From a7ed99084fb738c9af7fa8c43ae98b4cce7b135f Mon Sep 17 00:00:00 2001
From: Eric <71648843+sbplat@users.noreply.github.com>
Date: Thu, 24 Oct 2024 02:08:09 -0400
Subject: [PATCH] visual certificate signing (#2084)

add visual digital signature
---
 .../api/security/CertSignController.java      | 173 +++++++++++++++---
 .../resources/static/images/signature.png     | Bin 0 -> 19683 bytes
 .../templates/security/cert-sign.html         |   2 +-
 3 files changed, 150 insertions(+), 25 deletions(-)
 create mode 100644 src/main/resources/static/images/signature.png

diff --git a/src/main/java/stirling/software/SPDF/controller/api/security/CertSignController.java b/src/main/java/stirling/software/SPDF/controller/api/security/CertSignController.java
index c37fcc9c..b36f8c90 100644
--- a/src/main/java/stirling/software/SPDF/controller/api/security/CertSignController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/security/CertSignController.java
@@ -1,8 +1,11 @@
 package stirling.software.SPDF.controller.api.security;
 
+import java.awt.Color;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.security.KeyStore;
@@ -14,12 +17,38 @@ import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.Calendar;
+import java.util.List;
 
 import org.apache.pdfbox.examples.signature.CreateSignatureBase;
 import org.apache.pdfbox.pdmodel.PDDocument;
+import org.apache.pdfbox.pdmodel.PDPage;
+import org.apache.pdfbox.pdmodel.PDPageContentStream;
+import org.apache.pdfbox.pdmodel.PDResources;
+import org.apache.pdfbox.pdmodel.common.PDRectangle;
+import org.apache.pdfbox.pdmodel.common.PDStream;
+import org.apache.pdfbox.pdmodel.font.PDFont;
+import org.apache.pdfbox.pdmodel.font.PDType1Font;
+import org.apache.pdfbox.pdmodel.font.Standard14Fonts.FontName;
+import org.apache.pdfbox.pdmodel.graphics.blend.BlendMode;
+import org.apache.pdfbox.pdmodel.graphics.form.PDFormXObject;
+import org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject;
+import org.apache.pdfbox.pdmodel.graphics.state.PDExtendedGraphicsState;
+import org.apache.pdfbox.pdmodel.interactive.annotation.PDAnnotationWidget;
+import org.apache.pdfbox.pdmodel.interactive.annotation.PDAppearanceDictionary;
+import org.apache.pdfbox.pdmodel.interactive.annotation.PDAppearanceStream;
 import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
+import org.apache.pdfbox.pdmodel.interactive.digitalsignature.SignatureOptions;
+import org.apache.pdfbox.pdmodel.interactive.form.PDAcroForm;
+import org.apache.pdfbox.pdmodel.interactive.form.PDField;
+import org.apache.pdfbox.pdmodel.interactive.form.PDSignatureField;
+import org.apache.pdfbox.util.Matrix;
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.asn1.x500.RDN;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openssl.PEMDecryptorProvider;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
@@ -35,6 +64,7 @@ import org.bouncycastle.pkcs.PKCSException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -62,13 +92,103 @@ public class CertSignController {
     }
 
     class CreateSignature extends CreateSignatureBase {
+        File imageFile;
+
         public CreateSignature(KeyStore keystore, char[] pin)
                 throws KeyStoreException,
-                        UnrecoverableKeyException,
-                        NoSuchAlgorithmException,
-                        IOException,
-                        CertificateException {
+                UnrecoverableKeyException,
+                NoSuchAlgorithmException,
+                IOException,
+                CertificateException {
             super(keystore, pin);
+            ClassPathResource resource = new ClassPathResource("static/images/signature.png");
+            imageFile = resource.getFile();
+        }
+
+        public InputStream createVisibleSignature(PDDocument srcDoc, PDSignature signature, Integer pageNumber,
+                Boolean showImage) throws IOException {
+            // modified from org.apache.pdfbox.examples.signature.CreateVisibleSignature2
+            try (PDDocument doc = new PDDocument()) {
+                PDPage page = new PDPage(srcDoc.getPage(pageNumber).getMediaBox());
+                doc.addPage(page);
+                PDAcroForm acroForm = new PDAcroForm(doc);
+                doc.getDocumentCatalog().setAcroForm(acroForm);
+                PDSignatureField signatureField = new PDSignatureField(acroForm);
+                PDAnnotationWidget widget = signatureField.getWidgets().get(0);
+                List<PDField> acroFormFields = acroForm.getFields();
+                acroForm.setSignaturesExist(true);
+                acroForm.setAppendOnly(true);
+                acroForm.getCOSObject().setDirect(true);
+                acroFormFields.add(signatureField);
+
+                PDRectangle rect = new PDRectangle(0, 0, 200, 50);
+
+                widget.setRectangle(rect);
+
+                // from PDVisualSigBuilder.createHolderForm()
+                PDStream stream = new PDStream(doc);
+                PDFormXObject form = new PDFormXObject(stream);
+                PDResources res = new PDResources();
+                form.setResources(res);
+                form.setFormType(1);
+                PDRectangle bbox = new PDRectangle(rect.getWidth(), rect.getHeight());
+                float height = bbox.getHeight();
+                form.setBBox(bbox);
+                PDFont font = new PDType1Font(FontName.TIMES_BOLD);
+
+                // from PDVisualSigBuilder.createAppearanceDictionary()
+                PDAppearanceDictionary appearance = new PDAppearanceDictionary();
+                appearance.getCOSObject().setDirect(true);
+                PDAppearanceStream appearanceStream = new PDAppearanceStream(form.getCOSObject());
+                appearance.setNormalAppearance(appearanceStream);
+                widget.setAppearance(appearance);
+
+                try (PDPageContentStream cs = new PDPageContentStream(doc, appearanceStream)) {
+                    if (showImage) {
+                        cs.saveGraphicsState();
+                        PDExtendedGraphicsState extState = new PDExtendedGraphicsState();
+                        extState.setBlendMode(BlendMode.MULTIPLY);
+                        extState.setNonStrokingAlphaConstant(0.5f);
+                        cs.setGraphicsStateParameters(extState);
+                        cs.transform(Matrix.getScaleInstance(0.08f, 0.08f));
+                        PDImageXObject img = PDImageXObject.createFromFileByExtension(imageFile,
+                                doc);
+                        cs.drawImage(img, 100, 0);
+                        cs.restoreGraphicsState();
+                    }
+
+                    // show text
+                    float fontSize = 10;
+                    float leading = fontSize * 1.5f;
+                    cs.beginText();
+                    cs.setFont(font, fontSize);
+                    cs.setNonStrokingColor(Color.black);
+                    cs.newLineAtOffset(fontSize, height - leading);
+                    cs.setLeading(leading);
+
+                    X509Certificate cert = (X509Certificate) getCertificateChain()[0];
+
+                    // https://stackoverflow.com/questions/2914521/
+                    X500Name x500Name = new X500Name(cert.getSubjectX500Principal().getName());
+                    RDN cn = x500Name.getRDNs(BCStyle.CN)[0];
+                    String name = IETFUtils.valueToString(cn.getFirst().getValue());
+
+                    String date = signature.getSignDate().getTime().toString();
+                    String reason = signature.getReason();
+
+                    cs.showText("Signed by " + name);
+                    cs.newLine();
+                    cs.showText(date);
+                    cs.newLine();
+                    cs.showText(reason);
+
+                    cs.endText();
+                }
+
+                ByteArrayOutputStream baos = new ByteArrayOutputStream();
+                doc.save(baos);
+                return new ByteArrayInputStream(baos.toByteArray());
+            }
         }
     }
 
@@ -80,10 +200,7 @@ public class CertSignController {
     }
 
     @PostMapping(consumes = "multipart/form-data", value = "/cert-sign")
-    @Operation(
-            summary = "Sign PDF with a Digital Certificate",
-            description =
-                    "This endpoint accepts a PDF file, a digital certificate and related information to sign the PDF. It then returns the digitally signed PDF file. Input:PDF Output:PDF Type:SISO")
+    @Operation(summary = "Sign PDF with a Digital Certificate", description = "This endpoint accepts a PDF file, a digital certificate and related information to sign the PDF. It then returns the digitally signed PDF file. Input:PDF Output:PDF Type:SISO")
     public ResponseEntity<byte[]> signPDFWithCert(@ModelAttribute SignPDFWithCertRequest request)
             throws Exception {
         MultipartFile pdf = request.getFileInput();
@@ -97,7 +214,7 @@ public class CertSignController {
         String reason = request.getReason();
         String location = request.getLocation();
         String name = request.getName();
-        Integer pageNumber = request.getPageNumber();
+        Integer pageNumber = request.getPageNumber() - 1;
 
         if (certType == null) {
             throw new IllegalArgumentException("Cert type must be provided");
@@ -112,7 +229,7 @@ public class CertSignController {
                 PrivateKey privateKey = getPrivateKeyFromPEM(privateKeyFile.getBytes(), password);
                 Certificate cert = (Certificate) getCertificateFromPEM(certFile.getBytes());
                 ks.setKeyEntry(
-                        "alias", privateKey, password.toCharArray(), new Certificate[] {cert});
+                        "alias", privateKey, password.toCharArray(), new Certificate[] { cert });
                 break;
             case "PKCS12":
                 ks = KeyStore.getInstance("PKCS12");
@@ -126,11 +243,10 @@ public class CertSignController {
                 throw new IllegalArgumentException("Invalid cert type: " + certType);
         }
 
-        // TODO: page number
-
         CreateSignature createSignature = new CreateSignature(ks, password.toCharArray());
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        sign(pdfDocumentFactory, pdf.getBytes(), baos, createSignature, name, location, reason);
+        sign(pdfDocumentFactory, pdf.getBytes(), baos, createSignature, showSignature, pageNumber, name, location,
+                reason);
         return WebResponseUtils.boasToWebResponse(
                 baos,
                 Filenames.toSimpleFileName(pdf.getOriginalFilename()).replaceFirst("[.][^.]+$", "")
@@ -142,6 +258,8 @@ public class CertSignController {
             byte[] input,
             OutputStream output,
             CreateSignature instance,
+            Boolean showSignature,
+            Integer pageNumber,
             String name,
             String location,
             String reason) {
@@ -154,7 +272,17 @@ public class CertSignController {
             signature.setReason(reason);
             signature.setSignDate(Calendar.getInstance());
 
-            doc.addSignature(signature, instance);
+            if (showSignature) {
+                SignatureOptions signatureOptions = new SignatureOptions();
+                signatureOptions
+                        .setVisualSignature(instance.createVisibleSignature(doc, signature, pageNumber, true));
+                signatureOptions.setPage(pageNumber);
+
+                doc.addSignature(signature, instance, signatureOptions);
+
+            } else {
+                doc.addSignature(signature, instance);
+            }
             doc.saveIncremental(output);
         } catch (Exception e) {
             logger.error("exception", e);
@@ -163,22 +291,19 @@ public class CertSignController {
 
     private PrivateKey getPrivateKeyFromPEM(byte[] pemBytes, String password)
             throws IOException, OperatorCreationException, PKCSException {
-        try (PEMParser pemParser =
-                new PEMParser(new InputStreamReader(new ByteArrayInputStream(pemBytes)))) {
+        try (PEMParser pemParser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(pemBytes)))) {
             Object pemObject = pemParser.readObject();
             JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
             PrivateKeyInfo pkInfo;
             if (pemObject instanceof PKCS8EncryptedPrivateKeyInfo) {
-                InputDecryptorProvider decProv =
-                        new JceOpenSSLPKCS8DecryptorProviderBuilder().build(password.toCharArray());
+                InputDecryptorProvider decProv = new JceOpenSSLPKCS8DecryptorProviderBuilder()
+                        .build(password.toCharArray());
                 pkInfo = ((PKCS8EncryptedPrivateKeyInfo) pemObject).decryptPrivateKeyInfo(decProv);
             } else if (pemObject instanceof PEMEncryptedKeyPair) {
-                PEMDecryptorProvider decProv =
-                        new JcePEMDecryptorProviderBuilder().build(password.toCharArray());
-                pkInfo =
-                        ((PEMEncryptedKeyPair) pemObject)
-                                .decryptKeyPair(decProv)
-                                .getPrivateKeyInfo();
+                PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(password.toCharArray());
+                pkInfo = ((PEMEncryptedKeyPair) pemObject)
+                        .decryptKeyPair(decProv)
+                        .getPrivateKeyInfo();
             } else {
                 pkInfo = ((PEMKeyPair) pemObject).getPrivateKeyInfo();
             }
diff --git a/src/main/resources/static/images/signature.png b/src/main/resources/static/images/signature.png
new file mode 100644
index 0000000000000000000000000000000000000000..1adfcedc3c2fe809dcbecedf3253d103094e9d65
GIT binary patch
literal 19683
zcmbq*hgVb2^Y%>$5I`YxrB~@iK<N-VNC%}0s8ms^N++QxReF)$1QewRNQY3Ri6E$`
zbR>WvEht4o^1Jc#J?}s89?ucT-I;lIW_EV=*?SUiW}<hVnvEI&fb$0W+7<u+1%HJC
za0>9p@1ReA!5<X24fV7EBI#dAS5*c87(Fx4*0>(@eY=pd;QEcIy25V;9T|_Vj?aF(
z7`xMc<7pE*jxSD_IzjQyhw>NB7cRR$$P|XB!+O!w2^Ta30<DudtCgnZ^s|$KuP=25
zykhq((Zc3;6L*i!!hGD^7dtmYcZnVA1)(44^$?nH-kATt|KiLouG<{vGY1FXOk}F?
z@pD}GIT$?JQ-;R}Br;dzD622NIZnA5F<z$)n!2DchQkqBHO(b`*Tnb}4h~pZ*Jr<6
z(^meK_37Fg)4G^eg*elmAp;0Y$@qEbQE>+j7s51qFK~1v!jgrs2^&?re6RWLNTUv?
z(u1X(OCWZ+_x`azh*qoXP8KeWs_XAtf?do}8E^W03RV5(ZWT?tDW_ooaFXd*ra#-K
zjm%f=1KlGC^El(MZ1I(9j?8dn;e#Bpgr^u<(x8_ur=6XcQTbD`1l;`}u0JVVmLsad
zms^I_v8W06Pd_OMcR`!_4CZ48sV%2hlq61@;fC~P$6h4JHQExRWhz*<lb`bfih<l|
z*pp}o4My;hVZ35KMjBK<rgv89$Z}?2>~j?0YT$j@;9E<(zS-#bI37#I8)I{6C5}IW
zPd#HxcyZ4sHQ-2UR3@qVu?MctCqCRFgz$k`1I{~;xzEIeZ~nPW(0HiRDc*gbMf}uC
z5E&sF#AyxcK=co7`>wvKuqtrRpOg#4<dpej?0&9!(&kU{{w0XcNnu#Wu2W{+Ij^t|
z>qllAB5w?@O*^%gfsZ#N15y-LoK_=F9)kd<^R9kd-c}0`zcHidTS2c0|0w5}zl|yg
z9zF4|!!I}NCAw&Y8yL8={t<)Ms(`asGz_Def7f!VG2T2muP3rzAoVGOs*Mi><sw*%
zA^bsMPY&0we3+ljzSdnC_E58Eo4nQxl=E~iEyFk1n1{SvEEsD!ZDCZ|;*!IQBG1yJ
z#BxAiTkPX2mP|oJ{Q1e4vuukiESnz(9Y(+~*o`k!uCCTqB8_`L3>OoA`#3CvpRSls
zWaYS`-a5RNH&?Zl?2bR@>iIzm`js~oq51kE4Oc1|WjMo&_dg_gVh}XXJ$E9Ur&-!J
z=gtC|N-Itr3RjjtfDagT<~6P7i8s5ysY`PI=5Bl}*`z?7>aL#K@fe|bj)QhMGP9dv
zxN&}HUJK4k5z?W)aXhOs`)Kr>g;wqerw*9D=O|Z^*@5K0{c`9v<7mscQp>#?_}6!e
zv*<RMIa0}N-Dm<id1F=;#%YH=36CZqim8U(YbF9QsrOhTVrhvfWd2C^UzSz5t;$rq
z0$MLc#qm1klojrHbV1lGXdlv5CMk+d7K}+{n(l)rE}BU?!?M@biABoK5Sk2d%2jmk
z9+)WE9eLoNp&dk_L5N$VC4`E1HI9XD_#`PEkZm+Gj~FR5g}>RHRRzaC)B_X{afsW8
zOw25VH88ttm;f72zX5vn&;4hLMuejayc10qJX?xo`@Auz=eLVxEc`kpiHbhY$GflN
zc7%0;Ju}DE><FhV=dCjx`&U)RGoB*+%|6BE8Ja7NG++#}&kS)I*1at4Ky3MERi!s2
zOQzFI*u#;l*loXrF1O6vM62vB{q!yiiZXsC*VfGFqW%YbvN5R~@4{EpP^mho?Dmo5
zIa{B!u=?$_W!g!}P=7zv=tBxjewKTOYo&28s@mB0wDUGm@^OO?s|fv;u1In$cB2P%
za9v;^#yn6m0E>N?rh|GFhVJ4sm3wuI<|aDxSdFIKM?H7Gv|ps|duIGJbH%;%vM@y@
z8rMbI#nG2hFDKTpXK6y0cqx+G&EpF?b{AV8*QyY%E;eUS$|H4;ug;$ys0O1yze<pC
zc`{FU!|`EJ<xAx+&fL>JpQlo*N>O@G9&YT36+MsHP}zhi`tJ~I+>2ziz3UI!!;qg3
zQYnU6PMicoQQhUj?wxsc@1J>FR%2(+<ja3s9^N;Xn4x;`gUT?jh}wxO)zYQ$rZBf|
z`D*|02t*N3#3o){+}S=XcWnGtR8%TlB=YDq`OVeS?zDHp`0V4VOmt|_CPUfB+3@N8
zmT0z?N$jyb@buefqj#u3m1XBLeU5yLa<=X|rao32ZFOB#x_T-${q+=`D$d$nhF9z!
zF^M49oRsWWA3Rm@g*+IXsr&Y8#~|Ts?6MnJam-nge@<a%R4S-O-kTBXRw0UAg~83C
zuFDvHZgKXYR_I2t!BsJ4q6R}fp1fJ(lE6umFOt^h2!NyC)X%P;yK}&!X_pd${E$F9
zD&lY5MTuo6P~uA8<WdR&P-luyH(|k}jQ)G1!~}Q%E9YI|j<W|v_<@jsBXIGc0b#45
zH^E7BlX1E{l~3Dsst)Q7%UAij*j>Mw=E$Rr=4lFIc|b+MtLu?Xu*(x>5gNTd`3pPT
z_r7ZeveT&mNWd<a+E*cDl4HQvoNn0jyUTieW!ouyXb}oPQ$JZlyuZh6pmr9PkEKo?
zp=uqnh;+7xW1l2cgP%db0bKp}$-6u+l+Co9dfqFg0pQ3lEU<3lEyVW14i=(lod4^W
zI^hv3ohWF?zmIN0frF^Wm{u@ww60E!b$Ai@M*LI+_vH1DQW)rvN5kQeow8j0L#vHf
z`P-{vTG;a!RxC*vAN(;`vam~Vk=x8}-w(!zxl&cofdbwq5iSvgT~CShM-B<N#r+dJ
zSbDe=05ou6B?&F-A(if5fRY&Y%9|lRp*#=zkAeZ{IE%1L62K&=cVoKSql)?cApk^r
z4URrL|2;{7qiu#@%D#Slzj)sn0>FBPg>TtC6;PU3G*~dY#U%_XeilWM_q6Hg3z6~U
zi@N@TzSDs;X`tM%vSs~O`>X5RB4e0mv2f7Vnlh*Fvw|-bKZlpa@b{Y;vEz-ol>Z*M
z*xXu{@=*5Q6D6u(-GYCF4fT@&2;e|wX97jAW=p}hjyid-$wtOffNHWYK#tFk>#gYF
zM)R@ETo*tLHn3*0OZ&K%Z*Keb0BBq@AHo^D%I$%q5t`~coxmF7)aa-|ue}}&pdCVe
zjQUb|K&0v?kR&tQ4{!v1M!P?j7(8Am7zy@Z&c?dTO!)XqP0nB&QkN+|q{fB#Z|J>d
z%;XcR(+`;FDa(ZmiwC|WV|`u#*tuNex2wi0<2%AmoyMafAoxTS`I7JIbV4@U-<Ga1
zEz(C93X6TJm}?p~q)adNk&!+zySU@~;Q2)f#2*)R#ot6`Iv9wuguWv6QPaC>VoJ~j
zQcFnL4Bh#f`$#VIWcD8GJ`ZRUptU1&ZsFF_%2P-re#Oq<F4+u41E4;I4KX0UMp?ph
zZGwP1;9lVc064(W%vjR@F*;k$>tw942z$OhD;5C#==;?gNSI2jlzRnyy_d2Nko4Ly
z0rna`c~db|!lSzh2U(md;KvX&%bQu#N{R6{98uCc0z@eM*J=h7s+!8K#P2Lx^^SwN
z2k0!mvjxsP4I8sij*i^kVW7T}!a{&@@>%8SZ`0stc5YCW2V?#Zakgn~&+o_U?Ei1f
zM8y?jCb0J!ocj#|MnWwC*2%oeJYq}NJ7YS~^-ZVD==q4tHJ<73RafFrX{`9G-XSFY
z^K}4|E6@1ICJOwk$3GULC|RXwe6WqdNy~%Kp{bKh=rRZ6fIL@-bI~@LcMv#?r?(F9
zE>Sd=g*wl^KTlFGAOO$~jmuSCTp$qbQisNANuQ0{=(H6c$_+x1SQYO_Bsue<mT$Yy
zRma~zCg<mVmADt^1+sit2#?u%9T2nCAQp4FX8-tffimWF|5l&u?WDb=aE+i#Cd@^-
zjWI{#ZGER7DEnHR{W^lyBY0HmFoG(wj*LaDtEh<I3d<28F?%Y9&wUqFuea7>%v(RG
zsuPHh{D#Vp?RkL7fq(>mx^2%WChY9HfW~My1?rf_iIKjCBgkbgIh!D^2#27ee4frm
zH=4yE!<a=@dV*PS{;|JKnqJW2nSM|uhJ%%ECbi@77CupX|MCznP#btH2pmRHdYH-@
zLB8JO_HWesqF8C)DLx;)%fxk(y&eAZ$_a}kjhfjdLzVB|Bks{jqrEa!dz~tV1md>s
zay!;)na$VD!TWfYA8>Oi=--ELdnQW(Wplq$FW<WsHasU0JE7WNMDJ*ua98nf|HlEi
zU}ExMFFQk#Z9vTFN1>RlsWBbDs`5591Q75VVwNf7X&M0U3GsfUpZg=3ac8WSsYtH~
zv5;Fwg?b~k-!LJdi=afs?{zBKx5h3=6`Yx*j4{k0pw7c}z`et&f5Il9u$xBFR(pPo
z`+EgNJ<Rp|2Kjh}7nowDYb#2p4(8(A)ecT@bfhluWV&b#f!=NXR%)yiNMFnD!?M8Y
zepPZ*Hst4)8An)RV$Aw})oRqRW$OY0n3r9!lFmDn`^yT1pAwSTIqkF;R(A}g7#&Z7
zIVy_n{r1L-gdC#1SwEN*w$joA;ne8<%gGd1f>g-KF<9N$=qJZ1>bwNbP9M+9t~FP5
z92G^SjhK!$M&8B)8-`&1@}0lCCq6zwRFzj6NF=@wU|T%=%==T{NE5R4#5s4*=-K<<
z0JMbtlJKF3oG=v7eYb<CeN~sG^&uetnmVJ|*KbUahn!Cinj#!J;OOR4KzQ^48xsWJ
zpL%H)^hAvZZ&+|qJYs-1hi~bZ|GAmV(2`|q;4qh@iX!w!;MkyRgd&D}(s-Yr_GL*#
zZts<+fX5Lt8pn1%0YIBu{T?fgz|7e@Ne~`ra5TkA!4Sax89>-)vIGunaLkai(kyn;
z$y(s!q9X<(11P|!DP)g2b)xxzl9?N4LPY{$b)B_|D|%dc1H93=o)3|5^gDiF_n)|5
zk<-o<Zn(B~iNF{Af%az>9IJfD+J`XY>=hvS$kPl4{Fa+TeQE1E>K$tMEtW@b$T^@<
ze9Z5#3rBxB1;VsRRx-#!I?LZ(&7RS~7SqN>dk^+9uD0s|O$$`Myre07@j0uaLl7Pt
z%G!V+cLqzpj=fC*JXFY?o&L!)<HUoHI8m$+Mef(dI6V%3KAN$c4n)wEPLQwLh9neC
z7jV1Zjf0#*1_cIF6a*vy!-Q5k1n_hQP_QCRWHn@%ICtOzVY0-tuuu~FT<2&&aj0`+
zhX*L_A9q@5uZ=AFq8Ds$&w)Q+^;72o*rcEjf=Igk<ra5?H_YjUYxKFU%|2KuiP#(o
zj|4o#fJf>ed}MQ)eRs%^sYwlfI&$hujmisq<p3WZAdeb7&sC;D4-8+r*-lN|@`-o$
zbRFfPUF$zO44q>K{WAo~Az^dzsvy3Z*I6nzof1V2^gf45yK^1Ep(SsD%xTi&a(v3q
zOL+ex>sR31A4mdqnDOu^z~k(qa}tFPz(a%Omi9Pdzs7M+oNmE-an(@+XmW(v7=WHf
zp2%*dZqcK2>-;bvAej%|b)_UgOgB?J#fc50*`*uwv1d@}ZPy)E81e@gQYA1i(MHaJ
zaN_H4H906Hv)`4Bl#7`^=VamN%A~j7tUr<vIcIP$9>;$Z0nuizEal5(ol-z1A5kOU
z)K!A&^%-~jQ%3q~uA#5pL4I_<$<g^k$ZwYi_)d);-xncyOeyr#DOBr+mKrZapLwA7
z-toKSb%F*U#|1I_LNf3?q<RtExI%gA(t@X_w50CYcr&L3#>)#}I@Kj1ysmb%HKzk(
zshRXU;iqk9K`)oLrGVjPg^1>pLS|w6TmIn_gRw;@u7nJ-N4TSKL=P?b1MguWNxQI~
z&0o15Gy2L-;49lOWM$F;D8f@7F@Phi0eg~sdhU_>4<q^nZF^?)bq$W!g0u^Iv3}~j
zKpw8(_M!>s+SH9sl!hL?L%qTeY>I-7DMu%r`l#w-z(X8JE+nnoc-k}d{Y>%syEmzj
z?*<{k!|@71TtRW6)R4){%U50HNq*qdB3Auj<!yWHRSrBSTR|)6LoS4<A2EYKn0nSp
zTDEz8vU@tXT}wbe43yGO%pdtW@d9=<JvslLo<CbWN___ccxKF@5;!;51p<%&oJc-w
zdb_vV`a?(B=91>eP2JHN=t`>bT+8`of+o;(ldR+`hLi~&WQzw<9Kys0NDf5o8q{~}
z{v23;E0dbPVJb+E?=L&4x9yoqejSYicxWqGVqMfn9xMjQ9$kQzh?Fy(29i+JETO`a
zn@J$7I8<ilhgF{d9?DSALKR8H&u5EbwQ}C1FtJijT$%AN2Jxo=cqHh=N$CCrq3p_i
zv-5FUqc5UH!a+$DXnic0)=QHu#K@c$OTtgII1jA_Ala1^dLA;#lHZW?zo#vW%(ra6
z)X-1CTzZXGmb&*CcCNsXTO#Oi5~%S-f>gV9%$+MWjK-V;kl<r;;6n%c6jZ@MN`W;W
zqCXau4^0(~BO}HCgIWsdS-~wmj(tlzur~kcAX@$%?W_5a3{E^wOV+`?U_><*@c7WQ
zGmkP!1gqN4U-`d^;aTb{&UT-SD_hqQz_=cu^x&9T0*vhPM?MbW%PFAjUlz2b3ARWJ
zXi}#uG0btAE`tL?g!zYb*kX!Oz7%-p6;oIxMjU^qDCGycn(lECUXR~Yl^@S|DY3_^
zQOB3SM~{O^NYK`*RrxOR0^d`>-DB6o9M*$-QNfh_`BG%o*n$LJ$|#xJbBoRQQP^*R
ziVPMSCF-M}WHIZ_y%rbV#h0|7SO~bq(^I<FEzAYN(Q7J;rTrKX2>LB6@sGOd2+ox9
zPIiRvGQ)D{p82wp#8|)#XG((4!1LN6c#UuVqw2nIKVUnmFl4}!z+cD3O~O#;?Lidr
z0&gGl+ik{ahVuzdJ2vaZayMEhR1CEgx44Vd;K9&JyB|xxA~=q?pe1K)0LVX)P`3-y
z(u*DnUIJd;mh&@9MB%lUH@_LmqpFS{M5<`YcN>;dvFIsvaP@bQoZYC$`3FNXw_He+
z9QQt9H{yuejrgiiSGSJ&X6v4~R1o}xP+itqFMGrdEs5SnXQ`8>^%!%;{mKb4T%nM8
zgKBsFDB*VgZI0j${55)fP(1I<b*8{y181Oq(+ENuNxQMjx5o*pYm8_Cs^DmxZ(icl
z6Zt0Pn4@k=oz|v48z@gzQ7a`qFg^n?F|B?C4P3D%(kU2fyFj=SvPRVvh>XiBgrFZp
ziPJ*KDDH@Rsh*K{chq4>)};DxOkg(E3lN5i@0tTsy=GX9NA63j@>ewE;r)7B#0(=v
zyIv5=#_jV+4GjpGIyUK(u{5rpGZk@f26>x;9{X|yc8U;di@a(xW|eX_4>R7Iy(l=P
zgG>&ofro>579Bu5_TZT}A0PL-w9)o~m&35{iCV%O%(WS(d7&XyM+Q%6U=NQC+=jWA
zxwL`b`xi^bAIXvI&`vy@5wa%yERprwn^PHPOP_gZ26OAI>@b!29DpFr_vVuCg9;sb
zU~8PHE-x7fE#dcr8%2EdXIB;MoW7H+Hga9QXoaM-$3sUk8$|M2o+!oI^V1QKk)ZY8
z`BrT|8RCu6s_m|u8d@2{O73XDklap?RpsO=P^*{UgY|dvw;QREVnN&?pT1A4SvyGd
z37T({I~&j+@jy#*3W3lmQj#_kRf(EoS*Wi+-H#Oi_@H)9_H}~tsC)V<=3?P!wfb)+
z&p~~L%bX#_SXj@|*9`pj5sKIMt~&iAO1V=G*;Z$I6eVcd3*bmrBgI<;YFRmE;qWbn
z9L8f+^D5))0WT!ng#K3B`6ia)I}~a*J&OS7U^YPKry;o1zt{o7^1bobYmAadwJs+E
zFsJZnOsHWo)#0W@-<X3UQ9xE<S1SVb&jgP1jFjg}OkDHFJSJ9vg%0J)5~n{a>gbC=
ziJmEa`YT)`QE?682k$<U#HfPPqz8}vpoASIfUU;MiqgIui+&ZzO*p)7&_mUw?eSRI
zz1W2U<X3l-feoy5iL56{Jq=LT<(PRv1CSA*yZdH8&=d*%TQJuuEzN2vQ#Y|JuLt~&
zoR6R-1)8E*McEPD$1dlcgE>Y##e~Yxkg0ylLHCF?9(U0LUBAeD)kx#kY0w{kOfdlE
z@zKO@=J@%HH1zb}#QHfQo>x%mAIuS6Fr<(rkeo;YEAv8Z<t+lJ8R!jNp9hC#p$YE8
zKVl3UgaD}zOM$w;Z-15^Bq{aJEk8CqCkXr;jn=CTUfM0{OO9MG5aO$N^9zptOzWZv
zJQxdjbecs9%f)Ma=H?bRQE;)@p%R9rwoNv|&dX~(S=NK{=A*4Zr*!TjD`axa1U>U_
z4c05OCGJau9mH8;^g8a<aYxm`=i%*W+3uWZ)Eo`I8IG2`P%exrC*@k$=I1s;im}BD
zD@$#-yM)7^5sJ8tjEnQIQFS*Cj2N_p<{fs{hctBT*WXGy$Z(-T(5^GR^QFBMw){3J
zS>5Dic^%+4FK~61lLYnY=lQCFyS@;8E@Hj=@vOVYU;VQ%DSqhQd;JJgFb|+53Ol7F
z!{VDtTldDOkj|Ti_-)xi^Fr;tt`koh^zKX4o;@G%7x9nX0sZs@aFChwhaw!8mwk#y
zJfH6jCHkf**K~1&nV$R6q76Lgh3N!8BQ5vHb)1-l5FomFOCEnF+h*^Kc{gET>G14l
z=&@gf9$0l$d>YkBThx~ekk;$Tz^6}DPa?^CLJw-d;o%ZDA3YY1|NQ(CK&R5@69;TW
z?I+-vNb&zs8ooT(@ZS0@GW>8d63lW`A_jH!5Pp2xB|?QhS~xv9Ljd7PfN=8iKNpCg
z114B28un((1#X?=qs7ezSl2POQ8f6qerlyM*u^e&g$iRhp(S*X`dK|v#B{o$3PPlo
zPc<<bbwO;RF{&IHvlgEENsac`I2zdSpkJ~frOXpx*m9vk1ZZcW46c9L9#y!-L*qoj
z5n2H6IE$|vX$^;C*ujW7)_)V4Bo$*=$*yNR6WSqOYw3i_fzo#F4j)5}i9VpxGWX8s
z39#V`bCw}ZaE;wtmI^ub!V6-;-SalJMkg}bn=y@f=h4372-Q<K+N2v=|ILY1OUCZ4
zS7(=G3Gy`b3DW6oj=lxpKpfS{=(&Fxorbi@{8D?3Hp2k9@mXHyjq!2_$Zg=*A>SPT
zl}mV!kYPG2`ufK=Fj&#W4}U<~4+|bd97$Dg43Vd5ogL86`+ADCEgijH#5#!M?Rf|R
zy+hvPU91I$Et^*%*p3ElP2RD_F2#)W*-oZ;ks$!F2#Oa9Yovns@R4^0`-+PR@Sc};
zIVA@^BU0rb4zglh;lRQ_0AbY+rzMmS0B3?$)3xJI5_hpV3=Tpdm*xsXo}`ir^;`Cm
zTjV^aD+t?m&7e9=q!&2?@Ja&2OF)QQll#KvqI52AieLhI9v_tZ!aoW+NP#@!slt-Z
zzw&u4!J(|Fme)^Q9GZqTS?*X@GY`AYJ44F@RGyxj?2aK>_#?6;)~KB;et5mUS|L+=
zRL6IPY58K1Vlgcg>YOJ6xGIuD^2-oiWyt~zXpACT9k|5h%!BH>t-QtN9(z$EfFH>K
z6KOlI*gMy$nT^|YliOgKPmFdjr6)K??u|`|sj@mSIo;{KLIFo>z<S&Q|FtwG<l-uJ
znIp!&wAtwENDf*pu0VFjdVQE~N|qDjoN&R-l;u1!7!p$q`Ae!~A@0!O^lMH4B33(w
z2RC9te?itHsICjb3&4<0mVgE+;tNV>`a5z=fLEfH!5eGXkm)@RUgz@=@JJI*;bF-~
z@<|sbq^|u78tSYW{Gyt1IhY$xEKi}Cxk#o^c>#f*O9nDYk^A!n@?iUm4N}ay#klbE
z$i9A*)F%Zc-_KY2zQuP@0+8VyI9l}@Y3Vvp?kx{((;$_2Xn&fU^QZVk*dG(st}BEd
zuH=EcR=-M}@V}aAfTvT*ya_>a$cWMk8YadNd-Y-tj=3B#Xuw4q`1P5D&A_26MCj^y
zXQtPDR5->Dd#49jmcb($_oE+e*${|+ICaUt&0G0=y>EOltS4cmWJh`Li^?+RgAQT0
zagc~KxNP!fhUDCbRS>RVhwP<1IV8seEnC+xNa^Wsh{G(%#$6?!M3R6PQfvfV%Y&j7
zHq1HrxTRRSc>@On!&jB`fRZc`pd<V|DeR{~&TV4OZQ|Io%%5xnyce&Hy~@)i|FC4I
z2Q2N;qu-KHdxo{pvS9ys*}1u{klJX<hsz~L)vvzYgG10{(E1`$l8uA))Yh}<A(cM)
zfJRHExY%6>Ibm)zi5nOscjhOVDq4y&&t(QPjL5fiNVRBoB63SZZwCVFNl$t!k`L~s
z=s~p5Aq&>u6u7Amtfbzd-=o=G;w}5Sv*ZZ!(Skri!(-4Ck|81>*^eCX)6XBKuG(Ah
z<@W-478)vaI6G(s9iq7;NLC{R#Pu)p@l3?|76(Wk!Jy9Mkgpn`Q|eLfJxA*4<VT(i
zJY?U}DUAn_5myj-xO88xA*+5kIyl(G?-!}=c=QGQ#2Qc|t9hWhh**oZjuK)wr42W@
z_O1iJIzX^MUJA7Hs8rbLk0<}15HkA7+wGe3wv(TCAMDV<dafs#XG(!d4dj*Xuvts4
zN1-xFOW?f_?c4Kw$M4~4?ApNlCW<9PFsad6@Gb>aRWNgm3`f$L`@-+4?=Zr8j`@MB
zSg(K2eYpZ&3ya0y<%fWzjL55M#)!6fMDaO3fWnDvj}%6vp*w7N`}TQ$ATIh+jQcpt
zhuZm8Cj_7+WA_F{YMds&uOaIuu3}(3w4UahG*m~q?j#~YmkCWe!2ou%e8<O(+QGpU
zaidd-AVH<YZV6qm_gOE}0Fo{Ni(tk9O_9W%(gyrYb6*ve#!0?0hh28;QX{_&D|lgI
z07Q`Ll?TlUGNn_k>O3h6dS9;~iqtHbl&M>N5CA{Chl@0q!)|I}uqf2}CVKRLKeWv<
zMo{v{X}K&=_I+!kIiiJ@c<G89c7a(3#NR^*V9q4#s*R1H77#z_ER{@gJIR9iWbA?l
z@LL=>B>`tRliSPNVjq*SXFw}FOPFGoTwX!)!jMDYb_57$_znn%Q=uiX5WlacBU8*t
zFdm>?hpord!vbU$Y?v+-9i|5h^q|XWpJbwIhkQY5r2US~Vz+v^0Z5)u1gqS0S@Zgm
z4Gi##@X@fuub4cZQ--5!gEY(|3^G9GK^$jUH(bz`skD+Rz4;-%TE(9TYPbkFo-QUl
zy#z8s%&Y7-M`CG&JqCDh1;djsj)g}98|#MXsHnxM=ODY%sfR3$>->`(SL-;Vuf=Ef
z!HR`)aY?x~5In*Ld+pske|u*RRZ0RwImoM-QOT7`$|7-oTI}aPeX?k>7zA*B3^iQH
zUibl>0j>=mEhkD?tZHEq80YL#qawbI72#VjB$?adqamvtu~t)=WYVaNSjzcO)DOH*
ztqzaa3R=a5@lO)f&P5ncPUmHhJri4es9@jEb2p8_#7VuS!s;YCdadkl4!Cjy@GXs8
zU~x1*Syb5=JHyslTxa^JPZ~z<pc;~penO*Tl<j7(4RRclGR#-{J~y%+or9*{aGMX?
zk{=&)!c`zvsz|~8=D?v4mKirf86L`)DjpXdJisfndv?smKtjRZ88R(FRC$hnJj?lj
z#GtIMAWFBqnLakyyb}ccq*D}*ec1cDq5zj}d>!T_R%;BCHhCZis%`r&h1?<ME>h58
z1@mEJcPybnzs>j2&cDG)Id$FMrej!cR<zeYu2Gc@toLOq4wr6wec^n6Hy}zuK$3RT
zAY+anj=c2DZ}9D@!-t-t>@lY^Xb+0%JXl;<${|A!80mw{oI3?(UYjxu^fs-Swb-@(
zE$CB?0-g`P7pwDZ#D6A72YiDdAiz^~R+V)J^LAeYYKD3)Kk1hWG2nqElnkPun^W6r
zH;h}H)jfID>S+oC9yCOk?7qXqHy{=C_(14(9IMyS9g9EbSm8(<7IktXJ`;n7^2ik(
zY6D33SZea(zp-&vGe57x5V2sp6|^Qc#|TGS7-4>iE{h+w*b|;Y5v|#z!BtyiD|}|Q
zUJUd|j&zpTzgPOgM_<m-!I4ou1Z!&RDD0ws3FCG=fUeb9vH=f8edV}S1+N73+d*EH
zhipd>=%nQIYV(iU+fEEvZhRg&8V+30fwezm?R9^W=+Ts(-jc5H>C@0r@)8#kkg*|b
z&SGNMw1FNEKC?;lV{cCJ(S)wdW}N|E9@FgA?|OipI5AO@`2+JvHs<dc${9Kin!Yu`
zT2Hh4b|xX6Zr!r)5^HP&pZtt6)c1mvV^F*}YPZ{E4D<6GddtHE1{k4FKUwN{{89)m
zb9fsU-mc~+e7k?CZI2Hm!<UdJPQHGl*t(Vd7-~;&@cXN(zSE1^BOTnsQHzt*Te4&o
z1(tmomA+5;0l&&3l(`+YP7)9o75#gWgu_#h+$0gDYg6kj{;B$$0NF~3;O2_y9~;lw
z`(89Xi4FL~oX{x|6th$fIQYgFY6su6IHNo^Cv!*Mu};<77s>sGnHCZy*Fu`>0VB07
zhh>K~lNS69$C4}bK>eI#bRjnQAX?|=?1A><xw}{CFX~ea@OH!$756;6XAUtN!+5+j
zbSc4OS%KayPh%J$o@BTqw}IK(E&CmPVw(mT;62EUHT>bO>w9Kr2vin?o4gx!s(2wB
zCI{jH<VJh;RkfFjLUn$Ia^ICCi_@BIJuP~7#fum6%s*S4DEJ{MOPvOw2WkE)s@2+n
zO*xHtmE@~djib^s&dh#$izk7#mWlA5Rasd_f~XoBBLwg$E?1&jyfTw8{5wa-sK~@a
z_u`}phebv#TnJ{T30$I6P-e&0$)vs027q+-iyJ|id$gSnF<8we58L-RnUXAp%pC1D
zE@MgH?n#}EL%~yAPK<ZSWe~!rH_9=)31T{{6}kR-$mDac=Tk2XBXtLQ=ht0oH8QAs
z1|q5wnTuZ!Tbwik;8Ggi8%BoZEmh>`=*(9Sxbj>~jf~z~3}T!qq9W&+#ZEwxFn}ji
zX0qbd9$lMZW<-M#%h9__S3P14$a#MMmUZyC#E6csa_z#~0&xJaN->e^E}u+2JpGGy
z7%9U;TVsxU$5DHkk*a54`tKOdsc0ML4&i|UsXtUHLW%|Y`1KNPZrn`ZL#uFHYm*;-
z>&gIm7IYWm@Sj6H?qkCKoF1{H^?%3fUVO&2F{cw#bWw7KN^aE*W+Y1Me|^x_X8572
zFC;Dpyzx*JMLnc(c5?sD0A3e257s!eymWQB9JGqy#8^Iw*y0k38(w|sX>^{4R&*!A
zAw!o1&ARGY*d~q|X-U&xU2hVE0<lvs>mNc=GlwVUj|*kO9QM(T+CTNU^Yx+rVzk|2
zwM$AeF90KjpG<GU2rCZRm=GYfxKjIH<M+oHbA!t4$XPv0^=o5f`?l|Ew~9d>o?t&S
zO!Ly;%SC{PIYHDr(1XD^9zcq{h+S$@q~7~`FQV$+Q;Of45~FKUOw3zXo6l9CF7yf&
zuYJG#jAY2=jZrkthY8*DR1Sn!Lxm2bsd2#k1SD$671mWEUWq67!FEvk*K4hG?)^x)
z{yaLKoJYn}bS5bh=G<oxKG2ZTBtq1M-t@Qzb|bu2R(|zB6Y|?BH_qPm;;vxM)lnN+
zu&HQF)EX%WY;^=%pYJ*Ua@oTk&`f(ojvPeIpT|3XThP{zct}r^Qy~FyV~L%jWA&}M
zfCSzhed)yCfHnz0f%|4VhnEC^H~O~tSCELtdnn1TTA5OTZ`&lxAHJ8Obxq9nE8K7Z
z-W3O>+x%VTs~K~OfFPb38G<cTHXtsRPL5IJrGl#}7c7di=2LRc-qa2+WfJU}TQOV1
z`99sS0g86N8H$G!?~IROJRwWQ|Jgj;FS`WM2in;4-FtwDmV$eNb9w`1S&Es!oj5JI
z3(J2eUjiF1@$BS0U$e5oFiAjycFPCIkrvHCZNkmU$J_pIE+Her&D;Fneh}noSuvx3
zwfcRs6i`7$i4%`lHY)$6H4>WHc|~3XVn(I*8;-e|44-?L0<MmSU}Q6w+9z{>je7j&
z31XBS=!b1HrLFVkZ*LtyzO)zxK+KLB1B*XgN1D`&ls#AorK<Vp@lcAAk^a?dY~ExV
zpt4wAWrN!ZE6hR_i2M_O3K$iGF%r;k`YKpJ&Utb^;0@POOi`@Q*Ua-tJOGy2fl-Mb
z?Kf1+ll}fwKLuM?1lf~k0~7vHoKZn~I`AT9DCvj%d-_tLqW9gv1tiC9LGxNlPB^+~
z%xQ4zJg1fx=<y;TiL<x?xc-tIc5{M4L-9nee$S%~sJ(_^Nagp7BR6d2l4C)?8R8OR
z!JKt_gZ+gm3jj7F!}-{~w3jsK=MC*9t)ayOKDmjQ&p-OV+m^JA{MHWFs3kv7j+7wk
z_;gjR<E*JZCWF1Ag=l|KwhqCT@udOsK`{Lm#QzP;QY+Vf*M;=6yXE2M1OOBHnJ8VT
zb1Kd{_nI<j1?Y|Cz7Nvp4Yrv^h3|HA6T{h8dyR5gfgf?vAz?Bz8aw39ujdN=KNbW&
zH6w`1Pm|2>0b08gXh4o3bLcxR-!0e)-Ld;I4On&LxVG?Y{9)=Hh=({aSXTsfLXK=@
z-;M*XrXI_znwY=cZ`7S)LSGBEN!<Oub$qii?6&hPjV$BrSnrD!M6OEK7Edfxx;g*N
zs1xqyjT@h(JoLcs7<_B5gbd^_#s!hyH@AMGC@}Y%Q|Yjy-~TqTc(d7Z^!4lconHkH
zTUhneoBUa%4f&ayHo&71HgmJM8{p7<{oH}eD-??H$u?uX>E-}{?9x50LUu?{?bhYn
z%dcC`-5?lK0$uvDpg&#!4iT>J$dQ7Zhg36{=Z~K@z6ozs!Dz@sQ^|up3;}!#-7?#7
z1CaFd_IsR<zyq3baCT8aQtb+2P(%*e6?f3{;pTCnY*+Y!q3k#>AW}jtHiJBb@i-Fd
zF22Rzzz<C&fgWss@#|MW!zI9v%BJ)B&TZ>qpF#u3v#aHwCoYdCSM9!ZAhTsaUoPwz
z#TDOK!qG*v_})5`^3(;r!HkYL)A{pG!mmLPvg!F~Fc})Ln^d@@pnRv;o6VTxlSEn@
zg^U#N6stZvjICoRWd{3h=#fEq1QYtYfi`rMReW{1kasla^>96KL5o9yN*cUe%O(!h
zv2~O7>{8DrJ}5A9PfE;s%i8Dr)bP7s3}-=ae7WXx7gdcvX+<)e2v{x(NCB?gVFQcm
z{m{Jvhw?j5a6VvPCmm-6x;@u&ZMCeJo1EuHdMf%^yL4(DnFVVzV~Cr3^*dk+5qyhb
z21!Bg{Gh6QFzRAmZW%rwR-#-3dQk?-L$_~W52OpM9a7Kis~(?O&bKQjCSLs`P8->=
zv&J@@3Ji=9E3Azz3E}`~Nv9gScehrsM8=L+h3v!1k?Emy33=jgK|qm-(iAfd`hf?y
zvuamxGHrZ=uz5rjlmn+GV)nWI>N>Q<;s(a<xVHTXMuTDNis;OJxmZBJ09$SPczS0^
zN#7FqgmaQUW6sFJTys`>3ZkQa5jy6@3kEEevNMK@``schMAKB=YXp~q(&1xG^*{ey
z2-ue=db)`dk1ql(Q*q$Qh!5~ra1?`p$2NiBQFfo88h%uMf`_ZF+K3$A^5r{i6jKO5
z_P;Gaf4#B6EM9!MCeIN0;3ETgi<O8mFs!<|a8=<|vB&03pwqgZ+_xGk-ELX>jJPsZ
zDS`S|B`7YZU<?2Y!RSOX>#K0$qW9YF6yEUs$sspQjLcuf%Cvz}|8b>dm1@QrO=_rg
z^&O%8<>#JmlK)A6*>4z2(D}1g^D^zcUn<?%@PSl)_#VNONQf{!)N_6yPK!NIUsKYL
z6d~8ME%~oLhuDuvI%Kv3&$X1J5cZB7i`8GJ#E95RgRIXF^Gqi^L}-_VidWQ(Swtqd
zO$(YQ@c;ESQ;g^%^-sD0L&@DgcJyHz^ycF0G7`ai6G^#$C5RmH(d+LU+e|aWQR@S&
zM>eJS8!AOheoeek;H9_Z!J%?HGx}`6foqI8vYn+b6I%>pPV+avXW43+A&km-4AzTq
zbMudN9$MgKJu`a7k@ZT0%d93VUwuS5oQ|7*vHR=qD!D^N!ET<ZO(-JRo8!oXp*W%a
zlF__ZDb8A?f(l$EdO+pGJ!{aH?0ja+bkw^#InM$YFtcyU_%1YuoxBSApqdgY_Yudf
zK6n>fhhs1XlY%W1+y|~ehAS0bSh5y%SLJSHs0XWfJupa<R2%sec8rl5-9zyW|G5ly
zWv^`rqAed|z_ieCnLB8B(DKs+%Am>Ra$V_uNLX=Le-3KKo3Fh|->KN;t`eT8a^w!h
z?sCXR6zhyRF|o!bSN(_aNea`I;`@f@3*)rj;_Z0wNe<j*HXiR4N%zYypQcKx4}H4E
zp&%iXCQn?Ku>ZGE5a@G=2;9$4<UA67!<{PEZ+wZ{yJHHs&Z&KJauz<b$Wv`qJ9U<G
zp^YhaBb|9Je>;n~;b$d@`g2N@u|q(XZl&&s1mKiU3uutpgQX##+013UJ5}tLv~SX#
z<a`MF7BpB)<_AC5mJ!-mbBmaE=W*5;W*;b7I!6+YOx>|+Jeu?3fatTd>6ZM;vh7n|
zGP)W5ijys*_(l4V^w#n#>MnEJmV_?itSFH_6EzJkpXn$#K=)YAe6iU`3>c4#Xhk0T
z;Pc&1;V-5cN{5P>vff;~8F8bOmCt|m$!Wt|94dK*nC44IGT5713(SQj3c{S#Kl^ug
z{T}?;hx&ZOHV5)YK>guFRC;`d&cptyC#R!)N7H2XD>Qs<Qgj*-v_C^a6e>_??l84Q
z%oNFb?1PqquEP*RsvZrQdbciN)VeBt$S=R;uBE;tcx1<sf!|Bf!jo%1q%j(p*OQuD
zp8`Z$h3KSE>y{H1e<>|Z$oRlF8!uUvIz4*qN?uZNg^W3}UN~RYT3c6DNRv)Q0P1fV
zv52*%-c?+u+O=Jm^CvvsM@dL;G`Ff`c1jy)tJ@)*#_P7B26qgjk5&vp-4euG6K2P;
zD2Q|hg*E_2b*XEK&%Dt!lyNql%u`xTi9YtLh1!|&Ykcu@ygdOtXg~YkIK_k4ZvVZU
zkjh06t6Ph>r?zf-(!vW67(Ku<2V^(~DEMOfsZs)nBYQ4M`*F~)jWr*0qP|a;P(+S~
zL56#;Hg%m2fHfUKsn5D7nBy-+upyXQ;_fq6oWY@~FL$R?l+`3a_K$~ibTPd6)R*X9
zPN%Bd+kyda*qXS(d&MAF4GT!)BFCQ?S1L~_Vo&#a^@NXNx&ipPQj&_^8qcQ!AoCY2
z9PBNARBT6}Q@PeA6gR}UVQ@+h<B9$>%K7y*56B%xyr`~znxbagjo)1#SEoAE=1W7B
zlQd}D{Zh;N*1koE(jTqxJd#+MFG4)!s{E9ZPfYn322MhHlW_djK2Sgk@)FHq<H#|(
z5SEC;?D8)A$J+6Hg+E?|Mp}EQfsBkDaQlYw|NM1f^U=s=j!-rMx7JPhdH$E(z-P&9
zmKf!K1D}nW8RS7r?)V|O9thGB?7bTwoh+UrUtx>kwc3KcF;FuHj$b+lApZXAL3lPQ
zV8vO`Pq=Wu;ce{MZl_+W>M{$Q(?}B58<bw}zQ3|j=lP#`D<*a$06|%9&Md<Cp<LPi
zXq=ebVJ|||hI{f;wSOn7+h}ZoN@)gIB%9;Fw?gugSYFQxcanjxljLLU2n%}<m2W-2
zqxM8=^blxq#Mu)6H7>tlwn%%QmYsZJYDdfvyJE~<N~^u*dQ{2B+k?uUAoJrAiEG=9
z`+i?JJvvH{gP~-#&F_l@u{W^Uj1XV;hG*j*Q}54nh597J?9jdM>}4j|A%>sa*r*p|
zR!Wk^6}M><voT=@M>@1a`6AyDFj-^SR$D+HfqrdqI5pPrE3jD<@-j-n#+pmCz<W&c
zZ@_}&B0gL&7GY4}pda-{mtNFU1w;`)HDZ|uBW2paGH{~;n?3()=%mG-ee4LloP}{x
zMOm9hAtIi>1Np6NvvtpDMqmKKW=?nF2cCAW#Gd(Z33N7;bP>|642;h;vFS{X-yZDn
z_@{Vy&-`BqE>(M3QJZ22U&M)+m)N@OFi+WQ>F;c!Qu942a>VBHNvfN<992y`9N?`F
zV|%p$zsd1@)N6~NzXi8H-XhwsRD}4R2x(GBrHUC$PRNnb094RanlM%eo<Q;kc@EH~
z9LmOUTk{)^ymMWrHkL&`cSVUv&)ch-4DYWb^gxkOz$ycg**f7`i{7XEi{F&=AuBvD
z_x?WaaF_DRCO&N$Fq~!=_R{qX*@$4`9g13tuLn|j0L7uoxSsR!@d*`Uvn-J=8q`Mo
zv>yZ25g+<AL8<eo#GIE>HjmIf%RzMIazp9PzdR}G<oih0JmQaD2WX$Xp3#|KlgQ12
z4D{Bom?^ndKa@Xd`>V99+=OS;35)`-Jt=aENy~kb-23EyV9?j;GTqw4FGer~c*Riq
z=!YA9yZeiWtnVGeYs85bwrg19OxNs3<h|6>=hUzDEtHj2FHSxJrKhXcll9^!Z=zV4
z$E@VChaNFTF>yQzd0w~v8v<t3tJ<^*@iF!53o^Z5hKqQfg)x;TRPuv|CXlyMvdv7o
zAXr^~qd_51kZQ%5X>_sR&bONIA2Y$B;G$|nz!;5Xhr^lOK0bg!q(|){8z-1uW!)0K
zzh$>bg(Qwen<Qe~u%h&>CoEouJ6SVujJOF(_`7y+;;~GmBus;Q`dl}1)jKa4yf(<^
z+qf<q)pDNYW8ebwTlTB#ND4&ky{<nU?GIZHFWG{xkBniiANPMe^wdM(Z5d$!CbB`$
zv<wfWDByxE#j5-5NPCL-je-`P?e?ci8IXa}!8Ss}3%CP{Oxfj<CBcA7^V3%_r_5uz
zxJ<WwJVCK%9{VMB;vi);Uj3OO8xoM9wf)!FUv+5scyR>eM@L-yq+(0Y(roy1)6sI|
zy*`tkPndM+t34G#QD(i!J<?r!zO?!EoXq$v<wtKn9O`b0>(Gv&#;%IE)(xm1tbWhL
zqV|#W9*%_gR2mKGX*sRaa(LaeKMYbos`*MSTzg~TROk10p!WO|<NGukW%pXjR0PcN
z#rLz=Rl0cR!cDPk_&0c|r#UEOc1WmzAUy4bw=Vs;2HNG_CJqfiygg3ZH@ZOdnNrQ!
z$H;rm{(djAl$ElLLk+l=0vKlO1E_9{sq>6so@+8FKhwXv;mySBl4K4umHr-^%?}5L
zOMi0lDQsAo*Vb~rcsbUEc+Nu?B2Kv57G2)%9{oyL>nyhG#OZ-SBhHkGkvd9Em)-^}
zAArY6D&GWJR_AzMNc-1WiuU}b=^qK0U1GFKlhENuD1EC*?WXlF2X%=o;^UW@C~p|A
zGw3)u!O|yBK%)Y!5lgGbe<N`-i%eITZ>%Ar<OWNpelV8maWU>NhWI~iI$d)TjjG7v
zGqd|BBlwNaEz&$@mAsc-6ctU9f8JRl9W->aENtzSu^0T2eE)O4`iC7aGTmjhxxyV<
z!3$I+{pa`zMJL#5sq9^_D!d|9h2h6M8@HHv9U|z?>mh*Q_tB0Yf?p+48xB2X%@Ru(
z9Gz(9<RgzS!A#Y~-*`8p^J0tN0lY}|DSUs$Z|8(>BM0kbm0J%y7o<w!6G)P0QqCno
zaq$f7D}TH@WvH_{a*OZp7v%>1SC)vVIWUdB|0%mYVqvaCAa5JTZFgd;{;Z*j#EA^H
zgd0zxlUz?&VEqzSbFA^&5vKk0;5*1d<b@sZMRL~o$w`oDeJ;Y+yu@gJ(@t{ps?T^C
z2Zzaa-ovud?WaD44l-+s^qt}LcoSmN@roY71Y`!&DXm6ui!(Na_!35q`e8XO9*&xd
zc{mhkKiTYg*hkeT#F|Ks&81k5<)RlX*B!!?r*x~DUKe)|SYJrgu9%TZ(XLG`r@9ea
zO4!=OIJI@!Tn}qdAQX$C{Mv;tDvA;?rks68MS+pNkCd|)mGgZF?uGoCk?G;3IMGrD
zantM2DJEFu#q_ioc~AK$06?yd5{=&C4N>CY2DxUza6#v*6rlCrBZ@Jn@Pj&*__XH&
z(g~@THTE9guA20QK>+mcF%0n{-zv>6jgIS^7VTisRXarWYd*L*AOHsdmlyc1`<W=d
zRZYY*HxB^|TfIimZvc4G0V&;jaiVXN?k}NFqMtR7(w!fBKGDB-bzBz#0Qx`1F&OyR
zEuyax3o2AV0DdLPJf;BN*CofU0RTLMICWLEU&Ur8LL%@aJ{M~Q-jzAr^D1c$*ZK*Y
zQ5avHnm9(UM7Ff^2GYNUqnfABosN!<5(?eG@B;$YgsMO4t$0R=#^khI|24a(JOGgD
za8f*H9Wx&pPH($8PURlupbwoshf{Y_jJ5ioP|=dw33;wUQi9gy7d$r3OuS}R54mgp
z!F`QCEtoo9TeJWZS2@c0lQ}G$O7nI)Lby&P>z{ZND&$UahRy)vT)zK_yFSA+x8Y%7
zC~3n3fcPwwjRdhetIW7Tg3?IVMH>+XUg^oPfio@HzD3MnTf`f>^m1PluobnwD+x|`
zAUIK%gsI7q&~-YDqx&WCQmqrusF4%ZBOHY<uIVoR@38|x)s%_8$}}6*<&mGo=N?s(
zVIEW8%PK}u{<i9)2Pt|iW9kK<8?Vs{MtVLu{K}d*NI;g8B1G%B7pN&^OIYX<ywcE`
zZ&_$;bP4{q$juqT1L9iR!&%3k8G2d8XA7UCh1_D&aAsOYl)e2g=yGC2E>)f9UpuPa
z;!I)NFt8E`{3qv3B=uEAsugb=hV9EP$!1=7z{LA@FySv#Ou8rwzyKQlM2-SGhOmRW
z`-uCE)%Rs2so1EZ+E~SQ4sP5yqr6XY_bbdvpt@sB4yzE@QaL};kRFul7tI5iM!*Vn
zup3bzY`csveO;^3r28}CoB+HcJI_tuf}whIp>hOVUCw`SPPN&@yC0R#Z>QUWz<FoO
z;mf1nDLrJs1hRSfmH2h%DHdaqjUR1>@z66c#V9dSMMdh-UwgIr_oEBwwR(>ez3eMu
zMD3Aup4G6t(l1lf=l;zcEjR`qbQ|zD!K?AOFSdnjZHO49%8OH(F%)(rcr0KkIazaZ
z#OQLo8zswpJ9c;8AZnkSS3cd$&Qd*x1q>=WYZS9}xy)t1Vb>m9hx*qL57ZKzmj@Fn
zKL4Scx=pfv?IiH0=oqR^oM@`E_1b{D5grxKDwb_k_scX93|$W&)~Pz1C~AwlZ@$Qt
z%Lpqsk$vWD8WY}|mq&a)Nb<mAd7{qPcPXMaSYJQMj;G!<@UStCCdvN7F196x9XK6^
zH{Gg<tGyd<`Xkdlog<lV!xHhk+vd$OCmU%ZZc;?k><Cs+gH0B{!Q{MLKbx1a?58U#
z+W)k?=9pJ(!<iZ~oD+t#IKH;A>iYZOKe@02DRCx28kRHJ_K-q_xF=_?$GPsqquTW7
zlNxO<TUZ}C$$@WA0!B83iUV~;FsXT2qb7UgqTfZ;KRM*{6e<zM{D`C};a7U;Lnsbo
z&v0Gf`gr|g5EE};l=Fwd1nk>a>mMBjwzb;>iHdYL0nRKU{xLDB##YL%GF)UhPQc?5
z+$+~jU!Q@EtFlX9mycUzaet3|awH!`I&55GfU$@*Ukg6ll=YBI=Y^O(+5;#ioAHLM
z;zo`5Mt=C^SEjNXzNRr#fBzCI+w?1S0W~b|xe|K4hv_r~mI(X(pA_`UNq;CCFR@A|
zlx%rEX}?lDWhamUU0TyPSJHcz7?oW1d!DY_d`zAGc6(}!15KY2tW@#Umrg^kG$ZOB
zF_k2Ue^NOzvs-8kRU;05zeJu|`vo0vbBJb1N7N91)7vGwi0fRPy`z!}@wX=kZsrre
zKV9*?+LUYy16Qyd?AACy8uCE}E5kJkC`u6P>?OfCzvX!rl-G++WCl+XGHfmVX%o>G
zdGz`T2Mec_{`0z}79R`V=Ej)AWOw3uh!b9(;^|Kx0$agIGM6?yHXns;HwKL~>+5_G
zh%|?hnaI9QthGB5zOMsPq*rHWRh~l{Vs3^XponAH;LNUGx<u7>LFf3Bcsaa%k?~f(
zOT_D2+tF`scy-Y5Mrc~5{St@0Z=COqX5(SU?jl@$#?Q+9yTozLHaWCP4B(bz!5mZP
zx-50y>R7!ZSKpfj`u!d%jqX*rN<BmdoOI)2HWp*c@xF4^Hiy%|IZs1Y<CwSI?dJ2&
zTW9*Vf6unIwonF)^xKsX+&wj}@4&_Ht9s!FU^DRcR^to1MSWL`RXcEZ8^#sELo1}U
z%U;cx#??3~o3RjfJvhtCAEQTARazl3mV}DNMS=?01eS$r)b|N%z9TQykdbH(>F=rj
zvqg-~=4~G*eN)D2{}v_J65yFl%=a0=5sf(Bul;sr>V;3A%g17_$~U|9msCG7)|(QI
zse=IG*9n3?A5J>&mW$)p?&-t8FBzFWH(OTh{fyhbgV6i+yYajy;`VRw?I#=$r9Na(
zatw9245lW#zYvv?>~lf5lR@^5RG8H!<ADJ(A_7gRgk<>2Wd3*b_07-hEpcnl1;{)N
zpylw3EHT^yX`^r1_1=B){^fMz#vdBCsAu*7F7qJx1(|?3K?>8{7?L4=_T}qWnKo9K
zSP~zoJoHmvj!|6AJdgF}u5*Rjn-yX7{fl&gXxJ!fO|0WPSdhNH5HhI$F4zC$|4KRg
zf2Q|7jw>!EWJGl&ZJ8o6H{o={vO{hn#tBO`sU^8PjpkBgCmV8qlervsb6+x!k|~|c
zp&KS99QQYcAsp#z&Nj`y*LPii!u9?6^LTvUH_ylG^Z7g;@6RidyRonOd>ygM4w=5a
z)Npc6J{+wc^DBEwLSRHl{oib3UsH#4^KDLpi}YJ$?NGSR&rfd668=55s~-!!4<;<w
ztM@_lW-RqQ6^vgUD9gVD7g(iuHpLD2G_4sAMYI$$HtDE*;{KD;hm?`9`FrZWIEy&~
zpjQXKn&ee{L}y35vXe&ZW54F$8p&bf4P}=QEriGM%p|+EdjPudE09sZV<#U7wpX~I
zZyDdf2u`Gl?KNwrp2t*5zHnV*u@*<RS&y6ON#(3@Cx}Z!G%f^gM0YD9l%0!MsTpf9
zxGZAq!<_t`JkFj5au1=-8bOW`=@ii$L%D`1u}4XZ!Dqn3Pm^Su63`HwsK&H%uI{pl
zg&LC+sl3=%Mx(&Ot6*&@xo$ap4)NuWZESf;o;=ICr{Qy>`}soldq#s76K;FWF)j|X
zQ)PQC&N>(fYI-X0FRwmNItoiX;5c$YUxi@t=;r!7wuDVzyoEw|ywFmX>sI~NjFTpN
zKDdvfTpz;GtyMtduKuNT{{yViXX#MU_8I_frOTrzm>WU5iztqmMCy!AS@`!?obj!I
z;k6+yG+YK;WB-I|kXA5rYW%3PTt2y%+CJy5#Kqu9N0nPju8*u={S-0UPu<$w0J+`|
z;Fj)6BcXe^N&I0g#r)(>dU9b%a~F0xk0rP04ky|5^m(q2<^?wuHt$TUo7_?=$)e|<
zG6sMaZqodn6nQtCwBlVTYn<(U?CGr8O?6_(PSlmua3>AxE^vP&pGx-JO59JK4|cx)
zuh}jh#>?*1D=paGJH1pv{)Q~3C<N?9;q{Rg&RVUtj7wyt`FCTLBC%MVtMplztGqY7
zm-@O>?e;ja%qGbH&<!WJz_w?NVIrvlFknCrTjaXMT&vWlKeICkXxuRE^}T7RZT7wa
zeDon?nf*mGeZ?(9RVDsy1q|bSFelr%IW!3R3rZ~8M_%ZvJ@>b}h<O-rdYF$19Nd(b
z-Jo~VS?4TQY9?DO4|ZcNi$aE2Vr>sJ*7?lL<}v~F)k6t#D1C8Gqra}sOPta+qxcz@
z%B^yC(X<SZ!U0va+x}#?2cYiW@gArP&UyMg4H4B*%r!fsaM~tP%FFO;CcO*)&{;nS
z?a-BI<wBqEY4d14yO_2VEyJdq0fP(>42G3d8M)rrQteMyJghorrlU{Gja~KS&RvF+
zL$d=l(ULJ9dEx6IWJD8j2Z8=Qb;A9ZXB335muprdKqdKgaEqTxqPc+)nYu8n;u($B
zTu@lmG#<@mY`(<Tc)-l_RXdxu16gGubDeE&;w;l_%1?Ovx7}d!L!Y_{aZDheiL>uq
zG;FuIJx-2+LOf35|1-IzkChZ1hJ1C7X+Y1m2KXs~k@H3iwcd)rT3Ir%P5R`bCv@Bu
zA0;Zf@WdGL&#_zeJfW*YQE^fufQZtE-St_W&>kg-Sc8Y@ekWG-GbOZ%h|;^aN-WG;
z#hxW$1(Z%S0}RaqCw}_$r#*Ai)_mn7;6X3`+Xd_6q%ml<V_+$IMeq6b;d<&q#$kGv
zLiwuwNAizADzN^oJDX+?EYq?{a{=|1)APZa3a%eqBcz$?{&>!E>KqpXc}n5nI!ol$
z0t4{)qwsJ4fU~BD=vgKXaXF$|9|fdW5fjv|3NE(+-<9~`IsSRzD*E-6l@qxWFziK5
zGNqNsuSd^6P9VIL$rrpl)$CP34!{A+bnt?^(6p1o2m|LLBK=j*`_IsqsjZKXCuM2E
zJE|TxtnI1G)Egmt{c!^SH+7n3RZFIdJC5Mz!f;H}x*hGS5i<##<@GDZ(TxxQSeE&n
zQo{r{^bJ3$aEj2l6p5EIsYVxw!njuW4>=0Q``3sL(#SdPBw>S~uK>v-lCFCYR_B3U
zscIWA0n3EG&|Fw@e=Fh`BwI5w+UZ$?1HFQF(;aq6{AmldT01Z>Pm5-Mdz#V#F$zN#
zr0Gq>-bYZv_<*|Ft7g~T0^tv)5}r=0h*W<;1gLT3eG!mdl0Gb+SiJ|D{UW&LS+7X3
z^@Cu6tQ6QZW<m<kZC$;GypJtWn#Li|eq$Q-ex+9Ij@w!w><r0L5&A*UA?Y7zqQ!d_
z92a<0jG6b1&izkN-PBB!7x>0kf8YOBR33qixufZc6Zo6}u?=f;<}4(;P>8>sJ2{}j
z3~G_kXkYGk27>ImcEX0(clfWktqrDVS!T<%scS1j)&QK?wK6{MdtR?^7%hzpgGxAB
zk{UJp5#ekD7)I+L%@&7!Zw>anDJ&s@lkL?vTBB7&xO6F&Wg=k$wf~>T7nCMEuv9|5
Xmg%Tio`5CDL7$7`Ifr^|K>U9JudKk&

literal 0
HcmV?d00001

diff --git a/src/main/resources/templates/security/cert-sign.html b/src/main/resources/templates/security/cert-sign.html
index 173cd06d..4c3a34d0 100644
--- a/src/main/resources/templates/security/cert-sign.html
+++ b/src/main/resources/templates/security/cert-sign.html
@@ -71,7 +71,7 @@
                     <label for="name" th:text="#{certSign.name}"></label> <input type="text" class="form-control" id="name" name="name">
                   </div>
                   <div class="mb-3">
-                    <label for="pageNumber" th:text="#{pageNum}"></label> <input type="number" class="form-control" id="pageNumber" name="pageNumber" min="1" disabled>
+                    <label for="pageNumber" th:text="#{pageNum}"></label> <input type="number" class="form-control" id="pageNumber" name="pageNumber" min="1">
                   </div>
                 </div>
                 <div class="mb-3 text-left">