PNG
�
���
IHDR�������������x����sBIT����|�d��� pHYs�������+������tEXtSoftware�www.inkscape.org<���,tEXtComment�
File Manager
File Manager
Viewing File: x509.js
// Copyright 2017 Joyent, Inc.
module.exports = {
read: read,
verify: verify,
sign: sign,
signAsync: signAsync,
write: write
};
var assert = require('assert-plus');
var asn1 = require('asn1');
var Buffer = require('safer-buffer').Buffer;
var algs = require('../algs');
var utils = require('../utils');
var Key = require('../key');
var PrivateKey = require('../private-key');
var pem = require('./pem');
var Identity = require('../identity');
var Signature = require('../signature');
var Certificate = require('../certificate');
var pkcs8 = require('./pkcs8');
/*
* This file is based on RFC5280 (X.509).
*/
/* Helper to read in a single mpint */
function readMPInt(der, nm) {
assert.strictEqual(der.peek(), asn1.Ber.Integer,
nm + ' is not an Integer');
return (utils.mpNormalize(der.readString(asn1.Ber.Integer, true)));
}
function verify(cert, key) {
var sig = cert.signatures.x509;
assert.object(sig, 'x509 signature');
var algParts = sig.algo.split('-');
if (algParts[0] !== key.type)
return (false);
var blob = sig.cache;
if (blob === undefined) {
var der = new asn1.BerWriter();
writeTBSCert(cert, der);
blob = der.buffer;
}
var verifier = key.createVerify(algParts[1]);
verifier.write(blob);
return (verifier.verify(sig.signature));
}
function Local(i) {
return (asn1.Ber.Context | asn1.Ber.Constructor | i);
}
function Context(i) {
return (asn1.Ber.Context | i);
}
var SIGN_ALGS = {
'rsa-md5': '1.2.840.113549.1.1.4',
'rsa-sha1': '1.2.840.113549.1.1.5',
'rsa-sha256': '1.2.840.113549.1.1.11',
'rsa-sha384': '1.2.840.113549.1.1.12',
'rsa-sha512': '1.2.840.113549.1.1.13',
'dsa-sha1': '1.2.840.10040.4.3',
'dsa-sha256': '2.16.840.1.101.3.4.3.2',
'ecdsa-sha1': '1.2.840.10045.4.1',
'ecdsa-sha256': '1.2.840.10045.4.3.2',
'ecdsa-sha384': '1.2.840.10045.4.3.3',
'ecdsa-sha512': '1.2.840.10045.4.3.4',
'ed25519-sha512': '1.3.101.112'
};
Object.keys(SIGN_ALGS).forEach(function (k) {
SIGN_ALGS[SIGN_ALGS[k]] = k;
});
SIGN_ALGS['1.3.14.3.2.3'] = 'rsa-md5';
SIGN_ALGS['1.3.14.3.2.29'] = 'rsa-sha1';
var EXTS = {
'issuerKeyId': '2.5.29.35',
'altName': '2.5.29.17',
'basicConstraints': '2.5.29.19',
'keyUsage': '2.5.29.15',
'extKeyUsage': '2.5.29.37'
};
function read(buf, options) {
if (typeof (buf) === 'string') {
buf = Buffer.from(buf, 'binary');
}
assert.buffer(buf, 'buf');
var der = new asn1.BerReader(buf);
der.readSequence();
if (Math.abs(der.length - der.remain) > 1) {
throw (new Error('DER sequence does not contain whole byte ' +
'stream'));
}
var tbsStart = der.offset;
der.readSequence();
var sigOffset = der.offset + der.length;
var tbsEnd = sigOffset;
if (der.peek() === Local(0)) {
der.readSequence(Local(0));
var version = der.readInt();
assert.ok(version <= 3,
'only x.509 versions up to v3 supported');
}
var cert = {};
cert.signatures = {};
var sig = (cert.signatures.x509 = {});
sig.extras = {};
cert.serial = readMPInt(der, 'serial');
der.readSequence();
var after = der.offset + der.length;
var certAlgOid = der.readOID();
var certAlg = SIGN_ALGS[certAlgOid];
if (certAlg === undefined)
throw (new Error('unknown signature algorithm ' + certAlgOid));
der._offset = after;
cert.issuer = Identity.parseAsn1(der);
der.readSequence();
cert.validFrom = readDate(der);
cert.validUntil = readDate(der);
cert.subjects = [Identity.parseAsn1(der)];
der.readSequence();
after = der.offset + der.length;
cert.subjectKey = pkcs8.readPkcs8(undefined, 'public', der);
der._offset = after;
/* issuerUniqueID */
if (der.peek() === Local(1)) {
der.readSequence(Local(1));
sig.extras.issuerUniqueID =
buf.slice(der.offset, der.offset + der.length);
der._offset += der.length;
}
/* subjectUniqueID */
if (der.peek() === Local(2)) {
der.readSequence(Local(2));
sig.extras.subjectUniqueID =
buf.slice(der.offset, der.offset + der.length);
der._offset += der.length;
}
/* extensions */
if (der.peek() === Local(3)) {
der.readSequence(Local(3));
var extEnd = der.offset + der.length;
der.readSequence();
while (der.offset < extEnd)
readExtension(cert, buf, der);
assert.strictEqual(der.offset, extEnd);
}
assert.strictEqual(der.offset, sigOffset);
der.readSequence();
after = der.offset + der.length;
var sigAlgOid = der.readOID();
var sigAlg = SIGN_ALGS[sigAlgOid];
if (sigAlg === undefined)
throw (new Error('unknown signature algorithm ' + sigAlgOid));
der._offset = after;
var sigData = der.readString(asn1.Ber.BitString, true);
if (sigData[0] === 0)
sigData = sigData.slice(1);
var algParts = sigAlg.split('-');
sig.signature = Signature.parse(sigData, algParts[0], 'asn1');
sig.signature.hashAlgorithm = algParts[1];
sig.algo = sigAlg;
sig.cache = buf.slice(tbsStart, tbsEnd);
return (new Certificate(cert));
}
function readDate(der) {
if (der.peek() === asn1.Ber.UTCTime) {
return (utcTimeToDate(der.readString(asn1.Ber.UTCTime)));
} else if (der.peek() === asn1.Ber.GeneralizedTime) {
return (gTimeToDate(der.readString(asn1.Ber.GeneralizedTime)));
} else {
throw (new Error('Unsupported date format'));
}
}
function writeDate(der, date) {
if (date.getUTCFullYear() >= 2050 || date.getUTCFullYear() < 1950) {
der.writeString(dateToGTime(date), asn1.Ber.GeneralizedTime);
} else {
der.writeString(dateToUTCTime(date), asn1.Ber.UTCTime);
}
}
/* RFC5280, section 4.2.1.6 (GeneralName type) */
var ALTNAME = {
OtherName: Local(0),
RFC822Name: Context(1),
DNSName: Context(2),
X400Address: Local(3),
DirectoryName: Local(4),
EDIPartyName: Local(5),
URI: Context(6),
IPAddress: Context(7),
OID: Context(8)
};
/* RFC5280, section 4.2.1.12 (KeyPurposeId) */
var EXTPURPOSE = {
'serverAuth': '1.3.6.1.5.5.7.3.1',
'clientAuth': '1.3.6.1.5.5.7.3.2',
'codeSigning': '1.3.6.1.5.5.7.3.3',
/* See https://github.com/joyent/oid-docs/blob/master/root.md */
'joyentDocker': '1.3.6.1.4.1.38678.1.4.1',
'joyentCmon': '1.3.6.1.4.1.38678.1.4.2'
};
var EXTPURPOSE_REV = {};
Object.keys(EXTPURPOSE).forEach(function (k) {
EXTPURPOSE_REV[EXTPURPOSE[k]] = k;
});
var KEYUSEBITS = [
'signature', 'identity', 'keyEncryption',
'encryption', 'keyAgreement', 'ca', 'crl'
];
function readExtension(cert, buf, der) {
der.readSequence();
var after = der.offset + der.length;
var extId = der.readOID();
var id;
var sig = cert.signatures.x509;
if (!sig.extras.exts)
sig.extras.exts = [];
var critical;
if (der.peek() === asn1.Ber.Boolean)
critical = der.readBoolean();
switch (extId) {
case (EXTS.basicConstraints):
der.readSequence(asn1.Ber.OctetString);
der.readSequence();
var bcEnd = der.offset + der.length;
var ca = false;
if (der.peek() === asn1.Ber.Boolean)
ca = der.readBoolean();
if (cert.purposes === undefined)
cert.purposes = [];
if (ca === true)
cert.purposes.push('ca');
var bc = { oid: extId, critical: critical };
if (der.offset < bcEnd && der.peek() === asn1.Ber.Integer)
bc.pathLen = der.readInt();
sig.extras.exts.push(bc);
break;
case (EXTS.extKeyUsage):
der.readSequence(asn1.Ber.OctetString);
der.readSequence();
if (cert.purposes === undefined)
cert.purposes = [];
var ekEnd = der.offset + der.length;
while (der.offset < ekEnd) {
var oid = der.readOID();
cert.purposes.push(EXTPURPOSE_REV[oid] || oid);
}
/*
* This is a bit of a hack: in the case where we have a cert
* that's only allowed to do serverAuth or clientAuth (and not
* the other), we want to make sure all our Subjects are of
* the right type. But we already parsed our Subjects and
* decided if they were hosts or users earlier (since it appears
* first in the cert).
*
* So we go through and mutate them into the right kind here if
* it doesn't match. This might not be hugely beneficial, as it
* seems that single-purpose certs are not often seen in the
* wild.
*/
if (cert.purposes.indexOf('serverAuth') !== -1 &&
cert.purposes.indexOf('clientAuth') === -1) {
cert.subjects.forEach(function (ide) {
if (ide.type !== 'host') {
ide.type = 'host';
ide.hostname = ide.uid ||
ide.email ||
ide.components[0].value;
}
});
} else if (cert.purposes.indexOf('clientAuth') !== -1 &&
cert.purposes.indexOf('serverAuth') === -1) {
cert.subjects.forEach(function (ide) {
if (ide.type !== 'user') {
ide.type = 'user';
ide.uid = ide.hostname ||
ide.email ||
ide.components[0].value;
}
});
}
sig.extras.exts.push({ oid: extId, critical: critical });
break;
case (EXTS.keyUsage):
der.readSequence(asn1.Ber.OctetString);
var bits = der.readString(asn1.Ber.BitString, true);
var setBits = readBitField(bits, KEYUSEBITS);
setBits.forEach(function (bit) {
if (cert.purposes === undefined)
cert.purposes = [];
if (cert.purposes.indexOf(bit) === -1)
cert.purposes.push(bit);
});
sig.extras.exts.push({ oid: extId, critical: critical,
bits: bits });
break;
case (EXTS.altName):
der.readSequence(asn1.Ber.OctetString);
der.readSequence();
var aeEnd = der.offset + der.length;
while (der.offset < aeEnd) {
switch (der.peek()) {
case ALTNAME.OtherName:
case ALTNAME.EDIPartyName:
der.readSequence();
der._offset += der.length;
break;
case ALTNAME.OID:
der.readOID(ALTNAME.OID);
break;
case ALTNAME.RFC822Name:
/* RFC822 specifies email addresses */
var email = der.readString(ALTNAME.RFC822Name);
id = Identity.forEmail(email);
if (!cert.subjects[0].equals(id))
cert.subjects.push(id);
break;
case ALTNAME.DirectoryName:
der.readSequence(ALTNAME.DirectoryName);
id = Identity.parseAsn1(der);
if (!cert.subjects[0].equals(id))
cert.subjects.push(id);
break;
case ALTNAME.DNSName:
var host = der.readString(
ALTNAME.DNSName);
id = Identity.forHost(host);
if (!cert.subjects[0].equals(id))
cert.subjects.push(id);
break;
default:
der.readString(der.peek());
break;
}
}
sig.extras.exts.push({ oid: extId, critical: critical });
break;
default:
sig.extras.exts.push({
oid: extId,
critical: critical,
data: der.readString(asn1.Ber.OctetString, true)
});
break;
}
der._offset = after;
}
var UTCTIME_RE =
/^([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;
function utcTimeToDate(t) {
var m = t.match(UTCTIME_RE);
assert.ok(m, 'timestamps must be in UTC');
var d = new Date();
var thisYear = d.getUTCFullYear();
var century = Math.floor(thisYear / 100) * 100;
var year = parseInt(m[1], 10);
if (thisYear % 100 < 50 && year >= 60)
year += (century - 1);
else
year += century;
d.setUTCFullYear(year, parseInt(m[2], 10) - 1, parseInt(m[3], 10));
d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));
if (m[6] && m[6].length > 0)
d.setUTCSeconds(parseInt(m[6], 10));
return (d);
}
var GTIME_RE =
/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;
function gTimeToDate(t) {
var m = t.match(GTIME_RE);
assert.ok(m);
var d = new Date();
d.setUTCFullYear(parseInt(m[1], 10), parseInt(m[2], 10) - 1,
parseInt(m[3], 10));
d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));
if (m[6] && m[6].length > 0)
d.setUTCSeconds(parseInt(m[6], 10));
return (d);
}
function zeroPad(n, m) {
if (m === undefined)
m = 2;
var s = '' + n;
while (s.length < m)
s = '0' + s;
return (s);
}
function dateToUTCTime(d) {
var s = '';
s += zeroPad(d.getUTCFullYear() % 100);
s += zeroPad(d.getUTCMonth() + 1);
s += zeroPad(d.getUTCDate());
s += zeroPad(d.getUTCHours());
s += zeroPad(d.getUTCMinutes());
s += zeroPad(d.getUTCSeconds());
s += 'Z';
return (s);
}
function dateToGTime(d) {
var s = '';
s += zeroPad(d.getUTCFullYear(), 4);
s += zeroPad(d.getUTCMonth() + 1);
s += zeroPad(d.getUTCDate());
s += zeroPad(d.getUTCHours());
s += zeroPad(d.getUTCMinutes());
s += zeroPad(d.getUTCSeconds());
s += 'Z';
return (s);
}
function sign(cert, key) {
if (cert.signatures.x509 === undefined)
cert.signatures.x509 = {};
var sig = cert.signatures.x509;
sig.algo = key.type + '-' + key.defaultHashAlgorithm();
if (SIGN_ALGS[sig.algo] === undefined)
return (false);
var der = new asn1.BerWriter();
writeTBSCert(cert, der);
var blob = der.buffer;
sig.cache = blob;
var signer = key.createSign();
signer.write(blob);
cert.signatures.x509.signature = signer.sign();
return (true);
}
function signAsync(cert, signer, done) {
if (cert.signatures.x509 === undefined)
cert.signatures.x509 = {};
var sig = cert.signatures.x509;
var der = new asn1.BerWriter();
writeTBSCert(cert, der);
var blob = der.buffer;
sig.cache = blob;
signer(blob, function (err, signature) {
if (err) {
done(err);
return;
}
sig.algo = signature.type + '-' + signature.hashAlgorithm;
if (SIGN_ALGS[sig.algo] === undefined) {
done(new Error('Invalid signing algorithm "' +
sig.algo + '"'));
return;
}
sig.signature = signature;
done();
});
}
function write(cert, options) {
var sig = cert.signatures.x509;
assert.object(sig, 'x509 signature');
var der = new asn1.BerWriter();
der.startSequence();
if (sig.cache) {
der._ensure(sig.cache.length);
sig.cache.copy(der._buf, der._offset);
der._offset += sig.cache.length;
} else {
writeTBSCert(cert, der);
}
der.startSequence();
der.writeOID(SIGN_ALGS[sig.algo]);
if (sig.algo.match(/^rsa-/))
der.writeNull();
der.endSequence();
var sigData = sig.signature.toBuffer('asn1');
var data = Buffer.alloc(sigData.length + 1);
data[0] = 0;
sigData.copy(data, 1);
der.writeBuffer(data, asn1.Ber.BitString);
der.endSequence();
return (der.buffer);
}
function writeTBSCert(cert, der) {
var sig = cert.signatures.x509;
assert.object(sig, 'x509 signature');
der.startSequence();
der.startSequence(Local(0));
der.writeInt(2);
der.endSequence();
der.writeBuffer(utils.mpNormalize(cert.serial), asn1.Ber.Integer);
der.startSequence();
der.writeOID(SIGN_ALGS[sig.algo]);
if (sig.algo.match(/^rsa-/))
der.writeNull();
der.endSequence();
cert.issuer.toAsn1(der);
der.startSequence();
writeDate(der, cert.validFrom);
writeDate(der, cert.validUntil);
der.endSequence();
var subject = cert.subjects[0];
var altNames = cert.subjects.slice(1);
subject.toAsn1(der);
pkcs8.writePkcs8(der, cert.subjectKey);
if (sig.extras && sig.extras.issuerUniqueID) {
der.writeBuffer(sig.extras.issuerUniqueID, Local(1));
}
if (sig.extras && sig.extras.subjectUniqueID) {
der.writeBuffer(sig.extras.subjectUniqueID, Local(2));
}
if (altNames.length > 0 || subject.type === 'host' ||
(cert.purposes !== undefined && cert.purposes.length > 0) ||
(sig.extras && sig.extras.exts)) {
der.startSequence(Local(3));
der.startSequence();
var exts = [];
if (cert.purposes !== undefined && cert.purposes.length > 0) {
exts.push({
oid: EXTS.basicConstraints,
critical: true
});
exts.push({
oid: EXTS.keyUsage,
critical: true
});
exts.push({
oid: EXTS.extKeyUsage,
critical: true
});
}
exts.push({ oid: EXTS.altName });
if (sig.extras && sig.extras.exts)
exts = sig.extras.exts;
for (var i = 0; i < exts.length; ++i) {
der.startSequence();
der.writeOID(exts[i].oid);
if (exts[i].critical !== undefined)
der.writeBoolean(exts[i].critical);
if (exts[i].oid === EXTS.altName) {
der.startSequence(asn1.Ber.OctetString);
der.startSequence();
if (subject.type === 'host') {
der.writeString(subject.hostname,
Context(2));
}
for (var j = 0; j < altNames.length; ++j) {
if (altNames[j].type === 'host') {
der.writeString(
altNames[j].hostname,
ALTNAME.DNSName);
} else if (altNames[j].type ===
'email') {
der.writeString(
altNames[j].email,
ALTNAME.RFC822Name);
} else {
/*
* Encode anything else as a
* DN style name for now.
*/
der.startSequence(
ALTNAME.DirectoryName);
altNames[j].toAsn1(der);
der.endSequence();
}
}
der.endSequence();
der.endSequence();
} else if (exts[i].oid === EXTS.basicConstraints) {
der.startSequence(asn1.Ber.OctetString);
der.startSequence();
var ca = (cert.purposes.indexOf('ca') !== -1);
var pathLen = exts[i].pathLen;
der.writeBoolean(ca);
if (pathLen !== undefined)
der.writeInt(pathLen);
der.endSequence();
der.endSequence();
} else if (exts[i].oid === EXTS.extKeyUsage) {
der.startSequence(asn1.Ber.OctetString);
der.startSequence();
cert.purposes.forEach(function (purpose) {
if (purpose === 'ca')
return;
if (KEYUSEBITS.indexOf(purpose) !== -1)
return;
var oid = purpose;
if (EXTPURPOSE[purpose] !== undefined)
oid = EXTPURPOSE[purpose];
der.writeOID(oid);
});
der.endSequence();
der.endSequence();
} else if (exts[i].oid === EXTS.keyUsage) {
der.startSequence(asn1.Ber.OctetString);
/*
* If we parsed this certificate from a byte
* stream (i.e. we didn't generate it in sshpk)
* then we'll have a ".bits" property on the
* ext with the original raw byte contents.
*
* If we have this, use it here instead of
* regenerating it. This guarantees we output
* the same data we parsed, so signatures still
* validate.
*/
if (exts[i].bits !== undefined) {
der.writeBuffer(exts[i].bits,
asn1.Ber.BitString);
} else {
var bits = writeBitField(cert.purposes,
KEYUSEBITS);
der.writeBuffer(bits,
asn1.Ber.BitString);
}
der.endSequence();
} else {
der.writeBuffer(exts[i].data,
asn1.Ber.OctetString);
}
der.endSequence();
}
der.endSequence();
der.endSequence();
}
der.endSequence();
}
/*
* Reads an ASN.1 BER bitfield out of the Buffer produced by doing
* `BerReader#readString(asn1.Ber.BitString)`. That function gives us the raw
* contents of the BitString tag, which is a count of unused bits followed by
* the bits as a right-padded byte string.
*
* `bits` is the Buffer, `bitIndex` should contain an array of string names
* for the bits in the string, ordered starting with bit #0 in the ASN.1 spec.
*
* Returns an array of Strings, the names of the bits that were set to 1.
*/
function readBitField(bits, bitIndex) {
var bitLen = 8 * (bits.length - 1) - bits[0];
var setBits = {};
for (var i = 0; i < bitLen; ++i) {
var byteN = 1 + Math.floor(i / 8);
var bit = 7 - (i % 8);
var mask = 1 << bit;
var bitVal = ((bits[byteN] & mask) !== 0);
var name = bitIndex[i];
if (bitVal && typeof (name) === 'string') {
setBits[name] = true;
}
}
return (Object.keys(setBits));
}
/*
* `setBits` is an array of strings, containing the names for each bit that
* sould be set to 1. `bitIndex` is same as in `readBitField()`.
*
* Returns a Buffer, ready to be written out with `BerWriter#writeString()`.
*/
function writeBitField(setBits, bitIndex) {
var bitLen = bitIndex.length;
var blen = Math.ceil(bitLen / 8);
var unused = blen * 8 - bitLen;
var bits = Buffer.alloc(1 + blen); // zero-filled
bits[0] = unused;
for (var i = 0; i < bitLen; ++i) {
var byteN = 1 + Math.floor(i / 8);
var bit = 7 - (i % 8);
var mask = 1 << bit;
var name = bitIndex[i];
if (name === undefined)
continue;
var bitVal = (setBits.indexOf(name) !== -1);
if (bitVal) {
bits[byteN] |= mask;
}
}
return (bits);
}
�b�� �IDATxytVսϓ�22� ��A@�I�R�:hCi�Z[v*E:WũZA ^d�Q�e�Q @ !�jZ'>gsV仿$|?g)&x-E�IENT ;�@x�T.i%-X�}�Sv��S5.r/��UHz^_$-W"�w)Ɗ/�@Z &IoX��P$K}��JzX:;`�� �&, �ŋui,e6mX
�Եr��Kb1ԗ)����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A������݀!I*]R;I2$e�Z#ORZSrr�6mteffu*((Pu'v{����DIߔ4^pIm��'77WEEE�;vƎ�4-����$]'RI{���\I&G� ��:IHJ
�DWBB=\WRm�
��o$K(V�9��ABB.�}jѢv��`^?IOȅ}���ڶmG�}T#FJ`5��6$-���ھ}F�I&v;0(h;��Б����38CӧOWf!;�A
�i:F��_m�9s&�|��q�%=#���wZprrrl��a
�A� &��P\\СC[A#�!� {��olF}
`E2}�MK/v�V��)i�{��4BffV\|ۭX��`�b�@kɶ@��%i$K���z5zhmX���[��IXZ��` 'b%$�r5�M4º��/l
ԃ�ߖ��xhʔ)[@=}
K6IM}^��5k㏷݆z
ΗÿO:gdGBmyT/�@+Vɶ�纽zl.yit뭷zV��0[Y^�>Wsqs}\/�@$(T7f.Inݺi����R$푔n.�~?H))\Z��RW'Mo~v
Ov�6oԃ���xz!��S,&xm/yɞԟ?'ua�S�ѽb,�8GלKboi&3�t7Y,�)JJ�����c[nzӳd�E�&K�sZLӄ��I���?�@���&�%ӟ۶mSMMњ0�iؐSZ,���|J+N
�~�,0A�0!5%Q-�YQQa�3��}$_vVr�f9f?S��8`��z���D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����d�qP,تmMmg��1V?�rSI꒟]u|l
R�CyEf٢9�jURbztѰ!m5~tGj2DhG*{H9)꒟ר3:(+3\?/;TUݭʴ~S6lڧUJ�*�i$d(#=Yݺd{,p|3B))���q:vN0Y.jkק6;Sɶ�VzHJJЀ-utѹսk>QUU�\~]fFnK?�&ߡ�5b=z9)^|u�_k-[��y%ZNU6 7Mi�:]ۦ�tk�[n
�X(e6��Bb."8cۭ|~te��uu�w|ήI-5"~U�k;ZicEm�N/:]M>
��c�Q^uiƞ�??Ң�p�c#��TUU3UakNwA`�:�Y_V-8.KKfRi�tv*
�9S6ֿj,Ճ�NOMߤ]z^fOh|<>�@Å5���_�/Iu?{SY4hK�/2�]�4%it5�q]GGe��2%iR|
�W&�f��*^]??v�q[LgE_3f}Fxu~}qd-ږFxu~I N��>\;͗O֊:̗WJ�@���Bh�W�=y�|GgwܷH_NY�?)�Tdi'?խw�hlmQi� ��!SUUs�w4kӺe�4rfxu�-[nHt�MFj}H_u~w>)oV}(T'ebʒv3_[+vn����@Ȭ\S}ot}w=k�HFnxg�S 0eޢm�~l}u�qZf�F��oZuuEg
�`z�t~?�b;t%�>WTkķh[����2eG8LIWx,�^\thr�l^Ϊ�{�=dž�<}qV@ �⠨W�y^L�F_>0Uk��D�uʫuCs$)I��v�:IK�;��6ֲ4{^6����եm+l��3>݆�uM 9�u�����?>Zc�}g~qhKwڭ�e���FMM~pМuq�ǿz6Tb@8�@Y|jx]�(^]gf}�M"tG
����-w.@�vOqh~/HII�`���S[l.6nØXL9v�U���cOoB\�xo�Ǥ'T&I��Ǎ�Qw_wpv[kmO{w~>#=P1P�ɞa-we:iǏlHo꒟f9SzH?+shk%Fs:����q��VhqY�`jvO'ρ?PyX3lх]˾uV{ݞ]1,MzYNW~̈́�joYn}ȚF߾mS]F� z+EDxm/���d{F�{-W-4wY듏:??_gPf
^3��ecg ���ҵs�8R2מz�@T�A�N�Gj)}CNi/R~}c:5{!�ZHӋӾ�6}T]��G�]7W6^�n
9*,Y�qOZj�:P?Q� D���FL|?-^.Ɵ7��}fFhxe2Ps���cz1�&�5\��cn[=Vn�[ĶE鎀u�ˌd3GII ��k;lNmشOuuRVfBE]ۣ��e���Ӷu�
:X-[(�e�r4~LHi6�:Ѻ@ԅ��r���ST�0�trk%$Č�0���ez"� *�z�"�T/X9|8.C5Feg}�C�Q%͞�ˣJ�v�L/?�����j^��h��&��9xF`њZ�(��&��yF&Iݻf�g�����#W;3^{Wo^4'v������V[[K';+mӍִ]��AC�@��W?1^{එyh�����+^]fm~iԵ]��AB�@WTk̏t�uR?l.OIHiYyԶ]��Aˀ�7c:q}ힽaf6Z~қ�m(+sK4{^6}T�*UUu]�n.:kx{:2 ��_m=�sAߤU@?���Z-Vކе��z왍Nэ{�|5��� pڶn�b
p-@sPg]0G7fy-M{GCF'%{4`���=$-Ge\��eU:m+Zt'W�jO!O�AF�@ik&t݆�ϥ�_
e}=]��"���Wz_.͜E3leW�������Fih|t-wZۍ-uw=6���YN�{6|}��|�*={Ѽn.�S��.�z1z�jۻTH]흾 D�uD�v��mvK�.`���V]yY~sI@t?/ϓ. �����m&[�"��+P?MzovV�ЫG3-�G�RR��[�(!!\_,�^%?v�@���ҵő
m`Y)te�m8GM��x.))A]Y�i`ViW`��?^�~!�S#^+ѽ��GZj?Vģ����0.))AlzL*�]�OXrY���`DBBLOj{-MH'ii-ϰ�o�k7^��
�)쭡��b]UXS�ְmռY|5�*cֽk�0B7镹%ڽP#�8nȎq}mJr23�_>�l�E5$iwui+ ��H~F`�IjƵ�@q
��\�� ��@#qG�0"��.�0"����� l���������`������.�0!����� ,��AQ�HN6�qz�kKJ#�o;`Xv�2>,tێJJ7Z/*�A���.@fفjMzk�g�����@Tv�ZH3Zxu6Ra'%O?/�d���Q�5x�Yk�U]Rֽkق@���Da�S^RS�ּ5�|BeHNN͘p
��H�v���cYcC5:y
#`οb;�z����2��.!kr}gUWkyZn=�f ����P�v��s�n3p~�;4p˚=ē~NmI] ��¾�0lH[_L�hs�h_�ғߤ�c_њe��c)��g�7V�IZ5�yrgk̞W#IjӪv>՞y睝M8[��|�]\շ�8M�6%|@P����ZڨI-m>=k�=��'a�iRo-x�?>Q.����}�`Ȏ:Wsm�u u� ��>
.@,&;�+!!�˱tﭧD����Qw�RW\v�F\~Q7>sp���Yw�$�%A~;~}6���¾�g��&if_��=j,v+U���L�1(tW�a�ke�:�@Ș>j$Gq2t7S?v�L|]u/ .(�0�E��6Mk6hiۺzښOr�ifޱxm/Gx>� �Lal%%~{lBsR4*�}{0Z/�tN�IɚpV�^#�Lf:u@k#RS�u
=S^ZyuR/�.@n&z~B=0eg�뺆#�,Þ[����B�/?H �uUf7y
Wy}Bw�egל`�Wh(||`l`.;Ws�?V@"�c:iɍL֯PGv�6z�ctM̠':wuW��;d=;E�veD}9J�@���B(�0iհ���bvP1{\P&G7DIy�_$-Q��jm~Yrr&]C�Dv%��bh|�Yzni�_���R�;kg}nJOIIw��y�u�L}{ЌNj}:+3Y?:W�J/N+Rzd=hb�;d�j͒suݔ@NKMԄ�jqzC5�@y°h�L�m;*5ezᕏ=ep
�XL�n?מ:r`��۵�tŤZ|1v`V뽧_csج'ߤ%oTuumk%%%h)uy]Nk�[n
�'b2 ��l.=�͜E%�gf$[c;s:�V-͞WߤWh-j7]4��=F-X]>ZLSi[Y*We;�Zan(Ӈ�W|e(HNNP�5[=
r4tP�
�&0<�p�c#�`vTNV
GFqvTi�*�Tyam$ߏWyE*�VJKMTfF�w�����>'�$-ؽ.Ho.8c�"@���D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A~�j*�֘,��N;Pi3599h=g�oض��L��giJ5փy~�}&Zd9�p֚
e:|hL`�`b/d9�p?�fgg+%%hMg�Xosج�, �ΩOl0Zh=x�djL���mhݻ��o��O��[g_l,�8a]٭+ӧ0�$I�]����c]:粹:Teꢢ"5a^Kgh,&�=��=�՟�^߶ߢE�ܹS J}I%:8��
IDAT~,9/ʃ�PW'Mo�}zNƍ쨓zPb��NZ~^z�=4mswg;5 Y�~�SVMR��XUյڱRf?s:w
;�6��H:º���i�5�-maM�&O�3�;�1IKeam��Zh͛7+##v+c� ~u~ca]�GnF'ټL~����PPPbn
v�oC���4R,�ӟgg��%hq}�@#M4IÇ��� �Oy^xM��Zx
) ���yO�w��@HkN˖-Sǎ�mb]X�@�n+i͖��!++K3gd\��$mt$^���Yf��J�\�8PRF��)77Wא!Cl����$i:��@@_o�G��� I{$# ��8磌ŋ9�1A�(�Im7��֭>}ߴJq�7ޗt^� -[ԩSj*�}�%]&'
-��ɓ'ꫯVzzvB#;�a
�7@GxI{�jƌ�.LÇ�WBB7�`O"I$�/@R���@�eee@���۷��>}0���,ɒ2$53Xs|cS~r�pTYYY}� k�Hc��%&k�.], �@��A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A������@lT<%''*Lo^={رc5h %$�+CnܸQ3fҥK}vUVVs9G�
R,_{�xˇ�3��o߾;TTTd�}�馛]uuuG~iԩ�@4����bn�vmv�fϞ�/Peeeq}}�z���a
�I~,誫{UWW뮻}_~YƍSMMMYχ��֝waw��\�ď�cxꩧtE�ƍ�կ_?۷5�@u���?�1kNׯWzz/wy>}zj3 k��(ٺu�q_Zvf̘:~��AB�Q&r|��!�%KҥKg�����Ԟ={<_X-z� !�C�yFUUz~��AB�QIIIjݺ�W��$���UXXDٳZ~��AB�Qƍec�W��$<�(~<��RSSvZujjjԧO�ZQu�@4 8m&&&jԩg��$�ď�1h ͟?_{768��@��g
�=�@���`)))5o6m�3����)��ѣƌ�J;wҿUTT��/KZR{��~a=�@��0o<*狔�iFɶ[ˎ�;T]]��OX�@�?K.ۈxN ����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������pP���fl߾]��,{ァk۶mڿo5�����BTӦMӴiӴ|r D����B2e�|An�!D��y'tkΝ[A��� $***t5'
"���!駟�oa�D�����nΝ�:t֭[g�D����ШQ�0����6qD;@���� x M6v�(����Piizm�Z����4e�w��"��@��������̴ixf������[~-F���ٱc�&I�Z����2|n�!�?�$��@{[�HTɏ����#@h�����Ȏ����I�#�_m��(���F��/6Z3�z'\r,�����r!;�w2Z3j=~�G���Y�7"I$i����I.����p_"����?���p�����N`�����y�D���D�����?:��� �_����������������������� �G����ÿa���b7�����J�!���Bx���@0 ���Bo�����
����cG���������@`1C�����[���@0G����
����@`0C�����_���u�����V1 ���aC���X����>���W�` ���|�������`!���<�����S�`"���<�.�����`#���c�����`�?�����c�A����������C���4
?����c���� �p#����~���@0����?:���0���8&����_�M���Q1���J�h#����?���/`���7;����I����������q�7���a�w���Q����A����1�H���p
�!��#�<���8/#��@1Ul7��=S=K.4Z�?�E����_$i�@��������!���1�!E���4�?���`����P_�� ��������@��B���ă�1���0#���:�"����a�U,xb��F�Y1
[n��|��n
���#'��v��EH:`�x��b
��#��v����D��4�Y hi.i&�EΖv#��O�� H��4�IŶ�}:Ik��h��@�tZRF���#�(tXҙ��zZ ?�I3l7��q��@õ|ۍ�1,�G��puY�� �Ꮿ@�hJv#��x��xk$
v#�9��5�}_$��c �S#=+"K�{F�*m7`#�%H:NRS��p6I?sIՖ{A�p$I�$�I:QRv2$Z�@UJ*$]<��F�O4�����IENDB`