG7oJGasiEAwrcBcdTAwMDC3SkM0LGHBrjM16fLU7EpcdTAwMDWmtOJCJHR+Smw5ZyhcdTAwMDUvkirx4fT6unN0WNh7XS4/XHUwMDE0jrf5RrF6cvHUnJ9WazltXHUwMDEz++8yi8OK6Fx1MDAxYlgrXHUwMDAxzYqytYfqWy349YONsZKdX5VGUSus8Vx1MDAxZaF4ykO/n5dcdTAwMDKuM55nQ9fJlu/c0utcYm6bXHUwMDA1vabr+LSkeaVcXGCprFx1MDAwYuXLg5RD1GplYLVcdTAwMDDmNGNcdTAwMTQ6XHUwMDE2t18tXHUwMDAzLtHnRf61VLjBXHUwMDEzJsRcdTAwMDLLqOSBNZKyXHUwMDE3nVx1MDAxZaylxVx1MDAwNlTUnm+zkmtizjyZKpOeXHUwMDBla/1cdTAwMTEmWrlghmnJNMyPjM67/pJ/mdKrXHUwMDEwX6GD68WYOLec+XRd/i2ana4oaMFStXennYhnp+tcdTAwMDB1MXC0VFx1MDAwN85cdTAwMThcdTAwMWQvr56tqsjGQ69291i4Lqur3t3BxWbttPaYMCaqooFajqH3pbVccpWHfVx1MDAxZpRcdTAwMGI0PlTg/SpNwnpcbkLNKGM+XYmNrFFnqZiEkUaEefBcciB5XHUwMDAwVGxEM2GshpBUee9Zb1x1MDAwMkdcdTAwMDFjKHdR9DrPhjxqJFBCoyBGS8H1XHUwMDA3sCjhmVx1MDAwNJC1qVx1MDAwMZI7NG9cbvLzeVx1MDAxZjZx515qRn0rJ1x1MDAwYiWZ//p0Sau0/8Px9TlcdTAwMGJ4TNdVISiiXHUwMDAyRyCpeZTrR2hcdTAwMTlh4vjYXHUwMDBmh6a7k8YhOk6Kj+NUXHUwMDE0YdRkmlx1MDAxYqtQQiE0XHUwMDBiT9VlXHUwMDFlMGEtZVx1MDAxOFKQtVx1MDAxNvE6J/lcdTAwMDPkX37P1vfi/f1xXHUwMDE3V+P77aJV1spDXCL67b1u5X4goPtv7bbKlbVm8bo+vDK/P9YqT8txXHUwMDEw+utN/0U+bv/uXGKAKn3b/c9f/vO/f4BcZu0ifQ==CertificatePublic KeyEncapsulatedShared SecretShared SecretEncryptedSymmetricKeySymmetricKeyAEADKEMKDFKey EncryptionKeyBase NonceEncapsulatedShared SecretPrivateKeyKEMShared SecretAEADKDFKey EncryptionKeyBase NonceEncryptedSymmetricKeySymmetricKeyInputsIntermediatesOutputsEncryptionDecryptionInfoInfo \ No newline at end of file diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index e45d35fab..8120115e6 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -7696,6 +7696,14 @@ and sample rate. KeyRotationDuration must be a positive duration value. + + + + Additional information related to the asymmetric encryption that will be used as + part of the key encryption. A device shall support at least 256 characters. + + + From ea178b0d56d2a084fe5f43a3bf2adeae96815011 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Tue, 9 Sep 2025 15:32:51 -0400 Subject: [PATCH 43/44] Move the Info field last in box for backward compatibility --- doc/RecordingControl.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index ebb7dd049..5b5b629e5 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2243,12 +2243,12 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, HpkeKem defines the KEM algorithm identifier according to IANA used to encrypt the key with the current certificate. HpkeHkdf defines the HKDF algorithm identifier according to IANA used to encrypt the key with the current certificate. HpkeAead defines the AEAD algorithm identifier according to IANA used to encrypt the key with the current certificate. - InfoSize is the size in bytes of the Info field. - Info is the value configured by the AdditionalInfo configuration field encoded as UTF-8. EncapsulatedSharedSecretSize is implicitly defined to the Nenc parameter of the HpkeKem algorithm. EncapsulatedSharedSecret is the HPKE shared secret value necessary to decrypt the encrypted key according to RFC 9180. EncryptedSymmetricKeySize Size of the EncryptedSymmetricKey field. Valid values depend on the encryption algorithm used by the certificate. EncryptedSymmetricKey The symmetric key (identified by KID) used for frame encryption, encrypted using the public key of the certificate according to the encryption version. + InfoSize is the size in bytes of the Info field. + Info is the value configured by the AdditionalInfo configuration field encoded as UTF-8.
Encryption Version 1 From 9f56a5f03279f333862c8f4b308c0909fe14ce2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= Date: Tue, 9 Sep 2025 15:37:55 -0400 Subject: [PATCH 44/44] Do it for real --- doc/RecordingControl.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/RecordingControl.xml b/doc/RecordingControl.xml index 5b5b629e5..f3fe141f4 100644 --- a/doc/RecordingControl.xml +++ b/doc/RecordingControl.xml @@ -2218,11 +2218,11 @@ aligned(8) class AsymmetricKeySystemHeaderBox extends FullBox('pssh', version=1, unsigned int(16) HpkeKem; unsigned int(16) HpkeKdf; unsigned int(16) HpkeAead; - unsigned int(16) InfoSize; - unsigned int(8)[InfoSize] Info; unsigned int(8)[EncapsulatedSharedSecretSize] EncapsulatedSharedSecret; unsigned int(16) EncryptedSymmetricKeySize; unsigned int(8)[EncryptedSymmetricKeySize] EncryptedSymmetricKey; + unsigned int(16) InfoSize; + unsigned int(8)[InfoSize] Info; } } }