From 0b7a217f22411c522fd6d5b5d03bebd96a5ebe9c Mon Sep 17 00:00:00 2001
From: Matt Cobb <reachcobb@gmail.com>
Date: Tue, 30 Nov 2021 14:44:30 -0800
Subject: [PATCH] Cobb/ls 26157.saml vuln (#5)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* bugfix: New sometimes selected the wrong EntityDescriptor when parsing a metadata file with multiple EntityDescriptor's underneath a EntitiesDescriptor tag

* Add syntax highlight

* expose CookieMaxAge in samlsp Options

* Enable persistent name id format (#107)

* Enable persistent name id format

* add ability to set the domain for the cookies (#95)

* Fixed script hash to remove JS console errors when redirecting (#117)

@RichardKnop PR#94

* saml{sp,idp}: add httpOnly and secure flag (conditionally) to cookies (#116)

* Use dep package manager (#114)

* use dep package manager
* updated travis

* Fix example code so that it compiles (#118)

* expose ForceAuthn (#119)

* fix validUntil in SPSSODescriptor

fixes #123

* samlsp.Middleware.SecureCookie option (#128)

* remove cruft

* update README

* fix some minor lint / style errors

* samlsp: use current time for the JWT rather than the IssueInstant from the assertion (#130)

fixes #122

jwt-go not support leeway parameter

* travis cleanup: remove older go versions (#132)

* samlsp: remove X-Saml headers in favor of attaching Claims to request context (#131)

* samlsp: move the setting and reading of cookies into an interface (#133)

We’ve had a bunch of changes requesting the ability to customize
how cookies are set and it is getting a little messy. This change
moves the code to setting and reading cookies into two interfaces
which you can extend/customize.

* add field to IdpAuthnRequest so you can externally control the “current” time (#136)

The default is obviously the current time, but for various reasons you may wish to evaluate the
response at a different reference time, for example processing a response that has been deferred.

We can’t use the global TimeNow() thunk, which is designed for testing, because it isn’t safe to modify concurrently.

* idp: handle assertions where no ACS url is specified (#139)

* add test cases for SAML comment injection (#140)

ref: CVE-2017-11427
ref: CVE-2017-11428
ref: CVE-2017-11429
ref: CVE-2017-11430
ref: CVE-2018-0489
ref: CVE-2018-7340
ref: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

* Update PGP key in README.md

* make MaxIssueDelay configurable at runtime (mini-hack)

* Remove the default xmlns from the expected output because the encoder does not reset the default.  Should resolve the test for issue 152. (#158)

* Added Travis badge (#159)

* Fixed some typos in the README.md file. (#160)

* dep ensure [ch16254] (#156)

* add the ability to use custom cookie names and domain

* fix missing time on IDP-initiated IdpAuthnRequest (#147)

* added godoc badge to README.md (#143)

* made selected binding configureable (#144)

* Fix AES decryption (#142)

Fix AES decryption by decrypting the EncryptedKey from the response, and passing
the decrypted key to the data encryption.

* idp: Allow intermediates to be encoded in signature (#127)

* idp: Make signature method configurable (#126)

* Removed %s format for claims audience not matching Provider EntityID for #154 (#161)

* add support for a logout URL binding

* add stale integration

ref: https://probot.github.io/apps/stale/

* add support for other external middleware (#184)

Changed samlsp/middleware.go to move the request handling part of the RequireAccount method out into a separate public method attached to the middleware type which can be used as a stand alone HTTP RequestHandler. That way the Handler can be used with other middleware chains which provide their own http.Handler wrapper methods.

* #192: Support multiple IdP signing certificates

* #192: Account for Go/check changes.

* Handle root URL's with trailing slash

* #194: Properly default EncryptionMethod/DigestMethod when not present.

* Allow AudienceRestriction to be missing

re #198

* Don't include the port with the domain when setting the cookie (#202)

* update value of UnspecifiedNameIDFormat and EmailAddressNameIDFormat (#217)

* Don't require Destination attribute in response when response is not signed (#213)

* Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required.
* Check Destination when present, even if response unsigned

* Replaces testshib.org with samltest.id in the README (#211)

Fixes #201

* Set the default domain for cookies properly (#187)

Fixes #186.

* Separate response validation from the Middleware so that ServiceProvider can be used standalone to validate requests. Also fix IDPInitiated requestids bug since Standalone validation may not have possibleRequestIds.

* Adding support for eduPersonScopedAffiliation

* Add in actual attribute evaluation for eduPersonScopedAffiliation.

* Fix typo for idp example path in readme (#170)

* omit validUntil if empty (#190)

* Prevent panic caused by IDP-initiated login (#183)

* - Check if IDP-initiated login is allowed and if so assume that the RelayState is a deep-link.
- Guard against an IDP-initiated request that may not have the request ID in the claims.
- Attempt to retrieve a state value using the RelayState first before checking if IDP-initiated flow is allowed.

* Only address the panic in IDP-initiated login (#1)

This change undoes some of the changes made in 4908b2671cdbd0cc707f66eadcc570c438d8919e, to just address the panic for IDP-initiated logins.

I'll file an issue in the `crewjam/saml` repo about the other issue blocking IDP-initiated logins, which is how to support relay states from the IDP.

* SP: Add capability to provide intermediate certs (#178)

* remove bad import

* remove log junk

* fix compile error

* Gopkg -> go.mod

* tests: convert from go-check to testify

* lint with golangci-lint

* lint with golangci-lint

* fix go.mod

* fix travis configuration

* fix travis configuration

* Use RS256 rather than HS256

Using HS256 with the RSA private key (serialised as ASN.1 according
to PKCS1) as the secret is unconventional and perhaps dangerous. The
string of bytes isn't entirely random given that it starts with the
version number. The encoded RSA key will be larger than the block size
of the underlying hash and so to create a secret, the RSA key will be
hashed.

A more important problem is that we should be able to validate a jwt
issued by the middleware with just the RSA public key. By moving to
RS256, we can validate jwts without sharing the private key.

Fix randomBytes: should ensure that the entire buffer is full.

* Add Single Logout data structure

* Set session NameID based on email

* update test expectations

* removed mandatory check for validating embedded certificate for rsa

* Rename validateRSAKey to validateRSAKeyIfPresent

Now that the validation is optional, the previous name did not
accurately reflected the intention.

* Removes unused dependencies

Ran go mod tidy to remove golangci-lint as that isn't actally needed for
this project. Its inclusion result in a huge number of dependencies to
be imported.

* travis: pin golangci-lint version

* Bump github.com/beevik/etree from 1.0.1 to 1.1.0

Bumps [github.com/beevik/etree](https://github.com/beevik/etree) from 1.0.1 to 1.1.0.
- [Release notes](https://github.com/beevik/etree/releases)
- [Changelog](https://github.com/beevik/etree/blob/master/RELEASE_NOTES.md)
- [Commits](https://github.com/beevik/etree/compare/v1.0.1...v1.1.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* update test expectations

* Return status code if not success

* Make cert optional for ServiceProvider.Metadata()

* Add test case from OneLogin

This adds a test case provided by @fredipevcin in [https://github.com/crewjam/saml/pull/25](PR25) that
makes sure we can parse cases where the assertion is signed rather than the whole message. This
has been supported for a while, but it is nice to ensure that the compatibility at issue continues to work.

* Remove 'Failing' from certificate missing check

* (Add tests for) Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required.

* update readme to reflect our inability to produce encrypted assertions

re #179

* fix bad merge

* golangci: require comments, add a few missing ones

* golangci: require comments, add a few missing ones

* update test expectations

* schema: don't include empty Format attributes in samlp:NameIDPolicyElement

fixes #177

* make ValidDuration configurable for IDP. (#235)

* refactor samlsp package to be more modular (#230)

This change splits the Middleware component into three interfaces (in addition to the saml.ServiceProvider):

* RequestTracker which handles tracking pending authn requests.
* Session which handles issuing session cookies.
* OnError which handles reporting errors to both the user and any logging.

The default implementations of RequestTracker and Session use http cookie to encode JWTs, but further delegate the encoding/verification of the JWTs to codec interfaces which allow further customization, again with default implementations.

This should make the *samlsp* package easier to extend to fit more use cases.

Fixes #231

* Add optional callback for signature verification (#237)

Fixes #234

* AllowIDPInitiated=true allows both IDP-initiated and normal (#240)

* Bump github.com/kr/pretty from 0.1.0 to 0.2.0 (#243)

Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/kr/pretty/releases)
- [Commits](https://github.com/kr/pretty/compare/v0.1.0...v0.2.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* add HTTPOnly bool to CookieSessionProvider (#248)

* feat(slo): add logout response request validation (#247)

* fix(slo): fix SessionIndex attribute in LogoutRequest (#245)

* clean up README about breaking changes

* feat(slo): add Bytes() and Deflate() functions for LogoutRequest (#251)

Bytes() is needed in for returning a byte array for POST Binding.
Deflate() is needed for compressing using gzip algorithm a LogoutRequest
byte array.

* fix(sp): no check for InResponseTo for if IDPInitiated is true (#259)

* Add EntityID (#258)

* feat: add Post / Redirect methods for LogoutRequest (#260)

* Update README.md (#261)

* Bump github.com/stretchr/testify from 1.4.0 to 1.5.0 (#263)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.4.0...v1.5.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Bump github.com/stretchr/testify from 1.5.0 to 1.5.1 (#264)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.5.0...v1.5.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Include a path when clearing the cookie (#278)

Some browsers will refuse to remove a cookie that doesn't include the path

* SessionNotOnOrAfter is serialized to XML if set (#292)

It is currently possible to set SessionNotOnOrAfter directly on the Go
structure, but it is not serialized to or deserialized from XML.

* Fixes handling signed response with encrypted assertions (#273)

When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest.
The response signature is sufficient unless the assertion is also signed in which case both must be valid.

* Bump github.com/kr/pretty from 0.2.0 to 0.2.1 (#294)

Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/kr/pretty/releases)
- [Commits](https://github.com/kr/pretty/compare/v0.2.0...v0.2.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

* Bump github.com/stretchr/testify from 1.5.1 to 1.6.1 (#288)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.1 to 1.6.1.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.5.1...v1.6.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

* Add support for signed authnRequest (#296)

* Fixes handling signed response with encrypted assertions

When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest.
The response signature is sufficient unless the assertion is also signed in which case both must be valid.

* Add support for signed authnRequests

* Update metadata.go (#297)

Renamed LocalizedName & LocalizedURI Lang attributes -> `xml:"http://www.w3.org/XML/1998/namespace lang,attr"`

fixes #295

* Allows configuring SameSite for session cookie (#276)

Fixes #275

* fix lint errors & update test expectations

* update README re: security issues

* fix test expectation for go 1.15

* remove output cruft from xmlenc test

* [SECURITY] bump version of goxmldsig [CVE-2020-15216]

There was a signature validation bypass in goxmldsig, which saml uses to
authenticate assertions. This change increments the dependent version of
goxmldsig to a version that is no longer affected.

For more information:

https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7

* Merge pull request from GHSA-4hq8-gmxx-h6w9

This change validates that the XML input we receive is safe to parse before
passing it to the standard library's XML parsing functions or the etree DOM
parsing functions.

This validation mitigates critical vulnerabilities in `encoding/xml` - CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511.

TODO: is there going to be a go.mod version assigned to this on release?

* fix version of xml-roundtrip-validator in go.mod

* add SignLogoutResponse SignLogoutRequest MakeLogoutResponse

* add SessionIndex to claims Attributes

* Include a domain when clearing the cookie

* identity_provider: extend session with CustomAttributes (#310)

* add xUserId and xAccountId for session

* add CustomAttributes for idp session content

* fix: logout response element Response -> LogoutResponse (#305)

* Spread the use of option SameSite to tracking cookies (#302)

* fix formatting

* travis -> github actions

* fix typo in README

* update test expectations

* Stop validating InResponseTo when AllowIDPInitiated is set

With this change we no longer validate InResponseTo when AllowIDPInitiated is set. Here's why:

The SAML specification does not provide clear guidance for handling InResponseTo for IDP-initiated requests where there is no request to be in response to. The specification says:

   InResponseTo [Optional]
       The ID of a SAML protocol message in response to which an attesting entity can present the
       assertion. For example, this attribute might be used to correlate the assertion to a SAML
       request that resulted in its presentation.

The initial thought was that we should specify a single empty string in possibleRequestIDs for IDP-initiated  requests so that we would ensure that an InResponseTo was *not* provided in those cases where it wasn't expected. Even that turns out to be frustrating for users. And in practice some IDPs (e.g. Rippling)  set a specific non-empty value for InResponseTo in IDP-initiated requests.

Finally, it is unclear that there is significant security value in checking InResponseTo when we allow  IDP initiated assertions.

This issue has been reported quite a few times, including:

Fixes #291 #286 #300 #301 #286

* set cookie domain when clearing request tracker cookie (#321)

* samlsp: make middleware endpoints public (#323)

* samlsp: remove deprecated fields (#324)

* remove deprecated fields
* update readme

* add test that we can marshal an AuthnStatement without SessionNotOnOrAfter being set

re #312

* samlsp: fix validating response with no issuer element (#328)

* in tests, replace long strings with files we read from testdata/

* replace testify (which is more or less unmaintained) with gotest.tools

* remove redundant []byte conversions

* explicitly copy loop iterator variables

This silences a warning from golangci-lint

* fix spelling of test data file

* add maintainer action to update dependencies

* adjust maintainer action to update dependencies

* Update go.mod

* upgrade github.com/crewjam/httperr from v0.0.0-20190612203328-a946449404da to v0.2.0
* upgrade github.com/dchest/uniuri from v0.0.0-20160212164326-8902c56451e9 to v0.0.0-20200228104902-7aecb25e1fe5
* upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201213122252-bcd7e1b9601e to v0.0.0-20201219040909-8fd2afad43d1
* upgrade github.com/zenazn/goji from v0.9.1-0.20160507202103-64eb34159fe5 to v1.0.1
* upgrade golang.org/x/crypto from v0.0.0-20200622213623-75b288015ac9 to v0.0.0-20201221181555-eec23a3978ad

* Fix AuthN Request signing for HTTP-Redirect binding (#339)

* Fix signing for HTTP-Redirect binding

The currently implemented behavior for signing AuthN Requests where
an enveloped signature is added in the XML Document, is appropriate
only when the HTTP-POST binding is used.
Signing for authentication requests when the HTTP-Redirect binding
is in use, is described in
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
section 3.4.4.1 and involves generating a signature of the deflated
form of the AuthN request along with some other URL parameters, mainly
because of URL length considerations.

This commit implements proper AuthNRequest signing support according
to the specification.

* Add comment for function

* linter is picky :)

* SplitHostPort on DeleteSession (#335)

* Add explicit tests for XSW (#338)

XML Signature Wrapping attacks are unfortunately still very common
in SAML implementations. crewjam/saml is not vulnerable to any XSW
attacks as goxmldsig and this library's use of goxmldsig are safe.

This commit adds a number of tests against common XSW attacks, so
that these can serve as verification of the current safe state,
prevent future regressions in crewjam/saml and detect possible
future regressions in goxmldsig

The numbering of the permutations of the XSW attack follows that
of https://github.com/CompassSecurity/SAMLRaider and a visual
depiction is available in
https://github.com/CompassSecurity/SAMLRaider/blob/5b9eace70e88d0af17b86c26c2cad1178b08c7d0/src/main/resources/xswlist.png

* Custom relayState generator (#337)

* Update go.mod (#331)

* upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201219040909-8fd2afad43d1 to v0.1.0
* upgrade golang.org/x/crypto from v0.0.0-20201221181555-eec23a3978ad to v0.0.0-20210317152858-513c2a44f670

Co-authored-by: Github Actions <noreply@github.com>

* Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (#336)

* Bump github.com/google/go-cmp from 0.5.4 to 0.5.5

Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.4...v0.5.5)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Ross Kinder <ross@kndr.org>

* update README (#340)

fixes #333

* Update go.mod (#342)

* upgrade golang.org/x/crypto from v0.0.0-20210317152858-513c2a44f670 to v0.0.0-20210322153248-0c34fe9e7dc2

Co-authored-by: Github Actions <noreply@github.com>

* Update go.mod (#343)

Co-authored-by: crewjam <crewjam@users.noreply.github.com>

* Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. (#344)

* Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go.

dgrijalva/jwt-go is abandoned (https://github.com/dgrijalva/jwt-go/issues/457) with an outstanding security vulnerability (https://github.com/dgrijalva/jwt-go/issues/422).

form3tech-oss/jwt-go is a fork that has fixed the vulnerability.

* Upgrade to GitHub-native Dependabot (#346)

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

* Make SP check more certs in IDP metadata (#353)

From
https://www.oasis-open.org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf
```
[E62]A use value of "signing" means that the contained key information is applicable to both signing
and TLS/SSL operations performed by the entity when acting in the enclosing role.

A use value of "encryption" means that the contained key information is suitable for use in wrapping
encryption keys for use by the entity when acting in the enclosing role.

If the use attribute is omitted, then the contained key information is applicable to both of the above uses.
```

We need to include certificates both when they have a "use" attribute of
"signing" as well as when the "use" attribute is missing.

Fixes #352

SAML input from @simmel.

* bring monorepo lightstep/saml changes into lightstep forked saml repo #LS-26157

* Fix merge problems

* Fix valid until tests

* req.now may not be initialized in MakeResponse() so use Now()

* use TimeNow()

* req.now not guaranteed to be defined. Use TimeNow() in IdpAuthnRequest() and MakeAssertion()

* Remove old code from comments, remove commented out Skip(broken)

* use upstream's new validateDestination, but modify it to use urlsMatchModuloPortNumbers(). Add clock kew to notOnOrAfter

Co-authored-by: Donald Hoelle <donald@restlessbandit.com>
Co-authored-by: Umayr Shahid <umayr.shahid@gmail.com>
Co-authored-by: Dustin Decker <sevoma@gmail.com>
Co-authored-by: Ross Kinder <ross@kndr.org>
Co-authored-by: Bryce Fisher <bryce.fisher@live.com>
Co-authored-by: Sevki <s@sevki.org>
Co-authored-by: Paul Tötterman <ptman@users.noreply.github.com>
Co-authored-by: Lucas <subandroid@users.noreply.github.com>
Co-authored-by: Beyang Liu <beyang@sourcegraph.com>
Co-authored-by: Nao YONASHIRO <owan.orisano@gmail.com>
Co-authored-by: Darrel Herbst <dherbst@gmail.com>
Co-authored-by: Neha Malviya <neha0912@gmail.com>
Co-authored-by: Josh Silvas <joshua.silvas@rackspace.com>
Co-authored-by: ☃ Elliot Shepherd <elliot@identitii.com>
Co-authored-by: Christoph Hack <tux21b@users.noreply.github.com>
Co-authored-by: Volkan Gürel <volkangurel@users.noreply.github.com>
Co-authored-by: Andrew Pilloud <apilloud@users.noreply.github.com>
Co-authored-by: jb <jdbrokaw@gmail.com>
Co-authored-by: Stephen Kress <stephen.kress@rstudio.com>
Co-authored-by: Geoff Bourne <geoff.bourne@rackspace.com>
Co-authored-by: Robin Wood <robin@digi.ninja>
Co-authored-by: Noval Agung Prayogo <novalagung@users.noreply.github.com>
Co-authored-by: Chris Vermilion <christopher.vermilion@gmail.com>
Co-authored-by: Joe Siltberg <joe@joesiltberg.se>
Co-authored-by: Daniel Cormier <dcormier@users.noreply.github.com>
Co-authored-by: Tom Bruno <24335+tebruno99@users.noreply.github.com>
Co-authored-by: Shane Jeffery <sjeffery@treetopllc.com>
Co-authored-by: ferhat elmas <elmas.ferhat@gmail.com>
Co-authored-by: Christopher Goulet <christophergoulet@outlook.com>
Co-authored-by: Praneet Loke <1466314+praneetloke@users.noreply.github.com>
Co-authored-by: Benjamin Schubert <brm.schubert@gmail.com>
Co-authored-by: Stevie Johnstone <stevie@jazznetworks.com>
Co-authored-by: Ryan Zhang <ryan.zhang@docker.com>
Co-authored-by: Grace Noah <gracenoahgh@gmail.com>
Co-authored-by: Jon Gyllensward <jon.gyllensward@grafana.com>
Co-authored-by: gotjosh <josue@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Michael Rauh <michael.rauh@ecsec.de>
Co-authored-by: Matthew Steffen <msteffen@pachyderm.io>
Co-authored-by: Bryce Fisher <bfisher-sub@novetta.com>
Co-authored-by: Jan Szumiec <jan.szumiec@gmail.com>
Co-authored-by: aspeteRakete <fdubrownik@gmail.com>
Co-authored-by: Joe Siltberg <git@joesiltberg.se>
Co-authored-by: David Goeke <github@waygate.org>
Co-authored-by: Daniel Hochman <danielhochman@users.noreply.github.com>
Co-authored-by: Mathieu Mailhos <mathieumailhos@gmail.com>
Co-authored-by: miketonks <miketonks99@gmail.com>
Co-authored-by: (0x794E6).toString(36) <andypeng2010@gmail.com>
Co-authored-by: Andreas Fritzler <afritzler@users.noreply.github.com>
Co-authored-by: Ron Kuris <swcafe@gmail.com>
Co-authored-by: Andy Lindeman <andy@lindeman.io>
Co-authored-by: Ricardo Andrade <ricardofandrade@users.noreply.github.com>
Co-authored-by: bstrueb <bstrueb@gmail.com>
Co-authored-by: Ross Kinder <ross@grooveid.com>
Co-authored-by: neilli-sable <omprand.serbei@gmail.com>
Co-authored-by: Alex Yan <yanhao1991@gmail.com>
Co-authored-by: Alan Shreve <alan@inconshreveable.com>
Co-authored-by: AlekseyZolotuhin <5293057+sly-roar@users.noreply.github.com>
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
Co-authored-by: Github Actions <noreply@github.com>
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: yuki2006 <yagfair@gmail.com>
Co-authored-by: Harold Alcala <harold.dev@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: crewjam <crewjam@users.noreply.github.com>
Co-authored-by: Bay Grabowski <baygrabowski@gmail.com>
Co-authored-by: Patrik Lundin <patrik@sigterm.se>
---
 .github/dependabot.yml                        |    7 +
 .github/stale.yml                             |   17 +
 .github/workflows/go.yml                      |   24 +
 .github/workflows/maint.yml                   |   34 +
 .gitignore                                    |    5 +
 .golangci.yml                                 |   78 +
 .travis.yml                                   |    6 -
 NOTES.md                                      |   21 -
 README.md                                     |  189 +-
 duration_test.go                              |   49 +-
 example/idp/idp.go                            |    5 +-
 example/service.go                            |   14 +-
 example/trivial/trivial.go                    |   33 +-
 go.mod                                        |   25 +
 go.sum                                        |   54 +
 identity_provider.go                          |  192 +-
 identity_provider_test.go                     |  701 ++---
 metadata.go                                   |    8 +-
 metadata_test.go                              |   65 +-
 saml.go                                       |  162 +-
 saml_gen.go                                   |    2 +-
 samlidp/samlidp.go                            |    3 +-
 samlidp/samlidp_test.go                       |   88 +-
 samlidp/service.go                            |    3 +-
 samlidp/service_test.go                       |   38 +-
 samlidp/session.go                            |   27 +-
 samlidp/session_test.go                       |   42 +-
 samlidp/shortcut_test.go                      |   51 +-
 samlidp/testdata/http_metadata_response.html  |   25 +
 samlidp/testdata/http_sso_response.html       |    1 +
 samlidp/testdata/idp_cert.pem                 |   13 +
 samlidp/testdata/idp_key.pem                  |   15 +
 samlidp/testdata/sp_cert.pem                  |   13 +
 samlidp/testdata/sp_key.pem                   |   15 +
 samlidp/testdata/sp_metadata.xml              |    1 +
 samlidp/user.go                               |    1 +
 samlidp/user_test.go                          |   27 +-
 samlidp/util.go                               |   21 +-
 samlidp/util_test.go                          |   23 +
 samlsp/error.go                               |   25 +
 samlsp/fetch_metadata.go                      |   75 +
 samlsp/fetch_metadata_test.go                 |   46 +
 samlsp/middleware.go                          |  395 +--
 samlsp/middleware_test.go                     |  500 +--
 samlsp/new.go                                 |  128 +
 samlsp/request_tracker.go                     |   46 +
 samlsp/request_tracker_cookie.go              |  111 +
 samlsp/request_tracker_jwt.go                 |   75 +
 samlsp/samlsp.go                              |  120 -
 samlsp/samlsp_test.go                         |  556 +---
 samlsp/session.go                             |   89 +
 samlsp/session_cookie.go                      |   99 +
 samlsp/session_cookie_test.go                 |   47 +
 samlsp/session_jwt.go                         |  143 +
 samlsp/testdata/authn_request.url             |    1 +
 samlsp/testdata/cert.pem                      |   13 +
 samlsp/testdata/expected_authn_request.xml    |    1 +
 .../expected_authn_request_secure.xml         |    1 +
 .../testdata/expected_middleware_metadata.xml |   17 +
 .../expected_post_binding_response.html       |    1 +
 samlsp/testdata/idp_metadata.xml              |  116 +
 samlsp/testdata/key.pem                       |   15 +
 samlsp/testdata/saml_response.xml             |    9 +
 samlsp/testdata/testshib_metadata.xml         |  378 +++
 samlsp/testdata/token.json                    |   48 +
 samlsp/util.go                                |   16 +
 schema.go                                     |  237 +-
 schema_test.go                                |   84 +-
 service_provider.go                           |  927 +++++-
 service_provider_test.go                      | 1477 +++++++--
 testdata/SP_AuthnRequest                      |    1 +
 testdata/SP_IDPMetadata                       |  118 +
 testdata/SP_SamlResponse                      |    9 +
 testdata/TestCanParseMetadata_metadata.xml    |    1 +
 .../TestCanProduceMetadataEntityID_metadata   |    6 +
 .../TestCanProduceMetadataNoCerts_metadata    |    6 +
 testdata/TestCanProduceSPMetadata_expected    |   20 +
 ...uestWithExistingSession_http_response_body |    1 +
 ...eRequestWithExistingSession_decodedRequest |    1 +
 ...uestWithExistingSession_http_response_body |    1 +
 ...leRequestWithNewSession_http_response_body |    2 +
 ...HandleUnencryptedResponse_idp_metadata.xml |    1 +
 ...estIDPCanHandleUnencryptedResponse_request |    1 +
 ...stIDPCanHandleUnencryptedResponse_response |   83 +
 ...estIDPIDPInitiatedExistingSession_response |    1 +
 testdata/TestIDPMakeResponse_request_buffer   |    1 +
 testdata/TestIDPMakeResponse_response.xml     |   27 +
 ...estIDPMarshalAssertion_encrypted_assertion |    1 +
 .../TestIDPNoDestination_idp_metadata.xml     |    1 +
 testdata/TestIDPNoDestination_request         |    1 +
 ...estIDPRequestedAttributes_idp_metadata.xml |    1 +
 .../TestIDPWriteResponse_RequestBuffer.xml    |    1 +
 testdata/TestIDPWriteResponseresponse.html    |    1 +
 ...seEncryptedAssertionBothSigned_IDPMetadata |   21 +
 ...ponseEncryptedAssertionBothSigned_response |    1 +
 ...sponseEncryptedSignedAssertion_IDPMetadata |   21 +
 ...aResponseEncryptedSignedAssertion_response |    1 +
 ...gnedResponseEncryptedAssertion_IDPMetadata |   21 +
 ...aSignedResponseEncryptedAssertion_response |    1 +
 ...estSPCanHandleOneloginResponse_IDPMetadata |   41 +
 .../TestSPCanHandleOneloginResponse_response  |    1 +
 ...stSPCanHandlePlaintextResponse_IDPMetadata |   30 +
 .../TestSPCanHandlePlaintextResponse_response |    1 +
 ...SPCanProduceMetadataWithBothCerts_metadata |   24 +
 ...ProduceMetadataWithEncryptionCert_metadata |   17 +
 .../TestSPCanProducePostLogoutRequest_form    |    1 +
 .../TestSPCanProducePostLogoutResponse_form   |    1 +
 testdata/TestSPCanProducePostRequest_form     |    1 +
 ...roduceRedirectLogoutRequest_decodedRequest |    1 +
 ...duceRedirectLogoutResponse_decodedResponse |    1 +
 ...PCanProduceRedirectRequest_decoded_request |    1 +
 ...uceSignedRequestPostBinding_decodedRequest |    1 +
 ...ignedRequestRedirectBinding_decodedRequest |    1 +
 ...ceSignedRequestRedirectBinding_queryString |    1 +
 ...rldAssertionSignedNotResponse_idp_metadata |    1 +
 ...alWorldAssertionSignedNotResponse_response |    5 +
 ...nfoHasRSAPublicKeyNotX509Cert_idp_metadata |    1 +
 ...KeyInfoHasRSAPublicKeyNotX509Cert_response |    9 +
 .../TestSPRejectsInjectedComment_IDPMetadata  |   30 +
 .../TestSPRejectsInjectedComment_response     |    1 +
 ...TestSPRejectsMalformedResponse_IDPMetadata |   30 +
 .../TestSPRejectsMalformedResponse_response   |    1 +
 testdata/TestSPResponseWithNoIssuer_response  |    9 +
 ...HandleSignedAssertionsResponse_IDPMetadata |   20 +
 ...CanHandleSignedAssertionsResponse_response |    1 +
 ...TestXswPermutationEightIsRejected_response |    1 +
 .../TestXswPermutationFiveIsRejected_response |    1 +
 .../TestXswPermutationFourIsRejected_response |    1 +
 .../TestXswPermutationNineIsRejected_response |    1 +
 .../TestXswPermutationOneIsRejected_response  |    1 +
 ...TestXswPermutationSevenIsRejected_response |    1 +
 .../TestXswPermutationSixIsRejected_response  |    1 +
 ...TestXswPermutationThreeIsRejected_response |    1 +
 .../TestXswPermutationTwoIsRejected_response  |    1 +
 testdata/cert_2017.pem                        |   20 +
 testdata/idp_authn_request.xml                |    1 +
 testdata/idp_cert.pem                         |   13 +
 testdata/idp_key.pem                          |   15 +
 testdata/idp_new_session_response             |    2 +
 testdata/key_2017.pem                         |   27 +
 testdata/sp_cert.pem                          |   13 +
 testdata/sp_key.pem                           |   15 +
 testsaml/equals_any.go                        |   31 -
 testsaml/parse.go                             |   17 +-
 time.go                                       |    4 +
 time_test.go                                  |   72 +-
 time_test_114.go                              |    6 +
 time_test_115.go                              |    6 +
 util.go                                       |    4 +-
 vendor/github.com/beevik/etree/.travis.yml    |    4 +-
 vendor/github.com/beevik/etree/CONTRIBUTORS   |    2 +
 vendor/github.com/beevik/etree/LICENSE        |    2 +-
 vendor/github.com/beevik/etree/README.md      |    4 +-
 vendor/github.com/beevik/etree/etree.go       |  794 ++++-
 vendor/github.com/beevik/etree/etree_test.go  |  426 ---
 .../github.com/beevik/etree/example_test.go   |   62 -
 vendor/github.com/beevik/etree/helpers.go     |  110 +-
 vendor/github.com/beevik/etree/path.go        |  196 +-
 vendor/github.com/beevik/etree/path_test.go   |  173 --
 vendor/github.com/dchest/uniuri/.travis.yml   |    1 -
 .../github.com/dchest/uniuri/uniuri_test.go   |  102 -
 vendor/github.com/dgrijalva/jwt-go/.gitignore |    4 -
 .../github.com/dgrijalva/jwt-go/.travis.yml   |   13 -
 vendor/github.com/dgrijalva/jwt-go/LICENSE    |    8 -
 .../dgrijalva/jwt-go/MIGRATION_GUIDE.md       |   97 -
 vendor/github.com/dgrijalva/jwt-go/README.md  |   85 -
 .../dgrijalva/jwt-go/VERSION_HISTORY.md       |  111 -
 vendor/github.com/dgrijalva/jwt-go/claims.go  |  134 -
 .../dgrijalva/jwt-go/cmd/jwt/README.md        |   13 -
 .../dgrijalva/jwt-go/cmd/jwt/app.go           |  282 --
 .../dgrijalva/jwt-go/cmd/jwt/args.go          |   23 -
 vendor/github.com/dgrijalva/jwt-go/doc.go     |    4 -
 vendor/github.com/dgrijalva/jwt-go/ecdsa.go   |  147 -
 .../github.com/dgrijalva/jwt-go/ecdsa_test.go |  100 -
 .../dgrijalva/jwt-go/ecdsa_utils.go           |   67 -
 vendor/github.com/dgrijalva/jwt-go/errors.go  |   59 -
 .../dgrijalva/jwt-go/example_test.go          |  114 -
 vendor/github.com/dgrijalva/jwt-go/hmac.go    |   94 -
 .../dgrijalva/jwt-go/hmac_example_test.go     |   66 -
 .../github.com/dgrijalva/jwt-go/hmac_test.go  |   91 -
 .../dgrijalva/jwt-go/http_example_test.go     |  216 --
 .../github.com/dgrijalva/jwt-go/map_claims.go |   94 -
 vendor/github.com/dgrijalva/jwt-go/none.go    |   52 -
 .../github.com/dgrijalva/jwt-go/none_test.go  |   72 -
 vendor/github.com/dgrijalva/jwt-go/parser.go  |  131 -
 .../dgrijalva/jwt-go/parser_test.go           |  261 --
 .../dgrijalva/jwt-go/request/doc.go           |    7 -
 .../dgrijalva/jwt-go/request/extractor.go     |   81 -
 .../jwt-go/request/extractor_example_test.go  |   32 -
 .../jwt-go/request/extractor_test.go          |   91 -
 .../dgrijalva/jwt-go/request/oauth2.go        |   28 -
 .../dgrijalva/jwt-go/request/request.go       |   24 -
 .../dgrijalva/jwt-go/request/request_test.go  |  103 -
 vendor/github.com/dgrijalva/jwt-go/rsa.go     |  100 -
 vendor/github.com/dgrijalva/jwt-go/rsa_pss.go |  126 -
 .../dgrijalva/jwt-go/rsa_pss_test.go          |   96 -
 .../github.com/dgrijalva/jwt-go/rsa_test.go   |  176 --
 .../github.com/dgrijalva/jwt-go/rsa_utils.go  |   69 -
 .../dgrijalva/jwt-go/signing_method.go        |   35 -
 .../dgrijalva/jwt-go/test/ec256-private.pem   |    5 -
 .../dgrijalva/jwt-go/test/ec256-public.pem    |    4 -
 .../dgrijalva/jwt-go/test/ec384-private.pem   |    6 -
 .../dgrijalva/jwt-go/test/ec384-public.pem    |    5 -
 .../dgrijalva/jwt-go/test/ec512-private.pem   |    7 -
 .../dgrijalva/jwt-go/test/ec512-public.pem    |    6 -
 .../dgrijalva/jwt-go/test/helpers.go          |   42 -
 .../dgrijalva/jwt-go/test/hmacTestKey         |    1 -
 .../dgrijalva/jwt-go/test/sample_key          |   27 -
 .../dgrijalva/jwt-go/test/sample_key.pub      |    9 -
 vendor/github.com/dgrijalva/jwt-go/token.go   |  108 -
 .../github.com/jonboulle/clockwork/.gitignore |    2 +
 .../jonboulle/clockwork/.travis.yml           |    5 -
 .../github.com/jonboulle/clockwork/README.md  |   67 +-
 .../jonboulle/clockwork/clockwork.go          |   28 +-
 .../jonboulle/clockwork/clockwork_test.go     |  129 -
 .../jonboulle/clockwork/example_test.go       |   49 -
 vendor/github.com/kr/pretty/License           |    2 -
 vendor/github.com/kr/pretty/diff_test.go      |  213 --
 vendor/github.com/kr/pretty/example_test.go   |   20 -
 vendor/github.com/kr/pretty/formatter.go      |    5 +-
 vendor/github.com/kr/pretty/formatter_test.go |  288 --
 vendor/github.com/kr/pretty/pretty.go         |    2 +-
 vendor/github.com/kr/text/cmd/agg/doc.go      |   73 -
 vendor/github.com/kr/text/cmd/agg/main.go     |  112 -
 vendor/github.com/kr/text/cmd/agg/num.go      |   99 -
 vendor/github.com/kr/text/cmd/agg/string.go   |   74 -
 vendor/github.com/kr/text/colwriter/Readme    |    5 -
 vendor/github.com/kr/text/colwriter/column.go |  147 -
 .../kr/text/colwriter/column_test.go          |   90 -
 vendor/github.com/kr/text/indent_test.go      |  119 -
 vendor/github.com/kr/text/mc/Readme           |    9 -
 vendor/github.com/kr/text/mc/mc.go            |   62 -
 vendor/github.com/kr/text/wrap_test.go        |   62 -
 .../russellhaering/goxmldsig/.travis.yml      |    7 +-
 .../russellhaering/goxmldsig/README.md        |    2 +-
 .../goxmldsig/canonicalize_test.go            |   66 -
 .../goxmldsig/etreeutils/canonicalize.go      |    2 +-
 .../goxmldsig/etreeutils/namespace.go         |   81 +-
 .../russellhaering/goxmldsig/run_test.sh      |    0
 .../russellhaering/goxmldsig/sign_test.go     |  139 -
 .../russellhaering/goxmldsig/validate.go      |  117 +-
 .../russellhaering/goxmldsig/validate_test.go |  205 --
 vendor/github.com/zenazn/goji/.travis.yml     |   46 +-
 vendor/github.com/zenazn/goji/bind/bind.go    |   34 +-
 .../github.com/zenazn/goji/example/.gitignore |    1 -
 .../github.com/zenazn/goji/example/README.md  |   10 -
 vendor/github.com/zenazn/goji/example/main.go |  177 --
 .../zenazn/goji/example/middleware.go         |   47 -
 .../github.com/zenazn/goji/example/models.go  |   49 -
 .../zenazn/goji/graceful/graceful.go          |   17 +-
 .../goji/graceful/listener/conn_test.go       |  198 --
 .../goji/graceful/listener/fake_test.go       |  123 -
 .../goji/graceful/listener/listener_test.go   |  156 -
 .../goji/graceful/listener/race_test.go       |  103 -
 .../zenazn/goji/graceful/middleware_test.go   |   71 -
 .../github.com/zenazn/goji/graceful/signal.go |   56 +-
 .../github.com/zenazn/goji/web/bench_test.go  |  166 -
 .../zenazn/goji/web/example_test.go           |   69 -
 .../zenazn/goji/web/func_equal_test.go        |   84 -
 .../github.com/zenazn/goji/web/match_test.go  |   50 -
 .../github.com/zenazn/goji/web/middleware.go  |    5 +-
 .../goji/web/middleware/nocache_test.go       |   29 -
 .../goji/web/middleware/options_test.go       |  112 -
 .../goji/web/middleware/subrouter_test.go     |   28 -
 .../goji/web/middleware/urlquery_test.go      |   53 -
 .../zenazn/goji/web/middleware12_test.go      |   52 -
 .../zenazn/goji/web/middleware_test.go        |  204 --
 .../zenazn/goji/web/mutil/writer_proxy.go     |   24 +-
 vendor/github.com/zenazn/goji/web/mux_test.go |   45 -
 .../zenazn/goji/web/pattern_test.go           |  188 --
 .../zenazn/goji/web/router_middleware_test.go |   35 -
 .../github.com/zenazn/goji/web/router_test.go |  326 --
 vendor/golang.org/x/crypto/.gitattributes     |   10 -
 vendor/golang.org/x/crypto/.gitignore         |    2 -
 vendor/golang.org/x/crypto/CONTRIBUTING.md    |   31 -
 vendor/golang.org/x/crypto/README.md          |   21 -
 vendor/golang.org/x/crypto/acme/acme.go       | 1058 -------
 vendor/golang.org/x/crypto/acme/acme_test.go  | 1352 --------
 .../x/crypto/acme/autocert/autocert.go        |  973 ------
 .../x/crypto/acme/autocert/autocert_test.go   |  757 -----
 .../x/crypto/acme/autocert/cache.go           |  130 -
 .../x/crypto/acme/autocert/cache_test.go      |   58 -
 .../x/crypto/acme/autocert/example_test.go    |   36 -
 .../x/crypto/acme/autocert/listener.go        |  160 -
 .../x/crypto/acme/autocert/renewal.go         |  124 -
 .../x/crypto/acme/autocert/renewal_test.go    |  191 --
 vendor/golang.org/x/crypto/acme/jws.go        |  153 -
 vendor/golang.org/x/crypto/acme/jws_test.go   |  319 --
 vendor/golang.org/x/crypto/acme/types.go      |  329 --
 vendor/golang.org/x/crypto/acme/types_test.go |   63 -
 vendor/golang.org/x/crypto/argon2/argon2.go   |  228 --
 .../golang.org/x/crypto/argon2/argon2_test.go |  233 --
 vendor/golang.org/x/crypto/argon2/blake2b.go  |   53 -
 .../x/crypto/argon2/blamka_amd64.go           |   61 -
 .../golang.org/x/crypto/argon2/blamka_amd64.s |  252 --
 .../x/crypto/argon2/blamka_generic.go         |  163 -
 .../golang.org/x/crypto/argon2/blamka_ref.go  |   15 -
 .../golang.org/x/crypto/bcrypt/bcrypt_test.go |  243 --
 vendor/golang.org/x/crypto/blake2b/blake2b.go |  221 --
 .../x/crypto/blake2b/blake2bAVX2_amd64.go     |   43 -
 .../x/crypto/blake2b/blake2bAVX2_amd64.s      |  762 -----
 .../x/crypto/blake2b/blake2b_amd64.go         |   25 -
 .../x/crypto/blake2b/blake2b_amd64.s          |  290 --
 .../x/crypto/blake2b/blake2b_generic.go       |  179 --
 .../x/crypto/blake2b/blake2b_ref.go           |   11 -
 .../x/crypto/blake2b/blake2b_test.go          |  798 -----
 vendor/golang.org/x/crypto/blake2b/blake2x.go |  177 --
 .../golang.org/x/crypto/blake2b/register.go   |   32 -
 vendor/golang.org/x/crypto/blake2s/blake2s.go |  187 --
 .../x/crypto/blake2s/blake2s_386.go           |   35 -
 .../golang.org/x/crypto/blake2s/blake2s_386.s |  460 ---
 .../x/crypto/blake2s/blake2s_amd64.go         |   40 -
 .../x/crypto/blake2s/blake2s_amd64.s          |  463 ---
 .../x/crypto/blake2s/blake2s_generic.go       |  174 --
 .../x/crypto/blake2s/blake2s_ref.go           |   17 -
 .../x/crypto/blake2s/blake2s_test.go          | 1002 ------
 vendor/golang.org/x/crypto/blake2s/blake2x.go |  178 --
 .../golang.org/x/crypto/blake2s/register.go   |   21 -
 .../x/crypto/blowfish/blowfish_test.go        |  274 --
 vendor/golang.org/x/crypto/blowfish/cipher.go |    8 +
 vendor/golang.org/x/crypto/bn256/bn256.go     |  408 ---
 .../golang.org/x/crypto/bn256/bn256_test.go   |  304 --
 vendor/golang.org/x/crypto/bn256/constants.go |   44 -
 vendor/golang.org/x/crypto/bn256/curve.go     |  278 --
 .../golang.org/x/crypto/bn256/example_test.go |   43 -
 vendor/golang.org/x/crypto/bn256/gfp12.go     |  200 --
 vendor/golang.org/x/crypto/bn256/gfp2.go      |  219 --
 vendor/golang.org/x/crypto/bn256/gfp6.go      |  296 --
 vendor/golang.org/x/crypto/bn256/optate.go    |  395 ---
 vendor/golang.org/x/crypto/bn256/twist.go     |  249 --
 vendor/golang.org/x/crypto/cast5/cast5.go     |  526 ----
 .../golang.org/x/crypto/cast5/cast5_test.go   |  106 -
 .../chacha20poly1305/chacha20poly1305.go      |   83 -
 .../chacha20poly1305_amd64.go                 |  127 -
 .../chacha20poly1305/chacha20poly1305_amd64.s | 2714 -----------------
 .../chacha20poly1305_generic.go               |   70 -
 .../chacha20poly1305_noasm.go                 |   15 -
 .../chacha20poly1305/chacha20poly1305_test.go |  182 --
 .../chacha20poly1305_vectors_test.go          |  332 --
 vendor/golang.org/x/crypto/codereview.cfg     |    1 -
 vendor/golang.org/x/crypto/cryptobyte/asn1.go |  732 -----
 .../x/crypto/cryptobyte/asn1/asn1.go          |   46 -
 .../x/crypto/cryptobyte/asn1_test.go          |  300 --
 .../golang.org/x/crypto/cryptobyte/builder.go |  309 --
 .../x/crypto/cryptobyte/cryptobyte_test.go    |  428 ---
 .../x/crypto/cryptobyte/example_test.go       |  154 -
 .../golang.org/x/crypto/cryptobyte/string.go  |  167 -
 .../x/crypto/curve25519/const_amd64.h         |    8 -
 .../x/crypto/curve25519/const_amd64.s         |   20 -
 .../x/crypto/curve25519/cswap_amd64.s         |   65 -
 .../x/crypto/curve25519/curve25519.go         |  834 -----
 .../x/crypto/curve25519/curve25519_test.go    |   39 -
 vendor/golang.org/x/crypto/curve25519/doc.go  |   23 -
 .../x/crypto/curve25519/freeze_amd64.s        |   73 -
 .../x/crypto/curve25519/ladderstep_amd64.s    | 1377 ---------
 .../x/crypto/curve25519/mont25519_amd64.go    |  240 --
 .../x/crypto/curve25519/mul_amd64.s           |  169 -
 .../x/crypto/curve25519/square_amd64.s        |  132 -
 vendor/golang.org/x/crypto/ed25519/ed25519.go |  181 --
 .../x/crypto/ed25519/ed25519_test.go          |  183 --
 .../ed25519/internal/edwards25519/const.go    | 1422 ---------
 .../internal/edwards25519/edwards25519.go     | 1771 -----------
 .../x/crypto/ed25519/testdata/sign.input.gz   |  Bin 50330 -> 0 bytes
 .../golang.org/x/crypto/hkdf/example_test.go  |   61 -
 vendor/golang.org/x/crypto/hkdf/hkdf.go       |   75 -
 vendor/golang.org/x/crypto/hkdf/hkdf_test.go  |  370 ---
 .../internal/chacha20/chacha_generic.go       |  198 --
 .../x/crypto/internal/chacha20/chacha_test.go |   33 -
 .../golang.org/x/crypto/md4/example_test.go   |   20 -
 vendor/golang.org/x/crypto/md4/md4.go         |  118 -
 vendor/golang.org/x/crypto/md4/md4_test.go    |   71 -
 vendor/golang.org/x/crypto/md4/md4block.go    |   89 -
 vendor/golang.org/x/crypto/nacl/auth/auth.go  |   58 -
 .../x/crypto/nacl/auth/auth_test.go           |  172 --
 .../x/crypto/nacl/auth/example_test.go        |   36 -
 vendor/golang.org/x/crypto/nacl/box/box.go    |  103 -
 .../golang.org/x/crypto/nacl/box/box_test.go  |   78 -
 .../x/crypto/nacl/box/example_test.go         |   95 -
 .../x/crypto/nacl/secretbox/example_test.go   |   53 -
 .../x/crypto/nacl/secretbox/secretbox.go      |  166 -
 .../x/crypto/nacl/secretbox/secretbox_test.go |  154 -
 vendor/golang.org/x/crypto/ocsp/ocsp.go       |  778 -----
 vendor/golang.org/x/crypto/ocsp/ocsp_test.go  |  875 ------
 .../x/crypto/openpgp/armor/armor.go           |  219 --
 .../x/crypto/openpgp/armor/armor_test.go      |   95 -
 .../x/crypto/openpgp/armor/encode.go          |  160 -
 .../x/crypto/openpgp/canonical_text.go        |   59 -
 .../x/crypto/openpgp/canonical_text_test.go   |   52 -
 .../x/crypto/openpgp/clearsign/clearsign.go   |  376 ---
 .../openpgp/clearsign/clearsign_test.go       |  210 --
 .../x/crypto/openpgp/elgamal/elgamal.go       |  122 -
 .../x/crypto/openpgp/elgamal/elgamal_test.go  |   49 -
 .../x/crypto/openpgp/errors/errors.go         |   72 -
 vendor/golang.org/x/crypto/openpgp/keys.go    |  636 ----
 .../golang.org/x/crypto/openpgp/keys_test.go  |  419 ---
 .../x/crypto/openpgp/packet/compressed.go     |  123 -
 .../crypto/openpgp/packet/compressed_test.go  |   41 -
 .../x/crypto/openpgp/packet/config.go         |   91 -
 .../x/crypto/openpgp/packet/encrypted_key.go  |  199 --
 .../openpgp/packet/encrypted_key_test.go      |  146 -
 .../x/crypto/openpgp/packet/literal.go        |   89 -
 .../x/crypto/openpgp/packet/ocfb.go           |  143 -
 .../x/crypto/openpgp/packet/ocfb_test.go      |   46 -
 .../openpgp/packet/one_pass_signature.go      |   73 -
 .../x/crypto/openpgp/packet/opaque.go         |  162 -
 .../x/crypto/openpgp/packet/opaque_test.go    |   67 -
 .../x/crypto/openpgp/packet/packet.go         |  537 ----
 .../x/crypto/openpgp/packet/packet_test.go    |  255 --
 .../x/crypto/openpgp/packet/private_key.go    |  380 ---
 .../crypto/openpgp/packet/private_key_test.go |  270 --
 .../x/crypto/openpgp/packet/public_key.go     |  748 -----
 .../crypto/openpgp/packet/public_key_test.go  |  202 --
 .../x/crypto/openpgp/packet/public_key_v3.go  |  279 --
 .../openpgp/packet/public_key_v3_test.go      |   82 -
 .../x/crypto/openpgp/packet/reader.go         |   76 -
 .../x/crypto/openpgp/packet/signature.go      |  731 -----
 .../x/crypto/openpgp/packet/signature_test.go |   78 -
 .../x/crypto/openpgp/packet/signature_v3.go   |  146 -
 .../openpgp/packet/signature_v3_test.go       |   92 -
 .../openpgp/packet/symmetric_key_encrypted.go |  155 -
 .../packet/symmetric_key_encrypted_test.go    |  117 -
 .../openpgp/packet/symmetrically_encrypted.go |  290 --
 .../packet/symmetrically_encrypted_test.go    |  123 -
 .../x/crypto/openpgp/packet/userattribute.go  |   91 -
 .../openpgp/packet/userattribute_test.go      |  109 -
 .../x/crypto/openpgp/packet/userid.go         |  160 -
 .../x/crypto/openpgp/packet/userid_test.go    |   87 -
 vendor/golang.org/x/crypto/openpgp/read.go    |  442 ---
 .../golang.org/x/crypto/openpgp/read_test.go  |  613 ----
 vendor/golang.org/x/crypto/openpgp/s2k/s2k.go |  273 --
 .../x/crypto/openpgp/s2k/s2k_test.go          |  137 -
 vendor/golang.org/x/crypto/openpgp/write.go   |  378 ---
 .../golang.org/x/crypto/openpgp/write_test.go |  273 --
 .../x/crypto/otr/libotr_test_helper.c         |  197 --
 vendor/golang.org/x/crypto/otr/otr.go         | 1415 ---------
 vendor/golang.org/x/crypto/otr/otr_test.go    |  470 ---
 vendor/golang.org/x/crypto/otr/smp.go         |  572 ----
 vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go   |   77 -
 .../golang.org/x/crypto/pbkdf2/pbkdf2_test.go |  176 --
 .../golang.org/x/crypto/pkcs12/bmp-string.go  |   50 -
 .../x/crypto/pkcs12/bmp-string_test.go        |   63 -
 vendor/golang.org/x/crypto/pkcs12/crypto.go   |  131 -
 .../golang.org/x/crypto/pkcs12/crypto_test.go |  125 -
 vendor/golang.org/x/crypto/pkcs12/errors.go   |   23 -
 .../crypto/pkcs12/internal/rc2/bench_test.go  |   27 -
 .../x/crypto/pkcs12/internal/rc2/rc2.go       |  271 --
 .../x/crypto/pkcs12/internal/rc2/rc2_test.go  |   92 -
 vendor/golang.org/x/crypto/pkcs12/mac.go      |   45 -
 vendor/golang.org/x/crypto/pkcs12/mac_test.go |   42 -
 vendor/golang.org/x/crypto/pkcs12/pbkdf.go    |  170 --
 .../golang.org/x/crypto/pkcs12/pbkdf_test.go  |   34 -
 vendor/golang.org/x/crypto/pkcs12/pkcs12.go   |  346 ---
 .../golang.org/x/crypto/pkcs12/pkcs12_test.go |  138 -
 vendor/golang.org/x/crypto/pkcs12/safebags.go |   57 -
 .../golang.org/x/crypto/poly1305/poly1305.go  |   33 -
 .../x/crypto/poly1305/poly1305_test.go        |  159 -
 .../golang.org/x/crypto/poly1305/sum_amd64.go |   22 -
 .../golang.org/x/crypto/poly1305/sum_amd64.s  |  125 -
 .../golang.org/x/crypto/poly1305/sum_arm.go   |   22 -
 vendor/golang.org/x/crypto/poly1305/sum_arm.s |  427 ---
 .../golang.org/x/crypto/poly1305/sum_ref.go   |  141 -
 .../x/crypto/ripemd160/ripemd160.go           |    6 +-
 .../x/crypto/ripemd160/ripemd160_test.go      |   64 -
 .../x/crypto/ripemd160/ripemd160block.go      |   64 +-
 .../x/crypto/salsa20/salsa/hsalsa20.go        |  144 -
 .../x/crypto/salsa20/salsa/salsa2020_amd64.s  |  889 ------
 .../x/crypto/salsa20/salsa/salsa208.go        |  199 --
 .../x/crypto/salsa20/salsa/salsa20_amd64.go   |   24 -
 .../x/crypto/salsa20/salsa/salsa20_ref.go     |  234 --
 .../x/crypto/salsa20/salsa/salsa_test.go      |   54 -
 vendor/golang.org/x/crypto/salsa20/salsa20.go |   54 -
 .../x/crypto/salsa20/salsa20_test.go          |  139 -
 .../x/crypto/scrypt/example_test.go           |   26 -
 vendor/golang.org/x/crypto/scrypt/scrypt.go   |  244 --
 .../golang.org/x/crypto/scrypt/scrypt_test.go |  162 -
 vendor/golang.org/x/crypto/sha3/doc.go        |   66 -
 vendor/golang.org/x/crypto/sha3/hashes.go     |   65 -
 vendor/golang.org/x/crypto/sha3/keccakf.go    |  412 ---
 .../golang.org/x/crypto/sha3/keccakf_amd64.go |   13 -
 .../golang.org/x/crypto/sha3/keccakf_amd64.s  |  390 ---
 vendor/golang.org/x/crypto/sha3/register.go   |   18 -
 vendor/golang.org/x/crypto/sha3/sha3.go       |  192 --
 vendor/golang.org/x/crypto/sha3/sha3_test.go  |  311 --
 vendor/golang.org/x/crypto/sha3/shake.go      |   60 -
 .../sha3/testdata/keccakKats.json.deflate     |  Bin 521342 -> 0 bytes
 vendor/golang.org/x/crypto/sha3/xor.go        |   16 -
 .../golang.org/x/crypto/sha3/xor_generic.go   |   28 -
 .../golang.org/x/crypto/sha3/xor_unaligned.go |   58 -
 .../golang.org/x/crypto/ssh/agent/client.go   |  683 -----
 .../x/crypto/ssh/agent/client_test.go         |  379 ---
 .../x/crypto/ssh/agent/example_test.go        |   41 -
 .../golang.org/x/crypto/ssh/agent/forward.go  |  103 -
 .../golang.org/x/crypto/ssh/agent/keyring.go  |  215 --
 .../x/crypto/ssh/agent/keyring_test.go        |   76 -
 .../golang.org/x/crypto/ssh/agent/server.go   |  523 ----
 .../x/crypto/ssh/agent/server_test.go         |  259 --
 .../x/crypto/ssh/agent/testdata_test.go       |   64 -
 .../golang.org/x/crypto/ssh/benchmark_test.go |  123 -
 vendor/golang.org/x/crypto/ssh/buffer.go      |   97 -
 vendor/golang.org/x/crypto/ssh/buffer_test.go |   87 -
 vendor/golang.org/x/crypto/ssh/certs.go       |  519 ----
 vendor/golang.org/x/crypto/ssh/certs_test.go  |  335 --
 vendor/golang.org/x/crypto/ssh/channel.go     |  633 ----
 vendor/golang.org/x/crypto/ssh/cipher.go      |  771 -----
 vendor/golang.org/x/crypto/ssh/cipher_test.go |  131 -
 vendor/golang.org/x/crypto/ssh/client.go      |  278 --
 vendor/golang.org/x/crypto/ssh/client_auth.go |  510 ----
 .../x/crypto/ssh/client_auth_test.go          |  628 ----
 vendor/golang.org/x/crypto/ssh/client_test.go |  166 -
 vendor/golang.org/x/crypto/ssh/common.go      |  383 ---
 vendor/golang.org/x/crypto/ssh/connection.go  |  143 -
 vendor/golang.org/x/crypto/ssh/doc.go         |   21 -
 .../golang.org/x/crypto/ssh/example_test.go   |  320 --
 vendor/golang.org/x/crypto/ssh/handshake.go   |  646 ----
 .../golang.org/x/crypto/ssh/handshake_test.go |  559 ----
 vendor/golang.org/x/crypto/ssh/kex.go         |  540 ----
 vendor/golang.org/x/crypto/ssh/kex_test.go    |   50 -
 vendor/golang.org/x/crypto/ssh/keys.go        | 1031 -------
 vendor/golang.org/x/crypto/ssh/keys_test.go   |  500 ---
 .../x/crypto/ssh/knownhosts/knownhosts.go     |  546 ----
 .../crypto/ssh/knownhosts/knownhosts_test.go  |  329 --
 vendor/golang.org/x/crypto/ssh/mac.go         |   61 -
 .../golang.org/x/crypto/ssh/mempipe_test.go   |  110 -
 vendor/golang.org/x/crypto/ssh/messages.go    |  766 -----
 .../golang.org/x/crypto/ssh/messages_test.go  |  288 --
 vendor/golang.org/x/crypto/ssh/mux.go         |  330 --
 vendor/golang.org/x/crypto/ssh/mux_test.go    |  505 ---
 vendor/golang.org/x/crypto/ssh/server.go      |  582 ----
 vendor/golang.org/x/crypto/ssh/session.go     |  647 ----
 .../golang.org/x/crypto/ssh/session_test.go   |  774 -----
 vendor/golang.org/x/crypto/ssh/streamlocal.go |  115 -
 vendor/golang.org/x/crypto/ssh/tcpip.go       |  465 ---
 vendor/golang.org/x/crypto/ssh/tcpip_test.go  |   20 -
 .../x/crypto/ssh/terminal/terminal.go         |  951 ------
 .../x/crypto/ssh/terminal/terminal_test.go    |  350 ---
 .../golang.org/x/crypto/ssh/terminal/util.go  |  116 -
 .../x/crypto/ssh/terminal/util_bsd.go         |   12 -
 .../x/crypto/ssh/terminal/util_linux.go       |   10 -
 .../x/crypto/ssh/terminal/util_plan9.go       |   58 -
 .../x/crypto/ssh/terminal/util_solaris.go     |  128 -
 .../x/crypto/ssh/terminal/util_windows.go     |   97 -
 .../x/crypto/ssh/test/agent_unix_test.go      |   59 -
 .../x/crypto/ssh/test/banner_test.go          |   32 -
 .../golang.org/x/crypto/ssh/test/cert_test.go |   77 -
 .../x/crypto/ssh/test/dial_unix_test.go       |  128 -
 vendor/golang.org/x/crypto/ssh/test/doc.go    |    7 -
 .../x/crypto/ssh/test/forward_unix_test.go    |  194 --
 .../x/crypto/ssh/test/session_test.go         |  443 ---
 .../x/crypto/ssh/test/test_unix_test.go       |  298 --
 .../x/crypto/ssh/test/testdata_test.go        |   64 -
 .../golang.org/x/crypto/ssh/testdata/doc.go   |    8 -
 .../golang.org/x/crypto/ssh/testdata/keys.go  |  198 --
 .../golang.org/x/crypto/ssh/testdata_test.go  |   63 -
 vendor/golang.org/x/crypto/ssh/transport.go   |  353 ---
 .../golang.org/x/crypto/ssh/transport_test.go |  113 -
 vendor/golang.org/x/crypto/tea/cipher.go      |  108 -
 vendor/golang.org/x/crypto/tea/tea_test.go    |   93 -
 vendor/golang.org/x/crypto/twofish/twofish.go |  342 ---
 .../x/crypto/twofish/twofish_test.go          |  129 -
 vendor/golang.org/x/crypto/xtea/block.go      |   66 -
 vendor/golang.org/x/crypto/xtea/cipher.go     |   82 -
 vendor/golang.org/x/crypto/xtea/xtea_test.go  |  229 --
 vendor/golang.org/x/crypto/xts/xts.go         |  137 -
 vendor/golang.org/x/crypto/xts/xts_test.go    |  105 -
 vendor/gopkg.in/check.v1/.gitignore           |    4 -
 vendor/gopkg.in/check.v1/.travis.yml          |    3 -
 vendor/gopkg.in/check.v1/LICENSE              |   25 -
 vendor/gopkg.in/check.v1/README.md            |   20 -
 vendor/gopkg.in/check.v1/TODO                 |    2 -
 vendor/gopkg.in/check.v1/benchmark.go         |  187 --
 vendor/gopkg.in/check.v1/benchmark_test.go    |   91 -
 vendor/gopkg.in/check.v1/bootstrap_test.go    |   82 -
 vendor/gopkg.in/check.v1/check.go             |  873 ------
 vendor/gopkg.in/check.v1/check_test.go        |  207 --
 vendor/gopkg.in/check.v1/checkers.go          |  458 ---
 vendor/gopkg.in/check.v1/checkers_test.go     |  272 --
 vendor/gopkg.in/check.v1/export_test.go       |   19 -
 vendor/gopkg.in/check.v1/fixture_test.go      |  484 ---
 vendor/gopkg.in/check.v1/foundation_test.go   |  335 --
 vendor/gopkg.in/check.v1/helpers.go           |  231 --
 vendor/gopkg.in/check.v1/helpers_test.go      |  519 ----
 vendor/gopkg.in/check.v1/printer.go           |  168 -
 vendor/gopkg.in/check.v1/printer_test.go      |  104 -
 vendor/gopkg.in/check.v1/reporter.go          |   88 -
 vendor/gopkg.in/check.v1/reporter_test.go     |  159 -
 vendor/gopkg.in/check.v1/run.go               |  175 --
 vendor/gopkg.in/check.v1/run_test.go          |  419 ---
 xmlenc/cbc.go                                 |    3 +-
 xmlenc/decrypt.go                             |    5 +-
 xmlenc/decrypt_test.go                        |   79 +-
 xmlenc/digest.go                              |    2 +-
 xmlenc/encrypt_test.go                        |   63 +-
 xmlenc/fuzz_test.go                           |   10 +-
 xmlenc/pubkey.go                              |   17 +-
 xmlenc/test_data/plaintext.xml                |   24 -
 xmlenc/testdata/cert.pem                      |   13 +
 xmlenc/testdata/ciphertext.xml                |   21 +
 .../encrypt-data-aes128-cbc.data              |    0
 .../encrypt-data-aes128-cbc.xml               |    0
 xmlenc/testdata/input.xml                     |    9 +
 xmlenc/testdata/key.pem                       |   15 +
 xmlenc/testdata/plaintext.xml                 |   19 +
 xmlenc/{test_data => testdata}/rsapriv.pem    |    0
 xmlenc/{test_data => testdata}/rsapub.pem     |    0
 xmlenc/xmlenc.go                              |    3 +-
 xmlenc/xmlenc_test.go                         |   53 +-
 606 files changed, 7693 insertions(+), 89378 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/stale.yml
 create mode 100644 .github/workflows/go.yml
 create mode 100644 .github/workflows/maint.yml
 create mode 100644 .golangci.yml
 delete mode 100644 .travis.yml
 delete mode 100644 NOTES.md
 create mode 100644 go.mod
 create mode 100644 go.sum
 create mode 100644 samlidp/testdata/http_metadata_response.html
 create mode 100644 samlidp/testdata/http_sso_response.html
 create mode 100644 samlidp/testdata/idp_cert.pem
 create mode 100644 samlidp/testdata/idp_key.pem
 create mode 100644 samlidp/testdata/sp_cert.pem
 create mode 100644 samlidp/testdata/sp_key.pem
 create mode 100644 samlidp/testdata/sp_metadata.xml
 create mode 100644 samlidp/util_test.go
 create mode 100644 samlsp/error.go
 create mode 100644 samlsp/fetch_metadata.go
 create mode 100644 samlsp/fetch_metadata_test.go
 create mode 100644 samlsp/new.go
 create mode 100644 samlsp/request_tracker.go
 create mode 100644 samlsp/request_tracker_cookie.go
 create mode 100644 samlsp/request_tracker_jwt.go
 delete mode 100644 samlsp/samlsp.go
 create mode 100644 samlsp/session.go
 create mode 100644 samlsp/session_cookie.go
 create mode 100644 samlsp/session_cookie_test.go
 create mode 100644 samlsp/session_jwt.go
 create mode 100644 samlsp/testdata/authn_request.url
 create mode 100644 samlsp/testdata/cert.pem
 create mode 100644 samlsp/testdata/expected_authn_request.xml
 create mode 100644 samlsp/testdata/expected_authn_request_secure.xml
 create mode 100644 samlsp/testdata/expected_middleware_metadata.xml
 create mode 100644 samlsp/testdata/expected_post_binding_response.html
 create mode 100644 samlsp/testdata/idp_metadata.xml
 create mode 100644 samlsp/testdata/key.pem
 create mode 100644 samlsp/testdata/saml_response.xml
 create mode 100644 samlsp/testdata/testshib_metadata.xml
 create mode 100644 samlsp/testdata/token.json
 create mode 100644 samlsp/util.go
 create mode 100644 testdata/SP_AuthnRequest
 create mode 100644 testdata/SP_IDPMetadata
 create mode 100644 testdata/SP_SamlResponse
 create mode 100644 testdata/TestCanParseMetadata_metadata.xml
 create mode 100644 testdata/TestCanProduceMetadataEntityID_metadata
 create mode 100644 testdata/TestCanProduceMetadataNoCerts_metadata
 create mode 100644 testdata/TestCanProduceSPMetadata_expected
 create mode 100644 testdata/TestIDPCanHandlePostRequestWithExistingSession_http_response_body
 create mode 100644 testdata/TestIDPCanHandleRequestWithExistingSession_decodedRequest
 create mode 100644 testdata/TestIDPCanHandleRequestWithExistingSession_http_response_body
 create mode 100644 testdata/TestIDPCanHandleRequestWithNewSession_http_response_body
 create mode 100644 testdata/TestIDPCanHandleUnencryptedResponse_idp_metadata.xml
 create mode 100644 testdata/TestIDPCanHandleUnencryptedResponse_request
 create mode 100644 testdata/TestIDPCanHandleUnencryptedResponse_response
 create mode 100644 testdata/TestIDPIDPInitiatedExistingSession_response
 create mode 100644 testdata/TestIDPMakeResponse_request_buffer
 create mode 100644 testdata/TestIDPMakeResponse_response.xml
 create mode 100644 testdata/TestIDPMarshalAssertion_encrypted_assertion
 create mode 100644 testdata/TestIDPNoDestination_idp_metadata.xml
 create mode 100644 testdata/TestIDPNoDestination_request
 create mode 100644 testdata/TestIDPRequestedAttributes_idp_metadata.xml
 create mode 100644 testdata/TestIDPWriteResponse_RequestBuffer.xml
 create mode 100644 testdata/TestIDPWriteResponseresponse.html
 create mode 100644 testdata/TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_IDPMetadata
 create mode 100644 testdata/TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_response
 create mode 100644 testdata/TestSPCanHandleOktaResponseEncryptedSignedAssertion_IDPMetadata
 create mode 100644 testdata/TestSPCanHandleOktaResponseEncryptedSignedAssertion_response
 create mode 100644 testdata/TestSPCanHandleOktaSignedResponseEncryptedAssertion_IDPMetadata
 create mode 100644 testdata/TestSPCanHandleOktaSignedResponseEncryptedAssertion_response
 create mode 100644 testdata/TestSPCanHandleOneloginResponse_IDPMetadata
 create mode 100644 testdata/TestSPCanHandleOneloginResponse_response
 create mode 100644 testdata/TestSPCanHandlePlaintextResponse_IDPMetadata
 create mode 100644 testdata/TestSPCanHandlePlaintextResponse_response
 create mode 100644 testdata/TestSPCanProduceMetadataWithBothCerts_metadata
 create mode 100644 testdata/TestSPCanProduceMetadataWithEncryptionCert_metadata
 create mode 100644 testdata/TestSPCanProducePostLogoutRequest_form
 create mode 100644 testdata/TestSPCanProducePostLogoutResponse_form
 create mode 100644 testdata/TestSPCanProducePostRequest_form
 create mode 100644 testdata/TestSPCanProduceRedirectLogoutRequest_decodedRequest
 create mode 100644 testdata/TestSPCanProduceRedirectLogoutResponse_decodedResponse
 create mode 100644 testdata/TestSPCanProduceRedirectRequest_decoded_request
 create mode 100644 testdata/TestSPCanProduceSignedRequestPostBinding_decodedRequest
 create mode 100644 testdata/TestSPCanProduceSignedRequestRedirectBinding_decodedRequest
 create mode 100644 testdata/TestSPCanProduceSignedRequestRedirectBinding_queryString
 create mode 100644 testdata/TestSPRealWorldAssertionSignedNotResponse_idp_metadata
 create mode 100644 testdata/TestSPRealWorldAssertionSignedNotResponse_response
 create mode 100644 testdata/TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_idp_metadata
 create mode 100644 testdata/TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_response
 create mode 100644 testdata/TestSPRejectsInjectedComment_IDPMetadata
 create mode 100644 testdata/TestSPRejectsInjectedComment_response
 create mode 100644 testdata/TestSPRejectsMalformedResponse_IDPMetadata
 create mode 100644 testdata/TestSPRejectsMalformedResponse_response
 create mode 100644 testdata/TestSPResponseWithNoIssuer_response
 create mode 100644 testdata/TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata
 create mode 100644 testdata/TestServiceProviderCanHandleSignedAssertionsResponse_response
 create mode 100644 testdata/TestXswPermutationEightIsRejected_response
 create mode 100644 testdata/TestXswPermutationFiveIsRejected_response
 create mode 100644 testdata/TestXswPermutationFourIsRejected_response
 create mode 100644 testdata/TestXswPermutationNineIsRejected_response
 create mode 100644 testdata/TestXswPermutationOneIsRejected_response
 create mode 100644 testdata/TestXswPermutationSevenIsRejected_response
 create mode 100644 testdata/TestXswPermutationSixIsRejected_response
 create mode 100644 testdata/TestXswPermutationThreeIsRejected_response
 create mode 100644 testdata/TestXswPermutationTwoIsRejected_response
 create mode 100644 testdata/cert_2017.pem
 create mode 100644 testdata/idp_authn_request.xml
 create mode 100644 testdata/idp_cert.pem
 create mode 100644 testdata/idp_key.pem
 create mode 100644 testdata/idp_new_session_response
 create mode 100644 testdata/key_2017.pem
 create mode 100644 testdata/sp_cert.pem
 create mode 100644 testdata/sp_key.pem
 delete mode 100644 testsaml/equals_any.go
 create mode 100644 time_test_114.go
 create mode 100644 time_test_115.go
 delete mode 100644 vendor/github.com/beevik/etree/etree_test.go
 delete mode 100644 vendor/github.com/beevik/etree/example_test.go
 delete mode 100644 vendor/github.com/beevik/etree/path_test.go
 delete mode 100644 vendor/github.com/dchest/uniuri/uniuri_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/.gitignore
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/.travis.yml
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/LICENSE
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/MIGRATION_GUIDE.md
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/README.md
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/VERSION_HISTORY.md
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/claims.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/cmd/jwt/README.md
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/cmd/jwt/app.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/cmd/jwt/args.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/doc.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/ecdsa.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/ecdsa_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/ecdsa_utils.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/errors.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/example_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/hmac.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/hmac_example_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/hmac_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/http_example_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/map_claims.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/none.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/none_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/parser.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/parser_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/request/doc.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/request/extractor.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/request/extractor_example_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/request/extractor_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/request/oauth2.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/request/request.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/request/request_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/rsa.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/rsa_pss.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/rsa_pss_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/rsa_test.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/rsa_utils.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/signing_method.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/ec256-private.pem
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/ec256-public.pem
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/ec384-private.pem
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/ec384-public.pem
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/ec512-private.pem
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/ec512-public.pem
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/helpers.go
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/hmacTestKey
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/sample_key
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/test/sample_key.pub
 delete mode 100644 vendor/github.com/dgrijalva/jwt-go/token.go
 delete mode 100644 vendor/github.com/jonboulle/clockwork/.travis.yml
 delete mode 100644 vendor/github.com/jonboulle/clockwork/clockwork_test.go
 delete mode 100644 vendor/github.com/jonboulle/clockwork/example_test.go
 delete mode 100644 vendor/github.com/kr/pretty/diff_test.go
 delete mode 100644 vendor/github.com/kr/pretty/example_test.go
 delete mode 100644 vendor/github.com/kr/pretty/formatter_test.go
 delete mode 100644 vendor/github.com/kr/text/cmd/agg/doc.go
 delete mode 100644 vendor/github.com/kr/text/cmd/agg/main.go
 delete mode 100644 vendor/github.com/kr/text/cmd/agg/num.go
 delete mode 100644 vendor/github.com/kr/text/cmd/agg/string.go
 delete mode 100644 vendor/github.com/kr/text/colwriter/Readme
 delete mode 100644 vendor/github.com/kr/text/colwriter/column.go
 delete mode 100644 vendor/github.com/kr/text/colwriter/column_test.go
 delete mode 100644 vendor/github.com/kr/text/indent_test.go
 delete mode 100644 vendor/github.com/kr/text/mc/Readme
 delete mode 100644 vendor/github.com/kr/text/mc/mc.go
 delete mode 100644 vendor/github.com/kr/text/wrap_test.go
 delete mode 100644 vendor/github.com/russellhaering/goxmldsig/canonicalize_test.go
 mode change 100755 => 100644 vendor/github.com/russellhaering/goxmldsig/run_test.sh
 delete mode 100644 vendor/github.com/russellhaering/goxmldsig/sign_test.go
 delete mode 100644 vendor/github.com/russellhaering/goxmldsig/validate_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/example/.gitignore
 delete mode 100644 vendor/github.com/zenazn/goji/example/README.md
 delete mode 100644 vendor/github.com/zenazn/goji/example/main.go
 delete mode 100644 vendor/github.com/zenazn/goji/example/middleware.go
 delete mode 100644 vendor/github.com/zenazn/goji/example/models.go
 delete mode 100644 vendor/github.com/zenazn/goji/graceful/listener/conn_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/graceful/listener/fake_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/graceful/listener/listener_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/graceful/listener/race_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/graceful/middleware_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/bench_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/example_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/func_equal_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/match_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/middleware/nocache_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/middleware/options_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/middleware/subrouter_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/middleware/urlquery_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/middleware12_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/middleware_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/mux_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/pattern_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/router_middleware_test.go
 delete mode 100644 vendor/github.com/zenazn/goji/web/router_test.go
 delete mode 100644 vendor/golang.org/x/crypto/.gitattributes
 delete mode 100644 vendor/golang.org/x/crypto/.gitignore
 delete mode 100644 vendor/golang.org/x/crypto/CONTRIBUTING.md
 delete mode 100644 vendor/golang.org/x/crypto/README.md
 delete mode 100644 vendor/golang.org/x/crypto/acme/acme.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/acme_test.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/autocert/autocert.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/autocert/autocert_test.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/autocert/cache.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/autocert/cache_test.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/autocert/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/autocert/listener.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/autocert/renewal.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/autocert/renewal_test.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/jws.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/jws_test.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/types.go
 delete mode 100644 vendor/golang.org/x/crypto/acme/types_test.go
 delete mode 100644 vendor/golang.org/x/crypto/argon2/argon2.go
 delete mode 100644 vendor/golang.org/x/crypto/argon2/argon2_test.go
 delete mode 100644 vendor/golang.org/x/crypto/argon2/blake2b.go
 delete mode 100644 vendor/golang.org/x/crypto/argon2/blamka_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/argon2/blamka_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/argon2/blamka_generic.go
 delete mode 100644 vendor/golang.org/x/crypto/argon2/blamka_ref.go
 delete mode 100644 vendor/golang.org/x/crypto/bcrypt/bcrypt_test.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/blake2b.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/blake2b_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/blake2b_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/blake2b_generic.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/blake2b_ref.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/blake2b_test.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/blake2x.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2b/register.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/blake2s.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/blake2s_386.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/blake2s_386.s
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/blake2s_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/blake2s_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/blake2s_generic.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/blake2s_ref.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/blake2s_test.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/blake2x.go
 delete mode 100644 vendor/golang.org/x/crypto/blake2s/register.go
 delete mode 100644 vendor/golang.org/x/crypto/blowfish/blowfish_test.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/bn256.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/bn256_test.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/constants.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/curve.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/gfp12.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/gfp2.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/gfp6.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/optate.go
 delete mode 100644 vendor/golang.org/x/crypto/bn256/twist.go
 delete mode 100644 vendor/golang.org/x/crypto/cast5/cast5.go
 delete mode 100644 vendor/golang.org/x/crypto/cast5/cast5_test.go
 delete mode 100644 vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305.go
 delete mode 100644 vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go
 delete mode 100644 vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_noasm.go
 delete mode 100644 vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_test.go
 delete mode 100644 vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_vectors_test.go
 delete mode 100644 vendor/golang.org/x/crypto/codereview.cfg
 delete mode 100644 vendor/golang.org/x/crypto/cryptobyte/asn1.go
 delete mode 100644 vendor/golang.org/x/crypto/cryptobyte/asn1/asn1.go
 delete mode 100644 vendor/golang.org/x/crypto/cryptobyte/asn1_test.go
 delete mode 100644 vendor/golang.org/x/crypto/cryptobyte/builder.go
 delete mode 100644 vendor/golang.org/x/crypto/cryptobyte/cryptobyte_test.go
 delete mode 100644 vendor/golang.org/x/crypto/cryptobyte/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/cryptobyte/string.go
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/const_amd64.h
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/const_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/cswap_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/curve25519.go
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/curve25519_test.go
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/doc.go
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/freeze_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/mul_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/curve25519/square_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/ed25519/ed25519.go
 delete mode 100644 vendor/golang.org/x/crypto/ed25519/ed25519_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
 delete mode 100644 vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
 delete mode 100644 vendor/golang.org/x/crypto/ed25519/testdata/sign.input.gz
 delete mode 100644 vendor/golang.org/x/crypto/hkdf/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/hkdf/hkdf.go
 delete mode 100644 vendor/golang.org/x/crypto/hkdf/hkdf_test.go
 delete mode 100644 vendor/golang.org/x/crypto/internal/chacha20/chacha_generic.go
 delete mode 100644 vendor/golang.org/x/crypto/internal/chacha20/chacha_test.go
 delete mode 100644 vendor/golang.org/x/crypto/md4/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/md4/md4.go
 delete mode 100644 vendor/golang.org/x/crypto/md4/md4_test.go
 delete mode 100644 vendor/golang.org/x/crypto/md4/md4block.go
 delete mode 100644 vendor/golang.org/x/crypto/nacl/auth/auth.go
 delete mode 100644 vendor/golang.org/x/crypto/nacl/auth/auth_test.go
 delete mode 100644 vendor/golang.org/x/crypto/nacl/auth/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/nacl/box/box.go
 delete mode 100644 vendor/golang.org/x/crypto/nacl/box/box_test.go
 delete mode 100644 vendor/golang.org/x/crypto/nacl/box/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/nacl/secretbox/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/nacl/secretbox/secretbox.go
 delete mode 100644 vendor/golang.org/x/crypto/nacl/secretbox/secretbox_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ocsp/ocsp.go
 delete mode 100644 vendor/golang.org/x/crypto/ocsp/ocsp_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/armor/armor.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/armor/armor_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/armor/encode.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/canonical_text.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/canonical_text_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/clearsign/clearsign_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/elgamal/elgamal_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/errors/errors.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/keys.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/keys_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/compressed.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/compressed_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/config.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/encrypted_key_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/literal.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/ocfb_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/opaque.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/opaque_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/packet.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/packet_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/private_key.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/private_key_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/public_key.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/public_key_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/public_key_v3_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/reader.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/signature.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/signature_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/signature_v3_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/userattribute.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/userattribute_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/userid.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/packet/userid_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/read.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/read_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/s2k/s2k.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/s2k/s2k_test.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/write.go
 delete mode 100644 vendor/golang.org/x/crypto/openpgp/write_test.go
 delete mode 100644 vendor/golang.org/x/crypto/otr/libotr_test_helper.c
 delete mode 100644 vendor/golang.org/x/crypto/otr/otr.go
 delete mode 100644 vendor/golang.org/x/crypto/otr/otr_test.go
 delete mode 100644 vendor/golang.org/x/crypto/otr/smp.go
 delete mode 100644 vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
 delete mode 100644 vendor/golang.org/x/crypto/pbkdf2/pbkdf2_test.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/bmp-string.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/bmp-string_test.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/crypto.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/crypto_test.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/errors.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/internal/rc2/bench_test.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2_test.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/mac.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/mac_test.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/pbkdf.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/pbkdf_test.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/pkcs12.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/pkcs12_test.go
 delete mode 100644 vendor/golang.org/x/crypto/pkcs12/safebags.go
 delete mode 100644 vendor/golang.org/x/crypto/poly1305/poly1305.go
 delete mode 100644 vendor/golang.org/x/crypto/poly1305/poly1305_test.go
 delete mode 100644 vendor/golang.org/x/crypto/poly1305/sum_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/poly1305/sum_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/poly1305/sum_arm.go
 delete mode 100644 vendor/golang.org/x/crypto/poly1305/sum_arm.s
 delete mode 100644 vendor/golang.org/x/crypto/poly1305/sum_ref.go
 delete mode 100644 vendor/golang.org/x/crypto/ripemd160/ripemd160_test.go
 delete mode 100644 vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go
 delete mode 100644 vendor/golang.org/x/crypto/salsa20/salsa/salsa2020_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/salsa20/salsa/salsa208.go
 delete mode 100644 vendor/golang.org/x/crypto/salsa20/salsa/salsa20_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/salsa20/salsa/salsa20_ref.go
 delete mode 100644 vendor/golang.org/x/crypto/salsa20/salsa/salsa_test.go
 delete mode 100644 vendor/golang.org/x/crypto/salsa20/salsa20.go
 delete mode 100644 vendor/golang.org/x/crypto/salsa20/salsa20_test.go
 delete mode 100644 vendor/golang.org/x/crypto/scrypt/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/scrypt/scrypt.go
 delete mode 100644 vendor/golang.org/x/crypto/scrypt/scrypt_test.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/doc.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/hashes.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/keccakf.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
 delete mode 100644 vendor/golang.org/x/crypto/sha3/register.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/sha3.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/sha3_test.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/shake.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/testdata/keccakKats.json.deflate
 delete mode 100644 vendor/golang.org/x/crypto/sha3/xor.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/xor_generic.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/xor_unaligned.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/agent/client.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/agent/client_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/agent/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/agent/forward.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/agent/keyring.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/agent/keyring_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/agent/server.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/agent/server_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/agent/testdata_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/benchmark_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/buffer.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/buffer_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/certs.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/certs_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/channel.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/cipher.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/cipher_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/client.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/client_auth.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/client_auth_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/client_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/common.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/connection.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/doc.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/example_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/handshake.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/handshake_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/kex.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/kex_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/keys.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/keys_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/mac.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/mempipe_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/messages.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/messages_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/mux.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/mux_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/server.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/session.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/session_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/streamlocal.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/tcpip.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/tcpip_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/terminal/terminal.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/terminal/terminal_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/terminal/util.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/terminal/util_bsd.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/terminal/util_linux.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/terminal/util_plan9.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/terminal/util_solaris.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/terminal/util_windows.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/test/agent_unix_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/test/banner_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/test/cert_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/test/dial_unix_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/test/doc.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/test/forward_unix_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/test/session_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/test/test_unix_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/test/testdata_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/testdata/doc.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/testdata/keys.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/testdata_test.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/transport.go
 delete mode 100644 vendor/golang.org/x/crypto/ssh/transport_test.go
 delete mode 100644 vendor/golang.org/x/crypto/tea/cipher.go
 delete mode 100644 vendor/golang.org/x/crypto/tea/tea_test.go
 delete mode 100644 vendor/golang.org/x/crypto/twofish/twofish.go
 delete mode 100644 vendor/golang.org/x/crypto/twofish/twofish_test.go
 delete mode 100644 vendor/golang.org/x/crypto/xtea/block.go
 delete mode 100644 vendor/golang.org/x/crypto/xtea/cipher.go
 delete mode 100644 vendor/golang.org/x/crypto/xtea/xtea_test.go
 delete mode 100644 vendor/golang.org/x/crypto/xts/xts.go
 delete mode 100644 vendor/golang.org/x/crypto/xts/xts_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/.gitignore
 delete mode 100644 vendor/gopkg.in/check.v1/.travis.yml
 delete mode 100644 vendor/gopkg.in/check.v1/LICENSE
 delete mode 100644 vendor/gopkg.in/check.v1/README.md
 delete mode 100644 vendor/gopkg.in/check.v1/TODO
 delete mode 100644 vendor/gopkg.in/check.v1/benchmark.go
 delete mode 100644 vendor/gopkg.in/check.v1/benchmark_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/bootstrap_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/check.go
 delete mode 100644 vendor/gopkg.in/check.v1/check_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/checkers.go
 delete mode 100644 vendor/gopkg.in/check.v1/checkers_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/export_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/fixture_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/foundation_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/helpers.go
 delete mode 100644 vendor/gopkg.in/check.v1/helpers_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/printer.go
 delete mode 100644 vendor/gopkg.in/check.v1/printer_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/reporter.go
 delete mode 100644 vendor/gopkg.in/check.v1/reporter_test.go
 delete mode 100644 vendor/gopkg.in/check.v1/run.go
 delete mode 100644 vendor/gopkg.in/check.v1/run_test.go
 delete mode 100644 xmlenc/test_data/plaintext.xml
 create mode 100644 xmlenc/testdata/cert.pem
 create mode 100644 xmlenc/testdata/ciphertext.xml
 rename xmlenc/{test_data => testdata}/encrypt-data-aes128-cbc.data (100%)
 rename xmlenc/{test_data => testdata}/encrypt-data-aes128-cbc.xml (100%)
 create mode 100644 xmlenc/testdata/input.xml
 create mode 100644 xmlenc/testdata/key.pem
 create mode 100644 xmlenc/testdata/plaintext.xml
 rename xmlenc/{test_data => testdata}/rsapriv.pem (100%)
 rename xmlenc/{test_data => testdata}/rsapub.pem (100%)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..d921d0ff
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
diff --git a/.github/stale.yml b/.github/stale.yml
new file mode 100644
index 00000000..a390ffbf
--- /dev/null
+++ b/.github/stale.yml
@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: true
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
new file mode 100644
index 00000000..1512e3ec
--- /dev/null
+++ b/.github/workflows/go.yml
@@ -0,0 +1,24 @@
+name: Presubmit
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+jobs:
+  check:
+    name: Presubmit checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v2
+        with:
+          go-version: ^1.13
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+      - name: Get dependencies
+        run: |
+          curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(go env GOPATH)/bin v1.24.0
+      - name: Lint
+        run: golangci-lint run
+      - name: Test
+        run: go test -v ./...
diff --git a/.github/workflows/maint.yml b/.github/workflows/maint.yml
new file mode 100644
index 00000000..799ffab0
--- /dev/null
+++ b/.github/workflows/maint.yml
@@ -0,0 +1,34 @@
+name: Maintainer
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 12 * * 0"
+jobs:
+  upgrade_go:
+    name: Upgrade go.mod
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: "^1.17.0"
+      - name: Install goupdate
+        run: |
+          (
+            cd $(mktemp -d)
+            go get github.com/crewjam/goupdate
+          )
+          git config --global user.email noreply@github.com
+          git config --global user.name "Github Actions"
+      - name: Update go.mod
+        run: |
+          go version
+          go env
+          $(go env GOPATH)/bin/goupdate -test 'go test ./...' --commit -v
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+          commit-message: "Update go.mod"
+          branch: auto/update-go
+          title: "Update go.mod"
+          body: ""
diff --git a/.gitignore b/.gitignore
index 1745da5c..618d11cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,7 @@
 coverage.out
 coverage.html
+vendor/
+
+# IDE-specific settings
+.idea
+.vscode
\ No newline at end of file
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 00000000..e5188854
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,78 @@
+# Configuration file for golangci-lint
+#
+# https://github.com/golangci/golangci-lint
+#
+# fighting with false positives?
+# https://github.com/golangci/golangci-lint#nolint
+
+linters:
+  enable:
+    - gofmt # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification [fast: true, auto-fix: true]
+    - goimports # Goimports does everything that gofmt does. Additionally it checks unused imports [fast: true, auto-fix: true]
+    - gosec # Errcheck is a program for checking for unchecked errors in go programs. These unchecked errors can be critical bugs in some cases [fast: true, auto-fix: false]
+    - misspell # Finds commonly misspelled English words in comments [fast: true, auto-fix: true]
+    - deadcode # Finds unused code [fast: true, auto-fix: false]
+    - golint # Golint differs from gofmt. Gofmt reformats Go source code, whereas golint prints out style mistakes [fast: true, auto-fix: false]
+    - unconvert # Remove unnecessary type conversions [fast: true, auto-fix: false]
+
+  disable:
+    # TODO(ross): fix errors reported by these checkers and enable them
+    - bodyclose # checks whether HTTP response body is closed successfully [fast: false, auto-fix: false]
+    - depguard # Go linter that checks if package imports are in a list of acceptable packages [fast: true, auto-fix: false]
+    - dupl # Tool for code clone detection [fast: true, auto-fix: false]
+    - errcheck # Inspects source code for security problems [fast: true, auto-fix: false]
+    - gochecknoglobals # Checks that no globals are present in Go code [fast: true, auto-fix: false]
+    - gochecknoinits # Checks that no init functions are present in Go code [fast: true, auto-fix: false]
+    - goconst # Finds repeated strings that could be replaced by a constant [fast: true, auto-fix: false]
+    - gocritic # The most opinionated Go source code linter [fast: true, auto-fix: false]
+    - gocyclo # Computes and checks the cyclomatic complexity of functions [fast: true, auto-fix: false]
+    - gosimple # Linter for Go source code that specializes in simplifying a code [fast: false, auto-fix: false]
+    - govet # Vet examines Go source code and reports suspicious constructs, such as Printf calls whose arguments do not align with the format string [fast: false, auto-fix: false]
+    - ineffassign # Detects when assignments to existing variables are not used [fast: true, auto-fix: false]
+    - interfacer # Linter that suggests narrower interface types [fast: false, auto-fix: false]
+    - lll # Reports long lines [fast: true, auto-fix: false]
+    - maligned # Tool to detect Go structs that would take less memory if their fields were sorted [fast: true, auto-fix: false]
+    - nakedret # Finds naked returns in functions greater than a specified function length [fast: true, auto-fix: false]
+    - prealloc # Finds slice declarations that could potentially be preallocated [fast: true, auto-fix: false]
+    - scopelint # Scopelint checks for unpinned variables in go programs [fast: true, auto-fix: false]
+    - staticcheck # Staticcheck is a go vet on steroids, applying a ton of static analysis checks [fast: false, auto-fix: false]
+    - structcheck # Finds unused struct fields [fast: true, auto-fix: false]
+    - stylecheck # Stylecheck is a replacement for golint [fast: false, auto-fix: false]
+    - typecheck # Like the front-end of a Go compiler, parses and type-checks Go code [fast: true, auto-fix: false]
+    - unparam # Reports unused function parameters [fast: false, auto-fix: false]
+    - unused # Checks Go code for unused constants, variables, functions and types [fast: false, auto-fix: false]
+    - varcheck # Finds unused global variables and constants [fast: true, auto-fix: false]
+linters-settings:
+  goimports:
+    local-prefixes: github.com/lightstep/saml
+  govet:
+    disable:
+      - shadow
+    enable:
+      - asmdecl
+      - assign
+      - atomic
+      - bools
+      - buildtag
+      - cgocall
+      - composites
+      - copylocks
+      - errorsas
+      - httpresponse
+      - loopclosure
+      - lostcancel
+      - nilfunc
+      - printf
+      - shift
+      - stdmethods
+      - structtag
+      - tests
+      - unmarshal
+      - unreachable
+      - unsafeptr
+      - unusedresult
+issues:
+  exclude-use-default: false
+  exclude:
+    - G104 # 'Errors unhandled. (gosec)
+
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index d2b67f69..00000000
--- a/.travis.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-language: go
-
-go:
-  - 1.7
-  - 1.8
-  - tip
diff --git a/NOTES.md b/NOTES.md
deleted file mode 100644
index 33c3ac31..00000000
--- a/NOTES.md
+++ /dev/null
@@ -1,21 +0,0 @@
-* https://github.com/lestrrat/go-libxml2
-* https://github.com/onelogin/python-saml
-   - reads settings from a JSON file (yuck)
-   - BSD License (3-clause)
-* TODO: understand xml bomb (https://pypi.python.org/pypi/defusedxml)
-
-* Providers for SAML SP & IDP endpoints 
-* Methods for generating and authenticating various SAML flows
-
-
-
-
-Current working demo:
-
-term1: go run ./example/idp/idp.go -bind :8001
-term2: ngrok http 8001
-term4: ngrok http 8000
-edit example.go and fill in values for baseURL (term4) and idpMetadataURL (term2)
-term3: go run ./example/example.go -bind :8000
-term5: curl -v https://$SP.ngrok.io/saml/metadata | curl -v -H "Content-type: text/xml" --data-binary @- https://$IDP.ngrok.io/register-sp
-browser: https://$SP.ngrok.io
diff --git a/README.md b/README.md
index 2359ee6b..8f71b0b7 100644
--- a/README.md
+++ b/README.md
@@ -1,143 +1,142 @@
+# SAML
 
-## Breaking Changes 
+[![](https://godoc.org/github.com/lightstep/saml?status.svg)](http://godoc.org/github.com/lightstep/saml)
 
-Note: between version 0.2.0 and the current master include changes to the API
-that will break your existing code a little.
-
-This change turned some fields from pointers to a single optional struct into
-the more correct slice of struct, and to pluralize the field name. For example,
-`IDPSSODescriptor *IDPSSODescriptor` has become 
-`IDPSSODescriptors []IDPSSODescriptor`. This more accurately reflects the 
-standard.
-
-The struct `Metadata` has been renamed to `EntityDescriptor`. In 0.2.0 and before, 
-every struct derived from the standard has the same name as in the standard, 
-*except* for `Metadata` which should always have been called `EntityDescriptor`. 
-
-In various places `url.URL` is now used where `string` was used <= version 0.1.0.
-
-In various places where keys and certificates were modeled as `string` 
-<= version 0.1.0 (what was I thinking?!) they are now modeled as 
-`*rsa.PrivateKey`, `*x509.Certificate`, or `crypto.PrivateKey` as appropriate.
-
-## Introduction
+![Build Status](https://github.com/lightstep/saml/workflows/Presubmit/badge.svg)
 
 Package saml contains a partial implementation of the SAML standard in golang.
 SAML is a standard for identity federation, i.e. either allowing a third party to authenticate your users or allowing third parties to rely on us to authenticate their users.
 
+## Introduction
+
 In SAML parlance an **Identity Provider** (IDP) is a service that knows how to authenticate users. A **Service Provider** (SP) is a service that delegates authentication to an IDP. If you are building a service where users log in with someone else's credentials, then you are a **Service Provider**. This package supports implementing both service providers and identity providers.
 
 The core package contains the implementation of SAML. The package samlsp provides helper middleware suitable for use in Service Provider applications. The package samlidp provides a rudimentary IDP service that is useful for testing or as a starting point for other integrations.
 
 ## Getting Started as a Service Provider
 
-Let us assume we have a simple web appliation to protect. We'll modify this application so it uses SAML to authenticate users.
+Let us assume we have a simple web application to protect. We'll modify this application so it uses SAML to authenticate users.
 
-    package main
+```golang
+package main
 
-    import "net/http"
+import (
+    "fmt"
+    "net/http"
+)
 
-    func hello(w http.ResponseWriter, r *http.Request) {
-        fmt.Fprintf(w, "Hello, World!")
-    }
+func hello(w http.ResponseWriter, r *http.Request) {
+    fmt.Fprintf(w, "Hello, World!")
+}
 
-    func main() {
-        app := http.HandlerFunc(hello)
-        http.Handle("/hello", app)
-        http.ListenAndServe(":8000", nil)
-    }
+func main() {
+    app := http.HandlerFunc(hello)
+    http.Handle("/hello", app)
+    http.ListenAndServe(":8000", nil)
+}
+```
 
 Each service provider must have an self-signed X.509 key pair established. You can generate your own with something like this:
 
     openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com"
 
-We will use `samlsp.Middleware` to wrap the endpoint we want to protect. Middleware provides both an `http.Handler` to serve the SAML specific URLs **and** a set of wrappers to require the user to be logged in. We also provide the URL where the service provider can fetch the metadata from the IDP at startup. In our case, we'll use [testshib.org](https://www.testshib.org/), an identity provider designed for testing.
-
-    package main
-
-    import (
-        "fmt"
-        "io/ioutil"
-        "net/http"
-
-        "github.com/crewjam/saml/samlsp"
-    )
-
-    func hello(w http.ResponseWriter, r *http.Request) {
-        fmt.Fprintf(w, "Hello, %s!", r.Header.Get("X-Saml-Cn"))
-    }
-
-    func main() {
-        keyPair, err := tls.LoadX509KeyPair("myservice.cert", "myservice.key")
-        if err != nil {
-            panic(err) // TODO handle error
-        }
-        keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
-        if err != nil {
-            panic(err) // TODO handle error
-        }
-
-        idpMetadataURL, err := url.Parse("https://www.testshib.org/metadata/testshib-providers.xml")
-        if err != nil {
-            panic(err) // TODO handle error
-        }
-
-        rootURL, err := url.Parse("http://localhost:8000")
-        if err != nil {
-            panic(err) // TODO handle error
-        }
-
-        samlSP, _ := samlsp.New(samlsp.Options{
-            URL:            *rootURL,
-            Key:            kp.PrivateKey.(*rsa.PrivateKey),
-            Certificate:    kp.Leaf,
-            IDPMetadataURL: idpMetadataURL,
-        })
-        app := http.HandlerFunc(hello)
-        http.Handle("/hello", samlSP.RequireAccount(app))
-        http.Handle("/saml/", samlSP)
-        http.ListenAndServe(":8000", nil)
-    }
-
-
-Next we'll have to register our service provider with the identiy provider to establish trust from the service provider to the IDP. For [testshib.org](https://www.testshib.org/), you can do something like:
+We will use `samlsp.Middleware` to wrap the endpoint we want to protect. Middleware provides both an `http.Handler` to serve the SAML specific URLs **and** a set of wrappers to require the user to be logged in. We also provide the URL where the service provider can fetch the metadata from the IDP at startup. In our case, we'll use [samltest.id](https://samltest.id/), an identity provider designed for testing.
+
+```golang
+package main
+
+import (
+	"context"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/crewjam/saml/samlsp"
+)
+
+func hello(w http.ResponseWriter, r *http.Request) {
+	fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "cn"))
+}
+
+func main() {
+	keyPair, err := tls.LoadX509KeyPair("myservice.cert", "myservice.key")
+	if err != nil {
+		panic(err) // TODO handle error
+	}
+	keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
+	if err != nil {
+		panic(err) // TODO handle error
+	}
+
+	idpMetadataURL, err := url.Parse("https://samltest.id/saml/idp")
+	if err != nil {
+		panic(err) // TODO handle error
+	}
+	idpMetadata, err := samlsp.FetchMetadata(context.Background(), http.DefaultClient,
+		*idpMetadataURL)
+	if err != nil {
+		panic(err) // TODO handle error
+	}
+
+	rootURL, err := url.Parse("http://localhost:8000")
+	if err != nil {
+		panic(err) // TODO handle error
+	}
+
+	samlSP, _ := samlsp.New(samlsp.Options{
+		URL:            *rootURL,
+		Key:            keyPair.PrivateKey.(*rsa.PrivateKey),
+		Certificate:    keyPair.Leaf,
+		IDPMetadata: idpMetadata,
+	})
+	app := http.HandlerFunc(hello)
+	http.Handle("/hello", samlSP.RequireAccount(app))
+	http.Handle("/saml/", samlSP)
+	http.ListenAndServe(":8000", nil)
+}
+```
+
+Next we'll have to register our service provider with the identity provider to establish trust from the service provider to the IDP. For [samltest.id](https://samltest.id/), you can do something like:
 
     mdpath=saml-test-$USER-$HOST.xml
     curl localhost:8000/saml/metadata > $mdpath
 
-Naviate to https://www.testshib.org/register.html and upload the file you fetched.
+Navigate to https://samltest.id/upload.php and upload the file you fetched.
 
 Now you should be able to authenticate. The flow should look like this:
 
 1. You browse to `localhost:8000/hello`
 
-2. The middleware redirects you to `https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO`
+1. The middleware redirects you to `https://samltest.id/idp/profile/SAML2/Redirect/SSO`
 
-3. testshib.org prompts you for a username and password.
+1. samltest.id prompts you for a username and password.
 
-4. testshib.org returns you an HTML document which contains an HTML form setup to POST to `localhost:8000/saml/acs`. The form is automatically submitted if you have javascript enabled.
+1. samltest.id returns you an HTML document which contains an HTML form setup to POST to `localhost:8000/saml/acs`. The form is automatically submitted if you have javascript enabled.
 
-5. The local service validates the response, issues a session cookie, and redirects you to the original URL, `localhost:8000/hello`.
+1. The local service validates the response, issues a session cookie, and redirects you to the original URL, `localhost:8000/hello`.
 
-6. This time when `localhost:8000/hello` is requested there is a valid session and so the main content is served.
+1. This time when `localhost:8000/hello` is requested there is a valid session and so the main content is served.
 
 ## Getting Started as an Identity Provider
 
-Please see `examples/idp/` for a substantially complete example of how to use the library and helpers to be an identity provider.
+Please see `example/idp/` for a substantially complete example of how to use the library and helpers to be an identity provider.
 
 ## Support
 
-The SAML standard is huge and complex with many dark corners and strange, unused features. This package implements the most commonly used subset of these features required to provide a single sign on experience. The package supports at least the subset of SAML known as [interoperable SAML](http://saml2int.org).
+The SAML standard is huge and complex with many dark corners and strange, unused features. This package implements the most commonly used subset of these features required to provide a single sign on experience. The package supports at least the subset of SAML known as [interoperable SAML](https://kantarainitiative.github.io/SAMLprofiles/saml2int.html).
 
 This package supports the **Web SSO** profile. Message flows from the service provider to the IDP are supported using the **HTTP Redirect** binding and the **HTTP POST** binding. Message flows from the IDP to the service provider are supported via the **HTTP POST** binding.
 
-The package supports signed and encrypted SAML assertions. It does not support signed or encrypted requests.
+The package can produce signed SAML assertions, and can validate both signed and encrypted SAML assertions. It does not support signed or encrypted requests.
 
 ## RelayState
 
-The *RelayState* parameter allows you to pass user state information across the authentication flow. The most common use for this is to allow a user to request a deep link into your site, be redirected through the SAML login flow, and upon successful completion, be directed to the originaly requested link, rather than the root.
+The _RelayState_ parameter allows you to pass user state information across the authentication flow. The most common use for this is to allow a user to request a deep link into your site, be redirected through the SAML login flow, and upon successful completion, be directed to the originally requested link, rather than the root.
 
-Unfortunately, *RelayState* is less useful than it could be. Firstly, it is **not** authenticated, so anything you supply must be signed to avoid XSS or CSRF. Secondly, it is limited to 80 bytes in length, which precludes signing. (See section 3.6.3.1 of SAMLProfiles.)
+Unfortunately, _RelayState_ is less useful than it could be. Firstly, it is **not** authenticated, so anything you supply must be signed to avoid XSS or CSRF. Secondly, it is limited to 80 bytes in length, which precludes signing. (See section 3.6.3.1 of SAMLProfiles.)
 
 ## References
 
@@ -151,8 +150,8 @@ The SAML specification is a collection of PDFs (sadly):
 
 - [SAMLConformance](http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf) includes a support matrix for various parts of the protocol.
 
-[TestShib](https://www.testshib.org/) is a testing ground for SAML service and identity providers.
+[SAMLtest](https://samltest.id/) is a testing ground for SAML service and identity providers.
 
 ## Security Issues
 
-Please do not report security issues in the issue tracker. Rather, please contact me directly at ross@kndr.org ([PGP Key `8EA205C01C425FF195A5E9A43FA0768F26FD2554`](https://keybase.io/crewjam)).
+Please do not report security issues in the issue tracker. Rather, please contact me directly at ross@kndr.org ([PGP Key `78B6038B3B9DFB88`](https://keybase.io/crewjam)). If your issue is *not* a security issue, please use the issue tracker so other contributors can help.
diff --git a/duration_test.go b/duration_test.go
index 7302ed2c..54ffa0cc 100644
--- a/duration_test.go
+++ b/duration_test.go
@@ -2,18 +2,17 @@ package saml
 
 import (
 	"errors"
+	"strconv"
+	"testing"
 	"time"
 
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
-var _ = Suite(&DurationTest{})
-
-type DurationTest struct{}
-
 var durationMarshalTests = []struct {
-	in  time.Duration
-	out []byte
+	in       time.Duration
+	expected []byte
 }{
 	{0, nil},
 	{time.Nanosecond, []byte("PT0.000000001S")},
@@ -25,18 +24,20 @@ var durationMarshalTests = []struct {
 	{2*time.Hour + 3*time.Minute + 4*time.Second + 5*time.Nanosecond, []byte("PT2H3M4.000000005S")},
 }
 
-func (t DurationTest) TestMarshalText(c *C) {
-	for _, tc := range durationMarshalTests {
-		got, err := Duration(tc.in).MarshalText()
-		c.Assert(err, IsNil)
-		c.Assert(got, DeepEquals, tc.out)
+func TestDuration(t *testing.T) {
+	for i, testCase := range durationMarshalTests {
+		t.Run(strconv.Itoa(i), func(t *testing.T) {
+			actual, err := Duration(testCase.in).MarshalText()
+			assert.Check(t, err)
+			assert.Check(t, is.DeepEqual(testCase.expected, actual))
+		})
 	}
 }
 
 var durationUnmarshalTests = []struct {
-	in  []byte
-	out time.Duration
-	err error
+	in       []byte
+	expected time.Duration
+	err      error
 }{
 	{nil, 0, nil},
 	{[]byte("PT0.0000000001S"), 0, nil},
@@ -68,11 +69,17 @@ var durationUnmarshalTests = []struct {
 	{[]byte("PT1.S"), 0, errors.New("invalid duration (PT1.S)")},
 }
 
-func (t DurationTest) TestUnmarshalText(c *C) {
-	for _, tc := range durationUnmarshalTests {
-		var d Duration
-		err := d.UnmarshalText(tc.in)
-		c.Assert(err, DeepEquals, tc.err)
-		c.Assert(d, Equals, Duration(tc.out))
+func TestDurationUnmarshal(t *testing.T) {
+	for i, testCase := range durationUnmarshalTests {
+		t.Run(strconv.Itoa(i), func(t *testing.T) {
+			var actual Duration
+			err := actual.UnmarshalText(testCase.in)
+			if testCase.err == nil {
+				assert.Check(t, err)
+			} else {
+				assert.Check(t, is.Error(err, testCase.err.Error()))
+			}
+			assert.Check(t, is.Equal(Duration(testCase.expected), actual))
+		})
 	}
 }
diff --git a/example/idp/idp.go b/example/idp/idp.go
index 97e7ad98..aa465bac 100644
--- a/example/idp/idp.go
+++ b/example/idp/idp.go
@@ -7,10 +7,11 @@ import (
 	"flag"
 	"net/url"
 
-	"github.com/lightstep/saml/logger"
-	"github.com/lightstep/saml/samlidp"
 	"github.com/zenazn/goji"
 	"golang.org/x/crypto/bcrypt"
+
+	"github.com/lightstep/saml/logger"
+	"github.com/lightstep/saml/samlidp"
 )
 
 var key = func() crypto.PrivateKey {
diff --git a/example/service.go b/example/service.go
index b54f1563..df2012b2 100644
--- a/example/service.go
+++ b/example/service.go
@@ -3,6 +3,7 @@ package main
 
 import (
 	"bytes"
+	"context"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
@@ -18,7 +19,6 @@ import (
 	"github.com/zenazn/goji"
 	"github.com/zenazn/goji/web"
 
-	"github.com/lightstep/saml/logger"
 	"github.com/lightstep/saml/samlsp"
 )
 
@@ -100,7 +100,6 @@ OwJlNCASPZRH/JmF8tX0hoHuAQ==
 )
 
 func main() {
-	logr := logger.DefaultLogger
 	rootURLstr := flag.String("url", "https://962766ce.ngrok.io", "The base URL of this service")
 	idpMetadataURLstr := flag.String("idp", "https://516becc2.ngrok.io/metadata", "The metadata URL for the IDP")
 	flag.Parse()
@@ -119,6 +118,12 @@ func main() {
 		panic(err) // TODO handle error
 	}
 
+	idpMetadata, err := samlsp.FetchMetadata(context.Background(), http.DefaultClient,
+		*idpMetadataURL)
+	if err != nil {
+		panic(err) // TODO handle error
+	}
+
 	rootURL, err := url.Parse(*rootURLstr)
 	if err != nil {
 		panic(err) // TODO handle error
@@ -127,13 +132,12 @@ func main() {
 	samlSP, err := samlsp.New(samlsp.Options{
 		URL:               *rootURL,
 		Key:               keyPair.PrivateKey.(*rsa.PrivateKey),
-		Logger:            logr,
 		Certificate:       keyPair.Leaf,
 		AllowIDPInitiated: true,
-		IDPMetadataURL:    idpMetadataURL,
+		IDPMetadata:       idpMetadata,
 	})
 	if err != nil {
-		logr.Fatalf("%s", err)
+		panic(err) // TODO handle error
 	}
 
 	// register with the service provider
diff --git a/example/trivial/trivial.go b/example/trivial/trivial.go
index 1c5c4357..50ca554b 100644
--- a/example/trivial/trivial.go
+++ b/example/trivial/trivial.go
@@ -1,20 +1,19 @@
 package main
 
 import (
+	"context"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"net/url"
 
-	"crypto/tls"
-	"crypto/x509"
-
-	"crypto/rsa"
-
 	"github.com/lightstep/saml/samlsp"
 )
 
 func hello(w http.ResponseWriter, r *http.Request) {
-	fmt.Fprintf(w, "Hello, %s!", r.Header.Get("X-Saml-Cn"))
+	fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "cn"))
 }
 
 func main() {
@@ -27,22 +26,28 @@ func main() {
 		panic(err) // TODO handle error
 	}
 
-	idpMetadataURL, err := url.Parse("https://www.testshib.org/metadata/testshib-providers.xml")
+	rootURL, _ := url.Parse("http://localhost:8000")
+	idpMetadataURL, _ := url.Parse("https://samltest.id/saml/idp")
+
+	idpMetadata, err := samlsp.FetchMetadata(
+		context.Background(),
+		http.DefaultClient,
+		*idpMetadataURL)
 	if err != nil {
 		panic(err) // TODO handle error
 	}
 
-	rootURL, err := url.Parse("http://localhost:8000")
+	samlSP, err := samlsp.New(samlsp.Options{
+		URL:         *rootURL,
+		IDPMetadata: idpMetadata,
+		Key:         keyPair.PrivateKey.(*rsa.PrivateKey),
+		Certificate: keyPair.Leaf,
+		SignRequest: true,
+	})
 	if err != nil {
 		panic(err) // TODO handle error
 	}
 
-	samlSP, _ := samlsp.New(samlsp.Options{
-		IDPMetadataURL: idpMetadataURL,
-		URL:            *rootURL,
-		Key:            keyPair.PrivateKey.(*rsa.PrivateKey),
-		Certificate:    keyPair.Leaf,
-	})
 	app := http.HandlerFunc(hello)
 	http.Handle("/hello", samlSP.RequireAccount(app))
 	http.Handle("/saml/", samlSP)
diff --git a/go.mod b/go.mod
new file mode 100644
index 00000000..c4dad961
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,25 @@
+module github.com/lightstep/saml
+
+go 1.17
+
+require (
+	github.com/beevik/etree v1.1.0
+	github.com/crewjam/httperr v0.2.0
+	github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5
+	github.com/form3tech-oss/jwt-go v3.2.2+incompatible
+	github.com/google/go-cmp v0.5.5
+	github.com/kr/pretty v0.2.1
+	github.com/mattermost/xml-roundtrip-validator v0.1.0
+	github.com/russellhaering/goxmldsig v1.1.0
+	github.com/zenazn/goji v1.0.1
+	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2
+	gotest.tools v2.2.0+incompatible
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/jonboulle/clockwork v0.2.2 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 00000000..a45b921f
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,54 @@
+github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
+github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
+github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5 h1:RAV05c0xOkJ3dZGS0JFybxFKZ2WMLabgx3uXnd7rpGs=
+github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
+github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
+github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russellhaering/goxmldsig v1.1.0 h1:lK/zeJie2sqG52ZAlPNn1oBBqsIsEKypUUBGpYYF6lk=
+github.com/russellhaering/goxmldsig v1.1.0/go.mod h1:QK8GhXPB3+AfuCrfo0oRISa9NfzeCpWmxeGnqEpDF9o=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/zenazn/goji v1.0.1 h1:4lbD8Mx2h7IvloP7r2C0D6ltZP6Ufip8Hn0wmSK5LR8=
+github.com/zenazn/goji v1.0.1/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
+golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
+golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
diff --git a/identity_provider.go b/identity_provider.go
index 6d61e1b5..d08803f8 100644
--- a/identity_provider.go
+++ b/identity_provider.go
@@ -10,7 +10,6 @@ import (
 	"encoding/xml"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
@@ -20,9 +19,11 @@ import (
 	"time"
 
 	"github.com/beevik/etree"
+	xrv "github.com/mattermost/xml-roundtrip-validator"
+	dsig "github.com/russellhaering/goxmldsig"
+
 	"github.com/lightstep/saml/logger"
 	"github.com/lightstep/saml/xmlenc"
-	dsig "github.com/russellhaering/goxmldsig"
 )
 
 // Session represents a user session. It is returned by the
@@ -34,13 +35,16 @@ type Session struct {
 	ExpireTime time.Time
 	Index      string
 
-	NameID         string
-	Groups         []string
-	UserName       string
-	UserEmail      string
-	UserCommonName string
-	UserSurname    string
-	UserGivenName  string
+	NameID                string
+	Groups                []string
+	UserName              string
+	UserEmail             string
+	UserCommonName        string
+	UserSurname           string
+	UserGivenName         string
+	UserScopedAffiliation string
+
+	CustomAttributes []Attribute
 }
 
 // SessionProvider is an interface used by IdentityProvider to determine the
@@ -91,11 +95,15 @@ type IdentityProvider struct {
 	Key                     crypto.PrivateKey
 	Logger                  logger.Interface
 	Certificate             *x509.Certificate
+	Intermediates           []*x509.Certificate
 	MetadataURL             url.URL
 	SSOURL                  url.URL
+	LogoutURL               url.URL
 	ServiceProviderProvider ServiceProviderProvider
 	SessionProvider         SessionProvider
 	AssertionMaker          AssertionMaker
+	SignatureMethod         string
+	ValidDuration           *time.Duration
 }
 
 // Metadata returns the metadata structure for this identity provider.
@@ -103,12 +111,19 @@ func (idp *IdentityProvider) Metadata() *EntityDescriptor {
 	certStr := base64.StdEncoding.EncodeToString(idp.Certificate.Raw)
 	validUntil := TimeNow().Add(DefaultValidDuration)
 
-	return &EntityDescriptor{
+	var validDuration time.Duration
+	if idp.ValidDuration != nil {
+		validDuration = *idp.ValidDuration
+	} else {
+		validDuration = DefaultValidDuration
+	}
+
+	ed := &EntityDescriptor{
 		EntityID:      idp.MetadataURL.String(),
 		ValidUntil:    &validUntil,
-		CacheDuration: DefaultValidDuration,
+		CacheDuration: validDuration,
 		IDPSSODescriptors: []IDPSSODescriptor{
-			IDPSSODescriptor{
+			{
 				SSODescriptor: SSODescriptor{
 					RoleDescriptor: RoleDescriptor{
 						ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
@@ -148,6 +163,17 @@ func (idp *IdentityProvider) Metadata() *EntityDescriptor {
 			},
 		},
 	}
+
+	if idp.LogoutURL.String() != "" {
+		ed.IDPSSODescriptors[0].SSODescriptor.SingleLogoutServices = []Endpoint{
+			{
+				Binding:  HTTPRedirectBinding,
+				Location: idp.LogoutURL.String(),
+			},
+		}
+	}
+
+	return ed
 }
 
 // Handler returns an http.Handler that serves the metadata and SSO
@@ -229,6 +255,7 @@ func (idp *IdentityProvider) ServeIDPInitiated(w http.ResponseWriter, r *http.Re
 		IDP:         idp,
 		HTTPRequest: r,
 		RelayState:  relayState,
+		Now:         TimeNow(),
 	}
 
 	session := idp.SessionProvider.GetSession(w, r, req)
@@ -254,6 +281,14 @@ func (idp *IdentityProvider) ServeIDPInitiated(w http.ResponseWriter, r *http.Re
 	for _, spssoDescriptor := range req.ServiceProviderMetadata.SPSSODescriptors {
 		for _, endpoint := range spssoDescriptor.AssertionConsumerServices {
 			if endpoint.Binding == HTTPPostBinding {
+				// explicitly copy loop iterator variables
+				//
+				// c.f. https://github.com/golang/go/wiki/CommonMistakes#using-reference-to-loop-iterator-variable
+				//
+				// (note that I'm pretty sure this isn't strictly necessary because we break out of the loop immediately,
+				// but it certainly doesn't hurt anything and may prevent bugs in the future.)
+				endpoint, spssoDescriptor := endpoint, spssoDescriptor
+
 				req.ACSEndpoint = &endpoint
 				req.SPSSODescriptor = &spssoDescriptor
 				break
@@ -299,6 +334,7 @@ type IdpAuthnRequest struct {
 	Assertion               *Assertion
 	AssertionEl             *etree.Element
 	ResponseEl              *etree.Element
+	Now                     time.Time
 }
 
 // NewIdpAuthnRequest returns a new IdpAuthnRequest for the given HTTP request to the authorization
@@ -307,6 +343,7 @@ func NewIdpAuthnRequest(idp *IdentityProvider, r *http.Request) (*IdpAuthnReques
 	req := &IdpAuthnRequest{
 		IDP:         idp,
 		HTTPRequest: r,
+		Now:         TimeNow(),
 	}
 
 	switch r.Method {
@@ -315,7 +352,7 @@ func NewIdpAuthnRequest(idp *IdentityProvider, r *http.Request) (*IdpAuthnReques
 		if err != nil {
 			return nil, fmt.Errorf("cannot decode request: %s", err)
 		}
-		req.RequestBuffer, err = ioutil.ReadAll(flate.NewReader(bytes.NewReader(compressedRequest)))
+		req.RequestBuffer, err = io.ReadAll(flate.NewReader(bytes.NewReader(compressedRequest)))
 		if err != nil {
 			return nil, fmt.Errorf("cannot decompress request: %s", err)
 		}
@@ -333,6 +370,7 @@ func NewIdpAuthnRequest(idp *IdentityProvider, r *http.Request) (*IdpAuthnReques
 	default:
 		return nil, fmt.Errorf("method not allowed")
 	}
+
 	return req, nil
 }
 
@@ -340,6 +378,10 @@ func NewIdpAuthnRequest(idp *IdentityProvider, r *http.Request) (*IdpAuthnReques
 // the AuthnRequest and Metadata properties. Returns a non-nil error if the
 // request is not valid.
 func (req *IdpAuthnRequest) Validate() error {
+	if err := xrv.Validate(bytes.NewReader(req.RequestBuffer)); err != nil {
+		return err
+	}
+
 	if err := xml.Unmarshal(req.RequestBuffer, &req.Request); err != nil {
 		return err
 	}
@@ -354,7 +396,7 @@ func (req *IdpAuthnRequest) Validate() error {
 	// For now we do the safe thing and fail in the case where we think
 	// requests might be signed.
 	if idpSsoDescriptor.WantAuthnRequestsSigned != nil && *idpSsoDescriptor.WantAuthnRequestsSigned {
-		return fmt.Errorf("Authn request signature checking is not currently supported")
+		return fmt.Errorf("authn request signature checking is not currently supported")
 	}
 
 	// In http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf §3.4.5.2
@@ -407,6 +449,14 @@ func (req *IdpAuthnRequest) getACSEndpoint() error {
 		for _, spssoDescriptor := range req.ServiceProviderMetadata.SPSSODescriptors {
 			for _, spAssertionConsumerService := range spssoDescriptor.AssertionConsumerServices {
 				if strconv.Itoa(spAssertionConsumerService.Index) == req.Request.AssertionConsumerServiceIndex {
+					// explicitly copy loop iterator variables
+					//
+					// c.f. https://github.com/golang/go/wiki/CommonMistakes#using-reference-to-loop-iterator-variable
+					//
+					// (note that I'm pretty sure this isn't strictly necessary because we break out of the loop immediately,
+					// but it certainly doesn't hurt anything and may prevent bugs in the future.)
+					spssoDescriptor, spAssertionConsumerService := spssoDescriptor, spAssertionConsumerService
+
 					req.SPSSODescriptor = &spssoDescriptor
 					req.ACSEndpoint = &spAssertionConsumerService
 					return nil
@@ -419,6 +469,60 @@ func (req *IdpAuthnRequest) getACSEndpoint() error {
 		for _, spssoDescriptor := range req.ServiceProviderMetadata.SPSSODescriptors {
 			for _, spAssertionConsumerService := range spssoDescriptor.AssertionConsumerServices {
 				if spAssertionConsumerService.Location == req.Request.AssertionConsumerServiceURL {
+					// explicitly copy loop iterator variables
+					//
+					// c.f. https://github.com/golang/go/wiki/CommonMistakes#using-reference-to-loop-iterator-variable
+					//
+					// (note that I'm pretty sure this isn't strictly necessary because we break out of the loop immediately,
+					// but it certainly doesn't hurt anything and may prevent bugs in the future.)
+					spssoDescriptor, spAssertionConsumerService := spssoDescriptor, spAssertionConsumerService
+
+					req.SPSSODescriptor = &spssoDescriptor
+					req.ACSEndpoint = &spAssertionConsumerService
+					return nil
+				}
+			}
+		}
+	}
+
+	// Some service providers, like the Microsoft Azure AD service provider, issue
+	// assertion requests that don't specify an ACS url at all.
+	if req.Request.AssertionConsumerServiceURL == "" && req.Request.AssertionConsumerServiceIndex == "" {
+		// find a default ACS binding in the metadata that we can use
+		for _, spssoDescriptor := range req.ServiceProviderMetadata.SPSSODescriptors {
+			for _, spAssertionConsumerService := range spssoDescriptor.AssertionConsumerServices {
+				if spAssertionConsumerService.IsDefault != nil && *spAssertionConsumerService.IsDefault {
+					switch spAssertionConsumerService.Binding {
+					case HTTPPostBinding, HTTPRedirectBinding:
+						// explicitly copy loop iterator variables
+						//
+						// c.f. https://github.com/golang/go/wiki/CommonMistakes#using-reference-to-loop-iterator-variable
+						//
+						// (note that I'm pretty sure this isn't strictly necessary because we break out of the loop immediately,
+						// but it certainly doesn't hurt anything and may prevent bugs in the future.)
+						spssoDescriptor, spAssertionConsumerService := spssoDescriptor, spAssertionConsumerService
+
+						req.SPSSODescriptor = &spssoDescriptor
+						req.ACSEndpoint = &spAssertionConsumerService
+						return nil
+					}
+				}
+			}
+		}
+
+		// if we can't find a default, use *any* ACS binding
+		for _, spssoDescriptor := range req.ServiceProviderMetadata.SPSSODescriptors {
+			for _, spAssertionConsumerService := range spssoDescriptor.AssertionConsumerServices {
+				switch spAssertionConsumerService.Binding {
+				case HTTPPostBinding, HTTPRedirectBinding:
+					// explicitly copy loop iterator variables
+					//
+					// c.f. https://github.com/golang/go/wiki/CommonMistakes#using-reference-to-loop-iterator-variable
+					//
+					// (note that I'm pretty sure this isn't strictly necessary because we break out of the loop immediately,
+					// but it certainly doesn't hurt anything and may prevent bugs in the future.)
+					spssoDescriptor, spAssertionConsumerService := spssoDescriptor, spAssertionConsumerService
+
 					req.SPSSODescriptor = &spssoDescriptor
 					req.ACSEndpoint = &spAssertionConsumerService
 					return nil
@@ -443,12 +547,28 @@ func (DefaultAssertionMaker) MakeAssertion(req *IdpAuthnRequest, session *Sessio
 	var attributeConsumingService *AttributeConsumingService
 	for _, acs := range req.SPSSODescriptor.AttributeConsumingServices {
 		if acs.IsDefault != nil && *acs.IsDefault {
+			// explicitly copy loop iterator variables
+			//
+			// c.f. https://github.com/golang/go/wiki/CommonMistakes#using-reference-to-loop-iterator-variable
+			//
+			// (note that I'm pretty sure this isn't strictly necessary because we break out of the loop immediately,
+			// but it certainly doesn't hurt anything and may prevent bugs in the future.)
+			acs := acs
+
 			attributeConsumingService = &acs
 			break
 		}
 	}
 	if attributeConsumingService == nil {
 		for _, acs := range req.SPSSODescriptor.AttributeConsumingServices {
+			// explicitly copy loop iterator variables
+			//
+			// c.f. https://github.com/golang/go/wiki/CommonMistakes#using-reference-to-loop-iterator-variable
+			//
+			// (note that I'm pretty sure this isn't strictly necessary because we break out of the loop immediately,
+			// but it certainly doesn't hurt anything and may prevent bugs in the future.)
+			acs := acs
+
 			attributeConsumingService = &acs
 			break
 		}
@@ -574,6 +694,22 @@ func (DefaultAssertionMaker) MakeAssertion(req *IdpAuthnRequest, session *Sessio
 		})
 	}
 
+	if session.UserScopedAffiliation != "" {
+		attributes = append(attributes, Attribute{
+			FriendlyName: "uid",
+			Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
+			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+			Values: []AttributeValue{{
+				Type:  "xs:string",
+				Value: session.UserScopedAffiliation,
+			}},
+		})
+	}
+
+	for _, ca := range session.CustomAttributes {
+		attributes = append(attributes, ca)
+	}
+
 	if len(session.Groups) != 0 {
 		groupMemberAttributeValues := []AttributeValue{}
 		for _, group := range session.Groups {
@@ -615,7 +751,7 @@ func (DefaultAssertionMaker) MakeAssertion(req *IdpAuthnRequest, session *Sessio
 				Value:           session.NameID,
 			},
 			SubjectConfirmations: []SubjectConfirmation{
-				SubjectConfirmation{
+				{
 					Method: "urn:oasis:names:tc:SAML:2.0:cm:bearer",
 					SubjectConfirmationData: &SubjectConfirmationData{
 						Address:      req.HTTPRequest.RemoteAddr,
@@ -630,13 +766,13 @@ func (DefaultAssertionMaker) MakeAssertion(req *IdpAuthnRequest, session *Sessio
 			NotBefore:    notBefore,
 			NotOnOrAfter: notOnOrAfterAfter,
 			AudienceRestrictions: []AudienceRestriction{
-				AudienceRestriction{
+				{
 					Audience: Audience{Value: req.ServiceProviderMetadata.EntityID},
 				},
 			},
 		},
 		AuthnStatements: []AuthnStatement{
-			AuthnStatement{
+			{
 				AuthnInstant: session.CreateTime,
 				SessionIndex: session.Index,
 				SubjectLocality: &SubjectLocality{
@@ -650,7 +786,7 @@ func (DefaultAssertionMaker) MakeAssertion(req *IdpAuthnRequest, session *Sessio
 			},
 		},
 		AttributeStatements: []AttributeStatement{
-			AttributeStatement{
+			{
 				Attributes: attributes,
 			},
 		},
@@ -670,11 +806,19 @@ func (req *IdpAuthnRequest) MakeAssertionEl() error {
 		PrivateKey:  req.IDP.Key,
 		Leaf:        req.IDP.Certificate,
 	}
+	for _, cert := range req.IDP.Intermediates {
+		keyPair.Certificate = append(keyPair.Certificate, cert.Raw)
+	}
 	keyStore := dsig.TLSCertKeyStore(keyPair)
 
+	signatureMethod := req.IDP.SignatureMethod
+	if signatureMethod == "" {
+		signatureMethod = dsig.RSASHA1SignatureMethod
+	}
+
 	signingContext := dsig.NewDefaultSigningContext(keyStore)
 	signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList(canonicalizerPrefixList)
-	if err := signingContext.SetSignatureMethod(dsig.RSASHA1SignatureMethod); err != nil {
+	if err := signingContext.SetSignatureMethod(signatureMethod); err != nil {
 		return err
 	}
 
@@ -866,11 +1010,19 @@ func (req *IdpAuthnRequest) MakeResponse() error {
 			PrivateKey:  req.IDP.Key,
 			Leaf:        req.IDP.Certificate,
 		}
+		for _, cert := range req.IDP.Intermediates {
+			keyPair.Certificate = append(keyPair.Certificate, cert.Raw)
+		}
 		keyStore := dsig.TLSCertKeyStore(keyPair)
 
+		signatureMethod := req.IDP.SignatureMethod
+		if signatureMethod == "" {
+			signatureMethod = dsig.RSASHA1SignatureMethod
+		}
+
 		signingContext := dsig.NewDefaultSigningContext(keyStore)
 		signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList(canonicalizerPrefixList)
-		if err := signingContext.SetSignatureMethod(dsig.RSASHA1SignatureMethod); err != nil {
+		if err := signingContext.SetSignatureMethod(signatureMethod); err != nil {
 			return err
 		}
 
diff --git a/identity_provider_test.go b/identity_provider_test.go
index f821b30e..15bb6689 100644
--- a/identity_provider_test.go
+++ b/identity_provider_test.go
@@ -1,6 +1,8 @@
 package saml
 
 import (
+	"bytes"
+	"compress/flate"
 	"crypto"
 	"crypto/rsa"
 	"crypto/x509"
@@ -8,21 +10,26 @@ import (
 	"encoding/pem"
 	"encoding/xml"
 	"fmt"
+	"io"
 	"math/rand"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"strings"
+	"testing"
 	"time"
 
-	"os"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
 
 	"github.com/beevik/etree"
-	"github.com/dgrijalva/jwt-go"
+	"github.com/form3tech-oss/jwt-go"
+
 	"github.com/lightstep/saml/logger"
 	"github.com/lightstep/saml/testsaml"
 	"github.com/lightstep/saml/xmlenc"
-	. "gopkg.in/check.v1"
 )
 
 type IdentityProviderTest struct {
@@ -36,8 +43,6 @@ type IdentityProviderTest struct {
 	IDP             IdentityProvider
 }
 
-var _ = Suite(&IdentityProviderTest{})
-
 func mustParseURL(s string) url.URL {
 	rv, err := url.Parse(s)
 	if err != nil {
@@ -46,8 +51,8 @@ func mustParseURL(s string) url.URL {
 	return *rv
 }
 
-func mustParsePrivateKey(pemStr string) crypto.PrivateKey {
-	b, _ := pem.Decode([]byte(pemStr))
+func mustParsePrivateKey(pemStr []byte) crypto.PrivateKey {
+	b, _ := pem.Decode(pemStr)
 	if b == nil {
 		panic("cannot parse PEM")
 	}
@@ -58,8 +63,8 @@ func mustParsePrivateKey(pemStr string) crypto.PrivateKey {
 	return k
 }
 
-func mustParseCertificate(pemStr string) *x509.Certificate {
-	b, _ := pem.Decode([]byte(pemStr))
+func mustParseCertificate(pemStr []byte) *x509.Certificate {
+	b, _ := pem.Decode(pemStr)
 	if b == nil {
 		panic("cannot parse PEM")
 	}
@@ -70,48 +75,18 @@ func mustParseCertificate(pemStr string) *x509.Certificate {
 	return cert
 }
 
-func (test *IdentityProviderTest) SetUpTest(c *C) {
+func NewIdentifyProviderTest(t *testing.T) *IdentityProviderTest {
+	test := IdentityProviderTest{}
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Dec 1 01:57:09 UTC 2015")
 		return rv
 	}
 	jwt.TimeFunc = TimeNow
 	RandReader = &testRandomReader{}                // TODO(ross): remove this and use the below generator
-	xmlenc.RandReader = rand.New(rand.NewSource(0)) // deterministic random numbers for tests
-
-	//test.AuthnRequest = `https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?RelayState=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1cmkiOiIvIn0.eoUmy2fQduAz--6N82xIOmufY1ZZeRi5x--B7m1pNIY&SAMLRequest=lJJBj9MwEIX%2FSuR7Yzt10sZKIpWtkCotsGqB%2B5BMW4vELp4JsP8et4DYE5Tr%2BPnN957dbGY%2B%2Bz1%2BmZE4%2Bz6NnloxR28DkCPrYUKy3NvD5s2jLXJlLzFw6MMosg0RRnbBPwRP84TxgPGr6%2FHD%2FrEVZ%2BYLWSl1WVXaGJP7UwyfcxckwTQWEnoS2TbtdB6uHn9uuOGSczqgs%2FuUh3i6DmTaenQjyitGIfc4uIg9y8Phnch221a4YVFjpVflcqgM1sUajiWsYGk01KujKVRfJyHRjDtPDJ5bUShdLrReLNX7QtmysrrMK6Pqem3MeqFKq5TInn6lfeX84PypFSL7iJFuwKkN0TU303hPc%2FC7L5G9DnEC%2Frv8OkmxjjepRc%2BOn0X3r14nZBiAoZE%2FwbrmbfLZbZ%2FC6Prn%2F3zgcQzfHiICYys4zii6%2B4E5gieXsBv5kqBr5Msf1%2F0IAAD%2F%2Fw%3D%3D`
-	//test.SamlResponse = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" Destination=\"https://15661444.ngrok.io/saml2/acs\" ID=\"_e9b3332eeaf348da6786aed16300aca9\" InResponseTo=\"id-9e61753d64e928af5a7a341a97f420c9\" IssueInstant=\"2015-12-01T01:56:21.375Z\" Version=\"2.0\"><saml2:Issuer xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\"><xenc:EncryptedData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"_dab0b1dbbc0595ab06473034e3bb798c\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"/><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><xenc:EncryptedKey Id=\"_dd9264352cef16103cdb21fae97fa951\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE\nCAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX\nDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x\nEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308\nkWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv\nSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf\nnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv\nTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+\ncvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>i/wh2ubXbhTH5W3hwc5VEf4DH1xifeTuxoe64ULopGJ0M0XxBKgDEIfTg59JUMmDYB4L8UStTFfqJk9BRGcMeYWVfckn5gCwLptD9cz26irw+7Ud7MIorA7z68v8rEyzwagKjz8VKvX1afgec0wobVTNN3M1Bn+SOyMhAu+Z4tE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>a6PZohc8i16b2HG5irLqbzAt8zMI6OAjBprhcDb+w6zvjU2Pi9KgGRBAESLKmVfBR0Nf6C/cjozCGyelfVMtx9toIV1C3jtanoI45hq2EZZVprKMKGdCsAbXbhwYrd06QyGYvLjTn9iqako6+ifxtoFHJOkhMQShDMv8l3p5n36iFrJ4kUT3pSOIl4a479INcayp2B4u9MVJybvN7iqp/5dMEG5ZLRCmtczfo6NsUmu+bmT7O/Xs0XeDmqICrfI3TTLzKSOb8r0iZOaii5qjfTALDQ10hlqxV4fgd51FFGG7eHr+HHD+FT6Q9vhNjKd+4UVT2LZlaEiMw888vyBKtfl6gTsuJbln0fHRPmOGYeoJlAdfpukhxqTbgdzOke2NY5VLw72ieUWREAEdVXBolrzbSaafumQGuW7c8cjLCDPOlaYIvWsQzQOp5uL5mw4y4S7yNPtTAa5czcf+xgw4MGatcWeDFv0gMTlnBAGIT+QNLK/+idRSpnYwjPO407UNNa2HSX3QpZsutbxyskqvuMgp08DcI2+7+NrTXtQjR5knhCwRNkGTOqVxEBD6uExSjbLBbFmd4jgKn73SqHStk0wCkKatxbZMD8YosTu9mrU2wuWacZ1GFRMlk28oaeXl9qUDnqBwZ5EoxT/jDjWIMWw9b40InvZK6kKzn+v3BSGKqzq2Ecj9yxE7u5/51NC+tFyZiN2J9Lu9yehvW46xRrqFWqCyioFza5bw1yd3bzkuMMpd6UvsZPHKvWwap3+O6ngc8bMBBCLltJVOaTn/cBGsUvoARY6Rfftsx7BamrfGURd8vqq+AI6Z1OC8N3bcRCymIzw0nXdbUSqhKWwbw6P2szvAB6kCdu4+C3Bo01CEQyerCCbpfn/cZ+rPsBVlGdBOLl5eCW8oJOODruYgSRshrTnDffLQprxCddj7vSnFbVHirU8a0KwpCVCdAAL9nKppTHs0Mq2YaiMDo8mFvx+3kan/IBnJSOVL19vdLfHDbZqVh7UVFtiuWv3T15BoiefDdF/aR5joN0zRWf8l6IYcjBOskk/xgxOZhZzbJl8DcgTawD8giJ31SJ1NoOqgrSD4wBHGON4mInHkO0X5+vw1jVNPGF3BwHw0kxoCT3ZKdSsi8O4tlf1y227cf794AGnyQe13O032jYgOmM5qNkET6PyfkyD/h0ufgQq2vJvxSOiRv76Kdg0SeRuNPW9MyjO/5APHl7tBlDBEVq+LWDHl4g9h/bw+Fsi0WN4pLN1Yv9RANWpIsXWyvxTWIZHTuZEjNbHqFKpsefx/oY1b9cSzKR5fQ9vc32e17WykL0O7pwpzV6TrFN874GdmW5lG5zfqnRHUQh1aV2WwBJ74mB4tv/y5rmRjTe5h/rN90kN+eQGeR3eG7XUHLhK/yCV+xq8KKPxNZexcdHGA905rvYokbtmr/jIN5kAMBdlOU8akPAZdSMMh+g/RZo5MO50/gdg6MTpB4onU2FBd54FNDp2fuBUxBsnTqpZXkDcAPEfSBr+z2l8jTRmxMricWyeC55ILgxM4er68n0xYjwb2jyQum3IQq7TSYYU/qjNiH1fQBtdRmBkzXJYYk+9q7C6OZJUdR96ERnTIi93NaYmtpSEvZU9vS6MV1VBOnEf8UzUUT9ibMpP9XDSINX7dN24rKIufSY+3+70orQB07XOWp6++SWKgA+WThaoPhp8sWWMeSZuda/wq6jdVTAB8FOPiP3lNl0BqxagQEPmNxDWXwTplSFSR3SP0e4sHMSjLvysibV9Z87LZa1FG0cWU2hrhiyOLsIWMnd4vdTLaWjhXuGlrDShxSAiI39wsl5RB59E+DXVSTBQAoAkHCKGK69YiMKU9K8K/LeodApgw46oPL08EWvleKPCbdTyjKUADtxfAujR84GMEUz9Aml4Q497MfvABQOW6Hwg54Z3UbwLczDCOZyK1wIwZTyS9w3eTH/6EBeyzhtt4G2e/60jkywHOKn17wQgww2ZsDcukdsCMfo4FV0NzfhSER8BdL+hdLJS3R1F/Vf4aRBEuOuycv2AqB1ZqHhcjZh7yDv0RpBvn3+2rzfzmYIBlqL16d1aBnvL4C03I0J59AtXN9WlfJ8SlJhrduW/PF4pSCAQEyHGprP9hVhaXCOUuXCbjA2FI57NkxALQ2HpCVpXKGw0qO0rYxRYIRlKTl43VFcrSGJdVYOFUk0ZV3b+k+KoxLVSgBjIUWxio/tvVgUYDZsO3M3x0I+0r9xlWZSFFmhwdOFouD+Xy1NPTmgwlUXqZ4peyIE1oVntpcrTJuev2jNScXbU9PG8b589GM4Z09KS/fAyytTFKmUpBuTme969qu0eA7/kBSHAkKvbfj0hsrbkkF9y/rXi8xgcMXNgYayW8MHEhm506AyPIvJAreZL637/BENO1ABdWS1Enj/uGaLM1ED8UY94boh/lMhqa9jALgEOHHxspavexi3HIFwJ55s4ocQnjb4p6op4CRPUdPCfli5st9m3NtQoH9kT1FTRZa9sG8Ybhey5wP17YgPIg9ZZtvlvpSTwCwZxHZ348wXJWhbtId9DyOcIzsyK5HaJcRsp8SQVR5nbRW0pUyC/bFAtX1KOGJmtro/QfmnLG9ksuaZvxP6+bH1K+CibEFIRDllAUFFPiuT+2b3Yp3Tu1VvXokMAgmcB5iFDgTAglw5meJYJ99uIBmj0EVZm8snMhRrHjMPTAYD5kwPK/YDShPFFV3XEIFzLD3iYrzb7sub/Z4gTTELWzzS3bCpYPAh4KWeTih+p7Xj0Xf04nSONHZXsQnNenc+PNae+Zj5iCfJ/PpqhMn61n/YBP7gipYYEtOZYzDtvMz+mytYRUOaZTq3W4Wp64f+XVekn49CLarLm6qPyiz5kJwaT8lJ+VEZDPpS/ChLM4eq90GogJBvK0jxmQ1AGvnKpV2lw9XCudf3PXbaTb+r2QPcihKnmqcEgPgYlN8VLclicNW1WyjBJ+HvDTQPbs1r1/KnBK4O5HTT6ehuHpJsYlBN9vzjsD+ov6SRkBqiGPUg9CoKKmWS6dirxwOXi3OUFzkWFVDyDezfkJAzqkmG0nlEGb9mTHdVDfX010bPJ4ZQzQSyHp7Ht2mATyQwOEem2AMB/RpNwlOKXWIdsQ5p3dHF+kmsJHI8xjEv2GeUa/aXX3MF3fPfUA7La8J8fbnaDLbnEqMCLMfdfc9+kY7EKyqPiE5KFpF0EhQBrHl8SiPuFQCoxvlH2u+ujncW7Z5JiBmMKUWOXUHhIe4NckP1awRsEcfhEs664DqOp9CbLwTXk71hHVBtINylFcf7uBZwjxNW+hCfZEoVEjjs/V4J9QeXCxpTu5TcXxBxwN5zBdkCodNFPLUg+3UicaykaH0+wrGoTu/ugjF9rz7OezMMs3pep+bzLp+yZbFAL/z/yATY3UG+lpk6Rw4SkjbnAxBSedaEdqbotddkGzVQubHvHqCiKpkAw58rAa2v15hc+UmkrRFslS8SYxTIPXs2sTNhnCCrUn8nlKufeoAm65vgYtEQ4NzmG9tqKtTeBfZAvSToYaiQq+kPii1ssuu1OULAVuSx8x/CYO6orgX7h5wI0R/Ug1nux7cb2/+pFLbNyGvwKf1TLym2NvFMJpvFlTsOJJ4DxXM/v2JkC9umm93quXLsojx7KTEOFDQLsnMKsVo6ZzRQidEwK5gQPyZL1yjGirJcEuGMAEf6LA2AsKIIZhsMEPlLpzMiVo5Y0LoL6NFsXigceLaaJMEMuYNJJdh+uxyfW57+PoQ7V8KkzSHFsKan14GnpWeOV7r13uopwCPeIsEKUVG77ypd+ILQkbKxH2lQdsFyjpofqkbgEVM5XAnVbdhfwyebNHn5OJtadVkOMcJc/WMWJef1idcSfvP5ENkwp3pKg9Ljoi+hU2Chp1vTmksO2HJt0of4QnQ8jGlcqnOrAMiWUCd2W/8AmhRBjevt3UqxnqELVvg+HJPlyqFyuUlDxx25mXEdW0COpA3s9OlSgcMjvQbIJ42NUhGFZLoK1pvPLZo711w2Ex3Lm5qqcr/7I4+vTntd/Id5aJiP18LQpslTy614Wd4eD8+RfjEtmDAPXhgvfekVkS/rDnI/9H0k3AdHc78fJCJRPNwJrDTozzjxTvmVv9r4MtpoDELmnMxb3o7ZibUMxgptCTyDF+Q5m6T3GeD9G5ehgB3Tqsx3gcUGuDtP6KIqMGbj8YCFt8tjihDctYFAXj4AwPnIjMiI4T7skXwfrBLWCKfN1j5XrIn2paQgKln9hvaiRUpNpD3IXVyFl1WNrb21IcRinfkuCtrP2tTHqct6eSEh8sOzRkvZEArBQYD5paYyuNBcbVtsnl6PNE+DIcSIGvCVnzpMw1BeUExvQZoNdpHwhTQ3FSd1XN1nt0EWx6lve0Azl/zJBhj5hTdCd2RHdJWDtCZdOwWy/G+4dx3hEed0x6SoopOYdt5bq3lW+Ol0mbRzr1QJnuvt8FYjIfL8cIBqidkTpDjyh6V88yg1DNHDOBBqUz8IqOJ//vY0bmQMJp9gb+05UDW7u/Oe4gGIODQlswv534KF2DcaXW9OB7JQyl6f5+O8W6+zBYZ6DAL+J2vtf3CWKSZFomTwu65vrVaLRmTXIIBjQmZEUxWVeC4xN+4Cj5ORvO8GwzoePGDvqwKzrKoupSjqkL5eKqMpCLouOn8n/x5UWtHQS1NlKgMDFhRObzKMqQhS1S4mz84F3L492GFAlie0xRhywnF+FvAkm+ZIRO0UqM4IwvUXdlqTajjmUz2T0+eXKTKTR5UoNRgP51gdUMT5A4ggT5wU9WkRx7CR9KdWJwwcWzv2YrchoHIXBidQSk+f1ZSzqR7krKSOwFTVJUvEenU17qVaHoAf2he0dMgURJ8PM9JxnSr7p2pZeNPu/O5oPmLuOCmEPVRPSahJL7yj9PK5z3q57e5POIp/wXqFoniFdxRmtmpfZBxoKVlADkwRy34h8k6ZmgtqPTQfUUk/+yH2CAoQu+HyOtUnQof8vc1k4zs8nCTrCSjqvFPjU8mHtVHy1RY0qmK9t99ugXyAKaGON3PlseetIC8WCTt84nM5XGD3VQpbv139yhSPhp2Oiz0IiOsr+L9idVKSvfNSkdNq9aUC7963uAQNud8c4GuDmbENvZYvGNIMxxZhYA86n1RMNtGDZJs6/4hZTL18Kz1yCY9zbbSXTxWTmkaHJziHtgrEPoYpUeb85J229PDEX08yHOkj2HXVdnKKmEaHw3VkB4eM3PhGGdrw2CSUejSaqPQFLdhabcB2zdB4lj/AUnZvNaJc23nHHIauHnhhVrxh/KQ1H4YaYKT9ji/69BIfrTgvoGaPZC10pQKinBHEPMXoFrCd1RX1vutnXXcyT2KTBP4GG+Or0j6Sqxtp5WhxR0aJqIKM6LqMHtTooI0QhWbmSqDEBX/wRS70csVeJSrZ4dqRKit+hz8OalHA7At9e+7gSWTfHAwjl5JhtrltyAab/FII4yKQeZWG8j1fSFGHN+EbOrum2uWuVhxkUPy4coMu+yKY4GxlXfvP+yEVK5GrMECRmFBlySetJK3JOoQXiuLirlHUq+0u88QFMdAJ9+fIdU4+FxneqgW7qM7CHRE8jV4pPSWGFbGzxVZ9CWRWaYIw26VsC1qQJe1WmU7Mrp26IxmWHGwHvZ50uB0mjAHFCiln5QAvqTm2/fsY+Puk+Irt3LQbMwGVWPnb4eona2dSha+eMLOiAQkBvbaitsRqqrAVnndP7gHmO+nYZEKNx/740zTRrFBpOelrGdOa0/eV2mPhUQfozGooxoRADmT8fAcDXo0SsXCHzg9tBnmVMvInQ7+8nXfhcF/fEBjvW3gIWOmp2EWutHQ/sl73MieJWnP/n3DMk2HHcatoIZOMUzo4S4uztODHoSiOJDA1hVj7qADvKB37/OX0opnbii9o6W8naFkWG5Ie7+EWQZdo+xeVYpwGOzcNwDRrxbZpV3fTvWyWKToovncZq+TQj7c4Yhz6XDF0ffljN5hTm4ONwYViFNB4gTJlFxFX00wcWfwWah4uJs2Oa8dHPVT+7viagZiPrSDk/gythdY8glGm+F0DWlzQpWbgSI3ZbdiUQ+ox4GtLUtYgGIQFUvRYbuHqH6CXQ3SM6vkbhV/nAn6UDEWKXdJsO0u5q6UpXci7MlWDNLxoQ9dfGjSc28mX+q+4hkyho4u1XSMy9B6IdH304J7fuAQ88tTorT67AiqvqR6qnZ0icV+MMLh95moxFbrvch6sGAmMEixqeujmiZzBqBmNbzZVORiv9qcbe3CQ6X2i+9D8hMpaWj5jI0u+0wk3bRFK4uDn8T1mnD6l4TrJayf3cZI+duhKcabNj71i5w76S8RZSC6RX4ks0x+XIDc5v3223NmGvceYklbuOJtJa0/MBTOcSDKCM2kUXqPV2BlA9Za8WEO2UrdcyP+AXgM20af3thjlZvA494zdZ0mqjrsKp+VS2MVrBBtj+puSuSHJYf6bnA5/yjqQtbGvAp8hfXQURC53J5oD8rb9F7vQRqdfqpe6xd7DVd+wWZS86mWjyZYKXw312t8nM/gxo0pdvZ8F0x9y3xb9UBM2pZtdYvk3hPz6swhuE1N5j2u7nwtXuEDNcGCSfr+IempeFHFRqO8n8ikASEdKcq2XHGJwfc3lVXOQ5K4JlewcC7yQL1uNtL6iNKCtJmjJiH2PMmXrtpmCeTspFNZlwmiICyPWV9B5ce9H/qP1xjndBzFz0rn75SGDnWUhNZI/aYKNVyzkOleS5VSNxBx1hoiFuG8r+6ctYwF7XL94b95tXQ/+0V5dt0H1xVaOZ7QluoDtMSzuUjV4yUoQESa3zCfZwnW+b5SKndX5nx0GYrVxydMkUdfimZpX/fezcMiaAGwG/jgWF0zS+EL4T7gR8I5R3qUNTifKFJKJL1+AL8CgL+SRB1lgHDp2wQ7cqgqcmskAsT60qisL/UZGgmnlgZ8FkNhv0vAMkzIsz7o6cuLo15hZnrsZveIo+mZKY2cMJjJb4ZlJLcE+YcnpiM84OYjypa9lA7kv4XJaDX9oirhsl9IO/ImbFgYpR73y+xSolXYdDKfZjf/8NR7vE8fu+LYXGoZHO/hxousED6y3sCo/ItECYHWYIui+V5SmAoEvVV8FY8fFMYIc+Llc2CoX5HQISfUAtLu+fGNNV0muidXnBdtnJo25UEqxwvoENdI1lGPhlrXY6/h4kIT5djmsxxSG/EgG/4fPnrThgF9/fbG8n/3LweXvQOGjX0F1Ngt5wuMIWRQk5vtLdvv2M+BNwthHZ7xzIU7zqSVvngVPwgcsTr2d5pTVOxauT1K6ffiBF04jVZEcna+NXhJM5EcRHNuT/iOb0ncn1yuKU8JJnztEzMDjO1qCmaBTyWBR7nQS6K+nfstd/AnBWyGeC5Yi3wlvZAVMpc0m7I7McXb+rXiHM0mHoq0Z/2HOki5LP2cBuIkk84tJ3SRZwWnocrz4aTEIOmwftqMATy5Ur0KRxoUSFNMJYyc1iOfjk3H2JjgecWlQdYHcIEjxGDGeo4S9EKTRokMGNUN2nTj3SO2nHoWbx9WhGe6uB3OgDENGL9aNoPnYKXs4WcobctMxQjjBWa/zpCFwP8nr78xIFfy/64ZtsFBrxSrEHxeXiPa2Kpv456aQ9kDQjJt9XrWKe+JBawtpPUYHmWkUb3Gznp3tC2LbowvJlEe/17srb5yi+sUHEF1z/8Uk4eVYcUUXzyq3YEuqumIBIYqO8J3K5Us7tEXyzhHH8TMLNSQxmDi/w5oYccIwNFMM1+xRTsyjHHtB/rHYJjPW/50Xxb0CZF84NqotCcgIMrR4nUiPnAPd8ZvHeB/235gS1NtzBWtfcDmP8khibSQpY3JW+fdY/9W6iGlPyPIwOgH06fJayaT44sPFIm+QGIkPKSAJOFDeJNG8oc6SAqrYSfCffYfOAx3IsjSdnxQy9JAcS0HxjWnEO3rgSh7bNEecO3f4hb3TRNlczdzhfrwgxUZ0rURI3LfMCpGntF+8NrhtB7RT8sEOaa4NM13T7LWjykRQJFYKNZY0siPBP2WJxjBqL0KynlTPhAcfFyiLZbAhe7YC0XmYo8iJQqdzJQwBK9iOoDkg1XuGy7+Kfe0scamvHN2Z85umcPSiPEQRP3zAWcP5kRNDath7DKrBfQtvOJvEHiihE+qiASrCZep+m7jTD261U9vQGAnR4xBY08ChSh8XItWHvDHARN+GP08h9u6nlJ3rpOoVn9y22NNgx7bOe6QIYe9f6iYbbAzLR1/7AP1A4CQwFi39eZI9BZteze5eas+6JR2s1LqH9tncOmWAhXjE8p3hOtplh/tMbrx+pySNX4BKfZva54zccIa+e59NUifTRsq27AwAtcxg2Bk1Tu7B+LT9Yw2K8tRH6XTcGlvqDM4sYjNBqzh3yAga5iro706tg/Qaa50eln8rjISularEHlfaggogjvd+wNLg44Rj8pMr25+xxS0e9KoEGon5SutuhJ/HBGnEj3+4qNxHu27nkAmZIADiF+Jh53osDuA1fsUnRXf2lJABa30KDkG8E/eci+TkESrdfsPMo6yhWoyjtjYdJbGkjtsQCMW5DOSNYDH0FqDiiVU0nBLJ4+A4ep6aWTrv6w/ozuO4educ7x9IBpGmEY30rsXWwiGJbLGyIo+6qz6J5JBKdjNBsDO7RRweDNMp8ospaGNQSa4NKAHTG8BsGqJSP8oebpVqYpgPS1TiBWnYZKQSRJ5NFs+ULpdICekxevVXAH8uh+De9GT7KsJJzg0CFjALDbC0YrbmCigspJAh2455I6/xyWbPXCYMXwBzbioMgWcNhQBJJ6oIoQ7shwf2TP0Z+X/3NoMpWHmGpoV/JZind8lb9lcxoI44uf37+xc03O1R1bNucf0F5ljrgj2sZlGz/591EJen5GZhrT6qSTIcMu+xIyxyA/zzhy0jjkVfkDKfQ8mE9AmVtbbzHAQNy2PhDIeu7ngoFN635tSOJLR2c6pC/m6n50slFbo0oeHbbiGHyxDk7q3zXHWoHzeF1k4iVdHumYg/nwZOuRzms6rvkmwkJv59Z1p05jxA+Y0yHvDeq1WR8PfS/esm3RHfP3fM+zTlj9ZBJfzvn4OL+IIHRQ5l8pGKAeRL58OjeaU5QU98lAKHydOPDGBalsEHyIKD6iy3RZ65qIm956zQd98htZ1Vgkd7LVC7LSnLb9jRbqS1vHN7lR6bQMmXtQBYSA/+ZW2RQqSo7sToVh+Pxl3EVmsgyO8dXPL4biz7XM8eVz7CqHkrQUinnr79HJWC6Uk19cBurOD6PeOqNYy08Og/A0hbHOgN3dKmVRAPf7itK6x0eb5F70T2zVqG12GHVZieXwIcp/vahuFvriHLJtuM04laiRWNXSiL2MPHQ8e9rr8NIlWDm9uev55FI9zZxwFUPBSewawPe5vkqRLfwZCYd5mZoxtBhNBWvY3ZOVD/21dIUlQanG1n6RygbmAwCHnIB4c7EH2CBYEMDToRQuAuIssviIfdaJglwDgHbLWKNUVDOdqeclBNZjfQfVXbVukPk8DfWLqj9pD4xAOzDeVQcdmg2aLvNKgpZsWs4d+6GlKrpS7qEGvoBkIFh/cVY7DMYrt/JXYuF6DpwB+HbfnuDFc2p47SPNhnmt/ez6/DACBPQ+tgpyWYXUsiviGSp72JNTzd8uFJJZNeKUJZw1c0UTjxdwigh5tL/hWhPl48DY937zymSr1xVqC3RV6wSIpuplH+hss/rsRPAp1/TfxvhJuFsoPbW0586y9YzqEHT4FUu6WSRy0gMJLP2sLqiiZXZ6kPicXsW7M55mV3ugbGQjB7YS7EVqsQzvJTiQbOlcPqwoKK7DTqaeCOXd8kH1tNoe7hjx/UNNdLQQ7IhrJIzxqTTgwcXYMCxhoezDsIHReTIymsHPkCurfteTQcbfwoKN5E9zC2hINOPmhAxLvONzaLXQGMqofuTbFshkB4eUj8U4vBCNp+60iCLnibt4rPuyoWKEHWBYa6FfIykxVKuXkfcb64dCdGCWjv7x1XqkbpHxQB80qhipoSo244pyhIsN91ASu1Q7L75LxGXibY3jb0Y4KZ5zIWsH4kVlvPhangohDO1J9gmL9inGr9hy5BHTQiMcktGoUgOIbFJ72381vYpPxn3ngBbp48mVZd0w6xV8RBaqR3l7CxI9vvMAPYPoXBB18ERoZypza8mAlzv2QxIkNGuRzFENh1SXegBfN7eiazZnwnhbyeMghJpnXzfvHACyjkdH3shRYcJ+oMiOSpInGxm/hxFQxHJZA0Ft/lza</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>"
-
-	test.SPKey = mustParsePrivateKey(`-----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi
-3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E
-PsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB
-AoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ
-CT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS
-JEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU
-N3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/
-fbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU
-4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM
-Rq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA
-yfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr
-vBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6
-hU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==
------END RSA PRIVATE KEY-----
-`).(*rsa.PrivateKey)
-	test.SPCertificate = mustParseCertificate(`-----BEGIN CERTIFICATE-----
-MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV
-UzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0
-MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx
-CzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
-nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9
-ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH
-O8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv
-Rsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk
-akpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT
-QLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn
-OwJlNCASPZRH/JmF8tX0hoHuAQ==
------END CERTIFICATE-----
-`)
+	xmlenc.RandReader = rand.New(rand.NewSource(0)) //nolint:gosec  // deterministic random numbers for tests
+
+	test.SPKey = mustParsePrivateKey(golden.Get(t, "sp_key.pem")).(*rsa.PrivateKey)
+	test.SPCertificate = mustParseCertificate(golden.Get(t, "sp_cert.pem"))
 	test.SP = ServiceProvider{
 		Key:         test.SPKey,
 		Certificate: test.SPCertificate,
@@ -120,8 +95,8 @@ OwJlNCASPZRH/JmF8tX0hoHuAQ==
 		IDPMetadata: &EntityDescriptor{},
 	}
 
-	test.Key = mustParsePrivateKey("-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi\n3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E\nPsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB\nAoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ\nCT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS\nJEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU\nN3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/\nfbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU\n4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM\nRq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA\nyfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr\nvBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6\nhU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==\n-----END RSA PRIVATE KEY-----\n")
-	test.Certificate = mustParseCertificate("-----BEGIN CERTIFICATE-----\nMIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV\nUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0\nMB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx\nCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB\nnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9\nibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH\nO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv\nRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk\nakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT\nQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn\nOwJlNCASPZRH/JmF8tX0hoHuAQ==\n-----END CERTIFICATE-----\n")
+	test.Key = mustParsePrivateKey(golden.Get(t, "idp_key.pem"))
+	test.Certificate = mustParseCertificate(golden.Get(t, "idp_cert.pem"))
 
 	test.IDP = IdentityProvider{
 		Key:         test.Key,
@@ -146,6 +121,7 @@ OwJlNCASPZRH/JmF8tX0hoHuAQ==
 
 	// bind the service provider and the IDP
 	test.SP.IDPMetadata = test.IDP.Metadata()
+	return &test
 }
 
 type mockSessionProvider struct {
@@ -164,15 +140,16 @@ func (mspp *mockServiceProviderProvider) GetServiceProvider(r *http.Request, ser
 	return mspp.GetServiceProviderFunc(r, serviceProviderID)
 }
 
-func (test *IdentityProviderTest) TestCanProduceMetadata(c *C) {
-	c.Skip("broken")
-	validUntil := TimeNow().Add(DefaultValidDuration)
-	c.Assert(test.IDP.Metadata(), DeepEquals, &EntityDescriptor{
+func TestIDPCanProduceMetadata(t *testing.T) {
+	// TODO: LightStep had: c.Skip("broken")
+	test := NewIdentifyProviderTest(t)
+	validUntil := time.Date(2015, time.December, 3, 1, 57, 9, 000000000, time.UTC)
+	expected := &EntityDescriptor{
 		ValidUntil:    &validUntil,
 		CacheDuration: DefaultValidDuration,
 		EntityID:      "https://idp.example.com/saml/metadata",
 		IDPSSODescriptors: []IDPSSODescriptor{
-			IDPSSODescriptor{
+			{
 				SSODescriptor: SSODescriptor{
 					RoleDescriptor: RoleDescriptor{
 						ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
@@ -203,43 +180,74 @@ func (test *IdentityProviderTest) TestCanProduceMetadata(c *C) {
 					NameIDFormats: []NameIDFormat{NameIDFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:transient")},
 				},
 				SingleSignOnServices: []Endpoint{
-					Endpoint{
+					{
 						Binding:  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 						Location: "https://idp.example.com/saml/sso",
 					},
-					Endpoint{
+					{
 						Binding:  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 						Location: "https://idp.example.com/saml/sso",
 					},
 				},
 			},
 		},
-	})
+	}
+	assert.Check(t, is.DeepEqual(expected, test.IDP.Metadata()))
 }
 
-func (test *IdentityProviderTest) TestHTTPCanHandleMetadataRequest(c *C) {
+func TestIDPHTTPCanHandleMetadataRequest(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/saml/metadata", nil)
 	test.IDP.Handler().ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(w.Header().Get("Content-type"), Equals, "application/samlmetadata+xml")
-	c.Assert(strings.HasPrefix(string(w.Body.Bytes()), "<EntityDescriptor"), Equals, true)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("application/samlmetadata+xml", w.Header().Get("Content-type")))
+	assert.Check(t, strings.HasPrefix(w.Body.String(), "<EntityDescriptor"),
+		w.Body.String())
 }
 
-func (test *IdentityProviderTest) TestHTTPCanHandleSSORequest(c *C) {
+func TestIDPHTTPCanHandleSSORequest(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	w := httptest.NewRecorder()
-	r, _ := http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=lJJBayoxFIX%2FypC9JhnU5wszAz7lgWCLaNtFd5fMbQ1MkmnunVb%2FfUfbUqEgdhs%2BTr5zkmLW8S5s8KVD4mzvm0Cl6FIwEciRCeCRDFuznd2sTD5Upk2Ro42NyGZEmNjFMI%2BBOo9pi%2BnVWbzfrEqxY27JSEntEPfg2waHNnpJ4JtcgiWRLfoLXYBjwDfu6p%2B8JIoiWy5K4eqBUipXIzVRUwXKKtRK53qkJ3qqQVuNPUjU4TIQQ%2BBS5EqPBzofKH2ntBn%2FMervo8jWnyX%2BuVC78FwKkT1gopNKX1JUxSklXTMIfM0gsv8xeeDL%2BPGk7%2FF0Qg0GdnwQ1cW5PDLUwFDID6uquO1Dlot1bJw9%2FPLRmia%2BzRMCYyk4dSiq6205QSDXOxfy3KAq5Pkvqt4DAAD%2F%2Fw%3D%3D", nil)
+
+	const validRequest = `lJJBayoxFIX%2FypC9JhnU5wszAz7lgWCLaNtFd5fMbQ1MkmnunVb%2FfUfbUqEgdhs%2BTr5zkmLW8S5s8KVD4mzvm0Cl6FIwEciRCeCRDFuznd2sTD5Upk2Ro42NyGZEmNjFMI%2BBOo9pi%2BnVWbzfrEqxY27JSEntEPfg2waHNnpJ4JtcgiWRLfoLXYBjwDfu6p%2B8JIoiWy5K4eqBUipXIzVRUwXKKtRK53qkJ3qqQVuNPUjU4TIQQ%2BBS5EqPBzofKH2ntBn%2FMervo8jWnyX%2BuVC78FwKkT1gopNKX1JUxSklXTMIfM0gsv8xeeDL%2BPGk7%2FF0Qg0GdnwQ1cW5PDLUwFDID6uquO1Dlot1bJw9%2FPLRmia%2BzRMCYyk4dSiq6205QSDXOxfy3KAq5Pkvqt4DAAD%2F%2Fw%3D%3D`
+
+	r, _ := http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&"+
+		"SAMLRequest="+validRequest, nil)
 	test.IDP.Handler().ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
 
 	// rejects requests that are invalid
 	w = httptest.NewRecorder()
-	r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=PEF1dGhuUmVxdWVzdA%3D%3D", nil)
+	r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&"+
+		"SAMLRequest=PEF1dGhuUmVxdWVzdA%3D%3D", nil)
 	test.IDP.Handler().ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusBadRequest)
+	assert.Check(t, is.Equal(http.StatusBadRequest, w.Code))
+
+	// rejects requests that contain malformed XML
+	{
+		a, _ := url.QueryUnescape(validRequest)
+		b, _ := base64.StdEncoding.DecodeString(a)
+		c, _ := io.ReadAll(flate.NewReader(bytes.NewReader(b)))
+		d := bytes.Replace(c, []byte("<AuthnRequest"), []byte("<AuthnRequest ::foo=\"bar\""), 1)
+		f := bytes.Buffer{}
+		e, _ := flate.NewWriter(&f, flate.DefaultCompression)
+		e.Write(d)
+		e.Close()
+		g := base64.StdEncoding.EncodeToString(f.Bytes())
+		invalidRequest := url.QueryEscape(g)
+
+		w = httptest.NewRecorder()
+		r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&"+
+			"SAMLRequest="+invalidRequest, nil)
+		test.IDP.Handler().ServeHTTP(w, r)
+		assert.Check(t, is.Equal(http.StatusBadRequest, w.Code))
+	}
+
 }
 
-func (test *IdentityProviderTest) TestCanHandleRequestWithNewSession(c *C) {
+func TestIDPCanHandleRequestWithNewSession(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	test.IDP.SessionProvider = &mockSessionProvider{
 		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
 			fmt.Fprintf(w, "RelayState: %s\nSAMLRequest: %s",
@@ -251,22 +259,21 @@ func (test *IdentityProviderTest) TestCanHandleRequestWithNewSession(c *C) {
 	w := httptest.NewRecorder()
 
 	requestURL, err := test.SP.MakeRedirectAuthenticationRequest("ThisIsTheRelayState")
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	decodedRequest, err := testsaml.ParseRedirectRequest(requestURL)
-	c.Assert(err, IsNil)
-	c.Assert(string(decodedRequest), Equals, "<samlp:AuthnRequest xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" Version=\"2.0\" IssueInstant=\"2015-12-01T01:57:09Z\" Destination=\"https://idp.example.com/saml/sso\" AssertionConsumerServiceURL=\"https://sp.example.com/saml2/acs\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://sp.example.com/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/></samlp:AuthnRequest>")
-	c.Assert(requestURL.Query().Get("RelayState"), Equals, "ThisIsTheRelayState")
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedRequest), "idp_authn_request.xml")
+	assert.Check(t, is.Equal("ThisIsTheRelayState", requestURL.Query().Get("RelayState")))
 
 	r, _ := http.NewRequest("GET", requestURL.String(), nil)
 	test.IDP.ServeSSO(w, r)
-	c.Assert(w.Code, Equals, 200)
-	c.Assert(string(w.Body.Bytes()), Equals, ""+
-		"RelayState: ThisIsTheRelayState\n"+
-		"SAMLRequest: <samlp:AuthnRequest xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" Version=\"2.0\" IssueInstant=\"2015-12-01T01:57:09Z\" Destination=\"https://idp.example.com/saml/sso\" AssertionConsumerServiceURL=\"https://sp.example.com/saml2/acs\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://sp.example.com/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/></samlp:AuthnRequest>")
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"_http_response_body")
 }
 
-func (test *IdentityProviderTest) TestCanHandleRequestWithExistingSession(c *C) {
+func TestIDPCanHandleRequestWithExistingSession(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	test.IDP.SessionProvider = &mockSessionProvider{
 		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
 			return &Session{
@@ -278,20 +285,20 @@ func (test *IdentityProviderTest) TestCanHandleRequestWithExistingSession(c *C)
 
 	w := httptest.NewRecorder()
 	requestURL, err := test.SP.MakeRedirectAuthenticationRequest("ThisIsTheRelayState")
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	decodedRequest, err := testsaml.ParseRedirectRequest(requestURL)
-	c.Assert(err, IsNil)
-	c.Assert(string(decodedRequest), Equals, "<samlp:AuthnRequest xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" Version=\"2.0\" IssueInstant=\"2015-12-01T01:57:09Z\" Destination=\"https://idp.example.com/saml/sso\" AssertionConsumerServiceURL=\"https://sp.example.com/saml2/acs\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://sp.example.com/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/></samlp:AuthnRequest>")
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedRequest), t.Name()+"_decodedRequest")
 
 	r, _ := http.NewRequest("GET", requestURL.String(), nil)
 	test.IDP.ServeSSO(w, r)
-	c.Assert(w.Code, Equals, 200)
-	c.Assert(string(w.Body.Bytes()), Matches,
-		"^<html><form method=\"post\" action=\"https://sp\\.example\\.com/saml2/acs\" id=\"SAMLResponseForm\"><input type=\"hidden\" name=\"SAMLResponse\" value=\".*\" /><input type=\"hidden\" name=\"RelayState\" value=\"ThisIsTheRelayState\" /><input id=\"SAMLSubmitButton\" type=\"submit\" value=\"Continue\" /></form><script>document\\.getElementById\\('SAMLSubmitButton'\\)\\.style\\.visibility='hidden';</script><script>document\\.getElementById\\('SAMLResponseForm'\\)\\.submit\\(\\);</script></html>$")
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"_http_response_body")
 }
 
-func (test *IdentityProviderTest) TestCanHandlePostRequestWithExistingSession(c *C) {
+func TestIDPCanHandlePostRequestWithExistingSession(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	test.IDP.SessionProvider = &mockSessionProvider{
 		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
 			return &Session{
@@ -303,10 +310,10 @@ func (test *IdentityProviderTest) TestCanHandlePostRequestWithExistingSession(c
 
 	w := httptest.NewRecorder()
 
-	authRequest, err := test.SP.MakeAuthenticationRequest(test.SP.GetSSOBindingLocation(HTTPRedirectBinding))
-	c.Assert(err, IsNil)
+	authRequest, err := test.SP.MakeAuthenticationRequest(test.SP.GetSSOBindingLocation(HTTPRedirectBinding), HTTPRedirectBinding)
+	assert.Check(t, err)
 	authRequestBuf, err := xml.Marshal(authRequest)
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	q := url.Values{}
 	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(authRequestBuf))
 	q.Set("RelayState", "ThisIsTheRelayState")
@@ -315,12 +322,12 @@ func (test *IdentityProviderTest) TestCanHandlePostRequestWithExistingSession(c
 	r.Header.Set("Content-type", "application/x-www-form-urlencoded")
 
 	test.IDP.ServeSSO(w, r)
-	c.Assert(w.Code, Equals, 200)
-	c.Assert(string(w.Body.Bytes()), Matches,
-		"^<html><form method=\"post\" action=\"https://sp\\.example\\.com/saml2/acs\" id=\"SAMLResponseForm\"><input type=\"hidden\" name=\"SAMLResponse\" value=\".*\" /><input type=\"hidden\" name=\"RelayState\" value=\"ThisIsTheRelayState\" /><input id=\"SAMLSubmitButton\" type=\"submit\" value=\"Continue\" /></form><script>document\\.getElementById\\('SAMLSubmitButton'\\)\\.style\\.visibility='hidden';</script><script>document\\.getElementById\\('SAMLResponseForm'\\)\\.submit\\(\\);</script></html>$")
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"_http_response_body")
 }
 
-func (test *IdentityProviderTest) TestRejectsInvalidRequest(c *C) {
+func TestIDPRejectsInvalidRequest(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	test.IDP.SessionProvider = &mockSessionProvider{
 		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
 			panic("not reached")
@@ -330,41 +337,44 @@ func (test *IdentityProviderTest) TestRejectsInvalidRequest(c *C) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=XXX", nil)
 	test.IDP.ServeSSO(w, r)
-	c.Assert(w.Code, Equals, http.StatusBadRequest)
+	assert.Check(t, is.Equal(http.StatusBadRequest, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("POST", "https://idp.example.com/saml/sso",
 		strings.NewReader("RelayState=ThisIsTheRelayState&SAMLRequest=XXX"))
 	r.Header.Set("Content-type", "application/x-www-form-urlencoded")
 	test.IDP.ServeSSO(w, r)
-	c.Assert(w.Code, Equals, http.StatusBadRequest)
+	assert.Check(t, is.Equal(http.StatusBadRequest, w.Code))
 }
 
-func (test *IdentityProviderTest) TestCanParse(c *C) {
+func TestIDPCanParse(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	r, _ := http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=lJJBayoxFIX%2FypC9JhnU5wszAz7lgWCLaNtFd5fMbQ1MkmnunVb%2FfUfbUqEgdhs%2BTr5zkmLW8S5s8KVD4mzvm0Cl6FIwEciRCeCRDFuznd2sTD5Upk2Ro42NyGZEmNjFMI%2BBOo9pi%2BnVWbzfrEqxY27JSEntEPfg2waHNnpJ4JtcgiWRLfoLXYBjwDfu6p%2B8JIoiWy5K4eqBUipXIzVRUwXKKtRK53qkJ3qqQVuNPUjU4TIQQ%2BBS5EqPBzofKH2ntBn%2FMervo8jWnyX%2BuVC78FwKkT1gopNKX1JUxSklXTMIfM0gsv8xeeDL%2BPGk7%2FF0Qg0GdnwQ1cW5PDLUwFDID6uquO1Dlot1bJw9%2FPLRmia%2BzRMCYyk4dSiq6205QSDXOxfy3KAq5Pkvqt4DAAD%2F%2Fw%3D%3D", nil)
 	req, err := NewIdpAuthnRequest(&test.IDP, r)
-	c.Assert(err, IsNil)
-	c.Assert(req.Validate(), IsNil)
+	assert.Check(t, err)
+	assert.Check(t, req.Validate())
 
 	r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState", nil)
 	_, err = NewIdpAuthnRequest(&test.IDP, r)
-	c.Assert(err, ErrorMatches, "cannot decompress request: unexpected EOF")
+	assert.Check(t, is.Error(err, "cannot decompress request: unexpected EOF"))
 
 	r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=NotValidBase64", nil)
 	_, err = NewIdpAuthnRequest(&test.IDP, r)
-	c.Assert(err, ErrorMatches, "cannot decode request: illegal base64 data at input byte 12")
+	assert.Check(t, is.Error(err, "cannot decode request: illegal base64 data at input byte 12"))
 
 	r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=bm90IGZsYXRlIGVuY29kZWQ%3D", nil)
 	_, err = NewIdpAuthnRequest(&test.IDP, r)
-	c.Assert(err, ErrorMatches, "cannot decompress request: flate: corrupt input before offset 1")
+	assert.Check(t, is.Error(err, "cannot decompress request: flate: corrupt input before offset 1"))
 
 	r, _ = http.NewRequest("FROBNICATE", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=lJJBayoxFIX%2FypC9JhnU5wszAz7lgWCLaNtFd5fMbQ1MkmnunVb%2FfUfbUqEgdhs%2BTr5zkmLW8S5s8KVD4mzvm0Cl6FIwEciRCeCRDFuznd2sTD5Upk2Ro42NyGZEmNjFMI%2BBOo9pi%2BnVWbzfrEqxY27JSEntEPfg2waHNnpJ4JtcgiWRLfoLXYBjwDfu6p%2B8JIoiWy5K4eqBUipXIzVRUwXKKtRK53qkJ3qqQVuNPUjU4TIQQ%2BBS5EqPBzofKH2ntBn%2FMervo8jWnyX%2BuVC78FwKkT1gopNKX1JUxSklXTMIfM0gsv8xeeDL%2BPGk7%2FF0Qg0GdnwQ1cW5PDLUwFDID6uquO1Dlot1bJw9%2FPLRmia%2BzRMCYyk4dSiq6205QSDXOxfy3KAq5Pkvqt4DAAD%2F%2Fw%3D%3D", nil)
 	_, err = NewIdpAuthnRequest(&test.IDP, r)
-	c.Assert(err, ErrorMatches, "method not allowed")
+	assert.Check(t, is.Error(err, "method not allowed"))
 }
 
-func (test *IdentityProviderTest) TestCanValidate(c *C) {
+func TestIDPCanValidate(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	req := IdpAuthnRequest{
+		Now: TimeNow(),
 		IDP: &test.IDP,
 		RequestBuffer: []byte("" +
 			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
@@ -379,18 +389,22 @@ func (test *IdentityProviderTest) TestCanValidate(c *C) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	c.Assert(req.Validate(), IsNil)
-	c.Assert(req.Request, Not(IsNil))
-	c.Assert(req.ServiceProviderMetadata, Not(IsNil))
-	c.Assert(req.ACSEndpoint, DeepEquals, &IndexedEndpoint{Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", Location: "https://sp.example.com/saml2/acs", Index: 1})
+	assert.Check(t, req.Validate())
+	assert.Check(t, req.ServiceProviderMetadata != nil)
+	assert.Check(t, is.DeepEqual(&IndexedEndpoint{
+		Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", Location: "https://sp.example.com/saml2/acs",
+		Index: 1,
+	}, req.ACSEndpoint))
 
 	req = IdpAuthnRequest{
+		Now:           TimeNow(),
 		IDP:           &test.IDP,
 		RequestBuffer: []byte("<AuthnRequest"),
 	}
-	c.Assert(req.Validate(), ErrorMatches, "XML syntax error on line 1: unexpected EOF")
+	assert.Check(t, is.Error(req.Validate(), "XML syntax error on line 1: unexpected EOF"))
 
 	req = IdpAuthnRequest{
+		Now: TimeNow(),
 		IDP: &test.IDP,
 		RequestBuffer: []byte("" +
 			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
@@ -405,9 +419,10 @@ func (test *IdentityProviderTest) TestCanValidate(c *C) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	c.Assert(req.Validate(), ErrorMatches, "expected destination to be \"https://idp.example.com/saml/sso\", not \"https://idp.wrongDestination.com/saml/sso\"")
+	assert.Check(t, is.Error(req.Validate(), "expected destination to be \"https://idp.example.com/saml/sso\", not \"https://idp.wrongDestination.com/saml/sso\""))
 
 	req = IdpAuthnRequest{
+		Now: TimeNow(),
 		IDP: &test.IDP,
 		RequestBuffer: []byte("" +
 			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
@@ -422,9 +437,10 @@ func (test *IdentityProviderTest) TestCanValidate(c *C) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	c.Assert(req.Validate(), ErrorMatches, "request expired at 2014\\-12\\-01 01:58:39 \\+0000 UTC")
+	assert.Check(t, is.Error(req.Validate(), "request expired at 2014-12-01 01:58:39 +0000 UTC"))
 
 	req = IdpAuthnRequest{
+		Now: TimeNow(),
 		IDP: &test.IDP,
 		RequestBuffer: []byte("" +
 			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
@@ -439,9 +455,10 @@ func (test *IdentityProviderTest) TestCanValidate(c *C) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	c.Assert(req.Validate(), ErrorMatches, "expected SAML request version 2.0 got 4.2")
+	assert.Check(t, is.Error(req.Validate(), "expected SAML request version 2.0 got 4.2"))
 
 	req = IdpAuthnRequest{
+		Now: TimeNow(),
 		IDP: &test.IDP,
 		RequestBuffer: []byte("" +
 			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
@@ -456,9 +473,10 @@ func (test *IdentityProviderTest) TestCanValidate(c *C) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	c.Assert(req.Validate(), ErrorMatches, "cannot handle request from unknown service provider https://unknownSP.example.com/saml2/metadata")
+	assert.Check(t, is.Error(req.Validate(), "cannot handle request from unknown service provider https://unknownSP.example.com/saml2/metadata"))
 
 	req = IdpAuthnRequest{
+		Now: TimeNow(),
 		IDP: &test.IDP,
 		RequestBuffer: []byte("" +
 			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
@@ -473,12 +491,14 @@ func (test *IdentityProviderTest) TestCanValidate(c *C) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	c.Assert(req.Validate(), ErrorMatches, "cannot find assertion consumer service: file does not exist")
+	assert.Check(t, is.Error(req.Validate(), "cannot find assertion consumer service: file does not exist"))
 
 }
 
-func (test *IdentityProviderTest) TestMakeAssertion(c *C) {
+func TestIDPMakeAssertion(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	req := IdpAuthnRequest{
+		Now: TimeNow(),
 		IDP: &test.IDP,
 		RequestBuffer: []byte("" +
 			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
@@ -494,16 +514,15 @@ func (test *IdentityProviderTest) TestMakeAssertion(c *C) {
 			"</AuthnRequest>"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
-
-	c.Assert(req.Validate(), IsNil)
+	assert.Check(t, req.Validate())
 
 	err := DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
-	c.Assert(req.Assertion, DeepEquals, &Assertion{
+	expected := &Assertion{
 		ID:           "id-00020406080a0c0e10121416181a1c1e20222426",
 		IssueInstant: TimeNow(),
 		Version:      "2.0",
@@ -515,7 +534,7 @@ func (test *IdentityProviderTest) TestMakeAssertion(c *C) {
 		Subject: &Subject{
 			NameID: &NameID{Format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", NameQualifier: "https://idp.example.com/saml/metadata", SPNameQualifier: "https://sp.example.com/saml2/metadata", Value: ""},
 			SubjectConfirmations: []SubjectConfirmation{
-				SubjectConfirmation{
+				{
 					Method: "urn:oasis:names:tc:SAML:2.0:cm:bearer",
 					SubjectConfirmationData: &SubjectConfirmationData{
 						Address:      "",
@@ -530,13 +549,13 @@ func (test *IdentityProviderTest) TestMakeAssertion(c *C) {
 			NotBefore:    TimeNow(),
 			NotOnOrAfter: TimeNow().Add(MaxIssueDelay),
 			AudienceRestrictions: []AudienceRestriction{
-				AudienceRestriction{
+				{
 					Audience: Audience{Value: "https://sp.example.com/saml2/metadata"},
 				},
 			},
 		},
 		AuthnStatements: []AuthnStatement{
-			AuthnStatement{
+			{
 				AuthnInstant:    time.Time{},
 				SessionIndex:    "",
 				SubjectLocality: &SubjectLocality{},
@@ -546,7 +565,7 @@ func (test *IdentityProviderTest) TestMakeAssertion(c *C) {
 			},
 		},
 		AttributeStatements: []AttributeStatement{
-			AttributeStatement{
+			{
 				Attributes: []Attribute{
 					{
 						FriendlyName: "uid",
@@ -562,7 +581,9 @@ func (test *IdentityProviderTest) TestMakeAssertion(c *C) {
 				},
 			},
 		},
-	})
+	}
+	assert.Check(t, is.DeepEqual(expected, req.Assertion))
+
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:             "f00df00df00d",
 		CreateTime:     TimeNow(),
@@ -576,88 +597,92 @@ func (test *IdentityProviderTest) TestMakeAssertion(c *C) {
 		UserSurname:    "Smith",
 		UserGivenName:  "Alice",
 	})
-	c.Assert(err, IsNil)
-
-	c.Assert(req.Assertion.AttributeStatements[0].Attributes, DeepEquals, []Attribute{
-		{
-			FriendlyName: "uid",
-			Name:         "urn:oid:0.9.2342.19200300.100.1.1",
-			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-			Values: []AttributeValue{
-				{
-					Type:  "xs:string",
-					Value: "alice",
+	assert.Check(t, err)
+
+	expectedAttributes :=
+		[]Attribute{
+			{
+				FriendlyName: "uid",
+				Name:         "urn:oid:0.9.2342.19200300.100.1.1",
+				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+				Values: []AttributeValue{
+					{
+						Type:  "xs:string",
+						Value: "alice",
+					},
 				},
 			},
-		},
-		{
-			FriendlyName: "eduPersonPrincipalName",
-			Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
-			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-			Values: []AttributeValue{
-				{
-					Type:  "xs:string",
-					Value: "alice@example.com",
+			{
+				FriendlyName: "eduPersonPrincipalName",
+				Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
+				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+				Values: []AttributeValue{
+					{
+						Type:  "xs:string",
+						Value: "alice@example.com",
+					},
 				},
 			},
-		},
-		{
-			FriendlyName: "sn",
-			Name:         "urn:oid:2.5.4.4",
-			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-			Values: []AttributeValue{
-				{
-					Type:  "xs:string",
-					Value: "Smith",
+			{
+				FriendlyName: "sn",
+				Name:         "urn:oid:2.5.4.4",
+				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+				Values: []AttributeValue{
+					{
+						Type:  "xs:string",
+						Value: "Smith",
+					},
 				},
 			},
-		},
-		{
-			FriendlyName: "givenName",
-			Name:         "urn:oid:2.5.4.42",
-			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-			Values: []AttributeValue{
-				{
-					Type:  "xs:string",
-					Value: "Alice",
+			{
+				FriendlyName: "givenName",
+				Name:         "urn:oid:2.5.4.42",
+				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+				Values: []AttributeValue{
+					{
+						Type:  "xs:string",
+						Value: "Alice",
+					},
 				},
 			},
-		},
-		{
-			FriendlyName: "cn",
-			Name:         "urn:oid:2.5.4.3",
-			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-			Values: []AttributeValue{
-				{
-					Type:  "xs:string",
-					Value: "Alice Smith",
+			{
+				FriendlyName: "cn",
+				Name:         "urn:oid:2.5.4.3",
+				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+				Values: []AttributeValue{
+					{
+						Type:  "xs:string",
+						Value: "Alice Smith",
+					},
 				},
 			},
-		},
-		{
-			FriendlyName: "eduPersonAffiliation",
-			Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
-			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-			Values: []AttributeValue{
-				{
-					Type:  "xs:string",
-					Value: "Users",
-				},
-				{
-					Type:  "xs:string",
-					Value: "Administrators",
-				},
-				{
-					Type:  "xs:string",
-					Value: "♀",
+			{
+				FriendlyName: "eduPersonAffiliation",
+				Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
+				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+				Values: []AttributeValue{
+					{
+						Type:  "xs:string",
+						Value: "Users",
+					},
+					{
+						Type:  "xs:string",
+						Value: "Administrators",
+					},
+					{
+						Type:  "xs:string",
+						Value: "♀",
+					},
 				},
 			},
-		},
-	})
+		}
+	assert.Check(t, is.DeepEqual(expectedAttributes, req.Assertion.AttributeStatements[0].Attributes))
 }
 
-func (test *IdentityProviderTest) TestMarshalAssertion(c *C) {
+func TestIDPMarshalAssertion(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	req := IdpAuthnRequest{
+		Now: TimeNow(),
 		IDP: &test.IDP,
 		RequestBuffer: []byte("" +
 			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
@@ -674,14 +699,14 @@ func (test *IdentityProviderTest) TestMarshalAssertion(c *C) {
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err := req.Validate()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	err = req.MakeAssertionEl()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	// Compare the plaintext first
 	expectedPlaintext := "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" IssueInstant=\"2015-12-01T01:57:09Z\" Version=\"2.0\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.example.com/saml/metadata</saml:Issuer><ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/><ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/><ds:Reference URI=\"#id-00020406080a0c0e10121416181a1c1e20222426\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/><ds:DigestValue>gjE0eLUMVt+kK0rIGYvnzHV/2Ok=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Jm1rrxo2x7SYTnaS97bCdnVLQGeQuCMTjiSUvwzBkWFR+xcPr+n38dXmv0q0R68tO7L2ELhLtBdLm/dWsxruN23TMGVQyHIPMgJExdnYb7fwqx6es/NAdbDUBTbSdMX0vhIlTsHu5F0bJ0Tg0iAo9uRk9VeBdkaxtPa7+4yl1PQ=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" NameQualifier=\"https://idp.example.com/saml/metadata\" SPNameQualifier=\"https://sp.example.com/saml2/metadata\"/><saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><saml:SubjectConfirmationData InResponseTo=\"id-00020406080a0c0e10121416181a1c1e\" NotOnOrAfter=\"2015-12-01T01:58:39Z\" Recipient=\"https://sp.example.com/saml2/acs\"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore=\"2015-12-01T01:57:09Z\" NotOnOrAfter=\"2015-12-01T01:58:39Z\"><saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml2/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant=\"0001-01-01T00:00:00Z\"><saml:SubjectLocality/><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName=\"uid\" Name=\"urn:oid:0.9.2342.19200300.100.1.1\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"
@@ -691,117 +716,74 @@ func (test *IdentityProviderTest) TestMarshalAssertion(c *C) {
 		doc.SetRoot(req.AssertionEl)
 		el := doc.FindElement("//EncryptedAssertion/EncryptedData")
 		actualPlaintextBuf, err := xmlenc.Decrypt(test.SPKey, el)
-		c.Assert(err, IsNil)
+		assert.Check(t, err)
 		actualPlaintext = string(actualPlaintextBuf)
 	}
-	c.Assert(actualPlaintext, Equals, expectedPlaintext)
+	assert.Check(t, is.Equal(expectedPlaintext, actualPlaintext))
 
 	doc := etree.NewDocument()
 	doc.SetRoot(req.AssertionEl)
 	assertionBuffer, err := doc.WriteToBytes()
-	c.Assert(err, IsNil)
-	c.Assert(string(assertionBuffer), Equals, "<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"_e285ece1511455780875d64ee2d3d0d0\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"/><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><xenc:EncryptedKey Id=\"_6e4ff95ff662a5eee82abdf44a2d0b75\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>R9aHQv2U2ZZSuvRaL4/X8TXpm2/1so2IiOz/+NsAzEKoLAg8Sj87Nj5oMrYY2HF5DPQm/N/3+v6wOU9dX62spTzoSWocVzQU+GdTG2DiIIiAAvQwZo1FyUDKS1Fs5voWzgKvs8G43nj68147T96sXY9SyeUBBdhQtXRsEsmKiAs=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>3mv4+bRM6F/wRMax+DuOiAY7YPAkAq5YdWfvqFQJR6DwMVPK6hOERHRJDP2/w7MLLCS2TJvZ1rvWWuv4bJuVMmbQyyRR2Ijd/PUmU72sMP4QJxClpUCeA+IAuqLH6ClVC3gZ/oGpv3O9kX6VVEFq3Aozh+dc/oPriCbHmMgnH2Urv//nutx0psmdaj4ghv+Ddny7hI3AfQwW++PR8LTmupl639UjCS9RyfGlTa+1i6YpMnIpduCyquQZ+1USJXwaQsxb75Ks4fi4r55visQ6c8aX8dnJPj69rQzK++9JouWdW0ccyxDTF8nRFOB5UkxAo+/aAyi72WURx0TinpowR1fjDm04U0IOKYVY6tAm8Apl2LLHJNByGMVGZW1DMv72CLgwBgN0vli9Y6EvB4p7WtyV7Kz+oc6Ci7Wk+QTdXYMqqNnigtoWOlMehi0VEqIIhXjbmsxczEudmGWiDvmvnpWVJIWusw+oWWKF84ghnI5Evty+cWcF8Fv4aL0egk268DPuWBR368FCccsewi9JTZts8oVdgwnCfdGLvmglfdhCNXUhLNKXN2en4KL3ahatFxYWktMJQD0g7qITFBfseQRkV8YKP+v8oLjYRV4rFgfMHKYixNlHlZM4LRT7hMX8alkwAnZlNbbjQYue3cN203PJ6GuPCojT9QGfmwIxDyJ4OzonKOifXYwmK/rG9DlqoMtySNRfSHZsZuYDOwQ7Xi7jhCX1HMvSonRbgKd34si97Kf+UzS5XNnJKD1uG6RbX5+eRaVgI0jlzlzPnn/GQ1WEmadwxeQKBjIiiTRh2c5zHbctgJiX+lrK73Q23BzdEj5nsN5aXgGRGdUUPxV1wpFNpnxuWA+z8CplUDVBcUZPbd0u3CXzdH8zyYRKxIdLwjSEdXVJrsx6A+XIAOOph2Mx7OA/C/XNtDnTlJ4i2XiDYvcyDo9ILBLVdeSxcZ0WUt6l4+PpVEgEzxzTG8OpkAIpcNYJObJ38qwkXURnaE+VIoaq9ezecJj7N4uPBOZLkDfWq0UvMXGrsqZYfaFgIJYLrtAd0KuGPNJ3m0paJYa5JnckfucJer6hjDYon2y17sP5sYTP9FhWEHb08M+VLakYNFekYsseumMdYZItqQ1ZgxYE8qVvwCLN+wF7x03nmIwRpuTL8Djdee/wDFKsK/vyIFNespHkvSTltmbQKSGEmglZNzLsXeyFdyOhvTCIcF/VpPrRSu4RWw3HcyQjDOfI3Itrxok2kcWHQZohKHGzpMInYpbjQJpHox3WhwwNT8Vkq1cJ5u7x+mZO+LzuBuIiQHaYMNXPAkkb2oLYZBOKazVR3+Y4asNAFlD1K1FWSctorSLdJly93WLvdya4EUCgOufN8LhnbwpLqIw57B9RfWa254F0DtFRZ1/iMAmRMjb25KA1c/U6U1woXxeZgCzUMs+j0D5MkY5n1it7dgDJ6XohzfoAfgC/oU4glNWr07Ep+CkYD+JYZ88YZUkSPt3UmNHPIwy2H/cFAgwVuD1v2t601LxESX95PeNgaXfRX5fZJcjAPBWMUWIPwRzNX4Y/o0U5h15FKSTnBvQ822yqhOMyM/+qwFJDGRvY3f40Hy6u9Q9y2j8gnYWeYatcVbdLcGP3jb8HHHViMwNbjt1BgLC0SAd4HhEZwDraHVLgumNfZiwDMs+g3S/OTMLAsW0I4tYve/NvyY8hUgOpubWRaBaJ8/VZFbe6y1hJ3RYyHGX23hMMTHuT8ZJDq1XnQDaFvi2qe2ad6oMQrENszJBWifIv8goxoJ2djWJJ7+7WzqU/E7MTCl5WuhlR3SPhd0hZ4cjfAx50i9634JlcAv9prFMUpXk/eHZFthVGTlEgxVuMgXbAR1PAHCE9RLqgj7807hn7VNyI4HV9wlCW46/FtqiqzhBgFFmPwJGBW7Ttj8W8MfrdBdSSIiXJFPkOH1j+4UWx1ENTiRFtArZp+2yBEG2U+6N6VA78pR/988hm0QqSXPZSofnxvWPDcxJsLHOkV6kz/fUTwIGqKVtpvED/K+X4NI/7Ko+X8VWZWJ/px2ht+mdLb7N/+KOvez6TPWt7UbBlFttIekK4nz3LEVK+8rJcfj93KsFH5Bb+DycG2yMOXkbUmIZQ4HChnlcnpToDLDeLyoiOokj8uYJgfClMcfpMhWtnbytf7WlzNxdPDLAtNeO6m1C6HJukDHc0r272Zo3MDuJq8qr3H8eDnaWSPp2bfGEEoMYFR07NEKYut4i+85CniR25snEU9StGhPqXnUg9wEldtZtbhlqU+MCTovTZ0JnQb/ooa+e4YtT9fy9zRmoQVlVlMAUHV5PMuIfaLAWWlXE3+FKPUDmrl9xjdM8TCE9fggHTazznlVdY4blVodPjfGdSFAM1j6iPu6Q9QV/BpNftwd/gV7KNgHhzwkIbEx6XLb+tez+gROiNGSfjgtNX+1FB6PsJHxpIpCndkGHRAn/wroQGsuq7VPmN9PQFaayImwll7X9n/TKrQRcsFFk+afefnUMVt9BgNAC3vcBXO3v8J0lyn+vjLjtqCh/Q3h9seL2ipee1k3cJVgZGBmwxGUGOHk2LKIGb9/gkWyWOam+KFyQOI8K3LTC7sJlgodTA4qdZJtHuZ34F74x3TEoQIi1bTYvZcTNBd10B32yDGagEBafZCCHsaJkDGvRl8sirrZOGwosYmkk3bGPwRgXBAX0wiPkuSXiKDv30fj+qKl1GrRhhp1Nzv5Rwon9TTveNQPLuX4sbl3HX5N4JjWuZxyY0vQ0CT8A/waqJBxDu0/TOS2bI3uDkT8ice53BVzqgL9lk80ElFjH2KpEspllBVW37L0mGxlZNtSymg8UwnPNl8v9olwJGc5aGlYLOk6Uqy/qMVlwIKg6B0do4JTzw9eR3nNllr7XcB+rN3vwJE8Gcznlduwi6QNl7AVySFIQvYcyRgKGO4IZ+u+FGcoOqH7RnvKqazcDvThbU4UkdMAvcZZ+ACLA4ircDfNPSyetuo+M4Bdlau3U3QJT0j4f1T7YOtvqqllb284SHD0b/niJmHWROY16tmzo3S3K77vygpWHW46SM9/nhTuNyE/MATU90cQ0u95uIpH99xEU7UeZWAWQX9XRBoFdEKHeA74zQLjpEQVZq/BwJyITBPIUcBdQ/khcpywF7IMl3hXSm1gSLdRCnqjTPuGLHAtMQKUwkzMUr1Xl5jW/bgGhw2FV6jvHO2TUr7BVzkY4y9ZCXGFnba0L5XBwM9yoCppr6P2Y0c+HH8OIe/42zoek+qJZdX29ByjndNy3hqCDzKylP4NiZjsY4n9fqV05RUcGd2gohILVgCVei4XuCjGlFfthUVEHNt1iW44+OenAO69bzynmv6/jVFV6uknfvWuh8yJbkY11bfJfxdgpYGEDlgOSlhh8gm3X5kP3xzEwKWgH7usOxyls46LcyX/jMTSoVViGYi5cSJLIIE+0KBsHf19NA3VY0q8qawHDBco3ufocJFl8boKFziaJhjjSRgB1peVQiocnIBZ+rdYt0VQv+8eUnhkW4pn3nbVgNwVK49ZMRAF4NKsZfeJusdeDVZWnIP0n/ngcY0z15QqQgcxu5VZYtVg9mO0d96wDNyZ3bz30IFi91Q2boA8d7l/oxXWJkKF/tyqO5EY3m9DeLoGeu75NedPiUm+lGeJlpZH/fTHioJxEYS9IfM4Q4zXkP6ipWBkMch7X2QiTVoodJ9L8o/tpsBFbh8Cr5wTKlEChSDU7GRV7nhylBmYZOpPsL9w/4cyVMIBfWYFqxrjYQp3IheLRBqrNKWNQ2yKwvAlUC0sYdtTIDidvwa7VjEO3yt723hZeVS2cBIKhPhU5otffGi2vV9VCCS4eXTUteN/EQd7sROiHoQS6cat0kTFN34bShAJSdzY9P0wxE4j9LZjIe9eAsMq6B5aEIgqdHferl462UA8t2zeUgOp6fQC6NroVb4md9RmUphGZtHp2JN7Y5eGM9rk9wqLVSSOPfA8++LhpTOcCEmJWP9TNkM42tSSre6PWJ2gPWT5VZ/47v7scSdelLO8SeCYUJAcq8vrTbZ6b5Dqjdb6w7XjJU60g5v109rgJJuHZjhQI/3dvNMbhD4n6avqd6wGbGboRtT8Mfr95wZDQA5EhIykyMokQq+iUhRWadpg2TYkL/9zmqOgLyr6Lqep/wsWb7LJIhFkmB/qkMrHLxaHT1er8qnkDOVBQYAjTybH0Z9N/IXcPYQKinD13i4k9O1I5VJ3gtQJpukX+eCWdT4gGWMTdaqs2Fv6rmitavO9qXuzTznWVk/3MlQq0ZxER8Xq2BwZPOAjrVkjw1IpUSit/BprLcKFA=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>")
+	assert.Check(t, err)
+	golden.Assert(t, string(assertionBuffer), t.Name()+"_encrypted_assertion")
 }
 
-func (test *IdentityProviderTest) TestMakeResponse(c *C) {
+func TestIDPMakeResponse(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	req := IdpAuthnRequest{
-		IDP: &test.IDP,
-		RequestBuffer: []byte("" +
-			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
-			"  AssertionConsumerServiceURL=\"https://sp.example.com/saml2/acs\" " +
-			"  Destination=\"https://idp.example.com/saml/sso\" " +
-			"  ID=\"id-00020406080a0c0e10121416181a1c1e\" " +
-			"  IssueInstant=\"2015-12-01T01:57:09Z\" ProtocolBinding=\"\" " +
-			"  Version=\"2.0\">" +
-			"  <Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" " +
-			"    Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://sp.example.com/saml2/metadata</Issuer>" +
-			"  <NameIDPolicy xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
-			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
-			"</AuthnRequest>"),
+		Now:           TimeNow(),
+		IDP:           &test.IDP,
+		RequestBuffer: golden.Get(t, "TestIDPMakeResponse_request_buffer"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err := req.Validate()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	err = req.MakeAssertionEl()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	req.AssertionEl = etree.NewElement("this-is-an-encrypted-assertion")
 	err = req.MakeResponse()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	response := Response{}
 	err = unmarshalEtreeHack(req.ResponseEl, &response)
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	doc := etree.NewDocument()
 	doc.SetRoot(req.ResponseEl)
 	doc.Indent(2)
-	responseStr, _ := doc.WriteToString()
-	c.Assert(responseStr, DeepEquals, ""+
-		"<samlp:Response xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" ID=\"id-282a2c2e30323436383a3c3e40424446484a4c4e\" InResponseTo=\"id-00020406080a0c0e10121416181a1c1e\" Version=\"2.0\" IssueInstant=\"2015-12-01T01:57:09Z\" Destination=\"https://sp.example.com/saml2/acs\">\n"+
-		"  <saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.example.com/saml/metadata</saml:Issuer>\n"+
-		"  <ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n"+
-		"    <ds:SignedInfo>\n"+
-		"      <ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n"+
-		"      <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n"+
-		"      <ds:Reference URI=\"#id-282a2c2e30323436383a3c3e40424446484a4c4e\">\n"+
-		"        <ds:Transforms>\n"+
-		"          <ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>\n"+
-		"          <ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n"+
-		"        </ds:Transforms>\n"+
-		"        <ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>\n"+
-		"        <ds:DigestValue>fGqTakd3fq3s1utz7xTvzJtQc+E=</ds:DigestValue>\n"+
-		"      </ds:Reference>\n"+
-		"    </ds:SignedInfo>\n"+
-		"    <ds:SignatureValue>yXty6VQCvvF6QAR+vXZtLq2/r8Jt2B9jExD1vVfvWY+S1sKPZbNbaKl69YHYXU8lkhymlVNaMsaezQWDisbNfPe0R0UWysp2rfIXpVDGTdp/YHPj1MIODMPrlgWFfcJjgGxox0tTVzaFyOJFSPhn4G8wEI86WHuePnjRcenfxyk=</ds:SignatureValue>\n"+
-		"    <ds:KeyInfo>\n"+
-		"      <ds:X509Data>\n"+
-		"        <ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate>\n"+
-		"      </ds:X509Data>\n"+
-		"    </ds:KeyInfo>\n"+
-		"  </ds:Signature>\n"+
-		"  <samlp:Status>\n"+
-		"    <samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/>\n"+
-		"  </samlp:Status>\n"+
-		"  <this-is-an-encrypted-assertion xmlns=\"http://www.w3.org/XML/1998/namespace\"/>\n"+
-		"</samlp:Response>\n")
+	responseStr, err := doc.WriteToString()
+	assert.Check(t, err)
+	golden.Assert(t, responseStr, t.Name()+"_response.xml")
 }
 
-func (test *IdentityProviderTest) TestWriteResponse(c *C) {
+func TestIDPWriteResponse(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	req := IdpAuthnRequest{
-		IDP:        &test.IDP,
-		RelayState: "THIS_IS_THE_RELAY_STATE",
-		RequestBuffer: []byte("" +
-			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
-			"  AssertionConsumerServiceURL=\"https://sp.example.com/saml2/acs\" " +
-			"  Destination=\"https://idp.example.com/saml/sso\" " +
-			"  ID=\"id-00020406080a0c0e10121416181a1c1e\" " +
-			"  IssueInstant=\"2015-12-01T01:57:09Z\" ProtocolBinding=\"\" " +
-			"  Version=\"2.0\">" +
-			"  <Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" " +
-			"    Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://sp.example.com/saml2/metadata</Issuer>" +
-			"  <NameIDPolicy xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
-			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
-			"</AuthnRequest>"),
-		ResponseEl: etree.NewElement("THIS_IS_THE_SAML_RESPONSE"),
+		Now:           TimeNow(),
+		IDP:           &test.IDP,
+		RelayState:    "THIS_IS_THE_RELAY_STATE",
+		RequestBuffer: golden.Get(t, "TestIDPWriteResponse_RequestBuffer.xml"),
+		ResponseEl:    etree.NewElement("THIS_IS_THE_SAML_RESPONSE"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err := req.Validate()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	w := httptest.NewRecorder()
 	err = req.WriteResponse(w)
-	c.Assert(err, IsNil)
-	c.Assert(w.Code, Equals, 200)
-	c.Assert(string(w.Body.Bytes()), Equals, "<html><form method=\"post\" action=\"https://sp.example.com/saml2/acs\" id=\"SAMLResponseForm\"><input type=\"hidden\" name=\"SAMLResponse\" value=\"PFRISVNfSVNfVEhFX1NBTUxfUkVTUE9OU0UvPg==\" /><input type=\"hidden\" name=\"RelayState\" value=\"THIS_IS_THE_RELAY_STATE\" /><input id=\"SAMLSubmitButton\" type=\"submit\" value=\"Continue\" /></form><script>document.getElementById('SAMLSubmitButton').style.visibility='hidden';</script><script>document.getElementById('SAMLResponseForm').submit();</script></html>")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"response.html")
 }
 
-func (test *IdentityProviderTest) TestIDPInitiatedNewSession(c *C) {
+func TestIDPIDPInitiatedNewSession(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	test.IDP.SessionProvider = &mockSessionProvider{
 		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
 			fmt.Fprintf(w, "RelayState: %s", req.RelayState)
@@ -812,11 +794,12 @@ func (test *IdentityProviderTest) TestIDPInitiatedNewSession(c *C) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/services/sp/whoami", nil)
 	test.IDP.ServeIDPInitiated(w, r, test.SP.MetadataURL.String(), "ThisIsTheRelayState")
-	c.Assert(w.Code, Equals, 200)
-	c.Assert(string(w.Body.Bytes()), Equals, "RelayState: ThisIsTheRelayState")
+	assert.Check(t, is.Equal(200, w.Code))
+	assert.Check(t, is.Equal("RelayState: ThisIsTheRelayState", w.Body.String()))
 }
 
-func (test *IdentityProviderTest) TestIDPInitiatedExistingSession(c *C) {
+func TestIDPIDPInitiatedExistingSession(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	test.IDP.SessionProvider = &mockSessionProvider{
 		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
 			return &Session{
@@ -829,12 +812,12 @@ func (test *IdentityProviderTest) TestIDPInitiatedExistingSession(c *C) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/services/sp/whoami", nil)
 	test.IDP.ServeIDPInitiated(w, r, test.SP.MetadataURL.String(), "ThisIsTheRelayState")
-	c.Assert(w.Code, Equals, 200)
-	c.Assert(string(w.Body.Bytes()), Matches,
-		"^<html><form method=\"post\" action=\"https://sp\\.example\\.com/saml2/acs\" id=\"SAMLResponseForm\"><input type=\"hidden\" name=\"SAMLResponse\" value=\".*\" /><input type=\"hidden\" name=\"RelayState\" value=\"ThisIsTheRelayState\" /><input id=\"SAMLSubmitButton\" type=\"submit\" value=\"Continue\" /></form><script>document\\.getElementById\\('SAMLSubmitButton'\\)\\.style\\.visibility='hidden';</script><script>document\\.getElementById\\('SAMLResponseForm'\\)\\.submit\\(\\);</script></html>$")
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"_response")
 }
 
-func (test *IdentityProviderTest) TestIDPInitiatedBadServiceProvider(c *C) {
+func TestIDPIDPInitiatedBadServiceProvider(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	test.IDP.SessionProvider = &mockSessionProvider{
 		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
 			return &Session{
@@ -847,10 +830,11 @@ func (test *IdentityProviderTest) TestIDPInitiatedBadServiceProvider(c *C) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/services/sp/whoami", nil)
 	test.IDP.ServeIDPInitiated(w, r, "https://wrong.url/metadata", "ThisIsTheRelayState")
-	c.Assert(w.Code, Equals, http.StatusNotFound)
+	assert.Check(t, is.Equal(http.StatusNotFound, w.Code))
 }
 
-func (test *IdentityProviderTest) TestCanHandleUnencryptedResponse(c *C) {
+func TestIDPCanHandleUnencryptedResponse(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	test.IDP.SessionProvider = &mockSessionProvider{
 		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
 			return &Session{ID: "f00df00df00d", UserName: "alice"}
@@ -858,8 +842,10 @@ func (test *IdentityProviderTest) TestCanHandleUnencryptedResponse(c *C) {
 	}
 
 	metadata := EntityDescriptor{}
-	err := xml.Unmarshal([]byte(`<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_97e2ce01-fa34-4c09-9126-4f7595ef6bf8' entityID='https://gitlab.example.com/users/auth/saml/metadata' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://gitlab.example.com/users/auth/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>`), &metadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(
+		golden.Get(t, "TestIDPCanHandleUnencryptedResponse_idp_metadata.xml"),
+		&metadata)
+	assert.Check(t, err)
 	test.IDP.ServiceProviderProvider = &mockServiceProviderProvider{
 		GetServiceProviderFunc: func(r *http.Request, serviceProviderID string) (*EntityDescriptor, error) {
 			if serviceProviderID == "https://gitlab.example.com/users/saml/metadata" {
@@ -870,136 +856,46 @@ func (test *IdentityProviderTest) TestCanHandleUnencryptedResponse(c *C) {
 	}
 
 	req := IdpAuthnRequest{
-		IDP: &test.IDP,
-		RequestBuffer: []byte("" +
-			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
-			"  AssertionConsumerServiceURL=\"https://gitlab.example.com/users/auth/saml/callback\" " +
-			"  Destination=\"https://idp.example.com/saml/sso\" " +
-			"  ID=\"id-00020406080a0c0e10121416181a1c1e\" " +
-			"  IssueInstant=\"2015-12-01T01:57:09Z\" ProtocolBinding=\"\" " +
-			"  Version=\"2.0\">" +
-			"  <Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" " +
-			"    Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://gitlab.example.com/users/saml/metadata</Issuer>" +
-			"</AuthnRequest>"),
+		Now:           TimeNow(),
+		IDP:           &test.IDP,
+		RequestBuffer: golden.Get(t, "TestIDPCanHandleUnencryptedResponse_request"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err = req.Validate()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	err = req.MakeAssertionEl()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	err = req.MakeResponse()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	doc := etree.NewDocument()
 	doc.SetRoot(req.ResponseEl)
 	doc.Indent(2)
 	responseStr, _ := doc.WriteToString()
-	c.Assert(responseStr, DeepEquals, ""+
-		"<samlp:Response xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" ID=\"id-282a2c2e30323436383a3c3e40424446484a4c4e\" InResponseTo=\"id-00020406080a0c0e10121416181a1c1e\" Version=\"2.0\" IssueInstant=\"2015-12-01T01:57:09Z\" Destination=\"https://gitlab.example.com/users/auth/saml/callback\">\n"+
-		"  <saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.example.com/saml/metadata</saml:Issuer>\n"+
-		"  <ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n"+
-		"    <ds:SignedInfo>\n"+
-		"      <ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n"+
-		"      <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n"+
-		"      <ds:Reference URI=\"#id-282a2c2e30323436383a3c3e40424446484a4c4e\">\n"+
-		"        <ds:Transforms>\n"+
-		"          <ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>\n"+
-		"          <ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n"+
-		"        </ds:Transforms>\n"+
-		"        <ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>\n"+
-		"        <ds:DigestValue>EJWYGjZq4zltPha+UU/Pcqs+JSc=</ds:DigestValue>\n"+
-		"      </ds:Reference>\n"+
-		"    </ds:SignedInfo>\n"+
-		"    <ds:SignatureValue>C4qEE/hh8tqaM47F6VK9toHJqQxnzzzfwxIc5IUOO1izD/vIFfn4OwKw/SfCFhYj8ZgnVM/BF3oaiWhuAMgFS+MKz2RYnY5h0+DUb1Mv4SjtEPQIv+TL/LGsMJuzPoEkXcxXefz2JCJMXeYM66PfeuBxRpETIe2zIJzZhd9mIrs=</ds:SignatureValue>\n"+
-		"    <ds:KeyInfo>\n"+
-		"      <ds:X509Data>\n"+
-		"        <ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate>\n"+
-		"      </ds:X509Data>\n"+
-		"    </ds:KeyInfo>\n"+
-		"  </ds:Signature>\n"+
-		"  <samlp:Status>\n"+
-		"    <samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/>\n"+
-		"  </samlp:Status>\n"+
-		"  <saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" IssueInstant=\"2015-12-01T01:57:09Z\" Version=\"2.0\">\n"+
-		"    <saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.example.com/saml/metadata</saml:Issuer>\n"+
-		"    <ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n"+
-		"      <ds:SignedInfo>\n"+
-		"        <ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n"+
-		"        <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n"+
-		"        <ds:Reference URI=\"#id-00020406080a0c0e10121416181a1c1e20222426\">\n"+
-		"          <ds:Transforms>\n"+
-		"            <ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>\n"+
-		"            <ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n"+
-		"          </ds:Transforms>\n"+
-		"          <ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>\n"+
-		"          <ds:DigestValue>XPlQkPZr16jJADNHhQ/sma8PBC4=</ds:DigestValue>\n"+
-		"        </ds:Reference>\n"+
-		"      </ds:SignedInfo>\n"+
-		"      <ds:SignatureValue>zDZndnR6twoH0l7j5Qv7hrWxszt+UYSpJ07L0bnN9kD/3jUFkSStok5ubRP5rvOLH6cg4sQX97VuU7EPAmNhj9XcEH7hGMkAAxV/9pbrocSMAm4+HgpyoVl4NSvh9HVWA7tq2WMBgNl6qi05xGws2Fr+zlsax7yr9/hQKdNXL04=</ds:SignatureValue>\n"+
-		"      <ds:KeyInfo>\n"+
-		"        <ds:X509Data>\n"+
-		"          <ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate>\n"+
-		"        </ds:X509Data>\n"+
-		"      </ds:KeyInfo>\n"+
-		"    </ds:Signature>\n"+
-		"    <saml:Subject>\n"+
-		"      <saml:NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" NameQualifier=\"https://idp.example.com/saml/metadata\" SPNameQualifier=\"https://gitlab.example.com/users/auth/saml/metadata\"/>\n"+
-		"      <saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\n"+
-		"        <saml:SubjectConfirmationData InResponseTo=\"id-00020406080a0c0e10121416181a1c1e\" NotOnOrAfter=\"2015-12-01T01:58:39Z\" Recipient=\"https://gitlab.example.com/users/auth/saml/callback\"/>\n"+
-		"      </saml:SubjectConfirmation>\n"+
-		"    </saml:Subject>\n"+
-		"    <saml:Conditions NotBefore=\"2015-12-01T01:57:09Z\" NotOnOrAfter=\"2015-12-01T01:58:39Z\">\n"+
-		"      <saml:AudienceRestriction>\n"+
-		"        <saml:Audience>https://gitlab.example.com/users/auth/saml/metadata</saml:Audience>\n"+
-		"      </saml:AudienceRestriction>\n"+
-		"    </saml:Conditions>\n"+
-		"    <saml:AuthnStatement AuthnInstant=\"0001-01-01T00:00:00Z\">\n"+
-		"      <saml:SubjectLocality/>\n"+
-		"      <saml:AuthnContext>\n"+
-		"        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>\n"+
-		"      </saml:AuthnContext>\n"+
-		"    </saml:AuthnStatement>\n"+
-		"    <saml:AttributeStatement>\n"+
-		"      <saml:Attribute FriendlyName=\"Email address\" Name=\"email\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\">\n"+
-		"        <saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\"></saml:AttributeValue>\n"+
-		"      </saml:Attribute>\n"+
-		"      <saml:Attribute FriendlyName=\"Full name\" Name=\"name\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\">\n"+
-		"        <saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\"></saml:AttributeValue>\n"+
-		"      </saml:Attribute>\n"+
-		"      <saml:Attribute FriendlyName=\"Given name\" Name=\"first_name\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\">\n"+
-		"        <saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\"></saml:AttributeValue>\n"+
-		"      </saml:Attribute>\n"+
-		"      <saml:Attribute FriendlyName=\"Family name\" Name=\"last_name\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\">\n"+
-		"        <saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\"></saml:AttributeValue>\n"+
-		"      </saml:Attribute>\n"+
-		"      <saml:Attribute FriendlyName=\"uid\" Name=\"urn:oid:0.9.2342.19200300.100.1.1\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\">\n"+
-		"        <saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">alice</saml:AttributeValue>\n"+
-		"      </saml:Attribute>\n"+
-		"    </saml:AttributeStatement>\n"+
-		"  </saml:Assertion>\n"+
-		"</samlp:Response>\n")
+	golden.Assert(t, responseStr, t.Name()+"_response")
 }
 
-func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
+func TestIDPRequestedAttributes(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	metadata := EntityDescriptor{}
-	err := xml.Unmarshal([]byte(`<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_85fdc505-39e4-4c20-a67f-ca15f4e4064a' entityID='https://dev.aa.kndr.org/users/auth/saml/metadata' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://dev.aa.kndr.org/users/auth/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>`), &metadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(golden.Get(t, "TestIDPRequestedAttributes_idp_metadata.xml"), &metadata)
+	assert.Check(t, err)
 
 	requestURL, err := test.SP.MakeRedirectAuthenticationRequest("ThisIsTheRelayState")
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	r, _ := http.NewRequest("GET", requestURL.String(), nil)
 	req, err := NewIdpAuthnRequest(&test.IDP, r)
 	req.ServiceProviderMetadata = &metadata
 	req.ACSEndpoint = &metadata.SPSSODescriptors[0].AssertionConsumerServices[0]
 	req.SPSSODescriptor = &metadata.SPSSODescriptors[0]
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(req, &Session{
 		ID:             "f00df00df00d",
 		UserName:       "alice",
@@ -1008,11 +904,11 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 		UserSurname:    "Smith",
 		UserCommonName: "Alice Smith",
 	})
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
-	c.Assert(req.Assertion.AttributeStatements, DeepEquals, []AttributeStatement{AttributeStatement{
+	expectedAttributes := []AttributeStatement{{
 		Attributes: []Attribute{
-			Attribute{
+			{
 				FriendlyName: "Email address",
 				Name:         "email",
 				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
@@ -1023,7 +919,7 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 					},
 				},
 			},
-			Attribute{
+			{
 				FriendlyName: "Full name",
 				Name:         "name",
 				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
@@ -1034,7 +930,7 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 					},
 				},
 			},
-			Attribute{
+			{
 				FriendlyName: "Given name",
 				Name:         "first_name",
 				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
@@ -1045,7 +941,7 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 					},
 				},
 			},
-			Attribute{
+			{
 				FriendlyName: "Family name",
 				Name:         "last_name",
 				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
@@ -1056,7 +952,7 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 					},
 				},
 			},
-			Attribute{
+			{
 				FriendlyName: "uid",
 				Name:         "urn:oid:0.9.2342.19200300.100.1.1",
 				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
@@ -1067,7 +963,7 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 					},
 				},
 			},
-			Attribute{
+			{
 				FriendlyName: "eduPersonPrincipalName",
 				Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
 				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
@@ -1078,7 +974,7 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 					},
 				},
 			},
-			Attribute{
+			{
 				FriendlyName: "sn",
 				Name:         "urn:oid:2.5.4.4",
 				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
@@ -1089,7 +985,7 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 					},
 				},
 			},
-			Attribute{
+			{
 				FriendlyName: "givenName",
 				Name:         "urn:oid:2.5.4.42",
 				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
@@ -1100,7 +996,7 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 					},
 				},
 			},
-			Attribute{
+			{
 				FriendlyName: "cn",
 				Name:         "urn:oid:2.5.4.3",
 				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
@@ -1111,10 +1007,12 @@ func (test *IdentityProviderTest) TestRequestedAttributes(c *C) {
 					},
 				},
 			},
-		}}})
+		}}}
+	assert.Check(t, is.DeepEqual(expectedAttributes, req.Assertion.AttributeStatements))
 }
 
-func (test *IdentityProviderTest) TestNoDestination(c *C) {
+func TestIDPNoDestination(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
 	test.IDP.SessionProvider = &mockSessionProvider{
 		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
 			return &Session{ID: "f00df00df00d", UserName: "alice"}
@@ -1122,8 +1020,8 @@ func (test *IdentityProviderTest) TestNoDestination(c *C) {
 	}
 
 	metadata := EntityDescriptor{}
-	err := xml.Unmarshal([]byte(`<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_97e2ce01-fa34-4c09-9126-4f7595ef6bf8' entityID='https://gitlab.example.com/users/auth/saml/metadata' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://gitlab.example.com/users/auth/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>`), &metadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(golden.Get(t, "TestIDPNoDestination_idp_metadata.xml"), &metadata)
+	assert.Check(t, err)
 	test.IDP.ServiceProviderProvider = &mockServiceProviderProvider{
 		GetServiceProviderFunc: func(r *http.Request, serviceProviderID string) (*EntityDescriptor, error) {
 			if serviceProviderID == "https://gitlab.example.com/users/saml/metadata" {
@@ -1134,28 +1032,21 @@ func (test *IdentityProviderTest) TestNoDestination(c *C) {
 	}
 
 	req := IdpAuthnRequest{
-		IDP: &test.IDP,
-		RequestBuffer: []byte("" +
-			"<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
-			"  AssertionConsumerServiceURL=\"https://gitlab.example.com/users/auth/saml/callback\" " +
-			"  ID=\"id-00020406080a0c0e10121416181a1c1e\" " +
-			"  IssueInstant=\"2015-12-01T01:57:09Z\" ProtocolBinding=\"\" " +
-			"  Version=\"2.0\">" +
-			"  <Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" " +
-			"    Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://gitlab.example.com/users/saml/metadata</Issuer>" +
-			"</AuthnRequest>"),
+		Now:           TimeNow(),
+		IDP:           &test.IDP,
+		RequestBuffer: golden.Get(t, "TestIDPNoDestination_request"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err = req.Validate()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	err = req.MakeAssertionEl()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	err = req.MakeResponse()
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 }
diff --git a/metadata.go b/metadata.go
index f97fe37b..c6139d75 100644
--- a/metadata.go
+++ b/metadata.go
@@ -8,10 +8,10 @@ import (
 )
 
 // HTTPPostBinding is the official URN for the HTTP-POST binding (transport)
-var HTTPPostBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+const HTTPPostBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 
 // HTTPRedirectBinding is the official URN for the HTTP-Redirect binding (transport)
-var HTTPRedirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+const HTTPRedirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 
 // EntitiesDescriptor represents the SAML object of the same name.
 //
@@ -110,7 +110,7 @@ type Organization struct {
 //
 // See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf §2.2.4
 type LocalizedName struct {
-	Lang  string `xml:"xml lang,attr"`
+	Lang  string `xml:"http://www.w3.org/XML/1998/namespace lang,attr"`
 	Value string `xml:",chardata"`
 }
 
@@ -118,7 +118,7 @@ type LocalizedName struct {
 //
 // See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf §2.2.5
 type LocalizedURI struct {
-	Lang  string `xml:"xml lang,attr"`
+	Lang  string `xml:"http://www.w3.org/XML/1998/namespace lang,attr"`
 	Value string `xml:",chardata"`
 }
 
diff --git a/metadata_test.go b/metadata_test.go
index c69df0a4..92ee157e 100644
--- a/metadata_test.go
+++ b/metadata_test.go
@@ -1,35 +1,32 @@
 package saml
 
 import (
-	"time"
-
 	"encoding/xml"
+	"testing"
+	"time"
 
-	"github.com/kr/pretty"
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
 )
 
-type MetadataTest struct{}
-
-var _ = Suite(&MetadataTest{})
-
-func (s *MetadataTest) TestCanParseMetadata(c *C) {
-	buf := []byte(`<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_af805d1c-c2e3-444e-9cf5-efc664eeace6' entityID='https://dev.aa.kndr.org/users/auth/saml/metadata' validUntil='2001-02-03T04:05:06.789' cacheDuration='PT1H' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://dev.aa.kndr.org/users/auth/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>`)
+func TestCanParseMetadata(t *testing.T) {
+	buf := golden.Get(t, "TestCanParseMetadata_metadata.xml")
 
 	metadata := EntityDescriptor{}
 	err := xml.Unmarshal(buf, &metadata)
-	c.Assert(err, IsNil)
-	pretty.Print(metadata)
+	assert.Check(t, err)
+
 	var False = false
 	var True = true
 	validUntil := time.Date(2001, time.February, 3, 4, 5, 6, 789000000, time.UTC)
-	c.Assert(metadata, DeepEquals, EntityDescriptor{
+	expected := EntityDescriptor{
 		EntityID:      "https://dev.aa.kndr.org/users/auth/saml/metadata",
 		ID:            "_af805d1c-c2e3-444e-9cf5-efc664eeace6",
 		ValidUntil:    &validUntil,
 		CacheDuration: time.Hour,
 		SPSSODescriptors: []SPSSODescriptor{
-			SPSSODescriptor{
+			{
 				XMLName: xml.Name{Space: "urn:oasis:names:tc:SAML:2.0:metadata", Local: "SPSSODescriptor"},
 				SSODescriptor: SSODescriptor{
 					RoleDescriptor: RoleDescriptor{
@@ -39,7 +36,7 @@ func (s *MetadataTest) TestCanParseMetadata(c *C) {
 				AuthnRequestsSigned:  &False,
 				WantAssertionsSigned: &False,
 				AssertionConsumerServices: []IndexedEndpoint{
-					IndexedEndpoint{
+					{
 						Binding:   "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 						Location:  "https://dev.aa.kndr.org/users/auth/saml/callback",
 						Index:     0,
@@ -47,10 +44,10 @@ func (s *MetadataTest) TestCanParseMetadata(c *C) {
 					},
 				},
 				AttributeConsumingServices: []AttributeConsumingService{
-					AttributeConsumingService{
+					{
 						Index:        1,
 						IsDefault:    &True,
-						ServiceNames: []LocalizedName{{Value: "Required attributes"}},
+						ServiceNames: []LocalizedName{{Lang: "en", Value: "Required attributes"}},
 						RequestedAttributes: []RequestedAttribute{
 							{
 								Attribute: Attribute{
@@ -85,11 +82,13 @@ func (s *MetadataTest) TestCanParseMetadata(c *C) {
 				},
 			},
 		},
-	})
+	}
+	assert.Check(t, is.DeepEqual(expected, metadata))
+
 }
 
-func (s *MetadataTest) TestCanProduceSPMetadata(c *C) {
-	c.Skip("broken")
+func TestCanProduceSPMetadata(t *testing.T) {
+	// TODO: LightStep - still broken? 	t.Skip("broken")
 	validUntil, _ := time.Parse("2006-02-01T15:04:05.000000", "2013-10-03T00:32:19.104000")
 	AuthnRequestsSigned := true
 	WantAssertionsSigned := true
@@ -98,7 +97,7 @@ func (s *MetadataTest) TestCanProduceSPMetadata(c *C) {
 		ValidUntil:    &validUntil,
 		CacheDuration: time.Hour,
 		SPSSODescriptors: []SPSSODescriptor{
-			SPSSODescriptor{
+			{
 				AuthnRequestsSigned:  &AuthnRequestsSigned,
 				WantAssertionsSigned: &WantAssertionsSigned,
 				SSODescriptor: SSODescriptor{
@@ -152,26 +151,6 @@ cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==`,
 	}
 
 	buf, err := xml.MarshalIndent(metadata, "", "  ")
-	c.Assert(err, IsNil)
-	c.Assert(string(buf), Equals, ""+
-		"<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2013-03-10T00:32:19.104Z\" cacheDuration=\"PT1H\" entityID=\"http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/\">\n"+
-		"  <SPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"0001-01-01T00:00:00Z\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\" AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\">\n"+
-		"    <KeyDescriptor use=\"encryption\">\n"+
-		"      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"+
-		"        <X509Data>\n"+
-		"          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE&#xA;CAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX&#xA;DTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x&#xA;EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308&#xA;kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv&#xA;SPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf&#xA;nqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv&#xA;TLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+&#xA;cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>\n"+
-		"        </X509Data>\n"+
-		"      </KeyInfo>\n"+
-		"    </KeyDescriptor>\n"+
-		"    <KeyDescriptor use=\"signing\">\n"+
-		"      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"+
-		"        <X509Data>\n"+
-		"          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE&#xA;CAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX&#xA;DTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x&#xA;EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308&#xA;kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv&#xA;SPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf&#xA;nqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv&#xA;TLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+&#xA;cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>\n"+
-		"        </X509Data>\n"+
-		"      </KeyInfo>\n"+
-		"    </KeyDescriptor>\n"+
-		"    <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/ls/\"></SingleLogoutService>\n"+
-		"    <AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/ls/\" index=\"1\"></AssertionConsumerService>\n"+
-		"  </SPSSODescriptor>\n"+
-		"</EntityDescriptor>")
+	assert.Check(t, err)
+	golden.Assert(t, string(buf), "TestCanProduceSPMetadata_expected")
 }
diff --git a/saml.go b/saml.go
index 101b7c15..2297b753 100644
--- a/saml.go
+++ b/saml.go
@@ -1,101 +1,155 @@
 // Package saml contains a partial implementation of the SAML standard in golang.
 // SAML is a standard for identity federation, i.e. either allowing a third party to authenticate your users or allowing third parties to rely on us to authenticate their users.
 //
+// Introduction
+//
 // In SAML parlance an Identity Provider (IDP) is a service that knows how to authenticate users. A Service Provider (SP) is a service that delegates authentication to an IDP. If you are building a service where users log in with someone else's credentials, then you are a Service Provider. This package supports implementing both service providers and identity providers.
 //
 // The core package contains the implementation of SAML. The package samlsp provides helper middleware suitable for use in Service Provider applications. The package samlidp provides a rudimentary IDP service that is useful for testing or as a starting point for other integrations.
 //
-// Getting Started as a Service Provider
+// Breaking Changes
 //
-// Let us assume we have a simple web appliation to protect. We'll modify this application so it uses SAML to authenticate users.
+// Version 0.4.0 introduces a few breaking changes to the _samlsp_ package in order to make the package more extensible, and to clean up the interfaces a bit. The default behavior remains the same, but you can now provide interface implementations of _RequestTracker_ (which tracks pending requests), _Session_ (which handles maintaining a session) and _OnError_ which handles reporting errors.
 //
-//     package main
+// Public fields of _samlsp.Middleware_ have changed, so some usages may require adjustment. See [issue 231](https://github.com/crewjam/saml/issues/231) for details.
 //
-//     import "net/http"
+// The option to provide an IDP metadata URL has been deprecated. Instead, we recommend that you use the `FetchMetadata()` function, or fetch the metadata yourself and use the new `ParseMetadata()` function, and pass the metadata in _samlsp.Options.IDPMetadata_.
 //
-//      func hello(w http.ResponseWriter, r *http.Request) {
-//         fmt.Fprintf(w, "Hello, World!")
-//     })
+// Similarly, the _HTTPClient_ field is now deprecated because it was only used for fetching metdata, which is no longer directly implemented.
 //
-//     func main() {
-//         app := http.HandlerFunc(hello)
-//         http.Handle("/hello", app)
-//         http.ListenAndServe(":8000", nil)
-//     }
+// The fields that manage how cookies are set are deprecated as well. To customize how cookies are managed, provide custom implementation of _RequestTracker_ and/or _Session_, perhaps by extending the default implementations.
 //
-// Each service provider must have an self-signed X.509 key pair established. You can generate your own with something like this:
+// The deprecated fields have not been removed from the Options structure, but will be in future.
 //
-//     openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com"
+// In particular we have deprecated the following fields in
+// _samlsp.Options_:
+//
+// - `Logger` - This was used to emit errors while validating, which is an anti-pattern.
+// - `IDPMetadataURL` - Instead use `FetchMetadata()`
+// - `HTTPClient` - Instead pass httpClient to FetchMetadata
+// - `CookieMaxAge` - Instead assign a custom CookieRequestTracker or CookieSessionProvider
+// - `CookieName` - Instead assign a custom CookieRequestTracker or CookieSessionProvider
+// - `CookieDomain` - Instead assign a custom CookieRequestTracker or CookieSessionProvider
+// - `CookieDomain` - Instead assign a custom CookieRequestTracker or CookieSessionProvider
+//
+// Getting Started as a Service Provider
 //
-// We will use `samlsp.Middleware` to wrap the endpoint we want to protect. Middleware provides both an `http.Handler` to serve the SAML specific URLs and a set of wrappers to require the user to be logged in. We also provide the URL where the service provider can fetch the metadata from the IDP at startup. In our case, we'll use [testshib.org](testshib.org), an identity provider designed for testing.
+// Let us assume we have a simple web application to protect. We'll modify this application so it uses SAML to authenticate users.
 //
-//     package main
+// ```golang
+// package main
 //
-//     import (
-//         "fmt"
-//         "io/ioutil"
-//         "net/http"
+// import (
+//     "fmt"
+//     "net/http"
+// )
 //
-//         "github.com/lightstep/saml/samlsp"
-//     )
+// func hello(w http.ResponseWriter, r *http.Request) {
+//     fmt.Fprintf(w, "Hello, World!")
+// }
 //
-//     func hello(w http.ResponseWriter, r *http.Request) {
-//         fmt.Fprintf(w, "Hello, %s!", r.Header.Get("X-Saml-Cn"))
-//     }
+// func main() {
+//     app := http.HandlerFunc(hello)
+//     http.Handle("/hello", app)
+//     http.ListenAndServe(":8000", nil)
+// }
+// ```
 //
-//     func main() {
-//         key, _ := ioutil.ReadFile("myservice.key")
-//         cert, _ := ioutil.ReadFile("myservice.cert")
-//         samlSP, _ := samlsp.New(samlsp.Options{
-//             IDPMetadataURL: "https://www.testshib.org/metadata/testshib-providers.xml",
-//             URL:            "http://localhost:8000",
-//             Key:            string(key),
-//             Certificate:    string(cert),
-//         })
-//         app := http.HandlerFunc(hello)
-//         http.Handle("/hello", samlSP.RequireAccount(app))
-//         http.Handle("/saml/", samlSP)
-//         http.ListenAndServe(":8000", nil)
-//     }
+// Each service provider must have an self-signed X.509 key pair established. You can generate your own with something like this:
 //
+//     openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com"
 //
-// Next we'll have to register our service provider with the identiy provider to establish trust from the service provider to the IDP. For [testshib.org](testshib.org), you can do something like:
+// We will use `samlsp.Middleware` to wrap the endpoint we want to protect. Middleware provides both an `http.Handler` to serve the SAML specific URLs and a set of wrappers to require the user to be logged in. We also provide the URL where the service provider can fetch the metadata from the IDP at startup. In our case, we'll use [samltest.id](https://samltest.id/), an identity provider designed for testing.
+//
+// ```golang
+// package main
+//
+// import (
+// 	"crypto/rsa"
+// 	"crypto/tls"
+// 	"crypto/x509"
+// 	"fmt"
+// 	"net/http"
+// 	"net/url"
+//
+// 	"github.com/lightstep/saml/samlsp"
+// )
+//
+// func hello(w http.ResponseWriter, r *http.Request) {
+// 	fmt.Fprintf(w, "Hello, %s!", samlsp.Token(r.Context()).Attributes.Get("cn"))
+// }
+//
+// func main() {
+// 	keyPair, err := tls.LoadX509KeyPair("myservice.cert", "myservice.key")
+// 	if err != nil {
+// 		panic(err) // TODO handle error
+// 	}
+// 	keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
+// 	if err != nil {
+// 		panic(err) // TODO handle error
+// 	}
+//
+// 	idpMetadataURL, err := url.Parse("https://samltest.id/saml/idp")
+// 	if err != nil {
+// 		panic(err) // TODO handle error
+// 	}
+//
+// 	rootURL, err := url.Parse("http://localhost:8000")
+// 	if err != nil {
+// 		panic(err) // TODO handle error
+// 	}
+//
+// 	samlSP, _ := samlsp.New(samlsp.Options{
+// 		URL:            *rootURL,
+// 		Key:            keyPair.PrivateKey.(*rsa.PrivateKey),
+// 		Certificate:    keyPair.Leaf,
+// 		IDPMetadataURL: idpMetadataURL,
+// 	})
+// 	app := http.HandlerFunc(hello)
+// 	http.Handle("/hello", samlSP.RequireAccount(app))
+// 	http.Handle("/saml/", samlSP)
+// 	http.ListenAndServe(":8000", nil)
+// }
+// ```
+//
+// Next we'll have to register our service provider with the identity provider to establish trust from the service provider to the IDP. For [samltest.id](https://samltest.id/), you can do something like:
 //
 //     mdpath=saml-test-$USER-$HOST.xml
 //     curl localhost:8000/saml/metadata > $mdpath
-//     curl -i -F userfile=@$mdpath https://www.testshib.org/procupload.php
+//
+// Navigate to https://samltest.id/upload.php and upload the file you fetched.
 //
 // Now you should be able to authenticate. The flow should look like this:
 //
 // 1. You browse to `localhost:8000/hello`
 //
-// 2. The middleware redirects you to `https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO`
+// 1. The middleware redirects you to `https://samltest.id/idp/profile/SAML2/Redirect/SSO`
 //
-// 3. testshib.org prompts you for a username and password.
+// 1. samltest.id prompts you for a username and password.
 //
-// 4. testshib.org returns you an HTML document which contains an HTML form setup to POST to `localhost:8000/saml/acs`. The form is automatically submitted if you have javascript enabled.
+// 1. samltest.id returns you an HTML document which contains an HTML form setup to POST to `localhost:8000/saml/acs`. The form is automatically submitted if you have javascript enabled.
 //
-// 5. The local service validates the response, issues a session cookie, and redirects you to the original URL, `localhost:8000/hello`.
+// 1. The local service validates the response, issues a session cookie, and redirects you to the original URL, `localhost:8000/hello`.
 //
-// 6. This time when `localhost:8000/hello` is requested there is a valid session and so the main content is served.
+// 1. This time when `localhost:8000/hello` is requested there is a valid session and so the main content is served.
 //
 // Getting Started as an Identity Provider
 //
-// Please see `examples/idp/` for a substantially complete example of how to use the library and helpers to be an identity provider.
+// Please see `example/idp/` for a substantially complete example of how to use the library and helpers to be an identity provider.
 //
 // Support
 //
 // The SAML standard is huge and complex with many dark corners and strange, unused features. This package implements the most commonly used subset of these features required to provide a single sign on experience. The package supports at least the subset of SAML known as [interoperable SAML](http://saml2int.org).
 //
-// This package supports the Web SSO profile. Message flows from the service provider to the IDP are supported using the HTTP Redirect binding and the HTTP POST binding. Message flows fromthe IDP to the service provider are supported vai the HTTP POST binding.
+// This package supports the Web SSO profile. Message flows from the service provider to the IDP are supported using the HTTP Redirect binding and the HTTP POST binding. Message flows from the IDP to the service provider are supported via the HTTP POST binding.
 //
-// The package supports signed and encrypted SAML assertions. It does not support signed or encrypted requests.
+// The package can produce signed SAML assertions, and can validate both signed and encrypted SAML assertions. It does not support signed or encrypted requests.
 //
 // RelayState
 //
-// The *RelayState* parameter allows you to pass user state information across the authentication flow. The most common use for this is to allow a user to request a deep link into your site, be redirected through the SAML login flow, and upon successful completion, be directed to the originally requested link, rather than the root.
+// The _RelayState_ parameter allows you to pass user state information across the authentication flow. The most common use for this is to allow a user to request a deep link into your site, be redirected through the SAML login flow, and upon successful completion, be directed to the originally requested link, rather than the root.
 //
-// Unfortunately, *RelayState* is less useful than it could be. Firstly, it is not authenticated, so anything you supply must be signed to avoid XSS or CSRF. Secondly, it is limited to 80 bytes in length, which precludes signing. (See section 3.6.3.1 of SAMLProfiles.)
+// Unfortunately, _RelayState_ is less useful than it could be. Firstly, it is not authenticated, so anything you supply must be signed to avoid XSS or CSRF. Secondly, it is limited to 80 bytes in length, which precludes signing. (See section 3.6.3.1 of SAMLProfiles.)
 //
 // References
 //
@@ -109,5 +163,9 @@
 //
 // - [SAMLConformance](http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf) includes a support matrix for various parts of the protocol.
 //
-// [TestShib](http://www.testshib.org/) is a testing ground for SAML service and identity providers.
+// [SAMLtest](https://samltest.id/) is a testing ground for SAML service and identity providers.
+//
+// Security Issues
+//
+// Please do not report security issues in the issue tracker. Rather, please contact me directly at ross@kndr.org ([PGP Key `78B6038B3B9DFB88`](https://keybase.io/crewjam)).
 package saml
diff --git a/saml_gen.go b/saml_gen.go
index c2bdb136..f85a04a2 100644
--- a/saml_gen.go
+++ b/saml_gen.go
@@ -1,3 +1,3 @@
 package saml
 
-//go:generate bash -c "(cat README.md | sed 's|^## ||g' | sed 's|\\*\\*||g' | sed 's|^|// |g'; echo 'package saml') > saml.go"
+//go:generate bash -c "(cat README.md | grep -E -v '^# SAML' | sed 's|^## ||g' | sed 's|\\*\\*||g' | sed 's|^|// |g'; echo 'package saml') > saml.go"
diff --git a/samlidp/samlidp.go b/samlidp/samlidp.go
index e13fe9e1..ae868d99 100644
--- a/samlidp/samlidp.go
+++ b/samlidp/samlidp.go
@@ -9,9 +9,10 @@ import (
 	"net/url"
 	"sync"
 
+	"github.com/zenazn/goji/web"
+
 	"github.com/lightstep/saml"
 	"github.com/lightstep/saml/logger"
-	"github.com/zenazn/goji/web"
 )
 
 // Options represent the parameters to New() for creating a new IDP server
diff --git a/samlidp/samlidp_test.go b/samlidp/samlidp_test.go
index 3a640361..00c0d730 100644
--- a/samlidp/samlidp_test.go
+++ b/samlidp/samlidp_test.go
@@ -2,6 +2,7 @@ package samlidp
 
 import (
 	"crypto"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"net/http"
@@ -11,18 +12,16 @@ import (
 	"testing"
 	"time"
 
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
 
-	"crypto/rsa"
+	"github.com/form3tech-oss/jwt-go"
 
 	"github.com/lightstep/saml"
 	"github.com/lightstep/saml/logger"
-	"github.com/dgrijalva/jwt-go"
 )
 
-// Hook up gocheck into the "go test" runner.
-func Test(t *testing.T) { TestingT(t) }
-
 type testRandomReader struct {
 	Next byte
 }
@@ -43,8 +42,8 @@ func mustParseURL(s string) url.URL {
 	return *rv
 }
 
-func mustParsePrivateKey(pemStr string) crypto.PrivateKey {
-	b, _ := pem.Decode([]byte(pemStr))
+func mustParsePrivateKey(pemStr []byte) crypto.PrivateKey {
+	b, _ := pem.Decode(pemStr)
 	if b == nil {
 		panic("cannot parse PEM")
 	}
@@ -55,8 +54,8 @@ func mustParsePrivateKey(pemStr string) crypto.PrivateKey {
 	return k
 }
 
-func mustParseCertificate(pemStr string) *x509.Certificate {
-	b, _ := pem.Decode([]byte(pemStr))
+func mustParseCertificate(pemStr []byte) *x509.Certificate {
+	b, _ := pem.Decode(pemStr)
 	if b == nil {
 		panic("cannot parse PEM")
 	}
@@ -78,9 +77,8 @@ type ServerTest struct {
 	Store       MemoryStore
 }
 
-var _ = Suite(&ServerTest{})
-
-func (test *ServerTest) SetUpTest(c *C) {
+func NewServerTest(t *testing.T) *ServerTest {
+	test := ServerTest{}
 	saml.TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Dec 1 01:57:09 UTC 2015")
 		return rv
@@ -88,46 +86,17 @@ func (test *ServerTest) SetUpTest(c *C) {
 	jwt.TimeFunc = saml.TimeNow
 	saml.RandReader = &testRandomReader{}
 
-	test.SPKey = mustParsePrivateKey(`-----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi
-3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E
-PsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB
-AoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ
-CT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS
-JEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU
-N3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/
-fbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU
-4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM
-Rq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA
-yfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr
-vBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6
-hU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==
------END RSA PRIVATE KEY-----
-`).(*rsa.PrivateKey)
-	test.SPCertificate = mustParseCertificate(`-----BEGIN CERTIFICATE-----
-MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV
-UzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0
-MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx
-CzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
-nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9
-ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH
-O8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv
-Rsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk
-akpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT
-QLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn
-OwJlNCASPZRH/JmF8tX0hoHuAQ==
------END CERTIFICATE-----
-`)
+	test.SPKey = mustParsePrivateKey(golden.Get(t, "sp_key.pem")).(*rsa.PrivateKey)
+	test.SPCertificate = mustParseCertificate(golden.Get(t, "sp_cert.pem"))
 	test.SP = saml.ServiceProvider{
 		Key:         test.SPKey,
 		Certificate: test.SPCertificate,
 		MetadataURL: mustParseURL("https://sp.example.com/saml2/metadata"),
 		AcsURL:      mustParseURL("https://sp.example.com/saml2/acs"),
 		IDPMetadata: &saml.EntityDescriptor{},
-		Logger:      logger.DefaultLogger,
 	}
-	test.Key = mustParsePrivateKey("-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi\n3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E\nPsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB\nAoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ\nCT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS\nJEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU\nN3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/\nfbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU\n4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM\nRq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA\nyfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr\nvBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6\nhU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==\n-----END RSA PRIVATE KEY-----\n")
-	test.Certificate = mustParseCertificate("-----BEGIN CERTIFICATE-----\nMIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV\nUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0\nMB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx\nCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB\nnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9\nibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH\nO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv\nRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk\nakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT\nQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn\nOwJlNCASPZRH/JmF8tX0hoHuAQ==\n-----END CERTIFICATE-----\n")
+	test.Key = mustParsePrivateKey(golden.Get(t, "idp_key.pem")).(*rsa.PrivateKey)
+	test.Certificate = mustParseCertificate(golden.Get(t, "idp_cert.pem"))
 
 	test.Store = MemoryStore{}
 
@@ -139,27 +108,38 @@ OwJlNCASPZRH/JmF8tX0hoHuAQ==
 		Store:       &test.Store,
 		URL:         url.URL{Scheme: "https", Host: "idp.example.com"},
 	})
-	c.Assert(err, IsNil)
+	if err != nil {
+		panic(err)
+	}
 
 	test.SP.IDPMetadata = test.Server.IDP.Metadata()
 	test.Server.serviceProviders["https://sp.example.com/saml2/metadata"] = test.SP.Metadata()
+	return &test
 }
 
-func (test *ServerTest) TestHTTPCanHandleMetadataRequest(c *C) {
+func TestHTTPCanHandleMetadataRequest(t *testing.T) {
+	test := NewServerTest(t)
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/metadata", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(strings.HasPrefix(string(w.Body.Bytes()), "<EntityDescriptor"), Equals, true)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t,
+		strings.HasPrefix(string(w.Body.Bytes()), "<EntityDescriptor"),
+		string(w.Body.Bytes()))
+	golden.Assert(t, w.Body.String(), "http_metadata_response.html")
 }
 
-func (test *ServerTest) TestHTTPCanSSORequest(c *C) {
+func TestHTTPCanSSORequest(t *testing.T) {
+	test := NewServerTest(t)
 	u, err := test.SP.MakeRedirectAuthenticationRequest("frob")
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", u.String(), nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(strings.HasPrefix(string(w.Body.Bytes()), "<html><p></p><form method=\"post\" action=\"https://idp.example.com/sso\">"), Equals, true)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t,
+		strings.HasPrefix(string(w.Body.Bytes()), "<html><p></p><form method=\"post\" action=\"https://idp.example.com/sso\">"),
+		string(w.Body.Bytes()))
+	golden.Assert(t, w.Body.String(), "http_sso_response.html")
 }
diff --git a/samlidp/service.go b/samlidp/service.go
index afe7af89..cbb1c96f 100644
--- a/samlidp/service.go
+++ b/samlidp/service.go
@@ -7,8 +7,9 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/lightstep/saml"
 	"github.com/zenazn/goji/web"
+
+	"github.com/lightstep/saml"
 )
 
 // Service represents a configured SP for whom this IDP provides authentication services.
diff --git a/samlidp/service_test.go b/samlidp/service_test.go
index 35c584ab..57e7c4d4 100644
--- a/samlidp/service_test.go
+++ b/samlidp/service_test.go
@@ -1,50 +1,54 @@
 package samlidp
 
 import (
+	"bytes"
 	"net/http"
 	"net/http/httptest"
-	"strings"
+	"testing"
 
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
 )
 
-const spMetadata = "<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2015-12-03T01:57:09Z\" entityID=\"https://example.com/saml2/metadata\"><SPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"0001-01-01T00:00:00Z\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\" AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\"><KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate></X509Data></KeyInfo></KeyDescriptor><KeyDescriptor use=\"encryption\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate></X509Data></KeyInfo><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod></KeyDescriptor><AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://example.com/saml2/acs\" index=\"1\"></AssertionConsumerService></SPSSODescriptor></EntityDescriptor>"
+func TestServicesCrud(t *testing.T) {
+	test := NewServerTest(t)
 
-func (test *ServerTest) TestServicesCrud(c *C) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/services/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"services\":[]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"services\":[]}\n", string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
-	r, _ = http.NewRequest("PUT", "https://idp.example.com/services/sp", strings.NewReader(spMetadata))
+	r, _ = http.NewRequest("PUT", "https://idp.example.com/services/sp",
+		bytes.NewReader(golden.Get(t, "sp_metadata.xml")))
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/services/sp", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, spMetadata)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	golden.Assert(t, w.Body.String(), "sp_metadata.xml")
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/services/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"services\":[\"sp\"]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"services\":[\"sp\"]}\n", string(w.Body.Bytes())))
 
-	c.Assert(test.Server.serviceProviders, HasLen, 2)
+	assert.Check(t, is.Len(test.Server.serviceProviders, 2))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("DELETE", "https://idp.example.com/services/sp", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/services/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"services\":[]}\n")
-	c.Assert(test.Server.serviceProviders, HasLen, 1)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"services\":[]}\n", string(w.Body.Bytes())))
+	assert.Check(t, is.Len(test.Server.serviceProviders, 1))
 }
diff --git a/samlidp/session.go b/samlidp/session.go
index bb975fde..10ed05d1 100644
--- a/samlidp/session.go
+++ b/samlidp/session.go
@@ -9,10 +9,10 @@ import (
 	"text/template"
 	"time"
 
+	"github.com/zenazn/goji/web"
 	"golang.org/x/crypto/bcrypt"
 
 	"github.com/lightstep/saml"
-	"github.com/zenazn/goji/web"
 )
 
 var sessionMaxAge = time.Hour
@@ -47,16 +47,18 @@ func (s *Server) GetSession(w http.ResponseWriter, r *http.Request, req *saml.Id
 		}
 
 		session := &saml.Session{
-			ID:             base64.StdEncoding.EncodeToString(randomBytes(32)),
-			CreateTime:     saml.TimeNow(),
-			ExpireTime:     saml.TimeNow().Add(sessionMaxAge),
-			Index:          hex.EncodeToString(randomBytes(32)),
-			UserName:       user.Name,
-			Groups:         user.Groups[:],
-			UserEmail:      user.Email,
-			UserCommonName: user.CommonName,
-			UserSurname:    user.Surname,
-			UserGivenName:  user.GivenName,
+			ID:                    base64.StdEncoding.EncodeToString(randomBytes(32)),
+			NameID:                user.Email,
+			CreateTime:            saml.TimeNow(),
+			ExpireTime:            saml.TimeNow().Add(sessionMaxAge),
+			Index:                 hex.EncodeToString(randomBytes(32)),
+			UserName:              user.Name,
+			Groups:                user.Groups[:],
+			UserEmail:             user.Email,
+			UserCommonName:        user.CommonName,
+			UserSurname:           user.Surname,
+			UserGivenName:         user.GivenName,
+			UserScopedAffiliation: user.ScopedAffiliation,
 		}
 		if err := s.Store.Put(fmt.Sprintf("/sessions/%s", session.ID), &session); err != nil {
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -67,7 +69,8 @@ func (s *Server) GetSession(w http.ResponseWriter, r *http.Request, req *saml.Id
 			Name:     "session",
 			Value:    session.ID,
 			MaxAge:   int(sessionMaxAge.Seconds()),
-			HttpOnly: false,
+			HttpOnly: true,
+			Secure:   r.URL.Scheme == "https",
 			Path:     "/",
 		})
 		return session
diff --git a/samlidp/session_test.go b/samlidp/session_test.go
index f5ec5f75..d24684f3 100644
--- a/samlidp/session_test.go
+++ b/samlidp/session_test.go
@@ -4,57 +4,63 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"strings"
+	"testing"
 
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
-func (test *ServerTest) TestSessionsCrud(c *C) {
+func TestSessionsCrud(t *testing.T) {
+	test := NewServerTest(t)
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/sessions/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"sessions\":[]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"sessions\":[]}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("PUT", "https://idp.example.com/users/alice",
 		strings.NewReader(`{"name": "alice", "password": "hunter2"}`+"\n"))
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("POST", "https://idp.example.com/login",
 		strings.NewReader("user=alice&password=hunter2"))
 	r.Header.Set("Content-type", "application/x-www-form-urlencoded")
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(w.Header().Get("Set-Cookie"), Equals, "session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=; Path=/; Max-Age=3600")
-	c.Assert(string(w.Body.Bytes()), Equals,
-		"{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\"}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=; Path=/; Max-Age=3600; HttpOnly; Secure",
+		w.Header().Get("Set-Cookie")))
+	assert.Check(t, is.Equal("{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\",\"UserScopedAffiliation\":\"\",\"CustomAttributes\":null}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/login", nil)
 	r.Header.Set("Cookie", "session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=")
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals,
-		"{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\"}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\",\"UserScopedAffiliation\":\"\",\"CustomAttributes\":null}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/sessions/AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals,
-		"{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\"}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\",\"UserScopedAffiliation\":\"\",\"CustomAttributes\":null}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("DELETE", "https://idp.example.com/sessions/AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/sessions/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"sessions\":[]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"sessions\":[]}\n",
+		string(w.Body.Bytes())))
 
 }
diff --git a/samlidp/shortcut_test.go b/samlidp/shortcut_test.go
index 4c3b37d6..7a15f148 100644
--- a/samlidp/shortcut_test.go
+++ b/samlidp/shortcut_test.go
@@ -4,73 +4,86 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"strings"
+	"testing"
 
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
-func (test *ServerTest) TestShortcutsCrud(c *C) {
+func TestShortcutsCrud(t *testing.T) {
+	test := NewServerTest(t)
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/shortcuts/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"shortcuts\":[]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"shortcuts\":[]}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("PUT", "https://idp.example.com/shortcuts/bob",
 		strings.NewReader("{\"url_suffix_as_relay_state\": true, \"service_provider\": \"https://example.com/saml2/metadata\"}"))
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/shortcuts/bob", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"name\":\"bob\",\"service_provider\":\"https://example.com/saml2/metadata\",\"url_suffix_as_relay_state\":true}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"name\":\"bob\",\"service_provider\":\"https://example.com/saml2/metadata\",\"url_suffix_as_relay_state\":true}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/shortcuts/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"shortcuts\":[\"bob\"]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"shortcuts\":[\"bob\"]}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("DELETE", "https://idp.example.com/shortcuts/bob", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/shortcuts/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"shortcuts\":[]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"shortcuts\":[]}\n",
+		string(w.Body.Bytes())))
 }
 
-func (test *ServerTest) TestShortcut(c *C) {
+func TestShortcut(t *testing.T) {
+	test := NewServerTest(t)
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("PUT", "https://idp.example.com/shortcuts/bob",
 		strings.NewReader("{\"url_suffix_as_relay_state\": true, \"service_provider\": \"https://sp.example.com/saml2/metadata\"}"))
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("PUT", "https://idp.example.com/users/alice",
 		strings.NewReader(`{"name": "alice", "password": "hunter2"}`+"\n"))
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("POST", "https://idp.example.com/login",
 		strings.NewReader("user=alice&password=hunter2"))
 	r.Header.Set("Content-type", "application/x-www-form-urlencoded")
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/login/bob/whoami", nil)
 	r.Header.Set("Cookie", "session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=")
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
 	body := string(w.Body.Bytes())
-	c.Assert(strings.Contains(body, "<input type=\"hidden\" name=\"RelayState\" value=\"/whoami\" />"), Equals, true)
-	c.Assert(strings.Contains(body, "<script>document.getElementById('SAMLResponseForm').submit();</script>"), Equals, true)
+
+	assert.Check(t, strings.Contains(body,
+		"<input type=\"hidden\" name=\"RelayState\" value=\"/whoami\" />"),
+		body)
+	assert.Check(t, strings.Contains(body,
+		"<script>document.getElementById('SAMLResponseForm').submit();</script>"),
+		body)
 }
diff --git a/samlidp/testdata/http_metadata_response.html b/samlidp/testdata/http_metadata_response.html
new file mode 100644
index 00000000..e204fd3e
--- /dev/null
+++ b/samlidp/testdata/http_metadata_response.html
@@ -0,0 +1,25 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" cacheDuration="PT48H" entityID="https://idp.example.com/metadata">
+  <IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <KeyDescriptor use="signing">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+    </KeyDescriptor>
+    <KeyDescriptor use="encryption">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
+    </KeyDescriptor>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"></SingleSignOnService>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso"></SingleSignOnService>
+  </IDPSSODescriptor>
+</EntityDescriptor>
\ No newline at end of file
diff --git a/samlidp/testdata/http_sso_response.html b/samlidp/testdata/http_sso_response.html
new file mode 100644
index 00000000..ea0f60f6
--- /dev/null
+++ b/samlidp/testdata/http_sso_response.html
@@ -0,0 +1 @@
+<html><p></p><form method="post" action="https://idp.example.com/sso"><input type="text" name="user" placeholder="user" value="" /><input type="password" name="password" placeholder="password" value="" /><input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iaWQtMDAwMjA0MDYwODBhMGMwZTEwMTIxNDE2MTgxYTFjMWUyMDIyMjQyNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTItMDFUMDE6NTc6MDlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9pZHAuZXhhbXBsZS5jb20vc3NvIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vc3AuZXhhbXBsZS5jb20vc2FtbDIvYWNzIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiPjxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cHM6Ly9zcC5leGFtcGxlLmNvbS9zYW1sMi9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI+PHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgQWxsb3dDcmVhdGU9InRydWUiLz48L3NhbWxwOkF1dGhuUmVxdWVzdD4=" /><input type="hidden" name="RelayState" value="frob" /><input type="submit" value="Log In" /></form></html>
\ No newline at end of file
diff --git a/samlidp/testdata/idp_cert.pem b/samlidp/testdata/idp_cert.pem
new file mode 100644
index 00000000..cba15632
--- /dev/null
+++ b/samlidp/testdata/idp_cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0
+MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9
+ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH
+O8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv
+Rsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk
+akpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT
+QLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn
+OwJlNCASPZRH/JmF8tX0hoHuAQ==
+-----END CERTIFICATE-----
diff --git a/samlidp/testdata/idp_key.pem b/samlidp/testdata/idp_key.pem
new file mode 100644
index 00000000..c4530a84
--- /dev/null
+++ b/samlidp/testdata/idp_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi
+3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E
+PsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB
+AoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ
+CT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS
+JEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU
+N3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/
+fbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU
+4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM
+Rq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA
+yfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr
+vBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6
+hU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==
+-----END RSA PRIVATE KEY-----
diff --git a/samlidp/testdata/sp_cert.pem b/samlidp/testdata/sp_cert.pem
new file mode 100644
index 00000000..52667ef3
--- /dev/null
+++ b/samlidp/testdata/sp_cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0
+MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9
+ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH
+O8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv
+Rsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk
+akpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT
+QLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn
+OwJlNCASPZRH/JmF8tX0hoHuAQ==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/samlidp/testdata/sp_key.pem b/samlidp/testdata/sp_key.pem
new file mode 100644
index 00000000..48284dac
--- /dev/null
+++ b/samlidp/testdata/sp_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi
+3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E
+PsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB
+AoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ
+CT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS
+JEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU
+N3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/
+fbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU
+4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM
+Rq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA
+yfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr
+vBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6
+hU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/samlidp/testdata/sp_metadata.xml b/samlidp/testdata/sp_metadata.xml
new file mode 100644
index 00000000..f5cef423
--- /dev/null
+++ b/samlidp/testdata/sp_metadata.xml
@@ -0,0 +1 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" entityID="https://example.com/saml2/metadata"><SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="0001-01-01T00:00:00Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true"><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate></X509Data></KeyInfo></KeyDescriptor><KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate></X509Data></KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod></KeyDescriptor><AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml2/acs" index="1"></AssertionConsumerService></SPSSODescriptor></EntityDescriptor>
\ No newline at end of file
diff --git a/samlidp/user.go b/samlidp/user.go
index 23751020..46d1a964 100644
--- a/samlidp/user.go
+++ b/samlidp/user.go
@@ -20,6 +20,7 @@ type User struct {
 	CommonName        string   `json:"common_name,omitempty"`
 	Surname           string   `json:"surname,omitempty"`
 	GivenName         string   `json:"given_name,omitempty"`
+	ScopedAffiliation string   `json:"scoped_affiliation,omitempty"`
 }
 
 // HandleListUsers handles the `GET /users/` request and responds with a JSON formatted list
diff --git a/samlidp/user_test.go b/samlidp/user_test.go
index 8d45842c..ecac3459 100644
--- a/samlidp/user_test.go
+++ b/samlidp/user_test.go
@@ -4,43 +4,46 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"strings"
+	"testing"
 
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
-func (test *ServerTest) TestUsersCrud(c *C) {
+func TestUsersCrud(t *testing.T) {
+	test := NewServerTest(t)
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/users/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"users\":[]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"users\":[]}\n", string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("PUT", "https://idp.example.com/users/alice",
 		strings.NewReader(`{"name": "alice", "password": "hunter2"}`+"\n"))
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/users/alice", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"name\":\"alice\"}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"name\":\"alice\"}\n", string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/users/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"users\":[\"alice\"]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"users\":[\"alice\"]}\n", string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("DELETE", "https://idp.example.com/users/alice", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusNoContent)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/users/", nil)
 	test.Server.ServeHTTP(w, r)
-	c.Assert(w.Code, Equals, http.StatusOK)
-	c.Assert(string(w.Body.Bytes()), Equals, "{\"users\":[]}\n")
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"users\":[]}\n", string(w.Body.Bytes())))
 }
diff --git a/samlidp/util.go b/samlidp/util.go
index eb2d29ec..3352ecdb 100644
--- a/samlidp/util.go
+++ b/samlidp/util.go
@@ -1,13 +1,13 @@
 package samlidp
 
 import (
-	"errors"
-	"io/ioutil"
-
+	"bytes"
 	"encoding/xml"
-
+	"errors"
 	"io"
 
+	xrv "github.com/mattermost/xml-roundtrip-validator"
+
 	"github.com/lightstep/saml"
 )
 
@@ -20,19 +20,20 @@ func randomBytes(n int) []byte {
 }
 
 func getSPMetadata(r io.Reader) (spMetadata *saml.EntityDescriptor, err error) {
-	var bytes []byte
-
-	if bytes, err = ioutil.ReadAll(r); err != nil {
+	var data []byte
+	if data, err = io.ReadAll(r); err != nil {
 		return nil, err
 	}
 
 	spMetadata = &saml.EntityDescriptor{}
+	if err := xrv.Validate(bytes.NewBuffer(data)); err != nil {
+		return nil, err
+	}
 
-	if err := xml.Unmarshal(bytes, &spMetadata); err != nil {
+	if err := xml.Unmarshal(data, &spMetadata); err != nil {
 		if err.Error() == "expected element type <EntityDescriptor> but have <EntitiesDescriptor>" {
 			entities := &saml.EntitiesDescriptor{}
-
-			if err := xml.Unmarshal(bytes, &entities); err != nil {
+			if err := xml.Unmarshal(data, &entities); err != nil {
 				return nil, err
 			}
 
diff --git a/samlidp/util_test.go b/samlidp/util_test.go
new file mode 100644
index 00000000..4bc25a8a
--- /dev/null
+++ b/samlidp/util_test.go
@@ -0,0 +1,23 @@
+package samlidp
+
+import (
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestGetSPMetadata(t *testing.T) {
+	good := "" +
+		"<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2013-03-10T00:32:19.104Z\" cacheDuration=\"PT1H\" entityID=\"http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/\">\n" +
+		"</EntityDescriptor>"
+	_, err := getSPMetadata(strings.NewReader(good))
+	assert.Check(t, err)
+
+	bad := "" +
+		"<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" ::attr=\"foo\" validUntil=\"2013-03-10T00:32:19.104Z\" cacheDuration=\"PT1H\" entityID=\"http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/\">\n" +
+		"</EntityDescriptor>"
+	_, err = getSPMetadata(strings.NewReader(bad))
+	assert.Check(t, is.Error(err, "validator: in token starting at 1:1: roundtrip error: expected {{ EntityDescriptor} [{{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{ :attr} foo} {{ validUntil} 2013-03-10T00:32:19.104Z} {{ cacheDuration} PT1H} {{ entityID} http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/}]}, observed {{ EntityDescriptor} [{{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{ attr} foo} {{ validUntil} 2013-03-10T00:32:19.104Z} {{ cacheDuration} PT1H} {{ entityID} http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/}]}"))
+}
diff --git a/samlsp/error.go b/samlsp/error.go
new file mode 100644
index 00000000..88c8d091
--- /dev/null
+++ b/samlsp/error.go
@@ -0,0 +1,25 @@
+package samlsp
+
+import (
+	"log"
+	"net/http"
+
+	"github.com/lightstep/saml"
+)
+
+// ErrorFunction is a callback that is invoked to return an error to the
+// web user.
+type ErrorFunction func(w http.ResponseWriter, r *http.Request, err error)
+
+// DefaultOnError is the default ErrorFunction implementation. It prints
+// an message via the standard log package and returns a simple text
+// "Forbidden" message to the user.
+func DefaultOnError(w http.ResponseWriter, r *http.Request, err error) {
+	if parseErr, ok := err.(*saml.InvalidResponseError); ok {
+		log.Printf("WARNING: received invalid saml response: %s (now: %s) %s",
+			parseErr.Response, parseErr.Now, parseErr.PrivateErr)
+	} else {
+		log.Printf("ERROR: %s", err)
+	}
+	http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+}
diff --git a/samlsp/fetch_metadata.go b/samlsp/fetch_metadata.go
new file mode 100644
index 00000000..841242bc
--- /dev/null
+++ b/samlsp/fetch_metadata.go
@@ -0,0 +1,75 @@
+package samlsp
+
+import (
+	"bytes"
+	"context"
+	"encoding/xml"
+	"errors"
+	"io"
+	"net/http"
+	"net/url"
+
+	"github.com/crewjam/httperr"
+	xrv "github.com/mattermost/xml-roundtrip-validator"
+
+	"github.com/lightstep/saml"
+)
+
+// ParseMetadata parses arbitrary SAML IDP metadata.
+//
+// Note: this is needed because IDP metadata is sometimes wrapped in
+// an <EntitiesDescriptor>, and sometimes the top level element is an
+// <EntityDescriptor>.
+func ParseMetadata(data []byte) (*saml.EntityDescriptor, error) {
+	entity := &saml.EntityDescriptor{}
+
+	if err := xrv.Validate(bytes.NewBuffer(data)); err != nil {
+		return nil, err
+	}
+
+	err := xml.Unmarshal(data, entity)
+
+	// this comparison is ugly, but it is how the error is generated in encoding/xml
+	if err != nil && err.Error() == "expected element type <EntityDescriptor> but have <EntitiesDescriptor>" {
+		entities := &saml.EntitiesDescriptor{}
+		if err := xml.Unmarshal(data, entities); err != nil {
+			return nil, err
+		}
+
+		for i, e := range entities.EntityDescriptors {
+			if len(e.IDPSSODescriptors) > 0 {
+				return &entities.EntityDescriptors[i], nil
+			}
+		}
+		return nil, errors.New("no entity found with IDPSSODescriptor")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return entity, nil
+}
+
+// FetchMetadata returns metadata from an IDP metadata URL.
+func FetchMetadata(ctx context.Context, httpClient *http.Client, metadataURL url.URL) (*saml.EntityDescriptor, error) {
+	req, err := http.NewRequest("GET", metadataURL.String(), nil)
+	if err != nil {
+		return nil, err
+	}
+	req = req.WithContext(ctx)
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		return nil, httperr.Response(*resp)
+	}
+
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return ParseMetadata(data)
+}
diff --git a/samlsp/fetch_metadata_test.go b/samlsp/fetch_metadata_test.go
new file mode 100644
index 00000000..2bc2caf1
--- /dev/null
+++ b/samlsp/fetch_metadata_test.go
@@ -0,0 +1,46 @@
+package samlsp
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestFetchMetadata(t *testing.T) {
+	test := NewMiddlewareTest(t)
+
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Check(t, is.Equal("/metadata", r.URL.String()))
+		w.Write(test.IDPMetadata)
+	}))
+
+	fmt.Println(testServer.URL + "/metadata")
+	u, _ := url.Parse(testServer.URL + "/metadata")
+	md, err := FetchMetadata(context.Background(), testServer.Client(), *u)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("https://idp.testshib.org/idp/shibboleth", md.EntityID))
+}
+
+func TestFetchMetadataRejectsInvalid(t *testing.T) {
+	test := NewMiddlewareTest(t)
+	test.IDPMetadata = bytes.Replace(test.IDPMetadata,
+		[]byte("<EntityDescriptor "), []byte("<EntityDescriptor ::foo=\"bar\""), -1)
+
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Check(t, is.Equal("/metadata", r.URL.String()))
+		w.Write(test.IDPMetadata)
+	}))
+
+	fmt.Println(testServer.URL + "/metadata")
+	u, _ := url.Parse(testServer.URL + "/metadata")
+	md, err := FetchMetadata(context.Background(), testServer.Client(), *u)
+	assert.Check(t, is.Error(err, "validator: in token starting at 2:1: roundtrip error: expected {{ EntityDescriptor} [{{ :foo} bar} {{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{xmlns ds} http://www.w3.org/2000/09/xmldsig#} {{xmlns mdalg} urn:oasis:names:tc:SAML:metadata:algsupport} {{xmlns mdui} urn:oasis:names:tc:SAML:metadata:ui} {{xmlns shibmd} urn:mace:shibboleth:metadata:1.0} {{xmlns xsi} http://www.w3.org/2001/XMLSchema-instance} {{ Name} urn:mace:shibboleth:testshib:two} {{ entityID} https://idp.testshib.org/idp/shibboleth}]}, observed {{ EntityDescriptor} [{{ foo} bar} {{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{xmlns ds} http://www.w3.org/2000/09/xmldsig#} {{xmlns mdalg} urn:oasis:names:tc:SAML:metadata:algsupport} {{xmlns mdui} urn:oasis:names:tc:SAML:metadata:ui} {{xmlns shibmd} urn:mace:shibboleth:metadata:1.0} {{xmlns xsi} http://www.w3.org/2001/XMLSchema-instance} {{ Name} urn:mace:shibboleth:testshib:two} {{ entityID} https://idp.testshib.org/idp/shibboleth} {{ entityID} https://idp.testshib.org/idp/shibboleth}]}"))
+	assert.Check(t, is.Nil(md))
+}
diff --git a/samlsp/middleware.go b/samlsp/middleware.go
index 91a48c7a..022726e3 100644
--- a/samlsp/middleware.go
+++ b/samlsp/middleware.go
@@ -1,16 +1,10 @@
 package samlsp
 
 import (
-	"crypto/x509"
-	"encoding/base64"
 	"encoding/xml"
-	"fmt"
 	"net/http"
-	"strings"
-	"time"
 
 	"github.com/lightstep/saml"
-	"github.com/dgrijalva/jwt-go"
 )
 
 // Middleware implements middleware than allows a web application
@@ -19,10 +13,10 @@ import (
 // It implements http.Handler so that it can provide the metadata and ACS endpoints,
 // typically /saml/metadata and /saml/acs, respectively.
 //
-// It also provides middleware, RequireAccount which redirects users to
+// It also provides middleware RequireAccount which redirects users to
 // the auth process if they do not have session credentials.
 //
-// When redirecting the user through the SAML auth flow, the middlware assigns
+// When redirecting the user through the SAML auth flow, the middleware assigns
 // a temporary cookie with a random name beginning with "saml_". The value of
 // the cookie is a signed JSON Web Token containing the original URL requested
 // and the SAML request ID. The random part of the name corresponds to the
@@ -36,35 +30,20 @@ import (
 // cookie once the SAML flow has succeeded. The JWT token contains the
 // authenticated attributes from the SAML assertion.
 //
-// When the middlware receives a request with a valid session JWT it extracts
-// the SAML attributes and modifies the http.Request object adding headers
-// corresponding to the specified attributes. For example, if the attribute
-// "cn" were present in the initial assertion with a value of "Alice Smith",
-// then a corresponding header "X-Saml-Cn" will be added to the request with
-// a value of "Alice Smith". For safety, the middleware strips out any existing
-// headers that begin with "X-Saml-".
+// When the middleware receives a request with a valid session JWT it extracts
+// the SAML attributes and modifies the http.Request object adding a Context
+// object to the request context that contains attributes from the initial
+// SAML assertion.
 //
 // When issuing JSON Web Tokens, a signing key is required. Because the
 // SAML service provider already has a private key, we borrow that key
 // to sign the JWTs as well.
 type Middleware struct {
-	ServiceProvider   saml.ServiceProvider
-	AllowIDPInitiated bool
-	CookieName        string
-	CookieMaxAge      time.Duration
-}
-
-const defaultCookieMaxAge = time.Hour
-const defaultCookieName = "token"
-
-var jwtSigningMethod = jwt.SigningMethodHS256
-
-func randomBytes(n int) []byte {
-	rv := make([]byte, n)
-	if _, err := saml.RandReader.Read(rv); err != nil {
-		panic(err)
-	}
-	return rv
+	ServiceProvider saml.ServiceProvider
+	OnError         func(w http.ResponseWriter, r *http.Request, err error)
+	Binding         string // either saml.HTTPPostBinding or saml.HTTPRedirectBinding
+	RequestTracker  RequestTracker
+	Session         SessionProvider
 }
 
 // ServeHTTP implements http.Handler and serves the SAML-specific HTTP endpoints
@@ -72,279 +51,161 @@ func randomBytes(n int) []byte {
 // m.ServiceProvider.AcsURL.
 func (m *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if r.URL.Path == m.ServiceProvider.MetadataURL.Path {
-		buf, _ := xml.MarshalIndent(m.ServiceProvider.Metadata(), "", "  ")
-		w.Header().Set("Content-Type", "application/samlmetadata+xml")
-		w.Write(buf)
+		m.ServeMetadata(w, r)
 		return
 	}
 
 	if r.URL.Path == m.ServiceProvider.AcsURL.Path {
-		r.ParseForm()
-		assertion, err := m.ServiceProvider.ParseResponse(r, m.getPossibleRequestIDs(r))
-		if err != nil {
-			if parseErr, ok := err.(*saml.InvalidResponseError); ok {
-				m.ServiceProvider.Logger.Printf("RESPONSE: ===\n%s\n===\nNOW: %s\nERROR: %s",
-					parseErr.Response, parseErr.Now, parseErr.PrivateErr)
-			}
-			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
-			return
-		}
-
-		m.Authorize(w, r, assertion)
+		m.ServeACS(w, r)
 		return
 	}
 
 	http.NotFoundHandler().ServeHTTP(w, r)
 }
 
+// ServeMetadata handles requests for the SAML metadata endpoint.
+func (m *Middleware) ServeMetadata(w http.ResponseWriter, r *http.Request) {
+	buf, _ := xml.MarshalIndent(m.ServiceProvider.Metadata(), "", "  ")
+	w.Header().Set("Content-Type", "application/samlmetadata+xml")
+	w.Write(buf)
+	return
+}
+
+// ServeACS handles requests for the SAML ACS endpoint.
+func (m *Middleware) ServeACS(w http.ResponseWriter, r *http.Request) {
+	r.ParseForm()
+
+	possibleRequestIDs := []string{}
+	if m.ServiceProvider.AllowIDPInitiated {
+		possibleRequestIDs = append(possibleRequestIDs, "")
+	}
+
+	trackedRequests := m.RequestTracker.GetTrackedRequests(r)
+	for _, tr := range trackedRequests {
+		possibleRequestIDs = append(possibleRequestIDs, tr.SAMLRequestID)
+	}
+
+	assertion, err := m.ServiceProvider.ParseResponse(r, possibleRequestIDs)
+	if err != nil {
+		m.OnError(w, r, err)
+		return
+	}
+
+	m.CreateSessionFromAssertion(w, r, assertion)
+	return
+}
+
 // RequireAccount is HTTP middleware that requires that each request be
 // associated with a valid session. If the request is not associated with a valid
-// session, then rather than serve the request, the middlware redirects the user
+// session, then rather than serve the request, the middleware redirects the user
 // to start the SAML auth flow.
 func (m *Middleware) RequireAccount(handler http.Handler) http.Handler {
-	fn := func(w http.ResponseWriter, r *http.Request) {
-		if m.IsAuthorized(r) {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		session, err := m.Session.GetSession(r)
+		if session != nil {
+			r = r.WithContext(ContextWithSession(r.Context(), session))
 			handler.ServeHTTP(w, r)
 			return
 		}
-
-		// If we try to redirect when the original request is the ACS URL we'll
-		// end up in a loop. This is a programming error, so we panic here. In
-		// general this means a 500 to the user, which is preferable to a
-		// redirect loop.
-		if r.URL.Path == m.ServiceProvider.AcsURL.Path {
-			panic("don't wrap Middleware with RequireAccount")
+		if err == ErrNoSession {
+			m.HandleStartAuthFlow(w, r)
+			return
 		}
 
-		binding := saml.HTTPRedirectBinding
-		bindingLocation := m.ServiceProvider.GetSSOBindingLocation(binding)
+		m.OnError(w, r, err)
+		return
+	})
+}
+
+// HandleStartAuthFlow is called to start the SAML authentication process.
+func (m *Middleware) HandleStartAuthFlow(w http.ResponseWriter, r *http.Request) {
+	// If we try to redirect when the original request is the ACS URL we'll
+	// end up in a loop. This is a programming error, so we panic here. In
+	// general this means a 500 to the user, which is preferable to a
+	// redirect loop.
+	if r.URL.Path == m.ServiceProvider.AcsURL.Path {
+		panic("don't wrap Middleware with RequireAccount")
+	}
+
+	var binding, bindingLocation string
+	if m.Binding != "" {
+		binding = m.Binding
+		bindingLocation = m.ServiceProvider.GetSSOBindingLocation(binding)
+	} else {
+		binding = saml.HTTPRedirectBinding
+		bindingLocation = m.ServiceProvider.GetSSOBindingLocation(binding)
 		if bindingLocation == "" {
 			binding = saml.HTTPPostBinding
 			bindingLocation = m.ServiceProvider.GetSSOBindingLocation(binding)
 		}
+	}
 
-		req, err := m.ServiceProvider.MakeAuthenticationRequest(bindingLocation)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
-		}
+	authReq, err := m.ServiceProvider.MakeAuthenticationRequest(bindingLocation, binding)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
 
-		// relayState is limited to 80 bytes but also must be integrety protected.
-		// this means that we cannot use a JWT because it is way to long. Instead
-		// we set a cookie that corresponds to the state
-		relayState := base64.URLEncoding.EncodeToString(randomBytes(42))
+	// relayState is limited to 80 bytes but also must be integrity protected.
+	// this means that we cannot use a JWT because it is way to long. Instead
+	// we set a signed cookie that encodes the original URL which we'll check
+	// against the SAML response when we get it.
+	relayState, err := m.RequestTracker.TrackRequest(w, r, authReq.ID)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
 
-		secretBlock := x509.MarshalPKCS1PrivateKey(m.ServiceProvider.Key)
-		state := jwt.New(jwtSigningMethod)
-		claims := state.Claims.(jwt.MapClaims)
-		claims["id"] = req.ID
-		claims["uri"] = r.URL.String()
-		signedState, err := state.SignedString(secretBlock)
+	if binding == saml.HTTPRedirectBinding {
+		redirectURL, err := authReq.Redirect(relayState, &m.ServiceProvider)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
-
-		http.SetCookie(w, &http.Cookie{
-			Name:     fmt.Sprintf("saml_%s", relayState),
-			Value:    signedState,
-			MaxAge:   int(saml.MaxIssueDelay.Seconds()),
-			HttpOnly: false,
-			Path:     m.ServiceProvider.AcsURL.Path,
-		})
-
-		if binding == saml.HTTPRedirectBinding {
-			redirectURL := req.Redirect(relayState)
-			w.Header().Add("Location", redirectURL.String())
-			w.WriteHeader(http.StatusFound)
-			return
-		}
-		if binding == saml.HTTPPostBinding {
-			w.Header().Set("Content-Security-Policy", ""+
-				"default-src; "+
-				"script-src 'sha256-D8xB+y+rJ90RmLdP72xBqEEc0NUatn7yuCND0orkrgk='; "+
-				"reflected-xss block; "+
-				"referrer no-referrer;")
-			w.Header().Add("Content-type", "text/html")
-			w.Write([]byte(`<!DOCTYPE html><html><body>`))
-			w.Write(req.Post(relayState))
-			w.Write([]byte(`</body></html>`))
-			return
-		}
-		panic("not reached")
-	}
-	return http.HandlerFunc(fn)
-}
-
-func (m *Middleware) getPossibleRequestIDs(r *http.Request) []string {
-	rv := []string{}
-	for _, cookie := range r.Cookies() {
-		if !strings.HasPrefix(cookie.Name, "saml_") {
-			continue
-		}
-		m.ServiceProvider.Logger.Printf("getPossibleRequestIDs: cookie: %s", cookie.String())
-
-		jwtParser := jwt.Parser{
-			ValidMethods: []string{jwtSigningMethod.Name},
-		}
-		token, err := jwtParser.Parse(cookie.Value, func(t *jwt.Token) (interface{}, error) {
-			secretBlock := x509.MarshalPKCS1PrivateKey(m.ServiceProvider.Key)
-			return secretBlock, nil
-		})
-		if err != nil || !token.Valid {
-			m.ServiceProvider.Logger.Printf("... invalid token %s", err)
-			continue
-		}
-		claims := token.Claims.(jwt.MapClaims)
-		rv = append(rv, claims["id"].(string))
+		w.Header().Add("Location", redirectURL.String())
+		w.WriteHeader(http.StatusFound)
+		return
 	}
-
-	// If IDP initiated requests are allowed, then we can expect an empty response ID.
-	if m.AllowIDPInitiated {
-		rv = append(rv, "")
+	if binding == saml.HTTPPostBinding {
+		w.Header().Add("Content-Security-Policy", ""+
+			"default-src; "+
+			"script-src 'sha256-AjPdJSbZmeWHnEc5ykvJFay8FTWeTeRbs9dutfZ0HqE='; "+
+			"reflected-xss block; referrer no-referrer;")
+		w.Header().Add("Content-type", "text/html")
+		w.Write([]byte(`<!DOCTYPE html><html><body>`))
+		w.Write(authReq.Post(relayState))
+		w.Write([]byte(`</body></html>`))
+		return
 	}
-
-	return rv
-}
-
-type TokenClaims struct {
-	jwt.StandardClaims
-	Attributes map[string][]string `json:"attr"`
+	panic("not reached")
 }
 
-// Authorize is invoked by ServeHTTP when we have a new, valid SAML assertion.
-// It sets a cookie that contains a signed JWT containing the assertion attributes.
-// It then redirects the user's browser to the original URL contained in RelayState.
-func (m *Middleware) Authorize(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion) {
-	secretBlock := x509.MarshalPKCS1PrivateKey(m.ServiceProvider.Key)
-
+// CreateSessionFromAssertion is invoked by ServeHTTP when we have a new, valid SAML assertion.
+func (m *Middleware) CreateSessionFromAssertion(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion) {
 	redirectURI := "/"
-	if r.Form.Get("RelayState") != "" {
-		stateCookie, err := r.Cookie(fmt.Sprintf("saml_%s", r.Form.Get("RelayState")))
+	if trackedRequestIndex := r.Form.Get("RelayState"); trackedRequestIndex != "" {
+		trackedRequest, err := m.RequestTracker.GetTrackedRequest(r, trackedRequestIndex)
 		if err != nil {
-			m.ServiceProvider.Logger.Printf("cannot find corresponding cookie: %s", fmt.Sprintf("saml_%s", r.Form.Get("RelayState")))
-			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+			m.OnError(w, r, err)
 			return
 		}
+		m.RequestTracker.StopTrackingRequest(w, r, trackedRequestIndex)
 
-		jwtParser := jwt.Parser{
-			ValidMethods: []string{jwtSigningMethod.Name},
-		}
-		state, err := jwtParser.Parse(stateCookie.Value, func(t *jwt.Token) (interface{}, error) {
-			return secretBlock, nil
-		})
-		if err != nil || !state.Valid {
-			m.ServiceProvider.Logger.Printf("Cannot decode state JWT: %s (%s)", err, stateCookie.Value)
-			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
-			return
-		}
-		claims := state.Claims.(jwt.MapClaims)
-		redirectURI = claims["uri"].(string)
-
-		// delete the cookie
-		stateCookie.Value = ""
-		stateCookie.Expires = time.Unix(1,0) // past time as close to epoch as possible, but not zero time.Time{}
-		http.SetCookie(w, stateCookie)
+		redirectURI = trackedRequest.URI
 	}
 
-	now := saml.TimeNow()
-	claims := TokenClaims{}
-	claims.Audience = m.ServiceProvider.Metadata().EntityID
-	claims.IssuedAt = assertion.IssueInstant.Unix()
-	claims.ExpiresAt = now.Add(m.CookieMaxAge).Unix()
-	claims.NotBefore = now.Unix()
-	if sub := assertion.Subject; sub != nil {
-		if nameID := sub.NameID; nameID != nil {
-			claims.StandardClaims.Subject = nameID.Value
-		}
-	}
-	for _, attributeStatement := range assertion.AttributeStatements {
-		claims.Attributes = map[string][]string{}
-		for _, attr := range attributeStatement.Attributes {
-			claimName := attr.FriendlyName
-			if claimName == "" {
-				claimName = attr.Name
-			}
-			for _, value := range attr.Values {
-				claims.Attributes[claimName] = append(claims.Attributes[claimName], value.Value)
-			}
-		}
-	}
-	signedToken, err := jwt.NewWithClaims(jwt.SigningMethodHS256,
-		claims).SignedString(secretBlock)
-	if err != nil {
-		panic(err)
+	if err := m.Session.CreateSession(w, r, assertion); err != nil {
+		m.OnError(w, r, err)
+		return
 	}
 
-	http.SetCookie(w, &http.Cookie{
-		Name:     m.CookieName,
-		Value:    signedToken,
-		MaxAge:   int(m.CookieMaxAge.Seconds()),
-		HttpOnly: false,
-		Path:     "/",
-	})
-
 	http.Redirect(w, r, redirectURI, http.StatusFound)
 }
 
-// IsAuthorized is invoked by RequireAccount to determine if the request
-// is already authorized or if the user's browser should be redirected to the
-// SAML login flow. If the request is authorized, then the request headers
-// starting with X-Saml- for each SAML assertion attribute are set. For example,
-// if an attribute "uid" has the value "alice@example.com", then the following
-// header would be added to the request:
-//
-//     X-Saml-Uid: alice@example.com
-//
-// It is an error for this function to be invoked with a request containing
-// any headers starting with X-Saml. This function will panic if you do.
-func (m *Middleware) IsAuthorized(r *http.Request) bool {
-	cookie, err := r.Cookie(m.CookieName)
-	if err != nil {
-		return false
-	}
-
-	tokenClaims := TokenClaims{}
-	token, err := jwt.ParseWithClaims(cookie.Value, &tokenClaims, func(t *jwt.Token) (interface{}, error) {
-		secretBlock := x509.MarshalPKCS1PrivateKey(m.ServiceProvider.Key)
-		return secretBlock, nil
-	})
-	if err != nil || !token.Valid {
-		m.ServiceProvider.Logger.Printf("ERROR: invalid token: %s", err)
-		return false
-	}
-	if err := tokenClaims.StandardClaims.Valid(); err != nil {
-		m.ServiceProvider.Logger.Printf("ERROR: invalid token claims: %s", err)
-		return false
-	}
-	if tokenClaims.Audience != m.ServiceProvider.Metadata().EntityID {
-		m.ServiceProvider.Logger.Printf("ERROR: invalid audience: %s", err)
-		return false
-	}
-
-	// It is an error for the request to include any X-SAML* headers,
-	// because those might be confused with ours. If we encounter any
-	// such headers, we abort the request, so there is no confustion.
-	for headerName := range r.Header {
-		if strings.HasPrefix(headerName, "X-Saml") {
-			panic("X-Saml-* headers should not exist when this function is called")
-		}
-	}
-
-	for claimName, claimValues := range tokenClaims.Attributes {
-		for _, claimValue := range claimValues {
-			r.Header.Add("X-Saml-"+claimName, claimValue)
-		}
-	}
-	r.Header.Set("X-Saml-Subject", tokenClaims.Subject)
-
-	return true
-}
-
 // RequireAttribute returns a middleware function that requires that the
 // SAML attribute `name` be set to `value`. This can be used to require
-// that a remote user be a member of a group. It relies on the X-Saml-* headers
-// that RequireAccount adds to the request.
+// that a remote user be a member of a group. It relies on the Claims assigned
+// to to the context in RequireAccount.
 //
 // For example:
 //
@@ -353,17 +214,21 @@ func (m *Middleware) IsAuthorized(r *http.Request) bool {
 //
 func RequireAttribute(name, value string) func(http.Handler) http.Handler {
 	return func(handler http.Handler) http.Handler {
-		fn := func(w http.ResponseWriter, r *http.Request) {
-			if values, ok := r.Header[http.CanonicalHeaderKey(fmt.Sprintf("X-Saml-%s", name))]; ok {
-				for _, actualValue := range values {
-					if actualValue == value {
-						handler.ServeHTTP(w, r)
-						return
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if session := SessionFromContext(r.Context()); session != nil {
+				// this will panic if we have the wrong type of Session, and that is OK.
+				sessionWithAttributes := session.(SessionWithAttributes)
+				attributes := sessionWithAttributes.GetAttributes()
+				if values, ok := attributes[name]; ok {
+					for _, v := range values {
+						if v == value {
+							handler.ServeHTTP(w, r)
+							return
+						}
 					}
 				}
 			}
 			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
-		}
-		return http.HandlerFunc(fn)
+		})
 	}
 }
diff --git a/samlsp/middleware_test.go b/samlsp/middleware_test.go
index ed62b3b9..eca377ec 100644
--- a/samlsp/middleware_test.go
+++ b/samlsp/middleware_test.go
@@ -4,40 +4,39 @@ import (
 	"bytes"
 	"crypto/rsa"
 	"crypto/sha256"
+	"crypto/x509"
 	"encoding/base64"
+	"encoding/json"
 	"encoding/xml"
-	"io/ioutil"
+	"io"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"strings"
 	"testing"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/form3tech-oss/jwt-go"
 	dsig "github.com/russellhaering/goxmldsig"
-	. "gopkg.in/check.v1"
-
-	"crypto/x509"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
 
 	"github.com/lightstep/saml"
-	"github.com/lightstep/saml/logger"
 	"github.com/lightstep/saml/testsaml"
 )
 
-// Hook up gocheck into the "go test" runner.
-func Test(t *testing.T) { TestingT(t) }
-
 type MiddlewareTest struct {
-	AuthnRequest string
-	SamlResponse string
-	Key          *rsa.PrivateKey
-	Certificate  *x509.Certificate
-	IDPMetadata  string
-	Middleware   Middleware
+	AuthnRequest          []byte
+	SamlResponse          []byte
+	Key                   *rsa.PrivateKey
+	Certificate           *x509.Certificate
+	IDPMetadata           []byte
+	Middleware            *Middleware
+	expectedSessionCookie string
 }
 
-var _ = Suite(&MiddlewareTest{})
-
 type testRandomReader struct {
 	Next byte
 }
@@ -50,9 +49,8 @@ func (tr *testRandomReader) Read(p []byte) (n int, err error) {
 	return len(p), nil
 }
 
-const expectedToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovLzE1NjYxNDQ0Lm5ncm9rLmlvL3NhbWwyL21ldGFkYXRhIiwiZXhwIjoxNDQ4OTQyMjI5LCJpYXQiOjE0NDg5MzQ5ODEsIm5iZiI6MTQ0ODkzNTAyOSwic3ViIjoiXzQxYmQyOTU5NzZkYWRkNzBlMTQ4MGYzMThlNzcyODQxIiwiYXR0ciI6eyJjbiI6WyJNZSBNeXNlbGYgQW5kIEkiXSwiZWR1UGVyc29uQWZmaWxpYXRpb24iOlsiTWVtYmVyIiwiU3RhZmYiXSwiZWR1UGVyc29uRW50aXRsZW1lbnQiOlsidXJuOm1hY2U6ZGlyOmVudGl0bGVtZW50OmNvbW1vbi1saWItdGVybXMiXSwiZWR1UGVyc29uUHJpbmNpcGFsTmFtZSI6WyJteXNlbGZAdGVzdHNoaWIub3JnIl0sImVkdVBlcnNvblNjb3BlZEFmZmlsaWF0aW9uIjpbIk1lbWJlckB0ZXN0c2hpYi5vcmciLCJTdGFmZkB0ZXN0c2hpYi5vcmciXSwiZWR1UGVyc29uVGFyZ2V0ZWRJRCI6WyIiXSwiZ2l2ZW5OYW1lIjpbIk1lIE15c2VsZiJdLCJzbiI6WyJBbmQgSSJdLCJ0ZWxlcGhvbmVOdW1iZXIiOlsiNTU1LTU1NTUiXSwidWlkIjpbIm15c2VsZiJdfX0.owRdm3bcXkYV4ePjcJw3qHILRLDhNHAdG3gddLOBJPw"
-
-func (test *MiddlewareTest) SetUpTest(c *C) {
+func NewMiddlewareTest(t *testing.T) *MiddlewareTest {
+	test := MiddlewareTest{}
 	saml.TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05.999999999 MST 2006", "Mon Dec 1 01:57:09.123456789 UTC 2015")
 		return rv
@@ -61,73 +59,121 @@ func (test *MiddlewareTest) SetUpTest(c *C) {
 	saml.Clock = dsig.NewFakeClockAt(saml.TimeNow())
 	saml.RandReader = &testRandomReader{}
 
-	test.AuthnRequest = `https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?RelayState=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1cmkiOiIvIn0.eoUmy2fQduAz--6N82xIOmufY1ZZeRi5x--B7m1pNIY&SAMLRequest=lJJBj9MwEIX%2FSuR7Yzt10sZKIpWtkCotsGqB%2B5BMW4vELp4JsP8et4DYE5Tr%2BPnN957dbGY%2B%2Bz1%2BmZE4%2Bz6NnloxR28DkCPrYUKy3NvD5s2jLXJlLzFw6MMosg0RRnbBPwRP84TxgPGr6%2FHD%2FrEVZ%2BYLWSl1WVXaGJP7UwyfcxckwTQWEnoS2TbtdB6uHn9uuOGSczqgs%2FuUh3i6DmTaenQjyitGIfc4uIg9y8Phnch221a4YVFjpVflcqgM1sUajiWsYGk01KujKVRfJyHRjDtPDJ5bUShdLrReLNX7QtmysrrMK6Pqem3MeqFKq5TInn6lfeX84PypFSL7iJFuwKkN0TU303hPc%2FC7L5G9DnEC%2Frv8OkmxjjepRc%2BOn0X3r14nZBiAoZE%2FwbrmbfLZbZ%2FC6Prn%2F3zgcQzfHiICYys4zii6%2B4E5gieXsBv5kqBr5Msf1%2F0IAAD%2F%2Fw%3D%3D`
-	test.SamlResponse = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" Destination=\"https://15661444.ngrok.io/saml2/acs\" ID=\"_e9b3332eeaf348da6786aed16300aca9\" InResponseTo=\"id-9e61753d64e928af5a7a341a97f420c9\" IssueInstant=\"2015-12-01T01:56:21.375Z\" Version=\"2.0\"><saml2:Issuer xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\"><xenc:EncryptedData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"_dab0b1dbbc0595ab06473034e3bb798c\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"/><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><xenc:EncryptedKey Id=\"_dd9264352cef16103cdb21fae97fa951\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE\nCAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX\nDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x\nEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308\nkWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv\nSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf\nnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv\nTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+\ncvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>i/wh2ubXbhTH5W3hwc5VEf4DH1xifeTuxoe64ULopGJ0M0XxBKgDEIfTg59JUMmDYB4L8UStTFfqJk9BRGcMeYWVfckn5gCwLptD9cz26irw+7Ud7MIorA7z68v8rEyzwagKjz8VKvX1afgec0wobVTNN3M1Bn+SOyMhAu+Z4tE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>a6PZohc8i16b2HG5irLqbzAt8zMI6OAjBprhcDb+w6zvjU2Pi9KgGRBAESLKmVfBR0Nf6C/cjozCGyelfVMtx9toIV1C3jtanoI45hq2EZZVprKMKGdCsAbXbhwYrd06QyGYvLjTn9iqako6+ifxtoFHJOkhMQShDMv8l3p5n36iFrJ4kUT3pSOIl4a479INcayp2B4u9MVJybvN7iqp/5dMEG5ZLRCmtczfo6NsUmu+bmT7O/Xs0XeDmqICrfI3TTLzKSOb8r0iZOaii5qjfTALDQ10hlqxV4fgd51FFGG7eHr+HHD+FT6Q9vhNjKd+4UVT2LZlaEiMw888vyBKtfl6gTsuJbln0fHRPmOGYeoJlAdfpukhxqTbgdzOke2NY5VLw72ieUWREAEdVXBolrzbSaafumQGuW7c8cjLCDPOlaYIvWsQzQOp5uL5mw4y4S7yNPtTAa5czcf+xgw4MGatcWeDFv0gMTlnBAGIT+QNLK/+idRSpnYwjPO407UNNa2HSX3QpZsutbxyskqvuMgp08DcI2+7+NrTXtQjR5knhCwRNkGTOqVxEBD6uExSjbLBbFmd4jgKn73SqHStk0wCkKatxbZMD8YosTu9mrU2wuWacZ1GFRMlk28oaeXl9qUDnqBwZ5EoxT/jDjWIMWw9b40InvZK6kKzn+v3BSGKqzq2Ecj9yxE7u5/51NC+tFyZiN2J9Lu9yehvW46xRrqFWqCyioFza5bw1yd3bzkuMMpd6UvsZPHKvWwap3+O6ngc8bMBBCLltJVOaTn/cBGsUvoARY6Rfftsx7BamrfGURd8vqq+AI6Z1OC8N3bcRCymIzw0nXdbUSqhKWwbw6P2szvAB6kCdu4+C3Bo01CEQyerCCbpfn/cZ+rPsBVlGdBOLl5eCW8oJOODruYgSRshrTnDffLQprxCddj7vSnFbVHirU8a0KwpCVCdAAL9nKppTHs0Mq2YaiMDo8mFvx+3kan/IBnJSOVL19vdLfHDbZqVh7UVFtiuWv3T15BoiefDdF/aR5joN0zRWf8l6IYcjBOskk/xgxOZhZzbJl8DcgTawD8giJ31SJ1NoOqgrSD4wBHGON4mInHkO0X5+vw1jVNPGF3BwHw0kxoCT3ZKdSsi8O4tlf1y227cf794AGnyQe13O032jYgOmM5qNkET6PyfkyD/h0ufgQq2vJvxSOiRv76Kdg0SeRuNPW9MyjO/5APHl7tBlDBEVq+LWDHl4g9h/bw+Fsi0WN4pLN1Yv9RANWpIsXWyvxTWIZHTuZEjNbHqFKpsefx/oY1b9cSzKR5fQ9vc32e17WykL0O7pwpzV6TrFN874GdmW5lG5zfqnRHUQh1aV2WwBJ74mB4tv/y5rmRjTe5h/rN90kN+eQGeR3eG7XUHLhK/yCV+xq8KKPxNZexcdHGA905rvYokbtmr/jIN5kAMBdlOU8akPAZdSMMh+g/RZo5MO50/gdg6MTpB4onU2FBd54FNDp2fuBUxBsnTqpZXkDcAPEfSBr+z2l8jTRmxMricWyeC55ILgxM4er68n0xYjwb2jyQum3IQq7TSYYU/qjNiH1fQBtdRmBkzXJYYk+9q7C6OZJUdR96ERnTIi93NaYmtpSEvZU9vS6MV1VBOnEf8UzUUT9ibMpP9XDSINX7dN24rKIufSY+3+70orQB07XOWp6++SWKgA+WThaoPhp8sWWMeSZuda/wq6jdVTAB8FOPiP3lNl0BqxagQEPmNxDWXwTplSFSR3SP0e4sHMSjLvysibV9Z87LZa1FG0cWU2hrhiyOLsIWMnd4vdTLaWjhXuGlrDShxSAiI39wsl5RB59E+DXVSTBQAoAkHCKGK69YiMKU9K8K/LeodApgw46oPL08EWvleKPCbdTyjKUADtxfAujR84GMEUz9Aml4Q497MfvABQOW6Hwg54Z3UbwLczDCOZyK1wIwZTyS9w3eTH/6EBeyzhtt4G2e/60jkywHOKn17wQgww2ZsDcukdsCMfo4FV0NzfhSER8BdL+hdLJS3R1F/Vf4aRBEuOuycv2AqB1ZqHhcjZh7yDv0RpBvn3+2rzfzmYIBlqL16d1aBnvL4C03I0J59AtXN9WlfJ8SlJhrduW/PF4pSCAQEyHGprP9hVhaXCOUuXCbjA2FI57NkxALQ2HpCVpXKGw0qO0rYxRYIRlKTl43VFcrSGJdVYOFUk0ZV3b+k+KoxLVSgBjIUWxio/tvVgUYDZsO3M3x0I+0r9xlWZSFFmhwdOFouD+Xy1NPTmgwlUXqZ4peyIE1oVntpcrTJuev2jNScXbU9PG8b589GM4Z09KS/fAyytTFKmUpBuTme969qu0eA7/kBSHAkKvbfj0hsrbkkF9y/rXi8xgcMXNgYayW8MHEhm506AyPIvJAreZL637/BENO1ABdWS1Enj/uGaLM1ED8UY94boh/lMhqa9jALgEOHHxspavexi3HIFwJ55s4ocQnjb4p6op4CRPUdPCfli5st9m3NtQoH9kT1FTRZa9sG8Ybhey5wP17YgPIg9ZZtvlvpSTwCwZxHZ348wXJWhbtId9DyOcIzsyK5HaJcRsp8SQVR5nbRW0pUyC/bFAtX1KOGJmtro/QfmnLG9ksuaZvxP6+bH1K+CibEFIRDllAUFFPiuT+2b3Yp3Tu1VvXokMAgmcB5iFDgTAglw5meJYJ99uIBmj0EVZm8snMhRrHjMPTAYD5kwPK/YDShPFFV3XEIFzLD3iYrzb7sub/Z4gTTELWzzS3bCpYPAh4KWeTih+p7Xj0Xf04nSONHZXsQnNenc+PNae+Zj5iCfJ/PpqhMn61n/YBP7gipYYEtOZYzDtvMz+mytYRUOaZTq3W4Wp64f+XVekn49CLarLm6qPyiz5kJwaT8lJ+VEZDPpS/ChLM4eq90GogJBvK0jxmQ1AGvnKpV2lw9XCudf3PXbaTb+r2QPcihKnmqcEgPgYlN8VLclicNW1WyjBJ+HvDTQPbs1r1/KnBK4O5HTT6ehuHpJsYlBN9vzjsD+ov6SRkBqiGPUg9CoKKmWS6dirxwOXi3OUFzkWFVDyDezfkJAzqkmG0nlEGb9mTHdVDfX010bPJ4ZQzQSyHp7Ht2mATyQwOEem2AMB/RpNwlOKXWIdsQ5p3dHF+kmsJHI8xjEv2GeUa/aXX3MF3fPfUA7La8J8fbnaDLbnEqMCLMfdfc9+kY7EKyqPiE5KFpF0EhQBrHl8SiPuFQCoxvlH2u+ujncW7Z5JiBmMKUWOXUHhIe4NckP1awRsEcfhEs664DqOp9CbLwTXk71hHVBtINylFcf7uBZwjxNW+hCfZEoVEjjs/V4J9QeXCxpTu5TcXxBxwN5zBdkCodNFPLUg+3UicaykaH0+wrGoTu/ugjF9rz7OezMMs3pep+bzLp+yZbFAL/z/yATY3UG+lpk6Rw4SkjbnAxBSedaEdqbotddkGzVQubHvHqCiKpkAw58rAa2v15hc+UmkrRFslS8SYxTIPXs2sTNhnCCrUn8nlKufeoAm65vgYtEQ4NzmG9tqKtTeBfZAvSToYaiQq+kPii1ssuu1OULAVuSx8x/CYO6orgX7h5wI0R/Ug1nux7cb2/+pFLbNyGvwKf1TLym2NvFMJpvFlTsOJJ4DxXM/v2JkC9umm93quXLsojx7KTEOFDQLsnMKsVo6ZzRQidEwK5gQPyZL1yjGirJcEuGMAEf6LA2AsKIIZhsMEPlLpzMiVo5Y0LoL6NFsXigceLaaJMEMuYNJJdh+uxyfW57+PoQ7V8KkzSHFsKan14GnpWeOV7r13uopwCPeIsEKUVG77ypd+ILQkbKxH2lQdsFyjpofqkbgEVM5XAnVbdhfwyebNHn5OJtadVkOMcJc/WMWJef1idcSfvP5ENkwp3pKg9Ljoi+hU2Chp1vTmksO2HJt0of4QnQ8jGlcqnOrAMiWUCd2W/8AmhRBjevt3UqxnqELVvg+HJPlyqFyuUlDxx25mXEdW0COpA3s9OlSgcMjvQbIJ42NUhGFZLoK1pvPLZo711w2Ex3Lm5qqcr/7I4+vTntd/Id5aJiP18LQpslTy614Wd4eD8+RfjEtmDAPXhgvfekVkS/rDnI/9H0k3AdHc78fJCJRPNwJrDTozzjxTvmVv9r4MtpoDELmnMxb3o7ZibUMxgptCTyDF+Q5m6T3GeD9G5ehgB3Tqsx3gcUGuDtP6KIqMGbj8YCFt8tjihDctYFAXj4AwPnIjMiI4T7skXwfrBLWCKfN1j5XrIn2paQgKln9hvaiRUpNpD3IXVyFl1WNrb21IcRinfkuCtrP2tTHqct6eSEh8sOzRkvZEArBQYD5paYyuNBcbVtsnl6PNE+DIcSIGvCVnzpMw1BeUExvQZoNdpHwhTQ3FSd1XN1nt0EWx6lve0Azl/zJBhj5hTdCd2RHdJWDtCZdOwWy/G+4dx3hEed0x6SoopOYdt5bq3lW+Ol0mbRzr1QJnuvt8FYjIfL8cIBqidkTpDjyh6V88yg1DNHDOBBqUz8IqOJ//vY0bmQMJp9gb+05UDW7u/Oe4gGIODQlswv534KF2DcaXW9OB7JQyl6f5+O8W6+zBYZ6DAL+J2vtf3CWKSZFomTwu65vrVaLRmTXIIBjQmZEUxWVeC4xN+4Cj5ORvO8GwzoePGDvqwKzrKoupSjqkL5eKqMpCLouOn8n/x5UWtHQS1NlKgMDFhRObzKMqQhS1S4mz84F3L492GFAlie0xRhywnF+FvAkm+ZIRO0UqM4IwvUXdlqTajjmUz2T0+eXKTKTR5UoNRgP51gdUMT5A4ggT5wU9WkRx7CR9KdWJwwcWzv2YrchoHIXBidQSk+f1ZSzqR7krKSOwFTVJUvEenU17qVaHoAf2he0dMgURJ8PM9JxnSr7p2pZeNPu/O5oPmLuOCmEPVRPSahJL7yj9PK5z3q57e5POIp/wXqFoniFdxRmtmpfZBxoKVlADkwRy34h8k6ZmgtqPTQfUUk/+yH2CAoQu+HyOtUnQof8vc1k4zs8nCTrCSjqvFPjU8mHtVHy1RY0qmK9t99ugXyAKaGON3PlseetIC8WCTt84nM5XGD3VQpbv139yhSPhp2Oiz0IiOsr+L9idVKSvfNSkdNq9aUC7963uAQNud8c4GuDmbENvZYvGNIMxxZhYA86n1RMNtGDZJs6/4hZTL18Kz1yCY9zbbSXTxWTmkaHJziHtgrEPoYpUeb85J229PDEX08yHOkj2HXVdnKKmEaHw3VkB4eM3PhGGdrw2CSUejSaqPQFLdhabcB2zdB4lj/AUnZvNaJc23nHHIauHnhhVrxh/KQ1H4YaYKT9ji/69BIfrTgvoGaPZC10pQKinBHEPMXoFrCd1RX1vutnXXcyT2KTBP4GG+Or0j6Sqxtp5WhxR0aJqIKM6LqMHtTooI0QhWbmSqDEBX/wRS70csVeJSrZ4dqRKit+hz8OalHA7At9e+7gSWTfHAwjl5JhtrltyAab/FII4yKQeZWG8j1fSFGHN+EbOrum2uWuVhxkUPy4coMu+yKY4GxlXfvP+yEVK5GrMECRmFBlySetJK3JOoQXiuLirlHUq+0u88QFMdAJ9+fIdU4+FxneqgW7qM7CHRE8jV4pPSWGFbGzxVZ9CWRWaYIw26VsC1qQJe1WmU7Mrp26IxmWHGwHvZ50uB0mjAHFCiln5QAvqTm2/fsY+Puk+Irt3LQbMwGVWPnb4eona2dSha+eMLOiAQkBvbaitsRqqrAVnndP7gHmO+nYZEKNx/740zTRrFBpOelrGdOa0/eV2mPhUQfozGooxoRADmT8fAcDXo0SsXCHzg9tBnmVMvInQ7+8nXfhcF/fEBjvW3gIWOmp2EWutHQ/sl73MieJWnP/n3DMk2HHcatoIZOMUzo4S4uztODHoSiOJDA1hVj7qADvKB37/OX0opnbii9o6W8naFkWG5Ie7+EWQZdo+xeVYpwGOzcNwDRrxbZpV3fTvWyWKToovncZq+TQj7c4Yhz6XDF0ffljN5hTm4ONwYViFNB4gTJlFxFX00wcWfwWah4uJs2Oa8dHPVT+7viagZiPrSDk/gythdY8glGm+F0DWlzQpWbgSI3ZbdiUQ+ox4GtLUtYgGIQFUvRYbuHqH6CXQ3SM6vkbhV/nAn6UDEWKXdJsO0u5q6UpXci7MlWDNLxoQ9dfGjSc28mX+q+4hkyho4u1XSMy9B6IdH304J7fuAQ88tTorT67AiqvqR6qnZ0icV+MMLh95moxFbrvch6sGAmMEixqeujmiZzBqBmNbzZVORiv9qcbe3CQ6X2i+9D8hMpaWj5jI0u+0wk3bRFK4uDn8T1mnD6l4TrJayf3cZI+duhKcabNj71i5w76S8RZSC6RX4ks0x+XIDc5v3223NmGvceYklbuOJtJa0/MBTOcSDKCM2kUXqPV2BlA9Za8WEO2UrdcyP+AXgM20af3thjlZvA494zdZ0mqjrsKp+VS2MVrBBtj+puSuSHJYf6bnA5/yjqQtbGvAp8hfXQURC53J5oD8rb9F7vQRqdfqpe6xd7DVd+wWZS86mWjyZYKXw312t8nM/gxo0pdvZ8F0x9y3xb9UBM2pZtdYvk3hPz6swhuE1N5j2u7nwtXuEDNcGCSfr+IempeFHFRqO8n8ikASEdKcq2XHGJwfc3lVXOQ5K4JlewcC7yQL1uNtL6iNKCtJmjJiH2PMmXrtpmCeTspFNZlwmiICyPWV9B5ce9H/qP1xjndBzFz0rn75SGDnWUhNZI/aYKNVyzkOleS5VSNxBx1hoiFuG8r+6ctYwF7XL94b95tXQ/+0V5dt0H1xVaOZ7QluoDtMSzuUjV4yUoQESa3zCfZwnW+b5SKndX5nx0GYrVxydMkUdfimZpX/fezcMiaAGwG/jgWF0zS+EL4T7gR8I5R3qUNTifKFJKJL1+AL8CgL+SRB1lgHDp2wQ7cqgqcmskAsT60qisL/UZGgmnlgZ8FkNhv0vAMkzIsz7o6cuLo15hZnrsZveIo+mZKY2cMJjJb4ZlJLcE+YcnpiM84OYjypa9lA7kv4XJaDX9oirhsl9IO/ImbFgYpR73y+xSolXYdDKfZjf/8NR7vE8fu+LYXGoZHO/hxousED6y3sCo/ItECYHWYIui+V5SmAoEvVV8FY8fFMYIc+Llc2CoX5HQISfUAtLu+fGNNV0muidXnBdtnJo25UEqxwvoENdI1lGPhlrXY6/h4kIT5djmsxxSG/EgG/4fPnrThgF9/fbG8n/3LweXvQOGjX0F1Ngt5wuMIWRQk5vtLdvv2M+BNwthHZ7xzIU7zqSVvngVPwgcsTr2d5pTVOxauT1K6ffiBF04jVZEcna+NXhJM5EcRHNuT/iOb0ncn1yuKU8JJnztEzMDjO1qCmaBTyWBR7nQS6K+nfstd/AnBWyGeC5Yi3wlvZAVMpc0m7I7McXb+rXiHM0mHoq0Z/2HOki5LP2cBuIkk84tJ3SRZwWnocrz4aTEIOmwftqMATy5Ur0KRxoUSFNMJYyc1iOfjk3H2JjgecWlQdYHcIEjxGDGeo4S9EKTRokMGNUN2nTj3SO2nHoWbx9WhGe6uB3OgDENGL9aNoPnYKXs4WcobctMxQjjBWa/zpCFwP8nr78xIFfy/64ZtsFBrxSrEHxeXiPa2Kpv456aQ9kDQjJt9XrWKe+JBawtpPUYHmWkUb3Gznp3tC2LbowvJlEe/17srb5yi+sUHEF1z/8Uk4eVYcUUXzyq3YEuqumIBIYqO8J3K5Us7tEXyzhHH8TMLNSQxmDi/w5oYccIwNFMM1+xRTsyjHHtB/rHYJjPW/50Xxb0CZF84NqotCcgIMrR4nUiPnAPd8ZvHeB/235gS1NtzBWtfcDmP8khibSQpY3JW+fdY/9W6iGlPyPIwOgH06fJayaT44sPFIm+QGIkPKSAJOFDeJNG8oc6SAqrYSfCffYfOAx3IsjSdnxQy9JAcS0HxjWnEO3rgSh7bNEecO3f4hb3TRNlczdzhfrwgxUZ0rURI3LfMCpGntF+8NrhtB7RT8sEOaa4NM13T7LWjykRQJFYKNZY0siPBP2WJxjBqL0KynlTPhAcfFyiLZbAhe7YC0XmYo8iJQqdzJQwBK9iOoDkg1XuGy7+Kfe0scamvHN2Z85umcPSiPEQRP3zAWcP5kRNDath7DKrBfQtvOJvEHiihE+qiASrCZep+m7jTD261U9vQGAnR4xBY08ChSh8XItWHvDHARN+GP08h9u6nlJ3rpOoVn9y22NNgx7bOe6QIYe9f6iYbbAzLR1/7AP1A4CQwFi39eZI9BZteze5eas+6JR2s1LqH9tncOmWAhXjE8p3hOtplh/tMbrx+pySNX4BKfZva54zccIa+e59NUifTRsq27AwAtcxg2Bk1Tu7B+LT9Yw2K8tRH6XTcGlvqDM4sYjNBqzh3yAga5iro706tg/Qaa50eln8rjISularEHlfaggogjvd+wNLg44Rj8pMr25+xxS0e9KoEGon5SutuhJ/HBGnEj3+4qNxHu27nkAmZIADiF+Jh53osDuA1fsUnRXf2lJABa30KDkG8E/eci+TkESrdfsPMo6yhWoyjtjYdJbGkjtsQCMW5DOSNYDH0FqDiiVU0nBLJ4+A4ep6aWTrv6w/ozuO4educ7x9IBpGmEY30rsXWwiGJbLGyIo+6qz6J5JBKdjNBsDO7RRweDNMp8ospaGNQSa4NKAHTG8BsGqJSP8oebpVqYpgPS1TiBWnYZKQSRJ5NFs+ULpdICekxevVXAH8uh+De9GT7KsJJzg0CFjALDbC0YrbmCigspJAh2455I6/xyWbPXCYMXwBzbioMgWcNhQBJJ6oIoQ7shwf2TP0Z+X/3NoMpWHmGpoV/JZind8lb9lcxoI44uf37+xc03O1R1bNucf0F5ljrgj2sZlGz/591EJen5GZhrT6qSTIcMu+xIyxyA/zzhy0jjkVfkDKfQ8mE9AmVtbbzHAQNy2PhDIeu7ngoFN635tSOJLR2c6pC/m6n50slFbo0oeHbbiGHyxDk7q3zXHWoHzeF1k4iVdHumYg/nwZOuRzms6rvkmwkJv59Z1p05jxA+Y0yHvDeq1WR8PfS/esm3RHfP3fM+zTlj9ZBJfzvn4OL+IIHRQ5l8pGKAeRL58OjeaU5QU98lAKHydOPDGBalsEHyIKD6iy3RZ65qIm956zQd98htZ1Vgkd7LVC7LSnLb9jRbqS1vHN7lR6bQMmXtQBYSA/+ZW2RQqSo7sToVh+Pxl3EVmsgyO8dXPL4biz7XM8eVz7CqHkrQUinnr79HJWC6Uk19cBurOD6PeOqNYy08Og/A0hbHOgN3dKmVRAPf7itK6x0eb5F70T2zVqG12GHVZieXwIcp/vahuFvriHLJtuM04laiRWNXSiL2MPHQ8e9rr8NIlWDm9uev55FI9zZxwFUPBSewawPe5vkqRLfwZCYd5mZoxtBhNBWvY3ZOVD/21dIUlQanG1n6RygbmAwCHnIB4c7EH2CBYEMDToRQuAuIssviIfdaJglwDgHbLWKNUVDOdqeclBNZjfQfVXbVukPk8DfWLqj9pD4xAOzDeVQcdmg2aLvNKgpZsWs4d+6GlKrpS7qEGvoBkIFh/cVY7DMYrt/JXYuF6DpwB+HbfnuDFc2p47SPNhnmt/ez6/DACBPQ+tgpyWYXUsiviGSp72JNTzd8uFJJZNeKUJZw1c0UTjxdwigh5tL/hWhPl48DY937zymSr1xVqC3RV6wSIpuplH+hss/rsRPAp1/TfxvhJuFsoPbW0586y9YzqEHT4FUu6WSRy0gMJLP2sLqiiZXZ6kPicXsW7M55mV3ugbGQjB7YS7EVqsQzvJTiQbOlcPqwoKK7DTqaeCOXd8kH1tNoe7hjx/UNNdLQQ7IhrJIzxqTTgwcXYMCxhoezDsIHReTIymsHPkCurfteTQcbfwoKN5E9zC2hINOPmhAxLvONzaLXQGMqofuTbFshkB4eUj8U4vBCNp+60iCLnibt4rPuyoWKEHWBYa6FfIykxVKuXkfcb64dCdGCWjv7x1XqkbpHxQB80qhipoSo244pyhIsN91ASu1Q7L75LxGXibY3jb0Y4KZ5zIWsH4kVlvPhangohDO1J9gmL9inGr9hy5BHTQiMcktGoUgOIbFJ72381vYpPxn3ngBbp48mVZd0w6xV8RBaqR3l7CxI9vvMAPYPoXBB18ERoZypza8mAlzv2QxIkNGuRzFENh1SXegBfN7eiazZnwnhbyeMghJpnXzfvHACyjkdH3shRYcJ+oMiOSpInGxm/hxFQxHJZA0Ft/lza</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>"
-	test.Key = mustParsePrivateKey("-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi\n3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E\nPsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB\nAoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ\nCT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS\nJEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU\nN3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/\nfbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU\n4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM\nRq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA\nyfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr\nvBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6\nhU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==\n-----END RSA PRIVATE KEY-----\n").(*rsa.PrivateKey)
-	test.Certificate = mustParseCertificate("-----BEGIN CERTIFICATE-----\nMIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV\nUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0\nMB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx\nCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB\nnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9\nibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH\nO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv\nRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk\nakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT\nQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn\nOwJlNCASPZRH/JmF8tX0hoHuAQ==\n-----END CERTIFICATE-----\n")
-	test.IDPMetadata = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:mdalg=\"urn:oasis:names:tc:SAML:metadata:algsupport\" xmlns:mdui=\"urn:oasis:names:tc:SAML:metadata:ui\" xmlns:shibmd=\"urn:mace:shibboleth:metadata:1.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" Name=\"urn:mace:shibboleth:testshib:two\" entityID=\"https://idp.testshib.org/idp/shibboleth\">\n\t<Extensions>\n\t\t<mdalg:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha512\" />\n\t\t<mdalg:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#sha384\" />\n\t\t<mdalg:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\" />\n\t\t<mdalg:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />\n\t\t<mdalg:SigningMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512\" />\n\t\t<mdalg:SigningMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha384\" />\n\t\t<mdalg:SigningMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\" />\n\t\t<mdalg:SigningMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />\n\t</Extensions>\n\t<IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol\">\n\t\t<Extensions>\n\t\t\t<shibmd:Scope regexp=\"false\">testshib.org</shibmd:Scope>\n\t\t\t<mdui:UIInfo>\n\t\t\t\t<mdui:DisplayName xml:lang=\"en\">TestShib Test IdP</mdui:DisplayName>\n\t\t\t\t<mdui:Description xml:lang=\"en\">TestShib IdP. Use this as a source of attributes\n                        for your test SP.</mdui:Description>\n\t\t\t\t<mdui:Logo height=\"88\" width=\"253\">https://www.testshib.org/testshibtwo.jpg</mdui:Logo>\n\t\t\t</mdui:UIInfo>\n\t\t</Extensions>\n\t\t<KeyDescriptor>\n\t\t\t<ds:KeyInfo>\n\t\t\t\t<ds:X509Data>\n\t\t\t\t\t<ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV\n                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD\n                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4\n                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI\n                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl\n                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B\n                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C\n                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe\n                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT\n                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614\n                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH\n                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G\n                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86\n                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl\n                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo\n                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN\n                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL\n                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo\n                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4\n                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj\n                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr\n                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate>\n\t\t\t\t</ds:X509Data>\n\t\t\t</ds:KeyInfo>\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-1_5\" />\n\t\t</KeyDescriptor>\n\t\t<ArtifactResolutionService Binding=\"urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding\" Location=\"https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution\" index=\"1\" />\n\t\t<ArtifactResolutionService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution\" index=\"2\" />\n\t\t<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>\n\t\t<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n\t\t<SingleSignOnService Binding=\"urn:mace:shibboleth:1.0:profiles:AuthnRequest\" Location=\"https://idp.testshib.org/idp/profile/Shibboleth/SSO\" />\n\t\t<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://idp.testshib.org/idp/profile/SAML2/POST/SSO\" />\n\t\t<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO\" />\n\t\t<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP\" />\n\t</IDPSSODescriptor>\n\t<AttributeAuthorityDescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol\">\n\t\t<KeyDescriptor>\n\t\t\t<ds:KeyInfo>\n\t\t\t\t<ds:X509Data>\n\t\t\t\t\t<ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV\n                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD\n                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4\n                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI\n                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl\n                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B\n                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C\n                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe\n                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT\n                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614\n                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH\n                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G\n                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86\n                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl\n                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo\n                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN\n                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL\n                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo\n                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4\n                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj\n                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr\n                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate>\n\t\t\t\t</ds:X509Data>\n\t\t\t</ds:KeyInfo>\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-1_5\" />\n\t\t</KeyDescriptor>\n\t\t<AttributeService Binding=\"urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding\" Location=\"https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/AttributeQuery\" />\n\t\t<AttributeService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery\" />\n\t\t<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>\n\t\t<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n\t</AttributeAuthorityDescriptor>\n\t<Organization>\n\t\t<OrganizationName xml:lang=\"en\">TestShib Two Identity Provider</OrganizationName>\n\t\t<OrganizationDisplayName xml:lang=\"en\">TestShib Two</OrganizationDisplayName>\n\t\t<OrganizationURL xml:lang=\"en\">http://www.testshib.org/testshib-two/</OrganizationURL>\n\t</Organization>\n\t<ContactPerson contactType=\"technical\">\n\t\t<GivenName>Nate</GivenName>\n\t\t<SurName>Klingenstein</SurName>\n\t\t<EmailAddress>ndk@internet2.edu</EmailAddress>\n\t</ContactPerson>\n</EntityDescriptor>"
-
-	test.Middleware = Middleware{
-		ServiceProvider: saml.ServiceProvider{
-			Key:         test.Key,
-			Certificate: test.Certificate,
-			MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
-			AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
-			IDPMetadata: &saml.EntityDescriptor{},
-			Logger:      logger.DefaultLogger,
-		},
-		CookieName:   "ttt",
-		CookieMaxAge: time.Hour * 2,
+	test.AuthnRequest = golden.Get(t, "authn_request.url")
+	test.SamlResponse = golden.Get(t, "saml_response.xml")
+	test.Key = mustParsePrivateKey(golden.Get(t, "key.pem")).(*rsa.PrivateKey)
+	test.Certificate = mustParseCertificate(golden.Get(t, "cert.pem"))
+	test.IDPMetadata = golden.Get(t, "idp_metadata.xml")
+
+	var metadata saml.EntityDescriptor
+	if err := xml.Unmarshal(test.IDPMetadata, &metadata); err != nil {
+		panic(err)
+	}
+
+	opts := Options{
+		URL:         mustParseURL("https://15661444.ngrok.io/"),
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		IDPMetadata: &metadata,
+	}
+
+	var err error
+	test.Middleware, err = New(opts)
+	if err != nil {
+		panic(err)
+	}
+
+	sessionProvider := DefaultSessionProvider(opts)
+	sessionProvider.Name = "ttt"
+	sessionProvider.MaxAge = 7200 * time.Second
+
+	sessionCodec := sessionProvider.Codec.(JWTSessionCodec)
+	sessionCodec.MaxAge = 7200 * time.Second
+	sessionProvider.Codec = sessionCodec
+
+	test.Middleware.Session = sessionProvider
+
+	test.Middleware.ServiceProvider.MetadataURL.Path = "/saml2/metadata"
+	test.Middleware.ServiceProvider.AcsURL.Path = "/saml2/acs"
+	test.Middleware.ServiceProvider.SloURL.Path = "/saml2/slo"
+
+	var tc JWTSessionClaims
+	if err := json.Unmarshal(golden.Get(t, "token.json"), &tc); err != nil {
+		panic(err)
+	}
+	test.expectedSessionCookie, err = sessionProvider.Codec.Encode(tc)
+	if err != nil {
+		panic(err)
+	}
+
+	return &test
+}
+
+func (test *MiddlewareTest) makeTrackedRequest(id string) string {
+	codec := test.Middleware.RequestTracker.(CookieRequestTracker).Codec
+	token, err := codec.Encode(TrackedRequest{
+		Index:         "KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6",
+		SAMLRequestID: id,
+		URI:           "/frob",
+	})
+	if err != nil {
+		panic(err)
 	}
-	err := xml.Unmarshal([]byte(test.IDPMetadata), &test.Middleware.ServiceProvider.IDPMetadata)
-	c.Assert(err, IsNil)
+	return token
 }
 
-func (test *MiddlewareTest) TestCanProduceMetadata(c *C) {
-	c.Skip("broken")
+func TestMiddlewareCanProduceMetadata(t *testing.T) {
+	// TODO: Lightstep had: t.Skip("broken")
+	test := NewMiddlewareTest(t)
 	req, _ := http.NewRequest("GET", "/saml2/metadata", nil)
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
-	c.Assert(resp.Code, Equals, http.StatusOK)
-	c.Assert(resp.Header().Get("Content-type"), Equals, "application/samlmetadata+xml")
-	c.Assert(string(resp.Body.Bytes()), DeepEquals, ""+
-		"<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2015-12-03T01:57:09.123Z\" entityID=\"https://15661444.ngrok.io/saml2/metadata\">\n"+
-		"  <SPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"0001-01-01T00:00:00Z\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\" AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\">\n"+
-		"    <KeyDescriptor use=\"signing\">\n"+
-		"      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"+
-		"        <X509Data>\n"+
-		"          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>\n"+
-		"        </X509Data>\n"+
-		"      </KeyInfo>\n"+
-		"    </KeyDescriptor>\n"+
-		"    <KeyDescriptor use=\"encryption\">\n"+
-		"      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"+
-		"        <X509Data>\n"+
-		"          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>\n"+
-		"        </X509Data>\n"+
-		"      </KeyInfo>\n"+
-		"      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod>\n"+
-		"      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod>\n"+
-		"      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod>\n"+
-		"      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod>\n"+
-		"    </KeyDescriptor>\n"+
-		"    <AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://15661444.ngrok.io/saml2/acs\" index=\"1\"></AssertionConsumerService>\n"+
-		"  </SPSSODescriptor>\n"+
-		"</EntityDescriptor>")
+	assert.Check(t, is.Equal(http.StatusOK, resp.Code))
+	assert.Check(t, is.Equal("application/samlmetadata+xml",
+		resp.Header().Get("Content-type")))
+	golden.Assert(t, resp.Body.String(), "expected_middleware_metadata.xml")
 }
 
-func (test *MiddlewareTest) TestFourOhFour(c *C) {
+func TestMiddlewareFourOhFour(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	req, _ := http.NewRequest("GET", "/this/is/not/a/supported/uri", nil)
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
-	c.Assert(resp.Code, Equals, http.StatusNotFound)
-	respBuf, _ := ioutil.ReadAll(resp.Body)
-	c.Assert(string(respBuf), Equals, "404 page not found\n")
+	assert.Check(t, is.Equal(http.StatusNotFound, resp.Code))
+	respBuf, _ := io.ReadAll(resp.Body)
+	assert.Check(t, is.Equal("404 page not found\n", string(respBuf)))
+}
+
+func TestMiddlewareRequireAccountNoCreds(t *testing.T) {
+	test := NewMiddlewareTest(t)
+	test.Middleware.ServiceProvider.AcsURL.Scheme = "http"
+
+	handler := test.Middleware.RequireAccount(
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			panic("not reached")
+		}))
+
+	req, _ := http.NewRequest("GET", "/frob", nil)
+	resp := httptest.NewRecorder()
+	handler.ServeHTTP(resp, req)
+
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
+		test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly",
+		resp.Header().Get("Set-Cookie")))
+
+	redirectURL, err := url.Parse(resp.Header().Get("Location"))
+	assert.Check(t, err)
+	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedRequest), "expected_authn_request.xml")
 }
 
-func (test *MiddlewareTest) TestRequireAccountNoCreds(c *C) {
+func TestMiddlewareRequireAccountNoCredsSecure(t *testing.T) {
+	test := NewMiddlewareTest(t)
+
 	handler := test.Middleware.RequireAccount(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			panic("not reached")
@@ -137,22 +183,22 @@ func (test *MiddlewareTest) TestRequireAccountNoCreds(c *C) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	c.Assert(resp.Code, Equals, http.StatusFound)
-	c.Assert(resp.Header().Get("Set-Cookie"), Equals,
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
-			"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImlkLTAwMDIwNDA2MDgwYTBjMGUxMDEyMTQxNjE4MWExYzFlMjAyMjI0MjYiLCJ1cmkiOiIvZnJvYiJ9.7f-xjK5ZzpP_51YL4aPQSQcIBKKCRb_j6CE9pZieJG0"+
-			"; Path=/saml2/acs; Max-Age=90")
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
+		resp.Header().Get("Set-Cookie")))
 
 	redirectURL, err := url.Parse(resp.Header().Get("Location"))
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	c.Assert(err, IsNil)
-	c.Assert(string(decodedRequest), Equals, "<samlp:AuthnRequest xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" Version=\"2.0\" IssueInstant=\"2015-12-01T01:57:09.123Z\" Destination=\"https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO\" AssertionConsumerServiceURL=\"https://15661444.ngrok.io/saml2/acs\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/></samlp:AuthnRequest>")
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedRequest), "expected_authn_request_secure.xml")
 }
 
-func (test *MiddlewareTest) TestRequireAccountNoCredsPostBinding(c *C) {
+func TestMiddlewareRequireAccountNoCredsPostBinding(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	test.Middleware.ServiceProvider.IDPMetadata.IDPSSODescriptors[0].SingleSignOnServices = test.Middleware.ServiceProvider.IDPMetadata.IDPSSODescriptors[0].SingleSignOnServices[1:2]
-	c.Assert("", Equals, test.Middleware.ServiceProvider.GetSSOBindingLocation(saml.HTTPRedirectBinding))
+	assert.Check(t, is.Equal("",
+		test.Middleware.ServiceProvider.GetSSOBindingLocation(saml.HTTPRedirectBinding)))
 
 	handler := test.Middleware.RequireAccount(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -163,86 +209,53 @@ func (test *MiddlewareTest) TestRequireAccountNoCredsPostBinding(c *C) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	c.Assert(resp.Code, Equals, http.StatusOK)
-	c.Assert(resp.Header().Get("Set-Cookie"), Equals,
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
-			"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImlkLTAwMDIwNDA2MDgwYTBjMGUxMDEyMTQxNjE4MWExYzFlMjAyMjI0MjYiLCJ1cmkiOiIvZnJvYiJ9.7f-xjK5ZzpP_51YL4aPQSQcIBKKCRb_j6CE9pZieJG0"+
-			"; Path=/saml2/acs; Max-Age=90")
-	c.Assert(string(resp.Body.Bytes()), Equals, ""+
-		"<!DOCTYPE html>"+
-		"<html>"+
-		"<body>"+
-		"<form method=\"post\" action=\"https://idp.testshib.org/idp/profile/SAML2/POST/SSO\" id=\"SAMLRequestForm\">"+
-		"<input type=\"hidden\" name=\"SAMLRequest\" value=\"PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iaWQtMDAwMjA0MDYwODBhMGMwZTEwMTIxNDE2MTgxYTFjMWUyMDIyMjQyNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTItMDFUMDE6NTc6MDkuMTIzWiIgRGVzdGluYXRpb249Imh0dHBzOi8vaWRwLnRlc3RzaGliLm9yZy9pZHAvcHJvZmlsZS9TQU1MMi9QT1NUL1NTTyIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwczovLzE1NjYxNDQ0Lm5ncm9rLmlvL3NhbWwyL2FjcyIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIj48c2FtbDpJc3N1ZXIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiPmh0dHBzOi8vMTU2NjE0NDQubmdyb2suaW8vc2FtbDIvbWV0YWRhdGE8L3NhbWw6SXNzdWVyPjxzYW1scDpOYW1lSURQb2xpY3kgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiIEFsbG93Q3JlYXRlPSJ0cnVlIi8&#43;PC9zYW1scDpBdXRoblJlcXVlc3Q&#43;\" />"+
-		"<input type=\"hidden\" name=\"RelayState\" value=\"KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6\" />"+
-		"<input id=\"SAMLSubmitButton\" type=\"submit\" value=\"Submit\" />"+
-		"</form>"+
-		"<script>document.getElementById('SAMLSubmitButton').style.visibility=\"hidden\";</script>"+
-		"<script>document.getElementById('SAMLRequestForm').submit();</script>"+
-		"</body>"+
-		"</html>")
+	assert.Check(t, is.Equal(http.StatusOK, resp.Code))
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
+		resp.Header().Get("Set-Cookie")))
+
+	golden.Assert(t, resp.Body.String(), "expected_post_binding_response.html")
 
 	// check that the CSP script hash is set correctly
-	scriptContent := "document.getElementById('SAMLRequestForm').submit();"
+	scriptContent := "document.getElementById('SAMLSubmitButton').style.visibility=\"hidden\";document.getElementById('SAMLRequestForm').submit();"
 	scriptSum := sha256.Sum256([]byte(scriptContent))
 	scriptHash := base64.StdEncoding.EncodeToString(scriptSum[:])
-	c.Assert(resp.Header().Get("Content-Security-Policy"), Equals,
-		"default-src; script-src 'sha256-"+scriptHash+"'; reflected-xss block; referrer no-referrer;")
+	assert.Check(t, is.Equal("default-src; script-src 'sha256-"+scriptHash+"'; reflected-xss block; referrer no-referrer;",
+		resp.Header().Get("Content-Security-Policy")))
 
-	c.Assert(resp.Header().Get("Content-type"), Equals, "text/html")
+	assert.Check(t, is.Equal("text/html", resp.Header().Get("Content-type")))
 }
 
-func (test *MiddlewareTest) TestRequireAccountCreds(c *C) {
+func TestMiddlewareRequireAccountCreds(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	handler := test.Middleware.RequireAccount(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			c.Assert(r.Header.Get("X-Saml-Telephonenumber"), Equals, "555-5555")
-			c.Assert(r.Header["X-Saml-Edupersonscopedaffiliation"], DeepEquals, []string{"Member@testshib.org", "Staff@testshib.org"})
-			c.Assert(r.Header.Get("X-Saml-Sn"), Equals, "And I")
-			c.Assert(r.Header.Get("X-Saml-Edupersonentitlement"), Equals, "urn:mace:dir:entitlement:common-lib-terms")
-			c.Assert(r.Header.Get("X-Saml-Edupersontargetedid"), Equals, "")
-			c.Assert(r.Header.Get("X-Saml-Givenname"), Equals, "Me Myself")
-			c.Assert(r.Header.Get("X-Saml-Cn"), Equals, "Me Myself And I")
-			c.Assert(r.Header["X-Saml-Edupersonaffiliation"], DeepEquals, []string{"Member", "Staff"})
-			c.Assert(r.Header.Get("X-Saml-Uid"), Equals, "myself")
-			c.Assert(r.Header.Get("X-Saml-Edupersonprincipalname"), Equals, "myself@testshib.org")
+			genericSession := SessionFromContext(r.Context())
+			jwtSession := genericSession.(JWTSessionClaims)
+			assert.Check(t, is.Equal("555-5555", jwtSession.Attributes.Get("telephoneNumber")))
+			assert.Check(t, is.Equal("And I", jwtSession.Attributes.Get("sn")))
+			assert.Check(t, is.Equal("urn:mace:dir:entitlement:common-lib-terms", jwtSession.Attributes.Get("eduPersonEntitlement")))
+			assert.Check(t, is.Equal("", jwtSession.Attributes.Get("eduPersonTargetedID")))
+			assert.Check(t, is.Equal("Me Myself", jwtSession.Attributes.Get("givenName")))
+			assert.Check(t, is.Equal("Me Myself And I", jwtSession.Attributes.Get("cn")))
+			assert.Check(t, is.Equal("myself", jwtSession.Attributes.Get("uid")))
+			assert.Check(t, is.Equal("myself@testshib.org", jwtSession.Attributes.Get("eduPersonPrincipalName")))
+			assert.Check(t, is.DeepEqual([]string{"Member@testshib.org", "Staff@testshib.org"}, jwtSession.Attributes["eduPersonScopedAffiliation"]))
+			assert.Check(t, is.DeepEqual([]string{"Member", "Staff"}, jwtSession.Attributes["eduPersonAffiliation"]))
 			w.WriteHeader(http.StatusTeapot)
 		}))
 
 	req, _ := http.NewRequest("GET", "/frob", nil)
 	req.Header.Set("Cookie", ""+
-		"ttt="+expectedToken+"; "+
+		"ttt="+test.expectedSessionCookie+"; "+
 		"Path=/; Max-Age=7200")
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	c.Assert(resp.Code, Equals, http.StatusTeapot)
-}
-
-func (test *MiddlewareTest) TestFiltersSpecialHeadersInRequest(c *C) {
-	handler := test.Middleware.RequireAccount(
-		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			panic("not reached")
-		}))
-
-	{
-		req, _ := http.NewRequest("GET", "/frob", nil)
-		req.Header.Set("X-Saml-Uid", "root") // evil
-		req.Header.Set("Cookie", "ttt="+expectedToken+"; Path=/; Max-Age=7200")
-		resp := httptest.NewRecorder()
-		c.Assert(func() { handler.ServeHTTP(resp, req) }, PanicMatches, "X-Saml-\\* headers should not exist when this function is called")
-	}
-
-	// make sure case folding works
-	{
-		req, _ := http.NewRequest("GET", "/frob", nil)
-		req.Header.Set("x-SAML-uId", "root") // evil
-		req.Header.Set("Cookie", "ttt="+expectedToken+"; Path=/; Max-Age=7200")
-		resp := httptest.NewRecorder()
-		c.Assert(func() { handler.ServeHTTP(resp, req) }, PanicMatches, "X-Saml-\\* headers should not exist when this function is called")
-	}
+	assert.Check(t, is.Equal(http.StatusTeapot, resp.Code))
 }
 
-func (test *MiddlewareTest) TestRequireAccountBadCreds(c *C) {
+func TestMiddlewareRequireAccountBadCreds(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	handler := test.Middleware.RequireAccount(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			panic("not reached")
@@ -251,25 +264,24 @@ func (test *MiddlewareTest) TestRequireAccountBadCreds(c *C) {
 	req, _ := http.NewRequest("GET", "/frob", nil)
 	req.Header.Set("Cookie", ""+
 		"ttt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.yejJbiI6Ik1lIE15c2VsZiBBbmQgSSIsImVkdVBlcnNvbkFmZmlsaWF0aW9uIjoiU3RhZmYiLCJlZHVQZXJzb25FbnRpdGxlbWVudCI6InVybjptYWNlOmRpcjplbnRpdGxlbWVudDpjb21tb24tbGliLXRlcm1zIiwiZWR1UGVyc29uUHJpbmNpcGFsTmFtZSI6Im15c2VsZkB0ZXN0c2hpYi5vcmciLCJlZHVQZXJzb25TY29wZWRBZmZpbGlhdGlvbiI6IlN0YWZmQHRlc3RzaGliLm9yZyIsImVkdVBlcnNvblRhcmdldGVkSUQiOiIiLCJleHAiOjE0NDg5Mzg2MjksImdpdmVuTmFtZSI6Ik1lIE15c2VsZiIsInNuIjoiQW5kIEkiLCJ0ZWxlcGhvbmVOdW1iZXIiOiI1NTUtNTU1NSIsInVpZCI6Im15c2VsZiJ9.SqeTkbGG35oFj_9H-d9oVdV-Hb7Vqam6LvZLcmia7FY; "+
-		"Path=/; Max-Age=7200")
+		"Path=/; Max-Age=7200; Secure")
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	c.Assert(resp.Code, Equals, http.StatusFound)
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
+
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
+		resp.Header().Get("Set-Cookie")))
 
-	c.Assert(resp.Header().Get("Set-Cookie"), Equals,
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
-			"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImlkLTAwMDIwNDA2MDgwYTBjMGUxMDEyMTQxNjE4MWExYzFlMjAyMjI0MjYiLCJ1cmkiOiIvZnJvYiJ9.7f-xjK5ZzpP_51YL4aPQSQcIBKKCRb_j6CE9pZieJG0"+
-			"; Path=/saml2/acs; Max-Age=90")
 	redirectURL, err := url.Parse(resp.Header().Get("Location"))
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	c.Assert(err, IsNil)
-	c.Assert(string(decodedRequest), Equals, "<samlp:AuthnRequest xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" Version=\"2.0\" IssueInstant=\"2015-12-01T01:57:09.123Z\" Destination=\"https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO\" AssertionConsumerServiceURL=\"https://15661444.ngrok.io/saml2/acs\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/></samlp:AuthnRequest>")
-
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedRequest), "expected_authn_request_secure.xml")
 }
 
-func (test *MiddlewareTest) TestRequireAccountExpiredCreds(c *C) {
+func TestMiddlewareRequireAccountExpiredCreds(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	jwt.TimeFunc = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Mon Dec 1 01:31:21 UTC 2115")
 		return rv
@@ -282,25 +294,24 @@ func (test *MiddlewareTest) TestRequireAccountExpiredCreds(c *C) {
 
 	req, _ := http.NewRequest("GET", "/frob", nil)
 	req.Header.Set("Cookie", ""+
-		"ttt="+expectedToken+"; "+
+		"ttt="+test.expectedSessionCookie+"; "+
 		"Path=/; Max-Age=7200")
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	c.Assert(resp.Code, Equals, http.StatusFound)
-	c.Assert(resp.Header().Get("Set-Cookie"), Equals,
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
-			"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImlkLTAwMDIwNDA2MDgwYTBjMGUxMDEyMTQxNjE4MWExYzFlMjAyMjI0MjYiLCJ1cmkiOiIvZnJvYiJ9.7f-xjK5ZzpP_51YL4aPQSQcIBKKCRb_j6CE9pZieJG0"+
-			"; Path=/saml2/acs; Max-Age=90")
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
+		resp.Header().Get("Set-Cookie")))
 
 	redirectURL, err := url.Parse(resp.Header().Get("Location"))
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	c.Assert(err, IsNil)
-	c.Assert(string(decodedRequest), Equals, "<samlp:AuthnRequest xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" Version=\"2.0\" IssueInstant=\"2015-12-01T01:57:09.123Z\" Destination=\"https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO\" AssertionConsumerServiceURL=\"https://15661444.ngrok.io/saml2/acs\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/></samlp:AuthnRequest>")
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedRequest), "expected_authn_request_secure.xml")
 }
 
-func (test *MiddlewareTest) TestRequireAccountPanicOnRequestToACS(c *C) {
+func TestMiddlewareRequireAccountPanicOnRequestToACS(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	handler := test.Middleware.RequireAccount(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			panic("not reached")
@@ -308,27 +319,12 @@ func (test *MiddlewareTest) TestRequireAccountPanicOnRequestToACS(c *C) {
 
 	req, _ := http.NewRequest("POST", "https://15661444.ngrok.io/saml2/acs", nil)
 	resp := httptest.NewRecorder()
-	c.Assert(func() { handler.ServeHTTP(resp, req) }, Panics,
-		"don't wrap Middleware with RequireAccount")
-}
 
-func (test *MiddlewareTest) TestRejectRequestWithMagicHeader(c *C) {
-	handler := test.Middleware.RequireAccount(
-		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			panic("not reached")
-		}))
-
-	req, _ := http.NewRequest("GET", "/frob", nil)
-	req.Header.Set("Cookie", ""+
-		"ttt="+expectedToken+"; "+
-		"Path=/; Max-Age=7200")
-	req.Header.Set("X-Saml-Uid", "root") // ... evil
-	resp := httptest.NewRecorder()
-	c.Assert(func() { handler.ServeHTTP(resp, req) }, Panics,
-		"X-Saml-* headers should not exist when this function is called")
+	assert.Check(t, is.Panics(func() { handler.ServeHTTP(resp, req) }))
 }
 
-func (test *MiddlewareTest) TestRequireAttribute(c *C) {
+func TestMiddlewareRequireAttribute(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	handler := test.Middleware.RequireAccount(
 		RequireAttribute("eduPersonAffiliation", "Staff")(
 			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -337,15 +333,16 @@ func (test *MiddlewareTest) TestRequireAttribute(c *C) {
 
 	req, _ := http.NewRequest("GET", "/frob", nil)
 	req.Header.Set("Cookie", ""+
-		"ttt="+expectedToken+"; "+
+		"ttt="+test.expectedSessionCookie+"; "+
 		"Path=/; Max-Age=7200")
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	c.Assert(resp.Code, Equals, http.StatusTeapot)
+	assert.Check(t, is.Equal(http.StatusTeapot, resp.Code))
 }
 
-func (test *MiddlewareTest) TestRequireAttributeWrongValue(c *C) {
+func TestMiddlewareRequireAttributeWrongValue(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	handler := test.Middleware.RequireAccount(
 		RequireAttribute("eduPersonAffiliation", "DomainAdmins")(
 			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -354,15 +351,16 @@ func (test *MiddlewareTest) TestRequireAttributeWrongValue(c *C) {
 
 	req, _ := http.NewRequest("GET", "/frob", nil)
 	req.Header.Set("Cookie", ""+
-		"ttt="+expectedToken+"; "+
+		"ttt="+test.expectedSessionCookie+"; "+
 		"Path=/; Max-Age=7200")
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	c.Assert(resp.Code, Equals, http.StatusForbidden)
+	assert.Check(t, is.Equal(http.StatusForbidden, resp.Code))
 }
 
-func (test *MiddlewareTest) TestRequireAttributeNotPresent(c *C) {
+func TestMiddlewareRequireAttributeNotPresent(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	handler := test.Middleware.RequireAccount(
 		RequireAttribute("valueThatDoesntExist", "doesntMatter")(
 			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -371,15 +369,16 @@ func (test *MiddlewareTest) TestRequireAttributeNotPresent(c *C) {
 
 	req, _ := http.NewRequest("GET", "/frob", nil)
 	req.Header.Set("Cookie", ""+
-		"ttt="+expectedToken+"; "+
+		"ttt="+test.expectedSessionCookie+"; "+
 		"Path=/; Max-Age=7200")
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	c.Assert(resp.Code, Equals, http.StatusForbidden)
+	assert.Check(t, is.Equal(http.StatusForbidden, resp.Code))
 }
 
-func (test *MiddlewareTest) TestRequireAttributeMissingAccount(c *C) {
+func TestMiddlewareRequireAttributeMissingAccount(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	handler := RequireAttribute("eduPersonAffiliation", "DomainAdmins")(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			panic("not reached")
@@ -387,56 +386,129 @@ func (test *MiddlewareTest) TestRequireAttributeMissingAccount(c *C) {
 
 	req, _ := http.NewRequest("GET", "/frob", nil)
 	req.Header.Set("Cookie", ""+
-		"ttt="+expectedToken+"; "+
+		"ttt="+test.expectedSessionCookie+"; "+
 		"Path=/; Max-Age=7200")
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	c.Assert(resp.Code, Equals, http.StatusForbidden)
+	assert.Check(t, is.Equal(http.StatusForbidden, resp.Code))
 }
 
-func (test *MiddlewareTest) TestCanParseResponse(c *C) {
+func TestMiddlewareCanParseResponse(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	v := &url.Values{}
-	v.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
+	v.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	v.Set("RelayState", "KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6")
 	req, _ := http.NewRequest("POST", "/saml2/acs", bytes.NewReader([]byte(v.Encode())))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Cookie", ""+
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
-		"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImlkLTllNjE3NTNkNjRlOTI4YWY1YTdhMzQxYTk3ZjQyMGM5IiwidXJpIjoiL2Zyb2IifQ.RHNEmqXQcB_ncWZSPkhOL4Sx5hZFD6eHP1RJ0ZgUhuk")
+		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-9e61753d64e928af5a7a341a97f420c9"))
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
-	c.Assert(resp.Code, Equals, http.StatusFound)
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
+
+	assert.Check(t, is.Equal("/frob", resp.Header().Get("Location")))
+	assert.Check(t, is.DeepEqual([]string{
+		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Domain=15661444.ngrok.io; Expires=Thu, 01 Jan 1970 00:00:01 GMT",
+		"ttt=" + test.expectedSessionCookie + "; " +
+			"Path=/; Domain=15661444.ngrok.io; Max-Age=7200; HttpOnly; Secure"},
+		resp.Header()["Set-Cookie"]))
+}
+
+func TestMiddlewareDefaultCookieDomainIPv4(t *testing.T) {
+	test := NewMiddlewareTest(t)
+	ipv4Loopback := net.IP{127, 0, 0, 1}
+
+	sp := DefaultSessionProvider(Options{
+		URL: mustParseURL("https://" + net.JoinHostPort(ipv4Loopback.String(), "54321")),
+		Key: test.Key,
+	})
+
+	req, _ := http.NewRequest("GET", "/", nil)
+	resp := httptest.NewRecorder()
+	sp.CreateSession(resp, req, &saml.Assertion{})
+
+	assert.Check(t,
+		strings.Contains(resp.Header().Get("Set-Cookie"), "Domain=127.0.0.1;"),
+		"Cookie domain must not contain a port or the cookie cannot be set properly: %v", resp.Header().Get("Set-Cookie"))
+}
+
+func TestMiddlewareDefaultCookieDomainIPv6(t *testing.T) {
+	t.Skip("fails") // TODO(ross): fix this test
 
-	c.Assert(resp.Header().Get("Location"), Equals, "/frob")
-	c.Assert(resp.Header()["Set-Cookie"], DeepEquals, []string{
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Expires=Thu, 01 Jan 1970 00:00:01 GMT",
-		"ttt=" + expectedToken + "; " +
-			"Path=/; Max-Age=7200",
+	test := NewMiddlewareTest(t)
+
+	sp := DefaultSessionProvider(Options{
+		URL: mustParseURL("https://" + net.JoinHostPort(net.IPv6loopback.String(), "54321")),
+		Key: test.Key,
 	})
+
+	req, _ := http.NewRequest("GET", "/", nil)
+	resp := httptest.NewRecorder()
+	sp.CreateSession(resp, req, &saml.Assertion{})
+
+	assert.Check(t,
+		strings.Contains(resp.Header().Get("Set-Cookie"), "Domain=::1;"),
+		"Cookie domain must not contain a port or the cookie cannot be set properly: %v", resp.Header().Get("Set-Cookie"))
 }
 
-func (test *MiddlewareTest) TestRejectsInvalidRelayState(c *C) {
+func TestMiddlewareRejectsInvalidRelayState(t *testing.T) {
+	test := NewMiddlewareTest(t)
+
+	test.Middleware.OnError = func(w http.ResponseWriter, r *http.Request, err error) {
+		assert.Check(t, is.Error(err, http.ErrNoCookie.Error()))
+		http.Error(w, "forbidden", http.StatusTeapot)
+	}
+
 	v := &url.Values{}
-	v.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
+	v.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	v.Set("RelayState", "ICIkJigqLC4wMjQ2ODo8PkBCREZISkxOUFJUVlhaXF5gYmRmaGpsbnBy")
 	req, _ := http.NewRequest("POST", "/saml2/acs", bytes.NewReader([]byte(v.Encode())))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Cookie", ""+
+		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-9e61753d64e928af5a7a341a97f420c9"))
+
+	resp := httptest.NewRecorder()
+	test.Middleware.ServeHTTP(resp, req)
+	assert.Check(t, is.Equal(http.StatusTeapot, resp.Code))
+	assert.Check(t, is.Equal("", resp.Header().Get("Location")))
+	assert.Check(t, is.Equal("", resp.Header().Get("Set-Cookie")))
+}
+
+func TestMiddlewareRejectsInvalidCookie(t *testing.T) {
+	test := NewMiddlewareTest(t)
+
+	test.Middleware.OnError = func(w http.ResponseWriter, r *http.Request, err error) {
+		assert.Check(t, is.Error(err, "Authentication failed"))
+		http.Error(w, "forbidden", http.StatusTeapot)
+	}
+
+	v := &url.Values{}
+	v.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
+	v.Set("RelayState", "KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6")
+	req, _ := http.NewRequest("POST", "/saml2/acs", bytes.NewReader([]byte(v.Encode())))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Cookie", ""+
+		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("wrong"))
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
-	c.Assert(resp.Code, Equals, http.StatusForbidden)
-	c.Assert(resp.Header().Get("Location"), Equals, "")
-	c.Assert(resp.Header().Get("Set-Cookie"), Equals, "")
+	assert.Check(t, is.Equal(http.StatusTeapot, resp.Code))
+	assert.Check(t, is.Equal("", resp.Header().Get("Location")))
+	assert.Check(t, is.Equal("", resp.Header().Get("Set-Cookie")))
 }
 
-func (test *MiddlewareTest) TestHandlesInvalidResponse(c *C) {
+func TestMiddlewareHandlesInvalidResponse(t *testing.T) {
+	test := NewMiddlewareTest(t)
 	v := &url.Values{}
 	v.Set("SAMLResponse", "this is not a valid saml response")
-	v.Set("RelayState", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1cmkiOiIvZnJvYiJ9.QEnpCWpKnhmzWZyfI8GIgCCWyH7qTly8vw-V4oJ1ni0")
+	v.Set("RelayState", "KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6")
+
 	req, _ := http.NewRequest("POST", "/saml2/acs", bytes.NewReader([]byte(v.Encode())))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Cookie", ""+
+		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("wrong"))
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
@@ -444,9 +516,9 @@ func (test *MiddlewareTest) TestHandlesInvalidResponse(c *C) {
 	// note: it is important that when presented with an invalid request,
 	// the ACS handles DOES NOT reveal detailed error information in the
 	// HTTP response.
-	c.Assert(resp.Code, Equals, http.StatusForbidden)
-	respBody, _ := ioutil.ReadAll(resp.Body)
-	c.Assert(string(respBody), Equals, "Forbidden\n")
-	c.Assert(resp.Header().Get("Location"), Equals, "")
-	c.Assert(resp.Header().Get("Set-Cookie"), Equals, "")
+	assert.Check(t, is.Equal(http.StatusForbidden, resp.Code))
+	respBody, _ := io.ReadAll(resp.Body)
+	assert.Check(t, is.Equal("Forbidden\n", string(respBody)))
+	assert.Check(t, is.Equal("", resp.Header().Get("Location")))
+	assert.Check(t, is.Equal("", resp.Header().Get("Set-Cookie")))
 }
diff --git a/samlsp/new.go b/samlsp/new.go
new file mode 100644
index 00000000..93eaca28
--- /dev/null
+++ b/samlsp/new.go
@@ -0,0 +1,128 @@
+// Package samlsp provides helpers that can be used to protect web services using SAML.
+package samlsp
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"net/http"
+	"net/url"
+
+	dsig "github.com/russellhaering/goxmldsig"
+
+	"github.com/lightstep/saml"
+)
+
+// Options represents the parameters for creating a new middleware
+type Options struct {
+	EntityID          string
+	URL               url.URL
+	Key               *rsa.PrivateKey
+	Certificate       *x509.Certificate
+	Intermediates     []*x509.Certificate
+	AllowIDPInitiated bool
+	IDPMetadata       *saml.EntityDescriptor
+	SignRequest       bool
+	ForceAuthn        bool // TODO(ross): this should be *bool
+	CookieSameSite    http.SameSite
+	RelayStateFunc    func(w http.ResponseWriter, r *http.Request) string
+}
+
+// DefaultSessionCodec returns the default SessionCodec for the provided options,
+// a JWTSessionCodec configured to issue signed tokens.
+func DefaultSessionCodec(opts Options) JWTSessionCodec {
+	return JWTSessionCodec{
+		SigningMethod: defaultJWTSigningMethod,
+		Audience:      opts.URL.String(),
+		Issuer:        opts.URL.String(),
+		MaxAge:        defaultSessionMaxAge,
+		Key:           opts.Key,
+	}
+}
+
+// DefaultSessionProvider returns the default SessionProvider for the provided options,
+// a CookieSessionProvider configured to store sessions in a cookie.
+func DefaultSessionProvider(opts Options) CookieSessionProvider {
+	return CookieSessionProvider{
+		Name:     defaultSessionCookieName,
+		Domain:   opts.URL.Host,
+		MaxAge:   defaultSessionMaxAge,
+		HTTPOnly: true,
+		Secure:   opts.URL.Scheme == "https",
+		SameSite: opts.CookieSameSite,
+		Codec:    DefaultSessionCodec(opts),
+	}
+}
+
+// DefaultTrackedRequestCodec returns a new TrackedRequestCodec for the provided
+// options, a JWTTrackedRequestCodec that uses a JWT to encode TrackedRequests.
+func DefaultTrackedRequestCodec(opts Options) JWTTrackedRequestCodec {
+	return JWTTrackedRequestCodec{
+		SigningMethod: defaultJWTSigningMethod,
+		Audience:      opts.URL.String(),
+		Issuer:        opts.URL.String(),
+		MaxAge:        saml.MaxIssueDelay,
+		Key:           opts.Key,
+	}
+}
+
+// DefaultRequestTracker returns a new RequestTracker for the provided options,
+// a CookieRequestTracker which uses cookies to track pending requests.
+func DefaultRequestTracker(opts Options, serviceProvider *saml.ServiceProvider) CookieRequestTracker {
+	return CookieRequestTracker{
+		ServiceProvider: serviceProvider,
+		NamePrefix:      "saml_",
+		Codec:           DefaultTrackedRequestCodec(opts),
+		MaxAge:          saml.MaxIssueDelay,
+		RelayStateFunc:  opts.RelayStateFunc,
+		SameSite:        opts.CookieSameSite,
+	}
+}
+
+// DefaultServiceProvider returns the default saml.ServiceProvider for the provided
+// options.
+func DefaultServiceProvider(opts Options) saml.ServiceProvider {
+	metadataURL := opts.URL.ResolveReference(&url.URL{Path: "saml/metadata"})
+	acsURL := opts.URL.ResolveReference(&url.URL{Path: "saml/acs"})
+	sloURL := opts.URL.ResolveReference(&url.URL{Path: "saml/slo"})
+
+	var forceAuthn *bool
+	if opts.ForceAuthn {
+		forceAuthn = &opts.ForceAuthn
+	}
+	signatureMethod := dsig.RSASHA1SignatureMethod
+	if !opts.SignRequest {
+		signatureMethod = ""
+	}
+
+	return saml.ServiceProvider{
+		EntityID:          opts.EntityID,
+		Key:               opts.Key,
+		Certificate:       opts.Certificate,
+		Intermediates:     opts.Intermediates,
+		MetadataURL:       *metadataURL,
+		AcsURL:            *acsURL,
+		SloURL:            *sloURL,
+		IDPMetadata:       opts.IDPMetadata,
+		ForceAuthn:        forceAuthn,
+		SignatureMethod:   signatureMethod,
+		AllowIDPInitiated: opts.AllowIDPInitiated,
+	}
+}
+
+// New creates a new Middleware with the default providers for the
+// given options.
+//
+// You can customize the behavior of the middleware in more detail by
+// replacing and/or changing Session, RequestTracker, and ServiceProvider
+// in the returned Middleware.
+func New(opts Options) (*Middleware, error) {
+	m := &Middleware{
+		ServiceProvider: DefaultServiceProvider(opts),
+		Binding:         "",
+		OnError:         DefaultOnError,
+		Session:         DefaultSessionProvider(opts),
+	}
+	m.RequestTracker = DefaultRequestTracker(opts, &m.ServiceProvider)
+
+	return m, nil
+}
diff --git a/samlsp/request_tracker.go b/samlsp/request_tracker.go
new file mode 100644
index 00000000..ea1a484d
--- /dev/null
+++ b/samlsp/request_tracker.go
@@ -0,0 +1,46 @@
+package samlsp
+
+import (
+	"net/http"
+)
+
+// RequestTracker tracks pending authentication requests.
+//
+// There are two main reasons for this:
+//
+// 1. When the middleware initiates an authentication request it must track the original URL
+//    in order to redirect the user to the right place after the authentication completes.
+//
+// 2. After the authentication completes, we want to ensure that the user presenting the
+//    assertion is actually the one the request it, to mitigate request forgeries.
+type RequestTracker interface {
+	// TrackRequest starts tracking the SAML request with the given ID. It returns an
+	// `index` that should be used as the RelayState in the SAMl request flow.
+	TrackRequest(w http.ResponseWriter, r *http.Request, samlRequestID string) (index string, err error)
+
+	// StopTrackingRequest stops tracking the SAML request given by index, which is a string
+	// previously returned from TrackRequest
+	StopTrackingRequest(w http.ResponseWriter, r *http.Request, index string) error
+
+	// GetTrackedRequests returns all the pending tracked requests
+	GetTrackedRequests(r *http.Request) []TrackedRequest
+
+	// GetTrackedRequest returns a pending tracked request.
+	GetTrackedRequest(r *http.Request, index string) (*TrackedRequest, error)
+}
+
+// TrackedRequest holds the data we store for each pending request.
+type TrackedRequest struct {
+	Index         string `json:"-"`
+	SAMLRequestID string `json:"id"`
+	URI           string `json:"uri"`
+}
+
+// TrackedRequestCodec handles encoding and decoding of a TrackedRequest.
+type TrackedRequestCodec interface {
+	// Encode returns an encoded string representing the TrackedRequest.
+	Encode(value TrackedRequest) (string, error)
+
+	// Decode returns a Tracked request from an encoded string.
+	Decode(signed string) (*TrackedRequest, error)
+}
diff --git a/samlsp/request_tracker_cookie.go b/samlsp/request_tracker_cookie.go
new file mode 100644
index 00000000..f641ab89
--- /dev/null
+++ b/samlsp/request_tracker_cookie.go
@@ -0,0 +1,111 @@
+package samlsp
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/lightstep/saml"
+)
+
+var _ RequestTracker = CookieRequestTracker{}
+
+// CookieRequestTracker tracks requests by setting a uniquely named
+// cookie for each request.
+type CookieRequestTracker struct {
+	ServiceProvider *saml.ServiceProvider
+	NamePrefix      string
+	Codec           TrackedRequestCodec
+	MaxAge          time.Duration
+	RelayStateFunc  func(w http.ResponseWriter, r *http.Request) string
+	SameSite        http.SameSite
+}
+
+// TrackRequest starts tracking the SAML request with the given ID. It returns an
+// `index` that should be used as the RelayState in the SAMl request flow.
+func (t CookieRequestTracker) TrackRequest(w http.ResponseWriter, r *http.Request, samlRequestID string) (string, error) {
+	trackedRequest := TrackedRequest{
+		Index:         base64.RawURLEncoding.EncodeToString(randomBytes(42)),
+		SAMLRequestID: samlRequestID,
+		URI:           r.URL.String(),
+	}
+
+	if t.RelayStateFunc != nil {
+		relayState := t.RelayStateFunc(w, r)
+		if relayState != "" {
+			trackedRequest.Index = relayState
+		}
+	}
+
+	signedTrackedRequest, err := t.Codec.Encode(trackedRequest)
+	if err != nil {
+		return "", err
+	}
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     t.NamePrefix + trackedRequest.Index,
+		Value:    signedTrackedRequest,
+		MaxAge:   int(t.MaxAge.Seconds()),
+		HttpOnly: true,
+		SameSite: t.SameSite,
+		Secure:   t.ServiceProvider.AcsURL.Scheme == "https",
+		Path:     t.ServiceProvider.AcsURL.Path,
+	})
+
+	return trackedRequest.Index, nil
+}
+
+// StopTrackingRequest stops tracking the SAML request given by index, which is a string
+// previously returned from TrackRequest
+func (t CookieRequestTracker) StopTrackingRequest(w http.ResponseWriter, r *http.Request, index string) error {
+	cookie, err := r.Cookie(t.NamePrefix + index)
+	if err != nil {
+		return err
+	}
+	cookie.Value = ""
+	cookie.Domain = t.ServiceProvider.AcsURL.Hostname()
+	cookie.Expires = time.Unix(1, 0) // past time as close to epoch as possible, but not zero time.Time{}
+	http.SetCookie(w, cookie)
+	return nil
+}
+
+// GetTrackedRequests returns all the pending tracked requests
+func (t CookieRequestTracker) GetTrackedRequests(r *http.Request) []TrackedRequest {
+	rv := []TrackedRequest{}
+	for _, cookie := range r.Cookies() {
+		if !strings.HasPrefix(cookie.Name, t.NamePrefix) {
+			continue
+		}
+
+		trackedRequest, err := t.Codec.Decode(cookie.Value)
+		if err != nil {
+			continue
+		}
+		index := strings.TrimPrefix(cookie.Name, t.NamePrefix)
+		if index != trackedRequest.Index {
+			continue
+		}
+
+		rv = append(rv, *trackedRequest)
+	}
+	return rv
+}
+
+// GetTrackedRequest returns a pending tracked request.
+func (t CookieRequestTracker) GetTrackedRequest(r *http.Request, index string) (*TrackedRequest, error) {
+	cookie, err := r.Cookie(t.NamePrefix + index)
+	if err != nil {
+		return nil, err
+	}
+
+	trackedRequest, err := t.Codec.Decode(cookie.Value)
+	if err != nil {
+		return nil, err
+	}
+	if trackedRequest.Index != index {
+		return nil, fmt.Errorf("expected index %q, got %q", index, trackedRequest.Index)
+	}
+	return trackedRequest, nil
+}
diff --git a/samlsp/request_tracker_jwt.go b/samlsp/request_tracker_jwt.go
new file mode 100644
index 00000000..ca9df342
--- /dev/null
+++ b/samlsp/request_tracker_jwt.go
@@ -0,0 +1,75 @@
+package samlsp
+
+import (
+	"crypto/rsa"
+	"fmt"
+	"time"
+
+	"github.com/form3tech-oss/jwt-go"
+
+	"github.com/lightstep/saml"
+)
+
+var defaultJWTSigningMethod = jwt.SigningMethodRS256
+
+// JWTTrackedRequestCodec encodes TrackedRequests as signed JWTs
+type JWTTrackedRequestCodec struct {
+	SigningMethod jwt.SigningMethod
+	Audience      string
+	Issuer        string
+	MaxAge        time.Duration
+	Key           *rsa.PrivateKey
+}
+
+var _ TrackedRequestCodec = JWTTrackedRequestCodec{}
+
+// JWTTrackedRequestClaims represents the JWT claims for a tracked request.
+type JWTTrackedRequestClaims struct {
+	jwt.StandardClaims
+	TrackedRequest
+	SAMLAuthnRequest bool `json:"saml-authn-request"`
+}
+
+// Encode returns an encoded string representing the TrackedRequest.
+func (s JWTTrackedRequestCodec) Encode(value TrackedRequest) (string, error) {
+	now := saml.TimeNow()
+	claims := JWTTrackedRequestClaims{
+		StandardClaims: jwt.StandardClaims{
+			Audience:  []string{s.Audience},
+			ExpiresAt: now.Add(s.MaxAge).Unix(),
+			IssuedAt:  now.Unix(),
+			Issuer:    s.Issuer,
+			NotBefore: now.Unix(), // TODO(ross): correct for clock skew
+			Subject:   value.Index,
+		},
+		TrackedRequest:   value,
+		SAMLAuthnRequest: true,
+	}
+	token := jwt.NewWithClaims(s.SigningMethod, claims)
+	return token.SignedString(s.Key)
+}
+
+// Decode returns a Tracked request from an encoded string.
+func (s JWTTrackedRequestCodec) Decode(signed string) (*TrackedRequest, error) {
+	parser := jwt.Parser{
+		ValidMethods: []string{s.SigningMethod.Alg()},
+	}
+	claims := JWTTrackedRequestClaims{}
+	_, err := parser.ParseWithClaims(signed, &claims, func(*jwt.Token) (interface{}, error) {
+		return s.Key.Public(), nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	if !claims.VerifyAudience(s.Audience, true) {
+		return nil, fmt.Errorf("expected audience %q, got %q", s.Audience, claims.Audience)
+	}
+	if !claims.VerifyIssuer(s.Issuer, true) {
+		return nil, fmt.Errorf("expected issuer %q, got %q", s.Issuer, claims.Issuer)
+	}
+	if claims.SAMLAuthnRequest != true {
+		return nil, fmt.Errorf("expected saml-authn-request")
+	}
+	claims.TrackedRequest.Index = claims.Subject
+	return &claims.TrackedRequest, nil
+}
diff --git a/samlsp/samlsp.go b/samlsp/samlsp.go
deleted file mode 100644
index 4e5fb0a8..00000000
--- a/samlsp/samlsp.go
+++ /dev/null
@@ -1,120 +0,0 @@
-// Package samlsp provides helpers that can be used to protect web
-// services using SAML.
-package samlsp
-
-import (
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/xml"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"net/url"
-	"time"
-
-	"github.com/lightstep/saml"
-	"github.com/lightstep/saml/logger"
-)
-
-// Options represents the parameters for creating a new middleware
-type Options struct {
-	URL               url.URL
-	Key               *rsa.PrivateKey
-	Logger            logger.Interface
-	Certificate       *x509.Certificate
-	AllowIDPInitiated bool
-	IDPMetadata       *saml.EntityDescriptor
-	IDPMetadataURL    *url.URL
-	HTTPClient        *http.Client
-}
-
-// New creates a new Middleware
-func New(opts Options) (*Middleware, error) {
-
-	metadataURL := opts.URL
-	metadataURL.Path = metadataURL.Path + "/saml/metadata"
-	acsURL := opts.URL
-	acsURL.Path = acsURL.Path + "/saml/acs"
-	logr := opts.Logger
-	if logr == nil {
-		logr = logger.DefaultLogger
-	}
-
-	m := &Middleware{
-		ServiceProvider: saml.ServiceProvider{
-			Key:         opts.Key,
-			Logger:      logr,
-			Certificate: opts.Certificate,
-			MetadataURL: metadataURL,
-			AcsURL:      acsURL,
-			IDPMetadata: opts.IDPMetadata,
-		},
-		AllowIDPInitiated: opts.AllowIDPInitiated,
-		CookieName:        defaultCookieName,
-		CookieMaxAge:      defaultCookieMaxAge,
-	}
-
-	// fetch the IDP metadata if needed.
-	if opts.IDPMetadataURL == nil {
-		return m, nil
-	}
-
-	c := opts.HTTPClient
-	if c == nil {
-		c = http.DefaultClient
-	}
-	req, err := http.NewRequest("GET", opts.IDPMetadataURL.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-	// Some providers (like OneLogin) do not work properly unless the User-Agent header is specified.
-	// Setting the user agent prevents the 403 Forbidden errors.
-	req.Header.Set("User-Agent", "Golang; github.com/lightstep/saml")
-
-	for i := 0; true; i++ {
-		resp, err := c.Do(req)
-		if err == nil && resp.StatusCode != http.StatusOK {
-			err = fmt.Errorf("%d %s", resp.StatusCode, resp.Status)
-		}
-		var data []byte
-		if err == nil {
-			data, err = ioutil.ReadAll(resp.Body)
-			resp.Body.Close()
-		}
-		if err != nil {
-			if i > 10 {
-				return nil, err
-			}
-			logr.Printf("ERROR: %s: %s (will retry)", opts.IDPMetadataURL, err)
-			time.Sleep(5 * time.Second)
-			continue
-		}
-
-		entity := &saml.EntityDescriptor{}
-		err = xml.Unmarshal(data, entity)
-
-		// this comparison is ugly, but it is how the error is generated in encoding/xml
-		if err != nil && err.Error() == "expected element type <EntityDescriptor> but have <EntitiesDescriptor>" {
-			entities := &saml.EntitiesDescriptor{}
-			if err := xml.Unmarshal(data, entities); err != nil {
-				return nil, err
-			}
-
-			err = fmt.Errorf("no entity found with IDPSSODescriptor")
-			for _, e := range entities.EntityDescriptors {
-				if len(e.IDPSSODescriptors) > 0 {
-					entity = &e
-					err = nil
-				}
-			}
-		}
-		if err != nil {
-			return nil, err
-		}
-
-		m.ServiceProvider.IDPMetadata = entity
-		return m, nil
-	}
-
-	panic("unreachable")
-}
diff --git a/samlsp/samlsp_test.go b/samlsp/samlsp_test.go
index eb67d832..75fa6894 100644
--- a/samlsp/samlsp_test.go
+++ b/samlsp/samlsp_test.go
@@ -1,26 +1,20 @@
 package samlsp
 
 import (
+	"bytes"
+	"context"
 	"crypto"
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
-	"strings"
+	"testing"
 
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
 )
 
-var _ = Suite(&ParseTest{})
-
-type ParseTest struct {
-}
-
-func (test *ParseTest) SetUpTest(c *C) {
-
-}
-
 type mockTransport func(req *http.Request) (*http.Response, error)
 
 func (mt mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -35,8 +29,8 @@ func mustParseURL(s string) url.URL {
 	return *rv
 }
 
-func mustParsePrivateKey(pemStr string) crypto.PrivateKey {
-	b, _ := pem.Decode([]byte(pemStr))
+func mustParsePrivateKey(pemStr []byte) crypto.PrivateKey {
+	b, _ := pem.Decode(pemStr)
 	if b == nil {
 		panic("cannot parse PEM")
 	}
@@ -47,8 +41,8 @@ func mustParsePrivateKey(pemStr string) crypto.PrivateKey {
 	return k
 }
 
-func mustParseCertificate(pemStr string) *x509.Certificate {
-	b, _ := pem.Decode([]byte(pemStr))
+func mustParseCertificate(pemStr []byte) *x509.Certificate {
+	b, _ := pem.Decode(pemStr)
 	if b == nil {
 		panic("cannot parse PEM")
 	}
@@ -59,519 +53,21 @@ func mustParseCertificate(pemStr string) *x509.Certificate {
 	return cert
 }
 
-func (test *ParseTest) TestCanParseTestshibMetadata(c *C) {
-	http.DefaultTransport = mockTransport(func(req *http.Request) (*http.Response, error) {
-		responseBody := `<EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two"
-    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-    xmlns:mdalg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-
-    <!-- This file contains the metadata for the testing IdP and SP
-     that are operated by TestShib as a service for testing new
-     Shibboleth and SAML providers. -->
-
-    <EntityDescriptor entityID="https://idp.testshib.org/idp/shibboleth">
-
-        <Extensions>
-            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
-            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" />
-            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
-            <mdalg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" />
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
-        </Extensions>
-
-        <IDPSSODescriptor
-            protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
-            <Extensions>
-                <shibmd:Scope regexp="false">testshib.org</shibmd:Scope>
-                <mdui:UIInfo>
-                    <mdui:DisplayName xml:lang="en">TestShib Test IdP</mdui:DisplayName>
-                    <mdui:Description xml:lang="en">TestShib IdP. Use this as a source of attributes
-                        for your test SP.</mdui:Description>
-                    <mdui:Logo height="88" width="253"
-                        >https://www.testshib.org/testshibtwo.jpg</mdui:Logo>
-                </mdui:UIInfo>
-
-            </Extensions>
-            <!-- old signing key
-            <KeyDescriptor>
-                <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-                            MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
-                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
-                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
-                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
-                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
-                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
-                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
-                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
-                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
-                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
-                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
-                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
-                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
-                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
-                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
-                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
-                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
-                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
-                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
-                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
-                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
-                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-                </ds:KeyInfo>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
-            </KeyDescriptor>
-            -->
-
-            <!-- new signing key -->
-            <KeyDescriptor>
-                <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-                            MIIDAzCCAeugAwIBAgIVAPX0G6LuoXnKS0Muei006mVSBXbvMA0GCSqGSIb3DQEB
-                            CwUAMBsxGTAXBgNVBAMMEGlkcC50ZXN0c2hpYi5vcmcwHhcNMTYwODIzMjEyMDU0
-                            WhcNMzYwODIzMjEyMDU0WjAbMRkwFwYDVQQDDBBpZHAudGVzdHNoaWIub3JnMIIB
-                            IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9C4J2DiRTEhJAWzPt1S3ryh
-                            m3M2P3hPpwJwvt2q948vdTUxhhvNMuc3M3S4WNh6JYBs53R+YmjqJAII4ShMGNEm
-                            lGnSVfHorex7IxikpuDPKV3SNf28mCAZbQrX+hWA+ann/uifVzqXktOjs6DdzdBn
-                            xoVhniXgC8WCJwKcx6JO/hHsH1rG/0DSDeZFpTTcZHj4S9MlLNUtt5JxRzV/MmmB
-                            3ObaX0CMqsSWUOQeE4nylSlp5RWHCnx70cs9kwz5WrflnbnzCeHU2sdbNotBEeTH
-                            ot6a2cj/pXlRJIgPsrL/4VSicPZcGYMJMPoLTJ8mdy6mpR6nbCmP7dVbCIm/DQID
-                            AQABoz4wPDAdBgNVHQ4EFgQUUfaDa2mPi24x09yWp1OFXmZ2GPswGwYDVR0RBBQw
-                            EoIQaWRwLnRlc3RzaGliLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEASKKgqTxhqBzR
-                            OZ1eVy++si+eTTUQZU4+8UywSKLia2RattaAPMAcXUjO+3cYOQXLVASdlJtt+8QP
-                            dRkfp8SiJemHPXC8BES83pogJPYEGJsKo19l4XFJHPnPy+Dsn3mlJyOfAa8RyWBS
-                            80u5lrvAcr2TJXt9fXgkYs7BOCigxtZoR8flceGRlAZ4p5FPPxQR6NDYb645jtOT
-                            MVr3zgfjP6Wh2dt+2p04LG7ENJn8/gEwtXVuXCsPoSCDx9Y0QmyXTJNdV1aB0AhO
-                            RkWPlFYwp+zOyOIR+3m1+pqWFpn0eT/HrxpdKa74FA3R2kq4R7dXe4G0kUgXTdqX
-                            MLRKhDgdmA==
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-                </ds:KeyInfo>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
-            </KeyDescriptor>
-
-            <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-                Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
-                index="1"/>
-            <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
-                Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
-                index="2"/>
-
-            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-
-            <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
-                Location="https://idp.testshib.org/idp/profile/Shibboleth/SSO"/>
-            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-                Location="https://idp.testshib.org/idp/profile/SAML2/POST/SSO"/>
-            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-                Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"/>
-            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
-                Location="https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP"/>
-
-        </IDPSSODescriptor>
-
-        <AttributeAuthorityDescriptor
-            protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-
-            <!-- old SSL/TLS
-            <KeyDescriptor>
-                <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-                            MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
-                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
-                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
-                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
-                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
-                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
-                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
-                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
-                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
-                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
-                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
-                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
-                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
-                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
-                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
-                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
-                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
-                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
-                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
-                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
-                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
-                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-                </ds:KeyInfo>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
-            </KeyDescriptor>
-            -->
-
-            <!-- new SSL/TLS -->
-            <KeyDescriptor>
-                <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-                            MIIDAzCCAeugAwIBAgIVAPX0G6LuoXnKS0Muei006mVSBXbvMA0GCSqGSIb3DQEB
-                            CwUAMBsxGTAXBgNVBAMMEGlkcC50ZXN0c2hpYi5vcmcwHhcNMTYwODIzMjEyMDU0
-                            WhcNMzYwODIzMjEyMDU0WjAbMRkwFwYDVQQDDBBpZHAudGVzdHNoaWIub3JnMIIB
-                            IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9C4J2DiRTEhJAWzPt1S3ryh
-                            m3M2P3hPpwJwvt2q948vdTUxhhvNMuc3M3S4WNh6JYBs53R+YmjqJAII4ShMGNEm
-                            lGnSVfHorex7IxikpuDPKV3SNf28mCAZbQrX+hWA+ann/uifVzqXktOjs6DdzdBn
-                            xoVhniXgC8WCJwKcx6JO/hHsH1rG/0DSDeZFpTTcZHj4S9MlLNUtt5JxRzV/MmmB
-                            3ObaX0CMqsSWUOQeE4nylSlp5RWHCnx70cs9kwz5WrflnbnzCeHU2sdbNotBEeTH
-                            ot6a2cj/pXlRJIgPsrL/4VSicPZcGYMJMPoLTJ8mdy6mpR6nbCmP7dVbCIm/DQID
-                            AQABoz4wPDAdBgNVHQ4EFgQUUfaDa2mPi24x09yWp1OFXmZ2GPswGwYDVR0RBBQw
-                            EoIQaWRwLnRlc3RzaGliLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEASKKgqTxhqBzR
-                            OZ1eVy++si+eTTUQZU4+8UywSKLia2RattaAPMAcXUjO+3cYOQXLVASdlJtt+8QP
-                            dRkfp8SiJemHPXC8BES83pogJPYEGJsKo19l4XFJHPnPy+Dsn3mlJyOfAa8RyWBS
-                            80u5lrvAcr2TJXt9fXgkYs7BOCigxtZoR8flceGRlAZ4p5FPPxQR6NDYb645jtOT
-                            MVr3zgfjP6Wh2dt+2p04LG7ENJn8/gEwtXVuXCsPoSCDx9Y0QmyXTJNdV1aB0AhO
-                            RkWPlFYwp+zOyOIR+3m1+pqWFpn0eT/HrxpdKa74FA3R2kq4R7dXe4G0kUgXTdqX
-                            MLRKhDgdmA==
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-                </ds:KeyInfo>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
-            </KeyDescriptor>
-
-            <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-                Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
-            <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
-                Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
-
-            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-
-        </AttributeAuthorityDescriptor>
-
-        <Organization>
-            <OrganizationName xml:lang="en">TestShib Two Identity Provider</OrganizationName>
-            <OrganizationDisplayName xml:lang="en">TestShib Two</OrganizationDisplayName>
-            <OrganizationURL xml:lang="en">http://www.testshib.org/testshib-two/</OrganizationURL>
-        </Organization>
-        <ContactPerson contactType="technical">
-            <GivenName>Nate</GivenName>
-            <SurName>Klingenstein</SurName>
-            <EmailAddress>ndk@internet2.edu</EmailAddress>
-        </ContactPerson>
-    </EntityDescriptor>
-
-    <!-- = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = -->
-    <!--             Metadata for SP.TESTSHIB.ORG                    -->
-    <!-- = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = -->
-
-    <EntityDescriptor entityID="https://sp.testshib.org/shibboleth-sp">
-
-        <Extensions>
-            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
-            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
-            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
-            <mdalg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
-            <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
-        </Extensions>
-
-
-        <!-- An SP supporting SAML 1 and 2 contains this element with protocol support as shown. -->
-        <SPSSODescriptor
-            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
-
-            <Extensions>
-                <!-- A request initiator at /Testshib that you can use to customize authentication requests issued to your IdP by TestShib. -->
-                <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://sp.testshib.org/Shibboleth.sso/TestShib"/>
-
-                <mdui:UIInfo>
-                    <mdui:DisplayName xml:lang="en">TestShib Test SP</mdui:DisplayName>
-                    <mdui:Description xml:lang="en">TestShib SP. Log into this to test your machine.
-                        Once logged in check that all attributes that you expected have been
-                        released.</mdui:Description>
-                    <mdui:Logo height="88" width="253">https://www.testshib.org/testshibtwo.jpg</mdui:Logo>
-                </mdui:UIInfo>
-            </Extensions>
-
-            <KeyDescriptor>
-                <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-                            MIIEPjCCAyagAwIBAgIBADANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJVUzEV
-                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMSIwIAYD
-                            VQQKExlUZXN0U2hpYiBTZXJ2aWNlIFByb3ZpZGVyMRgwFgYDVQQDEw9zcC50ZXN0
-                            c2hpYi5vcmcwHhcNMDYwODMwMjEyNDM5WhcNMTYwODI3MjEyNDM5WjB3MQswCQYD
-                            VQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1
-                            cmdoMSIwIAYDVQQKExlUZXN0U2hpYiBTZXJ2aWNlIFByb3ZpZGVyMRgwFgYDVQQD
-                            Ew9zcC50ZXN0c2hpYi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-                            AQDJyR6ZP6MXkQ9z6RRziT0AuCabDd3x1m7nLO9ZRPbr0v1LsU+nnC363jO8nGEq
-                            sqkgiZ/bSsO5lvjEt4ehff57ERio2Qk9cYw8XCgmYccVXKH9M+QVO1MQwErNobWb
-                            AjiVkuhWcwLWQwTDBowfKXI87SA7KR7sFUymNx5z1aoRvk3GM++tiPY6u4shy8c7
-                            vpWbVfisfTfvef/y+galxjPUQYHmegu7vCbjYP3On0V7/Ivzr+r2aPhp8egxt00Q
-                            XpilNai12LBYV3Nv/lMsUzBeB7+CdXRVjZOHGuQ8mGqEbsj8MBXvcxIKbcpeK5Zi
-                            JCVXPfarzuriM1G5y5QkKW+LAgMBAAGjgdQwgdEwHQYDVR0OBBYEFKB6wPDxwYrY
-                            StNjU5P4b4AjBVQVMIGhBgNVHSMEgZkwgZaAFKB6wPDxwYrYStNjU5P4b4AjBVQV
-                            oXukeTB3MQswCQYDVQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYD
-                            VQQHEwpQaXR0c2J1cmdoMSIwIAYDVQQKExlUZXN0U2hpYiBTZXJ2aWNlIFByb3Zp
-                            ZGVyMRgwFgYDVQQDEw9zcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
-                            BgkqhkiG9w0BAQUFAAOCAQEAc06Kgt7ZP6g2TIZgMbFxg6vKwvDL0+2dzF11Onpl
-                            5sbtkPaNIcj24lQ4vajCrrGKdzHXo9m54BzrdRJ7xDYtw0dbu37l1IZVmiZr12eE
-                            Iay/5YMU+aWP1z70h867ZQ7/7Y4HW345rdiS6EW663oH732wSYNt9kr7/0Uer3KD
-                            9CuPuOidBacospDaFyfsaJruE99Kd6Eu/w5KLAGG+m0iqENCziDGzVA47TngKz2v
-                            PVA+aokoOyoz3b53qeti77ijatSEoKjxheBWpO+eoJeGq/e49Um3M2ogIX/JAlMa
-                            Inh+vYSYngQB2sx9LGkR9KHaMKNIGCDehk93Xla4pWJx1w==
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-                </ds:KeyInfo>
-                <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
-                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
-            </KeyDescriptor>
-
-            <!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
-
-            <SingleLogoutService Location="https://sp.testshib.org/Shibboleth.sso/SLO/SOAP"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
-            <SingleLogoutService Location="https://sp.testshib.org/Shibboleth.sso/SLO/Redirect"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
-            <SingleLogoutService Location="https://sp.testshib.org/Shibboleth.sso/SLO/POST"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
-            <SingleLogoutService Location="https://sp.testshib.org/Shibboleth.sso/SLO/Artifact"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
-
-
-            <!-- This tells IdPs that you only need transient identifiers. -->
-            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-
-            <!--
-		This tells IdPs where and how to send authentication assertions. Mostly
-		the SP will tell the IdP what location to use in its request, but this
-		is how the IdP validates the location and also figures out which
-		SAML version/binding to use.
-		-->
-
-            <AssertionConsumerService index="1" isDefault="true"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-                Location="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"/>
-            <AssertionConsumerService index="2"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
-                Location="https://sp.testshib.org/Shibboleth.sso/SAML2/POST-SimpleSign"/>
-            <AssertionConsumerService index="3"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-                Location="https://sp.testshib.org/Shibboleth.sso/SAML2/Artifact"/>
-            <AssertionConsumerService index="4"
-                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
-                Location="https://sp.testshib.org/Shibboleth.sso/SAML/POST"/>
-            <AssertionConsumerService index="5"
-                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
-                Location="https://sp.testshib.org/Shibboleth.sso/SAML/Artifact"/>
-            <AssertionConsumerService index="6"
-                Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
-                Location="https://sp.testshib.org/Shibboleth.sso/ADFS"/>
-
-            <!-- A couple additional assertion consumers for the registration webapp. -->
-
-            <AssertionConsumerService index="7"
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-                Location="https://www.testshib.org/Shibboleth.sso/SAML2/POST"/>
-            <AssertionConsumerService index="8"
-                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
-                Location="https://www.testshib.org/Shibboleth.sso/SAML/POST"/>
-
-        </SPSSODescriptor>
-
-        <!-- This is just information about the entity in human terms. -->
-        <Organization>
-            <OrganizationName xml:lang="en">TestShib Two Service Provider</OrganizationName>
-            <OrganizationDisplayName xml:lang="en">TestShib Two</OrganizationDisplayName>
-            <OrganizationURL xml:lang="en">http://www.testshib.org/testshib-two/</OrganizationURL>
-        </Organization>
-        <ContactPerson contactType="technical">
-            <GivenName>Nate</GivenName>
-            <SurName>Klingenstein</SurName>
-            <EmailAddress>ndk@internet2.edu</EmailAddress>
-        </ContactPerson>
-
-    </EntityDescriptor>
-
-
-</EntitiesDescriptor>`
-		return &http.Response{
-			Header:     http.Header{},
-			Request:    req,
-			StatusCode: http.StatusOK,
-			Body:       ioutil.NopCloser(strings.NewReader(responseBody)),
-		}, nil
-	})
-
-	u := mustParseURL("https://idp.testshib.org/idp/shibboleth")
-	_, err := New(Options{IDPMetadataURL: &u})
-	c.Assert(err, IsNil)
-}
-
-func (test *ParseTest) TestCanParseGoogleMetadata(c *C) {
-	http.DefaultTransport = mockTransport(func(req *http.Request) (*http.Response, error) {
-		responseBody := `<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=123456789" validUntil="2021-01-03T16:17:49.000Z">
-  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <md:KeyDescriptor use="signing">
-      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:X509Data>
-          <ds:X509Certificate>MIIDRTCCAi2gAwIBAgIJAJmEH6sae9eeMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV
-BAMTFW15c2VydmljZS5leGFtcGxlLmNvbTAeFw0xNjAxMDUxNjIxMDhaFw0xNzAx
-MDQxNjIxMDhaMCAxHjAcBgNVBAMTFW15c2VydmljZS5leGFtcGxlLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMONpY1MGEw+GF3FSjVLuyZcS6i/
-CYi4VNIDKkX+w//yd2SKvEWI6cvEdwDhrFXeIyISq59uTPhsyc6Ig4Lr1XtbjhjW
-LSpTO7+nVCCjxF5mYm22550N4BUaO0cA4uLyU1lAlPIWdgvSowwpoeSy0PLqtqfN
-RJL/MHrNXZAXNjpPyUfonfq3jcZVLrvxg9pbEjMa5NanlSweNVtPSF806gZCID5f
-BBafN/m5xL18Vx3zfk7qv9G9jrkK24aaQ0lsjLY+kIXdRkfz6Qc/nWMri0kJPIev
-Slwj/rQQ/oF1ljyYXvGaSlIPIRGilXqCc6+yMN7/YMNN5T9b51ENMLyk16kCAwEA
-AaOBgTB/MB0GA1UdDgQWBBSk7n+OaCqaDMkeIq0jFuNatPtuBDBQBgNVHSMESTBH
-gBSk7n+OaCqaDMkeIq0jFuNatPtuBKEkpCIwIDEeMBwGA1UEAxMVbXlzZXJ2aWNl
-LmV4YW1wbGUuY29tggkAmYQfqxp7154wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
-AQUFAAOCAQEAMpvF7AwBv29vmgRYf1riXM+jidmANHADjgoR49JLijto1fo32RL8
-47UewSZW+0ojocBYWqTK0EPl7vOxVBGEmtn/OQyGhs2H1urdtokDp7LzoMJoj2jR
-cOqlJq7b1mkTI4y7btNRmFwWFFx7/ftkYk1qxbfiqXfMtN02aznFhZTLdcfyCPia
-ZIfLCYSxUx2xzv5jp16T2JxyQusAJo82yIZOICYgZRzoKodTSsP8cOOfRhnUlUE+
-ZV50RFLmIOGWbFvl8ktKyqlDC7eWT0+7C+YV3qRdOuDn+SlXFGhw8wgGV2HtVT7D
-MUsphIQXHXtrx4Z3qRgE/uZ8z98LA35XfA==</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </md:KeyDescriptor>
-    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
-    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=123456789"/>
-    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=123456789"/>
-  </md:IDPSSODescriptor>
-</md:EntityDescriptor>`
-		return &http.Response{
-			Header:     http.Header{},
-			Request:    req,
-			StatusCode: http.StatusOK,
-			Body:       ioutil.NopCloser(strings.NewReader(responseBody)),
-		}, nil
-	})
-
-	u := mustParseURL("https://accounts.google.com/o/saml2?idpid=123456789")
-	_, err := New(Options{IDPMetadataURL: &u})
-	c.Assert(err, IsNil)
-}
-
-func (test *ParseTest) TestCanParseFreeIPAMetadata(c *C) {
-	http.DefaultTransport = mockTransport(func(req *http.Request) (*http.Response, error) {
-		responseBody := `<?xml version='1.0' encoding='UTF-8'?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2021-10-11T12:03:21.537380" entityID="https://ipa.example.com/idp/saml2/metadata">
-  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <md:KeyDescriptor use="signing">
-      <ds:KeyInfo>
-        <ds:X509Data>
-          <ds:X509Certificate>MIIDRTCCAi2gAwIBAgIJAJmEH6sae9eeMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV
-BAMTFW15c2VydmljZS5leGFtcGxlLmNvbTAeFw0xNjAxMDUxNjIxMDhaFw0xNzAx
-MDQxNjIxMDhaMCAxHjAcBgNVBAMTFW15c2VydmljZS5leGFtcGxlLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMONpY1MGEw+GF3FSjVLuyZcS6i/
-CYi4VNIDKkX+w//yd2SKvEWI6cvEdwDhrFXeIyISq59uTPhsyc6Ig4Lr1XtbjhjW
-LSpTO7+nVCCjxF5mYm22550N4BUaO0cA4uLyU1lAlPIWdgvSowwpoeSy0PLqtqfN
-RJL/MHrNXZAXNjpPyUfonfq3jcZVLrvxg9pbEjMa5NanlSweNVtPSF806gZCID5f
-BBafN/m5xL18Vx3zfk7qv9G9jrkK24aaQ0lsjLY+kIXdRkfz6Qc/nWMri0kJPIev
-Slwj/rQQ/oF1ljyYXvGaSlIPIRGilXqCc6+yMN7/YMNN5T9b51ENMLyk16kCAwEA
-AaOBgTB/MB0GA1UdDgQWBBSk7n+OaCqaDMkeIq0jFuNatPtuBDBQBgNVHSMESTBH
-gBSk7n+OaCqaDMkeIq0jFuNatPtuBKEkpCIwIDEeMBwGA1UEAxMVbXlzZXJ2aWNl
-LmV4YW1wbGUuY29tggkAmYQfqxp7154wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
-AQUFAAOCAQEAMpvF7AwBv29vmgRYf1riXM+jidmANHADjgoR49JLijto1fo32RL8
-47UewSZW+0ojocBYWqTK0EPl7vOxVBGEmtn/OQyGhs2H1urdtokDp7LzoMJoj2jR
-cOqlJq7b1mkTI4y7btNRmFwWFFx7/ftkYk1qxbfiqXfMtN02aznFhZTLdcfyCPia
-ZIfLCYSxUx2xzv5jp16T2JxyQusAJo82yIZOICYgZRzoKodTSsP8cOOfRhnUlUE+
-ZV50RFLmIOGWbFvl8ktKyqlDC7eWT0+7C+YV3qRdOuDn+SlXFGhw8wgGV2HtVT7D
-MUsphIQXHXtrx4Z3qRgE/uZ8z98LA35XfA==
-</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </md:KeyDescriptor>
-    <md:KeyDescriptor use="encryption">
-      <ds:KeyInfo>
-        <ds:X509Data>
-          <ds:X509Certificate>MIIDRTCCAi2gAwIBAgIJAJmEH6sae9eeMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV
-BAMTFW15c2VydmljZS5leGFtcGxlLmNvbTAeFw0xNjAxMDUxNjIxMDhaFw0xNzAx
-MDQxNjIxMDhaMCAxHjAcBgNVBAMTFW15c2VydmljZS5leGFtcGxlLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMONpY1MGEw+GF3FSjVLuyZcS6i/
-CYi4VNIDKkX+w//yd2SKvEWI6cvEdwDhrFXeIyISq59uTPhsyc6Ig4Lr1XtbjhjW
-LSpTO7+nVCCjxF5mYm22550N4BUaO0cA4uLyU1lAlPIWdgvSowwpoeSy0PLqtqfN
-RJL/MHrNXZAXNjpPyUfonfq3jcZVLrvxg9pbEjMa5NanlSweNVtPSF806gZCID5f
-BBafN/m5xL18Vx3zfk7qv9G9jrkK24aaQ0lsjLY+kIXdRkfz6Qc/nWMri0kJPIev
-Slwj/rQQ/oF1ljyYXvGaSlIPIRGilXqCc6+yMN7/YMNN5T9b51ENMLyk16kCAwEA
-AaOBgTB/MB0GA1UdDgQWBBSk7n+OaCqaDMkeIq0jFuNatPtuBDBQBgNVHSMESTBH
-gBSk7n+OaCqaDMkeIq0jFuNatPtuBKEkpCIwIDEeMBwGA1UEAxMVbXlzZXJ2aWNl
-LmV4YW1wbGUuY29tggkAmYQfqxp7154wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
-AQUFAAOCAQEAMpvF7AwBv29vmgRYf1riXM+jidmANHADjgoR49JLijto1fo32RL8
-47UewSZW+0ojocBYWqTK0EPl7vOxVBGEmtn/OQyGhs2H1urdtokDp7LzoMJoj2jR
-cOqlJq7b1mkTI4y7btNRmFwWFFx7/ftkYk1qxbfiqXfMtN02aznFhZTLdcfyCPia
-ZIfLCYSxUx2xzv5jp16T2JxyQusAJo82yIZOICYgZRzoKodTSsP8cOOfRhnUlUE+
-ZV50RFLmIOGWbFvl8ktKyqlDC7eWT0+7C+YV3qRdOuDn+SlXFGhw8wgGV2HtVT7D
-MUsphIQXHXtrx4Z3qRgE/uZ8z98LA35XfA==
-</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </md:KeyDescriptor>
-    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ipa.example.com/idp/saml2/SSO/POST"/>
-    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ipa.example.com/idp/saml2/SSO/Redirect"/>
-    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ipa.example.com/idp/saml2/SSO/SOAP"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ipa.example.com/idp/saml2/SLO/Redirect"/>
-    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
-    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
-    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
-  </md:IDPSSODescriptor>
-</md:EntityDescriptor>`
-		return &http.Response{
-			Header:     http.Header{},
-			Request:    req,
-			StatusCode: http.StatusOK,
-			Body:       ioutil.NopCloser(strings.NewReader(responseBody)),
-		}, nil
-	})
+func TestCanParseTestshibMetadata(t *testing.T) {
+	httpClient := http.Client{
+		Transport: mockTransport(func(req *http.Request) (*http.Response, error) {
+			responseBody := golden.Get(t, "testshib_metadata.xml")
+			return &http.Response{
+				Header:     http.Header{},
+				Request:    req,
+				StatusCode: http.StatusOK,
+				Body:       io.NopCloser(bytes.NewReader(responseBody)),
+			}, nil
+		}),
+	}
 
-	u := mustParseURL("https://ipa.example.com/idp/saml2/metadata")
-	_, err := New(Options{IDPMetadataURL: &u})
-	c.Assert(err, IsNil)
+	_, err := FetchMetadata(context.Background(),
+		&httpClient,
+		mustParseURL("https://ipa.example.com/idp/saml2/metadata"))
+	assert.Check(t, err)
 }
diff --git a/samlsp/session.go b/samlsp/session.go
new file mode 100644
index 00000000..2a4f504e
--- /dev/null
+++ b/samlsp/session.go
@@ -0,0 +1,89 @@
+package samlsp
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	"github.com/lightstep/saml"
+)
+
+// Session is an interface implemented to contain a session.
+type Session interface{}
+
+// SessionWithAttributes is a session that can expose the
+// attributes provided by the SAML identity provider.
+type SessionWithAttributes interface {
+	Session
+	GetAttributes() Attributes
+}
+
+// ErrNoSession is the error returned when the remote user does not have a session
+var ErrNoSession = errors.New("saml: session not present")
+
+// SessionProvider is an interface implemented by types that can track
+// the active session of a user. The default implementation is CookieSessionProvider
+type SessionProvider interface {
+	// CreateSession is called when we have received a valid SAML assertion and
+	// should create a new session and modify the http response accordingly, e.g. by
+	// setting a cookie.
+	CreateSession(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion) error
+
+	// DeleteSession is called to modify the response such that it removed the current
+	// session, e.g. by deleting a cookie.
+	DeleteSession(w http.ResponseWriter, r *http.Request) error
+
+	// GetSession returns the current Session associated with the request, or
+	// ErrNoSession if there is no valid session.
+	GetSession(r *http.Request) (Session, error)
+}
+
+// SessionCodec is an interface to convert SAML assertions to a
+// Session. The default implementation uses JWTs, JWTSessionCodec.
+type SessionCodec interface {
+	// New creates a Session from the SAML assertion.
+	New(assertion *saml.Assertion) (Session, error)
+
+	// Encode returns a serialized version of the Session.
+	//
+	// Note: When implementing this function, it is reasonable to expect that
+	// Session is of the exact type returned by New(), and panic if it is not.
+	Encode(s Session) (string, error)
+
+	// Decode parses the serialized session that may have been returned by Encode
+	// and returns a Session.
+	Decode(string) (Session, error)
+}
+
+type indexType int
+
+const sessionIndex indexType = iota
+
+// SessionFromContext returns the session associated with ctx, or nil
+// if no session are associated
+func SessionFromContext(ctx context.Context) Session {
+	v := ctx.Value(sessionIndex)
+	if v == nil {
+		return nil
+	}
+	return v.(Session)
+}
+
+// ContextWithSession returns a new context with session associated
+func ContextWithSession(ctx context.Context, session Session) context.Context {
+	return context.WithValue(ctx, sessionIndex, session)
+}
+
+// AttributeFromContext is a convenience method that returns the named attribute
+// from the session, if available.
+func AttributeFromContext(ctx context.Context, name string) string {
+	s := SessionFromContext(ctx)
+	if s == nil {
+		return ""
+	}
+	sa, ok := s.(SessionWithAttributes)
+	if !ok {
+		return ""
+	}
+	return sa.GetAttributes().Get(name)
+}
diff --git a/samlsp/session_cookie.go b/samlsp/session_cookie.go
new file mode 100644
index 00000000..05f81d41
--- /dev/null
+++ b/samlsp/session_cookie.go
@@ -0,0 +1,99 @@
+package samlsp
+
+import (
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/lightstep/saml"
+)
+
+const defaultSessionCookieName = "token"
+
+var _ SessionProvider = CookieSessionProvider{}
+
+// CookieSessionProvider is an implementation of SessionProvider that stores
+// session tokens in an HTTP cookie.
+type CookieSessionProvider struct {
+	Name     string
+	Domain   string
+	HTTPOnly bool
+	Secure   bool
+	SameSite http.SameSite
+	MaxAge   time.Duration
+	Codec    SessionCodec
+}
+
+// CreateSession is called when we have received a valid SAML assertion and
+// should create a new session and modify the http response accordingly, e.g. by
+// setting a cookie.
+func (c CookieSessionProvider) CreateSession(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion) error {
+	// Cookies should not have the port attached to them so strip it off
+	if domain, _, err := net.SplitHostPort(c.Domain); err == nil {
+		c.Domain = domain
+	}
+
+	session, err := c.Codec.New(assertion)
+	if err != nil {
+		return err
+	}
+
+	value, err := c.Codec.Encode(session)
+	if err != nil {
+		return err
+	}
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     c.Name,
+		Domain:   c.Domain,
+		Value:    value,
+		MaxAge:   int(c.MaxAge.Seconds()),
+		HttpOnly: c.HTTPOnly,
+		Secure:   c.Secure || r.URL.Scheme == "https",
+		SameSite: c.SameSite,
+		Path:     "/",
+	})
+	return nil
+}
+
+// DeleteSession is called to modify the response such that it removed the current
+// session, e.g. by deleting a cookie.
+func (c CookieSessionProvider) DeleteSession(w http.ResponseWriter, r *http.Request) error {
+	// Cookies should not have the port attached to them so strip it off
+	if domain, _, err := net.SplitHostPort(c.Domain); err == nil {
+		c.Domain = domain
+	}
+
+	cookie, err := r.Cookie(c.Name)
+
+	if err == http.ErrNoCookie {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	cookie.Value = ""
+	cookie.Expires = time.Unix(1, 0) // past time as close to epoch as possible, but not zero time.Time{}
+	cookie.Path = "/"
+	cookie.Domain = c.Domain
+	http.SetCookie(w, cookie)
+	return nil
+}
+
+// GetSession returns the current Session associated with the request, or
+// ErrNoSession if there is no valid session.
+func (c CookieSessionProvider) GetSession(r *http.Request) (Session, error) {
+	cookie, err := r.Cookie(c.Name)
+	if err == http.ErrNoCookie {
+		return nil, ErrNoSession
+	} else if err != nil {
+		return nil, err
+	}
+
+	session, err := c.Codec.Decode(cookie.Value)
+	if err != nil {
+		return nil, ErrNoSession
+	}
+	return session, nil
+}
diff --git a/samlsp/session_cookie_test.go b/samlsp/session_cookie_test.go
new file mode 100644
index 00000000..650d9952
--- /dev/null
+++ b/samlsp/session_cookie_test.go
@@ -0,0 +1,47 @@
+package samlsp
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+
+	"github.com/lightstep/saml"
+)
+
+func TestCookieSameSite(t *testing.T) {
+	t.Parallel()
+
+	csp := CookieSessionProvider{
+		Name:   "token",
+		Domain: "localhost",
+		Codec: DefaultSessionCodec(Options{
+			Key: NewMiddlewareTest(t).Key,
+		}),
+	}
+
+	getSessionCookie := func(tb testing.TB) *http.Cookie {
+		resp := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		err := csp.CreateSession(resp, req, &saml.Assertion{})
+		assert.Check(t, err)
+
+		cookies := resp.Result().Cookies()
+		assert.Check(t, is.Len(cookies, 1), "Expected to have a cookie set")
+
+		return cookies[0]
+	}
+
+	t.Run("no same site", func(t *testing.T) {
+		cookie := getSessionCookie(t)
+		assert.Check(t, is.Equal(http.SameSite(0), cookie.SameSite))
+	})
+
+	t.Run("with same site", func(t *testing.T) {
+		csp.SameSite = http.SameSiteStrictMode
+		cookie := getSessionCookie(t)
+		assert.Check(t, is.Equal(http.SameSiteStrictMode, cookie.SameSite))
+	})
+}
diff --git a/samlsp/session_jwt.go b/samlsp/session_jwt.go
new file mode 100644
index 00000000..3b9bdf9a
--- /dev/null
+++ b/samlsp/session_jwt.go
@@ -0,0 +1,143 @@
+package samlsp
+
+import (
+	"crypto/rsa"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/form3tech-oss/jwt-go"
+
+	"github.com/lightstep/saml"
+)
+
+const (
+	defaultSessionMaxAge  = time.Hour
+	claimNameSessionIndex = "SessionIndex"
+)
+
+// JWTSessionCodec implements SessionCoded to encode and decode Sessions from
+// the corresponding JWT.
+type JWTSessionCodec struct {
+	SigningMethod jwt.SigningMethod
+	Audience      string
+	Issuer        string
+	MaxAge        time.Duration
+	Key           *rsa.PrivateKey
+}
+
+var _ SessionCodec = JWTSessionCodec{}
+
+// New creates a Session from the SAML assertion.
+//
+// The returned Session is a JWTSessionClaims.
+func (c JWTSessionCodec) New(assertion *saml.Assertion) (Session, error) {
+	now := saml.TimeNow()
+	claims := JWTSessionClaims{}
+	claims.SAMLSession = true
+	claims.Audience = []string{c.Audience}
+	claims.Issuer = c.Issuer
+	claims.IssuedAt = now.Unix()
+	claims.ExpiresAt = now.Add(c.MaxAge).Unix()
+	claims.NotBefore = now.Unix()
+
+	if sub := assertion.Subject; sub != nil {
+		if nameID := sub.NameID; nameID != nil {
+			claims.Subject = nameID.Value
+		}
+	}
+
+	claims.Attributes = map[string][]string{}
+
+	for _, attributeStatement := range assertion.AttributeStatements {
+		for _, attr := range attributeStatement.Attributes {
+			claimName := attr.FriendlyName
+			if claimName == "" {
+				claimName = attr.Name
+			}
+			for _, value := range attr.Values {
+				claims.Attributes[claimName] = append(claims.Attributes[claimName], value.Value)
+			}
+		}
+	}
+
+	// add SessionIndex to claims Attributes
+	for _, authnStatement := range assertion.AuthnStatements {
+		claims.Attributes[claimNameSessionIndex] = append(claims.Attributes[claimNameSessionIndex],
+			authnStatement.SessionIndex)
+	}
+
+	return claims, nil
+}
+
+// Encode returns a serialized version of the Session.
+//
+// The provided session must be a JWTSessionClaims, otherwise this
+// function will panic.
+func (c JWTSessionCodec) Encode(s Session) (string, error) {
+	claims := s.(JWTSessionClaims) // this will panic if you pass the wrong kind of session
+
+	token := jwt.NewWithClaims(c.SigningMethod, claims)
+	signedString, err := token.SignedString(c.Key)
+	if err != nil {
+		return "", err
+	}
+
+	return signedString, nil
+}
+
+// Decode parses the serialized session that may have been returned by Encode
+// and returns a Session.
+func (c JWTSessionCodec) Decode(signed string) (Session, error) {
+	parser := jwt.Parser{
+		ValidMethods: []string{c.SigningMethod.Alg()},
+	}
+	claims := JWTSessionClaims{}
+	_, err := parser.ParseWithClaims(signed, &claims, func(*jwt.Token) (interface{}, error) {
+		return c.Key.Public(), nil
+	})
+	// TODO(ross): check for errors due to bad time and return ErrNoSession
+	if err != nil {
+		return nil, err
+	}
+	if !claims.VerifyAudience(c.Audience, true) {
+		return nil, fmt.Errorf("expected audience %q, got %q", c.Audience, claims.Audience)
+	}
+	if !claims.VerifyIssuer(c.Issuer, true) {
+		return nil, fmt.Errorf("expected issuer %q, got %q", c.Issuer, claims.Issuer)
+	}
+	if claims.SAMLSession != true {
+		return nil, errors.New("expected saml-session")
+	}
+	return claims, nil
+}
+
+// JWTSessionClaims represents the JWT claims in the encoded session
+type JWTSessionClaims struct {
+	jwt.StandardClaims
+	Attributes  Attributes `json:"attr"`
+	SAMLSession bool       `json:"saml-session"`
+}
+
+var _ Session = JWTSessionClaims{}
+
+// GetAttributes implements SessionWithAttributes. It returns the SAMl attributes.
+func (c JWTSessionClaims) GetAttributes() Attributes {
+	return c.Attributes
+}
+
+// Attributes is a map of attributes provided in the SAML assertion
+type Attributes map[string][]string
+
+// Get returns the first attribute named `key` or an empty string if
+// no such attributes is present.
+func (a Attributes) Get(key string) string {
+	if a == nil {
+		return ""
+	}
+	v := a[key]
+	if len(v) == 0 {
+		return ""
+	}
+	return v[0]
+}
diff --git a/samlsp/testdata/authn_request.url b/samlsp/testdata/authn_request.url
new file mode 100644
index 00000000..a0afa93a
--- /dev/null
+++ b/samlsp/testdata/authn_request.url
@@ -0,0 +1 @@
+https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?RelayState=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1cmkiOiIvIn0.eoUmy2fQduAz--6N82xIOmufY1ZZeRi5x--B7m1pNIY&SAMLRequest=lJJBj9MwEIX%2FSuR7Yzt10sZKIpWtkCotsGqB%2B5BMW4vELp4JsP8et4DYE5Tr%2BPnN957dbGY%2B%2Bz1%2BmZE4%2Bz6NnloxR28DkCPrYUKy3NvD5s2jLXJlLzFw6MMosg0RRnbBPwRP84TxgPGr6%2FHD%2FrEVZ%2BYLWSl1WVXaGJP7UwyfcxckwTQWEnoS2TbtdB6uHn9uuOGSczqgs%2FuUh3i6DmTaenQjyitGIfc4uIg9y8Phnch221a4YVFjpVflcqgM1sUajiWsYGk01KujKVRfJyHRjDtPDJ5bUShdLrReLNX7QtmysrrMK6Pqem3MeqFKq5TInn6lfeX84PypFSL7iJFuwKkN0TU303hPc%2FC7L5G9DnEC%2Frv8OkmxjjepRc%2BOn0X3r14nZBiAoZE%2FwbrmbfLZbZ%2FC6Prn%2F3zgcQzfHiICYys4zii6%2B4E5gieXsBv5kqBr5Msf1%2F0IAAD%2F%2Fw%3D%3D
diff --git a/samlsp/testdata/cert.pem b/samlsp/testdata/cert.pem
new file mode 100644
index 00000000..cba15632
--- /dev/null
+++ b/samlsp/testdata/cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0
+MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9
+ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH
+O8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv
+Rsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk
+akpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT
+QLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn
+OwJlNCASPZRH/JmF8tX0hoHuAQ==
+-----END CERTIFICATE-----
diff --git a/samlsp/testdata/expected_authn_request.xml b/samlsp/testdata/expected_authn_request.xml
new file mode 100644
index 00000000..e9303fb4
--- /dev/null
+++ b/samlsp/testdata/expected_authn_request.xml
@@ -0,0 +1 @@
+<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:57:09.123Z" Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" AssertionConsumerServiceURL="http://15661444.ngrok.io/saml2/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
\ No newline at end of file
diff --git a/samlsp/testdata/expected_authn_request_secure.xml b/samlsp/testdata/expected_authn_request_secure.xml
new file mode 100644
index 00000000..e06fa06b
--- /dev/null
+++ b/samlsp/testdata/expected_authn_request_secure.xml
@@ -0,0 +1 @@
+<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:57:09.123Z" Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" AssertionConsumerServiceURL="https://15661444.ngrok.io/saml2/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
\ No newline at end of file
diff --git a/samlsp/testdata/expected_middleware_metadata.xml b/samlsp/testdata/expected_middleware_metadata.xml
new file mode 100644
index 00000000..77a0ea58
--- /dev/null
+++ b/samlsp/testdata/expected_middleware_metadata.xml
@@ -0,0 +1,17 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09.123Z" entityID="https://15661444.ngrok.io/saml2/metadata">
+  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09.123456789Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
+    <KeyDescriptor use="encryption">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
+    </KeyDescriptor>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://15661444.ngrok.io/saml2/slo" ResponseLocation="https://15661444.ngrok.io/saml2/slo"></SingleLogoutService>
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://15661444.ngrok.io/saml2/acs" index="1"></AssertionConsumerService>
+  </SPSSODescriptor>
+</EntityDescriptor>
\ No newline at end of file
diff --git a/samlsp/testdata/expected_post_binding_response.html b/samlsp/testdata/expected_post_binding_response.html
new file mode 100644
index 00000000..19a53cb9
--- /dev/null
+++ b/samlsp/testdata/expected_post_binding_response.html
@@ -0,0 +1 @@
+<!DOCTYPE html><html><body><form method="post" action="https://idp.testshib.org/idp/profile/SAML2/POST/SSO" id="SAMLRequestForm"><input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iaWQtMDAwMjA0MDYwODBhMGMwZTEwMTIxNDE2MTgxYTFjMWUyMDIyMjQyNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTItMDFUMDE6NTc6MDkuMTIzWiIgRGVzdGluYXRpb249Imh0dHBzOi8vaWRwLnRlc3RzaGliLm9yZy9pZHAvcHJvZmlsZS9TQU1MMi9QT1NUL1NTTyIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwczovLzE1NjYxNDQ0Lm5ncm9rLmlvL3NhbWwyL2FjcyIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIj48c2FtbDpJc3N1ZXIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiPmh0dHBzOi8vMTU2NjE0NDQubmdyb2suaW8vc2FtbDIvbWV0YWRhdGE8L3NhbWw6SXNzdWVyPjxzYW1scDpOYW1lSURQb2xpY3kgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiIEFsbG93Q3JlYXRlPSJ0cnVlIi8&#43;PC9zYW1scDpBdXRoblJlcXVlc3Q&#43;" /><input type="hidden" name="RelayState" value="KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6" /><input id="SAMLSubmitButton" type="submit" value="Submit" /></form><script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";document.getElementById('SAMLRequestForm').submit();</script></body></html>
\ No newline at end of file
diff --git a/samlsp/testdata/idp_metadata.xml b/samlsp/testdata/idp_metadata.xml
new file mode 100644
index 00000000..bb812694
--- /dev/null
+++ b/samlsp/testdata/idp_metadata.xml
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:mdalg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="urn:mace:shibboleth:testshib:two" entityID="https://idp.testshib.org/idp/shibboleth">
+	<Extensions>
+		<mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
+		<mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" />
+		<mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
+		<mdalg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
+		<mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
+		<mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" />
+		<mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
+		<mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
+	</Extensions>
+	<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<shibmd:Scope regexp="false">testshib.org</shibmd:Scope>
+			<mdui:UIInfo>
+				<mdui:DisplayName xml:lang="en">TestShib Test IdP</mdui:DisplayName>
+				<mdui:Description xml:lang="en">TestShib IdP. Use this as a source of attributes
+                        for your test SP.</mdui:Description>
+				<mdui:Logo height="88" width="253">https://www.testshib.org/testshibtwo.jpg</mdui:Logo>
+			</mdui:UIInfo>
+		</Extensions>
+		<KeyDescriptor>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
+                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
+                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
+                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
+                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
+                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
+                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
+                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
+                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
+                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
+                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
+                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
+                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
+                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
+                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
+                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
+                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
+                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
+                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
+                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
+                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
+                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
+		</KeyDescriptor>
+		<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1" />
+		<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2" />
+		<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+		<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.testshib.org/idp/profile/Shibboleth/SSO" />
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.testshib.org/idp/profile/SAML2/POST/SSO" />
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" />
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP" />
+	</IDPSSODescriptor>
+	<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+		<KeyDescriptor>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
+                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
+                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
+                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
+                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
+                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
+                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
+                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
+                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
+                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
+                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
+                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
+                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
+                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
+                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
+                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
+                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
+                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
+                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
+                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
+                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
+                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
+		</KeyDescriptor>
+		<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/AttributeQuery" />
+		<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery" />
+		<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+	</AttributeAuthorityDescriptor>
+	<Organization>
+		<OrganizationName xml:lang="en">TestShib Two Identity Provider</OrganizationName>
+		<OrganizationDisplayName xml:lang="en">TestShib Two</OrganizationDisplayName>
+		<OrganizationURL xml:lang="en">http://www.testshib.org/testshib-two/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="technical">
+		<GivenName>Nate</GivenName>
+		<SurName>Klingenstein</SurName>
+		<EmailAddress>ndk@internet2.edu</EmailAddress>
+	</ContactPerson>
+</EntityDescriptor>
\ No newline at end of file
diff --git a/samlsp/testdata/key.pem b/samlsp/testdata/key.pem
new file mode 100644
index 00000000..c4530a84
--- /dev/null
+++ b/samlsp/testdata/key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi
+3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E
+PsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB
+AoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ
+CT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS
+JEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU
+N3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/
+fbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU
+4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM
+Rq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA
+yfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr
+vBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6
+hU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==
+-----END RSA PRIVATE KEY-----
diff --git a/samlsp/testdata/saml_response.xml b/samlsp/testdata/saml_response.xml
new file mode 100644
index 00000000..d5bb6a14
--- /dev/null
+++ b/samlsp/testdata/saml_response.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://15661444.ngrok.io/saml2/acs" ID="_e9b3332eeaf348da6786aed16300aca9" InResponseTo="id-9e61753d64e928af5a7a341a97f420c9" IssueInstant="2015-12-01T01:56:21.375Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_dab0b1dbbc0595ab06473034e3bb798c" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_dd9264352cef16103cdb21fae97fa951" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX
+DTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x
+EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308
+kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv
+SPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf
+nqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv
+TLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+
+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>i/wh2ubXbhTH5W3hwc5VEf4DH1xifeTuxoe64ULopGJ0M0XxBKgDEIfTg59JUMmDYB4L8UStTFfqJk9BRGcMeYWVfckn5gCwLptD9cz26irw+7Ud7MIorA7z68v8rEyzwagKjz8VKvX1afgec0wobVTNN3M1Bn+SOyMhAu+Z4tE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>a6PZohc8i16b2HG5irLqbzAt8zMI6OAjBprhcDb+w6zvjU2Pi9KgGRBAESLKmVfBR0Nf6C/cjozCGyelfVMtx9toIV1C3jtanoI45hq2EZZVprKMKGdCsAbXbhwYrd06QyGYvLjTn9iqako6+ifxtoFHJOkhMQShDMv8l3p5n36iFrJ4kUT3pSOIl4a479INcayp2B4u9MVJybvN7iqp/5dMEG5ZLRCmtczfo6NsUmu+bmT7O/Xs0XeDmqICrfI3TTLzKSOb8r0iZOaii5qjfTALDQ10hlqxV4fgd51FFGG7eHr+HHD+FT6Q9vhNjKd+4UVT2LZlaEiMw888vyBKtfl6gTsuJbln0fHRPmOGYeoJlAdfpukhxqTbgdzOke2NY5VLw72ieUWREAEdVXBolrzbSaafumQGuW7c8cjLCDPOlaYIvWsQzQOp5uL5mw4y4S7yNPtTAa5czcf+xgw4MGatcWeDFv0gMTlnBAGIT+QNLK/+idRSpnYwjPO407UNNa2HSX3QpZsutbxyskqvuMgp08DcI2+7+NrTXtQjR5knhCwRNkGTOqVxEBD6uExSjbLBbFmd4jgKn73SqHStk0wCkKatxbZMD8YosTu9mrU2wuWacZ1GFRMlk28oaeXl9qUDnqBwZ5EoxT/jDjWIMWw9b40InvZK6kKzn+v3BSGKqzq2Ecj9yxE7u5/51NC+tFyZiN2J9Lu9yehvW46xRrqFWqCyioFza5bw1yd3bzkuMMpd6UvsZPHKvWwap3+O6ngc8bMBBCLltJVOaTn/cBGsUvoARY6Rfftsx7BamrfGURd8vqq+AI6Z1OC8N3bcRCymIzw0nXdbUSqhKWwbw6P2szvAB6kCdu4+C3Bo01CEQyerCCbpfn/cZ+rPsBVlGdBOLl5eCW8oJOODruYgSRshrTnDffLQprxCddj7vSnFbVHirU8a0KwpCVCdAAL9nKppTHs0Mq2YaiMDo8mFvx+3kan/IBnJSOVL19vdLfHDbZqVh7UVFtiuWv3T15BoiefDdF/aR5joN0zRWf8l6IYcjBOskk/xgxOZhZzbJl8DcgTawD8giJ31SJ1NoOqgrSD4wBHGON4mInHkO0X5+vw1jVNPGF3BwHw0kxoCT3ZKdSsi8O4tlf1y227cf794AGnyQe13O032jYgOmM5qNkET6PyfkyD/h0ufgQq2vJvxSOiRv76Kdg0SeRuNPW9MyjO/5APHl7tBlDBEVq+LWDHl4g9h/bw+Fsi0WN4pLN1Yv9RANWpIsXWyvxTWIZHTuZEjNbHqFKpsefx/oY1b9cSzKR5fQ9vc32e17WykL0O7pwpzV6TrFN874GdmW5lG5zfqnRHUQh1aV2WwBJ74mB4tv/y5rmRjTe5h/rN90kN+eQGeR3eG7XUHLhK/yCV+xq8KKPxNZexcdHGA905rvYokbtmr/jIN5kAMBdlOU8akPAZdSMMh+g/RZo5MO50/gdg6MTpB4onU2FBd54FNDp2fuBUxBsnTqpZXkDcAPEfSBr+z2l8jTRmxMricWyeC55ILgxM4er68n0xYjwb2jyQum3IQq7TSYYU/qjNiH1fQBtdRmBkzXJYYk+9q7C6OZJUdR96ERnTIi93NaYmtpSEvZU9vS6MV1VBOnEf8UzUUT9ibMpP9XDSINX7dN24rKIufSY+3+70orQB07XOWp6++SWKgA+WThaoPhp8sWWMeSZuda/wq6jdVTAB8FOPiP3lNl0BqxagQEPmNxDWXwTplSFSR3SP0e4sHMSjLvysibV9Z87LZa1FG0cWU2hrhiyOLsIWMnd4vdTLaWjhXuGlrDShxSAiI39wsl5RB59E+DXVSTBQAoAkHCKGK69YiMKU9K8K/LeodApgw46oPL08EWvleKPCbdTyjKUADtxfAujR84GMEUz9Aml4Q497MfvABQOW6Hwg54Z3UbwLczDCOZyK1wIwZTyS9w3eTH/6EBeyzhtt4G2e/60jkywHOKn17wQgww2ZsDcukdsCMfo4FV0NzfhSER8BdL+hdLJS3R1F/Vf4aRBEuOuycv2AqB1ZqHhcjZh7yDv0RpBvn3+2rzfzmYIBlqL16d1aBnvL4C03I0J59AtXN9WlfJ8SlJhrduW/PF4pSCAQEyHGprP9hVhaXCOUuXCbjA2FI57NkxALQ2HpCVpXKGw0qO0rYxRYIRlKTl43VFcrSGJdVYOFUk0ZV3b+k+KoxLVSgBjIUWxio/tvVgUYDZsO3M3x0I+0r9xlWZSFFmhwdOFouD+Xy1NPTmgwlUXqZ4peyIE1oVntpcrTJuev2jNScXbU9PG8b589GM4Z09KS/fAyytTFKmUpBuTme969qu0eA7/kBSHAkKvbfj0hsrbkkF9y/rXi8xgcMXNgYayW8MHEhm506AyPIvJAreZL637/BENO1ABdWS1Enj/uGaLM1ED8UY94boh/lMhqa9jALgEOHHxspavexi3HIFwJ55s4ocQnjb4p6op4CRPUdPCfli5st9m3NtQoH9kT1FTRZa9sG8Ybhey5wP17YgPIg9ZZtvlvpSTwCwZxHZ348wXJWhbtId9DyOcIzsyK5HaJcRsp8SQVR5nbRW0pUyC/bFAtX1KOGJmtro/QfmnLG9ksuaZvxP6+bH1K+CibEFIRDllAUFFPiuT+2b3Yp3Tu1VvXokMAgmcB5iFDgTAglw5meJYJ99uIBmj0EVZm8snMhRrHjMPTAYD5kwPK/YDShPFFV3XEIFzLD3iYrzb7sub/Z4gTTELWzzS3bCpYPAh4KWeTih+p7Xj0Xf04nSONHZXsQnNenc+PNae+Zj5iCfJ/PpqhMn61n/YBP7gipYYEtOZYzDtvMz+mytYRUOaZTq3W4Wp64f+XVekn49CLarLm6qPyiz5kJwaT8lJ+VEZDPpS/ChLM4eq90GogJBvK0jxmQ1AGvnKpV2lw9XCudf3PXbaTb+r2QPcihKnmqcEgPgYlN8VLclicNW1WyjBJ+HvDTQPbs1r1/KnBK4O5HTT6ehuHpJsYlBN9vzjsD+ov6SRkBqiGPUg9CoKKmWS6dirxwOXi3OUFzkWFVDyDezfkJAzqkmG0nlEGb9mTHdVDfX010bPJ4ZQzQSyHp7Ht2mATyQwOEem2AMB/RpNwlOKXWIdsQ5p3dHF+kmsJHI8xjEv2GeUa/aXX3MF3fPfUA7La8J8fbnaDLbnEqMCLMfdfc9+kY7EKyqPiE5KFpF0EhQBrHl8SiPuFQCoxvlH2u+ujncW7Z5JiBmMKUWOXUHhIe4NckP1awRsEcfhEs664DqOp9CbLwTXk71hHVBtINylFcf7uBZwjxNW+hCfZEoVEjjs/V4J9QeXCxpTu5TcXxBxwN5zBdkCodNFPLUg+3UicaykaH0+wrGoTu/ugjF9rz7OezMMs3pep+bzLp+yZbFAL/z/yATY3UG+lpk6Rw4SkjbnAxBSedaEdqbotddkGzVQubHvHqCiKpkAw58rAa2v15hc+UmkrRFslS8SYxTIPXs2sTNhnCCrUn8nlKufeoAm65vgYtEQ4NzmG9tqKtTeBfZAvSToYaiQq+kPii1ssuu1OULAVuSx8x/CYO6orgX7h5wI0R/Ug1nux7cb2/+pFLbNyGvwKf1TLym2NvFMJpvFlTsOJJ4DxXM/v2JkC9umm93quXLsojx7KTEOFDQLsnMKsVo6ZzRQidEwK5gQPyZL1yjGirJcEuGMAEf6LA2AsKIIZhsMEPlLpzMiVo5Y0LoL6NFsXigceLaaJMEMuYNJJdh+uxyfW57+PoQ7V8KkzSHFsKan14GnpWeOV7r13uopwCPeIsEKUVG77ypd+ILQkbKxH2lQdsFyjpofqkbgEVM5XAnVbdhfwyebNHn5OJtadVkOMcJc/WMWJef1idcSfvP5ENkwp3pKg9Ljoi+hU2Chp1vTmksO2HJt0of4QnQ8jGlcqnOrAMiWUCd2W/8AmhRBjevt3UqxnqELVvg+HJPlyqFyuUlDxx25mXEdW0COpA3s9OlSgcMjvQbIJ42NUhGFZLoK1pvPLZo711w2Ex3Lm5qqcr/7I4+vTntd/Id5aJiP18LQpslTy614Wd4eD8+RfjEtmDAPXhgvfekVkS/rDnI/9H0k3AdHc78fJCJRPNwJrDTozzjxTvmVv9r4MtpoDELmnMxb3o7ZibUMxgptCTyDF+Q5m6T3GeD9G5ehgB3Tqsx3gcUGuDtP6KIqMGbj8YCFt8tjihDctYFAXj4AwPnIjMiI4T7skXwfrBLWCKfN1j5XrIn2paQgKln9hvaiRUpNpD3IXVyFl1WNrb21IcRinfkuCtrP2tTHqct6eSEh8sOzRkvZEArBQYD5paYyuNBcbVtsnl6PNE+DIcSIGvCVnzpMw1BeUExvQZoNdpHwhTQ3FSd1XN1nt0EWx6lve0Azl/zJBhj5hTdCd2RHdJWDtCZdOwWy/G+4dx3hEed0x6SoopOYdt5bq3lW+Ol0mbRzr1QJnuvt8FYjIfL8cIBqidkTpDjyh6V88yg1DNHDOBBqUz8IqOJ//vY0bmQMJp9gb+05UDW7u/Oe4gGIODQlswv534KF2DcaXW9OB7JQyl6f5+O8W6+zBYZ6DAL+J2vtf3CWKSZFomTwu65vrVaLRmTXIIBjQmZEUxWVeC4xN+4Cj5ORvO8GwzoePGDvqwKzrKoupSjqkL5eKqMpCLouOn8n/x5UWtHQS1NlKgMDFhRObzKMqQhS1S4mz84F3L492GFAlie0xRhywnF+FvAkm+ZIRO0UqM4IwvUXdlqTajjmUz2T0+eXKTKTR5UoNRgP51gdUMT5A4ggT5wU9WkRx7CR9KdWJwwcWzv2YrchoHIXBidQSk+f1ZSzqR7krKSOwFTVJUvEenU17qVaHoAf2he0dMgURJ8PM9JxnSr7p2pZeNPu/O5oPmLuOCmEPVRPSahJL7yj9PK5z3q57e5POIp/wXqFoniFdxRmtmpfZBxoKVlADkwRy34h8k6ZmgtqPTQfUUk/+yH2CAoQu+HyOtUnQof8vc1k4zs8nCTrCSjqvFPjU8mHtVHy1RY0qmK9t99ugXyAKaGON3PlseetIC8WCTt84nM5XGD3VQpbv139yhSPhp2Oiz0IiOsr+L9idVKSvfNSkdNq9aUC7963uAQNud8c4GuDmbENvZYvGNIMxxZhYA86n1RMNtGDZJs6/4hZTL18Kz1yCY9zbbSXTxWTmkaHJziHtgrEPoYpUeb85J229PDEX08yHOkj2HXVdnKKmEaHw3VkB4eM3PhGGdrw2CSUejSaqPQFLdhabcB2zdB4lj/AUnZvNaJc23nHHIauHnhhVrxh/KQ1H4YaYKT9ji/69BIfrTgvoGaPZC10pQKinBHEPMXoFrCd1RX1vutnXXcyT2KTBP4GG+Or0j6Sqxtp5WhxR0aJqIKM6LqMHtTooI0QhWbmSqDEBX/wRS70csVeJSrZ4dqRKit+hz8OalHA7At9e+7gSWTfHAwjl5JhtrltyAab/FII4yKQeZWG8j1fSFGHN+EbOrum2uWuVhxkUPy4coMu+yKY4GxlXfvP+yEVK5GrMECRmFBlySetJK3JOoQXiuLirlHUq+0u88QFMdAJ9+fIdU4+FxneqgW7qM7CHRE8jV4pPSWGFbGzxVZ9CWRWaYIw26VsC1qQJe1WmU7Mrp26IxmWHGwHvZ50uB0mjAHFCiln5QAvqTm2/fsY+Puk+Irt3LQbMwGVWPnb4eona2dSha+eMLOiAQkBvbaitsRqqrAVnndP7gHmO+nYZEKNx/740zTRrFBpOelrGdOa0/eV2mPhUQfozGooxoRADmT8fAcDXo0SsXCHzg9tBnmVMvInQ7+8nXfhcF/fEBjvW3gIWOmp2EWutHQ/sl73MieJWnP/n3DMk2HHcatoIZOMUzo4S4uztODHoSiOJDA1hVj7qADvKB37/OX0opnbii9o6W8naFkWG5Ie7+EWQZdo+xeVYpwGOzcNwDRrxbZpV3fTvWyWKToovncZq+TQj7c4Yhz6XDF0ffljN5hTm4ONwYViFNB4gTJlFxFX00wcWfwWah4uJs2Oa8dHPVT+7viagZiPrSDk/gythdY8glGm+F0DWlzQpWbgSI3ZbdiUQ+ox4GtLUtYgGIQFUvRYbuHqH6CXQ3SM6vkbhV/nAn6UDEWKXdJsO0u5q6UpXci7MlWDNLxoQ9dfGjSc28mX+q+4hkyho4u1XSMy9B6IdH304J7fuAQ88tTorT67AiqvqR6qnZ0icV+MMLh95moxFbrvch6sGAmMEixqeujmiZzBqBmNbzZVORiv9qcbe3CQ6X2i+9D8hMpaWj5jI0u+0wk3bRFK4uDn8T1mnD6l4TrJayf3cZI+duhKcabNj71i5w76S8RZSC6RX4ks0x+XIDc5v3223NmGvceYklbuOJtJa0/MBTOcSDKCM2kUXqPV2BlA9Za8WEO2UrdcyP+AXgM20af3thjlZvA494zdZ0mqjrsKp+VS2MVrBBtj+puSuSHJYf6bnA5/yjqQtbGvAp8hfXQURC53J5oD8rb9F7vQRqdfqpe6xd7DVd+wWZS86mWjyZYKXw312t8nM/gxo0pdvZ8F0x9y3xb9UBM2pZtdYvk3hPz6swhuE1N5j2u7nwtXuEDNcGCSfr+IempeFHFRqO8n8ikASEdKcq2XHGJwfc3lVXOQ5K4JlewcC7yQL1uNtL6iNKCtJmjJiH2PMmXrtpmCeTspFNZlwmiICyPWV9B5ce9H/qP1xjndBzFz0rn75SGDnWUhNZI/aYKNVyzkOleS5VSNxBx1hoiFuG8r+6ctYwF7XL94b95tXQ/+0V5dt0H1xVaOZ7QluoDtMSzuUjV4yUoQESa3zCfZwnW+b5SKndX5nx0GYrVxydMkUdfimZpX/fezcMiaAGwG/jgWF0zS+EL4T7gR8I5R3qUNTifKFJKJL1+AL8CgL+SRB1lgHDp2wQ7cqgqcmskAsT60qisL/UZGgmnlgZ8FkNhv0vAMkzIsz7o6cuLo15hZnrsZveIo+mZKY2cMJjJb4ZlJLcE+YcnpiM84OYjypa9lA7kv4XJaDX9oirhsl9IO/ImbFgYpR73y+xSolXYdDKfZjf/8NR7vE8fu+LYXGoZHO/hxousED6y3sCo/ItECYHWYIui+V5SmAoEvVV8FY8fFMYIc+Llc2CoX5HQISfUAtLu+fGNNV0muidXnBdtnJo25UEqxwvoENdI1lGPhlrXY6/h4kIT5djmsxxSG/EgG/4fPnrThgF9/fbG8n/3LweXvQOGjX0F1Ngt5wuMIWRQk5vtLdvv2M+BNwthHZ7xzIU7zqSVvngVPwgcsTr2d5pTVOxauT1K6ffiBF04jVZEcna+NXhJM5EcRHNuT/iOb0ncn1yuKU8JJnztEzMDjO1qCmaBTyWBR7nQS6K+nfstd/AnBWyGeC5Yi3wlvZAVMpc0m7I7McXb+rXiHM0mHoq0Z/2HOki5LP2cBuIkk84tJ3SRZwWnocrz4aTEIOmwftqMATy5Ur0KRxoUSFNMJYyc1iOfjk3H2JjgecWlQdYHcIEjxGDGeo4S9EKTRokMGNUN2nTj3SO2nHoWbx9WhGe6uB3OgDENGL9aNoPnYKXs4WcobctMxQjjBWa/zpCFwP8nr78xIFfy/64ZtsFBrxSrEHxeXiPa2Kpv456aQ9kDQjJt9XrWKe+JBawtpPUYHmWkUb3Gznp3tC2LbowvJlEe/17srb5yi+sUHEF1z/8Uk4eVYcUUXzyq3YEuqumIBIYqO8J3K5Us7tEXyzhHH8TMLNSQxmDi/w5oYccIwNFMM1+xRTsyjHHtB/rHYJjPW/50Xxb0CZF84NqotCcgIMrR4nUiPnAPd8ZvHeB/235gS1NtzBWtfcDmP8khibSQpY3JW+fdY/9W6iGlPyPIwOgH06fJayaT44sPFIm+QGIkPKSAJOFDeJNG8oc6SAqrYSfCffYfOAx3IsjSdnxQy9JAcS0HxjWnEO3rgSh7bNEecO3f4hb3TRNlczdzhfrwgxUZ0rURI3LfMCpGntF+8NrhtB7RT8sEOaa4NM13T7LWjykRQJFYKNZY0siPBP2WJxjBqL0KynlTPhAcfFyiLZbAhe7YC0XmYo8iJQqdzJQwBK9iOoDkg1XuGy7+Kfe0scamvHN2Z85umcPSiPEQRP3zAWcP5kRNDath7DKrBfQtvOJvEHiihE+qiASrCZep+m7jTD261U9vQGAnR4xBY08ChSh8XItWHvDHARN+GP08h9u6nlJ3rpOoVn9y22NNgx7bOe6QIYe9f6iYbbAzLR1/7AP1A4CQwFi39eZI9BZteze5eas+6JR2s1LqH9tncOmWAhXjE8p3hOtplh/tMbrx+pySNX4BKfZva54zccIa+e59NUifTRsq27AwAtcxg2Bk1Tu7B+LT9Yw2K8tRH6XTcGlvqDM4sYjNBqzh3yAga5iro706tg/Qaa50eln8rjISularEHlfaggogjvd+wNLg44Rj8pMr25+xxS0e9KoEGon5SutuhJ/HBGnEj3+4qNxHu27nkAmZIADiF+Jh53osDuA1fsUnRXf2lJABa30KDkG8E/eci+TkESrdfsPMo6yhWoyjtjYdJbGkjtsQCMW5DOSNYDH0FqDiiVU0nBLJ4+A4ep6aWTrv6w/ozuO4educ7x9IBpGmEY30rsXWwiGJbLGyIo+6qz6J5JBKdjNBsDO7RRweDNMp8ospaGNQSa4NKAHTG8BsGqJSP8oebpVqYpgPS1TiBWnYZKQSRJ5NFs+ULpdICekxevVXAH8uh+De9GT7KsJJzg0CFjALDbC0YrbmCigspJAh2455I6/xyWbPXCYMXwBzbioMgWcNhQBJJ6oIoQ7shwf2TP0Z+X/3NoMpWHmGpoV/JZind8lb9lcxoI44uf37+xc03O1R1bNucf0F5ljrgj2sZlGz/591EJen5GZhrT6qSTIcMu+xIyxyA/zzhy0jjkVfkDKfQ8mE9AmVtbbzHAQNy2PhDIeu7ngoFN635tSOJLR2c6pC/m6n50slFbo0oeHbbiGHyxDk7q3zXHWoHzeF1k4iVdHumYg/nwZOuRzms6rvkmwkJv59Z1p05jxA+Y0yHvDeq1WR8PfS/esm3RHfP3fM+zTlj9ZBJfzvn4OL+IIHRQ5l8pGKAeRL58OjeaU5QU98lAKHydOPDGBalsEHyIKD6iy3RZ65qIm956zQd98htZ1Vgkd7LVC7LSnLb9jRbqS1vHN7lR6bQMmXtQBYSA/+ZW2RQqSo7sToVh+Pxl3EVmsgyO8dXPL4biz7XM8eVz7CqHkrQUinnr79HJWC6Uk19cBurOD6PeOqNYy08Og/A0hbHOgN3dKmVRAPf7itK6x0eb5F70T2zVqG12GHVZieXwIcp/vahuFvriHLJtuM04laiRWNXSiL2MPHQ8e9rr8NIlWDm9uev55FI9zZxwFUPBSewawPe5vkqRLfwZCYd5mZoxtBhNBWvY3ZOVD/21dIUlQanG1n6RygbmAwCHnIB4c7EH2CBYEMDToRQuAuIssviIfdaJglwDgHbLWKNUVDOdqeclBNZjfQfVXbVukPk8DfWLqj9pD4xAOzDeVQcdmg2aLvNKgpZsWs4d+6GlKrpS7qEGvoBkIFh/cVY7DMYrt/JXYuF6DpwB+HbfnuDFc2p47SPNhnmt/ez6/DACBPQ+tgpyWYXUsiviGSp72JNTzd8uFJJZNeKUJZw1c0UTjxdwigh5tL/hWhPl48DY937zymSr1xVqC3RV6wSIpuplH+hss/rsRPAp1/TfxvhJuFsoPbW0586y9YzqEHT4FUu6WSRy0gMJLP2sLqiiZXZ6kPicXsW7M55mV3ugbGQjB7YS7EVqsQzvJTiQbOlcPqwoKK7DTqaeCOXd8kH1tNoe7hjx/UNNdLQQ7IhrJIzxqTTgwcXYMCxhoezDsIHReTIymsHPkCurfteTQcbfwoKN5E9zC2hINOPmhAxLvONzaLXQGMqofuTbFshkB4eUj8U4vBCNp+60iCLnibt4rPuyoWKEHWBYa6FfIykxVKuXkfcb64dCdGCWjv7x1XqkbpHxQB80qhipoSo244pyhIsN91ASu1Q7L75LxGXibY3jb0Y4KZ5zIWsH4kVlvPhangohDO1J9gmL9inGr9hy5BHTQiMcktGoUgOIbFJ72381vYpPxn3ngBbp48mVZd0w6xV8RBaqR3l7CxI9vvMAPYPoXBB18ERoZypza8mAlzv2QxIkNGuRzFENh1SXegBfN7eiazZnwnhbyeMghJpnXzfvHACyjkdH3shRYcJ+oMiOSpInGxm/hxFQxHJZA0Ft/lza</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>
\ No newline at end of file
diff --git a/samlsp/testdata/testshib_metadata.xml b/samlsp/testdata/testshib_metadata.xml
new file mode 100644
index 00000000..6d77c713
--- /dev/null
+++ b/samlsp/testdata/testshib_metadata.xml
@@ -0,0 +1,378 @@
+<EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two"
+                     xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+                     xmlns:mdalg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+                     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- This file contains the metadata for the testing IdP and SP
+     that are operated by TestShib as a service for testing new
+     Shibboleth and SAML providers. -->
+
+    <EntityDescriptor entityID="https://idp.testshib.org/idp/shibboleth">
+
+        <Extensions>
+            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
+            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" />
+            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
+            <mdalg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" />
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
+        </Extensions>
+
+        <IDPSSODescriptor
+                protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
+            <Extensions>
+                <shibmd:Scope regexp="false">testshib.org</shibmd:Scope>
+                <mdui:UIInfo>
+                    <mdui:DisplayName xml:lang="en">TestShib Test IdP</mdui:DisplayName>
+                    <mdui:Description xml:lang="en">TestShib IdP. Use this as a source of attributes
+                        for your test SP.</mdui:Description>
+                    <mdui:Logo height="88" width="253"
+                    >https://www.testshib.org/testshibtwo.jpg</mdui:Logo>
+                </mdui:UIInfo>
+
+            </Extensions>
+            <!-- old signing key
+            <KeyDescriptor>
+                <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+                            MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
+                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
+                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
+                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
+                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
+                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
+                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
+                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
+                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
+                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
+                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
+                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
+                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
+                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
+                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
+                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
+                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
+                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
+                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
+                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
+                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
+                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+                </ds:KeyInfo>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+            </KeyDescriptor>
+            -->
+
+            <!-- new signing key -->
+            <KeyDescriptor>
+                <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+                            MIIDAzCCAeugAwIBAgIVAPX0G6LuoXnKS0Muei006mVSBXbvMA0GCSqGSIb3DQEB
+                            CwUAMBsxGTAXBgNVBAMMEGlkcC50ZXN0c2hpYi5vcmcwHhcNMTYwODIzMjEyMDU0
+                            WhcNMzYwODIzMjEyMDU0WjAbMRkwFwYDVQQDDBBpZHAudGVzdHNoaWIub3JnMIIB
+                            IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9C4J2DiRTEhJAWzPt1S3ryh
+                            m3M2P3hPpwJwvt2q948vdTUxhhvNMuc3M3S4WNh6JYBs53R+YmjqJAII4ShMGNEm
+                            lGnSVfHorex7IxikpuDPKV3SNf28mCAZbQrX+hWA+ann/uifVzqXktOjs6DdzdBn
+                            xoVhniXgC8WCJwKcx6JO/hHsH1rG/0DSDeZFpTTcZHj4S9MlLNUtt5JxRzV/MmmB
+                            3ObaX0CMqsSWUOQeE4nylSlp5RWHCnx70cs9kwz5WrflnbnzCeHU2sdbNotBEeTH
+                            ot6a2cj/pXlRJIgPsrL/4VSicPZcGYMJMPoLTJ8mdy6mpR6nbCmP7dVbCIm/DQID
+                            AQABoz4wPDAdBgNVHQ4EFgQUUfaDa2mPi24x09yWp1OFXmZ2GPswGwYDVR0RBBQw
+                            EoIQaWRwLnRlc3RzaGliLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEASKKgqTxhqBzR
+                            OZ1eVy++si+eTTUQZU4+8UywSKLia2RattaAPMAcXUjO+3cYOQXLVASdlJtt+8QP
+                            dRkfp8SiJemHPXC8BES83pogJPYEGJsKo19l4XFJHPnPy+Dsn3mlJyOfAa8RyWBS
+                            80u5lrvAcr2TJXt9fXgkYs7BOCigxtZoR8flceGRlAZ4p5FPPxQR6NDYb645jtOT
+                            MVr3zgfjP6Wh2dt+2p04LG7ENJn8/gEwtXVuXCsPoSCDx9Y0QmyXTJNdV1aB0AhO
+                            RkWPlFYwp+zOyOIR+3m1+pqWFpn0eT/HrxpdKa74FA3R2kq4R7dXe4G0kUgXTdqX
+                            MLRKhDgdmA==
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+                </ds:KeyInfo>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+            </KeyDescriptor>
+
+            <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                                       Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
+                                       index="1"/>
+            <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+                                       Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
+                                       index="2"/>
+
+            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+            <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+                                 Location="https://idp.testshib.org/idp/profile/Shibboleth/SSO"/>
+            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                                 Location="https://idp.testshib.org/idp/profile/SAML2/POST/SSO"/>
+            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                                 Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"/>
+            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+                                 Location="https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP"/>
+
+        </IDPSSODescriptor>
+
+        <AttributeAuthorityDescriptor
+                protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+
+            <!-- old SSL/TLS
+            <KeyDescriptor>
+                <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+                            MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
+                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
+                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
+                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
+                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
+                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
+                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
+                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
+                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
+                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
+                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
+                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
+                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
+                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
+                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
+                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
+                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
+                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
+                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
+                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
+                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
+                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+                </ds:KeyInfo>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+            </KeyDescriptor>
+            -->
+
+            <!-- new SSL/TLS -->
+            <KeyDescriptor>
+                <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+                            MIIDAzCCAeugAwIBAgIVAPX0G6LuoXnKS0Muei006mVSBXbvMA0GCSqGSIb3DQEB
+                            CwUAMBsxGTAXBgNVBAMMEGlkcC50ZXN0c2hpYi5vcmcwHhcNMTYwODIzMjEyMDU0
+                            WhcNMzYwODIzMjEyMDU0WjAbMRkwFwYDVQQDDBBpZHAudGVzdHNoaWIub3JnMIIB
+                            IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9C4J2DiRTEhJAWzPt1S3ryh
+                            m3M2P3hPpwJwvt2q948vdTUxhhvNMuc3M3S4WNh6JYBs53R+YmjqJAII4ShMGNEm
+                            lGnSVfHorex7IxikpuDPKV3SNf28mCAZbQrX+hWA+ann/uifVzqXktOjs6DdzdBn
+                            xoVhniXgC8WCJwKcx6JO/hHsH1rG/0DSDeZFpTTcZHj4S9MlLNUtt5JxRzV/MmmB
+                            3ObaX0CMqsSWUOQeE4nylSlp5RWHCnx70cs9kwz5WrflnbnzCeHU2sdbNotBEeTH
+                            ot6a2cj/pXlRJIgPsrL/4VSicPZcGYMJMPoLTJ8mdy6mpR6nbCmP7dVbCIm/DQID
+                            AQABoz4wPDAdBgNVHQ4EFgQUUfaDa2mPi24x09yWp1OFXmZ2GPswGwYDVR0RBBQw
+                            EoIQaWRwLnRlc3RzaGliLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEASKKgqTxhqBzR
+                            OZ1eVy++si+eTTUQZU4+8UywSKLia2RattaAPMAcXUjO+3cYOQXLVASdlJtt+8QP
+                            dRkfp8SiJemHPXC8BES83pogJPYEGJsKo19l4XFJHPnPy+Dsn3mlJyOfAa8RyWBS
+                            80u5lrvAcr2TJXt9fXgkYs7BOCigxtZoR8flceGRlAZ4p5FPPxQR6NDYb645jtOT
+                            MVr3zgfjP6Wh2dt+2p04LG7ENJn8/gEwtXVuXCsPoSCDx9Y0QmyXTJNdV1aB0AhO
+                            RkWPlFYwp+zOyOIR+3m1+pqWFpn0eT/HrxpdKa74FA3R2kq4R7dXe4G0kUgXTdqX
+                            MLRKhDgdmA==
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+                </ds:KeyInfo>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+            </KeyDescriptor>
+
+            <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                              Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
+            <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+                              Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
+
+            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+        </AttributeAuthorityDescriptor>
+
+        <Organization>
+            <OrganizationName xml:lang="en">TestShib Two Identity Provider</OrganizationName>
+            <OrganizationDisplayName xml:lang="en">TestShib Two</OrganizationDisplayName>
+            <OrganizationURL xml:lang="en">http://www.testshib.org/testshib-two/</OrganizationURL>
+        </Organization>
+        <ContactPerson contactType="technical">
+            <GivenName>Nate</GivenName>
+            <SurName>Klingenstein</SurName>
+            <EmailAddress>ndk@internet2.edu</EmailAddress>
+        </ContactPerson>
+    </EntityDescriptor>
+
+    <!-- = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = -->
+    <!--             Metadata for SP.TESTSHIB.ORG                    -->
+    <!-- = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = -->
+
+    <EntityDescriptor entityID="https://sp.testshib.org/shibboleth-sp">
+
+        <Extensions>
+            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+            <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+            <mdalg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+            <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+        </Extensions>
+
+
+        <!-- An SP supporting SAML 1 and 2 contains this element with protocol support as shown. -->
+        <SPSSODescriptor
+                protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
+
+            <Extensions>
+                <!-- A request initiator at /Testshib that you can use to customize authentication requests issued to your IdP by TestShib. -->
+                <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://sp.testshib.org/Shibboleth.sso/TestShib"/>
+
+                <mdui:UIInfo>
+                    <mdui:DisplayName xml:lang="en">TestShib Test SP</mdui:DisplayName>
+                    <mdui:Description xml:lang="en">TestShib SP. Log into this to test your machine.
+                        Once logged in check that all attributes that you expected have been
+                        released.</mdui:Description>
+                    <mdui:Logo height="88" width="253">https://www.testshib.org/testshibtwo.jpg</mdui:Logo>
+                </mdui:UIInfo>
+            </Extensions>
+
+            <KeyDescriptor>
+                <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+                            MIIEPjCCAyagAwIBAgIBADANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJVUzEV
+                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMSIwIAYD
+                            VQQKExlUZXN0U2hpYiBTZXJ2aWNlIFByb3ZpZGVyMRgwFgYDVQQDEw9zcC50ZXN0
+                            c2hpYi5vcmcwHhcNMDYwODMwMjEyNDM5WhcNMTYwODI3MjEyNDM5WjB3MQswCQYD
+                            VQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1
+                            cmdoMSIwIAYDVQQKExlUZXN0U2hpYiBTZXJ2aWNlIFByb3ZpZGVyMRgwFgYDVQQD
+                            Ew9zcC50ZXN0c2hpYi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+                            AQDJyR6ZP6MXkQ9z6RRziT0AuCabDd3x1m7nLO9ZRPbr0v1LsU+nnC363jO8nGEq
+                            sqkgiZ/bSsO5lvjEt4ehff57ERio2Qk9cYw8XCgmYccVXKH9M+QVO1MQwErNobWb
+                            AjiVkuhWcwLWQwTDBowfKXI87SA7KR7sFUymNx5z1aoRvk3GM++tiPY6u4shy8c7
+                            vpWbVfisfTfvef/y+galxjPUQYHmegu7vCbjYP3On0V7/Ivzr+r2aPhp8egxt00Q
+                            XpilNai12LBYV3Nv/lMsUzBeB7+CdXRVjZOHGuQ8mGqEbsj8MBXvcxIKbcpeK5Zi
+                            JCVXPfarzuriM1G5y5QkKW+LAgMBAAGjgdQwgdEwHQYDVR0OBBYEFKB6wPDxwYrY
+                            StNjU5P4b4AjBVQVMIGhBgNVHSMEgZkwgZaAFKB6wPDxwYrYStNjU5P4b4AjBVQV
+                            oXukeTB3MQswCQYDVQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYD
+                            VQQHEwpQaXR0c2J1cmdoMSIwIAYDVQQKExlUZXN0U2hpYiBTZXJ2aWNlIFByb3Zp
+                            ZGVyMRgwFgYDVQQDEw9zcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
+                            BgkqhkiG9w0BAQUFAAOCAQEAc06Kgt7ZP6g2TIZgMbFxg6vKwvDL0+2dzF11Onpl
+                            5sbtkPaNIcj24lQ4vajCrrGKdzHXo9m54BzrdRJ7xDYtw0dbu37l1IZVmiZr12eE
+                            Iay/5YMU+aWP1z70h867ZQ7/7Y4HW345rdiS6EW663oH732wSYNt9kr7/0Uer3KD
+                            9CuPuOidBacospDaFyfsaJruE99Kd6Eu/w5KLAGG+m0iqENCziDGzVA47TngKz2v
+                            PVA+aokoOyoz3b53qeti77ijatSEoKjxheBWpO+eoJeGq/e49Um3M2ogIX/JAlMa
+                            Inh+vYSYngQB2sx9LGkR9KHaMKNIGCDehk93Xla4pWJx1w==
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+                </ds:KeyInfo>
+                <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+            </KeyDescriptor>
+
+            <!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
+
+            <SingleLogoutService Location="https://sp.testshib.org/Shibboleth.sso/SLO/SOAP"
+                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+            <SingleLogoutService Location="https://sp.testshib.org/Shibboleth.sso/SLO/Redirect"
+                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+            <SingleLogoutService Location="https://sp.testshib.org/Shibboleth.sso/SLO/POST"
+                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+            <SingleLogoutService Location="https://sp.testshib.org/Shibboleth.sso/SLO/Artifact"
+                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
+
+            <!-- This tells IdPs that you only need transient identifiers. -->
+            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+
+            <!--
+		This tells IdPs where and how to send authentication assertions. Mostly
+		the SP will tell the IdP what location to use in its request, but this
+		is how the IdP validates the location and also figures out which
+		SAML version/binding to use.
+		-->
+
+            <AssertionConsumerService index="1" isDefault="true"
+                                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                                      Location="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"/>
+            <AssertionConsumerService index="2"
+                                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+                                      Location="https://sp.testshib.org/Shibboleth.sso/SAML2/POST-SimpleSign"/>
+            <AssertionConsumerService index="3"
+                                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+                                      Location="https://sp.testshib.org/Shibboleth.sso/SAML2/Artifact"/>
+            <AssertionConsumerService index="4"
+                                      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+                                      Location="https://sp.testshib.org/Shibboleth.sso/SAML/POST"/>
+            <AssertionConsumerService index="5"
+                                      Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+                                      Location="https://sp.testshib.org/Shibboleth.sso/SAML/Artifact"/>
+            <AssertionConsumerService index="6"
+                                      Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
+                                      Location="https://sp.testshib.org/Shibboleth.sso/ADFS"/>
+
+            <!-- A couple additional assertion consumers for the registration webapp. -->
+
+            <AssertionConsumerService index="7"
+                                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                                      Location="https://www.testshib.org/Shibboleth.sso/SAML2/POST"/>
+            <AssertionConsumerService index="8"
+                                      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+                                      Location="https://www.testshib.org/Shibboleth.sso/SAML/POST"/>
+
+        </SPSSODescriptor>
+
+        <!-- This is just information about the entity in human terms. -->
+        <Organization>
+            <OrganizationName xml:lang="en">TestShib Two Service Provider</OrganizationName>
+            <OrganizationDisplayName xml:lang="en">TestShib Two</OrganizationDisplayName>
+            <OrganizationURL xml:lang="en">http://www.testshib.org/testshib-two/</OrganizationURL>
+        </Organization>
+        <ContactPerson contactType="technical">
+            <GivenName>Nate</GivenName>
+            <SurName>Klingenstein</SurName>
+            <EmailAddress>ndk@internet2.edu</EmailAddress>
+        </ContactPerson>
+
+    </EntityDescriptor>
+
+
+</EntitiesDescriptor>
\ No newline at end of file
diff --git a/samlsp/testdata/token.json b/samlsp/testdata/token.json
new file mode 100644
index 00000000..8187becd
--- /dev/null
+++ b/samlsp/testdata/token.json
@@ -0,0 +1,48 @@
+{
+  "aud": [
+    "https://15661444.ngrok.io/"
+    ],
+  "iss": "https://15661444.ngrok.io/",
+  "exp": 1448942229,
+  "iat": 1448935029,
+  "nbf": 1448935029,
+  "sub": "_41bd295976dadd70e1480f318e772841",
+  "attr": {
+    "SessionIndex": [
+      "_6149230ee8fb88d3635c238509d9a35a"
+    ], 
+    "cn": [
+      "Me Myself And I"
+    ],
+    "eduPersonAffiliation": [
+      "Member",
+      "Staff"
+    ],
+    "eduPersonEntitlement": [
+      "urn:mace:dir:entitlement:common-lib-terms"
+    ],
+    "eduPersonPrincipalName": [
+      "myself@testshib.org"
+    ],
+    "eduPersonScopedAffiliation": [
+      "Member@testshib.org",
+      "Staff@testshib.org"
+    ],
+    "eduPersonTargetedID": [
+      ""
+    ],
+    "givenName": [
+      "Me Myself"
+    ],
+    "sn": [
+      "And I"
+    ],
+    "telephoneNumber": [
+      "555-5555"
+    ],
+    "uid": [
+      "myself"
+    ]
+  },
+  "saml-session": true
+}
\ No newline at end of file
diff --git a/samlsp/util.go b/samlsp/util.go
new file mode 100644
index 00000000..94586d69
--- /dev/null
+++ b/samlsp/util.go
@@ -0,0 +1,16 @@
+package samlsp
+
+import (
+	"io"
+
+	"github.com/lightstep/saml"
+)
+
+func randomBytes(n int) []byte {
+	rv := make([]byte, n)
+
+	if _, err := io.ReadFull(saml.RandReader, rv); err != nil {
+		panic(err)
+	}
+	return rv
+}
diff --git a/schema.go b/schema.go
index 7ce5471c..3c271138 100644
--- a/schema.go
+++ b/schema.go
@@ -1,6 +1,8 @@
 package saml
 
 import (
+	"bytes"
+	"compress/flate"
 	"encoding/xml"
 	"strconv"
 	"time"
@@ -39,6 +41,116 @@ type AuthnRequest struct {
 	ProviderName                   string `xml:",attr"`
 }
 
+// LogoutRequest  represents the SAML object of the same name, a request from an IDP
+// to destroy a user's session.
+//
+// See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+type LogoutRequest struct {
+	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutRequest"`
+
+	ID           string    `xml:",attr"`
+	Version      string    `xml:",attr"`
+	IssueInstant time.Time `xml:",attr"`
+	Destination  string    `xml:",attr"`
+	Issuer       *Issuer   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
+	NameID       *NameID
+	Signature    *etree.Element
+
+	SessionIndex *SessionIndex `xml:"SessionIndex"`
+}
+
+// Element returns an etree.Element representing the object in XML form.
+func (r *LogoutRequest) Element() *etree.Element {
+	el := etree.NewElement("samlp:LogoutRequest")
+	el.CreateAttr("xmlns:saml", "urn:oasis:names:tc:SAML:2.0:assertion")
+	el.CreateAttr("xmlns:samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
+	el.CreateAttr("ID", r.ID)
+	el.CreateAttr("Version", r.Version)
+	el.CreateAttr("IssueInstant", r.IssueInstant.Format(timeFormat))
+	if r.Destination != "" {
+		el.CreateAttr("Destination", r.Destination)
+	}
+	if r.Issuer != nil {
+		el.AddChild(r.Issuer.Element())
+	}
+	if r.NameID != nil {
+		el.AddChild(r.NameID.Element())
+	}
+	if r.Signature != nil {
+		el.AddChild(r.Signature)
+	}
+	if r.SessionIndex != nil {
+		el.AddChild(r.SessionIndex.Element())
+	}
+	return el
+}
+
+// MarshalXML implements xml.Marshaler
+func (r *LogoutRequest) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
+	type Alias LogoutRequest
+	aux := &struct {
+		IssueInstant RelaxedTime `xml:",attr"`
+		*Alias
+	}{
+		IssueInstant: RelaxedTime(r.IssueInstant),
+		Alias:        (*Alias)(r),
+	}
+	return e.Encode(aux)
+}
+
+// UnmarshalXML implements xml.Unmarshaler
+func (r *LogoutRequest) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
+	type Alias LogoutRequest
+	aux := &struct {
+		IssueInstant RelaxedTime `xml:",attr"`
+		*Alias
+	}{
+		Alias: (*Alias)(r),
+	}
+	if err := d.DecodeElement(&aux, &start); err != nil {
+		return err
+	}
+	r.IssueInstant = time.Time(aux.IssueInstant)
+	return nil
+}
+
+// Bytes returns a byte array representation of the LogoutRequest
+func (r *LogoutRequest) Bytes() ([]byte, error) {
+	doc := etree.NewDocument()
+	doc.SetRoot(r.Element())
+
+	buf, err := doc.WriteToBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	return buf, nil
+}
+
+// Deflate returns a compressed byte array of the LogoutRequest
+func (r *LogoutRequest) Deflate() ([]byte, error) {
+	buf, err := r.Bytes()
+	if err != nil {
+		return nil, err
+	}
+
+	var b bytes.Buffer
+	writer, err := flate.NewWriter(&b, flate.DefaultCompression)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err := writer.Write(buf); err != nil {
+		return nil, err
+	}
+
+	if err := writer.Close(); err != nil {
+		return nil, err
+	}
+
+	return b.Bytes(), nil
+}
+
 // Element returns an etree.Element representing the object
 // Element returns an etree.Element representing the object in XML form.
 func (r *AuthnRequest) Element() *etree.Element {
@@ -100,31 +212,31 @@ func (r *AuthnRequest) Element() *etree.Element {
 }
 
 // MarshalXML implements xml.Marshaler
-func (a *AuthnRequest) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
+func (r *AuthnRequest) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
 	type Alias AuthnRequest
 	aux := &struct {
 		IssueInstant RelaxedTime `xml:",attr"`
 		*Alias
 	}{
-		IssueInstant: RelaxedTime(a.IssueInstant),
-		Alias:        (*Alias)(a),
+		IssueInstant: RelaxedTime(r.IssueInstant),
+		Alias:        (*Alias)(r),
 	}
 	return e.Encode(aux)
 }
 
 // UnmarshalXML implements xml.Unmarshaler
-func (a *AuthnRequest) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
+func (r *AuthnRequest) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
 	type Alias AuthnRequest
 	aux := &struct {
 		IssueInstant RelaxedTime `xml:",attr"`
 		*Alias
 	}{
-		Alias: (*Alias)(a),
+		Alias: (*Alias)(r),
 	}
 	if err := d.DecodeElement(&aux, &start); err != nil {
 		return err
 	}
-	a.IssueInstant = time.Time(aux.IssueInstant)
+	r.IssueInstant = time.Time(aux.IssueInstant)
 	return nil
 }
 
@@ -172,7 +284,7 @@ type NameIDPolicy struct {
 // Element returns an etree.Element representing the object in XML form.
 func (a *NameIDPolicy) Element() *etree.Element {
 	el := etree.NewElement("samlp:NameIDPolicy")
-	if a.Format != nil {
+	if a.Format != nil && *a.Format != "" {
 		el.CreateAttr("Format", *a.Format)
 	}
 	if a.SPNameQualifier != nil {
@@ -218,7 +330,7 @@ func (r *Response) Element() *etree.Element {
 	// cannonicalizer. This could be avoided by providing a prefix list to the
 	// cannonicalizer, but prefix lists do not appear to be implemented correctly
 	// in some libraries, so the safest action is to always produce XML that is
-	// (a) in cannonical form and (b) does not require prefix lists.
+	// (a) in canonical form and (b) does not require prefix lists.
 	el.CreateAttr("xmlns:xs", "http://www.w3.org/2001/XMLSchema")
 
 	el.CreateAttr("ID", r.ID)
@@ -357,7 +469,7 @@ const (
 	StatusNoAvailableIDP = "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"
 
 	// StatusNoPassive means Indicates the responding provider cannot authenticate the principal passively, as has been requested.
-	StatusNoPassive = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
+	StatusNoPassive = "urn:oasis:names:tc:SAML:2.0:status:NoPassive" //nolint:gosec
 
 	// StatusNoSupportedIDP is used by an intermediary to indicate that none of the identity providers in an <IDPList> are supported by the intermediary.
 	StatusNoSupportedIDP = "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"
@@ -549,6 +661,23 @@ func (a *NameID) Element() *etree.Element {
 	return el
 }
 
+// SessionIndex represents the SAML element SessionIndex.
+//
+// See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf §3.7.1
+type SessionIndex struct {
+	Value string `xml:",chardata"`
+}
+
+// Element returns an etree.Element representing the object in XML form.
+func (s *SessionIndex) Element() *etree.Element {
+	el := etree.NewElement("samlp:SessionIndex")
+	el.CreateAttr("xmlns:samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
+	if s.Value != "" {
+		el.SetText(s.Value)
+	}
+	return el
+}
+
 // SubjectConfirmation represents the SAML element SubjectConfirmation.
 //
 // See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf §2.4.1.1
@@ -763,7 +892,7 @@ func (a *ProxyRestriction) Element() *etree.Element {
 type AuthnStatement struct {
 	AuthnInstant        time.Time  `xml:",attr"`
 	SessionIndex        string     `xml:",attr"`
-	SessionNotOnOrAfter *time.Time `xml:",attr"`
+	SessionNotOnOrAfter *time.Time `xml:",attr,omitempty"`
 	SubjectLocality     *SubjectLocality
 	AuthnContext        AuthnContext
 }
@@ -775,6 +904,9 @@ func (a *AuthnStatement) Element() *etree.Element {
 	if a.SessionIndex != "" {
 		el.CreateAttr("SessionIndex", a.SessionIndex)
 	}
+	if a.SessionNotOnOrAfter != nil {
+		el.CreateAttr("SessionNotOnOrAfter", a.SessionNotOnOrAfter.Format(timeFormat))
+	}
 	if a.SubjectLocality != nil {
 		el.AddChild(a.SubjectLocality.Element())
 	}
@@ -786,11 +918,13 @@ func (a *AuthnStatement) Element() *etree.Element {
 func (a *AuthnStatement) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
 	type Alias AuthnStatement
 	aux := &struct {
-		AuthnInstant RelaxedTime `xml:",attr"`
+		AuthnInstant        RelaxedTime  `xml:",attr"`
+		SessionNotOnOrAfter *RelaxedTime `xml:",attr,omitempty"`
 		*Alias
 	}{
-		AuthnInstant: RelaxedTime(a.AuthnInstant),
-		Alias:        (*Alias)(a),
+		AuthnInstant:        RelaxedTime(a.AuthnInstant),
+		SessionNotOnOrAfter: (*RelaxedTime)(a.SessionNotOnOrAfter),
+		Alias:               (*Alias)(a),
 	}
 	return e.EncodeElement(aux, start)
 }
@@ -799,7 +933,8 @@ func (a *AuthnStatement) MarshalXML(e *xml.Encoder, start xml.StartElement) erro
 func (a *AuthnStatement) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
 	type Alias AuthnStatement
 	aux := &struct {
-		AuthnInstant RelaxedTime `xml:",attr"`
+		AuthnInstant        RelaxedTime  `xml:",attr"`
+		SessionNotOnOrAfter *RelaxedTime `xml:",attr,omitempty"`
 		*Alias
 	}{
 		Alias: (*Alias)(a),
@@ -808,6 +943,7 @@ func (a *AuthnStatement) UnmarshalXML(d *xml.Decoder, start xml.StartElement) er
 		return err
 	}
 	a.AuthnInstant = time.Time(aux.AuthnInstant)
+	a.SessionNotOnOrAfter = (*time.Time)(aux.SessionNotOnOrAfter)
 	return nil
 }
 
@@ -929,3 +1065,76 @@ func (a *AttributeValue) Element() *etree.Element {
 	el.SetText(a.Value)
 	return el
 }
+
+// LogoutResponse represents the SAML object of the same name.
+//
+// See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+type LogoutResponse struct {
+	XMLName      xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutResponse"`
+	ID           string    `xml:",attr"`
+	InResponseTo string    `xml:",attr"`
+	Version      string    `xml:",attr"`
+	IssueInstant time.Time `xml:",attr"`
+	Destination  string    `xml:",attr"`
+	Consent      string    `xml:",attr"`
+	Issuer       *Issuer   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
+	Signature    *etree.Element
+	Status       Status `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
+}
+
+// Element returns an etree.Element representing the object in XML form.
+func (r *LogoutResponse) Element() *etree.Element {
+	el := etree.NewElement("samlp:LogoutResponse")
+	el.CreateAttr("xmlns:saml", "urn:oasis:names:tc:SAML:2.0:assertion")
+	el.CreateAttr("xmlns:samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
+
+	el.CreateAttr("ID", r.ID)
+	if r.InResponseTo != "" {
+		el.CreateAttr("InResponseTo", r.InResponseTo)
+	}
+	el.CreateAttr("Version", r.Version)
+	el.CreateAttr("IssueInstant", r.IssueInstant.Format(timeFormat))
+	if r.Destination != "" {
+		el.CreateAttr("Destination", r.Destination)
+	}
+	if r.Consent != "" {
+		el.CreateAttr("Consent", r.Consent)
+	}
+	if r.Issuer != nil {
+		el.AddChild(r.Issuer.Element())
+	}
+	if r.Signature != nil {
+		el.AddChild(r.Signature)
+	}
+	el.AddChild(r.Status.Element())
+	return el
+}
+
+// MarshalXML implements xml.Marshaler
+func (r *LogoutResponse) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
+	type Alias LogoutResponse
+	aux := &struct {
+		IssueInstant RelaxedTime `xml:",attr"`
+		*Alias
+	}{
+		IssueInstant: RelaxedTime(r.IssueInstant),
+		Alias:        (*Alias)(r),
+	}
+	return e.Encode(aux)
+}
+
+// UnmarshalXML implements xml.Unmarshaler
+func (r *LogoutResponse) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
+	type Alias LogoutResponse
+	aux := &struct {
+		IssueInstant RelaxedTime `xml:",attr"`
+		*Alias
+	}{
+		Alias: (*Alias)(r),
+	}
+	if err := d.DecodeElement(&aux, &start); err != nil {
+		return err
+	}
+	r.IssueInstant = time.Time(aux.IssueInstant)
+	return nil
+}
diff --git a/schema_test.go b/schema_test.go
index 2a55d2d7..22e58793 100644
--- a/schema_test.go
+++ b/schema_test.go
@@ -2,22 +2,20 @@ package saml
 
 import (
 	"encoding/xml"
+	"testing"
+	"time"
 
 	"github.com/beevik/etree"
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
-var _ = Suite(&SchemaTest{})
-
-type SchemaTest struct {
-}
-
-func (test *SchemaTest) TestAttributeXMLRoundTrip(c *C) {
+func TestAttributeXMLRoundTrip(t *testing.T) {
 	expected := Attribute{
 		FriendlyName: "TestFriendlyName",
 		Name:         "TestName",
 		NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
-		Values: []AttributeValue{AttributeValue{
+		Values: []AttributeValue{{
 			Type:  "xs:string",
 			Value: "test",
 		}},
@@ -26,11 +24,73 @@ func (test *SchemaTest) TestAttributeXMLRoundTrip(c *C) {
 	doc := etree.NewDocument()
 	doc.SetRoot(expected.Element())
 	x, err := doc.WriteToBytes()
-	c.Assert(err, IsNil)
-	c.Assert(string(x), Equals, "<saml:Attribute FriendlyName=\"TestFriendlyName\" Name=\"TestName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"><saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xsi:type=\"xs:string\">test</saml:AttributeValue></saml:Attribute>")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("<saml:Attribute FriendlyName=\"TestFriendlyName\" Name=\"TestName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"><saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xsi:type=\"xs:string\">test</saml:AttributeValue></saml:Attribute>",
+		string(x)))
 
 	var actual Attribute
 	err = xml.Unmarshal(x, &actual)
-	c.Assert(err, IsNil)
-	c.Assert(actual, DeepEquals, expected)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual(expected, actual))
+}
+
+func TestNameIDFormat(t *testing.T) {
+	var emptyString string
+	el := NameIDPolicy{
+		Format: &emptyString,
+	}
+	doc := etree.NewDocument()
+	doc.SetRoot(el.Element())
+	x, err := doc.WriteToBytes()
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("<samlp:NameIDPolicy/>",
+		string(x)))
+}
+
+func TestAuthnStatementXMLRoundTrip(t *testing.T) {
+	authnInstant := time.Date(2020, 7, 21, 12, 30, 45, 0, time.UTC)
+	sessionNotOnOrAfter := time.Date(2020, 7, 22, 15, 0, 0, 0, time.UTC)
+	expected := AuthnStatement{
+		AuthnInstant:        authnInstant,
+		SessionIndex:        "index",
+		SessionNotOnOrAfter: &sessionNotOnOrAfter,
+	}
+
+	doc := etree.NewDocument()
+	doc.SetRoot(expected.Element())
+	x, err := doc.WriteToBytes()
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(`<saml:AuthnStatement AuthnInstant="2020-07-21T12:30:45Z" SessionIndex="index" SessionNotOnOrAfter="2020-07-22T15:00:00Z"><saml:AuthnContext/></saml:AuthnStatement>`,
+		string(x)))
+
+	var actual AuthnStatement
+	err = xml.Unmarshal(x, &actual)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual(expected, actual))
+
+	x, err = xml.Marshal(expected)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(`<AuthnStatement AuthnInstant="2020-07-21T12:30:45Z" SessionIndex="index" SessionNotOnOrAfter="2020-07-22T15:00:00Z"><AuthnContext></AuthnContext></AuthnStatement>`,
+		string(x)))
+}
+
+func TestAuthnStatementMarshalWithoutSessionNotOnOrAfter(t *testing.T) {
+	authnInstant := time.Date(2020, 7, 21, 12, 30, 45, 0, time.UTC)
+	expected := AuthnStatement{
+		AuthnInstant:        authnInstant,
+		SessionIndex:        "index",
+		SessionNotOnOrAfter: nil,
+	}
+
+	doc := etree.NewDocument()
+	doc.SetRoot(expected.Element())
+	x, err := doc.WriteToBytes()
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(`<saml:AuthnStatement AuthnInstant="2020-07-21T12:30:45Z" SessionIndex="index"><saml:AuthnContext/></saml:AuthnStatement>`,
+		string(x)))
+
+	var actual AuthnStatement
+	err = xml.Unmarshal(x, &actual)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual(expected, actual))
 }
diff --git a/service_provider.go b/service_provider.go
index fe1045c8..cc973075 100644
--- a/service_provider.go
+++ b/service_provider.go
@@ -4,27 +4,33 @@ import (
 	"bytes"
 	"compress/flate"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/xml"
 	"errors"
 	"fmt"
 	"html/template"
+	"io"
 	"net/http"
 	"net/url"
+	"reflect"
 	"regexp"
 	"time"
 
+	xrv "github.com/mattermost/xml-roundtrip-validator"
+
 	"github.com/beevik/etree"
-	"github.com/lightstep/saml/logger"
-	"github.com/lightstep/saml/xmlenc"
 	dsig "github.com/russellhaering/goxmldsig"
 	"github.com/russellhaering/goxmldsig/etreeutils"
+
+	"github.com/lightstep/saml/xmlenc"
 )
 
 // NameIDFormat is the format of the id
 type NameIDFormat string
 
+// Element returns an XML element representation of n.
 func (n NameIDFormat) Element() *etree.Element {
 	el := etree.NewElement("")
 	el.SetText(string(n))
@@ -37,8 +43,17 @@ const (
 	UnspecifiedNameIDFormat  NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
 	TransientNameIDFormat    NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
 	EmailAddressNameIDFormat NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+	PersistentNameIDFormat   NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
 )
 
+// SignatureVerifier verifies a signature
+//
+// Can be implemented in order to override ServiceProvider's default
+// way of verifying signatures.
+type SignatureVerifier interface {
+	VerifySignature(validationContext *dsig.ValidationContext, el *etree.Element) error
+}
+
 // ServiceProvider implements SAML Service provider.
 //
 // In SAML, service providers delegate responsibility for identifying
@@ -49,11 +64,15 @@ const (
 // See the example directory for an example of a web application using
 // the service provider interface.
 type ServiceProvider struct {
+	// Entity ID is optional - if not specified then MetadataURL will be used
+	EntityID string
+
 	// Key is the RSA private key we use to sign requests.
 	Key *rsa.PrivateKey
 
 	// Certificate is the RSA public part of Key.
-	Certificate *x509.Certificate
+	Certificate   *x509.Certificate
+	Intermediates []*x509.Certificate
 
 	// MetadataURL is the full URL to the metadata endpoint on this host,
 	// i.e. https://example.com/saml/metadata
@@ -63,6 +82,10 @@ type ServiceProvider struct {
 	// on this host, i.e. https://example.com/saml/acs
 	AcsURL url.URL
 
+	// SloURL is the full URL to the SAML Single Logout endpoint on this host.
+	// i.e. https://example.com/saml/slo
+	SloURL url.URL
+
 	// IDPMetadata is the metadata from the identity provider.
 	IDPMetadata *EntityDescriptor
 
@@ -74,15 +97,26 @@ type ServiceProvider struct {
 	// attribute in the metadata endpoint
 	MetadataValidDuration time.Duration
 
-	// Logger is used to log messages for example in the event of errors
-	Logger logger.Interface
+	// ForceAuthn allows you to force re-authentication of users even if the user
+	// has a SSO session at the IdP.
+	ForceAuthn *bool
+
+	// AllowIdpInitiated
+	AllowIDPInitiated bool
+
+	// SignatureVerifier, if non-nil, allows you to implement an alternative way
+	// to verify signatures.
+	SignatureVerifier SignatureVerifier
+
+	// SignatureMethod, if non-empty, authentication requests will be signed
+	SignatureMethod string
 }
 
 // MaxIssueDelay is the longest allowed time between when a SAML assertion is
 // issued by the IDP and the time it is received by ParseResponse. This is used
 // to prevent old responses from being replayed (while allowing for some clock
 // drift between the SP and IDP).
-const MaxIssueDelay = time.Second * 90
+var MaxIssueDelay = time.Second * 90
 
 // MaxClockSkew allows for leeway for clock skew between the IDP and SP when
 // validating assertions. It defaults to 180 seconds (matches shibboleth).
@@ -96,27 +130,25 @@ const DefaultCacheDuration = time.Hour * 24 * 1
 
 // Metadata returns the service provider metadata
 func (sp *ServiceProvider) Metadata() *EntityDescriptor {
-	var validUntilPtr *time.Time
+	validDuration := DefaultValidDuration
 	if sp.MetadataValidDuration > 0 {
-		validUntil := TimeNow().Add(sp.MetadataValidDuration)
-		validUntilPtr = &validUntil
+		validDuration = sp.MetadataValidDuration
 	}
+	validUntil := TimeNow().Add(validDuration)
 
-	authnRequestsSigned := false
+	authnRequestsSigned := len(sp.SignatureMethod) > 0
 	wantAssertionsSigned := true
-	keyDescriptorSlice := []KeyDescriptor{}
+	keyDescriptors := []KeyDescriptor{}
 	if sp.Certificate != nil {
-		keyDescriptorSlice = []KeyDescriptor{
-			{
-				Use: "signing",
-				KeyInfo: KeyInfo{
-					Certificate: base64.StdEncoding.EncodeToString(sp.Certificate.Raw),
-				},
-			},
+		certBytes := sp.Certificate.Raw
+		for _, intermediate := range sp.Intermediates {
+			certBytes = append(certBytes, intermediate.Raw...)
+		}
+		keyDescriptors = []KeyDescriptor{
 			{
 				Use: "encryption",
 				KeyInfo: KeyInfo{
-					Certificate: base64.StdEncoding.EncodeToString(sp.Certificate.Raw),
+					Certificate: base64.StdEncoding.EncodeToString(certBytes),
 				},
 				EncryptionMethods: []EncryptionMethod{
 					{Algorithm: "http://www.w3.org/2001/04/xmlenc#aes128-cbc"},
@@ -126,24 +158,41 @@ func (sp *ServiceProvider) Metadata() *EntityDescriptor {
 				},
 			},
 		}
+		if len(sp.SignatureMethod) > 0 {
+			keyDescriptors = append(keyDescriptors, KeyDescriptor{
+				Use: "signing",
+				KeyInfo: KeyInfo{
+					Certificate: base64.StdEncoding.EncodeToString(certBytes),
+				},
+			})
+		}
 	}
+
 	return &EntityDescriptor{
-		EntityID:   sp.MetadataURL.String(),
-		ValidUntil: validUntilPtr,
+		EntityID:   firstSet(sp.EntityID, sp.MetadataURL.String()),
+		ValidUntil: &validUntil,
 
 		SPSSODescriptors: []SPSSODescriptor{
-			SPSSODescriptor{
+			{
 				SSODescriptor: SSODescriptor{
 					RoleDescriptor: RoleDescriptor{
 						ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
-						KeyDescriptors:             keyDescriptorSlice,
+						KeyDescriptors:             keyDescriptors,
+						ValidUntil:                 &validUntil,
+					},
+					SingleLogoutServices: []Endpoint{
+						{
+							Binding:          HTTPPostBinding,
+							Location:         sp.SloURL.String(),
+							ResponseLocation: sp.SloURL.String(),
+						},
 					},
 				},
 				AuthnRequestsSigned:  &authnRequestsSigned,
 				WantAssertionsSigned: &wantAssertionsSigned,
 
 				AssertionConsumerServices: []IndexedEndpoint{
-					IndexedEndpoint{
+					{
 						Binding:  HTTPPostBinding,
 						Location: sp.AcsURL.String(),
 						Index:    1,
@@ -158,15 +207,15 @@ func (sp *ServiceProvider) Metadata() *EntityDescriptor {
 // the HTTP-Redirect binding. It returns a URL that we will redirect the user to
 // in order to start the auth process.
 func (sp *ServiceProvider) MakeRedirectAuthenticationRequest(relayState string) (*url.URL, error) {
-	req, err := sp.MakeAuthenticationRequest(sp.GetSSOBindingLocation(HTTPRedirectBinding))
+	req, err := sp.MakeAuthenticationRequest(sp.GetSSOBindingLocation(HTTPRedirectBinding), HTTPRedirectBinding)
 	if err != nil {
 		return nil, err
 	}
-	return req.Redirect(relayState), nil
+	return req.Redirect(relayState, sp)
 }
 
 // Redirect returns a URL suitable for using the redirect binding with the request
-func (req *AuthnRequest) Redirect(relayState string) *url.URL {
+func (req *AuthnRequest) Redirect(relayState string, sp *ServiceProvider) (*url.URL, error) {
 	w := &bytes.Buffer{}
 	w1 := base64.NewEncoder(base64.StdEncoding, w)
 	w2, _ := flate.NewWriter(w1, 9)
@@ -179,15 +228,35 @@ func (req *AuthnRequest) Redirect(relayState string) *url.URL {
 	w1.Close()
 
 	rv, _ := url.Parse(req.Destination)
+	// We can't depend on Query().set() as order matters for signing
+	query := rv.RawQuery
+	if len(query) > 0 {
+		query += "&SAMLRequest=" + url.QueryEscape(w.String())
+	} else {
+		query += "SAMLRequest=" + url.QueryEscape(w.String())
+	}
 
-	query := rv.Query()
-	query.Set("SAMLRequest", string(w.Bytes()))
 	if relayState != "" {
-		query.Set("RelayState", relayState)
+		query += "&RelayState=" + relayState
 	}
-	rv.RawQuery = query.Encode()
+	if len(sp.SignatureMethod) > 0 {
+		query += "&SigAlg=" + url.QueryEscape(sp.SignatureMethod)
+		signingContext, err := GetSigningContext(sp)
 
-	return rv
+		if err != nil {
+			return nil, err
+		}
+
+		sig, err := signingContext.SignString(query)
+		if err != nil {
+			return nil, err
+		}
+		query += "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig))
+	}
+
+	rv.RawQuery = query
+
+	return rv, nil
 }
 
 // GetSSOBindingLocation returns URL for the IDP's Single Sign On Service binding
@@ -203,64 +272,68 @@ func (sp *ServiceProvider) GetSSOBindingLocation(binding string) string {
 	return ""
 }
 
-// getIDPSigningCert returns the certificate which we can use to verify things
-// signed by the IDP in PEM format, or nil if no such certificate is found.
-func (sp *ServiceProvider) getIDPSigningCert() (*x509.Certificate, error) {
-	certStr := ""
+// GetSLOBindingLocation returns URL for the IDP's Single Log Out Service binding
+// of the specified type (HTTPRedirectBinding or HTTPPostBinding)
+func (sp *ServiceProvider) GetSLOBindingLocation(binding string) string {
 	for _, idpSSODescriptor := range sp.IDPMetadata.IDPSSODescriptors {
-		for _, keyDescriptor := range idpSSODescriptor.KeyDescriptors {
-			if keyDescriptor.Use == "signing" {
-				certStr = keyDescriptor.KeyInfo.Certificate
-				break
+		for _, singleLogoutService := range idpSSODescriptor.SingleLogoutServices {
+			if singleLogoutService.Binding == binding {
+				return singleLogoutService.Location
 			}
 		}
 	}
+	return ""
+}
 
-	// If there are no explicitly signing certs, just return the first
-	// non-empty cert we find.
-	if certStr == "" {
-		for _, idpSSODescriptor := range sp.IDPMetadata.IDPSSODescriptors {
-			for _, keyDescriptor := range idpSSODescriptor.KeyDescriptors {
-				if keyDescriptor.Use == "" && keyDescriptor.KeyInfo.Certificate != "" {
-					certStr = keyDescriptor.KeyInfo.Certificate
-					break
+// getIDPSigningCerts returns the certificates which we can use to verify things
+// signed by the IDP in PEM format, or nil if no such certificate is found.
+func (sp *ServiceProvider) getIDPSigningCerts() ([]*x509.Certificate, error) {
+	var certStrs []string
+
+	// We need to include non-empty certs where the "use" attribute is
+	// either set to "signing" or is missing
+	for _, idpSSODescriptor := range sp.IDPMetadata.IDPSSODescriptors {
+		for _, keyDescriptor := range idpSSODescriptor.KeyDescriptors {
+			if keyDescriptor.KeyInfo.Certificate != "" {
+				switch keyDescriptor.Use {
+				case "", "signing":
+					certStrs = append(certStrs, keyDescriptor.KeyInfo.Certificate)
 				}
 			}
 		}
 	}
 
-	if certStr == "" {
+	if len(certStrs) == 0 {
 		return nil, errors.New("cannot find any signing certificate in the IDP SSO descriptor")
 	}
 
+	var certs []*x509.Certificate
+
 	// cleanup whitespace
-	certStr = regexp.MustCompile(`\s+`).ReplaceAllString(certStr, "")
-	certBytes, err := base64.StdEncoding.DecodeString(certStr)
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse certificate: %s", err)
-	}
+	regex := regexp.MustCompile(`\s+`)
+	for _, certStr := range certStrs {
+		certStr = regex.ReplaceAllString(certStr, "")
+		certBytes, err := base64.StdEncoding.DecodeString(certStr)
+		if err != nil {
+			return nil, fmt.Errorf("cannot parse certificate: %s", err)
+		}
 
-	parsedCert, err := x509.ParseCertificate(certBytes)
-	if err != nil {
-		return nil, err
+		parsedCert, err := x509.ParseCertificate(certBytes)
+		if err != nil {
+			return nil, err
+		}
+		certs = append(certs, parsedCert)
 	}
-	return parsedCert, nil
+
+	return certs, nil
 }
 
-// MakeAuthenticationRequest produces a new AuthnRequest object for idpURL.
-func (sp *ServiceProvider) MakeAuthenticationRequest(idpURL string) (*AuthnRequest, error) {
-	var nameIDFormat string
-	switch sp.AuthnNameIDFormat {
-	case "":
-		// To maintain library back-compat, use "transient" if unset.
-		nameIDFormat = string(TransientNameIDFormat)
-	case UnspecifiedNameIDFormat:
-		// Spec defines an empty value as "unspecified" so don't set one.
-	default:
-		nameIDFormat = string(sp.AuthnNameIDFormat)
-	}
+// MakeAuthenticationRequest produces a new AuthnRequest object to send to the idpURL
+// that uses the specified binding (HTTPRedirectBinding or HTTPPostBinding)
+func (sp *ServiceProvider) MakeAuthenticationRequest(idpURL string, binding string) (*AuthnRequest, error) {
 
 	allowCreate := true
+	nameIDFormat := sp.nameIDFormat()
 	req := AuthnRequest{
 		AssertionConsumerServiceURL: sp.AcsURL.String(),
 		Destination:                 idpURL,
@@ -270,7 +343,7 @@ func (sp *ServiceProvider) MakeAuthenticationRequest(idpURL string) (*AuthnReque
 		Version:                     "2.0",
 		Issuer: &Issuer{
 			Format: "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
-			Value:  sp.MetadataURL.String(),
+			Value:  firstSet(sp.EntityID, sp.MetadataURL.String()),
 		},
 		NameIDPolicy: &NameIDPolicy{
 			AllowCreate: &allowCreate,
@@ -279,15 +352,69 @@ func (sp *ServiceProvider) MakeAuthenticationRequest(idpURL string) (*AuthnReque
 			// urn:oasis:names:tc:SAML:2.0:nameid-format:transient
 			Format: &nameIDFormat,
 		},
+		ForceAuthn: sp.ForceAuthn,
+	}
+	// We don't need to sign the XML document if the IDP uses HTTP-Redirect binding
+	if len(sp.SignatureMethod) > 0 && binding == HTTPPostBinding {
+		if err := sp.SignAuthnRequest(&req); err != nil {
+			return nil, err
+		}
 	}
 	return &req, nil
 }
 
+// GetSigningContext returns a dsig.SigningContext initialized based on the Service Provider's configuration
+func GetSigningContext(sp *ServiceProvider) (*dsig.SigningContext, error) {
+	keyPair := tls.Certificate{
+		Certificate: [][]byte{sp.Certificate.Raw},
+		PrivateKey:  sp.Key,
+		Leaf:        sp.Certificate,
+	}
+	// TODO: add intermediates for SP
+	//for _, cert := range sp.Intermediates {
+	//	keyPair.Certificate = append(keyPair.Certificate, cert.Raw)
+	//}
+	keyStore := dsig.TLSCertKeyStore(keyPair)
+
+	if sp.SignatureMethod != dsig.RSASHA1SignatureMethod &&
+		sp.SignatureMethod != dsig.RSASHA256SignatureMethod &&
+		sp.SignatureMethod != dsig.RSASHA512SignatureMethod {
+		return nil, fmt.Errorf("invalid signing method %s", sp.SignatureMethod)
+	}
+	signatureMethod := sp.SignatureMethod
+	signingContext := dsig.NewDefaultSigningContext(keyStore)
+	signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList(canonicalizerPrefixList)
+	if err := signingContext.SetSignatureMethod(signatureMethod); err != nil {
+		return nil, err
+	}
+
+	return signingContext, nil
+}
+
+// SignAuthnRequest adds the `Signature` element to the `AuthnRequest`.
+func (sp *ServiceProvider) SignAuthnRequest(req *AuthnRequest) error {
+
+	signingContext, err := GetSigningContext(sp)
+	if err != nil {
+		return err
+	}
+	assertionEl := req.Element()
+
+	signedRequestEl, err := signingContext.SignEnveloped(assertionEl)
+	if err != nil {
+		return err
+	}
+
+	sigEl := signedRequestEl.Child[len(signedRequestEl.Child)-1]
+	req.Signature = sigEl.(*etree.Element)
+	return nil
+}
+
 // MakePostAuthenticationRequest creates a SAML authentication request using
 // the HTTP-POST binding. It returns HTML text representing an HTML form that
 // can be sent presented to a browser to initiate the login process.
 func (sp *ServiceProvider) MakePostAuthenticationRequest(relayState string) ([]byte, error) {
-	req, err := sp.MakeAuthenticationRequest(sp.GetSSOBindingLocation(HTTPPostBinding))
+	req, err := sp.MakeAuthenticationRequest(sp.GetSSOBindingLocation(HTTPPostBinding), HTTPPostBinding)
 	if err != nil {
 		return nil, err
 	}
@@ -310,8 +437,8 @@ func (req *AuthnRequest) Post(relayState string) []byte {
 		`<input type="hidden" name="RelayState" value="{{.RelayState}}" />` +
 		`<input id="SAMLSubmitButton" type="submit" value="Submit" />` +
 		`</form>` +
-		`<script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";</script>` +
-		`<script>document.getElementById('SAMLRequestForm').submit();</script>`))
+		`<script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";` +
+		`document.getElementById('SAMLRequestForm').submit();</script>`))
 	data := struct {
 		URL         string
 		SAMLRequest string
@@ -369,8 +496,76 @@ func (ivr *InvalidResponseError) Error() string {
 	return fmt.Sprintf("Authentication failed")
 }
 
+// ErrBadStatus is returned when the assertion provided is valid but the
+// status code is not "urn:oasis:names:tc:SAML:2.0:status:Success".
+type ErrBadStatus struct {
+	Status string
+}
+
+func (e ErrBadStatus) Error() string {
+	return e.Status
+}
+
+func responseIsSigned(response *etree.Document) (bool, error) {
+	signatureElement, err := findChild(response.Root(), "http://www.w3.org/2000/09/xmldsig#", "Signature")
+	if err != nil {
+		return false, err
+	}
+	return signatureElement != nil, nil
+}
+
+// validateDestination validates the Destination attribute.
+// If the response is signed, the Destination is required to be present.
+func (sp *ServiceProvider) validateDestination(response []byte, responseDom *Response) error {
+	responseXML := etree.NewDocument()
+	err := responseXML.ReadFromBytes(response)
+	if err != nil {
+		return err
+	}
+
+	signed, err := responseIsSigned(responseXML)
+	if err != nil {
+		return err
+	}
+
+	// Compare if the response is signed OR the Destination is provided.
+	// (Even if the response is not signed, if the Destination is set it must match.)
+	if signed || responseDom.Destination != "" {
+		// Compare everything except the port number, and allow parameters to appear in any order
+		if !urlsMatchModuloPortNumbers(responseDom.Destination, &sp.AcsURL) {
+			return fmt.Errorf("`Destination` does not match AcsURL (expected %q, actual %q)", sp.AcsURL.String(), responseDom.Destination)
+		}
+	}
+
+	return nil
+}
+
 // ParseResponse extracts the SAML IDP response received in req, validates
-// it, and returns the verified attributes of the request.
+// it, and returns the verified assertion.
+func (sp *ServiceProvider) ParseResponse(req *http.Request, possibleRequestIDs []string) (*Assertion, error) {
+	now := TimeNow()
+	retErr := &InvalidResponseError{
+		Now:      now,
+		Response: req.PostForm.Get("SAMLResponse"),
+	}
+
+	rawResponseBuf, err := base64.StdEncoding.DecodeString(req.PostForm.Get("SAMLResponse"))
+	if err != nil {
+		retErr.PrivateErr = fmt.Errorf("cannot parse base64: %s", err)
+		return nil, retErr
+	}
+	retErr.Response = string(rawResponseBuf)
+	assertion, err := sp.ParseXMLResponse(rawResponseBuf, possibleRequestIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	return assertion, nil
+
+}
+
+// ParseXMLResponse validates the SAML IDP response and
+// returns the verified assertion.
 //
 // This function handles decrypting the message, verifying the digital
 // signature on the assertion, and verifying that the specified conditions
@@ -380,52 +575,59 @@ func (ivr *InvalidResponseError) Error() string {
 // properties are useful in describing which part of the parsing process
 // failed. However, to discourage inadvertent disclosure the diagnostic
 // information, the Error() method returns a static string.
-func (sp *ServiceProvider) ParseResponse(req *http.Request, possibleRequestIDs []string) (*Assertion, error) {
+func (sp *ServiceProvider) ParseXMLResponse(decodedResponseXML []byte, possibleRequestIDs []string) (*Assertion, error) {
 	now := TimeNow()
+	var err error
 	retErr := &InvalidResponseError{
 		Now:      now,
-		Response: req.PostForm.Get("SAMLResponse"),
+		Response: string(decodedResponseXML),
 	}
 
-	rawResponseBuf, err := base64.StdEncoding.DecodeString(req.PostForm.Get("SAMLResponse"))
-	if err != nil {
-		retErr.PrivateErr = fmt.Errorf("cannot parse base64: %s", err)
+	// ensure that the response XML is well formed before we parse it
+	if err := xrv.Validate(bytes.NewReader(decodedResponseXML)); err != nil {
+		retErr.PrivateErr = fmt.Errorf("invalid xml: %s", err)
 		return nil, retErr
 	}
-	retErr.Response = string(rawResponseBuf)
 
 	// do some validation first before we decrypt
 	resp := Response{}
-	if err := xml.Unmarshal(rawResponseBuf, &resp); err != nil {
+	if err := xml.Unmarshal(decodedResponseXML, &resp); err != nil {
 		retErr.PrivateErr = fmt.Errorf("cannot unmarshal response: %s", err)
 		return nil, retErr
 	}
-	if resp.Destination != sp.AcsURL.String() {
-		retErr.PrivateErr = fmt.Errorf("`Destination` does not match AcsURL (expected %q)", sp.AcsURL.String())
+
+	if err := sp.validateDestination(decodedResponseXML, &resp); err != nil {
+		retErr.PrivateErr = err
 		return nil, retErr
 	}
 
 	requestIDvalid := false
-	for _, possibleRequestID := range possibleRequestIDs {
-		if resp.InResponseTo == possibleRequestID {
-			requestIDvalid = true
+
+	if sp.AllowIDPInitiated {
+		requestIDvalid = true
+	} else {
+		for _, possibleRequestID := range possibleRequestIDs {
+			if resp.InResponseTo == possibleRequestID {
+				requestIDvalid = true
+			}
 		}
 	}
+
 	if !requestIDvalid {
 		retErr.PrivateErr = fmt.Errorf("`InResponseTo` does not match any of the possible request IDs (expected %v)", possibleRequestIDs)
 		return nil, retErr
 	}
 
 	if resp.IssueInstant.Add(MaxIssueDelay).Before(now) {
-		retErr.PrivateErr = fmt.Errorf("IssueInstant expired at %s", resp.IssueInstant.Add(MaxIssueDelay))
+		retErr.PrivateErr = fmt.Errorf("response IssueInstant expired at %s", resp.IssueInstant.Add(MaxIssueDelay))
 		return nil, retErr
 	}
-	if resp.Issuer.Value != sp.IDPMetadata.EntityID {
-		retErr.PrivateErr = fmt.Errorf("Issuer does not match the IDP metadata (expected %q)", sp.IDPMetadata.EntityID)
+	if resp.Issuer != nil && resp.Issuer.Value != sp.IDPMetadata.EntityID {
+		retErr.PrivateErr = fmt.Errorf("response Issuer does not match the IDP metadata (expected %q)", sp.IDPMetadata.EntityID)
 		return nil, retErr
 	}
 	if resp.Status.StatusCode.Value != StatusSuccess {
-		retErr.PrivateErr = fmt.Errorf("Status code was not %s", StatusSuccess)
+		retErr.PrivateErr = ErrBadStatus{Status: resp.Status.StatusCode.Value}
 		return nil, retErr
 	}
 
@@ -433,7 +635,7 @@ func (sp *ServiceProvider) ParseResponse(req *http.Request, possibleRequestIDs [
 	if resp.EncryptedAssertion == nil {
 
 		doc := etree.NewDocument()
-		if err := doc.ReadFromBytes(rawResponseBuf); err != nil {
+		if err := doc.ReadFromBytes(decodedResponseXML); err != nil {
 			retErr.PrivateErr = err
 			return nil, retErr
 		}
@@ -456,30 +658,65 @@ func (sp *ServiceProvider) ParseResponse(req *http.Request, possibleRequestIDs [
 	// decrypt the response
 	if resp.EncryptedAssertion != nil {
 		doc := etree.NewDocument()
-		if err := doc.ReadFromBytes(rawResponseBuf); err != nil {
+		if err := doc.ReadFromBytes(decodedResponseXML); err != nil {
 			retErr.PrivateErr = err
 			return nil, retErr
 		}
+
+		// encrypted assertions are part of the signature
+		// before decrypting the response verify that
+		responseSigned, err := responseIsSigned(doc)
+		if err != nil {
+			retErr.PrivateErr = err
+			return nil, retErr
+		}
+		if responseSigned {
+			if err := sp.validateSigned(doc.Root()); err != nil {
+				retErr.PrivateErr = err
+				return nil, retErr
+			}
+		}
+
+		var key interface{} = sp.Key
+		keyEl := doc.FindElement("//EncryptedAssertion/EncryptedKey")
+		if keyEl != nil {
+			key, err = xmlenc.Decrypt(sp.Key, keyEl)
+			if err != nil {
+				retErr.PrivateErr = fmt.Errorf("failed to decrypt key from response: %s", err)
+				return nil, retErr
+			}
+		}
+
 		el := doc.FindElement("//EncryptedAssertion/EncryptedData")
-		plaintextAssertion, err := xmlenc.Decrypt(sp.Key, el)
+		plaintextAssertion, err := xmlenc.Decrypt(key, el)
 		if err != nil {
 			retErr.PrivateErr = fmt.Errorf("failed to decrypt response: %s", err)
 			return nil, retErr
 		}
 		retErr.Response = string(plaintextAssertion)
 
+		// TODO(ross): add test case for this
+		if err := xrv.Validate(bytes.NewReader(plaintextAssertion)); err != nil {
+			retErr.PrivateErr = fmt.Errorf("plaintext response contains invalid XML: %s", err)
+			return nil, retErr
+		}
+
 		doc = etree.NewDocument()
 		if err := doc.ReadFromBytes(plaintextAssertion); err != nil {
 			retErr.PrivateErr = fmt.Errorf("cannot parse plaintext response %v", err)
 			return nil, retErr
 		}
 
-		if err := sp.validateSigned(doc.Root()); err != nil {
+		// the decrypted assertion may be signed too
+		// otherwise, a signed response is sufficient
+		if err := sp.validateSigned(doc.Root()); err != nil && !responseSigned {
 			retErr.PrivateErr = err
 			return nil, retErr
 		}
 
 		assertion = &Assertion{}
+		// Note: plaintextAssertion is known to be safe to parse because
+		// plaintextAssertion is unmodified from when xrv.Validate() was called above.
 		if err := xml.Unmarshal(plaintextAssertion, assertion); err != nil {
 			retErr.PrivateErr = err
 			return nil, retErr
@@ -494,6 +731,21 @@ func (sp *ServiceProvider) ParseResponse(req *http.Request, possibleRequestIDs [
 	return assertion, nil
 }
 
+// urlsMatchModuloPortNumbers returns true if the URLs are equivalent, ignoring port numbers and parameter order
+func urlsMatchModuloPortNumbers(s string, b *url.URL) bool {
+	a, err := url.Parse(s)
+	if err != nil {
+		return false
+	}
+	if a == nil && b == nil {
+		return true
+	}
+	if a == nil || b == nil {
+		return false
+	}
+	return a.Hostname() == b.Hostname() && a.Path == b.Path && reflect.DeepEqual(a.Query(), b.Query())
+}
+
 // validateAssertion checks that the conditions specified in assertion match
 // the requirements to accept. If validation fails, it returns an error describing
 // the failure. (The digital signature on the assertion is not checked -- this
@@ -507,37 +759,58 @@ func (sp *ServiceProvider) validateAssertion(assertion *Assertion, possibleReque
 	}
 	for _, subjectConfirmation := range assertion.Subject.SubjectConfirmations {
 		requestIDvalid := false
-		for _, possibleRequestID := range possibleRequestIDs {
-			if subjectConfirmation.SubjectConfirmationData.InResponseTo == possibleRequestID {
-				requestIDvalid = true
-				break
+
+		// We *DO NOT* validate InResponseTo when AllowIDPInitiated is set. Here's why:
+		//
+		// The SAML specification does not provide clear guidance for handling InResponseTo for IDP-initiated
+		// requests where there is no request to be in response to. The specification says:
+		//
+		//   InResponseTo [Optional]
+		//       The ID of a SAML protocol message in response to which an attesting entity can present the
+		//       assertion. For example, this attribute might be used to correlate the assertion to a SAML
+		//       request that resulted in its presentation.
+		//
+		// The initial thought was that we should specify a single empty string in possibleRequestIDs for IDP-initiated
+		// requests so that we would ensure that an InResponseTo was *not* provided in those cases where it wasn't
+		// expected. Even that turns out to be frustrating for users. And in practice some IDPs (e.g. Rippling)
+		// set a specific non-empty value for InResponseTo in IDP-initiated requests.
+		//
+		// Finally, it is unclear that there is significant security value in checking InResponseTo when we allow
+		// IDP initiated assertions.
+		if !sp.AllowIDPInitiated {
+			for _, possibleRequestID := range possibleRequestIDs {
+				if subjectConfirmation.SubjectConfirmationData.InResponseTo == possibleRequestID {
+					requestIDvalid = true
+					break
+				}
+			}
+			if !requestIDvalid {
+				return fmt.Errorf("assertion SubjectConfirmation one of the possible request IDs (%v)", possibleRequestIDs)
 			}
 		}
-		if !requestIDvalid {
-			return fmt.Errorf("SubjectConfirmation one of the possible request IDs (%v)", possibleRequestIDs)
-		}
-		if subjectConfirmation.SubjectConfirmationData.Recipient != sp.AcsURL.String() {
+		if !urlsMatchModuloPortNumbers(subjectConfirmation.SubjectConfirmationData.Recipient, &sp.AcsURL) {
 			return fmt.Errorf("SubjectConfirmation Recipient is not %s", sp.AcsURL.String())
 		}
 		if subjectConfirmation.SubjectConfirmationData.NotOnOrAfter.Add(MaxClockSkew).Before(now) {
-			return fmt.Errorf("SubjectConfirmationData is expired")
+			return fmt.Errorf("assertion SubjectConfirmationData is expired")
 		}
 	}
 	if assertion.Conditions.NotBefore.Add(-MaxClockSkew).After(now) {
-		return fmt.Errorf("Conditions is not yet valid")
+		return fmt.Errorf("assertion Conditions is not yet valid")
 	}
 	if assertion.Conditions.NotOnOrAfter.Add(MaxClockSkew).Before(now) {
-		return fmt.Errorf("Conditions is expired")
+		return fmt.Errorf("assertion Conditions is expired")
 	}
 
-	audienceRestrictionsValid := false
+	audienceRestrictionsValid := len(assertion.Conditions.AudienceRestrictions) == 0
+	audience := firstSet(sp.EntityID, sp.MetadataURL.String())
 	for _, audienceRestriction := range assertion.Conditions.AudienceRestrictions {
-		if audienceRestriction.Audience.Value == sp.MetadataURL.String() {
+		if urlsMatchModuloPortNumbers(audienceRestriction.Audience.Value, &sp.MetadataURL) {
 			audienceRestrictionsValid = true
 		}
 	}
 	if !audienceRestrictionsValid {
-		return fmt.Errorf("Conditions AudienceRestriction does not contain %q", sp.MetadataURL.String())
+		return fmt.Errorf("assertion Conditions AudienceRestriction does not contain %q", audience)
 	}
 	return nil
 }
@@ -614,13 +887,13 @@ func (sp *ServiceProvider) validateSigned(responseEl *etree.Element) error {
 
 // validateSignature returns nill iff the Signature embedded in the element is valid
 func (sp *ServiceProvider) validateSignature(el *etree.Element) error {
-	cert, err := sp.getIDPSigningCert()
+	certs, err := sp.getIDPSigningCerts()
 	if err != nil {
 		return err
 	}
 
 	certificateStore := dsig.MemoryX509CertificateStore{
-		Roots: []*x509.Certificate{cert},
+		Roots: certs,
 	}
 
 	validationContext := dsig.NewDefaultValidationContext(&certificateStore)
@@ -659,6 +932,438 @@ func (sp *ServiceProvider) validateSignature(el *etree.Element) error {
 		return err
 	}
 
+	if sp.SignatureVerifier != nil {
+		return sp.SignatureVerifier.VerifySignature(validationContext, el)
+	}
+
 	_, err = validationContext.Validate(el)
 	return err
 }
+
+// SignLogoutRequest adds the `Signature` element to the `LogoutRequest`.
+func (sp *ServiceProvider) SignLogoutRequest(req *LogoutRequest) error {
+	keyPair := tls.Certificate{
+		Certificate: [][]byte{sp.Certificate.Raw},
+		PrivateKey:  sp.Key,
+		Leaf:        sp.Certificate,
+	}
+	// TODO: add intermediates for SP
+	//for _, cert := range sp.Intermediates {
+	//	keyPair.Certificate = append(keyPair.Certificate, cert.Raw)
+	//}
+	keyStore := dsig.TLSCertKeyStore(keyPair)
+
+	if sp.SignatureMethod != dsig.RSASHA1SignatureMethod &&
+		sp.SignatureMethod != dsig.RSASHA256SignatureMethod &&
+		sp.SignatureMethod != dsig.RSASHA512SignatureMethod {
+		return fmt.Errorf("invalid signing method %s", sp.SignatureMethod)
+	}
+	signatureMethod := sp.SignatureMethod
+	signingContext := dsig.NewDefaultSigningContext(keyStore)
+	signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList(canonicalizerPrefixList)
+	if err := signingContext.SetSignatureMethod(signatureMethod); err != nil {
+		return err
+	}
+
+	assertionEl := req.Element()
+
+	signedRequestEl, err := signingContext.SignEnveloped(assertionEl)
+	if err != nil {
+		return err
+	}
+
+	sigEl := signedRequestEl.Child[len(signedRequestEl.Child)-1]
+	req.Signature = sigEl.(*etree.Element)
+	return nil
+}
+
+// MakeLogoutRequest produces a new LogoutRequest object for idpURL.
+func (sp *ServiceProvider) MakeLogoutRequest(idpURL, nameID string) (*LogoutRequest, error) {
+
+	req := LogoutRequest{
+		ID:           fmt.Sprintf("id-%x", randomBytes(20)),
+		IssueInstant: TimeNow(),
+		Version:      "2.0",
+		Destination:  idpURL,
+		Issuer: &Issuer{
+			Format: "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
+			Value:  firstSet(sp.EntityID, sp.MetadataURL.String()),
+		},
+		NameID: &NameID{
+			Format:          sp.nameIDFormat(),
+			Value:           nameID,
+			NameQualifier:   sp.IDPMetadata.EntityID,
+			SPNameQualifier: sp.Metadata().EntityID,
+		},
+	}
+	if len(sp.SignatureMethod) > 0 {
+		if err := sp.SignLogoutRequest(&req); err != nil {
+			return nil, err
+		}
+	}
+	return &req, nil
+}
+
+// MakeRedirectLogoutRequest creates a SAML authentication request using
+// the HTTP-Redirect binding. It returns a URL that we will redirect the user to
+// in order to start the auth process.
+func (sp *ServiceProvider) MakeRedirectLogoutRequest(nameID, relayState string) (*url.URL, error) {
+	req, err := sp.MakeLogoutRequest(sp.GetSLOBindingLocation(HTTPRedirectBinding), nameID)
+	if err != nil {
+		return nil, err
+	}
+	return req.Redirect(relayState), nil
+}
+
+// Redirect returns a URL suitable for using the redirect binding with the request
+func (req *LogoutRequest) Redirect(relayState string) *url.URL {
+	w := &bytes.Buffer{}
+	w1 := base64.NewEncoder(base64.StdEncoding, w)
+	w2, _ := flate.NewWriter(w1, 9)
+	doc := etree.NewDocument()
+	doc.SetRoot(req.Element())
+	if _, err := doc.WriteTo(w2); err != nil {
+		panic(err)
+	}
+	w2.Close()
+	w1.Close()
+
+	rv, _ := url.Parse(req.Destination)
+
+	query := rv.Query()
+	query.Set("SAMLRequest", w.String())
+	if relayState != "" {
+		query.Set("RelayState", relayState)
+	}
+	rv.RawQuery = query.Encode()
+
+	return rv
+}
+
+// MakePostLogoutRequest creates a SAML authentication request using
+// the HTTP-POST binding. It returns HTML text representing an HTML form that
+// can be sent presented to a browser to initiate the logout process.
+func (sp *ServiceProvider) MakePostLogoutRequest(nameID, relayState string) ([]byte, error) {
+	req, err := sp.MakeLogoutRequest(sp.GetSLOBindingLocation(HTTPPostBinding), nameID)
+	if err != nil {
+		return nil, err
+	}
+	return req.Post(relayState), nil
+}
+
+// Post returns an HTML form suitable for using the HTTP-POST binding with the request
+func (req *LogoutRequest) Post(relayState string) []byte {
+	doc := etree.NewDocument()
+	doc.SetRoot(req.Element())
+	reqBuf, err := doc.WriteToBytes()
+	if err != nil {
+		panic(err)
+	}
+	encodedReqBuf := base64.StdEncoding.EncodeToString(reqBuf)
+
+	tmpl := template.Must(template.New("saml-post-form").Parse(`` +
+		`<form method="post" action="{{.URL}}" id="SAMLRequestForm">` +
+		`<input type="hidden" name="SAMLRequest" value="{{.SAMLRequest}}" />` +
+		`<input type="hidden" name="RelayState" value="{{.RelayState}}" />` +
+		`<input id="SAMLSubmitButton" type="submit" value="Submit" />` +
+		`</form>` +
+		`<script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";` +
+		`document.getElementById('SAMLRequestForm').submit();</script>`))
+	data := struct {
+		URL         string
+		SAMLRequest string
+		RelayState  string
+	}{
+		URL:         req.Destination,
+		SAMLRequest: encodedReqBuf,
+		RelayState:  relayState,
+	}
+
+	rv := bytes.Buffer{}
+	if err := tmpl.Execute(&rv, data); err != nil {
+		panic(err)
+	}
+
+	return rv.Bytes()
+}
+
+// MakeLogoutResponse produces a new LogoutResponse object for idpURL and logoutRequestID.
+func (sp *ServiceProvider) MakeLogoutResponse(idpURL, logoutRequestID string) (*LogoutResponse, error) {
+	response := LogoutResponse{
+		ID:           fmt.Sprintf("id-%x", randomBytes(20)),
+		InResponseTo: logoutRequestID,
+		Version:      "2.0",
+		IssueInstant: TimeNow(),
+		Destination:  idpURL,
+		Issuer: &Issuer{
+			Format: "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
+			Value:  firstSet(sp.EntityID, sp.MetadataURL.String()),
+		},
+		Status: Status{
+			StatusCode: StatusCode{
+				Value: StatusSuccess,
+			},
+		},
+	}
+
+	if len(sp.SignatureMethod) > 0 {
+		if err := sp.SignLogoutResponse(&response); err != nil {
+			return nil, err
+		}
+	}
+	return &response, nil
+}
+
+// MakeRedirectLogoutResponse creates a SAML LogoutResponse using
+// the HTTP-Redirect binding. It returns a URL that we will redirect the user to
+// for LogoutResponse.
+func (sp *ServiceProvider) MakeRedirectLogoutResponse(logoutRequestID, relayState string) (*url.URL, error) {
+	resp, err := sp.MakeLogoutResponse(sp.GetSLOBindingLocation(HTTPRedirectBinding), logoutRequestID)
+	if err != nil {
+		return nil, err
+	}
+	return resp.Redirect(relayState), nil
+}
+
+// Redirect returns a URL suitable for using the redirect binding with the LogoutResponse.
+func (resp *LogoutResponse) Redirect(relayState string) *url.URL {
+	w := &bytes.Buffer{}
+	w1 := base64.NewEncoder(base64.StdEncoding, w)
+	w2, _ := flate.NewWriter(w1, 9)
+	doc := etree.NewDocument()
+	doc.SetRoot(resp.Element())
+	if _, err := doc.WriteTo(w2); err != nil {
+		panic(err)
+	}
+	w2.Close()
+	w1.Close()
+
+	rv, _ := url.Parse(resp.Destination)
+
+	query := rv.Query()
+	query.Set("SAMLResponse", w.String())
+	if relayState != "" {
+		query.Set("RelayState", relayState)
+	}
+	rv.RawQuery = query.Encode()
+
+	return rv
+}
+
+// MakePostLogoutResponse creates a SAML LogoutResponse using
+// the HTTP-POST binding. It returns HTML text representing an HTML form that
+// can be sent presented to a browser for LogoutResponse.
+func (sp *ServiceProvider) MakePostLogoutResponse(logoutRequestID, relayState string) ([]byte, error) {
+	resp, err := sp.MakeLogoutResponse(sp.GetSLOBindingLocation(HTTPPostBinding), logoutRequestID)
+	if err != nil {
+		return nil, err
+	}
+	return resp.Post(relayState), nil
+}
+
+// Post returns an HTML form suitable for using the HTTP-POST binding with the LogoutResponse.
+func (resp *LogoutResponse) Post(relayState string) []byte {
+	doc := etree.NewDocument()
+	doc.SetRoot(resp.Element())
+	reqBuf, err := doc.WriteToBytes()
+	if err != nil {
+		panic(err)
+	}
+	encodedReqBuf := base64.StdEncoding.EncodeToString(reqBuf)
+
+	tmpl := template.Must(template.New("saml-post-form").Parse(`` +
+		`<form method="post" action="{{.URL}}" id="SAMLResponseForm">` +
+		`<input type="hidden" name="SAMLResponse" value="{{.SAMLResponse}}" />` +
+		`<input type="hidden" name="RelayState" value="{{.RelayState}}" />` +
+		`<input id="SAMLSubmitButton" type="submit" value="Submit" />` +
+		`</form>` +
+		`<script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";` +
+		`document.getElementById('SAMLResponseForm').submit();</script>`))
+	data := struct {
+		URL          string
+		SAMLResponse string
+		RelayState   string
+	}{
+		URL:          resp.Destination,
+		SAMLResponse: encodedReqBuf,
+		RelayState:   relayState,
+	}
+
+	rv := bytes.Buffer{}
+	if err := tmpl.Execute(&rv, data); err != nil {
+		panic(err)
+	}
+
+	return rv.Bytes()
+}
+
+// SignLogoutResponse adds the `Signature` element to the `LogoutResponse`.
+func (sp *ServiceProvider) SignLogoutResponse(resp *LogoutResponse) error {
+	keyPair := tls.Certificate{
+		Certificate: [][]byte{sp.Certificate.Raw},
+		PrivateKey:  sp.Key,
+		Leaf:        sp.Certificate,
+	}
+	// TODO: add intermediates for SP
+	//for _, cert := range sp.Intermediates {
+	//	keyPair.Certificate = append(keyPair.Certificate, cert.Raw)
+	//}
+	keyStore := dsig.TLSCertKeyStore(keyPair)
+
+	if sp.SignatureMethod != dsig.RSASHA1SignatureMethod &&
+		sp.SignatureMethod != dsig.RSASHA256SignatureMethod &&
+		sp.SignatureMethod != dsig.RSASHA512SignatureMethod {
+		return fmt.Errorf("invalid signing method %s", sp.SignatureMethod)
+	}
+	signatureMethod := sp.SignatureMethod
+	signingContext := dsig.NewDefaultSigningContext(keyStore)
+	signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList(canonicalizerPrefixList)
+	if err := signingContext.SetSignatureMethod(signatureMethod); err != nil {
+		return err
+	}
+
+	assertionEl := resp.Element()
+
+	signedRequestEl, err := signingContext.SignEnveloped(assertionEl)
+	if err != nil {
+		return err
+	}
+
+	sigEl := signedRequestEl.Child[len(signedRequestEl.Child)-1]
+	resp.Signature = sigEl.(*etree.Element)
+	return nil
+}
+
+func (sp *ServiceProvider) nameIDFormat() string {
+	var nameIDFormat string
+	switch sp.AuthnNameIDFormat {
+	case "":
+		// To maintain library back-compat, use "transient" if unset.
+		nameIDFormat = string(TransientNameIDFormat)
+	case UnspecifiedNameIDFormat:
+		// Spec defines an empty value as "unspecified" so don't set one.
+	default:
+		nameIDFormat = string(sp.AuthnNameIDFormat)
+	}
+	return nameIDFormat
+}
+
+// ValidateLogoutResponseRequest validates the LogoutResponse content from the request
+func (sp *ServiceProvider) ValidateLogoutResponseRequest(req *http.Request) error {
+	if data := req.URL.Query().Get("SAMLResponse"); data != "" {
+		return sp.ValidateLogoutResponseRedirect(data)
+	}
+
+	err := req.ParseForm()
+	if err != nil {
+		return fmt.Errorf("unable to parse form: %v", err)
+	}
+
+	return sp.ValidateLogoutResponseForm(req.PostForm.Get("SAMLResponse"))
+}
+
+// ValidateLogoutResponseForm returns a nil error if the logout response is valid.
+func (sp *ServiceProvider) ValidateLogoutResponseForm(postFormData string) error {
+	rawResponseBuf, err := base64.StdEncoding.DecodeString(postFormData)
+	if err != nil {
+		return fmt.Errorf("unable to parse base64: %s", err)
+	}
+
+	// TODO(ross): add test case for this (SLO does not have tests right now)
+	if err := xrv.Validate(bytes.NewReader(rawResponseBuf)); err != nil {
+		return fmt.Errorf("response contains invalid XML: %s", err)
+	}
+
+	var resp LogoutResponse
+	if err := xml.Unmarshal(rawResponseBuf, &resp); err != nil {
+		return fmt.Errorf("cannot unmarshal response: %s", err)
+	}
+
+	if err := sp.validateLogoutResponse(&resp); err != nil {
+		return err
+	}
+
+	doc := etree.NewDocument()
+	if err := doc.ReadFromBytes(rawResponseBuf); err != nil {
+		return err
+	}
+
+	responseEl := doc.Root()
+	if err = sp.validateSigned(responseEl); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ValidateLogoutResponseRedirect returns a nil error if the logout response is valid.
+//
+// URL Binding appears to be gzip / flate encoded
+// See https://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf  6.6
+func (sp *ServiceProvider) ValidateLogoutResponseRedirect(queryParameterData string) error {
+	rawResponseBuf, err := base64.StdEncoding.DecodeString(queryParameterData)
+	if err != nil {
+		return fmt.Errorf("unable to parse base64: %s", err)
+	}
+
+	gr, err := io.ReadAll(flate.NewReader(bytes.NewBuffer(rawResponseBuf)))
+	if err != nil {
+		return err
+	}
+
+	if err := xrv.Validate(bytes.NewReader(gr)); err != nil {
+		return err
+	}
+
+	decoder := xml.NewDecoder(bytes.NewReader(gr))
+
+	var resp LogoutResponse
+
+	err = decoder.Decode(&resp)
+	if err != nil {
+		return fmt.Errorf("unable to flate decode: %s", err)
+	}
+
+	if err := sp.validateLogoutResponse(&resp); err != nil {
+		return err
+	}
+
+	doc := etree.NewDocument()
+	if _, err := doc.ReadFrom(bytes.NewReader(gr)); err != nil {
+		return err
+	}
+
+	responseEl := doc.Root()
+	if err = sp.validateSigned(responseEl); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// validateLogoutResponse validates the LogoutResponse fields. Returns a nil error if the LogoutResponse is valid.
+func (sp *ServiceProvider) validateLogoutResponse(resp *LogoutResponse) error {
+	if resp.Destination != sp.SloURL.String() {
+		return fmt.Errorf("`Destination` does not match SloURL (expected %q)", sp.SloURL.String())
+	}
+
+	now := time.Now()
+	if resp.IssueInstant.Add(MaxIssueDelay).Before(now) {
+		return fmt.Errorf("issueInstant expired at %s", resp.IssueInstant.Add(MaxIssueDelay))
+	}
+	if resp.Issuer.Value != sp.IDPMetadata.EntityID {
+		return fmt.Errorf("issuer does not match the IDP metadata (expected %q)", sp.IDPMetadata.EntityID)
+	}
+	if resp.Status.StatusCode.Value != StatusSuccess {
+		return fmt.Errorf("status code was not %s", StatusSuccess)
+	}
+
+	return nil
+}
+
+func firstSet(a, b string) string {
+	if a == "" {
+		return b
+	}
+	return a
+}
diff --git a/service_provider_test.go b/service_provider_test.go
index 87354c25..d2a9d520 100644
--- a/service_provider_test.go
+++ b/service_provider_test.go
@@ -1,33 +1,34 @@
 package saml
 
 import (
+	"bytes"
+	"crypto/rsa"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/xml"
+	"html"
 	"net/http"
 	"net/url"
+	"regexp"
+	"strings"
 	"testing"
 	"time"
 
-	"github.com/kr/pretty"
 	"github.com/lightstep/saml/testsaml"
-	dsig "github.com/russellhaering/goxmldsig"
-
-	"crypto/rsa"
-
-	"crypto/x509"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
 
-	. "gopkg.in/check.v1"
+	"github.com/beevik/etree"
+	dsig "github.com/russellhaering/goxmldsig"
 )
 
-// Hook up gocheck into the "go test" runner.
-func Test(t *testing.T) { TestingT(t) }
-
 type ServiceProviderTest struct {
-	AuthnRequest string
-	SamlResponse string
+	AuthnRequest []byte
+	SamlResponse []byte
 	Key          *rsa.PrivateKey
 	Certificate  *x509.Certificate
-	IDPMetadata  string
+	IDPMetadata  []byte
 }
 
 // Helper to decode SAML redirect binding requests
@@ -35,11 +36,9 @@ type ServiceProviderTest struct {
 //     x1 := "lJJBj9MwEIX%2FSuR7Y4%2FJRisriVS2Qqq0QNUAB27GmbYWiV08E6D%2FHqeA6AnKdfz85nvPbtYzn8Iev8xIXHyfxkCtmFMw0ZInE%2ByEZNiZfv362ehSmXOKHF0cRbEmwsQ%2BhqcYaJ4w9Zi%2Beofv98%2BtODGfyUgJD3UNVVWV4Zji59JHSXYatbSORLHJO32wi8efG344l5wP6OQ%2FlTEdl4HMWw9%2BRLlgaLnHwSd0LPv%2BrSi2m1b4YaWU0qpStXpUVjmFoEBDBTU8ggUHmIVEM24DsQ3cCq3gYQV6peCdAvMCjIaPotj9ivfSh8GHYytE8QETXQlzfNE1V5d0T1X2d0GieBXTZPnv8mWScxyuUoOBPV9E968iJ2Q7WLaN%2FAnWNW%2Byz3azi6N3l%2F980XGM354SWsZWcJpRdPcDc7KBfMZu5C1B18jbL9b9CAAA%2F%2F8%3D"
 //     x2, _ := url.QueryUnescape(x1)
 //     x3, _ := base64.StdEncoding.DecodeString(x2)
-//     x4, _ := ioutil.ReadAll(flate.NewReader(bytes.NewReader(x3)))
+//     x4, _ := io.ReadAll(flate.NewReader(bytes.NewReader(x3)))
 //     fmt.Printf("%s\n", x4)
 
-var _ = Suite(&ServiceProviderTest{})
-
 type testRandomReader struct {
 	Next byte
 }
@@ -52,7 +51,7 @@ func (tr *testRandomReader) Read(p []byte) (n int, err error) {
 	return len(p), nil
 }
 
-func (test *ServiceProviderTest) SetUpTest(c *C) {
+func NewServiceProviderTest(t *testing.T) *ServiceProviderTest {
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Dec 1 01:57:09 UTC 2015")
 		return rv
@@ -61,14 +60,18 @@ func (test *ServiceProviderTest) SetUpTest(c *C) {
 
 	RandReader = &testRandomReader{}
 
-	test.AuthnRequest = `https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?RelayState=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1cmkiOiIvIn0.eoUmy2fQduAz--6N82xIOmufY1ZZeRi5x--B7m1pNIY&SAMLRequest=lJJBj9MwEIX%2FSuR7Yzt10sZKIpWtkCotsGqB%2B5BMW4vELp4JsP8et4DYE5Tr%2BPnN957dbGY%2B%2Bz1%2BmZE4%2Bz6NnloxR28DkCPrYUKy3NvD5s2jLXJlLzFw6MMosg0RRnbBPwRP84TxgPGr6%2FHD%2FrEVZ%2BYLWSl1WVXaGJP7UwyfcxckwTQWEnoS2TbtdB6uHn9uuOGSczqgs%2FuUh3i6DmTaenQjyitGIfc4uIg9y8Phnch221a4YVFjpVflcqgM1sUajiWsYGk01KujKVRfJyHRjDtPDJ5bUShdLrReLNX7QtmysrrMK6Pqem3MeqFKq5TInn6lfeX84PypFSL7iJFuwKkN0TU303hPc%2FC7L5G9DnEC%2Frv8OkmxjjepRc%2BOn0X3r14nZBiAoZE%2FwbrmbfLZbZ%2FC6Prn%2F3zgcQzfHiICYys4zii6%2B4E5gieXsBv5kqBr5Msf1%2F0IAAD%2F%2Fw%3D%3D`
-	test.SamlResponse = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" Destination=\"https://15661444.ngrok.io/saml2/acs\" ID=\"_e9b3332eeaf348da6786aed16300aca9\" InResponseTo=\"id-9e61753d64e928af5a7a341a97f420c9\" IssueInstant=\"2015-12-01T01:56:21.375Z\" Version=\"2.0\"><saml2:Issuer xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\"><xenc:EncryptedData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"_dab0b1dbbc0595ab06473034e3bb798c\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"/><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><xenc:EncryptedKey Id=\"_dd9264352cef16103cdb21fae97fa951\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE\nCAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX\nDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x\nEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308\nkWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv\nSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf\nnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv\nTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+\ncvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>i/wh2ubXbhTH5W3hwc5VEf4DH1xifeTuxoe64ULopGJ0M0XxBKgDEIfTg59JUMmDYB4L8UStTFfqJk9BRGcMeYWVfckn5gCwLptD9cz26irw+7Ud7MIorA7z68v8rEyzwagKjz8VKvX1afgec0wobVTNN3M1Bn+SOyMhAu+Z4tE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>a6PZohc8i16b2HG5irLqbzAt8zMI6OAjBprhcDb+w6zvjU2Pi9KgGRBAESLKmVfBR0Nf6C/cjozCGyelfVMtx9toIV1C3jtanoI45hq2EZZVprKMKGdCsAbXbhwYrd06QyGYvLjTn9iqako6+ifxtoFHJOkhMQShDMv8l3p5n36iFrJ4kUT3pSOIl4a479INcayp2B4u9MVJybvN7iqp/5dMEG5ZLRCmtczfo6NsUmu+bmT7O/Xs0XeDmqICrfI3TTLzKSOb8r0iZOaii5qjfTALDQ10hlqxV4fgd51FFGG7eHr+HHD+FT6Q9vhNjKd+4UVT2LZlaEiMw888vyBKtfl6gTsuJbln0fHRPmOGYeoJlAdfpukhxqTbgdzOke2NY5VLw72ieUWREAEdVXBolrzbSaafumQGuW7c8cjLCDPOlaYIvWsQzQOp5uL5mw4y4S7yNPtTAa5czcf+xgw4MGatcWeDFv0gMTlnBAGIT+QNLK/+idRSpnYwjPO407UNNa2HSX3QpZsutbxyskqvuMgp08DcI2+7+NrTXtQjR5knhCwRNkGTOqVxEBD6uExSjbLBbFmd4jgKn73SqHStk0wCkKatxbZMD8YosTu9mrU2wuWacZ1GFRMlk28oaeXl9qUDnqBwZ5EoxT/jDjWIMWw9b40InvZK6kKzn+v3BSGKqzq2Ecj9yxE7u5/51NC+tFyZiN2J9Lu9yehvW46xRrqFWqCyioFza5bw1yd3bzkuMMpd6UvsZPHKvWwap3+O6ngc8bMBBCLltJVOaTn/cBGsUvoARY6Rfftsx7BamrfGURd8vqq+AI6Z1OC8N3bcRCymIzw0nXdbUSqhKWwbw6P2szvAB6kCdu4+C3Bo01CEQyerCCbpfn/cZ+rPsBVlGdBOLl5eCW8oJOODruYgSRshrTnDffLQprxCddj7vSnFbVHirU8a0KwpCVCdAAL9nKppTHs0Mq2YaiMDo8mFvx+3kan/IBnJSOVL19vdLfHDbZqVh7UVFtiuWv3T15BoiefDdF/aR5joN0zRWf8l6IYcjBOskk/xgxOZhZzbJl8DcgTawD8giJ31SJ1NoOqgrSD4wBHGON4mInHkO0X5+vw1jVNPGF3BwHw0kxoCT3ZKdSsi8O4tlf1y227cf794AGnyQe13O032jYgOmM5qNkET6PyfkyD/h0ufgQq2vJvxSOiRv76Kdg0SeRuNPW9MyjO/5APHl7tBlDBEVq+LWDHl4g9h/bw+Fsi0WN4pLN1Yv9RANWpIsXWyvxTWIZHTuZEjNbHqFKpsefx/oY1b9cSzKR5fQ9vc32e17WykL0O7pwpzV6TrFN874GdmW5lG5zfqnRHUQh1aV2WwBJ74mB4tv/y5rmRjTe5h/rN90kN+eQGeR3eG7XUHLhK/yCV+xq8KKPxNZexcdHGA905rvYokbtmr/jIN5kAMBdlOU8akPAZdSMMh+g/RZo5MO50/gdg6MTpB4onU2FBd54FNDp2fuBUxBsnTqpZXkDcAPEfSBr+z2l8jTRmxMricWyeC55ILgxM4er68n0xYjwb2jyQum3IQq7TSYYU/qjNiH1fQBtdRmBkzXJYYk+9q7C6OZJUdR96ERnTIi93NaYmtpSEvZU9vS6MV1VBOnEf8UzUUT9ibMpP9XDSINX7dN24rKIufSY+3+70orQB07XOWp6++SWKgA+WThaoPhp8sWWMeSZuda/wq6jdVTAB8FOPiP3lNl0BqxagQEPmNxDWXwTplSFSR3SP0e4sHMSjLvysibV9Z87LZa1FG0cWU2hrhiyOLsIWMnd4vdTLaWjhXuGlrDShxSAiI39wsl5RB59E+DXVSTBQAoAkHCKGK69YiMKU9K8K/LeodApgw46oPL08EWvleKPCbdTyjKUADtxfAujR84GMEUz9Aml4Q497MfvABQOW6Hwg54Z3UbwLczDCOZyK1wIwZTyS9w3eTH/6EBeyzhtt4G2e/60jkywHOKn17wQgww2ZsDcukdsCMfo4FV0NzfhSER8BdL+hdLJS3R1F/Vf4aRBEuOuycv2AqB1ZqHhcjZh7yDv0RpBvn3+2rzfzmYIBlqL16d1aBnvL4C03I0J59AtXN9WlfJ8SlJhrduW/PF4pSCAQEyHGprP9hVhaXCOUuXCbjA2FI57NkxALQ2HpCVpXKGw0qO0rYxRYIRlKTl43VFcrSGJdVYOFUk0ZV3b+k+KoxLVSgBjIUWxio/tvVgUYDZsO3M3x0I+0r9xlWZSFFmhwdOFouD+Xy1NPTmgwlUXqZ4peyIE1oVntpcrTJuev2jNScXbU9PG8b589GM4Z09KS/fAyytTFKmUpBuTme969qu0eA7/kBSHAkKvbfj0hsrbkkF9y/rXi8xgcMXNgYayW8MHEhm506AyPIvJAreZL637/BENO1ABdWS1Enj/uGaLM1ED8UY94boh/lMhqa9jALgEOHHxspavexi3HIFwJ55s4ocQnjb4p6op4CRPUdPCfli5st9m3NtQoH9kT1FTRZa9sG8Ybhey5wP17YgPIg9ZZtvlvpSTwCwZxHZ348wXJWhbtId9DyOcIzsyK5HaJcRsp8SQVR5nbRW0pUyC/bFAtX1KOGJmtro/QfmnLG9ksuaZvxP6+bH1K+CibEFIRDllAUFFPiuT+2b3Yp3Tu1VvXokMAgmcB5iFDgTAglw5meJYJ99uIBmj0EVZm8snMhRrHjMPTAYD5kwPK/YDShPFFV3XEIFzLD3iYrzb7sub/Z4gTTELWzzS3bCpYPAh4KWeTih+p7Xj0Xf04nSONHZXsQnNenc+PNae+Zj5iCfJ/PpqhMn61n/YBP7gipYYEtOZYzDtvMz+mytYRUOaZTq3W4Wp64f+XVekn49CLarLm6qPyiz5kJwaT8lJ+VEZDPpS/ChLM4eq90GogJBvK0jxmQ1AGvnKpV2lw9XCudf3PXbaTb+r2QPcihKnmqcEgPgYlN8VLclicNW1WyjBJ+HvDTQPbs1r1/KnBK4O5HTT6ehuHpJsYlBN9vzjsD+ov6SRkBqiGPUg9CoKKmWS6dirxwOXi3OUFzkWFVDyDezfkJAzqkmG0nlEGb9mTHdVDfX010bPJ4ZQzQSyHp7Ht2mATyQwOEem2AMB/RpNwlOKXWIdsQ5p3dHF+kmsJHI8xjEv2GeUa/aXX3MF3fPfUA7La8J8fbnaDLbnEqMCLMfdfc9+kY7EKyqPiE5KFpF0EhQBrHl8SiPuFQCoxvlH2u+ujncW7Z5JiBmMKUWOXUHhIe4NckP1awRsEcfhEs664DqOp9CbLwTXk71hHVBtINylFcf7uBZwjxNW+hCfZEoVEjjs/V4J9QeXCxpTu5TcXxBxwN5zBdkCodNFPLUg+3UicaykaH0+wrGoTu/ugjF9rz7OezMMs3pep+bzLp+yZbFAL/z/yATY3UG+lpk6Rw4SkjbnAxBSedaEdqbotddkGzVQubHvHqCiKpkAw58rAa2v15hc+UmkrRFslS8SYxTIPXs2sTNhnCCrUn8nlKufeoAm65vgYtEQ4NzmG9tqKtTeBfZAvSToYaiQq+kPii1ssuu1OULAVuSx8x/CYO6orgX7h5wI0R/Ug1nux7cb2/+pFLbNyGvwKf1TLym2NvFMJpvFlTsOJJ4DxXM/v2JkC9umm93quXLsojx7KTEOFDQLsnMKsVo6ZzRQidEwK5gQPyZL1yjGirJcEuGMAEf6LA2AsKIIZhsMEPlLpzMiVo5Y0LoL6NFsXigceLaaJMEMuYNJJdh+uxyfW57+PoQ7V8KkzSHFsKan14GnpWeOV7r13uopwCPeIsEKUVG77ypd+ILQkbKxH2lQdsFyjpofqkbgEVM5XAnVbdhfwyebNHn5OJtadVkOMcJc/WMWJef1idcSfvP5ENkwp3pKg9Ljoi+hU2Chp1vTmksO2HJt0of4QnQ8jGlcqnOrAMiWUCd2W/8AmhRBjevt3UqxnqELVvg+HJPlyqFyuUlDxx25mXEdW0COpA3s9OlSgcMjvQbIJ42NUhGFZLoK1pvPLZo711w2Ex3Lm5qqcr/7I4+vTntd/Id5aJiP18LQpslTy614Wd4eD8+RfjEtmDAPXhgvfekVkS/rDnI/9H0k3AdHc78fJCJRPNwJrDTozzjxTvmVv9r4MtpoDELmnMxb3o7ZibUMxgptCTyDF+Q5m6T3GeD9G5ehgB3Tqsx3gcUGuDtP6KIqMGbj8YCFt8tjihDctYFAXj4AwPnIjMiI4T7skXwfrBLWCKfN1j5XrIn2paQgKln9hvaiRUpNpD3IXVyFl1WNrb21IcRinfkuCtrP2tTHqct6eSEh8sOzRkvZEArBQYD5paYyuNBcbVtsnl6PNE+DIcSIGvCVnzpMw1BeUExvQZoNdpHwhTQ3FSd1XN1nt0EWx6lve0Azl/zJBhj5hTdCd2RHdJWDtCZdOwWy/G+4dx3hEed0x6SoopOYdt5bq3lW+Ol0mbRzr1QJnuvt8FYjIfL8cIBqidkTpDjyh6V88yg1DNHDOBBqUz8IqOJ//vY0bmQMJp9gb+05UDW7u/Oe4gGIODQlswv534KF2DcaXW9OB7JQyl6f5+O8W6+zBYZ6DAL+J2vtf3CWKSZFomTwu65vrVaLRmTXIIBjQmZEUxWVeC4xN+4Cj5ORvO8GwzoePGDvqwKzrKoupSjqkL5eKqMpCLouOn8n/x5UWtHQS1NlKgMDFhRObzKMqQhS1S4mz84F3L492GFAlie0xRhywnF+FvAkm+ZIRO0UqM4IwvUXdlqTajjmUz2T0+eXKTKTR5UoNRgP51gdUMT5A4ggT5wU9WkRx7CR9KdWJwwcWzv2YrchoHIXBidQSk+f1ZSzqR7krKSOwFTVJUvEenU17qVaHoAf2he0dMgURJ8PM9JxnSr7p2pZeNPu/O5oPmLuOCmEPVRPSahJL7yj9PK5z3q57e5POIp/wXqFoniFdxRmtmpfZBxoKVlADkwRy34h8k6ZmgtqPTQfUUk/+yH2CAoQu+HyOtUnQof8vc1k4zs8nCTrCSjqvFPjU8mHtVHy1RY0qmK9t99ugXyAKaGON3PlseetIC8WCTt84nM5XGD3VQpbv139yhSPhp2Oiz0IiOsr+L9idVKSvfNSkdNq9aUC7963uAQNud8c4GuDmbENvZYvGNIMxxZhYA86n1RMNtGDZJs6/4hZTL18Kz1yCY9zbbSXTxWTmkaHJziHtgrEPoYpUeb85J229PDEX08yHOkj2HXVdnKKmEaHw3VkB4eM3PhGGdrw2CSUejSaqPQFLdhabcB2zdB4lj/AUnZvNaJc23nHHIauHnhhVrxh/KQ1H4YaYKT9ji/69BIfrTgvoGaPZC10pQKinBHEPMXoFrCd1RX1vutnXXcyT2KTBP4GG+Or0j6Sqxtp5WhxR0aJqIKM6LqMHtTooI0QhWbmSqDEBX/wRS70csVeJSrZ4dqRKit+hz8OalHA7At9e+7gSWTfHAwjl5JhtrltyAab/FII4yKQeZWG8j1fSFGHN+EbOrum2uWuVhxkUPy4coMu+yKY4GxlXfvP+yEVK5GrMECRmFBlySetJK3JOoQXiuLirlHUq+0u88QFMdAJ9+fIdU4+FxneqgW7qM7CHRE8jV4pPSWGFbGzxVZ9CWRWaYIw26VsC1qQJe1WmU7Mrp26IxmWHGwHvZ50uB0mjAHFCiln5QAvqTm2/fsY+Puk+Irt3LQbMwGVWPnb4eona2dSha+eMLOiAQkBvbaitsRqqrAVnndP7gHmO+nYZEKNx/740zTRrFBpOelrGdOa0/eV2mPhUQfozGooxoRADmT8fAcDXo0SsXCHzg9tBnmVMvInQ7+8nXfhcF/fEBjvW3gIWOmp2EWutHQ/sl73MieJWnP/n3DMk2HHcatoIZOMUzo4S4uztODHoSiOJDA1hVj7qADvKB37/OX0opnbii9o6W8naFkWG5Ie7+EWQZdo+xeVYpwGOzcNwDRrxbZpV3fTvWyWKToovncZq+TQj7c4Yhz6XDF0ffljN5hTm4ONwYViFNB4gTJlFxFX00wcWfwWah4uJs2Oa8dHPVT+7viagZiPrSDk/gythdY8glGm+F0DWlzQpWbgSI3ZbdiUQ+ox4GtLUtYgGIQFUvRYbuHqH6CXQ3SM6vkbhV/nAn6UDEWKXdJsO0u5q6UpXci7MlWDNLxoQ9dfGjSc28mX+q+4hkyho4u1XSMy9B6IdH304J7fuAQ88tTorT67AiqvqR6qnZ0icV+MMLh95moxFbrvch6sGAmMEixqeujmiZzBqBmNbzZVORiv9qcbe3CQ6X2i+9D8hMpaWj5jI0u+0wk3bRFK4uDn8T1mnD6l4TrJayf3cZI+duhKcabNj71i5w76S8RZSC6RX4ks0x+XIDc5v3223NmGvceYklbuOJtJa0/MBTOcSDKCM2kUXqPV2BlA9Za8WEO2UrdcyP+AXgM20af3thjlZvA494zdZ0mqjrsKp+VS2MVrBBtj+puSuSHJYf6bnA5/yjqQtbGvAp8hfXQURC53J5oD8rb9F7vQRqdfqpe6xd7DVd+wWZS86mWjyZYKXw312t8nM/gxo0pdvZ8F0x9y3xb9UBM2pZtdYvk3hPz6swhuE1N5j2u7nwtXuEDNcGCSfr+IempeFHFRqO8n8ikASEdKcq2XHGJwfc3lVXOQ5K4JlewcC7yQL1uNtL6iNKCtJmjJiH2PMmXrtpmCeTspFNZlwmiICyPWV9B5ce9H/qP1xjndBzFz0rn75SGDnWUhNZI/aYKNVyzkOleS5VSNxBx1hoiFuG8r+6ctYwF7XL94b95tXQ/+0V5dt0H1xVaOZ7QluoDtMSzuUjV4yUoQESa3zCfZwnW+b5SKndX5nx0GYrVxydMkUdfimZpX/fezcMiaAGwG/jgWF0zS+EL4T7gR8I5R3qUNTifKFJKJL1+AL8CgL+SRB1lgHDp2wQ7cqgqcmskAsT60qisL/UZGgmnlgZ8FkNhv0vAMkzIsz7o6cuLo15hZnrsZveIo+mZKY2cMJjJb4ZlJLcE+YcnpiM84OYjypa9lA7kv4XJaDX9oirhsl9IO/ImbFgYpR73y+xSolXYdDKfZjf/8NR7vE8fu+LYXGoZHO/hxousED6y3sCo/ItECYHWYIui+V5SmAoEvVV8FY8fFMYIc+Llc2CoX5HQISfUAtLu+fGNNV0muidXnBdtnJo25UEqxwvoENdI1lGPhlrXY6/h4kIT5djmsxxSG/EgG/4fPnrThgF9/fbG8n/3LweXvQOGjX0F1Ngt5wuMIWRQk5vtLdvv2M+BNwthHZ7xzIU7zqSVvngVPwgcsTr2d5pTVOxauT1K6ffiBF04jVZEcna+NXhJM5EcRHNuT/iOb0ncn1yuKU8JJnztEzMDjO1qCmaBTyWBR7nQS6K+nfstd/AnBWyGeC5Yi3wlvZAVMpc0m7I7McXb+rXiHM0mHoq0Z/2HOki5LP2cBuIkk84tJ3SRZwWnocrz4aTEIOmwftqMATy5Ur0KRxoUSFNMJYyc1iOfjk3H2JjgecWlQdYHcIEjxGDGeo4S9EKTRokMGNUN2nTj3SO2nHoWbx9WhGe6uB3OgDENGL9aNoPnYKXs4WcobctMxQjjBWa/zpCFwP8nr78xIFfy/64ZtsFBrxSrEHxeXiPa2Kpv456aQ9kDQjJt9XrWKe+JBawtpPUYHmWkUb3Gznp3tC2LbowvJlEe/17srb5yi+sUHEF1z/8Uk4eVYcUUXzyq3YEuqumIBIYqO8J3K5Us7tEXyzhHH8TMLNSQxmDi/w5oYccIwNFMM1+xRTsyjHHtB/rHYJjPW/50Xxb0CZF84NqotCcgIMrR4nUiPnAPd8ZvHeB/235gS1NtzBWtfcDmP8khibSQpY3JW+fdY/9W6iGlPyPIwOgH06fJayaT44sPFIm+QGIkPKSAJOFDeJNG8oc6SAqrYSfCffYfOAx3IsjSdnxQy9JAcS0HxjWnEO3rgSh7bNEecO3f4hb3TRNlczdzhfrwgxUZ0rURI3LfMCpGntF+8NrhtB7RT8sEOaa4NM13T7LWjykRQJFYKNZY0siPBP2WJxjBqL0KynlTPhAcfFyiLZbAhe7YC0XmYo8iJQqdzJQwBK9iOoDkg1XuGy7+Kfe0scamvHN2Z85umcPSiPEQRP3zAWcP5kRNDath7DKrBfQtvOJvEHiihE+qiASrCZep+m7jTD261U9vQGAnR4xBY08ChSh8XItWHvDHARN+GP08h9u6nlJ3rpOoVn9y22NNgx7bOe6QIYe9f6iYbbAzLR1/7AP1A4CQwFi39eZI9BZteze5eas+6JR2s1LqH9tncOmWAhXjE8p3hOtplh/tMbrx+pySNX4BKfZva54zccIa+e59NUifTRsq27AwAtcxg2Bk1Tu7B+LT9Yw2K8tRH6XTcGlvqDM4sYjNBqzh3yAga5iro706tg/Qaa50eln8rjISularEHlfaggogjvd+wNLg44Rj8pMr25+xxS0e9KoEGon5SutuhJ/HBGnEj3+4qNxHu27nkAmZIADiF+Jh53osDuA1fsUnRXf2lJABa30KDkG8E/eci+TkESrdfsPMo6yhWoyjtjYdJbGkjtsQCMW5DOSNYDH0FqDiiVU0nBLJ4+A4ep6aWTrv6w/ozuO4educ7x9IBpGmEY30rsXWwiGJbLGyIo+6qz6J5JBKdjNBsDO7RRweDNMp8ospaGNQSa4NKAHTG8BsGqJSP8oebpVqYpgPS1TiBWnYZKQSRJ5NFs+ULpdICekxevVXAH8uh+De9GT7KsJJzg0CFjALDbC0YrbmCigspJAh2455I6/xyWbPXCYMXwBzbioMgWcNhQBJJ6oIoQ7shwf2TP0Z+X/3NoMpWHmGpoV/JZind8lb9lcxoI44uf37+xc03O1R1bNucf0F5ljrgj2sZlGz/591EJen5GZhrT6qSTIcMu+xIyxyA/zzhy0jjkVfkDKfQ8mE9AmVtbbzHAQNy2PhDIeu7ngoFN635tSOJLR2c6pC/m6n50slFbo0oeHbbiGHyxDk7q3zXHWoHzeF1k4iVdHumYg/nwZOuRzms6rvkmwkJv59Z1p05jxA+Y0yHvDeq1WR8PfS/esm3RHfP3fM+zTlj9ZBJfzvn4OL+IIHRQ5l8pGKAeRL58OjeaU5QU98lAKHydOPDGBalsEHyIKD6iy3RZ65qIm956zQd98htZ1Vgkd7LVC7LSnLb9jRbqS1vHN7lR6bQMmXtQBYSA/+ZW2RQqSo7sToVh+Pxl3EVmsgyO8dXPL4biz7XM8eVz7CqHkrQUinnr79HJWC6Uk19cBurOD6PeOqNYy08Og/A0hbHOgN3dKmVRAPf7itK6x0eb5F70T2zVqG12GHVZieXwIcp/vahuFvriHLJtuM04laiRWNXSiL2MPHQ8e9rr8NIlWDm9uev55FI9zZxwFUPBSewawPe5vkqRLfwZCYd5mZoxtBhNBWvY3ZOVD/21dIUlQanG1n6RygbmAwCHnIB4c7EH2CBYEMDToRQuAuIssviIfdaJglwDgHbLWKNUVDOdqeclBNZjfQfVXbVukPk8DfWLqj9pD4xAOzDeVQcdmg2aLvNKgpZsWs4d+6GlKrpS7qEGvoBkIFh/cVY7DMYrt/JXYuF6DpwB+HbfnuDFc2p47SPNhnmt/ez6/DACBPQ+tgpyWYXUsiviGSp72JNTzd8uFJJZNeKUJZw1c0UTjxdwigh5tL/hWhPl48DY937zymSr1xVqC3RV6wSIpuplH+hss/rsRPAp1/TfxvhJuFsoPbW0586y9YzqEHT4FUu6WSRy0gMJLP2sLqiiZXZ6kPicXsW7M55mV3ugbGQjB7YS7EVqsQzvJTiQbOlcPqwoKK7DTqaeCOXd8kH1tNoe7hjx/UNNdLQQ7IhrJIzxqTTgwcXYMCxhoezDsIHReTIymsHPkCurfteTQcbfwoKN5E9zC2hINOPmhAxLvONzaLXQGMqofuTbFshkB4eUj8U4vBCNp+60iCLnibt4rPuyoWKEHWBYa6FfIykxVKuXkfcb64dCdGCWjv7x1XqkbpHxQB80qhipoSo244pyhIsN91ASu1Q7L75LxGXibY3jb0Y4KZ5zIWsH4kVlvPhangohDO1J9gmL9inGr9hy5BHTQiMcktGoUgOIbFJ72381vYpPxn3ngBbp48mVZd0w6xV8RBaqR3l7CxI9vvMAPYPoXBB18ERoZypza8mAlzv2QxIkNGuRzFENh1SXegBfN7eiazZnwnhbyeMghJpnXzfvHACyjkdH3shRYcJ+oMiOSpInGxm/hxFQxHJZA0Ft/lza</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>"
-	test.Key = mustParsePrivateKey("-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi\n3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E\nPsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB\nAoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ\nCT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS\nJEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU\nN3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/\nfbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU\n4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM\nRq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA\nyfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr\nvBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6\nhU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==\n-----END RSA PRIVATE KEY-----\n").(*rsa.PrivateKey)
-	test.Certificate = mustParseCertificate("-----BEGIN CERTIFICATE-----\nMIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV\nUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0\nMB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx\nCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB\nnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9\nibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH\nO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv\nRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk\nakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT\nQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn\nOwJlNCASPZRH/JmF8tX0hoHuAQ==\n-----END CERTIFICATE-----\n")
-	test.IDPMetadata = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:mdalg=\"urn:oasis:names:tc:SAML:metadata:algsupport\" xmlns:mdui=\"urn:oasis:names:tc:SAML:metadata:ui\" xmlns:shibmd=\"urn:mace:shibboleth:metadata:1.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" Name=\"urn:mace:shibboleth:testshib:two\" entityID=\"https://idp.testshib.org/idp/shibboleth\">\n\t<Extensions>\n\t\t<mdalg:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha512\" />\n\t\t<mdalg:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#sha384\" />\n\t\t<mdalg:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\" />\n\t\t<mdalg:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />\n\t\t<mdalg:SigningMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512\" />\n\t\t<mdalg:SigningMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha384\" />\n\t\t<mdalg:SigningMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\" />\n\t\t<mdalg:SigningMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />\n\t</Extensions>\n\t<IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol\">\n\t\t<Extensions>\n\t\t\t<shibmd:Scope regexp=\"false\">testshib.org</shibmd:Scope>\n\t\t\t<mdui:UIInfo>\n\t\t\t\t<mdui:DisplayName xml:lang=\"en\">TestShib Test IdP</mdui:DisplayName>\n\t\t\t\t<mdui:Description xml:lang=\"en\">TestShib IdP. Use this as a source of attributes\n                        for your test SP.</mdui:Description>\n\t\t\t\t<mdui:Logo height=\"88\" width=\"253\">https://www.testshib.org/testshibtwo.jpg</mdui:Logo>\n\t\t\t</mdui:UIInfo>\n\t\t</Extensions>\n\t\t<KeyDescriptor>\n\t\t\t<ds:KeyInfo>\n\t\t\t\t<ds:X509Data>\n\t\t\t\t\t<ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV\n                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD\n                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4\n                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI\n                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl\n                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B\n                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C\n                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe\n                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT\n                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614\n                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH\n                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G\n                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86\n                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl\n                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo\n                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN\n                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL\n                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo\n                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4\n                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj\n                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr\n                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate>\n\t\t\t\t</ds:X509Data>\n\t\t\t</ds:KeyInfo>\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-1_5\" />\n\t\t</KeyDescriptor>\n\t\t<ArtifactResolutionService Binding=\"urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding\" Location=\"https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution\" index=\"1\" />\n\t\t<ArtifactResolutionService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution\" index=\"2\" />\n\t\t<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>\n\t\t<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n\t\t<SingleSignOnService Binding=\"urn:mace:shibboleth:1.0:profiles:AuthnRequest\" Location=\"https://idp.testshib.org/idp/profile/Shibboleth/SSO\" />\n\t\t<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://idp.testshib.org/idp/profile/SAML2/POST/SSO\" />\n\t\t<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO\" />\n\t\t<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP\" />\n\t</IDPSSODescriptor>\n\t<AttributeAuthorityDescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol\">\n\t\t<KeyDescriptor>\n\t\t\t<ds:KeyInfo>\n\t\t\t\t<ds:X509Data>\n\t\t\t\t\t<ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV\n                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD\n                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4\n                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI\n                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl\n                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B\n                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C\n                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe\n                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT\n                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614\n                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH\n                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G\n                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86\n                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl\n                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo\n                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN\n                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL\n                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo\n                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4\n                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj\n                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr\n                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate>\n\t\t\t\t</ds:X509Data>\n\t\t\t</ds:KeyInfo>\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" />\n\t\t\t<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-1_5\" />\n\t\t</KeyDescriptor>\n\t\t<AttributeService Binding=\"urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding\" Location=\"https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/AttributeQuery\" />\n\t\t<AttributeService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery\" />\n\t\t<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>\n\t\t<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n\t</AttributeAuthorityDescriptor>\n\t<Organization>\n\t\t<OrganizationName xml:lang=\"en\">TestShib Two Identity Provider</OrganizationName>\n\t\t<OrganizationDisplayName xml:lang=\"en\">TestShib Two</OrganizationDisplayName>\n\t\t<OrganizationURL xml:lang=\"en\">http://www.testshib.org/testshib-two/</OrganizationURL>\n\t</Organization>\n\t<ContactPerson contactType=\"technical\">\n\t\t<GivenName>Nate</GivenName>\n\t\t<SurName>Klingenstein</SurName>\n\t\t<EmailAddress>ndk@internet2.edu</EmailAddress>\n\t</ContactPerson>\n</EntityDescriptor>"
+	test := ServiceProviderTest{}
+	test.AuthnRequest = golden.Get(t, "SP_AuthnRequest")
+	test.SamlResponse = golden.Get(t, "SP_SamlResponse")
+	test.Key = mustParsePrivateKey(golden.Get(t, "sp_key.pem")).(*rsa.PrivateKey)
+	test.Certificate = mustParseCertificate(golden.Get(t, "sp_cert.pem"))
+	test.IDPMetadata = golden.Get(t, "SP_IDPMetadata")
+	return &test
 }
 
-func (test *ServiceProviderTest) TestCanSetAuthenticationNameIDFormat(c *C) {
+func TestSPCanSetAuthenticationNameIDFormat(t *testing.T) {
+	test := NewServiceProviderTest(t)
+
 	s := ServiceProvider{
 		Key:         test.Key,
 		Certificate: test.Certificate,
@@ -77,70 +80,101 @@ func (test *ServiceProviderTest) TestCanSetAuthenticationNameIDFormat(c *C) {
 	}
 
 	// defaults to "transient"
-	req, err := s.MakeAuthenticationRequest("")
-	c.Assert(err, IsNil)
-	c.Assert(*req.NameIDPolicy.Format, Equals, string(TransientNameIDFormat))
+	req, err := s.MakeAuthenticationRequest("", HTTPRedirectBinding)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(TransientNameIDFormat), *req.NameIDPolicy.Format))
 
 	// explicitly set to "transient"
 	s.AuthnNameIDFormat = TransientNameIDFormat
-	req, err = s.MakeAuthenticationRequest("")
-	c.Assert(err, IsNil)
-	c.Assert(*req.NameIDPolicy.Format, Equals, string(TransientNameIDFormat))
+	req, err = s.MakeAuthenticationRequest("", HTTPRedirectBinding)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(TransientNameIDFormat), *req.NameIDPolicy.Format))
 
 	// explicitly set to "unspecified"
 	s.AuthnNameIDFormat = UnspecifiedNameIDFormat
-	req, err = s.MakeAuthenticationRequest("")
-	c.Assert(err, IsNil)
-	c.Assert(*req.NameIDPolicy.Format, Equals, "")
+	req, err = s.MakeAuthenticationRequest("", HTTPRedirectBinding)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("", *req.NameIDPolicy.Format))
 
 	// explicitly set to "emailAddress"
 	s.AuthnNameIDFormat = EmailAddressNameIDFormat
-	req, err = s.MakeAuthenticationRequest("")
-	c.Assert(err, IsNil)
-	c.Assert(*req.NameIDPolicy.Format, Equals, string(EmailAddressNameIDFormat))
+	req, err = s.MakeAuthenticationRequest("", HTTPRedirectBinding)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(EmailAddressNameIDFormat), *req.NameIDPolicy.Format))
 }
 
-func (test *ServiceProviderTest) TestCanProduceMetadata(c *C) {
-	c.Skip("broken")
+func TestSPCanProduceMetadataWithEncryptionCert(t *testing.T) {
+	test := NewServiceProviderTest(t)
 	s := ServiceProvider{
-		Key:         test.Key,
-		Certificate: test.Certificate,
+		Key:                   test.Key,
+		Certificate:           test.Certificate,
+		MetadataURL:           mustParseURL("https://example.com/saml2/metadata"),
+		AcsURL:                mustParseURL("https://example.com/saml2/acs"),
+		SloURL:                mustParseURL("https://example.com/saml2/slo"),
+		MetadataValidDuration: DefaultValidDuration,
+		IDPMetadata:           &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	spMetadata, err := xml.MarshalIndent(s.Metadata(), "", "  ")
+	assert.Check(t, err)
+	golden.Assert(t, string(spMetadata), t.Name()+"_metadata")
+}
+
+func TestSPCanProduceMetadataWithBothCerts(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	s := ServiceProvider{
+		Key:             test.Key,
+		Certificate:     test.Certificate,
+		MetadataURL:     mustParseURL("https://example.com/saml2/metadata"),
+		AcsURL:          mustParseURL("https://example.com/saml2/acs"),
+		SloURL:          mustParseURL("https://example.com/saml2/slo"),
+		IDPMetadata:     &EntityDescriptor{},
+		SignatureMethod: "not-empty",
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	spMetadata, err := xml.MarshalIndent(s.Metadata(), "", "  ")
+	assert.Check(t, err)
+	golden.Assert(t, string(spMetadata), t.Name()+"_metadata")
+
+}
+
+func TestCanProduceMetadataNoCerts(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	s := ServiceProvider{
+		MetadataURL: mustParseURL("https://example.com/saml2/metadata"),
+		AcsURL:      mustParseURL("https://example.com/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	spMetadata, err := xml.MarshalIndent(s.Metadata(), "", "  ")
+	assert.Check(t, err)
+	golden.Assert(t, string(spMetadata), t.Name()+"_metadata")
+}
+
+func TestCanProduceMetadataEntityID(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	s := ServiceProvider{
+		EntityID:    "spn:11111111-2222-3333-4444-555555555555",
 		MetadataURL: mustParseURL("https://example.com/saml2/metadata"),
 		AcsURL:      mustParseURL("https://example.com/saml2/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	spMetadata, err := xml.MarshalIndent(s.Metadata(), "", "  ")
-	c.Assert(err, IsNil)
-	c.Assert(string(spMetadata), DeepEquals, ""+
-		"<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2015-12-03T01:57:09Z\" entityID=\"https://example.com/saml2/metadata\">\n"+
-		"  <SPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"0001-01-01T00:00:00Z\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\" AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\">\n"+
-		"    <KeyDescriptor use=\"signing\">\n"+
-		"      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"+
-		"        <X509Data>\n"+
-		"          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>\n"+
-		"        </X509Data>\n"+
-		"      </KeyInfo>\n"+
-		"    </KeyDescriptor>\n"+
-		"    <KeyDescriptor use=\"encryption\">\n"+
-		"      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"+
-		"        <X509Data>\n"+
-		"          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>\n"+
-		"        </X509Data>\n"+
-		"      </KeyInfo>\n"+
-		"      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod>\n"+
-		"      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod>\n"+
-		"      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod>\n"+
-		"      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod>\n"+
-		"    </KeyDescriptor>\n"+
-		"    <AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://example.com/saml2/acs\" index=\"1\"></AssertionConsumerService>\n"+
-		"  </SPSSODescriptor>\n"+
-		"</EntityDescriptor>")
-}
-
-func (test *ServiceProviderTest) TestCanProduceRedirectRequest(c *C) {
+	assert.Check(t, err)
+	golden.Assert(t, string(spMetadata), t.Name()+"_metadata")
+}
+
+func TestSPCanProduceRedirectRequest(t *testing.T) {
+	test := NewServiceProviderTest(t)
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05.999999999 UTC 2006", "Mon Dec 1 01:31:21.123456789 UTC 2015")
 		return rv
@@ -153,20 +187,23 @@ func (test *ServiceProviderTest) TestCanProduceRedirectRequest(c *C) {
 		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	redirectURL, err := s.MakeRedirectAuthenticationRequest("relayState")
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	c.Assert(err, IsNil)
-	c.Assert(redirectURL.Host, Equals, "idp.testshib.org")
-	c.Assert(redirectURL.Path, Equals, "/idp/profile/SAML2/Redirect/SSO")
-	c.Assert(string(decodedRequest), Equals, "<samlp:AuthnRequest xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" Version=\"2.0\" IssueInstant=\"2015-12-01T01:31:21.123Z\" Destination=\"https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO\" AssertionConsumerServiceURL=\"https://15661444.ngrok.io/saml2/acs\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/></samlp:AuthnRequest>")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("idp.testshib.org",
+		redirectURL.Host))
+	assert.Check(t, is.Equal("/idp/profile/SAML2/Redirect/SSO",
+		redirectURL.Path))
+	golden.Assert(t, string(decodedRequest), t.Name()+"_decoded_request")
 }
 
-func (test *ServiceProviderTest) TestCanProducePostRequest(c *C) {
+func TestSPCanProducePostRequest(t *testing.T) {
+	test := NewServiceProviderTest(t)
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Mon Dec 1 01:31:21 UTC 2015")
 		return rv
@@ -178,71 +215,209 @@ func (test *ServiceProviderTest) TestCanProducePostRequest(c *C) {
 		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	form, err := s.MakePostAuthenticationRequest("relayState")
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
+	golden.Assert(t, string(form), t.Name()+"_form")
+}
+
+func TestSPCanProduceSignedRequestRedirectBinding(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05.999999999 UTC 2006", "Mon Dec 1 01:31:21.123456789 UTC 2015")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+	s := ServiceProvider{
+		Key:             test.Key,
+		Certificate:     test.Certificate,
+		MetadataURL:     mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:          mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata:     &EntityDescriptor{},
+		SignatureMethod: dsig.RSASHA1SignatureMethod,
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	redirectURL, err := s.MakeRedirectAuthenticationRequest("relayState")
+	assert.Check(t, err)
+	// Signature we check against in the query string was validated with
+	// https://www.samltool.com/validate_authn_req.php . Once we add
+	// support for validating signed AuthN requests in the IDP implementation
+	// we can switch to testing using that.
+	golden.Assert(t, redirectURL.RawQuery, t.Name()+"_queryString")
+
+	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("idp.testshib.org",
+		redirectURL.Host))
+	assert.Check(t, is.Equal("/idp/profile/SAML2/Redirect/SSO",
+		redirectURL.Path))
+	// Contains no enveloped signature
+	golden.Assert(t, string(decodedRequest), t.Name()+"_decodedRequest")
+}
+
+func TestSPCanProduceSignedRequestPostBinding(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05.999999999 UTC 2006", "Mon Dec 1 01:31:21.123456789 UTC 2015")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+	s := ServiceProvider{
+		Key:             test.Key,
+		Certificate:     test.Certificate,
+		MetadataURL:     mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:          mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata:     &EntityDescriptor{},
+		SignatureMethod: dsig.RSASHA1SignatureMethod,
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	htmlForm, err := s.MakePostAuthenticationRequest("relayState")
+	assert.Check(t, err)
+	rgx := regexp.MustCompile(`\"SAMLRequest\" value=\"(.*?)\" /><input`)
+	rs := rgx.FindStringSubmatch(string(htmlForm))
+	assert.Check(t, len(rs) == 2)
+
+	decodedRequest, err := base64.StdEncoding.DecodeString(html.UnescapeString(rs[1]))
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedRequest), t.Name()+"_decodedRequest")
+}
+
+func TestSPFailToProduceSignedRequestWithBogusSignatureMethod(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05.999999999 UTC 2006", "Mon Dec 1 01:31:21.123456789 UTC 2015")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+	s := ServiceProvider{
+		Key:             test.Key,
+		Certificate:     test.Certificate,
+		MetadataURL:     mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:          mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata:     &EntityDescriptor{},
+		SignatureMethod: "bogus",
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	_, err = s.MakeRedirectAuthenticationRequest("relayState")
+	assert.Check(t, is.ErrorContains(err, ""), "invalid signing method bogus")
+}
+
+func TestSPCanProducePostLogoutRequest(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Mon Dec 1 01:31:21 UTC 2015")
+		return rv
+	}
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	form, err := s.MakePostLogoutRequest("ros@octolabs.io", "relayState")
+	assert.Check(t, err)
+	golden.Assert(t, string(form), t.Name()+"_form")
+}
+
+func TestSPCanProduceRedirectLogoutRequest(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05.999999999 UTC 2006", "Mon Dec 1 01:31:21.123456789 UTC 2015")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	redirectURL, err := s.MakeRedirectLogoutRequest("ross@octolabs.io", "relayState")
+	assert.Check(t, err)
+
+	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("idp.testshib.org",
+		redirectURL.Host))
+	assert.Check(t, is.Equal("/idp/profile/SAML2/Redirect/SLO",
+		redirectURL.Path))
+	golden.Assert(t, string(decodedRequest), t.Name()+"_decodedRequest")
+}
+
+func TestSPCanProducePostLogoutResponse(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Mon Dec 1 01:31:21 UTC 2015")
+		return rv
+	}
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	form, err := s.MakePostLogoutResponse("id-d40c15c104b52691eccf0a2a5c8a15595be75423", "relayState")
+	assert.Check(t, err)
+	golden.Assert(t, string(form), t.Name()+"_form")
+}
+
+func TestSPCanProduceRedirectLogoutResponse(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05.999999999 UTC 2006", "Mon Dec 1 01:31:21.123456789 UTC 2015")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
-	c.Assert(string(form), Equals, ``+
-		`<form method="post" action="https://idp.testshib.org/idp/profile/SAML2/POST/SSO" id="SAMLRequestForm">`+
-		`<input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iaWQtMDAwMjA0MDYwODBhMGMwZTEwMTIxNDE2MTgxYTFjMWUyMDIyMjQyNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTItMDFUMDE6MzE6MjFaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9pZHAudGVzdHNoaWIub3JnL2lkcC9wcm9maWxlL1NBTUwyL1BPU1QvU1NPIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vMTU2NjE0NDQubmdyb2suaW8vc2FtbDIvYWNzIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiPjxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI&#43;aHR0cHM6Ly8xNTY2MTQ0NC5uZ3Jvay5pby9zYW1sMi9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI&#43;PHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgQWxsb3dDcmVhdGU9InRydWUiLz48L3NhbWxwOkF1dGhuUmVxdWVzdD4=" />`+
-		`<input type="hidden" name="RelayState" value="relayState" />`+
-		`<input id="SAMLSubmitButton" type="submit" value="Submit" /></form>`+
-		`<script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";</script>`+
-		`<script>document.getElementById('SAMLRequestForm').submit();</script>`)
+	redirectURL, err := s.MakeRedirectLogoutResponse("id-d40c15c104b52691eccf0a2a5c8a15595be75423", "relayState")
+	assert.Check(t, err)
+
+	decodedResponse, err := testsaml.ParseRedirectResponse(redirectURL)
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedResponse), t.Name()+"_decodedResponse")
 }
 
-func (test *ServiceProviderTest) TestCanHandleOneloginResponse(c *C) {
+func TestSPCanHandleOneloginResponse(t *testing.T) {
+	test := NewServiceProviderTest(t)
 	// An actual response from onelogin
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Tue Jan 5 17:53:12 UTC 2016")
 		return rv
 	}
 	Clock = dsig.NewFakeClockAt(TimeNow())
-	SamlResponse := `PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJwZnhlZDg4YzQzZC02NTA0LWUxZjEtNWFmMC00MGJlN2YyNzlmYzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjExWiIgRGVzdGluYXRpb249Imh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9hY3MiIEluUmVzcG9uc2VUbz0iaWQtZDQwYzE1YzEwNGI1MjY5MWVjY2YwYTJhNWM4YTE1NTk1YmU3NTQyMyI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzUwMzk4Mzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhlZDg4YzQzZC02NTA0LWUxZjEtNWFmMC00MGJlN2YyNzlmYzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlNWQWFRZzh2bW1TUUw2L1lCbVMyeWRLUlA3ST08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+c0JlVFZQMGJab1BSK2JmeUFrVnY2STNDVjdZOFhxbkoycjhmMStXbXIyZ0ZnblJGODVOdnZTUCtyMUJvN250dU9zd080ZkI0Uks0SHlTYnlsZzRiS0hLSDE5WDkxaFZBekpTeXNmbVMvZDV3ZzFDZmlXV3Q1UzJIQTUwOHRoWHVabndHM1h6NktuV0s4a1JkeDFkYytZUldnYUZ5ZDRnTEc5YUJUc1hPWjd2eC83UDRicnpORW00d1A5LzB0dWZ4Rytuc1k2RHB3bkVHQ2psK1ZVS3BnekVxd05OalFxWUZZU0FYRWsrVnQrWDNjMmQwSElyWlF2WW5OaDAyS3h1d1ZCVGhuM01helFOYU54Qy9zeWYza0RRQ1JyWkNZbytZdER1ZHpKVTlwM0EwWVhIVFFjc2RldHNIWlhDTWozbXV2emMwbUVCbHc0TGJjaEttbmJ5Wm1nPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUVDRENDQXZDZ0F3SUJBZ0lVWHVuMDhDc2xMUldTTHFObkRFMU50R0plZmwwd0RRWUpLb1pJaHZjTkFRRUZCUUF3VXpFTE1Ba0dBMVVFQmhNQ1ZWTXhEREFLQmdOVkJBb01BMk4wZFRFVk1CTUdBMVVFQ3d3TVQyNWxURzluYVc0Z1NXUlFNUjh3SFFZRFZRUUREQlpQYm1WTWIyZHBiaUJCWTJOdmRXNTBJRE15TmpFME1CNFhEVEV6TURrek1ERTVNelUwTkZvWERURTRNVEF3TVRFNU16VTBORm93VXpFTE1Ba0dBMVVFQmhNQ1ZWTXhEREFLQmdOVkJBb01BMk4wZFRFVk1CTUdBMVVFQ3d3TVQyNWxURzluYVc0Z1NXUlFNUjh3SFFZRFZRUUREQlpQYm1WTWIyZHBiaUJCWTJOdmRXNTBJRE15TmpFME1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBME9HOFY4bWhvdmtqNHJoR2hqcmJFeFJZYnpLVjJaeGZ2R2ZFR1hHVXZYYzZEcWVqWUVkaFoybUlmQ0RvamhRamswQnl3aWlyQUtNT3QxR051SDdhV0lFNDdEMGV3dEs1eWxFQW03ZVZtb1k0a3hMQ2FXNXdZckMxU3pNbnBlaXRVeHF2c2JuS3ozalVLWUhSZ2dwZnZWajRzaUhEWmVJWmE5YTVyVXZwTW5uYk9vRmlaQ0lFTnBxM1RDMzNpdk9TWmhFTlJUem12bms1R0RvTEh3LzhxQWdRaXlUM0QxeENrU0JiNTRQSGdrUTVScTFvZExNL2hKK0wwanpDVVFINGd4cFdsRUFhYjRLOXM4ZnBCVUJCaDVnbUpDWWk4VWJJbGhxTzhOMm15bnVtMzNCVS92SjNQbmF3VDRZWWtUd1JVeDZZKzNmcG1SQkhxbDRoODNTTWV3SURBUUFCbzRIVE1JSFFNQXdHQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZPZkZGakhGajlhNnhwbmdiMTFycmhnTWU5QXJNSUdRQmdOVkhTTUVnWWd3Z1lXQUZPZkZGakhGajlhNnhwbmdiMTFycmhnTWU5QXJvVmVrVlRCVE1Rc3dDUVlEVlFRR0V3SlZVekVNTUFvR0ExVUVDZ3dEWTNSMU1SVXdFd1lEVlFRTERBeFBibVZNYjJkcGJpQkpaRkF4SHpBZEJnTlZCQU1NRms5dVpVeHZaMmx1SUVGalkyOTFiblFnTXpJMk1UU0NGRjdwOVBBckpTMFZraTZqWnd4TlRiUmlYbjVkTUE0R0ExVWREd0VCL3dRRUF3SUhnREFOQmdrcWhraUc5dzBCQVFVRkFBT0NBUUVBTWdsbjROUE1RbjhHeXZxOENUUCtjMmU2Q1V6Y3ZSRUtuVGhqeFQ5V2N2VjFaVlhNQk5QbTRjVHFUMzYxRWRMelk1eVdMVVdYZDRBdkZuY2lxQjNNSFlhMm5xVG1udkxnbWhrV2UraGRGb05lNStJQThBeEduK25xVUlTbXlCZUN4dVVVQWJSTXVvd2lBcndISXB6cEV5UklZZFNaUk5GMGR2Z2lQWXlyL01pUFhJY3pwSDVuTGt2YkxwY0FGK1I4Wmg5bndZMGcxSlZ5YzZBQjZqN1lleHVVUVpwSEg0czBWZHgvbldtcmNGZUxaS0NUeGNhaEh2VTUwZTF5S1g1dGhmVmFKcUk4UVE3eFp4eXUwVFRzaWFYMHV3NTFKUE96UHVBUHBoMHo2eG9TOW9ZeHV6WjF5OXNOSEg2a0g4R0ZudlMyTXF5SGlOejBoMFNxL3E2bit3PT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBWZXJzaW9uPSIyLjAiIElEPSJBZDk0NWFlZGEzOGE1MDhmOGZhYzliYzk2MTNkNTk2NDJjMGQyZDhjYiIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjExWiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzUwMzk4Mzwvc2FtbDpJc3N1ZXI+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnJvc3NAa25kci5vcmc8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTYtMDEtMDVUMTc6NTY6MTFaIiBSZWNpcGllbnQ9Imh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9hY3MiIEluUmVzcG9uc2VUbz0iaWQtZDQwYzE1YzEwNGI1MjY5MWVjY2YwYTJhNWM4YTE1NTk1YmU3NTQyMyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTAxLTA1VDE3OjUwOjExWiIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjU2OjExWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovLzI5ZWU2ZDJlLm5ncm9rLmlvL3NhbWwvbWV0YWRhdGE8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjEwWiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxNi0wMS0wNlQxNzo1MzoxMVoiIFNlc3Npb25JbmRleD0iX2ViZGNiZTgwLTk1ZmYtMDEzMy1kODcxLTM4Y2EzYTY2MmYxYyI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyIgTmFtZT0iVXNlci5lbWFpbCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+cm9zc0BrbmRyLm9yZzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBOYW1lPSJtZW1iZXJPZiI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9IlVzZXIuTGFzdE5hbWUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPktpbmRlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBOYW1lPSJQZXJzb25JbW11dGFibGVJRCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9IlVzZXIuRmlyc3ROYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5Sb3NzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+Cgo=`
-	test.IDPMetadata = `<?xml version="1.0"?>
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/503983">
-  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <KeyDescriptor use="signing">
-      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:X509Data>
-          <ds:X509Certificate>MIIECDCCAvCgAwIBAgIUXun08CslLRWSLqNnDE1NtGJefl0wDQYJKoZIhvcNAQEF
-BQAwUzELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA2N0dTEVMBMGA1UECwwMT25lTG9n
-aW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDMyNjE0MB4XDTEzMDkz
-MDE5MzU0NFoXDTE4MTAwMTE5MzU0NFowUzELMAkGA1UEBhMCVVMxDDAKBgNVBAoM
-A2N0dTEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBB
-Y2NvdW50IDMyNjE0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0OG8
-V8mhovkj4rhGhjrbExRYbzKV2ZxfvGfEGXGUvXc6DqejYEdhZ2mIfCDojhQjk0By
-wiirAKMOt1GNuH7aWIE47D0ewtK5ylEAm7eVmoY4kxLCaW5wYrC1SzMnpeitUxqv
-sbnKz3jUKYHRggpfvVj4siHDZeIZa9a5rUvpMnnbOoFiZCIENpq3TC33ivOSZhEN
-RTzmvnk5GDoLHw/8qAgQiyT3D1xCkSBb54PHgkQ5Rq1odLM/hJ+L0jzCUQH4gxpW
-lEAab4K9s8fpBUBBh5gmJCYi8UbIlhqO8N2mynum33BU/vJ3PnawT4YYkTwRUx6Y
-+3fpmRBHql4h83SMewIDAQABo4HTMIHQMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
-FOfFFjHFj9a6xpngb11rrhgMe9ArMIGQBgNVHSMEgYgwgYWAFOfFFjHFj9a6xpng
-b11rrhgMe9AroVekVTBTMQswCQYDVQQGEwJVUzEMMAoGA1UECgwDY3R1MRUwEwYD
-VQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgMzI2
-MTSCFF7p9PArJS0Vki6jZwxNTbRiXn5dMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG
-9w0BAQUFAAOCAQEAMgln4NPMQn8Gyvq8CTP+c2e6CUzcvREKnThjxT9WcvV1ZVXM
-BNPm4cTqT361EdLzY5yWLUWXd4AvFnciqB3MHYa2nqTmnvLgmhkWe+hdFoNe5+IA
-8AxGn+nqUISmyBeCxuUUAbRMuowiArwHIpzpEyRIYdSZRNF0dvgiPYyr/MiPXIcz
-pH5nLkvbLpcAF+R8Zh9nwY0g1JVyc6AB6j7YexuUQZpHH4s0Vdx/nWmrcFeLZKCT
-xcahHvU50e1yKX5thfVaJqI8QQ7xZxyu0TTsiaX0uw51JPOzPuAPph0z6xoS9oYx
-uzZ1y9sNHH6kH8GFnvS2MqyHiNz0h0Sq/q6n+w==</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </KeyDescriptor>
-    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.onelogin.com/trust/saml2/http-post/sso/503983"/>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.onelogin.com/trust/saml2/http-post/sso/503983"/>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://app.onelogin.com/trust/saml2/soap/sso/503983"/>
-  </IDPSSODescriptor>
-  <ContactPerson contactType="technical">
-    <SurName>Support</SurName>
-    <EmailAddress>support@onelogin.com</EmailAddress>
-  </ContactPerson>
-</EntityDescriptor>
-`
+
+	SamlResponse := golden.Get(t, "TestSPCanHandleOneloginResponse_response")
+	test.IDPMetadata = golden.Get(t, "TestSPCanHandleOneloginResponse_IDPMetadata")
+
 	s := ServiceProvider{
 		Key:         test.Key,
 		Certificate: test.Certificate,
@@ -250,19 +425,16 @@ uzZ1y9sNHH6kH8GFnvS2MqyHiNz0h0Sq/q6n+w==</ds:X509Certificate>
 		AcsURL:      mustParseURL("https://29ee6d2e.ngrok.io/saml/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
-	req.PostForm.Set("SAMLResponse", SamlResponse)
+	req.PostForm.Set("SAMLResponse", string(SamlResponse))
 	assertion, err := s.ParseResponse(&req, []string{"id-d40c15c104b52691eccf0a2a5c8a15595be75423"})
-	if err != nil {
-		c.Logf("%s", err.(*InvalidResponseError).PrivateErr)
-	}
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
-	c.Assert(assertion.Subject.NameID.Value, DeepEquals, "ross@kndr.org")
-	c.Assert(assertion.AttributeStatements[0].Attributes, DeepEquals, []Attribute{
+	assert.Check(t, is.Equal("ross@kndr.org", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			Name:       "User.email",
 			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
@@ -313,47 +485,142 @@ uzZ1y9sNHH6kH8GFnvS2MqyHiNz0h0Sq/q6n+w==</ds:X509Certificate>
 				},
 			},
 		},
-	})
+	},
+		assertion.AttributeStatements[0].Attributes))
+}
+
+func TestSPCanHandleOktaSignedResponseEncryptedAssertion(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	// An actual response from okta - captured with trivial.go + test.Key/test.Certificate
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Tue Mar 3 19:24:28 UTC 2020")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+	SamlResponse := golden.Get(t, "TestSPCanHandleOktaSignedResponseEncryptedAssertion_response")
+	test.IDPMetadata = golden.Get(t, "TestSPCanHandleOktaSignedResponseEncryptedAssertion_IDPMetadata")
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://localhost:8000/saml/metadata"),
+		AcsURL:      mustParseURL("http://localhost:8000/saml/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(SamlResponse))
+	assertion, err := s.ParseResponse(&req, []string{"id-a7364d1e4432aa9085a7a8bd824ea2fa8fa8f684"})
+	assert.Check(t, err)
+
+	assert.Check(t, is.Equal("testuser@testrsc.com", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
+		{
+			Name:       "Username",
+			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "FixedValue",
+				},
+			},
+		},
+	}, assertion.AttributeStatements[0].Attributes))
+}
+
+func TestSPCanHandleOktaResponseEncryptedSignedAssertion(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	// An actual response from okta - captured with trivial.go + test.Key/test.Certificate
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Tue Mar 3 19:31:55 UTC 2020")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+	SamlResponse := golden.Get(t, "TestSPCanHandleOktaResponseEncryptedSignedAssertion_response")
+	test.IDPMetadata = golden.Get(t, "TestSPCanHandleOktaResponseEncryptedSignedAssertion_IDPMetadata")
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://localhost:8000/saml/metadata"),
+		AcsURL:      mustParseURL("http://localhost:8000/saml/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(SamlResponse))
+	assertion, err := s.ParseResponse(&req, []string{"id-6d976cdde8e76df5df0a8ff58148fc0b7ec6796d"})
+	assert.Check(t, err)
+
+	assert.Check(t, is.Equal("testuser@testrsc.com", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
+		{
+			Name:       "Username",
+			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "FixedValue",
+				},
+			},
+		},
+	}, assertion.AttributeStatements[0].Attributes))
+}
+
+func TestSPCanHandleOktaResponseEncryptedAssertionBothSigned(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	// An actual response from okta - captured with trivial.go + test.Key/test.Certificate
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Tue Mar 3 19:40:54 UTC 2020")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+	SamlResponse := golden.Get(t, "TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_response")
+	test.IDPMetadata = golden.Get(t, "TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_IDPMetadata")
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://localhost:8000/saml/metadata"),
+		AcsURL:      mustParseURL("http://localhost:8000/saml/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(SamlResponse))
+	assertion, err := s.ParseResponse(&req, []string{"id-953d4cab69ff475c5901d12e585b0bb15a7b85fe"})
+	assert.Check(t, err)
+
+	assert.Check(t, is.Equal("testuser@testrsc.com", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
+		{
+			Name:       "Username",
+			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "FixedValue",
+				},
+			},
+		},
+	}, assertion.AttributeStatements[0].Attributes))
 }
 
-func (test *ServiceProviderTest) TestCanHandlePlaintextResponse(c *C) {
+func TestSPCanHandlePlaintextResponse(t *testing.T) {
+	test := NewServiceProviderTest(t)
 	// An actual response from google
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Tue Jan 5 16:55:39 UTC 2016")
 		return rv
 	}
 	Clock = dsig.NewFakeClockAt(TimeNow())
-	SamlResponse := "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+PHNhbWwycDpSZXNwb25zZSB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRGVzdGluYXRpb249Imh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9hY3MiIElEPSJfZmMxNDFkYjI4NGViMzA5ODYwNTM1MWJkZTRkOWJlNTkiIEluUmVzcG9uc2VUbz0iaWQtZmQ0MTlhNWFiMDQ3MjY0NTQyN2Y4ZTA3ZDg3YTNhNWRkMGIyZTlhNiIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE2OjU1OjM5LjM0OFoiIFZlcnNpb249IjIuMCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tL28vc2FtbDI/aWRwaWQ9QzAyZGZsMXIxPC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjX2ZjMTQxZGIyODRlYjMwOTg2MDUzNTFiZGU0ZDliZTU5Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48ZHM6RGlnZXN0VmFsdWU+bHRNRUJLRzRZNVNLeERScUxHR2xFSGtPd3hla3dQOStybnA2WEtqdkJxVT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+SFBVV0pmYTlqdVdiKy9wZ0YrQklsc2pycE40NkE0RUNiT3hNdXhmWEFRUCtrMU5KMG9EdTJKYk1pZHpmclJBRkRHMjZaNjZWQWtkcwpBRmYwVFgzMWxvVjdaU0tGS0lVY0tuaFlXTHFuUTZLbmRydnJLbzF5UUhzUkdUNzJoVjl3SWdqTFRTZm5FV3QvOEMxaERQQi96R0txClhXZ3VvNFFHYlZUeVBoVVh3eEFzRmxBNjFDdkE5Q1pzU2xpeHBaY2pOVjUyQmMydzI5RUNRNStBcHZGWjVqRU1EN1JiQTVpMzdBbmgKUVBCeVYrZXo4ZU9Yc0hvQlhsR0drTjlDR201MFR6djZ3TW12WkdkT2pKWlhvRWZGUTA4UFJwbE9DQWpxSjM3QnhpWitLZWtUaE1KYgorelowcG1yeWR2V3lONEMzNWcycGVueGw2QUtxYnhMaXlJUkVaZz09PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlTdWJqZWN0TmFtZT5TVD1DYWxpZm9ybmlhLEM9VVMsT1U9R29vZ2xlIEZvciBXb3JrLENOPUdvb2dsZSxMPU1vdW50YWluIFZpZXcsTz1Hb29nbGUgSW5jLjwvZHM6WDUwOVN1YmplY3ROYW1lPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRGREQ0NBbHlnQXdJQkFnSUdBVklTbElsWU1BMEdDU3FHU0liM0RRRUJDd1VBTUhzeEZEQVNCZ05WQkFvVEMwZHZiMmRzWlNCSgpibU11TVJZd0ZBWURWUVFIRXcxTmIzVnVkR0ZwYmlCV2FXVjNNUTh3RFFZRFZRUURFd1pIYjI5bmJHVXhHREFXQmdOVkJBc1REMGR2CmIyZHNaU0JHYjNJZ1YyOXlhekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnVENrTmhiR2xtYjNKdWFXRXdIaGNOTVRZd01UQTEKTVRZeE56UTVXaGNOTWpFd01UQXpNVFl4TnpRNVdqQjdNUlF3RWdZRFZRUUtFd3RIYjI5bmJHVWdTVzVqTGpFV01CUUdBMVVFQnhNTgpUVzkxYm5SaGFXNGdWbWxsZHpFUE1BMEdBMVVFQXhNR1IyOXZaMnhsTVJnd0ZnWURWUVFMRXc5SGIyOW5iR1VnUm05eUlGZHZjbXN4CkN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBbVVmTVVQeEhTWS9aWVo4OGZVR0FsaFVQNE5pN3pqNTR2c3JzUERBNFVoUWlSZUVEUnVuTjFxM09Ic1NoUm9uZwpnZDRMdkE4My9lLzNwbS9WNjBSNnZ5TWZqM1ovSUdXWStlWjk3RUpVdmprdHQrVlJvQWkyNm9lWTlaVzZTODV5YXB2QTNpdWhFd0lRCk9jdVBtMU9xUlEweVE0c1VEK1d0TC9RU21sWXZEUDVUSzFkNndoVGlzTnNLU3FlRlpDYi9zOU9YMDFVZXhXMUJ1RE9MZVZ0MHJDVzEKa1JOY0JCTERtZDRobkRQMFNWcTduTGhORllYajJFYTZXc3lSQUl2Y2hhVUd5K0ltYTJva1htOTVZZTlrbjhlMTE4aS81clJleUtDbQpCbHNrTWtOYUE0S1dLdklRbTNEZGpnT05nRWQwSXZLRXh5THdZN2E1L0pJVXZCaGI5UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBCkE0SUJBUUFVRExNbkhwemZwNFNoZEJxQ3JlVzQ4ZjhyVTk0cTJxTXdyVStXNkRrT3JHSlRBU1ZHUzlSaWIvTUtBaVJZT21xbGFxRVkKTlA1N3BDckUvblJCNUZWZEUrQWxTeC9mUjNraHNRM3pmLzRkWXMyMVN2R2YrT2FzOTlYRWJXZlYwT21QTVltM0lyU0NPQkVWMzF3aAo0MXFSYzVRTG5SK1h1dE5QYlNCTit0bitnaVJDTEdDQkxlODFvVnc0ZlJHUWJna2Q4N3JmTE95M0c2MzBJNnMvSjVmZUZGVVQ4ZDdoCjltcE9lT3FMQ1ByS3BxK3dJM2FEM2xmNG1YcUtJRE5pSEhSb05sNjdBTlB1L04zZk5VMUhwbFZ0dnJvVnBpTnA4N2ZyZ2RsS1RFY2cKUFVrZmJhWUhRR1A2SVMwbHplQ2VEWDB3YWIzcVJvaDcvakp0NS9CUjhJd2Y8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDJwOlN0YXR1cz48c2FtbDJwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbDJwOlN0YXR1cz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzllNzY0OTUyZTZhMjYxZTE5NDA5YTM4MjU1ODEwMzNkIiBJc3N1ZUluc3RhbnQ9IjIwMTYtMDEtMDVUMTY6NTU6MzkuMzQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyPmh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL3NhbWwyP2lkcGlkPUMwMmRmbDFyMTwvc2FtbDI6SXNzdWVyPjxzYW1sMjpTdWJqZWN0PjxzYW1sMjpOYW1lSUQ+cm9zc0BvY3RvbGFicy5pbzwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iaWQtZmQ0MTlhNWFiMDQ3MjY0NTQyN2Y4ZTA3ZDg3YTNhNWRkMGIyZTlhNiIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjAwOjM5LjM0OFoiIFJlY2lwaWVudD0iaHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL2FjcyIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTAxLTA1VDE2OjUwOjM5LjM0OFoiIE5vdE9uT3JBZnRlcj0iMjAxNi0wMS0wNVQxNzowMDozOS4zNDhaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL21ldGFkYXRhPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJwaG9uZSIvPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iYWRkcmVzcyIvPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iam9iVGl0bGUiLz48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImZpcnN0TmFtZSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPlJvc3M8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ibGFzdE5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5LaW5kZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTYtMDEtMDVUMTY6NTU6MzguMDAwWiIgU2Vzc2lvbkluZGV4PSJfOWU3NjQ5NTJlNmEyNjFlMTk0MDlhMzgyNTU4MTAzM2QiPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg=="
-	test.IDPMetadata = `<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=C02dfl1r1" validUntil="2021-01-03T16:17:49.000Z">
-  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <md:KeyDescriptor use="signing">
-      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:X509Data>
-          <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAVISlIlYMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
-bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
-b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMTYwMTA1
-MTYxNzQ5WhcNMjEwMTAzMTYxNzQ5WjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
-TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
-CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAmUfMUPxHSY/ZYZ88fUGAlhUP4Ni7zj54vsrsPDA4UhQiReEDRunN1q3OHsShRong
-gd4LvA83/e/3pm/V60R6vyMfj3Z/IGWY+eZ97EJUvjktt+VRoAi26oeY9ZW6S85yapvA3iuhEwIQ
-OcuPm1OqRQ0yQ4sUD+WtL/QSmlYvDP5TK1d6whTisNsKSqeFZCb/s9OX01UexW1BuDOLeVt0rCW1
-kRNcBBLDmd4hnDP0SVq7nLhNFYXj2Ea6WsyRAIvchaUGy+Ima2okXm95Ye9kn8e118i/5rReyKCm
-BlskMkNaA4KWKvIQm3DdjgONgEd0IvKExyLwY7a5/JIUvBhb9QIDAQABMA0GCSqGSIb3DQEBCwUA
-A4IBAQAUDLMnHpzfp4ShdBqCreW48f8rU94q2qMwrU+W6DkOrGJTASVGS9Rib/MKAiRYOmqlaqEY
-NP57pCrE/nRB5FVdE+AlSx/fR3khsQ3zf/4dYs21SvGf+Oas99XEbWfV0OmPMYm3IrSCOBEV31wh
-41qRc5QLnR+XutNPbSBN+tn+giRCLGCBLe81oVw4fRGQbgkd87rfLOy3G630I6s/J5feFFUT8d7h
-9mpOeOqLCPrKpq+wI3aD3lf4mXqKIDNiHHRoNl67ANPu/N3fNU1HplVtvroVpiNp87frgdlKTEcg
-PUkfbaYHQGP6IS0lzeCeDX0wab3qRoh7/jJt5/BR8Iwf</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </md:KeyDescriptor>
-    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
-    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C02dfl1r1"/>
-    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C02dfl1r1"/>
-  </md:IDPSSODescriptor>
-</md:EntityDescriptor>`
+	SamlResponse := golden.Get(t, "TestSPCanHandlePlaintextResponse_response")
+	test.IDPMetadata = golden.Get(t, "TestSPCanHandlePlaintextResponse_IDPMetadata")
 
 	s := ServiceProvider{
 		Key:         test.Key,
@@ -362,19 +629,16 @@ PUkfbaYHQGP6IS0lzeCeDX0wab3qRoh7/jJt5/BR8Iwf</ds:X509Certificate>
 		AcsURL:      mustParseURL("https://29ee6d2e.ngrok.io/saml/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
-	req.PostForm.Set("SAMLResponse", SamlResponse)
+	req.PostForm.Set("SAMLResponse", string(SamlResponse))
 	assertion, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
-	if err != nil {
-		c.Logf("%s", err.(*InvalidResponseError).PrivateErr)
-	}
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
-	c.Assert(assertion.Subject.NameID.Value, DeepEquals, "ross@octolabs.io")
-	c.Assert(assertion.AttributeStatements[0].Attributes, DeepEquals, []Attribute{
+	assert.Check(t, is.Equal("ross@octolabs.io", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			Name:   "phone",
 			Values: nil,
@@ -405,10 +669,126 @@ PUkfbaYHQGP6IS0lzeCeDX0wab3qRoh7/jJt5/BR8Iwf</ds:X509Certificate>
 				},
 			},
 		},
-	})
+	}, assertion.AttributeStatements[0].Attributes))
+}
+
+func TestSPRejectsInjectedComment(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	// An actual response from google
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Tue Jan 5 16:55:39 UTC 2016")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+
+	SamlResponse := golden.Get(t, "TestSPRejectsInjectedComment_response")
+	test.IDPMetadata = golden.Get(t, "TestSPRejectsInjectedComment_IDPMetadata")
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://29ee6d2e.ngrok.io/saml/metadata"),
+		AcsURL:      mustParseURL("https://29ee6d2e.ngrok.io/saml/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	// this is a valid response
+	{
+		req := http.Request{PostForm: url.Values{}}
+		req.PostForm.Set("SAMLResponse", string(SamlResponse))
+		assertion, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
+		assert.Check(t, err)
+		assert.Check(t, is.Equal("ross@octolabs.io", assertion.Subject.NameID.Value))
+	}
+
+	// this is a valid response but with a comment injected
+	{
+		x, _ := base64.StdEncoding.DecodeString(string(SamlResponse))
+		y := strings.Replace(string(x), "ross@octolabs.io", "ross@<!-- and a comment -->octolabs.io", 1)
+		SamlResponse = []byte(base64.StdEncoding.EncodeToString([]byte(y)))
+
+		req := http.Request{PostForm: url.Values{}}
+		req.PostForm.Set("SAMLResponse", string(SamlResponse))
+		assertion, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
+
+		// Note: I would expect the injected comment to be stripped and for the signature
+		// to validate. Less ideal, but not insecure is the case where the comment breaks
+		// the signature, perhaps because xml-c18n isn't being implemented correctly by
+		// dsig.
+		if err == nil {
+			assert.Check(t, is.Equal("ross@octolabs.io",
+				assertion.Subject.NameID.Value))
+		}
+	}
+
+	// this is an invalid response with a commend injected per CVE-2018-7340
+	// ref: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+	// it *MUST NOT* validate
+	{
+		x, _ := base64.StdEncoding.DecodeString(string(SamlResponse))
+		y := strings.Replace(string(x), "ross@octolabs.io", "ross@octolabs.io<!-- and a comment -->.example.com", 1)
+		SamlResponse = []byte(base64.StdEncoding.EncodeToString([]byte(y)))
+
+		req := http.Request{PostForm: url.Values{}}
+		req.PostForm.Set("SAMLResponse", string(SamlResponse))
+		_, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
+		assert.Check(t, err != nil)
+
+		realErr := err.(*InvalidResponseError).PrivateErr
+		assert.Check(t, is.Error(realErr,
+			"cannot validate signature on Response: Signature could not be verified"))
+	}
+}
+
+func TestSPRejectsMalformedResponse(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	// An actual response from google
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Tue Jan 5 16:55:39 UTC 2016")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+	SamlResponse := golden.Get(t, "TestSPRejectsMalformedResponse_response")
+	test.IDPMetadata = golden.Get(t, "TestSPRejectsMalformedResponse_IDPMetadata")
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://29ee6d2e.ngrok.io/saml/metadata"),
+		AcsURL:      mustParseURL("https://29ee6d2e.ngrok.io/saml/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	// this is a valid response
+	{
+		req := http.Request{PostForm: url.Values{}}
+		req.PostForm.Set("SAMLResponse", string(SamlResponse))
+		assertion, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
+		assert.Check(t, err)
+		assert.Check(t, is.Equal("ross@octolabs.io", assertion.Subject.NameID.Value))
+	}
+
+	// this is a valid response but with a comment injected
+	{
+		x, _ := base64.StdEncoding.DecodeString(string(SamlResponse))
+		y := strings.Replace(string(x), "<saml2p:Response", "<saml2p:Response ::foo=\"bar\"", 1)
+		SamlResponse = []byte(base64.StdEncoding.EncodeToString([]byte(y)))
+
+		req := http.Request{PostForm: url.Values{}}
+		req.PostForm.Set("SAMLResponse", string(SamlResponse))
+		assertion, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
+		assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+			"invalid xml: validator: in token starting at 1:55: roundtrip error: expected {{saml2p Response} [{{ :foo} bar} {{xmlns saml2p} urn:oasis:names:tc:SAML:2.0:protocol} {{ Destination} https://29ee6d2e.ngrok.io/saml/acs} {{ ID} _fc141db284eb3098605351bde4d9be59} {{ InResponseTo} id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6} {{ IssueInstant} 2016-01-05T16:55:39.348Z} {{ Version} 2.0}]}, observed {{ Response} [{{ xmlns} saml2p} {{ foo} bar} {{xmlns saml2p} urn:oasis:names:tc:SAML:2.0:protocol} {{ Destination} https://29ee6d2e.ngrok.io/saml/acs} {{ ID} _fc141db284eb3098605351bde4d9be59} {{ InResponseTo} id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6} {{ IssueInstant} 2016-01-05T16:55:39.348Z} {{ Version} 2.0} {{ Version} 2.0}]}"))
+		assert.Check(t, is.Nil(assertion))
+	}
 }
 
-func (test *ServiceProviderTest) TestCanParseResponse(c *C) {
+func TestSPCanParseResponse(t *testing.T) {
+	test := NewServiceProviderTest(t)
 	s := ServiceProvider{
 		Key:         test.Key,
 		Certificate: test.Certificate,
@@ -416,15 +796,15 @@ func (test *ServiceProviderTest) TestCanParseResponse(c *C) {
 		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	assertion, err := s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
-	c.Assert(assertion.AttributeStatements[0].Attributes, DeepEquals, []Attribute{
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			FriendlyName: "uid",
 			Name:         "urn:oid:0.9.2342.19200300.100.1.1",
@@ -542,10 +922,20 @@ func (test *ServiceProviderTest) TestCanParseResponse(c *C) {
 				},
 			},
 		},
-	})
+	}, assertion.AttributeStatements[0].Attributes))
+}
+
+func (test *ServiceProviderTest) replaceDestination(newDestination string) {
+	newStr := ""
+	if newDestination != "" {
+		newStr = `Destination="` + newDestination + `"`
+	}
+	test.SamlResponse = bytes.Replace(test.SamlResponse,
+		[]byte(`Destination="https://15661444.ngrok.io/saml2/acs"`), []byte(newStr), 1)
 }
 
-func (test *ServiceProviderTest) TestInvalidResponses(c *C) {
+func TestSPCanProcessResponseWithoutDestination(t *testing.T) {
+	test := NewServiceProviderTest(t)
 	s := ServiceProvider{
 		Key:         test.Key,
 		Certificate: test.Certificate,
@@ -553,36 +943,177 @@ func (test *ServiceProviderTest) TestInvalidResponses(c *C) {
 		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
-	req.PostForm.Set("SAMLResponse", "???")
+	test.replaceDestination("")
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	c.Assert(err.(*InvalidResponseError).PrivateErr, ErrorMatches, "cannot parse base64: illegal base64 data at input byte 0")
+	assert.Check(t, err)
+}
 
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte("<hello>World!</hello>")))
-	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	c.Assert(err.(*InvalidResponseError).PrivateErr, ErrorMatches, "cannot unmarshal response: expected element type <Response> but have <hello>")
+func (test *ServiceProviderTest) responseDom() (doc *etree.Document) {
+	doc = etree.NewDocument()
+	doc.ReadFromBytes(test.SamlResponse)
+	return doc
+}
 
-	s.AcsURL = mustParseURL("https://wrong/saml2/acs")
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
-	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	c.Assert(err.(*InvalidResponseError).PrivateErr.Error(), Equals, "`Destination` does not match AcsURL (expected \"https://wrong/saml2/acs\")")
-	s.AcsURL = mustParseURL("https://15661444.ngrok.io/saml2/acs")
+func addSignatureToDocument(doc *etree.Document) *etree.Document {
+	responseEl := doc.FindElement("//Response")
+	signatureEl := doc.CreateElement("xmldsig:Signature")
+	signatureEl.CreateAttr("xmlns:xmldsig", "http://www.w3.org/2000/09/xmldsig#")
+	responseEl.AddChild(signatureEl)
+	return doc
+}
 
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
-	_, err = s.ParseResponse(&req, []string{"wrongRequestID"})
-	c.Assert(err.(*InvalidResponseError).PrivateErr.Error(), Equals, "`InResponseTo` does not match any of the possible request IDs (expected [wrongRequestID])")
+func removeDestinationFromDocument(doc *etree.Document) *etree.Document {
+	responseEl := doc.FindElement("//Response")
+	responseEl.RemoveAttr("Destination")
+	return doc
+}
 
-	TimeNow = func() time.Time {
-		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Nov 30 20:57:09 UTC 2016")
+func TestServiceProviderMismatchedDestinationsWithSignaturePresent(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	s.AcsURL = mustParseURL("https://wrong/saml2/acs")
+	bytes, _ := addSignatureToDocument(test.responseDom()).WriteToBytes()
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
+	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://wrong/saml2/acs\", actual \"https://15661444.ngrok.io/saml2/acs\")"))
+}
+
+func TestServiceProviderMissingDestinationWithSignaturePresent(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	bytes, _ := removeDestinationFromDocument(addSignatureToDocument(test.responseDom())).WriteToBytes()
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
+	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"\")"))
+}
+
+func TestSPMismatchedDestinationsWithSignaturePresent(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	test.replaceDestination("https://wrong/saml2/acs")
+	bytes, _ := addSignatureToDocument(test.responseDom()).WriteToBytes()
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
+	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"https://wrong/saml2/acs\")"))
+}
+
+func TestSPMismatchedDestinationsWithNoSignaturePresent(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	test.replaceDestination("https://wrong/saml2/acs")
+	bytes, _ := test.responseDom().WriteToBytes()
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
+	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"https://wrong/saml2/acs\")"))
+}
+
+func TestSPMissingDestinationWithSignaturePresent(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	test.replaceDestination("")
+	bytes, _ := addSignatureToDocument(test.responseDom()).WriteToBytes()
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
+	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"\")"))
+}
+
+func TestSPInvalidResponses(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", "???")
+	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot parse base64: illegal base64 data at input byte 0"))
+
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte("<hello>World!</hello>")))
+	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot unmarshal response: expected element type <Response> but have <hello>"))
+
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
+	_, err = s.ParseResponse(&req, []string{"wrongRequestID"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`InResponseTo` does not match any of the possible request IDs (expected [wrongRequestID])"))
+
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Nov 30 20:57:09 UTC 2016")
 		return rv
 	}
 	Clock = dsig.NewFakeClockAt(TimeNow())
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	c.Assert(err.(*InvalidResponseError).PrivateErr.Error(), Equals, "IssueInstant expired at 2015-12-01 01:57:51.375 +0000 UTC")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"response IssueInstant expired at 2015-12-01 01:57:51.375 +0000 UTC"))
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Dec 1 01:57:09 UTC 2015")
 		return rv
@@ -590,30 +1121,35 @@ func (test *ServiceProviderTest) TestInvalidResponses(c *C) {
 	Clock = dsig.NewFakeClockAt(TimeNow())
 
 	s.IDPMetadata.EntityID = "http://snakeoil.com"
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	c.Assert(err.(*InvalidResponseError).PrivateErr.Error(), Equals, "Issuer does not match the IDP metadata (expected \"http://snakeoil.com\")")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"response Issuer does not match the IDP metadata (expected \"http://snakeoil.com\")"))
 	s.IDPMetadata.EntityID = "https://idp.testshib.org/idp/shibboleth"
 
 	oldSpStatusSuccess := StatusSuccess
 	StatusSuccess = "not:the:success:value"
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	c.Assert(err.(*InvalidResponseError).PrivateErr.Error(), Equals, "Status code was not not:the:success:value")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"urn:oasis:names:tc:SAML:2.0:status:Success"))
 	StatusSuccess = oldSpStatusSuccess
 
 	s.IDPMetadata.IDPSSODescriptors[0].KeyDescriptors[0].KeyInfo.Certificate = "invalid"
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	c.Assert(err.(*InvalidResponseError).PrivateErr, ErrorMatches, "cannot validate signature on Response: cannot parse certificate: illegal base64 data at input byte 4")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: cannot parse certificate: illegal base64 data at input byte 4"))
 
 	s.IDPMetadata.IDPSSODescriptors[0].KeyDescriptors[0].KeyInfo.Certificate = "aW52YWxpZA=="
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	c.Assert(err.(*InvalidResponseError).PrivateErr, ErrorMatches, "cannot validate signature on Response: asn1: structure error: tags don't match .*")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: asn1: structure error: tags don't match (16 vs {class:1 tag:9 length:110 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificate @2"))
 }
 
-func (test *ServiceProviderTest) TestInvalidAssertions(c *C) {
+func TestSPInvalidAssertions(t *testing.T) {
+	test := NewServiceProviderTest(t)
 	s := ServiceProvider{
 		Key:         test.Key,
 		Certificate: test.Certificate,
@@ -621,171 +1157,370 @@ func (test *ServiceProviderTest) TestInvalidAssertions(c *C) {
 		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(test.SamlResponse))
 	s.IDPMetadata.IDPSSODescriptors[0].KeyDescriptors[0].KeyInfo.Certificate = "invalid"
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
 	assertionBuf := []byte(err.(*InvalidResponseError).Response)
 
 	assertion := Assertion{}
 	err = xml.Unmarshal(assertionBuf, &assertion)
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow().Add(time.Hour))
-	c.Assert(err.Error(), Equals, "expired on 2015-12-01 01:57:51.375 +0000 UTC")
+	assert.Check(t, is.Error(err, "expired on 2015-12-01 01:57:51.375 +0000 UTC"))
 
 	assertion.Issuer.Value = "bob"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	c.Assert(err.Error(), Equals, "issuer is not \"https://idp.testshib.org/idp/shibboleth\"")
+	assert.Check(t, is.Error(err, "issuer is not \"https://idp.testshib.org/idp/shibboleth\""))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Subject.NameID.NameQualifier = "bob"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	c.Assert(err, IsNil) // not verified
+	assert.Check(t, err) // not verified
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Subject.NameID.SPNameQualifier = "bob"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	c.Assert(err, IsNil) // not verified
+	assert.Check(t, err) // not verified
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
-	pretty.Print(assertion.Subject.SubjectConfirmations)
 	err = s.validateAssertion(&assertion, []string{"any request id"}, TimeNow())
-	c.Assert(err, ErrorMatches, "SubjectConfirmation one of the possible request IDs .*")
+	assert.Check(t, is.Error(err, "assertion SubjectConfirmation one of the possible request IDs ([any request id])"))
 
 	assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData.Recipient = "wrong/acs/url"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	c.Assert(err.Error(), Equals, "SubjectConfirmation Recipient is not https://15661444.ngrok.io/saml2/acs")
+	assert.Check(t, is.Error(err, "assertion SubjectConfirmation Recipient is not https://15661444.ngrok.io/saml2/acs"))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData.NotOnOrAfter = TimeNow().Add(-1 * time.Hour)
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	c.Assert(err.Error(), Equals, "SubjectConfirmationData is expired")
+	assert.Check(t, is.Error(err, "assertion SubjectConfirmationData is expired"))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Conditions.NotBefore = TimeNow().Add(time.Hour)
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	c.Assert(err.Error(), Equals, "Conditions is not yet valid")
+	assert.Check(t, is.Error(err, "assertion Conditions is not yet valid"))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Conditions.NotOnOrAfter = TimeNow().Add(-1 * time.Hour)
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	c.Assert(err.Error(), Equals, "Conditions is expired")
+	assert.Check(t, is.Error(err, "assertion Conditions is expired"))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Conditions.AudienceRestrictions[0].Audience.Value = "not/our/metadata/url"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	c.Assert(err.Error(), Equals, "Conditions AudienceRestriction does not contain \"https://15661444.ngrok.io/saml2/metadata\"")
+	assert.Check(t, is.Error(err, "assertion Conditions AudienceRestriction does not contain \"https://15661444.ngrok.io/saml2/metadata\""))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
+
+	// Not having an audience is not an error
+	assertion.Conditions.AudienceRestrictions = []AudienceRestriction{}
+	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
+	assert.Check(t, err)
+}
+
+func TestXswPermutationOneIsRejected(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	idpMetadata := golden.Get(t, "TestSPCanHandleOneloginResponse_IDPMetadata")
+	respStr := golden.Get(t, "TestXswPermutationOneIsRejected_response")
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Tue Jan 5 17:53:12 UTC 2016")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://29ee6d2e.ngrok.io/saml/metadata"),
+		AcsURL:      mustParseURL("https://29ee6d2e.ngrok.io/saml/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(respStr))
+	_, err = s.ParseResponse(&req, []string{"id-d40c15c104b52691eccf0a2a5c8a15595be75423"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: Missing signature referencing the top-level element"))
+}
+
+func TestXswPermutationTwoIsRejected(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	idpMetadata := golden.Get(t, "TestSPCanHandleOneloginResponse_IDPMetadata")
+	respStr := golden.Get(t, "TestXswPermutationTwoIsRejected_response")
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Tue Jan 5 17:53:12 UTC 2016")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://29ee6d2e.ngrok.io/saml/metadata"),
+		AcsURL:      mustParseURL("https://29ee6d2e.ngrok.io/saml/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(respStr))
+	_, err = s.ParseResponse(&req, []string{"id-d40c15c104b52691eccf0a2a5c8a15595be75423"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: Missing signature referencing the top-level element"))
 }
 
-func (test *ServiceProviderTest) TestRealWorldKeyInfoHasRSAPublicKeyNotX509Cert(c *C) {
+func TestXswPermutationThreeIsRejected(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	idpMetadata := golden.Get(t, "TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata")
+	respStr := golden.Get(t, "TestXswPermutationThreeIsRejected_response")
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T01:02:59Z")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://sp.example.com/demo1/metadata.php"),
+		AcsURL:      mustParseURL("http://sp.example.com/demo1/index.php?acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(respStr))
+	_, err = s.ParseResponse(&req, []string{"ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"})
+	// Because this permutation contains an unsigned assertion as child of the response
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"either the Response or Assertion must be signed"))
+}
+
+func TestXswPermutationFourIsRejected(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	idpMetadata := golden.Get(t, "TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata")
+	respStr := golden.Get(t, "TestXswPermutationFourIsRejected_response")
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T01:02:59Z")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://sp.example.com/demo1/metadata.php"),
+		AcsURL:      mustParseURL("http://sp.example.com/demo1/index.php?acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(respStr))
+	_, err = s.ParseResponse(&req, []string{"ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"})
+	// Because this permutation contains an unsigned assertion as child of the response
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"either the Response or Assertion must be signed"))
+}
+
+func TestXswPermutationFiveIsRejected(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	idpMetadata := golden.Get(t, "TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata")
+	respStr := golden.Get(t, "TestXswPermutationFiveIsRejected_response")
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T01:02:59Z")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://sp.example.com/demo1/metadata.php"),
+		AcsURL:      mustParseURL("http://sp.example.com/demo1/index.php?acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(respStr))
+	_, err = s.ParseResponse(&req, []string{"ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: Missing signature referencing the top-level element"))
+}
+
+func TestXswPermutationSixIsRejected(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	idpMetadata := golden.Get(t, "TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata")
+	respStr := golden.Get(t, "TestXswPermutationSixIsRejected_response")
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T01:02:59Z")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(TimeNow())
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://sp.example.com/demo1/metadata.php"),
+		AcsURL:      mustParseURL("http://sp.example.com/demo1/index.php?acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(respStr))
+	_, err = s.ParseResponse(&req, []string{"ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"})
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: Missing signature referencing the top-level element"))
+}
+
+func TestXswPermutationSevenIsRejected(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	idpMetadata := golden.Get(t, "TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata")
+	respStr := golden.Get(t, "TestXswPermutationSevenIsRejected_response")
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T01:02:59Z")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T14:12:57Z")
+		return rv
+	}())
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://sp.example.com/demo1/metadata.php"),
+		AcsURL:      mustParseURL("http://sp.example.com/demo1/index.php?acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(respStr))
+	_, err = s.ParseResponse(&req, []string{"ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"})
+	//It's the assertion signature that can't be verified. The error message is generic and always mentions Response
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: Signature could not be verified"))
+}
+
+func TestXswPermutationEightIsRejected(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	idpMetadata := golden.Get(t, "TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata")
+	respStr := golden.Get(t, "TestXswPermutationEightIsRejected_response")
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T01:02:59Z")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T14:12:57Z")
+		return rv
+	}())
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://sp.example.com/demo1/metadata.php"),
+		AcsURL:      mustParseURL("http://sp.example.com/demo1/index.php?acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(respStr))
+	_, err = s.ParseResponse(&req, []string{"ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"})
+	//It's the assertion signature that can't be verified. The error message is generic and always mentions Response
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: Signature could not be verified"))
+}
+
+func TestXswPermutationNineIsRejected(t *testing.T) {
+	test := NewServiceProviderTest(t)
+	idpMetadata := golden.Get(t, "TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata")
+	respStr := golden.Get(t, "TestXswPermutationNineIsRejected_response")
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T01:02:59Z")
+		return rv
+	}
+	Clock = dsig.NewFakeClockAt(func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T14:12:57Z")
+		return rv
+	}())
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://sp.example.com/demo1/metadata.php"),
+		AcsURL:      mustParseURL("http://sp.example.com/demo1/index.php?acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(respStr))
+	_, err = s.ParseResponse(&req, []string{"ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"})
+	//It's the assertion signature that can't be verified. The error message is generic and always mentions Response
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: Missing signature referencing the top-level element"))
+}
+
+func TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert(t *testing.T) {
 	// This is a real world SAML response that we observed. It contains <ds:RSAKeyValue> elements
-	idpMetadata := `<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.secureworks.com/SAML2"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIG1TCCBL2gAwIBAgICClwwDQYJKoZIhvcNAQENBQAwgaoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9yZ2lhMRAwDgYDVQQHEwdBdGxhbnRhMRkwFwYDVQQKExBEZWxsIFNlY3VyZVdvcmtzMQ4wDAYDVQQLEwVJVE9wczElMCMGA1UEAxMcRGVsbCBTZWN1cmVXb3JrcyBJbnRlcm5hbCBDQTElMCMGCSqGSIb3DQEJARYWYS10ZWFtQHNlY3VyZXdvcmtzLmNvbTAeFw0xNjA1MTExMTEyMzdaFw0xODA1MTExMTEyMzdaMIG+MQswCQYDVQQGDAJVUzEQMA4GA1UECAwHR2VvcmdpYTEQMA4GA1UEBwwHQXRsYW50YTEaMBgGA1UECgwRU2VjdXJld29ya3MsIEluYy4xHTAbBgNVBAsMFFNlY3VyaXR5IEVuZ2luZWVyaW5nMSYwJAYDVQQDDB1pZHAuc2VjdXJld29ya3MuY29tLXNpZ25hdHVyZTEoMCYGCSqGSIb3DQEJARYZcHJvZGNlcnRzQHNlY3VyZXdvcmtzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM2ZUzSfkHE6dshh9RAlzt68uBh4XLNQltyOhj4j77Tvj+pclsWHUHdkSvx5PSmqeqqZv6qJtK08GxVNiOu2NiXUN0+UASYxh2xh1NbjMVVpISZbqGtC6Zt/NczQiU2afD3raAfHZyBrmvctWi++b9OAhk8ydeCPf7FvmqU5Fo+8VUF7rb1ShE3Z+JAMvi99x6a4mY0DZXLgG6kI+jlrDeLRpC7zRWU+NI0M6f/P7TkBOp9vs59yPIVHj8Iz0ETlJgnivOgpBdMlQj0P7zk7AtNFGnrv0jzlLuaLfv++TT8hPMOUcg4Hn3Q14WDZnrkLcBrXLvxSOumrUDDUw6AoVyUCAwEAAaOCAe0wggHpMAwGA1UdEwEB/wQCMAAwLgYJYIZIAYb4QgENBCEWH0NBOlRvb2wgUi1HZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAWm0miEWAiHZUTgLGQcUJ+rDfKTMAsGA1UdDwQEAwID6DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwJAYDVR0RBB0wG4EZcHJvZGNlcnRzQHNlY3VyZXdvcmtzLmNvbTCBxAYDVR0jBIG8MIG5gBSnJ9n8XVHS92gLa5dG8CETeun58KGBnKSBmTCBljELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0dlb3JnaWExEDAOBgNVBAcTB0F0bGFudGExGTAXBgNVBAoTEERlbGwgU2VjdXJlV29ya3MxITAfBgNVBAMTGERlbGwgU2VjdXJlV29ya3MgUm9vdCBDQTElMCMGCSqGSIb3DQEJARYWYS10ZWFtQHNlY3VyZXdvcmtzLmNvbYICEAEwcQYDVR0gBGowaDBmBgRVHSAAMF4wXAYIKwYBBQUHAgEWUGh0dHBzOi8vY29uZmx1ZW5jZS5zZWN1cmV3b3Jrcy5uZXQvZGlzcGxheS9hcmNoL0RlbGwrU2VjdXJlV29ya3MrSW50ZXJuYWwrQ0ErQ1BTMA0GCSqGSIb3DQEBDQUAA4ICAQCKQPw5TuIUAV5HEwjc+lcaOeSPq288wdKYPf6peunv0v29gIgfnB33k5rr6LD7QuQW2DpcMk0fBDJZUNuQd314kjmfkz6lNoiRGR4KSCe9ryafSExuv0KTmmjKDs/Vy47tVGSdl2DZPE3/bnEbLyPGB7d2hKOzemjyYxjD+3AI24e++ATCpHpi6MGuW4Ya2Lro4DC20E4qeA2x7qIXFlPuCQR5dxs37hNaisUZKTUOgotoq1hFBOa4wF3AtMfiUDh2Wfx4cv0QuOTgL9zbZDNOiCS+niCMpok8HftJJk8IMEV0TBKjAE80p1YoZvbEXJv76e68/apmpA8oIRQniOcXEqPj2S8PgmxX4Pqpj7mGzdkj6VcZW25LOE7AkIVVYiVg1F7VzhugzDitCYeKm/o9shZfYVE/vLLOgrewQR05Pxm7rbSv3HsGGieVdDp7KRjuGQQQ2q/YUEbHAHfohXD9LW/O2jUMwXvCMXdhnmsezsCW6ZCBToplBbqW+BkqAz5dtVOhVon8GVNrcfEY4EWk5cr/UfnvvXVgbyV7Tut5qeUM3JWmieAEUl1KKFTweN25Jib/sYYwYuKjc7fp2J5Ovwi5ZcMZsRydUihoRSR5rzk6uPVq9FADyp7AXsXW5oocwzrWSBNRC6Od+nEpEiB42t0Gsih3Asenj6PbfkTBlw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.secureworks.com/SAML2/SSO/POST"/></md:IDPSSODescriptor></md:EntityDescriptor>`
-	respStr := `<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://preview.docrocket-ross.test.octolabs.io/saml/acs" ID="28338c8c-39ab-4b94-bcdc-46f68f99d962" InResponseTo="id-3992f74e652d89c3cf1efd6c7e472abaac9bc917" IssueInstant="2017-04-21T13:12:50.830Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.secureworks.com/SAML2</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#28338c8c-39ab-4b94-bcdc-46f68f99d962"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>/6iPSzUnncXDbwrXiqZZVSaHt/Q=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>hpJLvXp7DN5qhYkR0+TfvzAHDTIEmOnjA7QGKxbuqUcLxL+xpLqEiPiyCT3DZ5r4eoUlGSTS4tZ2c/A3wnvzEy+f0Pf5D2dUWCL5RfVp7Q6cndEpqlXjZ3lhymTA+go/SdY9VQFKOBsS6ElT56Pr/QRtqqRP2JQK6pP96voeYqWT0YKCdrBkYZ6fJGQ32AD+mQ62hiMzOu9PvriNJzw2no7xyK1U0+MBNPzCcJ6yOrGqX8/yVB8d1hL9IjstZRbMaszdJnnGGMN/JoOtcFxg6v+a5EFC63uXAUL/inxvdNreZMGnuPJJ7HnuDe8yY089Xzwisy6dts6YJ/doEPFOJQ==</ds:SignatureValue><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>zZlTNJ+QcTp2yGH1ECXO3ry4GHhcs1CW3I6GPiPvtO+P6lyWxYdQd2RK/Hk9Kap6qpm/qom0rTwb
-FU2I67Y2JdQ3T5QBJjGHbGHU1uMxVWkhJluoa0Lpm381zNCJTZp8PetoB8dnIGua9y1aL75v04CG
-TzJ14I9/sW+apTkWj7xVQXutvVKETdn4kAy+L33HpriZjQNlcuAbqQj6OWsN4tGkLvNFZT40jQzp
-/8/tOQE6n2+zn3I8hUePwjPQROUmCeK86CkF0yVCPQ/vOTsC00Uaeu/SPOUu5ot+/75NPyE8w5Ry
-DgefdDXhYNmeuQtwGtcu/FI66atQMNTDoChXJQ==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><saml2p:StatusMessage>Authentication success.</saml2p:StatusMessage></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="e5afbcaa-be69-4b41-ac48-2f23538accdb" IssueInstant="2017-04-21T13:12:50.830Z" Version="2.0"><saml2:Issuer>https://idp.secureworks.com/SAML2</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#e5afbcaa-be69-4b41-ac48-2f23538accdb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>BMN0lUblP0gYGcw2PCyhwFZzkxY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>F/2aaOQ3J/S6ULUd+gAuIclVueHEC2UfmtO2eR2oYb/YXub9E22yZe7eQgj2wdhYOvacVXN28QJJJG+K3Njwvi6b7mqf+T8N1YwaJW1fYAm28ayg4dEOTjHnjbRMZ6L+3cZPmPcFyE+edhCHEMnTLSqSvBnSyc1cwGdO9PmfWmt6PzUwf2nr2P5577Yc1FEQ9OtTx7ugWN3iPmjtLeTcpZfIDQX9+gSsh0KT+t61uWaYz+PJhtKnZQFeyr3uIxBTxv4wQ90FnmE4PiDvMksin5CDMfiMwd7pn7rNbk4EVHiDgSMkY6P4h8eWQwiqglOrQSZZr4BJgCoUbcNfZCq/7A==</ds:SignatureValue><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>zZlTNJ+QcTp2yGH1ECXO3ry4GHhcs1CW3I6GPiPvtO+P6lyWxYdQd2RK/Hk9Kap6qpm/qom0rTwb
-FU2I67Y2JdQ3T5QBJjGHbGHU1uMxVWkhJluoa0Lpm381zNCJTZp8PetoB8dnIGua9y1aL75v04CG
-TzJ14I9/sW+apTkWj7xVQXutvVKETdn4kAy+L33HpriZjQNlcuAbqQj6OWsN4tGkLvNFZT40jQzp
-/8/tOQE6n2+zn3I8hUePwjPQROUmCeK86CkF0yVCPQ/vOTsC00Uaeu/SPOUu5ot+/75NPyE8w5Ry
-DgefdDXhYNmeuQtwGtcu/FI66atQMNTDoChXJQ==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID>rkinder@secureworks.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="id-3992f74e652d89c3cf1efd6c7e472abaac9bc917" NotBefore="2017-04-21T13:12:50.830Z" NotOnOrAfter="2017-04-21T13:17:50.830Z" Recipient="https://preview.docrocket-ross.test.octolabs.io/saml/acs"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-04-21T13:12:50.830Z" NotOnOrAfter="2017-04-21T13:17:50.830Z"><saml2:AudienceRestriction><saml2:Audience>https://preview.docrocket-ross.test.octolabs.io/saml/metadata</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-04-21T13:12:50.830Z" SessionIndex="undefined"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
-`
+	idpMetadata := golden.Get(t, "TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_idp_metadata")
+	respStr := golden.Get(t, "TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_response")
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Fri Apr 21 13:12:51 UTC 2017")
 		return rv
 	}
 	Clock = dsig.NewFakeClockAt(TimeNow())
 	s := ServiceProvider{
-		Key:         key2017,
-		Certificate: cert2017,
+		Key:         mustParsePrivateKey(golden.Get(t, "key_2017.pem")).(*rsa.PrivateKey),
+		Certificate: mustParseCertificate(golden.Get(t, "cert_2017.pem")),
 		MetadataURL: mustParseURL("https://preview.docrocket-ross.test.octolabs.io/saml/metadata"),
 		AcsURL:      mustParseURL("https://preview.docrocket-ross.test.octolabs.io/saml/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(idpMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(respStr)))
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(respStr))
 	_, err = s.ParseResponse(&req, []string{"id-3992f74e652d89c3cf1efd6c7e472abaac9bc917"})
 	if err != nil {
-		c.Assert(err.(*InvalidResponseError).PrivateErr, IsNil)
-	}
-	c.Assert(err, IsNil)
-}
-
-var key2017 = mustParsePrivateKey(`-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAnu2wAmonitRkVP/lKO+gDWalAEL4qJ1x6EyxMVb/2Xvdw+dg
-2G2c1771Lyfvp4XYBK4TAAo3nGhcM/b3vLhk45GeSi4/yOJhmOo0dNyQT0t68zxg
-6lM9WiOGr6uruGJDIwXqkmQE+B26iVyycGDXzyOf+g2Z2bMhpLfdCI05noUZcsq3
-f8Vqmxx5rSCrxrjrAqEUVCZbyL4wap1JKLbnlzTllkvkfTimUM2gYS8RLk6zFKNt
-nj7b3grzec5egZIQ9+w7hdRM5GWvKKzSn9/do1SCii555OmEP0ajakYdi9qGO6zH
-041tnt6BzTt0mggBWOBoxK/5TCp+nGMBTvTXywIDAQABAoIBAGc853TqGD2qsnI0
-uFvbLREHeG+vEXAWtoO8Le5rIU/ZkrlLeDGfIp9TQFodiyQ7YZPIsDb6bB2B/UMU
-TuGctozNbxGo8W5BAD0hBmpTTLr1wSx4MEyHPfdr1HYRAj+INSxvD22A42l5hk7s
-lE1D22yHK8h3RVWRc21YspB3jNJXhYq4qHU8ZIOK+I7wEy8AZYP5kI4ZUC/nXFik
-SwMeVN7U6TT+53Q6n08pos5Nupq0+3cAvZgneV2PP2fGCLIi9VU8Oh7N1WQMYzBt
-rYQwnWR6e2Mo0uH4eaaBlPW/3t4HXbS1b26RULC+i5MU3ZUy02w76liHGuuKAWOy
-6p6CkoECgYEAzpnt/9S+HKknCFwKMkvMxZ7xI3TxyG5gd41NYm+w8hPk3QlXzcva
-RqM1p2nacok4t8HEeAotkz8sP28GmcB4Egh33fUdhKQAkFrQ/OncWcRfzrhnrAMa
-gaNT/DT1QTOvfmnle3QLnZhgEDk6plgujvPmJ104/4TjIUOqru0DebsCgYEAxO20
-Biq5Bjfot8HxQE+Ur1VPEyZkYUQ9Xmx/exyMTBLy2bUMvZq40TMDEgGMzYvbOvgR
-d7/1X2SVvl3sl2mlRJ3nfSEO/Blq+EovdOi0liUYo5LT4IGx+uToBlfmTPNrTYBp
-P7JqH97DKYdM4eujwYkiPaAHkFYsnJi/jEU9cTECgYAssS3D9uB9ULYp38cw5CbS
-5TQiyGx5QC9MDVwdHC4538XVbuz4js2UFEBKC+L+feKwFZGLqh/7x2GqAzl5TyJq
-PDy53glZpSSeFZc57tkE7i8Ph+KdWjqEqrFDUK1xQl4HSZ8j2pGcsNavC8I9M7w2
-nlo+T7NByxxbGMk2d/0VewKBgQCJvr7qhV2wRNEqH6VxV3jn/2L1QSh7hLDsaDXv
-VjOoTqTBtUs5II1f/y+Jm73yVH4/TB9jxMiMNh4r7yS7cDEiwtSWCNajbeAN1k5F
-lzQhxcbrO5uqcO2eUhkdvsQfVTDcIBL+c/yZWEbouHQFnr6HdDWYJ2TDCBPiYVGy
-ewgUMQKBgQCIgGzau6+hH8z6aWTnozGA4m8sWFq+t+ug4Gq6v3IAxBOQ2NhmQMRQ
-L3BkCfCGAx5JckBROqEiAvPLftof0bVJoxBKfslDrhJocEUJwjXUxmD5RRLr7SXU
-P4hDC736Y0DH3nzRlUZ2IP4mhqSECOEYAuz2VuJBTCbd0VEzpnxVfg==
------END RSA PRIVATE KEY-----`).(*rsa.PrivateKey)
-var cert2017 = mustParseCertificate(`-----BEGIN CERTIFICATE-----
-MIIDRTCCAi2gAwIBAgIJANke+OUVRk19MA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV
-BAMTFW15c2VydmljZS5leGFtcGxlLmNvbTAeFw0xNzA0MTkxOTU2MTNaFw0xODA0
-MTkxOTU2MTNaMCAxHjAcBgNVBAMTFW15c2VydmljZS5leGFtcGxlLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ7tsAJqJ4rUZFT/5SjvoA1mpQBC
-+KidcehMsTFW/9l73cPnYNhtnNe+9S8n76eF2ASuEwAKN5xoXDP297y4ZOORnkou
-P8jiYZjqNHTckE9LevM8YOpTPVojhq+rq7hiQyMF6pJkBPgduolcsnBg188jn/oN
-mdmzIaS33QiNOZ6FGXLKt3/Fapscea0gq8a46wKhFFQmW8i+MGqdSSi255c05ZZL
-5H04plDNoGEvES5OsxSjbZ4+294K83nOXoGSEPfsO4XUTORlryis0p/f3aNUgoou
-eeTphD9Go2pGHYvahjusx9ONbZ7egc07dJoIAVjgaMSv+UwqfpxjAU7018sCAwEA
-AaOBgTB/MB0GA1UdDgQWBBSYE9Nwp/eUqfRQ11rqwoowNFHNyTBQBgNVHSMESTBH
-gBSYE9Nwp/eUqfRQ11rqwoowNFHNyaEkpCIwIDEeMBwGA1UEAxMVbXlzZXJ2aWNl
-LmV4YW1wbGUuY29tggkA2R745RVGTX0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
-AQUFAAOCAQEAVJmpMg1ZpDGweoCU4k66RVDpPzSuPJ+9H9L2jcaA38itDtXmG9Iz
-dbOLpNF9fDbU60P421SgS0nF/s7zkxkYJWOoZaced/vUO6H9TdWEZay+uywAjvoZ
-GwkZ9HxYMqKMVld4EwW/OwT67UVBdtgkSfI1O7ojqDOFx7U4+HJWxUEwGOc0pOPz
-NyLSYCsAkQt2CZU7dN72L96Ka8xxklNaVcUaUH+zOWF1JBamV9s6M2umcdBot8MO
-3m1zQTkXzBKM3f+Yvk+dRjO4TSW90h2oQqot8xrkPhy+DgOqJj3/lKmZXjqE5mAE
-hpQB0uVPekPvKN89hCnkPo2EvXKPf7VZgg==
------END CERTIFICATE-----
-`)
-
-func (test *ServiceProviderTest) TestRealWorldAssertionSignedNotResponse(c *C) {
+		assert.Check(t, err.(*InvalidResponseError).PrivateErr)
+	}
+	assert.Check(t, err)
+}
+
+func TestSPRealWorldAssertionSignedNotResponse(t *testing.T) {
 	// This is a real world SAML response that we observed. It contains <ds:RSAKeyValue> elements rather than
 	// a certificate in the response.
-	idpMetadata := `<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.secureworks.com/SAML2"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIG1TCCBL2gAwIBAgICClwwDQYJKoZIhvcNAQENBQAwgaoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9yZ2lhMRAwDgYDVQQHEwdBdGxhbnRhMRkwFwYDVQQKExBEZWxsIFNlY3VyZVdvcmtzMQ4wDAYDVQQLEwVJVE9wczElMCMGA1UEAxMcRGVsbCBTZWN1cmVXb3JrcyBJbnRlcm5hbCBDQTElMCMGCSqGSIb3DQEJARYWYS10ZWFtQHNlY3VyZXdvcmtzLmNvbTAeFw0xNjA1MTExMTEyMzdaFw0xODA1MTExMTEyMzdaMIG+MQswCQYDVQQGDAJVUzEQMA4GA1UECAwHR2VvcmdpYTEQMA4GA1UEBwwHQXRsYW50YTEaMBgGA1UECgwRU2VjdXJld29ya3MsIEluYy4xHTAbBgNVBAsMFFNlY3VyaXR5IEVuZ2luZWVyaW5nMSYwJAYDVQQDDB1pZHAuc2VjdXJld29ya3MuY29tLXNpZ25hdHVyZTEoMCYGCSqGSIb3DQEJARYZcHJvZGNlcnRzQHNlY3VyZXdvcmtzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM2ZUzSfkHE6dshh9RAlzt68uBh4XLNQltyOhj4j77Tvj+pclsWHUHdkSvx5PSmqeqqZv6qJtK08GxVNiOu2NiXUN0+UASYxh2xh1NbjMVVpISZbqGtC6Zt/NczQiU2afD3raAfHZyBrmvctWi++b9OAhk8ydeCPf7FvmqU5Fo+8VUF7rb1ShE3Z+JAMvi99x6a4mY0DZXLgG6kI+jlrDeLRpC7zRWU+NI0M6f/P7TkBOp9vs59yPIVHj8Iz0ETlJgnivOgpBdMlQj0P7zk7AtNFGnrv0jzlLuaLfv++TT8hPMOUcg4Hn3Q14WDZnrkLcBrXLvxSOumrUDDUw6AoVyUCAwEAAaOCAe0wggHpMAwGA1UdEwEB/wQCMAAwLgYJYIZIAYb4QgENBCEWH0NBOlRvb2wgUi1HZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAWm0miEWAiHZUTgLGQcUJ+rDfKTMAsGA1UdDwQEAwID6DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwJAYDVR0RBB0wG4EZcHJvZGNlcnRzQHNlY3VyZXdvcmtzLmNvbTCBxAYDVR0jBIG8MIG5gBSnJ9n8XVHS92gLa5dG8CETeun58KGBnKSBmTCBljELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0dlb3JnaWExEDAOBgNVBAcTB0F0bGFudGExGTAXBgNVBAoTEERlbGwgU2VjdXJlV29ya3MxITAfBgNVBAMTGERlbGwgU2VjdXJlV29ya3MgUm9vdCBDQTElMCMGCSqGSIb3DQEJARYWYS10ZWFtQHNlY3VyZXdvcmtzLmNvbYICEAEwcQYDVR0gBGowaDBmBgRVHSAAMF4wXAYIKwYBBQUHAgEWUGh0dHBzOi8vY29uZmx1ZW5jZS5zZWN1cmV3b3Jrcy5uZXQvZGlzcGxheS9hcmNoL0RlbGwrU2VjdXJlV29ya3MrSW50ZXJuYWwrQ0ErQ1BTMA0GCSqGSIb3DQEBDQUAA4ICAQCKQPw5TuIUAV5HEwjc+lcaOeSPq288wdKYPf6peunv0v29gIgfnB33k5rr6LD7QuQW2DpcMk0fBDJZUNuQd314kjmfkz6lNoiRGR4KSCe9ryafSExuv0KTmmjKDs/Vy47tVGSdl2DZPE3/bnEbLyPGB7d2hKOzemjyYxjD+3AI24e++ATCpHpi6MGuW4Ya2Lro4DC20E4qeA2x7qIXFlPuCQR5dxs37hNaisUZKTUOgotoq1hFBOa4wF3AtMfiUDh2Wfx4cv0QuOTgL9zbZDNOiCS+niCMpok8HftJJk8IMEV0TBKjAE80p1YoZvbEXJv76e68/apmpA8oIRQniOcXEqPj2S8PgmxX4Pqpj7mGzdkj6VcZW25LOE7AkIVVYiVg1F7VzhugzDitCYeKm/o9shZfYVE/vLLOgrewQR05Pxm7rbSv3HsGGieVdDp7KRjuGQQQ2q/YUEbHAHfohXD9LW/O2jUMwXvCMXdhnmsezsCW6ZCBToplBbqW+BkqAz5dtVOhVon8GVNrcfEY4EWk5cr/UfnvvXVgbyV7Tut5qeUM3JWmieAEUl1KKFTweN25Jib/sYYwYuKjc7fp2J5Ovwi5ZcMZsRydUihoRSR5rzk6uPVq9FADyp7AXsXW5oocwzrWSBNRC6Od+nEpEiB42t0Gsih3Asenj6PbfkTBlw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.secureworks.com/SAML2/SSO/POST"/></md:IDPSSODescriptor></md:EntityDescriptor>`
-	respStr := `<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://preview.docrocket-ross.test.octolabs.io/saml/acs" ID="28338c8c-39ab-4b94-bcdc-46f68f99d962" InResponseTo="id-3992f74e652d89c3cf1efd6c7e472abaac9bc917" IssueInstant="2017-04-21T13:12:50.830Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.secureworks.com/SAML2</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><saml2p:StatusMessage>Authentication success.</saml2p:StatusMessage></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="e5afbcaa-be69-4b41-ac48-2f23538accdb" IssueInstant="2017-04-21T13:12:50.830Z" Version="2.0"><saml2:Issuer>https://idp.secureworks.com/SAML2</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#e5afbcaa-be69-4b41-ac48-2f23538accdb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>BMN0lUblP0gYGcw2PCyhwFZzkxY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>F/2aaOQ3J/S6ULUd+gAuIclVueHEC2UfmtO2eR2oYb/YXub9E22yZe7eQgj2wdhYOvacVXN28QJJJG+K3Njwvi6b7mqf+T8N1YwaJW1fYAm28ayg4dEOTjHnjbRMZ6L+3cZPmPcFyE+edhCHEMnTLSqSvBnSyc1cwGdO9PmfWmt6PzUwf2nr2P5577Yc1FEQ9OtTx7ugWN3iPmjtLeTcpZfIDQX9+gSsh0KT+t61uWaYz+PJhtKnZQFeyr3uIxBTxv4wQ90FnmE4PiDvMksin5CDMfiMwd7pn7rNbk4EVHiDgSMkY6P4h8eWQwiqglOrQSZZr4BJgCoUbcNfZCq/7A==</ds:SignatureValue><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>zZlTNJ+QcTp2yGH1ECXO3ry4GHhcs1CW3I6GPiPvtO+P6lyWxYdQd2RK/Hk9Kap6qpm/qom0rTwb
-FU2I67Y2JdQ3T5QBJjGHbGHU1uMxVWkhJluoa0Lpm381zNCJTZp8PetoB8dnIGua9y1aL75v04CG
-TzJ14I9/sW+apTkWj7xVQXutvVKETdn4kAy+L33HpriZjQNlcuAbqQj6OWsN4tGkLvNFZT40jQzp
-/8/tOQE6n2+zn3I8hUePwjPQROUmCeK86CkF0yVCPQ/vOTsC00Uaeu/SPOUu5ot+/75NPyE8w5Ry
-DgefdDXhYNmeuQtwGtcu/FI66atQMNTDoChXJQ==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID>rkinder@secureworks.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="id-3992f74e652d89c3cf1efd6c7e472abaac9bc917" NotBefore="2017-04-21T13:12:50.830Z" NotOnOrAfter="2017-04-21T13:17:50.830Z" Recipient="https://preview.docrocket-ross.test.octolabs.io/saml/acs"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-04-21T13:12:50.830Z" NotOnOrAfter="2017-04-21T13:17:50.830Z"><saml2:AudienceRestriction><saml2:Audience>https://preview.docrocket-ross.test.octolabs.io/saml/metadata</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-04-21T13:12:50.830Z" SessionIndex="undefined"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
-`
+	idpMetadata := golden.Get(t, "TestSPRealWorldAssertionSignedNotResponse_idp_metadata")
+	respStr := golden.Get(t, "TestSPRealWorldAssertionSignedNotResponse_response")
+
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Fri Apr 21 13:12:51 UTC 2017")
 		return rv
@@ -793,20 +1528,122 @@ DgefdDXhYNmeuQtwGtcu/FI66atQMNTDoChXJQ==</ds:Modulus><ds:Exponent>AQAB</ds:Expon
 	Clock = dsig.NewFakeClockAt(TimeNow())
 
 	s := ServiceProvider{
-		Key:         key2017,
-		Certificate: cert2017,
+		Key:         mustParsePrivateKey(golden.Get(t, "key_2017.pem")).(*rsa.PrivateKey),
+		Certificate: mustParseCertificate(golden.Get(t, "cert_2017.pem")),
 		MetadataURL: mustParseURL("https://preview.docrocket-ross.test.octolabs.io/saml/metadata"),
 		AcsURL:      mustParseURL("https://preview.docrocket-ross.test.octolabs.io/saml/acs"),
 		IDPMetadata: &EntityDescriptor{},
 	}
-	err := xml.Unmarshal([]byte(idpMetadata), &s.IDPMetadata)
-	c.Assert(err, IsNil)
+	err := xml.Unmarshal(idpMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
-	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(respStr)))
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(respStr))
 	_, err = s.ParseResponse(&req, []string{"id-3992f74e652d89c3cf1efd6c7e472abaac9bc917"})
 	if err != nil {
-		c.Assert(err.(*InvalidResponseError).PrivateErr, IsNil)
+		assert.Check(t, err.(*InvalidResponseError).PrivateErr)
+	}
+	assert.Check(t, err)
+}
+
+func TestServiceProviderCanHandleSignedAssertionsResponse(t *testing.T) {
+	test := NewServiceProviderTest(t)
+
+	// Note: This test uses an actual response from onelogin, submitted by a user.
+	// However, the test data below isn't actually valid -- the issue instant is
+	// before the certificate's issued time. In order to preserve this test data and
+	// signatures, we assign a different time to Clock, used by xmldsig than to
+	// TimeNow which is used to verify the issue time of the SAML assertion.
+
+	Clock = dsig.NewFakeClockAt(func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T14:12:57Z")
+		return rv
+	}())
+	TimeNow = func() time.Time {
+		rv, _ := time.Parse(timeFormat, "2014-07-17T01:02:59Z")
+		return rv
 	}
-	c.Assert(err, IsNil)
+
+	SamlResponse := golden.Get(t, "TestServiceProviderCanHandleSignedAssertionsResponse_response")
+	test.IDPMetadata = golden.Get(t, "TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata")
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("http://sp.example.com/demo1/metadata.php"),
+		AcsURL:      mustParseURL("http://sp.example.com/demo1/index.php?acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+	req.PostForm.Set("SAMLResponse", string(SamlResponse))
+	assertion, err := s.ParseResponse(&req, []string{"ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"})
+	if err != nil {
+		t.Logf("%s", err.(*InvalidResponseError).PrivateErr)
+	}
+	assert.Check(t, err)
+
+	assert.Check(t, is.Equal("_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
+		{
+			Name:       "uid",
+			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "test",
+				},
+			},
+		},
+		{
+			Name:       "mail",
+			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "test@example.com",
+				},
+			},
+		},
+		{
+			Name:       "eduPersonAffiliation",
+			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "users",
+				},
+				{
+					Type:  "xs:string",
+					Value: "examplerole1",
+				},
+			},
+		},
+	}, assertion.AttributeStatements[0].Attributes))
+}
+
+func TestSPResponseWithNoIssuer(t *testing.T) {
+	test := NewServiceProviderTest(t)
+
+	// This test case for the IdP response with no <Issuer> element. SAML standard says
+	// that the <Issuer> element MAY be omitted in the <Response> (but MUST present in the <Assertion>).
+
+	s := ServiceProvider{
+		Key:         test.Key,
+		Certificate: test.Certificate,
+		MetadataURL: mustParseURL("https://15661444.ngrok.io/saml2/metadata"),
+		AcsURL:      mustParseURL("https://15661444.ngrok.io/saml2/acs"),
+		IDPMetadata: &EntityDescriptor{},
+	}
+	err := xml.Unmarshal(test.IDPMetadata, &s.IDPMetadata)
+	assert.Check(t, err)
+
+	req := http.Request{PostForm: url.Values{}}
+
+	// Response with no <Issuer> (modified ServiceProviderTest.SamlResponse)
+	samlResponse := golden.Get(t, "TestSPResponseWithNoIssuer_response")
+	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(samlResponse))
+	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
+	assert.Check(t, err)
 }
diff --git a/testdata/SP_AuthnRequest b/testdata/SP_AuthnRequest
new file mode 100644
index 00000000..1adc1dbf
--- /dev/null
+++ b/testdata/SP_AuthnRequest
@@ -0,0 +1 @@
+https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?RelayState=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1cmkiOiIvIn0.eoUmy2fQduAz--6N82xIOmufY1ZZeRi5x--B7m1pNIY&SAMLRequest=lJJBj9MwEIX%2FSuR7Yzt10sZKIpWtkCotsGqB%2B5BMW4vELp4JsP8et4DYE5Tr%2BPnN957dbGY%2B%2Bz1%2BmZE4%2Bz6NnloxR28DkCPrYUKy3NvD5s2jLXJlLzFw6MMosg0RRnbBPwRP84TxgPGr6%2FHD%2FrEVZ%2BYLWSl1WVXaGJP7UwyfcxckwTQWEnoS2TbtdB6uHn9uuOGSczqgs%2FuUh3i6DmTaenQjyitGIfc4uIg9y8Phnch221a4YVFjpVflcqgM1sUajiWsYGk01KujKVRfJyHRjDtPDJ5bUShdLrReLNX7QtmysrrMK6Pqem3MeqFKq5TInn6lfeX84PypFSL7iJFuwKkN0TU303hPc%2FC7L5G9DnEC%2Frv8OkmxjjepRc%2BOn0X3r14nZBiAoZE%2FwbrmbfLZbZ%2FC6Prn%2F3zgcQzfHiICYys4zii6%2B4E5gieXsBv5kqBr5Msf1%2F0IAAD%2F%2Fw%3D%3D
\ No newline at end of file
diff --git a/testdata/SP_IDPMetadata b/testdata/SP_IDPMetadata
new file mode 100644
index 00000000..a79b4f19
--- /dev/null
+++ b/testdata/SP_IDPMetadata
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:mdalg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="urn:mace:shibboleth:testshib:two" validUntil="2015-12-03T01:57:09Z" entityID="https://idp.testshib.org/idp/shibboleth">
+	<Extensions>
+		<mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
+		<mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" />
+		<mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
+		<mdalg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
+		<mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
+		<mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" />
+		<mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
+		<mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
+	</Extensions>
+	<IDPSSODescriptor validUntil="2015-12-03T01:57:09Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
+		<Extensions>
+			<shibmd:Scope regexp="false">testshib.org</shibmd:Scope>
+			<mdui:UIInfo>
+				<mdui:DisplayName xml:lang="en">TestShib Test IdP</mdui:DisplayName>
+				<mdui:Description xml:lang="en">TestShib IdP. Use this as a source of attributes
+                        for your test SP.</mdui:Description>
+				<mdui:Logo height="88" width="253">https://www.testshib.org/testshibtwo.jpg</mdui:Logo>
+			</mdui:UIInfo>
+		</Extensions>
+		<KeyDescriptor>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
+                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
+                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
+                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
+                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
+                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
+                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
+                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
+                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
+                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
+                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
+                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
+                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
+                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
+                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
+                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
+                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
+                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
+                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
+                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
+                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
+                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
+		</KeyDescriptor>
+		<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1" />
+		<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2" />
+		<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+		<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.testshib.org/idp/profile/SAML2/POST/SLO" />
+		<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SLO" />
+		<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.testshib.org/idp/profile/Shibboleth/SSO" />
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.testshib.org/idp/profile/SAML2/POST/SSO" />
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" />
+		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP" />
+	</IDPSSODescriptor>
+	<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+		<KeyDescriptor>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
+                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
+                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
+                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
+                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
+                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
+                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
+                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
+                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
+                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
+                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
+                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
+                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
+                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
+                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
+                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
+                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
+                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
+                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
+                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
+                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
+                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
+			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
+		</KeyDescriptor>
+		<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/AttributeQuery" />
+		<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery" />
+		<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+	</AttributeAuthorityDescriptor>
+	<Organization>
+		<OrganizationName xml:lang="en">TestShib Two Identity Provider</OrganizationName>
+		<OrganizationDisplayName xml:lang="en">TestShib Two</OrganizationDisplayName>
+		<OrganizationURL xml:lang="en">http://www.testshib.org/testshib-two/</OrganizationURL>
+	</Organization>
+	<ContactPerson contactType="technical">
+		<GivenName>Nate</GivenName>
+		<SurName>Klingenstein</SurName>
+		<EmailAddress>ndk@internet2.edu</EmailAddress>
+	</ContactPerson>
+</EntityDescriptor>
diff --git a/testdata/SP_SamlResponse b/testdata/SP_SamlResponse
new file mode 100644
index 00000000..d5bb6a14
--- /dev/null
+++ b/testdata/SP_SamlResponse
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://15661444.ngrok.io/saml2/acs" ID="_e9b3332eeaf348da6786aed16300aca9" InResponseTo="id-9e61753d64e928af5a7a341a97f420c9" IssueInstant="2015-12-01T01:56:21.375Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_dab0b1dbbc0595ab06473034e3bb798c" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_dd9264352cef16103cdb21fae97fa951" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX
+DTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x
+EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308
+kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv
+SPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf
+nqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv
+TLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+
+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>i/wh2ubXbhTH5W3hwc5VEf4DH1xifeTuxoe64ULopGJ0M0XxBKgDEIfTg59JUMmDYB4L8UStTFfqJk9BRGcMeYWVfckn5gCwLptD9cz26irw+7Ud7MIorA7z68v8rEyzwagKjz8VKvX1afgec0wobVTNN3M1Bn+SOyMhAu+Z4tE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>a6PZohc8i16b2HG5irLqbzAt8zMI6OAjBprhcDb+w6zvjU2Pi9KgGRBAESLKmVfBR0Nf6C/cjozCGyelfVMtx9toIV1C3jtanoI45hq2EZZVprKMKGdCsAbXbhwYrd06QyGYvLjTn9iqako6+ifxtoFHJOkhMQShDMv8l3p5n36iFrJ4kUT3pSOIl4a479INcayp2B4u9MVJybvN7iqp/5dMEG5ZLRCmtczfo6NsUmu+bmT7O/Xs0XeDmqICrfI3TTLzKSOb8r0iZOaii5qjfTALDQ10hlqxV4fgd51FFGG7eHr+HHD+FT6Q9vhNjKd+4UVT2LZlaEiMw888vyBKtfl6gTsuJbln0fHRPmOGYeoJlAdfpukhxqTbgdzOke2NY5VLw72ieUWREAEdVXBolrzbSaafumQGuW7c8cjLCDPOlaYIvWsQzQOp5uL5mw4y4S7yNPtTAa5czcf+xgw4MGatcWeDFv0gMTlnBAGIT+QNLK/+idRSpnYwjPO407UNNa2HSX3QpZsutbxyskqvuMgp08DcI2+7+NrTXtQjR5knhCwRNkGTOqVxEBD6uExSjbLBbFmd4jgKn73SqHStk0wCkKatxbZMD8YosTu9mrU2wuWacZ1GFRMlk28oaeXl9qUDnqBwZ5EoxT/jDjWIMWw9b40InvZK6kKzn+v3BSGKqzq2Ecj9yxE7u5/51NC+tFyZiN2J9Lu9yehvW46xRrqFWqCyioFza5bw1yd3bzkuMMpd6UvsZPHKvWwap3+O6ngc8bMBBCLltJVOaTn/cBGsUvoARY6Rfftsx7BamrfGURd8vqq+AI6Z1OC8N3bcRCymIzw0nXdbUSqhKWwbw6P2szvAB6kCdu4+C3Bo01CEQyerCCbpfn/cZ+rPsBVlGdBOLl5eCW8oJOODruYgSRshrTnDffLQprxCddj7vSnFbVHirU8a0KwpCVCdAAL9nKppTHs0Mq2YaiMDo8mFvx+3kan/IBnJSOVL19vdLfHDbZqVh7UVFtiuWv3T15BoiefDdF/aR5joN0zRWf8l6IYcjBOskk/xgxOZhZzbJl8DcgTawD8giJ31SJ1NoOqgrSD4wBHGON4mInHkO0X5+vw1jVNPGF3BwHw0kxoCT3ZKdSsi8O4tlf1y227cf794AGnyQe13O032jYgOmM5qNkET6PyfkyD/h0ufgQq2vJvxSOiRv76Kdg0SeRuNPW9MyjO/5APHl7tBlDBEVq+LWDHl4g9h/bw+Fsi0WN4pLN1Yv9RANWpIsXWyvxTWIZHTuZEjNbHqFKpsefx/oY1b9cSzKR5fQ9vc32e17WykL0O7pwpzV6TrFN874GdmW5lG5zfqnRHUQh1aV2WwBJ74mB4tv/y5rmRjTe5h/rN90kN+eQGeR3eG7XUHLhK/yCV+xq8KKPxNZexcdHGA905rvYokbtmr/jIN5kAMBdlOU8akPAZdSMMh+g/RZo5MO50/gdg6MTpB4onU2FBd54FNDp2fuBUxBsnTqpZXkDcAPEfSBr+z2l8jTRmxMricWyeC55ILgxM4er68n0xYjwb2jyQum3IQq7TSYYU/qjNiH1fQBtdRmBkzXJYYk+9q7C6OZJUdR96ERnTIi93NaYmtpSEvZU9vS6MV1VBOnEf8UzUUT9ibMpP9XDSINX7dN24rKIufSY+3+70orQB07XOWp6++SWKgA+WThaoPhp8sWWMeSZuda/wq6jdVTAB8FOPiP3lNl0BqxagQEPmNxDWXwTplSFSR3SP0e4sHMSjLvysibV9Z87LZa1FG0cWU2hrhiyOLsIWMnd4vdTLaWjhXuGlrDShxSAiI39wsl5RB59E+DXVSTBQAoAkHCKGK69YiMKU9K8K/LeodApgw46oPL08EWvleKPCbdTyjKUADtxfAujR84GMEUz9Aml4Q497MfvABQOW6Hwg54Z3UbwLczDCOZyK1wIwZTyS9w3eTH/6EBeyzhtt4G2e/60jkywHOKn17wQgww2ZsDcukdsCMfo4FV0NzfhSER8BdL+hdLJS3R1F/Vf4aRBEuOuycv2AqB1ZqHhcjZh7yDv0RpBvn3+2rzfzmYIBlqL16d1aBnvL4C03I0J59AtXN9WlfJ8SlJhrduW/PF4pSCAQEyHGprP9hVhaXCOUuXCbjA2FI57NkxALQ2HpCVpXKGw0qO0rYxRYIRlKTl43VFcrSGJdVYOFUk0ZV3b+k+KoxLVSgBjIUWxio/tvVgUYDZsO3M3x0I+0r9xlWZSFFmhwdOFouD+Xy1NPTmgwlUXqZ4peyIE1oVntpcrTJuev2jNScXbU9PG8b589GM4Z09KS/fAyytTFKmUpBuTme969qu0eA7/kBSHAkKvbfj0hsrbkkF9y/rXi8xgcMXNgYayW8MHEhm506AyPIvJAreZL637/BENO1ABdWS1Enj/uGaLM1ED8UY94boh/lMhqa9jALgEOHHxspavexi3HIFwJ55s4ocQnjb4p6op4CRPUdPCfli5st9m3NtQoH9kT1FTRZa9sG8Ybhey5wP17YgPIg9ZZtvlvpSTwCwZxHZ348wXJWhbtId9DyOcIzsyK5HaJcRsp8SQVR5nbRW0pUyC/bFAtX1KOGJmtro/QfmnLG9ksuaZvxP6+bH1K+CibEFIRDllAUFFPiuT+2b3Yp3Tu1VvXokMAgmcB5iFDgTAglw5meJYJ99uIBmj0EVZm8snMhRrHjMPTAYD5kwPK/YDShPFFV3XEIFzLD3iYrzb7sub/Z4gTTELWzzS3bCpYPAh4KWeTih+p7Xj0Xf04nSONHZXsQnNenc+PNae+Zj5iCfJ/PpqhMn61n/YBP7gipYYEtOZYzDtvMz+mytYRUOaZTq3W4Wp64f+XVekn49CLarLm6qPyiz5kJwaT8lJ+VEZDPpS/ChLM4eq90GogJBvK0jxmQ1AGvnKpV2lw9XCudf3PXbaTb+r2QPcihKnmqcEgPgYlN8VLclicNW1WyjBJ+HvDTQPbs1r1/KnBK4O5HTT6ehuHpJsYlBN9vzjsD+ov6SRkBqiGPUg9CoKKmWS6dirxwOXi3OUFzkWFVDyDezfkJAzqkmG0nlEGb9mTHdVDfX010bPJ4ZQzQSyHp7Ht2mATyQwOEem2AMB/RpNwlOKXWIdsQ5p3dHF+kmsJHI8xjEv2GeUa/aXX3MF3fPfUA7La8J8fbnaDLbnEqMCLMfdfc9+kY7EKyqPiE5KFpF0EhQBrHl8SiPuFQCoxvlH2u+ujncW7Z5JiBmMKUWOXUHhIe4NckP1awRsEcfhEs664DqOp9CbLwTXk71hHVBtINylFcf7uBZwjxNW+hCfZEoVEjjs/V4J9QeXCxpTu5TcXxBxwN5zBdkCodNFPLUg+3UicaykaH0+wrGoTu/ugjF9rz7OezMMs3pep+bzLp+yZbFAL/z/yATY3UG+lpk6Rw4SkjbnAxBSedaEdqbotddkGzVQubHvHqCiKpkAw58rAa2v15hc+UmkrRFslS8SYxTIPXs2sTNhnCCrUn8nlKufeoAm65vgYtEQ4NzmG9tqKtTeBfZAvSToYaiQq+kPii1ssuu1OULAVuSx8x/CYO6orgX7h5wI0R/Ug1nux7cb2/+pFLbNyGvwKf1TLym2NvFMJpvFlTsOJJ4DxXM/v2JkC9umm93quXLsojx7KTEOFDQLsnMKsVo6ZzRQidEwK5gQPyZL1yjGirJcEuGMAEf6LA2AsKIIZhsMEPlLpzMiVo5Y0LoL6NFsXigceLaaJMEMuYNJJdh+uxyfW57+PoQ7V8KkzSHFsKan14GnpWeOV7r13uopwCPeIsEKUVG77ypd+ILQkbKxH2lQdsFyjpofqkbgEVM5XAnVbdhfwyebNHn5OJtadVkOMcJc/WMWJef1idcSfvP5ENkwp3pKg9Ljoi+hU2Chp1vTmksO2HJt0of4QnQ8jGlcqnOrAMiWUCd2W/8AmhRBjevt3UqxnqELVvg+HJPlyqFyuUlDxx25mXEdW0COpA3s9OlSgcMjvQbIJ42NUhGFZLoK1pvPLZo711w2Ex3Lm5qqcr/7I4+vTntd/Id5aJiP18LQpslTy614Wd4eD8+RfjEtmDAPXhgvfekVkS/rDnI/9H0k3AdHc78fJCJRPNwJrDTozzjxTvmVv9r4MtpoDELmnMxb3o7ZibUMxgptCTyDF+Q5m6T3GeD9G5ehgB3Tqsx3gcUGuDtP6KIqMGbj8YCFt8tjihDctYFAXj4AwPnIjMiI4T7skXwfrBLWCKfN1j5XrIn2paQgKln9hvaiRUpNpD3IXVyFl1WNrb21IcRinfkuCtrP2tTHqct6eSEh8sOzRkvZEArBQYD5paYyuNBcbVtsnl6PNE+DIcSIGvCVnzpMw1BeUExvQZoNdpHwhTQ3FSd1XN1nt0EWx6lve0Azl/zJBhj5hTdCd2RHdJWDtCZdOwWy/G+4dx3hEed0x6SoopOYdt5bq3lW+Ol0mbRzr1QJnuvt8FYjIfL8cIBqidkTpDjyh6V88yg1DNHDOBBqUz8IqOJ//vY0bmQMJp9gb+05UDW7u/Oe4gGIODQlswv534KF2DcaXW9OB7JQyl6f5+O8W6+zBYZ6DAL+J2vtf3CWKSZFomTwu65vrVaLRmTXIIBjQmZEUxWVeC4xN+4Cj5ORvO8GwzoePGDvqwKzrKoupSjqkL5eKqMpCLouOn8n/x5UWtHQS1NlKgMDFhRObzKMqQhS1S4mz84F3L492GFAlie0xRhywnF+FvAkm+ZIRO0UqM4IwvUXdlqTajjmUz2T0+eXKTKTR5UoNRgP51gdUMT5A4ggT5wU9WkRx7CR9KdWJwwcWzv2YrchoHIXBidQSk+f1ZSzqR7krKSOwFTVJUvEenU17qVaHoAf2he0dMgURJ8PM9JxnSr7p2pZeNPu/O5oPmLuOCmEPVRPSahJL7yj9PK5z3q57e5POIp/wXqFoniFdxRmtmpfZBxoKVlADkwRy34h8k6ZmgtqPTQfUUk/+yH2CAoQu+HyOtUnQof8vc1k4zs8nCTrCSjqvFPjU8mHtVHy1RY0qmK9t99ugXyAKaGON3PlseetIC8WCTt84nM5XGD3VQpbv139yhSPhp2Oiz0IiOsr+L9idVKSvfNSkdNq9aUC7963uAQNud8c4GuDmbENvZYvGNIMxxZhYA86n1RMNtGDZJs6/4hZTL18Kz1yCY9zbbSXTxWTmkaHJziHtgrEPoYpUeb85J229PDEX08yHOkj2HXVdnKKmEaHw3VkB4eM3PhGGdrw2CSUejSaqPQFLdhabcB2zdB4lj/AUnZvNaJc23nHHIauHnhhVrxh/KQ1H4YaYKT9ji/69BIfrTgvoGaPZC10pQKinBHEPMXoFrCd1RX1vutnXXcyT2KTBP4GG+Or0j6Sqxtp5WhxR0aJqIKM6LqMHtTooI0QhWbmSqDEBX/wRS70csVeJSrZ4dqRKit+hz8OalHA7At9e+7gSWTfHAwjl5JhtrltyAab/FII4yKQeZWG8j1fSFGHN+EbOrum2uWuVhxkUPy4coMu+yKY4GxlXfvP+yEVK5GrMECRmFBlySetJK3JOoQXiuLirlHUq+0u88QFMdAJ9+fIdU4+FxneqgW7qM7CHRE8jV4pPSWGFbGzxVZ9CWRWaYIw26VsC1qQJe1WmU7Mrp26IxmWHGwHvZ50uB0mjAHFCiln5QAvqTm2/fsY+Puk+Irt3LQbMwGVWPnb4eona2dSha+eMLOiAQkBvbaitsRqqrAVnndP7gHmO+nYZEKNx/740zTRrFBpOelrGdOa0/eV2mPhUQfozGooxoRADmT8fAcDXo0SsXCHzg9tBnmVMvInQ7+8nXfhcF/fEBjvW3gIWOmp2EWutHQ/sl73MieJWnP/n3DMk2HHcatoIZOMUzo4S4uztODHoSiOJDA1hVj7qADvKB37/OX0opnbii9o6W8naFkWG5Ie7+EWQZdo+xeVYpwGOzcNwDRrxbZpV3fTvWyWKToovncZq+TQj7c4Yhz6XDF0ffljN5hTm4ONwYViFNB4gTJlFxFX00wcWfwWah4uJs2Oa8dHPVT+7viagZiPrSDk/gythdY8glGm+F0DWlzQpWbgSI3ZbdiUQ+ox4GtLUtYgGIQFUvRYbuHqH6CXQ3SM6vkbhV/nAn6UDEWKXdJsO0u5q6UpXci7MlWDNLxoQ9dfGjSc28mX+q+4hkyho4u1XSMy9B6IdH304J7fuAQ88tTorT67AiqvqR6qnZ0icV+MMLh95moxFbrvch6sGAmMEixqeujmiZzBqBmNbzZVORiv9qcbe3CQ6X2i+9D8hMpaWj5jI0u+0wk3bRFK4uDn8T1mnD6l4TrJayf3cZI+duhKcabNj71i5w76S8RZSC6RX4ks0x+XIDc5v3223NmGvceYklbuOJtJa0/MBTOcSDKCM2kUXqPV2BlA9Za8WEO2UrdcyP+AXgM20af3thjlZvA494zdZ0mqjrsKp+VS2MVrBBtj+puSuSHJYf6bnA5/yjqQtbGvAp8hfXQURC53J5oD8rb9F7vQRqdfqpe6xd7DVd+wWZS86mWjyZYKXw312t8nM/gxo0pdvZ8F0x9y3xb9UBM2pZtdYvk3hPz6swhuE1N5j2u7nwtXuEDNcGCSfr+IempeFHFRqO8n8ikASEdKcq2XHGJwfc3lVXOQ5K4JlewcC7yQL1uNtL6iNKCtJmjJiH2PMmXrtpmCeTspFNZlwmiICyPWV9B5ce9H/qP1xjndBzFz0rn75SGDnWUhNZI/aYKNVyzkOleS5VSNxBx1hoiFuG8r+6ctYwF7XL94b95tXQ/+0V5dt0H1xVaOZ7QluoDtMSzuUjV4yUoQESa3zCfZwnW+b5SKndX5nx0GYrVxydMkUdfimZpX/fezcMiaAGwG/jgWF0zS+EL4T7gR8I5R3qUNTifKFJKJL1+AL8CgL+SRB1lgHDp2wQ7cqgqcmskAsT60qisL/UZGgmnlgZ8FkNhv0vAMkzIsz7o6cuLo15hZnrsZveIo+mZKY2cMJjJb4ZlJLcE+YcnpiM84OYjypa9lA7kv4XJaDX9oirhsl9IO/ImbFgYpR73y+xSolXYdDKfZjf/8NR7vE8fu+LYXGoZHO/hxousED6y3sCo/ItECYHWYIui+V5SmAoEvVV8FY8fFMYIc+Llc2CoX5HQISfUAtLu+fGNNV0muidXnBdtnJo25UEqxwvoENdI1lGPhlrXY6/h4kIT5djmsxxSG/EgG/4fPnrThgF9/fbG8n/3LweXvQOGjX0F1Ngt5wuMIWRQk5vtLdvv2M+BNwthHZ7xzIU7zqSVvngVPwgcsTr2d5pTVOxauT1K6ffiBF04jVZEcna+NXhJM5EcRHNuT/iOb0ncn1yuKU8JJnztEzMDjO1qCmaBTyWBR7nQS6K+nfstd/AnBWyGeC5Yi3wlvZAVMpc0m7I7McXb+rXiHM0mHoq0Z/2HOki5LP2cBuIkk84tJ3SRZwWnocrz4aTEIOmwftqMATy5Ur0KRxoUSFNMJYyc1iOfjk3H2JjgecWlQdYHcIEjxGDGeo4S9EKTRokMGNUN2nTj3SO2nHoWbx9WhGe6uB3OgDENGL9aNoPnYKXs4WcobctMxQjjBWa/zpCFwP8nr78xIFfy/64ZtsFBrxSrEHxeXiPa2Kpv456aQ9kDQjJt9XrWKe+JBawtpPUYHmWkUb3Gznp3tC2LbowvJlEe/17srb5yi+sUHEF1z/8Uk4eVYcUUXzyq3YEuqumIBIYqO8J3K5Us7tEXyzhHH8TMLNSQxmDi/w5oYccIwNFMM1+xRTsyjHHtB/rHYJjPW/50Xxb0CZF84NqotCcgIMrR4nUiPnAPd8ZvHeB/235gS1NtzBWtfcDmP8khibSQpY3JW+fdY/9W6iGlPyPIwOgH06fJayaT44sPFIm+QGIkPKSAJOFDeJNG8oc6SAqrYSfCffYfOAx3IsjSdnxQy9JAcS0HxjWnEO3rgSh7bNEecO3f4hb3TRNlczdzhfrwgxUZ0rURI3LfMCpGntF+8NrhtB7RT8sEOaa4NM13T7LWjykRQJFYKNZY0siPBP2WJxjBqL0KynlTPhAcfFyiLZbAhe7YC0XmYo8iJQqdzJQwBK9iOoDkg1XuGy7+Kfe0scamvHN2Z85umcPSiPEQRP3zAWcP5kRNDath7DKrBfQtvOJvEHiihE+qiASrCZep+m7jTD261U9vQGAnR4xBY08ChSh8XItWHvDHARN+GP08h9u6nlJ3rpOoVn9y22NNgx7bOe6QIYe9f6iYbbAzLR1/7AP1A4CQwFi39eZI9BZteze5eas+6JR2s1LqH9tncOmWAhXjE8p3hOtplh/tMbrx+pySNX4BKfZva54zccIa+e59NUifTRsq27AwAtcxg2Bk1Tu7B+LT9Yw2K8tRH6XTcGlvqDM4sYjNBqzh3yAga5iro706tg/Qaa50eln8rjISularEHlfaggogjvd+wNLg44Rj8pMr25+xxS0e9KoEGon5SutuhJ/HBGnEj3+4qNxHu27nkAmZIADiF+Jh53osDuA1fsUnRXf2lJABa30KDkG8E/eci+TkESrdfsPMo6yhWoyjtjYdJbGkjtsQCMW5DOSNYDH0FqDiiVU0nBLJ4+A4ep6aWTrv6w/ozuO4educ7x9IBpGmEY30rsXWwiGJbLGyIo+6qz6J5JBKdjNBsDO7RRweDNMp8ospaGNQSa4NKAHTG8BsGqJSP8oebpVqYpgPS1TiBWnYZKQSRJ5NFs+ULpdICekxevVXAH8uh+De9GT7KsJJzg0CFjALDbC0YrbmCigspJAh2455I6/xyWbPXCYMXwBzbioMgWcNhQBJJ6oIoQ7shwf2TP0Z+X/3NoMpWHmGpoV/JZind8lb9lcxoI44uf37+xc03O1R1bNucf0F5ljrgj2sZlGz/591EJen5GZhrT6qSTIcMu+xIyxyA/zzhy0jjkVfkDKfQ8mE9AmVtbbzHAQNy2PhDIeu7ngoFN635tSOJLR2c6pC/m6n50slFbo0oeHbbiGHyxDk7q3zXHWoHzeF1k4iVdHumYg/nwZOuRzms6rvkmwkJv59Z1p05jxA+Y0yHvDeq1WR8PfS/esm3RHfP3fM+zTlj9ZBJfzvn4OL+IIHRQ5l8pGKAeRL58OjeaU5QU98lAKHydOPDGBalsEHyIKD6iy3RZ65qIm956zQd98htZ1Vgkd7LVC7LSnLb9jRbqS1vHN7lR6bQMmXtQBYSA/+ZW2RQqSo7sToVh+Pxl3EVmsgyO8dXPL4biz7XM8eVz7CqHkrQUinnr79HJWC6Uk19cBurOD6PeOqNYy08Og/A0hbHOgN3dKmVRAPf7itK6x0eb5F70T2zVqG12GHVZieXwIcp/vahuFvriHLJtuM04laiRWNXSiL2MPHQ8e9rr8NIlWDm9uev55FI9zZxwFUPBSewawPe5vkqRLfwZCYd5mZoxtBhNBWvY3ZOVD/21dIUlQanG1n6RygbmAwCHnIB4c7EH2CBYEMDToRQuAuIssviIfdaJglwDgHbLWKNUVDOdqeclBNZjfQfVXbVukPk8DfWLqj9pD4xAOzDeVQcdmg2aLvNKgpZsWs4d+6GlKrpS7qEGvoBkIFh/cVY7DMYrt/JXYuF6DpwB+HbfnuDFc2p47SPNhnmt/ez6/DACBPQ+tgpyWYXUsiviGSp72JNTzd8uFJJZNeKUJZw1c0UTjxdwigh5tL/hWhPl48DY937zymSr1xVqC3RV6wSIpuplH+hss/rsRPAp1/TfxvhJuFsoPbW0586y9YzqEHT4FUu6WSRy0gMJLP2sLqiiZXZ6kPicXsW7M55mV3ugbGQjB7YS7EVqsQzvJTiQbOlcPqwoKK7DTqaeCOXd8kH1tNoe7hjx/UNNdLQQ7IhrJIzxqTTgwcXYMCxhoezDsIHReTIymsHPkCurfteTQcbfwoKN5E9zC2hINOPmhAxLvONzaLXQGMqofuTbFshkB4eUj8U4vBCNp+60iCLnibt4rPuyoWKEHWBYa6FfIykxVKuXkfcb64dCdGCWjv7x1XqkbpHxQB80qhipoSo244pyhIsN91ASu1Q7L75LxGXibY3jb0Y4KZ5zIWsH4kVlvPhangohDO1J9gmL9inGr9hy5BHTQiMcktGoUgOIbFJ72381vYpPxn3ngBbp48mVZd0w6xV8RBaqR3l7CxI9vvMAPYPoXBB18ERoZypza8mAlzv2QxIkNGuRzFENh1SXegBfN7eiazZnwnhbyeMghJpnXzfvHACyjkdH3shRYcJ+oMiOSpInGxm/hxFQxHJZA0Ft/lza</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>
\ No newline at end of file
diff --git a/testdata/TestCanParseMetadata_metadata.xml b/testdata/TestCanParseMetadata_metadata.xml
new file mode 100644
index 00000000..aacba808
--- /dev/null
+++ b/testdata/TestCanParseMetadata_metadata.xml
@@ -0,0 +1 @@
+<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_af805d1c-c2e3-444e-9cf5-efc664eeace6' entityID='https://dev.aa.kndr.org/users/auth/saml/metadata' validUntil='2001-02-03T04:05:06.789' cacheDuration='PT1H' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://dev.aa.kndr.org/users/auth/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestCanProduceMetadataEntityID_metadata b/testdata/TestCanProduceMetadataEntityID_metadata
new file mode 100644
index 00000000..79686c48
--- /dev/null
+++ b/testdata/TestCanProduceMetadataEntityID_metadata
@@ -0,0 +1,6 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" entityID="spn:11111111-2222-3333-4444-555555555555">
+  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""></SingleLogoutService>
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml2/acs" index="1"></AssertionConsumerService>
+  </SPSSODescriptor>
+</EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestCanProduceMetadataNoCerts_metadata b/testdata/TestCanProduceMetadataNoCerts_metadata
new file mode 100644
index 00000000..3e802f77
--- /dev/null
+++ b/testdata/TestCanProduceMetadataNoCerts_metadata
@@ -0,0 +1,6 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" entityID="https://example.com/saml2/metadata">
+  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""></SingleLogoutService>
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml2/acs" index="1"></AssertionConsumerService>
+  </SPSSODescriptor>
+</EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestCanProduceSPMetadata_expected b/testdata/TestCanProduceSPMetadata_expected
new file mode 100644
index 00000000..9250ba1a
--- /dev/null
+++ b/testdata/TestCanProduceSPMetadata_expected
@@ -0,0 +1,20 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2013-03-10T00:32:19.104Z" cacheDuration="PT1H" entityID="http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/">
+  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
+    <KeyDescriptor use="encryption">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE&#xA;CAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX&#xA;DTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x&#xA;EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308&#xA;kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv&#xA;SPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf&#xA;nqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv&#xA;TLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+&#xA;cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+    </KeyDescriptor>
+    <KeyDescriptor use="signing">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE&#xA;CAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX&#xA;DTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x&#xA;EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308&#xA;kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv&#xA;SPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf&#xA;nqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv&#xA;TLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+&#xA;cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+    </KeyDescriptor>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/ls/"></SingleLogoutService>
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/ls/" index="1"></AssertionConsumerService>
+  </SPSSODescriptor>
+</EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestIDPCanHandlePostRequestWithExistingSession_http_response_body b/testdata/TestIDPCanHandlePostRequestWithExistingSession_http_response_body
new file mode 100644
index 00000000..3af5e379
--- /dev/null
+++ b/testdata/TestIDPCanHandlePostRequestWithExistingSession_http_response_body
@@ -0,0 +1 @@
+<html><form method="post" action="https://sp.example.com/saml2/acs" id="SAMLResponseForm"><input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9ImlkLTUwNTI1NDU2NTg1YTVjNWU2MDYyNjQ2NjY4NmE2YzZlNzA3Mjc0NzYiIEluUmVzcG9uc2VUbz0iaWQtMDAwMjA0MDYwODBhMGMwZTEwMTIxNDE2MTgxYTFjMWUyMDIyMjQyNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTItMDFUMDE6NTc6MDlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zcC5leGFtcGxlLmNvbS9zYW1sMi9hY3MiPjxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cHM6Ly9pZHAuZXhhbXBsZS5jb20vc2FtbC9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNpZC01MDUyNTQ1NjU4NWE1YzVlNjA2MjY0NjY2ODZhNmM2ZTcwNzI3NDc2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5XdG5qMnhHd1VON3dSc2hmYVpjWTZzSFhiQXc9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPlhmL2Y0Snd4eVF0UFRVSTlWZ1hxSFpMK1FsWGtIWXRrQTRMSlhNMURRaXFxVEkzSHpuZXllY0JRODlDODBoRWJqbE9TK1FxdjU5bHNnWmVmMkRNMTJiNHRWNlNadEZFL1E1OXc5QURUWVN0cnRTNTgrcTkrcnNrUDMxK3dLWExBandWRHFSUURTaFV6RHZWeVBKT2h0R0w5dllONmFRU1hUajVvLzgwRFg1az08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUI3ekNDQVZnQ0NRREZ6YktJcDdiM01UQU5CZ2txaGtpRzl3MEJBUVVGQURBOE1Rc3dDUVlEVlFRR0V3SlZVekVMTUFrR0ExVUVDQXdDUjBFeEREQUtCZ05WQkFvTUEyWnZiekVTTUJBR0ExVUVBd3dKYkc5allXeG9iM04wTUI0WERURXpNVEF3TWpBd01EZzFNVm9YRFRFME1UQXdNakF3TURnMU1Wb3dQREVMTUFrR0ExVUVCaE1DVlZNeEN6QUpCZ05WQkFnTUFrZEJNUXd3Q2dZRFZRUUtEQU5tYjI4eEVqQVFCZ05WQkFNTUNXeHZZMkZzYUc5emREQ0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUExUE1IWW1oWmozMDhrV0xoWlZUNHZPdWxxeC85aWJtNUI4NmZQV3dVS0tRMmkxMk1ZdHowN3R6dWtQeW1pc1REaFFhcXlKOEtxYi82SmpobWVNbkVPZFR2U1BtSE84bTFaVnZlSlU2Tm9LUm4vbVAvQkQ3Rlc1MldoYnJVWExTZUhWU0tmV2tOazZTNGhrOU1WOVRzd1R2eVJJS3ZSc3cwWC9nZm5xa3JvSmNDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQ01NbElPK0dOY0dla2V2S2drYWtwTWRBcUpmczI0bWFHYjkwRHZUTGJSWlJEN1h2bjFNblZCQlM5aHpsWGlGTFlPSW5YQUNNVzVnY29SRmZlVFFMU291TU04bzU3aDB1S2pmVG11b1dITFFMaTZobkYrY3ZDc0VGaUpaNEFiRitEZ21PNlRhcko4TzA1dDh6dm5Pd0psTkNBU1BaUkgvSm1GOHRYMGhvSHVBUT09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjx4ZW5jOkVuY3J5cHRlZERhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIiBJZD0iX2UyODVlY2UxNTExNDU1NzgwODc1ZDY0ZWUyZDNkMGQwIiBUeXBlPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNFbGVtZW50Ij48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMTI4LWNiYyIvPjxkczpLZXlJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48eGVuYzpFbmNyeXB0ZWRLZXkgSWQ9Il82ZTRmZjk1ZmY2NjJhNWVlZTgyYWJkZjQ0YTJkMGI3NSI+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS1vYWVwLW1nZjFwIj48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48L3hlbmM6RW5jcnlwdGlvbk1ldGhvZD48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlCN3pDQ0FWZ0NDUURGemJLSXA3YjNNVEFOQmdrcWhraUc5dzBCQVFVRkFEQThNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0dBMVVFQ0F3Q1IwRXhEREFLQmdOVkJBb01BMlp2YnpFU01CQUdBMVVFQXd3SmJHOWpZV3hvYjNOME1CNFhEVEV6TVRBd01qQXdNRGcxTVZvWERURTBNVEF3TWpBd01EZzFNVm93UERFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba2RCTVF3d0NnWURWUVFLREFObWIyOHhFakFRQmdOVkJBTU1DV3h2WTJGc2FHOXpkRENCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBMVBNSFltaFpqMzA4a1dMaFpWVDR2T3VscXgvOWlibTVCODZmUFd3VUtLUTJpMTJNWXR6MDd0enVrUHltaXNURGhRYXF5SjhLcWIvNkpqaG1lTW5FT2RUdlNQbUhPOG0xWlZ2ZUpVNk5vS1JuL21QL0JEN0ZXNTJXaGJyVVhMU2VIVlNLZldrTms2UzRoazlNVjlUc3dUdnlSSUt2UnN3MFgvZ2ZucWtyb0pjQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUNNTWxJTytHTmNHZWtldktna2FrcE1kQXFKZnMyNG1hR2I5MER2VExiUlpSRDdYdm4xTW5WQkJTOWh6bFhpRkxZT0luWEFDTVc1Z2NvUkZmZVRRTFNvdU1NOG81N2gwdUtqZlRtdW9XSExRTGk2aG5GK2N2Q3NFRmlKWjRBYkYrRGdtTzZUYXJKOE8wNXQ4enZuT3dKbE5DQVNQWlJIL0ptRjh0WDBob0h1QVE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjx4ZW5jOkNpcGhlckRhdGE+PHhlbmM6Q2lwaGVyVmFsdWU+UjlhSFF2MlUyWlpTdXZSYUw0L1g4VFhwbTIvMXNvMklpT3ovK05zQXpFS29MQWc4U2o4N05qNW9NcllZMkhGNURQUW0vTi8zK3Y2d09VOWRYNjJzcFR6b1NXb2NWelFVK0dkVEcyRGlJSWlBQXZRd1pvMUZ5VURLUzFGczV2b1d6Z0t2czhHNDNuajY4MTQ3VDk2c1hZOVN5ZVVCQmRoUXRYUnNFc21LaUFzPTwveGVuYzpDaXBoZXJWYWx1ZT48L3hlbmM6Q2lwaGVyRGF0YT48L3hlbmM6RW5jcnlwdGVkS2V5PjwvZHM6S2V5SW5mbz48eGVuYzpDaXBoZXJEYXRhPjx4ZW5jOkNpcGhlclZhbHVlPjNtdjQrYlJNNkYvd1JNYXgrRHVPaUFZN1lQQWtBcTVZZFdmdnFGUUpSNkR3TVZQSzZoT0VSSFJKRFAyL3c3TUxMQ1MyVEp2WjFydldXdXY0Ykp1Vk1tYlF5eVJSMklqZC9QVW1VNzJzTVA3eWgvZE1tVi82Tyt6ckJxVjRocmJsK0R1MW8vYXVoUnBnYzB1aXE5RHFXWXVweG1QNjQ4UURoV3pnaDlkRUEvYWpwV0NuMFRoNmdvRmJ4OFRzR1FNMml3YU9jN0lnRGt4aDlhKzFvb1FOeS9kdTcwMjN4Z3VvdFFINllvc2VEVUxtTnFhemxGcnowMzZ2TXBlY3h3RDVlZ0VRRUVDOUdOZ25ZSGs4NFJMZTlMc0xMcHNwcGZCaTl1TFBML3htWTJQOUljcy9aR2prOGVoU3pudVBuTmI1S2ZKT1RaeXRKWEZpZDJ4eUkvUjZrN0VSa1BjVlE3RDZYR3I0RlJTTEIvcjNjclpSQUFaWnBITHB0ZmEzSVR5bWRDNHQxK0cyNE5sNEl3MVV2aUg4R1FET1h2Q3JJb0dnVEpZa1ZBemJ1cmRicG9hSUZuL2hNL1FaWXdidnZmeTdtYmNpNUZQSE43KyszTDJpMjNKd0hKZnVPOVRVMDE0SlpkN2YwUVZVYyttbGFSa2pSSGZRdmgzZEJJeS9XSnVBdTFuR2ZYRGJSMlNhdWR1eG41UHpENmdZUklQN3cranoxb3MzMm82MzE5eE9UeEMvaitHdEV2T1RLajZOT0FwMHpXRkRDLzFHVFR3S2x3S2VraldwUzJQaWlwbWExTmdkY1BwbEJuVjRlWngxYjRBTmtHa0RtL1k5WDB5NjhwbnlWNmJMQVRYb2FUR1JyYVpPL1VGcHFObDgwKzdYRUZXc0JCQXRzZEhaRWR4UE50bHpUb0lIMGF5aFJnaVJpVHRRSTdGdEFVS0swbnpOVkMrYVpkaFFjaVA0MXo4VGgrUTNTVFppUnQ0b21vbDMva1I0RXp3dUJFWXl1eDk3WEpGNzR4RDlBWE5iNUkvT3ZlTVdoWmhpQW5jRE1QcTA5SmRZMitlb3BNRHVtOGlQdVZWcVJoRnMxaW90dm42ejh6bVJIdFZXbXVjbjF3b2t4MUNMNkdFbkt2ZVRTdlNQQStyYmFiU3dCR0xabUVNV3NoZFZxSjB1YzV5VlF3YVUzOFR0QW1IcGhJQXBLVW1Jajlua1BJUDBLWGlzWDlDNHp5dXEvcDBMekgxM1ZxY2krTG1wREF1SmQ2ZXZFdVh1alV3VSs0VEo4MXJ1RXcxYTNFSnJPbjhNMjFHZFlkVWJuek92UFBHbFkxUUs1UGlJOVpGQnJsaUp2c1dTcUVLUjlvbmdXYklwcC9ST09tMEREdVRrRldneWtRS0NtRkJkSlA1OWQvY2tiSzZaRlV5R2FNNU0vYTdjaWNRV01HZHYybFZQMEcrRXBpdHc1Y3JNZ0I4ZjlRUnZyOVhFNkp4TjFRMDdvZlYrUHEwRUlWWXNJenM3T3hJRzNXRmVicVQxNUdJVy9GQmRIV2lhZjJiSk1GNkw1dXk1WGZzbG0rVmlEbmdUQm41M01hc1Njclg2b2JZUmNhM1JMMFltMnB5NENCcHRyaWRXZXU2L0hCY2M2NHpabnN2Yit5bitTRTkraU1MaUUvK1VucnNPWjRkem5CTWpLalFqTFd2MXpBWlczNVVKbXZNMC9rSkVuZ2ZjTm1yaUhGZzkralJ5YkJ6UXk4TTQwdnJuYXhYeUdOS2xTbTl2Slh0aWtWZ0JLNkg0dkxKZEpMUGtWd3RjSE1qTkl5NzYwWkFNdUQzWlhBalZXazFXQjZIbTgwYVY4OHhIODdhUWZXYnNUcDNITDcyRGtlbFN2Tk01QldkZEpOQktTbXhwSEVPTUtFL3NpUkpxM050cFVLV3RzYUppemVMZGJRMU1UMEx3UVhlZmFwSFBSQkN3QTBCVVAzeExXTUI4WXRjU3V0SUNnbmFKMTZGZVNRTVA3eTN4R1RaMnZXOE5CWlpFMGluWUEvcWU1dVlDYmxlLzNKSzNXbDRtcXlRZGJKVmlJQkVZc2M3WWV1MHN0Z2VuVmZzTmJuNXE1V2hON3VhR2hQaFV0YVpSMXoyK09ZTUZuT0tmL3VGT2h3Tk9oaklCdHdZSTh4NU1Pdy9Sdm0rRFlvZ3BVRkx5aGt4SDZPQWw0U05NdlFmQUdRY1doTHEyUEUxK0ZzSGdIU0VQYWFxcG80QmJyd0QyY0ZrQ3hIY0tBZk9JRUVGWnFhM2dJQW5jaDRueDdFUnhBNGo3U3R6dVR2Q3ZCeWxmdXdnd3dQWjVON2NlZTRQMlNOUStvK2VhVk1FakpUTEwvenFMN0NaOHp3ZVJTTDFKdTFxUkp6UGpBWlFySytKSDhRWlJsYkNYamxQSDZRSzR6Tkh0aWtQZ21qTnpzSU5aRXVGZTlTTEpRakNpM0hXbG00eW5jTDE4SzhnRDZuazh6NHlVRFczRituUE41VitZaWl3NENnQkJ3SkhOZDdydlZqY2tvQjQvM1JFLzFQeEFwc0JJM1NhSHJ2MEdhZHVkM055WWhlT1QyM01zU2VyYXlybm80SnA0MVdjdmNhWGNEN29LVkVlay9Cc3hCR1RhRFRXVGtFNXZjRXU0SjFJZUJCTUszOFZjSHdSQUVlSENibldYZHdCWnQ2VVdhaHFSaG5Fc1dDYzZGZGYzdVlDNmhobFQ2THcwRU1zaFltWHhiWWNmdU10L0MwUlhxUVRqb3JZUG1YRGVmVHVzNjdvUzNYWHgwVXlHQkVTOU5sN1pnc1U4MjJuamRHeTk5Wmc4NXFtVnZRQkw1R3V3eGF3WFJDMDlOaFN1bFhQT0NHek9vcGI0bDVQaWp5UkRNWXdHdklDUHp3eTBEYmlZN3hVNlVYZmhVMkpKcWhiU1VvbXVHVEQrSXFOelh1QWtvNDVvZ2ZXTEtsSjlLb3UxNTlQSFFaS0pabFdMejAzdng3U2o5UldsQjVnYzJZdnlNYWZBTDRka2JYVWJkZXpKZHlvVTdnSGl6dDA2VlFSN0gvbW5yb014cXphYUkvUzJ1QzJYWnFxL3R1ZjZpNGtoeS8wTjVUa0hNTmNtZDdCRzArQ0YrdjRGdW9BS0owbWl0NDN0czBSMGczVHJFNE5MY0hVTDZoUDhBUlJwSkc1bHVwR2ZZK3Q3Uk1SV0tHUkwvZkE1eFRFeXhNcEh6Y2piUUxORGU4VWcrMlFKYXNldFlRZS9Mb29ua0o4YjZ5V0U5MTNIKy9mcmxxYnA5N3ZVdG5VYlprK2ZlN1hQOCtXNG11MkJoVW1oZ3hPeWR3U0F6Lzc5Z3oyQ05wTWdRVWlqOFJBcFpKU2thSU8wRFh3RmRENnBPcXo1OTJ1NHhoRUR0ZEp1TTFRZWJ5RnBheTArdUV0ZGFnUE9reFdVRGRpcTArT2VBd0hiNDBJZSt4NjE0NVpjRWRJVVczWUZ3ZjlzRkt6TnNpTXlqYWRWZ0FFcGtzOE8ra3BYbjJ0Zy8rbmxOai9TZXozM3RxNmd2MWdGZkg5L1gxMUIvdGV5Q2NRNVlGSEwybUJEdFNIRGkwMjdJK1ZJMkVBb2V1dlBVWG1NVExtSTJtYjJmbkNobnRXUkhuMERKOUZWdnUxKy9PS0luMCtmNDROZjhDTTJvSDVTd2MwZ0p3MFdaRFR0TGdRZ3ozUVFhNDc1RDdDRG9zVVNNWE5vbzNpdVZBSm45VWtlTUlMTkR4TnQ5N2l3YVArS1VaSktvUW5hdXozUkVBTTJYOGRpWlJGOVhzaU5YSFNZRWliNjZWdnJxYkhESG53cW1FbmZvMm5QS3k2TUFoeHhZR0FoN1lUbm9TQjdodkdXSE4wcDFlUGNiY21PUWs5MEoxVXNzYXFWUHhxUkxjd0phclVhUHV2L0txWjF1NSs2NVNuYWhGVHl6SFdaaUtMWlBxYytrVWVZUldpUzdLS3dxM21LWXY2SnFIR3ViSEdiSkxxZGYrRW5hQlJJblhtOFRreU5GUWwvTHgzKzVpMUk1Q1d0U0N0REpOeGlDTm03a0RHKzhsbTRQS05FOG04TE5PeE1Nb0YzMzBtWGd2WTYzV0E1SHFiSnQ2Q3B5T2hHUXduQitxNnF0RWhVM0dOMWJZTkxSUVp3VEZzcXY3cDRjLzAyM041cU5BWmowc3V0ODkxS2gvc1NXU001ZVVvL3dDRWNpSGx0c2R0SkNXMXIzTGxyaWk3azU5WkxhS0xmanZhMC9rbnNOL2d5MnlqVTNobGdiQ0pabWVPU2laT2U4MUswMkdPSjNGSnl4M2N4RGc4UktPRkR0UThxdkg3dVp5VWNjdmtpS2RlZjkzMEU1ZjYzWnBDd0ZPcjVXcEdPUFZQVlVwTWhGQWZsNTcvU0FIVUkvM1hBOFFxWGszY01XMElrWFphWURWaDRzN2xWTUk4QXN5RmV1RWc1RzlBc2doVWNnbjFrTkQrSmYvUnhzUHdlaUo4ZmhzTGlWSENrRHBmTnpPQnBCdzdzU1lRL0ZoTlIrZ1RqR2lXeHdWK2NvenpKdlJGczE3d0o1WnJ6QStUc245OWh1b1YyTXo1SzlYanMzRDVhKy9XUXQ0YytmR01TaEFRSGZyMUJXUzBJbkJ2bmZ3cG5NeFhNWW1rdm9WTGVod0l0ODYwNmt2SzZZRkZZcmF2Vit2dmxDL0hiZ25HaFhLOXE4V25BTkV0WHc0YkhJa1EyQ0hPSS9TdzRpc2lQVDRUNEx0Qy9JUFRHZ3dhUURnVFl1U2pHaDNSQ0Y4MWRwSGpVbEh0Znk1NGU2U2RjeGo0bElGVEw1VVJhVE4zOXd5MzhzamhvV1c2Z2xsQXdRdDE5S2txdjZFMzZQcHk4MFk5anVZUCtZRDk4NitCMUdzb0FzemtocXBQOW14MGVGR28zK3B3NVVENlBJemR0Wm1VZ0c1aFBJeldoeXE5RXFWT21NcFZCc1ltMzNobUIzZmlZRFROMEFOMndaMExJb1hGWE1TNmpGZGxDN2t3YkM1dGF6Q3BCVS9hWHF2a1N1eXA2NW5IVkM5QTVDdHhtSmdOWFJmOFBsUi9jM2xwc0RNc05obkhJd1Nic3Brd1ZiM0xYaDE5NjhwUmc5TmZXWmdEWEZ6ZHhKUytEbWxBVTV1TDRLY0l1ZXVoMFBhdHU4RzQ0UWxpSHN0ajdpTnQrb3o1RDRpUXAxR3pQRXZOUDNEQlRmTStteHlPUmhNZ1ljQWtvUnlqR0JEZXdmNmxnb2h4Q2NtU1pGSHFFTkxtam8zODBZVVo1RytyZnBQSjBnenBGcHNjSVlBaXdJVEZmS0pJTDE5MXhLNTFzMmpNMGE5WmJwM2dvYk5FRlc0clZmV0tmUVB2V0Y1NU94N2QrVXk5dFpjeWl6QkN2eEIxa3ZnZGVKTTFNMXNISjdwbVdTSnVQenZLUHVoa0hiNDNvY1k0dXFobFY3Q1R3RllUUlFCQzNCUENKQUQ2VWplY2tNdEc1Uk1SM2RxYWZwMm9KektUczhZcEVoblJ1STFMbnFSMk9FeU13OEUwNFBLekhpTjBWQks3SDcrRVRmWnBLNmJNZVFReFVadyt3RldvZmRRbmsxTGMxVFVhbVpjWG5COUhLVkxrVEZtOW4yOWRWK2hRZVBvQ2RjVGo0eVdlRlUrYVVkbzdZMFV5MW5uN0lGMklDV214MUJzejBEcml6bGtTOVdwOHhRUVRxY1FhaFlod0tPazBrVXRvZlR2U2s0dnc4VmhhVkYvekxscGk2VjM0PTwveGVuYzpDaXBoZXJWYWx1ZT48L3hlbmM6Q2lwaGVyRGF0YT48L3hlbmM6RW5jcnlwdGVkRGF0YT48L3NhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+" /><input type="hidden" name="RelayState" value="ThisIsTheRelayState" /><input id="SAMLSubmitButton" type="submit" value="Continue" /></form><script>document.getElementById('SAMLSubmitButton').style.visibility='hidden';</script><script>document.getElementById('SAMLResponseForm').submit();</script></html>
\ No newline at end of file
diff --git a/testdata/TestIDPCanHandleRequestWithExistingSession_decodedRequest b/testdata/TestIDPCanHandleRequestWithExistingSession_decodedRequest
new file mode 100644
index 00000000..820bb36b
--- /dev/null
+++ b/testdata/TestIDPCanHandleRequestWithExistingSession_decodedRequest
@@ -0,0 +1 @@
+<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:57:09Z" Destination="https://idp.example.com/saml/sso" AssertionConsumerServiceURL="https://sp.example.com/saml2/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sp.example.com/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
\ No newline at end of file
diff --git a/testdata/TestIDPCanHandleRequestWithExistingSession_http_response_body b/testdata/TestIDPCanHandleRequestWithExistingSession_http_response_body
new file mode 100644
index 00000000..3af5e379
--- /dev/null
+++ b/testdata/TestIDPCanHandleRequestWithExistingSession_http_response_body
@@ -0,0 +1 @@
+<html><form method="post" action="https://sp.example.com/saml2/acs" id="SAMLResponseForm"><input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9ImlkLTUwNTI1NDU2NTg1YTVjNWU2MDYyNjQ2NjY4NmE2YzZlNzA3Mjc0NzYiIEluUmVzcG9uc2VUbz0iaWQtMDAwMjA0MDYwODBhMGMwZTEwMTIxNDE2MTgxYTFjMWUyMDIyMjQyNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTItMDFUMDE6NTc6MDlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zcC5leGFtcGxlLmNvbS9zYW1sMi9hY3MiPjxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cHM6Ly9pZHAuZXhhbXBsZS5jb20vc2FtbC9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNpZC01MDUyNTQ1NjU4NWE1YzVlNjA2MjY0NjY2ODZhNmM2ZTcwNzI3NDc2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5XdG5qMnhHd1VON3dSc2hmYVpjWTZzSFhiQXc9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPlhmL2Y0Snd4eVF0UFRVSTlWZ1hxSFpMK1FsWGtIWXRrQTRMSlhNMURRaXFxVEkzSHpuZXllY0JRODlDODBoRWJqbE9TK1FxdjU5bHNnWmVmMkRNMTJiNHRWNlNadEZFL1E1OXc5QURUWVN0cnRTNTgrcTkrcnNrUDMxK3dLWExBandWRHFSUURTaFV6RHZWeVBKT2h0R0w5dllONmFRU1hUajVvLzgwRFg1az08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUI3ekNDQVZnQ0NRREZ6YktJcDdiM01UQU5CZ2txaGtpRzl3MEJBUVVGQURBOE1Rc3dDUVlEVlFRR0V3SlZVekVMTUFrR0ExVUVDQXdDUjBFeEREQUtCZ05WQkFvTUEyWnZiekVTTUJBR0ExVUVBd3dKYkc5allXeG9iM04wTUI0WERURXpNVEF3TWpBd01EZzFNVm9YRFRFME1UQXdNakF3TURnMU1Wb3dQREVMTUFrR0ExVUVCaE1DVlZNeEN6QUpCZ05WQkFnTUFrZEJNUXd3Q2dZRFZRUUtEQU5tYjI4eEVqQVFCZ05WQkFNTUNXeHZZMkZzYUc5emREQ0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUExUE1IWW1oWmozMDhrV0xoWlZUNHZPdWxxeC85aWJtNUI4NmZQV3dVS0tRMmkxMk1ZdHowN3R6dWtQeW1pc1REaFFhcXlKOEtxYi82SmpobWVNbkVPZFR2U1BtSE84bTFaVnZlSlU2Tm9LUm4vbVAvQkQ3Rlc1MldoYnJVWExTZUhWU0tmV2tOazZTNGhrOU1WOVRzd1R2eVJJS3ZSc3cwWC9nZm5xa3JvSmNDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQ01NbElPK0dOY0dla2V2S2drYWtwTWRBcUpmczI0bWFHYjkwRHZUTGJSWlJEN1h2bjFNblZCQlM5aHpsWGlGTFlPSW5YQUNNVzVnY29SRmZlVFFMU291TU04bzU3aDB1S2pmVG11b1dITFFMaTZobkYrY3ZDc0VGaUpaNEFiRitEZ21PNlRhcko4TzA1dDh6dm5Pd0psTkNBU1BaUkgvSm1GOHRYMGhvSHVBUT09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjx4ZW5jOkVuY3J5cHRlZERhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIiBJZD0iX2UyODVlY2UxNTExNDU1NzgwODc1ZDY0ZWUyZDNkMGQwIiBUeXBlPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNFbGVtZW50Ij48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMTI4LWNiYyIvPjxkczpLZXlJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48eGVuYzpFbmNyeXB0ZWRLZXkgSWQ9Il82ZTRmZjk1ZmY2NjJhNWVlZTgyYWJkZjQ0YTJkMGI3NSI+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS1vYWVwLW1nZjFwIj48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48L3hlbmM6RW5jcnlwdGlvbk1ldGhvZD48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlCN3pDQ0FWZ0NDUURGemJLSXA3YjNNVEFOQmdrcWhraUc5dzBCQVFVRkFEQThNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0dBMVVFQ0F3Q1IwRXhEREFLQmdOVkJBb01BMlp2YnpFU01CQUdBMVVFQXd3SmJHOWpZV3hvYjNOME1CNFhEVEV6TVRBd01qQXdNRGcxTVZvWERURTBNVEF3TWpBd01EZzFNVm93UERFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba2RCTVF3d0NnWURWUVFLREFObWIyOHhFakFRQmdOVkJBTU1DV3h2WTJGc2FHOXpkRENCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBMVBNSFltaFpqMzA4a1dMaFpWVDR2T3VscXgvOWlibTVCODZmUFd3VUtLUTJpMTJNWXR6MDd0enVrUHltaXNURGhRYXF5SjhLcWIvNkpqaG1lTW5FT2RUdlNQbUhPOG0xWlZ2ZUpVNk5vS1JuL21QL0JEN0ZXNTJXaGJyVVhMU2VIVlNLZldrTms2UzRoazlNVjlUc3dUdnlSSUt2UnN3MFgvZ2ZucWtyb0pjQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUNNTWxJTytHTmNHZWtldktna2FrcE1kQXFKZnMyNG1hR2I5MER2VExiUlpSRDdYdm4xTW5WQkJTOWh6bFhpRkxZT0luWEFDTVc1Z2NvUkZmZVRRTFNvdU1NOG81N2gwdUtqZlRtdW9XSExRTGk2aG5GK2N2Q3NFRmlKWjRBYkYrRGdtTzZUYXJKOE8wNXQ4enZuT3dKbE5DQVNQWlJIL0ptRjh0WDBob0h1QVE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjx4ZW5jOkNpcGhlckRhdGE+PHhlbmM6Q2lwaGVyVmFsdWU+UjlhSFF2MlUyWlpTdXZSYUw0L1g4VFhwbTIvMXNvMklpT3ovK05zQXpFS29MQWc4U2o4N05qNW9NcllZMkhGNURQUW0vTi8zK3Y2d09VOWRYNjJzcFR6b1NXb2NWelFVK0dkVEcyRGlJSWlBQXZRd1pvMUZ5VURLUzFGczV2b1d6Z0t2czhHNDNuajY4MTQ3VDk2c1hZOVN5ZVVCQmRoUXRYUnNFc21LaUFzPTwveGVuYzpDaXBoZXJWYWx1ZT48L3hlbmM6Q2lwaGVyRGF0YT48L3hlbmM6RW5jcnlwdGVkS2V5PjwvZHM6S2V5SW5mbz48eGVuYzpDaXBoZXJEYXRhPjx4ZW5jOkNpcGhlclZhbHVlPjNtdjQrYlJNNkYvd1JNYXgrRHVPaUFZN1lQQWtBcTVZZFdmdnFGUUpSNkR3TVZQSzZoT0VSSFJKRFAyL3c3TUxMQ1MyVEp2WjFydldXdXY0Ykp1Vk1tYlF5eVJSMklqZC9QVW1VNzJzTVA3eWgvZE1tVi82Tyt6ckJxVjRocmJsK0R1MW8vYXVoUnBnYzB1aXE5RHFXWXVweG1QNjQ4UURoV3pnaDlkRUEvYWpwV0NuMFRoNmdvRmJ4OFRzR1FNMml3YU9jN0lnRGt4aDlhKzFvb1FOeS9kdTcwMjN4Z3VvdFFINllvc2VEVUxtTnFhemxGcnowMzZ2TXBlY3h3RDVlZ0VRRUVDOUdOZ25ZSGs4NFJMZTlMc0xMcHNwcGZCaTl1TFBML3htWTJQOUljcy9aR2prOGVoU3pudVBuTmI1S2ZKT1RaeXRKWEZpZDJ4eUkvUjZrN0VSa1BjVlE3RDZYR3I0RlJTTEIvcjNjclpSQUFaWnBITHB0ZmEzSVR5bWRDNHQxK0cyNE5sNEl3MVV2aUg4R1FET1h2Q3JJb0dnVEpZa1ZBemJ1cmRicG9hSUZuL2hNL1FaWXdidnZmeTdtYmNpNUZQSE43KyszTDJpMjNKd0hKZnVPOVRVMDE0SlpkN2YwUVZVYyttbGFSa2pSSGZRdmgzZEJJeS9XSnVBdTFuR2ZYRGJSMlNhdWR1eG41UHpENmdZUklQN3cranoxb3MzMm82MzE5eE9UeEMvaitHdEV2T1RLajZOT0FwMHpXRkRDLzFHVFR3S2x3S2VraldwUzJQaWlwbWExTmdkY1BwbEJuVjRlWngxYjRBTmtHa0RtL1k5WDB5NjhwbnlWNmJMQVRYb2FUR1JyYVpPL1VGcHFObDgwKzdYRUZXc0JCQXRzZEhaRWR4UE50bHpUb0lIMGF5aFJnaVJpVHRRSTdGdEFVS0swbnpOVkMrYVpkaFFjaVA0MXo4VGgrUTNTVFppUnQ0b21vbDMva1I0RXp3dUJFWXl1eDk3WEpGNzR4RDlBWE5iNUkvT3ZlTVdoWmhpQW5jRE1QcTA5SmRZMitlb3BNRHVtOGlQdVZWcVJoRnMxaW90dm42ejh6bVJIdFZXbXVjbjF3b2t4MUNMNkdFbkt2ZVRTdlNQQStyYmFiU3dCR0xabUVNV3NoZFZxSjB1YzV5VlF3YVUzOFR0QW1IcGhJQXBLVW1Jajlua1BJUDBLWGlzWDlDNHp5dXEvcDBMekgxM1ZxY2krTG1wREF1SmQ2ZXZFdVh1alV3VSs0VEo4MXJ1RXcxYTNFSnJPbjhNMjFHZFlkVWJuek92UFBHbFkxUUs1UGlJOVpGQnJsaUp2c1dTcUVLUjlvbmdXYklwcC9ST09tMEREdVRrRldneWtRS0NtRkJkSlA1OWQvY2tiSzZaRlV5R2FNNU0vYTdjaWNRV01HZHYybFZQMEcrRXBpdHc1Y3JNZ0I4ZjlRUnZyOVhFNkp4TjFRMDdvZlYrUHEwRUlWWXNJenM3T3hJRzNXRmVicVQxNUdJVy9GQmRIV2lhZjJiSk1GNkw1dXk1WGZzbG0rVmlEbmdUQm41M01hc1Njclg2b2JZUmNhM1JMMFltMnB5NENCcHRyaWRXZXU2L0hCY2M2NHpabnN2Yit5bitTRTkraU1MaUUvK1VucnNPWjRkem5CTWpLalFqTFd2MXpBWlczNVVKbXZNMC9rSkVuZ2ZjTm1yaUhGZzkralJ5YkJ6UXk4TTQwdnJuYXhYeUdOS2xTbTl2Slh0aWtWZ0JLNkg0dkxKZEpMUGtWd3RjSE1qTkl5NzYwWkFNdUQzWlhBalZXazFXQjZIbTgwYVY4OHhIODdhUWZXYnNUcDNITDcyRGtlbFN2Tk01QldkZEpOQktTbXhwSEVPTUtFL3NpUkpxM050cFVLV3RzYUppemVMZGJRMU1UMEx3UVhlZmFwSFBSQkN3QTBCVVAzeExXTUI4WXRjU3V0SUNnbmFKMTZGZVNRTVA3eTN4R1RaMnZXOE5CWlpFMGluWUEvcWU1dVlDYmxlLzNKSzNXbDRtcXlRZGJKVmlJQkVZc2M3WWV1MHN0Z2VuVmZzTmJuNXE1V2hON3VhR2hQaFV0YVpSMXoyK09ZTUZuT0tmL3VGT2h3Tk9oaklCdHdZSTh4NU1Pdy9Sdm0rRFlvZ3BVRkx5aGt4SDZPQWw0U05NdlFmQUdRY1doTHEyUEUxK0ZzSGdIU0VQYWFxcG80QmJyd0QyY0ZrQ3hIY0tBZk9JRUVGWnFhM2dJQW5jaDRueDdFUnhBNGo3U3R6dVR2Q3ZCeWxmdXdnd3dQWjVON2NlZTRQMlNOUStvK2VhVk1FakpUTEwvenFMN0NaOHp3ZVJTTDFKdTFxUkp6UGpBWlFySytKSDhRWlJsYkNYamxQSDZRSzR6Tkh0aWtQZ21qTnpzSU5aRXVGZTlTTEpRakNpM0hXbG00eW5jTDE4SzhnRDZuazh6NHlVRFczRituUE41VitZaWl3NENnQkJ3SkhOZDdydlZqY2tvQjQvM1JFLzFQeEFwc0JJM1NhSHJ2MEdhZHVkM055WWhlT1QyM01zU2VyYXlybm80SnA0MVdjdmNhWGNEN29LVkVlay9Cc3hCR1RhRFRXVGtFNXZjRXU0SjFJZUJCTUszOFZjSHdSQUVlSENibldYZHdCWnQ2VVdhaHFSaG5Fc1dDYzZGZGYzdVlDNmhobFQ2THcwRU1zaFltWHhiWWNmdU10L0MwUlhxUVRqb3JZUG1YRGVmVHVzNjdvUzNYWHgwVXlHQkVTOU5sN1pnc1U4MjJuamRHeTk5Wmc4NXFtVnZRQkw1R3V3eGF3WFJDMDlOaFN1bFhQT0NHek9vcGI0bDVQaWp5UkRNWXdHdklDUHp3eTBEYmlZN3hVNlVYZmhVMkpKcWhiU1VvbXVHVEQrSXFOelh1QWtvNDVvZ2ZXTEtsSjlLb3UxNTlQSFFaS0pabFdMejAzdng3U2o5UldsQjVnYzJZdnlNYWZBTDRka2JYVWJkZXpKZHlvVTdnSGl6dDA2VlFSN0gvbW5yb014cXphYUkvUzJ1QzJYWnFxL3R1ZjZpNGtoeS8wTjVUa0hNTmNtZDdCRzArQ0YrdjRGdW9BS0owbWl0NDN0czBSMGczVHJFNE5MY0hVTDZoUDhBUlJwSkc1bHVwR2ZZK3Q3Uk1SV0tHUkwvZkE1eFRFeXhNcEh6Y2piUUxORGU4VWcrMlFKYXNldFlRZS9Mb29ua0o4YjZ5V0U5MTNIKy9mcmxxYnA5N3ZVdG5VYlprK2ZlN1hQOCtXNG11MkJoVW1oZ3hPeWR3U0F6Lzc5Z3oyQ05wTWdRVWlqOFJBcFpKU2thSU8wRFh3RmRENnBPcXo1OTJ1NHhoRUR0ZEp1TTFRZWJ5RnBheTArdUV0ZGFnUE9reFdVRGRpcTArT2VBd0hiNDBJZSt4NjE0NVpjRWRJVVczWUZ3ZjlzRkt6TnNpTXlqYWRWZ0FFcGtzOE8ra3BYbjJ0Zy8rbmxOai9TZXozM3RxNmd2MWdGZkg5L1gxMUIvdGV5Q2NRNVlGSEwybUJEdFNIRGkwMjdJK1ZJMkVBb2V1dlBVWG1NVExtSTJtYjJmbkNobnRXUkhuMERKOUZWdnUxKy9PS0luMCtmNDROZjhDTTJvSDVTd2MwZ0p3MFdaRFR0TGdRZ3ozUVFhNDc1RDdDRG9zVVNNWE5vbzNpdVZBSm45VWtlTUlMTkR4TnQ5N2l3YVArS1VaSktvUW5hdXozUkVBTTJYOGRpWlJGOVhzaU5YSFNZRWliNjZWdnJxYkhESG53cW1FbmZvMm5QS3k2TUFoeHhZR0FoN1lUbm9TQjdodkdXSE4wcDFlUGNiY21PUWs5MEoxVXNzYXFWUHhxUkxjd0phclVhUHV2L0txWjF1NSs2NVNuYWhGVHl6SFdaaUtMWlBxYytrVWVZUldpUzdLS3dxM21LWXY2SnFIR3ViSEdiSkxxZGYrRW5hQlJJblhtOFRreU5GUWwvTHgzKzVpMUk1Q1d0U0N0REpOeGlDTm03a0RHKzhsbTRQS05FOG04TE5PeE1Nb0YzMzBtWGd2WTYzV0E1SHFiSnQ2Q3B5T2hHUXduQitxNnF0RWhVM0dOMWJZTkxSUVp3VEZzcXY3cDRjLzAyM041cU5BWmowc3V0ODkxS2gvc1NXU001ZVVvL3dDRWNpSGx0c2R0SkNXMXIzTGxyaWk3azU5WkxhS0xmanZhMC9rbnNOL2d5MnlqVTNobGdiQ0pabWVPU2laT2U4MUswMkdPSjNGSnl4M2N4RGc4UktPRkR0UThxdkg3dVp5VWNjdmtpS2RlZjkzMEU1ZjYzWnBDd0ZPcjVXcEdPUFZQVlVwTWhGQWZsNTcvU0FIVUkvM1hBOFFxWGszY01XMElrWFphWURWaDRzN2xWTUk4QXN5RmV1RWc1RzlBc2doVWNnbjFrTkQrSmYvUnhzUHdlaUo4ZmhzTGlWSENrRHBmTnpPQnBCdzdzU1lRL0ZoTlIrZ1RqR2lXeHdWK2NvenpKdlJGczE3d0o1WnJ6QStUc245OWh1b1YyTXo1SzlYanMzRDVhKy9XUXQ0YytmR01TaEFRSGZyMUJXUzBJbkJ2bmZ3cG5NeFhNWW1rdm9WTGVod0l0ODYwNmt2SzZZRkZZcmF2Vit2dmxDL0hiZ25HaFhLOXE4V25BTkV0WHc0YkhJa1EyQ0hPSS9TdzRpc2lQVDRUNEx0Qy9JUFRHZ3dhUURnVFl1U2pHaDNSQ0Y4MWRwSGpVbEh0Znk1NGU2U2RjeGo0bElGVEw1VVJhVE4zOXd5MzhzamhvV1c2Z2xsQXdRdDE5S2txdjZFMzZQcHk4MFk5anVZUCtZRDk4NitCMUdzb0FzemtocXBQOW14MGVGR28zK3B3NVVENlBJemR0Wm1VZ0c1aFBJeldoeXE5RXFWT21NcFZCc1ltMzNobUIzZmlZRFROMEFOMndaMExJb1hGWE1TNmpGZGxDN2t3YkM1dGF6Q3BCVS9hWHF2a1N1eXA2NW5IVkM5QTVDdHhtSmdOWFJmOFBsUi9jM2xwc0RNc05obkhJd1Nic3Brd1ZiM0xYaDE5NjhwUmc5TmZXWmdEWEZ6ZHhKUytEbWxBVTV1TDRLY0l1ZXVoMFBhdHU4RzQ0UWxpSHN0ajdpTnQrb3o1RDRpUXAxR3pQRXZOUDNEQlRmTStteHlPUmhNZ1ljQWtvUnlqR0JEZXdmNmxnb2h4Q2NtU1pGSHFFTkxtam8zODBZVVo1RytyZnBQSjBnenBGcHNjSVlBaXdJVEZmS0pJTDE5MXhLNTFzMmpNMGE5WmJwM2dvYk5FRlc0clZmV0tmUVB2V0Y1NU94N2QrVXk5dFpjeWl6QkN2eEIxa3ZnZGVKTTFNMXNISjdwbVdTSnVQenZLUHVoa0hiNDNvY1k0dXFobFY3Q1R3RllUUlFCQzNCUENKQUQ2VWplY2tNdEc1Uk1SM2RxYWZwMm9KektUczhZcEVoblJ1STFMbnFSMk9FeU13OEUwNFBLekhpTjBWQks3SDcrRVRmWnBLNmJNZVFReFVadyt3RldvZmRRbmsxTGMxVFVhbVpjWG5COUhLVkxrVEZtOW4yOWRWK2hRZVBvQ2RjVGo0eVdlRlUrYVVkbzdZMFV5MW5uN0lGMklDV214MUJzejBEcml6bGtTOVdwOHhRUVRxY1FhaFlod0tPazBrVXRvZlR2U2s0dnc4VmhhVkYvekxscGk2VjM0PTwveGVuYzpDaXBoZXJWYWx1ZT48L3hlbmM6Q2lwaGVyRGF0YT48L3hlbmM6RW5jcnlwdGVkRGF0YT48L3NhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+" /><input type="hidden" name="RelayState" value="ThisIsTheRelayState" /><input id="SAMLSubmitButton" type="submit" value="Continue" /></form><script>document.getElementById('SAMLSubmitButton').style.visibility='hidden';</script><script>document.getElementById('SAMLResponseForm').submit();</script></html>
\ No newline at end of file
diff --git a/testdata/TestIDPCanHandleRequestWithNewSession_http_response_body b/testdata/TestIDPCanHandleRequestWithNewSession_http_response_body
new file mode 100644
index 00000000..82c39ff8
--- /dev/null
+++ b/testdata/TestIDPCanHandleRequestWithNewSession_http_response_body
@@ -0,0 +1,2 @@
+RelayState: ThisIsTheRelayState
+SAMLRequest: <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:57:09Z" Destination="https://idp.example.com/saml/sso" AssertionConsumerServiceURL="https://sp.example.com/saml2/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sp.example.com/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
\ No newline at end of file
diff --git a/testdata/TestIDPCanHandleUnencryptedResponse_idp_metadata.xml b/testdata/TestIDPCanHandleUnencryptedResponse_idp_metadata.xml
new file mode 100644
index 00000000..e6dc57c5
--- /dev/null
+++ b/testdata/TestIDPCanHandleUnencryptedResponse_idp_metadata.xml
@@ -0,0 +1 @@
+<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_97e2ce01-fa34-4c09-9126-4f7595ef6bf8' entityID='https://gitlab.example.com/users/auth/saml/metadata' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://gitlab.example.com/users/auth/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestIDPCanHandleUnencryptedResponse_request b/testdata/TestIDPCanHandleUnencryptedResponse_request
new file mode 100644
index 00000000..c47094bc
--- /dev/null
+++ b/testdata/TestIDPCanHandleUnencryptedResponse_request
@@ -0,0 +1 @@
+<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"   AssertionConsumerServiceURL="https://gitlab.example.com/users/auth/saml/callback"   Destination="https://idp.example.com/saml/sso"   ID="id-00020406080a0c0e10121416181a1c1e"   IssueInstant="2015-12-01T01:57:09Z" ProtocolBinding=""   Version="2.0">  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://gitlab.example.com/users/saml/metadata</Issuer></AuthnRequest>
\ No newline at end of file
diff --git a/testdata/TestIDPCanHandleUnencryptedResponse_response b/testdata/TestIDPCanHandleUnencryptedResponse_response
new file mode 100644
index 00000000..1eaec927
--- /dev/null
+++ b/testdata/TestIDPCanHandleUnencryptedResponse_response
@@ -0,0 +1,83 @@
+<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id-282a2c2e30323436383a3c3e40424446484a4c4e" InResponseTo="id-00020406080a0c0e10121416181a1c1e" Version="2.0" IssueInstant="2015-12-01T01:57:09Z" Destination="https://gitlab.example.com/users/auth/saml/callback">
+  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/saml/metadata</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#id-282a2c2e30323436383a3c3e40424446484a4c4e">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>EJWYGjZq4zltPha+UU/Pcqs+JSc=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>C4qEE/hh8tqaM47F6VK9toHJqQxnzzzfwxIc5IUOO1izD/vIFfn4OwKw/SfCFhYj8ZgnVM/BF3oaiWhuAMgFS+MKz2RYnY5h0+DUb1Mv4SjtEPQIv+TL/LGsMJuzPoEkXcxXefz2JCJMXeYM66PfeuBxRpETIe2zIJzZhd9mIrs=</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-00020406080a0c0e10121416181a1c1e20222426" IssueInstant="2015-12-01T01:57:09Z" Version="2.0">
+    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/saml/metadata</saml:Issuer>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+        <ds:Reference URI="#id-00020406080a0c0e10121416181a1c1e20222426">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+          <ds:DigestValue>XPlQkPZr16jJADNHhQ/sma8PBC4=</ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue>zDZndnR6twoH0l7j5Qv7hrWxszt+UYSpJ07L0bnN9kD/3jUFkSStok5ubRP5rvOLH6cg4sQX97VuU7EPAmNhj9XcEH7hGMkAAxV/9pbrocSMAm4+HgpyoVl4NSvh9HVWA7tq2WMBgNl6qi05xGws2Fr+zlsax7yr9/hQKdNXL04=</ds:SignatureValue>
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </ds:Signature>
+    <saml:Subject>
+      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.example.com/saml/metadata" SPNameQualifier="https://gitlab.example.com/users/auth/saml/metadata"/>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData InResponseTo="id-00020406080a0c0e10121416181a1c1e" NotOnOrAfter="2015-12-01T01:58:39Z" Recipient="https://gitlab.example.com/users/auth/saml/callback"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2015-12-01T01:57:09Z" NotOnOrAfter="2015-12-01T01:58:39Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>https://gitlab.example.com/users/auth/saml/metadata</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="0001-01-01T00:00:00Z">
+      <saml:SubjectLocality/>
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
+      </saml:Attribute>
+      <saml:Attribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
+      </saml:Attribute>
+      <saml:Attribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
+      </saml:Attribute>
+      <saml:Attribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
+      </saml:Attribute>
+      <saml:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">alice</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>
diff --git a/testdata/TestIDPIDPInitiatedExistingSession_response b/testdata/TestIDPIDPInitiatedExistingSession_response
new file mode 100644
index 00000000..afd22ef3
--- /dev/null
+++ b/testdata/TestIDPIDPInitiatedExistingSession_response
@@ -0,0 +1 @@
+<html><form method="post" action="https://sp.example.com/saml2/acs" id="SAMLResponseForm"><input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9ImlkLTI4MmEyYzJlMzAzMjM0MzYzODNhM2MzZTQwNDI0NDQ2NDg0YTRjNGUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE1LTEyLTAxVDAxOjU3OjA5WiIgRGVzdGluYXRpb249Imh0dHBzOi8vc3AuZXhhbXBsZS5jb20vc2FtbDIvYWNzIj48c2FtbDpJc3N1ZXIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiPmh0dHBzOi8vaWRwLmV4YW1wbGUuY29tL3NhbWwvbWV0YWRhdGE8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQtMjgyYTJjMmUzMDMyMzQzNjM4M2EzYzNlNDA0MjQ0NDY0ODRhNGM0ZSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+Nk82Uk51Z1lyOG81QjVORW5qa2ZJakhWWjZZPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT4wM2xMT29PVkVmcnpsZkRoSmZYekxEalpSZnRKZ2tpL3JvNlg1c3hZTjZqRnNiTjVvR2JRNVFDYXBoakI5VGIwSS9xbnYzWEV0TnZNNlhvck5UaEZmdlZzQVZKNzIvbE5OdU5Pc3gzOStob1EvMXhDUmZWNDFjNzJGM1Q3WkpUZVpBdW5PNS9TeS92K2pJUjZweEZzT29hcExUQjlwTGFWRG8yV1krOHh2UG89PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlCN3pDQ0FWZ0NDUURGemJLSXA3YjNNVEFOQmdrcWhraUc5dzBCQVFVRkFEQThNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0dBMVVFQ0F3Q1IwRXhEREFLQmdOVkJBb01BMlp2YnpFU01CQUdBMVVFQXd3SmJHOWpZV3hvYjNOME1CNFhEVEV6TVRBd01qQXdNRGcxTVZvWERURTBNVEF3TWpBd01EZzFNVm93UERFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba2RCTVF3d0NnWURWUVFLREFObWIyOHhFakFRQmdOVkJBTU1DV3h2WTJGc2FHOXpkRENCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBMVBNSFltaFpqMzA4a1dMaFpWVDR2T3VscXgvOWlibTVCODZmUFd3VUtLUTJpMTJNWXR6MDd0enVrUHltaXNURGhRYXF5SjhLcWIvNkpqaG1lTW5FT2RUdlNQbUhPOG0xWlZ2ZUpVNk5vS1JuL21QL0JEN0ZXNTJXaGJyVVhMU2VIVlNLZldrTms2UzRoazlNVjlUc3dUdnlSSUt2UnN3MFgvZ2ZucWtyb0pjQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUNNTWxJTytHTmNHZWtldktna2FrcE1kQXFKZnMyNG1hR2I5MER2VExiUlpSRDdYdm4xTW5WQkJTOWh6bFhpRkxZT0luWEFDTVc1Z2NvUkZmZVRRTFNvdU1NOG81N2gwdUtqZlRtdW9XSExRTGk2aG5GK2N2Q3NFRmlKWjRBYkYrRGdtTzZUYXJKOE8wNXQ4enZuT3dKbE5DQVNQWlJIL0ptRjh0WDBob0h1QVE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkVuY3J5cHRlZEFzc2VydGlvbiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48eGVuYzpFbmNyeXB0ZWREYXRhIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIgSWQ9Il9lMjg1ZWNlMTUxMTQ1NTc4MDg3NWQ2NGVlMmQzZDBkMCIgVHlwZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjRWxlbWVudCI+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI2FlczEyOC1jYmMiLz48ZHM6S2V5SW5mbyB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PHhlbmM6RW5jcnlwdGVkS2V5IElkPSJfNmU0ZmY5NWZmNjYyYTVlZWU4MmFiZGY0NGEyZDBiNzUiPjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNyc2Etb2FlcC1tZ2YxcCI+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PC94ZW5jOkVuY3J5cHRpb25NZXRob2Q+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQjd6Q0NBVmdDQ1FERnpiS0lwN2IzTVRBTkJna3Foa2lHOXcwQkFRVUZBREE4TVFzd0NRWURWUVFHRXdKVlV6RUxNQWtHQTFVRUNBd0NSMEV4RERBS0JnTlZCQW9NQTJadmJ6RVNNQkFHQTFVRUF3d0piRzlqWVd4b2IzTjBNQjRYRFRFek1UQXdNakF3TURnMU1Wb1hEVEUwTVRBd01qQXdNRGcxTVZvd1BERUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlZCQWdNQWtkQk1Rd3dDZ1lEVlFRS0RBTm1iMjh4RWpBUUJnTlZCQU1NQ1d4dlkyRnNhRzl6ZERDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQTFQTUhZbWhaajMwOGtXTGhaVlQ0dk91bHF4LzlpYm01Qjg2ZlBXd1VLS1EyaTEyTVl0ejA3dHp1a1B5bWlzVERoUWFxeUo4S3FiLzZKamhtZU1uRU9kVHZTUG1ITzhtMVpWdmVKVTZOb0tSbi9tUC9CRDdGVzUyV2hiclVYTFNlSFZTS2ZXa05rNlM0aGs5TVY5VHN3VHZ5UklLdlJzdzBYL2dmbnFrcm9KY0NBd0VBQVRBTkJna3Foa2lHOXcwQkFRVUZBQU9CZ1FDTU1sSU8rR05jR2VrZXZLZ2tha3BNZEFxSmZzMjRtYUdiOTBEdlRMYlJaUkQ3WHZuMU1uVkJCUzloemxYaUZMWU9JblhBQ01XNWdjb1JGZmVUUUxTb3VNTThvNTdoMHVLamZUbXVvV0hMUUxpNmhuRitjdkNzRUZpSlo0QWJGK0RnbU82VGFySjhPMDV0OHp2bk93SmxOQ0FTUFpSSC9KbUY4dFgwaG9IdUFRPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48eGVuYzpDaXBoZXJEYXRhPjx4ZW5jOkNpcGhlclZhbHVlPlI5YUhRdjJVMlpaU3V2UmFMNC9YOFRYcG0yLzFzbzJJaU96LytOc0F6RUtvTEFnOFNqODdOajVvTXJZWTJIRjVEUFFtL04vMyt2NndPVTlkWDYyc3BUem9TV29jVnpRVStHZFRHMkRpSUlpQUF2UXdabzFGeVVES1MxRnM1dm9XemdLdnM4RzQzbmo2ODE0N1Q5NnNYWTlTeWVVQkJkaFF0WFJzRXNtS2lBcz08L3hlbmM6Q2lwaGVyVmFsdWU+PC94ZW5jOkNpcGhlckRhdGE+PC94ZW5jOkVuY3J5cHRlZEtleT48L2RzOktleUluZm8+PHhlbmM6Q2lwaGVyRGF0YT48eGVuYzpDaXBoZXJWYWx1ZT4zbXY0K2JSTTZGL3dSTWF4K0R1T2lBWTdZUEFrQXE1WWRXZnZxRlFKUjZEd01WUEs2aE9FUkhSSkRQMi93N01MTENTMlRKdloxcnZXV3V2NGJKdVZNbWJReXlSUjJJamQvUFVtVTcyc01QNFFKeENscFVDZUErSUF1cUxINkNsVkMzZ1ovb0dwdjNPOWtYNlZWRUZxM0FvemgrZGMvb1ByaUNiSG1NZ25IMlVydi8vbnV0eDBwc21kYWo0Z2h2K0Rkbnk3aEkzQWZRd1crK1BSOExUbXVwbDYzOVVqQ1M5UnlmR2xUYSsxaTZZcE1uSXBkdUN5cXVRWisxVVNKWHdhUXN4Yjc1S3M0Zmk0cjU1dmlzUTZjOGFYOGRuSlBqNjlyUXpLKys5Sm91V2RXMGNjeXhEVEY4blJGT0I1VWt4QW8rL2FBeWk3MldVUngwVGlucG93UjFmakRtMDRVMElPS1lWWTZ0QW04QXBsMkxMSEpOQnlHTVZHWlcxRE12NzJDTGd3QmdOMHZsaTlZNkV2QjRwN1d0eVY3S3orb2M2Q2k3V2srUVRkWFlNcXFObmlndG9XT2xNZWhpMFZFcUlJaFhqYm1zeGN6RXVkbUdXaUR2bXZucFdWSklXdXN3K29XV0tGODRnaG5JNUV2dHkrY1djRjhGdjRhTDBlZ2syNjhEUHVXQlIzNjhGQ2Njc2V3aTlKVFp0czhvVmRnd25DZmRHTHZtZ2xmZGhDTlhVaExOS1hOMmVuNEtMM2FoYXRGeFlXa3RNSlFEMGc3cUlURkJmc2VRUmtWOFlLUCt2OG9MallSVjRyRmdmTUhLWWl4TmxIbFpNNExSVDdoTVg4YWxrd0FuWmxOYmJqUVl1ZTNjTjIwM1BKNkd1UENvalQ5UUdmbXdJeER5SjRPem9uS09pZlhZd21LL3JHOURscW9NdHlTTlJmU0hac1p1WURPd1E3WGk3amhDWDFITXZTb25SYmdLZDM0c2k5N0tmK1V6UzVYTm5KS0QxdUc2UmJYNStlUmFWZ0kwamx6bHpQbm4vR1ExV0VtYWR3eGVRS0JqSWlpVFJoMmM1ekhiY3RnSmlYK2xySzczUTIzQnpkRWo1bnNONWFYZ0dSR2RVVVB4VjF3cEZOcG54dVdBK3o4Q3BsVURWQmNVWlBiZDB1M0NYemRIOHp5WVJLeElkTHdqU0VkWFZKcnN4NkErWElBT09waDJNeDdPQS9DL1hOdERuVGxKNGkyWGlEWXZjeURvOUlMQkxWZGVTeGNaMFdVdDZsNCtQcFZFZ0V6eHpURzhPcGtBSXBjTllKT2JKMzhxd2tYVVJuYUUrVklvYXE5ZXplY0pqN040dVBCT1pMa0RmV3EwVXZNWEdyc3FaWWZhRmdJSllMcnRBZDBLdUdQTkozbTBwYUpZYTVKbmNrZnVjSmVyNmhqRFlvbjJ5MTdzUDVzWVRQOUZoV0VIYjA4TStWTGFrWU5GZWtZc3NldW1NZFlaSXRxUTFaZ3hZRThxVnZ3Q0xOK3dGN3gwM25ZYmRTRyt0a0kvNlA3Z2FCRXVkdnpHQjdtYXBLNTJyY1pVSzlBd0tiM0VualBaZnFNN0V0RnFETWJnY1JoMFM0emJnanI4OElvUDN5dVpsQm45QUpMQVJ5WnpVclRPcVp0d05lVklpbU9JdUZoK01wdmFuME5sYkNNSzJOUGJ5eGU4NjRGZnFRaTV3cThOQ3RLanNOdjJ6K2F3T0ZHNkQ4TnhkendXMVJhUWdNNkVCQ2dFa3ZSOTZRYTNyek5iMTBkME10WnZONXVqbkJVT2NHNDgyd1ZIZVdjV0dTQ3lVWkI2TW9wUW5oSVpaTWhSN0toTDNsN2NxeVlJK0pkY2JJWlI0SFdnQmFuUW5jaG1qb2Y1cVFQc3MyZVhTa0dPMGlpTGg5cm96STEvam9CSW5xWk1Nb2F3OWNSQVV0cFpGL1VTa2YvVWtxR0xCS1JUMERuYXlkcUN1bEliWTZzRGNuVktzdkVFZTJiaGpUdmhjdm9jQnRIK2toVnZRTlU5akh6NU51VTFabldRQzhVMllaZ0ttdFQwUWttMWVPQ3NSYXV2ZnBTTEYwM051SUNObjFhaElPS2NKWmJsdW9LVndTZEJ5WmZ0ZFJOdUoybEZJeWV5UHcyaWMxUmI4QjhrRG5QU1kweWFNU3BKbmlISEV2aSs4K2tsL1d6cEZRSjFmZUYyZmVWMnRsc09abHJMRGlmdVh0aFdaSURGeldhVUhZQ2FzdEszRWJiZ0Y2b1Awek9JU3ByZVFqV3A4S0Vua0dOd3JaaCtoOTJYSWlaN3oxQ0dqUTNXS0hlYWxodFFHRzl2VnR0R0ZvK04yVEpMcVdlcHdleHVDNWxJRzBLazR3aWxjcTdSZDFGZnEzVmE5SmlpZm9hbjE5bm5tQ0FRWFhUT0c4L284ajg3SFNEa3Eyb3NHSUsxMzFGM1o4VWs0c1pvRW1aMEFKSFdva2tTQ0R0TUp6VVF0QyttLzJSNW55Sjhyb1hVbkgyV1oyTTFzYjNhMGR2UlJRL0VXenRObkZ1NUhNbVBKdngvNllsNXhEWGRJNHZpbVY4RVNJVWZrRWNJaUM0STBlWHFqeFY2Z3NUTlJYeVpHVnZvSmZ6S0FoVjIyS1pHdFhHRjI0SzJuMjRXSHczWmtrMTd6eEI4VnVnMzNoM2ZOMmhOUmRuQWpUbldrODVVbGNvald0dVg4aVdNNmV1a2Q3U3l4SWkzRk5ER245dEFaNnVQT29lY3I3ZHJvOG1BUlhoYWllWUZqcXB6NEU0WGlkR1RKR284Y1J6YlpKU2pHclpTYWpqL0J3alhGY1VvbzNldGtEY2lVUXJWZ3cybVEwQmc4cmVHNHgvYURleE1yQnduQVJmaDNJVXRBazgwaG91WEM3TUgrSXFMcndRdkVVbkN3SmkwK1kxckVkSjRLUHh2eEJ5TGJzVDZaNHlRbTQ5STZteU5IWWh1dGsyRFgyMk4wTDJ0elJqT0dMaEhXaE9TUVdoWmFibXE3TmZlbEE0Vjdkcy80NVRjVGRCWlFxdFY1Qzl5Vko0aklJSEVyS09OVXpPcDZtcDU2bUM5ak1meE9zQWJGYXhFZHAzZkE0Z1psdTAveVZaTTFXK2dQOEFjVjM1aXdEYVo1VE1tOTFteFluOFZPemU3SExEY3g3MnNReFpURG5kT0t2SlJyV1l0UjRYUFNRUkdpOGVUVS9aWjVMaDVrUmRwTC8xZ1FrUmNCSDFRRTZsMnV5SUhWTGdOODZJM0VhZXZTTXVYMFk1ZlVkNjlqQkxKY1d2STFQSjh4eS8rdGpxUWdSUlJhUFBwKzVweHBRM0FmeTB3dWF2UmRqRUdmaUszSFRVZEFSQTVGZEZIdWkwWXFmUDVTRkNmcGppVmpVT1pyQUMwV0JqR3lvTFpPWDhaK3ZkZWxXNW00dHNXZ2ZxeFVCUVI5cHF1OCtnN01ZY1ZkMVVvWERvcGFOU2xscUZwZnBiWnowSXczVXBwZ0ZsY25qR2NtZE1CY3dkbzJQaERtTGlwMnBaSTB0M2d3SjBlazZ4bzU3NlFKQS9kYTVvOVFyYUJLMmNUYk44MkNac29oa2h4MndMVjdBTHRXaDM0ZVo0bW5YS3o0cmtmQ2I1L2kwQk1uN1V6TnJ5RFZtbVQ0c0Y1QTlRUDFvNUFyVEdhNFprUzZsLzE5MGRtMm96eFZtZkxmOHZOYnk5dHNBYjI1VFFtcEEwVFhvUm4rMHRQVFhhNy9YRy9pYTFwcG1kUkx1UzdiNGdvaHMveHNEZGJlakcyZHZUM285akNQQ29HYWJ1L1FYa25IYi9tMVNWM3dTczZPZEZUV1F0d0ZJWGdqVGxSYU9WNmlHS1IySEdIOUpZZ3BlZlNwMHlldUFkNHFyd0VCVUQ0QXJUTU9NaVRINWxtMURVcWhYNXcvd2U4dENDTVBzTGR3YXdldGJuU3ZmQnl0SzF2TDVKVVllWDU5RjRDeEJiRVVML0tlaEUzNUlWRmZTcXdhN3pjOGNqUitzM09HTWNEUlhIWHVJODIwc3NnRCtDenJCQmpLNktzdUhKTjVKVzRqNURoeVRvdWpiaFJ5dzRDbzNpKzY5bThKR2JPNndpSUhHR2V6Q0d1c1krc3ZOTnFEaDZXUXkxYXJ3MDM0dkxocEZ4MHU5ODZCY29FN0grQ25UaVdsNVpNK0ZXM2VwNzF5SFZXUkgzRXBNT1lGUGRmKzg2ejNQckV6RjlCVG1CV1RmT2NSSnhEbG9sOGdWTHkwb3RkQUwzQk1UOGxRYW5Wak5Rc3ZmeGwrK1A2MUUyb3NYSy9qRUNHTVZkQ3dqRW5yeHhlTyt6ZHJiZk82S25DMTNWcllrRUQ3M2Q4M2ViM1E0MHVrVWtVc01oRExSRXZQK2x3cmp2VTMvVFhNcmt1Sk01UU1BOWdTSE1NdnhlZzZYNGpBd2VEM1NwdlFYcDBZTGVmQlZwVXV4UkxTWlZlS0F0SEJNSDAzNlhySE1lMUF3azE4UVVGOWZHSzdocDJhVGZjcXBiSTl5QVRqNW1WSGV5L1NQMjZjLzlPTWpFUjEwSHVaUUN4eURycVhQMEZseFdaZUZ3R2c5dXE3Z2xIMVVnbGZhQTRpMWhQUFFjUmRMeTIrS2ZDOFAvMVFZaEpxd2QzTktjUTV1azE3OEdpSVlFcGNoMWZKWEx1L08wUk5EUTdFeDFweHZ0VjdlR3VkWnVxVnNzZFBuN1V1a0lrWG56c0x1UUNxZFpsbEpUaFBXVmVaZ1lHcEEvWFNSWFBJa3lURnpaNm13MVB6MDVCM09GWkhKOUVKMHMxcG85eDFoaGc2R240dS94WkMvbFdFaElpWTRCUnNBRXRQSGdFWTkranFqam1OSnNhSENvRU83SVJTbDNBQ2VEUW9uRGx6VHhBNXRUa09qMHhBZHNpOU1sZmpQd21tVHdsV281WUNWTjNxbVdSWVY0M1JSN3pVV3dlUXQ3ZW11ZjNkekpCazFCR0QrUmdkU0t4ajZWVnU0NGU5YlNWcjFocXh4OSs5cnRSako5VG82aWYyZmp1WmFzaDJnT3YvYk9uNkp1Um9KckZ1eWxSWWpGSmVDWk44LzdiWVJPRlQ1SVEyRWxsRmUyb1ZIUXk0OWgzSDV3NFlTLzF2b2pHZ2xNbDZQVXBpRE0ybjFPVXpXcXR6UitIR2g0d0JSMXJOVzk0Sit4RTk2UnZjRVhRdjU5S0RuMXNvT0RxK242OWlIcGZFN2NyY3M1T1JtSy9FYU01YVNpWGoyWldjUkJoTFMvNjZVUEthWnlaUnVGWjlLN3NsUVJoSHNxaWVpUDgxVFJjb2NMSkJOQVRMc3lvOHAyK0I1dlpwYkhrYXJ4QkEwZW00bmVjdXRIZG9MTU1vQXVZU2RVL01UMGg0eFc2NFVIa0FMSlVLcDJsTVo3SC9CSGIxQ3lGT0FnU2s0bXlHNTVWMHh6d25aVkp5d0x2Wi9WMXBjWmdqdzBNc3BxM2x3SGEwZVB3eEtjZmE0NG90dzhyaHI5c2dIL0NSWWhDQjNiTDV2ZHgrV1pXTk5XSVdncFM1MkNKVldmUVFIRG1SMWFDeTkyektzbFQza2NDbENISjFWQTUyY3gvWStjQ0hSNzVacHVGV3R4WW9pWUJGRU1xeFdLQmE4UEd1d1BVVFQ0YmoyVERVPTwveGVuYzpDaXBoZXJWYWx1ZT48L3hlbmM6Q2lwaGVyRGF0YT48L3hlbmM6RW5jcnlwdGVkRGF0YT48L3NhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+" /><input type="hidden" name="RelayState" value="ThisIsTheRelayState" /><input id="SAMLSubmitButton" type="submit" value="Continue" /></form><script>document.getElementById('SAMLSubmitButton').style.visibility='hidden';</script><script>document.getElementById('SAMLResponseForm').submit();</script></html>
\ No newline at end of file
diff --git a/testdata/TestIDPMakeResponse_request_buffer b/testdata/TestIDPMakeResponse_request_buffer
new file mode 100644
index 00000000..5a22f2aa
--- /dev/null
+++ b/testdata/TestIDPMakeResponse_request_buffer
@@ -0,0 +1 @@
+<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"   AssertionConsumerServiceURL="https://sp.example.com/saml2/acs"   Destination="https://idp.example.com/saml/sso"   ID="id-00020406080a0c0e10121416181a1c1e"   IssueInstant="2015-12-01T01:57:09Z" ProtocolBinding=""   Version="2.0">  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sp.example.com/saml2/metadata</Issuer>  <NameIDPolicy xmlns="urn:oasis:names:tc:SAML:2.0:protocol"     AllowCreate="true">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy></AuthnRequest>
\ No newline at end of file
diff --git a/testdata/TestIDPMakeResponse_response.xml b/testdata/TestIDPMakeResponse_response.xml
new file mode 100644
index 00000000..6a9757c7
--- /dev/null
+++ b/testdata/TestIDPMakeResponse_response.xml
@@ -0,0 +1,27 @@
+<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id-282a2c2e30323436383a3c3e40424446484a4c4e" InResponseTo="id-00020406080a0c0e10121416181a1c1e" Version="2.0" IssueInstant="2015-12-01T01:57:09Z" Destination="https://sp.example.com/saml2/acs">
+  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/saml/metadata</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#id-282a2c2e30323436383a3c3e40424446484a4c4e">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>KsbyS2V2/QCarAksPQyV5s3PVDk=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>paj/Jq/TTvYXu35Jtyevmu8bn2DZecfaj/wu8l7mY2sN++w9QL/sLZoyyJk6WsAsS0NMMOt8o5WN7EU+bVlbQ6VQbf2VO9gEPbONMdpQ8gfrvMiLo5vRS22iRaPehIH8gvWxAq64vWWt94OihpndNRt782K/0h/NvXBj+4vK7V8=</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <this-is-an-encrypted-assertion/>
+</samlp:Response>
diff --git a/testdata/TestIDPMarshalAssertion_encrypted_assertion b/testdata/TestIDPMarshalAssertion_encrypted_assertion
new file mode 100644
index 00000000..c2f796a4
--- /dev/null
+++ b/testdata/TestIDPMarshalAssertion_encrypted_assertion
@@ -0,0 +1 @@
+<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_e285ece1511455780875d64ee2d3d0d0" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_6e4ff95ff662a5eee82abdf44a2d0b75" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>R9aHQv2U2ZZSuvRaL4/X8TXpm2/1so2IiOz/+NsAzEKoLAg8Sj87Nj5oMrYY2HF5DPQm/N/3+v6wOU9dX62spTzoSWocVzQU+GdTG2DiIIiAAvQwZo1FyUDKS1Fs5voWzgKvs8G43nj68147T96sXY9SyeUBBdhQtXRsEsmKiAs=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>3mv4+bRM6F/wRMax+DuOiAY7YPAkAq5YdWfvqFQJR6DwMVPK6hOERHRJDP2/w7MLLCS2TJvZ1rvWWuv4bJuVMmbQyyRR2Ijd/PUmU72sMP4QJxClpUCeA+IAuqLH6ClVC3gZ/oGpv3O9kX6VVEFq3Aozh+dc/oPriCbHmMgnH2Urv//nutx0psmdaj4ghv+Ddny7hI3AfQwW++PR8LTmupl639UjCS9RyfGlTa+1i6YpMnIpduCyquQZ+1USJXwaQsxb75Ks4fi4r55visQ6c8aX8dnJPj69rQzK++9JouWdW0ccyxDTF8nRFOB5UkxAo+/aAyi72WURx0TinpowR1fjDm04U0IOKYVY6tAm8Apl2LLHJNByGMVGZW1DMv72CLgwBgN0vli9Y6EvB4p7WtyV7Kz+oc6Ci7Wk+QTdXYMqqNnigtoWOlMehi0VEqIIhXjbmsxczEudmGWiDvmvnpWVJIWusw+oWWKF84ghnI5Evty+cWcF8Fv4aL0egk268DPuWBR368FCccsewi9JTZts8oVdgwnCfdGLvmglfdhCNXUhLNKXN2en4KL3ahatFxYWktMJQD0g7qITFBfseQRkV8YKP+v8oLjYRV4rFgfMHKYixNlHlZM4LRT7hMX8alkwAnZlNbbjQYue3cN203PJ6GuPCojT9QGfmwIxDyJ4OzonKOifXYwmK/rG9DlqoMtySNRfSHZsZuYDOwQ7Xi7jhCX1HMvSonRbgKd34si97Kf+UzS5XNnJKD1uG6RbX5+eRaVgI0jlzlzPnn/GQ1WEmadwxeQKBjIiiTRh2c5zHbctgJiX+lrK73Q23BzdEj5nsN5aXgGRGdUUPxV1wpFNpnxuWA+z8CplUDVBcUZPbd0u3CXzdH8zyYRKxIdLwjSEdXVJrsx6A+XIAOOph2Mx7OA/C/XNtDnTlJ4i2XiDYvcyDo9ILBLVdeSxcZ0WUt6l4+PpVEgEzxzTG8OpkAIpcNYJObJ38qwkXURnaE+VIoaq9ezecJj7N4uPBOZLkDfWq0UvMXGrsqZYfaFgIJYLrtAd0KuGPNJ3m0paJYa5JnckfucJer6hjDYon2y17sP5sYTP9FhWEHb08M+VLakYNFekYsseumMdYZItqQ1ZgxYE8qVvwCLN+wF7x03nmIwRpuTL8Djdee/wDFKsK/vyIFNespHkvSTltmbQKSGEmglZNzLsXeyFdyOhvTCIcF/VpPrRSu4RWw3HcyQjDOfI3Itrxok2kcWHQZohKHGzpMInYpbjQJpHox3WhwwNT8Vkq1cJ5u7x+mZO+LzuBuIiQHaYMNXPAkkb2oLYZBOKazVR3+Y4asNAFlD1K1FWSctorSLdJly93WLvdya4EUCgOufN8LhnbwpLqIw57B9RfWa254F0DtFRZ1/iMAmRMjb25KA1c/U6U1woXxeZgCzUMs+j0D5MkY5n1it7dgDJ6XohzfoAfgC/oU4glNWr07Ep+CkYD+JYZ88YZUkSPt3UmNHPIwy2H/cFAgwVuD1v2t601LxESX95PeNgaXfRX5fZJcjAPBWMUWIPwRzNX4Y/o0U5h15FKSTnBvQ822yqhOMyM/+qwFJDGRvY3f40Hy6u9Q9y2j8gnYWeYatcVbdLcGP3jb8HHHViMwNbjt1BgLC0SAd4HhEZwDraHVLgumNfZiwDMs+g3S/OTMLAsW0I4tYve/NvyY8hUgOpubWRaBaJ8/VZFbe6y1hJ3RYyHGX23hMMTHuT8ZJDq1XnQDaFvi2qe2ad6oMQrENszJBWifIv8goxoJ2djWJJ7+7WzqU/E7MTCl5WuhlR3SPhd0hZ4cjfAx50i9634JlcAv9prFMUpXk/eHZFthVGTlEgxVuMgXbAR1PAHCE9RLqgj7807hn7VNyI4HV9wlCW46/FtqiqzhBgFFmPwJGBW7Ttj8W8MfrdBdSSIiXJFPkOH1j+4UWx1ENTiRFtArZp+2yBEG2U+6N6VA78pR/988hm0QqSXPZSofnxvWPDcxJsLHOkV6kz/fUTwIGqKVtpvED/K+X4NI/7Ko+X8VWZWJ/px2ht+mdLb7N/+KOvez6TPWt7UbBlFttIekK4nz3LEVK+8rJcfj93KsFH5Bb+DycG2yMOXkbUmIZQ4HChnlcnpToDLDeLyoiOokj8uYJgfClMcfpMhWtnbytf7WlzNxdPDLAtNeO6m1C6HJukDHc0r272Zo3MDuJq8qr3H8eDnaWSPp2bfGEEoMYFR07NEKYut4i+85CniR25snEU9StGhPqXnUg9wEldtZtbhlqU+MCTovTZ0JnQb/ooa+e4YtT9fy9zRmoQVlVlMAUHV5PMuIfaLAWWlXE3+FKPUDmrl9xjdM8TCE9fggHTazznlVdY4blVodPjfGdSFAM1j6iPu6Q9QV/BpNftwd/gV7KNgHhzwkIbEx6XLb+tez+gROiNGSfjgtNX+1FB6PsJHxpIpCndkGHRAn/wroQGsuq7VPmN9PQFaayImwll7X9n/TKrQRcsFFk+afefnUMVt9BgNAC3vcBXO3v8J0lyn+vjLjtqCh/Q3h9seL2ipee1k3cJVgZGBmwxGUGOHk2LKIGb9/gkWyWOam+KFyQOI8K3LTC7sJlgodTA4qdZJtHuZ34F74x3TEoQIi1bTYvZcTNBd10B32yDGagEBafZCCHsaJkDGvRl8sirrZOGwosYmkk3bGPwRgXBAX0wiPkuSXiKDv30fj+qKl1GrRhhp1Nzv5Rwon9TTveNQPLuX4sbl3HX5N4JjWuZxyY0vQ0CT8A/waqJBxDu0/TOS2bI3uDkT8ice53BVzqgL9lk80ElFjH2KpEspllBVW37L0mGxlZNtSymg8UwnPNl8v9olwJGc5aGlYLOk6Uqy/qMVlwIKg6B0do4JTzw9eR3nNllr7XcB+rN3vwJE8Gcznlduwi6QNl7AVySFIQvYcyRgKGO4IZ+u+FGcoOqH7RnvKqazcDvThbU4UkdMAvcZZ+ACLA4ircDfNPSyetuo+M4Bdlau3U3QJT0j4f1T7YOtvqqllb284SHD0b/niJmHWROY16tmzo3S3K77vygpWHW46SM9/nhTuNyE/MATU90cQ0u95uIpH99xEU7UeZWAWQX9XRBoFdEKHeA74zQLjpEQVZq/BwJyITBPIUcBdQ/khcpywF7IMl3hXSm1gSLdRCnqjTPuGLHAtMQKUwkzMUr1Xl5jW/bgGhw2FV6jvHO2TUr7BVzkY4y9ZCXGFnba0L5XBwM9yoCppr6P2Y0c+HH8OIe/42zoek+qJZdX29ByjndNy3hqCDzKylP4NiZjsY4n9fqV05RUcGd2gohILVgCVei4XuCjGlFfthUVEHNt1iW44+OenAO69bzynmv6/jVFV6uknfvWuh8yJbkY11bfJfxdgpYGEDlgOSlhh8gm3X5kP3xzEwKWgH7usOxyls46LcyX/jMTSoVViGYi5cSJLIIE+0KBsHf19NA3VY0q8qawHDBco3ufocJFl8boKFziaJhjjSRgB1peVQiocnIBZ+rdYt0VQv+8eUnhkW4pn3nbVgNwVK49ZMRAF4NKsZfeJusdeDVZWnIP0n/ngcY0z15QqQgcxu5VZYtVg9mO0d96wDNyZ3bz30IFi91Q2boA8d7l/oxXWJkKF/tyqO5EY3m9DeLoGeu75NedPiUm+lGeJlpZH/fTHioJxEYS9IfM4Q4zXkP6ipWBkMch7X2QiTVoodJ9L8o/tpsBFbh8Cr5wTKlEChSDU7GRV7nhylBmYZOpPsL9w/4cyVMIBfWYFqxrjYQp3IheLRBqrNKWNQ2yKwvAlUC0sYdtTIDidvwa7VjEO3yt723hZeVS2cBIKhPhU5otffGi2vV9VCCS4eXTUteN/EQd7sROiHoQS6cat0kTFN34bShAJSdzY9P0wxE4j9LZjIe9eAsMq6B5aEIgqdHferl462UA8t2zeUgOp6fQC6NroVb4md9RmUphGZtHp2JN7Y5eGM9rk9wqLVSSOPfA8++LhpTOcCEmJWP9TNkM42tSSre6PWJ2gPWT5VZ/47v7scSdelLO8SeCYUJAcq8vrTbZ6b5Dqjdb6w7XjJU60g5v109rgJJuHZjhQI/3dvNMbhD4n6avqd6wGbGboRtT8Mfr95wZDQA5EhIykyMokQq+iUhRWadpg2TYkL/9zmqOgLyr6Lqep/wsWb7LJIhFkmB/qkMrHLxaHT1er8qnkDOVBQYAjTybH0Z9N/IXcPYQKinD13i4k9O1I5VJ3gtQJpukX+eCWdT4gGWMTdaqs2Fv6rmitavO9qXuzTznWVk/3MlQq0ZxER8Xq2BwZPOAjrVkjw1IpUSit/BprLcKFA=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>
\ No newline at end of file
diff --git a/testdata/TestIDPNoDestination_idp_metadata.xml b/testdata/TestIDPNoDestination_idp_metadata.xml
new file mode 100644
index 00000000..e6dc57c5
--- /dev/null
+++ b/testdata/TestIDPNoDestination_idp_metadata.xml
@@ -0,0 +1 @@
+<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_97e2ce01-fa34-4c09-9126-4f7595ef6bf8' entityID='https://gitlab.example.com/users/auth/saml/metadata' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://gitlab.example.com/users/auth/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestIDPNoDestination_request b/testdata/TestIDPNoDestination_request
new file mode 100644
index 00000000..35e05e7e
--- /dev/null
+++ b/testdata/TestIDPNoDestination_request
@@ -0,0 +1 @@
+<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"   AssertionConsumerServiceURL="https://gitlab.example.com/users/auth/saml/callback"   ID="id-00020406080a0c0e10121416181a1c1e"   IssueInstant="2015-12-01T01:57:09Z" ProtocolBinding=""   Version="2.0">  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://gitlab.example.com/users/saml/metadata</Issuer></AuthnRequest>
\ No newline at end of file
diff --git a/testdata/TestIDPRequestedAttributes_idp_metadata.xml b/testdata/TestIDPRequestedAttributes_idp_metadata.xml
new file mode 100644
index 00000000..97ff1803
--- /dev/null
+++ b/testdata/TestIDPRequestedAttributes_idp_metadata.xml
@@ -0,0 +1 @@
+<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_85fdc505-39e4-4c20-a67f-ca15f4e4064a' entityID='https://dev.aa.kndr.org/users/auth/saml/metadata' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://dev.aa.kndr.org/users/auth/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestIDPWriteResponse_RequestBuffer.xml b/testdata/TestIDPWriteResponse_RequestBuffer.xml
new file mode 100644
index 00000000..5a22f2aa
--- /dev/null
+++ b/testdata/TestIDPWriteResponse_RequestBuffer.xml
@@ -0,0 +1 @@
+<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"   AssertionConsumerServiceURL="https://sp.example.com/saml2/acs"   Destination="https://idp.example.com/saml/sso"   ID="id-00020406080a0c0e10121416181a1c1e"   IssueInstant="2015-12-01T01:57:09Z" ProtocolBinding=""   Version="2.0">  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sp.example.com/saml2/metadata</Issuer>  <NameIDPolicy xmlns="urn:oasis:names:tc:SAML:2.0:protocol"     AllowCreate="true">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy></AuthnRequest>
\ No newline at end of file
diff --git a/testdata/TestIDPWriteResponseresponse.html b/testdata/TestIDPWriteResponseresponse.html
new file mode 100644
index 00000000..edce4394
--- /dev/null
+++ b/testdata/TestIDPWriteResponseresponse.html
@@ -0,0 +1 @@
+<html><form method="post" action="https://sp.example.com/saml2/acs" id="SAMLResponseForm"><input type="hidden" name="SAMLResponse" value="PFRISVNfSVNfVEhFX1NBTUxfUkVTUE9OU0UvPg==" /><input type="hidden" name="RelayState" value="THIS_IS_THE_RELAY_STATE" /><input id="SAMLSubmitButton" type="submit" value="Continue" /></form><script>document.getElementById('SAMLSubmitButton').style.visibility='hidden';</script><script>document.getElementById('SAMLResponseForm').submit();</script></html>
\ No newline at end of file
diff --git a/testdata/TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_IDPMetadata b/testdata/TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_IDPMetadata
new file mode 100644
index 00000000..fed77497
--- /dev/null
+++ b/testdata/TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_IDPMetadata
@@ -0,0 +1,21 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkppsa1qwuFV4D7z0h7">
+<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+MIIDpDCCAoygAwIBAgIGAWW0dDUQMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi01MTMzOTQxHDAaBgkqhkiG9w0BCQEW DWluZm9Ab2t0YS5jb20wHhcNMTgwOTA3MTQzMjU5WhcNMjgwOTA3MTQzMzU5WjCBkjELMAkGA1UE BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNTEzMzk0MRwwGgYJ KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA oggcfiSRJ6PGoI8XHKUYd89/BPMmduzR365yUEKSK6TIOcA/jrnJzxWHT9PsvB4znaoEdg27dmX0 IZ2I0bjSoyvp4BT8ZtsuqpamsJOFDajfzrU/dMLIQCwY0+38F+x/gNNL+BhYb6zmrdvomb7yqI2E JuHMXMS786UY5GfD+/n0gRSvd+DpIW8ZlsZMG/llyxO1ZccuUqzkbiVV4w1y5PMvSBL7BAWsTn9G IckQsyF+fsG0bKlN3JQjHmjFUrT0cnWkAJjGIVmmrp9NUWyc/SI01i6WlwcQsKw4PB7EU3J8BINv 9mCGXpwp5vWXRdRGjTT4BmFm8lY0QXHqXa/2+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBypFox /IaTXAKFsRQi6WUG0QiBLCR8eLhSUDF3xkgELkNYDErQKNyVaXrYoHwPoWYpok6MYddMkoo2YuPG W6V4zDa0k0ulbzKlvbbZQpkzIJEj4dr+PaqmtHAe7C7YNkj4jlfJP6QdqMK+rCBVU3kCX2c/ARun Vy/pIuLowXrQUCF0cccePD8jryej+cmm9jjHWmQNfHDMAv/vpGSXV2W3bzNALXxfCoKqU15ii6YQ hXU85OE5qXEY92ab3D67gppte7eNn/G7D7cuAZhkt7wfLsjoCVK4bZOwxqUw6mPoXXFpkTnlSo86 p7wkbeii7Epjm5HcXTPPC7jd7ZOu3Hsr
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+<md:NameIDFormat>
+urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+</md:NameIDFormat>
+<md:NameIDFormat>
+urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+</md:NameIDFormat>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-513394.oktapreview.com/app/rstudioincdev513394_dev_1/exkppsa1qwuFV4D7z0h7/sso/saml"/>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-513394.oktapreview.com/app/rstudioincdev513394_dev_1/exkppsa1qwuFV4D7z0h7/sso/saml"/>
+</md:IDPSSODescriptor>
+</md:EntityDescriptor>
diff --git a/testdata/TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_response b/testdata/TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_response
new file mode 100644
index 00000000..e8843de7
--- /dev/null
+++ b/testdata/TestSPCanHandleOktaResponseEncryptedAssertionBothSigned_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vbG9jYWxob3N0OjgwMDAvc2FtbC9hY3MiIElEPSJpZDg0ODk4NzY1MjE1NzUzNDAxOTcxNzMyNzQ2IiBJblJlc3BvbnNlVG89ImlkLTk1M2Q0Y2FiNjlmZjQ3NWM1OTAxZDEyZTU4NWIwYmIxNWE3Yjg1ZmUiIElzc3VlSW5zdGFudD0iMjAyMC0wMy0wM1QxOTo0MDo1NC42OTlaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48c2FtbDI6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5IiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cDovL3d3dy5va3RhLmNvbS9leGtwcHNhMXF3dUZWNEQ3ejBoNzwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48ZHM6UmVmZXJlbmNlIFVSST0iI2lkODQ4OTg3NjUyMTU3NTM0MDE5NzE3MzI3NDYiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3NoYTI1NiIvPjxkczpEaWdlc3RWYWx1ZT5qSkxWRHRsRjNlTzl0ZHdaZVJxUWdIR0hLMHJJNWxXb1J2VHBDS3dIWGUwPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5tUTJ1SEJWdVR1YTMxNHozTnBWMEZ6RC9CUFFUL3JuZWZLcGc0bnlDYXp6RjM0Mk9LaFN0Z1Z5NHZTbVJFUmpVRnFkUjV0SFpLWlJQZWxwVEFPS01kZmxXNlV6QnphWDBpSTgwKzQ3Rm02akNtaVN3RUhyaUVIMWRBblVPZWM5MytSTzFYb2xFSlo0aXF2L3N0VTNvSS9KamlzU1VHeVVhZDVwZFA1NGFLSzZ3cDFjRW95ckxmOEVYRDUvYjREb1U4elVHZWdXdEw2NVpMYkVSWWZkL0hGWVRhRWkzVjlpalJ2SDN3WmlGeWNqNXI4YjRvWUZPOWFZaWZOOXlmMnF6QW1NTUcyS0M1R0RNUWk1WFZJbVBVVS9DeDg4SUFIbHN3TkMxZFRrUDhkOW9lRDBLeFVaQU5xTDcxZGNOTCtuU2Yrd2dDN09xMTdYSDRtcHg1YnpXMGc9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRHBEQ0NBb3lnQXdJQkFnSUdBV1cwZERVUU1BMEdDU3FHU0liM0RRRUJDd1VBTUlHU01Rc3dDUVlEVlFRR0V3SlZVekVUTUJFRwpBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFQ2d3RVQydDBZVEVVCk1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhFekFSQmdOVkJBTU1DbVJsZGkwMU1UTXpPVFF4SERBYUJna3Foa2lHOXcwQkNRRVcKRFdsdVptOUFiMnQwWVM1amIyMHdIaGNOTVRnd09UQTNNVFF6TWpVNVdoY05Namd3T1RBM01UUXpNelU1V2pDQmtqRUxNQWtHQTFVRQpCaE1DVlZNeEV6QVJCZ05WQkFnTUNrTmhiR2xtYjNKdWFXRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVZMmx6WTI4eERUQUxCZ05WCkJBb01CRTlyZEdFeEZEQVNCZ05WQkFzTUMxTlRUMUJ5YjNacFpHVnlNUk13RVFZRFZRUUREQXBrWlhZdE5URXpNemswTVJ3d0dnWUoKS29aSWh2Y05BUWtCRmcxcGJtWnZRRzlyZEdFdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQQpvZ2djZmlTUko2UEdvSThYSEtVWWQ4OS9CUE1tZHV6UjM2NXlVRUtTSzZUSU9jQS9qcm5KenhXSFQ5UHN2QjR6bmFvRWRnMjdkbVgwCklaMkkwYmpTb3l2cDRCVDhadHN1cXBhbXNKT0ZEYWpmenJVL2RNTElRQ3dZMCszOEYreC9nTk5MK0JoWWI2em1yZHZvbWI3eXFJMkUKSnVITVhNUzc4NlVZNUdmRCsvbjBnUlN2ZCtEcElXOFpsc1pNRy9sbHl4TzFaY2N1VXF6a2JpVlY0dzF5NVBNdlNCTDdCQVdzVG45RwpJY2tRc3lGK2ZzRzBiS2xOM0pRakhtakZVclQwY25Xa0FKakdJVm1tcnA5TlVXeWMvU0kwMWk2V2x3Y1FzS3c0UEI3RVUzSjhCSU52CjltQ0dYcHdwNXZXWFJkUkdqVFQ0Qm1GbThsWTBRWEhxWGEvMitRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCeXBGb3gKL0lhVFhBS0ZzUlFpNldVRzBRaUJMQ1I4ZUxoU1VERjN4a2dFTGtOWURFclFLTnlWYVhyWW9Id1BvV1lwb2s2TVlkZE1rb28yWXVQRwpXNlY0ekRhMGswdWxiektsdmJiWlFwa3pJSkVqNGRyK1BhcW10SEFlN0M3WU5rajRqbGZKUDZRZHFNSytyQ0JWVTNrQ1gyYy9BUnVuClZ5L3BJdUxvd1hyUVVDRjBjY2NlUEQ4anJ5ZWorY21tOWpqSFdtUU5mSERNQXYvdnBHU1hWMlczYnpOQUxYeGZDb0txVTE1aWk2WVEKaFhVODVPRTVxWEVZOTJhYjNENjdncHB0ZTdlTm4vRzdEN2N1QVpoa3Q3d2ZMc2pvQ1ZLNGJaT3d4cVV3Nm1Qb1hYRnBrVG5sU284NgpwN3drYmVpaTdFcGptNUhjWFRQUEM3amQ3Wk91M0hzcjwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sMnA6U3RhdHVzIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48c2FtbDJwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbDJwOlN0YXR1cz48c2FtbDI6RW5jcnlwdGVkQXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48eGVuYzpFbmNyeXB0ZWREYXRhIElkPSJfNThkYTEwZGU4ZjhjMzBlZWM1NmY0MWU4NjQzZDA3NzkiIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI0VsZW1lbnQiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyI+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI2FlczI1Ni1jYmMiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIvPjxkczpLZXlJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6UmV0cmlldmFsTWV0aG9kIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI0VuY3J5cHRlZEtleSIgVVJJPSIjXzdkMWM1OGFkNDIzYTdiNDM4MTdiZGFmMWU5ZGI0ZDRmIi8+PC9kczpLZXlJbmZvPjx4ZW5jOkNpcGhlckRhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpDaXBoZXJWYWx1ZT5tbnBtYS9PL0ppdkZEaXhnOC85K0xVMlJTVXJzVU0yOUZEVEhYdkNFbGVoVzB0ZFNwUzQxOTBOaHEzbm8yMU53TjBQZ3RGTUdkUE84eEMvbEhwOXRqcXFEejBjTHh1NzVyVzlmL3hLbEhja0pYTXBxOVJmL1UyTHN3SUltMEtZQzREcXorQ3U4djlhRVA4YlB0Y3krQnQ0bm5MV3lvQlFzNnpxbW5YNmltTWkwaGNVeDhGaVYyOSsxTmRvOU5VelFxdGo4cngrYS82RGlRVjBoMjJOS2MzSHN3VlEvbWhzOVcyelFjZ0tvSldBWDV3dmIxYlVKcDNmZkJIUnVwWmZLdUh4SCtnYkNYcU9naFJpNXh3UVVMTmw1RzVLYzZhQmxGSTdxL3Ntcml3a1VlS1NUYjRwakN4MmV2d0Q4KzRobDRxem5TREN0R05TOUM3QjRnNm0zSWpkY2ZSNWd0TElKS3lVdGxpaVFzVVl5UThOc1YyaUMraUlONjRVSStJUU5CZXRNQm81WDd2RlpZenNRVm9yNUc3a1JGRUk5SUdFTFBHOGRpOFZrL3krSWJ4aldnQU5IUHBKeDJER1BUOWJZazlpc01lT21ib1FZWE5tcjBJUWsreUtOQThwTXNWK2pYSERqTnJDY3lPcTA4OXcyWjJWeHJUT3JMeHNRdVM0c2RzMTVVNk5VaTFBUXE5TUQrbWs2ZkxrOW9NNVhrV0MvUThLM2ZXNG5aZFJhTnhIb0NoaXhFc1ZXeGRVU3IvNENtSWtXSVRqUityeTcxRXJnK0JzY3JvVUJZTDNUMHBaeWdkaTd6d1pqNW0zZjE0cDRsazZpWStIZ1hzaVRLSjhsYXdWTEQ4cHFENDZzT0RkcFc1TVBDRHJ1Uk90WjZsb2dJeXJVZkd3cnh5dzJsbzlGRktYMklJamNMN3hKT3FCbmUzaldocHhTcjJjMjVJQXkrblBPVkFFMlVFSEh6a0RLcWd4bktySDZGUVhkZGdlMVdNcUt6b1BWYjRhd0hmTW9OaURHeGVURjNCWGFXcDhnSEJiOUJ0WGg1MlB4d0xTMWJvb054TjBRZ1ZOOXpaby9JOWp5aXc2d0pPbDBHV3BKaktPamFkYkl1bEJQQzlDZkJPOTJxWXhuV1RnMTRGZTV0emt5SmFEbkRjUmMwUldBQnlFRzlHNkIycUpSRU5Dc25MVjlmWG1jU0RZZmp4UGszK3hVaUYzQjdCQTlvUVBQcDJMU0JSWU1QcjExUEJZaHFHU2o3Y2hGSm1iT0FvUmFtVy9idU9IQnZKN3lCVnhiUjlhRjR0VTIrMWxTdHJ4aGZNandJQllZaWNIRHBHUDFSMTVPYk9GV2hsY2NSay9kWDdWcEhvcStQSVdXRm5tMjZRcHprYWE3UytWUXdZcVNjaVJvajZadXVBcm1nQkNtTytPU1JwY1hmaXkzcHdVMDVob24vSncycWJDZUF4U3JXTGRCMGl4L2loUkQyZmlKelJ2L21vZnVHT3p1eFBwR1JyTjh5dCttWFExREVQaWw3V29Xbm5qNFZtSFJyakdUbEF0RnBqZFdsd1NCMGFOQ21PZHhhNGUxcWMzRmw5c2pWM2EwQ3dKeTFEOUVjcWhTZE1RUWNiRjZMWGFVdjlMYll1bUlwYlJrN0FRc2s2eTloOHBPOEE1THN0RmR3VWlBdWllVkY0YlpucWxpK0ttdnVUMDJQRjVFVXQ0ZWhENE0xR2t6Y3d2VUlLKzNiUjg3dFhmQ2M0TXo5d1RJSUJEcU8wUGhEQjY4RkpIUDZlWlJqSXN5VHN3V1ZQSDg4MFpHYlhyK1MxNk5FNE5JSEl4M3FzTmplMXhoSTBCUFVlbFFuQS9VZC9sSDBjblVrVEg5ZDgrR002eXZuSStsdXVDVzBudVB5QzhES0hYTS9SZXROdW5TMlQ1UE5WTnpac2FVaUZUbThFS3FPRHNHakZoczYzZmVOWmtLaUt1T2JOMnhtNnBZekU5QVROMExQVktOT2lFVHpiYWNSc1FMTFFFWHlGU28ydkoyV0JxVkovaGFIb3Vpd2txeHdWOUFQTHFvYmwxVGJITTUyK21zOWhZcHM0bjZhVHpyZkJWSVdIOGxobUwxQU9rejRTeldjVW5yM0J4a1NhRTFseW9zZy9TbVB4M2g4SGw3ZFRLUnh0MXpISGdvV3l4ckVzR21WbjNmZ2p6NTJqaWZ5bldETTZUYzFQa240NzllYnZxd2psTUZjdlNZNzM2TWc2NE1VM3NLSEV0a0FZKzNDdGtlcm1STGprSXRlOUs3NlJzTzFkcm9IUlJ0OHhYZTlFQmFZR1IxWDUzOXFpVTh0ZnV6SjBXQXhCY3dwQ2RhclpUaXM3VjRnOTlUN0NhY2o3Z0RDOEwvQVpTdEJOZ1dFdFdnTytPTkRrK3JLeEFrYW9FOTAxU1Zzd2NxdVQ0dHR3ZXpEWmNJVVdWcjlLUWllenoxWWt6cC81TytPZ0J5cmVTLzZrUy9ibndDWlFDU2ozRWthV0syVCtTL2JTL3NJRWlmOWtpclBORUNPZ2JpM3F0YnpxMXMzS1ZLV2ZhMHJUY09nbHkzdUJMU0VRcG9pWlJ6SEdMZ2Z5N2tyVWFQcTlydDByMzEwSlEwUjJsaGxrUHlPQ1F2RXhEOW5lSjV3a25XNWlZMUFyR3FRVkxCdzkyc2hmK0NKV0FPK0RndllUNm9yQVF5dzBDYnB0a3E5anJRc25TVlpycEZRKzdoc1dFT2pQNnFXejFHWnJvRFdkckF5eUJlbXZHNmRWRTc1dHRHU1JqV1RNK3FEckZVdXlEM2pRcDFiWjZjRzlFSEs0TEdEeDFXTFY5OUp2cGV4VWFLeHNhSmRKQTlzZTdhS3k1MjVkeXA2R3ZObXBURWxIUEZQL1c4aVlCUlNidUZiNWJmYVpMOW4yWmNaQ3NHSzVPQ3BPVnpidFVyN0I3R1hCNlJ1d05wcldnck5SeUgreU14THFvdXJDczM0ODFoZXRZVmRUOTRkVnA2OW4xRTBtSVJSTU0xTXIyelByVHJMVUd3eDVkMjM1V2U2Vng3Ymt4SXl3clN2eGZQZzR6RWZ4eHdQc3JFT0M1M0pHMjJMU1JzamZoZnAvQ0xMOVdrUUt6bWYzZHRCZEZLNmk1WkIrNmtiVlNPYkZGSU80TFNHeWZwdEhJTFB4dlduMXk0TkVaY3pFOEZLNmllMHJPVisxdUFQY2FsbUdER2QrSVR4NnZnVTFZUlltcmdqc2pmY3crdFpWYnB1NFFGN1hhTlNWb0R0ZHJ6SWdycGVmanJDL0RJQnpQWGxMNFRya3V1OFFTdHRGMEx5ZU8yNEprQ1Fmdy9DbEtGUFhWUnV4V3BMVVk2WldKTkJCbDlQaWVqdi9EdUJ2NnRremNmL05sb01jeGtpYTZiTTZ0TEQ1WmNjcGJ0aC85T2NHSWJRUllETmdSM05SWndxamhwUVR0MlQ1aFh1ZTBJMWF4V2NwTlJDVmViajRaRmNvSGI3YVJKUEs3WXN6QTRHMEN5VmRPNDJkUVVnd0g1aGVKam0wbVlhZkJiU1dxeUJKZzdBOWFkRGR3ZXZqT05RMjRZMDRCY1V5RnBVb0pNTFNrN01vd2lrc3M1bWlGWDBjUmFDWThlbVZvQ2tMZERGSW5CcHRmd3paQjA4cmI0QUdWcEJkSkVLcmd4ZldBTkROYmI4WnZLTVE0bGZ3ZHVQSWVsZVdzQ29Jb283RmF6UHdQWHVCeHA2U1llc2YrVXRrbUhMTlhnSGl2Tk9lb3RSTWdwV1kzUzl2aVFDUnl4Sk00S2J1aVNiQzliSnk3UkZvOUVMQ2VqZXFITW5pL3RUWEtWTUxIMFlnblZkNjE3QVpoOGlzSHo4SW1kTmdYaXU3WUU3eFBSTkRkQ2N6S0luVXpvWm9OVlV4VGtZcHBuYlRsRUxGU0U0cVVoRVBuYXFUVU5HdFBWcElXZFpIZzZTWURwZ3VYNWF2c01nWWV3ZG9WM0lwUVA2VVBvcUFoQ3pKWGsyQm8yT1RhVTcwK21iSzh4Rjh6YUk5dGJuNmxJMDdRQXBZTWl0WDgzc0V4aW1YK3dTOEpqcG9hOFQ5aDJBMjFGczdreHZRaDdSVlJjS3JZcGY0R3U3OCs2cEtRYXcrendNcGovbDhudmtkMWhiMFJTNDNwN1Y3TjdIUnJkTjZ3dUd1ZmlOVHF0bXNycXZBeHRCM3h1c044R0V4aUt5QVl5eFgyVFMvK0hmb3FKSlhxYTZtL0g5dm5QU1Z4MUVoVXNvdUN3c1FFR3IxQkFDQVRiaEVGdCttUzhxRVo1eEx5WnNZRTBEYk1YWWRUSXErVkF4eDZnaytJcm5lbmdjN0ZVcXhhbzkzV3VDYWFzbGdqSVRZc1o5UGV5Mm9ZbmdrSzd4R2wrcWc5TG5nUmF1VzR2ZXpvVzY1dlc1TWpaajhyOXh4eDVSOHhvUmRDTEtLaUZsbFNFWnA5NUl5dzBxdEFmWmFYR0FvRTlYeFlmWldDS2RPRnI4VytpVUtVUnhGT0pEL0hjNlVkNTZZemp6bVF4N0w1a0laNW9Rc0pzMS9pcUNlZENJUlNNai80c25BSDZCK2svSWd3UnIzVncvc3QzOFJJOEhUekxyYk1sS1Q5OTdEcmdoQnZBYVcrZWN3Q1h2Vm9BYjRzQ1dsY0dpaDRsRDlyTUJMVUxTVzl5MTBpYmFWNWFPb3BrVVBud3FoRitnVjZzaHBvVFNnMjhYUjdMRjhVbXVCWHVTTkZwektUNXBPMGpmeElFRnNNb1VrSk5UeTN3OG44WHVubUhTTU9hakVKS2xVK1BOVndncUdtb3hGL2VSMTRWUmlzRzJYSWFEdXNqOW05d2lKTEh1NzF1S0d3QlVuS2xQekVXWVZFcVBWWDl2ZHBVVEVzL1k0ckdxd0RtOGhSVlUzRlR3cXZNaW11UWliZDVaRW1IWWY4ZDBkOEJNZVQ2Q2ZPQkdrWStMdTBwV0o1UXBkcng2b0Vzc3Q4eHp5REtKQmcyczBFQXFpbFpWeldEeWQrVEE0RC9ta0o4OWdiK2ROSjhtbjl2S2VHaWtnWHo2enQ3akFnbzk2anBtVlpnNTYvRjRBdzBBUERXNFRrSTJXb3pIcUVBTnZFZ0VvV2QwVHA3TkM1NUtZZnFrMVp3TVlyV0dIclJ4b2Y3dHFtNHExUzJjOVJ4Yk13Wm0yUlg2V01UeVQ5U0VMbHAzTHNBekZGV3B4Q3RMT1hHWDRWNDZOTFpPY1ZmSE41ekd2L25JT1ZMc2VGcGl3M0I1aVVzbHZkMkp5TUo2ZEVEWHNRUDlWWTk4c1h5VWwzYzFsVXlFUytVQ056ZmNJUThXb2VkR1RnWnFWMFRZcUYveGtLcE0rMTRaY3kxSys5UkNaNDNIRlZCUjhFUjZqbThMODBVWXJGZGgwUDdITEtsU2U2Z2ozOEd5MFhlaVNMay9SL3JLNUZjVzh3VnVvNjA3VjkvdmM2b09veUhyU2RvaUtyRzNDWFNiWmZEN3ZUTk1vU3dCckJqaGVxOVVtN1dMMzFpUTZlUjZKOWk3QXRRMHhRVEN6ejY2cHVEeXVPa0FBR0lwUXhXVjFNUEEwM0RkckFncXYrRmFKamZrMC9hV3p3ZkdqRnlTY2pyYktKUyt1ekF1MVdjTkw3MWYrVVhyYWZFUC9sY0ZhTkNzRU1UMmV1d0JWcFZleGpLNTlIeGZXMC95SjhNV1FYYmlZR0pOM3FIM2IwNkx5aVFRQWFONFBKUnBnMmlIK1R2b0E3ZGc0b1N2Y0RKOVNaTlpvck9KRTBYV3RWSm8wNGVvWkNoNUZ0K0p5Yzg3WEFFY1luRXovSGNHaGswVU8zNTA2YmgvK0prRDJLTjNDMUw5ZG5xdHJpUUpFdmJnTDd6VHRpemJzZTNqTU5rOEVWRjN1QWQxZWJPTFQ2bm5nNVN6TGNmOVNLa3dYVFBROWJvcGlrTUhWdUZEbjBUdDVkcGtQeUQxQS91M0w4UEpLamw4TStXeUsvVm1aNG9pSlZNWHp4bytZMDJrRTN3bGRWa2hhOEdRbDNFcDdJb2c5Uk1selc3SmtDMUR5a0dLRmUxQ1ljYUJISmp0b1dFUVN6UXJBNExidzRiV2hqVmtSRXNtdFI4VlZQTWZTUmpGaURsOHFzbFYxNVhzbTBnMVl1Zi9tNG00b0Ivckk5WHJHT2hTc1dWb1NKb0pndlE1UmFpSENSN3lGL3lUSWVEV1NXMXlvbGJQS3hZRkxhYS81Y1RlY1MrSitpTEZYZ01nM1pwMktGUDNxSHBEMnN1Tmdxb0FUSlA0cE9JeUdQSlc5b3ZvQnVPUzRhSm0rUzVUbUN0dzN0M3F1Zm9GWGpyWm1BdWp5NGdCYmdRT2g2eFNaNk9RVVViMm9odVB4M3E0dEl2eXl1VE9VaGhQU3d1TytyVDR0eGc4b2RmNUFQYWNNUmFJelROWlhtbHc2WXZnb2Q2cWFEbkRiZkxvNWN3VVBWODNzZkRwU3JFZWVLVkRoME9LbE8rZXI3aVdxUzdWMTJ4eDdNa0hPN2pEbUw2Q28wMWZGR0V4T3BQQUFWc1F1ZkpqOVZSYjhxSkpUbTRGVnFJTGxFMWR6L1hLWWZCNGI3Nk5ueEhia0M1eGRhNDRYRmU5cUhOWXV6V2xvVVBveXEyVnNraVcwVEZFSHpOTCtJWkdsN2ExcTNSUTZ1UnlnM3U0dGE0cWVQbkdNcittMUZTM2xySFVNUG9sRzZKVysxdk9xbUVmM1ZMaGxhUG1LZXh4K1lLejhsRUdzMHNqWlFuRDRjWG8xQzF5YjdEb3JUTk9UcVdMN1JLcFpYQjl6MVlRWHJ2TW1WSThJeDEzL2k2ZE5Ndy9pK0lpRzh0TWJuNkRGTk1NdEdIallndDAyM0pOMVVkVHpwVG15YmptQW9URzlqL2ErUXY4dW5vWS9rT29qb1BJWVh3blJNSWFYT1dzYWl4OEVTdHE3WUdvYU5Nd3JxTzBJdDdyWUxHTXlZQklaZTNHR1BhRUdvc0tjMmtQbjk3WXNxaHB5R01HVkdIeXlidXlDdkd1blphM2pRRVBjc3ovOVA5Zmh3a1FUOGUxOGdMdjFrTVRwdis3MWg5SFQ2NmswZWdoMTA4bncxd1htdFNpSExRbWkvL0EySlV4Z05QWHdxVndpMzA2ZWVBSEcwTmY4dnpqQ2ZqNm5tcUxGbkM1K0dRVVJ1cFZrY1drSEZ5TnkxMWNwYUlIL1VBbUU4cFhQVHVPTUxXdGhLeTVJNEhEK1NmZDZWVkVpa0plcnMzVGIzMXEzMStkdCtDVmpGZ0hVNDMyQzBiOVJwNnVXY3lOMFZ5K1VHR0N2L0RjNW5kRjAyTmtkRUZ2SmZ3RlF0T1gxbWVXZVYyeHFQWGJzL3BlRllHWkpYZjFBQ0FCQWtGaFZsdkxkaDBNcWpyd1ZYeU85dW1wc1RCeWxlb0w2SlZXZlZRd3JsVU10YmVvRXErMW0rZTBDajJhSTNIb3RkelNLL2Y3U3RobEU1ODFyblFvcGN1VFNOcHk4Q0hYVU5iTjNpQWVEWnNnVEJjbk5LL1dOZ1dlVjg0dWN0ZHJydE5lZHFzZFlsRmR3R2YzdkpnTWlwWm0ybVE3M0U3THVmU0pERTRyWlRLV05abTdxb3dGQUJLRUJlUlQ0ZVlLNkFLbjAzbXFsSVgzb1FqanI1NnlLdTc3Mm9DaVhWYTlJUVJpRDN0OEVZeUZyVGQ4eXlLdWdvaUZlS0xDTDBwVkU4TzJ5UHlWSTBZMnI1Z0NLcFpVOVY0Y1ZNKzlkdS9Sem8xcFpoTUZNc0o0VUZaQURwY1Y3VEt5YjZqWWt5VzErUUZ4QXh3WUJLcFNzS0p6Q2dzVFVianRtUzhwa1VVb3pRMUR0NFBnS1k4ak1YL1VUSWRRVC8ydHZIbUdaM0IvdWZIUmdSV2FVMnRxcjFDQUxwREMrUXNiZmZtNHhrd0lmMHBWMFpPNGRUZXR6QlpUTExDbnppUXJ1c3B0ZVZnYnBNcWVOVi9RcXlWT2QzOWsxTW9PdE50amhLQy9yNnB6bUZGRjZNMDRpdHRCaldQQzJLSXk5NmQvWmRoRGJ2NUlXL0diVElyb2M4anhxeVkxV082bXc3SDhsVldPUjlwTEE9PTwveGVuYzpDaXBoZXJWYWx1ZT48L3hlbmM6Q2lwaGVyRGF0YT48L3hlbmM6RW5jcnlwdGVkRGF0YT48eGVuYzpFbmNyeXB0ZWRLZXkgSWQ9Il83ZDFjNThhZDQyM2E3YjQzODE3YmRhZjFlOWRiNGQ0ZiIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjcnNhLW9hZXAtbWdmMXAiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyI+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIiB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyIvPjwveGVuYzpFbmNyeXB0aW9uTWV0aG9kPjxkczpLZXlJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlCN3pDQ0FWZ0NDUURGemJLSXA3YjNNVEFOQmdrcWhraUc5dzBCQVFVRkFEQThNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0dBMVVFCkNBd0NSMEV4RERBS0JnTlZCQW9NQTJadmJ6RVNNQkFHQTFVRUF3d0piRzlqWVd4b2IzTjBNQjRYRFRFek1UQXdNakF3TURnMU1Wb1gKRFRFME1UQXdNakF3TURnMU1Wb3dQREVMTUFrR0ExVUVCaE1DVlZNeEN6QUpCZ05WQkFnTUFrZEJNUXd3Q2dZRFZRUUtEQU5tYjI4eApFakFRQmdOVkJBTU1DV3h2WTJGc2FHOXpkRENCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBMVBNSFltaFpqMzA4CmtXTGhaVlQ0dk91bHF4LzlpYm01Qjg2ZlBXd1VLS1EyaTEyTVl0ejA3dHp1a1B5bWlzVERoUWFxeUo4S3FiLzZKamhtZU1uRU9kVHYKU1BtSE84bTFaVnZlSlU2Tm9LUm4vbVAvQkQ3Rlc1MldoYnJVWExTZUhWU0tmV2tOazZTNGhrOU1WOVRzd1R2eVJJS3ZSc3cwWC9nZgpucWtyb0pjQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUNNTWxJTytHTmNHZWtldktna2FrcE1kQXFKZnMyNG1hR2I5MER2ClRMYlJaUkQ3WHZuMU1uVkJCUzloemxYaUZMWU9JblhBQ01XNWdjb1JGZmVUUUxTb3VNTThvNTdoMHVLamZUbXVvV0hMUUxpNmhuRisKY3ZDc0VGaUpaNEFiRitEZ21PNlRhcko4TzA1dDh6dm5Pd0psTkNBU1BaUkgvSm1GOHRYMGhvSHVBUT09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PHhlbmM6Q2lwaGVyRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjx4ZW5jOkNpcGhlclZhbHVlPm9qZlNObDlBTWNIMHd3V25FVjlSNkpHWVVlczNDclFEWTFTMDZ3ZkwrV20zYVQrNDE4aWUxQ25BLzZTU3BQY1Q1c3NsUVJMdkQ5dGlaYWZ0ai9XcGZyMGhITzJWT2k4QXQ5VGRYcmExSWprRkNyL0ZLQys4VkMvL2VGWVNtT0piSFo5TzZFRFBXSDArcm14WEZ5cmlFYXptOHhsb3J4bGdFejFiM1ArZHVkND08L3hlbmM6Q2lwaGVyVmFsdWU+PC94ZW5jOkNpcGhlckRhdGE+PHhlbmM6UmVmZXJlbmNlTGlzdD48eGVuYzpEYXRhUmVmZXJlbmNlIFVSST0iI181OGRhMTBkZThmOGMzMGVlYzU2ZjQxZTg2NDNkMDc3OSIvPjwveGVuYzpSZWZlcmVuY2VMaXN0PjwveGVuYzpFbmNyeXB0ZWRLZXk+PC9zYW1sMjpFbmNyeXB0ZWRBc3NlcnRpb24+PC9zYW1sMnA6UmVzcG9uc2U+
\ No newline at end of file
diff --git a/testdata/TestSPCanHandleOktaResponseEncryptedSignedAssertion_IDPMetadata b/testdata/TestSPCanHandleOktaResponseEncryptedSignedAssertion_IDPMetadata
new file mode 100644
index 00000000..fed77497
--- /dev/null
+++ b/testdata/TestSPCanHandleOktaResponseEncryptedSignedAssertion_IDPMetadata
@@ -0,0 +1,21 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkppsa1qwuFV4D7z0h7">
+<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+MIIDpDCCAoygAwIBAgIGAWW0dDUQMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi01MTMzOTQxHDAaBgkqhkiG9w0BCQEW DWluZm9Ab2t0YS5jb20wHhcNMTgwOTA3MTQzMjU5WhcNMjgwOTA3MTQzMzU5WjCBkjELMAkGA1UE BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNTEzMzk0MRwwGgYJ KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA oggcfiSRJ6PGoI8XHKUYd89/BPMmduzR365yUEKSK6TIOcA/jrnJzxWHT9PsvB4znaoEdg27dmX0 IZ2I0bjSoyvp4BT8ZtsuqpamsJOFDajfzrU/dMLIQCwY0+38F+x/gNNL+BhYb6zmrdvomb7yqI2E JuHMXMS786UY5GfD+/n0gRSvd+DpIW8ZlsZMG/llyxO1ZccuUqzkbiVV4w1y5PMvSBL7BAWsTn9G IckQsyF+fsG0bKlN3JQjHmjFUrT0cnWkAJjGIVmmrp9NUWyc/SI01i6WlwcQsKw4PB7EU3J8BINv 9mCGXpwp5vWXRdRGjTT4BmFm8lY0QXHqXa/2+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBypFox /IaTXAKFsRQi6WUG0QiBLCR8eLhSUDF3xkgELkNYDErQKNyVaXrYoHwPoWYpok6MYddMkoo2YuPG W6V4zDa0k0ulbzKlvbbZQpkzIJEj4dr+PaqmtHAe7C7YNkj4jlfJP6QdqMK+rCBVU3kCX2c/ARun Vy/pIuLowXrQUCF0cccePD8jryej+cmm9jjHWmQNfHDMAv/vpGSXV2W3bzNALXxfCoKqU15ii6YQ hXU85OE5qXEY92ab3D67gppte7eNn/G7D7cuAZhkt7wfLsjoCVK4bZOwxqUw6mPoXXFpkTnlSo86 p7wkbeii7Epjm5HcXTPPC7jd7ZOu3Hsr
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+<md:NameIDFormat>
+urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+</md:NameIDFormat>
+<md:NameIDFormat>
+urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+</md:NameIDFormat>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-513394.oktapreview.com/app/rstudioincdev513394_dev_1/exkppsa1qwuFV4D7z0h7/sso/saml"/>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-513394.oktapreview.com/app/rstudioincdev513394_dev_1/exkppsa1qwuFV4D7z0h7/sso/saml"/>
+</md:IDPSSODescriptor>
+</md:EntityDescriptor>
diff --git a/testdata/TestSPCanHandleOktaResponseEncryptedSignedAssertion_response b/testdata/TestSPCanHandleOktaResponseEncryptedSignedAssertion_response
new file mode 100644
index 00000000..1527ace0
--- /dev/null
+++ b/testdata/TestSPCanHandleOktaResponseEncryptedSignedAssertion_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vbG9jYWxob3N0OjgwMDAvc2FtbC9hY3MiIElEPSJpZDg0OTM4NjUxODIwNjgwNTY5NDI1MDUxNzciIEluUmVzcG9uc2VUbz0iaWQtNmQ5NzZjZGRlOGU3NmRmNWRmMGE4ZmY1ODE0OGZjMGI3ZWM2Nzk2ZCIgSXNzdWVJbnN0YW50PSIyMDIwLTAzLTAzVDE5OjMxOjU1Ljg5NVoiIFZlcnNpb249IjIuMCIgeG1sbnM6c2FtbDJwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxzYW1sMjpJc3N1ZXIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vd3d3Lm9rdGEuY29tL2V4a3Bwc2ExcXd1RlY0RDd6MGg3PC9zYW1sMjpJc3N1ZXI+PHNhbWwycDpTdGF0dXMgeG1sbnM6c2FtbDJwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpFbmNyeXB0ZWRBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjx4ZW5jOkVuY3J5cHRlZERhdGEgSWQ9Il8yZTYyMjQxZWU1Mzg5Zjc4OWM2NmI0OTc1NDdmZDkwYiIgVHlwZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjRWxlbWVudCIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMjU2LWNiYyIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIi8+PGRzOktleUluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpSZXRyaWV2YWxNZXRob2QgVHlwZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjRW5jcnlwdGVkS2V5IiBVUkk9IiNfNDM0MDhiODA0Zjg3MDE2YzdkZTk5MjM5ODFmNTg3MjQiLz48L2RzOktleUluZm8+PHhlbmM6Q2lwaGVyRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjx4ZW5jOkNpcGhlclZhbHVlPktxU3hnbzI4cldjc0pzL0F5K3ZPMHpkLy9CK3EvRHo1ZkZmY3A2cWQ0U0pPbTY4ekxFSEFkTkQ0TFExYjdCdkxrTzYzOW5RZ3JZcWJwM2UvVDNIOEdrSlg2REtHbDB5MnpkdjlJNjRJNUg3K1NFNFM2cjRFWmZlNzJXKzl5bm5FeUR3bmcxLy9FdUlDb1BsOUs4dE9lSTliUTZacjVreUt4OENTNGJFL01CMjJRSGhzc0pUMG9oa2kyTE9LUmg2MTlYbDh6Y1RJem1uZmRNb2tEUm1renNuVmlOa3NaK1Z3ZSt3dkgyUUNnWTFKK28yKzRmY28ya3pGdWN2ZUpkZng4dVRxVFp4dzRhRnRGQ2YvYXprOGpha0ZpazVSN0tZam1mZGxOL0QrOWFDY0tiYlFPMHFxd3AxKzNTNWFiSWczaHRIREIybkNYNnluSWl3S1ozc1B3bzNYVVRsREg2Q1NkTzRFSDVUN3NHcUhRV0ZIN0tLS0lGdHZrMUVhYjI4WXl2UnNrbVJZTXNNUG9tTUZGekt6MlpyM00yY1RBclZDS1dRSzh2RG9laFZyTzZyaHFHbmpCcWxpYkFHZjhleXRpbndEQjgvNm50RnU2aG1LZ0pOdzdFbEpwcU9sQm1ZUE5mU2MxMEMxTjZXS0hqOEZudGVHenE0MmxJdUIzcnFrME0zeGtSdytTYkhxU3FqRDFCbDFDM1gwWlRsMDh6Y2VJbmZ6Vmo1TEZ6YU5iRXFmV0ptRmNOaHhSMGNTekhjelBPT1RzdUlrTEdZZTkxejFkRG1SWTVMNmFyTlhWbzJadjc3NnI1dGgwSVk4cTUva1pjY3pzVERySW1sY1YrTWFtOTZRNjdOOWQ3VVhpVWpUcXdTUjh1TkxVMXpCWFppekpEU0sva25LMDlxZWg0UGxKcHdZcDVab0pLYVp2V0JsV1J2Mm9ZWDJkN3ZyS1kzSVpCanRLWllNQjZpR1MzWUZBbTc3d09xNGs0WWFjSkVBc2ZQaVZqNlJQaTQ4bTZOYnBSZ1ZzMmhZYTE0MzQ2amJqZlFVaWhrTnZ0Q00rM1VlcWU0bGowQVNwR3c3b1hkNVlkQWw4Z3hIc2xyTzNoY3J3Q0JqZTFhOXovaHRYdUU4RldWd2dSODgzbU1tR1hBZ2x1SkNUOUtaaUZvaXpFS0JyaW41NHFpT2R4YzU3ZEVPRmRna05XRXMvdTUwWjZCYWVzaXJvaGN6WFdsUGlWVWFaV0RlTzRzR3p6ajNiaHlPay9MZE53VDJGQ3VvWUlZbC9PWURhUWZVVjdUV3VLeHo5YlRaMVFKRTBMbjQxVjY0QzhGbmpZaldReDhWemFRUkFzVm55NFRSMkJvWmJrQ0VTUHo2eTZRUU1DNG90RC9YcStPMUlzT1pUTlJxNXUzNmo4T0xUVmNIZmdaNTJxVlRnNEJLL01PTmVEM2k3amZsTjNFR05LdGlmMzJkT2lGcTFRY0ZuTXFFL0xFYVJTMHNCdGpUaHRvanBxKzBpNHJrUjVISS9aLzVBOWZHb2hOZkhWa2dEakkvNmdGcGNGQ3lTZWJocEMwRXAzSXA5U09KRmRIQ2tjbjVLNXJYNDlSR0xFTXZtNzVTS05UOVl3RGtOSTlVcWdiQmxGMytMOXp6ZzhhWDFYbm41TWVPSDZCK2lZVlBZYXZkUjZ1WDZYbDVzR0pHRUFUNkNmQVBhdVBGUkNVU2d1LzJiUDlRYzV2Y2ZOeVhmTUJtNGVyTm5jd0NNbGhMRHN4NW1DQWVLdGRWaUxZWTlOclVTNy8vaEp0MmZseEZ5Q29tVXdlRi9pUDZVTVo2ZTV0UHIzK2hVdUZkY0FTMUNsU3FvSDRuVjJVSmVHR3ladC92c1orQmRNdkpoRmp1TEg5REtOVmRtSjFNM0ExRjZ0Ymx6dnFXajlRaVhEV2E2amxhRGxHRXR1NzdHUW5iOTU0MUVMYUZCYnhvRWYvbTNpS1NGUm04REE3NytaanhNUzMzTCtzUldaWm0rNWZJeGtvdUFWR0dGRHJ0M3lQMyt6bWVyWTVPUkN3cW9ZekdyMFRPZGRJS21UcmFrWi9uZnY4a0l1eFpIeUppdHBXSENZTkxMQlhFU3hLaXVKbFRSd0x6U2FWRFhhT3pGVTA2dWxUUVhHOThqazRqU1VhWHR5amV5NGUxT0V0V29oM3ZHVEFRNjczaVY2RlZ3VXdxYzVkQUh2MHV4aVVGaTlXWUsyckpqZ1dLVTN4VDRFZjlWUUZ5OVYrMUhZUDdpalRMWFF4eVlZZjFjTVV5OVlJVGlXbjVIS0ZwT0l6YWxLK2I1R1ZUbWdoZ0F5R0RZTjllOVo1ejg0V3BKN1N0L3FpLzM0a3V5bjRNN21WV2tPRGU4TElyZjkwWnViSk5ObkUwTTdMUldXYXZEUC8wak5OMEtJcW80cnVwRldEN2R3bDNKQWlSbzdJcEl0Rm0vQkpGb1hDWmZFTUgzOUxqL3dZNFF4Z2NuRFRKbmo1bGdUK3cvT0xvN1hJYlZRRHhjaE9WUkVqTWtKM3lKa2VmSktNUFFQUThGMGpKZ1NmM3VraWpuaTlSbG5Pd2EvVi8wVnF4RCs5NUtwNDhiMU5MR0FLN2hidVFZM3c3VFlzZWtteWZlbzRqbGZqWkZYWmFyTUExQWJ6cENvMTR2K2FCcGhnYXNzVjBjTDlxL0FyVERlK0pJM2c5Q09pN05PYm5FOHVhYjl3Z3FETzFCV1lEQ0Rnc2Z6WXFiRU9kYlE4SHZtZlBIaks5Nit3Tk55K2lDSFBvcnFiRzA1SDFsZHJyb2hVKzhkeklnOVkwMVlCc0RIUkVCU0lZMHU0QjdIYXMrQ1RnS2hSaysyQ3lWcmF0U3ZHWStuQkF6U0U5enBkTWpKbEJWaTRxeWgwcHlKeU1qQ2xESzNBMGxCYjlGd0M4RWpEdjVpbTMxZWJLMmhBQTJTRVBYZC91N01DeG1veDhKYVJBZzBxTVorZGtMZnpqNjBlUWlBalp1dGhNZ1prMWhiVzl5ZFordmRwRlBoeFVHTzd1QTA1ajc4QjkyRUxCYkxCWTMvZ09tMEplN3QrTmorTlMvbHZRN1Q4RytpT0lFZnY1S2ljU2M4dE1vWUVRWEtrK3VyZVFDQzBpOG5sOXZEdWFLMTNyNTZkM0YxMGxHN284SDYyR0ZBQm1rNnBlMVVZdDdWL3dwM2xPR09TcVBkUzJ1Q3hlR2g0aWNHcHJYeDNod3lmT3Q0TTErMnhvMjhkbHJqREtuOEhaTTZnTGRUcGlhMVc5WTFIallMNDdCcU12OEpuZGhQd2RTWkduUGhlWjJQQ00wN010bmNlRzBsemNBQmhJYUU4R0tDZ2RaRXpuODlwK3gwbVhtT2JOckJ4MTRKQU9Dd2F0N2tZdk5IS3VwckNrK1g3aW9pUTJmZmRzTkxOYktyZTdHT3cyRmZ0OUVXQU95RCsxQlFBbW4wdVI3NFBoSUJQTmFGN1o1dTdEYnRBZnV4cXR4Ym9ReFpEM1Q5M3ZWNTBnUFdIcHlVbHBRTUQ3ZEhiNVZ6aDlNWlFQYnNnSWhxeGV6U0x1dlI4dmFMT1lXbGxQcTFLTUY5dkZaNWl3U0Rjd0VTVGlXV3owNnRUMlZvZTRud2FxQk40MkhiTmVFdy9kMVpvNUR6Ujg2ZmYrQjE5c3crbGZZNTVHU0NkcENTM2kzWi9oRTVuNEZ6czhLdWhSTHlJaExKQTlYY3RTcjdyenljUFpyekhhN29QWFM3eUtCalRZVFN0ZTIzYVEvM2swQ2hoVXU5TVBzdlBiekNzV0NTQ1NtdFFZNjJtQy8vdVVQR1lFZUUxclZIWU9BeS9uWU9sc2R6NXc1Myt3VnVtVFVjTUx0V0hob1dsSVJEVlRhVklRL0FGcC9DbHpzV3lvRC90TlRoZ2Z2VlUrcVN3eTRvRVVVWHorRm9rU1dXYWFtRG11TkRFL2dJTUxWcExXNUd3UHdDWWFrNi9NUkJtVDFoVW1vdHVSL1hRUHpveElEc0UzZjQyN3V3amF0WW1wMGVqYUtWMVNXbG1NYVIzNmQ3MkJLQVovNHdvQkFXYXA3M05UVEFlZ25SL25EclZwRnNZbVpySFhQNldYaTNmY2dSWkR1QXNFdHg3R0tLNlNmMTlIMExoSVhiTXRiS0c1KzhRZFE4MnpjRW01bURreW9Ha3B2dzVuemhYNy9MOWV6SGY0Yiszcm9YU3dYTHVRRmNlT3RyZlkxb3FSWFo1YlI0MDdabXJiTTA1cXBVdUdNOThweHZybjgxaldvMXpxQ0lmckJORGNPN1hDZXVoS2JWTlJObis4TGJmV2FjMStWeUh2bUNScDJRTWxiTDVvdndodFM5UXhTSTQzRUpJbU4vczJVUS9JYVFXZXJYYVFJZjg1SEs1bjVaeTBqOWxBNFN5MlQzTXVnOXBSNitNU1RyWWNnRjVneTBxdzdEUWRoRTlhS3ZqSUY3REUzK0YwU21peHF5UzNBODBzeTZKUi96NlE1dDJKb3FjSVcyNTZHb2JXaEFYdytOWk9aT29ROXVEbkJnQ3E3VC9qcVMxamFhVlUxNVJ1TUNDSnpBTzlYSHpPVENxcURPeitMLzVqaU1xODd0ZThRTy8vZGlTVlErY1VaeHYxcGxmWURBRUpoUWtscG43eUpYdVJBVDE3S0xmbXRlaGJQNHBLM0hQNnVoZ3BFa2hZVHNHMlhweGg5VVluckQ0WTFSSzZXS2pPUDFWSzlWRU5FZ3FlMUhVTlZBbmQ3U3pUWVFnQWd6RHRuYWltNytYT1JNMEpVOFpwZWZBZ2Z6cTZtT1JIV2d6S252YTU4czVQeUYzSWk4dzN0ZmlCaEtZWjRFK3ZaVVF4NmFLUEgyNVp2U2ZYampvcDlXZ3hKN043d053WTVzZjlKd1UydnhHV29OdjVwbm84dlFKeXRkbzVzN1B3Z0NJd0FkZE5UbEZ1WEJVMEQ5aVphM2JUVUMyRHl1RFVkaGJqRkZPeldzQmR4R3h1eWYzbmtnZEhvTVBxREpYeStvKzRBU2MvZkRxbHFsaUJXa05TWmx5UWdieDJKY05BQzR0Zmw5OW9iNjl5Yyt3ZXVHU0p6YnEyM1U3Vk1HUUVObWxaR2Q5aHEwZVdCempRVVVWY3dzbHVLNk5uZTBoTk12djl2MUNoMW5sOXJna1I0bG5FWEUyQ1hhcW8xVWQ5bVdMVVJBUFZkdk9YWmNINHhiRzF2WEVPRUMxNVhBaTd0Ni9weEVkcGJLLy9rOWE2NFBld29KU0UxcUtSVGh6RmxBUTU4UzZPL21YNWJhdG9WbXo2ak02Zi9TbjFlQUVBdHFHdEFsY0lGZWNCejN2OGR6SE4wcGZrRk1lNnRLYjcybTZEYkpZVnA1blZYVjBKSjVkYjMxcXQrUVRkelp4eE5TWkJ3NUlGSXd3MXNtcnZpRmwrSUhQZlpMK1VNUUtZTk5seE8xRWxmcGFoTGpFMmtLSUQrYjkvWE9wZDI0UVA1YzZnTjJzNjNNZE92dVYwTzhqVGkwNXYxL1g0cGZ0aDYxNjl5bUZ4Q1Q1ODdMRzNscUw5T3QwbEVqODd3aEkxZ3gvTlNQcGRzWGZHSWRoZlY5MmtaT2cvQVhvZkJpb1NHQ0JYc3ZvZUdlMmFCdUZkSFFZUzJkcVl0d1Zta0F5OWhnUnA2N0paQ0FIRTJRaUIvdTRJQ0ovd3duNFduc0VBa2VIbmdlWDVZR0Y0azJwYmZqakVXbWxSWmFJVjVQSmFaU1B4TGpPWWdLb1pqZGx3L1B2cDdEWXRTVDdrTnNIRlU1WFgzNnFXS3Q2WEpaWGlDN0hJR2ZxQmtIdjhjWEdwYjExcitMNWJaZ2NvMWhzQ0ZlQ3JmamFWcnRhWDBtYjNOaUpsOGQ4ekhCcXRWSVRKMGtPNVQrU2JYZmVBa0NuQWFTUmp6QXNrdDd3b3kyY1BFVGk0eTlDQnlZYnZrWHJ5Q3RhQTgxNC9sY1FoWG9jQ1Fscmg2bVYxd0kxOS9VdFBsTnRQcUVyemtFK2QvT0tYWmtEUExydWJZQnhZQ21yb3VRVm9QMEwyQWc2TGErV2VVeTh4dm5mKzRrR2xnUittdDh6UjYrd1cvdWNvNkViK21RMVVTRTdiYVVDZXFsVjJNaVl1Yk4vMVp3MWNPNUFrcU05TlJaeG5RdUJWMXZiak5JbmhwNDgzTDJiOVAwa0RSNUJleFVDNnErL0E3NXpYNG5NUHY2VHhWWFRwV1Rrbzh2OXFQbWZQUkJhaGs2czdDbXY1M0ZkbE10RHI5cThheU9YRHBjbzRSbzlSMmpoWk9SOFM3bE0yRzNKZkxTYUpnUXBFa25kcnkrMjRBZVpFZXEwSGJoakNUVzM2TjJLeHdSMmxxbGg5Smk4WWJ5ZDd1eVlSenI0YmNmQ2lDZEVVSGhUSnJXM3BoLzU4VmVpTCtkcjV4eVdhVVBDMk5RTnFFcUlFa0w3Y1N6ZENkOUlwenY3N3ErMHdXT29xaGxua1dUK3dOeEZVaitidU03M1Z6aE4rb1poVlhZZHcxZitIZGtjY21IQXBWS2tXUVc3YUw4cllaelUycjdzQWlDMEsxNXg0WHZqdDV5ZEJhQS9HcU02MmhjZ1dXZlFmZW92MS9ZMmVFblA4Ykcycy9KZ0dlcEROcXJrQVpTR0J4NDlNUVdyYnNndEFLc3YvMGpHL2VUYXVmN3J2dDRMK29JOXFET25ZMTFzTnBSa3ByVDRKZCtlN3B4a0NlMmhoaWtsZWxZbXM2MDlXaDU0dWI4T0oyVGE1L0dnT3BKZHQ4Y1JrNXpKT1hLZGdGUDNTaWFVQjIzYXJ3TEEwS3U0cCtNUGNQOUdUeGdsSmxrK2N3QVRPVXRTL1pnYURQRnB1dTFBeXBKUi9RTUdMZ0JDbStxZkk5ZURqbWMxTXcyQXV0ajJ6Z2xrYnFtb1dadWdPTWdYZFZrSG5SU0ZOdmFqbUJId1lvc0dBWVZCQS8zM3o0QkFIZHp3aFZXbkZQUGF3b1FKcUJCaVVBeGFIOGxjeEpTVXdWUUMvaFoyQSt3TXNmdEtoOHpaeE43THJDakVEa2hON0l0NFFjcEVJYk50UG5oZ0JBWmR5TGo1YTFVUHRMY2llL3o2SGFLTmFxcUtvZjFTMll2RmlhemZLcjdnTGdkRXE0UHdKOFVrS2lIOER1TmthVWRNSDZ5cjd4Uis0SFVVRUhaRFpkbytLMWRxTnlGZWhJZ3dGM29BWE4wcFBQQ0ZjR0RYb20zWVkrWGw1RWRENTVDZEV3bUF6T3FCNDNCaTdtQm9kZmVTdXRKbG9YTlAreUpLSDJKemNuUE1wWDJpT2d5MmdwNGM0SThqdkJpSmp1bHJ4QTBsWW9aZTlXZUtkSVNQOHBkSzQxUFdwd2pkMnVPQ2VOcDZYaHNVbHZvWis0WHV4d2Q5MWRNZjJlQ2tJQUdMaHFsZUpIako3L2haa3JOTTVoYWJreGhnVGk5NVJkZ0Vzay9mR0lOS08yVTRKVXZPSkE2eUkra0QrOXRmbUxSVi9QeFhROGluZEtPWnZnYXk5MEErT3pVR1B2Mmc2UUJzSi9pR1laeVgwOE5QSFg4Wit4eGJRcTVnU0l6bkxkZ1ByTUZjWVZCeVl2Y3dMRytyTWZRcEt1eVV0Wk1WL0JCV3BXSFNxaE0rMkRwN0N2M3JYS3QzMjFnb09ZdzlPOEtzV3BhU29RSDJvU2c1Y2VBcW1TU1hUbGJyL1YramZEbjV0TldJVG9SZXpkVU5vQUVnbHJRbFJ4eHJlbklCN2xMUEFJVS9BbW1LYXVsb0V3dEl4eXJuRWRNL1A1QlJ1Q0JkTTZ1ZzNrOVJLYzlwNEVCcnZJempreEFsZzNva2VrQjhkWDh4UGhLZXd4dDBidm5yWWlsdXZSb01rSEpjYkJuelVvM2wvbjZBUmZhTUlnSDVRU1RhdFBiYmUvSlhrOHd1UG9iZVNocTFjT0ZOVFhET2VvRHNCbXNRS1RIeTlXZk0xano2R3FXYXk0VkFoYjh4NVllL1ByZ1VFVFZyeWFnRWNNUzZVdXJYODByUUZUTHltSSsweW9ORzIwcWxCVE12Ujl1dUwwVmVmYU9VaEI3NFFjS0lOajNMWFdRSytSTENpcmZMZFB4WGRhdz09PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWREYXRhPjx4ZW5jOkVuY3J5cHRlZEtleSBJZD0iXzQzNDA4YjgwNGY4NzAxNmM3ZGU5OTIzOTgxZjU4NzI0IiB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNyc2Etb2FlcC1tZ2YxcCIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIi8+PC94ZW5jOkVuY3J5cHRpb25NZXRob2Q+PGRzOktleUluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUI3ekNDQVZnQ0NRREZ6YktJcDdiM01UQU5CZ2txaGtpRzl3MEJBUVVGQURBOE1Rc3dDUVlEVlFRR0V3SlZVekVMTUFrR0ExVUUKQ0F3Q1IwRXhEREFLQmdOVkJBb01BMlp2YnpFU01CQUdBMVVFQXd3SmJHOWpZV3hvYjNOME1CNFhEVEV6TVRBd01qQXdNRGcxTVZvWApEVEUwTVRBd01qQXdNRGcxTVZvd1BERUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlZCQWdNQWtkQk1Rd3dDZ1lEVlFRS0RBTm1iMjh4CkVqQVFCZ05WQkFNTUNXeHZZMkZzYUc5emREQ0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUExUE1IWW1oWmozMDgKa1dMaFpWVDR2T3VscXgvOWlibTVCODZmUFd3VUtLUTJpMTJNWXR6MDd0enVrUHltaXNURGhRYXF5SjhLcWIvNkpqaG1lTW5FT2RUdgpTUG1ITzhtMVpWdmVKVTZOb0tSbi9tUC9CRDdGVzUyV2hiclVYTFNlSFZTS2ZXa05rNlM0aGs5TVY5VHN3VHZ5UklLdlJzdzBYL2dmCm5xa3JvSmNDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQ01NbElPK0dOY0dla2V2S2drYWtwTWRBcUpmczI0bWFHYjkwRHYKVExiUlpSRDdYdm4xTW5WQkJTOWh6bFhpRkxZT0luWEFDTVc1Z2NvUkZmZVRRTFNvdU1NOG81N2gwdUtqZlRtdW9XSExRTGk2aG5GKwpjdkNzRUZpSlo0QWJGK0RnbU82VGFySjhPMDV0OHp2bk93SmxOQ0FTUFpSSC9KbUY4dFgwaG9IdUFRPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48eGVuYzpDaXBoZXJEYXRhIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyI+PHhlbmM6Q2lwaGVyVmFsdWU+Y1dtRmZHU1VOM08rTGJxd1ZpbnJvMWlmZEJYNTYxOFdtRlI4KzJKQjRqUTdYSndtb1NlNG8yNTQxbkkrUStaL2R6MmhOUFc4bmF5MzdvUkRDa1RocnY2Q0RjZlFhYjBmZnFWUFUreGVrVnd0ejRBSWc5bWt0UFdSempnaGdCdUliU055aDJDZU45dUlwOWJwbVpYY09ScEZoZzMyWVpxRWhEUWxmMWdTUEpNPTwveGVuYzpDaXBoZXJWYWx1ZT48L3hlbmM6Q2lwaGVyRGF0YT48eGVuYzpSZWZlcmVuY2VMaXN0Pjx4ZW5jOkRhdGFSZWZlcmVuY2UgVVJJPSIjXzJlNjIyNDFlZTUzODlmNzg5YzY2YjQ5NzU0N2ZkOTBiIi8+PC94ZW5jOlJlZmVyZW5jZUxpc3Q+PC94ZW5jOkVuY3J5cHRlZEtleT48L3NhbWwyOkVuY3J5cHRlZEFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4=
\ No newline at end of file
diff --git a/testdata/TestSPCanHandleOktaSignedResponseEncryptedAssertion_IDPMetadata b/testdata/TestSPCanHandleOktaSignedResponseEncryptedAssertion_IDPMetadata
new file mode 100644
index 00000000..fed77497
--- /dev/null
+++ b/testdata/TestSPCanHandleOktaSignedResponseEncryptedAssertion_IDPMetadata
@@ -0,0 +1,21 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkppsa1qwuFV4D7z0h7">
+<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+MIIDpDCCAoygAwIBAgIGAWW0dDUQMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi01MTMzOTQxHDAaBgkqhkiG9w0BCQEW DWluZm9Ab2t0YS5jb20wHhcNMTgwOTA3MTQzMjU5WhcNMjgwOTA3MTQzMzU5WjCBkjELMAkGA1UE BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNTEzMzk0MRwwGgYJ KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA oggcfiSRJ6PGoI8XHKUYd89/BPMmduzR365yUEKSK6TIOcA/jrnJzxWHT9PsvB4znaoEdg27dmX0 IZ2I0bjSoyvp4BT8ZtsuqpamsJOFDajfzrU/dMLIQCwY0+38F+x/gNNL+BhYb6zmrdvomb7yqI2E JuHMXMS786UY5GfD+/n0gRSvd+DpIW8ZlsZMG/llyxO1ZccuUqzkbiVV4w1y5PMvSBL7BAWsTn9G IckQsyF+fsG0bKlN3JQjHmjFUrT0cnWkAJjGIVmmrp9NUWyc/SI01i6WlwcQsKw4PB7EU3J8BINv 9mCGXpwp5vWXRdRGjTT4BmFm8lY0QXHqXa/2+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBypFox /IaTXAKFsRQi6WUG0QiBLCR8eLhSUDF3xkgELkNYDErQKNyVaXrYoHwPoWYpok6MYddMkoo2YuPG W6V4zDa0k0ulbzKlvbbZQpkzIJEj4dr+PaqmtHAe7C7YNkj4jlfJP6QdqMK+rCBVU3kCX2c/ARun Vy/pIuLowXrQUCF0cccePD8jryej+cmm9jjHWmQNfHDMAv/vpGSXV2W3bzNALXxfCoKqU15ii6YQ hXU85OE5qXEY92ab3D67gppte7eNn/G7D7cuAZhkt7wfLsjoCVK4bZOwxqUw6mPoXXFpkTnlSo86 p7wkbeii7Epjm5HcXTPPC7jd7ZOu3Hsr
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+<md:NameIDFormat>
+urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+</md:NameIDFormat>
+<md:NameIDFormat>
+urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+</md:NameIDFormat>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-513394.oktapreview.com/app/rstudioincdev513394_dev_1/exkppsa1qwuFV4D7z0h7/sso/saml"/>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-513394.oktapreview.com/app/rstudioincdev513394_dev_1/exkppsa1qwuFV4D7z0h7/sso/saml"/>
+</md:IDPSSODescriptor>
+</md:EntityDescriptor>
diff --git a/testdata/TestSPCanHandleOktaSignedResponseEncryptedAssertion_response b/testdata/TestSPCanHandleOktaSignedResponseEncryptedAssertion_response
new file mode 100644
index 00000000..21189fa8
--- /dev/null
+++ b/testdata/TestSPCanHandleOktaSignedResponseEncryptedAssertion_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vbG9jYWxob3N0OjgwMDAvc2FtbC9hY3MiIElEPSJpZDg0OTUyMTk5Njg5MDU3MzYxODk2OTM5MzMzIiBJblJlc3BvbnNlVG89ImlkLWE3MzY0ZDFlNDQzMmFhOTA4NWE3YThiZDgyNGVhMmZhOGZhOGY2ODQiIElzc3VlSW5zdGFudD0iMjAyMC0wMy0wM1QxOToyNDoyOS4yMTNaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48c2FtbDI6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5IiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cDovL3d3dy5va3RhLmNvbS9leGtwcHNhMXF3dUZWNEQ3ejBoNzwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48ZHM6UmVmZXJlbmNlIFVSST0iI2lkODQ5NTIxOTk2ODkwNTczNjE4OTY5MzkzMzMiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3NoYTI1NiIvPjxkczpEaWdlc3RWYWx1ZT5mSmFzQXdHNHQrOTh3MGFDY1h1dy9VbEdqQkRRcWtxeWpYQjFIMWdtN09nPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5SR2RFaHJRRURiRHRxcHVrRlFveEtmVTl2cmJxNnNyTjJucHBSOG13bnhDL21VZG1kT0lTMlRwRFl6UjlPTlZVY3FzOUR5UWxwRzZhQWVvSFN0eVFDUnlYcEV1MjVUNmVLTHgyNnNGMjNsSXNmenRXWVZlaXRWVzJlaEttRXdoc3RxOUZlRmxPd2p2SkhGUWJKMHVJK2NpbjVFY1Nhc2FJV0Y4b2oySlJxcnl5cXRDbFl2WUNOd3JDL090TjVqcUg2aVNhaWVhUmM2c3hPQlR0amNGTkp2cnVKY29JaTFrV2lkaEVlWUdjVnJTT1dJVGJFWWl2UnNWczVGYUxIdTBNaUVSeG91ZG9GNEwrMDJnZWdoN21MOG1Na1RUTWdtSEd6NklJdk1JbEpoZkthRjJJNE1Na1F5c2pHQ3RBb201NG5Va0tKOXNVRDlxbFJpWStidjkvNUE9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRHBEQ0NBb3lnQXdJQkFnSUdBV1cwZERVUU1BMEdDU3FHU0liM0RRRUJDd1VBTUlHU01Rc3dDUVlEVlFRR0V3SlZVekVUTUJFRwpBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFQ2d3RVQydDBZVEVVCk1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhFekFSQmdOVkJBTU1DbVJsZGkwMU1UTXpPVFF4SERBYUJna3Foa2lHOXcwQkNRRVcKRFdsdVptOUFiMnQwWVM1amIyMHdIaGNOTVRnd09UQTNNVFF6TWpVNVdoY05Namd3T1RBM01UUXpNelU1V2pDQmtqRUxNQWtHQTFVRQpCaE1DVlZNeEV6QVJCZ05WQkFnTUNrTmhiR2xtYjNKdWFXRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVZMmx6WTI4eERUQUxCZ05WCkJBb01CRTlyZEdFeEZEQVNCZ05WQkFzTUMxTlRUMUJ5YjNacFpHVnlNUk13RVFZRFZRUUREQXBrWlhZdE5URXpNemswTVJ3d0dnWUoKS29aSWh2Y05BUWtCRmcxcGJtWnZRRzlyZEdFdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQQpvZ2djZmlTUko2UEdvSThYSEtVWWQ4OS9CUE1tZHV6UjM2NXlVRUtTSzZUSU9jQS9qcm5KenhXSFQ5UHN2QjR6bmFvRWRnMjdkbVgwCklaMkkwYmpTb3l2cDRCVDhadHN1cXBhbXNKT0ZEYWpmenJVL2RNTElRQ3dZMCszOEYreC9nTk5MK0JoWWI2em1yZHZvbWI3eXFJMkUKSnVITVhNUzc4NlVZNUdmRCsvbjBnUlN2ZCtEcElXOFpsc1pNRy9sbHl4TzFaY2N1VXF6a2JpVlY0dzF5NVBNdlNCTDdCQVdzVG45RwpJY2tRc3lGK2ZzRzBiS2xOM0pRakhtakZVclQwY25Xa0FKakdJVm1tcnA5TlVXeWMvU0kwMWk2V2x3Y1FzS3c0UEI3RVUzSjhCSU52CjltQ0dYcHdwNXZXWFJkUkdqVFQ0Qm1GbThsWTBRWEhxWGEvMitRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCeXBGb3gKL0lhVFhBS0ZzUlFpNldVRzBRaUJMQ1I4ZUxoU1VERjN4a2dFTGtOWURFclFLTnlWYVhyWW9Id1BvV1lwb2s2TVlkZE1rb28yWXVQRwpXNlY0ekRhMGswdWxiektsdmJiWlFwa3pJSkVqNGRyK1BhcW10SEFlN0M3WU5rajRqbGZKUDZRZHFNSytyQ0JWVTNrQ1gyYy9BUnVuClZ5L3BJdUxvd1hyUVVDRjBjY2NlUEQ4anJ5ZWorY21tOWpqSFdtUU5mSERNQXYvdnBHU1hWMlczYnpOQUxYeGZDb0txVTE1aWk2WVEKaFhVODVPRTVxWEVZOTJhYjNENjdncHB0ZTdlTm4vRzdEN2N1QVpoa3Q3d2ZMc2pvQ1ZLNGJaT3d4cVV3Nm1Qb1hYRnBrVG5sU284NgpwN3drYmVpaTdFcGptNUhjWFRQUEM3amQ3Wk91M0hzcjwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sMnA6U3RhdHVzIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48c2FtbDJwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbDJwOlN0YXR1cz48c2FtbDI6RW5jcnlwdGVkQXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48eGVuYzpFbmNyeXB0ZWREYXRhIElkPSJfM2I2MWMxYmI3YTQxOTUzNjE5YmRlZjQxMjM4ODFhMGIiIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI0VsZW1lbnQiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyI+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI2FlczI1Ni1jYmMiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIvPjxkczpLZXlJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6UmV0cmlldmFsTWV0aG9kIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI0VuY3J5cHRlZEtleSIgVVJJPSIjX2QxOWE1OGQ5NGMxODE1NDA2YmQwMGFlZmQxNzJiODVkIi8+PC9kczpLZXlJbmZvPjx4ZW5jOkNpcGhlckRhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpDaXBoZXJWYWx1ZT4zVmdtUUwzb0hWanZtR1J4WUZveFJKMlpqcks2MDRZaDZnQ2h6K2t2OGEvOFdPd1E5R1dzZkVoWWJsam1jblJFbDh3N25aejZIZW1YZmI2WFRlTWh6Q2JUaVFZSEFjRThBZlVLaHRISGVLZk1RTWV5eTlnZ1pEM3ljT2lWQ0RQKzYraVo4cjY1WUExK24wVnc1WTJUMVJFSXpZOG1FZUdIWkNUVERJb21oRmRPYUhWRkltM2ZSQmREaXFrM0xFRWVvRG11V25uWkJpSnJ1OFNkbDkwcC8xK0x3NXVrNFhDSWd3MDc3Q0Z0WHYxb2MxcnFSUkd5TmhFWHJpWGhLMVdCck5Jemt3dVZZTVRmR0lzalREbFRJVWZUOGNwckY1ZGtQMmFyb1FEMWFlWGtyY2E2VWpYVTV0MkZ2NEYwZ1lSems3TkR2WERaSmxtNTM0Z21MSnB2YWNpQUtKZ3g1VnBpd09FL1VwVFMzbzJzRzBNZnZYUnl2N1MwdkJBSlRKUDdVUmJOczVUaTRQeHN2STV6aUM3Um9RRkZYN3BaWWZxcllCanVrbm00eDNBOFdGYzVjZFdtZEV6eHorUmQwMEpFNXBVN3VJaVZpNlF6S2cramlPWTREUzdVVStGL2pZdEluS0VaSkVFb3AvOVZ0SFJxZ1lqN3pxcGRwZTJ3SjFqcklQY05qcUlXZFY1YUhlajVsazZjWkJIcjBlRnVEWks0WDNNaDVQUnQ5UkVSb1hkbWt1N1M2cG93b0g3bEtEUEpIVEFkUVhUSFZvYXR3ZGI4VTd0Qy9kYVlvbGFrRXk2NVJ2Y01halFtYVJTeDgrVWwvZDBxMGIvUUZoWUh2NVZkTXNYYWRBU0Q0U0lWd1Mwa2FFSloxNmVhQkpPRG1WV1M0Y1YrdUxjUE9VdTZyV0t1NjhpVG9ZUDhESjFZZFNjRjhjcE0xbUNGVGFPNlpjT3RhRUQvRXJMdkJCdnFPOWgwT1EvWVo4TjVSN0hKSnQ3UlRHanV4TjBQMkxpYVcvem1vdTE1b2pySmJyZFRDZWxFV3dyWG5QTzRweXVTc01sL0tETC9JSm9aY3YxTlQ4aStKa2NuOXBQdVZuQ3BXckZnWWRGOWZTZkwrWDNraXd0SjlybjNYaVNvUVh2RUo5SjU4b3dzTWg0bjNFUFVJcnpFT3E1VGVibjVpTmxvdVMyOUhKR3RNeHphOG03UllhcDdkZjExeDE5bStrTDVmc0tnNHRzM1V1TWhVdkovblM5S1VtWWtFOENKdDF1cndWNThEem9EZ3dNTkRmbFphWGRYUmQ1MWtCVVE3Q2lab1p2NFVudkpCQXJNUjhVMHpoOG16M2xqdHpEdGdsVzBFSGNJdFp4b2htUlpLVHZVMXdOa2FHcmtwV3V4aXczSWhKTnF3blZlTG5wWkFvbEt6b1RlWkpjUjVxOHBzNEsvVnhwajhQK3pOcXJJSWpCRUtJbFVyMHl3UjZFbUpLTjFHWXpTaXF3VHdQNGp5MzIrZThuOUVQck9ka0NuWEJhak1pMlV2Rk5mQm05TWVUenY4RGNxWVphZUFhMUp6ZUl4TTd0YVozb0UxSzNYTjBYQ0tPUmJGT01SY2wwSHhQRE9vdDVQb2lDZ0xoeDNxVGJGUHdCcUdkazBmQTZmUDFNWmNMUm55N2lkdVpOQjhINHFBSlo0UU9icHgzSWZNaWxrclpxY29yNXMrMGhHMDBaZFE4YUgwa1lLejJZNDFQaFk5dTRwUXo1NXlhZkJtTGdCamREWDJNNHBiOHRnRmRsMUVyWWtkbW1TeFphNmhWRXk3QUU5Wkh2ZGV5dXZ1cFo0c1NwY1hldm5vMk5SeUVDWmwybHZyZGhkc0N6amJqRFRVM0JIRWczUjFnTTlhOWdJZzg1RklGejJIL3FxcnU0Snppdk1VZmdLdjZHdnpnSXpzWVFkSFhrTklsQkdEMFhSSEZiWGFLWXVYY3MzTDhHNzMrRXhiN1dPYTkzekRKMVNNRCt5cFpNOVNwMVZRbk5Qa2lWeExiTDNxQ01KUUZOQy9jM2theTVINUR1cUt6QjZZbjNtV2FKZjY3YmIzeXNNd255MnBTRSt4eW1BN0V0UVQwbzROWE9hRFQxQVE2bDhxeDNNUW51RUZubWg0L0xZV3FIVUtmTzhETkllR1FZS3BGcHJ4SVp1bVhLQlEvalpUdUF6dUVLUEZRY1hoU2dTM1NNUnAzYXI2aGhPbEs1dTNha0dKUURhYnZsVlZEckt6cDJrVWxoRjlVUnFtQVU0SlNSQTYrY3M2TFQxc1J1czd5V0JleWtsTnlaMnByUUpBV1prVHlaZDVKKzlwb3dvcUhQdGdhN2tEMlFNY0lJTm90QW5IWktnM2Z3UVlhWnJRME5rbUhWREw3akE5SloxUDgvYzdDdzRRMDFnWUIvZmwwVzJKZ3FHZlpnR29kSTdrM3dySmxxYlNQeGt3cWdnVytVSm42d2VGTWV4R0d3dHJseGhid0NhVjVMTXpjNk96dkdkallFM3FKQlhFRkNCdUVJcEozUXRsM2hNcXoxUEZXRXpIcWl1TUlxOG9FM1UyYXAvV2FrOXBtRkNGTll3L1k1Ry9pTE04QUFXRWwrTml3ZFN2N2xVN0wrOHM2NFJKRXJRdHplVFdTR1lneTlaRit5T1E2NUNpMHNaNlJYbEhtZkJMRWo0MHhrY0hrc1NqeHBKc0lOS1Izd0VPcWliSTNKVE1NYUpYc0FCbkhNbWtWanNyR0FQMnBtOVFQempvQ01NY3J0NHM5WDB6T2hKWEhPK2xqTzRVeWpZQkJxVUV3em1tR2V3V01OWVBVQlFrQmJnZlFwYmFNeTR2eTl1SURVWDBOVGRUSGlseUtpR3NnQmtXOWlLcm0yNTl3Ujl2eks2WG55ODcrR1J1TkRIZitLMnFlcy9UVE0xc292aU5oWUJaclV0Q2cyZnovcz08L3hlbmM6Q2lwaGVyVmFsdWU+PC94ZW5jOkNpcGhlckRhdGE+PC94ZW5jOkVuY3J5cHRlZERhdGE+PHhlbmM6RW5jcnlwdGVkS2V5IElkPSJfZDE5YTU4ZDk0YzE4MTU0MDZiZDAwYWVmZDE3MmI4NWQiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyI+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS1vYWVwLW1nZjFwIiB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiLz48L3hlbmM6RW5jcnlwdGlvbk1ldGhvZD48ZHM6S2V5SW5mbyB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQjd6Q0NBVmdDQ1FERnpiS0lwN2IzTVRBTkJna3Foa2lHOXcwQkFRVUZBREE4TVFzd0NRWURWUVFHRXdKVlV6RUxNQWtHQTFVRQpDQXdDUjBFeEREQUtCZ05WQkFvTUEyWnZiekVTTUJBR0ExVUVBd3dKYkc5allXeG9iM04wTUI0WERURXpNVEF3TWpBd01EZzFNVm9YCkRURTBNVEF3TWpBd01EZzFNVm93UERFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba2RCTVF3d0NnWURWUVFLREFObWIyOHgKRWpBUUJnTlZCQU1NQ1d4dlkyRnNhRzl6ZERDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQTFQTUhZbWhaajMwOAprV0xoWlZUNHZPdWxxeC85aWJtNUI4NmZQV3dVS0tRMmkxMk1ZdHowN3R6dWtQeW1pc1REaFFhcXlKOEtxYi82SmpobWVNbkVPZFR2ClNQbUhPOG0xWlZ2ZUpVNk5vS1JuL21QL0JEN0ZXNTJXaGJyVVhMU2VIVlNLZldrTms2UzRoazlNVjlUc3dUdnlSSUt2UnN3MFgvZ2YKbnFrcm9KY0NBd0VBQVRBTkJna3Foa2lHOXcwQkFRVUZBQU9CZ1FDTU1sSU8rR05jR2VrZXZLZ2tha3BNZEFxSmZzMjRtYUdiOTBEdgpUTGJSWlJEN1h2bjFNblZCQlM5aHpsWGlGTFlPSW5YQUNNVzVnY29SRmZlVFFMU291TU04bzU3aDB1S2pmVG11b1dITFFMaTZobkYrCmN2Q3NFRmlKWjRBYkYrRGdtTzZUYXJKOE8wNXQ4enZuT3dKbE5DQVNQWlJIL0ptRjh0WDBob0h1QVE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjx4ZW5jOkNpcGhlckRhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpDaXBoZXJWYWx1ZT5yRDl5RUpXdDBRbSt4UURSZXFRVUNEZDN5dEpiWTVtb01zcG5iZzcrY0ZWY1VrN2hVaDRScFpIUldSM2FkWTBRK2drQU1JcUhXYjFaZEFQL2g5emV0RktYVnFiajl4Y2FkSUFnR0UvQWZBMUs5SndXZVZQbmdjeERCNlZ0RU1oZG01cVJEemVnMEJSUnMwTE4xMTRObEN4dHhEMkx5R1c5M0NkZ2t2VXBnYWM9PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjx4ZW5jOlJlZmVyZW5jZUxpc3Q+PHhlbmM6RGF0YVJlZmVyZW5jZSBVUkk9IiNfM2I2MWMxYmI3YTQxOTUzNjE5YmRlZjQxMjM4ODFhMGIiLz48L3hlbmM6UmVmZXJlbmNlTGlzdD48L3hlbmM6RW5jcnlwdGVkS2V5Pjwvc2FtbDI6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/testdata/TestSPCanHandleOneloginResponse_IDPMetadata b/testdata/TestSPCanHandleOneloginResponse_IDPMetadata
new file mode 100644
index 00000000..6203a80a
--- /dev/null
+++ b/testdata/TestSPCanHandleOneloginResponse_IDPMetadata
@@ -0,0 +1,41 @@
+<?xml version="1.0"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/503983">
+  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIECDCCAvCgAwIBAgIUXun08CslLRWSLqNnDE1NtGJefl0wDQYJKoZIhvcNAQEF
+BQAwUzELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA2N0dTEVMBMGA1UECwwMT25lTG9n
+aW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDMyNjE0MB4XDTEzMDkz
+MDE5MzU0NFoXDTE4MTAwMTE5MzU0NFowUzELMAkGA1UEBhMCVVMxDDAKBgNVBAoM
+A2N0dTEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBB
+Y2NvdW50IDMyNjE0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0OG8
+V8mhovkj4rhGhjrbExRYbzKV2ZxfvGfEGXGUvXc6DqejYEdhZ2mIfCDojhQjk0By
+wiirAKMOt1GNuH7aWIE47D0ewtK5ylEAm7eVmoY4kxLCaW5wYrC1SzMnpeitUxqv
+sbnKz3jUKYHRggpfvVj4siHDZeIZa9a5rUvpMnnbOoFiZCIENpq3TC33ivOSZhEN
+RTzmvnk5GDoLHw/8qAgQiyT3D1xCkSBb54PHgkQ5Rq1odLM/hJ+L0jzCUQH4gxpW
+lEAab4K9s8fpBUBBh5gmJCYi8UbIlhqO8N2mynum33BU/vJ3PnawT4YYkTwRUx6Y
++3fpmRBHql4h83SMewIDAQABo4HTMIHQMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
+FOfFFjHFj9a6xpngb11rrhgMe9ArMIGQBgNVHSMEgYgwgYWAFOfFFjHFj9a6xpng
+b11rrhgMe9AroVekVTBTMQswCQYDVQQGEwJVUzEMMAoGA1UECgwDY3R1MRUwEwYD
+VQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgMzI2
+MTSCFF7p9PArJS0Vki6jZwxNTbRiXn5dMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG
+9w0BAQUFAAOCAQEAMgln4NPMQn8Gyvq8CTP+c2e6CUzcvREKnThjxT9WcvV1ZVXM
+BNPm4cTqT361EdLzY5yWLUWXd4AvFnciqB3MHYa2nqTmnvLgmhkWe+hdFoNe5+IA
+8AxGn+nqUISmyBeCxuUUAbRMuowiArwHIpzpEyRIYdSZRNF0dvgiPYyr/MiPXIcz
+pH5nLkvbLpcAF+R8Zh9nwY0g1JVyc6AB6j7YexuUQZpHH4s0Vdx/nWmrcFeLZKCT
+xcahHvU50e1yKX5thfVaJqI8QQ7xZxyu0TTsiaX0uw51JPOzPuAPph0z6xoS9oYx
+uzZ1y9sNHH6kH8GFnvS2MqyHiNz0h0Sq/q6n+w==</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.onelogin.com/trust/saml2/http-post/sso/503983"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.onelogin.com/trust/saml2/http-post/sso/503983"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://app.onelogin.com/trust/saml2/soap/sso/503983"/>
+  </IDPSSODescriptor>
+  <ContactPerson contactType="technical">
+    <SurName>Support</SurName>
+    <EmailAddress>support@onelogin.com</EmailAddress>
+  </ContactPerson>
+</EntityDescriptor>
diff --git a/testdata/TestSPCanHandleOneloginResponse_response b/testdata/TestSPCanHandleOneloginResponse_response
new file mode 100644
index 00000000..1031d302
--- /dev/null
+++ b/testdata/TestSPCanHandleOneloginResponse_response
@@ -0,0 +1 @@
+PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJwZnhlZDg4YzQzZC02NTA0LWUxZjEtNWFmMC00MGJlN2YyNzlmYzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjExWiIgRGVzdGluYXRpb249Imh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9hY3MiIEluUmVzcG9uc2VUbz0iaWQtZDQwYzE1YzEwNGI1MjY5MWVjY2YwYTJhNWM4YTE1NTk1YmU3NTQyMyI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzUwMzk4Mzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhlZDg4YzQzZC02NTA0LWUxZjEtNWFmMC00MGJlN2YyNzlmYzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlNWQWFRZzh2bW1TUUw2L1lCbVMyeWRLUlA3ST08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+c0JlVFZQMGJab1BSK2JmeUFrVnY2STNDVjdZOFhxbkoycjhmMStXbXIyZ0ZnblJGODVOdnZTUCtyMUJvN250dU9zd080ZkI0Uks0SHlTYnlsZzRiS0hLSDE5WDkxaFZBekpTeXNmbVMvZDV3ZzFDZmlXV3Q1UzJIQTUwOHRoWHVabndHM1h6NktuV0s4a1JkeDFkYytZUldnYUZ5ZDRnTEc5YUJUc1hPWjd2eC83UDRicnpORW00d1A5LzB0dWZ4Rytuc1k2RHB3bkVHQ2psK1ZVS3BnekVxd05OalFxWUZZU0FYRWsrVnQrWDNjMmQwSElyWlF2WW5OaDAyS3h1d1ZCVGhuM01helFOYU54Qy9zeWYza0RRQ1JyWkNZbytZdER1ZHpKVTlwM0EwWVhIVFFjc2RldHNIWlhDTWozbXV2emMwbUVCbHc0TGJjaEttbmJ5Wm1nPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUVDRENDQXZDZ0F3SUJBZ0lVWHVuMDhDc2xMUldTTHFObkRFMU50R0plZmwwd0RRWUpLb1pJaHZjTkFRRUZCUUF3VXpFTE1Ba0dBMVVFQmhNQ1ZWTXhEREFLQmdOVkJBb01BMk4wZFRFVk1CTUdBMVVFQ3d3TVQyNWxURzluYVc0Z1NXUlFNUjh3SFFZRFZRUUREQlpQYm1WTWIyZHBiaUJCWTJOdmRXNTBJRE15TmpFME1CNFhEVEV6TURrek1ERTVNelUwTkZvWERURTRNVEF3TVRFNU16VTBORm93VXpFTE1Ba0dBMVVFQmhNQ1ZWTXhEREFLQmdOVkJBb01BMk4wZFRFVk1CTUdBMVVFQ3d3TVQyNWxURzluYVc0Z1NXUlFNUjh3SFFZRFZRUUREQlpQYm1WTWIyZHBiaUJCWTJOdmRXNTBJRE15TmpFME1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBME9HOFY4bWhvdmtqNHJoR2hqcmJFeFJZYnpLVjJaeGZ2R2ZFR1hHVXZYYzZEcWVqWUVkaFoybUlmQ0RvamhRamswQnl3aWlyQUtNT3QxR051SDdhV0lFNDdEMGV3dEs1eWxFQW03ZVZtb1k0a3hMQ2FXNXdZckMxU3pNbnBlaXRVeHF2c2JuS3ozalVLWUhSZ2dwZnZWajRzaUhEWmVJWmE5YTVyVXZwTW5uYk9vRmlaQ0lFTnBxM1RDMzNpdk9TWmhFTlJUem12bms1R0RvTEh3LzhxQWdRaXlUM0QxeENrU0JiNTRQSGdrUTVScTFvZExNL2hKK0wwanpDVVFINGd4cFdsRUFhYjRLOXM4ZnBCVUJCaDVnbUpDWWk4VWJJbGhxTzhOMm15bnVtMzNCVS92SjNQbmF3VDRZWWtUd1JVeDZZKzNmcG1SQkhxbDRoODNTTWV3SURBUUFCbzRIVE1JSFFNQXdHQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZPZkZGakhGajlhNnhwbmdiMTFycmhnTWU5QXJNSUdRQmdOVkhTTUVnWWd3Z1lXQUZPZkZGakhGajlhNnhwbmdiMTFycmhnTWU5QXJvVmVrVlRCVE1Rc3dDUVlEVlFRR0V3SlZVekVNTUFvR0ExVUVDZ3dEWTNSMU1SVXdFd1lEVlFRTERBeFBibVZNYjJkcGJpQkpaRkF4SHpBZEJnTlZCQU1NRms5dVpVeHZaMmx1SUVGalkyOTFiblFnTXpJMk1UU0NGRjdwOVBBckpTMFZraTZqWnd4TlRiUmlYbjVkTUE0R0ExVWREd0VCL3dRRUF3SUhnREFOQmdrcWhraUc5dzBCQVFVRkFBT0NBUUVBTWdsbjROUE1RbjhHeXZxOENUUCtjMmU2Q1V6Y3ZSRUtuVGhqeFQ5V2N2VjFaVlhNQk5QbTRjVHFUMzYxRWRMelk1eVdMVVdYZDRBdkZuY2lxQjNNSFlhMm5xVG1udkxnbWhrV2UraGRGb05lNStJQThBeEduK25xVUlTbXlCZUN4dVVVQWJSTXVvd2lBcndISXB6cEV5UklZZFNaUk5GMGR2Z2lQWXlyL01pUFhJY3pwSDVuTGt2YkxwY0FGK1I4Wmg5bndZMGcxSlZ5YzZBQjZqN1lleHVVUVpwSEg0czBWZHgvbldtcmNGZUxaS0NUeGNhaEh2VTUwZTF5S1g1dGhmVmFKcUk4UVE3eFp4eXUwVFRzaWFYMHV3NTFKUE96UHVBUHBoMHo2eG9TOW9ZeHV6WjF5OXNOSEg2a0g4R0ZudlMyTXF5SGlOejBoMFNxL3E2bit3PT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBWZXJzaW9uPSIyLjAiIElEPSJBZDk0NWFlZGEzOGE1MDhmOGZhYzliYzk2MTNkNTk2NDJjMGQyZDhjYiIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjExWiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzUwMzk4Mzwvc2FtbDpJc3N1ZXI+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnJvc3NAa25kci5vcmc8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTYtMDEtMDVUMTc6NTY6MTFaIiBSZWNpcGllbnQ9Imh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9hY3MiIEluUmVzcG9uc2VUbz0iaWQtZDQwYzE1YzEwNGI1MjY5MWVjY2YwYTJhNWM4YTE1NTk1YmU3NTQyMyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTAxLTA1VDE3OjUwOjExWiIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjU2OjExWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovLzI5ZWU2ZDJlLm5ncm9rLmlvL3NhbWwvbWV0YWRhdGE8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjEwWiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxNi0wMS0wNlQxNzo1MzoxMVoiIFNlc3Npb25JbmRleD0iX2ViZGNiZTgwLTk1ZmYtMDEzMy1kODcxLTM4Y2EzYTY2MmYxYyI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyIgTmFtZT0iVXNlci5lbWFpbCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+cm9zc0BrbmRyLm9yZzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBOYW1lPSJtZW1iZXJPZiI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9IlVzZXIuTGFzdE5hbWUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPktpbmRlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBOYW1lPSJQZXJzb25JbW11dGFibGVJRCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9IlVzZXIuRmlyc3ROYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5Sb3NzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+Cgo=
\ No newline at end of file
diff --git a/testdata/TestSPCanHandlePlaintextResponse_IDPMetadata b/testdata/TestSPCanHandlePlaintextResponse_IDPMetadata
new file mode 100644
index 00000000..ed5a1f2c
--- /dev/null
+++ b/testdata/TestSPCanHandlePlaintextResponse_IDPMetadata
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=C02dfl1r1" validUntil="2021-01-03T16:17:49.000Z">
+  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAVISlIlYMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
+bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
+b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMTYwMTA1
+MTYxNzQ5WhcNMjEwMTAzMTYxNzQ5WjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
+TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAmUfMUPxHSY/ZYZ88fUGAlhUP4Ni7zj54vsrsPDA4UhQiReEDRunN1q3OHsShRong
+gd4LvA83/e/3pm/V60R6vyMfj3Z/IGWY+eZ97EJUvjktt+VRoAi26oeY9ZW6S85yapvA3iuhEwIQ
+OcuPm1OqRQ0yQ4sUD+WtL/QSmlYvDP5TK1d6whTisNsKSqeFZCb/s9OX01UexW1BuDOLeVt0rCW1
+kRNcBBLDmd4hnDP0SVq7nLhNFYXj2Ea6WsyRAIvchaUGy+Ima2okXm95Ye9kn8e118i/5rReyKCm
+BlskMkNaA4KWKvIQm3DdjgONgEd0IvKExyLwY7a5/JIUvBhb9QIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQAUDLMnHpzfp4ShdBqCreW48f8rU94q2qMwrU+W6DkOrGJTASVGS9Rib/MKAiRYOmqlaqEY
+NP57pCrE/nRB5FVdE+AlSx/fR3khsQ3zf/4dYs21SvGf+Oas99XEbWfV0OmPMYm3IrSCOBEV31wh
+41qRc5QLnR+XutNPbSBN+tn+giRCLGCBLe81oVw4fRGQbgkd87rfLOy3G630I6s/J5feFFUT8d7h
+9mpOeOqLCPrKpq+wI3aD3lf4mXqKIDNiHHRoNl67ANPu/N3fNU1HplVtvroVpiNp87frgdlKTEcg
+PUkfbaYHQGP6IS0lzeCeDX0wab3qRoh7/jJt5/BR8Iwf</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C02dfl1r1"/>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C02dfl1r1"/>
+  </md:IDPSSODescriptor>
+</md:EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestSPCanHandlePlaintextResponse_response b/testdata/TestSPCanHandlePlaintextResponse_response
new file mode 100644
index 00000000..0f7814df
--- /dev/null
+++ b/testdata/TestSPCanHandlePlaintextResponse_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+PHNhbWwycDpSZXNwb25zZSB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRGVzdGluYXRpb249Imh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9hY3MiIElEPSJfZmMxNDFkYjI4NGViMzA5ODYwNTM1MWJkZTRkOWJlNTkiIEluUmVzcG9uc2VUbz0iaWQtZmQ0MTlhNWFiMDQ3MjY0NTQyN2Y4ZTA3ZDg3YTNhNWRkMGIyZTlhNiIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE2OjU1OjM5LjM0OFoiIFZlcnNpb249IjIuMCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tL28vc2FtbDI/aWRwaWQ9QzAyZGZsMXIxPC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjX2ZjMTQxZGIyODRlYjMwOTg2MDUzNTFiZGU0ZDliZTU5Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48ZHM6RGlnZXN0VmFsdWU+bHRNRUJLRzRZNVNLeERScUxHR2xFSGtPd3hla3dQOStybnA2WEtqdkJxVT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+SFBVV0pmYTlqdVdiKy9wZ0YrQklsc2pycE40NkE0RUNiT3hNdXhmWEFRUCtrMU5KMG9EdTJKYk1pZHpmclJBRkRHMjZaNjZWQWtkcwpBRmYwVFgzMWxvVjdaU0tGS0lVY0tuaFlXTHFuUTZLbmRydnJLbzF5UUhzUkdUNzJoVjl3SWdqTFRTZm5FV3QvOEMxaERQQi96R0txClhXZ3VvNFFHYlZUeVBoVVh3eEFzRmxBNjFDdkE5Q1pzU2xpeHBaY2pOVjUyQmMydzI5RUNRNStBcHZGWjVqRU1EN1JiQTVpMzdBbmgKUVBCeVYrZXo4ZU9Yc0hvQlhsR0drTjlDR201MFR6djZ3TW12WkdkT2pKWlhvRWZGUTA4UFJwbE9DQWpxSjM3QnhpWitLZWtUaE1KYgorelowcG1yeWR2V3lONEMzNWcycGVueGw2QUtxYnhMaXlJUkVaZz09PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlTdWJqZWN0TmFtZT5TVD1DYWxpZm9ybmlhLEM9VVMsT1U9R29vZ2xlIEZvciBXb3JrLENOPUdvb2dsZSxMPU1vdW50YWluIFZpZXcsTz1Hb29nbGUgSW5jLjwvZHM6WDUwOVN1YmplY3ROYW1lPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRGREQ0NBbHlnQXdJQkFnSUdBVklTbElsWU1BMEdDU3FHU0liM0RRRUJDd1VBTUhzeEZEQVNCZ05WQkFvVEMwZHZiMmRzWlNCSgpibU11TVJZd0ZBWURWUVFIRXcxTmIzVnVkR0ZwYmlCV2FXVjNNUTh3RFFZRFZRUURFd1pIYjI5bmJHVXhHREFXQmdOVkJBc1REMGR2CmIyZHNaU0JHYjNJZ1YyOXlhekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnVENrTmhiR2xtYjNKdWFXRXdIaGNOTVRZd01UQTEKTVRZeE56UTVXaGNOTWpFd01UQXpNVFl4TnpRNVdqQjdNUlF3RWdZRFZRUUtFd3RIYjI5bmJHVWdTVzVqTGpFV01CUUdBMVVFQnhNTgpUVzkxYm5SaGFXNGdWbWxsZHpFUE1BMEdBMVVFQXhNR1IyOXZaMnhsTVJnd0ZnWURWUVFMRXc5SGIyOW5iR1VnUm05eUlGZHZjbXN4CkN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBbVVmTVVQeEhTWS9aWVo4OGZVR0FsaFVQNE5pN3pqNTR2c3JzUERBNFVoUWlSZUVEUnVuTjFxM09Ic1NoUm9uZwpnZDRMdkE4My9lLzNwbS9WNjBSNnZ5TWZqM1ovSUdXWStlWjk3RUpVdmprdHQrVlJvQWkyNm9lWTlaVzZTODV5YXB2QTNpdWhFd0lRCk9jdVBtMU9xUlEweVE0c1VEK1d0TC9RU21sWXZEUDVUSzFkNndoVGlzTnNLU3FlRlpDYi9zOU9YMDFVZXhXMUJ1RE9MZVZ0MHJDVzEKa1JOY0JCTERtZDRobkRQMFNWcTduTGhORllYajJFYTZXc3lSQUl2Y2hhVUd5K0ltYTJva1htOTVZZTlrbjhlMTE4aS81clJleUtDbQpCbHNrTWtOYUE0S1dLdklRbTNEZGpnT05nRWQwSXZLRXh5THdZN2E1L0pJVXZCaGI5UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBCkE0SUJBUUFVRExNbkhwemZwNFNoZEJxQ3JlVzQ4ZjhyVTk0cTJxTXdyVStXNkRrT3JHSlRBU1ZHUzlSaWIvTUtBaVJZT21xbGFxRVkKTlA1N3BDckUvblJCNUZWZEUrQWxTeC9mUjNraHNRM3pmLzRkWXMyMVN2R2YrT2FzOTlYRWJXZlYwT21QTVltM0lyU0NPQkVWMzF3aAo0MXFSYzVRTG5SK1h1dE5QYlNCTit0bitnaVJDTEdDQkxlODFvVnc0ZlJHUWJna2Q4N3JmTE95M0c2MzBJNnMvSjVmZUZGVVQ4ZDdoCjltcE9lT3FMQ1ByS3BxK3dJM2FEM2xmNG1YcUtJRE5pSEhSb05sNjdBTlB1L04zZk5VMUhwbFZ0dnJvVnBpTnA4N2ZyZ2RsS1RFY2cKUFVrZmJhWUhRR1A2SVMwbHplQ2VEWDB3YWIzcVJvaDcvakp0NS9CUjhJd2Y8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDJwOlN0YXR1cz48c2FtbDJwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbDJwOlN0YXR1cz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzllNzY0OTUyZTZhMjYxZTE5NDA5YTM4MjU1ODEwMzNkIiBJc3N1ZUluc3RhbnQ9IjIwMTYtMDEtMDVUMTY6NTU6MzkuMzQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyPmh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL3NhbWwyP2lkcGlkPUMwMmRmbDFyMTwvc2FtbDI6SXNzdWVyPjxzYW1sMjpTdWJqZWN0PjxzYW1sMjpOYW1lSUQ+cm9zc0BvY3RvbGFicy5pbzwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iaWQtZmQ0MTlhNWFiMDQ3MjY0NTQyN2Y4ZTA3ZDg3YTNhNWRkMGIyZTlhNiIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjAwOjM5LjM0OFoiIFJlY2lwaWVudD0iaHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL2FjcyIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTAxLTA1VDE2OjUwOjM5LjM0OFoiIE5vdE9uT3JBZnRlcj0iMjAxNi0wMS0wNVQxNzowMDozOS4zNDhaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL21ldGFkYXRhPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJwaG9uZSIvPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iYWRkcmVzcyIvPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iam9iVGl0bGUiLz48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImZpcnN0TmFtZSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPlJvc3M8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ibGFzdE5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5LaW5kZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTYtMDEtMDVUMTY6NTU6MzguMDAwWiIgU2Vzc2lvbkluZGV4PSJfOWU3NjQ5NTJlNmEyNjFlMTk0MDlhMzgyNTU4MTAzM2QiPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/testdata/TestSPCanProduceMetadataWithBothCerts_metadata b/testdata/TestSPCanProduceMetadataWithBothCerts_metadata
new file mode 100644
index 00000000..428cc13b
--- /dev/null
+++ b/testdata/TestSPCanProduceMetadataWithBothCerts_metadata
@@ -0,0 +1,24 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" entityID="https://example.com/saml2/metadata">
+  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
+    <KeyDescriptor use="encryption">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
+    </KeyDescriptor>
+    <KeyDescriptor use="signing">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+    </KeyDescriptor>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml2/slo" ResponseLocation="https://example.com/saml2/slo"></SingleLogoutService>
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml2/acs" index="1"></AssertionConsumerService>
+  </SPSSODescriptor>
+</EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestSPCanProduceMetadataWithEncryptionCert_metadata b/testdata/TestSPCanProduceMetadataWithEncryptionCert_metadata
new file mode 100644
index 00000000..02d7aeea
--- /dev/null
+++ b/testdata/TestSPCanProduceMetadataWithEncryptionCert_metadata
@@ -0,0 +1,17 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" entityID="https://example.com/saml2/metadata">
+  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
+    <KeyDescriptor use="encryption">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
+    </KeyDescriptor>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml2/slo" ResponseLocation="https://example.com/saml2/slo"></SingleLogoutService>
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml2/acs" index="1"></AssertionConsumerService>
+  </SPSSODescriptor>
+</EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestSPCanProducePostLogoutRequest_form b/testdata/TestSPCanProducePostLogoutRequest_form
new file mode 100644
index 00000000..5bad6969
--- /dev/null
+++ b/testdata/TestSPCanProducePostLogoutRequest_form
@@ -0,0 +1 @@
+<form method="post" action="https://idp.testshib.org/idp/profile/SAML2/POST/SLO" id="SAMLRequestForm"><input type="hidden" name="SAMLRequest" value="PHNhbWxwOkxvZ291dFJlcXVlc3QgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9ImlkLTAwMDIwNDA2MDgwYTBjMGUxMDEyMTQxNjE4MWExYzFlMjAyMjI0MjYiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE1LTEyLTAxVDAxOjMxOjIxWiIgRGVzdGluYXRpb249Imh0dHBzOi8vaWRwLnRlc3RzaGliLm9yZy9pZHAvcHJvZmlsZS9TQU1MMi9QT1NUL1NMTyI&#43;PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5odHRwczovLzE1NjYxNDQ0Lm5ncm9rLmlvL3NhbWwyL21ldGFkYXRhPC9zYW1sOklzc3Vlcj48c2FtbDpOYW1lSUQgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9pZHAudGVzdHNoaWIub3JnL2lkcC9zaGliYm9sZXRoIiBTUE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vMTU2NjE0NDQubmdyb2suaW8vc2FtbDIvbWV0YWRhdGEiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5yb3NAb2N0b2xhYnMuaW88L3NhbWw6TmFtZUlEPjwvc2FtbHA6TG9nb3V0UmVxdWVzdD4=" /><input type="hidden" name="RelayState" value="relayState" /><input id="SAMLSubmitButton" type="submit" value="Submit" /></form><script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";document.getElementById('SAMLRequestForm').submit();</script>
\ No newline at end of file
diff --git a/testdata/TestSPCanProducePostLogoutResponse_form b/testdata/TestSPCanProducePostLogoutResponse_form
new file mode 100644
index 00000000..69bee039
--- /dev/null
+++ b/testdata/TestSPCanProducePostLogoutResponse_form
@@ -0,0 +1 @@
+<form method="post" action="https://idp.testshib.org/idp/profile/SAML2/POST/SLO" id="SAMLResponseForm"><input type="hidden" name="SAMLResponse" value="PHNhbWxwOkxvZ291dFJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJpZC0wMDAyMDQwNjA4MGEwYzBlMTAxMjE0MTYxODFhMWMxZTIwMjIyNDI2IiBJblJlc3BvbnNlVG89ImlkLWQ0MGMxNWMxMDRiNTI2OTFlY2NmMGEyYTVjOGExNTU5NWJlNzU0MjMiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE1LTEyLTAxVDAxOjMxOjIxWiIgRGVzdGluYXRpb249Imh0dHBzOi8vaWRwLnRlc3RzaGliLm9yZy9pZHAvcHJvZmlsZS9TQU1MMi9QT1NUL1NMTyI&#43;PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5odHRwczovLzE1NjYxNDQ0Lm5ncm9rLmlvL3NhbWwyL21ldGFkYXRhPC9zYW1sOklzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48L3NhbWxwOkxvZ291dFJlc3BvbnNlPg==" /><input type="hidden" name="RelayState" value="relayState" /><input id="SAMLSubmitButton" type="submit" value="Submit" /></form><script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";document.getElementById('SAMLResponseForm').submit();</script>
\ No newline at end of file
diff --git a/testdata/TestSPCanProducePostRequest_form b/testdata/TestSPCanProducePostRequest_form
new file mode 100644
index 00000000..8b9c56e6
--- /dev/null
+++ b/testdata/TestSPCanProducePostRequest_form
@@ -0,0 +1 @@
+<form method="post" action="https://idp.testshib.org/idp/profile/SAML2/POST/SSO" id="SAMLRequestForm"><input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iaWQtMDAwMjA0MDYwODBhMGMwZTEwMTIxNDE2MTgxYTFjMWUyMDIyMjQyNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTItMDFUMDE6MzE6MjFaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9pZHAudGVzdHNoaWIub3JnL2lkcC9wcm9maWxlL1NBTUwyL1BPU1QvU1NPIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vMTU2NjE0NDQubmdyb2suaW8vc2FtbDIvYWNzIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiPjxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI&#43;aHR0cHM6Ly8xNTY2MTQ0NC5uZ3Jvay5pby9zYW1sMi9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI&#43;PHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgQWxsb3dDcmVhdGU9InRydWUiLz48L3NhbWxwOkF1dGhuUmVxdWVzdD4=" /><input type="hidden" name="RelayState" value="relayState" /><input id="SAMLSubmitButton" type="submit" value="Submit" /></form><script>document.getElementById('SAMLSubmitButton').style.visibility="hidden";document.getElementById('SAMLRequestForm').submit();</script>
\ No newline at end of file
diff --git a/testdata/TestSPCanProduceRedirectLogoutRequest_decodedRequest b/testdata/TestSPCanProduceRedirectLogoutRequest_decodedRequest
new file mode 100644
index 00000000..5ce46158
--- /dev/null
+++ b/testdata/TestSPCanProduceRedirectLogoutRequest_decodedRequest
@@ -0,0 +1 @@
+<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:31:21.123Z" Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SLO"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><saml:NameID NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="https://15661444.ngrok.io/saml2/metadata" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ross@octolabs.io</saml:NameID></samlp:LogoutRequest>
\ No newline at end of file
diff --git a/testdata/TestSPCanProduceRedirectLogoutResponse_decodedResponse b/testdata/TestSPCanProduceRedirectLogoutResponse_decodedResponse
new file mode 100644
index 00000000..29bf5dec
--- /dev/null
+++ b/testdata/TestSPCanProduceRedirectLogoutResponse_decodedResponse
@@ -0,0 +1 @@
+<samlp:LogoutResponse xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" InResponseTo="id-d40c15c104b52691eccf0a2a5c8a15595be75423" Version="2.0" IssueInstant="2015-12-01T01:31:21.123Z" Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SLO"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>
\ No newline at end of file
diff --git a/testdata/TestSPCanProduceRedirectRequest_decoded_request b/testdata/TestSPCanProduceRedirectRequest_decoded_request
new file mode 100644
index 00000000..6cae3525
--- /dev/null
+++ b/testdata/TestSPCanProduceRedirectRequest_decoded_request
@@ -0,0 +1 @@
+<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:31:21.123Z" Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" AssertionConsumerServiceURL="https://15661444.ngrok.io/saml2/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
\ No newline at end of file
diff --git a/testdata/TestSPCanProduceSignedRequestPostBinding_decodedRequest b/testdata/TestSPCanProduceSignedRequestPostBinding_decodedRequest
new file mode 100644
index 00000000..8f0ccb72
--- /dev/null
+++ b/testdata/TestSPCanProduceSignedRequestPostBinding_decodedRequest
@@ -0,0 +1 @@
+<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:31:21.123Z" Destination="https://idp.testshib.org/idp/profile/SAML2/POST/SSO" AssertionConsumerServiceURL="https://15661444.ngrok.io/saml2/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-00020406080a0c0e10121416181a1c1e20222426"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>hJD/5Zu9pV3hk8yrz7PF3aOAeb4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>bAem8RP7VOdIl3m7TlVuh1mq2pymKHLzXRsrlrqum8tkYsXnvSDcUsn5/gCNUd+hbuA2mjp4xVAJbSDoXd6ePQDyCCsEwvY6tnb5aThIFI+FaM2h9UeoENn9cCuFZIp25tqUnvqg45S8kzJw3HZ17o2Qgu9Zsy89yU5kxwCOkEk=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
\ No newline at end of file
diff --git a/testdata/TestSPCanProduceSignedRequestRedirectBinding_decodedRequest b/testdata/TestSPCanProduceSignedRequestRedirectBinding_decodedRequest
new file mode 100644
index 00000000..6cae3525
--- /dev/null
+++ b/testdata/TestSPCanProduceSignedRequestRedirectBinding_decodedRequest
@@ -0,0 +1 @@
+<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:31:21.123Z" Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" AssertionConsumerServiceURL="https://15661444.ngrok.io/saml2/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://15661444.ngrok.io/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
\ No newline at end of file
diff --git a/testdata/TestSPCanProduceSignedRequestRedirectBinding_queryString b/testdata/TestSPCanProduceSignedRequestRedirectBinding_queryString
new file mode 100644
index 00000000..41ddd26c
--- /dev/null
+++ b/testdata/TestSPCanProduceSignedRequestRedirectBinding_queryString
@@ -0,0 +1 @@
+SAMLRequest=nFJNb9swDP0rhu62RNU1CqE2kDUYFqBbgzjbYTfVZhNituSJ9Lb%2B%2B8Fph2WXDOiV4uP70LtlPw6TW81yDDv8PiNL9mscArvloVZzCi56JnbBj8hOOteuPt47WxjnmTEJxaDOINNlzJSixC4OKtusa0V9boyxpjSVuTHedAbBgIUSKrgBDx2gNdba0lYq%2B4KJKYZa2cKobMM84yaw%2BCC1sgauc7C5gb0BdwXOQgH26qvK1shCwcsJeRSZ2GlN%2FVQIsvCRHouYDstATyk%2B0YB60Wr1DntK2Ilu2weVrf5YvYuB5xFTi%2BkHdfh5d%2F%2F3KlxXFZRlWYRDit8KinoJxGrfscq2r8bfUegpHC6n9PiyxO7Dfr%2FNtw%2FtXjWnn3In2yl7H9Po5fKRZUJ9%2FnRadRiE5Fk1%2FxM7ovjei7%2FVZ3zNa00%2B%2BRE3620cqHt%2BgwZJPjBhEJWthiH%2BvEvoBWslaUalmxfKf8vY%2FA4AAP%2F%2F&RelayState=relayState&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=WqMc7vKRJVNXwNHJmTemdfw5OML2XkLntYw%2FzwKoLMfavV%2FYy6fBP0GeGYlJVMweZBvbpjwoe%2BgpRkUCHKDUgixCG7hPi41p6MpQC%2Fp7ExTW5plvlS97iVAOvaF5V1MjvQCgBNKYnKNnvwAuxK%2Bu3N4rZjwGM%2F4JGgjJ5pannFQ%3D
\ No newline at end of file
diff --git a/testdata/TestSPRealWorldAssertionSignedNotResponse_idp_metadata b/testdata/TestSPRealWorldAssertionSignedNotResponse_idp_metadata
new file mode 100644
index 00000000..413d1e11
--- /dev/null
+++ b/testdata/TestSPRealWorldAssertionSignedNotResponse_idp_metadata
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.secureworks.com/SAML2"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIG1TCCBL2gAwIBAgICClwwDQYJKoZIhvcNAQENBQAwgaoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9yZ2lhMRAwDgYDVQQHEwdBdGxhbnRhMRkwFwYDVQQKExBEZWxsIFNlY3VyZVdvcmtzMQ4wDAYDVQQLEwVJVE9wczElMCMGA1UEAxMcRGVsbCBTZWN1cmVXb3JrcyBJbnRlcm5hbCBDQTElMCMGCSqGSIb3DQEJARYWYS10ZWFtQHNlY3VyZXdvcmtzLmNvbTAeFw0xNjA1MTExMTEyMzdaFw0xODA1MTExMTEyMzdaMIG+MQswCQYDVQQGDAJVUzEQMA4GA1UECAwHR2VvcmdpYTEQMA4GA1UEBwwHQXRsYW50YTEaMBgGA1UECgwRU2VjdXJld29ya3MsIEluYy4xHTAbBgNVBAsMFFNlY3VyaXR5IEVuZ2luZWVyaW5nMSYwJAYDVQQDDB1pZHAuc2VjdXJld29ya3MuY29tLXNpZ25hdHVyZTEoMCYGCSqGSIb3DQEJARYZcHJvZGNlcnRzQHNlY3VyZXdvcmtzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM2ZUzSfkHE6dshh9RAlzt68uBh4XLNQltyOhj4j77Tvj+pclsWHUHdkSvx5PSmqeqqZv6qJtK08GxVNiOu2NiXUN0+UASYxh2xh1NbjMVVpISZbqGtC6Zt/NczQiU2afD3raAfHZyBrmvctWi++b9OAhk8ydeCPf7FvmqU5Fo+8VUF7rb1ShE3Z+JAMvi99x6a4mY0DZXLgG6kI+jlrDeLRpC7zRWU+NI0M6f/P7TkBOp9vs59yPIVHj8Iz0ETlJgnivOgpBdMlQj0P7zk7AtNFGnrv0jzlLuaLfv++TT8hPMOUcg4Hn3Q14WDZnrkLcBrXLvxSOumrUDDUw6AoVyUCAwEAAaOCAe0wggHpMAwGA1UdEwEB/wQCMAAwLgYJYIZIAYb4QgENBCEWH0NBOlRvb2wgUi1HZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAWm0miEWAiHZUTgLGQcUJ+rDfKTMAsGA1UdDwQEAwID6DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwJAYDVR0RBB0wG4EZcHJvZGNlcnRzQHNlY3VyZXdvcmtzLmNvbTCBxAYDVR0jBIG8MIG5gBSnJ9n8XVHS92gLa5dG8CETeun58KGBnKSBmTCBljELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0dlb3JnaWExEDAOBgNVBAcTB0F0bGFudGExGTAXBgNVBAoTEERlbGwgU2VjdXJlV29ya3MxITAfBgNVBAMTGERlbGwgU2VjdXJlV29ya3MgUm9vdCBDQTElMCMGCSqGSIb3DQEJARYWYS10ZWFtQHNlY3VyZXdvcmtzLmNvbYICEAEwcQYDVR0gBGowaDBmBgRVHSAAMF4wXAYIKwYBBQUHAgEWUGh0dHBzOi8vY29uZmx1ZW5jZS5zZWN1cmV3b3Jrcy5uZXQvZGlzcGxheS9hcmNoL0RlbGwrU2VjdXJlV29ya3MrSW50ZXJuYWwrQ0ErQ1BTMA0GCSqGSIb3DQEBDQUAA4ICAQCKQPw5TuIUAV5HEwjc+lcaOeSPq288wdKYPf6peunv0v29gIgfnB33k5rr6LD7QuQW2DpcMk0fBDJZUNuQd314kjmfkz6lNoiRGR4KSCe9ryafSExuv0KTmmjKDs/Vy47tVGSdl2DZPE3/bnEbLyPGB7d2hKOzemjyYxjD+3AI24e++ATCpHpi6MGuW4Ya2Lro4DC20E4qeA2x7qIXFlPuCQR5dxs37hNaisUZKTUOgotoq1hFBOa4wF3AtMfiUDh2Wfx4cv0QuOTgL9zbZDNOiCS+niCMpok8HftJJk8IMEV0TBKjAE80p1YoZvbEXJv76e68/apmpA8oIRQniOcXEqPj2S8PgmxX4Pqpj7mGzdkj6VcZW25LOE7AkIVVYiVg1F7VzhugzDitCYeKm/o9shZfYVE/vLLOgrewQR05Pxm7rbSv3HsGGieVdDp7KRjuGQQQ2q/YUEbHAHfohXD9LW/O2jUMwXvCMXdhnmsezsCW6ZCBToplBbqW+BkqAz5dtVOhVon8GVNrcfEY4EWk5cr/UfnvvXVgbyV7Tut5qeUM3JWmieAEUl1KKFTweN25Jib/sYYwYuKjc7fp2J5Ovwi5ZcMZsRydUihoRSR5rzk6uPVq9FADyp7AXsXW5oocwzrWSBNRC6Od+nEpEiB42t0Gsih3Asenj6PbfkTBlw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.secureworks.com/SAML2/SSO/POST"/></md:IDPSSODescriptor></md:EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestSPRealWorldAssertionSignedNotResponse_response b/testdata/TestSPRealWorldAssertionSignedNotResponse_response
new file mode 100644
index 00000000..65c7daef
--- /dev/null
+++ b/testdata/TestSPRealWorldAssertionSignedNotResponse_response
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://preview.docrocket-ross.test.octolabs.io/saml/acs" ID="28338c8c-39ab-4b94-bcdc-46f68f99d962" InResponseTo="id-3992f74e652d89c3cf1efd6c7e472abaac9bc917" IssueInstant="2017-04-21T13:12:50.830Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.secureworks.com/SAML2</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><saml2p:StatusMessage>Authentication success.</saml2p:StatusMessage></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="e5afbcaa-be69-4b41-ac48-2f23538accdb" IssueInstant="2017-04-21T13:12:50.830Z" Version="2.0"><saml2:Issuer>https://idp.secureworks.com/SAML2</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#e5afbcaa-be69-4b41-ac48-2f23538accdb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>BMN0lUblP0gYGcw2PCyhwFZzkxY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>F/2aaOQ3J/S6ULUd+gAuIclVueHEC2UfmtO2eR2oYb/YXub9E22yZe7eQgj2wdhYOvacVXN28QJJJG+K3Njwvi6b7mqf+T8N1YwaJW1fYAm28ayg4dEOTjHnjbRMZ6L+3cZPmPcFyE+edhCHEMnTLSqSvBnSyc1cwGdO9PmfWmt6PzUwf2nr2P5577Yc1FEQ9OtTx7ugWN3iPmjtLeTcpZfIDQX9+gSsh0KT+t61uWaYz+PJhtKnZQFeyr3uIxBTxv4wQ90FnmE4PiDvMksin5CDMfiMwd7pn7rNbk4EVHiDgSMkY6P4h8eWQwiqglOrQSZZr4BJgCoUbcNfZCq/7A==</ds:SignatureValue><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>zZlTNJ+QcTp2yGH1ECXO3ry4GHhcs1CW3I6GPiPvtO+P6lyWxYdQd2RK/Hk9Kap6qpm/qom0rTwb
+FU2I67Y2JdQ3T5QBJjGHbGHU1uMxVWkhJluoa0Lpm381zNCJTZp8PetoB8dnIGua9y1aL75v04CG
+TzJ14I9/sW+apTkWj7xVQXutvVKETdn4kAy+L33HpriZjQNlcuAbqQj6OWsN4tGkLvNFZT40jQzp
+/8/tOQE6n2+zn3I8hUePwjPQROUmCeK86CkF0yVCPQ/vOTsC00Uaeu/SPOUu5ot+/75NPyE8w5Ry
+DgefdDXhYNmeuQtwGtcu/FI66atQMNTDoChXJQ==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID>rkinder@secureworks.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="id-3992f74e652d89c3cf1efd6c7e472abaac9bc917" NotBefore="2017-04-21T13:12:50.830Z" NotOnOrAfter="2017-04-21T13:17:50.830Z" Recipient="https://preview.docrocket-ross.test.octolabs.io/saml/acs"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-04-21T13:12:50.830Z" NotOnOrAfter="2017-04-21T13:17:50.830Z"><saml2:AudienceRestriction><saml2:Audience>https://preview.docrocket-ross.test.octolabs.io/saml/metadata</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-04-21T13:12:50.830Z" SessionIndex="undefined"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
diff --git a/testdata/TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_idp_metadata b/testdata/TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_idp_metadata
new file mode 100644
index 00000000..413d1e11
--- /dev/null
+++ b/testdata/TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_idp_metadata
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.secureworks.com/SAML2"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIG1TCCBL2gAwIBAgICClwwDQYJKoZIhvcNAQENBQAwgaoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9yZ2lhMRAwDgYDVQQHEwdBdGxhbnRhMRkwFwYDVQQKExBEZWxsIFNlY3VyZVdvcmtzMQ4wDAYDVQQLEwVJVE9wczElMCMGA1UEAxMcRGVsbCBTZWN1cmVXb3JrcyBJbnRlcm5hbCBDQTElMCMGCSqGSIb3DQEJARYWYS10ZWFtQHNlY3VyZXdvcmtzLmNvbTAeFw0xNjA1MTExMTEyMzdaFw0xODA1MTExMTEyMzdaMIG+MQswCQYDVQQGDAJVUzEQMA4GA1UECAwHR2VvcmdpYTEQMA4GA1UEBwwHQXRsYW50YTEaMBgGA1UECgwRU2VjdXJld29ya3MsIEluYy4xHTAbBgNVBAsMFFNlY3VyaXR5IEVuZ2luZWVyaW5nMSYwJAYDVQQDDB1pZHAuc2VjdXJld29ya3MuY29tLXNpZ25hdHVyZTEoMCYGCSqGSIb3DQEJARYZcHJvZGNlcnRzQHNlY3VyZXdvcmtzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM2ZUzSfkHE6dshh9RAlzt68uBh4XLNQltyOhj4j77Tvj+pclsWHUHdkSvx5PSmqeqqZv6qJtK08GxVNiOu2NiXUN0+UASYxh2xh1NbjMVVpISZbqGtC6Zt/NczQiU2afD3raAfHZyBrmvctWi++b9OAhk8ydeCPf7FvmqU5Fo+8VUF7rb1ShE3Z+JAMvi99x6a4mY0DZXLgG6kI+jlrDeLRpC7zRWU+NI0M6f/P7TkBOp9vs59yPIVHj8Iz0ETlJgnivOgpBdMlQj0P7zk7AtNFGnrv0jzlLuaLfv++TT8hPMOUcg4Hn3Q14WDZnrkLcBrXLvxSOumrUDDUw6AoVyUCAwEAAaOCAe0wggHpMAwGA1UdEwEB/wQCMAAwLgYJYIZIAYb4QgENBCEWH0NBOlRvb2wgUi1HZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAWm0miEWAiHZUTgLGQcUJ+rDfKTMAsGA1UdDwQEAwID6DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwJAYDVR0RBB0wG4EZcHJvZGNlcnRzQHNlY3VyZXdvcmtzLmNvbTCBxAYDVR0jBIG8MIG5gBSnJ9n8XVHS92gLa5dG8CETeun58KGBnKSBmTCBljELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0dlb3JnaWExEDAOBgNVBAcTB0F0bGFudGExGTAXBgNVBAoTEERlbGwgU2VjdXJlV29ya3MxITAfBgNVBAMTGERlbGwgU2VjdXJlV29ya3MgUm9vdCBDQTElMCMGCSqGSIb3DQEJARYWYS10ZWFtQHNlY3VyZXdvcmtzLmNvbYICEAEwcQYDVR0gBGowaDBmBgRVHSAAMF4wXAYIKwYBBQUHAgEWUGh0dHBzOi8vY29uZmx1ZW5jZS5zZWN1cmV3b3Jrcy5uZXQvZGlzcGxheS9hcmNoL0RlbGwrU2VjdXJlV29ya3MrSW50ZXJuYWwrQ0ErQ1BTMA0GCSqGSIb3DQEBDQUAA4ICAQCKQPw5TuIUAV5HEwjc+lcaOeSPq288wdKYPf6peunv0v29gIgfnB33k5rr6LD7QuQW2DpcMk0fBDJZUNuQd314kjmfkz6lNoiRGR4KSCe9ryafSExuv0KTmmjKDs/Vy47tVGSdl2DZPE3/bnEbLyPGB7d2hKOzemjyYxjD+3AI24e++ATCpHpi6MGuW4Ya2Lro4DC20E4qeA2x7qIXFlPuCQR5dxs37hNaisUZKTUOgotoq1hFBOa4wF3AtMfiUDh2Wfx4cv0QuOTgL9zbZDNOiCS+niCMpok8HftJJk8IMEV0TBKjAE80p1YoZvbEXJv76e68/apmpA8oIRQniOcXEqPj2S8PgmxX4Pqpj7mGzdkj6VcZW25LOE7AkIVVYiVg1F7VzhugzDitCYeKm/o9shZfYVE/vLLOgrewQR05Pxm7rbSv3HsGGieVdDp7KRjuGQQQ2q/YUEbHAHfohXD9LW/O2jUMwXvCMXdhnmsezsCW6ZCBToplBbqW+BkqAz5dtVOhVon8GVNrcfEY4EWk5cr/UfnvvXVgbyV7Tut5qeUM3JWmieAEUl1KKFTweN25Jib/sYYwYuKjc7fp2J5Ovwi5ZcMZsRydUihoRSR5rzk6uPVq9FADyp7AXsXW5oocwzrWSBNRC6Od+nEpEiB42t0Gsih3Asenj6PbfkTBlw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.secureworks.com/SAML2/SSO/POST"/></md:IDPSSODescriptor></md:EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_response b/testdata/TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_response
new file mode 100644
index 00000000..57b5c158
--- /dev/null
+++ b/testdata/TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert_response
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://preview.docrocket-ross.test.octolabs.io/saml/acs" ID="28338c8c-39ab-4b94-bcdc-46f68f99d962" InResponseTo="id-3992f74e652d89c3cf1efd6c7e472abaac9bc917" IssueInstant="2017-04-21T13:12:50.830Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.secureworks.com/SAML2</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#28338c8c-39ab-4b94-bcdc-46f68f99d962"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>/6iPSzUnncXDbwrXiqZZVSaHt/Q=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>hpJLvXp7DN5qhYkR0+TfvzAHDTIEmOnjA7QGKxbuqUcLxL+xpLqEiPiyCT3DZ5r4eoUlGSTS4tZ2c/A3wnvzEy+f0Pf5D2dUWCL5RfVp7Q6cndEpqlXjZ3lhymTA+go/SdY9VQFKOBsS6ElT56Pr/QRtqqRP2JQK6pP96voeYqWT0YKCdrBkYZ6fJGQ32AD+mQ62hiMzOu9PvriNJzw2no7xyK1U0+MBNPzCcJ6yOrGqX8/yVB8d1hL9IjstZRbMaszdJnnGGMN/JoOtcFxg6v+a5EFC63uXAUL/inxvdNreZMGnuPJJ7HnuDe8yY089Xzwisy6dts6YJ/doEPFOJQ==</ds:SignatureValue><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>zZlTNJ+QcTp2yGH1ECXO3ry4GHhcs1CW3I6GPiPvtO+P6lyWxYdQd2RK/Hk9Kap6qpm/qom0rTwb
+FU2I67Y2JdQ3T5QBJjGHbGHU1uMxVWkhJluoa0Lpm381zNCJTZp8PetoB8dnIGua9y1aL75v04CG
+TzJ14I9/sW+apTkWj7xVQXutvVKETdn4kAy+L33HpriZjQNlcuAbqQj6OWsN4tGkLvNFZT40jQzp
+/8/tOQE6n2+zn3I8hUePwjPQROUmCeK86CkF0yVCPQ/vOTsC00Uaeu/SPOUu5ot+/75NPyE8w5Ry
+DgefdDXhYNmeuQtwGtcu/FI66atQMNTDoChXJQ==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><saml2p:StatusMessage>Authentication success.</saml2p:StatusMessage></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="e5afbcaa-be69-4b41-ac48-2f23538accdb" IssueInstant="2017-04-21T13:12:50.830Z" Version="2.0"><saml2:Issuer>https://idp.secureworks.com/SAML2</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#e5afbcaa-be69-4b41-ac48-2f23538accdb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>BMN0lUblP0gYGcw2PCyhwFZzkxY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>F/2aaOQ3J/S6ULUd+gAuIclVueHEC2UfmtO2eR2oYb/YXub9E22yZe7eQgj2wdhYOvacVXN28QJJJG+K3Njwvi6b7mqf+T8N1YwaJW1fYAm28ayg4dEOTjHnjbRMZ6L+3cZPmPcFyE+edhCHEMnTLSqSvBnSyc1cwGdO9PmfWmt6PzUwf2nr2P5577Yc1FEQ9OtTx7ugWN3iPmjtLeTcpZfIDQX9+gSsh0KT+t61uWaYz+PJhtKnZQFeyr3uIxBTxv4wQ90FnmE4PiDvMksin5CDMfiMwd7pn7rNbk4EVHiDgSMkY6P4h8eWQwiqglOrQSZZr4BJgCoUbcNfZCq/7A==</ds:SignatureValue><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>zZlTNJ+QcTp2yGH1ECXO3ry4GHhcs1CW3I6GPiPvtO+P6lyWxYdQd2RK/Hk9Kap6qpm/qom0rTwb
+FU2I67Y2JdQ3T5QBJjGHbGHU1uMxVWkhJluoa0Lpm381zNCJTZp8PetoB8dnIGua9y1aL75v04CG
+TzJ14I9/sW+apTkWj7xVQXutvVKETdn4kAy+L33HpriZjQNlcuAbqQj6OWsN4tGkLvNFZT40jQzp
+/8/tOQE6n2+zn3I8hUePwjPQROUmCeK86CkF0yVCPQ/vOTsC00Uaeu/SPOUu5ot+/75NPyE8w5Ry
+DgefdDXhYNmeuQtwGtcu/FI66atQMNTDoChXJQ==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID>rkinder@secureworks.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="id-3992f74e652d89c3cf1efd6c7e472abaac9bc917" NotBefore="2017-04-21T13:12:50.830Z" NotOnOrAfter="2017-04-21T13:17:50.830Z" Recipient="https://preview.docrocket-ross.test.octolabs.io/saml/acs"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-04-21T13:12:50.830Z" NotOnOrAfter="2017-04-21T13:17:50.830Z"><saml2:AudienceRestriction><saml2:Audience>https://preview.docrocket-ross.test.octolabs.io/saml/metadata</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-04-21T13:12:50.830Z" SessionIndex="undefined"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
diff --git a/testdata/TestSPRejectsInjectedComment_IDPMetadata b/testdata/TestSPRejectsInjectedComment_IDPMetadata
new file mode 100644
index 00000000..ed5a1f2c
--- /dev/null
+++ b/testdata/TestSPRejectsInjectedComment_IDPMetadata
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=C02dfl1r1" validUntil="2021-01-03T16:17:49.000Z">
+  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAVISlIlYMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
+bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
+b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMTYwMTA1
+MTYxNzQ5WhcNMjEwMTAzMTYxNzQ5WjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
+TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAmUfMUPxHSY/ZYZ88fUGAlhUP4Ni7zj54vsrsPDA4UhQiReEDRunN1q3OHsShRong
+gd4LvA83/e/3pm/V60R6vyMfj3Z/IGWY+eZ97EJUvjktt+VRoAi26oeY9ZW6S85yapvA3iuhEwIQ
+OcuPm1OqRQ0yQ4sUD+WtL/QSmlYvDP5TK1d6whTisNsKSqeFZCb/s9OX01UexW1BuDOLeVt0rCW1
+kRNcBBLDmd4hnDP0SVq7nLhNFYXj2Ea6WsyRAIvchaUGy+Ima2okXm95Ye9kn8e118i/5rReyKCm
+BlskMkNaA4KWKvIQm3DdjgONgEd0IvKExyLwY7a5/JIUvBhb9QIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQAUDLMnHpzfp4ShdBqCreW48f8rU94q2qMwrU+W6DkOrGJTASVGS9Rib/MKAiRYOmqlaqEY
+NP57pCrE/nRB5FVdE+AlSx/fR3khsQ3zf/4dYs21SvGf+Oas99XEbWfV0OmPMYm3IrSCOBEV31wh
+41qRc5QLnR+XutNPbSBN+tn+giRCLGCBLe81oVw4fRGQbgkd87rfLOy3G630I6s/J5feFFUT8d7h
+9mpOeOqLCPrKpq+wI3aD3lf4mXqKIDNiHHRoNl67ANPu/N3fNU1HplVtvroVpiNp87frgdlKTEcg
+PUkfbaYHQGP6IS0lzeCeDX0wab3qRoh7/jJt5/BR8Iwf</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C02dfl1r1"/>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C02dfl1r1"/>
+  </md:IDPSSODescriptor>
+</md:EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestSPRejectsInjectedComment_response b/testdata/TestSPRejectsInjectedComment_response
new file mode 100644
index 00000000..0f7814df
--- /dev/null
+++ b/testdata/TestSPRejectsInjectedComment_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+PHNhbWwycDpSZXNwb25zZSB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRGVzdGluYXRpb249Imh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9hY3MiIElEPSJfZmMxNDFkYjI4NGViMzA5ODYwNTM1MWJkZTRkOWJlNTkiIEluUmVzcG9uc2VUbz0iaWQtZmQ0MTlhNWFiMDQ3MjY0NTQyN2Y4ZTA3ZDg3YTNhNWRkMGIyZTlhNiIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE2OjU1OjM5LjM0OFoiIFZlcnNpb249IjIuMCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tL28vc2FtbDI/aWRwaWQ9QzAyZGZsMXIxPC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjX2ZjMTQxZGIyODRlYjMwOTg2MDUzNTFiZGU0ZDliZTU5Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48ZHM6RGlnZXN0VmFsdWU+bHRNRUJLRzRZNVNLeERScUxHR2xFSGtPd3hla3dQOStybnA2WEtqdkJxVT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+SFBVV0pmYTlqdVdiKy9wZ0YrQklsc2pycE40NkE0RUNiT3hNdXhmWEFRUCtrMU5KMG9EdTJKYk1pZHpmclJBRkRHMjZaNjZWQWtkcwpBRmYwVFgzMWxvVjdaU0tGS0lVY0tuaFlXTHFuUTZLbmRydnJLbzF5UUhzUkdUNzJoVjl3SWdqTFRTZm5FV3QvOEMxaERQQi96R0txClhXZ3VvNFFHYlZUeVBoVVh3eEFzRmxBNjFDdkE5Q1pzU2xpeHBaY2pOVjUyQmMydzI5RUNRNStBcHZGWjVqRU1EN1JiQTVpMzdBbmgKUVBCeVYrZXo4ZU9Yc0hvQlhsR0drTjlDR201MFR6djZ3TW12WkdkT2pKWlhvRWZGUTA4UFJwbE9DQWpxSjM3QnhpWitLZWtUaE1KYgorelowcG1yeWR2V3lONEMzNWcycGVueGw2QUtxYnhMaXlJUkVaZz09PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlTdWJqZWN0TmFtZT5TVD1DYWxpZm9ybmlhLEM9VVMsT1U9R29vZ2xlIEZvciBXb3JrLENOPUdvb2dsZSxMPU1vdW50YWluIFZpZXcsTz1Hb29nbGUgSW5jLjwvZHM6WDUwOVN1YmplY3ROYW1lPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRGREQ0NBbHlnQXdJQkFnSUdBVklTbElsWU1BMEdDU3FHU0liM0RRRUJDd1VBTUhzeEZEQVNCZ05WQkFvVEMwZHZiMmRzWlNCSgpibU11TVJZd0ZBWURWUVFIRXcxTmIzVnVkR0ZwYmlCV2FXVjNNUTh3RFFZRFZRUURFd1pIYjI5bmJHVXhHREFXQmdOVkJBc1REMGR2CmIyZHNaU0JHYjNJZ1YyOXlhekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnVENrTmhiR2xtYjNKdWFXRXdIaGNOTVRZd01UQTEKTVRZeE56UTVXaGNOTWpFd01UQXpNVFl4TnpRNVdqQjdNUlF3RWdZRFZRUUtFd3RIYjI5bmJHVWdTVzVqTGpFV01CUUdBMVVFQnhNTgpUVzkxYm5SaGFXNGdWbWxsZHpFUE1BMEdBMVVFQXhNR1IyOXZaMnhsTVJnd0ZnWURWUVFMRXc5SGIyOW5iR1VnUm05eUlGZHZjbXN4CkN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBbVVmTVVQeEhTWS9aWVo4OGZVR0FsaFVQNE5pN3pqNTR2c3JzUERBNFVoUWlSZUVEUnVuTjFxM09Ic1NoUm9uZwpnZDRMdkE4My9lLzNwbS9WNjBSNnZ5TWZqM1ovSUdXWStlWjk3RUpVdmprdHQrVlJvQWkyNm9lWTlaVzZTODV5YXB2QTNpdWhFd0lRCk9jdVBtMU9xUlEweVE0c1VEK1d0TC9RU21sWXZEUDVUSzFkNndoVGlzTnNLU3FlRlpDYi9zOU9YMDFVZXhXMUJ1RE9MZVZ0MHJDVzEKa1JOY0JCTERtZDRobkRQMFNWcTduTGhORllYajJFYTZXc3lSQUl2Y2hhVUd5K0ltYTJva1htOTVZZTlrbjhlMTE4aS81clJleUtDbQpCbHNrTWtOYUE0S1dLdklRbTNEZGpnT05nRWQwSXZLRXh5THdZN2E1L0pJVXZCaGI5UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBCkE0SUJBUUFVRExNbkhwemZwNFNoZEJxQ3JlVzQ4ZjhyVTk0cTJxTXdyVStXNkRrT3JHSlRBU1ZHUzlSaWIvTUtBaVJZT21xbGFxRVkKTlA1N3BDckUvblJCNUZWZEUrQWxTeC9mUjNraHNRM3pmLzRkWXMyMVN2R2YrT2FzOTlYRWJXZlYwT21QTVltM0lyU0NPQkVWMzF3aAo0MXFSYzVRTG5SK1h1dE5QYlNCTit0bitnaVJDTEdDQkxlODFvVnc0ZlJHUWJna2Q4N3JmTE95M0c2MzBJNnMvSjVmZUZGVVQ4ZDdoCjltcE9lT3FMQ1ByS3BxK3dJM2FEM2xmNG1YcUtJRE5pSEhSb05sNjdBTlB1L04zZk5VMUhwbFZ0dnJvVnBpTnA4N2ZyZ2RsS1RFY2cKUFVrZmJhWUhRR1A2SVMwbHplQ2VEWDB3YWIzcVJvaDcvakp0NS9CUjhJd2Y8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDJwOlN0YXR1cz48c2FtbDJwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbDJwOlN0YXR1cz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzllNzY0OTUyZTZhMjYxZTE5NDA5YTM4MjU1ODEwMzNkIiBJc3N1ZUluc3RhbnQ9IjIwMTYtMDEtMDVUMTY6NTU6MzkuMzQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyPmh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL3NhbWwyP2lkcGlkPUMwMmRmbDFyMTwvc2FtbDI6SXNzdWVyPjxzYW1sMjpTdWJqZWN0PjxzYW1sMjpOYW1lSUQ+cm9zc0BvY3RvbGFicy5pbzwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iaWQtZmQ0MTlhNWFiMDQ3MjY0NTQyN2Y4ZTA3ZDg3YTNhNWRkMGIyZTlhNiIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjAwOjM5LjM0OFoiIFJlY2lwaWVudD0iaHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL2FjcyIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTAxLTA1VDE2OjUwOjM5LjM0OFoiIE5vdE9uT3JBZnRlcj0iMjAxNi0wMS0wNVQxNzowMDozOS4zNDhaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL21ldGFkYXRhPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJwaG9uZSIvPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iYWRkcmVzcyIvPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iam9iVGl0bGUiLz48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImZpcnN0TmFtZSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPlJvc3M8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ibGFzdE5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5LaW5kZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTYtMDEtMDVUMTY6NTU6MzguMDAwWiIgU2Vzc2lvbkluZGV4PSJfOWU3NjQ5NTJlNmEyNjFlMTk0MDlhMzgyNTU4MTAzM2QiPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/testdata/TestSPRejectsMalformedResponse_IDPMetadata b/testdata/TestSPRejectsMalformedResponse_IDPMetadata
new file mode 100644
index 00000000..ed5a1f2c
--- /dev/null
+++ b/testdata/TestSPRejectsMalformedResponse_IDPMetadata
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=C02dfl1r1" validUntil="2021-01-03T16:17:49.000Z">
+  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAVISlIlYMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
+bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
+b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMTYwMTA1
+MTYxNzQ5WhcNMjEwMTAzMTYxNzQ5WjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
+TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAmUfMUPxHSY/ZYZ88fUGAlhUP4Ni7zj54vsrsPDA4UhQiReEDRunN1q3OHsShRong
+gd4LvA83/e/3pm/V60R6vyMfj3Z/IGWY+eZ97EJUvjktt+VRoAi26oeY9ZW6S85yapvA3iuhEwIQ
+OcuPm1OqRQ0yQ4sUD+WtL/QSmlYvDP5TK1d6whTisNsKSqeFZCb/s9OX01UexW1BuDOLeVt0rCW1
+kRNcBBLDmd4hnDP0SVq7nLhNFYXj2Ea6WsyRAIvchaUGy+Ima2okXm95Ye9kn8e118i/5rReyKCm
+BlskMkNaA4KWKvIQm3DdjgONgEd0IvKExyLwY7a5/JIUvBhb9QIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQAUDLMnHpzfp4ShdBqCreW48f8rU94q2qMwrU+W6DkOrGJTASVGS9Rib/MKAiRYOmqlaqEY
+NP57pCrE/nRB5FVdE+AlSx/fR3khsQ3zf/4dYs21SvGf+Oas99XEbWfV0OmPMYm3IrSCOBEV31wh
+41qRc5QLnR+XutNPbSBN+tn+giRCLGCBLe81oVw4fRGQbgkd87rfLOy3G630I6s/J5feFFUT8d7h
+9mpOeOqLCPrKpq+wI3aD3lf4mXqKIDNiHHRoNl67ANPu/N3fNU1HplVtvroVpiNp87frgdlKTEcg
+PUkfbaYHQGP6IS0lzeCeDX0wab3qRoh7/jJt5/BR8Iwf</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C02dfl1r1"/>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C02dfl1r1"/>
+  </md:IDPSSODescriptor>
+</md:EntityDescriptor>
\ No newline at end of file
diff --git a/testdata/TestSPRejectsMalformedResponse_response b/testdata/TestSPRejectsMalformedResponse_response
new file mode 100644
index 00000000..0f7814df
--- /dev/null
+++ b/testdata/TestSPRejectsMalformedResponse_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+PHNhbWwycDpSZXNwb25zZSB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRGVzdGluYXRpb249Imh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9hY3MiIElEPSJfZmMxNDFkYjI4NGViMzA5ODYwNTM1MWJkZTRkOWJlNTkiIEluUmVzcG9uc2VUbz0iaWQtZmQ0MTlhNWFiMDQ3MjY0NTQyN2Y4ZTA3ZDg3YTNhNWRkMGIyZTlhNiIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE2OjU1OjM5LjM0OFoiIFZlcnNpb249IjIuMCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tL28vc2FtbDI/aWRwaWQ9QzAyZGZsMXIxPC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjX2ZjMTQxZGIyODRlYjMwOTg2MDUzNTFiZGU0ZDliZTU5Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48ZHM6RGlnZXN0VmFsdWU+bHRNRUJLRzRZNVNLeERScUxHR2xFSGtPd3hla3dQOStybnA2WEtqdkJxVT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+SFBVV0pmYTlqdVdiKy9wZ0YrQklsc2pycE40NkE0RUNiT3hNdXhmWEFRUCtrMU5KMG9EdTJKYk1pZHpmclJBRkRHMjZaNjZWQWtkcwpBRmYwVFgzMWxvVjdaU0tGS0lVY0tuaFlXTHFuUTZLbmRydnJLbzF5UUhzUkdUNzJoVjl3SWdqTFRTZm5FV3QvOEMxaERQQi96R0txClhXZ3VvNFFHYlZUeVBoVVh3eEFzRmxBNjFDdkE5Q1pzU2xpeHBaY2pOVjUyQmMydzI5RUNRNStBcHZGWjVqRU1EN1JiQTVpMzdBbmgKUVBCeVYrZXo4ZU9Yc0hvQlhsR0drTjlDR201MFR6djZ3TW12WkdkT2pKWlhvRWZGUTA4UFJwbE9DQWpxSjM3QnhpWitLZWtUaE1KYgorelowcG1yeWR2V3lONEMzNWcycGVueGw2QUtxYnhMaXlJUkVaZz09PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlTdWJqZWN0TmFtZT5TVD1DYWxpZm9ybmlhLEM9VVMsT1U9R29vZ2xlIEZvciBXb3JrLENOPUdvb2dsZSxMPU1vdW50YWluIFZpZXcsTz1Hb29nbGUgSW5jLjwvZHM6WDUwOVN1YmplY3ROYW1lPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRGREQ0NBbHlnQXdJQkFnSUdBVklTbElsWU1BMEdDU3FHU0liM0RRRUJDd1VBTUhzeEZEQVNCZ05WQkFvVEMwZHZiMmRzWlNCSgpibU11TVJZd0ZBWURWUVFIRXcxTmIzVnVkR0ZwYmlCV2FXVjNNUTh3RFFZRFZRUURFd1pIYjI5bmJHVXhHREFXQmdOVkJBc1REMGR2CmIyZHNaU0JHYjNJZ1YyOXlhekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnVENrTmhiR2xtYjNKdWFXRXdIaGNOTVRZd01UQTEKTVRZeE56UTVXaGNOTWpFd01UQXpNVFl4TnpRNVdqQjdNUlF3RWdZRFZRUUtFd3RIYjI5bmJHVWdTVzVqTGpFV01CUUdBMVVFQnhNTgpUVzkxYm5SaGFXNGdWbWxsZHpFUE1BMEdBMVVFQXhNR1IyOXZaMnhsTVJnd0ZnWURWUVFMRXc5SGIyOW5iR1VnUm05eUlGZHZjbXN4CkN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBbVVmTVVQeEhTWS9aWVo4OGZVR0FsaFVQNE5pN3pqNTR2c3JzUERBNFVoUWlSZUVEUnVuTjFxM09Ic1NoUm9uZwpnZDRMdkE4My9lLzNwbS9WNjBSNnZ5TWZqM1ovSUdXWStlWjk3RUpVdmprdHQrVlJvQWkyNm9lWTlaVzZTODV5YXB2QTNpdWhFd0lRCk9jdVBtMU9xUlEweVE0c1VEK1d0TC9RU21sWXZEUDVUSzFkNndoVGlzTnNLU3FlRlpDYi9zOU9YMDFVZXhXMUJ1RE9MZVZ0MHJDVzEKa1JOY0JCTERtZDRobkRQMFNWcTduTGhORllYajJFYTZXc3lSQUl2Y2hhVUd5K0ltYTJva1htOTVZZTlrbjhlMTE4aS81clJleUtDbQpCbHNrTWtOYUE0S1dLdklRbTNEZGpnT05nRWQwSXZLRXh5THdZN2E1L0pJVXZCaGI5UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBCkE0SUJBUUFVRExNbkhwemZwNFNoZEJxQ3JlVzQ4ZjhyVTk0cTJxTXdyVStXNkRrT3JHSlRBU1ZHUzlSaWIvTUtBaVJZT21xbGFxRVkKTlA1N3BDckUvblJCNUZWZEUrQWxTeC9mUjNraHNRM3pmLzRkWXMyMVN2R2YrT2FzOTlYRWJXZlYwT21QTVltM0lyU0NPQkVWMzF3aAo0MXFSYzVRTG5SK1h1dE5QYlNCTit0bitnaVJDTEdDQkxlODFvVnc0ZlJHUWJna2Q4N3JmTE95M0c2MzBJNnMvSjVmZUZGVVQ4ZDdoCjltcE9lT3FMQ1ByS3BxK3dJM2FEM2xmNG1YcUtJRE5pSEhSb05sNjdBTlB1L04zZk5VMUhwbFZ0dnJvVnBpTnA4N2ZyZ2RsS1RFY2cKUFVrZmJhWUhRR1A2SVMwbHplQ2VEWDB3YWIzcVJvaDcvakp0NS9CUjhJd2Y8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDJwOlN0YXR1cz48c2FtbDJwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbDJwOlN0YXR1cz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzllNzY0OTUyZTZhMjYxZTE5NDA5YTM4MjU1ODEwMzNkIiBJc3N1ZUluc3RhbnQ9IjIwMTYtMDEtMDVUMTY6NTU6MzkuMzQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyPmh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL3NhbWwyP2lkcGlkPUMwMmRmbDFyMTwvc2FtbDI6SXNzdWVyPjxzYW1sMjpTdWJqZWN0PjxzYW1sMjpOYW1lSUQ+cm9zc0BvY3RvbGFicy5pbzwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iaWQtZmQ0MTlhNWFiMDQ3MjY0NTQyN2Y4ZTA3ZDg3YTNhNWRkMGIyZTlhNiIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjAwOjM5LjM0OFoiIFJlY2lwaWVudD0iaHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL2FjcyIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTAxLTA1VDE2OjUwOjM5LjM0OFoiIE5vdE9uT3JBZnRlcj0iMjAxNi0wMS0wNVQxNzowMDozOS4zNDhaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL21ldGFkYXRhPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJwaG9uZSIvPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iYWRkcmVzcyIvPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iam9iVGl0bGUiLz48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImZpcnN0TmFtZSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPlJvc3M8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ibGFzdE5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5LaW5kZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTYtMDEtMDVUMTY6NTU6MzguMDAwWiIgU2Vzc2lvbkluZGV4PSJfOWU3NjQ5NTJlNmEyNjFlMTk0MDlhMzgyNTU4MTAzM2QiPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/testdata/TestSPResponseWithNoIssuer_response b/testdata/TestSPResponseWithNoIssuer_response
new file mode 100644
index 00000000..3442261c
--- /dev/null
+++ b/testdata/TestSPResponseWithNoIssuer_response
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://15661444.ngrok.io/saml2/acs" ID="_e9b3332eeaf348da6786aed16300aca9" InResponseTo="id-9e61753d64e928af5a7a341a97f420c9" IssueInstant="2015-12-01T01:56:21.375Z" Version="2.0"><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_dab0b1dbbc0595ab06473034e3bb798c" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_dd9264352cef16103cdb21fae97fa951" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX
+DTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x
+EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308
+kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv
+SPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf
+nqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv
+TLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+
+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>i/wh2ubXbhTH5W3hwc5VEf4DH1xifeTuxoe64ULopGJ0M0XxBKgDEIfTg59JUMmDYB4L8UStTFfqJk9BRGcMeYWVfckn5gCwLptD9cz26irw+7Ud7MIorA7z68v8rEyzwagKjz8VKvX1afgec0wobVTNN3M1Bn+SOyMhAu+Z4tE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>a6PZohc8i16b2HG5irLqbzAt8zMI6OAjBprhcDb+w6zvjU2Pi9KgGRBAESLKmVfBR0Nf6C/cjozCGyelfVMtx9toIV1C3jtanoI45hq2EZZVprKMKGdCsAbXbhwYrd06QyGYvLjTn9iqako6+ifxtoFHJOkhMQShDMv8l3p5n36iFrJ4kUT3pSOIl4a479INcayp2B4u9MVJybvN7iqp/5dMEG5ZLRCmtczfo6NsUmu+bmT7O/Xs0XeDmqICrfI3TTLzKSOb8r0iZOaii5qjfTALDQ10hlqxV4fgd51FFGG7eHr+HHD+FT6Q9vhNjKd+4UVT2LZlaEiMw888vyBKtfl6gTsuJbln0fHRPmOGYeoJlAdfpukhxqTbgdzOke2NY5VLw72ieUWREAEdVXBolrzbSaafumQGuW7c8cjLCDPOlaYIvWsQzQOp5uL5mw4y4S7yNPtTAa5czcf+xgw4MGatcWeDFv0gMTlnBAGIT+QNLK/+idRSpnYwjPO407UNNa2HSX3QpZsutbxyskqvuMgp08DcI2+7+NrTXtQjR5knhCwRNkGTOqVxEBD6uExSjbLBbFmd4jgKn73SqHStk0wCkKatxbZMD8YosTu9mrU2wuWacZ1GFRMlk28oaeXl9qUDnqBwZ5EoxT/jDjWIMWw9b40InvZK6kKzn+v3BSGKqzq2Ecj9yxE7u5/51NC+tFyZiN2J9Lu9yehvW46xRrqFWqCyioFza5bw1yd3bzkuMMpd6UvsZPHKvWwap3+O6ngc8bMBBCLltJVOaTn/cBGsUvoARY6Rfftsx7BamrfGURd8vqq+AI6Z1OC8N3bcRCymIzw0nXdbUSqhKWwbw6P2szvAB6kCdu4+C3Bo01CEQyerCCbpfn/cZ+rPsBVlGdBOLl5eCW8oJOODruYgSRshrTnDffLQprxCddj7vSnFbVHirU8a0KwpCVCdAAL9nKppTHs0Mq2YaiMDo8mFvx+3kan/IBnJSOVL19vdLfHDbZqVh7UVFtiuWv3T15BoiefDdF/aR5joN0zRWf8l6IYcjBOskk/xgxOZhZzbJl8DcgTawD8giJ31SJ1NoOqgrSD4wBHGON4mInHkO0X5+vw1jVNPGF3BwHw0kxoCT3ZKdSsi8O4tlf1y227cf794AGnyQe13O032jYgOmM5qNkET6PyfkyD/h0ufgQq2vJvxSOiRv76Kdg0SeRuNPW9MyjO/5APHl7tBlDBEVq+LWDHl4g9h/bw+Fsi0WN4pLN1Yv9RANWpIsXWyvxTWIZHTuZEjNbHqFKpsefx/oY1b9cSzKR5fQ9vc32e17WykL0O7pwpzV6TrFN874GdmW5lG5zfqnRHUQh1aV2WwBJ74mB4tv/y5rmRjTe5h/rN90kN+eQGeR3eG7XUHLhK/yCV+xq8KKPxNZexcdHGA905rvYokbtmr/jIN5kAMBdlOU8akPAZdSMMh+g/RZo5MO50/gdg6MTpB4onU2FBd54FNDp2fuBUxBsnTqpZXkDcAPEfSBr+z2l8jTRmxMricWyeC55ILgxM4er68n0xYjwb2jyQum3IQq7TSYYU/qjNiH1fQBtdRmBkzXJYYk+9q7C6OZJUdR96ERnTIi93NaYmtpSEvZU9vS6MV1VBOnEf8UzUUT9ibMpP9XDSINX7dN24rKIufSY+3+70orQB07XOWp6++SWKgA+WThaoPhp8sWWMeSZuda/wq6jdVTAB8FOPiP3lNl0BqxagQEPmNxDWXwTplSFSR3SP0e4sHMSjLvysibV9Z87LZa1FG0cWU2hrhiyOLsIWMnd4vdTLaWjhXuGlrDShxSAiI39wsl5RB59E+DXVSTBQAoAkHCKGK69YiMKU9K8K/LeodApgw46oPL08EWvleKPCbdTyjKUADtxfAujR84GMEUz9Aml4Q497MfvABQOW6Hwg54Z3UbwLczDCOZyK1wIwZTyS9w3eTH/6EBeyzhtt4G2e/60jkywHOKn17wQgww2ZsDcukdsCMfo4FV0NzfhSER8BdL+hdLJS3R1F/Vf4aRBEuOuycv2AqB1ZqHhcjZh7yDv0RpBvn3+2rzfzmYIBlqL16d1aBnvL4C03I0J59AtXN9WlfJ8SlJhrduW/PF4pSCAQEyHGprP9hVhaXCOUuXCbjA2FI57NkxALQ2HpCVpXKGw0qO0rYxRYIRlKTl43VFcrSGJdVYOFUk0ZV3b+k+KoxLVSgBjIUWxio/tvVgUYDZsO3M3x0I+0r9xlWZSFFmhwdOFouD+Xy1NPTmgwlUXqZ4peyIE1oVntpcrTJuev2jNScXbU9PG8b589GM4Z09KS/fAyytTFKmUpBuTme969qu0eA7/kBSHAkKvbfj0hsrbkkF9y/rXi8xgcMXNgYayW8MHEhm506AyPIvJAreZL637/BENO1ABdWS1Enj/uGaLM1ED8UY94boh/lMhqa9jALgEOHHxspavexi3HIFwJ55s4ocQnjb4p6op4CRPUdPCfli5st9m3NtQoH9kT1FTRZa9sG8Ybhey5wP17YgPIg9ZZtvlvpSTwCwZxHZ348wXJWhbtId9DyOcIzsyK5HaJcRsp8SQVR5nbRW0pUyC/bFAtX1KOGJmtro/QfmnLG9ksuaZvxP6+bH1K+CibEFIRDllAUFFPiuT+2b3Yp3Tu1VvXokMAgmcB5iFDgTAglw5meJYJ99uIBmj0EVZm8snMhRrHjMPTAYD5kwPK/YDShPFFV3XEIFzLD3iYrzb7sub/Z4gTTELWzzS3bCpYPAh4KWeTih+p7Xj0Xf04nSONHZXsQnNenc+PNae+Zj5iCfJ/PpqhMn61n/YBP7gipYYEtOZYzDtvMz+mytYRUOaZTq3W4Wp64f+XVekn49CLarLm6qPyiz5kJwaT8lJ+VEZDPpS/ChLM4eq90GogJBvK0jxmQ1AGvnKpV2lw9XCudf3PXbaTb+r2QPcihKnmqcEgPgYlN8VLclicNW1WyjBJ+HvDTQPbs1r1/KnBK4O5HTT6ehuHpJsYlBN9vzjsD+ov6SRkBqiGPUg9CoKKmWS6dirxwOXi3OUFzkWFVDyDezfkJAzqkmG0nlEGb9mTHdVDfX010bPJ4ZQzQSyHp7Ht2mATyQwOEem2AMB/RpNwlOKXWIdsQ5p3dHF+kmsJHI8xjEv2GeUa/aXX3MF3fPfUA7La8J8fbnaDLbnEqMCLMfdfc9+kY7EKyqPiE5KFpF0EhQBrHl8SiPuFQCoxvlH2u+ujncW7Z5JiBmMKUWOXUHhIe4NckP1awRsEcfhEs664DqOp9CbLwTXk71hHVBtINylFcf7uBZwjxNW+hCfZEoVEjjs/V4J9QeXCxpTu5TcXxBxwN5zBdkCodNFPLUg+3UicaykaH0+wrGoTu/ugjF9rz7OezMMs3pep+bzLp+yZbFAL/z/yATY3UG+lpk6Rw4SkjbnAxBSedaEdqbotddkGzVQubHvHqCiKpkAw58rAa2v15hc+UmkrRFslS8SYxTIPXs2sTNhnCCrUn8nlKufeoAm65vgYtEQ4NzmG9tqKtTeBfZAvSToYaiQq+kPii1ssuu1OULAVuSx8x/CYO6orgX7h5wI0R/Ug1nux7cb2/+pFLbNyGvwKf1TLym2NvFMJpvFlTsOJJ4DxXM/v2JkC9umm93quXLsojx7KTEOFDQLsnMKsVo6ZzRQidEwK5gQPyZL1yjGirJcEuGMAEf6LA2AsKIIZhsMEPlLpzMiVo5Y0LoL6NFsXigceLaaJMEMuYNJJdh+uxyfW57+PoQ7V8KkzSHFsKan14GnpWeOV7r13uopwCPeIsEKUVG77ypd+ILQkbKxH2lQdsFyjpofqkbgEVM5XAnVbdhfwyebNHn5OJtadVkOMcJc/WMWJef1idcSfvP5ENkwp3pKg9Ljoi+hU2Chp1vTmksO2HJt0of4QnQ8jGlcqnOrAMiWUCd2W/8AmhRBjevt3UqxnqELVvg+HJPlyqFyuUlDxx25mXEdW0COpA3s9OlSgcMjvQbIJ42NUhGFZLoK1pvPLZo711w2Ex3Lm5qqcr/7I4+vTntd/Id5aJiP18LQpslTy614Wd4eD8+RfjEtmDAPXhgvfekVkS/rDnI/9H0k3AdHc78fJCJRPNwJrDTozzjxTvmVv9r4MtpoDELmnMxb3o7ZibUMxgptCTyDF+Q5m6T3GeD9G5ehgB3Tqsx3gcUGuDtP6KIqMGbj8YCFt8tjihDctYFAXj4AwPnIjMiI4T7skXwfrBLWCKfN1j5XrIn2paQgKln9hvaiRUpNpD3IXVyFl1WNrb21IcRinfkuCtrP2tTHqct6eSEh8sOzRkvZEArBQYD5paYyuNBcbVtsnl6PNE+DIcSIGvCVnzpMw1BeUExvQZoNdpHwhTQ3FSd1XN1nt0EWx6lve0Azl/zJBhj5hTdCd2RHdJWDtCZdOwWy/G+4dx3hEed0x6SoopOYdt5bq3lW+Ol0mbRzr1QJnuvt8FYjIfL8cIBqidkTpDjyh6V88yg1DNHDOBBqUz8IqOJ//vY0bmQMJp9gb+05UDW7u/Oe4gGIODQlswv534KF2DcaXW9OB7JQyl6f5+O8W6+zBYZ6DAL+J2vtf3CWKSZFomTwu65vrVaLRmTXIIBjQmZEUxWVeC4xN+4Cj5ORvO8GwzoePGDvqwKzrKoupSjqkL5eKqMpCLouOn8n/x5UWtHQS1NlKgMDFhRObzKMqQhS1S4mz84F3L492GFAlie0xRhywnF+FvAkm+ZIRO0UqM4IwvUXdlqTajjmUz2T0+eXKTKTR5UoNRgP51gdUMT5A4ggT5wU9WkRx7CR9KdWJwwcWzv2YrchoHIXBidQSk+f1ZSzqR7krKSOwFTVJUvEenU17qVaHoAf2he0dMgURJ8PM9JxnSr7p2pZeNPu/O5oPmLuOCmEPVRPSahJL7yj9PK5z3q57e5POIp/wXqFoniFdxRmtmpfZBxoKVlADkwRy34h8k6ZmgtqPTQfUUk/+yH2CAoQu+HyOtUnQof8vc1k4zs8nCTrCSjqvFPjU8mHtVHy1RY0qmK9t99ugXyAKaGON3PlseetIC8WCTt84nM5XGD3VQpbv139yhSPhp2Oiz0IiOsr+L9idVKSvfNSkdNq9aUC7963uAQNud8c4GuDmbENvZYvGNIMxxZhYA86n1RMNtGDZJs6/4hZTL18Kz1yCY9zbbSXTxWTmkaHJziHtgrEPoYpUeb85J229PDEX08yHOkj2HXVdnKKmEaHw3VkB4eM3PhGGdrw2CSUejSaqPQFLdhabcB2zdB4lj/AUnZvNaJc23nHHIauHnhhVrxh/KQ1H4YaYKT9ji/69BIfrTgvoGaPZC10pQKinBHEPMXoFrCd1RX1vutnXXcyT2KTBP4GG+Or0j6Sqxtp5WhxR0aJqIKM6LqMHtTooI0QhWbmSqDEBX/wRS70csVeJSrZ4dqRKit+hz8OalHA7At9e+7gSWTfHAwjl5JhtrltyAab/FII4yKQeZWG8j1fSFGHN+EbOrum2uWuVhxkUPy4coMu+yKY4GxlXfvP+yEVK5GrMECRmFBlySetJK3JOoQXiuLirlHUq+0u88QFMdAJ9+fIdU4+FxneqgW7qM7CHRE8jV4pPSWGFbGzxVZ9CWRWaYIw26VsC1qQJe1WmU7Mrp26IxmWHGwHvZ50uB0mjAHFCiln5QAvqTm2/fsY+Puk+Irt3LQbMwGVWPnb4eona2dSha+eMLOiAQkBvbaitsRqqrAVnndP7gHmO+nYZEKNx/740zTRrFBpOelrGdOa0/eV2mPhUQfozGooxoRADmT8fAcDXo0SsXCHzg9tBnmVMvInQ7+8nXfhcF/fEBjvW3gIWOmp2EWutHQ/sl73MieJWnP/n3DMk2HHcatoIZOMUzo4S4uztODHoSiOJDA1hVj7qADvKB37/OX0opnbii9o6W8naFkWG5Ie7+EWQZdo+xeVYpwGOzcNwDRrxbZpV3fTvWyWKToovncZq+TQj7c4Yhz6XDF0ffljN5hTm4ONwYViFNB4gTJlFxFX00wcWfwWah4uJs2Oa8dHPVT+7viagZiPrSDk/gythdY8glGm+F0DWlzQpWbgSI3ZbdiUQ+ox4GtLUtYgGIQFUvRYbuHqH6CXQ3SM6vkbhV/nAn6UDEWKXdJsO0u5q6UpXci7MlWDNLxoQ9dfGjSc28mX+q+4hkyho4u1XSMy9B6IdH304J7fuAQ88tTorT67AiqvqR6qnZ0icV+MMLh95moxFbrvch6sGAmMEixqeujmiZzBqBmNbzZVORiv9qcbe3CQ6X2i+9D8hMpaWj5jI0u+0wk3bRFK4uDn8T1mnD6l4TrJayf3cZI+duhKcabNj71i5w76S8RZSC6RX4ks0x+XIDc5v3223NmGvceYklbuOJtJa0/MBTOcSDKCM2kUXqPV2BlA9Za8WEO2UrdcyP+AXgM20af3thjlZvA494zdZ0mqjrsKp+VS2MVrBBtj+puSuSHJYf6bnA5/yjqQtbGvAp8hfXQURC53J5oD8rb9F7vQRqdfqpe6xd7DVd+wWZS86mWjyZYKXw312t8nM/gxo0pdvZ8F0x9y3xb9UBM2pZtdYvk3hPz6swhuE1N5j2u7nwtXuEDNcGCSfr+IempeFHFRqO8n8ikASEdKcq2XHGJwfc3lVXOQ5K4JlewcC7yQL1uNtL6iNKCtJmjJiH2PMmXrtpmCeTspFNZlwmiICyPWV9B5ce9H/qP1xjndBzFz0rn75SGDnWUhNZI/aYKNVyzkOleS5VSNxBx1hoiFuG8r+6ctYwF7XL94b95tXQ/+0V5dt0H1xVaOZ7QluoDtMSzuUjV4yUoQESa3zCfZwnW+b5SKndX5nx0GYrVxydMkUdfimZpX/fezcMiaAGwG/jgWF0zS+EL4T7gR8I5R3qUNTifKFJKJL1+AL8CgL+SRB1lgHDp2wQ7cqgqcmskAsT60qisL/UZGgmnlgZ8FkNhv0vAMkzIsz7o6cuLo15hZnrsZveIo+mZKY2cMJjJb4ZlJLcE+YcnpiM84OYjypa9lA7kv4XJaDX9oirhsl9IO/ImbFgYpR73y+xSolXYdDKfZjf/8NR7vE8fu+LYXGoZHO/hxousED6y3sCo/ItECYHWYIui+V5SmAoEvVV8FY8fFMYIc+Llc2CoX5HQISfUAtLu+fGNNV0muidXnBdtnJo25UEqxwvoENdI1lGPhlrXY6/h4kIT5djmsxxSG/EgG/4fPnrThgF9/fbG8n/3LweXvQOGjX0F1Ngt5wuMIWRQk5vtLdvv2M+BNwthHZ7xzIU7zqSVvngVPwgcsTr2d5pTVOxauT1K6ffiBF04jVZEcna+NXhJM5EcRHNuT/iOb0ncn1yuKU8JJnztEzMDjO1qCmaBTyWBR7nQS6K+nfstd/AnBWyGeC5Yi3wlvZAVMpc0m7I7McXb+rXiHM0mHoq0Z/2HOki5LP2cBuIkk84tJ3SRZwWnocrz4aTEIOmwftqMATy5Ur0KRxoUSFNMJYyc1iOfjk3H2JjgecWlQdYHcIEjxGDGeo4S9EKTRokMGNUN2nTj3SO2nHoWbx9WhGe6uB3OgDENGL9aNoPnYKXs4WcobctMxQjjBWa/zpCFwP8nr78xIFfy/64ZtsFBrxSrEHxeXiPa2Kpv456aQ9kDQjJt9XrWKe+JBawtpPUYHmWkUb3Gznp3tC2LbowvJlEe/17srb5yi+sUHEF1z/8Uk4eVYcUUXzyq3YEuqumIBIYqO8J3K5Us7tEXyzhHH8TMLNSQxmDi/w5oYccIwNFMM1+xRTsyjHHtB/rHYJjPW/50Xxb0CZF84NqotCcgIMrR4nUiPnAPd8ZvHeB/235gS1NtzBWtfcDmP8khibSQpY3JW+fdY/9W6iGlPyPIwOgH06fJayaT44sPFIm+QGIkPKSAJOFDeJNG8oc6SAqrYSfCffYfOAx3IsjSdnxQy9JAcS0HxjWnEO3rgSh7bNEecO3f4hb3TRNlczdzhfrwgxUZ0rURI3LfMCpGntF+8NrhtB7RT8sEOaa4NM13T7LWjykRQJFYKNZY0siPBP2WJxjBqL0KynlTPhAcfFyiLZbAhe7YC0XmYo8iJQqdzJQwBK9iOoDkg1XuGy7+Kfe0scamvHN2Z85umcPSiPEQRP3zAWcP5kRNDath7DKrBfQtvOJvEHiihE+qiASrCZep+m7jTD261U9vQGAnR4xBY08ChSh8XItWHvDHARN+GP08h9u6nlJ3rpOoVn9y22NNgx7bOe6QIYe9f6iYbbAzLR1/7AP1A4CQwFi39eZI9BZteze5eas+6JR2s1LqH9tncOmWAhXjE8p3hOtplh/tMbrx+pySNX4BKfZva54zccIa+e59NUifTRsq27AwAtcxg2Bk1Tu7B+LT9Yw2K8tRH6XTcGlvqDM4sYjNBqzh3yAga5iro706tg/Qaa50eln8rjISularEHlfaggogjvd+wNLg44Rj8pMr25+xxS0e9KoEGon5SutuhJ/HBGnEj3+4qNxHu27nkAmZIADiF+Jh53osDuA1fsUnRXf2lJABa30KDkG8E/eci+TkESrdfsPMo6yhWoyjtjYdJbGkjtsQCMW5DOSNYDH0FqDiiVU0nBLJ4+A4ep6aWTrv6w/ozuO4educ7x9IBpGmEY30rsXWwiGJbLGyIo+6qz6J5JBKdjNBsDO7RRweDNMp8ospaGNQSa4NKAHTG8BsGqJSP8oebpVqYpgPS1TiBWnYZKQSRJ5NFs+ULpdICekxevVXAH8uh+De9GT7KsJJzg0CFjALDbC0YrbmCigspJAh2455I6/xyWbPXCYMXwBzbioMgWcNhQBJJ6oIoQ7shwf2TP0Z+X/3NoMpWHmGpoV/JZind8lb9lcxoI44uf37+xc03O1R1bNucf0F5ljrgj2sZlGz/591EJen5GZhrT6qSTIcMu+xIyxyA/zzhy0jjkVfkDKfQ8mE9AmVtbbzHAQNy2PhDIeu7ngoFN635tSOJLR2c6pC/m6n50slFbo0oeHbbiGHyxDk7q3zXHWoHzeF1k4iVdHumYg/nwZOuRzms6rvkmwkJv59Z1p05jxA+Y0yHvDeq1WR8PfS/esm3RHfP3fM+zTlj9ZBJfzvn4OL+IIHRQ5l8pGKAeRL58OjeaU5QU98lAKHydOPDGBalsEHyIKD6iy3RZ65qIm956zQd98htZ1Vgkd7LVC7LSnLb9jRbqS1vHN7lR6bQMmXtQBYSA/+ZW2RQqSo7sToVh+Pxl3EVmsgyO8dXPL4biz7XM8eVz7CqHkrQUinnr79HJWC6Uk19cBurOD6PeOqNYy08Og/A0hbHOgN3dKmVRAPf7itK6x0eb5F70T2zVqG12GHVZieXwIcp/vahuFvriHLJtuM04laiRWNXSiL2MPHQ8e9rr8NIlWDm9uev55FI9zZxwFUPBSewawPe5vkqRLfwZCYd5mZoxtBhNBWvY3ZOVD/21dIUlQanG1n6RygbmAwCHnIB4c7EH2CBYEMDToRQuAuIssviIfdaJglwDgHbLWKNUVDOdqeclBNZjfQfVXbVukPk8DfWLqj9pD4xAOzDeVQcdmg2aLvNKgpZsWs4d+6GlKrpS7qEGvoBkIFh/cVY7DMYrt/JXYuF6DpwB+HbfnuDFc2p47SPNhnmt/ez6/DACBPQ+tgpyWYXUsiviGSp72JNTzd8uFJJZNeKUJZw1c0UTjxdwigh5tL/hWhPl48DY937zymSr1xVqC3RV6wSIpuplH+hss/rsRPAp1/TfxvhJuFsoPbW0586y9YzqEHT4FUu6WSRy0gMJLP2sLqiiZXZ6kPicXsW7M55mV3ugbGQjB7YS7EVqsQzvJTiQbOlcPqwoKK7DTqaeCOXd8kH1tNoe7hjx/UNNdLQQ7IhrJIzxqTTgwcXYMCxhoezDsIHReTIymsHPkCurfteTQcbfwoKN5E9zC2hINOPmhAxLvONzaLXQGMqofuTbFshkB4eUj8U4vBCNp+60iCLnibt4rPuyoWKEHWBYa6FfIykxVKuXkfcb64dCdGCWjv7x1XqkbpHxQB80qhipoSo244pyhIsN91ASu1Q7L75LxGXibY3jb0Y4KZ5zIWsH4kVlvPhangohDO1J9gmL9inGr9hy5BHTQiMcktGoUgOIbFJ72381vYpPxn3ngBbp48mVZd0w6xV8RBaqR3l7CxI9vvMAPYPoXBB18ERoZypza8mAlzv2QxIkNGuRzFENh1SXegBfN7eiazZnwnhbyeMghJpnXzfvHACyjkdH3shRYcJ+oMiOSpInGxm/hxFQxHJZA0Ft/lza</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>
\ No newline at end of file
diff --git a/testdata/TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata b/testdata/TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata
new file mode 100644
index 00000000..2bd8b35e
--- /dev/null
+++ b/testdata/TestServiceProviderCanHandleSignedAssertionsResponse_IDPMetadata
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.example.com/metadata.php">
+  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:transient</NameIDFormat>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://app.onelogin.com/trust/saml2/http-post/sso/503983"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.onelogin.com/trust/saml2/http-post/sso/503983"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://app.onelogin.com/trust/saml2/soap/sso/503983"/>
+  </IDPSSODescriptor>
+  <ContactPerson contactType="technical">
+    <SurName>Support</SurName>
+    <EmailAddress>support@onelogin.com</EmailAddress>
+  </ContactPerson>
+</EntityDescriptor>
diff --git a/testdata/TestServiceProviderCanHandleSignedAssertionsResponse_response b/testdata/TestServiceProviderCanHandleSignedAssertionsResponse_response
new file mode 100644
index 00000000..47301dcb
--- /dev/null
+++ b/testdata/TestServiceProviderCanHandleSignedAssertionsResponse_response
@@ -0,0 +1 @@
+PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfOGU4ZGM1ZjY5YTk4Y2M0YzFmZjM0MjdlNWNlMzQ2MDZmZDY3MmY5MWU2IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1Ij4KICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPgogIDxzYW1scDpTdGF0dXM+CiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+CiAgPC9zYW1scDpTdGF0dXM+CiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDA0NjkwMGM1LTA0MjMtMzVjYi0yYWRiLTcyMjgzYmE1ZDhjZCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIj4KICAgIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tL21ldGFkYXRhLnBocDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDA0NjkwMGM1LTA0MjMtMzVjYi0yYWRiLTcyMjgzYmE1ZDhjZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+YmV5ZnFIOXMxUys2bDJHQkhiU2xXOFR4SzZFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5DSkJMY0pVTm91Q0psY3d5YUtTb1RGdHJUYVJOUWJnWHJFUUdKTmZsdjJkakx0M3J0d2krRzZMd3VQZkQrckF5b3lIbXFyUXlTaVJaZ1lNeWN1bk8vNUQ2R2J5ZVhJVjNrc093Y0YrQXlWZGtrblVpcVN3SDcvOXJkdkVhZmtKcDQ3d1pYKzc4dlFGMDZNcjFnNEpsODByTmNEUncxeE9FdW9QN2pDMjVtMVE9PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2FqQ0NBZE9nQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVEwRkFEQlNNUXN3Q1FZRFZRUUdFd0oxY3pFVE1CRUdBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVZNQk1HQTFVRUNnd01UMjVsYkc5bmFXNGdTVzVqTVJjd0ZRWURWUVFEREE1emNDNWxlR0Z0Y0d4bExtTnZiVEFlRncweE5EQTNNVGN4TkRFeU5UWmFGdzB4TlRBM01UY3hOREV5TlRaYU1GSXhDekFKQmdOVkJBWVRBblZ6TVJNd0VRWURWUVFJREFwRFlXeHBabTl5Ym1saE1SVXdFd1lEVlFRS0RBeFBibVZzYjJkcGJpQkpibU14RnpBVkJnTlZCQU1NRG5Od0xtVjRZVzF3YkdVdVkyOXRNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURaeCtPTjRJVW9JV3hndWtUYjF0T2lYM2JNWXpZUWl3V1BVTk1wK0ZxODJ4b05vZ3NvMmJ5a1pHMHlpSm01bzh6di9zZDZwR291YXlNZ2t4LzJGU09kYzM2VDBqR2JDSHVSU2J0aWEwUEV6TklSdG1WaU1ydDNBZW9XQmlkUlhtWnN4Q05Md2dJVjZkbjJXcHVFNUF6MGJIZ3BablF4VEtGZWswQk1LVS9kOHdJREFRQUJvMUF3VGpBZEJnTlZIUTRFRmdRVUdIeFlxWll5WDdjVHhLVk9EVmdad1NUZENud3dId1lEVlIwakJCZ3dGb0FVR0h4WXFaWXlYN2NUeEtWT0RWZ1p3U1RkQ253d0RBWURWUjBUQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVEwRkFBT0JnUUJ5Rk9sK2hNRklDYmQzREpmbnAyUmdkL2RxdHRzWkcvdHloSUxXdkVyYmlvL0RFZTk4bVhwb3doVGtDMDRFTnByT3lYaTdaYlVxaWljRjg5dUFHeXQxb3FnVFVDRDFWc0xhaHFJY21yemd1bU55VHdMR1dvMTdXREFhMS91c0RoZXRXQU1oZ3pGL0NuZjVlazBuSzAwbTBZWkd5YzRMemdEMENST01BU1RXTmc9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPgogICAgPHNhbWw6U3ViamVjdD4KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocCIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiPl9jZTNkMjk0OGI0Y2YyMDE0NmRlZTBhMGIzZGQ2ZjY5YjZjZjg2ZjYyZDc8L3NhbWw6TmFtZUlEPgogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+CiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiIgUmVjaXBpZW50PSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1Ii8+CiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPgogICAgPC9zYW1sOlN1YmplY3Q+CiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wNy0xN1QwMTowMToxOFoiIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiPgogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+CiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgPC9zYW1sOkNvbmRpdGlvbnM+CiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3YWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIj4KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0PgogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPgogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0PgogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50PgogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PgogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPgogICAgICA8L3NhbWw6QXR0cmlidXRlPgogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+CiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdEBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2Vyczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5leGFtcGxlcm9sZTE8L3NhbWw6QXR0cmlidXRlVmFsdWU+CiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+CiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50PgogIDwvc2FtbDpBc3NlcnRpb24+Cjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
diff --git a/testdata/TestXswPermutationEightIsRejected_response b/testdata/TestXswPermutationEightIsRejected_response
new file mode 100644
index 00000000..97c233e2
--- /dev/null
+++ b/testdata/TestXswPermutationEightIsRejected_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSUQ9Il84ZThkYzVmNjlhOThjYzRjMWZmMzQyN2U1Y2UzNDYwNmZkNjcyZjkxZTYiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElEPSJwZngwNDY5MDBjNS0wNDIzLTM1Y2ItMmFkYi03MjI4M2JhNWQ4Y2QiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDA0NjkwMGM1LTA0MjMtMzVjYi0yYWRiLTcyMjgzYmE1ZDhjZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+YmV5ZnFIOXMxUys2bDJHQkhiU2xXOFR4SzZFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5DSkJMY0pVTm91Q0psY3d5YUtTb1RGdHJUYVJOUWJnWHJFUUdKTmZsdjJkakx0M3J0d2krRzZMd3VQZkQrckF5b3lIbXFyUXlTaVJaZ1lNeWN1bk8vNUQ2R2J5ZVhJVjNrc093Y0YrQXlWZGtrblVpcVN3SDcvOXJkdkVhZmtKcDQ3d1pYKzc4dlFGMDZNcjFnNEpsODByTmNEUncxeE9FdW9QN2pDMjVtMVE9PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDYWpDQ0FkT2dBd0lCQWdJQkFEQU5CZ2txaGtpRzl3MEJBUTBGQURCU01Rc3dDUVlEVlFRR0V3SjFjekVUTUJFR0ExVUVDQXdLUTJGc2FXWnZjbTVwWVRFVk1CTUdBMVVFQ2d3TVQyNWxiRzluYVc0Z1NXNWpNUmN3RlFZRFZRUUREQTV6Y0M1bGVHRnRjR3hsTG1OdmJUQWVGdzB4TkRBM01UY3hOREV5TlRaYUZ3MHhOVEEzTVRjeE5ERXlOVFphTUZJeEN6QUpCZ05WQkFZVEFuVnpNUk13RVFZRFZRUUlEQXBEWVd4cFptOXlibWxoTVJVd0V3WURWUVFLREF4UGJtVnNiMmRwYmlCSmJtTXhGekFWQmdOVkJBTU1Ebk53TG1WNFlXMXdiR1V1WTI5dE1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRFp4K09ONElVb0lXeGd1a1RiMXRPaVgzYk1ZellRaXdXUFVOTXArRnE4MnhvTm9nc28yYnlrWkcweWlKbTVvOHp2L3NkNnBHb3VheU1na3gvMkZTT2RjMzZUMGpHYkNIdVJTYnRpYTBQRXpOSVJ0bVZpTXJ0M0Flb1dCaWRSWG1ac3hDTkx3Z0lWNmRuMldwdUU1QXowYkhncFpuUXhUS0ZlazBCTUtVL2Q4d0lEQVFBQm8xQXdUakFkQmdOVkhRNEVGZ1FVR0h4WXFaWXlYN2NUeEtWT0RWZ1p3U1RkQ253d0h3WURWUjBqQkJnd0ZvQVVHSHhZcVpZeVg3Y1R4S1ZPRFZnWndTVGRDbnd3REFZRFZSMFRCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUTBGQUFPQmdRQnlGT2wraE1GSUNiZDNESmZucDJSZ2QvZHF0dHNaRy90eWhJTFd2RXJiaW8vREVlOThtWHBvd2hUa0MwNEVOcHJPeVhpN1piVXFpaWNGODl1QUd5dDFvcWdUVUNEMVZzTGFocUljbXJ6Z3VtTnlUd0xHV28xN1dEQWExL3VzRGhldFdBTWhnekYvQ25mNWVrMG5LMDBtMFlaR3ljNEx6Z0QwQ1JPTUFTVFdOZz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PE9iamVjdD48c2FtbDpBc3NlcnRpb24geG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBJRD0icGZ4MDQ2OTAwYzUtMDQyMy0zNWNiLTJhZGItNzIyODNiYTVkOGNkIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tL21ldGFkYXRhLnBocDwvc2FtbDpJc3N1ZXI+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiIFNQTmFtZVF1YWxpZmllcj0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocCI+X2NlM2QyOTQ4YjRjZjIwMTQ2ZGVlMGEwYjNkZDZmNjliNmNmODZmNjJkNzwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgTm90T25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiIgUmVjaXBpZW50PSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE0LTA3LTE3VDAxOjAxOjE4WiIgTm90T25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFNlc3Npb25JbmRleD0iX2JlOTk2N2FiZDkwNGRkY2FlM2MwZWI0MTg5YWRiZTNmNzFlMzI3Y2Y5MyIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyNC0wNy0xN1QwOTowMTo0OFoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0QGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2Vyczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5leGFtcGxlcm9sZTE8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9PYmplY3Q+PC9kczpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiIFNQTmFtZVF1YWxpZmllcj0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocCI+X2NlM2QyOTQ4YjRjZjIwMTQ2ZGVlMGEwYjNkZDZmNjliNmNmODZmNjJkNzwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgTm90T25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiIgUmVjaXBpZW50PSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE0LTA3LTE3VDAxOjAxOjE4WiIgTm90T25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFNlc3Npb25JbmRleD0iX2JlOTk2N2FiZDkwNGRkY2FlM2MwZWI0MTg5YWRiZTNmNzFlMzI3Y2Y5MyIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyNC0wNy0xN1QwOTowMTo0OFoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0QGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2Vyczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5leGFtcGxlcm9sZTE8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4K
\ No newline at end of file
diff --git a/testdata/TestXswPermutationFiveIsRejected_response b/testdata/TestXswPermutationFiveIsRejected_response
new file mode 100644
index 00000000..dd499fef
--- /dev/null
+++ b/testdata/TestXswPermutationFiveIsRejected_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSUQ9Il84ZThkYzVmNjlhOThjYzRjMWZmMzQyN2U1Y2UzNDYwNmZkNjcyZjkxZTYiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElEPSJfZXZpbF9hc3NlcnRpb25fSUQiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDA0NjkwMGM1LTA0MjMtMzVjYi0yYWRiLTcyMjgzYmE1ZDhjZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+YmV5ZnFIOXMxUys2bDJHQkhiU2xXOFR4SzZFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5DSkJMY0pVTm91Q0psY3d5YUtTb1RGdHJUYVJOUWJnWHJFUUdKTmZsdjJkakx0M3J0d2krRzZMd3VQZkQrckF5b3lIbXFyUXlTaVJaZ1lNeWN1bk8vNUQ2R2J5ZVhJVjNrc093Y0YrQXlWZGtrblVpcVN3SDcvOXJkdkVhZmtKcDQ3d1pYKzc4dlFGMDZNcjFnNEpsODByTmNEUncxeE9FdW9QN2pDMjVtMVE9PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDYWpDQ0FkT2dBd0lCQWdJQkFEQU5CZ2txaGtpRzl3MEJBUTBGQURCU01Rc3dDUVlEVlFRR0V3SjFjekVUTUJFR0ExVUVDQXdLUTJGc2FXWnZjbTVwWVRFVk1CTUdBMVVFQ2d3TVQyNWxiRzluYVc0Z1NXNWpNUmN3RlFZRFZRUUREQTV6Y0M1bGVHRnRjR3hsTG1OdmJUQWVGdzB4TkRBM01UY3hOREV5TlRaYUZ3MHhOVEEzTVRjeE5ERXlOVFphTUZJeEN6QUpCZ05WQkFZVEFuVnpNUk13RVFZRFZRUUlEQXBEWVd4cFptOXlibWxoTVJVd0V3WURWUVFLREF4UGJtVnNiMmRwYmlCSmJtTXhGekFWQmdOVkJBTU1Ebk53TG1WNFlXMXdiR1V1WTI5dE1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRFp4K09ONElVb0lXeGd1a1RiMXRPaVgzYk1ZellRaXdXUFVOTXArRnE4MnhvTm9nc28yYnlrWkcweWlKbTVvOHp2L3NkNnBHb3VheU1na3gvMkZTT2RjMzZUMGpHYkNIdVJTYnRpYTBQRXpOSVJ0bVZpTXJ0M0Flb1dCaWRSWG1ac3hDTkx3Z0lWNmRuMldwdUU1QXowYkhncFpuUXhUS0ZlazBCTUtVL2Q4d0lEQVFBQm8xQXdUakFkQmdOVkhRNEVGZ1FVR0h4WXFaWXlYN2NUeEtWT0RWZ1p3U1RkQ253d0h3WURWUjBqQkJnd0ZvQVVHSHhZcVpZeVg3Y1R4S1ZPRFZnWndTVGRDbnd3REFZRFZSMFRCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUTBGQUFPQmdRQnlGT2wraE1GSUNiZDNESmZucDJSZ2QvZHF0dHNaRy90eWhJTFd2RXJiaW8vREVlOThtWHBvd2hUa0MwNEVOcHJPeVhpN1piVXFpaWNGODl1QUd5dDFvcWdUVUNEMVZzTGFocUljbXJ6Z3VtTnlUd0xHV28xN1dEQWExL3VzRGhldFdBTWhnekYvQ25mNWVrMG5LMDBtMFlaR3ljNEx6Z0QwQ1JPTUFTVFdOZz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiIFNQTmFtZVF1YWxpZmllcj0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocCI+X2NlM2QyOTQ4YjRjZjIwMTQ2ZGVlMGEwYjNkZDZmNjliNmNmODZmNjJkNzwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgTm90T25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiIgUmVjaXBpZW50PSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE0LTA3LTE3VDAxOjAxOjE4WiIgTm90T25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFNlc3Npb25JbmRleD0iX2JlOTk2N2FiZDkwNGRkY2FlM2MwZWI0MTg5YWRiZTNmNzFlMzI3Y2Y5MyIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyNC0wNy0xN1QwOTowMTo0OFoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0QGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2Vyczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5leGFtcGxlcm9sZTE8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgSUQ9InBmeDA0NjkwMGM1LTA0MjMtMzVjYi0yYWRiLTcyMjgzYmE1ZDhjZCIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50IiBTUE5hbWVRdWFsaWZpZXI9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHAiPl9jZTNkMjk0OGI0Y2YyMDE0NmRlZTBhMGIzZGQ2ZjY5YjZjZjg2ZjYyZDc8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzRmZWUzYjA0NjM5NWM0ZTc1MTAxMWU5N2Y4OTAwYjUyNzNkNTY2ODUiIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiIFJlY2lwaWVudD0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL2luZGV4LnBocD9hY3MiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wNy0xN1QwMTowMToxOFoiIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBTZXNzaW9uSW5kZXg9Il9iZTk5NjdhYmQ5MDRkZGNhZTNjMGViNDE4OWFkYmUzZjcxZTMyN2NmOTMiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMjQtMDctMTdUMDk6MDE6NDhaIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3Q8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdEBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcnM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+ZXhhbXBsZXJvbGUxPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+Cg==
\ No newline at end of file
diff --git a/testdata/TestXswPermutationFourIsRejected_response b/testdata/TestXswPermutationFourIsRejected_response
new file mode 100644
index 00000000..034b1bfa
--- /dev/null
+++ b/testdata/TestXswPermutationFourIsRejected_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSUQ9Il84ZThkYzVmNjlhOThjYzRjMWZmMzQyN2U1Y2UzNDYwNmZkNjcyZjkxZTYiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElEPSJfZXZpbF9hc3NlcnRpb25fSUQiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwIj5fY2UzZDI5NDhiNGNmMjAxNDZkZWUwYTBiM2RkNmY2OWI2Y2Y4NmY2MmQ3PC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1IiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9pbmRleC5waHA/YWNzIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTQtMDctMTdUMDE6MDE6MThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3YWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3RAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uQWZmaWxpYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXJzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmV4YW1wbGVyb2xlMTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgSUQ9InBmeDA0NjkwMGM1LTA0MjMtMzVjYi0yYWRiLTcyMjgzYmE1ZDhjZCIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4MDQ2OTAwYzUtMDQyMy0zNWNiLTJhZGItNzIyODNiYTVkOGNkIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5iZXlmcUg5czFTKzZsMkdCSGJTbFc4VHhLNkU9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPkNKQkxjSlVOb3VDSmxjd3lhS1NvVEZ0clRhUk5RYmdYckVRR0pOZmx2MmRqTHQzcnR3aStHNkx3dVBmRCtyQXlveUhtcXJReVNpUlpnWU15Y3VuTy81RDZHYnllWElWM2tzT3djRitBeVZka2tuVWlxU3dINy85cmR2RWFma0pwNDd3WlgrNzh2UUYwNk1yMWc0Smw4MHJOY0RSdzF4T0V1b1A3akMyNW0xUT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNhakNDQWRPZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRMEZBREJTTVFzd0NRWURWUVFHRXdKMWN6RVRNQkVHQTFVRUNBd0tRMkZzYVdadmNtNXBZVEVWTUJNR0ExVUVDZ3dNVDI1bGJHOW5hVzRnU1c1ak1SY3dGUVlEVlFRRERBNXpjQzVsZUdGdGNHeGxMbU52YlRBZUZ3MHhOREEzTVRjeE5ERXlOVFphRncweE5UQTNNVGN4TkRFeU5UWmFNRkl4Q3pBSkJnTlZCQVlUQW5Wek1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUlV3RXdZRFZRUUtEQXhQYm1Wc2IyZHBiaUJKYm1NeEZ6QVZCZ05WQkFNTURuTndMbVY0WVcxd2JHVXVZMjl0TUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEWngrT040SVVvSVd4Z3VrVGIxdE9pWDNiTVl6WVFpd1dQVU5NcCtGcTgyeG9Ob2dzbzJieWtaRzB5aUptNW84enYvc2Q2cEdvdWF5TWdreC8yRlNPZGMzNlQwakdiQ0h1UlNidGlhMFBFek5JUnRtVmlNcnQzQWVvV0JpZFJYbVpzeENOTHdnSVY2ZG4yV3B1RTVBejBiSGdwWm5ReFRLRmVrMEJNS1UvZDh3SURBUUFCbzFBd1RqQWRCZ05WSFE0RUZnUVVHSHhZcVpZeVg3Y1R4S1ZPRFZnWndTVGRDbnd3SHdZRFZSMGpCQmd3Rm9BVUdIeFlxWll5WDdjVHhLVk9EVmdad1NUZENud3dEQVlEVlIwVEJBVXdBd0VCL3pBTkJna3Foa2lHOXcwQkFRMEZBQU9CZ1FCeUZPbCtoTUZJQ2JkM0RKZm5wMlJnZC9kcXR0c1pHL3R5aElMV3ZFcmJpby9ERWU5OG1YcG93aFRrQzA0RU5wck95WGk3WmJVcWlpY0Y4OXVBR3l0MW9xZ1RVQ0QxVnNMYWhxSWNtcnpndW1OeVR3TEdXbzE3V0RBYTEvdXNEaGV0V0FNaGd6Ri9DbmY1ZWswbkswMG0wWVpHeWM0THpnRDBDUk9NQVNUV05nPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwIj5fY2UzZDI5NDhiNGNmMjAxNDZkZWUwYTBiM2RkNmY2OWI2Y2Y4NmY2MmQ3PC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1IiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9pbmRleC5waHA/YWNzIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTQtMDctMTdUMDE6MDE6MThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3YWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3RAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uQWZmaWxpYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXJzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmV4YW1wbGVyb2xlMTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+Cg==
\ No newline at end of file
diff --git a/testdata/TestXswPermutationNineIsRejected_response b/testdata/TestXswPermutationNineIsRejected_response
new file mode 100644
index 00000000..50b5d227
--- /dev/null
+++ b/testdata/TestXswPermutationNineIsRejected_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSUQ9Il84ZThkYzVmNjlhOThjYzRjMWZmMzQyN2U1Y2UzNDYwNmZkNjcyZjkxZTYiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElEPSJzcG9vZmVkX2Fzc2VydGlvbl9pZCIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4MDQ2OTAwYzUtMDQyMy0zNWNiLTJhZGItNzIyODNiYTVkOGNkIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5iZXlmcUg5czFTKzZsMkdCSGJTbFc4VHhLNkU9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPkNKQkxjSlVOb3VDSmxjd3lhS1NvVEZ0clRhUk5RYmdYckVRR0pOZmx2MmRqTHQzcnR3aStHNkx3dVBmRCtyQXlveUhtcXJReVNpUlpnWU15Y3VuTy81RDZHYnllWElWM2tzT3djRitBeVZka2tuVWlxU3dINy85cmR2RWFma0pwNDd3WlgrNzh2UUYwNk1yMWc0Smw4MHJOY0RSdzF4T0V1b1A3akMyNW0xUT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNhakNDQWRPZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRMEZBREJTTVFzd0NRWURWUVFHRXdKMWN6RVRNQkVHQTFVRUNBd0tRMkZzYVdadmNtNXBZVEVWTUJNR0ExVUVDZ3dNVDI1bGJHOW5hVzRnU1c1ak1SY3dGUVlEVlFRRERBNXpjQzVsZUdGdGNHeGxMbU52YlRBZUZ3MHhOREEzTVRjeE5ERXlOVFphRncweE5UQTNNVGN4TkRFeU5UWmFNRkl4Q3pBSkJnTlZCQVlUQW5Wek1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUlV3RXdZRFZRUUtEQXhQYm1Wc2IyZHBiaUJKYm1NeEZ6QVZCZ05WQkFNTURuTndMbVY0WVcxd2JHVXVZMjl0TUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEWngrT040SVVvSVd4Z3VrVGIxdE9pWDNiTVl6WVFpd1dQVU5NcCtGcTgyeG9Ob2dzbzJieWtaRzB5aUptNW84enYvc2Q2cEdvdWF5TWdreC8yRlNPZGMzNlQwakdiQ0h1UlNidGlhMFBFek5JUnRtVmlNcnQzQWVvV0JpZFJYbVpzeENOTHdnSVY2ZG4yV3B1RTVBejBiSGdwWm5ReFRLRmVrMEJNS1UvZDh3SURBUUFCbzFBd1RqQWRCZ05WSFE0RUZnUVVHSHhZcVpZeVg3Y1R4S1ZPRFZnWndTVGRDbnd3SHdZRFZSMGpCQmd3Rm9BVUdIeFlxWll5WDdjVHhLVk9EVmdad1NUZENud3dEQVlEVlIwVEJBVXdBd0VCL3pBTkJna3Foa2lHOXcwQkFRMEZBQU9CZ1FCeUZPbCtoTUZJQ2JkM0RKZm5wMlJnZC9kcXR0c1pHL3R5aElMV3ZFcmJpby9ERWU5OG1YcG93aFRrQzA0RU5wck95WGk3WmJVcWlpY0Y4OXVBR3l0MW9xZ1RVQ0QxVnNMYWhxSWNtcnpndW1OeVR3TEdXbzE3V0RBYTEvdXNEaGV0V0FNaGd6Ri9DbmY1ZWswbkswMG0wWVpHeWM0THpnRDBDUk9NQVNUV05nPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwIj5fY2UzZDI5NDhiNGNmMjAxNDZkZWUwYTBiM2RkNmY2OWI2Y2Y4NmY2MmQ3PC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1IiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9pbmRleC5waHA/YWNzIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTQtMDctMTdUMDE6MDE6MThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3YWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5hdHRhY2tlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5hdHRhY2tlckBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcnM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+ZXhhbXBsZXJvbGUxPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjx4c3dfd3JhcHBlcj48c2FtbDpBc3NlcnRpb24geG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBJRD0icGZ4MDQ2OTAwYzUtMDQyMy0zNWNiLTJhZGItNzIyODNiYTVkOGNkIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tL21ldGFkYXRhLnBocDwvc2FtbDpJc3N1ZXI+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiIFNQTmFtZVF1YWxpZmllcj0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocCI+X2NlM2QyOTQ4YjRjZjIwMTQ2ZGVlMGEwYjNkZDZmNjliNmNmODZmNjJkNzwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgTm90T25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiIgUmVjaXBpZW50PSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE0LTA3LTE3VDAxOjAxOjE4WiIgTm90T25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFNlc3Npb25JbmRleD0iX2JlOTk2N2FiZDkwNGRkY2FlM2MwZWI0MTg5YWRiZTNmNzFlMzI3Y2Y5MyIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyNC0wNy0xN1QwOTowMTo0OFoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0QGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2Vyczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5leGFtcGxlcm9sZTE8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC94c3dfd3JhcHBlcj48L3NhbWxwOlJlc3BvbnNlPgo=
\ No newline at end of file
diff --git a/testdata/TestXswPermutationOneIsRejected_response b/testdata/TestXswPermutationOneIsRejected_response
new file mode 100644
index 00000000..336d56ae
--- /dev/null
+++ b/testdata/TestXswPermutationOneIsRejected_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovLzI5ZWU2ZDJlLm5ncm9rLmlvL3NhbWwvYWNzIiBJRD0iX2V2aWxfcmVzcG9uc2VfSUQiIEluUmVzcG9uc2VUbz0iaWQtZDQwYzE1YzEwNGI1MjY5MWVjY2YwYTJhNWM4YTE1NTk1YmU3NTQyMyIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjExWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwvbWV0YWRhdGEvNTAzOTgzPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI3BmeGVkODhjNDNkLTY1MDQtZTFmMS01YWYwLTQwYmU3ZjI3OWZjNSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+U1ZBYVFnOHZtbVNRTDYvWUJtUzJ5ZEtSUDdJPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5zQmVUVlAwYlpvUFIrYmZ5QWtWdjZJM0NWN1k4WHFuSjJyOGYxK1dtcjJnRmduUkY4NU52dlNQK3IxQm83bnR1T3N3TzRmQjRSSzRIeVNieWxnNGJLSEtIMTlYOTFoVkF6SlN5c2ZtUy9kNXdnMUNmaVdXdDVTMkhBNTA4dGhYdVpud0czWHo2S25XSzhrUmR4MWRjK1lSV2dhRnlkNGdMRzlhQlRzWE9aN3Z4LzdQNGJyek5FbTR3UDkvMHR1ZnhHK25zWTZEcHduRUdDamwrVlVLcGd6RXF3Tk5qUXFZRllTQVhFaytWdCtYM2MyZDBISXJaUXZZbk5oMDJLeHV3VkJUaG4zTWF6UU5hTnhDL3N5ZjNrRFFDUnJaQ1lvK1l0RHVkekpVOXAzQTBZWEhUUWNzZGV0c0haWENNajNtdXZ6YzBtRUJsdzRMYmNoS21uYnlabWc9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRUNEQ0NBdkNnQXdJQkFnSVVYdW4wOENzbExSV1NMcU5uREUxTnRHSmVmbDB3RFFZSktvWklodmNOQVFFRkJRQXdVekVMTUFrR0ExVUVCaE1DVlZNeEREQUtCZ05WQkFvTUEyTjBkVEVWTUJNR0ExVUVDd3dNVDI1bFRHOW5hVzRnU1dSUU1SOHdIUVlEVlFRRERCWlBibVZNYjJkcGJpQkJZMk52ZFc1MElETXlOakUwTUI0WERURXpNRGt6TURFNU16VTBORm9YRFRFNE1UQXdNVEU1TXpVME5Gb3dVekVMTUFrR0ExVUVCaE1DVlZNeEREQUtCZ05WQkFvTUEyTjBkVEVWTUJNR0ExVUVDd3dNVDI1bFRHOW5hVzRnU1dSUU1SOHdIUVlEVlFRRERCWlBibVZNYjJkcGJpQkJZMk52ZFc1MElETXlOakUwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEwT0c4VjhtaG92a2o0cmhHaGpyYkV4UlliektWMlp4ZnZHZkVHWEdVdlhjNkRxZWpZRWRoWjJtSWZDRG9qaFFqazBCeXdpaXJBS01PdDFHTnVIN2FXSUU0N0QwZXd0SzV5bEVBbTdlVm1vWTRreExDYVc1d1lyQzFTek1ucGVpdFV4cXZzYm5LejNqVUtZSFJnZ3BmdlZqNHNpSERaZUlaYTlhNXJVdnBNbm5iT29GaVpDSUVOcHEzVEMzM2l2T1NaaEVOUlR6bXZuazVHRG9MSHcvOHFBZ1FpeVQzRDF4Q2tTQmI1NFBIZ2tRNVJxMW9kTE0vaEorTDBqekNVUUg0Z3hwV2xFQWFiNEs5czhmcEJVQkJoNWdtSkNZaThVYklsaHFPOE4ybXludW0zM0JVL3ZKM1BuYXdUNFlZa1R3UlV4NlkrM2ZwbVJCSHFsNGg4M1NNZXdJREFRQUJvNEhUTUlIUU1Bd0dBMVVkRXdFQi93UUNNQUF3SFFZRFZSME9CQllFRk9mRkZqSEZqOWE2eHBuZ2IxMXJyaGdNZTlBck1JR1FCZ05WSFNNRWdZZ3dnWVdBRk9mRkZqSEZqOWE2eHBuZ2IxMXJyaGdNZTlBcm9WZWtWVEJUTVFzd0NRWURWUVFHRXdKVlV6RU1NQW9HQTFVRUNnd0RZM1IxTVJVd0V3WURWUVFMREF4UGJtVk1iMmRwYmlCSlpGQXhIekFkQmdOVkJBTU1Gazl1WlV4dloybHVJRUZqWTI5MWJuUWdNekkyTVRTQ0ZGN3A5UEFySlMwVmtpNmpad3hOVGJSaVhuNWRNQTRHQTFVZER3RUIvd1FFQXdJSGdEQU5CZ2txaGtpRzl3MEJBUVVGQUFPQ0FRRUFNZ2xuNE5QTVFuOEd5dnE4Q1RQK2MyZTZDVXpjdlJFS25UaGp4VDlXY3ZWMVpWWE1CTlBtNGNUcVQzNjFFZEx6WTV5V0xVV1hkNEF2Rm5jaXFCM01IWWEybnFUbW52TGdtaGtXZStoZEZvTmU1K0lBOEF4R24rbnFVSVNteUJlQ3h1VVVBYlJNdW93aUFyd0hJcHpwRXlSSVlkU1pSTkYwZHZnaVBZeXIvTWlQWEljenBINW5Ma3ZiTHBjQUYrUjhaaDlud1kwZzFKVnljNkFCNmo3WWV4dVVRWnBISDRzMFZkeC9uV21yY0ZlTFpLQ1R4Y2FoSHZVNTBlMXlLWDV0aGZWYUpxSThRUTd4Wnh5dTBUVHNpYVgwdXc1MUpQT3pQdUFQcGgwejZ4b1M5b1l4dXpaMXk5c05ISDZrSDhHRm52UzJNcXlIaU56MGgwU3EvcTZuK3c9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjxzYW1scDpSZXNwb25zZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL2FjcyIgSUQ9InBmeGVkODhjNDNkLTY1MDQtZTFmMS01YWYwLTQwYmU3ZjI3OWZjNSIgSW5SZXNwb25zZVRvPSJpZC1kNDBjMTVjMTA0YjUyNjkxZWNjZjBhMmE1YzhhMTU1OTViZTc1NDIzIiBJc3N1ZUluc3RhbnQ9IjIwMTYtMDEtMDVUMTc6NTM6MTFaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5odHRwczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbC9tZXRhZGF0YS81MDM5ODM8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElEPSJBZDk0NWFlZGEzOGE1MDhmOGZhYzliYzk2MTNkNTk2NDJjMGQyZDhjYiIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjExWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwvbWV0YWRhdGEvNTAzOTgzPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+cm9zc0BrbmRyLm9yZzwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iaWQtZDQwYzE1YzEwNGI1MjY5MWVjY2YwYTJhNWM4YTE1NTk1YmU3NTQyMyIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjU2OjExWiIgUmVjaXBpZW50PSJodHRwczovLzI5ZWU2ZDJlLm5ncm9rLmlvL3NhbWwvYWNzIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTYtMDEtMDVUMTc6NTA6MTFaIiBOb3RPbk9yQWZ0ZXI9IjIwMTYtMDEtMDVUMTc6NTY6MTFaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9tZXRhZGF0YTwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTYtMDEtMDVUMTc6NTM6MTBaIiBTZXNzaW9uSW5kZXg9Il9lYmRjYmU4MC05NWZmLTAxMzMtZDg3MS0zOGNhM2E2NjJmMWMiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTYtMDEtMDZUMTc6NTM6MTFaIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJVc2VyLmVtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5yb3NzQGtuZHIub3JnPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1lbWJlck9mIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIi8+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iVXNlci5MYXN0TmFtZSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+S2luZGVyPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9IlBlcnNvbkltbXV0YWJsZUlEIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIi8+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iVXNlci5GaXJzdE5hbWUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPlJvc3M8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT48L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBJRD0iQWQ5NDVhZWRhMzhhNTA4ZjhmYWM5YmM5NjEzZDU5NjQyYzBkMmQ4Y2IiIElzc3VlSW5zdGFudD0iMjAxNi0wMS0wNVQxNzo1MzoxMVoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzUwMzk4Mzwvc2FtbDpJc3N1ZXI+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnJvc3NAa25kci5vcmc8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89ImlkLWQ0MGMxNWMxMDRiNTI2OTFlY2NmMGEyYTVjOGExNTU5NWJlNzU0MjMiIE5vdE9uT3JBZnRlcj0iMjAxNi0wMS0wNVQxNzo1NjoxMVoiIFJlY2lwaWVudD0iaHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL2FjcyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTAxLTA1VDE3OjUwOjExWiIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjU2OjExWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovLzI5ZWU2ZDJlLm5ncm9rLmlvL3NhbWwvbWV0YWRhdGE8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjEwWiIgU2Vzc2lvbkluZGV4PSJfZWJkY2JlODAtOTVmZi0wMTMzLWQ4NzEtMzhjYTNhNjYyZjFjIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDE2LTAxLTA2VDE3OjUzOjExWiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iVXNlci5lbWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+cm9zc0BrbmRyLm9yZzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtZW1iZXJPZiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9IlVzZXIuTGFzdE5hbWUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPktpbmRlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJQZXJzb25JbW11dGFibGVJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9IlVzZXIuRmlyc3ROYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5Sb3NzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+Cg==
\ No newline at end of file
diff --git a/testdata/TestXswPermutationSevenIsRejected_response b/testdata/TestXswPermutationSevenIsRejected_response
new file mode 100644
index 00000000..a7151896
--- /dev/null
+++ b/testdata/TestXswPermutationSevenIsRejected_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSUQ9Il84ZThkYzVmNjlhOThjYzRjMWZmMzQyN2U1Y2UzNDYwNmZkNjcyZjkxZTYiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxFeHRlbnNpb25zPjxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElEPSJwZngwNDY5MDBjNS0wNDIzLTM1Y2ItMmFkYi03MjI4M2JhNWQ4Y2QiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwIj5fY2UzZDI5NDhiNGNmMjAxNDZkZWUwYTBiM2RkNmY2OWI2Y2Y4NmY2MmQ3PC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1IiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9pbmRleC5waHA/YWNzIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTQtMDctMTdUMDE6MDE6MThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3YWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3RAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uQWZmaWxpYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXJzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmV4YW1wbGVyb2xlMTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L0V4dGVuc2lvbnM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgSUQ9InBmeDA0NjkwMGM1LTA0MjMtMzVjYi0yYWRiLTcyMjgzYmE1ZDhjZCIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4MDQ2OTAwYzUtMDQyMy0zNWNiLTJhZGItNzIyODNiYTVkOGNkIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5iZXlmcUg5czFTKzZsMkdCSGJTbFc4VHhLNkU9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPkNKQkxjSlVOb3VDSmxjd3lhS1NvVEZ0clRhUk5RYmdYckVRR0pOZmx2MmRqTHQzcnR3aStHNkx3dVBmRCtyQXlveUhtcXJReVNpUlpnWU15Y3VuTy81RDZHYnllWElWM2tzT3djRitBeVZka2tuVWlxU3dINy85cmR2RWFma0pwNDd3WlgrNzh2UUYwNk1yMWc0Smw4MHJOY0RSdzF4T0V1b1A3akMyNW0xUT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNhakNDQWRPZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRMEZBREJTTVFzd0NRWURWUVFHRXdKMWN6RVRNQkVHQTFVRUNBd0tRMkZzYVdadmNtNXBZVEVWTUJNR0ExVUVDZ3dNVDI1bGJHOW5hVzRnU1c1ak1SY3dGUVlEVlFRRERBNXpjQzVsZUdGdGNHeGxMbU52YlRBZUZ3MHhOREEzTVRjeE5ERXlOVFphRncweE5UQTNNVGN4TkRFeU5UWmFNRkl4Q3pBSkJnTlZCQVlUQW5Wek1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUlV3RXdZRFZRUUtEQXhQYm1Wc2IyZHBiaUJKYm1NeEZ6QVZCZ05WQkFNTURuTndMbVY0WVcxd2JHVXVZMjl0TUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEWngrT040SVVvSVd4Z3VrVGIxdE9pWDNiTVl6WVFpd1dQVU5NcCtGcTgyeG9Ob2dzbzJieWtaRzB5aUptNW84enYvc2Q2cEdvdWF5TWdreC8yRlNPZGMzNlQwakdiQ0h1UlNidGlhMFBFek5JUnRtVmlNcnQzQWVvV0JpZFJYbVpzeENOTHdnSVY2ZG4yV3B1RTVBejBiSGdwWm5ReFRLRmVrMEJNS1UvZDh3SURBUUFCbzFBd1RqQWRCZ05WSFE0RUZnUVVHSHhZcVpZeVg3Y1R4S1ZPRFZnWndTVGRDbnd3SHdZRFZSMGpCQmd3Rm9BVUdIeFlxWll5WDdjVHhLVk9EVmdad1NUZENud3dEQVlEVlIwVEJBVXdBd0VCL3pBTkJna3Foa2lHOXcwQkFRMEZBQU9CZ1FCeUZPbCtoTUZJQ2JkM0RKZm5wMlJnZC9kcXR0c1pHL3R5aElMV3ZFcmJpby9ERWU5OG1YcG93aFRrQzA0RU5wck95WGk3WmJVcWlpY0Y4OXVBR3l0MW9xZ1RVQ0QxVnNMYWhxSWNtcnpndW1OeVR3TEdXbzE3V0RBYTEvdXNEaGV0V0FNaGd6Ri9DbmY1ZWswbkswMG0wWVpHeWM0THpnRDBDUk9NQVNUV05nPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwIj5fY2UzZDI5NDhiNGNmMjAxNDZkZWUwYTBiM2RkNmY2OWI2Y2Y4NmY2MmQ3PC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1IiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9pbmRleC5waHA/YWNzIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTQtMDctMTdUMDE6MDE6MThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3YWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3RAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uQWZmaWxpYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXJzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmV4YW1wbGVyb2xlMTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPgo=
\ No newline at end of file
diff --git a/testdata/TestXswPermutationSixIsRejected_response b/testdata/TestXswPermutationSixIsRejected_response
new file mode 100644
index 00000000..e0c947d0
--- /dev/null
+++ b/testdata/TestXswPermutationSixIsRejected_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSUQ9Il84ZThkYzVmNjlhOThjYzRjMWZmMzQyN2U1Y2UzNDYwNmZkNjcyZjkxZTYiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElEPSJfZXZpbF9hc3NlcnRpb25fSUQiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDA0NjkwMGM1LTA0MjMtMzVjYi0yYWRiLTcyMjgzYmE1ZDhjZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+YmV5ZnFIOXMxUys2bDJHQkhiU2xXOFR4SzZFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5DSkJMY0pVTm91Q0psY3d5YUtTb1RGdHJUYVJOUWJnWHJFUUdKTmZsdjJkakx0M3J0d2krRzZMd3VQZkQrckF5b3lIbXFyUXlTaVJaZ1lNeWN1bk8vNUQ2R2J5ZVhJVjNrc093Y0YrQXlWZGtrblVpcVN3SDcvOXJkdkVhZmtKcDQ3d1pYKzc4dlFGMDZNcjFnNEpsODByTmNEUncxeE9FdW9QN2pDMjVtMVE9PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDYWpDQ0FkT2dBd0lCQWdJQkFEQU5CZ2txaGtpRzl3MEJBUTBGQURCU01Rc3dDUVlEVlFRR0V3SjFjekVUTUJFR0ExVUVDQXdLUTJGc2FXWnZjbTVwWVRFVk1CTUdBMVVFQ2d3TVQyNWxiRzluYVc0Z1NXNWpNUmN3RlFZRFZRUUREQTV6Y0M1bGVHRnRjR3hsTG1OdmJUQWVGdzB4TkRBM01UY3hOREV5TlRaYUZ3MHhOVEEzTVRjeE5ERXlOVFphTUZJeEN6QUpCZ05WQkFZVEFuVnpNUk13RVFZRFZRUUlEQXBEWVd4cFptOXlibWxoTVJVd0V3WURWUVFLREF4UGJtVnNiMmRwYmlCSmJtTXhGekFWQmdOVkJBTU1Ebk53TG1WNFlXMXdiR1V1WTI5dE1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRFp4K09ONElVb0lXeGd1a1RiMXRPaVgzYk1ZellRaXdXUFVOTXArRnE4MnhvTm9nc28yYnlrWkcweWlKbTVvOHp2L3NkNnBHb3VheU1na3gvMkZTT2RjMzZUMGpHYkNIdVJTYnRpYTBQRXpOSVJ0bVZpTXJ0M0Flb1dCaWRSWG1ac3hDTkx3Z0lWNmRuMldwdUU1QXowYkhncFpuUXhUS0ZlazBCTUtVL2Q4d0lEQVFBQm8xQXdUakFkQmdOVkhRNEVGZ1FVR0h4WXFaWXlYN2NUeEtWT0RWZ1p3U1RkQ253d0h3WURWUjBqQkJnd0ZvQVVHSHhZcVpZeVg3Y1R4S1ZPRFZnWndTVGRDbnd3REFZRFZSMFRCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUTBGQUFPQmdRQnlGT2wraE1GSUNiZDNESmZucDJSZ2QvZHF0dHNaRy90eWhJTFd2RXJiaW8vREVlOThtWHBvd2hUa0MwNEVOcHJPeVhpN1piVXFpaWNGODl1QUd5dDFvcWdUVUNEMVZzTGFocUljbXJ6Z3VtTnlUd0xHV28xN1dEQWExL3VzRGhldFdBTWhnekYvQ25mNWVrMG5LMDBtMFlaR3ljNEx6Z0QwQ1JPTUFTVFdOZz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgSUQ9InBmeDA0NjkwMGM1LTA0MjMtMzVjYi0yYWRiLTcyMjgzYmE1ZDhjZCIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50IiBTUE5hbWVRdWFsaWZpZXI9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHAiPl9jZTNkMjk0OGI0Y2YyMDE0NmRlZTBhMGIzZGQ2ZjY5YjZjZjg2ZjYyZDc8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzRmZWUzYjA0NjM5NWM0ZTc1MTAxMWU5N2Y4OTAwYjUyNzNkNTY2ODUiIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiIFJlY2lwaWVudD0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL2luZGV4LnBocD9hY3MiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wNy0xN1QwMTowMToxOFoiIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBTZXNzaW9uSW5kZXg9Il9iZTk5NjdhYmQ5MDRkZGNhZTNjMGViNDE4OWFkYmUzZjcxZTMyN2NmOTMiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMjQtMDctMTdUMDk6MDE6NDhaIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3Q8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdEBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcnM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+ZXhhbXBsZXJvbGUxPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50IiBTUE5hbWVRdWFsaWZpZXI9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHAiPl9jZTNkMjk0OGI0Y2YyMDE0NmRlZTBhMGIzZGQ2ZjY5YjZjZjg2ZjYyZDc8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzRmZWUzYjA0NjM5NWM0ZTc1MTAxMWU5N2Y4OTAwYjUyNzNkNTY2ODUiIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiIFJlY2lwaWVudD0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL2luZGV4LnBocD9hY3MiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wNy0xN1QwMTowMToxOFoiIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBTZXNzaW9uSW5kZXg9Il9iZTk5NjdhYmQ5MDRkZGNhZTNjMGViNDE4OWFkYmUzZjcxZTMyN2NmOTMiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMjQtMDctMTdUMDk6MDE6NDhaIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3Q8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdEBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcnM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+ZXhhbXBsZXJvbGUxPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+Cg==
\ No newline at end of file
diff --git a/testdata/TestXswPermutationThreeIsRejected_response b/testdata/TestXswPermutationThreeIsRejected_response
new file mode 100644
index 00000000..ad0e256d
--- /dev/null
+++ b/testdata/TestXswPermutationThreeIsRejected_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSUQ9Il84ZThkYzVmNjlhOThjYzRjMWZmMzQyN2U1Y2UzNDYwNmZkNjcyZjkxZTYiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIgSXNzdWVJbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElEPSJfZXZpbF9hc3NlcnRpb25fSUQiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwIj5fY2UzZDI5NDhiNGNmMjAxNDZkZWUwYTBiM2RkNmY2OWI2Y2Y4NmY2MmQ3PC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1IiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9pbmRleC5waHA/YWNzIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTQtMDctMTdUMDE6MDE6MThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3YWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3RAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uQWZmaWxpYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXJzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmV4YW1wbGVyb2xlMTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48c2FtbDpBc3NlcnRpb24geG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBJRD0icGZ4MDQ2OTAwYzUtMDQyMy0zNWNiLTJhZGItNzIyODNiYTVkOGNkIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tL21ldGFkYXRhLnBocDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNwZngwNDY5MDBjNS0wNDIzLTM1Y2ItMmFkYi03MjI4M2JhNWQ4Y2QiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPmJleWZxSDlzMVMrNmwyR0JIYlNsVzhUeEs2RT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+Q0pCTGNKVU5vdUNKbGN3eWFLU29URnRyVGFSTlFiZ1hyRVFHSk5mbHYyZGpMdDNydHdpK0c2THd1UGZEK3JBeW95SG1xclF5U2lSWmdZTXljdW5PLzVENkdieWVYSVYza3NPd2NGK0F5VmRra25VaXFTd0g3LzlyZHZFYWZrSnA0N3daWCs3OHZRRjA2TXIxZzRKbDgwck5jRFJ3MXhPRXVvUDdqQzI1bTFRPTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2FqQ0NBZE9nQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVEwRkFEQlNNUXN3Q1FZRFZRUUdFd0oxY3pFVE1CRUdBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVZNQk1HQTFVRUNnd01UMjVsYkc5bmFXNGdTVzVqTVJjd0ZRWURWUVFEREE1emNDNWxlR0Z0Y0d4bExtTnZiVEFlRncweE5EQTNNVGN4TkRFeU5UWmFGdzB4TlRBM01UY3hOREV5TlRaYU1GSXhDekFKQmdOVkJBWVRBblZ6TVJNd0VRWURWUVFJREFwRFlXeHBabTl5Ym1saE1SVXdFd1lEVlFRS0RBeFBibVZzYjJkcGJpQkpibU14RnpBVkJnTlZCQU1NRG5Od0xtVjRZVzF3YkdVdVkyOXRNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURaeCtPTjRJVW9JV3hndWtUYjF0T2lYM2JNWXpZUWl3V1BVTk1wK0ZxODJ4b05vZ3NvMmJ5a1pHMHlpSm01bzh6di9zZDZwR291YXlNZ2t4LzJGU09kYzM2VDBqR2JDSHVSU2J0aWEwUEV6TklSdG1WaU1ydDNBZW9XQmlkUlhtWnN4Q05Md2dJVjZkbjJXcHVFNUF6MGJIZ3BablF4VEtGZWswQk1LVS9kOHdJREFRQUJvMUF3VGpBZEJnTlZIUTRFRmdRVUdIeFlxWll5WDdjVHhLVk9EVmdad1NUZENud3dId1lEVlIwakJCZ3dGb0FVR0h4WXFaWXlYN2NUeEtWT0RWZ1p3U1RkQ253d0RBWURWUjBUQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVEwRkFBT0JnUUJ5Rk9sK2hNRklDYmQzREpmbnAyUmdkL2RxdHRzWkcvdHloSUxXdkVyYmlvL0RFZTk4bVhwb3doVGtDMDRFTnByT3lYaTdaYlVxaWljRjg5dUFHeXQxb3FnVFVDRDFWc0xhaHFJY21yemd1bU55VHdMR1dvMTdXREFhMS91c0RoZXRXQU1oZ3pGL0NuZjVlazBuSzAwbTBZWkd5YzRMemdEMENST01BU1RXTmc9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50IiBTUE5hbWVRdWFsaWZpZXI9Imh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHAiPl9jZTNkMjk0OGI0Y2YyMDE0NmRlZTBhMGIzZGQ2ZjY5YjZjZjg2ZjYyZDc8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzRmZWUzYjA0NjM5NWM0ZTc1MTAxMWU5N2Y4OTAwYjUyNzNkNTY2ODUiIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiIFJlY2lwaWVudD0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL2luZGV4LnBocD9hY3MiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wNy0xN1QwMTowMToxOFoiIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBTZXNzaW9uSW5kZXg9Il9iZTk5NjdhYmQ5MDRkZGNhZTNjMGViNDE4OWFkYmUzZjcxZTMyN2NmOTMiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMjQtMDctMTdUMDk6MDE6NDhaIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3Q8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdEBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcnM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+ZXhhbXBsZXJvbGUxPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+Cg==
\ No newline at end of file
diff --git a/testdata/TestXswPermutationTwoIsRejected_response b/testdata/TestXswPermutationTwoIsRejected_response
new file mode 100644
index 00000000..05c3b6e2
--- /dev/null
+++ b/testdata/TestXswPermutationTwoIsRejected_response
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovLzI5ZWU2ZDJlLm5ncm9rLmlvL3NhbWwvYWNzIiBJRD0iX2V2aWxfcmVzcG9uc2VfSUQiIEluUmVzcG9uc2VUbz0iaWQtZDQwYzE1YzEwNGI1MjY5MWVjY2YwYTJhNWM4YTE1NTk1YmU3NTQyMyIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjExWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwvbWV0YWRhdGEvNTAzOTgzPC9zYW1sOklzc3Vlcj48c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRGVzdGluYXRpb249Imh0dHBzOi8vMjllZTZkMmUubmdyb2suaW8vc2FtbC9hY3MiIElEPSJwZnhlZDg4YzQzZC02NTA0LWUxZjEtNWFmMC00MGJlN2YyNzlmYzUiIEluUmVzcG9uc2VUbz0iaWQtZDQwYzE1YzEwNGI1MjY5MWVjY2YwYTJhNWM4YTE1NTk1YmU3NTQyMyIgSXNzdWVJbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjExWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwvbWV0YWRhdGEvNTAzOTgzPC9zYW1sOklzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBJRD0iQWQ5NDVhZWRhMzhhNTA4ZjhmYWM5YmM5NjEzZDU5NjQyYzBkMmQ4Y2IiIElzc3VlSW5zdGFudD0iMjAxNi0wMS0wNVQxNzo1MzoxMVoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzUwMzk4Mzwvc2FtbDpJc3N1ZXI+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnJvc3NAa25kci5vcmc8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89ImlkLWQ0MGMxNWMxMDRiNTI2OTFlY2NmMGEyYTVjOGExNTU5NWJlNzU0MjMiIE5vdE9uT3JBZnRlcj0iMjAxNi0wMS0wNVQxNzo1NjoxMVoiIFJlY2lwaWVudD0iaHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL2FjcyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTAxLTA1VDE3OjUwOjExWiIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjU2OjExWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovLzI5ZWU2ZDJlLm5ncm9rLmlvL3NhbWwvbWV0YWRhdGE8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjEwWiIgU2Vzc2lvbkluZGV4PSJfZWJkY2JlODAtOTVmZi0wMTMzLWQ4NzEtMzhjYTNhNjYyZjFjIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDE2LTAxLTA2VDE3OjUzOjExWiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iVXNlci5lbWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+cm9zc0BrbmRyLm9yZzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtZW1iZXJPZiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9IlVzZXIuTGFzdE5hbWUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPktpbmRlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJQZXJzb25JbW11dGFibGVJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9IlVzZXIuRmlyc3ROYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5Sb3NzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhlZDg4YzQzZC02NTA0LWUxZjEtNWFmMC00MGJlN2YyNzlmYzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlNWQWFRZzh2bW1TUUw2L1lCbVMyeWRLUlA3ST08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+c0JlVFZQMGJab1BSK2JmeUFrVnY2STNDVjdZOFhxbkoycjhmMStXbXIyZ0ZnblJGODVOdnZTUCtyMUJvN250dU9zd080ZkI0Uks0SHlTYnlsZzRiS0hLSDE5WDkxaFZBekpTeXNmbVMvZDV3ZzFDZmlXV3Q1UzJIQTUwOHRoWHVabndHM1h6NktuV0s4a1JkeDFkYytZUldnYUZ5ZDRnTEc5YUJUc1hPWjd2eC83UDRicnpORW00d1A5LzB0dWZ4Rytuc1k2RHB3bkVHQ2psK1ZVS3BnekVxd05OalFxWUZZU0FYRWsrVnQrWDNjMmQwSElyWlF2WW5OaDAyS3h1d1ZCVGhuM01helFOYU54Qy9zeWYza0RRQ1JyWkNZbytZdER1ZHpKVTlwM0EwWVhIVFFjc2RldHNIWlhDTWozbXV2emMwbUVCbHc0TGJjaEttbmJ5Wm1nPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUVDRENDQXZDZ0F3SUJBZ0lVWHVuMDhDc2xMUldTTHFObkRFMU50R0plZmwwd0RRWUpLb1pJaHZjTkFRRUZCUUF3VXpFTE1Ba0dBMVVFQmhNQ1ZWTXhEREFLQmdOVkJBb01BMk4wZFRFVk1CTUdBMVVFQ3d3TVQyNWxURzluYVc0Z1NXUlFNUjh3SFFZRFZRUUREQlpQYm1WTWIyZHBiaUJCWTJOdmRXNTBJRE15TmpFME1CNFhEVEV6TURrek1ERTVNelUwTkZvWERURTRNVEF3TVRFNU16VTBORm93VXpFTE1Ba0dBMVVFQmhNQ1ZWTXhEREFLQmdOVkJBb01BMk4wZFRFVk1CTUdBMVVFQ3d3TVQyNWxURzluYVc0Z1NXUlFNUjh3SFFZRFZRUUREQlpQYm1WTWIyZHBiaUJCWTJOdmRXNTBJRE15TmpFME1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBME9HOFY4bWhvdmtqNHJoR2hqcmJFeFJZYnpLVjJaeGZ2R2ZFR1hHVXZYYzZEcWVqWUVkaFoybUlmQ0RvamhRamswQnl3aWlyQUtNT3QxR051SDdhV0lFNDdEMGV3dEs1eWxFQW03ZVZtb1k0a3hMQ2FXNXdZckMxU3pNbnBlaXRVeHF2c2JuS3ozalVLWUhSZ2dwZnZWajRzaUhEWmVJWmE5YTVyVXZwTW5uYk9vRmlaQ0lFTnBxM1RDMzNpdk9TWmhFTlJUem12bms1R0RvTEh3LzhxQWdRaXlUM0QxeENrU0JiNTRQSGdrUTVScTFvZExNL2hKK0wwanpDVVFINGd4cFdsRUFhYjRLOXM4ZnBCVUJCaDVnbUpDWWk4VWJJbGhxTzhOMm15bnVtMzNCVS92SjNQbmF3VDRZWWtUd1JVeDZZKzNmcG1SQkhxbDRoODNTTWV3SURBUUFCbzRIVE1JSFFNQXdHQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZPZkZGakhGajlhNnhwbmdiMTFycmhnTWU5QXJNSUdRQmdOVkhTTUVnWWd3Z1lXQUZPZkZGakhGajlhNnhwbmdiMTFycmhnTWU5QXJvVmVrVlRCVE1Rc3dDUVlEVlFRR0V3SlZVekVNTUFvR0ExVUVDZ3dEWTNSMU1SVXdFd1lEVlFRTERBeFBibVZNYjJkcGJpQkpaRkF4SHpBZEJnTlZCQU1NRms5dVpVeHZaMmx1SUVGalkyOTFiblFnTXpJMk1UU0NGRjdwOVBBckpTMFZraTZqWnd4TlRiUmlYbjVkTUE0R0ExVWREd0VCL3dRRUF3SUhnREFOQmdrcWhraUc5dzBCQVFVRkFBT0NBUUVBTWdsbjROUE1RbjhHeXZxOENUUCtjMmU2Q1V6Y3ZSRUtuVGhqeFQ5V2N2VjFaVlhNQk5QbTRjVHFUMzYxRWRMelk1eVdMVVdYZDRBdkZuY2lxQjNNSFlhMm5xVG1udkxnbWhrV2UraGRGb05lNStJQThBeEduK25xVUlTbXlCZUN4dVVVQWJSTXVvd2lBcndISXB6cEV5UklZZFNaUk5GMGR2Z2lQWXlyL01pUFhJY3pwSDVuTGt2YkxwY0FGK1I4Wmg5bndZMGcxSlZ5YzZBQjZqN1lleHVVUVpwSEg0czBWZHgvbldtcmNGZUxaS0NUeGNhaEh2VTUwZTF5S1g1dGhmVmFKcUk4UVE3eFp4eXUwVFRzaWFYMHV3NTFKUE96UHVBUHBoMHo2eG9TOW9ZeHV6WjF5OXNOSEg2a0g4R0ZudlMyTXF5SGlOejBoMFNxL3E2bit3PT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBJRD0iQWQ5NDVhZWRhMzhhNTA4ZjhmYWM5YmM5NjEzZDU5NjQyYzBkMmQ4Y2IiIElzc3VlSW5zdGFudD0iMjAxNi0wMS0wNVQxNzo1MzoxMVoiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzUwMzk4Mzwvc2FtbDpJc3N1ZXI+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnJvc3NAa25kci5vcmc8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89ImlkLWQ0MGMxNWMxMDRiNTI2OTFlY2NmMGEyYTVjOGExNTU5NWJlNzU0MjMiIE5vdE9uT3JBZnRlcj0iMjAxNi0wMS0wNVQxNzo1NjoxMVoiIFJlY2lwaWVudD0iaHR0cHM6Ly8yOWVlNmQyZS5uZ3Jvay5pby9zYW1sL2FjcyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTAxLTA1VDE3OjUwOjExWiIgTm90T25PckFmdGVyPSIyMDE2LTAxLTA1VDE3OjU2OjExWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovLzI5ZWU2ZDJlLm5ncm9rLmlvL3NhbWwvbWV0YWRhdGE8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE2LTAxLTA1VDE3OjUzOjEwWiIgU2Vzc2lvbkluZGV4PSJfZWJkY2JlODAtOTVmZi0wMTMzLWQ4NzEtMzhjYTNhNjYyZjFjIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDE2LTAxLTA2VDE3OjUzOjExWiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iVXNlci5lbWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+cm9zc0BrbmRyLm9yZzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtZW1iZXJPZiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9IlVzZXIuTGFzdE5hbWUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPktpbmRlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJQZXJzb25JbW11dGFibGVJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9IlVzZXIuRmlyc3ROYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5Sb3NzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+Cg==
\ No newline at end of file
diff --git a/testdata/cert_2017.pem b/testdata/cert_2017.pem
new file mode 100644
index 00000000..34c7e887
--- /dev/null
+++ b/testdata/cert_2017.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIJANke+OUVRk19MA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV
+BAMTFW15c2VydmljZS5leGFtcGxlLmNvbTAeFw0xNzA0MTkxOTU2MTNaFw0xODA0
+MTkxOTU2MTNaMCAxHjAcBgNVBAMTFW15c2VydmljZS5leGFtcGxlLmNvbTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ7tsAJqJ4rUZFT/5SjvoA1mpQBC
++KidcehMsTFW/9l73cPnYNhtnNe+9S8n76eF2ASuEwAKN5xoXDP297y4ZOORnkou
+P8jiYZjqNHTckE9LevM8YOpTPVojhq+rq7hiQyMF6pJkBPgduolcsnBg188jn/oN
+mdmzIaS33QiNOZ6FGXLKt3/Fapscea0gq8a46wKhFFQmW8i+MGqdSSi255c05ZZL
+5H04plDNoGEvES5OsxSjbZ4+294K83nOXoGSEPfsO4XUTORlryis0p/f3aNUgoou
+eeTphD9Go2pGHYvahjusx9ONbZ7egc07dJoIAVjgaMSv+UwqfpxjAU7018sCAwEA
+AaOBgTB/MB0GA1UdDgQWBBSYE9Nwp/eUqfRQ11rqwoowNFHNyTBQBgNVHSMESTBH
+gBSYE9Nwp/eUqfRQ11rqwoowNFHNyaEkpCIwIDEeMBwGA1UEAxMVbXlzZXJ2aWNl
+LmV4YW1wbGUuY29tggkA2R745RVGTX0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
+AQUFAAOCAQEAVJmpMg1ZpDGweoCU4k66RVDpPzSuPJ+9H9L2jcaA38itDtXmG9Iz
+dbOLpNF9fDbU60P421SgS0nF/s7zkxkYJWOoZaced/vUO6H9TdWEZay+uywAjvoZ
+GwkZ9HxYMqKMVld4EwW/OwT67UVBdtgkSfI1O7ojqDOFx7U4+HJWxUEwGOc0pOPz
+NyLSYCsAkQt2CZU7dN72L96Ka8xxklNaVcUaUH+zOWF1JBamV9s6M2umcdBot8MO
+3m1zQTkXzBKM3f+Yvk+dRjO4TSW90h2oQqot8xrkPhy+DgOqJj3/lKmZXjqE5mAE
+hpQB0uVPekPvKN89hCnkPo2EvXKPf7VZgg==
+-----END CERTIFICATE-----
diff --git a/testdata/idp_authn_request.xml b/testdata/idp_authn_request.xml
new file mode 100644
index 00000000..820bb36b
--- /dev/null
+++ b/testdata/idp_authn_request.xml
@@ -0,0 +1 @@
+<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:57:09Z" Destination="https://idp.example.com/saml/sso" AssertionConsumerServiceURL="https://sp.example.com/saml2/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sp.example.com/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
\ No newline at end of file
diff --git a/testdata/idp_cert.pem b/testdata/idp_cert.pem
new file mode 100644
index 00000000..cba15632
--- /dev/null
+++ b/testdata/idp_cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0
+MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9
+ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH
+O8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv
+Rsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk
+akpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT
+QLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn
+OwJlNCASPZRH/JmF8tX0hoHuAQ==
+-----END CERTIFICATE-----
diff --git a/testdata/idp_key.pem b/testdata/idp_key.pem
new file mode 100644
index 00000000..c4530a84
--- /dev/null
+++ b/testdata/idp_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi
+3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E
+PsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB
+AoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ
+CT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS
+JEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU
+N3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/
+fbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU
+4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM
+Rq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA
+yfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr
+vBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6
+hU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/idp_new_session_response b/testdata/idp_new_session_response
new file mode 100644
index 00000000..82c39ff8
--- /dev/null
+++ b/testdata/idp_new_session_response
@@ -0,0 +1,2 @@
+RelayState: ThisIsTheRelayState
+SAMLRequest: <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-00020406080a0c0e10121416181a1c1e20222426" Version="2.0" IssueInstant="2015-12-01T01:57:09Z" Destination="https://idp.example.com/saml/sso" AssertionConsumerServiceURL="https://sp.example.com/saml2/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sp.example.com/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
\ No newline at end of file
diff --git a/testdata/key_2017.pem b/testdata/key_2017.pem
new file mode 100644
index 00000000..66bb3138
--- /dev/null
+++ b/testdata/key_2017.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAnu2wAmonitRkVP/lKO+gDWalAEL4qJ1x6EyxMVb/2Xvdw+dg
+2G2c1771Lyfvp4XYBK4TAAo3nGhcM/b3vLhk45GeSi4/yOJhmOo0dNyQT0t68zxg
+6lM9WiOGr6uruGJDIwXqkmQE+B26iVyycGDXzyOf+g2Z2bMhpLfdCI05noUZcsq3
+f8Vqmxx5rSCrxrjrAqEUVCZbyL4wap1JKLbnlzTllkvkfTimUM2gYS8RLk6zFKNt
+nj7b3grzec5egZIQ9+w7hdRM5GWvKKzSn9/do1SCii555OmEP0ajakYdi9qGO6zH
+041tnt6BzTt0mggBWOBoxK/5TCp+nGMBTvTXywIDAQABAoIBAGc853TqGD2qsnI0
+uFvbLREHeG+vEXAWtoO8Le5rIU/ZkrlLeDGfIp9TQFodiyQ7YZPIsDb6bB2B/UMU
+TuGctozNbxGo8W5BAD0hBmpTTLr1wSx4MEyHPfdr1HYRAj+INSxvD22A42l5hk7s
+lE1D22yHK8h3RVWRc21YspB3jNJXhYq4qHU8ZIOK+I7wEy8AZYP5kI4ZUC/nXFik
+SwMeVN7U6TT+53Q6n08pos5Nupq0+3cAvZgneV2PP2fGCLIi9VU8Oh7N1WQMYzBt
+rYQwnWR6e2Mo0uH4eaaBlPW/3t4HXbS1b26RULC+i5MU3ZUy02w76liHGuuKAWOy
+6p6CkoECgYEAzpnt/9S+HKknCFwKMkvMxZ7xI3TxyG5gd41NYm+w8hPk3QlXzcva
+RqM1p2nacok4t8HEeAotkz8sP28GmcB4Egh33fUdhKQAkFrQ/OncWcRfzrhnrAMa
+gaNT/DT1QTOvfmnle3QLnZhgEDk6plgujvPmJ104/4TjIUOqru0DebsCgYEAxO20
+Biq5Bjfot8HxQE+Ur1VPEyZkYUQ9Xmx/exyMTBLy2bUMvZq40TMDEgGMzYvbOvgR
+d7/1X2SVvl3sl2mlRJ3nfSEO/Blq+EovdOi0liUYo5LT4IGx+uToBlfmTPNrTYBp
+P7JqH97DKYdM4eujwYkiPaAHkFYsnJi/jEU9cTECgYAssS3D9uB9ULYp38cw5CbS
+5TQiyGx5QC9MDVwdHC4538XVbuz4js2UFEBKC+L+feKwFZGLqh/7x2GqAzl5TyJq
+PDy53glZpSSeFZc57tkE7i8Ph+KdWjqEqrFDUK1xQl4HSZ8j2pGcsNavC8I9M7w2
+nlo+T7NByxxbGMk2d/0VewKBgQCJvr7qhV2wRNEqH6VxV3jn/2L1QSh7hLDsaDXv
+VjOoTqTBtUs5II1f/y+Jm73yVH4/TB9jxMiMNh4r7yS7cDEiwtSWCNajbeAN1k5F
+lzQhxcbrO5uqcO2eUhkdvsQfVTDcIBL+c/yZWEbouHQFnr6HdDWYJ2TDCBPiYVGy
+ewgUMQKBgQCIgGzau6+hH8z6aWTnozGA4m8sWFq+t+ug4Gq6v3IAxBOQ2NhmQMRQ
+L3BkCfCGAx5JckBROqEiAvPLftof0bVJoxBKfslDrhJocEUJwjXUxmD5RRLr7SXU
+P4hDC736Y0DH3nzRlUZ2IP4mhqSECOEYAuz2VuJBTCbd0VEzpnxVfg==
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/testdata/sp_cert.pem b/testdata/sp_cert.pem
new file mode 100644
index 00000000..cba15632
--- /dev/null
+++ b/testdata/sp_cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0
+MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9
+ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH
+O8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv
+Rsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk
+akpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT
+QLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn
+OwJlNCASPZRH/JmF8tX0hoHuAQ==
+-----END CERTIFICATE-----
diff --git a/testdata/sp_key.pem b/testdata/sp_key.pem
new file mode 100644
index 00000000..c4530a84
--- /dev/null
+++ b/testdata/sp_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi
+3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E
+PsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB
+AoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ
+CT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS
+JEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU
+N3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/
+fbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU
+4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM
+Rq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA
+yfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr
+vBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6
+hU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==
+-----END RSA PRIVATE KEY-----
diff --git a/testsaml/equals_any.go b/testsaml/equals_any.go
deleted file mode 100644
index 01b2ace6..00000000
--- a/testsaml/equals_any.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package testsaml
-
-import (
-	"strings"
-
-	"gopkg.in/check.v1"
-)
-
-var EqualsAny = equalsAny{}
-
-type equalsAny struct {
-}
-
-func (checker equalsAny) Info() *check.CheckerInfo {
-	return &check.CheckerInfo{
-		Name:   "EqualsAny",
-		Params: []string{"value", "expected"},
-	}
-}
-
-func (checker equalsAny) Check(params []interface{}, names []string) (result bool, error string) {
-	errors := []string{}
-	for _, param := range params[1].([]interface{}) {
-		r, e := check.Equals.Check([]interface{}{params[0], param}, names)
-		if r {
-			return true, ""
-		}
-		errors = append(errors, e)
-	}
-	return false, strings.Join(errors, "\n")
-}
diff --git a/testsaml/parse.go b/testsaml/parse.go
index 70dbd601..2b9db7ad 100644
--- a/testsaml/parse.go
+++ b/testsaml/parse.go
@@ -5,7 +5,7 @@ import (
 	"compress/flate"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/url"
 )
 
@@ -15,9 +15,22 @@ func ParseRedirectRequest(u *url.URL) ([]byte, error) {
 	if err != nil {
 		return nil, fmt.Errorf("cannot decode request: %s", err)
 	}
-	buf, err := ioutil.ReadAll(flate.NewReader(bytes.NewReader(compressedRequest)))
+	buf, err := io.ReadAll(flate.NewReader(bytes.NewReader(compressedRequest)))
 	if err != nil {
 		return nil, fmt.Errorf("cannot decompress request: %s", err)
 	}
 	return buf, nil
 }
+
+// ParseRedirectResponse returns the decoded SAML LogoutResponse from an HTTP-Redirect URL
+func ParseRedirectResponse(u *url.URL) ([]byte, error) {
+	compressedResponse, err := base64.StdEncoding.DecodeString(u.Query().Get("SAMLResponse"))
+	if err != nil {
+		return nil, fmt.Errorf("cannot decode response: %s", err)
+	}
+	buf, err := io.ReadAll(flate.NewReader(bytes.NewReader(compressedResponse)))
+	if err != nil {
+		return nil, fmt.Errorf("cannot decompress response: %s", err)
+	}
+	return buf, nil
+}
diff --git a/time.go b/time.go
index 00ce754c..3f266f97 100644
--- a/time.go
+++ b/time.go
@@ -2,10 +2,13 @@ package saml
 
 import "time"
 
+// RelaxedTime is a version of time.Time that supports the time format
+// found in SAML documents.
 type RelaxedTime time.Time
 
 const timeFormat = "2006-01-02T15:04:05.999Z07:00"
 
+// MarshalText implements encoding.TextMarshaler
 func (m RelaxedTime) MarshalText() ([]byte, error) {
 	// According to section 1.2.2 of the OASIS SAML 1.1 spec, we can't trust
 	// other applications to handle time resolution finer than a millisecond.
@@ -18,6 +21,7 @@ func (m RelaxedTime) String() string {
 	return time.Time(m).Round(time.Millisecond).UTC().Format(timeFormat)
 }
 
+// UnmarshalText implements encoding.TextUnmarshaler
 func (m *RelaxedTime) UnmarshalText(text []byte) error {
 	if len(text) == 0 {
 		*m = RelaxedTime(time.Time{})
diff --git a/time_test.go b/time_test.go
index c8f3277d..ddac0f16 100644
--- a/time_test.go
+++ b/time_test.go
@@ -1,57 +1,61 @@
 package saml
 
 import (
+	"testing"
 	"time"
 
-	. "gopkg.in/check.v1"
-)
-
-var _ = Suite(&TimeTest{})
+	"github.com/google/go-cmp/cmp"
 
-type TimeTest struct {
-}
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
 
-func (test *TimeTest) TestFormat(c *C) {
-	t := time.Date(1981, 02, 03, 14, 15, 16, 17, time.UTC)
-	c.Assert(RelaxedTime(t).String(), Equals, "1981-02-03T14:15:16Z")
+func TestRelaxedTimeFormat(t *testing.T) {
+	rt := time.Date(1981, 02, 03, 14, 15, 16, 17, time.UTC)
+	assert.Check(t, is.Equal("1981-02-03T14:15:16Z", RelaxedTime(rt).String()))
 
-	buf, err := RelaxedTime(t).MarshalText()
-	c.Assert(err, IsNil)
-	c.Assert(string(buf), Equals, "1981-02-03T14:15:16Z")
+	buf, err := RelaxedTime(rt).MarshalText()
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("1981-02-03T14:15:16Z", string(buf)))
 
 	loc, err := time.LoadLocation("America/New_York")
-	c.Assert(err, IsNil)
-	t = time.Date(1981, 02, 03, 9, 15, 16, 17, loc)
+	assert.Check(t, err)
+	rt = time.Date(1981, 02, 03, 9, 15, 16, 17, loc)
 
-	c.Assert(RelaxedTime(t).String(), Equals, "1981-02-03T14:15:16Z")
-	buf, err = RelaxedTime(t).MarshalText()
-	c.Assert(err, IsNil)
-	c.Assert(string(buf), Equals, "1981-02-03T14:15:16Z")
+	assert.Check(t, is.Equal("1981-02-03T14:15:16Z", RelaxedTime(rt).String()))
+	buf, err = RelaxedTime(rt).MarshalText()
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("1981-02-03T14:15:16Z", string(buf)))
 }
 
-func (test *TimeTest) TestParse(c *C) {
+func TestRelaxedTimeParse(t *testing.T) {
 	{
-		var t RelaxedTime
-		err := t.UnmarshalText([]byte("1981-02-03T14:15:16Z"))
-		c.Assert(err, IsNil)
-		c.Assert(t, DeepEquals, RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 0, time.UTC)))
+		var rt RelaxedTime
+		err := rt.UnmarshalText([]byte("1981-02-03T14:15:16Z"))
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(
+			RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 0, time.UTC)),
+			rt, cmp.AllowUnexported(RelaxedTime{})))
 	}
 
 	{
-		var t RelaxedTime
-		err := t.UnmarshalText([]byte("1981-02-03T14:15:16.178901234Z"))
-		c.Assert(err, IsNil)
-		c.Assert(t, DeepEquals, RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 179000000, time.UTC)))
+		var rt RelaxedTime
+		err := rt.UnmarshalText([]byte("1981-02-03T14:15:16.178901234Z"))
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 179000000, time.UTC)),
+			rt, cmp.AllowUnexported(RelaxedTime{})))
 	}
 	{
-		var t RelaxedTime
-		err := t.UnmarshalText([]byte("1981-02-03T14:15:16.1717Z"))
-		c.Assert(err, IsNil)
-		c.Assert(t, DeepEquals, RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 172000000, time.UTC)))
+		var rt RelaxedTime
+		err := rt.UnmarshalText([]byte("1981-02-03T14:15:16.1717Z"))
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 172000000, time.UTC)),
+			rt, cmp.AllowUnexported(RelaxedTime{})))
 	}
 	{
-		var t RelaxedTime
-		err := t.UnmarshalText([]byte("1981-02-03T14:15:16Z04:00"))
-		c.Assert(err, ErrorMatches, "parsing time \"1981-02-03T14:15:16Z04:00\": extra text: 04:00")
+		var rt RelaxedTime
+		err := rt.UnmarshalText([]byte("1981-02-03T14:15:16Z04:00"))
+		assert.Check(t, is.Error(err,
+			"parsing time \"1981-02-03T14:15:16Z04:00\": extra text: \"04:00\""))
 	}
 }
diff --git a/time_test_114.go b/time_test_114.go
new file mode 100644
index 00000000..a2dd17d8
--- /dev/null
+++ b/time_test_114.go
@@ -0,0 +1,6 @@
+//go:build !go1.15
+// +build !go1.15
+
+package saml
+
+const expectedTestParseError = `parsing time "1981-02-03T14:15:16Z04:00": extra text: 04:00`
diff --git a/time_test_115.go b/time_test_115.go
new file mode 100644
index 00000000..8a1d9d2b
--- /dev/null
+++ b/time_test_115.go
@@ -0,0 +1,6 @@
+//go:build go1.15
+// +build go1.15
+
+package saml
+
+const expectedTestParseError = `parsing time "1981-02-03T14:15:16Z04:00": extra text: "04:00"`
diff --git a/util.go b/util.go
index 5c5e2b24..c9731b1b 100644
--- a/util.go
+++ b/util.go
@@ -2,6 +2,7 @@ package saml
 
 import (
 	"crypto/rand"
+	"io"
 	"time"
 
 	dsig "github.com/russellhaering/goxmldsig"
@@ -22,7 +23,8 @@ var RandReader = rand.Reader
 
 func randomBytes(n int) []byte {
 	rv := make([]byte, n)
-	if _, err := RandReader.Read(rv); err != nil {
+
+	if _, err := io.ReadFull(RandReader, rv); err != nil {
 		panic(err)
 	}
 	return rv
diff --git a/vendor/github.com/beevik/etree/.travis.yml b/vendor/github.com/beevik/etree/.travis.yml
index 7caa2477..f4cb25d4 100644
--- a/vendor/github.com/beevik/etree/.travis.yml
+++ b/vendor/github.com/beevik/etree/.travis.yml
@@ -2,9 +2,7 @@ language: go
 sudo: false
 
 go:
-  - 1.4.2
-  - 1.5.1
-  - 1.6
+  - 1.11.x
   - tip
 
 matrix:
diff --git a/vendor/github.com/beevik/etree/CONTRIBUTORS b/vendor/github.com/beevik/etree/CONTRIBUTORS
index 084662c3..03211a85 100644
--- a/vendor/github.com/beevik/etree/CONTRIBUTORS
+++ b/vendor/github.com/beevik/etree/CONTRIBUTORS
@@ -6,3 +6,5 @@ Matt Smith (ma314smith)
 Michal Jemala (michaljemala)
 Nicolas Piganeau (npiganeau)
 Chris Brown (ccbrown)
+Earncef Sequeira (earncef)
+Gabriel de Labachelerie (wuzuf)
diff --git a/vendor/github.com/beevik/etree/LICENSE b/vendor/github.com/beevik/etree/LICENSE
index e14ad682..26f1f775 100644
--- a/vendor/github.com/beevik/etree/LICENSE
+++ b/vendor/github.com/beevik/etree/LICENSE
@@ -1,4 +1,4 @@
-Copyright 2015 Brett Vickers. All rights reserved.
+Copyright 2015-2019 Brett Vickers. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
diff --git a/vendor/github.com/beevik/etree/README.md b/vendor/github.com/beevik/etree/README.md
index 28558433..08ec26b0 100644
--- a/vendor/github.com/beevik/etree/README.md
+++ b/vendor/github.com/beevik/etree/README.md
@@ -7,7 +7,9 @@ etree
 The etree package is a lightweight, pure go package that expresses XML in
 the form of an element tree.  Its design was inspired by the Python
 [ElementTree](http://docs.python.org/2/library/xml.etree.elementtree.html)
-module. Some of the package's features include:
+module.
+
+Some of the package's capabilities and features:
 
 * Represents XML documents as trees of elements for easy traversal.
 * Imports, serializes, modifies or creates XML documents from scratch.
diff --git a/vendor/github.com/beevik/etree/etree.go b/vendor/github.com/beevik/etree/etree.go
index 36b279f6..9e24f901 100644
--- a/vendor/github.com/beevik/etree/etree.go
+++ b/vendor/github.com/beevik/etree/etree.go
@@ -1,4 +1,4 @@
-// Copyright 2015 Brett Vickers.
+// Copyright 2015-2019 Brett Vickers.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
@@ -13,6 +13,7 @@ import (
 	"errors"
 	"io"
 	"os"
+	"sort"
 	"strings"
 )
 
@@ -33,11 +34,19 @@ type ReadSettings struct {
 	// Permissive allows input containing common mistakes such as missing tags
 	// or attribute values. Default: false.
 	Permissive bool
+
+	// Entity to be passed to standard xml.Decoder. Default: nil.
+	Entity map[string]string
 }
 
 // newReadSettings creates a default ReadSettings record.
 func newReadSettings() ReadSettings {
-	return ReadSettings{}
+	return ReadSettings{
+		CharsetReader: func(label string, input io.Reader) (io.Reader, error) {
+			return input, nil
+		},
+		Permissive: false,
+	}
 }
 
 // WriteSettings allow for changing the serialization behavior of the WriteTo*
@@ -56,6 +65,11 @@ type WriteSettings struct {
 	// attribute value characters &, < and ". If false, XML character
 	// references are also produced for > and '. Default: false.
 	CanonicalAttrVal bool
+
+	// When outputting indented XML, use a carriage return and linefeed
+	// ("\r\n") as a new-line delimiter instead of just a linefeed ("\n").
+	// This is useful on Windows-based systems.
+	UseCRLF bool
 }
 
 // newWriteSettings creates a default WriteSettings record.
@@ -64,6 +78,7 @@ func newWriteSettings() WriteSettings {
 		CanonicalEndTags: false,
 		CanonicalText:    false,
 		CanonicalAttrVal: false,
+		UseCRLF:          false,
 	}
 }
 
@@ -71,8 +86,10 @@ func newWriteSettings() WriteSettings {
 // Comment, Directive, or ProcInst.
 type Token interface {
 	Parent() *Element
+	Index() int
 	dup(parent *Element) Token
 	setParent(parent *Element)
+	setIndex(index int)
 	writeTo(w *bufio.Writer, s *WriteSettings)
 }
 
@@ -88,35 +105,52 @@ type Document struct {
 
 // An Element represents an XML element, its attributes, and its child tokens.
 type Element struct {
-	Space, Tag string   // namespace and tag
+	Space, Tag string   // namespace prefix and tag
 	Attr       []Attr   // key-value attribute pairs
 	Child      []Token  // child tokens (elements, comments, etc.)
 	parent     *Element // parent element
+	index      int      // token index in parent's children
 }
 
 // An Attr represents a key-value attribute of an XML element.
 type Attr struct {
-	Space, Key string // The attribute's namespace and key
-	Value      string // The attribute value string
+	Space, Key string   // The attribute's namespace prefix and key
+	Value      string   // The attribute value string
+	element    *Element // element containing the attribute
 }
 
-// CharData represents character data within XML.
+// charDataFlags are used with CharData tokens to store additional settings.
+type charDataFlags uint8
+
+const (
+	// The CharData was created by an indent function as whitespace.
+	whitespaceFlag charDataFlags = 1 << iota
+
+	// The CharData contains a CDATA section.
+	cdataFlag
+)
+
+// CharData can be used to represent character data or a CDATA section within
+// an XML document.
 type CharData struct {
-	Data       string
-	parent     *Element
-	whitespace bool
+	Data   string
+	parent *Element
+	index  int
+	flags  charDataFlags
 }
 
 // A Comment represents an XML comment.
 type Comment struct {
 	Data   string
 	parent *Element
+	index  int
 }
 
 // A Directive represents an XML directive.
 type Directive struct {
 	Data   string
 	parent *Element
+	index  int
 }
 
 // A ProcInst represents an XML processing instruction.
@@ -124,6 +158,7 @@ type ProcInst struct {
 	Target string
 	Inst   string
 	parent *Element
+	index  int
 }
 
 // NewDocument creates an XML document without a root element.
@@ -160,16 +195,23 @@ func (d *Document) SetRoot(e *Element) {
 	if e.parent != nil {
 		e.parent.RemoveChild(e)
 	}
-	e.setParent(&d.Element)
 
-	for i, t := range d.Child {
+	p := &d.Element
+	e.setParent(p)
+
+	// If there is already a root element, replace it.
+	for i, t := range p.Child {
 		if _, ok := t.(*Element); ok {
 			t.setParent(nil)
-			d.Child[i] = e
+			t.setIndex(-1)
+			p.Child[i] = e
+			e.setIndex(i)
 			return
 		}
 	}
-	d.Child = append(d.Child, e)
+
+	// No existing root element, so add it.
+	p.addChild(e)
 }
 
 // ReadFrom reads XML from the reader r into the document d. It returns the
@@ -246,8 +288,8 @@ func (d *Document) WriteToString() (s string, err error) {
 
 type indentFunc func(depth int) string
 
-// Indent modifies the document's element tree by inserting CharData entities
-// containing carriage returns and indentation. The amount of indentation per
+// Indent modifies the document's element tree by inserting character data
+// tokens containing newlines and indentation. The amount of indentation per
 // depth level is given as spaces. Pass etree.NoIndent for spaces if you want
 // no indentation at all.
 func (d *Document) Indent(spaces int) {
@@ -255,22 +297,30 @@ func (d *Document) Indent(spaces int) {
 	switch {
 	case spaces < 0:
 		indent = func(depth int) string { return "" }
+	case d.WriteSettings.UseCRLF == true:
+		indent = func(depth int) string { return indentCRLF(depth*spaces, indentSpaces) }
 	default:
-		indent = func(depth int) string { return crIndent(depth*spaces, crsp) }
+		indent = func(depth int) string { return indentLF(depth*spaces, indentSpaces) }
 	}
 	d.Element.indent(0, indent)
 }
 
 // IndentTabs modifies the document's element tree by inserting CharData
-// entities containing carriage returns and tabs for indentation.  One tab is
-// used per indentation level.
+// tokens containing newlines and tabs for indentation.  One tab is used per
+// indentation level.
 func (d *Document) IndentTabs() {
-	indent := func(depth int) string { return crIndent(depth, crtab) }
+	var indent indentFunc
+	switch d.WriteSettings.UseCRLF {
+	case true:
+		indent = func(depth int) string { return indentCRLF(depth, indentTabs) }
+	default:
+		indent = func(depth int) string { return indentLF(depth, indentTabs) }
+	}
 	d.Element.indent(0, indent)
 }
 
 // NewElement creates an unparented element with the specified tag. The tag
-// may be prefixed by a namespace and a colon.
+// may be prefixed by a namespace prefix and a colon.
 func NewElement(tag string) *Element {
 	space, stag := spaceDecompose(tag)
 	return newElement(space, stag, nil)
@@ -285,6 +335,7 @@ func newElement(space, tag string, parent *Element) *Element {
 		Attr:   make([]Attr, 0),
 		Child:  make([]Token, 0),
 		parent: parent,
+		index:  -1,
 	}
 	if parent != nil {
 		parent.addChild(e)
@@ -296,38 +347,210 @@ func newElement(space, tag string, parent *Element) *Element {
 // and children. The returned element has no parent but can be parented to a
 // another element using AddElement, or to a document using SetRoot.
 func (e *Element) Copy() *Element {
-	var parent *Element
-	return e.dup(parent).(*Element)
+	return e.dup(nil).(*Element)
+}
+
+// FullTag returns the element e's complete tag, including namespace prefix if
+// present.
+func (e *Element) FullTag() string {
+	if e.Space == "" {
+		return e.Tag
+	}
+	return e.Space + ":" + e.Tag
+}
+
+// NamespaceURI returns the XML namespace URI associated with the element. If
+// the element is part of the XML default namespace, NamespaceURI returns the
+// empty string.
+func (e *Element) NamespaceURI() string {
+	if e.Space == "" {
+		return e.findDefaultNamespaceURI()
+	}
+	return e.findLocalNamespaceURI(e.Space)
 }
 
-// Text returns the characters immediately following the element's
-// opening tag.
+// findLocalNamespaceURI finds the namespace URI corresponding to the
+// requested prefix.
+func (e *Element) findLocalNamespaceURI(prefix string) string {
+	for _, a := range e.Attr {
+		if a.Space == "xmlns" && a.Key == prefix {
+			return a.Value
+		}
+	}
+
+	if e.parent == nil {
+		return ""
+	}
+
+	return e.parent.findLocalNamespaceURI(prefix)
+}
+
+// findDefaultNamespaceURI finds the default namespace URI of the element.
+func (e *Element) findDefaultNamespaceURI() string {
+	for _, a := range e.Attr {
+		if a.Space == "" && a.Key == "xmlns" {
+			return a.Value
+		}
+	}
+
+	if e.parent == nil {
+		return ""
+	}
+
+	return e.parent.findDefaultNamespaceURI()
+}
+
+// hasText returns true if the element has character data immediately
+// folllowing the element's opening tag.
+func (e *Element) hasText() bool {
+	if len(e.Child) == 0 {
+		return false
+	}
+	_, ok := e.Child[0].(*CharData)
+	return ok
+}
+
+// namespacePrefix returns the namespace prefix associated with the element.
+func (e *Element) namespacePrefix() string {
+	return e.Space
+}
+
+// name returns the tag associated with the element.
+func (e *Element) name() string {
+	return e.Tag
+}
+
+// Text returns all character data immediately following the element's opening
+// tag.
 func (e *Element) Text() string {
 	if len(e.Child) == 0 {
 		return ""
 	}
-	if cd, ok := e.Child[0].(*CharData); ok {
-		return cd.Data
+
+	text := ""
+	for _, ch := range e.Child {
+		if cd, ok := ch.(*CharData); ok {
+			if text == "" {
+				text = cd.Data
+			} else {
+				text = text + cd.Data
+			}
+		} else {
+			break
+		}
 	}
-	return ""
+	return text
 }
 
-// SetText replaces an element's subsidiary CharData text with a new string.
+// SetText replaces all character data immediately following an element's
+// opening tag with the requested string.
 func (e *Element) SetText(text string) {
-	if len(e.Child) > 0 {
-		if cd, ok := e.Child[0].(*CharData); ok {
-			cd.Data = text
-			return
+	e.replaceText(0, text, 0)
+}
+
+// SetCData replaces all character data immediately following an element's
+// opening tag with a CDATA section.
+func (e *Element) SetCData(text string) {
+	e.replaceText(0, text, cdataFlag)
+}
+
+// Tail returns all character data immediately following the element's end
+// tag.
+func (e *Element) Tail() string {
+	if e.Parent() == nil {
+		return ""
+	}
+
+	p := e.Parent()
+	i := e.Index()
+
+	text := ""
+	for _, ch := range p.Child[i+1:] {
+		if cd, ok := ch.(*CharData); ok {
+			if text == "" {
+				text = cd.Data
+			} else {
+				text = text + cd.Data
+			}
+		} else {
+			break
+		}
+	}
+	return text
+}
+
+// SetTail replaces all character data immediately following the element's end
+// tag with the requested string.
+func (e *Element) SetTail(text string) {
+	if e.Parent() == nil {
+		return
+	}
+
+	p := e.Parent()
+	p.replaceText(e.Index()+1, text, 0)
+}
+
+// replaceText is a helper function that replaces a series of chardata tokens
+// starting at index i with the requested text.
+func (e *Element) replaceText(i int, text string, flags charDataFlags) {
+	end := e.findTermCharDataIndex(i)
+
+	switch {
+	case end == i:
+		if text != "" {
+			// insert a new chardata token at index i
+			cd := newCharData(text, flags, nil)
+			e.InsertChildAt(i, cd)
+		}
+
+	case end == i+1:
+		if text == "" {
+			// remove the chardata token at index i
+			e.RemoveChildAt(i)
+		} else {
+			// replace the first and only character token at index i
+			cd := e.Child[i].(*CharData)
+			cd.Data, cd.flags = text, flags
+		}
+
+	default:
+		if text == "" {
+			// remove all chardata tokens starting from index i
+			copy(e.Child[i:], e.Child[end:])
+			removed := end - i
+			e.Child = e.Child[:len(e.Child)-removed]
+			for j := i; j < len(e.Child); j++ {
+				e.Child[j].setIndex(j)
+			}
+		} else {
+			// replace the first chardata token at index i and remove all
+			// subsequent chardata tokens
+			cd := e.Child[i].(*CharData)
+			cd.Data, cd.flags = text, flags
+			copy(e.Child[i+1:], e.Child[end:])
+			removed := end - (i + 1)
+			e.Child = e.Child[:len(e.Child)-removed]
+			for j := i + 1; j < len(e.Child); j++ {
+				e.Child[j].setIndex(j)
+			}
+		}
+	}
+}
+
+// findTermCharDataIndex finds the index of the first child token that isn't
+// a CharData token. It starts from the requested start index.
+func (e *Element) findTermCharDataIndex(start int) int {
+	for i := start; i < len(e.Child); i++ {
+		if _, ok := e.Child[i].(*CharData); !ok {
+			return i
 		}
 	}
-	cd := newCharData(text, false, e)
-	copy(e.Child[1:], e.Child[0:])
-	e.Child[0] = cd
+	return len(e.Child)
 }
 
 // CreateElement creates an element with the specified tag and adds it as the
 // last child element of the element e. The tag may be prefixed by a namespace
-// and a colon.
+// prefix and a colon.
 func (e *Element) CreateElement(tag string) *Element {
 	space, stag := spaceDecompose(tag)
 	return newElement(space, stag, e)
@@ -340,43 +563,93 @@ func (e *Element) AddChild(t Token) {
 	if t.Parent() != nil {
 		t.Parent().RemoveChild(t)
 	}
+
 	t.setParent(e)
 	e.addChild(t)
 }
 
 // InsertChild inserts the token t before e's existing child token ex. If ex
-// is nil (or if ex is not a child of e), then t is added to the end of e's
-// child token list. If token t was already the child of another element, it
-// is first removed from its current parent element.
+// is nil or ex is not a child of e, then t is added to the end of e's child
+// token list. If token t was already the child of another element, it is
+// first removed from its current parent element.
+//
+// Deprecated: InsertChild is deprecated. Use InsertChildAt instead.
 func (e *Element) InsertChild(ex Token, t Token) {
+	if ex == nil || ex.Parent() != e {
+		e.AddChild(t)
+		return
+	}
+
 	if t.Parent() != nil {
 		t.Parent().RemoveChild(t)
 	}
+
 	t.setParent(e)
 
-	for i, c := range e.Child {
-		if c == ex {
-			e.Child = append(e.Child, nil)
-			copy(e.Child[i+1:], e.Child[i:])
-			e.Child[i] = t
-			return
+	i := ex.Index()
+	e.Child = append(e.Child, nil)
+	copy(e.Child[i+1:], e.Child[i:])
+	e.Child[i] = t
+
+	for j := i; j < len(e.Child); j++ {
+		e.Child[j].setIndex(j)
+	}
+}
+
+// InsertChildAt inserts the token t into the element e's list of child tokens
+// just before the requested index. If the index is greater than or equal to
+// the length of the list of child tokens, the token t is added to the end of
+// the list.
+func (e *Element) InsertChildAt(index int, t Token) {
+	if index >= len(e.Child) {
+		e.AddChild(t)
+		return
+	}
+
+	if t.Parent() != nil {
+		if t.Parent() == e && t.Index() > index {
+			index--
 		}
+		t.Parent().RemoveChild(t)
+	}
+
+	t.setParent(e)
+
+	e.Child = append(e.Child, nil)
+	copy(e.Child[index+1:], e.Child[index:])
+	e.Child[index] = t
+
+	for j := index; j < len(e.Child); j++ {
+		e.Child[j].setIndex(j)
 	}
-	e.addChild(t)
 }
 
 // RemoveChild attempts to remove the token t from element e's list of
 // children. If the token t is a child of e, then it is returned. Otherwise,
 // nil is returned.
 func (e *Element) RemoveChild(t Token) Token {
-	for i, c := range e.Child {
-		if c == t {
-			e.Child = append(e.Child[:i], e.Child[i+1:]...)
-			c.setParent(nil)
-			return t
-		}
+	if t.Parent() != e {
+		return nil
 	}
-	return nil
+	return e.RemoveChildAt(t.Index())
+}
+
+// RemoveChildAt removes the index-th child token from the element e. The
+// removed child token is returned. If the index is out of bounds, no child is
+// removed and nil is returned.
+func (e *Element) RemoveChildAt(index int) Token {
+	if index >= len(e.Child) {
+		return nil
+	}
+
+	t := e.Child[index]
+	for j := index + 1; j < len(e.Child); j++ {
+		e.Child[j].setIndex(j - 1)
+	}
+	e.Child = append(e.Child[:index], e.Child[index+1:]...)
+	t.setIndex(-1)
+	t.setParent(nil)
+	return t
 }
 
 // ReadFrom reads XML from the reader r and stores the result as a new child
@@ -386,6 +659,7 @@ func (e *Element) readFrom(ri io.Reader, settings ReadSettings) (n int64, err er
 	dec := xml.NewDecoder(r)
 	dec.CharsetReader = settings.CharsetReader
 	dec.Strict = !settings.Permissive
+	dec.Entity = settings.Entity
 	var stack stack
 	stack.push(e)
 	for {
@@ -405,14 +679,18 @@ func (e *Element) readFrom(ri io.Reader, settings ReadSettings) (n int64, err er
 		case xml.StartElement:
 			e := newElement(t.Name.Space, t.Name.Local, top)
 			for _, a := range t.Attr {
-				e.createAttr(a.Name.Space, a.Name.Local, a.Value)
+				e.createAttr(a.Name.Space, a.Name.Local, a.Value, e)
 			}
 			stack.push(e)
 		case xml.EndElement:
 			stack.pop()
 		case xml.CharData:
 			data := string(t)
-			newCharData(data, isWhitespace(data), top)
+			var flags charDataFlags
+			if isWhitespace(data) {
+				flags = whitespaceFlag
+			}
+			newCharData(data, flags, top)
 		case xml.Comment:
 			newComment(string(t), top)
 		case xml.Directive:
@@ -424,7 +702,8 @@ func (e *Element) readFrom(ri io.Reader, settings ReadSettings) (n int64, err er
 }
 
 // SelectAttr finds an element attribute matching the requested key and
-// returns it if found. The key may be prefixed by a namespace and a colon.
+// returns it if found. Returns nil if no matching attribute is found. The key
+// may be prefixed by a namespace prefix and a colon.
 func (e *Element) SelectAttr(key string) *Attr {
 	space, skey := spaceDecompose(key)
 	for i, a := range e.Attr {
@@ -436,8 +715,8 @@ func (e *Element) SelectAttr(key string) *Attr {
 }
 
 // SelectAttrValue finds an element attribute matching the requested key and
-// returns its value if found. The key may be prefixed by a namespace and a
-// colon. If the key is not found, the dflt value is returned instead.
+// returns its value if found. The key may be prefixed by a namespace prefix
+// and a colon. If the key is not found, the dflt value is returned instead.
 func (e *Element) SelectAttrValue(key, dflt string) string {
 	space, skey := spaceDecompose(key)
 	for _, a := range e.Attr {
@@ -460,7 +739,8 @@ func (e *Element) ChildElements() []*Element {
 }
 
 // SelectElement returns the first child element with the given tag. The tag
-// may be prefixed by a namespace and a colon.
+// may be prefixed by a namespace prefix and a colon. Returns nil if no
+// element with a matching tag was found.
 func (e *Element) SelectElement(tag string) *Element {
 	space, stag := spaceDecompose(tag)
 	for _, t := range e.Child {
@@ -472,7 +752,7 @@ func (e *Element) SelectElement(tag string) *Element {
 }
 
 // SelectElements returns a slice of all child elements with the given tag.
-// The tag may be prefixed by a namespace and a colon.
+// The tag may be prefixed by a namespace prefix and a colon.
 func (e *Element) SelectElements(tag string) []*Element {
 	space, stag := spaceDecompose(tag)
 	var elements []*Element
@@ -485,13 +765,14 @@ func (e *Element) SelectElements(tag string) []*Element {
 }
 
 // FindElement returns the first element matched by the XPath-like path
-// string. Panics if an invalid path string is supplied.
+// string. Returns nil if no element is found using the path. Panics if an
+// invalid path string is supplied.
 func (e *Element) FindElement(path string) *Element {
 	return e.FindElementPath(MustCompilePath(path))
 }
 
 // FindElementPath returns the first element matched by the XPath-like path
-// string.
+// string. Returns nil if no element is found using the path.
 func (e *Element) FindElementPath(path Path) *Element {
 	p := newPather()
 	elements := p.traverse(e, path)
@@ -515,6 +796,94 @@ func (e *Element) FindElementsPath(path Path) []*Element {
 	return p.traverse(e, path)
 }
 
+// GetPath returns the absolute path of the element.
+func (e *Element) GetPath() string {
+	path := []string{}
+	for seg := e; seg != nil; seg = seg.Parent() {
+		if seg.Tag != "" {
+			path = append(path, seg.Tag)
+		}
+	}
+
+	// Reverse the path.
+	for i, j := 0, len(path)-1; i < j; i, j = i+1, j-1 {
+		path[i], path[j] = path[j], path[i]
+	}
+
+	return "/" + strings.Join(path, "/")
+}
+
+// GetRelativePath returns the path of the element relative to the source
+// element. If the two elements are not part of the same element tree, then
+// GetRelativePath returns the empty string.
+func (e *Element) GetRelativePath(source *Element) string {
+	var path []*Element
+
+	if source == nil {
+		return ""
+	}
+
+	// Build a reverse path from the element toward the root. Stop if the
+	// source element is encountered.
+	var seg *Element
+	for seg = e; seg != nil && seg != source; seg = seg.Parent() {
+		path = append(path, seg)
+	}
+
+	// If we found the source element, reverse the path and compose the
+	// string.
+	if seg == source {
+		if len(path) == 0 {
+			return "."
+		}
+		parts := []string{}
+		for i := len(path) - 1; i >= 0; i-- {
+			parts = append(parts, path[i].Tag)
+		}
+		return "./" + strings.Join(parts, "/")
+	}
+
+	// The source wasn't encountered, so climb from the source element toward
+	// the root of the tree until an element in the reversed path is
+	// encountered.
+
+	findPathIndex := func(e *Element, path []*Element) int {
+		for i, ee := range path {
+			if e == ee {
+				return i
+			}
+		}
+		return -1
+	}
+
+	climb := 0
+	for seg = source; seg != nil; seg = seg.Parent() {
+		i := findPathIndex(seg, path)
+		if i >= 0 {
+			path = path[:i] // truncate at found segment
+			break
+		}
+		climb++
+	}
+
+	// No element in the reversed path was encountered, so the two elements
+	// must not be part of the same tree.
+	if seg == nil {
+		return ""
+	}
+
+	// Reverse the (possibly truncated) path and prepend ".." segments to
+	// climb.
+	parts := []string{}
+	for i := 0; i < climb; i++ {
+		parts = append(parts, "..")
+	}
+	for i := len(path) - 1; i >= 0; i-- {
+		parts = append(parts, path[i].Tag)
+	}
+	return strings.Join(parts, "/")
+}
+
 // indent recursively inserts proper indentation between an
 // XML element's child tokens.
 func (e *Element) indent(depth int, indent indentFunc) {
@@ -528,14 +897,16 @@ func (e *Element) indent(depth int, indent indentFunc) {
 	e.Child = make([]Token, 0, n*2+1)
 	isCharData, firstNonCharData := false, true
 	for _, c := range oldChild {
-
-		// Insert CR+indent before child if it's not character data.
+		// Insert NL+indent before child if it's not character data.
 		// Exceptions: when it's the first non-character-data child, or when
 		// the child is at root depth.
 		_, isCharData = c.(*CharData)
 		if !isCharData {
 			if !firstNonCharData || depth > 0 {
-				newCharData(indent(depth), true, e)
+				s := indent(depth)
+				if s != "" {
+					newCharData(s, whitespaceFlag, e)
+				}
 			}
 			firstNonCharData = false
 		}
@@ -548,10 +919,13 @@ func (e *Element) indent(depth int, indent indentFunc) {
 		}
 	}
 
-	// Insert CR+indent before the last child.
+	// Insert NL+indent before the last child.
 	if !isCharData {
 		if !firstNonCharData || depth > 0 {
-			newCharData(indent(depth-1), true, e)
+			s := indent(depth - 1)
+			if s != "" {
+				newCharData(s, whitespaceFlag, e)
+			}
 		}
 	}
 }
@@ -561,7 +935,7 @@ func (e *Element) stripIndent() {
 	// Count the number of non-indent child tokens
 	n := len(e.Child)
 	for _, c := range e.Child {
-		if cd, ok := c.(*CharData); ok && cd.whitespace {
+		if cd, ok := c.(*CharData); ok && cd.IsWhitespace() {
 			n--
 		}
 	}
@@ -573,10 +947,11 @@ func (e *Element) stripIndent() {
 	newChild := make([]Token, n)
 	j := 0
 	for _, c := range e.Child {
-		if cd, ok := c.(*CharData); ok && cd.whitespace {
+		if cd, ok := c.(*CharData); ok && cd.IsWhitespace() {
 			continue
 		}
 		newChild[j] = c
+		newChild[j].setIndex(j)
 		j++
 	}
 	e.Child = newChild
@@ -590,6 +965,7 @@ func (e *Element) dup(parent *Element) Token {
 		Attr:   make([]Attr, len(e.Attr)),
 		Child:  make([]Token, len(e.Child)),
 		parent: parent,
+		index:  e.index,
 	}
 	for i, t := range e.Child {
 		ne.Child[i] = t.dup(ne)
@@ -606,19 +982,27 @@ func (e *Element) Parent() *Element {
 	return e.parent
 }
 
+// Index returns the index of this element within its parent element's
+// list of child tokens. If this element has no parent element, the index
+// is -1.
+func (e *Element) Index() int {
+	return e.index
+}
+
 // setParent replaces the element token's parent.
 func (e *Element) setParent(parent *Element) {
 	e.parent = parent
 }
 
+// setIndex sets the element token's index within its parent's Child slice.
+func (e *Element) setIndex(index int) {
+	e.index = index
+}
+
 // writeTo serializes the element to the writer w.
 func (e *Element) writeTo(w *bufio.Writer, s *WriteSettings) {
 	w.WriteByte('<')
-	if e.Space != "" {
-		w.WriteString(e.Space)
-		w.WriteByte(':')
-	}
-	w.WriteString(e.Tag)
+	w.WriteString(e.FullTag())
 	for _, a := range e.Attr {
 		w.WriteByte(' ')
 		a.writeTo(w, s)
@@ -629,20 +1013,12 @@ func (e *Element) writeTo(w *bufio.Writer, s *WriteSettings) {
 			c.writeTo(w, s)
 		}
 		w.Write([]byte{'<', '/'})
-		if e.Space != "" {
-			w.WriteString(e.Space)
-			w.WriteByte(':')
-		}
-		w.WriteString(e.Tag)
+		w.WriteString(e.FullTag())
 		w.WriteByte('>')
 	} else {
 		if s.CanonicalEndTags {
 			w.Write([]byte{'>', '<', '/'})
-			if e.Space != "" {
-				w.WriteString(e.Space)
-				w.WriteByte(':')
-			}
-			w.WriteString(e.Tag)
+			w.WriteString(e.FullTag())
 			w.WriteByte('>')
 		} else {
 			w.Write([]byte{'/', '>'})
@@ -652,98 +1028,140 @@ func (e *Element) writeTo(w *bufio.Writer, s *WriteSettings) {
 
 // addChild adds a child token to the element e.
 func (e *Element) addChild(t Token) {
+	t.setIndex(len(e.Child))
 	e.Child = append(e.Child, t)
 }
 
 // CreateAttr creates an attribute and adds it to element e. The key may be
-// prefixed by a namespace and a colon. If an attribute with the key already
-// exists, its value is replaced.
+// prefixed by a namespace prefix and a colon. If an attribute with the key
+// already exists, its value is replaced.
 func (e *Element) CreateAttr(key, value string) *Attr {
 	space, skey := spaceDecompose(key)
-	return e.createAttr(space, skey, value)
+	return e.createAttr(space, skey, value, e)
 }
 
 // createAttr is a helper function that creates attributes.
-func (e *Element) createAttr(space, key, value string) *Attr {
+func (e *Element) createAttr(space, key, value string, parent *Element) *Attr {
 	for i, a := range e.Attr {
 		if space == a.Space && key == a.Key {
 			e.Attr[i].Value = value
 			return &e.Attr[i]
 		}
 	}
-	a := Attr{space, key, value}
+	a := Attr{
+		Space:   space,
+		Key:     key,
+		Value:   value,
+		element: parent,
+	}
 	e.Attr = append(e.Attr, a)
 	return &e.Attr[len(e.Attr)-1]
 }
 
-// RemoveAttr removes and returns the first attribute of the element whose key
-// matches the given key. The key may be prefixed by a namespace and a colon.
-// If an equal attribute does not exist, nil is returned.
+// RemoveAttr removes and returns a copy of the first attribute of the element
+// whose key matches the given key. The key may be prefixed by a namespace
+// prefix and a colon. If a matching attribute does not exist, nil is
+// returned.
 func (e *Element) RemoveAttr(key string) *Attr {
 	space, skey := spaceDecompose(key)
 	for i, a := range e.Attr {
 		if space == a.Space && skey == a.Key {
 			e.Attr = append(e.Attr[0:i], e.Attr[i+1:]...)
-			return &a
+			return &Attr{
+				Space:   a.Space,
+				Key:     a.Key,
+				Value:   a.Value,
+				element: nil,
+			}
 		}
 	}
 	return nil
 }
 
-var xmlReplacerNormal = strings.NewReplacer(
-	"&", "&amp;",
-	"<", "&lt;",
-	">", "&gt;",
-	"'", "&apos;",
-	`"`, "&quot;",
-)
+// SortAttrs sorts the element's attributes lexicographically by key.
+func (e *Element) SortAttrs() {
+	sort.Sort(byAttr(e.Attr))
+}
 
-var xmlReplacerCanonicalText = strings.NewReplacer(
-	"&", "&amp;",
-	"<", "&lt;",
-	">", "&gt;",
-	"\r", "&#xD;",
-)
+type byAttr []Attr
 
-var xmlReplacerCanonicalAttrVal = strings.NewReplacer(
-	"&", "&amp;",
-	"<", "&lt;",
-	`"`, "&quot;",
-	"\t", "&#x9;",
-	"\n", "&#xA;",
-	"\r", "&#xD;",
-)
+func (a byAttr) Len() int {
+	return len(a)
+}
+
+func (a byAttr) Swap(i, j int) {
+	a[i], a[j] = a[j], a[i]
+}
+
+func (a byAttr) Less(i, j int) bool {
+	sp := strings.Compare(a[i].Space, a[j].Space)
+	if sp == 0 {
+		return strings.Compare(a[i].Key, a[j].Key) < 0
+	}
+	return sp < 0
+}
+
+// FullKey returns the attribute a's complete key, including namespace prefix
+// if present.
+func (a *Attr) FullKey() string {
+	if a.Space == "" {
+		return a.Key
+	}
+	return a.Space + ":" + a.Key
+}
+
+// Element returns the element containing the attribute.
+func (a *Attr) Element() *Element {
+	return a.element
+}
+
+// NamespaceURI returns the XML namespace URI associated with the attribute.
+// If the element is part of the XML default namespace, NamespaceURI returns
+// the empty string.
+func (a *Attr) NamespaceURI() string {
+	return a.element.NamespaceURI()
+}
 
 // writeTo serializes the attribute to the writer.
 func (a *Attr) writeTo(w *bufio.Writer, s *WriteSettings) {
-	if a.Space != "" {
-		w.WriteString(a.Space)
-		w.WriteByte(':')
-	}
-	w.WriteString(a.Key)
+	w.WriteString(a.FullKey())
 	w.WriteString(`="`)
-	var r *strings.Replacer
+	var m escapeMode
 	if s.CanonicalAttrVal {
-		r = xmlReplacerCanonicalAttrVal
+		m = escapeCanonicalAttr
 	} else {
-		r = xmlReplacerNormal
+		m = escapeNormal
 	}
-	w.WriteString(r.Replace(a.Value))
+	escapeString(w, a.Value, m)
 	w.WriteByte('"')
 }
 
-// NewCharData creates a parentless XML character data entity.
+// NewText creates a parentless CharData token containing character data.
+func NewText(text string) *CharData {
+	return newCharData(text, 0, nil)
+}
+
+// NewCData creates a parentless XML character CDATA section.
+func NewCData(data string) *CharData {
+	return newCharData(data, cdataFlag, nil)
+}
+
+// NewCharData creates a parentless CharData token containing character data.
+//
+// Deprecated: NewCharData is deprecated. Instead, use NewText, which does the
+// same thing.
 func NewCharData(data string) *CharData {
-	return newCharData(data, false, nil)
+	return newCharData(data, 0, nil)
 }
 
-// newCharData creates an XML character data entity and binds it to a parent
+// newCharData creates a character data token and binds it to a parent
 // element. If parent is nil, the CharData token remains unbound.
-func newCharData(data string, whitespace bool, parent *Element) *CharData {
+func newCharData(data string, flags charDataFlags, parent *Element) *CharData {
 	c := &CharData{
-		Data:       data,
-		whitespace: whitespace,
-		parent:     parent,
+		Data:   data,
+		parent: parent,
+		index:  -1,
+		flags:  flags,
 	}
 	if parent != nil {
 		parent.addChild(c)
@@ -751,41 +1169,88 @@ func newCharData(data string, whitespace bool, parent *Element) *CharData {
 	return c
 }
 
-// CreateCharData creates an XML character data entity and adds it as a child
-// of element e.
+// CreateText creates a CharData token containing character data and adds it
+// as a child of element e.
+func (e *Element) CreateText(text string) *CharData {
+	return newCharData(text, 0, e)
+}
+
+// CreateCData creates a CharData token containing a CDATA section and adds it
+// as a child of element e.
+func (e *Element) CreateCData(data string) *CharData {
+	return newCharData(data, cdataFlag, e)
+}
+
+// CreateCharData creates a CharData token containing character data and adds
+// it as a child of element e.
+//
+// Deprecated: CreateCharData is deprecated. Instead, use CreateText, which
+// does the same thing.
 func (e *Element) CreateCharData(data string) *CharData {
-	return newCharData(data, false, e)
+	return newCharData(data, 0, e)
 }
 
 // dup duplicates the character data.
 func (c *CharData) dup(parent *Element) Token {
 	return &CharData{
-		Data:       c.Data,
-		whitespace: c.whitespace,
-		parent:     parent,
+		Data:   c.Data,
+		flags:  c.flags,
+		parent: parent,
+		index:  c.index,
 	}
 }
 
+// IsCData returns true if the character data token is to be encoded as a
+// CDATA section.
+func (c *CharData) IsCData() bool {
+	return (c.flags & cdataFlag) != 0
+}
+
+// IsWhitespace returns true if the character data token was created by one of
+// the document Indent methods to contain only whitespace.
+func (c *CharData) IsWhitespace() bool {
+	return (c.flags & whitespaceFlag) != 0
+}
+
 // Parent returns the character data token's parent element, or nil if it has
 // no parent.
 func (c *CharData) Parent() *Element {
 	return c.parent
 }
 
+// Index returns the index of this CharData token within its parent element's
+// list of child tokens. If this CharData token has no parent element, the
+// index is -1.
+func (c *CharData) Index() int {
+	return c.index
+}
+
 // setParent replaces the character data token's parent.
 func (c *CharData) setParent(parent *Element) {
 	c.parent = parent
 }
 
-// writeTo serializes the character data entity to the writer.
+// setIndex sets the CharData token's index within its parent element's Child
+// slice.
+func (c *CharData) setIndex(index int) {
+	c.index = index
+}
+
+// writeTo serializes character data to the writer.
 func (c *CharData) writeTo(w *bufio.Writer, s *WriteSettings) {
-	var r *strings.Replacer
-	if s.CanonicalText {
-		r = xmlReplacerCanonicalText
+	if c.IsCData() {
+		w.WriteString(`<![CDATA[`)
+		w.WriteString(c.Data)
+		w.WriteString(`]]>`)
 	} else {
-		r = xmlReplacerNormal
+		var m escapeMode
+		if s.CanonicalText {
+			m = escapeCanonicalText
+		} else {
+			m = escapeNormal
+		}
+		escapeString(w, c.Data, m)
 	}
-	w.WriteString(r.Replace(c.Data))
 }
 
 // NewComment creates a parentless XML comment.
@@ -799,6 +1264,7 @@ func newComment(comment string, parent *Element) *Comment {
 	c := &Comment{
 		Data:   comment,
 		parent: parent,
+		index:  -1,
 	}
 	if parent != nil {
 		parent.addChild(c)
@@ -816,6 +1282,7 @@ func (c *Comment) dup(parent *Element) Token {
 	return &Comment{
 		Data:   c.Data,
 		parent: parent,
+		index:  c.index,
 	}
 }
 
@@ -824,11 +1291,24 @@ func (c *Comment) Parent() *Element {
 	return c.parent
 }
 
+// Index returns the index of this Comment token within its parent element's
+// list of child tokens. If this Comment token has no parent element, the
+// index is -1.
+func (c *Comment) Index() int {
+	return c.index
+}
+
 // setParent replaces the comment token's parent.
 func (c *Comment) setParent(parent *Element) {
 	c.parent = parent
 }
 
+// setIndex sets the Comment token's index within its parent element's Child
+// slice.
+func (c *Comment) setIndex(index int) {
+	c.index = index
+}
+
 // writeTo serialies the comment to the writer.
 func (c *Comment) writeTo(w *bufio.Writer, s *WriteSettings) {
 	w.WriteString("<!--")
@@ -847,6 +1327,7 @@ func newDirective(data string, parent *Element) *Directive {
 	d := &Directive{
 		Data:   data,
 		parent: parent,
+		index:  -1,
 	}
 	if parent != nil {
 		parent.addChild(d)
@@ -865,6 +1346,7 @@ func (d *Directive) dup(parent *Element) Token {
 	return &Directive{
 		Data:   d.Data,
 		parent: parent,
+		index:  d.index,
 	}
 }
 
@@ -874,11 +1356,24 @@ func (d *Directive) Parent() *Element {
 	return d.parent
 }
 
+// Index returns the index of this Directive token within its parent element's
+// list of child tokens. If this Directive token has no parent element, the
+// index is -1.
+func (d *Directive) Index() int {
+	return d.index
+}
+
 // setParent replaces the directive token's parent.
 func (d *Directive) setParent(parent *Element) {
 	d.parent = parent
 }
 
+// setIndex sets the Directive token's index within its parent element's Child
+// slice.
+func (d *Directive) setIndex(index int) {
+	d.index = index
+}
+
 // writeTo serializes the XML directive to the writer.
 func (d *Directive) writeTo(w *bufio.Writer, s *WriteSettings) {
 	w.WriteString("<!")
@@ -898,6 +1393,7 @@ func newProcInst(target, inst string, parent *Element) *ProcInst {
 		Target: target,
 		Inst:   inst,
 		parent: parent,
+		index:  -1,
 	}
 	if parent != nil {
 		parent.addChild(p)
@@ -917,6 +1413,7 @@ func (p *ProcInst) dup(parent *Element) Token {
 		Target: p.Target,
 		Inst:   p.Inst,
 		parent: parent,
+		index:  p.index,
 	}
 }
 
@@ -926,11 +1423,24 @@ func (p *ProcInst) Parent() *Element {
 	return p.parent
 }
 
+// Index returns the index of this ProcInst token within its parent element's
+// list of child tokens. If this ProcInst token has no parent element, the
+// index is -1.
+func (p *ProcInst) Index() int {
+	return p.index
+}
+
 // setParent replaces the processing instruction token's parent.
 func (p *ProcInst) setParent(parent *Element) {
 	p.parent = parent
 }
 
+// setIndex sets the processing instruction token's index within its parent
+// element's Child slice.
+func (p *ProcInst) setIndex(index int) {
+	p.index = index
+}
+
 // writeTo serializes the processing instruction to the writer.
 func (p *ProcInst) writeTo(w *bufio.Writer, s *WriteSettings) {
 	w.WriteString("<?")
diff --git a/vendor/github.com/beevik/etree/etree_test.go b/vendor/github.com/beevik/etree/etree_test.go
deleted file mode 100644
index d3bd7aaa..00000000
--- a/vendor/github.com/beevik/etree/etree_test.go
+++ /dev/null
@@ -1,426 +0,0 @@
-// Copyright 2015 Brett Vickers.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package etree
-
-import (
-	"io"
-	"testing"
-)
-
-func checkEq(t *testing.T, got, want string) {
-	if got == want {
-		return
-	}
-	t.Errorf(
-		"etree: unexpected result.\nGot:\n%s\nWanted:\n%s\n",
-		got, want)
-}
-
-func TestDocument(t *testing.T) {
-
-	// Create a document
-	doc := NewDocument()
-	doc.CreateProcInst("xml", `version="1.0" encoding="UTF-8"`)
-	doc.CreateProcInst("xml-stylesheet", `type="text/xsl" href="style.xsl"`)
-	store := doc.CreateElement("store")
-	store.CreateAttr("xmlns:t", "urn:books-com:titles")
-	store.CreateDirective("Directive")
-	store.CreateComment("This is a comment")
-	book := store.CreateElement("book")
-	book.CreateAttr("lang", "fr")
-	book.CreateAttr("lang", "en")
-	title := book.CreateElement("t:title")
-	title.SetText("Nicholas Nickleby")
-	title.SetText("Great Expectations")
-	author := book.CreateElement("author")
-	author.CreateCharData("Charles Dickens")
-	doc.IndentTabs()
-
-	// Serialize the document to a string
-	s, err := doc.WriteToString()
-	if err != nil {
-		t.Error("etree: failed to serialize document")
-	}
-
-	// Make sure the serialized XML matches expectation.
-	expected := `<?xml version="1.0" encoding="UTF-8"?>
-<?xml-stylesheet type="text/xsl" href="style.xsl"?>
-<store xmlns:t="urn:books-com:titles">
-	<!Directive>
-	<!--This is a comment-->
-	<book lang="en">
-		<t:title>Great Expectations</t:title>
-		<author>Charles Dickens</author>
-	</book>
-</store>
-`
-	checkEq(t, s, expected)
-
-	// Test the structure of the XML
-	if doc.Root() != store {
-		t.Error("etree: root mismatch")
-	}
-	if len(store.ChildElements()) != 1 || len(store.Child) != 7 {
-		t.Error("etree: incorrect tree structure")
-	}
-	if len(book.ChildElements()) != 2 || len(book.Attr) != 1 || len(book.Child) != 5 {
-		t.Error("etree: incorrect tree structure")
-	}
-	if len(title.ChildElements()) != 0 || len(title.Child) != 1 || len(title.Attr) != 0 {
-		t.Error("etree: incorrect tree structure")
-	}
-	if len(author.ChildElements()) != 0 || len(author.Child) != 1 || len(author.Attr) != 0 {
-		t.Error("etree: incorrect tree structure")
-	}
-	if book.parent != store || store.parent != &doc.Element || doc.parent != nil {
-		t.Error("etree: incorrect tree structure")
-	}
-	if title.parent != book || author.parent != book {
-		t.Error("etree: incorrect tree structure")
-	}
-
-	// Perform some basic queries on the document
-	elements := doc.SelectElements("store")
-	if len(elements) != 1 || elements[0] != store {
-		t.Error("etree: incorrect SelectElements result")
-	}
-	element := doc.SelectElement("store")
-	if element != store {
-		t.Error("etree: incorrect SelectElement result")
-	}
-	elements = store.SelectElements("book")
-	if len(elements) != 1 || elements[0] != book {
-		t.Error("etree: incorrect SelectElements result")
-	}
-	element = store.SelectElement("book")
-	if element != book {
-		t.Error("etree: incorrect SelectElement result")
-	}
-	attr := book.SelectAttr("lang")
-	if attr == nil || attr.Key != "lang" || attr.Value != "en" {
-		t.Error("etree: incorrect SelectAttr result")
-	}
-	if book.SelectAttrValue("lang", "unknown") != "en" {
-		t.Error("etree: incorrect SelectAttrValue result")
-	}
-	if book.SelectAttrValue("t:missing", "unknown") != "unknown" {
-		t.Error("etree: incorrect SelectAttrValue result")
-	}
-	attr = book.RemoveAttr("lang")
-	if attr.Value != "en" {
-		t.Error("etree: incorrect RemoveAttr result")
-	}
-	book.CreateAttr("lang", "de")
-	attr = book.RemoveAttr("lang")
-	if attr.Value != "de" {
-		t.Error("etree: incorrect RemoveAttr result")
-	}
-	element = book.SelectElement("t:title")
-	if element != title || element.Text() != "Great Expectations" || len(element.Attr) != 0 {
-		t.Error("etree: incorrect SelectElement result")
-	}
-	element = book.SelectElement("title")
-	if element != title {
-		t.Error("etree: incorrect SelectElement result")
-	}
-	element = book.SelectElement("p:title")
-	if element != nil {
-		t.Error("etree: incorrect SelectElement result")
-	}
-	element = book.RemoveChild(title).(*Element)
-	if element != title {
-		t.Error("etree: incorrect RemoveElement result")
-	}
-	element = book.SelectElement("title")
-	if element != nil {
-		t.Error("etree: incorrect SelectElement result")
-	}
-}
-
-func TestDocumentRead_NonUTF8Encodings(t *testing.T) {
-	s := `<?xml version="1.0" encoding="ISO-8859-1"?>
-	<store>
-	<book lang="en">
-		<title>Great Expectations</title>
-		<author>Charles Dickens</author>
-	</book>
-</store>`
-
-	doc := NewDocument()
-	doc.ReadSettings.CharsetReader = func(label string, input io.Reader) (io.Reader, error) {
-		return input, nil
-	}
-	err := doc.ReadFromString(s)
-	if err != nil {
-		t.Fatal("etree: incorrect ReadFromString result")
-	}
-}
-
-func TestDocumentRead_Permissive(t *testing.T) {
-	s := "<select disabled></select>"
-
-	doc := NewDocument()
-	err := doc.ReadFromString(s)
-	if err == nil {
-		t.Fatal("etree: incorrect ReadFromString result")
-	}
-
-	doc.ReadSettings.Permissive = true
-	err = doc.ReadFromString(s)
-	if err != nil {
-		t.Fatal("etree: incorrect ReadFromString result")
-	}
-}
-
-func TestWriteSettings(t *testing.T) {
-	BOM := "\xef\xbb\xbf"
-
-	doc := NewDocument()
-	doc.WriteSettings.CanonicalEndTags = true
-	doc.WriteSettings.CanonicalText = true
-	doc.WriteSettings.CanonicalAttrVal = true
-	doc.CreateCharData(BOM)
-	doc.CreateProcInst("xml-stylesheet", `type="text/xsl" href="style.xsl"`)
-
-	people := doc.CreateElement("People")
-	people.CreateComment("These are all known people")
-
-	jon := people.CreateElement("Person")
-	jon.CreateAttr("name", "Jon O'Reilly")
-	jon.SetText("\r<'\">&")
-
-	sally := people.CreateElement("Person")
-	sally.CreateAttr("name", "Sally")
-	sally.CreateAttr("escape", "\r\n\t<'\">&")
-
-	doc.Indent(2)
-	s, err := doc.WriteToString()
-	if err != nil {
-		t.Error("etree: WriteSettings WriteTo produced incorrect result.")
-	}
-
-	expected := BOM + `<?xml-stylesheet type="text/xsl" href="style.xsl"?>
-<People>
-  <!--These are all known people-->
-  <Person name="Jon O'Reilly">&#xD;&lt;'"&gt;&amp;</Person>
-  <Person name="Sally" escape="&#xD;&#xA;&#x9;&lt;'&quot;>&amp;"></Person>
-</People>
-`
-	checkEq(t, s, expected)
-}
-
-func TestCopy(t *testing.T) {
-	s := `<store>
-	<book lang="en">
-		<title>Great Expectations</title>
-		<author>Charles Dickens</author>
-	</book>
-</store>`
-
-	doc := NewDocument()
-	err := doc.ReadFromString(s)
-	if err != nil {
-		t.Fatal("etree: incorrect ReadFromString result")
-	}
-
-	s1, err := doc.WriteToString()
-	if err != nil {
-		t.Error("etree: incorrect WriteToString result")
-	}
-
-	doc2 := doc.Copy()
-	s2, err := doc2.WriteToString()
-	if err != nil {
-		t.Error("etree: incorrect Copy result")
-	}
-
-	if s1 != s2 {
-		t.Error("etree: mismatched Copy result")
-		t.Error("wanted:\n" + s1)
-		t.Error("got:\n" + s2)
-	}
-
-	e1 := doc.FindElement("./store/book/title")
-	e2 := doc2.FindElement("./store/book/title")
-	if e1 == nil || e2 == nil {
-		t.Error("etree: incorrect FindElement result")
-	}
-	if e1 == e2 {
-		t.Error("etree: incorrect FindElement result")
-	}
-
-	e1.parent.RemoveChild(e1)
-	s1, _ = doc.WriteToString()
-	s2, _ = doc2.WriteToString()
-	if s1 == s2 {
-		t.Error("etree: incorrect result after RemoveElement")
-	}
-}
-
-func TestInsertChild(t *testing.T) {
-	testdoc := `<book lang="en">
-  <t:title>Great Expectations</t:title>
-  <author>Charles Dickens</author>
-</book>
-`
-
-	doc := NewDocument()
-	err := doc.ReadFromString(testdoc)
-	if err != nil {
-		t.Fatal("etree ReadFromString: " + err.Error())
-	}
-
-	year := NewElement("year")
-	year.SetText("1861")
-
-	book := doc.FindElement("//book")
-	book.InsertChild(book.SelectElement("t:title"), year)
-
-	expected1 := `<book lang="en">
-  <year>1861</year>
-  <t:title>Great Expectations</t:title>
-  <author>Charles Dickens</author>
-</book>
-`
-	doc.Indent(2)
-	s1, _ := doc.WriteToString()
-	checkEq(t, s1, expected1)
-
-	book.RemoveChild(year)
-	book.InsertChild(book.SelectElement("author"), year)
-
-	expected2 := `<book lang="en">
-  <t:title>Great Expectations</t:title>
-  <year>1861</year>
-  <author>Charles Dickens</author>
-</book>
-`
-	doc.Indent(2)
-	s2, _ := doc.WriteToString()
-	checkEq(t, s2, expected2)
-
-	book.RemoveChild(year)
-	book.InsertChild(book.SelectElement("UNKNOWN"), year)
-
-	expected3 := `<book lang="en">
-  <t:title>Great Expectations</t:title>
-  <author>Charles Dickens</author>
-  <year>1861</year>
-</book>
-`
-	doc.Indent(2)
-	s3, _ := doc.WriteToString()
-	checkEq(t, s3, expected3)
-
-	book.RemoveChild(year)
-	book.InsertChild(nil, year)
-
-	expected4 := `<book lang="en">
-  <t:title>Great Expectations</t:title>
-  <author>Charles Dickens</author>
-  <year>1861</year>
-</book>
-`
-	doc.Indent(2)
-	s4, _ := doc.WriteToString()
-	checkEq(t, s4, expected4)
-}
-
-func TestAddChild(t *testing.T) {
-	testdoc := `<book lang="en">
-  <t:title>Great Expectations</t:title>
-  <author>Charles Dickens</author>
-</book>
-`
-	doc1 := NewDocument()
-	err := doc1.ReadFromString(testdoc)
-	if err != nil {
-		t.Fatal("etree ReadFromString: " + err.Error())
-	}
-
-	doc2 := NewDocument()
-	root := doc2.CreateElement("root")
-
-	for _, e := range doc1.FindElements("//book/*") {
-		root.AddChild(e)
-	}
-
-	expected1 := `<book lang="en"/>
-`
-	doc1.Indent(2)
-	s1, _ := doc1.WriteToString()
-	checkEq(t, s1, expected1)
-
-	expected2 := `<root>
-  <t:title>Great Expectations</t:title>
-  <author>Charles Dickens</author>
-</root>
-`
-	doc2.Indent(2)
-	s2, _ := doc2.WriteToString()
-	checkEq(t, s2, expected2)
-}
-
-func TestSetRoot(t *testing.T) {
-	testdoc := `<?test a="wow"?>
-<book>
-  <title>Great Expectations</title>
-  <author>Charles Dickens</author>
-</book>
-`
-	doc := NewDocument()
-	err := doc.ReadFromString(testdoc)
-	if err != nil {
-		t.Fatal("etree ReadFromString: " + err.Error())
-	}
-
-	origroot := doc.Root()
-	if origroot.Parent() != &doc.Element {
-		t.Error("Root incorrect")
-	}
-
-	newroot := NewElement("root")
-	doc.SetRoot(newroot)
-
-	if doc.Root() != newroot {
-		t.Error("doc.Root() != newroot")
-	}
-	if origroot.Parent() != nil {
-		t.Error("origroot.Parent() != nil")
-	}
-
-	expected1 := `<?test a="wow"?>
-<root/>
-`
-	doc.Indent(2)
-	s1, _ := doc.WriteToString()
-	checkEq(t, s1, expected1)
-
-	doc.SetRoot(origroot)
-	doc.Indent(2)
-	expected2 := testdoc
-	s2, _ := doc.WriteToString()
-	checkEq(t, s2, expected2)
-
-	doc2 := NewDocument()
-	doc2.CreateProcInst("test", `a="wow"`)
-	doc2.SetRoot(NewElement("root"))
-	doc2.Indent(2)
-	expected3 := expected1
-	s3, _ := doc2.WriteToString()
-	checkEq(t, s3, expected3)
-
-	doc2.SetRoot(doc.Root())
-	doc2.Indent(2)
-	expected4 := testdoc
-	s4, _ := doc2.WriteToString()
-	checkEq(t, s4, expected4)
-
-	expected5 := `<?test a="wow"?>
-`
-	doc.Indent(2)
-	s5, _ := doc.WriteToString()
-	checkEq(t, s5, expected5)
-}
diff --git a/vendor/github.com/beevik/etree/example_test.go b/vendor/github.com/beevik/etree/example_test.go
deleted file mode 100644
index bdfdf239..00000000
--- a/vendor/github.com/beevik/etree/example_test.go
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright 2015 Brett Vickers.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package etree
-
-import "os"
-
-// Create an etree Document, add XML entities to it, and serialize it
-// to stdout.
-func ExampleDocument_creating() {
-	doc := NewDocument()
-	doc.CreateProcInst("xml", `version="1.0" encoding="UTF-8"`)
-	doc.CreateProcInst("xml-stylesheet", `type="text/xsl" href="style.xsl"`)
-
-	people := doc.CreateElement("People")
-	people.CreateComment("These are all known people")
-
-	jon := people.CreateElement("Person")
-	jon.CreateAttr("name", "Jon O'Reilly")
-
-	sally := people.CreateElement("Person")
-	sally.CreateAttr("name", "Sally")
-
-	doc.Indent(2)
-	doc.WriteTo(os.Stdout)
-	// Output:
-	// <?xml version="1.0" encoding="UTF-8"?>
-	// <?xml-stylesheet type="text/xsl" href="style.xsl"?>
-	// <People>
-	//   <!--These are all known people-->
-	//   <Person name="Jon O&apos;Reilly"/>
-	//   <Person name="Sally"/>
-	// </People>
-}
-
-func ExampleDocument_reading() {
-	doc := NewDocument()
-	if err := doc.ReadFromFile("document.xml"); err != nil {
-		panic(err)
-	}
-}
-
-func ExamplePath() {
-	xml := `<bookstore><book><title>Great Expectations</title>
-      <author>Charles Dickens</author></book><book><title>Ulysses</title>
-      <author>James Joyce</author></book></bookstore>`
-
-	doc := NewDocument()
-	doc.ReadFromString(xml)
-	for _, e := range doc.FindElements(".//book[author='Charles Dickens']") {
-		doc := NewDocument()
-		doc.SetRoot(e.Copy())
-		doc.Indent(2)
-		doc.WriteTo(os.Stdout)
-	}
-	// Output:
-	// <book>
-	//   <title>Great Expectations</title>
-	//   <author>Charles Dickens</author>
-	// </book>
-}
diff --git a/vendor/github.com/beevik/etree/helpers.go b/vendor/github.com/beevik/etree/helpers.go
index 4f8350e7..825e14e9 100644
--- a/vendor/github.com/beevik/etree/helpers.go
+++ b/vendor/github.com/beevik/etree/helpers.go
@@ -1,12 +1,14 @@
-// Copyright 2015 Brett Vickers.
+// Copyright 2015-2019 Brett Vickers.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 package etree
 
 import (
+	"bufio"
 	"io"
 	"strings"
+	"unicode/utf8"
 )
 
 // A simple stack
@@ -147,22 +149,35 @@ func spaceDecompose(str string) (space, key string) {
 	return str[:colon], str[colon+1:]
 }
 
-// Strings used by crIndent
+// Strings used by indentCRLF and indentLF
 const (
-	crsp  = "\n                                                                "
-	crtab = "\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t"
+	indentSpaces = "\r\n                                                                "
+	indentTabs   = "\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t"
 )
 
-// crIndent returns a carriage return followed by n copies of the
-// first non-CR character in the source string.
-func crIndent(n int, source string) string {
+// indentCRLF returns a CRLF newline followed by n copies of the first
+// non-CRLF character in the source string.
+func indentCRLF(n int, source string) string {
 	switch {
 	case n < 0:
-		return source[:1]
-	case n < len(source):
-		return source[:n+1]
+		return source[:2]
+	case n < len(source)-1:
+		return source[:n+2]
 	default:
-		return source + strings.Repeat(source[1:2], n-len(source)+1)
+		return source + strings.Repeat(source[2:3], n-len(source)+2)
+	}
+}
+
+// indentLF returns a LF newline followed by n copies of the first non-LF
+// character in the source string.
+func indentLF(n int, source string) string {
+	switch {
+	case n < 0:
+		return source[1:2]
+	case n < len(source)-1:
+		return source[1 : n+2]
+	default:
+		return source[1:] + strings.Repeat(source[2:3], n-len(source)+2)
 	}
 }
 
@@ -186,3 +201,76 @@ func isInteger(s string) bool {
 	}
 	return true
 }
+
+type escapeMode byte
+
+const (
+	escapeNormal escapeMode = iota
+	escapeCanonicalText
+	escapeCanonicalAttr
+)
+
+// escapeString writes an escaped version of a string to the writer.
+func escapeString(w *bufio.Writer, s string, m escapeMode) {
+	var esc []byte
+	last := 0
+	for i := 0; i < len(s); {
+		r, width := utf8.DecodeRuneInString(s[i:])
+		i += width
+		switch r {
+		case '&':
+			esc = []byte("&amp;")
+		case '<':
+			esc = []byte("&lt;")
+		case '>':
+			if m == escapeCanonicalAttr {
+				continue
+			}
+			esc = []byte("&gt;")
+		case '\'':
+			if m != escapeNormal {
+				continue
+			}
+			esc = []byte("&apos;")
+		case '"':
+			if m == escapeCanonicalText {
+				continue
+			}
+			esc = []byte("&quot;")
+		case '\t':
+			if m != escapeCanonicalAttr {
+				continue
+			}
+			esc = []byte("&#x9;")
+		case '\n':
+			if m != escapeCanonicalAttr {
+				continue
+			}
+			esc = []byte("&#xA;")
+		case '\r':
+			if m == escapeNormal {
+				continue
+			}
+			esc = []byte("&#xD;")
+		default:
+			if !isInCharacterRange(r) || (r == 0xFFFD && width == 1) {
+				esc = []byte("\uFFFD")
+				break
+			}
+			continue
+		}
+		w.WriteString(s[last : i-width])
+		w.Write(esc)
+		last = i
+	}
+	w.WriteString(s[last:])
+}
+
+func isInCharacterRange(r rune) bool {
+	return r == 0x09 ||
+		r == 0x0A ||
+		r == 0x0D ||
+		r >= 0x20 && r <= 0xD7FF ||
+		r >= 0xE000 && r <= 0xFFFD ||
+		r >= 0x10000 && r <= 0x10FFFF
+}
diff --git a/vendor/github.com/beevik/etree/path.go b/vendor/github.com/beevik/etree/path.go
index 9cf245eb..82db0ac5 100644
--- a/vendor/github.com/beevik/etree/path.go
+++ b/vendor/github.com/beevik/etree/path.go
@@ -1,4 +1,4 @@
-// Copyright 2015 Brett Vickers.
+// Copyright 2015-2019 Brett Vickers.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
@@ -10,46 +10,74 @@ import (
 )
 
 /*
-A Path is an object that represents an optimized version of an
-XPath-like search string.  Although path strings are XPath-like,
-only the following limited syntax is supported:
-
-    .               Selects the current element
-    ..              Selects the parent of the current element
-    *               Selects all child elements
-    //              Selects all descendants of the current element
-    tag             Selects all child elements with the given tag
-    [#]             Selects the element of the given index (1-based,
-                      negative starts from the end)
-    [@attrib]       Selects all elements with the given attribute
-    [@attrib='val'] Selects all elements with the given attribute set to val
-    [tag]           Selects all elements with a child element named tag
-    [tag='val']     Selects all elements with a child element named tag
-                      and text matching val
-    [text()]        Selects all elements with non-empty text
-    [text()='val']  Selects all elements whose text matches val
-
-Examples:
-
-Select the title elements of all descendant book elements having a
-'category' attribute of 'WEB':
+A Path is a string that represents a search path through an etree starting
+from the document root or an arbitrary element. Paths are used with the
+Element object's Find* methods to locate and return desired elements.
+
+A Path consists of a series of slash-separated "selectors", each of which may
+be modified by one or more bracket-enclosed "filters". Selectors are used to
+traverse the etree from element to element, while filters are used to narrow
+the list of candidate elements at each node.
+
+Although etree Path strings are similar to XPath strings
+(https://www.w3.org/TR/1999/REC-xpath-19991116/), they have a more limited set
+of selectors and filtering options.
+
+The following selectors are supported by etree Path strings:
+
+    .               Select the current element.
+    ..              Select the parent of the current element.
+    *               Select all child elements of the current element.
+    /               Select the root element when used at the start of a path.
+    //              Select all descendants of the current element.
+    tag             Select all child elements with a name matching the tag.
+
+The following basic filters are supported by etree Path strings:
+
+    [@attrib]       Keep elements with an attribute named attrib.
+    [@attrib='val'] Keep elements with an attribute named attrib and value matching val.
+    [tag]           Keep elements with a child element named tag.
+    [tag='val']     Keep elements with a child element named tag and text matching val.
+    [n]             Keep the n-th element, where n is a numeric index starting from 1.
+
+The following function filters are also supported:
+
+    [text()]                    Keep elements with non-empty text.
+    [text()='val']              Keep elements whose text matches val.
+    [local-name()='val']        Keep elements whose un-prefixed tag matches val.
+    [name()='val']              Keep elements whose full tag exactly matches val.
+    [namespace-prefix()='val']  Keep elements whose namespace prefix matches val.
+    [namespace-uri()='val']     Keep elements whose namespace URI matches val.
+
+Here are some examples of Path strings:
+
+- Select the bookstore child element of the root element:
+    /bookstore
+
+- Beginning from the root element, select the title elements of all
+descendant book elements having a 'category' attribute of 'WEB':
     //book[@category='WEB']/title
 
-Select the first book element with a title child containing the text
-'Great Expectations':
+- Beginning from the current element, select the first descendant
+book element with a title child element containing the text 'Great
+Expectations':
     .//book[title='Great Expectations'][1]
 
-Starting from the current element, select all children of book elements
-with an attribute 'language' set to 'english':
+- Beginning from the current element, select all child elements of
+book elements with an attribute 'language' set to 'english':
     ./book/*[@language='english']
 
-Starting from the current element, select all children of book elements
-containing the text 'special':
+- Beginning from the current element, select all child elements of
+book elements containing the text 'special':
     ./book/*[text()='special']
 
-Select all descendant book elements whose title element has an attribute
-'language' set to 'french':
-    //book/title[@language='french']/..
+- Beginning from the current element, select all descendant book
+elements whose title child element has a 'language' attribute of 'french':
+    .//book/title[@language='french']/..
+
+- Beginning from the current element, select all book elements
+belonging to the http://www.w3.org/TR/html4/ namespace:
+	.//book[namespace-uri()='http://www.w3.org/TR/html4/']
 
 */
 type Path struct {
@@ -180,22 +208,20 @@ type compiler struct {
 // through an element tree and returns a slice of segment
 // descriptors.
 func (c *compiler) parsePath(path string) []segment {
-	// If path starts or ends with //, fix it
-	if strings.HasPrefix(path, "//") {
-		path = "." + path
-	}
+	// If path ends with //, fix it
 	if strings.HasSuffix(path, "//") {
 		path = path + "*"
 	}
 
-	// Paths cannot be absolute
+	var segments []segment
+
+	// Check for an absolute path
 	if strings.HasPrefix(path, "/") {
-		c.err = ErrPath("paths cannot be absolute.")
-		return nil
+		segments = append(segments, segment{new(selectRoot), []filter{}})
+		path = path[1:]
 	}
 
-	// Split path into segment objects
-	var segments []segment
+	// Split path into segments
 	for _, s := range splitPath(path) {
 		segments = append(segments, c.parseSegment(s))
 		if c.err != ErrPath("") {
@@ -225,7 +251,7 @@ func (c *compiler) parseSegment(path string) segment {
 	pieces := strings.Split(path, "[")
 	seg := segment{
 		sel:     c.parseSelector(pieces[0]),
-		filters: make([]filter, 0),
+		filters: []filter{},
 	}
 	for i := 1; i < len(pieces); i++ {
 		fpath := pieces[i]
@@ -254,6 +280,17 @@ func (c *compiler) parseSelector(path string) selector {
 	}
 }
 
+var fnTable = map[string]struct {
+	hasFn    func(e *Element) bool
+	getValFn func(e *Element) string
+}{
+	"local-name":       {nil, (*Element).name},
+	"name":             {nil, (*Element).FullTag},
+	"namespace-prefix": {nil, (*Element).namespacePrefix},
+	"namespace-uri":    {nil, (*Element).NamespaceURI},
+	"text":             {(*Element).hasText, (*Element).Text},
+}
+
 // parseFilter parses a path filter contained within [brackets].
 func (c *compiler) parseFilter(path string) filter {
 	if len(path) == 0 {
@@ -261,7 +298,7 @@ func (c *compiler) parseFilter(path string) filter {
 		return nil
 	}
 
-	// Filter contains [@attr='val'], [text()='val'], or [tag='val']?
+	// Filter contains [@attr='val'], [fn()='val'], or [tag='val']?
 	eqindex := strings.Index(path, "='")
 	if eqindex >= 0 {
 		rindex := nextIndex(path, "'", eqindex+2)
@@ -269,22 +306,36 @@ func (c *compiler) parseFilter(path string) filter {
 			c.err = ErrPath("path has mismatched filter quotes.")
 			return nil
 		}
+
+		key := path[:eqindex]
+		value := path[eqindex+2 : rindex]
+
 		switch {
-		case path[0] == '@':
-			return newFilterAttrVal(path[1:eqindex], path[eqindex+2:rindex])
-		case strings.HasPrefix(path, "text()"):
-			return newFilterTextVal(path[eqindex+2 : rindex])
+		case key[0] == '@':
+			return newFilterAttrVal(key[1:], value)
+		case strings.HasSuffix(key, "()"):
+			fn := key[:len(key)-2]
+			if t, ok := fnTable[fn]; ok && t.getValFn != nil {
+				return newFilterFuncVal(t.getValFn, value)
+			}
+			c.err = ErrPath("path has unknown function " + fn)
+			return nil
 		default:
-			return newFilterChildText(path[:eqindex], path[eqindex+2:rindex])
+			return newFilterChildText(key, value)
 		}
 	}
 
-	// Filter contains [@attr], [N], [tag] or [text()]
+	// Filter contains [@attr], [N], [tag] or [fn()]
 	switch {
 	case path[0] == '@':
 		return newFilterAttr(path[1:])
-	case path == "text()":
-		return newFilterText()
+	case strings.HasSuffix(path, "()"):
+		fn := path[:len(path)-2]
+		if t, ok := fnTable[fn]; ok && t.hasFn != nil {
+			return newFilterFunc(t.hasFn)
+		}
+		c.err = ErrPath("path has unknown function " + fn)
+		return nil
 	case isInteger(path):
 		pos, _ := strconv.Atoi(path)
 		switch {
@@ -305,6 +356,17 @@ func (s *selectSelf) apply(e *Element, p *pather) {
 	p.candidates = append(p.candidates, e)
 }
 
+// selectRoot selects the element's root node.
+type selectRoot struct{}
+
+func (s *selectRoot) apply(e *Element, p *pather) {
+	root := e
+	for root.parent != nil {
+		root = root.parent
+	}
+	p.candidates = append(p.candidates, root)
+}
+
 // selectParent selects the element's parent into the candidate list.
 type selectParent struct{}
 
@@ -431,35 +493,39 @@ func (f *filterAttrVal) apply(p *pather) {
 	p.candidates, p.scratch = p.scratch, p.candidates[0:0]
 }
 
-// filterText filters the candidate list for elements having text.
-type filterText struct{}
+// filterFunc filters the candidate list for elements satisfying a custom
+// boolean function.
+type filterFunc struct {
+	fn func(e *Element) bool
+}
 
-func newFilterText() *filterText {
-	return &filterText{}
+func newFilterFunc(fn func(e *Element) bool) *filterFunc {
+	return &filterFunc{fn}
 }
 
-func (f *filterText) apply(p *pather) {
+func (f *filterFunc) apply(p *pather) {
 	for _, c := range p.candidates {
-		if c.Text() != "" {
+		if f.fn(c) {
 			p.scratch = append(p.scratch, c)
 		}
 	}
 	p.candidates, p.scratch = p.scratch, p.candidates[0:0]
 }
 
-// filterTextVal filters the candidate list for elements having
-// text equal to the specified value.
-type filterTextVal struct {
+// filterFuncVal filters the candidate list for elements containing a value
+// matching the result of a custom function.
+type filterFuncVal struct {
+	fn  func(e *Element) string
 	val string
 }
 
-func newFilterTextVal(value string) *filterTextVal {
-	return &filterTextVal{value}
+func newFilterFuncVal(fn func(e *Element) string, value string) *filterFuncVal {
+	return &filterFuncVal{fn, value}
 }
 
-func (f *filterTextVal) apply(p *pather) {
+func (f *filterFuncVal) apply(p *pather) {
 	for _, c := range p.candidates {
-		if c.Text() == f.val {
+		if f.fn(c) == f.val {
 			p.scratch = append(p.scratch, c)
 		}
 	}
diff --git a/vendor/github.com/beevik/etree/path_test.go b/vendor/github.com/beevik/etree/path_test.go
deleted file mode 100644
index ce6338c0..00000000
--- a/vendor/github.com/beevik/etree/path_test.go
+++ /dev/null
@@ -1,173 +0,0 @@
-// Copyright 2015 Brett Vickers.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package etree
-
-import "testing"
-
-var testXML = `
-<?xml version="1.0" encoding="UTF-8"?>
-<bookstore xmlns:p="urn:books-com:prices">
-
-	<!Directive>
-
-	<book category="COOKING">
-		<title lang="en">Everyday Italian</title>
-		<author>Giada De Laurentiis</author>
-		<year>2005</year>
-		<p:price>30.00</p:price>
-		<editor>Clarkson Potter</editor>
-	</book>
-
-	<book category="CHILDREN">
-		<title lang="en" sku="150">Harry Potter</title>
-		<author>J K. Rowling</author>
-		<year>2005</year>
-		<p:price>29.99</p:price>
-		<editor></editor>
-		<editor/>
-	</book>
-
-	<book category="WEB">
-		<title lang="en">XQuery Kick Start</title>
-		<author>James McGovern</author>
-		<author>Per Bothner</author>
-		<author>Kurt Cagle</author>
-		<author>James Linn</author>
-		<author>Vaidyanathan Nagarajan</author>
-		<year>2003</year>
-		<p:price>49.99</p:price>
-		<editor>
-		</editor>
-	</book>
-
-	<!-- Final book -->
-	<book category="WEB" path="/books/xml">
-		<title lang="en">Learning XML</title>
-		<author>Erik T. Ray</author>
-		<year>2003</year>
-		<p:price>39.95</p:price>
-	</book>
-
-</bookstore>
-`
-
-type test struct {
-	path   string
-	result interface{}
-}
-
-type errorResult string
-
-var tests = []test{
-
-	// basic queries
-	{"./bookstore/book/title", []string{"Everyday Italian", "Harry Potter", "XQuery Kick Start", "Learning XML"}},
-	{"./bookstore/book/author", []string{"Giada De Laurentiis", "J K. Rowling", "James McGovern", "Per Bothner", "Kurt Cagle", "James Linn", "Vaidyanathan Nagarajan", "Erik T. Ray"}},
-	{"./bookstore/book/year", []string{"2005", "2005", "2003", "2003"}},
-	{"./bookstore/book/p:price", []string{"30.00", "29.99", "49.99", "39.95"}},
-	{"./bookstore/book/isbn", nil},
-
-	// descendant queries
-	{"//title", []string{"Everyday Italian", "Harry Potter", "XQuery Kick Start", "Learning XML"}},
-	{"//book/title", []string{"Everyday Italian", "Harry Potter", "XQuery Kick Start", "Learning XML"}},
-	{".//title", []string{"Everyday Italian", "Harry Potter", "XQuery Kick Start", "Learning XML"}},
-	{".//bookstore//title", []string{"Everyday Italian", "Harry Potter", "XQuery Kick Start", "Learning XML"}},
-	{".//book/title", []string{"Everyday Italian", "Harry Potter", "XQuery Kick Start", "Learning XML"}},
-	{".//p:price/.", []string{"30.00", "29.99", "49.99", "39.95"}},
-	{".//price", []string{"30.00", "29.99", "49.99", "39.95"}},
-
-	// positional queries
-	{"./bookstore/book[1]/title", "Everyday Italian"},
-	{"./bookstore/book[4]/title", "Learning XML"},
-	{"./bookstore/book[5]/title", nil},
-	{"./bookstore/book[3]/author[0]", "James McGovern"},
-	{"./bookstore/book[3]/author[1]", "James McGovern"},
-	{"./bookstore/book[3]/author[3]/./.", "Kurt Cagle"},
-	{"./bookstore/book[3]/author[6]", nil},
-	{"./bookstore/book[-1]/title", "Learning XML"},
-	{"./bookstore/book[-4]/title", "Everyday Italian"},
-	{"./bookstore/book[-5]/title", nil},
-
-	// text queries
-	{"./bookstore/book[author='James McGovern']/title", "XQuery Kick Start"},
-	{"./bookstore/book[author='Per Bothner']/title", "XQuery Kick Start"},
-	{"./bookstore/book[author='Kurt Cagle']/title", "XQuery Kick Start"},
-	{"./bookstore/book[author='James Linn']/title", "XQuery Kick Start"},
-	{"./bookstore/book[author='Vaidyanathan Nagarajan']/title", "XQuery Kick Start"},
-	{"//book[p:price='29.99']/title", "Harry Potter"},
-	{"//book[price='29.99']/title", "Harry Potter"},
-	{"//book/price[text()='29.99']", "29.99"},
-	{"//book/author[text()='Kurt Cagle']", "Kurt Cagle"},
-	{"//book/editor[text()]", []string{"Clarkson Potter", "\n\t\t"}},
-
-	// attribute queries
-	{"./bookstore/book[@category='WEB']/title", []string{"XQuery Kick Start", "Learning XML"}},
-	{"./bookstore/book[@path='/books/xml']/title", []string{"Learning XML"}},
-	{"./bookstore/book[@category='COOKING']/title[@lang='en']", "Everyday Italian"},
-	{"./bookstore/book/title[@lang='en'][@sku='150']", "Harry Potter"},
-	{"./bookstore/book/title[@lang='fr']", nil},
-
-	// parent queries
-	{"./bookstore/book[@category='COOKING']/title/../../book[4]/title", "Learning XML"},
-
-	// bad paths
-	{"/bookstore", errorResult("etree: paths cannot be absolute.")},
-	{"./bookstore/book[]", errorResult("etree: path contains an empty filter expression.")},
-	{"./bookstore/book[@category='WEB'", errorResult("etree: path has invalid filter [brackets].")},
-	{"./bookstore/book[@category='WEB]", errorResult("etree: path has mismatched filter quotes.")},
-	{"./bookstore/book[author]a", errorResult("etree: path has invalid filter [brackets].")},
-}
-
-func TestPath(t *testing.T) {
-	doc := NewDocument()
-	err := doc.ReadFromString(testXML)
-	if err != nil {
-		t.Error(err)
-	}
-
-	for _, test := range tests {
-		path, err := CompilePath(test.path)
-		if err != nil {
-			if r, ok := test.result.(errorResult); !ok || err.Error() != string(r) {
-				fail(t, test)
-			}
-			continue
-		}
-
-		// Test both FindElementsPath and FindElementPath
-		element := doc.FindElementPath(path)
-		elements := doc.FindElementsPath(path)
-
-		switch s := test.result.(type) {
-		case errorResult:
-			fail(t, test)
-		case nil:
-			if element != nil || len(elements) != 0 {
-				fail(t, test)
-			}
-		case string:
-			if element == nil || element.Text() != s ||
-				len(elements) != 1 || elements[0].Text() != s {
-				fail(t, test)
-			}
-		case []string:
-			if element == nil || element.Text() != s[0] || len(elements) != len(s) {
-				fail(t, test)
-				continue
-			}
-			for i := 0; i < len(elements); i++ {
-				if elements[i].Text() != s[i] {
-					fail(t, test)
-					break
-				}
-			}
-		}
-
-	}
-}
-
-func fail(t *testing.T, test test) {
-	t.Errorf("etree: failed test '%s'\n", test.path)
-}
diff --git a/vendor/github.com/dchest/uniuri/.travis.yml b/vendor/github.com/dchest/uniuri/.travis.yml
index ae719be1..245a2f51 100644
--- a/vendor/github.com/dchest/uniuri/.travis.yml
+++ b/vendor/github.com/dchest/uniuri/.travis.yml
@@ -1,7 +1,6 @@
 language: go
 
 go:
-  - 1.2
   - 1.3
   - 1.4
   - tip
diff --git a/vendor/github.com/dchest/uniuri/uniuri_test.go b/vendor/github.com/dchest/uniuri/uniuri_test.go
deleted file mode 100644
index 0e26efe3..00000000
--- a/vendor/github.com/dchest/uniuri/uniuri_test.go
+++ /dev/null
@@ -1,102 +0,0 @@
-// Written in 2011-2014 by Dmitry Chestnykh
-//
-// The author(s) have dedicated all copyright and related and
-// neighboring rights to this software to the public domain
-// worldwide. Distributed without any warranty.
-// http://creativecommons.org/publicdomain/zero/1.0/
-
-package uniuri
-
-import "testing"
-
-func validateChars(t *testing.T, u string, chars []byte) {
-	for _, c := range u {
-		var present bool
-		for _, a := range chars {
-			if rune(a) == c {
-				present = true
-			}
-		}
-		if !present {
-			t.Fatalf("chars not allowed in %q", u)
-		}
-	}
-}
-
-func TestNew(t *testing.T) {
-	u := New()
-	// Check length
-	if len(u) != StdLen {
-		t.Fatalf("wrong length: expected %d, got %d", StdLen, len(u))
-	}
-	// Check that only allowed characters are present
-	validateChars(t, u, StdChars)
-
-	// Generate 1000 uniuris and check that they are unique
-	uris := make([]string, 1000)
-	for i := range uris {
-		uris[i] = New()
-	}
-	for i, u := range uris {
-		for j, u2 := range uris {
-			if i != j && u == u2 {
-				t.Fatalf("not unique: %d:%q and %d:%q", i, u, j, u2)
-			}
-		}
-	}
-}
-
-func TestNewLen(t *testing.T) {
-	for i := 0; i < 100; i++ {
-		u := NewLen(i)
-		if len(u) != i {
-			t.Fatalf("request length %d, got %d", i, len(u))
-		}
-	}
-}
-
-func TestNewLenChars(t *testing.T) {
-	length := 10
-	chars := []byte("01234567")
-	u := NewLenChars(length, chars)
-
-	// Check length
-	if len(u) != length {
-		t.Fatalf("wrong length: expected %d, got %d", StdLen, len(u))
-	}
-	// Check that only allowed characters are present
-	validateChars(t, u, chars)
-
-	// Check that two generated strings are different
-	u2 := NewLenChars(length, chars)
-	if u == u2 {
-		t.Fatalf("not unique: %q and %q", u, u2)
-	}
-}
-
-func TestNewLenCharsMaxLength(t *testing.T) {
-	defer func() {
-		if r := recover(); r == nil {
-			t.Fatal("didn't panic")
-		}
-	}()
-	chars := make([]byte, 257)
-	NewLenChars(32, chars)
-}
-
-func TestBias(t *testing.T) {
-	chars := []byte("abcdefghijklmnopqrstuvwxyz")
-	slen := 100000
-	s := NewLenChars(slen, chars)
-	counts := make(map[rune]int)
-	for _, b := range s {
-		counts[b]++
-	}
-	avg := float64(slen) / float64(len(chars))
-	for k, n := range counts {
-		diff := float64(n) / avg
-		if diff < 0.95 || diff > 1.05 {
-			t.Errorf("Bias on '%c': expected average %f, got %d", k, avg, n)
-		}
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/.gitignore b/vendor/github.com/dgrijalva/jwt-go/.gitignore
deleted file mode 100644
index 80bed650..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-.DS_Store
-bin
-
-
diff --git a/vendor/github.com/dgrijalva/jwt-go/.travis.yml b/vendor/github.com/dgrijalva/jwt-go/.travis.yml
deleted file mode 100644
index 1027f56c..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/.travis.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-language: go
-
-script:
-    - go vet ./...
-    - go test -v ./...
-
-go:
-  - 1.3
-  - 1.4
-  - 1.5
-  - 1.6
-  - 1.7
-  - tip
diff --git a/vendor/github.com/dgrijalva/jwt-go/LICENSE b/vendor/github.com/dgrijalva/jwt-go/LICENSE
deleted file mode 100644
index df83a9c2..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/LICENSE
+++ /dev/null
@@ -1,8 +0,0 @@
-Copyright (c) 2012 Dave Grijalva
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
diff --git a/vendor/github.com/dgrijalva/jwt-go/MIGRATION_GUIDE.md b/vendor/github.com/dgrijalva/jwt-go/MIGRATION_GUIDE.md
deleted file mode 100644
index 7fc1f793..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/MIGRATION_GUIDE.md
+++ /dev/null
@@ -1,97 +0,0 @@
-## Migration Guide from v2 -> v3
-
-Version 3 adds several new, frequently requested features.  To do so, it introduces a few breaking changes.  We've worked to keep these as minimal as possible.  This guide explains the breaking changes and how you can quickly update your code.
-
-### `Token.Claims` is now an interface type
-
-The most requested feature from the 2.0 verison of this library was the ability to provide a custom type to the JSON parser for claims. This was implemented by introducing a new interface, `Claims`, to replace `map[string]interface{}`.  We also included two concrete implementations of `Claims`: `MapClaims` and `StandardClaims`.
-
-`MapClaims` is an alias for `map[string]interface{}` with built in validation behavior.  It is the default claims type when using `Parse`.  The usage is unchanged except you must type cast the claims property.
-
-The old example for parsing a token looked like this..
-
-```go
-	if token, err := jwt.Parse(tokenString, keyLookupFunc); err == nil {
-		fmt.Printf("Token for user %v expires %v", token.Claims["user"], token.Claims["exp"])
-	}
-```
-
-is now directly mapped to...
-
-```go
-	if token, err := jwt.Parse(tokenString, keyLookupFunc); err == nil {
-		claims := token.Claims.(jwt.MapClaims)
-		fmt.Printf("Token for user %v expires %v", claims["user"], claims["exp"])
-	}
-```
-
-`StandardClaims` is designed to be embedded in your custom type.  You can supply a custom claims type with the new `ParseWithClaims` function.  Here's an example of using a custom claims type.
-
-```go
-	type MyCustomClaims struct {
-		User string
-		*StandardClaims
-	}
-	
-	if token, err := jwt.ParseWithClaims(tokenString, &MyCustomClaims{}, keyLookupFunc); err == nil {
-		claims := token.Claims.(*MyCustomClaims)
-		fmt.Printf("Token for user %v expires %v", claims.User, claims.StandardClaims.ExpiresAt)
-	}
-```
-
-### `ParseFromRequest` has been moved
-
-To keep this library focused on the tokens without becoming overburdened with complex request processing logic, `ParseFromRequest` and its new companion `ParseFromRequestWithClaims` have been moved to a subpackage, `request`.  The method signatues have also been augmented to receive a new argument: `Extractor`.
-
-`Extractors` do the work of picking the token string out of a request.  The interface is simple and composable.
-
-This simple parsing example:
-
-```go
-	if token, err := jwt.ParseFromRequest(tokenString, req, keyLookupFunc); err == nil {
-		fmt.Printf("Token for user %v expires %v", token.Claims["user"], token.Claims["exp"])
-	}
-```
-
-is directly mapped to:
-
-```go
-	if token, err := request.ParseFromRequest(req, request.OAuth2Extractor, keyLookupFunc); err == nil {
-		claims := token.Claims.(jwt.MapClaims)
-		fmt.Printf("Token for user %v expires %v", claims["user"], claims["exp"])
-	}
-```
-
-There are several concrete `Extractor` types provided for your convenience:
-
-* `HeaderExtractor` will search a list of headers until one contains content.
-* `ArgumentExtractor` will search a list of keys in request query and form arguments until one contains content.
-* `MultiExtractor` will try a list of `Extractors` in order until one returns content.
-* `AuthorizationHeaderExtractor` will look in the `Authorization` header for a `Bearer` token.
-* `OAuth2Extractor` searches the places an OAuth2 token would be specified (per the spec): `Authorization` header and `access_token` argument
-* `PostExtractionFilter` wraps an `Extractor`, allowing you to process the content before it's parsed.  A simple example is stripping the `Bearer ` text from a header
-
-
-### RSA signing methods no longer accept `[]byte` keys
-
-Due to a [critical vulnerability](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/), we've decided the convenience of accepting `[]byte` instead of `rsa.PublicKey` or `rsa.PrivateKey` isn't worth the risk of misuse.
-
-To replace this behavior, we've added two helper methods: `ParseRSAPrivateKeyFromPEM(key []byte) (*rsa.PrivateKey, error)` and `ParseRSAPublicKeyFromPEM(key []byte) (*rsa.PublicKey, error)`.  These are just simple helpers for unpacking PEM encoded PKCS1 and PKCS8 keys. If your keys are encoded any other way, all you need to do is convert them to the `crypto/rsa` package's types.
-
-```go 
-	func keyLookupFunc(*Token) (interface{}, error) {
-		// Don't forget to validate the alg is what you expect:
-		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
-			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
-		}
-		
-		// Look up key 
-		key, err := lookupPublicKey(token.Header["kid"])
-		if err != nil {
-			return nil, err
-		}
-		
-		// Unpack key from PEM encoded PKCS8
-		return jwt.ParseRSAPublicKeyFromPEM(key)
-	}
-```
diff --git a/vendor/github.com/dgrijalva/jwt-go/README.md b/vendor/github.com/dgrijalva/jwt-go/README.md
deleted file mode 100644
index 25aec486..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/README.md
+++ /dev/null
@@ -1,85 +0,0 @@
-A [go](http://www.golang.org) (or 'golang' for search engine friendliness) implementation of [JSON Web Tokens](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html)
-
-[![Build Status](https://travis-ci.org/dgrijalva/jwt-go.svg?branch=master)](https://travis-ci.org/dgrijalva/jwt-go)
-
-**BREAKING CHANGES:*** Version 3.0.0 is here. It includes _a lot_ of changes including a few that break the API.  We've tried to break as few things as possible, so there should just be a few type signature changes.  A full list of breaking changes is available in `VERSION_HISTORY.md`.  See `MIGRATION_GUIDE.md` for more information on updating your code.
-
-**NOTICE:** It's important that you [validate the `alg` presented is what you expect](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/). This library attempts to make it easy to do the right thing by requiring key types match the expected alg, but you should take the extra step to verify it in your usage.  See the examples provided.
-
-
-## What the heck is a JWT?
-
-JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web Tokens.
-
-In short, it's a signed JSON object that does something useful (for example, authentication).  It's commonly used for `Bearer` tokens in Oauth 2.  A token is made of three parts, separated by `.`'s.  The first two parts are JSON objects, that have been [base64url](http://tools.ietf.org/html/rfc4648) encoded.  The last part is the signature, encoded the same way.
-
-The first part is called the header.  It contains the necessary information for verifying the last part, the signature.  For example, which encryption method was used for signing and what key was used.
-
-The part in the middle is the interesting bit.  It's called the Claims and contains the actual stuff you care about.  Refer to [the RFC](http://self-issued.info/docs/draft-jones-json-web-token.html) for information about reserved keys and the proper way to add your own.
-
-## What's in the box?
-
-This library supports the parsing and verification as well as the generation and signing of JWTs.  Current supported signing algorithms are HMAC SHA, RSA, RSA-PSS, and ECDSA, though hooks are present for adding your own.
-
-## Examples
-
-See [the project documentation](https://godoc.org/github.com/dgrijalva/jwt-go) for examples of usage:
-
-* [Simple example of parsing and validating a token](https://godoc.org/github.com/dgrijalva/jwt-go#example-Parse--Hmac)
-* [Simple example of building and signing a token](https://godoc.org/github.com/dgrijalva/jwt-go#example-New--Hmac)
-* [Directory of Examples](https://godoc.org/github.com/dgrijalva/jwt-go#pkg-examples)
-
-## Extensions
-
-This library publishes all the necessary components for adding your own signing methods.  Simply implement the `SigningMethod` interface and register a factory method using `RegisterSigningMethod`.  
-
-Here's an example of an extension that integrates with the Google App Engine signing tools: https://github.com/someone1/gcp-jwt-go
-
-## Compliance
-
-This library was last reviewed to comply with [RTF 7519](http://www.rfc-editor.org/info/rfc7519) dated May 2015 with a few notable differences: 
-
-* In order to protect against accidental use of [Unsecured JWTs](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#UnsecuredJWT), tokens using `alg=none` will only be accepted if the constant `jwt.UnsafeAllowNoneSignatureType` is provided as the key.
-
-## Project Status & Versioning
-
-This library is considered production ready.  Feedback and feature requests are appreciated.  The API should be considered stable.  There should be very few backwards-incompatible changes outside of major version updates (and only with good reason).
-
-This project uses [Semantic Versioning 2.0.0](http://semver.org).  Accepted pull requests will land on `master`.  Periodically, versions will be tagged from `master`.  You can find all the releases on [the project releases page](https://github.com/dgrijalva/jwt-go/releases).
-
-While we try to make it obvious when we make breaking changes, there isn't a great mechanism for pushing announcements out to users.  You may want to use this alternative package include: `gopkg.in/dgrijalva/jwt-go.v2`.  It will do the right thing WRT semantic versioning.
-
-## Usage Tips
-
-### Signing vs Encryption
-
-A token is simply a JSON object that is signed by its author. this tells you exactly two things about the data:
-
-* The author of the token was in the possession of the signing secret
-* The data has not been modified since it was signed
-
-It's important to know that JWT does not provide encryption, which means anyone who has access to the token can read its contents. If you need to protect (encrypt) the data, there is a companion spec, `JWE`, that provides this functionality. JWE is currently outside the scope of this library.
-
-### Choosing a Signing Method
-
-There are several signing methods available, and you should probably take the time to learn about the various options before choosing one.  The principal design decision is most likely going to be symmetric vs asymmetric.
-
-Symmetric signing methods, such as HSA, use only a single secret. This is probably the simplest signing method to use since any `[]byte` can be used as a valid secret. They are also slightly computationally faster to use, though this rarely is enough to matter. Symmetric signing methods work the best when both producers and consumers of tokens are trusted, or even the same system. Since the same secret is used to both sign and validate tokens, you can't easily distribute the key for validation.
-
-Asymmetric signing methods, such as RSA, use different keys for signing and verifying tokens. This makes it possible to produce tokens with a private key, and allow any consumer to access the public key for verification.
-
-### JWT and OAuth
-
-It's worth mentioning that OAuth and JWT are not the same thing. A JWT token is simply a signed JSON object. It can be used anywhere such a thing is useful. There is some confusion, though, as JWT is the most common type of bearer token used in OAuth2 authentication.
-
-Without going too far down the rabbit hole, here's a description of the interaction of these technologies:
-
-* OAuth is a protocol for allowing an identity provider to be separate from the service a user is logging in to. For example, whenever you use Facebook to log into a different service (Yelp, Spotify, etc), you are using OAuth.
-* OAuth defines several options for passing around authentication data. One popular method is called a "bearer token". A bearer token is simply a string that _should_ only be held by an authenticated user. Thus, simply presenting this token proves your identity. You can probably derive from here why a JWT might make a good bearer token.
-* Because bearer tokens are used for authentication, it's important they're kept secret. This is why transactions that use bearer tokens typically happen over SSL.
- 
-## More
-
-Documentation can be found [on godoc.org](http://godoc.org/github.com/dgrijalva/jwt-go).
-
-The command line utility included in this project (cmd/jwt) provides a straightforward example of token creation and parsing as well as a useful tool for debugging your own integration. You'll also find several implementation examples in the documentation.
diff --git a/vendor/github.com/dgrijalva/jwt-go/VERSION_HISTORY.md b/vendor/github.com/dgrijalva/jwt-go/VERSION_HISTORY.md
deleted file mode 100644
index c21551f6..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/VERSION_HISTORY.md
+++ /dev/null
@@ -1,111 +0,0 @@
-## `jwt-go` Version History
-
-#### 3.1.0
-
-* Improvements to `jwt` command line tool
-* Added `SkipClaimsValidation` option to `Parser`
-* Documentation updates
-
-#### 3.0.0
-
-* **Compatibility Breaking Changes**: See MIGRATION_GUIDE.md for tips on updating your code
-	* Dropped support for `[]byte` keys when using RSA signing methods.  This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.
-	* `ParseFromRequest` has been moved to `request` subpackage and usage has changed
-	* The `Claims` property on `Token` is now type `Claims` instead of `map[string]interface{}`.  The default value is type `MapClaims`, which is an alias to `map[string]interface{}`.  This makes it possible to use a custom type when decoding claims.
-* Other Additions and Changes
-	* Added `Claims` interface type to allow users to decode the claims into a custom type
-	* Added `ParseWithClaims`, which takes a third argument of type `Claims`.  Use this function instead of `Parse` if you have a custom type you'd like to decode into.
-	* Dramatically improved the functionality and flexibility of `ParseFromRequest`, which is now in the `request` subpackage
-	* Added `ParseFromRequestWithClaims` which is the `FromRequest` equivalent of `ParseWithClaims`
-	* Added new interface type `Extractor`, which is used for extracting JWT strings from http requests.  Used with `ParseFromRequest` and `ParseFromRequestWithClaims`.
-	* Added several new, more specific, validation errors to error type bitmask
-	* Moved examples from README to executable example files
-	* Signing method registry is now thread safe
-	* Added new property to `ValidationError`, which contains the raw error returned by calls made by parse/verify (such as those returned by keyfunc or json parser)
-
-#### 2.7.0
-
-This will likely be the last backwards compatible release before 3.0.0, excluding essential bug fixes.
-
-* Added new option `-show` to the `jwt` command that will just output the decoded token without verifying
-* Error text for expired tokens includes how long it's been expired
-* Fixed incorrect error returned from `ParseRSAPublicKeyFromPEM`
-* Documentation updates
-
-#### 2.6.0
-
-* Exposed inner error within ValidationError
-* Fixed validation errors when using UseJSONNumber flag
-* Added several unit tests
-
-#### 2.5.0
-
-* Added support for signing method none.  You shouldn't use this.  The API tries to make this clear.
-* Updated/fixed some documentation
-* Added more helpful error message when trying to parse tokens that begin with `BEARER `
-
-#### 2.4.0
-
-* Added new type, Parser, to allow for configuration of various parsing parameters
-	* You can now specify a list of valid signing methods.  Anything outside this set will be rejected.
-	* You can now opt to use the `json.Number` type instead of `float64` when parsing token JSON
-* Added support for [Travis CI](https://travis-ci.org/dgrijalva/jwt-go)
-* Fixed some bugs with ECDSA parsing
-
-#### 2.3.0
-
-* Added support for ECDSA signing methods
-* Added support for RSA PSS signing methods (requires go v1.4)
-
-#### 2.2.0
-
-* Gracefully handle a `nil` `Keyfunc` being passed to `Parse`.  Result will now be the parsed token and an error, instead of a panic.
-
-#### 2.1.0
-
-Backwards compatible API change that was missed in 2.0.0.
-
-* The `SignedString` method on `Token` now takes `interface{}` instead of `[]byte`
-
-#### 2.0.0
-
-There were two major reasons for breaking backwards compatibility with this update.  The first was a refactor required to expand the width of the RSA and HMAC-SHA signing implementations.  There will likely be no required code changes to support this change.
-
-The second update, while unfortunately requiring a small change in integration, is required to open up this library to other signing methods.  Not all keys used for all signing methods have a single standard on-disk representation.  Requiring `[]byte` as the type for all keys proved too limiting.  Additionally, this implementation allows for pre-parsed tokens to be reused, which might matter in an application that parses a high volume of tokens with a small set of keys.  Backwards compatibilty has been maintained for passing `[]byte` to the RSA signing methods, but they will also accept `*rsa.PublicKey` and `*rsa.PrivateKey`.
-
-It is likely the only integration change required here will be to change `func(t *jwt.Token) ([]byte, error)` to `func(t *jwt.Token) (interface{}, error)` when calling `Parse`.
-
-* **Compatibility Breaking Changes**
-	* `SigningMethodHS256` is now `*SigningMethodHMAC` instead of `type struct`
-	* `SigningMethodRS256` is now `*SigningMethodRSA` instead of `type struct`
-	* `KeyFunc` now returns `interface{}` instead of `[]byte`
-	* `SigningMethod.Sign` now takes `interface{}` instead of `[]byte` for the key
-	* `SigningMethod.Verify` now takes `interface{}` instead of `[]byte` for the key
-* Renamed type `SigningMethodHS256` to `SigningMethodHMAC`.  Specific sizes are now just instances of this type.
-    * Added public package global `SigningMethodHS256`
-    * Added public package global `SigningMethodHS384`
-    * Added public package global `SigningMethodHS512`
-* Renamed type `SigningMethodRS256` to `SigningMethodRSA`.  Specific sizes are now just instances of this type.
-    * Added public package global `SigningMethodRS256`
-    * Added public package global `SigningMethodRS384`
-    * Added public package global `SigningMethodRS512`
-* Moved sample private key for HMAC tests from an inline value to a file on disk.  Value is unchanged.
-* Refactored the RSA implementation to be easier to read
-* Exposed helper methods `ParseRSAPrivateKeyFromPEM` and `ParseRSAPublicKeyFromPEM`
-
-#### 1.0.2
-
-* Fixed bug in parsing public keys from certificates
-* Added more tests around the parsing of keys for RS256
-* Code refactoring in RS256 implementation.  No functional changes
-
-#### 1.0.1
-
-* Fixed panic if RS256 signing method was passed an invalid key
-
-#### 1.0.0
-
-* First versioned release
-* API stabilized
-* Supports creating, signing, parsing, and validating JWT tokens
-* Supports RS256 and HS256 signing methods
\ No newline at end of file
diff --git a/vendor/github.com/dgrijalva/jwt-go/claims.go b/vendor/github.com/dgrijalva/jwt-go/claims.go
deleted file mode 100644
index f0228f02..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/claims.go
+++ /dev/null
@@ -1,134 +0,0 @@
-package jwt
-
-import (
-	"crypto/subtle"
-	"fmt"
-	"time"
-)
-
-// For a type to be a Claims object, it must just have a Valid method that determines
-// if the token is invalid for any supported reason
-type Claims interface {
-	Valid() error
-}
-
-// Structured version of Claims Section, as referenced at
-// https://tools.ietf.org/html/rfc7519#section-4.1
-// See examples for how to use this with your own claim types
-type StandardClaims struct {
-	Audience  string `json:"aud,omitempty"`
-	ExpiresAt int64  `json:"exp,omitempty"`
-	Id        string `json:"jti,omitempty"`
-	IssuedAt  int64  `json:"iat,omitempty"`
-	Issuer    string `json:"iss,omitempty"`
-	NotBefore int64  `json:"nbf,omitempty"`
-	Subject   string `json:"sub,omitempty"`
-}
-
-// Validates time based claims "exp, iat, nbf".
-// There is no accounting for clock skew.
-// As well, if any of the above claims are not in the token, it will still
-// be considered a valid claim.
-func (c StandardClaims) Valid() error {
-	vErr := new(ValidationError)
-	now := TimeFunc().Unix()
-
-	// The claims below are optional, by default, so if they are set to the
-	// default value in Go, let's not fail the verification for them.
-	if c.VerifyExpiresAt(now, false) == false {
-		delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0))
-		vErr.Inner = fmt.Errorf("token is expired by %v", delta)
-		vErr.Errors |= ValidationErrorExpired
-	}
-
-	if c.VerifyIssuedAt(now, false) == false {
-		vErr.Inner = fmt.Errorf("Token used before issued")
-		vErr.Errors |= ValidationErrorIssuedAt
-	}
-
-	if c.VerifyNotBefore(now, false) == false {
-		vErr.Inner = fmt.Errorf("token is not valid yet")
-		vErr.Errors |= ValidationErrorNotValidYet
-	}
-
-	if vErr.valid() {
-		return nil
-	}
-
-	return vErr
-}
-
-// Compares the aud claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (c *StandardClaims) VerifyAudience(cmp string, req bool) bool {
-	return verifyAud(c.Audience, cmp, req)
-}
-
-// Compares the exp claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (c *StandardClaims) VerifyExpiresAt(cmp int64, req bool) bool {
-	return verifyExp(c.ExpiresAt, cmp, req)
-}
-
-// Compares the iat claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (c *StandardClaims) VerifyIssuedAt(cmp int64, req bool) bool {
-	return verifyIat(c.IssuedAt, cmp, req)
-}
-
-// Compares the iss claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (c *StandardClaims) VerifyIssuer(cmp string, req bool) bool {
-	return verifyIss(c.Issuer, cmp, req)
-}
-
-// Compares the nbf claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (c *StandardClaims) VerifyNotBefore(cmp int64, req bool) bool {
-	return verifyNbf(c.NotBefore, cmp, req)
-}
-
-// ----- helpers
-
-func verifyAud(aud string, cmp string, required bool) bool {
-	if aud == "" {
-		return !required
-	}
-	if subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) != 0 {
-		return true
-	} else {
-		return false
-	}
-}
-
-func verifyExp(exp int64, now int64, required bool) bool {
-	if exp == 0 {
-		return !required
-	}
-	return now <= exp
-}
-
-func verifyIat(iat int64, now int64, required bool) bool {
-	if iat == 0 {
-		return !required
-	}
-	return now >= iat
-}
-
-func verifyIss(iss string, cmp string, required bool) bool {
-	if iss == "" {
-		return !required
-	}
-	if subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 {
-		return true
-	} else {
-		return false
-	}
-}
-
-func verifyNbf(nbf int64, now int64, required bool) bool {
-	if nbf == 0 {
-		return !required
-	}
-	return now >= nbf
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/cmd/jwt/README.md b/vendor/github.com/dgrijalva/jwt-go/cmd/jwt/README.md
deleted file mode 100644
index c05150e3..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/cmd/jwt/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-`jwt` command-line tool
-=======================
-
-This is a simple tool to sign, verify and show JSON Web Tokens from
-the command line.
-
-The following will create and sign a token, then verify it and output the original claims:
-
-     echo {\"foo\":\"bar\"} | ./jwt -key ../../test/sample_key -alg RS256 -sign - | ./jwt -key ../../test/sample_key.pub -alg RS256 -verify -
-
-To simply display a token, use:
-
-    echo $JWT | ./jwt -show -
diff --git a/vendor/github.com/dgrijalva/jwt-go/cmd/jwt/app.go b/vendor/github.com/dgrijalva/jwt-go/cmd/jwt/app.go
deleted file mode 100644
index 727182a9..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/cmd/jwt/app.go
+++ /dev/null
@@ -1,282 +0,0 @@
-// A useful example app.  You can use this to debug your tokens on the command line.
-// This is also a great place to look at how you might use this library.
-//
-// Example usage:
-// The following will create and sign a token, then verify it and output the original claims.
-//     echo {\"foo\":\"bar\"} | bin/jwt -key test/sample_key -alg RS256 -sign - | bin/jwt -key test/sample_key.pub -verify -
-package main
-
-import (
-	"encoding/json"
-	"flag"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"regexp"
-	"strings"
-
-	jwt "github.com/dgrijalva/jwt-go"
-)
-
-var (
-	// Options
-	flagAlg     = flag.String("alg", "", "signing algorithm identifier")
-	flagKey     = flag.String("key", "", "path to key file or '-' to read from stdin")
-	flagCompact = flag.Bool("compact", false, "output compact JSON")
-	flagDebug   = flag.Bool("debug", false, "print out all kinds of debug data")
-	flagClaims  = make(ArgList)
-	flagHead    = make(ArgList)
-
-	// Modes - exactly one of these is required
-	flagSign   = flag.String("sign", "", "path to claims object to sign, '-' to read from stdin, or '+' to use only -claim args")
-	flagVerify = flag.String("verify", "", "path to JWT token to verify or '-' to read from stdin")
-	flagShow   = flag.String("show", "", "path to JWT file or '-' to read from stdin")
-)
-
-func main() {
-	// Plug in Var flags
-	flag.Var(flagClaims, "claim", "add additional claims. may be used more than once")
-	flag.Var(flagHead, "header", "add additional header params. may be used more than once")
-
-	// Usage message if you ask for -help or if you mess up inputs.
-	flag.Usage = func() {
-		fmt.Fprintf(os.Stderr, "Usage of %s:\n", os.Args[0])
-		fmt.Fprintf(os.Stderr, "  One of the following flags is required: sign, verify\n")
-		flag.PrintDefaults()
-	}
-
-	// Parse command line options
-	flag.Parse()
-
-	// Do the thing.  If something goes wrong, print error to stderr
-	// and exit with a non-zero status code
-	if err := start(); err != nil {
-		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-		os.Exit(1)
-	}
-}
-
-// Figure out which thing to do and then do that
-func start() error {
-	if *flagSign != "" {
-		return signToken()
-	} else if *flagVerify != "" {
-		return verifyToken()
-	} else if *flagShow != "" {
-		return showToken()
-	} else {
-		flag.Usage()
-		return fmt.Errorf("None of the required flags are present.  What do you want me to do?")
-	}
-}
-
-// Helper func:  Read input from specified file or stdin
-func loadData(p string) ([]byte, error) {
-	if p == "" {
-		return nil, fmt.Errorf("No path specified")
-	}
-
-	var rdr io.Reader
-	if p == "-" {
-		rdr = os.Stdin
-	} else if p == "+" {
-		return []byte("{}"), nil
-	} else {
-		if f, err := os.Open(p); err == nil {
-			rdr = f
-			defer f.Close()
-		} else {
-			return nil, err
-		}
-	}
-	return ioutil.ReadAll(rdr)
-}
-
-// Print a json object in accordance with the prophecy (or the command line options)
-func printJSON(j interface{}) error {
-	var out []byte
-	var err error
-
-	if *flagCompact == false {
-		out, err = json.MarshalIndent(j, "", "    ")
-	} else {
-		out, err = json.Marshal(j)
-	}
-
-	if err == nil {
-		fmt.Println(string(out))
-	}
-
-	return err
-}
-
-// Verify a token and output the claims.  This is a great example
-// of how to verify and view a token.
-func verifyToken() error {
-	// get the token
-	tokData, err := loadData(*flagVerify)
-	if err != nil {
-		return fmt.Errorf("Couldn't read token: %v", err)
-	}
-
-	// trim possible whitespace from token
-	tokData = regexp.MustCompile(`\s*$`).ReplaceAll(tokData, []byte{})
-	if *flagDebug {
-		fmt.Fprintf(os.Stderr, "Token len: %v bytes\n", len(tokData))
-	}
-
-	// Parse the token.  Load the key from command line option
-	token, err := jwt.Parse(string(tokData), func(t *jwt.Token) (interface{}, error) {
-		data, err := loadData(*flagKey)
-		if err != nil {
-			return nil, err
-		}
-		if isEs() {
-			return jwt.ParseECPublicKeyFromPEM(data)
-		} else if isRs() {
-			return jwt.ParseRSAPublicKeyFromPEM(data)
-		}
-		return data, nil
-	})
-
-	// Print some debug data
-	if *flagDebug && token != nil {
-		fmt.Fprintf(os.Stderr, "Header:\n%v\n", token.Header)
-		fmt.Fprintf(os.Stderr, "Claims:\n%v\n", token.Claims)
-	}
-
-	// Print an error if we can't parse for some reason
-	if err != nil {
-		return fmt.Errorf("Couldn't parse token: %v", err)
-	}
-
-	// Is token invalid?
-	if !token.Valid {
-		return fmt.Errorf("Token is invalid")
-	}
-
-	// Print the token details
-	if err := printJSON(token.Claims); err != nil {
-		return fmt.Errorf("Failed to output claims: %v", err)
-	}
-
-	return nil
-}
-
-// Create, sign, and output a token.  This is a great, simple example of
-// how to use this library to create and sign a token.
-func signToken() error {
-	// get the token data from command line arguments
-	tokData, err := loadData(*flagSign)
-	if err != nil {
-		return fmt.Errorf("Couldn't read token: %v", err)
-	} else if *flagDebug {
-		fmt.Fprintf(os.Stderr, "Token: %v bytes", len(tokData))
-	}
-
-	// parse the JSON of the claims
-	var claims jwt.MapClaims
-	if err := json.Unmarshal(tokData, &claims); err != nil {
-		return fmt.Errorf("Couldn't parse claims JSON: %v", err)
-	}
-
-	// add command line claims
-	if len(flagClaims) > 0 {
-		for k, v := range flagClaims {
-			claims[k] = v
-		}
-	}
-
-	// get the key
-	var key interface{}
-	key, err = loadData(*flagKey)
-	if err != nil {
-		return fmt.Errorf("Couldn't read key: %v", err)
-	}
-
-	// get the signing alg
-	alg := jwt.GetSigningMethod(*flagAlg)
-	if alg == nil {
-		return fmt.Errorf("Couldn't find signing method: %v", *flagAlg)
-	}
-
-	// create a new token
-	token := jwt.NewWithClaims(alg, claims)
-
-	// add command line headers
-	if len(flagHead) > 0 {
-		for k, v := range flagHead {
-			token.Header[k] = v
-		}
-	}
-
-	if isEs() {
-		if k, ok := key.([]byte); !ok {
-			return fmt.Errorf("Couldn't convert key data to key")
-		} else {
-			key, err = jwt.ParseECPrivateKeyFromPEM(k)
-			if err != nil {
-				return err
-			}
-		}
-	} else if isRs() {
-		if k, ok := key.([]byte); !ok {
-			return fmt.Errorf("Couldn't convert key data to key")
-		} else {
-			key, err = jwt.ParseRSAPrivateKeyFromPEM(k)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	if out, err := token.SignedString(key); err == nil {
-		fmt.Println(out)
-	} else {
-		return fmt.Errorf("Error signing token: %v", err)
-	}
-
-	return nil
-}
-
-// showToken pretty-prints the token on the command line.
-func showToken() error {
-	// get the token
-	tokData, err := loadData(*flagShow)
-	if err != nil {
-		return fmt.Errorf("Couldn't read token: %v", err)
-	}
-
-	// trim possible whitespace from token
-	tokData = regexp.MustCompile(`\s*$`).ReplaceAll(tokData, []byte{})
-	if *flagDebug {
-		fmt.Fprintf(os.Stderr, "Token len: %v bytes\n", len(tokData))
-	}
-
-	token, err := jwt.Parse(string(tokData), nil)
-	if token == nil {
-		return fmt.Errorf("malformed token: %v", err)
-	}
-
-	// Print the token details
-	fmt.Println("Header:")
-	if err := printJSON(token.Header); err != nil {
-		return fmt.Errorf("Failed to output header: %v", err)
-	}
-
-	fmt.Println("Claims:")
-	if err := printJSON(token.Claims); err != nil {
-		return fmt.Errorf("Failed to output claims: %v", err)
-	}
-
-	return nil
-}
-
-func isEs() bool {
-	return strings.HasPrefix(*flagAlg, "ES")
-}
-
-func isRs() bool {
-	return strings.HasPrefix(*flagAlg, "RS")
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/cmd/jwt/args.go b/vendor/github.com/dgrijalva/jwt-go/cmd/jwt/args.go
deleted file mode 100644
index a5bba5b1..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/cmd/jwt/args.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"strings"
-)
-
-type ArgList map[string]string
-
-func (l ArgList) String() string {
-	data, _ := json.Marshal(l)
-	return string(data)
-}
-
-func (l ArgList) Set(arg string) error {
-	parts := strings.SplitN(arg, "=", 2)
-	if len(parts) != 2 {
-		return fmt.Errorf("Invalid argument '%v'.  Must use format 'key=value'. %v", arg, parts)
-	}
-	l[parts[0]] = parts[1]
-	return nil
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/doc.go b/vendor/github.com/dgrijalva/jwt-go/doc.go
deleted file mode 100644
index a86dc1a3..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/doc.go
+++ /dev/null
@@ -1,4 +0,0 @@
-// Package jwt is a Go implementation of JSON Web Tokens: http://self-issued.info/docs/draft-jones-json-web-token.html
-//
-// See README.md for more info.
-package jwt
diff --git a/vendor/github.com/dgrijalva/jwt-go/ecdsa.go b/vendor/github.com/dgrijalva/jwt-go/ecdsa.go
deleted file mode 100644
index 2f59a222..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/ecdsa.go
+++ /dev/null
@@ -1,147 +0,0 @@
-package jwt
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rand"
-	"errors"
-	"math/big"
-)
-
-var (
-	// Sadly this is missing from crypto/ecdsa compared to crypto/rsa
-	ErrECDSAVerification = errors.New("crypto/ecdsa: verification error")
-)
-
-// Implements the ECDSA family of signing methods signing methods
-type SigningMethodECDSA struct {
-	Name      string
-	Hash      crypto.Hash
-	KeySize   int
-	CurveBits int
-}
-
-// Specific instances for EC256 and company
-var (
-	SigningMethodES256 *SigningMethodECDSA
-	SigningMethodES384 *SigningMethodECDSA
-	SigningMethodES512 *SigningMethodECDSA
-)
-
-func init() {
-	// ES256
-	SigningMethodES256 = &SigningMethodECDSA{"ES256", crypto.SHA256, 32, 256}
-	RegisterSigningMethod(SigningMethodES256.Alg(), func() SigningMethod {
-		return SigningMethodES256
-	})
-
-	// ES384
-	SigningMethodES384 = &SigningMethodECDSA{"ES384", crypto.SHA384, 48, 384}
-	RegisterSigningMethod(SigningMethodES384.Alg(), func() SigningMethod {
-		return SigningMethodES384
-	})
-
-	// ES512
-	SigningMethodES512 = &SigningMethodECDSA{"ES512", crypto.SHA512, 66, 521}
-	RegisterSigningMethod(SigningMethodES512.Alg(), func() SigningMethod {
-		return SigningMethodES512
-	})
-}
-
-func (m *SigningMethodECDSA) Alg() string {
-	return m.Name
-}
-
-// Implements the Verify method from SigningMethod
-// For this verify method, key must be an ecdsa.PublicKey struct
-func (m *SigningMethodECDSA) Verify(signingString, signature string, key interface{}) error {
-	var err error
-
-	// Decode the signature
-	var sig []byte
-	if sig, err = DecodeSegment(signature); err != nil {
-		return err
-	}
-
-	// Get the key
-	var ecdsaKey *ecdsa.PublicKey
-	switch k := key.(type) {
-	case *ecdsa.PublicKey:
-		ecdsaKey = k
-	default:
-		return ErrInvalidKeyType
-	}
-
-	if len(sig) != 2*m.KeySize {
-		return ErrECDSAVerification
-	}
-
-	r := big.NewInt(0).SetBytes(sig[:m.KeySize])
-	s := big.NewInt(0).SetBytes(sig[m.KeySize:])
-
-	// Create hasher
-	if !m.Hash.Available() {
-		return ErrHashUnavailable
-	}
-	hasher := m.Hash.New()
-	hasher.Write([]byte(signingString))
-
-	// Verify the signature
-	if verifystatus := ecdsa.Verify(ecdsaKey, hasher.Sum(nil), r, s); verifystatus == true {
-		return nil
-	} else {
-		return ErrECDSAVerification
-	}
-}
-
-// Implements the Sign method from SigningMethod
-// For this signing method, key must be an ecdsa.PrivateKey struct
-func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) (string, error) {
-	// Get the key
-	var ecdsaKey *ecdsa.PrivateKey
-	switch k := key.(type) {
-	case *ecdsa.PrivateKey:
-		ecdsaKey = k
-	default:
-		return "", ErrInvalidKeyType
-	}
-
-	// Create the hasher
-	if !m.Hash.Available() {
-		return "", ErrHashUnavailable
-	}
-
-	hasher := m.Hash.New()
-	hasher.Write([]byte(signingString))
-
-	// Sign the string and return r, s
-	if r, s, err := ecdsa.Sign(rand.Reader, ecdsaKey, hasher.Sum(nil)); err == nil {
-		curveBits := ecdsaKey.Curve.Params().BitSize
-
-		if m.CurveBits != curveBits {
-			return "", ErrInvalidKey
-		}
-
-		keyBytes := curveBits / 8
-		if curveBits%8 > 0 {
-			keyBytes += 1
-		}
-
-		// We serialize the outpus (r and s) into big-endian byte arrays and pad
-		// them with zeros on the left to make sure the sizes work out. Both arrays
-		// must be keyBytes long, and the output must be 2*keyBytes long.
-		rBytes := r.Bytes()
-		rBytesPadded := make([]byte, keyBytes)
-		copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
-
-		sBytes := s.Bytes()
-		sBytesPadded := make([]byte, keyBytes)
-		copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
-
-		out := append(rBytesPadded, sBytesPadded...)
-
-		return EncodeSegment(out), nil
-	} else {
-		return "", err
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/ecdsa_test.go b/vendor/github.com/dgrijalva/jwt-go/ecdsa_test.go
deleted file mode 100644
index 753047b1..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/ecdsa_test.go
+++ /dev/null
@@ -1,100 +0,0 @@
-package jwt_test
-
-import (
-	"crypto/ecdsa"
-	"io/ioutil"
-	"strings"
-	"testing"
-
-	"github.com/dgrijalva/jwt-go"
-)
-
-var ecdsaTestData = []struct {
-	name        string
-	keys        map[string]string
-	tokenString string
-	alg         string
-	claims      map[string]interface{}
-	valid       bool
-}{
-	{
-		"Basic ES256",
-		map[string]string{"private": "test/ec256-private.pem", "public": "test/ec256-public.pem"},
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJmb28iOiJiYXIifQ.feG39E-bn8HXAKhzDZq7yEAPWYDhZlwTn3sePJnU9VrGMmwdXAIEyoOnrjreYlVM_Z4N13eK9-TmMTWyfKJtHQ",
-		"ES256",
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"Basic ES384",
-		map[string]string{"private": "test/ec384-private.pem", "public": "test/ec384-public.pem"},
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCJ9.eyJmb28iOiJiYXIifQ.ngAfKMbJUh0WWubSIYe5GMsA-aHNKwFbJk_wq3lq23aPp8H2anb1rRILIzVR0gUf4a8WzDtrzmiikuPWyCS6CN4-PwdgTk-5nehC7JXqlaBZU05p3toM3nWCwm_LXcld",
-		"ES384",
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"Basic ES512",
-		map[string]string{"private": "test/ec512-private.pem", "public": "test/ec512-public.pem"},
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJmb28iOiJiYXIifQ.AAU0TvGQOcdg2OvrwY73NHKgfk26UDekh9Prz-L_iWuTBIBqOFCWwwLsRiHB1JOddfKAls5do1W0jR_F30JpVd-6AJeTjGKA4C1A1H6gIKwRY0o_tFDIydZCl_lMBMeG5VNFAjO86-WCSKwc3hqaGkq1MugPRq_qrF9AVbuEB4JPLyL5",
-		"ES512",
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"basic ES256 invalid: foo => bar",
-		map[string]string{"private": "test/ec256-private.pem", "public": "test/ec256-public.pem"},
-		"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.MEQCIHoSJnmGlPaVQDqacx_2XlXEhhqtWceVopjomc2PJLtdAiAUTeGPoNYxZw0z8mgOnnIcjoxRuNDVZvybRZF3wR1l8W",
-		"ES256",
-		map[string]interface{}{"foo": "bar"},
-		false,
-	},
-}
-
-func TestECDSAVerify(t *testing.T) {
-	for _, data := range ecdsaTestData {
-		var err error
-
-		key, _ := ioutil.ReadFile(data.keys["public"])
-
-		var ecdsaKey *ecdsa.PublicKey
-		if ecdsaKey, err = jwt.ParseECPublicKeyFromPEM(key); err != nil {
-			t.Errorf("Unable to parse ECDSA public key: %v", err)
-		}
-
-		parts := strings.Split(data.tokenString, ".")
-
-		method := jwt.GetSigningMethod(data.alg)
-		err = method.Verify(strings.Join(parts[0:2], "."), parts[2], ecdsaKey)
-		if data.valid && err != nil {
-			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
-		}
-		if !data.valid && err == nil {
-			t.Errorf("[%v] Invalid key passed validation", data.name)
-		}
-	}
-}
-
-func TestECDSASign(t *testing.T) {
-	for _, data := range ecdsaTestData {
-		var err error
-		key, _ := ioutil.ReadFile(data.keys["private"])
-
-		var ecdsaKey *ecdsa.PrivateKey
-		if ecdsaKey, err = jwt.ParseECPrivateKeyFromPEM(key); err != nil {
-			t.Errorf("Unable to parse ECDSA private key: %v", err)
-		}
-
-		if data.valid {
-			parts := strings.Split(data.tokenString, ".")
-			method := jwt.GetSigningMethod(data.alg)
-			sig, err := method.Sign(strings.Join(parts[0:2], "."), ecdsaKey)
-			if err != nil {
-				t.Errorf("[%v] Error signing token: %v", data.name, err)
-			}
-			if sig == parts[2] {
-				t.Errorf("[%v] Identical signatures\nbefore:\n%v\nafter:\n%v", data.name, parts[2], sig)
-			}
-		}
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/ecdsa_utils.go b/vendor/github.com/dgrijalva/jwt-go/ecdsa_utils.go
deleted file mode 100644
index d19624b7..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/ecdsa_utils.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package jwt
-
-import (
-	"crypto/ecdsa"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
-)
-
-var (
-	ErrNotECPublicKey  = errors.New("Key is not a valid ECDSA public key")
-	ErrNotECPrivateKey = errors.New("Key is not a valid ECDSA private key")
-)
-
-// Parse PEM encoded Elliptic Curve Private Key Structure
-func ParseECPrivateKeyFromPEM(key []byte) (*ecdsa.PrivateKey, error) {
-	var err error
-
-	// Parse PEM block
-	var block *pem.Block
-	if block, _ = pem.Decode(key); block == nil {
-		return nil, ErrKeyMustBePEMEncoded
-	}
-
-	// Parse the key
-	var parsedKey interface{}
-	if parsedKey, err = x509.ParseECPrivateKey(block.Bytes); err != nil {
-		return nil, err
-	}
-
-	var pkey *ecdsa.PrivateKey
-	var ok bool
-	if pkey, ok = parsedKey.(*ecdsa.PrivateKey); !ok {
-		return nil, ErrNotECPrivateKey
-	}
-
-	return pkey, nil
-}
-
-// Parse PEM encoded PKCS1 or PKCS8 public key
-func ParseECPublicKeyFromPEM(key []byte) (*ecdsa.PublicKey, error) {
-	var err error
-
-	// Parse PEM block
-	var block *pem.Block
-	if block, _ = pem.Decode(key); block == nil {
-		return nil, ErrKeyMustBePEMEncoded
-	}
-
-	// Parse the key
-	var parsedKey interface{}
-	if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
-		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
-			parsedKey = cert.PublicKey
-		} else {
-			return nil, err
-		}
-	}
-
-	var pkey *ecdsa.PublicKey
-	var ok bool
-	if pkey, ok = parsedKey.(*ecdsa.PublicKey); !ok {
-		return nil, ErrNotECPublicKey
-	}
-
-	return pkey, nil
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/errors.go b/vendor/github.com/dgrijalva/jwt-go/errors.go
deleted file mode 100644
index 1c93024a..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/errors.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package jwt
-
-import (
-	"errors"
-)
-
-// Error constants
-var (
-	ErrInvalidKey      = errors.New("key is invalid")
-	ErrInvalidKeyType  = errors.New("key is of invalid type")
-	ErrHashUnavailable = errors.New("the requested hash function is unavailable")
-)
-
-// The errors that might occur when parsing and validating a token
-const (
-	ValidationErrorMalformed        uint32 = 1 << iota // Token is malformed
-	ValidationErrorUnverifiable                        // Token could not be verified because of signing problems
-	ValidationErrorSignatureInvalid                    // Signature validation failed
-
-	// Standard Claim validation errors
-	ValidationErrorAudience      // AUD validation failed
-	ValidationErrorExpired       // EXP validation failed
-	ValidationErrorIssuedAt      // IAT validation failed
-	ValidationErrorIssuer        // ISS validation failed
-	ValidationErrorNotValidYet   // NBF validation failed
-	ValidationErrorId            // JTI validation failed
-	ValidationErrorClaimsInvalid // Generic claims validation error
-)
-
-// Helper for constructing a ValidationError with a string error message
-func NewValidationError(errorText string, errorFlags uint32) *ValidationError {
-	return &ValidationError{
-		text:   errorText,
-		Errors: errorFlags,
-	}
-}
-
-// The error from Parse if token is not valid
-type ValidationError struct {
-	Inner  error  // stores the error returned by external dependencies, i.e.: KeyFunc
-	Errors uint32 // bitfield.  see ValidationError... constants
-	text   string // errors that do not have a valid error just have text
-}
-
-// Validation error is an error type
-func (e ValidationError) Error() string {
-	if e.Inner != nil {
-		return e.Inner.Error()
-	} else if e.text != "" {
-		return e.text
-	} else {
-		return "token is invalid"
-	}
-}
-
-// No errors
-func (e *ValidationError) valid() bool {
-	return e.Errors == 0
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/example_test.go b/vendor/github.com/dgrijalva/jwt-go/example_test.go
deleted file mode 100644
index ae8b788a..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/example_test.go
+++ /dev/null
@@ -1,114 +0,0 @@
-package jwt_test
-
-import (
-	"fmt"
-	"github.com/dgrijalva/jwt-go"
-	"time"
-)
-
-// Example (atypical) using the StandardClaims type by itself to parse a token.
-// The StandardClaims type is designed to be embedded into your custom types
-// to provide standard validation features.  You can use it alone, but there's
-// no way to retrieve other fields after parsing.
-// See the CustomClaimsType example for intended usage.
-func ExampleNewWithClaims_standardClaims() {
-	mySigningKey := []byte("AllYourBase")
-
-	// Create the Claims
-	claims := &jwt.StandardClaims{
-		ExpiresAt: 15000,
-		Issuer:    "test",
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	ss, err := token.SignedString(mySigningKey)
-	fmt.Printf("%v %v", ss, err)
-	//Output: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MDAwLCJpc3MiOiJ0ZXN0In0.QsODzZu3lUZMVdhbO76u3Jv02iYCvEHcYVUI1kOWEU0 <nil>
-}
-
-// Example creating a token using a custom claims type.  The StandardClaim is embedded
-// in the custom type to allow for easy encoding, parsing and validation of standard claims.
-func ExampleNewWithClaims_customClaimsType() {
-	mySigningKey := []byte("AllYourBase")
-
-	type MyCustomClaims struct {
-		Foo string `json:"foo"`
-		jwt.StandardClaims
-	}
-
-	// Create the Claims
-	claims := MyCustomClaims{
-		"bar",
-		jwt.StandardClaims{
-			ExpiresAt: 15000,
-			Issuer:    "test",
-		},
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	ss, err := token.SignedString(mySigningKey)
-	fmt.Printf("%v %v", ss, err)
-	//Output: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJleHAiOjE1MDAwLCJpc3MiOiJ0ZXN0In0.HE7fK0xOQwFEr4WDgRWj4teRPZ6i3GLwD5YCm6Pwu_c <nil>
-}
-
-// Example creating a token using a custom claims type.  The StandardClaim is embedded
-// in the custom type to allow for easy encoding, parsing and validation of standard claims.
-func ExampleParseWithClaims_customClaimsType() {
-	tokenString := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJleHAiOjE1MDAwLCJpc3MiOiJ0ZXN0In0.HE7fK0xOQwFEr4WDgRWj4teRPZ6i3GLwD5YCm6Pwu_c"
-
-	type MyCustomClaims struct {
-		Foo string `json:"foo"`
-		jwt.StandardClaims
-	}
-
-	// sample token is expired.  override time so it parses as valid
-	at(time.Unix(0, 0), func() {
-		token, err := jwt.ParseWithClaims(tokenString, &MyCustomClaims{}, func(token *jwt.Token) (interface{}, error) {
-			return []byte("AllYourBase"), nil
-		})
-
-		if claims, ok := token.Claims.(*MyCustomClaims); ok && token.Valid {
-			fmt.Printf("%v %v", claims.Foo, claims.StandardClaims.ExpiresAt)
-		} else {
-			fmt.Println(err)
-		}
-	})
-
-	// Output: bar 15000
-}
-
-// Override time value for tests.  Restore default value after.
-func at(t time.Time, f func()) {
-	jwt.TimeFunc = func() time.Time {
-		return t
-	}
-	f()
-	jwt.TimeFunc = time.Now
-}
-
-// An example of parsing the error types using bitfield checks
-func ExampleParse_errorChecking() {
-	// Token from another example.  This token is expired
-	var tokenString = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJleHAiOjE1MDAwLCJpc3MiOiJ0ZXN0In0.HE7fK0xOQwFEr4WDgRWj4teRPZ6i3GLwD5YCm6Pwu_c"
-
-	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-		return []byte("AllYourBase"), nil
-	})
-
-	if token.Valid {
-		fmt.Println("You look nice today")
-	} else if ve, ok := err.(*jwt.ValidationError); ok {
-		if ve.Errors&jwt.ValidationErrorMalformed != 0 {
-			fmt.Println("That's not even a token")
-		} else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 {
-			// Token is either expired or not active yet
-			fmt.Println("Timing is everything")
-		} else {
-			fmt.Println("Couldn't handle this token:", err)
-		}
-	} else {
-		fmt.Println("Couldn't handle this token:", err)
-	}
-
-	// Output: Timing is everything
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/hmac.go b/vendor/github.com/dgrijalva/jwt-go/hmac.go
deleted file mode 100644
index c2299192..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/hmac.go
+++ /dev/null
@@ -1,94 +0,0 @@
-package jwt
-
-import (
-	"crypto"
-	"crypto/hmac"
-	"errors"
-)
-
-// Implements the HMAC-SHA family of signing methods signing methods
-type SigningMethodHMAC struct {
-	Name string
-	Hash crypto.Hash
-}
-
-// Specific instances for HS256 and company
-var (
-	SigningMethodHS256  *SigningMethodHMAC
-	SigningMethodHS384  *SigningMethodHMAC
-	SigningMethodHS512  *SigningMethodHMAC
-	ErrSignatureInvalid = errors.New("signature is invalid")
-)
-
-func init() {
-	// HS256
-	SigningMethodHS256 = &SigningMethodHMAC{"HS256", crypto.SHA256}
-	RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
-		return SigningMethodHS256
-	})
-
-	// HS384
-	SigningMethodHS384 = &SigningMethodHMAC{"HS384", crypto.SHA384}
-	RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
-		return SigningMethodHS384
-	})
-
-	// HS512
-	SigningMethodHS512 = &SigningMethodHMAC{"HS512", crypto.SHA512}
-	RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
-		return SigningMethodHS512
-	})
-}
-
-func (m *SigningMethodHMAC) Alg() string {
-	return m.Name
-}
-
-// Verify the signature of HSXXX tokens.  Returns nil if the signature is valid.
-func (m *SigningMethodHMAC) Verify(signingString, signature string, key interface{}) error {
-	// Verify the key is the right type
-	keyBytes, ok := key.([]byte)
-	if !ok {
-		return ErrInvalidKeyType
-	}
-
-	// Decode signature, for comparison
-	sig, err := DecodeSegment(signature)
-	if err != nil {
-		return err
-	}
-
-	// Can we use the specified hashing method?
-	if !m.Hash.Available() {
-		return ErrHashUnavailable
-	}
-
-	// This signing method is symmetric, so we validate the signature
-	// by reproducing the signature from the signing string and key, then
-	// comparing that against the provided signature.
-	hasher := hmac.New(m.Hash.New, keyBytes)
-	hasher.Write([]byte(signingString))
-	if !hmac.Equal(sig, hasher.Sum(nil)) {
-		return ErrSignatureInvalid
-	}
-
-	// No validation errors.  Signature is good.
-	return nil
-}
-
-// Implements the Sign method from SigningMethod for this signing method.
-// Key must be []byte
-func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) (string, error) {
-	if keyBytes, ok := key.([]byte); ok {
-		if !m.Hash.Available() {
-			return "", ErrHashUnavailable
-		}
-
-		hasher := hmac.New(m.Hash.New, keyBytes)
-		hasher.Write([]byte(signingString))
-
-		return EncodeSegment(hasher.Sum(nil)), nil
-	}
-
-	return "", ErrInvalidKey
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/hmac_example_test.go b/vendor/github.com/dgrijalva/jwt-go/hmac_example_test.go
deleted file mode 100644
index 00278314..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/hmac_example_test.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package jwt_test
-
-import (
-	"fmt"
-	"github.com/dgrijalva/jwt-go"
-	"io/ioutil"
-	"time"
-)
-
-// For HMAC signing method, the key can be any []byte. It is recommended to generate
-// a key using crypto/rand or something equivalent. You need the same key for signing
-// and validating.
-var hmacSampleSecret []byte
-
-func init() {
-	// Load sample key data
-	if keyData, e := ioutil.ReadFile("test/hmacTestKey"); e == nil {
-		hmacSampleSecret = keyData
-	} else {
-		panic(e)
-	}
-}
-
-// Example creating, signing, and encoding a JWT token using the HMAC signing method
-func ExampleNew_hmac() {
-	// Create a new token object, specifying signing method and the claims
-	// you would like it to contain.
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
-		"foo": "bar",
-		"nbf": time.Date(2015, 10, 10, 12, 0, 0, 0, time.UTC).Unix(),
-	})
-
-	// Sign and get the complete encoded token as a string using the secret
-	tokenString, err := token.SignedString(hmacSampleSecret)
-
-	fmt.Println(tokenString, err)
-	// Output: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJuYmYiOjE0NDQ0Nzg0MDB9.u1riaD1rW97opCoAuRCTy4w58Br-Zk-bh7vLiRIsrpU <nil>
-}
-
-// Example parsing and validating a token using the HMAC signing method
-func ExampleParse_hmac() {
-	// sample token string taken from the New example
-	tokenString := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJuYmYiOjE0NDQ0Nzg0MDB9.u1riaD1rW97opCoAuRCTy4w58Br-Zk-bh7vLiRIsrpU"
-
-	// Parse takes the token string and a function for looking up the key. The latter is especially
-	// useful if you use multiple keys for your application.  The standard is to use 'kid' in the
-	// head of the token to identify which key to use, but the parsed token (head and claims) is provided
-	// to the callback, providing flexibility.
-	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-		// Don't forget to validate the alg is what you expect:
-		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
-		}
-		
-		// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
-		return hmacSampleSecret, nil
-	})
-
-	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
-		fmt.Println(claims["foo"], claims["nbf"])
-	} else {
-		fmt.Println(err)
-	}
-
-	// Output: bar 1.4444784e+09
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/hmac_test.go b/vendor/github.com/dgrijalva/jwt-go/hmac_test.go
deleted file mode 100644
index c7e114f4..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/hmac_test.go
+++ /dev/null
@@ -1,91 +0,0 @@
-package jwt_test
-
-import (
-	"github.com/dgrijalva/jwt-go"
-	"io/ioutil"
-	"strings"
-	"testing"
-)
-
-var hmacTestData = []struct {
-	name        string
-	tokenString string
-	alg         string
-	claims      map[string]interface{}
-	valid       bool
-}{
-	{
-		"web sample",
-		"eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
-		"HS256",
-		map[string]interface{}{"iss": "joe", "exp": 1300819380, "http://example.com/is_root": true},
-		true,
-	},
-	{
-		"HS384",
-		"eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJleHAiOjEuMzAwODE5MzhlKzA5LCJodHRwOi8vZXhhbXBsZS5jb20vaXNfcm9vdCI6dHJ1ZSwiaXNzIjoiam9lIn0.KWZEuOD5lbBxZ34g7F-SlVLAQ_r5KApWNWlZIIMyQVz5Zs58a7XdNzj5_0EcNoOy",
-		"HS384",
-		map[string]interface{}{"iss": "joe", "exp": 1300819380, "http://example.com/is_root": true},
-		true,
-	},
-	{
-		"HS512",
-		"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEuMzAwODE5MzhlKzA5LCJodHRwOi8vZXhhbXBsZS5jb20vaXNfcm9vdCI6dHJ1ZSwiaXNzIjoiam9lIn0.CN7YijRX6Aw1n2jyI2Id1w90ja-DEMYiWixhYCyHnrZ1VfJRaFQz1bEbjjA5Fn4CLYaUG432dEYmSbS4Saokmw",
-		"HS512",
-		map[string]interface{}{"iss": "joe", "exp": 1300819380, "http://example.com/is_root": true},
-		true,
-	},
-	{
-		"web sample: invalid",
-		"eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXo",
-		"HS256",
-		map[string]interface{}{"iss": "joe", "exp": 1300819380, "http://example.com/is_root": true},
-		false,
-	},
-}
-
-// Sample data from http://tools.ietf.org/html/draft-jones-json-web-signature-04#appendix-A.1
-var hmacTestKey, _ = ioutil.ReadFile("test/hmacTestKey")
-
-func TestHMACVerify(t *testing.T) {
-	for _, data := range hmacTestData {
-		parts := strings.Split(data.tokenString, ".")
-
-		method := jwt.GetSigningMethod(data.alg)
-		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], hmacTestKey)
-		if data.valid && err != nil {
-			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
-		}
-		if !data.valid && err == nil {
-			t.Errorf("[%v] Invalid key passed validation", data.name)
-		}
-	}
-}
-
-func TestHMACSign(t *testing.T) {
-	for _, data := range hmacTestData {
-		if data.valid {
-			parts := strings.Split(data.tokenString, ".")
-			method := jwt.GetSigningMethod(data.alg)
-			sig, err := method.Sign(strings.Join(parts[0:2], "."), hmacTestKey)
-			if err != nil {
-				t.Errorf("[%v] Error signing token: %v", data.name, err)
-			}
-			if sig != parts[2] {
-				t.Errorf("[%v] Incorrect signature.\nwas:\n%v\nexpecting:\n%v", data.name, sig, parts[2])
-			}
-		}
-	}
-}
-
-func BenchmarkHS256Signing(b *testing.B) {
-	benchmarkSigning(b, jwt.SigningMethodHS256, hmacTestKey)
-}
-
-func BenchmarkHS384Signing(b *testing.B) {
-	benchmarkSigning(b, jwt.SigningMethodHS384, hmacTestKey)
-}
-
-func BenchmarkHS512Signing(b *testing.B) {
-	benchmarkSigning(b, jwt.SigningMethodHS512, hmacTestKey)
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/http_example_test.go b/vendor/github.com/dgrijalva/jwt-go/http_example_test.go
deleted file mode 100644
index 82e9c50a..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/http_example_test.go
+++ /dev/null
@@ -1,216 +0,0 @@
-package jwt_test
-
-// Example HTTP auth using asymmetric crypto/RSA keys
-// This is based on a (now outdated) example at https://gist.github.com/cryptix/45c33ecf0ae54828e63b
-
-import (
-	"bytes"
-	"crypto/rsa"
-	"fmt"
-	"github.com/dgrijalva/jwt-go"
-	"github.com/dgrijalva/jwt-go/request"
-	"io"
-	"io/ioutil"
-	"log"
-	"net"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
-)
-
-// location of the files used for signing and verification
-const (
-	privKeyPath = "test/sample_key"     // openssl genrsa -out app.rsa keysize
-	pubKeyPath  = "test/sample_key.pub" // openssl rsa -in app.rsa -pubout > app.rsa.pub
-)
-
-var (
-	verifyKey  *rsa.PublicKey
-	signKey    *rsa.PrivateKey
-	serverPort int
-	// storing sample username/password pairs
-	// don't do this on a real server
-	users = map[string]string{
-		"test": "known",
-	}
-)
-
-// read the key files before starting http handlers
-func init() {
-	signBytes, err := ioutil.ReadFile(privKeyPath)
-	fatal(err)
-
-	signKey, err = jwt.ParseRSAPrivateKeyFromPEM(signBytes)
-	fatal(err)
-
-	verifyBytes, err := ioutil.ReadFile(pubKeyPath)
-	fatal(err)
-
-	verifyKey, err = jwt.ParseRSAPublicKeyFromPEM(verifyBytes)
-	fatal(err)
-
-	http.HandleFunc("/authenticate", authHandler)
-	http.HandleFunc("/restricted", restrictedHandler)
-
-	// Setup listener
-	listener, err := net.ListenTCP("tcp", &net.TCPAddr{})
-	serverPort = listener.Addr().(*net.TCPAddr).Port
-
-	log.Println("Listening...")
-	go func() {
-		fatal(http.Serve(listener, nil))
-	}()
-}
-
-var start func()
-
-func fatal(err error) {
-	if err != nil {
-		log.Fatal(err)
-	}
-}
-
-// Define some custom types were going to use within our tokens
-type CustomerInfo struct {
-	Name string
-	Kind string
-}
-
-type CustomClaimsExample struct {
-	*jwt.StandardClaims
-	TokenType string
-	CustomerInfo
-}
-
-func Example_getTokenViaHTTP() {
-	// See func authHandler for an example auth handler that produces a token
-	res, err := http.PostForm(fmt.Sprintf("http://localhost:%v/authenticate", serverPort), url.Values{
-		"user": {"test"},
-		"pass": {"known"},
-	})
-	if err != nil {
-		fatal(err)
-	}
-
-	if res.StatusCode != 200 {
-		fmt.Println("Unexpected status code", res.StatusCode)
-	}
-
-	// Read the token out of the response body
-	buf := new(bytes.Buffer)
-	io.Copy(buf, res.Body)
-	res.Body.Close()
-	tokenString := strings.TrimSpace(buf.String())
-
-	// Parse the token
-	token, err := jwt.ParseWithClaims(tokenString, &CustomClaimsExample{}, func(token *jwt.Token) (interface{}, error) {
-		// since we only use the one private key to sign the tokens,
-		// we also only use its public counter part to verify
-		return verifyKey, nil
-	})
-	fatal(err)
-
-	claims := token.Claims.(*CustomClaimsExample)
-	fmt.Println(claims.CustomerInfo.Name)
-
-	//Output: test
-}
-
-func Example_useTokenViaHTTP() {
-
-	// Make a sample token
-	// In a real world situation, this token will have been acquired from
-	// some other API call (see Example_getTokenViaHTTP)
-	token, err := createToken("foo")
-	fatal(err)
-
-	// Make request.  See func restrictedHandler for example request processor
-	req, err := http.NewRequest("GET", fmt.Sprintf("http://localhost:%v/restricted", serverPort), nil)
-	fatal(err)
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", token))
-	res, err := http.DefaultClient.Do(req)
-	fatal(err)
-
-	// Read the response body
-	buf := new(bytes.Buffer)
-	io.Copy(buf, res.Body)
-	res.Body.Close()
-	fmt.Println(buf.String())
-
-	// Output: Welcome, foo
-}
-
-func createToken(user string) (string, error) {
-	// create a signer for rsa 256
-	t := jwt.New(jwt.GetSigningMethod("RS256"))
-
-	// set our claims
-	t.Claims = &CustomClaimsExample{
-		&jwt.StandardClaims{
-			// set the expire time
-			// see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4.1.4
-			ExpiresAt: time.Now().Add(time.Minute * 1).Unix(),
-		},
-		"level1",
-		CustomerInfo{user, "human"},
-	}
-
-	// Creat token string
-	return t.SignedString(signKey)
-}
-
-// reads the form values, checks them and creates the token
-func authHandler(w http.ResponseWriter, r *http.Request) {
-	// make sure its post
-	if r.Method != "POST" {
-		w.WriteHeader(http.StatusBadRequest)
-		fmt.Fprintln(w, "No POST", r.Method)
-		return
-	}
-
-	user := r.FormValue("user")
-	pass := r.FormValue("pass")
-
-	log.Printf("Authenticate: user[%s] pass[%s]\n", user, pass)
-
-	// check values
-	if user != "test" || pass != "known" {
-		w.WriteHeader(http.StatusForbidden)
-		fmt.Fprintln(w, "Wrong info")
-		return
-	}
-
-	tokenString, err := createToken(user)
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		fmt.Fprintln(w, "Sorry, error while Signing Token!")
-		log.Printf("Token Signing error: %v\n", err)
-		return
-	}
-
-	w.Header().Set("Content-Type", "application/jwt")
-	w.WriteHeader(http.StatusOK)
-	fmt.Fprintln(w, tokenString)
-}
-
-// only accessible with a valid token
-func restrictedHandler(w http.ResponseWriter, r *http.Request) {
-	// Get token from request
-	token, err := request.ParseFromRequestWithClaims(r, request.OAuth2Extractor, &CustomClaimsExample{}, func(token *jwt.Token) (interface{}, error) {
-		// since we only use the one private key to sign the tokens,
-		// we also only use its public counter part to verify
-		return verifyKey, nil
-	})
-
-	// If the token is missing or invalid, return error
-	if err != nil {
-		w.WriteHeader(http.StatusUnauthorized)
-		fmt.Fprintln(w, "Invalid token:", err)
-		return
-	}
-
-	// Token is valid
-	fmt.Fprintln(w, "Welcome,", token.Claims.(*CustomClaimsExample).Name)
-	return
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/map_claims.go b/vendor/github.com/dgrijalva/jwt-go/map_claims.go
deleted file mode 100644
index 291213c4..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/map_claims.go
+++ /dev/null
@@ -1,94 +0,0 @@
-package jwt
-
-import (
-	"encoding/json"
-	"errors"
-	// "fmt"
-)
-
-// Claims type that uses the map[string]interface{} for JSON decoding
-// This is the default claims type if you don't supply one
-type MapClaims map[string]interface{}
-
-// Compares the aud claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (m MapClaims) VerifyAudience(cmp string, req bool) bool {
-	aud, _ := m["aud"].(string)
-	return verifyAud(aud, cmp, req)
-}
-
-// Compares the exp claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (m MapClaims) VerifyExpiresAt(cmp int64, req bool) bool {
-	switch exp := m["exp"].(type) {
-	case float64:
-		return verifyExp(int64(exp), cmp, req)
-	case json.Number:
-		v, _ := exp.Int64()
-		return verifyExp(v, cmp, req)
-	}
-	return req == false
-}
-
-// Compares the iat claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (m MapClaims) VerifyIssuedAt(cmp int64, req bool) bool {
-	switch iat := m["iat"].(type) {
-	case float64:
-		return verifyIat(int64(iat), cmp, req)
-	case json.Number:
-		v, _ := iat.Int64()
-		return verifyIat(v, cmp, req)
-	}
-	return req == false
-}
-
-// Compares the iss claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (m MapClaims) VerifyIssuer(cmp string, req bool) bool {
-	iss, _ := m["iss"].(string)
-	return verifyIss(iss, cmp, req)
-}
-
-// Compares the nbf claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (m MapClaims) VerifyNotBefore(cmp int64, req bool) bool {
-	switch nbf := m["nbf"].(type) {
-	case float64:
-		return verifyNbf(int64(nbf), cmp, req)
-	case json.Number:
-		v, _ := nbf.Int64()
-		return verifyNbf(v, cmp, req)
-	}
-	return req == false
-}
-
-// Validates time based claims "exp, iat, nbf".
-// There is no accounting for clock skew.
-// As well, if any of the above claims are not in the token, it will still
-// be considered a valid claim.
-func (m MapClaims) Valid() error {
-	vErr := new(ValidationError)
-	now := TimeFunc().Unix()
-
-	if m.VerifyExpiresAt(now, false) == false {
-		vErr.Inner = errors.New("Token is expired")
-		vErr.Errors |= ValidationErrorExpired
-	}
-
-	if m.VerifyIssuedAt(now, false) == false {
-		vErr.Inner = errors.New("Token used before issued")
-		vErr.Errors |= ValidationErrorIssuedAt
-	}
-
-	if m.VerifyNotBefore(now, false) == false {
-		vErr.Inner = errors.New("Token is not valid yet")
-		vErr.Errors |= ValidationErrorNotValidYet
-	}
-
-	if vErr.valid() {
-		return nil
-	}
-
-	return vErr
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/none.go b/vendor/github.com/dgrijalva/jwt-go/none.go
deleted file mode 100644
index f04d189d..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/none.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package jwt
-
-// Implements the none signing method.  This is required by the spec
-// but you probably should never use it.
-var SigningMethodNone *signingMethodNone
-
-const UnsafeAllowNoneSignatureType unsafeNoneMagicConstant = "none signing method allowed"
-
-var NoneSignatureTypeDisallowedError error
-
-type signingMethodNone struct{}
-type unsafeNoneMagicConstant string
-
-func init() {
-	SigningMethodNone = &signingMethodNone{}
-	NoneSignatureTypeDisallowedError = NewValidationError("'none' signature type is not allowed", ValidationErrorSignatureInvalid)
-
-	RegisterSigningMethod(SigningMethodNone.Alg(), func() SigningMethod {
-		return SigningMethodNone
-	})
-}
-
-func (m *signingMethodNone) Alg() string {
-	return "none"
-}
-
-// Only allow 'none' alg type if UnsafeAllowNoneSignatureType is specified as the key
-func (m *signingMethodNone) Verify(signingString, signature string, key interface{}) (err error) {
-	// Key must be UnsafeAllowNoneSignatureType to prevent accidentally
-	// accepting 'none' signing method
-	if _, ok := key.(unsafeNoneMagicConstant); !ok {
-		return NoneSignatureTypeDisallowedError
-	}
-	// If signing method is none, signature must be an empty string
-	if signature != "" {
-		return NewValidationError(
-			"'none' signing method with non-empty signature",
-			ValidationErrorSignatureInvalid,
-		)
-	}
-
-	// Accept 'none' signing method.
-	return nil
-}
-
-// Only allow 'none' signing if UnsafeAllowNoneSignatureType is specified as the key
-func (m *signingMethodNone) Sign(signingString string, key interface{}) (string, error) {
-	if _, ok := key.(unsafeNoneMagicConstant); ok {
-		return "", nil
-	}
-	return "", NoneSignatureTypeDisallowedError
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/none_test.go b/vendor/github.com/dgrijalva/jwt-go/none_test.go
deleted file mode 100644
index 29a69efe..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/none_test.go
+++ /dev/null
@@ -1,72 +0,0 @@
-package jwt_test
-
-import (
-	"github.com/dgrijalva/jwt-go"
-	"strings"
-	"testing"
-)
-
-var noneTestData = []struct {
-	name        string
-	tokenString string
-	alg         string
-	key         interface{}
-	claims      map[string]interface{}
-	valid       bool
-}{
-	{
-		"Basic",
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.",
-		"none",
-		jwt.UnsafeAllowNoneSignatureType,
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"Basic - no key",
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.",
-		"none",
-		nil,
-		map[string]interface{}{"foo": "bar"},
-		false,
-	},
-	{
-		"Signed",
-		"eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.W-jEzRfBigtCWsinvVVuldiuilzVdU5ty0MvpLaSaqK9PlAWWlDQ1VIQ_qSKzwL5IXaZkvZFJXT3yL3n7OUVu7zCNJzdwznbC8Z-b0z2lYvcklJYi2VOFRcGbJtXUqgjk2oGsiqUMUMOLP70TTefkpsgqDxbRh9CDUfpOJgW-dU7cmgaoswe3wjUAUi6B6G2YEaiuXC0XScQYSYVKIzgKXJV8Zw-7AN_DBUI4GkTpsvQ9fVVjZM9csQiEXhYekyrKu1nu_POpQonGd8yqkIyXPECNmmqH5jH4sFiF67XhD7_JpkvLziBpI-uh86evBUadmHhb9Otqw3uV3NTaXLzJw",
-		"none",
-		jwt.UnsafeAllowNoneSignatureType,
-		map[string]interface{}{"foo": "bar"},
-		false,
-	},
-}
-
-func TestNoneVerify(t *testing.T) {
-	for _, data := range noneTestData {
-		parts := strings.Split(data.tokenString, ".")
-
-		method := jwt.GetSigningMethod(data.alg)
-		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], data.key)
-		if data.valid && err != nil {
-			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
-		}
-		if !data.valid && err == nil {
-			t.Errorf("[%v] Invalid key passed validation", data.name)
-		}
-	}
-}
-
-func TestNoneSign(t *testing.T) {
-	for _, data := range noneTestData {
-		if data.valid {
-			parts := strings.Split(data.tokenString, ".")
-			method := jwt.GetSigningMethod(data.alg)
-			sig, err := method.Sign(strings.Join(parts[0:2], "."), data.key)
-			if err != nil {
-				t.Errorf("[%v] Error signing token: %v", data.name, err)
-			}
-			if sig != parts[2] {
-				t.Errorf("[%v] Incorrect signature.\nwas:\n%v\nexpecting:\n%v", data.name, sig, parts[2])
-			}
-		}
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/parser.go b/vendor/github.com/dgrijalva/jwt-go/parser.go
deleted file mode 100644
index 7bf1c4ea..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/parser.go
+++ /dev/null
@@ -1,131 +0,0 @@
-package jwt
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"strings"
-)
-
-type Parser struct {
-	ValidMethods         []string // If populated, only these methods will be considered valid
-	UseJSONNumber        bool     // Use JSON Number format in JSON decoder
-	SkipClaimsValidation bool     // Skip claims validation during token parsing
-}
-
-// Parse, validate, and return a token.
-// keyFunc will receive the parsed token and should return the key for validating.
-// If everything is kosher, err will be nil
-func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
-	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
-}
-
-func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
-	parts := strings.Split(tokenString, ".")
-	if len(parts) != 3 {
-		return nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
-	}
-
-	var err error
-	token := &Token{Raw: tokenString}
-
-	// parse Header
-	var headerBytes []byte
-	if headerBytes, err = DecodeSegment(parts[0]); err != nil {
-		if strings.HasPrefix(strings.ToLower(tokenString), "bearer ") {
-			return token, NewValidationError("tokenstring should not contain 'bearer '", ValidationErrorMalformed)
-		}
-		return token, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
-	}
-	if err = json.Unmarshal(headerBytes, &token.Header); err != nil {
-		return token, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
-	}
-
-	// parse Claims
-	var claimBytes []byte
-	token.Claims = claims
-
-	if claimBytes, err = DecodeSegment(parts[1]); err != nil {
-		return token, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
-	}
-	dec := json.NewDecoder(bytes.NewBuffer(claimBytes))
-	if p.UseJSONNumber {
-		dec.UseNumber()
-	}
-	// JSON Decode.  Special case for map type to avoid weird pointer behavior
-	if c, ok := token.Claims.(MapClaims); ok {
-		err = dec.Decode(&c)
-	} else {
-		err = dec.Decode(&claims)
-	}
-	// Handle decode error
-	if err != nil {
-		return token, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
-	}
-
-	// Lookup signature method
-	if method, ok := token.Header["alg"].(string); ok {
-		if token.Method = GetSigningMethod(method); token.Method == nil {
-			return token, NewValidationError("signing method (alg) is unavailable.", ValidationErrorUnverifiable)
-		}
-	} else {
-		return token, NewValidationError("signing method (alg) is unspecified.", ValidationErrorUnverifiable)
-	}
-
-	// Verify signing method is in the required set
-	if p.ValidMethods != nil {
-		var signingMethodValid = false
-		var alg = token.Method.Alg()
-		for _, m := range p.ValidMethods {
-			if m == alg {
-				signingMethodValid = true
-				break
-			}
-		}
-		if !signingMethodValid {
-			// signing method is not in the listed set
-			return token, NewValidationError(fmt.Sprintf("signing method %v is invalid", alg), ValidationErrorSignatureInvalid)
-		}
-	}
-
-	// Lookup key
-	var key interface{}
-	if keyFunc == nil {
-		// keyFunc was not provided.  short circuiting validation
-		return token, NewValidationError("no Keyfunc was provided.", ValidationErrorUnverifiable)
-	}
-	if key, err = keyFunc(token); err != nil {
-		// keyFunc returned an error
-		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
-	}
-
-	vErr := &ValidationError{}
-
-	// Validate Claims
-	if !p.SkipClaimsValidation {
-		if err := token.Claims.Valid(); err != nil {
-
-			// If the Claims Valid returned an error, check if it is a validation error,
-			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
-			if e, ok := err.(*ValidationError); !ok {
-				vErr = &ValidationError{Inner: err, Errors: ValidationErrorClaimsInvalid}
-			} else {
-				vErr = e
-			}
-		}
-	}
-
-	// Perform validation
-	token.Signature = parts[2]
-	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
-		vErr.Inner = err
-		vErr.Errors |= ValidationErrorSignatureInvalid
-	}
-
-	if vErr.valid() {
-		token.Valid = true
-		return token, nil
-	}
-
-	return token, vErr
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/parser_test.go b/vendor/github.com/dgrijalva/jwt-go/parser_test.go
deleted file mode 100644
index f8ad6f90..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/parser_test.go
+++ /dev/null
@@ -1,261 +0,0 @@
-package jwt_test
-
-import (
-	"crypto/rsa"
-	"encoding/json"
-	"fmt"
-	"reflect"
-	"testing"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-	"github.com/dgrijalva/jwt-go/test"
-)
-
-var keyFuncError error = fmt.Errorf("error loading key")
-
-var (
-	jwtTestDefaultKey *rsa.PublicKey
-	defaultKeyFunc    jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestDefaultKey, nil }
-	emptyKeyFunc      jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, nil }
-	errorKeyFunc      jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, keyFuncError }
-	nilKeyFunc        jwt.Keyfunc = nil
-)
-
-func init() {
-	jwtTestDefaultKey = test.LoadRSAPublicKeyFromDisk("test/sample_key.pub")
-}
-
-var jwtTestData = []struct {
-	name        string
-	tokenString string
-	keyfunc     jwt.Keyfunc
-	claims      jwt.Claims
-	valid       bool
-	errors      uint32
-	parser      *jwt.Parser
-}{
-	{
-		"basic",
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar"},
-		true,
-		0,
-		nil,
-	},
-	{
-		"basic expired",
-		"", // autogen
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar", "exp": float64(time.Now().Unix() - 100)},
-		false,
-		jwt.ValidationErrorExpired,
-		nil,
-	},
-	{
-		"basic nbf",
-		"", // autogen
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar", "nbf": float64(time.Now().Unix() + 100)},
-		false,
-		jwt.ValidationErrorNotValidYet,
-		nil,
-	},
-	{
-		"expired and nbf",
-		"", // autogen
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar", "nbf": float64(time.Now().Unix() + 100), "exp": float64(time.Now().Unix() - 100)},
-		false,
-		jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
-		nil,
-	},
-	{
-		"basic invalid",
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.EhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar"},
-		false,
-		jwt.ValidationErrorSignatureInvalid,
-		nil,
-	},
-	{
-		"basic nokeyfunc",
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
-		nilKeyFunc,
-		jwt.MapClaims{"foo": "bar"},
-		false,
-		jwt.ValidationErrorUnverifiable,
-		nil,
-	},
-	{
-		"basic nokey",
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
-		emptyKeyFunc,
-		jwt.MapClaims{"foo": "bar"},
-		false,
-		jwt.ValidationErrorSignatureInvalid,
-		nil,
-	},
-	{
-		"basic errorkey",
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
-		errorKeyFunc,
-		jwt.MapClaims{"foo": "bar"},
-		false,
-		jwt.ValidationErrorUnverifiable,
-		nil,
-	},
-	{
-		"invalid signing method",
-		"",
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar"},
-		false,
-		jwt.ValidationErrorSignatureInvalid,
-		&jwt.Parser{ValidMethods: []string{"HS256"}},
-	},
-	{
-		"valid signing method",
-		"",
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar"},
-		true,
-		0,
-		&jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
-	},
-	{
-		"JSON Number",
-		"",
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": json.Number("123.4")},
-		true,
-		0,
-		&jwt.Parser{UseJSONNumber: true},
-	},
-	{
-		"Standard Claims",
-		"",
-		defaultKeyFunc,
-		&jwt.StandardClaims{
-			ExpiresAt: time.Now().Add(time.Second * 10).Unix(),
-		},
-		true,
-		0,
-		&jwt.Parser{UseJSONNumber: true},
-	},
-	{
-		"JSON Number - basic expired",
-		"", // autogen
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar", "exp": json.Number(fmt.Sprintf("%v", time.Now().Unix()-100))},
-		false,
-		jwt.ValidationErrorExpired,
-		&jwt.Parser{UseJSONNumber: true},
-	},
-	{
-		"JSON Number - basic nbf",
-		"", // autogen
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar", "nbf": json.Number(fmt.Sprintf("%v", time.Now().Unix()+100))},
-		false,
-		jwt.ValidationErrorNotValidYet,
-		&jwt.Parser{UseJSONNumber: true},
-	},
-	{
-		"JSON Number - expired and nbf",
-		"", // autogen
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar", "nbf": json.Number(fmt.Sprintf("%v", time.Now().Unix()+100)), "exp": json.Number(fmt.Sprintf("%v", time.Now().Unix()-100))},
-		false,
-		jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
-		&jwt.Parser{UseJSONNumber: true},
-	},
-	{
-		"SkipClaimsValidation during token parsing",
-		"", // autogen
-		defaultKeyFunc,
-		jwt.MapClaims{"foo": "bar", "nbf": json.Number(fmt.Sprintf("%v", time.Now().Unix()+100))},
-		true,
-		0,
-		&jwt.Parser{UseJSONNumber: true, SkipClaimsValidation: true},
-	},
-}
-
-func TestParser_Parse(t *testing.T) {
-	privateKey := test.LoadRSAPrivateKeyFromDisk("test/sample_key")
-
-	// Iterate over test data set and run tests
-	for _, data := range jwtTestData {
-		// If the token string is blank, use helper function to generate string
-		if data.tokenString == "" {
-			data.tokenString = test.MakeSampleToken(data.claims, privateKey)
-		}
-
-		// Parse the token
-		var token *jwt.Token
-		var err error
-		var parser = data.parser
-		if parser == nil {
-			parser = new(jwt.Parser)
-		}
-		// Figure out correct claims type
-		switch data.claims.(type) {
-		case jwt.MapClaims:
-			token, err = parser.ParseWithClaims(data.tokenString, jwt.MapClaims{}, data.keyfunc)
-		case *jwt.StandardClaims:
-			token, err = parser.ParseWithClaims(data.tokenString, &jwt.StandardClaims{}, data.keyfunc)
-		}
-
-		// Verify result matches expectation
-		if !reflect.DeepEqual(data.claims, token.Claims) {
-			t.Errorf("[%v] Claims mismatch. Expecting: %v  Got: %v", data.name, data.claims, token.Claims)
-		}
-
-		if data.valid && err != nil {
-			t.Errorf("[%v] Error while verifying token: %T:%v", data.name, err, err)
-		}
-
-		if !data.valid && err == nil {
-			t.Errorf("[%v] Invalid token passed validation", data.name)
-		}
-
-		if (err == nil && !token.Valid) || (err != nil && token.Valid) {
-			t.Errorf("[%v] Inconsistent behavior between returned error and token.Valid", data.name)
-		}
-
-		if data.errors != 0 {
-			if err == nil {
-				t.Errorf("[%v] Expecting error.  Didn't get one.", data.name)
-			} else {
-
-				ve := err.(*jwt.ValidationError)
-				// compare the bitfield part of the error
-				if e := ve.Errors; e != data.errors {
-					t.Errorf("[%v] Errors don't match expectation.  %v != %v", data.name, e, data.errors)
-				}
-
-				if err.Error() == keyFuncError.Error() && ve.Inner != keyFuncError {
-					t.Errorf("[%v] Inner error does not match expectation.  %v != %v", data.name, ve.Inner, keyFuncError)
-				}
-			}
-		}
-		if data.valid && token.Signature == "" {
-			t.Errorf("[%v] Signature is left unpopulated after parsing", data.name)
-		}
-	}
-}
-
-// Helper method for benchmarking various methods
-func benchmarkSigning(b *testing.B, method jwt.SigningMethod, key interface{}) {
-	t := jwt.New(method)
-	b.RunParallel(func(pb *testing.PB) {
-		for pb.Next() {
-			if _, err := t.SignedString(key); err != nil {
-				b.Fatal(err)
-			}
-		}
-	})
-
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/request/doc.go b/vendor/github.com/dgrijalva/jwt-go/request/doc.go
deleted file mode 100644
index c01069c9..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/request/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Utility package for extracting JWT tokens from
-// HTTP requests.
-//
-// The main function is ParseFromRequest and it's WithClaims variant.
-// See examples for how to use the various Extractor implementations
-// or roll your own.
-package request
diff --git a/vendor/github.com/dgrijalva/jwt-go/request/extractor.go b/vendor/github.com/dgrijalva/jwt-go/request/extractor.go
deleted file mode 100644
index 14414fe2..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/request/extractor.go
+++ /dev/null
@@ -1,81 +0,0 @@
-package request
-
-import (
-	"errors"
-	"net/http"
-)
-
-// Errors
-var (
-	ErrNoTokenInRequest = errors.New("no token present in request")
-)
-
-// Interface for extracting a token from an HTTP request.
-// The ExtractToken method should return a token string or an error.
-// If no token is present, you must return ErrNoTokenInRequest.
-type Extractor interface {
-	ExtractToken(*http.Request) (string, error)
-}
-
-// Extractor for finding a token in a header.  Looks at each specified
-// header in order until there's a match
-type HeaderExtractor []string
-
-func (e HeaderExtractor) ExtractToken(req *http.Request) (string, error) {
-	// loop over header names and return the first one that contains data
-	for _, header := range e {
-		if ah := req.Header.Get(header); ah != "" {
-			return ah, nil
-		}
-	}
-	return "", ErrNoTokenInRequest
-}
-
-// Extract token from request arguments.  This includes a POSTed form or
-// GET URL arguments.  Argument names are tried in order until there's a match.
-// This extractor calls `ParseMultipartForm` on the request
-type ArgumentExtractor []string
-
-func (e ArgumentExtractor) ExtractToken(req *http.Request) (string, error) {
-	// Make sure form is parsed
-	req.ParseMultipartForm(10e6)
-
-	// loop over arg names and return the first one that contains data
-	for _, arg := range e {
-		if ah := req.Form.Get(arg); ah != "" {
-			return ah, nil
-		}
-	}
-
-	return "", ErrNoTokenInRequest
-}
-
-// Tries Extractors in order until one returns a token string or an error occurs
-type MultiExtractor []Extractor
-
-func (e MultiExtractor) ExtractToken(req *http.Request) (string, error) {
-	// loop over header names and return the first one that contains data
-	for _, extractor := range e {
-		if tok, err := extractor.ExtractToken(req); tok != "" {
-			return tok, nil
-		} else if err != ErrNoTokenInRequest {
-			return "", err
-		}
-	}
-	return "", ErrNoTokenInRequest
-}
-
-// Wrap an Extractor in this to post-process the value before it's handed off.
-// See AuthorizationHeaderExtractor for an example
-type PostExtractionFilter struct {
-	Extractor
-	Filter func(string) (string, error)
-}
-
-func (e *PostExtractionFilter) ExtractToken(req *http.Request) (string, error) {
-	if tok, err := e.Extractor.ExtractToken(req); tok != "" {
-		return e.Filter(tok)
-	} else {
-		return "", err
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/request/extractor_example_test.go b/vendor/github.com/dgrijalva/jwt-go/request/extractor_example_test.go
deleted file mode 100644
index a994ffe5..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/request/extractor_example_test.go
+++ /dev/null
@@ -1,32 +0,0 @@
-package request
-
-import (
-	"fmt"
-	"net/url"
-)
-
-const (
-	exampleTokenA = "A"
-)
-
-func ExampleHeaderExtractor() {
-	req := makeExampleRequest("GET", "/", map[string]string{"Token": exampleTokenA}, nil)
-	tokenString, err := HeaderExtractor{"Token"}.ExtractToken(req)
-	if err == nil {
-		fmt.Println(tokenString)
-	} else {
-		fmt.Println(err)
-	}
-	//Output: A
-}
-
-func ExampleArgumentExtractor() {
-	req := makeExampleRequest("GET", "/", nil, url.Values{"token": {extractorTestTokenA}})
-	tokenString, err := ArgumentExtractor{"token"}.ExtractToken(req)
-	if err == nil {
-		fmt.Println(tokenString)
-	} else {
-		fmt.Println(err)
-	}
-	//Output: A
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/request/extractor_test.go b/vendor/github.com/dgrijalva/jwt-go/request/extractor_test.go
deleted file mode 100644
index e3bbb0a3..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/request/extractor_test.go
+++ /dev/null
@@ -1,91 +0,0 @@
-package request
-
-import (
-	"fmt"
-	"net/http"
-	"net/url"
-	"testing"
-)
-
-var extractorTestTokenA = "A"
-var extractorTestTokenB = "B"
-
-var extractorTestData = []struct {
-	name      string
-	extractor Extractor
-	headers   map[string]string
-	query     url.Values
-	token     string
-	err       error
-}{
-	{
-		name:      "simple header",
-		extractor: HeaderExtractor{"Foo"},
-		headers:   map[string]string{"Foo": extractorTestTokenA},
-		query:     nil,
-		token:     extractorTestTokenA,
-		err:       nil,
-	},
-	{
-		name:      "simple argument",
-		extractor: ArgumentExtractor{"token"},
-		headers:   map[string]string{},
-		query:     url.Values{"token": {extractorTestTokenA}},
-		token:     extractorTestTokenA,
-		err:       nil,
-	},
-	{
-		name: "multiple extractors",
-		extractor: MultiExtractor{
-			HeaderExtractor{"Foo"},
-			ArgumentExtractor{"token"},
-		},
-		headers: map[string]string{"Foo": extractorTestTokenA},
-		query:   url.Values{"token": {extractorTestTokenB}},
-		token:   extractorTestTokenA,
-		err:     nil,
-	},
-	{
-		name:      "simple miss",
-		extractor: HeaderExtractor{"This-Header-Is-Not-Set"},
-		headers:   map[string]string{"Foo": extractorTestTokenA},
-		query:     nil,
-		token:     "",
-		err:       ErrNoTokenInRequest,
-	},
-	{
-		name:      "filter",
-		extractor: AuthorizationHeaderExtractor,
-		headers:   map[string]string{"Authorization": "Bearer " + extractorTestTokenA},
-		query:     nil,
-		token:     extractorTestTokenA,
-		err:       nil,
-	},
-}
-
-func TestExtractor(t *testing.T) {
-	// Bearer token request
-	for _, data := range extractorTestData {
-		// Make request from test struct
-		r := makeExampleRequest("GET", "/", data.headers, data.query)
-
-		// Test extractor
-		token, err := data.extractor.ExtractToken(r)
-		if token != data.token {
-			t.Errorf("[%v] Expected token '%v'.  Got '%v'", data.name, data.token, token)
-			continue
-		}
-		if err != data.err {
-			t.Errorf("[%v] Expected error '%v'.  Got '%v'", data.name, data.err, err)
-			continue
-		}
-	}
-}
-
-func makeExampleRequest(method, path string, headers map[string]string, urlArgs url.Values) *http.Request {
-	r, _ := http.NewRequest(method, fmt.Sprintf("%v?%v", path, urlArgs.Encode()), nil)
-	for k, v := range headers {
-		r.Header.Set(k, v)
-	}
-	return r
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/request/oauth2.go b/vendor/github.com/dgrijalva/jwt-go/request/oauth2.go
deleted file mode 100644
index 5948694a..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/request/oauth2.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package request
-
-import (
-	"strings"
-)
-
-// Strips 'Bearer ' prefix from bearer token string
-func stripBearerPrefixFromTokenString(tok string) (string, error) {
-	// Should be a bearer token
-	if len(tok) > 6 && strings.ToUpper(tok[0:7]) == "BEARER " {
-		return tok[7:], nil
-	}
-	return tok, nil
-}
-
-// Extract bearer token from Authorization header
-// Uses PostExtractionFilter to strip "Bearer " prefix from header
-var AuthorizationHeaderExtractor = &PostExtractionFilter{
-	HeaderExtractor{"Authorization"},
-	stripBearerPrefixFromTokenString,
-}
-
-// Extractor for OAuth2 access tokens.  Looks in 'Authorization'
-// header then 'access_token' argument for a token.
-var OAuth2Extractor = &MultiExtractor{
-	AuthorizationHeaderExtractor,
-	ArgumentExtractor{"access_token"},
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/request/request.go b/vendor/github.com/dgrijalva/jwt-go/request/request.go
deleted file mode 100644
index 1807b396..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/request/request.go
+++ /dev/null
@@ -1,24 +0,0 @@
-package request
-
-import (
-	"github.com/dgrijalva/jwt-go"
-	"net/http"
-)
-
-// Extract and parse a JWT token from an HTTP request.
-// This behaves the same as Parse, but accepts a request and an extractor
-// instead of a token string.  The Extractor interface allows you to define
-// the logic for extracting a token.  Several useful implementations are provided.
-func ParseFromRequest(req *http.Request, extractor Extractor, keyFunc jwt.Keyfunc) (token *jwt.Token, err error) {
-	return ParseFromRequestWithClaims(req, extractor, jwt.MapClaims{}, keyFunc)
-}
-
-// ParseFromRequest but with custom Claims type
-func ParseFromRequestWithClaims(req *http.Request, extractor Extractor, claims jwt.Claims, keyFunc jwt.Keyfunc) (token *jwt.Token, err error) {
-	// Extract token from request
-	if tokStr, err := extractor.ExtractToken(req); err == nil {
-		return jwt.ParseWithClaims(tokStr, claims, keyFunc)
-	} else {
-		return nil, err
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/request/request_test.go b/vendor/github.com/dgrijalva/jwt-go/request/request_test.go
deleted file mode 100644
index b4365cd8..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/request/request_test.go
+++ /dev/null
@@ -1,103 +0,0 @@
-package request
-
-import (
-	"fmt"
-	"github.com/dgrijalva/jwt-go"
-	"github.com/dgrijalva/jwt-go/test"
-	"net/http"
-	"net/url"
-	"reflect"
-	"strings"
-	"testing"
-)
-
-var requestTestData = []struct {
-	name      string
-	claims    jwt.MapClaims
-	extractor Extractor
-	headers   map[string]string
-	query     url.Values
-	valid     bool
-}{
-	{
-		"authorization bearer token",
-		jwt.MapClaims{"foo": "bar"},
-		AuthorizationHeaderExtractor,
-		map[string]string{"Authorization": "Bearer %v"},
-		url.Values{},
-		true,
-	},
-	{
-		"oauth bearer token - header",
-		jwt.MapClaims{"foo": "bar"},
-		OAuth2Extractor,
-		map[string]string{"Authorization": "Bearer %v"},
-		url.Values{},
-		true,
-	},
-	{
-		"oauth bearer token - url",
-		jwt.MapClaims{"foo": "bar"},
-		OAuth2Extractor,
-		map[string]string{},
-		url.Values{"access_token": {"%v"}},
-		true,
-	},
-	{
-		"url token",
-		jwt.MapClaims{"foo": "bar"},
-		ArgumentExtractor{"token"},
-		map[string]string{},
-		url.Values{"token": {"%v"}},
-		true,
-	},
-}
-
-func TestParseRequest(t *testing.T) {
-	// load keys from disk
-	privateKey := test.LoadRSAPrivateKeyFromDisk("../test/sample_key")
-	publicKey := test.LoadRSAPublicKeyFromDisk("../test/sample_key.pub")
-	keyfunc := func(*jwt.Token) (interface{}, error) {
-		return publicKey, nil
-	}
-
-	// Bearer token request
-	for _, data := range requestTestData {
-		// Make token from claims
-		tokenString := test.MakeSampleToken(data.claims, privateKey)
-
-		// Make query string
-		for k, vv := range data.query {
-			for i, v := range vv {
-				if strings.Contains(v, "%v") {
-					data.query[k][i] = fmt.Sprintf(v, tokenString)
-				}
-			}
-		}
-
-		// Make request from test struct
-		r, _ := http.NewRequest("GET", fmt.Sprintf("/?%v", data.query.Encode()), nil)
-		for k, v := range data.headers {
-			if strings.Contains(v, "%v") {
-				r.Header.Set(k, fmt.Sprintf(v, tokenString))
-			} else {
-				r.Header.Set(k, tokenString)
-			}
-		}
-		token, err := ParseFromRequestWithClaims(r, data.extractor, jwt.MapClaims{}, keyfunc)
-
-		if token == nil {
-			t.Errorf("[%v] Token was not found: %v", data.name, err)
-			continue
-		}
-		if !reflect.DeepEqual(data.claims, token.Claims) {
-			t.Errorf("[%v] Claims mismatch. Expecting: %v  Got: %v", data.name, data.claims, token.Claims)
-		}
-		if data.valid && err != nil {
-			t.Errorf("[%v] Error while verifying token: %v", data.name, err)
-		}
-		if !data.valid && err == nil {
-			t.Errorf("[%v] Invalid token passed validation", data.name)
-		}
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/rsa.go b/vendor/github.com/dgrijalva/jwt-go/rsa.go
deleted file mode 100644
index 0ae0b198..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/rsa.go
+++ /dev/null
@@ -1,100 +0,0 @@
-package jwt
-
-import (
-	"crypto"
-	"crypto/rand"
-	"crypto/rsa"
-)
-
-// Implements the RSA family of signing methods signing methods
-type SigningMethodRSA struct {
-	Name string
-	Hash crypto.Hash
-}
-
-// Specific instances for RS256 and company
-var (
-	SigningMethodRS256 *SigningMethodRSA
-	SigningMethodRS384 *SigningMethodRSA
-	SigningMethodRS512 *SigningMethodRSA
-)
-
-func init() {
-	// RS256
-	SigningMethodRS256 = &SigningMethodRSA{"RS256", crypto.SHA256}
-	RegisterSigningMethod(SigningMethodRS256.Alg(), func() SigningMethod {
-		return SigningMethodRS256
-	})
-
-	// RS384
-	SigningMethodRS384 = &SigningMethodRSA{"RS384", crypto.SHA384}
-	RegisterSigningMethod(SigningMethodRS384.Alg(), func() SigningMethod {
-		return SigningMethodRS384
-	})
-
-	// RS512
-	SigningMethodRS512 = &SigningMethodRSA{"RS512", crypto.SHA512}
-	RegisterSigningMethod(SigningMethodRS512.Alg(), func() SigningMethod {
-		return SigningMethodRS512
-	})
-}
-
-func (m *SigningMethodRSA) Alg() string {
-	return m.Name
-}
-
-// Implements the Verify method from SigningMethod
-// For this signing method, must be an rsa.PublicKey structure.
-func (m *SigningMethodRSA) Verify(signingString, signature string, key interface{}) error {
-	var err error
-
-	// Decode the signature
-	var sig []byte
-	if sig, err = DecodeSegment(signature); err != nil {
-		return err
-	}
-
-	var rsaKey *rsa.PublicKey
-	var ok bool
-
-	if rsaKey, ok = key.(*rsa.PublicKey); !ok {
-		return ErrInvalidKeyType
-	}
-
-	// Create hasher
-	if !m.Hash.Available() {
-		return ErrHashUnavailable
-	}
-	hasher := m.Hash.New()
-	hasher.Write([]byte(signingString))
-
-	// Verify the signature
-	return rsa.VerifyPKCS1v15(rsaKey, m.Hash, hasher.Sum(nil), sig)
-}
-
-// Implements the Sign method from SigningMethod
-// For this signing method, must be an rsa.PrivateKey structure.
-func (m *SigningMethodRSA) Sign(signingString string, key interface{}) (string, error) {
-	var rsaKey *rsa.PrivateKey
-	var ok bool
-
-	// Validate type of key
-	if rsaKey, ok = key.(*rsa.PrivateKey); !ok {
-		return "", ErrInvalidKey
-	}
-
-	// Create the hasher
-	if !m.Hash.Available() {
-		return "", ErrHashUnavailable
-	}
-
-	hasher := m.Hash.New()
-	hasher.Write([]byte(signingString))
-
-	// Sign the string and return the encoded bytes
-	if sigBytes, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil)); err == nil {
-		return EncodeSegment(sigBytes), nil
-	} else {
-		return "", err
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/rsa_pss.go b/vendor/github.com/dgrijalva/jwt-go/rsa_pss.go
deleted file mode 100644
index 10ee9db8..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/rsa_pss.go
+++ /dev/null
@@ -1,126 +0,0 @@
-// +build go1.4
-
-package jwt
-
-import (
-	"crypto"
-	"crypto/rand"
-	"crypto/rsa"
-)
-
-// Implements the RSAPSS family of signing methods signing methods
-type SigningMethodRSAPSS struct {
-	*SigningMethodRSA
-	Options *rsa.PSSOptions
-}
-
-// Specific instances for RS/PS and company
-var (
-	SigningMethodPS256 *SigningMethodRSAPSS
-	SigningMethodPS384 *SigningMethodRSAPSS
-	SigningMethodPS512 *SigningMethodRSAPSS
-)
-
-func init() {
-	// PS256
-	SigningMethodPS256 = &SigningMethodRSAPSS{
-		&SigningMethodRSA{
-			Name: "PS256",
-			Hash: crypto.SHA256,
-		},
-		&rsa.PSSOptions{
-			SaltLength: rsa.PSSSaltLengthAuto,
-			Hash:       crypto.SHA256,
-		},
-	}
-	RegisterSigningMethod(SigningMethodPS256.Alg(), func() SigningMethod {
-		return SigningMethodPS256
-	})
-
-	// PS384
-	SigningMethodPS384 = &SigningMethodRSAPSS{
-		&SigningMethodRSA{
-			Name: "PS384",
-			Hash: crypto.SHA384,
-		},
-		&rsa.PSSOptions{
-			SaltLength: rsa.PSSSaltLengthAuto,
-			Hash:       crypto.SHA384,
-		},
-	}
-	RegisterSigningMethod(SigningMethodPS384.Alg(), func() SigningMethod {
-		return SigningMethodPS384
-	})
-
-	// PS512
-	SigningMethodPS512 = &SigningMethodRSAPSS{
-		&SigningMethodRSA{
-			Name: "PS512",
-			Hash: crypto.SHA512,
-		},
-		&rsa.PSSOptions{
-			SaltLength: rsa.PSSSaltLengthAuto,
-			Hash:       crypto.SHA512,
-		},
-	}
-	RegisterSigningMethod(SigningMethodPS512.Alg(), func() SigningMethod {
-		return SigningMethodPS512
-	})
-}
-
-// Implements the Verify method from SigningMethod
-// For this verify method, key must be an rsa.PublicKey struct
-func (m *SigningMethodRSAPSS) Verify(signingString, signature string, key interface{}) error {
-	var err error
-
-	// Decode the signature
-	var sig []byte
-	if sig, err = DecodeSegment(signature); err != nil {
-		return err
-	}
-
-	var rsaKey *rsa.PublicKey
-	switch k := key.(type) {
-	case *rsa.PublicKey:
-		rsaKey = k
-	default:
-		return ErrInvalidKey
-	}
-
-	// Create hasher
-	if !m.Hash.Available() {
-		return ErrHashUnavailable
-	}
-	hasher := m.Hash.New()
-	hasher.Write([]byte(signingString))
-
-	return rsa.VerifyPSS(rsaKey, m.Hash, hasher.Sum(nil), sig, m.Options)
-}
-
-// Implements the Sign method from SigningMethod
-// For this signing method, key must be an rsa.PrivateKey struct
-func (m *SigningMethodRSAPSS) Sign(signingString string, key interface{}) (string, error) {
-	var rsaKey *rsa.PrivateKey
-
-	switch k := key.(type) {
-	case *rsa.PrivateKey:
-		rsaKey = k
-	default:
-		return "", ErrInvalidKeyType
-	}
-
-	// Create the hasher
-	if !m.Hash.Available() {
-		return "", ErrHashUnavailable
-	}
-
-	hasher := m.Hash.New()
-	hasher.Write([]byte(signingString))
-
-	// Sign the string and return the encoded bytes
-	if sigBytes, err := rsa.SignPSS(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil), m.Options); err == nil {
-		return EncodeSegment(sigBytes), nil
-	} else {
-		return "", err
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/rsa_pss_test.go b/vendor/github.com/dgrijalva/jwt-go/rsa_pss_test.go
deleted file mode 100644
index 9045aaf3..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/rsa_pss_test.go
+++ /dev/null
@@ -1,96 +0,0 @@
-// +build go1.4
-
-package jwt_test
-
-import (
-	"crypto/rsa"
-	"io/ioutil"
-	"strings"
-	"testing"
-
-	"github.com/dgrijalva/jwt-go"
-)
-
-var rsaPSSTestData = []struct {
-	name        string
-	tokenString string
-	alg         string
-	claims      map[string]interface{}
-	valid       bool
-}{
-	{
-		"Basic PS256",
-		"eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.PPG4xyDVY8ffp4CcxofNmsTDXsrVG2npdQuibLhJbv4ClyPTUtR5giNSvuxo03kB6I8VXVr0Y9X7UxhJVEoJOmULAwRWaUsDnIewQa101cVhMa6iR8X37kfFoiZ6NkS-c7henVkkQWu2HtotkEtQvN5hFlk8IevXXPmvZlhQhwzB1sGzGYnoi1zOfuL98d3BIjUjtlwii5w6gYG2AEEzp7HnHCsb3jIwUPdq86Oe6hIFjtBwduIK90ca4UqzARpcfwxHwVLMpatKask00AgGVI0ysdk0BLMjmLutquD03XbThHScC2C2_Pp4cHWgMzvbgLU2RYYZcZRKr46QeNgz9w",
-		"PS256",
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"Basic PS384",
-		"eyJhbGciOiJQUzM4NCIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.w7-qqgj97gK4fJsq_DCqdYQiylJjzWONvD0qWWWhqEOFk2P1eDULPnqHRnjgTXoO4HAw4YIWCsZPet7nR3Xxq4ZhMqvKW8b7KlfRTb9cH8zqFvzMmybQ4jv2hKc3bXYqVow3AoR7hN_CWXI3Dv6Kd2X5xhtxRHI6IL39oTVDUQ74LACe-9t4c3QRPuj6Pq1H4FAT2E2kW_0KOc6EQhCLWEhm2Z2__OZskDC8AiPpP8Kv4k2vB7l0IKQu8Pr4RcNBlqJdq8dA5D3hk5TLxP8V5nG1Ib80MOMMqoS3FQvSLyolFX-R_jZ3-zfq6Ebsqr0yEb0AH2CfsECF7935Pa0FKQ",
-		"PS384",
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"Basic PS512",
-		"eyJhbGciOiJQUzUxMiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.GX1HWGzFaJevuSLavqqFYaW8_TpvcjQ8KfC5fXiSDzSiT9UD9nB_ikSmDNyDILNdtjZLSvVKfXxZJqCfefxAtiozEDDdJthZ-F0uO4SPFHlGiXszvKeodh7BuTWRI2wL9-ZO4mFa8nq3GMeQAfo9cx11i7nfN8n2YNQ9SHGovG7_T_AvaMZB_jT6jkDHpwGR9mz7x1sycckEo6teLdHRnH_ZdlHlxqknmyTu8Odr5Xh0sJFOL8BepWbbvIIn-P161rRHHiDWFv6nhlHwZnVzjx7HQrWSGb6-s2cdLie9QL_8XaMcUpjLkfOMKkDOfHo6AvpL7Jbwi83Z2ZTHjJWB-A",
-		"PS512",
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"basic PS256 invalid: foo => bar",
-		"eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.PPG4xyDVY8ffp4CcxofNmsTDXsrVG2npdQuibLhJbv4ClyPTUtR5giNSvuxo03kB6I8VXVr0Y9X7UxhJVEoJOmULAwRWaUsDnIewQa101cVhMa6iR8X37kfFoiZ6NkS-c7henVkkQWu2HtotkEtQvN5hFlk8IevXXPmvZlhQhwzB1sGzGYnoi1zOfuL98d3BIjUjtlwii5w6gYG2AEEzp7HnHCsb3jIwUPdq86Oe6hIFjtBwduIK90ca4UqzARpcfwxHwVLMpatKask00AgGVI0ysdk0BLMjmLutquD03XbThHScC2C2_Pp4cHWgMzvbgLU2RYYZcZRKr46QeNgz9W",
-		"PS256",
-		map[string]interface{}{"foo": "bar"},
-		false,
-	},
-}
-
-func TestRSAPSSVerify(t *testing.T) {
-	var err error
-
-	key, _ := ioutil.ReadFile("test/sample_key.pub")
-	var rsaPSSKey *rsa.PublicKey
-	if rsaPSSKey, err = jwt.ParseRSAPublicKeyFromPEM(key); err != nil {
-		t.Errorf("Unable to parse RSA public key: %v", err)
-	}
-
-	for _, data := range rsaPSSTestData {
-		parts := strings.Split(data.tokenString, ".")
-
-		method := jwt.GetSigningMethod(data.alg)
-		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], rsaPSSKey)
-		if data.valid && err != nil {
-			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
-		}
-		if !data.valid && err == nil {
-			t.Errorf("[%v] Invalid key passed validation", data.name)
-		}
-	}
-}
-
-func TestRSAPSSSign(t *testing.T) {
-	var err error
-
-	key, _ := ioutil.ReadFile("test/sample_key")
-	var rsaPSSKey *rsa.PrivateKey
-	if rsaPSSKey, err = jwt.ParseRSAPrivateKeyFromPEM(key); err != nil {
-		t.Errorf("Unable to parse RSA private key: %v", err)
-	}
-
-	for _, data := range rsaPSSTestData {
-		if data.valid {
-			parts := strings.Split(data.tokenString, ".")
-			method := jwt.GetSigningMethod(data.alg)
-			sig, err := method.Sign(strings.Join(parts[0:2], "."), rsaPSSKey)
-			if err != nil {
-				t.Errorf("[%v] Error signing token: %v", data.name, err)
-			}
-			if sig == parts[2] {
-				t.Errorf("[%v] Signatures shouldn't match\nnew:\n%v\noriginal:\n%v", data.name, sig, parts[2])
-			}
-		}
-	}
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/rsa_test.go b/vendor/github.com/dgrijalva/jwt-go/rsa_test.go
deleted file mode 100644
index 2e0f7853..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/rsa_test.go
+++ /dev/null
@@ -1,176 +0,0 @@
-package jwt_test
-
-import (
-	"github.com/dgrijalva/jwt-go"
-	"io/ioutil"
-	"strings"
-	"testing"
-)
-
-var rsaTestData = []struct {
-	name        string
-	tokenString string
-	alg         string
-	claims      map[string]interface{}
-	valid       bool
-}{
-	{
-		"Basic RS256",
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
-		"RS256",
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"Basic RS384",
-		"eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.W-jEzRfBigtCWsinvVVuldiuilzVdU5ty0MvpLaSaqK9PlAWWlDQ1VIQ_qSKzwL5IXaZkvZFJXT3yL3n7OUVu7zCNJzdwznbC8Z-b0z2lYvcklJYi2VOFRcGbJtXUqgjk2oGsiqUMUMOLP70TTefkpsgqDxbRh9CDUfpOJgW-dU7cmgaoswe3wjUAUi6B6G2YEaiuXC0XScQYSYVKIzgKXJV8Zw-7AN_DBUI4GkTpsvQ9fVVjZM9csQiEXhYekyrKu1nu_POpQonGd8yqkIyXPECNmmqH5jH4sFiF67XhD7_JpkvLziBpI-uh86evBUadmHhb9Otqw3uV3NTaXLzJw",
-		"RS384",
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"Basic RS512",
-		"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.zBlLlmRrUxx4SJPUbV37Q1joRcI9EW13grnKduK3wtYKmDXbgDpF1cZ6B-2Jsm5RB8REmMiLpGms-EjXhgnyh2TSHE-9W2gA_jvshegLWtwRVDX40ODSkTb7OVuaWgiy9y7llvcknFBTIg-FnVPVpXMmeV_pvwQyhaz1SSwSPrDyxEmksz1hq7YONXhXPpGaNbMMeDTNP_1oj8DZaqTIL9TwV8_1wb2Odt_Fy58Ke2RVFijsOLdnyEAjt2n9Mxihu9i3PhNBkkxa2GbnXBfq3kzvZ_xxGGopLdHhJjcGWXO-NiwI9_tiu14NRv4L2xC0ItD9Yz68v2ZIZEp_DuzwRQ",
-		"RS512",
-		map[string]interface{}{"foo": "bar"},
-		true,
-	},
-	{
-		"basic invalid: foo => bar",
-		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.EhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
-		"RS256",
-		map[string]interface{}{"foo": "bar"},
-		false,
-	},
-}
-
-func TestRSAVerify(t *testing.T) {
-	keyData, _ := ioutil.ReadFile("test/sample_key.pub")
-	key, _ := jwt.ParseRSAPublicKeyFromPEM(keyData)
-
-	for _, data := range rsaTestData {
-		parts := strings.Split(data.tokenString, ".")
-
-		method := jwt.GetSigningMethod(data.alg)
-		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], key)
-		if data.valid && err != nil {
-			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
-		}
-		if !data.valid && err == nil {
-			t.Errorf("[%v] Invalid key passed validation", data.name)
-		}
-	}
-}
-
-func TestRSASign(t *testing.T) {
-	keyData, _ := ioutil.ReadFile("test/sample_key")
-	key, _ := jwt.ParseRSAPrivateKeyFromPEM(keyData)
-
-	for _, data := range rsaTestData {
-		if data.valid {
-			parts := strings.Split(data.tokenString, ".")
-			method := jwt.GetSigningMethod(data.alg)
-			sig, err := method.Sign(strings.Join(parts[0:2], "."), key)
-			if err != nil {
-				t.Errorf("[%v] Error signing token: %v", data.name, err)
-			}
-			if sig != parts[2] {
-				t.Errorf("[%v] Incorrect signature.\nwas:\n%v\nexpecting:\n%v", data.name, sig, parts[2])
-			}
-		}
-	}
-}
-
-func TestRSAVerifyWithPreParsedPrivateKey(t *testing.T) {
-	key, _ := ioutil.ReadFile("test/sample_key.pub")
-	parsedKey, err := jwt.ParseRSAPublicKeyFromPEM(key)
-	if err != nil {
-		t.Fatal(err)
-	}
-	testData := rsaTestData[0]
-	parts := strings.Split(testData.tokenString, ".")
-	err = jwt.SigningMethodRS256.Verify(strings.Join(parts[0:2], "."), parts[2], parsedKey)
-	if err != nil {
-		t.Errorf("[%v] Error while verifying key: %v", testData.name, err)
-	}
-}
-
-func TestRSAWithPreParsedPrivateKey(t *testing.T) {
-	key, _ := ioutil.ReadFile("test/sample_key")
-	parsedKey, err := jwt.ParseRSAPrivateKeyFromPEM(key)
-	if err != nil {
-		t.Fatal(err)
-	}
-	testData := rsaTestData[0]
-	parts := strings.Split(testData.tokenString, ".")
-	sig, err := jwt.SigningMethodRS256.Sign(strings.Join(parts[0:2], "."), parsedKey)
-	if err != nil {
-		t.Errorf("[%v] Error signing token: %v", testData.name, err)
-	}
-	if sig != parts[2] {
-		t.Errorf("[%v] Incorrect signature.\nwas:\n%v\nexpecting:\n%v", testData.name, sig, parts[2])
-	}
-}
-
-func TestRSAKeyParsing(t *testing.T) {
-	key, _ := ioutil.ReadFile("test/sample_key")
-	pubKey, _ := ioutil.ReadFile("test/sample_key.pub")
-	badKey := []byte("All your base are belong to key")
-
-	// Test parsePrivateKey
-	if _, e := jwt.ParseRSAPrivateKeyFromPEM(key); e != nil {
-		t.Errorf("Failed to parse valid private key: %v", e)
-	}
-
-	if k, e := jwt.ParseRSAPrivateKeyFromPEM(pubKey); e == nil {
-		t.Errorf("Parsed public key as valid private key: %v", k)
-	}
-
-	if k, e := jwt.ParseRSAPrivateKeyFromPEM(badKey); e == nil {
-		t.Errorf("Parsed invalid key as valid private key: %v", k)
-	}
-
-	// Test parsePublicKey
-	if _, e := jwt.ParseRSAPublicKeyFromPEM(pubKey); e != nil {
-		t.Errorf("Failed to parse valid public key: %v", e)
-	}
-
-	if k, e := jwt.ParseRSAPublicKeyFromPEM(key); e == nil {
-		t.Errorf("Parsed private key as valid public key: %v", k)
-	}
-
-	if k, e := jwt.ParseRSAPublicKeyFromPEM(badKey); e == nil {
-		t.Errorf("Parsed invalid key as valid private key: %v", k)
-	}
-
-}
-
-func BenchmarkRS256Signing(b *testing.B) {
-	key, _ := ioutil.ReadFile("test/sample_key")
-	parsedKey, err := jwt.ParseRSAPrivateKeyFromPEM(key)
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	benchmarkSigning(b, jwt.SigningMethodRS256, parsedKey)
-}
-
-func BenchmarkRS384Signing(b *testing.B) {
-	key, _ := ioutil.ReadFile("test/sample_key")
-	parsedKey, err := jwt.ParseRSAPrivateKeyFromPEM(key)
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	benchmarkSigning(b, jwt.SigningMethodRS384, parsedKey)
-}
-
-func BenchmarkRS512Signing(b *testing.B) {
-	key, _ := ioutil.ReadFile("test/sample_key")
-	parsedKey, err := jwt.ParseRSAPrivateKeyFromPEM(key)
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	benchmarkSigning(b, jwt.SigningMethodRS512, parsedKey)
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/rsa_utils.go b/vendor/github.com/dgrijalva/jwt-go/rsa_utils.go
deleted file mode 100644
index 213a90db..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/rsa_utils.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package jwt
-
-import (
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
-)
-
-var (
-	ErrKeyMustBePEMEncoded = errors.New("Invalid Key: Key must be PEM encoded PKCS1 or PKCS8 private key")
-	ErrNotRSAPrivateKey    = errors.New("Key is not a valid RSA private key")
-	ErrNotRSAPublicKey     = errors.New("Key is not a valid RSA public key")
-)
-
-// Parse PEM encoded PKCS1 or PKCS8 private key
-func ParseRSAPrivateKeyFromPEM(key []byte) (*rsa.PrivateKey, error) {
-	var err error
-
-	// Parse PEM block
-	var block *pem.Block
-	if block, _ = pem.Decode(key); block == nil {
-		return nil, ErrKeyMustBePEMEncoded
-	}
-
-	var parsedKey interface{}
-	if parsedKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
-		if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
-			return nil, err
-		}
-	}
-
-	var pkey *rsa.PrivateKey
-	var ok bool
-	if pkey, ok = parsedKey.(*rsa.PrivateKey); !ok {
-		return nil, ErrNotRSAPrivateKey
-	}
-
-	return pkey, nil
-}
-
-// Parse PEM encoded PKCS1 or PKCS8 public key
-func ParseRSAPublicKeyFromPEM(key []byte) (*rsa.PublicKey, error) {
-	var err error
-
-	// Parse PEM block
-	var block *pem.Block
-	if block, _ = pem.Decode(key); block == nil {
-		return nil, ErrKeyMustBePEMEncoded
-	}
-
-	// Parse the key
-	var parsedKey interface{}
-	if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
-		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
-			parsedKey = cert.PublicKey
-		} else {
-			return nil, err
-		}
-	}
-
-	var pkey *rsa.PublicKey
-	var ok bool
-	if pkey, ok = parsedKey.(*rsa.PublicKey); !ok {
-		return nil, ErrNotRSAPublicKey
-	}
-
-	return pkey, nil
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/signing_method.go b/vendor/github.com/dgrijalva/jwt-go/signing_method.go
deleted file mode 100644
index ed1f212b..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/signing_method.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package jwt
-
-import (
-	"sync"
-)
-
-var signingMethods = map[string]func() SigningMethod{}
-var signingMethodLock = new(sync.RWMutex)
-
-// Implement SigningMethod to add new methods for signing or verifying tokens.
-type SigningMethod interface {
-	Verify(signingString, signature string, key interface{}) error // Returns nil if signature is valid
-	Sign(signingString string, key interface{}) (string, error)    // Returns encoded signature or error
-	Alg() string                                                   // returns the alg identifier for this method (example: 'HS256')
-}
-
-// Register the "alg" name and a factory function for signing method.
-// This is typically done during init() in the method's implementation
-func RegisterSigningMethod(alg string, f func() SigningMethod) {
-	signingMethodLock.Lock()
-	defer signingMethodLock.Unlock()
-
-	signingMethods[alg] = f
-}
-
-// Get a signing method from an "alg" string
-func GetSigningMethod(alg string) (method SigningMethod) {
-	signingMethodLock.RLock()
-	defer signingMethodLock.RUnlock()
-
-	if methodF, ok := signingMethods[alg]; ok {
-		method = methodF()
-	}
-	return
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/ec256-private.pem b/vendor/github.com/dgrijalva/jwt-go/test/ec256-private.pem
deleted file mode 100644
index a6882b3e..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/ec256-private.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIAh5qA3rmqQQuu0vbKV/+zouz/y/Iy2pLpIcWUSyImSwoAoGCCqGSM49
-AwEHoUQDQgAEYD54V/vp+54P9DXarYqx4MPcm+HKRIQzNasYSoRQHQ/6S6Ps8tpM
-cT+KvIIC8W/e9k0W7Cm72M1P9jU7SLf/vg==
------END EC PRIVATE KEY-----
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/ec256-public.pem b/vendor/github.com/dgrijalva/jwt-go/test/ec256-public.pem
deleted file mode 100644
index 7191361e..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/ec256-public.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYD54V/vp+54P9DXarYqx4MPcm+HK
-RIQzNasYSoRQHQ/6S6Ps8tpMcT+KvIIC8W/e9k0W7Cm72M1P9jU7SLf/vg==
------END PUBLIC KEY-----
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/ec384-private.pem b/vendor/github.com/dgrijalva/jwt-go/test/ec384-private.pem
deleted file mode 100644
index a86c823e..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/ec384-private.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCaCvMHKhcG/qT7xsNLYnDT7sE/D+TtWIol1ROdaK1a564vx5pHbsRy
-SEKcIxISi1igBwYFK4EEACKhZANiAATYa7rJaU7feLMqrAx6adZFNQOpaUH/Uylb
-ZLriOLON5YFVwtVUpO1FfEXZUIQpptRPtc5ixIPY658yhBSb6irfIJUSP9aYTflJ
-GKk/mDkK4t8mWBzhiD5B6jg9cEGhGgA=
------END EC PRIVATE KEY-----
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/ec384-public.pem b/vendor/github.com/dgrijalva/jwt-go/test/ec384-public.pem
deleted file mode 100644
index e80d0056..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/ec384-public.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN PUBLIC KEY-----
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE2Gu6yWlO33izKqwMemnWRTUDqWlB/1Mp
-W2S64jizjeWBVcLVVKTtRXxF2VCEKabUT7XOYsSD2OufMoQUm+oq3yCVEj/WmE35
-SRipP5g5CuLfJlgc4Yg+Qeo4PXBBoRoA
------END PUBLIC KEY-----
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/ec512-private.pem b/vendor/github.com/dgrijalva/jwt-go/test/ec512-private.pem
deleted file mode 100644
index 213afaf1..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/ec512-private.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIB0pE4uFaWRx7t03BsYlYvF1YvKaBGyvoakxnodm9ou0R9wC+sJAjH
-QZZJikOg4SwNqgQ/hyrOuDK2oAVHhgVGcYmgBwYFK4EEACOhgYkDgYYABAAJXIuw
-12MUzpHggia9POBFYXSxaOGKGbMjIyDI+6q7wi7LMw3HgbaOmgIqFG72o8JBQwYN
-4IbXHf+f86CRY1AA2wHzbHvt6IhkCXTNxBEffa1yMUgu8n9cKKF2iLgyQKcKqW33
-8fGOw/n3Rm2Yd/EB56u2rnD29qS+nOM9eGS+gy39OQ==
------END EC PRIVATE KEY-----
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/ec512-public.pem b/vendor/github.com/dgrijalva/jwt-go/test/ec512-public.pem
deleted file mode 100644
index 02ea0220..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/ec512-public.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQACVyLsNdjFM6R4IImvTzgRWF0sWjh
-ihmzIyMgyPuqu8IuyzMNx4G2jpoCKhRu9qPCQUMGDeCG1x3/n/OgkWNQANsB82x7
-7eiIZAl0zcQRH32tcjFILvJ/XCihdoi4MkCnCqlt9/HxjsP590ZtmHfxAeertq5w
-9vakvpzjPXhkvoMt/Tk=
------END PUBLIC KEY-----
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/helpers.go b/vendor/github.com/dgrijalva/jwt-go/test/helpers.go
deleted file mode 100644
index f84c3ef6..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/helpers.go
+++ /dev/null
@@ -1,42 +0,0 @@
-package test
-
-import (
-	"crypto/rsa"
-	"github.com/dgrijalva/jwt-go"
-	"io/ioutil"
-)
-
-func LoadRSAPrivateKeyFromDisk(location string) *rsa.PrivateKey {
-	keyData, e := ioutil.ReadFile(location)
-	if e != nil {
-		panic(e.Error())
-	}
-	key, e := jwt.ParseRSAPrivateKeyFromPEM(keyData)
-	if e != nil {
-		panic(e.Error())
-	}
-	return key
-}
-
-func LoadRSAPublicKeyFromDisk(location string) *rsa.PublicKey {
-	keyData, e := ioutil.ReadFile(location)
-	if e != nil {
-		panic(e.Error())
-	}
-	key, e := jwt.ParseRSAPublicKeyFromPEM(keyData)
-	if e != nil {
-		panic(e.Error())
-	}
-	return key
-}
-
-func MakeSampleToken(c jwt.Claims, key interface{}) string {
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, c)
-	s, e := token.SignedString(key)
-
-	if e != nil {
-		panic(e.Error())
-	}
-
-	return s
-}
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/hmacTestKey b/vendor/github.com/dgrijalva/jwt-go/test/hmacTestKey
deleted file mode 100644
index 435b8ddb..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/hmacTestKey
+++ /dev/null
@@ -1 +0,0 @@
-#5K+���~ew{��Z�(��T�(����P.���Z��G��wb="=.!r.O�͚�gЀ�
\ No newline at end of file
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/sample_key b/vendor/github.com/dgrijalva/jwt-go/test/sample_key
deleted file mode 100644
index abdbade3..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/sample_key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA4f5wg5l2hKsTeNem/V41fGnJm6gOdrj8ym3rFkEU/wT8RDtn
-SgFEZOQpHEgQ7JL38xUfU0Y3g6aYw9QT0hJ7mCpz9Er5qLaMXJwZxzHzAahlfA0i
-cqabvJOMvQtzD6uQv6wPEyZtDTWiQi9AXwBpHssPnpYGIn20ZZuNlX2BrClciHhC
-PUIIZOQn/MmqTD31jSyjoQoV7MhhMTATKJx2XrHhR+1DcKJzQBSTAGnpYVaqpsAR
-ap+nwRipr3nUTuxyGohBTSmjJ2usSeQXHI3bODIRe1AuTyHceAbewn8b462yEWKA
-Rdpd9AjQW5SIVPfdsz5B6GlYQ5LdYKtznTuy7wIDAQABAoIBAQCwia1k7+2oZ2d3
-n6agCAbqIE1QXfCmh41ZqJHbOY3oRQG3X1wpcGH4Gk+O+zDVTV2JszdcOt7E5dAy
-MaomETAhRxB7hlIOnEN7WKm+dGNrKRvV0wDU5ReFMRHg31/Lnu8c+5BvGjZX+ky9
-POIhFFYJqwCRlopGSUIxmVj5rSgtzk3iWOQXr+ah1bjEXvlxDOWkHN6YfpV5ThdE
-KdBIPGEVqa63r9n2h+qazKrtiRqJqGnOrHzOECYbRFYhexsNFz7YT02xdfSHn7gM
-IvabDDP/Qp0PjE1jdouiMaFHYnLBbgvlnZW9yuVf/rpXTUq/njxIXMmvmEyyvSDn
-FcFikB8pAoGBAPF77hK4m3/rdGT7X8a/gwvZ2R121aBcdPwEaUhvj/36dx596zvY
-mEOjrWfZhF083/nYWE2kVquj2wjs+otCLfifEEgXcVPTnEOPO9Zg3uNSL0nNQghj
-FuD3iGLTUBCtM66oTe0jLSslHe8gLGEQqyMzHOzYxNqibxcOZIe8Qt0NAoGBAO+U
-I5+XWjWEgDmvyC3TrOSf/KCGjtu0TSv30ipv27bDLMrpvPmD/5lpptTFwcxvVhCs
-2b+chCjlghFSWFbBULBrfci2FtliClOVMYrlNBdUSJhf3aYSG2Doe6Bgt1n2CpNn
-/iu37Y3NfemZBJA7hNl4dYe+f+uzM87cdQ214+jrAoGAXA0XxX8ll2+ToOLJsaNT
-OvNB9h9Uc5qK5X5w+7G7O998BN2PC/MWp8H+2fVqpXgNENpNXttkRm1hk1dych86
-EunfdPuqsX+as44oCyJGFHVBnWpm33eWQw9YqANRI+pCJzP08I5WK3osnPiwshd+
-hR54yjgfYhBFNI7B95PmEQkCgYBzFSz7h1+s34Ycr8SvxsOBWxymG5zaCsUbPsL0
-4aCgLScCHb9J+E86aVbbVFdglYa5Id7DPTL61ixhl7WZjujspeXZGSbmq0Kcnckb
-mDgqkLECiOJW2NHP/j0McAkDLL4tysF8TLDO8gvuvzNC+WQ6drO2ThrypLVZQ+ry
-eBIPmwKBgEZxhqa0gVvHQG/7Od69KWj4eJP28kq13RhKay8JOoN0vPmspXJo1HY3
-CKuHRG+AP579dncdUnOMvfXOtkdM4vk0+hWASBQzM9xzVcztCa+koAugjVaLS9A+
-9uQoqEeVNTckxx0S2bYevRy7hGQmUJTyQm3j1zEUR5jpdbL83Fbq
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/dgrijalva/jwt-go/test/sample_key.pub b/vendor/github.com/dgrijalva/jwt-go/test/sample_key.pub
deleted file mode 100644
index 03dc982a..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/test/sample_key.pub
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4f5wg5l2hKsTeNem/V41
-fGnJm6gOdrj8ym3rFkEU/wT8RDtnSgFEZOQpHEgQ7JL38xUfU0Y3g6aYw9QT0hJ7
-mCpz9Er5qLaMXJwZxzHzAahlfA0icqabvJOMvQtzD6uQv6wPEyZtDTWiQi9AXwBp
-HssPnpYGIn20ZZuNlX2BrClciHhCPUIIZOQn/MmqTD31jSyjoQoV7MhhMTATKJx2
-XrHhR+1DcKJzQBSTAGnpYVaqpsARap+nwRipr3nUTuxyGohBTSmjJ2usSeQXHI3b
-ODIRe1AuTyHceAbewn8b462yEWKARdpd9AjQW5SIVPfdsz5B6GlYQ5LdYKtznTuy
-7wIDAQAB
------END PUBLIC KEY-----
diff --git a/vendor/github.com/dgrijalva/jwt-go/token.go b/vendor/github.com/dgrijalva/jwt-go/token.go
deleted file mode 100644
index d637e086..00000000
--- a/vendor/github.com/dgrijalva/jwt-go/token.go
+++ /dev/null
@@ -1,108 +0,0 @@
-package jwt
-
-import (
-	"encoding/base64"
-	"encoding/json"
-	"strings"
-	"time"
-)
-
-// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).
-// You can override it to use another time value.  This is useful for testing or if your
-// server uses a different time zone than your tokens.
-var TimeFunc = time.Now
-
-// Parse methods use this callback function to supply
-// the key for verification.  The function receives the parsed,
-// but unverified Token.  This allows you to use properties in the
-// Header of the token (such as `kid`) to identify which key to use.
-type Keyfunc func(*Token) (interface{}, error)
-
-// A JWT Token.  Different fields will be used depending on whether you're
-// creating or parsing/verifying a token.
-type Token struct {
-	Raw       string                 // The raw token.  Populated when you Parse a token
-	Method    SigningMethod          // The signing method used or to be used
-	Header    map[string]interface{} // The first segment of the token
-	Claims    Claims                 // The second segment of the token
-	Signature string                 // The third segment of the token.  Populated when you Parse a token
-	Valid     bool                   // Is the token valid?  Populated when you Parse/Verify a token
-}
-
-// Create a new Token.  Takes a signing method
-func New(method SigningMethod) *Token {
-	return NewWithClaims(method, MapClaims{})
-}
-
-func NewWithClaims(method SigningMethod, claims Claims) *Token {
-	return &Token{
-		Header: map[string]interface{}{
-			"typ": "JWT",
-			"alg": method.Alg(),
-		},
-		Claims: claims,
-		Method: method,
-	}
-}
-
-// Get the complete, signed token
-func (t *Token) SignedString(key interface{}) (string, error) {
-	var sig, sstr string
-	var err error
-	if sstr, err = t.SigningString(); err != nil {
-		return "", err
-	}
-	if sig, err = t.Method.Sign(sstr, key); err != nil {
-		return "", err
-	}
-	return strings.Join([]string{sstr, sig}, "."), nil
-}
-
-// Generate the signing string.  This is the
-// most expensive part of the whole deal.  Unless you
-// need this for something special, just go straight for
-// the SignedString.
-func (t *Token) SigningString() (string, error) {
-	var err error
-	parts := make([]string, 2)
-	for i, _ := range parts {
-		var jsonValue []byte
-		if i == 0 {
-			if jsonValue, err = json.Marshal(t.Header); err != nil {
-				return "", err
-			}
-		} else {
-			if jsonValue, err = json.Marshal(t.Claims); err != nil {
-				return "", err
-			}
-		}
-
-		parts[i] = EncodeSegment(jsonValue)
-	}
-	return strings.Join(parts, "."), nil
-}
-
-// Parse, validate, and return a token.
-// keyFunc will receive the parsed token and should return the key for validating.
-// If everything is kosher, err will be nil
-func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
-	return new(Parser).Parse(tokenString, keyFunc)
-}
-
-func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
-	return new(Parser).ParseWithClaims(tokenString, claims, keyFunc)
-}
-
-// Encode JWT specific base64url encoding with padding stripped
-func EncodeSegment(seg []byte) string {
-	return strings.TrimRight(base64.URLEncoding.EncodeToString(seg), "=")
-}
-
-// Decode JWT specific base64url encoding with padding stripped
-func DecodeSegment(seg string) ([]byte, error) {
-	if l := len(seg) % 4; l > 0 {
-		seg += strings.Repeat("=", 4-l)
-	}
-
-	return base64.URLEncoding.DecodeString(seg)
-}
diff --git a/vendor/github.com/jonboulle/clockwork/.gitignore b/vendor/github.com/jonboulle/clockwork/.gitignore
index 010c242b..00852bd9 100644
--- a/vendor/github.com/jonboulle/clockwork/.gitignore
+++ b/vendor/github.com/jonboulle/clockwork/.gitignore
@@ -1,3 +1,5 @@
+/.idea/
+
 # Compiled Object files, Static and Dynamic libs (Shared Objects)
 *.o
 *.a
diff --git a/vendor/github.com/jonboulle/clockwork/.travis.yml b/vendor/github.com/jonboulle/clockwork/.travis.yml
deleted file mode 100644
index aefda90b..00000000
--- a/vendor/github.com/jonboulle/clockwork/.travis.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-language: go
-go:
-  - 1.3
-
-sudo: false
diff --git a/vendor/github.com/jonboulle/clockwork/README.md b/vendor/github.com/jonboulle/clockwork/README.md
index d43a6c79..cad60835 100644
--- a/vendor/github.com/jonboulle/clockwork/README.md
+++ b/vendor/github.com/jonboulle/clockwork/README.md
@@ -1,61 +1,80 @@
-clockwork
-=========
+# clockwork
 
-[![Build Status](https://travis-ci.org/jonboulle/clockwork.png?branch=master)](https://travis-ci.org/jonboulle/clockwork)
-[![godoc](https://godoc.org/github.com/jonboulle/clockwork?status.svg)](http://godoc.org/github.com/jonboulle/clockwork) 
+[![Mentioned in Awesome Go](https://awesome.re/mentioned-badge-flat.svg)](https://github.com/avelino/awesome-go#utilities)
 
-a simple fake clock for golang
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/jonboulle/clockwork/CI?style=flat-square)](https://github.com/jonboulle/clockwork/actions?query=workflow%3ACI)
+[![Go Report Card](https://goreportcard.com/badge/github.com/jonboulle/clockwork?style=flat-square)](https://goreportcard.com/report/github.com/jonboulle/clockwork)
+![Go Version](https://img.shields.io/badge/go%20version-%3E=1.11-61CFDD.svg?style=flat-square)
+[![go.dev reference](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/mod/github.com/jonboulle/clockwork)
 
-# Usage
+**A simple fake clock for Go.**
+
+
+## Usage
 
 Replace uses of the `time` package with the `clockwork.Clock` interface instead.
 
 For example, instead of using `time.Sleep` directly:
 
-```
-func my_func() {
+```go
+func myFunc() {
 	time.Sleep(3 * time.Second)
-	do_something()
+	doSomething()
 }
 ```
 
-inject a clock and use its `Sleep` method instead:
+Inject a clock and use its `Sleep` method instead:
 
-```
-func my_func(clock clockwork.Clock) {
+```go
+func myFunc(clock clockwork.Clock) {
 	clock.Sleep(3 * time.Second)
-	do_something()
+	doSomething()
 }
 ```
 
-Now you can easily test `my_func` with a `FakeClock`:
+Now you can easily test `myFunc` with a `FakeClock`:
 
-```
+```go
 func TestMyFunc(t *testing.T) {
 	c := clockwork.NewFakeClock()
 
 	// Start our sleepy function
-	my_func(c)
-
-	// Ensure we wait until my_func is sleeping
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		myFunc(c)
+		wg.Done()
+	}()
+
+	// Ensure we wait until myFunc is sleeping
 	c.BlockUntil(1)
 
-	assert_state()
+	assertState()
 
 	// Advance the FakeClock forward in time
-	c.Advance(3)
+	c.Advance(3 * time.Second)
+
+	// Wait until the function completes
+	wg.Wait()
 
-	assert_state()
+	assertState()
 }
 ```
 
 and in production builds, simply inject the real clock instead:
-```
-my_func(clockwork.NewRealClock())
+
+```go
+myFunc(clockwork.NewRealClock())
 ```
 
 See [example_test.go](example_test.go) for a full example.
 
+
 # Credits
 
-clockwork is inspired by @wickman's [threaded fake clock](https://gist.github.com/wickman/3840816), and the [Golang playground](http://blog.golang.org/playground#Faking time)
+clockwork is inspired by @wickman's [threaded fake clock](https://gist.github.com/wickman/3840816), and the [Golang playground](https://blog.golang.org/playground#TOC_3.1.)
+
+
+## License
+
+Apache License, Version 2.0. Please see [License File](LICENSE) for more information.
diff --git a/vendor/github.com/jonboulle/clockwork/clockwork.go b/vendor/github.com/jonboulle/clockwork/clockwork.go
index 9ec96ed2..1018051f 100644
--- a/vendor/github.com/jonboulle/clockwork/clockwork.go
+++ b/vendor/github.com/jonboulle/clockwork/clockwork.go
@@ -11,6 +11,8 @@ type Clock interface {
 	After(d time.Duration) <-chan time.Time
 	Sleep(d time.Duration)
 	Now() time.Time
+	Since(t time.Time) time.Duration
+	NewTicker(d time.Duration) Ticker
 }
 
 // FakeClock provides an interface for a clock which can be
@@ -60,6 +62,14 @@ func (rc *realClock) Now() time.Time {
 	return time.Now()
 }
 
+func (rc *realClock) Since(t time.Time) time.Duration {
+	return rc.Now().Sub(t)
+}
+
+func (rc *realClock) NewTicker(d time.Duration) Ticker {
+	return &realTicker{time.NewTicker(d)}
+}
+
 type fakeClock struct {
 	sleepers []*sleeper
 	blockers []*blocker
@@ -87,7 +97,7 @@ func (fc *fakeClock) After(d time.Duration) <-chan time.Time {
 	defer fc.l.Unlock()
 	now := fc.time
 	done := make(chan time.Time, 1)
-	if d.Nanoseconds() == 0 {
+	if d.Nanoseconds() <= 0 {
 		// special case - trigger immediately
 		done <- now
 	} else {
@@ -130,6 +140,22 @@ func (fc *fakeClock) Now() time.Time {
 	return t
 }
 
+// Since returns the duration that has passed since the given time on the fakeClock
+func (fc *fakeClock) Since(t time.Time) time.Duration {
+	return fc.Now().Sub(t)
+}
+
+func (fc *fakeClock) NewTicker(d time.Duration) Ticker {
+	ft := &fakeTicker{
+		c:      make(chan time.Time, 1),
+		stop:   make(chan bool, 1),
+		clock:  fc,
+		period: d,
+	}
+	ft.runTickThread()
+	return ft
+}
+
 // Advance advances fakeClock to a new point in time, ensuring channels from any
 // previous invocations of After are notified appropriately before returning
 func (fc *fakeClock) Advance(d time.Duration) {
diff --git a/vendor/github.com/jonboulle/clockwork/clockwork_test.go b/vendor/github.com/jonboulle/clockwork/clockwork_test.go
deleted file mode 100644
index 21c8f16b..00000000
--- a/vendor/github.com/jonboulle/clockwork/clockwork_test.go
+++ /dev/null
@@ -1,129 +0,0 @@
-package clockwork
-
-import (
-	"reflect"
-	"testing"
-	"time"
-)
-
-func TestFakeClockAfter(t *testing.T) {
-	fc := &fakeClock{}
-
-	zero := fc.After(0)
-	select {
-	case <-zero:
-	default:
-		t.Errorf("zero did not return!")
-	}
-	one := fc.After(1)
-	two := fc.After(2)
-	six := fc.After(6)
-	ten := fc.After(10)
-	fc.Advance(1)
-	select {
-	case <-one:
-	default:
-		t.Errorf("one did not return!")
-	}
-	select {
-	case <-two:
-		t.Errorf("two returned prematurely!")
-	case <-six:
-		t.Errorf("six returned prematurely!")
-	case <-ten:
-		t.Errorf("ten returned prematurely!")
-	default:
-	}
-	fc.Advance(1)
-	select {
-	case <-two:
-	default:
-		t.Errorf("two did not return!")
-	}
-	select {
-	case <-six:
-		t.Errorf("six returned prematurely!")
-	case <-ten:
-		t.Errorf("ten returned prematurely!")
-	default:
-	}
-	fc.Advance(1)
-	select {
-	case <-six:
-		t.Errorf("six returned prematurely!")
-	case <-ten:
-		t.Errorf("ten returned prematurely!")
-	default:
-	}
-	fc.Advance(3)
-	select {
-	case <-six:
-	default:
-		t.Errorf("six did not return!")
-	}
-	select {
-	case <-ten:
-		t.Errorf("ten returned prematurely!")
-	default:
-	}
-	fc.Advance(100)
-	select {
-	case <-ten:
-	default:
-		t.Errorf("ten did not return!")
-	}
-}
-
-func TestNotifyBlockers(t *testing.T) {
-	b1 := &blocker{1, make(chan struct{})}
-	b2 := &blocker{2, make(chan struct{})}
-	b3 := &blocker{5, make(chan struct{})}
-	b4 := &blocker{10, make(chan struct{})}
-	b5 := &blocker{10, make(chan struct{})}
-	bs := []*blocker{b1, b2, b3, b4, b5}
-	bs1 := notifyBlockers(bs, 2)
-	if n := len(bs1); n != 4 {
-		t.Fatalf("got %d blockers, want %d", n, 4)
-	}
-	select {
-	case <-b2.ch:
-	case <-time.After(time.Second):
-		t.Fatalf("timed out waiting for channel close!")
-	}
-	bs2 := notifyBlockers(bs1, 10)
-	if n := len(bs2); n != 2 {
-		t.Fatalf("got %d blockers, want %d", n, 2)
-	}
-	select {
-	case <-b4.ch:
-	case <-time.After(time.Second):
-		t.Fatalf("timed out waiting for channel close!")
-	}
-	select {
-	case <-b5.ch:
-	case <-time.After(time.Second):
-		t.Fatalf("timed out waiting for channel close!")
-	}
-}
-
-func TestNewFakeClock(t *testing.T) {
-	fc := NewFakeClock()
-	now := fc.Now()
-	if now.IsZero() {
-		t.Fatalf("fakeClock.Now() fulfills IsZero")
-	}
-
-	now2 := fc.Now()
-	if !reflect.DeepEqual(now, now2) {
-		t.Fatalf("fakeClock.Now() returned different value: want=%#v got=%#v", now, now2)
-	}
-}
-
-func TestNewFakeClockAt(t *testing.T) {
-	t1 := time.Date(1999, time.February, 3, 4, 5, 6, 7, time.UTC)
-	fc := NewFakeClockAt(t1)
-	now := fc.Now()
-	if !reflect.DeepEqual(now, t1) {
-		t.Fatalf("fakeClock.Now() returned unexpected non-initialised value: want=%#v, got %#v", t1, now)
-	}
-}
diff --git a/vendor/github.com/jonboulle/clockwork/example_test.go b/vendor/github.com/jonboulle/clockwork/example_test.go
deleted file mode 100644
index 6a41bd86..00000000
--- a/vendor/github.com/jonboulle/clockwork/example_test.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package clockwork
-
-import (
-	"sync"
-	"testing"
-	"time"
-)
-
-// my_func is an example of a time-dependent function, using an
-// injected clock
-func my_func(clock Clock, i *int) {
-	clock.Sleep(3 * time.Second)
-	*i += 1
-}
-
-// assert_state is an example of a state assertion in a test
-func assert_state(t *testing.T, i, j int) {
-	if i != j {
-		t.Fatalf("i %d, j %d", i, j)
-	}
-}
-
-// TestMyFunc tests my_func's behaviour with a FakeClock
-func TestMyFunc(t *testing.T) {
-	var i int
-	c := NewFakeClock()
-
-	var wg sync.WaitGroup
-	wg.Add(1)
-	go func() {
-		my_func(c, &i)
-		wg.Done()
-	}()
-
-	// Wait until my_func is actually sleeping on the clock
-	c.BlockUntil(1)
-
-	// Assert the initial state
-	assert_state(t, i, 0)
-
-	// Now advance the clock forward in time
-	c.Advance(1 * time.Hour)
-
-	// Wait until the function completes
-	wg.Wait()
-
-	// Assert the final state
-	assert_state(t, i, 1)
-}
diff --git a/vendor/github.com/kr/pretty/License b/vendor/github.com/kr/pretty/License
index 05c783cc..480a3280 100644
--- a/vendor/github.com/kr/pretty/License
+++ b/vendor/github.com/kr/pretty/License
@@ -1,5 +1,3 @@
-The MIT License (MIT)
-
 Copyright 2012 Keith Rarick
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
diff --git a/vendor/github.com/kr/pretty/diff_test.go b/vendor/github.com/kr/pretty/diff_test.go
deleted file mode 100644
index a951e4b6..00000000
--- a/vendor/github.com/kr/pretty/diff_test.go
+++ /dev/null
@@ -1,213 +0,0 @@
-package pretty
-
-import (
-	"bytes"
-	"fmt"
-	"log"
-	"reflect"
-	"testing"
-	"unsafe"
-)
-
-var (
-	_ Logfer   = (*testing.T)(nil)
-	_ Logfer   = (*testing.B)(nil)
-	_ Printfer = (*log.Logger)(nil)
-)
-
-type difftest struct {
-	a   interface{}
-	b   interface{}
-	exp []string
-}
-
-type S struct {
-	A int
-	S *S
-	I interface{}
-	C []int
-}
-
-type (
-	N struct{ N int }
-	E interface{}
-)
-
-var (
-	c0 = make(chan int)
-	c1 = make(chan int)
-	f0 = func() {}
-	f1 = func() {}
-	i0 = 0
-	i1 = 1
-)
-
-var diffs = []difftest{
-	{a: nil, b: nil},
-	{a: S{A: 1}, b: S{A: 1}},
-
-	{0, "", []string{`int != string`}},
-	{0, 1, []string{`0 != 1`}},
-	{S{}, new(S), []string{`pretty.S != *pretty.S`}},
-	{"a", "b", []string{`"a" != "b"`}},
-	{S{}, S{A: 1}, []string{`A: 0 != 1`}},
-	{new(S), &S{A: 1}, []string{`A: 0 != 1`}},
-	{S{S: new(S)}, S{S: &S{A: 1}}, []string{`S.A: 0 != 1`}},
-	{S{}, S{I: 0}, []string{`I: nil != int(0)`}},
-	{S{I: 1}, S{I: "x"}, []string{`I: int != string`}},
-	{S{}, S{C: []int{1}}, []string{`C: []int[0] != []int[1]`}},
-	{S{C: []int{}}, S{C: []int{1}}, []string{`C: []int[0] != []int[1]`}},
-	{S{C: []int{1, 2, 3}}, S{C: []int{1, 2, 4}}, []string{`C[2]: 3 != 4`}},
-	{S{}, S{A: 1, S: new(S)}, []string{`A: 0 != 1`, `S: nil != &pretty.S{}`}},
-
-	// unexported fields of every reflect.Kind (both equal and unequal)
-	{struct{ x bool }{false}, struct{ x bool }{false}, nil},
-	{struct{ x bool }{false}, struct{ x bool }{true}, []string{`x: false != true`}},
-	{struct{ x int }{0}, struct{ x int }{0}, nil},
-	{struct{ x int }{0}, struct{ x int }{1}, []string{`x: 0 != 1`}},
-	{struct{ x int8 }{0}, struct{ x int8 }{0}, nil},
-	{struct{ x int8 }{0}, struct{ x int8 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x int16 }{0}, struct{ x int16 }{0}, nil},
-	{struct{ x int16 }{0}, struct{ x int16 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x int32 }{0}, struct{ x int32 }{0}, nil},
-	{struct{ x int32 }{0}, struct{ x int32 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x int64 }{0}, struct{ x int64 }{0}, nil},
-	{struct{ x int64 }{0}, struct{ x int64 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x uint }{0}, struct{ x uint }{0}, nil},
-	{struct{ x uint }{0}, struct{ x uint }{1}, []string{`x: 0 != 1`}},
-	{struct{ x uint8 }{0}, struct{ x uint8 }{0}, nil},
-	{struct{ x uint8 }{0}, struct{ x uint8 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x uint16 }{0}, struct{ x uint16 }{0}, nil},
-	{struct{ x uint16 }{0}, struct{ x uint16 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x uint32 }{0}, struct{ x uint32 }{0}, nil},
-	{struct{ x uint32 }{0}, struct{ x uint32 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x uint64 }{0}, struct{ x uint64 }{0}, nil},
-	{struct{ x uint64 }{0}, struct{ x uint64 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x uintptr }{0}, struct{ x uintptr }{0}, nil},
-	{struct{ x uintptr }{0}, struct{ x uintptr }{1}, []string{`x: 0 != 1`}},
-	{struct{ x float32 }{0}, struct{ x float32 }{0}, nil},
-	{struct{ x float32 }{0}, struct{ x float32 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x float64 }{0}, struct{ x float64 }{0}, nil},
-	{struct{ x float64 }{0}, struct{ x float64 }{1}, []string{`x: 0 != 1`}},
-	{struct{ x complex64 }{0}, struct{ x complex64 }{0}, nil},
-	{struct{ x complex64 }{0}, struct{ x complex64 }{1}, []string{`x: (0+0i) != (1+0i)`}},
-	{struct{ x complex128 }{0}, struct{ x complex128 }{0}, nil},
-	{struct{ x complex128 }{0}, struct{ x complex128 }{1}, []string{`x: (0+0i) != (1+0i)`}},
-	{struct{ x [1]int }{[1]int{0}}, struct{ x [1]int }{[1]int{0}}, nil},
-	{struct{ x [1]int }{[1]int{0}}, struct{ x [1]int }{[1]int{1}}, []string{`x[0]: 0 != 1`}},
-	{struct{ x chan int }{c0}, struct{ x chan int }{c0}, nil},
-	{struct{ x chan int }{c0}, struct{ x chan int }{c1}, []string{fmt.Sprintf("x: %p != %p", c0, c1)}},
-	{struct{ x func() }{f0}, struct{ x func() }{f0}, nil},
-	{struct{ x func() }{f0}, struct{ x func() }{f1}, []string{fmt.Sprintf("x: %p != %p", f0, f1)}},
-	{struct{ x interface{} }{0}, struct{ x interface{} }{0}, nil},
-	{struct{ x interface{} }{0}, struct{ x interface{} }{1}, []string{`x: 0 != 1`}},
-	{struct{ x interface{} }{0}, struct{ x interface{} }{""}, []string{`x: int != string`}},
-	{struct{ x interface{} }{0}, struct{ x interface{} }{nil}, []string{`x: int(0) != nil`}},
-	{struct{ x interface{} }{nil}, struct{ x interface{} }{0}, []string{`x: nil != int(0)`}},
-	{struct{ x map[int]int }{map[int]int{0: 0}}, struct{ x map[int]int }{map[int]int{0: 0}}, nil},
-	{struct{ x map[int]int }{map[int]int{0: 0}}, struct{ x map[int]int }{map[int]int{0: 1}}, []string{`x[0]: 0 != 1`}},
-	{struct{ x *int }{new(int)}, struct{ x *int }{new(int)}, nil},
-	{struct{ x *int }{&i0}, struct{ x *int }{&i1}, []string{`x: 0 != 1`}},
-	{struct{ x *int }{nil}, struct{ x *int }{&i0}, []string{`x: nil != &int(0)`}},
-	{struct{ x *int }{&i0}, struct{ x *int }{nil}, []string{`x: &int(0) != nil`}},
-	{struct{ x []int }{[]int{0}}, struct{ x []int }{[]int{0}}, nil},
-	{struct{ x []int }{[]int{0}}, struct{ x []int }{[]int{1}}, []string{`x[0]: 0 != 1`}},
-	{struct{ x string }{"a"}, struct{ x string }{"a"}, nil},
-	{struct{ x string }{"a"}, struct{ x string }{"b"}, []string{`x: "a" != "b"`}},
-	{struct{ x N }{N{0}}, struct{ x N }{N{0}}, nil},
-	{struct{ x N }{N{0}}, struct{ x N }{N{1}}, []string{`x.N: 0 != 1`}},
-	{
-		struct{ x unsafe.Pointer }{unsafe.Pointer(uintptr(0))},
-		struct{ x unsafe.Pointer }{unsafe.Pointer(uintptr(0))},
-		nil,
-	},
-	{
-		struct{ x unsafe.Pointer }{unsafe.Pointer(uintptr(0))},
-		struct{ x unsafe.Pointer }{unsafe.Pointer(uintptr(1))},
-		[]string{`x: 0x0 != 0x1`},
-	},
-}
-
-func TestDiff(t *testing.T) {
-	for _, tt := range diffs {
-		got := Diff(tt.a, tt.b)
-		eq := len(got) == len(tt.exp)
-		if eq {
-			for i := range got {
-				eq = eq && got[i] == tt.exp[i]
-			}
-		}
-		if !eq {
-			t.Errorf("diffing % #v", tt.a)
-			t.Errorf("with    % #v", tt.b)
-			diffdiff(t, got, tt.exp)
-			continue
-		}
-	}
-}
-
-func TestKeyEqual(t *testing.T) {
-	var emptyInterfaceZero interface{} = 0
-
-	cases := []interface{}{
-		new(bool),
-		new(int),
-		new(int8),
-		new(int16),
-		new(int32),
-		new(int64),
-		new(uint),
-		new(uint8),
-		new(uint16),
-		new(uint32),
-		new(uint64),
-		new(uintptr),
-		new(float32),
-		new(float64),
-		new(complex64),
-		new(complex128),
-		new([1]int),
-		new(chan int),
-		new(unsafe.Pointer),
-		new(interface{}),
-		&emptyInterfaceZero,
-		new(*int),
-		new(string),
-		new(struct{ int }),
-	}
-
-	for _, test := range cases {
-		rv := reflect.ValueOf(test).Elem()
-		if !keyEqual(rv, rv) {
-			t.Errorf("keyEqual(%s, %s) = false want true", rv.Type(), rv.Type())
-		}
-	}
-}
-
-func TestFdiff(t *testing.T) {
-	var buf bytes.Buffer
-	Fdiff(&buf, 0, 1)
-	want := "0 != 1\n"
-	if got := buf.String(); got != want {
-		t.Errorf("Fdiff(0, 1) = %q want %q", got, want)
-	}
-}
-
-func diffdiff(t *testing.T, got, exp []string) {
-	minus(t, "unexpected:", got, exp)
-	minus(t, "missing:", exp, got)
-}
-
-func minus(t *testing.T, s string, a, b []string) {
-	var i, j int
-	for i = 0; i < len(a); i++ {
-		for j = 0; j < len(b); j++ {
-			if a[i] == b[j] {
-				break
-			}
-		}
-		if j == len(b) {
-			t.Error(s, a[i])
-		}
-	}
-}
diff --git a/vendor/github.com/kr/pretty/example_test.go b/vendor/github.com/kr/pretty/example_test.go
deleted file mode 100644
index ecf40f3f..00000000
--- a/vendor/github.com/kr/pretty/example_test.go
+++ /dev/null
@@ -1,20 +0,0 @@
-package pretty_test
-
-import (
-	"fmt"
-	"github.com/kr/pretty"
-)
-
-func Example() {
-	type myType struct {
-		a, b int
-	}
-	var x = []myType{{1, 2}, {3, 4}, {5, 6}}
-	fmt.Printf("%# v", pretty.Formatter(x))
-	// output:
-	// []pretty_test.myType{
-	//     {a:1, b:2},
-	//     {a:3, b:4},
-	//     {a:5, b:6},
-	// }
-}
diff --git a/vendor/github.com/kr/pretty/formatter.go b/vendor/github.com/kr/pretty/formatter.go
index a317d7b8..bf4b598d 100644
--- a/vendor/github.com/kr/pretty/formatter.go
+++ b/vendor/github.com/kr/pretty/formatter.go
@@ -37,7 +37,7 @@ func (fo formatter) passThrough(f fmt.State, c rune) {
 	s := "%"
 	for i := 0; i < 128; i++ {
 		if f.Flag(i) {
-			s += string(i)
+			s += string(rune(i))
 		}
 	}
 	if w, ok := f.Width(); ok {
@@ -125,7 +125,6 @@ func (p *printer) printValue(v reflect.Value, showType, quote bool) {
 			}
 			keys := v.MapKeys()
 			for i := 0; i < v.Len(); i++ {
-				showTypeInStruct := true
 				k := keys[i]
 				mv := v.MapIndex(k)
 				pp.printValue(k, false, true)
@@ -133,7 +132,7 @@ func (p *printer) printValue(v reflect.Value, showType, quote bool) {
 				if expand {
 					writeByte(pp, '\t')
 				}
-				showTypeInStruct = t.Elem().Kind() == reflect.Interface
+				showTypeInStruct := t.Elem().Kind() == reflect.Interface
 				pp.printValue(mv, showTypeInStruct, true)
 				if expand {
 					io.WriteString(pp, ",\n")
diff --git a/vendor/github.com/kr/pretty/formatter_test.go b/vendor/github.com/kr/pretty/formatter_test.go
deleted file mode 100644
index c8c0b515..00000000
--- a/vendor/github.com/kr/pretty/formatter_test.go
+++ /dev/null
@@ -1,288 +0,0 @@
-package pretty
-
-import (
-	"fmt"
-	"io"
-	"strings"
-	"testing"
-	"unsafe"
-)
-
-type test struct {
-	v interface{}
-	s string
-}
-
-type passtest struct {
-	v    interface{}
-	f, s string
-}
-
-type LongStructTypeName struct {
-	longFieldName      interface{}
-	otherLongFieldName interface{}
-}
-
-type SA struct {
-	t *T
-	v T
-}
-
-type T struct {
-	x, y int
-}
-
-type F int
-
-func (f F) Format(s fmt.State, c rune) {
-	fmt.Fprintf(s, "F(%d)", int(f))
-}
-
-type Stringer struct { i int }
-
-func (s *Stringer) String() string { return "foo" }
-
-var long = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-
-var passthrough = []passtest{
-	{1, "%d", "1"},
-	{"a", "%s", "a"},
-	{&Stringer{}, "%s", "foo"},
-}
-
-func TestPassthrough(t *testing.T) {
-	for _, tt := range passthrough {
-		s := fmt.Sprintf(tt.f, Formatter(tt.v))
-		if tt.s != s {
-			t.Errorf("expected %q", tt.s)
-			t.Errorf("got      %q", s)
-			t.Errorf("expraw\n%s", tt.s)
-			t.Errorf("gotraw\n%s", s)
-		}
-	}
-}
-
-var gosyntax = []test{
-	{nil, `nil`},
-	{"", `""`},
-	{"a", `"a"`},
-	{1, "int(1)"},
-	{1.0, "float64(1)"},
-	{[]int(nil), "[]int(nil)"},
-	{[0]int{}, "[0]int{}"},
-	{complex(1, 0), "(1+0i)"},
-	//{make(chan int), "(chan int)(0x1234)"},
-	{unsafe.Pointer(uintptr(unsafe.Pointer(&long))), fmt.Sprintf("unsafe.Pointer(0x%02x)", uintptr(unsafe.Pointer(&long)))},
-	{func(int) {}, "func(int) {...}"},
-	{map[int]int{1: 1}, "map[int]int{1:1}"},
-	{int32(1), "int32(1)"},
-	{io.EOF, `&errors.errorString{s:"EOF"}`},
-	{[]string{"a"}, `[]string{"a"}`},
-	{
-		[]string{long},
-		`[]string{"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"}`,
-	},
-	{F(5), "pretty.F(5)"},
-	{
-		SA{&T{1, 2}, T{3, 4}},
-		`pretty.SA{
-    t:  &pretty.T{x:1, y:2},
-    v:  pretty.T{x:3, y:4},
-}`,
-	},
-	{
-		map[int][]byte{1: {}},
-		`map[int][]uint8{
-    1:  {},
-}`,
-	},
-	{
-		map[int]T{1: {}},
-		`map[int]pretty.T{
-    1:  {},
-}`,
-	},
-	{
-		long,
-		`"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"`,
-	},
-	{
-		LongStructTypeName{
-			longFieldName:      LongStructTypeName{},
-			otherLongFieldName: long,
-		},
-		`pretty.LongStructTypeName{
-    longFieldName:      pretty.LongStructTypeName{},
-    otherLongFieldName: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
-}`,
-	},
-	{
-		&LongStructTypeName{
-			longFieldName:      &LongStructTypeName{},
-			otherLongFieldName: (*LongStructTypeName)(nil),
-		},
-		`&pretty.LongStructTypeName{
-    longFieldName:      &pretty.LongStructTypeName{},
-    otherLongFieldName: (*pretty.LongStructTypeName)(nil),
-}`,
-	},
-	{
-		[]LongStructTypeName{
-			{nil, nil},
-			{3, 3},
-			{long, nil},
-		},
-		`[]pretty.LongStructTypeName{
-    {},
-    {
-        longFieldName:      int(3),
-        otherLongFieldName: int(3),
-    },
-    {
-        longFieldName:      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
-        otherLongFieldName: nil,
-    },
-}`,
-	},
-	{
-		[]interface{}{
-			LongStructTypeName{nil, nil},
-			[]byte{1, 2, 3},
-			T{3, 4},
-			LongStructTypeName{long, nil},
-		},
-		`[]interface {}{
-    pretty.LongStructTypeName{},
-    []uint8{0x1, 0x2, 0x3},
-    pretty.T{x:3, y:4},
-    pretty.LongStructTypeName{
-        longFieldName:      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
-        otherLongFieldName: nil,
-    },
-}`,
-	},
-}
-
-func TestGoSyntax(t *testing.T) {
-	for _, tt := range gosyntax {
-		s := fmt.Sprintf("%# v", Formatter(tt.v))
-		if tt.s != s {
-			t.Errorf("expected %q", tt.s)
-			t.Errorf("got      %q", s)
-			t.Errorf("expraw\n%s", tt.s)
-			t.Errorf("gotraw\n%s", s)
-		}
-	}
-}
-
-type I struct {
-	i int
-	R interface{}
-}
-
-func (i *I) I() *I { return i.R.(*I) }
-
-func TestCycle(t *testing.T) {
-	type A struct{ *A }
-	v := &A{}
-	v.A = v
-
-	// panics from stack overflow without cycle detection
-	t.Logf("Example cycle:\n%# v", Formatter(v))
-
-	p := &A{}
-	s := fmt.Sprintf("%# v", Formatter([]*A{p, p}))
-	if strings.Contains(s, "CYCLIC") {
-		t.Errorf("Repeated address detected as cyclic reference:\n%s", s)
-	}
-
-	type R struct {
-		i int
-		*R
-	}
-	r := &R{
-		i: 1,
-		R: &R{
-			i: 2,
-			R: &R{
-				i: 3,
-			},
-		},
-	}
-	r.R.R.R = r
-	t.Logf("Example longer cycle:\n%# v", Formatter(r))
-
-	r = &R{
-		i: 1,
-		R: &R{
-			i: 2,
-			R: &R{
-				i: 3,
-				R: &R{
-					i: 4,
-					R: &R{
-						i: 5,
-						R: &R{
-							i: 6,
-							R: &R{
-								i: 7,
-								R: &R{
-									i: 8,
-									R: &R{
-										i: 9,
-										R: &R{
-											i: 10,
-											R: &R{
-												i: 11,
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-	// here be pirates
-	r.R.R.R.R.R.R.R.R.R.R.R = r
-	t.Logf("Example very long cycle:\n%# v", Formatter(r))
-
-	i := &I{
-		i: 1,
-		R: &I{
-			i: 2,
-			R: &I{
-				i: 3,
-				R: &I{
-					i: 4,
-					R: &I{
-						i: 5,
-						R: &I{
-							i: 6,
-							R: &I{
-								i: 7,
-								R: &I{
-									i: 8,
-									R: &I{
-										i: 9,
-										R: &I{
-											i: 10,
-											R: &I{
-												i: 11,
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-	iv := i.I().I().I().I().I().I().I().I().I().I()
-	*iv = *i
-	t.Logf("Example long interface cycle:\n%# v", Formatter(i))
-}
diff --git a/vendor/github.com/kr/pretty/pretty.go b/vendor/github.com/kr/pretty/pretty.go
index 49423ec7..b4ca583c 100644
--- a/vendor/github.com/kr/pretty/pretty.go
+++ b/vendor/github.com/kr/pretty/pretty.go
@@ -75,7 +75,7 @@ func Printf(format string, a ...interface{}) (n int, errno error) {
 
 // Println pretty-prints its operands and writes to standard output.
 //
-// Calling Print(x, y) is equivalent to
+// Calling Println(x, y) is equivalent to
 // fmt.Println(Formatter(x), Formatter(y)), but each operand is
 // formatted with "%# v".
 func Println(a ...interface{}) (n int, errno error) {
diff --git a/vendor/github.com/kr/text/cmd/agg/doc.go b/vendor/github.com/kr/text/cmd/agg/doc.go
deleted file mode 100644
index 3a9ec2db..00000000
--- a/vendor/github.com/kr/text/cmd/agg/doc.go
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
-
-Agg computes aggregate values over tabular text.
-It behaves somewhat like the SQL “GROUP BY” clause.
-
-Usage:
-
-	agg [function...]
-
-It reads input from stdin as a sequence of records, one per line.
-It treats each line as a set of fields separated by white space.
-One field (the first, by default) is designated as the key.
-Successive lines with equal keys are grouped into a group,
-and agg produces one line of output for each group.
-(Note that only contiguous input lines can form a group.
-If you need to make sure that all records for a given key
-are grouped together, sort the input first.)
-
-For each remaining field,
-agg applies a function to all the values in the group,
-producing a single output value.
-The command line arguments specify which functions to use,
-one per field in the input table.
-
-Functions
-
-The available functions are:
-
-    key        group by this field (default for field 1)
-    first      value from first line of group (default for rest)
-    last       value from last line of group
-    sample     value from any line of group, uniformly at random
-    prefix     longest common string prefix
-    join:sep   concatenate strings with given sep
-    smin       lexically least string
-    smax       lexically greatest string
-    min        numerically least value
-    max        numerically greatest value
-    sum        numeric sum
-    mean       arithmetic mean
-    count      number of records (ignores input value)
-    const:val  print val, ignoring input
-    drop       omit the column entirely
-
-The numeric functions skip items that don't parse as numbers.
-
-Examples
-
-Using the following input:
-
-    $ cat >input
-    -rwx   alice      100   /home/alice/bin/crdt
-    -rw-   alice   210002   /home/alice/thesis.tex
-    -rw-   bob      10051   /home/bob/expenses.tab
-    -rwx   kr      862060   /home/kr/bin/blog
-    -rwx   kr      304608   /home/kr/bin/agg
-
-Disk usage for each user, plus where that disk usage occurs
-(longest common prefix of filesystem paths):
-
-    $ agg <input drop key sum prefix
-    alice	210153	/home/alice/
-    bob	10051	/home/bob/expenses.tab
-    kr	1166668	/home/kr/
-
-Disk usage for executable vs non-executable files:
-
-    $ sort input | agg key drop sum join:,
-    -rw-	220053	/home/alice/thesis.tex,/home/bob/expenses.tab
-    -rwx	1166768	/home/alice/bin/crdt,/home/kr/bin/agg,/home/kr/bin/blog
-
-*/
-package main
diff --git a/vendor/github.com/kr/text/cmd/agg/main.go b/vendor/github.com/kr/text/cmd/agg/main.go
deleted file mode 100644
index 4239aa43..00000000
--- a/vendor/github.com/kr/text/cmd/agg/main.go
+++ /dev/null
@@ -1,112 +0,0 @@
-package main
-
-// TODO(kr): tests
-
-import (
-	"bufio"
-	"fmt"
-	"log"
-	"math/rand"
-	"os"
-	"strings"
-	"time"
-)
-
-type agg interface {
-	merge(string)
-	String() string
-}
-
-var (
-	key     = 0
-	funcmap = make(map[int]func(init, arg string) agg)
-	argmap  = make(map[int]string)
-	symtab  = map[string]func(init, arg string) agg{
-		"first":  first,
-		"last":   last,
-		"prefix": prefix,
-		"sample": sample,
-		"join":   join,
-		"smin":   smin,
-		"smax":   smax,
-		"min":    min,
-		"max":    max,
-		"sum":    sum,
-		"mean":   mean,
-		"count":  count,
-		"const":  constf,
-		"drop":   nil,
-	}
-)
-
-func main() {
-	log.SetPrefix("agg: ")
-	log.SetFlags(0)
-	rand.Seed(time.Now().UnixNano())
-	for i, sym := range os.Args[1:] {
-		if p := strings.IndexByte(sym, ':'); p >= 0 {
-			sym, argmap[i] = sym[:p], sym[p+1:]
-		}
-		if sym == "key" {
-			key, sym = i, "first"
-		}
-		f, ok := symtab[sym]
-		if !ok {
-			log.Fatalf("bad function: %q", sym)
-		}
-		funcmap[i] = f
-	}
-
-	sc := bufio.NewScanner(os.Stdin)
-	var g *group
-	for sc.Scan() {
-		ss := strings.Fields(sc.Text())
-		if !matches(g, ss) {
-			emit(g)
-			g = &group{key: ss[key]}
-		}
-		mergeLine(g, ss)
-	}
-	emit(g)
-}
-
-type group struct {
-	key string
-	agg []agg
-}
-
-func matches(g *group, ss []string) bool {
-	return g != nil && g.key == ss[key]
-}
-
-func emit(g *group) {
-	if g == nil {
-		return
-	}
-	rest := false
-	for i, a := range g.agg {
-		if f, ok := funcmap[i]; ok && f == nil {
-			continue
-		}
-		if rest {
-			fmt.Print("\t")
-		}
-		rest = true
-		fmt.Print(a)
-	}
-	fmt.Println()
-}
-
-func mergeLine(g *group, ss []string) {
-	for i, s := range ss {
-		if i >= len(g.agg) {
-			f := funcmap[i]
-			if f == nil {
-				f = first
-			}
-			g.agg = append(g.agg, f(s, argmap[i]))
-		} else {
-			g.agg[i].merge(s)
-		}
-	}
-}
diff --git a/vendor/github.com/kr/text/cmd/agg/num.go b/vendor/github.com/kr/text/cmd/agg/num.go
deleted file mode 100644
index 93ac3fe1..00000000
--- a/vendor/github.com/kr/text/cmd/agg/num.go
+++ /dev/null
@@ -1,99 +0,0 @@
-package main
-
-import (
-	"math/big"
-	"strconv"
-)
-
-func min(s, arg string) agg { return newBinop(s, opmin) }
-func max(s, arg string) agg { return newBinop(s, opmax) }
-func sum(s, arg string) agg { return newBinop(s, opsum) }
-
-type binop struct {
-	v *big.Float
-	f func(a, b *big.Float) *big.Float
-}
-
-func newBinop(s string, f func(a, b *big.Float) *big.Float) *binop {
-	v, _ := parseFloat(s)
-	return &binop{v, f}
-}
-
-func (o *binop) String() string {
-	if o.v == nil {
-		return "NaN"
-	}
-	return o.v.Text('f', -1)
-}
-
-func (o *binop) merge(s string) {
-	v, ok := parseFloat(s)
-	if !ok {
-		return
-	}
-	o.v = o.f(o.v, v)
-}
-
-func opmin(a, b *big.Float) *big.Float {
-	if a != nil && (b == nil || a.Cmp(b) <= 0) {
-		return a
-	}
-	return b
-}
-
-func opmax(a, b *big.Float) *big.Float {
-	if a != nil && (b == nil || a.Cmp(b) >= 0) {
-		return a
-	}
-	return b
-}
-
-func opsum(a, b *big.Float) *big.Float {
-	if a == nil {
-		return b
-	} else if b == nil {
-		return a
-	}
-	return a.Add(a, b)
-}
-
-type meanagg struct {
-	v *big.Float
-	d float64 // actually an integer
-}
-
-func mean(s, arg string) agg {
-	v, ok := parseFloat(s)
-	if !ok {
-		return &meanagg{new(big.Float), 0}
-	}
-	return &meanagg{v, 1}
-}
-
-func (m *meanagg) String() string {
-	if m.d == 0 {
-		return "NaN"
-	}
-	v := new(big.Float).Quo(m.v, big.NewFloat(m.d))
-	return v.Text('f', -1)
-}
-
-func (m *meanagg) merge(s string) {
-	v, ok := parseFloat(s)
-	if !ok {
-		return
-	}
-	m.v.Add(m.v, v)
-	m.d++
-}
-
-func parseFloat(s string) (*big.Float, bool) {
-	v, _, err := big.ParseFloat(s, 0, 1000, big.ToNearestEven)
-	return v, err == nil
-}
-
-type counter int
-
-func count(init, arg string) agg  { return new(counter) }
-func (c *counter) String() string { return strconv.Itoa(int(*c) + 1) }
-func (c *counter) merge(string)   { *c++ }
diff --git a/vendor/github.com/kr/text/cmd/agg/string.go b/vendor/github.com/kr/text/cmd/agg/string.go
deleted file mode 100644
index 9a8cf78c..00000000
--- a/vendor/github.com/kr/text/cmd/agg/string.go
+++ /dev/null
@@ -1,74 +0,0 @@
-package main
-
-import (
-	"math/rand"
-	"strings"
-)
-
-func first(s, arg string) agg  { return &sbinop{s, opfirst} }
-func last(s, arg string) agg   { return &sbinop{s, oplast} }
-func prefix(s, arg string) agg { return &sbinop{s, opprefix} }
-func join(s, arg string) agg   { return &sbinop{s, opjoin(arg)} }
-func smin(s, arg string) agg   { return &sbinop{s, opsmin} }
-func smax(s, arg string) agg   { return &sbinop{s, opsmax} }
-
-type sbinop struct {
-	s string
-	f func(a, b string) string
-}
-
-func (o *sbinop) String() string { return o.s }
-
-func (o *sbinop) merge(s string) { o.s = o.f(o.s, s) }
-
-func opfirst(a, b string) string { return a }
-func oplast(a, b string) string  { return b }
-
-func opprefix(a, b string) string {
-	for i := range a {
-		if i >= len(b) || a[i] != b[i] {
-			return a[:i]
-		}
-	}
-	return a
-}
-
-func opjoin(sep string) func(a, b string) string {
-	return func(a, b string) string {
-		return a + sep + b // TODO(kr): too slow? maybe strings.Join?
-	}
-}
-
-func opsmin(a, b string) string {
-	if strings.Compare(a, b) <= 0 {
-		return a
-	}
-	return b
-}
-
-func opsmax(a, b string) string {
-	if strings.Compare(a, b) >= 0 {
-		return a
-	}
-	return b
-}
-
-type sampler struct {
-	n int
-	s string
-}
-
-func sample(s, arg string) agg    { return &sampler{1, s} }
-func (p *sampler) String() string { return p.s }
-func (p *sampler) merge(s string) {
-	p.n++
-	if rand.Intn(p.n) == 0 {
-		p.s = s
-	}
-}
-
-type constant string
-
-func constf(init, arg string) agg { return constant(arg) }
-func (c constant) String() string { return string(c) }
-func (c constant) merge(string)   {}
diff --git a/vendor/github.com/kr/text/colwriter/Readme b/vendor/github.com/kr/text/colwriter/Readme
deleted file mode 100644
index 1c1f4e68..00000000
--- a/vendor/github.com/kr/text/colwriter/Readme
+++ /dev/null
@@ -1,5 +0,0 @@
-Package colwriter provides a write filter that formats
-input lines in multiple columns.
-
-The package is a straightforward translation from
-/src/cmd/draw/mc.c in Plan 9 from User Space.
diff --git a/vendor/github.com/kr/text/colwriter/column.go b/vendor/github.com/kr/text/colwriter/column.go
deleted file mode 100644
index 7302ce9f..00000000
--- a/vendor/github.com/kr/text/colwriter/column.go
+++ /dev/null
@@ -1,147 +0,0 @@
-// Package colwriter provides a write filter that formats
-// input lines in multiple columns.
-//
-// The package is a straightforward translation from
-// /src/cmd/draw/mc.c in Plan 9 from User Space.
-package colwriter
-
-import (
-	"bytes"
-	"io"
-	"unicode/utf8"
-)
-
-const (
-	tab = 4
-)
-
-const (
-	// Print each input line ending in a colon ':' separately.
-	BreakOnColon uint = 1 << iota
-)
-
-// A Writer is a filter that arranges input lines in as many columns as will
-// fit in its width. Tab '\t' chars in the input are translated to sequences
-// of spaces ending at multiples of 4 positions.
-//
-// If BreakOnColon is set, each input line ending in a colon ':' is written
-// separately.
-//
-// The Writer assumes that all Unicode code points have the same width; this
-// may not be true in some fonts.
-type Writer struct {
-	w     io.Writer
-	buf   []byte
-	width int
-	flag  uint
-}
-
-// NewWriter allocates and initializes a new Writer writing to w.
-// Parameter width controls the total number of characters on each line
-// across all columns.
-func NewWriter(w io.Writer, width int, flag uint) *Writer {
-	return &Writer{
-		w:     w,
-		width: width,
-		flag:  flag,
-	}
-}
-
-// Write writes p to the writer w. The only errors returned are ones
-// encountered while writing to the underlying output stream.
-func (w *Writer) Write(p []byte) (n int, err error) {
-	var linelen int
-	var lastWasColon bool
-	for i, c := range p {
-		w.buf = append(w.buf, c)
-		linelen++
-		if c == '\t' {
-			w.buf[len(w.buf)-1] = ' '
-			for linelen%tab != 0 {
-				w.buf = append(w.buf, ' ')
-				linelen++
-			}
-		}
-		if w.flag&BreakOnColon != 0 && c == ':' {
-			lastWasColon = true
-		} else if lastWasColon {
-			if c == '\n' {
-				pos := bytes.LastIndex(w.buf[:len(w.buf)-1], []byte{'\n'})
-				if pos < 0 {
-					pos = 0
-				}
-				line := w.buf[pos:]
-				w.buf = w.buf[:pos]
-				if err = w.columnate(); err != nil {
-					if len(line) < i {
-						return i - len(line), err
-					}
-					return 0, err
-				}
-				if n, err := w.w.Write(line); err != nil {
-					if r := len(line) - n; r < i {
-						return i - r, err
-					}
-					return 0, err
-				}
-			}
-			lastWasColon = false
-		}
-		if c == '\n' {
-			linelen = 0
-		}
-	}
-	return len(p), nil
-}
-
-// Flush should be called after the last call to Write to ensure that any data
-// buffered in the Writer is written to output.
-func (w *Writer) Flush() error {
-	return w.columnate()
-}
-
-func (w *Writer) columnate() error {
-	words := bytes.Split(w.buf, []byte{'\n'})
-	w.buf = nil
-	if len(words[len(words)-1]) == 0 {
-		words = words[:len(words)-1]
-	}
-	maxwidth := 0
-	for _, wd := range words {
-		if n := utf8.RuneCount(wd); n > maxwidth {
-			maxwidth = n
-		}
-	}
-	maxwidth++ // space char
-	wordsPerLine := w.width / maxwidth
-	if wordsPerLine <= 0 {
-		wordsPerLine = 1
-	}
-	nlines := (len(words) + wordsPerLine - 1) / wordsPerLine
-	for i := 0; i < nlines; i++ {
-		col := 0
-		endcol := 0
-		for j := i; j < len(words); j += nlines {
-			endcol += maxwidth
-			_, err := w.w.Write(words[j])
-			if err != nil {
-				return err
-			}
-			col += utf8.RuneCount(words[j])
-			if j+nlines < len(words) {
-				for col < endcol {
-					_, err := w.w.Write([]byte{' '})
-					if err != nil {
-						return err
-					}
-					col++
-				}
-			}
-		}
-		_, err := w.w.Write([]byte{'\n'})
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
diff --git a/vendor/github.com/kr/text/colwriter/column_test.go b/vendor/github.com/kr/text/colwriter/column_test.go
deleted file mode 100644
index ce388f5a..00000000
--- a/vendor/github.com/kr/text/colwriter/column_test.go
+++ /dev/null
@@ -1,90 +0,0 @@
-package colwriter
-
-import (
-	"bytes"
-	"testing"
-)
-
-var src = `
-.git
-.gitignore
-.godir
-Procfile:
-README.md
-api.go
-apps.go
-auth.go
-darwin.go
-data.go
-dyno.go:
-env.go
-git.go
-help.go
-hkdist
-linux.go
-ls.go
-main.go
-plugin.go
-run.go
-scale.go
-ssh.go
-tail.go
-term
-unix.go
-update.go
-version.go
-windows.go
-`[1:]
-
-var tests = []struct {
-	wid  int
-	flag uint
-	src  string
-	want string
-}{
-	{80, 0, "", ""},
-	{80, 0, src, `
-.git       README.md  darwin.go  git.go     ls.go      scale.go   unix.go
-.gitignore api.go     data.go    help.go    main.go    ssh.go     update.go
-.godir     apps.go    dyno.go:   hkdist     plugin.go  tail.go    version.go
-Procfile:  auth.go    env.go     linux.go   run.go     term       windows.go
-`[1:]},
-	{80, BreakOnColon, src, `
-.git       .gitignore .godir
-
-Procfile:
-README.md api.go    apps.go   auth.go   darwin.go data.go
-
-dyno.go:
-env.go     hkdist     main.go    scale.go   term       version.go
-git.go     linux.go   plugin.go  ssh.go     unix.go    windows.go
-help.go    ls.go      run.go     tail.go    update.go
-`[1:]},
-	{20, 0, `
-Hello
-Γειά σου
-안녕
-今日は
-`[1:], `
-Hello    안녕
-Γειά σου 今日は
-`[1:]},
-}
-
-func TestWriter(t *testing.T) {
-	for _, test := range tests {
-		b := new(bytes.Buffer)
-		w := NewWriter(b, test.wid, test.flag)
-		if _, err := w.Write([]byte(test.src)); err != nil {
-			t.Error(err)
-		}
-		if err := w.Flush(); err != nil {
-			t.Error(err)
-		}
-		if g := b.String(); test.want != g {
-			t.Log("\n" + test.want)
-			t.Log("\n" + g)
-			t.Errorf("%q != %q", test.want, g)
-		}
-	}
-}
diff --git a/vendor/github.com/kr/text/indent_test.go b/vendor/github.com/kr/text/indent_test.go
deleted file mode 100644
index 5c723eee..00000000
--- a/vendor/github.com/kr/text/indent_test.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package text
-
-import (
-	"bytes"
-	"testing"
-)
-
-type T struct {
-	inp, exp, pre string
-}
-
-var tests = []T{
-	{
-		"The quick brown fox\njumps over the lazy\ndog.\nBut not quickly.\n",
-		"xxxThe quick brown fox\nxxxjumps over the lazy\nxxxdog.\nxxxBut not quickly.\n",
-		"xxx",
-	},
-	{
-		"The quick brown fox\njumps over the lazy\ndog.\n\nBut not quickly.",
-		"xxxThe quick brown fox\nxxxjumps over the lazy\nxxxdog.\n\nxxxBut not quickly.",
-		"xxx",
-	},
-}
-
-func TestIndent(t *testing.T) {
-	for _, test := range tests {
-		got := Indent(test.inp, test.pre)
-		if got != test.exp {
-			t.Errorf("mismatch %q != %q", got, test.exp)
-		}
-	}
-}
-
-type IndentWriterTest struct {
-	inp, exp string
-	pre      []string
-}
-
-var ts = []IndentWriterTest{
-	{
-		`
-The quick brown fox
-jumps over the lazy
-dog.
-But not quickly.
-`[1:],
-		`
-xxxThe quick brown fox
-xxxjumps over the lazy
-xxxdog.
-xxxBut not quickly.
-`[1:],
-		[]string{"xxx"},
-	},
-	{
-		`
-The quick brown fox
-jumps over the lazy
-dog.
-But not quickly.
-`[1:],
-		`
-xxaThe quick brown fox
-xxxjumps over the lazy
-xxxdog.
-xxxBut not quickly.
-`[1:],
-		[]string{"xxa", "xxx"},
-	},
-	{
-		`
-The quick brown fox
-jumps over the lazy
-dog.
-But not quickly.
-`[1:],
-		`
-xxaThe quick brown fox
-xxbjumps over the lazy
-xxcdog.
-xxxBut not quickly.
-`[1:],
-		[]string{"xxa", "xxb", "xxc", "xxx"},
-	},
-	{
-		`
-The quick brown fox
-jumps over the lazy
-dog.
-
-But not quickly.`[1:],
-		`
-xxaThe quick brown fox
-xxxjumps over the lazy
-xxxdog.
-xxx
-xxxBut not quickly.`[1:],
-		[]string{"xxa", "xxx"},
-	},
-}
-
-func TestIndentWriter(t *testing.T) {
-	for _, test := range ts {
-		b := new(bytes.Buffer)
-		pre := make([][]byte, len(test.pre))
-		for i := range test.pre {
-			pre[i] = []byte(test.pre[i])
-		}
-		w := NewIndentWriter(b, pre...)
-		if _, err := w.Write([]byte(test.inp)); err != nil {
-			t.Error(err)
-		}
-		if got := b.String(); got != test.exp {
-			t.Errorf("mismatch %q != %q", got, test.exp)
-			t.Log(got)
-			t.Log(test.exp)
-		}
-	}
-}
diff --git a/vendor/github.com/kr/text/mc/Readme b/vendor/github.com/kr/text/mc/Readme
deleted file mode 100644
index 519ddc00..00000000
--- a/vendor/github.com/kr/text/mc/Readme
+++ /dev/null
@@ -1,9 +0,0 @@
-Command mc prints in multiple columns.
-
-  Usage: mc [-] [-N] [file...]
-
-Mc splits the input into as many columns as will fit in N
-print positions. If the output is a tty, the default N is
-the number of characters in a terminal line; otherwise the
-default N is 80. Under option - each input line ending in
-a colon ':' is printed separately.
diff --git a/vendor/github.com/kr/text/mc/mc.go b/vendor/github.com/kr/text/mc/mc.go
deleted file mode 100644
index 00169a30..00000000
--- a/vendor/github.com/kr/text/mc/mc.go
+++ /dev/null
@@ -1,62 +0,0 @@
-// Command mc prints in multiple columns.
-//
-//   Usage: mc [-] [-N] [file...]
-//
-// Mc splits the input into as many columns as will fit in N
-// print positions. If the output is a tty, the default N is
-// the number of characters in a terminal line; otherwise the
-// default N is 80. Under option - each input line ending in
-// a colon ':' is printed separately.
-package main
-
-import (
-	"github.com/kr/pty"
-	"github.com/kr/text/colwriter"
-	"io"
-	"log"
-	"os"
-	"strconv"
-)
-
-func main() {
-	var width int
-	var flag uint
-	args := os.Args[1:]
-	for len(args) > 0 && len(args[0]) > 0 && args[0][0] == '-' {
-		if len(args[0]) > 1 {
-			width, _ = strconv.Atoi(args[0][1:])
-		} else {
-			flag |= colwriter.BreakOnColon
-		}
-		args = args[1:]
-	}
-	if width < 1 {
-		_, width, _ = pty.Getsize(os.Stdout)
-	}
-	if width < 1 {
-		width = 80
-	}
-
-	w := colwriter.NewWriter(os.Stdout, width, flag)
-	if len(args) > 0 {
-		for _, s := range args {
-			if f, err := os.Open(s); err == nil {
-				copyin(w, f)
-				f.Close()
-			} else {
-				log.Println(err)
-			}
-		}
-	} else {
-		copyin(w, os.Stdin)
-	}
-}
-
-func copyin(w *colwriter.Writer, r io.Reader) {
-	if _, err := io.Copy(w, r); err != nil {
-		log.Println(err)
-	}
-	if err := w.Flush(); err != nil {
-		log.Println(err)
-	}
-}
diff --git a/vendor/github.com/kr/text/wrap_test.go b/vendor/github.com/kr/text/wrap_test.go
deleted file mode 100644
index 634b6e8e..00000000
--- a/vendor/github.com/kr/text/wrap_test.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package text
-
-import (
-	"bytes"
-	"testing"
-)
-
-var text = "The quick brown fox jumps over the lazy dog."
-
-func TestWrap(t *testing.T) {
-	exp := [][]string{
-		{"The", "quick", "brown", "fox"},
-		{"jumps", "over", "the", "lazy", "dog."},
-	}
-	words := bytes.Split([]byte(text), sp)
-	got := WrapWords(words, 1, 24, defaultPenalty)
-	if len(exp) != len(got) {
-		t.Fail()
-	}
-	for i := range exp {
-		if len(exp[i]) != len(got[i]) {
-			t.Fail()
-		}
-		for j := range exp[i] {
-			if exp[i][j] != string(got[i][j]) {
-				t.Fatal(i, exp[i][j], got[i][j])
-			}
-		}
-	}
-}
-
-func TestWrapNarrow(t *testing.T) {
-	exp := "The\nquick\nbrown\nfox\njumps\nover\nthe\nlazy\ndog."
-	if Wrap(text, 5) != exp {
-		t.Fail()
-	}
-}
-
-func TestWrapOneLine(t *testing.T) {
-	exp := "The quick brown fox jumps over the lazy dog."
-	if Wrap(text, 500) != exp {
-		t.Fail()
-	}
-}
-
-func TestWrapBug1(t *testing.T) {
-	cases := []struct {
-		limit int
-		text  string
-		want  string
-	}{
-		{4, "aaaaa", "aaaaa"},
-		{4, "a aaaaa", "a\naaaaa"},
-	}
-
-	for _, test := range cases {
-		got := Wrap(test.text, test.limit)
-		if got != test.want {
-			t.Errorf("Wrap(%q, %d) = %q want %q", test.text, test.limit, got, test.want)
-		}
-	}
-}
diff --git a/vendor/github.com/russellhaering/goxmldsig/.travis.yml b/vendor/github.com/russellhaering/goxmldsig/.travis.yml
index 637f840c..4f020af5 100644
--- a/vendor/github.com/russellhaering/goxmldsig/.travis.yml
+++ b/vendor/github.com/russellhaering/goxmldsig/.travis.yml
@@ -1,6 +1,7 @@
 language: go
 
 go:
-  - 1.5
-  - 1.6
-  - tip
\ No newline at end of file
+  - "1.13.x"
+  - "1.14.x"
+  - "1.15.x"
+  - master
diff --git a/vendor/github.com/russellhaering/goxmldsig/README.md b/vendor/github.com/russellhaering/goxmldsig/README.md
index 5fc3bdbc..9464e61e 100644
--- a/vendor/github.com/russellhaering/goxmldsig/README.md
+++ b/vendor/github.com/russellhaering/goxmldsig/README.md
@@ -7,7 +7,7 @@ XML Digital Signatures implemented in pure Go.
 
 ## Installation
 
-Install `goxmldsig` into your `$GOPATH` using `go get`:
+Install `goxmldsig` using `go get`:
 
 ```
 $ go get github.com/russellhaering/goxmldsig
diff --git a/vendor/github.com/russellhaering/goxmldsig/canonicalize_test.go b/vendor/github.com/russellhaering/goxmldsig/canonicalize_test.go
deleted file mode 100644
index da7b7712..00000000
--- a/vendor/github.com/russellhaering/goxmldsig/canonicalize_test.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package dsig
-
-import (
-	"testing"
-
-	"github.com/beevik/etree"
-	"github.com/stretchr/testify/require"
-)
-
-const (
-	assertion       = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_88a93ebe-abdf-48cd-9ed0-b0dd1b252909" Version="2.0" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://saml2.test.astuart.co/sso/saml2" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0" IssueInstant="2016-04-28T15:37:17" Destination="http://idp.astuart.co/idp/profile/SAML2/Redirect/SSO"><saml:Issuer>https://saml2.test.astuart.co/sso/saml2</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format=""/><samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>`
-	c14n11          = `<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" AssertionConsumerServiceURL="https://saml2.test.astuart.co/sso/saml2" AttributeConsumingServiceIndex="0" Destination="http://idp.astuart.co/idp/profile/SAML2/Redirect/SSO" ID="_88a93ebe-abdf-48cd-9ed0-b0dd1b252909" IssueInstant="2016-04-28T15:37:17" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer>https://saml2.test.astuart.co/sso/saml2</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format=""></samlp:NameIDPolicy><samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>`
-	assertionC14ned = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" AssertionConsumerServiceURL="https://saml2.test.astuart.co/sso/saml2" AttributeConsumingServiceIndex="0" Destination="http://idp.astuart.co/idp/profile/SAML2/Redirect/SSO" ID="_88a93ebe-abdf-48cd-9ed0-b0dd1b252909" IssueInstant="2016-04-28T15:37:17" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml2.test.astuart.co/sso/saml2</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format=""></samlp:NameIDPolicy><samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>`
-)
-
-const (
-	xmldoc                             = `<Foo ID="id1619705532971228558789260" xmlns:bar="urn:bar" xmlns="urn:foo"><bar:Baz></bar:Baz></Foo>`
-	xmldocC14N10ExclusiveCanonicalized = `<Foo xmlns="urn:foo" ID="id1619705532971228558789260"><bar:Baz xmlns:bar="urn:bar"></bar:Baz></Foo>`
-	xmldocC14N11Canonicalized          = `<Foo xmlns="urn:foo" xmlns:bar="urn:bar" ID="id1619705532971228558789260"><bar:Baz></bar:Baz></Foo>`
-)
-
-func runCanonicalizationTest(t *testing.T, canonicalizer Canonicalizer, xmlstr string, canonicalXmlstr string) {
-	raw := etree.NewDocument()
-	err := raw.ReadFromString(xmlstr)
-	require.NoError(t, err)
-
-	canonicalized, err := canonicalizer.Canonicalize(raw.Root())
-	require.NoError(t, err)
-	require.Equal(t, canonicalXmlstr, string(canonicalized))
-}
-
-func TestExcC14N10(t *testing.T) {
-	runCanonicalizationTest(t, MakeC14N10ExclusiveCanonicalizerWithPrefixList(""), assertion, assertionC14ned)
-}
-
-func TestC14N11(t *testing.T) {
-	runCanonicalizationTest(t, MakeC14N11Canonicalizer(), assertion, c14n11)
-}
-
-func TestXmldocC14N10Exclusive(t *testing.T) {
-	runCanonicalizationTest(t, MakeC14N10ExclusiveCanonicalizerWithPrefixList(""), xmldoc, xmldocC14N10ExclusiveCanonicalized)
-}
-
-func TestXmldocC14N11(t *testing.T) {
-	runCanonicalizationTest(t, MakeC14N11Canonicalizer(), xmldoc, xmldocC14N11Canonicalized)
-}
-
-func TestExcC14nDefaultNamespace(t *testing.T) {
-	input := `<foo:Foo xmlns="urn:baz" xmlns:foo="urn:foo"><foo:Bar></foo:Bar></foo:Foo>`
-	expected := `<foo:Foo xmlns:foo="urn:foo"><foo:Bar></foo:Bar></foo:Foo>`
-	runCanonicalizationTest(t, MakeC14N10ExclusiveCanonicalizerWithPrefixList(""), input, expected)
-}
-
-func TestExcC14nWithPrefixList(t *testing.T) {
-	input := `<foo:Foo xmlns:foo="urn:foo" xmlns:xs="http://www.w3.org/2001/XMLSchema"><foo:Bar xmlns:xs="http://www.w3.org/2001/XMLSchema"></foo:Bar></foo:Foo>`
-	expected := `<foo:Foo xmlns:foo="urn:foo" xmlns:xs="http://www.w3.org/2001/XMLSchema"><foo:Bar></foo:Bar></foo:Foo>`
-	canonicalizer := MakeC14N10ExclusiveCanonicalizerWithPrefixList("xs")
-	runCanonicalizationTest(t, canonicalizer, input, expected)
-}
-
-func TestExcC14nRedeclareDefaultNamespace(t *testing.T) {
-	input := `<Foo xmlns="urn:foo"><Bar xmlns="uri:bar"></Bar></Foo>`
-	expected := `<Foo xmlns="urn:foo"><Bar xmlns="uri:bar"></Bar></Foo>`
-	canonicalizer := MakeC14N10ExclusiveCanonicalizerWithPrefixList("")
-	runCanonicalizationTest(t, canonicalizer, input, expected)
-}
diff --git a/vendor/github.com/russellhaering/goxmldsig/etreeutils/canonicalize.go b/vendor/github.com/russellhaering/goxmldsig/etreeutils/canonicalize.go
index 9e6df954..e9f8deb1 100644
--- a/vendor/github.com/russellhaering/goxmldsig/etreeutils/canonicalize.go
+++ b/vendor/github.com/russellhaering/goxmldsig/etreeutils/canonicalize.go
@@ -16,7 +16,7 @@ func TransformExcC14n(el *etree.Element, inclusiveNamespacesPrefixList string) e
 		prefixSet[prefix] = struct{}{}
 	}
 
-	err := transformExcC14n(DefaultNSContext, EmptyNSContext, el, prefixSet)
+	err := transformExcC14n(DefaultNSContext, DefaultNSContext, el, prefixSet)
 	if err != nil {
 		return err
 	}
diff --git a/vendor/github.com/russellhaering/goxmldsig/etreeutils/namespace.go b/vendor/github.com/russellhaering/goxmldsig/etreeutils/namespace.go
index 45f3bea1..baf1124f 100644
--- a/vendor/github.com/russellhaering/goxmldsig/etreeutils/namespace.go
+++ b/vendor/github.com/russellhaering/goxmldsig/etreeutils/namespace.go
@@ -266,7 +266,12 @@ func NSFindIterate(el *etree.Element, namespace, tag string, handle NSIterHandle
 // returned by NSFindIterate.
 func NSFindIterateCtx(ctx NSContext, el *etree.Element, namespace, tag string, handle NSIterHandler) error {
 	err := NSTraverse(ctx, el, func(ctx NSContext, el *etree.Element) error {
-		currentNS, err := ctx.LookupPrefix(el.Space)
+		_ctx, err := ctx.SubContext(el)
+		if err != nil {
+			return err
+		}
+
+		currentNS, err := _ctx.LookupPrefix(el.Space)
 		if err != nil {
 			return err
 		}
@@ -309,6 +314,80 @@ func NSFindOneCtx(ctx NSContext, el *etree.Element, namespace, tag string) (*etr
 	return found, nil
 }
 
+// NSIterateChildren iterates the children of an element, invoking the passed
+// handler with each direct child of the element, and the context surrounding
+// that child.
+func NSIterateChildren(ctx NSContext, el *etree.Element, handle NSIterHandler) error {
+	ctx, err := ctx.SubContext(el)
+	if err != nil {
+		return err
+	}
+
+	// Iterate the child elements.
+	for _, child := range el.ChildElements() {
+		err = handle(ctx, child)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// NSFindIterateChildrenCtx takes an element and its surrounding context, and iterates
+// the children of that element searching for an element matching the passed namespace
+// and tag. For each such element that is found, handle is invoked with the matched
+// element and its own surrounding context.
+func NSFindChildrenIterateCtx(ctx NSContext, el *etree.Element, namespace, tag string, handle NSIterHandler) error {
+	err := NSIterateChildren(ctx, el, func(ctx NSContext, el *etree.Element) error {
+		_ctx, err := ctx.SubContext(el)
+		if err != nil {
+			return err
+		}
+
+		currentNS, err := _ctx.LookupPrefix(el.Space)
+		if err != nil {
+			return err
+		}
+
+		// Base case, el is the sought after element.
+		if currentNS == namespace && el.Tag == tag {
+			return handle(ctx, el)
+		}
+
+		return nil
+	})
+
+	if err != nil && err != ErrTraversalHalted {
+		return err
+	}
+
+	return nil
+}
+
+// NSFindOneChild behaves identically to NSFindOneChildCtx, but uses
+// DefaultNSContext for context.
+func NSFindOneChild(el *etree.Element, namespace, tag string) (*etree.Element, error) {
+	return NSFindOneChildCtx(DefaultNSContext, el, namespace, tag)
+}
+
+// NSFindOneCtx conducts a depth-first search for the specified element. If such an
+// element is found a reference to it is returned.
+func NSFindOneChildCtx(ctx NSContext, el *etree.Element, namespace, tag string) (*etree.Element, error) {
+	var found *etree.Element
+
+	err := NSFindChildrenIterateCtx(ctx, el, namespace, tag, func(ctx NSContext, el *etree.Element) error {
+		found = el
+		return ErrTraversalHalted
+	})
+
+	if err != nil && err != ErrTraversalHalted {
+		return nil, err
+	}
+
+	return found, nil
+}
+
 // NSBuildParentContext recurses upward from an element in order to build an NSContext
 // for its immediate parent. If the element has no parent DefaultNSContext
 // is returned.
diff --git a/vendor/github.com/russellhaering/goxmldsig/run_test.sh b/vendor/github.com/russellhaering/goxmldsig/run_test.sh
old mode 100755
new mode 100644
diff --git a/vendor/github.com/russellhaering/goxmldsig/sign_test.go b/vendor/github.com/russellhaering/goxmldsig/sign_test.go
deleted file mode 100644
index 56baa2a1..00000000
--- a/vendor/github.com/russellhaering/goxmldsig/sign_test.go
+++ /dev/null
@@ -1,139 +0,0 @@
-package dsig
-
-import (
-	"crypto"
-	"encoding/base64"
-	"testing"
-
-	"github.com/beevik/etree"
-	"github.com/stretchr/testify/require"
-)
-
-func TestSign(t *testing.T) {
-	randomKeyStore := RandomKeyStoreForTest()
-	ctx := NewDefaultSigningContext(randomKeyStore)
-
-	authnRequest := &etree.Element{
-		Space: "samlp",
-		Tag:   "AuthnRequest",
-	}
-	id := "_97e34c50-65ec-4132-8b39-02933960a96a"
-	authnRequest.CreateAttr("ID", id)
-	hash := crypto.SHA256.New()
-	canonicalized, err := ctx.Canonicalizer.Canonicalize(authnRequest)
-	require.NoError(t, err)
-
-	_, err = hash.Write(canonicalized)
-	require.NoError(t, err)
-	digest := hash.Sum(nil)
-
-	signed, err := ctx.SignEnveloped(authnRequest)
-	require.NoError(t, err)
-	require.NotEmpty(t, signed)
-
-	sig := signed.FindElement("//" + SignatureTag)
-	require.NotEmpty(t, sig)
-
-	signedInfo := sig.FindElement("//" + SignedInfoTag)
-	require.NotEmpty(t, signedInfo)
-
-	canonicalizationMethodElement := signedInfo.FindElement("//" + CanonicalizationMethodTag)
-	require.NotEmpty(t, canonicalizationMethodElement)
-
-	canonicalizationMethodAttr := canonicalizationMethodElement.SelectAttr(AlgorithmAttr)
-	require.NotEmpty(t, canonicalizationMethodAttr)
-	require.Equal(t, CanonicalXML11AlgorithmId.String(), canonicalizationMethodAttr.Value)
-
-	signatureMethodElement := signedInfo.FindElement("//" + SignatureMethodTag)
-	require.NotEmpty(t, signatureMethodElement)
-
-	signatureMethodAttr := signatureMethodElement.SelectAttr(AlgorithmAttr)
-	require.NotEmpty(t, signatureMethodAttr)
-	require.Equal(t, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", signatureMethodAttr.Value)
-
-	referenceElement := signedInfo.FindElement("//" + ReferenceTag)
-	require.NotEmpty(t, referenceElement)
-
-	idAttr := referenceElement.SelectAttr(URIAttr)
-	require.NotEmpty(t, idAttr)
-	require.Equal(t, "#"+id, idAttr.Value)
-
-	transformsElement := referenceElement.FindElement("//" + TransformsTag)
-	require.NotEmpty(t, transformsElement)
-
-	transformElement := transformsElement.FindElement("//" + TransformTag)
-	require.NotEmpty(t, transformElement)
-
-	algorithmAttr := transformElement.SelectAttr(AlgorithmAttr)
-	require.NotEmpty(t, algorithmAttr)
-	require.Equal(t, EnvelopedSignatureAltorithmId.String(), algorithmAttr.Value)
-
-	digestMethodElement := referenceElement.FindElement("//" + DigestMethodTag)
-	require.NotEmpty(t, digestMethodElement)
-
-	digestMethodAttr := digestMethodElement.SelectAttr(AlgorithmAttr)
-	require.NotEmpty(t, digestMethodElement)
-	require.Equal(t, "http://www.w3.org/2001/04/xmlenc#sha256", digestMethodAttr.Value)
-
-	digestValueElement := referenceElement.FindElement("//" + DigestValueTag)
-	require.NotEmpty(t, digestValueElement)
-	require.Equal(t, base64.StdEncoding.EncodeToString(digest), digestValueElement.Text())
-}
-
-func TestSignErrors(t *testing.T) {
-	randomKeyStore := RandomKeyStoreForTest()
-	ctx := &SigningContext{
-		Hash:        crypto.SHA512_256,
-		KeyStore:    randomKeyStore,
-		IdAttribute: DefaultIdAttr,
-		Prefix:      DefaultPrefix,
-	}
-
-	authnRequest := &etree.Element{
-		Space: "samlp",
-		Tag:   "AuthnRequest",
-	}
-
-	_, err := ctx.SignEnveloped(authnRequest)
-	require.Error(t, err)
-
-	randomKeyStore = RandomKeyStoreForTest()
-	ctx = NewDefaultSigningContext(randomKeyStore)
-
-	authnRequest = &etree.Element{
-		Space: "samlp",
-		Tag:   "AuthnRequest",
-	}
-
-	_, err = ctx.SignEnveloped(authnRequest)
-	require.Error(t, err)
-}
-
-func TestSignNonDefaultID(t *testing.T) {
-	// Sign a document by referencing a non-default ID attribute ("OtherID"),
-	// and confirm that the signature correctly references it.
-	ks := RandomKeyStoreForTest()
-	ctx := &SigningContext{
-		Hash:          crypto.SHA256,
-		KeyStore:      ks,
-		IdAttribute:   "OtherID",
-		Prefix:        DefaultPrefix,
-		Canonicalizer: MakeC14N11Canonicalizer(),
-	}
-
-	signable := &etree.Element{
-		Space: "foo",
-		Tag:   "Bar",
-	}
-
-	id := "_97e34c50-65ec-4132-8b39-02933960a96b"
-
-	signable.CreateAttr("OtherID", id)
-	signed, err := ctx.SignEnveloped(signable)
-	require.NoError(t, err)
-
-	ref := signed.FindElement("./Signature/SignedInfo/Reference")
-	require.NotNil(t, ref)
-	refURI := ref.SelectAttrValue("URI", "")
-	require.Equal(t, refURI, "#"+id)
-}
diff --git a/vendor/github.com/russellhaering/goxmldsig/validate.go b/vendor/github.com/russellhaering/goxmldsig/validate.go
index 980a4e56..3fac6991 100644
--- a/vendor/github.com/russellhaering/goxmldsig/validate.go
+++ b/vendor/github.com/russellhaering/goxmldsig/validate.go
@@ -21,6 +21,7 @@ var (
 	// ErrMissingSignature indicates that no enveloped signature was found referencing
 	// the top level element passed for signature verification.
 	ErrMissingSignature = errors.New("Missing signature referencing the top-level element")
+	ErrInvalidSignature = errors.New( "Invalid Signature")
 )
 
 type ValidationContext struct {
@@ -59,31 +60,51 @@ func childPath(space, tag string) string {
 	}
 }
 
-// The RemoveElement method on etree.Element isn't recursive...
-func recursivelyRemoveElement(tree, el *etree.Element) bool {
-	if tree.RemoveChild(el) != nil {
-		return true
+func mapPathToElement(tree, el *etree.Element) []int {
+	for i, child := range tree.Child {
+		if child == el {
+			return []int{i}
+		}
 	}
 
-	for _, child := range tree.Child {
+	for i, child := range tree.Child {
 		if childElement, ok := child.(*etree.Element); ok {
-			if recursivelyRemoveElement(childElement, el) {
-				return true
+			childPath := mapPathToElement(childElement, el)
+			if childElement != nil {
+				return append([]int{i}, childPath...)
 			}
 		}
 	}
 
-	return false
+	return nil
+}
+
+func removeElementAtPath(el *etree.Element, path []int) bool {
+	if len(path) == 0 {
+		return false
+	}
+
+	if len(el.Child) <= path[0] {
+		return false
+	}
+
+	childElement, ok := el.Child[path[0]].(*etree.Element)
+	if !ok {
+		return false
+	}
+
+	if len(path) == 1 {
+		el.RemoveChild(childElement)
+		return true
+	}
+
+	return removeElementAtPath(childElement, path[1:])
 }
 
-// transform applies the passed set of transforms to the specified root element.
+// Transform returns a new element equivalent to the passed root el, but with
+// the set of transformations described by the ref applied.
 //
 // The functionality of transform is currently very limited and purpose-specific.
-//
-// NOTE(russell_h): Ideally this wouldn't mutate the root passed to it, and would
-// instead return a copy. Unfortunately copying the tree makes it difficult to
-// correctly locate the signature. I'm opting, for now, to simply mutate the root
-// parameter.
 func (ctx *ValidationContext) transform(
 	el *etree.Element,
 	sig *types.Signature,
@@ -94,6 +115,14 @@ func (ctx *ValidationContext) transform(
 		return nil, nil, errors.New("Expected Enveloped and C14N transforms")
 	}
 
+	// map the path to the passed signature relative to the passed root, in
+	// order to enable removal of the signature by an enveloped signature
+	// transform
+	signaturePath := mapPathToElement(el, sig.UnderlyingElement())
+
+	// make a copy of the passed root
+	el = el.Copy()
+
 	var canonicalizer Canonicalizer
 
 	for _, transform := range transforms {
@@ -101,7 +130,7 @@ func (ctx *ValidationContext) transform(
 
 		switch AlgorithmID(algo) {
 		case EnvelopedSignatureAltorithmId:
-			if !recursivelyRemoveElement(el, sig.UnderlyingElement()) {
+			if !removeElementAtPath(el, signaturePath) {
 				return nil, nil, errors.New("Error applying canonicalization transform: Signature not found")
 			}
 
@@ -157,7 +186,16 @@ func (ctx *ValidationContext) digest(el *etree.Element, digestAlgorithmId string
 func (ctx *ValidationContext) verifySignedInfo(sig *types.Signature, canonicalizer Canonicalizer, signatureMethodId string, cert *x509.Certificate, decodedSignature []byte) error {
 	signatureElement := sig.UnderlyingElement()
 
-	signedInfo := signatureElement.FindElement(childPath(signatureElement.Space, SignedInfoTag))
+	nsCtx, err := etreeutils.NSBuildParentContext(signatureElement)
+	if err != nil {
+		return err
+	}
+
+	signedInfo, err := etreeutils.NSFindOneChildCtx(nsCtx, signatureElement, Namespace, SignedInfoTag)
+	if err != nil {
+		return err
+	}
+
 	if signedInfo == nil {
 		return errors.New("Missing SignedInfo")
 	}
@@ -259,9 +297,28 @@ func contains(roots []*x509.Certificate, cert *x509.Certificate) bool {
 	return false
 }
 
+// In most places, we use etree Elements, but while deserializing the Signature, we use
+// encoding/xml unmarshal directly to convert to a convenient go struct. This presents a problem in some cases because
+// when an xml element repeats under the parent, the last element will win and/or be appended. We need to assert that
+// the Signature object matches the expected shape of a Signature object.
+func validateShape(signatureEl *etree.Element) error {
+	children := signatureEl.ChildElements()
+
+	childCounts := map[string]int{}
+	for _, child := range children {
+		childCounts[child.Tag]++
+	}
+
+	validateCount := childCounts[SignedInfoTag] == 1 && childCounts[KeyInfoTag] <= 1 && childCounts[SignatureValueTag] == 1
+	if !validateCount {
+		return ErrInvalidSignature
+	}
+	return nil
+}
+
 // findSignature searches for a Signature element referencing the passed root element.
-func (ctx *ValidationContext) findSignature(el *etree.Element) (*types.Signature, error) {
-	idAttr := el.SelectAttr(ctx.IdAttribute)
+func (ctx *ValidationContext) findSignature(root *etree.Element) (*types.Signature, error) {
+	idAttr := root.SelectAttr(ctx.IdAttribute)
 	if idAttr == nil || idAttr.Value == "" {
 		return nil, errors.New("Missing ID attribute")
 	}
@@ -269,22 +326,24 @@ func (ctx *ValidationContext) findSignature(el *etree.Element) (*types.Signature
 	var sig *types.Signature
 
 	// Traverse the tree looking for a Signature element
-	err := etreeutils.NSFindIterate(el, Namespace, SignatureTag, func(ctx etreeutils.NSContext, el *etree.Element) error {
-
+	err := etreeutils.NSFindIterate(root, Namespace, SignatureTag, func(ctx etreeutils.NSContext, signatureEl *etree.Element) error {
+		err := validateShape(signatureEl)
+		if err != nil {
+			return err
+		}
 		found := false
-		err := etreeutils.NSFindIterateCtx(ctx, el, Namespace, SignedInfoTag,
+		err = etreeutils.NSFindChildrenIterateCtx(ctx, signatureEl, Namespace, SignedInfoTag,
 			func(ctx etreeutils.NSContext, signedInfo *etree.Element) error {
-				// Ignore any SignedInfo that isn't an immediate descendent of Signature.
-				if signedInfo.Parent() != el {
-					return nil
+				detachedSignedInfo, err := etreeutils.NSDetatch(ctx, signedInfo)
+				if err != nil {
+					return err
 				}
 
-				detachedSignedInfo, err := etreeutils.NSDetatch(ctx, signedInfo)
+				c14NMethod, err := etreeutils.NSFindOneChildCtx(ctx, detachedSignedInfo, Namespace, CanonicalizationMethodTag)
 				if err != nil {
 					return err
 				}
 
-				c14NMethod := detachedSignedInfo.FindElement(childPath(detachedSignedInfo.Space, CanonicalizationMethodTag))
 				if c14NMethod == nil {
 					return errors.New("missing CanonicalizationMethod on Signature")
 				}
@@ -319,8 +378,8 @@ func (ctx *ValidationContext) findSignature(el *etree.Element) (*types.Signature
 					return fmt.Errorf("invalid CanonicalizationMethod on Signature: %s", c14NAlgorithm)
 				}
 
-				el.RemoveChild(signedInfo)
-				el.AddChild(canonicalSignedInfo)
+				signatureEl.RemoveChild(signedInfo)
+				signatureEl.AddChild(canonicalSignedInfo)
 
 				found = true
 
@@ -336,7 +395,7 @@ func (ctx *ValidationContext) findSignature(el *etree.Element) (*types.Signature
 
 		// Unmarshal the signature into a structured Signature type
 		_sig := &types.Signature{}
-		err = etreeutils.NSUnmarshalElement(ctx, el, _sig)
+		err = etreeutils.NSUnmarshalElement(ctx, signatureEl, _sig)
 		if err != nil {
 			return err
 		}
diff --git a/vendor/github.com/russellhaering/goxmldsig/validate_test.go b/vendor/github.com/russellhaering/goxmldsig/validate_test.go
deleted file mode 100644
index 80486005..00000000
--- a/vendor/github.com/russellhaering/goxmldsig/validate_test.go
+++ /dev/null
@@ -1,205 +0,0 @@
-package dsig
-
-import (
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
-	"testing"
-
-	"github.com/beevik/etree"
-	"github.com/stretchr/testify/require"
-)
-
-const canonicalResponse = `
-<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/v1/_saml_callback" ID="id9464273530269711243550013" InResponseTo="_8a64888e-0a14-4fb9-905d-65629b84786a" IssueInstant="2016-03-15T00:21:40.409Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk5zt0r12Edi4rD20h7</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id9464273531132552093682430" IssueInstant="2016-03-15T00:21:40.409Z" Version="2.0"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk5zt0r12Edi4rD20h7</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#id9464273531132552093682430"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>DRYTp4xjc4Ec2+fJkQQ2KxFp/4raYPQYGrLtXTp2IhQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UquJAMHALMZGSab+9XCc6L010djnsDx1wOP7b3LEQpEmGsKUEbblAuI1mdCaKi28VSP7h04S8M4x4xmgG6+RgYERKrMrc6DsW5Mto3nl6TaYQYUMVchp7vX1kDmuGqiEuYusrqIwQnFJNgt+SDAXODolfaJqKH02EMrzEeSFyfEiwaP8+R2jTQ9vqrMTX+t9b9nNo7F1N2sPWFGfk2TC3F5r4H+MF7n33cSny/qzPEEisldLF3LoTdnrPJdKpio/9kPr7ODhks+hwij82gYlvLCXkagmn76lSsAbUgsYoq1C3zvhYUHjTH2c0jmqHNwKT/8FA/oJtxx3N9agDpXEHw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVLIBhAwMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG
-A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
-MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xMTY4MDcxHDAaBgkqhkiG9w0BCQEW
-DWluZm9Ab2t0YS5jb20wHhcNMTYwMjA5MjE1MjA2WhcNMjYwMjA5MjE1MzA2WjCBkjELMAkGA1UE
-BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
-BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTE2ODA3MRwwGgYJ
-KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mtjBOZ8MmhUyi8cGk4dUY6Fj1MFDt/q3FFiaQpLzu3/q5lRVUNUBbAtqQWwY10dzfZguHOuvA5p5
-QyiVDvUhe+XkVwN2R2WfArQJRTPnIcOaHrxqQf3o5cCIG21ZtysFHJSo8clPSOe+0VsoRgcJ1aF4
-2rODwgqRRZdO9Wh3502XlJ799DJQ23IC7XasKEsGKzJqhlRrfd/FyIuZT0sFHDKRz5snSJhm9gpN
-uQlCmk7ONZ1sXqtt+nBIfWIqeoYQubPW7pT5GTc7wouWq4TCjHJiK9k2HiyNxW0E3JX08swEZi2+
-LVDjgLzNc4lwjSYIj3AOtPZs8s606oBdIBni4wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBMxSkJ
-TxkXxsoKNW0awJNpWRbU81QpheMFfENIzLam4Itc/5kSZAaSy/9e2QKfo4jBo/MMbCq2vM9TyeJQ
-DJpRaioUTd2lGh4TLUxAxCxtUk/pascL+3Nn936LFmUCLxaxnbeGzPOXAhscCtU1H0nFsXRnKx5a
-cPXYSKFZZZktieSkww2Oi8dg2DYaQhGQMSFMVqgVfwEu4bvCRBvdSiNXdWGCZQmFVzBZZ/9rOLzP
-pvTFTPnpkavJm81FLlUhiE/oFgKlCDLWDknSpXAI0uZGERcwPca6xvIMh86LjQKjbVci9FYDStXC
-qRnqQ+TccSu/B6uONFsDEngGcXSKfB+a</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">russell.haering@scaleft.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_8a64888e-0a14-4fb9-905d-65629b84786a" NotOnOrAfter="2016-03-15T00:26:40.409Z" Recipient="http://localhost:8080/v1/_saml_callback"></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2016-03-15T00:16:40.409Z" NotOnOrAfter="2016-03-15T00:26:40.409Z"><saml2:AudienceRestriction><saml2:Audience>123</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2016-03-15T00:21:40.409Z" SessionIndex="_8a64888e-0a14-4fb9-905d-65629b84786a"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>`
-
-const canonicalResponse2 = `
-<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/v1/_saml_callback" ID="id103532804647787975381325" InResponseTo="_8699c655-c482-451a-9b7f-61668f140b47" IssueInstant="2016-03-16T01:02:57.682Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk5zt0r12Edi4rD20h7</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id1035328046526588900089424" IssueInstant="2016-03-16T01:02:57.682Z" Version="2.0"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk5zt0r12Edi4rD20h7</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#id1035328046526588900089424"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>No1VyQlk8Xif4FiJ+haViwEQySIzBa14lGy0coCn0c8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>VSV8Vw47q7n/XZwaQOPWQeKI5ZA69fnGZyEFhex4xuaIfC+LOYnfd8q8qcZsm1M6kv47H/dR6YXRIMjPKXZeyX/MKcmGPCadqWFT7EWFvzuO/uy/AB/CL5ZCQiY9H/aOhDysO8glse1S+Y2K0CwvsoRwMfFiO2XOYhVOsngUSkCBdLIB6Oq4f+ZsK0rw/E79n9QUd8owDq3dVC18SFYYdcIVDhQppglyuBEZfu2tG06gD9jls7ZE8vjcMfHmhuHtxlH3ovNLB35NFO/VrCNdFqmD76GnEA98foiJxCX8vzNHF4rPUFXAEdiS4OdQAxb7jNNVoKVYuadunLygysZGSg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVLIBhAwMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG
-A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
-MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xMTY4MDcxHDAaBgkqhkiG9w0BCQEW
-DWluZm9Ab2t0YS5jb20wHhcNMTYwMjA5MjE1MjA2WhcNMjYwMjA5MjE1MzA2WjCBkjELMAkGA1UE
-BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
-BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTE2ODA3MRwwGgYJ
-KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mtjBOZ8MmhUyi8cGk4dUY6Fj1MFDt/q3FFiaQpLzu3/q5lRVUNUBbAtqQWwY10dzfZguHOuvA5p5
-QyiVDvUhe+XkVwN2R2WfArQJRTPnIcOaHrxqQf3o5cCIG21ZtysFHJSo8clPSOe+0VsoRgcJ1aF4
-2rODwgqRRZdO9Wh3502XlJ799DJQ23IC7XasKEsGKzJqhlRrfd/FyIuZT0sFHDKRz5snSJhm9gpN
-uQlCmk7ONZ1sXqtt+nBIfWIqeoYQubPW7pT5GTc7wouWq4TCjHJiK9k2HiyNxW0E3JX08swEZi2+
-LVDjgLzNc4lwjSYIj3AOtPZs8s606oBdIBni4wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBMxSkJ
-TxkXxsoKNW0awJNpWRbU81QpheMFfENIzLam4Itc/5kSZAaSy/9e2QKfo4jBo/MMbCq2vM9TyeJQ
-DJpRaioUTd2lGh4TLUxAxCxtUk/pascL+3Nn936LFmUCLxaxnbeGzPOXAhscCtU1H0nFsXRnKx5a
-cPXYSKFZZZktieSkww2Oi8dg2DYaQhGQMSFMVqgVfwEu4bvCRBvdSiNXdWGCZQmFVzBZZ/9rOLzP
-pvTFTPnpkavJm81FLlUhiE/oFgKlCDLWDknSpXAI0uZGERcwPca6xvIMh86LjQKjbVci9FYDStXC
-qRnqQ+TccSu/B6uONFsDEngGcXSKfB+a</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">russell.haering@scaleft.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_8699c655-c482-451a-9b7f-61668f140b47" NotOnOrAfter="2016-03-16T01:07:57.682Z" Recipient="http://localhost:8080/v1/_saml_callback"></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2016-03-16T00:57:57.682Z" NotOnOrAfter="2016-03-16T01:07:57.682Z"><saml2:AudienceRestriction><saml2:Audience>123</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2016-03-16T01:02:57.682Z" SessionIndex="_8699c655-c482-451a-9b7f-61668f140b47"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>`
-
-const rawResponse = `
-<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/v1/_saml_callback" ID="id1619705532971228558789260" InResponseTo="_213843b4-0693-47b8-b2f6-c41e316015cc" IssueInstant="2016-03-22T19:22:57.054Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk5zt0r12Edi4rD20h7</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id1619705532971228558789260"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>ijTqmVmDy7ssK+rvmJaCQ6AQaFaXz+HIN/r6O37B0eQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>G09fAYXGDLK+/jAekHsNL0RLo40Xm6+VwXmUj0IDIrvIIv/mJU5VD6ylOLnPezLDBVY9BJst1YCz+8krdvmQ8Stkd6qiN2bN/5KpCdika111YGpeNdMmg/E57ZG3S895hTNJQYOfCwhPFUtQuXLkspOaw81pcqOTr+bVSofJ8uQP7cVQa/ANxbjKAj0fhAuxAvZfiqPms5Stv4sNGpzULUDJl87CoEleHExGmpTsI7Qt3EvGToPMZXPHF4MGvuC0Z2ZD4iI6Pr7xk98t54PJtAX2qJu1tZqBJmL0Qcq5spl9W3yC1tAZuDeFLm1C4/T9crO2Q5WILP/tkw/yJ+ZttQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVLIBhAwMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG
-A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
-MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xMTY4MDcxHDAaBgkqhkiG9w0BCQEW
-DWluZm9Ab2t0YS5jb20wHhcNMTYwMjA5MjE1MjA2WhcNMjYwMjA5MjE1MzA2WjCBkjELMAkGA1UE
-BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
-BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTE2ODA3MRwwGgYJ
-KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mtjBOZ8MmhUyi8cGk4dUY6Fj1MFDt/q3FFiaQpLzu3/q5lRVUNUBbAtqQWwY10dzfZguHOuvA5p5
-QyiVDvUhe+XkVwN2R2WfArQJRTPnIcOaHrxqQf3o5cCIG21ZtysFHJSo8clPSOe+0VsoRgcJ1aF4
-2rODwgqRRZdO9Wh3502XlJ799DJQ23IC7XasKEsGKzJqhlRrfd/FyIuZT0sFHDKRz5snSJhm9gpN
-uQlCmk7ONZ1sXqtt+nBIfWIqeoYQubPW7pT5GTc7wouWq4TCjHJiK9k2HiyNxW0E3JX08swEZi2+
-LVDjgLzNc4lwjSYIj3AOtPZs8s606oBdIBni4wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBMxSkJ
-TxkXxsoKNW0awJNpWRbU81QpheMFfENIzLam4Itc/5kSZAaSy/9e2QKfo4jBo/MMbCq2vM9TyeJQ
-DJpRaioUTd2lGh4TLUxAxCxtUk/pascL+3Nn936LFmUCLxaxnbeGzPOXAhscCtU1H0nFsXRnKx5a
-cPXYSKFZZZktieSkww2Oi8dg2DYaQhGQMSFMVqgVfwEu4bvCRBvdSiNXdWGCZQmFVzBZZ/9rOLzP
-pvTFTPnpkavJm81FLlUhiE/oFgKlCDLWDknSpXAI0uZGERcwPca6xvIMh86LjQKjbVci9FYDStXC
-qRnqQ+TccSu/B6uONFsDEngGcXSKfB+a</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id16197055330485751495860275" IssueInstant="2016-03-22T19:22:57.054Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk5zt0r12Edi4rD20h7</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id16197055330485751495860275"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>zln6sheEO2JBdanrT5mZtJZ192tGHavuBpCFHQsJFVg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>dHh6TWbnjtImyrfjPTX5QzE/6Vm/HsRWVvWWlvFAddf/CvhO4Kc5j8C7hvQoYMLhYuZMFFSReGysuDy5IscOJwTGhhcvb238qHSGGs6q8OUBCsmLSDAbIaGA++LV/tkUZ2ridGIi0yT81UOl1oT1batlHsK3eMyxkpnFmvBzIm4tGTzRkOPpYRLeiM9bxbKI+DM/623DCXyBCLYBzJo1O6QE02aLajwRMi/vmiV4LSiGlFcY9TtDCafdVJRv0tIQ25BQoT4feuHdr6S8xOSpGgRYH5ECamVOt4e079XdEkVUiSzQokiUkgDlTXEyerPLOVsOk4PW5nRs86sXIiGL5w==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVLIBhAwMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG
-A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
-MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xMTY4MDcxHDAaBgkqhkiG9w0BCQEW
-DWluZm9Ab2t0YS5jb20wHhcNMTYwMjA5MjE1MjA2WhcNMjYwMjA5MjE1MzA2WjCBkjELMAkGA1UE
-BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
-BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTE2ODA3MRwwGgYJ
-KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mtjBOZ8MmhUyi8cGk4dUY6Fj1MFDt/q3FFiaQpLzu3/q5lRVUNUBbAtqQWwY10dzfZguHOuvA5p5
-QyiVDvUhe+XkVwN2R2WfArQJRTPnIcOaHrxqQf3o5cCIG21ZtysFHJSo8clPSOe+0VsoRgcJ1aF4
-2rODwgqRRZdO9Wh3502XlJ799DJQ23IC7XasKEsGKzJqhlRrfd/FyIuZT0sFHDKRz5snSJhm9gpN
-uQlCmk7ONZ1sXqtt+nBIfWIqeoYQubPW7pT5GTc7wouWq4TCjHJiK9k2HiyNxW0E3JX08swEZi2+
-LVDjgLzNc4lwjSYIj3AOtPZs8s606oBdIBni4wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBMxSkJ
-TxkXxsoKNW0awJNpWRbU81QpheMFfENIzLam4Itc/5kSZAaSy/9e2QKfo4jBo/MMbCq2vM9TyeJQ
-DJpRaioUTd2lGh4TLUxAxCxtUk/pascL+3Nn936LFmUCLxaxnbeGzPOXAhscCtU1H0nFsXRnKx5a
-cPXYSKFZZZktieSkww2Oi8dg2DYaQhGQMSFMVqgVfwEu4bvCRBvdSiNXdWGCZQmFVzBZZ/9rOLzP
-pvTFTPnpkavJm81FLlUhiE/oFgKlCDLWDknSpXAI0uZGERcwPca6xvIMh86LjQKjbVci9FYDStXC
-qRnqQ+TccSu/B6uONFsDEngGcXSKfB+a</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">phoebe.simon@scaleft.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_213843b4-0693-47b8-b2f6-c41e316015cc" NotOnOrAfter="2016-03-22T19:27:57.054Z" Recipient="http://localhost:8080/v1/_saml_callback"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2016-03-22T19:17:57.054Z" NotOnOrAfter="2016-03-22T19:27:57.054Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AudienceRestriction><saml2:Audience>123</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2016-03-22T19:22:57.054Z" SessionIndex="_213843b4-0693-47b8-b2f6-c41e316015cc" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Phoebe</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Simon</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">phoebe.simon@scaleft.com</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>`
-
-const expectedTransformation = `<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/v1/_saml_callback" ID="id1619705532971228558789260" InResponseTo="_213843b4-0693-47b8-b2f6-c41e316015cc" IssueInstant="2016-03-22T19:22:57.054Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk5zt0r12Edi4rD20h7</saml2:Issuer><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id16197055330485751495860275" IssueInstant="2016-03-22T19:22:57.054Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk5zt0r12Edi4rD20h7</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id16197055330485751495860275"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>zln6sheEO2JBdanrT5mZtJZ192tGHavuBpCFHQsJFVg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>dHh6TWbnjtImyrfjPTX5QzE/6Vm/HsRWVvWWlvFAddf/CvhO4Kc5j8C7hvQoYMLhYuZMFFSReGysuDy5IscOJwTGhhcvb238qHSGGs6q8OUBCsmLSDAbIaGA++LV/tkUZ2ridGIi0yT81UOl1oT1batlHsK3eMyxkpnFmvBzIm4tGTzRkOPpYRLeiM9bxbKI+DM/623DCXyBCLYBzJo1O6QE02aLajwRMi/vmiV4LSiGlFcY9TtDCafdVJRv0tIQ25BQoT4feuHdr6S8xOSpGgRYH5ECamVOt4e079XdEkVUiSzQokiUkgDlTXEyerPLOVsOk4PW5nRs86sXIiGL5w==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVLIBhAwMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG
-A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
-MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xMTY4MDcxHDAaBgkqhkiG9w0BCQEW
-DWluZm9Ab2t0YS5jb20wHhcNMTYwMjA5MjE1MjA2WhcNMjYwMjA5MjE1MzA2WjCBkjELMAkGA1UE
-BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
-BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTE2ODA3MRwwGgYJ
-KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mtjBOZ8MmhUyi8cGk4dUY6Fj1MFDt/q3FFiaQpLzu3/q5lRVUNUBbAtqQWwY10dzfZguHOuvA5p5
-QyiVDvUhe+XkVwN2R2WfArQJRTPnIcOaHrxqQf3o5cCIG21ZtysFHJSo8clPSOe+0VsoRgcJ1aF4
-2rODwgqRRZdO9Wh3502XlJ799DJQ23IC7XasKEsGKzJqhlRrfd/FyIuZT0sFHDKRz5snSJhm9gpN
-uQlCmk7ONZ1sXqtt+nBIfWIqeoYQubPW7pT5GTc7wouWq4TCjHJiK9k2HiyNxW0E3JX08swEZi2+
-LVDjgLzNc4lwjSYIj3AOtPZs8s606oBdIBni4wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBMxSkJ
-TxkXxsoKNW0awJNpWRbU81QpheMFfENIzLam4Itc/5kSZAaSy/9e2QKfo4jBo/MMbCq2vM9TyeJQ
-DJpRaioUTd2lGh4TLUxAxCxtUk/pascL+3Nn936LFmUCLxaxnbeGzPOXAhscCtU1H0nFsXRnKx5a
-cPXYSKFZZZktieSkww2Oi8dg2DYaQhGQMSFMVqgVfwEu4bvCRBvdSiNXdWGCZQmFVzBZZ/9rOLzP
-pvTFTPnpkavJm81FLlUhiE/oFgKlCDLWDknSpXAI0uZGERcwPca6xvIMh86LjQKjbVci9FYDStXC
-qRnqQ+TccSu/B6uONFsDEngGcXSKfB+a</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">phoebe.simon@scaleft.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_213843b4-0693-47b8-b2f6-c41e316015cc" NotOnOrAfter="2016-03-22T19:27:57.054Z" Recipient="http://localhost:8080/v1/_saml_callback"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2016-03-22T19:17:57.054Z" NotOnOrAfter="2016-03-22T19:27:57.054Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AudienceRestriction><saml2:Audience>123</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2016-03-22T19:22:57.054Z" SessionIndex="_213843b4-0693-47b8-b2f6-c41e316015cc" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Phoebe</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Simon</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">phoebe.simon@scaleft.com</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>`
-
-const emptyReference = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_fd4fa4a5ab4b0c5e8bbc" Version="2.0" IssueInstant="2017-03-18T02:25:46Z" Destination="https://f1f51ddc.ngrok.io/api/sso/saml2/acs/58cafd0573d4f375b8e70e8e"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">a</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>1sl6AXnoU1CaZSx2MuDPLSKWAhGd6K40pcXe502u+Zw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>jvr8AB4NzTi6FpZV27m6tsWtUXu4kPcCgx3vzE/T0om+DzOs0pkXhTD0H3oNqoWFOnpUo2dqO26nR58hzNpcIHPJPrHnNfboZJf68btzMNDa/OlnFtuwbFWo8Ac+rXS/Up3X5B3CNRlTz/W+ALZEuUHBGNZjE0Hw9Aav8YKAxiWx6uA9z0CCXUFVCbjmtrISMPSUQio+KjIc50j7BbVcezWTz/QB/ySsLEp/Zl4vCTCStFIkdZR/h3Ha5jovxsxuzERZ09x0l748dp8Cm449RnqOz4TIinxKz0xkqtFnbFmF1rFiGF8Vha2f7mdUqgmuy4ifevSI7G2ZQae3vQoNbw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDPDCCAiQCCQDydJgOlszqbzANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEQMA4GA1UEChMHSmFua3lDbzESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDMxMjE5NDYzM1oXDTI3MTExOTE5NDYzM1owYDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoTB0phbmt5Q28xEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGvJpRTTasRUSPqcbqCG+ZnTAurnu0vVpIG9lzExnh11o/BGmzu7lB+yLHcEdwrKBBmpepDBPCYxpVajvuEhZdKFx/Fdy6j5mH3rrW0Bh/zd36CoUNjbbhHyTjeM7FN2yF3u9lcyubuvOzr3B3gX66IwJlU46+wzcQVhSOlMk2tXR+fIKQExFrOuK9tbX3JIBUqItpI+HnAow509CnM134svw8PTFLkR6/CcMqnDfDK1m993PyoC1Y+N4X9XkhSmEQoAlAHPI5LHrvuujM13nvtoVYvKYoj7ScgumkpWNEvX652LfXOnKYlkB8ZybuxmFfIkzedQrbJsyOhfL03cMECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAeHwzqwnzGEkxjzSD47imXaTqtYyETZow7XwBc0ZaFS50qRFJUgKTAmKS1xQBP/qHpStsROT35DUxJAE6NY1Kbq3ZbCuhGoSlY0L7VzVT5tpu4EY8+Dq/u2EjRmmhoL7UkskvIZ2n1DdERtd+YUMTeqYl9co43csZwDno/IKomeN5qaPc39IZjikJ+nUC6kPFKeu/3j9rgHNlRtocI6S1FdtFz9OZMQlpr0JbUt2T3xS/YoQJn6coDmJL5GTiiKM6cOe+Ur1VwzS1JEDbSS2TWWhzq8ojLdrotYLGd9JOsoQhElmz+tMfCFQUFLExinPAyy7YHlSiVX13QH2XTu/iQQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_f6vEQCp4nBCsBY3MeMleLgS6GfmIPAwy" IssueInstant="2017-03-18T02:25:46.951Z"><saml:Issuer>a</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">arun+okta@launchdarkly.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2017-03-18T03:25:46.951Z" Recipient="https://f1f51ddc.ngrok.io/api/sso/saml2/acs/58cafd0573d4f375b8e70e8e"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2017-03-18T02:25:46.951Z" NotOnOrAfter="2017-03-18T03:25:46.951Z"><saml:AudienceRestriction><saml:Audience>b</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute Name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"><saml:AttributeValue xsi:type="xs:anyType">arun+okta@launchdarkly.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Email"><saml:AttributeValue xsi:type="xs:anyType">arun+okta@launchdarkly.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="FirstName"><saml:AttributeValue xsi:type="xs:anyType">Arun</saml:AttributeValue></saml:Attribute><saml:Attribute Name="LastName"><saml:AttributeValue xsi:type="xs:anyType">Bhalla</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><saml:AuthnStatement AuthnInstant="2017-03-18T02:25:46.951Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>`
-
-const oktaCert = `
------BEGIN CERTIFICATE-----
-MIIDPDCCAiQCCQDydJgOlszqbzANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJV
-UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEQ
-MA4GA1UEChMHSmFua3lDbzESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDMxMjE5
-NDYzM1oXDTI3MTExOTE5NDYzM1owYDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
-bGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoTB0phbmt5
-Q28xEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAMGvJpRTTasRUSPqcbqCG+ZnTAurnu0vVpIG9lzExnh11o/BGmzu7lB+
-yLHcEdwrKBBmpepDBPCYxpVajvuEhZdKFx/Fdy6j5mH3rrW0Bh/zd36CoUNjbbhH
-yTjeM7FN2yF3u9lcyubuvOzr3B3gX66IwJlU46+wzcQVhSOlMk2tXR+fIKQExFrO
-uK9tbX3JIBUqItpI+HnAow509CnM134svw8PTFLkR6/CcMqnDfDK1m993PyoC1Y+
-N4X9XkhSmEQoAlAHPI5LHrvuujM13nvtoVYvKYoj7ScgumkpWNEvX652LfXOnKYl
-kB8ZybuxmFfIkzedQrbJsyOhfL03cMECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
-eHwzqwnzGEkxjzSD47imXaTqtYyETZow7XwBc0ZaFS50qRFJUgKTAmKS1xQBP/qH
-pStsROT35DUxJAE6NY1Kbq3ZbCuhGoSlY0L7VzVT5tpu4EY8+Dq/u2EjRmmhoL7U
-kskvIZ2n1DdERtd+YUMTeqYl9co43csZwDno/IKomeN5qaPc39IZjikJ+nUC6kPF
-Keu/3j9rgHNlRtocI6S1FdtFz9OZMQlpr0JbUt2T3xS/YoQJn6coDmJL5GTiiKM6
-cOe+Ur1VwzS1JEDbSS2TWWhzq8ojLdrotYLGd9JOsoQhElmz+tMfCFQUFLExinPA
-yy7YHlSiVX13QH2XTu/iQQ==
------END CERTIFICATE-----
-`
-
-func TestDigest(t *testing.T) {
-	canonicalizer := MakeC14N10ExclusiveCanonicalizerWithPrefixList("")
-	doc := etree.NewDocument()
-	err := doc.ReadFromBytes([]byte(canonicalResponse))
-	require.NoError(t, err)
-
-	vc := NewDefaultValidationContext(nil)
-	digest, err := vc.digest(doc.Root(), "http://www.w3.org/2001/04/xmlenc#sha256", canonicalizer)
-	require.NoError(t, err)
-	require.Equal(t, "gvXF2ygtu4WbVYdepEtHFbgCZLfKW893eFF+x6gjX80=", base64.StdEncoding.EncodeToString(digest))
-
-	doc = etree.NewDocument()
-	err = doc.ReadFromBytes([]byte(canonicalResponse2))
-	require.NoError(t, err)
-
-	vc = NewDefaultValidationContext(nil)
-	digest, err = vc.digest(doc.Root(), "http://www.w3.org/2001/04/xmlenc#sha256", canonicalizer)
-	require.NoError(t, err)
-	require.Equal(t, "npTAl6kraksBlCRlunbyD6nICTcfsDaHjPXVxoDPrw0=", base64.StdEncoding.EncodeToString(digest))
-
-}
-
-func TestTransform(t *testing.T) {
-	doc := etree.NewDocument()
-	err := doc.ReadFromBytes([]byte(rawResponse))
-	require.NoError(t, err)
-
-	vc := NewDefaultValidationContext(nil)
-
-	el := doc.Root()
-
-	sig, err := vc.findSignature(el)
-	require.NoError(t, err)
-
-	ref := &sig.SignedInfo.References[0]
-
-	transformed, canonicalizer, err := vc.transform(el, sig, ref)
-	require.NoError(t, err)
-	require.NotEmpty(t, transformed)
-	require.IsType(t, &c14N10ExclusiveCanonicalizer{}, canonicalizer)
-
-	doc = etree.NewDocument()
-	doc.SetRoot(transformed)
-
-	str, err := doc.WriteToString()
-	require.NoError(t, err)
-	require.Equal(t, expectedTransformation, str)
-}
-
-func TestValidateWithEmptySignatureReference(t *testing.T) {
-	doc := etree.NewDocument()
-	err := doc.ReadFromBytes([]byte(emptyReference))
-	require.NoError(t, err)
-
-	sig := doc.FindElement("//" + SignatureTag)
-	require.NotEmpty(t, sig)
-
-	// Verify that Reference URI is empty
-	signedInfo := sig.FindElement(childPath(sig.Space, SignedInfoTag))
-	require.NotEmpty(t, signedInfo)
-	reference := signedInfo.FindElement(childPath(sig.Space, ReferenceTag))
-	require.NotEmpty(t, reference)
-	require.Empty(t, reference.SelectAttr(URIAttr).Value)
-
-	block, _ := pem.Decode([]byte(oktaCert))
-	cert, err := x509.ParseCertificate(block.Bytes)
-	require.NoError(t, err, "couldn't parse okta cert pem block")
-
-	certStore := MemoryX509CertificateStore{
-		Roots: []*x509.Certificate{cert},
-	}
-	vc := NewDefaultValidationContext(&certStore)
-
-	el, err := vc.Validate(doc.Root())
-	require.NoError(t, err)
-	require.NotEmpty(t, el)
-}
diff --git a/vendor/github.com/zenazn/goji/.travis.yml b/vendor/github.com/zenazn/goji/.travis.yml
index 35410e2b..1db3926c 100644
--- a/vendor/github.com/zenazn/goji/.travis.yml
+++ b/vendor/github.com/zenazn/goji/.travis.yml
@@ -1,33 +1,17 @@
 language: go
 
-matrix:
-  include:
-    - go: 1.2
-      install:
-      - go get golang.org/x/tools/cmd/cover
-      - go list -f '{{range .Imports}}{{.}} {{end}}' ./... | xargs go get -v
-      - go list -f '{{range .TestImports}}{{.}} {{end}}' ./... | xargs go get -v
-    - go: 1.3
-      install:
-      - go get golang.org/x/tools/cmd/cover
-      - go list -f '{{range .Imports}}{{.}} {{end}}' ./... | xargs go get -v
-      - go list -f '{{range .TestImports}}{{.}} {{end}}' ./... | xargs go get -v
-    - go: 1.4
-      install:
-      - go get golang.org/x/tools/cmd/cover
-      - go list -f '{{range .Imports}}{{.}} {{end}}' ./... | xargs go get -v
-      - go list -f '{{range .TestImports}}{{.}} {{end}}' ./... | xargs go get -v
-    - go: 1.5
-      install:
-      - go list -f '{{range .Imports}}{{.}} {{end}}' ./... | xargs go get -v
-      - go list -f '{{range .TestImports}}{{.}} {{end}}' ./... | xargs go get -v
-    - go: 1.6
-      install:
-      - go list -f '{{range .Imports}}{{.}} {{end}}' ./... | xargs go get -v
-      - go list -f '{{range .TestImports}}{{.}} {{end}}' ./... | xargs go get -v
-    - go: tip
-      install:
-      - go list -f '{{range .Imports}}{{.}} {{end}}' ./... | xargs go get -v
-      - go list -f '{{range .TestImports}}{{.}} {{end}}' ./... | xargs go get -v
-script:
-  - go test -cover ./...
+go:
+    - "1.5.x"
+    - "1.6.x"
+    - "1.7.x"
+    - "1.8.x"
+    - "1.9.x"
+    - "1.10.x"
+    - "1.11.x"
+
+install:
+    - go list -f '{{range .Imports}}{{.}} {{end}}' ./... | xargs go get -v
+    - go list -f '{{range .TestImports}}{{.}} {{end}}' ./... | xargs go get -v
+
+script: go test -cover ./...
+
diff --git a/vendor/github.com/zenazn/goji/bind/bind.go b/vendor/github.com/zenazn/goji/bind/bind.go
index 8e783bf9..43d11dd3 100644
--- a/vendor/github.com/zenazn/goji/bind/bind.go
+++ b/vendor/github.com/zenazn/goji/bind/bind.go
@@ -41,21 +41,31 @@ func init() {
 	systemdInit()
 }
 
-// WithFlag adds a standard flag to the global flag instance that allows
-// configuration of the default socket. Users who call Default() must call this
-// function before flags are parsed, for example in an init() block.
+// DefaultBind specifies the fallback used for WithFlag() if it is
+// unable to discover an environment hint (after checking $GOJI_BIND,
+// Einhorn, systemd, and $PORT).
 //
-// When selecting the default bind string, this function will examine its
-// environment for hints about what port to bind to, selecting the GOJI_BIND
-// environment variable, Einhorn, systemd, the PORT environment variable, and
-// the port 8000, in order. In most cases, this means that the default behavior
-// of the default socket will be reasonable for use in your circumstance.
+// If DefaultBind is overridden, it must be set before calling
+// WithFlag().
+var DefaultBind = ":8000"
+
+// WithFlag adds a standard flag to the global flag instance that
+// allows configuration of the default socket. Users who call
+// Default() must call this function before flags are parsed, for
+// example in an init() block.
+//
+// When selecting the default bind string, this function will examine
+// its environment for hints about what port to bind to, selecting the
+// GOJI_BIND environment variable, Einhorn, systemd, the PORT
+// environment variable, and the value of DefaultBind, in order. In
+// most cases, this means that the default behavior of the default
+// socket will be reasonable for use in your circumstance.
 func WithFlag() {
-	defaultBind := ":8000"
-	if s := Sniff(); s != "" {
-		defaultBind = s
+	s := Sniff()
+	if s == "" {
+		s = DefaultBind
 	}
-	flag.StringVar(&bind, "bind", defaultBind,
+	flag.StringVar(&bind, "bind", s,
 		`Address to bind on. If this value has a colon, as in ":8000" or
 		"127.0.0.1:9001", it will be treated as a TCP address. If it
 		begins with a "/" or a ".", it will be treated as a path to a
diff --git a/vendor/github.com/zenazn/goji/example/.gitignore b/vendor/github.com/zenazn/goji/example/.gitignore
deleted file mode 100644
index 33a9488b..00000000
--- a/vendor/github.com/zenazn/goji/example/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-example
diff --git a/vendor/github.com/zenazn/goji/example/README.md b/vendor/github.com/zenazn/goji/example/README.md
deleted file mode 100644
index 8d33103d..00000000
--- a/vendor/github.com/zenazn/goji/example/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-Gritter
-=======
-
-Gritter is an example application built using Goji, where people who have
-nothing better to do can post short 140-character "greets."
-
-A good place to start is with `main.go`, which contains a well-commented
-walkthrough of Goji's features. Gritter uses a couple custom middlewares, which
-have been arbitrarily placed in `middleware.go`. Finally some uninteresting
-"database models" live in `models.go`.
diff --git a/vendor/github.com/zenazn/goji/example/main.go b/vendor/github.com/zenazn/goji/example/main.go
deleted file mode 100644
index b2bcf6f9..00000000
--- a/vendor/github.com/zenazn/goji/example/main.go
+++ /dev/null
@@ -1,177 +0,0 @@
-// Command example is a sample application built with Goji. Its goal is to give
-// you a taste for what Goji looks like in the real world by artificially using
-// all of its features.
-//
-// In particular, this is a complete working site for gritter.com, a site where
-// users can post 140-character "greets". Any resemblance to real websites,
-// alive or dead, is purely coincidental.
-package main
-
-import (
-	"fmt"
-	"io"
-	"net/http"
-	"regexp"
-	"strconv"
-	"time"
-
-	"github.com/goji/param"
-	"github.com/zenazn/goji"
-	"github.com/zenazn/goji/web"
-	"github.com/zenazn/goji/web/middleware"
-)
-
-// Note: the code below cuts a lot of corners to make the example app simple.
-
-func main() {
-	// Add routes to the global handler
-	goji.Get("/", Root)
-	// Fully backwards compatible with net/http's Handlers
-	goji.Get("/greets", http.RedirectHandler("/", 301))
-	// Use your favorite HTTP verbs
-	goji.Post("/greets", NewGreet)
-	// Use Sinatra-style patterns in your URLs
-	goji.Get("/users/:name", GetUser)
-	// Goji also supports regular expressions with named capture groups.
-	goji.Get(regexp.MustCompile(`^/greets/(?P<id>\d+)$`), GetGreet)
-
-	// Middleware can be used to inject behavior into your app. The
-	// middleware for this application are defined in middleware.go, but you
-	// can put them wherever you like.
-	goji.Use(PlainText)
-
-	// If the patterns ends with "/*", the path is treated as a prefix, and
-	// can be used to implement sub-routes.
-	admin := web.New()
-	goji.Handle("/admin/*", admin)
-
-	// The standard SubRouter middleware helps make writing sub-routers
-	// easy. Ordinarily, Goji does not manipulate the request's URL.Path,
-	// meaning you'd have to repeat "/admin/" in each of the following
-	// routes. This middleware allows you to cut down on the repetition by
-	// eliminating the shared, already-matched prefix.
-	admin.Use(middleware.SubRouter)
-	// You can also easily attach extra middleware to sub-routers that are
-	// not present on the parent router. This one, for instance, presents a
-	// password prompt to users of the admin endpoints.
-	admin.Use(SuperSecure)
-
-	admin.Get("/", AdminRoot)
-	admin.Get("/finances", AdminFinances)
-
-	// Goji's routing, like Sinatra's, is exact: no effort is made to
-	// normalize trailing slashes.
-	goji.Get("/admin", http.RedirectHandler("/admin/", 301))
-
-	// Use a custom 404 handler
-	goji.NotFound(NotFound)
-
-	// Sometimes requests take a long time.
-	goji.Get("/waitforit", WaitForIt)
-
-	// Call Serve() at the bottom of your main() function, and it'll take
-	// care of everything else for you, including binding to a socket (with
-	// automatic support for systemd and Einhorn) and supporting graceful
-	// shutdown on SIGINT. Serve() is appropriate for both development and
-	// production.
-	goji.Serve()
-}
-
-// Root route (GET "/"). Print a list of greets.
-func Root(w http.ResponseWriter, r *http.Request) {
-	// In the real world you'd probably use a template or something.
-	io.WriteString(w, "Gritter\n======\n\n")
-	for i := len(Greets) - 1; i >= 0; i-- {
-		Greets[i].Write(w)
-	}
-}
-
-// NewGreet creates a new greet (POST "/greets"). Creates a greet and redirects
-// you to the created greet.
-//
-// To post a new greet, try this at a shell:
-// $ now=$(date +'%Y-%m-%dT%H:%M:%SZ')
-// $ curl -i -d "user=carl&message=Hello+World&time=$now" localhost:8000/greets
-func NewGreet(w http.ResponseWriter, r *http.Request) {
-	var greet Greet
-
-	// Parse the POST body into the Greet struct. The format is the same as
-	// is emitted by (e.g.) jQuery.param.
-	r.ParseForm()
-	err := param.Parse(r.Form, &greet)
-
-	if err != nil || len(greet.Message) > 140 {
-		http.Error(w, err.Error(), http.StatusBadRequest)
-		return
-	}
-
-	// We make no effort to prevent races against other insertions.
-	Greets = append(Greets, greet)
-	url := fmt.Sprintf("/greets/%d", len(Greets)-1)
-	http.Redirect(w, r, url, http.StatusCreated)
-}
-
-// GetUser finds a given user and her greets (GET "/user/:name")
-func GetUser(c web.C, w http.ResponseWriter, r *http.Request) {
-	io.WriteString(w, "Gritter\n======\n\n")
-	handle := c.URLParams["name"]
-	user, ok := Users[handle]
-	if !ok {
-		http.Error(w, http.StatusText(404), 404)
-		return
-	}
-
-	user.Write(w, handle)
-
-	io.WriteString(w, "\nGreets:\n")
-	for i := len(Greets) - 1; i >= 0; i-- {
-		if Greets[i].User == handle {
-			Greets[i].Write(w)
-		}
-	}
-}
-
-// GetGreet finds a particular greet by ID (GET "/greets/\d+"). Does no bounds
-// checking, so will probably panic.
-func GetGreet(c web.C, w http.ResponseWriter, r *http.Request) {
-	id, err := strconv.Atoi(c.URLParams["id"])
-	if err != nil {
-		http.Error(w, http.StatusText(404), 404)
-		return
-	}
-	// This will panic if id is too big. Try it out!
-	greet := Greets[id]
-
-	io.WriteString(w, "Gritter\n======\n\n")
-	greet.Write(w)
-}
-
-// WaitForIt is a particularly slow handler (GET "/waitforit"). Try loading this
-// endpoint and initiating a graceful shutdown (Ctrl-C) or Einhorn reload. The
-// old server will stop accepting new connections and will attempt to kill
-// outstanding idle (keep-alive) connections, but will patiently stick around
-// for this endpoint to finish. How kind of it!
-func WaitForIt(w http.ResponseWriter, r *http.Request) {
-	io.WriteString(w, "This is going to be legend... (wait for it)\n")
-	if fl, ok := w.(http.Flusher); ok {
-		fl.Flush()
-	}
-	time.Sleep(15 * time.Second)
-	io.WriteString(w, "...dary! Legendary!\n")
-}
-
-// AdminRoot is root (GET "/admin/root"). Much secret. Very administrate. Wow.
-func AdminRoot(w http.ResponseWriter, r *http.Request) {
-	io.WriteString(w, "Gritter\n======\n\nSuper secret admin page!\n")
-}
-
-// AdminFinances would answer the question 'How are we doing?'
-// (GET "/admin/finances")
-func AdminFinances(w http.ResponseWriter, r *http.Request) {
-	io.WriteString(w, "Gritter\n======\n\nWe're broke! :(\n")
-}
-
-// NotFound is a 404 handler.
-func NotFound(w http.ResponseWriter, r *http.Request) {
-	http.Error(w, "Umm... have you tried turning it off and on again?", 404)
-}
diff --git a/vendor/github.com/zenazn/goji/example/middleware.go b/vendor/github.com/zenazn/goji/example/middleware.go
deleted file mode 100644
index 9652ebbc..00000000
--- a/vendor/github.com/zenazn/goji/example/middleware.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package main
-
-import (
-	"encoding/base64"
-	"net/http"
-	"strings"
-
-	"github.com/zenazn/goji/web"
-)
-
-// PlainText sets the content-type of responses to text/plain.
-func PlainText(h http.Handler) http.Handler {
-	fn := func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "text/plain")
-		h.ServeHTTP(w, r)
-	}
-	return http.HandlerFunc(fn)
-}
-
-// Nobody will ever guess this!
-const Password = "admin:admin"
-
-// SuperSecure is HTTP Basic Auth middleware for super-secret admin page. Shhhh!
-func SuperSecure(c *web.C, h http.Handler) http.Handler {
-	fn := func(w http.ResponseWriter, r *http.Request) {
-		auth := r.Header.Get("Authorization")
-		if !strings.HasPrefix(auth, "Basic ") {
-			pleaseAuth(w)
-			return
-		}
-
-		password, err := base64.StdEncoding.DecodeString(auth[6:])
-		if err != nil || string(password) != Password {
-			pleaseAuth(w)
-			return
-		}
-
-		h.ServeHTTP(w, r)
-	}
-	return http.HandlerFunc(fn)
-}
-
-func pleaseAuth(w http.ResponseWriter) {
-	w.Header().Set("WWW-Authenticate", `Basic realm="Gritter"`)
-	w.WriteHeader(http.StatusUnauthorized)
-	w.Write([]byte("Go away!\n"))
-}
diff --git a/vendor/github.com/zenazn/goji/example/models.go b/vendor/github.com/zenazn/goji/example/models.go
deleted file mode 100644
index 4c34c086..00000000
--- a/vendor/github.com/zenazn/goji/example/models.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io"
-	"time"
-)
-
-// A Greet is a 140-character micro-blogpost that has no resemblance whatsoever
-// to the noise a bird makes.
-type Greet struct {
-	User    string    `param:"user"`
-	Message string    `param:"message"`
-	Time    time.Time `param:"time"`
-}
-
-// Store all our greets in a big list in memory, because, let's be honest, who's
-// actually going to use a service that only allows you to post 140-character
-// messages?
-var Greets = []Greet{
-	{"carl", "Welcome to Gritter!", time.Now()},
-	{"alice", "Wanna know a secret?", time.Now()},
-	{"bob", "Okay!", time.Now()},
-	{"eve", "I'm listening...", time.Now()},
-}
-
-// Write out a representation of the greet
-func (g Greet) Write(w io.Writer) {
-	fmt.Fprintf(w, "%s\n@%s at %s\n---\n", g.Message, g.User,
-		g.Time.Format(time.UnixDate))
-}
-
-// A User is a person. It may even be someone you know. Or a rabbit. Hard to say
-// from here.
-type User struct {
-	Name, Bio string
-}
-
-// All the users we know about! There aren't very many...
-var Users = map[string]User{
-	"alice": {"Alice in Wonderland", "Eating mushrooms"},
-	"bob":   {"Bob the Builder", "Making children dumber"},
-	"carl":  {"Carl Jackson", "Duct tape aficionado"},
-}
-
-// Write out the user
-func (u User) Write(w io.Writer, handle string) {
-	fmt.Fprintf(w, "%s (@%s)\n%s\n", u.Name, handle, u.Bio)
-}
diff --git a/vendor/github.com/zenazn/goji/graceful/graceful.go b/vendor/github.com/zenazn/goji/graceful/graceful.go
index ff9b186d..19490e05 100644
--- a/vendor/github.com/zenazn/goji/graceful/graceful.go
+++ b/vendor/github.com/zenazn/goji/graceful/graceful.go
@@ -9,7 +9,6 @@ package graceful
 
 import (
 	"net"
-	"runtime"
 	"sync/atomic"
 
 	"github.com/zenazn/goji/graceful/listener"
@@ -50,12 +49,16 @@ func peacefulError(err error) error {
 	// Unfortunately Go doesn't really give us a better way to select errors
 	// than this, so *shrug*.
 	if oe, ok := err.(*net.OpError); ok {
-		errOp := "accept"
-		if runtime.GOOS == "windows" {
-			errOp = "AcceptEx"
-		}
-		if oe.Op == errOp && oe.Err.Error() == errClosing {
-			return nil
+		switch oe.Op {
+		// backward compatibility: older golang returns AcceptEx on Windows.
+		// Current golang returns "accept" consistently. It's platform independent.
+		// See https://github.com/golang/go/commit/b0f4ee533a875c258ac1030ee382f0ffe2de304b
+		case "AcceptEx":
+			fallthrough
+		case "accept":
+			if oe.Err.Error() == errClosing {
+				return nil
+			}
 		}
 	}
 	return err
diff --git a/vendor/github.com/zenazn/goji/graceful/listener/conn_test.go b/vendor/github.com/zenazn/goji/graceful/listener/conn_test.go
deleted file mode 100644
index ff26e32f..00000000
--- a/vendor/github.com/zenazn/goji/graceful/listener/conn_test.go
+++ /dev/null
@@ -1,198 +0,0 @@
-package listener
-
-import (
-	"io"
-	"strings"
-	"testing"
-	"time"
-)
-
-func TestManualRead(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Manual)
-
-	go c.AllowRead()
-	wc.Read(make([]byte, 1024))
-
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-	if !c.Closed() {
-		t.Error("Read() should not make connection not-idle")
-	}
-}
-
-func TestAutomaticRead(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Automatic)
-
-	go c.AllowRead()
-	wc.Read(make([]byte, 1024))
-
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-	if c.Closed() {
-		t.Error("expected Read() to mark connection as in-use")
-	}
-}
-
-func TestDeadlineRead(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Deadline)
-
-	go c.AllowRead()
-	if _, err := wc.Read(make([]byte, 1024)); err != nil {
-		t.Fatalf("error reading from connection: %v", err)
-	}
-
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-	if c.Closed() {
-		t.Error("expected Read() to mark connection as in-use")
-	}
-}
-
-func TestDisownedRead(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Deadline)
-
-	if err := Disown(wc); err != nil {
-		t.Fatalf("unexpected error disowning conn: %v", err)
-	}
-	if err := l.Close(); err != nil {
-		t.Fatalf("unexpected error closing listener: %v", err)
-	}
-	if err := l.Drain(); err != nil {
-		t.Fatalf("unexpected error draining listener: %v", err)
-	}
-
-	go c.AllowRead()
-	if _, err := wc.Read(make([]byte, 1024)); err != nil {
-		t.Fatalf("error reading from connection: %v", err)
-	}
-}
-
-func TestCloseConn(t *testing.T) {
-	t.Parallel()
-	l, _, wc := singleConn(t, Deadline)
-
-	if err := MarkInUse(wc); err != nil {
-		t.Fatalf("error marking conn in use: %v", err)
-	}
-	if err := wc.Close(); err != nil {
-		t.Errorf("error closing connection: %v", err)
-	}
-	// This will hang if wc.Close() doesn't un-track the connection
-	if err := l.Drain(); err != nil {
-		t.Errorf("error draining listener: %v", err)
-	}
-}
-
-// Regression test for issue #130.
-func TestDisownedClose(t *testing.T) {
-	t.Parallel()
-	_, c, wc := singleConn(t, Deadline)
-
-	if err := Disown(wc); err != nil {
-		t.Fatalf("unexpected error disowning conn: %v", err)
-	}
-	if err := wc.Close(); err != nil {
-		t.Errorf("error closing connection: %v", err)
-	}
-	if !c.Closed() {
-		t.Errorf("connection didn't get closed")
-	}
-}
-
-func TestManualReadDeadline(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Manual)
-
-	if err := MarkInUse(wc); err != nil {
-		t.Fatalf("error marking connection in use: %v", err)
-	}
-	if err := wc.SetReadDeadline(time.Now()); err != nil {
-		t.Fatalf("error setting read deadline: %v", err)
-	}
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-	if c.Closed() {
-		t.Error("SetReadDeadline() should not mark manual conn as idle")
-	}
-}
-
-func TestAutomaticReadDeadline(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Automatic)
-
-	if err := MarkInUse(wc); err != nil {
-		t.Fatalf("error marking connection in use: %v", err)
-	}
-	if err := wc.SetReadDeadline(time.Now()); err != nil {
-		t.Fatalf("error setting read deadline: %v", err)
-	}
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-	if c.Closed() {
-		t.Error("SetReadDeadline() should not mark automatic conn as idle")
-	}
-}
-
-func TestDeadlineReadDeadline(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Deadline)
-
-	if err := MarkInUse(wc); err != nil {
-		t.Fatalf("error marking connection in use: %v", err)
-	}
-	if err := wc.SetReadDeadline(time.Now()); err != nil {
-		t.Fatalf("error setting read deadline: %v", err)
-	}
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-	if !c.Closed() {
-		t.Error("SetReadDeadline() should mark deadline conn as idle")
-	}
-}
-
-type readerConn struct {
-	fakeConn
-}
-
-func (rc *readerConn) ReadFrom(r io.Reader) (int64, error) {
-	return 123, nil
-}
-
-func TestReadFrom(t *testing.T) {
-	t.Parallel()
-
-	l := makeFakeListener("net.Listener")
-	wl := Wrap(l, Manual)
-	c := &readerConn{
-		fakeConn{
-			read:   make(chan struct{}),
-			write:  make(chan struct{}),
-			closed: make(chan struct{}),
-			me:     fakeAddr{"tcp", "local"},
-			you:    fakeAddr{"tcp", "remote"},
-		},
-	}
-
-	go l.Enqueue(c)
-	wc, err := wl.Accept()
-	if err != nil {
-		t.Fatalf("error accepting connection: %v", err)
-	}
-
-	// The io.MultiReader is a convenient hack to ensure that we're using
-	// our ReadFrom, not strings.Reader's WriteTo.
-	r := io.MultiReader(strings.NewReader("hello world"))
-	if _, err := io.Copy(wc, r); err != nil {
-		t.Fatalf("error copying: %v", err)
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/graceful/listener/fake_test.go b/vendor/github.com/zenazn/goji/graceful/listener/fake_test.go
deleted file mode 100644
index 083f6a8c..00000000
--- a/vendor/github.com/zenazn/goji/graceful/listener/fake_test.go
+++ /dev/null
@@ -1,123 +0,0 @@
-package listener
-
-import (
-	"net"
-	"time"
-)
-
-type fakeAddr struct {
-	network, addr string
-}
-
-func (f fakeAddr) Network() string {
-	return f.network
-}
-func (f fakeAddr) String() string {
-	return f.addr
-}
-
-type fakeListener struct {
-	ch     chan net.Conn
-	closed chan struct{}
-	addr   net.Addr
-}
-
-func makeFakeListener(addr string) *fakeListener {
-	a := fakeAddr{"tcp", addr}
-	return &fakeListener{
-		ch:     make(chan net.Conn),
-		closed: make(chan struct{}),
-		addr:   a,
-	}
-}
-
-func (f *fakeListener) Accept() (net.Conn, error) {
-	select {
-	case c := <-f.ch:
-		return c, nil
-	case <-f.closed:
-		return nil, errClosing
-	}
-}
-func (f *fakeListener) Close() error {
-	close(f.closed)
-	return nil
-}
-
-func (f *fakeListener) Addr() net.Addr {
-	return f.addr
-}
-
-func (f *fakeListener) Enqueue(c net.Conn) {
-	f.ch <- c
-}
-
-type fakeConn struct {
-	read, write, closed chan struct{}
-	me, you             net.Addr
-}
-
-func makeFakeConn(me, you string) *fakeConn {
-	return &fakeConn{
-		read:   make(chan struct{}),
-		write:  make(chan struct{}),
-		closed: make(chan struct{}),
-		me:     fakeAddr{"tcp", me},
-		you:    fakeAddr{"tcp", you},
-	}
-}
-
-func (f *fakeConn) Read(buf []byte) (int, error) {
-	select {
-	case <-f.read:
-		return len(buf), nil
-	case <-f.closed:
-		return 0, errClosing
-	}
-}
-
-func (f *fakeConn) Write(buf []byte) (int, error) {
-	select {
-	case <-f.write:
-		return len(buf), nil
-	case <-f.closed:
-		return 0, errClosing
-	}
-}
-
-func (f *fakeConn) Close() error {
-	close(f.closed)
-	return nil
-}
-
-func (f *fakeConn) LocalAddr() net.Addr {
-	return f.me
-}
-func (f *fakeConn) RemoteAddr() net.Addr {
-	return f.you
-}
-func (f *fakeConn) SetDeadline(t time.Time) error {
-	return nil
-}
-func (f *fakeConn) SetReadDeadline(t time.Time) error {
-	return nil
-}
-func (f *fakeConn) SetWriteDeadline(t time.Time) error {
-	return nil
-}
-
-func (f *fakeConn) Closed() bool {
-	select {
-	case <-f.closed:
-		return true
-	default:
-		return false
-	}
-}
-
-func (f *fakeConn) AllowRead() {
-	f.read <- struct{}{}
-}
-func (f *fakeConn) AllowWrite() {
-	f.write <- struct{}{}
-}
diff --git a/vendor/github.com/zenazn/goji/graceful/listener/listener_test.go b/vendor/github.com/zenazn/goji/graceful/listener/listener_test.go
deleted file mode 100644
index dcefdaa0..00000000
--- a/vendor/github.com/zenazn/goji/graceful/listener/listener_test.go
+++ /dev/null
@@ -1,156 +0,0 @@
-package listener
-
-import (
-	"net"
-	"testing"
-	"time"
-)
-
-// Helper for tests acting on a single accepted connection
-func singleConn(t *testing.T, m mode) (*T, *fakeConn, net.Conn) {
-	l := makeFakeListener("net.Listener")
-	wl := Wrap(l, m)
-	c := makeFakeConn("local", "remote")
-
-	go l.Enqueue(c)
-	wc, err := wl.Accept()
-	if err != nil {
-		t.Fatalf("error accepting connection: %v", err)
-	}
-	return wl, c, wc
-}
-
-func TestAddr(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Manual)
-
-	if a := l.Addr(); a.String() != "net.Listener" {
-		t.Errorf("addr was %v, wanted net.Listener", a)
-	}
-
-	if c.LocalAddr() != wc.LocalAddr() {
-		t.Errorf("local addresses don't match: %v, %v", c.LocalAddr(),
-			wc.LocalAddr())
-	}
-	if c.RemoteAddr() != wc.RemoteAddr() {
-		t.Errorf("remote addresses don't match: %v, %v", c.RemoteAddr(),
-			wc.RemoteAddr())
-	}
-}
-
-func TestBasicCloseIdle(t *testing.T) {
-	t.Parallel()
-	l, c, _ := singleConn(t, Manual)
-
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-	if !c.Closed() {
-		t.Error("idle connection not closed")
-	}
-}
-
-func TestMark(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Manual)
-
-	if err := MarkInUse(wc); err != nil {
-		t.Fatalf("error marking %v in-use: %v", wc, err)
-	}
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-	if c.Closed() {
-		t.Errorf("manually in-use connection was closed")
-	}
-
-	if err := MarkIdle(wc); err != nil {
-		t.Fatalf("error marking %v idle: %v", wc, err)
-	}
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-	if !c.Closed() {
-		t.Error("manually idle connection was not closed")
-	}
-}
-
-func TestDisown(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Manual)
-
-	if err := Disown(wc); err != nil {
-		t.Fatalf("error disowning connection: %v", err)
-	}
-	if err := l.CloseIdle(); err != nil {
-		t.Fatalf("error closing idle connections: %v", err)
-	}
-
-	if c.Closed() {
-		t.Errorf("disowned connection got closed")
-	}
-}
-
-func TestDrain(t *testing.T) {
-	t.Parallel()
-	l, _, wc := singleConn(t, Manual)
-
-	MarkInUse(wc)
-	start := time.Now()
-	go func() {
-		time.Sleep(50 * time.Millisecond)
-		MarkIdle(wc)
-	}()
-	if err := l.Drain(); err != nil {
-		t.Fatalf("error draining listener: %v", err)
-	}
-	end := time.Now()
-	if dt := end.Sub(start); dt < 50*time.Millisecond {
-		t.Errorf("expected at least 50ms wait, but got %v", dt)
-	}
-}
-
-func TestDrainAll(t *testing.T) {
-	t.Parallel()
-	l, c, wc := singleConn(t, Manual)
-
-	MarkInUse(wc)
-	if err := l.DrainAll(); err != nil {
-		t.Fatalf("error draining listener: %v", err)
-	}
-	if !c.Closed() {
-		t.Error("expected in-use connection to be closed")
-	}
-}
-
-func TestErrors(t *testing.T) {
-	t.Parallel()
-	_, c, wc := singleConn(t, Manual)
-	if err := Disown(c); err == nil {
-		t.Error("expected error when disowning unmanaged net.Conn")
-	}
-	if err := MarkIdle(c); err == nil {
-		t.Error("expected error when marking unmanaged net.Conn idle")
-	}
-	if err := MarkInUse(c); err == nil {
-		t.Error("expected error when marking unmanaged net.Conn in use")
-	}
-
-	if err := Disown(wc); err != nil {
-		t.Fatalf("unexpected error disowning socket: %v", err)
-	}
-	if err := Disown(wc); err == nil {
-		t.Error("expected error disowning socket twice")
-	}
-}
-
-func TestClose(t *testing.T) {
-	t.Parallel()
-	l, c, _ := singleConn(t, Manual)
-	if err := l.Close(); err != nil {
-		t.Fatalf("error while closing listener: %v", err)
-	}
-	if c.Closed() {
-		t.Error("connection closed when listener was?")
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/graceful/listener/race_test.go b/vendor/github.com/zenazn/goji/graceful/listener/race_test.go
deleted file mode 100644
index 835d6b44..00000000
--- a/vendor/github.com/zenazn/goji/graceful/listener/race_test.go
+++ /dev/null
@@ -1,103 +0,0 @@
-package listener
-
-import (
-	"fmt"
-	"math/rand"
-	"runtime"
-	"sync/atomic"
-	"testing"
-	"time"
-)
-
-func init() {
-	// Just to make sure we get some variety
-	runtime.GOMAXPROCS(4 * runtime.NumCPU())
-}
-
-// Chosen by random die roll
-const seed = 4611413766552969250
-
-// This is mostly just fuzzing to see what happens.
-func TestRace(t *testing.T) {
-	t.Parallel()
-
-	l := makeFakeListener("net.Listener")
-	wl := Wrap(l, Automatic)
-
-	var flag int32
-
-	go func() {
-		for i := 0; ; i++ {
-			laddr := fmt.Sprintf("local%d", i)
-			raddr := fmt.Sprintf("remote%d", i)
-			c := makeFakeConn(laddr, raddr)
-			go func() {
-				defer func() {
-					if r := recover(); r != nil {
-						if atomic.LoadInt32(&flag) != 0 {
-							return
-						}
-						panic(r)
-					}
-				}()
-				l.Enqueue(c)
-			}()
-			wc, err := wl.Accept()
-			if err != nil {
-				if atomic.LoadInt32(&flag) != 0 {
-					return
-				}
-				t.Fatalf("error accepting connection: %v", err)
-			}
-
-			go func() {
-				for {
-					time.Sleep(50 * time.Millisecond)
-					c.AllowRead()
-				}
-			}()
-
-			go func(i int64) {
-				rng := rand.New(rand.NewSource(i + seed))
-				buf := make([]byte, 1024)
-				for j := 0; j < 1024; j++ {
-					if _, err := wc.Read(buf); err != nil {
-						if atomic.LoadInt32(&flag) != 0 {
-							// Peaceful; the connection has
-							// probably been closed while
-							// idle
-							return
-						}
-						t.Errorf("error reading in conn %d: %v",
-							i, err)
-					}
-					time.Sleep(time.Duration(rng.Intn(100)) * time.Millisecond)
-					// This one is to make sure the connection
-					// hasn't closed underneath us
-					if _, err := wc.Read(buf); err != nil {
-						t.Errorf("error reading in conn %d: %v",
-							i, err)
-					}
-					MarkIdle(wc)
-					time.Sleep(time.Duration(rng.Intn(100)) * time.Millisecond)
-				}
-			}(int64(i))
-
-			time.Sleep(time.Duration(i) * time.Millisecond / 2)
-		}
-	}()
-
-	if testing.Short() {
-		time.Sleep(2 * time.Second)
-	} else {
-		time.Sleep(10 * time.Second)
-	}
-	start := time.Now()
-	atomic.StoreInt32(&flag, 1)
-	wl.Close()
-	wl.Drain()
-	end := time.Now()
-	if dt := end.Sub(start); dt > 300*time.Millisecond {
-		t.Errorf("took %v to drain; expected shorter", dt)
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/graceful/middleware_test.go b/vendor/github.com/zenazn/goji/graceful/middleware_test.go
deleted file mode 100644
index aa4e623c..00000000
--- a/vendor/github.com/zenazn/goji/graceful/middleware_test.go
+++ /dev/null
@@ -1,71 +0,0 @@
-// +build !go1.3
-
-package graceful
-
-import (
-	"net/http"
-	"sync/atomic"
-	"testing"
-)
-
-type fakeWriter http.Header
-
-func (f fakeWriter) Header() http.Header {
-	return http.Header(f)
-}
-func (f fakeWriter) Write(buf []byte) (int, error) {
-	return len(buf), nil
-}
-func (f fakeWriter) WriteHeader(status int) {}
-
-func testClose(t *testing.T, h http.Handler, expectClose bool) {
-	m := middleware(h)
-	r, _ := http.NewRequest("GET", "/", nil)
-	w := make(fakeWriter)
-	m.ServeHTTP(w, r)
-
-	c, ok := w["Connection"]
-	if expectClose {
-		if !ok || len(c) != 1 || c[0] != "close" {
-			t.Fatal("Expected 'Connection: close'")
-		}
-	} else {
-		if ok {
-			t.Fatal("Did not expect Connection header")
-		}
-	}
-}
-
-func TestNormal(t *testing.T) {
-	atomic.StoreInt32(&closing, 0)
-	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Write([]byte{})
-	})
-	testClose(t, h, false)
-}
-
-func TestClose(t *testing.T) {
-	atomic.StoreInt32(&closing, 0)
-	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		atomic.StoreInt32(&closing, 1)
-	})
-	testClose(t, h, true)
-}
-
-func TestCloseWriteHeader(t *testing.T) {
-	atomic.StoreInt32(&closing, 0)
-	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		atomic.StoreInt32(&closing, 1)
-		w.WriteHeader(200)
-	})
-	testClose(t, h, true)
-}
-
-func TestCloseWrite(t *testing.T) {
-	atomic.StoreInt32(&closing, 0)
-	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		atomic.StoreInt32(&closing, 1)
-		w.Write([]byte{})
-	})
-	testClose(t, h, true)
-}
diff --git a/vendor/github.com/zenazn/goji/graceful/signal.go b/vendor/github.com/zenazn/goji/graceful/signal.go
index 60612b88..55061a59 100644
--- a/vendor/github.com/zenazn/goji/graceful/signal.go
+++ b/vendor/github.com/zenazn/goji/graceful/signal.go
@@ -12,8 +12,8 @@ import (
 
 var mu sync.Mutex // protects everything that follows
 var listeners = make([]*listener.T, 0)
-var prehooks = make([]func(), 0)
-var posthooks = make([]func(), 0)
+var prehooks = make([]func(os.Signal), 0)
+var posthooks = make([]func(os.Signal), 0)
 var closing int32
 var doubleKick, timeout time.Duration
 
@@ -40,14 +40,41 @@ func ResetSignals() {
 	signal.Stop(sigchan)
 }
 
+// PreHookWithSignal registers a function to be called before any of this
+// package's normal shutdown actions, which recieves the signal that caused the
+// shutdown (or nil for manual shutdowns). All listeners will be called in the
+// order they were added, from a single goroutine.
+func PreHookWithSignal(f func(os.Signal)) {
+	mu.Lock()
+	defer mu.Unlock()
+
+	prehooks = append(prehooks, f)
+}
+
 // PreHook registers a function to be called before any of this package's normal
 // shutdown actions. All listeners will be called in the order they were added,
 // from a single goroutine.
 func PreHook(f func()) {
+	PreHookWithSignal(func(_ os.Signal) {
+		f()
+	})
+}
+
+// PostHookWithSignal registers a function to be called after all of this
+// package's normal shutdown actions, which receives the signal that caused the
+// shutdown (or nil for manual shutdowns). All listeners will be called in the
+// order they were added, from a single goroutine, and are guaranteed to be
+// called after all listening connections have been closed, but before Wait()
+// returns.
+//
+// If you've Hijacked any connections that must be gracefully shut down in some
+// other way (since this library disowns all hijacked connections), it's
+// reasonable to use a PostHook to signal and wait for them.
+func PostHookWithSignal(f func(os.Signal)) {
 	mu.Lock()
 	defer mu.Unlock()
 
-	prehooks = append(prehooks, f)
+	posthooks = append(posthooks, f)
 }
 
 // PostHook registers a function to be called after all of this package's normal
@@ -59,23 +86,22 @@ func PreHook(f func()) {
 // other way (since this library disowns all hijacked connections), it's
 // reasonable to use a PostHook to signal and wait for them.
 func PostHook(f func()) {
-	mu.Lock()
-	defer mu.Unlock()
-
-	posthooks = append(posthooks, f)
+	PostHookWithSignal(func(_ os.Signal) {
+		f()
+	})
 }
 
 // Shutdown manually triggers a shutdown from your application. Like Wait,
 // blocks until all connections have gracefully shut down.
 func Shutdown() {
-	shutdown(false)
+	shutdown(false, nil)
 }
 
 // ShutdownNow triggers an immediate shutdown from your application. All
 // connections (not just those that are idle) are immediately closed, even if
 // they are in the middle of serving a request.
 func ShutdownNow() {
-	shutdown(true)
+	shutdown(true, nil)
 }
 
 // DoubleKickWindow sets the length of the window during which two back-to-back
@@ -123,30 +149,30 @@ func init() {
 func sigLoop() {
 	var last time.Time
 	for {
-		<-sigchan
+		sig := <-sigchan
 		now := time.Now()
 		mu.Lock()
 		force := doubleKick != 0 && now.Sub(last) < doubleKick
 		if t := timeout; t != 0 && !force {
 			go func() {
 				time.Sleep(t)
-				shutdown(true)
+				shutdown(true, sig)
 			}()
 		}
 		mu.Unlock()
-		go shutdown(force)
+		go shutdown(force, sig)
 		last = now
 	}
 }
 
 var preOnce, closeOnce, forceOnce, postOnce, notifyOnce sync.Once
 
-func shutdown(force bool) {
+func shutdown(force bool, sig os.Signal) {
 	preOnce.Do(func() {
 		mu.Lock()
 		defer mu.Unlock()
 		for _, f := range prehooks {
-			f()
+			f(sig)
 		}
 	})
 
@@ -164,7 +190,7 @@ func shutdown(force bool) {
 		mu.Lock()
 		defer mu.Unlock()
 		for _, f := range posthooks {
-			f()
+			f(sig)
 		}
 	})
 
diff --git a/vendor/github.com/zenazn/goji/web/bench_test.go b/vendor/github.com/zenazn/goji/web/bench_test.go
deleted file mode 100644
index fc285db6..00000000
--- a/vendor/github.com/zenazn/goji/web/bench_test.go
+++ /dev/null
@@ -1,166 +0,0 @@
-// +build go1.3
-
-package web
-
-import (
-	"crypto/rand"
-	"encoding/base64"
-	mrand "math/rand"
-	"net/http"
-	"testing"
-)
-
-/*
-The core benchmarks here are based on cypriss's mux benchmarks, which can be
-found here:
-https://github.com/cypriss/golang-mux-benchmark
-
-They happen to play very well into Goji's router's strengths.
-*/
-
-type nilRouter struct{}
-
-var helloWorld = []byte("Hello world!\n")
-
-func (_ nilRouter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	w.Write(helloWorld)
-}
-
-type nilResponse struct{}
-
-func (_ nilResponse) Write(buf []byte) (int, error) {
-	return len(buf), nil
-}
-func (_ nilResponse) Header() http.Header {
-	return nil
-}
-func (_ nilResponse) WriteHeader(code int) {
-}
-
-func trivialMiddleware(h http.Handler) http.Handler {
-	fn := func(w http.ResponseWriter, r *http.Request) {
-		h.ServeHTTP(w, r)
-	}
-	return http.HandlerFunc(fn)
-}
-
-var w nilResponse
-
-func addRoutes(m *Mux, prefix string) {
-	m.Get(prefix, nilRouter{})
-	m.Post(prefix, nilRouter{})
-	m.Get(prefix+"/:id", nilRouter{})
-	m.Put(prefix+"/:id", nilRouter{})
-	m.Delete(prefix+"/:id", nilRouter{})
-}
-
-func randString() string {
-	var buf [6]byte
-	rand.Reader.Read(buf[:])
-	return base64.URLEncoding.EncodeToString(buf[:])
-}
-
-func genPrefixes(n int) []string {
-	p := make([]string, n)
-	for i := range p {
-		p[i] = "/" + randString()
-	}
-	return p
-}
-
-func genRequests(prefixes []string) []*http.Request {
-	rs := make([]*http.Request, 5*len(prefixes))
-	for i, prefix := range prefixes {
-		rs[5*i+0], _ = http.NewRequest("GET", prefix, nil)
-		rs[5*i+1], _ = http.NewRequest("POST", prefix, nil)
-		rs[5*i+2], _ = http.NewRequest("GET", prefix+"/foo", nil)
-		rs[5*i+3], _ = http.NewRequest("PUT", prefix+"/foo", nil)
-		rs[5*i+4], _ = http.NewRequest("DELETE", prefix+"/foo", nil)
-	}
-	return rs
-}
-
-func permuteRequests(reqs []*http.Request) []*http.Request {
-	out := make([]*http.Request, len(reqs))
-	perm := mrand.Perm(len(reqs))
-	for i, req := range reqs {
-		out[perm[i]] = req
-	}
-	return out
-}
-
-func benchN(b *testing.B, n int) {
-	m := New()
-	prefixes := genPrefixes(n)
-	for _, prefix := range prefixes {
-		addRoutes(m, prefix)
-	}
-	m.Compile()
-	reqs := permuteRequests(genRequests(prefixes))
-
-	b.ResetTimer()
-	b.ReportAllocs()
-	b.RunParallel(func(pb *testing.PB) {
-		i := 0
-		for pb.Next() {
-			i++
-			m.ServeHTTP(w, reqs[i%len(reqs)])
-		}
-	})
-}
-
-func benchM(b *testing.B, n int) {
-	m := New()
-	m.Get("/", nilRouter{})
-	for i := 0; i < n; i++ {
-		m.Use(trivialMiddleware)
-	}
-	r, _ := http.NewRequest("GET", "/", nil)
-	m.Compile()
-
-	b.ResetTimer()
-	b.ReportAllocs()
-	b.RunParallel(func(pb *testing.PB) {
-		for pb.Next() {
-			m.ServeHTTP(w, r)
-		}
-	})
-}
-
-func BenchmarkStatic(b *testing.B) {
-	m := New()
-	m.Get("/", nilRouter{})
-	r, _ := http.NewRequest("GET", "/", nil)
-	m.Compile()
-
-	b.ResetTimer()
-	b.ReportAllocs()
-	b.RunParallel(func(pb *testing.PB) {
-		for pb.Next() {
-			m.ServeHTTP(w, r)
-		}
-	})
-}
-
-func BenchmarkRoute5(b *testing.B) {
-	benchN(b, 1)
-}
-func BenchmarkRoute50(b *testing.B) {
-	benchN(b, 10)
-}
-func BenchmarkRoute500(b *testing.B) {
-	benchN(b, 100)
-}
-func BenchmarkRoute5000(b *testing.B) {
-	benchN(b, 1000)
-}
-
-func BenchmarkMiddleware1(b *testing.B) {
-	benchM(b, 1)
-}
-func BenchmarkMiddleware10(b *testing.B) {
-	benchM(b, 10)
-}
-func BenchmarkMiddleware100(b *testing.B) {
-	benchM(b, 100)
-}
diff --git a/vendor/github.com/zenazn/goji/web/example_test.go b/vendor/github.com/zenazn/goji/web/example_test.go
deleted file mode 100644
index 9dc8de24..00000000
--- a/vendor/github.com/zenazn/goji/web/example_test.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package web_test
-
-import (
-	"fmt"
-	"log"
-	"net/http"
-	"regexp"
-
-	"github.com/zenazn/goji/web"
-	"github.com/zenazn/goji/web/middleware"
-)
-
-func Example() {
-	m := web.New()
-
-	// Use your favorite HTTP verbs and the interfaces you know and love
-	// from net/http:
-	m.Get("/hello", func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, "Why hello there!\n")
-	})
-	m.Post("/login", func(w http.ResponseWriter, r *http.Request) {
-		if r.FormValue("password") != "god" {
-			http.Error(w, "Hack the planet!", 401)
-		}
-	})
-
-	// Handlers can optionally take a context parameter, which contains
-	// (among other things) a set of bound parameters.
-	hello := func(c web.C, w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, "Hello, %s!\n", c.URLParams["name"])
-	}
-
-	// Bind parameters using pattern strings...
-	m.Get("/hello/:name", hello)
-
-	// ...or use regular expressions if you need additional power.
-	bonjour := regexp.MustCompile(`^/bonjour/(?P<name>[A-Za-z]+)$`)
-	m.Get(bonjour, hello)
-
-	// Middleware are a great abstraction for performing logic on every
-	// request. Some middleware use the Goji context object to set
-	// request-scoped variables.
-	logger := func(h http.Handler) http.Handler {
-		wrap := func(w http.ResponseWriter, r *http.Request) {
-			log.Println("Before request")
-			h.ServeHTTP(w, r)
-			log.Println("After request")
-		}
-		return http.HandlerFunc(wrap)
-	}
-	auth := func(c *web.C, h http.Handler) http.Handler {
-		wrap := func(w http.ResponseWriter, r *http.Request) {
-			if cookie, err := r.Cookie("user"); err == nil {
-				c.Env["user"] = cookie.Value
-			}
-			h.ServeHTTP(w, r)
-		}
-		return http.HandlerFunc(wrap)
-	}
-
-	// A Middleware stack is a flexible way to assemble the common
-	// components of your application, like request loggers and
-	// authentication. There is an ecosystem of open-source middleware for
-	// Goji, so there's a chance someone has already written the middleware
-	// you are looking for!
-	m.Use(middleware.EnvInit)
-	m.Use(logger)
-	m.Use(auth)
-}
diff --git a/vendor/github.com/zenazn/goji/web/func_equal_test.go b/vendor/github.com/zenazn/goji/web/func_equal_test.go
deleted file mode 100644
index 9080a5a2..00000000
--- a/vendor/github.com/zenazn/goji/web/func_equal_test.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package web
-
-import (
-	"testing"
-)
-
-// To tell you the truth, I'm not actually sure how many of these cases are
-// needed. Presumably someone with more patience than I could comb through
-// http://golang.org/s/go11func and figure out what all the different cases I
-// ought to test are, but I think this test includes all the cases I care about
-// and is at least reasonably thorough.
-
-func a() string {
-	return "A"
-}
-func b() string {
-	return "B"
-}
-func mkFn(s string) func() string {
-	return func() string {
-		return s
-	}
-}
-
-var c = mkFn("C")
-var d = mkFn("D")
-var e = a
-var f = c
-var g = mkFn("D")
-
-type Type string
-
-func (t *Type) String() string {
-	return string(*t)
-}
-
-var t1 = Type("hi")
-var t2 = Type("bye")
-var t1f = t1.String
-var t2f = t2.String
-
-var funcEqualTests = []struct {
-	a, b   func() string
-	result bool
-}{
-	{a, a, true},
-	{a, b, false},
-	{b, b, true},
-	{a, c, false},
-	{c, c, true},
-	{c, d, false},
-	{a, e, true},
-	{a, f, false},
-	{c, f, true},
-	{e, f, false},
-	{d, g, false},
-	{t1f, t1f, true},
-	{t1f, t2f, false},
-}
-
-func TestFuncEqual(t *testing.T) {
-	t.Parallel()
-
-	for _, test := range funcEqualTests {
-		r := funcEqual(test.a, test.b)
-		if r != test.result {
-			t.Errorf("funcEqual(%v, %v) should have been %v",
-				test.a, test.b, test.result)
-		}
-	}
-	h := mkFn("H")
-	i := h
-	j := mkFn("H")
-	k := a
-	if !funcEqual(h, i) {
-		t.Errorf("h and i should have been equal")
-	}
-	if funcEqual(h, j) {
-		t.Errorf("h and j should not have been equal")
-	}
-	if !funcEqual(a, k) {
-		t.Errorf("a and k should have been equal")
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/web/match_test.go b/vendor/github.com/zenazn/goji/web/match_test.go
deleted file mode 100644
index aefff044..00000000
--- a/vendor/github.com/zenazn/goji/web/match_test.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package web
-
-import (
-	"net/http"
-	"regexp"
-	"testing"
-)
-
-var rawPatterns = []PatternType{
-	"/hello/:name",
-	regexp.MustCompile("^/hello/(?P<name>[^/]+)$"),
-	testPattern{},
-}
-
-func TestRawPattern(t *testing.T) {
-	t.Parallel()
-
-	for _, p := range rawPatterns {
-		m := Match{Pattern: ParsePattern(p)}
-		if rp := m.RawPattern(); rp != p {
-			t.Errorf("got %#v, expected %#v", rp, p)
-		}
-	}
-}
-
-type httpHandlerOnly struct{}
-
-func (httpHandlerOnly) ServeHTTP(w http.ResponseWriter, r *http.Request) {}
-
-type handlerOnly struct{}
-
-func (handlerOnly) ServeHTTPC(c C, w http.ResponseWriter, r *http.Request) {}
-
-var rawHandlers = []HandlerType{
-	func(w http.ResponseWriter, r *http.Request) {},
-	func(c C, w http.ResponseWriter, r *http.Request) {},
-	httpHandlerOnly{},
-	handlerOnly{},
-}
-
-func TestRawHandler(t *testing.T) {
-	t.Parallel()
-
-	for _, h := range rawHandlers {
-		m := Match{Handler: parseHandler(h)}
-		if rh := m.RawHandler(); !funcEqual(rh, h) {
-			t.Errorf("got %#v, expected %#v", rh, h)
-		}
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/web/middleware.go b/vendor/github.com/zenazn/goji/web/middleware.go
index 7ec545de..985a6c9e 100644
--- a/vendor/github.com/zenazn/goji/web/middleware.go
+++ b/vendor/github.com/zenazn/goji/web/middleware.go
@@ -110,8 +110,9 @@ func (m *mStack) release(cs *cStack) {
 	if cs.pool != m.pool {
 		return
 	}
-	cs.pool.release(cs)
+	p := cs.pool
 	cs.pool = nil
+	p.release(cs)
 }
 
 func (m *mStack) Use(middleware interface{}) {
@@ -147,7 +148,7 @@ func (m *mStack) Abandon(middleware interface{}) error {
 	}
 
 	copy(m.stack[i:], m.stack[i+1:])
-	m.stack = m.stack[:len(m.stack)-1 : len(m.stack)]
+	m.stack = m.stack[: len(m.stack)-1 : len(m.stack)]
 
 	m.invalidate()
 	return nil
diff --git a/vendor/github.com/zenazn/goji/web/middleware/nocache_test.go b/vendor/github.com/zenazn/goji/web/middleware/nocache_test.go
deleted file mode 100644
index 1fb71f6f..00000000
--- a/vendor/github.com/zenazn/goji/web/middleware/nocache_test.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package middleware
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/zenazn/goji/web"
-)
-
-func TestNoCache(t *testing.T) {
-
-	rr := httptest.NewRecorder()
-	s := web.New()
-
-	s.Use(NoCache)
-	r, err := http.NewRequest("GET", "/", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	s.ServeHTTP(rr, r)
-
-	for k, v := range noCacheHeaders {
-		if rr.HeaderMap[k][0] != v {
-			t.Errorf("%s header not set by middleware.", k)
-		}
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/web/middleware/options_test.go b/vendor/github.com/zenazn/goji/web/middleware/options_test.go
deleted file mode 100644
index e9621450..00000000
--- a/vendor/github.com/zenazn/goji/web/middleware/options_test.go
+++ /dev/null
@@ -1,112 +0,0 @@
-package middleware
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/zenazn/goji/web"
-)
-
-func testOptions(r *http.Request, f func(*web.C, http.ResponseWriter, *http.Request)) *httptest.ResponseRecorder {
-	var c web.C
-
-	h := func(w http.ResponseWriter, r *http.Request) {
-		f(&c, w, r)
-	}
-	m := AutomaticOptions(&c, http.HandlerFunc(h))
-	w := httptest.NewRecorder()
-	m.ServeHTTP(w, r)
-
-	return w
-}
-
-var optionsTestEnv = map[interface{}]interface{}{
-	web.ValidMethodsKey: []string{
-		"hello",
-		"world",
-	},
-}
-
-func TestAutomaticOptions(t *testing.T) {
-	t.Parallel()
-
-	// Shouldn't interfere with normal requests
-	r, _ := http.NewRequest("GET", "/", nil)
-	rr := testOptions(r,
-		func(c *web.C, w http.ResponseWriter, r *http.Request) {
-			w.Write([]byte{'h', 'i'})
-		},
-	)
-	if rr.Code != http.StatusOK {
-		t.Errorf("status is %d, not 200", rr.Code)
-	}
-	if rr.Body.String() != "hi" {
-		t.Errorf("body was %q, should be %q", rr.Body.String(), "hi")
-	}
-	allow := rr.HeaderMap.Get("Allow")
-	if allow != "" {
-		t.Errorf("Allow header was set to %q, should be empty", allow)
-	}
-
-	// If we respond non-404 to an OPTIONS request, also don't interfere
-	r, _ = http.NewRequest("OPTIONS", "/", nil)
-	rr = testOptions(r,
-		func(c *web.C, w http.ResponseWriter, r *http.Request) {
-			c.Env = optionsTestEnv
-			w.Write([]byte{'h', 'i'})
-		},
-	)
-	if rr.Code != http.StatusOK {
-		t.Errorf("status is %d, not 200", rr.Code)
-	}
-	if rr.Body.String() != "hi" {
-		t.Errorf("body was %q, should be %q", rr.Body.String(), "hi")
-	}
-	allow = rr.HeaderMap.Get("Allow")
-	if allow != "" {
-		t.Errorf("Allow header was set to %q, should be empty", allow)
-	}
-
-	// Provide options if we 404. Make sure we nom the output bytes
-	r, _ = http.NewRequest("OPTIONS", "/", nil)
-	rr = testOptions(r,
-		func(c *web.C, w http.ResponseWriter, r *http.Request) {
-			c.Env = optionsTestEnv
-			w.WriteHeader(http.StatusNotFound)
-			w.Write([]byte{'h', 'i'})
-		},
-	)
-	if rr.Code != http.StatusOK {
-		t.Errorf("status is %d, not 200", rr.Code)
-	}
-	if rr.Body.Len() != 0 {
-		t.Errorf("body was %q, should be empty", rr.Body.String())
-	}
-	allow = rr.HeaderMap.Get("Allow")
-	correctHeaders := "hello, world, OPTIONS"
-	if allow != "hello, world, OPTIONS" {
-		t.Errorf("Allow header should be %q, was %q", correctHeaders,
-			allow)
-	}
-
-	// If we somehow 404 without giving a list of valid options, don't do
-	// anything
-	r, _ = http.NewRequest("OPTIONS", "/", nil)
-	rr = testOptions(r,
-		func(c *web.C, w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusNotFound)
-			w.Write([]byte{'h', 'i'})
-		},
-	)
-	if rr.Code != http.StatusNotFound {
-		t.Errorf("status is %d, not 404", rr.Code)
-	}
-	if rr.Body.String() != "hi" {
-		t.Errorf("body was %q, should be %q", rr.Body.String(), "hi")
-	}
-	allow = rr.HeaderMap.Get("Allow")
-	if allow != "" {
-		t.Errorf("Allow header was set to %q, should be empty", allow)
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/web/middleware/subrouter_test.go b/vendor/github.com/zenazn/goji/web/middleware/subrouter_test.go
deleted file mode 100644
index c46c27e7..00000000
--- a/vendor/github.com/zenazn/goji/web/middleware/subrouter_test.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package middleware
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/zenazn/goji/web"
-)
-
-func TestSubRouterMatch(t *testing.T) {
-	m := web.New()
-	m.Use(m.Router)
-
-	m2 := web.New()
-	m2.Use(SubRouter)
-	m2.Get("/bar", func(w http.ResponseWriter, r *http.Request) {})
-
-	m.Get("/foo/*", m2)
-
-	r, err := http.NewRequest("GET", "/foo/bar", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// This function will recurse forever if SubRouter + Match didn't work.
-	m.ServeHTTP(httptest.NewRecorder(), r)
-}
diff --git a/vendor/github.com/zenazn/goji/web/middleware/urlquery_test.go b/vendor/github.com/zenazn/goji/web/middleware/urlquery_test.go
deleted file mode 100644
index d9b78330..00000000
--- a/vendor/github.com/zenazn/goji/web/middleware/urlquery_test.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package middleware
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"reflect"
-	"testing"
-
-	"github.com/zenazn/goji/web"
-)
-
-func testURLQuery(r *http.Request, f func(*web.C, http.ResponseWriter, *http.Request)) *httptest.ResponseRecorder {
-	var c web.C
-
-	h := func(w http.ResponseWriter, r *http.Request) {
-		f(&c, w, r)
-	}
-	m := URLQuery(&c, http.HandlerFunc(h))
-	w := httptest.NewRecorder()
-	m.ServeHTTP(w, r)
-
-	return w
-}
-
-func TestURLQuery(t *testing.T) {
-	type testcase struct {
-		url            string
-		expectedParams url.Values
-	}
-
-	// we're not testing url.Query() here, but rather that the results of the query
-	// appear in the context
-	testcases := []testcase{
-		testcase{"/", url.Values{}},
-		testcase{"/?a=1&b=2&a=3", url.Values{"a": []string{"1", "3"}, "b": []string{"2"}}},
-		testcase{"/?x=1&y=2&z=3#freddyishere", url.Values{"x": []string{"1"}, "y": []string{"2"}, "z": []string{"3"}}},
-	}
-
-	for _, tc := range testcases {
-		r, _ := http.NewRequest("GET", tc.url, nil)
-		testURLQuery(r,
-			func(c *web.C, w http.ResponseWriter, r *http.Request) {
-				params := c.Env[URLQueryKey].(url.Values)
-				if !reflect.DeepEqual(params, tc.expectedParams) {
-					t.Errorf("GET %s, URLQuery middleware found %v, should be %v", tc.url, params, tc.expectedParams)
-				}
-
-				w.Write([]byte{'h', 'i'})
-			},
-		)
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/web/middleware12_test.go b/vendor/github.com/zenazn/goji/web/middleware12_test.go
deleted file mode 100644
index fe5ca9bf..00000000
--- a/vendor/github.com/zenazn/goji/web/middleware12_test.go
+++ /dev/null
@@ -1,52 +0,0 @@
-// +build !go1.3
-
-package web
-
-import "testing"
-
-// These tests were pretty sketchtacular to start with, but they aren't even
-// guaranteed to pass with Go 1.3's sync.Pool. Let's keep them here for now; if
-// they start spuriously failing later we can delete them outright.
-
-func TestCaching(t *testing.T) {
-	ch := make(chan string)
-	st := makeStack(ch)
-	cs1 := st.alloc()
-	cs2 := st.alloc()
-	if cs1 == cs2 {
-		t.Fatal("cs1 and cs2 are the same")
-	}
-	st.release(cs2)
-	cs3 := st.alloc()
-	if cs2 != cs3 {
-		t.Fatalf("Expected cs2 to equal cs3")
-	}
-	st.release(cs1)
-	st.release(cs3)
-	cs4 := st.alloc()
-	cs5 := st.alloc()
-	if cs4 != cs1 {
-		t.Fatal("Expected cs4 to equal cs1")
-	}
-	if cs5 != cs3 {
-		t.Fatal("Expected cs5 to equal cs3")
-	}
-}
-
-func TestInvalidation(t *testing.T) {
-	ch := make(chan string)
-	st := makeStack(ch)
-	cs1 := st.alloc()
-	cs2 := st.alloc()
-	st.release(cs1)
-	st.invalidate()
-	cs3 := st.alloc()
-	if cs3 == cs1 {
-		t.Fatal("Expected cs3 to be fresh, instead got cs1")
-	}
-	st.release(cs2)
-	cs4 := st.alloc()
-	if cs4 == cs2 {
-		t.Fatal("Expected cs4 to be fresh, instead got cs2")
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/web/middleware_test.go b/vendor/github.com/zenazn/goji/web/middleware_test.go
deleted file mode 100644
index 678ccaa0..00000000
--- a/vendor/github.com/zenazn/goji/web/middleware_test.go
+++ /dev/null
@@ -1,204 +0,0 @@
-package web
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-)
-
-type iRouter func(*C, http.ResponseWriter, *http.Request)
-
-func (i iRouter) route(c *C, w http.ResponseWriter, r *http.Request) {
-	i(c, w, r)
-}
-
-func makeStack(ch chan string) *mStack {
-	router := func(c *C, w http.ResponseWriter, r *http.Request) {
-		ch <- "router"
-	}
-	return &mStack{
-		stack:  make([]mLayer, 0),
-		pool:   makeCPool(),
-		router: iRouter(router),
-	}
-}
-
-func chanWare(ch chan string, s string) func(http.Handler) http.Handler {
-	return func(h http.Handler) http.Handler {
-		fn := func(w http.ResponseWriter, r *http.Request) {
-			ch <- s
-			h.ServeHTTP(w, r)
-		}
-		return http.HandlerFunc(fn)
-	}
-}
-
-func simpleRequest(ch chan string, st *mStack) {
-	defer func() {
-		ch <- "end"
-	}()
-	r, _ := http.NewRequest("GET", "/", nil)
-	w := httptest.NewRecorder()
-	cs := st.alloc()
-	defer st.release(cs)
-
-	cs.ServeHTTP(w, r)
-}
-
-func assertOrder(t *testing.T, ch chan string, strings ...string) {
-	for i, s := range strings {
-		var v string
-		select {
-		case v = <-ch:
-		case <-time.After(5 * time.Millisecond):
-			t.Fatalf("Expected %q as %d'th value, but timed out", s,
-				i+1)
-		}
-		if s != v {
-			t.Errorf("%d'th value was %q, expected %q", i+1, v, s)
-		}
-	}
-}
-
-func TestSimple(t *testing.T) {
-	t.Parallel()
-
-	ch := make(chan string)
-	st := makeStack(ch)
-	st.Use(chanWare(ch, "one"))
-	st.Use(chanWare(ch, "two"))
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "one", "two", "router", "end")
-}
-
-func TestTypes(t *testing.T) {
-	t.Parallel()
-
-	ch := make(chan string)
-	st := makeStack(ch)
-	st.Use(func(h http.Handler) http.Handler {
-		return h
-	})
-	st.Use(func(c *C, h http.Handler) http.Handler {
-		return h
-	})
-}
-
-func TestAddMore(t *testing.T) {
-	t.Parallel()
-
-	ch := make(chan string)
-	st := makeStack(ch)
-	st.Use(chanWare(ch, "one"))
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "one", "router", "end")
-
-	st.Use(chanWare(ch, "two"))
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "one", "two", "router", "end")
-
-	st.Use(chanWare(ch, "three"))
-	st.Use(chanWare(ch, "four"))
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "one", "two", "three", "four", "router", "end")
-}
-
-func TestInsert(t *testing.T) {
-	t.Parallel()
-
-	ch := make(chan string)
-	st := makeStack(ch)
-	one := chanWare(ch, "one")
-	two := chanWare(ch, "two")
-	st.Use(one)
-	st.Use(two)
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "one", "two", "router", "end")
-
-	err := st.Insert(chanWare(ch, "sloth"), chanWare(ch, "squirrel"))
-	if err == nil {
-		t.Error("Expected error when referencing unknown middleware")
-	}
-
-	st.Insert(chanWare(ch, "middle"), two)
-	err = st.Insert(chanWare(ch, "start"), one)
-	if err != nil {
-		t.Fatal(err)
-	}
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "start", "one", "middle", "two", "router", "end")
-}
-
-func TestAbandon(t *testing.T) {
-	t.Parallel()
-
-	ch := make(chan string)
-	st := makeStack(ch)
-	one := chanWare(ch, "one")
-	two := chanWare(ch, "two")
-	three := chanWare(ch, "three")
-	st.Use(one)
-	st.Use(two)
-	st.Use(three)
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "one", "two", "three", "router", "end")
-
-	st.Abandon(two)
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "one", "three", "router", "end")
-
-	err := st.Abandon(chanWare(ch, "panda"))
-	if err == nil {
-		t.Error("Expected error when deleting unknown middleware")
-	}
-
-	st.Abandon(one)
-	st.Abandon(three)
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "router", "end")
-
-	st.Use(one)
-	go simpleRequest(ch, st)
-	assertOrder(t, ch, "one", "router", "end")
-}
-
-func TestContext(t *testing.T) {
-	router := func(c *C, w http.ResponseWriter, r *http.Request) {
-		if c.Env["reqID"].(int) != 2 {
-			t.Error("Request id was not 2 :(")
-		}
-	}
-	st := mStack{
-		stack:  make([]mLayer, 0),
-		pool:   makeCPool(),
-		router: iRouter(router),
-	}
-	st.Use(func(c *C, h http.Handler) http.Handler {
-		fn := func(w http.ResponseWriter, r *http.Request) {
-			if c.Env != nil || c.URLParams != nil {
-				t.Error("Expected a clean context")
-			}
-			c.Env = make(map[interface{}]interface{})
-			c.Env["reqID"] = 1
-
-			h.ServeHTTP(w, r)
-		}
-		return http.HandlerFunc(fn)
-	})
-
-	st.Use(func(c *C, h http.Handler) http.Handler {
-		fn := func(w http.ResponseWriter, r *http.Request) {
-			if c.Env == nil {
-				t.Error("Expected env from last middleware")
-			}
-			c.Env["reqID"] = c.Env["reqID"].(int) + 1
-
-			h.ServeHTTP(w, r)
-		}
-		return http.HandlerFunc(fn)
-	})
-	ch := make(chan string)
-	go simpleRequest(ch, &st)
-	assertOrder(t, ch, "end")
-}
diff --git a/vendor/github.com/zenazn/goji/web/mutil/writer_proxy.go b/vendor/github.com/zenazn/goji/web/mutil/writer_proxy.go
index 9f6d776b..fb4a08be 100644
--- a/vendor/github.com/zenazn/goji/web/mutil/writer_proxy.go
+++ b/vendor/github.com/zenazn/goji/web/mutil/writer_proxy.go
@@ -1,3 +1,5 @@
+// +build !go1.8
+
 package mutil
 
 import (
@@ -62,6 +64,7 @@ func (b *basicWriter) WriteHeader(code int) {
 		b.ResponseWriter.WriteHeader(code)
 	}
 }
+
 func (b *basicWriter) Write(buf []byte) (int, error) {
 	b.WriteHeader(http.StatusOK)
 	n, err := b.ResponseWriter.Write(buf)
@@ -75,20 +78,25 @@ func (b *basicWriter) Write(buf []byte) (int, error) {
 	b.bytes += n
 	return n, err
 }
+
 func (b *basicWriter) maybeWriteHeader() {
 	if !b.wroteHeader {
 		b.WriteHeader(http.StatusOK)
 	}
 }
+
 func (b *basicWriter) Status() int {
 	return b.code
 }
+
 func (b *basicWriter) BytesWritten() int {
 	return b.bytes
 }
+
 func (b *basicWriter) Tee(w io.Writer) {
 	b.tee = w
 }
+
 func (b *basicWriter) Unwrap() http.ResponseWriter {
 	return b.ResponseWriter
 }
@@ -105,14 +113,17 @@ func (f *fancyWriter) CloseNotify() <-chan bool {
 	cn := f.basicWriter.ResponseWriter.(http.CloseNotifier)
 	return cn.CloseNotify()
 }
+
 func (f *fancyWriter) Flush() {
 	fl := f.basicWriter.ResponseWriter.(http.Flusher)
 	fl.Flush()
 }
+
 func (f *fancyWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
 	hj := f.basicWriter.ResponseWriter.(http.Hijacker)
 	return hj.Hijack()
 }
+
 func (f *fancyWriter) ReadFrom(r io.Reader) (int64, error) {
 	if f.basicWriter.tee != nil {
 		return io.Copy(&f.basicWriter, r)
@@ -122,11 +133,6 @@ func (f *fancyWriter) ReadFrom(r io.Reader) (int64, error) {
 	return rf.ReadFrom(r)
 }
 
-var _ http.CloseNotifier = &fancyWriter{}
-var _ http.Flusher = &fancyWriter{}
-var _ http.Hijacker = &fancyWriter{}
-var _ io.ReaderFrom = &fancyWriter{}
-
 type flushWriter struct {
 	basicWriter
 }
@@ -136,4 +142,10 @@ func (f *flushWriter) Flush() {
 	fl.Flush()
 }
 
-var _ http.Flusher = &flushWriter{}
+var (
+	_ http.CloseNotifier = &fancyWriter{}
+	_ http.Flusher       = &fancyWriter{}
+	_ http.Hijacker      = &fancyWriter{}
+	_ io.ReaderFrom      = &fancyWriter{}
+	_ http.Flusher       = &flushWriter{}
+)
diff --git a/vendor/github.com/zenazn/goji/web/mux_test.go b/vendor/github.com/zenazn/goji/web/mux_test.go
deleted file mode 100644
index f461452f..00000000
--- a/vendor/github.com/zenazn/goji/web/mux_test.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package web
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-)
-
-// Sanity check types
-var _ http.Handler = &Mux{}
-var _ Handler = &Mux{}
-
-// There's... really not a lot to do here.
-
-func TestIfItWorks(t *testing.T) {
-	t.Parallel()
-
-	m := New()
-	ch := make(chan string, 1)
-
-	m.Get("/hello/:name", func(c C, w http.ResponseWriter, r *http.Request) {
-		greeting := "Hello "
-		if c.Env != nil {
-			if g, ok := c.Env["greeting"]; ok {
-				greeting = g.(string)
-			}
-		}
-		ch <- greeting + c.URLParams["name"]
-	})
-
-	r, _ := http.NewRequest("GET", "/hello/carl", nil)
-	m.ServeHTTP(httptest.NewRecorder(), r)
-	out := <-ch
-	if out != "Hello carl" {
-		t.Errorf(`Unexpected response %q, expected "Hello carl"`, out)
-	}
-
-	r, _ = http.NewRequest("GET", "/hello/bob", nil)
-	env := map[interface{}]interface{}{"greeting": "Yo "}
-	m.ServeHTTPC(C{Env: env}, httptest.NewRecorder(), r)
-	out = <-ch
-	if out != "Yo bob" {
-		t.Errorf(`Unexpected response %q, expected "Yo bob"`, out)
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/web/pattern_test.go b/vendor/github.com/zenazn/goji/web/pattern_test.go
deleted file mode 100644
index 8e8af29a..00000000
--- a/vendor/github.com/zenazn/goji/web/pattern_test.go
+++ /dev/null
@@ -1,188 +0,0 @@
-package web
-
-import (
-	"net/http"
-	"reflect"
-	"regexp"
-	"testing"
-)
-
-func pt(url string, match bool, params map[string]string) patternTest {
-	req, err := http.NewRequest("GET", url, nil)
-	if err != nil {
-		panic(err)
-	}
-
-	return patternTest{
-		r:     req,
-		match: match,
-		c:     &C{},
-		cout:  &C{URLParams: params},
-	}
-}
-
-type patternTest struct {
-	r     *http.Request
-	match bool
-	c     *C
-	cout  *C
-}
-
-var patternTests = []struct {
-	pat    Pattern
-	prefix string
-	tests  []patternTest
-}{
-	// Regexp tests
-	{parseRegexpPattern(regexp.MustCompile("^/hello$")),
-		"/hello", []patternTest{
-			pt("/hello", true, nil),
-			pt("/hell", false, nil),
-			pt("/hello/", false, nil),
-			pt("/hello/world", false, nil),
-			pt("/world", false, nil),
-		}},
-	{parseRegexpPattern(regexp.MustCompile("^/hello/(?P<name>[a-z]+)$")),
-		"/hello/", []patternTest{
-			pt("/hello/world", true, map[string]string{
-				"name": "world",
-			}),
-			pt("/hello/", false, nil),
-			pt("/hello/my/love", false, nil),
-		}},
-	{parseRegexpPattern(regexp.MustCompile(`^/a(?P<a>\d+)/b(?P<b>\d+)/?$`)),
-		"/a", []patternTest{
-			pt("/a1/b2", true, map[string]string{
-				"a": "1",
-				"b": "2",
-			}),
-			pt("/a9001/b007/", true, map[string]string{
-				"a": "9001",
-				"b": "007",
-			}),
-			pt("/a/b", false, nil),
-			pt("/a", false, nil),
-			pt("/squirrel", false, nil),
-		}},
-	{parseRegexpPattern(regexp.MustCompile(`^/hello/([a-z]+)$`)),
-		"/hello/", []patternTest{
-			pt("/hello/world", true, map[string]string{
-				"$1": "world",
-			}),
-			pt("/hello/", false, nil),
-		}},
-	{parseRegexpPattern(regexp.MustCompile("/hello")),
-		"/hello", []patternTest{
-			pt("/hello", true, nil),
-			pt("/hell", false, nil),
-			pt("/hello/", true, nil),
-			pt("/hello/world", true, nil),
-			pt("/world/hello", false, nil),
-		}},
-
-	// String pattern tests
-	{parseStringPattern("/hello"),
-		"/hello", []patternTest{
-			pt("/hello", true, nil),
-			pt("/hell", false, nil),
-			pt("/hello/", false, nil),
-			pt("/hello/world", false, nil),
-		}},
-	{parseStringPattern("/hello/:name"),
-		"/hello/", []patternTest{
-			pt("/hello/world", true, map[string]string{
-				"name": "world",
-			}),
-			pt("/hello/my.world;wow", true, map[string]string{
-				"name": "my.world;wow",
-			}),
-			pt("/hell", false, nil),
-			pt("/hello/", false, nil),
-			pt("/hello/my/love", false, nil),
-		}},
-	{parseStringPattern("/a/:a/b/:b"),
-		"/a/", []patternTest{
-			pt("/a/1/b/2", true, map[string]string{
-				"a": "1",
-				"b": "2",
-			}),
-			pt("/a", false, nil),
-			pt("/a//b/", false, nil),
-			pt("/a/1/b/2/3", false, nil),
-		}},
-	{parseStringPattern("/a/:b.:c"),
-		"/a/", []patternTest{
-			pt("/a/cat.gif", true, map[string]string{
-				"b": "cat",
-				"c": "gif",
-			}),
-			pt("/a/cat.tar.gz", true, map[string]string{
-				"b": "cat",
-				"c": "tar.gz",
-			}),
-			pt("/a", false, nil),
-			pt("/a/cat", false, nil),
-			pt("/a/cat/gif", false, nil),
-			pt("/a/cat.", false, nil),
-			pt("/a/cat/dog.gif", false, nil),
-		}},
-
-	// String prefix tests
-	{parseStringPattern("/user/:user/*"),
-		"/user/", []patternTest{
-			pt("/user/bob/", true, map[string]string{
-				"user": "bob",
-				"*":    "/",
-			}),
-			pt("/user/bob/friends/123", true, map[string]string{
-				"user": "bob",
-				"*":    "/friends/123",
-			}),
-			pt("/user/bob", false, nil),
-			pt("/user/", false, nil),
-			pt("/user//", false, nil),
-		}},
-	{parseStringPattern("/user/:user/friends/*"),
-		"/user/", []patternTest{
-			pt("/user/bob/friends/", true, map[string]string{
-				"user": "bob",
-				"*":    "/",
-			}),
-			pt("/user/bob/friends/123", true, map[string]string{
-				"user": "bob",
-				"*":    "/123",
-			}),
-			pt("/user/bob/enemies", false, nil),
-		}},
-}
-
-func TestPatterns(t *testing.T) {
-	t.Parallel()
-
-	for _, pt := range patternTests {
-		p := pt.pat.Prefix()
-		if p != pt.prefix {
-			t.Errorf("Expected prefix %q for %v, got %q", pt.prefix,
-				pt.pat, p)
-		} else {
-			for _, test := range pt.tests {
-				runTest(t, pt.pat, test)
-			}
-		}
-	}
-}
-
-func runTest(t *testing.T, p Pattern, test patternTest) {
-	result := p.Match(test.r, test.c)
-	if result != test.match {
-		t.Errorf("Expected match(%v, %#v) to return %v", p,
-			test.r.URL.Path, test.match)
-		return
-	}
-	p.Run(test.r, test.c)
-
-	if !reflect.DeepEqual(test.c, test.cout) {
-		t.Errorf("Expected a context of %v, instead got %v", test.cout,
-			test.c)
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/web/router_middleware_test.go b/vendor/github.com/zenazn/goji/web/router_middleware_test.go
deleted file mode 100644
index 05dc2fab..00000000
--- a/vendor/github.com/zenazn/goji/web/router_middleware_test.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package web
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-)
-
-func TestRouterMiddleware(t *testing.T) {
-	t.Parallel()
-
-	m := New()
-	ch := make(chan string, 1)
-	m.Get("/a", chHandler(ch, "a"))
-	m.Get("/b", chHandler(ch, "b"))
-	m.Use(m.Router)
-	m.Use(func(c *C, h http.Handler) http.Handler {
-		fn := func(w http.ResponseWriter, r *http.Request) {
-			m := GetMatch(*c)
-			if rp := m.RawPattern(); rp != "/a" {
-				t.Fatalf("RawPattern was not /a: %v", rp)
-			}
-			r.URL.Path = "/b"
-			h.ServeHTTP(w, r)
-		}
-		return http.HandlerFunc(fn)
-	})
-
-	r, _ := http.NewRequest("GET", "/a", nil)
-	w := httptest.NewRecorder()
-	m.ServeHTTP(w, r)
-	if v := <-ch; v != "a" {
-		t.Errorf("Routing was not frozen! %s", v)
-	}
-}
diff --git a/vendor/github.com/zenazn/goji/web/router_test.go b/vendor/github.com/zenazn/goji/web/router_test.go
deleted file mode 100644
index 1d2c27ee..00000000
--- a/vendor/github.com/zenazn/goji/web/router_test.go
+++ /dev/null
@@ -1,326 +0,0 @@
-package web
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"reflect"
-	"regexp"
-	"testing"
-	"time"
-)
-
-// These tests can probably be DRY'd up a bunch
-
-func chHandler(ch chan string, s string) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ch <- s
-	})
-}
-
-var methods = []string{"CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH",
-	"POST", "PUT", "TRACE", "OTHER"}
-
-func TestMethods(t *testing.T) {
-	t.Parallel()
-	m := New()
-	ch := make(chan string, 1)
-
-	m.Connect("/", chHandler(ch, "CONNECT"))
-	m.Delete("/", chHandler(ch, "DELETE"))
-	m.Head("/", chHandler(ch, "HEAD"))
-	m.Get("/", chHandler(ch, "GET"))
-	m.Options("/", chHandler(ch, "OPTIONS"))
-	m.Patch("/", chHandler(ch, "PATCH"))
-	m.Post("/", chHandler(ch, "POST"))
-	m.Put("/", chHandler(ch, "PUT"))
-	m.Trace("/", chHandler(ch, "TRACE"))
-	m.Handle("/", chHandler(ch, "OTHER"))
-
-	for _, method := range methods {
-		r, _ := http.NewRequest(method, "/", nil)
-		w := httptest.NewRecorder()
-		m.ServeHTTP(w, r)
-		select {
-		case val := <-ch:
-			if val != method {
-				t.Errorf("Got %q, expected %q", val, method)
-			}
-		case <-time.After(5 * time.Millisecond):
-			t.Errorf("Timeout waiting for method %q", method)
-		}
-	}
-}
-
-type testPattern struct{}
-
-func (t testPattern) Prefix() string {
-	return ""
-}
-
-func (t testPattern) Match(r *http.Request, c *C) bool {
-	return true
-}
-func (t testPattern) Run(r *http.Request, c *C) {
-}
-
-var _ Pattern = testPattern{}
-
-func TestPatternTypes(t *testing.T) {
-	t.Parallel()
-	m := New()
-
-	m.Get("/hello/carl", http.NotFound)
-	m.Get("/hello/:name", http.NotFound)
-	m.Get(regexp.MustCompile(`^/hello/(?P<name>.+)$`), http.NotFound)
-	m.Get(testPattern{}, http.NotFound)
-}
-
-type testHandler chan string
-
-func (t testHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	t <- "http"
-}
-func (t testHandler) ServeHTTPC(c C, w http.ResponseWriter, r *http.Request) {
-	t <- "httpc"
-}
-
-var testHandlerTable = map[string]string{
-	"/a": "http fn",
-	"/b": "http handler",
-	"/c": "web fn",
-	"/d": "web handler",
-	"/e": "httpc",
-}
-
-func TestHandlerTypes(t *testing.T) {
-	t.Parallel()
-	m := New()
-	ch := make(chan string, 1)
-
-	m.Get("/a", func(w http.ResponseWriter, r *http.Request) {
-		ch <- "http fn"
-	})
-	m.Get("/b", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ch <- "http handler"
-	}))
-	m.Get("/c", func(c C, w http.ResponseWriter, r *http.Request) {
-		ch <- "web fn"
-	})
-	m.Get("/d", HandlerFunc(func(c C, w http.ResponseWriter, r *http.Request) {
-		ch <- "web handler"
-	}))
-	m.Get("/e", testHandler(ch))
-
-	for route, response := range testHandlerTable {
-		r, _ := http.NewRequest("GET", route, nil)
-		w := httptest.NewRecorder()
-		m.ServeHTTP(w, r)
-		select {
-		case resp := <-ch:
-			if resp != response {
-				t.Errorf("Got %q, expected %q", resp, response)
-			}
-		case <-time.After(5 * time.Millisecond):
-			t.Errorf("Timeout waiting for path %q", route)
-		}
-
-	}
-}
-
-// The idea behind this test is to comprehensively test if routes are being
-// applied in the right order. We define a special pattern type that always
-// matches so long as it's greater than or equal to the global test index. By
-// incrementing this index, we can invalidate all routes up to some point, and
-// therefore test the routing guarantee that Goji provides: for any path P, if
-// both A and B match P, and if A was inserted before B, then Goji will route to
-// A before it routes to B.
-var rsRoutes = []string{
-	"/",
-	"/a",
-	"/a",
-	"/b",
-	"/ab",
-	"/",
-	"/ba",
-	"/b",
-	"/a",
-}
-
-var rsTests = []struct {
-	key     string
-	results []int
-}{
-	{"/", []int{0, 5, 5, 5, 5, 5, -1, -1, -1, -1}},
-	{"/a", []int{0, 1, 2, 5, 5, 5, 8, 8, 8, -1}},
-	{"/b", []int{0, 3, 3, 3, 5, 5, 7, 7, -1, -1}},
-	{"/ab", []int{0, 1, 2, 4, 4, 5, 8, 8, 8, -1}},
-	{"/ba", []int{0, 3, 3, 3, 5, 5, 6, 7, -1, -1}},
-	{"/c", []int{0, 5, 5, 5, 5, 5, -1, -1, -1, -1}},
-	{"nope", []int{-1, -1, -1, -1, -1, -1, -1, -1, -1, -1}},
-}
-
-type rsPattern struct {
-	i       int
-	counter *int
-	prefix  string
-	ichan   chan int
-}
-
-func (rs rsPattern) Prefix() string {
-	return rs.prefix
-}
-func (rs rsPattern) Match(_ *http.Request, _ *C) bool {
-	return rs.i >= *rs.counter
-}
-func (rs rsPattern) Run(_ *http.Request, _ *C) {
-}
-
-func (rs rsPattern) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {
-	rs.ichan <- rs.i
-}
-
-var _ Pattern = rsPattern{}
-var _ http.Handler = rsPattern{}
-
-func TestRouteSelection(t *testing.T) {
-	t.Parallel()
-	m := New()
-	counter := 0
-	ichan := make(chan int, 1)
-	m.NotFound(func(w http.ResponseWriter, r *http.Request) {
-		ichan <- -1
-	})
-
-	for i, s := range rsRoutes {
-		pat := rsPattern{
-			i:       i,
-			counter: &counter,
-			prefix:  s,
-			ichan:   ichan,
-		}
-		m.Get(pat, pat)
-	}
-
-	for _, test := range rsTests {
-		var n int
-		for counter, n = range test.results {
-			r, _ := http.NewRequest("GET", test.key, nil)
-			w := httptest.NewRecorder()
-			m.ServeHTTP(w, r)
-			actual := <-ichan
-			if n != actual {
-				t.Errorf("Expected %q @ %d to be %d, got %d",
-					test.key, counter, n, actual)
-			}
-		}
-	}
-}
-
-func TestNotFound(t *testing.T) {
-	t.Parallel()
-	m := New()
-
-	r, _ := http.NewRequest("post", "/", nil)
-	w := httptest.NewRecorder()
-	m.ServeHTTP(w, r)
-	if w.Code != 404 {
-		t.Errorf("Expected 404, got %d", w.Code)
-	}
-
-	m.NotFound(func(w http.ResponseWriter, r *http.Request) {
-		http.Error(w, "I'm a teapot!", http.StatusTeapot)
-	})
-
-	r, _ = http.NewRequest("POST", "/", nil)
-	w = httptest.NewRecorder()
-	m.ServeHTTP(w, r)
-	if w.Code != http.StatusTeapot {
-		t.Errorf("Expected a teapot, got %d", w.Code)
-	}
-}
-
-func TestPrefix(t *testing.T) {
-	t.Parallel()
-	m := New()
-	ch := make(chan string, 1)
-
-	m.Handle("/hello/*", func(w http.ResponseWriter, r *http.Request) {
-		ch <- r.URL.Path
-	})
-
-	r, _ := http.NewRequest("GET", "/hello/world", nil)
-	w := httptest.NewRecorder()
-	m.ServeHTTP(w, r)
-	select {
-	case val := <-ch:
-		if val != "/hello/world" {
-			t.Errorf("Got %q, expected /hello/world", val)
-		}
-	case <-time.After(5 * time.Millisecond):
-		t.Errorf("Timeout waiting for hello")
-	}
-}
-
-var validMethodsTable = map[string][]string{
-	"/hello/carl":       {"DELETE", "GET", "HEAD", "PATCH", "POST", "PUT"},
-	"/hello/bob":        {"DELETE", "GET", "HEAD", "PATCH", "PUT"},
-	"/hola/carl":        {"DELETE", "GET", "HEAD", "PUT"},
-	"/hola/bob":         {"DELETE"},
-	"/does/not/compute": {},
-}
-
-func TestValidMethods(t *testing.T) {
-	t.Parallel()
-	m := New()
-	ch := make(chan []string, 1)
-
-	m.NotFound(func(c C, w http.ResponseWriter, r *http.Request) {
-		if c.Env == nil {
-			ch <- []string{}
-			return
-		}
-		methods, ok := c.Env[ValidMethodsKey]
-		if !ok {
-			ch <- []string{}
-			return
-		}
-		ch <- methods.([]string)
-	})
-
-	m.Get("/hello/carl", http.NotFound)
-	m.Post("/hello/carl", http.NotFound)
-	m.Head("/hello/bob", http.NotFound)
-	m.Get("/hello/:name", http.NotFound)
-	m.Put("/hello/:name", http.NotFound)
-	m.Patch("/hello/:name", http.NotFound)
-	m.Get("/:greet/carl", http.NotFound)
-	m.Put("/:greet/carl", http.NotFound)
-	m.Delete("/:greet/:anyone", http.NotFound)
-
-	for path, eMethods := range validMethodsTable {
-		r, _ := http.NewRequest("BOGUS", path, nil)
-		m.ServeHTTP(httptest.NewRecorder(), r)
-		aMethods := <-ch
-		if !reflect.DeepEqual(eMethods, aMethods) {
-			t.Errorf("For %q, expected %v, got %v", path, eMethods,
-				aMethods)
-		}
-	}
-
-	// This should also work when c.Env has already been initalized
-	m.Use(func(c *C, h http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			c.Env = make(map[interface{}]interface{})
-			h.ServeHTTP(w, r)
-		})
-	})
-	for path, eMethods := range validMethodsTable {
-		r, _ := http.NewRequest("BOGUS", path, nil)
-		m.ServeHTTP(httptest.NewRecorder(), r)
-		aMethods := <-ch
-		if !reflect.DeepEqual(eMethods, aMethods) {
-			t.Errorf("For %q, expected %v, got %v", path, eMethods,
-				aMethods)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/.gitattributes b/vendor/golang.org/x/crypto/.gitattributes
deleted file mode 100644
index d2f212e5..00000000
--- a/vendor/golang.org/x/crypto/.gitattributes
+++ /dev/null
@@ -1,10 +0,0 @@
-# Treat all files in this repo as binary, with no git magic updating
-# line endings. Windows users contributing to Go will need to use a
-# modern version of git and editors capable of LF line endings.
-#
-# We'll prevent accidental CRLF line endings from entering the repo
-# via the git-review gofmt checks.
-#
-# See golang.org/issue/9281
-
-* -text
diff --git a/vendor/golang.org/x/crypto/.gitignore b/vendor/golang.org/x/crypto/.gitignore
deleted file mode 100644
index 8339fd61..00000000
--- a/vendor/golang.org/x/crypto/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# Add no patterns to .hgignore except for files generated by the build.
-last-change
diff --git a/vendor/golang.org/x/crypto/CONTRIBUTING.md b/vendor/golang.org/x/crypto/CONTRIBUTING.md
deleted file mode 100644
index 88dff59b..00000000
--- a/vendor/golang.org/x/crypto/CONTRIBUTING.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# Contributing to Go
-
-Go is an open source project.
-
-It is the work of hundreds of contributors. We appreciate your help!
-
-
-## Filing issues
-
-When [filing an issue](https://golang.org/issue/new), make sure to answer these five questions:
-
-1. What version of Go are you using (`go version`)?
-2. What operating system and processor architecture are you using?
-3. What did you do?
-4. What did you expect to see?
-5. What did you see instead?
-
-General questions should go to the [golang-nuts mailing list](https://groups.google.com/group/golang-nuts) instead of the issue tracker.
-The gophers there will answer or ask you to file an issue if you've tripped over a bug.
-
-## Contributing code
-
-Please read the [Contribution Guidelines](https://golang.org/doc/contribute.html)
-before sending patches.
-
-**We do not accept GitHub pull requests**
-(we use [Gerrit](https://code.google.com/p/gerrit/) instead for code review).
-
-Unless otherwise noted, the Go source files are distributed under
-the BSD-style license found in the LICENSE file.
-
diff --git a/vendor/golang.org/x/crypto/README.md b/vendor/golang.org/x/crypto/README.md
deleted file mode 100644
index c9d6fecd..00000000
--- a/vendor/golang.org/x/crypto/README.md
+++ /dev/null
@@ -1,21 +0,0 @@
-# Go Cryptography
-
-This repository holds supplementary Go cryptography libraries.
-
-## Download/Install
-
-The easiest way to install is to run `go get -u golang.org/x/crypto/...`. You
-can also manually git clone the repository to `$GOPATH/src/golang.org/x/crypto`.
-
-## Report Issues / Send Patches
-
-This repository uses Gerrit for code changes. To learn how to submit changes to
-this repository, see https://golang.org/doc/contribute.html.
-
-The main issue tracker for the crypto repository is located at
-https://github.com/golang/go/issues. Prefix your issue with "x/crypto:" in the
-subject line, so it is easy to find.
-
-Note that contributions to the cryptography package receive additional scrutiny
-due to their sensitive nature. Patches may take longer than normal to receive
-feedback.
diff --git a/vendor/golang.org/x/crypto/acme/acme.go b/vendor/golang.org/x/crypto/acme/acme.go
deleted file mode 100644
index fa9c4b39..00000000
--- a/vendor/golang.org/x/crypto/acme/acme.go
+++ /dev/null
@@ -1,1058 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package acme provides an implementation of the
-// Automatic Certificate Management Environment (ACME) spec.
-// See https://tools.ietf.org/html/draft-ietf-acme-acme-02 for details.
-//
-// Most common scenarios will want to use autocert subdirectory instead,
-// which provides automatic access to certificates from Let's Encrypt
-// and any other ACME-based CA.
-//
-// This package is a work in progress and makes no API stability promises.
-package acme
-
-import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/sha256"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/json"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"math/big"
-	"net/http"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-)
-
-// LetsEncryptURL is the Directory endpoint of Let's Encrypt CA.
-const LetsEncryptURL = "https://acme-v01.api.letsencrypt.org/directory"
-
-const (
-	maxChainLen = 5       // max depth and breadth of a certificate chain
-	maxCertSize = 1 << 20 // max size of a certificate, in bytes
-
-	// Max number of collected nonces kept in memory.
-	// Expect usual peak of 1 or 2.
-	maxNonces = 100
-)
-
-// Client is an ACME client.
-// The only required field is Key. An example of creating a client with a new key
-// is as follows:
-//
-// 	key, err := rsa.GenerateKey(rand.Reader, 2048)
-// 	if err != nil {
-// 		log.Fatal(err)
-// 	}
-// 	client := &Client{Key: key}
-//
-type Client struct {
-	// Key is the account key used to register with a CA and sign requests.
-	// Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey.
-	Key crypto.Signer
-
-	// HTTPClient optionally specifies an HTTP client to use
-	// instead of http.DefaultClient.
-	HTTPClient *http.Client
-
-	// DirectoryURL points to the CA directory endpoint.
-	// If empty, LetsEncryptURL is used.
-	// Mutating this value after a successful call of Client's Discover method
-	// will have no effect.
-	DirectoryURL string
-
-	dirMu sync.Mutex // guards writes to dir
-	dir   *Directory // cached result of Client's Discover method
-
-	noncesMu sync.Mutex
-	nonces   map[string]struct{} // nonces collected from previous responses
-}
-
-// Discover performs ACME server discovery using c.DirectoryURL.
-//
-// It caches successful result. So, subsequent calls will not result in
-// a network round-trip. This also means mutating c.DirectoryURL after successful call
-// of this method will have no effect.
-func (c *Client) Discover(ctx context.Context) (Directory, error) {
-	c.dirMu.Lock()
-	defer c.dirMu.Unlock()
-	if c.dir != nil {
-		return *c.dir, nil
-	}
-
-	dirURL := c.DirectoryURL
-	if dirURL == "" {
-		dirURL = LetsEncryptURL
-	}
-	res, err := c.get(ctx, dirURL)
-	if err != nil {
-		return Directory{}, err
-	}
-	defer res.Body.Close()
-	c.addNonce(res.Header)
-	if res.StatusCode != http.StatusOK {
-		return Directory{}, responseError(res)
-	}
-
-	var v struct {
-		Reg    string `json:"new-reg"`
-		Authz  string `json:"new-authz"`
-		Cert   string `json:"new-cert"`
-		Revoke string `json:"revoke-cert"`
-		Meta   struct {
-			Terms   string   `json:"terms-of-service"`
-			Website string   `json:"website"`
-			CAA     []string `json:"caa-identities"`
-		}
-	}
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return Directory{}, err
-	}
-	c.dir = &Directory{
-		RegURL:    v.Reg,
-		AuthzURL:  v.Authz,
-		CertURL:   v.Cert,
-		RevokeURL: v.Revoke,
-		Terms:     v.Meta.Terms,
-		Website:   v.Meta.Website,
-		CAA:       v.Meta.CAA,
-	}
-	return *c.dir, nil
-}
-
-// CreateCert requests a new certificate using the Certificate Signing Request csr encoded in DER format.
-// The exp argument indicates the desired certificate validity duration. CA may issue a certificate
-// with a different duration.
-// If the bundle argument is true, the returned value will also contain the CA (issuer) certificate chain.
-//
-// In the case where CA server does not provide the issued certificate in the response,
-// CreateCert will poll certURL using c.FetchCert, which will result in additional round-trips.
-// In such a scenario, the caller can cancel the polling with ctx.
-//
-// CreateCert returns an error if the CA's response or chain was unreasonably large.
-// Callers are encouraged to parse the returned value to ensure the certificate is valid and has the expected features.
-func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, bundle bool) (der [][]byte, certURL string, err error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, "", err
-	}
-
-	req := struct {
-		Resource  string `json:"resource"`
-		CSR       string `json:"csr"`
-		NotBefore string `json:"notBefore,omitempty"`
-		NotAfter  string `json:"notAfter,omitempty"`
-	}{
-		Resource: "new-cert",
-		CSR:      base64.RawURLEncoding.EncodeToString(csr),
-	}
-	now := timeNow()
-	req.NotBefore = now.Format(time.RFC3339)
-	if exp > 0 {
-		req.NotAfter = now.Add(exp).Format(time.RFC3339)
-	}
-
-	res, err := c.retryPostJWS(ctx, c.Key, c.dir.CertURL, req)
-	if err != nil {
-		return nil, "", err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusCreated {
-		return nil, "", responseError(res)
-	}
-
-	curl := res.Header.Get("Location") // cert permanent URL
-	if res.ContentLength == 0 {
-		// no cert in the body; poll until we get it
-		cert, err := c.FetchCert(ctx, curl, bundle)
-		return cert, curl, err
-	}
-	// slurp issued cert and CA chain, if requested
-	cert, err := c.responseCert(ctx, res, bundle)
-	return cert, curl, err
-}
-
-// FetchCert retrieves already issued certificate from the given url, in DER format.
-// It retries the request until the certificate is successfully retrieved,
-// context is cancelled by the caller or an error response is received.
-//
-// The returned value will also contain the CA (issuer) certificate if the bundle argument is true.
-//
-// FetchCert returns an error if the CA's response or chain was unreasonably large.
-// Callers are encouraged to parse the returned value to ensure the certificate is valid
-// and has expected features.
-func (c *Client) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) {
-	for {
-		res, err := c.get(ctx, url)
-		if err != nil {
-			return nil, err
-		}
-		defer res.Body.Close()
-		if res.StatusCode == http.StatusOK {
-			return c.responseCert(ctx, res, bundle)
-		}
-		if res.StatusCode > 299 {
-			return nil, responseError(res)
-		}
-		d := retryAfter(res.Header.Get("Retry-After"), 3*time.Second)
-		select {
-		case <-time.After(d):
-			// retry
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		}
-	}
-}
-
-// RevokeCert revokes a previously issued certificate cert, provided in DER format.
-//
-// The key argument, used to sign the request, must be authorized
-// to revoke the certificate. It's up to the CA to decide which keys are authorized.
-// For instance, the key pair of the certificate may be authorized.
-// If the key is nil, c.Key is used instead.
-func (c *Client) RevokeCert(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error {
-	if _, err := c.Discover(ctx); err != nil {
-		return err
-	}
-
-	body := &struct {
-		Resource string `json:"resource"`
-		Cert     string `json:"certificate"`
-		Reason   int    `json:"reason"`
-	}{
-		Resource: "revoke-cert",
-		Cert:     base64.RawURLEncoding.EncodeToString(cert),
-		Reason:   int(reason),
-	}
-	if key == nil {
-		key = c.Key
-	}
-	res, err := c.retryPostJWS(ctx, key, c.dir.RevokeURL, body)
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		return responseError(res)
-	}
-	return nil
-}
-
-// AcceptTOS always returns true to indicate the acceptance of a CA's Terms of Service
-// during account registration. See Register method of Client for more details.
-func AcceptTOS(tosURL string) bool { return true }
-
-// Register creates a new account registration by following the "new-reg" flow.
-// It returns the registered account. The account is not modified.
-//
-// The registration may require the caller to agree to the CA's Terms of Service (TOS).
-// If so, and the account has not indicated the acceptance of the terms (see Account for details),
-// Register calls prompt with a TOS URL provided by the CA. Prompt should report
-// whether the caller agrees to the terms. To always accept the terms, the caller can use AcceptTOS.
-func (c *Client) Register(ctx context.Context, a *Account, prompt func(tosURL string) bool) (*Account, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-
-	var err error
-	if a, err = c.doReg(ctx, c.dir.RegURL, "new-reg", a); err != nil {
-		return nil, err
-	}
-	var accept bool
-	if a.CurrentTerms != "" && a.CurrentTerms != a.AgreedTerms {
-		accept = prompt(a.CurrentTerms)
-	}
-	if accept {
-		a.AgreedTerms = a.CurrentTerms
-		a, err = c.UpdateReg(ctx, a)
-	}
-	return a, err
-}
-
-// GetReg retrieves an existing registration.
-// The url argument is an Account URI.
-func (c *Client) GetReg(ctx context.Context, url string) (*Account, error) {
-	a, err := c.doReg(ctx, url, "reg", nil)
-	if err != nil {
-		return nil, err
-	}
-	a.URI = url
-	return a, nil
-}
-
-// UpdateReg updates an existing registration.
-// It returns an updated account copy. The provided account is not modified.
-func (c *Client) UpdateReg(ctx context.Context, a *Account) (*Account, error) {
-	uri := a.URI
-	a, err := c.doReg(ctx, uri, "reg", a)
-	if err != nil {
-		return nil, err
-	}
-	a.URI = uri
-	return a, nil
-}
-
-// Authorize performs the initial step in an authorization flow.
-// The caller will then need to choose from and perform a set of returned
-// challenges using c.Accept in order to successfully complete authorization.
-//
-// If an authorization has been previously granted, the CA may return
-// a valid authorization (Authorization.Status is StatusValid). If so, the caller
-// need not fulfill any challenge and can proceed to requesting a certificate.
-func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-
-	type authzID struct {
-		Type  string `json:"type"`
-		Value string `json:"value"`
-	}
-	req := struct {
-		Resource   string  `json:"resource"`
-		Identifier authzID `json:"identifier"`
-	}{
-		Resource:   "new-authz",
-		Identifier: authzID{Type: "dns", Value: domain},
-	}
-	res, err := c.retryPostJWS(ctx, c.Key, c.dir.AuthzURL, req)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusCreated {
-		return nil, responseError(res)
-	}
-
-	var v wireAuthz
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid response: %v", err)
-	}
-	if v.Status != StatusPending && v.Status != StatusValid {
-		return nil, fmt.Errorf("acme: unexpected status: %s", v.Status)
-	}
-	return v.authorization(res.Header.Get("Location")), nil
-}
-
-// GetAuthorization retrieves an authorization identified by the given URL.
-//
-// If a caller needs to poll an authorization until its status is final,
-// see the WaitAuthorization method.
-func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) {
-	res, err := c.get(ctx, url)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusAccepted {
-		return nil, responseError(res)
-	}
-	var v wireAuthz
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid response: %v", err)
-	}
-	return v.authorization(url), nil
-}
-
-// RevokeAuthorization relinquishes an existing authorization identified
-// by the given URL.
-// The url argument is an Authorization.URI value.
-//
-// If successful, the caller will be required to obtain a new authorization
-// using the Authorize method before being able to request a new certificate
-// for the domain associated with the authorization.
-//
-// It does not revoke existing certificates.
-func (c *Client) RevokeAuthorization(ctx context.Context, url string) error {
-	req := struct {
-		Resource string `json:"resource"`
-		Status   string `json:"status"`
-		Delete   bool   `json:"delete"`
-	}{
-		Resource: "authz",
-		Status:   "deactivated",
-		Delete:   true,
-	}
-	res, err := c.retryPostJWS(ctx, c.Key, url, req)
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		return responseError(res)
-	}
-	return nil
-}
-
-// WaitAuthorization polls an authorization at the given URL
-// until it is in one of the final states, StatusValid or StatusInvalid,
-// or the context is done.
-//
-// It returns a non-nil Authorization only if its Status is StatusValid.
-// In all other cases WaitAuthorization returns an error.
-// If the Status is StatusInvalid, the returned error is of type *AuthorizationError.
-func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) {
-	sleep := sleeper(ctx)
-	for {
-		res, err := c.get(ctx, url)
-		if err != nil {
-			return nil, err
-		}
-		retry := res.Header.Get("Retry-After")
-		if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusAccepted {
-			res.Body.Close()
-			if err := sleep(retry, 1); err != nil {
-				return nil, err
-			}
-			continue
-		}
-		var raw wireAuthz
-		err = json.NewDecoder(res.Body).Decode(&raw)
-		res.Body.Close()
-		if err != nil {
-			if err := sleep(retry, 0); err != nil {
-				return nil, err
-			}
-			continue
-		}
-		if raw.Status == StatusValid {
-			return raw.authorization(url), nil
-		}
-		if raw.Status == StatusInvalid {
-			return nil, raw.error(url)
-		}
-		if err := sleep(retry, 0); err != nil {
-			return nil, err
-		}
-	}
-}
-
-// GetChallenge retrieves the current status of an challenge.
-//
-// A client typically polls a challenge status using this method.
-func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) {
-	res, err := c.get(ctx, url)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusAccepted {
-		return nil, responseError(res)
-	}
-	v := wireChallenge{URI: url}
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid response: %v", err)
-	}
-	return v.challenge(), nil
-}
-
-// Accept informs the server that the client accepts one of its challenges
-// previously obtained with c.Authorize.
-//
-// The server will then perform the validation asynchronously.
-func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error) {
-	auth, err := keyAuth(c.Key.Public(), chal.Token)
-	if err != nil {
-		return nil, err
-	}
-
-	req := struct {
-		Resource string `json:"resource"`
-		Type     string `json:"type"`
-		Auth     string `json:"keyAuthorization"`
-	}{
-		Resource: "challenge",
-		Type:     chal.Type,
-		Auth:     auth,
-	}
-	res, err := c.retryPostJWS(ctx, c.Key, chal.URI, req)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	// Note: the protocol specifies 200 as the expected response code, but
-	// letsencrypt seems to be returning 202.
-	if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusAccepted {
-		return nil, responseError(res)
-	}
-
-	var v wireChallenge
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid response: %v", err)
-	}
-	return v.challenge(), nil
-}
-
-// DNS01ChallengeRecord returns a DNS record value for a dns-01 challenge response.
-// A TXT record containing the returned value must be provisioned under
-// "_acme-challenge" name of the domain being validated.
-//
-// The token argument is a Challenge.Token value.
-func (c *Client) DNS01ChallengeRecord(token string) (string, error) {
-	ka, err := keyAuth(c.Key.Public(), token)
-	if err != nil {
-		return "", err
-	}
-	b := sha256.Sum256([]byte(ka))
-	return base64.RawURLEncoding.EncodeToString(b[:]), nil
-}
-
-// HTTP01ChallengeResponse returns the response for an http-01 challenge.
-// Servers should respond with the value to HTTP requests at the URL path
-// provided by HTTP01ChallengePath to validate the challenge and prove control
-// over a domain name.
-//
-// The token argument is a Challenge.Token value.
-func (c *Client) HTTP01ChallengeResponse(token string) (string, error) {
-	return keyAuth(c.Key.Public(), token)
-}
-
-// HTTP01ChallengePath returns the URL path at which the response for an http-01 challenge
-// should be provided by the servers.
-// The response value can be obtained with HTTP01ChallengeResponse.
-//
-// The token argument is a Challenge.Token value.
-func (c *Client) HTTP01ChallengePath(token string) string {
-	return "/.well-known/acme-challenge/" + token
-}
-
-// TLSSNI01ChallengeCert creates a certificate for TLS-SNI-01 challenge response.
-// Servers can present the certificate to validate the challenge and prove control
-// over a domain name.
-//
-// The implementation is incomplete in that the returned value is a single certificate,
-// computed only for Z0 of the key authorization. ACME CAs are expected to update
-// their implementations to use the newer version, TLS-SNI-02.
-// For more details on TLS-SNI-01 see https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-7.3.
-//
-// The token argument is a Challenge.Token value.
-// If a WithKey option is provided, its private part signs the returned cert,
-// and the public part is used to specify the signee.
-// If no WithKey option is provided, a new ECDSA key is generated using P-256 curve.
-//
-// The returned certificate is valid for the next 24 hours and must be presented only when
-// the server name of the client hello matches exactly the returned name value.
-func (c *Client) TLSSNI01ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) {
-	ka, err := keyAuth(c.Key.Public(), token)
-	if err != nil {
-		return tls.Certificate{}, "", err
-	}
-	b := sha256.Sum256([]byte(ka))
-	h := hex.EncodeToString(b[:])
-	name = fmt.Sprintf("%s.%s.acme.invalid", h[:32], h[32:])
-	cert, err = tlsChallengeCert([]string{name}, opt)
-	if err != nil {
-		return tls.Certificate{}, "", err
-	}
-	return cert, name, nil
-}
-
-// TLSSNI02ChallengeCert creates a certificate for TLS-SNI-02 challenge response.
-// Servers can present the certificate to validate the challenge and prove control
-// over a domain name. For more details on TLS-SNI-02 see
-// https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.3.
-//
-// The token argument is a Challenge.Token value.
-// If a WithKey option is provided, its private part signs the returned cert,
-// and the public part is used to specify the signee.
-// If no WithKey option is provided, a new ECDSA key is generated using P-256 curve.
-//
-// The returned certificate is valid for the next 24 hours and must be presented only when
-// the server name in the client hello matches exactly the returned name value.
-func (c *Client) TLSSNI02ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) {
-	b := sha256.Sum256([]byte(token))
-	h := hex.EncodeToString(b[:])
-	sanA := fmt.Sprintf("%s.%s.token.acme.invalid", h[:32], h[32:])
-
-	ka, err := keyAuth(c.Key.Public(), token)
-	if err != nil {
-		return tls.Certificate{}, "", err
-	}
-	b = sha256.Sum256([]byte(ka))
-	h = hex.EncodeToString(b[:])
-	sanB := fmt.Sprintf("%s.%s.ka.acme.invalid", h[:32], h[32:])
-
-	cert, err = tlsChallengeCert([]string{sanA, sanB}, opt)
-	if err != nil {
-		return tls.Certificate{}, "", err
-	}
-	return cert, sanA, nil
-}
-
-// doReg sends all types of registration requests.
-// The type of request is identified by typ argument, which is a "resource"
-// in the ACME spec terms.
-//
-// A non-nil acct argument indicates whether the intention is to mutate data
-// of the Account. Only Contact and Agreement of its fields are used
-// in such cases.
-func (c *Client) doReg(ctx context.Context, url string, typ string, acct *Account) (*Account, error) {
-	req := struct {
-		Resource  string   `json:"resource"`
-		Contact   []string `json:"contact,omitempty"`
-		Agreement string   `json:"agreement,omitempty"`
-	}{
-		Resource: typ,
-	}
-	if acct != nil {
-		req.Contact = acct.Contact
-		req.Agreement = acct.AgreedTerms
-	}
-	res, err := c.retryPostJWS(ctx, c.Key, url, req)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode < 200 || res.StatusCode > 299 {
-		return nil, responseError(res)
-	}
-
-	var v struct {
-		Contact        []string
-		Agreement      string
-		Authorizations string
-		Certificates   string
-	}
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid response: %v", err)
-	}
-	var tos string
-	if v := linkHeader(res.Header, "terms-of-service"); len(v) > 0 {
-		tos = v[0]
-	}
-	var authz string
-	if v := linkHeader(res.Header, "next"); len(v) > 0 {
-		authz = v[0]
-	}
-	return &Account{
-		URI:            res.Header.Get("Location"),
-		Contact:        v.Contact,
-		AgreedTerms:    v.Agreement,
-		CurrentTerms:   tos,
-		Authz:          authz,
-		Authorizations: v.Authorizations,
-		Certificates:   v.Certificates,
-	}, nil
-}
-
-// retryPostJWS will retry calls to postJWS if there is a badNonce error,
-// clearing the stored nonces after each error.
-// If the response was 4XX-5XX, then responseError is called on the body,
-// the body is closed, and the error returned.
-func (c *Client) retryPostJWS(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, error) {
-	sleep := sleeper(ctx)
-	for {
-		res, err := c.postJWS(ctx, key, url, body)
-		if err != nil {
-			return nil, err
-		}
-		// handle errors 4XX-5XX with responseError
-		if res.StatusCode >= 400 && res.StatusCode <= 599 {
-			err := responseError(res)
-			res.Body.Close()
-			// according to spec badNonce is urn:ietf:params:acme:error:badNonce
-			// however, acme servers in the wild return their version of the error
-			// https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-5.4
-			if ae, ok := err.(*Error); ok && strings.HasSuffix(strings.ToLower(ae.ProblemType), ":badnonce") {
-				// clear any nonces that we might've stored that might now be
-				// considered bad
-				c.clearNonces()
-				retry := res.Header.Get("Retry-After")
-				if err := sleep(retry, 1); err != nil {
-					return nil, err
-				}
-				continue
-			}
-			return nil, err
-		}
-		return res, nil
-	}
-}
-
-// postJWS signs the body with the given key and POSTs it to the provided url.
-// The body argument must be JSON-serializable.
-func (c *Client) postJWS(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, error) {
-	nonce, err := c.popNonce(ctx, url)
-	if err != nil {
-		return nil, err
-	}
-	b, err := jwsEncodeJSON(body, key, nonce)
-	if err != nil {
-		return nil, err
-	}
-	res, err := c.post(ctx, url, "application/jose+json", bytes.NewReader(b))
-	if err != nil {
-		return nil, err
-	}
-	c.addNonce(res.Header)
-	return res, nil
-}
-
-// popNonce returns a nonce value previously stored with c.addNonce
-// or fetches a fresh one from the given URL.
-func (c *Client) popNonce(ctx context.Context, url string) (string, error) {
-	c.noncesMu.Lock()
-	defer c.noncesMu.Unlock()
-	if len(c.nonces) == 0 {
-		return c.fetchNonce(ctx, url)
-	}
-	var nonce string
-	for nonce = range c.nonces {
-		delete(c.nonces, nonce)
-		break
-	}
-	return nonce, nil
-}
-
-// clearNonces clears any stored nonces
-func (c *Client) clearNonces() {
-	c.noncesMu.Lock()
-	defer c.noncesMu.Unlock()
-	c.nonces = make(map[string]struct{})
-}
-
-// addNonce stores a nonce value found in h (if any) for future use.
-func (c *Client) addNonce(h http.Header) {
-	v := nonceFromHeader(h)
-	if v == "" {
-		return
-	}
-	c.noncesMu.Lock()
-	defer c.noncesMu.Unlock()
-	if len(c.nonces) >= maxNonces {
-		return
-	}
-	if c.nonces == nil {
-		c.nonces = make(map[string]struct{})
-	}
-	c.nonces[v] = struct{}{}
-}
-
-func (c *Client) httpClient() *http.Client {
-	if c.HTTPClient != nil {
-		return c.HTTPClient
-	}
-	return http.DefaultClient
-}
-
-func (c *Client) get(ctx context.Context, urlStr string) (*http.Response, error) {
-	req, err := http.NewRequest("GET", urlStr, nil)
-	if err != nil {
-		return nil, err
-	}
-	return c.do(ctx, req)
-}
-
-func (c *Client) head(ctx context.Context, urlStr string) (*http.Response, error) {
-	req, err := http.NewRequest("HEAD", urlStr, nil)
-	if err != nil {
-		return nil, err
-	}
-	return c.do(ctx, req)
-}
-
-func (c *Client) post(ctx context.Context, urlStr, contentType string, body io.Reader) (*http.Response, error) {
-	req, err := http.NewRequest("POST", urlStr, body)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Content-Type", contentType)
-	return c.do(ctx, req)
-}
-
-func (c *Client) do(ctx context.Context, req *http.Request) (*http.Response, error) {
-	res, err := c.httpClient().Do(req.WithContext(ctx))
-	if err != nil {
-		select {
-		case <-ctx.Done():
-			// Prefer the unadorned context error.
-			// (The acme package had tests assuming this, previously from ctxhttp's
-			// behavior, predating net/http supporting contexts natively)
-			// TODO(bradfitz): reconsider this in the future. But for now this
-			// requires no test updates.
-			return nil, ctx.Err()
-		default:
-			return nil, err
-		}
-	}
-	return res, nil
-}
-
-func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) {
-	resp, err := c.head(ctx, url)
-	if err != nil {
-		return "", err
-	}
-	defer resp.Body.Close()
-	nonce := nonceFromHeader(resp.Header)
-	if nonce == "" {
-		if resp.StatusCode > 299 {
-			return "", responseError(resp)
-		}
-		return "", errors.New("acme: nonce not found")
-	}
-	return nonce, nil
-}
-
-func nonceFromHeader(h http.Header) string {
-	return h.Get("Replay-Nonce")
-}
-
-func (c *Client) responseCert(ctx context.Context, res *http.Response, bundle bool) ([][]byte, error) {
-	b, err := ioutil.ReadAll(io.LimitReader(res.Body, maxCertSize+1))
-	if err != nil {
-		return nil, fmt.Errorf("acme: response stream: %v", err)
-	}
-	if len(b) > maxCertSize {
-		return nil, errors.New("acme: certificate is too big")
-	}
-	cert := [][]byte{b}
-	if !bundle {
-		return cert, nil
-	}
-
-	// Append CA chain cert(s).
-	// At least one is required according to the spec:
-	// https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-6.3.1
-	up := linkHeader(res.Header, "up")
-	if len(up) == 0 {
-		return nil, errors.New("acme: rel=up link not found")
-	}
-	if len(up) > maxChainLen {
-		return nil, errors.New("acme: rel=up link is too large")
-	}
-	for _, url := range up {
-		cc, err := c.chainCert(ctx, url, 0)
-		if err != nil {
-			return nil, err
-		}
-		cert = append(cert, cc...)
-	}
-	return cert, nil
-}
-
-// responseError creates an error of Error type from resp.
-func responseError(resp *http.Response) error {
-	// don't care if ReadAll returns an error:
-	// json.Unmarshal will fail in that case anyway
-	b, _ := ioutil.ReadAll(resp.Body)
-	e := &wireError{Status: resp.StatusCode}
-	if err := json.Unmarshal(b, e); err != nil {
-		// this is not a regular error response:
-		// populate detail with anything we received,
-		// e.Status will already contain HTTP response code value
-		e.Detail = string(b)
-		if e.Detail == "" {
-			e.Detail = resp.Status
-		}
-	}
-	return e.error(resp.Header)
-}
-
-// chainCert fetches CA certificate chain recursively by following "up" links.
-// Each recursive call increments the depth by 1, resulting in an error
-// if the recursion level reaches maxChainLen.
-//
-// First chainCert call starts with depth of 0.
-func (c *Client) chainCert(ctx context.Context, url string, depth int) ([][]byte, error) {
-	if depth >= maxChainLen {
-		return nil, errors.New("acme: certificate chain is too deep")
-	}
-
-	res, err := c.get(ctx, url)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		return nil, responseError(res)
-	}
-	b, err := ioutil.ReadAll(io.LimitReader(res.Body, maxCertSize+1))
-	if err != nil {
-		return nil, err
-	}
-	if len(b) > maxCertSize {
-		return nil, errors.New("acme: certificate is too big")
-	}
-	chain := [][]byte{b}
-
-	uplink := linkHeader(res.Header, "up")
-	if len(uplink) > maxChainLen {
-		return nil, errors.New("acme: certificate chain is too large")
-	}
-	for _, up := range uplink {
-		cc, err := c.chainCert(ctx, up, depth+1)
-		if err != nil {
-			return nil, err
-		}
-		chain = append(chain, cc...)
-	}
-
-	return chain, nil
-}
-
-// linkHeader returns URI-Reference values of all Link headers
-// with relation-type rel.
-// See https://tools.ietf.org/html/rfc5988#section-5 for details.
-func linkHeader(h http.Header, rel string) []string {
-	var links []string
-	for _, v := range h["Link"] {
-		parts := strings.Split(v, ";")
-		for _, p := range parts {
-			p = strings.TrimSpace(p)
-			if !strings.HasPrefix(p, "rel=") {
-				continue
-			}
-			if v := strings.Trim(p[4:], `"`); v == rel {
-				links = append(links, strings.Trim(parts[0], "<>"))
-			}
-		}
-	}
-	return links
-}
-
-// sleeper returns a function that accepts the Retry-After HTTP header value
-// and an increment that's used with backoff to increasingly sleep on
-// consecutive calls until the context is done. If the Retry-After header
-// cannot be parsed, then backoff is used with a maximum sleep time of 10
-// seconds.
-func sleeper(ctx context.Context) func(ra string, inc int) error {
-	var count int
-	return func(ra string, inc int) error {
-		count += inc
-		d := backoff(count, 10*time.Second)
-		d = retryAfter(ra, d)
-		wakeup := time.NewTimer(d)
-		defer wakeup.Stop()
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case <-wakeup.C:
-			return nil
-		}
-	}
-}
-
-// retryAfter parses a Retry-After HTTP header value,
-// trying to convert v into an int (seconds) or use http.ParseTime otherwise.
-// It returns d if v cannot be parsed.
-func retryAfter(v string, d time.Duration) time.Duration {
-	if i, err := strconv.Atoi(v); err == nil {
-		return time.Duration(i) * time.Second
-	}
-	t, err := http.ParseTime(v)
-	if err != nil {
-		return d
-	}
-	return t.Sub(timeNow())
-}
-
-// backoff computes a duration after which an n+1 retry iteration should occur
-// using truncated exponential backoff algorithm.
-//
-// The n argument is always bounded between 0 and 30.
-// The max argument defines upper bound for the returned value.
-func backoff(n int, max time.Duration) time.Duration {
-	if n < 0 {
-		n = 0
-	}
-	if n > 30 {
-		n = 30
-	}
-	var d time.Duration
-	if x, err := rand.Int(rand.Reader, big.NewInt(1000)); err == nil {
-		d = time.Duration(x.Int64()) * time.Millisecond
-	}
-	d += time.Duration(1<<uint(n)) * time.Second
-	if d > max {
-		return max
-	}
-	return d
-}
-
-// keyAuth generates a key authorization string for a given token.
-func keyAuth(pub crypto.PublicKey, token string) (string, error) {
-	th, err := JWKThumbprint(pub)
-	if err != nil {
-		return "", err
-	}
-	return fmt.Sprintf("%s.%s", token, th), nil
-}
-
-// tlsChallengeCert creates a temporary certificate for TLS-SNI challenges
-// with the given SANs and auto-generated public/private key pair.
-// The Subject Common Name is set to the first SAN to aid debugging.
-// To create a cert with a custom key pair, specify WithKey option.
-func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) {
-	var (
-		key  crypto.Signer
-		tmpl *x509.Certificate
-	)
-	for _, o := range opt {
-		switch o := o.(type) {
-		case *certOptKey:
-			if key != nil {
-				return tls.Certificate{}, errors.New("acme: duplicate key option")
-			}
-			key = o.key
-		case *certOptTemplate:
-			var t = *(*x509.Certificate)(o) // shallow copy is ok
-			tmpl = &t
-		default:
-			// package's fault, if we let this happen:
-			panic(fmt.Sprintf("unsupported option type %T", o))
-		}
-	}
-	if key == nil {
-		var err error
-		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
-			return tls.Certificate{}, err
-		}
-	}
-	if tmpl == nil {
-		tmpl = &x509.Certificate{
-			SerialNumber:          big.NewInt(1),
-			NotBefore:             time.Now(),
-			NotAfter:              time.Now().Add(24 * time.Hour),
-			BasicConstraintsValid: true,
-			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		}
-	}
-	tmpl.DNSNames = san
-	if len(san) > 0 {
-		tmpl.Subject.CommonName = san[0]
-	}
-
-	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	return tls.Certificate{
-		Certificate: [][]byte{der},
-		PrivateKey:  key,
-	}, nil
-}
-
-// encodePEM returns b encoded as PEM with block of type typ.
-func encodePEM(typ string, b []byte) []byte {
-	pb := &pem.Block{Type: typ, Bytes: b}
-	return pem.EncodeToMemory(pb)
-}
-
-// timeNow is useful for testing for fixed current time.
-var timeNow = time.Now
diff --git a/vendor/golang.org/x/crypto/acme/acme_test.go b/vendor/golang.org/x/crypto/acme/acme_test.go
deleted file mode 100644
index 89f2efaa..00000000
--- a/vendor/golang.org/x/crypto/acme/acme_test.go
+++ /dev/null
@@ -1,1352 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"bytes"
-	"context"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"math/big"
-	"net/http"
-	"net/http/httptest"
-	"reflect"
-	"sort"
-	"strings"
-	"testing"
-	"time"
-)
-
-// Decodes a JWS-encoded request and unmarshals the decoded JSON into a provided
-// interface.
-func decodeJWSRequest(t *testing.T, v interface{}, r *http.Request) {
-	// Decode request
-	var req struct{ Payload string }
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		t.Fatal(err)
-	}
-	payload, err := base64.RawURLEncoding.DecodeString(req.Payload)
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = json.Unmarshal(payload, v)
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
-type jwsHead struct {
-	Alg   string
-	Nonce string
-	JWK   map[string]string `json:"jwk"`
-}
-
-func decodeJWSHead(r *http.Request) (*jwsHead, error) {
-	var req struct{ Protected string }
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		return nil, err
-	}
-	b, err := base64.RawURLEncoding.DecodeString(req.Protected)
-	if err != nil {
-		return nil, err
-	}
-	var head jwsHead
-	if err := json.Unmarshal(b, &head); err != nil {
-		return nil, err
-	}
-	return &head, nil
-}
-
-func TestDiscover(t *testing.T) {
-	const (
-		reg    = "https://example.com/acme/new-reg"
-		authz  = "https://example.com/acme/new-authz"
-		cert   = "https://example.com/acme/new-cert"
-		revoke = "https://example.com/acme/revoke-cert"
-	)
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "application/json")
-		fmt.Fprintf(w, `{
-			"new-reg": %q,
-			"new-authz": %q,
-			"new-cert": %q,
-			"revoke-cert": %q
-		}`, reg, authz, cert, revoke)
-	}))
-	defer ts.Close()
-	c := Client{DirectoryURL: ts.URL}
-	dir, err := c.Discover(context.Background())
-	if err != nil {
-		t.Fatal(err)
-	}
-	if dir.RegURL != reg {
-		t.Errorf("dir.RegURL = %q; want %q", dir.RegURL, reg)
-	}
-	if dir.AuthzURL != authz {
-		t.Errorf("dir.AuthzURL = %q; want %q", dir.AuthzURL, authz)
-	}
-	if dir.CertURL != cert {
-		t.Errorf("dir.CertURL = %q; want %q", dir.CertURL, cert)
-	}
-	if dir.RevokeURL != revoke {
-		t.Errorf("dir.RevokeURL = %q; want %q", dir.RevokeURL, revoke)
-	}
-}
-
-func TestRegister(t *testing.T) {
-	contacts := []string{"mailto:admin@example.com"}
-
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "test-nonce")
-			return
-		}
-		if r.Method != "POST" {
-			t.Errorf("r.Method = %q; want POST", r.Method)
-		}
-
-		var j struct {
-			Resource  string
-			Contact   []string
-			Agreement string
-		}
-		decodeJWSRequest(t, &j, r)
-
-		// Test request
-		if j.Resource != "new-reg" {
-			t.Errorf("j.Resource = %q; want new-reg", j.Resource)
-		}
-		if !reflect.DeepEqual(j.Contact, contacts) {
-			t.Errorf("j.Contact = %v; want %v", j.Contact, contacts)
-		}
-
-		w.Header().Set("Location", "https://ca.tld/acme/reg/1")
-		w.Header().Set("Link", `<https://ca.tld/acme/new-authz>;rel="next"`)
-		w.Header().Add("Link", `<https://ca.tld/acme/recover-reg>;rel="recover"`)
-		w.Header().Add("Link", `<https://ca.tld/acme/terms>;rel="terms-of-service"`)
-		w.WriteHeader(http.StatusCreated)
-		b, _ := json.Marshal(contacts)
-		fmt.Fprintf(w, `{"contact": %s}`, b)
-	}))
-	defer ts.Close()
-
-	prompt := func(url string) bool {
-		const terms = "https://ca.tld/acme/terms"
-		if url != terms {
-			t.Errorf("prompt url = %q; want %q", url, terms)
-		}
-		return false
-	}
-
-	c := Client{Key: testKeyEC, dir: &Directory{RegURL: ts.URL}}
-	a := &Account{Contact: contacts}
-	var err error
-	if a, err = c.Register(context.Background(), a, prompt); err != nil {
-		t.Fatal(err)
-	}
-	if a.URI != "https://ca.tld/acme/reg/1" {
-		t.Errorf("a.URI = %q; want https://ca.tld/acme/reg/1", a.URI)
-	}
-	if a.Authz != "https://ca.tld/acme/new-authz" {
-		t.Errorf("a.Authz = %q; want https://ca.tld/acme/new-authz", a.Authz)
-	}
-	if a.CurrentTerms != "https://ca.tld/acme/terms" {
-		t.Errorf("a.CurrentTerms = %q; want https://ca.tld/acme/terms", a.CurrentTerms)
-	}
-	if !reflect.DeepEqual(a.Contact, contacts) {
-		t.Errorf("a.Contact = %v; want %v", a.Contact, contacts)
-	}
-}
-
-func TestUpdateReg(t *testing.T) {
-	const terms = "https://ca.tld/acme/terms"
-	contacts := []string{"mailto:admin@example.com"}
-
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "test-nonce")
-			return
-		}
-		if r.Method != "POST" {
-			t.Errorf("r.Method = %q; want POST", r.Method)
-		}
-
-		var j struct {
-			Resource  string
-			Contact   []string
-			Agreement string
-		}
-		decodeJWSRequest(t, &j, r)
-
-		// Test request
-		if j.Resource != "reg" {
-			t.Errorf("j.Resource = %q; want reg", j.Resource)
-		}
-		if j.Agreement != terms {
-			t.Errorf("j.Agreement = %q; want %q", j.Agreement, terms)
-		}
-		if !reflect.DeepEqual(j.Contact, contacts) {
-			t.Errorf("j.Contact = %v; want %v", j.Contact, contacts)
-		}
-
-		w.Header().Set("Link", `<https://ca.tld/acme/new-authz>;rel="next"`)
-		w.Header().Add("Link", `<https://ca.tld/acme/recover-reg>;rel="recover"`)
-		w.Header().Add("Link", fmt.Sprintf(`<%s>;rel="terms-of-service"`, terms))
-		w.WriteHeader(http.StatusOK)
-		b, _ := json.Marshal(contacts)
-		fmt.Fprintf(w, `{"contact":%s, "agreement":%q}`, b, terms)
-	}))
-	defer ts.Close()
-
-	c := Client{Key: testKeyEC}
-	a := &Account{URI: ts.URL, Contact: contacts, AgreedTerms: terms}
-	var err error
-	if a, err = c.UpdateReg(context.Background(), a); err != nil {
-		t.Fatal(err)
-	}
-	if a.Authz != "https://ca.tld/acme/new-authz" {
-		t.Errorf("a.Authz = %q; want https://ca.tld/acme/new-authz", a.Authz)
-	}
-	if a.AgreedTerms != terms {
-		t.Errorf("a.AgreedTerms = %q; want %q", a.AgreedTerms, terms)
-	}
-	if a.CurrentTerms != terms {
-		t.Errorf("a.CurrentTerms = %q; want %q", a.CurrentTerms, terms)
-	}
-	if a.URI != ts.URL {
-		t.Errorf("a.URI = %q; want %q", a.URI, ts.URL)
-	}
-}
-
-func TestGetReg(t *testing.T) {
-	const terms = "https://ca.tld/acme/terms"
-	const newTerms = "https://ca.tld/acme/new-terms"
-	contacts := []string{"mailto:admin@example.com"}
-
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "test-nonce")
-			return
-		}
-		if r.Method != "POST" {
-			t.Errorf("r.Method = %q; want POST", r.Method)
-		}
-
-		var j struct {
-			Resource  string
-			Contact   []string
-			Agreement string
-		}
-		decodeJWSRequest(t, &j, r)
-
-		// Test request
-		if j.Resource != "reg" {
-			t.Errorf("j.Resource = %q; want reg", j.Resource)
-		}
-		if len(j.Contact) != 0 {
-			t.Errorf("j.Contact = %v", j.Contact)
-		}
-		if j.Agreement != "" {
-			t.Errorf("j.Agreement = %q", j.Agreement)
-		}
-
-		w.Header().Set("Link", `<https://ca.tld/acme/new-authz>;rel="next"`)
-		w.Header().Add("Link", `<https://ca.tld/acme/recover-reg>;rel="recover"`)
-		w.Header().Add("Link", fmt.Sprintf(`<%s>;rel="terms-of-service"`, newTerms))
-		w.WriteHeader(http.StatusOK)
-		b, _ := json.Marshal(contacts)
-		fmt.Fprintf(w, `{"contact":%s, "agreement":%q}`, b, terms)
-	}))
-	defer ts.Close()
-
-	c := Client{Key: testKeyEC}
-	a, err := c.GetReg(context.Background(), ts.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if a.Authz != "https://ca.tld/acme/new-authz" {
-		t.Errorf("a.AuthzURL = %q; want https://ca.tld/acme/new-authz", a.Authz)
-	}
-	if a.AgreedTerms != terms {
-		t.Errorf("a.AgreedTerms = %q; want %q", a.AgreedTerms, terms)
-	}
-	if a.CurrentTerms != newTerms {
-		t.Errorf("a.CurrentTerms = %q; want %q", a.CurrentTerms, newTerms)
-	}
-	if a.URI != ts.URL {
-		t.Errorf("a.URI = %q; want %q", a.URI, ts.URL)
-	}
-}
-
-func TestAuthorize(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "test-nonce")
-			return
-		}
-		if r.Method != "POST" {
-			t.Errorf("r.Method = %q; want POST", r.Method)
-		}
-
-		var j struct {
-			Resource   string
-			Identifier struct {
-				Type  string
-				Value string
-			}
-		}
-		decodeJWSRequest(t, &j, r)
-
-		// Test request
-		if j.Resource != "new-authz" {
-			t.Errorf("j.Resource = %q; want new-authz", j.Resource)
-		}
-		if j.Identifier.Type != "dns" {
-			t.Errorf("j.Identifier.Type = %q; want dns", j.Identifier.Type)
-		}
-		if j.Identifier.Value != "example.com" {
-			t.Errorf("j.Identifier.Value = %q; want example.com", j.Identifier.Value)
-		}
-
-		w.Header().Set("Location", "https://ca.tld/acme/auth/1")
-		w.WriteHeader(http.StatusCreated)
-		fmt.Fprintf(w, `{
-			"identifier": {"type":"dns","value":"example.com"},
-			"status":"pending",
-			"challenges":[
-				{
-					"type":"http-01",
-					"status":"pending",
-					"uri":"https://ca.tld/acme/challenge/publickey/id1",
-					"token":"token1"
-				},
-				{
-					"type":"tls-sni-01",
-					"status":"pending",
-					"uri":"https://ca.tld/acme/challenge/publickey/id2",
-					"token":"token2"
-				}
-			],
-			"combinations":[[0],[1]]}`)
-	}))
-	defer ts.Close()
-
-	cl := Client{Key: testKeyEC, dir: &Directory{AuthzURL: ts.URL}}
-	auth, err := cl.Authorize(context.Background(), "example.com")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if auth.URI != "https://ca.tld/acme/auth/1" {
-		t.Errorf("URI = %q; want https://ca.tld/acme/auth/1", auth.URI)
-	}
-	if auth.Status != "pending" {
-		t.Errorf("Status = %q; want pending", auth.Status)
-	}
-	if auth.Identifier.Type != "dns" {
-		t.Errorf("Identifier.Type = %q; want dns", auth.Identifier.Type)
-	}
-	if auth.Identifier.Value != "example.com" {
-		t.Errorf("Identifier.Value = %q; want example.com", auth.Identifier.Value)
-	}
-
-	if n := len(auth.Challenges); n != 2 {
-		t.Fatalf("len(auth.Challenges) = %d; want 2", n)
-	}
-
-	c := auth.Challenges[0]
-	if c.Type != "http-01" {
-		t.Errorf("c.Type = %q; want http-01", c.Type)
-	}
-	if c.URI != "https://ca.tld/acme/challenge/publickey/id1" {
-		t.Errorf("c.URI = %q; want https://ca.tld/acme/challenge/publickey/id1", c.URI)
-	}
-	if c.Token != "token1" {
-		t.Errorf("c.Token = %q; want token1", c.Token)
-	}
-
-	c = auth.Challenges[1]
-	if c.Type != "tls-sni-01" {
-		t.Errorf("c.Type = %q; want tls-sni-01", c.Type)
-	}
-	if c.URI != "https://ca.tld/acme/challenge/publickey/id2" {
-		t.Errorf("c.URI = %q; want https://ca.tld/acme/challenge/publickey/id2", c.URI)
-	}
-	if c.Token != "token2" {
-		t.Errorf("c.Token = %q; want token2", c.Token)
-	}
-
-	combs := [][]int{{0}, {1}}
-	if !reflect.DeepEqual(auth.Combinations, combs) {
-		t.Errorf("auth.Combinations: %+v\nwant: %+v\n", auth.Combinations, combs)
-	}
-}
-
-func TestAuthorizeValid(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "nonce")
-			return
-		}
-		w.WriteHeader(http.StatusCreated)
-		w.Write([]byte(`{"status":"valid"}`))
-	}))
-	defer ts.Close()
-	client := Client{Key: testKey, dir: &Directory{AuthzURL: ts.URL}}
-	_, err := client.Authorize(context.Background(), "example.com")
-	if err != nil {
-		t.Errorf("err = %v", err)
-	}
-}
-
-func TestGetAuthorization(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != "GET" {
-			t.Errorf("r.Method = %q; want GET", r.Method)
-		}
-
-		w.WriteHeader(http.StatusOK)
-		fmt.Fprintf(w, `{
-			"identifier": {"type":"dns","value":"example.com"},
-			"status":"pending",
-			"challenges":[
-				{
-					"type":"http-01",
-					"status":"pending",
-					"uri":"https://ca.tld/acme/challenge/publickey/id1",
-					"token":"token1"
-				},
-				{
-					"type":"tls-sni-01",
-					"status":"pending",
-					"uri":"https://ca.tld/acme/challenge/publickey/id2",
-					"token":"token2"
-				}
-			],
-			"combinations":[[0],[1]]}`)
-	}))
-	defer ts.Close()
-
-	cl := Client{Key: testKeyEC}
-	auth, err := cl.GetAuthorization(context.Background(), ts.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if auth.Status != "pending" {
-		t.Errorf("Status = %q; want pending", auth.Status)
-	}
-	if auth.Identifier.Type != "dns" {
-		t.Errorf("Identifier.Type = %q; want dns", auth.Identifier.Type)
-	}
-	if auth.Identifier.Value != "example.com" {
-		t.Errorf("Identifier.Value = %q; want example.com", auth.Identifier.Value)
-	}
-
-	if n := len(auth.Challenges); n != 2 {
-		t.Fatalf("len(set.Challenges) = %d; want 2", n)
-	}
-
-	c := auth.Challenges[0]
-	if c.Type != "http-01" {
-		t.Errorf("c.Type = %q; want http-01", c.Type)
-	}
-	if c.URI != "https://ca.tld/acme/challenge/publickey/id1" {
-		t.Errorf("c.URI = %q; want https://ca.tld/acme/challenge/publickey/id1", c.URI)
-	}
-	if c.Token != "token1" {
-		t.Errorf("c.Token = %q; want token1", c.Token)
-	}
-
-	c = auth.Challenges[1]
-	if c.Type != "tls-sni-01" {
-		t.Errorf("c.Type = %q; want tls-sni-01", c.Type)
-	}
-	if c.URI != "https://ca.tld/acme/challenge/publickey/id2" {
-		t.Errorf("c.URI = %q; want https://ca.tld/acme/challenge/publickey/id2", c.URI)
-	}
-	if c.Token != "token2" {
-		t.Errorf("c.Token = %q; want token2", c.Token)
-	}
-
-	combs := [][]int{{0}, {1}}
-	if !reflect.DeepEqual(auth.Combinations, combs) {
-		t.Errorf("auth.Combinations: %+v\nwant: %+v\n", auth.Combinations, combs)
-	}
-}
-
-func TestWaitAuthorization(t *testing.T) {
-	var count int
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		count++
-		w.Header().Set("Retry-After", "0")
-		if count > 1 {
-			fmt.Fprintf(w, `{"status":"valid"}`)
-			return
-		}
-		fmt.Fprintf(w, `{"status":"pending"}`)
-	}))
-	defer ts.Close()
-
-	type res struct {
-		authz *Authorization
-		err   error
-	}
-	done := make(chan res)
-	defer close(done)
-	go func() {
-		var client Client
-		a, err := client.WaitAuthorization(context.Background(), ts.URL)
-		done <- res{a, err}
-	}()
-
-	select {
-	case <-time.After(5 * time.Second):
-		t.Fatal("WaitAuthz took too long to return")
-	case res := <-done:
-		if res.err != nil {
-			t.Fatalf("res.err =  %v", res.err)
-		}
-		if res.authz == nil {
-			t.Fatal("res.authz is nil")
-		}
-	}
-}
-
-func TestWaitAuthorizationInvalid(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, `{"status":"invalid"}`)
-	}))
-	defer ts.Close()
-
-	res := make(chan error)
-	defer close(res)
-	go func() {
-		var client Client
-		_, err := client.WaitAuthorization(context.Background(), ts.URL)
-		res <- err
-	}()
-
-	select {
-	case <-time.After(3 * time.Second):
-		t.Fatal("WaitAuthz took too long to return")
-	case err := <-res:
-		if err == nil {
-			t.Error("err is nil")
-		}
-		if _, ok := err.(*AuthorizationError); !ok {
-			t.Errorf("err is %T; want *AuthorizationError", err)
-		}
-	}
-}
-
-func TestWaitAuthorizationCancel(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Retry-After", "60")
-		fmt.Fprintf(w, `{"status":"pending"}`)
-	}))
-	defer ts.Close()
-
-	res := make(chan error)
-	defer close(res)
-	go func() {
-		var client Client
-		ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
-		defer cancel()
-		_, err := client.WaitAuthorization(ctx, ts.URL)
-		res <- err
-	}()
-
-	select {
-	case <-time.After(time.Second):
-		t.Fatal("WaitAuthz took too long to return")
-	case err := <-res:
-		if err == nil {
-			t.Error("err is nil")
-		}
-	}
-}
-
-func TestRevokeAuthorization(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "nonce")
-			return
-		}
-		switch r.URL.Path {
-		case "/1":
-			var req struct {
-				Resource string
-				Status   string
-				Delete   bool
-			}
-			decodeJWSRequest(t, &req, r)
-			if req.Resource != "authz" {
-				t.Errorf("req.Resource = %q; want authz", req.Resource)
-			}
-			if req.Status != "deactivated" {
-				t.Errorf("req.Status = %q; want deactivated", req.Status)
-			}
-			if !req.Delete {
-				t.Errorf("req.Delete is false")
-			}
-		case "/2":
-			w.WriteHeader(http.StatusInternalServerError)
-		}
-	}))
-	defer ts.Close()
-	client := &Client{Key: testKey}
-	ctx := context.Background()
-	if err := client.RevokeAuthorization(ctx, ts.URL+"/1"); err != nil {
-		t.Errorf("err = %v", err)
-	}
-	if client.RevokeAuthorization(ctx, ts.URL+"/2") == nil {
-		t.Error("nil error")
-	}
-}
-
-func TestPollChallenge(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != "GET" {
-			t.Errorf("r.Method = %q; want GET", r.Method)
-		}
-
-		w.WriteHeader(http.StatusOK)
-		fmt.Fprintf(w, `{
-			"type":"http-01",
-			"status":"pending",
-			"uri":"https://ca.tld/acme/challenge/publickey/id1",
-			"token":"token1"}`)
-	}))
-	defer ts.Close()
-
-	cl := Client{Key: testKeyEC}
-	chall, err := cl.GetChallenge(context.Background(), ts.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if chall.Status != "pending" {
-		t.Errorf("Status = %q; want pending", chall.Status)
-	}
-	if chall.Type != "http-01" {
-		t.Errorf("c.Type = %q; want http-01", chall.Type)
-	}
-	if chall.URI != "https://ca.tld/acme/challenge/publickey/id1" {
-		t.Errorf("c.URI = %q; want https://ca.tld/acme/challenge/publickey/id1", chall.URI)
-	}
-	if chall.Token != "token1" {
-		t.Errorf("c.Token = %q; want token1", chall.Token)
-	}
-}
-
-func TestAcceptChallenge(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "test-nonce")
-			return
-		}
-		if r.Method != "POST" {
-			t.Errorf("r.Method = %q; want POST", r.Method)
-		}
-
-		var j struct {
-			Resource string
-			Type     string
-			Auth     string `json:"keyAuthorization"`
-		}
-		decodeJWSRequest(t, &j, r)
-
-		// Test request
-		if j.Resource != "challenge" {
-			t.Errorf(`resource = %q; want "challenge"`, j.Resource)
-		}
-		if j.Type != "http-01" {
-			t.Errorf(`type = %q; want "http-01"`, j.Type)
-		}
-		keyAuth := "token1." + testKeyECThumbprint
-		if j.Auth != keyAuth {
-			t.Errorf(`keyAuthorization = %q; want %q`, j.Auth, keyAuth)
-		}
-
-		// Respond to request
-		w.WriteHeader(http.StatusAccepted)
-		fmt.Fprintf(w, `{
-			"type":"http-01",
-			"status":"pending",
-			"uri":"https://ca.tld/acme/challenge/publickey/id1",
-			"token":"token1",
-			"keyAuthorization":%q
-		}`, keyAuth)
-	}))
-	defer ts.Close()
-
-	cl := Client{Key: testKeyEC}
-	c, err := cl.Accept(context.Background(), &Challenge{
-		URI:   ts.URL,
-		Token: "token1",
-		Type:  "http-01",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if c.Type != "http-01" {
-		t.Errorf("c.Type = %q; want http-01", c.Type)
-	}
-	if c.URI != "https://ca.tld/acme/challenge/publickey/id1" {
-		t.Errorf("c.URI = %q; want https://ca.tld/acme/challenge/publickey/id1", c.URI)
-	}
-	if c.Token != "token1" {
-		t.Errorf("c.Token = %q; want token1", c.Token)
-	}
-}
-
-func TestNewCert(t *testing.T) {
-	notBefore := time.Now()
-	notAfter := notBefore.AddDate(0, 2, 0)
-	timeNow = func() time.Time { return notBefore }
-
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "test-nonce")
-			return
-		}
-		if r.Method != "POST" {
-			t.Errorf("r.Method = %q; want POST", r.Method)
-		}
-
-		var j struct {
-			Resource  string `json:"resource"`
-			CSR       string `json:"csr"`
-			NotBefore string `json:"notBefore,omitempty"`
-			NotAfter  string `json:"notAfter,omitempty"`
-		}
-		decodeJWSRequest(t, &j, r)
-
-		// Test request
-		if j.Resource != "new-cert" {
-			t.Errorf(`resource = %q; want "new-cert"`, j.Resource)
-		}
-		if j.NotBefore != notBefore.Format(time.RFC3339) {
-			t.Errorf(`notBefore = %q; wanted %q`, j.NotBefore, notBefore.Format(time.RFC3339))
-		}
-		if j.NotAfter != notAfter.Format(time.RFC3339) {
-			t.Errorf(`notAfter = %q; wanted %q`, j.NotAfter, notAfter.Format(time.RFC3339))
-		}
-
-		// Respond to request
-		template := x509.Certificate{
-			SerialNumber: big.NewInt(int64(1)),
-			Subject: pkix.Name{
-				Organization: []string{"goacme"},
-			},
-			NotBefore: notBefore,
-			NotAfter:  notAfter,
-
-			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-			BasicConstraintsValid: true,
-		}
-
-		sampleCert, err := x509.CreateCertificate(rand.Reader, &template, &template, &testKeyEC.PublicKey, testKeyEC)
-		if err != nil {
-			t.Fatalf("Error creating certificate: %v", err)
-		}
-
-		w.Header().Set("Location", "https://ca.tld/acme/cert/1")
-		w.WriteHeader(http.StatusCreated)
-		w.Write(sampleCert)
-	}))
-	defer ts.Close()
-
-	csr := x509.CertificateRequest{
-		Version: 0,
-		Subject: pkix.Name{
-			CommonName:   "example.com",
-			Organization: []string{"goacme"},
-		},
-	}
-	csrb, err := x509.CreateCertificateRequest(rand.Reader, &csr, testKeyEC)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	c := Client{Key: testKeyEC, dir: &Directory{CertURL: ts.URL}}
-	cert, certURL, err := c.CreateCert(context.Background(), csrb, notAfter.Sub(notBefore), false)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if cert == nil {
-		t.Errorf("cert is nil")
-	}
-	if certURL != "https://ca.tld/acme/cert/1" {
-		t.Errorf("certURL = %q; want https://ca.tld/acme/cert/1", certURL)
-	}
-}
-
-func TestFetchCert(t *testing.T) {
-	var count byte
-	var ts *httptest.Server
-	ts = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		count++
-		if count < 3 {
-			up := fmt.Sprintf("<%s>;rel=up", ts.URL)
-			w.Header().Set("Link", up)
-		}
-		w.Write([]byte{count})
-	}))
-	defer ts.Close()
-	res, err := (&Client{}).FetchCert(context.Background(), ts.URL, true)
-	if err != nil {
-		t.Fatalf("FetchCert: %v", err)
-	}
-	cert := [][]byte{{1}, {2}, {3}}
-	if !reflect.DeepEqual(res, cert) {
-		t.Errorf("res = %v; want %v", res, cert)
-	}
-}
-
-func TestFetchCertRetry(t *testing.T) {
-	var count int
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if count < 1 {
-			w.Header().Set("Retry-After", "0")
-			w.WriteHeader(http.StatusAccepted)
-			count++
-			return
-		}
-		w.Write([]byte{1})
-	}))
-	defer ts.Close()
-	res, err := (&Client{}).FetchCert(context.Background(), ts.URL, false)
-	if err != nil {
-		t.Fatalf("FetchCert: %v", err)
-	}
-	cert := [][]byte{{1}}
-	if !reflect.DeepEqual(res, cert) {
-		t.Errorf("res = %v; want %v", res, cert)
-	}
-}
-
-func TestFetchCertCancel(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Retry-After", "0")
-		w.WriteHeader(http.StatusAccepted)
-	}))
-	defer ts.Close()
-	ctx, cancel := context.WithCancel(context.Background())
-	done := make(chan struct{})
-	var err error
-	go func() {
-		_, err = (&Client{}).FetchCert(ctx, ts.URL, false)
-		close(done)
-	}()
-	cancel()
-	<-done
-	if err != context.Canceled {
-		t.Errorf("err = %v; want %v", err, context.Canceled)
-	}
-}
-
-func TestFetchCertDepth(t *testing.T) {
-	var count byte
-	var ts *httptest.Server
-	ts = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		count++
-		if count > maxChainLen+1 {
-			t.Errorf("count = %d; want at most %d", count, maxChainLen+1)
-			w.WriteHeader(http.StatusInternalServerError)
-		}
-		w.Header().Set("Link", fmt.Sprintf("<%s>;rel=up", ts.URL))
-		w.Write([]byte{count})
-	}))
-	defer ts.Close()
-	_, err := (&Client{}).FetchCert(context.Background(), ts.URL, true)
-	if err == nil {
-		t.Errorf("err is nil")
-	}
-}
-
-func TestFetchCertBreadth(t *testing.T) {
-	var ts *httptest.Server
-	ts = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		for i := 0; i < maxChainLen+1; i++ {
-			w.Header().Add("Link", fmt.Sprintf("<%s>;rel=up", ts.URL))
-		}
-		w.Write([]byte{1})
-	}))
-	defer ts.Close()
-	_, err := (&Client{}).FetchCert(context.Background(), ts.URL, true)
-	if err == nil {
-		t.Errorf("err is nil")
-	}
-}
-
-func TestFetchCertSize(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		b := bytes.Repeat([]byte{1}, maxCertSize+1)
-		w.Write(b)
-	}))
-	defer ts.Close()
-	_, err := (&Client{}).FetchCert(context.Background(), ts.URL, false)
-	if err == nil {
-		t.Errorf("err is nil")
-	}
-}
-
-func TestRevokeCert(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "nonce")
-			return
-		}
-
-		var req struct {
-			Resource    string
-			Certificate string
-			Reason      int
-		}
-		decodeJWSRequest(t, &req, r)
-		if req.Resource != "revoke-cert" {
-			t.Errorf("req.Resource = %q; want revoke-cert", req.Resource)
-		}
-		if req.Reason != 1 {
-			t.Errorf("req.Reason = %d; want 1", req.Reason)
-		}
-		// echo -n cert | base64 | tr -d '=' | tr '/+' '_-'
-		cert := "Y2VydA"
-		if req.Certificate != cert {
-			t.Errorf("req.Certificate = %q; want %q", req.Certificate, cert)
-		}
-	}))
-	defer ts.Close()
-	client := &Client{
-		Key: testKeyEC,
-		dir: &Directory{RevokeURL: ts.URL},
-	}
-	ctx := context.Background()
-	if err := client.RevokeCert(ctx, nil, []byte("cert"), CRLReasonKeyCompromise); err != nil {
-		t.Fatal(err)
-	}
-}
-
-func TestNonce_add(t *testing.T) {
-	var c Client
-	c.addNonce(http.Header{"Replay-Nonce": {"nonce"}})
-	c.addNonce(http.Header{"Replay-Nonce": {}})
-	c.addNonce(http.Header{"Replay-Nonce": {"nonce"}})
-
-	nonces := map[string]struct{}{"nonce": {}}
-	if !reflect.DeepEqual(c.nonces, nonces) {
-		t.Errorf("c.nonces = %q; want %q", c.nonces, nonces)
-	}
-}
-
-func TestNonce_addMax(t *testing.T) {
-	c := &Client{nonces: make(map[string]struct{})}
-	for i := 0; i < maxNonces; i++ {
-		c.nonces[fmt.Sprintf("%d", i)] = struct{}{}
-	}
-	c.addNonce(http.Header{"Replay-Nonce": {"nonce"}})
-	if n := len(c.nonces); n != maxNonces {
-		t.Errorf("len(c.nonces) = %d; want %d", n, maxNonces)
-	}
-}
-
-func TestNonce_fetch(t *testing.T) {
-	tests := []struct {
-		code  int
-		nonce string
-	}{
-		{http.StatusOK, "nonce1"},
-		{http.StatusBadRequest, "nonce2"},
-		{http.StatusOK, ""},
-	}
-	var i int
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != "HEAD" {
-			t.Errorf("%d: r.Method = %q; want HEAD", i, r.Method)
-		}
-		w.Header().Set("Replay-Nonce", tests[i].nonce)
-		w.WriteHeader(tests[i].code)
-	}))
-	defer ts.Close()
-	for ; i < len(tests); i++ {
-		test := tests[i]
-		c := &Client{}
-		n, err := c.fetchNonce(context.Background(), ts.URL)
-		if n != test.nonce {
-			t.Errorf("%d: n=%q; want %q", i, n, test.nonce)
-		}
-		switch {
-		case err == nil && test.nonce == "":
-			t.Errorf("%d: n=%q, err=%v; want non-nil error", i, n, err)
-		case err != nil && test.nonce != "":
-			t.Errorf("%d: n=%q, err=%v; want %q", i, n, err, test.nonce)
-		}
-	}
-}
-
-func TestNonce_fetchError(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusTooManyRequests)
-	}))
-	defer ts.Close()
-	c := &Client{}
-	_, err := c.fetchNonce(context.Background(), ts.URL)
-	e, ok := err.(*Error)
-	if !ok {
-		t.Fatalf("err is %T; want *Error", err)
-	}
-	if e.StatusCode != http.StatusTooManyRequests {
-		t.Errorf("e.StatusCode = %d; want %d", e.StatusCode, http.StatusTooManyRequests)
-	}
-}
-
-func TestNonce_postJWS(t *testing.T) {
-	var count int
-	seen := make(map[string]bool)
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		count++
-		w.Header().Set("Replay-Nonce", fmt.Sprintf("nonce%d", count))
-		if r.Method == "HEAD" {
-			// We expect the client do a HEAD request
-			// but only to fetch the first nonce.
-			return
-		}
-		// Make client.Authorize happy; we're not testing its result.
-		defer func() {
-			w.WriteHeader(http.StatusCreated)
-			w.Write([]byte(`{"status":"valid"}`))
-		}()
-
-		head, err := decodeJWSHead(r)
-		if err != nil {
-			t.Errorf("decodeJWSHead: %v", err)
-			return
-		}
-		if head.Nonce == "" {
-			t.Error("head.Nonce is empty")
-			return
-		}
-		if seen[head.Nonce] {
-			t.Errorf("nonce is already used: %q", head.Nonce)
-		}
-		seen[head.Nonce] = true
-	}))
-	defer ts.Close()
-
-	client := Client{Key: testKey, dir: &Directory{AuthzURL: ts.URL}}
-	if _, err := client.Authorize(context.Background(), "example.com"); err != nil {
-		t.Errorf("client.Authorize 1: %v", err)
-	}
-	// The second call should not generate another extra HEAD request.
-	if _, err := client.Authorize(context.Background(), "example.com"); err != nil {
-		t.Errorf("client.Authorize 2: %v", err)
-	}
-
-	if count != 3 {
-		t.Errorf("total requests count: %d; want 3", count)
-	}
-	if n := len(client.nonces); n != 1 {
-		t.Errorf("len(client.nonces) = %d; want 1", n)
-	}
-	for k := range seen {
-		if _, exist := client.nonces[k]; exist {
-			t.Errorf("used nonce %q in client.nonces", k)
-		}
-	}
-}
-
-func TestRetryPostJWS(t *testing.T) {
-	var count int
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		count++
-		w.Header().Set("Replay-Nonce", fmt.Sprintf("nonce%d", count))
-		if r.Method == "HEAD" {
-			// We expect the client to do 2 head requests to fetch
-			// nonces, one to start and another after getting badNonce
-			return
-		}
-
-		head, err := decodeJWSHead(r)
-		if err != nil {
-			t.Errorf("decodeJWSHead: %v", err)
-		} else if head.Nonce == "" {
-			t.Error("head.Nonce is empty")
-		} else if head.Nonce == "nonce1" {
-			// return a badNonce error to force the call to retry
-			w.WriteHeader(http.StatusBadRequest)
-			w.Write([]byte(`{"type":"urn:ietf:params:acme:error:badNonce"}`))
-			return
-		}
-		// Make client.Authorize happy; we're not testing its result.
-		w.WriteHeader(http.StatusCreated)
-		w.Write([]byte(`{"status":"valid"}`))
-	}))
-	defer ts.Close()
-
-	client := Client{Key: testKey, dir: &Directory{AuthzURL: ts.URL}}
-	// This call will fail with badNonce, causing a retry
-	if _, err := client.Authorize(context.Background(), "example.com"); err != nil {
-		t.Errorf("client.Authorize 1: %v", err)
-	}
-	if count != 4 {
-		t.Errorf("total requests count: %d; want 4", count)
-	}
-}
-
-func TestLinkHeader(t *testing.T) {
-	h := http.Header{"Link": {
-		`<https://example.com/acme/new-authz>;rel="next"`,
-		`<https://example.com/acme/recover-reg>; rel=recover`,
-		`<https://example.com/acme/terms>; foo=bar; rel="terms-of-service"`,
-		`<dup>;rel="next"`,
-	}}
-	tests := []struct {
-		rel string
-		out []string
-	}{
-		{"next", []string{"https://example.com/acme/new-authz", "dup"}},
-		{"recover", []string{"https://example.com/acme/recover-reg"}},
-		{"terms-of-service", []string{"https://example.com/acme/terms"}},
-		{"empty", nil},
-	}
-	for i, test := range tests {
-		if v := linkHeader(h, test.rel); !reflect.DeepEqual(v, test.out) {
-			t.Errorf("%d: linkHeader(%q): %v; want %v", i, test.rel, v, test.out)
-		}
-	}
-}
-
-func TestErrorResponse(t *testing.T) {
-	s := `{
-		"status": 400,
-		"type": "urn:acme:error:xxx",
-		"detail": "text"
-	}`
-	res := &http.Response{
-		StatusCode: 400,
-		Status:     "400 Bad Request",
-		Body:       ioutil.NopCloser(strings.NewReader(s)),
-		Header:     http.Header{"X-Foo": {"bar"}},
-	}
-	err := responseError(res)
-	v, ok := err.(*Error)
-	if !ok {
-		t.Fatalf("err = %+v (%T); want *Error type", err, err)
-	}
-	if v.StatusCode != 400 {
-		t.Errorf("v.StatusCode = %v; want 400", v.StatusCode)
-	}
-	if v.ProblemType != "urn:acme:error:xxx" {
-		t.Errorf("v.ProblemType = %q; want urn:acme:error:xxx", v.ProblemType)
-	}
-	if v.Detail != "text" {
-		t.Errorf("v.Detail = %q; want text", v.Detail)
-	}
-	if !reflect.DeepEqual(v.Header, res.Header) {
-		t.Errorf("v.Header = %+v; want %+v", v.Header, res.Header)
-	}
-}
-
-func TestTLSSNI01ChallengeCert(t *testing.T) {
-	const (
-		token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
-		// echo -n <token.testKeyECThumbprint> | shasum -a 256
-		san = "dbbd5eefe7b4d06eb9d1d9f5acb4c7cd.a27d320e4b30332f0b6cb441734ad7b0.acme.invalid"
-	)
-
-	client := &Client{Key: testKeyEC}
-	tlscert, name, err := client.TLSSNI01ChallengeCert(token)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if n := len(tlscert.Certificate); n != 1 {
-		t.Fatalf("len(tlscert.Certificate) = %d; want 1", n)
-	}
-	cert, err := x509.ParseCertificate(tlscert.Certificate[0])
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != san {
-		t.Fatalf("cert.DNSNames = %v; want %q", cert.DNSNames, san)
-	}
-	if cert.DNSNames[0] != name {
-		t.Errorf("cert.DNSNames[0] != name: %q vs %q", cert.DNSNames[0], name)
-	}
-	if cn := cert.Subject.CommonName; cn != san {
-		t.Errorf("cert.Subject.CommonName = %q; want %q", cn, san)
-	}
-}
-
-func TestTLSSNI02ChallengeCert(t *testing.T) {
-	const (
-		token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
-		// echo -n evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA | shasum -a 256
-		sanA = "7ea0aaa69214e71e02cebb18bb867736.09b730209baabf60e43d4999979ff139.token.acme.invalid"
-		// echo -n <token.testKeyECThumbprint> | shasum -a 256
-		sanB = "dbbd5eefe7b4d06eb9d1d9f5acb4c7cd.a27d320e4b30332f0b6cb441734ad7b0.ka.acme.invalid"
-	)
-
-	client := &Client{Key: testKeyEC}
-	tlscert, name, err := client.TLSSNI02ChallengeCert(token)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if n := len(tlscert.Certificate); n != 1 {
-		t.Fatalf("len(tlscert.Certificate) = %d; want 1", n)
-	}
-	cert, err := x509.ParseCertificate(tlscert.Certificate[0])
-	if err != nil {
-		t.Fatal(err)
-	}
-	names := []string{sanA, sanB}
-	if !reflect.DeepEqual(cert.DNSNames, names) {
-		t.Fatalf("cert.DNSNames = %v;\nwant %v", cert.DNSNames, names)
-	}
-	sort.Strings(cert.DNSNames)
-	i := sort.SearchStrings(cert.DNSNames, name)
-	if i >= len(cert.DNSNames) || cert.DNSNames[i] != name {
-		t.Errorf("%v doesn't have %q", cert.DNSNames, name)
-	}
-	if cn := cert.Subject.CommonName; cn != sanA {
-		t.Errorf("CommonName = %q; want %q", cn, sanA)
-	}
-}
-
-func TestTLSChallengeCertOpt(t *testing.T) {
-	key, err := rsa.GenerateKey(rand.Reader, 512)
-	if err != nil {
-		t.Fatal(err)
-	}
-	tmpl := &x509.Certificate{
-		SerialNumber: big.NewInt(2),
-		Subject:      pkix.Name{Organization: []string{"Test"}},
-		DNSNames:     []string{"should-be-overwritten"},
-	}
-	opts := []CertOption{WithKey(key), WithTemplate(tmpl)}
-
-	client := &Client{Key: testKeyEC}
-	cert1, _, err := client.TLSSNI01ChallengeCert("token", opts...)
-	if err != nil {
-		t.Fatal(err)
-	}
-	cert2, _, err := client.TLSSNI02ChallengeCert("token", opts...)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for i, tlscert := range []tls.Certificate{cert1, cert2} {
-		// verify generated cert private key
-		tlskey, ok := tlscert.PrivateKey.(*rsa.PrivateKey)
-		if !ok {
-			t.Errorf("%d: tlscert.PrivateKey is %T; want *rsa.PrivateKey", i, tlscert.PrivateKey)
-			continue
-		}
-		if tlskey.D.Cmp(key.D) != 0 {
-			t.Errorf("%d: tlskey.D = %v; want %v", i, tlskey.D, key.D)
-		}
-		// verify generated cert public key
-		x509Cert, err := x509.ParseCertificate(tlscert.Certificate[0])
-		if err != nil {
-			t.Errorf("%d: %v", i, err)
-			continue
-		}
-		tlspub, ok := x509Cert.PublicKey.(*rsa.PublicKey)
-		if !ok {
-			t.Errorf("%d: x509Cert.PublicKey is %T; want *rsa.PublicKey", i, x509Cert.PublicKey)
-			continue
-		}
-		if tlspub.N.Cmp(key.N) != 0 {
-			t.Errorf("%d: tlspub.N = %v; want %v", i, tlspub.N, key.N)
-		}
-		// verify template option
-		sn := big.NewInt(2)
-		if x509Cert.SerialNumber.Cmp(sn) != 0 {
-			t.Errorf("%d: SerialNumber = %v; want %v", i, x509Cert.SerialNumber, sn)
-		}
-		org := []string{"Test"}
-		if !reflect.DeepEqual(x509Cert.Subject.Organization, org) {
-			t.Errorf("%d: Subject.Organization = %+v; want %+v", i, x509Cert.Subject.Organization, org)
-		}
-		for _, v := range x509Cert.DNSNames {
-			if !strings.HasSuffix(v, ".acme.invalid") {
-				t.Errorf("%d: invalid DNSNames element: %q", i, v)
-			}
-		}
-	}
-}
-
-func TestHTTP01Challenge(t *testing.T) {
-	const (
-		token = "xxx"
-		// thumbprint is precomputed for testKeyEC in jws_test.go
-		value   = token + "." + testKeyECThumbprint
-		urlpath = "/.well-known/acme-challenge/" + token
-	)
-	client := &Client{Key: testKeyEC}
-	val, err := client.HTTP01ChallengeResponse(token)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if val != value {
-		t.Errorf("val = %q; want %q", val, value)
-	}
-	if path := client.HTTP01ChallengePath(token); path != urlpath {
-		t.Errorf("path = %q; want %q", path, urlpath)
-	}
-}
-
-func TestDNS01ChallengeRecord(t *testing.T) {
-	// echo -n xxx.<testKeyECThumbprint> | \
-	//      openssl dgst -binary -sha256 | \
-	//      base64 | tr -d '=' | tr '/+' '_-'
-	const value = "8DERMexQ5VcdJ_prpPiA0mVdp7imgbCgjsG4SqqNMIo"
-
-	client := &Client{Key: testKeyEC}
-	val, err := client.DNS01ChallengeRecord("xxx")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if val != value {
-		t.Errorf("val = %q; want %q", val, value)
-	}
-}
-
-func TestBackoff(t *testing.T) {
-	tt := []struct{ min, max time.Duration }{
-		{time.Second, 2 * time.Second},
-		{2 * time.Second, 3 * time.Second},
-		{4 * time.Second, 5 * time.Second},
-		{8 * time.Second, 9 * time.Second},
-	}
-	for i, test := range tt {
-		d := backoff(i, time.Minute)
-		if d < test.min || test.max < d {
-			t.Errorf("%d: d = %v; want between %v and %v", i, d, test.min, test.max)
-		}
-	}
-
-	min, max := time.Second, 2*time.Second
-	if d := backoff(-1, time.Minute); d < min || max < d {
-		t.Errorf("d = %v; want between %v and %v", d, min, max)
-	}
-
-	bound := 10 * time.Second
-	if d := backoff(100, bound); d != bound {
-		t.Errorf("d = %v; want %v", d, bound)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert.go b/vendor/golang.org/x/crypto/acme/autocert/autocert.go
deleted file mode 100644
index 453e7229..00000000
--- a/vendor/golang.org/x/crypto/acme/autocert/autocert.go
+++ /dev/null
@@ -1,973 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package autocert provides automatic access to certificates from Let's Encrypt
-// and any other ACME-based CA.
-//
-// This package is a work in progress and makes no API stability promises.
-package autocert
-
-import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	mathrand "math/rand"
-	"net"
-	"net/http"
-	"path"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"golang.org/x/crypto/acme"
-)
-
-// createCertRetryAfter is how much time to wait before removing a failed state
-// entry due to an unsuccessful createCert call.
-// This is a variable instead of a const for testing.
-// TODO: Consider making it configurable or an exp backoff?
-var createCertRetryAfter = time.Minute
-
-// pseudoRand is safe for concurrent use.
-var pseudoRand *lockedMathRand
-
-func init() {
-	src := mathrand.NewSource(timeNow().UnixNano())
-	pseudoRand = &lockedMathRand{rnd: mathrand.New(src)}
-}
-
-// AcceptTOS is a Manager.Prompt function that always returns true to
-// indicate acceptance of the CA's Terms of Service during account
-// registration.
-func AcceptTOS(tosURL string) bool { return true }
-
-// HostPolicy specifies which host names the Manager is allowed to respond to.
-// It returns a non-nil error if the host should be rejected.
-// The returned error is accessible via tls.Conn.Handshake and its callers.
-// See Manager's HostPolicy field and GetCertificate method docs for more details.
-type HostPolicy func(ctx context.Context, host string) error
-
-// HostWhitelist returns a policy where only the specified host names are allowed.
-// Only exact matches are currently supported. Subdomains, regexp or wildcard
-// will not match.
-func HostWhitelist(hosts ...string) HostPolicy {
-	whitelist := make(map[string]bool, len(hosts))
-	for _, h := range hosts {
-		whitelist[h] = true
-	}
-	return func(_ context.Context, host string) error {
-		if !whitelist[host] {
-			return errors.New("acme/autocert: host not configured")
-		}
-		return nil
-	}
-}
-
-// defaultHostPolicy is used when Manager.HostPolicy is not set.
-func defaultHostPolicy(context.Context, string) error {
-	return nil
-}
-
-// Manager is a stateful certificate manager built on top of acme.Client.
-// It obtains and refreshes certificates automatically using "tls-sni-01",
-// "tls-sni-02" and "http-01" challenge types, as well as providing them
-// to a TLS server via tls.Config.
-//
-// You must specify a cache implementation, such as DirCache,
-// to reuse obtained certificates across program restarts.
-// Otherwise your server is very likely to exceed the certificate
-// issuer's request rate limits.
-type Manager struct {
-	// Prompt specifies a callback function to conditionally accept a CA's Terms of Service (TOS).
-	// The registration may require the caller to agree to the CA's TOS.
-	// If so, Manager calls Prompt with a TOS URL provided by the CA. Prompt should report
-	// whether the caller agrees to the terms.
-	//
-	// To always accept the terms, the callers can use AcceptTOS.
-	Prompt func(tosURL string) bool
-
-	// Cache optionally stores and retrieves previously-obtained certificates.
-	// If nil, certs will only be cached for the lifetime of the Manager.
-	//
-	// Manager passes the Cache certificates data encoded in PEM, with private/public
-	// parts combined in a single Cache.Put call, private key first.
-	Cache Cache
-
-	// HostPolicy controls which domains the Manager will attempt
-	// to retrieve new certificates for. It does not affect cached certs.
-	//
-	// If non-nil, HostPolicy is called before requesting a new cert.
-	// If nil, all hosts are currently allowed. This is not recommended,
-	// as it opens a potential attack where clients connect to a server
-	// by IP address and pretend to be asking for an incorrect host name.
-	// Manager will attempt to obtain a certificate for that host, incorrectly,
-	// eventually reaching the CA's rate limit for certificate requests
-	// and making it impossible to obtain actual certificates.
-	//
-	// See GetCertificate for more details.
-	HostPolicy HostPolicy
-
-	// RenewBefore optionally specifies how early certificates should
-	// be renewed before they expire.
-	//
-	// If zero, they're renewed 30 days before expiration.
-	RenewBefore time.Duration
-
-	// Client is used to perform low-level operations, such as account registration
-	// and requesting new certificates.
-	// If Client is nil, a zero-value acme.Client is used with acme.LetsEncryptURL
-	// directory endpoint and a newly-generated ECDSA P-256 key.
-	//
-	// Mutating the field after the first call of GetCertificate method will have no effect.
-	Client *acme.Client
-
-	// Email optionally specifies a contact email address.
-	// This is used by CAs, such as Let's Encrypt, to notify about problems
-	// with issued certificates.
-	//
-	// If the Client's account key is already registered, Email is not used.
-	Email string
-
-	// ForceRSA makes the Manager generate certificates with 2048-bit RSA keys.
-	//
-	// If false, a default is used. Currently the default
-	// is EC-based keys using the P-256 curve.
-	ForceRSA bool
-
-	clientMu sync.Mutex
-	client   *acme.Client // initialized by acmeClient method
-
-	stateMu sync.Mutex
-	state   map[string]*certState // keyed by domain name
-
-	// renewal tracks the set of domains currently running renewal timers.
-	// It is keyed by domain name.
-	renewalMu sync.Mutex
-	renewal   map[string]*domainRenewal
-
-	// tokensMu guards the rest of the fields: tryHTTP01, certTokens and httpTokens.
-	tokensMu sync.RWMutex
-	// tryHTTP01 indicates whether the Manager should try "http-01" challenge type
-	// during the authorization flow.
-	tryHTTP01 bool
-	// httpTokens contains response body values for http-01 challenges
-	// and is keyed by the URL path at which a challenge response is expected
-	// to be provisioned.
-	// The entries are stored for the duration of the authorization flow.
-	httpTokens map[string][]byte
-	// certTokens contains temporary certificates for tls-sni challenges
-	// and is keyed by token domain name, which matches server name of ClientHello.
-	// Keys always have ".acme.invalid" suffix.
-	// The entries are stored for the duration of the authorization flow.
-	certTokens map[string]*tls.Certificate
-}
-
-// GetCertificate implements the tls.Config.GetCertificate hook.
-// It provides a TLS certificate for hello.ServerName host, including answering
-// *.acme.invalid (TLS-SNI) challenges. All other fields of hello are ignored.
-//
-// If m.HostPolicy is non-nil, GetCertificate calls the policy before requesting
-// a new cert. A non-nil error returned from m.HostPolicy halts TLS negotiation.
-// The error is propagated back to the caller of GetCertificate and is user-visible.
-// This does not affect cached certs. See HostPolicy field description for more details.
-func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if m.Prompt == nil {
-		return nil, errors.New("acme/autocert: Manager.Prompt not set")
-	}
-
-	name := hello.ServerName
-	if name == "" {
-		return nil, errors.New("acme/autocert: missing server name")
-	}
-	if !strings.Contains(strings.Trim(name, "."), ".") {
-		return nil, errors.New("acme/autocert: server name component count invalid")
-	}
-	if strings.ContainsAny(name, `/\`) {
-		return nil, errors.New("acme/autocert: server name contains invalid character")
-	}
-
-	// In the worst-case scenario, the timeout needs to account for caching, host policy,
-	// domain ownership verification and certificate issuance.
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
-	defer cancel()
-
-	// check whether this is a token cert requested for TLS-SNI challenge
-	if strings.HasSuffix(name, ".acme.invalid") {
-		m.tokensMu.RLock()
-		defer m.tokensMu.RUnlock()
-		if cert := m.certTokens[name]; cert != nil {
-			return cert, nil
-		}
-		if cert, err := m.cacheGet(ctx, name); err == nil {
-			return cert, nil
-		}
-		// TODO: cache error results?
-		return nil, fmt.Errorf("acme/autocert: no token cert for %q", name)
-	}
-
-	// regular domain
-	name = strings.TrimSuffix(name, ".") // golang.org/issue/18114
-	cert, err := m.cert(ctx, name)
-	if err == nil {
-		return cert, nil
-	}
-	if err != ErrCacheMiss {
-		return nil, err
-	}
-
-	// first-time
-	if err := m.hostPolicy()(ctx, name); err != nil {
-		return nil, err
-	}
-	cert, err = m.createCert(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-	m.cachePut(ctx, name, cert)
-	return cert, nil
-}
-
-// HTTPHandler configures the Manager to provision ACME "http-01" challenge responses.
-// It returns an http.Handler that responds to the challenges and must be
-// running on port 80. If it receives a request that is not an ACME challenge,
-// it delegates the request to the optional fallback handler.
-//
-// If fallback is nil, the returned handler redirects all GET and HEAD requests
-// to the default TLS port 443 with 302 Found status code, preserving the original
-// request path and query. It responds with 400 Bad Request to all other HTTP methods.
-// The fallback is not protected by the optional HostPolicy.
-//
-// Because the fallback handler is run with unencrypted port 80 requests,
-// the fallback should not serve TLS-only requests.
-//
-// If HTTPHandler is never called, the Manager will only use TLS SNI
-// challenges for domain verification.
-func (m *Manager) HTTPHandler(fallback http.Handler) http.Handler {
-	m.tokensMu.Lock()
-	defer m.tokensMu.Unlock()
-	m.tryHTTP01 = true
-
-	if fallback == nil {
-		fallback = http.HandlerFunc(handleHTTPRedirect)
-	}
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if !strings.HasPrefix(r.URL.Path, "/.well-known/acme-challenge/") {
-			fallback.ServeHTTP(w, r)
-			return
-		}
-		// A reasonable context timeout for cache and host policy only,
-		// because we don't wait for a new certificate issuance here.
-		ctx, cancel := context.WithTimeout(r.Context(), time.Minute)
-		defer cancel()
-		if err := m.hostPolicy()(ctx, r.Host); err != nil {
-			http.Error(w, err.Error(), http.StatusForbidden)
-			return
-		}
-		data, err := m.httpToken(ctx, r.URL.Path)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusNotFound)
-			return
-		}
-		w.Write(data)
-	})
-}
-
-func handleHTTPRedirect(w http.ResponseWriter, r *http.Request) {
-	if r.Method != "GET" && r.Method != "HEAD" {
-		http.Error(w, "Use HTTPS", http.StatusBadRequest)
-		return
-	}
-	target := "https://" + stripPort(r.Host) + r.URL.RequestURI()
-	http.Redirect(w, r, target, http.StatusFound)
-}
-
-func stripPort(hostport string) string {
-	host, _, err := net.SplitHostPort(hostport)
-	if err != nil {
-		return hostport
-	}
-	return net.JoinHostPort(host, "443")
-}
-
-// cert returns an existing certificate either from m.state or cache.
-// If a certificate is found in cache but not in m.state, the latter will be filled
-// with the cached value.
-func (m *Manager) cert(ctx context.Context, name string) (*tls.Certificate, error) {
-	m.stateMu.Lock()
-	if s, ok := m.state[name]; ok {
-		m.stateMu.Unlock()
-		s.RLock()
-		defer s.RUnlock()
-		return s.tlscert()
-	}
-	defer m.stateMu.Unlock()
-	cert, err := m.cacheGet(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-	signer, ok := cert.PrivateKey.(crypto.Signer)
-	if !ok {
-		return nil, errors.New("acme/autocert: private key cannot sign")
-	}
-	if m.state == nil {
-		m.state = make(map[string]*certState)
-	}
-	s := &certState{
-		key:  signer,
-		cert: cert.Certificate,
-		leaf: cert.Leaf,
-	}
-	m.state[name] = s
-	go m.renew(name, s.key, s.leaf.NotAfter)
-	return cert, nil
-}
-
-// cacheGet always returns a valid certificate, or an error otherwise.
-// If a cached certficate exists but is not valid, ErrCacheMiss is returned.
-func (m *Manager) cacheGet(ctx context.Context, domain string) (*tls.Certificate, error) {
-	if m.Cache == nil {
-		return nil, ErrCacheMiss
-	}
-	data, err := m.Cache.Get(ctx, domain)
-	if err != nil {
-		return nil, err
-	}
-
-	// private
-	priv, pub := pem.Decode(data)
-	if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
-		return nil, ErrCacheMiss
-	}
-	privKey, err := parsePrivateKey(priv.Bytes)
-	if err != nil {
-		return nil, err
-	}
-
-	// public
-	var pubDER [][]byte
-	for len(pub) > 0 {
-		var b *pem.Block
-		b, pub = pem.Decode(pub)
-		if b == nil {
-			break
-		}
-		pubDER = append(pubDER, b.Bytes)
-	}
-	if len(pub) > 0 {
-		// Leftover content not consumed by pem.Decode. Corrupt. Ignore.
-		return nil, ErrCacheMiss
-	}
-
-	// verify and create TLS cert
-	leaf, err := validCert(domain, pubDER, privKey)
-	if err != nil {
-		return nil, ErrCacheMiss
-	}
-	tlscert := &tls.Certificate{
-		Certificate: pubDER,
-		PrivateKey:  privKey,
-		Leaf:        leaf,
-	}
-	return tlscert, nil
-}
-
-func (m *Manager) cachePut(ctx context.Context, domain string, tlscert *tls.Certificate) error {
-	if m.Cache == nil {
-		return nil
-	}
-
-	// contains PEM-encoded data
-	var buf bytes.Buffer
-
-	// private
-	switch key := tlscert.PrivateKey.(type) {
-	case *ecdsa.PrivateKey:
-		if err := encodeECDSAKey(&buf, key); err != nil {
-			return err
-		}
-	case *rsa.PrivateKey:
-		b := x509.MarshalPKCS1PrivateKey(key)
-		pb := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: b}
-		if err := pem.Encode(&buf, pb); err != nil {
-			return err
-		}
-	default:
-		return errors.New("acme/autocert: unknown private key type")
-	}
-
-	// public
-	for _, b := range tlscert.Certificate {
-		pb := &pem.Block{Type: "CERTIFICATE", Bytes: b}
-		if err := pem.Encode(&buf, pb); err != nil {
-			return err
-		}
-	}
-
-	return m.Cache.Put(ctx, domain, buf.Bytes())
-}
-
-func encodeECDSAKey(w io.Writer, key *ecdsa.PrivateKey) error {
-	b, err := x509.MarshalECPrivateKey(key)
-	if err != nil {
-		return err
-	}
-	pb := &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
-	return pem.Encode(w, pb)
-}
-
-// createCert starts the domain ownership verification and returns a certificate
-// for that domain upon success.
-//
-// If the domain is already being verified, it waits for the existing verification to complete.
-// Either way, createCert blocks for the duration of the whole process.
-func (m *Manager) createCert(ctx context.Context, domain string) (*tls.Certificate, error) {
-	// TODO: maybe rewrite this whole piece using sync.Once
-	state, err := m.certState(domain)
-	if err != nil {
-		return nil, err
-	}
-	// state may exist if another goroutine is already working on it
-	// in which case just wait for it to finish
-	if !state.locked {
-		state.RLock()
-		defer state.RUnlock()
-		return state.tlscert()
-	}
-
-	// We are the first; state is locked.
-	// Unblock the readers when domain ownership is verified
-	// and we got the cert or the process failed.
-	defer state.Unlock()
-	state.locked = false
-
-	der, leaf, err := m.authorizedCert(ctx, state.key, domain)
-	if err != nil {
-		// Remove the failed state after some time,
-		// making the manager call createCert again on the following TLS hello.
-		time.AfterFunc(createCertRetryAfter, func() {
-			defer testDidRemoveState(domain)
-			m.stateMu.Lock()
-			defer m.stateMu.Unlock()
-			// Verify the state hasn't changed and it's still invalid
-			// before deleting.
-			s, ok := m.state[domain]
-			if !ok {
-				return
-			}
-			if _, err := validCert(domain, s.cert, s.key); err == nil {
-				return
-			}
-			delete(m.state, domain)
-		})
-		return nil, err
-	}
-	state.cert = der
-	state.leaf = leaf
-	go m.renew(domain, state.key, state.leaf.NotAfter)
-	return state.tlscert()
-}
-
-// certState returns a new or existing certState.
-// If a new certState is returned, state.exist is false and the state is locked.
-// The returned error is non-nil only in the case where a new state could not be created.
-func (m *Manager) certState(domain string) (*certState, error) {
-	m.stateMu.Lock()
-	defer m.stateMu.Unlock()
-	if m.state == nil {
-		m.state = make(map[string]*certState)
-	}
-	// existing state
-	if state, ok := m.state[domain]; ok {
-		return state, nil
-	}
-
-	// new locked state
-	var (
-		err error
-		key crypto.Signer
-	)
-	if m.ForceRSA {
-		key, err = rsa.GenerateKey(rand.Reader, 2048)
-	} else {
-		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	state := &certState{
-		key:    key,
-		locked: true,
-	}
-	state.Lock() // will be unlocked by m.certState caller
-	m.state[domain] = state
-	return state, nil
-}
-
-// authorizedCert starts the domain ownership verification process and requests a new cert upon success.
-// The key argument is the certificate private key.
-func (m *Manager) authorizedCert(ctx context.Context, key crypto.Signer, domain string) (der [][]byte, leaf *x509.Certificate, err error) {
-	client, err := m.acmeClient(ctx)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if err := m.verify(ctx, client, domain); err != nil {
-		return nil, nil, err
-	}
-	csr, err := certRequest(key, domain)
-	if err != nil {
-		return nil, nil, err
-	}
-	der, _, err = client.CreateCert(ctx, csr, 0, true)
-	if err != nil {
-		return nil, nil, err
-	}
-	leaf, err = validCert(domain, der, key)
-	if err != nil {
-		return nil, nil, err
-	}
-	return der, leaf, nil
-}
-
-// verify runs the identifier (domain) authorization flow
-// using each applicable ACME challenge type.
-func (m *Manager) verify(ctx context.Context, client *acme.Client, domain string) error {
-	// The list of challenge types we'll try to fulfill
-	// in this specific order.
-	challengeTypes := []string{"tls-sni-02", "tls-sni-01"}
-	m.tokensMu.RLock()
-	if m.tryHTTP01 {
-		challengeTypes = append(challengeTypes, "http-01")
-	}
-	m.tokensMu.RUnlock()
-
-	var nextTyp int // challengeType index of the next challenge type to try
-	for {
-		// Start domain authorization and get the challenge.
-		authz, err := client.Authorize(ctx, domain)
-		if err != nil {
-			return err
-		}
-		// No point in accepting challenges if the authorization status
-		// is in a final state.
-		switch authz.Status {
-		case acme.StatusValid:
-			return nil // already authorized
-		case acme.StatusInvalid:
-			return fmt.Errorf("acme/autocert: invalid authorization %q", authz.URI)
-		}
-
-		// Pick the next preferred challenge.
-		var chal *acme.Challenge
-		for chal == nil && nextTyp < len(challengeTypes) {
-			chal = pickChallenge(challengeTypes[nextTyp], authz.Challenges)
-			nextTyp++
-		}
-		if chal == nil {
-			return fmt.Errorf("acme/autocert: unable to authorize %q; tried %q", domain, challengeTypes)
-		}
-		cleanup, err := m.fulfill(ctx, client, chal)
-		if err != nil {
-			continue
-		}
-		defer cleanup()
-		if _, err := client.Accept(ctx, chal); err != nil {
-			continue
-		}
-
-		// A challenge is fulfilled and accepted: wait for the CA to validate.
-		if _, err := client.WaitAuthorization(ctx, authz.URI); err == nil {
-			return nil
-		}
-	}
-}
-
-// fulfill provisions a response to the challenge chal.
-// The cleanup is non-nil only if provisioning succeeded.
-func (m *Manager) fulfill(ctx context.Context, client *acme.Client, chal *acme.Challenge) (cleanup func(), err error) {
-	switch chal.Type {
-	case "tls-sni-01":
-		cert, name, err := client.TLSSNI01ChallengeCert(chal.Token)
-		if err != nil {
-			return nil, err
-		}
-		m.putCertToken(ctx, name, &cert)
-		return func() { go m.deleteCertToken(name) }, nil
-	case "tls-sni-02":
-		cert, name, err := client.TLSSNI02ChallengeCert(chal.Token)
-		if err != nil {
-			return nil, err
-		}
-		m.putCertToken(ctx, name, &cert)
-		return func() { go m.deleteCertToken(name) }, nil
-	case "http-01":
-		resp, err := client.HTTP01ChallengeResponse(chal.Token)
-		if err != nil {
-			return nil, err
-		}
-		p := client.HTTP01ChallengePath(chal.Token)
-		m.putHTTPToken(ctx, p, resp)
-		return func() { go m.deleteHTTPToken(p) }, nil
-	}
-	return nil, fmt.Errorf("acme/autocert: unknown challenge type %q", chal.Type)
-}
-
-func pickChallenge(typ string, chal []*acme.Challenge) *acme.Challenge {
-	for _, c := range chal {
-		if c.Type == typ {
-			return c
-		}
-	}
-	return nil
-}
-
-// putCertToken stores the cert under the named key in both m.certTokens map
-// and m.Cache.
-func (m *Manager) putCertToken(ctx context.Context, name string, cert *tls.Certificate) {
-	m.tokensMu.Lock()
-	defer m.tokensMu.Unlock()
-	if m.certTokens == nil {
-		m.certTokens = make(map[string]*tls.Certificate)
-	}
-	m.certTokens[name] = cert
-	m.cachePut(ctx, name, cert)
-}
-
-// deleteCertToken removes the token certificate for the specified domain name
-// from both m.certTokens map and m.Cache.
-func (m *Manager) deleteCertToken(name string) {
-	m.tokensMu.Lock()
-	defer m.tokensMu.Unlock()
-	delete(m.certTokens, name)
-	if m.Cache != nil {
-		m.Cache.Delete(context.Background(), name)
-	}
-}
-
-// httpToken retrieves an existing http-01 token value from an in-memory map
-// or the optional cache.
-func (m *Manager) httpToken(ctx context.Context, tokenPath string) ([]byte, error) {
-	m.tokensMu.RLock()
-	defer m.tokensMu.RUnlock()
-	if v, ok := m.httpTokens[tokenPath]; ok {
-		return v, nil
-	}
-	if m.Cache == nil {
-		return nil, fmt.Errorf("acme/autocert: no token at %q", tokenPath)
-	}
-	return m.Cache.Get(ctx, httpTokenCacheKey(tokenPath))
-}
-
-// putHTTPToken stores an http-01 token value using tokenPath as key
-// in both in-memory map and the optional Cache.
-//
-// It ignores any error returned from Cache.Put.
-func (m *Manager) putHTTPToken(ctx context.Context, tokenPath, val string) {
-	m.tokensMu.Lock()
-	defer m.tokensMu.Unlock()
-	if m.httpTokens == nil {
-		m.httpTokens = make(map[string][]byte)
-	}
-	b := []byte(val)
-	m.httpTokens[tokenPath] = b
-	if m.Cache != nil {
-		m.Cache.Put(ctx, httpTokenCacheKey(tokenPath), b)
-	}
-}
-
-// deleteHTTPToken removes an http-01 token value from both in-memory map
-// and the optional Cache, ignoring any error returned from the latter.
-//
-// If m.Cache is non-nil, it blocks until Cache.Delete returns without a timeout.
-func (m *Manager) deleteHTTPToken(tokenPath string) {
-	m.tokensMu.Lock()
-	defer m.tokensMu.Unlock()
-	delete(m.httpTokens, tokenPath)
-	if m.Cache != nil {
-		m.Cache.Delete(context.Background(), httpTokenCacheKey(tokenPath))
-	}
-}
-
-// httpTokenCacheKey returns a key at which an http-01 token value may be stored
-// in the Manager's optional Cache.
-func httpTokenCacheKey(tokenPath string) string {
-	return "http-01-" + path.Base(tokenPath)
-}
-
-// renew starts a cert renewal timer loop, one per domain.
-//
-// The loop is scheduled in two cases:
-// - a cert was fetched from cache for the first time (wasn't in m.state)
-// - a new cert was created by m.createCert
-//
-// The key argument is a certificate private key.
-// The exp argument is the cert expiration time (NotAfter).
-func (m *Manager) renew(domain string, key crypto.Signer, exp time.Time) {
-	m.renewalMu.Lock()
-	defer m.renewalMu.Unlock()
-	if m.renewal[domain] != nil {
-		// another goroutine is already on it
-		return
-	}
-	if m.renewal == nil {
-		m.renewal = make(map[string]*domainRenewal)
-	}
-	dr := &domainRenewal{m: m, domain: domain, key: key}
-	m.renewal[domain] = dr
-	dr.start(exp)
-}
-
-// stopRenew stops all currently running cert renewal timers.
-// The timers are not restarted during the lifetime of the Manager.
-func (m *Manager) stopRenew() {
-	m.renewalMu.Lock()
-	defer m.renewalMu.Unlock()
-	for name, dr := range m.renewal {
-		delete(m.renewal, name)
-		dr.stop()
-	}
-}
-
-func (m *Manager) accountKey(ctx context.Context) (crypto.Signer, error) {
-	const keyName = "acme_account.key"
-
-	genKey := func() (*ecdsa.PrivateKey, error) {
-		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	}
-
-	if m.Cache == nil {
-		return genKey()
-	}
-
-	data, err := m.Cache.Get(ctx, keyName)
-	if err == ErrCacheMiss {
-		key, err := genKey()
-		if err != nil {
-			return nil, err
-		}
-		var buf bytes.Buffer
-		if err := encodeECDSAKey(&buf, key); err != nil {
-			return nil, err
-		}
-		if err := m.Cache.Put(ctx, keyName, buf.Bytes()); err != nil {
-			return nil, err
-		}
-		return key, nil
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	priv, _ := pem.Decode(data)
-	if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
-		return nil, errors.New("acme/autocert: invalid account key found in cache")
-	}
-	return parsePrivateKey(priv.Bytes)
-}
-
-func (m *Manager) acmeClient(ctx context.Context) (*acme.Client, error) {
-	m.clientMu.Lock()
-	defer m.clientMu.Unlock()
-	if m.client != nil {
-		return m.client, nil
-	}
-
-	client := m.Client
-	if client == nil {
-		client = &acme.Client{DirectoryURL: acme.LetsEncryptURL}
-	}
-	if client.Key == nil {
-		var err error
-		client.Key, err = m.accountKey(ctx)
-		if err != nil {
-			return nil, err
-		}
-	}
-	var contact []string
-	if m.Email != "" {
-		contact = []string{"mailto:" + m.Email}
-	}
-	a := &acme.Account{Contact: contact}
-	_, err := client.Register(ctx, a, m.Prompt)
-	if ae, ok := err.(*acme.Error); err == nil || ok && ae.StatusCode == http.StatusConflict {
-		// conflict indicates the key is already registered
-		m.client = client
-		err = nil
-	}
-	return m.client, err
-}
-
-func (m *Manager) hostPolicy() HostPolicy {
-	if m.HostPolicy != nil {
-		return m.HostPolicy
-	}
-	return defaultHostPolicy
-}
-
-func (m *Manager) renewBefore() time.Duration {
-	if m.RenewBefore > renewJitter {
-		return m.RenewBefore
-	}
-	return 720 * time.Hour // 30 days
-}
-
-// certState is ready when its mutex is unlocked for reading.
-type certState struct {
-	sync.RWMutex
-	locked bool              // locked for read/write
-	key    crypto.Signer     // private key for cert
-	cert   [][]byte          // DER encoding
-	leaf   *x509.Certificate // parsed cert[0]; always non-nil if cert != nil
-}
-
-// tlscert creates a tls.Certificate from s.key and s.cert.
-// Callers should wrap it in s.RLock() and s.RUnlock().
-func (s *certState) tlscert() (*tls.Certificate, error) {
-	if s.key == nil {
-		return nil, errors.New("acme/autocert: missing signer")
-	}
-	if len(s.cert) == 0 {
-		return nil, errors.New("acme/autocert: missing certificate")
-	}
-	return &tls.Certificate{
-		PrivateKey:  s.key,
-		Certificate: s.cert,
-		Leaf:        s.leaf,
-	}, nil
-}
-
-// certRequest creates a certificate request for the given common name cn
-// and optional SANs.
-func certRequest(key crypto.Signer, cn string, san ...string) ([]byte, error) {
-	req := &x509.CertificateRequest{
-		Subject:  pkix.Name{CommonName: cn},
-		DNSNames: san,
-	}
-	return x509.CreateCertificateRequest(rand.Reader, req, key)
-}
-
-// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
-// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
-// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
-//
-// Inspired by parsePrivateKey in crypto/tls/tls.go.
-func parsePrivateKey(der []byte) (crypto.Signer, error) {
-	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
-		return key, nil
-	}
-	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
-		switch key := key.(type) {
-		case *rsa.PrivateKey:
-			return key, nil
-		case *ecdsa.PrivateKey:
-			return key, nil
-		default:
-			return nil, errors.New("acme/autocert: unknown private key type in PKCS#8 wrapping")
-		}
-	}
-	if key, err := x509.ParseECPrivateKey(der); err == nil {
-		return key, nil
-	}
-
-	return nil, errors.New("acme/autocert: failed to parse private key")
-}
-
-// validCert parses a cert chain provided as der argument and verifies the leaf, der[0],
-// corresponds to the private key, as well as the domain match and expiration dates.
-// It doesn't do any revocation checking.
-//
-// The returned value is the verified leaf cert.
-func validCert(domain string, der [][]byte, key crypto.Signer) (leaf *x509.Certificate, err error) {
-	// parse public part(s)
-	var n int
-	for _, b := range der {
-		n += len(b)
-	}
-	pub := make([]byte, n)
-	n = 0
-	for _, b := range der {
-		n += copy(pub[n:], b)
-	}
-	x509Cert, err := x509.ParseCertificates(pub)
-	if len(x509Cert) == 0 {
-		return nil, errors.New("acme/autocert: no public key found")
-	}
-	// verify the leaf is not expired and matches the domain name
-	leaf = x509Cert[0]
-	now := timeNow()
-	if now.Before(leaf.NotBefore) {
-		return nil, errors.New("acme/autocert: certificate is not valid yet")
-	}
-	if now.After(leaf.NotAfter) {
-		return nil, errors.New("acme/autocert: expired certificate")
-	}
-	if err := leaf.VerifyHostname(domain); err != nil {
-		return nil, err
-	}
-	// ensure the leaf corresponds to the private key
-	switch pub := leaf.PublicKey.(type) {
-	case *rsa.PublicKey:
-		prv, ok := key.(*rsa.PrivateKey)
-		if !ok {
-			return nil, errors.New("acme/autocert: private key type does not match public key type")
-		}
-		if pub.N.Cmp(prv.N) != 0 {
-			return nil, errors.New("acme/autocert: private key does not match public key")
-		}
-	case *ecdsa.PublicKey:
-		prv, ok := key.(*ecdsa.PrivateKey)
-		if !ok {
-			return nil, errors.New("acme/autocert: private key type does not match public key type")
-		}
-		if pub.X.Cmp(prv.X) != 0 || pub.Y.Cmp(prv.Y) != 0 {
-			return nil, errors.New("acme/autocert: private key does not match public key")
-		}
-	default:
-		return nil, errors.New("acme/autocert: unknown public key algorithm")
-	}
-	return leaf, nil
-}
-
-func retryAfter(v string) time.Duration {
-	if i, err := strconv.Atoi(v); err == nil {
-		return time.Duration(i) * time.Second
-	}
-	if t, err := http.ParseTime(v); err == nil {
-		return t.Sub(timeNow())
-	}
-	return time.Second
-}
-
-type lockedMathRand struct {
-	sync.Mutex
-	rnd *mathrand.Rand
-}
-
-func (r *lockedMathRand) int63n(max int64) int64 {
-	r.Lock()
-	n := r.rnd.Int63n(max)
-	r.Unlock()
-	return n
-}
-
-// For easier testing.
-var (
-	timeNow = time.Now
-
-	// Called when a state is removed.
-	testDidRemoveState = func(domain string) {}
-)
diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert_test.go b/vendor/golang.org/x/crypto/acme/autocert/autocert_test.go
deleted file mode 100644
index 2da1912e..00000000
--- a/vendor/golang.org/x/crypto/acme/autocert/autocert_test.go
+++ /dev/null
@@ -1,757 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
-	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"html/template"
-	"io"
-	"math/big"
-	"net/http"
-	"net/http/httptest"
-	"reflect"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"golang.org/x/crypto/acme"
-)
-
-var discoTmpl = template.Must(template.New("disco").Parse(`{
-	"new-reg": "{{.}}/new-reg",
-	"new-authz": "{{.}}/new-authz",
-	"new-cert": "{{.}}/new-cert"
-}`))
-
-var authzTmpl = template.Must(template.New("authz").Parse(`{
-	"status": "pending",
-	"challenges": [
-		{
-			"uri": "{{.}}/challenge/1",
-			"type": "tls-sni-01",
-			"token": "token-01"
-		},
-		{
-			"uri": "{{.}}/challenge/2",
-			"type": "tls-sni-02",
-			"token": "token-02"
-		},
-		{
-			"uri": "{{.}}/challenge/dns-01",
-			"type": "dns-01",
-			"token": "token-dns-01"
-		},
-		{
-			"uri": "{{.}}/challenge/http-01",
-			"type": "http-01",
-			"token": "token-http-01"
-		}
-	]
-}`))
-
-type memCache struct {
-	mu      sync.Mutex
-	keyData map[string][]byte
-}
-
-func (m *memCache) Get(ctx context.Context, key string) ([]byte, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	v, ok := m.keyData[key]
-	if !ok {
-		return nil, ErrCacheMiss
-	}
-	return v, nil
-}
-
-func (m *memCache) Put(ctx context.Context, key string, data []byte) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.keyData[key] = data
-	return nil
-}
-
-func (m *memCache) Delete(ctx context.Context, key string) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	delete(m.keyData, key)
-	return nil
-}
-
-func newMemCache() *memCache {
-	return &memCache{
-		keyData: make(map[string][]byte),
-	}
-}
-
-func dummyCert(pub interface{}, san ...string) ([]byte, error) {
-	return dateDummyCert(pub, time.Now(), time.Now().Add(90*24*time.Hour), san...)
-}
-
-func dateDummyCert(pub interface{}, start, end time.Time, san ...string) ([]byte, error) {
-	// use EC key to run faster on 386
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-	t := &x509.Certificate{
-		SerialNumber:          big.NewInt(1),
-		NotBefore:             start,
-		NotAfter:              end,
-		BasicConstraintsValid: true,
-		KeyUsage:              x509.KeyUsageKeyEncipherment,
-		DNSNames:              san,
-	}
-	if pub == nil {
-		pub = &key.PublicKey
-	}
-	return x509.CreateCertificate(rand.Reader, t, t, pub, key)
-}
-
-func decodePayload(v interface{}, r io.Reader) error {
-	var req struct{ Payload string }
-	if err := json.NewDecoder(r).Decode(&req); err != nil {
-		return err
-	}
-	payload, err := base64.RawURLEncoding.DecodeString(req.Payload)
-	if err != nil {
-		return err
-	}
-	return json.Unmarshal(payload, v)
-}
-
-func TestGetCertificate(t *testing.T) {
-	man := &Manager{Prompt: AcceptTOS}
-	defer man.stopRenew()
-	hello := &tls.ClientHelloInfo{ServerName: "example.org"}
-	testGetCertificate(t, man, "example.org", hello)
-}
-
-func TestGetCertificate_trailingDot(t *testing.T) {
-	man := &Manager{Prompt: AcceptTOS}
-	defer man.stopRenew()
-	hello := &tls.ClientHelloInfo{ServerName: "example.org."}
-	testGetCertificate(t, man, "example.org", hello)
-}
-
-func TestGetCertificate_ForceRSA(t *testing.T) {
-	man := &Manager{
-		Prompt:   AcceptTOS,
-		Cache:    newMemCache(),
-		ForceRSA: true,
-	}
-	defer man.stopRenew()
-	hello := &tls.ClientHelloInfo{ServerName: "example.org"}
-	testGetCertificate(t, man, "example.org", hello)
-
-	cert, err := man.cacheGet(context.Background(), "example.org")
-	if err != nil {
-		t.Fatalf("man.cacheGet: %v", err)
-	}
-	if _, ok := cert.PrivateKey.(*rsa.PrivateKey); !ok {
-		t.Errorf("cert.PrivateKey is %T; want *rsa.PrivateKey", cert.PrivateKey)
-	}
-}
-
-func TestGetCertificate_nilPrompt(t *testing.T) {
-	man := &Manager{}
-	defer man.stopRenew()
-	url, finish := startACMEServerStub(t, man, "example.org")
-	defer finish()
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	man.Client = &acme.Client{
-		Key:          key,
-		DirectoryURL: url,
-	}
-	hello := &tls.ClientHelloInfo{ServerName: "example.org"}
-	if _, err := man.GetCertificate(hello); err == nil {
-		t.Error("got certificate for example.org; wanted error")
-	}
-}
-
-func TestGetCertificate_expiredCache(t *testing.T) {
-	// Make an expired cert and cache it.
-	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	tmpl := &x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject:      pkix.Name{CommonName: "example.org"},
-		NotAfter:     time.Now(),
-	}
-	pub, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &pk.PublicKey, pk)
-	if err != nil {
-		t.Fatal(err)
-	}
-	tlscert := &tls.Certificate{
-		Certificate: [][]byte{pub},
-		PrivateKey:  pk,
-	}
-
-	man := &Manager{Prompt: AcceptTOS, Cache: newMemCache()}
-	defer man.stopRenew()
-	if err := man.cachePut(context.Background(), "example.org", tlscert); err != nil {
-		t.Fatalf("man.cachePut: %v", err)
-	}
-
-	// The expired cached cert should trigger a new cert issuance
-	// and return without an error.
-	hello := &tls.ClientHelloInfo{ServerName: "example.org"}
-	testGetCertificate(t, man, "example.org", hello)
-}
-
-func TestGetCertificate_failedAttempt(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusBadRequest)
-	}))
-	defer ts.Close()
-
-	const example = "example.org"
-	d := createCertRetryAfter
-	f := testDidRemoveState
-	defer func() {
-		createCertRetryAfter = d
-		testDidRemoveState = f
-	}()
-	createCertRetryAfter = 0
-	done := make(chan struct{})
-	testDidRemoveState = func(domain string) {
-		if domain != example {
-			t.Errorf("testDidRemoveState: domain = %q; want %q", domain, example)
-		}
-		close(done)
-	}
-
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	man := &Manager{
-		Prompt: AcceptTOS,
-		Client: &acme.Client{
-			Key:          key,
-			DirectoryURL: ts.URL,
-		},
-	}
-	defer man.stopRenew()
-	hello := &tls.ClientHelloInfo{ServerName: example}
-	if _, err := man.GetCertificate(hello); err == nil {
-		t.Error("GetCertificate: err is nil")
-	}
-	select {
-	case <-time.After(5 * time.Second):
-		t.Errorf("took too long to remove the %q state", example)
-	case <-done:
-		man.stateMu.Lock()
-		defer man.stateMu.Unlock()
-		if v, exist := man.state[example]; exist {
-			t.Errorf("state exists for %q: %+v", example, v)
-		}
-	}
-}
-
-// startACMEServerStub runs an ACME server
-// The domain argument is the expected domain name of a certificate request.
-func startACMEServerStub(t *testing.T, man *Manager, domain string) (url string, finish func()) {
-	// echo token-02 | shasum -a 256
-	// then divide result in 2 parts separated by dot
-	tokenCertName := "4e8eb87631187e9ff2153b56b13a4dec.13a35d002e485d60ff37354b32f665d9.token.acme.invalid"
-	verifyTokenCert := func() {
-		hello := &tls.ClientHelloInfo{ServerName: tokenCertName}
-		_, err := man.GetCertificate(hello)
-		if err != nil {
-			t.Errorf("verifyTokenCert: GetCertificate(%q): %v", tokenCertName, err)
-			return
-		}
-	}
-
-	// ACME CA server stub
-	var ca *httptest.Server
-	ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Replay-Nonce", "nonce")
-		if r.Method == "HEAD" {
-			// a nonce request
-			return
-		}
-
-		switch r.URL.Path {
-		// discovery
-		case "/":
-			if err := discoTmpl.Execute(w, ca.URL); err != nil {
-				t.Errorf("discoTmpl: %v", err)
-			}
-		// client key registration
-		case "/new-reg":
-			w.Write([]byte("{}"))
-		// domain authorization
-		case "/new-authz":
-			w.Header().Set("Location", ca.URL+"/authz/1")
-			w.WriteHeader(http.StatusCreated)
-			if err := authzTmpl.Execute(w, ca.URL); err != nil {
-				t.Errorf("authzTmpl: %v", err)
-			}
-		// accept tls-sni-02 challenge
-		case "/challenge/2":
-			verifyTokenCert()
-			w.Write([]byte("{}"))
-		// authorization status
-		case "/authz/1":
-			w.Write([]byte(`{"status": "valid"}`))
-		// cert request
-		case "/new-cert":
-			var req struct {
-				CSR string `json:"csr"`
-			}
-			decodePayload(&req, r.Body)
-			b, _ := base64.RawURLEncoding.DecodeString(req.CSR)
-			csr, err := x509.ParseCertificateRequest(b)
-			if err != nil {
-				t.Errorf("new-cert: CSR: %v", err)
-			}
-			if csr.Subject.CommonName != domain {
-				t.Errorf("CommonName in CSR = %q; want %q", csr.Subject.CommonName, domain)
-			}
-			der, err := dummyCert(csr.PublicKey, domain)
-			if err != nil {
-				t.Errorf("new-cert: dummyCert: %v", err)
-			}
-			chainUp := fmt.Sprintf("<%s/ca-cert>; rel=up", ca.URL)
-			w.Header().Set("Link", chainUp)
-			w.WriteHeader(http.StatusCreated)
-			w.Write(der)
-		// CA chain cert
-		case "/ca-cert":
-			der, err := dummyCert(nil, "ca")
-			if err != nil {
-				t.Errorf("ca-cert: dummyCert: %v", err)
-			}
-			w.Write(der)
-		default:
-			t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
-		}
-	}))
-	finish = func() {
-		ca.Close()
-
-		// make sure token cert was removed
-		cancel := make(chan struct{})
-		done := make(chan struct{})
-		go func() {
-			defer close(done)
-			tick := time.NewTicker(100 * time.Millisecond)
-			defer tick.Stop()
-			for {
-				hello := &tls.ClientHelloInfo{ServerName: tokenCertName}
-				if _, err := man.GetCertificate(hello); err != nil {
-					return
-				}
-				select {
-				case <-tick.C:
-				case <-cancel:
-					return
-				}
-			}
-		}()
-		select {
-		case <-done:
-		case <-time.After(5 * time.Second):
-			close(cancel)
-			t.Error("token cert was not removed")
-			<-done
-		}
-	}
-	return ca.URL, finish
-}
-
-// tests man.GetCertificate flow using the provided hello argument.
-// The domain argument is the expected domain name of a certificate request.
-func testGetCertificate(t *testing.T, man *Manager, domain string, hello *tls.ClientHelloInfo) {
-	url, finish := startACMEServerStub(t, man, domain)
-	defer finish()
-
-	// use EC key to run faster on 386
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	man.Client = &acme.Client{
-		Key:          key,
-		DirectoryURL: url,
-	}
-
-	// simulate tls.Config.GetCertificate
-	var tlscert *tls.Certificate
-	done := make(chan struct{})
-	go func() {
-		tlscert, err = man.GetCertificate(hello)
-		close(done)
-	}()
-	select {
-	case <-time.After(time.Minute):
-		t.Fatal("man.GetCertificate took too long to return")
-	case <-done:
-	}
-	if err != nil {
-		t.Fatalf("man.GetCertificate: %v", err)
-	}
-
-	// verify the tlscert is the same we responded with from the CA stub
-	if len(tlscert.Certificate) == 0 {
-		t.Fatal("len(tlscert.Certificate) is 0")
-	}
-	cert, err := x509.ParseCertificate(tlscert.Certificate[0])
-	if err != nil {
-		t.Fatalf("x509.ParseCertificate: %v", err)
-	}
-	if len(cert.DNSNames) == 0 || cert.DNSNames[0] != domain {
-		t.Errorf("cert.DNSNames = %v; want %q", cert.DNSNames, domain)
-	}
-
-}
-
-func TestVerifyHTTP01(t *testing.T) {
-	var (
-		http01 http.Handler
-
-		authzCount      int // num. of created authorizations
-		didAcceptHTTP01 bool
-	)
-
-	verifyHTTPToken := func() {
-		r := httptest.NewRequest("GET", "/.well-known/acme-challenge/token-http-01", nil)
-		w := httptest.NewRecorder()
-		http01.ServeHTTP(w, r)
-		if w.Code != http.StatusOK {
-			t.Errorf("http token: w.Code = %d; want %d", w.Code, http.StatusOK)
-		}
-		if v := string(w.Body.Bytes()); !strings.HasPrefix(v, "token-http-01.") {
-			t.Errorf("http token value = %q; want 'token-http-01.' prefix", v)
-		}
-	}
-
-	// ACME CA server stub, only the needed bits.
-	// TODO: Merge this with startACMEServerStub, making it a configurable CA for testing.
-	var ca *httptest.Server
-	ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Replay-Nonce", "nonce")
-		if r.Method == "HEAD" {
-			// a nonce request
-			return
-		}
-
-		switch r.URL.Path {
-		// Discovery.
-		case "/":
-			if err := discoTmpl.Execute(w, ca.URL); err != nil {
-				t.Errorf("discoTmpl: %v", err)
-			}
-		// Client key registration.
-		case "/new-reg":
-			w.Write([]byte("{}"))
-		// New domain authorization.
-		case "/new-authz":
-			authzCount++
-			w.Header().Set("Location", fmt.Sprintf("%s/authz/%d", ca.URL, authzCount))
-			w.WriteHeader(http.StatusCreated)
-			if err := authzTmpl.Execute(w, ca.URL); err != nil {
-				t.Errorf("authzTmpl: %v", err)
-			}
-		// Accept tls-sni-02.
-		case "/challenge/2":
-			w.Write([]byte("{}"))
-		// Reject tls-sni-01.
-		case "/challenge/1":
-			http.Error(w, "won't accept tls-sni-01", http.StatusBadRequest)
-		// Should not accept dns-01.
-		case "/challenge/dns-01":
-			t.Errorf("dns-01 challenge was accepted")
-			http.Error(w, "won't accept dns-01", http.StatusBadRequest)
-		// Accept http-01.
-		case "/challenge/http-01":
-			didAcceptHTTP01 = true
-			verifyHTTPToken()
-			w.Write([]byte("{}"))
-		// Authorization statuses.
-		// Make tls-sni-xxx invalid.
-		case "/authz/1", "/authz/2":
-			w.Write([]byte(`{"status": "invalid"}`))
-		case "/authz/3", "/authz/4":
-			w.Write([]byte(`{"status": "valid"}`))
-		default:
-			http.NotFound(w, r)
-			t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
-		}
-	}))
-	defer ca.Close()
-
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	m := &Manager{
-		Client: &acme.Client{
-			Key:          key,
-			DirectoryURL: ca.URL,
-		},
-	}
-	http01 = m.HTTPHandler(nil)
-	if err := m.verify(context.Background(), m.Client, "example.org"); err != nil {
-		t.Errorf("m.verify: %v", err)
-	}
-	// Only tls-sni-01, tls-sni-02 and http-01 must be accepted
-	// The dns-01 challenge is unsupported.
-	if authzCount != 3 {
-		t.Errorf("authzCount = %d; want 3", authzCount)
-	}
-	if !didAcceptHTTP01 {
-		t.Error("did not accept http-01 challenge")
-	}
-}
-
-func TestHTTPHandlerDefaultFallback(t *testing.T) {
-	tt := []struct {
-		method, url  string
-		wantCode     int
-		wantLocation string
-	}{
-		{"GET", "http://example.org", 302, "https://example.org/"},
-		{"GET", "http://example.org/foo", 302, "https://example.org/foo"},
-		{"GET", "http://example.org/foo/bar/", 302, "https://example.org/foo/bar/"},
-		{"GET", "http://example.org/?a=b", 302, "https://example.org/?a=b"},
-		{"GET", "http://example.org/foo?a=b", 302, "https://example.org/foo?a=b"},
-		{"GET", "http://example.org:80/foo?a=b", 302, "https://example.org:443/foo?a=b"},
-		{"GET", "http://example.org:80/foo%20bar", 302, "https://example.org:443/foo%20bar"},
-		{"GET", "http://[2602:d1:xxxx::c60a]:1234", 302, "https://[2602:d1:xxxx::c60a]:443/"},
-		{"GET", "http://[2602:d1:xxxx::c60a]", 302, "https://[2602:d1:xxxx::c60a]/"},
-		{"GET", "http://[2602:d1:xxxx::c60a]/foo?a=b", 302, "https://[2602:d1:xxxx::c60a]/foo?a=b"},
-		{"HEAD", "http://example.org", 302, "https://example.org/"},
-		{"HEAD", "http://example.org/foo", 302, "https://example.org/foo"},
-		{"HEAD", "http://example.org/foo/bar/", 302, "https://example.org/foo/bar/"},
-		{"HEAD", "http://example.org/?a=b", 302, "https://example.org/?a=b"},
-		{"HEAD", "http://example.org/foo?a=b", 302, "https://example.org/foo?a=b"},
-		{"POST", "http://example.org", 400, ""},
-		{"PUT", "http://example.org", 400, ""},
-		{"GET", "http://example.org/.well-known/acme-challenge/x", 404, ""},
-	}
-	var m Manager
-	h := m.HTTPHandler(nil)
-	for i, test := range tt {
-		r := httptest.NewRequest(test.method, test.url, nil)
-		w := httptest.NewRecorder()
-		h.ServeHTTP(w, r)
-		if w.Code != test.wantCode {
-			t.Errorf("%d: w.Code = %d; want %d", i, w.Code, test.wantCode)
-			t.Errorf("%d: body: %s", i, w.Body.Bytes())
-		}
-		if v := w.Header().Get("Location"); v != test.wantLocation {
-			t.Errorf("%d: Location = %q; want %q", i, v, test.wantLocation)
-		}
-	}
-}
-
-func TestAccountKeyCache(t *testing.T) {
-	m := Manager{Cache: newMemCache()}
-	ctx := context.Background()
-	k1, err := m.accountKey(ctx)
-	if err != nil {
-		t.Fatal(err)
-	}
-	k2, err := m.accountKey(ctx)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !reflect.DeepEqual(k1, k2) {
-		t.Errorf("account keys don't match: k1 = %#v; k2 = %#v", k1, k2)
-	}
-}
-
-func TestCache(t *testing.T) {
-	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	tmpl := &x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject:      pkix.Name{CommonName: "example.org"},
-		NotAfter:     time.Now().Add(time.Hour),
-	}
-	pub, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &privKey.PublicKey, privKey)
-	if err != nil {
-		t.Fatal(err)
-	}
-	tlscert := &tls.Certificate{
-		Certificate: [][]byte{pub},
-		PrivateKey:  privKey,
-	}
-
-	man := &Manager{Cache: newMemCache()}
-	defer man.stopRenew()
-	ctx := context.Background()
-	if err := man.cachePut(ctx, "example.org", tlscert); err != nil {
-		t.Fatalf("man.cachePut: %v", err)
-	}
-	res, err := man.cacheGet(ctx, "example.org")
-	if err != nil {
-		t.Fatalf("man.cacheGet: %v", err)
-	}
-	if res == nil {
-		t.Fatal("res is nil")
-	}
-}
-
-func TestHostWhitelist(t *testing.T) {
-	policy := HostWhitelist("example.com", "example.org", "*.example.net")
-	tt := []struct {
-		host  string
-		allow bool
-	}{
-		{"example.com", true},
-		{"example.org", true},
-		{"one.example.com", false},
-		{"two.example.org", false},
-		{"three.example.net", false},
-		{"dummy", false},
-	}
-	for i, test := range tt {
-		err := policy(nil, test.host)
-		if err != nil && test.allow {
-			t.Errorf("%d: policy(%q): %v; want nil", i, test.host, err)
-		}
-		if err == nil && !test.allow {
-			t.Errorf("%d: policy(%q): nil; want an error", i, test.host)
-		}
-	}
-}
-
-func TestValidCert(t *testing.T) {
-	key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	key2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	key3, err := rsa.GenerateKey(rand.Reader, 512)
-	if err != nil {
-		t.Fatal(err)
-	}
-	cert1, err := dummyCert(key1.Public(), "example.org")
-	if err != nil {
-		t.Fatal(err)
-	}
-	cert2, err := dummyCert(key2.Public(), "example.org")
-	if err != nil {
-		t.Fatal(err)
-	}
-	cert3, err := dummyCert(key3.Public(), "example.org")
-	if err != nil {
-		t.Fatal(err)
-	}
-	now := time.Now()
-	early, err := dateDummyCert(key1.Public(), now.Add(time.Hour), now.Add(2*time.Hour), "example.org")
-	if err != nil {
-		t.Fatal(err)
-	}
-	expired, err := dateDummyCert(key1.Public(), now.Add(-2*time.Hour), now.Add(-time.Hour), "example.org")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	tt := []struct {
-		domain string
-		key    crypto.Signer
-		cert   [][]byte
-		ok     bool
-	}{
-		{"example.org", key1, [][]byte{cert1}, true},
-		{"example.org", key3, [][]byte{cert3}, true},
-		{"example.org", key1, [][]byte{cert1, cert2, cert3}, true},
-		{"example.org", key1, [][]byte{cert1, {1}}, false},
-		{"example.org", key1, [][]byte{{1}}, false},
-		{"example.org", key1, [][]byte{cert2}, false},
-		{"example.org", key2, [][]byte{cert1}, false},
-		{"example.org", key1, [][]byte{cert3}, false},
-		{"example.org", key3, [][]byte{cert1}, false},
-		{"example.net", key1, [][]byte{cert1}, false},
-		{"example.org", key1, [][]byte{early}, false},
-		{"example.org", key1, [][]byte{expired}, false},
-	}
-	for i, test := range tt {
-		leaf, err := validCert(test.domain, test.cert, test.key)
-		if err != nil && test.ok {
-			t.Errorf("%d: err = %v", i, err)
-		}
-		if err == nil && !test.ok {
-			t.Errorf("%d: err is nil", i)
-		}
-		if err == nil && test.ok && leaf == nil {
-			t.Errorf("%d: leaf is nil", i)
-		}
-	}
-}
-
-type cacheGetFunc func(ctx context.Context, key string) ([]byte, error)
-
-func (f cacheGetFunc) Get(ctx context.Context, key string) ([]byte, error) {
-	return f(ctx, key)
-}
-
-func (f cacheGetFunc) Put(ctx context.Context, key string, data []byte) error {
-	return fmt.Errorf("unsupported Put of %q = %q", key, data)
-}
-
-func (f cacheGetFunc) Delete(ctx context.Context, key string) error {
-	return fmt.Errorf("unsupported Delete of %q", key)
-}
-
-func TestManagerGetCertificateBogusSNI(t *testing.T) {
-	m := Manager{
-		Prompt: AcceptTOS,
-		Cache: cacheGetFunc(func(ctx context.Context, key string) ([]byte, error) {
-			return nil, fmt.Errorf("cache.Get of %s", key)
-		}),
-	}
-	tests := []struct {
-		name    string
-		wantErr string
-	}{
-		{"foo.com", "cache.Get of foo.com"},
-		{"foo.com.", "cache.Get of foo.com"},
-		{`a\b.com`, "acme/autocert: server name contains invalid character"},
-		{`a/b.com`, "acme/autocert: server name contains invalid character"},
-		{"", "acme/autocert: missing server name"},
-		{"foo", "acme/autocert: server name component count invalid"},
-		{".foo", "acme/autocert: server name component count invalid"},
-		{"foo.", "acme/autocert: server name component count invalid"},
-		{"fo.o", "cache.Get of fo.o"},
-	}
-	for _, tt := range tests {
-		_, err := m.GetCertificate(&tls.ClientHelloInfo{ServerName: tt.name})
-		got := fmt.Sprint(err)
-		if got != tt.wantErr {
-			t.Errorf("GetCertificate(SNI = %q) = %q; want %q", tt.name, got, tt.wantErr)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/cache.go b/vendor/golang.org/x/crypto/acme/autocert/cache.go
deleted file mode 100644
index 61a5fd23..00000000
--- a/vendor/golang.org/x/crypto/acme/autocert/cache.go
+++ /dev/null
@@ -1,130 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
-	"context"
-	"errors"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-)
-
-// ErrCacheMiss is returned when a certificate is not found in cache.
-var ErrCacheMiss = errors.New("acme/autocert: certificate cache miss")
-
-// Cache is used by Manager to store and retrieve previously obtained certificates
-// as opaque data.
-//
-// The key argument of the methods refers to a domain name but need not be an FQDN.
-// Cache implementations should not rely on the key naming pattern.
-type Cache interface {
-	// Get returns a certificate data for the specified key.
-	// If there's no such key, Get returns ErrCacheMiss.
-	Get(ctx context.Context, key string) ([]byte, error)
-
-	// Put stores the data in the cache under the specified key.
-	// Underlying implementations may use any data storage format,
-	// as long as the reverse operation, Get, results in the original data.
-	Put(ctx context.Context, key string, data []byte) error
-
-	// Delete removes a certificate data from the cache under the specified key.
-	// If there's no such key in the cache, Delete returns nil.
-	Delete(ctx context.Context, key string) error
-}
-
-// DirCache implements Cache using a directory on the local filesystem.
-// If the directory does not exist, it will be created with 0700 permissions.
-type DirCache string
-
-// Get reads a certificate data from the specified file name.
-func (d DirCache) Get(ctx context.Context, name string) ([]byte, error) {
-	name = filepath.Join(string(d), name)
-	var (
-		data []byte
-		err  error
-		done = make(chan struct{})
-	)
-	go func() {
-		data, err = ioutil.ReadFile(name)
-		close(done)
-	}()
-	select {
-	case <-ctx.Done():
-		return nil, ctx.Err()
-	case <-done:
-	}
-	if os.IsNotExist(err) {
-		return nil, ErrCacheMiss
-	}
-	return data, err
-}
-
-// Put writes the certificate data to the specified file name.
-// The file will be created with 0600 permissions.
-func (d DirCache) Put(ctx context.Context, name string, data []byte) error {
-	if err := os.MkdirAll(string(d), 0700); err != nil {
-		return err
-	}
-
-	done := make(chan struct{})
-	var err error
-	go func() {
-		defer close(done)
-		var tmp string
-		if tmp, err = d.writeTempFile(name, data); err != nil {
-			return
-		}
-		select {
-		case <-ctx.Done():
-			// Don't overwrite the file if the context was canceled.
-		default:
-			newName := filepath.Join(string(d), name)
-			err = os.Rename(tmp, newName)
-		}
-	}()
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	case <-done:
-	}
-	return err
-}
-
-// Delete removes the specified file name.
-func (d DirCache) Delete(ctx context.Context, name string) error {
-	name = filepath.Join(string(d), name)
-	var (
-		err  error
-		done = make(chan struct{})
-	)
-	go func() {
-		err = os.Remove(name)
-		close(done)
-	}()
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	case <-done:
-	}
-	if err != nil && !os.IsNotExist(err) {
-		return err
-	}
-	return nil
-}
-
-// writeTempFile writes b to a temporary file, closes the file and returns its path.
-func (d DirCache) writeTempFile(prefix string, b []byte) (string, error) {
-	// TempFile uses 0600 permissions
-	f, err := ioutil.TempFile(string(d), prefix)
-	if err != nil {
-		return "", err
-	}
-	if _, err := f.Write(b); err != nil {
-		f.Close()
-		return "", err
-	}
-	return f.Name(), f.Close()
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/cache_test.go b/vendor/golang.org/x/crypto/acme/autocert/cache_test.go
deleted file mode 100644
index 653b05be..00000000
--- a/vendor/golang.org/x/crypto/acme/autocert/cache_test.go
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
-	"context"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"reflect"
-	"testing"
-)
-
-// make sure DirCache satisfies Cache interface
-var _ Cache = DirCache("/")
-
-func TestDirCache(t *testing.T) {
-	dir, err := ioutil.TempDir("", "autocert")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(dir)
-	dir = filepath.Join(dir, "certs") // a nonexistent dir
-	cache := DirCache(dir)
-	ctx := context.Background()
-
-	// test cache miss
-	if _, err := cache.Get(ctx, "nonexistent"); err != ErrCacheMiss {
-		t.Errorf("get: %v; want ErrCacheMiss", err)
-	}
-
-	// test put/get
-	b1 := []byte{1}
-	if err := cache.Put(ctx, "dummy", b1); err != nil {
-		t.Fatalf("put: %v", err)
-	}
-	b2, err := cache.Get(ctx, "dummy")
-	if err != nil {
-		t.Fatalf("get: %v", err)
-	}
-	if !reflect.DeepEqual(b1, b2) {
-		t.Errorf("b1 = %v; want %v", b1, b2)
-	}
-	name := filepath.Join(dir, "dummy")
-	if _, err := os.Stat(name); err != nil {
-		t.Error(err)
-	}
-
-	// test delete
-	if err := cache.Delete(ctx, "dummy"); err != nil {
-		t.Fatalf("delete: %v", err)
-	}
-	if _, err := cache.Get(ctx, "dummy"); err != ErrCacheMiss {
-		t.Errorf("get: %v; want ErrCacheMiss", err)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/example_test.go b/vendor/golang.org/x/crypto/acme/autocert/example_test.go
deleted file mode 100644
index 552a6254..00000000
--- a/vendor/golang.org/x/crypto/acme/autocert/example_test.go
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert_test
-
-import (
-	"crypto/tls"
-	"fmt"
-	"log"
-	"net/http"
-
-	"golang.org/x/crypto/acme/autocert"
-)
-
-func ExampleNewListener() {
-	mux := http.NewServeMux()
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, "Hello, TLS user! Your config: %+v", r.TLS)
-	})
-	log.Fatal(http.Serve(autocert.NewListener("example.com"), mux))
-}
-
-func ExampleManager() {
-	m := &autocert.Manager{
-		Cache:      autocert.DirCache("secret-dir"),
-		Prompt:     autocert.AcceptTOS,
-		HostPolicy: autocert.HostWhitelist("example.org"),
-	}
-	go http.ListenAndServe(":http", m.HTTPHandler(nil))
-	s := &http.Server{
-		Addr:      ":https",
-		TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
-	}
-	s.ListenAndServeTLS("", "")
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/listener.go b/vendor/golang.org/x/crypto/acme/autocert/listener.go
deleted file mode 100644
index d744df0e..00000000
--- a/vendor/golang.org/x/crypto/acme/autocert/listener.go
+++ /dev/null
@@ -1,160 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
-	"crypto/tls"
-	"log"
-	"net"
-	"os"
-	"path/filepath"
-	"runtime"
-	"time"
-)
-
-// NewListener returns a net.Listener that listens on the standard TLS
-// port (443) on all interfaces and returns *tls.Conn connections with
-// LetsEncrypt certificates for the provided domain or domains.
-//
-// It enables one-line HTTPS servers:
-//
-//     log.Fatal(http.Serve(autocert.NewListener("example.com"), handler))
-//
-// NewListener is a convenience function for a common configuration.
-// More complex or custom configurations can use the autocert.Manager
-// type instead.
-//
-// Use of this function implies acceptance of the LetsEncrypt Terms of
-// Service. If domains is not empty, the provided domains are passed
-// to HostWhitelist. If domains is empty, the listener will do
-// LetsEncrypt challenges for any requested domain, which is not
-// recommended.
-//
-// Certificates are cached in a "golang-autocert" directory under an
-// operating system-specific cache or temp directory. This may not
-// be suitable for servers spanning multiple machines.
-//
-// The returned listener uses a *tls.Config that enables HTTP/2, and
-// should only be used with servers that support HTTP/2.
-//
-// The returned Listener also enables TCP keep-alives on the accepted
-// connections. The returned *tls.Conn are returned before their TLS
-// handshake has completed.
-func NewListener(domains ...string) net.Listener {
-	m := &Manager{
-		Prompt: AcceptTOS,
-	}
-	if len(domains) > 0 {
-		m.HostPolicy = HostWhitelist(domains...)
-	}
-	dir := cacheDir()
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		log.Printf("warning: autocert.NewListener not using a cache: %v", err)
-	} else {
-		m.Cache = DirCache(dir)
-	}
-	return m.Listener()
-}
-
-// Listener listens on the standard TLS port (443) on all interfaces
-// and returns a net.Listener returning *tls.Conn connections.
-//
-// The returned listener uses a *tls.Config that enables HTTP/2, and
-// should only be used with servers that support HTTP/2.
-//
-// The returned Listener also enables TCP keep-alives on the accepted
-// connections. The returned *tls.Conn are returned before their TLS
-// handshake has completed.
-//
-// Unlike NewListener, it is the caller's responsibility to initialize
-// the Manager m's Prompt, Cache, HostPolicy, and other desired options.
-func (m *Manager) Listener() net.Listener {
-	ln := &listener{
-		m: m,
-		conf: &tls.Config{
-			GetCertificate: m.GetCertificate,           // bonus: panic on nil m
-			NextProtos:     []string{"h2", "http/1.1"}, // Enable HTTP/2
-		},
-	}
-	ln.tcpListener, ln.tcpListenErr = net.Listen("tcp", ":443")
-	return ln
-}
-
-type listener struct {
-	m    *Manager
-	conf *tls.Config
-
-	tcpListener  net.Listener
-	tcpListenErr error
-}
-
-func (ln *listener) Accept() (net.Conn, error) {
-	if ln.tcpListenErr != nil {
-		return nil, ln.tcpListenErr
-	}
-	conn, err := ln.tcpListener.Accept()
-	if err != nil {
-		return nil, err
-	}
-	tcpConn := conn.(*net.TCPConn)
-
-	// Because Listener is a convenience function, help out with
-	// this too.  This is not possible for the caller to set once
-	// we return a *tcp.Conn wrapping an inaccessible net.Conn.
-	// If callers don't want this, they can do things the manual
-	// way and tweak as needed. But this is what net/http does
-	// itself, so copy that. If net/http changes, we can change
-	// here too.
-	tcpConn.SetKeepAlive(true)
-	tcpConn.SetKeepAlivePeriod(3 * time.Minute)
-
-	return tls.Server(tcpConn, ln.conf), nil
-}
-
-func (ln *listener) Addr() net.Addr {
-	if ln.tcpListener != nil {
-		return ln.tcpListener.Addr()
-	}
-	// net.Listen failed. Return something non-nil in case callers
-	// call Addr before Accept:
-	return &net.TCPAddr{IP: net.IP{0, 0, 0, 0}, Port: 443}
-}
-
-func (ln *listener) Close() error {
-	if ln.tcpListenErr != nil {
-		return ln.tcpListenErr
-	}
-	return ln.tcpListener.Close()
-}
-
-func homeDir() string {
-	if runtime.GOOS == "windows" {
-		return os.Getenv("HOMEDRIVE") + os.Getenv("HOMEPATH")
-	}
-	if h := os.Getenv("HOME"); h != "" {
-		return h
-	}
-	return "/"
-}
-
-func cacheDir() string {
-	const base = "golang-autocert"
-	switch runtime.GOOS {
-	case "darwin":
-		return filepath.Join(homeDir(), "Library", "Caches", base)
-	case "windows":
-		for _, ev := range []string{"APPDATA", "CSIDL_APPDATA", "TEMP", "TMP"} {
-			if v := os.Getenv(ev); v != "" {
-				return filepath.Join(v, base)
-			}
-		}
-		// Worst case:
-		return filepath.Join(homeDir(), base)
-	}
-	if xdg := os.Getenv("XDG_CACHE_HOME"); xdg != "" {
-		return filepath.Join(xdg, base)
-	}
-	return filepath.Join(homeDir(), ".cache", base)
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/renewal.go b/vendor/golang.org/x/crypto/acme/autocert/renewal.go
deleted file mode 100644
index 6c5da2bc..00000000
--- a/vendor/golang.org/x/crypto/acme/autocert/renewal.go
+++ /dev/null
@@ -1,124 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
-	"context"
-	"crypto"
-	"sync"
-	"time"
-)
-
-// renewJitter is the maximum deviation from Manager.RenewBefore.
-const renewJitter = time.Hour
-
-// domainRenewal tracks the state used by the periodic timers
-// renewing a single domain's cert.
-type domainRenewal struct {
-	m      *Manager
-	domain string
-	key    crypto.Signer
-
-	timerMu sync.Mutex
-	timer   *time.Timer
-}
-
-// start starts a cert renewal timer at the time
-// defined by the certificate expiration time exp.
-//
-// If the timer is already started, calling start is a noop.
-func (dr *domainRenewal) start(exp time.Time) {
-	dr.timerMu.Lock()
-	defer dr.timerMu.Unlock()
-	if dr.timer != nil {
-		return
-	}
-	dr.timer = time.AfterFunc(dr.next(exp), dr.renew)
-}
-
-// stop stops the cert renewal timer.
-// If the timer is already stopped, calling stop is a noop.
-func (dr *domainRenewal) stop() {
-	dr.timerMu.Lock()
-	defer dr.timerMu.Unlock()
-	if dr.timer == nil {
-		return
-	}
-	dr.timer.Stop()
-	dr.timer = nil
-}
-
-// renew is called periodically by a timer.
-// The first renew call is kicked off by dr.start.
-func (dr *domainRenewal) renew() {
-	dr.timerMu.Lock()
-	defer dr.timerMu.Unlock()
-	if dr.timer == nil {
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
-	defer cancel()
-	// TODO: rotate dr.key at some point?
-	next, err := dr.do(ctx)
-	if err != nil {
-		next = renewJitter / 2
-		next += time.Duration(pseudoRand.int63n(int64(next)))
-	}
-	dr.timer = time.AfterFunc(next, dr.renew)
-	testDidRenewLoop(next, err)
-}
-
-// do is similar to Manager.createCert but it doesn't lock a Manager.state item.
-// Instead, it requests a new certificate independently and, upon success,
-// replaces dr.m.state item with a new one and updates cache for the given domain.
-//
-// It may return immediately if the expiration date of the currently cached cert
-// is far enough in the future.
-//
-// The returned value is a time interval after which the renewal should occur again.
-func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) {
-	// a race is likely unavoidable in a distributed environment
-	// but we try nonetheless
-	if tlscert, err := dr.m.cacheGet(ctx, dr.domain); err == nil {
-		next := dr.next(tlscert.Leaf.NotAfter)
-		if next > dr.m.renewBefore()+renewJitter {
-			return next, nil
-		}
-	}
-
-	der, leaf, err := dr.m.authorizedCert(ctx, dr.key, dr.domain)
-	if err != nil {
-		return 0, err
-	}
-	state := &certState{
-		key:  dr.key,
-		cert: der,
-		leaf: leaf,
-	}
-	tlscert, err := state.tlscert()
-	if err != nil {
-		return 0, err
-	}
-	dr.m.cachePut(ctx, dr.domain, tlscert)
-	dr.m.stateMu.Lock()
-	defer dr.m.stateMu.Unlock()
-	// m.state is guaranteed to be non-nil at this point
-	dr.m.state[dr.domain] = state
-	return dr.next(leaf.NotAfter), nil
-}
-
-func (dr *domainRenewal) next(expiry time.Time) time.Duration {
-	d := expiry.Sub(timeNow()) - dr.m.renewBefore()
-	// add a bit of randomness to renew deadline
-	n := pseudoRand.int63n(int64(renewJitter))
-	d -= time.Duration(n)
-	if d < 0 {
-		return 0
-	}
-	return d
-}
-
-var testDidRenewLoop = func(next time.Duration, err error) {}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/renewal_test.go b/vendor/golang.org/x/crypto/acme/autocert/renewal_test.go
deleted file mode 100644
index 11d40ff5..00000000
--- a/vendor/golang.org/x/crypto/acme/autocert/renewal_test.go
+++ /dev/null
@@ -1,191 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"golang.org/x/crypto/acme"
-)
-
-func TestRenewalNext(t *testing.T) {
-	now := time.Now()
-	timeNow = func() time.Time { return now }
-	defer func() { timeNow = time.Now }()
-
-	man := &Manager{RenewBefore: 7 * 24 * time.Hour}
-	defer man.stopRenew()
-	tt := []struct {
-		expiry   time.Time
-		min, max time.Duration
-	}{
-		{now.Add(90 * 24 * time.Hour), 83*24*time.Hour - renewJitter, 83 * 24 * time.Hour},
-		{now.Add(time.Hour), 0, 1},
-		{now, 0, 1},
-		{now.Add(-time.Hour), 0, 1},
-	}
-
-	dr := &domainRenewal{m: man}
-	for i, test := range tt {
-		next := dr.next(test.expiry)
-		if next < test.min || test.max < next {
-			t.Errorf("%d: next = %v; want between %v and %v", i, next, test.min, test.max)
-		}
-	}
-}
-
-func TestRenewFromCache(t *testing.T) {
-	const domain = "example.org"
-
-	// ACME CA server stub
-	var ca *httptest.Server
-	ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Replay-Nonce", "nonce")
-		if r.Method == "HEAD" {
-			// a nonce request
-			return
-		}
-
-		switch r.URL.Path {
-		// discovery
-		case "/":
-			if err := discoTmpl.Execute(w, ca.URL); err != nil {
-				t.Fatalf("discoTmpl: %v", err)
-			}
-		// client key registration
-		case "/new-reg":
-			w.Write([]byte("{}"))
-		// domain authorization
-		case "/new-authz":
-			w.Header().Set("Location", ca.URL+"/authz/1")
-			w.WriteHeader(http.StatusCreated)
-			w.Write([]byte(`{"status": "valid"}`))
-		// cert request
-		case "/new-cert":
-			var req struct {
-				CSR string `json:"csr"`
-			}
-			decodePayload(&req, r.Body)
-			b, _ := base64.RawURLEncoding.DecodeString(req.CSR)
-			csr, err := x509.ParseCertificateRequest(b)
-			if err != nil {
-				t.Fatalf("new-cert: CSR: %v", err)
-			}
-			der, err := dummyCert(csr.PublicKey, domain)
-			if err != nil {
-				t.Fatalf("new-cert: dummyCert: %v", err)
-			}
-			chainUp := fmt.Sprintf("<%s/ca-cert>; rel=up", ca.URL)
-			w.Header().Set("Link", chainUp)
-			w.WriteHeader(http.StatusCreated)
-			w.Write(der)
-		// CA chain cert
-		case "/ca-cert":
-			der, err := dummyCert(nil, "ca")
-			if err != nil {
-				t.Fatalf("ca-cert: dummyCert: %v", err)
-			}
-			w.Write(der)
-		default:
-			t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
-		}
-	}))
-	defer ca.Close()
-
-	// use EC key to run faster on 386
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	man := &Manager{
-		Prompt:      AcceptTOS,
-		Cache:       newMemCache(),
-		RenewBefore: 24 * time.Hour,
-		Client: &acme.Client{
-			Key:          key,
-			DirectoryURL: ca.URL,
-		},
-	}
-	defer man.stopRenew()
-
-	// cache an almost expired cert
-	now := time.Now()
-	cert, err := dateDummyCert(key.Public(), now.Add(-2*time.Hour), now.Add(time.Minute), domain)
-	if err != nil {
-		t.Fatal(err)
-	}
-	tlscert := &tls.Certificate{PrivateKey: key, Certificate: [][]byte{cert}}
-	if err := man.cachePut(context.Background(), domain, tlscert); err != nil {
-		t.Fatal(err)
-	}
-
-	// veriy the renewal happened
-	defer func() {
-		testDidRenewLoop = func(next time.Duration, err error) {}
-	}()
-	done := make(chan struct{})
-	testDidRenewLoop = func(next time.Duration, err error) {
-		defer close(done)
-		if err != nil {
-			t.Errorf("testDidRenewLoop: %v", err)
-		}
-		// Next should be about 90 days:
-		// dummyCert creates 90days expiry + account for man.RenewBefore.
-		// Previous expiration was within 1 min.
-		future := 88 * 24 * time.Hour
-		if next < future {
-			t.Errorf("testDidRenewLoop: next = %v; want >= %v", next, future)
-		}
-
-		// ensure the new cert is cached
-		after := time.Now().Add(future)
-		tlscert, err := man.cacheGet(context.Background(), domain)
-		if err != nil {
-			t.Fatalf("man.cacheGet: %v", err)
-		}
-		if !tlscert.Leaf.NotAfter.After(after) {
-			t.Errorf("cache leaf.NotAfter = %v; want > %v", tlscert.Leaf.NotAfter, after)
-		}
-
-		// verify the old cert is also replaced in memory
-		man.stateMu.Lock()
-		defer man.stateMu.Unlock()
-		s := man.state[domain]
-		if s == nil {
-			t.Fatalf("m.state[%q] is nil", domain)
-		}
-		tlscert, err = s.tlscert()
-		if err != nil {
-			t.Fatalf("s.tlscert: %v", err)
-		}
-		if !tlscert.Leaf.NotAfter.After(after) {
-			t.Errorf("state leaf.NotAfter = %v; want > %v", tlscert.Leaf.NotAfter, after)
-		}
-	}
-
-	// trigger renew
-	hello := &tls.ClientHelloInfo{ServerName: domain}
-	if _, err := man.GetCertificate(hello); err != nil {
-		t.Fatal(err)
-	}
-
-	// wait for renew loop
-	select {
-	case <-time.After(10 * time.Second):
-		t.Fatal("renew took too long to occur")
-	case <-done:
-	}
-}
diff --git a/vendor/golang.org/x/crypto/acme/jws.go b/vendor/golang.org/x/crypto/acme/jws.go
deleted file mode 100644
index 6cbca25d..00000000
--- a/vendor/golang.org/x/crypto/acme/jws.go
+++ /dev/null
@@ -1,153 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha256"
-	_ "crypto/sha512" // need for EC keys
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"math/big"
-)
-
-// jwsEncodeJSON signs claimset using provided key and a nonce.
-// The result is serialized in JSON format.
-// See https://tools.ietf.org/html/rfc7515#section-7.
-func jwsEncodeJSON(claimset interface{}, key crypto.Signer, nonce string) ([]byte, error) {
-	jwk, err := jwkEncode(key.Public())
-	if err != nil {
-		return nil, err
-	}
-	alg, sha := jwsHasher(key)
-	if alg == "" || !sha.Available() {
-		return nil, ErrUnsupportedKey
-	}
-	phead := fmt.Sprintf(`{"alg":%q,"jwk":%s,"nonce":%q}`, alg, jwk, nonce)
-	phead = base64.RawURLEncoding.EncodeToString([]byte(phead))
-	cs, err := json.Marshal(claimset)
-	if err != nil {
-		return nil, err
-	}
-	payload := base64.RawURLEncoding.EncodeToString(cs)
-	hash := sha.New()
-	hash.Write([]byte(phead + "." + payload))
-	sig, err := jwsSign(key, sha, hash.Sum(nil))
-	if err != nil {
-		return nil, err
-	}
-
-	enc := struct {
-		Protected string `json:"protected"`
-		Payload   string `json:"payload"`
-		Sig       string `json:"signature"`
-	}{
-		Protected: phead,
-		Payload:   payload,
-		Sig:       base64.RawURLEncoding.EncodeToString(sig),
-	}
-	return json.Marshal(&enc)
-}
-
-// jwkEncode encodes public part of an RSA or ECDSA key into a JWK.
-// The result is also suitable for creating a JWK thumbprint.
-// https://tools.ietf.org/html/rfc7517
-func jwkEncode(pub crypto.PublicKey) (string, error) {
-	switch pub := pub.(type) {
-	case *rsa.PublicKey:
-		// https://tools.ietf.org/html/rfc7518#section-6.3.1
-		n := pub.N
-		e := big.NewInt(int64(pub.E))
-		// Field order is important.
-		// See https://tools.ietf.org/html/rfc7638#section-3.3 for details.
-		return fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`,
-			base64.RawURLEncoding.EncodeToString(e.Bytes()),
-			base64.RawURLEncoding.EncodeToString(n.Bytes()),
-		), nil
-	case *ecdsa.PublicKey:
-		// https://tools.ietf.org/html/rfc7518#section-6.2.1
-		p := pub.Curve.Params()
-		n := p.BitSize / 8
-		if p.BitSize%8 != 0 {
-			n++
-		}
-		x := pub.X.Bytes()
-		if n > len(x) {
-			x = append(make([]byte, n-len(x)), x...)
-		}
-		y := pub.Y.Bytes()
-		if n > len(y) {
-			y = append(make([]byte, n-len(y)), y...)
-		}
-		// Field order is important.
-		// See https://tools.ietf.org/html/rfc7638#section-3.3 for details.
-		return fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`,
-			p.Name,
-			base64.RawURLEncoding.EncodeToString(x),
-			base64.RawURLEncoding.EncodeToString(y),
-		), nil
-	}
-	return "", ErrUnsupportedKey
-}
-
-// jwsSign signs the digest using the given key.
-// It returns ErrUnsupportedKey if the key type is unknown.
-// The hash is used only for RSA keys.
-func jwsSign(key crypto.Signer, hash crypto.Hash, digest []byte) ([]byte, error) {
-	switch key := key.(type) {
-	case *rsa.PrivateKey:
-		return key.Sign(rand.Reader, digest, hash)
-	case *ecdsa.PrivateKey:
-		r, s, err := ecdsa.Sign(rand.Reader, key, digest)
-		if err != nil {
-			return nil, err
-		}
-		rb, sb := r.Bytes(), s.Bytes()
-		size := key.Params().BitSize / 8
-		if size%8 > 0 {
-			size++
-		}
-		sig := make([]byte, size*2)
-		copy(sig[size-len(rb):], rb)
-		copy(sig[size*2-len(sb):], sb)
-		return sig, nil
-	}
-	return nil, ErrUnsupportedKey
-}
-
-// jwsHasher indicates suitable JWS algorithm name and a hash function
-// to use for signing a digest with the provided key.
-// It returns ("", 0) if the key is not supported.
-func jwsHasher(key crypto.Signer) (string, crypto.Hash) {
-	switch key := key.(type) {
-	case *rsa.PrivateKey:
-		return "RS256", crypto.SHA256
-	case *ecdsa.PrivateKey:
-		switch key.Params().Name {
-		case "P-256":
-			return "ES256", crypto.SHA256
-		case "P-384":
-			return "ES384", crypto.SHA384
-		case "P-521":
-			return "ES512", crypto.SHA512
-		}
-	}
-	return "", 0
-}
-
-// JWKThumbprint creates a JWK thumbprint out of pub
-// as specified in https://tools.ietf.org/html/rfc7638.
-func JWKThumbprint(pub crypto.PublicKey) (string, error) {
-	jwk, err := jwkEncode(pub)
-	if err != nil {
-		return "", err
-	}
-	b := sha256.Sum256([]byte(jwk))
-	return base64.RawURLEncoding.EncodeToString(b[:]), nil
-}
diff --git a/vendor/golang.org/x/crypto/acme/jws_test.go b/vendor/golang.org/x/crypto/acme/jws_test.go
deleted file mode 100644
index 0ff0fb5a..00000000
--- a/vendor/golang.org/x/crypto/acme/jws_test.go
+++ /dev/null
@@ -1,319 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/json"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-	"testing"
-)
-
-const (
-	testKeyPEM = `
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA4xgZ3eRPkwoRvy7qeRUbmMDe0V+xH9eWLdu0iheeLlrmD2mq
-WXfP9IeSKApbn34g8TuAS9g5zhq8ELQ3kmjr+KV86GAMgI6VAcGlq3QrzpTCf/30
-Ab7+zawrfRaFONa1HwEzPY1KHnGVkxJc85gNkwYI9SY2RHXtvln3zs5wITNrdosq
-EXeaIkVYBEhbhNu54pp3kxo6TuWLi9e6pXeWetEwmlBwtWZlPoib2j3TxLBksKZf
-oyFyek380mHgJAumQ/I2fjj98/97mk3ihOY4AgVdCDj1z/GCoZkG5Rq7nbCGyosy
-KWyDX00Zs+nNqVhoLeIvXC4nnWdJMZ6rogxyQQIDAQABAoIBACIEZTOI1Kao9nmV
-9IeIsuaR1Y61b9neOF/MLmIVIZu+AAJFCMB4Iw11FV6sFodwpEyeZhx2WkpWVN+H
-r19eGiLX3zsL0DOdqBJoSIHDWCCMxgnYJ6nvS0nRxX3qVrBp8R2g12Ub+gNPbmFm
-ecf/eeERIVxfifd9VsyRu34eDEvcmKFuLYbElFcPh62xE3x12UZvV/sN7gXbawpP
-G+w255vbE5MoaKdnnO83cTFlcHvhn24M/78qP7Te5OAeelr1R89kYxQLpuGe4fbS
-zc6E3ym5Td6urDetGGrSY1Eu10/8sMusX+KNWkm+RsBRbkyKq72ks/qKpOxOa+c6
-9gm+Y8ECgYEA/iNUyg1ubRdH11p82l8KHtFC1DPE0V1gSZsX29TpM5jS4qv46K+s
-8Ym1zmrORM8x+cynfPx1VQZQ34EYeCMIX212ryJ+zDATl4NE0I4muMvSiH9vx6Xc
-7FmhNnaYzPsBL5Tm9nmtQuP09YEn8poiOJFiDs/4olnD5ogA5O4THGkCgYEA5MIL
-qWYBUuqbEWLRtMruUtpASclrBqNNsJEsMGbeqBJmoMxdHeSZckbLOrqm7GlMyNRJ
-Ne/5uWRGSzaMYuGmwsPpERzqEvYFnSrpjW5YtXZ+JtxFXNVfm9Z1gLLgvGpOUCIU
-RbpoDckDe1vgUuk3y5+DjZihs+rqIJ45XzXTzBkCgYBWuf3segruJZy5rEKhTv+o
-JqeUvRn0jNYYKFpLBeyTVBrbie6GkbUGNIWbrK05pC+c3K9nosvzuRUOQQL1tJbd
-4gA3oiD9U4bMFNr+BRTHyZ7OQBcIXdz3t1qhuHVKtnngIAN1p25uPlbRFUNpshnt
-jgeVoHlsBhApcs5DUc+pyQKBgDzeHPg/+g4z+nrPznjKnktRY1W+0El93kgi+J0Q
-YiJacxBKEGTJ1MKBb8X6sDurcRDm22wMpGfd9I5Cv2v4GsUsF7HD/cx5xdih+G73
-c4clNj/k0Ff5Nm1izPUno4C+0IOl7br39IPmfpSuR6wH/h6iHQDqIeybjxyKvT1G
-N0rRAoGBAKGD+4ZI/E1MoJ5CXB8cDDMHagbE3cq/DtmYzE2v1DFpQYu5I4PCm5c7
-EQeIP6dZtv8IMgtGIb91QX9pXvP0aznzQKwYIA8nZgoENCPfiMTPiEDT9e/0lObO
-9XWsXpbSTsRPj0sv1rB+UzBJ0PgjK4q2zOF0sNo7b1+6nlM3BWPx
------END RSA PRIVATE KEY-----
-`
-
-	// This thumbprint is for the testKey defined above.
-	testKeyThumbprint = "6nicxzh6WETQlrvdchkz-U3e3DOQZ4heJKU63rfqMqQ"
-
-	// openssl ecparam -name secp256k1 -genkey -noout
-	testKeyECPEM = `
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIK07hGLr0RwyUdYJ8wbIiBS55CjnkMD23DWr+ccnypWLoAoGCCqGSM49
-AwEHoUQDQgAE5lhEug5xK4xBDZ2nAbaxLtaLiv85bxJ7ePd1dkO23HThqIrvawF5
-QAaS/RNouybCiRhRjI3EaxLkQwgrCw0gqQ==
------END EC PRIVATE KEY-----
-`
-	// openssl ecparam -name secp384r1 -genkey -noout
-	testKeyEC384PEM = `
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDAQ4lNtXRORWr1bgKR1CGysr9AJ9SyEk4jiVnlUWWUChmSNL+i9SLSD
-Oe/naPqXJ6CgBwYFK4EEACKhZANiAAQzKtj+Ms0vHoTX5dzv3/L5YMXOWuI5UKRj
-JigpahYCqXD2BA1j0E/2xt5vlPf+gm0PL+UHSQsCokGnIGuaHCsJAp3ry0gHQEke
-WYXapUUFdvaK1R2/2hn5O+eiQM8YzCg=
------END EC PRIVATE KEY-----
-`
-	// openssl ecparam -name secp521r1 -genkey -noout
-	testKeyEC512PEM = `
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBSNZKFcWzXzB/aJClAb305ibalKgtDA7+70eEkdPt28/3LZMM935Z
-KqYHh/COcxuu3Kt8azRAUz3gyr4zZKhlKUSgBwYFK4EEACOhgYkDgYYABAHUNKbx
-7JwC7H6pa2sV0tERWhHhB3JmW+OP6SUgMWryvIKajlx73eS24dy4QPGrWO9/ABsD
-FqcRSkNVTXnIv6+0mAF25knqIBIg5Q8M9BnOu9GGAchcwt3O7RDHmqewnJJDrbjd
-GGnm6rb+NnWR9DIopM0nKNkToWoF/hzopxu4Ae/GsQ==
------END EC PRIVATE KEY-----
-`
-	// 1. openssl ec -in key.pem -noout -text
-	// 2. remove first byte, 04 (the header); the rest is X and Y
-	// 3. convert each with: echo <val> | xxd -r -p | base64 -w 100 | tr -d '=' | tr '/+' '_-'
-	testKeyECPubX    = "5lhEug5xK4xBDZ2nAbaxLtaLiv85bxJ7ePd1dkO23HQ"
-	testKeyECPubY    = "4aiK72sBeUAGkv0TaLsmwokYUYyNxGsS5EMIKwsNIKk"
-	testKeyEC384PubX = "MyrY_jLNLx6E1-Xc79_y-WDFzlriOVCkYyYoKWoWAqlw9gQNY9BP9sbeb5T3_oJt"
-	testKeyEC384PubY = "Dy_lB0kLAqJBpyBrmhwrCQKd68tIB0BJHlmF2qVFBXb2itUdv9oZ-TvnokDPGMwo"
-	testKeyEC512PubX = "AdQ0pvHsnALsfqlraxXS0RFaEeEHcmZb44_pJSAxavK8gpqOXHvd5Lbh3LhA8atY738AGwMWpxFKQ1VNeci_r7SY"
-	testKeyEC512PubY = "AXbmSeogEiDlDwz0Gc670YYByFzC3c7tEMeap7CckkOtuN0Yaebqtv42dZH0MiikzSco2ROhagX-HOinG7gB78ax"
-
-	// echo -n '{"crv":"P-256","kty":"EC","x":"<testKeyECPubX>","y":"<testKeyECPubY>"}' | \
-	// openssl dgst -binary -sha256 | base64 | tr -d '=' | tr '/+' '_-'
-	testKeyECThumbprint = "zedj-Bd1Zshp8KLePv2MB-lJ_Hagp7wAwdkA0NUTniU"
-)
-
-var (
-	testKey      *rsa.PrivateKey
-	testKeyEC    *ecdsa.PrivateKey
-	testKeyEC384 *ecdsa.PrivateKey
-	testKeyEC512 *ecdsa.PrivateKey
-)
-
-func init() {
-	testKey = parseRSA(testKeyPEM, "testKeyPEM")
-	testKeyEC = parseEC(testKeyECPEM, "testKeyECPEM")
-	testKeyEC384 = parseEC(testKeyEC384PEM, "testKeyEC384PEM")
-	testKeyEC512 = parseEC(testKeyEC512PEM, "testKeyEC512PEM")
-}
-
-func decodePEM(s, name string) []byte {
-	d, _ := pem.Decode([]byte(s))
-	if d == nil {
-		panic("no block found in " + name)
-	}
-	return d.Bytes
-}
-
-func parseRSA(s, name string) *rsa.PrivateKey {
-	b := decodePEM(s, name)
-	k, err := x509.ParsePKCS1PrivateKey(b)
-	if err != nil {
-		panic(fmt.Sprintf("%s: %v", name, err))
-	}
-	return k
-}
-
-func parseEC(s, name string) *ecdsa.PrivateKey {
-	b := decodePEM(s, name)
-	k, err := x509.ParseECPrivateKey(b)
-	if err != nil {
-		panic(fmt.Sprintf("%s: %v", name, err))
-	}
-	return k
-}
-
-func TestJWSEncodeJSON(t *testing.T) {
-	claims := struct{ Msg string }{"Hello JWS"}
-	// JWS signed with testKey and "nonce" as the nonce value
-	// JSON-serialized JWS fields are split for easier testing
-	const (
-		// {"alg":"RS256","jwk":{"e":"AQAB","kty":"RSA","n":"..."},"nonce":"nonce"}
-		protected = "eyJhbGciOiJSUzI1NiIsImp3ayI6eyJlIjoiQVFBQiIsImt0eSI6" +
-			"IlJTQSIsIm4iOiI0eGdaM2VSUGt3b1J2eTdxZVJVYm1NRGUwVi14" +
-			"SDllV0xkdTBpaGVlTGxybUQybXFXWGZQOUllU0tBcGJuMzRnOFR1" +
-			"QVM5ZzV6aHE4RUxRM2ttanItS1Y4NkdBTWdJNlZBY0dscTNRcnpw" +
-			"VENmXzMwQWI3LXphd3JmUmFGT05hMUh3RXpQWTFLSG5HVmt4SmM4" +
-			"NWdOa3dZSTlTWTJSSFh0dmxuM3pzNXdJVE5yZG9zcUVYZWFJa1ZZ" +
-			"QkVoYmhOdTU0cHAza3hvNlR1V0xpOWU2cFhlV2V0RXdtbEJ3dFda" +
-			"bFBvaWIyajNUeExCa3NLWmZveUZ5ZWszODBtSGdKQXVtUV9JMmZq" +
-			"ajk4Xzk3bWszaWhPWTRBZ1ZkQ0RqMXpfR0NvWmtHNVJxN25iQ0d5" +
-			"b3N5S1d5RFgwMFpzLW5OcVZob0xlSXZYQzRubldkSk1aNnJvZ3h5" +
-			"UVEifSwibm9uY2UiOiJub25jZSJ9"
-		// {"Msg":"Hello JWS"}
-		payload   = "eyJNc2ciOiJIZWxsbyBKV1MifQ"
-		signature = "eAGUikStX_UxyiFhxSLMyuyBcIB80GeBkFROCpap2sW3EmkU_ggF" +
-			"knaQzxrTfItICSAXsCLIquZ5BbrSWA_4vdEYrwWtdUj7NqFKjHRa" +
-			"zpLHcoR7r1rEHvkoP1xj49lS5fc3Wjjq8JUhffkhGbWZ8ZVkgPdC" +
-			"4tMBWiQDoth-x8jELP_3LYOB_ScUXi2mETBawLgOT2K8rA0Vbbmx" +
-			"hWNlOWuUf-8hL5YX4IOEwsS8JK_TrTq5Zc9My0zHJmaieqDV0UlP" +
-			"k0onFjPFkGm7MrPSgd0MqRG-4vSAg2O4hDo7rKv4n8POjjXlNQvM" +
-			"9IPLr8qZ7usYBKhEGwX3yq_eicAwBw"
-	)
-
-	b, err := jwsEncodeJSON(claims, testKey, "nonce")
-	if err != nil {
-		t.Fatal(err)
-	}
-	var jws struct{ Protected, Payload, Signature string }
-	if err := json.Unmarshal(b, &jws); err != nil {
-		t.Fatal(err)
-	}
-	if jws.Protected != protected {
-		t.Errorf("protected:\n%s\nwant:\n%s", jws.Protected, protected)
-	}
-	if jws.Payload != payload {
-		t.Errorf("payload:\n%s\nwant:\n%s", jws.Payload, payload)
-	}
-	if jws.Signature != signature {
-		t.Errorf("signature:\n%s\nwant:\n%s", jws.Signature, signature)
-	}
-}
-
-func TestJWSEncodeJSONEC(t *testing.T) {
-	tt := []struct {
-		key      *ecdsa.PrivateKey
-		x, y     string
-		alg, crv string
-	}{
-		{testKeyEC, testKeyECPubX, testKeyECPubY, "ES256", "P-256"},
-		{testKeyEC384, testKeyEC384PubX, testKeyEC384PubY, "ES384", "P-384"},
-		{testKeyEC512, testKeyEC512PubX, testKeyEC512PubY, "ES512", "P-521"},
-	}
-	for i, test := range tt {
-		claims := struct{ Msg string }{"Hello JWS"}
-		b, err := jwsEncodeJSON(claims, test.key, "nonce")
-		if err != nil {
-			t.Errorf("%d: %v", i, err)
-			continue
-		}
-		var jws struct{ Protected, Payload, Signature string }
-		if err := json.Unmarshal(b, &jws); err != nil {
-			t.Errorf("%d: %v", i, err)
-			continue
-		}
-
-		b, err = base64.RawURLEncoding.DecodeString(jws.Protected)
-		if err != nil {
-			t.Errorf("%d: jws.Protected: %v", i, err)
-		}
-		var head struct {
-			Alg   string
-			Nonce string
-			JWK   struct {
-				Crv string
-				Kty string
-				X   string
-				Y   string
-			} `json:"jwk"`
-		}
-		if err := json.Unmarshal(b, &head); err != nil {
-			t.Errorf("%d: jws.Protected: %v", i, err)
-		}
-		if head.Alg != test.alg {
-			t.Errorf("%d: head.Alg = %q; want %q", i, head.Alg, test.alg)
-		}
-		if head.Nonce != "nonce" {
-			t.Errorf("%d: head.Nonce = %q; want nonce", i, head.Nonce)
-		}
-		if head.JWK.Crv != test.crv {
-			t.Errorf("%d: head.JWK.Crv = %q; want %q", i, head.JWK.Crv, test.crv)
-		}
-		if head.JWK.Kty != "EC" {
-			t.Errorf("%d: head.JWK.Kty = %q; want EC", i, head.JWK.Kty)
-		}
-		if head.JWK.X != test.x {
-			t.Errorf("%d: head.JWK.X = %q; want %q", i, head.JWK.X, test.x)
-		}
-		if head.JWK.Y != test.y {
-			t.Errorf("%d: head.JWK.Y = %q; want %q", i, head.JWK.Y, test.y)
-		}
-	}
-}
-
-func TestJWKThumbprintRSA(t *testing.T) {
-	// Key example from RFC 7638
-	const base64N = "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAt" +
-		"VT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6" +
-		"4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FD" +
-		"W2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n9" +
-		"1CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINH" +
-		"aQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"
-	const base64E = "AQAB"
-	const expected = "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"
-
-	b, err := base64.RawURLEncoding.DecodeString(base64N)
-	if err != nil {
-		t.Fatalf("Error parsing example key N: %v", err)
-	}
-	n := new(big.Int).SetBytes(b)
-
-	b, err = base64.RawURLEncoding.DecodeString(base64E)
-	if err != nil {
-		t.Fatalf("Error parsing example key E: %v", err)
-	}
-	e := new(big.Int).SetBytes(b)
-
-	pub := &rsa.PublicKey{N: n, E: int(e.Uint64())}
-	th, err := JWKThumbprint(pub)
-	if err != nil {
-		t.Error(err)
-	}
-	if th != expected {
-		t.Errorf("thumbprint = %q; want %q", th, expected)
-	}
-}
-
-func TestJWKThumbprintEC(t *testing.T) {
-	// Key example from RFC 7520
-	// expected was computed with
-	// echo -n '{"crv":"P-521","kty":"EC","x":"<base64X>","y":"<base64Y>"}' | \
-	// openssl dgst -binary -sha256 | \
-	// base64 | \
-	// tr -d '=' | tr '/+' '_-'
-	const (
-		base64X = "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sYl_oJXu9A5RkT" +
-			"KqjqvjyekWF-7ytDyRXYgCF5cj0Kt"
-		base64Y = "AdymlHvOiLxXkEhayXQnNCvDX4h9htZaCJN34kfmC6pV5OhQHiraVySsUda" +
-			"QkAgDPrwQrJmbnX9cwlGfP-HqHZR1"
-		expected = "dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M"
-	)
-
-	b, err := base64.RawURLEncoding.DecodeString(base64X)
-	if err != nil {
-		t.Fatalf("Error parsing example key X: %v", err)
-	}
-	x := new(big.Int).SetBytes(b)
-
-	b, err = base64.RawURLEncoding.DecodeString(base64Y)
-	if err != nil {
-		t.Fatalf("Error parsing example key Y: %v", err)
-	}
-	y := new(big.Int).SetBytes(b)
-
-	pub := &ecdsa.PublicKey{Curve: elliptic.P521(), X: x, Y: y}
-	th, err := JWKThumbprint(pub)
-	if err != nil {
-		t.Error(err)
-	}
-	if th != expected {
-		t.Errorf("thumbprint = %q; want %q", th, expected)
-	}
-}
-
-func TestJWKThumbprintErrUnsupportedKey(t *testing.T) {
-	_, err := JWKThumbprint(struct{}{})
-	if err != ErrUnsupportedKey {
-		t.Errorf("err = %q; want %q", err, ErrUnsupportedKey)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/acme/types.go b/vendor/golang.org/x/crypto/acme/types.go
deleted file mode 100644
index 3e199749..00000000
--- a/vendor/golang.org/x/crypto/acme/types.go
+++ /dev/null
@@ -1,329 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"crypto"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"net/http"
-	"strings"
-	"time"
-)
-
-// ACME server response statuses used to describe Authorization and Challenge states.
-const (
-	StatusUnknown    = "unknown"
-	StatusPending    = "pending"
-	StatusProcessing = "processing"
-	StatusValid      = "valid"
-	StatusInvalid    = "invalid"
-	StatusRevoked    = "revoked"
-)
-
-// CRLReasonCode identifies the reason for a certificate revocation.
-type CRLReasonCode int
-
-// CRL reason codes as defined in RFC 5280.
-const (
-	CRLReasonUnspecified          CRLReasonCode = 0
-	CRLReasonKeyCompromise        CRLReasonCode = 1
-	CRLReasonCACompromise         CRLReasonCode = 2
-	CRLReasonAffiliationChanged   CRLReasonCode = 3
-	CRLReasonSuperseded           CRLReasonCode = 4
-	CRLReasonCessationOfOperation CRLReasonCode = 5
-	CRLReasonCertificateHold      CRLReasonCode = 6
-	CRLReasonRemoveFromCRL        CRLReasonCode = 8
-	CRLReasonPrivilegeWithdrawn   CRLReasonCode = 9
-	CRLReasonAACompromise         CRLReasonCode = 10
-)
-
-// ErrUnsupportedKey is returned when an unsupported key type is encountered.
-var ErrUnsupportedKey = errors.New("acme: unknown key type; only RSA and ECDSA are supported")
-
-// Error is an ACME error, defined in Problem Details for HTTP APIs doc
-// http://tools.ietf.org/html/draft-ietf-appsawg-http-problem.
-type Error struct {
-	// StatusCode is The HTTP status code generated by the origin server.
-	StatusCode int
-	// ProblemType is a URI reference that identifies the problem type,
-	// typically in a "urn:acme:error:xxx" form.
-	ProblemType string
-	// Detail is a human-readable explanation specific to this occurrence of the problem.
-	Detail string
-	// Header is the original server error response headers.
-	// It may be nil.
-	Header http.Header
-}
-
-func (e *Error) Error() string {
-	return fmt.Sprintf("%d %s: %s", e.StatusCode, e.ProblemType, e.Detail)
-}
-
-// AuthorizationError indicates that an authorization for an identifier
-// did not succeed.
-// It contains all errors from Challenge items of the failed Authorization.
-type AuthorizationError struct {
-	// URI uniquely identifies the failed Authorization.
-	URI string
-
-	// Identifier is an AuthzID.Value of the failed Authorization.
-	Identifier string
-
-	// Errors is a collection of non-nil error values of Challenge items
-	// of the failed Authorization.
-	Errors []error
-}
-
-func (a *AuthorizationError) Error() string {
-	e := make([]string, len(a.Errors))
-	for i, err := range a.Errors {
-		e[i] = err.Error()
-	}
-	return fmt.Sprintf("acme: authorization error for %s: %s", a.Identifier, strings.Join(e, "; "))
-}
-
-// RateLimit reports whether err represents a rate limit error and
-// any Retry-After duration returned by the server.
-//
-// See the following for more details on rate limiting:
-// https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-5.6
-func RateLimit(err error) (time.Duration, bool) {
-	e, ok := err.(*Error)
-	if !ok {
-		return 0, false
-	}
-	// Some CA implementations may return incorrect values.
-	// Use case-insensitive comparison.
-	if !strings.HasSuffix(strings.ToLower(e.ProblemType), ":ratelimited") {
-		return 0, false
-	}
-	if e.Header == nil {
-		return 0, true
-	}
-	return retryAfter(e.Header.Get("Retry-After"), 0), true
-}
-
-// Account is a user account. It is associated with a private key.
-type Account struct {
-	// URI is the account unique ID, which is also a URL used to retrieve
-	// account data from the CA.
-	URI string
-
-	// Contact is a slice of contact info used during registration.
-	Contact []string
-
-	// The terms user has agreed to.
-	// A value not matching CurrentTerms indicates that the user hasn't agreed
-	// to the actual Terms of Service of the CA.
-	AgreedTerms string
-
-	// Actual terms of a CA.
-	CurrentTerms string
-
-	// Authz is the authorization URL used to initiate a new authz flow.
-	Authz string
-
-	// Authorizations is a URI from which a list of authorizations
-	// granted to this account can be fetched via a GET request.
-	Authorizations string
-
-	// Certificates is a URI from which a list of certificates
-	// issued for this account can be fetched via a GET request.
-	Certificates string
-}
-
-// Directory is ACME server discovery data.
-type Directory struct {
-	// RegURL is an account endpoint URL, allowing for creating new
-	// and modifying existing accounts.
-	RegURL string
-
-	// AuthzURL is used to initiate Identifier Authorization flow.
-	AuthzURL string
-
-	// CertURL is a new certificate issuance endpoint URL.
-	CertURL string
-
-	// RevokeURL is used to initiate a certificate revocation flow.
-	RevokeURL string
-
-	// Term is a URI identifying the current terms of service.
-	Terms string
-
-	// Website is an HTTP or HTTPS URL locating a website
-	// providing more information about the ACME server.
-	Website string
-
-	// CAA consists of lowercase hostname elements, which the ACME server
-	// recognises as referring to itself for the purposes of CAA record validation
-	// as defined in RFC6844.
-	CAA []string
-}
-
-// Challenge encodes a returned CA challenge.
-// Its Error field may be non-nil if the challenge is part of an Authorization
-// with StatusInvalid.
-type Challenge struct {
-	// Type is the challenge type, e.g. "http-01", "tls-sni-02", "dns-01".
-	Type string
-
-	// URI is where a challenge response can be posted to.
-	URI string
-
-	// Token is a random value that uniquely identifies the challenge.
-	Token string
-
-	// Status identifies the status of this challenge.
-	Status string
-
-	// Error indicates the reason for an authorization failure
-	// when this challenge was used.
-	// The type of a non-nil value is *Error.
-	Error error
-}
-
-// Authorization encodes an authorization response.
-type Authorization struct {
-	// URI uniquely identifies a authorization.
-	URI string
-
-	// Status identifies the status of an authorization.
-	Status string
-
-	// Identifier is what the account is authorized to represent.
-	Identifier AuthzID
-
-	// Challenges that the client needs to fulfill in order to prove possession
-	// of the identifier (for pending authorizations).
-	// For final authorizations, the challenges that were used.
-	Challenges []*Challenge
-
-	// A collection of sets of challenges, each of which would be sufficient
-	// to prove possession of the identifier.
-	// Clients must complete a set of challenges that covers at least one set.
-	// Challenges are identified by their indices in the challenges array.
-	// If this field is empty, the client needs to complete all challenges.
-	Combinations [][]int
-}
-
-// AuthzID is an identifier that an account is authorized to represent.
-type AuthzID struct {
-	Type  string // The type of identifier, e.g. "dns".
-	Value string // The identifier itself, e.g. "example.org".
-}
-
-// wireAuthz is ACME JSON representation of Authorization objects.
-type wireAuthz struct {
-	Status       string
-	Challenges   []wireChallenge
-	Combinations [][]int
-	Identifier   struct {
-		Type  string
-		Value string
-	}
-}
-
-func (z *wireAuthz) authorization(uri string) *Authorization {
-	a := &Authorization{
-		URI:          uri,
-		Status:       z.Status,
-		Identifier:   AuthzID{Type: z.Identifier.Type, Value: z.Identifier.Value},
-		Combinations: z.Combinations, // shallow copy
-		Challenges:   make([]*Challenge, len(z.Challenges)),
-	}
-	for i, v := range z.Challenges {
-		a.Challenges[i] = v.challenge()
-	}
-	return a
-}
-
-func (z *wireAuthz) error(uri string) *AuthorizationError {
-	err := &AuthorizationError{
-		URI:        uri,
-		Identifier: z.Identifier.Value,
-	}
-	for _, raw := range z.Challenges {
-		if raw.Error != nil {
-			err.Errors = append(err.Errors, raw.Error.error(nil))
-		}
-	}
-	return err
-}
-
-// wireChallenge is ACME JSON challenge representation.
-type wireChallenge struct {
-	URI    string `json:"uri"`
-	Type   string
-	Token  string
-	Status string
-	Error  *wireError
-}
-
-func (c *wireChallenge) challenge() *Challenge {
-	v := &Challenge{
-		URI:    c.URI,
-		Type:   c.Type,
-		Token:  c.Token,
-		Status: c.Status,
-	}
-	if v.Status == "" {
-		v.Status = StatusPending
-	}
-	if c.Error != nil {
-		v.Error = c.Error.error(nil)
-	}
-	return v
-}
-
-// wireError is a subset of fields of the Problem Details object
-// as described in https://tools.ietf.org/html/rfc7807#section-3.1.
-type wireError struct {
-	Status int
-	Type   string
-	Detail string
-}
-
-func (e *wireError) error(h http.Header) *Error {
-	return &Error{
-		StatusCode:  e.Status,
-		ProblemType: e.Type,
-		Detail:      e.Detail,
-		Header:      h,
-	}
-}
-
-// CertOption is an optional argument type for the TLSSNIxChallengeCert methods for
-// customizing a temporary certificate for TLS-SNI challenges.
-type CertOption interface {
-	privateCertOpt()
-}
-
-// WithKey creates an option holding a private/public key pair.
-// The private part signs a certificate, and the public part represents the signee.
-func WithKey(key crypto.Signer) CertOption {
-	return &certOptKey{key}
-}
-
-type certOptKey struct {
-	key crypto.Signer
-}
-
-func (*certOptKey) privateCertOpt() {}
-
-// WithTemplate creates an option for specifying a certificate template.
-// See x509.CreateCertificate for template usage details.
-//
-// In TLSSNIxChallengeCert methods, the template is also used as parent,
-// resulting in a self-signed certificate.
-// The DNSNames field of t is always overwritten for tls-sni challenge certs.
-func WithTemplate(t *x509.Certificate) CertOption {
-	return (*certOptTemplate)(t)
-}
-
-type certOptTemplate x509.Certificate
-
-func (*certOptTemplate) privateCertOpt() {}
diff --git a/vendor/golang.org/x/crypto/acme/types_test.go b/vendor/golang.org/x/crypto/acme/types_test.go
deleted file mode 100644
index a7553e6b..00000000
--- a/vendor/golang.org/x/crypto/acme/types_test.go
+++ /dev/null
@@ -1,63 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"errors"
-	"net/http"
-	"testing"
-	"time"
-)
-
-func TestRateLimit(t *testing.T) {
-	now := time.Date(2017, 04, 27, 10, 0, 0, 0, time.UTC)
-	f := timeNow
-	defer func() { timeNow = f }()
-	timeNow = func() time.Time { return now }
-
-	h120, hTime := http.Header{}, http.Header{}
-	h120.Set("Retry-After", "120")
-	hTime.Set("Retry-After", "Tue Apr 27 11:00:00 2017")
-
-	err1 := &Error{
-		ProblemType: "urn:ietf:params:acme:error:nolimit",
-		Header:      h120,
-	}
-	err2 := &Error{
-		ProblemType: "urn:ietf:params:acme:error:rateLimited",
-		Header:      h120,
-	}
-	err3 := &Error{
-		ProblemType: "urn:ietf:params:acme:error:rateLimited",
-		Header:      nil,
-	}
-	err4 := &Error{
-		ProblemType: "urn:ietf:params:acme:error:rateLimited",
-		Header:      hTime,
-	}
-
-	tt := []struct {
-		err error
-		res time.Duration
-		ok  bool
-	}{
-		{nil, 0, false},
-		{errors.New("dummy"), 0, false},
-		{err1, 0, false},
-		{err2, 2 * time.Minute, true},
-		{err3, 0, true},
-		{err4, time.Hour, true},
-	}
-	for i, test := range tt {
-		res, ok := RateLimit(test.err)
-		if ok != test.ok {
-			t.Errorf("%d: RateLimit(%+v): ok = %v; want %v", i, test.err, ok, test.ok)
-			continue
-		}
-		if res != test.res {
-			t.Errorf("%d: RateLimit(%+v) = %v; want %v", i, test.err, res, test.res)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/argon2/argon2.go b/vendor/golang.org/x/crypto/argon2/argon2.go
deleted file mode 100644
index 71cf8c55..00000000
--- a/vendor/golang.org/x/crypto/argon2/argon2.go
+++ /dev/null
@@ -1,228 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package argon2 implements the key derivation function Argon2.
-// Argon2 was selected as the winner of the Password Hashing Competition and can
-// be used to derive cryptographic keys from passwords.
-// Argon2 is specfifed at https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
-package argon2
-
-import (
-	"encoding/binary"
-	"sync"
-
-	"golang.org/x/crypto/blake2b"
-)
-
-// The Argon2 version implemented by this package.
-const Version = 0x13
-
-const (
-	argon2d = iota
-	argon2i
-	argon2id
-)
-
-// Key derives a key from the password, salt, and cost parameters using Argon2i
-// returning a byte slice of length keyLen that can be used as cryptographic key.
-// The CPU cost and parallism degree must be greater than zero.
-//
-// For example, you can get a derived key for e.g. AES-256 (which needs a 32-byte key) by doing:
-// `key := argon2.Key([]byte("some password"), salt, 4, 32*1024, 4, 32)`
-//
-// The recommended parameters for interactive logins as of 2017 are time=4, memory=32*1024.
-// The number of threads can be adjusted to the numbers of available CPUs.
-// The time parameter specifies the number of passes over the memory and the memory
-// parameter specifies the size of the memory in KiB. For example memory=32*1024 sets the
-// memory cost to ~32 MB.
-// The cost parameters should be increased as memory latency and CPU parallelism increases.
-// Remember to get a good random salt.
-func Key(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
-	return deriveKey(argon2i, password, salt, nil, nil, time, memory, threads, keyLen)
-}
-
-func deriveKey(mode int, password, salt, secret, data []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
-	if time < 1 {
-		panic("argon2: number of rounds too small")
-	}
-	if threads < 1 {
-		panic("argon2: parallelism degree too low")
-	}
-	h0 := initHash(password, salt, secret, data, time, memory, uint32(threads), keyLen, mode)
-
-	memory = memory / (syncPoints * uint32(threads)) * (syncPoints * uint32(threads))
-	if memory < 2*syncPoints*uint32(threads) {
-		memory = 2 * syncPoints * uint32(threads)
-	}
-	B := initBlocks(&h0, memory, uint32(threads))
-	processBlocks(B, time, memory, uint32(threads), mode)
-	return extractKey(B, memory, uint32(threads), keyLen)
-}
-
-const (
-	blockLength = 128
-	syncPoints  = 4
-)
-
-type block [blockLength]uint64
-
-func initHash(password, salt, key, data []byte, time, memory, threads, keyLen uint32, mode int) [blake2b.Size + 8]byte {
-	var (
-		h0     [blake2b.Size + 8]byte
-		params [24]byte
-		tmp    [4]byte
-	)
-
-	b2, _ := blake2b.New512(nil)
-	binary.LittleEndian.PutUint32(params[0:4], threads)
-	binary.LittleEndian.PutUint32(params[4:8], keyLen)
-	binary.LittleEndian.PutUint32(params[8:12], memory)
-	binary.LittleEndian.PutUint32(params[12:16], time)
-	binary.LittleEndian.PutUint32(params[16:20], uint32(Version))
-	binary.LittleEndian.PutUint32(params[20:24], uint32(mode))
-	b2.Write(params[:])
-	binary.LittleEndian.PutUint32(tmp[:], uint32(len(password)))
-	b2.Write(tmp[:])
-	b2.Write(password)
-	binary.LittleEndian.PutUint32(tmp[:], uint32(len(salt)))
-	b2.Write(tmp[:])
-	b2.Write(salt)
-	binary.LittleEndian.PutUint32(tmp[:], uint32(len(key)))
-	b2.Write(tmp[:])
-	b2.Write(key)
-	binary.LittleEndian.PutUint32(tmp[:], uint32(len(data)))
-	b2.Write(tmp[:])
-	b2.Write(data)
-	b2.Sum(h0[:0])
-	return h0
-}
-
-func initBlocks(h0 *[blake2b.Size + 8]byte, memory, threads uint32) []block {
-	var block0 [1024]byte
-	B := make([]block, memory)
-	for lane := uint32(0); lane < threads; lane++ {
-		j := lane * (memory / threads)
-		binary.LittleEndian.PutUint32(h0[blake2b.Size+4:], lane)
-
-		binary.LittleEndian.PutUint32(h0[blake2b.Size:], 0)
-		blake2bHash(block0[:], h0[:])
-		for i := range B[j+0] {
-			B[j+0][i] = binary.LittleEndian.Uint64(block0[i*8:])
-		}
-
-		binary.LittleEndian.PutUint32(h0[blake2b.Size:], 1)
-		blake2bHash(block0[:], h0[:])
-		for i := range B[j+1] {
-			B[j+1][i] = binary.LittleEndian.Uint64(block0[i*8:])
-		}
-	}
-	return B
-}
-
-func processBlocks(B []block, time, memory, threads uint32, mode int) {
-	lanes := memory / threads
-	segments := lanes / syncPoints
-
-	processSegment := func(n, slice, lane uint32, wg *sync.WaitGroup) {
-		var addresses, in, zero block
-		if mode == argon2i || (mode == argon2id && n == 0 && slice < syncPoints/2) {
-			in[0] = uint64(n)
-			in[1] = uint64(lane)
-			in[2] = uint64(slice)
-			in[3] = uint64(memory)
-			in[4] = uint64(time)
-			in[5] = uint64(mode)
-		}
-
-		index := uint32(0)
-		if n == 0 && slice == 0 {
-			index = 2 // we have already generated the first two blocks
-			if mode == argon2i || mode == argon2id {
-				in[6]++
-				processBlock(&addresses, &in, &zero)
-				processBlock(&addresses, &addresses, &zero)
-			}
-		}
-
-		offset := lane*lanes + slice*segments + index
-		var random uint64
-		for index < segments {
-			prev := offset - 1
-			if index == 0 && slice == 0 {
-				prev += lanes // last block in lane
-			}
-			if mode == argon2i || (mode == argon2id && n == 0 && slice < syncPoints/2) {
-				if index%blockLength == 0 {
-					in[6]++
-					processBlock(&addresses, &in, &zero)
-					processBlock(&addresses, &addresses, &zero)
-				}
-				random = addresses[index%blockLength]
-			} else {
-				random = B[prev][0]
-			}
-			newOffset := indexAlpha(random, lanes, segments, threads, n, slice, lane, index)
-			processBlockXOR(&B[offset], &B[prev], &B[newOffset])
-			index, offset = index+1, offset+1
-		}
-		wg.Done()
-	}
-
-	for n := uint32(0); n < time; n++ {
-		for slice := uint32(0); slice < syncPoints; slice++ {
-			var wg sync.WaitGroup
-			for lane := uint32(0); lane < threads; lane++ {
-				wg.Add(1)
-				go processSegment(n, slice, lane, &wg)
-			}
-			wg.Wait()
-		}
-	}
-
-}
-
-func extractKey(B []block, memory, threads, keyLen uint32) []byte {
-	lanes := memory / threads
-	for lane := uint32(0); lane < threads-1; lane++ {
-		for i, v := range B[(lane*lanes)+lanes-1] {
-			B[memory-1][i] ^= v
-		}
-	}
-
-	var block [1024]byte
-	for i, v := range B[memory-1] {
-		binary.LittleEndian.PutUint64(block[i*8:], v)
-	}
-	key := make([]byte, keyLen)
-	blake2bHash(key, block[:])
-	return key
-}
-
-func indexAlpha(rand uint64, lanes, segments, threads, n, slice, lane, index uint32) uint32 {
-	refLane := uint32(rand>>32) % threads
-	if n == 0 && slice == 0 {
-		refLane = lane
-	}
-	m, s := 3*segments, ((slice+1)%syncPoints)*segments
-	if lane == refLane {
-		m += index
-	}
-	if n == 0 {
-		m, s = slice*segments, 0
-		if slice == 0 || lane == refLane {
-			m += index
-		}
-	}
-	if index == 0 || lane == refLane {
-		m--
-	}
-	return phi(rand, uint64(m), uint64(s), refLane, lanes)
-}
-
-func phi(rand, m, s uint64, lane, lanes uint32) uint32 {
-	p := rand & 0xFFFFFFFF
-	p = (p * p) >> 32
-	p = (p * m) >> 32
-	return lane*lanes + uint32((s+m-(p+1))%uint64(lanes))
-}
diff --git a/vendor/golang.org/x/crypto/argon2/argon2_test.go b/vendor/golang.org/x/crypto/argon2/argon2_test.go
deleted file mode 100644
index 775b97a4..00000000
--- a/vendor/golang.org/x/crypto/argon2/argon2_test.go
+++ /dev/null
@@ -1,233 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package argon2
-
-import (
-	"bytes"
-	"encoding/hex"
-	"testing"
-)
-
-var (
-	genKatPassword = []byte{
-		0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
-		0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
-		0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
-		0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
-	}
-	genKatSalt   = []byte{0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02}
-	genKatSecret = []byte{0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03}
-	genKatAAD    = []byte{0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04}
-)
-
-func TestArgon2(t *testing.T) {
-	defer func(sse4 bool) { useSSE4 = sse4 }(useSSE4)
-
-	if useSSE4 {
-		t.Log("SSE4.1 version")
-		testArgon2i(t)
-		testArgon2d(t)
-		testArgon2id(t)
-		useSSE4 = false
-	}
-	t.Log("generic version")
-	testArgon2i(t)
-	testArgon2d(t)
-	testArgon2id(t)
-}
-
-func testArgon2d(t *testing.T) {
-	want := []byte{
-		0x51, 0x2b, 0x39, 0x1b, 0x6f, 0x11, 0x62, 0x97,
-		0x53, 0x71, 0xd3, 0x09, 0x19, 0x73, 0x42, 0x94,
-		0xf8, 0x68, 0xe3, 0xbe, 0x39, 0x84, 0xf3, 0xc1,
-		0xa1, 0x3a, 0x4d, 0xb9, 0xfa, 0xbe, 0x4a, 0xcb,
-	}
-	hash := deriveKey(argon2d, genKatPassword, genKatSalt, genKatSecret, genKatAAD, 3, 32, 4, 32)
-	if !bytes.Equal(hash, want) {
-		t.Errorf("derived key does not match - got: %s , want: %s", hex.EncodeToString(hash), hex.EncodeToString(want))
-	}
-}
-
-func testArgon2i(t *testing.T) {
-	want := []byte{
-		0xc8, 0x14, 0xd9, 0xd1, 0xdc, 0x7f, 0x37, 0xaa,
-		0x13, 0xf0, 0xd7, 0x7f, 0x24, 0x94, 0xbd, 0xa1,
-		0xc8, 0xde, 0x6b, 0x01, 0x6d, 0xd3, 0x88, 0xd2,
-		0x99, 0x52, 0xa4, 0xc4, 0x67, 0x2b, 0x6c, 0xe8,
-	}
-	hash := deriveKey(argon2i, genKatPassword, genKatSalt, genKatSecret, genKatAAD, 3, 32, 4, 32)
-	if !bytes.Equal(hash, want) {
-		t.Errorf("derived key does not match - got: %s , want: %s", hex.EncodeToString(hash), hex.EncodeToString(want))
-	}
-}
-
-func testArgon2id(t *testing.T) {
-	want := []byte{
-		0x0d, 0x64, 0x0d, 0xf5, 0x8d, 0x78, 0x76, 0x6c,
-		0x08, 0xc0, 0x37, 0xa3, 0x4a, 0x8b, 0x53, 0xc9,
-		0xd0, 0x1e, 0xf0, 0x45, 0x2d, 0x75, 0xb6, 0x5e,
-		0xb5, 0x25, 0x20, 0xe9, 0x6b, 0x01, 0xe6, 0x59,
-	}
-	hash := deriveKey(argon2id, genKatPassword, genKatSalt, genKatSecret, genKatAAD, 3, 32, 4, 32)
-	if !bytes.Equal(hash, want) {
-		t.Errorf("derived key does not match - got: %s , want: %s", hex.EncodeToString(hash), hex.EncodeToString(want))
-	}
-}
-
-func TestVectors(t *testing.T) {
-	password, salt := []byte("password"), []byte("somesalt")
-	for i, v := range testVectors {
-		want, err := hex.DecodeString(v.hash)
-		if err != nil {
-			t.Fatalf("Test %d: failed to decode hash: %v", i, err)
-		}
-		hash := deriveKey(v.mode, password, salt, nil, nil, v.time, v.memory, v.threads, uint32(len(want)))
-		if !bytes.Equal(hash, want) {
-			t.Errorf("Test %d - got: %s want: %s", i, hex.EncodeToString(hash), hex.EncodeToString(want))
-		}
-	}
-}
-
-func benchmarkArgon2(mode int, time, memory uint32, threads uint8, keyLen uint32, b *testing.B) {
-	password := []byte("password")
-	salt := []byte("choosing random salts is hard")
-	b.ReportAllocs()
-	for i := 0; i < b.N; i++ {
-		deriveKey(mode, password, salt, nil, nil, time, memory, threads, keyLen)
-	}
-}
-
-func BenchmarkArgon2i(b *testing.B) {
-	b.Run(" Time: 3 Memory: 32 MB, Threads: 1", func(b *testing.B) { benchmarkArgon2(argon2i, 3, 32*1024, 1, 32, b) })
-	b.Run(" Time: 4 Memory: 32 MB, Threads: 1", func(b *testing.B) { benchmarkArgon2(argon2i, 4, 32*1024, 1, 32, b) })
-	b.Run(" Time: 5 Memory: 32 MB, Threads: 1", func(b *testing.B) { benchmarkArgon2(argon2i, 5, 32*1024, 1, 32, b) })
-	b.Run(" Time: 3 Memory: 64 MB, Threads: 4", func(b *testing.B) { benchmarkArgon2(argon2i, 3, 64*1024, 4, 32, b) })
-	b.Run(" Time: 4 Memory: 64 MB, Threads: 4", func(b *testing.B) { benchmarkArgon2(argon2i, 4, 64*1024, 4, 32, b) })
-	b.Run(" Time: 5 Memory: 64 MB, Threads: 4", func(b *testing.B) { benchmarkArgon2(argon2i, 5, 64*1024, 4, 32, b) })
-}
-
-func BenchmarkArgon2d(b *testing.B) {
-	b.Run(" Time: 3, Memory: 32 MB, Threads: 1", func(b *testing.B) { benchmarkArgon2(argon2d, 3, 32*1024, 1, 32, b) })
-	b.Run(" Time: 4, Memory: 32 MB, Threads: 1", func(b *testing.B) { benchmarkArgon2(argon2d, 4, 32*1024, 1, 32, b) })
-	b.Run(" Time: 5, Memory: 32 MB, Threads: 1", func(b *testing.B) { benchmarkArgon2(argon2d, 5, 32*1024, 1, 32, b) })
-	b.Run(" Time: 3, Memory: 64 MB, Threads: 4", func(b *testing.B) { benchmarkArgon2(argon2d, 3, 64*1024, 4, 32, b) })
-	b.Run(" Time: 4, Memory: 64 MB, Threads: 4", func(b *testing.B) { benchmarkArgon2(argon2d, 4, 64*1024, 4, 32, b) })
-	b.Run(" Time: 5, Memory: 64 MB, Threads: 4", func(b *testing.B) { benchmarkArgon2(argon2d, 5, 64*1024, 4, 32, b) })
-}
-
-func BenchmarkArgon2id(b *testing.B) {
-	b.Run(" Time: 3, Memory: 32 MB, Threads: 1", func(b *testing.B) { benchmarkArgon2(argon2id, 3, 32*1024, 1, 32, b) })
-	b.Run(" Time: 4, Memory: 32 MB, Threads: 1", func(b *testing.B) { benchmarkArgon2(argon2id, 4, 32*1024, 1, 32, b) })
-	b.Run(" Time: 5, Memory: 32 MB, Threads: 1", func(b *testing.B) { benchmarkArgon2(argon2id, 5, 32*1024, 1, 32, b) })
-	b.Run(" Time: 3, Memory: 64 MB, Threads: 4", func(b *testing.B) { benchmarkArgon2(argon2id, 3, 64*1024, 4, 32, b) })
-	b.Run(" Time: 4, Memory: 64 MB, Threads: 4", func(b *testing.B) { benchmarkArgon2(argon2id, 4, 64*1024, 4, 32, b) })
-	b.Run(" Time: 5, Memory: 64 MB, Threads: 4", func(b *testing.B) { benchmarkArgon2(argon2id, 5, 64*1024, 4, 32, b) })
-}
-
-// Generated with the CLI of https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
-var testVectors = []struct {
-	mode         int
-	time, memory uint32
-	threads      uint8
-	hash         string
-}{
-	{
-		mode: argon2i, time: 1, memory: 64, threads: 1,
-		hash: "b9c401d1844a67d50eae3967dc28870b22e508092e861a37",
-	},
-	{
-		mode: argon2d, time: 1, memory: 64, threads: 1,
-		hash: "8727405fd07c32c78d64f547f24150d3f2e703a89f981a19",
-	},
-	{
-		mode: argon2id, time: 1, memory: 64, threads: 1,
-		hash: "655ad15eac652dc59f7170a7332bf49b8469be1fdb9c28bb",
-	},
-	{
-		mode: argon2i, time: 2, memory: 64, threads: 1,
-		hash: "8cf3d8f76a6617afe35fac48eb0b7433a9a670ca4a07ed64",
-	},
-	{
-		mode: argon2d, time: 2, memory: 64, threads: 1,
-		hash: "3be9ec79a69b75d3752acb59a1fbb8b295a46529c48fbb75",
-	},
-	{
-		mode: argon2id, time: 2, memory: 64, threads: 1,
-		hash: "068d62b26455936aa6ebe60060b0a65870dbfa3ddf8d41f7",
-	},
-	{
-		mode: argon2i, time: 2, memory: 64, threads: 2,
-		hash: "2089f3e78a799720f80af806553128f29b132cafe40d059f",
-	},
-	{
-		mode: argon2d, time: 2, memory: 64, threads: 2,
-		hash: "68e2462c98b8bc6bb60ec68db418ae2c9ed24fc6748a40e9",
-	},
-	{
-		mode: argon2id, time: 2, memory: 64, threads: 2,
-		hash: "350ac37222f436ccb5c0972f1ebd3bf6b958bf2071841362",
-	},
-	{
-		mode: argon2i, time: 3, memory: 256, threads: 2,
-		hash: "f5bbf5d4c3836af13193053155b73ec7476a6a2eb93fd5e6",
-	},
-	{
-		mode: argon2d, time: 3, memory: 256, threads: 2,
-		hash: "f4f0669218eaf3641f39cc97efb915721102f4b128211ef2",
-	},
-	{
-		mode: argon2id, time: 3, memory: 256, threads: 2,
-		hash: "4668d30ac4187e6878eedeacf0fd83c5a0a30db2cc16ef0b",
-	},
-	{
-		mode: argon2i, time: 4, memory: 4096, threads: 4,
-		hash: "a11f7b7f3f93f02ad4bddb59ab62d121e278369288a0d0e7",
-	},
-	{
-		mode: argon2d, time: 4, memory: 4096, threads: 4,
-		hash: "935598181aa8dc2b720914aa6435ac8d3e3a4210c5b0fb2d",
-	},
-	{
-		mode: argon2id, time: 4, memory: 4096, threads: 4,
-		hash: "145db9733a9f4ee43edf33c509be96b934d505a4efb33c5a",
-	},
-	{
-		mode: argon2i, time: 4, memory: 1024, threads: 8,
-		hash: "0cdd3956aa35e6b475a7b0c63488822f774f15b43f6e6e17",
-	},
-	{
-		mode: argon2d, time: 4, memory: 1024, threads: 8,
-		hash: "83604fc2ad0589b9d055578f4d3cc55bc616df3578a896e9",
-	},
-	{
-		mode: argon2id, time: 4, memory: 1024, threads: 8,
-		hash: "8dafa8e004f8ea96bf7c0f93eecf67a6047476143d15577f",
-	},
-	{
-		mode: argon2i, time: 2, memory: 64, threads: 3,
-		hash: "5cab452fe6b8479c8661def8cd703b611a3905a6d5477fe6",
-	},
-	{
-		mode: argon2d, time: 2, memory: 64, threads: 3,
-		hash: "22474a423bda2ccd36ec9afd5119e5c8949798cadf659f51",
-	},
-	{
-		mode: argon2id, time: 2, memory: 64, threads: 3,
-		hash: "4a15b31aec7c2590b87d1f520be7d96f56658172deaa3079",
-	},
-	{
-		mode: argon2i, time: 3, memory: 1024, threads: 6,
-		hash: "d236b29c2b2a09babee842b0dec6aa1e83ccbdea8023dced",
-	},
-	{
-		mode: argon2d, time: 3, memory: 1024, threads: 6,
-		hash: "a3351b0319a53229152023d9206902f4ef59661cdca89481",
-	},
-	{
-		mode: argon2id, time: 3, memory: 1024, threads: 6,
-		hash: "1640b932f4b60e272f5d2207b9a9c626ffa1bd88d2349016",
-	},
-}
diff --git a/vendor/golang.org/x/crypto/argon2/blake2b.go b/vendor/golang.org/x/crypto/argon2/blake2b.go
deleted file mode 100644
index 10f46948..00000000
--- a/vendor/golang.org/x/crypto/argon2/blake2b.go
+++ /dev/null
@@ -1,53 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package argon2
-
-import (
-	"encoding/binary"
-	"hash"
-
-	"golang.org/x/crypto/blake2b"
-)
-
-// blake2bHash computes an arbitrary long hash value of in
-// and writes the hash to out.
-func blake2bHash(out []byte, in []byte) {
-	var b2 hash.Hash
-	if n := len(out); n < blake2b.Size {
-		b2, _ = blake2b.New(n, nil)
-	} else {
-		b2, _ = blake2b.New512(nil)
-	}
-
-	var buffer [blake2b.Size]byte
-	binary.LittleEndian.PutUint32(buffer[:4], uint32(len(out)))
-	b2.Write(buffer[:4])
-	b2.Write(in)
-
-	if len(out) <= blake2b.Size {
-		b2.Sum(out[:0])
-		return
-	}
-
-	outLen := len(out)
-	b2.Sum(buffer[:0])
-	b2.Reset()
-	copy(out, buffer[:32])
-	out = out[32:]
-	for len(out) > blake2b.Size {
-		b2.Write(buffer[:])
-		b2.Sum(buffer[:0])
-		copy(out, buffer[:32])
-		out = out[32:]
-		b2.Reset()
-	}
-
-	if outLen%blake2b.Size > 0 { // outLen > 64
-		r := ((outLen + 31) / 32) - 2 // ⌈τ /32⌉-2
-		b2, _ = blake2b.New(outLen-32*r, nil)
-	}
-	b2.Write(buffer[:])
-	b2.Sum(out[:0])
-}
diff --git a/vendor/golang.org/x/crypto/argon2/blamka_amd64.go b/vendor/golang.org/x/crypto/argon2/blamka_amd64.go
deleted file mode 100644
index bb2b0d8b..00000000
--- a/vendor/golang.org/x/crypto/argon2/blamka_amd64.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-package argon2
-
-func init() {
-	useSSE4 = supportsSSE4()
-}
-
-//go:noescape
-func supportsSSE4() bool
-
-//go:noescape
-func mixBlocksSSE2(out, a, b, c *block)
-
-//go:noescape
-func xorBlocksSSE2(out, a, b, c *block)
-
-//go:noescape
-func blamkaSSE4(b *block)
-
-func processBlockSSE(out, in1, in2 *block, xor bool) {
-	var t block
-	mixBlocksSSE2(&t, in1, in2, &t)
-	if useSSE4 {
-		blamkaSSE4(&t)
-	} else {
-		for i := 0; i < blockLength; i += 16 {
-			blamkaGeneric(
-				&t[i+0], &t[i+1], &t[i+2], &t[i+3],
-				&t[i+4], &t[i+5], &t[i+6], &t[i+7],
-				&t[i+8], &t[i+9], &t[i+10], &t[i+11],
-				&t[i+12], &t[i+13], &t[i+14], &t[i+15],
-			)
-		}
-		for i := 0; i < blockLength/8; i += 2 {
-			blamkaGeneric(
-				&t[i], &t[i+1], &t[16+i], &t[16+i+1],
-				&t[32+i], &t[32+i+1], &t[48+i], &t[48+i+1],
-				&t[64+i], &t[64+i+1], &t[80+i], &t[80+i+1],
-				&t[96+i], &t[96+i+1], &t[112+i], &t[112+i+1],
-			)
-		}
-	}
-	if xor {
-		xorBlocksSSE2(out, in1, in2, &t)
-	} else {
-		mixBlocksSSE2(out, in1, in2, &t)
-	}
-}
-
-func processBlock(out, in1, in2 *block) {
-	processBlockSSE(out, in1, in2, false)
-}
-
-func processBlockXOR(out, in1, in2 *block) {
-	processBlockSSE(out, in1, in2, true)
-}
diff --git a/vendor/golang.org/x/crypto/argon2/blamka_amd64.s b/vendor/golang.org/x/crypto/argon2/blamka_amd64.s
deleted file mode 100644
index 8a83f7c7..00000000
--- a/vendor/golang.org/x/crypto/argon2/blamka_amd64.s
+++ /dev/null
@@ -1,252 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-#include "textflag.h"
-
-DATA ·c40<>+0x00(SB)/8, $0x0201000706050403
-DATA ·c40<>+0x08(SB)/8, $0x0a09080f0e0d0c0b
-GLOBL ·c40<>(SB), (NOPTR+RODATA), $16
-
-DATA ·c48<>+0x00(SB)/8, $0x0100070605040302
-DATA ·c48<>+0x08(SB)/8, $0x09080f0e0d0c0b0a
-GLOBL ·c48<>(SB), (NOPTR+RODATA), $16
-
-#define SHUFFLE(v2, v3, v4, v5, v6, v7, t1, t2) \
-	MOVO       v4, t1; \
-	MOVO       v5, v4; \
-	MOVO       t1, v5; \
-	MOVO       v6, t1; \
-	PUNPCKLQDQ v6, t2; \
-	PUNPCKHQDQ v7, v6; \
-	PUNPCKHQDQ t2, v6; \
-	PUNPCKLQDQ v7, t2; \
-	MOVO       t1, v7; \
-	MOVO       v2, t1; \
-	PUNPCKHQDQ t2, v7; \
-	PUNPCKLQDQ v3, t2; \
-	PUNPCKHQDQ t2, v2; \
-	PUNPCKLQDQ t1, t2; \
-	PUNPCKHQDQ t2, v3
-
-#define SHUFFLE_INV(v2, v3, v4, v5, v6, v7, t1, t2) \
-	MOVO       v4, t1; \
-	MOVO       v5, v4; \
-	MOVO       t1, v5; \
-	MOVO       v2, t1; \
-	PUNPCKLQDQ v2, t2; \
-	PUNPCKHQDQ v3, v2; \
-	PUNPCKHQDQ t2, v2; \
-	PUNPCKLQDQ v3, t2; \
-	MOVO       t1, v3; \
-	MOVO       v6, t1; \
-	PUNPCKHQDQ t2, v3; \
-	PUNPCKLQDQ v7, t2; \
-	PUNPCKHQDQ t2, v6; \
-	PUNPCKLQDQ t1, t2; \
-	PUNPCKHQDQ t2, v7
-
-#define HALF_ROUND(v0, v1, v2, v3, v4, v5, v6, v7, t0, c40, c48) \
-	MOVO    v0, t0;        \
-	PMULULQ v2, t0;        \
-	PADDQ   v2, v0;        \
-	PADDQ   t0, v0;        \
-	PADDQ   t0, v0;        \
-	PXOR    v0, v6;        \
-	PSHUFD  $0xB1, v6, v6; \
-	MOVO    v4, t0;        \
-	PMULULQ v6, t0;        \
-	PADDQ   v6, v4;        \
-	PADDQ   t0, v4;        \
-	PADDQ   t0, v4;        \
-	PXOR    v4, v2;        \
-	PSHUFB  c40, v2;       \
-	MOVO    v0, t0;        \
-	PMULULQ v2, t0;        \
-	PADDQ   v2, v0;        \
-	PADDQ   t0, v0;        \
-	PADDQ   t0, v0;        \
-	PXOR    v0, v6;        \
-	PSHUFB  c48, v6;       \
-	MOVO    v4, t0;        \
-	PMULULQ v6, t0;        \
-	PADDQ   v6, v4;        \
-	PADDQ   t0, v4;        \
-	PADDQ   t0, v4;        \
-	PXOR    v4, v2;        \
-	MOVO    v2, t0;        \
-	PADDQ   v2, t0;        \
-	PSRLQ   $63, v2;       \
-	PXOR    t0, v2;        \
-	MOVO    v1, t0;        \
-	PMULULQ v3, t0;        \
-	PADDQ   v3, v1;        \
-	PADDQ   t0, v1;        \
-	PADDQ   t0, v1;        \
-	PXOR    v1, v7;        \
-	PSHUFD  $0xB1, v7, v7; \
-	MOVO    v5, t0;        \
-	PMULULQ v7, t0;        \
-	PADDQ   v7, v5;        \
-	PADDQ   t0, v5;        \
-	PADDQ   t0, v5;        \
-	PXOR    v5, v3;        \
-	PSHUFB  c40, v3;       \
-	MOVO    v1, t0;        \
-	PMULULQ v3, t0;        \
-	PADDQ   v3, v1;        \
-	PADDQ   t0, v1;        \
-	PADDQ   t0, v1;        \
-	PXOR    v1, v7;        \
-	PSHUFB  c48, v7;       \
-	MOVO    v5, t0;        \
-	PMULULQ v7, t0;        \
-	PADDQ   v7, v5;        \
-	PADDQ   t0, v5;        \
-	PADDQ   t0, v5;        \
-	PXOR    v5, v3;        \
-	MOVO    v3, t0;        \
-	PADDQ   v3, t0;        \
-	PSRLQ   $63, v3;       \
-	PXOR    t0, v3
-
-#define LOAD_MSG_0(block, off) \
-	MOVOU 8*(off+0)(block), X0;  \
-	MOVOU 8*(off+2)(block), X1;  \
-	MOVOU 8*(off+4)(block), X2;  \
-	MOVOU 8*(off+6)(block), X3;  \
-	MOVOU 8*(off+8)(block), X4;  \
-	MOVOU 8*(off+10)(block), X5; \
-	MOVOU 8*(off+12)(block), X6; \
-	MOVOU 8*(off+14)(block), X7
-
-#define STORE_MSG_0(block, off) \
-	MOVOU X0, 8*(off+0)(block);  \
-	MOVOU X1, 8*(off+2)(block);  \
-	MOVOU X2, 8*(off+4)(block);  \
-	MOVOU X3, 8*(off+6)(block);  \
-	MOVOU X4, 8*(off+8)(block);  \
-	MOVOU X5, 8*(off+10)(block); \
-	MOVOU X6, 8*(off+12)(block); \
-	MOVOU X7, 8*(off+14)(block)
-
-#define LOAD_MSG_1(block, off) \
-	MOVOU 8*off+0*8(block), X0;  \
-	MOVOU 8*off+16*8(block), X1; \
-	MOVOU 8*off+32*8(block), X2; \
-	MOVOU 8*off+48*8(block), X3; \
-	MOVOU 8*off+64*8(block), X4; \
-	MOVOU 8*off+80*8(block), X5; \
-	MOVOU 8*off+96*8(block), X6; \
-	MOVOU 8*off+112*8(block), X7
-
-#define STORE_MSG_1(block, off) \
-	MOVOU X0, 8*off+0*8(block);  \
-	MOVOU X1, 8*off+16*8(block); \
-	MOVOU X2, 8*off+32*8(block); \
-	MOVOU X3, 8*off+48*8(block); \
-	MOVOU X4, 8*off+64*8(block); \
-	MOVOU X5, 8*off+80*8(block); \
-	MOVOU X6, 8*off+96*8(block); \
-	MOVOU X7, 8*off+112*8(block)
-
-#define BLAMKA_ROUND_0(block, off, t0, t1, c40, c48) \
-	LOAD_MSG_0(block, off);                                   \
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, t0, c40, c48); \
-	SHUFFLE(X2, X3, X4, X5, X6, X7, t0, t1);                  \
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, t0, c40, c48); \
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, t0, t1);              \
-	STORE_MSG_0(block, off)
-
-#define BLAMKA_ROUND_1(block, off, t0, t1, c40, c48) \
-	LOAD_MSG_1(block, off);                                   \
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, t0, c40, c48); \
-	SHUFFLE(X2, X3, X4, X5, X6, X7, t0, t1);                  \
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, t0, c40, c48); \
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, t0, t1);              \
-	STORE_MSG_1(block, off)
-
-// func blamkaSSE4(b *block)
-TEXT ·blamkaSSE4(SB), 4, $0-8
-	MOVQ b+0(FP), AX
-
-	MOVOU ·c40<>(SB), X10
-	MOVOU ·c48<>(SB), X11
-
-	BLAMKA_ROUND_0(AX, 0, X8, X9, X10, X11)
-	BLAMKA_ROUND_0(AX, 16, X8, X9, X10, X11)
-	BLAMKA_ROUND_0(AX, 32, X8, X9, X10, X11)
-	BLAMKA_ROUND_0(AX, 48, X8, X9, X10, X11)
-	BLAMKA_ROUND_0(AX, 64, X8, X9, X10, X11)
-	BLAMKA_ROUND_0(AX, 80, X8, X9, X10, X11)
-	BLAMKA_ROUND_0(AX, 96, X8, X9, X10, X11)
-	BLAMKA_ROUND_0(AX, 112, X8, X9, X10, X11)
-
-	BLAMKA_ROUND_1(AX, 0, X8, X9, X10, X11)
-	BLAMKA_ROUND_1(AX, 2, X8, X9, X10, X11)
-	BLAMKA_ROUND_1(AX, 4, X8, X9, X10, X11)
-	BLAMKA_ROUND_1(AX, 6, X8, X9, X10, X11)
-	BLAMKA_ROUND_1(AX, 8, X8, X9, X10, X11)
-	BLAMKA_ROUND_1(AX, 10, X8, X9, X10, X11)
-	BLAMKA_ROUND_1(AX, 12, X8, X9, X10, X11)
-	BLAMKA_ROUND_1(AX, 14, X8, X9, X10, X11)
-	RET
-
-// func mixBlocksSSE2(out, a, b, c *block)
-TEXT ·mixBlocksSSE2(SB), 4, $0-32
-	MOVQ out+0(FP), DX
-	MOVQ a+8(FP), AX
-	MOVQ b+16(FP), BX
-	MOVQ a+24(FP), CX
-	MOVQ $128, BP
-
-loop:
-	MOVOU 0(AX), X0
-	MOVOU 0(BX), X1
-	MOVOU 0(CX), X2
-	PXOR  X1, X0
-	PXOR  X2, X0
-	MOVOU X0, 0(DX)
-	ADDQ  $16, AX
-	ADDQ  $16, BX
-	ADDQ  $16, CX
-	ADDQ  $16, DX
-	SUBQ  $2, BP
-	JA    loop
-	RET
-
-// func xorBlocksSSE2(out, a, b, c *block)
-TEXT ·xorBlocksSSE2(SB), 4, $0-32
-	MOVQ out+0(FP), DX
-	MOVQ a+8(FP), AX
-	MOVQ b+16(FP), BX
-	MOVQ a+24(FP), CX
-	MOVQ $128, BP
-
-loop:
-	MOVOU 0(AX), X0
-	MOVOU 0(BX), X1
-	MOVOU 0(CX), X2
-	MOVOU 0(DX), X3
-	PXOR  X1, X0
-	PXOR  X2, X0
-	PXOR  X3, X0
-	MOVOU X0, 0(DX)
-	ADDQ  $16, AX
-	ADDQ  $16, BX
-	ADDQ  $16, CX
-	ADDQ  $16, DX
-	SUBQ  $2, BP
-	JA    loop
-	RET
-
-// func supportsSSE4() bool
-TEXT ·supportsSSE4(SB), 4, $0-1
-	MOVL $1, AX
-	CPUID
-	SHRL $19, CX       // Bit 19 indicates SSE4 support
-	ANDL $1, CX        // CX != 0 if support SSE4
-	MOVB CX, ret+0(FP)
-	RET
diff --git a/vendor/golang.org/x/crypto/argon2/blamka_generic.go b/vendor/golang.org/x/crypto/argon2/blamka_generic.go
deleted file mode 100644
index a481b224..00000000
--- a/vendor/golang.org/x/crypto/argon2/blamka_generic.go
+++ /dev/null
@@ -1,163 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package argon2
-
-var useSSE4 bool
-
-func processBlockGeneric(out, in1, in2 *block, xor bool) {
-	var t block
-	for i := range t {
-		t[i] = in1[i] ^ in2[i]
-	}
-	for i := 0; i < blockLength; i += 16 {
-		blamkaGeneric(
-			&t[i+0], &t[i+1], &t[i+2], &t[i+3],
-			&t[i+4], &t[i+5], &t[i+6], &t[i+7],
-			&t[i+8], &t[i+9], &t[i+10], &t[i+11],
-			&t[i+12], &t[i+13], &t[i+14], &t[i+15],
-		)
-	}
-	for i := 0; i < blockLength/8; i += 2 {
-		blamkaGeneric(
-			&t[i], &t[i+1], &t[16+i], &t[16+i+1],
-			&t[32+i], &t[32+i+1], &t[48+i], &t[48+i+1],
-			&t[64+i], &t[64+i+1], &t[80+i], &t[80+i+1],
-			&t[96+i], &t[96+i+1], &t[112+i], &t[112+i+1],
-		)
-	}
-	if xor {
-		for i := range t {
-			out[i] ^= in1[i] ^ in2[i] ^ t[i]
-		}
-	} else {
-		for i := range t {
-			out[i] = in1[i] ^ in2[i] ^ t[i]
-		}
-	}
-}
-
-func blamkaGeneric(t00, t01, t02, t03, t04, t05, t06, t07, t08, t09, t10, t11, t12, t13, t14, t15 *uint64) {
-	v00, v01, v02, v03 := *t00, *t01, *t02, *t03
-	v04, v05, v06, v07 := *t04, *t05, *t06, *t07
-	v08, v09, v10, v11 := *t08, *t09, *t10, *t11
-	v12, v13, v14, v15 := *t12, *t13, *t14, *t15
-
-	v00 += v04 + 2*uint64(uint32(v00))*uint64(uint32(v04))
-	v12 ^= v00
-	v12 = v12>>32 | v12<<32
-	v08 += v12 + 2*uint64(uint32(v08))*uint64(uint32(v12))
-	v04 ^= v08
-	v04 = v04>>24 | v04<<40
-
-	v00 += v04 + 2*uint64(uint32(v00))*uint64(uint32(v04))
-	v12 ^= v00
-	v12 = v12>>16 | v12<<48
-	v08 += v12 + 2*uint64(uint32(v08))*uint64(uint32(v12))
-	v04 ^= v08
-	v04 = v04>>63 | v04<<1
-
-	v01 += v05 + 2*uint64(uint32(v01))*uint64(uint32(v05))
-	v13 ^= v01
-	v13 = v13>>32 | v13<<32
-	v09 += v13 + 2*uint64(uint32(v09))*uint64(uint32(v13))
-	v05 ^= v09
-	v05 = v05>>24 | v05<<40
-
-	v01 += v05 + 2*uint64(uint32(v01))*uint64(uint32(v05))
-	v13 ^= v01
-	v13 = v13>>16 | v13<<48
-	v09 += v13 + 2*uint64(uint32(v09))*uint64(uint32(v13))
-	v05 ^= v09
-	v05 = v05>>63 | v05<<1
-
-	v02 += v06 + 2*uint64(uint32(v02))*uint64(uint32(v06))
-	v14 ^= v02
-	v14 = v14>>32 | v14<<32
-	v10 += v14 + 2*uint64(uint32(v10))*uint64(uint32(v14))
-	v06 ^= v10
-	v06 = v06>>24 | v06<<40
-
-	v02 += v06 + 2*uint64(uint32(v02))*uint64(uint32(v06))
-	v14 ^= v02
-	v14 = v14>>16 | v14<<48
-	v10 += v14 + 2*uint64(uint32(v10))*uint64(uint32(v14))
-	v06 ^= v10
-	v06 = v06>>63 | v06<<1
-
-	v03 += v07 + 2*uint64(uint32(v03))*uint64(uint32(v07))
-	v15 ^= v03
-	v15 = v15>>32 | v15<<32
-	v11 += v15 + 2*uint64(uint32(v11))*uint64(uint32(v15))
-	v07 ^= v11
-	v07 = v07>>24 | v07<<40
-
-	v03 += v07 + 2*uint64(uint32(v03))*uint64(uint32(v07))
-	v15 ^= v03
-	v15 = v15>>16 | v15<<48
-	v11 += v15 + 2*uint64(uint32(v11))*uint64(uint32(v15))
-	v07 ^= v11
-	v07 = v07>>63 | v07<<1
-
-	v00 += v05 + 2*uint64(uint32(v00))*uint64(uint32(v05))
-	v15 ^= v00
-	v15 = v15>>32 | v15<<32
-	v10 += v15 + 2*uint64(uint32(v10))*uint64(uint32(v15))
-	v05 ^= v10
-	v05 = v05>>24 | v05<<40
-
-	v00 += v05 + 2*uint64(uint32(v00))*uint64(uint32(v05))
-	v15 ^= v00
-	v15 = v15>>16 | v15<<48
-	v10 += v15 + 2*uint64(uint32(v10))*uint64(uint32(v15))
-	v05 ^= v10
-	v05 = v05>>63 | v05<<1
-
-	v01 += v06 + 2*uint64(uint32(v01))*uint64(uint32(v06))
-	v12 ^= v01
-	v12 = v12>>32 | v12<<32
-	v11 += v12 + 2*uint64(uint32(v11))*uint64(uint32(v12))
-	v06 ^= v11
-	v06 = v06>>24 | v06<<40
-
-	v01 += v06 + 2*uint64(uint32(v01))*uint64(uint32(v06))
-	v12 ^= v01
-	v12 = v12>>16 | v12<<48
-	v11 += v12 + 2*uint64(uint32(v11))*uint64(uint32(v12))
-	v06 ^= v11
-	v06 = v06>>63 | v06<<1
-
-	v02 += v07 + 2*uint64(uint32(v02))*uint64(uint32(v07))
-	v13 ^= v02
-	v13 = v13>>32 | v13<<32
-	v08 += v13 + 2*uint64(uint32(v08))*uint64(uint32(v13))
-	v07 ^= v08
-	v07 = v07>>24 | v07<<40
-
-	v02 += v07 + 2*uint64(uint32(v02))*uint64(uint32(v07))
-	v13 ^= v02
-	v13 = v13>>16 | v13<<48
-	v08 += v13 + 2*uint64(uint32(v08))*uint64(uint32(v13))
-	v07 ^= v08
-	v07 = v07>>63 | v07<<1
-
-	v03 += v04 + 2*uint64(uint32(v03))*uint64(uint32(v04))
-	v14 ^= v03
-	v14 = v14>>32 | v14<<32
-	v09 += v14 + 2*uint64(uint32(v09))*uint64(uint32(v14))
-	v04 ^= v09
-	v04 = v04>>24 | v04<<40
-
-	v03 += v04 + 2*uint64(uint32(v03))*uint64(uint32(v04))
-	v14 ^= v03
-	v14 = v14>>16 | v14<<48
-	v09 += v14 + 2*uint64(uint32(v09))*uint64(uint32(v14))
-	v04 ^= v09
-	v04 = v04>>63 | v04<<1
-
-	*t00, *t01, *t02, *t03 = v00, v01, v02, v03
-	*t04, *t05, *t06, *t07 = v04, v05, v06, v07
-	*t08, *t09, *t10, *t11 = v08, v09, v10, v11
-	*t12, *t13, *t14, *t15 = v12, v13, v14, v15
-}
diff --git a/vendor/golang.org/x/crypto/argon2/blamka_ref.go b/vendor/golang.org/x/crypto/argon2/blamka_ref.go
deleted file mode 100644
index baf7b551..00000000
--- a/vendor/golang.org/x/crypto/argon2/blamka_ref.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !amd64 appengine gccgo
-
-package argon2
-
-func processBlock(out, in1, in2 *block) {
-	processBlockGeneric(out, in1, in2, false)
-}
-
-func processBlockXOR(out, in1, in2 *block) {
-	processBlockGeneric(out, in1, in2, true)
-}
diff --git a/vendor/golang.org/x/crypto/bcrypt/bcrypt_test.go b/vendor/golang.org/x/crypto/bcrypt/bcrypt_test.go
deleted file mode 100644
index aecf759e..00000000
--- a/vendor/golang.org/x/crypto/bcrypt/bcrypt_test.go
+++ /dev/null
@@ -1,243 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bcrypt
-
-import (
-	"bytes"
-	"fmt"
-	"testing"
-)
-
-func TestBcryptingIsEasy(t *testing.T) {
-	pass := []byte("mypassword")
-	hp, err := GenerateFromPassword(pass, 0)
-	if err != nil {
-		t.Fatalf("GenerateFromPassword error: %s", err)
-	}
-
-	if CompareHashAndPassword(hp, pass) != nil {
-		t.Errorf("%v should hash %s correctly", hp, pass)
-	}
-
-	notPass := "notthepass"
-	err = CompareHashAndPassword(hp, []byte(notPass))
-	if err != ErrMismatchedHashAndPassword {
-		t.Errorf("%v and %s should be mismatched", hp, notPass)
-	}
-}
-
-func TestBcryptingIsCorrect(t *testing.T) {
-	pass := []byte("allmine")
-	salt := []byte("XajjQvNhvvRt5GSeFk1xFe")
-	expectedHash := []byte("$2a$10$XajjQvNhvvRt5GSeFk1xFeyqRrsxkhBkUiQeg0dt.wU1qD4aFDcga")
-
-	hash, err := bcrypt(pass, 10, salt)
-	if err != nil {
-		t.Fatalf("bcrypt blew up: %v", err)
-	}
-	if !bytes.HasSuffix(expectedHash, hash) {
-		t.Errorf("%v should be the suffix of %v", hash, expectedHash)
-	}
-
-	h, err := newFromHash(expectedHash)
-	if err != nil {
-		t.Errorf("Unable to parse %s: %v", string(expectedHash), err)
-	}
-
-	// This is not the safe way to compare these hashes. We do this only for
-	// testing clarity. Use bcrypt.CompareHashAndPassword()
-	if err == nil && !bytes.Equal(expectedHash, h.Hash()) {
-		t.Errorf("Parsed hash %v should equal %v", h.Hash(), expectedHash)
-	}
-}
-
-func TestVeryShortPasswords(t *testing.T) {
-	key := []byte("k")
-	salt := []byte("XajjQvNhvvRt5GSeFk1xFe")
-	_, err := bcrypt(key, 10, salt)
-	if err != nil {
-		t.Errorf("One byte key resulted in error: %s", err)
-	}
-}
-
-func TestTooLongPasswordsWork(t *testing.T) {
-	salt := []byte("XajjQvNhvvRt5GSeFk1xFe")
-	// One byte over the usual 56 byte limit that blowfish has
-	tooLongPass := []byte("012345678901234567890123456789012345678901234567890123456")
-	tooLongExpected := []byte("$2a$10$XajjQvNhvvRt5GSeFk1xFe5l47dONXg781AmZtd869sO8zfsHuw7C")
-	hash, err := bcrypt(tooLongPass, 10, salt)
-	if err != nil {
-		t.Fatalf("bcrypt blew up on long password: %v", err)
-	}
-	if !bytes.HasSuffix(tooLongExpected, hash) {
-		t.Errorf("%v should be the suffix of %v", hash, tooLongExpected)
-	}
-}
-
-type InvalidHashTest struct {
-	err  error
-	hash []byte
-}
-
-var invalidTests = []InvalidHashTest{
-	{ErrHashTooShort, []byte("$2a$10$fooo")},
-	{ErrHashTooShort, []byte("$2a")},
-	{HashVersionTooNewError('3'), []byte("$3a$10$sssssssssssssssssssssshhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh")},
-	{InvalidHashPrefixError('%'), []byte("%2a$10$sssssssssssssssssssssshhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh")},
-	{InvalidCostError(32), []byte("$2a$32$sssssssssssssssssssssshhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh")},
-}
-
-func TestInvalidHashErrors(t *testing.T) {
-	check := func(name string, expected, err error) {
-		if err == nil {
-			t.Errorf("%s: Should have returned an error", name)
-		}
-		if err != nil && err != expected {
-			t.Errorf("%s gave err %v but should have given %v", name, err, expected)
-		}
-	}
-	for _, iht := range invalidTests {
-		_, err := newFromHash(iht.hash)
-		check("newFromHash", iht.err, err)
-		err = CompareHashAndPassword(iht.hash, []byte("anything"))
-		check("CompareHashAndPassword", iht.err, err)
-	}
-}
-
-func TestUnpaddedBase64Encoding(t *testing.T) {
-	original := []byte{101, 201, 101, 75, 19, 227, 199, 20, 239, 236, 133, 32, 30, 109, 243, 30}
-	encodedOriginal := []byte("XajjQvNhvvRt5GSeFk1xFe")
-
-	encoded := base64Encode(original)
-
-	if !bytes.Equal(encodedOriginal, encoded) {
-		t.Errorf("Encoded %v should have equaled %v", encoded, encodedOriginal)
-	}
-
-	decoded, err := base64Decode(encodedOriginal)
-	if err != nil {
-		t.Fatalf("base64Decode blew up: %s", err)
-	}
-
-	if !bytes.Equal(decoded, original) {
-		t.Errorf("Decoded %v should have equaled %v", decoded, original)
-	}
-}
-
-func TestCost(t *testing.T) {
-	suffix := "XajjQvNhvvRt5GSeFk1xFe5l47dONXg781AmZtd869sO8zfsHuw7C"
-	for _, vers := range []string{"2a", "2"} {
-		for _, cost := range []int{4, 10} {
-			s := fmt.Sprintf("$%s$%02d$%s", vers, cost, suffix)
-			h := []byte(s)
-			actual, err := Cost(h)
-			if err != nil {
-				t.Errorf("Cost, error: %s", err)
-				continue
-			}
-			if actual != cost {
-				t.Errorf("Cost, expected: %d, actual: %d", cost, actual)
-			}
-		}
-	}
-	_, err := Cost([]byte("$a$a$" + suffix))
-	if err == nil {
-		t.Errorf("Cost, malformed but no error returned")
-	}
-}
-
-func TestCostValidationInHash(t *testing.T) {
-	if testing.Short() {
-		return
-	}
-
-	pass := []byte("mypassword")
-
-	for c := 0; c < MinCost; c++ {
-		p, _ := newFromPassword(pass, c)
-		if p.cost != DefaultCost {
-			t.Errorf("newFromPassword should default costs below %d to %d, but was %d", MinCost, DefaultCost, p.cost)
-		}
-	}
-
-	p, _ := newFromPassword(pass, 14)
-	if p.cost != 14 {
-		t.Errorf("newFromPassword should default cost to 14, but was %d", p.cost)
-	}
-
-	hp, _ := newFromHash(p.Hash())
-	if p.cost != hp.cost {
-		t.Errorf("newFromHash should maintain the cost at %d, but was %d", p.cost, hp.cost)
-	}
-
-	_, err := newFromPassword(pass, 32)
-	if err == nil {
-		t.Fatalf("newFromPassword: should return a cost error")
-	}
-	if err != InvalidCostError(32) {
-		t.Errorf("newFromPassword: should return cost error, got %#v", err)
-	}
-}
-
-func TestCostReturnsWithLeadingZeroes(t *testing.T) {
-	hp, _ := newFromPassword([]byte("abcdefgh"), 7)
-	cost := hp.Hash()[4:7]
-	expected := []byte("07$")
-
-	if !bytes.Equal(expected, cost) {
-		t.Errorf("single digit costs in hash should have leading zeros: was %v instead of %v", cost, expected)
-	}
-}
-
-func TestMinorNotRequired(t *testing.T) {
-	noMinorHash := []byte("$2$10$XajjQvNhvvRt5GSeFk1xFeyqRrsxkhBkUiQeg0dt.wU1qD4aFDcga")
-	h, err := newFromHash(noMinorHash)
-	if err != nil {
-		t.Fatalf("No minor hash blew up: %s", err)
-	}
-	if h.minor != 0 {
-		t.Errorf("Should leave minor version at 0, but was %d", h.minor)
-	}
-
-	if !bytes.Equal(noMinorHash, h.Hash()) {
-		t.Errorf("Should generate hash %v, but created %v", noMinorHash, h.Hash())
-	}
-}
-
-func BenchmarkEqual(b *testing.B) {
-	b.StopTimer()
-	passwd := []byte("somepasswordyoulike")
-	hash, _ := GenerateFromPassword(passwd, 10)
-	b.StartTimer()
-	for i := 0; i < b.N; i++ {
-		CompareHashAndPassword(hash, passwd)
-	}
-}
-
-func BenchmarkGeneration(b *testing.B) {
-	b.StopTimer()
-	passwd := []byte("mylongpassword1234")
-	b.StartTimer()
-	for i := 0; i < b.N; i++ {
-		GenerateFromPassword(passwd, 10)
-	}
-}
-
-// See Issue https://github.com/golang/go/issues/20425.
-func TestNoSideEffectsFromCompare(t *testing.T) {
-	source := []byte("passw0rd123456")
-	password := source[:len(source)-6]
-	token := source[len(source)-6:]
-	want := make([]byte, len(source))
-	copy(want, source)
-
-	wantHash := []byte("$2a$10$LK9XRuhNxHHCvjX3tdkRKei1QiCDUKrJRhZv7WWZPuQGRUM92rOUa")
-	_ = CompareHashAndPassword(wantHash, password)
-
-	got := bytes.Join([][]byte{password, token}, []byte(""))
-	if !bytes.Equal(got, want) {
-		t.Errorf("got=%q want=%q", got, want)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b.go b/vendor/golang.org/x/crypto/blake2b/blake2b.go
deleted file mode 100644
index 6dedb894..00000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2b.go
+++ /dev/null
@@ -1,221 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package blake2b implements the BLAKE2b hash algorithm defined by RFC 7693
-// and the extendable output function (XOF) BLAKE2Xb.
-//
-// For a detailed specification of BLAKE2b see https://blake2.net/blake2.pdf
-// and for BLAKE2Xb see https://blake2.net/blake2x.pdf
-//
-// If you aren't sure which function you need, use BLAKE2b (Sum512 or New512).
-// If you need a secret-key MAC (message authentication code), use the New512
-// function with a non-nil key.
-//
-// BLAKE2X is a construction to compute hash values larger than 64 bytes. It
-// can produce hash values between 0 and 4 GiB.
-package blake2b
-
-import (
-	"encoding/binary"
-	"errors"
-	"hash"
-)
-
-const (
-	// The blocksize of BLAKE2b in bytes.
-	BlockSize = 128
-	// The hash size of BLAKE2b-512 in bytes.
-	Size = 64
-	// The hash size of BLAKE2b-384 in bytes.
-	Size384 = 48
-	// The hash size of BLAKE2b-256 in bytes.
-	Size256 = 32
-)
-
-var (
-	useAVX2 bool
-	useAVX  bool
-	useSSE4 bool
-)
-
-var (
-	errKeySize  = errors.New("blake2b: invalid key size")
-	errHashSize = errors.New("blake2b: invalid hash size")
-)
-
-var iv = [8]uint64{
-	0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
-	0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179,
-}
-
-// Sum512 returns the BLAKE2b-512 checksum of the data.
-func Sum512(data []byte) [Size]byte {
-	var sum [Size]byte
-	checkSum(&sum, Size, data)
-	return sum
-}
-
-// Sum384 returns the BLAKE2b-384 checksum of the data.
-func Sum384(data []byte) [Size384]byte {
-	var sum [Size]byte
-	var sum384 [Size384]byte
-	checkSum(&sum, Size384, data)
-	copy(sum384[:], sum[:Size384])
-	return sum384
-}
-
-// Sum256 returns the BLAKE2b-256 checksum of the data.
-func Sum256(data []byte) [Size256]byte {
-	var sum [Size]byte
-	var sum256 [Size256]byte
-	checkSum(&sum, Size256, data)
-	copy(sum256[:], sum[:Size256])
-	return sum256
-}
-
-// New512 returns a new hash.Hash computing the BLAKE2b-512 checksum. A non-nil
-// key turns the hash into a MAC. The key must between zero and 64 bytes long.
-func New512(key []byte) (hash.Hash, error) { return newDigest(Size, key) }
-
-// New384 returns a new hash.Hash computing the BLAKE2b-384 checksum. A non-nil
-// key turns the hash into a MAC. The key must between zero and 64 bytes long.
-func New384(key []byte) (hash.Hash, error) { return newDigest(Size384, key) }
-
-// New256 returns a new hash.Hash computing the BLAKE2b-256 checksum. A non-nil
-// key turns the hash into a MAC. The key must between zero and 64 bytes long.
-func New256(key []byte) (hash.Hash, error) { return newDigest(Size256, key) }
-
-// New returns a new hash.Hash computing the BLAKE2b checksum with a custom length.
-// A non-nil key turns the hash into a MAC. The key must between zero and 64 bytes long.
-// The hash size can be a value between 1 and 64 but it is highly recommended to use
-// values equal or greater than:
-// - 32 if BLAKE2b is used as a hash function (The key is zero bytes long).
-// - 16 if BLAKE2b is used as a MAC function (The key is at least 16 bytes long).
-func New(size int, key []byte) (hash.Hash, error) { return newDigest(size, key) }
-
-func newDigest(hashSize int, key []byte) (*digest, error) {
-	if hashSize < 1 || hashSize > Size {
-		return nil, errHashSize
-	}
-	if len(key) > Size {
-		return nil, errKeySize
-	}
-	d := &digest{
-		size:   hashSize,
-		keyLen: len(key),
-	}
-	copy(d.key[:], key)
-	d.Reset()
-	return d, nil
-}
-
-func checkSum(sum *[Size]byte, hashSize int, data []byte) {
-	h := iv
-	h[0] ^= uint64(hashSize) | (1 << 16) | (1 << 24)
-	var c [2]uint64
-
-	if length := len(data); length > BlockSize {
-		n := length &^ (BlockSize - 1)
-		if length == n {
-			n -= BlockSize
-		}
-		hashBlocks(&h, &c, 0, data[:n])
-		data = data[n:]
-	}
-
-	var block [BlockSize]byte
-	offset := copy(block[:], data)
-	remaining := uint64(BlockSize - offset)
-	if c[0] < remaining {
-		c[1]--
-	}
-	c[0] -= remaining
-
-	hashBlocks(&h, &c, 0xFFFFFFFFFFFFFFFF, block[:])
-
-	for i, v := range h[:(hashSize+7)/8] {
-		binary.LittleEndian.PutUint64(sum[8*i:], v)
-	}
-}
-
-type digest struct {
-	h      [8]uint64
-	c      [2]uint64
-	size   int
-	block  [BlockSize]byte
-	offset int
-
-	key    [BlockSize]byte
-	keyLen int
-}
-
-func (d *digest) BlockSize() int { return BlockSize }
-
-func (d *digest) Size() int { return d.size }
-
-func (d *digest) Reset() {
-	d.h = iv
-	d.h[0] ^= uint64(d.size) | (uint64(d.keyLen) << 8) | (1 << 16) | (1 << 24)
-	d.offset, d.c[0], d.c[1] = 0, 0, 0
-	if d.keyLen > 0 {
-		d.block = d.key
-		d.offset = BlockSize
-	}
-}
-
-func (d *digest) Write(p []byte) (n int, err error) {
-	n = len(p)
-
-	if d.offset > 0 {
-		remaining := BlockSize - d.offset
-		if n <= remaining {
-			d.offset += copy(d.block[d.offset:], p)
-			return
-		}
-		copy(d.block[d.offset:], p[:remaining])
-		hashBlocks(&d.h, &d.c, 0, d.block[:])
-		d.offset = 0
-		p = p[remaining:]
-	}
-
-	if length := len(p); length > BlockSize {
-		nn := length &^ (BlockSize - 1)
-		if length == nn {
-			nn -= BlockSize
-		}
-		hashBlocks(&d.h, &d.c, 0, p[:nn])
-		p = p[nn:]
-	}
-
-	if len(p) > 0 {
-		d.offset += copy(d.block[:], p)
-	}
-
-	return
-}
-
-func (d *digest) Sum(sum []byte) []byte {
-	var hash [Size]byte
-	d.finalize(&hash)
-	return append(sum, hash[:d.size]...)
-}
-
-func (d *digest) finalize(hash *[Size]byte) {
-	var block [BlockSize]byte
-	copy(block[:], d.block[:d.offset])
-	remaining := uint64(BlockSize - d.offset)
-
-	c := d.c
-	if c[0] < remaining {
-		c[1]--
-	}
-	c[0] -= remaining
-
-	h := d.h
-	hashBlocks(&h, &c, 0xFFFFFFFFFFFFFFFF, block[:])
-
-	for i, v := range h {
-		binary.LittleEndian.PutUint64(hash[8*i:], v)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.go b/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.go
deleted file mode 100644
index 8c41cf6c..00000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.7,amd64,!gccgo,!appengine
-
-package blake2b
-
-func init() {
-	useAVX2 = supportsAVX2()
-	useAVX = supportsAVX()
-	useSSE4 = supportsSSE4()
-}
-
-//go:noescape
-func supportsSSE4() bool
-
-//go:noescape
-func supportsAVX() bool
-
-//go:noescape
-func supportsAVX2() bool
-
-//go:noescape
-func hashBlocksAVX2(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-
-//go:noescape
-func hashBlocksAVX(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-
-//go:noescape
-func hashBlocksSSE4(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-
-func hashBlocks(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
-	if useAVX2 {
-		hashBlocksAVX2(h, c, flag, blocks)
-	} else if useAVX {
-		hashBlocksAVX(h, c, flag, blocks)
-	} else if useSSE4 {
-		hashBlocksSSE4(h, c, flag, blocks)
-	} else {
-		hashBlocksGeneric(h, c, flag, blocks)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.s b/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.s
deleted file mode 100644
index 784bce6a..00000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.s
+++ /dev/null
@@ -1,762 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.7,amd64,!gccgo,!appengine
-
-#include "textflag.h"
-
-DATA ·AVX2_iv0<>+0x00(SB)/8, $0x6a09e667f3bcc908
-DATA ·AVX2_iv0<>+0x08(SB)/8, $0xbb67ae8584caa73b
-DATA ·AVX2_iv0<>+0x10(SB)/8, $0x3c6ef372fe94f82b
-DATA ·AVX2_iv0<>+0x18(SB)/8, $0xa54ff53a5f1d36f1
-GLOBL ·AVX2_iv0<>(SB), (NOPTR+RODATA), $32
-
-DATA ·AVX2_iv1<>+0x00(SB)/8, $0x510e527fade682d1
-DATA ·AVX2_iv1<>+0x08(SB)/8, $0x9b05688c2b3e6c1f
-DATA ·AVX2_iv1<>+0x10(SB)/8, $0x1f83d9abfb41bd6b
-DATA ·AVX2_iv1<>+0x18(SB)/8, $0x5be0cd19137e2179
-GLOBL ·AVX2_iv1<>(SB), (NOPTR+RODATA), $32
-
-DATA ·AVX2_c40<>+0x00(SB)/8, $0x0201000706050403
-DATA ·AVX2_c40<>+0x08(SB)/8, $0x0a09080f0e0d0c0b
-DATA ·AVX2_c40<>+0x10(SB)/8, $0x0201000706050403
-DATA ·AVX2_c40<>+0x18(SB)/8, $0x0a09080f0e0d0c0b
-GLOBL ·AVX2_c40<>(SB), (NOPTR+RODATA), $32
-
-DATA ·AVX2_c48<>+0x00(SB)/8, $0x0100070605040302
-DATA ·AVX2_c48<>+0x08(SB)/8, $0x09080f0e0d0c0b0a
-DATA ·AVX2_c48<>+0x10(SB)/8, $0x0100070605040302
-DATA ·AVX2_c48<>+0x18(SB)/8, $0x09080f0e0d0c0b0a
-GLOBL ·AVX2_c48<>(SB), (NOPTR+RODATA), $32
-
-DATA ·AVX_iv0<>+0x00(SB)/8, $0x6a09e667f3bcc908
-DATA ·AVX_iv0<>+0x08(SB)/8, $0xbb67ae8584caa73b
-GLOBL ·AVX_iv0<>(SB), (NOPTR+RODATA), $16
-
-DATA ·AVX_iv1<>+0x00(SB)/8, $0x3c6ef372fe94f82b
-DATA ·AVX_iv1<>+0x08(SB)/8, $0xa54ff53a5f1d36f1
-GLOBL ·AVX_iv1<>(SB), (NOPTR+RODATA), $16
-
-DATA ·AVX_iv2<>+0x00(SB)/8, $0x510e527fade682d1
-DATA ·AVX_iv2<>+0x08(SB)/8, $0x9b05688c2b3e6c1f
-GLOBL ·AVX_iv2<>(SB), (NOPTR+RODATA), $16
-
-DATA ·AVX_iv3<>+0x00(SB)/8, $0x1f83d9abfb41bd6b
-DATA ·AVX_iv3<>+0x08(SB)/8, $0x5be0cd19137e2179
-GLOBL ·AVX_iv3<>(SB), (NOPTR+RODATA), $16
-
-DATA ·AVX_c40<>+0x00(SB)/8, $0x0201000706050403
-DATA ·AVX_c40<>+0x08(SB)/8, $0x0a09080f0e0d0c0b
-GLOBL ·AVX_c40<>(SB), (NOPTR+RODATA), $16
-
-DATA ·AVX_c48<>+0x00(SB)/8, $0x0100070605040302
-DATA ·AVX_c48<>+0x08(SB)/8, $0x09080f0e0d0c0b0a
-GLOBL ·AVX_c48<>(SB), (NOPTR+RODATA), $16
-
-#define VPERMQ_0x39_Y1_Y1 BYTE $0xc4; BYTE $0xe3; BYTE $0xfd; BYTE $0x00; BYTE $0xc9; BYTE $0x39
-#define VPERMQ_0x93_Y1_Y1 BYTE $0xc4; BYTE $0xe3; BYTE $0xfd; BYTE $0x00; BYTE $0xc9; BYTE $0x93
-#define VPERMQ_0x4E_Y2_Y2 BYTE $0xc4; BYTE $0xe3; BYTE $0xfd; BYTE $0x00; BYTE $0xd2; BYTE $0x4e
-#define VPERMQ_0x93_Y3_Y3 BYTE $0xc4; BYTE $0xe3; BYTE $0xfd; BYTE $0x00; BYTE $0xdb; BYTE $0x93
-#define VPERMQ_0x39_Y3_Y3 BYTE $0xc4; BYTE $0xe3; BYTE $0xfd; BYTE $0x00; BYTE $0xdb; BYTE $0x39
-
-#define ROUND_AVX2(m0, m1, m2, m3, t, c40, c48) \
-	VPADDQ  m0, Y0, Y0;   \
-	VPADDQ  Y1, Y0, Y0;   \
-	VPXOR   Y0, Y3, Y3;   \
-	VPSHUFD $-79, Y3, Y3; \
-	VPADDQ  Y3, Y2, Y2;   \
-	VPXOR   Y2, Y1, Y1;   \
-	VPSHUFB c40, Y1, Y1;  \
-	VPADDQ  m1, Y0, Y0;   \
-	VPADDQ  Y1, Y0, Y0;   \
-	VPXOR   Y0, Y3, Y3;   \
-	VPSHUFB c48, Y3, Y3;  \
-	VPADDQ  Y3, Y2, Y2;   \
-	VPXOR   Y2, Y1, Y1;   \
-	VPADDQ  Y1, Y1, t;    \
-	VPSRLQ  $63, Y1, Y1;  \
-	VPXOR   t, Y1, Y1;    \
-	VPERMQ_0x39_Y1_Y1;    \
-	VPERMQ_0x4E_Y2_Y2;    \
-	VPERMQ_0x93_Y3_Y3;    \
-	VPADDQ  m2, Y0, Y0;   \
-	VPADDQ  Y1, Y0, Y0;   \
-	VPXOR   Y0, Y3, Y3;   \
-	VPSHUFD $-79, Y3, Y3; \
-	VPADDQ  Y3, Y2, Y2;   \
-	VPXOR   Y2, Y1, Y1;   \
-	VPSHUFB c40, Y1, Y1;  \
-	VPADDQ  m3, Y0, Y0;   \
-	VPADDQ  Y1, Y0, Y0;   \
-	VPXOR   Y0, Y3, Y3;   \
-	VPSHUFB c48, Y3, Y3;  \
-	VPADDQ  Y3, Y2, Y2;   \
-	VPXOR   Y2, Y1, Y1;   \
-	VPADDQ  Y1, Y1, t;    \
-	VPSRLQ  $63, Y1, Y1;  \
-	VPXOR   t, Y1, Y1;    \
-	VPERMQ_0x39_Y3_Y3;    \
-	VPERMQ_0x4E_Y2_Y2;    \
-	VPERMQ_0x93_Y1_Y1
-
-#define VMOVQ_SI_X11_0 BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x1E
-#define VMOVQ_SI_X12_0 BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x26
-#define VMOVQ_SI_X13_0 BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x2E
-#define VMOVQ_SI_X14_0 BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x36
-#define VMOVQ_SI_X15_0 BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x3E
-
-#define VMOVQ_SI_X11(n) BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x5E; BYTE $n
-#define VMOVQ_SI_X12(n) BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x66; BYTE $n
-#define VMOVQ_SI_X13(n) BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x6E; BYTE $n
-#define VMOVQ_SI_X14(n) BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x76; BYTE $n
-#define VMOVQ_SI_X15(n) BYTE $0xC5; BYTE $0x7A; BYTE $0x7E; BYTE $0x7E; BYTE $n
-
-#define VPINSRQ_1_SI_X11_0 BYTE $0xC4; BYTE $0x63; BYTE $0xA1; BYTE $0x22; BYTE $0x1E; BYTE $0x01
-#define VPINSRQ_1_SI_X12_0 BYTE $0xC4; BYTE $0x63; BYTE $0x99; BYTE $0x22; BYTE $0x26; BYTE $0x01
-#define VPINSRQ_1_SI_X13_0 BYTE $0xC4; BYTE $0x63; BYTE $0x91; BYTE $0x22; BYTE $0x2E; BYTE $0x01
-#define VPINSRQ_1_SI_X14_0 BYTE $0xC4; BYTE $0x63; BYTE $0x89; BYTE $0x22; BYTE $0x36; BYTE $0x01
-#define VPINSRQ_1_SI_X15_0 BYTE $0xC4; BYTE $0x63; BYTE $0x81; BYTE $0x22; BYTE $0x3E; BYTE $0x01
-
-#define VPINSRQ_1_SI_X11(n) BYTE $0xC4; BYTE $0x63; BYTE $0xA1; BYTE $0x22; BYTE $0x5E; BYTE $n; BYTE $0x01
-#define VPINSRQ_1_SI_X12(n) BYTE $0xC4; BYTE $0x63; BYTE $0x99; BYTE $0x22; BYTE $0x66; BYTE $n; BYTE $0x01
-#define VPINSRQ_1_SI_X13(n) BYTE $0xC4; BYTE $0x63; BYTE $0x91; BYTE $0x22; BYTE $0x6E; BYTE $n; BYTE $0x01
-#define VPINSRQ_1_SI_X14(n) BYTE $0xC4; BYTE $0x63; BYTE $0x89; BYTE $0x22; BYTE $0x76; BYTE $n; BYTE $0x01
-#define VPINSRQ_1_SI_X15(n) BYTE $0xC4; BYTE $0x63; BYTE $0x81; BYTE $0x22; BYTE $0x7E; BYTE $n; BYTE $0x01
-
-#define VMOVQ_R8_X15 BYTE $0xC4; BYTE $0x41; BYTE $0xF9; BYTE $0x6E; BYTE $0xF8
-#define VPINSRQ_1_R9_X15 BYTE $0xC4; BYTE $0x43; BYTE $0x81; BYTE $0x22; BYTE $0xF9; BYTE $0x01
-
-// load msg: Y12 = (i0, i1, i2, i3)
-// i0, i1, i2, i3 must not be 0
-#define LOAD_MSG_AVX2_Y12(i0, i1, i2, i3) \
-	VMOVQ_SI_X12(i0*8);           \
-	VMOVQ_SI_X11(i2*8);           \
-	VPINSRQ_1_SI_X12(i1*8);       \
-	VPINSRQ_1_SI_X11(i3*8);       \
-	VINSERTI128 $1, X11, Y12, Y12
-
-// load msg: Y13 = (i0, i1, i2, i3)
-// i0, i1, i2, i3 must not be 0
-#define LOAD_MSG_AVX2_Y13(i0, i1, i2, i3) \
-	VMOVQ_SI_X13(i0*8);           \
-	VMOVQ_SI_X11(i2*8);           \
-	VPINSRQ_1_SI_X13(i1*8);       \
-	VPINSRQ_1_SI_X11(i3*8);       \
-	VINSERTI128 $1, X11, Y13, Y13
-
-// load msg: Y14 = (i0, i1, i2, i3)
-// i0, i1, i2, i3 must not be 0
-#define LOAD_MSG_AVX2_Y14(i0, i1, i2, i3) \
-	VMOVQ_SI_X14(i0*8);           \
-	VMOVQ_SI_X11(i2*8);           \
-	VPINSRQ_1_SI_X14(i1*8);       \
-	VPINSRQ_1_SI_X11(i3*8);       \
-	VINSERTI128 $1, X11, Y14, Y14
-
-// load msg: Y15 = (i0, i1, i2, i3)
-// i0, i1, i2, i3 must not be 0
-#define LOAD_MSG_AVX2_Y15(i0, i1, i2, i3) \
-	VMOVQ_SI_X15(i0*8);           \
-	VMOVQ_SI_X11(i2*8);           \
-	VPINSRQ_1_SI_X15(i1*8);       \
-	VPINSRQ_1_SI_X11(i3*8);       \
-	VINSERTI128 $1, X11, Y15, Y15
-
-#define LOAD_MSG_AVX2_0_2_4_6_1_3_5_7_8_10_12_14_9_11_13_15() \
-	VMOVQ_SI_X12_0;                   \
-	VMOVQ_SI_X11(4*8);                \
-	VPINSRQ_1_SI_X12(2*8);            \
-	VPINSRQ_1_SI_X11(6*8);            \
-	VINSERTI128 $1, X11, Y12, Y12;    \
-	LOAD_MSG_AVX2_Y13(1, 3, 5, 7);    \
-	LOAD_MSG_AVX2_Y14(8, 10, 12, 14); \
-	LOAD_MSG_AVX2_Y15(9, 11, 13, 15)
-
-#define LOAD_MSG_AVX2_14_4_9_13_10_8_15_6_1_0_11_5_12_2_7_3() \
-	LOAD_MSG_AVX2_Y12(14, 4, 9, 13); \
-	LOAD_MSG_AVX2_Y13(10, 8, 15, 6); \
-	VMOVQ_SI_X11(11*8);              \
-	VPSHUFD     $0x4E, 0*8(SI), X14; \
-	VPINSRQ_1_SI_X11(5*8);           \
-	VINSERTI128 $1, X11, Y14, Y14;   \
-	LOAD_MSG_AVX2_Y15(12, 2, 7, 3)
-
-#define LOAD_MSG_AVX2_11_12_5_15_8_0_2_13_10_3_7_9_14_6_1_4() \
-	VMOVQ_SI_X11(5*8);              \
-	VMOVDQU     11*8(SI), X12;      \
-	VPINSRQ_1_SI_X11(15*8);         \
-	VINSERTI128 $1, X11, Y12, Y12;  \
-	VMOVQ_SI_X13(8*8);              \
-	VMOVQ_SI_X11(2*8);              \
-	VPINSRQ_1_SI_X13_0;             \
-	VPINSRQ_1_SI_X11(13*8);         \
-	VINSERTI128 $1, X11, Y13, Y13;  \
-	LOAD_MSG_AVX2_Y14(10, 3, 7, 9); \
-	LOAD_MSG_AVX2_Y15(14, 6, 1, 4)
-
-#define LOAD_MSG_AVX2_7_3_13_11_9_1_12_14_2_5_4_15_6_10_0_8() \
-	LOAD_MSG_AVX2_Y12(7, 3, 13, 11); \
-	LOAD_MSG_AVX2_Y13(9, 1, 12, 14); \
-	LOAD_MSG_AVX2_Y14(2, 5, 4, 15);  \
-	VMOVQ_SI_X15(6*8);               \
-	VMOVQ_SI_X11_0;                  \
-	VPINSRQ_1_SI_X15(10*8);          \
-	VPINSRQ_1_SI_X11(8*8);           \
-	VINSERTI128 $1, X11, Y15, Y15
-
-#define LOAD_MSG_AVX2_9_5_2_10_0_7_4_15_14_11_6_3_1_12_8_13() \
-	LOAD_MSG_AVX2_Y12(9, 5, 2, 10);  \
-	VMOVQ_SI_X13_0;                  \
-	VMOVQ_SI_X11(4*8);               \
-	VPINSRQ_1_SI_X13(7*8);           \
-	VPINSRQ_1_SI_X11(15*8);          \
-	VINSERTI128 $1, X11, Y13, Y13;   \
-	LOAD_MSG_AVX2_Y14(14, 11, 6, 3); \
-	LOAD_MSG_AVX2_Y15(1, 12, 8, 13)
-
-#define LOAD_MSG_AVX2_2_6_0_8_12_10_11_3_4_7_15_1_13_5_14_9() \
-	VMOVQ_SI_X12(2*8);                \
-	VMOVQ_SI_X11_0;                   \
-	VPINSRQ_1_SI_X12(6*8);            \
-	VPINSRQ_1_SI_X11(8*8);            \
-	VINSERTI128 $1, X11, Y12, Y12;    \
-	LOAD_MSG_AVX2_Y13(12, 10, 11, 3); \
-	LOAD_MSG_AVX2_Y14(4, 7, 15, 1);   \
-	LOAD_MSG_AVX2_Y15(13, 5, 14, 9)
-
-#define LOAD_MSG_AVX2_12_1_14_4_5_15_13_10_0_6_9_8_7_3_2_11() \
-	LOAD_MSG_AVX2_Y12(12, 1, 14, 4);  \
-	LOAD_MSG_AVX2_Y13(5, 15, 13, 10); \
-	VMOVQ_SI_X14_0;                   \
-	VPSHUFD     $0x4E, 8*8(SI), X11;  \
-	VPINSRQ_1_SI_X14(6*8);            \
-	VINSERTI128 $1, X11, Y14, Y14;    \
-	LOAD_MSG_AVX2_Y15(7, 3, 2, 11)
-
-#define LOAD_MSG_AVX2_13_7_12_3_11_14_1_9_5_15_8_2_0_4_6_10() \
-	LOAD_MSG_AVX2_Y12(13, 7, 12, 3); \
-	LOAD_MSG_AVX2_Y13(11, 14, 1, 9); \
-	LOAD_MSG_AVX2_Y14(5, 15, 8, 2);  \
-	VMOVQ_SI_X15_0;                  \
-	VMOVQ_SI_X11(6*8);               \
-	VPINSRQ_1_SI_X15(4*8);           \
-	VPINSRQ_1_SI_X11(10*8);          \
-	VINSERTI128 $1, X11, Y15, Y15
-
-#define LOAD_MSG_AVX2_6_14_11_0_15_9_3_8_12_13_1_10_2_7_4_5() \
-	VMOVQ_SI_X12(6*8);              \
-	VMOVQ_SI_X11(11*8);             \
-	VPINSRQ_1_SI_X12(14*8);         \
-	VPINSRQ_1_SI_X11_0;             \
-	VINSERTI128 $1, X11, Y12, Y12;  \
-	LOAD_MSG_AVX2_Y13(15, 9, 3, 8); \
-	VMOVQ_SI_X11(1*8);              \
-	VMOVDQU     12*8(SI), X14;      \
-	VPINSRQ_1_SI_X11(10*8);         \
-	VINSERTI128 $1, X11, Y14, Y14;  \
-	VMOVQ_SI_X15(2*8);              \
-	VMOVDQU     4*8(SI), X11;       \
-	VPINSRQ_1_SI_X15(7*8);          \
-	VINSERTI128 $1, X11, Y15, Y15
-
-#define LOAD_MSG_AVX2_10_8_7_1_2_4_6_5_15_9_3_13_11_14_12_0() \
-	LOAD_MSG_AVX2_Y12(10, 8, 7, 1);  \
-	VMOVQ_SI_X13(2*8);               \
-	VPSHUFD     $0x4E, 5*8(SI), X11; \
-	VPINSRQ_1_SI_X13(4*8);           \
-	VINSERTI128 $1, X11, Y13, Y13;   \
-	LOAD_MSG_AVX2_Y14(15, 9, 3, 13); \
-	VMOVQ_SI_X15(11*8);              \
-	VMOVQ_SI_X11(12*8);              \
-	VPINSRQ_1_SI_X15(14*8);          \
-	VPINSRQ_1_SI_X11_0;              \
-	VINSERTI128 $1, X11, Y15, Y15
-
-// func hashBlocksAVX2(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-TEXT ·hashBlocksAVX2(SB), 4, $320-48 // frame size = 288 + 32 byte alignment
-	MOVQ h+0(FP), AX
-	MOVQ c+8(FP), BX
-	MOVQ flag+16(FP), CX
-	MOVQ blocks_base+24(FP), SI
-	MOVQ blocks_len+32(FP), DI
-
-	MOVQ SP, DX
-	MOVQ SP, R9
-	ADDQ $31, R9
-	ANDQ $~31, R9
-	MOVQ R9, SP
-
-	MOVQ CX, 16(SP)
-	XORQ CX, CX
-	MOVQ CX, 24(SP)
-
-	VMOVDQU ·AVX2_c40<>(SB), Y4
-	VMOVDQU ·AVX2_c48<>(SB), Y5
-
-	VMOVDQU 0(AX), Y8
-	VMOVDQU 32(AX), Y9
-	VMOVDQU ·AVX2_iv0<>(SB), Y6
-	VMOVDQU ·AVX2_iv1<>(SB), Y7
-
-	MOVQ 0(BX), R8
-	MOVQ 8(BX), R9
-	MOVQ R9, 8(SP)
-
-loop:
-	ADDQ $128, R8
-	MOVQ R8, 0(SP)
-	CMPQ R8, $128
-	JGE  noinc
-	INCQ R9
-	MOVQ R9, 8(SP)
-
-noinc:
-	VMOVDQA Y8, Y0
-	VMOVDQA Y9, Y1
-	VMOVDQA Y6, Y2
-	VPXOR   0(SP), Y7, Y3
-
-	LOAD_MSG_AVX2_0_2_4_6_1_3_5_7_8_10_12_14_9_11_13_15()
-	VMOVDQA Y12, 32(SP)
-	VMOVDQA Y13, 64(SP)
-	VMOVDQA Y14, 96(SP)
-	VMOVDQA Y15, 128(SP)
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-	LOAD_MSG_AVX2_14_4_9_13_10_8_15_6_1_0_11_5_12_2_7_3()
-	VMOVDQA Y12, 160(SP)
-	VMOVDQA Y13, 192(SP)
-	VMOVDQA Y14, 224(SP)
-	VMOVDQA Y15, 256(SP)
-
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-	LOAD_MSG_AVX2_11_12_5_15_8_0_2_13_10_3_7_9_14_6_1_4()
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-	LOAD_MSG_AVX2_7_3_13_11_9_1_12_14_2_5_4_15_6_10_0_8()
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-	LOAD_MSG_AVX2_9_5_2_10_0_7_4_15_14_11_6_3_1_12_8_13()
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-	LOAD_MSG_AVX2_2_6_0_8_12_10_11_3_4_7_15_1_13_5_14_9()
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-	LOAD_MSG_AVX2_12_1_14_4_5_15_13_10_0_6_9_8_7_3_2_11()
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-	LOAD_MSG_AVX2_13_7_12_3_11_14_1_9_5_15_8_2_0_4_6_10()
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-	LOAD_MSG_AVX2_6_14_11_0_15_9_3_8_12_13_1_10_2_7_4_5()
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-	LOAD_MSG_AVX2_10_8_7_1_2_4_6_5_15_9_3_13_11_14_12_0()
-	ROUND_AVX2(Y12, Y13, Y14, Y15, Y10, Y4, Y5)
-
-	ROUND_AVX2(32(SP), 64(SP), 96(SP), 128(SP), Y10, Y4, Y5)
-	ROUND_AVX2(160(SP), 192(SP), 224(SP), 256(SP), Y10, Y4, Y5)
-
-	VPXOR Y0, Y8, Y8
-	VPXOR Y1, Y9, Y9
-	VPXOR Y2, Y8, Y8
-	VPXOR Y3, Y9, Y9
-
-	LEAQ 128(SI), SI
-	SUBQ $128, DI
-	JNE  loop
-
-	MOVQ R8, 0(BX)
-	MOVQ R9, 8(BX)
-
-	VMOVDQU Y8, 0(AX)
-	VMOVDQU Y9, 32(AX)
-	VZEROUPPER
-
-	MOVQ DX, SP
-	RET
-
-#define VPUNPCKLQDQ_X2_X2_X15 BYTE $0xC5; BYTE $0x69; BYTE $0x6C; BYTE $0xFA
-#define VPUNPCKLQDQ_X3_X3_X15 BYTE $0xC5; BYTE $0x61; BYTE $0x6C; BYTE $0xFB
-#define VPUNPCKLQDQ_X7_X7_X15 BYTE $0xC5; BYTE $0x41; BYTE $0x6C; BYTE $0xFF
-#define VPUNPCKLQDQ_X13_X13_X15 BYTE $0xC4; BYTE $0x41; BYTE $0x11; BYTE $0x6C; BYTE $0xFD
-#define VPUNPCKLQDQ_X14_X14_X15 BYTE $0xC4; BYTE $0x41; BYTE $0x09; BYTE $0x6C; BYTE $0xFE
-
-#define VPUNPCKHQDQ_X15_X2_X2 BYTE $0xC4; BYTE $0xC1; BYTE $0x69; BYTE $0x6D; BYTE $0xD7
-#define VPUNPCKHQDQ_X15_X3_X3 BYTE $0xC4; BYTE $0xC1; BYTE $0x61; BYTE $0x6D; BYTE $0xDF
-#define VPUNPCKHQDQ_X15_X6_X6 BYTE $0xC4; BYTE $0xC1; BYTE $0x49; BYTE $0x6D; BYTE $0xF7
-#define VPUNPCKHQDQ_X15_X7_X7 BYTE $0xC4; BYTE $0xC1; BYTE $0x41; BYTE $0x6D; BYTE $0xFF
-#define VPUNPCKHQDQ_X15_X3_X2 BYTE $0xC4; BYTE $0xC1; BYTE $0x61; BYTE $0x6D; BYTE $0xD7
-#define VPUNPCKHQDQ_X15_X7_X6 BYTE $0xC4; BYTE $0xC1; BYTE $0x41; BYTE $0x6D; BYTE $0xF7
-#define VPUNPCKHQDQ_X15_X13_X3 BYTE $0xC4; BYTE $0xC1; BYTE $0x11; BYTE $0x6D; BYTE $0xDF
-#define VPUNPCKHQDQ_X15_X13_X7 BYTE $0xC4; BYTE $0xC1; BYTE $0x11; BYTE $0x6D; BYTE $0xFF
-
-#define SHUFFLE_AVX() \
-	VMOVDQA X6, X13;         \
-	VMOVDQA X2, X14;         \
-	VMOVDQA X4, X6;          \
-	VPUNPCKLQDQ_X13_X13_X15; \
-	VMOVDQA X5, X4;          \
-	VMOVDQA X6, X5;          \
-	VPUNPCKHQDQ_X15_X7_X6;   \
-	VPUNPCKLQDQ_X7_X7_X15;   \
-	VPUNPCKHQDQ_X15_X13_X7;  \
-	VPUNPCKLQDQ_X3_X3_X15;   \
-	VPUNPCKHQDQ_X15_X2_X2;   \
-	VPUNPCKLQDQ_X14_X14_X15; \
-	VPUNPCKHQDQ_X15_X3_X3;   \
-
-#define SHUFFLE_AVX_INV() \
-	VMOVDQA X2, X13;         \
-	VMOVDQA X4, X14;         \
-	VPUNPCKLQDQ_X2_X2_X15;   \
-	VMOVDQA X5, X4;          \
-	VPUNPCKHQDQ_X15_X3_X2;   \
-	VMOVDQA X14, X5;         \
-	VPUNPCKLQDQ_X3_X3_X15;   \
-	VMOVDQA X6, X14;         \
-	VPUNPCKHQDQ_X15_X13_X3;  \
-	VPUNPCKLQDQ_X7_X7_X15;   \
-	VPUNPCKHQDQ_X15_X6_X6;   \
-	VPUNPCKLQDQ_X14_X14_X15; \
-	VPUNPCKHQDQ_X15_X7_X7;   \
-
-#define HALF_ROUND_AVX(v0, v1, v2, v3, v4, v5, v6, v7, m0, m1, m2, m3, t0, c40, c48) \
-	VPADDQ  m0, v0, v0;   \
-	VPADDQ  v2, v0, v0;   \
-	VPADDQ  m1, v1, v1;   \
-	VPADDQ  v3, v1, v1;   \
-	VPXOR   v0, v6, v6;   \
-	VPXOR   v1, v7, v7;   \
-	VPSHUFD $-79, v6, v6; \
-	VPSHUFD $-79, v7, v7; \
-	VPADDQ  v6, v4, v4;   \
-	VPADDQ  v7, v5, v5;   \
-	VPXOR   v4, v2, v2;   \
-	VPXOR   v5, v3, v3;   \
-	VPSHUFB c40, v2, v2;  \
-	VPSHUFB c40, v3, v3;  \
-	VPADDQ  m2, v0, v0;   \
-	VPADDQ  v2, v0, v0;   \
-	VPADDQ  m3, v1, v1;   \
-	VPADDQ  v3, v1, v1;   \
-	VPXOR   v0, v6, v6;   \
-	VPXOR   v1, v7, v7;   \
-	VPSHUFB c48, v6, v6;  \
-	VPSHUFB c48, v7, v7;  \
-	VPADDQ  v6, v4, v4;   \
-	VPADDQ  v7, v5, v5;   \
-	VPXOR   v4, v2, v2;   \
-	VPXOR   v5, v3, v3;   \
-	VPADDQ  v2, v2, t0;   \
-	VPSRLQ  $63, v2, v2;  \
-	VPXOR   t0, v2, v2;   \
-	VPADDQ  v3, v3, t0;   \
-	VPSRLQ  $63, v3, v3;  \
-	VPXOR   t0, v3, v3
-
-// load msg: X12 = (i0, i1), X13 = (i2, i3), X14 = (i4, i5), X15 = (i6, i7)
-// i0, i1, i2, i3, i4, i5, i6, i7 must not be 0
-#define LOAD_MSG_AVX(i0, i1, i2, i3, i4, i5, i6, i7) \
-	VMOVQ_SI_X12(i0*8);     \
-	VMOVQ_SI_X13(i2*8);     \
-	VMOVQ_SI_X14(i4*8);     \
-	VMOVQ_SI_X15(i6*8);     \
-	VPINSRQ_1_SI_X12(i1*8); \
-	VPINSRQ_1_SI_X13(i3*8); \
-	VPINSRQ_1_SI_X14(i5*8); \
-	VPINSRQ_1_SI_X15(i7*8)
-
-// load msg: X12 = (0, 2), X13 = (4, 6), X14 = (1, 3), X15 = (5, 7)
-#define LOAD_MSG_AVX_0_2_4_6_1_3_5_7() \
-	VMOVQ_SI_X12_0;        \
-	VMOVQ_SI_X13(4*8);     \
-	VMOVQ_SI_X14(1*8);     \
-	VMOVQ_SI_X15(5*8);     \
-	VPINSRQ_1_SI_X12(2*8); \
-	VPINSRQ_1_SI_X13(6*8); \
-	VPINSRQ_1_SI_X14(3*8); \
-	VPINSRQ_1_SI_X15(7*8)
-
-// load msg: X12 = (1, 0), X13 = (11, 5), X14 = (12, 2), X15 = (7, 3)
-#define LOAD_MSG_AVX_1_0_11_5_12_2_7_3() \
-	VPSHUFD $0x4E, 0*8(SI), X12; \
-	VMOVQ_SI_X13(11*8);          \
-	VMOVQ_SI_X14(12*8);          \
-	VMOVQ_SI_X15(7*8);           \
-	VPINSRQ_1_SI_X13(5*8);       \
-	VPINSRQ_1_SI_X14(2*8);       \
-	VPINSRQ_1_SI_X15(3*8)
-
-// load msg: X12 = (11, 12), X13 = (5, 15), X14 = (8, 0), X15 = (2, 13)
-#define LOAD_MSG_AVX_11_12_5_15_8_0_2_13() \
-	VMOVDQU 11*8(SI), X12;  \
-	VMOVQ_SI_X13(5*8);      \
-	VMOVQ_SI_X14(8*8);      \
-	VMOVQ_SI_X15(2*8);      \
-	VPINSRQ_1_SI_X13(15*8); \
-	VPINSRQ_1_SI_X14_0;     \
-	VPINSRQ_1_SI_X15(13*8)
-
-// load msg: X12 = (2, 5), X13 = (4, 15), X14 = (6, 10), X15 = (0, 8)
-#define LOAD_MSG_AVX_2_5_4_15_6_10_0_8() \
-	VMOVQ_SI_X12(2*8);      \
-	VMOVQ_SI_X13(4*8);      \
-	VMOVQ_SI_X14(6*8);      \
-	VMOVQ_SI_X15_0;         \
-	VPINSRQ_1_SI_X12(5*8);  \
-	VPINSRQ_1_SI_X13(15*8); \
-	VPINSRQ_1_SI_X14(10*8); \
-	VPINSRQ_1_SI_X15(8*8)
-
-// load msg: X12 = (9, 5), X13 = (2, 10), X14 = (0, 7), X15 = (4, 15)
-#define LOAD_MSG_AVX_9_5_2_10_0_7_4_15() \
-	VMOVQ_SI_X12(9*8);      \
-	VMOVQ_SI_X13(2*8);      \
-	VMOVQ_SI_X14_0;         \
-	VMOVQ_SI_X15(4*8);      \
-	VPINSRQ_1_SI_X12(5*8);  \
-	VPINSRQ_1_SI_X13(10*8); \
-	VPINSRQ_1_SI_X14(7*8);  \
-	VPINSRQ_1_SI_X15(15*8)
-
-// load msg: X12 = (2, 6), X13 = (0, 8), X14 = (12, 10), X15 = (11, 3)
-#define LOAD_MSG_AVX_2_6_0_8_12_10_11_3() \
-	VMOVQ_SI_X12(2*8);      \
-	VMOVQ_SI_X13_0;         \
-	VMOVQ_SI_X14(12*8);     \
-	VMOVQ_SI_X15(11*8);     \
-	VPINSRQ_1_SI_X12(6*8);  \
-	VPINSRQ_1_SI_X13(8*8);  \
-	VPINSRQ_1_SI_X14(10*8); \
-	VPINSRQ_1_SI_X15(3*8)
-
-// load msg: X12 = (0, 6), X13 = (9, 8), X14 = (7, 3), X15 = (2, 11)
-#define LOAD_MSG_AVX_0_6_9_8_7_3_2_11() \
-	MOVQ    0*8(SI), X12;        \
-	VPSHUFD $0x4E, 8*8(SI), X13; \
-	MOVQ    7*8(SI), X14;        \
-	MOVQ    2*8(SI), X15;        \
-	VPINSRQ_1_SI_X12(6*8);       \
-	VPINSRQ_1_SI_X14(3*8);       \
-	VPINSRQ_1_SI_X15(11*8)
-
-// load msg: X12 = (6, 14), X13 = (11, 0), X14 = (15, 9), X15 = (3, 8)
-#define LOAD_MSG_AVX_6_14_11_0_15_9_3_8() \
-	MOVQ 6*8(SI), X12;      \
-	MOVQ 11*8(SI), X13;     \
-	MOVQ 15*8(SI), X14;     \
-	MOVQ 3*8(SI), X15;      \
-	VPINSRQ_1_SI_X12(14*8); \
-	VPINSRQ_1_SI_X13_0;     \
-	VPINSRQ_1_SI_X14(9*8);  \
-	VPINSRQ_1_SI_X15(8*8)
-
-// load msg: X12 = (5, 15), X13 = (8, 2), X14 = (0, 4), X15 = (6, 10)
-#define LOAD_MSG_AVX_5_15_8_2_0_4_6_10() \
-	MOVQ 5*8(SI), X12;      \
-	MOVQ 8*8(SI), X13;      \
-	MOVQ 0*8(SI), X14;      \
-	MOVQ 6*8(SI), X15;      \
-	VPINSRQ_1_SI_X12(15*8); \
-	VPINSRQ_1_SI_X13(2*8);  \
-	VPINSRQ_1_SI_X14(4*8);  \
-	VPINSRQ_1_SI_X15(10*8)
-
-// load msg: X12 = (12, 13), X13 = (1, 10), X14 = (2, 7), X15 = (4, 5)
-#define LOAD_MSG_AVX_12_13_1_10_2_7_4_5() \
-	VMOVDQU 12*8(SI), X12;  \
-	MOVQ    1*8(SI), X13;   \
-	MOVQ    2*8(SI), X14;   \
-	VPINSRQ_1_SI_X13(10*8); \
-	VPINSRQ_1_SI_X14(7*8);  \
-	VMOVDQU 4*8(SI), X15
-
-// load msg: X12 = (15, 9), X13 = (3, 13), X14 = (11, 14), X15 = (12, 0)
-#define LOAD_MSG_AVX_15_9_3_13_11_14_12_0() \
-	MOVQ 15*8(SI), X12;     \
-	MOVQ 3*8(SI), X13;      \
-	MOVQ 11*8(SI), X14;     \
-	MOVQ 12*8(SI), X15;     \
-	VPINSRQ_1_SI_X12(9*8);  \
-	VPINSRQ_1_SI_X13(13*8); \
-	VPINSRQ_1_SI_X14(14*8); \
-	VPINSRQ_1_SI_X15_0
-
-// func hashBlocksAVX(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-TEXT ·hashBlocksAVX(SB), 4, $288-48 // frame size = 272 + 16 byte alignment
-	MOVQ h+0(FP), AX
-	MOVQ c+8(FP), BX
-	MOVQ flag+16(FP), CX
-	MOVQ blocks_base+24(FP), SI
-	MOVQ blocks_len+32(FP), DI
-
-	MOVQ SP, BP
-	MOVQ SP, R9
-	ADDQ $15, R9
-	ANDQ $~15, R9
-	MOVQ R9, SP
-
-	VMOVDQU ·AVX_c40<>(SB), X0
-	VMOVDQU ·AVX_c48<>(SB), X1
-	VMOVDQA X0, X8
-	VMOVDQA X1, X9
-
-	VMOVDQU ·AVX_iv3<>(SB), X0
-	VMOVDQA X0, 0(SP)
-	XORQ    CX, 0(SP)          // 0(SP) = ·AVX_iv3 ^ (CX || 0)
-
-	VMOVDQU 0(AX), X10
-	VMOVDQU 16(AX), X11
-	VMOVDQU 32(AX), X2
-	VMOVDQU 48(AX), X3
-
-	MOVQ 0(BX), R8
-	MOVQ 8(BX), R9
-
-loop:
-	ADDQ $128, R8
-	CMPQ R8, $128
-	JGE  noinc
-	INCQ R9
-
-noinc:
-	VMOVQ_R8_X15
-	VPINSRQ_1_R9_X15
-
-	VMOVDQA X10, X0
-	VMOVDQA X11, X1
-	VMOVDQU ·AVX_iv0<>(SB), X4
-	VMOVDQU ·AVX_iv1<>(SB), X5
-	VMOVDQU ·AVX_iv2<>(SB), X6
-
-	VPXOR   X15, X6, X6
-	VMOVDQA 0(SP), X7
-
-	LOAD_MSG_AVX_0_2_4_6_1_3_5_7()
-	VMOVDQA X12, 16(SP)
-	VMOVDQA X13, 32(SP)
-	VMOVDQA X14, 48(SP)
-	VMOVDQA X15, 64(SP)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX(8, 10, 12, 14, 9, 11, 13, 15)
-	VMOVDQA X12, 80(SP)
-	VMOVDQA X13, 96(SP)
-	VMOVDQA X14, 112(SP)
-	VMOVDQA X15, 128(SP)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	LOAD_MSG_AVX(14, 4, 9, 13, 10, 8, 15, 6)
-	VMOVDQA X12, 144(SP)
-	VMOVDQA X13, 160(SP)
-	VMOVDQA X14, 176(SP)
-	VMOVDQA X15, 192(SP)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX_1_0_11_5_12_2_7_3()
-	VMOVDQA X12, 208(SP)
-	VMOVDQA X13, 224(SP)
-	VMOVDQA X14, 240(SP)
-	VMOVDQA X15, 256(SP)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	LOAD_MSG_AVX_11_12_5_15_8_0_2_13()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX(10, 3, 7, 9, 14, 6, 1, 4)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	LOAD_MSG_AVX(7, 3, 13, 11, 9, 1, 12, 14)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX_2_5_4_15_6_10_0_8()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	LOAD_MSG_AVX_9_5_2_10_0_7_4_15()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX(14, 11, 6, 3, 1, 12, 8, 13)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	LOAD_MSG_AVX_2_6_0_8_12_10_11_3()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX(4, 7, 15, 1, 13, 5, 14, 9)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	LOAD_MSG_AVX(12, 1, 14, 4, 5, 15, 13, 10)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX_0_6_9_8_7_3_2_11()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	LOAD_MSG_AVX(13, 7, 12, 3, 11, 14, 1, 9)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX_5_15_8_2_0_4_6_10()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	LOAD_MSG_AVX_6_14_11_0_15_9_3_8()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX_12_13_1_10_2_7_4_5()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	LOAD_MSG_AVX(10, 8, 7, 1, 2, 4, 6, 5)
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX()
-	LOAD_MSG_AVX_15_9_3_13_11_14_12_0()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, X12, X13, X14, X15, X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, 16(SP), 32(SP), 48(SP), 64(SP), X15, X8, X9)
-	SHUFFLE_AVX()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, 80(SP), 96(SP), 112(SP), 128(SP), X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, 144(SP), 160(SP), 176(SP), 192(SP), X15, X8, X9)
-	SHUFFLE_AVX()
-	HALF_ROUND_AVX(X0, X1, X2, X3, X4, X5, X6, X7, 208(SP), 224(SP), 240(SP), 256(SP), X15, X8, X9)
-	SHUFFLE_AVX_INV()
-
-	VMOVDQU 32(AX), X14
-	VMOVDQU 48(AX), X15
-	VPXOR   X0, X10, X10
-	VPXOR   X1, X11, X11
-	VPXOR   X2, X14, X14
-	VPXOR   X3, X15, X15
-	VPXOR   X4, X10, X10
-	VPXOR   X5, X11, X11
-	VPXOR   X6, X14, X2
-	VPXOR   X7, X15, X3
-	VMOVDQU X2, 32(AX)
-	VMOVDQU X3, 48(AX)
-
-	LEAQ 128(SI), SI
-	SUBQ $128, DI
-	JNE  loop
-
-	VMOVDQU X10, 0(AX)
-	VMOVDQU X11, 16(AX)
-
-	MOVQ R8, 0(BX)
-	MOVQ R9, 8(BX)
-	VZEROUPPER
-
-	MOVQ BP, SP
-	RET
-
-// func supportsAVX2() bool
-TEXT ·supportsAVX2(SB), 4, $0-1
-	MOVQ runtime·support_avx2(SB), AX
-	MOVB AX, ret+0(FP)
-	RET
-
-// func supportsAVX() bool
-TEXT ·supportsAVX(SB), 4, $0-1
-	MOVQ runtime·support_avx(SB), AX
-	MOVB AX, ret+0(FP)
-	RET
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b_amd64.go b/vendor/golang.org/x/crypto/blake2b/blake2b_amd64.go
deleted file mode 100644
index 2ab7c30f..00000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2b_amd64.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !go1.7,amd64,!gccgo,!appengine
-
-package blake2b
-
-func init() {
-	useSSE4 = supportsSSE4()
-}
-
-//go:noescape
-func supportsSSE4() bool
-
-//go:noescape
-func hashBlocksSSE4(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-
-func hashBlocks(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
-	if useSSE4 {
-		hashBlocksSSE4(h, c, flag, blocks)
-	} else {
-		hashBlocksGeneric(h, c, flag, blocks)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b_amd64.s b/vendor/golang.org/x/crypto/blake2b/blake2b_amd64.s
deleted file mode 100644
index 64530740..00000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2b_amd64.s
+++ /dev/null
@@ -1,290 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-#include "textflag.h"
-
-DATA ·iv0<>+0x00(SB)/8, $0x6a09e667f3bcc908
-DATA ·iv0<>+0x08(SB)/8, $0xbb67ae8584caa73b
-GLOBL ·iv0<>(SB), (NOPTR+RODATA), $16
-
-DATA ·iv1<>+0x00(SB)/8, $0x3c6ef372fe94f82b
-DATA ·iv1<>+0x08(SB)/8, $0xa54ff53a5f1d36f1
-GLOBL ·iv1<>(SB), (NOPTR+RODATA), $16
-
-DATA ·iv2<>+0x00(SB)/8, $0x510e527fade682d1
-DATA ·iv2<>+0x08(SB)/8, $0x9b05688c2b3e6c1f
-GLOBL ·iv2<>(SB), (NOPTR+RODATA), $16
-
-DATA ·iv3<>+0x00(SB)/8, $0x1f83d9abfb41bd6b
-DATA ·iv3<>+0x08(SB)/8, $0x5be0cd19137e2179
-GLOBL ·iv3<>(SB), (NOPTR+RODATA), $16
-
-DATA ·c40<>+0x00(SB)/8, $0x0201000706050403
-DATA ·c40<>+0x08(SB)/8, $0x0a09080f0e0d0c0b
-GLOBL ·c40<>(SB), (NOPTR+RODATA), $16
-
-DATA ·c48<>+0x00(SB)/8, $0x0100070605040302
-DATA ·c48<>+0x08(SB)/8, $0x09080f0e0d0c0b0a
-GLOBL ·c48<>(SB), (NOPTR+RODATA), $16
-
-#define SHUFFLE(v2, v3, v4, v5, v6, v7, t1, t2) \
-	MOVO       v4, t1; \
-	MOVO       v5, v4; \
-	MOVO       t1, v5; \
-	MOVO       v6, t1; \
-	PUNPCKLQDQ v6, t2; \
-	PUNPCKHQDQ v7, v6; \
-	PUNPCKHQDQ t2, v6; \
-	PUNPCKLQDQ v7, t2; \
-	MOVO       t1, v7; \
-	MOVO       v2, t1; \
-	PUNPCKHQDQ t2, v7; \
-	PUNPCKLQDQ v3, t2; \
-	PUNPCKHQDQ t2, v2; \
-	PUNPCKLQDQ t1, t2; \
-	PUNPCKHQDQ t2, v3
-
-#define SHUFFLE_INV(v2, v3, v4, v5, v6, v7, t1, t2) \
-	MOVO       v4, t1; \
-	MOVO       v5, v4; \
-	MOVO       t1, v5; \
-	MOVO       v2, t1; \
-	PUNPCKLQDQ v2, t2; \
-	PUNPCKHQDQ v3, v2; \
-	PUNPCKHQDQ t2, v2; \
-	PUNPCKLQDQ v3, t2; \
-	MOVO       t1, v3; \
-	MOVO       v6, t1; \
-	PUNPCKHQDQ t2, v3; \
-	PUNPCKLQDQ v7, t2; \
-	PUNPCKHQDQ t2, v6; \
-	PUNPCKLQDQ t1, t2; \
-	PUNPCKHQDQ t2, v7
-
-#define HALF_ROUND(v0, v1, v2, v3, v4, v5, v6, v7, m0, m1, m2, m3, t0, c40, c48) \
-	PADDQ  m0, v0;        \
-	PADDQ  m1, v1;        \
-	PADDQ  v2, v0;        \
-	PADDQ  v3, v1;        \
-	PXOR   v0, v6;        \
-	PXOR   v1, v7;        \
-	PSHUFD $0xB1, v6, v6; \
-	PSHUFD $0xB1, v7, v7; \
-	PADDQ  v6, v4;        \
-	PADDQ  v7, v5;        \
-	PXOR   v4, v2;        \
-	PXOR   v5, v3;        \
-	PSHUFB c40, v2;       \
-	PSHUFB c40, v3;       \
-	PADDQ  m2, v0;        \
-	PADDQ  m3, v1;        \
-	PADDQ  v2, v0;        \
-	PADDQ  v3, v1;        \
-	PXOR   v0, v6;        \
-	PXOR   v1, v7;        \
-	PSHUFB c48, v6;       \
-	PSHUFB c48, v7;       \
-	PADDQ  v6, v4;        \
-	PADDQ  v7, v5;        \
-	PXOR   v4, v2;        \
-	PXOR   v5, v3;        \
-	MOVOU  v2, t0;        \
-	PADDQ  v2, t0;        \
-	PSRLQ  $63, v2;       \
-	PXOR   t0, v2;        \
-	MOVOU  v3, t0;        \
-	PADDQ  v3, t0;        \
-	PSRLQ  $63, v3;       \
-	PXOR   t0, v3
-
-#define LOAD_MSG(m0, m1, m2, m3, src, i0, i1, i2, i3, i4, i5, i6, i7) \
-	MOVQ   i0*8(src), m0;     \
-	PINSRQ $1, i1*8(src), m0; \
-	MOVQ   i2*8(src), m1;     \
-	PINSRQ $1, i3*8(src), m1; \
-	MOVQ   i4*8(src), m2;     \
-	PINSRQ $1, i5*8(src), m2; \
-	MOVQ   i6*8(src), m3;     \
-	PINSRQ $1, i7*8(src), m3
-
-// func hashBlocksSSE4(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-TEXT ·hashBlocksSSE4(SB), 4, $288-48 // frame size = 272 + 16 byte alignment
-	MOVQ h+0(FP), AX
-	MOVQ c+8(FP), BX
-	MOVQ flag+16(FP), CX
-	MOVQ blocks_base+24(FP), SI
-	MOVQ blocks_len+32(FP), DI
-
-	MOVQ SP, BP
-	MOVQ SP, R9
-	ADDQ $15, R9
-	ANDQ $~15, R9
-	MOVQ R9, SP
-
-	MOVOU ·iv3<>(SB), X0
-	MOVO  X0, 0(SP)
-	XORQ  CX, 0(SP)     // 0(SP) = ·iv3 ^ (CX || 0)
-
-	MOVOU ·c40<>(SB), X13
-	MOVOU ·c48<>(SB), X14
-
-	MOVOU 0(AX), X12
-	MOVOU 16(AX), X15
-
-	MOVQ 0(BX), R8
-	MOVQ 8(BX), R9
-
-loop:
-	ADDQ $128, R8
-	CMPQ R8, $128
-	JGE  noinc
-	INCQ R9
-
-noinc:
-	MOVQ R8, X8
-	PINSRQ $1, R9, X8
-
-	MOVO X12, X0
-	MOVO X15, X1
-	MOVOU 32(AX), X2
-	MOVOU 48(AX), X3
-	MOVOU ·iv0<>(SB), X4
-	MOVOU ·iv1<>(SB), X5
-	MOVOU ·iv2<>(SB), X6
-
-	PXOR X8, X6
-	MOVO 0(SP), X7
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 0, 2, 4, 6, 1, 3, 5, 7)
-	MOVO X8, 16(SP)
-	MOVO X9, 32(SP)
-	MOVO X10, 48(SP)
-	MOVO X11, 64(SP)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 8, 10, 12, 14, 9, 11, 13, 15)
-	MOVO X8, 80(SP)
-	MOVO X9, 96(SP)
-	MOVO X10, 112(SP)
-	MOVO X11, 128(SP)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 14, 4, 9, 13, 10, 8, 15, 6)
-	MOVO X8, 144(SP)
-	MOVO X9, 160(SP)
-	MOVO X10, 176(SP)
-	MOVO X11, 192(SP)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 1, 0, 11, 5, 12, 2, 7, 3)
-	MOVO X8, 208(SP)
-	MOVO X9, 224(SP)
-	MOVO X10, 240(SP)
-	MOVO X11, 256(SP)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 11, 12, 5, 15, 8, 0, 2, 13)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 10, 3, 7, 9, 14, 6, 1, 4)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 7, 3, 13, 11, 9, 1, 12, 14)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 2, 5, 4, 15, 6, 10, 0, 8)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 9, 5, 2, 10, 0, 7, 4, 15)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 14, 11, 6, 3, 1, 12, 8, 13)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 2, 6, 0, 8, 12, 10, 11, 3)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 4, 7, 15, 1, 13, 5, 14, 9)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 12, 1, 14, 4, 5, 15, 13, 10)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 0, 6, 9, 8, 7, 3, 2, 11)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 13, 7, 12, 3, 11, 14, 1, 9)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 5, 15, 8, 2, 0, 4, 6, 10)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 6, 14, 11, 0, 15, 9, 3, 8)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 12, 13, 1, 10, 2, 7, 4, 5)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	LOAD_MSG(X8, X9, X10, X11, SI, 10, 8, 7, 1, 2, 4, 6, 5)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	LOAD_MSG(X8, X9, X10, X11, SI, 15, 9, 3, 13, 11, 14, 12, 0)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, 16(SP), 32(SP), 48(SP), 64(SP), X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, 80(SP), 96(SP), 112(SP), 128(SP), X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, 144(SP), 160(SP), 176(SP), 192(SP), X11, X13, X14)
-	SHUFFLE(X2, X3, X4, X5, X6, X7, X8, X9)
-	HALF_ROUND(X0, X1, X2, X3, X4, X5, X6, X7, 208(SP), 224(SP), 240(SP), 256(SP), X11, X13, X14)
-	SHUFFLE_INV(X2, X3, X4, X5, X6, X7, X8, X9)
-
-	MOVOU 32(AX), X10
-	MOVOU 48(AX), X11
-	PXOR  X0, X12
-	PXOR  X1, X15
-	PXOR  X2, X10
-	PXOR  X3, X11
-	PXOR  X4, X12
-	PXOR  X5, X15
-	PXOR  X6, X10
-	PXOR  X7, X11
-	MOVOU X10, 32(AX)
-	MOVOU X11, 48(AX)
-
-	LEAQ 128(SI), SI
-	SUBQ $128, DI
-	JNE  loop
-
-	MOVOU X12, 0(AX)
-	MOVOU X15, 16(AX)
-
-	MOVQ R8, 0(BX)
-	MOVQ R9, 8(BX)
-
-	MOVQ BP, SP
-	RET
-
-// func supportsSSE4() bool
-TEXT ·supportsSSE4(SB), 4, $0-1
-	MOVL $1, AX
-	CPUID
-	SHRL $19, CX  // Bit 19 indicates SSE4 support
-	ANDL $1, CX  // CX != 0 if support SSE4
-	MOVB CX, ret+0(FP)
-	RET
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b_generic.go b/vendor/golang.org/x/crypto/blake2b/blake2b_generic.go
deleted file mode 100644
index 4bd2abc9..00000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2b_generic.go
+++ /dev/null
@@ -1,179 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2b
-
-import "encoding/binary"
-
-// the precomputed values for BLAKE2b
-// there are 12 16-byte arrays - one for each round
-// the entries are calculated from the sigma constants.
-var precomputed = [12][16]byte{
-	{0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15},
-	{14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3},
-	{11, 12, 5, 15, 8, 0, 2, 13, 10, 3, 7, 9, 14, 6, 1, 4},
-	{7, 3, 13, 11, 9, 1, 12, 14, 2, 5, 4, 15, 6, 10, 0, 8},
-	{9, 5, 2, 10, 0, 7, 4, 15, 14, 11, 6, 3, 1, 12, 8, 13},
-	{2, 6, 0, 8, 12, 10, 11, 3, 4, 7, 15, 1, 13, 5, 14, 9},
-	{12, 1, 14, 4, 5, 15, 13, 10, 0, 6, 9, 8, 7, 3, 2, 11},
-	{13, 7, 12, 3, 11, 14, 1, 9, 5, 15, 8, 2, 0, 4, 6, 10},
-	{6, 14, 11, 0, 15, 9, 3, 8, 12, 13, 1, 10, 2, 7, 4, 5},
-	{10, 8, 7, 1, 2, 4, 6, 5, 15, 9, 3, 13, 11, 14, 12, 0},
-	{0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15}, // equal to the first
-	{14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3}, // equal to the second
-}
-
-func hashBlocksGeneric(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
-	var m [16]uint64
-	c0, c1 := c[0], c[1]
-
-	for i := 0; i < len(blocks); {
-		c0 += BlockSize
-		if c0 < BlockSize {
-			c1++
-		}
-
-		v0, v1, v2, v3, v4, v5, v6, v7 := h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]
-		v8, v9, v10, v11, v12, v13, v14, v15 := iv[0], iv[1], iv[2], iv[3], iv[4], iv[5], iv[6], iv[7]
-		v12 ^= c0
-		v13 ^= c1
-		v14 ^= flag
-
-		for j := range m {
-			m[j] = binary.LittleEndian.Uint64(blocks[i:])
-			i += 8
-		}
-
-		for j := range precomputed {
-			s := &(precomputed[j])
-
-			v0 += m[s[0]]
-			v0 += v4
-			v12 ^= v0
-			v12 = v12<<(64-32) | v12>>32
-			v8 += v12
-			v4 ^= v8
-			v4 = v4<<(64-24) | v4>>24
-			v1 += m[s[1]]
-			v1 += v5
-			v13 ^= v1
-			v13 = v13<<(64-32) | v13>>32
-			v9 += v13
-			v5 ^= v9
-			v5 = v5<<(64-24) | v5>>24
-			v2 += m[s[2]]
-			v2 += v6
-			v14 ^= v2
-			v14 = v14<<(64-32) | v14>>32
-			v10 += v14
-			v6 ^= v10
-			v6 = v6<<(64-24) | v6>>24
-			v3 += m[s[3]]
-			v3 += v7
-			v15 ^= v3
-			v15 = v15<<(64-32) | v15>>32
-			v11 += v15
-			v7 ^= v11
-			v7 = v7<<(64-24) | v7>>24
-
-			v0 += m[s[4]]
-			v0 += v4
-			v12 ^= v0
-			v12 = v12<<(64-16) | v12>>16
-			v8 += v12
-			v4 ^= v8
-			v4 = v4<<(64-63) | v4>>63
-			v1 += m[s[5]]
-			v1 += v5
-			v13 ^= v1
-			v13 = v13<<(64-16) | v13>>16
-			v9 += v13
-			v5 ^= v9
-			v5 = v5<<(64-63) | v5>>63
-			v2 += m[s[6]]
-			v2 += v6
-			v14 ^= v2
-			v14 = v14<<(64-16) | v14>>16
-			v10 += v14
-			v6 ^= v10
-			v6 = v6<<(64-63) | v6>>63
-			v3 += m[s[7]]
-			v3 += v7
-			v15 ^= v3
-			v15 = v15<<(64-16) | v15>>16
-			v11 += v15
-			v7 ^= v11
-			v7 = v7<<(64-63) | v7>>63
-
-			v0 += m[s[8]]
-			v0 += v5
-			v15 ^= v0
-			v15 = v15<<(64-32) | v15>>32
-			v10 += v15
-			v5 ^= v10
-			v5 = v5<<(64-24) | v5>>24
-			v1 += m[s[9]]
-			v1 += v6
-			v12 ^= v1
-			v12 = v12<<(64-32) | v12>>32
-			v11 += v12
-			v6 ^= v11
-			v6 = v6<<(64-24) | v6>>24
-			v2 += m[s[10]]
-			v2 += v7
-			v13 ^= v2
-			v13 = v13<<(64-32) | v13>>32
-			v8 += v13
-			v7 ^= v8
-			v7 = v7<<(64-24) | v7>>24
-			v3 += m[s[11]]
-			v3 += v4
-			v14 ^= v3
-			v14 = v14<<(64-32) | v14>>32
-			v9 += v14
-			v4 ^= v9
-			v4 = v4<<(64-24) | v4>>24
-
-			v0 += m[s[12]]
-			v0 += v5
-			v15 ^= v0
-			v15 = v15<<(64-16) | v15>>16
-			v10 += v15
-			v5 ^= v10
-			v5 = v5<<(64-63) | v5>>63
-			v1 += m[s[13]]
-			v1 += v6
-			v12 ^= v1
-			v12 = v12<<(64-16) | v12>>16
-			v11 += v12
-			v6 ^= v11
-			v6 = v6<<(64-63) | v6>>63
-			v2 += m[s[14]]
-			v2 += v7
-			v13 ^= v2
-			v13 = v13<<(64-16) | v13>>16
-			v8 += v13
-			v7 ^= v8
-			v7 = v7<<(64-63) | v7>>63
-			v3 += m[s[15]]
-			v3 += v4
-			v14 ^= v3
-			v14 = v14<<(64-16) | v14>>16
-			v9 += v14
-			v4 ^= v9
-			v4 = v4<<(64-63) | v4>>63
-
-		}
-
-		h[0] ^= v0 ^ v8
-		h[1] ^= v1 ^ v9
-		h[2] ^= v2 ^ v10
-		h[3] ^= v3 ^ v11
-		h[4] ^= v4 ^ v12
-		h[5] ^= v5 ^ v13
-		h[6] ^= v6 ^ v14
-		h[7] ^= v7 ^ v15
-	}
-	c[0], c[1] = c0, c1
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b_ref.go b/vendor/golang.org/x/crypto/blake2b/blake2b_ref.go
deleted file mode 100644
index da156a1b..00000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2b_ref.go
+++ /dev/null
@@ -1,11 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !amd64 appengine gccgo
-
-package blake2b
-
-func hashBlocks(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
-	hashBlocksGeneric(h, c, flag, blocks)
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b_test.go b/vendor/golang.org/x/crypto/blake2b/blake2b_test.go
deleted file mode 100644
index 5d68bbf6..00000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2b_test.go
+++ /dev/null
@@ -1,798 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2b
-
-import (
-	"bytes"
-	"encoding/hex"
-	"fmt"
-	"hash"
-	"io"
-	"testing"
-)
-
-func fromHex(s string) []byte {
-	b, err := hex.DecodeString(s)
-	if err != nil {
-		panic(err)
-	}
-	return b
-}
-
-func TestHashes(t *testing.T) {
-	defer func(sse4, avx, avx2 bool) {
-		useSSE4, useAVX, useAVX2 = sse4, avx, avx2
-	}(useSSE4, useAVX, useAVX2)
-
-	if useAVX2 {
-		t.Log("AVX2 version")
-		testHashes(t)
-		useAVX2 = false
-	}
-	if useAVX {
-		t.Log("AVX version")
-		testHashes(t)
-		useAVX = false
-	}
-	if useSSE4 {
-		t.Log("SSE4 version")
-		testHashes(t)
-		useSSE4 = false
-	}
-	t.Log("generic version")
-	testHashes(t)
-}
-
-func TestHashes2X(t *testing.T) {
-	defer func(sse4, avx, avx2 bool) {
-		useSSE4, useAVX, useAVX2 = sse4, avx, avx2
-	}(useSSE4, useAVX, useAVX2)
-
-	if useAVX2 {
-		t.Log("AVX2 version")
-		testHashes2X(t)
-		useAVX2 = false
-	}
-	if useAVX {
-		t.Log("AVX version")
-		testHashes2X(t)
-		useAVX = false
-	}
-	if useSSE4 {
-		t.Log("SSE4 version")
-		testHashes2X(t)
-		useSSE4 = false
-	}
-	t.Log("generic version")
-	testHashes2X(t)
-}
-
-func testHashes(t *testing.T) {
-	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f")
-
-	input := make([]byte, 255)
-	for i := range input {
-		input[i] = byte(i)
-	}
-
-	for i, expectedHex := range hashes {
-		h, err := New512(key)
-		if err != nil {
-			t.Fatalf("#%d: error from New512: %v", i, err)
-		}
-
-		h.Write(input[:i])
-		sum := h.Sum(nil)
-
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (single write): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-
-		h.Reset()
-		for j := 0; j < i; j++ {
-			h.Write(input[j : j+1])
-		}
-
-		sum = h.Sum(sum[:0])
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (byte-by-byte): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-	}
-}
-
-func testHashes2X(t *testing.T) {
-	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f")
-
-	input := make([]byte, 256)
-	for i := range input {
-		input[i] = byte(i)
-	}
-
-	for i, expectedHex := range hashes2X {
-		length := uint32(len(expectedHex) / 2)
-		sum := make([]byte, int(length))
-
-		h, err := NewXOF(length, key)
-		if err != nil {
-			t.Fatalf("#%d: error from NewXOF: %v", i, err)
-		}
-
-		if _, err := h.Write(input); err != nil {
-			t.Fatalf("#%d (single write): error from Write: %v", i, err)
-		}
-		if _, err := h.Read(sum); err != nil {
-			t.Fatalf("#%d (single write): error from Read: %v", i, err)
-		}
-		if n, err := h.Read(sum); n != 0 || err != io.EOF {
-			t.Fatalf("#%d (single write): Read did not return (0, io.EOF) after exhaustion, got (%v, %v)", i, n, err)
-		}
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (single write): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-
-		h.Reset()
-		for j := 0; j < len(input); j++ {
-			h.Write(input[j : j+1])
-		}
-		for j := 0; j < len(sum); j++ {
-			h = h.Clone()
-			if _, err := h.Read(sum[j : j+1]); err != nil {
-				t.Fatalf("#%d (byte-by-byte) - Read %d: error from Read: %v", i, j, err)
-			}
-		}
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (byte-by-byte): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-	}
-
-	h, err := NewXOF(OutputLengthUnknown, key)
-	if err != nil {
-		t.Fatalf("#unknown length: error from NewXOF: %v", err)
-	}
-	if _, err := h.Write(input); err != nil {
-		t.Fatalf("#unknown length: error from Write: %v", err)
-	}
-
-	var result [64]byte
-	if n, err := h.Read(result[:]); err != nil {
-		t.Fatalf("#unknown length: error from Read: %v", err)
-	} else if n != len(result) {
-		t.Fatalf("#unknown length: Read returned %d bytes, want %d", n, len(result))
-	}
-
-	const expected = "3dbba8516da76bf7330055c66ea36cf1005e92714262b24d9710f51d9e126406e1bcd6497059f9331f1091c3634b695428d475ed432f987040575520a1c29f5e"
-	if fmt.Sprintf("%x", result) != expected {
-		t.Fatalf("#unknown length: bad result %x, wanted %s", result, expected)
-	}
-}
-
-func generateSequence(out []byte, seed uint32) {
-	a := 0xDEAD4BAD * seed // prime
-	b := uint32(1)
-
-	for i := range out { // fill the buf
-		a, b = b, a+b
-		out[i] = byte(b >> 24)
-	}
-}
-
-func computeMAC(msg []byte, hashSize int, key []byte) (sum []byte) {
-	var h hash.Hash
-	switch hashSize {
-	case Size:
-		h, _ = New512(key)
-	case Size384:
-		h, _ = New384(key)
-	case Size256:
-		h, _ = New256(key)
-	case 20:
-		h, _ = newDigest(20, key)
-	default:
-		panic("unexpected hashSize")
-	}
-
-	h.Write(msg)
-	return h.Sum(sum)
-}
-
-func computeHash(msg []byte, hashSize int) (sum []byte) {
-	switch hashSize {
-	case Size:
-		hash := Sum512(msg)
-		return hash[:]
-	case Size384:
-		hash := Sum384(msg)
-		return hash[:]
-	case Size256:
-		hash := Sum256(msg)
-		return hash[:]
-	case 20:
-		var hash [64]byte
-		checkSum(&hash, 20, msg)
-		return hash[:20]
-	default:
-		panic("unexpected hashSize")
-	}
-}
-
-// Test function from RFC 7693.
-func TestSelfTest(t *testing.T) {
-	hashLens := [4]int{20, 32, 48, 64}
-	msgLens := [6]int{0, 3, 128, 129, 255, 1024}
-
-	msg := make([]byte, 1024)
-	key := make([]byte, 64)
-
-	h, _ := New256(nil)
-	for _, hashSize := range hashLens {
-		for _, msgLength := range msgLens {
-			generateSequence(msg[:msgLength], uint32(msgLength)) // unkeyed hash
-
-			md := computeHash(msg[:msgLength], hashSize)
-			h.Write(md)
-
-			generateSequence(key[:], uint32(hashSize)) // keyed hash
-			md = computeMAC(msg[:msgLength], hashSize, key[:hashSize])
-			h.Write(md)
-		}
-	}
-
-	sum := h.Sum(nil)
-	expected := [32]byte{
-		0xc2, 0x3a, 0x78, 0x00, 0xd9, 0x81, 0x23, 0xbd,
-		0x10, 0xf5, 0x06, 0xc6, 0x1e, 0x29, 0xda, 0x56,
-		0x03, 0xd7, 0x63, 0xb8, 0xbb, 0xad, 0x2e, 0x73,
-		0x7f, 0x5e, 0x76, 0x5a, 0x7b, 0xcc, 0xd4, 0x75,
-	}
-	if !bytes.Equal(sum, expected[:]) {
-		t.Fatalf("got %x, wanted %x", sum, expected)
-	}
-}
-
-// Benchmarks
-
-func benchmarkSum(b *testing.B, size int) {
-	data := make([]byte, size)
-	b.SetBytes(int64(size))
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		Sum512(data)
-	}
-}
-
-func benchmarkWrite(b *testing.B, size int) {
-	data := make([]byte, size)
-	h, _ := New512(nil)
-	b.SetBytes(int64(size))
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		h.Write(data)
-	}
-}
-
-func BenchmarkWrite128(b *testing.B) { benchmarkWrite(b, 128) }
-func BenchmarkWrite1K(b *testing.B)  { benchmarkWrite(b, 1024) }
-
-func BenchmarkSum128(b *testing.B) { benchmarkSum(b, 128) }
-func BenchmarkSum1K(b *testing.B)  { benchmarkSum(b, 1024) }
-
-// These values were taken from https://blake2.net/blake2b-test.txt.
-var hashes = []string{
-	"10ebb67700b1868efb4417987acf4690ae9d972fb7a590c2f02871799aaa4786b5e996e8f0f4eb981fc214b005f42d2ff4233499391653df7aefcbc13fc51568",
-	"961f6dd1e4dd30f63901690c512e78e4b45e4742ed197c3c5e45c549fd25f2e4187b0bc9fe30492b16b0d0bc4ef9b0f34c7003fac09a5ef1532e69430234cebd",
-	"da2cfbe2d8409a0f38026113884f84b50156371ae304c4430173d08a99d9fb1b983164a3770706d537f49e0c916d9f32b95cc37a95b99d857436f0232c88a965",
-	"33d0825dddf7ada99b0e7e307104ad07ca9cfd9692214f1561356315e784f3e5a17e364ae9dbb14cb2036df932b77f4b292761365fb328de7afdc6d8998f5fc1",
-	"beaa5a3d08f3807143cf621d95cd690514d0b49efff9c91d24b59241ec0eefa5f60196d407048bba8d2146828ebcb0488d8842fd56bb4f6df8e19c4b4daab8ac",
-	"098084b51fd13deae5f4320de94a688ee07baea2800486689a8636117b46c1f4c1f6af7f74ae7c857600456a58a3af251dc4723a64cc7c0a5ab6d9cac91c20bb",
-	"6044540d560853eb1c57df0077dd381094781cdb9073e5b1b3d3f6c7829e12066bbaca96d989a690de72ca3133a83652ba284a6d62942b271ffa2620c9e75b1f",
-	"7a8cfe9b90f75f7ecb3acc053aaed6193112b6f6a4aeeb3f65d3de541942deb9e2228152a3c4bbbe72fc3b12629528cfbb09fe630f0474339f54abf453e2ed52",
-	"380beaf6ea7cc9365e270ef0e6f3a64fb902acae51dd5512f84259ad2c91f4bc4108db73192a5bbfb0cbcf71e46c3e21aee1c5e860dc96e8eb0b7b8426e6abe9",
-	"60fe3c4535e1b59d9a61ea8500bfac41a69dffb1ceadd9aca323e9a625b64da5763bad7226da02b9c8c4f1a5de140ac5a6c1124e4f718ce0b28ea47393aa6637",
-	"4fe181f54ad63a2983feaaf77d1e7235c2beb17fa328b6d9505bda327df19fc37f02c4b6f0368ce23147313a8e5738b5fa2a95b29de1c7f8264eb77b69f585cd",
-	"f228773ce3f3a42b5f144d63237a72d99693adb8837d0e112a8a0f8ffff2c362857ac49c11ec740d1500749dac9b1f4548108bf3155794dcc9e4082849e2b85b",
-	"962452a8455cc56c8511317e3b1f3b2c37df75f588e94325fdd77070359cf63a9ae6e930936fdf8e1e08ffca440cfb72c28f06d89a2151d1c46cd5b268ef8563",
-	"43d44bfa18768c59896bf7ed1765cb2d14af8c260266039099b25a603e4ddc5039d6ef3a91847d1088d401c0c7e847781a8a590d33a3c6cb4df0fab1c2f22355",
-	"dcffa9d58c2a4ca2cdbb0c7aa4c4c1d45165190089f4e983bb1c2cab4aaeff1fa2b5ee516fecd780540240bf37e56c8bcca7fab980e1e61c9400d8a9a5b14ac6",
-	"6fbf31b45ab0c0b8dad1c0f5f4061379912dde5aa922099a030b725c73346c524291adef89d2f6fd8dfcda6d07dad811a9314536c2915ed45da34947e83de34e",
-	"a0c65bddde8adef57282b04b11e7bc8aab105b99231b750c021f4a735cb1bcfab87553bba3abb0c3e64a0b6955285185a0bd35fb8cfde557329bebb1f629ee93",
-	"f99d815550558e81eca2f96718aed10d86f3f1cfb675cce06b0eff02f617c5a42c5aa760270f2679da2677c5aeb94f1142277f21c7f79f3c4f0cce4ed8ee62b1",
-	"95391da8fc7b917a2044b3d6f5374e1ca072b41454d572c7356c05fd4bc1e0f40b8bb8b4a9f6bce9be2c4623c399b0dca0dab05cb7281b71a21b0ebcd9e55670",
-	"04b9cd3d20d221c09ac86913d3dc63041989a9a1e694f1e639a3ba7e451840f750c2fc191d56ad61f2e7936bc0ac8e094b60caeed878c18799045402d61ceaf9",
-	"ec0e0ef707e4ed6c0c66f9e089e4954b058030d2dd86398fe84059631f9ee591d9d77375355149178c0cf8f8e7c49ed2a5e4f95488a2247067c208510fadc44c",
-	"9a37cce273b79c09913677510eaf7688e89b3314d3532fd2764c39de022a2945b5710d13517af8ddc0316624e73bec1ce67df15228302036f330ab0cb4d218dd",
-	"4cf9bb8fb3d4de8b38b2f262d3c40f46dfe747e8fc0a414c193d9fcf753106ce47a18f172f12e8a2f1c26726545358e5ee28c9e2213a8787aafbc516d2343152",
-	"64e0c63af9c808fd893137129867fd91939d53f2af04be4fa268006100069b2d69daa5c5d8ed7fddcb2a70eeecdf2b105dd46a1e3b7311728f639ab489326bc9",
-	"5e9c93158d659b2def06b0c3c7565045542662d6eee8a96a89b78ade09fe8b3dcc096d4fe48815d88d8f82620156602af541955e1f6ca30dce14e254c326b88f",
-	"7775dff889458dd11aef417276853e21335eb88e4dec9cfb4e9edb49820088551a2ca60339f12066101169f0dfe84b098fddb148d9da6b3d613df263889ad64b",
-	"f0d2805afbb91f743951351a6d024f9353a23c7ce1fc2b051b3a8b968c233f46f50f806ecb1568ffaa0b60661e334b21dde04f8fa155ac740eeb42e20b60d764",
-	"86a2af316e7d7754201b942e275364ac12ea8962ab5bd8d7fb276dc5fbffc8f9a28cae4e4867df6780d9b72524160927c855da5b6078e0b554aa91e31cb9ca1d",
-	"10bdf0caa0802705e706369baf8a3f79d72c0a03a80675a7bbb00be3a45e516424d1ee88efb56f6d5777545ae6e27765c3a8f5e493fc308915638933a1dfee55",
-	"b01781092b1748459e2e4ec178696627bf4ebafebba774ecf018b79a68aeb84917bf0b84bb79d17b743151144cd66b7b33a4b9e52c76c4e112050ff5385b7f0b",
-	"c6dbc61dec6eaeac81e3d5f755203c8e220551534a0b2fd105a91889945a638550204f44093dd998c076205dffad703a0e5cd3c7f438a7e634cd59fededb539e",
-	"eba51acffb4cea31db4b8d87e9bf7dd48fe97b0253ae67aa580f9ac4a9d941f2bea518ee286818cc9f633f2a3b9fb68e594b48cdd6d515bf1d52ba6c85a203a7",
-	"86221f3ada52037b72224f105d7999231c5e5534d03da9d9c0a12acb68460cd375daf8e24386286f9668f72326dbf99ba094392437d398e95bb8161d717f8991",
-	"5595e05c13a7ec4dc8f41fb70cb50a71bce17c024ff6de7af618d0cc4e9c32d9570d6d3ea45b86525491030c0d8f2b1836d5778c1ce735c17707df364d054347",
-	"ce0f4f6aca89590a37fe034dd74dd5fa65eb1cbd0a41508aaddc09351a3cea6d18cb2189c54b700c009f4cbf0521c7ea01be61c5ae09cb54f27bc1b44d658c82",
-	"7ee80b06a215a3bca970c77cda8761822bc103d44fa4b33f4d07dcb997e36d55298bceae12241b3fa07fa63be5576068da387b8d5859aeab701369848b176d42",
-	"940a84b6a84d109aab208c024c6ce9647676ba0aaa11f86dbb7018f9fd2220a6d901a9027f9abcf935372727cbf09ebd61a2a2eeb87653e8ecad1bab85dc8327",
-	"2020b78264a82d9f4151141adba8d44bf20c5ec062eee9b595a11f9e84901bf148f298e0c9f8777dcdbc7cc4670aac356cc2ad8ccb1629f16f6a76bcefbee760",
-	"d1b897b0e075ba68ab572adf9d9c436663e43eb3d8e62d92fc49c9be214e6f27873fe215a65170e6bea902408a25b49506f47babd07cecf7113ec10c5dd31252",
-	"b14d0c62abfa469a357177e594c10c194243ed2025ab8aa5ad2fa41ad318e0ff48cd5e60bec07b13634a711d2326e488a985f31e31153399e73088efc86a5c55",
-	"4169c5cc808d2697dc2a82430dc23e3cd356dc70a94566810502b8d655b39abf9e7f902fe717e0389219859e1945df1af6ada42e4ccda55a197b7100a30c30a1",
-	"258a4edb113d66c839c8b1c91f15f35ade609f11cd7f8681a4045b9fef7b0b24c82cda06a5f2067b368825e3914e53d6948ede92efd6e8387fa2e537239b5bee",
-	"79d2d8696d30f30fb34657761171a11e6c3f1e64cbe7bebee159cb95bfaf812b4f411e2f26d9c421dc2c284a3342d823ec293849e42d1e46b0a4ac1e3c86abaa",
-	"8b9436010dc5dee992ae38aea97f2cd63b946d94fedd2ec9671dcde3bd4ce9564d555c66c15bb2b900df72edb6b891ebcadfeff63c9ea4036a998be7973981e7",
-	"c8f68e696ed28242bf997f5b3b34959508e42d613810f1e2a435c96ed2ff560c7022f361a9234b9837feee90bf47922ee0fd5f8ddf823718d86d1e16c6090071",
-	"b02d3eee4860d5868b2c39ce39bfe81011290564dd678c85e8783f29302dfc1399ba95b6b53cd9ebbf400cca1db0ab67e19a325f2d115812d25d00978ad1bca4",
-	"7693ea73af3ac4dad21ca0d8da85b3118a7d1c6024cfaf557699868217bc0c2f44a199bc6c0edd519798ba05bd5b1b4484346a47c2cadf6bf30b785cc88b2baf",
-	"a0e5c1c0031c02e48b7f09a5e896ee9aef2f17fc9e18e997d7f6cac7ae316422c2b1e77984e5f3a73cb45deed5d3f84600105e6ee38f2d090c7d0442ea34c46d",
-	"41daa6adcfdb69f1440c37b596440165c15ada596813e2e22f060fcd551f24dee8e04ba6890387886ceec4a7a0d7fc6b44506392ec3822c0d8c1acfc7d5aebe8",
-	"14d4d40d5984d84c5cf7523b7798b254e275a3a8cc0a1bd06ebc0bee726856acc3cbf516ff667cda2058ad5c3412254460a82c92187041363cc77a4dc215e487",
-	"d0e7a1e2b9a447fee83e2277e9ff8010c2f375ae12fa7aaa8ca5a6317868a26a367a0b69fbc1cf32a55d34eb370663016f3d2110230eba754028a56f54acf57c",
-	"e771aa8db5a3e043e8178f39a0857ba04a3f18e4aa05743cf8d222b0b095825350ba422f63382a23d92e4149074e816a36c1cd28284d146267940b31f8818ea2",
-	"feb4fd6f9e87a56bef398b3284d2bda5b5b0e166583a66b61e538457ff0584872c21a32962b9928ffab58de4af2edd4e15d8b35570523207ff4e2a5aa7754caa",
-	"462f17bf005fb1c1b9e671779f665209ec2873e3e411f98dabf240a1d5ec3f95ce6796b6fc23fe171903b502023467dec7273ff74879b92967a2a43a5a183d33",
-	"d3338193b64553dbd38d144bea71c5915bb110e2d88180dbc5db364fd6171df317fc7268831b5aef75e4342b2fad8797ba39eddcef80e6ec08159350b1ad696d",
-	"e1590d585a3d39f7cb599abd479070966409a6846d4377acf4471d065d5db94129cc9be92573b05ed226be1e9b7cb0cabe87918589f80dadd4ef5ef25a93d28e",
-	"f8f3726ac5a26cc80132493a6fedcb0e60760c09cfc84cad178175986819665e76842d7b9fedf76dddebf5d3f56faaad4477587af21606d396ae570d8e719af2",
-	"30186055c07949948183c850e9a756cc09937e247d9d928e869e20bafc3cd9721719d34e04a0899b92c736084550186886efba2e790d8be6ebf040b209c439a4",
-	"f3c4276cb863637712c241c444c5cc1e3554e0fddb174d035819dd83eb700b4ce88df3ab3841ba02085e1a99b4e17310c5341075c0458ba376c95a6818fbb3e2",
-	"0aa007c4dd9d5832393040a1583c930bca7dc5e77ea53add7e2b3f7c8e231368043520d4a3ef53c969b6bbfd025946f632bd7f765d53c21003b8f983f75e2a6a",
-	"08e9464720533b23a04ec24f7ae8c103145f765387d738777d3d343477fd1c58db052142cab754ea674378e18766c53542f71970171cc4f81694246b717d7564",
-	"d37ff7ad297993e7ec21e0f1b4b5ae719cdc83c5db687527f27516cbffa822888a6810ee5c1ca7bfe3321119be1ab7bfa0a502671c8329494df7ad6f522d440f",
-	"dd9042f6e464dcf86b1262f6accfafbd8cfd902ed3ed89abf78ffa482dbdeeb6969842394c9a1168ae3d481a017842f660002d42447c6b22f7b72f21aae021c9",
-	"bd965bf31e87d70327536f2a341cebc4768eca275fa05ef98f7f1b71a0351298de006fba73fe6733ed01d75801b4a928e54231b38e38c562b2e33ea1284992fa",
-	"65676d800617972fbd87e4b9514e1c67402b7a331096d3bfac22f1abb95374abc942f16e9ab0ead33b87c91968a6e509e119ff07787b3ef483e1dcdccf6e3022",
-	"939fa189699c5d2c81ddd1ffc1fa207c970b6a3685bb29ce1d3e99d42f2f7442da53e95a72907314f4588399a3ff5b0a92beb3f6be2694f9f86ecf2952d5b41c",
-	"c516541701863f91005f314108ceece3c643e04fc8c42fd2ff556220e616aaa6a48aeb97a84bad74782e8dff96a1a2fa949339d722edcaa32b57067041df88cc",
-	"987fd6e0d6857c553eaebb3d34970a2c2f6e89a3548f492521722b80a1c21a153892346d2cba6444212d56da9a26e324dccbc0dcde85d4d2ee4399eec5a64e8f",
-	"ae56deb1c2328d9c4017706bce6e99d41349053ba9d336d677c4c27d9fd50ae6aee17e853154e1f4fe7672346da2eaa31eea53fcf24a22804f11d03da6abfc2b",
-	"49d6a608c9bde4491870498572ac31aac3fa40938b38a7818f72383eb040ad39532bc06571e13d767e6945ab77c0bdc3b0284253343f9f6c1244ebf2ff0df866",
-	"da582ad8c5370b4469af862aa6467a2293b2b28bd80ae0e91f425ad3d47249fdf98825cc86f14028c3308c9804c78bfeeeee461444ce243687e1a50522456a1d",
-	"d5266aa3331194aef852eed86d7b5b2633a0af1c735906f2e13279f14931a9fc3b0eac5ce9245273bd1aa92905abe16278ef7efd47694789a7283b77da3c70f8",
-	"2962734c28252186a9a1111c732ad4de4506d4b4480916303eb7991d659ccda07a9911914bc75c418ab7a4541757ad054796e26797feaf36e9f6ad43f14b35a4",
-	"e8b79ec5d06e111bdfafd71e9f5760f00ac8ac5d8bf768f9ff6f08b8f026096b1cc3a4c973333019f1e3553e77da3f98cb9f542e0a90e5f8a940cc58e59844b3",
-	"dfb320c44f9d41d1efdcc015f08dd5539e526e39c87d509ae6812a969e5431bf4fa7d91ffd03b981e0d544cf72d7b1c0374f8801482e6dea2ef903877eba675e",
-	"d88675118fdb55a5fb365ac2af1d217bf526ce1ee9c94b2f0090b2c58a06ca58187d7fe57c7bed9d26fca067b4110eefcd9a0a345de872abe20de368001b0745",
-	"b893f2fc41f7b0dd6e2f6aa2e0370c0cff7df09e3acfcc0e920b6e6fad0ef747c40668417d342b80d2351e8c175f20897a062e9765e6c67b539b6ba8b9170545",
-	"6c67ec5697accd235c59b486d7b70baeedcbd4aa64ebd4eef3c7eac189561a726250aec4d48cadcafbbe2ce3c16ce2d691a8cce06e8879556d4483ed7165c063",
-	"f1aa2b044f8f0c638a3f362e677b5d891d6fd2ab0765f6ee1e4987de057ead357883d9b405b9d609eea1b869d97fb16d9b51017c553f3b93c0a1e0f1296fedcd",
-	"cbaa259572d4aebfc1917acddc582b9f8dfaa928a198ca7acd0f2aa76a134a90252e6298a65b08186a350d5b7626699f8cb721a3ea5921b753ae3a2dce24ba3a",
-	"fa1549c9796cd4d303dcf452c1fbd5744fd9b9b47003d920b92de34839d07ef2a29ded68f6fc9e6c45e071a2e48bd50c5084e96b657dd0404045a1ddefe282ed",
-	"5cf2ac897ab444dcb5c8d87c495dbdb34e1838b6b629427caa51702ad0f9688525f13bec503a3c3a2c80a65e0b5715e8afab00ffa56ec455a49a1ad30aa24fcd",
-	"9aaf80207bace17bb7ab145757d5696bde32406ef22b44292ef65d4519c3bb2ad41a59b62cc3e94b6fa96d32a7faadae28af7d35097219aa3fd8cda31e40c275",
-	"af88b163402c86745cb650c2988fb95211b94b03ef290eed9662034241fd51cf398f8073e369354c43eae1052f9b63b08191caa138aa54fea889cc7024236897",
-	"48fa7d64e1ceee27b9864db5ada4b53d00c9bc7626555813d3cd6730ab3cc06ff342d727905e33171bde6e8476e77fb1720861e94b73a2c538d254746285f430",
-	"0e6fd97a85e904f87bfe85bbeb34f69e1f18105cf4ed4f87aec36c6e8b5f68bd2a6f3dc8a9ecb2b61db4eedb6b2ea10bf9cb0251fb0f8b344abf7f366b6de5ab",
-	"06622da5787176287fdc8fed440bad187d830099c94e6d04c8e9c954cda70c8bb9e1fc4a6d0baa831b9b78ef6648681a4867a11da93ee36e5e6a37d87fc63f6f",
-	"1da6772b58fabf9c61f68d412c82f182c0236d7d575ef0b58dd22458d643cd1dfc93b03871c316d8430d312995d4197f0874c99172ba004a01ee295abac24e46",
-	"3cd2d9320b7b1d5fb9aab951a76023fa667be14a9124e394513918a3f44096ae4904ba0ffc150b63bc7ab1eeb9a6e257e5c8f000a70394a5afd842715de15f29",
-	"04cdc14f7434e0b4be70cb41db4c779a88eaef6accebcb41f2d42fffe7f32a8e281b5c103a27021d0d08362250753cdf70292195a53a48728ceb5844c2d98bab",
-	"9071b7a8a075d0095b8fb3ae5113785735ab98e2b52faf91d5b89e44aac5b5d4ebbf91223b0ff4c71905da55342e64655d6ef8c89a4768c3f93a6dc0366b5bc8",
-	"ebb30240dd96c7bc8d0abe49aa4edcbb4afdc51ff9aaf720d3f9e7fbb0f9c6d6571350501769fc4ebd0b2141247ff400d4fd4be414edf37757bb90a32ac5c65a",
-	"8532c58bf3c8015d9d1cbe00eef1f5082f8f3632fbe9f1ed4f9dfb1fa79e8283066d77c44c4af943d76b300364aecbd0648c8a8939bd204123f4b56260422dec",
-	"fe9846d64f7c7708696f840e2d76cb4408b6595c2f81ec6a28a7f2f20cb88cfe6ac0b9e9b8244f08bd7095c350c1d0842f64fb01bb7f532dfcd47371b0aeeb79",
-	"28f17ea6fb6c42092dc264257e29746321fb5bdaea9873c2a7fa9d8f53818e899e161bc77dfe8090afd82bf2266c5c1bc930a8d1547624439e662ef695f26f24",
-	"ec6b7d7f030d4850acae3cb615c21dd25206d63e84d1db8d957370737ba0e98467ea0ce274c66199901eaec18a08525715f53bfdb0aacb613d342ebdceeddc3b",
-	"b403d3691c03b0d3418df327d5860d34bbfcc4519bfbce36bf33b208385fadb9186bc78a76c489d89fd57e7dc75412d23bcd1dae8470ce9274754bb8585b13c5",
-	"31fc79738b8772b3f55cd8178813b3b52d0db5a419d30ba9495c4b9da0219fac6df8e7c23a811551a62b827f256ecdb8124ac8a6792ccfecc3b3012722e94463",
-	"bb2039ec287091bcc9642fc90049e73732e02e577e2862b32216ae9bedcd730c4c284ef3968c368b7d37584f97bd4b4dc6ef6127acfe2e6ae2509124e66c8af4",
-	"f53d68d13f45edfcb9bd415e2831e938350d5380d3432278fc1c0c381fcb7c65c82dafe051d8c8b0d44e0974a0e59ec7bf7ed0459f86e96f329fc79752510fd3",
-	"8d568c7984f0ecdf7640fbc483b5d8c9f86634f6f43291841b309a350ab9c1137d24066b09da9944bac54d5bb6580d836047aac74ab724b887ebf93d4b32eca9",
-	"c0b65ce5a96ff774c456cac3b5f2c4cd359b4ff53ef93a3da0778be4900d1e8da1601e769e8f1b02d2a2f8c5b9fa10b44f1c186985468feeb008730283a6657d",
-	"4900bba6f5fb103ece8ec96ada13a5c3c85488e05551da6b6b33d988e611ec0fe2e3c2aa48ea6ae8986a3a231b223c5d27cec2eadde91ce07981ee652862d1e4",
-	"c7f5c37c7285f927f76443414d4357ff789647d7a005a5a787e03c346b57f49f21b64fa9cf4b7e45573e23049017567121a9c3d4b2b73ec5e9413577525db45a",
-	"ec7096330736fdb2d64b5653e7475da746c23a4613a82687a28062d3236364284ac01720ffb406cfe265c0df626a188c9e5963ace5d3d5bb363e32c38c2190a6",
-	"82e744c75f4649ec52b80771a77d475a3bc091989556960e276a5f9ead92a03f718742cdcfeaee5cb85c44af198adc43a4a428f5f0c2ddb0be36059f06d7df73",
-	"2834b7a7170f1f5b68559ab78c1050ec21c919740b784a9072f6e5d69f828d70c919c5039fb148e39e2c8a52118378b064ca8d5001cd10a5478387b966715ed6",
-	"16b4ada883f72f853bb7ef253efcab0c3e2161687ad61543a0d2824f91c1f81347d86be709b16996e17f2dd486927b0288ad38d13063c4a9672c39397d3789b6",
-	"78d048f3a69d8b54ae0ed63a573ae350d89f7c6cf1f3688930de899afa037697629b314e5cd303aa62feea72a25bf42b304b6c6bcb27fae21c16d925e1fbdac3",
-	"0f746a48749287ada77a82961f05a4da4abdb7d77b1220f836d09ec814359c0ec0239b8c7b9ff9e02f569d1b301ef67c4612d1de4f730f81c12c40cc063c5caa",
-	"f0fc859d3bd195fbdc2d591e4cdac15179ec0f1dc821c11df1f0c1d26e6260aaa65b79fafacafd7d3ad61e600f250905f5878c87452897647a35b995bcadc3a3",
-	"2620f687e8625f6a412460b42e2cef67634208ce10a0cbd4dff7044a41b7880077e9f8dc3b8d1216d3376a21e015b58fb279b521d83f9388c7382c8505590b9b",
-	"227e3aed8d2cb10b918fcb04f9de3e6d0a57e08476d93759cd7b2ed54a1cbf0239c528fb04bbf288253e601d3bc38b21794afef90b17094a182cac557745e75f",
-	"1a929901b09c25f27d6b35be7b2f1c4745131fdebca7f3e2451926720434e0db6e74fd693ad29b777dc3355c592a361c4873b01133a57c2e3b7075cbdb86f4fc",
-	"5fd7968bc2fe34f220b5e3dc5af9571742d73b7d60819f2888b629072b96a9d8ab2d91b82d0a9aaba61bbd39958132fcc4257023d1eca591b3054e2dc81c8200",
-	"dfcce8cf32870cc6a503eadafc87fd6f78918b9b4d0737db6810be996b5497e7e5cc80e312f61e71ff3e9624436073156403f735f56b0b01845c18f6caf772e6",
-	"02f7ef3a9ce0fff960f67032b296efca3061f4934d690749f2d01c35c81c14f39a67fa350bc8a0359bf1724bffc3bca6d7c7bba4791fd522a3ad353c02ec5aa8",
-	"64be5c6aba65d594844ae78bb022e5bebe127fd6b6ffa5a13703855ab63b624dcd1a363f99203f632ec386f3ea767fc992e8ed9686586aa27555a8599d5b808f",
-	"f78585505c4eaa54a8b5be70a61e735e0ff97af944ddb3001e35d86c4e2199d976104b6ae31750a36a726ed285064f5981b503889fef822fcdc2898dddb7889a",
-	"e4b5566033869572edfd87479a5bb73c80e8759b91232879d96b1dda36c012076ee5a2ed7ae2de63ef8406a06aea82c188031b560beafb583fb3de9e57952a7e",
-	"e1b3e7ed867f6c9484a2a97f7715f25e25294e992e41f6a7c161ffc2adc6daaeb7113102d5e6090287fe6ad94ce5d6b739c6ca240b05c76fb73f25dd024bf935",
-	"85fd085fdc12a080983df07bd7012b0d402a0f4043fcb2775adf0bad174f9b08d1676e476985785c0a5dcc41dbff6d95ef4d66a3fbdc4a74b82ba52da0512b74",
-	"aed8fa764b0fbff821e05233d2f7b0900ec44d826f95e93c343c1bc3ba5a24374b1d616e7e7aba453a0ada5e4fab5382409e0d42ce9c2bc7fb39a99c340c20f0",
-	"7ba3b2e297233522eeb343bd3ebcfd835a04007735e87f0ca300cbee6d416565162171581e4020ff4cf176450f1291ea2285cb9ebffe4c56660627685145051c",
-	"de748bcf89ec88084721e16b85f30adb1a6134d664b5843569babc5bbd1a15ca9b61803c901a4fef32965a1749c9f3a4e243e173939dc5a8dc495c671ab52145",
-	"aaf4d2bdf200a919706d9842dce16c98140d34bc433df320aba9bd429e549aa7a3397652a4d768277786cf993cde2338673ed2e6b66c961fefb82cd20c93338f",
-	"c408218968b788bf864f0997e6bc4c3dba68b276e2125a4843296052ff93bf5767b8cdce7131f0876430c1165fec6c4f47adaa4fd8bcfacef463b5d3d0fa61a0",
-	"76d2d819c92bce55fa8e092ab1bf9b9eab237a25267986cacf2b8ee14d214d730dc9a5aa2d7b596e86a1fd8fa0804c77402d2fcd45083688b218b1cdfa0dcbcb",
-	"72065ee4dd91c2d8509fa1fc28a37c7fc9fa7d5b3f8ad3d0d7a25626b57b1b44788d4caf806290425f9890a3a2a35a905ab4b37acfd0da6e4517b2525c9651e4",
-	"64475dfe7600d7171bea0b394e27c9b00d8e74dd1e416a79473682ad3dfdbb706631558055cfc8a40e07bd015a4540dcdea15883cbbf31412df1de1cd4152b91",
-	"12cd1674a4488a5d7c2b3160d2e2c4b58371bedad793418d6f19c6ee385d70b3e06739369d4df910edb0b0a54cbff43d54544cd37ab3a06cfa0a3ddac8b66c89",
-	"60756966479dedc6dd4bcff8ea7d1d4ce4d4af2e7b097e32e3763518441147cc12b3c0ee6d2ecabf1198cec92e86a3616fba4f4e872f5825330adbb4c1dee444",
-	"a7803bcb71bc1d0f4383dde1e0612e04f872b715ad30815c2249cf34abb8b024915cb2fc9f4e7cc4c8cfd45be2d5a91eab0941c7d270e2da4ca4a9f7ac68663a",
-	"b84ef6a7229a34a750d9a98ee2529871816b87fbe3bc45b45fa5ae82d5141540211165c3c5d7a7476ba5a4aa06d66476f0d9dc49a3f1ee72c3acabd498967414",
-	"fae4b6d8efc3f8c8e64d001dabec3a21f544e82714745251b2b4b393f2f43e0da3d403c64db95a2cb6e23ebb7b9e94cdd5ddac54f07c4a61bd3cb10aa6f93b49",
-	"34f7286605a122369540141ded79b8957255da2d4155abbf5a8dbb89c8eb7ede8eeef1daa46dc29d751d045dc3b1d658bb64b80ff8589eddb3824b13da235a6b",
-	"3b3b48434be27b9eababba43bf6b35f14b30f6a88dc2e750c358470d6b3aa3c18e47db4017fa55106d8252f016371a00f5f8b070b74ba5f23cffc5511c9f09f0",
-	"ba289ebd6562c48c3e10a8ad6ce02e73433d1e93d7c9279d4d60a7e879ee11f441a000f48ed9f7c4ed87a45136d7dccdca482109c78a51062b3ba4044ada2469",
-	"022939e2386c5a37049856c850a2bb10a13dfea4212b4c732a8840a9ffa5faf54875c5448816b2785a007da8a8d2bc7d71a54e4e6571f10b600cbdb25d13ede3",
-	"e6fec19d89ce8717b1a087024670fe026f6c7cbda11caef959bb2d351bf856f8055d1c0ebdaaa9d1b17886fc2c562b5e99642fc064710c0d3488a02b5ed7f6fd",
-	"94c96f02a8f576aca32ba61c2b206f907285d9299b83ac175c209a8d43d53bfe683dd1d83e7549cb906c28f59ab7c46f8751366a28c39dd5fe2693c9019666c8",
-	"31a0cd215ebd2cb61de5b9edc91e6195e31c59a5648d5c9f737e125b2605708f2e325ab3381c8dce1a3e958886f1ecdc60318f882cfe20a24191352e617b0f21",
-	"91ab504a522dce78779f4c6c6ba2e6b6db5565c76d3e7e7c920caf7f757ef9db7c8fcf10e57f03379ea9bf75eb59895d96e149800b6aae01db778bb90afbc989",
-	"d85cabc6bd5b1a01a5afd8c6734740da9fd1c1acc6db29bfc8a2e5b668b028b6b3154bfb8703fa3180251d589ad38040ceb707c4bad1b5343cb426b61eaa49c1",
-	"d62efbec2ca9c1f8bd66ce8b3f6a898cb3f7566ba6568c618ad1feb2b65b76c3ce1dd20f7395372faf28427f61c9278049cf0140df434f5633048c86b81e0399",
-	"7c8fdc6175439e2c3db15bafa7fb06143a6a23bc90f449e79deef73c3d492a671715c193b6fea9f036050b946069856b897e08c00768f5ee5ddcf70b7cd6d0e0",
-	"58602ee7468e6bc9df21bd51b23c005f72d6cb013f0a1b48cbec5eca299299f97f09f54a9a01483eaeb315a6478bad37ba47ca1347c7c8fc9e6695592c91d723",
-	"27f5b79ed256b050993d793496edf4807c1d85a7b0a67c9c4fa99860750b0ae66989670a8ffd7856d7ce411599e58c4d77b232a62bef64d15275be46a68235ff",
-	"3957a976b9f1887bf004a8dca942c92d2b37ea52600f25e0c9bc5707d0279c00c6e85a839b0d2d8eb59c51d94788ebe62474a791cadf52cccf20f5070b6573fc",
-	"eaa2376d55380bf772ecca9cb0aa4668c95c707162fa86d518c8ce0ca9bf7362b9f2a0adc3ff59922df921b94567e81e452f6c1a07fc817cebe99604b3505d38",
-	"c1e2c78b6b2734e2480ec550434cb5d613111adcc21d475545c3b1b7e6ff12444476e5c055132e2229dc0f807044bb919b1a5662dd38a9ee65e243a3911aed1a",
-	"8ab48713389dd0fcf9f965d3ce66b1e559a1f8c58741d67683cd971354f452e62d0207a65e436c5d5d8f8ee71c6abfe50e669004c302b31a7ea8311d4a916051",
-	"24ce0addaa4c65038bd1b1c0f1452a0b128777aabc94a29df2fd6c7e2f85f8ab9ac7eff516b0e0a825c84a24cfe492eaad0a6308e46dd42fe8333ab971bb30ca",
-	"5154f929ee03045b6b0c0004fa778edee1d139893267cc84825ad7b36c63de32798e4a166d24686561354f63b00709a1364b3c241de3febf0754045897467cd4",
-	"e74e907920fd87bd5ad636dd11085e50ee70459c443e1ce5809af2bc2eba39f9e6d7128e0e3712c316da06f4705d78a4838e28121d4344a2c79c5e0db307a677",
-	"bf91a22334bac20f3fd80663b3cd06c4e8802f30e6b59f90d3035cc9798a217ed5a31abbda7fa6842827bdf2a7a1c21f6fcfccbb54c6c52926f32da816269be1",
-	"d9d5c74be5121b0bd742f26bffb8c89f89171f3f934913492b0903c271bbe2b3395ef259669bef43b57f7fcc3027db01823f6baee66e4f9fead4d6726c741fce",
-	"50c8b8cf34cd879f80e2faab3230b0c0e1cc3e9dcadeb1b9d97ab923415dd9a1fe38addd5c11756c67990b256e95ad6d8f9fedce10bf1c90679cde0ecf1be347",
-	"0a386e7cd5dd9b77a035e09fe6fee2c8ce61b5383c87ea43205059c5e4cd4f4408319bb0a82360f6a58e6c9ce3f487c446063bf813bc6ba535e17fc1826cfc91",
-	"1f1459cb6b61cbac5f0efe8fc487538f42548987fcd56221cfa7beb22504769e792c45adfb1d6b3d60d7b749c8a75b0bdf14e8ea721b95dca538ca6e25711209",
-	"e58b3836b7d8fedbb50ca5725c6571e74c0785e97821dab8b6298c10e4c079d4a6cdf22f0fedb55032925c16748115f01a105e77e00cee3d07924dc0d8f90659",
-	"b929cc6505f020158672deda56d0db081a2ee34c00c1100029bdf8ea98034fa4bf3e8655ec697fe36f40553c5bb46801644a627d3342f4fc92b61f03290fb381",
-	"72d353994b49d3e03153929a1e4d4f188ee58ab9e72ee8e512f29bc773913819ce057ddd7002c0433ee0a16114e3d156dd2c4a7e80ee53378b8670f23e33ef56",
-	"c70ef9bfd775d408176737a0736d68517ce1aaad7e81a93c8c1ed967ea214f56c8a377b1763e676615b60f3988241eae6eab9685a5124929d28188f29eab06f7",
-	"c230f0802679cb33822ef8b3b21bf7a9a28942092901d7dac3760300831026cf354c9232df3e084d9903130c601f63c1f4a4a4b8106e468cd443bbe5a734f45f",
-	"6f43094cafb5ebf1f7a4937ec50f56a4c9da303cbb55ac1f27f1f1976cd96beda9464f0e7b9c54620b8a9fba983164b8be3578425a024f5fe199c36356b88972",
-	"3745273f4c38225db2337381871a0c6aafd3af9b018c88aa02025850a5dc3a42a1a3e03e56cbf1b0876d63a441f1d2856a39b8801eb5af325201c415d65e97fe",
-	"c50c44cca3ec3edaae779a7e179450ebdda2f97067c690aa6c5a4ac7c30139bb27c0df4db3220e63cb110d64f37ffe078db72653e2daacf93ae3f0a2d1a7eb2e",
-	"8aef263e385cbc61e19b28914243262af5afe8726af3ce39a79c27028cf3ecd3f8d2dfd9cfc9ad91b58f6f20778fd5f02894a3d91c7d57d1e4b866a7f364b6be",
-	"28696141de6e2d9bcb3235578a66166c1448d3e905a1b482d423be4bc5369bc8c74dae0acc9cc123e1d8ddce9f97917e8c019c552da32d39d2219b9abf0fa8c8",
-	"2fb9eb2085830181903a9dafe3db428ee15be7662224efd643371fb25646aee716e531eca69b2bdc8233f1a8081fa43da1500302975a77f42fa592136710e9dc",
-	"66f9a7143f7a3314a669bf2e24bbb35014261d639f495b6c9c1f104fe8e320aca60d4550d69d52edbd5a3cdeb4014ae65b1d87aa770b69ae5c15f4330b0b0ad8",
-	"f4c4dd1d594c3565e3e25ca43dad82f62abea4835ed4cd811bcd975e46279828d44d4c62c3679f1b7f7b9dd4571d7b49557347b8c5460cbdc1bef690fb2a08c0",
-	"8f1dc9649c3a84551f8f6e91cac68242a43b1f8f328ee92280257387fa7559aa6db12e4aeadc2d26099178749c6864b357f3f83b2fb3efa8d2a8db056bed6bcc",
-	"3139c1a7f97afd1675d460ebbc07f2728aa150df849624511ee04b743ba0a833092f18c12dc91b4dd243f333402f59fe28abdbbbae301e7b659c7a26d5c0f979",
-	"06f94a2996158a819fe34c40de3cf0379fd9fb85b3e363ba3926a0e7d960e3f4c2e0c70c7ce0ccb2a64fc29869f6e7ab12bd4d3f14fce943279027e785fb5c29",
-	"c29c399ef3eee8961e87565c1ce263925fc3d0ce267d13e48dd9e732ee67b0f69fad56401b0f10fcaac119201046cca28c5b14abdea3212ae65562f7f138db3d",
-	"4cec4c9df52eef05c3f6faaa9791bc7445937183224ecc37a1e58d0132d35617531d7e795f52af7b1eb9d147de1292d345fe341823f8e6bc1e5badca5c656108",
-	"898bfbae93b3e18d00697eab7d9704fa36ec339d076131cefdf30edbe8d9cc81c3a80b129659b163a323bab9793d4feed92d54dae966c77529764a09be88db45",
-	"ee9bd0469d3aaf4f14035be48a2c3b84d9b4b1fff1d945e1f1c1d38980a951be197b25fe22c731f20aeacc930ba9c4a1f4762227617ad350fdabb4e80273a0f4",
-	"3d4d3113300581cd96acbf091c3d0f3c310138cd6979e6026cde623e2dd1b24d4a8638bed1073344783ad0649cc6305ccec04beb49f31c633088a99b65130267",
-	"95c0591ad91f921ac7be6d9ce37e0663ed8011c1cfd6d0162a5572e94368bac02024485e6a39854aa46fe38e97d6c6b1947cd272d86b06bb5b2f78b9b68d559d",
-	"227b79ded368153bf46c0a3ca978bfdbef31f3024a5665842468490b0ff748ae04e7832ed4c9f49de9b1706709d623e5c8c15e3caecae8d5e433430ff72f20eb",
-	"5d34f3952f0105eef88ae8b64c6ce95ebfade0e02c69b08762a8712d2e4911ad3f941fc4034dc9b2e479fdbcd279b902faf5d838bb2e0c6495d372b5b7029813",
-	"7f939bf8353abce49e77f14f3750af20b7b03902e1a1e7fb6aaf76d0259cd401a83190f15640e74f3e6c5a90e839c7821f6474757f75c7bf9002084ddc7a62dc",
-	"062b61a2f9a33a71d7d0a06119644c70b0716a504de7e5e1be49bd7b86e7ed6817714f9f0fc313d06129597e9a2235ec8521de36f7290a90ccfc1ffa6d0aee29",
-	"f29e01eeae64311eb7f1c6422f946bf7bea36379523e7b2bbaba7d1d34a22d5ea5f1c5a09d5ce1fe682cced9a4798d1a05b46cd72dff5c1b355440b2a2d476bc",
-	"ec38cd3bbab3ef35d7cb6d5c914298351d8a9dc97fcee051a8a02f58e3ed6184d0b7810a5615411ab1b95209c3c810114fdeb22452084e77f3f847c6dbaafe16",
-	"c2aef5e0ca43e82641565b8cb943aa8ba53550caef793b6532fafad94b816082f0113a3ea2f63608ab40437ecc0f0229cb8fa224dcf1c478a67d9b64162b92d1",
-	"15f534efff7105cd1c254d074e27d5898b89313b7d366dc2d7d87113fa7d53aae13f6dba487ad8103d5e854c91fdb6e1e74b2ef6d1431769c30767dde067a35c",
-	"89acbca0b169897a0a2714c2df8c95b5b79cb69390142b7d6018bb3e3076b099b79a964152a9d912b1b86412b7e372e9cecad7f25d4cbab8a317be36492a67d7",
-	"e3c0739190ed849c9c962fd9dbb55e207e624fcac1eb417691515499eea8d8267b7e8f1287a63633af5011fde8c4ddf55bfdf722edf88831414f2cfaed59cb9a",
-	"8d6cf87c08380d2d1506eee46fd4222d21d8c04e585fbfd08269c98f702833a156326a0724656400ee09351d57b440175e2a5de93cc5f80db6daf83576cf75fa",
-	"da24bede383666d563eeed37f6319baf20d5c75d1635a6ba5ef4cfa1ac95487e96f8c08af600aab87c986ebad49fc70a58b4890b9c876e091016daf49e1d322e",
-	"f9d1d1b1e87ea7ae753a029750cc1cf3d0157d41805e245c5617bb934e732f0ae3180b78e05bfe76c7c3051e3e3ac78b9b50c05142657e1e03215d6ec7bfd0fc",
-	"11b7bc1668032048aa43343de476395e814bbbc223678db951a1b03a021efac948cfbe215f97fe9a72a2f6bc039e3956bfa417c1a9f10d6d7ba5d3d32ff323e5",
-	"b8d9000e4fc2b066edb91afee8e7eb0f24e3a201db8b6793c0608581e628ed0bcc4e5aa6787992a4bcc44e288093e63ee83abd0bc3ec6d0934a674a4da13838a",
-	"ce325e294f9b6719d6b61278276ae06a2564c03bb0b783fafe785bdf89c7d5acd83e78756d301b445699024eaeb77b54d477336ec2a4f332f2b3f88765ddb0c3",
-	"29acc30e9603ae2fccf90bf97e6cc463ebe28c1b2f9b4b765e70537c25c702a29dcbfbf14c99c54345ba2b51f17b77b5f15db92bbad8fa95c471f5d070a137cc",
-	"3379cbaae562a87b4c0425550ffdd6bfe1203f0d666cc7ea095be407a5dfe61ee91441cd5154b3e53b4f5fb31ad4c7a9ad5c7af4ae679aa51a54003a54ca6b2d",
-	"3095a349d245708c7cf550118703d7302c27b60af5d4e67fc978f8a4e60953c7a04f92fcf41aee64321ccb707a895851552b1e37b00bc5e6b72fa5bcef9e3fff",
-	"07262d738b09321f4dbccec4bb26f48cb0f0ed246ce0b31b9a6e7bc683049f1f3e5545f28ce932dd985c5ab0f43bd6de0770560af329065ed2e49d34624c2cbb",
-	"b6405eca8ee3316c87061cc6ec18dba53e6c250c63ba1f3bae9e55dd3498036af08cd272aa24d713c6020d77ab2f3919af1a32f307420618ab97e73953994fb4",
-	"7ee682f63148ee45f6e5315da81e5c6e557c2c34641fc509c7a5701088c38a74756168e2cd8d351e88fd1a451f360a01f5b2580f9b5a2e8cfc138f3dd59a3ffc",
-	"1d263c179d6b268f6fa016f3a4f29e943891125ed8593c81256059f5a7b44af2dcb2030d175c00e62ecaf7ee96682aa07ab20a611024a28532b1c25b86657902",
-	"106d132cbdb4cd2597812846e2bc1bf732fec5f0a5f65dbb39ec4e6dc64ab2ce6d24630d0f15a805c3540025d84afa98e36703c3dbee713e72dde8465bc1be7e",
-	"0e79968226650667a8d862ea8da4891af56a4e3a8b6d1750e394f0dea76d640d85077bcec2cc86886e506751b4f6a5838f7f0b5fef765d9dc90dcdcbaf079f08",
-	"521156a82ab0c4e566e5844d5e31ad9aaf144bbd5a464fdca34dbd5717e8ff711d3ffebbfa085d67fe996a34f6d3e4e60b1396bf4b1610c263bdbb834d560816",
-	"1aba88befc55bc25efbce02db8b9933e46f57661baeabeb21cc2574d2a518a3cba5dc5a38e49713440b25f9c744e75f6b85c9d8f4681f676160f6105357b8406",
-	"5a9949fcb2c473cda968ac1b5d08566dc2d816d960f57e63b898fa701cf8ebd3f59b124d95bfbbedc5f1cf0e17d5eaed0c02c50b69d8a402cabcca4433b51fd4",
-	"b0cead09807c672af2eb2b0f06dde46cf5370e15a4096b1a7d7cbb36ec31c205fbefca00b7a4162fa89fb4fb3eb78d79770c23f44e7206664ce3cd931c291e5d",
-	"bb6664931ec97044e45b2ae420ae1c551a8874bc937d08e969399c3964ebdba8346cdd5d09caafe4c28ba7ec788191ceca65ddd6f95f18583e040d0f30d0364d",
-	"65bc770a5faa3792369803683e844b0be7ee96f29f6d6a35568006bd5590f9a4ef639b7a8061c7b0424b66b60ac34af3119905f33a9d8c3ae18382ca9b689900",
-	"ea9b4dca333336aaf839a45c6eaa48b8cb4c7ddabffea4f643d6357ea6628a480a5b45f2b052c1b07d1fedca918b6f1139d80f74c24510dcbaa4be70eacc1b06",
-	"e6342fb4a780ad975d0e24bce149989b91d360557e87994f6b457b895575cc02d0c15bad3ce7577f4c63927ff13f3e381ff7e72bdbe745324844a9d27e3f1c01",
-	"3e209c9b33e8e461178ab46b1c64b49a07fb745f1c8bc95fbfb94c6b87c69516651b264ef980937fad41238b91ddc011a5dd777c7efd4494b4b6ecd3a9c22ac0",
-	"fd6a3d5b1875d80486d6e69694a56dbb04a99a4d051f15db2689776ba1c4882e6d462a603b7015dc9f4b7450f05394303b8652cfb404a266962c41bae6e18a94",
-	"951e27517e6bad9e4195fc8671dee3e7e9be69cee1422cb9fecfce0dba875f7b310b93ee3a3d558f941f635f668ff832d2c1d033c5e2f0997e4c66f147344e02",
-	"8eba2f874f1ae84041903c7c4253c82292530fc8509550bfdc34c95c7e2889d5650b0ad8cb988e5c4894cb87fbfbb19612ea93ccc4c5cad17158b9763464b492",
-	"16f712eaa1b7c6354719a8e7dbdfaf55e4063a4d277d947550019b38dfb564830911057d50506136e2394c3b28945cc964967d54e3000c2181626cfb9b73efd2",
-	"c39639e7d5c7fb8cdd0fd3e6a52096039437122f21c78f1679cea9d78a734c56ecbeb28654b4f18e342c331f6f7229ec4b4bc281b2d80a6eb50043f31796c88c",
-	"72d081af99f8a173dcc9a0ac4eb3557405639a29084b54a40172912a2f8a395129d5536f0918e902f9e8fa6000995f4168ddc5f893011be6a0dbc9b8a1a3f5bb",
-	"c11aa81e5efd24d5fc27ee586cfd8847fbb0e27601ccece5ecca0198e3c7765393bb74457c7e7a27eb9170350e1fb53857177506be3e762cc0f14d8c3afe9077",
-	"c28f2150b452e6c0c424bcde6f8d72007f9310fed7f2f87de0dbb64f4479d6c1441ba66f44b2accee61609177ed340128b407ecec7c64bbe50d63d22d8627727",
-	"f63d88122877ec30b8c8b00d22e89000a966426112bd44166e2f525b769ccbe9b286d437a0129130dde1a86c43e04bedb594e671d98283afe64ce331de9828fd",
-	"348b0532880b88a6614a8d7408c3f913357fbb60e995c60205be9139e74998aede7f4581e42f6b52698f7fa1219708c14498067fd1e09502de83a77dd281150c",
-	"5133dc8bef725359dff59792d85eaf75b7e1dcd1978b01c35b1b85fcebc63388ad99a17b6346a217dc1a9622ebd122ecf6913c4d31a6b52a695b86af00d741a0",
-	"2753c4c0e98ecad806e88780ec27fccd0f5c1ab547f9e4bf1659d192c23aa2cc971b58b6802580baef8adc3b776ef7086b2545c2987f348ee3719cdef258c403",
-	"b1663573ce4b9d8caefc865012f3e39714b9898a5da6ce17c25a6a47931a9ddb9bbe98adaa553beed436e89578455416c2a52a525cf2862b8d1d49a2531b7391",
-	"64f58bd6bfc856f5e873b2a2956ea0eda0d6db0da39c8c7fc67c9f9feefcff3072cdf9e6ea37f69a44f0c61aa0da3693c2db5b54960c0281a088151db42b11e8",
-	"0764c7be28125d9065c4b98a69d60aede703547c66a12e17e1c618994132f5ef82482c1e3fe3146cc65376cc109f0138ed9a80e49f1f3c7d610d2f2432f20605",
-	"f748784398a2ff03ebeb07e155e66116a839741a336e32da71ec696001f0ad1b25cd48c69cfca7265eca1dd71904a0ce748ac4124f3571076dfa7116a9cf00e9",
-	"3f0dbc0186bceb6b785ba78d2a2a013c910be157bdaffae81bb6663b1a73722f7f1228795f3ecada87cf6ef0078474af73f31eca0cc200ed975b6893f761cb6d",
-	"d4762cd4599876ca75b2b8fe249944dbd27ace741fdab93616cbc6e425460feb51d4e7adcc38180e7fc47c89024a7f56191adb878dfde4ead62223f5a2610efe",
-	"cd36b3d5b4c91b90fcbba79513cfee1907d8645a162afd0cd4cf4192d4a5f4c892183a8eacdb2b6b6a9d9aa8c11ac1b261b380dbee24ca468f1bfd043c58eefe",
-	"98593452281661a53c48a9d8cd790826c1a1ce567738053d0bee4a91a3d5bd92eefdbabebe3204f2031ca5f781bda99ef5d8ae56e5b04a9e1ecd21b0eb05d3e1",
-	"771f57dd2775ccdab55921d3e8e30ccf484d61fe1c1b9c2ae819d0fb2a12fab9be70c4a7a138da84e8280435daade5bbe66af0836a154f817fb17f3397e725a3",
-	"c60897c6f828e21f16fbb5f15b323f87b6c8955eabf1d38061f707f608abdd993fac3070633e286cf8339ce295dd352df4b4b40b2f29da1dd50b3a05d079e6bb",
-	"8210cd2c2d3b135c2cf07fa0d1433cd771f325d075c6469d9c7f1ba0943cd4ab09808cabf4acb9ce5bb88b498929b4b847f681ad2c490d042db2aec94214b06b",
-	"1d4edfffd8fd80f7e4107840fa3aa31e32598491e4af7013c197a65b7f36dd3ac4b478456111cd4309d9243510782fa31b7c4c95fa951520d020eb7e5c36e4ef",
-	"af8e6e91fab46ce4873e1a50a8ef448cc29121f7f74deef34a71ef89cc00d9274bc6c2454bbb3230d8b2ec94c62b1dec85f3593bfa30ea6f7a44d7c09465a253",
-	"29fd384ed4906f2d13aa9fe7af905990938bed807f1832454a372ab412eea1f5625a1fcc9ac8343b7c67c5aba6e0b1cc4644654913692c6b39eb9187ceacd3ec",
-	"a268c7885d9874a51c44dffed8ea53e94f78456e0b2ed99ff5a3924760813826d960a15edbedbb5de5226ba4b074e71b05c55b9756bb79e55c02754c2c7b6c8a",
-	"0cf8545488d56a86817cd7ecb10f7116b7ea530a45b6ea497b6c72c997e09e3d0da8698f46bb006fc977c2cd3d1177463ac9057fdd1662c85d0c126443c10473",
-	"b39614268fdd8781515e2cfebf89b4d5402bab10c226e6344e6b9ae000fb0d6c79cb2f3ec80e80eaeb1980d2f8698916bd2e9f747236655116649cd3ca23a837",
-	"74bef092fc6f1e5dba3663a3fb003b2a5ba257496536d99f62b9d73f8f9eb3ce9ff3eec709eb883655ec9eb896b9128f2afc89cf7d1ab58a72f4a3bf034d2b4a",
-	"3a988d38d75611f3ef38b8774980b33e573b6c57bee0469ba5eed9b44f29945e7347967fba2c162e1c3be7f310f2f75ee2381e7bfd6b3f0baea8d95dfb1dafb1",
-	"58aedfce6f67ddc85a28c992f1c0bd0969f041e66f1ee88020a125cbfcfebcd61709c9c4eba192c15e69f020d462486019fa8dea0cd7a42921a19d2fe546d43d",
-	"9347bd291473e6b4e368437b8e561e065f649a6d8ada479ad09b1999a8f26b91cf6120fd3bfe014e83f23acfa4c0ad7b3712b2c3c0733270663112ccd9285cd9",
-	"b32163e7c5dbb5f51fdc11d2eac875efbbcb7e7699090a7e7ff8a8d50795af5d74d9ff98543ef8cdf89ac13d0485278756e0ef00c817745661e1d59fe38e7537",
-	"1085d78307b1c4b008c57a2e7e5b234658a0a82e4ff1e4aaac72b312fda0fe27d233bc5b10e9cc17fdc7697b540c7d95eb215a19a1a0e20e1abfa126efd568c7",
-	"4e5c734c7dde011d83eac2b7347b373594f92d7091b9ca34cb9c6f39bdf5a8d2f134379e16d822f6522170ccf2ddd55c84b9e6c64fc927ac4cf8dfb2a17701f2",
-	"695d83bd990a1117b3d0ce06cc888027d12a054c2677fd82f0d4fbfc93575523e7991a5e35a3752e9b70ce62992e268a877744cdd435f5f130869c9a2074b338",
-	"a6213743568e3b3158b9184301f3690847554c68457cb40fc9a4b8cfd8d4a118c301a07737aeda0f929c68913c5f51c80394f53bff1c3e83b2e40ca97eba9e15",
-	"d444bfa2362a96df213d070e33fa841f51334e4e76866b8139e8af3bb3398be2dfaddcbc56b9146de9f68118dc5829e74b0c28d7711907b121f9161cb92b69a9",
-	"142709d62e28fcccd0af97fad0f8465b971e82201dc51070faa0372aa43e92484be1c1e73ba10906d5d1853db6a4106e0a7bf9800d373d6dee2d46d62ef2a461",
-}
-
-var hashes2X = []string{
-	"64",
-	"f457",
-	"e8c045",
-	"a74c6d0d",
-	"eb02ae482a",
-	"be65b981275e",
-	"8540ccd083a455",
-	"074a02fa58d7c7c0",
-	"da6da05e10db3022b6",
-	"542a5aae2f28f2c3b68c",
-	"ca3af2afc4afe891da78b1",
-	"e0f66b8dcebf4edc85f12c85",
-	"744224d383733b3fa2c53bfcf5",
-	"b09b653e85b72ef5cdf8fcfa95f3",
-	"dd51877f31f1cf7b9f68bbb09064a3",
-	"f5ebf68e7ebed6ad445ffc0c47e82650",
-	"ebdcfe03bcb7e21a9091202c5938c0a1bb",
-	"860fa5a72ff92efafc48a89df1632a4e2809",
-	"0d6d49daa26ae2818041108df3ce0a4db48c8d",
-	"e5d7e1bc5715f5ae991e4043e39533af5d53e47f",
-	"5232028a43b9d4dfa7f37439b49495926481ab8a29",
-	"c118803c922f9ae2397fb676a2ab7603dd9c29c21fe4",
-	"2af924f48b9bd7076bfd68794bba6402e2a7ae048de3ea",
-	"61255ac38231087c79ea1a0fa14538c26be1c851b6f318c0",
-	"f9712b8e42f0532162822f142cb946c40369f2f0e77b6b186e",
-	"76da0b89558df66f9b1e66a61d1e795b178ce77a359087793ff2",
-	"9036fd1eb32061bdecebc4a32aa524b343b8098a16768ee774d93c",
-	"f4ce5a05934e125d159678bea521f585574bcf9572629f155f63efcc",
-	"5e1c0d9fae56393445d3024d6b82692d1339f7b5936f68b062c691d3bf",
-	"538e35f3e11111d7c4bab69f83b30ade4f67addf1f45cdd2ac74bf299509",
-	"17572c4dcbb17faf8785f3bba9f6903895394352eae79b01ebd758377694cc",
-	"29f6bb55de7f8868e053176c878c9fe6c2055c4c5413b51ab0386c277fdbac75",
-	"bad026c8b2bd3d294907f2280a7145253ec2117d76e3800357be6d431b16366e41",
-	"386b7cb6e0fd4b27783125cbe80065af8eb9981fafc3ed18d8120863d972fa7427d9",
-	"06e8e6e26e756fff0b83b226dce974c21f970e44fb5b3e5bbada6e4b12f81cca666f48",
-	"2f9bd300244f5bc093ba6dcdb4a89fa29da22b1de9d2c9762af919b5fedf6998fbda305b",
-	"cf6bdcc46d788074511f9e8f0a4b86704365b2d3f98340b8db53920c385b959a38c8869ae7",
-	"1171e603e5cdeb4cda8fd7890222dd8390ede87b6f3284cac0f0d832d8250c9200715af7913d",
-	"bda7b2ad5d02bd35ffb009bdd72b7d7bc9c28b3a32f32b0ba31d6cbd3ee87c60b7b98c03404621",
-	"2001455324e748503aa08eff2fb2e52ae0170e81a6e9368ada054a36ca340fb779393fb045ac72b3",
-	"45f0761aefafbf87a68f9f1f801148d9bba52616ad5ee8e8ac9207e9846a782f487d5cca8b20355a18",
-	"3a7e05708be62f087f17b41ac9f20e4ef8115c5ab6d08e84d46af8c273fb46d3ce1aabebae5eea14e018",
-	"ea318da9d042ca337ccdfb2bee3e96ecb8f907876c8d143e8e44569178353c2e593e4a82c265931ba1dd79",
-	"e0f7c08f5bd712f87094b04528fadb283d83c9ceb82a3e39ec31c19a42a1a1c3bee5613b5640abe069b0d690",
-	"d35e63fb1f3f52ab8f7c6cd7c8247e9799042e53922fbaea808ab979fa0c096588cfea3009181d2f93002dfc11",
-	"b8b0ab69e3ae55a8699eb481dd665b6a2424c89bc6b7cca02d15fdf1b9854139cab49d34de498b50b2c7e8b910cf",
-	"fb65e3222a2950eae1701d4cdd4736266f65bf2c0d2e77968996eadb60ef74fb786f6234973a2524bdfe32d100aa0e",
-	"f28b4bb3a2e2c4d5c01a23ff134558559a2d3d704b75402983ee4e0f71d273ae056842c4153b18ee5c47e2bfa54313d4",
-	"7bb78794e58a53c3e4b1aeb161e756af051583d14e0a5a3205e094b7c9a8cf62d098fa9ea1db12f330a51ab9852c17f983",
-	"a879a8ebae4d0987789bcc58ec3448e35ba1fa1ee58c668d8295aba4eaeaf2762b053a677e25404f635a53037996974d418a",
-	"695865b353ec701ecc1cb38f3154489eed0d39829fc192bb68db286d20fa0a64235cde5639137819f7e99f86bd89afcef84a0f",
-	"a6ec25f369f71176952fb9b33305dc768589a6070463ee4c35996e1ced4964a865a5c3dc8f0d809eab71366450de702318e4834d",
-	"604749f7bfadb069a036409ffac5ba291fa05be8cba2f141554132f56d9bcb88d1ce12f2004cd3ade1aa66a26e6ef64e327514096d",
-	"daf9fa7dc2464a899533594e7916fc9bc585bd29dd60c930f3bfa78bc47f6c8439448043a45119fc9228c15bce5fd24f46baf9de736b",
-	"943ea5647a8666763084da6a6f15dcf0e8dc24f27fd0d9194805d25180fe3a6d98f4b2b5e0d6a04e9b41869817030f16ae975dd41fc35c",
-	"af4f73cbfc093760dfeb52d57ef45207bbd1a515f5523404e5d95a73c237d97ae65bd195b472de6d514c2c448b12fafc282166da132258e9",
-	"605f4ed72ed7f5046a342fe4cf6808100d4632e610d59f7ebb016e367d0ff0a95cf45b02c727ba71f147e95212f52046804d376c918cadd260",
-	"3750d8ab0a6b13f78e51d321dfd1aa801680e958de45b7b977d05732ee39f856b27cb2bcce8fbf3db6666d35e21244c2881fdcc27fbfea6b1672",
-	"8f1b929e80ab752b58abe9731b7b34eb61369536995abef1c0980d93903c1880da3637d367456895f0cb4769d6de3a979e38ed6f5f6ac4d48e9b32",
-	"d8469b7aa538b36cdc711a591d60dafecca22bd421973a70e2deef72f69d8014a6f0064eabfbebf5383cbb90f452c6e113d2110e4b1092c54a38b857",
-	"7d1f1ad2029f4880e1898af8289c23bc933a40863cc4ab697fead79c58b6b8e25b68cf5324579b0fe879fe7a12e6d03907f0140dfe7b29d33d6109ecf1",
-	"87a77aca6d551642288a0dff66078225ae39d288801607429d6725ca949eed7a6f199dd8a65523b4ee7cfa4187400e96597bfffc3e38ade0ae0ab88536a9",
-	"e101f43179d8e8546e5ce6a96d7556b7e6b9d4a7d00e7aade5579d085d527ce34a9329551ebcaf6ba946949bbe38e30a62ae344c1950b4bde55306b3bac432",
-	"4324561d76c370ef35ac36a4adf8f3773a50d86504bd284f71f7ce9e2bc4c1f1d34a7fb2d67561d101955d448b67577eb30dfee96a95c7f921ef53e20be8bc44",
-	"78f0ed6e220b3da3cc9381563b2f72c8dc830cb0f39a48c6ae479a6a78dcfa94002631dec467e9e9b47cc8f0887eb680e340aec3ec009d4a33d241533c76c8ca8c",
-	"9f6589c31a472e0a736f4eb22b6c70a9d332cc15304ccb66a6b97cd051b6ed82f8990e1d9bee2e4bb1c3c45e550ae0e7b96e93ae23f2fb8f63b309131e72b36cba6a",
-	"c138077ee4ed3d7ffa85ba851dfdf6e9843fc1dc00889d117237bfaad9aa757192f73556b959f98e6d24886ce48869f2a01a48c371785f12b6484eb2078f08c22066e1",
-	"f83e7c9e0954a500576ea1fc90a3db2cbd7994eaef647dab5b34e88ab9dc0b47addbc807b21c8e6dd3d0bd357f008471d4f3e0abb18450e1d4919e03a34545b9643f870e",
-	"3277a11f2628544fc66f50428f1ad56bcba6ee36ba2ca6ecdf7e255effc0c30235c039d13e01f04cf1efe95b5c2033ab72adda30994b62f2851d17c9920eadca9a251752dc",
-	"c2a834281a06fe7b730d3a03f90761daf02714c066e33fc07e1f59ac801ec2f4433486b5a2da8faa51a0cf3c34e29b2960cd0013378938dbd47c3a3d12d70db01d7d06c3e91e",
-	"47680182924a51cabe142a6175c9253e8ba7ea579ece8d9bcb78b1e9ca00db844fa08abcf41702bd758ee2c608d9612fed50e85854469cb4ef3038acf1e35b6ba4390561d8ae82",
-	"cec45830cd71869e83b109a99a3cd7d935f83a95de7c582f3adbd34e4938fa2f3f922f52f14f169c38cc6618d3f306a8a4d607b345b8a9c48017136fbf825aecf7b620e85f837fae",
-	"46fb53c70ab105079d5d78dc60eaa30d938f26e4d0b9df122e21ec85deda94744c1daf8038b8a6652d1ff3e7e15376f5abd30e564784a999f665078340d66b0e939e0c2ef03f9c08bb",
-	"7b0dcb52791a170cc52f2e8b95d8956f325c3751d3ef3b2b83b41d82d4496b46228a750d02b71a96012e56b0720949ca77dc68be9b1ef1ad6d6a5ceb86bf565cb972279039e209dddcdc",
-	"7153fd43e6b05f5e1a4401e0fef954a737ed142ec2f60bc4daeef9ce73ea1b40a0fcaf1a1e03a3513f930dd5335723632f59f7297fe3a98b68e125eadf478eb045ed9fc4ee566d13f537f5",
-	"c7f569c79c801dab50e9d9ca6542f25774b3841e49c83efe0b89109f569509ce7887bc0d2b57b50320eb81fab9017f16c4c870e59edb6c26620d93748500231d70a36f48a7c60747ca2d5986",
-	"0a81e0c547648595adca65623ce783411aac7f7d30c3ad269efafab288e7186f6895261972f5137877669c550f34f5128850ebb50e1884814ea1055ee29a866afd04b2087abed02d9592573428",
-	"6a7b6769e1f1c95314b0c7fe77013567891bd23416374f23e4f43e27bc4c55cfada13b53b1581948e07fb96a50676baa2756db0988077b0f27d36ac088e0ff0fe72eda1e8eb4b8facff3218d9af0",
-	"a399474595cb1ccab6107f18e80f03b1707745c7bf769fc9f260094dc9f8bc6fe09271cb0b131ebb2acd073de4a6521c8368e664278be86be216d1622393f23435fae4fbc6a2e7c961282a777c2d75",
-	"4f0fc590b2755a515ae6b46e9628092369d9c8e589e3239320639aa8f7aa44f8111c7c4b3fdbe6e55e036fbf5ebc9c0aa87a4e66851c11e86f6cbf0bd9eb1c98a378c7a7d3af900f55ee108b59bc9e5c",
-	"ed96a046f08dd675107331d267379c6fce3c352a9f8d7b243008a74cb4e9410836afaabe871dab6038ca94ce5f6d41fa922ce08aba58169f94cfc86d9f688f396abd24c11a6a9b0830572105a477c33e92",
-	"379955f539abf0eb2972ee99ed9546c4bbee363403991833005dc27904c271ef22a799bc32cb39f08d2e4ba6717d55153feb692d7c5efae70890bf29d96df02333c7b05ccc314e4835b018fec9141a82c745",
-	"e16cc8d41b96547ede0d0cf4d908c5fa393399daa4a9696e76a4c1f6a2a9fef70f17fb53551a8145ed88f18db8fe780a079d94732437023f7c1d1849ef69ad536a76204239e8ba5d97e507c36c7d042f87fe0e",
-	"a81de50750ece3f84536728f227208bf01ec5b7721579d007de72c88ee20663318332efe5bc7c09ad1fa8342be51f0609046ccf760a7957a7d8dc88941adb93666a4521ebe76618e5ddc2dd3261493d400b50073",
-	"b72c5fb7c7f60d243928fa41a2d711157b96aef290185c64b4de3dcfa3d644da67a8f37c2ac55caad79ec695a473e8b481f658c497edb8a191526592b11a412282d2a4010c90ef4647bd6ce745ebc9244a71d4876b",
-	"9550703877079c90e200e830f277b605624954c549e729c359ee01ee2b07741ecc4255cb37f96682dafcdbaade1063e2c5ccbd1918fb669926a67744101fb6de3ac016be4c74165a1e5a696b704ba2ebf4a953d44b95",
-	"a17eb44d4de502dc04a80d5a5e9507d17f27c96467f24c79b06bc98a4c410741d4ac2db98ec02c2a976d788531f1a4451b6c6204cef6dae1b6ebbcd0bde23e6fffb02754043c8fd3c783d90a670b16879ce68b5554fe1c",
-	"41d3ea1eaba5be4a206732dbb5b70b79b66a6e5908795ad4fb7cf9e67efb13f06fef8f90acb080ce082aadec6a1b543af759ab63fa6f1d3941186482b0c2b312f1151ea8386253a13ed3708093279b8eb04185636488b226",
-	"5e7cdd8373dc42a243c96013cd29df9283b5f28bb50453a903c85e2ce57f35861bf93f03029072b70dac0804e7d51fd0c578c8d9fa619f1e9ce3d8044f65d55634dba611280c1d5cfb59c836a595c803124f696b07ddfac718",
-	"26a14c4aa168907cb5de0d12a82e1373a128fb21f2ed11feba108b1bebce934ad63ed89f4ed7ea5e0bc8846e4fc10142f82de0bebd39d68f7874f615c3a9c896bab34190e85df05aaa316e14820b5e478d838fa89dfc94a7fc1e",
-	"0211dfc3c35881adc170e4ba6daab1b702dff88933db9a6829a76b8f4a7c2a6d658117132a974f0a0b3a38ceea1efc2488da21905345909e1d859921dc2b5054f09bce8eeb91fa2fc6d048ce00b9cd655e6aafbdaa3a2f19270a16",
-	"ddf015b01b68c4f5f72c3145d54049867d99ee6bef24282abf0eecdb506e295bacf8f23ffa65a4cd891f76a046b9dd82cae43a8d01e18a8dff3b50aeb92672be69d7c087ec1fa2d3b2a39196ea5b49b7baede37a586fea71aded587f",
-	"6ee721f71ca4dd5c9ce7873c5c04c6ce76a2c824b984251c15535afc96adc9a4d48ca314bfeb6b8ee65092f14cf2a7ca9614e1dcf24c2a7f0f0c11207d3d8aed4af92873b56e8b9ba2fbd659c3f4ca90fa24f113f74a37181bf0fdf758",
-	"689bd150e65ac123612524f720f54def78c095eaab8a87b8bcc72b443408e3227f5c8e2bd5af9bcac684d497bc3e41b7a022c28fb5458b95e8dfa2e8caccde0492936ff1902476bb7b4ef2125b19aca2cd3384d922d9f36dddbcd96ae0d6",
-	"3a3c0ef066fa4390ec76ad6be1dc9c31ddf45fef43fbfa1f49b439caa2eb9f3042253a9853e96a9cf86b4f873785a5d2c5d3b05f6501bc876e09031188e05f48937bf3c9b667d14800db62437590b84ce96aa70bb5141ee2ea41b55a6fd944",
-	"741ce384e5e0edaebb136701ce38b3d33215415197758ae81235307a4115777d4dab23891db530c6d28f63a957428391421f742789a0e04c99c828373d9903b64dd57f26b3a38b67df829ae243feef731ead0abfca049924667fdec49d40f665",
-	"a513f450d66cd5a48a115aee862c65b26e836f35a5eb6894a80519e2cd96cc4cad8ed7eb922b4fc9bbc55c973089d627b1da9c3a95f6c019ef1d47143cc545b15e4244424be28199c51a5efc7234dcd94e72d229897c392af85f523c2633427825",
-	"71f1554d2d49bb7bd9e62e71fa049fb54a2c097032f61ebda669b3e1d4593962e47fc62a0ab5d85706aebd6a2f9a192c88aa1ee2f6a46710cf4af6d3c25b7e68ad5c3db23ac009c8f13625ff85dc8e50a9a1b2682d3329330b973ec8cbb7bb73b2bd",
-	"167cc1067bc08a8d2c1a0c10041ebe1fc327b37043f6bd8f1c63569e9d36ded58519e66b162f34b6d8f1107ef1e3de199d97b36b44141a1fc4f49b883f40507ff11f909a017869dc8a2357fc7336ae68703d25f75710b0ff5f9765321c0fa53a51675c",
-	"cb859b35dc70e264efaad2a809fea1e71cd4a3f924be3b5a13f8687a1166b538c40b2ad51d5c3e47b0de482497382673140f547068ff0b3b0fb7501209e1bf36082509ae85f60bb98fd02ac50d883a1a8daa704952d83c1f6da60c9624bc7c99912930bf",
-	"afb1f0c6b7125b04fa2578dd40f60cb411b35ebc7026c702e25b3f0ae3d4695d44cfdf37cb755691dd9c365edadf21ee44245620e6a24d4c2497135b37cd7ac67e3bd0aaee9f63f107746f9b88859ea902bc7d6895406aa2161f480cad56327d0a5bba2836",
-	"13e9c0522587460d90c7cb354604de8f1bf850e75b4b176bda92862d35ec810861f7d5e7ff6ba9302f2c2c8642ff8b7776a2f53665790f570fcef3cac069a90d50db42227331c4affb33d6c040d75b9aeafc9086eb83ced38bb02c759e95ba08c92b17031288",
-	"0549812d62d3ed497307673a4806a21060987a4dbbf43d352b9b170a29240954cf04bc3e1e250476e6800b79e843a8bd8253b7d743de01ab336e978d4bea384eaff700ce020691647411b10a60acacb6f8837fb08ad666b8dcc9eaa87ccb42aef6914a3f3bc30a",
-	"3a263efbe1f2d463f20526e1d0fd735035fd3f808925f058b32c4d8788aeeab9b8ce233b3c34894731cd73361f465bd350395aebcabd2fb63010298ca025d849c1fa3cd573309b74d7f824bbfe383f09db24bcc565f636b877333206a6ad70815c3bef5574c5fc1c",
-	"3c6a7d8a84ef7e3eaa812fc1eb8e85105467230d2c9e4562edbfd808f4d1ac15d16b786cc6a02959c2bc17149c2ce74c6f85ee5ef22a8a96b9be1f197cffd214c1ab02a06a9227f37cd432579f8c28ff2b5ac91cca8ffe6240932739d56788c354e92c591e1dd76499",
-	"b571859294b02af17541a0b5e899a5f67d6f5e36d38255bc417486e69240db56b09cf2607fbf4f95d085a779358a8a8b41f36503438c1860c8f361ce0f2783a08b21bd7232b50ca6d35428335272a5c05b436b2631d8d5c84d60e8040083768ce56a250727fb0579dd5c",
-	"98ee1b7269d2a0dd490ca38d447279870ea55326571a1b430adbb2cf65c492131136f504145df3ab113a13abfb72c33663266b8bc9c458db4bf5d7ef03e1d3b8a99d5de0c024be8fabc8dc4f5dac82a0342d8ed65c329e7018d6997e69e29a01350516c86beaf153da65ac",
-	"41c5c95f088df320d35269e5bf86d10248f17aec6776f0fe653f1c356aae409788c938befeb67c86d1c8870e8099ca0ce61a80fbb5a6654c44529368f70fc9b9c2f912f5092047d0ffc339577d24142300e34948e086f62e23ecaca410d24f8a36b5c8c5a80e0926bc8aa16a",
-	"9f93c41f533b2a82a4df893c78faaaa793c1506974ba2a604cd33101713ca4adfd30819ffd8403402b8d40aff78106f3357f3e2c24312c0d3603a17184d7b999fc9908d14d50192aebabd90d05073da7af4be37dd3d81c90acc80e8333df546f17ab6874f1ec204392d1c0571e",
-	"3da5207245ac270a915fc91cdb314e5a2577c4f8e269c4e701f0d7493ba716de79935918b917a2bd5db98050dbd1eb3894b65fac5abf13e075abebc011e651c03cafb6127147771a5c8418223e1548137a89206635c26ca9c235ccc108dc25cf846e4732444bd0c2782b197b262b",
-	"96011af3965bb941dc8f749932ea484eccb9ba94e34b39f24c1e80410f96ce1d4f6e0aa5be606def4f54301e930493d4b55d484d93ab9dd4dc2c9cfb79345363af31ad42f4bd1aa6c77b8afc9f0d551bef7570b13b927afe3e7ac4de7603a0876d5edb1ad9be05e9ee8b53941e8f59",
-	"51dbbf2a7ca224e524e3454fe82ddc901fafd2120fa8603bc343f129484e9600f688586e040566de0351d1693829045232d04ff31aa6b80125c763faab2a9b233313d931903dcfaba490538b06e4688a35886dc24cdd32a13875e6acf45454a8eb8a315ab95e608ad8b6a49aef0e299a",
-	"5a6a422529e22104681e8b18d64bc0463a45df19ae2633751c7aae412c250f8fb2cd5e1270d3d0cf009c8aa69688ccd4e2b6536f5747a5bc479b20c135bf4e89d33a26118705a614c6be7ecfe766932471ad4ba01c4f045b1abb5070f90ec78439a27a1788db9327d1c32f939e5fb1d5ba",
-	"5d26c983642093cb12ff0afabd87b7c56e211d01844ad6da3f623b9f20a0c968034299f2a65e6673530c5980a532beb831c7d0697d12760445986681076dfb6fae5f3a4d8f17a0db5008ce8619f566d2cfe4cf2a6d6f9c3664e3a48564a351c0b3c945c5ee24587521e4112c57e318be1b6a",
-	"52641dbc6e36be4d905d8d60311e303e8e859cc47901ce30d6f67f152343e3c4030e3a33463793c19effd81fb7c4d631a9479a7505a983a052b1e948ce093b30efa595fab3a00f4cef9a2f664ceeb07ec61719212d58966bca9f00a7d7a8cb4024cf6476bab7fbccee5fd4e7c3f5e2b2975aa2",
-	"a34ce135b37bf3db1c4aaa4878b4499bd2ee17b85578fcaf605d41e1826b45fdaa1b083d8235dc642787f11469a5493e36806504fe2a2063905e821475e2d5ee217057950370492f5024995e77b82aa51b4f5bd8ea24dc71e0a8a640b0592c0d80c24a726169cf0a10b40944747113d03b52708c",
-	"46b3cdf4946e15a5334fc3244d6680f5fc132afa67bf43bfade23d0c9e0ec64e7dab76faaeca1870c05f96b7d019411d8b0873d9fed04fa5057c039d5949a4d592827f619471359d6171691cfa8a5d7cb07ef2804f6ccad4821c56d4988bea7765f660f09ef87405f0a80bcf8559efa111f2a0b419",
-	"8b9fc21691477f11252fca050b121c5334eb4280aa11659e267297de1fec2b2294c7ccee9b59a149b9930b08bd320d3943130930a7d931b71d2f10234f4480c67f1de883d9894ada5ed5071660e221d78ae402f1f05af47761e13fec979f2671e3c63fb0ae7aa1327cf9b8313adab90794a52686bbc4",
-	"cd6598924ce847de7ff45b20ac940aa6292a8a99b56a74eddc24f2cfb45797188614a21d4e8867e23ff75afd7cd324248d58fcf1ddc73fbd115dfa8c09e62022fab540a59f87c989c12a86ded05130939f00cd2f3b512963dfe0289f0e54acad881c1027d2a0292138fdee902d67d9669c0ca1034a9456",
-	"594e1cd7337248704e691854af0fdb021067ddf7832b049ba7b684438c32b029eded2df2c89a6ff5f2f2c311522ae2dc6db5a815afc60637b15ec24ef9541f1550409db2a006da3affffe548a1eaee7bd114e9b805d0756c8e90c4dc33cb05226bc2b393b18d953f8730d4c7ae693159cdba758ad28964e2",
-	"1f0d292453f04406ada8be4c161b82e3cdd69099a8637659e0ee40b8f6da46005cfc6085db9804852decfbe9f7b4dda019a7112612895a144ed430a960c8b2f5458d3d56b7f427cee6358915aee7146278aed2a0296cdd929e4d21ef95a3adf8b7a6beba673cdccdbdcfb2474711732d972ad054b2dc64f38d",
-	"b65a72d4e1f9f9f75911cc46ad0806b9b18c87d105332a3fe183f45f063a746c892dc6c4b9181b1485b3e3a2cc3b453eba2d4c39d6905a774ed3fb755468beb190925ecd8e57ecb0d985125741650c6b6a1b2a3a50e93e3892c21d47ed5884eed83aa94e1602288f2f49fe286624de9d01fcb54433a0dc4ad70b",
-	"705ce0ffa469250782aff725248fc88fe98eb76659e8407edc1c4842c9867d61fe64fb86f74e980598b92bc213d06f337bd5654fc28643c7ba769a4c31563427543c00808b627a19c90d86c322f33566ce020121cc322229c3337943d46f68ef939d613dcef0077269f88151d6398b6b009abb763410b154ad76a3",
-	"7fa881ce87498440ab6af13854f0d851a7e0404de33896999a9b3292a5d2f5b3ad033530c558168fe5d2fdb9b89a2354c46cf32a0e612afc6c6485d789511bfef26800c74bf1a4cfbe30bda310d5f6029c3dccdedb6149e4971274e276dccfabd63bc4b9955e8303feb57f8a688db55ecb4b33d1f9fe1b3a8ba7ac32",
-	"23a98f71c01c0408ae16843dc03be7db0aeaf055f951709d4e0dfdf64fffbffaf900ee592ee10929648e56f6c1e9f5be5793f7df66453eb56502c7c56c0f0c88da77abc8fa371e434104627ef7c663c49f40998dbad63fa6c7aa4fac17ae138d8bbe081f9bd168cd33c1fbc92fa35ed687679f48a64b87db1fe5bae675",
-	"7b8970b6a33237e5a7bcb39272703edb92285c55842b30b9a48834b1b507cc02a6764739f2f7ee6ae02a7b715a1c455e59e8c77a1ae98abb10161853f1234d20da99016588cd8602d6b7ec7e177d4011edfa61e6b3766a3c6f8d6e9eac893c568903eb6e6aba9c4725774f6b4343b7acaa6c031593a36eef6c72806ff309",
-	"f7f4d328ba108b7b1de4443e889a985ed52f485f3ca4e0c246aa5526590cbed344e9f4fe53e4eea0e761c82324649206ca8c2b45152157d4115e68c818644b03b65bb47ad79f94d37cb03c1d953b74c2b8adfa0e1c418bda9c518ddcd7050e0f149044740a2b16479413b63fc13c36144f80c73687513dca761ba8642a8ae0",
-	"2d7dc80c19a1d12d5fe3963569547a5d1d3e821e6f06c5d5e2c09401f946c9f7e13cd019f2f9a878b62dd850453b6294b99ccaa068e542993524b0f63832d48e865be31e8ec1ee103c718340c904b32efb69170b67f038d50a3252794b1b4076c0620621ab3d91215d55ffea99f23d54e161a90d8d4902fda5931d9f6a27146a",
-	"77dff4c7ad30c954338c4b23639dae4b275086cbe654d401a2343528065e4c9f1f2eca22aa025d49ca823e76fdbb35df78b1e5075ff2c82b680bca385c6d57f7ea7d1030bb392527b25dd73e9eeff97bea397cf3b9dda0c817a9c870ed12c006cc054968c64000e0da874e9b7d7d621b0679866912243ea096c7b38a1344e98f74",
-	"83bed0d556798f2b419f7056e6d3ffada06e939b95a688d0ec8c6ac5ea45ab73a4cf01043e0a170766e21395f27ab4b78c435f5f0dfe6e93ab80df38610e41158429ddf20296f53a06a017723359fe22dc08b5da33f0800a4fe50118e8d7eab2f83a85cd764bf8a166903bd0e9dcfeeceba44ff4ca4439846458d31ea2bb564645d1",
-	"ea12cf5a113543e39504123036f15a5bafa9c555562469f99cd29996a4dfaaab2a34b00557ccf15f37fc0cc1b3be427e725f2cd952e50af7970dda9200cd5ce252b1f29c40067fea3027ed686190803b59d834179d1b8f5b55abe55ad174b2a1188f7753ec0ae2fc01316e7d498b68ee3598a0e9baaaa664a60f7fb4f90edbed494ad7",
-	"55266358332d8d9e68bd13432088beadf95833aab67a0eb3b10650414255f299e2670c3e1a5b2976159a46c72a7ce57d59b7be14c15798e09ed50fa312a431b0264d7a1396aa6168bde897e208ece53d2cfc83786113b1e6eac5e9bb98984abb6c8d64eebb991903254abc650c999bb9958a5d7937434b869bc940e21b9dc1cc8982f2ba",
-	"4d6104ded730aefe02873f4c741232c8234a6d66d85393aff57fbf56ba6347666988dfc4d58f3cc895a0da598822edeee4533d24ec0ee292fd5e1ad04898ffbc1ff4bef14dec220babcb0f28fffe32a6e2c28aaaac16442bf4feb02917d18bb3a415d84fa9358d5a9852688d846c92271911f934181c30f82434d915f93f155a1ffbf0b125",
-	"eb5f579a4c476af554aac11e5719d378549497e613b35a929d6f36bb8831d7a466aa76de9be24ebb55543f1c13924f64cfd648a5b3fa90387315c16174dbf1e9a183c196d9bb8f84af65f1f8212429aadc11ef2426d07d4716062b85c8d5d2dff8e21b9e62b7fa7dbd57d72633054b464fb28583a56ca13ccc5ddc74dae942492f31731e7046",
-	"ebddec3dcaf18063e45a76ebeac39af85a1adc2818881ccce48c106288f5988365cca2b4b1d7f037322da46840f42bebdcbc7193838d426e101087d8cea03aaff743d573eb4f4e9a71a2c884390769a6503874125d194bee8d46a3a0d5e4fcf28ff8465887d8e9df771d70157e75df3642b331d2778ceb32ceba868640171ab7a5d22eede1ee44",
-	"26d87ec70b57691e3bb359633d3ddba17f029d62cdfe977f5fd42274d79b444a32494d1c01e9f72d03cce78c806df96e93ea78da3a054209924ed765edc4d570f66168dc25ee3114e4017e387440349c8f0a94804761c3055f88e4fda2a49b860b1486a9609095f6250f268b6a4d1aecc03a505632ebf0b9dc22d0755a736faf7ad7000858b5864b",
-	"3880f5cc2d08fa70ef44b1f263fcf534d062a298c1bd5ee2eee8c3265806c4ce50b004f3a1fc1fa5b024aaac7f528c023c8181f67c6e1c357425dc4d573bd46b93a542afa3a19bdb140a2ce666e1a01f5c4d2dcd681fa9f5839b797813c394738d5ee4971386c12c7c117d17c7bec324b760aa30cda9ab2aa850284ba6fa97946f710f02449d1883c6",
-	"3317d2f452105dd3f4a96f9257af8285a80be58066b50f6f54bd633749b49f6ab9d57d45652d2ae852a2f6940cd5ec3159dd7f333358b12f502325df38843508faf7e246352d201280babd90b14fbf7722641c3601d0e458474439973c611bb5502fd0eb3078f87124ca7e1a016fcb6cfeff65f6a565985aca7122cfa8c5a11da0cb47797c5132333179",
-	"f2c5c955d0224e784a46b9125f8fef8a5e1271e145eb08bbbd07ca8e1cfc848cef14fa3b36221ac62006403dbb7f7d77958ccc54a8566c837858b809f3e310ace8ca682515bc655d2a397cab238a663b464d511f02dc5d033dad4cb5e0e519e94a54b62a3896e460ec70e5716b5921bf8396aa86a60123e6287e34570bb01bdc602e113670bf498af2ff10",
-	"180e275205691a83630cf4b0c7b80e6df8fad6ef1c23ba8013d2f09aef7abade1827f23af230de90676240b4b3b0673f8afdea0327330055041741f65560d90348de696d34ca80dfe8afae582fe4879d4594b80e9408fb53e800e01ca58552b905c365e7f1416e51c080f517d6bbd30e64ae1535d59decdc76c6624d737868f49f2f719da39ba1344d59eab9",
-	"c517a84e4631a7f65ace170d1e5c2fdb259841535d88da323e68c0883e6af7b041cfe05908815a5a9d1b14fa712c2c16fadcf1ca54d3aa954d411240df331b2aebdfb65aced84d0b8aace56ec0aa7c13ec7d75ca883b6bcf6db74c9e98463c484a8262684f29910373430651f90ecffe18b072170e61ee58de20e2a6ff67b3ab00fccbb80af943f20b56b98107",
-	"d1a56a5ee990e02b84b5862fde62f69ec07567be2d7ccb769a461c4989d11fdda6c945d942fb8b2da795ed97e43a5b7dbdde7f8fd2ff7154544336d5c50fb7380341e660d4898c7fbc39b2b782f28defac6873523c7c1de8e52c65e4395c686ba483c35a220b0416d46357a063fa4c33fa9c52d5c207a1304ae141c791e62ba6a7374ed922b8dd94079b72b69302",
-	"4720b88d6bfb1ab43958e26827730d852d9ec30173ebd0fe0d273edcece2e788558984cd9306fe5978086a5cb6d37975755d2a3daeb16f99a8a11544b8247a8b7ed5587afc5bea1daf85dcea5703c5905cf56ae7cc76408ccabb8fcc25cacc5ff456db3f62fa559c45b9c71505eb5073df1f10fc4c9060843f0cd68bbb4e8edfb48d0fd81d9c21e53b28a2aae4f7ba",
-	"f4639b511db9e092823d47d2947efacbaae0e5b912dec3b284d2350b9262f3a51796a0cd9f8bc5a65879d6578ec24a060e293100c2e12ad82d5b2a0e9d22965858030e7cdf2ab3562bfa8ac084c6e8237aa22f54b94c4e92d69f22169ced6c85a293f5e16bfc326153bf629cdd6393675c6627cd949cd367eef02e0f54779f4d5210197698e4754a5fe490a3a7521c1c",
-	"3d9e7a860a718565e3670c29079ce80e381969fea91017cfd5952e0d8a4a79bb08e2cd1e26161f30ee03a24891d1bfa8c212861b51618d07429fb48000ff87ef09c6fca526567777e9c076d58a642d5c521b1caa5fb0fb3a4b8982dc14a444732b72b239b8f01fc8ba8ee86b3013b5d3e98a92b2aeaecd4879fca5d5e9e0bd880dbfffa6f96f94f3998812aac6a714f331",
-	"4d9bf551d7fd531e7482e2ec875c0651b0bcc6caa738f7497befd11e67ae0e036c9d7ae4301cc3c7906f0d0e1ed4738753f414f9b3cd9b8a71176e325c4c74ce020680ecbfb146889597f5b40487e93f974cd866817fb9fb24c7c7c16177e6e120bfe349e83aa82ba40e59e917565788658a2b254f25cf99bc65070b3794cea2259eb10e42bb54852cba3110baa773dcd70c",
-	"b91f65ab5bc059bfa5b43b6ebae243b1c46826f3da061338b5af02b2da76bb5ebad2b426de3c3134a633499c7c36a120369727cb48a0c6cbab0acecdda137057159aa117a5d687c4286868f561a272e0c18966b2fec3e55d75abea818ce2d339e26adc005c2658493fe06271ad0cc33fcb25065e6a2a286af45a518aee5e2532f81ec9256f93ff2d0d41c9b9a2efdb1a2af899",
-	"736f6e387acb9acbee026a6080f8a9eb8dbb5d7c54ac7053ce75dd184b2cb7b942e22a3497419ddb3a04cf9e4eb9340a1a6f9474c06ee1dcfc8513979fee1fc4768087617fd424f4d65f54782c787a1d2de6efc81534343e855f20b3f3589027a5436201eee747d45b9b8375e4294d72ab6a52e04dfbb2914db92ee58f134b026527ed52d4f794459e02a43a17b0d51ea69bd7f3",
-	"9242d3eb31d26d923b99d66954cfade94f25a18912e6356810b63b971ae74bb53bc58b3c01424208ea1e0b1499936daea27e63d904f9ed65fdf69de40780a3027b2e89d94bdf214f585472613ce328f628f4f0d56217dfb53db5f7a07f54c8d71db16e27de7cdb8d23988837b49b65c12f1771d979e8b192c9f4a16b8d9fba917bcf74ce5a82aac2075608ba6c2d485fa59864b9de",
-	"5da68704f4b592d41f08aca08f62d85e2e2466e5f3be010315d11d113db674c4b98764a509a2f5aacc7ae72c9deff2bcc42810b47f64d429b35745b9efff0b18c58653461e968aaa3c2c7fc455bc5771a8f10cd184be831040df767201ab8d32cb9a58c89afbebecb524502c9b940c1b838f8361bbcde90d272715017f67609ea39b20fac985332d82daaa023999e3f8bfa5f3758bb8",
-	"71ea2af9c8ac2e5ae44a176662882e01027ca3cdb41ec2c6785606a07d7231cd4a2bded7155c2feef3d44d8fd42afa73265cef826f6e03aa761c5c51d5b1f129ddc27503ff50d9c2d748322df4b13dd5cdc7d46381528ab22b79b0049011e4d2e57fe2735e0d58d8d56e92c75dbeac8c76c4239d7f3f24fb56697593b3e4afa6671d5bbc96c079a1c154fe20212ade67b05d49ceaa7a84",
-	"1d133170582fa4bff59a21953ebbc01bc202d43cd79c083d1f5c02fa15a43a0f519e36acb710bdabac880f04bc003800641c2487930de9c03c0e0deb347fa815efca0a38c6c5de694db698743bc955581f6a945deec4ae988ef7cdf40498b77796ddea3fae0ea844891ab751c7ee20917c5a4af53cd4ebd82170078f41ada2795e6eea17593fa90cbf5290a1095e299fc7f507f360f187cd",
-	"5ec4ac45d48fc15c72471d795066bdf8e99a483d5fdd599511b9cdc408de7c0616491b73924d0266da34a495331a935c4b8884f57d7ad8cce4cbe586875aa52482215ed39d7626cce55d50349c7767981c8bd6890f132a196184247343566fc972b86fe3c5369d6a6519e9f07942f0522b77ad01c751dcf7defe31e471a0ec00963765dd8518144a3b8c3c978ad108056516a25dbe3092e73c",
-	"0d5e74b78290c689f2b3cfea45fc9b6a84c822639cd438a7f05c07c374adced42cdc12d2a9233a4ffe80307efc1ac13cb04300e165f8d90dd01c0ea955e7657332c6e86ad6b43e78ba4c13c675aed83192d8427866fb6484e6a3071b2369a46fba9005f31232da7ffec7952f831aaaddf63e225263531c2cf387f8cc14fa856c8795137142c3a52ffa69b8e30ebc88ce3bbc227597bcc8dddd89",
-	"a0fe36f983259921dc2fa7d89002b3066241d63bfc2448caf7e10522a35562be0bfedc3dce49cfce2e614a04d4c64cfc0ab898873a7fc26928dc1927c009d12f6f9b7a278205d3d0057604f4ac746f8b9287c3bc6b929832bf253b6586192ac43fdd29ba585dbd9059aab9c6ff6000a7867c67fec1457b733f6b620881166b8fed92bc8d84f0426002e7be7fcd6ee0abf3755e2babfe5636ca0b37",
-	"1d29b6d8eca793bb801becf90b7d7de215b17618ec32340da4bac707cdbb58b951d5036ec02e105d83b5960e2a72002d19b7fa8e1128cc7c5049ed1f76b82a59eac6ed09e56eb73d9ade38a6739f0e07155afa6ec0d9f5cf13c4b30f5f9a465b162a9c3ba04b5a0b3363c2a63f13f2a3b57c590ec6aa7f64f4dcf7f1582d0ca157eb3b3e53b20e306b1f24e9bda87397d413f01b453ceffeca1fb1e7",
-	"6a2860c110cd0fc5a19bcaafcd30762ee10242d34739638e716bd89fd537ea4dc630e6f85d1bd88a25ad3892ca554c232c9830bd56980c9f08d378d28f7fa6fa7df4fcbf6ad98b1adfff3ec1f63310e50f920c99a5200b8e64c2c2ca249399a149942261f737d5d72da949e914c024d57c4b639cb89990fed2b38a37e5bcd24d17ca12dfcd36ce04691fd03c32f6ed5de2a2191ed7c826375ba81f78d0",
-	"7132aa291ddc9210c60dbe7eb3c19f9053f2dd74742cf57fdc5df98312adbf4710a73245de4a0c3b24e21ab8b466a77ae29d15500d5142555ef3088cbccbe685ed9119a10755148f0b9f0dbcf02b2b9bcadc8517c88346ea4e78285e9cbab122f824cc18faf53b742a87c008bb6aa47eed8e1c8709b8c2b9adb4cc4f07fb423e5830a8e503ab4f7945a2a02ab0a019b65d4fd71dc364d07bdc6e637990e3",
-	"3e664da330f2c6007bff0d5101d88288aaacd3c07913c09e871cce16e55a39fde1ce4db6b8379977c46cce08983ca686778afe0a77a41baf447854b9aa286c398c2b83c95a127b053101b6799c1638e5efd67273b2618df6ec0b96d8d040e8c1ee01a99b9b5c8fe63fea2f749e6c90d31f6fae4e1469ac09884c4fe1a8539acb313f42c941224a0e79c059e18affc2bcb6724975c436f7bf949ebdd8aef51c",
-	"7a6ea63a271eb49470f5ce77519ed61ae9b2f1be07a96855726bc3df1d0723af3a703fdfc2e739c9d31d25814daf661a23558b50982e66ee37ad880f5c8f11c8130fac8a5d0250583700d5a324894fae6d61993f6bf9327214f8674649f355b23fd634940b2c467973a839e659169c773119919f5b81ee171edb2e5f6940d7551f9e5a70625d9ea88711ad0ed8ab2da720ad358bef954456cb2d5636425717c2",
-	"c5106bbda114168c449172e49590c7eeb827fa4e1a2a7a87a3c1f721a9047d0c0a50fbf244731be1b7eb1a2ef30f5ae846a9f38f0df44f32af61b68dbdcd0226e741dfb6ef81a2503691af5e4b3171f48c59ba4ef91eba344b5b697f261df7bbbb734ca6e6daebaa4a179feb17002823281b8534d55a6531c59305f6e3fd3fa63b747bcf0deb654c392a02fe687a269effb1238f38bcaea6b208b221c45fe7fbe7",
-	"597716a5ebeebc4bf524c15518816f0b5dcda39cc833c3d66b6368ce39f3fd02ceba8d12072bfe6137c68d3acd50c849873150928b320b4fbc31c1456679ea1d0acaeeabf666d1f1bad3e6b9312c5cbdecf9b799d3e30b0316bed5f41245107b693366accc8b2bcef2a6be54209ffabc0bb6f93377abdcd57d1b25a89e046f16d8fd00f99d1c0cd247aafa72234386ae484510c084ee609f08aad32a005a0a5710cb",
-	"0771ffe789f4135704b6970b617bae41666bc9a6939d47bd04282e140d5a861c44cf05e0aa57190f5b02e298f1431265a365d29e3127d6fccd86ec0df600e26bcdda2d8f487d2e4b38fbb20f1667591f9b5730930788f2691b9ee1564829d1ada15fffc53e785e0c5e5dd11705a5a71e390ca66f4a592785be188fefe89b4bd085b2024b22a210cb7f4a71c2ad215f082ec63746c7367c22aedb5601f513d9f1ffc1f3",
-	"be6556c94313739c115895a7bad2b620c0708e24f0390daa55521c31d2c6782acf41156271238885c367a57c72b4fe999c160e804ad58d8e565edbce14a2dd90e443eb80626b3eab9d7ab75d6f8a062d7ca89b7af8eb292c98eaf87ad1dfd0db103d1bb6188bd7e7a63502153cf3ce23d43b60c5782602bac8ad92fb2324f5a79453898c5de18415639ecc5c7974d3077f76fc1df5b956723bb19a624d7ea3ec13ba3d86",
-	"4bc33729f14cd2f1dc2ff459abee8f6860dda1062845e4adab78b53c835d106bdfa35dd9e77219eaef403d4e80488ca6bd1c93dd76ef9d543fbb7c8904dccc5f71509a6214f73d0f4e467c3e038ea639b29e7fc442ee29f57117740576188ada15a739827c647a46b0271817ab235c023c30c90f2115e5c90cd8501e7b286962fc66ffc3fe7e8978746168314908a41998bd83a1eeffda9d714b864f4d490fdeb9c7a6edfa",
-	"ab12faea205b3d3a803cf6cb32b9698c32301a1e7f7c6c23a20174c95e98b7c3cfe93fffb3c970face8f5751312a261741141b948d777b8a2ea286fe69fc8ac84d34116a4674bb09a1a0b6af90a748e511749de4697908f4acb22be08e96ebc58ab1690acf73914286c198a2b57f1dd70ea8a52325d3045b8bdfe9a09792521526b7564a2a5fcd01e291f1f8894017ce7d3e8a5dba15332fb410fcfc8d62195a48a9e7c86fc4",
-	"7d421e59a567af70594757a49809a9c22e07fe14061090b9a041875bb77933deae36c823a9b47044fa0599187c75426b6b5ed94982ab1af7882d9e952eca399ee80a8903c4bc8ebe7a0fb035b6b26a2a013536e57fa9c94b16f8c2753c9dd79fb568f638966b06da81ce87cd77ac0793b7a36c45b8687c995bf4414d28289dbee977e77bf05d931b4feaa359a397ca41be529910077c8d498e0e8fb06e8e660cc6ebf07b77a02f",
-	"0c18ab727725d62fd3a2714b7185c09faca130438eff1675b38beca7f93a6962d7b98cb300ea33067a2035cdd694348784aa2eda2f16c731eca119a050d3b3ce7d5c0fd6c234354a1da98c0642451922f670984d035f8c6f35031d6188bbeb31a95e99e21b26f6eb5e2af3c7f8eea426357b3b5f83e0029f4c4732bca366c9aa625748297f039327c276cd8d9c9bf692a47af098aa50ca97b99961bef8bc2a7a802e0b8cfdb84319",
-	"92d5909d18a8b2b9971cd1627b461e98a74ba377186a6a9df5bd133635250b300abccb2254cacb775df6d99f7c7d0952653c28e6909b9f9a45adce691f7adc1afffcd9b06e49f775364cc2c62825b9c1a86089080e26b57e732aac98d80d009bfe50df01b95205aa07ed8ec5c873da3b92d00d53af825aa64b3c634c5ece40bff152c331222d3453fd92e0ca17cef19ecb96a6eed4961b627aca48b12fecd091754f770d52ba861546",
-	"802f22e4a388e874927fef24c797408254e03910bab5bf372320207f8067f2b1ea543917d4a27df89f5bf936ba12e04302bde23119533d0976beca9e20cc16b4dbf17a2ddc44b66aba76c61ad59d5e90de02a88327ead0a8b75463a1a68e307a6e2e53ecc1986274b9ee80bc9f3140671d5285bc5fb57b281042a8978a1175900c6073fd7bd740122956602c1aa773dd2896674d0a6beab24454b107f7c847acb31a0d332b4dfc5e3f2f",
-	"3844fe65db11c92fb90bf15e2e0cd216b5b5be91604baf3b84a0ca480e41ecfaca3709b32f8c6e8761406a635b88eec91e075c48799a16ca08f295d9766d74475c47f3f2a274eae8a6ee1d191a7f37ee413a4bf42cad52acd5564a651715ae42ac2cddd52f819c692ecdef52ecb763270322cdca7bd5aef71428fa73e844568b96b43c89bf1ed42a0abf209ffad0eeec286c6f141e8af073ba4adfbbdeda253752ae36c9957dfc905b4c49",
-	"329377f7bf3c8d74991a7d61b0cf39baff5d485d79751b0d5ad017d23bec570fb19810105bab79ab5acb102ab972165224d4ec888ec7de5148077fa9c1bb6820e0d91ae4e2591a21fec2f820606ce4bafc1e377f8dc3a5bd1a9e2772a57abccd0b757164d768872c91d02789545ab5b203f688d71dd08522a3fd2f5bcd7df507aebf1ca27ddff0a82afb7aa9c180008f49d1325adf97d047e77238fc75f56356de4e87d8c961575c9f6362c9",
-	"f7f269929b0d71ea8eef7120e55ccba691c582dd534692abef35c0fe9dec7dae973cd9702e5ad420d278fe0e653fdcb22fdcb63148109ec7e94f2d0750b28157dd1764376ae10fdb0a4aef3b304bd82793e0595f941226a2d72abbc929f53134dc495b0d65ced409914f94c2523f3dfbbdeeac84ae247ab5d1b9ea33dce1a808885a55be1f3683b46f4be73d9b62eec2585f690056858dfc427aabf591cd276724885bcd4c00b93bb51fb7484d",
-	"ac022309aa2c4d7fb628255b8b7fb4c3e3ae64b1cb65e0de711a6def1653d95d8088871cb8905fe8ae76423604988a8f77589f3f776dc1e4b30dbe9dd262b2187db02518a132d219bd1a06ebac13132b5164b6c420b37dd2ccee7d69b3b7fa12e54f0a53b853d490a68379ea1fa2d79762830ffb71bf86aab506b51f85c4b6a41b69325c7d0c7aa85b93b7144489d213e8f33dbb879fce22849865337b620b155cb2d2d36a68832889e30194d36d",
-	"d009c2b78a8f02e5e5dbb586ef71fc324b375092e15913ca1a5bfd22d516baadb96867bee3562e77c4a4852344a1a76c30728be5e22400b4cc41711f66754c246a520498d8c24f0205b9c873748dbeb67fe1ad099ad04cf89f4b517f0aa481136d9f6de2d727df01c6aa4099da59d4382b51e25fd47c33d9842c32b62331e50794bfe8b61b3ba9de1b8b704779c6d65edff3af00f121ab4a7ea384edabe47c6d0098a48991f387ca4444135ec59d46",
-	"c00bab36cce69899817d1425016d222d7303197ed3e3fdcac744705e7f178a1ac745968900f69299163e19b3161f3e0a4cc55aa2e4e71e0ee6ac427d1f4d14e063f68d303ddfbb18118335cfa7a6a90d99c38319ee76f7a884846a9e0b68030bf28e78bfbd56359b9368842814da42b04cb0e307d5d846dc22f049147bae31b9a956d17676a8cc348dafa3cabc2007a30e730e3894dddf9999fb8819086311f0703e141613ed6dcd7af8510e2dc435b0",
-	"c9789152a9fc29698d49ed95f09bd11b75f18a8c5615a73dbe54ae5e550027fd0ae6a8b60667040c1b12de3d1ee3f6bf061c78c951a3210effc912e19f482dd4de152063c588c44903bc11761706fd935afa040df085b08144d83d0dde32b46ab52f4fae98ac116c7ff11d7f553450c2e37b9c5f0b1dd9e0b8640a24cba6f2a5246c41f197f46e3dc8a29131c79bef3351c6e277a0a34442274d546ccd058891277473d668420f121750d19cd684267405",
-	"06a15a0731ce52557e368bcbaa11ef3399299e36fb9f2eda6e5726907c1d29c5c6fc581405ba48c7e2e522206a8f128d7c1c939d1132a00bd7d6366aa82724e968964eb2e373563f607dfa649590dcf5589114df69da5547fef8d1604cc4c6de1ed5783c8746918a4dd31168d6bc8784cd0c769206bd803d6ca8557b66748770402b075ef44b38157d4c0da7c6281725a2065d087b1f7b23455fa673bdeeba45b983311c44eabe9ef4b7bde3420ae9881863",
-	"d08aacef2d7a41aec09473bd8a44f628e15addb7b9e5b77a1e09c8ab4942f379a0bfcb324d580b774666f18ae78dd36710824ff12393f059068fe4b559c53662c2b0e6c69e23785c8f32554e837ec1714bee902e60737b639dd933af4f68cb9d7de77e1f3b28e5b122891afce62b79acd5b1ab4ba411662cc77d806449e69c5a45a143b742d98ac84a0826d68433b9b700ace6cd472ba2d58a90847f42ce9c43f38ffc017db4bf40450b2eee1f4594dc740c0f",
-	"6a6058b0a498b7ea76a93c646eb9b8629f0cba4a0c726420c5f67ba9b0412cade356abdf0a4fb94384bad32ce0d5dd9e23dcaae1d6f28ff8683616b30f1392890c67b3a2c04b360893b801f127e527e4da82e239f4c878da13f4a4f1c76db07190e77ec123995168102fb274434a2d1e12913b9b5cbab4aacaad2bd89d88b3ca2b8e60dacf7c22c9379097ff60880f552e320ca3b571994f52534470feee2b39e0dadb5cd88257a3e459a4cc6f12f17b8d54e1bb",
-	"adeced01fc5671531cbb45679f5ddd42b3a95151677b6125aaf6f5e8f82fbabaa5ecf7c3552c2458587224f0042870f178f5fca5465250e75d71352e652eeed23cdb7f915f5ebb44099b6db116ca1be45530ac8ed32b7f161d60ed4397ad3d7d649ae6bf75ca5bec891d8e595605be9764f3a03965e1fe0eaffbf212e3df4f0fa35e08ff9d0091e6d4ac4748edfe43b611085a6ffec163014655fdd839fd9e81b63b1fa8cae4ec335ec343289758e389a79ceedfae",
-	"d014592f3a83ba40af366f137c674724916c3cdd3f6cf9d4c5c7c8d6d51ebf26e315e2c12b3546be56fb52382904046ecbd2f5b883aa4ff473de6f0c26ab862c3fa34bf3d880cc1911ce39a4088c6617c179dc5faf68a2c488bbde12d67b50f73abcfab0e3b062e68c95363e11f5f1de8ec36ed01ea21442518089045df67d346135283ad5b3fff80cf57f20876849f6db9fa139728358415a90610f69ec720fc92d8234e3e122551e9df2c644c4a2c4e3734d07de8e",
-	"c0d0c37838873ba8757d6e41b409605043bc1635edcd731219587676d94217e9f0ab44b71de25000661ce7303b7015f45e6eaa7b7ebef92b8f4a34c902c908d2172185505fa33aca5a41be83079316cdfdd430fc2c45f505f85d867e6d516f7e1bf19c001d9f43018968aab65ec031b3801399231c83ec9e622dab5629922a6b424cab938c135ff7310501c2c02971bfd2f577e25904d1a618baf0859f77f4e8b1d0cde9544e95ec52ff710c0672fdb3d891feeea2b017",
-	"7022e7f00902219ba97baa0e940e8ac7727f58955aa068c29680fac4a16bcd812c03eeb5adbcfe867a7f7c6b5d89f4641adb9173b76a1a8438866f9b4f640ce2aedf5f1080c890bcf515b4be4e3e512352f1e5323c62ec46cb73f3d71be8235fee55a154763f7c3f9aeb61ffd28f4cd93d3310f608e2133586bf1ab3f102de96f64c68a4668de8acb2a76a7ce0cddddc8fa3df5e9d230823da16ed9ebb402d36e38e6e018795e5a71517ecab5f9ca472b9ced8ff69d2d195",
-	"acaf4baf3681ab865ab9abfae41697141ead9d5e98523c2e0e1eeb6373dd15405242a3393611e19b693cabaa4e45ac866cc66663a6e898dc73095a4132d43fb78ff7166724f06562fc6c546c78f2d5087467fcfb780478ec871ac38d9516c2f62bdb66c00218747e959b24f1f1795fafe39ee4109a1f84e3f82e96436a3f8e2c74ef1a665b0daaa459c7a80757b52c905e2fb4e30c4a3f882e87bce35d70e2925a1671205c28c89886a49e045e31434abaab4a7aed077ff22c",
-	"84cb6ec8a2da4f6c3b15edf77f9af9e44e13d67acc17b24bd4c7a33980f37050c0301ba3aa15ad92efe842cd3ebd3636cf945bb1f199fe0682037b9dacf86f162dadabfa625239c37f8b8db9901df0e618ff56fa62a57499f7ba83baebc085eaf3dda850835520344a67e09419368d81012168e5de5ea45158397af9a5c6a1657b26f319b66f816cd2c28996547d697e8df2bb163ccb9dda4d6691dffd102a13667ab9cde60ffbfb872187d9c425a7f67c1d9fffff9276ed0aeb",
-	"6a52c9bbbba454c14540b2be58230d78ecbeb391646a0c6fcce2f789086a78364b81ae85d5396d7cfa8b46bda41e3083ec5cf7b4c47dc601c8a697df52f557defca248506dbebab25657f5a561d09625b7f4b2f0119a12beeac087efc9d350a735c35d2431c1da7dda99befb17f41a3dc4da0f00bb95366be128538ce27763d81f832fe3c1d4efc07b5b08ad8dc9e65fb5e48546664e18cb2d3bb3fe1f56fa7aae718c5e3bbdeaf70e15023f6a25b72a2d177fcfd04211d40664fe",
-	"c3c4d3b31f1f5f9538923df3478c84fffaef411520a542da9a220ee4132eabb9d718b5076fb2f985485e8ba058330aed27ddfd3afa3db34aa60301088caec3d0053828c0c2bc87e2e61db5ea5a29f62fdad9c8b5fc5063ec4ee865e5b2e35fac0c7a835d5f57a1b1079833c25fc38fcb14311c54f8a3bd251bca19342d69e5785f9c2e43cf189d421c76c8e8db925d70fa0fae5ee3a28c4047c23a2b8a167ce53f35ced33bec822b88b06f41558c47d4fed1bfa3e21eb060df4d8ba1",
-	"8d55e92136992ba23856c1aea109766fc44772477efc932b3194af2265e433ed77d63b44d2a1cff2e8680eff120a430fe012f0f09c6201d546e13ad46fc4ce910eab27bb1569879abed2d9c37fae9f1267c2216ec5debcb20d4de58461a621e6ce8946899de81c0add44d35e27b7982a97f2a5e6314901caebe41dbba35f48bc9244ca6dca2bdde7306435892f287036df088633a070c2e385815ab3e2bfc1a47c05a5b9fe0e80dd6e38e4713a70c8f82bd32475eea8400c7bc67f59cf",
-	"5016284e20362610fa05ca9d789cad25f6d43263787e7e085476764ce4a8908ce99b262b375e9d106170b1bec1f473d5e777e0c1896533040e39c8c1465e07907ef5860e14e4d8310013e35f12090e0bfc687474b1f15f3dd2033a0edac5246102da4deec7e188c3517d84d9c2a0a4497a4c5f82a30f1ba009e45ee6eb3ab4368c720ea6feee428ffd2c4cc52debb8d634a64176572c72368f94a66689f23f8a01218f532117af5a8060d140e7ca435a92882fcb5630ebe14a4805f1dc83",
-	"05456ec59b8d41bbd736727976b96b38c43827f9e16169be673ff37870c2ecd5f0d1ea1a136be4cc7b047a02a4421d484fd2a12ece418e42ee391a13a0b1df5a0162b29ab70d3fe3e04ba6ab26b37d62b7cf05a5e2f033611bf970b8e1f30e198e483e740fa9618c1e8677e07b61296b94a9787a68fba622d7653b5568f4a8628025939b0f74389ea8fced6098c065bf2a869fd8e07d705eadb53006be2abb716a3114ceb0236d7e916f037cb954cf977720855d12be76d900ca124a2a66bb",
-	"eb6f60b83fcee77060ff346aaf6ec34d82a8af469947d3b5074cde8eb26566eb1fa039bcc707738df1e95869bd827c246e88436f0614d9834ead5392ef376105c4a9f370071cdeaaff6ca0f18b74c3a48d19a717253c49bd9009ccbfdd5728a08b7d112a2ed8dbafbbb46d7a75dc9a05e09bfde1a0a92d74a51887f9d123d7896e9f9d0057b660ed7d55454c069d3c5260411db4cdc67e7b74f680d7ac4b9dcc2f8baf72e15e6b3cafebcdf449a6436ed2c398b675f79c644747c57553bf7ea2",
-	"187a88e88514f6c4157c1ba40b442baae1ae563a6c989277443b12a219aa484cb9fa8adbb9a29d429f50155321b15664926317477079c7060dfdaa84c1d74bba78892c34e6f21ad35208d2ae622012401696bff5cd57b6485944b3db7b9071fa5f57fbfb1085d91bb9cff5808d662cdc6c8157249478262c44b7fbc397ed42a4977b202e817717bfccc9f0467294062313f7705251ed09573f16d23429361fada259dfb300369c4198f07341b38e84d02cdb74af5de6aab1fc2026208ea7c418c0",
-	"be31bc96606d0fab007e5caeded2f1c9f747c759777e9b6eef962bed49e45a1d4fc993e279d024915e600865ecb087b960584be18c41114d3c43f92169b9e0e1f85a0ebcd4e196376ccdc920e66103cd3b1c58407d0aafd0e003c4e341a1daddb9f4faba974362a32f35db83384b05ae8e3322d728893861afd8b1c940de5a17f691e763ce4969b6d94f67fb4a0235d100225bd8602f291388f0ca4a568748ad0d6040f1262eac2aede6cd27419bb78a394c1ffad72c262be8c3f9d9619d633e51d0",
-	"4d83d85ca838b4518588f2a90228a4dd18f14dd5b4c012d26298a97d848abbd825d221d02cceb6e8c701b4ad00e1dee4889b5c533e4bb60f1f41a4a61ee5478be2c1b1016c30345afd7a5253668260515e70751f22c8b4022d7fe4877d7bbce90b46531507dd3e89549e7fd58ea28f4cb23d33662bd003c1345ba94cc4b06867f778957901a8c441bee0f3b12e16463a51f7e50690356971dd73a686a49fda1eae46c9d54fba262811d698025d0ee053f1c58591c3bb3cbde69de0b31549ef5b69cf10",
-	"cdeb07d36dc5f9a1cd717a9e9cca37a2ce93caa298eee63571f7d6c5fde2a11c666cf53cf2dcb41ca2ea2319e7230ca68e38c647905928713a13982bf47fe33d7095ebd50b2df976208920a43eb2e29b942f32467403c45cea18bf44e0f6aeb155b48a8e5c471fec972a9d62f7ae093d2758f0aaec7ca50cb4725bfa219f1a3a46ad6bde7361f445f86b94d66b8ece080e56c510250693a5d0ea0ae87b4421860b853bcf0381eae4f1bf7c5c0472a93ad18407bc88475ab8560d344a921d3e86a02da397",
-	"a598fad52852c5d51ae3b10528fc1f722e21d44fbd42ae5acdf20e85a28532e646a223d27fd907bfd38eb8bb75175636892f8242877aab89e8c0824d368f3339ce7a82aa4e5af6db1f3b588a4d667a00f67bee37cfd2724dde06d2909fb9e58d892f4cfd2c4ca85acdf8256f5458b030a6bda151154ff2e6d7a8da90b54a2884c8a99fab5a4ac211ff23dc0975f4f592fd1b6b9dc7783bdcd2d4ca4e68d2902f2013e122cb62e2bff6b0a98ec55ba25837e21f1cfe67739b568d43e6413dab2bd1dc471e5a",
-	"17b68c74c9fe4926e8102070916a4e381b9fe25f5973c9bd4b04ce25749fc18931f37a65a356d3f5e5a1ef125d546f4f0ea797c15fb2efea6fbfcc5739c564693d47adeb12dcb3d98a2830719b13247792cb2491dca159a28138c6cff925aca42f4fdb02e73fbd508ec49b25c60703a7595a3e8f44b155b371d525e48e7e5dc84ac7b17c52bf5e526a67e7187234a2f19f57c548c70fc0b27183df73ffa53fa58b658034c896fa791ae9a7fd2620f5e46ce84c842a6e60e9324ae4db224ffc87d9617cb85ca2",
-	"b9e4267ea39e1de1fed0579f93bb351007c9f8fcdd811053fae33f09e2753d7428f04e1a9efcd45ea701a5d87a35b3afb2e6b65365dee6ead0bbb611b7797b212ac688653f542e604a39df277f12514ddfee3b4e27b98395c2cd97a203f1f1153c50327965770802ec2c9783edc428271762b275471e7ac65ac36523df28b0d7e6e6ccc7674268a132a63411fc82c0738dbb68af003b769a0bf9e6587b36476cb465350fee13f88ea355d47ffac7b0f964f4139db11b7642cb8d75fe1bc74d859b6d9e884f75ac",
-	"8ca704fe7208fe5f9c23110c0b3b4eee0ef632cae82bda68d8db2436ad409aa05cf159223586e1e6d8bdae9f316ea786809fbe7fe81ec61c61552d3a83cd6beaf652d1263862664df6aae321d0323440430f400f291c3efbe5d5c690b0cc6b0bf871b3933befb40bc870e2ee1ebb68025a2dcc11b68daadef6be29b5f21e440374301bde1e80dcfade4c9d681480e65ec494a6af48df232c3d51447b9d06be714949249c44c43cf73ed13ef0d533e770284e51369d94ae241a5fb2f163893071b2b4c118aeaf9eae",
-	"4fd8dd01012bb4df82bf42e0683f998e6f52dd9c5617bae33f867d6c0b69798cead8179346d70acc941abbbdd26e3229d5651361d2252c72ff22db2938d06ff6fc29a42fdf800ae967d06479bc7bbb8e71f40b1190a4b7189ffc9a7096cdb76d40aec424e1388e1eb7ef4ac3b34f3f089da8fda7d1927f5d775c0b2801d22dd1265c973158f640cec93edfed06dc80b20ef8c496b98289d54d46ccd205951cbb0f4e7daeb866b60bacb483411e4382b6f04d472843186bd0e31fbaa93e5c901ec028efafeb45fc551a",
-	"e9ee1b22b04b321a5fdd8301627011f583887d77560fb0f35552e207561f81e38ac58a0d0aeaf832d1ee72d913720d01f75574e9a321864fe95f4d0d8f0b8db97649a53e71e940aede5c40b4b9105daa42a6fb2811b61209247534cbaf830b07abe338d75d2f5f4eb1c3cf151e9edabe2c8d5f6fff08fac1495ef48160b100d30dcb0676700bcceb28723a29980ab0766a93abb8cb3d1963007db8458ed99b689d2a7c28c788743c80e8c1239b20982c81dadd0eed6740c65fbc4ef15c7b5569cb9fc997c6550a34b3b2",
-	"ec01e3a60964360f7f23ab0b22e021815765ad706f242265ebc19a2bb9e4eac94393952dcf61aae47682671a10f9165f0b20adf83a6706bfbdcf04c6faba6114653a35584267267873291c6fe7ff5f7695243143421509502c8875aafa9e9afe5be5ef2c851c7f35d69be5d3896000ccdbbfab5c238bb34d607cfe2d55d748880545b4aa7ca61137992925189025c62654b1f20d49c3ccd75aa73ce99cd7258dabedd6480a9f5185531fc0118beb68cc0a9cd182f6973287cf9252e12be5b619f15c25b65c71b7a316ebfd",
-	"db51a2f84704b78414093aa93708ec5e78573595c6e3a16c9e15744fa0f98ec78a1b3ed1e16f9717c01f6cab1bff0d56367ffc516c2e33261074935e0735ccf0d018744b4d28450f9a4db0dcf7ff504d3183aa967f76a507357948da9018fc38f150db53e2df6cea14466f03792f8bc11bdb5266dd6d508cde9e12ff04305c0295de29de19d491ad86e766774bb517e7e65befb1c5e2c267f013e235d8483e177214f89978b4cdc81aa7eff8b39f2825ad3a1b6ac1424e30edd49b067d770f16e74dd7a9c3af2ad74289a676",
-	"00e40f30ae3746edad0f5dd03d0e640933cf3d1694804c1e1ed6399ac36611d405196ee48f129344a8512feda16a354517871322bd5d9c6a1b592933eab531923efb393ffb23d9109cbe1075cebfa5fb917b40df028a621460ff6783c798792cb1d9635b5a6f84ec13918fa302924649b5c7fcb1f7007f0d2f06e9cfd7c27491e565a96c68a0c3644f92cd8f38857258c33801c5d537a83dfe583cba59d7eec7e394199c0a2660a62fabe3ed2099d57f315a6cd8de1a4ade29d977f15d65759cff433e5ac0c182aef3761163e1",
-	"3c5ea24d0d9b618294a263f062b2414a722be4eb10dfc346a6ec3b821d7396eba61cd6ef33618b04cd087a811f299d4606820227f16000d7c839062b96d3e3f59cd1a082448d13fc8f56b3fa7fb5f66d0350aa3b72dd7c165d590282f7da2e12cfe9e60e1796122bb8c2d40fdc2997af634b9c6b127a893dfb3467909378300db3da911be1d7b616bb8e0572433e65527e15d936500a2c60e9f9909dcf22ab5e4b6700f0238c205b4a813626fac3d945bab2637fb08203044a73d20c9a3fcf7c3fc4eb7807c3276dd5f73ce89597",
-	"9271aeeebfac46f4de85df78f1bfd36136aa8905e15835c9e1941176f71e3aa5b1b131843d40479735e23e182a2bd71f66f6149dccb7ed8c16469079dc8590bbf165374951785f4531f7e7361de62f936cfb23a2b5bdf186632e7042a0dd451fdc9b7208f923f3a5f250ae590ec348c63a16c3aacaf7379f53b5dd4152dcd40d23e683e2156e64c592ffc07e2cd6bbeebef4dd590b2f6b2bcbf08fcd111c079f5c4033adb6c17574f8756ecd87be27eff1d7c8e8d0324438d59ae171d5a17128fbcb5533d921bd044a2038a5046b33",
-	"4e3e533d5bcb15793d1b9d0468aaee801f32fdb486b11027183553a09ddbee8213924296f2815dc61577297459e834bf1c7a53f87d43782209e589b8295219ba7073a8fff18ad647fdb474fa39e1faa69911bf83438d5f64fe52f38ce6a991f25812c8f548de7bf2fdea7e9b4782beb4011d3567184c817521a2ba0ebad75b892f7f8e35d68b099827a1b08a84ec5e8125651d6f260295684d0ab1011a9209d2bdeb75128bf5364774d7df91e0746b7b08bda9185035f4f226e7d0a1946fcaa9c607a66b185d8546aac2800e85b74e67",
-	"b5d89fa2d94531093365d1259cc6fe8827fea48e6374c8b9a8c4d2209c280fa5c44958a1847222a692a59e6aa2696e6cdc8a543dd89b0ce03bc293b4e78d6ef48e1839694ccd5c65661143095c705b07e3ced84a0f5959114dd89deb956ab3fac8130eb4a878278205b801ae41a29e34146192308c4e759b374757b0c3b00319bce92a1b95a4d2ee179fd6714ff96155d26f693a5bc973f84ac8b3b91e3926276297532d98b46992a3f104c08100bf1671c43134bac280c617da711e90a0100137525375ebb12802a428885ae7fce6514a",
-	"40e3d8048fc10650cb8a7fc2e7113e26dec34f9ca2d5129cd10a8e8e44d113d61ee48c7d003e19fd307fc6debd70feb30243f298c510ccc4418355ce143066f067ad7c6de7288c3080e7ad46a23c8d34deb55a43e652fe90444ad3c57d3ec1e1c489d63ef915a24bc74a7925a0a7b1e1523f21ca8fee78df24e3d0a68d0013423db97c280799a0618229c0f2c167289a891e5c8d6661ab21285951c31710e3b5fe55f6347fe16d9b40507948a59252efeb616df83e5c098b07d0a7247cd371daff0e50491c582503fd89f79ba94d6af9ed76",
-	"1fa444de01dd3901e2b4684e3d7a799ffa02d85afd35fb30fe4c9d672837bee6dd8a3b8608b4bb5e589220ad5a854f46b46e41c6d57ad124a46beab4169ff69fee7e3838a6165e19dad8eb5d7bf53d4edd3cd2769daf219510a02fdd2afe0c0e1da3cd30fcd1aa88b68965586f07a25a1720fbd90a096ea30fc8e945e3637d7857c8a9c0ab4154ffb2000e57b5f9adfa4e4eaf8065bc3c2b2e75f495963325588785a6ce417dcddffd299873b15dcccca128d63cd4eeeadb64cda28099a9ad7c80d34844901f26b88b00b9aafeb2f90286d29d",
-	"fde0a0d9d813983bd1f55cf778a003a2023b34a555322ab280584537bc6bdd844d22a7d6066c18da83ec09f3d8d5a1aab4be0d5ce19b436052f6e259a4b49017a1f47f1fe2bf115d5bc8599fb216351c60dd6b1bedb2e6f4dcadf424b833501b6f099cbfad9e2290680fb69c25032b42a6274f7cb9b5c5950401354838a45f7cb77b95bf54718e2f3d3d9fb91eb2311903980277396398d9736d8e92fd838594ac8a537c6c529db5a8a4f89290e6ba6f20ac0e5ed6fef40901d0e0e8e3e502990811f9acaae555dd54eb1bcd96b513e2fe751bec",
-	"9f8e0caec87858599f5ab29bff86da78a841a918a023a111098687ecdf2747612d3f3809d9ca400b878bd4f92c43a1004f1c17c7f19a3cd1ce449bd2b23aff551623c37dd8c0be56bf3fd857b500c2b9f9ccea62481944090a3cf3b6ee81d9af8eeb60f65ef150f9fa4d3ed6ce4762d3d4f174ee8ccd460c25cafac0ea5ec8a6a4b2f9e8c0520cb7061155e532cb65f188b01e4b9086db951f504b060c296b326b3fc1c590498ecce594f828f4a10ea416675720ae505295d38a791bd0e93f428448a8f4c1fc0af53604a9e8255384d29ae5c334e2",
-	"33d1e683a4c97ee6bbaa5f9df1a88cb53b7f3c157b6045d70a56fda0ccbd3a1fa1f049cd564da072b53f415bf5fb843771c1d2551fd075d33377362b2f7c0645f9723123d11975991db8a2b518f02e2c7c30342a044754290bae2c77496d755e5981f12e6b0a0174280b958bf11ed628a9062775993ced04bf752ea8d165e3ac2177d7cd1b9371c44efa98f0b3e68602a839d384eec007979f46429dafb138cbc231ad928a9f65f7d66fac77416395e8f1debaaf76ec2e4e03e8674102cd26f614739f3ec9f949033df1fb97e87c2326d65aef94ed5f",
-	"180048f09d0b480887af7fd548a85abf605440c1ddde6afe4c30c30670233f7bf928f43b4681f59279ebbda5e8f8f2a1abefdee129e18ac60f9224e90b38b0aabd01308e0a27f41b6fb2ee07ee176ec9048c5fe33c3f7c791469c81f30e28170585b9f3e7e3c8c2e9d74370cb4518f13bf2dee048cbd98ffa32d85e43bcc64a626b40efb51ce712925fdd6fee006dc68b88004a81549d2121986dd1966084cd654a7c6686b3bae32afbd9625e09344e85cf9611ea08dfce835a2e5b3726e69ae8a76a97db60fcc539944ba4b1e8449e4d9802ae99fae86",
-	"13c0bc2f5eb887cd90eae426143764cf82b3545998c386007cca871890912217aa143ac4ed4ddb5a7495b704aa4de18419b8664b15bc26cfc6596a4d2ae408f98b47a566476d5802d594ba84c2f538def9d016661f6404bb2337a3932a24f6e30073a6c9c274b940c62c727242e24466084a3ea336365d71ea8fa6499c0ea8d59eea505f1126b99c795023c4963aa0d99323d0391e8701110edf551b2d3799e1063ca443f1add162156e445502ca1a052fe70c289838593b58839fc63de128a03e2bbf389e22ae0cf957fd03315ee407b096cc1cfd92dee6",
-	"6f1eb607d679efef065df08987a1174aab41bdac8aece7726dfa65805d6fff5b3d17a672d96b770dc32165f144f0f7324822a5c87563b7cd9e37a742ae83ef245d09006d91576f435a03476f509ea2936636232f66aa7f6cdf1ac187bbd1fcb8e20f8791866e60ed96c73374c12ac16795e999b891c64507d2dbd97e5fc29fac750ad27f2937cbcd29fdafccf27ab22453834d475f6186eaf975a36fad5c8bd61c21da554e1ded46c4c39765dcf5c8f5ccfb49b6a4dc562c919d0c7d8940ec536ab2448ec3c9a9c8b0e8fd4870cad9de2577c7b0c38563f355",
-	"dcdd993c94d3acbc555f464871a32c5da6f13b3d5bbc3e34429705e8ad2e76393fdd96a69a94acb652f5dc3c120d41187e9aa919669f727c4868013b0cb6acc165c1b7706c52248e15c3bf81eb6c147619467945c7c48fa14a73e7c3d5bec91706c567145342a026c9d97eff97ec672c5debb9df1a998083b0b0081d65c517b3e5634c95e347e781aa30ca1c8af815e2e494d844e847fdcb41622894a518dc36571123a40bfdbe8c4f4cff44d83c61dd9dcd24c464c53b395edb31efee9f3aa080e87cdc3d22d613ae84a53c9249c32c96f9a3bc4629bb126a70",
-	"49971f9823e63c3a72574d977953329e813b22a8387cd13f56d8ea77a5d1a8a20012632d1d8732bbcb9f756b9675aab5db927beacab7ca263e5718b8dfa7b2eed9a91bf5ed163b16139d45f7b8cc7e3f7bdda6202106f67dfb23b7c315ee3e17a09d466b1e6b13e7c7428184a979f5358667b4fa8bd40bcc8ea46058db44587a85377ac46bf155136c09ac58cb6c27f28e17028c91e7e8f74d5b500e56293b316974f02b9d9ea205d9b6ac4cfb74eb8eb0c944577fd2f41316368307beab3e327bf7dbaa0a4428836ec4e895dea635234abeaf113ceeadac33c7a3",
-	"c57a9cc958cee983599b04fe694f15fb470fcbc53e4bfcc00a27351b12d5d2434444253ad4184e87b81b738922ffd7ff1dc1e54f39c5518b49fb8fe50d63e3935f99e4bd125e8dc0ba8a17fd62de709339a43fabe15cf86d96a54010112170c340cfac4132182eed7301402bc7c8276089dec38488af145cb6222525894658f03501204b7a66aba0be1b557b28a2f652d66f7313ed825ecc4d8596c1be7420d4425b86a1a90a5b7f30d0f24e0d1aae0eb619ca457a71699e44be612a4011c597ee80b94d5507e429d7fc6af22579cd6ad642723b05ef169fade526fb",
-	"0568a672cd1ecbaa947045b712e2ac27995392fbef8f9488f79803cbee561c212287f080eca95adb5ba42739d78e3ba667f06045d87850d3a0499358649caa257ad29f1a9c511e7054db20554d15cbb55ff854afa45cae475c729cea72ede953522031865bc02b95589ed4d9841c552a8cc94904a93ed09ed77222f6c178195056be59bc4e96a815adf534e6b466fb47e262ff79c803c157a21b6e2269c2e0abeb494113cd868d8466e82d4b2f6a28b73645853d96bc9242515d803e33294848d3fe42fdff68da53c03491636beede47ff1399dd3d54a5e914d55d7adf",
-	"3f19f61a4cd085796731ac9f85a75a8bce77031932c31762d87d8b8d07b8bd19ff78d6b7d1bd1e87f3a4f41aad03b6c4d17a6cbc86be55f7c8b88ada047bb04f8d49f1c34bcf81cc0f3389ad01a758fc7eeb0072aa9ad1481992bfdde82e438e75590a4423832dfbe3756e2229ea873bc3606e6d72174cb2163bf40b5d49c81009dab85ecc03e311351bbf96e32c030a2b276a7698cb25bc2c967acb3213161a1fdde7d912cd6a804490f8056c47da1333f6e35c41e749c2c23919cb9af5eec5652e6e072b034fb1682e9aaa194a9c0bd456ea0b008d14dbce37967a7a8e",
-	"705f98f632d99d3651793825c38dc4deda56c59eac539da6a0159c83131cf8ab6f2ee0c3b74111fde351f7aa1a8c500a0cecab17c212d2c58ca09eae608c8eefc922b9902ef8d6832f799ba48c3c28aa702b3242107edeba01daafe424406a3822965056cfe8783455a671e93b1e2eae2321364f1871471c82124df33bc09e1b52882bd7e1c4c7d0b2f3dd4a28c2a002a43246768af0700f9659de99d62167be93177aabf19d678e79e9c726ac510d94e74873eda99620a3961930cd91937c88a06d8153d64fd60da7ca38cf26d1d4f04a0df273f52127c53fdc593f0f8df9",
-	"ea6f8e977c954657b45f25480ff42c36c7a10c77caa26eb1c907062e24fbca5aebc65cacca0de10abea8c78322f08672e13d8ac16996eca1aa17402eaea4c1cc6c800b22dc18cb8d620192d74bac02c07b5cfa61e513c7f28b7e29b9700e0e442720bf4c669d4995da19d19f841d9eb68cc74153592591e3bf059ef616b95305aa453b32fe99a91afb35bd482cf2b7aa42702837a53be3c38883d2963020e347556f841254ec6b85854485fe8c520b05f2ea67a9bf3981555c20991e2bacd4db5b418228b6002d8d41c025cb472bf5443aaa885974a408ea7f2e3f932c600deb",
-	"408190134ed06556811b1af808ab2d986aff152a28de2c41a2207c0ccc18125ac20f48384de89ea7c80cda1da14e60cc1599943646b4c0082bbcda2d9fa55a13e9df2934edf15eb4fd41f25fa3dd706ab6de522ed351b106321e494e7a27d5f7caf44ec6fadf1122d227eefc0f57aefc140d2c63d07dcbfd65790b1099745ed042cfd1548242076b98e616b76ff0d53db5179df8dd62c06a36a8b9e95a671e2a9b9dd3fb187a31ae5828d218ec5851913e0b52e2532bd4bf9e7b349f32de2b6d5d3cdf9f372d49617b6220c93c05962327e99a0480488443349f0fd54c1860f7c8",
-	"5f9e5c6f38573a85010a9d84d33f29c057003b2645e3ea6f72cbc7af95d197ce6a06b13fea81722853e6991791b8b15091cd066f5ed913592ed3d3af5370d39ba22beeb2a582a414b16824b77e194a094c2afdcc09aa73ce36f4943cca5ae32c5017dc398801dd92a47382d9327c9f6cffd38ca4167cd836f7855fc5ff048d8efba378cdde224905a0425e6b1de061fc951c5e624a5153b008ad41160a710b3ff2081748d5e02deb9f841f4fc6cf4a15153dd4fe874fd447482696283e79ee0e6bc8c1c0409baa5ab02c5209c319e3169b2476149c0c6e541c6197ca46e004eef533",
-	"218c6b3508aec69574f2b5039b30b942b72a8349d05f48ff945bbbe5c8957d5a6199492a6bf54bab821c9377e2edfa4c908384664d2c80112d5e805d66e0a551b941021be17dd20bd825bea9a3b6afb1b8c605805b3bda58750f03ea5c953a698494b425d8980c69f34d1c3f6b5866e8717031152a127215c256e08873c21b0f5cc85875d0f7c94601659150c04cd5fe5d381ba29983a2d94fcd3a65a94c53c7279cd000dddd4253d8cff8d7f6ace10247fe3bc30d63ba4bb54f557b3d22a3924369430d71ab37b701e9500bda70b5a643704858beed4726a889b6c9c91584194c68f1",
-	"dac26aa7273fc25d6e044c79fc2bfa46e59892a42bbca59a86826c91e76ab03e4bd9f7c0b5f08d1931d88b36ea77d94f7ba67cd4f1d3086e529427201119096ae066ae6f170940830ed7900de7bb9d66e09788287403a4ecc93c6da975d2fb08e918840a236c15f5d3a8f7375c2eeebbf6f01a6e7f29ca2b8d42df158414c320777433663c59fdcd1f39ca68e3473db721be7ce8c6dba5fddc024f94fedb286b0477581d451313ca8c737484daf60d67f9b2d56d4bcc271f7e9ae958c7f258efbc74d25753e0516f28282461941bf2dcc7dd8c7df6173b89760cefcac07190243ff863fb",
-	"c46e6512e6797cc7a54254a1b26b2de29aa83d6c4b1ea5a2786fbcec388270625b12635eae39e1fba013f8a65219421bca8b52a8ddfd431cda60299bdf160734d5a7450ec79620058522702174ae451b9bfa7c4a455fbbee3e1d048c7d4bac5131018228f137c8e130440c7059b4f15eaa34ce872a851a16ce86f982df78a00be4d564da2003a450ddee9ab43ea876b8b4b65c84f0b39265fd5456417afb5bc54997c986e66fc222f2123ba5e719c4d6b9a177b188277df384f1125821cf19d5248cef0be183ccdc84ac194506f740ed2188b2689ea4c9236a9e9e3a2fff85b6af4e9b49a3",
-	"1ccd4d278d67b65cf2564ecd4de1b55fe07adc80e1f735fe2f08ea53fd3977323689122c29c798957abaff6aba09bdcbf661d77f4dc8913ab1fe2bef38846166e3834785e7105d746484eff8c656af5d8c7854abc1c62b7fadb65521dc6f793d978bda9838eb3800417d32e8a24d8c8cb1d18a5de6ca79d9e1b0ff9aa25e6218fe944cf18666fecc1e31334b390260dbe0997539e1b02f6366b2aea4f4a21efe04f4b97568fcb39e59919d5ebac6543d5d0f48fc66b923c34aac377dc95c20329b837b6ed5e8d9a3d2089cd0d8f025658006ff41cbdaccca618822ca590ab155253f8bc1c7f5",
-	"9875209588395ee3c9fdd793fd48717cc84c8c3ea622b2ccc4a1be4448e6034b7810569855255031f10be5ffd714b05f9ce01972d712d40abf03d4d0ce175813a7a668f761324996093fc2aa5912f7fc2abdadd8775d2b4d9ad492216293381460ed8f6db3d641d1525f4242c348bbfe504c704f215dc461de51b5c75c1aae967936963848f16c673eca5e78dfd47eb19001d52d1bcf96c98956dad5ddf594a5da757e7ca35f2f69803b784e66ac5a58b75c228b8266ec592505e5d1ca87d81225738855f15bc0914677e81593fd409e77d159f8a908f67788de9eb06c5561547aada96c47c535",
-	"40c90e375e366f3756d89091eb3eed9fe0fbfc5638700af4617d358812bac53124a2205dd6756456787d49cd6a35e302479a0992288f47532e4ea7ab62fc5ad5adc690a5d9a446f7e035ad4641bd8dae83946aee3338ec984ccb5cc633e1409f2531eeffe05532a8b0062ba99454c9aeabf8ecb94db195af7032bfebc22912f49d39330add47ff8fa5720612d697f0b602738930e060a1bb214efc5e292224cf34e29deaea6b1b1ff847e94ecc997325ac38df61db45d82bf0e74a664d2fe085c20b04c39e90d6a170b68d2f1d373f00c731c524456ada73d659aaac9df3191a7a3865083343fc13",
-	"e8800d82e072210ca6d7fa2472028974780b76aad4bcb9ad362422dd05ae3232668251d164daa375a43b26a38cce28dbeb3dee1a4a579f70d0fe7febb29b5ece8aa836e050fb3d188c63aa9c3c0da6c717d86458a6096b5effceb964efdec7035960c09ccd10dea3c5f1c7f9f478d5887ebbe2e15c5ff85dbacbc444bb951c4eec7abecb89ed80187e409e2972ffe1a5f01562af109f2cf09471cf72cf83a3bb8f4e2ef38ed0e326b698296394e5b2718a5000c01425708e8ad0461e62462d8819c2377f13ab1be2c7c9f33dc06fe23cad27b87569f2ce2e56e4b2c60c7b1b3d370841d89ebdc1f192",
-	"796d6d1447d5b7e8c55cd8b2f8b7010db39f27565f907e3fc0e464ea2d4bb52b37f10e7c6dcfc59231b9cdee12c32aeb4adbc42b86e86eb6defb5b69e6ca75e1f4d0dae3e124e5a1b8b6697f7e10b0403f1f0a5ff848eef3752837a9ba17780f16a9a709188a8d5b89a2fa74adb2e651163b1c2b3d261e225c9158dcd9eb7ac3d6704cee290cdff6bcb3cb90cee030aa0d19d4693655c3c30ac6fc06d2ae37787c47126d57ed9a6bef5f8a6c56859aefc08755739a95aac57a4dd916a92ba9f3afbf969df8085949615033365c751a9a3e1a18cee98a69d22e64009bebf8307169b6c61de0617ecfafdf",
-	"4f9057183566153cf337b07c3f5556006de54c56b2a1e5326c07aaeabd1886ec6f1641358925db232b2f0dbf75229c796a7395b2f934c1f99090bec1123f3c841b1cb3c5b1ec42ed5408f2940f0c48a9470b852c46d6557853d459cecd2c32bbcd8ee21fa11e385eef0857cba4d8545a61b52a484cdd779db4739fbc7aa9860dcabe0488b98fa0b60c3f7d6153db279000a52ffb573dab37d2ab1896a90e5deb7ac6bbe56239085c325d83a917dc6e8a448425b718c2356b9f3066163555ec444f372e184e02c8c4c69b1c1c2ae2b51e45b98f73d933d18750968945ca85d6bbb22014b4c4015262e3c40d",
-	"79dcca7d8b81a61359e4aece21f3df7b99518ce70bd2f57a18bab5e7114af2add0a0cea7f319d69f231f060e0a539d9a23fb3e95451ce8c6340cfb09edf931df84203a39226dd9eb278f11b691ef612585b973daab373e65d11325898badf6732100371fd759960fa8fec373268421d28bffdb9b12a430b92fe4b07566ca0c89e616e49f8fc75ccd9cdc66db820d7c02e109aa5ed86b89770262918a518f90a2292f6b68d68ae03992e4259a17a23c84ec2a417f082b5abf3a26e44d2278ecb8ba9456965303a75f25394d1aaf5544590e74b14d8a4cc4050be2b0ebcfe4d2db6b12a02c68a3bcdda70301f3",
-	"848755dc31e25e9a42f9ec12d847d19f292c14c162c9aba49e972cb123b58b8e57bb263a923929833373858594ff52dbc298dbbc078599194e4c07b0e5fc1e10808bbacdb6e93c72b333685cf961f28eb0d5a395c63266b01f130d25db384b356e5da6d01042fc2359581b89c63b3bb2d1ce897fbc9e83fe85d9666cb60e6a8c657f70caad5387b8a045bf91095606802c8424ea8ac52ef29386dc46183378a5fcb2cb927428b8c070f1c42aafd3bc70ca25437807696a46873cfeb7b80ba2ebc3c4272443d445e46343a1465253a9eebd532a0d1d2c18264b91ff45159f245404ae9335f2af55c802772426b4",
-	"ecaa6e999ef355a0768730edb835db411829a3764f79d764bb5682af6d00f51b313e017b83fffe2e332cd4a3de0a81d6a52084d5748346a1f81eb9b183ff6d93d05edc00e938d001c90872dfe234e8dd085f639af168af4a07e18f1c56ca6c7c1addffc4a70eb4660666dda0321636c3f83479ad3b64e23d749620413a2ecdcc52ad4e6e63f2b817ce99c15b5d2da3792721d7158297cce65e0c04fe810d7e2434b969e4c7892b3840623e153576356e9a696fd9e7a801c25de621a7849da3f99158d3d09bf039f43c510c8ffb00fa3e9a3c12d2c8062dd25b8dabe53d8581e30427e81c3dfc2d455352487e1255",
-	"23a3fe80e3636313fdf922a1359514d9f31775e1adf24285e8001c04dbce866df055edf25b506e18953492a173ba5aa0c1ec758123406a97025ba9b6b7a97eb14734424d1a7841ec0eaeba0051d6e9734263bea1af9895a3b8c83d8c854da2ae7832bdd7c285b73f8113c3821cced38b3656b4e6369a9f8327cd368f04128f1d78b6b4260f55995277feffa15e34532cd0306c1f47354667c17018ee012a791af2dbbc7afc92c388008c601740cccbbe66f1eb06ea657e9d478066c2bd2093ab62cd94abadc002722f50968e8acf361658fc64f50685a5b1b004888b3b4f64a4ddb67bec7e4ac64c9ee8deeda896b9",
-	"758f3567cd992228386a1c01930f7c52a9dcce28fdc1aaa54b0fed97d9a54f1df805f31bac12d559e90a2063cd7df8311a148f6904f78c5440f75e49877c0c0855d59c7f7ee52837e6ef3e54a568a7b38a0d5b896e298c8e46a56d24d8cabda8aeff85a622a3e7c87483ba921f34156defd185f608e2241224286e38121a162c2ba7604f68484717196f6628861a948180e8f06c6cc1ec66d032cf8d16da039cd74277cde31e535bc1692a44046e16881c954af3cd91dc49b443a3680e4bc42a954a46ebd1368b1398edd7580f935514b15c7fbfa9b40048a35122283af731f5e460aa85b66e65f49a9d158699bd2870",
-	"fe511e86971cea2b6af91b2afa898d9b067fa71780790bb409189f5debe719f405e16acf7c4306a6e6ac5cd535290efe088943b9e6c5d25bfc508023c1b105d20d57252fee8cdbddb4d34a6ec2f72e8d55be55afcafd2e922ab8c31888bec4e816d04f0b2cd23df6e04720969c5152b3563c6da37e4608554cc7b8715bc10aba6a2e3b6fbcd35408df0dd73a9076bfad32b741fcdb0edfb563b3f753508b9b26f0a91673255f9bcda2b9a120f6bfa0632b6551ca517d846a747b66ebda1b2170891ece94c19ce8bf682cc94afdf0053fba4e4f0530935c07cdd6f879c999a8c4328ef6d3e0a37974a230ada83910604337",
-	"a6024f5b959698c0de45f4f29e1803f99dc8112989c536e5a1337e281bc856ff721e986de183d7b0ea9eb61166830ae5d6d6bc857dc833ff189b52889b8e2bd3f35b4937624d9b36dc5f19db44f0772508029784c7dac9568d28609058bc437e2f79f95b12307d8a8fb042d7fd6ee910a9e8df609ede3283f958ba918a9925a0b1d0f9f9f232062315f28a52cbd60e71c09d83e0f6600f508f0ae8ad7642c080ffc618fcd2314e26f67f1529342569f6df37017f7e3b2dac32ad88d56d175ab22205ee7e3ee94720d76933a21132e110fefbb0689a3adbaa4c685f43652136d09b3a359b5c671e38f11915cb5612db2ae294",
-	"af6de0e227bd78494acb559ddf34d8a7d55a03912384831be21c38376f39cda8a864aff7a48aed758f6bdf777779a669068a75ce82a06f6b3325c855ed83daf5513a078a61f7dc6c1622a633367e5f3a33e765c8ec5d8d54f48494006fdbf8922063e5340013e312871b7f8f8e5ea439c0d4cb78e2f19dd11f010729b692c65dd0d347f0ce53de9d849224666ea2f6487f1c6f953e8f9dbfd3d6de291c3e9d045e633cfd83c89d2f2327d0b2f31f72ac1604a3db1febc5f22cad08153278047210cc2894582c251a014c652e3951593e70e52a5d7451be8924b64f85c8247dab6268d24710b39fc1c07b4ac829fbda34ed79b5",
-	"d7314e8b1ff82100b8f5870da62b61c31ab37ace9e6a7b6f7d294571523783c1fdedcbc00dd487dd6f848c34aab493507d07071b5eb59d1a2346068c7f356755fbde3d2cab67514f8c3a12d6ff9f96a977a9ac9263491bd33122a904da5386b943d35a6ba383932df07f259b6b45f69e9b27b4ca124fb3ae143d709853eed86690bc2754d5f8865c355a44b5279d8eb31cdc00f7407fb5f5b34edc57fc7ace943565da2222dc80632ccf42f2f125ceb19714ea964c2e50603c9f8960c3f27c2ed0e18a559931c4352bd7422109a28c5e145003f55c9b7c664fdc985168868950396eaf6fefc7b73d815c1aca721d7c67da632925",
-	"2928b55c0e4d0f5cb4b60af59e9a702e3d616a8cf427c8bb03981fb8c29026d8f7d89161f36c11654f9a5e8ccb703595a58d671ecdc22c6a784abe363158682be4643002a7da5c9d268a30ea9a8d4cc24f562ab59f55c2b43af7dbcecc7e5ebe7494e82d74145a1e7d442125eb0431c5ea0939b27afa47f8ca97849f341f707660c7fbe49b7a0712fbcb6f7562ae2961425f27c7779c7534ecdeb8047ff3cb89a25159f3e1cefe42f9ef16426241f2c4d62c11d7ac43c4500dfcd184436bb4ef33260366f875230f26d81613c334dbda4736ba9d1d2966502914ec01bbe72d885606ec11da7a2cb01b29d35eebedbb0ecc73ed6c35",
-	"fd993f50e8a68c7b2c7f87511ce65b93c0aa94dcbdf2c9cca93816f0f3b2ab34c62c586fc507b4900a34cf9d0517e0fe10a89d154c5419c1f5e38de00e8834fe3dc1032abdeb10729a81655a69a12856a78ca6e12110580de879b086fd6608726541cfa9616326bdd36064bc0d1e5f9c93b41278bff6a13b2494b81e238c0c45aea1b07d855e8f3fe1478e373bd9d3957cf8a5e5b9003386793d994c7c575cff2322e2428cbbaa4f47560316ae3354a7478842ff7cc5dcbacb6e871e72b36f06d63a9aaeb9044cfb7974afdc238a5816f537dcf33ee40b4e1a5eb3cff2402b46d548264e133008d284f11b7e4e450bc3c5ff9f79b9c4",
-	"8df21892f5fc303b0de4adef1970186db6fe71bb3ea3094922e13afcfabf1d0be009f36d6f6310c5f9fda51f1a946507a055b645c296370440e5e83d8e906a2fb51f2b42de8856a81a4f28a73a8825c68ea08e5e366730bce8047011cb7d6d9be8c6f4211308fad21856284d5bc47d199988e0abf5badf8693ceeed0a2d98e8ae94b7775a42925edb1f697ffbd8e806af23145054a85e071819cca4cd48875290ca65e5ee72a9a54ff9f19c10ef4adaf8d04c9a9afcc73853fc128bbebc61f78702787c966ca6e1b1a0e4dab646acdfcd3c6bf3e5cfbec5ebe3e06c8abaa1de56e48421d87c46b5c78030afcafd91f27e7d7c85eb4872b",
-	"48ec6ec520f8e593d7b3f653eb15553de246723b81a6d0c3221aaa42a37420fba98a23796338dff5f845dce6d5a449be5ecc1887356619270461087e08d05fb60433a83d7bd00c002b09ea210b428965124b9b27d9105a71c826c1a2491cfd60e4cfa86c2da0c7100a8dc1c3f2f94b280d54e01e043acf0e966200d9fa8a41daf3b9382820786c75cadbb8841a1b2be5b6cbeb64878e4a231ae063a99b4e2308960ef0c8e2a16bb3545cc43bdf171493fb89a84f47e7973dc60cf75aeeca71e0a7ebe17d161d4fb9fe009941cc438f16a5bae6c99fcad08cac486eb2a48060b023d8730bf1d82fe60a2f036e6f52a5bff95f43bbe088933f",
-	"f4d84ed3e564c102600a795eaa9b1eaf4ad12f1a4deca1d042a0a2750ddf6201db03073d8bf553cb9dde48a1b0083827a609f7242b86584cc180964ae794b12ce55661e00e36a6ba4dbc389e6a5a85f1b45df9af7ead1b0a54db56e68639b9d438a91504e82c35d40c7bc7e048a53ac0b04accd0dadf4ac9884b0ca0e3cb5ba4336e3581be4c4760a553823ffa283a1120d4e145af56a59f2533903650f0b9e9ad9fe2e8a3c3c3dd03a1fcb709032c8835324839c735b0c051d0cbd8b5d867617c11023432e4bd275d3d0eb98a0b6cf58071a5b712922f2bc751ac7c2588c447444cde2f37a8ea5ec126425bf517e0d17c9e2999f52fee14b3",
-	"2ccea21bac9c2b70d3923309cbf2d7cb7abd1fcc8b8b002688870a80029c62397350c3c898194e5deea360bb963d26d485cb7963f8167586976ec0556950b2e86135f4a2800991ce8473bfd44a3c5e937a48b5e355ba5141bccf2131a83988d9d2a9e8e7635a956105b3512c05ef708139ced51d7a4e204c12d8a49a21e8dc6de2629a2fd092326885d9f218745fe09f6d91fb6afce250a30a63689534b6be1f26899ffa3767d835cf586aa47776700f94241bc999b1e3deefe188f37ff734f5f16ee6a00914323dc7b8a143c9137cdcc5cd08ae9566f04bb2941532674c97dff6ffa5ce3405ef8e5d27ec403114253dd6394c0167d72a0044c5",
-	"2b681c6398aee63bf862770341648bbcd31d7de7903c5903fe3d9469311320bb24d914f2af0cdca199c97214c7c679dc32a2800ba484a03c010ea6be3bb9f2c87e30a98b606050b8a3f297f12b8f92caaeceb3e844652115934874e0a1ab093a73d759b53f6a6c3096940dd22c2bb96ce6820a7b9c6d71a208de9892aa6a7209b0fff56a0cafea52b952cdd6f5752cff3309d448800b4e4c878aa595595b56b12b83fcd6ca89520c7da664e449d7b4438fc455888aad5de0fad9a06eed14afd3513b5ebbffe01775549b701181bd26370764f56eba52fdb24286ad1ac0f5418a7c429f7dfc7f3168437fa8eed7a2ed7c723a485e4c3ed14dea2e07",
-	"aadfd505a89f4aade2c3018258a7e039401b1fc6a7f3d87910dddbb880d372ec8a13c70d92245de5b8e5f9a285c33b99dc82fa2b22decee72b93a72211656ad7a52696c8e570f78be28c0e427a371dafde856e8d5ed24f83b0660b51e7fac05d93a8666dfde6def59af863f80f3e5f6801182c87422203df390dcb736b8f830052a8832eeeb0b4e27e732aaf793d166b5a3ec7745aeef3766937c2b75a276bddd145f6010c29d035e343e267cb2d828436876ec3a7ebe3b6347d4172f7a99d6821ce152e039e53deb33340b324c7f068ffb94b3cde35a8eaa12d15c3806a7ad0acec3e8c7078c1d32a28fd3eec9f32cb86e4c22166ff69e83785e851",
-	"1605b8cce529a9d6262fd4390d9e4ae5e14e0adc0ec89b028ef68dd0f373ea259aaa96f2967091dd0874c0105385e9e6da9ca68297c31afa44ef834535fb302ce5b4e49edacbbdf359fe1228a8172495b3e57014c27edd58b685110980056c50c398a64f4923f2d720b4df16d75cb36b4233660694182099c35028a972519c24764fc94e18e582b24deb3491535fc06b83837c7958522800e822201d694af0bd0aa3834e17d4b1ba36f470905ae5f8bbeeb6c4c8604d8af02baa347b07086d6989867ddd5e8e8ed7740c3469bfa2810519c55c6add1332c4c54ee9097961d6741cb12a09713a0d07645f784f42f5ad94b48b836b34263130b0483f15e3",
-	"ff9c6125b2f60bfd6c2427b279df070e430075096647599bdc68c531152c58e13858b82385d78c856092d6c74106e87ccf51ac7e673936332d9b223444eaa0e762ee258d8a733d3a515ec68ed73285e5ca183ae3278b4820b0ab2797feb1e7d8cc864df585dfb5ebe02a993325a9ad5e2d7d49d3132cf66013898351d044e0fe908ccdfeeebf651983601e3673a1f92d36510c0cc19b2e75856db8e4a41f92a51efa66d6cc22e414944c2c34a5a89ccde0be76f51410824e330d8e7c613194338c93732e8aea651fca18bcf1ac1824340c5553aff1e58d4ab8d7c8842b4712021e517cd6c140f6743c69c7bee05b10a8f24050a8caa4f96d1664909c5a06",
-	"6e85c2f8e1fdc3aaeb969da1258cb504bbf0070cd03d23b3fb5ee08feea5ee2e0ee1c71a5d0f4f701b351f4e4b4d74cb1e2ae6184814f77b62d2f08134b7236ebf6b67d8a6c9f01b4248b30667c555f5d8646dbfe291151b23c9c9857e33a4d5c847be29a5ee7b402e03bac02d1a4319acc0dd8f25e9c7a266f5e5c896cc11b5b238df96a0963ae806cb277abc515c298a3e61a3036b177acf87a56ca4478c4c6d0d468913de602ec891318bbaf52c97a77c35c5b7d164816cf24e4c4b0b5f45853882f716d61eb947a45ce2efa78f1c70a918512af1ad536cbe6148083385b34e207f5f690d7a954021e4b5f4258a385fd8a87809a481f34202af4caccb82",
-	"1e9b2c454e9de3a2d723d850331037dbf54133dbe27488ff757dd255833a27d8eb8a128ad12d0978b6884e25737086a704fb289aaaccf930d5b582ab4df1f55f0c429b6875edec3fe45464fa74164be056a55e243c4222c586bec5b18f39036aa903d98180f24f83d09a454dfa1e03a60e6a3ba4613e99c35f874d790174ee48a557f4f021ade4d1b278d7997ef094569b37b3db0505951e9ee8400adaea275c6db51b325ee730c69df97745b556ae41cd98741e28aa3a49544541eeb3da1b1e8fa4e8e9100d66dd0c7f5e2c271b1ecc077de79c462b9fe4c273543ecd82a5bea63c5acc01eca5fb780c7d7c8c9fe208ae8bd50cad1769693d92c6c8649d20d8",
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2x.go b/vendor/golang.org/x/crypto/blake2b/blake2x.go
deleted file mode 100644
index c814496a..00000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2x.go
+++ /dev/null
@@ -1,177 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2b
-
-import (
-	"encoding/binary"
-	"errors"
-	"io"
-)
-
-// XOF defines the interface to hash functions that
-// support arbitrary-length output.
-type XOF interface {
-	// Write absorbs more data into the hash's state. It panics if called
-	// after Read.
-	io.Writer
-
-	// Read reads more output from the hash. It returns io.EOF if the limit
-	// has been reached.
-	io.Reader
-
-	// Clone returns a copy of the XOF in its current state.
-	Clone() XOF
-
-	// Reset resets the XOF to its initial state.
-	Reset()
-}
-
-// OutputLengthUnknown can be used as the size argument to NewXOF to indicate
-// the the length of the output is not known in advance.
-const OutputLengthUnknown = 0
-
-// magicUnknownOutputLength is a magic value for the output size that indicates
-// an unknown number of output bytes.
-const magicUnknownOutputLength = (1 << 32) - 1
-
-// maxOutputLength is the absolute maximum number of bytes to produce when the
-// number of output bytes is unknown.
-const maxOutputLength = (1 << 32) * 64
-
-// NewXOF creates a new variable-output-length hash. The hash either produce a
-// known number of bytes (1 <= size < 2**32-1), or an unknown number of bytes
-// (size == OutputLengthUnknown). In the latter case, an absolute limit of
-// 256GiB applies.
-//
-// A non-nil key turns the hash into a MAC. The key must between
-// zero and 32 bytes long.
-func NewXOF(size uint32, key []byte) (XOF, error) {
-	if len(key) > Size {
-		return nil, errKeySize
-	}
-	if size == magicUnknownOutputLength {
-		// 2^32-1 indicates an unknown number of bytes and thus isn't a
-		// valid length.
-		return nil, errors.New("blake2b: XOF length too large")
-	}
-	if size == OutputLengthUnknown {
-		size = magicUnknownOutputLength
-	}
-	x := &xof{
-		d: digest{
-			size:   Size,
-			keyLen: len(key),
-		},
-		length: size,
-	}
-	copy(x.d.key[:], key)
-	x.Reset()
-	return x, nil
-}
-
-type xof struct {
-	d                digest
-	length           uint32
-	remaining        uint64
-	cfg, root, block [Size]byte
-	offset           int
-	nodeOffset       uint32
-	readMode         bool
-}
-
-func (x *xof) Write(p []byte) (n int, err error) {
-	if x.readMode {
-		panic("blake2b: write to XOF after read")
-	}
-	return x.d.Write(p)
-}
-
-func (x *xof) Clone() XOF {
-	clone := *x
-	return &clone
-}
-
-func (x *xof) Reset() {
-	x.cfg[0] = byte(Size)
-	binary.LittleEndian.PutUint32(x.cfg[4:], uint32(Size)) // leaf length
-	binary.LittleEndian.PutUint32(x.cfg[12:], x.length)    // XOF length
-	x.cfg[17] = byte(Size)                                 // inner hash size
-
-	x.d.Reset()
-	x.d.h[1] ^= uint64(x.length) << 32
-
-	x.remaining = uint64(x.length)
-	if x.remaining == magicUnknownOutputLength {
-		x.remaining = maxOutputLength
-	}
-	x.offset, x.nodeOffset = 0, 0
-	x.readMode = false
-}
-
-func (x *xof) Read(p []byte) (n int, err error) {
-	if !x.readMode {
-		x.d.finalize(&x.root)
-		x.readMode = true
-	}
-
-	if x.remaining == 0 {
-		return 0, io.EOF
-	}
-
-	n = len(p)
-	if uint64(n) > x.remaining {
-		n = int(x.remaining)
-		p = p[:n]
-	}
-
-	if x.offset > 0 {
-		blockRemaining := Size - x.offset
-		if n < blockRemaining {
-			x.offset += copy(p, x.block[x.offset:])
-			x.remaining -= uint64(n)
-			return
-		}
-		copy(p, x.block[x.offset:])
-		p = p[blockRemaining:]
-		x.offset = 0
-		x.remaining -= uint64(blockRemaining)
-	}
-
-	for len(p) >= Size {
-		binary.LittleEndian.PutUint32(x.cfg[8:], x.nodeOffset)
-		x.nodeOffset++
-
-		x.d.initConfig(&x.cfg)
-		x.d.Write(x.root[:])
-		x.d.finalize(&x.block)
-
-		copy(p, x.block[:])
-		p = p[Size:]
-		x.remaining -= uint64(Size)
-	}
-
-	if todo := len(p); todo > 0 {
-		if x.remaining < uint64(Size) {
-			x.cfg[0] = byte(x.remaining)
-		}
-		binary.LittleEndian.PutUint32(x.cfg[8:], x.nodeOffset)
-		x.nodeOffset++
-
-		x.d.initConfig(&x.cfg)
-		x.d.Write(x.root[:])
-		x.d.finalize(&x.block)
-
-		x.offset = copy(p, x.block[:todo])
-		x.remaining -= uint64(todo)
-	}
-	return
-}
-
-func (d *digest) initConfig(cfg *[Size]byte) {
-	d.offset, d.c[0], d.c[1] = 0, 0, 0
-	for i := range d.h {
-		d.h[i] = iv[i] ^ binary.LittleEndian.Uint64(cfg[i*8:])
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/register.go b/vendor/golang.org/x/crypto/blake2b/register.go
deleted file mode 100644
index efd689af..00000000
--- a/vendor/golang.org/x/crypto/blake2b/register.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.9
-
-package blake2b
-
-import (
-	"crypto"
-	"hash"
-)
-
-func init() {
-	newHash256 := func() hash.Hash {
-		h, _ := New256(nil)
-		return h
-	}
-	newHash384 := func() hash.Hash {
-		h, _ := New384(nil)
-		return h
-	}
-
-	newHash512 := func() hash.Hash {
-		h, _ := New512(nil)
-		return h
-	}
-
-	crypto.RegisterHash(crypto.BLAKE2b_256, newHash256)
-	crypto.RegisterHash(crypto.BLAKE2b_384, newHash384)
-	crypto.RegisterHash(crypto.BLAKE2b_512, newHash512)
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s.go b/vendor/golang.org/x/crypto/blake2s/blake2s.go
deleted file mode 100644
index ae0dc922..00000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s.go
+++ /dev/null
@@ -1,187 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package blake2s implements the BLAKE2s hash algorithm defined by RFC 7693
-// and the extendable output function (XOF) BLAKE2Xs.
-//
-// For a detailed specification of BLAKE2s see https://blake2.net/blake2.pdf
-// and for BLAKE2Xs see https://blake2.net/blake2x.pdf
-//
-// If you aren't sure which function you need, use BLAKE2s (Sum256 or New256).
-// If you need a secret-key MAC (message authentication code), use the New256
-// function with a non-nil key.
-//
-// BLAKE2X is a construction to compute hash values larger than 32 bytes. It
-// can produce hash values between 0 and 65535 bytes.
-package blake2s // import "golang.org/x/crypto/blake2s"
-
-import (
-	"encoding/binary"
-	"errors"
-	"hash"
-)
-
-const (
-	// The blocksize of BLAKE2s in bytes.
-	BlockSize = 64
-
-	// The hash size of BLAKE2s-256 in bytes.
-	Size = 32
-
-	// The hash size of BLAKE2s-128 in bytes.
-	Size128 = 16
-)
-
-var errKeySize = errors.New("blake2s: invalid key size")
-
-var iv = [8]uint32{
-	0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
-	0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
-}
-
-// Sum256 returns the BLAKE2s-256 checksum of the data.
-func Sum256(data []byte) [Size]byte {
-	var sum [Size]byte
-	checkSum(&sum, Size, data)
-	return sum
-}
-
-// New256 returns a new hash.Hash computing the BLAKE2s-256 checksum. A non-nil
-// key turns the hash into a MAC. The key must between zero and 32 bytes long.
-func New256(key []byte) (hash.Hash, error) { return newDigest(Size, key) }
-
-// New128 returns a new hash.Hash computing the BLAKE2s-128 checksum given a
-// non-empty key. Note that a 128-bit digest is too small to be secure as a
-// cryptographic hash and should only be used as a MAC, thus the key argument
-// is not optional.
-func New128(key []byte) (hash.Hash, error) {
-	if len(key) == 0 {
-		return nil, errors.New("blake2s: a key is required for a 128-bit hash")
-	}
-	return newDigest(Size128, key)
-}
-
-func newDigest(hashSize int, key []byte) (*digest, error) {
-	if len(key) > Size {
-		return nil, errKeySize
-	}
-	d := &digest{
-		size:   hashSize,
-		keyLen: len(key),
-	}
-	copy(d.key[:], key)
-	d.Reset()
-	return d, nil
-}
-
-func checkSum(sum *[Size]byte, hashSize int, data []byte) {
-	var (
-		h [8]uint32
-		c [2]uint32
-	)
-
-	h = iv
-	h[0] ^= uint32(hashSize) | (1 << 16) | (1 << 24)
-
-	if length := len(data); length > BlockSize {
-		n := length &^ (BlockSize - 1)
-		if length == n {
-			n -= BlockSize
-		}
-		hashBlocks(&h, &c, 0, data[:n])
-		data = data[n:]
-	}
-
-	var block [BlockSize]byte
-	offset := copy(block[:], data)
-	remaining := uint32(BlockSize - offset)
-
-	if c[0] < remaining {
-		c[1]--
-	}
-	c[0] -= remaining
-
-	hashBlocks(&h, &c, 0xFFFFFFFF, block[:])
-
-	for i, v := range h {
-		binary.LittleEndian.PutUint32(sum[4*i:], v)
-	}
-}
-
-type digest struct {
-	h      [8]uint32
-	c      [2]uint32
-	size   int
-	block  [BlockSize]byte
-	offset int
-
-	key    [BlockSize]byte
-	keyLen int
-}
-
-func (d *digest) BlockSize() int { return BlockSize }
-
-func (d *digest) Size() int { return d.size }
-
-func (d *digest) Reset() {
-	d.h = iv
-	d.h[0] ^= uint32(d.size) | (uint32(d.keyLen) << 8) | (1 << 16) | (1 << 24)
-	d.offset, d.c[0], d.c[1] = 0, 0, 0
-	if d.keyLen > 0 {
-		d.block = d.key
-		d.offset = BlockSize
-	}
-}
-
-func (d *digest) Write(p []byte) (n int, err error) {
-	n = len(p)
-
-	if d.offset > 0 {
-		remaining := BlockSize - d.offset
-		if n <= remaining {
-			d.offset += copy(d.block[d.offset:], p)
-			return
-		}
-		copy(d.block[d.offset:], p[:remaining])
-		hashBlocks(&d.h, &d.c, 0, d.block[:])
-		d.offset = 0
-		p = p[remaining:]
-	}
-
-	if length := len(p); length > BlockSize {
-		nn := length &^ (BlockSize - 1)
-		if length == nn {
-			nn -= BlockSize
-		}
-		hashBlocks(&d.h, &d.c, 0, p[:nn])
-		p = p[nn:]
-	}
-
-	d.offset += copy(d.block[:], p)
-	return
-}
-
-func (d *digest) Sum(sum []byte) []byte {
-	var hash [Size]byte
-	d.finalize(&hash)
-	return append(sum, hash[:d.size]...)
-}
-
-func (d *digest) finalize(hash *[Size]byte) {
-	var block [BlockSize]byte
-	h := d.h
-	c := d.c
-
-	copy(block[:], d.block[:d.offset])
-	remaining := uint32(BlockSize - d.offset)
-	if c[0] < remaining {
-		c[1]--
-	}
-	c[0] -= remaining
-
-	hashBlocks(&h, &c, 0xFFFFFFFF, block[:])
-	for i, v := range h {
-		binary.LittleEndian.PutUint32(hash[4*i:], v)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_386.go b/vendor/golang.org/x/crypto/blake2s/blake2s_386.go
deleted file mode 100644
index 45ae5461..00000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_386.go
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build 386,!gccgo,!appengine
-
-package blake2s
-
-var (
-	useSSE4  = false
-	useSSSE3 = supportSSSE3()
-	useSSE2  = supportSSE2()
-)
-
-//go:noescape
-func supportSSE2() bool
-
-//go:noescape
-func supportSSSE3() bool
-
-//go:noescape
-func hashBlocksSSE2(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-//go:noescape
-func hashBlocksSSSE3(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-func hashBlocks(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) {
-	if useSSSE3 {
-		hashBlocksSSSE3(h, c, flag, blocks)
-	} else if useSSE2 {
-		hashBlocksSSE2(h, c, flag, blocks)
-	} else {
-		hashBlocksGeneric(h, c, flag, blocks)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_386.s b/vendor/golang.org/x/crypto/blake2s/blake2s_386.s
deleted file mode 100644
index 0bb65c70..00000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_386.s
+++ /dev/null
@@ -1,460 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build 386,!gccgo,!appengine
-
-#include "textflag.h"
-
-DATA iv0<>+0x00(SB)/4, $0x6a09e667
-DATA iv0<>+0x04(SB)/4, $0xbb67ae85
-DATA iv0<>+0x08(SB)/4, $0x3c6ef372
-DATA iv0<>+0x0c(SB)/4, $0xa54ff53a
-GLOBL iv0<>(SB), (NOPTR+RODATA), $16
-
-DATA iv1<>+0x00(SB)/4, $0x510e527f
-DATA iv1<>+0x04(SB)/4, $0x9b05688c
-DATA iv1<>+0x08(SB)/4, $0x1f83d9ab
-DATA iv1<>+0x0c(SB)/4, $0x5be0cd19
-GLOBL iv1<>(SB), (NOPTR+RODATA), $16
-
-DATA rol16<>+0x00(SB)/8, $0x0504070601000302
-DATA rol16<>+0x08(SB)/8, $0x0D0C0F0E09080B0A
-GLOBL rol16<>(SB), (NOPTR+RODATA), $16
-
-DATA rol8<>+0x00(SB)/8, $0x0407060500030201
-DATA rol8<>+0x08(SB)/8, $0x0C0F0E0D080B0A09
-GLOBL rol8<>(SB), (NOPTR+RODATA), $16
-
-DATA counter<>+0x00(SB)/8, $0x40
-DATA counter<>+0x08(SB)/8, $0x0
-GLOBL counter<>(SB), (NOPTR+RODATA), $16
-
-#define ROTL_SSE2(n, t, v) \
-	MOVO  v, t;       \
-	PSLLL $n, t;      \
-	PSRLL $(32-n), v; \
-	PXOR  t, v
-
-#define ROTL_SSSE3(c, v) \
-	PSHUFB c, v
-
-#define ROUND_SSE2(v0, v1, v2, v3, m0, m1, m2, m3, t) \
-	PADDL  m0, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSE2(16, t, v3); \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(20, t, v1); \
-	PADDL  m1, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSE2(24, t, v3); \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(25, t, v1); \
-	PSHUFL $0x39, v1, v1; \
-	PSHUFL $0x4E, v2, v2; \
-	PSHUFL $0x93, v3, v3; \
-	PADDL  m2, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSE2(16, t, v3); \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(20, t, v1); \
-	PADDL  m3, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSE2(24, t, v3); \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(25, t, v1); \
-	PSHUFL $0x39, v3, v3; \
-	PSHUFL $0x4E, v2, v2; \
-	PSHUFL $0x93, v1, v1
-
-#define ROUND_SSSE3(v0, v1, v2, v3, m0, m1, m2, m3, t, c16, c8) \
-	PADDL  m0, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSSE3(c16, v3);  \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(20, t, v1); \
-	PADDL  m1, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSSE3(c8, v3);   \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(25, t, v1); \
-	PSHUFL $0x39, v1, v1; \
-	PSHUFL $0x4E, v2, v2; \
-	PSHUFL $0x93, v3, v3; \
-	PADDL  m2, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSSE3(c16, v3);  \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(20, t, v1); \
-	PADDL  m3, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSSE3(c8, v3);   \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(25, t, v1); \
-	PSHUFL $0x39, v3, v3; \
-	PSHUFL $0x4E, v2, v2; \
-	PSHUFL $0x93, v1, v1
-
-#define PRECOMPUTE(dst, off, src, t) \
-	MOVL 0*4(src), t;          \
-	MOVL t, 0*4+off+0(dst);    \
-	MOVL t, 9*4+off+64(dst);   \
-	MOVL t, 5*4+off+128(dst);  \
-	MOVL t, 14*4+off+192(dst); \
-	MOVL t, 4*4+off+256(dst);  \
-	MOVL t, 2*4+off+320(dst);  \
-	MOVL t, 8*4+off+384(dst);  \
-	MOVL t, 12*4+off+448(dst); \
-	MOVL t, 3*4+off+512(dst);  \
-	MOVL t, 15*4+off+576(dst); \
-	MOVL 1*4(src), t;          \
-	MOVL t, 4*4+off+0(dst);    \
-	MOVL t, 8*4+off+64(dst);   \
-	MOVL t, 14*4+off+128(dst); \
-	MOVL t, 5*4+off+192(dst);  \
-	MOVL t, 12*4+off+256(dst); \
-	MOVL t, 11*4+off+320(dst); \
-	MOVL t, 1*4+off+384(dst);  \
-	MOVL t, 6*4+off+448(dst);  \
-	MOVL t, 10*4+off+512(dst); \
-	MOVL t, 3*4+off+576(dst);  \
-	MOVL 2*4(src), t;          \
-	MOVL t, 1*4+off+0(dst);    \
-	MOVL t, 13*4+off+64(dst);  \
-	MOVL t, 6*4+off+128(dst);  \
-	MOVL t, 8*4+off+192(dst);  \
-	MOVL t, 2*4+off+256(dst);  \
-	MOVL t, 0*4+off+320(dst);  \
-	MOVL t, 14*4+off+384(dst); \
-	MOVL t, 11*4+off+448(dst); \
-	MOVL t, 12*4+off+512(dst); \
-	MOVL t, 4*4+off+576(dst);  \
-	MOVL 3*4(src), t;          \
-	MOVL t, 5*4+off+0(dst);    \
-	MOVL t, 15*4+off+64(dst);  \
-	MOVL t, 9*4+off+128(dst);  \
-	MOVL t, 1*4+off+192(dst);  \
-	MOVL t, 11*4+off+256(dst); \
-	MOVL t, 7*4+off+320(dst);  \
-	MOVL t, 13*4+off+384(dst); \
-	MOVL t, 3*4+off+448(dst);  \
-	MOVL t, 6*4+off+512(dst);  \
-	MOVL t, 10*4+off+576(dst); \
-	MOVL 4*4(src), t;          \
-	MOVL t, 2*4+off+0(dst);    \
-	MOVL t, 1*4+off+64(dst);   \
-	MOVL t, 15*4+off+128(dst); \
-	MOVL t, 10*4+off+192(dst); \
-	MOVL t, 6*4+off+256(dst);  \
-	MOVL t, 8*4+off+320(dst);  \
-	MOVL t, 3*4+off+384(dst);  \
-	MOVL t, 13*4+off+448(dst); \
-	MOVL t, 14*4+off+512(dst); \
-	MOVL t, 5*4+off+576(dst);  \
-	MOVL 5*4(src), t;          \
-	MOVL t, 6*4+off+0(dst);    \
-	MOVL t, 11*4+off+64(dst);  \
-	MOVL t, 2*4+off+128(dst);  \
-	MOVL t, 9*4+off+192(dst);  \
-	MOVL t, 1*4+off+256(dst);  \
-	MOVL t, 13*4+off+320(dst); \
-	MOVL t, 4*4+off+384(dst);  \
-	MOVL t, 8*4+off+448(dst);  \
-	MOVL t, 15*4+off+512(dst); \
-	MOVL t, 7*4+off+576(dst);  \
-	MOVL 6*4(src), t;          \
-	MOVL t, 3*4+off+0(dst);    \
-	MOVL t, 7*4+off+64(dst);   \
-	MOVL t, 13*4+off+128(dst); \
-	MOVL t, 12*4+off+192(dst); \
-	MOVL t, 10*4+off+256(dst); \
-	MOVL t, 1*4+off+320(dst);  \
-	MOVL t, 9*4+off+384(dst);  \
-	MOVL t, 14*4+off+448(dst); \
-	MOVL t, 0*4+off+512(dst);  \
-	MOVL t, 6*4+off+576(dst);  \
-	MOVL 7*4(src), t;          \
-	MOVL t, 7*4+off+0(dst);    \
-	MOVL t, 14*4+off+64(dst);  \
-	MOVL t, 10*4+off+128(dst); \
-	MOVL t, 0*4+off+192(dst);  \
-	MOVL t, 5*4+off+256(dst);  \
-	MOVL t, 9*4+off+320(dst);  \
-	MOVL t, 12*4+off+384(dst); \
-	MOVL t, 1*4+off+448(dst);  \
-	MOVL t, 13*4+off+512(dst); \
-	MOVL t, 2*4+off+576(dst);  \
-	MOVL 8*4(src), t;          \
-	MOVL t, 8*4+off+0(dst);    \
-	MOVL t, 5*4+off+64(dst);   \
-	MOVL t, 4*4+off+128(dst);  \
-	MOVL t, 15*4+off+192(dst); \
-	MOVL t, 14*4+off+256(dst); \
-	MOVL t, 3*4+off+320(dst);  \
-	MOVL t, 11*4+off+384(dst); \
-	MOVL t, 10*4+off+448(dst); \
-	MOVL t, 7*4+off+512(dst);  \
-	MOVL t, 1*4+off+576(dst);  \
-	MOVL 9*4(src), t;          \
-	MOVL t, 12*4+off+0(dst);   \
-	MOVL t, 2*4+off+64(dst);   \
-	MOVL t, 11*4+off+128(dst); \
-	MOVL t, 4*4+off+192(dst);  \
-	MOVL t, 0*4+off+256(dst);  \
-	MOVL t, 15*4+off+320(dst); \
-	MOVL t, 10*4+off+384(dst); \
-	MOVL t, 7*4+off+448(dst);  \
-	MOVL t, 5*4+off+512(dst);  \
-	MOVL t, 9*4+off+576(dst);  \
-	MOVL 10*4(src), t;         \
-	MOVL t, 9*4+off+0(dst);    \
-	MOVL t, 4*4+off+64(dst);   \
-	MOVL t, 8*4+off+128(dst);  \
-	MOVL t, 13*4+off+192(dst); \
-	MOVL t, 3*4+off+256(dst);  \
-	MOVL t, 5*4+off+320(dst);  \
-	MOVL t, 7*4+off+384(dst);  \
-	MOVL t, 15*4+off+448(dst); \
-	MOVL t, 11*4+off+512(dst); \
-	MOVL t, 0*4+off+576(dst);  \
-	MOVL 11*4(src), t;         \
-	MOVL t, 13*4+off+0(dst);   \
-	MOVL t, 10*4+off+64(dst);  \
-	MOVL t, 0*4+off+128(dst);  \
-	MOVL t, 3*4+off+192(dst);  \
-	MOVL t, 9*4+off+256(dst);  \
-	MOVL t, 6*4+off+320(dst);  \
-	MOVL t, 15*4+off+384(dst); \
-	MOVL t, 4*4+off+448(dst);  \
-	MOVL t, 2*4+off+512(dst);  \
-	MOVL t, 12*4+off+576(dst); \
-	MOVL 12*4(src), t;         \
-	MOVL t, 10*4+off+0(dst);   \
-	MOVL t, 12*4+off+64(dst);  \
-	MOVL t, 1*4+off+128(dst);  \
-	MOVL t, 6*4+off+192(dst);  \
-	MOVL t, 13*4+off+256(dst); \
-	MOVL t, 4*4+off+320(dst);  \
-	MOVL t, 0*4+off+384(dst);  \
-	MOVL t, 2*4+off+448(dst);  \
-	MOVL t, 8*4+off+512(dst);  \
-	MOVL t, 14*4+off+576(dst); \
-	MOVL 13*4(src), t;         \
-	MOVL t, 14*4+off+0(dst);   \
-	MOVL t, 3*4+off+64(dst);   \
-	MOVL t, 7*4+off+128(dst);  \
-	MOVL t, 2*4+off+192(dst);  \
-	MOVL t, 15*4+off+256(dst); \
-	MOVL t, 12*4+off+320(dst); \
-	MOVL t, 6*4+off+384(dst);  \
-	MOVL t, 0*4+off+448(dst);  \
-	MOVL t, 9*4+off+512(dst);  \
-	MOVL t, 11*4+off+576(dst); \
-	MOVL 14*4(src), t;         \
-	MOVL t, 11*4+off+0(dst);   \
-	MOVL t, 0*4+off+64(dst);   \
-	MOVL t, 12*4+off+128(dst); \
-	MOVL t, 7*4+off+192(dst);  \
-	MOVL t, 8*4+off+256(dst);  \
-	MOVL t, 14*4+off+320(dst); \
-	MOVL t, 2*4+off+384(dst);  \
-	MOVL t, 5*4+off+448(dst);  \
-	MOVL t, 1*4+off+512(dst);  \
-	MOVL t, 13*4+off+576(dst); \
-	MOVL 15*4(src), t;         \
-	MOVL t, 15*4+off+0(dst);   \
-	MOVL t, 6*4+off+64(dst);   \
-	MOVL t, 3*4+off+128(dst);  \
-	MOVL t, 11*4+off+192(dst); \
-	MOVL t, 7*4+off+256(dst);  \
-	MOVL t, 10*4+off+320(dst); \
-	MOVL t, 5*4+off+384(dst);  \
-	MOVL t, 9*4+off+448(dst);  \
-	MOVL t, 4*4+off+512(dst);  \
-	MOVL t, 8*4+off+576(dst)
-
-// func hashBlocksSSE2(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-TEXT ·hashBlocksSSE2(SB), 0, $672-24 // frame = 656 + 16 byte alignment
-	MOVL h+0(FP), AX
-	MOVL c+4(FP), BX
-	MOVL flag+8(FP), CX
-	MOVL blocks_base+12(FP), SI
-	MOVL blocks_len+16(FP), DX
-
-	MOVL SP, BP
-	MOVL SP, DI
-	ADDL $15, DI
-	ANDL $~15, DI
-	MOVL DI, SP
-
-	MOVL CX, 8(SP)
-	MOVL 0(BX), CX
-	MOVL CX, 0(SP)
-	MOVL 4(BX), CX
-	MOVL CX, 4(SP)
-	XORL CX, CX
-	MOVL CX, 12(SP)
-
-	MOVOU 0(AX), X0
-	MOVOU 16(AX), X1
-	MOVOU counter<>(SB), X2
-
-loop:
-	MOVO  X0, X4
-	MOVO  X1, X5
-	MOVOU iv0<>(SB), X6
-	MOVOU iv1<>(SB), X7
-
-	MOVO  0(SP), X3
-	PADDQ X2, X3
-	PXOR  X3, X7
-	MOVO  X3, 0(SP)
-
-	PRECOMPUTE(SP, 16, SI, CX)
-	ROUND_SSE2(X4, X5, X6, X7, 16(SP), 32(SP), 48(SP), 64(SP), X3)
-	ROUND_SSE2(X4, X5, X6, X7, 16+64(SP), 32+64(SP), 48+64(SP), 64+64(SP), X3)
-	ROUND_SSE2(X4, X5, X6, X7, 16+128(SP), 32+128(SP), 48+128(SP), 64+128(SP), X3)
-	ROUND_SSE2(X4, X5, X6, X7, 16+192(SP), 32+192(SP), 48+192(SP), 64+192(SP), X3)
-	ROUND_SSE2(X4, X5, X6, X7, 16+256(SP), 32+256(SP), 48+256(SP), 64+256(SP), X3)
-	ROUND_SSE2(X4, X5, X6, X7, 16+320(SP), 32+320(SP), 48+320(SP), 64+320(SP), X3)
-	ROUND_SSE2(X4, X5, X6, X7, 16+384(SP), 32+384(SP), 48+384(SP), 64+384(SP), X3)
-	ROUND_SSE2(X4, X5, X6, X7, 16+448(SP), 32+448(SP), 48+448(SP), 64+448(SP), X3)
-	ROUND_SSE2(X4, X5, X6, X7, 16+512(SP), 32+512(SP), 48+512(SP), 64+512(SP), X3)
-	ROUND_SSE2(X4, X5, X6, X7, 16+576(SP), 32+576(SP), 48+576(SP), 64+576(SP), X3)
-
-	PXOR X4, X0
-	PXOR X5, X1
-	PXOR X6, X0
-	PXOR X7, X1
-
-	LEAL 64(SI), SI
-	SUBL $64, DX
-	JNE  loop
-
-	MOVL 0(SP), CX
-	MOVL CX, 0(BX)
-	MOVL 4(SP), CX
-	MOVL CX, 4(BX)
-
-	MOVOU X0, 0(AX)
-	MOVOU X1, 16(AX)
-
-	MOVL BP, SP
-	RET
-
-// func hashBlocksSSSE3(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-TEXT ·hashBlocksSSSE3(SB), 0, $704-24 // frame = 688 + 16 byte alignment
-	MOVL h+0(FP), AX
-	MOVL c+4(FP), BX
-	MOVL flag+8(FP), CX
-	MOVL blocks_base+12(FP), SI
-	MOVL blocks_len+16(FP), DX
-
-	MOVL SP, BP
-	MOVL SP, DI
-	ADDL $15, DI
-	ANDL $~15, DI
-	MOVL DI, SP
-
-	MOVL CX, 8(SP)
-	MOVL 0(BX), CX
-	MOVL CX, 0(SP)
-	MOVL 4(BX), CX
-	MOVL CX, 4(SP)
-	XORL CX, CX
-	MOVL CX, 12(SP)
-
-	MOVOU 0(AX), X0
-	MOVOU 16(AX), X1
-	MOVOU counter<>(SB), X2
-
-loop:
-	MOVO  X0, 656(SP)
-	MOVO  X1, 672(SP)
-	MOVO  X0, X4
-	MOVO  X1, X5
-	MOVOU iv0<>(SB), X6
-	MOVOU iv1<>(SB), X7
-
-	MOVO  0(SP), X3
-	PADDQ X2, X3
-	PXOR  X3, X7
-	MOVO  X3, 0(SP)
-
-	MOVOU rol16<>(SB), X0
-	MOVOU rol8<>(SB), X1
-
-	PRECOMPUTE(SP, 16, SI, CX)
-	ROUND_SSSE3(X4, X5, X6, X7, 16(SP), 32(SP), 48(SP), 64(SP), X3, X0, X1)
-	ROUND_SSSE3(X4, X5, X6, X7, 16+64(SP), 32+64(SP), 48+64(SP), 64+64(SP), X3, X0, X1)
-	ROUND_SSSE3(X4, X5, X6, X7, 16+128(SP), 32+128(SP), 48+128(SP), 64+128(SP), X3, X0, X1)
-	ROUND_SSSE3(X4, X5, X6, X7, 16+192(SP), 32+192(SP), 48+192(SP), 64+192(SP), X3, X0, X1)
-	ROUND_SSSE3(X4, X5, X6, X7, 16+256(SP), 32+256(SP), 48+256(SP), 64+256(SP), X3, X0, X1)
-	ROUND_SSSE3(X4, X5, X6, X7, 16+320(SP), 32+320(SP), 48+320(SP), 64+320(SP), X3, X0, X1)
-	ROUND_SSSE3(X4, X5, X6, X7, 16+384(SP), 32+384(SP), 48+384(SP), 64+384(SP), X3, X0, X1)
-	ROUND_SSSE3(X4, X5, X6, X7, 16+448(SP), 32+448(SP), 48+448(SP), 64+448(SP), X3, X0, X1)
-	ROUND_SSSE3(X4, X5, X6, X7, 16+512(SP), 32+512(SP), 48+512(SP), 64+512(SP), X3, X0, X1)
-	ROUND_SSSE3(X4, X5, X6, X7, 16+576(SP), 32+576(SP), 48+576(SP), 64+576(SP), X3, X0, X1)
-
-	MOVO 656(SP), X0
-	MOVO 672(SP), X1
-	PXOR X4, X0
-	PXOR X5, X1
-	PXOR X6, X0
-	PXOR X7, X1
-
-	LEAL 64(SI), SI
-	SUBL $64, DX
-	JNE  loop
-
-	MOVL 0(SP), CX
-	MOVL CX, 0(BX)
-	MOVL 4(SP), CX
-	MOVL CX, 4(BX)
-
-	MOVOU X0, 0(AX)
-	MOVOU X1, 16(AX)
-
-	MOVL BP, SP
-	RET
-
-// func supportSSSE3() bool
-TEXT ·supportSSSE3(SB), 4, $0-1
-	MOVL $1, AX
-	CPUID
-	MOVL CX, BX
-	ANDL $0x1, BX      // supports SSE3
-	JZ   FALSE
-	ANDL $0x200, CX    // supports SSSE3
-	JZ   FALSE
-	MOVB $1, ret+0(FP)
-	RET
-
-FALSE:
-	MOVB $0, ret+0(FP)
-	RET
-
-// func supportSSE2() bool
-TEXT ·supportSSE2(SB), 4, $0-1
-	MOVL $1, AX
-	CPUID
-	SHRL $26, DX
-	ANDL $1, DX        // DX != 0 if support SSE2
-	MOVB DX, ret+0(FP)
-	RET
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.go b/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.go
deleted file mode 100644
index a925e6b2..00000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.go
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-package blake2s
-
-var (
-	useSSE4  = supportSSE4()
-	useSSSE3 = supportSSSE3()
-	useSSE2  = true // Always available on amd64
-)
-
-//go:noescape
-func supportSSSE3() bool
-
-//go:noescape
-func supportSSE4() bool
-
-//go:noescape
-func hashBlocksSSE2(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-//go:noescape
-func hashBlocksSSSE3(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-//go:noescape
-func hashBlocksSSE4(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-func hashBlocks(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) {
-	if useSSE4 {
-		hashBlocksSSE4(h, c, flag, blocks)
-	} else if useSSSE3 {
-		hashBlocksSSSE3(h, c, flag, blocks)
-	} else if useSSE2 {
-		hashBlocksSSE2(h, c, flag, blocks)
-	} else {
-		hashBlocksGeneric(h, c, flag, blocks)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.s b/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.s
deleted file mode 100644
index 6cdf5a94..00000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.s
+++ /dev/null
@@ -1,463 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-#include "textflag.h"
-
-DATA iv0<>+0x00(SB)/4, $0x6a09e667
-DATA iv0<>+0x04(SB)/4, $0xbb67ae85
-DATA iv0<>+0x08(SB)/4, $0x3c6ef372
-DATA iv0<>+0x0c(SB)/4, $0xa54ff53a
-GLOBL iv0<>(SB), (NOPTR+RODATA), $16
-
-DATA iv1<>+0x00(SB)/4, $0x510e527f
-DATA iv1<>+0x04(SB)/4, $0x9b05688c
-DATA iv1<>+0x08(SB)/4, $0x1f83d9ab
-DATA iv1<>+0x0c(SB)/4, $0x5be0cd19
-GLOBL iv1<>(SB), (NOPTR+RODATA), $16
-
-DATA rol16<>+0x00(SB)/8, $0x0504070601000302
-DATA rol16<>+0x08(SB)/8, $0x0D0C0F0E09080B0A
-GLOBL rol16<>(SB), (NOPTR+RODATA), $16
-
-DATA rol8<>+0x00(SB)/8, $0x0407060500030201
-DATA rol8<>+0x08(SB)/8, $0x0C0F0E0D080B0A09
-GLOBL rol8<>(SB), (NOPTR+RODATA), $16
-
-DATA counter<>+0x00(SB)/8, $0x40
-DATA counter<>+0x08(SB)/8, $0x0
-GLOBL counter<>(SB), (NOPTR+RODATA), $16
-
-#define ROTL_SSE2(n, t, v) \
-	MOVO  v, t;       \
-	PSLLL $n, t;      \
-	PSRLL $(32-n), v; \
-	PXOR  t, v
-
-#define ROTL_SSSE3(c, v) \
-	PSHUFB c, v
-
-#define ROUND_SSE2(v0, v1, v2, v3, m0, m1, m2, m3, t) \
-	PADDL  m0, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSE2(16, t, v3); \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(20, t, v1); \
-	PADDL  m1, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSE2(24, t, v3); \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(25, t, v1); \
-	PSHUFL $0x39, v1, v1; \
-	PSHUFL $0x4E, v2, v2; \
-	PSHUFL $0x93, v3, v3; \
-	PADDL  m2, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSE2(16, t, v3); \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(20, t, v1); \
-	PADDL  m3, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSE2(24, t, v3); \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(25, t, v1); \
-	PSHUFL $0x39, v3, v3; \
-	PSHUFL $0x4E, v2, v2; \
-	PSHUFL $0x93, v1, v1
-
-#define ROUND_SSSE3(v0, v1, v2, v3, m0, m1, m2, m3, t, c16, c8) \
-	PADDL  m0, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSSE3(c16, v3);  \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(20, t, v1); \
-	PADDL  m1, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSSE3(c8, v3);   \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(25, t, v1); \
-	PSHUFL $0x39, v1, v1; \
-	PSHUFL $0x4E, v2, v2; \
-	PSHUFL $0x93, v3, v3; \
-	PADDL  m2, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSSE3(c16, v3);  \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(20, t, v1); \
-	PADDL  m3, v0;        \
-	PADDL  v1, v0;        \
-	PXOR   v0, v3;        \
-	ROTL_SSSE3(c8, v3);   \
-	PADDL  v3, v2;        \
-	PXOR   v2, v1;        \
-	ROTL_SSE2(25, t, v1); \
-	PSHUFL $0x39, v3, v3; \
-	PSHUFL $0x4E, v2, v2; \
-	PSHUFL $0x93, v1, v1
-
-
-#define LOAD_MSG_SSE4(m0, m1, m2, m3, src, i0, i1, i2, i3, i4, i5, i6, i7, i8, i9, i10, i11, i12, i13, i14, i15) \
-	MOVL   i0*4(src), m0;      \
-	PINSRD $1, i1*4(src), m0;  \
-	PINSRD $2, i2*4(src), m0;  \
-	PINSRD $3, i3*4(src), m0;  \
-	MOVL   i4*4(src), m1;      \
-	PINSRD $1, i5*4(src), m1;  \
-	PINSRD $2, i6*4(src), m1;  \
-	PINSRD $3, i7*4(src), m1;  \
-	MOVL   i8*4(src), m2;      \
-	PINSRD $1, i9*4(src), m2;  \
-	PINSRD $2, i10*4(src), m2; \
-	PINSRD $3, i11*4(src), m2; \
-	MOVL   i12*4(src), m3;     \
-	PINSRD $1, i13*4(src), m3; \
-	PINSRD $2, i14*4(src), m3; \
-	PINSRD $3, i15*4(src), m3
-
-#define PRECOMPUTE_MSG(dst, off, src, R8, R9, R10, R11, R12, R13, R14, R15) \
-	MOVQ 0*4(src), R8;           \
-	MOVQ 2*4(src), R9;           \
-	MOVQ 4*4(src), R10;          \
-	MOVQ 6*4(src), R11;          \
-	MOVQ 8*4(src), R12;          \
-	MOVQ 10*4(src), R13;         \
-	MOVQ 12*4(src), R14;         \
-	MOVQ 14*4(src), R15;         \
-	                             \
-	MOVL R8, 0*4+off+0(dst);     \
-	MOVL R8, 9*4+off+64(dst);    \
-	MOVL R8, 5*4+off+128(dst);   \
-	MOVL R8, 14*4+off+192(dst);  \
-	MOVL R8, 4*4+off+256(dst);   \
-	MOVL R8, 2*4+off+320(dst);   \
-	MOVL R8, 8*4+off+384(dst);   \
-	MOVL R8, 12*4+off+448(dst);  \
-	MOVL R8, 3*4+off+512(dst);   \
-	MOVL R8, 15*4+off+576(dst);  \
-	SHRQ $32, R8;                \
-	MOVL R8, 4*4+off+0(dst);     \
-	MOVL R8, 8*4+off+64(dst);    \
-	MOVL R8, 14*4+off+128(dst);  \
-	MOVL R8, 5*4+off+192(dst);   \
-	MOVL R8, 12*4+off+256(dst);  \
-	MOVL R8, 11*4+off+320(dst);  \
-	MOVL R8, 1*4+off+384(dst);   \
-	MOVL R8, 6*4+off+448(dst);   \
-	MOVL R8, 10*4+off+512(dst);  \
-	MOVL R8, 3*4+off+576(dst);   \
-	                             \
-	MOVL R9, 1*4+off+0(dst);     \
-	MOVL R9, 13*4+off+64(dst);   \
-	MOVL R9, 6*4+off+128(dst);   \
-	MOVL R9, 8*4+off+192(dst);   \
-	MOVL R9, 2*4+off+256(dst);   \
-	MOVL R9, 0*4+off+320(dst);   \
-	MOVL R9, 14*4+off+384(dst);  \
-	MOVL R9, 11*4+off+448(dst);  \
-	MOVL R9, 12*4+off+512(dst);  \
-	MOVL R9, 4*4+off+576(dst);   \
-	SHRQ $32, R9;                \
-	MOVL R9, 5*4+off+0(dst);     \
-	MOVL R9, 15*4+off+64(dst);   \
-	MOVL R9, 9*4+off+128(dst);   \
-	MOVL R9, 1*4+off+192(dst);   \
-	MOVL R9, 11*4+off+256(dst);  \
-	MOVL R9, 7*4+off+320(dst);   \
-	MOVL R9, 13*4+off+384(dst);  \
-	MOVL R9, 3*4+off+448(dst);   \
-	MOVL R9, 6*4+off+512(dst);   \
-	MOVL R9, 10*4+off+576(dst);  \
-	                             \
-	MOVL R10, 2*4+off+0(dst);    \
-	MOVL R10, 1*4+off+64(dst);   \
-	MOVL R10, 15*4+off+128(dst); \
-	MOVL R10, 10*4+off+192(dst); \
-	MOVL R10, 6*4+off+256(dst);  \
-	MOVL R10, 8*4+off+320(dst);  \
-	MOVL R10, 3*4+off+384(dst);  \
-	MOVL R10, 13*4+off+448(dst); \
-	MOVL R10, 14*4+off+512(dst); \
-	MOVL R10, 5*4+off+576(dst);  \
-	SHRQ $32, R10;               \
-	MOVL R10, 6*4+off+0(dst);    \
-	MOVL R10, 11*4+off+64(dst);  \
-	MOVL R10, 2*4+off+128(dst);  \
-	MOVL R10, 9*4+off+192(dst);  \
-	MOVL R10, 1*4+off+256(dst);  \
-	MOVL R10, 13*4+off+320(dst); \
-	MOVL R10, 4*4+off+384(dst);  \
-	MOVL R10, 8*4+off+448(dst);  \
-	MOVL R10, 15*4+off+512(dst); \
-	MOVL R10, 7*4+off+576(dst);  \
-	                             \
-	MOVL R11, 3*4+off+0(dst);    \
-	MOVL R11, 7*4+off+64(dst);   \
-	MOVL R11, 13*4+off+128(dst); \
-	MOVL R11, 12*4+off+192(dst); \
-	MOVL R11, 10*4+off+256(dst); \
-	MOVL R11, 1*4+off+320(dst);  \
-	MOVL R11, 9*4+off+384(dst);  \
-	MOVL R11, 14*4+off+448(dst); \
-	MOVL R11, 0*4+off+512(dst);  \
-	MOVL R11, 6*4+off+576(dst);  \
-	SHRQ $32, R11;               \
-	MOVL R11, 7*4+off+0(dst);    \
-	MOVL R11, 14*4+off+64(dst);  \
-	MOVL R11, 10*4+off+128(dst); \
-	MOVL R11, 0*4+off+192(dst);  \
-	MOVL R11, 5*4+off+256(dst);  \
-	MOVL R11, 9*4+off+320(dst);  \
-	MOVL R11, 12*4+off+384(dst); \
-	MOVL R11, 1*4+off+448(dst);  \
-	MOVL R11, 13*4+off+512(dst); \
-	MOVL R11, 2*4+off+576(dst);  \
-	                             \
-	MOVL R12, 8*4+off+0(dst);    \
-	MOVL R12, 5*4+off+64(dst);   \
-	MOVL R12, 4*4+off+128(dst);  \
-	MOVL R12, 15*4+off+192(dst); \
-	MOVL R12, 14*4+off+256(dst); \
-	MOVL R12, 3*4+off+320(dst);  \
-	MOVL R12, 11*4+off+384(dst); \
-	MOVL R12, 10*4+off+448(dst); \
-	MOVL R12, 7*4+off+512(dst);  \
-	MOVL R12, 1*4+off+576(dst);  \
-	SHRQ $32, R12;               \
-	MOVL R12, 12*4+off+0(dst);   \
-	MOVL R12, 2*4+off+64(dst);   \
-	MOVL R12, 11*4+off+128(dst); \
-	MOVL R12, 4*4+off+192(dst);  \
-	MOVL R12, 0*4+off+256(dst);  \
-	MOVL R12, 15*4+off+320(dst); \
-	MOVL R12, 10*4+off+384(dst); \
-	MOVL R12, 7*4+off+448(dst);  \
-	MOVL R12, 5*4+off+512(dst);  \
-	MOVL R12, 9*4+off+576(dst);  \
-	                             \
-	MOVL R13, 9*4+off+0(dst);    \
-	MOVL R13, 4*4+off+64(dst);   \
-	MOVL R13, 8*4+off+128(dst);  \
-	MOVL R13, 13*4+off+192(dst); \
-	MOVL R13, 3*4+off+256(dst);  \
-	MOVL R13, 5*4+off+320(dst);  \
-	MOVL R13, 7*4+off+384(dst);  \
-	MOVL R13, 15*4+off+448(dst); \
-	MOVL R13, 11*4+off+512(dst); \
-	MOVL R13, 0*4+off+576(dst);  \
-	SHRQ $32, R13;               \
-	MOVL R13, 13*4+off+0(dst);   \
-	MOVL R13, 10*4+off+64(dst);  \
-	MOVL R13, 0*4+off+128(dst);  \
-	MOVL R13, 3*4+off+192(dst);  \
-	MOVL R13, 9*4+off+256(dst);  \
-	MOVL R13, 6*4+off+320(dst);  \
-	MOVL R13, 15*4+off+384(dst); \
-	MOVL R13, 4*4+off+448(dst);  \
-	MOVL R13, 2*4+off+512(dst);  \
-	MOVL R13, 12*4+off+576(dst); \
-	                             \
-	MOVL R14, 10*4+off+0(dst);   \
-	MOVL R14, 12*4+off+64(dst);  \
-	MOVL R14, 1*4+off+128(dst);  \
-	MOVL R14, 6*4+off+192(dst);  \
-	MOVL R14, 13*4+off+256(dst); \
-	MOVL R14, 4*4+off+320(dst);  \
-	MOVL R14, 0*4+off+384(dst);  \
-	MOVL R14, 2*4+off+448(dst);  \
-	MOVL R14, 8*4+off+512(dst);  \
-	MOVL R14, 14*4+off+576(dst); \
-	SHRQ $32, R14;               \
-	MOVL R14, 14*4+off+0(dst);   \
-	MOVL R14, 3*4+off+64(dst);   \
-	MOVL R14, 7*4+off+128(dst);  \
-	MOVL R14, 2*4+off+192(dst);  \
-	MOVL R14, 15*4+off+256(dst); \
-	MOVL R14, 12*4+off+320(dst); \
-	MOVL R14, 6*4+off+384(dst);  \
-	MOVL R14, 0*4+off+448(dst);  \
-	MOVL R14, 9*4+off+512(dst);  \
-	MOVL R14, 11*4+off+576(dst); \
-	                             \
-	MOVL R15, 11*4+off+0(dst);   \
-	MOVL R15, 0*4+off+64(dst);   \
-	MOVL R15, 12*4+off+128(dst); \
-	MOVL R15, 7*4+off+192(dst);  \
-	MOVL R15, 8*4+off+256(dst);  \
-	MOVL R15, 14*4+off+320(dst); \
-	MOVL R15, 2*4+off+384(dst);  \
-	MOVL R15, 5*4+off+448(dst);  \
-	MOVL R15, 1*4+off+512(dst);  \
-	MOVL R15, 13*4+off+576(dst); \
-	SHRQ $32, R15;               \
-	MOVL R15, 15*4+off+0(dst);   \
-	MOVL R15, 6*4+off+64(dst);   \
-	MOVL R15, 3*4+off+128(dst);  \
-	MOVL R15, 11*4+off+192(dst); \
-	MOVL R15, 7*4+off+256(dst);  \
-	MOVL R15, 10*4+off+320(dst); \
-	MOVL R15, 5*4+off+384(dst);  \
-	MOVL R15, 9*4+off+448(dst);  \
-	MOVL R15, 4*4+off+512(dst);  \
-	MOVL R15, 8*4+off+576(dst)
-
-#define BLAKE2s_SSE2() \
-	PRECOMPUTE_MSG(SP, 16, SI, R8, R9, R10, R11, R12, R13, R14, R15);               \
-	ROUND_SSE2(X4, X5, X6, X7, 16(SP), 32(SP), 48(SP), 64(SP), X8);                 \
-	ROUND_SSE2(X4, X5, X6, X7, 16+64(SP), 32+64(SP), 48+64(SP), 64+64(SP), X8);     \
-	ROUND_SSE2(X4, X5, X6, X7, 16+128(SP), 32+128(SP), 48+128(SP), 64+128(SP), X8); \
-	ROUND_SSE2(X4, X5, X6, X7, 16+192(SP), 32+192(SP), 48+192(SP), 64+192(SP), X8); \
-	ROUND_SSE2(X4, X5, X6, X7, 16+256(SP), 32+256(SP), 48+256(SP), 64+256(SP), X8); \
-	ROUND_SSE2(X4, X5, X6, X7, 16+320(SP), 32+320(SP), 48+320(SP), 64+320(SP), X8); \
-	ROUND_SSE2(X4, X5, X6, X7, 16+384(SP), 32+384(SP), 48+384(SP), 64+384(SP), X8); \
-	ROUND_SSE2(X4, X5, X6, X7, 16+448(SP), 32+448(SP), 48+448(SP), 64+448(SP), X8); \
-	ROUND_SSE2(X4, X5, X6, X7, 16+512(SP), 32+512(SP), 48+512(SP), 64+512(SP), X8); \
-	ROUND_SSE2(X4, X5, X6, X7, 16+576(SP), 32+576(SP), 48+576(SP), 64+576(SP), X8)
-
-#define BLAKE2s_SSSE3() \
-	PRECOMPUTE_MSG(SP, 16, SI, R8, R9, R10, R11, R12, R13, R14, R15);                          \
-	ROUND_SSSE3(X4, X5, X6, X7, 16(SP), 32(SP), 48(SP), 64(SP), X8, X13, X14);                 \
-	ROUND_SSSE3(X4, X5, X6, X7, 16+64(SP), 32+64(SP), 48+64(SP), 64+64(SP), X8, X13, X14);     \
-	ROUND_SSSE3(X4, X5, X6, X7, 16+128(SP), 32+128(SP), 48+128(SP), 64+128(SP), X8, X13, X14); \
-	ROUND_SSSE3(X4, X5, X6, X7, 16+192(SP), 32+192(SP), 48+192(SP), 64+192(SP), X8, X13, X14); \
-	ROUND_SSSE3(X4, X5, X6, X7, 16+256(SP), 32+256(SP), 48+256(SP), 64+256(SP), X8, X13, X14); \
-	ROUND_SSSE3(X4, X5, X6, X7, 16+320(SP), 32+320(SP), 48+320(SP), 64+320(SP), X8, X13, X14); \
-	ROUND_SSSE3(X4, X5, X6, X7, 16+384(SP), 32+384(SP), 48+384(SP), 64+384(SP), X8, X13, X14); \
-	ROUND_SSSE3(X4, X5, X6, X7, 16+448(SP), 32+448(SP), 48+448(SP), 64+448(SP), X8, X13, X14); \
-	ROUND_SSSE3(X4, X5, X6, X7, 16+512(SP), 32+512(SP), 48+512(SP), 64+512(SP), X8, X13, X14); \
-	ROUND_SSSE3(X4, X5, X6, X7, 16+576(SP), 32+576(SP), 48+576(SP), 64+576(SP), X8, X13, X14)
-
-#define BLAKE2s_SSE4() \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14);                               \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14);                               \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 11, 12, 5, 15, 8, 0, 2, 13, 10, 3, 7, 9, 14, 6, 1, 4); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14);                               \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 7, 3, 13, 11, 9, 1, 12, 14, 2, 5, 4, 15, 6, 10, 0, 8); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14);                               \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 9, 5, 2, 10, 0, 7, 4, 15, 14, 11, 6, 3, 1, 12, 8, 13); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14);                               \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 2, 6, 0, 8, 12, 10, 11, 3, 4, 7, 15, 1, 13, 5, 14, 9); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14);                               \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 12, 1, 14, 4, 5, 15, 13, 10, 0, 6, 9, 8, 7, 3, 2, 11); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14);                               \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 13, 7, 12, 3, 11, 14, 1, 9, 5, 15, 8, 2, 0, 4, 6, 10); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14);                               \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 6, 14, 11, 0, 15, 9, 3, 8, 12, 13, 1, 10, 2, 7, 4, 5); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14);                               \
-	LOAD_MSG_SSE4(X8, X9, X10, X11, SI, 10, 8, 7, 1, 2, 4, 6, 5, 15, 9, 3, 13, 11, 14, 12, 0); \
-	ROUND_SSSE3(X4, X5, X6, X7, X8, X9, X10, X11, X8, X13, X14)
-
-#define HASH_BLOCKS(h, c, flag, blocks_base, blocks_len, BLAKE2s_FUNC) \
-	MOVQ  h, AX;                   \
-	MOVQ  c, BX;                   \
-	MOVL  flag, CX;                \
-	MOVQ  blocks_base, SI;         \
-	MOVQ  blocks_len, DX;          \
-	                               \
-	MOVQ  SP, BP;                  \
-	MOVQ  SP, R9;                  \
-	ADDQ  $15, R9;                 \
-	ANDQ  $~15, R9;                \
-	MOVQ  R9, SP;                  \
-	                               \
-	MOVQ  0(BX), R9;               \
-	MOVQ  R9, 0(SP);               \
-	XORQ  R9, R9;                  \
-	MOVQ  R9, 8(SP);               \
-	MOVL  CX, 8(SP);               \
-	                               \
-	MOVOU 0(AX), X0;               \
-	MOVOU 16(AX), X1;              \
-	MOVOU iv0<>(SB), X2;           \
-	MOVOU iv1<>(SB), X3            \
-	                               \
-	MOVOU counter<>(SB), X12;      \
-	MOVOU rol16<>(SB), X13;        \
-	MOVOU rol8<>(SB), X14;         \
-	MOVO  0(SP), X15;              \
-	                               \
-	loop:                          \
-	MOVO  X0, X4;                  \
-	MOVO  X1, X5;                  \
-	MOVO  X2, X6;                  \
-	MOVO  X3, X7;                  \
-	                               \
-	PADDQ X12, X15;                \
-	PXOR  X15, X7;                 \
-	                               \
-	BLAKE2s_FUNC();                \
-	                               \
-	PXOR  X4, X0;                  \
-	PXOR  X5, X1;                  \
-	PXOR  X6, X0;                  \
-	PXOR  X7, X1;                  \
-	                               \
-	LEAQ  64(SI), SI;              \
-	SUBQ  $64, DX;                 \
-	JNE   loop;                    \
-	                               \
-	MOVO  X15, 0(SP);              \
-	MOVQ  0(SP), R9;               \
-	MOVQ  R9, 0(BX);               \
-	                               \
-	MOVOU X0, 0(AX);               \
-	MOVOU X1, 16(AX);              \
-	                               \
-	MOVQ  BP, SP
-
-// func hashBlocksSSE2(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-TEXT ·hashBlocksSSE2(SB), 0, $672-48 // frame = 656 + 16 byte alignment
-	HASH_BLOCKS(h+0(FP), c+8(FP), flag+16(FP), blocks_base+24(FP), blocks_len+32(FP), BLAKE2s_SSE2)
-	RET
-
-// func hashBlocksSSSE3(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-TEXT ·hashBlocksSSSE3(SB), 0, $672-48 // frame = 656 + 16 byte alignment
-	HASH_BLOCKS(h+0(FP), c+8(FP), flag+16(FP), blocks_base+24(FP), blocks_len+32(FP), BLAKE2s_SSSE3)
-	RET
-
-// func hashBlocksSSE4(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-TEXT ·hashBlocksSSE4(SB), 0, $32-48 // frame = 16 + 16 byte alignment
-	HASH_BLOCKS(h+0(FP), c+8(FP), flag+16(FP), blocks_base+24(FP), blocks_len+32(FP), BLAKE2s_SSE4)
-	RET
-
-// func supportSSE4() bool
-TEXT ·supportSSE4(SB), 4, $0-1
-	MOVL $1, AX
-	CPUID
-	SHRL $19, CX       // Bit 19 indicates SSE4.1.
-	ANDL $1, CX
-	MOVB CX, ret+0(FP)
-	RET
-
-// func supportSSSE3() bool
-TEXT ·supportSSSE3(SB), 4, $0-1
-	MOVL $1, AX
-	CPUID
-	MOVL CX, BX
-	ANDL $0x1, BX      // Bit zero indicates SSE3 support.
-	JZ   FALSE
-	ANDL $0x200, CX    // Bit nine indicates SSSE3 support.
-	JZ   FALSE
-	MOVB $1, ret+0(FP)
-	RET
-
-FALSE:
-	MOVB $0, ret+0(FP)
-	RET
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_generic.go b/vendor/golang.org/x/crypto/blake2s/blake2s_generic.go
deleted file mode 100644
index f7e06537..00000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_generic.go
+++ /dev/null
@@ -1,174 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2s
-
-// the precomputed values for BLAKE2s
-// there are 10 16-byte arrays - one for each round
-// the entries are calculated from the sigma constants.
-var precomputed = [10][16]byte{
-	{0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15},
-	{14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3},
-	{11, 12, 5, 15, 8, 0, 2, 13, 10, 3, 7, 9, 14, 6, 1, 4},
-	{7, 3, 13, 11, 9, 1, 12, 14, 2, 5, 4, 15, 6, 10, 0, 8},
-	{9, 5, 2, 10, 0, 7, 4, 15, 14, 11, 6, 3, 1, 12, 8, 13},
-	{2, 6, 0, 8, 12, 10, 11, 3, 4, 7, 15, 1, 13, 5, 14, 9},
-	{12, 1, 14, 4, 5, 15, 13, 10, 0, 6, 9, 8, 7, 3, 2, 11},
-	{13, 7, 12, 3, 11, 14, 1, 9, 5, 15, 8, 2, 0, 4, 6, 10},
-	{6, 14, 11, 0, 15, 9, 3, 8, 12, 13, 1, 10, 2, 7, 4, 5},
-	{10, 8, 7, 1, 2, 4, 6, 5, 15, 9, 3, 13, 11, 14, 12, 0},
-}
-
-func hashBlocksGeneric(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) {
-	var m [16]uint32
-	c0, c1 := c[0], c[1]
-
-	for i := 0; i < len(blocks); {
-		c0 += BlockSize
-		if c0 < BlockSize {
-			c1++
-		}
-
-		v0, v1, v2, v3, v4, v5, v6, v7 := h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]
-		v8, v9, v10, v11, v12, v13, v14, v15 := iv[0], iv[1], iv[2], iv[3], iv[4], iv[5], iv[6], iv[7]
-		v12 ^= c0
-		v13 ^= c1
-		v14 ^= flag
-
-		for j := range m {
-			m[j] = uint32(blocks[i]) | uint32(blocks[i+1])<<8 | uint32(blocks[i+2])<<16 | uint32(blocks[i+3])<<24
-			i += 4
-		}
-
-		for k := range precomputed {
-			s := &(precomputed[k])
-
-			v0 += m[s[0]]
-			v0 += v4
-			v12 ^= v0
-			v12 = v12<<(32-16) | v12>>16
-			v8 += v12
-			v4 ^= v8
-			v4 = v4<<(32-12) | v4>>12
-			v1 += m[s[1]]
-			v1 += v5
-			v13 ^= v1
-			v13 = v13<<(32-16) | v13>>16
-			v9 += v13
-			v5 ^= v9
-			v5 = v5<<(32-12) | v5>>12
-			v2 += m[s[2]]
-			v2 += v6
-			v14 ^= v2
-			v14 = v14<<(32-16) | v14>>16
-			v10 += v14
-			v6 ^= v10
-			v6 = v6<<(32-12) | v6>>12
-			v3 += m[s[3]]
-			v3 += v7
-			v15 ^= v3
-			v15 = v15<<(32-16) | v15>>16
-			v11 += v15
-			v7 ^= v11
-			v7 = v7<<(32-12) | v7>>12
-
-			v0 += m[s[4]]
-			v0 += v4
-			v12 ^= v0
-			v12 = v12<<(32-8) | v12>>8
-			v8 += v12
-			v4 ^= v8
-			v4 = v4<<(32-7) | v4>>7
-			v1 += m[s[5]]
-			v1 += v5
-			v13 ^= v1
-			v13 = v13<<(32-8) | v13>>8
-			v9 += v13
-			v5 ^= v9
-			v5 = v5<<(32-7) | v5>>7
-			v2 += m[s[6]]
-			v2 += v6
-			v14 ^= v2
-			v14 = v14<<(32-8) | v14>>8
-			v10 += v14
-			v6 ^= v10
-			v6 = v6<<(32-7) | v6>>7
-			v3 += m[s[7]]
-			v3 += v7
-			v15 ^= v3
-			v15 = v15<<(32-8) | v15>>8
-			v11 += v15
-			v7 ^= v11
-			v7 = v7<<(32-7) | v7>>7
-
-			v0 += m[s[8]]
-			v0 += v5
-			v15 ^= v0
-			v15 = v15<<(32-16) | v15>>16
-			v10 += v15
-			v5 ^= v10
-			v5 = v5<<(32-12) | v5>>12
-			v1 += m[s[9]]
-			v1 += v6
-			v12 ^= v1
-			v12 = v12<<(32-16) | v12>>16
-			v11 += v12
-			v6 ^= v11
-			v6 = v6<<(32-12) | v6>>12
-			v2 += m[s[10]]
-			v2 += v7
-			v13 ^= v2
-			v13 = v13<<(32-16) | v13>>16
-			v8 += v13
-			v7 ^= v8
-			v7 = v7<<(32-12) | v7>>12
-			v3 += m[s[11]]
-			v3 += v4
-			v14 ^= v3
-			v14 = v14<<(32-16) | v14>>16
-			v9 += v14
-			v4 ^= v9
-			v4 = v4<<(32-12) | v4>>12
-
-			v0 += m[s[12]]
-			v0 += v5
-			v15 ^= v0
-			v15 = v15<<(32-8) | v15>>8
-			v10 += v15
-			v5 ^= v10
-			v5 = v5<<(32-7) | v5>>7
-			v1 += m[s[13]]
-			v1 += v6
-			v12 ^= v1
-			v12 = v12<<(32-8) | v12>>8
-			v11 += v12
-			v6 ^= v11
-			v6 = v6<<(32-7) | v6>>7
-			v2 += m[s[14]]
-			v2 += v7
-			v13 ^= v2
-			v13 = v13<<(32-8) | v13>>8
-			v8 += v13
-			v7 ^= v8
-			v7 = v7<<(32-7) | v7>>7
-			v3 += m[s[15]]
-			v3 += v4
-			v14 ^= v3
-			v14 = v14<<(32-8) | v14>>8
-			v9 += v14
-			v4 ^= v9
-			v4 = v4<<(32-7) | v4>>7
-		}
-
-		h[0] ^= v0 ^ v8
-		h[1] ^= v1 ^ v9
-		h[2] ^= v2 ^ v10
-		h[3] ^= v3 ^ v11
-		h[4] ^= v4 ^ v12
-		h[5] ^= v5 ^ v13
-		h[6] ^= v6 ^ v14
-		h[7] ^= v7 ^ v15
-	}
-	c[0], c[1] = c0, c1
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_ref.go b/vendor/golang.org/x/crypto/blake2s/blake2s_ref.go
deleted file mode 100644
index a3112734..00000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_ref.go
+++ /dev/null
@@ -1,17 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !amd64,!386 gccgo appengine
-
-package blake2s
-
-var (
-	useSSE4  = false
-	useSSSE3 = false
-	useSSE2  = false
-)
-
-func hashBlocks(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) {
-	hashBlocksGeneric(h, c, flag, blocks)
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_test.go b/vendor/golang.org/x/crypto/blake2s/blake2s_test.go
deleted file mode 100644
index cfeb18bb..00000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_test.go
+++ /dev/null
@@ -1,1002 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2s
-
-import (
-	"encoding/hex"
-	"fmt"
-	"testing"
-)
-
-func TestHashes(t *testing.T) {
-	defer func(sse2, ssse3, sse4 bool) {
-		useSSE2, useSSSE3, useSSE4 = sse2, ssse3, sse4
-	}(useSSE2, useSSSE3, useSSE4)
-
-	if useSSE4 {
-		t.Log("SSE4 version")
-		testHashes(t)
-		testHashes128(t)
-		useSSE4 = false
-	}
-	if useSSSE3 {
-		t.Log("SSSE3 version")
-		testHashes(t)
-		testHashes128(t)
-		useSSSE3 = false
-	}
-	if useSSE2 {
-		t.Log("SSE2 version")
-		testHashes(t)
-		testHashes128(t)
-		useSSE2 = false
-	}
-
-	t.Log("generic version")
-	testHashes(t)
-	testHashes128(t)
-}
-
-func TestHashes2X(t *testing.T) {
-	defer func(sse2, ssse3, sse4 bool) {
-		useSSE2, useSSSE3, useSSE4 = sse2, ssse3, sse4
-	}(useSSE2, useSSSE3, useSSE4)
-
-	if useSSE4 {
-		t.Log("SSE4 version")
-		testHashes2X(t)
-		useSSE4 = false
-	}
-	if useSSSE3 {
-		t.Log("SSSE3 version")
-		testHashes2X(t)
-		useSSSE3 = false
-	}
-	if useSSE2 {
-		t.Log("SSE2 version")
-		testHashes2X(t)
-		useSSE2 = false
-	}
-
-	t.Log("generic version")
-	testHashes2X(t)
-}
-
-func testHashes(t *testing.T) {
-	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
-
-	input := make([]byte, 255)
-	for i := range input {
-		input[i] = byte(i)
-	}
-
-	for i, expectedHex := range hashes {
-		h, err := New256(key)
-		if err != nil {
-			t.Fatalf("#%d: error from New256: %v", i, err)
-		}
-
-		h.Write(input[:i])
-		sum := h.Sum(nil)
-
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (single write): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-
-		h.Reset()
-		for j := 0; j < i; j++ {
-			h.Write(input[j : j+1])
-		}
-
-		sum = h.Sum(sum[:0])
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (byte-by-byte): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-	}
-}
-
-func testHashes128(t *testing.T) {
-	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
-
-	input := make([]byte, 255)
-	for i := range input {
-		input[i] = byte(i)
-	}
-
-	for i, expectedHex := range hashes128 {
-		h, err := New128(key)
-		if err != nil {
-			t.Fatalf("#%d: error from New128: %v", i, err)
-		}
-
-		h.Write(input[:i])
-		sum := h.Sum(nil)
-
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (single write): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-
-		h.Reset()
-		for j := 0; j < i; j++ {
-			h.Write(input[j : j+1])
-		}
-
-		sum = h.Sum(sum[:0])
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (byte-by-byte): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-	}
-}
-
-func testHashes2X(t *testing.T) {
-	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
-
-	input := make([]byte, 256)
-	for i := range input {
-		input[i] = byte(i)
-	}
-
-	for i, expectedHex := range hashes2X {
-		length := uint16(len(expectedHex) / 2)
-		sum := make([]byte, int(length))
-
-		h, err := NewXOF(length, key)
-		if err != nil {
-			t.Fatalf("#%d: error from NewXOF: %v", i, err)
-		}
-
-		if _, err := h.Write(input); err != nil {
-			t.Fatalf("#%d (single write): error from Write: %v", i, err)
-		}
-		if _, err := h.Read(sum); err != nil {
-			t.Fatalf("#%d (single write): error from Read: %v", i, err)
-		}
-
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (single write): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-
-		h.Reset()
-		for j := 0; j < len(input); j++ {
-			h.Write(input[j : j+1])
-		}
-		for j := 0; j < len(sum); j++ {
-			h = h.Clone()
-			if _, err := h.Read(sum[j : j+1]); err != nil {
-				t.Fatalf("#%d (byte-by-byte) - Read %d: error from Read: %v", i, j, err)
-			}
-		}
-		if gotHex := fmt.Sprintf("%x", sum); gotHex != expectedHex {
-			t.Fatalf("#%d (byte-by-byte): got %s, wanted %s", i, gotHex, expectedHex)
-		}
-	}
-
-	h, err := NewXOF(OutputLengthUnknown, key)
-	if err != nil {
-		t.Fatalf("#unknown length: error from NewXOF: %v", err)
-	}
-	if _, err := h.Write(input); err != nil {
-		t.Fatalf("#unknown length: error from Write: %v", err)
-	}
-
-	var result [64]byte
-	if n, err := h.Read(result[:]); err != nil {
-		t.Fatalf("#unknown length: error from Read: %v", err)
-	} else if n != len(result) {
-		t.Fatalf("#unknown length: Read returned %d bytes, want %d", n, len(result))
-	}
-
-	const expected = "2a9a6977d915a2c4dd07dbcafe1918bf1682e56d9c8e567ecd19bfd7cd93528833c764d12b34a5e2a219c9fd463dab45e972c5574d73f45de5b2e23af72530d8"
-	if fmt.Sprintf("%x", result) != expected {
-		t.Fatalf("#unknown length: bad result %x, wanted %s", result, expected)
-	}
-}
-
-// Benchmarks
-
-func benchmarkSum(b *testing.B, size int) {
-	data := make([]byte, size)
-	b.SetBytes(int64(size))
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		Sum256(data)
-	}
-}
-
-func benchmarkWrite(b *testing.B, size int) {
-	data := make([]byte, size)
-	h, _ := New256(nil)
-	b.SetBytes(int64(size))
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		h.Write(data)
-	}
-}
-
-func BenchmarkWrite64(b *testing.B) { benchmarkWrite(b, 64) }
-func BenchmarkWrite1K(b *testing.B) { benchmarkWrite(b, 1024) }
-
-func BenchmarkSum64(b *testing.B) { benchmarkSum(b, 64) }
-func BenchmarkSum1K(b *testing.B) { benchmarkSum(b, 1024) }
-
-// hashes is taken from https://blake2.net/blake2s-test.txt
-var hashes = []string{
-	"48a8997da407876b3d79c0d92325ad3b89cbb754d86ab71aee047ad345fd2c49",
-	"40d15fee7c328830166ac3f918650f807e7e01e177258cdc0a39b11f598066f1",
-	"6bb71300644cd3991b26ccd4d274acd1adeab8b1d7914546c1198bbe9fc9d803",
-	"1d220dbe2ee134661fdf6d9e74b41704710556f2f6e5a091b227697445dbea6b",
-	"f6c3fbadb4cc687a0064a5be6e791bec63b868ad62fba61b3757ef9ca52e05b2",
-	"49c1f21188dfd769aea0e911dd6b41f14dab109d2b85977aa3088b5c707e8598",
-	"fdd8993dcd43f696d44f3cea0ff35345234ec8ee083eb3cada017c7f78c17143",
-	"e6c8125637438d0905b749f46560ac89fd471cf8692e28fab982f73f019b83a9",
-	"19fc8ca6979d60e6edd3b4541e2f967ced740df6ec1eaebbfe813832e96b2974",
-	"a6ad777ce881b52bb5a4421ab6cdd2dfba13e963652d4d6d122aee46548c14a7",
-	"f5c4b2ba1a00781b13aba0425242c69cb1552f3f71a9a3bb22b4a6b4277b46dd",
-	"e33c4c9bd0cc7e45c80e65c77fa5997fec7002738541509e68a9423891e822a3",
-	"fba16169b2c3ee105be6e1e650e5cbf40746b6753d036ab55179014ad7ef6651",
-	"f5c4bec6d62fc608bf41cc115f16d61c7efd3ff6c65692bbe0afffb1fede7475",
-	"a4862e76db847f05ba17ede5da4e7f91b5925cf1ad4ba12732c3995742a5cd6e",
-	"65f4b860cd15b38ef814a1a804314a55be953caa65fd758ad989ff34a41c1eea",
-	"19ba234f0a4f38637d1839f9d9f76ad91c8522307143c97d5f93f69274cec9a7",
-	"1a67186ca4a5cb8e65fca0e2ecbc5ddc14ae381bb8bffeb9e0a103449e3ef03c",
-	"afbea317b5a2e89c0bd90ccf5d7fd0ed57fe585e4be3271b0a6bf0f5786b0f26",
-	"f1b01558ce541262f5ec34299d6fb4090009e3434be2f49105cf46af4d2d4124",
-	"13a0a0c86335635eaa74ca2d5d488c797bbb4f47dc07105015ed6a1f3309efce",
-	"1580afeebebb346f94d59fe62da0b79237ead7b1491f5667a90e45edf6ca8b03",
-	"20be1a875b38c573dd7faaa0de489d655c11efb6a552698e07a2d331b5f655c3",
-	"be1fe3c4c04018c54c4a0f6b9a2ed3c53abe3a9f76b4d26de56fc9ae95059a99",
-	"e3e3ace537eb3edd8463d9ad3582e13cf86533ffde43d668dd2e93bbdbd7195a",
-	"110c50c0bf2c6e7aeb7e435d92d132ab6655168e78a2decdec3330777684d9c1",
-	"e9ba8f505c9c80c08666a701f3367e6cc665f34b22e73c3c0417eb1c2206082f",
-	"26cd66fca02379c76df12317052bcafd6cd8c3a7b890d805f36c49989782433a",
-	"213f3596d6e3a5d0e9932cd2159146015e2abc949f4729ee2632fe1edb78d337",
-	"1015d70108e03be1c702fe97253607d14aee591f2413ea6787427b6459ff219a",
-	"3ca989de10cfe609909472c8d35610805b2f977734cf652cc64b3bfc882d5d89",
-	"b6156f72d380ee9ea6acd190464f2307a5c179ef01fd71f99f2d0f7a57360aea",
-	"c03bc642b20959cbe133a0303e0c1abff3e31ec8e1a328ec8565c36decff5265",
-	"2c3e08176f760c6264c3a2cd66fec6c3d78de43fc192457b2a4a660a1e0eb22b",
-	"f738c02f3c1b190c512b1a32deabf353728e0e9ab034490e3c3409946a97aeec",
-	"8b1880df301cc963418811088964839287ff7fe31c49ea6ebd9e48bdeee497c5",
-	"1e75cb21c60989020375f1a7a242839f0b0b68973a4c2a05cf7555ed5aaec4c1",
-	"62bf8a9c32a5bccf290b6c474d75b2a2a4093f1a9e27139433a8f2b3bce7b8d7",
-	"166c8350d3173b5e702b783dfd33c66ee0432742e9b92b997fd23c60dc6756ca",
-	"044a14d822a90cacf2f5a101428adc8f4109386ccb158bf905c8618b8ee24ec3",
-	"387d397ea43a994be84d2d544afbe481a2000f55252696bba2c50c8ebd101347",
-	"56f8ccf1f86409b46ce36166ae9165138441577589db08cbc5f66ca29743b9fd",
-	"9706c092b04d91f53dff91fa37b7493d28b576b5d710469df79401662236fc03",
-	"877968686c068ce2f7e2adcff68bf8748edf3cf862cfb4d3947a3106958054e3",
-	"8817e5719879acf7024787eccdb271035566cfa333e049407c0178ccc57a5b9f",
-	"8938249e4b50cadaccdf5b18621326cbb15253e33a20f5636e995d72478de472",
-	"f164abba4963a44d107257e3232d90aca5e66a1408248c51741e991db5227756",
-	"d05563e2b1cba0c4a2a1e8bde3a1a0d9f5b40c85a070d6f5fb21066ead5d0601",
-	"03fbb16384f0a3866f4c3117877666efbf124597564b293d4aab0d269fabddfa",
-	"5fa8486ac0e52964d1881bbe338eb54be2f719549224892057b4da04ba8b3475",
-	"cdfabcee46911111236a31708b2539d71fc211d9b09c0d8530a11e1dbf6eed01",
-	"4f82de03b9504793b82a07a0bdcdff314d759e7b62d26b784946b0d36f916f52",
-	"259ec7f173bcc76a0994c967b4f5f024c56057fb79c965c4fae41875f06a0e4c",
-	"193cc8e7c3e08bb30f5437aa27ade1f142369b246a675b2383e6da9b49a9809e",
-	"5c10896f0e2856b2a2eee0fe4a2c1633565d18f0e93e1fab26c373e8f829654d",
-	"f16012d93f28851a1eb989f5d0b43f3f39ca73c9a62d5181bff237536bd348c3",
-	"2966b3cfae1e44ea996dc5d686cf25fa053fb6f67201b9e46eade85d0ad6b806",
-	"ddb8782485e900bc60bcf4c33a6fd585680cc683d516efa03eb9985fad8715fb",
-	"4c4d6e71aea05786413148fc7a786b0ecaf582cff1209f5a809fba8504ce662c",
-	"fb4c5e86d7b2229b99b8ba6d94c247ef964aa3a2bae8edc77569f28dbbff2d4e",
-	"e94f526de9019633ecd54ac6120f23958d7718f1e7717bf329211a4faeed4e6d",
-	"cbd6660a10db3f23f7a03d4b9d4044c7932b2801ac89d60bc9eb92d65a46c2a0",
-	"8818bbd3db4dc123b25cbba5f54c2bc4b3fcf9bf7d7a7709f4ae588b267c4ece",
-	"c65382513f07460da39833cb666c5ed82e61b9e998f4b0c4287cee56c3cc9bcd",
-	"8975b0577fd35566d750b362b0897a26c399136df07bababbde6203ff2954ed4",
-	"21fe0ceb0052be7fb0f004187cacd7de67fa6eb0938d927677f2398c132317a8",
-	"2ef73f3c26f12d93889f3c78b6a66c1d52b649dc9e856e2c172ea7c58ac2b5e3",
-	"388a3cd56d73867abb5f8401492b6e2681eb69851e767fd84210a56076fb3dd3",
-	"af533e022fc9439e4e3cb838ecd18692232adf6fe9839526d3c3dd1b71910b1a",
-	"751c09d41a9343882a81cd13ee40818d12eb44c6c7f40df16e4aea8fab91972a",
-	"5b73ddb68d9d2b0aa265a07988d6b88ae9aac582af83032f8a9b21a2e1b7bf18",
-	"3da29126c7c5d7f43e64242a79feaa4ef3459cdeccc898ed59a97f6ec93b9dab",
-	"566dc920293da5cb4fe0aa8abda8bbf56f552313bff19046641e3615c1e3ed3f",
-	"4115bea02f73f97f629e5c5590720c01e7e449ae2a6697d4d2783321303692f9",
-	"4ce08f4762468a7670012164878d68340c52a35e66c1884d5c864889abc96677",
-	"81ea0b7804124e0c22ea5fc71104a2afcb52a1fa816f3ecb7dcb5d9dea1786d0",
-	"fe362733b05f6bedaf9379d7f7936ede209b1f8323c3922549d9e73681b5db7b",
-	"eff37d30dfd20359be4e73fdf40d27734b3df90a97a55ed745297294ca85d09f",
-	"172ffc67153d12e0ca76a8b6cd5d4731885b39ce0cac93a8972a18006c8b8baf",
-	"c47957f1cc88e83ef9445839709a480a036bed5f88ac0fcc8e1e703ffaac132c",
-	"30f3548370cfdceda5c37b569b6175e799eef1a62aaa943245ae7669c227a7b5",
-	"c95dcb3cf1f27d0eef2f25d2413870904a877c4a56c2de1e83e2bc2ae2e46821",
-	"d5d0b5d705434cd46b185749f66bfb5836dcdf6ee549a2b7a4aee7f58007caaf",
-	"bbc124a712f15d07c300e05b668389a439c91777f721f8320c1c9078066d2c7e",
-	"a451b48c35a6c7854cfaae60262e76990816382ac0667e5a5c9e1b46c4342ddf",
-	"b0d150fb55e778d01147f0b5d89d99ecb20ff07e5e6760d6b645eb5b654c622b",
-	"34f737c0ab219951eee89a9f8dac299c9d4c38f33fa494c5c6eefc92b6db08bc",
-	"1a62cc3a00800dcbd99891080c1e098458193a8cc9f970ea99fbeff00318c289",
-	"cfce55ebafc840d7ae48281c7fd57ec8b482d4b704437495495ac414cf4a374b",
-	"6746facf71146d999dabd05d093ae586648d1ee28e72617b99d0f0086e1e45bf",
-	"571ced283b3f23b4e750bf12a2caf1781847bd890e43603cdc5976102b7bb11b",
-	"cfcb765b048e35022c5d089d26e85a36b005a2b80493d03a144e09f409b6afd1",
-	"4050c7a27705bb27f42089b299f3cbe5054ead68727e8ef9318ce6f25cd6f31d",
-	"184070bd5d265fbdc142cd1c5cd0d7e414e70369a266d627c8fba84fa5e84c34",
-	"9edda9a4443902a9588c0d0ccc62b930218479a6841e6fe7d43003f04b1fd643",
-	"e412feef7908324a6da1841629f35d3d358642019310ec57c614836b63d30763",
-	"1a2b8edff3f9acc1554fcbae3cf1d6298c6462e22e5eb0259684f835012bd13f",
-	"288c4ad9b9409762ea07c24a41f04f69a7d74bee2d95435374bde946d7241c7b",
-	"805691bb286748cfb591d3aebe7e6f4e4dc6e2808c65143cc004e4eb6fd09d43",
-	"d4ac8d3a0afc6cfa7b460ae3001baeb36dadb37da07d2e8ac91822df348aed3d",
-	"c376617014d20158bced3d3ba552b6eccf84e62aa3eb650e90029c84d13eea69",
-	"c41f09f43cecae7293d6007ca0a357087d5ae59be500c1cd5b289ee810c7b082",
-	"03d1ced1fba5c39155c44b7765cb760c78708dcfc80b0bd8ade3a56da8830b29",
-	"09bde6f152218dc92c41d7f45387e63e5869d807ec70b821405dbd884b7fcf4b",
-	"71c9036e18179b90b37d39e9f05eb89cc5fc341fd7c477d0d7493285faca08a4",
-	"5916833ebb05cd919ca7fe83b692d3205bef72392b2cf6bb0a6d43f994f95f11",
-	"f63aab3ec641b3b024964c2b437c04f6043c4c7e0279239995401958f86bbe54",
-	"f172b180bfb09740493120b6326cbdc561e477def9bbcfd28cc8c1c5e3379a31",
-	"cb9b89cc18381dd9141ade588654d4e6a231d5bf49d4d59ac27d869cbe100cf3",
-	"7bd8815046fdd810a923e1984aaebdcdf84d87c8992d68b5eeb460f93eb3c8d7",
-	"607be66862fd08ee5b19facac09dfdbcd40c312101d66e6ebd2b841f1b9a9325",
-	"9fe03bbe69ab1834f5219b0da88a08b30a66c5913f0151963c360560db0387b3",
-	"90a83585717b75f0e9b725e055eeeeb9e7a028ea7e6cbc07b20917ec0363e38c",
-	"336ea0530f4a7469126e0218587ebbde3358a0b31c29d200f7dc7eb15c6aadd8",
-	"a79e76dc0abca4396f0747cd7b748df913007626b1d659da0c1f78b9303d01a3",
-	"44e78a773756e0951519504d7038d28d0213a37e0ce375371757bc996311e3b8",
-	"77ac012a3f754dcfeab5eb996be9cd2d1f96111b6e49f3994df181f28569d825",
-	"ce5a10db6fccdaf140aaa4ded6250a9c06e9222bc9f9f3658a4aff935f2b9f3a",
-	"ecc203a7fe2be4abd55bb53e6e673572e0078da8cd375ef430cc97f9f80083af",
-	"14a5186de9d7a18b0412b8563e51cc5433840b4a129a8ff963b33a3c4afe8ebb",
-	"13f8ef95cb86e6a638931c8e107673eb76ba10d7c2cd70b9d9920bbeed929409",
-	"0b338f4ee12f2dfcb78713377941e0b0632152581d1332516e4a2cab1942cca4",
-	"eaab0ec37b3b8ab796e9f57238de14a264a076f3887d86e29bb5906db5a00e02",
-	"23cb68b8c0e6dc26dc27766ddc0a13a99438fd55617aa4095d8f969720c872df",
-	"091d8ee30d6f2968d46b687dd65292665742de0bb83dcc0004c72ce10007a549",
-	"7f507abc6d19ba00c065a876ec5657868882d18a221bc46c7a6912541f5bc7ba",
-	"a0607c24e14e8c223db0d70b4d30ee88014d603f437e9e02aa7dafa3cdfbad94",
-	"ddbfea75cc467882eb3483ce5e2e756a4f4701b76b445519e89f22d60fa86e06",
-	"0c311f38c35a4fb90d651c289d486856cd1413df9b0677f53ece2cd9e477c60a",
-	"46a73a8dd3e70f59d3942c01df599def783c9da82fd83222cd662b53dce7dbdf",
-	"ad038ff9b14de84a801e4e621ce5df029dd93520d0c2fa38bff176a8b1d1698c",
-	"ab70c5dfbd1ea817fed0cd067293abf319e5d7901c2141d5d99b23f03a38e748",
-	"1fffda67932b73c8ecaf009a3491a026953babfe1f663b0697c3c4ae8b2e7dcb",
-	"b0d2cc19472dd57f2b17efc03c8d58c2283dbb19da572f7755855aa9794317a0",
-	"a0d19a6ee33979c325510e276622df41f71583d07501b87071129a0ad94732a5",
-	"724642a7032d1062b89e52bea34b75df7d8fe772d9fe3c93ddf3c4545ab5a99b",
-	"ade5eaa7e61f672d587ea03dae7d7b55229c01d06bc0a5701436cbd18366a626",
-	"013b31ebd228fcdda51fabb03bb02d60ac20ca215aafa83bdd855e3755a35f0b",
-	"332ed40bb10dde3c954a75d7b8999d4b26a1c063c1dc6e32c1d91bab7bbb7d16",
-	"c7a197b3a05b566bcc9facd20e441d6f6c2860ac9651cd51d6b9d2cdeeea0390",
-	"bd9cf64ea8953c037108e6f654914f3958b68e29c16700dc184d94a21708ff60",
-	"8835b0ac021151df716474ce27ce4d3c15f0b2dab48003cf3f3efd0945106b9a",
-	"3bfefa3301aa55c080190cffda8eae51d9af488b4c1f24c3d9a75242fd8ea01d",
-	"08284d14993cd47d53ebaecf0df0478cc182c89c00e1859c84851686ddf2c1b7",
-	"1ed7ef9f04c2ac8db6a864db131087f27065098e69c3fe78718d9b947f4a39d0",
-	"c161f2dcd57e9c1439b31a9dd43d8f3d7dd8f0eb7cfac6fb25a0f28e306f0661",
-	"c01969ad34c52caf3dc4d80d19735c29731ac6e7a92085ab9250c48dea48a3fc",
-	"1720b3655619d2a52b3521ae0e49e345cb3389ebd6208acaf9f13fdacca8be49",
-	"756288361c83e24c617cf95c905b22d017cdc86f0bf1d658f4756c7379873b7f",
-	"e7d0eda3452693b752abcda1b55e276f82698f5f1605403eff830bea0071a394",
-	"2c82ecaa6b84803e044af63118afe544687cb6e6c7df49ed762dfd7c8693a1bc",
-	"6136cbf4b441056fa1e2722498125d6ded45e17b52143959c7f4d4e395218ac2",
-	"721d3245aafef27f6a624f47954b6c255079526ffa25e9ff77e5dcff473b1597",
-	"9dd2fbd8cef16c353c0ac21191d509eb28dd9e3e0d8cea5d26ca839393851c3a",
-	"b2394ceacdebf21bf9df2ced98e58f1c3a4bbbff660dd900f62202d6785cc46e",
-	"57089f222749ad7871765f062b114f43ba20ec56422a8b1e3f87192c0ea718c6",
-	"e49a9459961cd33cdf4aae1b1078a5dea7c040e0fea340c93a724872fc4af806",
-	"ede67f720effd2ca9c88994152d0201dee6b0a2d2c077aca6dae29f73f8b6309",
-	"e0f434bf22e3088039c21f719ffc67f0f2cb5e98a7a0194c76e96bf4e8e17e61",
-	"277c04e2853484a4eba910ad336d01b477b67cc200c59f3c8d77eef8494f29cd",
-	"156d5747d0c99c7f27097d7b7e002b2e185cb72d8dd7eb424a0321528161219f",
-	"20ddd1ed9b1ca803946d64a83ae4659da67fba7a1a3eddb1e103c0f5e03e3a2c",
-	"f0af604d3dabbf9a0f2a7d3dda6bd38bba72c6d09be494fcef713ff10189b6e6",
-	"9802bb87def4cc10c4a5fd49aa58dfe2f3fddb46b4708814ead81d23ba95139b",
-	"4f8ce1e51d2fe7f24043a904d898ebfc91975418753413aa099b795ecb35cedb",
-	"bddc6514d7ee6ace0a4ac1d0e068112288cbcf560454642705630177cba608bd",
-	"d635994f6291517b0281ffdd496afa862712e5b3c4e52e4cd5fdae8c0e72fb08",
-	"878d9ca600cf87e769cc305c1b35255186615a73a0da613b5f1c98dbf81283ea",
-	"a64ebe5dc185de9fdde7607b6998702eb23456184957307d2fa72e87a47702d6",
-	"ce50eab7b5eb52bdc9ad8e5a480ab780ca9320e44360b1fe37e03f2f7ad7de01",
-	"eeddb7c0db6e30abe66d79e327511e61fcebbc29f159b40a86b046ecf0513823",
-	"787fc93440c1ec96b5ad01c16cf77916a1405f9426356ec921d8dff3ea63b7e0",
-	"7f0d5eab47eefda696c0bf0fbf86ab216fce461e9303aba6ac374120e890e8df",
-	"b68004b42f14ad029f4c2e03b1d5eb76d57160e26476d21131bef20ada7d27f4",
-	"b0c4eb18ae250b51a41382ead92d0dc7455f9379fc9884428e4770608db0faec",
-	"f92b7a870c059f4d46464c824ec96355140bdce681322cc3a992ff103e3fea52",
-	"5364312614813398cc525d4c4e146edeb371265fba19133a2c3d2159298a1742",
-	"f6620e68d37fb2af5000fc28e23b832297ecd8bce99e8be4d04e85309e3d3374",
-	"5316a27969d7fe04ff27b283961bffc3bf5dfb32fb6a89d101c6c3b1937c2871",
-	"81d1664fdf3cb33c24eebac0bd64244b77c4abea90bbe8b5ee0b2aafcf2d6a53",
-	"345782f295b0880352e924a0467b5fbc3e8f3bfbc3c7e48b67091fb5e80a9442",
-	"794111ea6cd65e311f74ee41d476cb632ce1e4b051dc1d9e9d061a19e1d0bb49",
-	"2a85daf6138816b99bf8d08ba2114b7ab07975a78420c1a3b06a777c22dd8bcb",
-	"89b0d5f289ec16401a069a960d0b093e625da3cf41ee29b59b930c5820145455",
-	"d0fdcb543943fc27d20864f52181471b942cc77ca675bcb30df31d358ef7b1eb",
-	"b17ea8d77063c709d4dc6b879413c343e3790e9e62ca85b7900b086f6b75c672",
-	"e71a3e2c274db842d92114f217e2c0eac8b45093fdfd9df4ca7162394862d501",
-	"c0476759ab7aa333234f6b44f5fd858390ec23694c622cb986e769c78edd733e",
-	"9ab8eabb1416434d85391341d56993c55458167d4418b19a0f2ad8b79a83a75b",
-	"7992d0bbb15e23826f443e00505d68d3ed7372995a5c3e498654102fbcd0964e",
-	"c021b30085151435df33b007ccecc69df1269f39ba25092bed59d932ac0fdc28",
-	"91a25ec0ec0d9a567f89c4bfe1a65a0e432d07064b4190e27dfb81901fd3139b",
-	"5950d39a23e1545f301270aa1a12f2e6c453776e4d6355de425cc153f9818867",
-	"d79f14720c610af179a3765d4b7c0968f977962dbf655b521272b6f1e194488e",
-	"e9531bfc8b02995aeaa75ba27031fadbcbf4a0dab8961d9296cd7e84d25d6006",
-	"34e9c26a01d7f16181b454a9d1623c233cb99d31c694656e9413aca3e918692f",
-	"d9d7422f437bd439ddd4d883dae2a08350173414be78155133fff1964c3d7972",
-	"4aee0c7aaf075414ff1793ead7eaca601775c615dbd60b640b0a9f0ce505d435",
-	"6bfdd15459c83b99f096bfb49ee87b063d69c1974c6928acfcfb4099f8c4ef67",
-	"9fd1c408fd75c336193a2a14d94f6af5adf050b80387b4b010fb29f4cc72707c",
-	"13c88480a5d00d6c8c7ad2110d76a82d9b70f4fa6696d4e5dd42a066dcaf9920",
-	"820e725ee25fe8fd3a8d5abe4c46c3ba889de6fa9191aa22ba67d5705421542b",
-	"32d93a0eb02f42fbbcaf2bad0085b282e46046a4df7ad10657c9d6476375b93e",
-	"adc5187905b1669cd8ec9c721e1953786b9d89a9bae30780f1e1eab24a00523c",
-	"e90756ff7f9ad810b239a10ced2cf9b2284354c1f8c7e0accc2461dc796d6e89",
-	"1251f76e56978481875359801db589a0b22f86d8d634dc04506f322ed78f17e8",
-	"3afa899fd980e73ecb7f4d8b8f291dc9af796bc65d27f974c6f193c9191a09fd",
-	"aa305be26e5deddc3c1010cbc213f95f051c785c5b431e6a7cd048f161787528",
-	"8ea1884ff32e9d10f039b407d0d44e7e670abd884aeee0fb757ae94eaa97373d",
-	"d482b2155d4dec6b4736a1f1617b53aaa37310277d3fef0c37ad41768fc235b4",
-	"4d413971387e7a8898a8dc2a27500778539ea214a2dfe9b3d7e8ebdce5cf3db3",
-	"696e5d46e6c57e8796e4735d08916e0b7929b3cf298c296d22e9d3019653371c",
-	"1f5647c1d3b088228885865c8940908bf40d1a8272821973b160008e7a3ce2eb",
-	"b6e76c330f021a5bda65875010b0edf09126c0f510ea849048192003aef4c61c",
-	"3cd952a0beada41abb424ce47f94b42be64e1ffb0fd0782276807946d0d0bc55",
-	"98d92677439b41b7bb513312afb92bcc8ee968b2e3b238cecb9b0f34c9bb63d0",
-	"ecbca2cf08ae57d517ad16158a32bfa7dc0382eaeda128e91886734c24a0b29d",
-	"942cc7c0b52e2b16a4b89fa4fc7e0bf609e29a08c1a8543452b77c7bfd11bb28",
-	"8a065d8b61a0dffb170d5627735a76b0e9506037808cba16c345007c9f79cf8f",
-	"1b9fa19714659c78ff413871849215361029ac802b1cbcd54e408bd87287f81f",
-	"8dab071bcd6c7292a9ef727b4ae0d86713301da8618d9a48adce55f303a869a1",
-	"8253e3e7c7b684b9cb2beb014ce330ff3d99d17abbdbabe4f4d674ded53ffc6b",
-	"f195f321e9e3d6bd7d074504dd2ab0e6241f92e784b1aa271ff648b1cab6d7f6",
-	"27e4cc72090f241266476a7c09495f2db153d5bcbd761903ef79275ec56b2ed8",
-	"899c2405788e25b99a1846355e646d77cf400083415f7dc5afe69d6e17c00023",
-	"a59b78c4905744076bfee894de707d4f120b5c6893ea0400297d0bb834727632",
-	"59dc78b105649707a2bb4419c48f005400d3973de3736610230435b10424b24f",
-	"c0149d1d7e7a6353a6d906efe728f2f329fe14a4149a3ea77609bc42b975ddfa",
-	"a32f241474a6c16932e9243be0cf09bcdc7e0ca0e7a6a1b9b1a0f01e41502377",
-	"b239b2e4f81841361c1339f68e2c359f929af9ad9f34e01aab4631ad6d5500b0",
-	"85fb419c7002a3e0b4b6ea093b4c1ac6936645b65dac5ac15a8528b7b94c1754",
-	"9619720625f190b93a3fad186ab314189633c0d3a01e6f9bc8c4a8f82f383dbf",
-	"7d620d90fe69fa469a6538388970a1aa09bb48a2d59b347b97e8ce71f48c7f46",
-	"294383568596fb37c75bbacd979c5ff6f20a556bf8879cc72924855df9b8240e",
-	"16b18ab314359c2b833c1c6986d48c55a9fc97cde9a3c1f10a3177140f73f738",
-	"8cbbdd14bc33f04cf45813e4a153a273d36adad5ce71f499eeb87fb8ac63b729",
-	"69c9a498db174ecaefcc5a3ac9fdedf0f813a5bec727f1e775babdec7718816e",
-	"b462c3be40448f1d4f80626254e535b08bc9cdcff599a768578d4b2881a8e3f0",
-	"553e9d9c5f360ac0b74a7d44e5a391dad4ced03e0c24183b7e8ecabdf1715a64",
-	"7a7c55a56fa9ae51e655e01975d8a6ff4ae9e4b486fcbe4eac044588f245ebea",
-	"2afdf3c82abc4867f5de111286c2b3be7d6e48657ba923cfbf101a6dfcf9db9a",
-	"41037d2edcdce0c49b7fb4a6aa0999ca66976c7483afe631d4eda283144f6dfc",
-	"c4466f8497ca2eeb4583a0b08e9d9ac74395709fda109d24f2e4462196779c5d",
-	"75f609338aa67d969a2ae2a2362b2da9d77c695dfd1df7224a6901db932c3364",
-	"68606ceb989d5488fc7cf649f3d7c272ef055da1a93faecd55fe06f6967098ca",
-	"44346bdeb7e052f6255048f0d9b42c425bab9c3dd24168212c3ecf1ebf34e6ae",
-	"8e9cf6e1f366471f2ac7d2ee9b5e6266fda71f8f2e4109f2237ed5f8813fc718",
-	"84bbeb8406d250951f8c1b3e86a7c010082921833dfd9555a2f909b1086eb4b8",
-	"ee666f3eef0f7e2a9c222958c97eaf35f51ced393d714485ab09a069340fdf88",
-	"c153d34a65c47b4a62c5cacf24010975d0356b2f32c8f5da530d338816ad5de6",
-	"9fc5450109e1b779f6c7ae79d56c27635c8dd426c5a9d54e2578db989b8c3b4e",
-	"d12bf3732ef4af5c22fa90356af8fc50fcb40f8f2ea5c8594737a3b3d5abdbd7",
-	"11030b9289bba5af65260672ab6fee88b87420acef4a1789a2073b7ec2f2a09e",
-	"69cb192b8444005c8c0ceb12c846860768188cda0aec27a9c8a55cdee2123632",
-	"db444c15597b5f1a03d1f9edd16e4a9f43a667cc275175dfa2b704e3bb1a9b83",
-	"3fb735061abc519dfe979e54c1ee5bfad0a9d858b3315bad34bde999efd724dd",
-}
-
-var hashes128 = []string{
-	"9536f9b267655743dee97b8a670f9f53",
-	"13bacfb85b48a1223c595f8c1e7e82cb",
-	"d47a9b1645e2feae501cd5fe44ce6333",
-	"1e2a79436a7796a3e9826bfedf07659f",
-	"7640360ed3c4f3054dba79a21dda66b7",
-	"d1207ac2bf5ac84fc9ef016da5a46a86",
-	"3123987871e59305ece3125abfc0099a",
-	"cf9e072ad522f2cda2d825218086731c",
-	"95d22870392efe2846b12b6e8e84efbb",
-	"7d63c30e2d51333f245601b038c0b93b",
-	"ed608b98e13976bdf4bedc63fa35e443",
-	"ed704b5cd1abf8e0dd67a6ac667a3fa5",
-	"77dc70109827dc74c70fd26cba379ae5",
-	"d2bf34508b07825ee934f33958f4560e",
-	"a340baa7b8a93a6e658adef42e78eeb7",
-	"b85c5ceaecbe9a251eac76f6932ba395",
-	"246519722001f6e8e97a2183f5985e53",
-	"5bce5aa0b7c6cac2ecf6406183cd779a",
-	"13408f1647c02f6efd0047ad8344f695",
-	"a63970f196760aa36cb965ab62f0e0fa",
-	"bc26f48421dd99fd45e15e736d3e7dac",
-	"4c6f70f9e3237cde918afb52d26f1823",
-	"45ed610cfbc37db80c4bf0eef14ae8d6",
-	"87c4c150705ea5078209ec008200539c",
-	"54de21f5e0e6f2afe04daeb822b6931e",
-	"9732a04e505064e19de3d542e7e71631",
-	"d2bd27e95531d6957eef511c4ba64ad4",
-	"7a36c9f70dcc7c3063b547101a5f6c35",
-	"322007d1a44c4257bc7903b183305529",
-	"dbcc9a09f412290ca2e0d53dfd142ddb",
-	"df12ed43b8e53a56db20e0f83764002c",
-	"d114cc11e7d5b33a360c45f18d4c7c6e",
-	"c43b5e836af88620a8a71b1652cb8640",
-	"9491c653e8867ed73c1b4ac6b5a9bb4d",
-	"06d0e988df94ada6c6f9f36f588ab7c5",
-	"561efad2480e93262c8eeaa3677615c4",
-	"ba8ffc702e5adc93503045eca8702312",
-	"5782be6ccdc78c8425285e85de8ccdc6",
-	"aa1c4393e4c07b53ea6e2b5b1e970771",
-	"42a229dc50e52271c51e8666023ebc1e",
-	"53706110e919f84de7f8d6c7f0e7b831",
-	"fc5ac8ee39cc1dd1424391323e2901bd",
-	"bed27b62ff66cac2fbb68193c727106a",
-	"cd5e689b96d0b9ea7e08dac36f7b211e",
-	"0b4c7f604eba058d18e322c6e1baf173",
-	"eb838227fdfad09a27f0f8413120675d",
-	"3149cf9d19a7fd529e6154a8b4c3b3ad",
-	"ca1e20126df930fd5fb7afe4422191e5",
-	"b23398f910599f3c09b6549fa81bcb46",
-	"27fb17c11b34fa5d8b5afe5ee3321ead",
-	"0f665f5f04cf2d46b7fead1a1f328158",
-	"8f068be73b3681f99f3b282e3c02bba5",
-	"ba189bbd13808dcf4e002a4dd21660d5",
-	"2732dcd1b16668ae6ab6a61595d0d62a",
-	"d410ccdd059f0e02b472ec9ec54bdd3c",
-	"b2eaa07b055b3a03a399971327f7e8c2",
-	"2e8a225655e9f99b69c60dc8b4d8e566",
-	"4eb55416c853f2152e67f8a224133cec",
-	"49552403790d8de0505a8e317a443687",
-	"7f2747cd41f56942752e868212c7d5ac",
-	"02a28f10e193b430df7112d2d98cf759",
-	"d4213404a9f1cf759017747cf5958270",
-	"faa34884344f9c65e944882db8476d34",
-	"ece382a8bd5018f1de5da44b72cea75b",
-	"f1efa90d2547036841ecd3627fafbc36",
-	"811ff8686d23a435ecbd0bdafcd27b1b",
-	"b21beea9c7385f657a76558530438721",
-	"9cb969da4f1b4fc5b13bf78fe366f0c4",
-	"8850d16d7b614d3268ccfa009d33c7fc",
-	"aa98a2b6176ea86415b9aff3268c6f6d",
-	"ec3e1efa5ed195eff667e16b1af1e39e",
-	"e40787dca57411d2630db2de699beb08",
-	"554835890735babd06318de23d31e78a",
-	"493957feecddc302ee2bb2086b6ebfd3",
-	"f6069709ad5b0139163717e9ce1114ab",
-	"ba5ed386098da284484b211555505a01",
-	"9244c8dfad8cbb68c118fa51465b3ae4",
-	"51e309a5008eb1f5185e5cc007cfb36f",
-	"6ce9ff712121b4f6087955f4911eafd4",
-	"59b51d8dcda031218ccdd7c760828155",
-	"0012878767a3d4f1c8194458cf1f8832",
-	"82900708afd5b6582dc16f008c655edd",
-	"21302c7e39b5a4cdf1d6f86b4f00c9b4",
-	"e894c7431591eab8d1ce0fe2aa1f01df",
-	"b67e1c40ee9d988226d605621854d955",
-	"6237bdafa34137cbbec6be43ea9bd22c",
-	"4172a8e19b0dcb09b978bb9eff7af52b",
-	"5714abb55bd4448a5a6ad09fbd872fdf",
-	"7ce1700bef423e1f958a94a77a94d44a",
-	"3742ec50cded528527775833453e0b26",
-	"5d41b135724c7c9c689495324b162f18",
-	"85c523333c6442c202e9e6e0f1185f93",
-	"5c71f5222d40ff5d90e7570e71ab2d30",
-	"6e18912e83d012efb4c66250ced6f0d9",
-	"4add4448c2e35e0b138a0bac7b4b1775",
-	"c0376c6bc5e7b8b9d2108ec25d2aab53",
-	"f72261d5ed156765c977751c8a13fcc1",
-	"cff4156c48614b6ceed3dd6b9058f17e",
-	"36bfb513f76c15f514bcb593419835aa",
-	"166bf48c6bffaf8291e6fdf63854bef4",
-	"0b67d33f8b859c3157fbabd9e6e47ed0",
-	"e4da659ca76c88e73a9f9f10f3d51789",
-	"33c1ae2a86b3f51c0642e6ed5b5aa1f1",
-	"27469b56aca2334449c1cf4970dcd969",
-	"b7117b2e363378aa0901b0d6a9f6ddc0",
-	"a9578233b09e5cd5231943fdb12cd90d",
-	"486d7d75253598b716a068243c1c3e89",
-	"66f6b02d682b78ffdc85e9ec86852489",
-	"38a07b9a4b228fbcc305476e4d2e05d2",
-	"aedb61c7970e7d05bf9002dae3c6858c",
-	"c03ef441f7dd30fdb61ad2d4d8e4c7da",
-	"7f45cc1eea9a00cb6aeb2dd748361190",
-	"a59538b358459132e55160899e47bd65",
-	"137010fef72364411820c3fbed15c8df",
-	"d8362b93fc504500dbd33ac74e1b4d70",
-	"a7e49f12c8f47e3b29cf8c0889b0a9c8",
-	"072e94ffbfc684bd8ab2a1b9dade2fd5",
-	"5ab438584bd2229e452052e002631a5f",
-	"f233d14221097baef57d3ec205c9e086",
-	"3a95db000c4a8ff98dc5c89631a7f162",
-	"0544f18c2994ab4ddf1728f66041ff16",
-	"0bc02116c60a3cc331928d6c9d3ba37e",
-	"b189dca6cb5b813c74200834fba97f29",
-	"ac8aaab075b4a5bc24419da239212650",
-	"1e9f19323dc71c29ae99c479dc7e8df9",
-	"12d944c3fa7caa1b3d62adfc492274dd",
-	"b4c68f1fffe8f0030e9b18aad8c9dc96",
-	"25887fab1422700d7fa3edc0b20206e2",
-	"8c09f698d03eaf88abf69f8147865ef6",
-	"5c363ae42a5bec26fbc5e996428d9bd7",
-	"7fdfc2e854fbb3928150d5e3abcf56d6",
-	"f0c944023f714df115f9e4f25bcdb89b",
-	"6d19534b4c332741c8ddd79a9644de2d",
-	"32595eb23764fbfc2ee7822649f74a12",
-	"5a51391aab33c8d575019b6e76ae052a",
-	"98b861ce2c620f10f913af5d704a5afd",
-	"b7fe2fc8b77fb1ce434f8465c7ddf793",
-	"0e8406e0cf8e9cc840668ece2a0fc64e",
-	"b89922db99c58f6a128ccffe19b6ce60",
-	"e1be9af665f0932b77d7f5631a511db7",
-	"74b96f20f58de8dc9ff5e31f91828523",
-	"36a4cfef5a2a7d8548db6710e50b3009",
-	"007e95e8d3b91948a1dedb91f75de76b",
-	"a87a702ce08f5745edf765bfcd5fbe0d",
-	"847e69a388a749a9c507354d0dddfe09",
-	"07176eefbc107a78f058f3d424ca6a54",
-	"ad7e80682333b68296f6cb2b4a8e446d",
-	"53c4aba43896ae422e5de5b9edbd46bf",
-	"33bd6c20ca2a7ab916d6e98003c6c5f8",
-	"060d088ea94aa093f9981a79df1dfcc8",
-	"5617b214b9df08d4f11e58f5e76d9a56",
-	"ca3a60ee85bd971e1daf9f7db059d909",
-	"cd2b7754505d8c884eddf736f1ec613e",
-	"f496163b252f1439e7e113ba2ecabd8e",
-	"5719c7dcf9d9f756d6213354acb7d5cf",
-	"6f7dd40b245c54411e7a9be83ae5701c",
-	"c8994dd9fdeb077a45ea04a30358b637",
-	"4b1184f1e35458c1c747817d527a252f",
-	"fc7df674afeac7a3fd994183f4c67a74",
-	"4f68e05ce4dcc533acf9c7c01d95711e",
-	"d4ebc59e918400720035dfc88e0c486a",
-	"d3105dd6fa123e543b0b3a6e0eeaea9e",
-	"874196128ed443f5bdb2800ca048fcad",
-	"01645f134978dc8f9cf0abc93b53780e",
-	"5b8b64caa257873a0ffd47c981ef6c3f",
-	"4ee208fc50ba0a6e65c5b58cec44c923",
-	"53f409a52427b3b7ffabb057ca088428",
-	"c1d6cd616f5341a93d921e356e5887a9",
-	"e85c20fea67fa7320dc23379181183c8",
-	"7912b6409489df001b7372bc94aebde7",
-	"e559f761ec866a87f1f331767fafc60f",
-	"20a6f5a36bc37043d977ed7708465ef8",
-	"6a72f526965ab120826640dd784c6cc4",
-	"bf486d92ad68e87c613689dd370d001b",
-	"d339fd0eb35edf3abd6419c8d857acaf",
-	"9521cd7f32306d969ddabc4e6a617f52",
-	"a1cd9f3e81520842f3cf6cc301cb0021",
-	"18e879b6f154492d593edd3f4554e237",
-	"66e2329c1f5137589e051592587e521e",
-	"e899566dd6c3e82cbc83958e69feb590",
-	"8a4b41d7c47e4e80659d77b4e4bfc9ae",
-	"f1944f6fcfc17803405a1101998c57dd",
-	"f6bcec07567b4f72851b307139656b18",
-	"22e7bb256918fe9924dce9093e2d8a27",
-	"dd25b925815fe7b50b7079f5f65a3970",
-	"0457f10f299acf0c230dd4007612e58f",
-	"ecb420c19efd93814fae2964d69b54af",
-	"14eb47b06dff685d88751c6e32789db4",
-	"e8f072dbb50d1ab6654aa162604a892d",
-	"69cff9c62092332f03a166c7b0034469",
-	"d3619f98970b798ca32c6c14cd25af91",
-	"2246d423774ee9d51a551e89c0539d9e",
-	"75e5d1a1e374a04a699247dad827b6cf",
-	"6d087dd1d4cd15bf47db07c7a96b1db8",
-	"967e4c055ac51b4b2a3e506cebd5826f",
-	"7417aa79247e473401bfa92a25b62e2a",
-	"24f3f4956da34b5c533d9a551ccd7b16",
-	"0c40382de693a5304e2331eb951cc962",
-	"9436f949d51b347db5c8e6258dafaaac",
-	"d2084297fe84c4ba6e04e4fb73d734fe",
-	"42a6f8ff590af21b512e9e088257aa34",
-	"c484ad06b1cdb3a54f3f6464a7a2a6fd",
-	"1b8ac860f5ceb4365400a201ed2917aa",
-	"c43eadabbe7b7473f3f837fc52650f54",
-	"0e5d3205406126b1f838875deb150d6a",
-	"6bf4946f8ec8a9c417f50cd1e67565be",
-	"42f09a2522314799c95b3fc121a0e3e8",
-	"06b8f1487f691a3f7c3f74e133d55870",
-	"1a70a65fb4f314dcf6a31451a9d2704f",
-	"7d4acdd0823279fd28a1e48b49a04669",
-	"09545cc8822a5dfc93bbab708fd69174",
-	"efc063db625013a83c9a426d39a9bddb",
-	"213bbf89b3f5be0ffdb14854bbcb2588",
-	"b69624d89fe2774df9a6f43695d755d4",
-	"c0f9ff9ded82bd73c512e365a894774d",
-	"d1b68507ed89c17ead6f69012982db71",
-	"14cf16db04648978e35c44850855d1b0",
-	"9f254d4eccab74cd91d694df863650a8",
-	"8f8946e2967baa4a814d36ff01d20813",
-	"6b9dc4d24ecba166cb2915d7a6cba43b",
-	"eb35a80418a0042b850e294db7898d4d",
-	"f55f925d280c637d54055c9df088ef5f",
-	"f48427a04f67e33f3ba0a17f7c9704a7",
-	"4a9f5bfcc0321aea2eced896cee65894",
-	"8723a67d1a1df90f1cef96e6fe81e702",
-	"c166c343ee25998f80bad4067960d3fd",
-	"dab67288d16702e676a040fd42344d73",
-	"c8e9e0d80841eb2c116dd14c180e006c",
-	"92294f546bacf0dea9042c93ecba8b34",
-	"013705b1502b37369ad22fe8237d444e",
-	"9b97f8837d5f2ebab0768fc9a6446b93",
-	"7e7e5236b05ec35f89edf8bf655498e7",
-	"7be8f2362c174c776fb9432fe93bf259",
-	"2422e80420276d2df5702c6470879b01",
-	"df645795db778bcce23bbe819a76ba48",
-	"3f97a4ac87dfc58761cda1782d749074",
-	"50e3f45df21ebfa1b706b9c0a1c245a8",
-	"7879541c7ff612c7ddf17cb8f7260183",
-	"67f6542b903b7ba1945eba1a85ee6b1c",
-	"b34b73d36ab6234b8d3f5494d251138e",
-	"0aea139641fdba59ab1103479a96e05f",
-	"02776815a87b8ba878453666d42afe3c",
-	"5929ab0a90459ebac5a16e2fb37c847e",
-	"c244def5b20ce0468f2b5012d04ac7fd",
-	"12116add6fefce36ed8a0aeccce9b6d3",
-	"3cd743841e9d8b878f34d91b793b4fad",
-	"45e87510cf5705262185f46905fae35f",
-	"276047016b0bfb501b2d4fc748165793",
-	"ddd245df5a799417d350bd7f4e0b0b7e",
-	"d34d917a54a2983f3fdbc4b14caae382",
-	"7730fbc09d0c1fb1939a8fc436f6b995",
-	"eb4899ef257a1711cc9270a19702e5b5",
-	"8a30932014bce35bba620895d374df7a",
-	"1924aabf9c50aa00bee5e1f95b5d9e12",
-	"1758d6f8b982aec9fbe50f20e3082b46",
-	"cd075928ab7e6883e697fe7fd3ac43ee",
-}
-
-// hashes2X is taken from
-// https://github.com/BLAKE2/BLAKE2/blob/master/testvectors/blake2-kat.json
-var hashes2X = []string{
-	"0e",
-	"5196",
-	"ad6bad",
-	"d8e4b32f",
-	"8eb89056f3",
-	"410497c2ed72",
-	"f0de771b375c90",
-	"8662db8685033611",
-	"9ef9f1eed88a3f52ca",
-	"08225082df0d2b0a815e",
-	"0f6e84a17439f1bc97c299",
-	"895ec39c78d3556cefdbfabc",
-	"2b396b3fa90ab556079a79b44d",
-	"abae26501c4c1d6123c0f2289111",
-	"bca098df9099b3f785a37ba40fce5f",
-	"19b827f054b67a120f11efb0d690be70",
-	"b88d32a338fd60b58570fda228a121113b",
-	"3f30143af1cad33f9b794576e078cc79062e",
-	"ffddb58d9aa8d38086fcdae07e6653e8f31dfc",
-	"abb99c2e74a74556919040ca0cd857c95ec985e9",
-	"71f13f89af55ba936f8a7188ee93d2e8fb0cf2a720",
-	"99734fdf0eef4838a7515426f4c59b800854e2fcdc1c",
-	"579b1652aa1f5779d2b0e61868af856855020bdd44d7a7",
-	"1383d4ab4a6d8672b4075d421a159f69380ff47e4bb518d5",
-	"d3fa1412712dbbab71d4c6265dc1585c8dcc73380cf807f76a",
-	"1d57868a71e7245667780455d9aaa9e0683baf08fbaf946091c2",
-	"ef80418fe7049c6251ed7960a6b0e9def0da2749781994b24593a0",
-	"ef91cb81e4bfb50231e89475e251e2ef2fde59357551cd227588b63f",
-	"d7f398a5d21c3139cff0562a84f154b6953c7bc18a5f4b60491c196b6d",
-	"0a2abc6d38f30aef253579a4088c5b9aec64391f37d576eb06a300c193a5",
-	"02dd758fa23113a14fd94830e50e0f6b86faec4e551e808b0ca8d00fef2a15",
-	"a4fe2bd0f96a215fa7164ae1a405f4030a586c12b0c29806a099d7d7fdd8dd72",
-	"7dce710a20f42ab687ec6ea83b53faaa418229ce0d5a2ff2a5e66defb0b65c03c9",
-	"0320c40b5eea641d0bc25420b7545ac1d796b61563728a4dc451207f1addeedcf860",
-	"460539415f2baeb626fad748dee0eb3e9f27221661160e13edf39d1b5d476ee0672400",
-	"02de8ffa5b9c748164f99ed9d678b02e53f4ae88fb26c6d94a8cefc328725a692eae78c2",
-	"348a61a0136436136910262ad67ef20644b32c15456d5fad6b1679386d0bea87cc1a2e2b5e",
-	"24c32966c803434d48d2283482ee8f404f598cf7a17961748125d2ed1da987039b1ce00f2ba7",
-	"bd07cb16121d3b47adf03b96c41c947beadc01e40548e0d0773e61780d48d33a0e2a675ca681a6",
-	"a35844e34c20b4b9371b6c52fac412afe5d80a4c1e40aa3a0e5a729dc3d41c2c3719d096f616f0ba",
-	"6df1efbb4567747fe98d218935612f8835852dde2ce3dec767792d7f1d876cdae0056fef085245449d",
-	"48d6094af78bd38d8f4b39c54279b80ef617bc6ad21def0b2c62113b656c5d6a55aea2e3fde94a254b92",
-	"cd6e684759d2f19083164712c2aca0038442efb5b646594396b1fccdbd21203290f44cfdecca0373b3801b",
-	"155dfbf26103c8354362663677fa27d0e1ce3487a821a2a7171014c1bd5dd071f4974df272b1374765b8f2e1",
-	"15b11067f311efa4ee813dbca48d690dc92780656bc4d4c56510523190a240180867c829a8b8b9844175a8aa23",
-	"9bc27953a17fb84d5eabe95b4ea6bc03ea450274abccfb6f3938ded8560fb59662459a11a86b0e0f32fbea6bb1f8",
-	"03b78fb0b34fb8662accdf350a6be75ace9789653ee4375d351e871f6a98ac5e782ca4b4a717665d25e49a5ae25d81",
-	"687e9a6fda6e2ce0e40e4d30fef38c31e3513d2892bbe85c991fc3715947e42bc49bcd079a40ed061c2c3665efe555ab",
-	"f3886027d2049a8909e26545bd202d6a6fa2a6f815d31c7d520f705a81fa606dd695369c37aee4fa77dc645e9b05813ceb",
-	"e4a412ccd20b97797d91ccc286904fcd17c5afe8bed0618f1af333c052c473cd327637d951c32e4af047106036a3bc8c1c45",
-	"92f4b8c240a28b6238bc2eabadaf2ff3c4bfe0e6c61268ace6aebdeb0691450caea4287db8b329bde96af8cdb8a0fe2f57ef2d",
-	"e506834b3445e1a9a9b7bae844e91e0834512a06c0dc75fa4604e3b903c4e23616f2e0c78b5cc496660b4a13064bb1138edef4ff",
-	"27031955a40d8dbd1591f26e3c26e367a3c68f8204a396c6a4ba34b89672896d11276966a42bd516716f35ed63e442e116dbcf35da",
-	"646b1635c68d2328dddd5ac26eb9877c24c28390a45753a65044c3136ae2fe4fb40d09bf555271646d3dceb1ab1b7c8d8e421f553f94",
-	"f6171f8d833743bdee7cc8f8b29c38614e1d2d8d6a5fff68bec2c0f4dd463d7941ff5c368e2683d8f1dc97119bde2b73ca412718bc8cb1",
-	"45db1c478b040aa2e23fb4427017079810775c62abe737e82ec0ef8dcd0fc51f521f29fe6412fff7eac9beb7bcf75f483f3f8b971e42454b",
-	"500dab14687db3ca3dde9304af5f54194b37bdf475628af46b07bfbf6bc2b64ecef284b17f9d1d9be41794699bc0e76c2878b3a55730f7142d",
-	"31bba2efc7b3f415c3f031d4c06bb590ae40085ad157370af30238e03e25a359c9e133212ed34b7a006f839173b577e7015a87fdff2270fafddb",
-	"0600b3fb4b5e1ed0c8b2698ac1d9905e67e027390764821f963ad8d2b33cbc378b9c25c3ee422992d22b760222ed5697be0576d73938ae9d634ed7",
-	"4c0ca4f177d132594a4c613bad68da24c564efa3b4da0d0a903f26534a2e09f8d799d10e78f48ccdb0203954a36c5cf1bf24c076632c2b022b041200",
-	"97aacf2e1b013677b2e14084f097cb1e64d7b3fa36f097e189d86dc4a263bcc46817cd1ee6ff0c7ccd9acef63201cdc0e36254e19204a7388643bb571f",
-	"71fd6846ce7adb0843d6063546a16b79b54ad6c0f018a479a45817624fa221f63525084860559d1a0679c8d89a80701c62743ec2da8419d503f8f0cd7946",
-	"f73dfb046def3362d6de36077dae2cee2587fe95fe0800548bb7d99737897096ba59052e0dadcc1fb0ccb5535391875328637a0376a43a4d89366758dfe3e2",
-	"ec470d0aa932c78c5bcf86203ec0014314114765fa679c3daef214f883a17e1b4ca12f44433772a6e4ef685c904b2fc35586c6bd88f325b965968b06d808d73f",
-	"cf601753ffa09fe48a8a84c37769991e96290e200bbaf1910c57760f989bd0c72e6128e294528ee861ad7eee70d589de3cf4a0c35f7197e1925a64d0133628d87d",
-	"f15413f7d6fc54bb55829f698da92ee42fcf58dde1aa1bd07d438ecdc32ad6bf2bcdbecc99f18ed43e81b33065af5a4ca29960ae50553e610c0bbf4153d580e73dbb",
-	"84b1738adb9757fb9402ef7113581291136184d7ae35fe0b6a738da6acb0889d4d5bac7a957024e3709fa80c77d3859871ed1aa25cf488e438a2d24cfadce6008761dd",
-	"e02814bb81f250c1835a05108396b74c7878e737654bb83155e241774d04e639bbc571b413cd9349092f926c8a149a53cd33e9b63f370b6d460e504199d2e7d849db6cbe",
-	"aeee4a789956ec0913592c30ce4f9c544894da77ba447c84df3be2c869100e4df8f7e316445d844b31c3209abcc912f647735fd4a7136c2f35c6fda5b2e6708f5ca951b2b0",
-	"8cfd11ca385de3c843de84c830d59278fe79b70fb5ddbfbfc1ddefeb22c329ef2f607d1d1abbd1cd0d0cc7c5d3ed922add76aadca0d2f57b66cb16c582b6f18f60aee2f7509b",
-	"852e5ce2047d8d8b42b4c7e4987b95d23e8026a202d4567951bbbd23111e389fe33a736318546a914d2bddedfbf53846036ad9e35f29318b1f96e33eba08f071d6dc665149feb6",
-	"f225c23164979d0d13874a90ee291627e4f61a672a5578506fd3d65a12cb48a182f78350dc24c637b2f3950dc4882a5c1d5d5bad551c6f3e0093aa87e962bea51566af3791d52d65",
-	"5f33864d882455f8ef046aed64e2d1691e5c1555e333b0852750592e6f00d3b5ec941d0c00e99629612795d5870cf93c984b45e4464ba072a34903b400a42824ac13da28c7c1cb1959",
-	"7baaee7c3eb68c18c5ae1d45ba381803de34e36a52e2d7ccc9d48a297273c4d8644b473195bc23005f7a4f5ca790b1fa11f6a96e585e635513f11745dd97a69c1222204ab28d3c7735df",
-	"d0a2a3fc450ef9af7ae982041feb2842901026467d87839c33b4a9e081ea63d5be60ae99ca6e42393ded45255b8f42886f87ba0310572d9f0d8b5a07ff4b6bae1f30559a844983cc568560",
-	"3aa4164462b3e7044c35b08b047b924790f6d5c520b1df4305b5d41f4717e81f0cd4bccb9a5a6594773832b8707443adde4047caaed2293f92234df257df54ed275a9658fab483d0576d33a9",
-	"c8b4239fd7f1b893d978268f77f6505b5775d89090374322d40083b0f4c437423f670ca213f7fe05c61069725da2561646eefaea597ac48e293fbad44c2872046857e56d04a426a84008cefd71",
-	"f94839a7024c0a16971271b6727c081770110c957b1f2e03be03d2200b565cf8240f2873b0426042aaea996a1784fadb2b27f23bc1a521b4f7320dfbed86cd38d75141365ba9b443defc0a3b4078",
-	"8af934fdc8b3376ca09bdd89f9057ed38b656bff96a8f8a3038d456a265689ca32036670cb01469cc6e958cc4a46f1e80d700ae56659828a65c0456b8e55f28f255bc86ce48e44377bf1f9970b617d",
-	"ada572989e42f0e38c1f7c22b46bb52a84df8f7b3b773c9f17a5823e59a9725248d703efb4cb011abc9474e8e711666ed3cfa60db48480a8160615dfabad761bc0eb843d2e46299c59b61a15b4422fdf",
-	"b11f1ea52a7e4bd2a5cf1e234b7c9eb909fb45860080f0a6bdb5517a37b5b7cd90f3a9e2297f995e96c293189b807a7bf6e7633bebbc36674544db5f18dd33020aeaf50ee832efe4d3d053873fd31ce3b9",
-	"e54b006cd96c43d19787c1ab1e08ea0f8922bdb7142e748212e7912a1f2c0a4fad1b9f5209c30960b8b83ef4960e929b155a8a48c8fb7ce4326915950cede6b98a96b6f1ecb12715b713985dacd1c1180413",
-	"ee2c2f31a414ccd8f6a790f55e09155fd50aac2a878f9014f6c6035cae9186f90cdef0b7adf3e207c3d24ddfba8cd321b2e9228b02a1182b6973da6698071fce8cc0a23a7bf0d5aefd21ab1b8dc7818549bba3",
-	"6d6810793bad6c7efe8fd56cac04a0fb8717a44c09cbfaebce196a80ac318c79ca5c2db54fee8191ee2d305b690a92bd9e2c947a3c29342a93ac05796484638787a184e4525e82aeb9afa2f9480caebb91014c51",
-	"91e4694366cff84854872667fd168d2d42eca9070cdc92fca9936e8361e7266931f418450d098a42686241d08024dd72f0024d22ba644bd414245e78608942321ff61860ba1245f83c88592dc7995c49c0c53aa8a9",
-	"608aa620a5cf145f4477694407ccd8faa3182465b29ae98d96a42f7409434c21e4671bcae079f6871a09d8f2965e4926a9b08277d32f9dd6a474e3a9fb232f27fc4235df9c02abf67f7e540ca9ddc270ee91b23a5b57",
-	"c14f75e92f75f4356ab01c8792af13383e7fef2ffb3064de55e8da0a50511fea364ccd8140134872adccad197228319260a7b77b67a39677a0dcdcadfb750333ac8e032121e278bdcdbed5e452dae0416011186d9ebf29",
-	"03fcb9f6e1f058091b11351e775184ff2cd1f31ee846c6ea8efd49dd344f4af473f92eb44eba8a019776f77bb24e294aa9f962b39feecf7c59d46f1a606f89b1e81c2715ac9aa252e9ce941d091ffb99bb52404961794cf8",
-	"11e189b1d90fcfe8111c79c5351d826f5ec15a602af3b71d50bc7ed813f36c9a682520984ae911669d3c3036223a53176794c7e17929efab2b1c5b500f24f8c83d3db5d1029c5714c6fd34eb800a913985c218071677b9885c",
-	"69f8f5db3ab0321a708ab2f4234645dade6bfda495851dbe7257f2b72e3e8378b9fa8120bc836b737a675271e519b4712d2b56b359e0f2234ba7552dd4828b939e0542e729878ac1f81b6ce14cb573e76af3a6aa227f95b2350e",
-	"be734d78fae92cacb009cc400e023086bc3a3a10e8ca7cb4d553ea85314f51383660b8508e8477af60baf7e07c04cc9e094690ae12c73e5f089763201b4b48d664b94b4f5820bd1540f4a84100fdf8fce7f6466aa5d5c34fcbab45",
-	"d61b77032403f9b6ea5ad2b760eb0157545e37f1712ec44d7926ccf130e8fc0fe8e9b15570a6214c3899a074811486182b250dc97ebdd3b61403614d935cd0a61c0899f31b0e49b81c8a9a4fe8409822c470aacfde229d965dd62f51",
-	"c31bd548e36d5fae95ed8fa6e807642711c897f0fcc3b0d00bd317ed2bca73412064618c6a84a61c71bce3e963333b0266a5656571dcc4ba8a8c9d84af4bdb445c34a7aef445b15d77698e0b13c436c928cc7fa7acd5f68867e8132993",
-	"9903b8adab803d085b634bfae2e109dd247a7d6249f203403216d9f7410c36142df8fa56fb4d6f78136eef5817bad5ea3608439bb19336628c37d42db16ab2df8018b773baedafb77278a50926370b48bd81710203c7abc7b4043f9a1751",
-	"4dadaf0d6a96022c8ce40d48f460526d9956da33260e1770315ead420da75b122c762762aa3ddc1aef9070ff2298b2304cf90443318b17183b60778f3859b141053e5827decfff27ff106a48cfdb0371d0ef614fc7400e860b676df3176d1a",
-	"314dda800f2f494ca9c9678f178940d2284cb29c51cb01ca2019a9bede0cdc50f8ecf2a77e238b884867e78e691461a66100b38f374c4ccac80309641533a3217eca7e6b9a9af01c026201f0afaec5a61629a59eb530c3cb81934b0cb5b45eae",
-	"4658b7500951f75c84e4509d74047ca621009835c0152f03c9f96ca73beb29608c44390ba4473323e621284be872bdb72175628780113e470036265d11dfcb284ac04604e667f1e4c1d357a411d3100d4d9f84a14a6fabd1e3f4de0ac81af50179",
-	"491f877592837e7912f16b73ee1fb06f4633d854a5723e156978f48ec48fbd8b5e863c24d838ff95fa865155d07e5513df42c8bb7706f8e3806b705866475c0ac04bbe5aa4b91b7dc373e82153483b1b03304a1a791b058926c1becd069509cbf46e",
-	"231034720c719ab31f7c146a702a971f5943b70086b80a2a3eb928fa9380b7a1ad8773bfd0739142d2ad6e19819765ca54f92db5f16c1df5fa4b445c266215a92527bd4ef50ed277b9a21aee3fb7a8128c14ce084f53eac878a7a660b7c011eb1a33c5",
-	"3366860c77804fe0b4f368b02bb5b0d150821d957e3ba37842da9fc8d336e9d702c8446ecafbd19d79b868702f32405853bc17695873a7306e0ce4573cd9ac0b7fc7dd35534d7635198d152a1802f7d8d6a4bb07600fcdaacfaa1c3f40a09bc02e974c99",
-	"ccbbbe621f910a95835f5f8d74b21e13f8a4b03f72f91f37b5c7e995aa3cd5539508d5e234e77a4668a42c239b2d13ef0e55ecf85142055e3f8a7e46320e21324a6b88e6c823ac04b485125c2aa59b61476481208f92ea4dd330cb18777c1cf0df7cd07893",
-	"87faf0e49e7e5ab66ee3147921f8817867fe637d4ab694c33ee8009c759e7d707f44c69c1b9754e2b4f8f47b25f51cd01de7273f548f4952e8efc4d9044c6ea72d1d5857e0ffeb3f44b0c88cb67683401cfb2f1d17f0ca5696641bef28d7579f68d9d066d968",
-	"38c876a007ec727c92e2503990c4d9407cea2271026aee88cd7b16c4396f00cc4b760576adf2d683713a3f6063cc13ecd7e4f3b6148ad914ca89f34d1375aa4c8e2033f1315153189507bfd116b07fc4bc14f751bbbb0e752f621153ae8df4d68491a22430b309",
-	"87d636a33dbd9ad81ecd6f3569e418bf8a972f97c5644787b99c361195231a72455a121dd7b3254d6ff80101a0a1e2b1eb1ca4866bd23063fe007310c88c4a2ab3b49f14755cd0ee0e5ffa2fd0d2c0ea41d89e67a27a8f6c94b134ba8d361491b3c20bacac3d226b",
-	"b021af793badbb857f9a353e320450c44c1030fce3885e6b271bcc02e6af65fdc5be4dc483ff44bd5d539ed1e7eb7efe3001252e92a87df8227ace601047e101c871d29302b3cb6c6f4639078afc81c4c0f4c2e04688612ecf3f7be1d58ea92894a5dab49b949f2089",
-	"c5c1f2fbf2c8504a686b615278fc6221858d401b7fe790b75fb6bca6885cdd128e9142bf925471ee126f9e62d984de1c30c9c677eff5fdbd5eb0fa4ef3bff6a831056cea20fd61cf44d56ffc5bda0e8472ecdc67946d63c40db4ba882bc4dfa16d8ddac600570b9b6bf3",
-	"88f8cc0daeaeaea7ab0520a311dff91b1fd9a7a3ec778c333422c9f3eb0bc183acc80dfefb17a5ac5f95c490693c45666ec69234919b83244003191bad837aa2a237daeb427e07b9e7aa6ca94b1db03d54ee8f4fe8d0802cb14a6599005eb6326eefe5008d9098d40aa851",
-	"2eb6b1a58e7fe39ff915ac84c2f21a22432c4f0d260380a3f993310af048b11647f95d23adf8a746500833ee4e467fb52ea9f1039519fa58bcb0f1d0151558147b3c92b83730aba0e20eeeea2b75f3ff3ad79f2f8a46cbbadb114a52e32f018342aeeaf827e03ad6d583bbce",
-	"3ba7dcd16a98be1df6b904457709b906cbf8d39516ef107006c0bf363db79f91aaae033466624d30858e61c2c368599963e49f22446e4473aa0df06e9c734e183a941510d540536377072334910e9cef56bc66c12df310ecd4b9dc14207439c1da0ac08bdd9be9f2c840df207e",
-	"a34a7926324ea96867dac6f0dba51d753268e497b1c4f272918c7eb0e34120be65b7b5ba044d583141ec3ea16fcedae6197116b16562fb0706a89dc8efd3ba173ccd0fd7d84d480e0a3dda3b580c326aa1caca623879b0fb91e7d173998889da704eda6495023b5ad4c9ad406298",
-	"5ef97d80b90d5c716322d9ba645a0e1b7a403968258a7d43d310320f60f96235f50e9f22cac0ad239636521fa0607d2f471051b505b371d88778c46fe6787d47a91a5bec4e3900fe6ed22918226fc9fbb3f70ee733c369420612b76b5f55988d757c891d7005d17ee55783fe506202",
-	"140d2c08dae0553f6a49585fd5c217796279152b2e100ebde6812d6e5f6b862b2a3a484aed4d6226197e511be2d7f05f55a916e32534ddcb81bdcf499c3f44f526eb515cc3b6fa4c4039ad251253241f541558bba7413ca29318a414179048a054104e433c674ca2d4b3a4c181878727",
-	"29fdfc1e859b001ee104d107216b5299a792d26b2418e823e0381fa390380d654e4a0a0720ba5ff59b2ff22d8c4e013284f980911dcfec7f0dca2f89867f311ced1ac8a14d669ef1114504a5b7626f67b22ecd86469800f1575543b72ab1d4c5c10ee08f06159a4a3e1ae09937f12aa173",
-	"52dfb643832a598a10786a430fc484d6370a05356ee61c80a101dbbcfac75847fba78e27e537cc4eb918eb5ab40b968d0fb23506fee2ad37e12fb7534fb55a9e50902b69ceb78d51db449cbe2d1fc0a8c0022d8a82e2182b0a059035e5f6c4f4cc90278518e178becfbea814f317f9e7c051",
-	"d32f69c6a8ee00ca83b82eaf82e312fbb00d9b2f6202412a1ffc6890b4509bbbeda4c4a90e8f7bca37e7fd82bd23307e2342d27aa10039a83da55e84ce273822740510e4ec239d73c52b0cbc245ad523af961994f19db225212bf4cc160f68a84760233952a8e09f2c963be9bb1d71ca4bb265",
-	"d1e603a46aa49ee1a9ded63918f80feca5fc22fb45f659fd837ff79be5ad7faf0bbd9c4ba91628ee293b478a7e6a7bd433fa265c20e5941b9ea7edc906055ce9799cbb06d0b33ae7ed7f4b918cc082c3d4a1ac317a4acec175a73cc3eeb7cb97d96d24133a29c19375c57f3a4105519846dd14d4",
-	"b45ac88fac2e8d8f5a4a90930cd7523730733369af9e39bf1ffb833c01108952198301f4619f04b9c399fef04c214bad3358999967c474b67a7c06457a1d61f9466489ed5c0c64c6cdc83027386d6263491d18e81ae8d68ca4e396a71207adaaa60997d0dca867065e68852e6dba9669b62dc7672b",
-	"d5f2893edd67f8a4b5245a616039ffe459d50e3d103ad4675102028f2c497ea69bf52fa62cd9e84f30ae2ea40449302932bbb0a5e426a054f166fdbe92c744314cc0a0aa58bbc3a8739f7e099961219ec208a8d01c1ae8a2a2b06534bf822aaa00ca96218e430f0389c69c7f3fd195e128c38d484ff6",
-	"37279a76e79f33f8b52f29358841db9ec2e03cc86d09a335f5a35c0a31a1db3e9c4eb7b1d1b978332f47f8c3e5409d4e443e1d15342a316f442e3bfa151f6a0d216df2443d80cbcf12c101c51f2946d81161583218584640f4f9c10de3bb3f4772bd3a0f4a365f444777456b913592719818afb26472b6",
-	"a46d252a0addf504ad2541e7d992cbed58a22ea5679980fb0df072d37540a77dd0a1448bdb7f172da7da19d6e4180a29356ecb2a8b5199b59a24e7028bb4521f3281313d2c00da9e1d284972ab6527066e9d508d68094c6aa03537226ef19c28d47f91dddebfcc796ec4221642ddf9de5b80b3b90c22d9e7",
-	"060c18d8b57b5e6572dee194c69e265c2743a48d4185a802eaa8d4dbd4c66c9ff725c93667f1fb816418f18c5f9be55e38b7718a9250bc06284bd834c7bd6dfcd11a97c14779ac539629bcd6e15b5fca3466d14fe60d8671af0fb8b080218703bc1c21563b8f640fde0304a3f4aeb9ec0482f880b5be0daa74",
-	"8f2f42bc01acca20d36054ec81272da60580a9a5414697e0bdb4e44a4ab18b8e690c8056d32f6eaaf9ee08f3448f1f23b9844cf33fb4a93cba5e8157b00b2179d18b6aa7215ae4e9dc9ad52484ad4bfb3688fc80565ddb246dd6db8f0937e01b0d2f2e2a64ad87e03c2a4ad74af5ab97976379445b96404f1d71",
-	"ccb9e524051cca0578aa1cb437116a01c400338f371f9e57525214ad5143b9c3416897eae8e584ce79347297071f67041f921cbc381c2be0b310b8004d039c7cc08cb8ff30ef83c3db413f3fb9c799e31cd930f64da1592ec980cc19830b2a448594cb12a61fc7a229e9c59fe1d66179772865894afd068f0942e5",
-	"3eb5dc42172022ab7d0bc465a3c725b2d82ee8d9844b396913ceb8a885323dbbbf9ef4ed549724cc96d451ea1d1d44a8175a75f2a7d44bb8bfc2c2dffed00db0328cfde52bf9171f4025770abbe59b3aefd8151c480bafa09f613955fd571e5d8c0d4936c670d182cf119c068d420ded12af694d63cd5aef2f4f6f71",
-	"20ea77e58e41337ad63f149ed962a8210b6efa3747fe9bea317c4b48f9641f7145b7906ed020a7ae7d2ee59435392edc32aee7eff978a661375af723fbd440dd84e4a152f2e6ef66f4ab1046b22c77ac52717de721dfe39aa8ba8cd5da27baca00cc1fffe12c52382f0ee83ad1418f4c6a122effaf7471e1e125d7e7ba",
-	"95c662b835171fa23f948c3c3ed27bab9b3c367bbfe267fe65f8037a35b50cd7fc6030bfce4000425ef646c34793f0762635ae70487a0216ef7428da622be895d1b6040423246511c2370d6876a5c5d2df8bbd48fb14f787b632ad2c1f5a927fdf36bc493c1c8606accfa52de33258669f7d2d73c9c81119591c8ea2b0ef",
-	"f708a230675d83299cc43167a771602d52fa37cbc068ef9128ef60d186e5d98efb8c98798da619d2011bf4673214f4a4c82e4b11156f6292f6e676d5b84dc1b81e7cc811b0d37310ac58da1bfcb339f6ba689d80dd876b82d131e03f450c6c9f15c3a3b3d4db43c273c94ed1d1bd6d369c4d30256ff80ea626bda56a6b94ea",
-	"f8417766ce86b275f2b7fec49da832ab9bf9cb6fdfe1b916979ae5b69176d7e0293f8d34cb55cf2b4264a8d671370cb595c419c1a3ce5b8afa642208481333522005fbe48cdc700e47b29254b79f685e1e91e7e34121784f53bd6a7d9fb6369571bba992c54316a54e309bbc2d488e9f4233d51d72a0dd8845772377f2c0feb9",
-	"3479e04efa2318afc441931a7d0134abc2f04227239fa5a6ae40f25189da1f1f313732026631969d3761aea0c478528b129808955be429136eeff003779dd0b8757e3b802bdff0f5f957e19278eabad72764aa74d469231e935f4c80040462ab56094e4a69a82346b3aeb075e73a8e30318e46fdaec0a42f17ccf5b592fb800613",
-	"03df0e061fa2ae63b42f94a1ba387661760deaab3ec8ffabcaff20eeed8d0717d8d09a0eafd9bde04e97b9501ac0c6f4255331f787d16054873f0673a3b42ce23b75a3b38c1ebcc04306d086c57a79d6095d8ce78e082a66c9efca7c2650c1046c6e0bbce0b2cba27c3824333e50e046e2a7703d3328ab3b82c9d6a51bc99b9516ff",
-	"76b488b801932932beefffdd8c19cf5b4632306e69e37e6a837e9a20c8e073bcadd5640549faa4972ebd7ee55cb2425b74cb041a52dd401b1a531beb6dfb23c4cfe74bc84f034156c8f55050ca93236eb73c4e2595d9fbf93dc49e1ec9a31705359732dda73f737ec4274e5c82626dc4ec929e5e2c7a2f5f5fb666181922bd8be575e3",
-	"ff17f6ef13abc0426b03d309dc6e8eeb822300f7b87eff4f9c44140a424098fd2aef860e5646066d22f5e8ed1e82a459c9b9ad7b9d5978c29718e17bff4eeefd1a80ba48108b551e62cd8be919e29edea8fbd5a96dfc97d01058d226105cfcdec0fba5d70769039c77be10bd182bd67f431e4b48b3345f534f08a4beb49628515d3e0b67",
-	"95b9d7b5b88431445ec80df511d4d106db2da75a2ba201484f90699157e5954d31a19f34d8f11524c1dabd88b9c3adcdba0520b2bdc8485def670409d1cd3707ff5f3e9dffe1bca56a23f254bf24770e2e636755f215814c8e897a062fd84c9f3f3fd62d16c6672a2578db26f65851b2c9f50e0f42685733a12dd9828cee198eb7c835b066",
-	"010e2192db21f3d49f96ba542b9977588025d823fc941c1c02d982eae87fb58c200b70b88d41bbe8ab0b0e8d6e0f14f7da03fde25e10148887d698289d2f686fa1408501422e1250af6b63e8bb30aac23dcdec4bba9c517361dff6dff5e6c6d9adcf42e1606e451b0004de10d90f0aed30dd853a7143e9e3f9256a1e638793713013ebee79d5",
-	"02aaf6b569e8e5b703ff5f28ccb6b89bf879b7311ea7f1a25edd372db62de8e000219afc1ad67e7909cc2f7c714c6fc63ba341062cebf24780980899950afc35cef38086ee88991e3002ae17c07fd8a16a49a8a90fc5540be0956dff95390c3d37629949de99920d93096eb35cf0427f75a6561cf68326e129dbeffb8772bfdce245d320f922ae",
-	"70752b3f18713e2f533246a2a46e38a83cc36dfccec07c1030b5204cba4432700735a8cee538b078d281a2d0262110381c5815a112bb84404f55af91652bd17502dd75e4910e062943d8a736ae3eecdfdd8e3f83e0a5e2ddeeff0ccbdadaddc95391310fc657a59724f7e6560c37dc1d5bb5db40170190f04a274c864ade9687c0f6a2a48283177a",
-	"01f3c1333b44077c518cc594d0fb90c37651fb7b2442e71fc0a5611097f1cf7bcfaf11c8e0ac1b1cab54afba15bb9332df6bc64d8032368e3f686c8324b0114e0979dad78a5ccd3fff88bbe89eef89c4be586ca092addef552ed33224e85d8c2f4fba85ac7735f34b6aa5ae5299154f861a9fb83046b0e8fca4db32c1343e02676f283975f43c086cf",
-	"509283ebc99ff8d87902fa00e2d2a6fa239e335fb840dbd0fdbab6ed2d95e8275402523f7ce9a2fabd4b6c9b533288fbe914bde84365a204711d0977a7d698f4614385984dd4c137e4820035dd6737da364edff1bb62283e87a8c7ae8637314fe9b5777ec4ec21276dafedb2ad5ee1aa0ac99e34a6c01c055c8a239fd28681607f65143082cd4553c529",
-	"c17e417e876db4e123c631f7136b8a85bfd6ce66a69180d0cd5ecfd6f037bb1c7bd7908d51f2c485bf9e92c0e1799ee5f6ab834ee481f5eb1a8020205adb4d0f90126d4e7c2c859c5a5f644bdfa9c649ff4f168e834de6f9769429732099d46d0af506ab86c6fd92175159bbc05c75db8e1fa867e6030d64250008d64c857c47caec3dc8b2ffb384d0193e",
-	"950988fbe9d62a66f5f2c492bc8dc944a78eb3796ec37ba94b6a81a9d402ccad03cd8497fff74c5f4a03081c5fecec48574fecb21c1de261332c23108195d3f6a96ff8e433a1a30eda53dd5bb414973334f8cde5510ff759f7c17046cbb5acd8e8c4a6eecf2a9121ec3fc4b22c4daa72678194ce809024cd45c4ebb9ccdb6f854205cdb624f0787480d8034d",
-	"552a212c403b473741da8e9c7b916d5e5e9bcc9949021ae1ca1ed46b7d4a98addbb604d9fff56175b7e0367db26c9635fa7813653dc8d610befdd09ec41e99b192a716106f4299eec8b940863e5a59cf26cdc2cd0c3017f9b4f215812bed15f69e77edf672178e13c55580982f01fcc2fa131ec3d736a55d56504c545f4be50fee83f1263e4d3f3c877cc6242c",
-	"b00c4283dd3d9cd26e44bd97cede6c771cb14f2571b51cfdaae4309560ffd165da025a1bbd31096c3aa8286e2d6dcc3e681b8d01f2c5064ea26dfd0b5156b7a7f5d1e046c5bd1628f8fdae24b03bdf7cf7366900cc013a8cbed9d7f5937c914b08f8c27683b956e1279812d04288515333fc6aba3684dde2292951f0610649d90fe61606630fc6a4cd383649252c",
-	"f6e79457bb6d0884dd223be2cf5ae412a1ed425f1e4012f75951b096aea3b9f3581f9013bcae1aff2d3fc1e5c7e06f24af6d53c2c5c238b71c71cc670b05a7ee5204400026a5c4e5ddec3ad96771e49fae4b0f75ec58049ad9d972e5749a32d90f847f1ed2a1bab83db181e541cf5c8adb6b29ecc64dc25add491d408d3eb3ddcb013de7f5ffb6de9dd7ff300a5fc6",
-	"fe1d71e1d5efa3f712d23216ee8ee9139e66bd648b83efc02cdb4d45a28cf36759ff190a84d14d9471477abefb5aea4111110336143dd80cf81e02f268120cc07d746538f968e9876bff8358d390f5b8e7eafa61ecd236cedaf276bd61865fdd3424988201dcdeda2e3e0c33c9e3b3670125dd1049106cc6df5695fb2dca443233ff440f265bbff055483bac1e859b83",
-	"4c80163562872a965dedd8725652906156ada6e9d999027d96f49289edb92f9ef043e9d7c3377e091b27f85275499454af32317535997fb4aaeaf93565ad481ff7d45d2abddd4df4b60f71a6923ec30496c6ae534dc5427107ab4c5e656a322c7ab058d4c13ec0ebafa76576560697ac98f84aa4a554f98ec87134c0d7dca9184cf70412a324aac91823c0aca02537d197",
-	"fdd58c5ffe88665beb7073c8f4c22472f4bc9390cdd27a42622ca55978b000ab7579f795d4de0dfcaf521b8268980ef1d20277b07567985c0fd5030784ad6c32541ac24e99ab706105a2255fc32935c0fce6fdad9bb224d94ae4eae2a3ff08836618a3adf193630647bce1952b69da4de360f59da303519278bfd39b733cf66820a5e9e971b702f45998b69a0889f4bec8ec",
-	"ff38b15aba3794e2c81d88003e045ac6cbfc9f4833cdf896cefd8ac0c88674727ad9a9fcb9ef36574deea480e6f6e8691c8390ad73b8ea0eb3665c914b0d886546948e67d7987eea248b5feb52346ffdd965d5c835144c3bc63daf325e74b11267e32e58a914ae4521a668839d9445fececa49c5fba41f9e171698bbc7c6c97fa163a377a96456958d6e1d74f91ada56a30df8",
-	"f048c19328d60b4e59ed76940415b2c84c23883198bba5699efb0a1774ad5da6d15390c7b55d77d66f37448fe08107f42a5336408d5322f4b630e3275865fc66dccab39f6e13fabc133e5a441fe352d81c7cd9a25f145a6e2e2417d3b0bbc79eafcd7ad688c02011fd268dd44ac3f4f87b37a84a46fd9e9975962fba92c9a3486deb0c45f6a2e044df4bb79f0feeea432c5008b0",
-	"1b3e5fe6f113cce28a6f8d6f7809d3cec398cabffe9ff2ff10a7fec29a4ee4b54186063fd5307a2be393c9ecd75a37620bdb94c9c18da69b658579676ec90351d10dc33a7cb3b75798b1234f9f684d4a73a0fab2df3d5d6fdb1c1b1514d0935c1f2dd21486f91c2595b2f8f8a500ff443b9305270fb6f3da7961d9316d4ed6a135a31c4a3611d40e6585bbb34f498cd5b9a5d92676",
-	"740db337baa12b16897f17a85fa5685acc85e48338867f8ac9c0198dd650f5dfa7c17725c1262c72207e365c8aa45ffaab6470a0e5afefbfc3bb702a9766064f28cc8b796878dfdd3ca9d0216c14941438fc541fb5be0a13d29a996c5c985db4f630df067a5626db5dcd8df3a2bff17dc446e46e4079b8815da4318cb228c7722684e2a795a0ca56f500ea51951a6a385385d886f678",
-	"1465f2d578d167faa017fe8f763ce3cc8dc1e8371d774ed2a8803f12585296ee71a1f2253dd16b717a81f91f0f3641018a0111182b4e65d884b0a3d0292631ad807cdccc88bdeecb476e76f72b5246a630aff6e2401fa9570f85acb73ccb4e19ef04a932a03d7b7985dbe1e5bb410df517fe362321469e6f8b0e0cef6c31d7aa8ec06aa220620d66cc0e133fdee963589b12320fc9678e",
-	"80c051952fa6f3ef6af0f1759ec3e83c8eb91abee1de360bfa09e74b05af2475a0dbf8f9135aa25892919bbe0515898cfb6f88abc9e1891f2b2180bb97370f578973d55c13c35edb22ed80647c2a7e2884d1ccb2dc2f92d7b6ec5843ade13a608a31190ce965bde97161c4d4af1d91ca9962053f9aa51865bdf04fc23fa35a6fc3c8e888941263a26ed66c2dd0b29b2325dfbd1227c5091c",
-	"9c1e2a1aed6406052eed12b4495365f2f80e9c9645473f3549b607f20910bcd16dc3a4b173ac8d128129cdb7c76ebbc8e9a2a1ba0d822c66b367e790a69ac71f0a60ed4bff0e979148e3f3ee6607c76dbc572ee5ff17c27e4b52adebb4bedddff517f591a1977299c7cb01106f1453b098d29848ba3751c816215bb0d090c50f9e445b41b2c49d4eec83b92ce6c269ce835fd279e7cbbb5e47",
-	"466abda8944d0329d2975c0f2e2afc901f117887af301881f63b714f49a2f692fa63a8871fc0b301fe8573dc9b2689880cd8969e5072c57671e0633b041481dab25e65c9de404af033a11a8070c8ab70ca6d465318501afdd9940c7efbe1bb6d49581c222fad251dba4ee0a98efe22a3c4f74da05844523b30bbad6b080ac8df70a02da80bc9d477dfb869adb211e209a316d5dd1fd89a6b8f8e",
-	"0e89a873e07799ba9372fc95d483193bd91a1ee6cc186374b51c8e4d1f40dd3d30e08f7feecfffbea5395d480ee588a294b96304b04f1ee7bbf6200cc8876395d1db3ac813e1019bb68d27204e514fe4a61ad2cbd1782dca0e38b5538c5390bca626c5895b745cfca5dac636fd4f37fed9014ab46ae1156c7789bbcbb956ff7ee5ce9effa560731d26783dc6ae8bddd53a5d28133614d0ddeddd9c",
-	"fdde2b80bc7a577ef0a6c03e59512bd5b62c265d860b75416ef0ce374d544cbb4e3a5dbd31e3b43e82975090c28bc77d1bdec907aeceb5d1c8b71375b6d631b84a46153f5f1d195bfcb2af6f597a9cdc83782c5bbbb58c5188a87ebf375eee5212fa52523820a83106e8ecd52bedd60d95cd646159774389c07e1adcaa6b6f649408f33399ec6e507d61659696b3dd249996892d5986b654d94ff337",
-	"f5d7d66929afcdff04de30e83f248e69e89604daea782e1d82d8032e91a95c1d6fb2f5578f79b51be4397e4cd7cbc608ce143fdddbc6fb6c43ffdd394a7df0124353b919aeeac025f3eb11ff246c3b9657c1a947fc534ce48e18feffada8797037c6bc7e2d9a9e2e019fe65627b3feb28e446473e3bd413047a2587f0be6a103403cb3c33fdc212dca14d8e386aa511c22308e632f5f9528dbabaf2deb",
-	"332990a8dba55f977bc814436cf386ebbf10cb487a5f6ce83e13741bac670c6810284fbbe4e303547ef411e964fae82854e8c13cf56979b89ecfedd337aad78260060122d13dfbbf8497acb2066ed89e30a1d5c11008bd4d145b5ec353956310536304d8b8bba0793baec6d8f3ff49718a56e6694f8122078265cf5731d9ba61292c1219a1affb3679576d4998290aba3684a205c3469d40761a5c4e96b2",
-	"efbdff285027610f03182009c89b953f19721cfcdb8accd74bab6ec4bdf3f555ab902cb0dd91284269d140638aaabd211748aa4da3b18cddc653b57e461b9ad8491807c535c08fe97d89eb587c6af19ca152e72479626ab764e8b62da89fefc8354c75a44851f985746d78715a5a92798dac1a4222be27897b3f0aa63d596aa7378545f49b259aa8518c3def8a2ec8f7aa956c43668c8717052035a7c36b47",
-	"0eea9bb83bdc324fd21b03669aa922fbebc448e7d25e210294c07862cfa6e061731dfb67b4810633f4dbe2130d90fa1c65843af436e74219d213c4458dcac1c48ec4541fc6e3b7918ab2bc621aedda53658050900c3865ca57cd5dfa1d28576827401956d2dd8b861fa90ab11bb0b544ded9bd3d62e3278ed484e17db8f2d5dc5ea4d19a0e15134ba6986714c2b22c59c2f0e517b74eb92ce40d2f5b89e6d79f",
-	"25da9f90d2d3f81b420ea5b03be69df8ccf05f91cc46d9ace62c7f56ead9de4af576fbeee747b906aad69e59104523fe03e1a0a4d5d902352df18d18dc8225855c46fefeec9bd09c508c916995ed4161ee633f6e6291cb16e8cac7edcce213417d34a2c1edea84a0e613278b1e853e25fb4d66ff4c7ee4584e7f9b681c319c874d43502534e8c16a57b1ae7cc0723783807738a55b661e617ee285bdb8b845607f",
-	"a76b6f81372df09322098868d469fb3fb9beafc5edb32c674974ca7032966aaca5b5c9bffef87bfe626bd8e33d1c5f054f7d5acd3b91ff95324d1ae39eb905b9f2694fe5cb03486cee86d2f661a751b0e6c716a61d1d405494c2d4e32bf803803dc02dba2c06eecf6f97fb1f6c5fd10cfc4215c06d627c46b6a16da0854e4c7c873d50aa1bd396b35961b5fa31ac962575230c07c369f8fbc1ff2256b47383a3df2a",
-	"f9db613812f2259972d91b1598ffb166031b339913925ee385f03b3b35dc4b2f1ae78a3c3d99c6ff6a07be129ce1f4b8d994d24988d7fbd31f20535d36ab6bd0592cfb4f8c1ed9244c7fa8a3c46e91272a1a40c6cfcf261c5658476c59793bf1a3775086e41a0492f88a31e2d9d1ce75cf1c6b4b928b3545d838d1de6b61b735d921bcf72e4e0615e9ff969ef76b4b947026cb016e2660ba39b0c4c953369a52c210de",
-	"e601c7e75f80b10a2d15b06c521618ddc1836fe9b024458385c53cbfcedd79f3b4239598cd7b9f72c42dec0b29dda9d4fa842173558ed16c2c0969f7117157317b57266990855b9acbf510e76310ebe4b96c0de47d7f6b00bb88d06fad2c2f01610b9a686079f3ed84613ba477922502bc2305681cd8dd465e70e357534503b7cbc68070ad16d9c51de96ccf0aae1599299331c5655b801fd1dd48dddf6902d0e9579f0c",
-	"ee5ff4ca16d1bde59ffaf2d064eac9141c1d8f120ea2bda942b7956ba3effc5f1e725a3b40b0b9223a14d7a50df1681d14ca0e0eda7bb09c428fa3b2701f83a7a3e139485a118f6287d266dbc7fe68c87b35becabc7782537c79cb8165bdc40cc103d7b6d4b627fafa0e4113f92341ab90ceab594bfae20dadbfafd401684584598941f1ffb8e23dc8a04ecd15376cda6d849fe0dfd177538c62413622d172d9d46e05c450",
-	"1daca80db6ed9cb162ae24aae07c02f4126f07cd09ecee8e798fa1bc25c26c644333b63731b4ebc3f287f2318a820c32a3a55fc976576bc936f7384e2553d2891e3771ff24dd4c7f0256906460a8f12d30ed2b23583a0259cb00a9065a757d654d6e4603e7c7eb4a8426b527ae8a849d9350e9094b890367df3e8b23ad2df4d7dcce416bd8ea3badd037f53f7b07c02e5926515f196d62aeb9b8b14c863f067fc12c5dfc90db",
-	"27ff4e58a34ff1fcd66855d014ea17889a3cf0021a9fea3fabfd5b270ae770f40b5439e00c0d26bd9766f6fb0b4f23c5fcc195edf6d04bf708e5b0bced4f5c256e5ae47cc5651e51cd9fe9dc5d101439b9bc5cc24f76a8e8847c72686e2af1ce7098ad7bc104dad00c096a6d48b6453322e9cd6773fb91fb1eabd05dc5185a9aea07a2f64c6fea9897681b4428aaffe1fe5fd3e8ceb890b12169ec9d51eaabf0ca3d5ba415770d",
-	"75e2fb56327983b04f640717be8cba6fef3655b4d8e5539587d6478356ec397efaed818b8425d052778eb30ef0dee656c52c2aeab079ed496ae4441a365f2130432c87ba757e25b4511656ad15e2eff84d342331fd2814d1f1d11af65d98a424c115ba183437c0d0aa55f5c44b8685028a47d89d0d36a0f20aed510c366ab338f074a941b404fb349caaec821e0850a627777cc8f5abce6b509290027a2a28ff1db62a5ed2f95fc6",
-	"c6ae8b6a060917cd498aa7874ad44baff73efc89a023d9f3e9d12c03d0b7f5bcb5e24e1bc2ab2f2c67b9a9d36ff8beb51b5affd4a3510361001c80642955b22ea4bf28b81a5affe5ecdbabd8d17960a6af3825a4522fe76b3d720b5d06e66bff5379d7a8de1f5cc3e7bb75163a854d77d9b3949bf904b6c4e568682f0dab7f217f80da7303cfdc9a53c17b6b51d8ddff0ce49541e0c7d7b2eed82a9d6be4aec73274c30895f5f0f5fa",
-	"606c9a15a89cd66a00f26122e33ab0a08c4f73f073d843e0f6a4c1618271cfd64e52a055327deaaea8841bdd5b778ebbbd46fbc5f43362326208fdb0d0f93153c57072e2e84cecfe3b45accae7cf9dd1b3eaf9d8250d8174b3dade2256ecc8c3acc77f79d1bf9795a53c46c0f04196d8b492608a9f2a0f0b80294e2abe012dc01e60af94323c467f44c536bf375cddbb068c78432843703dd00544f4fff3eaa1a5a1467afaae7815f80d",
-	"88b383cb266937c4259fc65b9005a8c190ee6cc4b7d3575900e6f3f091d0a2cefa26e601259ffb3fd03083270eb63db1ffb8b4515ec454d12f0944f8f9f6869eedc2c5f1689766a748d74e79ad83ff6a1639aefdec6109342dead31e9cead50bcc00c5b2206e8aaa47fdd01397b141880490174141a1e6e19268378c1b54a84aba60ca711fd72f7df88e120dfea2caa140085a0cf73342f3c588b7edfb5b5e5ccabd68a32364746d92d536",
-	"dc0b293f1ba02a326743509f41efdfeeac1efc45137ac03e397a3273a1f586a0190cfb4ea96d6c13ca692a4de6de905c8338c3e29a04cbae76272f568b9d795cea5d758106b9d9cff6f80ef650d6b7c428ea3946c3acc594907fe4227ed68faf31f2f6775f1be5139dc0b4d73ed6308fa226b9077561c9e4c7a4df68cc6b819b0f463a11b9a09682ba99752c4db7aea9beac1d9279f2c2675d42b551d27aa2c1c34125e32f2f6f45c35bca45",
-	"5d801a7413311e1d1b19b3c321542b22e2a4ccbe340545d272abede9223741d9835a0fc80cc9da97a13f8bb4110eb4ad71093efba165b1edad0da01da89d86726e0d8e42ae003b4b50297d233c87da08406f0e7fc58ba6da5ee5ba3d2d7142cbe6632734eb2e7b7863c15cc82198ee8f9a0ae0b7f93bdbda1ed269b3824d5d3c8e78513815b17a4c0cc8c9706b9c77423a309ae3fd98e1e05cdbe9e2577834fd71f964301b10b66c316a2d8f2c",
-	"2fd32a2bc15a9e96a100624404fd0a4e54ba9f8c0543d8ccf7c5c2e35f5e8c3c11dfd497320aa903900a4ca55a2b323b3ac4a7cfcd01bf0b448db8829072bee6b77c3d7bec2e1d8b414d907288d4a804d2379546ef2e2dc628269589164b13fceb32dba6fd5d48a956ce0b5c3eb28d894a95af58bf52f0d6d6cbe51317152744b4ccfc918ed17fa6856478d580b389016b772e1d02e57d2217a204e25361d91d4845a3fa20fefe2c5004f1f89ff7",
-	"f537b437662759bef8bd64368536b9c64fffbddc5e2cbdad465c3966b7f2c4bc5b96767ef40a1c144a4f1cd49edc4cc5b57e7eb30d9b90108f6fd3c0dc8a8808b9e0bd13aa3d661c4863637c5e4ba286553694a60bef18801299ae349df53a355051dcc46a7d003c4aa613808f430e9db8ca7dfe0b3f0a4c5ab6eb306aeb53e11a01f910064fbe6ca78b2a94fac34a2602f73de3f275953e13ff5c6bb5c39b82321ead17ec0f8ecc479e6afbc926e1",
-	"1dd9fb7d5b5d5074971e69300720014deba6fbdb942bd29704cdfcd40fa5281d2a1b9f5b776183e03ff99c29587f10e8d325cb49c5c93e94f5132741b92c4086eec1374dea5c1e772cbb230c7b31f3e962eb572be810076bdb926b63732522cdf815c3ab99bbc164a1036aab103cac7b823dd21a911aec9bc794028f07b7f839bae0e68211286441f1c8d3a35b281fd321312577bbda04f643ecb2a74ec4527bb5148dbccbeba749f5ea19b6072366ba",
-	"5bd63737449de2d20ca63943953338ecf4cdd6cd0a726241adb04376385a809cc6ba0f3482a310746fbc2cd5eb214f03a14cdc548777fb0d048d659cd75a962e490c4fe47affc2430a34b10275e4c76752a115aae3a24d4fb4fad89ce4d79d65de10292f3490bfdaeabfae08ed51bda6ec8230e66cb07ddbeec26e3ef68dd71c852900659fcf0c963f4574ffe4626a33db9abf0873dde68b21138498b81e8cc44d354be4073615889a7ddff633b5447d38",
-	"a683ec8250506571f9c640fb1837e1ebb06f123e745f95e521e4ea7a0b2b08a514bbe5bdfd316903d1d6a05f5a143d94dab61d8a3a146ab40b2d6b72df2f0e945875a8aa7051ed115975f6f1567cfcbf04c5e11e3a7027b8e179ba00739181ba10b028e3df7259d0712f4a6cef96469ff737865b85fee2c2db02a6423e32505381e18a1e0b4ce3c7998b8d6b1b5e09c3a280b85486d0984c9e193b0ad2043c2bc4ad04f5b00a73956715937eebf6b3e27afc",
-	"4df9d160b8e81c42930c48956fcb46b20b6656ee30e5a51dd6317876dc33e0160d31280fc185e58479f994991d575a917073b4439919c9ac49b6a7c3f985211d084c82c9d5c5b9a2d29c5699a22e79de3958d7b0e856b9aa97493cd4563aaa04fa3977a9bb89e0bc06a82296bdc76d20c8d393770176d648712454305fdfcf4e117d05acb5a5b006a9f8d0dc66dca708c4e4103ca825d2331750685c44ce3d9b3e753455580f4d6ac4533edeeb02cebec7cc84",
-	"67bb59c3ef5ee8bc79b89a673e331e581215076cc36b68f517ca0a74f74efafe9dcc240e6d8ca4b21019c27d6c9289f4419b4f218eeb39eb741c5ebebfe0ed2f6faeec5e8c477acf71907990e8e288f4d4049111779b0635c7bbec16b76493f1c22f645745fdac2b383679fee573e4f47af45ee08d84f63a5ace4ee1c06fa41e2e6e14b7bc392e38426813087a3a461efc62ed1941dc8f1728a2bdc04fde72a0b786558783c84abd4bd100e4926979a0a5e707b1",
-	"d341147169d2937ff2373bd0a9aefa77968ec8f0d993c6f9881eb174a1911e05cdc45993cb86d149a754bbe321ae38363f9518c50dd3faf087ffeeeb6a058b226ccab7858c00ba6de0e8f4d034b1d27508da5cc473f3a413189ee6fd912d7750486912944d4dc34405ce5ccc3885fb0aabcb922bcfa9081d0ab84c288022bd501235a835eb2e1124ed1d48fd4f8682da8e7919321031326502273375625c4e3a7282b9f53452195e53c6b4b57cd5c66f621bed1814",
-	"27e7872a54dfff359ea7f0fca256983f7600236e716e111be15a1fe72eb66923ea60038ca2953b0286447dfe4fe853ca13c4d1ddc7a578f1fc5fc8598b05809ad0c64a4363c0228f8d15e28280837a16a5c4dadab681e28968ae17934639fbc124bc59212138e494eecad48f6546c38366f1b7b2a0f56f579f41fb3aef75dc5a0958b25deaa50cb7fd1c69816aa9a51874a98e57911a33daf773c6e6166cecfeec7a0cf54df01ab4b931984f54424e92e08cd92d5e43",
-	"13dcc9c2783b3fbf6711d02505b924e72ec6736131159017b966dda90986b97522bf52fd15fc0560ecb91e2175322334aaaa0097e1f3777c0be6d5d3de18ed6fa3444133486068a777443a8d0fa212ca46994944555c87ad1fb3a367db711c7ebd8f7a7a6dbb3a0207de85851d1b0ad2f4149bdd5a5ba0e1a81ff742df95edee850c0de20e90dd01753137cb8f2c64e5e4638ceb893a3879ae2c049aa5bce44d56bf3f325b6c5029b2b8e1b2da8de7d4e48ca7d8f6fbdc",
-	"9ca875115b109eab538d4ec7023600ad953cacdb49b5abe263e68b48eafac89a15e803e838d048d9625972f271cc8f36344bed7bab69abf0bf05979a4cfff273b82f9961626509765fcb4b4e7fa48212bcb3ab2b1f2dd5e2af768cba6300a813514dd13e4d269e3d36548af0cacdb18bb2439ec9459f6d847d39f5598304ec46a26d75de1f9f0c2a88db915bd26e45e1f1e68c5b5b50d1890e97a3803c36755f026863d14176b8b57f42e91d3ff37787f9b38e333e9f0433",
-	"ec006ac11e6d62b6d9b32ebe2e18c002353a9ffd5dfbc5161ab887770ddd9b8c0e19e5321e5bc105add22e473050b71f0399327c7eba1ef809f8667c1f4e2c7172e10e753705e9a083f5bce88d77521225ecd9e89f1e1caed367fb0275dc28f620fbd67e6b176c9ae5d2659e6ec662116c9f2bbca3a93043233a4861e0688db6dc1800f752c5d58aa5033c250c891d9126e534ed921a9026eb333333fa8292059b8b446f336ca6a0cb4c7946b6aea3831653122f154a4ea1d7",
-	"23deadc94481ce28188f3a0ca3e85431964cb31b60fabf381e6bd45ef0332bd4dde774b0281d317dc2e7d0c298fcf8625fa734126968df8b68ef8a35c325d84ba4fc53936ff3ffdd8838d2a8cabf8a9cac54aa444ed9875944e55994a22f7fa8538b1e983b57d9215fac5c0052029644044e790ce2f5044655608c1d7ad3bb862203ba3aba3b526606f273d342ed5721648e3f600942d3f7546f679161436389d879dd8094e1bd1b1e12cde15cd3cda4c30a40835665e4e5cf94",
-	"94701e06340114f9cf715a1fb659988d33db59e87bc4844b1500448960af757b5282f6d52967a6ae11aa4ecfc6818c962b084c811a57724f5d401191567f24ce917e4f8c3963474fdc9d2c8613c16f62446448b6da6eeae54d672825ed7606a90e4611d0e318ff00566862c955b636b5e81fec3362e8672ad2a6d222a515cf410482836deba092a51a4d464dfbbab35c50a33437ac16a88256e9e23ddd3c827cc58d3e5000ee90b12e4c5175c5733662d4848ae0d406c2f0a4f498",
-	"735b0758d5a331b2304f01081172eb95ae4115de651b1a6693c5b9543de33df25d9f421dbaeca033fc8bff57313b482778005aa9fdcbca65c643da2f3320e34197868eec3848ff3c70d7ac7d910fc332e9a359f892ae01641be253013b554a0d3f249b3586b1857e5a0f9482ebd91432a852b221f4287a6e81ed24e8064645d5b28ab9a13b26cc1420ce73dbc47b31acf8a871601022ce23bc443b1222ce9a037a2fe5226295feb4efd4fd671338f459ae146032697cf82fc55c8fbf",
-	"c48d94f14549352790079fee69e3e72ebaa380510e3581a0824066413e7044a36ad08affbf9b52b21963d2f8e092ff0ac1c973c423ade3ece5d3bca852b894675e8173290529226939c24109f50b8b0d5c9f762ff10388833d99bea99c5ef3ebb2a9d19d2231e67ca6c9056d8834730605897426cd069cbeb6a46b9f5332be73ab45c03fcc35c2d91f22bf3861b2b2549f9ec8798aeff83ceaf707325c77e7389b388de8dab7c7c63a4110ec156c5145e42203c4a8e3d071a7cb83b4cd",
-	"553e9e0de274167ecdd7b5fc85f9c0e665be7c22c93ddc6ec840ce171cf5d1d1a476743eb7ea0c9492eac5a4c9837c62a91dd1a6ea9e6fff1f1470b22cc62359474a6ba0b0334b2739528454470f4e14b9c4eeb6fd2cdd7e7c6f97668eebd1000bef4388015630a8332de7b17c2004060ecb11e58029b3f9575040a5dd4e294e7c78e4fc99e4390c56534a4e933d9a45460f62ffaaba25da293f7765cd7a4ce78c28a85013b893a0099c1c128b01ee66a76f051dc1409bf4176e5afec90e",
-	"dea8f97c66a3e375d0a3412105ed4f0784f3973ec8c57b4f553d3da40fd4cfd39761de563ec96a9178804641f7ebbee48caf9dec17a14bc8246618b22e683c0090259e3db19dc5b6175710df80cdc735a92a990a3cfb166461ae713adda7d9fa3c4cf9f409b1467f3cf85d2141ef3f119d1c53f23c0380b1ebd728d7e932c535965bca41a414b6ea5bf0f9a381e098d282a554a25ce41980d7c7be75ff5ce4b1e54cc61e683f1dd817b8e2c1a430d7f895e5e7af13912cc110f0bbb95372fb",
-	"9dfda2e2f732867e60ed2b5fa99ab88eb82dc7a54334d02031258beef75fa4bd6962a1083b9c29e4eeb3e5ab8065f3e2fc732675b8d7705c16cfb4ef7305eb58120f1af5ddc55872a2cbde3a48661a0598f48f63e2e9aadc603545e2b6001748e3af9e86e1830af7b84ffd3e8f16679213d37cac91f07af0af02b37f5ed946ef5c955b60d488acc6ae736b10459ca7dabeacd7dabcfd656511ac913174f6d99327be59befe3e463a49afbb5235f0ce2840588c6edfbaaba00a4211c0764dd638",
-	"ddcd23e8b9dc8889b8599c721e7f8ecc2cbdca03e5a8fd5105f7f2941daec4e2906c654210bdd478374ddee43ee749a920ee91872e057a1157d384dcd111266221b3c79774476b4862fe450704ff2c5353e9a936cac87c96515c28ed4c830335a55d084cb5873c5fd2dd907f3266d8eb7bf13b6dd7cd4966982a0949efd8e428dae13daee549e01cc3c226211d6307823f742c5ef2155601a4644c46eddd603d4abd959c6d242e427768df3b1e22d87971df58a1564b38311a897c85b497a72556",
-	"39016647acfbc63fe55a74598bc1956eaf4e0cb49d532c5d8323fc6a3f15a0231597f06eafd74ad245e672bf6b21e4da503cb5bf9d15e9038ef354b38807564d91f38b4258378ccd9b9420a1562d7136196822a1291c913d83c4cd99fd8d420990c72cdc47607124de21da8d9c7f472fdcc780379f186a04da93cd87628abf323c8dadcd7fb8fbade37d7d2b5c9f9fc524ff77494c98f42f2158a6f68c906105ca9e8bb2df463863cfc1e9008d8344f55c4e3203dde6699b59812d49ce1279fa1c86",
-	"02cff7567067cbca5911664c6bd7daaf484181edd2a771d0b64566c3ab08d382e83932cdd7b4dbf86c9cdd1a4c353a511e68afb6746a507a9cd385c198246f4543d606c6149a5384e4ff54c1b90d663dc7a4b91aeac3cf716db7ca6f9a1914e3a33efe82e7ccc4215999c0b012782402db4726db1d7d1c73571d45739aa6fcb5a20eeb54a84d5f99902a8d356cbf95f34c9c28c8f2badfbc08c69233514493c0c04963268c88bc54039ab2999c7b06cba405936dfc43b48cb53f62e18e7ff8ff3f6eb9",
-	"5764812ae6ab9491d8d295a0299228ec7146148ff373241a510faee7db7080706a8dada87938bf726c754e416c8c63c0ac617266a0a4863c2582412bf0f53b827e9a3465949a03dc2db3cb10b8c75e45cb9bf65410a0f6e6410b7f71f3a7e229e647cbbd5a54904bb96f8358adea1aaa0e845ac2838f6dd16936baa15a7c755af8029ef50aed3066d375d3265eaaa38822d11b173f4a1de39461d17d1629c8df7334d8da1b6401daaf7f34b2b48d6556ae99cd29ed1073926bcda867421832a4c36c7095",
-	"4df3043cf0f90462b37d9106e67366d112e4938c4f06abae97869531af89e9feebce0812dffe71a226de5dc36be652e26ef6a4be47d9b2db5cdd43809a565e4fc0988bfe82037c505dd276b757b785203249fd083fb474a25acccc9f38dc5164ff9097e05989aa6e280739a755231f93670e7226e22046914c155bf33d135b3f736ccca84cc47ae643215a054b54b7e13ffcd7ad73cced9279dc3210b80700fcc757acfb64c68e0bc4da05aac2b6a99d5582e79b303c88a7ac4dd8ed4289516bba0e243527",
-	"bf041a11622715426c3a755c637d5f478dd7da949e50f05377bf333f1c62c671ebdbf9467d37b780c25f7af9d453fc67fafb2f065a3f9f15d4c3561eeaa73fa6c813bf96dcf02430a2e6b65da8d174d2558110dc1208bdcb7898e2670894c0b9e2c894da3b130f57a90ec8ea1bffd27a37b4da4645c546b2b141db4e2c919154dac00e78dd3eb6e4445974e3bb07905982da35e4069ee8f8c5acd0efcfa5c981b4fd5d42da83c633e3e35ebdc959bd14c8bacb52212b4334f94aa64d2ee183861db35d2d8a94",
-	"a170ceda0613adc9c3a1e427f07beacf3b16ed69fb42b6bc09a38d803f632ad2929dba215b85683b74e2feb1d18fe17d0ea0db84d1be4e2e73476917a2a4cff51d6eca7c5e82232afde00dd2286a4c20eb09800b4d5d80e7ea35b6965b9792d99e399abda8cf32174ae2b7414b9bdb9d63e148f7357635a7310b130c939593cd3479164724011966c4232142df9966f09422f34f20b30af4b640a2c6d3dd985fe0ba3dfa9083cbb9b8dfe540ff9f6c608d18481213040768ef33300d773f9890c724ead320a1e7",
-	"929477e9c2d0bbad3429a0e0de776695255013108261dc6404cb09828770e274d8bb650a50e490dfe917fc2047b0f8ee72e105927d9fa70523c727778cbf6ae876d641ad562938c870d12f2e047bb78920739dba0c3f8ce1fb77589623a5f1625f5d6ab81940c7dfc3dc3a641d82b2813629bab8282999317d6b93842334f123fb4693a9c2c9d8ba9bfc746642dfbd045cd2021b272eab7358aa954d453da53fc5392dfa7eb881f6f53809b692d27f3366595ff403289efcc691e118b4744a1147071d8909bef1e8",
-	"3e98bb14fff5bdf7db38a3960dc55ca7d02333daed8712cca13dd5bffd114636559279db72554cc0a0ee1f7e15557d77cab0f2f1131f94fe698db81be38300a856a5eca85e5cf915fb7b6f38ccd2f27350e62cc30ce10ffe835118be3d435d2342ed3d06199b7e20c8e34d68902f0ab8745bd8b7d5b863d525c1f5906d2dca598db8a0f1e67736182cac15677579c58b8c670cae1be3e3c882153b2aa2988933e579ec2d6dbb00c671da64443dfc027dee6dfc3233c99758304570a982bf9b2eb59ccd70d0b54c4b54",
-	"aa12c7fa50ffdc2811c1872e4bee15f43e6909212385c872eb489f7e06dc1787043f56126f8373bdfa4b3f61405c73dd4dfd3f40aa5cd207e8520849c26f67716a46c0989a99efff42f24e0736e327af8e607c401a1bac77341e9a78c91e35d55b2457bdd5317a405a1fcf7a2a23de68ef92b65819e8aa3807c545361dfc9fe89125123492da958dc313cb5d03cb4b192c54ac6b27fcbc498652f5ed36b587bb74942b3ad453a8d79e5ddc06ebf806dad5046b73251064582ef5777dc530f8701701761884783fdf197f",
-	"83e615cf6e17a29e63945710b548a6d9935850eec69830841e26cb6071e908bf72c87cf079ffb34c5eb1a390def72d004a9488224a18e189aa1092a0f1135712834d257a53dc1d0e2c6417d8f472ff13b181910f4c93a307420d44beec8875d5219a3160b8e921434ddf3f71d68db1c1d5c39d68edb7a604792f8b4e31ecda7895c99fc7031a5b98a22009c1da005ac8fd2da0b5d742743f5712d12fd76d11a18e487776ce21ca0d6e5ab9ca6d8c394c321b91c14e291399a642721361811a73b7392e8603a3004e7060bf",
-	"ae1a8f7bfe4b1a0fa94708921dadb2c20b938239d7b9a2c7c598528f20f49764d322ebe85a5b2ea15563cf2f2304baf55d6607c52e2e1160859dcb7af6d7856899eada0e9128a180d3de6fed9334ba52b80c5c362d5591a0ec30f86d37a399927eb1c53076a12d26775522c511c83eb5b7abc2a00bd2dfd5627a8febba53d85f9b74c4b7f0c862ddb0d9298899b646b774d6cc23e4e23ab47174fccd34499253996d5e0917210e2f6daa1685f89f2f1fdfd5509ebc38191d539ecfb54ff0f5bbe6ef36ea35d425af6462f518",
-	"1d033e06be253ab800c8176d3a9650ab2a5bcaa03e11ea95fb9ab3834b41eb0d1b2bcecfe219364c3104ef65a8d692bd77c798548b7d9a8faf7f5172db24ec7c93006d6e9839368291b8277a82c034a3731f1b2e298d6e0282ec8a7902e4f844d132f1d261d171375c646065e201849f2df73e3748d853a3122c2206aac92fea448500c5418ecfb3d80e0e6c0d51f85831ce74f6c659cc291f5348a1ef8b949f1b2a753633e382f40c1bd1b2f44748ea61127b6f568255ae25e1da9f52c8c53cd62cd482788ae430388a92694c",
-	"104bc838b16a641749dcf73c57b207ea3bcc84381170e4ca362065a3d492e892b426a1f4fd82f69461d1ce1f3aaf8fc291ea30d6667e7e1aea4c44f7d52a5fa6d34709e6658483260ff5da76bfb74e7d194ad40dcac00daf0e45e74db4bc2248100a8b256b257278c3c98f1f2e3a80cdb812352aaf4155b3a4033999fb9fe7f506994fcf3a8db31e9e5ca8ef8c2e9c6326ca5b0803724ba641950eca877fe6ed6afc2e014651c56d0e6a61eaff7c5ed0b861d4bebe42904c0a568c26aa8abb2e97da2bfb40f14eafb6bf16cd208f",
-	"5b92e4a175437d0a53eb10de2c56401720b11715a034459ebf506c3fd6534b5e817a0f09deac4bcfd353301d8d031b1331582ac09189b48e6ccea444655866c4bbd123d45ebabb774f877cf12d33b84cfca4a6a94f3f98869fcf2bbb6cc1b964c2438c2f348bcdf9001dce60a4706d20c169a040baa61cbeb0b8e58d505e6e3739ab03e110ae7efdf91347474033defbd1e86af322ec6456d3394699ca7ca6a29a70d9b10a38fe666eab2858bfe12dacb31568549c826c15af5b6fddf779954351be1872f04e53db7b3b5fbf61fd18",
-	"401cc7bd9f8227efaed70dad83fc8db3bd38efc166f0f11ab142c565c68ba9db680423a3d698b6f3476ef440051fd20b93f6a2ed045825567df5a65e3f62e4442ec396ad260a16a13a1dee46c7e8d88bdd7edf223ab76a9a787c1f4fe9925c051a4ca0e77a0e78baa29f36d193c862fd3a60653f544ea9e3f75f2f553891be8c1fb882f6a6aad118f576f3c2793efc67221b37a45ab6137434f6228cb002fc137b91fb8572c757f00736879453d64a8a868c131810ffdad9e9d028d132157ecb1da675d54047d19b27d3258c9b1bca0a",
-	"c20cf0354982ca6a19d9a4dbf78f810934db2373941a12c263adefa61a5f385c859bc47028829c531dc25ccc0004c7510e707175a102ec3c4b4c933e3f52033e67476ff5f864c446c042a21e6037f7798363d20267891b965879fde80af6b59d77862e3a229af01b7ac78b578e94bd9f9b073c38a627c1864df0083aabb17024bdab6c3c0f0f73d31d59480523a2f23b78baa0385c15f290114305d7f98786b7dbc17a8c2aad97448e8ea389e68ef71091a6a9735ac12ca5497b9171da11a93c28d3273f58b74e2e46279d3ce9d0b20d19",
-	"e2365c2754073b511f16a1881ff8a537541ca7362ae7b84223d3c7d1d49d03a37d6d05dd2b819af9705c015dacc9dda83474eb14b7d5fce6e8a8f8c58e870149338d320e5ae476da6749af45e65ffed550d225a39dc74ffd93ba7da476985d6f44e90fc8e82454496260458431804d802fe804d825f611772f9710667377adfb1a11e4275bcecb42175c515f6a9439a359824f82cc9d480954364e6693099a821ace362e6c7ecbe68be8823bb5b49b4f23ad81b64139e3b63d9d4d298a842f013ef0d91ce7915ee8f816c70ba2aa3994216f",
-	"9c43944676fe859327096f82049cf69e48b98715878400fdf2805e0d5ee642e6cc9c43739f418b701348a033c5cb96bf8702fcd2fac9be58262a843c1e4155ed8a1724b6ebf7cce659d88a95a0c54deb2d7d9574a45219b6419ee173d1d8fad3ace47c962b349abe1048565df85bbd0eb9b11698258c23598023a00fdd26573e41951452027125c6e894a97736ecd63fd15b29a55d8dd9dab7e2e18f541a2e341890a61b7c896e7dc67aa82f3479dacd4a8ec7558d40c34d9ae4060e13718d676c2450258d83de8a86e012813693098c165b4e",
-	"1c707c29582d98a0e99639211102f3f041660ca03ad0939fe3855b8c1b22d6a9b8673c93e3eabc0ab231509b2b0d73c76a290a363943d12d2ff0ea30c6dd54eda753767effe04cabb4c3966388fa4c83a1906a0f48519a5fba9aeb585e0f8c45d6123a75ebe98fd1d0272f733a3925119481a321fe7509346c05128302851ba17a137f956f184e057a305e79a148727a5926de6854eb0314d5492fd735fa773d99ea34c95ca7546bd3a3aa8e66bcc6d860cec3d35d0e2165d5fbe8be99b6e7967df6693e5a6243e94c9c4a2528ae6305cbeca209",
-	"8f1e88103ffa378f062cade0ec509bec99a5c73fb273e79dbef24abf718ac26ac23dfd2b8932038ed3cb9637b71643c161142019f45b25b4fa4c52356737a27027e805ec635154327a66bfe64efc6285cca98c34edc7fb6c0766970a545342cf840aec0a5ba1dd3c6949be4fe97b0f8c8186de07536fd9074db34d09b2f08af9dcf9424d6edbf9cd044102c0e5dc35aff78c36d079dbd2c500e19c8c985ae2abaf6b2a20716bb719754a8840ce97632116c4d0b0e3c83ccca27f11c4204b76b5d6cfe6348a9615d8e4af53500dc4c2cabf12ec8c76",
-	"b9a0c28f1a6156992c103a84655fc6e654fa6e45e45819513afa797024717c00cc195994512fd53ecd1e12dac4d2448e0c40308382312084d2111f7db147b2e6589ce6d977f6115f629508167df8f45bac98abd49f6b272bcc4fd874dd5e29fb6daceb2d727a2a892194cfb9269eda00626ac89b4e74bd29b21e9f6ef18cb69889a02d4f0a06a2e5718899c1dc3b051c2cfa29653e782f87fefa478e6465bf5ff27f8b6abdb500077aac97100bd955ec535a587d66f23354be51cd8170289344bac9451f74e8aee3639f7c09981f4885e018912324d7",
-	"456844a34ae1074246f8f71eeef2010ec8733265bed7c1cc60043d770edfa320cbd4284a94be2574337e16d27f125074ebd7e99031f7abb4547b9540a7b0b5148ef501b550dd929f3dfe39ac65519f563e9254424aaafa05b1d37c16c771882e9e25d4906ac58603da749adf686932cd73d81e2658134fe69294c7a521d257eaf2110c667fc9d6f09b52d24b93910e532184eeb96eae9d9c9750ac3c39e79367431ac1af7011172d0a8be46a31010219a0310a733068c589bfc4748f3626aa4ff8d355cc893d05111c287c9992e95ad47481a6c42d6eca",
-	"c5c4b9900b9727bdc24baa544cad5faf8340be6b3759361f53889f71f5f4b224aa0090d875a00ea7116772117dbefc3a81c6950ca7ceeae71e4ba975c50d61fec82e6d9448d3a0dfd10bb087bdf0673e3e19fa2aaa7e97eebf71f11b86034fcf5a61240c71444ac3da15ef09b27b3523d37d309e8722380f835c1aee4a767bb027ec0674040853e5b53d6a31657f51acff6d2487860becd5ce695696cfe5937f4a0217b69e01cc6facc24dfe5f5230b8692a0b718e3b3c789d682db36101795a9a5f8bbb838c3679be72f7941a1db180135347d0a884ab7c",
-	"1781df2fedd2c39137854737d054cd3ed16b0ade411e41d97888ac900fdb46d9ae26b3d2dd07e118fd57eabd0dfd03a55793c76420666444865371adffc9b2f35068a0d70f9cfda1ac27ccb4beff4ffa5b8bb8bddac843386675c38a181fd0d935d6d51b25d78e7ff4ecef27a9853c0f0d2879c395ed1c4883987d123890d04f851c3e042e1164c68c0d503de16816f4b0e554236e5f4c339ea11d01ce652f6208f78f457a2417a97c0a6a240f443262def4b6763abf53e597bf1a28f907dc7cbdc751a234ea7d75710ad5ab0c37e8e9805102a375abd44011",
-	"8963552ad1e729ead07750df599d734157aaa4bcdcac17e8eb19b4f99cdb162686ff433137aa4e8a0cc8df0053999196262115aec326cf37567d9ba4760e0ad21d5763977f1ab9b35c0fc667890fa87fc946ceb776a811b5adc69446bfb8f5d9908029dc5aa38db816e4a4e8f98e5a48cf0a01627031c5bd1ced8bc1940dcafe4ae2f1199b186468eafc07e96a89d95dc18ef0fed3eda5b58ce58f221a47ba5311313cc680367eeb058fafc7bcadce5f520b6371489d9e529278ae6ee2650a85aed82896879038bbd9aa8d685fc9528943ccf2235cdf69a86464",
-	"23ceae3008085134433f5de4b47bafe0f443d443491e6cd47b216dd2dcc3da65239515a6e6b9beb9a939ae9f1f1f5e11f88326475e0962f319d9bf75ddfb4a46e7cc3f799d7547f3c0b2e089018b75787b82ea1a7295e7411f4852f94c94170e98bb0647923b8eb7d184038e56560da46085540cbfef82b6b577c445d038f6c93fbfdfc96ab3a0191d20a57b8610efb4cc45cd95198198e6f80ac46b0601511885f650eb00992605be903bcb46cd53c360c6f86e476c4c9ca4ad052eb572bbf26eb81dd9c73bcbec137aea6ee27aa97dadf7bef733fa1555019dab",
-	"c0fd31e82c996d7edef095cccfcf669accb85a483ea9c59f368cc980f73da7202a95c5156c34192ae4ebf773c1a683c079b17ac9d08b4265b4054fcddaf6666ca50f38f1a2ef2497459a68c06837363a526e850ecfbd223f55dba67db017eadb7a9139abb5bf3854834478b838aafa16c5ee90ea52fb2f7b8db2bcefb85b06fc455c2b6c27d0af9a49dbf2f313bf2599370637393e7972b31d8bf6759f3e6115c618e672831f84d76ba1879c754144e1df4d56b1e264b1797dcb8ab165040c8d20b931071081d7f74fbff590bdc8e888e71acc6a720270da8db7c821",
-	"936fdab91fba396e4a8754a97a04ba333daadc29885c9d0c8fea3387165278f4974e468fea57f2bfd8428c4d0f010833283db73735d39de0c0cb5898d0c06c0ecd05f61098935cb6130a8da60d1a6c2ecfe420f972263fff5a631b09e81c837183c5528bb1c740b36fc39cb082f3383c2b4afb25d04ad1d1f4af63dcf26a0bf5a647cd2e35a51cc119c4dc5031f5715b3bfa1f2b92de06bdac0d670fdd30980f32c51f3936b51e5db6b95a8d36279da5faa4c4e454f2b7e54e9f488071011c7f6f9b63da260a2e46d796d36c9a9dcae88085806a10a77bbb670d475778",
-	"a55fe162b287bd6eebd6cf7e7aeea8672322d924ae42c7404ff89aedb98943f3755d2889bca488cc7000e6e9b8e7a0ef289273cd29c44cc600e330d1775e3cb767f12150e1615dca8c3f67466463a3ca993a1b788cf67a7a35b95dfff954206eb5ea1e1bf7fb06482a551625b5c9fd9a86e8414c8cf79d3a14104a153cbe04aac5172aa4c4a89349f5856c4262dd1d7317a7544c9afbbed449e7dcc2b58d9df6c9c9ed3883e42e80f5c2433550f30e73c7bce0fccdd880adc19282a392dae26a0108e7faf168cfc15937aeb046d60712603286b8ddfb27916b79242d56f1",
-	"2bd6976592408cdbc4e41dcd3ecfbb786775ddedef914d9058e6753f839fdfe15b17d549dbc084aa6cdf3befa0158aa84c5d58c5876144fd7e6c41ab7d42419d0dd353732e0e6d3fafc4f5626c07433390a4fd467197e85b5de7e2cf1c26cc575356adedcc0740008523b503df12ff571387726c5ccb280376d19cbacb1d7ce7aab8b13292c6a8b8881e949cbf6d4610d16ebba1d46cdb8d0459596e0aa683d0307bd926e14de19b9bfeaefa29d91b82248604673a455520cbb64eef3f38cfad8e126a3b1cfa1aaba53a784c8ae0c50279c0ecdab54095d36f67ace9b8ebbb",
-	"71913ae2b1c8729ed6da003c24a1d4f96e28d7faf55ca14ee0b2865282b9b61103ce6ee0b00b00aacf2081adedea5616f9dfd22c6d6d4f5907bcc02eb33edf92de0bd479794f51246d9b612b4543f6ff633c4fc83bfa6144c9d26721cdc690a3d5a8db54d8bc7873bfd32924eeb502810732b5ac2f1852bb021c401d26c39aa3b7eb09083093a9e89bf889b53383b5af61110aca1b9fdf38908c7d5a184fc5f46b3423a66a2749feb8de2c541c563987278dbd0513d99b732411012b5b75e385510de5f6839c3797dc094c9501d5f0504b06b43efb6e746f2129ca189c1da424",
-	"9d048a83294de08d3063d2ee4b4f3106641d9b340a3785c076233686dd3382d9064a349c9eaa78028d35652078b583e3f708e036eb2ced3f7f0e936c0fd98f5d0f8aa91b8d9badef298bd0c06843831279e7c0c67ca7e572f552cfdd984c12e924c08c13aeec6f7e13d161785546ebfd794b5d6a92a4744e52c4cab1d0df93b9468be6e264e8cfcc488f9c3c1817cbe501f4b9cc5999483b7433aea777226b25273a6ef2331b5f3b6db8091591e8e276015da3ef78bb2ee0526ffe23def2d8d193cbe594e8ced1f3d216fcedae2a1eb288da82e34cf98aebc28def658ee0849ae7",
-	"3251c96cbf82ee2e5264528c0b6cdfc23d20e1eb2d6441b5d62f0fd24c692a0d45a8bc8aac32884b7141ac0f4f113ec9fc7f6b4db3d696374177f9a42d602ca471275b928f639105a55b846da9ac7274cc37de8c38541f6895f94d72a81e117844b46601c201f7189b935a96e42505f2098ac985d92dfe86349a706ef6325b3c2e4060ced3c453e68ed09e043bcc75846b80118dc53530248da250fb57922d0afa53a7b2c89161aa4fa372a46b2a8e1307741cecedf585d2f998a9d496763800b6965c38a5d8aa566c709f13699c8185ab4fd8fdc8b824f4dd6d1c255b4788f50574",
-	"2de31dbc8a012254586f3229d3524fc529554e98850d30acdfc11406bba6a142029126ac165ee90b2de7509fc3571a8ee12e16b05054eb8baea879d135b39627f0d8331be3e66bc720c2096ce74e437daebf3bc53d8f2ccc228c3256d3edb6e9ae7c354a0c9350e6d663a9a30630bf9da3d96b96608a2a171ae28105714058b6c4b38a36c56561c4612c32aad25c65b7fb6faa4e4ecd44ebf9b2fad42ff9a807cda2581614fd30d41a7436069399b8d4f062a37a5bd4066a93d541fa5797a7d3e7dc9c4c40f0bbf5256f71613240f9ef128b3423eacaf428ada06b6a531f835281e4f3",
-	"07dadee629a08223dcd7ec441287b4c5e26347451d9c003e3a8496b4ea313b51126283a6720d7851e24423d9c9c818b4601247178f38a61f45fd4c8596d79529d416834226666a2c8552bbc901cc5cc3406a18fc88077fea52e1b620748553052ab7788c0d025b095b736fbe714cb3a968ec16b5917652eba2d7cf32ef3140d6c27b25d053e9786d24cd09a5306a0ef55e46201faa6196a91084267d7a7b5ca57c2efdeb2cb97d682d2a191b915553c8933f1d1b7faf0b4a1d83ef611f1e44438bc1c3d860fbfd12b5f26e5a6889a31ce26ae6a55c7a563b5816d113423ef3f25fa9befc",
-	"1d94166bb387526d519c4ce150221954da8930f66765fe6a5504e30a69962d595cfdd07a82c003843598864261f053bdb6f5086d516c261e089caa89990f0967605768ae9200bdfe4dcd7b77a93265cb33d9851a2a1036113c732bf3f37534530641300f0620de5c16101e16f4baf39d9fcbfcb01c52afce0992c329d8dbb438c314eee995c5020611d6f889e06b8a032785cba9a415580dbf752b5e510523c89f478cc6f047bd926f51e4a965c9749d1e76379c0e7e5b56803893bafaa4d2892b4c52f143b2fa777cd1035ea418684b8019df084f9a3f1f768753096621f342895c510d01",
-	"fc0073f199ed8a1d6edc8e7bdf182670003108d82b283aba82326e856f8de378987a03d0fe8d2041440fd29d51c63796aab44090d2b14ee00859b3a08cbe88f724badcd3c401226c5db8b307b8deea5be305412b080e9f99cf79d6d08d3646f347a7afebb62912e3e246e2e726f9aec5c101d916e47f984507b1d65d313697256c77da7eca3bc5811c87bee02a2826cefff0d92bae989609aaf95d70561b40d98474c37277c884aed887a1606d206b11e8a8a71d1f1d19319557b57351228ff0404be700a6cc56c0a30f3d4b7a0a046463fdaf19e7d5f59e155f378e35baa33db1e881f2207f",
-	"f42a6a91278d6a076feba985b1cf4ce0af1fa9d6d039c136e8971e665ff088a10b6b9a379a6f5526fc5957773a0ccb8972a4a19be0745ac13937030a54b18dee4f4c5df47a58a33a7516b90e646e5da999166ab0e52f457f7c9b7e391836a687eaae37b377e59a4c995ab0c57162c307ab951a9ba6590f429cd27250e7010eb794ec1b1ec35f8aad189b2fd3e8aff24d93601d91a4884e6f84b02757ce7620a02901519fccfda52f68ad6df709d112a9c25d66bcbb9622806427ca8b8d346b6db05874bde800cde9cf17df4b05baab0f133febd1ebbb053b49c109a7f5b1f864a304d10288e2f0",
-	"bbcefaf4a0739509f8a2f831c954071aac52e60cfa882a867b8b910dcf7edf92e1c0692bb027bc378c460a01cb6ecc8f2a012dd84ee5a678cd497b1457b6d393421fbee98ff544fc7eba24cbc3aae506254d9a2d74dde74437ce4c8a69010718506bf4c5943342a942e5e2d3406a3016280b6e37954c5d5e763346251afb0b746cad68cac757f9df765e092518729cfb9a5e76300c124e708ca33591a369767ffb63933cb72fba67beb2223d98984d0b75eb5d1a38615913747b520b3d613c715c0c77d2987bb88f3c419bcc5d38573cf4a8a4f550b2d876f05ca252d88c70a561d869a5018b32f7",
-	"dc2437010cb05d9cab2af5c275e1d2acd627ce19fb86355df91fb8d059e60d591663c8eb077d48388c9a321057a98136f49f0098348d9f29d808936f98bb1787c7ac75fb14f6076dfd2de5b59b1fa4848cabaa9a99a091dc24b561911c392ecdbe53f4adae82b852d830adea3a10490c908e337ce0a6d12354ce05a37ad3a06696b66820af8a1f67e6287533fd6f38a5f6ad1c6b078c08baf2c37d2683af01e6a5b33796c8ae48935a888f9bd265f4f11a4e27c433b8b1c9afd140bcd21a07e24378ad6badde8e47c57e3340f49e2406e8d49afadd65eaaa4c3d078c27d7e42118cb86cd248100a356",
-	"6c290db326dd3152e6fa9b9c0cd7d49e50a0221b96e32f5f34a8cb7d0c2edd3e937a7d025d6999b7b468add4d6894d8f7aceaabc18f4d9c171f1fe95ea1ae8570382a8450fbc595d95b1f51d24e1abc2970b0e1d20ca40aa21bdfb3656adf2f19882eda606f5ef1c03174e1d94c8d12f0fee8dce6852f42a364eeafa27a7971d4379405db8e46baac4d685b969238e5df06292a6c790bf1994a051b038e1d8db91e1bc4804f32443781c34a552ed2e8100cea374e77af56ba0e11c45990d3ba68df9087b1f4968cbcbb1c42f99b7267c76af926ff3134e093df28fab039cad420c6b70f2d9b5e678c155",
-	"ac724a22ebabaedbbb052953e3c264a4b6440f313bad501cdc1484b64f33402a2230898776db5c818c28035ffae6ea24abd04b7159e42159833903a0c23a7c564f7645e49ddedb748fd9e51bd6cbf2eced98caaa35226970f003ce1fd260ac5795e096f1c04aebf8fd36e5e2adeea929b5e963a3cb71d6b55c85bb7d3a2b03a7e74b4416de8fa68950168d7c3ae8ed2e29bad1e8a182a7c5418e5d564373163778cd3c34e9d320eb1a60480a8f98b12e0026cbd7752e6079812e3767d9f55f3f10b8c214a6eceb2a58954091a06b33862af171a9b60bf2c6a44e8766e6c56e98092c56f2a8510f6d05c103",
-	"8c70114f7cffb375c2b9a06e27297a5c32418b2daf68af5bbedcc7106edbc070e764bf40c1f8eb15079e2ab77f898afff3490108ed9afb7ea9cb05df41d263be0e42d2321d3d2656622d7bd232bf68d37375fe7314b09cba66f19c8b59424198ee69e7a9f3de0ecce0685127807ce336fa479ccaf7aa1ebc4e406271ce6c4923ec36093516498cc227f9218869346c80ba5ae83e023aca0ae2bc86b5bf5d115a4616b6587cb869d92f8c780ab70d5766de07a204af5e1c8dbba622516d2e911b36c82e4687e4d258ea616c07f76ff0baa376c8d5975cffac0b25817f779ae3ce88b72eb47e378484ce999bf0",
-	"0733d59f041036398233fd47a84b93f6778ae5259ef5d62aa3b9faedec34c7edb570c18b2a5d2c4c55cf656d98a1ae396d45a3b746b7ad6f07312c3d05d1a50ffa90bcdcdba105e25b7b0c52664223f8c2476925d46dc6ea2406ded7d0b0b292f6656cebcc7616cfa4b82aec68b35d1da67f6ed2bf0171849d6bb65128d8a140ea5cf97f1003f8d7093bee077be78def4f7bd2caccbf0644f26b26285225142c40038484c3bb9ba9597744f4389e76dca3eb695c33ccc621cab1fb603cb3535a0ad318d220385d5e94f8674f3d55e97e097f8d5c049e911946afbfce783819951d65d6bff4567dc951390d1aaa",
-	"398ddbba3dcb5642c102efa841c1fcdaf067062e7eef8e2ee0cd73d7f77e57372d6ee1a9b7b6f86ad12d575001ae71f593449cb5a476c6bfeddaa2af0f9239c1d7effdedf66ceaf413707b5ab9661a7cc0ef8cfe4d1651579c4f0f64e2d12a52653c54f2dd60864e769eab8a627c89c56ee93365d031f0d2523cb95664b1575d51b122f33c9e94de75432a690658c977b68aa5b721a393f9b9b3b612c10e920a7d510c6d8460b35f8614c42f5d2c241a01b28105aa7c1b521ac63ebbedafac6d5a38c898e8590f918a1927bc53aecc2b1c8b18d7df9107c6997d9b3fa4b0bdb1c603da619d9e75670b97a5b40f06",
-	"ef07bbc7c4150dd47f8c69a7989948fe831dc798b0424dcd6551bfa8e88216095a7e5d720909bf3d23526b9ba464b66ff6b63a7337c31451ab9a15f04ead809a62bb52206237de77597a730106d02d227dd6099ea9ee2a92cdc446ac3b9d024e32255adb3e9b56b561c431e0b5a721f0336f19568a5335d0ebc6c73ed8ff2c15e219477d9e4b67f2928e251f8a61a2848857e037d010806c718ab062967fd8e85f3722252957923f5f9005aae47b4b1b3fa464e3ba9df573a56055f17e903126fbbcb6cb96de92fe617c97f84ef3ba0d8f2651dc4aa80c157f372ae1bc02e5067ad076f3fe48bb72c0f3c99273f82b",
-	"c7076986d2333f3a6752adf11f1a9e5c6bc4755f341073cc86a9c7519c8db029d5ae833fdf3fee826ff4692c57880c5074620ea97c00f1dde1e8a0f18501627984ded4d1b5c4af35be5cc1bcc868060a49a968dc0547acde490b4c68d79924a93a986aa0ad060c7de706e8a99ce8f84a4f8707b52a8ee122b763ba580d6b1f35f6af25094c69f49247da96c836991851ad36f60bf577863d7471608a012afa7a56656abeee7cd9b4f1f4d9d13a8526c0f33cd251caf7486639e787250390e7e488e9ec311fc3d847a7266cc59bcc2bc34192554aa57cf25db10ce04bdabef3fde6db85f55195ecc2ff892b2e268ebea6",
-	"01789f40d42d8d3e4a416fd9ae7de78c3a30507809eda200e1afaaf8d7020cd1fad18eba62d821946f220506cf105ff0e2069a771a2c233714afa6b2f695497e4b95c9693dbb93ec4c9a14720676aa87ee31dd34e4e081756477032b4a57b328285f2cdec1b269754c474936927e93acc26012aff1bb36f30c2402aca0a9b9ce9568f5000e2c934263933b436c94f8d6589c89db7edabc5d03a8fe795fe50c5166beab64ed7c22662b984ae2c66dbe4c090b0df603b27c759278f8d66859afea3f6a8f02c2c2a2202b9fc29132256f164b5050a803b43688dc4c9ba86374a3522afba5d1a19bb3820b883aebc267627095",
-	"2c61944bd6a50da00ebb951d2b67d79fc6b6fb5aca83b1de3dbd7690ab756bb1e1a21051ccf1e24136ac8ccb42a2ee10be94d2cb9289d5f52b6f90e9d07a3478f36a1eb7d08c3dec52ca154fd1427ba92a4ecbe73a71bceafbd26e9a39d50821e2876d3a0c0e6e373b9795dbf72ea29cc439ff42706be798c90d4617b39c90ec84bf9fb699dc8a9a34e25d81759d6c57df45efb1d0d68aa51278564b99633ed5dc464bb7d53c5c21f798f33bcd868657ecfe75a1ed8149d394b398969ef624831b30f1458465bfd2fdf3f284f2ffc54bf2817b5fab2e02056e864f78bb6fd870c64f3609dab218f25da8060f756e45121e79",
-	"942fa0c68cc72f69518a3a7aac0cde45bab0e928b5cb2bd24d049fc313f74b6afa87c4e34150484f3b5200163f8a6472d04777928ecc49319539fc17d71a38090f55a74f757fe45781a3c09f08dcd3dd4c73c8533a5e00cf8a86ebe77fe45be2848574f7c5d25e9a0632a60d2dd41febdbf987d2a0487e4a4ce6ed5f49f2d741a88ecac232b1498253fa4ee8147bbd0f600abdf295e81f7570015aac5fe6ca7bb4a99bb3fc54287106d7fc1132a574af49db82a7b9a5f33e193cde527ca2176c52cdab672165e0fe5720f71ada57ee90060aa069ae2a0bfe67c1b71b17c601c3c2224bf9891bc11ba216e3ebcb51fd95b8d7cb",
-	"0d68cfe9c087ec116fe7572042385159cc705960f842aabad1ed1387ec1697f4413a23c6090041328fedd4b626c6eeaac5b5a71acc1fd1bb8fbd228857ac5bd045c364be7a5a26338ff04c99c4c473cf445a891db6422d1bdef4533442df171643fc36a092fabb464298e4194c9e2950884de13d113ee24160a416404c16ddc5d2476cb3fb80da543e6ed9105f6003977acb34e1fdd2cbdf7a00d5ff84350b74ac231418c0d88269d02d824802791ff42a51cc835deb9869a6023f867f82ef6dc0bfb03e6dfa835646bb18a4074773486e308aa39e532aaea4e6fb35dcada7e060f8282c371ed26d22302323d4fd142a85534671",
-	"45e24b167a0bbef1bd8f79dd047763d0754f36a7b623f298059d177e8ac994945c37d2c4af06f01318960301595941124592f2995af1459d854339998d3ae17534df2d9793d6e203857d02c98a0cd88991e641b3e640090ba303f87b907dca8ca462fac19ad079b2c82ea5b521ab891b10138b083b3d9fa214a8fe60d1cb3599c5d199c61a2cfb7ee2f39e5a5abad5ac4998b707545f73e92128d21803420526d2598a53bb314adf29a0ef56b94bd2221601eb53ecb8540e8fffd38fba7bd827ef255e4ef55491475c0f383a241f81c72af4e1dbf2a65cd4d18a497615aa0de2791a3511a7977a8d4d41492bfa4085f2fd4e8f751d",
-	"1c1bb695ae90e6e33fc1e8b2a62ab98bf835ac7193440f2351c8cdd830472b637d2fd9c9013cb83caef506abc1c4f7567706db6046b1d184579c7a9223ab1b35e32898c70a3c27628123ffcfa518612f080a2c4a9f8e0a927a47dc98307d2b48de9d5dddcb5c82f0b0e4e610d44f1baa9bbbf7f5a727134680bb7d1327b73b52d8e5e36dbb53971e99e699d79f75a3fc01316bd7012947d119d6aeb7f75b8fbf0479c03002148553fa0da450fd59d4f1bebc252caa11ed9bec5b6ef54279b5f8382b61cffc67ec03f4baa7ea476c31364b86aa8ccad9fd0818717f0ced2dd49477874b4341c602d7a1beab860eb476c7e3ce597e6926",
-	"7a3cd9bb2277e2c7f1134fe7233f0f7883c2db9fba80aa5742b03041de0fe589d9e5ea84470dabf41bb66816f3e33ebf19a0ca5aba1004cf971249b258ff26a98dbd0c37ec6cd574854109433357720040bafed4531e0079186b1e853e0ced35d08d27f6d732ed6e2c6651b51cc15c420a24f2dc36c16ef4b3896df1bb03b3963f9aaeb02a48eac5772abd5948c2fd0db2bb74e3351e5eabd681c4f413655bd94dec96b1544c1d5d2d1df4bdc26020d25fe81d5238de824687a5505e1fbe08d11b3924b3ccc070fd225bf01eb79e3d21f7b62a836cd3bcc11c931669c37613470e356143df87c48848a829f5e018973a5db88eb6c60203",
-	"3f158afd0733fcc5dfe1efc2dd4eada732f942af734ee664955bb1ba613eafd0f349e7554a14d68200c62d8f2dca2ec8b81c8350735eaf437041f78b452598825b6899560963ade66a0fc74ad01f8343d1d19c7bb327a8dc14ffdb1c42fa72b2970d9155e2da6a2e6419d4117842d826ff38ffab9617307a0283d3ea28c8104ad9a6e087bb750ed1d10fd8f7100b1663682e979d80e43968c33d9eff66f4d1344e583ee521e78d0a2193c0577516b978339c143bfc689bc744bbc4a9163063de82c9706384b6b385e54666c86b34f23c1e25be293af06092ca31d857e11e5b2caf0d19dd3afbe85380878eda76d718b4bb869c67e044e242",
-	"a177af4387b9bfa3d59e97ee7b0ff5f4ae4a326fd9204c8d28831a67fcc385ee6c4828247b16d11aea9bb8cd9e6c4d2876c6b2fa6d5041ad39e1b04039071e29c4d86417e7eac4fc7d3823958a021823e2c880a757dfbcd0c8196371db5bbfac15e4d1a0596508b6d26f8c4a664924c95082d173f817995b44c4285d625d9b2f56c86632fe1295c5a8a7a3760028072bcb07bc245a705e7174d06b9d5c0c8ca495b9ac218f1921fa63f2db3fd148f07545366d008fb5aead7497d902b91fbaa39669929d4ae9d07df8557f1f0aed7b51252f10c6606e5ff3ede1327530ca356b4896ecf14bf7322d77fddfbe28d52f6de7f66eeb81704c87e2",
-	"01a15b9018e35cc342c926b01d03ad9db4993a6bf92e0555969fee90033f28f3ec234c1268b11b040dfa0770d4ceb39edfeb8ee6a589f4eebcc08d2d1b0a1a52953aa26eb44fdf4a2743c3dacb212a0c0f325572f645f53027b6f3c0c55abaeb1b0918c89bedcb5028f094d743ea354f8ff553c45f111a8fd5a14a4e5c835164747d302472e19a67da04b4c8e39756a9d248ce14d1ed43de75aca86850f2455eccd4639b2af035bb3f504cc9065d091c1c47e036083cb3fc50bf39292b11737c7ce0b49673ba93981de304dc65a671775b6ff927e3ff93850b214fffb5792105a4bdc81354d5b09e84afbdd1792b8fb4e9d0ae3dad2492b03282",
-	"24f07ae31279ceed18ec6d35990f21200934ad6b132c6c62e82fe92a40a0e60a5bed10720eff5a1f728971888682772b2d9060d4fee88f37d0824e7384dddcc549475f0e1a44eda4804778b62febe46e04657a20577ee70acb3425e334881eebd8ddf714ae8c527ea747e3367de384e595a43b299b6bb3f6b0a4716cf90038e0f75a47d5057d7fcc3c8a8f9224992c67f8ae0d3251ea09a24aed9ce57ab637f6b3cbb7083df62b6287f64d0877984c4249d113bdb2b07865082aa24cd7ec07061b17de320f51f29f25b82d7073d369cf2dbf96310c0c311997911b2cc02f606f9cd99663c57e78499192a2a78f9c9fa67013e0f9817287faa69b22",
-	"4aeb32bf9d050f10bea18d9f71b4afea7bd08550e574e7d50df234c7413668b297b6721d7a0f0bdcdcceb2f55adddea28cd59bd44be0c5ec067039e428706caae11f565d961ad6e7f4c51b0aed6d05cc5b8d826c4b9c39daefb6c7da46dce619a359dc9ce215a215218fa8d54ee0b4f301b6c201c7c2c5f7cb1c6e0cb76ba6c6e8f63ef7a5213d550b0d0857fa0ff9e3e38e497161617413ac066e2fa539520233193a5cb7baa0c2cb20b45e56bfed2c40a9544d1f230dd0cd6d4976e7cf51da8a13200c3957c0154c8237b2931ce19b824963ac576ea49b548cc6aa85c47796b470fb2c6308d88f390bb13607e294c84a838b2713b14ca6a5e8bcee",
-	"77e607478be5502432230c913d9ec82f967d87c0ee169a74076f989648853eca693277287f8a5b306bc94dfdbf64ca5cb5dfc0bc498589d51a691b8d57d4b0a9ee247d038fe1b5571183be3e75c37045bf1235863ff1b84b208c10e7f1a5ba54ff36af5b2870129867164d013e0a6d2cc067a3509bba2f46390302c80b651cf590ef69aad8effd94cab28a9b44be6a38b58cfc47c9c725d6fa467894163383b6873d10d263b1cbbad932ded59ab503920267ac026726f794a335a88f6ef564f8968c6fa6f5d3ea161eb6062ca349b9a0e4038273399cfa297a6b07ceda1ebaa99c9de2d935ee230a08c5a488ad46f3393243371d40916b8063cac9da63",
-	"50957c407519951bd32e45d21129d6b83436e520b0801ec8292d79a828106a41583a0d607f853dc4410e0a1427f7e873455a75df065cfc6eef970f7e49d123b346976460aadd91cf513c140c356442a84656904a8b1d708dc6089db371c36f4fe059c62302eaab3c06c0cb3b429961f899dcf99798464b8571a440cac7a52b495f32417af6bc8f58adc63647531f804b4e96273b29b42434c1236bde80ba3744fef7b1d11c2f9db332b35bc25123338ac9a0796aac213c9709b3c514ea7ecd80e22d3d8a74f28c8194418a6e1ff30714d0f5a61c068b73b2ba6cad14e05569b4a5a100da3f91429d6e3ffee10ceea057845ec6fc47a6c5125b22e598b2dc",
-	"f2273ec31e03cf42d9ca953f8b87e78c291cb538098e0f2436194b308ce30583f553fccb21ae6c2d58f3a5a2ca6037c1b8b7afb291009e4310a0c518e75314c5bb1e813bf521f56d0a4891d0772ad84f09a00634815029a3f9ad4e41eafb4a745e409ef3d4f0b1cf6232b70a5ce262b9432f096e834201a0992db5d09ffa5cbc5471460519a4bc7cdc33ae6dfe6ffc1e80ea5d29813136406499c3514186ced71854a340701519ef33b6c82ca67049ab58578ff49c4c4fbf7d97bfec2ecd8fbefec1b6d6467503fea9d26e134e8c35739a422647aaf4db29c9a32e3df36e5845791fdd75a70903e0ce808313a3327431b7772567f779bbaee2e134c109a387",
-	"5784e614d538f7f26c803191deb464a884817002988c36448dcbecfad1997fe51ab0b3853c51ed49ce9f4e477522fb3f32cc50515b753c18fb89a8d965afcf1ed5e099b22c4225732baeb986f5c5bc88e4582d27915e2a19126d3d4555fab4f6516a6a156dbfeed9e982fc589e33ce2b9e1ba2b416e11852ddeab93025974267ac82c84f071c3d07f215f47e3565fd1d962c76e0d635892ea71488273765887d31f250a26c4ddc377ed89b17326e259f6cc1de0e63158e83aebb7f5a7c08c63c767876c8203639958a407acca096d1f606c04b4f4b3fd771781a5901b1c3cee7c04c3b6870226eee309b74f51edbf70a3817cc8da87875301e04d0416a65dc5d",
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2x.go b/vendor/golang.org/x/crypto/blake2s/blake2x.go
deleted file mode 100644
index eaff2a7f..00000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2x.go
+++ /dev/null
@@ -1,178 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2s
-
-import (
-	"encoding/binary"
-	"errors"
-	"io"
-)
-
-// XOF defines the interface to hash functions that
-// support arbitrary-length output.
-type XOF interface {
-	// Write absorbs more data into the hash's state. It panics if called
-	// after Read.
-	io.Writer
-
-	// Read reads more output from the hash. It returns io.EOF if the limit
-	// has been reached.
-	io.Reader
-
-	// Clone returns a copy of the XOF in its current state.
-	Clone() XOF
-
-	// Reset resets the XOF to its initial state.
-	Reset()
-}
-
-// OutputLengthUnknown can be used as the size argument to NewXOF to indicate
-// the the length of the output is not known in advance.
-const OutputLengthUnknown = 0
-
-// magicUnknownOutputLength is a magic value for the output size that indicates
-// an unknown number of output bytes.
-const magicUnknownOutputLength = 65535
-
-// maxOutputLength is the absolute maximum number of bytes to produce when the
-// number of output bytes is unknown.
-const maxOutputLength = (1 << 32) * 32
-
-// NewXOF creates a new variable-output-length hash. The hash either produce a
-// known number of bytes (1 <= size < 65535), or an unknown number of bytes
-// (size == OutputLengthUnknown). In the latter case, an absolute limit of
-// 128GiB applies.
-//
-// A non-nil key turns the hash into a MAC. The key must between
-// zero and 32 bytes long.
-func NewXOF(size uint16, key []byte) (XOF, error) {
-	if len(key) > Size {
-		return nil, errKeySize
-	}
-	if size == magicUnknownOutputLength {
-		// 2^16-1 indicates an unknown number of bytes and thus isn't a
-		// valid length.
-		return nil, errors.New("blake2s: XOF length too large")
-	}
-	if size == OutputLengthUnknown {
-		size = magicUnknownOutputLength
-	}
-	x := &xof{
-		d: digest{
-			size:   Size,
-			keyLen: len(key),
-		},
-		length: size,
-	}
-	copy(x.d.key[:], key)
-	x.Reset()
-	return x, nil
-}
-
-type xof struct {
-	d                digest
-	length           uint16
-	remaining        uint64
-	cfg, root, block [Size]byte
-	offset           int
-	nodeOffset       uint32
-	readMode         bool
-}
-
-func (x *xof) Write(p []byte) (n int, err error) {
-	if x.readMode {
-		panic("blake2s: write to XOF after read")
-	}
-	return x.d.Write(p)
-}
-
-func (x *xof) Clone() XOF {
-	clone := *x
-	return &clone
-}
-
-func (x *xof) Reset() {
-	x.cfg[0] = byte(Size)
-	binary.LittleEndian.PutUint32(x.cfg[4:], uint32(Size)) // leaf length
-	binary.LittleEndian.PutUint16(x.cfg[12:], x.length)    // XOF length
-	x.cfg[15] = byte(Size)                                 // inner hash size
-
-	x.d.Reset()
-	x.d.h[3] ^= uint32(x.length)
-
-	x.remaining = uint64(x.length)
-	if x.remaining == magicUnknownOutputLength {
-		x.remaining = maxOutputLength
-	}
-	x.offset, x.nodeOffset = 0, 0
-	x.readMode = false
-}
-
-func (x *xof) Read(p []byte) (n int, err error) {
-	if !x.readMode {
-		x.d.finalize(&x.root)
-		x.readMode = true
-	}
-
-	if x.remaining == 0 {
-		return 0, io.EOF
-	}
-
-	n = len(p)
-	if uint64(n) > x.remaining {
-		n = int(x.remaining)
-		p = p[:n]
-	}
-
-	if x.offset > 0 {
-		blockRemaining := Size - x.offset
-		if n < blockRemaining {
-			x.offset += copy(p, x.block[x.offset:])
-			x.remaining -= uint64(n)
-			return
-		}
-		copy(p, x.block[x.offset:])
-		p = p[blockRemaining:]
-		x.offset = 0
-		x.remaining -= uint64(blockRemaining)
-	}
-
-	for len(p) >= Size {
-		binary.LittleEndian.PutUint32(x.cfg[8:], x.nodeOffset)
-		x.nodeOffset++
-
-		x.d.initConfig(&x.cfg)
-		x.d.Write(x.root[:])
-		x.d.finalize(&x.block)
-
-		copy(p, x.block[:])
-		p = p[Size:]
-		x.remaining -= uint64(Size)
-	}
-
-	if todo := len(p); todo > 0 {
-		if x.remaining < uint64(Size) {
-			x.cfg[0] = byte(x.remaining)
-		}
-		binary.LittleEndian.PutUint32(x.cfg[8:], x.nodeOffset)
-		x.nodeOffset++
-
-		x.d.initConfig(&x.cfg)
-		x.d.Write(x.root[:])
-		x.d.finalize(&x.block)
-
-		x.offset = copy(p, x.block[:todo])
-		x.remaining -= uint64(todo)
-	}
-
-	return
-}
-
-func (d *digest) initConfig(cfg *[Size]byte) {
-	d.offset, d.c[0], d.c[1] = 0, 0, 0
-	for i := range d.h {
-		d.h[i] = iv[i] ^ binary.LittleEndian.Uint32(cfg[i*4:])
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/register.go b/vendor/golang.org/x/crypto/blake2s/register.go
deleted file mode 100644
index d277459a..00000000
--- a/vendor/golang.org/x/crypto/blake2s/register.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.9
-
-package blake2s
-
-import (
-	"crypto"
-	"hash"
-)
-
-func init() {
-	newHash256 := func() hash.Hash {
-		h, _ := New256(nil)
-		return h
-	}
-
-	crypto.RegisterHash(crypto.BLAKE2s_256, newHash256)
-}
diff --git a/vendor/golang.org/x/crypto/blowfish/blowfish_test.go b/vendor/golang.org/x/crypto/blowfish/blowfish_test.go
deleted file mode 100644
index 368ba872..00000000
--- a/vendor/golang.org/x/crypto/blowfish/blowfish_test.go
+++ /dev/null
@@ -1,274 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blowfish
-
-import "testing"
-
-type CryptTest struct {
-	key []byte
-	in  []byte
-	out []byte
-}
-
-// Test vector values are from https://www.schneier.com/code/vectors.txt.
-var encryptTests = []CryptTest{
-	{
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x4E, 0xF9, 0x97, 0x45, 0x61, 0x98, 0xDD, 0x78}},
-	{
-		[]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
-		[]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
-		[]byte{0x51, 0x86, 0x6F, 0xD5, 0xB8, 0x5E, 0xCB, 0x8A}},
-	{
-		[]byte{0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
-		[]byte{0x7D, 0x85, 0x6F, 0x9A, 0x61, 0x30, 0x63, 0xF2}},
-	{
-		[]byte{0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11},
-		[]byte{0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11},
-		[]byte{0x24, 0x66, 0xDD, 0x87, 0x8B, 0x96, 0x3C, 0x9D}},
-
-	{
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
-		[]byte{0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11},
-		[]byte{0x61, 0xF9, 0xC3, 0x80, 0x22, 0x81, 0xB0, 0x96}},
-	{
-		[]byte{0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11},
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
-		[]byte{0x7D, 0x0C, 0xC6, 0x30, 0xAF, 0xDA, 0x1E, 0xC7}},
-	{
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x4E, 0xF9, 0x97, 0x45, 0x61, 0x98, 0xDD, 0x78}},
-	{
-		[]byte{0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10},
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
-		[]byte{0x0A, 0xCE, 0xAB, 0x0F, 0xC6, 0xA0, 0xA2, 0x8D}},
-	{
-		[]byte{0x7C, 0xA1, 0x10, 0x45, 0x4A, 0x1A, 0x6E, 0x57},
-		[]byte{0x01, 0xA1, 0xD6, 0xD0, 0x39, 0x77, 0x67, 0x42},
-		[]byte{0x59, 0xC6, 0x82, 0x45, 0xEB, 0x05, 0x28, 0x2B}},
-	{
-		[]byte{0x01, 0x31, 0xD9, 0x61, 0x9D, 0xC1, 0x37, 0x6E},
-		[]byte{0x5C, 0xD5, 0x4C, 0xA8, 0x3D, 0xEF, 0x57, 0xDA},
-		[]byte{0xB1, 0xB8, 0xCC, 0x0B, 0x25, 0x0F, 0x09, 0xA0}},
-	{
-		[]byte{0x07, 0xA1, 0x13, 0x3E, 0x4A, 0x0B, 0x26, 0x86},
-		[]byte{0x02, 0x48, 0xD4, 0x38, 0x06, 0xF6, 0x71, 0x72},
-		[]byte{0x17, 0x30, 0xE5, 0x77, 0x8B, 0xEA, 0x1D, 0xA4}},
-	{
-		[]byte{0x38, 0x49, 0x67, 0x4C, 0x26, 0x02, 0x31, 0x9E},
-		[]byte{0x51, 0x45, 0x4B, 0x58, 0x2D, 0xDF, 0x44, 0x0A},
-		[]byte{0xA2, 0x5E, 0x78, 0x56, 0xCF, 0x26, 0x51, 0xEB}},
-	{
-		[]byte{0x04, 0xB9, 0x15, 0xBA, 0x43, 0xFE, 0xB5, 0xB6},
-		[]byte{0x42, 0xFD, 0x44, 0x30, 0x59, 0x57, 0x7F, 0xA2},
-		[]byte{0x35, 0x38, 0x82, 0xB1, 0x09, 0xCE, 0x8F, 0x1A}},
-	{
-		[]byte{0x01, 0x13, 0xB9, 0x70, 0xFD, 0x34, 0xF2, 0xCE},
-		[]byte{0x05, 0x9B, 0x5E, 0x08, 0x51, 0xCF, 0x14, 0x3A},
-		[]byte{0x48, 0xF4, 0xD0, 0x88, 0x4C, 0x37, 0x99, 0x18}},
-	{
-		[]byte{0x01, 0x70, 0xF1, 0x75, 0x46, 0x8F, 0xB5, 0xE6},
-		[]byte{0x07, 0x56, 0xD8, 0xE0, 0x77, 0x47, 0x61, 0xD2},
-		[]byte{0x43, 0x21, 0x93, 0xB7, 0x89, 0x51, 0xFC, 0x98}},
-	{
-		[]byte{0x43, 0x29, 0x7F, 0xAD, 0x38, 0xE3, 0x73, 0xFE},
-		[]byte{0x76, 0x25, 0x14, 0xB8, 0x29, 0xBF, 0x48, 0x6A},
-		[]byte{0x13, 0xF0, 0x41, 0x54, 0xD6, 0x9D, 0x1A, 0xE5}},
-	{
-		[]byte{0x07, 0xA7, 0x13, 0x70, 0x45, 0xDA, 0x2A, 0x16},
-		[]byte{0x3B, 0xDD, 0x11, 0x90, 0x49, 0x37, 0x28, 0x02},
-		[]byte{0x2E, 0xED, 0xDA, 0x93, 0xFF, 0xD3, 0x9C, 0x79}},
-	{
-		[]byte{0x04, 0x68, 0x91, 0x04, 0xC2, 0xFD, 0x3B, 0x2F},
-		[]byte{0x26, 0x95, 0x5F, 0x68, 0x35, 0xAF, 0x60, 0x9A},
-		[]byte{0xD8, 0x87, 0xE0, 0x39, 0x3C, 0x2D, 0xA6, 0xE3}},
-	{
-		[]byte{0x37, 0xD0, 0x6B, 0xB5, 0x16, 0xCB, 0x75, 0x46},
-		[]byte{0x16, 0x4D, 0x5E, 0x40, 0x4F, 0x27, 0x52, 0x32},
-		[]byte{0x5F, 0x99, 0xD0, 0x4F, 0x5B, 0x16, 0x39, 0x69}},
-	{
-		[]byte{0x1F, 0x08, 0x26, 0x0D, 0x1A, 0xC2, 0x46, 0x5E},
-		[]byte{0x6B, 0x05, 0x6E, 0x18, 0x75, 0x9F, 0x5C, 0xCA},
-		[]byte{0x4A, 0x05, 0x7A, 0x3B, 0x24, 0xD3, 0x97, 0x7B}},
-	{
-		[]byte{0x58, 0x40, 0x23, 0x64, 0x1A, 0xBA, 0x61, 0x76},
-		[]byte{0x00, 0x4B, 0xD6, 0xEF, 0x09, 0x17, 0x60, 0x62},
-		[]byte{0x45, 0x20, 0x31, 0xC1, 0xE4, 0xFA, 0xDA, 0x8E}},
-	{
-		[]byte{0x02, 0x58, 0x16, 0x16, 0x46, 0x29, 0xB0, 0x07},
-		[]byte{0x48, 0x0D, 0x39, 0x00, 0x6E, 0xE7, 0x62, 0xF2},
-		[]byte{0x75, 0x55, 0xAE, 0x39, 0xF5, 0x9B, 0x87, 0xBD}},
-	{
-		[]byte{0x49, 0x79, 0x3E, 0xBC, 0x79, 0xB3, 0x25, 0x8F},
-		[]byte{0x43, 0x75, 0x40, 0xC8, 0x69, 0x8F, 0x3C, 0xFA},
-		[]byte{0x53, 0xC5, 0x5F, 0x9C, 0xB4, 0x9F, 0xC0, 0x19}},
-	{
-		[]byte{0x4F, 0xB0, 0x5E, 0x15, 0x15, 0xAB, 0x73, 0xA7},
-		[]byte{0x07, 0x2D, 0x43, 0xA0, 0x77, 0x07, 0x52, 0x92},
-		[]byte{0x7A, 0x8E, 0x7B, 0xFA, 0x93, 0x7E, 0x89, 0xA3}},
-	{
-		[]byte{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBF},
-		[]byte{0x02, 0xFE, 0x55, 0x77, 0x81, 0x17, 0xF1, 0x2A},
-		[]byte{0xCF, 0x9C, 0x5D, 0x7A, 0x49, 0x86, 0xAD, 0xB5}},
-	{
-		[]byte{0x01, 0x83, 0x10, 0xDC, 0x40, 0x9B, 0x26, 0xD6},
-		[]byte{0x1D, 0x9D, 0x5C, 0x50, 0x18, 0xF7, 0x28, 0xC2},
-		[]byte{0xD1, 0xAB, 0xB2, 0x90, 0x65, 0x8B, 0xC7, 0x78}},
-	{
-		[]byte{0x1C, 0x58, 0x7F, 0x1C, 0x13, 0x92, 0x4F, 0xEF},
-		[]byte{0x30, 0x55, 0x32, 0x28, 0x6D, 0x6F, 0x29, 0x5A},
-		[]byte{0x55, 0xCB, 0x37, 0x74, 0xD1, 0x3E, 0xF2, 0x01}},
-	{
-		[]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
-		[]byte{0xFA, 0x34, 0xEC, 0x48, 0x47, 0xB2, 0x68, 0xB2}},
-	{
-		[]byte{0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E},
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
-		[]byte{0xA7, 0x90, 0x79, 0x51, 0x08, 0xEA, 0x3C, 0xAE}},
-	{
-		[]byte{0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE},
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
-		[]byte{0xC3, 0x9E, 0x07, 0x2D, 0x9F, 0xAC, 0x63, 0x1D}},
-	{
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
-		[]byte{0x01, 0x49, 0x33, 0xE0, 0xCD, 0xAF, 0xF6, 0xE4}},
-	{
-		[]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0xF2, 0x1E, 0x9A, 0x77, 0xB7, 0x1C, 0x49, 0xBC}},
-	{
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x24, 0x59, 0x46, 0x88, 0x57, 0x54, 0x36, 0x9A}},
-	{
-		[]byte{0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10},
-		[]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
-		[]byte{0x6B, 0x5C, 0x5A, 0x9C, 0x5D, 0x9E, 0x0A, 0x5A}},
-}
-
-func TestCipherEncrypt(t *testing.T) {
-	for i, tt := range encryptTests {
-		c, err := NewCipher(tt.key)
-		if err != nil {
-			t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err)
-			continue
-		}
-		ct := make([]byte, len(tt.out))
-		c.Encrypt(ct, tt.in)
-		for j, v := range ct {
-			if v != tt.out[j] {
-				t.Errorf("Cipher.Encrypt, test vector #%d: cipher-text[%d] = %#x, expected %#x", i, j, v, tt.out[j])
-				break
-			}
-		}
-	}
-}
-
-func TestCipherDecrypt(t *testing.T) {
-	for i, tt := range encryptTests {
-		c, err := NewCipher(tt.key)
-		if err != nil {
-			t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err)
-			continue
-		}
-		pt := make([]byte, len(tt.in))
-		c.Decrypt(pt, tt.out)
-		for j, v := range pt {
-			if v != tt.in[j] {
-				t.Errorf("Cipher.Decrypt, test vector #%d: plain-text[%d] = %#x, expected %#x", i, j, v, tt.in[j])
-				break
-			}
-		}
-	}
-}
-
-func TestSaltedCipherKeyLength(t *testing.T) {
-	if _, err := NewSaltedCipher(nil, []byte{'a'}); err != KeySizeError(0) {
-		t.Errorf("NewSaltedCipher with short key, gave error %#v, expected %#v", err, KeySizeError(0))
-	}
-
-	// A 57-byte key. One over the typical blowfish restriction.
-	key := []byte("012345678901234567890123456789012345678901234567890123456")
-	if _, err := NewSaltedCipher(key, []byte{'a'}); err != nil {
-		t.Errorf("NewSaltedCipher with long key, gave error %#v", err)
-	}
-}
-
-// Test vectors generated with Blowfish from OpenSSH.
-var saltedVectors = [][8]byte{
-	{0x0c, 0x82, 0x3b, 0x7b, 0x8d, 0x01, 0x4b, 0x7e},
-	{0xd1, 0xe1, 0x93, 0xf0, 0x70, 0xa6, 0xdb, 0x12},
-	{0xfc, 0x5e, 0xba, 0xde, 0xcb, 0xf8, 0x59, 0xad},
-	{0x8a, 0x0c, 0x76, 0xe7, 0xdd, 0x2c, 0xd3, 0xa8},
-	{0x2c, 0xcb, 0x7b, 0xee, 0xac, 0x7b, 0x7f, 0xf8},
-	{0xbb, 0xf6, 0x30, 0x6f, 0xe1, 0x5d, 0x62, 0xbf},
-	{0x97, 0x1e, 0xc1, 0x3d, 0x3d, 0xe0, 0x11, 0xe9},
-	{0x06, 0xd7, 0x4d, 0xb1, 0x80, 0xa3, 0xb1, 0x38},
-	{0x67, 0xa1, 0xa9, 0x75, 0x0e, 0x5b, 0xc6, 0xb4},
-	{0x51, 0x0f, 0x33, 0x0e, 0x4f, 0x67, 0xd2, 0x0c},
-	{0xf1, 0x73, 0x7e, 0xd8, 0x44, 0xea, 0xdb, 0xe5},
-	{0x14, 0x0e, 0x16, 0xce, 0x7f, 0x4a, 0x9c, 0x7b},
-	{0x4b, 0xfe, 0x43, 0xfd, 0xbf, 0x36, 0x04, 0x47},
-	{0xb1, 0xeb, 0x3e, 0x15, 0x36, 0xa7, 0xbb, 0xe2},
-	{0x6d, 0x0b, 0x41, 0xdd, 0x00, 0x98, 0x0b, 0x19},
-	{0xd3, 0xce, 0x45, 0xce, 0x1d, 0x56, 0xb7, 0xfc},
-	{0xd9, 0xf0, 0xfd, 0xda, 0xc0, 0x23, 0xb7, 0x93},
-	{0x4c, 0x6f, 0xa1, 0xe4, 0x0c, 0xa8, 0xca, 0x57},
-	{0xe6, 0x2f, 0x28, 0xa7, 0x0c, 0x94, 0x0d, 0x08},
-	{0x8f, 0xe3, 0xf0, 0xb6, 0x29, 0xe3, 0x44, 0x03},
-	{0xff, 0x98, 0xdd, 0x04, 0x45, 0xb4, 0x6d, 0x1f},
-	{0x9e, 0x45, 0x4d, 0x18, 0x40, 0x53, 0xdb, 0xef},
-	{0xb7, 0x3b, 0xef, 0x29, 0xbe, 0xa8, 0x13, 0x71},
-	{0x02, 0x54, 0x55, 0x41, 0x8e, 0x04, 0xfc, 0xad},
-	{0x6a, 0x0a, 0xee, 0x7c, 0x10, 0xd9, 0x19, 0xfe},
-	{0x0a, 0x22, 0xd9, 0x41, 0xcc, 0x23, 0x87, 0x13},
-	{0x6e, 0xff, 0x1f, 0xff, 0x36, 0x17, 0x9c, 0xbe},
-	{0x79, 0xad, 0xb7, 0x40, 0xf4, 0x9f, 0x51, 0xa6},
-	{0x97, 0x81, 0x99, 0xa4, 0xde, 0x9e, 0x9f, 0xb6},
-	{0x12, 0x19, 0x7a, 0x28, 0xd0, 0xdc, 0xcc, 0x92},
-	{0x81, 0xda, 0x60, 0x1e, 0x0e, 0xdd, 0x65, 0x56},
-	{0x7d, 0x76, 0x20, 0xb2, 0x73, 0xc9, 0x9e, 0xee},
-}
-
-func TestSaltedCipher(t *testing.T) {
-	var key, salt [32]byte
-	for i := range key {
-		key[i] = byte(i)
-		salt[i] = byte(i + 32)
-	}
-	for i, v := range saltedVectors {
-		c, err := NewSaltedCipher(key[:], salt[:i])
-		if err != nil {
-			t.Fatal(err)
-		}
-		var buf [8]byte
-		c.Encrypt(buf[:], buf[:])
-		if v != buf {
-			t.Errorf("%d: expected %x, got %x", i, v, buf)
-		}
-	}
-}
-
-func BenchmarkExpandKeyWithSalt(b *testing.B) {
-	key := make([]byte, 32)
-	salt := make([]byte, 16)
-	c, _ := NewCipher(key)
-	for i := 0; i < b.N; i++ {
-		expandKeyWithSalt(key, salt, c)
-	}
-}
-
-func BenchmarkExpandKey(b *testing.B) {
-	key := make([]byte, 32)
-	c, _ := NewCipher(key)
-	for i := 0; i < b.N; i++ {
-		ExpandKey(key, c)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/blowfish/cipher.go b/vendor/golang.org/x/crypto/blowfish/cipher.go
index 2641dadd..213bf204 100644
--- a/vendor/golang.org/x/crypto/blowfish/cipher.go
+++ b/vendor/golang.org/x/crypto/blowfish/cipher.go
@@ -3,6 +3,14 @@
 // license that can be found in the LICENSE file.
 
 // Package blowfish implements Bruce Schneier's Blowfish encryption algorithm.
+//
+// Blowfish is a legacy cipher and its short block size makes it vulnerable to
+// birthday bound attacks (see https://sweet32.info). It should only be used
+// where compatibility with legacy systems, not security, is the goal.
+//
+// Deprecated: any new system should use AES (from crypto/aes, if necessary in
+// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
+// golang.org/x/crypto/chacha20poly1305).
 package blowfish // import "golang.org/x/crypto/blowfish"
 
 // The code is a port of Bruce Schneier's C implementation.
diff --git a/vendor/golang.org/x/crypto/bn256/bn256.go b/vendor/golang.org/x/crypto/bn256/bn256.go
deleted file mode 100644
index f88f3fc3..00000000
--- a/vendor/golang.org/x/crypto/bn256/bn256.go
+++ /dev/null
@@ -1,408 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package bn256 implements a particular bilinear group.
-//
-// Bilinear groups are the basis of many of the new cryptographic protocols
-// that have been proposed over the past decade. They consist of a triplet of
-// groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ
-// (where gₓ is a generator of the respective group). That function is called
-// a pairing function.
-//
-// This package specifically implements the Optimal Ate pairing over a 256-bit
-// Barreto-Naehrig curve as described in
-// http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
-// with the implementation described in that paper.
-//
-// (This package previously claimed to operate at a 128-bit security level.
-// However, recent improvements in attacks mean that is no longer true. See
-// https://moderncrypto.org/mail-archive/curves/2016/000740.html.)
-package bn256 // import "golang.org/x/crypto/bn256"
-
-import (
-	"crypto/rand"
-	"io"
-	"math/big"
-)
-
-// BUG(agl): this implementation is not constant time.
-// TODO(agl): keep GF(p²) elements in Mongomery form.
-
-// G1 is an abstract cyclic group. The zero value is suitable for use as the
-// output of an operation, but cannot be used as an input.
-type G1 struct {
-	p *curvePoint
-}
-
-// RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.
-func RandomG1(r io.Reader) (*big.Int, *G1, error) {
-	var k *big.Int
-	var err error
-
-	for {
-		k, err = rand.Int(r, Order)
-		if err != nil {
-			return nil, nil, err
-		}
-		if k.Sign() > 0 {
-			break
-		}
-	}
-
-	return k, new(G1).ScalarBaseMult(k), nil
-}
-
-func (e *G1) String() string {
-	return "bn256.G1" + e.p.String()
-}
-
-// ScalarBaseMult sets e to g*k where g is the generator of the group and
-// then returns e.
-func (e *G1) ScalarBaseMult(k *big.Int) *G1 {
-	if e.p == nil {
-		e.p = newCurvePoint(nil)
-	}
-	e.p.Mul(curveGen, k, new(bnPool))
-	return e
-}
-
-// ScalarMult sets e to a*k and then returns e.
-func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 {
-	if e.p == nil {
-		e.p = newCurvePoint(nil)
-	}
-	e.p.Mul(a.p, k, new(bnPool))
-	return e
-}
-
-// Add sets e to a+b and then returns e.
-// BUG(agl): this function is not complete: a==b fails.
-func (e *G1) Add(a, b *G1) *G1 {
-	if e.p == nil {
-		e.p = newCurvePoint(nil)
-	}
-	e.p.Add(a.p, b.p, new(bnPool))
-	return e
-}
-
-// Neg sets e to -a and then returns e.
-func (e *G1) Neg(a *G1) *G1 {
-	if e.p == nil {
-		e.p = newCurvePoint(nil)
-	}
-	e.p.Negative(a.p)
-	return e
-}
-
-// Marshal converts n to a byte slice.
-func (e *G1) Marshal() []byte {
-	e.p.MakeAffine(nil)
-
-	xBytes := new(big.Int).Mod(e.p.x, p).Bytes()
-	yBytes := new(big.Int).Mod(e.p.y, p).Bytes()
-
-	// Each value is a 256-bit number.
-	const numBytes = 256 / 8
-
-	ret := make([]byte, numBytes*2)
-	copy(ret[1*numBytes-len(xBytes):], xBytes)
-	copy(ret[2*numBytes-len(yBytes):], yBytes)
-
-	return ret
-}
-
-// Unmarshal sets e to the result of converting the output of Marshal back into
-// a group element and then returns e.
-func (e *G1) Unmarshal(m []byte) (*G1, bool) {
-	// Each value is a 256-bit number.
-	const numBytes = 256 / 8
-
-	if len(m) != 2*numBytes {
-		return nil, false
-	}
-
-	if e.p == nil {
-		e.p = newCurvePoint(nil)
-	}
-
-	e.p.x.SetBytes(m[0*numBytes : 1*numBytes])
-	e.p.y.SetBytes(m[1*numBytes : 2*numBytes])
-
-	if e.p.x.Sign() == 0 && e.p.y.Sign() == 0 {
-		// This is the point at infinity.
-		e.p.y.SetInt64(1)
-		e.p.z.SetInt64(0)
-		e.p.t.SetInt64(0)
-	} else {
-		e.p.z.SetInt64(1)
-		e.p.t.SetInt64(1)
-
-		if !e.p.IsOnCurve() {
-			return nil, false
-		}
-	}
-
-	return e, true
-}
-
-// G2 is an abstract cyclic group. The zero value is suitable for use as the
-// output of an operation, but cannot be used as an input.
-type G2 struct {
-	p *twistPoint
-}
-
-// RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r.
-func RandomG2(r io.Reader) (*big.Int, *G2, error) {
-	var k *big.Int
-	var err error
-
-	for {
-		k, err = rand.Int(r, Order)
-		if err != nil {
-			return nil, nil, err
-		}
-		if k.Sign() > 0 {
-			break
-		}
-	}
-
-	return k, new(G2).ScalarBaseMult(k), nil
-}
-
-func (e *G2) String() string {
-	return "bn256.G2" + e.p.String()
-}
-
-// ScalarBaseMult sets e to g*k where g is the generator of the group and
-// then returns out.
-func (e *G2) ScalarBaseMult(k *big.Int) *G2 {
-	if e.p == nil {
-		e.p = newTwistPoint(nil)
-	}
-	e.p.Mul(twistGen, k, new(bnPool))
-	return e
-}
-
-// ScalarMult sets e to a*k and then returns e.
-func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 {
-	if e.p == nil {
-		e.p = newTwistPoint(nil)
-	}
-	e.p.Mul(a.p, k, new(bnPool))
-	return e
-}
-
-// Add sets e to a+b and then returns e.
-// BUG(agl): this function is not complete: a==b fails.
-func (e *G2) Add(a, b *G2) *G2 {
-	if e.p == nil {
-		e.p = newTwistPoint(nil)
-	}
-	e.p.Add(a.p, b.p, new(bnPool))
-	return e
-}
-
-// Marshal converts n into a byte slice.
-func (n *G2) Marshal() []byte {
-	n.p.MakeAffine(nil)
-
-	xxBytes := new(big.Int).Mod(n.p.x.x, p).Bytes()
-	xyBytes := new(big.Int).Mod(n.p.x.y, p).Bytes()
-	yxBytes := new(big.Int).Mod(n.p.y.x, p).Bytes()
-	yyBytes := new(big.Int).Mod(n.p.y.y, p).Bytes()
-
-	// Each value is a 256-bit number.
-	const numBytes = 256 / 8
-
-	ret := make([]byte, numBytes*4)
-	copy(ret[1*numBytes-len(xxBytes):], xxBytes)
-	copy(ret[2*numBytes-len(xyBytes):], xyBytes)
-	copy(ret[3*numBytes-len(yxBytes):], yxBytes)
-	copy(ret[4*numBytes-len(yyBytes):], yyBytes)
-
-	return ret
-}
-
-// Unmarshal sets e to the result of converting the output of Marshal back into
-// a group element and then returns e.
-func (e *G2) Unmarshal(m []byte) (*G2, bool) {
-	// Each value is a 256-bit number.
-	const numBytes = 256 / 8
-
-	if len(m) != 4*numBytes {
-		return nil, false
-	}
-
-	if e.p == nil {
-		e.p = newTwistPoint(nil)
-	}
-
-	e.p.x.x.SetBytes(m[0*numBytes : 1*numBytes])
-	e.p.x.y.SetBytes(m[1*numBytes : 2*numBytes])
-	e.p.y.x.SetBytes(m[2*numBytes : 3*numBytes])
-	e.p.y.y.SetBytes(m[3*numBytes : 4*numBytes])
-
-	if e.p.x.x.Sign() == 0 &&
-		e.p.x.y.Sign() == 0 &&
-		e.p.y.x.Sign() == 0 &&
-		e.p.y.y.Sign() == 0 {
-		// This is the point at infinity.
-		e.p.y.SetOne()
-		e.p.z.SetZero()
-		e.p.t.SetZero()
-	} else {
-		e.p.z.SetOne()
-		e.p.t.SetOne()
-
-		if !e.p.IsOnCurve() {
-			return nil, false
-		}
-	}
-
-	return e, true
-}
-
-// GT is an abstract cyclic group. The zero value is suitable for use as the
-// output of an operation, but cannot be used as an input.
-type GT struct {
-	p *gfP12
-}
-
-func (g *GT) String() string {
-	return "bn256.GT" + g.p.String()
-}
-
-// ScalarMult sets e to a*k and then returns e.
-func (e *GT) ScalarMult(a *GT, k *big.Int) *GT {
-	if e.p == nil {
-		e.p = newGFp12(nil)
-	}
-	e.p.Exp(a.p, k, new(bnPool))
-	return e
-}
-
-// Add sets e to a+b and then returns e.
-func (e *GT) Add(a, b *GT) *GT {
-	if e.p == nil {
-		e.p = newGFp12(nil)
-	}
-	e.p.Mul(a.p, b.p, new(bnPool))
-	return e
-}
-
-// Neg sets e to -a and then returns e.
-func (e *GT) Neg(a *GT) *GT {
-	if e.p == nil {
-		e.p = newGFp12(nil)
-	}
-	e.p.Invert(a.p, new(bnPool))
-	return e
-}
-
-// Marshal converts n into a byte slice.
-func (n *GT) Marshal() []byte {
-	n.p.Minimal()
-
-	xxxBytes := n.p.x.x.x.Bytes()
-	xxyBytes := n.p.x.x.y.Bytes()
-	xyxBytes := n.p.x.y.x.Bytes()
-	xyyBytes := n.p.x.y.y.Bytes()
-	xzxBytes := n.p.x.z.x.Bytes()
-	xzyBytes := n.p.x.z.y.Bytes()
-	yxxBytes := n.p.y.x.x.Bytes()
-	yxyBytes := n.p.y.x.y.Bytes()
-	yyxBytes := n.p.y.y.x.Bytes()
-	yyyBytes := n.p.y.y.y.Bytes()
-	yzxBytes := n.p.y.z.x.Bytes()
-	yzyBytes := n.p.y.z.y.Bytes()
-
-	// Each value is a 256-bit number.
-	const numBytes = 256 / 8
-
-	ret := make([]byte, numBytes*12)
-	copy(ret[1*numBytes-len(xxxBytes):], xxxBytes)
-	copy(ret[2*numBytes-len(xxyBytes):], xxyBytes)
-	copy(ret[3*numBytes-len(xyxBytes):], xyxBytes)
-	copy(ret[4*numBytes-len(xyyBytes):], xyyBytes)
-	copy(ret[5*numBytes-len(xzxBytes):], xzxBytes)
-	copy(ret[6*numBytes-len(xzyBytes):], xzyBytes)
-	copy(ret[7*numBytes-len(yxxBytes):], yxxBytes)
-	copy(ret[8*numBytes-len(yxyBytes):], yxyBytes)
-	copy(ret[9*numBytes-len(yyxBytes):], yyxBytes)
-	copy(ret[10*numBytes-len(yyyBytes):], yyyBytes)
-	copy(ret[11*numBytes-len(yzxBytes):], yzxBytes)
-	copy(ret[12*numBytes-len(yzyBytes):], yzyBytes)
-
-	return ret
-}
-
-// Unmarshal sets e to the result of converting the output of Marshal back into
-// a group element and then returns e.
-func (e *GT) Unmarshal(m []byte) (*GT, bool) {
-	// Each value is a 256-bit number.
-	const numBytes = 256 / 8
-
-	if len(m) != 12*numBytes {
-		return nil, false
-	}
-
-	if e.p == nil {
-		e.p = newGFp12(nil)
-	}
-
-	e.p.x.x.x.SetBytes(m[0*numBytes : 1*numBytes])
-	e.p.x.x.y.SetBytes(m[1*numBytes : 2*numBytes])
-	e.p.x.y.x.SetBytes(m[2*numBytes : 3*numBytes])
-	e.p.x.y.y.SetBytes(m[3*numBytes : 4*numBytes])
-	e.p.x.z.x.SetBytes(m[4*numBytes : 5*numBytes])
-	e.p.x.z.y.SetBytes(m[5*numBytes : 6*numBytes])
-	e.p.y.x.x.SetBytes(m[6*numBytes : 7*numBytes])
-	e.p.y.x.y.SetBytes(m[7*numBytes : 8*numBytes])
-	e.p.y.y.x.SetBytes(m[8*numBytes : 9*numBytes])
-	e.p.y.y.y.SetBytes(m[9*numBytes : 10*numBytes])
-	e.p.y.z.x.SetBytes(m[10*numBytes : 11*numBytes])
-	e.p.y.z.y.SetBytes(m[11*numBytes : 12*numBytes])
-
-	return e, true
-}
-
-// Pair calculates an Optimal Ate pairing.
-func Pair(g1 *G1, g2 *G2) *GT {
-	return &GT{optimalAte(g2.p, g1.p, new(bnPool))}
-}
-
-// bnPool implements a tiny cache of *big.Int objects that's used to reduce the
-// number of allocations made during processing.
-type bnPool struct {
-	bns   []*big.Int
-	count int
-}
-
-func (pool *bnPool) Get() *big.Int {
-	if pool == nil {
-		return new(big.Int)
-	}
-
-	pool.count++
-	l := len(pool.bns)
-	if l == 0 {
-		return new(big.Int)
-	}
-
-	bn := pool.bns[l-1]
-	pool.bns = pool.bns[:l-1]
-	return bn
-}
-
-func (pool *bnPool) Put(bn *big.Int) {
-	if pool == nil {
-		return
-	}
-	pool.bns = append(pool.bns, bn)
-	pool.count--
-}
-
-func (pool *bnPool) Count() int {
-	return pool.count
-}
diff --git a/vendor/golang.org/x/crypto/bn256/bn256_test.go b/vendor/golang.org/x/crypto/bn256/bn256_test.go
deleted file mode 100644
index 1cec3884..00000000
--- a/vendor/golang.org/x/crypto/bn256/bn256_test.go
+++ /dev/null
@@ -1,304 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bn256
-
-import (
-	"bytes"
-	"crypto/rand"
-	"math/big"
-	"testing"
-)
-
-func TestGFp2Invert(t *testing.T) {
-	pool := new(bnPool)
-
-	a := newGFp2(pool)
-	a.x.SetString("23423492374", 10)
-	a.y.SetString("12934872398472394827398470", 10)
-
-	inv := newGFp2(pool)
-	inv.Invert(a, pool)
-
-	b := newGFp2(pool).Mul(inv, a, pool)
-	if b.x.Int64() != 0 || b.y.Int64() != 1 {
-		t.Fatalf("bad result for a^-1*a: %s %s", b.x, b.y)
-	}
-
-	a.Put(pool)
-	b.Put(pool)
-	inv.Put(pool)
-
-	if c := pool.Count(); c > 0 {
-		t.Errorf("Pool count non-zero: %d\n", c)
-	}
-}
-
-func isZero(n *big.Int) bool {
-	return new(big.Int).Mod(n, p).Int64() == 0
-}
-
-func isOne(n *big.Int) bool {
-	return new(big.Int).Mod(n, p).Int64() == 1
-}
-
-func TestGFp6Invert(t *testing.T) {
-	pool := new(bnPool)
-
-	a := newGFp6(pool)
-	a.x.x.SetString("239487238491", 10)
-	a.x.y.SetString("2356249827341", 10)
-	a.y.x.SetString("082659782", 10)
-	a.y.y.SetString("182703523765", 10)
-	a.z.x.SetString("978236549263", 10)
-	a.z.y.SetString("64893242", 10)
-
-	inv := newGFp6(pool)
-	inv.Invert(a, pool)
-
-	b := newGFp6(pool).Mul(inv, a, pool)
-	if !isZero(b.x.x) ||
-		!isZero(b.x.y) ||
-		!isZero(b.y.x) ||
-		!isZero(b.y.y) ||
-		!isZero(b.z.x) ||
-		!isOne(b.z.y) {
-		t.Fatalf("bad result for a^-1*a: %s", b)
-	}
-
-	a.Put(pool)
-	b.Put(pool)
-	inv.Put(pool)
-
-	if c := pool.Count(); c > 0 {
-		t.Errorf("Pool count non-zero: %d\n", c)
-	}
-}
-
-func TestGFp12Invert(t *testing.T) {
-	pool := new(bnPool)
-
-	a := newGFp12(pool)
-	a.x.x.x.SetString("239846234862342323958623", 10)
-	a.x.x.y.SetString("2359862352529835623", 10)
-	a.x.y.x.SetString("928836523", 10)
-	a.x.y.y.SetString("9856234", 10)
-	a.x.z.x.SetString("235635286", 10)
-	a.x.z.y.SetString("5628392833", 10)
-	a.y.x.x.SetString("252936598265329856238956532167968", 10)
-	a.y.x.y.SetString("23596239865236954178968", 10)
-	a.y.y.x.SetString("95421692834", 10)
-	a.y.y.y.SetString("236548", 10)
-	a.y.z.x.SetString("924523", 10)
-	a.y.z.y.SetString("12954623", 10)
-
-	inv := newGFp12(pool)
-	inv.Invert(a, pool)
-
-	b := newGFp12(pool).Mul(inv, a, pool)
-	if !isZero(b.x.x.x) ||
-		!isZero(b.x.x.y) ||
-		!isZero(b.x.y.x) ||
-		!isZero(b.x.y.y) ||
-		!isZero(b.x.z.x) ||
-		!isZero(b.x.z.y) ||
-		!isZero(b.y.x.x) ||
-		!isZero(b.y.x.y) ||
-		!isZero(b.y.y.x) ||
-		!isZero(b.y.y.y) ||
-		!isZero(b.y.z.x) ||
-		!isOne(b.y.z.y) {
-		t.Fatalf("bad result for a^-1*a: %s", b)
-	}
-
-	a.Put(pool)
-	b.Put(pool)
-	inv.Put(pool)
-
-	if c := pool.Count(); c > 0 {
-		t.Errorf("Pool count non-zero: %d\n", c)
-	}
-}
-
-func TestCurveImpl(t *testing.T) {
-	pool := new(bnPool)
-
-	g := &curvePoint{
-		pool.Get().SetInt64(1),
-		pool.Get().SetInt64(-2),
-		pool.Get().SetInt64(1),
-		pool.Get().SetInt64(0),
-	}
-
-	x := pool.Get().SetInt64(32498273234)
-	X := newCurvePoint(pool).Mul(g, x, pool)
-
-	y := pool.Get().SetInt64(98732423523)
-	Y := newCurvePoint(pool).Mul(g, y, pool)
-
-	s1 := newCurvePoint(pool).Mul(X, y, pool).MakeAffine(pool)
-	s2 := newCurvePoint(pool).Mul(Y, x, pool).MakeAffine(pool)
-
-	if s1.x.Cmp(s2.x) != 0 ||
-		s2.x.Cmp(s1.x) != 0 {
-		t.Errorf("DH points don't match: (%s, %s) (%s, %s)", s1.x, s1.y, s2.x, s2.y)
-	}
-
-	pool.Put(x)
-	X.Put(pool)
-	pool.Put(y)
-	Y.Put(pool)
-	s1.Put(pool)
-	s2.Put(pool)
-	g.Put(pool)
-
-	if c := pool.Count(); c > 0 {
-		t.Errorf("Pool count non-zero: %d\n", c)
-	}
-}
-
-func TestOrderG1(t *testing.T) {
-	g := new(G1).ScalarBaseMult(Order)
-	if !g.p.IsInfinity() {
-		t.Error("G1 has incorrect order")
-	}
-
-	one := new(G1).ScalarBaseMult(new(big.Int).SetInt64(1))
-	g.Add(g, one)
-	g.p.MakeAffine(nil)
-	if g.p.x.Cmp(one.p.x) != 0 || g.p.y.Cmp(one.p.y) != 0 {
-		t.Errorf("1+0 != 1 in G1")
-	}
-}
-
-func TestOrderG2(t *testing.T) {
-	g := new(G2).ScalarBaseMult(Order)
-	if !g.p.IsInfinity() {
-		t.Error("G2 has incorrect order")
-	}
-
-	one := new(G2).ScalarBaseMult(new(big.Int).SetInt64(1))
-	g.Add(g, one)
-	g.p.MakeAffine(nil)
-	if g.p.x.x.Cmp(one.p.x.x) != 0 ||
-		g.p.x.y.Cmp(one.p.x.y) != 0 ||
-		g.p.y.x.Cmp(one.p.y.x) != 0 ||
-		g.p.y.y.Cmp(one.p.y.y) != 0 {
-		t.Errorf("1+0 != 1 in G2")
-	}
-}
-
-func TestOrderGT(t *testing.T) {
-	gt := Pair(&G1{curveGen}, &G2{twistGen})
-	g := new(GT).ScalarMult(gt, Order)
-	if !g.p.IsOne() {
-		t.Error("GT has incorrect order")
-	}
-}
-
-func TestBilinearity(t *testing.T) {
-	for i := 0; i < 2; i++ {
-		a, p1, _ := RandomG1(rand.Reader)
-		b, p2, _ := RandomG2(rand.Reader)
-		e1 := Pair(p1, p2)
-
-		e2 := Pair(&G1{curveGen}, &G2{twistGen})
-		e2.ScalarMult(e2, a)
-		e2.ScalarMult(e2, b)
-
-		minusE2 := new(GT).Neg(e2)
-		e1.Add(e1, minusE2)
-
-		if !e1.p.IsOne() {
-			t.Fatalf("bad pairing result: %s", e1)
-		}
-	}
-}
-
-func TestG1Marshal(t *testing.T) {
-	g := new(G1).ScalarBaseMult(new(big.Int).SetInt64(1))
-	form := g.Marshal()
-	_, ok := new(G1).Unmarshal(form)
-	if !ok {
-		t.Fatalf("failed to unmarshal")
-	}
-
-	g.ScalarBaseMult(Order)
-	form = g.Marshal()
-	g2, ok := new(G1).Unmarshal(form)
-	if !ok {
-		t.Fatalf("failed to unmarshal ∞")
-	}
-	if !g2.p.IsInfinity() {
-		t.Fatalf("∞ unmarshaled incorrectly")
-	}
-}
-
-func TestG2Marshal(t *testing.T) {
-	g := new(G2).ScalarBaseMult(new(big.Int).SetInt64(1))
-	form := g.Marshal()
-	_, ok := new(G2).Unmarshal(form)
-	if !ok {
-		t.Fatalf("failed to unmarshal")
-	}
-
-	g.ScalarBaseMult(Order)
-	form = g.Marshal()
-	g2, ok := new(G2).Unmarshal(form)
-	if !ok {
-		t.Fatalf("failed to unmarshal ∞")
-	}
-	if !g2.p.IsInfinity() {
-		t.Fatalf("∞ unmarshaled incorrectly")
-	}
-}
-
-func TestG1Identity(t *testing.T) {
-	g := new(G1).ScalarBaseMult(new(big.Int).SetInt64(0))
-	if !g.p.IsInfinity() {
-		t.Error("failure")
-	}
-}
-
-func TestG2Identity(t *testing.T) {
-	g := new(G2).ScalarBaseMult(new(big.Int).SetInt64(0))
-	if !g.p.IsInfinity() {
-		t.Error("failure")
-	}
-}
-
-func TestTripartiteDiffieHellman(t *testing.T) {
-	a, _ := rand.Int(rand.Reader, Order)
-	b, _ := rand.Int(rand.Reader, Order)
-	c, _ := rand.Int(rand.Reader, Order)
-
-	pa, _ := new(G1).Unmarshal(new(G1).ScalarBaseMult(a).Marshal())
-	qa, _ := new(G2).Unmarshal(new(G2).ScalarBaseMult(a).Marshal())
-	pb, _ := new(G1).Unmarshal(new(G1).ScalarBaseMult(b).Marshal())
-	qb, _ := new(G2).Unmarshal(new(G2).ScalarBaseMult(b).Marshal())
-	pc, _ := new(G1).Unmarshal(new(G1).ScalarBaseMult(c).Marshal())
-	qc, _ := new(G2).Unmarshal(new(G2).ScalarBaseMult(c).Marshal())
-
-	k1 := Pair(pb, qc)
-	k1.ScalarMult(k1, a)
-	k1Bytes := k1.Marshal()
-
-	k2 := Pair(pc, qa)
-	k2.ScalarMult(k2, b)
-	k2Bytes := k2.Marshal()
-
-	k3 := Pair(pa, qb)
-	k3.ScalarMult(k3, c)
-	k3Bytes := k3.Marshal()
-
-	if !bytes.Equal(k1Bytes, k2Bytes) || !bytes.Equal(k2Bytes, k3Bytes) {
-		t.Errorf("keys didn't agree")
-	}
-}
-
-func BenchmarkPairing(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		Pair(&G1{curveGen}, &G2{twistGen})
-	}
-}
diff --git a/vendor/golang.org/x/crypto/bn256/constants.go b/vendor/golang.org/x/crypto/bn256/constants.go
deleted file mode 100644
index 1ccefc49..00000000
--- a/vendor/golang.org/x/crypto/bn256/constants.go
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bn256
-
-import (
-	"math/big"
-)
-
-func bigFromBase10(s string) *big.Int {
-	n, _ := new(big.Int).SetString(s, 10)
-	return n
-}
-
-// u is the BN parameter that determines the prime: 1868033³.
-var u = bigFromBase10("6518589491078791937")
-
-// p is a prime over which we form a basic field: 36u⁴+36u³+24u²+6u+1.
-var p = bigFromBase10("65000549695646603732796438742359905742825358107623003571877145026864184071783")
-
-// Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.
-var Order = bigFromBase10("65000549695646603732796438742359905742570406053903786389881062969044166799969")
-
-// xiToPMinus1Over6 is ξ^((p-1)/6) where ξ = i+3.
-var xiToPMinus1Over6 = &gfP2{bigFromBase10("8669379979083712429711189836753509758585994370025260553045152614783263110636"), bigFromBase10("19998038925833620163537568958541907098007303196759855091367510456613536016040")}
-
-// xiToPMinus1Over3 is ξ^((p-1)/3) where ξ = i+3.
-var xiToPMinus1Over3 = &gfP2{bigFromBase10("26098034838977895781559542626833399156321265654106457577426020397262786167059"), bigFromBase10("15931493369629630809226283458085260090334794394361662678240713231519278691715")}
-
-// xiToPMinus1Over2 is ξ^((p-1)/2) where ξ = i+3.
-var xiToPMinus1Over2 = &gfP2{bigFromBase10("50997318142241922852281555961173165965672272825141804376761836765206060036244"), bigFromBase10("38665955945962842195025998234511023902832543644254935982879660597356748036009")}
-
-// xiToPSquaredMinus1Over3 is ξ^((p²-1)/3) where ξ = i+3.
-var xiToPSquaredMinus1Over3 = bigFromBase10("65000549695646603727810655408050771481677621702948236658134783353303381437752")
-
-// xiTo2PSquaredMinus2Over3 is ξ^((2p²-2)/3) where ξ = i+3 (a cubic root of unity, mod p).
-var xiTo2PSquaredMinus2Over3 = bigFromBase10("4985783334309134261147736404674766913742361673560802634030")
-
-// xiToPSquaredMinus1Over6 is ξ^((1p²-1)/6) where ξ = i+3 (a cubic root of -1, mod p).
-var xiToPSquaredMinus1Over6 = bigFromBase10("65000549695646603727810655408050771481677621702948236658134783353303381437753")
-
-// xiTo2PMinus2Over3 is ξ^((2p-2)/3) where ξ = i+3.
-var xiTo2PMinus2Over3 = &gfP2{bigFromBase10("19885131339612776214803633203834694332692106372356013117629940868870585019582"), bigFromBase10("21645619881471562101905880913352894726728173167203616652430647841922248593627")}
diff --git a/vendor/golang.org/x/crypto/bn256/curve.go b/vendor/golang.org/x/crypto/bn256/curve.go
deleted file mode 100644
index 55b7063f..00000000
--- a/vendor/golang.org/x/crypto/bn256/curve.go
+++ /dev/null
@@ -1,278 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bn256
-
-import (
-	"math/big"
-)
-
-// curvePoint implements the elliptic curve y²=x³+3. Points are kept in
-// Jacobian form and t=z² when valid. G₁ is the set of points of this curve on
-// GF(p).
-type curvePoint struct {
-	x, y, z, t *big.Int
-}
-
-var curveB = new(big.Int).SetInt64(3)
-
-// curveGen is the generator of G₁.
-var curveGen = &curvePoint{
-	new(big.Int).SetInt64(1),
-	new(big.Int).SetInt64(-2),
-	new(big.Int).SetInt64(1),
-	new(big.Int).SetInt64(1),
-}
-
-func newCurvePoint(pool *bnPool) *curvePoint {
-	return &curvePoint{
-		pool.Get(),
-		pool.Get(),
-		pool.Get(),
-		pool.Get(),
-	}
-}
-
-func (c *curvePoint) String() string {
-	c.MakeAffine(new(bnPool))
-	return "(" + c.x.String() + ", " + c.y.String() + ")"
-}
-
-func (c *curvePoint) Put(pool *bnPool) {
-	pool.Put(c.x)
-	pool.Put(c.y)
-	pool.Put(c.z)
-	pool.Put(c.t)
-}
-
-func (c *curvePoint) Set(a *curvePoint) {
-	c.x.Set(a.x)
-	c.y.Set(a.y)
-	c.z.Set(a.z)
-	c.t.Set(a.t)
-}
-
-// IsOnCurve returns true iff c is on the curve where c must be in affine form.
-func (c *curvePoint) IsOnCurve() bool {
-	yy := new(big.Int).Mul(c.y, c.y)
-	xxx := new(big.Int).Mul(c.x, c.x)
-	xxx.Mul(xxx, c.x)
-	yy.Sub(yy, xxx)
-	yy.Sub(yy, curveB)
-	if yy.Sign() < 0 || yy.Cmp(p) >= 0 {
-		yy.Mod(yy, p)
-	}
-	return yy.Sign() == 0
-}
-
-func (c *curvePoint) SetInfinity() {
-	c.z.SetInt64(0)
-}
-
-func (c *curvePoint) IsInfinity() bool {
-	return c.z.Sign() == 0
-}
-
-func (c *curvePoint) Add(a, b *curvePoint, pool *bnPool) {
-	if a.IsInfinity() {
-		c.Set(b)
-		return
-	}
-	if b.IsInfinity() {
-		c.Set(a)
-		return
-	}
-
-	// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/addition/add-2007-bl.op3
-
-	// Normalize the points by replacing a = [x1:y1:z1] and b = [x2:y2:z2]
-	// by [u1:s1:z1·z2] and [u2:s2:z1·z2]
-	// where u1 = x1·z2², s1 = y1·z2³ and u1 = x2·z1², s2 = y2·z1³
-	z1z1 := pool.Get().Mul(a.z, a.z)
-	z1z1.Mod(z1z1, p)
-	z2z2 := pool.Get().Mul(b.z, b.z)
-	z2z2.Mod(z2z2, p)
-	u1 := pool.Get().Mul(a.x, z2z2)
-	u1.Mod(u1, p)
-	u2 := pool.Get().Mul(b.x, z1z1)
-	u2.Mod(u2, p)
-
-	t := pool.Get().Mul(b.z, z2z2)
-	t.Mod(t, p)
-	s1 := pool.Get().Mul(a.y, t)
-	s1.Mod(s1, p)
-
-	t.Mul(a.z, z1z1)
-	t.Mod(t, p)
-	s2 := pool.Get().Mul(b.y, t)
-	s2.Mod(s2, p)
-
-	// Compute x = (2h)²(s²-u1-u2)
-	// where s = (s2-s1)/(u2-u1) is the slope of the line through
-	// (u1,s1) and (u2,s2). The extra factor 2h = 2(u2-u1) comes from the value of z below.
-	// This is also:
-	// 4(s2-s1)² - 4h²(u1+u2) = 4(s2-s1)² - 4h³ - 4h²(2u1)
-	//                        = r² - j - 2v
-	// with the notations below.
-	h := pool.Get().Sub(u2, u1)
-	xEqual := h.Sign() == 0
-
-	t.Add(h, h)
-	// i = 4h²
-	i := pool.Get().Mul(t, t)
-	i.Mod(i, p)
-	// j = 4h³
-	j := pool.Get().Mul(h, i)
-	j.Mod(j, p)
-
-	t.Sub(s2, s1)
-	yEqual := t.Sign() == 0
-	if xEqual && yEqual {
-		c.Double(a, pool)
-		return
-	}
-	r := pool.Get().Add(t, t)
-
-	v := pool.Get().Mul(u1, i)
-	v.Mod(v, p)
-
-	// t4 = 4(s2-s1)²
-	t4 := pool.Get().Mul(r, r)
-	t4.Mod(t4, p)
-	t.Add(v, v)
-	t6 := pool.Get().Sub(t4, j)
-	c.x.Sub(t6, t)
-
-	// Set y = -(2h)³(s1 + s*(x/4h²-u1))
-	// This is also
-	// y = - 2·s1·j - (s2-s1)(2x - 2i·u1) = r(v-x) - 2·s1·j
-	t.Sub(v, c.x) // t7
-	t4.Mul(s1, j) // t8
-	t4.Mod(t4, p)
-	t6.Add(t4, t4) // t9
-	t4.Mul(r, t)   // t10
-	t4.Mod(t4, p)
-	c.y.Sub(t4, t6)
-
-	// Set z = 2(u2-u1)·z1·z2 = 2h·z1·z2
-	t.Add(a.z, b.z) // t11
-	t4.Mul(t, t)    // t12
-	t4.Mod(t4, p)
-	t.Sub(t4, z1z1) // t13
-	t4.Sub(t, z2z2) // t14
-	c.z.Mul(t4, h)
-	c.z.Mod(c.z, p)
-
-	pool.Put(z1z1)
-	pool.Put(z2z2)
-	pool.Put(u1)
-	pool.Put(u2)
-	pool.Put(t)
-	pool.Put(s1)
-	pool.Put(s2)
-	pool.Put(h)
-	pool.Put(i)
-	pool.Put(j)
-	pool.Put(r)
-	pool.Put(v)
-	pool.Put(t4)
-	pool.Put(t6)
-}
-
-func (c *curvePoint) Double(a *curvePoint, pool *bnPool) {
-	// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/doubling/dbl-2009-l.op3
-	A := pool.Get().Mul(a.x, a.x)
-	A.Mod(A, p)
-	B := pool.Get().Mul(a.y, a.y)
-	B.Mod(B, p)
-	C := pool.Get().Mul(B, B)
-	C.Mod(C, p)
-
-	t := pool.Get().Add(a.x, B)
-	t2 := pool.Get().Mul(t, t)
-	t2.Mod(t2, p)
-	t.Sub(t2, A)
-	t2.Sub(t, C)
-	d := pool.Get().Add(t2, t2)
-	t.Add(A, A)
-	e := pool.Get().Add(t, A)
-	f := pool.Get().Mul(e, e)
-	f.Mod(f, p)
-
-	t.Add(d, d)
-	c.x.Sub(f, t)
-
-	t.Add(C, C)
-	t2.Add(t, t)
-	t.Add(t2, t2)
-	c.y.Sub(d, c.x)
-	t2.Mul(e, c.y)
-	t2.Mod(t2, p)
-	c.y.Sub(t2, t)
-
-	t.Mul(a.y, a.z)
-	t.Mod(t, p)
-	c.z.Add(t, t)
-
-	pool.Put(A)
-	pool.Put(B)
-	pool.Put(C)
-	pool.Put(t)
-	pool.Put(t2)
-	pool.Put(d)
-	pool.Put(e)
-	pool.Put(f)
-}
-
-func (c *curvePoint) Mul(a *curvePoint, scalar *big.Int, pool *bnPool) *curvePoint {
-	sum := newCurvePoint(pool)
-	sum.SetInfinity()
-	t := newCurvePoint(pool)
-
-	for i := scalar.BitLen(); i >= 0; i-- {
-		t.Double(sum, pool)
-		if scalar.Bit(i) != 0 {
-			sum.Add(t, a, pool)
-		} else {
-			sum.Set(t)
-		}
-	}
-
-	c.Set(sum)
-	sum.Put(pool)
-	t.Put(pool)
-	return c
-}
-
-func (c *curvePoint) MakeAffine(pool *bnPool) *curvePoint {
-	if words := c.z.Bits(); len(words) == 1 && words[0] == 1 {
-		return c
-	}
-
-	zInv := pool.Get().ModInverse(c.z, p)
-	t := pool.Get().Mul(c.y, zInv)
-	t.Mod(t, p)
-	zInv2 := pool.Get().Mul(zInv, zInv)
-	zInv2.Mod(zInv2, p)
-	c.y.Mul(t, zInv2)
-	c.y.Mod(c.y, p)
-	t.Mul(c.x, zInv2)
-	t.Mod(t, p)
-	c.x.Set(t)
-	c.z.SetInt64(1)
-	c.t.SetInt64(1)
-
-	pool.Put(zInv)
-	pool.Put(t)
-	pool.Put(zInv2)
-
-	return c
-}
-
-func (c *curvePoint) Negative(a *curvePoint) {
-	c.x.Set(a.x)
-	c.y.Neg(a.y)
-	c.z.Set(a.z)
-	c.t.SetInt64(0)
-}
diff --git a/vendor/golang.org/x/crypto/bn256/example_test.go b/vendor/golang.org/x/crypto/bn256/example_test.go
deleted file mode 100644
index b2d19807..00000000
--- a/vendor/golang.org/x/crypto/bn256/example_test.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bn256
-
-import (
-	"crypto/rand"
-)
-
-func ExamplePair() {
-	// This implements the tripartite Diffie-Hellman algorithm from "A One
-	// Round Protocol for Tripartite Diffie-Hellman", A. Joux.
-	// http://www.springerlink.com/content/cddc57yyva0hburb/fulltext.pdf
-
-	// Each of three parties, a, b and c, generate a private value.
-	a, _ := rand.Int(rand.Reader, Order)
-	b, _ := rand.Int(rand.Reader, Order)
-	c, _ := rand.Int(rand.Reader, Order)
-
-	// Then each party calculates g₁ and g₂ times their private value.
-	pa := new(G1).ScalarBaseMult(a)
-	qa := new(G2).ScalarBaseMult(a)
-
-	pb := new(G1).ScalarBaseMult(b)
-	qb := new(G2).ScalarBaseMult(b)
-
-	pc := new(G1).ScalarBaseMult(c)
-	qc := new(G2).ScalarBaseMult(c)
-
-	// Now each party exchanges its public values with the other two and
-	// all parties can calculate the shared key.
-	k1 := Pair(pb, qc)
-	k1.ScalarMult(k1, a)
-
-	k2 := Pair(pc, qa)
-	k2.ScalarMult(k2, b)
-
-	k3 := Pair(pa, qb)
-	k3.ScalarMult(k3, c)
-
-	// k1, k2 and k3 will all be equal.
-}
diff --git a/vendor/golang.org/x/crypto/bn256/gfp12.go b/vendor/golang.org/x/crypto/bn256/gfp12.go
deleted file mode 100644
index f084eddf..00000000
--- a/vendor/golang.org/x/crypto/bn256/gfp12.go
+++ /dev/null
@@ -1,200 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bn256
-
-// For details of the algorithms used, see "Multiplication and Squaring on
-// Pairing-Friendly Fields, Devegili et al.
-// http://eprint.iacr.org/2006/471.pdf.
-
-import (
-	"math/big"
-)
-
-// gfP12 implements the field of size p¹² as a quadratic extension of gfP6
-// where ω²=τ.
-type gfP12 struct {
-	x, y *gfP6 // value is xω + y
-}
-
-func newGFp12(pool *bnPool) *gfP12 {
-	return &gfP12{newGFp6(pool), newGFp6(pool)}
-}
-
-func (e *gfP12) String() string {
-	return "(" + e.x.String() + "," + e.y.String() + ")"
-}
-
-func (e *gfP12) Put(pool *bnPool) {
-	e.x.Put(pool)
-	e.y.Put(pool)
-}
-
-func (e *gfP12) Set(a *gfP12) *gfP12 {
-	e.x.Set(a.x)
-	e.y.Set(a.y)
-	return e
-}
-
-func (e *gfP12) SetZero() *gfP12 {
-	e.x.SetZero()
-	e.y.SetZero()
-	return e
-}
-
-func (e *gfP12) SetOne() *gfP12 {
-	e.x.SetZero()
-	e.y.SetOne()
-	return e
-}
-
-func (e *gfP12) Minimal() {
-	e.x.Minimal()
-	e.y.Minimal()
-}
-
-func (e *gfP12) IsZero() bool {
-	e.Minimal()
-	return e.x.IsZero() && e.y.IsZero()
-}
-
-func (e *gfP12) IsOne() bool {
-	e.Minimal()
-	return e.x.IsZero() && e.y.IsOne()
-}
-
-func (e *gfP12) Conjugate(a *gfP12) *gfP12 {
-	e.x.Negative(a.x)
-	e.y.Set(a.y)
-	return a
-}
-
-func (e *gfP12) Negative(a *gfP12) *gfP12 {
-	e.x.Negative(a.x)
-	e.y.Negative(a.y)
-	return e
-}
-
-// Frobenius computes (xω+y)^p = x^p ω·ξ^((p-1)/6) + y^p
-func (e *gfP12) Frobenius(a *gfP12, pool *bnPool) *gfP12 {
-	e.x.Frobenius(a.x, pool)
-	e.y.Frobenius(a.y, pool)
-	e.x.MulScalar(e.x, xiToPMinus1Over6, pool)
-	return e
-}
-
-// FrobeniusP2 computes (xω+y)^p² = x^p² ω·ξ^((p²-1)/6) + y^p²
-func (e *gfP12) FrobeniusP2(a *gfP12, pool *bnPool) *gfP12 {
-	e.x.FrobeniusP2(a.x)
-	e.x.MulGFP(e.x, xiToPSquaredMinus1Over6)
-	e.y.FrobeniusP2(a.y)
-	return e
-}
-
-func (e *gfP12) Add(a, b *gfP12) *gfP12 {
-	e.x.Add(a.x, b.x)
-	e.y.Add(a.y, b.y)
-	return e
-}
-
-func (e *gfP12) Sub(a, b *gfP12) *gfP12 {
-	e.x.Sub(a.x, b.x)
-	e.y.Sub(a.y, b.y)
-	return e
-}
-
-func (e *gfP12) Mul(a, b *gfP12, pool *bnPool) *gfP12 {
-	tx := newGFp6(pool)
-	tx.Mul(a.x, b.y, pool)
-	t := newGFp6(pool)
-	t.Mul(b.x, a.y, pool)
-	tx.Add(tx, t)
-
-	ty := newGFp6(pool)
-	ty.Mul(a.y, b.y, pool)
-	t.Mul(a.x, b.x, pool)
-	t.MulTau(t, pool)
-	e.y.Add(ty, t)
-	e.x.Set(tx)
-
-	tx.Put(pool)
-	ty.Put(pool)
-	t.Put(pool)
-	return e
-}
-
-func (e *gfP12) MulScalar(a *gfP12, b *gfP6, pool *bnPool) *gfP12 {
-	e.x.Mul(e.x, b, pool)
-	e.y.Mul(e.y, b, pool)
-	return e
-}
-
-func (c *gfP12) Exp(a *gfP12, power *big.Int, pool *bnPool) *gfP12 {
-	sum := newGFp12(pool)
-	sum.SetOne()
-	t := newGFp12(pool)
-
-	for i := power.BitLen() - 1; i >= 0; i-- {
-		t.Square(sum, pool)
-		if power.Bit(i) != 0 {
-			sum.Mul(t, a, pool)
-		} else {
-			sum.Set(t)
-		}
-	}
-
-	c.Set(sum)
-
-	sum.Put(pool)
-	t.Put(pool)
-
-	return c
-}
-
-func (e *gfP12) Square(a *gfP12, pool *bnPool) *gfP12 {
-	// Complex squaring algorithm
-	v0 := newGFp6(pool)
-	v0.Mul(a.x, a.y, pool)
-
-	t := newGFp6(pool)
-	t.MulTau(a.x, pool)
-	t.Add(a.y, t)
-	ty := newGFp6(pool)
-	ty.Add(a.x, a.y)
-	ty.Mul(ty, t, pool)
-	ty.Sub(ty, v0)
-	t.MulTau(v0, pool)
-	ty.Sub(ty, t)
-
-	e.y.Set(ty)
-	e.x.Double(v0)
-
-	v0.Put(pool)
-	t.Put(pool)
-	ty.Put(pool)
-
-	return e
-}
-
-func (e *gfP12) Invert(a *gfP12, pool *bnPool) *gfP12 {
-	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
-	// ftp://136.206.11.249/pub/crypto/pairings.pdf
-	t1 := newGFp6(pool)
-	t2 := newGFp6(pool)
-
-	t1.Square(a.x, pool)
-	t2.Square(a.y, pool)
-	t1.MulTau(t1, pool)
-	t1.Sub(t2, t1)
-	t2.Invert(t1, pool)
-
-	e.x.Negative(a.x)
-	e.y.Set(a.y)
-	e.MulScalar(e, t2, pool)
-
-	t1.Put(pool)
-	t2.Put(pool)
-
-	return e
-}
diff --git a/vendor/golang.org/x/crypto/bn256/gfp2.go b/vendor/golang.org/x/crypto/bn256/gfp2.go
deleted file mode 100644
index 97f3f1f3..00000000
--- a/vendor/golang.org/x/crypto/bn256/gfp2.go
+++ /dev/null
@@ -1,219 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bn256
-
-// For details of the algorithms used, see "Multiplication and Squaring on
-// Pairing-Friendly Fields, Devegili et al.
-// http://eprint.iacr.org/2006/471.pdf.
-
-import (
-	"math/big"
-)
-
-// gfP2 implements a field of size p² as a quadratic extension of the base
-// field where i²=-1.
-type gfP2 struct {
-	x, y *big.Int // value is xi+y.
-}
-
-func newGFp2(pool *bnPool) *gfP2 {
-	return &gfP2{pool.Get(), pool.Get()}
-}
-
-func (e *gfP2) String() string {
-	x := new(big.Int).Mod(e.x, p)
-	y := new(big.Int).Mod(e.y, p)
-	return "(" + x.String() + "," + y.String() + ")"
-}
-
-func (e *gfP2) Put(pool *bnPool) {
-	pool.Put(e.x)
-	pool.Put(e.y)
-}
-
-func (e *gfP2) Set(a *gfP2) *gfP2 {
-	e.x.Set(a.x)
-	e.y.Set(a.y)
-	return e
-}
-
-func (e *gfP2) SetZero() *gfP2 {
-	e.x.SetInt64(0)
-	e.y.SetInt64(0)
-	return e
-}
-
-func (e *gfP2) SetOne() *gfP2 {
-	e.x.SetInt64(0)
-	e.y.SetInt64(1)
-	return e
-}
-
-func (e *gfP2) Minimal() {
-	if e.x.Sign() < 0 || e.x.Cmp(p) >= 0 {
-		e.x.Mod(e.x, p)
-	}
-	if e.y.Sign() < 0 || e.y.Cmp(p) >= 0 {
-		e.y.Mod(e.y, p)
-	}
-}
-
-func (e *gfP2) IsZero() bool {
-	return e.x.Sign() == 0 && e.y.Sign() == 0
-}
-
-func (e *gfP2) IsOne() bool {
-	if e.x.Sign() != 0 {
-		return false
-	}
-	words := e.y.Bits()
-	return len(words) == 1 && words[0] == 1
-}
-
-func (e *gfP2) Conjugate(a *gfP2) *gfP2 {
-	e.y.Set(a.y)
-	e.x.Neg(a.x)
-	return e
-}
-
-func (e *gfP2) Negative(a *gfP2) *gfP2 {
-	e.x.Neg(a.x)
-	e.y.Neg(a.y)
-	return e
-}
-
-func (e *gfP2) Add(a, b *gfP2) *gfP2 {
-	e.x.Add(a.x, b.x)
-	e.y.Add(a.y, b.y)
-	return e
-}
-
-func (e *gfP2) Sub(a, b *gfP2) *gfP2 {
-	e.x.Sub(a.x, b.x)
-	e.y.Sub(a.y, b.y)
-	return e
-}
-
-func (e *gfP2) Double(a *gfP2) *gfP2 {
-	e.x.Lsh(a.x, 1)
-	e.y.Lsh(a.y, 1)
-	return e
-}
-
-func (c *gfP2) Exp(a *gfP2, power *big.Int, pool *bnPool) *gfP2 {
-	sum := newGFp2(pool)
-	sum.SetOne()
-	t := newGFp2(pool)
-
-	for i := power.BitLen() - 1; i >= 0; i-- {
-		t.Square(sum, pool)
-		if power.Bit(i) != 0 {
-			sum.Mul(t, a, pool)
-		} else {
-			sum.Set(t)
-		}
-	}
-
-	c.Set(sum)
-
-	sum.Put(pool)
-	t.Put(pool)
-
-	return c
-}
-
-// See "Multiplication and Squaring in Pairing-Friendly Fields",
-// http://eprint.iacr.org/2006/471.pdf
-func (e *gfP2) Mul(a, b *gfP2, pool *bnPool) *gfP2 {
-	tx := pool.Get().Mul(a.x, b.y)
-	t := pool.Get().Mul(b.x, a.y)
-	tx.Add(tx, t)
-	tx.Mod(tx, p)
-
-	ty := pool.Get().Mul(a.y, b.y)
-	t.Mul(a.x, b.x)
-	ty.Sub(ty, t)
-	e.y.Mod(ty, p)
-	e.x.Set(tx)
-
-	pool.Put(tx)
-	pool.Put(ty)
-	pool.Put(t)
-
-	return e
-}
-
-func (e *gfP2) MulScalar(a *gfP2, b *big.Int) *gfP2 {
-	e.x.Mul(a.x, b)
-	e.y.Mul(a.y, b)
-	return e
-}
-
-// MulXi sets e=ξa where ξ=i+3 and then returns e.
-func (e *gfP2) MulXi(a *gfP2, pool *bnPool) *gfP2 {
-	// (xi+y)(i+3) = (3x+y)i+(3y-x)
-	tx := pool.Get().Lsh(a.x, 1)
-	tx.Add(tx, a.x)
-	tx.Add(tx, a.y)
-
-	ty := pool.Get().Lsh(a.y, 1)
-	ty.Add(ty, a.y)
-	ty.Sub(ty, a.x)
-
-	e.x.Set(tx)
-	e.y.Set(ty)
-
-	pool.Put(tx)
-	pool.Put(ty)
-
-	return e
-}
-
-func (e *gfP2) Square(a *gfP2, pool *bnPool) *gfP2 {
-	// Complex squaring algorithm:
-	// (xi+b)² = (x+y)(y-x) + 2*i*x*y
-	t1 := pool.Get().Sub(a.y, a.x)
-	t2 := pool.Get().Add(a.x, a.y)
-	ty := pool.Get().Mul(t1, t2)
-	ty.Mod(ty, p)
-
-	t1.Mul(a.x, a.y)
-	t1.Lsh(t1, 1)
-
-	e.x.Mod(t1, p)
-	e.y.Set(ty)
-
-	pool.Put(t1)
-	pool.Put(t2)
-	pool.Put(ty)
-
-	return e
-}
-
-func (e *gfP2) Invert(a *gfP2, pool *bnPool) *gfP2 {
-	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
-	// ftp://136.206.11.249/pub/crypto/pairings.pdf
-	t := pool.Get()
-	t.Mul(a.y, a.y)
-	t2 := pool.Get()
-	t2.Mul(a.x, a.x)
-	t.Add(t, t2)
-
-	inv := pool.Get()
-	inv.ModInverse(t, p)
-
-	e.x.Neg(a.x)
-	e.x.Mul(e.x, inv)
-	e.x.Mod(e.x, p)
-
-	e.y.Mul(a.y, inv)
-	e.y.Mod(e.y, p)
-
-	pool.Put(t)
-	pool.Put(t2)
-	pool.Put(inv)
-
-	return e
-}
diff --git a/vendor/golang.org/x/crypto/bn256/gfp6.go b/vendor/golang.org/x/crypto/bn256/gfp6.go
deleted file mode 100644
index f98ae782..00000000
--- a/vendor/golang.org/x/crypto/bn256/gfp6.go
+++ /dev/null
@@ -1,296 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bn256
-
-// For details of the algorithms used, see "Multiplication and Squaring on
-// Pairing-Friendly Fields, Devegili et al.
-// http://eprint.iacr.org/2006/471.pdf.
-
-import (
-	"math/big"
-)
-
-// gfP6 implements the field of size p⁶ as a cubic extension of gfP2 where τ³=ξ
-// and ξ=i+3.
-type gfP6 struct {
-	x, y, z *gfP2 // value is xτ² + yτ + z
-}
-
-func newGFp6(pool *bnPool) *gfP6 {
-	return &gfP6{newGFp2(pool), newGFp2(pool), newGFp2(pool)}
-}
-
-func (e *gfP6) String() string {
-	return "(" + e.x.String() + "," + e.y.String() + "," + e.z.String() + ")"
-}
-
-func (e *gfP6) Put(pool *bnPool) {
-	e.x.Put(pool)
-	e.y.Put(pool)
-	e.z.Put(pool)
-}
-
-func (e *gfP6) Set(a *gfP6) *gfP6 {
-	e.x.Set(a.x)
-	e.y.Set(a.y)
-	e.z.Set(a.z)
-	return e
-}
-
-func (e *gfP6) SetZero() *gfP6 {
-	e.x.SetZero()
-	e.y.SetZero()
-	e.z.SetZero()
-	return e
-}
-
-func (e *gfP6) SetOne() *gfP6 {
-	e.x.SetZero()
-	e.y.SetZero()
-	e.z.SetOne()
-	return e
-}
-
-func (e *gfP6) Minimal() {
-	e.x.Minimal()
-	e.y.Minimal()
-	e.z.Minimal()
-}
-
-func (e *gfP6) IsZero() bool {
-	return e.x.IsZero() && e.y.IsZero() && e.z.IsZero()
-}
-
-func (e *gfP6) IsOne() bool {
-	return e.x.IsZero() && e.y.IsZero() && e.z.IsOne()
-}
-
-func (e *gfP6) Negative(a *gfP6) *gfP6 {
-	e.x.Negative(a.x)
-	e.y.Negative(a.y)
-	e.z.Negative(a.z)
-	return e
-}
-
-func (e *gfP6) Frobenius(a *gfP6, pool *bnPool) *gfP6 {
-	e.x.Conjugate(a.x)
-	e.y.Conjugate(a.y)
-	e.z.Conjugate(a.z)
-
-	e.x.Mul(e.x, xiTo2PMinus2Over3, pool)
-	e.y.Mul(e.y, xiToPMinus1Over3, pool)
-	return e
-}
-
-// FrobeniusP2 computes (xτ²+yτ+z)^(p²) = xτ^(2p²) + yτ^(p²) + z
-func (e *gfP6) FrobeniusP2(a *gfP6) *gfP6 {
-	// τ^(2p²) = τ²τ^(2p²-2) = τ²ξ^((2p²-2)/3)
-	e.x.MulScalar(a.x, xiTo2PSquaredMinus2Over3)
-	// τ^(p²) = ττ^(p²-1) = τξ^((p²-1)/3)
-	e.y.MulScalar(a.y, xiToPSquaredMinus1Over3)
-	e.z.Set(a.z)
-	return e
-}
-
-func (e *gfP6) Add(a, b *gfP6) *gfP6 {
-	e.x.Add(a.x, b.x)
-	e.y.Add(a.y, b.y)
-	e.z.Add(a.z, b.z)
-	return e
-}
-
-func (e *gfP6) Sub(a, b *gfP6) *gfP6 {
-	e.x.Sub(a.x, b.x)
-	e.y.Sub(a.y, b.y)
-	e.z.Sub(a.z, b.z)
-	return e
-}
-
-func (e *gfP6) Double(a *gfP6) *gfP6 {
-	e.x.Double(a.x)
-	e.y.Double(a.y)
-	e.z.Double(a.z)
-	return e
-}
-
-func (e *gfP6) Mul(a, b *gfP6, pool *bnPool) *gfP6 {
-	// "Multiplication and Squaring on Pairing-Friendly Fields"
-	// Section 4, Karatsuba method.
-	// http://eprint.iacr.org/2006/471.pdf
-
-	v0 := newGFp2(pool)
-	v0.Mul(a.z, b.z, pool)
-	v1 := newGFp2(pool)
-	v1.Mul(a.y, b.y, pool)
-	v2 := newGFp2(pool)
-	v2.Mul(a.x, b.x, pool)
-
-	t0 := newGFp2(pool)
-	t0.Add(a.x, a.y)
-	t1 := newGFp2(pool)
-	t1.Add(b.x, b.y)
-	tz := newGFp2(pool)
-	tz.Mul(t0, t1, pool)
-
-	tz.Sub(tz, v1)
-	tz.Sub(tz, v2)
-	tz.MulXi(tz, pool)
-	tz.Add(tz, v0)
-
-	t0.Add(a.y, a.z)
-	t1.Add(b.y, b.z)
-	ty := newGFp2(pool)
-	ty.Mul(t0, t1, pool)
-	ty.Sub(ty, v0)
-	ty.Sub(ty, v1)
-	t0.MulXi(v2, pool)
-	ty.Add(ty, t0)
-
-	t0.Add(a.x, a.z)
-	t1.Add(b.x, b.z)
-	tx := newGFp2(pool)
-	tx.Mul(t0, t1, pool)
-	tx.Sub(tx, v0)
-	tx.Add(tx, v1)
-	tx.Sub(tx, v2)
-
-	e.x.Set(tx)
-	e.y.Set(ty)
-	e.z.Set(tz)
-
-	t0.Put(pool)
-	t1.Put(pool)
-	tx.Put(pool)
-	ty.Put(pool)
-	tz.Put(pool)
-	v0.Put(pool)
-	v1.Put(pool)
-	v2.Put(pool)
-	return e
-}
-
-func (e *gfP6) MulScalar(a *gfP6, b *gfP2, pool *bnPool) *gfP6 {
-	e.x.Mul(a.x, b, pool)
-	e.y.Mul(a.y, b, pool)
-	e.z.Mul(a.z, b, pool)
-	return e
-}
-
-func (e *gfP6) MulGFP(a *gfP6, b *big.Int) *gfP6 {
-	e.x.MulScalar(a.x, b)
-	e.y.MulScalar(a.y, b)
-	e.z.MulScalar(a.z, b)
-	return e
-}
-
-// MulTau computes τ·(aτ²+bτ+c) = bτ²+cτ+aξ
-func (e *gfP6) MulTau(a *gfP6, pool *bnPool) {
-	tz := newGFp2(pool)
-	tz.MulXi(a.x, pool)
-	ty := newGFp2(pool)
-	ty.Set(a.y)
-	e.y.Set(a.z)
-	e.x.Set(ty)
-	e.z.Set(tz)
-	tz.Put(pool)
-	ty.Put(pool)
-}
-
-func (e *gfP6) Square(a *gfP6, pool *bnPool) *gfP6 {
-	v0 := newGFp2(pool).Square(a.z, pool)
-	v1 := newGFp2(pool).Square(a.y, pool)
-	v2 := newGFp2(pool).Square(a.x, pool)
-
-	c0 := newGFp2(pool).Add(a.x, a.y)
-	c0.Square(c0, pool)
-	c0.Sub(c0, v1)
-	c0.Sub(c0, v2)
-	c0.MulXi(c0, pool)
-	c0.Add(c0, v0)
-
-	c1 := newGFp2(pool).Add(a.y, a.z)
-	c1.Square(c1, pool)
-	c1.Sub(c1, v0)
-	c1.Sub(c1, v1)
-	xiV2 := newGFp2(pool).MulXi(v2, pool)
-	c1.Add(c1, xiV2)
-
-	c2 := newGFp2(pool).Add(a.x, a.z)
-	c2.Square(c2, pool)
-	c2.Sub(c2, v0)
-	c2.Add(c2, v1)
-	c2.Sub(c2, v2)
-
-	e.x.Set(c2)
-	e.y.Set(c1)
-	e.z.Set(c0)
-
-	v0.Put(pool)
-	v1.Put(pool)
-	v2.Put(pool)
-	c0.Put(pool)
-	c1.Put(pool)
-	c2.Put(pool)
-	xiV2.Put(pool)
-
-	return e
-}
-
-func (e *gfP6) Invert(a *gfP6, pool *bnPool) *gfP6 {
-	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
-	// ftp://136.206.11.249/pub/crypto/pairings.pdf
-
-	// Here we can give a short explanation of how it works: let j be a cubic root of
-	// unity in GF(p²) so that 1+j+j²=0.
-	// Then (xτ² + yτ + z)(xj²τ² + yjτ + z)(xjτ² + yj²τ + z)
-	// = (xτ² + yτ + z)(Cτ²+Bτ+A)
-	// = (x³ξ²+y³ξ+z³-3ξxyz) = F is an element of the base field (the norm).
-	//
-	// On the other hand (xj²τ² + yjτ + z)(xjτ² + yj²τ + z)
-	// = τ²(y²-ξxz) + τ(ξx²-yz) + (z²-ξxy)
-	//
-	// So that's why A = (z²-ξxy), B = (ξx²-yz), C = (y²-ξxz)
-	t1 := newGFp2(pool)
-
-	A := newGFp2(pool)
-	A.Square(a.z, pool)
-	t1.Mul(a.x, a.y, pool)
-	t1.MulXi(t1, pool)
-	A.Sub(A, t1)
-
-	B := newGFp2(pool)
-	B.Square(a.x, pool)
-	B.MulXi(B, pool)
-	t1.Mul(a.y, a.z, pool)
-	B.Sub(B, t1)
-
-	C := newGFp2(pool)
-	C.Square(a.y, pool)
-	t1.Mul(a.x, a.z, pool)
-	C.Sub(C, t1)
-
-	F := newGFp2(pool)
-	F.Mul(C, a.y, pool)
-	F.MulXi(F, pool)
-	t1.Mul(A, a.z, pool)
-	F.Add(F, t1)
-	t1.Mul(B, a.x, pool)
-	t1.MulXi(t1, pool)
-	F.Add(F, t1)
-
-	F.Invert(F, pool)
-
-	e.x.Mul(C, F, pool)
-	e.y.Mul(B, F, pool)
-	e.z.Mul(A, F, pool)
-
-	t1.Put(pool)
-	A.Put(pool)
-	B.Put(pool)
-	C.Put(pool)
-	F.Put(pool)
-
-	return e
-}
diff --git a/vendor/golang.org/x/crypto/bn256/optate.go b/vendor/golang.org/x/crypto/bn256/optate.go
deleted file mode 100644
index 7ae0746e..00000000
--- a/vendor/golang.org/x/crypto/bn256/optate.go
+++ /dev/null
@@ -1,395 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bn256
-
-func lineFunctionAdd(r, p *twistPoint, q *curvePoint, r2 *gfP2, pool *bnPool) (a, b, c *gfP2, rOut *twistPoint) {
-	// See the mixed addition algorithm from "Faster Computation of the
-	// Tate Pairing", http://arxiv.org/pdf/0904.0854v3.pdf
-
-	B := newGFp2(pool).Mul(p.x, r.t, pool)
-
-	D := newGFp2(pool).Add(p.y, r.z)
-	D.Square(D, pool)
-	D.Sub(D, r2)
-	D.Sub(D, r.t)
-	D.Mul(D, r.t, pool)
-
-	H := newGFp2(pool).Sub(B, r.x)
-	I := newGFp2(pool).Square(H, pool)
-
-	E := newGFp2(pool).Add(I, I)
-	E.Add(E, E)
-
-	J := newGFp2(pool).Mul(H, E, pool)
-
-	L1 := newGFp2(pool).Sub(D, r.y)
-	L1.Sub(L1, r.y)
-
-	V := newGFp2(pool).Mul(r.x, E, pool)
-
-	rOut = newTwistPoint(pool)
-	rOut.x.Square(L1, pool)
-	rOut.x.Sub(rOut.x, J)
-	rOut.x.Sub(rOut.x, V)
-	rOut.x.Sub(rOut.x, V)
-
-	rOut.z.Add(r.z, H)
-	rOut.z.Square(rOut.z, pool)
-	rOut.z.Sub(rOut.z, r.t)
-	rOut.z.Sub(rOut.z, I)
-
-	t := newGFp2(pool).Sub(V, rOut.x)
-	t.Mul(t, L1, pool)
-	t2 := newGFp2(pool).Mul(r.y, J, pool)
-	t2.Add(t2, t2)
-	rOut.y.Sub(t, t2)
-
-	rOut.t.Square(rOut.z, pool)
-
-	t.Add(p.y, rOut.z)
-	t.Square(t, pool)
-	t.Sub(t, r2)
-	t.Sub(t, rOut.t)
-
-	t2.Mul(L1, p.x, pool)
-	t2.Add(t2, t2)
-	a = newGFp2(pool)
-	a.Sub(t2, t)
-
-	c = newGFp2(pool)
-	c.MulScalar(rOut.z, q.y)
-	c.Add(c, c)
-
-	b = newGFp2(pool)
-	b.SetZero()
-	b.Sub(b, L1)
-	b.MulScalar(b, q.x)
-	b.Add(b, b)
-
-	B.Put(pool)
-	D.Put(pool)
-	H.Put(pool)
-	I.Put(pool)
-	E.Put(pool)
-	J.Put(pool)
-	L1.Put(pool)
-	V.Put(pool)
-	t.Put(pool)
-	t2.Put(pool)
-
-	return
-}
-
-func lineFunctionDouble(r *twistPoint, q *curvePoint, pool *bnPool) (a, b, c *gfP2, rOut *twistPoint) {
-	// See the doubling algorithm for a=0 from "Faster Computation of the
-	// Tate Pairing", http://arxiv.org/pdf/0904.0854v3.pdf
-
-	A := newGFp2(pool).Square(r.x, pool)
-	B := newGFp2(pool).Square(r.y, pool)
-	C := newGFp2(pool).Square(B, pool)
-
-	D := newGFp2(pool).Add(r.x, B)
-	D.Square(D, pool)
-	D.Sub(D, A)
-	D.Sub(D, C)
-	D.Add(D, D)
-
-	E := newGFp2(pool).Add(A, A)
-	E.Add(E, A)
-
-	G := newGFp2(pool).Square(E, pool)
-
-	rOut = newTwistPoint(pool)
-	rOut.x.Sub(G, D)
-	rOut.x.Sub(rOut.x, D)
-
-	rOut.z.Add(r.y, r.z)
-	rOut.z.Square(rOut.z, pool)
-	rOut.z.Sub(rOut.z, B)
-	rOut.z.Sub(rOut.z, r.t)
-
-	rOut.y.Sub(D, rOut.x)
-	rOut.y.Mul(rOut.y, E, pool)
-	t := newGFp2(pool).Add(C, C)
-	t.Add(t, t)
-	t.Add(t, t)
-	rOut.y.Sub(rOut.y, t)
-
-	rOut.t.Square(rOut.z, pool)
-
-	t.Mul(E, r.t, pool)
-	t.Add(t, t)
-	b = newGFp2(pool)
-	b.SetZero()
-	b.Sub(b, t)
-	b.MulScalar(b, q.x)
-
-	a = newGFp2(pool)
-	a.Add(r.x, E)
-	a.Square(a, pool)
-	a.Sub(a, A)
-	a.Sub(a, G)
-	t.Add(B, B)
-	t.Add(t, t)
-	a.Sub(a, t)
-
-	c = newGFp2(pool)
-	c.Mul(rOut.z, r.t, pool)
-	c.Add(c, c)
-	c.MulScalar(c, q.y)
-
-	A.Put(pool)
-	B.Put(pool)
-	C.Put(pool)
-	D.Put(pool)
-	E.Put(pool)
-	G.Put(pool)
-	t.Put(pool)
-
-	return
-}
-
-func mulLine(ret *gfP12, a, b, c *gfP2, pool *bnPool) {
-	a2 := newGFp6(pool)
-	a2.x.SetZero()
-	a2.y.Set(a)
-	a2.z.Set(b)
-	a2.Mul(a2, ret.x, pool)
-	t3 := newGFp6(pool).MulScalar(ret.y, c, pool)
-
-	t := newGFp2(pool)
-	t.Add(b, c)
-	t2 := newGFp6(pool)
-	t2.x.SetZero()
-	t2.y.Set(a)
-	t2.z.Set(t)
-	ret.x.Add(ret.x, ret.y)
-
-	ret.y.Set(t3)
-
-	ret.x.Mul(ret.x, t2, pool)
-	ret.x.Sub(ret.x, a2)
-	ret.x.Sub(ret.x, ret.y)
-	a2.MulTau(a2, pool)
-	ret.y.Add(ret.y, a2)
-
-	a2.Put(pool)
-	t3.Put(pool)
-	t2.Put(pool)
-	t.Put(pool)
-}
-
-// sixuPlus2NAF is 6u+2 in non-adjacent form.
-var sixuPlus2NAF = []int8{0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, -1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, -1, 0, 1, 0, 0, 0, 1, 0, -1, 0, 0, 0, -1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, -1, 0, -1, 0, 0, 0, 0, 1, 0, 0, 0, 1}
-
-// miller implements the Miller loop for calculating the Optimal Ate pairing.
-// See algorithm 1 from http://cryptojedi.org/papers/dclxvi-20100714.pdf
-func miller(q *twistPoint, p *curvePoint, pool *bnPool) *gfP12 {
-	ret := newGFp12(pool)
-	ret.SetOne()
-
-	aAffine := newTwistPoint(pool)
-	aAffine.Set(q)
-	aAffine.MakeAffine(pool)
-
-	bAffine := newCurvePoint(pool)
-	bAffine.Set(p)
-	bAffine.MakeAffine(pool)
-
-	minusA := newTwistPoint(pool)
-	minusA.Negative(aAffine, pool)
-
-	r := newTwistPoint(pool)
-	r.Set(aAffine)
-
-	r2 := newGFp2(pool)
-	r2.Square(aAffine.y, pool)
-
-	for i := len(sixuPlus2NAF) - 1; i > 0; i-- {
-		a, b, c, newR := lineFunctionDouble(r, bAffine, pool)
-		if i != len(sixuPlus2NAF)-1 {
-			ret.Square(ret, pool)
-		}
-
-		mulLine(ret, a, b, c, pool)
-		a.Put(pool)
-		b.Put(pool)
-		c.Put(pool)
-		r.Put(pool)
-		r = newR
-
-		switch sixuPlus2NAF[i-1] {
-		case 1:
-			a, b, c, newR = lineFunctionAdd(r, aAffine, bAffine, r2, pool)
-		case -1:
-			a, b, c, newR = lineFunctionAdd(r, minusA, bAffine, r2, pool)
-		default:
-			continue
-		}
-
-		mulLine(ret, a, b, c, pool)
-		a.Put(pool)
-		b.Put(pool)
-		c.Put(pool)
-		r.Put(pool)
-		r = newR
-	}
-
-	// In order to calculate Q1 we have to convert q from the sextic twist
-	// to the full GF(p^12) group, apply the Frobenius there, and convert
-	// back.
-	//
-	// The twist isomorphism is (x', y') -> (xω², yω³). If we consider just
-	// x for a moment, then after applying the Frobenius, we have x̄ω^(2p)
-	// where x̄ is the conjugate of x. If we are going to apply the inverse
-	// isomorphism we need a value with a single coefficient of ω² so we
-	// rewrite this as x̄ω^(2p-2)ω². ξ⁶ = ω and, due to the construction of
-	// p, 2p-2 is a multiple of six. Therefore we can rewrite as
-	// x̄ξ^((p-1)/3)ω² and applying the inverse isomorphism eliminates the
-	// ω².
-	//
-	// A similar argument can be made for the y value.
-
-	q1 := newTwistPoint(pool)
-	q1.x.Conjugate(aAffine.x)
-	q1.x.Mul(q1.x, xiToPMinus1Over3, pool)
-	q1.y.Conjugate(aAffine.y)
-	q1.y.Mul(q1.y, xiToPMinus1Over2, pool)
-	q1.z.SetOne()
-	q1.t.SetOne()
-
-	// For Q2 we are applying the p² Frobenius. The two conjugations cancel
-	// out and we are left only with the factors from the isomorphism. In
-	// the case of x, we end up with a pure number which is why
-	// xiToPSquaredMinus1Over3 is ∈ GF(p). With y we get a factor of -1. We
-	// ignore this to end up with -Q2.
-
-	minusQ2 := newTwistPoint(pool)
-	minusQ2.x.MulScalar(aAffine.x, xiToPSquaredMinus1Over3)
-	minusQ2.y.Set(aAffine.y)
-	minusQ2.z.SetOne()
-	minusQ2.t.SetOne()
-
-	r2.Square(q1.y, pool)
-	a, b, c, newR := lineFunctionAdd(r, q1, bAffine, r2, pool)
-	mulLine(ret, a, b, c, pool)
-	a.Put(pool)
-	b.Put(pool)
-	c.Put(pool)
-	r.Put(pool)
-	r = newR
-
-	r2.Square(minusQ2.y, pool)
-	a, b, c, newR = lineFunctionAdd(r, minusQ2, bAffine, r2, pool)
-	mulLine(ret, a, b, c, pool)
-	a.Put(pool)
-	b.Put(pool)
-	c.Put(pool)
-	r.Put(pool)
-	r = newR
-
-	aAffine.Put(pool)
-	bAffine.Put(pool)
-	minusA.Put(pool)
-	r.Put(pool)
-	r2.Put(pool)
-
-	return ret
-}
-
-// finalExponentiation computes the (p¹²-1)/Order-th power of an element of
-// GF(p¹²) to obtain an element of GT (steps 13-15 of algorithm 1 from
-// http://cryptojedi.org/papers/dclxvi-20100714.pdf)
-func finalExponentiation(in *gfP12, pool *bnPool) *gfP12 {
-	t1 := newGFp12(pool)
-
-	// This is the p^6-Frobenius
-	t1.x.Negative(in.x)
-	t1.y.Set(in.y)
-
-	inv := newGFp12(pool)
-	inv.Invert(in, pool)
-	t1.Mul(t1, inv, pool)
-
-	t2 := newGFp12(pool).FrobeniusP2(t1, pool)
-	t1.Mul(t1, t2, pool)
-
-	fp := newGFp12(pool).Frobenius(t1, pool)
-	fp2 := newGFp12(pool).FrobeniusP2(t1, pool)
-	fp3 := newGFp12(pool).Frobenius(fp2, pool)
-
-	fu, fu2, fu3 := newGFp12(pool), newGFp12(pool), newGFp12(pool)
-	fu.Exp(t1, u, pool)
-	fu2.Exp(fu, u, pool)
-	fu3.Exp(fu2, u, pool)
-
-	y3 := newGFp12(pool).Frobenius(fu, pool)
-	fu2p := newGFp12(pool).Frobenius(fu2, pool)
-	fu3p := newGFp12(pool).Frobenius(fu3, pool)
-	y2 := newGFp12(pool).FrobeniusP2(fu2, pool)
-
-	y0 := newGFp12(pool)
-	y0.Mul(fp, fp2, pool)
-	y0.Mul(y0, fp3, pool)
-
-	y1, y4, y5 := newGFp12(pool), newGFp12(pool), newGFp12(pool)
-	y1.Conjugate(t1)
-	y5.Conjugate(fu2)
-	y3.Conjugate(y3)
-	y4.Mul(fu, fu2p, pool)
-	y4.Conjugate(y4)
-
-	y6 := newGFp12(pool)
-	y6.Mul(fu3, fu3p, pool)
-	y6.Conjugate(y6)
-
-	t0 := newGFp12(pool)
-	t0.Square(y6, pool)
-	t0.Mul(t0, y4, pool)
-	t0.Mul(t0, y5, pool)
-	t1.Mul(y3, y5, pool)
-	t1.Mul(t1, t0, pool)
-	t0.Mul(t0, y2, pool)
-	t1.Square(t1, pool)
-	t1.Mul(t1, t0, pool)
-	t1.Square(t1, pool)
-	t0.Mul(t1, y1, pool)
-	t1.Mul(t1, y0, pool)
-	t0.Square(t0, pool)
-	t0.Mul(t0, t1, pool)
-
-	inv.Put(pool)
-	t1.Put(pool)
-	t2.Put(pool)
-	fp.Put(pool)
-	fp2.Put(pool)
-	fp3.Put(pool)
-	fu.Put(pool)
-	fu2.Put(pool)
-	fu3.Put(pool)
-	fu2p.Put(pool)
-	fu3p.Put(pool)
-	y0.Put(pool)
-	y1.Put(pool)
-	y2.Put(pool)
-	y3.Put(pool)
-	y4.Put(pool)
-	y5.Put(pool)
-	y6.Put(pool)
-
-	return t0
-}
-
-func optimalAte(a *twistPoint, b *curvePoint, pool *bnPool) *gfP12 {
-	e := miller(a, b, pool)
-	ret := finalExponentiation(e, pool)
-	e.Put(pool)
-
-	if a.IsInfinity() || b.IsInfinity() {
-		ret.SetOne()
-	}
-
-	return ret
-}
diff --git a/vendor/golang.org/x/crypto/bn256/twist.go b/vendor/golang.org/x/crypto/bn256/twist.go
deleted file mode 100644
index 4f8b3fed..00000000
--- a/vendor/golang.org/x/crypto/bn256/twist.go
+++ /dev/null
@@ -1,249 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bn256
-
-import (
-	"math/big"
-)
-
-// twistPoint implements the elliptic curve y²=x³+3/ξ over GF(p²). Points are
-// kept in Jacobian form and t=z² when valid. The group G₂ is the set of
-// n-torsion points of this curve over GF(p²) (where n = Order)
-type twistPoint struct {
-	x, y, z, t *gfP2
-}
-
-var twistB = &gfP2{
-	bigFromBase10("6500054969564660373279643874235990574282535810762300357187714502686418407178"),
-	bigFromBase10("45500384786952622612957507119651934019977750675336102500314001518804928850249"),
-}
-
-// twistGen is the generator of group G₂.
-var twistGen = &twistPoint{
-	&gfP2{
-		bigFromBase10("21167961636542580255011770066570541300993051739349375019639421053990175267184"),
-		bigFromBase10("64746500191241794695844075326670126197795977525365406531717464316923369116492"),
-	},
-	&gfP2{
-		bigFromBase10("20666913350058776956210519119118544732556678129809273996262322366050359951122"),
-		bigFromBase10("17778617556404439934652658462602675281523610326338642107814333856843981424549"),
-	},
-	&gfP2{
-		bigFromBase10("0"),
-		bigFromBase10("1"),
-	},
-	&gfP2{
-		bigFromBase10("0"),
-		bigFromBase10("1"),
-	},
-}
-
-func newTwistPoint(pool *bnPool) *twistPoint {
-	return &twistPoint{
-		newGFp2(pool),
-		newGFp2(pool),
-		newGFp2(pool),
-		newGFp2(pool),
-	}
-}
-
-func (c *twistPoint) String() string {
-	return "(" + c.x.String() + ", " + c.y.String() + ", " + c.z.String() + ")"
-}
-
-func (c *twistPoint) Put(pool *bnPool) {
-	c.x.Put(pool)
-	c.y.Put(pool)
-	c.z.Put(pool)
-	c.t.Put(pool)
-}
-
-func (c *twistPoint) Set(a *twistPoint) {
-	c.x.Set(a.x)
-	c.y.Set(a.y)
-	c.z.Set(a.z)
-	c.t.Set(a.t)
-}
-
-// IsOnCurve returns true iff c is on the curve where c must be in affine form.
-func (c *twistPoint) IsOnCurve() bool {
-	pool := new(bnPool)
-	yy := newGFp2(pool).Square(c.y, pool)
-	xxx := newGFp2(pool).Square(c.x, pool)
-	xxx.Mul(xxx, c.x, pool)
-	yy.Sub(yy, xxx)
-	yy.Sub(yy, twistB)
-	yy.Minimal()
-	return yy.x.Sign() == 0 && yy.y.Sign() == 0
-}
-
-func (c *twistPoint) SetInfinity() {
-	c.z.SetZero()
-}
-
-func (c *twistPoint) IsInfinity() bool {
-	return c.z.IsZero()
-}
-
-func (c *twistPoint) Add(a, b *twistPoint, pool *bnPool) {
-	// For additional comments, see the same function in curve.go.
-
-	if a.IsInfinity() {
-		c.Set(b)
-		return
-	}
-	if b.IsInfinity() {
-		c.Set(a)
-		return
-	}
-
-	// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/addition/add-2007-bl.op3
-	z1z1 := newGFp2(pool).Square(a.z, pool)
-	z2z2 := newGFp2(pool).Square(b.z, pool)
-	u1 := newGFp2(pool).Mul(a.x, z2z2, pool)
-	u2 := newGFp2(pool).Mul(b.x, z1z1, pool)
-
-	t := newGFp2(pool).Mul(b.z, z2z2, pool)
-	s1 := newGFp2(pool).Mul(a.y, t, pool)
-
-	t.Mul(a.z, z1z1, pool)
-	s2 := newGFp2(pool).Mul(b.y, t, pool)
-
-	h := newGFp2(pool).Sub(u2, u1)
-	xEqual := h.IsZero()
-
-	t.Add(h, h)
-	i := newGFp2(pool).Square(t, pool)
-	j := newGFp2(pool).Mul(h, i, pool)
-
-	t.Sub(s2, s1)
-	yEqual := t.IsZero()
-	if xEqual && yEqual {
-		c.Double(a, pool)
-		return
-	}
-	r := newGFp2(pool).Add(t, t)
-
-	v := newGFp2(pool).Mul(u1, i, pool)
-
-	t4 := newGFp2(pool).Square(r, pool)
-	t.Add(v, v)
-	t6 := newGFp2(pool).Sub(t4, j)
-	c.x.Sub(t6, t)
-
-	t.Sub(v, c.x)       // t7
-	t4.Mul(s1, j, pool) // t8
-	t6.Add(t4, t4)      // t9
-	t4.Mul(r, t, pool)  // t10
-	c.y.Sub(t4, t6)
-
-	t.Add(a.z, b.z)    // t11
-	t4.Square(t, pool) // t12
-	t.Sub(t4, z1z1)    // t13
-	t4.Sub(t, z2z2)    // t14
-	c.z.Mul(t4, h, pool)
-
-	z1z1.Put(pool)
-	z2z2.Put(pool)
-	u1.Put(pool)
-	u2.Put(pool)
-	t.Put(pool)
-	s1.Put(pool)
-	s2.Put(pool)
-	h.Put(pool)
-	i.Put(pool)
-	j.Put(pool)
-	r.Put(pool)
-	v.Put(pool)
-	t4.Put(pool)
-	t6.Put(pool)
-}
-
-func (c *twistPoint) Double(a *twistPoint, pool *bnPool) {
-	// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/doubling/dbl-2009-l.op3
-	A := newGFp2(pool).Square(a.x, pool)
-	B := newGFp2(pool).Square(a.y, pool)
-	C := newGFp2(pool).Square(B, pool)
-
-	t := newGFp2(pool).Add(a.x, B)
-	t2 := newGFp2(pool).Square(t, pool)
-	t.Sub(t2, A)
-	t2.Sub(t, C)
-	d := newGFp2(pool).Add(t2, t2)
-	t.Add(A, A)
-	e := newGFp2(pool).Add(t, A)
-	f := newGFp2(pool).Square(e, pool)
-
-	t.Add(d, d)
-	c.x.Sub(f, t)
-
-	t.Add(C, C)
-	t2.Add(t, t)
-	t.Add(t2, t2)
-	c.y.Sub(d, c.x)
-	t2.Mul(e, c.y, pool)
-	c.y.Sub(t2, t)
-
-	t.Mul(a.y, a.z, pool)
-	c.z.Add(t, t)
-
-	A.Put(pool)
-	B.Put(pool)
-	C.Put(pool)
-	t.Put(pool)
-	t2.Put(pool)
-	d.Put(pool)
-	e.Put(pool)
-	f.Put(pool)
-}
-
-func (c *twistPoint) Mul(a *twistPoint, scalar *big.Int, pool *bnPool) *twistPoint {
-	sum := newTwistPoint(pool)
-	sum.SetInfinity()
-	t := newTwistPoint(pool)
-
-	for i := scalar.BitLen(); i >= 0; i-- {
-		t.Double(sum, pool)
-		if scalar.Bit(i) != 0 {
-			sum.Add(t, a, pool)
-		} else {
-			sum.Set(t)
-		}
-	}
-
-	c.Set(sum)
-	sum.Put(pool)
-	t.Put(pool)
-	return c
-}
-
-func (c *twistPoint) MakeAffine(pool *bnPool) *twistPoint {
-	if c.z.IsOne() {
-		return c
-	}
-
-	zInv := newGFp2(pool).Invert(c.z, pool)
-	t := newGFp2(pool).Mul(c.y, zInv, pool)
-	zInv2 := newGFp2(pool).Square(zInv, pool)
-	c.y.Mul(t, zInv2, pool)
-	t.Mul(c.x, zInv2, pool)
-	c.x.Set(t)
-	c.z.SetOne()
-	c.t.SetOne()
-
-	zInv.Put(pool)
-	t.Put(pool)
-	zInv2.Put(pool)
-
-	return c
-}
-
-func (c *twistPoint) Negative(a *twistPoint, pool *bnPool) {
-	c.x.Set(a.x)
-	c.y.SetZero()
-	c.y.Sub(c.y, a.y)
-	c.z.Set(a.z)
-	c.t.SetZero()
-}
diff --git a/vendor/golang.org/x/crypto/cast5/cast5.go b/vendor/golang.org/x/crypto/cast5/cast5.go
deleted file mode 100644
index 0b4af37b..00000000
--- a/vendor/golang.org/x/crypto/cast5/cast5.go
+++ /dev/null
@@ -1,526 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package cast5 implements CAST5, as defined in RFC 2144. CAST5 is a common
-// OpenPGP cipher.
-package cast5 // import "golang.org/x/crypto/cast5"
-
-import "errors"
-
-const BlockSize = 8
-const KeySize = 16
-
-type Cipher struct {
-	masking [16]uint32
-	rotate  [16]uint8
-}
-
-func NewCipher(key []byte) (c *Cipher, err error) {
-	if len(key) != KeySize {
-		return nil, errors.New("CAST5: keys must be 16 bytes")
-	}
-
-	c = new(Cipher)
-	c.keySchedule(key)
-	return
-}
-
-func (c *Cipher) BlockSize() int {
-	return BlockSize
-}
-
-func (c *Cipher) Encrypt(dst, src []byte) {
-	l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
-	r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
-
-	l, r = r, l^f1(r, c.masking[0], c.rotate[0])
-	l, r = r, l^f2(r, c.masking[1], c.rotate[1])
-	l, r = r, l^f3(r, c.masking[2], c.rotate[2])
-	l, r = r, l^f1(r, c.masking[3], c.rotate[3])
-
-	l, r = r, l^f2(r, c.masking[4], c.rotate[4])
-	l, r = r, l^f3(r, c.masking[5], c.rotate[5])
-	l, r = r, l^f1(r, c.masking[6], c.rotate[6])
-	l, r = r, l^f2(r, c.masking[7], c.rotate[7])
-
-	l, r = r, l^f3(r, c.masking[8], c.rotate[8])
-	l, r = r, l^f1(r, c.masking[9], c.rotate[9])
-	l, r = r, l^f2(r, c.masking[10], c.rotate[10])
-	l, r = r, l^f3(r, c.masking[11], c.rotate[11])
-
-	l, r = r, l^f1(r, c.masking[12], c.rotate[12])
-	l, r = r, l^f2(r, c.masking[13], c.rotate[13])
-	l, r = r, l^f3(r, c.masking[14], c.rotate[14])
-	l, r = r, l^f1(r, c.masking[15], c.rotate[15])
-
-	dst[0] = uint8(r >> 24)
-	dst[1] = uint8(r >> 16)
-	dst[2] = uint8(r >> 8)
-	dst[3] = uint8(r)
-	dst[4] = uint8(l >> 24)
-	dst[5] = uint8(l >> 16)
-	dst[6] = uint8(l >> 8)
-	dst[7] = uint8(l)
-}
-
-func (c *Cipher) Decrypt(dst, src []byte) {
-	l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
-	r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
-
-	l, r = r, l^f1(r, c.masking[15], c.rotate[15])
-	l, r = r, l^f3(r, c.masking[14], c.rotate[14])
-	l, r = r, l^f2(r, c.masking[13], c.rotate[13])
-	l, r = r, l^f1(r, c.masking[12], c.rotate[12])
-
-	l, r = r, l^f3(r, c.masking[11], c.rotate[11])
-	l, r = r, l^f2(r, c.masking[10], c.rotate[10])
-	l, r = r, l^f1(r, c.masking[9], c.rotate[9])
-	l, r = r, l^f3(r, c.masking[8], c.rotate[8])
-
-	l, r = r, l^f2(r, c.masking[7], c.rotate[7])
-	l, r = r, l^f1(r, c.masking[6], c.rotate[6])
-	l, r = r, l^f3(r, c.masking[5], c.rotate[5])
-	l, r = r, l^f2(r, c.masking[4], c.rotate[4])
-
-	l, r = r, l^f1(r, c.masking[3], c.rotate[3])
-	l, r = r, l^f3(r, c.masking[2], c.rotate[2])
-	l, r = r, l^f2(r, c.masking[1], c.rotate[1])
-	l, r = r, l^f1(r, c.masking[0], c.rotate[0])
-
-	dst[0] = uint8(r >> 24)
-	dst[1] = uint8(r >> 16)
-	dst[2] = uint8(r >> 8)
-	dst[3] = uint8(r)
-	dst[4] = uint8(l >> 24)
-	dst[5] = uint8(l >> 16)
-	dst[6] = uint8(l >> 8)
-	dst[7] = uint8(l)
-}
-
-type keyScheduleA [4][7]uint8
-type keyScheduleB [4][5]uint8
-
-// keyScheduleRound contains the magic values for a round of the key schedule.
-// The keyScheduleA deals with the lines like:
-//   z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
-// Conceptually, both x and z are in the same array, x first. The first
-// element describes which word of this array gets written to and the
-// second, which word gets read. So, for the line above, it's "4, 0", because
-// it's writing to the first word of z, which, being after x, is word 4, and
-// reading from the first word of x: word 0.
-//
-// Next are the indexes into the S-boxes. Now the array is treated as bytes. So
-// "xD" is 0xd. The first byte of z is written as "16 + 0", just to be clear
-// that it's z that we're indexing.
-//
-// keyScheduleB deals with lines like:
-//   K1 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]
-// "K1" is ignored because key words are always written in order. So the five
-// elements are the S-box indexes. They use the same form as in keyScheduleA,
-// above.
-
-type keyScheduleRound struct{}
-type keySchedule []keyScheduleRound
-
-var schedule = []struct {
-	a keyScheduleA
-	b keyScheduleB
-}{
-	{
-		keyScheduleA{
-			{4, 0, 0xd, 0xf, 0xc, 0xe, 0x8},
-			{5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa},
-			{6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9},
-			{7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb},
-		},
-		keyScheduleB{
-			{16 + 8, 16 + 9, 16 + 7, 16 + 6, 16 + 2},
-			{16 + 0xa, 16 + 0xb, 16 + 5, 16 + 4, 16 + 6},
-			{16 + 0xc, 16 + 0xd, 16 + 3, 16 + 2, 16 + 9},
-			{16 + 0xe, 16 + 0xf, 16 + 1, 16 + 0, 16 + 0xc},
-		},
-	},
-	{
-		keyScheduleA{
-			{0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0},
-			{1, 4, 0, 2, 1, 3, 16 + 2},
-			{2, 5, 7, 6, 5, 4, 16 + 1},
-			{3, 7, 0xa, 9, 0xb, 8, 16 + 3},
-		},
-		keyScheduleB{
-			{3, 2, 0xc, 0xd, 8},
-			{1, 0, 0xe, 0xf, 0xd},
-			{7, 6, 8, 9, 3},
-			{5, 4, 0xa, 0xb, 7},
-		},
-	},
-	{
-		keyScheduleA{
-			{4, 0, 0xd, 0xf, 0xc, 0xe, 8},
-			{5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa},
-			{6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9},
-			{7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb},
-		},
-		keyScheduleB{
-			{16 + 3, 16 + 2, 16 + 0xc, 16 + 0xd, 16 + 9},
-			{16 + 1, 16 + 0, 16 + 0xe, 16 + 0xf, 16 + 0xc},
-			{16 + 7, 16 + 6, 16 + 8, 16 + 9, 16 + 2},
-			{16 + 5, 16 + 4, 16 + 0xa, 16 + 0xb, 16 + 6},
-		},
-	},
-	{
-		keyScheduleA{
-			{0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0},
-			{1, 4, 0, 2, 1, 3, 16 + 2},
-			{2, 5, 7, 6, 5, 4, 16 + 1},
-			{3, 7, 0xa, 9, 0xb, 8, 16 + 3},
-		},
-		keyScheduleB{
-			{8, 9, 7, 6, 3},
-			{0xa, 0xb, 5, 4, 7},
-			{0xc, 0xd, 3, 2, 8},
-			{0xe, 0xf, 1, 0, 0xd},
-		},
-	},
-}
-
-func (c *Cipher) keySchedule(in []byte) {
-	var t [8]uint32
-	var k [32]uint32
-
-	for i := 0; i < 4; i++ {
-		j := i * 4
-		t[i] = uint32(in[j])<<24 | uint32(in[j+1])<<16 | uint32(in[j+2])<<8 | uint32(in[j+3])
-	}
-
-	x := []byte{6, 7, 4, 5}
-	ki := 0
-
-	for half := 0; half < 2; half++ {
-		for _, round := range schedule {
-			for j := 0; j < 4; j++ {
-				var a [7]uint8
-				copy(a[:], round.a[j][:])
-				w := t[a[1]]
-				w ^= sBox[4][(t[a[2]>>2]>>(24-8*(a[2]&3)))&0xff]
-				w ^= sBox[5][(t[a[3]>>2]>>(24-8*(a[3]&3)))&0xff]
-				w ^= sBox[6][(t[a[4]>>2]>>(24-8*(a[4]&3)))&0xff]
-				w ^= sBox[7][(t[a[5]>>2]>>(24-8*(a[5]&3)))&0xff]
-				w ^= sBox[x[j]][(t[a[6]>>2]>>(24-8*(a[6]&3)))&0xff]
-				t[a[0]] = w
-			}
-
-			for j := 0; j < 4; j++ {
-				var b [5]uint8
-				copy(b[:], round.b[j][:])
-				w := sBox[4][(t[b[0]>>2]>>(24-8*(b[0]&3)))&0xff]
-				w ^= sBox[5][(t[b[1]>>2]>>(24-8*(b[1]&3)))&0xff]
-				w ^= sBox[6][(t[b[2]>>2]>>(24-8*(b[2]&3)))&0xff]
-				w ^= sBox[7][(t[b[3]>>2]>>(24-8*(b[3]&3)))&0xff]
-				w ^= sBox[4+j][(t[b[4]>>2]>>(24-8*(b[4]&3)))&0xff]
-				k[ki] = w
-				ki++
-			}
-		}
-	}
-
-	for i := 0; i < 16; i++ {
-		c.masking[i] = k[i]
-		c.rotate[i] = uint8(k[16+i] & 0x1f)
-	}
-}
-
-// These are the three 'f' functions. See RFC 2144, section 2.2.
-func f1(d, m uint32, r uint8) uint32 {
-	t := m + d
-	I := (t << r) | (t >> (32 - r))
-	return ((sBox[0][I>>24] ^ sBox[1][(I>>16)&0xff]) - sBox[2][(I>>8)&0xff]) + sBox[3][I&0xff]
-}
-
-func f2(d, m uint32, r uint8) uint32 {
-	t := m ^ d
-	I := (t << r) | (t >> (32 - r))
-	return ((sBox[0][I>>24] - sBox[1][(I>>16)&0xff]) + sBox[2][(I>>8)&0xff]) ^ sBox[3][I&0xff]
-}
-
-func f3(d, m uint32, r uint8) uint32 {
-	t := m - d
-	I := (t << r) | (t >> (32 - r))
-	return ((sBox[0][I>>24] + sBox[1][(I>>16)&0xff]) ^ sBox[2][(I>>8)&0xff]) - sBox[3][I&0xff]
-}
-
-var sBox = [8][256]uint32{
-	{
-		0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3, 0x6003e540, 0xcf9fc949,
-		0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675, 0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e,
-		0x28683b6f, 0xc07fd059, 0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d,
-		0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b, 0x22568e3a, 0xa2d341d0,
-		0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de, 0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7,
-		0xb82cbaef, 0xd751d159, 0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935,
-		0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f, 0xb48ee411, 0x4bff345d,
-		0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165, 0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50,
-		0x882240f2, 0x0c6e4f38, 0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe,
-		0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493, 0xe63d37e0, 0x2a54f6b3,
-		0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a, 0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167,
-		0x38901091, 0xc6b505eb, 0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291,
-		0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14, 0xa0bebc3c, 0x54623779,
-		0x64459eab, 0x3f328b82, 0x7718cf82, 0x59a2cea6, 0x04ee002e, 0x89fe78e6, 0x3fab0950, 0x325ff6c2,
-		0x81383f05, 0x6963c5c8, 0x76cb5ad6, 0xd49974c9, 0xca180dcf, 0x380782d5, 0xc7fa5cf6, 0x8ac31511,
-		0x35e79e13, 0x47da91d0, 0xf40f9086, 0xa7e2419e, 0x31366241, 0x051ef495, 0xaa573b04, 0x4a805d8d,
-		0x548300d0, 0x00322a3c, 0xbf64cddf, 0xba57a68e, 0x75c6372b, 0x50afd341, 0xa7c13275, 0x915a0bf5,
-		0x6b54bfab, 0x2b0b1426, 0xab4cc9d7, 0x449ccd82, 0xf7fbf265, 0xab85c5f3, 0x1b55db94, 0xaad4e324,
-		0xcfa4bd3f, 0x2deaa3e2, 0x9e204d02, 0xc8bd25ac, 0xeadf55b3, 0xd5bd9e98, 0xe31231b2, 0x2ad5ad6c,
-		0x954329de, 0xadbe4528, 0xd8710f69, 0xaa51c90f, 0xaa786bf6, 0x22513f1e, 0xaa51a79b, 0x2ad344cc,
-		0x7b5a41f0, 0xd37cfbad, 0x1b069505, 0x41ece491, 0xb4c332e6, 0x032268d4, 0xc9600acc, 0xce387e6d,
-		0xbf6bb16c, 0x6a70fb78, 0x0d03d9c9, 0xd4df39de, 0xe01063da, 0x4736f464, 0x5ad328d8, 0xb347cc96,
-		0x75bb0fc3, 0x98511bfb, 0x4ffbcc35, 0xb58bcf6a, 0xe11f0abc, 0xbfc5fe4a, 0xa70aec10, 0xac39570a,
-		0x3f04442f, 0x6188b153, 0xe0397a2e, 0x5727cb79, 0x9ceb418f, 0x1cacd68d, 0x2ad37c96, 0x0175cb9d,
-		0xc69dff09, 0xc75b65f0, 0xd9db40d8, 0xec0e7779, 0x4744ead4, 0xb11c3274, 0xdd24cb9e, 0x7e1c54bd,
-		0xf01144f9, 0xd2240eb1, 0x9675b3fd, 0xa3ac3755, 0xd47c27af, 0x51c85f4d, 0x56907596, 0xa5bb15e6,
-		0x580304f0, 0xca042cf1, 0x011a37ea, 0x8dbfaadb, 0x35ba3e4a, 0x3526ffa0, 0xc37b4d09, 0xbc306ed9,
-		0x98a52666, 0x5648f725, 0xff5e569d, 0x0ced63d0, 0x7c63b2cf, 0x700b45e1, 0xd5ea50f1, 0x85a92872,
-		0xaf1fbda7, 0xd4234870, 0xa7870bf3, 0x2d3b4d79, 0x42e04198, 0x0cd0ede7, 0x26470db8, 0xf881814c,
-		0x474d6ad7, 0x7c0c5e5c, 0xd1231959, 0x381b7298, 0xf5d2f4db, 0xab838653, 0x6e2f1e23, 0x83719c9e,
-		0xbd91e046, 0x9a56456e, 0xdc39200c, 0x20c8c571, 0x962bda1c, 0xe1e696ff, 0xb141ab08, 0x7cca89b9,
-		0x1a69e783, 0x02cc4843, 0xa2f7c579, 0x429ef47d, 0x427b169c, 0x5ac9f049, 0xdd8f0f00, 0x5c8165bf,
-	},
-	{
-		0x1f201094, 0xef0ba75b, 0x69e3cf7e, 0x393f4380, 0xfe61cf7a, 0xeec5207a, 0x55889c94, 0x72fc0651,
-		0xada7ef79, 0x4e1d7235, 0xd55a63ce, 0xde0436ba, 0x99c430ef, 0x5f0c0794, 0x18dcdb7d, 0xa1d6eff3,
-		0xa0b52f7b, 0x59e83605, 0xee15b094, 0xe9ffd909, 0xdc440086, 0xef944459, 0xba83ccb3, 0xe0c3cdfb,
-		0xd1da4181, 0x3b092ab1, 0xf997f1c1, 0xa5e6cf7b, 0x01420ddb, 0xe4e7ef5b, 0x25a1ff41, 0xe180f806,
-		0x1fc41080, 0x179bee7a, 0xd37ac6a9, 0xfe5830a4, 0x98de8b7f, 0x77e83f4e, 0x79929269, 0x24fa9f7b,
-		0xe113c85b, 0xacc40083, 0xd7503525, 0xf7ea615f, 0x62143154, 0x0d554b63, 0x5d681121, 0xc866c359,
-		0x3d63cf73, 0xcee234c0, 0xd4d87e87, 0x5c672b21, 0x071f6181, 0x39f7627f, 0x361e3084, 0xe4eb573b,
-		0x602f64a4, 0xd63acd9c, 0x1bbc4635, 0x9e81032d, 0x2701f50c, 0x99847ab4, 0xa0e3df79, 0xba6cf38c,
-		0x10843094, 0x2537a95e, 0xf46f6ffe, 0xa1ff3b1f, 0x208cfb6a, 0x8f458c74, 0xd9e0a227, 0x4ec73a34,
-		0xfc884f69, 0x3e4de8df, 0xef0e0088, 0x3559648d, 0x8a45388c, 0x1d804366, 0x721d9bfd, 0xa58684bb,
-		0xe8256333, 0x844e8212, 0x128d8098, 0xfed33fb4, 0xce280ae1, 0x27e19ba5, 0xd5a6c252, 0xe49754bd,
-		0xc5d655dd, 0xeb667064, 0x77840b4d, 0xa1b6a801, 0x84db26a9, 0xe0b56714, 0x21f043b7, 0xe5d05860,
-		0x54f03084, 0x066ff472, 0xa31aa153, 0xdadc4755, 0xb5625dbf, 0x68561be6, 0x83ca6b94, 0x2d6ed23b,
-		0xeccf01db, 0xa6d3d0ba, 0xb6803d5c, 0xaf77a709, 0x33b4a34c, 0x397bc8d6, 0x5ee22b95, 0x5f0e5304,
-		0x81ed6f61, 0x20e74364, 0xb45e1378, 0xde18639b, 0x881ca122, 0xb96726d1, 0x8049a7e8, 0x22b7da7b,
-		0x5e552d25, 0x5272d237, 0x79d2951c, 0xc60d894c, 0x488cb402, 0x1ba4fe5b, 0xa4b09f6b, 0x1ca815cf,
-		0xa20c3005, 0x8871df63, 0xb9de2fcb, 0x0cc6c9e9, 0x0beeff53, 0xe3214517, 0xb4542835, 0x9f63293c,
-		0xee41e729, 0x6e1d2d7c, 0x50045286, 0x1e6685f3, 0xf33401c6, 0x30a22c95, 0x31a70850, 0x60930f13,
-		0x73f98417, 0xa1269859, 0xec645c44, 0x52c877a9, 0xcdff33a6, 0xa02b1741, 0x7cbad9a2, 0x2180036f,
-		0x50d99c08, 0xcb3f4861, 0xc26bd765, 0x64a3f6ab, 0x80342676, 0x25a75e7b, 0xe4e6d1fc, 0x20c710e6,
-		0xcdf0b680, 0x17844d3b, 0x31eef84d, 0x7e0824e4, 0x2ccb49eb, 0x846a3bae, 0x8ff77888, 0xee5d60f6,
-		0x7af75673, 0x2fdd5cdb, 0xa11631c1, 0x30f66f43, 0xb3faec54, 0x157fd7fa, 0xef8579cc, 0xd152de58,
-		0xdb2ffd5e, 0x8f32ce19, 0x306af97a, 0x02f03ef8, 0x99319ad5, 0xc242fa0f, 0xa7e3ebb0, 0xc68e4906,
-		0xb8da230c, 0x80823028, 0xdcdef3c8, 0xd35fb171, 0x088a1bc8, 0xbec0c560, 0x61a3c9e8, 0xbca8f54d,
-		0xc72feffa, 0x22822e99, 0x82c570b4, 0xd8d94e89, 0x8b1c34bc, 0x301e16e6, 0x273be979, 0xb0ffeaa6,
-		0x61d9b8c6, 0x00b24869, 0xb7ffce3f, 0x08dc283b, 0x43daf65a, 0xf7e19798, 0x7619b72f, 0x8f1c9ba4,
-		0xdc8637a0, 0x16a7d3b1, 0x9fc393b7, 0xa7136eeb, 0xc6bcc63e, 0x1a513742, 0xef6828bc, 0x520365d6,
-		0x2d6a77ab, 0x3527ed4b, 0x821fd216, 0x095c6e2e, 0xdb92f2fb, 0x5eea29cb, 0x145892f5, 0x91584f7f,
-		0x5483697b, 0x2667a8cc, 0x85196048, 0x8c4bacea, 0x833860d4, 0x0d23e0f9, 0x6c387e8a, 0x0ae6d249,
-		0xb284600c, 0xd835731d, 0xdcb1c647, 0xac4c56ea, 0x3ebd81b3, 0x230eabb0, 0x6438bc87, 0xf0b5b1fa,
-		0x8f5ea2b3, 0xfc184642, 0x0a036b7a, 0x4fb089bd, 0x649da589, 0xa345415e, 0x5c038323, 0x3e5d3bb9,
-		0x43d79572, 0x7e6dd07c, 0x06dfdf1e, 0x6c6cc4ef, 0x7160a539, 0x73bfbe70, 0x83877605, 0x4523ecf1,
-	},
-	{
-		0x8defc240, 0x25fa5d9f, 0xeb903dbf, 0xe810c907, 0x47607fff, 0x369fe44b, 0x8c1fc644, 0xaececa90,
-		0xbeb1f9bf, 0xeefbcaea, 0xe8cf1950, 0x51df07ae, 0x920e8806, 0xf0ad0548, 0xe13c8d83, 0x927010d5,
-		0x11107d9f, 0x07647db9, 0xb2e3e4d4, 0x3d4f285e, 0xb9afa820, 0xfade82e0, 0xa067268b, 0x8272792e,
-		0x553fb2c0, 0x489ae22b, 0xd4ef9794, 0x125e3fbc, 0x21fffcee, 0x825b1bfd, 0x9255c5ed, 0x1257a240,
-		0x4e1a8302, 0xbae07fff, 0x528246e7, 0x8e57140e, 0x3373f7bf, 0x8c9f8188, 0xa6fc4ee8, 0xc982b5a5,
-		0xa8c01db7, 0x579fc264, 0x67094f31, 0xf2bd3f5f, 0x40fff7c1, 0x1fb78dfc, 0x8e6bd2c1, 0x437be59b,
-		0x99b03dbf, 0xb5dbc64b, 0x638dc0e6, 0x55819d99, 0xa197c81c, 0x4a012d6e, 0xc5884a28, 0xccc36f71,
-		0xb843c213, 0x6c0743f1, 0x8309893c, 0x0feddd5f, 0x2f7fe850, 0xd7c07f7e, 0x02507fbf, 0x5afb9a04,
-		0xa747d2d0, 0x1651192e, 0xaf70bf3e, 0x58c31380, 0x5f98302e, 0x727cc3c4, 0x0a0fb402, 0x0f7fef82,
-		0x8c96fdad, 0x5d2c2aae, 0x8ee99a49, 0x50da88b8, 0x8427f4a0, 0x1eac5790, 0x796fb449, 0x8252dc15,
-		0xefbd7d9b, 0xa672597d, 0xada840d8, 0x45f54504, 0xfa5d7403, 0xe83ec305, 0x4f91751a, 0x925669c2,
-		0x23efe941, 0xa903f12e, 0x60270df2, 0x0276e4b6, 0x94fd6574, 0x927985b2, 0x8276dbcb, 0x02778176,
-		0xf8af918d, 0x4e48f79e, 0x8f616ddf, 0xe29d840e, 0x842f7d83, 0x340ce5c8, 0x96bbb682, 0x93b4b148,
-		0xef303cab, 0x984faf28, 0x779faf9b, 0x92dc560d, 0x224d1e20, 0x8437aa88, 0x7d29dc96, 0x2756d3dc,
-		0x8b907cee, 0xb51fd240, 0xe7c07ce3, 0xe566b4a1, 0xc3e9615e, 0x3cf8209d, 0x6094d1e3, 0xcd9ca341,
-		0x5c76460e, 0x00ea983b, 0xd4d67881, 0xfd47572c, 0xf76cedd9, 0xbda8229c, 0x127dadaa, 0x438a074e,
-		0x1f97c090, 0x081bdb8a, 0x93a07ebe, 0xb938ca15, 0x97b03cff, 0x3dc2c0f8, 0x8d1ab2ec, 0x64380e51,
-		0x68cc7bfb, 0xd90f2788, 0x12490181, 0x5de5ffd4, 0xdd7ef86a, 0x76a2e214, 0xb9a40368, 0x925d958f,
-		0x4b39fffa, 0xba39aee9, 0xa4ffd30b, 0xfaf7933b, 0x6d498623, 0x193cbcfa, 0x27627545, 0x825cf47a,
-		0x61bd8ba0, 0xd11e42d1, 0xcead04f4, 0x127ea392, 0x10428db7, 0x8272a972, 0x9270c4a8, 0x127de50b,
-		0x285ba1c8, 0x3c62f44f, 0x35c0eaa5, 0xe805d231, 0x428929fb, 0xb4fcdf82, 0x4fb66a53, 0x0e7dc15b,
-		0x1f081fab, 0x108618ae, 0xfcfd086d, 0xf9ff2889, 0x694bcc11, 0x236a5cae, 0x12deca4d, 0x2c3f8cc5,
-		0xd2d02dfe, 0xf8ef5896, 0xe4cf52da, 0x95155b67, 0x494a488c, 0xb9b6a80c, 0x5c8f82bc, 0x89d36b45,
-		0x3a609437, 0xec00c9a9, 0x44715253, 0x0a874b49, 0xd773bc40, 0x7c34671c, 0x02717ef6, 0x4feb5536,
-		0xa2d02fff, 0xd2bf60c4, 0xd43f03c0, 0x50b4ef6d, 0x07478cd1, 0x006e1888, 0xa2e53f55, 0xb9e6d4bc,
-		0xa2048016, 0x97573833, 0xd7207d67, 0xde0f8f3d, 0x72f87b33, 0xabcc4f33, 0x7688c55d, 0x7b00a6b0,
-		0x947b0001, 0x570075d2, 0xf9bb88f8, 0x8942019e, 0x4264a5ff, 0x856302e0, 0x72dbd92b, 0xee971b69,
-		0x6ea22fde, 0x5f08ae2b, 0xaf7a616d, 0xe5c98767, 0xcf1febd2, 0x61efc8c2, 0xf1ac2571, 0xcc8239c2,
-		0x67214cb8, 0xb1e583d1, 0xb7dc3e62, 0x7f10bdce, 0xf90a5c38, 0x0ff0443d, 0x606e6dc6, 0x60543a49,
-		0x5727c148, 0x2be98a1d, 0x8ab41738, 0x20e1be24, 0xaf96da0f, 0x68458425, 0x99833be5, 0x600d457d,
-		0x282f9350, 0x8334b362, 0xd91d1120, 0x2b6d8da0, 0x642b1e31, 0x9c305a00, 0x52bce688, 0x1b03588a,
-		0xf7baefd5, 0x4142ed9c, 0xa4315c11, 0x83323ec5, 0xdfef4636, 0xa133c501, 0xe9d3531c, 0xee353783,
-	},
-	{
-		0x9db30420, 0x1fb6e9de, 0xa7be7bef, 0xd273a298, 0x4a4f7bdb, 0x64ad8c57, 0x85510443, 0xfa020ed1,
-		0x7e287aff, 0xe60fb663, 0x095f35a1, 0x79ebf120, 0xfd059d43, 0x6497b7b1, 0xf3641f63, 0x241e4adf,
-		0x28147f5f, 0x4fa2b8cd, 0xc9430040, 0x0cc32220, 0xfdd30b30, 0xc0a5374f, 0x1d2d00d9, 0x24147b15,
-		0xee4d111a, 0x0fca5167, 0x71ff904c, 0x2d195ffe, 0x1a05645f, 0x0c13fefe, 0x081b08ca, 0x05170121,
-		0x80530100, 0xe83e5efe, 0xac9af4f8, 0x7fe72701, 0xd2b8ee5f, 0x06df4261, 0xbb9e9b8a, 0x7293ea25,
-		0xce84ffdf, 0xf5718801, 0x3dd64b04, 0xa26f263b, 0x7ed48400, 0x547eebe6, 0x446d4ca0, 0x6cf3d6f5,
-		0x2649abdf, 0xaea0c7f5, 0x36338cc1, 0x503f7e93, 0xd3772061, 0x11b638e1, 0x72500e03, 0xf80eb2bb,
-		0xabe0502e, 0xec8d77de, 0x57971e81, 0xe14f6746, 0xc9335400, 0x6920318f, 0x081dbb99, 0xffc304a5,
-		0x4d351805, 0x7f3d5ce3, 0xa6c866c6, 0x5d5bcca9, 0xdaec6fea, 0x9f926f91, 0x9f46222f, 0x3991467d,
-		0xa5bf6d8e, 0x1143c44f, 0x43958302, 0xd0214eeb, 0x022083b8, 0x3fb6180c, 0x18f8931e, 0x281658e6,
-		0x26486e3e, 0x8bd78a70, 0x7477e4c1, 0xb506e07c, 0xf32d0a25, 0x79098b02, 0xe4eabb81, 0x28123b23,
-		0x69dead38, 0x1574ca16, 0xdf871b62, 0x211c40b7, 0xa51a9ef9, 0x0014377b, 0x041e8ac8, 0x09114003,
-		0xbd59e4d2, 0xe3d156d5, 0x4fe876d5, 0x2f91a340, 0x557be8de, 0x00eae4a7, 0x0ce5c2ec, 0x4db4bba6,
-		0xe756bdff, 0xdd3369ac, 0xec17b035, 0x06572327, 0x99afc8b0, 0x56c8c391, 0x6b65811c, 0x5e146119,
-		0x6e85cb75, 0xbe07c002, 0xc2325577, 0x893ff4ec, 0x5bbfc92d, 0xd0ec3b25, 0xb7801ab7, 0x8d6d3b24,
-		0x20c763ef, 0xc366a5fc, 0x9c382880, 0x0ace3205, 0xaac9548a, 0xeca1d7c7, 0x041afa32, 0x1d16625a,
-		0x6701902c, 0x9b757a54, 0x31d477f7, 0x9126b031, 0x36cc6fdb, 0xc70b8b46, 0xd9e66a48, 0x56e55a79,
-		0x026a4ceb, 0x52437eff, 0x2f8f76b4, 0x0df980a5, 0x8674cde3, 0xedda04eb, 0x17a9be04, 0x2c18f4df,
-		0xb7747f9d, 0xab2af7b4, 0xefc34d20, 0x2e096b7c, 0x1741a254, 0xe5b6a035, 0x213d42f6, 0x2c1c7c26,
-		0x61c2f50f, 0x6552daf9, 0xd2c231f8, 0x25130f69, 0xd8167fa2, 0x0418f2c8, 0x001a96a6, 0x0d1526ab,
-		0x63315c21, 0x5e0a72ec, 0x49bafefd, 0x187908d9, 0x8d0dbd86, 0x311170a7, 0x3e9b640c, 0xcc3e10d7,
-		0xd5cad3b6, 0x0caec388, 0xf73001e1, 0x6c728aff, 0x71eae2a1, 0x1f9af36e, 0xcfcbd12f, 0xc1de8417,
-		0xac07be6b, 0xcb44a1d8, 0x8b9b0f56, 0x013988c3, 0xb1c52fca, 0xb4be31cd, 0xd8782806, 0x12a3a4e2,
-		0x6f7de532, 0x58fd7eb6, 0xd01ee900, 0x24adffc2, 0xf4990fc5, 0x9711aac5, 0x001d7b95, 0x82e5e7d2,
-		0x109873f6, 0x00613096, 0xc32d9521, 0xada121ff, 0x29908415, 0x7fbb977f, 0xaf9eb3db, 0x29c9ed2a,
-		0x5ce2a465, 0xa730f32c, 0xd0aa3fe8, 0x8a5cc091, 0xd49e2ce7, 0x0ce454a9, 0xd60acd86, 0x015f1919,
-		0x77079103, 0xdea03af6, 0x78a8565e, 0xdee356df, 0x21f05cbe, 0x8b75e387, 0xb3c50651, 0xb8a5c3ef,
-		0xd8eeb6d2, 0xe523be77, 0xc2154529, 0x2f69efdf, 0xafe67afb, 0xf470c4b2, 0xf3e0eb5b, 0xd6cc9876,
-		0x39e4460c, 0x1fda8538, 0x1987832f, 0xca007367, 0xa99144f8, 0x296b299e, 0x492fc295, 0x9266beab,
-		0xb5676e69, 0x9bd3ddda, 0xdf7e052f, 0xdb25701c, 0x1b5e51ee, 0xf65324e6, 0x6afce36c, 0x0316cc04,
-		0x8644213e, 0xb7dc59d0, 0x7965291f, 0xccd6fd43, 0x41823979, 0x932bcdf6, 0xb657c34d, 0x4edfd282,
-		0x7ae5290c, 0x3cb9536b, 0x851e20fe, 0x9833557e, 0x13ecf0b0, 0xd3ffb372, 0x3f85c5c1, 0x0aef7ed2,
-	},
-	{
-		0x7ec90c04, 0x2c6e74b9, 0x9b0e66df, 0xa6337911, 0xb86a7fff, 0x1dd358f5, 0x44dd9d44, 0x1731167f,
-		0x08fbf1fa, 0xe7f511cc, 0xd2051b00, 0x735aba00, 0x2ab722d8, 0x386381cb, 0xacf6243a, 0x69befd7a,
-		0xe6a2e77f, 0xf0c720cd, 0xc4494816, 0xccf5c180, 0x38851640, 0x15b0a848, 0xe68b18cb, 0x4caadeff,
-		0x5f480a01, 0x0412b2aa, 0x259814fc, 0x41d0efe2, 0x4e40b48d, 0x248eb6fb, 0x8dba1cfe, 0x41a99b02,
-		0x1a550a04, 0xba8f65cb, 0x7251f4e7, 0x95a51725, 0xc106ecd7, 0x97a5980a, 0xc539b9aa, 0x4d79fe6a,
-		0xf2f3f763, 0x68af8040, 0xed0c9e56, 0x11b4958b, 0xe1eb5a88, 0x8709e6b0, 0xd7e07156, 0x4e29fea7,
-		0x6366e52d, 0x02d1c000, 0xc4ac8e05, 0x9377f571, 0x0c05372a, 0x578535f2, 0x2261be02, 0xd642a0c9,
-		0xdf13a280, 0x74b55bd2, 0x682199c0, 0xd421e5ec, 0x53fb3ce8, 0xc8adedb3, 0x28a87fc9, 0x3d959981,
-		0x5c1ff900, 0xfe38d399, 0x0c4eff0b, 0x062407ea, 0xaa2f4fb1, 0x4fb96976, 0x90c79505, 0xb0a8a774,
-		0xef55a1ff, 0xe59ca2c2, 0xa6b62d27, 0xe66a4263, 0xdf65001f, 0x0ec50966, 0xdfdd55bc, 0x29de0655,
-		0x911e739a, 0x17af8975, 0x32c7911c, 0x89f89468, 0x0d01e980, 0x524755f4, 0x03b63cc9, 0x0cc844b2,
-		0xbcf3f0aa, 0x87ac36e9, 0xe53a7426, 0x01b3d82b, 0x1a9e7449, 0x64ee2d7e, 0xcddbb1da, 0x01c94910,
-		0xb868bf80, 0x0d26f3fd, 0x9342ede7, 0x04a5c284, 0x636737b6, 0x50f5b616, 0xf24766e3, 0x8eca36c1,
-		0x136e05db, 0xfef18391, 0xfb887a37, 0xd6e7f7d4, 0xc7fb7dc9, 0x3063fcdf, 0xb6f589de, 0xec2941da,
-		0x26e46695, 0xb7566419, 0xf654efc5, 0xd08d58b7, 0x48925401, 0xc1bacb7f, 0xe5ff550f, 0xb6083049,
-		0x5bb5d0e8, 0x87d72e5a, 0xab6a6ee1, 0x223a66ce, 0xc62bf3cd, 0x9e0885f9, 0x68cb3e47, 0x086c010f,
-		0xa21de820, 0xd18b69de, 0xf3f65777, 0xfa02c3f6, 0x407edac3, 0xcbb3d550, 0x1793084d, 0xb0d70eba,
-		0x0ab378d5, 0xd951fb0c, 0xded7da56, 0x4124bbe4, 0x94ca0b56, 0x0f5755d1, 0xe0e1e56e, 0x6184b5be,
-		0x580a249f, 0x94f74bc0, 0xe327888e, 0x9f7b5561, 0xc3dc0280, 0x05687715, 0x646c6bd7, 0x44904db3,
-		0x66b4f0a3, 0xc0f1648a, 0x697ed5af, 0x49e92ff6, 0x309e374f, 0x2cb6356a, 0x85808573, 0x4991f840,
-		0x76f0ae02, 0x083be84d, 0x28421c9a, 0x44489406, 0x736e4cb8, 0xc1092910, 0x8bc95fc6, 0x7d869cf4,
-		0x134f616f, 0x2e77118d, 0xb31b2be1, 0xaa90b472, 0x3ca5d717, 0x7d161bba, 0x9cad9010, 0xaf462ba2,
-		0x9fe459d2, 0x45d34559, 0xd9f2da13, 0xdbc65487, 0xf3e4f94e, 0x176d486f, 0x097c13ea, 0x631da5c7,
-		0x445f7382, 0x175683f4, 0xcdc66a97, 0x70be0288, 0xb3cdcf72, 0x6e5dd2f3, 0x20936079, 0x459b80a5,
-		0xbe60e2db, 0xa9c23101, 0xeba5315c, 0x224e42f2, 0x1c5c1572, 0xf6721b2c, 0x1ad2fff3, 0x8c25404e,
-		0x324ed72f, 0x4067b7fd, 0x0523138e, 0x5ca3bc78, 0xdc0fd66e, 0x75922283, 0x784d6b17, 0x58ebb16e,
-		0x44094f85, 0x3f481d87, 0xfcfeae7b, 0x77b5ff76, 0x8c2302bf, 0xaaf47556, 0x5f46b02a, 0x2b092801,
-		0x3d38f5f7, 0x0ca81f36, 0x52af4a8a, 0x66d5e7c0, 0xdf3b0874, 0x95055110, 0x1b5ad7a8, 0xf61ed5ad,
-		0x6cf6e479, 0x20758184, 0xd0cefa65, 0x88f7be58, 0x4a046826, 0x0ff6f8f3, 0xa09c7f70, 0x5346aba0,
-		0x5ce96c28, 0xe176eda3, 0x6bac307f, 0x376829d2, 0x85360fa9, 0x17e3fe2a, 0x24b79767, 0xf5a96b20,
-		0xd6cd2595, 0x68ff1ebf, 0x7555442c, 0xf19f06be, 0xf9e0659a, 0xeeb9491d, 0x34010718, 0xbb30cab8,
-		0xe822fe15, 0x88570983, 0x750e6249, 0xda627e55, 0x5e76ffa8, 0xb1534546, 0x6d47de08, 0xefe9e7d4,
-	},
-	{
-		0xf6fa8f9d, 0x2cac6ce1, 0x4ca34867, 0xe2337f7c, 0x95db08e7, 0x016843b4, 0xeced5cbc, 0x325553ac,
-		0xbf9f0960, 0xdfa1e2ed, 0x83f0579d, 0x63ed86b9, 0x1ab6a6b8, 0xde5ebe39, 0xf38ff732, 0x8989b138,
-		0x33f14961, 0xc01937bd, 0xf506c6da, 0xe4625e7e, 0xa308ea99, 0x4e23e33c, 0x79cbd7cc, 0x48a14367,
-		0xa3149619, 0xfec94bd5, 0xa114174a, 0xeaa01866, 0xa084db2d, 0x09a8486f, 0xa888614a, 0x2900af98,
-		0x01665991, 0xe1992863, 0xc8f30c60, 0x2e78ef3c, 0xd0d51932, 0xcf0fec14, 0xf7ca07d2, 0xd0a82072,
-		0xfd41197e, 0x9305a6b0, 0xe86be3da, 0x74bed3cd, 0x372da53c, 0x4c7f4448, 0xdab5d440, 0x6dba0ec3,
-		0x083919a7, 0x9fbaeed9, 0x49dbcfb0, 0x4e670c53, 0x5c3d9c01, 0x64bdb941, 0x2c0e636a, 0xba7dd9cd,
-		0xea6f7388, 0xe70bc762, 0x35f29adb, 0x5c4cdd8d, 0xf0d48d8c, 0xb88153e2, 0x08a19866, 0x1ae2eac8,
-		0x284caf89, 0xaa928223, 0x9334be53, 0x3b3a21bf, 0x16434be3, 0x9aea3906, 0xefe8c36e, 0xf890cdd9,
-		0x80226dae, 0xc340a4a3, 0xdf7e9c09, 0xa694a807, 0x5b7c5ecc, 0x221db3a6, 0x9a69a02f, 0x68818a54,
-		0xceb2296f, 0x53c0843a, 0xfe893655, 0x25bfe68a, 0xb4628abc, 0xcf222ebf, 0x25ac6f48, 0xa9a99387,
-		0x53bddb65, 0xe76ffbe7, 0xe967fd78, 0x0ba93563, 0x8e342bc1, 0xe8a11be9, 0x4980740d, 0xc8087dfc,
-		0x8de4bf99, 0xa11101a0, 0x7fd37975, 0xda5a26c0, 0xe81f994f, 0x9528cd89, 0xfd339fed, 0xb87834bf,
-		0x5f04456d, 0x22258698, 0xc9c4c83b, 0x2dc156be, 0x4f628daa, 0x57f55ec5, 0xe2220abe, 0xd2916ebf,
-		0x4ec75b95, 0x24f2c3c0, 0x42d15d99, 0xcd0d7fa0, 0x7b6e27ff, 0xa8dc8af0, 0x7345c106, 0xf41e232f,
-		0x35162386, 0xe6ea8926, 0x3333b094, 0x157ec6f2, 0x372b74af, 0x692573e4, 0xe9a9d848, 0xf3160289,
-		0x3a62ef1d, 0xa787e238, 0xf3a5f676, 0x74364853, 0x20951063, 0x4576698d, 0xb6fad407, 0x592af950,
-		0x36f73523, 0x4cfb6e87, 0x7da4cec0, 0x6c152daa, 0xcb0396a8, 0xc50dfe5d, 0xfcd707ab, 0x0921c42f,
-		0x89dff0bb, 0x5fe2be78, 0x448f4f33, 0x754613c9, 0x2b05d08d, 0x48b9d585, 0xdc049441, 0xc8098f9b,
-		0x7dede786, 0xc39a3373, 0x42410005, 0x6a091751, 0x0ef3c8a6, 0x890072d6, 0x28207682, 0xa9a9f7be,
-		0xbf32679d, 0xd45b5b75, 0xb353fd00, 0xcbb0e358, 0x830f220a, 0x1f8fb214, 0xd372cf08, 0xcc3c4a13,
-		0x8cf63166, 0x061c87be, 0x88c98f88, 0x6062e397, 0x47cf8e7a, 0xb6c85283, 0x3cc2acfb, 0x3fc06976,
-		0x4e8f0252, 0x64d8314d, 0xda3870e3, 0x1e665459, 0xc10908f0, 0x513021a5, 0x6c5b68b7, 0x822f8aa0,
-		0x3007cd3e, 0x74719eef, 0xdc872681, 0x073340d4, 0x7e432fd9, 0x0c5ec241, 0x8809286c, 0xf592d891,
-		0x08a930f6, 0x957ef305, 0xb7fbffbd, 0xc266e96f, 0x6fe4ac98, 0xb173ecc0, 0xbc60b42a, 0x953498da,
-		0xfba1ae12, 0x2d4bd736, 0x0f25faab, 0xa4f3fceb, 0xe2969123, 0x257f0c3d, 0x9348af49, 0x361400bc,
-		0xe8816f4a, 0x3814f200, 0xa3f94043, 0x9c7a54c2, 0xbc704f57, 0xda41e7f9, 0xc25ad33a, 0x54f4a084,
-		0xb17f5505, 0x59357cbe, 0xedbd15c8, 0x7f97c5ab, 0xba5ac7b5, 0xb6f6deaf, 0x3a479c3a, 0x5302da25,
-		0x653d7e6a, 0x54268d49, 0x51a477ea, 0x5017d55b, 0xd7d25d88, 0x44136c76, 0x0404a8c8, 0xb8e5a121,
-		0xb81a928a, 0x60ed5869, 0x97c55b96, 0xeaec991b, 0x29935913, 0x01fdb7f1, 0x088e8dfa, 0x9ab6f6f5,
-		0x3b4cbf9f, 0x4a5de3ab, 0xe6051d35, 0xa0e1d855, 0xd36b4cf1, 0xf544edeb, 0xb0e93524, 0xbebb8fbd,
-		0xa2d762cf, 0x49c92f54, 0x38b5f331, 0x7128a454, 0x48392905, 0xa65b1db8, 0x851c97bd, 0xd675cf2f,
-	},
-	{
-		0x85e04019, 0x332bf567, 0x662dbfff, 0xcfc65693, 0x2a8d7f6f, 0xab9bc912, 0xde6008a1, 0x2028da1f,
-		0x0227bce7, 0x4d642916, 0x18fac300, 0x50f18b82, 0x2cb2cb11, 0xb232e75c, 0x4b3695f2, 0xb28707de,
-		0xa05fbcf6, 0xcd4181e9, 0xe150210c, 0xe24ef1bd, 0xb168c381, 0xfde4e789, 0x5c79b0d8, 0x1e8bfd43,
-		0x4d495001, 0x38be4341, 0x913cee1d, 0x92a79c3f, 0x089766be, 0xbaeeadf4, 0x1286becf, 0xb6eacb19,
-		0x2660c200, 0x7565bde4, 0x64241f7a, 0x8248dca9, 0xc3b3ad66, 0x28136086, 0x0bd8dfa8, 0x356d1cf2,
-		0x107789be, 0xb3b2e9ce, 0x0502aa8f, 0x0bc0351e, 0x166bf52a, 0xeb12ff82, 0xe3486911, 0xd34d7516,
-		0x4e7b3aff, 0x5f43671b, 0x9cf6e037, 0x4981ac83, 0x334266ce, 0x8c9341b7, 0xd0d854c0, 0xcb3a6c88,
-		0x47bc2829, 0x4725ba37, 0xa66ad22b, 0x7ad61f1e, 0x0c5cbafa, 0x4437f107, 0xb6e79962, 0x42d2d816,
-		0x0a961288, 0xe1a5c06e, 0x13749e67, 0x72fc081a, 0xb1d139f7, 0xf9583745, 0xcf19df58, 0xbec3f756,
-		0xc06eba30, 0x07211b24, 0x45c28829, 0xc95e317f, 0xbc8ec511, 0x38bc46e9, 0xc6e6fa14, 0xbae8584a,
-		0xad4ebc46, 0x468f508b, 0x7829435f, 0xf124183b, 0x821dba9f, 0xaff60ff4, 0xea2c4e6d, 0x16e39264,
-		0x92544a8b, 0x009b4fc3, 0xaba68ced, 0x9ac96f78, 0x06a5b79a, 0xb2856e6e, 0x1aec3ca9, 0xbe838688,
-		0x0e0804e9, 0x55f1be56, 0xe7e5363b, 0xb3a1f25d, 0xf7debb85, 0x61fe033c, 0x16746233, 0x3c034c28,
-		0xda6d0c74, 0x79aac56c, 0x3ce4e1ad, 0x51f0c802, 0x98f8f35a, 0x1626a49f, 0xeed82b29, 0x1d382fe3,
-		0x0c4fb99a, 0xbb325778, 0x3ec6d97b, 0x6e77a6a9, 0xcb658b5c, 0xd45230c7, 0x2bd1408b, 0x60c03eb7,
-		0xb9068d78, 0xa33754f4, 0xf430c87d, 0xc8a71302, 0xb96d8c32, 0xebd4e7be, 0xbe8b9d2d, 0x7979fb06,
-		0xe7225308, 0x8b75cf77, 0x11ef8da4, 0xe083c858, 0x8d6b786f, 0x5a6317a6, 0xfa5cf7a0, 0x5dda0033,
-		0xf28ebfb0, 0xf5b9c310, 0xa0eac280, 0x08b9767a, 0xa3d9d2b0, 0x79d34217, 0x021a718d, 0x9ac6336a,
-		0x2711fd60, 0x438050e3, 0x069908a8, 0x3d7fedc4, 0x826d2bef, 0x4eeb8476, 0x488dcf25, 0x36c9d566,
-		0x28e74e41, 0xc2610aca, 0x3d49a9cf, 0xbae3b9df, 0xb65f8de6, 0x92aeaf64, 0x3ac7d5e6, 0x9ea80509,
-		0xf22b017d, 0xa4173f70, 0xdd1e16c3, 0x15e0d7f9, 0x50b1b887, 0x2b9f4fd5, 0x625aba82, 0x6a017962,
-		0x2ec01b9c, 0x15488aa9, 0xd716e740, 0x40055a2c, 0x93d29a22, 0xe32dbf9a, 0x058745b9, 0x3453dc1e,
-		0xd699296e, 0x496cff6f, 0x1c9f4986, 0xdfe2ed07, 0xb87242d1, 0x19de7eae, 0x053e561a, 0x15ad6f8c,
-		0x66626c1c, 0x7154c24c, 0xea082b2a, 0x93eb2939, 0x17dcb0f0, 0x58d4f2ae, 0x9ea294fb, 0x52cf564c,
-		0x9883fe66, 0x2ec40581, 0x763953c3, 0x01d6692e, 0xd3a0c108, 0xa1e7160e, 0xe4f2dfa6, 0x693ed285,
-		0x74904698, 0x4c2b0edd, 0x4f757656, 0x5d393378, 0xa132234f, 0x3d321c5d, 0xc3f5e194, 0x4b269301,
-		0xc79f022f, 0x3c997e7e, 0x5e4f9504, 0x3ffafbbd, 0x76f7ad0e, 0x296693f4, 0x3d1fce6f, 0xc61e45be,
-		0xd3b5ab34, 0xf72bf9b7, 0x1b0434c0, 0x4e72b567, 0x5592a33d, 0xb5229301, 0xcfd2a87f, 0x60aeb767,
-		0x1814386b, 0x30bcc33d, 0x38a0c07d, 0xfd1606f2, 0xc363519b, 0x589dd390, 0x5479f8e6, 0x1cb8d647,
-		0x97fd61a9, 0xea7759f4, 0x2d57539d, 0x569a58cf, 0xe84e63ad, 0x462e1b78, 0x6580f87e, 0xf3817914,
-		0x91da55f4, 0x40a230f3, 0xd1988f35, 0xb6e318d2, 0x3ffa50bc, 0x3d40f021, 0xc3c0bdae, 0x4958c24c,
-		0x518f36b2, 0x84b1d370, 0x0fedce83, 0x878ddada, 0xf2a279c7, 0x94e01be8, 0x90716f4b, 0x954b8aa3,
-	},
-	{
-		0xe216300d, 0xbbddfffc, 0xa7ebdabd, 0x35648095, 0x7789f8b7, 0xe6c1121b, 0x0e241600, 0x052ce8b5,
-		0x11a9cfb0, 0xe5952f11, 0xece7990a, 0x9386d174, 0x2a42931c, 0x76e38111, 0xb12def3a, 0x37ddddfc,
-		0xde9adeb1, 0x0a0cc32c, 0xbe197029, 0x84a00940, 0xbb243a0f, 0xb4d137cf, 0xb44e79f0, 0x049eedfd,
-		0x0b15a15d, 0x480d3168, 0x8bbbde5a, 0x669ded42, 0xc7ece831, 0x3f8f95e7, 0x72df191b, 0x7580330d,
-		0x94074251, 0x5c7dcdfa, 0xabbe6d63, 0xaa402164, 0xb301d40a, 0x02e7d1ca, 0x53571dae, 0x7a3182a2,
-		0x12a8ddec, 0xfdaa335d, 0x176f43e8, 0x71fb46d4, 0x38129022, 0xce949ad4, 0xb84769ad, 0x965bd862,
-		0x82f3d055, 0x66fb9767, 0x15b80b4e, 0x1d5b47a0, 0x4cfde06f, 0xc28ec4b8, 0x57e8726e, 0x647a78fc,
-		0x99865d44, 0x608bd593, 0x6c200e03, 0x39dc5ff6, 0x5d0b00a3, 0xae63aff2, 0x7e8bd632, 0x70108c0c,
-		0xbbd35049, 0x2998df04, 0x980cf42a, 0x9b6df491, 0x9e7edd53, 0x06918548, 0x58cb7e07, 0x3b74ef2e,
-		0x522fffb1, 0xd24708cc, 0x1c7e27cd, 0xa4eb215b, 0x3cf1d2e2, 0x19b47a38, 0x424f7618, 0x35856039,
-		0x9d17dee7, 0x27eb35e6, 0xc9aff67b, 0x36baf5b8, 0x09c467cd, 0xc18910b1, 0xe11dbf7b, 0x06cd1af8,
-		0x7170c608, 0x2d5e3354, 0xd4de495a, 0x64c6d006, 0xbcc0c62c, 0x3dd00db3, 0x708f8f34, 0x77d51b42,
-		0x264f620f, 0x24b8d2bf, 0x15c1b79e, 0x46a52564, 0xf8d7e54e, 0x3e378160, 0x7895cda5, 0x859c15a5,
-		0xe6459788, 0xc37bc75f, 0xdb07ba0c, 0x0676a3ab, 0x7f229b1e, 0x31842e7b, 0x24259fd7, 0xf8bef472,
-		0x835ffcb8, 0x6df4c1f2, 0x96f5b195, 0xfd0af0fc, 0xb0fe134c, 0xe2506d3d, 0x4f9b12ea, 0xf215f225,
-		0xa223736f, 0x9fb4c428, 0x25d04979, 0x34c713f8, 0xc4618187, 0xea7a6e98, 0x7cd16efc, 0x1436876c,
-		0xf1544107, 0xbedeee14, 0x56e9af27, 0xa04aa441, 0x3cf7c899, 0x92ecbae6, 0xdd67016d, 0x151682eb,
-		0xa842eedf, 0xfdba60b4, 0xf1907b75, 0x20e3030f, 0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054,
-		0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504, 0xf1e47d8d, 0x844a1be5, 0xbae7dfdc, 0x42cbda70,
-		0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c, 0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc,
-		0x77853b53, 0x37effcb5, 0xc5068778, 0xe580b3e6, 0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c,
-		0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd, 0xdd06caa2, 0x37df932b, 0xc4248289, 0xacf3ebc3,
-		0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4, 0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4,
-		0xe87b40e4, 0xe98ea084, 0x5889e9e1, 0xefd390fc, 0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101,
-		0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba, 0x646f1282, 0x7523d24a, 0xe0779695, 0xf9c17a8f,
-		0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf, 0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e,
-		0x11403092, 0x00da6d77, 0x4a0cdd61, 0xad1f4603, 0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a,
-		0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37, 0x2de705ca, 0x8951570f, 0xdf09822b, 0xbd691a6c,
-		0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819, 0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384,
-		0x5938fa0f, 0x42399ef3, 0x36997b07, 0x0e84093d, 0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c,
-		0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347, 0x589e8d82, 0x0d2059d1, 0xa466bb1e, 0xf8da0a82,
-		0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d, 0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e,
-	},
-}
diff --git a/vendor/golang.org/x/crypto/cast5/cast5_test.go b/vendor/golang.org/x/crypto/cast5/cast5_test.go
deleted file mode 100644
index 778b272a..00000000
--- a/vendor/golang.org/x/crypto/cast5/cast5_test.go
+++ /dev/null
@@ -1,106 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cast5
-
-import (
-	"bytes"
-	"encoding/hex"
-	"testing"
-)
-
-// This test vector is taken from RFC 2144, App B.1.
-// Since the other two test vectors are for reduced-round variants, we can't
-// use them.
-var basicTests = []struct {
-	key, plainText, cipherText string
-}{
-	{
-		"0123456712345678234567893456789a",
-		"0123456789abcdef",
-		"238b4fe5847e44b2",
-	},
-}
-
-func TestBasic(t *testing.T) {
-	for i, test := range basicTests {
-		key, _ := hex.DecodeString(test.key)
-		plainText, _ := hex.DecodeString(test.plainText)
-		expected, _ := hex.DecodeString(test.cipherText)
-
-		c, err := NewCipher(key)
-		if err != nil {
-			t.Errorf("#%d: failed to create Cipher: %s", i, err)
-			continue
-		}
-		var cipherText [BlockSize]byte
-		c.Encrypt(cipherText[:], plainText)
-		if !bytes.Equal(cipherText[:], expected) {
-			t.Errorf("#%d: got:%x want:%x", i, cipherText, expected)
-		}
-
-		var plainTextAgain [BlockSize]byte
-		c.Decrypt(plainTextAgain[:], cipherText[:])
-		if !bytes.Equal(plainTextAgain[:], plainText) {
-			t.Errorf("#%d: got:%x want:%x", i, plainTextAgain, plainText)
-		}
-	}
-}
-
-// TestFull performs the test specified in RFC 2144, App B.2.
-// However, due to the length of time taken, it's disabled here and a more
-// limited version is included, below.
-func TestFull(t *testing.T) {
-	if testing.Short() {
-		// This is too slow for normal testing
-		return
-	}
-
-	a, b := iterate(1000000)
-
-	const expectedA = "eea9d0a249fd3ba6b3436fb89d6dca92"
-	const expectedB = "b2c95eb00c31ad7180ac05b8e83d696e"
-
-	if hex.EncodeToString(a) != expectedA {
-		t.Errorf("a: got:%x want:%s", a, expectedA)
-	}
-	if hex.EncodeToString(b) != expectedB {
-		t.Errorf("b: got:%x want:%s", b, expectedB)
-	}
-}
-
-func iterate(iterations int) ([]byte, []byte) {
-	const initValueHex = "0123456712345678234567893456789a"
-
-	initValue, _ := hex.DecodeString(initValueHex)
-
-	var a, b [16]byte
-	copy(a[:], initValue)
-	copy(b[:], initValue)
-
-	for i := 0; i < iterations; i++ {
-		c, _ := NewCipher(b[:])
-		c.Encrypt(a[:8], a[:8])
-		c.Encrypt(a[8:], a[8:])
-		c, _ = NewCipher(a[:])
-		c.Encrypt(b[:8], b[:8])
-		c.Encrypt(b[8:], b[8:])
-	}
-
-	return a[:], b[:]
-}
-
-func TestLimited(t *testing.T) {
-	a, b := iterate(1000)
-
-	const expectedA = "23f73b14b02a2ad7dfb9f2c35644798d"
-	const expectedB = "e5bf37eff14c456a40b21ce369370a9f"
-
-	if hex.EncodeToString(a) != expectedA {
-		t.Errorf("a: got:%x want:%s", a, expectedA)
-	}
-	if hex.EncodeToString(b) != expectedB {
-		t.Errorf("b: got:%x want:%s", b, expectedB)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305.go
deleted file mode 100644
index 3f0dcb9d..00000000
--- a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305.go
+++ /dev/null
@@ -1,83 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package chacha20poly1305 implements the ChaCha20-Poly1305 AEAD as specified in RFC 7539.
-package chacha20poly1305 // import "golang.org/x/crypto/chacha20poly1305"
-
-import (
-	"crypto/cipher"
-	"errors"
-)
-
-const (
-	// KeySize is the size of the key used by this AEAD, in bytes.
-	KeySize = 32
-	// NonceSize is the size of the nonce used with this AEAD, in bytes.
-	NonceSize = 12
-)
-
-type chacha20poly1305 struct {
-	key [32]byte
-}
-
-// New returns a ChaCha20-Poly1305 AEAD that uses the given, 256-bit key.
-func New(key []byte) (cipher.AEAD, error) {
-	if len(key) != KeySize {
-		return nil, errors.New("chacha20poly1305: bad key length")
-	}
-	ret := new(chacha20poly1305)
-	copy(ret.key[:], key)
-	return ret, nil
-}
-
-func (c *chacha20poly1305) NonceSize() int {
-	return NonceSize
-}
-
-func (c *chacha20poly1305) Overhead() int {
-	return 16
-}
-
-func (c *chacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
-	if len(nonce) != NonceSize {
-		panic("chacha20poly1305: bad nonce length passed to Seal")
-	}
-
-	if uint64(len(plaintext)) > (1<<38)-64 {
-		panic("chacha20poly1305: plaintext too large")
-	}
-
-	return c.seal(dst, nonce, plaintext, additionalData)
-}
-
-var errOpen = errors.New("chacha20poly1305: message authentication failed")
-
-func (c *chacha20poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
-	if len(nonce) != NonceSize {
-		panic("chacha20poly1305: bad nonce length passed to Open")
-	}
-	if len(ciphertext) < 16 {
-		return nil, errOpen
-	}
-	if uint64(len(ciphertext)) > (1<<38)-48 {
-		panic("chacha20poly1305: ciphertext too large")
-	}
-
-	return c.open(dst, nonce, ciphertext, additionalData)
-}
-
-// sliceForAppend takes a slice and a requested number of bytes. It returns a
-// slice with the contents of the given slice followed by that many bytes and a
-// second slice that aliases into it and contains only the extra bytes. If the
-// original slice has sufficient capacity then no allocation is performed.
-func sliceForAppend(in []byte, n int) (head, tail []byte) {
-	if total := len(in) + n; cap(in) >= total {
-		head = in[:total]
-	} else {
-		head = make([]byte, total)
-		copy(head, in)
-	}
-	tail = head[len(in):]
-	return
-}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go
deleted file mode 100644
index 7cd7ad83..00000000
--- a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go
+++ /dev/null
@@ -1,127 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.7,amd64,!gccgo,!appengine
-
-package chacha20poly1305
-
-import "encoding/binary"
-
-//go:noescape
-func chacha20Poly1305Open(dst []byte, key []uint32, src, ad []byte) bool
-
-//go:noescape
-func chacha20Poly1305Seal(dst []byte, key []uint32, src, ad []byte)
-
-// cpuid is implemented in chacha20poly1305_amd64.s.
-func cpuid(eaxArg, ecxArg uint32) (eax, ebx, ecx, edx uint32)
-
-// xgetbv with ecx = 0 is implemented in chacha20poly1305_amd64.s.
-func xgetbv() (eax, edx uint32)
-
-var (
-	useASM  bool
-	useAVX2 bool
-)
-
-func init() {
-	detectCPUFeatures()
-}
-
-// detectCPUFeatures is used to detect if cpu instructions
-// used by the functions implemented in assembler in
-// chacha20poly1305_amd64.s are supported.
-func detectCPUFeatures() {
-	maxID, _, _, _ := cpuid(0, 0)
-	if maxID < 1 {
-		return
-	}
-
-	_, _, ecx1, _ := cpuid(1, 0)
-
-	haveSSSE3 := isSet(9, ecx1)
-	useASM = haveSSSE3
-
-	haveOSXSAVE := isSet(27, ecx1)
-
-	osSupportsAVX := false
-	// For XGETBV, OSXSAVE bit is required and sufficient.
-	if haveOSXSAVE {
-		eax, _ := xgetbv()
-		// Check if XMM and YMM registers have OS support.
-		osSupportsAVX = isSet(1, eax) && isSet(2, eax)
-	}
-	haveAVX := isSet(28, ecx1) && osSupportsAVX
-
-	if maxID < 7 {
-		return
-	}
-
-	_, ebx7, _, _ := cpuid(7, 0)
-	haveAVX2 := isSet(5, ebx7) && haveAVX
-	haveBMI2 := isSet(8, ebx7)
-
-	useAVX2 = haveAVX2 && haveBMI2
-}
-
-// isSet checks if bit at bitpos is set in value.
-func isSet(bitpos uint, value uint32) bool {
-	return value&(1<<bitpos) != 0
-}
-
-// setupState writes a ChaCha20 input matrix to state. See
-// https://tools.ietf.org/html/rfc7539#section-2.3.
-func setupState(state *[16]uint32, key *[32]byte, nonce []byte) {
-	state[0] = 0x61707865
-	state[1] = 0x3320646e
-	state[2] = 0x79622d32
-	state[3] = 0x6b206574
-
-	state[4] = binary.LittleEndian.Uint32(key[:4])
-	state[5] = binary.LittleEndian.Uint32(key[4:8])
-	state[6] = binary.LittleEndian.Uint32(key[8:12])
-	state[7] = binary.LittleEndian.Uint32(key[12:16])
-	state[8] = binary.LittleEndian.Uint32(key[16:20])
-	state[9] = binary.LittleEndian.Uint32(key[20:24])
-	state[10] = binary.LittleEndian.Uint32(key[24:28])
-	state[11] = binary.LittleEndian.Uint32(key[28:32])
-
-	state[12] = 0
-	state[13] = binary.LittleEndian.Uint32(nonce[:4])
-	state[14] = binary.LittleEndian.Uint32(nonce[4:8])
-	state[15] = binary.LittleEndian.Uint32(nonce[8:12])
-}
-
-func (c *chacha20poly1305) seal(dst, nonce, plaintext, additionalData []byte) []byte {
-	if !useASM {
-		return c.sealGeneric(dst, nonce, plaintext, additionalData)
-	}
-
-	var state [16]uint32
-	setupState(&state, &c.key, nonce)
-
-	ret, out := sliceForAppend(dst, len(plaintext)+16)
-	chacha20Poly1305Seal(out[:], state[:], plaintext, additionalData)
-	return ret
-}
-
-func (c *chacha20poly1305) open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
-	if !useASM {
-		return c.openGeneric(dst, nonce, ciphertext, additionalData)
-	}
-
-	var state [16]uint32
-	setupState(&state, &c.key, nonce)
-
-	ciphertext = ciphertext[:len(ciphertext)-16]
-	ret, out := sliceForAppend(dst, len(ciphertext))
-	if !chacha20Poly1305Open(out, state[:], ciphertext, additionalData) {
-		for i := range out {
-			out[i] = 0
-		}
-		return nil, errOpen
-	}
-
-	return ret, nil
-}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s
deleted file mode 100644
index 1c57e389..00000000
--- a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s
+++ /dev/null
@@ -1,2714 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This file was originally from https://golang.org/cl/24717 by Vlad Krasnov of CloudFlare.
-
-// +build go1.7,amd64,!gccgo,!appengine
-
-#include "textflag.h"
-// General register allocation
-#define oup DI
-#define inp SI
-#define inl BX
-#define adp CX // free to reuse, after we hash the additional data
-#define keyp R8 // free to reuse, when we copy the key to stack
-#define itr2 R9 // general iterator
-#define itr1 CX // general iterator
-#define acc0 R10
-#define acc1 R11
-#define acc2 R12
-#define t0 R13
-#define t1 R14
-#define t2 R15
-#define t3 R8
-// Register and stack allocation for the SSE code
-#define rStore (0*16)(BP)
-#define sStore (1*16)(BP)
-#define state1Store (2*16)(BP)
-#define state2Store (3*16)(BP)
-#define tmpStore (4*16)(BP)
-#define ctr0Store (5*16)(BP)
-#define ctr1Store (6*16)(BP)
-#define ctr2Store (7*16)(BP)
-#define ctr3Store (8*16)(BP)
-#define A0 X0
-#define A1 X1
-#define A2 X2
-#define B0 X3
-#define B1 X4
-#define B2 X5
-#define C0 X6
-#define C1 X7
-#define C2 X8
-#define D0 X9
-#define D1 X10
-#define D2 X11
-#define T0 X12
-#define T1 X13
-#define T2 X14
-#define T3 X15
-#define A3 T0
-#define B3 T1
-#define C3 T2
-#define D3 T3
-// Register and stack allocation for the AVX2 code
-#define rsStoreAVX2 (0*32)(BP)
-#define state1StoreAVX2 (1*32)(BP)
-#define state2StoreAVX2 (2*32)(BP)
-#define ctr0StoreAVX2 (3*32)(BP)
-#define ctr1StoreAVX2 (4*32)(BP)
-#define ctr2StoreAVX2 (5*32)(BP)
-#define ctr3StoreAVX2 (6*32)(BP)
-#define tmpStoreAVX2 (7*32)(BP) // 256 bytes on stack
-#define AA0 Y0
-#define AA1 Y5
-#define AA2 Y6
-#define AA3 Y7
-#define BB0 Y14
-#define BB1 Y9
-#define BB2 Y10
-#define BB3 Y11
-#define CC0 Y12
-#define CC1 Y13
-#define CC2 Y8
-#define CC3 Y15
-#define DD0 Y4
-#define DD1 Y1
-#define DD2 Y2
-#define DD3 Y3
-#define TT0 DD3
-#define TT1 AA3
-#define TT2 BB3
-#define TT3 CC3
-// ChaCha20 constants
-DATA ·chacha20Constants<>+0x00(SB)/4, $0x61707865
-DATA ·chacha20Constants<>+0x04(SB)/4, $0x3320646e
-DATA ·chacha20Constants<>+0x08(SB)/4, $0x79622d32
-DATA ·chacha20Constants<>+0x0c(SB)/4, $0x6b206574
-DATA ·chacha20Constants<>+0x10(SB)/4, $0x61707865
-DATA ·chacha20Constants<>+0x14(SB)/4, $0x3320646e
-DATA ·chacha20Constants<>+0x18(SB)/4, $0x79622d32
-DATA ·chacha20Constants<>+0x1c(SB)/4, $0x6b206574
-// <<< 16 with PSHUFB
-DATA ·rol16<>+0x00(SB)/8, $0x0504070601000302
-DATA ·rol16<>+0x08(SB)/8, $0x0D0C0F0E09080B0A
-DATA ·rol16<>+0x10(SB)/8, $0x0504070601000302
-DATA ·rol16<>+0x18(SB)/8, $0x0D0C0F0E09080B0A
-// <<< 8 with PSHUFB
-DATA ·rol8<>+0x00(SB)/8, $0x0605040702010003
-DATA ·rol8<>+0x08(SB)/8, $0x0E0D0C0F0A09080B
-DATA ·rol8<>+0x10(SB)/8, $0x0605040702010003
-DATA ·rol8<>+0x18(SB)/8, $0x0E0D0C0F0A09080B
-
-DATA ·avx2InitMask<>+0x00(SB)/8, $0x0
-DATA ·avx2InitMask<>+0x08(SB)/8, $0x0
-DATA ·avx2InitMask<>+0x10(SB)/8, $0x1
-DATA ·avx2InitMask<>+0x18(SB)/8, $0x0
-
-DATA ·avx2IncMask<>+0x00(SB)/8, $0x2
-DATA ·avx2IncMask<>+0x08(SB)/8, $0x0
-DATA ·avx2IncMask<>+0x10(SB)/8, $0x2
-DATA ·avx2IncMask<>+0x18(SB)/8, $0x0
-// Poly1305 key clamp
-DATA ·polyClampMask<>+0x00(SB)/8, $0x0FFFFFFC0FFFFFFF
-DATA ·polyClampMask<>+0x08(SB)/8, $0x0FFFFFFC0FFFFFFC
-DATA ·polyClampMask<>+0x10(SB)/8, $0xFFFFFFFFFFFFFFFF
-DATA ·polyClampMask<>+0x18(SB)/8, $0xFFFFFFFFFFFFFFFF
-
-DATA ·sseIncMask<>+0x00(SB)/8, $0x1
-DATA ·sseIncMask<>+0x08(SB)/8, $0x0
-// To load/store the last < 16 bytes in a buffer
-DATA ·andMask<>+0x00(SB)/8, $0x00000000000000ff
-DATA ·andMask<>+0x08(SB)/8, $0x0000000000000000
-DATA ·andMask<>+0x10(SB)/8, $0x000000000000ffff
-DATA ·andMask<>+0x18(SB)/8, $0x0000000000000000
-DATA ·andMask<>+0x20(SB)/8, $0x0000000000ffffff
-DATA ·andMask<>+0x28(SB)/8, $0x0000000000000000
-DATA ·andMask<>+0x30(SB)/8, $0x00000000ffffffff
-DATA ·andMask<>+0x38(SB)/8, $0x0000000000000000
-DATA ·andMask<>+0x40(SB)/8, $0x000000ffffffffff
-DATA ·andMask<>+0x48(SB)/8, $0x0000000000000000
-DATA ·andMask<>+0x50(SB)/8, $0x0000ffffffffffff
-DATA ·andMask<>+0x58(SB)/8, $0x0000000000000000
-DATA ·andMask<>+0x60(SB)/8, $0x00ffffffffffffff
-DATA ·andMask<>+0x68(SB)/8, $0x0000000000000000
-DATA ·andMask<>+0x70(SB)/8, $0xffffffffffffffff
-DATA ·andMask<>+0x78(SB)/8, $0x0000000000000000
-DATA ·andMask<>+0x80(SB)/8, $0xffffffffffffffff
-DATA ·andMask<>+0x88(SB)/8, $0x00000000000000ff
-DATA ·andMask<>+0x90(SB)/8, $0xffffffffffffffff
-DATA ·andMask<>+0x98(SB)/8, $0x000000000000ffff
-DATA ·andMask<>+0xa0(SB)/8, $0xffffffffffffffff
-DATA ·andMask<>+0xa8(SB)/8, $0x0000000000ffffff
-DATA ·andMask<>+0xb0(SB)/8, $0xffffffffffffffff
-DATA ·andMask<>+0xb8(SB)/8, $0x00000000ffffffff
-DATA ·andMask<>+0xc0(SB)/8, $0xffffffffffffffff
-DATA ·andMask<>+0xc8(SB)/8, $0x000000ffffffffff
-DATA ·andMask<>+0xd0(SB)/8, $0xffffffffffffffff
-DATA ·andMask<>+0xd8(SB)/8, $0x0000ffffffffffff
-DATA ·andMask<>+0xe0(SB)/8, $0xffffffffffffffff
-DATA ·andMask<>+0xe8(SB)/8, $0x00ffffffffffffff
-
-GLOBL ·chacha20Constants<>(SB), (NOPTR+RODATA), $32
-GLOBL ·rol16<>(SB), (NOPTR+RODATA), $32
-GLOBL ·rol8<>(SB), (NOPTR+RODATA), $32
-GLOBL ·sseIncMask<>(SB), (NOPTR+RODATA), $16
-GLOBL ·avx2IncMask<>(SB), (NOPTR+RODATA), $32
-GLOBL ·avx2InitMask<>(SB), (NOPTR+RODATA), $32
-GLOBL ·polyClampMask<>(SB), (NOPTR+RODATA), $32
-GLOBL ·andMask<>(SB), (NOPTR+RODATA), $240
-// No PALIGNR in Go ASM yet (but VPALIGNR is present).
-#define shiftB0Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xdb; BYTE $0x04 // PALIGNR $4, X3, X3
-#define shiftB1Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xe4; BYTE $0x04 // PALIGNR $4, X4, X4
-#define shiftB2Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xed; BYTE $0x04 // PALIGNR $4, X5, X5
-#define shiftB3Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xed; BYTE $0x04 // PALIGNR $4, X13, X13
-#define shiftC0Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xf6; BYTE $0x08 // PALIGNR $8, X6, X6
-#define shiftC1Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xff; BYTE $0x08 // PALIGNR $8, X7, X7
-#define shiftC2Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xc0; BYTE $0x08 // PALIGNR $8, X8, X8
-#define shiftC3Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xf6; BYTE $0x08 // PALIGNR $8, X14, X14
-#define shiftD0Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xc9; BYTE $0x0c // PALIGNR $12, X9, X9
-#define shiftD1Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xd2; BYTE $0x0c // PALIGNR $12, X10, X10
-#define shiftD2Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xdb; BYTE $0x0c // PALIGNR $12, X11, X11
-#define shiftD3Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xff; BYTE $0x0c // PALIGNR $12, X15, X15
-#define shiftB0Right BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xdb; BYTE $0x0c // PALIGNR $12, X3, X3
-#define shiftB1Right BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xe4; BYTE $0x0c // PALIGNR $12, X4, X4
-#define shiftB2Right BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xed; BYTE $0x0c // PALIGNR $12, X5, X5
-#define shiftB3Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xed; BYTE $0x0c // PALIGNR $12, X13, X13
-#define shiftC0Right shiftC0Left
-#define shiftC1Right shiftC1Left
-#define shiftC2Right shiftC2Left
-#define shiftC3Right shiftC3Left
-#define shiftD0Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xc9; BYTE $0x04 // PALIGNR $4, X9, X9
-#define shiftD1Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xd2; BYTE $0x04 // PALIGNR $4, X10, X10
-#define shiftD2Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xdb; BYTE $0x04 // PALIGNR $4, X11, X11
-#define shiftD3Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xff; BYTE $0x04 // PALIGNR $4, X15, X15
-// Some macros
-#define chachaQR(A, B, C, D, T) \
-	PADDD B, A; PXOR A, D; PSHUFB ·rol16<>(SB), D                            \
-	PADDD D, C; PXOR C, B; MOVO B, T; PSLLL $12, T; PSRLL $20, B; PXOR T, B \
-	PADDD B, A; PXOR A, D; PSHUFB ·rol8<>(SB), D                             \
-	PADDD D, C; PXOR C, B; MOVO B, T; PSLLL $7, T; PSRLL $25, B; PXOR T, B
-
-#define chachaQR_AVX2(A, B, C, D, T) \
-	VPADDD B, A, A; VPXOR A, D, D; VPSHUFB ·rol16<>(SB), D, D                         \
-	VPADDD D, C, C; VPXOR C, B, B; VPSLLD $12, B, T; VPSRLD $20, B, B; VPXOR T, B, B \
-	VPADDD B, A, A; VPXOR A, D, D; VPSHUFB ·rol8<>(SB), D, D                          \
-	VPADDD D, C, C; VPXOR C, B, B; VPSLLD $7, B, T; VPSRLD $25, B, B; VPXOR T, B, B
-
-#define polyAdd(S) ADDQ S, acc0; ADCQ 8+S, acc1; ADCQ $1, acc2
-#define polyMulStage1 MOVQ (0*8)(BP), AX; MOVQ AX, t2; MULQ acc0; MOVQ AX, t0; MOVQ DX, t1; MOVQ (0*8)(BP), AX; MULQ acc1; IMULQ acc2, t2; ADDQ AX, t1; ADCQ DX, t2
-#define polyMulStage2 MOVQ (1*8)(BP), AX; MOVQ AX, t3; MULQ acc0; ADDQ AX, t1; ADCQ $0, DX; MOVQ DX, acc0; MOVQ (1*8)(BP), AX; MULQ acc1; ADDQ AX, t2; ADCQ $0, DX
-#define polyMulStage3 IMULQ acc2, t3; ADDQ acc0, t2; ADCQ DX, t3
-#define polyMulReduceStage MOVQ t0, acc0; MOVQ t1, acc1; MOVQ t2, acc2; ANDQ $3, acc2; MOVQ t2, t0; ANDQ $-4, t0; MOVQ t3, t1; SHRQ $2, t2:t3; SHRQ $2, t3; ADDQ t0, acc0; ADCQ t1, acc1; ADCQ $0, acc2; ADDQ t2, acc0; ADCQ t3, acc1; ADCQ $0, acc2
-
-#define polyMulStage1_AVX2 MOVQ (0*8)(BP), DX; MOVQ DX, t2; MULXQ acc0, t0, t1; IMULQ acc2, t2; MULXQ acc1, AX, DX; ADDQ AX, t1; ADCQ DX, t2
-#define polyMulStage2_AVX2 MOVQ (1*8)(BP), DX; MULXQ acc0, acc0, AX; ADDQ acc0, t1; MULXQ acc1, acc1, t3; ADCQ acc1, t2; ADCQ $0, t3
-#define polyMulStage3_AVX2 IMULQ acc2, DX; ADDQ AX, t2; ADCQ DX, t3
-
-#define polyMul polyMulStage1; polyMulStage2; polyMulStage3; polyMulReduceStage
-#define polyMulAVX2 polyMulStage1_AVX2; polyMulStage2_AVX2; polyMulStage3_AVX2; polyMulReduceStage
-// ----------------------------------------------------------------------------
-TEXT polyHashADInternal<>(SB), NOSPLIT, $0
-	// adp points to beginning of additional data
-	// itr2 holds ad length
-	XORQ acc0, acc0
-	XORQ acc1, acc1
-	XORQ acc2, acc2
-	CMPQ itr2, $13
-	JNE  hashADLoop
-
-openFastTLSAD:
-	// Special treatment for the TLS case of 13 bytes
-	MOVQ (adp), acc0
-	MOVQ 5(adp), acc1
-	SHRQ $24, acc1
-	MOVQ $1, acc2
-	polyMul
-	RET
-
-hashADLoop:
-	// Hash in 16 byte chunks
-	CMPQ itr2, $16
-	JB   hashADTail
-	polyAdd(0(adp))
-	LEAQ (1*16)(adp), adp
-	SUBQ $16, itr2
-	polyMul
-	JMP  hashADLoop
-
-hashADTail:
-	CMPQ itr2, $0
-	JE   hashADDone
-
-	// Hash last < 16 byte tail
-	XORQ t0, t0
-	XORQ t1, t1
-	XORQ t2, t2
-	ADDQ itr2, adp
-
-hashADTailLoop:
-	SHLQ $8, t1:t0
-	SHLQ $8, t0
-	MOVB -1(adp), t2
-	XORQ t2, t0
-	DECQ adp
-	DECQ itr2
-	JNE  hashADTailLoop
-
-hashADTailFinish:
-	ADDQ t0, acc0; ADCQ t1, acc1; ADCQ $1, acc2
-	polyMul
-
-	// Finished AD
-hashADDone:
-	RET
-
-// ----------------------------------------------------------------------------
-// func chacha20Poly1305Open(dst, key, src, ad []byte) bool
-TEXT ·chacha20Poly1305Open(SB), 0, $288-97
-	// For aligned stack access
-	MOVQ SP, BP
-	ADDQ $32, BP
-	ANDQ $-32, BP
-	MOVQ dst+0(FP), oup
-	MOVQ key+24(FP), keyp
-	MOVQ src+48(FP), inp
-	MOVQ src_len+56(FP), inl
-	MOVQ ad+72(FP), adp
-
-	// Check for AVX2 support
-	CMPB ·useAVX2(SB), $1
-	JE   chacha20Poly1305Open_AVX2
-
-	// Special optimization, for very short buffers
-	CMPQ inl, $128
-	JBE  openSSE128 // About 16% faster
-
-	// For long buffers, prepare the poly key first
-	MOVOU ·chacha20Constants<>(SB), A0
-	MOVOU (1*16)(keyp), B0
-	MOVOU (2*16)(keyp), C0
-	MOVOU (3*16)(keyp), D0
-	MOVO  D0, T1
-
-	// Store state on stack for future use
-	MOVO B0, state1Store
-	MOVO C0, state2Store
-	MOVO D0, ctr3Store
-	MOVQ $10, itr2
-
-openSSEPreparePolyKey:
-	chachaQR(A0, B0, C0, D0, T0)
-	shiftB0Left;  shiftC0Left; shiftD0Left
-	chachaQR(A0, B0, C0, D0, T0)
-	shiftB0Right; shiftC0Right; shiftD0Right
-	DECQ          itr2
-	JNE           openSSEPreparePolyKey
-
-	// A0|B0 hold the Poly1305 32-byte key, C0,D0 can be discarded
-	PADDL ·chacha20Constants<>(SB), A0; PADDL state1Store, B0
-
-	// Clamp and store the key
-	PAND ·polyClampMask<>(SB), A0
-	MOVO A0, rStore; MOVO B0, sStore
-
-	// Hash AAD
-	MOVQ ad_len+80(FP), itr2
-	CALL polyHashADInternal<>(SB)
-
-openSSEMainLoop:
-	CMPQ inl, $256
-	JB   openSSEMainLoopDone
-
-	// Load state, increment counter blocks
-	MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0
-	MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
-	MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
-	MOVO A2, A3; MOVO B2, B3; MOVO C2, C3; MOVO D2, D3; PADDL ·sseIncMask<>(SB), D3
-
-	// Store counters
-	MOVO D0, ctr0Store; MOVO D1, ctr1Store; MOVO D2, ctr2Store; MOVO D3, ctr3Store
-
-	// There are 10 ChaCha20 iterations of 2QR each, so for 6 iterations we hash 2 blocks, and for the remaining 4 only 1 block - for a total of 16
-	MOVQ $4, itr1
-	MOVQ inp, itr2
-
-openSSEInternalLoop:
-	MOVO          C3, tmpStore
-	chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
-	MOVO          tmpStore, C3
-	MOVO          C1, tmpStore
-	chachaQR(A3, B3, C3, D3, C1)
-	MOVO          tmpStore, C1
-	polyAdd(0(itr2))
-	shiftB0Left;  shiftB1Left; shiftB2Left; shiftB3Left
-	shiftC0Left;  shiftC1Left; shiftC2Left; shiftC3Left
-	shiftD0Left;  shiftD1Left; shiftD2Left; shiftD3Left
-	polyMulStage1
-	polyMulStage2
-	LEAQ          (2*8)(itr2), itr2
-	MOVO          C3, tmpStore
-	chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
-	MOVO          tmpStore, C3
-	MOVO          C1, tmpStore
-	polyMulStage3
-	chachaQR(A3, B3, C3, D3, C1)
-	MOVO          tmpStore, C1
-	polyMulReduceStage
-	shiftB0Right; shiftB1Right; shiftB2Right; shiftB3Right
-	shiftC0Right; shiftC1Right; shiftC2Right; shiftC3Right
-	shiftD0Right; shiftD1Right; shiftD2Right; shiftD3Right
-	DECQ          itr1
-	JGE           openSSEInternalLoop
-
-	polyAdd(0(itr2))
-	polyMul
-	LEAQ (2*8)(itr2), itr2
-
-	CMPQ itr1, $-6
-	JG   openSSEInternalLoop
-
-	// Add in the state
-	PADDD ·chacha20Constants<>(SB), A0; PADDD ·chacha20Constants<>(SB), A1; PADDD ·chacha20Constants<>(SB), A2; PADDD ·chacha20Constants<>(SB), A3
-	PADDD state1Store, B0; PADDD state1Store, B1; PADDD state1Store, B2; PADDD state1Store, B3
-	PADDD state2Store, C0; PADDD state2Store, C1; PADDD state2Store, C2; PADDD state2Store, C3
-	PADDD ctr0Store, D0; PADDD ctr1Store, D1; PADDD ctr2Store, D2; PADDD ctr3Store, D3
-
-	// Load - xor - store
-	MOVO  D3, tmpStore
-	MOVOU (0*16)(inp), D3; PXOR D3, A0; MOVOU A0, (0*16)(oup)
-	MOVOU (1*16)(inp), D3; PXOR D3, B0; MOVOU B0, (1*16)(oup)
-	MOVOU (2*16)(inp), D3; PXOR D3, C0; MOVOU C0, (2*16)(oup)
-	MOVOU (3*16)(inp), D3; PXOR D3, D0; MOVOU D0, (3*16)(oup)
-	MOVOU (4*16)(inp), D0; PXOR D0, A1; MOVOU A1, (4*16)(oup)
-	MOVOU (5*16)(inp), D0; PXOR D0, B1; MOVOU B1, (5*16)(oup)
-	MOVOU (6*16)(inp), D0; PXOR D0, C1; MOVOU C1, (6*16)(oup)
-	MOVOU (7*16)(inp), D0; PXOR D0, D1; MOVOU D1, (7*16)(oup)
-	MOVOU (8*16)(inp), D0; PXOR D0, A2; MOVOU A2, (8*16)(oup)
-	MOVOU (9*16)(inp), D0; PXOR D0, B2; MOVOU B2, (9*16)(oup)
-	MOVOU (10*16)(inp), D0; PXOR D0, C2; MOVOU C2, (10*16)(oup)
-	MOVOU (11*16)(inp), D0; PXOR D0, D2; MOVOU D2, (11*16)(oup)
-	MOVOU (12*16)(inp), D0; PXOR D0, A3; MOVOU A3, (12*16)(oup)
-	MOVOU (13*16)(inp), D0; PXOR D0, B3; MOVOU B3, (13*16)(oup)
-	MOVOU (14*16)(inp), D0; PXOR D0, C3; MOVOU C3, (14*16)(oup)
-	MOVOU (15*16)(inp), D0; PXOR tmpStore, D0; MOVOU D0, (15*16)(oup)
-	LEAQ  256(inp), inp
-	LEAQ  256(oup), oup
-	SUBQ  $256, inl
-	JMP   openSSEMainLoop
-
-openSSEMainLoopDone:
-	// Handle the various tail sizes efficiently
-	TESTQ inl, inl
-	JE    openSSEFinalize
-	CMPQ  inl, $64
-	JBE   openSSETail64
-	CMPQ  inl, $128
-	JBE   openSSETail128
-	CMPQ  inl, $192
-	JBE   openSSETail192
-	JMP   openSSETail256
-
-openSSEFinalize:
-	// Hash in the PT, AAD lengths
-	ADDQ ad_len+80(FP), acc0; ADCQ src_len+56(FP), acc1; ADCQ $1, acc2
-	polyMul
-
-	// Final reduce
-	MOVQ    acc0, t0
-	MOVQ    acc1, t1
-	MOVQ    acc2, t2
-	SUBQ    $-5, acc0
-	SBBQ    $-1, acc1
-	SBBQ    $3, acc2
-	CMOVQCS t0, acc0
-	CMOVQCS t1, acc1
-	CMOVQCS t2, acc2
-
-	// Add in the "s" part of the key
-	ADDQ 0+sStore, acc0
-	ADCQ 8+sStore, acc1
-
-	// Finally, constant time compare to the tag at the end of the message
-	XORQ    AX, AX
-	MOVQ    $1, DX
-	XORQ    (0*8)(inp), acc0
-	XORQ    (1*8)(inp), acc1
-	ORQ     acc1, acc0
-	CMOVQEQ DX, AX
-
-	// Return true iff tags are equal
-	MOVB AX, ret+96(FP)
-	RET
-
-// ----------------------------------------------------------------------------
-// Special optimization for buffers smaller than 129 bytes
-openSSE128:
-	// For up to 128 bytes of ciphertext and 64 bytes for the poly key, we require to process three blocks
-	MOVOU ·chacha20Constants<>(SB), A0; MOVOU (1*16)(keyp), B0; MOVOU (2*16)(keyp), C0; MOVOU (3*16)(keyp), D0
-	MOVO  A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
-	MOVO  A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
-	MOVO  B0, T1; MOVO C0, T2; MOVO D1, T3
-	MOVQ  $10, itr2
-
-openSSE128InnerCipherLoop:
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
-	shiftB0Left;  shiftB1Left; shiftB2Left
-	shiftC0Left;  shiftC1Left; shiftC2Left
-	shiftD0Left;  shiftD1Left; shiftD2Left
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
-	shiftB0Right; shiftB1Right; shiftB2Right
-	shiftC0Right; shiftC1Right; shiftC2Right
-	shiftD0Right; shiftD1Right; shiftD2Right
-	DECQ          itr2
-	JNE           openSSE128InnerCipherLoop
-
-	// A0|B0 hold the Poly1305 32-byte key, C0,D0 can be discarded
-	PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1; PADDL ·chacha20Constants<>(SB), A2
-	PADDL T1, B0; PADDL T1, B1; PADDL T1, B2
-	PADDL T2, C1; PADDL T2, C2
-	PADDL T3, D1; PADDL ·sseIncMask<>(SB), T3; PADDL T3, D2
-
-	// Clamp and store the key
-	PAND  ·polyClampMask<>(SB), A0
-	MOVOU A0, rStore; MOVOU B0, sStore
-
-	// Hash
-	MOVQ ad_len+80(FP), itr2
-	CALL polyHashADInternal<>(SB)
-
-openSSE128Open:
-	CMPQ inl, $16
-	JB   openSSETail16
-	SUBQ $16, inl
-
-	// Load for hashing
-	polyAdd(0(inp))
-
-	// Load for decryption
-	MOVOU (inp), T0; PXOR T0, A1; MOVOU A1, (oup)
-	LEAQ  (1*16)(inp), inp
-	LEAQ  (1*16)(oup), oup
-	polyMul
-
-	// Shift the stream "left"
-	MOVO B1, A1
-	MOVO C1, B1
-	MOVO D1, C1
-	MOVO A2, D1
-	MOVO B2, A2
-	MOVO C2, B2
-	MOVO D2, C2
-	JMP  openSSE128Open
-
-openSSETail16:
-	TESTQ inl, inl
-	JE    openSSEFinalize
-
-	// We can safely load the CT from the end, because it is padded with the MAC
-	MOVQ   inl, itr2
-	SHLQ   $4, itr2
-	LEAQ   ·andMask<>(SB), t0
-	MOVOU  (inp), T0
-	ADDQ   inl, inp
-	PAND   -16(t0)(itr2*1), T0
-	MOVO   T0, 0+tmpStore
-	MOVQ   T0, t0
-	MOVQ   8+tmpStore, t1
-	PXOR   A1, T0
-
-	// We can only store one byte at a time, since plaintext can be shorter than 16 bytes
-openSSETail16Store:
-	MOVQ T0, t3
-	MOVB t3, (oup)
-	PSRLDQ $1, T0
-	INCQ   oup
-	DECQ   inl
-	JNE    openSSETail16Store
-	ADDQ   t0, acc0; ADCQ t1, acc1; ADCQ $1, acc2
-	polyMul
-	JMP    openSSEFinalize
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 64 bytes of ciphertext
-openSSETail64:
-	// Need to decrypt up to 64 bytes - prepare single block
-	MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0, ctr0Store
-	XORQ itr2, itr2
-	MOVQ inl, itr1
-	CMPQ itr1, $16
-	JB   openSSETail64LoopB
-
-openSSETail64LoopA:
-	// Perform ChaCha rounds, while hashing the remaining input
-	polyAdd(0(inp)(itr2*1))
-	polyMul
-	SUBQ $16, itr1
-
-openSSETail64LoopB:
-	ADDQ          $16, itr2
-	chachaQR(A0, B0, C0, D0, T0)
-	shiftB0Left;  shiftC0Left; shiftD0Left
-	chachaQR(A0, B0, C0, D0, T0)
-	shiftB0Right; shiftC0Right; shiftD0Right
-
-	CMPQ itr1, $16
-	JAE  openSSETail64LoopA
-
-	CMPQ itr2, $160
-	JNE  openSSETail64LoopB
-
-	PADDL ·chacha20Constants<>(SB), A0; PADDL state1Store, B0; PADDL state2Store, C0; PADDL ctr0Store, D0
-
-openSSETail64DecLoop:
-	CMPQ  inl, $16
-	JB    openSSETail64DecLoopDone
-	SUBQ  $16, inl
-	MOVOU (inp), T0
-	PXOR  T0, A0
-	MOVOU A0, (oup)
-	LEAQ  16(inp), inp
-	LEAQ  16(oup), oup
-	MOVO  B0, A0
-	MOVO  C0, B0
-	MOVO  D0, C0
-	JMP   openSSETail64DecLoop
-
-openSSETail64DecLoopDone:
-	MOVO A0, A1
-	JMP  openSSETail16
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 128 bytes of ciphertext
-openSSETail128:
-	// Need to decrypt up to 128 bytes - prepare two blocks
-	MOVO ·chacha20Constants<>(SB), A1; MOVO state1Store, B1; MOVO state2Store, C1; MOVO ctr3Store, D1; PADDL ·sseIncMask<>(SB), D1; MOVO D1, ctr0Store
-	MOVO A1, A0; MOVO B1, B0; MOVO C1, C0; MOVO D1, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0, ctr1Store
-	XORQ itr2, itr2
-	MOVQ inl, itr1
-	ANDQ $-16, itr1
-
-openSSETail128LoopA:
-	// Perform ChaCha rounds, while hashing the remaining input
-	polyAdd(0(inp)(itr2*1))
-	polyMul
-
-openSSETail128LoopB:
-	ADDQ          $16, itr2
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0)
-	shiftB0Left;  shiftC0Left; shiftD0Left
-	shiftB1Left;  shiftC1Left; shiftD1Left
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0)
-	shiftB0Right; shiftC0Right; shiftD0Right
-	shiftB1Right; shiftC1Right; shiftD1Right
-
-	CMPQ itr2, itr1
-	JB   openSSETail128LoopA
-
-	CMPQ itr2, $160
-	JNE  openSSETail128LoopB
-
-	PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1
-	PADDL state1Store, B0; PADDL state1Store, B1
-	PADDL state2Store, C0; PADDL state2Store, C1
-	PADDL ctr1Store, D0; PADDL ctr0Store, D1
-
-	MOVOU (0*16)(inp), T0; MOVOU (1*16)(inp), T1; MOVOU (2*16)(inp), T2; MOVOU (3*16)(inp), T3
-	PXOR  T0, A1; PXOR T1, B1; PXOR T2, C1; PXOR T3, D1
-	MOVOU A1, (0*16)(oup); MOVOU B1, (1*16)(oup); MOVOU C1, (2*16)(oup); MOVOU D1, (3*16)(oup)
-
-	SUBQ $64, inl
-	LEAQ 64(inp), inp
-	LEAQ 64(oup), oup
-	JMP  openSSETail64DecLoop
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 192 bytes of ciphertext
-openSSETail192:
-	// Need to decrypt up to 192 bytes - prepare three blocks
-	MOVO ·chacha20Constants<>(SB), A2; MOVO state1Store, B2; MOVO state2Store, C2; MOVO ctr3Store, D2; PADDL ·sseIncMask<>(SB), D2; MOVO D2, ctr0Store
-	MOVO A2, A1; MOVO B2, B1; MOVO C2, C1; MOVO D2, D1; PADDL ·sseIncMask<>(SB), D1; MOVO D1, ctr1Store
-	MOVO A1, A0; MOVO B1, B0; MOVO C1, C0; MOVO D1, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0, ctr2Store
-
-	MOVQ    inl, itr1
-	MOVQ    $160, itr2
-	CMPQ    itr1, $160
-	CMOVQGT itr2, itr1
-	ANDQ    $-16, itr1
-	XORQ    itr2, itr2
-
-openSSLTail192LoopA:
-	// Perform ChaCha rounds, while hashing the remaining input
-	polyAdd(0(inp)(itr2*1))
-	polyMul
-
-openSSLTail192LoopB:
-	ADDQ         $16, itr2
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
-	shiftB0Left; shiftC0Left; shiftD0Left
-	shiftB1Left; shiftC1Left; shiftD1Left
-	shiftB2Left; shiftC2Left; shiftD2Left
-
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
-	shiftB0Right; shiftC0Right; shiftD0Right
-	shiftB1Right; shiftC1Right; shiftD1Right
-	shiftB2Right; shiftC2Right; shiftD2Right
-
-	CMPQ itr2, itr1
-	JB   openSSLTail192LoopA
-
-	CMPQ itr2, $160
-	JNE  openSSLTail192LoopB
-
-	CMPQ inl, $176
-	JB   openSSLTail192Store
-
-	polyAdd(160(inp))
-	polyMul
-
-	CMPQ inl, $192
-	JB   openSSLTail192Store
-
-	polyAdd(176(inp))
-	polyMul
-
-openSSLTail192Store:
-	PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1; PADDL ·chacha20Constants<>(SB), A2
-	PADDL state1Store, B0; PADDL state1Store, B1; PADDL state1Store, B2
-	PADDL state2Store, C0; PADDL state2Store, C1; PADDL state2Store, C2
-	PADDL ctr2Store, D0; PADDL ctr1Store, D1; PADDL ctr0Store, D2
-
-	MOVOU (0*16)(inp), T0; MOVOU (1*16)(inp), T1; MOVOU (2*16)(inp), T2; MOVOU (3*16)(inp), T3
-	PXOR  T0, A2; PXOR T1, B2; PXOR T2, C2; PXOR T3, D2
-	MOVOU A2, (0*16)(oup); MOVOU B2, (1*16)(oup); MOVOU C2, (2*16)(oup); MOVOU D2, (3*16)(oup)
-
-	MOVOU (4*16)(inp), T0; MOVOU (5*16)(inp), T1; MOVOU (6*16)(inp), T2; MOVOU (7*16)(inp), T3
-	PXOR  T0, A1; PXOR T1, B1; PXOR T2, C1; PXOR T3, D1
-	MOVOU A1, (4*16)(oup); MOVOU B1, (5*16)(oup); MOVOU C1, (6*16)(oup); MOVOU D1, (7*16)(oup)
-
-	SUBQ $128, inl
-	LEAQ 128(inp), inp
-	LEAQ 128(oup), oup
-	JMP  openSSETail64DecLoop
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 256 bytes of ciphertext
-openSSETail256:
-	// Need to decrypt up to 256 bytes - prepare four blocks
-	MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0
-	MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
-	MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
-	MOVO A2, A3; MOVO B2, B3; MOVO C2, C3; MOVO D2, D3; PADDL ·sseIncMask<>(SB), D3
-
-	// Store counters
-	MOVO D0, ctr0Store; MOVO D1, ctr1Store; MOVO D2, ctr2Store; MOVO D3, ctr3Store
-	XORQ itr2, itr2
-
-openSSETail256Loop:
-	// This loop inteleaves 8 ChaCha quarter rounds with 1 poly multiplication
-	polyAdd(0(inp)(itr2*1))
-	MOVO          C3, tmpStore
-	chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
-	MOVO          tmpStore, C3
-	MOVO          C1, tmpStore
-	chachaQR(A3, B3, C3, D3, C1)
-	MOVO          tmpStore, C1
-	shiftB0Left;  shiftB1Left; shiftB2Left; shiftB3Left
-	shiftC0Left;  shiftC1Left; shiftC2Left; shiftC3Left
-	shiftD0Left;  shiftD1Left; shiftD2Left; shiftD3Left
-	polyMulStage1
-	polyMulStage2
-	MOVO          C3, tmpStore
-	chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
-	MOVO          tmpStore, C3
-	MOVO          C1, tmpStore
-	chachaQR(A3, B3, C3, D3, C1)
-	MOVO          tmpStore, C1
-	polyMulStage3
-	polyMulReduceStage
-	shiftB0Right; shiftB1Right; shiftB2Right; shiftB3Right
-	shiftC0Right; shiftC1Right; shiftC2Right; shiftC3Right
-	shiftD0Right; shiftD1Right; shiftD2Right; shiftD3Right
-	ADDQ          $2*8, itr2
-	CMPQ          itr2, $160
-	JB            openSSETail256Loop
-	MOVQ          inl, itr1
-	ANDQ          $-16, itr1
-
-openSSETail256HashLoop:
-	polyAdd(0(inp)(itr2*1))
-	polyMul
-	ADDQ $2*8, itr2
-	CMPQ itr2, itr1
-	JB   openSSETail256HashLoop
-
-	// Add in the state
-	PADDD ·chacha20Constants<>(SB), A0; PADDD ·chacha20Constants<>(SB), A1; PADDD ·chacha20Constants<>(SB), A2; PADDD ·chacha20Constants<>(SB), A3
-	PADDD state1Store, B0; PADDD state1Store, B1; PADDD state1Store, B2; PADDD state1Store, B3
-	PADDD state2Store, C0; PADDD state2Store, C1; PADDD state2Store, C2; PADDD state2Store, C3
-	PADDD ctr0Store, D0; PADDD ctr1Store, D1; PADDD ctr2Store, D2; PADDD ctr3Store, D3
-	MOVO  D3, tmpStore
-
-	// Load - xor - store
-	MOVOU (0*16)(inp), D3; PXOR D3, A0
-	MOVOU (1*16)(inp), D3; PXOR D3, B0
-	MOVOU (2*16)(inp), D3; PXOR D3, C0
-	MOVOU (3*16)(inp), D3; PXOR D3, D0
-	MOVOU A0, (0*16)(oup)
-	MOVOU B0, (1*16)(oup)
-	MOVOU C0, (2*16)(oup)
-	MOVOU D0, (3*16)(oup)
-	MOVOU (4*16)(inp), A0; MOVOU (5*16)(inp), B0; MOVOU (6*16)(inp), C0; MOVOU (7*16)(inp), D0
-	PXOR  A0, A1; PXOR B0, B1; PXOR C0, C1; PXOR D0, D1
-	MOVOU A1, (4*16)(oup); MOVOU B1, (5*16)(oup); MOVOU C1, (6*16)(oup); MOVOU D1, (7*16)(oup)
-	MOVOU (8*16)(inp), A0; MOVOU (9*16)(inp), B0; MOVOU (10*16)(inp), C0; MOVOU (11*16)(inp), D0
-	PXOR  A0, A2; PXOR B0, B2; PXOR C0, C2; PXOR D0, D2
-	MOVOU A2, (8*16)(oup); MOVOU B2, (9*16)(oup); MOVOU C2, (10*16)(oup); MOVOU D2, (11*16)(oup)
-	LEAQ  192(inp), inp
-	LEAQ  192(oup), oup
-	SUBQ  $192, inl
-	MOVO  A3, A0
-	MOVO  B3, B0
-	MOVO  C3, C0
-	MOVO  tmpStore, D0
-
-	JMP openSSETail64DecLoop
-
-// ----------------------------------------------------------------------------
-// ------------------------- AVX2 Code ----------------------------------------
-chacha20Poly1305Open_AVX2:
-	VZEROUPPER
-	VMOVDQU ·chacha20Constants<>(SB), AA0
-	BYTE    $0xc4; BYTE $0x42; BYTE $0x7d; BYTE $0x5a; BYTE $0x70; BYTE $0x10 // broadcasti128 16(r8), ymm14
-	BYTE    $0xc4; BYTE $0x42; BYTE $0x7d; BYTE $0x5a; BYTE $0x60; BYTE $0x20 // broadcasti128 32(r8), ymm12
-	BYTE    $0xc4; BYTE $0xc2; BYTE $0x7d; BYTE $0x5a; BYTE $0x60; BYTE $0x30 // broadcasti128 48(r8), ymm4
-	VPADDD  ·avx2InitMask<>(SB), DD0, DD0
-
-	// Special optimization, for very short buffers
-	CMPQ inl, $192
-	JBE  openAVX2192
-	CMPQ inl, $320
-	JBE  openAVX2320
-
-	// For the general key prepare the key first - as a byproduct we have 64 bytes of cipher stream
-	VMOVDQA BB0, state1StoreAVX2
-	VMOVDQA CC0, state2StoreAVX2
-	VMOVDQA DD0, ctr3StoreAVX2
-	MOVQ    $10, itr2
-
-openAVX2PreparePolyKey:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0)
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $12, DD0, DD0, DD0
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0)
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $4, DD0, DD0, DD0
-	DECQ     itr2
-	JNE      openAVX2PreparePolyKey
-
-	VPADDD ·chacha20Constants<>(SB), AA0, AA0
-	VPADDD state1StoreAVX2, BB0, BB0
-	VPADDD state2StoreAVX2, CC0, CC0
-	VPADDD ctr3StoreAVX2, DD0, DD0
-
-	VPERM2I128 $0x02, AA0, BB0, TT0
-
-	// Clamp and store poly key
-	VPAND   ·polyClampMask<>(SB), TT0, TT0
-	VMOVDQA TT0, rsStoreAVX2
-
-	// Stream for the first 64 bytes
-	VPERM2I128 $0x13, AA0, BB0, AA0
-	VPERM2I128 $0x13, CC0, DD0, BB0
-
-	// Hash AD + first 64 bytes
-	MOVQ ad_len+80(FP), itr2
-	CALL polyHashADInternal<>(SB)
-	XORQ itr1, itr1
-
-openAVX2InitialHash64:
-	polyAdd(0(inp)(itr1*1))
-	polyMulAVX2
-	ADDQ $16, itr1
-	CMPQ itr1, $64
-	JNE  openAVX2InitialHash64
-
-	// Decrypt the first 64 bytes
-	VPXOR   (0*32)(inp), AA0, AA0
-	VPXOR   (1*32)(inp), BB0, BB0
-	VMOVDQU AA0, (0*32)(oup)
-	VMOVDQU BB0, (1*32)(oup)
-	LEAQ    (2*32)(inp), inp
-	LEAQ    (2*32)(oup), oup
-	SUBQ    $64, inl
-
-openAVX2MainLoop:
-	CMPQ inl, $512
-	JB   openAVX2MainLoopDone
-
-	// Load state, increment counter blocks, store the incremented counters
-	VMOVDQU ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
-	VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3
-	VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3
-	VMOVDQA ctr3StoreAVX2, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3
-	VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2
-	XORQ    itr1, itr1
-
-openAVX2InternalLoop:
-	// Lets just say this spaghetti loop interleaves 2 quarter rounds with 3 poly multiplications
-	// Effectively per 512 bytes of stream we hash 480 bytes of ciphertext
-	polyAdd(0*8(inp)(itr1*1))
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	polyMulStage1_AVX2
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
-	polyMulStage2_AVX2
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	polyMulStage3_AVX2
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	polyMulReduceStage
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
-	polyAdd(2*8(inp)(itr1*1))
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	polyMulStage1_AVX2
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	polyMulStage2_AVX2
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $4, BB3, BB3, BB3
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2; VPALIGNR $12, DD3, DD3, DD3
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	polyMulStage3_AVX2
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
-	polyMulReduceStage
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	polyAdd(4*8(inp)(itr1*1))
-	LEAQ     (6*8)(itr1), itr1
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	polyMulStage1_AVX2
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	polyMulStage2_AVX2
-	VPSHUFB  ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	polyMulStage3_AVX2
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	polyMulReduceStage
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $12, BB3, BB3, BB3
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2; VPALIGNR $4, DD3, DD3, DD3
-	CMPQ     itr1, $480
-	JNE      openAVX2InternalLoop
-
-	VPADDD  ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3
-	VPADDD  state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3
-	VPADDD  state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3
-	VPADDD  ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3
-	VMOVDQA CC3, tmpStoreAVX2
-
-	// We only hashed 480 of the 512 bytes available - hash the remaining 32 here
-	polyAdd(480(inp))
-	polyMulAVX2
-	VPERM2I128 $0x02, AA0, BB0, CC3; VPERM2I128 $0x13, AA0, BB0, BB0; VPERM2I128 $0x02, CC0, DD0, AA0; VPERM2I128 $0x13, CC0, DD0, CC0
-	VPXOR      (0*32)(inp), CC3, CC3; VPXOR (1*32)(inp), AA0, AA0; VPXOR (2*32)(inp), BB0, BB0; VPXOR (3*32)(inp), CC0, CC0
-	VMOVDQU    CC3, (0*32)(oup); VMOVDQU AA0, (1*32)(oup); VMOVDQU BB0, (2*32)(oup); VMOVDQU CC0, (3*32)(oup)
-	VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
-	VPXOR      (4*32)(inp), AA0, AA0; VPXOR (5*32)(inp), BB0, BB0; VPXOR (6*32)(inp), CC0, CC0; VPXOR (7*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (4*32)(oup); VMOVDQU BB0, (5*32)(oup); VMOVDQU CC0, (6*32)(oup); VMOVDQU DD0, (7*32)(oup)
-
-	// and here
-	polyAdd(496(inp))
-	polyMulAVX2
-	VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0; VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0
-	VPXOR      (8*32)(inp), AA0, AA0; VPXOR (9*32)(inp), BB0, BB0; VPXOR (10*32)(inp), CC0, CC0; VPXOR (11*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (8*32)(oup); VMOVDQU BB0, (9*32)(oup); VMOVDQU CC0, (10*32)(oup); VMOVDQU DD0, (11*32)(oup)
-	VPERM2I128 $0x02, AA3, BB3, AA0; VPERM2I128 $0x02, tmpStoreAVX2, DD3, BB0; VPERM2I128 $0x13, AA3, BB3, CC0; VPERM2I128 $0x13, tmpStoreAVX2, DD3, DD0
-	VPXOR      (12*32)(inp), AA0, AA0; VPXOR (13*32)(inp), BB0, BB0; VPXOR (14*32)(inp), CC0, CC0; VPXOR (15*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (12*32)(oup); VMOVDQU BB0, (13*32)(oup); VMOVDQU CC0, (14*32)(oup); VMOVDQU DD0, (15*32)(oup)
-	LEAQ       (32*16)(inp), inp
-	LEAQ       (32*16)(oup), oup
-	SUBQ       $(32*16), inl
-	JMP        openAVX2MainLoop
-
-openAVX2MainLoopDone:
-	// Handle the various tail sizes efficiently
-	TESTQ inl, inl
-	JE    openSSEFinalize
-	CMPQ  inl, $128
-	JBE   openAVX2Tail128
-	CMPQ  inl, $256
-	JBE   openAVX2Tail256
-	CMPQ  inl, $384
-	JBE   openAVX2Tail384
-	JMP   openAVX2Tail512
-
-// ----------------------------------------------------------------------------
-// Special optimization for buffers smaller than 193 bytes
-openAVX2192:
-	// For up to 192 bytes of ciphertext and 64 bytes for the poly key, we process four blocks
-	VMOVDQA AA0, AA1
-	VMOVDQA BB0, BB1
-	VMOVDQA CC0, CC1
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD1
-	VMOVDQA AA0, AA2
-	VMOVDQA BB0, BB2
-	VMOVDQA CC0, CC2
-	VMOVDQA DD0, DD2
-	VMOVDQA DD1, TT3
-	MOVQ    $10, itr2
-
-openAVX2192InnerCipherLoop:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	VPALIGNR   $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1
-	VPALIGNR   $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR   $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	VPALIGNR   $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1
-	VPALIGNR   $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR   $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1
-	DECQ       itr2
-	JNE        openAVX2192InnerCipherLoop
-	VPADDD     AA2, AA0, AA0; VPADDD AA2, AA1, AA1
-	VPADDD     BB2, BB0, BB0; VPADDD BB2, BB1, BB1
-	VPADDD     CC2, CC0, CC0; VPADDD CC2, CC1, CC1
-	VPADDD     DD2, DD0, DD0; VPADDD TT3, DD1, DD1
-	VPERM2I128 $0x02, AA0, BB0, TT0
-
-	// Clamp and store poly key
-	VPAND   ·polyClampMask<>(SB), TT0, TT0
-	VMOVDQA TT0, rsStoreAVX2
-
-	// Stream for up to 192 bytes
-	VPERM2I128 $0x13, AA0, BB0, AA0
-	VPERM2I128 $0x13, CC0, DD0, BB0
-	VPERM2I128 $0x02, AA1, BB1, CC0
-	VPERM2I128 $0x02, CC1, DD1, DD0
-	VPERM2I128 $0x13, AA1, BB1, AA1
-	VPERM2I128 $0x13, CC1, DD1, BB1
-
-openAVX2ShortOpen:
-	// Hash
-	MOVQ ad_len+80(FP), itr2
-	CALL polyHashADInternal<>(SB)
-
-openAVX2ShortOpenLoop:
-	CMPQ inl, $32
-	JB   openAVX2ShortTail32
-	SUBQ $32, inl
-
-	// Load for hashing
-	polyAdd(0*8(inp))
-	polyMulAVX2
-	polyAdd(2*8(inp))
-	polyMulAVX2
-
-	// Load for decryption
-	VPXOR   (inp), AA0, AA0
-	VMOVDQU AA0, (oup)
-	LEAQ    (1*32)(inp), inp
-	LEAQ    (1*32)(oup), oup
-
-	// Shift stream left
-	VMOVDQA BB0, AA0
-	VMOVDQA CC0, BB0
-	VMOVDQA DD0, CC0
-	VMOVDQA AA1, DD0
-	VMOVDQA BB1, AA1
-	VMOVDQA CC1, BB1
-	VMOVDQA DD1, CC1
-	VMOVDQA AA2, DD1
-	VMOVDQA BB2, AA2
-	JMP     openAVX2ShortOpenLoop
-
-openAVX2ShortTail32:
-	CMPQ    inl, $16
-	VMOVDQA A0, A1
-	JB      openAVX2ShortDone
-
-	SUBQ $16, inl
-
-	// Load for hashing
-	polyAdd(0*8(inp))
-	polyMulAVX2
-
-	// Load for decryption
-	VPXOR      (inp), A0, T0
-	VMOVDQU    T0, (oup)
-	LEAQ       (1*16)(inp), inp
-	LEAQ       (1*16)(oup), oup
-	VPERM2I128 $0x11, AA0, AA0, AA0
-	VMOVDQA    A0, A1
-
-openAVX2ShortDone:
-	VZEROUPPER
-	JMP openSSETail16
-
-// ----------------------------------------------------------------------------
-// Special optimization for buffers smaller than 321 bytes
-openAVX2320:
-	// For up to 320 bytes of ciphertext and 64 bytes for the poly key, we process six blocks
-	VMOVDQA AA0, AA1; VMOVDQA BB0, BB1; VMOVDQA CC0, CC1; VPADDD ·avx2IncMask<>(SB), DD0, DD1
-	VMOVDQA AA0, AA2; VMOVDQA BB0, BB2; VMOVDQA CC0, CC2; VPADDD ·avx2IncMask<>(SB), DD1, DD2
-	VMOVDQA BB0, TT1; VMOVDQA CC0, TT2; VMOVDQA DD0, TT3
-	MOVQ    $10, itr2
-
-openAVX2320InnerCipherLoop:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2
-	DECQ     itr2
-	JNE      openAVX2320InnerCipherLoop
-
-	VMOVDQA ·chacha20Constants<>(SB), TT0
-	VPADDD  TT0, AA0, AA0; VPADDD TT0, AA1, AA1; VPADDD TT0, AA2, AA2
-	VPADDD  TT1, BB0, BB0; VPADDD TT1, BB1, BB1; VPADDD TT1, BB2, BB2
-	VPADDD  TT2, CC0, CC0; VPADDD TT2, CC1, CC1; VPADDD TT2, CC2, CC2
-	VMOVDQA ·avx2IncMask<>(SB), TT0
-	VPADDD  TT3, DD0, DD0; VPADDD TT0, TT3, TT3
-	VPADDD  TT3, DD1, DD1; VPADDD TT0, TT3, TT3
-	VPADDD  TT3, DD2, DD2
-
-	// Clamp and store poly key
-	VPERM2I128 $0x02, AA0, BB0, TT0
-	VPAND      ·polyClampMask<>(SB), TT0, TT0
-	VMOVDQA    TT0, rsStoreAVX2
-
-	// Stream for up to 320 bytes
-	VPERM2I128 $0x13, AA0, BB0, AA0
-	VPERM2I128 $0x13, CC0, DD0, BB0
-	VPERM2I128 $0x02, AA1, BB1, CC0
-	VPERM2I128 $0x02, CC1, DD1, DD0
-	VPERM2I128 $0x13, AA1, BB1, AA1
-	VPERM2I128 $0x13, CC1, DD1, BB1
-	VPERM2I128 $0x02, AA2, BB2, CC1
-	VPERM2I128 $0x02, CC2, DD2, DD1
-	VPERM2I128 $0x13, AA2, BB2, AA2
-	VPERM2I128 $0x13, CC2, DD2, BB2
-	JMP        openAVX2ShortOpen
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 128 bytes of ciphertext
-openAVX2Tail128:
-	// Need to decrypt up to 128 bytes - prepare two blocks
-	VMOVDQA ·chacha20Constants<>(SB), AA1
-	VMOVDQA state1StoreAVX2, BB1
-	VMOVDQA state2StoreAVX2, CC1
-	VMOVDQA ctr3StoreAVX2, DD1
-	VPADDD  ·avx2IncMask<>(SB), DD1, DD1
-	VMOVDQA DD1, DD0
-
-	XORQ  itr2, itr2
-	MOVQ  inl, itr1
-	ANDQ  $-16, itr1
-	TESTQ itr1, itr1
-	JE    openAVX2Tail128LoopB
-
-openAVX2Tail128LoopA:
-	// Perform ChaCha rounds, while hashing the remaining input
-	polyAdd(0(inp)(itr2*1))
-	polyMulAVX2
-
-openAVX2Tail128LoopB:
-	ADDQ     $16, itr2
-	chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	VPALIGNR $4, BB1, BB1, BB1
-	VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR $12, DD1, DD1, DD1
-	chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	VPALIGNR $12, BB1, BB1, BB1
-	VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR $4, DD1, DD1, DD1
-	CMPQ     itr2, itr1
-	JB       openAVX2Tail128LoopA
-	CMPQ     itr2, $160
-	JNE      openAVX2Tail128LoopB
-
-	VPADDD     ·chacha20Constants<>(SB), AA1, AA1
-	VPADDD     state1StoreAVX2, BB1, BB1
-	VPADDD     state2StoreAVX2, CC1, CC1
-	VPADDD     DD0, DD1, DD1
-	VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
-
-openAVX2TailLoop:
-	CMPQ inl, $32
-	JB   openAVX2Tail
-	SUBQ $32, inl
-
-	// Load for decryption
-	VPXOR   (inp), AA0, AA0
-	VMOVDQU AA0, (oup)
-	LEAQ    (1*32)(inp), inp
-	LEAQ    (1*32)(oup), oup
-	VMOVDQA BB0, AA0
-	VMOVDQA CC0, BB0
-	VMOVDQA DD0, CC0
-	JMP     openAVX2TailLoop
-
-openAVX2Tail:
-	CMPQ    inl, $16
-	VMOVDQA A0, A1
-	JB      openAVX2TailDone
-	SUBQ    $16, inl
-
-	// Load for decryption
-	VPXOR      (inp), A0, T0
-	VMOVDQU    T0, (oup)
-	LEAQ       (1*16)(inp), inp
-	LEAQ       (1*16)(oup), oup
-	VPERM2I128 $0x11, AA0, AA0, AA0
-	VMOVDQA    A0, A1
-
-openAVX2TailDone:
-	VZEROUPPER
-	JMP openSSETail16
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 256 bytes of ciphertext
-openAVX2Tail256:
-	// Need to decrypt up to 256 bytes - prepare four blocks
-	VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1
-	VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1
-	VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1
-	VMOVDQA ctr3StoreAVX2, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD1
-	VMOVDQA DD0, TT1
-	VMOVDQA DD1, TT2
-
-	// Compute the number of iterations that will hash data
-	MOVQ    inl, tmpStoreAVX2
-	MOVQ    inl, itr1
-	SUBQ    $128, itr1
-	SHRQ    $4, itr1
-	MOVQ    $10, itr2
-	CMPQ    itr1, $10
-	CMOVQGT itr2, itr1
-	MOVQ    inp, inl
-	XORQ    itr2, itr2
-
-openAVX2Tail256LoopA:
-	polyAdd(0(inl))
-	polyMulAVX2
-	LEAQ 16(inl), inl
-
-	// Perform ChaCha rounds, while hashing the remaining input
-openAVX2Tail256LoopB:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1
-	INCQ     itr2
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1
-	CMPQ     itr2, itr1
-	JB       openAVX2Tail256LoopA
-
-	CMPQ itr2, $10
-	JNE  openAVX2Tail256LoopB
-
-	MOVQ inl, itr2
-	SUBQ inp, inl
-	MOVQ inl, itr1
-	MOVQ tmpStoreAVX2, inl
-
-	// Hash the remainder of data (if any)
-openAVX2Tail256Hash:
-	ADDQ $16, itr1
-	CMPQ itr1, inl
-	JGT  openAVX2Tail256HashEnd
-	polyAdd (0(itr2))
-	polyMulAVX2
-	LEAQ 16(itr2), itr2
-	JMP  openAVX2Tail256Hash
-
-// Store 128 bytes safely, then go to store loop
-openAVX2Tail256HashEnd:
-	VPADDD     ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1
-	VPADDD     state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1
-	VPADDD     state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1
-	VPADDD     TT1, DD0, DD0; VPADDD TT2, DD1, DD1
-	VPERM2I128 $0x02, AA0, BB0, AA2; VPERM2I128 $0x02, CC0, DD0, BB2; VPERM2I128 $0x13, AA0, BB0, CC2; VPERM2I128 $0x13, CC0, DD0, DD2
-	VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
-
-	VPXOR   (0*32)(inp), AA2, AA2; VPXOR (1*32)(inp), BB2, BB2; VPXOR (2*32)(inp), CC2, CC2; VPXOR (3*32)(inp), DD2, DD2
-	VMOVDQU AA2, (0*32)(oup); VMOVDQU BB2, (1*32)(oup); VMOVDQU CC2, (2*32)(oup); VMOVDQU DD2, (3*32)(oup)
-	LEAQ    (4*32)(inp), inp
-	LEAQ    (4*32)(oup), oup
-	SUBQ    $4*32, inl
-
-	JMP openAVX2TailLoop
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 384 bytes of ciphertext
-openAVX2Tail384:
-	// Need to decrypt up to 384 bytes - prepare six blocks
-	VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2
-	VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2
-	VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2
-	VMOVDQA ctr3StoreAVX2, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD1
-	VPADDD  ·avx2IncMask<>(SB), DD1, DD2
-	VMOVDQA DD0, ctr0StoreAVX2
-	VMOVDQA DD1, ctr1StoreAVX2
-	VMOVDQA DD2, ctr2StoreAVX2
-
-	// Compute the number of iterations that will hash two blocks of data
-	MOVQ    inl, tmpStoreAVX2
-	MOVQ    inl, itr1
-	SUBQ    $256, itr1
-	SHRQ    $4, itr1
-	ADDQ    $6, itr1
-	MOVQ    $10, itr2
-	CMPQ    itr1, $10
-	CMOVQGT itr2, itr1
-	MOVQ    inp, inl
-	XORQ    itr2, itr2
-
-	// Perform ChaCha rounds, while hashing the remaining input
-openAVX2Tail384LoopB:
-	polyAdd(0(inl))
-	polyMulAVX2
-	LEAQ 16(inl), inl
-
-openAVX2Tail384LoopA:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2
-	polyAdd(0(inl))
-	polyMulAVX2
-	LEAQ     16(inl), inl
-	INCQ     itr2
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2
-
-	CMPQ itr2, itr1
-	JB   openAVX2Tail384LoopB
-
-	CMPQ itr2, $10
-	JNE  openAVX2Tail384LoopA
-
-	MOVQ inl, itr2
-	SUBQ inp, inl
-	MOVQ inl, itr1
-	MOVQ tmpStoreAVX2, inl
-
-openAVX2Tail384Hash:
-	ADDQ $16, itr1
-	CMPQ itr1, inl
-	JGT  openAVX2Tail384HashEnd
-	polyAdd(0(itr2))
-	polyMulAVX2
-	LEAQ 16(itr2), itr2
-	JMP  openAVX2Tail384Hash
-
-// Store 256 bytes safely, then go to store loop
-openAVX2Tail384HashEnd:
-	VPADDD     ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2
-	VPADDD     state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2
-	VPADDD     state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2
-	VPADDD     ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2
-	VPERM2I128 $0x02, AA0, BB0, TT0; VPERM2I128 $0x02, CC0, DD0, TT1; VPERM2I128 $0x13, AA0, BB0, TT2; VPERM2I128 $0x13, CC0, DD0, TT3
-	VPXOR      (0*32)(inp), TT0, TT0; VPXOR (1*32)(inp), TT1, TT1; VPXOR (2*32)(inp), TT2, TT2; VPXOR (3*32)(inp), TT3, TT3
-	VMOVDQU    TT0, (0*32)(oup); VMOVDQU TT1, (1*32)(oup); VMOVDQU TT2, (2*32)(oup); VMOVDQU TT3, (3*32)(oup)
-	VPERM2I128 $0x02, AA1, BB1, TT0; VPERM2I128 $0x02, CC1, DD1, TT1; VPERM2I128 $0x13, AA1, BB1, TT2; VPERM2I128 $0x13, CC1, DD1, TT3
-	VPXOR      (4*32)(inp), TT0, TT0; VPXOR (5*32)(inp), TT1, TT1; VPXOR (6*32)(inp), TT2, TT2; VPXOR (7*32)(inp), TT3, TT3
-	VMOVDQU    TT0, (4*32)(oup); VMOVDQU TT1, (5*32)(oup); VMOVDQU TT2, (6*32)(oup); VMOVDQU TT3, (7*32)(oup)
-	VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0; VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0
-	LEAQ       (8*32)(inp), inp
-	LEAQ       (8*32)(oup), oup
-	SUBQ       $8*32, inl
-	JMP        openAVX2TailLoop
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 512 bytes of ciphertext
-openAVX2Tail512:
-	VMOVDQU ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
-	VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3
-	VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3
-	VMOVDQA ctr3StoreAVX2, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3
-	VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2
-	XORQ    itr1, itr1
-	MOVQ    inp, itr2
-
-openAVX2Tail512LoopB:
-	polyAdd(0(itr2))
-	polyMulAVX2
-	LEAQ (2*8)(itr2), itr2
-
-openAVX2Tail512LoopA:
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	polyAdd(0*8(itr2))
-	polyMulAVX2
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $4, BB3, BB3, BB3
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2; VPALIGNR $12, DD3, DD3, DD3
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	polyAdd(2*8(itr2))
-	polyMulAVX2
-	LEAQ     (4*8)(itr2), itr2
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $12, BB3, BB3, BB3
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2; VPALIGNR $4, DD3, DD3, DD3
-	INCQ     itr1
-	CMPQ     itr1, $4
-	JLT      openAVX2Tail512LoopB
-
-	CMPQ itr1, $10
-	JNE  openAVX2Tail512LoopA
-
-	MOVQ inl, itr1
-	SUBQ $384, itr1
-	ANDQ $-16, itr1
-
-openAVX2Tail512HashLoop:
-	TESTQ itr1, itr1
-	JE    openAVX2Tail512HashEnd
-	polyAdd(0(itr2))
-	polyMulAVX2
-	LEAQ  16(itr2), itr2
-	SUBQ  $16, itr1
-	JMP   openAVX2Tail512HashLoop
-
-openAVX2Tail512HashEnd:
-	VPADDD     ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3
-	VPADDD     state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3
-	VPADDD     state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3
-	VPADDD     ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3
-	VMOVDQA    CC3, tmpStoreAVX2
-	VPERM2I128 $0x02, AA0, BB0, CC3; VPERM2I128 $0x13, AA0, BB0, BB0; VPERM2I128 $0x02, CC0, DD0, AA0; VPERM2I128 $0x13, CC0, DD0, CC0
-	VPXOR      (0*32)(inp), CC3, CC3; VPXOR (1*32)(inp), AA0, AA0; VPXOR (2*32)(inp), BB0, BB0; VPXOR (3*32)(inp), CC0, CC0
-	VMOVDQU    CC3, (0*32)(oup); VMOVDQU AA0, (1*32)(oup); VMOVDQU BB0, (2*32)(oup); VMOVDQU CC0, (3*32)(oup)
-	VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
-	VPXOR      (4*32)(inp), AA0, AA0; VPXOR (5*32)(inp), BB0, BB0; VPXOR (6*32)(inp), CC0, CC0; VPXOR (7*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (4*32)(oup); VMOVDQU BB0, (5*32)(oup); VMOVDQU CC0, (6*32)(oup); VMOVDQU DD0, (7*32)(oup)
-	VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0; VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0
-	VPXOR      (8*32)(inp), AA0, AA0; VPXOR (9*32)(inp), BB0, BB0; VPXOR (10*32)(inp), CC0, CC0; VPXOR (11*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (8*32)(oup); VMOVDQU BB0, (9*32)(oup); VMOVDQU CC0, (10*32)(oup); VMOVDQU DD0, (11*32)(oup)
-	VPERM2I128 $0x02, AA3, BB3, AA0; VPERM2I128 $0x02, tmpStoreAVX2, DD3, BB0; VPERM2I128 $0x13, AA3, BB3, CC0; VPERM2I128 $0x13, tmpStoreAVX2, DD3, DD0
-
-	LEAQ (12*32)(inp), inp
-	LEAQ (12*32)(oup), oup
-	SUBQ $12*32, inl
-
-	JMP openAVX2TailLoop
-
-// ----------------------------------------------------------------------------
-// ----------------------------------------------------------------------------
-// func chacha20Poly1305Seal(dst, key, src, ad []byte)
-TEXT ·chacha20Poly1305Seal(SB), 0, $288-96
-	// For aligned stack access
-	MOVQ SP, BP
-	ADDQ $32, BP
-	ANDQ $-32, BP
-	MOVQ dst+0(FP), oup
-	MOVQ key+24(FP), keyp
-	MOVQ src+48(FP), inp
-	MOVQ src_len+56(FP), inl
-	MOVQ ad+72(FP), adp
-
-	CMPB ·useAVX2(SB), $1
-	JE   chacha20Poly1305Seal_AVX2
-
-	// Special optimization, for very short buffers
-	CMPQ inl, $128
-	JBE  sealSSE128 // About 15% faster
-
-	// In the seal case - prepare the poly key + 3 blocks of stream in the first iteration
-	MOVOU ·chacha20Constants<>(SB), A0
-	MOVOU (1*16)(keyp), B0
-	MOVOU (2*16)(keyp), C0
-	MOVOU (3*16)(keyp), D0
-
-	// Store state on stack for future use
-	MOVO B0, state1Store
-	MOVO C0, state2Store
-
-	// Load state, increment counter blocks
-	MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
-	MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
-	MOVO A2, A3; MOVO B2, B3; MOVO C2, C3; MOVO D2, D3; PADDL ·sseIncMask<>(SB), D3
-
-	// Store counters
-	MOVO D0, ctr0Store; MOVO D1, ctr1Store; MOVO D2, ctr2Store; MOVO D3, ctr3Store
-	MOVQ $10, itr2
-
-sealSSEIntroLoop:
-	MOVO         C3, tmpStore
-	chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
-	MOVO         tmpStore, C3
-	MOVO         C1, tmpStore
-	chachaQR(A3, B3, C3, D3, C1)
-	MOVO         tmpStore, C1
-	shiftB0Left; shiftB1Left; shiftB2Left; shiftB3Left
-	shiftC0Left; shiftC1Left; shiftC2Left; shiftC3Left
-	shiftD0Left; shiftD1Left; shiftD2Left; shiftD3Left
-
-	MOVO          C3, tmpStore
-	chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
-	MOVO          tmpStore, C3
-	MOVO          C1, tmpStore
-	chachaQR(A3, B3, C3, D3, C1)
-	MOVO          tmpStore, C1
-	shiftB0Right; shiftB1Right; shiftB2Right; shiftB3Right
-	shiftC0Right; shiftC1Right; shiftC2Right; shiftC3Right
-	shiftD0Right; shiftD1Right; shiftD2Right; shiftD3Right
-	DECQ          itr2
-	JNE           sealSSEIntroLoop
-
-	// Add in the state
-	PADDD ·chacha20Constants<>(SB), A0; PADDD ·chacha20Constants<>(SB), A1; PADDD ·chacha20Constants<>(SB), A2; PADDD ·chacha20Constants<>(SB), A3
-	PADDD state1Store, B0; PADDD state1Store, B1; PADDD state1Store, B2; PADDD state1Store, B3
-	PADDD state2Store, C1; PADDD state2Store, C2; PADDD state2Store, C3
-	PADDD ctr1Store, D1; PADDD ctr2Store, D2; PADDD ctr3Store, D3
-
-	// Clamp and store the key
-	PAND ·polyClampMask<>(SB), A0
-	MOVO A0, rStore
-	MOVO B0, sStore
-
-	// Hash AAD
-	MOVQ ad_len+80(FP), itr2
-	CALL polyHashADInternal<>(SB)
-
-	MOVOU (0*16)(inp), A0; MOVOU (1*16)(inp), B0; MOVOU (2*16)(inp), C0; MOVOU (3*16)(inp), D0
-	PXOR  A0, A1; PXOR B0, B1; PXOR C0, C1; PXOR D0, D1
-	MOVOU A1, (0*16)(oup); MOVOU B1, (1*16)(oup); MOVOU C1, (2*16)(oup); MOVOU D1, (3*16)(oup)
-	MOVOU (4*16)(inp), A0; MOVOU (5*16)(inp), B0; MOVOU (6*16)(inp), C0; MOVOU (7*16)(inp), D0
-	PXOR  A0, A2; PXOR B0, B2; PXOR C0, C2; PXOR D0, D2
-	MOVOU A2, (4*16)(oup); MOVOU B2, (5*16)(oup); MOVOU C2, (6*16)(oup); MOVOU D2, (7*16)(oup)
-
-	MOVQ $128, itr1
-	SUBQ $128, inl
-	LEAQ 128(inp), inp
-
-	MOVO A3, A1; MOVO B3, B1; MOVO C3, C1; MOVO D3, D1
-
-	CMPQ inl, $64
-	JBE  sealSSE128SealHash
-
-	MOVOU (0*16)(inp), A0; MOVOU (1*16)(inp), B0; MOVOU (2*16)(inp), C0; MOVOU (3*16)(inp), D0
-	PXOR  A0, A3; PXOR B0, B3; PXOR C0, C3; PXOR D0, D3
-	MOVOU A3, (8*16)(oup); MOVOU B3, (9*16)(oup); MOVOU C3, (10*16)(oup); MOVOU D3, (11*16)(oup)
-
-	ADDQ $64, itr1
-	SUBQ $64, inl
-	LEAQ 64(inp), inp
-
-	MOVQ $2, itr1
-	MOVQ $8, itr2
-
-	CMPQ inl, $64
-	JBE  sealSSETail64
-	CMPQ inl, $128
-	JBE  sealSSETail128
-	CMPQ inl, $192
-	JBE  sealSSETail192
-
-sealSSEMainLoop:
-	// Load state, increment counter blocks
-	MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0
-	MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
-	MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
-	MOVO A2, A3; MOVO B2, B3; MOVO C2, C3; MOVO D2, D3; PADDL ·sseIncMask<>(SB), D3
-
-	// Store counters
-	MOVO D0, ctr0Store; MOVO D1, ctr1Store; MOVO D2, ctr2Store; MOVO D3, ctr3Store
-
-sealSSEInnerLoop:
-	MOVO          C3, tmpStore
-	chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
-	MOVO          tmpStore, C3
-	MOVO          C1, tmpStore
-	chachaQR(A3, B3, C3, D3, C1)
-	MOVO          tmpStore, C1
-	polyAdd(0(oup))
-	shiftB0Left;  shiftB1Left; shiftB2Left; shiftB3Left
-	shiftC0Left;  shiftC1Left; shiftC2Left; shiftC3Left
-	shiftD0Left;  shiftD1Left; shiftD2Left; shiftD3Left
-	polyMulStage1
-	polyMulStage2
-	LEAQ          (2*8)(oup), oup
-	MOVO          C3, tmpStore
-	chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
-	MOVO          tmpStore, C3
-	MOVO          C1, tmpStore
-	polyMulStage3
-	chachaQR(A3, B3, C3, D3, C1)
-	MOVO          tmpStore, C1
-	polyMulReduceStage
-	shiftB0Right; shiftB1Right; shiftB2Right; shiftB3Right
-	shiftC0Right; shiftC1Right; shiftC2Right; shiftC3Right
-	shiftD0Right; shiftD1Right; shiftD2Right; shiftD3Right
-	DECQ          itr2
-	JGE           sealSSEInnerLoop
-	polyAdd(0(oup))
-	polyMul
-	LEAQ          (2*8)(oup), oup
-	DECQ          itr1
-	JG            sealSSEInnerLoop
-
-	// Add in the state
-	PADDD ·chacha20Constants<>(SB), A0; PADDD ·chacha20Constants<>(SB), A1; PADDD ·chacha20Constants<>(SB), A2; PADDD ·chacha20Constants<>(SB), A3
-	PADDD state1Store, B0; PADDD state1Store, B1; PADDD state1Store, B2; PADDD state1Store, B3
-	PADDD state2Store, C0; PADDD state2Store, C1; PADDD state2Store, C2; PADDD state2Store, C3
-	PADDD ctr0Store, D0; PADDD ctr1Store, D1; PADDD ctr2Store, D2; PADDD ctr3Store, D3
-	MOVO  D3, tmpStore
-
-	// Load - xor - store
-	MOVOU (0*16)(inp), D3; PXOR D3, A0
-	MOVOU (1*16)(inp), D3; PXOR D3, B0
-	MOVOU (2*16)(inp), D3; PXOR D3, C0
-	MOVOU (3*16)(inp), D3; PXOR D3, D0
-	MOVOU A0, (0*16)(oup)
-	MOVOU B0, (1*16)(oup)
-	MOVOU C0, (2*16)(oup)
-	MOVOU D0, (3*16)(oup)
-	MOVO  tmpStore, D3
-
-	MOVOU (4*16)(inp), A0; MOVOU (5*16)(inp), B0; MOVOU (6*16)(inp), C0; MOVOU (7*16)(inp), D0
-	PXOR  A0, A1; PXOR B0, B1; PXOR C0, C1; PXOR D0, D1
-	MOVOU A1, (4*16)(oup); MOVOU B1, (5*16)(oup); MOVOU C1, (6*16)(oup); MOVOU D1, (7*16)(oup)
-	MOVOU (8*16)(inp), A0; MOVOU (9*16)(inp), B0; MOVOU (10*16)(inp), C0; MOVOU (11*16)(inp), D0
-	PXOR  A0, A2; PXOR B0, B2; PXOR C0, C2; PXOR D0, D2
-	MOVOU A2, (8*16)(oup); MOVOU B2, (9*16)(oup); MOVOU C2, (10*16)(oup); MOVOU D2, (11*16)(oup)
-	ADDQ  $192, inp
-	MOVQ  $192, itr1
-	SUBQ  $192, inl
-	MOVO  A3, A1
-	MOVO  B3, B1
-	MOVO  C3, C1
-	MOVO  D3, D1
-	CMPQ  inl, $64
-	JBE   sealSSE128SealHash
-	MOVOU (0*16)(inp), A0; MOVOU (1*16)(inp), B0; MOVOU (2*16)(inp), C0; MOVOU (3*16)(inp), D0
-	PXOR  A0, A3; PXOR B0, B3; PXOR C0, C3; PXOR D0, D3
-	MOVOU A3, (12*16)(oup); MOVOU B3, (13*16)(oup); MOVOU C3, (14*16)(oup); MOVOU D3, (15*16)(oup)
-	LEAQ  64(inp), inp
-	SUBQ  $64, inl
-	MOVQ  $6, itr1
-	MOVQ  $4, itr2
-	CMPQ  inl, $192
-	JG    sealSSEMainLoop
-
-	MOVQ  inl, itr1
-	TESTQ inl, inl
-	JE    sealSSE128SealHash
-	MOVQ  $6, itr1
-	CMPQ  inl, $64
-	JBE   sealSSETail64
-	CMPQ  inl, $128
-	JBE   sealSSETail128
-	JMP   sealSSETail192
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 64 bytes of plaintext
-sealSSETail64:
-	// Need to encrypt up to 64 bytes - prepare single block, hash 192 or 256 bytes
-	MOVO  ·chacha20Constants<>(SB), A1
-	MOVO  state1Store, B1
-	MOVO  state2Store, C1
-	MOVO  ctr3Store, D1
-	PADDL ·sseIncMask<>(SB), D1
-	MOVO  D1, ctr0Store
-
-sealSSETail64LoopA:
-	// Perform ChaCha rounds, while hashing the previously encrypted ciphertext
-	polyAdd(0(oup))
-	polyMul
-	LEAQ 16(oup), oup
-
-sealSSETail64LoopB:
-	chachaQR(A1, B1, C1, D1, T1)
-	shiftB1Left;  shiftC1Left; shiftD1Left
-	chachaQR(A1, B1, C1, D1, T1)
-	shiftB1Right; shiftC1Right; shiftD1Right
-	polyAdd(0(oup))
-	polyMul
-	LEAQ          16(oup), oup
-
-	DECQ itr1
-	JG   sealSSETail64LoopA
-
-	DECQ  itr2
-	JGE   sealSSETail64LoopB
-	PADDL ·chacha20Constants<>(SB), A1
-	PADDL state1Store, B1
-	PADDL state2Store, C1
-	PADDL ctr0Store, D1
-
-	JMP sealSSE128Seal
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 128 bytes of plaintext
-sealSSETail128:
-	// Need to encrypt up to 128 bytes - prepare two blocks, hash 192 or 256 bytes
-	MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0, ctr0Store
-	MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1; MOVO D1, ctr1Store
-
-sealSSETail128LoopA:
-	// Perform ChaCha rounds, while hashing the previously encrypted ciphertext
-	polyAdd(0(oup))
-	polyMul
-	LEAQ 16(oup), oup
-
-sealSSETail128LoopB:
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0)
-	shiftB0Left;  shiftC0Left; shiftD0Left
-	shiftB1Left;  shiftC1Left; shiftD1Left
-	polyAdd(0(oup))
-	polyMul
-	LEAQ          16(oup), oup
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0)
-	shiftB0Right; shiftC0Right; shiftD0Right
-	shiftB1Right; shiftC1Right; shiftD1Right
-
-	DECQ itr1
-	JG   sealSSETail128LoopA
-
-	DECQ itr2
-	JGE  sealSSETail128LoopB
-
-	PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1
-	PADDL state1Store, B0; PADDL state1Store, B1
-	PADDL state2Store, C0; PADDL state2Store, C1
-	PADDL ctr0Store, D0; PADDL ctr1Store, D1
-
-	MOVOU (0*16)(inp), T0; MOVOU (1*16)(inp), T1; MOVOU (2*16)(inp), T2; MOVOU (3*16)(inp), T3
-	PXOR  T0, A0; PXOR T1, B0; PXOR T2, C0; PXOR T3, D0
-	MOVOU A0, (0*16)(oup); MOVOU B0, (1*16)(oup); MOVOU C0, (2*16)(oup); MOVOU D0, (3*16)(oup)
-
-	MOVQ $64, itr1
-	LEAQ 64(inp), inp
-	SUBQ $64, inl
-
-	JMP sealSSE128SealHash
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 192 bytes of plaintext
-sealSSETail192:
-	// Need to encrypt up to 192 bytes - prepare three blocks, hash 192 or 256 bytes
-	MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0, ctr0Store
-	MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1; MOVO D1, ctr1Store
-	MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2; MOVO D2, ctr2Store
-
-sealSSETail192LoopA:
-	// Perform ChaCha rounds, while hashing the previously encrypted ciphertext
-	polyAdd(0(oup))
-	polyMul
-	LEAQ 16(oup), oup
-
-sealSSETail192LoopB:
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
-	shiftB0Left; shiftC0Left; shiftD0Left
-	shiftB1Left; shiftC1Left; shiftD1Left
-	shiftB2Left; shiftC2Left; shiftD2Left
-
-	polyAdd(0(oup))
-	polyMul
-	LEAQ 16(oup), oup
-
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
-	shiftB0Right; shiftC0Right; shiftD0Right
-	shiftB1Right; shiftC1Right; shiftD1Right
-	shiftB2Right; shiftC2Right; shiftD2Right
-
-	DECQ itr1
-	JG   sealSSETail192LoopA
-
-	DECQ itr2
-	JGE  sealSSETail192LoopB
-
-	PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1; PADDL ·chacha20Constants<>(SB), A2
-	PADDL state1Store, B0; PADDL state1Store, B1; PADDL state1Store, B2
-	PADDL state2Store, C0; PADDL state2Store, C1; PADDL state2Store, C2
-	PADDL ctr0Store, D0; PADDL ctr1Store, D1; PADDL ctr2Store, D2
-
-	MOVOU (0*16)(inp), T0; MOVOU (1*16)(inp), T1; MOVOU (2*16)(inp), T2; MOVOU (3*16)(inp), T3
-	PXOR  T0, A0; PXOR T1, B0; PXOR T2, C0; PXOR T3, D0
-	MOVOU A0, (0*16)(oup); MOVOU B0, (1*16)(oup); MOVOU C0, (2*16)(oup); MOVOU D0, (3*16)(oup)
-	MOVOU (4*16)(inp), T0; MOVOU (5*16)(inp), T1; MOVOU (6*16)(inp), T2; MOVOU (7*16)(inp), T3
-	PXOR  T0, A1; PXOR T1, B1; PXOR T2, C1; PXOR T3, D1
-	MOVOU A1, (4*16)(oup); MOVOU B1, (5*16)(oup); MOVOU C1, (6*16)(oup); MOVOU D1, (7*16)(oup)
-
-	MOVO A2, A1
-	MOVO B2, B1
-	MOVO C2, C1
-	MOVO D2, D1
-	MOVQ $128, itr1
-	LEAQ 128(inp), inp
-	SUBQ $128, inl
-
-	JMP sealSSE128SealHash
-
-// ----------------------------------------------------------------------------
-// Special seal optimization for buffers smaller than 129 bytes
-sealSSE128:
-	// For up to 128 bytes of ciphertext and 64 bytes for the poly key, we require to process three blocks
-	MOVOU ·chacha20Constants<>(SB), A0; MOVOU (1*16)(keyp), B0; MOVOU (2*16)(keyp), C0; MOVOU (3*16)(keyp), D0
-	MOVO  A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
-	MOVO  A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
-	MOVO  B0, T1; MOVO C0, T2; MOVO D1, T3
-	MOVQ  $10, itr2
-
-sealSSE128InnerCipherLoop:
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
-	shiftB0Left;  shiftB1Left; shiftB2Left
-	shiftC0Left;  shiftC1Left; shiftC2Left
-	shiftD0Left;  shiftD1Left; shiftD2Left
-	chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
-	shiftB0Right; shiftB1Right; shiftB2Right
-	shiftC0Right; shiftC1Right; shiftC2Right
-	shiftD0Right; shiftD1Right; shiftD2Right
-	DECQ          itr2
-	JNE           sealSSE128InnerCipherLoop
-
-	// A0|B0 hold the Poly1305 32-byte key, C0,D0 can be discarded
-	PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1; PADDL ·chacha20Constants<>(SB), A2
-	PADDL T1, B0; PADDL T1, B1; PADDL T1, B2
-	PADDL T2, C1; PADDL T2, C2
-	PADDL T3, D1; PADDL ·sseIncMask<>(SB), T3; PADDL T3, D2
-	PAND  ·polyClampMask<>(SB), A0
-	MOVOU A0, rStore
-	MOVOU B0, sStore
-
-	// Hash
-	MOVQ ad_len+80(FP), itr2
-	CALL polyHashADInternal<>(SB)
-	XORQ itr1, itr1
-
-sealSSE128SealHash:
-	// itr1 holds the number of bytes encrypted but not yet hashed
-	CMPQ itr1, $16
-	JB   sealSSE128Seal
-	polyAdd(0(oup))
-	polyMul
-
-	SUBQ $16, itr1
-	ADDQ $16, oup
-
-	JMP sealSSE128SealHash
-
-sealSSE128Seal:
-	CMPQ inl, $16
-	JB   sealSSETail
-	SUBQ $16, inl
-
-	// Load for decryption
-	MOVOU (inp), T0
-	PXOR  T0, A1
-	MOVOU A1, (oup)
-	LEAQ  (1*16)(inp), inp
-	LEAQ  (1*16)(oup), oup
-
-	// Extract for hashing
-	MOVQ   A1, t0
-	PSRLDQ $8, A1
-	MOVQ A1, t1
-	ADDQ   t0, acc0; ADCQ t1, acc1; ADCQ $1, acc2
-	polyMul
-
-	// Shift the stream "left"
-	MOVO B1, A1
-	MOVO C1, B1
-	MOVO D1, C1
-	MOVO A2, D1
-	MOVO B2, A2
-	MOVO C2, B2
-	MOVO D2, C2
-	JMP  sealSSE128Seal
-
-sealSSETail:
-	TESTQ inl, inl
-	JE    sealSSEFinalize
-
-	// We can only load the PT one byte at a time to avoid read after end of buffer
-	MOVQ inl, itr2
-	SHLQ $4, itr2
-	LEAQ ·andMask<>(SB), t0
-	MOVQ inl, itr1
-	LEAQ -1(inp)(inl*1), inp
-	XORQ t2, t2
-	XORQ t3, t3
-	XORQ AX, AX
-
-sealSSETailLoadLoop:
-	SHLQ $8, t2, t3
-	SHLQ $8, t2
-	MOVB (inp), AX
-	XORQ AX, t2
-	LEAQ   -1(inp), inp
-	DECQ   itr1
-	JNE    sealSSETailLoadLoop
-	MOVQ t2, 0+tmpStore
-	MOVQ t3, 8+tmpStore
-	PXOR 0+tmpStore, A1
-	MOVOU  A1, (oup)
-	MOVOU  -16(t0)(itr2*1), T0
-	PAND   T0, A1
-	MOVQ   A1, t0
-	PSRLDQ $8, A1
-	MOVQ   A1, t1
-	ADDQ   t0, acc0; ADCQ t1, acc1; ADCQ $1, acc2
-	polyMul
-
-	ADDQ inl, oup
-
-sealSSEFinalize:
-	// Hash in the buffer lengths
-	ADDQ ad_len+80(FP), acc0
-	ADCQ src_len+56(FP), acc1
-	ADCQ $1, acc2
-	polyMul
-
-	// Final reduce
-	MOVQ    acc0, t0
-	MOVQ    acc1, t1
-	MOVQ    acc2, t2
-	SUBQ    $-5, acc0
-	SBBQ    $-1, acc1
-	SBBQ    $3, acc2
-	CMOVQCS t0, acc0
-	CMOVQCS t1, acc1
-	CMOVQCS t2, acc2
-
-	// Add in the "s" part of the key
-	ADDQ 0+sStore, acc0
-	ADCQ 8+sStore, acc1
-
-	// Finally store the tag at the end of the message
-	MOVQ acc0, (0*8)(oup)
-	MOVQ acc1, (1*8)(oup)
-	RET
-
-// ----------------------------------------------------------------------------
-// ------------------------- AVX2 Code ----------------------------------------
-chacha20Poly1305Seal_AVX2:
-	VZEROUPPER
-	VMOVDQU ·chacha20Constants<>(SB), AA0
-	BYTE    $0xc4; BYTE $0x42; BYTE $0x7d; BYTE $0x5a; BYTE $0x70; BYTE $0x10 // broadcasti128 16(r8), ymm14
-	BYTE    $0xc4; BYTE $0x42; BYTE $0x7d; BYTE $0x5a; BYTE $0x60; BYTE $0x20 // broadcasti128 32(r8), ymm12
-	BYTE    $0xc4; BYTE $0xc2; BYTE $0x7d; BYTE $0x5a; BYTE $0x60; BYTE $0x30 // broadcasti128 48(r8), ymm4
-	VPADDD  ·avx2InitMask<>(SB), DD0, DD0
-
-	// Special optimizations, for very short buffers
-	CMPQ inl, $192
-	JBE  seal192AVX2 // 33% faster
-	CMPQ inl, $320
-	JBE  seal320AVX2 // 17% faster
-
-	// For the general key prepare the key first - as a byproduct we have 64 bytes of cipher stream
-	VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
-	VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3; VMOVDQA BB0, state1StoreAVX2
-	VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3; VMOVDQA CC0, state2StoreAVX2
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD1; VMOVDQA DD0, ctr0StoreAVX2
-	VPADDD  ·avx2IncMask<>(SB), DD1, DD2; VMOVDQA DD1, ctr1StoreAVX2
-	VPADDD  ·avx2IncMask<>(SB), DD2, DD3; VMOVDQA DD2, ctr2StoreAVX2
-	VMOVDQA DD3, ctr3StoreAVX2
-	MOVQ    $10, itr2
-
-sealAVX2IntroLoop:
-	VMOVDQA CC3, tmpStoreAVX2
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, CC3); chachaQR_AVX2(AA1, BB1, CC1, DD1, CC3); chachaQR_AVX2(AA2, BB2, CC2, DD2, CC3)
-	VMOVDQA tmpStoreAVX2, CC3
-	VMOVDQA CC1, tmpStoreAVX2
-	chachaQR_AVX2(AA3, BB3, CC3, DD3, CC1)
-	VMOVDQA tmpStoreAVX2, CC1
-
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $12, DD0, DD0, DD0
-	VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $12, DD1, DD1, DD1
-	VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $12, DD2, DD2, DD2
-	VPALIGNR $4, BB3, BB3, BB3; VPALIGNR $8, CC3, CC3, CC3; VPALIGNR $12, DD3, DD3, DD3
-
-	VMOVDQA CC3, tmpStoreAVX2
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, CC3); chachaQR_AVX2(AA1, BB1, CC1, DD1, CC3); chachaQR_AVX2(AA2, BB2, CC2, DD2, CC3)
-	VMOVDQA tmpStoreAVX2, CC3
-	VMOVDQA CC1, tmpStoreAVX2
-	chachaQR_AVX2(AA3, BB3, CC3, DD3, CC1)
-	VMOVDQA tmpStoreAVX2, CC1
-
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $4, DD0, DD0, DD0
-	VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $4, DD1, DD1, DD1
-	VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $4, DD2, DD2, DD2
-	VPALIGNR $12, BB3, BB3, BB3; VPALIGNR $8, CC3, CC3, CC3; VPALIGNR $4, DD3, DD3, DD3
-	DECQ     itr2
-	JNE      sealAVX2IntroLoop
-
-	VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3
-	VPADDD state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3
-	VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3
-	VPADDD ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3
-
-	VPERM2I128 $0x13, CC0, DD0, CC0 // Stream bytes 96 - 127
-	VPERM2I128 $0x02, AA0, BB0, DD0 // The Poly1305 key
-	VPERM2I128 $0x13, AA0, BB0, AA0 // Stream bytes 64 - 95
-
-	// Clamp and store poly key
-	VPAND   ·polyClampMask<>(SB), DD0, DD0
-	VMOVDQA DD0, rsStoreAVX2
-
-	// Hash AD
-	MOVQ ad_len+80(FP), itr2
-	CALL polyHashADInternal<>(SB)
-
-	// Can store at least 320 bytes
-	VPXOR   (0*32)(inp), AA0, AA0
-	VPXOR   (1*32)(inp), CC0, CC0
-	VMOVDQU AA0, (0*32)(oup)
-	VMOVDQU CC0, (1*32)(oup)
-
-	VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
-	VPXOR      (2*32)(inp), AA0, AA0; VPXOR (3*32)(inp), BB0, BB0; VPXOR (4*32)(inp), CC0, CC0; VPXOR (5*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (2*32)(oup); VMOVDQU BB0, (3*32)(oup); VMOVDQU CC0, (4*32)(oup); VMOVDQU DD0, (5*32)(oup)
-	VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0; VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0
-	VPXOR      (6*32)(inp), AA0, AA0; VPXOR (7*32)(inp), BB0, BB0; VPXOR (8*32)(inp), CC0, CC0; VPXOR (9*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (6*32)(oup); VMOVDQU BB0, (7*32)(oup); VMOVDQU CC0, (8*32)(oup); VMOVDQU DD0, (9*32)(oup)
-
-	MOVQ $320, itr1
-	SUBQ $320, inl
-	LEAQ 320(inp), inp
-
-	VPERM2I128 $0x02, AA3, BB3, AA0; VPERM2I128 $0x02, CC3, DD3, BB0; VPERM2I128 $0x13, AA3, BB3, CC0; VPERM2I128 $0x13, CC3, DD3, DD0
-	CMPQ       inl, $128
-	JBE        sealAVX2SealHash
-
-	VPXOR   (0*32)(inp), AA0, AA0; VPXOR (1*32)(inp), BB0, BB0; VPXOR (2*32)(inp), CC0, CC0; VPXOR (3*32)(inp), DD0, DD0
-	VMOVDQU AA0, (10*32)(oup); VMOVDQU BB0, (11*32)(oup); VMOVDQU CC0, (12*32)(oup); VMOVDQU DD0, (13*32)(oup)
-	SUBQ    $128, inl
-	LEAQ    128(inp), inp
-
-	MOVQ $8, itr1
-	MOVQ $2, itr2
-
-	CMPQ inl, $128
-	JBE  sealAVX2Tail128
-	CMPQ inl, $256
-	JBE  sealAVX2Tail256
-	CMPQ inl, $384
-	JBE  sealAVX2Tail384
-	CMPQ inl, $512
-	JBE  sealAVX2Tail512
-
-	// We have 448 bytes to hash, but main loop hashes 512 bytes at a time - perform some rounds, before the main loop
-	VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
-	VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3
-	VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3
-	VMOVDQA ctr3StoreAVX2, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3
-	VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2
-
-	VMOVDQA CC3, tmpStoreAVX2
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, CC3); chachaQR_AVX2(AA1, BB1, CC1, DD1, CC3); chachaQR_AVX2(AA2, BB2, CC2, DD2, CC3)
-	VMOVDQA tmpStoreAVX2, CC3
-	VMOVDQA CC1, tmpStoreAVX2
-	chachaQR_AVX2(AA3, BB3, CC3, DD3, CC1)
-	VMOVDQA tmpStoreAVX2, CC1
-
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $12, DD0, DD0, DD0
-	VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $12, DD1, DD1, DD1
-	VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $12, DD2, DD2, DD2
-	VPALIGNR $4, BB3, BB3, BB3; VPALIGNR $8, CC3, CC3, CC3; VPALIGNR $12, DD3, DD3, DD3
-
-	VMOVDQA CC3, tmpStoreAVX2
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, CC3); chachaQR_AVX2(AA1, BB1, CC1, DD1, CC3); chachaQR_AVX2(AA2, BB2, CC2, DD2, CC3)
-	VMOVDQA tmpStoreAVX2, CC3
-	VMOVDQA CC1, tmpStoreAVX2
-	chachaQR_AVX2(AA3, BB3, CC3, DD3, CC1)
-	VMOVDQA tmpStoreAVX2, CC1
-
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $4, DD0, DD0, DD0
-	VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $4, DD1, DD1, DD1
-	VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $4, DD2, DD2, DD2
-	VPALIGNR $12, BB3, BB3, BB3; VPALIGNR $8, CC3, CC3, CC3; VPALIGNR $4, DD3, DD3, DD3
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-
-	SUBQ $16, oup                  // Adjust the pointer
-	MOVQ $9, itr1
-	JMP  sealAVX2InternalLoopStart
-
-sealAVX2MainLoop:
-	// Load state, increment counter blocks, store the incremented counters
-	VMOVDQU ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
-	VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3
-	VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3
-	VMOVDQA ctr3StoreAVX2, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3
-	VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2
-	MOVQ    $10, itr1
-
-sealAVX2InternalLoop:
-	polyAdd(0*8(oup))
-	VPADDD  BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	polyMulStage1_AVX2
-	VPXOR   AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
-	polyMulStage2_AVX2
-	VPADDD  DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR   CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	polyMulStage3_AVX2
-	VMOVDQA CC3, tmpStoreAVX2
-	VPSLLD  $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD  $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD  $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD  $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA tmpStoreAVX2, CC3
-	polyMulReduceStage
-
-sealAVX2InternalLoopStart:
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
-	polyAdd(2*8(oup))
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	polyMulStage1_AVX2
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	polyMulStage2_AVX2
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $4, BB3, BB3, BB3
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2; VPALIGNR $12, DD3, DD3, DD3
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	polyMulStage3_AVX2
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
-	polyMulReduceStage
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	polyAdd(4*8(oup))
-	LEAQ     (6*8)(oup), oup
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	polyMulStage1_AVX2
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	polyMulStage2_AVX2
-	VPSHUFB  ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	polyMulStage3_AVX2
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	polyMulReduceStage
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $12, BB3, BB3, BB3
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2; VPALIGNR $4, DD3, DD3, DD3
-	DECQ     itr1
-	JNE      sealAVX2InternalLoop
-
-	VPADDD  ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3
-	VPADDD  state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3
-	VPADDD  state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3
-	VPADDD  ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3
-	VMOVDQA CC3, tmpStoreAVX2
-
-	// We only hashed 480 of the 512 bytes available - hash the remaining 32 here
-	polyAdd(0*8(oup))
-	polyMulAVX2
-	LEAQ       (4*8)(oup), oup
-	VPERM2I128 $0x02, AA0, BB0, CC3; VPERM2I128 $0x13, AA0, BB0, BB0; VPERM2I128 $0x02, CC0, DD0, AA0; VPERM2I128 $0x13, CC0, DD0, CC0
-	VPXOR      (0*32)(inp), CC3, CC3; VPXOR (1*32)(inp), AA0, AA0; VPXOR (2*32)(inp), BB0, BB0; VPXOR (3*32)(inp), CC0, CC0
-	VMOVDQU    CC3, (0*32)(oup); VMOVDQU AA0, (1*32)(oup); VMOVDQU BB0, (2*32)(oup); VMOVDQU CC0, (3*32)(oup)
-	VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
-	VPXOR      (4*32)(inp), AA0, AA0; VPXOR (5*32)(inp), BB0, BB0; VPXOR (6*32)(inp), CC0, CC0; VPXOR (7*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (4*32)(oup); VMOVDQU BB0, (5*32)(oup); VMOVDQU CC0, (6*32)(oup); VMOVDQU DD0, (7*32)(oup)
-
-	// and here
-	polyAdd(-2*8(oup))
-	polyMulAVX2
-	VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0; VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0
-	VPXOR      (8*32)(inp), AA0, AA0; VPXOR (9*32)(inp), BB0, BB0; VPXOR (10*32)(inp), CC0, CC0; VPXOR (11*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (8*32)(oup); VMOVDQU BB0, (9*32)(oup); VMOVDQU CC0, (10*32)(oup); VMOVDQU DD0, (11*32)(oup)
-	VPERM2I128 $0x02, AA3, BB3, AA0; VPERM2I128 $0x02, tmpStoreAVX2, DD3, BB0; VPERM2I128 $0x13, AA3, BB3, CC0; VPERM2I128 $0x13, tmpStoreAVX2, DD3, DD0
-	VPXOR      (12*32)(inp), AA0, AA0; VPXOR (13*32)(inp), BB0, BB0; VPXOR (14*32)(inp), CC0, CC0; VPXOR (15*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (12*32)(oup); VMOVDQU BB0, (13*32)(oup); VMOVDQU CC0, (14*32)(oup); VMOVDQU DD0, (15*32)(oup)
-	LEAQ       (32*16)(inp), inp
-	SUBQ       $(32*16), inl
-	CMPQ       inl, $512
-	JG         sealAVX2MainLoop
-
-	// Tail can only hash 480 bytes
-	polyAdd(0*8(oup))
-	polyMulAVX2
-	polyAdd(2*8(oup))
-	polyMulAVX2
-	LEAQ 32(oup), oup
-
-	MOVQ $10, itr1
-	MOVQ $0, itr2
-	CMPQ inl, $128
-	JBE  sealAVX2Tail128
-	CMPQ inl, $256
-	JBE  sealAVX2Tail256
-	CMPQ inl, $384
-	JBE  sealAVX2Tail384
-	JMP  sealAVX2Tail512
-
-// ----------------------------------------------------------------------------
-// Special optimization for buffers smaller than 193 bytes
-seal192AVX2:
-	// For up to 192 bytes of ciphertext and 64 bytes for the poly key, we process four blocks
-	VMOVDQA AA0, AA1
-	VMOVDQA BB0, BB1
-	VMOVDQA CC0, CC1
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD1
-	VMOVDQA AA0, AA2
-	VMOVDQA BB0, BB2
-	VMOVDQA CC0, CC2
-	VMOVDQA DD0, DD2
-	VMOVDQA DD1, TT3
-	MOVQ    $10, itr2
-
-sealAVX2192InnerCipherLoop:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	VPALIGNR   $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1
-	VPALIGNR   $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR   $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	VPALIGNR   $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1
-	VPALIGNR   $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR   $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1
-	DECQ       itr2
-	JNE        sealAVX2192InnerCipherLoop
-	VPADDD     AA2, AA0, AA0; VPADDD AA2, AA1, AA1
-	VPADDD     BB2, BB0, BB0; VPADDD BB2, BB1, BB1
-	VPADDD     CC2, CC0, CC0; VPADDD CC2, CC1, CC1
-	VPADDD     DD2, DD0, DD0; VPADDD TT3, DD1, DD1
-	VPERM2I128 $0x02, AA0, BB0, TT0
-
-	// Clamp and store poly key
-	VPAND   ·polyClampMask<>(SB), TT0, TT0
-	VMOVDQA TT0, rsStoreAVX2
-
-	// Stream for up to 192 bytes
-	VPERM2I128 $0x13, AA0, BB0, AA0
-	VPERM2I128 $0x13, CC0, DD0, BB0
-	VPERM2I128 $0x02, AA1, BB1, CC0
-	VPERM2I128 $0x02, CC1, DD1, DD0
-	VPERM2I128 $0x13, AA1, BB1, AA1
-	VPERM2I128 $0x13, CC1, DD1, BB1
-
-sealAVX2ShortSeal:
-	// Hash aad
-	MOVQ ad_len+80(FP), itr2
-	CALL polyHashADInternal<>(SB)
-	XORQ itr1, itr1
-
-sealAVX2SealHash:
-	// itr1 holds the number of bytes encrypted but not yet hashed
-	CMPQ itr1, $16
-	JB   sealAVX2ShortSealLoop
-	polyAdd(0(oup))
-	polyMul
-	SUBQ $16, itr1
-	ADDQ $16, oup
-	JMP  sealAVX2SealHash
-
-sealAVX2ShortSealLoop:
-	CMPQ inl, $32
-	JB   sealAVX2ShortTail32
-	SUBQ $32, inl
-
-	// Load for encryption
-	VPXOR   (inp), AA0, AA0
-	VMOVDQU AA0, (oup)
-	LEAQ    (1*32)(inp), inp
-
-	// Now can hash
-	polyAdd(0*8(oup))
-	polyMulAVX2
-	polyAdd(2*8(oup))
-	polyMulAVX2
-	LEAQ (1*32)(oup), oup
-
-	// Shift stream left
-	VMOVDQA BB0, AA0
-	VMOVDQA CC0, BB0
-	VMOVDQA DD0, CC0
-	VMOVDQA AA1, DD0
-	VMOVDQA BB1, AA1
-	VMOVDQA CC1, BB1
-	VMOVDQA DD1, CC1
-	VMOVDQA AA2, DD1
-	VMOVDQA BB2, AA2
-	JMP     sealAVX2ShortSealLoop
-
-sealAVX2ShortTail32:
-	CMPQ    inl, $16
-	VMOVDQA A0, A1
-	JB      sealAVX2ShortDone
-
-	SUBQ $16, inl
-
-	// Load for encryption
-	VPXOR   (inp), A0, T0
-	VMOVDQU T0, (oup)
-	LEAQ    (1*16)(inp), inp
-
-	// Hash
-	polyAdd(0*8(oup))
-	polyMulAVX2
-	LEAQ       (1*16)(oup), oup
-	VPERM2I128 $0x11, AA0, AA0, AA0
-	VMOVDQA    A0, A1
-
-sealAVX2ShortDone:
-	VZEROUPPER
-	JMP sealSSETail
-
-// ----------------------------------------------------------------------------
-// Special optimization for buffers smaller than 321 bytes
-seal320AVX2:
-	// For up to 320 bytes of ciphertext and 64 bytes for the poly key, we process six blocks
-	VMOVDQA AA0, AA1; VMOVDQA BB0, BB1; VMOVDQA CC0, CC1; VPADDD ·avx2IncMask<>(SB), DD0, DD1
-	VMOVDQA AA0, AA2; VMOVDQA BB0, BB2; VMOVDQA CC0, CC2; VPADDD ·avx2IncMask<>(SB), DD1, DD2
-	VMOVDQA BB0, TT1; VMOVDQA CC0, TT2; VMOVDQA DD0, TT3
-	MOVQ    $10, itr2
-
-sealAVX2320InnerCipherLoop:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2
-	DECQ     itr2
-	JNE      sealAVX2320InnerCipherLoop
-
-	VMOVDQA ·chacha20Constants<>(SB), TT0
-	VPADDD  TT0, AA0, AA0; VPADDD TT0, AA1, AA1; VPADDD TT0, AA2, AA2
-	VPADDD  TT1, BB0, BB0; VPADDD TT1, BB1, BB1; VPADDD TT1, BB2, BB2
-	VPADDD  TT2, CC0, CC0; VPADDD TT2, CC1, CC1; VPADDD TT2, CC2, CC2
-	VMOVDQA ·avx2IncMask<>(SB), TT0
-	VPADDD  TT3, DD0, DD0; VPADDD TT0, TT3, TT3
-	VPADDD  TT3, DD1, DD1; VPADDD TT0, TT3, TT3
-	VPADDD  TT3, DD2, DD2
-
-	// Clamp and store poly key
-	VPERM2I128 $0x02, AA0, BB0, TT0
-	VPAND      ·polyClampMask<>(SB), TT0, TT0
-	VMOVDQA    TT0, rsStoreAVX2
-
-	// Stream for up to 320 bytes
-	VPERM2I128 $0x13, AA0, BB0, AA0
-	VPERM2I128 $0x13, CC0, DD0, BB0
-	VPERM2I128 $0x02, AA1, BB1, CC0
-	VPERM2I128 $0x02, CC1, DD1, DD0
-	VPERM2I128 $0x13, AA1, BB1, AA1
-	VPERM2I128 $0x13, CC1, DD1, BB1
-	VPERM2I128 $0x02, AA2, BB2, CC1
-	VPERM2I128 $0x02, CC2, DD2, DD1
-	VPERM2I128 $0x13, AA2, BB2, AA2
-	VPERM2I128 $0x13, CC2, DD2, BB2
-	JMP        sealAVX2ShortSeal
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 128 bytes of ciphertext
-sealAVX2Tail128:
-	// Need to decrypt up to 128 bytes - prepare two blocks
-	// If we got here after the main loop - there are 512 encrypted bytes waiting to be hashed
-	// If we got here before the main loop - there are 448 encrpyred bytes waiting to be hashed
-	VMOVDQA ·chacha20Constants<>(SB), AA0
-	VMOVDQA state1StoreAVX2, BB0
-	VMOVDQA state2StoreAVX2, CC0
-	VMOVDQA ctr3StoreAVX2, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD0
-	VMOVDQA DD0, DD1
-
-sealAVX2Tail128LoopA:
-	polyAdd(0(oup))
-	polyMul
-	LEAQ 16(oup), oup
-
-sealAVX2Tail128LoopB:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0)
-	polyAdd(0(oup))
-	polyMul
-	VPALIGNR $4, BB0, BB0, BB0
-	VPALIGNR $8, CC0, CC0, CC0
-	VPALIGNR $12, DD0, DD0, DD0
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0)
-	polyAdd(16(oup))
-	polyMul
-	LEAQ     32(oup), oup
-	VPALIGNR $12, BB0, BB0, BB0
-	VPALIGNR $8, CC0, CC0, CC0
-	VPALIGNR $4, DD0, DD0, DD0
-	DECQ     itr1
-	JG       sealAVX2Tail128LoopA
-	DECQ     itr2
-	JGE      sealAVX2Tail128LoopB
-
-	VPADDD ·chacha20Constants<>(SB), AA0, AA1
-	VPADDD state1StoreAVX2, BB0, BB1
-	VPADDD state2StoreAVX2, CC0, CC1
-	VPADDD DD1, DD0, DD1
-
-	VPERM2I128 $0x02, AA1, BB1, AA0
-	VPERM2I128 $0x02, CC1, DD1, BB0
-	VPERM2I128 $0x13, AA1, BB1, CC0
-	VPERM2I128 $0x13, CC1, DD1, DD0
-	JMP        sealAVX2ShortSealLoop
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 256 bytes of ciphertext
-sealAVX2Tail256:
-	// Need to decrypt up to 256 bytes - prepare two blocks
-	// If we got here after the main loop - there are 512 encrypted bytes waiting to be hashed
-	// If we got here before the main loop - there are 448 encrpyred bytes waiting to be hashed
-	VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA ·chacha20Constants<>(SB), AA1
-	VMOVDQA state1StoreAVX2, BB0; VMOVDQA state1StoreAVX2, BB1
-	VMOVDQA state2StoreAVX2, CC0; VMOVDQA state2StoreAVX2, CC1
-	VMOVDQA ctr3StoreAVX2, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD1
-	VMOVDQA DD0, TT1
-	VMOVDQA DD1, TT2
-
-sealAVX2Tail256LoopA:
-	polyAdd(0(oup))
-	polyMul
-	LEAQ 16(oup), oup
-
-sealAVX2Tail256LoopB:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	polyAdd(0(oup))
-	polyMul
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
-	polyAdd(16(oup))
-	polyMul
-	LEAQ     32(oup), oup
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1
-	DECQ     itr1
-	JG       sealAVX2Tail256LoopA
-	DECQ     itr2
-	JGE      sealAVX2Tail256LoopB
-
-	VPADDD     ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1
-	VPADDD     state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1
-	VPADDD     state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1
-	VPADDD     TT1, DD0, DD0; VPADDD TT2, DD1, DD1
-	VPERM2I128 $0x02, AA0, BB0, TT0
-	VPERM2I128 $0x02, CC0, DD0, TT1
-	VPERM2I128 $0x13, AA0, BB0, TT2
-	VPERM2I128 $0x13, CC0, DD0, TT3
-	VPXOR      (0*32)(inp), TT0, TT0; VPXOR (1*32)(inp), TT1, TT1; VPXOR (2*32)(inp), TT2, TT2; VPXOR (3*32)(inp), TT3, TT3
-	VMOVDQU    TT0, (0*32)(oup); VMOVDQU TT1, (1*32)(oup); VMOVDQU TT2, (2*32)(oup); VMOVDQU TT3, (3*32)(oup)
-	MOVQ       $128, itr1
-	LEAQ       128(inp), inp
-	SUBQ       $128, inl
-	VPERM2I128 $0x02, AA1, BB1, AA0
-	VPERM2I128 $0x02, CC1, DD1, BB0
-	VPERM2I128 $0x13, AA1, BB1, CC0
-	VPERM2I128 $0x13, CC1, DD1, DD0
-
-	JMP sealAVX2SealHash
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 384 bytes of ciphertext
-sealAVX2Tail384:
-	// Need to decrypt up to 384 bytes - prepare two blocks
-	// If we got here after the main loop - there are 512 encrypted bytes waiting to be hashed
-	// If we got here before the main loop - there are 448 encrpyred bytes waiting to be hashed
-	VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2
-	VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2
-	VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2
-	VMOVDQA ctr3StoreAVX2, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2
-	VMOVDQA DD0, TT1; VMOVDQA DD1, TT2; VMOVDQA DD2, TT3
-
-sealAVX2Tail384LoopA:
-	polyAdd(0(oup))
-	polyMul
-	LEAQ 16(oup), oup
-
-sealAVX2Tail384LoopB:
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
-	polyAdd(0(oup))
-	polyMul
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2
-	chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
-	polyAdd(16(oup))
-	polyMul
-	LEAQ     32(oup), oup
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2
-	DECQ     itr1
-	JG       sealAVX2Tail384LoopA
-	DECQ     itr2
-	JGE      sealAVX2Tail384LoopB
-
-	VPADDD     ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2
-	VPADDD     state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2
-	VPADDD     state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2
-	VPADDD     TT1, DD0, DD0; VPADDD TT2, DD1, DD1; VPADDD TT3, DD2, DD2
-	VPERM2I128 $0x02, AA0, BB0, TT0
-	VPERM2I128 $0x02, CC0, DD0, TT1
-	VPERM2I128 $0x13, AA0, BB0, TT2
-	VPERM2I128 $0x13, CC0, DD0, TT3
-	VPXOR      (0*32)(inp), TT0, TT0; VPXOR (1*32)(inp), TT1, TT1; VPXOR (2*32)(inp), TT2, TT2; VPXOR (3*32)(inp), TT3, TT3
-	VMOVDQU    TT0, (0*32)(oup); VMOVDQU TT1, (1*32)(oup); VMOVDQU TT2, (2*32)(oup); VMOVDQU TT3, (3*32)(oup)
-	VPERM2I128 $0x02, AA1, BB1, TT0
-	VPERM2I128 $0x02, CC1, DD1, TT1
-	VPERM2I128 $0x13, AA1, BB1, TT2
-	VPERM2I128 $0x13, CC1, DD1, TT3
-	VPXOR      (4*32)(inp), TT0, TT0; VPXOR (5*32)(inp), TT1, TT1; VPXOR (6*32)(inp), TT2, TT2; VPXOR (7*32)(inp), TT3, TT3
-	VMOVDQU    TT0, (4*32)(oup); VMOVDQU TT1, (5*32)(oup); VMOVDQU TT2, (6*32)(oup); VMOVDQU TT3, (7*32)(oup)
-	MOVQ       $256, itr1
-	LEAQ       256(inp), inp
-	SUBQ       $256, inl
-	VPERM2I128 $0x02, AA2, BB2, AA0
-	VPERM2I128 $0x02, CC2, DD2, BB0
-	VPERM2I128 $0x13, AA2, BB2, CC0
-	VPERM2I128 $0x13, CC2, DD2, DD0
-
-	JMP sealAVX2SealHash
-
-// ----------------------------------------------------------------------------
-// Special optimization for the last 512 bytes of ciphertext
-sealAVX2Tail512:
-	// Need to decrypt up to 512 bytes - prepare two blocks
-	// If we got here after the main loop - there are 512 encrypted bytes waiting to be hashed
-	// If we got here before the main loop - there are 448 encrpyred bytes waiting to be hashed
-	VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
-	VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3
-	VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3
-	VMOVDQA ctr3StoreAVX2, DD0
-	VPADDD  ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3
-	VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2
-
-sealAVX2Tail512LoopA:
-	polyAdd(0(oup))
-	polyMul
-	LEAQ 16(oup), oup
-
-sealAVX2Tail512LoopB:
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	polyAdd(0*8(oup))
-	polyMulAVX2
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $4, BB3, BB3, BB3
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
-	VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2; VPALIGNR $12, DD3, DD3, DD3
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	polyAdd(2*8(oup))
-	polyMulAVX2
-	LEAQ     (4*8)(oup), oup
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	VPADDD   BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
-	VPXOR    AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
-	VPSHUFB  ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
-	VPADDD   DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
-	VPXOR    CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
-	VMOVDQA  CC3, tmpStoreAVX2
-	VPSLLD   $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
-	VPSLLD   $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
-	VPSLLD   $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
-	VPSLLD   $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
-	VMOVDQA  tmpStoreAVX2, CC3
-	VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $12, BB3, BB3, BB3
-	VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
-	VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2; VPALIGNR $4, DD3, DD3, DD3
-
-	DECQ itr1
-	JG   sealAVX2Tail512LoopA
-	DECQ itr2
-	JGE  sealAVX2Tail512LoopB
-
-	VPADDD     ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3
-	VPADDD     state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3
-	VPADDD     state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3
-	VPADDD     ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3
-	VMOVDQA    CC3, tmpStoreAVX2
-	VPERM2I128 $0x02, AA0, BB0, CC3
-	VPXOR      (0*32)(inp), CC3, CC3
-	VMOVDQU    CC3, (0*32)(oup)
-	VPERM2I128 $0x02, CC0, DD0, CC3
-	VPXOR      (1*32)(inp), CC3, CC3
-	VMOVDQU    CC3, (1*32)(oup)
-	VPERM2I128 $0x13, AA0, BB0, CC3
-	VPXOR      (2*32)(inp), CC3, CC3
-	VMOVDQU    CC3, (2*32)(oup)
-	VPERM2I128 $0x13, CC0, DD0, CC3
-	VPXOR      (3*32)(inp), CC3, CC3
-	VMOVDQU    CC3, (3*32)(oup)
-
-	VPERM2I128 $0x02, AA1, BB1, AA0
-	VPERM2I128 $0x02, CC1, DD1, BB0
-	VPERM2I128 $0x13, AA1, BB1, CC0
-	VPERM2I128 $0x13, CC1, DD1, DD0
-	VPXOR      (4*32)(inp), AA0, AA0; VPXOR (5*32)(inp), BB0, BB0; VPXOR (6*32)(inp), CC0, CC0; VPXOR (7*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (4*32)(oup); VMOVDQU BB0, (5*32)(oup); VMOVDQU CC0, (6*32)(oup); VMOVDQU DD0, (7*32)(oup)
-
-	VPERM2I128 $0x02, AA2, BB2, AA0
-	VPERM2I128 $0x02, CC2, DD2, BB0
-	VPERM2I128 $0x13, AA2, BB2, CC0
-	VPERM2I128 $0x13, CC2, DD2, DD0
-	VPXOR      (8*32)(inp), AA0, AA0; VPXOR (9*32)(inp), BB0, BB0; VPXOR (10*32)(inp), CC0, CC0; VPXOR (11*32)(inp), DD0, DD0
-	VMOVDQU    AA0, (8*32)(oup); VMOVDQU BB0, (9*32)(oup); VMOVDQU CC0, (10*32)(oup); VMOVDQU DD0, (11*32)(oup)
-
-	MOVQ       $384, itr1
-	LEAQ       384(inp), inp
-	SUBQ       $384, inl
-	VPERM2I128 $0x02, AA3, BB3, AA0
-	VPERM2I128 $0x02, tmpStoreAVX2, DD3, BB0
-	VPERM2I128 $0x13, AA3, BB3, CC0
-	VPERM2I128 $0x13, tmpStoreAVX2, DD3, DD0
-
-	JMP sealAVX2SealHash
-
-// func cpuid(eaxArg, ecxArg uint32) (eax, ebx, ecx, edx uint32)
-TEXT ·cpuid(SB), NOSPLIT, $0-24
-	MOVL eaxArg+0(FP), AX
-	MOVL ecxArg+4(FP), CX
-	CPUID
-	MOVL AX, eax+8(FP)
-	MOVL BX, ebx+12(FP)
-	MOVL CX, ecx+16(FP)
-	MOVL DX, edx+20(FP)
-	RET
-
-// func xgetbv() (eax, edx uint32)
-TEXT ·xgetbv(SB),NOSPLIT,$0-8
-	MOVL $0, CX
-	XGETBV
-	MOVL AX, eax+0(FP)
-	MOVL DX, edx+4(FP)
-	RET
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go
deleted file mode 100644
index 4ac014f5..00000000
--- a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package chacha20poly1305
-
-import (
-	"encoding/binary"
-
-	"golang.org/x/crypto/internal/chacha20"
-	"golang.org/x/crypto/poly1305"
-)
-
-func roundTo16(n int) int {
-	return 16 * ((n + 15) / 16)
-}
-
-func (c *chacha20poly1305) sealGeneric(dst, nonce, plaintext, additionalData []byte) []byte {
-	var counter [16]byte
-	copy(counter[4:], nonce)
-
-	var polyKey [32]byte
-	chacha20.XORKeyStream(polyKey[:], polyKey[:], &counter, &c.key)
-
-	ret, out := sliceForAppend(dst, len(plaintext)+poly1305.TagSize)
-	counter[0] = 1
-	chacha20.XORKeyStream(out, plaintext, &counter, &c.key)
-
-	polyInput := make([]byte, roundTo16(len(additionalData))+roundTo16(len(plaintext))+8+8)
-	copy(polyInput, additionalData)
-	copy(polyInput[roundTo16(len(additionalData)):], out[:len(plaintext)])
-	binary.LittleEndian.PutUint64(polyInput[len(polyInput)-16:], uint64(len(additionalData)))
-	binary.LittleEndian.PutUint64(polyInput[len(polyInput)-8:], uint64(len(plaintext)))
-
-	var tag [poly1305.TagSize]byte
-	poly1305.Sum(&tag, polyInput, &polyKey)
-	copy(out[len(plaintext):], tag[:])
-
-	return ret
-}
-
-func (c *chacha20poly1305) openGeneric(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
-	var tag [poly1305.TagSize]byte
-	copy(tag[:], ciphertext[len(ciphertext)-16:])
-	ciphertext = ciphertext[:len(ciphertext)-16]
-
-	var counter [16]byte
-	copy(counter[4:], nonce)
-
-	var polyKey [32]byte
-	chacha20.XORKeyStream(polyKey[:], polyKey[:], &counter, &c.key)
-
-	polyInput := make([]byte, roundTo16(len(additionalData))+roundTo16(len(ciphertext))+8+8)
-	copy(polyInput, additionalData)
-	copy(polyInput[roundTo16(len(additionalData)):], ciphertext)
-	binary.LittleEndian.PutUint64(polyInput[len(polyInput)-16:], uint64(len(additionalData)))
-	binary.LittleEndian.PutUint64(polyInput[len(polyInput)-8:], uint64(len(ciphertext)))
-
-	ret, out := sliceForAppend(dst, len(ciphertext))
-	if !poly1305.Verify(&tag, polyInput, &polyKey) {
-		for i := range out {
-			out[i] = 0
-		}
-		return nil, errOpen
-	}
-
-	counter[0] = 1
-	chacha20.XORKeyStream(out, ciphertext, &counter, &c.key)
-	return ret, nil
-}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_noasm.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_noasm.go
deleted file mode 100644
index 4c2eb703..00000000
--- a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_noasm.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !amd64 !go1.7 gccgo appengine
-
-package chacha20poly1305
-
-func (c *chacha20poly1305) seal(dst, nonce, plaintext, additionalData []byte) []byte {
-	return c.sealGeneric(dst, nonce, plaintext, additionalData)
-}
-
-func (c *chacha20poly1305) open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
-	return c.openGeneric(dst, nonce, ciphertext, additionalData)
-}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_test.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_test.go
deleted file mode 100644
index 78f981a7..00000000
--- a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_test.go
+++ /dev/null
@@ -1,182 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package chacha20poly1305
-
-import (
-	"bytes"
-	cr "crypto/rand"
-	"encoding/hex"
-	mr "math/rand"
-	"testing"
-)
-
-func TestVectors(t *testing.T) {
-	for i, test := range chacha20Poly1305Tests {
-		key, _ := hex.DecodeString(test.key)
-		nonce, _ := hex.DecodeString(test.nonce)
-		ad, _ := hex.DecodeString(test.aad)
-		plaintext, _ := hex.DecodeString(test.plaintext)
-
-		aead, err := New(key)
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		ct := aead.Seal(nil, nonce, plaintext, ad)
-		if ctHex := hex.EncodeToString(ct); ctHex != test.out {
-			t.Errorf("#%d: got %s, want %s", i, ctHex, test.out)
-			continue
-		}
-
-		plaintext2, err := aead.Open(nil, nonce, ct, ad)
-		if err != nil {
-			t.Errorf("#%d: Open failed", i)
-			continue
-		}
-
-		if !bytes.Equal(plaintext, plaintext2) {
-			t.Errorf("#%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
-			continue
-		}
-
-		if len(ad) > 0 {
-			alterAdIdx := mr.Intn(len(ad))
-			ad[alterAdIdx] ^= 0x80
-			if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
-				t.Errorf("#%d: Open was successful after altering additional data", i)
-			}
-			ad[alterAdIdx] ^= 0x80
-		}
-
-		alterNonceIdx := mr.Intn(aead.NonceSize())
-		nonce[alterNonceIdx] ^= 0x80
-		if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
-			t.Errorf("#%d: Open was successful after altering nonce", i)
-		}
-		nonce[alterNonceIdx] ^= 0x80
-
-		alterCtIdx := mr.Intn(len(ct))
-		ct[alterCtIdx] ^= 0x80
-		if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
-			t.Errorf("#%d: Open was successful after altering ciphertext", i)
-		}
-		ct[alterCtIdx] ^= 0x80
-	}
-}
-
-func TestRandom(t *testing.T) {
-	// Some random tests to verify Open(Seal) == Plaintext
-	for i := 0; i < 256; i++ {
-		var nonce [12]byte
-		var key [32]byte
-
-		al := mr.Intn(128)
-		pl := mr.Intn(16384)
-		ad := make([]byte, al)
-		plaintext := make([]byte, pl)
-		cr.Read(key[:])
-		cr.Read(nonce[:])
-		cr.Read(ad)
-		cr.Read(plaintext)
-
-		aead, err := New(key[:])
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		ct := aead.Seal(nil, nonce[:], plaintext, ad)
-
-		plaintext2, err := aead.Open(nil, nonce[:], ct, ad)
-		if err != nil {
-			t.Errorf("Random #%d: Open failed", i)
-			continue
-		}
-
-		if !bytes.Equal(plaintext, plaintext2) {
-			t.Errorf("Random #%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
-			continue
-		}
-
-		if len(ad) > 0 {
-			alterAdIdx := mr.Intn(len(ad))
-			ad[alterAdIdx] ^= 0x80
-			if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
-				t.Errorf("Random #%d: Open was successful after altering additional data", i)
-			}
-			ad[alterAdIdx] ^= 0x80
-		}
-
-		alterNonceIdx := mr.Intn(aead.NonceSize())
-		nonce[alterNonceIdx] ^= 0x80
-		if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
-			t.Errorf("Random #%d: Open was successful after altering nonce", i)
-		}
-		nonce[alterNonceIdx] ^= 0x80
-
-		alterCtIdx := mr.Intn(len(ct))
-		ct[alterCtIdx] ^= 0x80
-		if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
-			t.Errorf("Random #%d: Open was successful after altering ciphertext", i)
-		}
-		ct[alterCtIdx] ^= 0x80
-	}
-}
-
-func benchamarkChaCha20Poly1305Seal(b *testing.B, buf []byte) {
-	b.SetBytes(int64(len(buf)))
-
-	var key [32]byte
-	var nonce [12]byte
-	var ad [13]byte
-	var out []byte
-
-	aead, _ := New(key[:])
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		out = aead.Seal(out[:0], nonce[:], buf[:], ad[:])
-	}
-}
-
-func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte) {
-	b.SetBytes(int64(len(buf)))
-
-	var key [32]byte
-	var nonce [12]byte
-	var ad [13]byte
-	var ct []byte
-	var out []byte
-
-	aead, _ := New(key[:])
-	ct = aead.Seal(ct[:0], nonce[:], buf[:], ad[:])
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		out, _ = aead.Open(out[:0], nonce[:], ct[:], ad[:])
-	}
-}
-
-func BenchmarkChacha20Poly1305Open_64(b *testing.B) {
-	benchamarkChaCha20Poly1305Open(b, make([]byte, 64))
-}
-
-func BenchmarkChacha20Poly1305Seal_64(b *testing.B) {
-	benchamarkChaCha20Poly1305Seal(b, make([]byte, 64))
-}
-
-func BenchmarkChacha20Poly1305Open_1350(b *testing.B) {
-	benchamarkChaCha20Poly1305Open(b, make([]byte, 1350))
-}
-
-func BenchmarkChacha20Poly1305Seal_1350(b *testing.B) {
-	benchamarkChaCha20Poly1305Seal(b, make([]byte, 1350))
-}
-
-func BenchmarkChacha20Poly1305Open_8K(b *testing.B) {
-	benchamarkChaCha20Poly1305Open(b, make([]byte, 8*1024))
-}
-
-func BenchmarkChacha20Poly1305Seal_8K(b *testing.B) {
-	benchamarkChaCha20Poly1305Seal(b, make([]byte, 8*1024))
-}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_vectors_test.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_vectors_test.go
deleted file mode 100644
index 49f0da6b..00000000
--- a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_vectors_test.go
+++ /dev/null
@@ -1,332 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package chacha20poly1305
-
-var chacha20Poly1305Tests = []struct {
-	plaintext, aad, key, nonce, out string
-}{
-	{
-		"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e",
-		"50515253c0c1c2c3c4c5c6c7",
-		"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
-		"070000004041424344454647",
-		"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b61161ae10b594f09e26a7e902ecbd0600691",
-	},
-	{
-		"1400000cebccee3bf561b292340fec60",
-		"00000000000000001603030010",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"2b487a2941bc07f3cc76d1a531662588ee7c2598e59778c24d5b27559a80d163",
-	},
-	{
-		"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-		"00000000000000000000000000",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"3f487a25aa70e9c8391763370569c9e83b7650dd1921c8b78869f241f25d2096c910b180930c5b8747fd90959fe8ca2dcadb4fa50fa1439f916b2301e1cc0810d6725775d3ab86721700f96e22709b0a7a8bef32627dd929b2dd3ba15772b669062bb558bc92e6c241a1d60d9f0035e80c335f854815fe1138ab8af653eab3e122135feeec7dfaba1cc24af82a2b7acccdd824899a7e03cc29c25be8a4f56a66673845b93bae1556f09dafc89a0d22af207718e2a6bb022e9d917597295992ea3b750cc0e7a7c3d33b23c5a8aeab45f5bb542f6c9e6c1747ae5a344aff483ba38577ad534b33b3abc7d284776ea33ed488c2a2475648a4fcda561745ea7787ed60f2368deb27c75adce6ff9b6cc6de1f5e72a741e2d59f64751b3ae482d714e0c90e83c671ff98ed611823afb39e6e5019a6ba548a2a72e829c7b7b4a101ac9deb90a25d3e0c50d22e1fc26c7c02296fa13c6d9c14767f68aaf46450a8d0fd5feb60d9d73c6e68623425b4984a79d619dd6bf896459aa77a681ec9c1a97f645e121f47779b051f8948a817f84d1f55da170d5bbbaf2f64e18b97ed3fd822db2819f523314f1e5ac72e8f69bbe6c87c22daddb0e1ac6790f8534071de2f258064b99789bfb165b065b8fe96f9127cd7dca9f7cb0368420f1e802faa3ca23792f2a5b93773dd405e71c320b211b54f7a26626b03c060e1ab87f32ac588abfa056ce090bd7c69913a700c80f325bfe824fa",
-	},
-	{
-		"0967de57eefe1aaa999b9b746d88a1a248000d8734e0e938c6aa87",
-		"e4f0a3a4f90a8250f8806aa319053e8d73c62f150e2f239563037e9cc92823ad18c65111d0d462c954cc6c6ed2aafb45702a5a7e597d13bd8091594ab97cf7d1",
-		"f2db28620582e05f00f31c808475ca3df1c20e340bf14828352499466d79295f",
-		"4349e2131d44dc711148dfe3",
-		"bd06cc144fdc0d8b735fa4452eabbf78fd4ad2966ea41a84f68da40ca2da439777bc2ba6c4ec2de0d003eb",
-	},
-	{
-		"c4c920fb52a56fe66eaa8aa3fa187c543e3db8e5c8094c4313dc4ed35dfc5821c5791d171e8cfe8d37883031a0ad",
-		"85deea3dc4",
-		"05ff881d1e151bab4ca3db7d44880222733fe62686f71ce1e4610f2ea19599a7",
-		"b34710f65aed442e4a40866b",
-		"b154452fb7e85d175dd0b0db08591565c5587a725cf22386922f5d27a01015aba778975510b38754b2182e24352f019b7ad493e1ed255906715644aec6e0",
-	},
-	{
-		"c4b337df5e83823900c6c202e93541cf5bc8c677a9aad8b8d87a4d7221e294e595cbc4f34e462d4e0def50f62491c57f598cf60236cfba0f4908816aea154f80e013732e59a07c668fcc5cb35d2232b7ae29b9e4f874f3417c74ab6689fae6690d5a9766fa13cd8adf293d3d4b70f4f999adde9121d1d29d467d04cf77ea398444d0ea3fe4b7c9c3e106002c76f4260fa204a0c3d5",
-		"72611bef65eb664f24ea94f4d5d3d88c9c9c6da29c9a1991c02833c4c9f6993b57b5",
-		"dd0f2d4bb1c9e5ca5aa5f38d69bc8402f7dbb7229857b4a41b3044d481b7655e",
-		"2bbca0910cc47ca0b8517391",
-		"83aa28d6d98901e2981d21d3758ae4db8cce07fe08d82ca6f036a68daa88a7dda56eeb38040c942bdda0fd2d369eec44bd070e2c9314992f68dc16989a6ac0c3912c378cf3254f4bae74a66b075e828df6f855c0d8a827ffed3c03582c12a9112eeb7be43dfe8bd78beb2d1e56678b99a0372531727cb7f2b98d2f917ec10de93fe86267100c20356e80528c5066688c8b7acba76e591449952343f663993d5b642e59eb0f",
-	},
-	{
-		"a9775b8e42b63335439cf1c79fe8a3560b3baebfdfc9ef239d70da02cea0947817f00659a63a8ee9d67fb1756854cc738f7a326e432191e1916be35f0b78d72268de7c0e180af7ee8aa864f2fc30658baa97f9edb88ace49f5b2a8002a8023925e9fa076a997643340c8253cf88ac8a221c190d94c5e224110cb423a4b65cca9046c1fad0483e1444c0680449148e7b20a778c56d5ae97e679d920c43eed6d42598cf05d10d1a15cd722a0686a871b74fea7cad45562bacf3bda937ac701bc218dac7e9d7d20f955429abdac21d821207febf4d54daea4898837035038bf71c66cef63e90f5d3e51f7fcfe18d41f38540a2c2958dacde16304e4b33da324030f1366f923c337",
-		"74ba3372d308910b5c9c3885f41252d57556",
-		"9cf77bd06a4ed8fb59349791b98ba40b6019611942f5768e8be2ee88477149e3",
-		"b928935c4c966c60fd6583c0",
-		"ec7fd64fd75b254961a2b7fc942470d8620f439258b871d0d00f58028b5e0bee5e139e8108ac439391465d6658f559b1df57aa21cf826ede1a28bc11af885e13eebfc009870928fae8abfdd943a60c54fca93f0502dc23d29c2fd5340f9bc0e6ef2a18b66ef627af95f796d5bbca50de22c8ec802da9397089b25c6ba5262468e3977b45dc112e51896c70731b0a52d7efec7c93b41995823436bf4b0c477ae79684407c9831b487928b2b8303caca752b3edf1f0598e15831155462706f94ef3fa3a9e5f937f37085afa9b4bbf939d275796a61b78f70597acfd25cd87f967021cd99328fc371b5eb5739869520657b30e4a5b0db7c8715cbe275dee78e719b357d3a9731f9eaba95986479bb2004a77822fc115a3d",
-	},
-	{
-		"b3d3128bce6bbf66fd78f1a18352bae56bfcdae18b65c379ee0aeb37ee54fba1270d2df578ec5b75654d16e89fd1cd0acda7ec580dafd2fbbabd32a8112d49383a762db2638928c8d63eb0750f7e7fdd256b35321b072dd5c45f7dd58cc60dc63d3b79a0c4a1689adf180fef968eccbcfa01ee15091ceacd7b67a3082db0ce6aeb470aafe87249c88b58b721e783dde184ccf68de8e05b6347fe6b74ae3adf9a81e9496a5c9332e7ebe908d26ce6b3f0b2a97e9a89d9fdd0d7694585a3241f240d698e69fcc050e7a959ba153f6d06f117848ba05d887134f1b6b994dad9b9e74247513e08a125b1fadfc7394dcd2a6451b504ae3e75e22f2b9bc405747dedb6c43ef4ccdf1a7edaf9451346123eaa63f3af113124f361508e255503a242b96680ae3360c8b13ac1f64d08088bb26b7f617cb0866f11d6fd362b00d86eba3fee68724e302388f119d6f92161ac8ce00d08919377a26974d99575b1032ff0f1976240c785c8b89e9eb2bf005e4be06b5371ffca14683fedfdb49e00e38ff27af1324177faf91599abd5990920797574eb743effdc7decda318ada1419cc8e0bfecf82f9c99792746c2b",
-		"7e8da4f3018f673f8e43bd7a1dee05f8031ec49129c361abbc2a434e9eaf791c3c1d0f3dad767d3bba3ab6d728bbcf2bd994bd03571eae1348f161e6a1da03ddf7121ba4",
-		"7ee32dd501dce849cd492f6e23324c1a4567bfceff9f11d1352bcb8615f1b093",
-		"8998e043d2961afa51ea262a",
-		"ba85e72af18cb5ba85a4a0d6c28b4ac1e5509a3a2fdb0e3255cbc559df5e6a661fc560c756a0264dd99b72c61c51a4b7ad56ca4c8ccb7e8edfc48ff3cceac5d1e8ac5fc87096adc4d0e9a27492857b17604c3a694cfe0e70b22df106c8f3c61f840bcd634964cdb571840e125e381e7dd3a0d97972e965f16f775fa4ce555124318290bf508beb7bd77e633042deb0e863631478fc3dc9122862b3c31264471bcce54e0b74040c8bafd481cf798f332e8940f1134d3027d6f28e771d15e154fc89c6c25fe18a5d312807cc2e623bb1bbb4f0b6ec71d009407eb54bb0759f03682f65d0da8812f84d8e97483f6a8d76a8417efcd9526444abba24288647609791578887ef49780b0b89f51b072cae81c5b5014463da3633dda105b82add0f9c2f065dca46eedd2928be2570493c79a996fa78ea6aec0996497fe2dc444432ade4eaa662ee2255f0f4b92d593288a8e3ffe7a15a10e9d33b0203af23f4c9fd2cfcb6160db63b52810869ff1e65423dbe2c4415884b9f8dec3c968e14cd74f323c89053a96111bc9ce59ec483832c49c53a648e5f0f797f53642ac60170c94b473f1f2e7d8a38e46460b81219b52081263027f74cbf63a75af3a7",
-	},
-	{
-		"68d5ba501e87994ef6bc8042d7c5a99693a835a4796ad044f0e536a0790a7ee1e03832fec0cb4cb688cdf85f92a1f526492acac2949a0684803c24f947a3da27db0c259bd87251603f49bfd1eab4f733dec2f5725cfcf6dc381ad57fbdb0a699bccc34943e86f47dcfb34eba6746ed4508e3b764dfad4117c8169785c63d1e8309531747d90cc4a8bf13622759506c613324c512d10629991dc01fe3fe3d6607907e4f698a1312492674707fc4dde0f701a609d2ac336cc9f38badf1c813f9599148c21b5bd4658249d5010db2e205b3880e863441f2fe357dab2645be1f9e5067616bc335d0457ea6468c5828910cb09f92e5e184e316018e3c464c5ce59cc34608867bd8cbfa7e1286d73a17e3ebb675d097f9b3adfa41ea408d46252a096b3290e70a5be1896d6760a87e439334b863ccb11679ab5763ebe4a9110eb37c4043634b9e44d40cab34b42977475e2faa2ae0c0a38b170776fbb0870a63044aa6679545ac6951579d0581144cdf43f60923b6acaecdb325c864acd2c7b01d6e18b2b3c41c041bb9099cce557b114b84350131e3cee4089648b5691065867e7d38314154355d0e3ef9dc9375eddef922df2a06ad0f0e4357c3ac672932e5a66b16e8bf4b45cd893ea91cb397faadb9d9d7bf86e6ceca3e9176a5baa98b6114a149d3ed8ea176cc4a9380e18d2d9b67045aedeb28b729ba2ece74d759d5ebfb1ebee8ac5f5e79aaf1f98b7f2626e62a81d315a98b3e",
-		"63b90dd89066ad7b61cc39497899a8f14399eace1810f5fe3b76d2501f5d8f83169c5ba602082164d45aad4df3553e36ef29050739fa067470d8c58f3554124bf06df1f27612564a6c04976059d69648ff9b50389556ad052e729563c6a7",
-		"7d5c4314a542aff57a454b274a7999dfdc5f878a159c29be27dabdfcf7c06975",
-		"aeb6159fa88bb1ffd51d036d",
-		"7597f7f44191e815a409754db7fea688e0105c987fa065e621823ea6dea617aed613092ad566c487cfa1a93f556615d2a575fb30ac34b11e19cd908d74545906f929dc9e59f6f1e1e6eaaabe182748ef87057ef7820ffcf254c40237d3ea9ff004472db783ed54b5a294a46cf90519bf89367b04fc01ce544c5bcdd3197eb1237923ce2c0c99921ca959c53b54176d292e97f6d9696ded6054711721aebda543e3e077c90e6f216cdc275b86d45603521c5aab24f08fd06833b0743c388382f941e19e0283ac7c4ef22383e1b9b08572882769c1382bab9ad127e7f3e09b5330b82d3e0c7d6f0df46edc93265999eef8e7afa0cb1db77df7accf5bff8631a320d146a5c751a637a80f627b0c9a41b44f09212f38c154226de02f4906ef34139bbeacc3f06739c8540e37334392d38ba1cbf4bc7debe77c09b35d2200216db15ed4389f43bfd8ae9bf76fd8243c3d869546e16b8e44a6cd1edbd2c58ef890b5a84cda889131e5cd9402ca4d8271052c6b4fe3f2dff54fb77bcb575c315b9109f90b14bc8e109919808a581c1809e2a188d29fd34ce639088a6683f641925f5b4b3529baa34e080bb47fb7ad9b43d0d67c9e6ae7cacb50527fa74e56d0c8b20149f5d332d686d48ebbe634c2b5d35fc84c69a5bcc93b93dedcf9fdf19a1fb9b75f6df9692d16f6c3490377a06294499e4b8ebeaa0cfd840bfa05fde21c0b5e94d13063b3f5da7b537caefe89069cfa9de9eb8f06e4d30125de64716f821bcc8279c0c7ea2e",
-	},
-	{
-		"89c1ee38b6697d0190c87a2aa756892ee09fca095df1e31aeedbda5750f604d9b8f2116e5b8f70ec57ea16fe419f2d213ef72b9be90eb5d7e98f2e398632123e2524ac80b31c6c0a07820848223569602d94fc16a3b1ed8c411bc6c74ed80573fcb1f3afce60b9d5e2c21d04f78665241b613abe12274a5343101a91e91f04e5d1f7959f574e743a10913e0817a32c320467f0178e3b6ad14b856234a4661a755eaf14b5fd88ef0e192e1631d14263d6a954ed388f5709dadc6c0f81d229f630d80be6d593d5e3ad03f9ded53c41abe595981d24ef27ffcc930e4d653743960f4e7ce4e251c88f55c16d2afdaed5e3446d00685c276728ba757520acb9b6bb0732a0e9836878d829e5022794d70ad8440a40a132a8c9ec1d3f0ccaf8c285fff425e9788d6150b74753dedb2ae8b36ff2f310249bd911b9181d8310e00810d42ef94cbb5a9d72a1f0507c1a382f892b23994fbe7360778b7efa9c5e03ac3231a57fecff1c5fa10caf1d26e84db0137049622ebcc3a64841a0e49fa390d1d43550c1346c20d578cff39fb7404fcab0982dde55f0849d312581d0c811a19d46f25e7a5e7e50d74d43760583c5cf335dfc11b2ec964f1dbbd0ed83e18f2027817ea2dffcf2b64a352c4fb8f11eeb4f1bfc01079251254d2112d103a1f12a2270cc026cbeb8b6f3e505abd62496253f93274625786b73997e449c1f35c742a593441252fcc845e1cef1b8f287dd311a0477407ce3b31661f7b2802c79c2d20d06e45f03aca4e47a959c6c1d7a9d377e1577fbf82a115921c3d94e3d9c204aa204a9a5b04d8a2be3269700a035371f4aaf1a42d92b9bfbee74492b106975b36d1e581d6ce2484f09e04fa91586c85f35e2a10f0d3c0afcb05327c1bc9d7429bbcc4627af8f76b86fc561844c2ae3810c84901ac09a1670ed3d31a9daa5d296",
-		"7219bd21a834d917f93a9b45647ec77102578bc2f2a132dfde6489b9095b4f7b740c9c1c4075333ab0ce7f14",
-		"a7f849b054982cc8a4c8e5e53e181feee79e0233e58882839892134ad582da7c",
-		"4c46854e9e101090b1436f90",
-		"ab2e189baf60886bed88eb751bf3560a8bd3cdb6ee621d8c18b5fb3aa418f350048ecf359a7d542daf7090ec8688c3b0fe85914aa49d83be4ae3396f7bdc48051afae6a97fca7b42c0bf612a42d3c79ef6aadceb57f5cfe8d67f89d49add0ea1ffd423da058297239e72a85fa6cd1d82e243a503b1b0e12d7510a9ee98d7921dae2754d7581e52acb8ab9e7f9df3c73410789115cef6ce7c937a5441ad4edf2b7a8c0c6d152d5a5909c4ce839d59594a6163364038c4c71a1507389717f61e2bda1ea66a83ef477762e7834ebcfaa8f2ee61ced1605ba1380108236e1763bf40af5259da07dd3e3d0fb2801868c2e7c839e318678687cbe33384e2ef5750a0a0e2d2e19e869a4277e32a315ed4de79357f6a12a8a25d5b18291316d9bf40dad2d05d1b523ade76650669c700a1c2965f4e51337aa5d45ec7b4981072779401d6d30ed69034053334bccb18425ac68460becf2aeccc75aacd3d6709f07ee10366ed848c8a54904af4ea71fc2117de133f01e1cc031f2a4d0779b997b82682433ee615202d5dfffba6c916f11a00551d56ffde8c36b303263e14adaf45b6eab0bedf344e5214ce52f071d2f40154d788c6870020791a03d2fd4ec5879d9026241954ed45cfddef4937ea3d0d45647f252be31411237983a1be340fc65ebab9a5620abb0e8d475af4e89e842e895eda0cbd283bb5d0bf20236c62d956de733d60ebceb42fc0c9adbf9b69f8d66551b0aca0e260625ad41cad75d752a234af7caf7902c2c5b62f04b6a8e019a6179d44feeb2ad5859ef1c45371e66f1af1fe0de63997266c290e27f0dd62185c53f81e0a50c296a51ace7c90d9cf0dda8b2d7e72a347f64c44262e2a544d1acc7bb05734dc1783bbc1903279092fe7fe434610aa95fc2ce5fc5ee45858f5e8337d8fcb0a468464becb1cef6b7e5ea48ba383ad8a406df9c581f1cac057d8711fcb",
-	},
-	{
-		"2dcfbb59975f217c445f95634d7c0250afe7d8316a70c47dba99ff94167ab74349729ce1d2bd5d161df27a6a6e7cba1e63924fcd03134abdad4952c3c409060d7ca2ee4e5f4c647c3edee7ad5aa1cbbd341a8a372ed4f4db1e469ee250a4efcc46de1aa52a7e22685d0915b7aae075defbff1529d40a04f250a2d4a046c36c8ca18631cb055334625c4919072a8ee5258efb4e6205525455f428f63aeb62c68de9f758ee4b8c50a7d669ae00f89425868f73e894c53ce9b964dff34f42b9dc2bb03519fbc169a397d25197cae5bc50742f3808f474f2add8d1a0281359043e0a395705fbc0a89293fa2a5ddfe6ae5416e65c0a5b4eb83320585b33b26072bc99c9c1948a6a271d64517a433728974d0ff4586a42109d6268f9961a5908d6f2d198875b02ae7866fff3a9361b41842a35dc9477ec32da542b706f8478457649ddfda5dfab1d45aa10efe12c3065566541ebdc2d1db6814826f0cc9e3642e813408df3ebaa3896bb2777e757dc3dbc1d28994a454fcb8d76bc5914f29cfc05dc89f8c734315def58d4d6b0b0136ccd3c05178155e30fcb9f68df9104dc96e0658fa899c0058818da5ec88a723558ae3a6f2f8f523e5af1a73a82ab16198c7ba8341568399d8013fc499e6e7ef61cb8654b48b88aa2a931dc2cdcf245686eed9c8355d620d5e91c1e878a9c7da655e3f29d9b7c3f44ad1c70890eb5f27ca28efff76420cd4e3cebd5c788536ddd365f7ad1dbb91588d58612e43b0460de9260d5f780a245bc8e1a83166df1f3a3506d742c268ab4fc10c6e04bca40295da0ff5420a199dd2fb36045215138c4a2a539ceccc382c8d349a81e13e848708947c4a9e85d861811e75d323896f6da3b2fa807f22bcfc57477e487602cf8e973bc925b1a19732b00d15d38675313a283bbaa75e6793b5af11fe2514bda3abe96cc19b0e58ddbe55e381ec58c31670fec1184d38bbf2d7cde0fcd29e907e780d30130b98e0c9eec44bcb1d0ed18dfda2a64adb523da3102eafe2bd3051353d8148491a290308ed4ec3fa5da5784b481e861360c3b670e256539f96a4c4c4360d0d40260049035f1cfdacb275e7fa847e0df531b466141ac9a3a16e7865947572e4ab732daec23aac6eed1256d796c4d58bf699f20aa4bbae461a16abbe9c1e9",
-		"33791b0d653fb72c2d88519b02bde85a7c51f99cfb4456dfa6f84a61e10b4a14846521",
-		"a0a7b73ca2fc9282a28acc036bd74d7f5cb2a146577a5c29dbc3963fe7ebfd87",
-		"eaa4d916d261676d632455be",
-		"c9a631de470fd04dcbf8ea9f4d8ac37c3988878b6381707ac2c91d3720edbb31576ba90731f433a5e13582aca2b3c76ae75ca8881a463ecfa789910d3a776a9ad4800521c6baa120b2f1afd10f32ef8da63f5b69f5e5fd88ee84bf66b0666b15d05c4050f5358a050b9d5cf1503719f56cd48ceba78f29efe2ae8092e37f5134df526831532f86ccb9339637e2c9e9b9036f83cc058fda23e826a188456e7fd3f4ee20f4e4a3221883fe3232b49db607b90a8956133ab95051c9ec33a908ea7e81a1bfa7bd06c09f0143d07bb23a3feeac7f0d7720269c93e2df19d03605828c8713b84d183c9a50954c12fe3b047511ad15ef03a63355520cbd224d06a34de67a671368e6a8f9feeefe48fc273764a8c69c00314e5d693f159cb5270544f3c4e1760b0529e3303ab308e9a6d03835a3a42aef2df5f7643696f707a574d1dcc676aeecdd9947ebe8c13bcf15d30b2d10d2cd95445a307c1d22d39450615ad38f9302c6eb9dc05764b0503d6a7eaff9feb94834853b47bc25660207be3e7c0e27cb3127b5402cb016396e5ff07ddc3df29861dd68a17f53bf660b23352b739d6da72381b8d19a9fc95da7efb79330a2b360dce4309860af429e3fd10cab235c4acc1d80d9e20d67019375bd161ab65648400f308815afe63cfc717f7d0eea150e687caac25b6603287d44dca4a7cc2f67c3bdd54450bd3170340253b03ba054ec003070eddf9c14fb9dc595e228e4968524900cb5d85af6d1e658a42d744e0e7eb6995023823a8dc33528c6715b2e1aa607782c8e1ddddad72026d657bf122ece8685f6e92236e809139325e4a3c069facf94c10b7896995bba01eb22c7b3a87ea2114a7649d7ed3e83d223e5e785c66a75119beab0968d3eaf0cbcc2d7ede95d024041e6db39a880ce3e19efea32fb89a40a2aae22f407e5fd615e51e48dbd50a8b4ec27ce95e2ba1928bf699d0418705482ed0ed7acc858dfbd690403c74667a88dd5221bb79940c6c4a268379c10343aaefb635982c14f33ad83d47ced9682961540bd4f75804d3d48ba8aa67fb2e3a1db83fbcbe57fec9e4ffb1b575e947f8bd8263c680357960e3a39382974774b5a013f2f8514b3c63c21dbfd314fd5d927d82ba616d76629ac018879f54ff84b5808e94af4fcfe1cf8845b65208ca5510b5b593ce6c109611652cd",
-	},
-	{
-		"c335b055b752e083554b5aa2cbb6556cfcace658d5c11b6b000256fd89e9b24c1e62a2d5b582580acdb2ad9869020465aeeabe83acd9eeacdc44aa652d5cb24bbe542073d6787ea32b2b3c942d40f9db2bb75ed7914c836d902dd2be89840948d82abbaea23952cd648e6191ce5b6cf912cad0a3165410a781e3650b676e5340980eee3b484008acce6a3e9dc5aa96d775677b8bbb8b323c6e9747d6069a169ea904d9f145e29d134cdbb0118647e8fbae638669efb9a55d50ed33568749f5304ece2193b0bfa6fc9a570d209ef61b4c59a2b5485b5aa6ab47d902cf23f7ff71c5210476e0aa727a01809b9f76b6ebcf58a018b3fbbe5f42976111ba58112b1d322f9312da068cdb86277bfcde66cb3607e3ea02a1494439aa56f302671f1f994eb3ab28b937043f5f7f3b3de50673ecea5dee8ba633c45089b852f0d772892525344ede6b521dcad15807b65e7ba348d891d47fc498cf4d50223d2794c64db9fa9b9766edb430be0c38746ab317b38ba9870a6d1fdabb70fcf89790bfe449b97fe01f6c94502aa0889f0a3bb6bdc65f44d1cd64ab88d4a7806b373f5080f9cf60183cf4686694f0059e2bbc5cf21ba0c3e8046e70d815f1444c3094cc29632c429f20aa06b49b0b52c6c7aeb8e34f7bcb53e93c2cfe2d704a5d0416876742c90762730d160e1869d5e0178dc366098ebaf2cae6f1f7563b555a52dcc194a5c8f718d50d27ee76fcce8e8991f4921fae85ea9476e1eab1364403120698b7ce8fd0a49cf79213f360a17cf1950f104494fad80adcc3bb1207bf250d57dcdce6ac8082a312959672361363cc227310b66ee8c04aab7b5cb33a81c0915e9c770a1cfaae2e8f44a0c65703927977a22fe58aef2f366b8be9a50da9376b46ae7562a82391386831febf359039ac326891bc58c0f2c34bdb6858859fc3cb4e392df65cbe2ec4f02c8425bcbdd1ee2562ab7d229d406d79a9c6fe4889c996c2f68d1fb5bbe3a5e867caa4249b934afd3ec71fdb088c54b15252f9dc1b909e121dbdc7d8a16cc00836652dd1f877ce363eed11467966f7ccb8f1a8d48146e69e04ad76a51937ad4f9cda209451eeca90dbdbd65441ce20fabfc8ce400fb4de136154b87a8b65c92740e9bb91d78521b261f806a2c6279c85ef6ac5fe1ea3117ff7c9f9832fc2aa6fab660082eb22344c1a3befe0628b6551f62a5014cd6194c42b8d475a50f2c9fb58c97e43ebb29005ed7fe54f0a4aa10074f1154152a9067d364dd7863fa082976a00db55b26b5ba0ea40eff48b90",
-		"f5ff810a41d4b34751e9942970d4c9f26b33f24689a4b1e4449b243490afc485af468ff01a42376b2bcb949b9f5e8d0b917f511a",
-		"a74271c184a82cb074c14b131fd91eb05870cb7c73c9e511ec8140bfe2f34089",
-		"2403fe689e239c2ed261b381",
-		"af9be893d5fd23aab42e6a2e59a8e7cb13d4f543db02af87cb0802bc1af7c717cd0093cc8244994cf21189146922b69927ffd5745e57118bea07a6afe7c21d952c13ab636b3c2e461dc9ffb3ae701175360156338be94b1fa7115799831019455cfaf5114010fe45f8fb9c77ec50fe06f2c5a32423edccb3b2210ee1200a78e1a3130c567542377827586ca8cf0c14c19fa1449a2cce9c039bb441b04e9c0a3f9a743b31c828032174fcdb7c894349aa68f5adf97dfe9294d24e6b5fed95eb994397883f58487bf5c57b0aea5268be7cee9efeab370f89805ebe5373ab2e93658fc078955ccf68b554dd5605005751ee8531c35ca5336a5d0ce273370c0dc9307779b86e96d2d1daf2620d67d43e1fb7800ccf250ca3c02eb74047c1d2a2bc7f29fff8320301694b80d0fd975f834337d00d5f0e4215044d52aa4ca21e6a9d7e03f186d7cdd5c48e3765dc926fb0a46bb0f05c50d9f69c9c507527a60366b7dc251aae1d6bb0d9c73735dcfab959f6fd4382fe2a1f6ad07affb0601bb9040f81b55a48f6a6c5f8ac4a2acc2b0c9a6c439198f7926460695fa11e0b0b017e39de5cf0d5d5f84d972b5eee7b5d1e0343b5485cd84b92ad892e5b23f3e803f5b363f2398c11c15be9f13e59922b0d49902dc8483fb142850b4226da2fb84e9b434a34f6bb67f575a9e57fde3354bc3077a876e260311bb2481bb139aa9af55df5074749fe532d7b8a554218a90cc7e7ac69db280bae5d55a174dfc8d325b9909a8da1016d4e162fe5ba70cf8726cdf291f5e47083d9929cd5e32021cbfd982fd0975f6f9baf4322b553cb3174b11c007559879f308419ff9e4e18eee8d3640cec8aea082b90f69cf3c7676c28af0265c24c91cd58a06513198892ce6ce1ab3ee9ac0a2e937b973a9cac06a039a54f8d994c13d42c59187f677352e5feb32a417aebec4d852b2595e7e67450e06dbd183279e3b63022a3813b37257b085bf8454d6890875a2950d20210a8df4f9da746722f62687e92f0e9efc3e5d526d65ccfbcc042fcac7964dbe147932c73924bdcdf62f9eae58d29e8567ffed90048bcf0566b952e986efeae4c477944af18bd243c3eccf8d88c06d07279adad037450cb8547a8aa0a74223f4851747c803cb21a2dd027e7080aed75038cdcecbc4639d87763cdd41829a1b72cedf0d722b180d0d492a5740ea7607b95f3201df352fb1ab28149124d2df5d5ec106867897b537302c3431402348f94d28eebc701ae1b49d10adedea38f1654fbc48885e59e6e6dfd413c6b5a97d8c35dfb07a6cdefe317bf61cf91",
-	},
-	{
-		"4aba5a776ace38b6e2578f0007e770d264e39c49f588ca3547ad2888365e3a811994f8836330394587c8458eb0b6611499fd5d8e8527c3cdd4ec550b4a8f8c632384e786b420cb3be911c999c72aad60270aefad31b27a069ecf11e95e9d4c81213308d554d3103de4d9d6ab04830c2b8dfbd8bead52c44c21d5357f72810193b5096809dc7846c1521c6c569f78812c735aea21acaf6dce84a24df7234e8ad857f3e1346b27f5bd436113e2da950e4deff96e9ba8db692c7db723a105ae795da15b910c8286cac6e7dda8c172b70f61b07dfd58596684d61da8772356f180f74c1103ce97cd947eab3d401df44f7fa4cc7cfc25e280fc002873237e64a375b0b4797f4b4613c9f150090f44588ee8250ae44aec6546ec8dba0f0c1eb281cf66fa4eb141617b32b28441f6ddcfdf02d9c34cc62893b2b64dc2c26b74433adb3e888c7fea07b19c8cf39269c2716b9c35b7625d4a141397d6d5034b193d2657c6b2d6b0ba874c467adeaf3d501ad985d13be21c4ff6b326cbb671e4f4973bba49116a0399b6491394f850e4122969e4644c00b442b3da0d6a4bf25ee22d182b3f822fd83878ebcc713cb183651a67ca66677ea81b58b685a3a8e385d5fbb0147ddfecb558d881c914324c794db443b31bc15c361912bbbcba9e418f99f2a416d190cb29684df27c7f3ff6ccf339800efbdc4514ee00d1a89f12373804db4fd66c1affd467f251e73147b3248033327b0f7790fd7861a51773dd4f78b89e4e24b94df9203f4a077091bb9411eec78dfe3e1dfbb67ea1cdf17e1d6936bbb75b74055495449e9cb52f5749404610cd444fea3f0568e0d35a5ef0c395ab7bf0208044b5c4e2517911a9c351efd31f33220972287253fbccb1eb8f46960a36b68a7a6b4f5cbdc86d668bbf555fde8881e7faa9594da425ff8fb54526bf7cdc4af64899530561c06bed7fc04c5d48cd4542779e901bc48fab79d4d13850ad8247f51b9afa7d5a656ada25b6376d837cb0fa1b4016dfcfc158a39290f43f133b352ed52fab2f951509bacb41284fbdd849d8185fb7e7200f8ab2a07ef2b3b927e18e568dbeeba2c7a66e08cebdc6a6069ebe6656a586652f3905ae2bb867529af6a827b494c97b3a378408f44aaefbe86c613e11e7a44020a9ee4b62569dfc4c462300daec7b1424ff1c1849ca1332367470475c14877cbe76c820cc651c18ab3f18852b93994f93b568dc7f7b0eb5f07ffc4c9384c851fa9071c6f68ddea1ccf627f889c0471c76aff9f52b07ab1b86a7671a2b2f6b25c0ddebb66ac95737bf7e2f493f7665b5265eaa5166556cecfdd3062802724ec24f3978b903d0f0c24e1f0b8d967142bccfed0d354279223f4c28684e9ab611e9ef89a3f25993b5a8b3c0354931780501651236a78b58e7d7814f251b053605f4c0a8e7193b9cc1ee5cf7378e6f3c8fd44ec57bd91e62b09fb1d6bab60cbfabcc6792e6a32ea7918a9ec9180d05a7e1546d5d2d8bbfde2a71b4e427c0a4d28d0b6473ae",
-		"921a401db90935c60edda8624a0590d5c46eff3522e35de2872f6f9394e24126fd8143b68a797c995624fba0298b75eef974",
-		"6a4d35ae03bf277f587da4541dcddf92bbd906dff45d5ff23c0f60ae53b062be",
-		"231b5780fedfb06d724450b3",
-		"ba40968282d98849b19d867f8b564ea5a81d657516099362926bca4cb6e9ae02719d10c8061f53008c727a0eeea5e1e36c9e55c117e9434e213316c96840231a1e356b254a9981d4a6ca3c66cfc61018bcaade1a4486506559e6aa3a86bac980d391d835fd5ded98d10f1394d84bf1bbf2cd3397890d704154802f7864ecc753db782fd3d19213ae65ace4770e1bacf32d61c6730aa5adcab4d7e2e437888c11c29abba4890a17a00f67a53b660becd94092df0598df5ac57326f6860593a519e28bd4a39f6481e1a4748881fd5f0456a3cd9f28d1d1e78dc64030cbd8fdb2c5abdab3f13d6ccccd187e71e989f8c486929efcdbf2a763effa95af62db5cef95e9081b818275c69267022fda4b7fdb8c650b491a785b03d4d0186625962b6326ec3f4e176373da4dc1f83a14815adf82c6bffa7c6967d77528d0249754bb4d17656bc4a89449b16152a4a1aea7eb0054a8892f271138971507d2f3b237ba5b620f444544e4a8c2b1ab4f9168762c27478c9f776c47ee2e9ff05bfa35ed127f0cabe7cc053640bb8aa01f8359b74bf89ef43ca94c48fcd201eae39d1835957eeccd6b3a852f4e1bbfef9a469f42c764481ff8408fe5871afeeae7676b58f4202199aad50a596626dff97c8e60d750cc59da9f595ce12ce9afdce14481cb1e39994de8fe4cce07845110d6703dc59d34734e93e9e57e1c52d61f44143a2d290220a4bad5098d098ee65ea4b6757d8a9bf5485aa3d697a7826d4a285186f5da10eff707566c23c6a15033365bcb498c44487c72d96402d1834753fdbf86770239761f03e0dc8963766441da99c0813e4f1df5a1d018c8799861a396562eb24ce305ca15f4022d83ea3c56b68d9a7ceac4742ec0ce50f4d36273df26005ec2b051fa071b319be2d8a5ed26eb75bc1ea83761b8454db234d15d84d6706cd178981c1f156e6d28f774aee3e9a4fade022e71b52b50aa532b8bc7fe464f22d6eb169c69671875d614e987658820c2f584a4fea3008afdcbb646dba3d69020fbf503f121be3480344db23efdda0d255aa058c3ff66abd3a5fe35db977521608bba7eddae72ae801f4fbb12a1de4133039e046ceb8db87e465e5ede1d79a08c857d59076d7ff858942c31e15cbbdae6fc15c3f9545a0825d6ff8583c0aba8a7d143d27b93f6caefb98c0d83bd8715abcab2a49087f55a9daf9090eacdf45be08ad80b5df5070e1719f68c4cc8f8711083f0f7823a09ec092f22df95fe9e95114fdf82a3f6eed0bfc9c0aa65222609442776154a474dbc9e662cd5dce66846572e52417ee5d7eb59287d07ef60a9537fe1f85c7fa74fe84dea0da235ac7574335e6649b54a6bd33397df4bf4a7976c4ab868aa702766d2bc8d2c82c2d1c2653fc8428b8d1e61852ac185a3a0b416dbcf8eb54c44967ff43c44f2b32c6d4a9dbf2c2f3a587b430aef50f0375cdb4c1b319ac9aca486d9bb321141b065f52f7b6decaf1985531ca7bbc3772a561eb1efb8a6297075920bc432131a5b211bf25e35fa31e12833bc77a9de14c7",
-	},
-	{
-		"6c0056937faf1023032df1e2bfacbbc58bb022eba25ffa020d4eb26f0caf0678af5d0b2f0c1b520f4843f107f0adcc7b5dee66ff4d61025bafb4cabb64d133132e3e423a599549a1d83aa8c8e774444462aa44b00b460bbafad5755ea6a872d4e6b40e3f4957e0229288ea79fc2ebe5fd9020fe4481a9f42ef14a196bd136aa3c779e311d0c333624c1ddc484c9aa7259cb609e4d0a826c0bdc7567adac01da23900b30ac4e66c100348584fe200747eb67e6287268947e3509d5d2b5d7bcd977b80a13f660d4f6956a8b938a82db75eab19e5d2a22cb5f3c9131e278eebbe096b5f49d16c983ac240f3fbe821b247cccb2c9e6e59546122677f49f56a07fed56647a6d3e0e09520d49009f54250c10e7c607cd5b4ddf81b5c4110c6490e9baf56418236211856f5a85feaebafacf92c0c7501c052f9dbae3beb7484f90f334f50b68571cedc67763b5161ebfd5a1709cf18c92112a4cf4d8f43d1895204d8a2ba5e14883a7bff75cc6060cabb77d38a909daca2417befd1bfc05a11c432b47f90c807ca4306400f67a0d92218adaca84a584a8bd4395c93f9b6a4bde9583c79204444634a8473b1244cd33cf980e443d82ecfac672b3f60e2e41ecb3c5a445d9e88c0e90c339a31806e6d79ee52bdc6808c73e8b7b24899966664d3c1a9305f31f0483e24e36fa451dc1d3f2eda05af6678971e2bdfb7c1461c9407c5c466f6b5af34d992a37de3809a22ae75275ddba0f4f9cbd4b18c1acd212192e587889a36bd73c860f0abe08bcd8f00f5ecdb95e1d560b586eccf530df0e5f3776d8dae2a01768bf1226b7ceffa7ce4e75879c82dd97db3c64c06d33cebc6b35854618355d80e46fa79c3e9743fce5b974723c421a077e7ec7dba286881dbc1d53d442a1552700fcb33f83f73c69a0a0ebdcf2f5d461649c4d0712c514ded268a31509f83c1ae4ff4a68e676d29727be641aa4487c08d4b90ff78e24c6508d69759751a1a23690ec9f8763621e8b107295b4bb01bd9fcacd8748e24d996fa70ef6f8b0992f4185bec8e920d7643159f9f604fba394b6611bff435998b2f097a9e948430899c8c752a1e83a061983f00f88ebb32da214399167932a1a83c1b47d09f77593b03cf6521520583ea4483e2d33e14ad60584676d1791779b532c085d238df0d3bae735d0078e0eabd63cc90a2e13d023983780afc8f83b1c14437937c16a1b7c41414c48cf4ae49587ad9fa5b16fc949a749e96032248c4667f58e295f999590dae1d99a2cbe3fa45bcf4a1d3f0356d64d40367f64b2c5cca843e5f7dd7b88a85d52328a00622e6c317879607bc036c9006d38652ffe21c83207c00f8348a7d0aaea5aab4c89077df170de6d41052641726eb6925cd85a9ee01a9e636346340e209ea96d17b0eb0921b96662ce9cb430fb6ac348331dd7133875769bbbba99dc49333950e4145a15ddb0789c4d2ccd38878080ca9e57ddc6cd5452790eec45482f8e990392e319609391fce0beba19463a9a00d8f1de9fbf22f23821de7d69fdfbf3019ed61aff79acfc5a6ba663a1e10da2b9ff7149aea43bd6c61a543008402309df0924de72c1cacd2d6120cf422e61fc1de345cc8771934d8be77d9437a09e06a9b2d51c849fd9a200fa714328d34f36b684f33df6968b827df916a599a4bc3367814fec21198e2213ff653cd2a463892966c72ffd42a26b3bb91",
-		"0d55dcd08b54e58916f622f81761ef6a2e19b167ac47d3",
-		"e42e1d6d44138f3d2bf12c951f454686f18d590fd30057405b5a3dc2b317fa97",
-		"1e46a7486c5a03fd6758d938",
-		"fd3c1fac10cc82e49235fd57f5aea0ee7a7bd6d539b138d4b3fb623aee591615c1a61228ef9673113a3a90a3687a12d4c6367d5f7bc67d422fdc4106455084d79c2c42c5e86368dd164bcbce7925bfffe7d96c13a2f49aac8e9d1ada3554e3fdc21aab00455a0f33b0c1fdea91b3588e7ad301bfccf9940027332fbdf966463491f7a33c093e0a13831ea9d2183294f89f414cf7b5876af04fa68d594430194429df74fa5915394427259e832bc545c13400aef6cf16620d48280798a6e49773c9316d79fa1dc758e54cde2e2cdb856092d83f4e9b698385cb976fd6cc2538abe055273a5b34a784182ea5e7d3ac9019a05de5e5afe4308a7ed2d363cd50ed6a52df1c616e4a82f607ced768445d13ae4884f2ae1f9fd8313924e8a1a8a23905c92eb231f638dfa6f4cb27bbb9844e05afbbe2ca4d1a3b3a5b371bf33c9ab6f82a7387d61cf8bf662097624145a983839b0cb9f4bd07556800b4054fb3d0bac94f44bcc9b4ac49c39f5571fac4e02ff09f08b3ed5add4bf8bba934e9feb773c0590b45c45fa036382f3fe9782ad19107d4630321e414b7b442b64f18fdd5219039e5740f34b3ce8925d1afe8a39e35ce8db086060bab63b9720700499f82db19a62897c6d845389461260303f9cf2bc7235a898b4620c2191ef05604a5c8c783d58009533a86b27c12b0772635d34ac53993ccf174c9087073e5e69b26c0c3d9f768507ac4d4e2af847b65e3a6e1b7a6dafb0aefc190871cdae6c60f0b1d6137c351d4cb211870791cf4cb8af2ea446f6401eb9ec8a5bcebccce898d1dfb13454df6b35b81ed6d7637e6e261e004080c60944f3a08e8e5fc7e2e4939e7c2607c8cf07d1d10883ba3ad43e2611826f245df571857ae0a7a867df9659f2082c19f94ce400132e48c7f8de2b102c7f83ba5cd1e785597a0ba0d73bb81bba0c00300d4bcd6ec25fb73105a46122873bfa729c0979d8d314ab7ea52391aabab513dbfd1cf01c2990c0a3612f4511c2bcf0f5a07e659a881a7f99c3f1fc4a46e66904427fe26a4a80a904c047d090c861a075c0ae4e29bfbc18b9620aaa42237f4c6fa76ee7491ee638ab5f1cf0b440759828e1ec519679efc776eb1468999a00f667e87199ad6891e98b95fb682e02517b024a6bb803ed23c944010cb7bad0733eccc12d6ab6030c6e88d510ce92e2f98fdcfaa1e37e41fbfb4e99589c0e8efbefd40473db42b3a73b57b22a2f8c9bdaab16831f1b117dd83a77dd01ee8d0c2e92203adb670f4fd65e618823ad196220d70e014c1aafd8863797c61c16382c2600062683ed3a180c70891717c52da15191b02f25d1715ebf33a5e6037092421989c942082f4b836423cc3e976c9bcda185de36f06265dfc250a27d2de0bc48c73b3bff704f3b386f962522f572108458bdb283c6ab3fd33b3ac13a406268fd5d97e17db9c0f780b4b2a8f761d15a4d8b3a0cd73357ecf4d26a6492ee069f19325823ef50bcb2f73326719a57b67eeef506fe8915a1b1ba1a637592268257b91e9c7c5d33cdd947967efc1952005d82ccef9a3ad7ef8ffbb6b658983d64c51242ba53f8f8963245b87a25aa9324c527e53f8c11d55f30aab598401589acd13f090541b3b057b162190f27910718b02a6b8ddbb8ca6cf40bf0d2848f4b76341bd5e78f476862bcdbe2d1bac84c0566fb45b21388221ecd8483d99fe603646b1a9f38a49230cf4dbe5d7883d73eece01bf",
-	},
-	{
-		"04892b94c65685f2eba438322b29bf8439938590d3e0eb10a29e279d356cb439f6dfcdbc3552af21f7e753221012a649a52bda780bc589ae63b04b981dffd113df9fcf14f17e35e865880a769bb1bf40dc99b9e85e4296c1f2e1590fe02b22bfcaf2d4bb7009a4d692ae4c2d5f0b6d3ca526240368bac55b9b1e6a7b498d3b137f0fcfef1873c5aa2111d7811d45bdc26be1c5d49b8a2f36a999b1f226ec06a5fbd59514485abe696c96ea89dba74b4688101a239b495944e30b3609f73caff3114407599ec5c30a5bad933655de7dddef97018ae15acec46504cd5d417c5052c057ac5f1c6f69781cfdae71db2b4fcac35054a4aa22681027356d68b2bdba721466d130d53ba8f23857631382b2de450232e9ad5551bd7c872ae439e79eabfb057d2bdab8d4ccf02b3003ade2e1f3e514dc92692e4fe5b579c9ee6067995b6c168647ce5a13be8543c23326a3260bb7029d2030ec05e565ced3c5366d20a283a6e95201fd108640d2b96676df712de20e4e12fa53f85f22cb24583844fabcebe40eece11e7221f12c88670bf994ed08e2000236f86258c386b0fccbaab8b68ec6a26fe41491d540193c4c12d1391ab3391de9317f41f505f1f1d09ca9862a6f289a533d2b297d4465c956360371ea3c8ed36e0d1563120654e3a2fd69cd6c9267bfcf92e84cd64e162c84199d6e552b42c33857264b5d7a2e007797cde32934a3f8c68b459cd95bc85e7466ccc9910e8dca65b315c32e43c3a5da908904c42cfc8ab74126919ceeef1054bbdae6ca67b02f1ac5f24808b5eee24577e609a3e3935a24b9ebc1a8dad1fc96abe26012928f2d5782755f3763427dda28867d0b1ad830d3c3f17b9ec278346e5a9480ed23ad44a523a4dd86e65a610ee0de1afab64ace7a3b4918fdc14c6b1ce0ec0903994da9bcf18643d7e0a4e6c08200bb394a89b385d2cb829417eeb0f7dab9fa7306a330f82973cf0917b5ca99b585d2ff0e8584e050077467f5245ecfdd5942e4fc72dc26e5ab2ffc61f996167e68168cee9a6d3ea1e1a696060465e35da8c75a1aa380004faffcb0a992c627fbdcb4e97721271802cdaf08d214ec2fbcb389d75709d7a6b9d35662661c8961f93d4a705e7188613f3769114c55400809cadf60d3b6068c8a5ceef078785171b59be1140c6a754ba1de5ced349df63d67d59d3a8ca3c716ffb506772d57e9e3f2caf7fe346c4ad64aa6c37e43b9bbaa8f58e51bfbac31fa6137728f8e5b728025697e5ad5c8301f6ff39eb2ad595d3cb24257adee88a84fbf1ade4d7550cd9ab94bf48e1424ae83184c35c5a5920157d45805c2e0ad129fc7f0ec3c41b9d6fa04cb8918ef379b0783d1cc2863cd80382585fa05320ca4f9fd90353e490b384ed6c166c6f802cd7bd39aa43667246e8da96992db7537d472c709b01114e95febaac5b1a3c77e1e9a18c2d180e63f0d8fa89f6a1ed63e909e4741af5c2a0e47d4d3f8779b7696358f58060f3f461cceeebb390c92779d30bfdedf1b08ed62dcc05a545bd0ea915f42976e81dd8a50cc4689d8d8007508bf53e7da5bd43c3894968cf0677681c6b818353af6bf8ac205139add1310e5d363ccadbfa0eaf735808325e7f9a6aeb1bee3ebb4a27576a88811859c216b6f84371c43d8063a0d87bd326eb6d81c6896ff534ba2c9c14a51d2cfedf33a5c787279bb4a7ff65706b389756a6191d2f791254233ee047d40d64c2dca878a42f903fd4382f39a89a723fe11848fe37b2008be53f7c2d037981d6462a4eea49df1a2e074957afd3c9dfb4d218a309cab395afe301ccf",
-		"67b5eccb1790babc2dab5e0d1ff3871c3024177d45a2ae",
-		"259603e1c3af3fd0ce3257eb627b02e0c0a48ea2f175de3d8c36570a445e5369",
-		"e14de73c4b17581a7e0d0649",
-		"33522e67ef932da5fa8abe628b51f3abd5049951dbc982ea95b7769652d4830c588fa45e3fcff094c8602b9008d7b2f9bf6c1c4a8cfb515401c7c44a7ec42ccb967722a710199e121a41160b1ec581507e9bd2e2e506b10c4b5a8d6977435aa08e27504957cd49e756e1574c4ccbbdde937de35128b7ee3455d2e665c596c2e97c253c94e405f85eb5de84874c099b4a97eb8f492d28f2e4bc64b228dd5984e76ca08376d7f1355ba8e0fa60fca96635075417d8b436278e0fb91e3bfc7d61ca8c7407086933c061b2d318f46f352099e1d317d6c44098539d1d2c1b7894db668e7a82ff991864fae236570cc420a4229883f1e2242d05aa07e175bc6abe11cc643cf1786a4456a2de8c066fb1a70fe387f149ffbe8cca7b110e256fd0c09b1d3bd7381cfa82fa700c8db1e79809ccf75ea52d0b349264557046e8703a191ddaace00ccfc513db5e78810eaac0a99d7bb1a5725e722d4e595216a0e12f3a7aab2e623ea9e1dad06169914bcd51b643016fea7dc3f2743b1e65877f1fd5581bee5ef206d86494a587ec8462a170746fcedb2c9f99090674ee687382711b4610ddac599732453dc063518aa36f5b4129098fb9fddc02eb8f8cfc2fdf0d904ef4d6d06014f977b29d0e9aab4044ce9c662a18b1a8db1ceea97854e90704430fe9b1046b221b27ac79054fcc68c3abd6fab7da66e255ff0cbd0506c852e961e619615c944cd9a05c25abb63742f5da7bd9939feb0f2f2208c8ce82f551a9d4d70e935dad018e3e4e6998e39670221601c3e34716ba75eb4e2fdf53c4d471c444330514986de45cf44d77f793c17e36a271fc65e6bf08943aef4c66547dc310c7a430e3fe7a54898de48f69f282f52bbdc4daabdb325cec7ab66fce1aea4e2fd932dc1a316c821f5220ea437447feae2fa478adade7cd515a27d8c132d0299b3ca1bc8516c9d9e7c65c38c238c69f03e104eb42a29cacc8d79b808ea6fb233a5056201e3697f81a2d49ccd8b8efd1ab0fd407c16a210767d1d3ca798ee53a4bbf1ce5090d321b1a64fc2c5f013c23829f5b0d2737936ca71595a1d02711c8a7b0e74654e5d76376ae26977dd49c68e3c0a7b36e047d44be42d732c31f681bd7b1b4b339f004ecd847960377acd005debfab13d0fb88355025877630aff753a7cfddf6851e8bcc8ec37b8f9149830f47e6b601098b2ba19a4c0808e31e8927b2525cb82bfddc9b4bcba2b46bbe768ee278fb89010243d16f9679f5ba4f13cfe76b5beb16c7b28daf99b0873098115c2233ee3402ac0f6c899a2cfcc83b2ccc06676999ad48017c4ace507080a26501993327ebdcbd1e2eaaaa99f4998b716cd9e36eb26b4573a03fd1d18047198fdf675ef4f979864ac85d230a011c69d8b6c45e9efbdc2a03f195c9731b4cefa60208ba845c0978e73d082bf6d6a513b93dc805a4f5973f4158f60a200167ca88704a15ac5ab1f38ed455a426f7c6a96b6bfea2ebc1ae1247cfe5ff29ee81bdbcb53b03b89568bae9a6f311d2b20e31c2d91bd18fd93a37be266d0de8015d52e325f78356dea0b77cc76f28e0f06e4ec705d1328340013a77b0b6196f44b7712fff4ae0ac7f6afab9456a95012b7c6d387285487476d189977e28f6c9d1a3f736320d61302c2d627d5a7ac8cde4988056b55eeba27efe7e640f94c115762ad5849423ae138c76f15b47bd2a2bde2c492489b7980aaf1c4e32a155f858d7be4fcd0f8a18e7b5d97c5a08d7885d6d56222ef49542c7f80498a14a8eed1c092543aac3439966d5b5d0cb9e602f4fd795c09d652b64f9ab67e38f48c88d18e30a9774f37e9c77b7a94cc7310d",
-	},
-	{
-		"4ab8068988d4bbe0bf1e5bc2fe1c668cbe58019c958dd2ec97164aea7f3f41c9f747527f1c0e5fdb2cbb9d2ad704b6955cb731f14403dddb1a28c5996707635e4eb5dd6ac33d46eff8e319cfe7cf6443869534ca9812a5b23a6b4ca172afffc064dc2b28197117115431e03c00447f87d9b45172c6f724006270a1d41fa094847cbfac9630c3a785f488c1f5cc407ca6f4cd18bac43cba26ad5bfaccfb8f50784efc0e7fc0b504b43dc5a90a0525b0faf3c8b4b7046fdeb1cad87ec667ce3eb6cb4c358b01393f3ffee949030ef9fd01c1b2b9c5219777eb6ff5b1d7c3ef8d8e3bc2193dfb597cf942c5fc50befa527fac0b44cda2bbb811b06ae87459750295371cd232754e2bb7132807d1225950ce64949b0650531800bd0074177677acad937ee008cc0bbfdf33c6b0552000238494be8be412a3e5cfa359e619d092c76310a76bdcb22abbe6f16b3b116b5f95001d20e42fc3c9ff6723e580f378475788eec265a1ed2087de8cc2eff72184f73fa5dc6e68a56dcfc85350bccb97135386d5b827c2d9aea065708f5c921454d1b9303f21d5adf19e00415acbd86d1e5e42d78505b033a515a435713649c50702f54623cbf31469f355c3be2e30dd8c72b4127764451d79e952ea1f9bb0269da56dc07060d5d9542a9c1258ccefe53fa3f7b6073cd38026256b45c01b6c5dc0d91e3139f30a8d1da7a076738f5bb23352693a8e3cbbb46226fa22416680013f9e3278913d06aee4a62457357f0a68d173a360af5e1411840e34c574b4c6b352f92ce33632911ad8b6710d357b7607ee19679e777baffb8ae3c0fe9786b2e97fdeccb5105ecfe81441f549bc6b50ab84b749fb33f8f6bddcb6bb733d6d5dbc4b29725b8741439b8239e53fa435ea29ed3324202b1bdd07d1987b0e06d8cb51013dad897ef02401290940ce3f2af72c5d1b4c8836299008c10b16c7e3e119e41ec66d9db6929ee09bdeaeda08a50665c052edf77b7dff3d8815046bf71d5015e3bdb29a4f507aeb2e28c536cdcc9b8d1e89849a0683d78f99dbfa90f94aa5dc08587657a8f042d718080de5d4a973f232f78c387b63c7143fc2a4380c491414a18b6c4a7bae2194b62e798ad7ec7d09e409425f6d0973accb17e4d860f8ec0283584cff076d93bd9b0c4873f9c57cddcebe3c3bc8afe793c6cb6b26c4582847b07446b7e1d9757de6bdf0df826cbc502bf88cf3a773866d3ff293034abc4afa3091b2126a278f50e47f2f66ebebb616e342098ab690f7f5828bf8cc4742c677d378893e9f188e8397bee983a9a0998de2a31798330f8db59a8581e1c847589bc0e2d95ffa68e39226cc15cf6cae5c4f5174e7848375391dfabafec202565ec2383721339f04c5c5d1da953d88f18cda65745ee8e99805e35203a6545a0416923b38c5db3c8aa00d64354bed27d7c78c4b257534bd7a18107ebe64d8c27b6afdb330d8efba79fd1fae480cd51fd3626bf8d79fb651b7c6cf752aa737a5123558420d48fc86451b358d270aacfa6c17f343b7a9956e6f64e4990c1b3f1e5097605edf5ce4247819b19f245e9a90758dd42c36699ba5cd7f3ed99a7df7eb155749f4b42d192c47cacb6b2865fb9ef2cfca283865cd06e40cdf7f89d76a9e2eb393e2e0ac0e2776da929f3f8e3d325d075a966d289c51347bd0bd523a5c81edef63ce9b72f5114c88b08b16edbd73f518096240a5b37421843173be8df4ac7c587a17ca6f2916f7d9a10dc75f81bc778a1eb730d12b51555cc414eab9c066113a7edba9a7f1a18092ae47f12f0368ba211feaf34a3b48a7ff5c91b81cf7c95675a4001c95a19d284fe4197fe8823909a123fcec5e45935da12416be1bdf14918414ad19b54a41052f5b8417ddbd207ee01d6a3e62fd9b0321b1c13d91d6ce15ea7b2ea0c670a5f5cb290ca8e62c26c6499104ab8e9fafb05170ede246bbf7313625d1fc9576f1609ffd08852a2f4b73c04f1f4eeecefe3f3eeb2185a618b6dd3e87d9d3fdcb349cc83c21f26b6c662bbb857aa95378e991640a160a23cce76153c134508c68ec54a5",
-		"0d471079ad3c3432b6de852ec71692d12d9df4f984554d458a9dd1f28a2697976da8111ae4454c9a23d1c8eae75bbc14f8b00e7c065bc290f8938282b91a1a26c22b40a6708c40945d087e45633a595beb67d8f1c29a81",
-		"f3dac58738ce057d3140d68d2b3e651c00ff9dbb2ca0f913be50219dd36f23c6",
-		"bb2d033de71d570ddf824e85",
-		"238c4e6be84bfb151557327095c88f6dc2889bce2d6f0329e0c42a5cd7554ab16c8b5a4db26eab30f519c24766b1085e11d40823053ca77adfe2af387b4dcde12bc38502229510606ff086265f45b1087375dc4a022eb0b641101c74ad566ab6f230133b7aa61861aa8202b67beddc30dda506691a42032357010d45adc7ee633b536a2fefb3b2143837bb46db04f66a6e2bc628d6041b3d306ff78e96205ab66847036efa1fb6e6a387cf8d5a105738be7163df9da0db48e3d8fd6a786f0f887968e180ad6888e110fb3d7919c42a7f8c92491d795c813f30ea645fafcddf877f5035f133f864fd0ba1415b3d698f2349ebe03d9e76610355e7fc23221c5c72b1b2628a40b14badf93288fc4abeaff5306d274f21938650ab236a39496d3f8a6e9086eac058e365d4335b51eafac813f9175bb7bebb75605909ec3fde6515694e119f7b6e96aa1d6d6454c3a7dddeacc83bf0c1f5f6c2a9dd2f460f3e5b074a33b8d7904e6988ae43a22a87f0933f812e45c4c518bf83e606bad4c3c55422ab2207e9d3cfcbc5819049f55e35b9663273d9d3a6f8a897fa38b0dca77eb6c344290cc007b68d913187f2cd480a40262623a4e95d90d5701ac2b9d858d70a27f0672f919c2ded1fb89134ac9a8ba6ac62931c832372abb70e811dc50cce264ece65e87338231f18ac007c5f68f3b1c5904ffbb2e1dc361d53914917770d66afe28c547d8cd5896d892cbdadc34cd6af348c93bdb8b072f38b085361e62ded7a38b4368824c759ec7d2cf4caddb9191e5deedc8b8388bc4ba2c0672321bcda3a7343c9ea71ef03750912f35624d81da5fa8a6ee676c4efd99d0c7258b844ded7b35d8c8233a316b508d79c7c0b3edabad5db9543615179b1c111bfd78b79327ac5b4155336d670baa592d441c810cb1b7c07f3d35473a45b57e780b7d997782aeecfc0363976fb608d6967844ed00b63ba75996054d090aeb605c195b1ff86f9d9ab5892d27632cbb59c06b3ccd69d33ed5dea9398f00b7c6404fcfe2fcb5924e4cb75cbcae0a1b084ea8b15eaa5847431e9ab70e4afe15b4c82239f6165e243e3b76d6c91d23b16edecad8bcb16898641f8e323671452034a8ec9b42b29cec0db210bad0444f1c5bf3505cc41d514d5a270d556f0a34333bd06cd6509ba253a6ba7a6db8f1a60c99f0c3d566a038a72f1271a178cc3ff890b0df1e7438c0c1a12d9873643e2d7bfeb92379545de50834abe2a345faf7ca49beeab87ee516dd8598b71196b8cdb15e7200cb5bd814338babd74c565faaf33d9a8ed4209b417345a1ae611880ea22ab2e894d5d14a28fe3835d3b2718125f0e6daabd85327455646290ceab89e579ed5e1d72a0172e4a6d8da70290b5022c941f3866f96cc4218de5d2622d13af6dab15760a1ec5d10918267f9585284058aba611ba07b1d5711cef505869831699bedc2b190fe1d578814065c91d87a8c8dc9b0d4dae0c80cd241f0bda3a6d5e714c894b7a48b1e5eed4555f103eb03c9db30efcb855df422d7451a6d70f28174c7ebff536dd2cd2891f6c3f264d632ca924c4e0d84b37cf8e06e6f2e29efac6cf008cc27f062441278dbc9f09cf44987e0e9ca088a48437b0b89efb9cf00d3d0c5fb449fd4b64e21dc48cf300c2d80a502cb583219f1881e78e647783d91dd2f3b389a1594eefd8ea07d4786f983d13e33cf7a34e4c9a0ec4b791f1666a4eef4e63bde7a241f49b5cf615888bd8130743bc8a6d502bfc73ab64d1184ead9a611832b7e24483a1a0fc475d9ff6166b86a18a3dc96910ff182cf326456c4461ce8acb3467f801890eaf1ce0b24791da9c650876e718c0bf43c475174f9712dd4a228695e8f8b2b23fc4a06358b4a6a8e1afa87a0280c3e098f218f7a6d6bd716f8c105a7eb799ba0220837fa5a96c8a22a826a6f7ea9d7216a24acbc7b0133210cc17c8190507badb421bc54997ff9340cdc1ee415126ac46a4fec9fee12d40f06300f7e397b228250f36d6f0d2ddad5fe1898ea690e4c7cc3a116a70bfaf6d2dc996753fffae40ba5280b8356b7ab4ffbc914ec74eaa070581fdd1d9e5aa2",
-	},
-	{
-		"4d81b652fee892d575bd13dad913d976cf0517c819d5183a72eba995b1f27efe743451721ce34791a15a6b7a6e44f13d4a080563dd1d9d4f0946e5ba3863b9ac970a1fb4ed66458ec1b1092ff5fa6c3f0271a2df8e3f2e97851352be760b6a0e1589c202f00791b1b89ae0ae944ced96bd90754bcfa3e355b735132d407d3b5507fd57f705e8a8bd82886b16d459ac91e921dcb8c5bf0d7cf420a9349ee589a5e2e19ce7c944a54ccc1062a0690f3152300d0bf5cd1871c1391bf6d7007f7ce26018ca2a5c6f76287fd8c8e9e7f93b1806460dd35f7f95989a8b6f9a0aeb7c6b0346955fb50b8735e34f1ecb4859e34ea0f022ff6fb797094206a34cf120b7f4664c531c57da513b296f0671c8e9bf68d9e1674998fe52da04f627f516dee97c2b3c988216e9bd3f58c3b021ac70898651f1cfeaef21c4f417ebe92dcad3aaf50f4277262c356584f816a5a5862f2bd720fac10f1b86033371ed603bc00a30cf4da8f579dd5bfdd571a37af7d2a5cef29f9001bb1605ee87f24ec3b259f381a69b771f78d21c4e43bfc83a916e08830d9885c8ae8ab6367c05f92e5eecaf0488262300f83f4e3bff177590857e149216995bc52311fb9f16f4cd74e07c7868a39b699bdbb7d7dace4c6a53ca7ee6e11741a63a52a1d96995a6dd752356dec6f14761ccfe38a6cd8511204f8f0630a747d6e19a77bb030c61e0828436604a28a7acf4a5e49b7269ac93b93b99e9e2e1c0c47b377f7e44e05ec6659526afbdcd5bb172404ce5a9f8786234114c16f20cda6d4359eb873a4a4d9fdf734e9c40aa4db3ea9a98939210f6c62142dd144eb78191116d194bb766ea96da38321ae27fcdcc196560ac75567297984fabe6072c771899906350f74de6d18518eb6898b934b11e945d94ead02b821fd6682602e03e9c70a1ec67eed33874eb24dc83dd1035fba5928f8f62ba1282907aa8935ae72fcb881b3277ee6bebda8fc75d6cd792677c25f70c87b11e094298b2d5f39904be211ff0980e5b83e8ea4a455622d8be9efdb5aa8466c88ea861407d54d98112faa10293af5e16974861dc9f83b45d21b112cc367894c421f5049e49dd205bd7c15e6a70bc810704e2e3a3659800864912527f8be743acdc474a26246a81fc2bdf669b9be7a2a0c986432e1e44b5675607e7e1ee2a8dcb72d8f1964272926e52f909ede0ac8daa32d1d850158db76b959e4d83c9da4e3bb23fd1f5b26463045d6cf13d187fe74a50c09a654d52d0e2f01d66b9f8b4f4aaf4c69fa62a02aa876f9bc4871aacd26a6c6ccfb9bea09cafbd0268b5b65d60aa23ff504d02fad4719698f8b044ca1bb037ea6af58a06a448080dfdbe6a5d698d5db9da5fb4aed04a46c8fa8b93153bca00a5bf8aab64d2b371d072db2ddb688a9442e948f0b99236828dc115a2fddfa2a29e2d4e02ff0173cf734efd4eb687e3f8712be82abe1fac4be0c1eddda090803fbdce41bccfb58c43038991ba1074b281a09bac5eba58a99a1a9678ba26f8f9e3c63ba095f02cd8f3b56aadc5de60477efbf3dcb54b854f651cc72042bf19268554c61b44f2f338a75de56c3c45b3ba40a697f5f21c4557380c777bcc91a151e5676c2a59606200bd476cf98d20b4cdc64bc3b8670810a014871be018bc32fe239e287cfe8a7cbcd1e8b55e08692ccfb4ef871cf797bc0b1fd7ec37931e35b6bc5d32bbe7ae77b9962c179f96436e4a32f566298d2235acf921e38c3f1942fb7674b65e222d17b95a2e58f072c63aa4bba1ce48c303f4bd24d84963f18c5e670015c52342dcdc9c0b348c7dfac721b568effe2bf2f2e816ca3279bbbed823beede8e12fc5bdccd0f1584deb1f6ea1875e9fb350919b675ccde0178bb83a4aa5232bd5e8e9a1b8daf905c6197367a0d106532297ef89f3bc690b48224592c768bd9c50a63d0881370d475081aef052b444744b33fd3fef674a37898fc950f887ed482d2a51ae615ef5b1dfa3a23257e6a6a319a4e2080b2c4094bb09e4b390d1fcbefc4d6c5dab620f8b05b1bd5d976300b007e2b8120ef8a6c9028b7d925c795058c6bdb6711fc5fc2476b9810d1d81bd24637537716edd3b7068b802c531531df710d3682f9865530e1ed51b3b56d860ba4e972bbc74662cdd1e2ea24f81bf469193afc02b14143a32e9556e3f2ecef97c65",
-		"2538d98b64b6aa9258f9141840a5abef66d6037a10356366a3a294719c10d6c148b04cac66f63ebff052d730f8821f5e5822d869573bcffbdd636c7973433abbf38767597da5186df8ef9df071bc4ecade2633366102313e659db8d8e0f293d379fa2df79f456497",
-		"a5049b0aa153e282457555bf6f82b60fc81aa6fd1c2ea3db031478ffb74b5b5d",
-		"350287a6bed5709dfba3d35c",
-		"849670914f5fe318eb01e8849e536374ec11e813acdbbe6a5e82a506f6aef4f916a3a7fb2e41db3adf990175e21f2386d1805af9bbc32a6ac156b13b1a9505958f68599019c4b7297314229c467114754277b10e9f49a4d12837ef24184629c8902ebe2a23f740dc826b01f8963d47100bf617b314835e436104eb207fa9a1079b8feba06d9369b9aa8222d38d87096b73678bc5db9a1add59394530e678b6ec93a80efc6e8320f2909e3e891306d69b016ade0d30cde64c2c903b401f9d01a29b5cb8619dc68ad6c21900b365a6b657f7d9ca4c145fe598a94eeea741e20a9329996b17aba5d7115c93623f2f5d6927068d0f190b49eb885429d771bbbb3980e9293e4d664a71c3cb629d869dc97e58fc3d328331b11df19a38d61e1705ec4c3d779168abe049e9d675337ff658e00d2d610c8f227d1341d1c41f1c01d8b5d83c4b1b30ae4318da9822f46402ee8cd5cfe9f3f22d90a5ec2d0aaa0baa85e10f5295cc6005c5a0887287b0c867a23da1a4c2196f91fe0bd4f0db1ab324c26fe6088d7583f3cd052b7f6fca38e8b21f98fd07fe78b7657da1f586f1fbd3d2b4079e20f21dccc0d269d53a29deb7c7fb63cc291d1d2c50ff163e08ce612310d3bd622f2416e193078ce4e1463f8a3490578af96ca98e665468281f1af9117a2ed23367df19b570885de9d6594f09aaba4090bdd1079720b08d54311793c97bbe14433b031c865b059cb4f75db74779b82c4f83eb4bd829c62eab995027b548063d7cab7d1a6f9642da6cf7181c0ac71594b97fc2c84b1768f81eb287091f63c76623c61e7ba90c922c74d46b9ae5d8094d9752bc1e8020a82601c356a201e0473d540053c707a88f4baad37826152dd245c4cee6b0019583c61e4327fdf6bdcae53584cdba8a503b835bfb5df9d649705fcc1f09376eec96c3da1e105accc1cbc21d90f527041a9beb85f8cbb1ee8db798838bb45374b741618f83b5d0801a3af2f640abdbe74ec3dc15d6711b4c1480aa8d6084defba82ed221ba359c9744705c4feee0955c27ef468cbb816694516f73fb541e0ad4ccf99ec8b67ef090505d1f7c4c3a8ed7e291c820261f12d92bbc6609da6c275349819848c9112826674f243acb9a29ab73f17c8f8af12c7437c11972c824f00db7ad284e51b9b508a925f0664bb259b4443d56463bffc9e5d845c9b9f79b24c1f457088fadd281f48238866e0b92d6253638eb188bbaa8bf6a81d2b1087904974752697cffb00b4ba05e5b7b842a3d2c0a743e4bd691625788fbe9df14600643b1d161bb2916176b6ee40aee38dbb594ec2735d41369ed3a0c6dd9073f1eb51d1b77eb9a967b53670a8ed755f3b2b73a6cb50a9e1ea7549346646dbe4b801c8aa642779d8761b6c2d2e1a9995e758ab92f07c4eb4a23c042171a4b354f434ced5f6d9ccd26cd6c2506e5023dc076ced15566fdabc7364f4a8594cd6ec404e1a9470f52a83052390e4f7789ade9179b069d9f84ca2c7ac9eea51035db817845aded7405bee90cbe92364c8c7cf8a366cbebd7a972438f2a9881395a8610a2cd0c06c46b60cdae5b1f473f4fd6ec48479cf35101656f05485198a470cd36af22838e7ba3e28863cd8ba7bbba7e3c2625c1106a6be44c9e3d9b9938679b26f0713c62c3757a2dc8b2d9eed5e652220a7711cd220bc91a9afd7c940dd8be71616ebb8b2cb0686dfa161c6ef56994a3cafaec5e79bd0a2531fd1c1a42771acb101a38988bcba51ad85bffcd8c67aebec5b37d526b29f7b9d31388e1e7ad7154f8e65516f0d80a30b88c2b868be2541d19ea1d2bcbadd30e2fbb1b4678bfef7f200e0f8309ac0701000c52ebbcd6fa00cb85c8d3ea9c5aceeb3adcf3773cfb3bfc9ac764d031d7c63ab888e9b03eb9fa74554dab4719d426d0875a508c8c86b22cabfeeb70b0f1461db4e5f639d2a2d28a089dbcc48e3f34394ff1acb887b89f75d3236c8143bb9b06273c3878744340ea1858a9f383f8bbdc259250e23a3c3992bf8b7ca7e1a66913547710402bb538a8866772d11cf4214060ed091d403e1c9ca3af75859259f88656a1cfecfdb49d57c193e60a2223627c681a2fbc7390140aeddc19df035a5207adde4f5736bc542bfdc943ae8b094f4a8701618688fadc2284fb423f602c41ad8ee11e5d9fdfa67fb7dc7d4dce7847d4875b3af667168ebb6082f6911c95",
-	},
-	{
-		"67f0494a728fbfc84e2f4a043e121ee40f3b12b31616c78e157ed970db28674318b08d8b3f4c538d7b9d91b9b0b09ebfebb07201c6398fdbb8684c9390b3d6a8636333a3b086302b24c2e5d47283935d33065efa3fedd5f755218be5d4618d38c5c1db75470ba06bcd853f3f08d39c3cd9fa3618e70b103c2d9b2101fcaf39c1701436b720d723ed5c622d6535c9a10ec4d727abe237e80fd20911ceb84a90285fc6e07f9d036cfa65995f9b6300a927d7d0d2b907bac9d9c4daa87c2438a583fe85029c886f96ed08f5886bf53292cc0265850a1f4ee3e3288b604dc305d0c28ad35e1242f4ff4ae988b6deba48aabcad2fc6cd7eaab0a63510f3f915c4bb9f9719b1d90db123f639d9d4f3227eafcfad769c2b204dd2555dc54e738909122022c4f92f751d25aef6f9a1187750e825c68450e6d1223c2fe88aa27194b492b6788be6eda80b9b9f053cb77c8d9fa15324f23af5147624fc00c66e947b004bf38b31e1343c7cd341b98abe462a5f994e51d343664968624a2ed0dea9d0299d5c5a7e9097fa63d8b3ed96f917f693654766a9adb01110fa3fe0d8e9b102860d5c049df3fe00ccb2ed62ab05583e6aa0a5134d55245d4f643e274def29d3fc86d79979d599458786a8338b0071f6a01609ee6b2e4bba9289e2df780bb27491890d0b5ea650e62df819b8f98aae99a1b8870ce6d3c7785ca957d5b4094946925751f0fda1d62a9aefe3937a912c1b49b4272f87eea7e397feb84c0702929959e38a568460811e5064b1caf5dee53f920c6e19fb16fc9214b5de1cb770b510533f66d8a0e7f6f04ba8ba41869f8018abee31a6042d3919e217359988eaa9db2a10b3caf7aaba43527484d81304f0bef22165f74e9e1031b545ca3d2f74195984cc237b76ddbec85142a06446902339b1883000264031db85fb19b46f320ef3fe316f750f2d3d6070dec5b66ee8ef20701f20965f5171e44c8a99bcbca7afbbd81e30e74c6d48bc4b0d72baf562da6581fafbe14b6cc597f75e53b305036ede219ec56d0c0d29571a9c110ffeeb747fe56f6030dc26c8d3841b868a1ef56840932dad9f3bd7f75573086571f4d9f0d949510a2577d2f8fbed7e850c73ed4c071bf9a656d09dab43a610b49aeaa57333f67d586d4f50683dceee4942db9549f68eef4c5f8df8a2330857cdf2fc4025f2be7d5f0dcdc74a9cb593de91282787b716d416a3ccb8d6d40fa3c70be4ecfda26a5caf3724fad3d98db16ab6d8f26defc68392923b69664b0c2d56f01a549284b042bbd43c8faec940187f190aec08d06f9a62ab03c9f610f64c0010a0939451d5502511dfd3da1fec5a38f64640c7b6db2961def257eee9a3eff944828e9557deba68bd8e42dc7a9c1570e35537993061fa0f5351fd3cf4ec36386ec4cdc5a2882d5f16703b900c5000efa63888d69982e5ecd3e329c8cf5f003e23ce03c55631246ca15ffcadb0fc9d5634252ccda812ba7bf5e343c44244026512062a68374ed4d8add0855dcc22b30148e0cef0f2886be76bafabadf3ae1205b43c6deb8a41c338114895dd6b49deb329ada31b350e02a1bdad4eb05b61b50f9d22fa2863bd607406f552713e302467ddc78213d584b4933202438d63f99d011b97297f5589f35b7e45ccbd76f02453b7a7668c2b1a1f5d1d63eb805c8881771faaf67433eacfb22f9b6fa58b93f9423a5fcf667aeec39751ae17ad36992556431bca77059a29353598dac12bd3036633d2ccadc18f44123e5bc074f4e5ca380095af062fd83b647015259be929011cfbcdc9bc5d0dcf9b688f0f5d74da95746f447a9e1cb5028ccb2827b45129d04cf6990953a6d8ee0e67fe6bdbd8004f4744cae5607fe7ec4a0f14fe603dcead3367b6870d8e751cf57387d04b881f92cce9772d695f19b36e2db2cf6a807c9ee83225f5c09a11b50e99855921a4eced8e631af7c234aa31615c00ccdd7c6ac5ae8fba6e29cc233765a891864c7d73dae08ed1a3c27cd423d8d4efb550597afee8356c12018f496637daec83575f5e38ed2fdbafabafd38483c239d31cb4d104e93d16eacc6050033a3c86929be4ca8914a538bf540b43d7ce7daaea317bee1ab80504846554879f900d312bf2fbb406a0edc5f4f809cbc68675b0b7f09fd1a8a4d52c0929b3a8b9c1dae4b3d599b976867e6a7e8736450dabf5c49c949544386a71419324ea4ce5c4319899ca510f50d07ace57b013655b0929f79dbf3cd629ad17bdd10109b7c53a4f5f04a16e5471e823c898362df43f57ebdd1627b33fd4cafca6cc065d9140acf0454d5f99be47bc87e0f3b4d4320bbf0f21e7c261bb8d5d615963beeaa46bdbe9b83a8277813ffe6132b23564bef5",
-		"74dfdc364097c39ef91c01b707a522e28edb1c11529d5050ff820234e6c0295aa00591e09d547e9671804d7825705ab44b76c59d1315ed1297ef477db070d85076693013bdafa92e2ff6a654660008b176cd4e8ae23b9c792be3f7db54cf2bca385bddf50a8624397cca8ee3cb96944164e3cb461e68",
-		"b3b5ccd7ef49a27d2c6d13c0ae77a37abec2e27e0b2d3530cdbb7f36792a7d2c",
-		"c0494bb7249f864f69beab46",
-		"ed8d6e964bcde1df68e7f362243073941fd68ac77929c8e480c89f519f748b3dc337b1af6231632c975167a8425b174b42c2c60dfc0ec85a0a212bf5c9aada818a83f9664c8712d96de1036b5e5d8c8298786b753638de3a8da958549f16eb9c723355cdf7b999aac464ec39df7d6c1607e81b88b63043d1c847dab618f1b19336911b4b0145c2a694e61db71e021282006d48e37f10f3b6314dd012a07618228532c28ca84a936e0eff83723d117b2f2db857d14af5bbd5948a0e53018b31e57cc2a81f36aa013a844990753ccb347fe98fab294cbd252a8b8f7246276275d2780511fd3cb7baa2fd1548184f968c422230f7ad73ae9dde91295f79f6b799e7d234dfd6573fee6d6ae748b0a8cd7ed4862ebd957390826f276c2afb01fbb4b64b61a1bfc138508efd630e77580867bdc1e96a48a694cf0db6c2a11f05dd0bc8769e7200bb0749f5798b6f3559de55d0c281eb5df22b731fbbc109da9c68f209b888e61240c4c0ca006d105c0a7f43144021547d3316e5a99f6c429f9ea2f17d77dc68bc9d5125b6260f79bc8b3b8061972e6757d87b6544f21645c0b4debe5224f7c48142c09f35b8e144c0c1e6521f04c170519ff744d61abd59a56d25a26c5ed5972191b25e78e2140f3ce68fe17be9e59a79f6c69619a79b83614c670c7736d19c27fd22515fb5b896a6418cc0b4850e85c07b38b995cffafd9f69763cbbcfa9d1bbea6868244a66a5cc82e815fae09f5775d28437634926d571c2b0d200855e09cbdc67d10f85bd4cc334ded4c83aeea57f8e373a950f135997666b653e8de47a3bc0059525720045996bff500a47baeec97808fe971d7693dfde339e8beca3598fbc053121536c30d0af10f8f5d8e5eeaaaa9586d7abb563fd69e88351f93bcc46520f6d97c1a49ba9f8f6a25cdcfc11b2a722910aabe7435ac8f0dcda9f824fdde80850f21a2d4bcbfd2e9fcbd14dec05c117a9796db49e2f0dc55e74c7f0f615bd049fa7d0bfcf197dcda3ef3de90762e6f6f9f8a8936bd04fcf2a97cf18ecc8f2f118ffbf02b67f252097e4289d02f264161f6f90f79e1e1ef8414b01a9e1a77b88c039ad6eda6df1e28fcfe9370f0d574aa9e857dcebb19eb7ce8af9b19b4481c9fb3e1f0db3b02af483f737ce3ea824b2165e7c0fca8585383d4b0a16eab2c7e3ee5c038f939a97bc8e1c093cc5372ee45d81836c988f3ab3e6ee0e5f9549e4b7bc381a2afac2074cf75ed56b0e757e7966cb253d549fb0902da98294c6dd4de3c2e166b7e45098d2729b1393deb68471d4d3218dea3dfd0183b654ae4092a79357945eea4b28cfd06b40d30d1b4b8f19827895f6f908f0fe511f74ec84cbab2483ca4bdfc6ef50178eabad79b18b58529c9328c13c52c2869858cc20ec36ef7717e1c743d13f9607bbdb0b701d9df6aca7366814e883d23e51ee5b0f20ef70e2c4134ab037d213315fddc89009260981329a1872e541767adbd5ee9501e7df4ef0cdfae9769961f8716ee7dfbab0ec89b3f62e987387d5842e124a69b07245d359052ada50cfd67472d27ce2c4eacb5421b62dd7331da54ebf0989803797f4c8c781d0e2e6477b421c7d5cefc8146aacc0012af3f1f7cd71ce2b1045d86bf48c9a13fe469a1865294e160b4975023d0eb24ed26837afefc250a914f86f8b1f5d67d65e9737e841519148d4dd5dbf2b5a8b073861288ec9793d4b113d71c01727f67d791852fc3946dc912d60fc66bffccf4c45d859eed9f0bfc7f89086df5d5cd830ac919aa7cdb4504018052d67f6a3ca012ed69187cd5fbe91875cfade381bff1e804ba59cd59f0f75cb46dcfba234ab9832c3fb9aa8dde19fc1fb30677ac1793a38d94aefd9ffcd4e777e9e4f6d49e0cdac6c16a36bc2f3ed8e23b80350e3be6d866aaafbc8cbf7c69fe44c2aa80651164803150c23ebe262aa669c77ca94d215895d2ee9c3e325a0bf2c61e419a41e0f7b1ba8ee0508307d49301abccd5b74c054b6c7bd1aa67cffeafee033761d8226d9dbd7214b130a867764062cf4da685deefa23693b8549d5ef5e53df85c19bfb3c43c6bd073e7a836f849587a4747e1a9a3c7194f6d5472d2e3e4c81784a3061fc9bd3b94862c4784974d859134369486f2651f1db94f511c6f59f41da0d75307191602730b88e4e6101fc8d392c87687f3be454dd92fb8ec380715bcd88aadb63717cbce4db91a36821a572c363759d8d0a2ab007e5981b78731dfdea20d900b14f0c5ee6a4a9b532ed2134e6edb4dc267f001cb88dbe43aac4aad453b839d035697df7de98ca7a9ee7601228a79004b89796e9ab971aeb8e62c789bb21f38b77b492c57db402bf6a42ad0cee169e9251d865ea3e5f79b1801ef1e53797aa6c7060d6f9486081",
-	},
-	{
-		"04cf92a64cbe135f7fc1d7223b95e41d13f04b482018039f4e7ccacba8aa15ac79a752c5666524e527fb076290ec80a3dccbebfce3ee9b316a65fd130f12bf88b9124d1f7772049e6d0c01fef881a1d44c8dd02f7b6b60e6d15df9e06fb86929cab64842284de09659e19451623525aec2f5dd3e603e24319b1d120bd57b34a0317ce25ac9c2f022a4847306b998b57c8d92baeed0de1f6cfb3177d0acab70de275238f1152813b9ac87bf651f74e1ad079b9bd779ba4374ecba459865b5768d08ae7e1dd691d6821895e8380ac9e5116580e8de3a2c5326e698bf4c4d35d955e45772bae8483d01de2539e8ee1ef9539ee132d80d85fff41dbe406af319c0d7703292587bcf5959f49241e2b03a364e1b682729ed261d0ae45d74d77634afe667413ee210983b042a7ce6dbb61c29d18450fa7176177b5a74f032ea24e1d08b220f6d32a7a836d1241cacda39d6acbd26a62f9dbeaaf7329a291dbf0aed4a2cfcb85ea360947585b1215feaf70ba71eb2d6bb7081b2a21bdcbfdae6ad2513a9dd714d3d06c2c2b7e322a1db2d48f9df1fb44fa066f2bb42b196295ebb3c0898ad55d5b317986afaba0bd5e754cec773821613e908ce2bba6454181f9020b73e758df18c255c87df675cc6bb2b8d2eada44196ac10c26674167f94a79f4be515d8d6a1fd3228dc9a85a355b030845dd4c5f481d5b6e74acc66de730629581b022fbcff61e5dcfb6a7f511aafd577849a6b057021ecbaee53986159c1ba74c3e930c34a159f467f1e9799cd6c1151067c56769e43308c96c8edef8aa7634d909310dba9af2128cdb8c29b24d3ec2a4f43a1ed86d1791c9a670b240e6e719f01827aaa319bd3ff53959a776886a1b7c942a54f141e6bae8576d294e44333e6c5ad90f74863f69bf890126016b318e0f6bd2f0adb9bb861118af5f6cd28dc93d56c8a1dd080b8c810ca29267d410673fe367dd9d1353ae2bf2fd88d57b4202c21aa49f12a01b93acbe260492367bc219d3afb6e6f35502f6529bcbcdddce9fe8632efb034a9eaff8b4a48afb105d04e3fcbbcae010ddd6636992213750b12fb3e01ab72aa957136e0bae591bfb5e0fe819cac82a98ae8df230af399160594540640c6b1d537e7b5f1cc47b08127ae02c35b846de56c4c08773fa18d4436e14b76a7fc4bdee301d0af4880306f2f33328ab79f6f24ec779b2b1928704f09bbc5b0b7108e9a115e4959df79c80eacfb98649a0788867e23b2974b22e654ddab0494bc922ecdf17727d0f0efde9dea7601857d890bfbacbd93f7df794bbc254f50e1e17eaed2f5d5a2e6c58083aff68434730d406fb9fd02b0dd7bfb99a04aea812b6830fe5e05a044ca21c77a174bae8b58eefa11ecfcc1c977bc6218064c9931b5c92f13cfd05799f11e130869c293c1b08dd29c899365014fc8195514b286c97cb6dc4b8633e47751f87fbaba137b6aa04d072ae06c2b2f34448449f60b1272c1efbd4722a2be749a3d2e5450aabef1f7c51bd8324607668a8caf8097c2f358b1b09fd3525d47ec9a7640eb20ffdc17c4f7eff63df75dc7830c471ace3a727feb11533d6e9a2a08106af33069cf482ec63724032e81cab18e12cb5c4c3ddc374e2f75bcc99fc5da09b80a738852a14e8ac552b8471c6ad52e35317b730db2c13c277e06c643e0d0fbea43833de4d2c7a9247ff040e9c56f1ff7ea92049c5341c4d1478a14275a10119d934e8165152b89951bca7ee1399dd8232fdcbf831d8354640e698b68799d060ceb877201b2fb96cec514affeb28721e163e1648164b9e5722271db9b0ee1a7f96819fa1b1590e9daa598d9571ffa3882db9d034056e9b2785a8d13686eba61d7d45cf2e9ecdbc391739ce89297211472be18b21401658c5bf29fc3615924382d802a166d05dafe7876e70a0d081e80c63632da379766928a0555eb5e7a238cfa4da267527c66caf34dd40055f2801b29b3f5604a5bf3d46048bfbec2e24abd2fed2481698a4b5cd71f5d2c12dd473b903c9bdb978eaff7d76fb69951005681ed7b0257054eb3dd6d10097fee51ba7e8d565925e4091cbb78d255c9d3ab4ac0264d172c9bcb0908db1288c9634248f198a1167daa323822058decd83936985f83b08b1e7b942756a7af200af168fb8a091107b4443fd649cdc22106f9b9657c69f19be485c23b2c715b3762c332eccc44f380883357d10019f20612ab6b8f155c2af9e2ec340e5d8f45bf5278ac1fbc9f9f44d2f615d21007d822b244b1c7a0dbc182c7f5912485d6e4d74e90f60a2f964e028c63d49c6aadbf1df170e4914ca514139ba538207b1cf7caaceed4db8423dd1086b2adf15f6c0e50dcf2e12898f53c339a745316904ae03c38b417bcd7f5cd5ea77a4f06e65d56c24f37ebe72d271ac79b6ddd2bb8bd67f0727ead49737aa71af4f620da53769ca3ae878adbaea5a249128074ca3ddbbbaf5a68f9cde2a0e8d69708b0ea7f4c8d2dd4180882bdaacccf2a409a681c551776bd10439fb12b7548342532b371c0e045d8e8c895929464bdd4fe25f0533c66104daaaffed52446094978bcbb389c",
-		"001084c8a5175c0ad43108f9215c35886c82321c800740c6118a3fcd45776a4588ee0e2d056a37d99b40d2bd9c0845088a77240b7e65d18fef105d3488c77910b5873dbbf275948db5",
-		"d614d2e671066e387f7eee07bca9f9313d86e6a4d1371360900d670e11ecf1e7",
-		"674a516f8f59f9067e0485e3",
-		"1ee376e9e3c89b2147bcf75480ff0dec1d0e8cd45ba812f34c84124871d484b4ca87bfc8cf99f85ad452c482933801426e2737a97468809fa36caebebe8eed07a626b3bc3614ef1ceb54f9221ecb16f413f0bd9ed4b3010c40632f05223484af7bf5948c2fb8a3d2ce04c53e3f2682494f3969a0f8eb738cf93c0141799c9e6b68924433f0326991e19626bb19e6fbb5dd46baf39f92e830f9b1ff465a007f031891fb1f1799cc122d3ae7a55624356b5297bd5d948d9ff2e414cd8adf00a53524df43f398938d33c93b2c06bcde2679566c0a7b0177b4a873f35874739d550712d5cfe3d25c19292ba97c01d84224738bb25546e5c252fe5e5f260ca881aaf176a271a6fca2edbb2cf23ae6d4c56c20daadadb8205c2e33881867cd67ae6e59132edccc3601f014b744ff8eb6aef5e09b358607695d3af42ab8fa30e9fdf99ce54427ba9da3699de19f7a8f9be368df47ff0607601a91e7a5fa6e72be50bb32b825427cdeda3972a18a23af290986cde14f5fb9cbddad336f5efcd2d7a0cf3d5b23e54b702352fd5ee52d7e3479441497d56e17d5868574c56cfc421ee47bb00e9c75b84262a1b9e2cbfcccfed9c4c386ef0d2c1be9a7b7556909b5d72a38b7258acdd624de2396c75386e077c34f005f92a2203c82d1072c8998f03b1df22de832ac733977705453b1d72336b8d371cf1ed3923f462ecd22075de5df68c83ab1e6648ede7fd5ee5794a744abcb32af73bcb182cf97d36f37c15535c4107b7c8f2321f9fe0e2b6ccbe74204df3d748c05bc1e0e2c55ae1aee2d4aa4a52e98ca7229d6d06576196ac8e4b14a9ce807075cdc876aaf904c9962741efa8c6caf41e6b87b2ecd6636e2e58f3ecf576e5d8b895162545e618960ff6e336ff17eacd5a1eb335001633fa78c41ed05466d904ef9b81b643a043298c0e291a085e4e67da72e329adfccc407f800709865147db49cbdf4232073b7bc7ad89b3dd901d927ee08ae6497e0f2f9d052ca8d7444d2e2ae2197f930a7b1c8af38d8739ad298464169823684612cb628c484f710cf9c552551b6837b575a43275100bf800b7a3d777adc44d07f67cee5000422b9049dcfbedfccded0f2aa4d189621579b01e3fdaedc4d772dcc593316ca85e7aa248d219dac21c561d318a4936ac0d3bd5c75311486c174e0e2182affdf69bdd6a086534e4a602efba2b9363beeb5346539b45336cbaf479da6b15b226a9ac026482216dedb84ae3443b306820d9f05f78dca7090d727c7481d82c6e5df80e189e24e46f5758e453e542bd91a58eb51a89e07c50afb543c6b998704432e863dc4c0d0236e0672835a7b0b64e14f5ced2904e54da4287597f920bb4d542c35d3b0271cf0eec055656d523d7d2cbd667445d3e8634854f8616b7d7a7f3e14fd32651e9df40e1daedfdff1371f16d5549ed5646adf2d417e4b3a4d145bbe0974ab388c2716861a08296b862e4fd035163281457877eff89dadb160eb2b780414435784804bf4fd36602699d8c2f6a8cbcb509198c38e2df2edaae7bd7c93313ca98a9c2d24419a12ce35b0b3d68c18840e3ff8739d70969927c7db9a6569787bdedf5c99948a9e79b2302a83a71159f4c789b3b3f05f1e574f8a24c899ae3457f8e73f9bd86976fbddd83b1af337eb8da4c0dbac3792921597e18a2fd3a0ac89a270794529d370d36bb6dc7452e754e903781cbf57c8646b92d5d02842e7df229b3d721f9b981f9d61a48f00e53948a5dbc4f739849609d94aba3e3f5f8163d40321576cb8eb8e89953b608a01184d41aafc13f40c47b12240e3ad49413473c26b6843f4514be221c2af632d1a54cba230457f23f00b2608485c381ae03b389ad0a1671fb416de4659cc7f7a9c4b6d9807789c307d061fcf613b96a2d79e5e3e20b863c8b1b75f35c982b40ac8dcb7d2712ef7df94901facef783e8015a9a48574aa6f0cfb0bf6c1a3409028f8d62137c347f5a35ad6a3cd60d71aeb29bae56bb4590f69226fb4e08fab7a9f41e58f4d5784540a70e7a97720c549c8440b089eabd0eb3e4d37a2e54b1160572ce568f4256dd244decec31fec555017ebf488e878945383750eff26a8a1cca73e7d6f52d8cb229d5603360a3bffec23029ee34145c4aade82d486758e0aea9e1b7bf0b4bfbd4fcc96aab66a27fb463b48c6a6c5c5a60253e2fbc5716ef55629277a5f3b89c300e21bf1226241ce0d587fe3f5b11e47f35614169dcfaa375ee1aa589be33a4363765368f5666d155cf72e851d426fa67b982aac4dbbc29356d71deb0715b34e00b9fd8876bbb09ca0701b15615f05cc45e128b3864b26003e6ffe801c4e27402f37b8997e0c29ebc273dc03358cd22fdb68d9cd3b56ff8248a727c2d4ac65acda4d0e0f511bc07ab06cefcf444f1002c151b953d7f7b19695668a86683497c2a2d2e69f19a4997148d2e8d158da859c8f44437d9ce9db92f84a88e89cbffc74c0ef4295088e2543a4f7c6ae9c908bd987bcfd7a074f83ffaf3888bd7f430dc5a5bb70d223c21b1bcd8bff2103408460df864dcc168486f6a66d67ded366c6e10f50bcddada93627cda711764a57ec36035ebc",
-	},
-	{
-		"ce72c93caa49bb9850774149a87fcf8e23a0c53701554468645554553d54190bc6e247712b02097b794bc421ca94afed34742435ca689d2ebef183fb469c060c7f4d7daa508726c9d2eaeb9c7e9a89b30faee8d9168607d4778acfbd27d5caa623475073ce763ca061273cdfc2c692d1747baa8a01b15f783b2e36620400082747599a16cfd6b630fef310c0b9a2912d1d3bb71eec16972745cd8a49cd927014eb0a2abbe0e1ebded4fb9e8d9e2fbabb6a71da5688717ecd3e08160b9a861f86904a41702b2c4fff28ed8cc61d468187b75bde3fcc5c0c0a642215fea83584387fc5a9aaf2f8a91ae535e0027b618a32bd687289c47e9428a1a92649deab825d702b076223b07c08e55c0b60be95937bfd0504c18398e924420f6e20baf07e2b1b858d3e360a461b66517c24e60f9fe314a4a4973c8dbc7e9d2a9f571a1d8235a21073d81ab9f4800b70a5f17f44d593e8792a2507e6a3a41042fb2a5f7e5f028ed2daa88cce28973ecd88bd125d50fad77b1fde61c38272057d9c65fbfc6789ce41315a105af14e277a0c39d75c34aed7538c39160eab1c8c47818743e8111229426c399c5e88c4d894fdaff0315ec885ea019bf9acb785f3380c37201d494a60b583fc130bc0eb9fbe9b90eff95874e35910dc05c761f8006e2f208b786aeb2eeee841f9a82d9966c82956c181caa4dada81dfa2e2d7a25007c2dc7f2dc7ad1bafef14581cadbee4d614a557df4931b9ca105bade8fdfdefc0d96eeda11c08500b1ca827ca670ba07bb0f85af92914c43a6f71226d6e112d487f1ae99b2239a63ee2cd0849d8a9c488a11f82ca334604a2b7260f25373c6db75656527890f9b772c6bfbb9f687f27099ea9d4d1efd874a6ff83cc36c039ed1690408f20394692ff054d9e6eccc6776b6f4b3c5f24b0052334d159f40b470a9b8799bbc0df4dbfe59a5e536624cad193160ef23abef85df2c9b6e6d4fdf16f848a2a446a77044f1162a278866c491982570cbc16041908cdd0efa2cde011526a3c96d4b39a23c5fcc53d8232869cb4dea871f4ac8afc795aeb1b28cb2d7a3669100a1cab2ee1a7f31e2a25a5c6da836e4b771ad57393305faf582adcd26045e26b618d9943358c615fb206258c8993d700adac7440dcd3ef34fdcb065e10e9c9727662b5abee160aa01d2f2ca6c203a76fb01bb08cee9fc1eb6bc7497bb012ed2774a2d263b9dd03d60c307ccf33233ee33eee702c8e3118f9f86174a97462d0e804a24bbd7f4f938c7f105bb23399967288069e1637b60f2f1883d88ce5a874ea4bc0a7ca0f3b568e4bb1407e4bd6f0d3dc8fe91345f8435d7b1be961c45e4b0f1ef2d92d2d30bb78e1fbf72cd2e7ffae76e8c2bce005195c2003bde46108f37ffacdac28fd67a0de62970b347f0ae3f5f3a5b1d3aacb2fcaceecaf2ff4a2aeef6f5a176cc1b74b234f5658ce603bc353e075278a4056540e43033d37a6eb2615453d8206f5cd294423811283bcd5d79c4afe268a547b98977ed5cf24c0f53a0533bc0b2889356cacb67e2f7353060f9e04362859b1c1f02f96bf5457b58e5ce84a6810d39d7c7f53faaec64db5d6ebb90c1412bdd503ec6bc240c277ce1f5f18876feb24eb6a77e5193e33ce141e8720329add079dc9735f0a35d7d85436f1dba6dcff9147777760b5aa2ec9c8b5e9fb4fc602ec8f754c99ab2372ff5963dbff3fda91865108e606b214cf7acab875197e78060eed52a798751998ce7c73cebc4d5f429f6729a5193d7593072d0921ac8127ba6e796107ee7b9fbcf7128ab35fe9f6fe501fa4695c19fd64460685f287acacf5250efc13899bcf80ad5a340d432a0b9449affda5c8fa090f008e01873aae7d5fbc7972451542c5c29cf9cfdf23db736c8a7112536b1b626caa63f3e4117044cdeab612fff8d8c194d19174f56ce761f6587349c48fab30390f231d209461ee7e18007d10d83ea5aacf199f3b00003259747b1d03274d3c3670595604bb4482d345ffe31d3e88c70da16649a2677bfbdbf618de1d651a53d573aada2eee5c01335ce5519a6d18a70f7ff0b1e66bacc162c49f7f29b9d3fe2c7dd85b6b355c9f9141f02baf08d2be87c36f6d2e1b2e90dfcd100886e306b360df0ecb146a6aa5ac5ad05b63a219ea65885894a386248254348ada17908d776f9b438306ad28b208f80d6b9b265500aead945134b9d388ed5d6205edf07c5d8bbfe0916d0943750150e09c76359d24e3317517ea489fd8a501dd93f159f07d19d00e86d952fbdba2db771910143df346b30a30fba908a1abe5349c3f241958f428dece7ad9a91cb42035c43573b87b26c2ab216cb4c21799f6b3d81acd300ff50edd6fe7868b9ba6c160db3418565ada027b46b63e5d4f3411284fde585ed3673b424ec1cdea678e4a43c262991c3c9b988351d6e0a10af1c959cf21b7a288f2e4d7b3b2c11b400b5e036df71fa993b72ce48d0d8598fe4ef1ce70a970f89b55cf4f07906a479bc84a08bf6ab25221de37afebbc47ea0b38b87be128737d7d43cc84d336cc6ffe1677bd802910a2084751f30398dd0ed09589b2befd2f3b40fbc013318c822fa2faec2323fcc52b43161f47aefc557e92df3050dc5f8b1c5a4b2f8bd7b2ba7aaca79dcfa362fbe7781a2e261683a4a862d5f83e34845a8fcf8a1aa73cd521e87cbeb71f20b20698cc34bee3b8628b1a3784596c",
-		"08b3fbd73d157e79ea9f61665d19867dcb8c1598c1d37b793606936d8aecd992a0d46addeae857d488b83be5d1c1639d4d78350e4cb08782b61bef4107c9d3a79d3d85",
-		"a56f38b4bbe83b3d9e562cdf5ef5b30593f08a1a166676c4fb0d5861654e640b",
-		"8726dc5cae9497936658f603",
-		"88420357d1ad70e7c7bfd55b3cfd4bf06cd4e9b4ed5cba681045199a06985956d35fe86b28b9a4599964930d05d230a23c55a6a152f67082a453fc31f68489df05c553f9ae5cdb3f611445db384d79af865e52440a876fc4153d896b7a2318dbc2a4495ecdbb2e9dc68022326d35289e82aa55197aedc266dd91ba3018c7b474ba22b4e773773f3e9890ea84bc16a6b235e4bb69e785c40c1adc15b0e0ef03aa147b0d14e62341e27398b84a53f72c9199cc1c94cbcad2bd31aa69c96b06d01775b8c0f80278a43f526664bdd430164863c9c9140ad87798a5b8f38dfe90d37f54d1137709d5311136b728e6c799da244294daa4c8b44bfb0acc603a16c088a081129a0d2cff55ce1c4ccb486fa0ecc3098ef2196f47c49f9d253112bd5746fd99df5d2be577617dc2519c0ad04ee49ee1d7be3d50492017108fffc9a414ea227af39fe49fb2c895fcf00d927bf4a2d78c466fd44df4768e6775d39fa5c834b60979ca27ee9f00faf37a090838f56275a894ddadd265a8d2de74265e4d8d286639ce8f01eccd4f551cf6b4429eae3f08902b6ce6ef422cf91ce8946d9403fe8064784895b62a7f5df76ea294132c59da6b9f53d4195c1e9000bec499c14cf8bad460aebb024a76ac50616f0dcda71c0f56dd3239b11764f3ed6ed06c049b2ad673e4beea391dbb854fde1f01b1900858b9809259f3906b34f95a1c6ce8d24fdf0cf7c2ab7bde2202a7f1482baa6e51caaccef9f541c377da620bfbc63955cae0e6644ec8ed6878f704f1dea30d6b50d4291892bad19b0234582d50c6cc0b4165322cff24a9dc2ce1be35be0fdb3bb7abb777ff0b2f4cf16277388af5a89220d59f1f45ee9cc2a0fd7af9aa8e9e8d548fd65be4e47e7f8ef58f7701f93a42e7ff78f70e807fb63513157fcba96ad9731b2e8f80da85ef407d5c368ad16f0657620bfc122ba1b10d7ac2bf46d8133a9c6fec1fe04882f3d5765da8f825e1984a4313f72b67d806ed45c000dd3ddedd524d474b9b5788547d0712e8edb4c6c586d0cdf8f2384f1e093a7f6dffea6e79df9cb9398f5d0b9a7cbd63d489430fbfa397a0d03ef916b7702f33a54ebab84a7055b7ec6179b0ab7722f03e126ed343b1cdf2af3763df7e3a070162535514b01ad86c6cb051859aba1cc4766b12c8cd57b73fdd3c65af6961c45395aa7b885dd59e115db885f644e1c94bfa26b3804f767601c86e2c7dcecd4daa59955e6a40991a4b4701e63fc82b46dc0ccf59af40a8583171375551c868436ede535705f2e6380c5899cddfcaf9e94314794bab98846cd5ba9e9afbdbe1ea7fec5e22e7b2aae59fa598f4d6c0cc6f936a616e11bf01a2acc891cbfa2bc53c511a8a3a3da2e3aa5907d123ab2a4a3c0009fdb5235a3c33718fe4c504e1539abac6370e06150c402b5fc2f8c32608db4ce2eca9d1e4b96371ee195f6cd632f5b972385f9d5d357b87c78cb4e2c27aa9851534de14de923543f5fd9d55e34d6e8b7e1f3f2735df80046de01f79d0321066f9bbd76299c7386d285f7bf4ac15e033e89a040710c90f87aacc09fb8159f93c8b4860247eef079e32d05707e88aac734a2eadaa853f528d9986e0af3435b5c5f44ddfdab9b0c9ab3eea97676e920f80d1794740067f9b229fb018c804e595aa997533a5e967cb79ee58eea18995a90ac08333f1c69600b17ef4f454f540dbfa8b502457761bc4daa876d9053ae1f55001b6916ce559dc6268d01841255990e56614e6f4ee4ce04472dff0657360d75da4e83a71c852a2585110e53137e91bd89d64d99b5614ab2a5691c876f15d9931b092fc6729c0732db5cc40f966fe440ff99d7d05b24a872f552c27fb0cf2af443340b153214b407fb9ca3750d9c157aa75763b0b7600959663889d00f392d6ebc12835bd2f03ad802a21d0228f1d2e9731d0f0051eb2d5369ab790d1134c38e28d2bc2d5d57d6d897244742c176559961a1e40c84ee5c8225c8d72b92352a011e3785c262aac115cafccc2fe1b5e81a677a0220f207ebadd786b93f58e40eb6ade68ddda5b66c5f0f6b4b95cdb8241156110ba3303beb79acbd54423315768bb43b4fe8c4a465e50c4e63bce272c4d731ea4c797e14b2de31ce4264e2479179b906f67af4a23c56e817abafedc2c7a65aa45f0c89fcd0baba60561a8d013e2d5e0bdf9fbcc1346d3edb20e6e9f9c410982e1ac43039ad8fd0ebd453a6788376951fc20374b59946a6803498929d9fdf2e0f5e58c441329a79d1232e957b3a9ed17231c663b4819dcb6b4e33d205edaeb7d7ec466930bd84a064b40aa67fd76f6ca005408062b45b5aed6f8161836c7160a8c8313dc9aa1c6d42c2c16972a1065e41aea9c58db7916e1670cb42a8b54d85498561b4401761506860b19b446655f8988101fb4c45067e30edc3f00df8d88ee34111dd6626d605d993ff207be09704fd8dc242ce514bae77cecd20f10d4a38435a3f5e545882fdc224586a04ca6a162e118d23716240fa67892b78faf98a17916471f7f121fb9f85497a0b34bf5aaa4ee1ed8a4681bec55d1b4973d4368600115bea70f20a37c9e942b87f6cd1e2ab70fd401e703e3c8334c75fc338508e06d6370779578fbe737a75954b4701bfd92028ec32d3d7ae606caaf9f049d9774f70efa707c1c1174d9fcb5b0a0ae2a961c6f58e48ba82c2db14ebbbdc24288e42879f547b855c86dea9a3b9877e4b105515bd78cc43465",
-	},
-	{
-		"bf7884fab52251e202afd7b5b46aa53f85bca5fb80a009d8016e276579e401385d853312a884f4aa33cc5fe7360426bbc0ccb7416cc0196e2e40d3a825d5e0825a1394029789acca550bb28b10d847d0a4fe1111be2b7fec6b5294902775128288a784203031ea853c9c104c75571d19552e2a1359a900c5fc9455230968a5920f2ab23f5b9cc49739d4e4ae2c01c7812ff295899b954e9729a3bb330b60c51a8a7759e5131d7d4cf261fa1e62c29f91b4341a4fc968e7f30ca2261702eb328d628b7275a9efc29b50bcb9b27e5844328d5e8256c76949d30b6fea0d5a1c9abca80d3251fcf4ec4db0a5ff2ffd43618aa2e3e1694c2a3c579a2665f443ffb1eb0ce33c09d7285687cd55b6ca9918553bfb36a44860e09ffa0604ef4904a034108370195a986fe165c598305eb08599abbb3df31b1d93162397056d9ba5a1ac2812c582aa356310fafb4058abc5f157802e4a9b4bddb16e75b6db105b7dbc838f820539b76949b1648909104efa67ce28b16a738f1be104d2bd142d3ad1b1c953b6020a1f4cbb84d5c49424befbf2e6ac5c593b783a3f4af75477312528fa78dffd82fe493d821e011642bf1135a5be91fef909383953308dcb61b2f35c2ad259acd1a2e953c0ea6a03a97b384e39c94c33d3846c26b4f9f116abe572d5b7cb81886d6adc2d544630fdc1684bfb32972e051b9a2bd0931de63e025813b923944290fe1ebd5264ee4f25569a2088314e8d4ce8b91c7bd602b9d85acc917d60d30d5ef1cbb055b9ff7b0f999b98caea2517d2de334eb436078c90d41e0e34f11b93e3e643389f43b3afdc4f47a7396cbe0b4bf159ff27618cb835aac6699be1fc7ec840b767836a165fb95d06f2cac4fe15b65714ddb8a095ed4a5b57e63d536405931b6c168683763fe07c32aa4130bff787d4d440746a2dbfc584a502d809076b257482abf7f8ead7741c82b54c41acd41581148aeb4149b0c6eeb39ef7ba091c2e8bc72583b2fdf8ce7fad1bc05aefd6db0360c644a9760a9729a88ee4b2ab123d7238c12435b9f3b4660e74c0fd4a9b00aa614453d84fea01f779e5a924f8e79630a8bb6561ae19c7bc8d88b9d823b98285fdd65d4cc05e443944ed5d3cd4f46c7cafd1dd5deaa519772dd24f508bd2d588a832d5689119a2d506ff11dbf37d57a24e35ff38da18af07eaff5775d12dfe795fd3e1f0ec83c5f283d6cd76532519a15a18d93431893b1b88929159bf8fd21f62b30f4e37d540baab0e30ff3349a08d627ac19303fcae8b8e3fe44eceb66d30697c7ea051bf5afdcd8bfc00d49c8d36164ec9194a78a4d8b78826863e93b6a810354861f4a35ec12e5ac102f74e390d9c0227e67acbbe3254e5b892786e3a88a383ea9726485854a319569a678fa70392cee90c9aa83eee8df6800565bb8e083e78a064c0f8b863120efd799ea57d3073663c0d0e7bfb9b717ca1d6372fdf75a77fd9677791cb899fc8033d6d806de1e6aaeef525ea909666316d9d604c1207cbeb6f427c3acc1b02cf59704fc65135703f2a9529bb2c8fec992c4de53e54b029c3f2a5fdbec1008d1a70dce0c11251003ce62af712b9e4abe631902485404e4933f346f1b4467fceb65baf776d0078aae6a2a1f95b85a441b635663c75b485a8a7cb9a5c12192ac874d940e2d9b88cc05a2db9b5b35df769925da508112ab0b8f64a1408633fd0d81810baf2c846b222736bd826c8cf905b2c35633d6013f5565e0a5ec1492e99613f53530799052a0d70023339d1c394fdf9f73a590a2faf68390d2a823bc3e47a173782b03dacbdadaef1e67fb47a7cad71b6067ce5b5e41fc20ea1fed28578e9bdfa99faa657a754488ed3fc084faa7a05b0f6eb66da0a28e9ab26bb319fa4ee993de840948f94dc1d68d926b783a0bd3396a89970b2c2595de8148e87b87c21f664618af4f567115d403715c3d7d2f66d7a90de2c5237893a4c18c20494e3faf94485ed39ecfe972c36acef0d7ee57bf8755924c790ad02dcc5c4e15aa7db53eb6040244c3ebb7874676782e54dfdddc256018ae6af8cc37450a4cef77f21e2e061062ca0c2a514290c960f5993ec1ce9eea6d09d3293118237e079b6015b966361c3032368174d74ae5cce4148ea2b3690fbd3c28ee544c5c5bd7bc618122979d52c9d3d44eab1f2467f338e695ec5f95998bbe77dffac42bc2809d43a324e0f5feb4ca3d5fd951b7dc8a9e6276ee080079b68849b14c7573cd02c76027a856165d1043acf99554c62fe32896d120974ae71f84986bfa0c28fcc399246bef3ab90f8e55f913aabf339dd7ca6f0861a9ef712e77dd28740615479f39a37e746c7df2b267066d1649fafe0459f665f3d5e7124db43ab1ba5ff94989acc7fe0935e0bbacf718b33103a1355d97ab416d8263ab369e6cf0ee563a77f2f265fc3856b7d54dc0887ed439a421c14f733ec1d6da086536f9539d23cb8026218c5e783423b5f4ac24c8d5d8faa7186dd5ea34afe299e6dbed73ffa8f415da706442a48808a9342d6209f65ca11eba76f8ef26db890da76671971f65bce9e6112c8aa92523dd5295d748e28857acff408c161c0513b37b855a8afb0764d118815bb1b68f8f09156641f7eea994ddea20f4062607b9919d041c880b71592402a4d5b92464b239caf431a99dc67787e76b8e1d7337af004bcb88473cd16b3f7640e8aaa59ad4609f060a2cdc71a4b3ed22c1506a7050a63bd8ed68aa58a8109980bb3f2b9f9fba9599d7620b8c25e8aee739095789af83529cfbfce5941d7f14c8ae30583deafdc7c25fc34e75bbed6ce4f6b47e9647c12333ce08c7db77dc94161cfc43f7ea0bba39def8bf8ae61c6fdcc0de6308af963c6d9ef43916d0cd2cedb970d5937c9fdd4b888cc66e99363b5a04ae62a4349f01c3933ada64080741b1781754e4a722303faef69e382cd9823177e4d5ac83e76017124a7b1a41bcdbb9c4209e7b42c",
-		"eaae1c53919e2029c137a80f91704d0871be2c1870d0333d8bcf7f94",
-		"4c434cddb399e52457113cc7e16f046c3f8301f5b6c296979f8a091a9ea557ea",
-		"b633c1a0e1ddf4727b149b3d",
-		"f1de487001a580cee6edadb1ef6b700c861a70c6ef16274447b8c61bb10d2d1efbf104d5f7d7172c6a5cf9c06d886165a2919ee9418e2e8f803d47832dae5ef232ee300d1f973a6298c22d777a1b16264353cc731a7a683cfe31e0abc704460788c555c0c24f281b81d7761235a955c736f17f213a896b40a034609ca8456ec3cf5906d01121b7580ce19d89347b6a59c81add318df487b2442a7a8b5e30df78467abbf46bcd5ee5b994a39ca5bd8846caba6f02f4f1335b73d4e20be0b6ad85966f86d1bb857713ebf947ae936782f1f4929498bbd66bdd5ad6fa252364a5a6b46180e93b54cc321b3cf63cf23d55392475c6b8c8c9dc707924b55544151c7c55ae0bf391f793e52bed70829fcd32b2926600f65be0943d6a9a96547675426b0dca9cc7b0f5dbc9d5439d0281014c6c159d055d6bd89d67828ba7fd2a0570ba82996037f7dcce297fe6518331270f6fd5ee63d406cc5081472bc5f2298a9208dba9398ccf807ce9af982885897715b3c5742456f756d79c70434a9baf7b4b6664c9d9f5696c5256b74099e593f97a2d4a469cb3430d0c3eb06083398cabd58af598945a85c9235a3fdd9ba7686e54d0de9afb594b1bb030be8e6bb839f6b45699dbcd2f771db64b0c62bbf6c8672fb412d60c00b3d87f82ffff6512e8308877573323c5a2d6a216ce3e2ce07c9763835ae59d44d7958fd873e3995b62b1b347e489ce86e023ae27a6cb03ddec27a38fb233499a714acd89232a91d38abce30299f38f437f7a46df647f2be862c1e7bcc1e4263c2147b13ee5b345b7fcb973f3ac71db8bc12309f67ddb62659bd73fbd20664eadcd23a79233386aeec1a6fcc8c592053954ee53826cb9b6bba22400648887311cdfa5414c96d5956fe193a3729be1434d923a3f9849f6c419f77ea05fb72f3c4f75ccec03b7f7aef8c8e55c8c5480ee505ae1a7594e6a911dfbc39dbb0ae8656f5972eb644c64203a920fe0078f3d050cc5666ed9747c23df7853d6913005d0156e741a5ead3bb1b22e5bd802c303a73a961f0b60d0fa698041c22577b44eba5d6071de4b545d9f5de24944c151de6a189bfdc223e0507c74ff929f06a2e7497e8c63073294b4aba110a006a6e9510a9617405d9ee711831e085940006761822672549d1d1c70e50002c2227f6f304b9a7f11dc05751be2dfd297087044d2e20ecfa0c091478d62c1bf5f0aacd25bb0384853762a51144b77d30418b633c4c10a6eda7b2eac46905641da0b685f85349749a91cdbaa4027fc50eb97a7dea9e8cbb5b5f386ace0363803ba579cd16ef80dc40ba1044b4ecd0e81e382635d7855e2341b18e0ca705ff46990282fe25093a248ca04a1fff64ebee25065350ea4b9e5990da4dd2e28688ab08b6d6fcb54d70f6d74fd7e5e05d21c12f5b140839aa966aea9ee094a923ee5ec704b5b709ff009c20ed89a75468c48b505d07c7a5ba1ad54ed610886c9d84468eaa598c71b017578404c909dbca431703e0cb1cfb975a696a1677bc015a75db007eccdcb21b9e5e119c48f148c2cffcf29e245e52156ba5ba0a8b0031570e4cbe7b3ac4646353594f0c4a9424c9d97845c5e1a4b4016df9be8df3013e5269484cf32258849afbdd733189ea11783f0f64d3aba9b4f48818011e868cc03ecaa44ff0ab83ed12981a6df445294ff672f3a16d6e0d19b90007d4646e967e0fb1763b3c879f548e1103a75c94f3a7f72be78555eafc086c1c58d1761aac60b843704f234c55b951a1303a12705f2120f784c2bc1494432a94c835d908f0edd5cbb169afd2d38087ca5bc5e5df9c3bd970dd2da4fb2a00933538148ebf669a20b5beef0402e53dbfc3a0f289b33b41ca27eb2f036a22f0d02e0617bd01e8c74be264515c9b46b9ab6fc67403a35837844580794088a9d3c14ad9309435daa0396f48017be524856ab6c191350529962ead64bab33171a01bb3c144b23bed406cb05102c693ce5df36eb541c47e871acf56f2b47de687eb9b3511ae83d06b1f69fbcef3225c3469c304741437fcd0ff4ae3484c117f51d24b6ae1363beb7d85d9b61e01e3dee901b90f2d3272eedb384ddb4d3b9594b9c0926595e500f8ce2e5cd407bd7a4e2c8e6f4315bf693e8c961ba5b8a6c7f5030c68a6b995e9d3f9eaee9eebc9d679eaf72a5f1cb6b2fc66edc7dffa2370dd778ea7ff446121999afba7bb35ceabf626c6269bc466d65f7f812c663bcb2fd87d3e09ab7d71e727f66d20ec48a5d2bf0aaf0aca05d1546d6e974f90df85c1393e3d45731f71ec7b5cb6cfb4e5c29976ead6944a99df2045056e198b19905362d4e9b765adb65eb089233a8b3777352665489c9456cceed593c6590d9f3cc4024d0bb92e1a0dc619bf8ae65be77456c18f8171e4d2d846073cf5c57ba93adbc0db9799e3d98934aa6899372acfa4d7d2ea32e20164b79c71d7bd33c94f9a781a25cbcafe563462eeacaec0e8d9d6c0199de85558a3a05d1ee3483351915d8a4e65ca0ab129a2386a9e26aff9b912c588babbcf25f8c467145061b9b8fbbff19d8c6ded8527d457be7c926c8f490bbcd627b3002044b7729a52e94147f95772591616f6074047e758597f410b3100f9efafaa4137dedfd0edfa85b0927804f0b4fcea1a174622116222004d42b36c2c73d04781f2f49d080f351e57154a3980005bcfb0ea34288e2fafec5bfd01e1f7901b3efc71ae58bf8df4cd7c045856103b77bd78073f0174aaaef4a3c0e8b5b46dc92db55478f012dc1b7d513e215e735573257f105d2390b5366f49b61809033c13ed4e1ebe19ab89313c947f2585f0788a0c5de90b41ad0dbbfc604a0d414d0e5390a0f3c9616cfce4097e38e05888b8bc6e55e40368bacdba7e5b76f4bd8fe619746155c30b38807a1ad325b00ecc3dbcf23014e79f1c39af7cdd0dc7ea58ce733e6611b7eae069deb047aeadfc21960e614db19d2e7e0905a9873268b9a24f856c28059321a742cd6cb3d1527",
-	},
-	{
-		"c89c3cadc094bffd5ba06c600dabe30ea19ad037316fc13b895fe0e14ac8841264c1bf25557e22b01f8e102c3af43adb8e0a12bf79d3fa0232dae37ca3688e07294e2c7ecc4e2eebdd3f17173351f2c15b0480d4d77bd70955ba86f82214004b622cc92f7bf81a5837326f6a83612bdf65abb33c268a457c45cb7467e074b342a17c711c748c74abbee31541444020a9ecd4e5125e2a8ea3f6030bd677be18183a8a34af16a85ad48b7015cfb036789c0a5daf68883d0c7e401754b8d56cd00ff605be0cad19e03989f608392c81d636de859e66c2aae403c138bb96a58ba69b9064a83e7d8877067e7f40aa0016e0df9b7f455d292a60eb621b8107a727a3378c4b7509d3ec10526c50fc6c66dd4b015c915e85bbbf701ddaf2258119c8b9a5132eafe61bbf38870f35f375123f766ed0d4f38b9364a86e56cdef6f95a815a8d7c48ff283c77992fc6c070eab7d7c7b517006e5d4af532a7c429912ebaebac27249b4f5112d870d998e1c450b98c05d08c742dc769506f2d7a004c24ebf84c10838b619653e27ffcc4344d8db0435e4cb77c0410cc734e36738a6b5f72a7600632d19c86b40c737830b0f5f104443dbbb031dc7ca51ab318951e7817b5d81de8a9aa7f5db6e2d5e7a3cbd8a8100653c048204ced3af005d00e7de7b445f5acff901c4d46ff133e92ef073aff1d9ebf55befc32f9ec38c9eaa6a1aefc974bec2758297e474cacea2ba4151ab1a3ca0762c64a5ca273169d29b83c164f77f266c01bd5075871e17426068ed7aa58ef0d1f2959b19c604eb6187acc57e2becea2da93ba23159ba73b9226034c7ee2498e0ba34fa8038e5e2c092a73ebd9329ea3d648d6ebd47e1776941ab3130cfc91089fd0a0a36f0ecf68293343f275d2a64c1b7d27ffeb3f667f4a19824706235fa5f3f04952ff08bb183c0f1aa1d1b0edfd2e05ed093543788f5d0ac6532e15f912163275053b202d772f381900e906fe070cdb00421e78c16b7387be91adb7b3b3ea28b92548d69c780ea578e7ac66eeb931eefb4067bcabdb345a7cd2022085fc494f118215adfa2443630bffc9faa8fbd9943c3140d81c7532895734a9dd20e31c326531d06f5623c252139c4cbc882640c457819c63f6ceed4e03872b246a3766df69373ebf5af1116e8d5e1b15745bd9dbdd663fd4352d1238a43d5d1e74b3edddfb1c9d460daeb49afccfa0712b7a4cf8d07ccd0599ef3e4e1c9b5c814f3a6f3a46fc80449b34df87f47ff91fea3618cab2d5c04cb50e8ad199d752d901b21348ae939d39c86cc1bcecbadcc6f0e581a3bb51e070507b41ea4294b35456c69cf55a2a3f1296f0df73abac3a9c81cc303d1e20ad6e9bef48de83fc22dac2cfc01ce9ff3f70e00ee49bab2f282ceb6859f989075814e690e36a8d16354fd6056cbff49c30e49b1570363498531ff0ad0979a4518e9ae271f57f883abf5e301c0e24a83f09335479698911bca90269a28c0e040a98e67c9e55f4c91542f921511dd980270cd490766da22306b48ca9309aad3b2393b7b1e9ac7afeff64204081f9c0a8f6a5396d02eb9009901ca2c0a75ffbdae3a38ccd5007cc4f6bec8fedd64086cce5c039e8abc9e23bd694fc8de4e858c89bd585ebdd422b492eab26f4ebbdc1d17dfbba19b5ac458c31320a161a52dea638548205a6ad4ec54875ca34238c059177bfab2d5be0a98d12b3932d0661d33ec655446d0283224af8ec7f1c6874add03448fd8029a71d3c5aa06951123c9fd881d435845757df50444e6cacc31a8cf7537a778d1184b96c3512cd474f5d1fd1214555789d24c8d173358e36400b2d937595109729d9f35eecb0963c0da60d2eeb52a778876059fa95d820d5d34e7948d389dffd53d34c4083d27c917879b053cc57dc43c8263e5dfe5f33c19dad0a7126ea6e8abdbacb318d37c305a183596ddb25b1934beff13a4f24fbdcc2064de8e0bc639e672ecfe45692e9f8164365e1691784b4f775ef369aeb135ce15135c20da95064c810592ea33316b9767caaef842f948b9573b2205ec57d3026a2f2244c42991462e233061549cf9bc66a7b4a8a0fc61f73883fd24dad02644004989c4721a0aa03d3b0191d7fa4d3da102e541fe463936c9365ba30681e706ca70cb3c8ad5dcc710de59e7d8a6247aa809bba74ff4dd182a38bb31baa337841302c19ed89d65e87bbed05465f4ce0dfe89b44d7e9266a8ca21d984c41109d813ca76eb67dbd4e39aa437ff98050c968ec1e40c534ab51d6b8ea2309fab08b3757e9edc5972bff316f6f2affbff458ac0299613734b30dfdad20f797d172cf295cbcfee3d8ee25485d40380d3480a9372a1a6e5ecd7c4c6a9d34027ea6c197f37e86e757750c9fc24cc7cf814878b8628326c140930dbb2041bd9ee87f36ebfdbdc34522cfd4e50c9cb48dd52d4647a06d08e0f0069c104849bf30c8e61cb693dffbc69fc0ab9c5d502a227d606a1dcd630ebd799acdb1e47ce2ad52ff53f6cf4fbd5f0058fb5db915702675ea44334d42e0b6ddae78b22b5b5f7e5aa36519e31278e37b64312479b14aef9b8f12d8c1f39faf920851bd53b13bae5490c847b3312b2e956c430f1d8deea91cf171dee5017e7709d0346d81600bd5f0c41da3f548c28aa50589b293685ba059cd7f3edefdb5d8cdea364f4a42153b0632ef0b7ba18610b71fc34a781eead1dc5a00ab47b6840590ba44dafc6a16029cf50e089684194d93dc881beb62edb7ccee6304a4e71a35915f109db92690461b9e4ea21257ffb62477c20feaafc7a78e2aac2301b66893157920ce9fb114ab4f534d61bb3d17dfb4d9ef9f79a736f7c1d32ac3998356aefc876d8c38722787d564e980a1f15056cb3fe634d71d2c98e0475c79cab318b73a863362f85aeacdcfc44e61b5aeb870de9ea5b5abd24e8c19ab05e45e1e9b8894deeb9d29d65ae99aa94b5047f3c1168276cc2e491aba52b5b03703ced28c63a167f0cb3e4bb4d8e4f0292cf3ea4376510fa49a1a5efcc00f23c3cdf6402197b81262e66e17bf4307d87ffbc2b37213b316bddd65aa9d64ce6122c4a1545c5966bf4fc4c6ff17ded787ca9a3b3cadee435bbba8f6590dc4ba30895b84d5b4eb94f4b05be3c",
-		"82abb4ff5457b21f359754f151e456e2c0a185c8363d15918bcee0d6d49f12564ac655",
-		"b63b577e719494032062e3f63682098dcdcfe26cedea2a40893c847a331e4ce9",
-		"9f1d08be539f1244f0f69ad2",
-		"88dcdb0309f8c4a96ad5560f8210eda1f5afb31b85b7a8b15525777748967d4ed77c063f65d64ef19b31044f2adc690f5e457faa1abe2e127b38c626eaa94053c9ae1b6b4d0db1f02c8404b50f58210cc9fcc6fa4ecc615631da631031cd6253b4a13a3e88295ffdc775fd4bdf29655d9780dbe02b0a82aad4c4088e90b51f170909c0f98ff93ca3926067ec94be05841603db4f913b7025a9ee34b8d8bc629ed827a2a9857e0814d36b83cba21e670f8f94ceb4be5757e0b8782895b5d8605868e4f584b5bb6a5f3a94edd9b23fc2b6fa06914aec970c260fc370aa245ca68888c90c43eecb68474c9e45c53a7da055f5bfe39b56769fa56264dc8bf4c1616e30262bd501ff9fc5cd78f73ad89e093feba0393a11c6b2cbca765ba025c40dd0417dfa644fce96db5a0362235ad37a317145e7b5f3c7213c7fb3c393be57a1cb55035f06da1f0bf665653c5fe8a0f3ca67dbcbfc59852694d34819d0978cd09b508d103017168f6848258493be737cc24c2112f2afeabf41038bea1f74bc8656d9910b77d33cc691a0d9b12f7c518ecef93423cb4871949a518d2f06e5427823324275b97110f8f88b0d14788741e617f4b194e679a1627da50376a08d4f23b005c0446b46d4f534ed85e4692e7946ec818437089425ee30e47de995e8774b61003801de67939d9fed7bf0cdaf625798d0d0d04a61a2482217b890168e36f20cf1d6b81f9daf1a49a781567c4363ac2f3ebf0252d5adfbed17f98cc264ed2765aa279b7437410ee8b4cf42932e5055f4884deefd2a979ab1328f97cb750b3b7e4615b9c1c61659c90a5ff6d1c736e785587ec85040fb2c6decf789c2707974bfcbd0c7f699627b31e0762321d55bcc6acf1aabbd44abd7766d397bfbb68c424b311611d9eeb6598ca3126f569f688455da8d5ab86eb01f9c96186858c4b5e447aa2b9ca11aa5453f731beed4e09f95bb7376e200212e2f03551b8b09a19d6910f25898d692bc20bf6ed3ac9a0276db560de5c9e264f4db8fec6577042fbbd4510bb7070086508ac451a1fda26582c259412fbf1bd60cd5e921160c2604fde559b5ed4df52b805010b225f999450adadc6e108b70f169a3d8da6efbe1cce1c4908b004e928e3cdfdd0b4c5f742fd72a11c9585aa3517486201b6d9a98739b77970a88072750d29d005a291546f13b576b4249d71f04a9abf8f653ca206d98f738af2a1203bf0975f0a40138df054ee834ab73a3b1d7036567369a7ae15f808904e08adfc84b34a0e1356009d8a82e51c3e8f2170908179bfe47be8ad819cb12e85b6b76bba7c9b9398dfc00f550e32c171b4d5f2d9676063efee0b0b49660c10260ce052dd00addc3359e35c25dc33066d4b05bec7d93f71e0ad7d5ab83d844c7f33137894327f464260688ea4ce9847046e7dd0bfa48d4e15277a9586b4742daf0c5ecc59aceea6867068b03c20aad38d04a814472287d809a9285cd4dcdbf68f3f4ffb794701f4c265b2dff4aee55c9815938689162e08309df150538e60dccc03d495adcc560fb831444b922a6375845cef5dec56eff2910b5bde5f25f0e550ab5a13205de91d20896fe04a8ecc2c83d1371cf381424f8c43d2a5ced374878405f52bb92f4fa3c15d29ec151508488f9b4e42527921e245a8ee4b5d6ee95797f6ec4374d79acd7b467454a1d7eda05a8ae104534b23c46b27581abed6afc3ca555202dda94fc2b93501fe78867730a84f6f726dfd7364bc240b65d6c3022a04e09c89e36a809fbf244cc5522315110e9e33c8a4e1f1396e3e51fcdd53d9ae94fe7bf6c6ccef0ce02048a11441de3c25aa9787c577501977e486f8dfaa4c81e3183e648311148ce5cf3de56878847a9d14c0645777022c158670377dd9553eb63eb17e19ebb06202be8fd9bc2b24878cc86f9938e5996751ad9ca04b636497199f7f27dfa0f5ba2a01c3a491bec6dc5113d127f6aae38fa07ce7539a0c1817f7f0de0da538f4d85ffa394784a42eb50994e28530e3997e3345db28bafbb836fa463d34146d9f46d8d2b28b3954b9bc7f84046828e9b55e2fd663e562aa95caa97873f48f0a003d2251fb3ddbce0b6072fc17e0d3f99b655b8f41e8e6986ef7526544222e2d402489eabed4c219540605b9f5dd321ad902708601e85bc874c11efedd072aab7e10272c87b08b9457223de9fbc3abc2d1346656a524e9c67d79d4053c4257e886d6b430f5b7f57b2e5e92ae69273c1705a3074d5066def69fadea1af8fa9b3bf4890f9cda4b1833e5ed27f22bc4fe4cf452880c7b53320bc7cb748c0af6e7550ffa84e4714ec18d208131ae9e3edc6cd6fa2c60ab8ebc1ee56eafc01fbfba061e55014b9711eb58fdd01f8936d29dd081565de0b175b02989c5ff374e6f58c3383e9bc00d8a93903e6a221c7475e15aaef77594849af877f3807a76e03bdd54ff0b192bf34385d24d858d6f454810ee48141d73e3acf1aa3d19cd4c723a634cd8e25b4fb604c744e408dfd82961e46e8444f001d0991af24b3b6ec57ba41fb45122afc73ec6b25f501f1abd46181247945729337bf5083e5821968502a5a696043ee696c290095feac000957f968ac61ccb572ab2f37008830ab9a81d02456190af99873450b52df1888c3d8b6b13df65a9bb36a4b6d0538a0f179daebca2bed6f94b4670560fc5471c3770f2d004b6a138b8243068d754fd246e9881242638c6675f1611f237146f6e0f72ff2fba96f479fe0a662a81f40928f5400a0bbfb5ed07a87f457d5febdbdd6f323e2a59f749e6fc8a51d08b023734c762a91cc517401be57ffdf6a52b9174ea153abf2190ae2642955c3c02b4a15d72456c9d2f323de6fabbf56dfa3b566f1aa688c86b662bd34cf2511cc4a30621b6f1f1ac382bc1c4fa4c0d4d5a30ae90a5e54a9fb4afc1475e7c612eeb7f0e09e894c2004cd04126df9359d525d7f090e4b531916207c38c3512341c84218c86fc50061043ba1b89ddfb21cd756b391cb53e8c1cd55352be05efe562669e3986c022e30c79a97bdf087889a392e6da0d72cc7ea208aaf23408df23f3a9ea9bf9a935e49c9994a37a5dd0faf1267d5f7db47cf64ae1d3ec166466b2f882eb21698aa375cb50146c0e660e9bbb38d7bbc1c1c6d8333f7031d6a",
-	},
-	{
-		"68ca38fccd585eb14f953358220027046c14ef965478d3d8f206f63fef4fe3571a1b53e774b298c347cc1b69cc426d39575ccfabd5a284c7a87a0698cae9efe40543cb79f5643c3c3057a5fc991235f06f059c44a7200b509a12e864fbd748001a14790f78b54ba80cf0a4a603da9672df32b68652c1d6edd3be51cf969acfb0ae49c026fe0bce0bfc72b1ff4c47712b7a27b2cce888b9bc470b8bdda55a8d53a34d79a25947ad55b95e5406a5c5311fece3ecd46ca590b3b01b9055761da8196b21bbc468681922c66d286c32598b1e3d77f2a91d835ccd9eec231409cb2e74ede9385552517718be9f84f0f9100e368701dfa4843b7222279537306065a54d4edda3a02f1ab9edba3ddeb34dece9d5edc8797103eb942a80cb5ae130ff2e7eddd11f0cecd8f9a615d75963c44238b10ab1230d9db7371d8291feb2912d306efe4f7aea2773903d4be9a00f2bd8c03589e342269a79441c0b42ce9c6fff0a6e4e845876f7e9b342d25351fe2b1233b4f576db90ef1facfa617b96d17aa03fc824973e1c80f15e5344b0516fc28424b7faff47ea1ef4e47f6f7b50e91b8fb14027f05ca7e1bafa266a4b952cd0b9e4cab82bb4d61f99568e14a6772f36296f5d19cb04fa86ff20f04ab61d1a6f01e5282c99fe4c3254da46fb5276317be58e94b1928e3791af27dc6544f6d445dbfc7275fbbea74f98ee4aea647b654909f9fa9c88312d3759099c9d0070e3db6d55506813f8b7abe602964a7dfb9387f58e237dbf50b4185a50b65ac099352dee8695017e4dac644f42aecc3e415333cf76b08fc764a721b45d7b74f6b0a2e43637e5b4849218d3d4c6a01208f345d76af56631590e520d6bcd82627d2446b45b2c68e0be81b3924753a54f47ea27b1e08de2399b34470701c9697eedaf3248db9b28991cdc2c632fd1b376bbda279b6709d5033d1c0a3ee573bdd222ef1afe8a4397a61fc30a4e94bdc55097ecebfef6c00133dc0b72c17e2f93a11eae9fa9f1364f10fa595e8e1623dead10caac068aad3967b9ab2837dabcd8f96a77a25baef16ba84bc93661ed150ffddfbb0369683cd021e8f959c2b531bb1fa95d7a574fe5ff9aae35fb9b4a0a9829c59b932ed8634fc05ca88211da3e30839baadaea8fd9843e0e80d9598a7282500d157ee579cda5d57628e7506617d301c2adec5186708f94f069ed7bdb70cbe88549cefe1673d48c9bbbdc01d2af03945cefe6e25f757750de64cbb9d496a25adf7058f5e32c827fe75e80ba0e834e6a72344dd2aac4228828ed42fd83e4576254af5737dcd9b6c338377d46baccb02d00fdffaac12133ea0e75e791593ef3aded4ae4c9249b8d5cd20aa28cd652b9d750b88111d9b4fbe729e27882206b2f0eb614d7daaf6436816fd80d452ac71c7a7f9e8c595287407c6ab9fe8a242e98da4270b4f1d4ea7243c27f89ed46a567c643f31f967b5f12e518106f3d3e08178078cc714cb6e39079631966a9becd6f02c18e983ceeaa2106ba9043f9985b791027eb5dddceed563106bcdbc48a4ac64bd95e87c708a8cdc33811bcd16c35e193203e70ef2bc7203183fbf60d46bc581f1bdfe62387b3e6c0c4a29130d872c3f8b134e7dcfb080e7e03048c49c0e468dbc44eff4b02e50bc6889cf7600fba58c0ee409ce948aa684baef4956fd8fd4a9c4c49e84e2ff314b7900b179fc66f5fb4affb9ef7a6064354fad8c3d2d50e6f2157576f864a843dda8f547955c4d80a73d4a86b7aaeaecea886927a5ba0e97df740ec7e8b70bb650010df55d4b75f478b07b205b560d45de666d84206c1bffd02ab7b8d1c37f21c47d1711b89d16214d8151a8e75eeeb5c54c39e5a855d578708d314240a064051d8b26c6183ce755be38fe9597dd5b5d198532b1db083a4b856b8dd60bf1db197cf1df852eb6daecffd97287a6cdd4c05307722e0fac798507f75b03e9361d5627ecdb56a3b633938fa61b2673efe6c6e768e4e7055e6c1d55c7113efd3e95151b606bbf169f4296455dccb93da370150c54fc11b3682f092f30381c6ecd218a3d9d39442c8bea61d9a71b174a8b2c56e028689380879cafb7c4bc2691dda0cf6ada039755edf93f851446df9f63267f8b8f030c069fabbe6457d4f63575b5905fb927a5a720d52c351bfbc48f12440a91471697e6b2564b1a2b314fa0e6dff090079637287b635d875f120671561102ad27aa83d9f0cee41bf023bcd703ad670b43ae23bf01713650834cc1e95dd486757f0a4f6fc9337bb95738805ad5e756198579c886eb0ee77e4ba957997dde0eecd84e4c9171c84ad8f0cb23c6a289e037f3a8beeea7965ce34fa47cbd727baa4ac9e6dc3baf17049fd2386674b246aca5ef6b8496f1d17a3175f6fee86299232c7fff682f066cbed895155d475bf9fd4b5571d257534c88c93377b1a600d4c280d42aafda975eb32c740073cffa610b5fd2dda7262a2fff5da7a0f3a875c62949e0c9247827d7a49bd8185bc27967124c34b9725ee961bc8102a029786652c2571be6cf33be63cf867c2b48e5826b31b714a415fe05c27f0862a870d8fb33200719ef4ac8530a4ecf2597b4a7f2e66f078a7505803774889a1cf963083c831f46725a1ec5545d8489e53921d81f80ef99f5e51a2d5992c7769c2a7ec8bd8e0f2fd81de53c7b69b650a2d838b269185c5efd668c470943bd956e3c5e1bba5d3b927b10cee68a75372d4d6fdfa6782c05659281bc9bc56a2123967f4f50cc7ae3379ba21e1617553354b5030b3d3f0092c1824f5d47b97e6b4fedaa90aa2573e1b115ffc72d44fa8209fd8d372c8dc9ee00193b47c2a9a302875da331731713243d02eb5a57d5dc51c35988ffd742ddd75c191f1eb2c2214a1fc47b82db8ea708818262d9583f2b1b98a40b6ff6e94742f25661a51882ef28475aab12d9422b6ac48e341cbd6f38460333b5fa1cfd4d0f43aeb46c21938468fe3f7bc771972246156652d2c58b18c8cecec2dbbc0feb0fae9f6bc022e029111f94e8913c0ad741612a1426b53cff73fbb24fb7b22ab750ba1310ecf339fe12ced6a3fae17b4c429550794a8d68be891b0e30cd28e81de2fb2ecfee58bdf11794951276005eb8a5af21e03c8aaeb595ace652c5ce60a8b98f6897d82698ffbb2e02213e50d9d3f00bb42c8652d22bffb87ec576ef6e206ed6c846fd5136a87f38c9ad899371799f35a6258878418830b04da79fabd80e7290456fe17c0850a4c20e2e657f97f4a53e1a3db65bb5e71bf38eab9f56aa11e6ef71c85b8a28f04c271",
-		"ea196b6a64be4b0799b1c2f72281300c3a2577db44e5d3606b8b02fa8fc46c7aded7e442",
-		"7c86a2c06b7520d60023d18fe73d09c514ed07a91d50d8fd5bff00e7550faed1",
-		"952f492fe00b26028c560fc6",
-		"b3f3294815ce461c8843172efe93f73a8254e58a0e71953e35c15aa89a7bd9dfee967853dcbfba73d3b87fa60449cbcabf13b1206d0cb27d2c3fedcfa695b6d41efda37bb6db35449bd470a23787619ee48f981d3f0b1c8e121725b2289b6d67858a4f9ab41683bdaec8a913ca2cc292a9640efe50fb85a1d1f7b286f45d4448f85b3242f45ab44e3281d759db24dfabbae4259f127d6546ecb914d7e93e2c19230c67fba8a6cba6069023ff7ea3d8a170289c2b4391bb97a7b899228d032b36186dfbb29ae8f0e6c06d753f4c6b21982d49ee682bef50a5c2c8434510c5fa2b9c0349592f33f8d7ad6f7243d42b292aee6d210c61e3f898875b91a17a89148275031b74cb34e628d7b701775dbfcf87c79ab279a73dad14d8eed365eb9f29a007b7d2ccc07ceb8cdcdaece67fa0166e135c9a4b939426882eeca98ab887ed2e4888bbebd5afc9f2da3e9162527262b0fa85903246bc8b80df3060c890ebaa516781a2b2a138b98001287e12a9c68471912dd297bc0beadccdc31a27b7c726baf31510cd355a28e4ef786b30084af66ef135909795aa73814cbbc6552270d5e11d46e9497ba30d6d8cecf343d16e7e3357bc9bbfbc7c1dcaa5fafd8a9b07056129da02e6228886463474c5af1d670bc14cf2868b816cc71578ad807a37477341c8192bfc2e8b1f7bfd58827e041f70384f92bb4c6acc415dde5099a1c2b27b709f9e53d1dab07c87a042ca4af7a2a6ee57b37bf2bb42259d372ecfeaf1dc55ac3a9f211f16fef3b2d5f11dc19fd1f425c14779580b2501ec6e0a84220e7e12baf9e0fee3e8cf499a7fba6721a746f598f04ee8ab4df31fb8fa5ce2d2419d5551155c009f2780cdd225ec2c19f94fb9c8b785ad4574b4da766eabfa696a1994e64a2518d1bcade6390cc683a6e80cf8b163c3e58cfa1134ee743079347f08a89c81478668df32ce9cdd7b853db5cf7af13436f3bbb11bcfa8f6b6d727a1df84f99fb3a5c248b8fd5baf669b68fd9af45298030f3251bf0351fa9b58b0b9fba53ecfd838300790ebd689744c1b7b333fbed76c8fb96fc669ecc6695ff5bf8379dd2a3c270af858cc60894be8922d69fb9707bd2a7825f2eec4a5056e5e91714f4dcfa86974259fcbfd5f20d55923a0a9936fb20e5ae9670e2019336e15f530c0be449fe355a7a02c0938d60720d5b8f4f59d2e4213ad5251c6058312b43d47c44ffc8946a98797f5ace279d3e126da63633c0eff1c412febdd47817aaee466c639e43637c1e179f606780ab490d3f0b3c2d79709f1262305fc87c02f68da2dc32f8c544e7b358c3a5d2c27986a19d13fe736c60a3524e94caa55e853eedeece985d16bfa6c487bed6583436cf82077fcdcf90a05f49db50588f46550f7a0c3a1cfca902d66d25dba8d2c53bb5557cc1d87c8a407898b3c30c4f0852df92d839859c191228d0a47324ea9ec2e0ae84513cbe4ff4aff85e77b8587f1044bcb9775099ebc2f28fbcd1cad58a8ce1f072f2228f559fbfdd8405d86f8262c27c3d95e01016b343c6a4e59dec81b59bb6e3c6109a4cffffa85e9752ed2149b5624417c0dfd1a27bd2630bf59814f15820c43bfa317be59ef6f433c95e8be154a8ae94765bcedadebb717f0d8c24e01e1952bd104ba9620f067554ae0faeb78f13c622c45d97b2b5774a3e30cb07f2cf0e8b19d1266d8a8861f3772305e24ec5c9cb714806c7d705a3bed6385f8be4e12562e17ec3df01afb4ef6f7427c48a1bc0e64fc65eb1c3d3ff2d6687e4c275a019f5ab5c63bbe47e3680fb1802d5835c4d494f0f394de1ae47f81eef005127d0971c4589c456ae6a69855f35635c28b590c1b93f155fabcab59b6c7cd8ea1c4ed1f67093aa782c54329cdcf9bf84a40400de707b894587d6e08cf7fd72fa45b6709a26e97ff5ec1269b8042358f872a79e8c2db1c7ebffac014d6b6f71b0c1c1945ddedaf5b6911668059b61b55eea4737aa307c829309c9ea548fba2bede023849bd61b5a467cd1ab1c61205ce64301e2531e5d58d03c74ecdafe1f5b74627be8716cad0d0a0be60984c9f9dfeae24a6c4949170ce2f589326e0a76c447a578ea3a5e4bd9f18884f18843eb1a78aa2fae06a7569a97551b227c34d429c8e1c8c5417ced93c30dcc607cb32a365d87328aaecb4ce57ab8e74f0d9099e267cfb747a3bca9f76b5f6dfb543bc4b5c06c3646062ec14f511058eb2939601913f8a0f1785249cb72b0bb1c12a9508b23caf490537eec53f614f3e06592eb61f75c1cecfa514cf7b500b0375095d5db74556220131390b77d0db72711c0c7229a5769b1d2b3f5105f3a4370beb1cacbd93ce32f89f1fc833c7949211dd204616c013a3399a22f5325f1a00008f4c8ee7dc5bd7476848721fef843123a6213cb0c0b6ae84233ed01a77a115d06e08990b8e60cfa4f41dbc9505cfae76463278b6c6b5ac7c3b83284caaba4a6a1d739c392528ff5b06bc3b82e98060e3001279a44aabaacc661fb14e7581d1235940cbe067c6b386da09454e0467c785ed0b65d41ff4cf36ba5f63d3ff2b45c11c6c22d3ea8ebbf1d52d770e0ebf2ba0c67c7d3641c145cab474a88119335990137fa82a340c2cc8c453752a3aa801127a47aeefe66d1af1a26ee1cd0e6d935bd548f6ce33a9c204be02ba08f9fa03c685665375db7c0c656ddf3e441ddd96b0d2018beff5086cc63339f26bc8332a5e6a1422bfedb69187a3443c23b630a28b02f8075faf3ff2fbeef6cdf02ba4af47a765003de2254b69f487bb5d038759a33ce6885611198b81b0b6fc5d7a531a7a90dbc3556aa758db1657698cb3698b8207b1c1b589efe5d52790667ac483dde9543953c6392d5eb8afdafa205d325e314f810e9c7722cbf5bb76fd6502733149bf21c60717ff5bc366b85ee9f206bb1f330ea72f61a9766090eabde747b1eb9c046cc8713d5a4f8d4b7dcd7c61f2496c5b467608cd9260382b8f11b04c318a5ebb6411a4c7fa060e08c295c6062ac644bd3d10bcbfcfe2e3748eba66f65d904ff21147faa8475f508f21238d42f62b697249b9fceb905127f7684c8130cb8663f09cd25ea038078e1980237389337d1446c3a77bce41b37b50b9c3a020526e7b7b3bef370cd7af71b225700627060eb65693899d277ed130ec5ed9eee75d4886f31aa93bbf302e0c69c9c4499396b43dceb67c02fafaff8b56698308393a03f60babde883f00de2c66831f024fafaf98b2fcf37a9ce01d4f34e95c9408395716dcf83fe86c7a0f5e3e6741c3b63b6ebe9964f1d5005eeb732ce66402007beb3e6a087053",
-	},
-	{
-		"9100c5b2d7c5d5a854bce55e82f94b89a268da7b66357a661dcf75cba10a1b320ae0e4e1a5b989f9766e57f867a3810a0b5b857191ffd7aece4c796f5694a2617486421940cc12b63a6aaea20d2fac188b318a1c3061cafeae436e04d710654b96a864d674768caee03a50ed6afc06f52d90115df1db5c9f1ecaa4f5da094070b1a447251ad3d4fb0e24e87821ee6d4e7e7eac7059080f77d2b36cacbdac1c6e5063946a376865458c4ebdad3c2afcbba8a82b01b03a7882eee42eab904a19e0aead4ae515b02aa2fee74f3a114bf5b9f320baa35b3225491653f4a69e0d864cbbd031d0805b727e42c2b9530dae0c01cfc6a42af8ca730e1d67b4bb743a072f0a38008b937209d534c2284271344340fae76af2b1dd00cf44b48ab8ee92e8f9cae8845e5a8d338f505cd1c19014018bfb6b7dad487e7c8c32064421982c1a63149ec16f2bf4fe7b50cf3ce1e33d6cdea8e98bf067077c9a0ec1bba6edd5090273ca719ebf6f1a0f3e56f021945cff3c468b2dad92a947a06a024758d7505a4a1bcbe9da3a03e97859da99ed36982a7c23572ab60071566b749dc34bee1d9609e87fe32282cc9adba633c9ddcbf359ef4a83a54af5fbb5699978b487954a907dc9739f4b3f3927e66cf0c338e31c272da0cc7795c72dfe60a5b2e73bfd77b8c6ea58122a913910fe29d3360cef5d398f29b024f0dd225183d538bed2b076989aceaac460e3d45e0ca7941897f151261a024b0adf6d5b62429420144497adde6557a3c53b7723471fb760b6a8b1dcc2b327cd939528f5d7bc16ec00ad99df12f082d82bf9fb7318b3d3ce5b84ab1e38d2ebcb6713c03fd0d62bd083c4af96b4316ee02b6953431c261278aabd96e28f81adf7946e3664446135c825e45ed916ccb941350c84523296cadd5360bfe3e16dda75db10da1f710fe796f3456f0911294a4735cf9968656345b9c3049ca47176194c86f36cf702538df699fcffaa254af15b198ac37eed0837b00cd3547e496ecacf6136c6648a535a235059cd75a3bfd0bc49933b379b72e7a8463c268faaf05f0b27256fb179c9d4c923a13ec6600f83aaa2bee13e30c8e676040c06aefc65ba238a29d403f3a8cc164a0bdcaa1a5f54bc1d35fa4efee0c402eccab1e92f6b0cba94e1bd87898a9dd3957a7eafd9d26bf70866450646090833d4b91c032428bdb9097b409305de669a58e44931b7b428bf1a6dc56177cd944b87b04eabd80c64e287a5758c83db26dbc06f0c772335363ea2fb9f19c833644fe3b3fbbbbf5f9d460412d287eef862ae676f258aa45bc8465667601e9ac46e7d77693936c8d67ccde94e54d746b785ad26aa38ca0500105b6870790235e780ac50b9e3198f5fe678ae3a4ff4f1d4a2177edae183daf2de42625845973fc544907e27a90d868f8634c9d529bbaacbd228a5b4ac7fa68ac208e207a022cce4b24a0b5b5791eaddc6b3b3ef6e5dba41855ff531de9bbca0a39ea743c0732772bd32cd15c4b7f28a6ba579d902331a88920fb970aa75114e14b891d42cb947e9eb14feafccf1393796b21099e52b21773adae8e550f93364b1c438dd7d7fc76994c51860b652974d04a7e6ead207610de149f231422595f4e9ced1674d98d0e15ee841143ad8613f804729524e8a5f30d451611676f70a60c5dcc7127497f4d27f35e7ba0e48f98e9022e0deac400e809170970867a1682c7d2f3ef2c632c44568abff76f4f804841ae462c7247147b6e1debe48802674fd55b2ef1be5b4604d5f60c35358c7d773ab3a3ad0ab81868c6044d4e06a48ddbffacddadf813a2ce09aef34f3b60b666245a032f021b87c81fc506166983f25930cff728d399f6dd48ea1c745ad2da7f2cdd9e3ee915f708db0d1f3481018db1c174ea950ed17247bb8ebc065186758e5403bd4d19a445e4a15519326696e4280bcecd1a903f525bbe1e521f94d79df8db4b35f4ef7bd990c0f2c32789a75f95761ca0064bf251fa00b409a58b979e56d2c44bc2302552f118162891bd78272384c739c0c98bbaca3fc46fbb5bfe123eb25df0e27343e38b5a0c2d0774443af91b64b9d4e0649f20290edb84fcedb3bf4ba491bee8754a32716739e5ab64deb6c9888bb9fd2ada1629a59b16934ec5dee3678dcbdcc7fe5e2f3833da9d1281669b1d108837eaae5180396813883de26b957037623825b0675df431fb06b35191c06229f84cc849ccf1b1e079efc2e575331cd77b3297d2908c048b82b7dd14883f3e707bf6ca38f87c19625bec47c11f54988a97205d27ac51a32f19704391af72021b78cc4461386dc3844a1b45596fede3f70e311eba92b1d9ac221d3dc19f3fdd080c2169348f2cc8c9380e12a7ebf69efa37bda4ca6f7e66919b94532ac43022c0518c04d0a8cd99e0cbac88b7a317a1dac5469534b4fbc64080196b44498e149b0a196bb2d6f59392a21c4a4523ec1ff922a52de790e42810fd9355471169d22b734dde4a3361ecd57e271a92132a8b35cfa91d508d45618ad8c6c1ea209405a3d1d3ee1535caeaa3f20546052fc13aff7a584ff79db1726678344098d8563caa2a2abf6fe5aa03d7af49dccf1b17be85600e7cfdbfff54282394b0fbeafda615185574fdff78d59ec2a26dddba1c531a1ac007cabf5be2e2f0a3dedb9174e0a9da5597c9de6d68911fc66ec9d2b1e3fd71ebb83147ab14384ee303d067f47a324a01fc187f54a98f1b0848fdba2ceb3c18936d503e71887d548c4dbc70b7eecac9ead3393f8cb85a84f1484f2e237b36b6d886f54a0f629e8bb05b0c6839c722149a5b541703aeac04e6eb230a5659b12ed0a668d018f75bc94258218c1f5390b9aee4c0b2836cb76a47da649e2425bcf4cc15c4d51d109e5f78cfdb88137c31b2510264e46f1c4eb6e6b3450ad901ff9517b47a24d508844dc85fc5dbcc079e2d09f301691f401ff5f36500cc66f0617eb4dba389d427c7ac778d78438506608f0961f818a2080ea56d0f61c40fc342b49ee63e730df61f757387b9089e1987977b7fa02d87aec2e4be24b8bdf7fb6286d190f9df870944fa910df32f178ab692fa56b071f57366a3981f51800ab416dc4500abcc19e0c6aaeeb9ca063470993ec749a0bcbd07604516b1d51175ebedbaec8986f67a4d9158f75b5f3bcbe86a83220b4fdf12a0242951f94ac7d52882b1b209b82c4749753ea4d46a60bcc4f3eed033bde2d3d20c25cb46fd907f7052217a0a4db143b2efe8875a59441f4d22ef70d0c244b2de6a7e15581e84c860a6326ae3e3aea6d3972e2de0623d2d852c9e65eed318bd3d86d29595575df60d9050e1740f884796b6657718a294adcf2303adf61c6b23933db93885172e82a78f741b8efc6315a2c88ccb6b11692a346cd82a79334e0c610734e61e6378b5e2ecc161d924778bfcf4475805a0823a0d5a54768d9272ee99b7c4a81b3d5dfe1a2f5ff34",
-		"3c77f30bbb698b1571aeb54653fcae2c23dc16be58603f0c361eedd813ec0c4f63005a1e69e533da93e820e6e4ce1308aa29c60289060ebf24fc9738e8a4874ca4e26a0dc79ee75b8607416bd554737f",
-		"0223c0a6052bb3cdc99a284fa169ba76be2df53b677642a606090a9267a60769",
-		"7d3981073f90c6648c5e9c74",
-		"61ec5230306b70113f67b340575b77ef76d521ff75b754d551e4177591a02351ad382b2a4067f2b3af7e8e15431c7133e98be9d8293d17ef40161dbad9a4f1a4f30cdd557bb9a8b03b5f1b277c850e23ecfa0fc2ab1102e4b1d5e836a606883c3d43527fc3aa26955964b144a9a56cafa7b174d72a0635b80e7b4f871ead3838a955a14c4b8c5c3c66fd86a5e4ff10dfaa92105378bbc5f76ad29727e5bc4779ba3e6dc19bf45020f6ce4dfb3400df05cac51577d58eec21b22839b8f055226b204e641783bb3305b4461172f1c1d48eec56fe6f82aae564ac6688d7b0994747d9b23a24418e69f8a4fc548f854f86baacbdec78b7597b138c453349034c8cad2ff272781e0e6799ef2f8addaf18528736aef21ef8c2d213161e36b2c7815fcfc40747626e0165684e46a9a2275c533d548e52a9952a556168195d602ead86f6bd699e97ca59f4cb2050ff148f5bdfec358dc4542ff2f700db9861dfe5ba377ec7fdc0fcb2501e72fe6873c7cc76b95b4f300857f76e6e6e370119f403b556115b19fee7009f4f6675ad2d174f44002e35ddc360f309f20a3a1dbf39d90d7e5fa2106c53afb0bf445e4cede59cb50b8a7a2c0961d00b2c251f2d815309f74a46a424838ee87f1229273ff3b66dfb79e3b1ce11bd60e061e60e3f37bd7ac896b618cd78388590f44b1a276b965a4b95f2e3a7a175b30fb45dc7a71d4b3a1a33e98af30dbb46a217c50046ac21b8bbe9537c02f05a5780c8a5d796bd6424fd9e9f3ed5932069bc050bf4a1898a0ef0ca756aa2e2269b709cc92e0c5192ab49d692143388ede2bde4923c85eae8f59db5c7711dabeb33743c692be6dfebd815456958b5e1384a109f891f433e7b4a1031d4f30478b05766dd97eb964a28f2f7b55aa6c27c7f4ebf4d47ee8709bf99915426b3896412a855798e392e111789213af537cff7a976b4509e0eb6ffbb8e886a3596a242d16d95109b0ff562c624e06636a3611f804f9b2e252afe8a4e5e868b48e9e734f688f2da2012d7fdfe2d3aca75fd74730a85aae90353417fd52b92d28a5098b6af358a096b859859916bcd5a8f779676c6e04ea461fe62872050af92d08cdf1124bde1e889ace3c923457ecfe0a635ec757907a131ad7c2ca3f60e1317880f843c5e63f4ba59ab2882a492dd1e070b070af6f60e18cca29541206a7b267c3f75a5327fd9b8ffc9b36b57b73b36e586541d15c85253e17a2581e8f8a1518f275cc79afcf2b5c88a16e9bf553e757df089b5db90a9dcdc1867b788fe75abb5161dd7ee1cf37d3f0faa793ddb1bbf1eca13f4220ea63af8ef7c0e7144d999ba1c5a983e74d48cef708c1d28d3c0a168ab87d0ef70f381693f0d438ce013ffa2cba65a8cf6b498a7120209564535b7372690329cdbd74eaa76765962720f06aae58338a10064ad80f5a67395db2c31d36b1f5eb777306395f192599d2f737327afdcd9f14b3f24155a3f974915d3302427494fad756703b13afcd1764ef9735e7dbff920f1253cb668e9f40632aea1e0b4620db162138e4a97e6f0729b14be4a7c3256250d5e7423ba1238c704503c51cfc9cb68db7001b2f597a15e77138beea02e11e0bb98a72f2a77b7260e9172fe7e60483114ddd836addd966b69570db5eb26a0cfc4f8a8b80d26357ed51a70165bc0dd11ad7467688025bdb532e7222ea12f23c44d08d111b0ad4acb2f5b3d6b45c387d541ffc84466ed57acacefb1436ef00bcb5b6211dfd0650113ac369b9f3e4891acb2693c377467b1e9c949cc0ea6c4a72ef9292964275ed397cd2b1ed25fe1aa8f47e90cde362392da5e53893eef6e4f61decae1a75e3b726f0596f09c3cba62aa08bea89984b484d5768296a5afa8b0759dceba530a169d22b81979212b3343db35ce4e4766dd251ea6a47f5033cc090d6577efbed441bb4f8944937e812f12ef17ede76df621bd4cfa31567ade18b74583a2b783279150d584ca13c0d4784b70156afdf9be8ae96666b82def888465cd3df349de427d5f5b3572e4f963d33f968e6780e381ca196bc04a6664fe93fdc8558b21b84130dfa2a646950eb2e927885925af46d7a28d1507bcc3c02ba98318bfebe5b9eea1bd47935ad869eb701cbc35a9aef5efad88ff54eb350a34ccef2e159de8e16135b81105bf799fbd86aa11653b5ef93a1ab1c367231d61b42b8bdb4f04d8d05396d53247d51890be9b56c51cb19eec0fd1e6b8cdc98376b6c6b30963ac7ab02656ff94dec0e3a0eb3f3ffb8bebd99d5889df98e6c77093c370373dd5f17871fb334c7eb12c6ca22deb75bdac9eaf24281c965dffe03da9c940e13fb382fb6be332797813710a7cd2e7720f5b9e53fc0d98fcceeea4a8e9f787e670d60bfc4a849f34571e5d09b9e9c28cdf2b2d888eca9bb31ea8b9239bd19dca86880ad3e12b1583acc3a6d1f0a438ce3b5a337487279dc4ead1b214272d455e6a2c8cce4ae3bb29abfdbe77a67ababeaff5dd9c96b17f589cd4615c0209eba5e4b1c7167b4b739ca4b9957185961529d1082226f85068890c94aa1f1c244259ef7b120e40114926a49c4412b67b4caef1ff3ce6f3aea3c6107b830cd34df9f4d73d7d978b6b9d5c481e9d76e83d649e742b098334838fe50d80975fb567642d3b72c461ef3072ebb1d03c0099e97575bae6a12cd2352d9d296351df6965d736d7568c2911394a73d199743526ba54dd62c56c598f4e78495c0172739274c0b8c96755e489765723a24a8704093a94544f6c8764dcd1ce6b4bf2917cfad27d85e4442b4e5bd577ea1a88c2b79d61cc1be01ee9028235b36444483b4e45da1087bf6d45ca540620de5aacc644a0d5c4b807b582c7b058e140eebca539947502bf73c9abc81a0e3a618b39d3a38c4ff7f94767fd7e6b9eb61e629806bc3d183bdade7e369d180dd2f57fef677e22ce41be7224f11723a85a3f1d14d7b72dc98ccb2816b77e625ce3db3e2c5753af8b079e0d63939079a01910ee4699cb405d4d9c60e4ac86a7fda3a4c9c290662afbdb7678c3a84c87ff83470fa8a416511a06d3216a1445699d7ad7e6980491fd596d39762d576b08fcbf0825243c1fc01ec8300780857c429c607113160a8354f6699b368a87983464472a5754fd58943fca6f6779764fbe6cbb510d5280292df02c4a7ed9acec8c95ad67ebcda71d0f519ac18db9b43b28244cd34fe02c5d694df57410eb54c5e1ca0f8501e7776a811d7ee81eb9d8c80b2ca50a012b5eecd5428af965b217e7fdac80be88a01f76d473105b027eb557a523f13c55e1670ff34627667649573e0f19dda41c525a8c96c2866a88bd73e66c786767e1657960f6676d8a22be1c6024158a0f0e4ec761148b5a3d8ea481d8fed94855be82479ba23213190054f937838f0e35e00aa74c89b294c29ea25ad7e96b4b6fa952ea8f1cbe5397b7c86d0b74ccc25e22c88736b045fe86110bffa0679f28a1f27162b51410498cb7",
-	},
-	{
-		"0fcff2c29cbb5cc40bfd2ec573ecf368275ade6a00e5730b77dab17e437b46524b3814e7f470acff6ddac4e0c6b748ed112657120bca1d83a4ce01e74a473995804d7c74bd28732a02370ac8ef52b600790d1284d82f077cfe096448509dddd0eb5944a882b7d384efdd4dde3003dea910f12de82035651e3ec9668e66435f519da3fa1f5bcda34aaaf028daf3068304f7b1ec18e65136241a9db281e011d27db5cc9c1099405a4430821e2488a228805314983966ce5d806b0f014c21d4c9d6a066e63aa6407ed6c29cfa4a3e22ca913762ca9d31271d9c371fe858f3b22e931814cdbe544b9416e88f6026b12bb8e88d8285beaaa35be1c24339b5f567480d7b16cbcf6160e549ef4570a0702889feaa0ebc54b11735735b6e2850d5715e5087291fe8890432784aa219bacaa2b874b075c9628cfed5e76dfe38426f9693f6bfb2de49b710c101b2dabb7c7c74f12de9ba8f75b8645d25629568d12bfbc7eaada63364b6f56569cf21e54c95d6797e9008f3496c506ecfe5d6a010d168fb7f0e2ee3c423492df36a133fffe9b87d7ac070c32cc131fba6089cb7d904b25812e03cd6048504f7ef1736ee00ee6b7aaedb3dda9c6fd6437772fa5076aca9888ce55e906a62875979bd477aabb2f4598d32342aa10a6d187c6768f213117a9ff6d830603bb7b9b475002e20b2237a4055ae6af6b8d70e343e76265188a0f07e7820dfb3d898684d99966d4bb9e78b0e95f5044dcc12810a89a75b11474c8fc06c6e734407db91a072ffeb2be6773a7c6c3ec939514b43daf29feb3aeb7afa57e96d9cf0492d90bb2c7be613f2208f5f5f5898b0a3db8a967a75d065efcabdd83759c88086583bb3d422c6c6425525a1adbd515199dbe71350b77940813618b88fe139153974c80d968ed4d9e3f97a91b7cce250a7c963f880dc38011250b9a131f2b76b677f78fd0e4cd6f1465182fd1d644dc42db0bcad8df4ae9f456841765af8e1c1775abf85a69577ece6f9e9035e36c88be784397479e713be4f5434aa4c166bc4702a4916c0c003a6baecaa182372a30af6dc7e6fc4912d13e662bd327829f6e85340fe130001babaee64d211d6761bcc52993c162a692a10cbe7434310392b64792a777a2b31341995072a6b7d4538cfde74e609dd1019a9f75cec0896186c0f42e3896d15be87aac5b11642f74e11d5c2f7de9f07f848ff543507ea4d73fa8f5683fc6b41831606352c482c7a5a013c51e0db59d824582c595f17a6d2113528943194d6b5aadcead62516507f178cd0f76729cf8b81fce4e0138ab224bfdbb8f16f8ea6196b90ef90a63f0fbdcbdfb5320984be8a80a26b932d1db7ecf870dd67fe838069136ff9b9ae087779e82cacf1b06a7b310ce6c439047c26fcec0364ea87e4549a544d540256cb7c3ef7282fa792aad89e919dd89519fe910501f5ef88da43232e917730e742ac2539d454e066feb9058f56dd246fdbb674dcab636585a788b338ffe41f4190447a65985acb9613d02669ad4ad888004c65acb0ca315752e58f51c9ae9259f20cbe8a668a207a5a46e30891bc909108f53db8bf6f0f11549e621d4cf4763e0035c867bfe9e1192fc421c080b25289a78f4167fe517852efdb6f3ccfe67ad01b4337da2c18f35bdc151c5dc76ee66efd27d5fc784e4e6829bea4f8a41ec8bf61ff998d178ce9f4a10551687337d7705eac6cd7fabb3f2379e31c1d01e4dc63e475f0fb01d9efa3de400b5177e2c2d68f2ead89e9ecad62cfc97fd0ad5b3391d0248dd2fd7c75dcbd802d3463ef0af21eb77b07a3286a72f1e9439f457630159abde7983a5c74f7dda12b40913632afedadb691d62003c70a46664fbd976457544cef8ea863858505b1c596e7f745d4a5fb657b1c694226afa9756c40d9c49425b323ce17a8531c5919b24010f715b5f27a300ee37334931ca9ff5c83c3f0a87713768ebccaaa15e35c56f3536ba945e5d954c94c885c68325bc4b51fb55d96c8d424849ece9a812af0747d5b1dc240f71609439f65acd1c17086e025e376eeb79a7255680cd692fc4b0f5768d1985fe8a1a387074f58c8bfdea8e5c11ed379b845ce2052a5b24ef0c1a658923eb87adf5b01e6aa59ae6937564ef97421722c67404cb9e5fe07d5bfad2e52ebe6cccb41ceb1eb2760545fb6a3582bc4ca572b0aa4e4f0a2ecc56299f3b485d980501a4e010576615ad518fd2d43c1f79aed013ed1f1e1bdb74357aaf7dc84772c9ec62da43c8ffe11a7fb3eeabc3584a936c37b28a438dfe78f89de6b0d5597ac1bc55057544e68fb49a6e505db69af122c2a3ad06219b7f2a2955db0ebf55c06baac5e0efac609436dee484857f75a8421945484ad0c7650a1d3008cc85c938208f19002b7994524878d6ddf85c763a65cb72a09c3a059657459f13cb584bfbd754fbf2de904517092be4f1786b2bde26ae8eb2d884592fc9e84395408f8117e47d1ab30d5fca167bbf07e41a33c230d240e3aac53cda9f251e24659da57d721288252fe7ff3653ae3e47b86209e9344accef0009b99f2ec7b3845558f1d77b89fc9b61ebc1b589fffd3261f71b9631e87541e22ed100e694854bed771358f10fe452fba61875a605b8080cc39e3eac13708e32518f28e60464c38b782c7c7800df63b6e7e95ced9154ea54e32900f6998f38eb1e51c112b6949e2eb11a96b1ea0a68c1e3b5af750a99c9fdb2cae44c5a1d37686ef87b158d19343e23daf00dd558cfb91e6f2e18f8e806abb2faf80d082f657717d08ca4e9c0d30d9bc30b612bcb1a3a3a3843231059dec344c6c04ce625b3fe064092e00175fd9d38f8fe54c4088efe30d211412be01460a6d4ad8d0a618b00a21de0a383de30ccd72f119b27a08958729a999e8aadff21829cbe8cfe398d90476e33db4c64981383a9aeab4a27f3bcb29d4b3d3b3a6ebdd71d3ac546b8658e269959630de176819b153cd53d2091efbddd2cf9178ba6ee98e1a3df9a095db0a2b713a0988a22239f5f08cc8f9abc3d67d9267f54dd5dedbf01bd490b0b09adb21d4e5aa7707e36cf77034f01bf8c7988a2e8dd7046bb2f486878436371f1258f3f7026afee6d7f6560be67103ad098edc9665e00118d4879f58bdd677cf2e6bc631d5c517acbb6db8a1debb4fe7492b7daf0b7ec7df056637c23caf926a1a589bef1db29cd81f547afd0fc9e459f46108ffdfcfdee43515a771c439dbde9177ceaf296a8749be0146cdca2b26be8c2ebd6cfd9b5032b1f7a375307f54c2f622711f8cf8684afaaf17c4da3e83666c40d26adc239c8d1a40024bbf560db5787ed404763d4e70ec6635c6a4b82c10f8ff7ad42217613c57648716ba94cb33129f3789dc86f9c8ec2e8e90e6bba0dfba1bb3dc3215188979a09f33346a6647099ed0e624c9ae10f83da0def840bdb25b718e8d86a616ff46b5327b1f99c22937920f5b5bbd6b53fa0b32f24befa4a7603234e6d94be51f00189a20b15c49e8ee58434a15ae9d10b9cf0204bfa7ab1fd9e006b22bebd22b036c4bb4c9949cb7ecdf01028d9f12466e144b2dbbf64d95d65347013e192d428678f64f0d9306f97208fb00a70d4615229143dd8890725ee3ba6021d38d6359055aa812edaf",
-		"0c5fb7075f5e15a6733737b614bf46871e29417e4b140bae6e10081623f5c52f557c36b4da4b5a4e82920497514b1e6f745fedbf73f86ee10976f82c6cbd5bc13a917514ddd062",
-		"e70954c812cac03e367e99f7b82a6dcc073d2f679f965d524872756ee58654cc",
-		"5f6267f6b3b21423267310e6",
-		"c53868c0fdc14e891ae1bc257fbb13be210a5d9cdbd9d18fe1b474f9a1929dbba3f25222d8fe8c1be3eef22352100064b922fd9642ad128a202b6382ae0a67c8affb0c5bfa1a80e55c1084cc372485243df872d677a80a3ef1ca3589908bca621f6f50133eb762cb9c05775d13db7dd3eb65ffd3eef96e8dd42928facc68390f6bbc50b17e1ef5ea6310d8756dd177be2cceb63a97bcceaa046794915589ca022d90756b02c22e8634c0ed44192abc3b8b1e2814c855ab27aaae3bdd801a73e6209fdd559ceb59a94fd98a66d12a31a643ca2f4b07ed910bc390f77ab89395d5cd1d783d8940dad4447f0452991b209cfcd998b0c814cebd08f9ff15052818bab0bf51c3b72ac1020d3b0974fbdf4ff941b1ab9c01f284fe82f2fd89c0aeb4b9fbb0a74ece08b3debc7b65e7263e2922fd4aba15ae3cba7885d04127c8e06a67f244e7aa4556f8694a5db6653f6e48d6de54f9e4024d25d3236d4f933205b6a358aa1506f832ef7d556c6a1bfe4aabfce51f3b5ac64bf6ab1e665bddb12fe13db9f07a55db3da3886df36ddb89f3a4939b1e9e5b701301570e3d01c0b947f498dcc6af438cc15e6038cb78a78986da0316cab67bca3e28c95e6b7e6b36cae9202cf4a77a0e15d3c3291d267aeee172dd587a944719b9fbe077603b4d39d4302b9a6415aa07af309a5e1cf7a9379552becdb4bc6a0b5c85d2e63bb141c405afc58a8b2b4188b3883a24eedf98dd50fc54725c440ccdb03514a6f37cab49296b6826b6bc7d7ad8cac0a3425eeb6866d94119acdad468cefe162a29e8831c77aa83321e8ae3e20e968cfe51dbf2b63f4e26c61536e6be4f63d61bbd06af38023b15f4fccb8ae0356d924dbf646bff69d1ac0d6e1c7f40b12d6d16e52d1c15958add5708bd38c514e47fe623a67c9ec211cd625b398fa7fd67a23e6e9f65d42dda2bae94524372fbc1a7e0ab3f1c451c126135536e73c573749aa60177dfb68843752b010e2cb9c1afaf51c94a48cf8ac7aab3fb200aaebcedefc6cccb581848da0121af92d9f4be002f0c2beffdfa65c36bec80e7f62d7009b1eb719d24b96e97059e6b50a52662c2c833738849f342391514349305228b29bfa9c7cf2a931558ca8e704c600148a28bd871465b23af499c11784aa45acd051f276d82789c58b14f12619372be4bc3a285f6cee21d65648d18e61752d6e7957736d3385f8ad36702c451c61ed475997d6d9f11c8be5257d8febce329aa701028aa2b5644b8515a95b5e866780e32754ac2e6f2e31b2c04a4ad35cbcbc25b23e9bf49cb1a5d877ca30880741757c29303af8676546760016f1538991b37cf0cd24ad3b1d877e5e1bd083e4b990af6ff5c0b28e530db3f463d21e76c928c8e1ffaa6c045937ea171a9071827a173e231f50e95430ae4895932c88ce048058ce6d0a50ca5c1842506158e98bb2912a61c7991a2256c97cb9050a4bb3ca32594622756291340561e9e584dd2e096263b6ff8eb898ae86f5f24500320d2d0ebb30d84cb4ef876a877dad23a611b39bf0cba5e22f2850e11c298fa23fed40691b83acc87136f8fa540b1dc40d1b0d0bd489ee9dad785c121955a094a2c6bd3353e142c04f7b88b2eb3305fd00d5eddb391b73fa2b16a6357aaa2abf2059ec979bd3ce06d5fff1c325bbe5c833a101615750613047d8155ac0c3a0734cc6aaeae7cb65d7501cb95f9d6d1161d09c961c0681547faf7983ed2efaf4e0fbb87a06169ecff1d0ee540a9223a73f75584441d4669cac09c2dbdb8aa2aed74eb9a2870f2021eb16e5f5c3e79a24d7110af4bece22a1086d27642550cadfa4f0e03f2c032a2745e1c9277a4f67fa4dc74ba056110fed3a63f643567d079c9430b8d5b3bf57a9b3f02d486d870229fee5462043b6bda8d265c745ddc1b8952bf91828d6db2edcfca7051e74df9dd456dca5e04ba469b9ff6a8130aab3903c05659b8f31cf4ba4c22511493a36541ff9d88c708dfb714d52a3c0356543e6efad37530b598bb63c3724772907abe4cad39c896c62daf5b30cd7d37eb36a7be2494353028c76e8d148b018c7bb755c45d2a33f61944071bae8316881e9aa37e4ec2374aac4f8436ed3c7db2092326538f07fc6644e0239899e3335f73c1e3c4602b12d19d7b639d4968974b6b2703ec1add8cd930cbafff4158f68f06aaac83bb4a2e31466e2ddc247ad71c5f4c49af7defd1394e21819cc24c78380caefb2ce87c0d1050680313037def12ca21cf67bb6692d6e4a9e90a9c9a0b7118ac300c6c6f636337aa25bc59cf1d9749dc183803cc0ccd1ff53210352795c6edb49ff1e5e8ebaee7b3eda6e3c0c340fa60594115e37fab60133b8a3b39d2e63db0bc6a03973e236fca801553912f93feafd8b96766049dd2066f3c5ac9222121ee9d36cbcd8f713adc8779949941f8a8dcc92ade62e46e9f1b292d5f7eced14c3bff50a811cb762ced1f103652773ef946e18569eb5892626627e085d4ffb3102c1586ddf88acbaeed903b22d3e7ccd8b8ddcdfddb872403240bc8e0e46a068f55bbddaf90fffb9a914187aac2ceedf21fefa1fe32fc7bdbb9fd76dcda1fca7b39107d308d11a118e47499dc4092ef0cd28d0d9af84440f095b4feb7adcba198894cd89a324c60ed0b996c520d4b33391bbbef1997256af7ba7ec1069244359066af81543ca23105742fee3480f890373d3205236bed566cd22a62bf69f8c0f27b714f84a203bca1605865e2cc2f9211389e0df7a4b3aab9d10826639357efe1f5fe64a1bd6d06d0b5605658c4d2d12e1bec77e70ea393b0a09043dd7d6684bd53f4c883f2f6928d99ba91873d063d43600f9105d503b11d8dc2b05e34b4fcf18e78b2b6c97d3b2c9249a2f6566ddab2a8a67fed6c9f8af2f4ef98dd579f2d4fb572e178489c503df5d5f03bee9920db347a6e734ed72ec7233387f1579c13725599a33a90915ddf03725dce20fd3806abc1029a20732380596057830ed63b6edcaa4d4418871bbfd58de1d1f2800588ed207f2016e11abd1baf1895f6096e2c75cc5916836a9ddc09cab4c28e53fadbd7d3080088131cc270095315b61011b0cea5b4d64b647bbcea54d20be1eec0992c72fc9c9771cae19191cf6a6f1840acec1deff605626d0a0d79ea8fe0af63ea75e80f8141fa8d7ca6f4c99dc7e78aeacc67762ed0134f1a0b053debfb9ccb145800b9818c2deb46f7124e8655f37c3291af107ed75384afcedb44518ca14cdea341c9657ec638531011cb957ed6b3434b736ae8c8199684cc58862638c5f6c07e1cbe8ae68c5582b1697ca9dbdd01e97023138a9173d6b1294cd99514a28102e6912b1c87ef22cdc611133bcc111e95c355a26b20a3d6f0ead66e932c5e1229b0fc17a7d6f78134c69beb362ca75017b1bf1105ac8970fad48acb8313cb3ff10e9d72c4ff11f95c2dab59575525c98653a9c7d31585a3742267c062d6ffc7a4303a3e81a45bf39e1ce2097623bba70f216aa612c64ba06ed6d596ad6abbdde69d56ab45e25ebcd4e485824449550232be26f987c14008f67c9db9d0f709f567fa44502b9e0839457e5f0aadec0395bf5c38ed8de7529708e58c0a895198fc8b2570fb6e68547630ca7f313526d392ac4776be973205f971854c300454d5",
-	},
-	{
-		"95a17355dfa9d378a18ba20e58aa4b8711ea1d6e3c65e0b2d3c6382892c7d02768437d47ed50bf8edc619c340be7bb1cd1d88b0d3d6bbf1031f738c4be09eb264c686d39b92cc7958e63c9994a84b61b5c412999ace8a9dee0e2a29eeb8dc537f63271af5f3844ed9c0d86e6913c02ed7d2b862a132f08f311aa92fc3757342d89a5dce8dd20d5792d5c60be9862ab168d3140a061489472f2266f297da357064833ef2554c49f8120ff40b961ebcfee1d0f8e7e5722f049485f72c502c9cc4afdbb70517f0fd2a00e12596ffe285d1b37eb998e0e89d756e9491ceb13e83610a3a66122b533c2c3461b3244438f5f7a7af8088881dfdf6a29fb563ce38c4c8632ada8e7e06baa2686dc6aca6bc944e5c14d6e432c4dad554803912b8fddb1c18a59a86bc452914b2efc1599c5597f87a6edcad33a7728827bbaad0a975ecc22b7748d7cc71ec7f51adc8fe0350e67dcfb31af35a8d7b72391642e29c2fa4b796ed8f535f6bc2b1198baf1cec858aac38959f83130af55c21383ebd57d364eeb0e442104004c1599060667ce5e1191e76a89199a386e5c4bf147206e7d6e598bb27a90b3c6a54cccacb39a0ac42bf22eb40bc8ec7925376a6c57d8eac6317578ac052b72ab773f572ad961ee05531cb95ee5a6d70add4176351960fb4bd673f7db9f698616a8dd41823f2f87924c40f131e6c83bc40ab1f92312f46ee86765c306cf4a1d77275ef9668d80f9d9c1ea0aa7b2456bbcf764e009584ef1c0b4b4c683fee3fa2641f48ccf7485a8356fb3dd22f848deefadbef8050de9c5c19e8c449c6f3ec2b1324f80a7d428dc44dbb966d40244c3af03bcb410a57ad1430615e07553a22686f1a62dc6cf090aaac3707ec5b44274b7fe28c7a3a298e7a8adc71e016944875bebb421babd2b64809be3454f25b90723e2cec68467ad2d14744b15de8f9c397a505a340e85998e207cd46fa18d76c46f458af4ac3821c0ac6cd68afb72c376c31daad1a2435fc2bf333260c1a82430edaf2499e7455a93b1301eada2e12365ffcd36a1119664d0c996318a3e55bb2c04dfc5eb251f7fd64f9d83f27ea6577d748e1f85248355ed19867857dc3383e01249cc37684b0eb8e891aa663801e4ac8f0331b38686a19f0d19f6e94c7ac95ec395962be0a4e3c8358d2f6d8f13191e164ad29cd1733bde8c31c7d8ab90366e26cc9a06707dcfa60bfe139a112db827778ac348fdfe26892fed61db7e9849a464e3aad561797b6c778e0688bbbeaf3349727b4670a2d0a08f317b0dc9c4b12ea85c0309d57e754d0c7bd5c83985fb82f776c968189908a8ca83b5944767c2efc3c5f898436de54fe8bb17224012a437896d9fa106a749d12aff657266276129ec5ac12fc7a77eb06296d2a2a876d931e479d3ea201cbb4b1b20bd81471eaa33786c624013e1f07577c2171f38f0511c6924078a40c2d55ce392dd2ab0885e29f4c06907a1597c181b933853838970edad7777ed394c491cde27478eafa5b7a36520aa0779261f94b957e83ce058298dcfa07b08ecc425caeb6c599a11103d7631e77daa0d9d3fc6f42703d57f2c624ecddd56b9a27b848de7dd28f8ed656f1e4decc95a8908217e2f2453ae50b5fc1d9352d735ce5bc2b538eaae25501d449d090df793151811443c64f28d19eeaaac4081e10edca4c4148e723ade8f7e7b988b732ba08b3ce4c8a0d655bac4ff66048148135decd7727a49ac59d82ad470b5479c55d3d8399b790ff033d3ef99d770e1eacecdc140480aeca1e2167553cbbdef2090c7592b40681b733b0a0d127beefd49bcbe8904c975a5ab8b1afe56d7ed7667b5cf92f537ad6972b876843364817c20400524097ac9b405e4b35bbba0d12355a0b54bd763b4491b2acd4e8e4fcaaf8fcfd398499d4c4e81ffa93ca07a5ff51a1540f178f43a931e07e1ad56ab5ce57a2f7dc3ccca114dc9ba8a6934e95f4efe9f3f76947909b280ea5fd795bbbc0feb3ad2b704e305cd9d8f37d178961f77355eedc9d7f77c58e1db2f7797eb8682255939293c3ef7dacd2eab46c4cbbdf929aac301a13f59831a88fab173803399d96dc216abb9f079e79bbfab667ca590266891c8a7ea4bc1724573e5c5a67e9f1341b5bffaa538e240f78da7733237999ac86141b2ac0324f17609b71c885630c90befc3b027a5f01e33979165ce2a00968c414838446c2aba76e1d7fe3707c742f68af21d30e23b637accc848f6c8df820a27bb4e94e5090ac6e008fde7cf3fdd5931fa891335ec8d01b5d6f77db57a87dc35d6701adf7ae0bf82dda6511c83ab4d7d3460b221eeb3d6c4aa537924db5559b1c6739040534fc330f5144c78bf99f5f4faa715e85aebac043e2529197a82ca40f65a8149a9447a9e58c61618600b0c5ab221420c0cee114a133a648dbc2eceb2894ffc329376d1eb3ce7039cf30ff6a53038b23c26c38739fdebc7b919956ca2e468d577dea6621a8d66b78075ad26a6e6d8e20c9b694698540d516ea2bd108625e5fd038b5f1e19c5d5993b82bfe16897c375322dbbca81c81cef6ad900f0ffe5ed02714c208a12f5234d78e32ee07af155ad1e1077a0d8938f426d8f326c751f6ee66c8f707e8493cbfc76f9ddf1ea329e094315a91ba9385e16c890823db0f0231c7f939a042665009d5edd8e48102c515341fa6eea33cc00fb5d82380d735b29f2eec3f61428f7b186d43fcee46b2037ad1aa6974d729848cf1a80dc8ddb0580c9c876def06d8f7642cf45263a655ee77f047fcd76171546319622bf71283f3bf0b519e123a85765779c8bb201e99981ed184e642f63aa61f9cc206bf45fa6e514bfc637671d9cdfba2891bb112a3cff438a6372ee0dd3e7d9f352ce52f8b367b7799e1f963bfe50638f0c74b94873fcd3d66fc1e342a8bd36fb8b88f33eefabb78eca4dc9c89e2c57aaa010f2140dc5ea7c86cebe2f8bf42a167d1d546cc80bfa9258c35af6efb1a090c293a4cf588e4bdf5c090ee7fe38fd7b5551e71e5ce2b0b5a50bab95bc4c257edfc94d37579816b4a2249ba05c991bb2ea02d047e480fc8a8ba71f48f344c6d20d140a64ac20184e45b4eea14d0953370c237ef0a47a7a2f22997715dd3ee8ea52f24ffe12674d571b3bf968454ca051701e411499bc43bb55bbd033f9b81d4baa6c49bdd49614efd20d58175af868ca16a9deaf65216abbdc3beed5f30b209e786a5b4c006f3bd27d93e9d78b51a1a2fb7f5160a0bc1b7df70952ea1573888ddde3d9dd5314b0d0a899a733eb48d5e6c7274667e362e4da6b37c480aa4d0d8730e66483fb1453a3aefad69942ac7f09d3c571b6275590938c541336a121bdd20722550236a9a5e4a37c7de628fceffbc260b1e9b6417c4295907937b13609b8585ebb8f076073abdcf19104ed80ffafe1b09997f115d987a552be5689c70fe125ca702d2ae4d807d5690bc2e90b72cabb0b61ad203b34c68df21c16b92bf8def5680b204ce327214c32e4363d5600f96162a6819dda472acc6441858f396385a16fa5ee52cc0f9ffef3d53c49d535aa37db2cd4b573ff81d74006677969ec1ad891082b5d18ca5b0b9f975574ccffaca72b805c9f7fdd76bfe3dd384dc953255a5b50b7731a137fb9aad42e77d3da1eff5a7b9eda5814993cf2d289bb25ae1680ffcdf419e073d38b4701021adb2019359bb70ff4cca930be7bb979a0678f20665d14803d8753c8ce54cae92feb026486ba747a861daa449863bd38cb4d5831aa6db1e7f404b0c3587aac8765aeecec686066ee7d11321574f04d3f3da571e71222ce07277eca7ff97607",
-		"5e24f34a8d53b17bd0c2aee5369e3276dbd7e7c2ea0990f1300fbbb00831b76655aab1e2fd625ecd",
-		"c1d796f1e651a1ee825855d80206baff6818cc8c247ee6ce62b7531e6e9ac32f",
-		"240cb25aaae4d085bbb747a5",
-		"319e968ad291ea5d4a057c38f7afa4ddb9c9565962fa1a7b231e397a268ad8e0c5030a2df09dc4f99402ddf2e0d06e753bf55e1b318b3e5ff0108de2328d3b8d53e23e08bf7d84d59fededd60d47bbb52736b0491f82c616eb5f779c496abd6499555035e4513c8613e7204e6bff8d06dfecd9ce38c6b83efd8d0e41f84f7cfc9ae07113237987a4b2eaa87f7e0a310155e282e57858244e9071712fa026cb781e5a4bfe6fa1bc480e534096394459a3d1354e2d9a54aac6926a60b388410fd0b53f7a3a9116292f37406369c22ea674418c4deeead171e00f74f5cabae5d24a0686a4bcd8ba99aea613a23edd0a019a319daa3779c212fbdca9d772fc3fe612cf178c2aca2aeaf6bce2433494027a474eff699bba95fc7dcf79ca1d77b1e097439a9050a5cc78e0b78bf2e7f50f959ea2986a59be3880519cd84d0a673acb0432feb1945c603e70748445c74600ccfec60efcf9e4d02a7df5f967de4b473f63b0b0499ff4ba350ec1182f3a0ac17ef9ae28945fc9bc714c49909a7c1e2f311aa6ad7652e22e1f48bb51cf53814a2125152813752d86c7f9468a991d0ac84b1a2f3969b8081c228b7f5760718036e26a10e211ff04ea323acdaaddf9b06a08c92ed663d0fdf13fa601cda45c416c2d3803dd9b5ca29cba57e59cf4ad93176c65c64507b1995d638541c90b381ff758833a2ad67b0de44c280fdfd82b3c6d4353ae30b33768863cd3169a2032f26e37ddd57e7da1673cfc7375bf6e6792495a2b434155d684f2a6f2b919f944469d47be5aa7da74eed69d871e6f65c3ae08904a9ad042ba39905188f0b9158fd14094bd6a408fba6ef57566d69eccda86bb54cd3ca7381f51bffeaf8bcc1ae8df91d22c359888e21b70f640d6f3726a34e6100ee269124747f0ca05110f63deee07e3628bd6aacf926036ccec02c0b6bd7259db52ea8b7a686b36ba1d0296c85e43e25d72ce46c66a1e646301dafd2f4c502281e6f949011cea69459c026c65bd130d6ef06be17b23a9c9a84746e39d017b144135025ac527c1e653f233770cd68e9f232c3b623ceda836843b3e9ea313cc6a57d28ce71ccfb7265ce73b06bce1447220645e6f66caeb06b55129b97c8dd8db54c94d771504d24cedc86a8ec706a9f7dcbbcd7fc7cf38005b2913b1cfb77370bd23183ac7b5ca5135a2738cc91d05b2b22640469e3daeb6a7b0f14fc6652563663520f7754aba624a35e5d24529a6ee9f5ef0d019d83c04f5a93a38b68cbce0cecd42a11aae305475806326aebb4f673791f50c9f90894add51a0fd7c02807efd8c1bd21fa717a860e224bc9fa3f40975fd8d558e4844a09f8920256528450d77e546604e2ce2d38efadaf39a0ea3ea12156174aa8a20481e6c1190e448564675f9ca60bcef37cacec5aa218122e7bd25b571ff10f54979d62018b779a2a3d5d7d6cd56ae31efef2c844ba50ff9da88eba7a8e0d9fc5388a805ba4ad35eaa4798e395d2fe112083cce2f11cc850d25ca5c6e60a9996cee4789ca99d519daedb62f4fb1e535b742a35d71d7390117e93821ff18948a78c1fcdcb90a5f1211327d7ee0663ef16ff446e0e22d8cb7b2d3d05469b1c02864f4a87e2d9715f60c9e7be841e308d0a5f6c50161a4a0464aebafb88e0d2df8cefcead93c9623106d5518a9852f320235594be10c45bc0cf06c9daa007100ff97959357f9be8e49c870d0a11c884213e266c35e9131439fb3654fd5f1abd1e778ccb02b8c262753a22653a09272a0c33b6b2683c9045e8f967af756b98dc1797ff605c64ac5bda8252e9ebfe0e4d8d7ca754fcca5e3de3c4b63678da095281d76d60fa12ff4ca818825f346b9c4e426cee16db5818d78a527a901cd088bc2983f9b83430b50683018996996717a1738439680b68e3f61cbdcd0f0e1a6b436af8fa05d3ce2228054e319bad1dc6ac970c75313c552fc1136fabc302fcd1d09ef1b9138d18133a772cbd9cb197ff58c6e898f9e83e4e27206f3b15b6bf2778aaf9fb38e0d50152f8dbf5763816132a04b4b2e9639584b3dc8ea6d95ade024f9497944200ab0aeab206ef099859b9240aaa15f737c1e0fe6d015d04f47261ade4928e3c2ca21d1f5ab4a3f571f2ed92ebeeebf2493e6e39f0063ba931e165384ee1b5081f5f8d26ec24716757037f5158d35effbe67009080ad7b0381292a513f312eb28328cf5ff47a6599e36c14277c3eb5053c5aca530ff5954c21c03fb3fd5fc0facdac36dd819b0495fde421411e0440991da0cc4a20d294446115c0b79045037fbfacfeac574da3bf192fec4bf38c27cef71d03787430223b6069ba6d9273ec8679736a832277c657862ca791b559a5054ee8c7c07618083f75480c8aa01cb086c7317315911802e6cefb15bbe20494b14d97e3a885806db775c216dc15949e3b724f7cbb30bd2c46bd5a2fd6132352c2b21cc2b47891dd9794975f70a6fa7a0791ee761ccf4c263f27f64790826c1aa656c39483e029baef0855935e7e6c133a4035a3699925fbde131ca62948879373346af35bd7fa52b8d6c3338f213bbd9c79977c0d710028d1d386df614c5faf4a1f8fe5506a9af7059370893ff6d07d91383baba67a617b5d829e0e2eb20e541ed5c34be7ef0eaf6c6f6f52d7ca01933a2a4e8de46e422dc95161ba8ad354f6bc7c8e4cf8ab5e08607530147fcd7c9481afc621c5a3230a05e2c4db79db9e1e73f43556a8e8f0dff7ffe420282212f23d4c5f6f8d2febe129b9fe5ba7ddf27f72ae898a4eba270b5d2bb3b6b06e38c546ba80a9b2bc46097d0b47db5ae72485ef2c6419e856c33c2d66a861b9d474699e730eb8a8992e3ea9c1ed74316687d5d9fc611189eba2aa31af5ba8e81179866dc016bda977c59c595e40001c8ab3a4a44cec00ff84c6dbd9ad4be30bcc080e69b9398089d6ea464a70f536ace3b447693301c94850606d0de1299770b5f45e6d28f8ab83e3ffe52178522eb91fdaa9e4a696674ba0f52ee18e960b04415782f018d67479081b1bf9b4c9b90de026cbb66bf7d9d12cddccdd9b2c8ee2f010892571c6f0c0feac9555c71bf61f9cd69553cf7fc2be8d058e0c3430e134adb1ba28985fdc4f0cf71bd3cd09f5f82f303cded0de62f98404477bdd0a846c6c51e3e82ebf72f475afc8e6388aec57206018ba2528ede194345cc1ee95cb2023793f692f708aac3c9e8a682af36b078f5d6c7a3ed07475e9fe73b95d1eee048ab898edfee3fac4beda45f03eeb64b2128f6df9453ed77c6010e13c0270c068f704f49e62fb7410be90ffee47584ca2efc5287dae1f63bcc1819e7548eb9f0d8a3182f9ed00da3817255a2ff735876b75cd21cb25e86aa4b2893f9e5089dfac76194563f9a14335dd37ef06a501c89623caaf6feb4afb792092dfed515ba7518e278c341834a9dd17b50a0fc860b62ec621b69408cb3fbf7d4ab88a3e367fda84c82357376fa9b1161b739361c313b99dcbf4122f3870c8175093298cf432174217398928983ab6cea4759f18e7a21d71fe1b0f3cda05d241e12db0818b8763bd23d958d6e52981ce8d84cd6d82640d2000874a53c0bd14949ec99e48ce6c954ef0d08e6e319de5ebf7e142f25c0f50ff13f6acecde6a270c8d8de05ef4c310ce9e92f40f6f2b77d6e7aa3f056d4a20f7faa7cd0b93d82e3972343a50a26ff462caada10621bc953b73913944246d2a4da25fa52cc6ee1293c436ab9031ee2dc79cce39f139f44d473c236731257c6f65ca4d383e39cf8d33923afea3c80244021d36e0ed43230c44e7d1a1297d35464861f9149d869f26cc51879027169803e43c898d1b4a2a2480197500",
-	},
-	{
-		"2158abc2472e1b9c061da2c01d0ad9e996fd687cccca331fe8a2baacd12c06f284b1b5cbdfd067e5ed09a60a137ff4a97c5c26482659680ffb22bbcd4ec1bfd272749e52440537320fdd3c225c30ccd98cf221b34b89c247ab7d14f93ed3ccb0486a028c6f3abe7e17fba1742b6d4db85f6e6baaf82df1a3aa059de8d9699821d39bad42d56cc1ec67626092cfad4a2e1cb5d814e2cab78ccf5474a8bd0dc990a877d37de394694af6cadcc57727f393dccba7bf955f4b65b3c00d71cdd701754ed4f231685b7b5e2557239d7e16305be2d81a773765dcea25ea5bf2c15d670f3159409ab5bbf8da121c779132a8ec1480068cb76b68a19152fd83135aeb228b446225f91d1ed4303a4bc16cf3ad8173b30d2a1e75ccafc8c933db231efeae6260d45c7ef230ae2c7b6f986f1c19e2cf260ded9cd99d64a2d03fc5ee3d73509e47ac1c39dcca655839fec75517a9243eb611da8fae3e317e7df66cbb6abd59b16975eb463f509e784e65cd660ef1a4c5027e54b1bc862f397c9cf4e6594d98c2c2830801d3a679220b46881a372cdf3aaa33eb66b91a9f36b6941c0fe1b4d2a437daa50b811f2d8c65b5a69de185d78bb9c2f172dc90a89324c5a2067974aab14f4fbcd06ee95cd49e03717f88480a410afbb4e68b5c79b0211cb69b90604cdfaf08af1ef10cf28f0f630e97ab18d9b5138d9b9ee9154e0b3104a6c164f2a114fa5032eb5c247a6b87880332a0dce7b36982515297a05dc8a4038a09f52b1def7b4fdad8735443fadc462c7c22132f8b9581de2d213bf5c53f7fce34aaeb24263afefead5341a72f88d3acaae6db367c5c14a97d4f9e438e1e11c3c8fde7ee37e5ece5382e8c68b660146046ef96c24caa6bc9fa0a0c88281e4bf01b32df5218cb3750f9c4b8af24cc106abca62d085198d14ba2ded3cafc1fbb17519a696965a1ba5f65720e893f1ef3fbc5200316b9d4615bb23426ae53e1c5a57b2f0ee0d0c83f353b4ebe7a6cb17531d278478b4ca8e6ffdd0cad30ed73d568a2e44972ac88a7e7d665614316d674e84ebc739b645a9a4166477254ba47bc5c2b05ced88e75bf64da21a7f1f71cd946d84de13ca77b7e0dc2f0617d371ed96323a83bb11dfa16f81bbde913d9c259b10f3aeeb6b56cc4775c25f49343cef667763118932c2e8b47ec745ac537b37746ed65fda2d1c11a2de60ec02adcb79152e8a9e614d8715cc4e6b6891d6a0063576560fa3621146308222432ffdbc351c36c37d844a934088fea92ac54920facf870a62e91ba9299dcb6cbdb918e2d54fb642c3f0d60489c4bda489f6c584b64c8f19359ab25f388dbbe636c4d90c048f5ed87024dcf9f98a9e738163f837a07750d61203254a80d120c795f9c3aa791272f9474fe330da81a45be5ac838613d46c25e781606862912ff88af393040605fd4d55d07e2052227c37ceffcdd2d42a08bbab69140dfa4406853799893daf768af546f915a91b81d0da719ebd45b8b5f1641f15621959689e810217bea18e3996c532ac6e4e2e4f289fddd5e5968bd6fa9aec5ca435c532b6c74a7568c8aeff9dd19bfc2fba3b484a191e2faf9a069a24e2e6d928ac0bdf635644cc1ef3bbacc547a8e4f1d42d4bed3b6b8cc56216fa550dc37da9cf4d1d1591d9348594d14adc7a3fde5e5d1a3b9875c85de7df483cdd0baa86dae793e0796d14fef1f649de6079acbec6b6fa5f2cb2bd0481f5316f00dbe5dbc379bc3cd6d13bd8c775a727ef43e6a5fad1051783b22c05a75d64a8394a73fcb430299b015563c8cb0ae0aa4ec750399855411c076d21aeca8656f3d0cae084fb0a1ffc6f73b52a7ea5d4bd6d24e7057a3811719533105fc967439a32241f2d3e3f299da2deb821748cdee1a1c5e71bfdf88d833bade2f505268f375a9e6488cd8e16705cce91d15b60b2fd269a19148296a7be348aa349a12270fbc0d5748e538afeb0598081a4f1349217ceab3c4141d40f765ea2bfffd530fb9606601469fb131a44939be984c07bac8f26d8c068accfdefb729eeb47cfd6ddc646e22031f53a7698c6501d86cbba05e282d64b2f962a1b08b9064078dd1e3f14006f45f599bc8e600cabe6d855fcbae8c3060859202361d929a241f6c0711ac0d050b67a1d44da19e0b0e236adad1f60a327c9c34b2b9c64cdde5b8e4f664f2fc70599d44a63ee2b14d051c27d71231098ecd3d4086038d63e84547dfaa39db1a92785e38b640ea0345062a1c185b25a72862e7ae6574114eba592d6492087e2580dc5d361c473a614d647e66c0a30de806f4976b69a8b92301e68794ee05b96ee116a5fd5edf5eab43dc1103801eec861383f17c2bab9f2d9126c1802b7aee0c909309ee72679ab644abb9c4caa54add283b5954e6f881781e42f849bce6554c7a5e3becc5d5a209805ccd4a0117272a53807e3978ffb19641a9dffd9034490a9284f658599961daf52f24f6464c2099cc9ed3459d84dbde2ebbdbbeef25c882a9beda03573bdd4c6a0143b14d634a1a021d5f9fa23a7ed0f5598ee57e56672814412b6c7c08b8e709fb98575fe2716100d000a20a7e7200d800e556564c7e6a8da9d609b18ff0bb8a8812e96b834a6b534b0d5dc97f5da17f42f8d58e763f1b201625d1a5158c2f9e9e190921637474ae81d278002f197f7211540088931ca8a941794e56067ef4a497fdc6fa713aa9f20c21f23c3a71ae4cc5aed459ca7c020bf55162fbcf56a066546660c5a009b8ad2aaae9651c97b1e145853a10013d1bf68e7df25dd492c328f823ed982da54557502ebc6cc56d4d0bf2881bf3c536ea53b4dcb0886e73b066969dfec343441b9372d7ff38454c4337d45e2b999415ec48f19cd05f0f80c5a61ec369610784f47a5cf3b2a13ff5d8145303ade7189a300936006846812dec9ff15500f8daf47236e724d72619af3a6cb3e854cb8284d5b8843dfe056beaa45c40a4541a98c7507feb27a605d6e07189c8c5554a492a03ce6701d3d2ec782e2c1c8346b54a963435bdda3a93bbac1d837172cebb9cd18903d25cd6bed404eaf18730a6d1c6da0783b5411770ed34f35fa6c11a4292a34565ff1b23d4200ec5a73e6b7905458088fac19f6aafd35e0e791f28bbb2cb0117ca1c3a9e3c4863e487ce5d8c14dd140e9eb4794d87d75b01f683bca84ebdbf19dafab716421bfac9e95755fd346a0cd31e8520a55c7ca652ff63fb4e20ba67fab41e11f7390bc02363162097802c6a9eb18b430d07ea60064d5b546d15bb68cada79c113848136e797577f1783e9b53574f9427be3a28230fdd69d139205dd6c7e9e7f031fb6eab70d69ce905384c5c77d084360aac590a89b2dbb2d339899b13619b455cf9f0cdc08db6c5b5f3223dc3a663ce42bcc8cc6f947f42cdf8dde15a6926b753177513a52be95b1f0b88d2a1ec90e49959b108fe204bbc29199d7382c42ad5dbaff970cbd2dbeade54bd70415e54daa805d396361f525f38efc2bba3fd818f9d7af0594dcc341c20f18c624fe13ce7e7108e1d2fd06c58b03f04642c95e3ba00d4035ea0476ac138f72378d85050bf60dedc90af38e96f67fdc38483a73e847b41d31b894ddcb234f02b0d507bbcb15a8941f9c23b592a291cbeacb3ed213f2f044aa842275a7717757467f121294bba6b357c969e96bfab455c6f328d9e5181d909c3f0543b17d9af7fcac099067b043be79aca8e5a75c3a6d4f6246357a63c516a3ca595447f34b43a055d3070517c67ec36e636aca9ed71a001d4f7b81149124deeb7826dec3697e183d861d544c9c17baff82849d599e9e77ed19f801aa1ce095940674576ff270ac788d00c429187e299a03c6f3a1646a8f7d6290287e70bd1276316ae624da929c67936191abdfba45e2803884e5a3136205a38a841448968a7900709dda033a42969bd3417a8d865d0dbee1f261f4556797dfebab278136a182a63e5ca9789e3f1371808efe06eb0cc5ccfe26c0538d573378035afa39fb7cdf3ad889b277c8c6e84954e74f3ff3140bf13bcb45c822784125d23b5eceb73e",
-		"088fc7ba068f80efd8d4d62813c93c1eba77e9ff400c7781314abc901873ce200295da09245bf8fd2fce254397616151d94b511957c89a881256182ac9e64acb7b25d4a080cc9daf9ac2f231235483fc9fd415f69caf7eaf0597",
-		"78d5f86b071bbf8a185e5e2d54faddd2a9e26983b1e7a74be0f0b979b9f4af31",
-		"d9ce7d249af9496e99c93b36",
-		"ad542824b49fc520f0b7ff8ce2bff8b3d47baacb4a1c95ed56a306483aac551fffba48e8a8f5e4cc536e9266182f6811d070fb9282f5c542cefb4993ccc7044b42cfd6fc71793dc8dd2de23c630f9ceaeddba45efed9d7fca25fcb07d193c000822478b19c2ee9fb31760cfe01475ba8a003db469d1130318a79345a29d054a9f9412dca1edf6d8f1498af5bb6fdbbd3d5f9a244ff176f62742c53779291ef6294df6540d841f4ee8c7c58fc8497ba74d9cf7947add5373427d81ae928305b93dd26cfc65e63b0ed0812ce759511bfbb10aca98f2abdbc9055c4e5ab82637f6a965bb74f592bdf11118b8eb79d50331e76cb4d10c6b4428cd4ec2ef4cb727bdba2b5375f5184d77772d0f9fd3a3c579a4a548b9c2dadc22c805ae959617af49a514b43f47af834313ed2e4d1fcec2c4b9ea87f328fa3d23129a36e6c54bcd08f7e30645de86e98ebb11bcaf99543503eb1e024bc9fd51fe6bd5e6d749033f2452cdf28b3d0f8a304111bdd26dbde641c02fcb15dc21b1a9baac5e86d35b4126ed1cc8a2c3c2a5b94c99fb9b2008daf1a0c090633bf9e31326428c75a50e821b1e72a6504c9d7bcfcaabecd929163d365832e8971f5efebff99ee3f5b95f957e8904d05b410936d8a81c60b4947f8605c58e5b727d491995c76fbe06e556c8ab5cc661a0c09ebc98d61010050f68b31fbe1f9de8f6481b2704204b0164d8433ba4dc1076908c782826e9b555e8d608463581099a466f92bfd6ac9796eacc0ab771a3f11d03806b0f33ec04c69cef6b87d58c11acb5d1374450ce61ba159456b915043c5c17cb03f0ba66d027105bb6fff41e6422f13e2a466f073358bf68149a3b577cfba7ea08b42f83fbc5a2aff17c5ee7dbdac3ff97389f5b8d1f3750e5c9be651209eeb9574127ea81bd7619da16d1cfab85754883543f6474c8c0cc9d5b80e34bf8262d2b4798f9917bcab4b880339397907a5bafe7d149247fd735523df3cbb17ae5e298846ad3bfb7d4f902aa549b7667d3ea945b002e7b209bc83842a7b120d6d27ce80631404371f31d1f61efc5423e1822032a1cbf4fa1a6b6fe79934a202d5add8c6e3595e49be3dd9553a569521c50e9653bc684ef2b73c3526ff7a0843fcac9cc9ecf46e63df5b9328a54c576bd299a366bbdc0f83a9de67b03f1da16244bd6d52e7e4b52c4ed693827735554b05b3a260cd01a41d7c944d0b7b58ae4b0eb052da34bc22b779d7ad46f90f3d4049c097e0adeaf71bbb30ed24b32ff5c7a65177db77492c2571e9cd99f15e613797e319ea7377038d53b28a4cd66a697e5e8f84cf16bd0f0430b34826114b4e1d1ebaaf2939dff7f9f4ce7c0861e51701c42d9cc9e871018b447ccaf4e402e3d63be164dcdf6799314a389ada8bf5e51a35148acf627e51481b9b0e4bec09c9e6d59229721b151fa9adf8323001fcf33afbc9a949643172f39b0d10ef57b37973683fdd9b9eb46e63054fd05ffbef889ff8fc8f251b0ab41fb00757ec1964ef373fceb8f6d148a7f7c89944b3cfc240d091601b23046188ba70a7cdf7b6f96eb93dcd3d24d4aebdc4a29a749bfe3cf5f6e1a025b62982ce188e6b57245d829c9fc1dcaaa5309a8b9557b8824a78eceef6e977721de4065b474ae008642b974001a5565ef5fe4250194e8b861cc45a8691c461817f10b646fb526bf0fe7790bb0db29d1356e8c7a197ec78df8310431d632a032b5490c2a458eb8d4327a9679d7e8ef8739797b0e820e2c567ce3562592e862a1dfcecd50bf77fcfcd00518db65ee0effb9eb3655d5d401a4a47808faa596d17b316f828cbbc14a7e018a0593da9320140a752f3824b5fcb66aa4c3cb94366ee8b821b09e7bea2c04ece15e8a7be1f58463b525e8cfcfc3fdd395ec5b0575094313557e632d0a65e3099e3c653111a5fb4f0eb2aa710229fc055a2bfd8a7147cbecc10823f1244fbb6894af1408ff9047d6483ef83573b5421b9798ee387dc38f166b11de6c33e9785e9b3d9d28bc24c37890e4f8f8ff24cca298b44d6fb1c6aad28cc634a67dd427205285521a172c2a4884ac5b038e261e38faf0086a02aa29195713cea335c47d03d67fa0dec7a8cb21db741519f5f0ba0143f14d71e33d82c75d6a19b3f7a42e6c16d762354daa2670ffa55bd400637de9cddf9e7964a03b4c8956f36bf54d89cf16de23e8c52957b52eb4572a11d1398be72bdb129e2c1abb58c65cc291bb7b0d2dc326c6125a441863a6c92de0f47a355222d58bf10af0d297a86a98b4e933a8f844fc7f1bbc8ba77919dfc50c41219e3db309b92ba056349faa758daf360b8ac05e43fc2069cd46e63fec399cd7764b111467fc65407ac06f5f84a3179930f6215ac5ec906146c19e0d3e162e77a2bca3582128284282b251cdcac03ecc204266ac3a9cfe8d8854008baf89c0ea0096a400d6a0d2f7c681c99462cf0105f7a3dde690ece0438fbb820b9c73c6cdf6208c336831101b904526cf8ac331d879d71615d8b1f750ac7f0ec692d97a5e21e17e194a98c10172b5c4bc1049a8743188ae7c4d70384a7e68c1353aab7882bb91aa383821046ed0ebabb4b2dd126ccb935f48646b299095cdb71ecd5cc402e4635a3f7a3c8a6f54f4076ba028dedb402bcc92f5668dec3d91dda7319f58382017e306237e42480ee2c1f5930564cf16fdf37a3434585336b8e4535bba87311cd47722b9da727250560624a5dde48a2090ee44592d2fc06edda634b600fad9f843c6b2eaa0697b42858afee8191dd2a31e5685bd104188e2ccb057dd0a8d4d1205d7c846f5b8ec0f06bff61c7f47ac4da30e1bc80a4e95af79b14a83e9af2e0f195cb92d14f752a5f12ff90a05765be453075d799694848fcddb07859336ec101c8052bdc273d4abc313cfb351b543fa340dcd01bf32fea59881ddb8f33c6023ccea70532814ce4a2d0c66c846347b86c29dfc34f6fa4db298911d4367c59939020a3d078194e6a3a3c5126c24ed182398468e77fd61a5b1271f5cb2a97868876954c3f7179d6a045f4bd770f681cd82216cd2b1ceeb4e724b3fddeb74481e662fbd7f5dd45bed6d4f89d21b8dd9c1009ad2b0b16954e97993ab8f3fdd9d61f8db102a945591b4552f419971a9e46a792dd8392c8d9502767c82d9b4f69e66071eb579859e9ca070cad5fe3b7fcb77b8474926ea991ce7ad201421f8a79c051b762a066027ab2b9595a1c97ad57f3149f5872ed4d8e99195d47bd3c03bbee590a50a99d8048e912aaeed797977b52f0240a6cf2c865b108456881adbfda60cf701454da17bae879cf098df808f34e50bccaada2d3edeb1aa73cfe3c512d814eb33897b6ff9d67d3d682517cc333c3c2552adc99860b1f0d1076390de9f84fcc9e802581f77e14f5254da01831c70cb8581630dadb44209377d90447a1a21cc8a2d6d897db62d8420afbcc6ed85ce42f3281255bd43e0afd3e86b27d3b957104ef54959282b0e1b381a26f16057246704c7888126055af5a1f494540f01897e8781e1a5c0193b7bef4b5588d0e9b9c8de74dcdb63f03f7b15cf48fbb71c7c3bbe9329e3d326988bad7d0cb85537c1e0b3cd88f37a3c7765f548f99e495ddc29daed8c7f15dadf2e5b79def91dbbea277c51a5da250e66c305604bcce4789ca2df9a10614d72824ba8e4f179f35ccae7119fd962cce13b282f0f970ca6c4776374c4bc438f0de98aa04fb3cf23d2c6800a4a666c15bd20c486e88e688ff9e5fce906b4ae96ec7c3388d7567ce6c8bc61f6d2373b93f9ddbb02b384084b3f28f54c9ddda232d3084daa5fac5ca356ac0059f2fd3fde5d6a9516d0954653b699aa986f70733538e19721daa41329abb95058450e602eb5726ad5a8b81aa474650659c6f7f6f53f8a6e635bf35f4b1191e0dbefad3be756c6141c7d55f007f4fd131e5d5eaa120ba31cc32b8d4c69d4fa784fe0af7dc272898789c774e7995cb252eb6c8e8053c9e7adb59c27f675952d161dba78bdfb15859fdfe4fe4a44c01efd394bf51d43c600aa9a527d9c490971e188e28b980e77a9c6ea0a4ef6bd38d11b47f5745ecdb",
-	},
-	{
-		"9cd1c25b5bdab9b9080db3e5e05dc749e0783087c310777d89307138613bdffe0ca259677c13208420d4690031314a11a97a986d8b0fea143f5b4da0972c9ea3cef80b4b0b2bcf2bff392c306a764113f0d9807be86a9027c6ddc85d096600d85e0b236937f295362bc1679537a8a9278229a36a9433925a105ab719c0b7f11fc31488fa071d3032de97c81540713dc29ae02c2e13be8823183f3cd9f72ef8ba4280b4499ee47c7c7c4492bcb5cf7e4fafaa7ec26906e58146215a3d4f52f792d3abdb718f57ed0b9b7fc7504e45a0fdf01ebf5924a4da6ac635a715879ea75a4983cbd9dab9e47638acc687f16684e184443aa9e81513ae4abbc4d1596b2ca3eef77cc9b0603fe90c0570fe6cf4dff0381a99212fadcf7968934ac1ff7664ed6ee0b61e41f5074dfb774b676c2b57a445f1c5749e95ed062837c727ae2c151c0ccb3a4dc1429bbcb9e62325117aca566b8fca0924b70f4defd7749d0389b90f55f35d1635f8d2efdef514f06fde46db6e11e492c8f4dfb7cb5454cedd0ddd32013a4836321a25110f3a017f18475a86583e192132f8d8fd4c2dcb2a3aa95c3be3a57216bf9727cfd1284eea6fa870c8e689e91982c116ceeee2f8298b55646efad684b96eab883fd3d629437e9a0b6523f47ea5b59474a4766ccd01c13170bb08f47576a0fdb573d4dfb65279c1b79cb535426bcab60f4022dc42e40db29f15a6148b461241bae62070389932f035e7257752ef2d6130503d72344b24d360cae8ec11fa2dcbe04d3b18e66d081b552e93a71dc0094d1046bf4491e318f2ae00debffa0b8ada58c5f23e33fb598829ec2f46ad3894bd7f530210371a02e51ae0a414eb2eee43f3e08126dbdbae04c7de4b7416df32953234a6694ea84e6889f27c74206ab8144a393a2614e92adcc77550dd54827387b619f004c13f6c4a31e8bf525277669db0a0c3c589eda15063f12eb774a13e2aba2f2f7b6e9bc69f8485f1d6fc5773acf83671812412d28704003e78a17da25bacd1d61a6d9cb9f121abc71d023bcafa713b7c954e4e1c524e5bcaefd86c4a843e209eabbd579cde0263fc059ec6ff10017ba54fc9c2a1171d6b06f5d85079167117c12e6e5d0c71c008765fce756fd0f1141fbad6c1d2f32cd8e80429611a9a78dbc8e738d458f9ddce58ab43c77b34db9befb25cc1a588998e8dc2efa75c6883244fbbf9a7b4d6750c81b8d3fdedaf98dc61f49d067c369409f984b155ec347a3bef73e2a44957b0ca0f84c7fc335fd89453759ad0ac2fd9a5b38afa9fbe74daaee7bc52301302fb2286c21fb922f74d756de84519171fbecaa9b869682d431614ff6845126a4034f10253aa244bf89ab8e0dfd1f7fe8fc1a8472a10746d26896c8ece7ef80eb2e910069435518ccf096caeda63ad692455b04e6525bb8bae27197ca5118a57fb9a5d8fcfae1b9eb7874d91eafafa0e4fab5cb4d0173f7e3e58fae369843a641e98f3ee460e8cfe95d98f7fd38a8d2235e9d6050015833e6d7d21d7015c3b1ff42f0d3a3d9a38d373c8524752e06987c9408cca550f08c38c2a9a8d86d5ac7a04bab44254ed15c7b5670e0747788e11b81adb0d29e3d0b50d6a429340ee0d44a8c286fcaf9bc46403d26b4a4af95b021336103c1ae0f1274b33bb8b21c8cfca8a56c639f18a9df45d083fa7019aaa14d1ba50eb9a4112e574cd70969640602096265a87b1f77c0e00bbb501555f1626196611b4a824991cf10ab2874a12a8e0390267eaf9e3f8f99eadfbf40d111a26772cda1f50743c417eeec9c80171a83a730f246cf31c6691c96185d672a0fde9ccd7091c4b455dc93326913497396e0a4992773caeddcd783e534eb0f34b99bf23a2db6ee738381b5fc94ff603be014c507888ff55557793a8c5439b11dc5a347f35a2666eda81cda4d1c3a78fc4f3df3c7bde91d05524791b67142c446f60c3a4022912ddabdf817ca3280b671beaa496c935661e5adf39c1f4650563c5c807c8f21aa59df926199c4e2404690ea8ffd7dd65f637452ff93995fe9c5ac7a322b9bdc756b7ed6f533b9357a4a1ffa379dd096f144e9e0d87330c238ed3c6b08c8478e23b65518ea1e4e64585e5e9fec2f26dd7400ce4c73ff0eacdc3b07e4f34f6316f5b82fefc66e442ecc92bea8c1d58635d644724a3380e71fbbeef4bf3e57c6240ff603d65447f510eaa3c9ac794fd24f844489b7c560c7814fbc307e03f6a213eca5ea40fddf51d8731b74ec5b472bdf8ba59751065ed2461b02c41ef96622e60c0d26f9dc78c24f94372bef7e47cf09ed565ae3a52d39b02ffddf1953f1ff500f1659db9f1c2b23534702c19ec1cb7c18166fcd33997d53874c7cdb4e6c2b4d82751911913434e48b37a61a0971861187e5decb7f5c1ef6988bc1d6f7fd147a623d8bf361b0d7ece88df6e1ff8d037762d232e22e51d8c6ddaa9dc597b23ff9efbbfd416cc53e5543253732a23aba151cecf73b3ecff21c6a9fd1f24211fc21cde9633aae918ff1c6b72468f1de7e0ecb6539fa353c069fcbe8920dfa8e2fb86782e3062462f7eb2a2c441bfac21ab62744b05c70b6fc3c9f8e3a8a0c5a4263ed256a019861ecb28e20ce78e2d93f1a1def669e9652cb35d105bfdd5ff2313d27ab3eb00d1b628b4c20f42efa23390802af96a8f261ded3678ea0b780e1f4a88d23588a4ebb058adbf9a9c62ce2ce2f8264c874c697482e25f8d5a6daca4f57fd97d23c42d7b71ec150d4ee33931db5f7d63abe7d72dc936bb23a367c798e6a01509644284d52f9ae27d7d1bae597b2cbc26139354dcca0fff6d76c6065d661b66ca5eeb9f8d85810a029cb95b17e5173ef8ab92d475a1d3e21799e874ff04dbc962c668ef4be9f94d85b2a99d97c0db8f6b6d63e00e36c325cfab9aceaf7597113bff0086e8fad36eac7c0b443de6d3a8533789616d4c863df7200ba795a3b8d0a2b9568bb32af95fa604a3e3ea778c3dae159e1b612458584564ffda07b8aba9710134242b2d83d23127b51b9e41584c56f667b71bc01060240f3a2bc7e5d438e7095c1236e0e468079a83a5dbdcf132d258e9ed18f94d3c098867d06d3c09544565677b454be34ce567f1c143e2f3153bdc0353d65090dfd8f7af4633b89a781e01f4634dd7b0323ea1f38184e697bfc39a1299eaa278c39a2709cde0a346fea53a61f211112450b318d137fe68f6c102085aedabd2b045fab912da5c58d8019239f3a44b18f4fe30c5352e2e2bf030334a1dde1dcd23178636f1e38ec9e42102d8c54df0b94b207e804eacab3edddf89fabda6c8e1bd4e17ae31a57716c679ee8bc7de4412fec3934c6f3e8b4c1d1447dbba0fbc775dd3258f789ca53f1593cadc710fef6fd282bb41c0468ede5ad5b914e4758b4148b0d0c04c75ff6208ca3e79d92de8abafa4ec70ea7a4e454f0759337ce575c4954584e2bb8444c34e823d27b025d25fc9becfb4391df9882452bca0373164cd76e9af316df3f5bb7532e22557b485217254d5ab72ce349620f03758219b259784d4c9f1c7beac3cf08e624742e768b53b3d60ad0b94442c847b84a516a93d9b7d068c44c43980b4c7e2fb0ac964bf05a11fb2adb4f6d938715dde88061b238321afc7e5e84799b02a94baf3f879f89a98ab474ca12085137d639b837ebe069f6dcd8456141d063eb1c032aa392a44d1d58b1e77aba38a280625ab84e3b123507ea7a692c4acd1756c031fa52d637703ee957a993804c13e296cc20c1de55c9b8c032e50afffc51c02e5c12f48383237cdacd005b09243d9fe05e51cea42b77645e5c6f4e48c10e671d216b90a48f0d8f5c1dda553217f5126646d11a62587eb0a4ee0efdaf0d54bc2eb04cd34f5a529b682ce09a34d5acab2c8db58ed6244f7b024e68a14bcd5d7a7daa4dbcf490485cbd38e6f20e839d2b0142b9d766f9527937bb1a737877edf6122ba306bbfb5379243a6b22bdf85dcf3b079691f0e90b28a4259c1c9d8a02afa5b5a661a0f9dac52435e7d22e3591593d37eb2e10f646b51be2d1a96cd4490289ef642ad93eeffd64d7cf830d60dc4a98c768a9bdbf6ec9923062ff04abf19e8b65b95494a9420971018c7e6268b8fb2021a4ddd103976333fa52389643c711a980664e29a8479aa9c4091c2cc2074ce3ac1ab4afa217d39c6a1",
-		"c22add33457539a957d32dd07ec9110f8cdd2f00ab6ac256b4bc7732f63dd3b867b0ecac262555",
-		"e71f9a3dd457b4064df1d9055889f105af175a2d10dd7b8729da0d0116c2d9fd",
-		"7df9824e774c5f86d83cb5d8",
-		"689683c9e7aa9c48b9fda0cfffea0458ea0c3dedccd21efeb06126f1194780917c9f4f2f44b1daceec3f6b1f75506f4169bdacf12c1f65958784851056fe0b4b42a22aeb043ab35ca73747346ac58c550324c4b849a404c94b8860967b6fc58aff25dad0556f1952c045b91f56ec8eebf6f552c18b2a0641c037e6c6538b289601e1fd5a7bbe7b6e0b224124fec341bf77615183abafb52b3e30082a0abfc2cf224324338c132426011d9f800b382e6b834896ea48a8247f149d92ded7e69c7800096076cd2a729a1fe41c70dafb1f855ffa2ffc27b93e2f5f6827ade7118af60730033675d84de9cde6c260d3d615a945dfe0ed25f33b6cbd2c0e204ee919219d85c7536f4700f06fa61937f8dbbe9bda88db1f4ba8a8d195cd385eec62edd9ce673880800be9aa4430e5c10a5908f6dd349af70f32b32d8db38a7d73821af47b993b622bf168565082d07e88fc48231a440469adeca59263302438ece96d89de11cf8057454d1bfe8e4e36965a4d82618834a0847af39dd8776866d9558a5cff79a1cc9d1e3c22e050677e54ead68b3cf0094daa01330d41bb66708a8bbb8a196fae5c77dc6774629d38905e81d97c5b16d755182f687a8046e55d148419cf9c12139fee50c0533b0f04a805723ce1ea5595fca5b668e58f6b3b396f438308372489b640317cfa3a79392cf6d1afdd8c3359557a83790021a4eb418fa189ad15ba9be0f74182ac76076f102ec171117a3d16ca20b4d200e03e54f1f0ee6308e463a148c0c85aac3ccbe5781cf45b53a313f7c9975a45d1853ed9104a860c08634a8211b87500b5ffa3d8d9d56f22256d485b9b45b24d3873159adb8ae25966cc40f164f342519e88d1ead1e711e1b2bbd4be64c7e83f056f797c2d3a5cf7c5025f92be5637fa7738a1bbba55f761dcd1451ce4b1e85a6628b629a2f7917a86363b01516472c0f8614abe2ad1c9d5501b2a44a68e3eeeb34a64541125bf49138bcd15b7c82dfd40708414b85107d8b982c4f99783a03c707a37787a91a7198063f0e8a2d52dca61755105faaa09c063c7a0849570cba1aa7ddb3600eeba602c7e7c9b90ed00ec731d4d1d8e4bb42f9e9db21616c4aca48dc27b939428834404331288f03c2b5e887103c51748d0257519c3988f6492eb70cabbc2dd8a8a910d737a678d0970ec48bef3b81673bd10b687b37e11d49e7cf90c03c54826ecd833bfd9dbb8174274dd45b139d08371d5d248ee33298193194734c5863adf4bca92bc282bae2f47da5201fc240dd0710a22a8d922faf92c2071a7eede7ee17232d3b6ee5f3ebb1a8b230600b243c860968ab427a5f540912e5e7bfa0271201f288727f2bd5173539d5318e5c1c0a71cba4d9501b91c3bffa7bb61b3713f1751efe94a66e17d2b42da51d13c3df40f4db988dace42a6a1b9d138c4f590b7227990711afbf8f56fa63f2800cc019bbd4a7b3a0983c9b9e5f77562dcad6de96e3b2eb85cd99d28a021a10d6734400a91369236b48ed68528afc68f247d45c79318fc5d634ecb0f3ef8536d8ec2e877adc3308be906c5b96777d0e05970023e5c5dffed12310cc97249e4b95e32451c9acca8394fde699deda57e938bed7167e62e2cb62357f82fbe821ee73b4e09c6e2f512515412c2f27805762a8493e74a3d30bb409e499002a97354381318af28311ce484bdf7c39db53f08f73ca5793945e13fc8c66d503fa95506b37ce134ce2945d75b424ca6367ef4ed47b9cb8ba7de80e773279bf23ac888eb105385ea958b1b49b27c8db6b1e14a5c8ed5d28808a7d0b6bff1a58f24f9c57fd8b8f477a9d1365f89c698b8ba923896181299d474b93e05d3c915b10a69e61910761a6d8644933c593661b0828afeca590ca18e702322d9140d98fcf836c2f7a4f72b59eb529823a52ab05d919c3eee4db2cae1067213c5070450a160fd52fa44bc9bacc5c136701cd7adb1faf484da376477da08f6a4dcaa37af47c7b026c2da9d5fd0b30741357104cb2bc0d3cebd132b5fc7c873ebeceec5492aecab95ab393f35b93b923d2ca071e6bd8522c3ad8598a05e96646504f1620c045aa5734d665acbdda0ef73612be4ca4d95ba069041e042497f7b10445869989ce30f55206a1feb4e64890b7d1f7e9df2e88a352674a52ae4267c06592d425ed1d88101cf94588135892218ac11f3976ab2b47a27f02eb887696c94b13d48b4370eb11222274b5513a0fef905c66d0c1893832ffdb9b333178b65338fd8b81094d8f86f2e4e96a47e72032cd6fd47af87eec295c6e980f595b57f79abeb4654c4039fa03ade732b1e579551898b801ecd6e0fb1c5fd198335834b51673d074a8222640d2a969998f5b878bf897fdcf3426c4e24a7c599e5567643fa79ea5d20e7de581a873ee0181e3632a4e304f9dae09a81f882d4061ec17e588793b160c93a926874d5a8b78727f88de9bc125589a9562db5bb1c01012bbea1b2eeab68877871ce83455db43cc48455effbc71c436aebe362af22c6a319d134f65681c4d0d51f9aa42fb20f48ae3f7065664aeff5d8349624a5d79eb0bef3cbb2a1244ee445f560a6bf7a796b2c950a37dfb85ed5be11e8e305e835c9e077e676aa5ce23edb1f74806278548e3fa35059abc2f032289f9bd76043c8dd1352b6131cf34f66bcd0e7f1d13081f5b08ed0c69136f3b7ad8e05e9fe99a9b73624095f96740c1f40074e5d92ffeccdc0f15502082fdfcfc97a800be511c22b875f2832b2b891cb1aad2a17c7bd0be4427a4549404172f7c14d5e425e14498237c26a7813cd8612d048703cb180f1a6194f688b4644304950b078692faec7a2a5c5bbc482f3a7e8ef2825c4c19032a7a79a2908ca9774c6403e6b15625c485f2dd078902aff769dfee2dca9373704bf63ad981b51f61253910fd48c49ef10e3938f35ca8dd491a8e569baef675df30367b093f1088ebe8f876191dc32055481d074e5e47a4bd728efaea9fee3e83d8556255ffb2fa08194bdc66897d97d1557186d5f873169461494a83368ed8065b9a033fa4c2f07f7c60f945b60479e3c89233d58f674c0c6fa5918150bae0c6de2b65a09ccd490e2ad8571745bc37e70982411af667f3e8e9b9f7f75d863e5fef05c1f0d2acc7c86585a83ee32e0a64a9e67e75b80def5bfeb7cffe6e6822efa7a9cf049689b58336b081c039696e0fd3b2a2a6b0d177c9b3f8fe5cbb1c69ea93c1235b2c5b6934f603127eeafc4ed0728161612acdb2ba894a5ac376c4ef1fa8d49b4722379e5cb39752837395c413dd29a2a88c03849b6fb2221fd85ba6d5a50ba7ee9c09ecc5e6dc66afdaa1b021282cadc68f19529eadab809341187d57cfdfe01d0798ab8a94277b9b868612e575bd98f70de80ebe5f57637c511800373262eb5ac3836b03808ca5d5f732f286a5f18a7b7fb8cd8f60e4debe54731c9c524b84694c5469975443964ed28ccff2f4e8e0cf4c60c1c8a092e986cf12fa90a994e4f26ac89fabe8a0d1e27fdc00f1d3d3fdb73bb76809f93ea113e336cb0a5438147e454e262fbb7d656aa1be1288839bc342b48ba7d0e72c85a2e24be1a97dfb2db85b5d850481e62f3b11a28c6407686e73d550b9f1d0f010602e82af26813d2484a8db2da0814782c8404b2865abfbe3c98a07ffb37eea6de7992cad73a9b81ae96a9acb13ba213eb4111d868cc73b0432d2b6c2d7e0e0ca7ccbdce86d01576e1136871a07c76498eae53fb7ebf2e85fb8561d10dfba740400ef4495ece7eb33ce3bce26344eddd88cf1ed8028ec5fe8e71edda54dbdae08f50f8df6295f6d7ef1163f62262a200456a7777d0565d7f5832fcc7ac144b5c3e0ce3e5c9b7f880a54ed5e80662e96b356ff58f2e372b1dc0d73cb8b96c72caa9e5dd312841a8be23f838bc706d893e1a8a48b2c069874c293c41d00226f73f987aec8686046ac4c0c972c991c38b98cabce30e7255dbf16039b95dc7d103fde630b03441b15bd2c214763fece9d6778d1c6354d2c9478c226175c02cb006006715fffc879a6a2b4111f6234ee330d6c84d453c9ffac08efda1f380110a8ef8c2fe44e2ed644cc3e0146b4d02f76586fbb6d69b827be38b9add444e2bac4d7165007cdbf2ea8c4b967fc1bb70c68b229f19bc3f79cb13ee6265264885f04c09a96583f331ed46de3e5dcaf08313ba6053f3d0c1916a0f",
-	},
-	{
-		"3ab6cbeebc18df951d371e0f3cce2697fb367476bd9d50ca9e668c77636eeb9d24b68be0ce6a75eca194fbde6221755d57e9d3148623de24896a9becd98789fd3d14de0c7e53f81fe7f3fd491472a66b5b797fe19c5d0525c7a111a0289a9e65ae7c712ccf694cb75c490070bca7db17205af9bdb7fee27f9ff41fc78ebd2d3d399e690908b5c064ffc0d5bb67b0d2880bcb45c2ca2741691b6131aa1e5ee758fc50610406216905e13ec049ee92d1f95e16bc283dfd91595ec2037d20ead51d3a362140578a4538c80581b79852b0f6686c1ea66aafffc872024592ec1aaf2650d167a75bace024b261db4ab48b401cf85ec2620dc12a7fc37012af8ac1d6db923d82eee962129bc4ede578782594708357d29118fd10dc6d228bf7e461d2769e556488b776237b6309f3dc2e884cb2df1f43f71c53d389765f805ac053d05fa835e75fab0adb0f13ceeb425637f43556372d728a00fb005f7c5a20cf2b7f776066d60b70b11a848005c6d63dba0c93f139067b39017c997dd6b94c0138c3619e9a6d0e4b8792cb8d58a2ca12ae5d03e7637f2065fbb9e2d1722fd3aaf234488ca157d829e9a3b642458054f3dd58da41d7fba6d2b488a327b776d1aaab1a364c710e755ab22b9cf7abf1eb8949c5ca20c070f275f8959cb00c6d5ab7879003f89f795351a4ef4850e033d929f9a349b9133b2e0bd1cabbdd381594bfa697b845100b96b5fade05db12de040b814ec49489f39f5abd5b37f570cbb516636d5b7378f12872d02d4de20b52ed8ca0b12029a4c084621bbb578b870ca2ea79fd5df1ef8664bfb3b1a1bf038e4ba33f6ccde42c5146470c9dd293aa747d2372db1561617920142ac1d32e4f1fd18e8b9e72b7efb8fefc56d08f00450d23b7e8381849b1385ddcf9310a4850dbd6db7a4992690190655760f557a5027b5ceab3743365ac9041a5c14bed1126c4eca00d7e0a0e0e6f666f64bd1466387150ece5835192149237d5dd25e703e9d3a4f652ae04601d6acf8228e4e86055394c3abc9dccd02f04a60c298d101260b408b2620c137f77e2019fc6eaff1b234c56dfe922b0192656254fe3356143e969f64b7609cbedebcc8cb2b68bcdd9d723b9c14669da6cbfffbca2351de51e87db6afde435ead0017682b8014f91d9734a9ab9b374257273e114a8fffac786d53183ba666d8a67e30c1fe45bb1bdcefb5787afcbad213f8e36e78d30ae1305df96bf450349ade655cccbb17d887f79e00728abb449ea427fd2d0af80e3b5607a74a57dbe5264131f2fc49cb74415974b3d43ff872d4106ff11b680f56be06fdf85ec9dd850b1f77f759337b9a9ce04e611036d3f45743e562abe4b959eba7424a712fcf7c3f3773886aef22f7cf6168efa83cd3ff70b9521cae1b6689b2b8c423d883a007bb138025f2a31db2147691bcb365ac242efe40cd09a746cc501ae0289e80205993b07f86538d486803da14b74fb0db6ebf1c2bb8c36275137d654c1be56c65891cd50f705247d85621fd0d61ade8c05cf4ec15b84e8adbcbe017d7d5743d5e91025e0154a5d9bac7c6b8297490e9c195c5d74e046219c042219817a5c56636c7c4382c6a01d721d88f4b4d20250eb5eae5f3ef481dbf8a3f47a1d51d080bd4cc33f12645c8481e57835b77a85a2d83301172782f22026e69a43376ac4f5b78734c9eb914e6c76c6a12d4127cf195ad030825322a279093cbc40a680355d086a27f3fb7560713b019e7c286d96833dc60590e9a709f2e3c632894668e74ed20e42cd83a23ebea3dc3bcc49d14f8697541780fb2072dee6a5672d0d4e7bdf5cbdacdf5fea9e03c6d9cf0faa1e954172acc26dcd344bb3d9b2e0e6015cc55d19713d795bdb7c21b44b305e69c69fdb7261483f9693f36f45d356462f1ba4498de1c2e8bc3e0a70893acef2006dcd73cf15b265a8a5d4ed792a34a846d8f1d3b9b3bb75f1c5e57a00b36c00203973ef4e2654f6cb29e4445318ed99f0de6ca992281e83ed03feedb66aeed6a461c6f2871ae95343cd9797e58430d5639d7ef5c59c78b29f76a055e18e2b85eff177770c60ca4f2d61e612e617e749b4653e7901b62ba02dcbf50e59219349120ac01e6b8a6e98eb54abd16b921a1ff85898f90fc49a3c8f8f4ae9b0dd32c3e7f2e1527c4feb67a496390f28532f20acc71abb8bb4f71b434104f41e36b705289858a4e8430b8cd9449b0198ca2244923cff1df0f63833373c275572de5a9a77b23e5ff54aebce8e86d02651f26ae32e69001e5f3951967579ebe8574682cef8c12dee0b18bc999f8cc0f07e2ad3ac94d3caf30c1c8a8295756aecbbecbbb4ade8a2b8015e52a0eb1290693c6316d036e0c443fc4ec591c32f7e7f1b3933c921d5812233d3c21ee5528822b59ef2ec7eb62f7b04f40cc8238a473ec37a07e54f8907825ccaa1421c2964d2c756be450dedc011e1cdd9045720421b9a4a00e9d3076c2fd10d71ee36d5c0fd2c7e42396b034a4cd0245027449242dfdc42c8af4a34df1b4150097726c9745247b78bb2bad5fe8af94eb13ee1f41dbd36e56d801a4c9c5b9ca5d3c26f4714b6fe9f69b87567426eb6f4ac97e8c9541eafc19fc90d3b24aae0f76c4f3f81063d206ff695d638048c2cb023147a78332939d2f2470d16f1ed0e5d3d4dde438affb2809488b99815e54938fac3b02deceaffde310cf422f9027f364f5e79da5d2b5af1b4138ac9f9d301f396b220829c1f60cd2b54ef24576e5ba6ccd4802900db1bb4eea57de7787eda0e30fa90cc19f099444488699bf7c442c398c2ed989d084c8cadc97325484e337848c34562b3dea6f7670f935ed3d5216c970e04351651c1c31a34e862821bdbcbde202d91fed38965e31cc3b6f1e52288f327bd0a787ecd92b3b6f535d1d000b0f02d41ee01ca54e4e6179ad7fcbd60f0e41dfa5c9cc7ee4f7de3844fb385ffa3b24092b30be697f1fd32c9faef29ead346e42fe2ab1d312901b678b43b7758edb7eaa1c2d038b4cd6a7dc759a6b12cec955bcf4179006a7ab6e22ef15986df107080d340b8870e2304d57caa87a9961c04655d7d66c7f71ca9260e02aced131d6de65d256d6b487141c51bc86eb1e4721742f07d09e799b30da7b5ba94c8d701ae34271ba06f8ce134a7a9a2598d1570cf05edd9ec868cfa2e41b4c20a8bc4b8bfebd45f5a60408f08e931617746d1464bbe1f3844ab3272ede635f771f9af30e483903ee4d0cdecbaff4d31451e7791dc97c92042fb932fe1c82652c1d682a55912e33de3b1299db076cef594458670dc4f911f4a244e2bec757dad4b0052a41235e2f5e60b929682608c16a61287826218a1ac3cf0d8286555d5b0552754685c365d4342f0d9c45065daf6786179da791a86b50a5edd6fb4b21f09d9747136aacf79ecbf52b00fb88b0630ec7f0a6699901ba4eff913a3ab33ac85a71ebb51ed343eac86eebb3e79c16e664078ccda09e77ef8e0919b8cc447116b65ccbd5200fbfe86e9bac5637b33c9bcac9596b57c14ad5da548e96a8ffad5f5c69247c68d464c770011da7b45a337f138cda6b4e15311879bfaf12af4c61fba596780e6adcd5dadde372823da6014122dbac70f0dd896a8d387d3c74df282a659028d06cfeab3ae22dcd1fc3ce60f69a0d678aeae0e5681952949e31ccb8975cd167c9d012f4b230b1c1f47022eb1a3042951b338a734cdd17db0ed483a621650deb3510efe74191a94611dc212c0c73b117a73b8ae41892cf176742bd98a7cb73dcdc53b42df56d640739852335f8d44d901fc884286b433fc285fd5b3db8df0a8522cea3182c071f559c328b8516c9252681a94eecec7ebf626c0a9014d9aaaa0c694d14855433dae06656657d1f8a939123d28e00513d72bd3802d211ad7c1e06b9228c0d5656edccad5339bcdddd5e01afdc01f10974be3187804324fc513ba583b7b2da1e9096bbe3d078c1adc6c34d92c54e9c49fccdc17d10e66962120ee5d9b1cfe852569436270cf7c4c3bb12568050e2ca4db08bbac16214238413195dd4d936272fca5d56d7551b9b002df1807ed44abc84c66746387b79bc9e830a635c308a7bfad7c2c22cee6d3d0c5ebd8b230837b7ceaefdf71a67a3a8eaae0c36de86b2d96e759b8b53f8b8604775eb7a7e13223cb21033dc87d775628581a954085c2d66c1c8f225b1aa86091061738e7495cb36a5ff032dc678904bfa39a00285cd6947865b6d4805e3411644b4a4c94a6fffe05ef31e156bae6165d801685dcec195552d029d22e5de393a82ddf3cd3de3ad8cd6bba2325a03982204f07fc3c21518ef17a601fd743b27f7191bb446ff61d3c61d7608777990997e911932532e5b3235f13423756f5b6c786720cf6682932c90092",
-		"50772c5a0e156ba13a9d86edc0e600021d56f7d31e7e452a74ad53a6775339c7ca6521d87a8c79b42900a1e9e6a1ec03f7e3d615611c3fd5c9927c40e5b508af1a298794b60148df01e9c9e78ab5ea8198c097fadcd6cfa6694be64e00eefe1a1885aece86f6ad87df766e692b58ebc41982bef5",
-		"93a2561a9904a1787a10e2a668cd6a814f2877a7b512698e94796805875c8d1a",
-		"588d9bc1d98210d9700ef488",
-		"165d8c9eabcd5e93e6eff7be122c8c242e1a7f284790c93324f924efabcec4a4ce48262011b7360c2833143d645ff295453853c92f0c48c6dfc2af7ec58d9bec0d13239c7e5593cdb39d49376c6341263df80c0ed2ed79fe9899d0c07de93f6ea95a5dfd307e49bdb5672b158a4df623ee86d54cd1a0fa9a60ce39d1f5f4b6b0ce9daf2a61a907cff3bdd3f29156ac439638e0910d728843ae17ea7368814ad7734732e7c023d4954e1cd5fd19fc9b76e9bb84b61dd4371478917757b14b366b4bfab4eab0d9de746088ad43d8742e2b9e58faff15c2eff084df5f4316111d5dd7d23cc0b1ee1000253f26cd260aa636f03f64a8342e531ca1515b3beecc3ee07a29184988325322d5c09754c278231f92c0d980adc919d4fccf4a1da1d37f1ddb58ca997d6d700946199fa007c43853b6caf5f8049233584087fb23c3952414ac487e452f0c3898486d04e5b008b843122501f9c8a294da9159a04119ad5c8e9f5c211411e34559d3a7bcf2ac10e0174f94f3f2968c80ebdf4498de172884dbdad0acc3a887f9bfe896a6004d54cc424567d53f1198ba33c56aa460edc6af0e437b34322c1144854bafb2434f00703c1992dbad0ceaa0616aec60a380676ca11558cece57a936959d6c2ffe0647eeffd37524fbafa9691f31499701b202d9dc9980e79ea517089eced779aa45b522c9ad193e63ea8b64e8a942f630d44370f23b7e9acfedac51dd9f139f8806b09a8fbbabc76fec3c3721fad5087a6d41f93973af8d787d8bc74a3122d99ea14e2f30a3c90be4b695c8b269784eefafa52d6a79e785eb47a23d72f037ca572b7029d2f37baabce57658119fb02c5b659e3aadfe0052f1cc3c0afc6fe4624533d9700388713945c20c1d175da53738fc73f48fe57fef8305e796b474b6f8d3fc5040042373a13384237d95bb045ce0c20934a964a8372acedfd6e559aa84180a86311a3996cc17bf7f73e5d85d4db2529989e5836edad490aaa5f56d17326825aa20608fd209903335de4b36b79f68b6a52194f6ea8ce42570533df650e65b50c367f69b9f08c32b3ce3e75318106b8b2c6b6d09369c781fbf2aaa35053af215b621f833814ec4778ac683de0dc22c418b077a917a6e405ccbde9f72ed523aa696be1a6f247b096b9235217bcf19b88d43178cce5a7d82335fccb4c079e00280bfd272b9f16ffefa7fea38d09dfb2e4874553b135052595812aed3fa15096abf1eebf9abd598289e0d156974de4c2654c60825d42b662ca7439816d9d3a0255f40a4965504f643f029da535d4b109e8658ec570e99859382ca0ede0b0495d508c63c7f1eff3f648c60e9b773590cc663a751178ba7603a11985ff519056661b9460c1aabc30e83bb0073a927682a06d1b8050c345f7920c1a37546d79587fae2a92c803a986248f90547f0b6c0ad0552d8260d2a0dc3cc76d092ab76b8c12f05dcf141167a6ea300bc23227933396ef6fe9d51a1ba5a754485950f06cfa6964db2d0fd1d4393cc36f0592fca25ac1a6aacda2a32f548ed20287e3d291661848a62d41504e4fcb1cd1785617fa5786712b3005f1a1041733df6cf838ea3ea0b93685889bc6b2857d80a9bc0e7a66f7fb3d805770402f049889311fc112dccc72a25bd127777fd87bf5ab56d39bfe6be2b45a8301c2f324dcc50b27540200d522c24941701f7293b8877ac84cf35638507c7d912a3a94e4384b68c507412df65d0c4ca8ec2da704bd4483eb2e0d13b68c0c2b68c106a55b9710ad0a1436d655a3cf3c419d5e6f027ddf5dcfc896a5b316a7dae9290a7bf81aed539a647c8c98e24e7ed6a4f7f00a11134ca715e5826625c250500f8f16b40de048b095b5dd08268407f58a91c86c36ca5a2bf4f8fc682adf1bf601da24414c74956e1a8fd2888b5260e980c32f6678a4dc4ff73220c22593d23144b84c2ff56920342248876d15ea54fc100c09a81b802dd15f030bda9aa08727ea49e34f0ca8693e0a06d0af06ea7ceddbf0584adfdebeb20510bbac683451d9f84cf0f4e85c34d979e550e07e7f414d6f1011cb3dc28d0df6d4aac113f2d5b04e4486ee2cdcd4157dafcbbd55e8330a7176d1b231d9f47a63da9ee30fec6cc2c5aba3a8c6154f79997af89d972743255355647235ee939f4f305ec655271e0cd562ff6f401b86dd5826c769298445108ad0d9e13c504551f74c507436911331db60ef0ea99dc259b13cfcb0596fa9b3c95cd7fc3b1611e3b012b6719afbcee7548939676dffc372276aecd08e6a14251407cf995266545427d49ae5ab245cd5d534c52542fc71b3973f0b766f3d234c8baaec8b74eaa8ba90abe160b4504769d02e08d7af4e7ecc167780c619cefa58865169b674b2b1e10d82f6560ba0be41a781f4afa46bd722566d941a8e6f87e4a5c03d89685a22a3470354f2922e2915f9d46288a5e8896ed13617dce694a595e379f25fe621dde8ba73d865976950954e5bd07db147a0fb74f87cb06aba49b073942b82fab33a878651df73df2721ef800b658bdc6c359d396f684598e93f38e79639b8736b02dfcc124fb9fc199c35f2fa1d0dc39939c57286e58a7deed7b6c76e02b99a14d9bbf11f65d8eb7fa096fe4baf0f78cb34736499a0ca550f10d7edc8909dc34b039e3abdf1aa67a51d37a2eaf4c07022897d4d8355d3325bcf392d91d02d462488ead90b366e9645b956c3802e4249d34b5b2b2484a1dec15a9477821df6bef5e1626ec5ee9832fc3bd0b63a3c4100d32fac3e9085f0b5ba43123f54beaa7ccbe6ba68231649f35a28acfcbbf97dea2d6cfd96025032b3950ec8437108d0f07baf1bc89e3afbc2cdbb5031d3cd9e20b19018adda466382059229e4c8c54b455eda4280bde43b36afa96e146e408c7104523d5f565d22ef86d4c7cbf9c6e0d0b30e37b37feb9332939c642eacfe19d0dae1259d3267635051ea5f9b518dd74786e45fb8bdf72cbe3753bd50bea2a961b49cc0e2d589e77fd25ebd962463fc728b1d288c38a79a182b124d345872afbcfe792d259e7e5334311244edc75d05f9a12eadb61fd3ff79fe8c097eb01a4ac1f0c339d3be74be3d96b0b6a15e8868d043a0f2007ee8aa51756d78b7a78ad90fd9a26afbcb51fdc20ed7a3947f715c833e363bb87504d8efc9f8b93a993e2e26430f79f3cce203b09093c9b456b1967212eb0db4f7688d4dccd4a523866f75c9d9e7ce07825ae34399c5607a60b771866a647b6d5e1e20795ca906e451f367d8c40ffe79a2cecfe7aa47a402f8d49be9084661c96ebb11f1b48e7e8abd2978ee626f962e98f99db4eb3c6a52aa2bb2e62194120ce1e773b9db784e8c9b5adcfb70e3bd5717293eebf014e9872c5c1bdf3fb296cb88eab5e97a5ac320092033b49f37d840dac23021c19ab2a89190f3c8dde927f6e6b41874bf71ba7747a616682bd5b3f17a1dad40f4993a1b186ce4f44afb4e36af7715450bac62cb1527eb8db1d87bbc4d9c99415d16660e48efd911e02f5777a77e72733af3c3f5315dd0c785d5212b79c46c3bccd74582c57cfac0d50fc0c85370476913f9d8e8e10d0f6602f2271994972de49ab1a91728713c3cfcedb0e61c270b5fb331a980965bcfe10b41251a0f7915d5943f49fb139626f1c424524f2fba3a407e77dd7513669894fd09fff4185fbb997b4e4677f6ea0b52892f013f1691bdb38eee9307a565e396bab484d91cea9268f49aed29e319b0add900b6a75f7461db5486aaf5366f98df05674361308931de753c70777de73337a996f6d4b0e06d63a69849ba7533bb0e446f062edbd6250e61a49f4120f84efc1cf74c1bd30cc61a2d719fa76991dab119fc814a7c56f48bd584c7935679c53bb0ac78905b5d961fcd89a4b567d17a5182651cb07146aa9a94972ce613e8ff9c878a8433c0244052f09980a52d800e97ba65e8ac186862def58c72b9feec91266e26aa5075b3337c7bb8716b3acafe666ffe2df32b78f9995661d3ba28f8a8780436aae1da2a3e6a0a16dc562b8d5df6f68391aab73a10508e0f55208f974a0505f0fc0d8a55049a7b631fc94fab91459ae1f199527362695b41972e50faee34c5cca9e35e8682099f5e9652f88cfe9fa990ff2154c89c1c2a4ed6bb8a889fecfdf048ee0aae7798c55d6cdfd062cbca97ca289578c832d658ceaf26faba54c9c3ee9eb5bac80698c1441b9cba287f749a5e30d5cc715a01c89353ceab0974ae77fecc1d2dfb31a5101783cbc002c73cd155dfd14685c2f9acc170dc437c649b6b4720b676848a7f9b56cc4787eabe72f6e3f2aed776f9bb1432fba93a63bfa44fbcfcb6eaa9ef4b79b32bdbd68cddbb9897cf5a02c6f99fc765790092edf0d5bca7c55cf232a03fbb6f3eae09b12e09a9b49a538e0589394700d16ebd3",
-	},
-	{
-		"3497e8d61062e6f2084ebf72d00e9a47b550591edeee9746f31ea28039a1646d384c4348af293ab778f92a4807c48fbd14e8dbf3d67339c991dc4aca7dae38b5fb7bfeaaa538611d328b653950f4f664dcd257b345917cd66dc6a1ea75d99f70549d1af9d67b1608077b41576f38bb4c0a13ff4fa47b251142c6fbb79f9a27f43841ed0ebc0416c37f571aef8fd63b99e93ae88db50e9ef7d499ae7433d5686b165579d3598f96d9e7b1c876870310703df8fdf2069beadb34984f676eb7d3840c4c5766dcee3fc39f0739260a499647429339482e232362bc72c92a299cae36e9069cc5f4db8893e2c1b9ec0b4f334de26c951090b9724c2b3b7655d8248bc12a27861e020eb1e4cf6ad0dab903279b6fbdabff761d4ba159c1f631e681f210a8782faa86e08e554b5e30046157a0d1144bd08a691c2cc2dd22f3c3a4e5d44c5d03f7e3e385382ee4683345c0d316d41ee75f87038b49e0ad3ca45121789e7e7b95615e1a9a8dfe02c044c2935a97b141f639448182252ebfc980e0411e5fbcb3c01acd5aa7cc5d67101ffa6ab6acacace5f02d67155c26dedc071ffa66dbad26f67a819d46de0556fdffc1b4ab6d60905d8ef873ea1e51c62571c08b4c6db242e733e02e11e5840ee445c290b2232010b118839b37d4615c4521e8928e9ad475cdb4a3de9928ec7e6daf0e20d22e308347b31e7e877fdacda0c25f2e5c33a329e84707816ff4ffdca30dfc753c2cf883df16016795db34359e9363fac60624ae4d2b30bc1f2f99c23d953779c22ffca145fd08dad83c0f76cf727196799544c6c07483e0a41ca2e1b1da5a730956154f531d292b5a39a229ab13bf24a804eb68786e481c8aebfd3bc557afceadc41d00e1472c3b80ce652be1245089283bf1a1a93abd3325bb6eea121db8c0e1d6c0c31decfe9dba63c89b881824b0531651fc500f2f75ca9e5fdcbb179c9ded5d600a495ea704c2709f4a88c4fadcda4cd82a5b089f25a6fe0161159efe03fb5e0d44bdb5487f25e8c9adacc389860f62b06a6a4f8f104d9171622f70652ace736e8b28b70a4d9fd3fa4b9784d1a6e6811150d0a0601d31d17f6041e58a1058f99b80b0a6cd4f79c79a104b6bb731ecc881bc68e1d99ab358faf43d8504957ea0152e46e27dbfaa17d0f58287276e4fa82ab78a03513d5b4c3199d1362e4fd6447d1c26fadbd011abc69332ed0181952b391f2e8a5c89d68e22a7c451f69a9573b6bb6d918c7e3d52116f3f12f1d43d2af46bb450f58bde1732a268293cfd9cf2b90a844588c1979a30d6ac21aaea4b9e5500ef4a8bcd62bd70cae6acc8839f818d23c615e45daf14335c36dd46817c9b816be60c3848caa812b055da33f45bc01721d6fb7e850fb1e1458f27c70bc34876a955aef11f5703cfacde03a039c3b75b99b2d91fc18b00071a28ce25eb169b946b49858aa0885a4c665deca020a3fbba55d4d9175fd91e7901ec9eec0239806e8305f8238e5270f4af5c94d0008f8a5564636cc33c8a3d3e76db2a7915abe798b0dfbb3e322b33e188c7b188573bddbb9e4a7edbd4bb194b9743c4aceeab449f8affddbc2b109eb3d84f3b2f8b18ea2962680437241d82bb6146674ff1abee7baacc38d5dcd688b425c3e3b0dccdda3e36de755afcf7155d3d7cac2e279baad167e2a743b82ff8ddf3db8ecfa9680ddf468339427a4e9fb8ca4ce6f1e790c24e7269912a9989088c65965b0efe68ed44eb26876674261e3e72042f5995f1a7075b3932f4c23a8027d0db35ce4322122f489995bcc0b3fa32b7298c4c1b3354766c866a2fc0ea5690c58c5e08ae7037f70accb3ca7faefc37d78883f2bcd768285dd2571dbcaead813a0b8ae87cc1df868e93500d414c4418d5c80b919f73b9fd46111a02bfc884f9d30ee14fcfc1d55d54256b9572afad4777b8d8172c911472a22e7461f6f85aca063c19d6fdef3351149ee6864e93cdc54ca5dc7837f0ead91f5e3b155795df5dd1f933cee8671ffc05058353995019e5f6f55d2de6470605a5411afcd7fa5aa8f38d77dbf496d7fa9c5a4d35ab661aa15c77ce42bed44763166160ed5bba954e470c293ca301363f5b837406ea8ea746057588c34acf266030864d8c40e2da88ef04c49205fad1607d456767d30eadd884359bce04c12e35487bc1885d9b104c9fd4dea4ceaf054cf46cb3c77a619ffe963acc9bfcfad0447591ccd32cdd1fccb1fe7080ad75cca2e17f695ce0095a774327123f21e2839773506a9f2d896bde87dc5e35512ad733aa408f8a49e9018d1013cc32f550c968a03308cdbc73ab444f0a79a13450d4de906369da4c6a675d7e338f738358dc238be4f047579c8ba7a60448da541cb9e57f22bfcb8c26280a59b77edd0f5a009a3ef1e2958d6d3c3372840dc6a0c6ab1fe86aeb7590137feacbfdc7da57c77595b8572b45c4677836ec86fd8c4ca8ac351397aaa3aa298d752754507e1cc514d41c3f1ae0a692179218141f65bccb9acf6244730c6d00829455d21371972745b3665f930cf2aa9f0abebe6f7b89094aeb4dbdf7bbbe794f134b6284e289c995ef2929fc1bd39b259259950de29e57cdec15c4a7d33ef6e689596a6ce23301d25c2ace77fe699d90c2329da4d0f471bc093563dc735ac2fdb32c6995606a67bc953534939ed1236003c004d3b47590beabf39a1e4d5d1b00898496e9effda68433da17d1ab3a32aefa3681aeac116c5705077552649153ed15e9d704e67d8819579feb02d91db0d3533182ff43ee5648f5cc9a595ded4772d61e77bd9bffd6f29fc1f478dea44c32d5ce3118bc8860b254fb0bb1e85223bf709a7c0b9a52fd3914f1b1f295fd246bcb568388dee43a32df45e3c798068608a102143b5511746903255b98238003eed68776b46bb0e64af6c9118ecf9896709aaaabefbc1f58bf45b45768345b560ae2cdbe4d7da497736da8013c4098addb4258cafe7823bdbdd715250b707b155248d39fc6773639e4de3b201fd3cdfa1526c4149ee7d15bbee680c956fbdea844b1470a287d430c5c7e2d7b51fa756720397bbe214c19df3399a989958732d93979e361f7266e53a59bcef695435db67cd8749d258e7d582726e1bcad1395e68d7848849fb6d74451a53ae6e8989c64701102959f7fedc6a5cf8352e218396f9181f33037ca74886fae6e57460bbcb71cbe4cbb3d3a81e2090434eb1d6d5baeee4ede251952ad88001ce047279cfe435a4afe97847f798d84ad79a11bd44f09222d2f3b7fdcc47ff8a4c61f40c4629a0f603193e0aa2164579a05726e547c9081abcc0087907f8034469f740a020e19623fad42e9cea64068abb3d6ff2f6680da328061c200e1f646816a5083786ae5b71728a0e5cee14d7a942379c389fa9dbc7afe7e7ae075c061df11e4587bc90f92f1b077c091c43a25e7b3e870ad852c2883aba2632063c4ff74a857ef7267816317f823a8bc5dcda311b513be3a40e6bdeb89210bece50a608e624f00c9d063e0c8878884e45527f50a3ab4447a9a01652322700f087b6f96ddbe96a68ef98656800eda6563015a6d3c0eb1b6a9b21cccd58cdcdd074b73e40a098a980210ef831ec9e881cb42ee07519fbdfa52d9c62766a2046dee7752f880dc9082ed7f050b49ed8d14307b1b811bd87b6db2419418e49885d20fd7ca8fb45a11a1da17ac2304393734b552b5d02a303ddc72d1f456697a287851f207054c18a6262f5349348c806841d21e11fd4e4ed9c01fce1688483e009930079f7d2045a34f98ed83256dec66400a783d58c61619e6e42f6e2c6e6fc69e76651b96aabfe643ac69681955ce595f4696b80dadd1f3910061be6ed0840d47e928dd93e7c3d6932d3ead820d06e2539d9a604a6b53db6bb599da851de7cc060faa9af76d708a9aaf371dbc3eff0fdb99702504c3006f789a49feb730cabe40745837e2c8c17c77f999333798431231b337357637a5efd1eeed891fb7475f2c9f960e67578adf50241287bc5599ee08d0237f08c86ed9b75b62d612a9353e48cb4cb022d78f73fba1fab7f794a5ff64c97e6c91ec464847a81e5a5253989a1ee54a41bcd9b4b77bae6e72421471a7ddf0136edc59b72402d57e542916ee47fb3988b7123c6e8debddff2df171d4ce61e83c3d41f36143c9df97f2f68639f1bfc2a9d1fe175fe9f45e17e5cfebb330d3f06e15e3cf58acaff09ea576d896359a3f06985765824bc499319384e4c458d4326db801c564b0b503552bdbec60752b670d82cc8fce9028ff24ade3e805b81a72701b37d4ccedd72118b20d792739e035bbacc4893ded88619a6c499f246311947e48684a35406c4ef279c71ab2a74f6e5313f7900080f19aec3a39109d4aa41c930c66c84cd2163f4cdd59fe84a86cd8bb6468bce45a56d09490e032da844e6d90b436dd874c1cd32a75d1ae1d3e86d8a2ef948649eb56dd7b360f55ba5dc34a12f9279945436c6fb83d1ed57ba4ae1d9342a3dc2df9baa82fc9fee927c13439ba5bd2ff9f3e6f577b8d2df731db14c51db8a14bb15bf3e125f1ca4cb2fe856c5a576cf995db5010687d0799581c5e76d400c1855bb46680a631cc582f51c589a831",
-		"823d0cd34e7450550da9716c1f456ce0cbc79431483a6214939266581b0e899e4c95719a09c1ef166a618289a6ee6971b6fea3fe380512cb977823b387ac51d341c26d4a835c61eebde37764d2e1d588df7886177e98e3151106c898b3196bf4dbd83f5f",
-		"a4639c22fc7f370d8500a53819102df5e86c541c0ca10e8f6564e50b90c28f34",
-		"34a04df283c45655a52bdd84",
-		"cd8d1b2e5f65ddb3c0da8f12096134da22ad4d541444964077610aafc1f77f8da5ffc75bee807541cb6eb0526e78d57fd88fa9d9608914cf391ae7ccb8eedb0aa711889f9b6192601163b271c90df5d69fef487b6c05a24fc667469cf16cbd5afd58fc830119fc9f61b26dd50a96ed84c96825a615a3aee84ea4c950152323b20884346b25c9e2a6be3a93505ba059fbb114c224bed8f05f54eab76b2c9c23a0fd942eef9696ff67484b542c8347f1b1fd7df7242872b3528c9e45030447b2bc85eaf191963291e4223b75778335e5f1256618ff87bbd68b5a9e5cbd2ca1dc8aff4625c834edf8fb0d879b1f75ba9b85895a6bb4d7569a41bb3be6cdd020065bcc69b44a8fa335d9418ea2d090d8061e042e8e1a6ac03a6d5525079f14274079734ed42c5c9ab9986f0fee6bc9ee6c485e233e9b4d6de70664902529a135a5675ae129353eb2c00b73f226e84fe8c594272d6eceaca28b6da30492c92074250ec80beddb7208f9b5418944305b0864009b3bbb3dfbfb4cc2bba3313f8f7c6c19860f1dc0f5d7aa06e3b551adfc63dddac980a79d72bd2225d54a87a93717291c7b78bdfc5521f7f3239d5564fe9c9559dfefe76b77efc2e75991f31a0134529a6611ab9ef076491f2d2d81ffc5774ba8f8009dd7e5881e09ddf5116fcb5a44e576aef6cea91ebf52c56c742049639392cfb8b280dc2229252e04d8d394ffafa539290acdd8118656e7e1a4f7bfc0bb689448379e8cedff7590a09a3f5a29bf819fd87297b96ca07431a29a07ae126eb9d65e21824c16707db89868e127f17614a536de6ed268b1600a8b02aac2bca54a09b7cccf8e184448df334f95b9f0221187d56da7bd422f09b4d94228098b563df53414a5a86728962a2ea63023d8c3f03847b36db7cd189ccfef3e623b14842b8cccb18b4f80f01b32a4cec48f3009b98ffa25dbad76089c8700e90848da74aeca81d01f4dab2b7e844a3e48bef21f33c92734b821ab382bdf6d0b1048a9866e676b78ac9398678ff626d5c173a15a0a7514b2544405dd54eccaa2791605c87d7117bc9f8c0ad84623a9d3a2b1733304b492d4dec38f7981db9361b03a2837a95fe937976c7f4341a802dbf583366fbe368a3af3f92618046bb55696cf7af1f465a5a57ec5908621f431ffc762f35abe892f772a60a3f75ad8401321f67981e90083fdd1cce40903ce56a629120d6e13c8871523c4d848664331966298c8b31a5bc8174a8c14f61cbe98ae7ee3e90bc832b04318864d19a9b8b6d49a260f42bb120cef9afbe704faecf0f428d917ead9f020f5e9d772bc8f29600f8a7623d8971c1e3c5f1a3b094191e497bd70f85de124137cc4b9fe0617cb73cd44b89aada072625e25976e7aaa5a8fe9d9e3f32db47d1565aaef0e84d256bfce6aedfa1a2dce5a94976a2bb9a0da95941fb7ed444990b0e0e87627e35f3235a998019650a5e5cae804ecab8cf729a5c712f1e7d17486082dd50cbeb2ee1b0be6a7bf08a66ab3cf1fe9f49c7083f5b8ad183f32fb35fb8a41230e4041bcf0e5ef54bc3d21ecc1fceb08d95d745a997e8f2fc3c0f6b1b6c1c02e03ff02ae0d879d13eedd42d9f9949ca7ebb785764162ceb6c6f9944dcb3927b2f4eab23ab566b2b2bcc0c7d77b82579e88203602264064ce98b5b1ed992c1bb13edce579ae7f5e11697b493749f308b33e47512533350df5c07c3dadff656197884f359cdfcb736d29231aea1524b56e06c92f5a98ea663543f67e44003f5b41907a951dd792468c84c5e0e1b46149a5c9751295e153990b78c0cc712889a21b299b0315150dc50aa3b4f7fb0079ddd39d263a754b1dcc595c76ea9fea6c120384afb38d4bd40491c4689b1afc9dd096dd0327c84802bda6bb6b7a8830bc6c06b308ae9665a8666a5551ec954eb72adb827ef38f036c51698a28c92dc1c9e25c267532da2c04c1bf27f5b683ac750c3ef53a8460dc186331549bf82868f9327422c09afe1cd15e161bc41a70cab2f973efcfc8f01a380b86a432e1ae540e09d404d93d22a20dd5f685a52f0acb863dadea236288b1714700f23d1c19e40e219e8ed21f6a393e541abba850ffbbd4030e5f6567b7202fb66d86cc2a0beabd495814f6a50690e8d74cb8b093e4d43261fff80e7a67ca06dfe808899cbef84c09ece01414baac740cbe4c656b17991868e2a136f4785a0de311aeb18cc95ed33fbece22aaed8cc1e47f58cf6c09a6f92c96f37d2d2485b369093506f5e9f8534f8569655277d0399ddd3d33861bd40c71ac53a44d1981cd744d79202322d47a0228356c0e27efa2ff1009cf2a416fb6e8844eb76b8077a4a3961ff193e1c95b222e72688ba48be82ec5da498e58861ea613782ed1ab50a95b5cc236834af98e61528ab18453c20ff978551b81e1bcc0ff4b7092bdd9ab0b946b7324b7361ef05e1f7d7f6a336281b4bb2c671a95a6ab84be6bef1b9c8c3d2536edb8d79b40637e16d7281ec5243016232d7c9fc07ed9dfcf555055d8ae65f12ad150da81f62f2e1e82b3adacf6d623ee4759ad61a09038905bcf1dbbab671dd28fc1d10a0b7eaaef73a5862ab449bd84c8698d061e79fbe52a86739ba945a01353e0f3916667bd7b4356cc65451c7003927f2aa738d98245760550156dda529be741ce3ae1afdea0de35ada26ac241fcb5d518e6ee7f9930baf88bacf8bdaccbecfdb920f3b26285439912a8902ae029b07f28c1dbcfde780cd2bee6c6e5f4520c5c7ff3ab5448ec86cfb270c39586f80041f3764b5dc77dc5ced0695c89671cf90ed34c4067b4bd938b1493c7902dd94be824810a00bbde4915d138fcc7584790bb0b6682fc0799cd415441ac90c1caa008c7fde3ab4a3aae478c64991ebe07e6c4587d3046c9ebb8e125e795f0be9266bcee5a4e4355a2830c5b34e583b0355b34b89c08011db6f6b8371de003074704e8cdda37ce42c7e395b6a37bae3dfbe67bcfd1f125c9a262d56883ddc028773988270aa30c6dd326cbffee589f38286533e1d5c9486011170be591beab5e0ce98837cf91f0a58d69d872e364aa88daf9cfa71bad167129420282d99ed5884a1276dfffb2c4100c74a8b863b063c07937f2e9c12523deac4ea16178863d975e3a5be5efb5ffbea994d07f7ddc5326bed1f5c9415c1d4ee1667e3a581499bb573595158636ad94d84f7c6e4b8efc2b141f2bfab7932a050fd88a8c7b21877cddd488543db5b11138cc808e1248b6e2ef492faa8a32f9d93e3c060b5cec10f03794248f9662ed8c283a8e0eb493824e2750ec75b3b1292d80ce002083a3c64cc487afc31b20f84a778f386b012ef7bef46e638d0f1cd75487ea46e05621d608482637b3e642a9a2c5371bead4386eff968b3e007fc263086d8a930dc76a8431a4e6907ae35c7b3291075d1c723f02e4895714803c0e97d65b04c0f27d01d5d68001bdb3bbd44dfee1eff1754fe8c182cd9bc6ee273beb2a444ca1766f747d86f36cd8cef6eb1dafe0c38b9327a8cac6e83e076099188f02721cc4de3d940c3ef19d9b067be07b890c798a79ee8c44d96c5e05ee5d5202d941a674378386233a83bc85134dc8c46a7531b2b952fb277d8089cfb13e882bcf7545f0605271fe38bf4754f98dfa13fe6b635a62bcf962553882a8f28a9a5fc0b3f85509b702d4a7555d40c4f7d10fbe80d48b4826995fda7d15f14aa9b95fc6526101cf09c97fd74baca6bd26b4fce8a57b0726e0f68118969ec067e9ca39b2ba59fb0d78eb5cec5b872613b1b76763b3217d859bd6d991bbb5448bd4e49dd6597ddec9e46afb3f71d254aba828c91de51904139ab19138e36e6996a207da80323d96077c97a3e8994296376d4dcb602f1e77371efe8b020b7b6f6f7bd2bd733ad9c06c45b77a2893d73b4a8a57707969af74ba06b2fe7d4079bcad1cfeb3689ab95c8b1215fe0a855eb431f67df4ea589dadbf055086924e42cb142c9031e25b81e8e1167a54008ba1ad7fec6794f203b27f3092dd72bb766c9653a72b2e25c965f53487cf3baf74eb7742702380303af8c0a61cca3eec78d4b709e35e2cc5bd586263d9f56fc12454547bc6165e3f070ce7b2bcace5c8cbf52f987568dd90237cf190dabd4ee7a80494692a5379b013611f4eebeef8e1ab9a9c5ba61926095545e19c3dd61b7b404230729aff7d82b6bbbed6b4a926f6e49189e3bccb578fcb3537951fe9c78ac842350ddd80133275ac0bce3a669183776fee8288f874d29190b452d65bb7d8edfedc6fa0ae147102b92041af6dd8a566932e016763b60a5b9b1e3667f228cab075f966d1c525ac19d12046c6409345799adfd7154b6d8b51eeb1eab3a132ac6a2e08acd1a34bbbbdd019195af9f8a93c6ed5463765173e669cb0d42b6cffee1a4b45987853d43c02f920819f45a4fe0905d8c65aca182b4bf56fa0dc51cb53c642fef003d92c13ef4bc1bac571cbe2ba3673a49694f6311b7dfc17a4069759177930b179748d4403c7259e10a5d221cd0a6b745966e598f894e607b779dd5289fbdae0b4348141ad373a62c76aa454b35b39a7be875598bb30007fc300606ee2537cfcd7c22b6149880fb3cd8eb53054d698a0d20f26a5c3ce468255737a68706784",
-	},
-	{
-		"5622aa8d2f308dd468a7e4959ccc01f0e80d91f79df65b8201eb44911f6abc758c6703bb97908fff377395d33f96c328a4541f414b7ac34c6607dd85729afbfe01feba988e4997c6bd2c99fcc35d2467b143a8fcbe6b49247226a9e4c0a4e3c1a29d5931e6f1f7a31d90a0e0edc4479f08ef9bc65ae4eacd0b93b1cb38948dda31e60b18d702bbf5935bd580201d1f280cbbee679fd834aa6be576a37a037eabe989c3c18c7fb61fda8b9ffaa8bf22b57a101c19e850c454353af7af3d755b26ff1ee78b9d9daa78294972d108958682a5a29c8ef260e2289ad9d7d74f32fd4e51e5d9ee828366abccd97dd56e035713a6f3a1985383c0ed5d98c4accac2fa1ba7d30a295670d5224952f7b7554fcbfb426c9496f054834dec48f9b70af3d2b1c6dcda1c4daf3e9601364e57851952c785e65d753be1c22729bbde33aeb1e4748dbe90da6ecf716f05bfc68ad819515dffafd33a909562b95140ecfff1d0747f8e0459fcd3ca6cd8893262614bb4bf4b639285f327e7ac782898781968ec98f6f0f2f3c4bc5f9c4691ffa7ddb3662816f8ad092095b598bd4d10d6b5fc6fabed619eb11dfd4d638f4c0b6cff7194156a411e8ad6d3229320336ad52fd9811c3a1fcd571d1bbbac67c6186737ac7ca1ed9b2bc46e4e578f81c164b09ae5cdd4059a2c22b5e7ce1dade684e49200867f9bb1430aff9b99805cfd31f7e3fecbe898f70a4eded86b8bbeef7050eff6cf8ba71395a7ae2e270a2b58010e56cdf6efc4003da3d8a82e96979ee68694b6113cc9a6e377d40a810063830eb95005a81405e5b7de8de67424845bab1911bc55da6338513742d237a555465fa54b07ba50ed712e7a57a39fdcfe4af50f064ae969823aa1c40cd86a621ec90769d0c1babd33e8388a8bd76689215b9827a5819127bb32ecc80a562a291f3192eff34cad2635e5b0c0bc174add72e2041864953f1fc72be7d28111fba0438d9036da3d5c0f220ccfde2319bb96fcbfae6055ed7f1c1967ee9a78e93bbb77cbf151084d602a5a2f087d49c3134582c1a5d7af24f4c88be26204cc9dbf4368b19470fef49a5823a2d66c65e9b1e8ab56bf5a7bb3220696840a6222caa58a7b39fb792d95d25038a8bd9d916e853cc5459640f8b8468e3d51f05f1b95e996cee40ffb7ae14cb289094f1b77d5573c1aee7c12a6c3a1e31491422f272cc5f510d4f18ab63d3c3f468c5abd61b2fa7ba0768d46392e2a4dc06c7ce79841dca916cd33cc0a700b50fc660e5d1808d8b87e65feb89428055495823b2dc317d6d9e50aa5ef7ab14076174ed32f56abe7d410e58ca40e92f8a31433d0d74ba7b130b1561f2b075fa11ead744d031f34d82f1a64d428f6cccb0a009be24b42937bf3e99a1ef1fabf0fa7335dab52918382abe756d3de229ee8223aca6d7c5de87047838e387d4e472481a4cfd4365256e13aacb518ce5300f18dcb5e0a28477a6fca08a74756ef6bd8933bacc98d02abc7ae60df7cb3e06d41abcc4bd313c543ddcdea2424d98ffc6dcaa83658aae11f5841ffd4f5df42368a0e815d2146a0fe138b223764b133d17cdb08d485e9f3dd2bf2b220d1f4565b02d7b9231d592130e4436849f49b1a70772244fc0c38da372a8c57fc80ad57828410a5a16ac6d14e093997fdd5b26e4cd4b248e0ea221715ae6e112e1b68b09f795540e31b1231244bc922207b906c4f42b5302dd7474286b653b4d1bb657134bab117d6c349fa0f121c2f8dac9cdcef510c1c28545eae0ab163db6cc84ca182feb858c10153d0136f00a01c9c7d0bed892715dd85c4e73627c3a2ef0f43710dfccacffd1d9f118c9fb1a83b2eb328b8da3e955f027d95294038184f7b895d77532c7570cb86fd6b37a5a66659cf1e330db3930f302838706050c0dcd91d532d49c89d144e9a7f864026ec99f50acc02bd5f11ee88495ee8991ec4723b189f84e03d992fd718b5173ea1b033ab7d3568dc4656648fb54d28d3119b0f293a930a772c394f45ee66838f17b73a94eca27033f9d5c2ae22eb813386905dc024673850a087958eed191d04d05798bcf909eff2deb2a0009d223323b290e3d6f71b2797a2bc2590d54294a5992d629336518514032614a04847c3fad8a7d1cfc2f86765b48cf58acf892f68b691fbece38100e6a71487ef5c4ae934f1ba03b4b26a1967f70ef1c697202e4eb22a3a95ab3b7b524f0241ab4d2adf3ee5e3f2974d0bfe4419ef0ab11039ffc26339570e74d260c4d5a16f22cb4f60b03253487f5e46c47836ce29460728086a615f78d631d89a06790928455889f58adc3d0a3a84ceb2ba9cdb00a403080e6567873b985fd59fd9dec71e375013c12c51cb67d599198f36f58fdaf897e85dfe6f9896cf6d35a84cfdc6834dd9447a2a10e1ffa9fa8edfef1db9e8b4a245b211de49e04b7e88977b4e1ac9285f43526f2452181ee0f80efeb1f6b2533b656519ae45652ccefca81c17714476b497e5d8e9fdf6c9f504c7a7fa7afa36df5f4f8da5b4b973b1618fc8d2d43e866b235e5420551d1659e5bd545fb78a3e17d9cbbc8e842f3fe6be07b892453ffd689d5188f26f9e4c545ba0b3132af12a03bce6914015d026d3d7df661c1e6384bbb50dae24abfa78079a2b1ac41c44c7d82a59183f293f12011e781d3cdca2f791afa5b55a9f2d6139587bfd74bfc54ce91e642847a33b48c1b366fd8f08f520b79ad5113a0273735aee71ceae361a97547fc09b22fbe4e4ae4ae13e52d65e0971341aab368d1e917c8f5f2ac57ac119f981b51b7c99ff2be3e16935b7c73e28fb58d332e6f2c36281228c479c4d6095cf15b14baeb0769191dfc649a70471a25d45d4433797a5b8ba31ff567e60ec4d759d99244d0fb5dfef7c2896809938ddde0d2015a4c5ce5ef6cdb5752da1c2a33e5bc78b6b7c6a5af892f0792c28560a357720da3cee3833bbeda8e98e6a8cccc6535831cfc28bc8557b4181a3978bd90eabb34b99eb7e55d9263e6790ca34561d8c87ec4e12b4a38df524318db00a9b5bbde6f5a8644a818a88e91b521d716fa9f95bf70b109b9905bfca926fd42ecb9114c039790abb0392a41ee4c190536a89ae6194befc2dc4bcf7562bcb84f65c99b69612c0511552f53436b6c489204d3881e1f67e0fba3a061165d2955c2e2e12c440d31556250a8a5cc04ee5e09b1d627c14e08bce1a92df7f6475db92a3ee57e4c16c3ae677c44237122818ad457a29595ab528744707f3ab7ccf3d20bd94047e013e647802a7af14cfc7c11441ea6e9b9f960fe69d03911ad2cf3a8f633e0d647c71dc7e188c92e75353fc953d6a30dd0040c39d4355b71524f1a4872fb1ecab22c8293b54bb22a80e1e3d4c886d2988adec26f041dd0565cfa9edfe5ad9aa7da1d3b8f68fda9e9df9dbe98148120af6ff30e6400deca6dc9593dbf06c856d0d582503e7ffa185f87c6e7ac58184bb80b4a1c0c18d669e23f9791365fe807356a5763ea418c39d94311759b29b14324fb6f3104359ae66532779b825f92b7c9ea2ba43ba7de04eaef7a86192bc93e17286f1b6e0a01c33c796ebed8f17692eb9237173a051c14e4869afda2643bb98c9ac4ea94c6bdc1401c80190df6abe988d2f0b2d80cc7bc8362ba25c6e5df4370a43e156aebd6aaf856b3f64d5fefc622d078faed40b760a361966a4765adb809dbcd74b7a41faffad3a64823860e5656874133c7f8a46b5a3ac591906359aa4f171ef6bb2ea6b5f24cfe25c2fc7c1973bd5d3bb5f197002c5ca1bccffb570f0265f5cd949c7386d961ac9c5e18b5d1d6030d8bf4a48c10f12dcdb11924b02b8ab5e91f425ca62bbe42b80c6b6dde3160ebbd55803966716734327058e29bd39874f2eac199067fdbbe8c372c5a688d3615e2b65f4937b67d6a26c64cc2a9e5379cc00925c678f174f538915f912e85b7014c064a73bcc7ddd38e1a9627ffddb4bfd6da764fdbfb45048c9495ab1a4cac5642f6c9ffbe97d33cb26964a23719620df3d85dcfc392c4502759fb31a6a797e99e51e94cf9bc79ac15de4e5cf7a05aeb88a8ab4c3b6f9c52b99794503f2c49cd7e230a67df7403e552523249f29d257b35c0c7712053c3d9eb583a1a7473d7f296d25a66566e4ba8b08de2a31b082e40c8e5b1e93985b324dded3f52511744e7e99f4e3ffd99d8ae17bb5122b37f637c5525558eab18a378f5e2cb56fa003ed3af8d139d16ec4b2ea79c415b0ba4d750ca2cdf653582ee3b65a9825fb9b123593e36e645232163cabda515b959ed0a1419e9894f6c677ac200fd11babe3503ec7bfa319f1b9559d94a6f82945c9ca8667621a5d28920949a1da644cbdb58b84742e9d65e7f2027b99fba4dec46f642bd17e88fa109143b26ba7fe285c89add0b74a369f3d381ad633bfb4f72e1822ff96aaf9a73b3c59a6e457cf40e17c1198c64737037f52d9b3118daa3fa5cd3e3c7738e3b3743c595893289974a4aa0d6bf1446e70964823a7d5cee67b9b25b7125d9ac5d1d61f2a6947c3deec6deb575e2fc5cec60df26de3c0545e5b79156dd6af33a78552d1ee9994cc8501b7dc5fe7a22eadaf201a92e06ef03be705a8bdb4db65392d3628c7cbf44cccac292c93cb5a407a7a5a0d5ac9fd95b0033d6eb719d3f14609190dd40d5aa1b983cd4c4e278cc8a1e7d5fbb0d39060d6cdce8de6a17e2dab973a7fa594205e17edab6514372eb51e03b0ced6402fac0efd3af49fb8214a505cc9f5f0ea5308d7fe6dec369ba154",
-		"9f522375925222a04f5c95ee14b6386412025903ecad0bc3ab78afe1145136b3a3592835ab4ad6faa66be9",
-		"d1ba82b3ced3e9817642aaacedf482e79bedd0560ef2754215ee792514bbf8e6",
-		"bb21211f342379370f2642d3",
-		"1a6683805d3f478ca1c1512b9846468378f83be27393db63956e151ec408368b47334afe610249182f54c4d0a01b704db2aa90a9755b8feb67ef9301f0715d7d6bdfa5cc4497cef1142a43eeb42f7c413e8f489af30d742a706d05a40a0c4a5991f9e2cc5d9fbca6ad3767682e20c146ac35aef38dfb2a77388b738fa022158d5c802e5f0761096bb45b50815ebf09172759521b5c5d459703ebe9ff669ee4d14a86e5d0650b597f4a082ba0aef366a924ea378b91c3262d99f48189eea19c76c0f644079f8415c11033cf24d30d6c149ab13ca5c29deafdc816e457257361c1af4b915da312d2e6c7fc712faa27be3e67c893f9005a0e2c28369991c1dab22d38961d1abd6d94c4d549cf491aa1f8d522be3ffa6d214825a5fde3c94c4e35c29b8d05b2627eb12c9d94f450a85eec6bc963a279a37c2344ca36eb604c4bd11c2bf2ecc0dc16c2c365bbbcad3541bd54f8d0bdbb3ca4a087b62fc19fcc1c13984eab807d2a6a1386643d90d412d027bcd0a638765498cdbb1f4cc1b91b69bd241eab3645f225ece85a56e5008d6094041f8cca6b9a0ae3b15585de6fe0695d79d348f8619431ece40e736957a7627224fe92bbe30df5124f476d97e36b5b08b3787e8e00f0c10013068eb156f82f3494a35d6edd5f7048d1e91954f1013ede22eca8b4ba41699ee08decedde87139180a567c6d169b672af0f12aa09ce20e9cac4e78b8067d31ba4f63606c00d1d787b868cf7643fbb170f8074667c9f7584d36af80b4e6557724013618c28d0dd40bfe9d4b25761b3c99558af528c2d290d04b09821bd7f992c044dd61dde9395bd0c9ddec6d0bf6e044ddf0b4b2d6753f5acf2e9c904caa4e9f310578527b85e6738803758da646919989f735b09c9a5744e63fed2c3982e59fd29d2baeb9771316bf8d29213a4956b66c78d5654436ffdd82d0d572530fd09507b988d13fd743f35333237681f8abbb301a8ea870159f802a57760659094d0e4902036c5a62c563f1fc86c4238e1ce89f5176ecaea194ca112fbdeefbef4fa7c203678cafd34486fe58b2af04f84a1cb620c6e123bfd96301e0a5e5e5abcc95d28b852d0cee2f51faa73e42f22fc335f50de4c3812ee14038633a195083f3944284c1086c34995832c3cceb7d385b4ce86af10685c16005495121105272d1d739c584a07ec7801c3667bb280987a8aa41f9537e9d1812a5dba5b385a0b71d2e9573c6f3e9ebf0bf7267528946a6aa6f43efce908d32525cdc3b825bb11c7239f1de412704d24c17455b9382fd6a873180f0d5d44dc449320973d5cd0d4e67e83946b6ef47e5fc3dabadd80751f1421404e56b1bce748b7bde63c6975ca81f3eaf52586a55242c9745dee3f7c796d4508e818eaa4fa50490c1a79624561b98d2e1139a328806414c905372356a22393ea0da51c83957029edd8c2dfcf46d9564264d74c1c0497034ec018b1dd4c14acebc34b6d2c1a616937c37b8b4a0ee5dcdf787a0de1173798ab929b72e0fa83a6c9b9a99d8024328d9c236a8f57550a4f83e8071eac76adb55939f85f5b5f514174b670a3e8dc2b54656f6201940a81fe4953d2680ae4ec58635ba74d15efab3e06dca6ac269711ef2d4dd49f731e24a92a3b935ebbb3fe8d001cd4062669ae4baa62c2947033afcfaca227d88a11769f87456d5cd1bb6606891e71d63aff9cd5a7d23263a78768ac2ac54ece1441fd37d096cd27e916e68891137fc3cca427febd1947cfb4d7ccfad75b2ec5e809c132111eadf25a73043d68333139bd2435de9941bbc61c5c509897cfc19a21645019eaaccb6d06371e3d0570c09c7556e41a727e44d9bd672fccd1f89cc7d58761c16df8fb75fb8a1dde2caaf088f02dad91b6489114398740e6798f3ea8c7b0cfd974e160a0106d703d9589ab09aae79108e3212f19cb950ea9c0798a1532bc2a065d5900a12054395c0545b0878ac0b1d461f553dccfc2a22bf254ced88dcb538e3889549960b77ba6237ab1458e158f4f46606372e797ec9d9ecc6534acaa1218e7540eef11030bb9c3e5a7816f3b33a590d970619bdd2dc04d5c6f4ec38b7cb4d525234b836eab57f65dd045e02367eede9049e219b8712b8d6fe178080c5f77b821f1a475259ae571a5578eb3b48863162d45486f71a28ecbcedb35b320e5b6401f9e7870aa5418449bf47502626e1f42abf481b48d5a6819c640bfdb64f873d583fc4e40187940a6c3373ea7b47195270a8657898f55568985018abcea9bce1c155d95b426f91a734b2a14ec2c7ca2011a4d30019fd9b3ef63a804e9c30c3de2651c4213e90285a4ba100b31ee402e8a7f23cf9d4dba003bbf982526bc63be5af102dca34e7d362d6fbf6f56046160d7af33b364f2a86074d1c0fdd54aae89b19480efde2a9caef9de7c0f9491e1cf43a48752cef405a0ff16b0fc67bbe433a3c1b9661406c3726092efdc076febd60c436476f24dab1b0b8f8893986d951ed72282990e8b1526f4dcf539b22c01c6a7eb5577cd540a16a81296ebeeb7ddda72e60fcf2840c5b42c5cba30eaea5402f267d1d04bc80da5ef0dd2bf3c7a2be986507617c9bdbc96c6273a0c9e586a0c48c98b4552113149c6f79557fc8ace0b1a512fec3aa09ef191f95c2163113ac5cdd940f0c2120509bc53c3ea493c54703effb902ef752c830c61e85636ca95429bf16937bf6786b3eae1b277bf08dcd69f521a0078d633beb33c9aa0cb33b238e1021ca67df122a403a3698452740bdcac81d22ccfe4ab5f835d1961708d1faf6d40f115f16c6094ea37a7ff15e0534f62c19a6f4ded0967be337cdbdd2a7c58ba16ba2e4c3686e9d075c6fa7d29b2a0335ab4940d2a95c4500295f4db84ae65e46c54b7300909cc5411c725a31fd962d239aa0e2007c285586b4c778e2ac7afec42cd8409a63d7cd9c677031f43f4aaf04258dcf1270c02a4764177aa66db2d8f860eeb1fd06d0b27587537410bcb641f90aaa7bfc6f12bd143f66e7c933a0f3ce6b5048913e1b2d79eaa6c19e7255d5eabd24d5f12426339541a22d600cdfd1781a1a3894740887840aa82e5a461fc324285b0223ac9b95c3eb88160353f168b3d4ae8a2e87b7715b5fd2671f66e6eaaf9365b3d9e3acd9a749faefba6009783771177aa4dc91f72fed7a5bf6b1b7738b84ac0a07b4a5a3f0a9134a39e1e7e3e2f9a92d5644295f31c5a356092bf07c709b4c34305ebf50e857a4f593dd1cce0439d3fd125c1ede1a48f583bbbe0eec7058345129ef78868a96f8a76ba7fbfd1c5eebf75f3e0eeeb9db87474b96f321b87fffc02433513fb467fb74e2fc8feb498d51530c753e9a173e95e0edc5ba9802641a45db281b2e2d87d409057b4fb1925e834e90fa5619ae3a9237d5b104e7ac67c2bdc31001eedb4ec7064b2f72e0379bf8780f67ec4b195db014a2d130e77b1778efe3dc703f1310a566a6d3b5c9b12b1d4e25815493ed1510a516a31ced3b64ca49a783ad63ea71a57290727fa31386d2fbfe41f12d36a618c6c28d8f10405eb3e0a33e8ac2e4133ba75c688c8c9a2bb33c8fa032eaf3ea0d2c27bf89269c4aec55f8232b292e7fa9fc24527184f19187d9d8a3f52335e2feb5dc6d997b9b773a79a31db832b752e5738963ee5d61a1b426414975693f986e165e52d46cb059fdd4f48f008e96d4c1a48306b7c002fd0c861721656074cf11173ca65cbdb694c79f58a3f3365e872b24670b691682c10261eb1ffb2b65da031d070e31542f49704b77970a78bcfb4c4ca517b4c966a4e8e27664704f633e90cb7d7917dc1d3a8b8b7fcf59ea3a8a81305761923cb182cebdd59255803a14ca8a75fd007670d79a25eacda1138d67a0fd1da981529dbf182fc4d7a700ba498e4476a1d415381c9e2ffa3bd46201cf2e454c4aaedbbe3893bb4121a6de02cbecc1f319155eb8c99d1030103bb6194bee51e74fa01f28dbe16092955b9599d5c1f1c3f356e26d48fcad7c4cdf0eef25c25273dd62171785c9d2c5a01b1f3da9b4786b1b399d890e2049b73c12de2fb7177f2bc3d9c645398111ebcfd83b73119897bb994f998f4a6fae1b3d6361e171059dba0bf9de9af7a5a1b21641790baf82a36278945d649cf5d310f3792fdefe8c58986a48118fd94647b786e47733ae703701e18992bc1b143b1da6110a98030bb9895c14d7b8eae1a155a550e219a5b6301b6d26d7956ecfe4c7023eec1ff62538b3606ebc7906a1243bf8357f593b6cfff32e3fc6b51f6a0ffaecb658d526f7a5e9faa6294e4808b779f4832318cc184e49e8957b72bea0d67366e040cf76a85889fc6b04e84afab0d02947d0d83e0de19f12966fa8372f6e82ff402bd7a69195eb1a7864a3375aa9e23736fa4d4b0224647e416474c01f72b7d4af240d7f43395b5b04c8fdef1165ce1d56ee8ba0e350e6ada893e0594facbfb5f0d8829ae203929525951584c21371b86deb0f76ef5daad5e847135a6488b35ea33e3a165fea502975d6421d4567a229bf3ce94605885453610eb9c82f9ea743bee9e14776bc3076a29af268cc72d9092a492d9ff08c345dc2eb2f8003b561d9912ae1198c58107f8b37a08b35075af9863110e6770425e9d59c2dfff9d9942c8bc3bf7904c2a952bcd573706caf1ee14420564ffc433c0f5871c4bda916f2530ac75819ade49fa1de21edacbbf6b7075dba21a84989411c566b7c356b81803c7215ab0f326a6b8910dbc62c1bee3af51f105fcdebc0dbc56a50b22cf81eda563bf8c2eff98b476e8",
-	},
-	{
-		"99444e82c6c4c47070b164f298ffdf6955ee5bcb3070b9aa95ce658db4db084d2056cfe61a93568b44ba7ddcba5d450f4ba0da7b119425a6628b3416663c638692326cacc5c237097db5e537122b465dcb21d8dcb5fe831789b72deff3907685c2e23187a56990221e755930a09f8d6cc065487563cb8cec82b9dc754952fa0b342c92d99522fbb39854e338f470a4b4d5ed2a39b8b6253b7001b0b953abc588d757616c7a5d1f12b1024aa572ef5a47dc8480943aa6cfaaa78064fb2b29830280e46efa418d0cf38f57980146f2482276c9b6b16f865b1606bf1131e894336979a163ba2e70adbdc746be0d38062fafcfe5603e6bbb55717b66a263fbd5cc7476302ea4a0dc6167221f745a26a309f5886934f4258965a0ef0803eaddd05e54008df8a0695a078b797be59f1eef95a658c99a7d52001d4108212ce5f18a39f1173291808c980b0513f1a531e03ad7380372b65572d3967af4c25fe54d99d664cb67e557fff05c12e10143c13b1bfa3e8db093ff832a7978ecd85d3971349e3c9b83939b73f0ad55f1f1162d0c106b99c0ff98442911bc15e9194f5b4ded97e9702b84e31b31380c224f392e5fa5c720a45f64cd7020e25a3931b5871e4c708e77f4729225aa9f48f9d876597d3e79219dddee0efdd16836021dbd21692dafe121217347cc128fc5eb051e6843978ae17478ef714957a84c74656ddd931cbeb43e32fb0a448acf2f90ee98d38522b4fa9aa36be4fa13306e799d4c0cb90ac0f73cbc018146d1b0d6bf48aa446a5e3e0502aae9fcbd196b36b6b7426fc10367febf687f05392fdcf878863de2e47be7e625d0e3e3e94e199f055c0fc65f76c41ede43231873ff10eb854dcd6ac9b550ee8533d16f81eb0e86471d4da69311c47255e78ac8e79ab36ce880d6b135279fbb5a712adc5c3862a356af49e9c10d5b16f4e5dedb80914868111e194745b802a0292c7c8564de28ba8e71a44f7eff6573e5434e65d496cde5b5e62cfa9e2e9ac85a164dbff5767983e71dd2661d37d9027a27674ebe3433731a606db88e0880e91ecea8134421962b3f68915c9f6a5e1992c56750f99bc313fb30cb89384c72571a1a6a5e3c01897b691bd70985352217fa8a67f3252a06205bd1a9931d1cea3736559572561fedbf3ac4c8bff9ebd7f3753ee69a69ecbac4be6357db7f4213b697a828edc716ac01da75c1d46098c7d5d6ae6f3f9a2903588c5b340c9d47c234efea21b700cdb8db4279afa2117677e824e627bf0f2b179c864ba823926a57825478395545f130886bdf2a7c55a2647a888c3998b750343d9cdc602e46b7b09a2fe9ef74db1ffc46fe27c254c927ce51b307e96a571da7f3f907223fbed2daedbcc96197e95edde7859f3b4ec6099f791089e368a68a5ba0917ddf4f50b93c0c839ea36cfc8053811f8fcfe6986e5fa9f743119ecd6c3e5fea1dae3ad7eb465a89e9c68569190688a8d56e4143ceea3b11fbd9de67173d5134ec8b0bd7d16560ba2be52345ebacedc01a2e03e8183ef91317d87b2e15cc6301586ed829d438e4ff1d074408b332c8ce60ccb6790ab08c228807509dd4b39f2c227755f6b039f5cd413ad6f46c9ec2cc6a79457529d297b1d9e74ead9bedd9bd652fb31568a8e2a9e2b89e4e57601bc1d960360232cdb30cb502b950ef930d54c2c0692a684cd44b0472995bd2b41dac1553ae47216253d6640d2653a033a862f3118c5b5d60a662d240bda5f4da51092eff514f61a425c5b14b19517ec1b371d240cc30a0739273b34f18a72a69b1586802a7caa6cc8f5817a8a995695d063c9dd26c3d45feb0f84dc8a0773151cf9a537664f942f351599cfbee0558f441f5c7ad320cabe305f9aba570ddf6407749b6db42f9ce94526a8f4170e735b1dcfc5f0e090af10e039db3747aa9b4f1f26acc34639ac8b60557f7753e2c261a29852932901a4093b7f307319cbb228e26eec289898b3f8ee236032163293b8caf64be3f7ffed236f1da688d958a1bbb79dd45026884904bbb936c1ebca7aa6b0c68aa8b667dc1575729e4ecb4ffa82ddced2f4571bf902c52fc4a0ea3f47aaf5c243ac2a1fc19f825fde5d9fc8d06d97a351eebf4ae1846aa62554d57cffdb3f3377695338f8d598d723289ff3962796e8065632e7da9d8dffe2636cd23eac15a60568eefe3e77c561906555268cfc1e9342417b1cdf090cc16c79939b15a9311b0210094087dea22833f74eb0e35d44259ecf327dc84f3f24b8c2bfce7be0d97e00d2be88a150a0d557ff963b4cda60eb99935951d288768b4b2649b717133517f5e3909744417c9c3102c77ddd285976cba2c89e2b4f297665632d7c8652847c4625038a6670169772de0550066ec6c2018f503cce79a333ecc0a0632334df6959d2e3b052fa47c5c84d15ceabdc80bd6be0ea2a5a8d5e374e0e9a613369ca8d4cae3d9f98755560b27b2f6e47b01ba390f5ddeb732c22b12abd225e26ecdb639b08f3237e488430b3b39f0b63aaaef4907cd003a8f2b4c3bfd721d6c3fd3a5f062d72746606a529ba34251ddec4026f40d262e9d527ad84fecf5bb2cc8601c2a38437098aec2335104842ff1c455e5d17c136ece8d461d7a3bd9a60339c22d71059e09b3603c0565c0345684893b56054ec4d3db0bf15546cafb4a03bd7775c3157e7676bb7bdb7baf3100396c563eba1a12952503eb6ccde6b6d0a42d456743c4ddb97f5994fa08c5fa41315080eb6b928090956bfc6252b232f6e0785d233c3adcbb9370b59c35b0dd66005d516befd1fc843df8e68fab19858b91e2aecd1c8a88b0fa3d4c2fed2995ee87e65976b755fbf44ee183f9fa08848bea325807bce0b7b61e03e50b2c7af9b360532a17a8250cf6068fef0198738c82a5e58961c54017e343fcef7076e823d63b4deee472fada7989ca7a213d06a4e3eb2d44b16e5c94b1588321cf6c45a5a792938b058d667e1730f8386dfedc50ea0a959b78f12f2949b34b181f90bec622515227dfb8a5f6e89d2e559c0ba686153b218d2c50b67503018e22914ce9b49d3bdb7cf38172db1ea130baacd640c111614e3db204b3b50641d8978dc14b2afc27a7efa819cac6bafa8166d1c127e2237520d57ad38a80146217a12363cb1f8a720e328cd8f846d379ada43bd4865e4aa633c479bd448d205b2e43befa63486c717af84a733f1dececc127c047850aeeb8ce677612f5966e23d92c1d3c758aaeef82f862c1154fadd6766e1dfc780bb447732a5968c0c78b9af4a9d669338458b57cbb77910a24678092857c0b903152035bab6b1c73f7b667a08cd0d31128888de3ff1fed24866eb60beac19c1b139f77bf0b9332024999a2d56975e691fd7475fd93622119d0d725bb99c1d6ac604d6b6be09d6d29360fff9f84e5318259a67fec08a006d9772b9410ec6abd4cb828b898c625c2fc35c19cb9a6cd3b0073baec7b5af254d21de8e209539f560bc80ea38e33658a68262622cdf35dcd6618b9e272ac3644c91f27d372c6297d8e37201c6a86a7d3accdf579c15246276a0009ddac4021755f4848d10f714e9da86eba13f461e6a12edb1aef2d6117986120750d609682bfdfcb90ee3cde8be54d45f841a6dee2d5b9fdc4e65edb7ebffcf3cc5c8a4e1c6919ac57568be23bd8283319ce11fca3caf968b057432f163f22e29cac30b8154a646ca0ef4fdbc7770ee1451fdde9e9d651992d94c843d4eb2570975528ad9f8c193f7c681a43df28242547010e30d75fca04f39247c77d6c3715c25fc261ecdba16844bbab23e4d0482bd1565ca9b526ada9b8f5703661a84b23070d85f3e8265b2ce10750c5d798f1a8ef4d51a473ff4d2bf4be615566ac796db9fe61a224bcce05c31ecb9ab7bc43a609944a7c9398a7875609ddbcb556296f548a117847df7d0afe48a5b504e85b0d7ca589103d3197933a744fefca795e1e036f964a4f14554d5cfa0261e25d6e5e02f86e402906d3637a2352459cb1639f20faea6f0e3fbc6a39becb1b1b3a791e32e85e5bee31be685410adf0c11190e20b7a5119b90e83f2cc4f0de8898606bb6e64165c95d4c5eae472daa6836a888ee4d9a79de72b8fb47a9c9c0323a2be9106d4ee9ba8b3858c256032a9caba37af94df4c7b0adc2f8478cb879b6d452d73191b0fc1ce944df3f4809cbf3ad46eceb3ba4abd9679410f45c8aab20dd72626f235e7c0c934b4beb4507def24ebbdd7a507943c81d54bc69df578aacd9ed0bfd3b7809dec345ba084d88fa9c34d80685415a4d5eaef9b88e51432b2b2037186baf123a6257e47aa56d6531923d38178e8264dd315e95bfafd8dacaf901e354b0f58f135d638df2c0f32453205c7aaeeedf8c102e11cfddea9a98d3ac7c385d71b760cf2afeb1ebe1d64f0222b9b101893d11a74ed175297c1dfd188a2565fbecc6bb07b56ce3973322a965dc5a675587890cc65a71efc68fdcdf1a023505ef0bc0e6b12dca5860fcf1c6c94c2e2ec3a72b8a019d69c82d36a73738dc3d17d7fdfe992bc8e18cb5d3437f1f619dd318b95d1a56b6d273ed79ab2655d83e2dd63cb6f1f5987eab6bb21a7b13b84e2c619b36b842192c3f82c755d8af840675b0bd67a655d641b1886c3c9c147ac87615ff3e58085a879b21dd63c1616a3712279ec87d650a2eed665b797ad631f0ec312f343979cbc49b99385cfa92841cba12d52777df565545a1deb07800a15431c0987b4a543fd5ed6832e80ab6f4b4d9c9ec419932a6ded4759f5c7630a0b80139234b8d53117acb4452c60b477ad50157169a89bd796e2308baa9395b513a94747611c7978c82dbdf48d716c3ac181ac2b2a4702c02a324bd4c5e089d989d020ebec9963b5c721a95492158f54973b7fc1828181acb3cc8078ac095136d97221c60b847bd2a52427383ab68cd1f10b92738c13203fdfa0b78baa09c1837be2498667c459",
-		"0ce980442336d0f427db869a6799baa6785b5e030567c588e2a7d2680e96c11b7f415fa27730969e0b1c3973b5f3192d4e773153def6dcc09dae29ac44eac7c42c2666a356fd4262197bd5cf6eeefcbd662d104423ec05c19a2e6ddf1834a3445a09e8b1062a1320a5e8ef13d6ebd03c19e1813ccd86fd68b46a",
-		"1ac8a509db7bf4acb80d8d394a5abf47c273b2093f50f35049e749f3e16cb0fb",
-		"47cc9eea11f9f3f9aafa23bd",
-		"088888333340b3a057b05491fb2402301c8654948aa6d5ee1ec75eb045858c22056fef0873d6675f897126052923a47a30675b266ffb6181cbd29ce2da3720e36a227e4c6e53328d789913c0d9cd149a6e49293996b1be7d6c513b24d876445a950e723ade3efc36907c840b9b8cfdb1503811b4044d931a0009b381fd60a5bf1e73d16348cb57eea672709875fb9d56908dbc729d5d7d322a17a41d0f62c9af9a013ab1e19fb7b6c6e7fa0c0b18bec5e3d3e92546c77e3753193389e5fcdb6a6a1896cba461343e71ef7a156b136b27ae6f45be9368301cfade203e9b53824d70f07de9abfea1968b8ff8489b9804422ba05ac3c3adf23ba0848817fa51febab5e9b5500100310479e710b663f064c1ef101c9a5320367cd8bc6e52081a32f070e7d3fd6f4210cdffdb9fcab1de4af5b06a7c6d191dcc12b25b3053e58952bfd1f723afbf570796946c1df9579ad14ea9c8c30389c1de4d1e845c764fec5eb8faaf4c558c5eb5113018c6a21ef653ac7d7f5b6c7e1a8fd48c6f423e9913436202da176a86731287db7331db055508acc94168888040ee37b3c119c8a0d88360241d68745825fe480324a944d56e7cd0375d4d33a5fe7a3863c2aaa899b2d24f65b70bd804039116fe959c32442c9f0b5470463523eb4336985b71125fe5235cbca0c88a6f92416d038e144de5ff8ef6ca749a9e239f02db505bff8e16fad1cba8b1500445f067a674142b6413e9dc0f432242d8301879bfc11fa86d1ac9992ab12319fea8b703e10a13bfd4b017496222be26b56af3ef67610f904f0ca8a3e7cc249ca8122735a542b289f13922904ff23dd197f8883c7ac77150d7331316ef94e0cf13b6ad95070420513599100b0a6d117640b781c622ed7ef7ead29476b3c835bd9dbda2203930bcee7ac01c3b9c89da405ee436ee652ddcc3e96c7f1a94e200eec9a4a226f3cf7ae5725068916e73b61149497d11dd85157f895669f51978d1bea8fd2afabb18d082365daba2682ef623109988b7d0e27ae57bc14d86603f93b5ac040ae52d8db404ee27e6c34cd4246f40eccf9d3f8637a4615a4006918b01d34709bcbebd02ea72958d54db3e87d69e6d783de2f1841029d6975eb11f9b076c247108797d5368c656f888092b82aa81aa26e164e038b359bd68801c22fc107e4083a9d85fc254b002ece9d4545310b0cb22ec1af04a7ee31d210ede4b605dbdbcb70e4301989422ef46edf63f9c96de9cb3f70638b51df5c0abe79b7af8cd97148f2b7bf394bea0f7bbbf6925f83b901b87a6079f2c3b38a98fe1a86dc7f48bf97553701834f557451df4b41e7db984a34432823585380b45c1b84813d6aa21107cae252923fb4673cf660a541e65610ac0127d238285f53bf329b62169f3e42d5efe268dea62578e97da59a58a1314a1bd46cf7a7cae772814130b51411082e30062fdbda1c9e14d6b2bfff89d0379d32461f3b8e833b105f6a89532ae748b5fb43f283fc86450404e8befb8442b65e338aa0408303a70e9c27a1d923d9f2a06e7c6159c50bf2e3ba5b035420ecbd9d0b5fae478eb1ab72fa714f99d00188bb10e60380fa3a3a318c2d359ea3805c2fa0dde17ee52a504f70d6b466bd38d1dd4196be336a9ab4a9e573d1bc6404018a119f688c1dc2a8ed1433e8a8ebf455ce3808c245f0220f0c12d28c771757763bd111ab829294e2429a6f7a59858dfa1fe0b806e986d40aaff934589fefd75ab91097a979f26bc9352267efb2d82c4738e4e6c451b0d5adc398f546c646b9e6b8fc84e91651a1252d5b805a857c7798d102d1e6f90749252bc53588348ecec0897c79f514442fe3b27608c95d0cba999a7e0fbd7f601689b4dc63ecb9ff553ff12eca3e9b26e3eccbde28770bb6aff7c864ad6be77fc09f81f90df6efd0c4025d0916ab5197ab846dfe6121c462761d9cc87112ebbca197b0a222fd34a15b824b7eda06a56a6ffda760fae5f0b527e2798f01e205a3f47947a4bd190f6abfb1dab2e3a53131af95d593bb57e4f4af506440cf20636d9fccc449d9565bf43dec8b6877337ca5a43900c1dc600c877b290342914e909aad8c5f0755bc25652781535c057ed5ab2ff8ad4322a8edf3fc1b5311dae6361a7395919725f4cd87ce0ccba37c64eb3618f9c5a53644ada569b90cd07184fc048f1b589eb29852909e75e7116ef96a268ea85c2bd257cefdde9222d7eda875a2a3abcd3a02a1fb470ba967b20beb54914b8b0c6ed464ba978088d7f8b30d098966b0bde82a8f1210f5d0c3405c9bc73f703134d0b6ee13326f65fa0b8154f4e30808997d4afbd060285942ca1dededc3410a099881492b5730ab7bdc2a4cfd0068f67766d60b5d4945f121459d2083334ac878d067bef644b9ee427bbbd6c9351d7b019bfc051c05ac301ff3792a1c687546dbf6a07a0cf56717374bfa1191c22b7753f6ae02392f8aac9207d1ad0fcd57c5c8b35817574b7dd90a00cab75f508f8a234eabce6618305f94746cb6a8573389d336bb67e1b0d2b6e9bd3959ef344e1eb245b522c35222813b8c6e82df48987436b5592025e9786ca63b6d1a064223bfacf59ada713c2a3116611393aa8446ea79b3cb21e96d13b659ada2d6524686fd46ec66c1b4d8f5ae7831840c9e3db64d528f83a1cef1e0a586a783f8306cb261ed9c2905493e74d35883fcb39cfc5745c282104cc3ce804999231d13e1bc6f2c022f05999fb57575bbdaf00d7a990e17dd2f8b9dfe66a637b42f58ee49ba60f2dd9718d09d7025b6061b2087bc35f0a8c884f5b67a5e18c2b4e857d3b48b79dc7cab6b72f572d22987566238a7153ed6264578424f1ce091fd05b7f14563fe12c76104d3373367af3ed3aca694a21127b5912c0b7eb1ddf9d4a9f03f660d49f7a7f0fb42797fd112414c3eba2b75a04282dcb9645191fd3dbe376e7f60ab40bb7ca1e991053a1912854a68d7dcf854201d1f2c26c6cfaea32e29d80847e6288274713d2ca973b91dab97884326b280c6f06c65b8fd25d314be29139961051a1d8699467d02b67991baabc9b05629660c243ca3b0477362d5e6bf9eaa33beeb52cf399846c77fcae11a89cbfdb2058e443ddd44fe202a3ba5c2efce937d78b9639781b8b2b99077b433189cf3b0733ed73b59bb194c9a98c5aa0cba6e71d1c5522f193defb9e31fd2cd60f22bedaf7008c2fb0b55a8dd52731dfa2bc69b40f835ae95db040cda6a4a1588a5ba4769edfeb7369c1e9a3b1cda293255b4942881d94d771b7b82460004875e71be64c582f2830c5e80dd6de421a311c5852f4912bea1451b0328d01c7029867cf9af99284cdfc1e1f0aa0d8c19ba9bc035dc270b45724247137da5d3fc4daa09e7014fe1439889968eb23fe124f067825d5f7b304f17a983580e009e0e51630ea0006dbc74a30b512cd9eb4d0b315a0ffdbfb581609ea9661b0007cd234ce43c17c92269a7519bfe99c2ca94b5cd3e7654946e67b37d4270a369266db6804336a446022677a024d44cc02cb04108292dc12f790578a0d61cb6fada738902eed3afdf1850bafcb279f18b5798d7466752c6368a594533baff5dbd17974638ecc41753b184845206c79bbab84dfef148eb7f1390f8cb7346a14c88caf540c241cad11ce8869be3bec85d029ef490fc5edacf94fa962be39a33c8efefcbb6b43960d5bc35f8fb72038af3801466aed141b50e9ac7dcf1921f7a6abaf320ff02ac34bbfac265e05e27495e6e027e673a48a874e6f0c33827a050fa21c2efa789c1e3df2ecda95fc52ca7be35dbf17ff6c73f37cb236e5131542e002913d177ffb21ac450e2542e24b894650007c36c52d90f83731009a7c3239ccf11829cf0fb6510d9924e927f14d6a06f8dc772fc9b028a8bbd2d3388985f3e2609abbd08434c46642b97240c9380a831bbafdc5db77be63a1400cc9a4f7362a689b07a77162022c6ba7a1bb9f0446a0b6b460ebdd9111132694fa5f1b29da39be66c5179849ae9720b2da0a012d4bdfd1b18b8fbef0d5c32b92c351dcf2c599f069c3b53f622fc8e904f27584b2d97d43f779abcde6dc1413c0a677dd187b28cfbcf7fa6316f0967b53977432d45944ce8ebd2e265c0bf6b2870c75ae808fed52aa35421ef55667ecd6f9d279c9b91c9314bd9411bce267d6ad52b1d910b3e65147c3eb6021a0af98707408e66bb11ca5abf5e34b2bc85b144fd06ea56f5d7f8939fe0cfa4862e7f306de069cf85f4aa7aa97c6848594f5a6dbcc718d2af77497f4b9d5ffa217fc301127071e9bc9c2c9222ba90e286506e384f321e622f05d81c114953d0f7e9626b74f4a6bea8cfb86ceb4575e5cf4fb84e9efac8291d1f4153ad3cd9a34ce0ffcfbe30b6829c0f986a4f85d63b602ab99ff3934b1e0c46e55d56eb479b79ca0729beb59aed783e9a3ccd55db8d884733dbd93f9fd7a7209fb92fcc49826b2d4356ca676f01b0981637897b3d2f90f37bfd73b214a398a8e4e2f9e5abec01d8192ca690191255dd8304a2d95a69331288bce00385f462e942f4d694dc3560a263c8ac2b5cd1d2c63b90ec67c32eaf5bd947bd8ac730da9c09ebc6888b0b4f3bead157aa9d31c2802df8ff0e4d69b7abfed6f184bf35a16ffb5677ddfc4682322128932d57fe4c32f21e190e1147d8e673ae407b1dbbca31331310b299e9f3db08ebfd2dad3158562c2e47addcbcc831cef0194ac8ba9778d0103c2955c886d439967bf788eae688f2a7459b0ef3bd16808e8d768b8962a24588d918ceb2cd1cd611b504019f65216beca212f44600cb7fac77216b7645c49f18064a3acdc01399315084dc9ea151ee28534fb31628d190bc540ac6b6aba572ba51aee89544015e6fbca2b3c2330f2ac1f68849e99e1a1f7f523599eaee22720392ea52259e26f1101614d4edae481b3783af4e99082d75dcca549049290731bbadd1ec0a93789ad5c9afe8bae44e35b3e59e562362964",
-	},
-	{
-		"0410d1f8bc890649c250a3819766f4496f339a6384e34acdd72b3a87266edd2a7eae223a372883f978277a108d6e59fca1f35f25d7a9f3aed42d35fa9b12241ac04754f76fd8f0e8ff6af88cd851887a45e89f1c9192ca66bfff605b128575d2ccc9ca3ba1ba23a0251b2cfd6db577b29d17ce2ea998946997f5c4a97a397c46024681a400a54425c071232d269adfc3b1adf15b4586c4dd7b8886f5c1023bc348bc674961ac6e221d914f432c2f06dddcf738227dfcfff88485ed45882809d0e57019461c88683919b87c45e78223c37a5be5f758e4f0dc6add22f2062bc2eb9bdc31b8649af17d526ec339f0e6fc6a41e26299c65276302f982235c3e5205ec1521625ec08a23e766577664b73d18d5533261c859c4cb4346feaf7540a56155c6c3a4874dc86ea42fd518d71221ac65541e2dadd2f8e129e7809f2835f07dfcc4128401dae2b5fac7ced1d9e07e3f348c6cd26f55b3893d4418557a18c366dcd5eadea0dd84ab95437d6f23eb9e5877fb2ad740ee507e2268c39c7186f34e5cee2d0dbba1a940f516a018f23e716a399c317a7a81f89cfabc296c432cba900ad79db67936f76e4d97874fc5f8a9ff84eb7a0f6d629c581ec5c451e27ef1ed468f93bfc68b2e0412a543d89dfdd812d9421236a4be9eb374531556c207340886c7b84d42d651557b952e0982f62c5c383e92dced21905174a5a836acdc3f2393e770d6cdc22c39575a42ea406f36889dc9558aeae5dc5f8b84862850b55bf4accccb6a8ef793d641d6b08235f70ad3b0605eab462afad1af80fa003645f4d302b03d81a7d167e9a8187bee0f76b1cfd7006b2d2b55fedad6e8db1d3ecfe031702dc327ff2b0197337d7542f42702cb276de852b3d72d9acff8a7feb8882028a5e340950e523c41cfa184b3d8878effe56742994e60240e58cbfd01541d39fa007a9f0ecccb409c6cc540354ccf35223677cb74e7ef7330bb60420f7d7bf97de6888cb343cd4fb0928fe5df5f1b018592ccfa7aac6dab57cded573b5950b94fd935f32cf332dd85b2b36501de6687612371dbcfdf77279d647ed8bdcf81fda8b7e0c5ab139330d64695d814fc6f761fd141dfb0c8f74e2d7616db3598d8de40b993fbdd272ca37db27b82aedb08bebc4a8e6d0385ab20fbc20c215ad50fab8e93975bcab3ff38667abb0545b3b3f20e325f01b80a32a3cc3ed51703d4b2826849ee22fddd5b544816599dca0d8fc84feed9f7e90caba53b70bc3f457eb1adb89fd0b67d2c0ab53264430c61d2c4a1b19ea99a9b453fc6b5ebf5fb5ab799134769c9b495c479c828bcc49a8f993c3127d5cbc31afb89c0e78fbc323755457ebf0f3344d3ad1cfc59d186e96ac31a9298e655b3d1df74b95f30fb868631053540388a13d597002f689708d35a2365e309bb96db8b1b94ea4c8060c2b165f7f19e72056409159371ac9c44f6bfaad9b9567094d18c29bbc8aa2c8b5b82735d20f55284fe68186004b4a4fb644fd52d9645b277c1dc238a764005c1d2791ef36e71786cd990ccee4571d9a9b1aec757e479cfa645e320bc33268e05af9cf90e0e616ae7f237c637a99fe15b4ea8a3232262d96855fa248920a28ec03f77ce4dd93925db60ec030a7be455ba9d08edbf6bb717b1a13c3ac1deb9821e21505c0a8971d5ea5dd8e4c9cd3a845a336209af191150ba5d9b8c2c450e3a765e8670d7f846b2461f971fdcd1942704f620a40f4204b99f9035bbd543f64b927cbc7a74f32cbb12c3caef955f169a45374e4479430e08d333c4a877baf41a27a0849ca3a157b6651295fa71ac94b6e3d30b5d160965e93d2a81b4d575cefd264399c9e4e17059f4064465b2d92c96ac27e3b221499b5e642d033992c236b905c072faa1e34495f9890bac6228330e4016c061605bbfc478c30e1b8534c49af54785972aca2d144328b0a540e3b3810a73e26acfa22f48652d53ea521875475ffade8ab50b9f08245fad753350f63dc4e898948ac7dcefe520ca47394f8e993a6d13ff68a2f78cf294f235f5f863bad10c4f5bc41c3ba93cf5e076357f0f7fdc136f34b656b1b8ebb3eed1ac429c7d4edbc902f7f4bc24ea9c9b200b9a9fd7adff0c6445ce1d2171fc031e3e9f8b8d6b448053393c8813d91333d4bdc3bc5bb2b8bff876cd29e8b92cf6f7bc727517b6f57ae031f3040b0637dfb40b8c1fbe44cfb6bb9cd0a445fd9b3daa1da2b1c4a82cb4da1fb8d525e0a4d9ec30e9aa75b951214621c58c1f60c9b97e6c6b330497e7dea790a3cd8158a76d898107ff3a5910707ae60c8a46c633b522aee83736d005de60b9abe202435f8bc4577b0eb08b7f2b617bb5a831e95d6488459bbf15919d764b39684d7cb7c9310f343fbfcfbeeb212a90d96c7a26c1026c5cb171ee4ef839785076e5084026077455c73404a2653f333e9bad555cafc1a9613387a02bb1287c380d7478238bec8943208de585bd18b448b6099565cb3ec70ec6672a778fa6af9d1b17b0970439da24c7bfaa74c85ecd8e5852e42391ab2258024ccf91e37f2f0e86df958b197fafd12f4a45f7990375f1665a14f7f5374ff7740f89677ea8660587fb80916b30629a7aa88213bbf80512421a0a37414a2eb549b81cc85072cdd87e4e69d97ecc63f974e60d20de0233101c3d475d777602b12e2f797e9237570085b0e9f48d4dedf233eb1301ed4621f9736946eadf599bfd79157c0b4cc31bc273f5c6f133a4e3679ff6797d3c9b76aff4bd8ad40726c1703c3d8b78f0974b748d0265b0a75928374f91b48c2d2b2c11d8b6e5efddb75009e4db72e562be59efb0bfa06808c89f585a43d4776ef08947a77f277526777f0b52f1e0b5a03aa560fa45c8f30e584b58ac1fc00b104942b7b86a3cdee1abea349dcaea4e058faeffc567e2c3b03e1c5c4ddc675e25aa15de1442bcf5ee972a8c5204ca5794694759c13a2d716839dda61635043bdf1a09e35cb6d93b4df3b7a00871f79cdb4ee69c79041dd14deb7754107b8fef8589d2d240ac1d8eafc52ea847263512651bbede2fccaf6da816b1b892319817bb6af9fc17078ab6cca95f03cf8426249fd4f2bf91921d39b8cee24af07a52bbe54ca7fc4422a310dbf2149b763ac0060fb2c59154d2cb0da1ad4892279b4e0ce7f5f92c189c3ce48e518ff48c4ffa9bf2b02d4792f84534958dc6bd2914ba010aa32d133f6a07bdbb87a237c7acc3ba5cf101efe947147ed4eb3bfdffe5fefa991c0dc8760586218d286944c52d0f221e0101f74826761d01a20af187f9ec1115e9e98bff6fbd7c8816c15d33c07f51c171490997bf269951218ae92b66fa3150d3bd40336abccb717e18b53e8806fff94009910f202a5041b5396d1c339e6d075bad4ab66a0637d81eed1696e4068024001123204b8371f0bcdf0ce07d79f7c917327f7138a75947846fde68665e9c767fbf96bb3308abffe7a8d05512c81e39fa8dab2334f46ab9543921ca97be31076dc7b2a0d05e90b7f7610d1a391b442398ef56cde3b18737faa8f282572389b4fb3c55cb8ae6737257708c808bc0a414bffae293bc69cba702ce2959e1a30edcdf64985a4b0bcc927c5912f819c71cc9b1ff5d6e5929055be72ea5c8c1a4a591093deb5449b7e6b60109be1ac0cae472ba31e1035ae65f3214f50ad699a077a2de52f7180addde0bd78c2698470b1af13cfbf497d243c9e738c4cdc265356543885c5b933a299f01a5b5a9ecb0b4ddfda0c28573064f6a3f142801795d66bcd5c31868fd3207fee7bd98c47e4da26bee64e1617b20cbaa34e3abbe31126b06d5737fc2b577b19d255a519397f3ff8668d0e7d401a37e368729e4b83c5fbf01c32ec478967605cbc0675f685b5eeeb42fc688216a0667e1204c995c9c485e6f7712d80d88edc9594528b1907790549756dcc8b0d32091f36d2b4009639e68daa130e83a1ea18353ca34f431c548d91c1591ccf8b25eec1f7a3c18ddca71b87bb290a5c13229250c5e193e1352072f6798ec504b3b4c6aa578737332f52baea7bc4468fe6d8dfabb9728cee93fee50c8caa113f5ed7e9b55e21e98d73a377ef68be7e4e965dfa50cf863e6285236f11ce80512c573ae2b55bcb43cf6ebabed6783c250f991f5f68a59dcb2ac13a3c8fba8dbb11c79dc6236809f2d7c4b0ad3cecd24b85f1aaed9748b8c109f2fd98ac8a53bd52f18475598d67305117de8e03b0d988a2847539cc2efad520f86dcd82c08ad4b10e490b9cb03bedc7197bcaca55526cd9c8a5a5f69f7a1697e7e31aa76eee597c386418e89f06b0b9817a83d6cdefaf9594548b33cea1cbb585e55df3d3b66f0b1a88f4b98ea4720f1ef5e6ebe4958078ea0bacb8ad776e325ccb252f81943b9b1c2f54aad3c7baf1bca0dda1355d191f69c5d8163c464898116dc89201032d1e3281c8054882f60522d3a65831bf779a854fb0c195f85aa66522386625658457e74d5c2fcf5234f226da4a579ac1f11f11a1e0a6993a4dfe5c856481ebe9d8d2363401058736f7ad104104aa03f5c91496aaba2fe4072d418d91c2787a9b4ab0cf4bb65681ad0392ef073cf2fc060692b0c0c194c8eed5558098cdfa3317ab02626159e40e5c76fd64b2ef60b8f5f368b6b4fd7ea3d2d3236aa01d9db7c8a01929f9fd38557335b926251ade1a0d47d0c1444e6416218781c1a51e786dbe9297b78fcf0d0304c62929e00744ed4e14af926313a9849b2a464048bead075044bee013cbe318920c4172138560629a0ff4fd229d81bdc7c7fd1086ab17d6efd5b603a1991b33a55ca5b9e2051b7c140f7937adfaf474c2f284489d9b1e8c71d58f126eaa451407eacde9f0e86504f7de3ba4d830199a229de2bf39014baad6dbbc448501588ceb2575db0ddae005b81ba9914bc22b6d600e2c990f7843e553ff29d8008265eba7dac7b5b5a7ba6dc263fe0e262a7b8638a81f4720622c7361554b61d7b04c7f8b133440baeead7d51ac8b77d606fd0eae1c55ce7e8141dfd68d40ae3d8d2dc8a061085b4fb6d8a06263183869154618329be6b01c2890f2b5d0a0f25dcdbbfe2ec3597d79311edb943613fd4b59157df4fc2e1024be03d98ea3cbec7186ea9f4a431dc3743b9f0871b205bc0c1b3a001768",
-		"113b261414b4b7dfa028668ac8b0cde5734120124991c54f4dd16a87d181efe2bc15f6d0caaeaf6ad615f59ec5c2833904a34b4d34109c82e10609b387f995430e8c13d83ac34310d838af9efa32d7fed6224c0a33",
-		"cd762390b93369f1e207eb15deeaeb0036f5331e82480d180f84a76c3e44550b",
-		"e88c14ef96c7768f5dba9de9",
-		"8d6aaa27892a76fb05a2e96cef9a9b4b7ae0670a12cff95f7b076372456889fbd3b9b4fb5fd98b3bd85b247f15009be2f4e7a0329dd118b6872199b314e159618ede0381dd97db28743461ace1a694c0383d8458150a501d6c45f4b50d5b1bd47e61a51f9ed4929bf2e564f201ed0e6825170027d93e482c1ce268459d2f81cab41f0e7ff281430c16b34a29b5c76630dba72ab9e751bae41122b26121d91f2af271a23e818263f46e05fdd52f319d58330bcabf66637a368c0a8aeeb20cad1916d966e5e0b0de74cc67ebe57e3d1fe01e9743d42a931cb4b98bb762ea43ab937d1e5c42eb08fd56e70e911bdcc1ca4ca0604a329c5364b262ce2de282b4732ea657b89300cc7b7127ba4a2d08c13f581f024fd093ac09c2bc245be60c80e102405597fa8082f4d28cc954a93217edffaba3d2a397bb59ee89c8cc0f33eded78f21183bd1acdce64a923dd609a0620d2911f61e81fb2c8ccad8ad9d81157223253a121ea2bc60d6a3670c563fe06bd75688572b3be83cd31dfeac6b17cf8455267b481219c42034b2252977f32b8e6588fb05166498fa37d17c2b002a655b5711bbc21175348225fdcca041b1f97fae48fb1e222c5bb46b5202191c00666b7e1b2d84aca3edbee7a97dc0f6d1330e929226f8a76c155e973c1ab62c867e1f87be37788754e51825ba31af9f4722b5782ef782fbb70c391a664f252d14e49a805e94790135ff6bd881a687f98b42da96fd34bf240eae4914488af739ec15f13f048a7eb5fa94af14e8b6ac5fae714cbef6268b114813ca2a3920a7a9d5eb506a2ca211758de292047eefdb5a97e18530dcd8410495fc42abed91b1204d9b8ba9d6aed11d2d0fa0d931d46f93f2c1a560ef9f5f7cee1497be770d3cb07c534215cec12c1458bb57aab4d95cf4a15a5e3a3bf8e650206d5cac4af3193d169f1a57638d9a50f6b7c6985d42f7138b9226451670d7359351c2affbca65680557693d03458341198b8e13d0ea6abb7496edea3cd4dee2eb93695e668c7c0901c6809b8ef434e88b85a8b22cab6508b9560fae62900056b7c5c29a8c899bed45a2b5159a1d4929476ef350101317f77f02d48a039cf4cf01c56319cbba16fe908c49ed6f3face88867c0ad3703452baa7b86fe58a00ab8f740b4e8055164b0385dd3fa44502ffbb99cdd843bc3287ea468aafe4cc298a3fc180f284dbf78aa09e0a2f7d8593356eab016ad8dc505420edd376b66598a3d0aaa848fd68c4e07419b8b50e40febe2b6b17ad07726fae1f87e86abd01490a0ce24fb57b533c765504ee0a9ca154187bcf5e6828e3addc7597532643cfd992558d63b1acd00e7aa41b9765094217480c08c43f4f0b3f0127120699b7f2a5ac07c655b6143e467777cdad4bc21d4b57da4d8f9b9a7e4523d8c6fba3614b7f7281e80ff0f9004577adcff1b79fe443c80ca9655ecc102d5df6aab2ff6c3401f344b77666c59ac7d5b92bf4f1e2322f74b75e6ef2bf43ad9e018f164ae76a91451e5221bdf5b65a4fbbaa8dc31e6063b451edbbf4965307f8e65bfae87b15f2453083bea8484017228a9cdc6edab1a28834eed8ce07430f776b916b3bdd2340798955ce9ffcf114c3f6a88bcc4c7b6f2e3842426488c340d00f2c4d2d6fd3b6263dcf7a57f5cea6c77efba7013297bd3320accf033acc0833aaa8e8f95cecba469704214f54a1ed581349878a591f9993371f1daf92e55b2a4faf8f952cf785c687a59b3c258daef1b6d7bf9f904123c7384a859933c3ac31e33edf648a1be4d6264ffade860915bd118f0b9aaec2eb8e16b2015fc25e68caac77a3accea53b9b178f6cf48d15029fac12963b4277df037b7a494cb29b1d9e6d2148531a1f7360519cba5657c080254f130a1cc3ccaadb4298d7ea0223897e63d798b4f4909577cf9b491a82de0275a246bb1211bc4144574c8ef176b382262c0e087975cbef33cc616d32e0131a9efdbe8ad3d9cb5f935d3f4f409852acca22ae2a6e7450e9a426ec3b9183f93b4b7f89d850e1c7053c661936e0cde23e831a261b319b430da45772f0fc0113679d06f025983bbf37ecfba35eeca28de5ff4815a490570491266e92faaf8d0ad4ac8df106faff8fe3c8d050ae9dfc03a01ad177c21d7b653509a80369a668a97eaa532dc9867c32aebaf89ed36586e1ebbe1045347766a354a86ec1e8b2f30c8fdfbb6c5d549e7a84db81b73fb828499c5c4be0d4b2b7ffb197133a0ee18abb5a4e371be0ec0a6535507029316f8decde30833ca47493ffcab781d028edfb91c138609baf1054ad52a5d8ccb98b3ca5b138f253d99bd556afd80f71b39f36e0d96fba4e0cbdb18926894968aa825392f12d98b6497ff85a0e4a91c97f37ba1dcad30fe688b54008b925805104a61dc22b712685202ecdb073fad9b10b5b9ee2ff781f23fd41ecdec87f85b369a304b85bd2af126d08f79d8a9e2bff0b18607a95c4efe35941c5493c94e3f2f3902e79f4cfe84c138b83c7f32d7c5a125b28c6107921e8ac92f1af7da015b46a2f9169369cede770292eee8a5f40d080ea1c267c33cb7d4187093d486dc3911bb2d6cae036cb508e81ca783ab5e95cec751e39f3038003081a252eefa7cd913baf136d4e27076251da9cbf0c7d2586fe02b62ec786790ef08fb3ff3d79bd06868eb1abd9875920e14fccf6dc144e898f578b7295fb5f4e84cbf683722ce3597aafe3195e194736fc317ed03ebbb00d956ce89f7a41a334020e1a88da355d3b47d5bd3965a290f6fbf5dfdc8c8e6347b4eb85151e53a960311582235f3b546ca80a670dcb628fef572dfae0c101bc08c80f78d5630a793bdfe402592c316227f2333b386839a67e6ee8d9396fabc9648ea656a407670efaf80966034958f4a70fe7b920c79dea3d5a0ff05f3ed0516537d51a686efcb258520936fdd415345251c9ac1143a41be295cf12da5d4319e78e1c57ce20507490e5213ca7be92afca8ec8b6a07b33571afe6940daa2afb0dd4dcc1c329474ff8e13d740488e5ced552074fff695a04fc1b70755245895a1e9c387fd9514261dbb0f600ae03f4896e795d1e72f421d8572543243d662f6811eb9402b6a3b8dbb0f32de95bb1ac01b1287663d3b6a3f52339a4f6b27789e15519b2b59f2f4fc8fd33ad1a6e4d02cf0ddf8499f45746da424ee78e72847e3cd3833551b6e6fd6b1aa98c688252b57a1d97660ff006ea1b970a0b8fc7d2e313ffd0b0b85299ded47b60cd2fe9bdd7ebace4b0c1072cdf67231a475045990b35ec761e1dc1dfbd0c402296566eb4b9462979d33c9d652a9295ae70943f38adb212b48bd8ebe82722b1712ab6a3be6060297e2aa54e7d0158e4aba6975237e7c7a1e22b29560b8d262125ff2a6e5c1332acd0f6b5ba15b4a82d3631891a01530321830aa8f2e8ab6b41bc5b5356957a4d0c3bc3eab04df7700305a95d0f9cd18d486c675c963876b25b1a0f78e245deb40dedd14dafdaa9d614fb06eb2538c5411e13be116c76fbd3377ff212eb07c5c035612e4cd7a1de2ceafe95832eff88a9bdb3595cc19287fa40b8d244afe9bd24dca40db49893602a59640d7a1b8e7475825b09cb0cee111864deba9d3d1beac03664279910accb9fac534ef099e398d7f6e3235cef7685fd1ae46e47da093135741894273c0c3486197c26057044b10faa57244721328b47e611633d16d3e4776d90309d68ce4a60d3ecda26c9f39c1c6da67ff79fde4977efc5653d79ad86c3b53090003bb72e78aeedcf4c8107185d9aa65221df4e2104640a1a083845c01000370371fea2a6bc8ae43fbe290949da4e559d3867c16df16b143fdc807616f51ebce8d05bb03c2b0bd587b95e3f6a15d907aa9a5b11622ddf4c81ff9fda4bb49d3e9577551bae649cf64ac0cfd646b02f6f16cdefde09a55e77afd16c74e8a3d777d80b7cc42c51f618a3c467968631119f11ca4385f0f5713e37ab1133b692de475db1d44fbfe9d274b9a09e673dac88aea74ba88cde8db3c831e9b5a0f1e40261281e5aea9d4dfd48c5d9e173f4d9cd56fe7fd610909c838bcbe1d6c729e151ecb4caef511a36a14b03cca7ec5d0feacb4647ea5212a11d18cbcbedf78443127680ac0b1bb65120b4197570288226830e2a92b380e32387bbcd3be2c77d6c7722054d849be9de459cc1832ec3ac8e7f60fba9c81cf5fbad37d228eba137a23227d56cd24970340f2b7599aada9d2424cdba8b50c2b97244dc83f7391e2ceba5bc0a11ba547c142126c791265b33a3db6238321a5f3273ffb01e42adee17b898153e41818b91413ec4f6386ab3dd48db875afe659db9eac94d16f850ac179d087d93784d607349e8711f5f96fd514e8d096de8b4a74122ba914520e93a11fa4adf006700e122e2531e1f39340cccbab4862708d69c117d3efbebabc14a0231916ae1ee8285727c9fc980051360346d53dfc76aa5a11fb1fc8f36f95f741e913bd2cd1031e508b320abd2d3a62baa400dc439969eb44e6abf8223b29d4025c3d1ca08d2dbdbbf9927c625270543e8c0cb5ac5bb5d504d224e66a1895719e4f975d819a95e54cecfa59ec8e385aaacbb023772fdddbe093afaf5a75e63a62d51926254e5b47da1e9b05851196644b9180734d05810dcf3502747c4ece652b67674c02aae74f20d07de2ad5993b3a68d10207eab6be5be34e52ada655aa96c1d82df9b24c2acec35e8f0bec9131c20d0ad8936880af87215611b80d07d7a741a12d8145bd05066c6ac171afd8684b92f72237bb0e4ca4aec1ec280e39f36928852d5d8d02fe463acbad8ecefc103083fd4298f399bb254e7bfa166638460b760ccf2b0f5fec0e3875206bdc8ce096274643824acfad71ba06441c74788356caebdd2208f6f077b056fa9d85aa4357e93bf064a776f5f3b0f288d0afdc51558c8f25cbee17247364c2bb24637dd69017f92bbb43024d9c773439626a02bd0cd44136a642c9c5ae593f32eada790c31a6704030f2e07f1173cbc0dabc410bf9864214c298a6283b3631acbf94b8371681ba81eed1aa81ccf258252d7f90fe733ac770b9744d0170cb554b39e6c72e05919cc237f8f4d7f3545f4d2732f4c9473c77401dcba04c0fd33efc73219f31c08dfab26abee9a7cd4ad3584730768fae899fc",
-	},
-	{
-		"9c73ac05648e0c50a3ea3a8eea70841e8e06669c1e7520c5e25e093769c4b005375c0a9cea16ec8e00261ceb96a00924a66fc0c4e4e089c63e93fea857aead8e0ab82af4ce1682cf3c9fbad23fc3f7e632b7aa169834ddd6c7db7e1e892cac93e4d787b2ed0a812aa93bfce8fef3ce30ab794743ad241974ff989288c43e1ba815a25a03acdc2d5517293e161d0c46c8858d0b32b124a6b0bc3838807753288cf6838fa25fbcf876e6368c0342d3cbc860d6fa12faa1c2b7d9fb37504e60dd44e36ce74229dfb80f1545125718dd1f78b31a8aadbb4d6494489ce596fcc2dbdf2ec22157a1d966b61e780d36552daf084739b602861a96ceb67b65b23d40916c02b2c3a38c2a59aaa266e1f8939000dac9b6dc50d1731e87ee833a2cc3cb98c57e5b680a85c1b428289520bb252096efd7723fa8e55d2fd4e16900a435986ab3f3d2bd799471a1bc07c1772ce10d1bb8805a6065b8903999f9393d2ed1a7e1c57a9e3e0e10dfca17a04143814f5f3acfb99a34712a6e0a24a7485279ef343e69d27c77e25b41f9fb833d7cd29cb6a15551d5c77b43d19feb19f2640926a272f81eeadb792bd474ae11f080ada72103f8f7ca733a9b1325b50589be2b2b3023491afec246d336f4e4277592ce9695c68d5f39c8fa4cedaf51776d7ca29ea0ecb89eaefe71e5f3560c68e8dafe7da08cdcd954d626418677b8f3f45b9194474a32f548a4da3bfae6a3e2c0a25f602e3b3a821160c397d77c8bcbd71c5f1e669213af36eeea30d48e12953071f55eac2fe0bd8fa355671fe032f6fc9214632428125a16fc8aea8a9c7fba0d7518b9a4f876349ccb9bbbabcdb2a85fc60b83ee1ddd041967efa4036e5e10e377c9886f40bc0b0b57c7b724795f843f6a072e87e532a04c21445090a360731a2afb896ab795750e5c2c33d58bb714f5be427ca3751df09661402604a09a1eca95a8344d3daa5b99d68e6e6245825704c5d4a73af197d052d7f75778917542261d77735a21cff3f75d6159a3e4b1a7a9854ee376e6b3c8bdaa1f353b957862b2efd50d10a40007026261a546124cef979ad20d8085d53e30f5736b8aebcd3cdaa349ea474af249ac53eef2653ae1fcd5b3095538de9368d307d45df2a19acd44e3b78c2da9d5d9fcc4cb61feac5dd35f66299845bc0018c3d476b6761083baf33a4621e41cfae0e0c642de729fb2d206db6a4b976a635b3fd911b5e9946fddceb6feb2d2f893b2bed590317442037a1d6dc5b5d72910160221cbecb53bc983f1c736c3bfc9757e9e05af1248b28d651f521af67b2a0d7e4bd86a0013338404fabac7b9833c372142e6338a98c0efb7130aae8e34bb0c80937680a7a904aba3be735d41af9462f17b967b13566bcb697579f8a9340429c77baa6e24ae1ac86d8d25ae3cb9112e34a7a948fd141367898c5f33c0635c87de06f603b510cb229df0d0d9a9e107de88b12686c539ed4fc54c8285afde0c8ee502919a125cbcaf4c8c89f56e90d3f641f97c07326956f7b5d87c65b689f39b8b84359ee0f14d2c7ed621ec67f5e2a8ee5faf21c805187edd95e3941ed62fa95a65473a569566d46b87c0d27ca37b6b022a8cca30a4480d392ba15701d1015b3648958cddfb614983211bffc4966ac6c1f691f19bd9fed405a02c06712d62a775f73353f3949c76b6b7757a4ee0410fd6d20071abfe46b09e72b70f9f19b61410ea67037e037934bbefaf09cff018a5c218176d165d1eb5cfd5c46eee7b82fe65ea02e3ed7b18a86ac7b139b7c9df79e1f6e6f85304ad22d97190c7ec12c651fcc835ea434d92ae1444e7cb0dc644efbc2ae70f2f94310805c1d0f2d49643d05e78baa1c54d4fd99137a49efde88dba1374c94208fb4a0ebc1a0090b043610ebc1bb08168ff5bf936ff9834e825eefb9ab73da2b287b06fa2b0ff52f46061b07c1131e4108cde478c767b749b696f3520acd8d3338842d53941282da289dd1e9a0e02aa9be0f127566c9bf2d50a27f6b6ffc9e9880bbfc14ce7eeee70cb0c0ad90fb474efa69b46123638e8405fdef65fa7e0e7b29fa8fe8696edf661f9003a08b4aff85a4a3e6d817655c1d533b834da981b8c37c38abd5977b3ba71b3f57967a471c2eeaf2f6f258431fbb7e92f91814b1db80ea775681f282290db170942bb7b04aa2a331950b74a4b6e337affb4c51c6cd4c4e13ce3095e73e4767c2731f72bdb225ff572163fbd8573378427fda194d165750d487f6bbb63e1378a132fb6ee5115e3c32b2380b096b735bdb4d651853bc7928346fe3ea9df7534f2a4eae1f5ffc4b82ae738db7df0103ba4e68c2a2153bca499bae2439a57778cfc616df16032aa8a19e26597d275d2775b5ea17cb25d204b18028eb25a053e5666ac47c6def151f7d4b68ea62c601d87bfbe04711c24bc34274be6815024d7b7d01e7dae10cea6e485348ab195a83854663cc5826181b688cc9c091dc1e0d491fe51400e20e6f2a51a7d56af258e038bcbc80e2c4ac4b41661bd33229d07b39b59f3aa79d99c1ef41974a33e02a7cacd6fd8f9b99cadd0fd6a031f070bd3a364c64ddda0e9fb94036f374171de0b3f4ee3380780e6d77d50db9d58e670fb4a364827d631226a3491a27602808141ce657ad6e560ad62b088ff086e6f03b8a64bdf7c7d01e7b19289279509a9d6d80e50aef3b05b5561e4556952c46d0b6ab8eae735eccee77e570e1360b7ea38c53ae6b8eb420e4c2663b57827228392db6e79105a47f7d89e06ecfebdd63783101d3bfb5f494785acfdfed41f8166faefdf0b49260222c4080ec2c6e4f949f41784f076ce37fc7a34fa4e547bb44e6b9359b4b95cd67d64e4402ac83973bd50f8adc7c6e4c34019bd8f6d3843bba3d7155890712e0ed5134e00db877398d86b459f312a6272431f01b057446bfb1b8053acf181bac79408c7708f3a0867a64e06d7786849bb874a6bdf8fd6daaa572d5648ae100f4318d6b3a811bb0fb709168e817ed83c0622a7e5b17ebf5cd5ecb21d9ac32ddddb039083144c93cb55a95ad72732132d54bb120639d1620ebd142b58d75835b35cc6367012c93c6772963e9ac852c71c0dda2246ab845469997fc170d8f62334bc5aa4ce23e036967674303ec6f75bd3d17d197d026de69beda70bc59d2ff95a899d28ac7e5e42f4d37233996a8e6d3b0b86b80df49ea8e145b4a6e3e39f3d6c3c6518bac45baf97cde23037709d737b242b8918ca31f90fe59ff2c83e2f347a954d3559a8e4f075c620ad36be20b1e24b3afa156cf3255192171ad0474e4adc9b7f35436325b92945665f038611e5d14bdfe7b7d20c09642323346a717f460dfe7b5062a0098be66febe9f5fccfc747aeaeff81ba08e5dd2b1a489c998ea9970afaf9aa03859073707a686c492fb3f7ddb27897ba5e75e578bd82114b2ba85525a2002927909c970a04035334b64b1169c3a923211e0999db8baa26b6537cdcf57c051c0ca1b317a5b66ad96cb5ebd57994f99ab202348d8ddeb343312f1f26ab2442b8c5f5cf6bab394418ef2fed68c3e60275e836027515b6b946e5d86d91fdaf49c2a5182d5051726840a156a8653cabda25e1dd9af693533d782caa09295952ebfe6a194fbc8bb7fc2c0da5914a506c6f31490928dc5d6554890f5eb268b09d671bb6b6d7416dd36e7b78ffc5c86b34fab43d22909a87e5239643d5fef373650e291be56b89b9d90431d8c9fa44fdf4f83a1689d59d6ef833b1ce31a44197b36ab298d53b51ae3f8387087dcb0571c340874c1524ba0d576bdb88101c1fc387d25b5c0dad0b4d309255ad5d5b1e209ba56db0c927bd209399a8a3b5c8663c9ac199a76ea4f49e364a4b93a569b3400e20f0d748adf7db46a07efc68e43802a5d1a914759eb2abe8fe3e8d67f2cd7612bd4d5a6a4535b1e5b3ad4d97e54f3db7f8512c9603d87e01160b6908d8df1b952c750071abb1565e5ea3f643f233faeb84278187ff0089150bf21ee4d13979fdae796f592ac5b88869aecc5be1c64665edc8ececc87502d36720b73859313607aaa561d56a195dd3c7292fa8f0750ddd3df9ca056fccd9d6ec900f45c1454c6ceaad4154c69e288dc85735b8cc42950a3c5f0fab2be8811779905c3ad5a9a6bf56e7141d863caa4e93e0065f229b695efb790926618b3eda1b9a15f143bbb09aa3c4b72900617793417df364185cc213d5cc3a375778117212266356e214f085d8a7aed908256c4aa25faebabc70ce913c08c89380da06920069e8e27dd867567f152f883a9bd2dcfb8097b7f065482d6d11c0edebc67feb3068cead403503c04b324885ce1a62c99af9808a5ec8b7cbd978b8c43e37b06e9f7e1ce0b31fa0fe52e8842002e6e99cdf69263d31de080b56c0cf94f77f0397fd1f77b13e17af90ff33b00119999df802c33534a13d3ff7fd0e8cf58e8f8c8bae033cec1aec7d191f2d1a39c7b731c97a67fd1ca43c13a24b9f97d92e2364dc26a1c9408d4659ac7373e53a2a1704a47e01c0223ed4c489735b62a27ec67ea46747e4f48d3da101b0863bda9d3f7f1b413f3e7f130208875e6a29dc30a78198ef658c7ca32d7d53b4b92e51f8ad6d39ecabb800adc0870b2ab0e85b5769f346ce7fc371ad40c561f9f3b2f2a01f2b8ccae48c78a41383cfc36b2a1bd41d61a39c24144965d9aa5ecc5d506c7c7cf9476085bf049942d35caefd77821ad925b7fd3a006213abc1e008114c848d45cbedcb8af264cdc5c07bc338fddd1123940e5d95717040325048439dccd1e298bead22b011ef76d26a390a68161b8bab29e8409a5880cca9c8104694e1282c9fd64f50e73ec6b9a9ffc31115de9cc0088400a2dc806f85487fcbdd60f409ffca584fb197156b40142e512a0dedea1571ebb74d6b26d3b4a59e9105929a055cf3540e8a6a79ca7ea71ba8b40893c9797e81c6e9a7999d4d382e52cac95727bcac354616ae1094552b3d0a33d0d3ac4e547237fc0cd54944039b0eccf335889f6aceb518de496e0986783c564be8a4a05bdc9c67b1e5abb480b98173ef091259d8c772b611e0c09758fceea3e59243406edfa71fc452d4450b55b8fa5ecb543692c6eda3a6ad3bfea929a18ebbe5ce2ac4754989c71dced37286cdd1512107e4e7f4878da1c28b4beb2dd9a712a8d1d61d1a5fe5382db8aab4857b05a783e98e77711c1933a7641fd43dc6e6e597bd03b11ce8e94aa094fe250f03cc92ed5b0a5e7723911e87b0f3c476d9aa0d96adbfb395a8fd353cfb5a4cfe27deeb82e849f90bdb17928b0a5702e4010f7aaece2d43772a78b325d2ff24f9de0f7bc65974d2348c64",
-		"bf96bbc17abcd1f56a9f22ad164d25ca72f8c996f1a7a66d6effe140336da4f20460b47e1c8573872496343be35a055552ceec437692b0e4919224c4ffc8b603286a8245eff5cc148b004f6e5a54c4ac22b0f09842a07cd332a09732694d3591b8b7d6a7ada2bb38a30aa7fd5e6baa811b9a195d3a96306d",
-		"aa2f714d3a184a9883f4199e8e33fbc9c92b36fff2d59f07a9d0d335d7476e81",
-		"36c79f9f14d431cc8c077439",
-		"873d0617c986dc9d83e9cdfc50b1f916626a9d9e1c595dc7ccd99d1e993d25d89b04a893c89e205952eef8f1733054bbb55fa5e1b07135787d4fcfae226737b50cafa2c11276e8708451be9b4d7f662e98ef6b705c5c4fc64588728eab1dfee22a0a92bae61828a7394977b0ae8a3b6d0126a23583fec025becf0a72a28891391ac1495732a7a4a1d43a63ed8eb37b280b6d886096fbc4f77aadbc5e441e996334d0e10cd7f3dbba9bb7efb147297986509a07735385c681e0543186dc166291edc3b4664f5c8ffb0965c85bc30ff5e7769a69609c69ebb68f35d104bafe3dbd3e2a40e13865f19bca3612e48592aa930eaee29440b4ebc1c0a59f1c54519857c929709b086bfddd6d4a30940b592be48e0067976099efe71f45f956182dbb300e8076e1207baa32d59c1afef7f34171bd66099d2d7f07b39d16d0f8b085185bf2554c6ad66bcd656f07979e8f19575a116f5c4fb9700ec3b46a3254f28afa1ed51348c1af6dba26fd398098a76d7bfa2ff195eebab41330ef290bf75205a2ee570a2fa46bbaa74aa6ba68a0e63e2731dc1974eb44794f3c89ba58cf96f7a070fcca678185711d97cd9d7d8202351ed589e0b05a7a190e60ae4aa109254a7bcf7013f8addd07a64145e21226795ff7c7b1c225f40ed7c3552da8eb18b9bc9bc70c2e7ecb10c8b20c54f04b6e27b5044a7a67b558407eb330f2083444375c022565c45fe817dc00c7d24c23db320d15949b0b64fbbaedd310e73e423fcebe6e1e98a5cd232d97e6466642e5e3b23f06525ac1cdf8688650cd366b1b7ba2a9033e62d836b14bb73717757b76b9673671bd3d3b2a56628f5a309f3b86ad32abac0590c50f7c5a22e0a920d88dc9fbcb3add08b900a2a2fae4178aa100a0e645ab428e0e79bd90baf4af2755e48262b64838a6fbc21226e323c0a1ba5703e30738fc7b5a7df9eabec6199df5ff6ad58f9df5a734ccd6509e53ecb3de1c881732e26e52ab848a0335b04b25f2254aaf8c130c78b0c9a40b60d402673ac7ec7311d0b00c45bd176bc73ad81c2478611804f59e3c145110aacce922e473ef346f8acaabdbb9f313dd3f8d0a937d0c048e5af789e2e09a816146f9ea28170909caf2572a2f6e2d0d511242909de2815e9ec586b2d12183ddbeb7dd70f32424097e2ec28b4ba62cf78f547e2057a4c050cccdf6b582172343742ec8c85e2847efb1595bccf89ece3b3ebba824d2f097b1987ec26c6e5710544739d54a714060fa91b7995cff0161415eaf55758078772c0271d9d282354e47a25b673eb11497a6ed8db82267d65ad47412300ed525af96f943c5336b1de88676dc346e7339230032463d305b0442f934018bdf0242768511d20474c6ecc82fd752c0c0ca5cee1f3e06e679fa5835540f97870d47ccc6bab233290be7a3bbd4a73f1dc7682049bf7b3cbfb6687479c18d246e3c07161df5c889ee95d39cccd989625a8c9e80f951f8b1832f6378e05daa8566477d7fe547e49ae6e822a68de4df9fc4d6500d5219c3d3bd8887bd7f695151ba378da17c2e750399f7482973510a386721c59683a86003edb9f0ce1ea89bd7bb8a25c222df7ebedcc1b56c8ce18f367b2cae720e0591b477f6ffb498c3d7ce59cabb1b01d7cba84d7180b4b2a165d4b889a6ac361720e768f2913aa50b0b5c88e55c35bb4df4fbc4460338809605f1fd445a2bcd97ec1d2f269b5e779a18c8f215bbc5555c745424484ee5436119eb8754f5e9e91f51fe715353596baa1fbb0a690e99691636e6027cbd4b7be752bc278661e2677070ddc12dccc262d3dd47160345de51359ee8dcf2f61044f95dfdaf323881b2bbff68af6572348f786f6e52d1309cff871ad58148307d7eaedc93ef037922b6092ac62171433adc4934884efdee3052ebd60ee115f76f9dbd0eab7c4c0a77b4ce8078209d23d81d957335f331965b556ebd54732327b5aacc899f9ed0edacad9eb98cb845867f249efb0e1a5fa2483227f78decbf7f1f32d060ab0c01eb985d83920b2cc24b5f9a0d5d869e980129d3b78277fb87e5cda61e340a729d86b6617b8828dffc7c37d4c38080ef3515c2784935973dd184e0a8160f84bb78bcd8a5e691760be4a4d41ed6512ee436ce24650c0e17e7d74b5e01cc39b21e21514a84db262d673f24a82cfd5dfe2a162976171c538b24af16429bf8ed5fa8e37f89ec6e7d63ea1d83ac1087cf89e8f43161f225108889e922493d973e36b510074533cb1cb22174d21c4076959e4191a5df880a8b868b95a9cb5151a7ad47375fcd87725660cc0b59c88ceb86984941268493c49b8aa2baa8c531ecf497853ffc3d26b926a379e72188e246d42073041fbca453bd558f328881c8f8d9e099e898a912530c4be499f2b32229c359ea10e0befe6d94cba5ddafe51d164898166e890b22fd1eebd5724451511dce1f8f7431d712a3f1e50fa5f609da686253311af255b84b2106b09b803e94b51729cfa0826869945d46b9606547e7e33fd9961cf15b400d0f5e01d8fd4d92a83ae526934059d4514b9e0005317a70466aa0b6086d5fcfed201d958a0de55fd23f0919ea29b8aa02440031a9fc206b9feef362a73430a4204869354ec81b6fff92eca97e7f1bb12d25228eae466b8137b4806895ce34b57dc14bdcd107fe160776b0e5daab150ba06976eb884eaa574da393af4de355381c7caa4f611a2ee70a0c78df93a4276f55e6281997b4aeb36888a6d9638cc95444047e5202f41f8bdd787f1ff44a648cc7d39f05e49e5d6989fedb194c526780709763da81a780db0d1534a466cce57e11dd3a4c0e273d9873af1040d52a90e20101e1f80ef296d45769d204cd5417a84e022b6b336675d36d9cbdb16b0cbb08f5e240012967c8067c92f97f981cd19d449084400d76adfb7c610abb73bf21e161db04debe6665fca79d71c8cc50adc3ecf0e52d07773478ca97b8e9821a5704dc58acc647a5bc618d2b681f17942c46c266c73ec211ca403a7d47e42e12c775b370cd500d70a4aac7124f5f6d2d4ca78e1c17a96426c326bb60379ceb0c84a86200f3b450e5e9aaa11f45440f5260eee7675a8b9c47fbc58cf18a651a1dc7b39a911442504f12c103054bb50f15381e512dc6e3af7b414b3db26fe767d83a2a53d7181fec8f6b196c7874befd6628b31797ee3c9260c7b7853b137893e36696e2a47277add98462ea9a0edeb7d2d3c0f2805fd7db64c2c7eff353ff2b36f4de862a42779ffd4dbe77b6a79bc9f4ea3e909474ead915fa3fa990bc82b83a670b163e79300b627fb91c4502e96bb9dde00f716ae6ad14dac647c9f7c2e5b2e505708b5fee996b8e9113a8f4f2caaf414061ee72e76b8bf47ec4f781bd7c589adebc2c267448247e30d659998d8037783494a1fdadcc819d7ad7ea2674f75e10639c3d3055046a00814ddda0e463185454a4455d60b9780250183d591c3db6f27373cd2ce4f02f206ae10a8c32d71226e7cb8d5b05909445977164983c0073434d6c0f2bb62bda66a16792d6e53a49ccb5ac3e285a6baba935f30e9d1ddb812a018ce04f29e2009ad678ba72b6a7112d6e7cfcd3ee7b058ec954a6fd7fd01018a6eba6209687c3130de58147b07bcfa02ec1caf30b59daf87db4618b4a5fad34cbc8014a7529b9458e05eccb9a77ef1621aa95513c6fa4003b0877ffa6d48805e7867dcf53447caf348228ce926233f65d553146584d6ff3dc3ed3296db9bfe69dec6a07add13037b3aade118b2ac3c52350b9691a6cb32356ad93377059fb8ceab68de38d96876d6d383db01f3cf620e47cbfd471bf6dd1f601210482f7c3bdd4c3bd37dd0a7507e1f0fe515151634813dd4ecefe97b52eda28e7a7129993b0af311abd3a07bc463f3cbbcb4fb0eb265a5835663fdbab0d8b8b5a73837ac98ced6582348fdeb41ac8ea9e36f9818ab9c0a41bac1389a6b518ea17df043dd50550f32471645791bf59855ed695b84919aa5cb688e569122786660f06e3a919ef9cf18c355bb397b86710c367362cddb0239aa1d32d489328e4bf92b3abdc3d0dacd76ef1a1efa28fdb848e708aed6780e2d8efb19a2e26fea56b4440dc3eafd796896d73fd150bbd967871f5e6ee5db58995f2f85cc2a15077d7d472bec2e30430af6891193ef03dfc7761e2b3b3b54a72d4f1084a8fc541526fdeb0633dcba14e9485b43065aee8750397ea88d9ff13417149e0fa145be666e6f4afdabe7ad8e4864e777c20ee7a2842db44dedee22f3ce2f97d72919b9ff6059352083be816a7515c48c5140a99af8e81b9e18b10074dc73dab55fae66261421629c8e323d8134f08beefbda555660a51e4b55a9ba4573bdf0396cc413145a941c4175aa672586f7676027f9fe211db87fe07a23962f5b1ad8f566f0d5b13c5146457276f307a02e1e13d00c5032a06d225248215e4bc4be1b672f1eaff16ca95da42513fc4315c7a6663f9101aba80224acbf0c87fd3a2ee9dedd1808c1247c5bebf3cb8d77377a508ddb484ed91203a438ef5ed3ca14e087102bc5f3828d8c3437ecf5c92eeec0331ed93ae33520740abae9b7bfc45f097da70adbb9b9b879e46a7d655dbf75d89773f737b66fd8a8c13506cff7b44bd85dee279ea7053f3ed8447fe79c400cf23726fae800449d27af5e342ecf776378e2eb449a3af27a40fe4a9806487b81c942bfe1a4b0fc146c971a13f83669e0189e337cc9fa2024864436189a9165ade6b864698ecb797ea05fed0d60f0ab4b92cbae36c72ccb5aa45337cc02dd086afed9e5522ecdb75ccf389fcd63c5a4abbf60908e39cb3268c76a08687588be67a856a841eeaaee8ed016f6640ef0f5acce12ab8bb58dda380696e3fb22d0bae0788c4fb79d00cfa5ae3e479dcf7d08b45f4592c2d2a7f8081d5a9398659613ba4932ebfd7382d516b2648ec4ff4477648069b9b2e4decc89547c16ab82a0ad9cf293fee5adb17cea4c95ab7b8e386dcae6acac63ad0d1d13656dfd97d5623dbe45230de597751321bbe5a03c879c303fd7a0d837d48141decb6df4f0865717628c85dbfda29df9a8a69b2c956c75fc66e45c08960c23bbbc706e48395057f989dfe675305067b3ed8d046db339e504d5b2bc978ab4dc261d8afb325c5e794ec79d63d8db53f9dd24b623fbcc202679fae8f7d39f7f7e0667b142c714b6a723996e5254ad2ebafd63c3577f8909981ce6b3eb1a6ad67a4e93c45ac3b34587d153ec5ab67a2697a9741610d5a176cb9b5856bdccb98f69421061c84811dd6660495d9f30548efaa69e36ead246d997c95bad0ca3fdc1a08b4be31b12daf211d3e29d585cdac48af8f2268ec304bb35d",
-	},
-	{
-		"ceb1f819497c0d631a9c9616655f419b5e3470fd3b19cd0e4fa556bd26cd9df57e960ec7121b2a2cb7c0421c1f84b77eb8277bf341490190ee574d1424eb09a281176a933394bfea5502077486bef23ee66e3127b732b7a58a04b9aeefc35170dabb030d4fc3f8a4c5ff194bbd0b89a379baca30ec81d576868f25755276e62c31e93a80ac322571313ebcee494592c3ff5cf3ecdec962645887d9aafdbfd62ea910af5542d4c7731283625bc9f41ec85012b42edb1792339e6cdd9c2bb3cad4c4792a064df17a5f74dcbb3dd0d90620ebba4fc6d1e1f9704dd60c798ad64d4e5077549d68cefdddaab81a7a91209b7ddbea43accb3d1c191328929dffdfeb4f5740ecbf0ee99cb9a1b73333d7ceb0b2b8f35f84307b9d44a42fe1a30ecdf2650dde251bc8c1d46978089c50d64c028f40611370ddb0b481df9624ed63165370f4788bbc396026b268c2023e0f04cd4f66e0bf439074c46f0ae85d6dfeb0ddf22868af61c8d5133097156fa61a3cf5801db5c3ad29871d336f7aa06d2a7d5f52e50eb3aee3c7de7bdc4d21f68a1776a7cc3954f5c071282febc89c1545fc672a0a1bd8eee2b769be048ab58ea12b356d658a6225fb8a55e752f1fc97ed64c2f87f9ae661514f1f56d9d4e47b001ae865a44b8a9fd5df8628d183bfbee781b6661c9cc76debe6c3c5bba840bbc228206673aa05498a8c715b0f3019f6b2d05cce6c233b5809ff1dc4a75d7f69859fcff94ad442d460b32f6fe348659518c16385e49fddee9efab2455732aedcd17dd51b5117efb2ca1e21ae6787437f48a7042d46e11be4dbcd2932ffd70fd154e4eca5fcdc57c6fa79746100b8e1485fe575a5c79089a25eb2d55d89e42eddc81b82c4f7da8bf153ff5353b7349b161911bbe0a14483fff6585d7f3c8b5c04a6dfc99db9548f0c53e25f0b16fa212f0bdd10ad2193ac18eb09972795f42b3bd3f4d98c4868989c4af7a760f1c88ffda59faac73256df1d607644f56a70303d6409c9ad716149bb58f01b4ab8ab475e4af1257d47049aa77adf9ce54fcd22b3d6ec60484da903a6991ff052ca37b01428d5916fd92c17530bb3385a805b0d57476e9f9417a23ab1c12a038b61b3a0898831f9615d10b468c3edc24448d09b8f3e3a2355dc5e069e880929eabcc97344fb6ca5587c5ac1404783848f531f1e915941e7359fedd328f7fd12b3c685f8c1f29d1a6ef7dbae3e5e32cdb251eb43aa2d2ae0cc18b3f40fb006c2778cba387e5852ec4f2d9b8e8ccd5b3e1f4781c974aca940c45d35d30d3b9584c750bd45a80f32f73dcd85c99ae107b92888839c342cdcf88911cb974d611b14b1d85a59e88c502559d6eef3b7f5addf7d307bb25c57aae669767db6d798ca887124e159b0317e09076cfdbe61aa9ddeda189036703b1cd9b1998f88325910a37ef1fc2e227a382ae635e847df8625b99eb6ef0ef10ce7a2a5762ad7d03a7a4e2b767c4df0b477d6e9601dc8e6438184f97193ea7d7a8c22f1b6fac1f0740f1beb8b68db40e0b22940cff2261273aa0be43df561b88184a9377e6a27f27942dd04abb9448b6b6ecb3a60f14dd39b58b8d94e1991cf9d3a071ba42e0e1d71eb211ca466a70fd4724a34639707feefbfd73dd9680d76a214924642a063b38b85cf30eb763fbfe889f34b20fa4a10ba214d938a5a092c6e9b73b13bd664c75b34f746aa360593c0f8dee0f328f0ad4a3e40d498490007e573b8204a1ce7a550deecfb15f18ed5ea6cb5dd95a68adfe4cab37c13b383f8273b1971580016a8df02a3f4f431c9de9e7ebb33244512080fc5852278081b9f4434109c3427441329e8071d19d0fbb74fb6ea73fbfc7c0ac1012d3a0948d94d7ceae9b0112ec43a16cb582f9c53e7eb0ad15e05ceda108fdb3dc9e585a332018d1cb19e4a75d86041308fdd8476c88e4826931601a3a5dce06fc16512f4669f10183d5a8d15bace4649abcac07358089aeb1e9b8fc3776f3239d5442d3be33d532097e13651af7c9a5b465ace9e626889800318447b8876b45dbbe1989e1eecbfb5cdf5067c71a0d7b7fba6555d0edede12f7228d7f9841dc532274f24060b1f52da6fbaa179b81ce962723f43601d248f8f4d5778c1653e038c8d27828836d562968004003810e9aa9318edf3260272b54fca2e012f6c04abe92c2e6152f3c3e973c7e9abe8c3467bdc246f0226d1b7669bd577bb317c571aa8758bfb694fe4dd17ce78f091cf6c6de3cb601a9d177128fce8d42e652b490d90c4f8fa04ddc71cac300d3dff699be3250bfdb2136edb0057af3ebcca77ba5b3ca34531810c5e2d4c5b5b3bc4e71ee9e30cac067b7706c326357fe0ad2a4bd9cd811b4e9d696bd9b4b70579ae246381210f879c769e5f9cc3cf8d70e9c94ab74a55f5d7bf61a17418b6edb6db4147fc40cf98c75de85421b7d192919add48e5334ebce2a06e56b915447fe085b7dcd677659dd55de1f705c389975e56e0338a2ef07ccf5ec3786407e8449d9011641786f1ecd4d3d3da975d61f5a442293e6119ab20686ea8cc7681010421226838a95a157e2de948c536aabadafcd4095dfda48e5613272289a8238dc945e5f1ef30075d5de096131740cdf23da1fb8b9fa009e5b321083cd93bba9271909460c09bbe1e8c54319394ff85c291814e21215816d4791f01424abbe4cc4c792d0d04db1b812f4d24b44caa76de2bc50f4d1d1611862512d87fcebd3c0b2659082b2423bc5360d107ad7b8e8ba7438ae4509105d6b618af25e75c51e272aafaaddf1e5a227f2b2a2c96a8a83dec23223cb428136a30b290181ee20a819cf52f6c03798e7294a89f3b5137693d5a8b7a0ea38d78e43008fc4eeaf6d077ebffd3ef7952620e0af1395c38a289832df391d1710ab5b103a1ffeea8c06684c03a74399cd63797c770e3f0136d8331611502d21fb883136a82f2034358880392fc3d2fc274b799e59b89f8f90d2a5a123d3c21e5bf3540323743858fdb8912c7c6329a3aea241075ae097ebb23c8cd50f4ff46b42486e65bda6beba5f4fe6dbb30f7e61b1bf690c9f00f7513c83274cd21bb71563257a20cc38da2b88c1063bd0849c8243058ee205853342085a8edb7545f0d96a6af936a3d4612b95676665eb02e72e0875100dfa444f039eddde1422ceed8d38e6c3dbba25064f8c6cb5786f9ca67712b7840cfbd40f99b1edadd4bb9a61f48124cf3b49d68bd642404eb1dcf428eeabadfba6810a4032f8ed06b38867a7098c7744d54dcfab8f0ff941ecee69da9916d54097e080cad86dd08bf53833fec4aa4399f7124586223ec70e2c31e8c647be06df9e86a976f37901e9b134e775de2a0fd53d545c5f92236dbf5455859c138b7bb1112427049d29ed4f5dd5c43cffd3113c276d9bba910879e55efe817189fc239a204a9ebe738c0dd161d10d60a51e9dcc8c38861d41ff029ffd841086803320a17ebf5ff14b6cc2ac3dcf0ce2eea9af7ae23597233599c2321dd2b99e06d93f84989e75e30a388f47079c2af545d96f270e064a43a00c76bddf2f5be5089a69a138de844216148a1eb0b413f58d831d9b8967df297455e7538442388cdda12d157fb25896c6e2b47696c76b234a88bed4f09dfd64f2e4b77627ef03049030190fe271a5a853591ee9218a0c6b12cb3f02683d665b211dd1480cd44c9c0566ace7d751902babae14cc3821374bec774d54b4b4afd5d1811ede556a7a5ad02642a878d2d32380e7efb9082604f49d51495105f827d77945b5cfaf2f2980566b28ce3dfbf1bee2e077eb067bdfa4cc28f5d2211ca99a615e69118d9391e3feb9b13cb4a2fa9682718189ec612db889228aaa3f3345a091aeb11f41420240fbb47caf567646d9e7c762d3288f8bb2b1165cf049a191db5042fa9185fcd180b04d3007c376e0aa3d427d66d10918821f74736816044366463df7cb3ac94cea167cf1daf2d1842f130295e40bad672a22da9238ded69e241395f04d5e3c3875b8294faafbd3d90ed56ff3e01c5a0a3e349d761273143686aa26d408620c7d1a35ccc430a09e3f750d3256298c6068c0fdded270f308f79d2fcba591d723ac0cef703d8f0e7c051bae5b453abbadfab98bcc297ed4201b03ebc195c2e441cfd3b10c63c08868db36c320707ecd6a37593661d70a81f30e6db4a32f98e4fe6b950ace55923631c8f95138781fa2af78d8104fe39242f1fff6942e8e782dfa0d37c863caff9492f8e5cb70046d207c4630cc29c20e1ac105aef093261d8d335456961e552ab14d107cbe14e9de912f0e5d58d16b729270208204469f917af4e710123c3bc38a4b3f485f2926f058344db105b9239829441a2d8ababf04aea615c0e350846d9bc3b5faecdbeb450f38f615f119ad1b5dc748e88107ec2fae01f0915174feec37b3e7248ed2699d0a5fb2fc785f17d6275fbea867aad815acc8a6fd3ca4ea7357d197e5a30082ad5f35a9d894c0aebb206c6487163c9cc20442c040e6aab33d7b4b221e4ba4cbabd975836e353129559d8ddcb3c97876cdba360da0e0c1dd5b0cff7957a444027db985ebefb6154453a221076c997d3954b347f49308d2ee14d1676b75ab6ef365f3de54aaf398fd96b9040253813ba734829bc78a6db59e3f1c0ab4c878a72d6b8681157919130fd3171126994dcdcdcf68955ad64af8156702c92f7a715ce6f7ddfb70f60e80c92691efbfdebc8cae252108fb6c0010d303d9027d4a5e63413b5fb2316d32fb93c3ea52a2a7df50cc0058c76c58d73f5bb041d9fb9f3c3cda9bee0c0920079ce4f1ef8698ced664ce2e2b3b86027ae2b3bcbbae5bf7ea3693d9429cf94938dd3a2763d3f53937c46763ffee6579d018358bc69182b1c7158a09b18352ea618c11c45f07fe97cb65faca535f43237879ae3e0a31efd14679daf8fd2ce25eb8f32218fa20afc586a98fd908d3fd804cabbf56dcae272328011b252dfd83e5f0a5fdebc6acb04c5540255e1322de5fce9db5aa4cdccd74dde8990ae51cefd6c1edc1879971d3efb1f94dc41b2b23e9c9d89415b46189914a229b2f3e8b05ff78c68711385a00e9534dae6f79d15842aaec575e4ee0f098028bc74016cd3f8e93c6a0cb21a0b574ee63e367343ca9de28003d76e02d0ee2b8d622cfa3615d3628fd02499eb7bd8c1aa1f34edd9c2d059c6a7c7c978a5e4f60801e03e17c3a09793c5217f310a30db1965b8e328893cef20f4a899aa8d9fa28f7fe0a733813ed7466046776a874273ecfb57158483f4a588ad4f232adec5ba4ea651822780596de09fd54b1717bf04130619979a0e3d12ab7c35d64afb8099a1d21bc952653742f50c8e1c244d10374329cedd27fbefd37815a9b3112a4cb2fc587c4ebda381b2b01fced45cdf0b9ff8ca7d10b65ce42e728de183a82e369486a2e3345664e70674a5dac174d6616d90de8e472b62759df057119875483cfbfb103041751747f9cd12bb31e91caf79eb2db1168026a4707dc618f30",
-		"e45eef9561f3acb3672b4f38570256e8cc4d877e2998e72b022e33de8fc20f7320fe0882f2b53559e084923786e8205336a7d15f3fb88a41e7bd20767f2feaa02df2221fa7577988db0bbf61f3dfb429868688c53e130725d0279c505686f083",
-		"475a44cde0cc931edf9a44b0c1e0001766f09ade023dfe6b59a6af800e549b55",
-		"7812a320691ca8442767a51a",
-		"eaa577bd67fe79ce4586f43355c94528e306c1678946e4f7a907d2a8ee7f4281270502522119a8b09b6f05d864921cb515fddf6a1000fc2f67b52d0627998591e2acf5b6faf71c278e5754b2703662ce670dd049da8d6e280c2b84d6a9b29ce28980563c40e03381a49c54608b72faec9b272ef05cfa41957d9eaf3e944b22610c725d8efea90aaac6e782848d368ffc08784d7fe37ea1effbbbb34952def29fc511fb10a1282bb0b6334328e4d00529a44de3259b522553a07d524dc75f431cc9670127c15670c0df419826617cfb5ebdd8788d5f528a9eb1e61324eac5c1746f339aae2e2e2fae598642a389da671482128acf2d69814258d83de98f186468136868b729aa5f0874fef2ff2575a1f87439d64e049e4d0637e9c99ecb7275417af654541306615f30b75a6caaa563e4790dfb28fe9f0e7881ea2d885eefdba99efa7f878925ce7d33e86d888154a1b03189429fe20af8fa3a68d65ced9b690a709031121425cfcd7e1890ed9614f9dc3ecbd0e38c6c84e453e3204978ddc1ef8d7fc6cae28c61a472d8e089e23209f0c36e80c994af771e6505e72ba90e5543f6bad6dcd31fdd468b13533a0254e44797825764ac1f63747d8d6ca019ff16fa732068ee94be382c46b168050ba725379df31a98ab81ec8eb266a3c3f2e1cd95e5f12b3bc79b8b435e4d94098c6184631cec57e9d8913458889223a2a4541f34d2f9df380f34c3e541fc587f0a6cf08c82e99476060eb84709a292f4c7a8551bda3a9eb6735787dbb9d7f1e83937c2e0e49f2cf6e0ab0ad84c40fbafc3c7e61886a8629bea816972fa0afd0f617b6340b1af19e341875e97565c8eb0b25fcf68696ee674d2abdc29396bfd0f282543d2b72a239c6470f76d3b5bff6d1d064e6e2d06f9deef2aae8a259c034373efc820f9a2fdbce36cc27f35dd6386de3b49509d0c305757257f8674d958c580a09e768c0f6ef237416fd53c31511badb2e7cdfee636508482f01899e72052b46b5d844799cf94708520178cfec2b61c8980fa7dfaad8915b0b75ce6eb57ed4a01edcb4a35c1dfcdf8d60f3191bbcdfd522a0e321ea41c2cd87a303522d0f98b82dcbe53232ecbf0e2528de7e1be75569584bf2ec574687fde67ffe9827ebbe78f2e5bc4fb368f3c9b0f588c97f7a139bd82fe86eb605b8e29cee75d07b510da1b24fd62cd2fb366f1621e7dbf268b15937f7f7ea4acf6e615775a32c90733769996dd2c5aebe08ecba73e0bc4781d33971992b2764c1b08aa972859cb61b003406479423254a01ea85a348ef249d408157cc0962d1e24cd9c426e6e6a3784dec6fe935be1f6730b01e8683d97e21d8774b2e2655f85db7149e930a44524d4f86004cd687d8a528b6ceadd890707458cab62809110ee28f61a7277ed79dc41e573fd4a59fabf15393ed4c21bf4d5138ac843e80bbf5e1c39ac2d7f2147f35996eb51a9e835db63faaa196b8aef1823ad72523fbfcb35b5560582a48a25ab770e7528e4b3ef291e6f62f5fac916e2162b3b56304287e46839858daf322b0de083d1691d6bda44d66d085ef0d0ad364eebacdd0a43a4456035e58910d0b2dacce45b1c0beabc784f3620a3e4390c345df6117b86d4fc386523b7ceeaecc21233a2865ec6b63bffba6689fb3323402119db8f0665a4730b2e26ca6411db04f1bcc78ce6272159ed2665a286f1ad7758d6d90090a6fd320e697dafbdfef575077e282b825bd64a4dbcf92d1fc0c6f795154e8466ee4b318f2d44b6f81c52523ab68ff8367e01090c2623e00b4008e784049df873a35c29e0abcfae7acbf27236adba0b913d19a15b4af4996669aba4c656c317084347ca962ac8df15cd2f849f522016eb92de4de62944b917d88200ef9aa2def0d13e5f4ae09d2eb4a2d0800af1d704cb01975f6d59768a2b50e39e78116147fd6dcdfbc08354c1b4033bf6772fa127856a4072556a9f07bd7516d01ef41bcb519005c0a3b2a04400427ec033f1b52fe5fdc1aed8e2521fd0fff663e203defc39d7546281a98a502b8a470af16cc62a6581c9985d7ca516864b799fcc55a803ce80711484f6b81591d2402bb1499c95dfb1dee9846679c22853be87c84b4547138dc4fd46b4e79ad12773a5392540a595954112f0cb1d9be4d4eb3aaa4286b6c01520558d58587d9d7f0df3a0282011ce01c9c17111d10ad61b3675b1826c1ad37fc562bdde951b43f890555d6f74ac4fbdb9abbe8bc1e80bb6d52c13de8960a3ff8f65201265e82981dbe39e0d65cf3f1fb6c56e11f9786210383d0150a5e0cbbdb52ca8b2bc45c12fb572657380df369082685b3de9847d5014beaeef815d63e203cc911061eb53d89a312d187f9f02760bfa71083fb643f5d8c324c410070b7ebde250a185e7359837899bb1568a43fa3418f39c12feb03b148b924bfb98b99352b1fbad3f07ac8e4302f85d1fe9ee4bf7507972670ff8beca105cdeb037f1cc4f944d6ca869d0281653de5ee93a7362420fdba8b01a375ff08fe27873655953ec1c00f53613c6ab8b244e2fc1b6babdca5311428d06f57aa4882dc870165deff75ba877dd2a04d1799f26ebfac97a1be53a83ab77dbc2cd4aa45bd779f61b1283eae1a1866ec8a9c150dd0a4deceb2ddea1bc0f4206cd435600a8f190b999b952337d9eb2bdeb3aba2cb2e7000319056629dc1f00901f0880278509417223a3ea0919fcdcf12bff0771c7cc725bdca292068478ccb2e1f35ae8964e0601789a73e7e7c1769ba53f865910fc3d0085c922d7f7849d27b6e7503d521371351f9d7dfd5afc5df0effdf6ac49617fa228501ad72154a73e07781dc4b07765dbfa721d95cf1dc41e161cbd34fc7883a25e3ba6b03e504b2c3b98c8b12ff629b965c2aefc26d74faff7f784baf09c3fc38c487a9d1f5818261162f97e9dff70cf42eb5dbcd7bebb66d68f26d917ddf2a3efc0db1e3372b170b4cd18da507e44c467943f73648dba74db1053b53f989e481c3054bac22c6342fca2c26d30a859a1312e9c353bf921f68136de2b1589747bc765153927c31ebe749dcdff98b5da84c4b66085451b4c87fe1ba2142f98636bcb268c33f7b8c2b96a6525298814578377aa189dd73d5bb27ec5cd2110d8751c18a3110273df2595d4c3a00809bdeda70d86c4a8169b7010c9cdeabfbc3dd3266518226d0ade9bcc4825f18198c854de329fb8fe456dd3bf35d89bd9d2384f3f3282f6872351a18a2f852bf173ea4426de6d01b3ef4b4685aa82df7dc45b99617a8b8c8a0c65a2237b3eaae8267e1f6c453f485432529d973924a080f6a1cc2cc18f804f53209383ce3601ad9361afc331707be1c88b4370404cb7fe0bc538df04adc5c8d9ced94b4c474b19619a53dca3fddb434cac09ce10c0293fea04e8e1b19fd3ff3d174baa988d91cb604fadc59ac0b61f4f87bfd07eee20f7f3ffd96766dd6f3555cd48da7ecd71d2fef34ab082678bfc4dd007669b3fc7a937a5a46269baa7e4e4e43eff1b2b847ea70b6c6c23905d6fb2fbccd944251087ac00c35c2eedba30641797d36ef9d3cb1afc0e3e8930f5b605a847ee77106995bd44047294d04350194369c5a7bf246d1108e1d18d9a638be0c051f695ce86579db613cd8922e86c683c91800b9a34fe6339e0dd79472daa662f78f04f0151a3acd18f11faa4e1216222843b521fb998c8490ab8bab27fde36395b456501307d07b484b453b189fa339282a634af30fea99c9af8f877e61871fe743238b2cee6cb69dbd17d574b5106ebe4b0fde4ef42fab469a5ba7d62c23b67d857f1af6ac981c320db70cdbb6be41bbca60bb7a159ee1c85cb82e0a220064359c06c660b75de6b49839eea68c80283b75d9d627aa4500c0c0f21edafe4a2cf7ee079d5310479da06ba58b142614fe69cb236c51447d63db31cdff91485b46325c26d40dc6d608d46a5e2fb01df06064a022ddf6d5cce0147d5b2a5aba5f9fadc5e778010a924e00a13e21daeea2cd330f45536ef4f42c2e77be00bb53b3f9a93d3eb327dbf30baccee5d26849cfad654ff3ef2b035b78dd3ef42de3302e5514551a968a205b823dffb040ac9452ae3efb43219b02436d0761ca11470405510e534d56caeaacc40eaf9c47a39475adad266f5ddc813e71223800dd46fa7c02b078353f870049806ed7ba57b40b7c3c6272296667500c4b97dd2d7026698b6bc4985bc01be99e0097013a2632c71740888ffaf902a02bf644b38cf9a42528880d9dd142de967cc2ad3e1f1737f0cb8dc5c59c252496e8cfe4e53c82f4a28d9ba2bfa62b6415ba3e5e09040d7f3e3abfeba53e46575e8817ac5eca806ec8a84c7cf77c9fa86c9dd2940f5b96b25a92d4a8f894d4717c8f80a62a35a51d8511f1e822fd79e6fc27cc3f3097d9e3272447de6f223971657ded9e660ee4f8836359742ce7616fd0ca2de6656c71b212b34b8edc71ff36bc84ac4af58eb1adcba4b2c0cb31468dbd2c2b7ee6752981ee1d152c4e4a9b25b2ce87796820def34b662381806d2e4fc77f0b69d7a87de43d94d62a6a6526a7f8c588392890e96f9c51bb58b4f438eb5d197477ce9b160d1c898c89ab408b3c1d648be93b531a5bb4988592c5a8999ae3acbe586d947fe6dd507cddb92dff4974ae17ab99aad5aec9d07b96bd29489876f51afa67570e86b69321d9e565d86001514638403f86666dbf93f18e0a62bf65db333bb85a3ae12d8411aa3c2a423a29bacbbfeebb8a5bafd90436bfded16f992232360211086a3084d9fd1980dd96631820a2cf25c3ac5c19d164cf5ab9a852399491962100ca4fd640146b7ea5460b4fb9e46bf8d23d508a4eeb8a3e9fad8249ece3648c2ec7705a7414eb8e8d602549204cb437f589161fe40de1447d14efa4d738b775d0333526c845cef5ffcbaf5c957df1d8022176b56eeb198e7ad2dfc3d7ea46b125ed432cd04c77efc011a2dad8573345080d7c3cdf5cc160fbc86c4ee1959ee1b8258056b0f3d9343c22dbb2f7858c5f162f08cffdca1acc866aa68e5f1c00b74f66544e8a61e429335adf6f73e32fa87e48e1adf15bb6c7aeacc93713dbc31cdccc9b0e52f922842679494039c395cc1d95eb97ae4df3bb8aba9a2584d97a236f87cb22f00c0a078b045044a5c456e22b2b94a76a559de2672c880660f9785b76bcc2aaed780e05212415c6e73880ca110654ed155a1004af45d5f15ae8e5bfd4817440c5d3d5589eea2c6c344ca0d85d91460638b37f877ea4cbbed35ea75678ef2335a5922cc8541987cc256c8f58045028d33a1c4899cc32265c619ac782ff998a478996be6a0c5b102a664831b395a884f18e77885d860d6b236c52a8066d2ced25432bce79a31b23117f405ef4ebdf3517de98d288f8c3baf04b63b6817c46c14b646308e9f97170b7dbbf9d1a36480338d8eb7466df56feb6baef42cba75512954fd7e33961d247b7393726e46c6e94e156d5776a89ad3e288554470ca0bc4cf4d2d2b0c01ae4fcafcb65ccd6ead03df1d4d6577bb",
-	},
-	{
-		"228eabb5ad8b4ff13b10d13b27372bc2152dff149859ba47d9c89b741d4a5340d8fff5858a4576c55547007d7e2b3f94583ea8f0976237712bd2e5481c3988f5387e7ac2c3f18718388795b7b2d44b0a13f3faaa55311b800301c9203a511572cf8f349280bbabb9424070f415bbfe28aef8d20329ee842cef4d4c299e619b6ef1cf00718aab2accec9ac00155be2903b6fb07dfe98b0bd8d8580176b99ce4aa6be51cf59046c17ce1817d363fa63af5a241d48bcce064a438651af102ff9c6de4b86374fe24f1dfa66e16e51550dbb791af425d8fa601c70c1bb90e1a557bfe0dde730b0364eba9d2018ee751699ee219e13fa8874070935b29a1767e1d748bfbe796fe4b81a71e823605d39fa4b5b885f4610c34d1a090fa4106785e7a035a629958ad1b00cb9d36d171d575268efa1bef064fc0a6dfbae8e532466035a0c2cef96fe9f93b872f0cf804811e927b39818189412868fb104e2d56ae62f77031f0df1ae91aa11826991ca7b8af22f130a47a72cce36ddc319b32dffd294f2e192e490249ea1a6f8437173ce6392d16dda888a98bf685bc91b89b8ee1eabdfb1806fd61f018d1744fe8b03521de4bff86d4a811ca2ecd5be668e9c752a6c26aacc0cc9dd89d112785c25ca6a0a7a5267b4e37457c04a0626c8a29be30ec28ddacf47a84918bab164d07bdedae62132ab04a6f2c4e108eba9ab878caa4a1a7509521d427ad7f3dfa86fae8345dfb5e0d46ce3a94dec84f7880c7422468ea74fe0b4825b8c762b34d5d9b82ba96e0c7dcae01718ccac0044a87476ff031e3ee3c2c13f5f375a841d243c38cd9a354b6525527de1fe7e36a6e2ad95e5bbc4c97e85f8cdcd5341da777e03451838807d5dd2eb4fd15976783c140e21cfc2eb3e58e40c16374de0aecbe3e3d41c64417a472cba18762080a2348ec3f441bf229a932ea0ca7c816938655d0c81b14dfbf86aa600d0c68172fb0046ef51f601ec89309d43ad1eacd583f9d205bb1ff1a37a97b44b5e35be4945f52897eb2a74645b01a7f82054cda44e9fa9f9af9bad1a235155718713bacd08d354f3fdd95858db0040fb551e9f93ae399d5dc53a67e88bcd5a02d104dfd9d824cdd5fe262ed9266fc47b7e640f2c9d9c7a62c6d24b429fa55560aa254a824a0858482e771144d6d5b05539cf71d75bec3a22be75655e1ababec4dff9472a019f6220067374dd49252282e4945a407084633ef9c88d14833bd95335107d36afdf56a642cb739bf0a61ed53a6915baed78e9d74166ebc492b517c7c594fe6564550bb7108f43012551e65fbafc0a9874e46fb64b5b7aee0082a5d617a43b8bf9473309c6761aebc7f13b72ed460b522a6b0875b67353c705f99d1d9dc899870fcc90c632aba1fa9ced6d7a2368dc4dd3d4b38a5807415e00de6b9ea70525a6c1b67d04521efeeefc6c591fc5256d990a1123522864a029430bb7ea00dd80d283fdd6d61cc5b509221e28f73386803d97a38fb0182fd95b3b91353c6eb60ef2b3d5c8c0ab8dc9cd9be2b4cf69450d00e88cb0f0bc9a4be82b71148a37237ceaf945ab94c365625f58171eb15c1bb244a87335550d813d28f241a3296520046e65aff3291555786d7c871ec8a2d10d4b44429041c3cd6ab60f0def742de3d28393c5aca92b150697ac15504ee66d8a2aa01a6c63d7c719d6d4f94af2ed1d8670e3231a0e481095e425e6231c43ad36e3b7a3478f6a61563f5aa13237beb8a891dbb29013c325f7f91c1b055fb83c436fdf8aef49ec457946e6ab7e955427373fd9c743acfd4b9609569b591ec79c7ea7276de103a35a4a8a05c91f59e04689ba1ddd570b18ed046f785d7e4ff9fce7115ac814fe126f781828877208ddfbb2ebc919e6d1f6eb417f38bfbf22ac9633f75e58e560b85d88d0e4fad9b2e68c9ebf9675819d50c30c8982bbbc2f41e02690390bf0e16979b24e648bf15b18800aaef58c3c465f38cfd1e47bf1266c17b69523b7868d2138cb95c4bce0dd3ceb7c2267b868b6e12888d5a489fc0091b295b56a1c328b54fe1119aaf1e6d7dd52fa450b52fbfc8b84c2200ebe209060b655cad288562786673121691809366af37b76567762d1fc24f1fad3128b43c8d10e9b6954b2efcbe40124fc0a5b670dd6dd544e30263a551825282aa06be3817a8eeacf31ca8b25cba011d60b78d3d2462810764e4acb566ff371005f5481c9d36c991527143af2c44cc8cfc59c920bb4a281f2ed4d494d30ba4d900edf59e23be2f763072255cb6f1e8b24ab1d305fbfb2429cff8bda303617c034e71a17230d0e860420dbcf9fea4ab48557e4d50797179496936ec6c97686fe6d9115809e14069244d251d4bc9c8931e47e06ec051e709ba1df526b55d959b37a6f3408833aaac80cfc9cb99915eb7d83e26998f0da2492b986fe0f5047b2cab6e6d33a117df21e6a8ec7f394a3712885dab176a4d6095e5cf75dbd3f0077e5e74b1ff8b902072380cf172562884de852ff5f07c55856224fb3df8eb44764ab9284944b86ab6f176a863cdd0e7ab5616a14692f6cbf41bc63113b27689fc2fb145736aaf2a5b26d2bef3a2a59ef8bb3f3e4d360a4251d0736482e9ed7e189fc48c0973b6649988228c2ac72b23826a61cfa06b11f13c8555be6e433d87e20113eb74c94f0e51719a7b38c59eba300089d06b9bc2a72017668e5aa3153ca4282718f1762642e7c1be1f865cd9b65c6387c8fe496f1e60d5acbb78c2f71cea1f35dc955b1e7d1cdc9ca339765995d9e05dd729cdf58aa2a1451b633c374e5b6c2af1c8486ee4250a875e80e1f359c15130eb1e2575c0c7badb2af61378527fa24347ebb12c10bbb36e3c94619556b2c641d0ebb691b2706cdd667f55b8fff8fb46e3ac72f3682661a4bac2391075ff5145eb07d69d77437adec2d096c1c89208ab3e7a9ea6a0ff4a5bc1846b3683bd7c6ec4520c3c95861a5856b0191e4221c9819c67273c66729728f6035e79c0dae8842df4c0c27ada1ad18b34efcd55b94ef120762e87e8c5afdec80d5788e83f0d1533cdd7aea8f27f33266e007b274f6d48c59bcfad607e8b298be2b17322be88558c60033452826778f167f318b660607bfb2f285cadb385399636acb8f5350d819511b5e7931c5f8483529d3ab3fdb5ae2dde0ada918f1327c6c0dfbbf5ed3c8afef171910dd0169022b3cad5b08084dd5e8eb8ef1ecb17e48bf69f80e3db0ae1cc7b73d94b89696e3c3443ecb4c7ca12568201744d1858d90ff759f2d264d49edf47772bd0e0990c14dcf8c8a4c2dafa44dc6e92f4c66b03bdc4f68f28ca2d0811a433e184cced99a8e5614ca83c46ec18b47e0c7ae91037ae06c6d6d0f3dee19711c21cddafb5869416d23c5219296acda7774891877f3f8d46155d39f43ed10500ede3afa26943b83b800b54a9752250ec6ae173e920002f365d692a9b3a2f9b27124ac97b8e81b70e8c0bb7022d07ee97e962810962b03fc019695b5399f77aab414327cfc5dedd51e99453179c42ae85a42f8e06e0cec6f937224dd019c77c5a0ba32ad08107216a9c758138b730bd5b5f4b613f192839514a8621634d9dbd5840e728c1ef4a2c8bbfadc376dd80d13dcb327ce55ab536a43b570789f5c5e135ac0af79b54232613d0e989ae695aeb358c671ae71d508b58a793e19c58c3d204cdc9a021ecc634bcb0bd6a1917554ea3bd688adab8163260a914fc01d7ce05a497a5c5836cf9401cb6aa35cd008470bdecfb97a511c905badd01bbb4d0c05867661debd2162beeccd52399d5a70a929405293916f33ed0d03f8b850f4bdd77b1fb6283118d71de629577383c81cad086f4099ce7476cb787f73c96431a0df4156f7826fce9045f7e7c97bbfd618b845595203cdc8df4638430fac74a07bc5f773486731d8ad29c06695704cbe2882077a85d543551b7ba81b181ccb93d2b3071b1a38f3c762b42df8246aa64cecbdc772830ac79e766fa99e8c65225f28297a32526df9b51227bd368253737f013ae18435a912bc18cc4a95216ce449865e8bd8bc759dce9d4af52f9e789eafa37023e91946952202dfb7243cab7db2f9f98bb66f19750c547a2bf2e2ba92862ab66f33fcf465ffc41d23f0b891a3b28b3f68ea48dde6ad4802902abd22b0d7d9101bd61471c5d88ee9d9477b7cf9f6ac52e0f520c79278da22938745446f1e647ae478ecba416b941aa31f979d0633efe72910bebb8988de1d0013616f31c5da163eb6c07022649ac57422627a5642618f53103adc9918f9992c5b085e10d2744f9934bfbb994a710d6cd387c325e94278f97d5582864f1bb29a1400aaf674ea8fb99a3b42e4ac50418fd804a5b1471eaac4642d4aa338fd3d5d0dd84372b2c32c5cfe7f319acf731a9787b048cedee3833300dde639cb1386c8fbca4bae8d67fb7bd72d1696a0212e27e166e6b04a79e34b47c98502ed0bdbd8d61777537f72df569fe5ed30071b57e8724e98ccb88c07f0458cf32298cefb6ed672b255e581ac756789b57e950d57174bffd3f47bdbe4b168e7e3f1a6df508d4202d327947facfbf9526a9e5fc1a5abb179902d4584deae6cb2900391e080d3f3540b87c3a873ccfaee5b4aaff0e6516a867ea00b4d5e680fee6b91defc65c240614a1409bdd0f49c2c4f3c1d258d77abfc17a749660f49547adb236730e5a7a22fbbabdd8ca079a8efa5b605332db12f455868ab67a1ffd27d1339bdf8d150189cfbf6199c6fc27c05788138a63267eb8ac086e27286b4ef99ee9d92cfedab5ce9916675f128f206a1733f47a597232067aa12da20c7b9cab6575d7634f8c31e9a29948b528681f3f9c13b9f585ebfbff8c28a299a43e4409b31b6c02a79eeb493734fe5f9c1d9e3830572eb54229b5cf525768f695acff48c76b4a6e0936b7406ab69f06d33d3f04946db9d7966ea6e8c50ede5abadda28149edef5223a6938d5c32933070d234043feddbd65c81be218f9d7c497a1ecac30bb9162e60a9bbbcdb4fec4b212050610e2b376aadf58b3c9207860d2650d0310ae6606a8f1b266b6a13b68c3306ed413224abdf19371bac3ea1b964f28996fc70f666ff118c6a7c9f2108d327f5145919c03832f754de35f5979ae72130e39126499037d6fbb3751cbb4843b05d9dc91dd5fc1429da491f72e3069313ea243933b47109af247fcbe0c70f9024ac5a41815655ab309fcaa282d03596ba59cfee0e40f7bd657689453e98d562442fa4c585f970b6983a581b0b8eb1c5e780b3f5c1abb326213c6b5fd440c2187066ddf55f4eabf88804139392c45979440c6f05b7222bd95e963832d7fa4a4760273cc075e8b8feeccb917e8feaf7d3f766d9ae880487e69bc01872ba62b91b8af5dbffdd93fdc95e8f47ed793fc070a5991f2e9ea61439662dab218f643c1959171937aa160008a548f51f87b58f2c4fae5aed556f26bb9cd1dc2b3518458e2f5ec5d974c6e11a0ed639958cc8c1db771cc8cc8bee8727bf6452f47c9782acf548856a0e67841c3dbdb1c98572a4fc8e6cc8195a504019b4930d302a90dc20d8628ae6c90e0206cbb3d05025744db4e115cd3b650e5519a1624acbf226ebca8875b05183b2584e65289f8b9cec3f7d010cb9671a0e80bb70ca8763f1722d79e8decb6b9023baf64b5981e745c06546cc1e",
-		"ade72c2ea29cf829ffe99c2d63840b2eef9b51a9919c02128347d2e88e9f063b86326928cf6252ce4beefbae7206dc61a22d0b33c90d464d551835e3b73c1e3d6e88663deab80c35a607e4180ec079b0ee84e3b7922904e7423acaf976e837",
-		"43348cf32211d7daa300de8a4218543c8e3c7373ad10950765c39760f80b733c",
-		"e4709d225a552e90fb357413",
-		"562050bfb40451f27b1181c389508550a0f46b53d14ca73143da9dae3d3d2b466e9618db39e3219675d2b6eadded7dd9c741d7c9bf3c5619a521189607acbcf6b3964d469d966fa134444aa06d80749c873f0f976e0c5efc5be8d00a2729f03eda6a7b8630575df8b3a19388ff88daf0d00bb3e7c35a525ded90a4511ce815fe6c8904406cf72d7bfa14ca533566f7b54268835285c5402e22a63f98b5d90c86dae0a76d65eacc1ba85b3f5a1499d5f3432dd5455fab9e8bfbd266e99283c2bddf9b556410956b2f061603d1fc91194766f90da841699ba7da3d53ed5abdd8e98034f8fe734446d92b458a731aa4c578552ec1ac5d1baaccc4153a67b48a290602d5f955d61a08436b27cfb0786a80afef76e1266310a42d90feeb3bcc40ae5c4506432dcc92f7e5758ceaf277255401f5c5f4b10df93a249e38edd9effe7bacdf7fecc451d3b2cea77c9bab0403450c41929775b8c0ace46f6928f4d9cf3adf86832d298ea32b236d3201464e2ff506ef01da0e1e389e26e2b3ddc553b369b48d1aa5dd43edd5cab065e276aeff72a4c43206063fc7eea3bcc783ba2221f5b615a7a43a75cecda6bca5aa159e9208bf66af61e2e465c2daee630c4c62077ea6ef0e8b4b4e272d4e93a5f5284f9da463e1a60f815a8a31698ecdc09dff2b62f00e37aea5fd4b07a110cef27e12466c1814d3b10017cb9b8e12f2f38f10cbe31296de2570d5662b16639fcdc05db81e0d48178d055ef873501148d00903ec771400fa4873c5579dc3265028f531538f6dab1e5607a15c8b90cbfa4835107cba6f453bbdc71d08c7e423f58b44be38a9c8a610469f2551ee6177edf639cde35fe8e02f76b7ed106d691a876a4fda3b42d8ace3e0d3d4e026206c5d7d4d56fdda9dcd30fd7b74217fab3c617903f1aeffb8363443ed128af94c391810e327704d6f655e57dece97658d41e074029823850ddf7c5937af41c64465046d8544bba65c691ac69121bd272107f7eef8cfdb6a25da5da16d1033cede09129d51f6abfe63905a6fba9a64d7832fa35825447150595a60163af848eea878fb31a5fb97b1859efbfcc8586eebce8cfe64386461a9b88aa5efc1db43c64dfd5d4a45aa74803fd178f9e16a3f59acfb6e13a564d645cedd73890d0a82fb6dffeef527694a7cf2a89aed9750c3675a67505bff77de8d046087bd39a85c90aedb085e99baf04c7e3bf92e350b332da1b8af85550a00d68904ca426da61add864496d6ff442bb0b848e9aa463bb0c2085cff1a83a47d6f702bd184cfb5c139752754c8978d27b58d364bd88722b9097ee3a6ae28eabb14ca7c31e40461101e92448dbbc63b55cfe56efd078d0058c5e6146c73bcd949c4b3ec9f881b9a5f7b41ca83301261e0c674f2d35d96761baa00ce0675c082bf73dc52dc726a3e605067569a372d2bb47fc8fe1e74f00078ce6f352a6d9d97fd2834670ba3a45aa6751eafc7ed6694e1e07542860c8ea516f296ee901a3ee16b00b40419c74bf6db12c7230325e85a918f412bc2f6469c1a13a5aa77f028e327749efd05b91053f49d9f1edf49aa552c58c68257233a168db60ac55b4086ddaea275b078869cda7b69493c4b371b4e9c8361357a7ac7d3d3bbb464c960addfa8df2b208b21b090d540c440241598212d33273203d484e0930e22469c2a8e866579a4a2b3db8f8344dbf8baa1b97be0c4d976f6aaf14cc09ec52630139b894b2b6f4dad3a205a7b286253f1522b1d6e43bfa37beaf06f831c6f0945cefb2593b9b298da13b0d910582086c5d7e256ed4067bfb476dbe01bcddb437d46ba716d6ace2ff9912c8e460ad33ab3d8f97b7b08dd4ba9e01968d1949ff85b4b9d5b8da291fc0f90ab1eab1d246f67d76092b7a37528ceb388dd76f8a8f0aabb7490f02a2c8bc6498cb26350d859c466dd611bf0ceb81a8b7899c67742c22697ccee21c4963acb003d15c1a2078112bab05595917584e417db3872a0ff0a29138bbca7314449b19827525340370d7e48fdf9f7c6b4a280e78d00775a291081a5e78e7a00ff915015dd5af5f0a45690baba8b1b503bf85f326c23136f4424be4a559aed03fbc81400ac27a33dadb2155d1704950d98043dcd86df1eee78f3f266c4d14deb8126708f74b59aa15e8b497c6a52924a473f999aaf0abd3d148fee8503a1568efec7bfb0bd463402f563e4019cc9c9e1eb498aa54dcb659f43b86df0a34de4e51ec558bbbade3d69511d3fea2baf44f67e85ada7398d7f72ecadcd9e981f82b0743ed74bd33088ba4cbc85b0c99dc5382c599706dd2d51aa9f470c25a98e7e8248dec216a155495630662bf6ba0b7a4baa2cdad30e9ce3e1a65e3c23d69d5f946606ee8504dd70830aa5a8ddd84f10e064695469727d2efeb46186c9d3b7a170057636f05b9ec4c2de7d935fba504a1e7eddf7a5a95226b253b0b9eccec976ca3c57599850db40c27a51ae755c1f30d392467cb74e5c8235861d11d0f8461b0e1d84f5718d64ea92da62f4de184a6499dba473e82b3d197305de0e494f118a263237c7b4c0652327977edb427ccded35552c00a5804b9557ccf2bca2484d9da2c33f6c1bbf2c666ea10b4644a21e3905e5c4eb417ac3572e783428d23dd7222e75c356b99e8183d033034e29e618c90e66ec2f1e9fca47d82c1cffda8ad14c96045159d9437e91ecef41d24cff89009ff57e18c1a422860aa9cd31dd2a85b07422c72a5decc614a9742e62a4988f394421b6918e51c2412d749bb53b1e8fed7b2ef0873ffe14fa77bc366bbd5fa1432be465f5e25266c6c12b55df1f19b1a491acfc5c9019f122c422243d751d8eaa8ff721397915171556e999b34425f7d3ad6f6c3323b8133b4618c65ac16cb5941edc979472734bdccafc73c08939c0b1e306ae3015faa9cfa09ed6560269a1dc54c2c046a12a178144f4381f7b6fd3fd2d28f778d444d9f7a0dae00ea96c6969b78ef326a962d23275f1518f0e6a2469440612f3710b53538fe99a6179471be8c5b2d682ab3e9a5126e41ed6de000cd9e92fec3974e0f4cb2d2245d03d6ee80d6a793b16efa829d75c796f34d4e918250f457703559bb48ff78f0896be1bda403b7f1fd6a319d68478ff70d88238f2b8afc7d20e51757bb9db3bffb35a8040fc0db913c4f03d48619af7fd24cb8986b3e139058be3cc253b3de9b3bb3f8dab7b8818638279b2e6a0c29cfe16fa7250d3c74362ffa07e2977cf562140fe28afba8f61d81f7c73bdd4a2faddb00752bb049d0a57d05c6475c7387e6716ee31974169930c9fd830cef138659cf56f2212de185186c3d683fc6b7fd36e7821f69d0de041a569765066dc4a1934870a7b80f174e8f9e484942e62404a42b21658467873865ef94fc262c231527f39e82dfec91215947b99567daf75c6a28073ee4e67d4307e4b35b46f85433abd9812f35438b34598ff3b6dbd60b60747ad64565391df45ac80b272d0141702ab807fa27c6a6ba2f42c3facfae0c773940cb2943bb1353b41298258bc0d07542b69483e17ab9ce709e4160b80a0968dae9af8fc7c0324c753ca4a11a6df32dfa79a87b445c988154bb3c503e6884cf6d8f5e062a16b4ff230fbda109a6127d35e3bf2b29bfd3b18ba275af773b1981d603300035e046ef023d51874aa105d136bfcc9c7323bd0513a6b2b397ffea71afb7a8d4695411d86164917099eef504f6cff3c5cefb88f23f56c4ae3e2b09a3f353fa55630f45f06c29e8912e8c3c4f493f25eda781680585580595bba43dca9cfd400d9eaf5081d2c6697da59e012dfd0b875336b88fe16609c2e9876737b9afb868ed52417ed0c6b359d582d585ff82d98edd4e63c6b65cf43d4f69eee2af4819157b8a433966953862d1ff2c6d0cba382644a1b0033ddb7be3d1fa9a204042d7b821b293bd659dca980c108ad1db740800b9bd2fc1a163f9b4066f7604f160a7910bd947cb48ce6c81e680fc6571ff0cd12a3ded9c8cd560970ca5cb480a70a8322d5072edcd257604eba8dcf55f9ec97ea2b14fdcc72fbf615131836fb14e42b8d7171d0a06d2fb3caec2e0759e86b0d8f21e312d9211ed7fe0b48669934ffb892baf1db9aa457c07820723e5446420334bf6479f2099e01ef8adf273adfdd9ed0b741931284515d69c211cc2efead8339e450b13be71b35c36c1f00c2b8ed0cfa9792e422912e14b5b1455ef6abdbbec0035480c6cb69d21321d12ee19d528dd48f43b142cf0502eae5304ce52b7fb827552db9ab885b93e83d56a33346135aef11b7e48efca7cd52e2499a7edab0bd0562862187ff4599b2446bff11c37181092fbb05d0e05220ca6bc37f529d6599e8c29acb9f25616c27df291d4fb07430188e6470df7002f73cfe5fe6907dab0b4f90bb58130fe90241c29c6063a22c9f45d032b282eb92c93736692bd5cbde2a17552e942b595b08e6ba0c91a03b9079e9117fbba8f26ce6c5d0500c69bb6e22e3562a50baece49109c2d42b6714250665afd0f0a7e951182012f21aef4b917cd434d9ca22661437608e32666497516be34652500def6c28ef8f56f2273de5416142ce9606faf7df92ab779ed6aa74cb99bb1bfe758ffd344e1d31f479807326d1a7b98f6811e275545d69198707b0fbf027dc6a5e4815d62ef191535569a452c27c4e25ecf139df949d70dd5935bddc04f33b2f0bcf5073c51fc51c15067963a20569b5659f0e7413b347d6d5ee38a92b7e6e656c199149f07ebafe5281db6b1b2ecd9e0384b6f5a8e27ecea9a0249c61b16564964054f5f9621471a98de132e102f518c1419829e2ae2c8c5fffd1270f0a0b33a383437b0034783d50bce8bd7420c059d16364eecbd55b6ac8df8a70382734d8127f4f5895cc9e508b13c000ea053ab59b87ee639745418ffc566ceebad37a17b842d24d3423ac3f086142c622eceaadc4106f8c90c5dae1f52f407fa0bf1e6bf9385cbcbf3b61006ea3b1e66b693ce704577ca9598587f41e05d36d1de424e0e51290a5f2e2f99f1960c0253a046a49b19eef249ca2dda2af1e8dd78411088eff1e9c23c31bd20abd4fc9e7eab19500827d202f76270fe9f90e95309516343e0fca48e5a12182e91c78ebf2cdd4644629afdc90bbccb77546cd765135910ba1cd8a3e3c00fa77e585865e898bfecd06c01a0a4d7be483801099c61941c4967154af5620b171b426cf229df59d2944ba50754140c3f305c16956953be376fe6e7cf31a2e9c276bb09cc24c4b86b2b26f039b0d8511853adcb7feb8502e7641a34e3242bf2c538006bb1983345ec3cacbf219ef10efc1681d52e6e1b1c60bb556b6b8a63d1d1f6869077841d1b816f3165a35833e33d39a8c6e62a2f7c482c395768fc6a0e3cbfc7a1a6d64da53adad66c8016f76eaa73df1b8ef83012ecbe75c92a8e39b48169433f951a539b28a034d5fdd00639a5e3e17ef14dafe869064d130c90c68be4d5ceddabed1bc94e97e2cdf7313f780cd6e175a9e3eba3eaed896fe464073fcf07ae7b5bd41d58c3160f66ac95a76fdaa7a8cbaebb304fe3c8f03cef927a1182ac2281c3b32378813b24bb99e42cb0774331ad78b74d46b8ce48bbf4ef8431a82d4240edfd61b910c38570ba0bfbd4a41665117e6d5f5a97908462e62d0b76160d06aa56cc6e17aaf4607ba8263648f2a0077e306c25486f5f39a75",
-	},
-	{
-		"2f6210063cb3071b3d49339185c2cef8357b08ca826d8d1acd852540c16540f1c850f70404fe1f414853d3cd15a1c64a1cce149e3ca1b80926de4ae8438ad90bdad010decf2f201782f3e49794aae1b079f54eb59607bebde508a528927e346d4e444b1d736b34f65e198df2c36fa23c64f1f1fbf8b0b8ddb85d054bdb39b8297d0347f16f7be7cd9474c058e36294485386434b36fb28ee582e393367f15ce5f5a3d6641fbd31b331f10b1554a05da726a0f35c9b1b4af3498426b17582966a266cce452900f85af1046f45a4ccedca6ce02607fb70fa45f420f66aa38cd4c9f8a30e21a3067b940aebdaaeb7c77824a79e2ba20f26e70346dd6de96942b261e5c08288c7fe1cd1e9f680a0bdf8c46497f007a616eea95ccc17463559f8973eb919c68017e25100d9d1a196ca65fb615502076bf0b0c8bcc70ef22006895ebfa2243fba0791bae0625b762cc1718d1673948264454a200c58122d5e9b8b1e3eb05df8b7eeb297510e0d7dcf7f0be5f29f6756e4b177f109891e6825a9866359e35b10d20da7231bb5a0ea34abd0264b377d2fe9f420f27d3e5aa2e8e00541c46052966ef9b989ae5974e2054409507b867f647aa057f7deb19ac6929f0856005aec6e53a5f702fe6be403afed532b73d38fed73e6e551987f182a1e20801e7a6c8ccd1184cf0fefb4139fa166ca15395902ac40e7fed8661602853682a3b0ee307dffb44d0ea3012142a2880cb7c166ba6ea6a16c7e0882808db8023068f060e5ef1432fdb8331ffad6a7078d686d47d613e94291f1c4117e7c13aee4030fcaf223fcefdb300ed606b5dd931e4adbf45dc437eeb5fbff337812e15c15f026071423f6ef5305c559baa2ecd8ecc7cd498b043740ff3673774855d45d45fa64591d5b4970600ec91ab1b6f39d7dc0e709c41e49c355bd3b9d120ffb57095fb127bafa971a086135b917285794e83e9dac5ce76fb1a4aa4fb6b94a0dc3a9beea64b8817ec1e2b37af9dbd18ec30f2b6f6c12df1db6896c6c43b67a066038f0c4f17142b254f62c4dd1fedb950d07047919e397d06d033cb0bab6b61aefa6dee01720926b16beb9e8bc947dca9b8143b565da85d2dec182987838b267de9047f5b0d961c7971aaf54ae2c1e4aad61ff123c84e41a4566b2bd9e64247cf46b72a444d36bdced1a309b464ee5f4afe406eb68eb05ae51b76bf01b906c0ffbdeb440b11f1c9e3a4c3a809a1f7449047b356c663a1ab7f286a70d16141d11f2d151a4f06d422ab97cab539c1f9da09ad20c000c27b8fead5f0cc37329d466fa260aea934c154dc9c0a065df3d057a0f117a1c38321ae59226a8054f7d6b49a3753436c249838b0924f0e861f5627106dd8d3f0fa724a1cecda71d4a1267ed889b234ae4a7d5edcbc5d52cba389dc0152aff24d224c6a0f16dbd3b7f242807bf4b51a3f22690bdeb66eaa59e8766b3b265d784899d247a0ae1b58a06dd91c529e3691b09f9d9f55fc39afd4a00b0fc668880ef25a46a30861fba8cfd4b51262eba4138b41a2d13ddc71128c8c1242e49a51d6f49879fcfa7595ba4a4adcad3670b0b1b26382f03ff402bc70150f54bf513ba3e9a590e41b269e55616af297ebb3499e16cc8e46c0810330a602955553c0f93d668a1181a0bfd7021ad9a9f68ce39493b012da70a3dda149d0369f23f788616e0272efa322b6a54d804f340d32c890e2eb7b538f48f4c9293b584d22d0ae80d321607644271b81a76ac5b49d8e457069b0c3e909b8a222e3fa6016cb1e979e300804742f2005c68acb7b1849c088b3714c9c7af54e9de9390df0041c87924c8fa6b0aec6b6754171e059cba0d27f221f0b9d044a3aed8338dd8745651981e4b0329376f908b86ae9022699d495bbe3a148f7eb73d56eacb2e5e2180f63fcbfa680369f88eefa71f1210bc5b6b7b957f0a1437476a2112998033197673e470dbe7d9d476c97b95db8b5136f6cccc75d6e0ac1e4ace30e34e64fcc4d7e135b2c80e863ed701d3b28c25e982f1b5f8c895a4e6df7216c3c07abf8551a0ba0469c88aa7a08c7b5218a03b9b91f0935985373f65aa56286ad0e7ef2288a926f172b098123c136455b3a0f04590839e16bade7b6434a3cf048abe2612684c03dafd9cec39af508e63f07ea881014697bc24122058b5ef5d3fae835216d055f0cdf1dc06a12c95041d13ac9e15f235d11747f16ffce1cc3b8f508da520e395edd471f3759d8879ba9c2558b1188d822fd4739ed0546b0ce3bb9988db7c1dc8518ebbc62c4440e6e0653f917dcc13aca1864b71dbb67dbe7117474c936414e4f3cfab1f13eb05f3504484ce11977ab21ec523f97ba1b7ecb8fe384b634c30561cdb752fc67a2316bfa7e4d03f5f825d24a556a0460d8cfe0cc54a6f117ac52d553a5d1bb48031732716436675c5c3996b1939b127c6b0338bfaa29c7467cac9a127e455a715c9ce2b0c35a0d2f83a3d1273ee39399e6cc4980e610c752bd51652b96bf9cf34c7fa41fc9b13f5d55007483e4082ddac4675baa7822fd257452411b01de0e5e5da26e17539d64a89dd93c71d15a4c95b1a83039cb2d5f3f7fa04a817e48dfcbfb3de34ecb47f7592123caf27e17982fbfc8597af5b8aa6558f4e6c73db69328e47677afbe6ef8df82c3d1f0db6a108b2279f61822908d7b856432c32ac5ec0f3c53befab2a7ca356b9c2636f646b228b0a830d348be4ece2271814d477d4c73c0fb6e83a338b90ec4ef45cb25f7e3d6a014a9e8d2e8a6f55a383291a57f15667a73ea1daca31c7182523ca85a107efa2518d2f7f179ed4ba21fed479ef2be09669817133b2384bd85b155dfc1c4c9e6dd9ceecf06cc1ab8ebf7f07aeaae7441468b5471aed93f248a84f44c59be33274b11f651de010ab9f8fb24d3a99914e0147951c34280e7dd15ec196f9a4c86e55e7d373c7e31e6672d1b3ac6a45fa6c8c9088c0b8963d89f4ff1feea3e85cf9cf2f6c97128afd845bb131c6f62b3282bbba42745080fd457f1d3322058f1bd4be876bd01269546d1a853310b165926c1fd4e07054deb5d3fbe8f6007711d435994005aba95918c3df4cd390b165fcd139dd418ebbf661b6de57b655698a8a02ca8fad73e8c536c7110957c36e5494a831d536eccb97a2a9ef58fe58e2885aad170720ffcc57c7de601ea1cf723577a30aad8fd544317e33897c8b6c04e5191bec391ab990e197f10038c0726d371677e4a54c28d7ca5c6046e7cc4acde565b91f7f72af6109a0614160d3ae97e9257b8f71a4663b00c681e793cbb478306e97b0e04711eae7722b4845dadf2fff5bbe71ff24acffea2ee67df99bf62a098ddae9d4ebd3bc5dff04a2d9e3d1d83e8f493db3f63c9e24231b1dbe1147c79f21b0730c842f6983330c5c17dd34556d7e932074cfbe98f2dab5b0ebfd778a1e28fe2bac2d942f61a08b787ebfcdeb3d600bb130ca4922a4ffd38ffc4a1a1a7218451e45da4da67ad81ef898ece3d54cef877cb9d09f5dcf72eccbbc06e62f1e2b4d64059b0a807329780b155ce1614b68de04387d6108ef4dd3ab54b9da72e528d6eac3e16a360ae3421f3f23808a8b5e8ec3dbefcbca3c9f76905850033d78d9283bba9272c475b4e3b4d7643e62c2cc259ebbf168f890de88e82f8b26a7654ee31fe055e45609c70ae02b4942ee15678cd158f4c9e8d351d102ddf7a942458c6125e1457bea0d86ca38cf0c26e474b2b5cca77eb57ad0867cad7d25efc2b250e79396637ea3e948dbb855029cc9b452955bd04ad5a0d0514d4d773c0f298df7bc235a3ac64383a1fbd8a397a158e936b3ba81895a51daa89f51e4ae7a71a53794ff715a42f4fc3dcc9fd56df7bea4ab782534d3760e7b15605fc4dad16911656983c0ab77bce9445bbeb1537c55fef57a32c8f1404306a0a2ca7b73348cd99d0f9948875531cbb0ef7c036cd201614c33293d746c44140e0e8f82421c5bdf2bf428b249597df949fafdb5ccfe1618323f56a6ab9abab9a84a3beb6696ca918af244d34cc1cd95bbca4a87c860a0fa9ff6a04a905b0338a53f230bd5ee9c60e0e0332ca200c15dca0be5936b858d0a7b2e540b8958432e9767396c55d5cc35b60062580023b5cb2f9a5e9a1feba59a19f9a5a251e9d0e8500955a5df21da95213ced2260a2ed8f3d4b295c36cef750c89cf21985c302d5cc577aab7855409a912dbcf1d0a9800df4aa692a78607a40fd6d5a82305c58fcb3d2a82b27e8c5b91681aae62a2bf31ed55c494dbdc38eba30e83c6044945df76705228eede8470369f2e9941ddcb2f239fb3ff6bfcdb0efb5ec50f981adf0e8b213769ffbbea364b08cf8cd69abbfa2a6fe9865cc48558134a57bb5526b9d047e14a379d246de82d3d64f3c810ede280c768dd8bee25af287d5a8d94045ddbf5981382bc716ad9aedfcd66e0ab496172a24efe80649db8e1e83675fc8451e22c6564d8d6dfb285af7fec802b35f19dd8308c68952a11770247fcfecc4ed0e8a445c17b1573f0b4e3ed350f13269ceb572943fc435563459d5044699f1542335b03be6077af156b8c5a6a9f71078ad820cec4642427a9b187ee1b17036d5a5e6108cee8a7d444342eaec3afa64e77c71d3c2b3153d4e2dbb30df2b66b4d14cc45d3a4eda7e911d697e5763e23ee05311a20626df55549b8533c6ebe79737abf472f9cff08bec590943bdeb819d3f923f45b81f9a0cba1f3f800a261842d10cb4cbdba456c7fe5f0abb4a8b58891d97cfd6b669e2708922f1934809d51a1589e5f12e3bb82c9ac3e7e44e3f6e6cd63d428da624fd2f46eec38ff798a90d228efe50c9b67c63796347c8a2b53478f27605999a03c8e1f18b70e92419f646a7f49670aa12d324751aec17d0208fc296955b3098241189af8172d39a6819415cafb107c1842b369f174d6f37dd31cd728dfd0ab10f93609006342b6e4d6ccbfd1ed2bea2fdf5411442b04b1fe218916f159b20242f80b535b4e0a3024c6eff6a40bd0d3db24e51f5ff9c14e1b4a650ca4170ee70f0a3a5a58349a7d0b7a63af86347351696870b95231f76d8c5c6a20736907726341dcbb76672871d18c2157c094b929fd29d34f5bcaacd82706f89a60000cd341d98eb830b73a12335b69f3e0131ded3ce12c98bbd960d2d0696d40696a13ab43925374498d868cd8f070c9039ea6407fc2d92b9c39fe7c935bbcfcc5c0980952fb7dac79042951f49a1af828b138a87401c4104bc28cdf1e39dbd3fa63dd4d5f5ae9d85f032a43ad353bc5e6746e5a76326ab1f4e79103116ce70bc0b459200f32f85e461291e347dda92e421778b849e37a3ecb0b31ec6818e828dd3148dc74313aba43cc9d8b9a36a9dc4e229488060eb6c109f8ad6201958adec6d3bb3b04e5e558a272d44cb98e18f7a0ad8fa6ac3667a62f150830aa930f6166baac6b9081b44304988fbe1698a5b746255de26bb5988aca90bb6523cad68a7572f615f4aa58f932d8a749615cf0a7724e99de042268ceb31433e6df0a61547d576a6201b36b348c028ded5f7e94d1cd2eafc141088ff42cb3dafbbe4c402b93aa9d955df8d9d9fb57c75ac65c2c837acc44bbd4d4aff1888aed46c73d625ad7fff035e8ca0fe411c73ed8135b6b8e17a039ec74e9de0d64cb442bf8a676c0a666f68f21066332cd921ae0ed766f0516a8e19b82cf98e78add0373737a3419e13aa902310c44feae5fdf8bc64e80dce772686a31f141bcce452041bf545b908ef4a2b000e7beaf378e2afdccbbcaa42e330e5024400cf2852d3444718",
-		"fd5008477b0855f6f2486fd4f74b9fb4f6e19726c6996bc66893183bd76054d5b05c1c2b64722256ba912ab2dcca66d2abfdf972966438fff7513acfb18ea461eac08c4e32aea4ed3fcf9f1c9905ee4402e7b6984bef974340d212f160b6524b76de99a98d3e96cc0d35e8a63ad7ea3cbea1d40a906c4dd03e5fc19e1513e9",
-		"390a5e75c9ff4ad38fb6205ff47f209294337c1f25ff54a3c01eee8e1e220257",
-		"8bf183347ec1ca4bceff3374",
-		"19fa2641519e21293094e9d767ee1237f9e0715dc57172794867c3bbe2cb647f9b28a8d3f85c0ff557b91bad66f5ea16e0107757b0277fdd3ca05bf47c19bcb92a958a57e8c142a51af29bddb20af84377b6db65f77494e0dc4d2634a776b3a5d777319873bc0dacbbd4b9ebccfae849fa7e9769cdf54660ecca0d5cf4fa5190713726d54d02b3a3f21857125b8a808c0ca2f99d11dc430ed5113ee49ff8f00bcc08f0370dd510e8100e1285659a7b2c7457a6049f2af7786c4db1471ce5bd164e11c7a2165e83e03a135ae2b3429f82f677de044a067e99e0bda2d65a7270d629c00e1d528212d3aeb2896e58ee5145a93ed06a9c00705ad5c5988d3a192304c1d17661d45257c5d16799ef70771964435b12e3b2ee9d5b467c3b1992f45b7a59871b40d8daa1c280747ecb3d170257b91df1f549ce6d66455b5b6f60b7c6e95c92a67e20cffe8599ceb183de53f1dedfe19bae836447af8e053ba419660e0912cad064d6125b9e978e8d0d5f28f8a4e43ca3cdf2d4c0e9a11221d8184e9eb6c90761b0beac82d0d22793279aedb1c7db3632adbee323bc3bbde4801152694831abf5676979af26af7dcbadfba1cad1306b635840cbca76c558b37db0803b4c12befa27d16f21506b07ade4a838d6beba1816eb29ed5e3c4f132a752fc747bd9ba879156e87e6c1584e911da9f796e1fa4a055e427272559e4bd6d0f54b8257100f8a55d84c27b702bb1fe2f995425c85fd48b0a0610db5b39f7a5031407a12dae9f508b21b1378f14952d1beb2dea81d016b2d9b7f1a67b814569b69c0e619adea02a8683242d63a11d3317d060e5b4d85df5ad73127541ba5314715d187990735aa81f438f8b94070ec506ba536274d98b766c1694e54367891a602b99e370425b47a70b819277a249fa429c5bbd0530267f987e6022f25030c30f3baeedc0d13c95f3d5e4b2b87465d179a3a23b9f9e76a42ceea55226ce072f9488392f40621289124d786109d2498e74fb37e2ef466fe8bf3016d96e34204c32978775765aa80461cac48518157f86d59f6187bad4ee62fba1ddbe166b29452f4a59af1e057300c353440644a8e40ae8171ea028be2fa315804abf518847c7945e8228b7766cfdb08d3a3116b59aab8e94b6d8c8c9ef442c2dc7f923bc2cd3e5c663baca7dded976bf191fe36da16948c89c385fe71434f4aa5dd15fe0e925d2459e3b068b9d82a9cc8b8f9786bd9f5fef9baaaf2d67027d9bfd58bb2c58ec7c746b747ab62f9242e4b53ed14d6fc75f5280eca0de23717c97a2293826e19cc8eb47f946421516c349dc4ba49225b91e4e868874bdebd373700df1f3792aaa140597e58b88f90e163397dbad3941705b53d754e3e0c9003df836a7fb8d23f40362fcb5f3947a4281b24240be4ee89aa8e917b194f94345eeca224df0adc15f22a617b6427f29410bc48ea3f92216163785723efc36301d23ed52780c6fd7924bcfaa03269b13582b7c7ea9c0e4a451f38a469fbdb585dcb7c81452da77945ebe27eb26ff6e8c7b2decea289aac5af74746dc257c9bea44a0847f02c4f586e1d76f39d5bf952355a0875f177a666d1d354ad86ce5ec0aba2c2b20cab050eaffd31095395132f5af80a2d2d53b77bda49f948bbb37bdf31c8a690476488e14e542ff6841e7fbfc2eb84795696562d079dc1612274b6dff362567084f793f0bc2dd8de23392d05aeeeeac6991c9f74387153a4b7da94790375e336a00c8293bad0fcef2dd1880e7094e2e53f738247c860780ebe308410ca02ae409ae720e841f48c9677acc6e7d4ccd18c219c400f8b7e1257f692e09eaef96802b17a1cb7d93eb81d3bfcbc7af4cdf05b98e22556b3d1a8b56d6d83bb5f5724696f8f329839dbe477483ec3c09fa2e0628faeba1bf285c224bea3f6cdc7bbd768133c6ef1da14f248cc3b819b196588811b073a7291817bd1e89c65760435d8d17cbf9423744a92143e0f956e2977b39c54fdead5a57f3a04a0facca01bbf44d3b1fb9c4fa83ae1046985e3f26aa0a437999004dd8adc04c5111759849f919b93558dbc559173a23b069b59f800096d9fcf077c7640f59170bb9a6fffe64778bac272365d27ea62aa956559e90edd3f6393cc8775597bcf7d91990ab9511973d948324a27261059e93f4b5dd2f70caf12e1a08e0493cb05588618764391f355379578cf94dd33e616136eea997ec11c0d4ff064ff51a767e5558433a2e3a9a74c232d8e187f47b8cca010709eb9fea0dac8f1ea53bf18822e154ecd929c83b0eac366e30fffbd5ba6a46d734f58d26e7f5df538e18b3d827884aa857a680823131bcf30a76f1a555bcabb17b02b53aefad96fe76f7312da69719434c580d3ff1bcdcd594e6375935003d5d732cc577e11ea2abb1d04259f50aed4c3af9866e8c4a52a09809046ee330f05c4403acbc297a9416c5208fadb31ed4eb7a3b01b87bf08c75cf44c2b0df84df30872d021d6567ea649859268e5e1b5b6405e1b41e350a32c1af13722959c17c01b52c42241313b26b25995a1c89a53e248488724d280647226195746901929501df36d1e94815d7fe6c4ca2731f3181293217f71b9d7f59c2474856972013924ae4796db4cbd22d8905a6043c959941ca6b556c53d1688c439036c715d33a47a7dfc2fe40e53424c5093020d2e85e4b04aa4c704ea5bfe5a2384878da38319c59d41d66b6add2a443d9ea11edd8d18fa41004251653857733b388b453943eb33df93dcd5d549757fa2967ef0f9a5105836c48826c47fcccb2d9bc349032b286962136b848632bdcf186a08cbeaa52d195efcfc3a440bac154971d11ff4994f293b14fb8c3214ebe7ab8b3d0f2fe0b03ed7b145fafd7730a173e3cc1847f0cdf2cf629f5ea81a07bef716b1a67dd9e3b7a52fea1aaa7a393f53b5bdb5988df78a57a9dad19a8253316835acab8a6b9a9fb42d97bf29b2443322f46de386fd82bd3453ed68e2370c6eac4497b1bde7b42d569c452f377bd38bd50fa5a6792ef5c9ec6c647001149b86fedb3e2f18d4271e9cc4801aa16ecddb31b6a795fecabc613bfbc8e4f5636d71e74595c841fd11b6a6bc7f169317c1added56b82a71fc36d774bb4d661685363e9da5fd2e1f357006dc5b5bbf8b42ee3f869e75a541586fba558a8f490d641b78c27368b9b4c2db046354e9358ae9140e91cd95ebeffc6c0d2676a3ff4ab10d463bf32bed97023a80a79df191ab9858c43537a03072a17c30b1bd99efbd361590ed6b7d5b0ec4e2326fa35904ab9a48596f44491cbbc0112890f9386ed04dec30126be359a05e99b2b77fa2c8f6b7460a6cd590d71c73b2a1b23312ff89306b6e41c76ddc0a099bfa79498e36ae5cf0c560b8854dff32d2b690ce0ac4aabfa723ac6f2e97ad1083235196b464ad67fdd649aec01695d55c8b4bb198f30630ca635aa5a1915f3718341bcfd8b522f764015fa5479004d28eceea7fe67df7ee24a97a9708d528b89589f1899f13242a0d00f7464c3cdfce213699340e754533b934f4a8410224e111f31cf8e54d7b5e90cd8c68bf96edbc8d183894deefdf4fcc1a83162a3f6341dcd9a9aecf171c0df28257a68b1af1b67c54c43c3cff27fed89cc64bc46e23a49ec74a9efbab7981d9f0a018247441e4f0f5b5f68ba9325582f92de4cca4a5f878a0c5c387581e64324e3246d8f3205c838a29f1abeea24446e496421f0e742d411adb55f70272ae4a992e825a3d327e44b8b3762b25aa451d07eb4eac0322b431fa676462632daba2aba7bdeee1b438f051d21d4b1897e2ac2f95ee7c23f9996a805de8fffb3b30b855cd6c5b84c011accf4bf94d304d944079f04b5cadf8fcd6751c22a0f9165ab98998b2d89e6514641f1f3b91b8c0bf057d69c3d893fc4e041e06a2229e2ee58082ffb58cb920972ede58483287d0ace94c1becef26a410b93e4ff402e61dcc574b790d49679f18f4e2004f8b7cc357faba34a80e56821bb5b883d1a8b49c6605002152f270bbc36bc79095644e29ab08cc988deda765d67e4fff12b726d5de135ff9d0cbd9d5f9d440e548836633b93a38330d638468b59a32642da3375cdf70b062d14b46a78569c24a706e179baa2058dcae5c61fb6cadd9e015b017f26e9dbe3e6366cf5f1ec839aa3bbb21dd6c9b8e910245fa95b09b7d6cbf08a4c6c84bef257a70389be962dad14d97a893c128b73bf6580689e540d004f21edf8403f36b1ad7c9a2e83ffceb141af59700c316c8c1e3347187f24819c2ff0c9f9a2360dce354f3374374eab1643d2d8831310a8e3ca6768200ea7759822b82f7027cd450479fcc7f6d04802b15735a137ad489f1e1ee78434a253a9dd16684ad58fc91960cde6754f82e8b38edd5e798fdbbbf8fc2e2380a4e21dd94f8c1c063b18f29d8cd8d89f65deac5640799d4ca2caa29c1e72ad8bc417490d11e4051d94956fbc74289857e5f8e9e87b9a2d83074a994de0b10bc7782f6650cfbdb8c835c81cd88bdce5f04ca939b3c5cd010d4dc5d51224fcacbca9851694b8bf55b22dead859d023eee5a7ad3436a912c3fc0284456d5d72ea5f1afa8545c856676ac2dd9a057028bd3ca0f50e7070fa74152f13997c95c1834c3e67504f1a4165d2b49a96919b88f72caed60f56ca7ab5a3204fb12ad3592c725fdebb048732fc189c7dfed185c6c184a626e07d7356860d00389862d5b9701eaa4e5f7889e6db0f54633369b8d26805c08471de8fc3f8fa1fb0b0711d9e015add5373f7f8b64abaddbac3399c756244b1b07c579d33e4967e5e0cf16de29cb8a7efad07ff9039ca305772a6e45c76bd9b77e24949556766a8b8425c5e595efb431bde4ee222f9eb3fc2d002a1e2d14db2b23135266c942eea33bffd30eb0218405373240e0cd3040436ca895093bf056fd001c00ba59d90502042e6e6c0167105051628895c8164c9ab959400898309cabafdef12be53604fa57df44e0a90a81bd63c331291a93bffefe809e80db0679568f6e94e0d8e2edec0087c35bcb3c4f4725e6013bcf197156cd9d90612423348123383e45c14d27d8833f56ddb04083c069fd6e282fe69c940840f5f747dfb72ad72fd8cf9f3ded15c9e2f4727fd60b4f40e95dbe77a89b47dde7d5326942600554905d9dade9d145ab6da802643f2081678392609c2fdd1b79dd8caec137cbed315374c6f05c0758070f3bb17e23d81ccc39c6aa89913897e487fde889c5aacd422278f8571641cc4f0a93d9768aef9e45d6bd187d1ba637ce0fbd3c573d6778cf7bf5188c00dcdf13be3fd599143952b376220283e34e014e83b214bd5f64eb0ecb098ae8bef883949907cc36e22ece60b893b963cfa73d120513e285aaf70ce5add34edbdac60b3aa7b385b90e339058fb9b3cf984b06f79788016035c5ce490f2de7995b98a8c1c9c80f29603ae2b7fc41886663163e604275cb085f8453b27f4d795b9bad19ade2f98a1c99b43a7581bd991e5d0e5e1a6e713acc522ba9fe8302658a9782558e35436e714ac6bc85ad1d3cd008f24106901fa954f5fefb61210d6f8dc9ff35c480f1d14e59c0e501917a31ee9d00c6bdb06a00af5a8b08c3928cc5f37476248223627cb77eaf0e96213cb0a13e97d3fe9b9814d462690e8d68d02655a32fc271ee73db4f88a33386ea88a5857e15a28d9b3e3a96f00c7cd85aa53f9282ab8c8ca6d6a8afed43aa87fe7fc1ad59b0f0db2dd25c20af96e8c282c19fc883ef01a4060398926a1c82f07bcd3bc314580d7636b623b7bad8ddba05850291a6344df0f346fa4a321a85ee3e9c",
-	},
-	{
-		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b305eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea90870d4b28a2954489a0abcd50e18a844ac5bf38e4cd72d9b",
-		"0942e506c433afcda3847f2dad",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"588e1356fb8fa32410dad99cf7922aae47b4042502c92f3afe33dc22c1c2e90caf22bc37a254f8dd62a09582c70194f9616982639415178e9fe95740c0f1d497a69b69d4924a7a15290187f9c8acf09cf5b3b3188ecde2d2807207f5bb6a6d3504314b1b47684cf8ba8807eb9a3c497c79ebe1e4c1eca2aa90328563e201425227fca8ee05dcc05fd6c98128626c1e71d2fb3a21860567093db1012dfabe13055c48219d2a301c8a5a49033a811d8d9413bafbb2eefc177226fe578e93c2ef1f309416dc98843bfac387debb1b610b1d2366178ce7212a7312057a3d058357a629f18c78e129e60979a2310455a76207be5611e8b4b840629564020c17f5c9446882e23f610e931246ec434e62de765bf22954cfae02b2ff4b4086fbbd1b6cec23e45481eac5a25d",
-	},
-	{
-		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b305eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea90870d4b28a2954489a0abcd50e18a844ac5bf38e4cd72d9b0942e506c433afcda3847f2dadd47647de321cec4ac430f62023856cfbb20704f4ec0bb920ba86c33e05f1ecd96733b79950a3e314",
-		"d3d934f75ea0f210a8f6059401",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"588e1356fb8fa32410dad99cf7922aae47b4042502c92f3afe33dc22c1c2e90caf22bc37a254f8dd62a09582c70194f9616982639415178e9fe95740c0f1d497a69b69d4924a7a15290187f9c8acf09cf5b3b3188ecde2d2807207f5bb6a6d3504314b1b47684cf8ba8807eb9a3c497c79ebe1e4c1eca2aa90328563e201425227fca8ee05dcc05fd6c98128626c1e71d2fb3a21860567093db1012dfabe13055c48219d2a301c8a5a49033a811d8d9413bafbb2eefc177226fe578e93c2ef1f309416dc98843bfac387debb1b610b1d2366178ce7212a7312057a3d058357a629f18c78e129e60979a2310455a76207be5611e8b4b840629564020c17f5c9446882e23f610e931246ec434e62de765bf22954cfae02b2ff7c59dfe246e4bb2d6a8afcebdc2beeaabf2a3f43f95a5ea639853f38719875ecdd2bbc0d81bb2a5ed59553b1e76b6365b74f618f685eb7731024bbf6794c3f4c7c5a1cf925",
-	},
-	{
-		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b305eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea90870d4b28a2954489a0abcd50e18a844ac5bf38e4cd72d9b0942e506c433afcda3847f2dadd47647de321cec4ac430f62023856cfbb20704f4ec0bb920ba86c33e05f1ecd96733b79950a3e314",
-		"d3d934f75ea0f210a8f6059401beb4bc4478fa4969e623d01ada696a7e4c7e5125b34884533a94fb319990325744ee9bbce9e525cf08f5e9e25e5360aad2b2d085fa54d835e8d466826498d9a8877565705a8a3f62802944de7ca5894e5759d351adac869580ec17e485f18c0c66f17cc07cbb",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"588e1356fb8fa32410dad99cf7922aae47b4042502c92f3afe33dc22c1c2e90caf22bc37a254f8dd62a09582c70194f9616982639415178e9fe95740c0f1d497a69b69d4924a7a15290187f9c8acf09cf5b3b3188ecde2d2807207f5bb6a6d3504314b1b47684cf8ba8807eb9a3c497c79ebe1e4c1eca2aa90328563e201425227fca8ee05dcc05fd6c98128626c1e71d2fb3a21860567093db1012dfabe13055c48219d2a301c8a5a49033a811d8d9413bafbb2eefc177226fe578e93c2ef1f309416dc98843bfac387debb1b610b1d2366178ce7212a7312057a3d058357a629f18c78e129e60979a2310455a76207be5611e8b4b840629564020c17f5c9446882e23f610e931246ec434e62de765bf22954cfae02b2ff7c59dfe246e4bb2d6a8afcebdc2beeaabf2a3f43f95a5ea639853f38719875ecdd2bbc0d81bb2a5ed59553b1e76b6365b74f618f68a12d0f1cc99e132db9014100d9668c91",
-	},
-	{
-		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b305eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea90870d4b28a2954489a0abcd50e18a844ac5bf38e4cd72d9b0942e506c433afcda3847f2dadd47647de321cec4ac430f62023856cfbb20704f4ec0bb920ba86c33e05f1ecd96733b79950a3e314d3d934f75ea0f210a8f6059401beb4bc4478fa4969e623d01ada696a7e4c7e5125b34884533a94fb319990325744ee9b",
-		"bc",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"588e1356fb8fa32410dad99cf7922aae47b4042502c92f3afe33dc22c1c2e90caf22bc37a254f8dd62a09582c70194f9616982639415178e9fe95740c0f1d497a69b69d4924a7a15290187f9c8acf09cf5b3b3188ecde2d2807207f5bb6a6d3504314b1b47684cf8ba8807eb9a3c497c79ebe1e4c1eca2aa90328563e201425227fca8ee05dcc05fd6c98128626c1e71d2fb3a21860567093db1012dfabe13055c48219d2a301c8a5a49033a811d8d9413bafbb2eefc177226fe578e93c2ef1f309416dc98843bfac387debb1b610b1d2366178ce7212a7312057a3d058357a629f18c78e129e60979a2310455a76207be5611e8b4b840629564020c17f5c9446882e23f610e931246ec434e62de765bf22954cfae02b2ff7c59dfe246e4bb2d6a8afcebdc2beeaabf2a3f43f95a5ea639853f38719875ecdd2bbc0d81bb2a5ed59553b1e76b6365b74f618f68d1f05b5662cd6e04de896d3ef5dae4149485a5a2093ff4ec74b20b5e5bf8e61b5c65515938c202beab3eea5a498d2f32d4d00a24b826b6efb16013ef54cbe170",
-	},
-	{
-		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b305eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea90870d4b28a2954489a0abcd50e18a844ac5bf38e4cd72d9b0942e506c433afcda3847f2dadd47647de321cec4ac430f62023856cfbb20704f4ec0bb920ba86c33e05f1ecd96733b79950a3e314d3d934f75ea0f210a8f6059401beb4bc4478fa4969e623d01ada696a7e4c7e5125b34884533a94fb319990325744ee9bbce9e525cf08f5e9e25e5360aad2b2d085fa54d835e8d466826498d9a8877565705a8a3f62802944de7ca5894e5759d351adac869580ec17e485f18c0c66f17cc0",
-		"7cbb22fce466da610b63af62bc83b4692f3affaf271693ac071fb86d11342d",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"588e1356fb8fa32410dad99cf7922aae47b4042502c92f3afe33dc22c1c2e90caf22bc37a254f8dd62a09582c70194f9616982639415178e9fe95740c0f1d497a69b69d4924a7a15290187f9c8acf09cf5b3b3188ecde2d2807207f5bb6a6d3504314b1b47684cf8ba8807eb9a3c497c79ebe1e4c1eca2aa90328563e201425227fca8ee05dcc05fd6c98128626c1e71d2fb3a21860567093db1012dfabe13055c48219d2a301c8a5a49033a811d8d9413bafbb2eefc177226fe578e93c2ef1f309416dc98843bfac387debb1b610b1d2366178ce7212a7312057a3d058357a629f18c78e129e60979a2310455a76207be5611e8b4b840629564020c17f5c9446882e23f610e931246ec434e62de765bf22954cfae02b2ff7c59dfe246e4bb2d6a8afcebdc2beeaabf2a3f43f95a5ea639853f38719875ecdd2bbc0d81bb2a5ed59553b1e76b6365b74f618f68d1f05b5662cd6e04de896d3ef5dae4149485a5a2093ff4ec74b20b5e5bf8e61b5c65515938c202beab3eea5a498d2f32c38dbb37d04f8272e741da2802c54a9d9aaf8ecf38b36fc9ad0079523f6a4abd5281a22697a3180bc02662a7c13ee23599d18e5c48300dbb831509df4c172f53e524b3c15124a87ac73e5028cde6c94d8d",
-	},
-	{
-		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b305eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea90870d4b28a2954489a0abcd50e18a844ac5bf38e4cd72d9b0942e506c433afcda3847f2dadd47647de321cec4ac430f62023856cfbb20704f4ec0bb920ba86c33e05f1ecd96733b79950a3e314d3d934f75ea0f210a8f6059401beb4bc4478fa4969e623d01ada696a7e4c7e5125b34884533a94fb319990325744ee9bbce9e525",
-		"",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"588e1356fb8fa32410dad99cf7922aae47b4042502c92f3afe33dc22c1c2e90caf22bc37a254f8dd62a09582c70194f9616982639415178e9fe95740c0f1d497a69b69d4924a7a15290187f9c8acf09cf5b3b3188ecde2d2807207f5bb6a6d3504314b1b47684cf8ba8807eb9a3c497c79ebe1e4c1eca2aa90328563e201425227fca8ee05dcc05fd6c98128626c1e71d2fb3a21860567093db1012dfabe13055c48219d2a301c8a5a49033a811d8d9413bafbb2eefc177226fe578e93c2ef1f309416dc98843bfac387debb1b610b1d2366178ce7212a7312057a3d058357a629f18c78e129e60979a2310455a76207be5611e8b4b840629564020c17f5c9446882e23f610e931246ec434e62de765bf22954cfae02b2ff7c59dfe246e4bb2d6a8afcebdc2beeaabf2a3f43f95a5ea639853f38719875ecdd2bbc0d81bb2a5ed59553b1e76b6365b74f618f68d1f05b5662cd6e04de896d3ef5dae4149485a5a2093ff4ec74b20b5e5bf8e61b5c65515938c202beab3eea5a498d2f32c38dbb370a9bbc3187cc260ddac991f94ce4f0d5",
-	},
-	{
-		"0fb826ddb2eb5e708de203d0438be12cf708d635ebdbae56278be09077009586b9bc646ba7c2db35a5de05e86ae71461efea96dac64430edcf117d461113cccacf303576f310ab98efb180599894ba877e50614494923163a3afa9b4c2757f91a6b40799c5b331b464b10dfc45c783c317e408ab76390e19e8b7ceaa2c4d3bd201436bc6f69c7a5a4d8756924ed95665bd5e1034971e4d80d51b2a",
-		"026866d46aa940309fdcabf92a324fbc",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"30f05cf8189bb7b8b4f560e746e228c4cc7e86e8f2fa66e1afe212d1855db51070acd5eb34ce80b2e223957df50fde4c2531d97fc9e573725e7a5e47f0dfc4da1942620320bb2deaf8b17937bae4218d04db8e76f6efe84a117292159507c9f8a09fb2c17921d7762510dbf1dac7b62b1bd7572e3e2cf008d01c445c7fa78833235034281ae180e051451c6a64f22ca9708634bd0d604e4cfcd971b13742efa5b6363e662a875daccb2b00",
-	},
-	{
-		"c7d4f8790e4c47d4daecbddf5939973521ddbf3b832e564afc66f03b5583c41c58bd956609dc3ae3c8f7c2213059575236168dba44e3044049f47c9e7840bbd0fd5036062d70e9f567ac1797056ee93c8476f6c959fa09a3ee854166c6fc36c34d6cca7adcb36f435f86db65f4c4a1793b974294914b377fd179e697751c5ac289243c65d8aca93732849c27483da083d4e218652d4fe5fec8cb953ee7f00070143dd6ece97f241b03c0424bfee2cfd2c4e738f2361df0ffe8863dcf763d408a7a167763959b7f985bc1e359a4b22c6899645ad0814bcf69d10c38474978d1c48e482723e3a6bb3f689f980c51c474eb28cfbba91a8a12eb964b32dfc303a3524ccb752f71316ed9d007e521cb5a0cf429c79d4351b02ee7fb60c7be636a10af3586dfa7b74d80875466a820c0b514e97cb12cce615ab55cba7c1b1de72bcd1cb1acc368f944ef4eaa986e6a4d8253c9337f9795d94df193c90cb0b0387dcde929905223d441717ed9dfe826613bf094ba872993d41b269e27d74e5f541b497eac9ba180dc12ffb6f1e7dc5223cce6dd541071282b97c6526e15b2c330fb41dc96e25d72f45c28e543053766d11d44252db54e584c14abbb295d7e5a58bf36eea1936095ef897a338eb1995fcedd85fc92d354dfe7ff9a115c186bb4d7a1a27835030d248c87571a38f17906cefe0261d15740b9",
-		"56",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"f89c825ca43cae1ce3fbdee85c505edd1aabefe69a0f9efd740f027aa7dee48a91ad24e69ad061648f0a52b4afb19d7ffccdc21f4b4247dfd89f5f9f998cb3c02b226173fedb6f8770aceef9271e7236fefd19fb3b87d08a5c587ac7918e80aa4b477f22602189811e270d686bc4949137a41d11d95ec96ee9d26c6126f6e923ab37638b34d1538d2e46d6df6216da4f193a3cecb731e632e109ced643056a1673059355d2d1314df35ded8364efed7de490201090a6f2d1751748585f64d26041637ba3723cbc4b60e226f10a19699d223075bc1f27d82e7f560c0db630ea670b3f8a70a8950894af4d1c7b3f674a3fa00d19ee4cc2b6174c1d259a297424bf2c3943a29a16a9830ce11abaa79cd2eb77b53a02b365b1838e7bfd5ae1bd044ffc885c61c6b2186a357e8b8f732b7ab96517969aeb70c7b493bbaca9462a61815a3c6135c748bf9c8487ac0631807aa69243fa09cd3b8efb63f8d4e090ad30b6c2f08bf4e82f191cedfa5cbe2b42268d67ecd105918181e44fc9879efd642d20be84e6f74717e03fb94fcbaa6ed3b307431d2a9384b8a2b3e5825ffce8d99af48f177e43bb4272226d8a5edd37d53807f768feb9e0733b437a1d0f84779ab68a1804e92a5eecca56364f0fa6dca152203b249fdc8fbd950fdc37c1887596308a90ba3a5751c7096bfbd1cb177bb17847b33c4379b43938a67674459cd9a06e3017ccac5b",
-	},
-	{
-		"135a28170fe89066da7bcff3a9ccc1b27dfe942a6f47b23835ef746aaea63dc10066d90f4e697528e5451b8e11dd408fdbd4b94a1c6c82515bf7bc099df9cb9d5fa4acad0d22d5f267f18078cec107a995c1f3b12d7603886dbf910ab85ca7180053c50e759b00dc8c81555a425c03d71df6894a6c8cd2d94b64e303c08a1bc1dee1cf537ccf300850856292e1656aff5bf349c87f1ca1ca8085cd400fe901edcad04146a0714ef0f6b083d715edd670e020385f3cda29bc5ff6fc6edffe5ca9ce9def6e0e3d5f04ede2db02cfb2",
-		"73afd2ab0e0e8537cae42dc6530dc4afb6934ca6",
-		"a5117e70953568bf750862df9e6f92af81677c3a188e847917a4a915bda7792e",
-		"129039b5572e8a7a8131f76a",
-		"2c125232a59879aee36cacc4aca5085a4688c4f776667a8fbd86862b5cfb1d57c976688fdd652eafa2b88b1b8e358aa2110ff6ef13cdc1ceca9c9f087c35c38d89d6fbd8de89538070f17916ecb19ca3ef4a1c834f0bdaa1df62aaabef2e117106787056c909e61ecd208357dd5c363f11c5d6cf24992cc873cf69f59360a820fcf290bd90b2cab24c47286acb4e1033962b6d41e562a206a94796a8ab1c6b8bade804ff9bdf5ba6062d2c1f8fe0f4dfc05720bd9a612b92c26789f9f6a7ce43f5e8e3aee99a9cd7d6c11eaa611983c36935b0dda57d898a60a0ab7c4b54",
-	},
-}
diff --git a/vendor/golang.org/x/crypto/codereview.cfg b/vendor/golang.org/x/crypto/codereview.cfg
deleted file mode 100644
index 3f8b14b6..00000000
--- a/vendor/golang.org/x/crypto/codereview.cfg
+++ /dev/null
@@ -1 +0,0 @@
-issuerepo: golang/go
diff --git a/vendor/golang.org/x/crypto/cryptobyte/asn1.go b/vendor/golang.org/x/crypto/cryptobyte/asn1.go
deleted file mode 100644
index 88ec8b4f..00000000
--- a/vendor/golang.org/x/crypto/cryptobyte/asn1.go
+++ /dev/null
@@ -1,732 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cryptobyte
-
-import (
-	encoding_asn1 "encoding/asn1"
-	"fmt"
-	"math/big"
-	"reflect"
-	"time"
-
-	"golang.org/x/crypto/cryptobyte/asn1"
-)
-
-// This file contains ASN.1-related methods for String and Builder.
-
-// Builder
-
-// AddASN1Int64 appends a DER-encoded ASN.1 INTEGER.
-func (b *Builder) AddASN1Int64(v int64) {
-	b.addASN1Signed(asn1.INTEGER, v)
-}
-
-// AddASN1Enum appends a DER-encoded ASN.1 ENUMERATION.
-func (b *Builder) AddASN1Enum(v int64) {
-	b.addASN1Signed(asn1.ENUM, v)
-}
-
-func (b *Builder) addASN1Signed(tag asn1.Tag, v int64) {
-	b.AddASN1(tag, func(c *Builder) {
-		length := 1
-		for i := v; i >= 0x80 || i < -0x80; i >>= 8 {
-			length++
-		}
-
-		for ; length > 0; length-- {
-			i := v >> uint((length-1)*8) & 0xff
-			c.AddUint8(uint8(i))
-		}
-	})
-}
-
-// AddASN1Uint64 appends a DER-encoded ASN.1 INTEGER.
-func (b *Builder) AddASN1Uint64(v uint64) {
-	b.AddASN1(asn1.INTEGER, func(c *Builder) {
-		length := 1
-		for i := v; i >= 0x80; i >>= 8 {
-			length++
-		}
-
-		for ; length > 0; length-- {
-			i := v >> uint((length-1)*8) & 0xff
-			c.AddUint8(uint8(i))
-		}
-	})
-}
-
-// AddASN1BigInt appends a DER-encoded ASN.1 INTEGER.
-func (b *Builder) AddASN1BigInt(n *big.Int) {
-	if b.err != nil {
-		return
-	}
-
-	b.AddASN1(asn1.INTEGER, func(c *Builder) {
-		if n.Sign() < 0 {
-			// A negative number has to be converted to two's-complement form. So we
-			// invert and subtract 1. If the most-significant-bit isn't set then
-			// we'll need to pad the beginning with 0xff in order to keep the number
-			// negative.
-			nMinus1 := new(big.Int).Neg(n)
-			nMinus1.Sub(nMinus1, bigOne)
-			bytes := nMinus1.Bytes()
-			for i := range bytes {
-				bytes[i] ^= 0xff
-			}
-			if bytes[0]&0x80 == 0 {
-				c.add(0xff)
-			}
-			c.add(bytes...)
-		} else if n.Sign() == 0 {
-			c.add(0)
-		} else {
-			bytes := n.Bytes()
-			if bytes[0]&0x80 != 0 {
-				c.add(0)
-			}
-			c.add(bytes...)
-		}
-	})
-}
-
-// AddASN1OctetString appends a DER-encoded ASN.1 OCTET STRING.
-func (b *Builder) AddASN1OctetString(bytes []byte) {
-	b.AddASN1(asn1.OCTET_STRING, func(c *Builder) {
-		c.AddBytes(bytes)
-	})
-}
-
-const generalizedTimeFormatStr = "20060102150405Z0700"
-
-// AddASN1GeneralizedTime appends a DER-encoded ASN.1 GENERALIZEDTIME.
-func (b *Builder) AddASN1GeneralizedTime(t time.Time) {
-	if t.Year() < 0 || t.Year() > 9999 {
-		b.err = fmt.Errorf("cryptobyte: cannot represent %v as a GeneralizedTime", t)
-		return
-	}
-	b.AddASN1(asn1.GeneralizedTime, func(c *Builder) {
-		c.AddBytes([]byte(t.Format(generalizedTimeFormatStr)))
-	})
-}
-
-// AddASN1BitString appends a DER-encoded ASN.1 BIT STRING. This does not
-// support BIT STRINGs that are not a whole number of bytes.
-func (b *Builder) AddASN1BitString(data []byte) {
-	b.AddASN1(asn1.BIT_STRING, func(b *Builder) {
-		b.AddUint8(0)
-		b.AddBytes(data)
-	})
-}
-
-func (b *Builder) addBase128Int(n int64) {
-	var length int
-	if n == 0 {
-		length = 1
-	} else {
-		for i := n; i > 0; i >>= 7 {
-			length++
-		}
-	}
-
-	for i := length - 1; i >= 0; i-- {
-		o := byte(n >> uint(i*7))
-		o &= 0x7f
-		if i != 0 {
-			o |= 0x80
-		}
-
-		b.add(o)
-	}
-}
-
-func isValidOID(oid encoding_asn1.ObjectIdentifier) bool {
-	if len(oid) < 2 {
-		return false
-	}
-
-	if oid[0] > 2 || (oid[0] <= 1 && oid[1] >= 40) {
-		return false
-	}
-
-	for _, v := range oid {
-		if v < 0 {
-			return false
-		}
-	}
-
-	return true
-}
-
-func (b *Builder) AddASN1ObjectIdentifier(oid encoding_asn1.ObjectIdentifier) {
-	b.AddASN1(asn1.OBJECT_IDENTIFIER, func(b *Builder) {
-		if !isValidOID(oid) {
-			b.err = fmt.Errorf("cryptobyte: invalid OID: %v", oid)
-			return
-		}
-
-		b.addBase128Int(int64(oid[0])*40 + int64(oid[1]))
-		for _, v := range oid[2:] {
-			b.addBase128Int(int64(v))
-		}
-	})
-}
-
-func (b *Builder) AddASN1Boolean(v bool) {
-	b.AddASN1(asn1.BOOLEAN, func(b *Builder) {
-		if v {
-			b.AddUint8(0xff)
-		} else {
-			b.AddUint8(0)
-		}
-	})
-}
-
-func (b *Builder) AddASN1NULL() {
-	b.add(uint8(asn1.NULL), 0)
-}
-
-// MarshalASN1 calls encoding_asn1.Marshal on its input and appends the result if
-// successful or records an error if one occurred.
-func (b *Builder) MarshalASN1(v interface{}) {
-	// NOTE(martinkr): This is somewhat of a hack to allow propagation of
-	// encoding_asn1.Marshal errors into Builder.err. N.B. if you call MarshalASN1 with a
-	// value embedded into a struct, its tag information is lost.
-	if b.err != nil {
-		return
-	}
-	bytes, err := encoding_asn1.Marshal(v)
-	if err != nil {
-		b.err = err
-		return
-	}
-	b.AddBytes(bytes)
-}
-
-// AddASN1 appends an ASN.1 object. The object is prefixed with the given tag.
-// Tags greater than 30 are not supported and result in an error (i.e.
-// low-tag-number form only). The child builder passed to the
-// BuilderContinuation can be used to build the content of the ASN.1 object.
-func (b *Builder) AddASN1(tag asn1.Tag, f BuilderContinuation) {
-	if b.err != nil {
-		return
-	}
-	// Identifiers with the low five bits set indicate high-tag-number format
-	// (two or more octets), which we don't support.
-	if tag&0x1f == 0x1f {
-		b.err = fmt.Errorf("cryptobyte: high-tag number identifier octects not supported: 0x%x", tag)
-		return
-	}
-	b.AddUint8(uint8(tag))
-	b.addLengthPrefixed(1, true, f)
-}
-
-// String
-
-func (s *String) ReadASN1Boolean(out *bool) bool {
-	var bytes String
-	if !s.ReadASN1(&bytes, asn1.INTEGER) || len(bytes) != 1 {
-		return false
-	}
-
-	switch bytes[0] {
-	case 0:
-		*out = false
-	case 0xff:
-		*out = true
-	default:
-		return false
-	}
-
-	return true
-}
-
-var bigIntType = reflect.TypeOf((*big.Int)(nil)).Elem()
-
-// ReadASN1Integer decodes an ASN.1 INTEGER into out and advances. If out does
-// not point to an integer or to a big.Int, it panics. It returns true on
-// success and false on error.
-func (s *String) ReadASN1Integer(out interface{}) bool {
-	if reflect.TypeOf(out).Kind() != reflect.Ptr {
-		panic("out is not a pointer")
-	}
-	switch reflect.ValueOf(out).Elem().Kind() {
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		var i int64
-		if !s.readASN1Int64(&i) || reflect.ValueOf(out).Elem().OverflowInt(i) {
-			return false
-		}
-		reflect.ValueOf(out).Elem().SetInt(i)
-		return true
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
-		var u uint64
-		if !s.readASN1Uint64(&u) || reflect.ValueOf(out).Elem().OverflowUint(u) {
-			return false
-		}
-		reflect.ValueOf(out).Elem().SetUint(u)
-		return true
-	case reflect.Struct:
-		if reflect.TypeOf(out).Elem() == bigIntType {
-			return s.readASN1BigInt(out.(*big.Int))
-		}
-	}
-	panic("out does not point to an integer type")
-}
-
-func checkASN1Integer(bytes []byte) bool {
-	if len(bytes) == 0 {
-		// An INTEGER is encoded with at least one octet.
-		return false
-	}
-	if len(bytes) == 1 {
-		return true
-	}
-	if bytes[0] == 0 && bytes[1]&0x80 == 0 || bytes[0] == 0xff && bytes[1]&0x80 == 0x80 {
-		// Value is not minimally encoded.
-		return false
-	}
-	return true
-}
-
-var bigOne = big.NewInt(1)
-
-func (s *String) readASN1BigInt(out *big.Int) bool {
-	var bytes String
-	if !s.ReadASN1(&bytes, asn1.INTEGER) || !checkASN1Integer(bytes) {
-		return false
-	}
-	if bytes[0]&0x80 == 0x80 {
-		// Negative number.
-		neg := make([]byte, len(bytes))
-		for i, b := range bytes {
-			neg[i] = ^b
-		}
-		out.SetBytes(neg)
-		out.Add(out, bigOne)
-		out.Neg(out)
-	} else {
-		out.SetBytes(bytes)
-	}
-	return true
-}
-
-func (s *String) readASN1Int64(out *int64) bool {
-	var bytes String
-	if !s.ReadASN1(&bytes, asn1.INTEGER) || !checkASN1Integer(bytes) || !asn1Signed(out, bytes) {
-		return false
-	}
-	return true
-}
-
-func asn1Signed(out *int64, n []byte) bool {
-	length := len(n)
-	if length > 8 {
-		return false
-	}
-	for i := 0; i < length; i++ {
-		*out <<= 8
-		*out |= int64(n[i])
-	}
-	// Shift up and down in order to sign extend the result.
-	*out <<= 64 - uint8(length)*8
-	*out >>= 64 - uint8(length)*8
-	return true
-}
-
-func (s *String) readASN1Uint64(out *uint64) bool {
-	var bytes String
-	if !s.ReadASN1(&bytes, asn1.INTEGER) || !checkASN1Integer(bytes) || !asn1Unsigned(out, bytes) {
-		return false
-	}
-	return true
-}
-
-func asn1Unsigned(out *uint64, n []byte) bool {
-	length := len(n)
-	if length > 9 || length == 9 && n[0] != 0 {
-		// Too large for uint64.
-		return false
-	}
-	if n[0]&0x80 != 0 {
-		// Negative number.
-		return false
-	}
-	for i := 0; i < length; i++ {
-		*out <<= 8
-		*out |= uint64(n[i])
-	}
-	return true
-}
-
-// ReadASN1Enum decodes an ASN.1 ENUMERATION into out and advances. It returns
-// true on success and false on error.
-func (s *String) ReadASN1Enum(out *int) bool {
-	var bytes String
-	var i int64
-	if !s.ReadASN1(&bytes, asn1.ENUM) || !checkASN1Integer(bytes) || !asn1Signed(&i, bytes) {
-		return false
-	}
-	if int64(int(i)) != i {
-		return false
-	}
-	*out = int(i)
-	return true
-}
-
-func (s *String) readBase128Int(out *int) bool {
-	ret := 0
-	for i := 0; len(*s) > 0; i++ {
-		if i == 4 {
-			return false
-		}
-		ret <<= 7
-		b := s.read(1)[0]
-		ret |= int(b & 0x7f)
-		if b&0x80 == 0 {
-			*out = ret
-			return true
-		}
-	}
-	return false // truncated
-}
-
-// ReadASN1ObjectIdentifier decodes an ASN.1 OBJECT IDENTIFIER into out and
-// advances. It returns true on success and false on error.
-func (s *String) ReadASN1ObjectIdentifier(out *encoding_asn1.ObjectIdentifier) bool {
-	var bytes String
-	if !s.ReadASN1(&bytes, asn1.OBJECT_IDENTIFIER) || len(bytes) == 0 {
-		return false
-	}
-
-	// In the worst case, we get two elements from the first byte (which is
-	// encoded differently) and then every varint is a single byte long.
-	components := make([]int, len(bytes)+1)
-
-	// The first varint is 40*value1 + value2:
-	// According to this packing, value1 can take the values 0, 1 and 2 only.
-	// When value1 = 0 or value1 = 1, then value2 is <= 39. When value1 = 2,
-	// then there are no restrictions on value2.
-	var v int
-	if !bytes.readBase128Int(&v) {
-		return false
-	}
-	if v < 80 {
-		components[0] = v / 40
-		components[1] = v % 40
-	} else {
-		components[0] = 2
-		components[1] = v - 80
-	}
-
-	i := 2
-	for ; len(bytes) > 0; i++ {
-		if !bytes.readBase128Int(&v) {
-			return false
-		}
-		components[i] = v
-	}
-	*out = components[:i]
-	return true
-}
-
-// ReadASN1GeneralizedTime decodes an ASN.1 GENERALIZEDTIME into out and
-// advances. It returns true on success and false on error.
-func (s *String) ReadASN1GeneralizedTime(out *time.Time) bool {
-	var bytes String
-	if !s.ReadASN1(&bytes, asn1.GeneralizedTime) {
-		return false
-	}
-	t := string(bytes)
-	res, err := time.Parse(generalizedTimeFormatStr, t)
-	if err != nil {
-		return false
-	}
-	if serialized := res.Format(generalizedTimeFormatStr); serialized != t {
-		return false
-	}
-	*out = res
-	return true
-}
-
-// ReadASN1BitString decodes an ASN.1 BIT STRING into out and advances. It
-// returns true on success and false on error.
-func (s *String) ReadASN1BitString(out *encoding_asn1.BitString) bool {
-	var bytes String
-	if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 {
-		return false
-	}
-
-	paddingBits := uint8(bytes[0])
-	bytes = bytes[1:]
-	if paddingBits > 7 ||
-		len(bytes) == 0 && paddingBits != 0 ||
-		len(bytes) > 0 && bytes[len(bytes)-1]&(1<<paddingBits-1) != 0 {
-		return false
-	}
-
-	out.BitLength = len(bytes)*8 - int(paddingBits)
-	out.Bytes = bytes
-	return true
-}
-
-// ReadASN1BitString decodes an ASN.1 BIT STRING into out and advances. It is
-// an error if the BIT STRING is not a whole number of bytes. This function
-// returns true on success and false on error.
-func (s *String) ReadASN1BitStringAsBytes(out *[]byte) bool {
-	var bytes String
-	if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 {
-		return false
-	}
-
-	paddingBits := uint8(bytes[0])
-	if paddingBits != 0 {
-		return false
-	}
-	*out = bytes[1:]
-	return true
-}
-
-// ReadASN1Bytes reads the contents of a DER-encoded ASN.1 element (not including
-// tag and length bytes) into out, and advances. The element must match the
-// given tag. It returns true on success and false on error.
-func (s *String) ReadASN1Bytes(out *[]byte, tag asn1.Tag) bool {
-	return s.ReadASN1((*String)(out), tag)
-}
-
-// ReadASN1 reads the contents of a DER-encoded ASN.1 element (not including
-// tag and length bytes) into out, and advances. The element must match the
-// given tag. It returns true on success and false on error.
-//
-// Tags greater than 30 are not supported (i.e. low-tag-number format only).
-func (s *String) ReadASN1(out *String, tag asn1.Tag) bool {
-	var t asn1.Tag
-	if !s.ReadAnyASN1(out, &t) || t != tag {
-		return false
-	}
-	return true
-}
-
-// ReadASN1Element reads the contents of a DER-encoded ASN.1 element (including
-// tag and length bytes) into out, and advances. The element must match the
-// given tag. It returns true on success and false on error.
-//
-// Tags greater than 30 are not supported (i.e. low-tag-number format only).
-func (s *String) ReadASN1Element(out *String, tag asn1.Tag) bool {
-	var t asn1.Tag
-	if !s.ReadAnyASN1Element(out, &t) || t != tag {
-		return false
-	}
-	return true
-}
-
-// ReadAnyASN1 reads the contents of a DER-encoded ASN.1 element (not including
-// tag and length bytes) into out, sets outTag to its tag, and advances. It
-// returns true on success and false on error.
-//
-// Tags greater than 30 are not supported (i.e. low-tag-number format only).
-func (s *String) ReadAnyASN1(out *String, outTag *asn1.Tag) bool {
-	return s.readASN1(out, outTag, true /* skip header */)
-}
-
-// ReadAnyASN1Element reads the contents of a DER-encoded ASN.1 element
-// (including tag and length bytes) into out, sets outTag to is tag, and
-// advances. It returns true on success and false on error.
-//
-// Tags greater than 30 are not supported (i.e. low-tag-number format only).
-func (s *String) ReadAnyASN1Element(out *String, outTag *asn1.Tag) bool {
-	return s.readASN1(out, outTag, false /* include header */)
-}
-
-// PeekASN1Tag returns true if the next ASN.1 value on the string starts with
-// the given tag.
-func (s String) PeekASN1Tag(tag asn1.Tag) bool {
-	if len(s) == 0 {
-		return false
-	}
-	return asn1.Tag(s[0]) == tag
-}
-
-// SkipASN1 reads and discards an ASN.1 element with the given tag.
-func (s *String) SkipASN1(tag asn1.Tag) bool {
-	var unused String
-	return s.ReadASN1(&unused, tag)
-}
-
-// ReadOptionalASN1 attempts to read the contents of a DER-encoded ASN.1
-// element (not including tag and length bytes) tagged with the given tag into
-// out. It stores whether an element with the tag was found in outPresent,
-// unless outPresent is nil. It returns true on success and false on error.
-func (s *String) ReadOptionalASN1(out *String, outPresent *bool, tag asn1.Tag) bool {
-	present := s.PeekASN1Tag(tag)
-	if outPresent != nil {
-		*outPresent = present
-	}
-	if present && !s.ReadASN1(out, tag) {
-		return false
-	}
-	return true
-}
-
-// SkipOptionalASN1 advances s over an ASN.1 element with the given tag, or
-// else leaves s unchanged.
-func (s *String) SkipOptionalASN1(tag asn1.Tag) bool {
-	if !s.PeekASN1Tag(tag) {
-		return true
-	}
-	var unused String
-	return s.ReadASN1(&unused, tag)
-}
-
-// ReadOptionalASN1Integer attempts to read an optional ASN.1 INTEGER
-// explicitly tagged with tag into out and advances. If no element with a
-// matching tag is present, it writes defaultValue into out instead. If out
-// does not point to an integer or to a big.Int, it panics. It returns true on
-// success and false on error.
-func (s *String) ReadOptionalASN1Integer(out interface{}, tag asn1.Tag, defaultValue interface{}) bool {
-	if reflect.TypeOf(out).Kind() != reflect.Ptr {
-		panic("out is not a pointer")
-	}
-	var present bool
-	var i String
-	if !s.ReadOptionalASN1(&i, &present, tag) {
-		return false
-	}
-	if !present {
-		switch reflect.ValueOf(out).Elem().Kind() {
-		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
-			reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
-			reflect.ValueOf(out).Elem().Set(reflect.ValueOf(defaultValue))
-		case reflect.Struct:
-			if reflect.TypeOf(out).Elem() != bigIntType {
-				panic("invalid integer type")
-			}
-			if reflect.TypeOf(defaultValue).Kind() != reflect.Ptr ||
-				reflect.TypeOf(defaultValue).Elem() != bigIntType {
-				panic("out points to big.Int, but defaultValue does not")
-			}
-			out.(*big.Int).Set(defaultValue.(*big.Int))
-		default:
-			panic("invalid integer type")
-		}
-		return true
-	}
-	if !i.ReadASN1Integer(out) || !i.Empty() {
-		return false
-	}
-	return true
-}
-
-// ReadOptionalASN1OctetString attempts to read an optional ASN.1 OCTET STRING
-// explicitly tagged with tag into out and advances. If no element with a
-// matching tag is present, it writes defaultValue into out instead. It returns
-// true on success and false on error.
-func (s *String) ReadOptionalASN1OctetString(out *[]byte, outPresent *bool, tag asn1.Tag) bool {
-	var present bool
-	var child String
-	if !s.ReadOptionalASN1(&child, &present, tag) {
-		return false
-	}
-	if outPresent != nil {
-		*outPresent = present
-	}
-	if present {
-		var oct String
-		if !child.ReadASN1(&oct, asn1.OCTET_STRING) || !child.Empty() {
-			return false
-		}
-		*out = oct
-	} else {
-		*out = nil
-	}
-	return true
-}
-
-// ReadOptionalASN1Boolean sets *out to the value of the next ASN.1 BOOLEAN or,
-// if the next bytes are not an ASN.1 BOOLEAN, to the value of defaultValue.
-func (s *String) ReadOptionalASN1Boolean(out *bool, defaultValue bool) bool {
-	var present bool
-	var child String
-	if !s.ReadOptionalASN1(&child, &present, asn1.BOOLEAN) {
-		return false
-	}
-
-	if !present {
-		*out = defaultValue
-		return true
-	}
-
-	return s.ReadASN1Boolean(out)
-}
-
-func (s *String) readASN1(out *String, outTag *asn1.Tag, skipHeader bool) bool {
-	if len(*s) < 2 {
-		return false
-	}
-	tag, lenByte := (*s)[0], (*s)[1]
-
-	if tag&0x1f == 0x1f {
-		// ITU-T X.690 section 8.1.2
-		//
-		// An identifier octet with a tag part of 0x1f indicates a high-tag-number
-		// form identifier with two or more octets. We only support tags less than
-		// 31 (i.e. low-tag-number form, single octet identifier).
-		return false
-	}
-
-	if outTag != nil {
-		*outTag = asn1.Tag(tag)
-	}
-
-	// ITU-T X.690 section 8.1.3
-	//
-	// Bit 8 of the first length byte indicates whether the length is short- or
-	// long-form.
-	var length, headerLen uint32 // length includes headerLen
-	if lenByte&0x80 == 0 {
-		// Short-form length (section 8.1.3.4), encoded in bits 1-7.
-		length = uint32(lenByte) + 2
-		headerLen = 2
-	} else {
-		// Long-form length (section 8.1.3.5). Bits 1-7 encode the number of octets
-		// used to encode the length.
-		lenLen := lenByte & 0x7f
-		var len32 uint32
-
-		if lenLen == 0 || lenLen > 4 || len(*s) < int(2+lenLen) {
-			return false
-		}
-
-		lenBytes := String((*s)[2 : 2+lenLen])
-		if !lenBytes.readUnsigned(&len32, int(lenLen)) {
-			return false
-		}
-
-		// ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
-		// with the minimum number of octets.
-		if len32 < 128 {
-			// Length should have used short-form encoding.
-			return false
-		}
-		if len32>>((lenLen-1)*8) == 0 {
-			// Leading octet is 0. Length should have been at least one byte shorter.
-			return false
-		}
-
-		headerLen = 2 + uint32(lenLen)
-		if headerLen+len32 < len32 {
-			// Overflow.
-			return false
-		}
-		length = headerLen + len32
-	}
-
-	if uint32(int(length)) != length || !s.ReadBytes((*[]byte)(out), int(length)) {
-		return false
-	}
-	if skipHeader && !out.Skip(int(headerLen)) {
-		panic("cryptobyte: internal error")
-	}
-
-	return true
-}
diff --git a/vendor/golang.org/x/crypto/cryptobyte/asn1/asn1.go b/vendor/golang.org/x/crypto/cryptobyte/asn1/asn1.go
deleted file mode 100644
index cda8e3ed..00000000
--- a/vendor/golang.org/x/crypto/cryptobyte/asn1/asn1.go
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package asn1 contains supporting types for parsing and building ASN.1
-// messages with the cryptobyte package.
-package asn1 // import "golang.org/x/crypto/cryptobyte/asn1"
-
-// Tag represents an ASN.1 identifier octet, consisting of a tag number
-// (indicating a type) and class (such as context-specific or constructed).
-//
-// Methods in the cryptobyte package only support the low-tag-number form, i.e.
-// a single identifier octet with bits 7-8 encoding the class and bits 1-6
-// encoding the tag number.
-type Tag uint8
-
-const (
-	classConstructed     = 0x20
-	classContextSpecific = 0x80
-)
-
-// Constructed returns t with the constructed class bit set.
-func (t Tag) Constructed() Tag { return t | classConstructed }
-
-// ContextSpecific returns t with the context-specific class bit set.
-func (t Tag) ContextSpecific() Tag { return t | classContextSpecific }
-
-// The following is a list of standard tag and class combinations.
-const (
-	BOOLEAN           = Tag(1)
-	INTEGER           = Tag(2)
-	BIT_STRING        = Tag(3)
-	OCTET_STRING      = Tag(4)
-	NULL              = Tag(5)
-	OBJECT_IDENTIFIER = Tag(6)
-	ENUM              = Tag(10)
-	UTF8String        = Tag(12)
-	SEQUENCE          = Tag(16 | classConstructed)
-	SET               = Tag(17 | classConstructed)
-	PrintableString   = Tag(19)
-	T61String         = Tag(20)
-	IA5String         = Tag(22)
-	UTCTime           = Tag(23)
-	GeneralizedTime   = Tag(24)
-	GeneralString     = Tag(27)
-)
diff --git a/vendor/golang.org/x/crypto/cryptobyte/asn1_test.go b/vendor/golang.org/x/crypto/cryptobyte/asn1_test.go
deleted file mode 100644
index ee6674a2..00000000
--- a/vendor/golang.org/x/crypto/cryptobyte/asn1_test.go
+++ /dev/null
@@ -1,300 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cryptobyte
-
-import (
-	"bytes"
-	encoding_asn1 "encoding/asn1"
-	"math/big"
-	"reflect"
-	"testing"
-	"time"
-
-	"golang.org/x/crypto/cryptobyte/asn1"
-)
-
-type readASN1Test struct {
-	name string
-	in   []byte
-	tag  asn1.Tag
-	ok   bool
-	out  interface{}
-}
-
-var readASN1TestData = []readASN1Test{
-	{"valid", []byte{0x30, 2, 1, 2}, 0x30, true, []byte{1, 2}},
-	{"truncated", []byte{0x30, 3, 1, 2}, 0x30, false, nil},
-	{"zero length of length", []byte{0x30, 0x80}, 0x30, false, nil},
-	{"invalid long form length", []byte{0x30, 0x81, 1, 1}, 0x30, false, nil},
-	{"non-minimal length", append([]byte{0x30, 0x82, 0, 0x80}, make([]byte, 0x80)...), 0x30, false, nil},
-	{"invalid tag", []byte{0xa1, 3, 0x4, 1, 1}, 31, false, nil},
-	{"high tag", []byte{0x1f, 0x81, 0x80, 0x01, 2, 1, 2}, 0xff /* actually 0x4001, but tag is uint8 */, false, nil},
-}
-
-func TestReadASN1(t *testing.T) {
-	for _, test := range readASN1TestData {
-		t.Run(test.name, func(t *testing.T) {
-			var in, out String = test.in, nil
-			ok := in.ReadASN1(&out, test.tag)
-			if ok != test.ok || ok && !bytes.Equal(out, test.out.([]byte)) {
-				t.Errorf("in.ReadASN1() = %v, want %v; out = %v, want %v", ok, test.ok, out, test.out)
-			}
-		})
-	}
-}
-
-func TestReadASN1Optional(t *testing.T) {
-	var empty String
-	var present bool
-	ok := empty.ReadOptionalASN1(nil, &present, 0xa0)
-	if !ok || present {
-		t.Errorf("empty.ReadOptionalASN1() = %v, want true; present = %v want false", ok, present)
-	}
-
-	var in, out String = []byte{0xa1, 3, 0x4, 1, 1}, nil
-	ok = in.ReadOptionalASN1(&out, &present, 0xa0)
-	if !ok || present {
-		t.Errorf("in.ReadOptionalASN1() = %v, want true, present = %v, want false", ok, present)
-	}
-	ok = in.ReadOptionalASN1(&out, &present, 0xa1)
-	wantBytes := []byte{4, 1, 1}
-	if !ok || !present || !bytes.Equal(out, wantBytes) {
-		t.Errorf("in.ReadOptionalASN1() = %v, want true; present = %v, want true; out = %v, want = %v", ok, present, out, wantBytes)
-	}
-}
-
-var optionalOctetStringTestData = []struct {
-	readASN1Test
-	present bool
-}{
-	{readASN1Test{"empty", []byte{}, 0xa0, true, []byte{}}, false},
-	{readASN1Test{"invalid", []byte{0xa1, 3, 0x4, 2, 1}, 0xa1, false, []byte{}}, true},
-	{readASN1Test{"missing", []byte{0xa1, 3, 0x4, 1, 1}, 0xa0, true, []byte{}}, false},
-	{readASN1Test{"present", []byte{0xa1, 3, 0x4, 1, 1}, 0xa1, true, []byte{1}}, true},
-}
-
-func TestReadASN1OptionalOctetString(t *testing.T) {
-	for _, test := range optionalOctetStringTestData {
-		t.Run(test.name, func(t *testing.T) {
-			in := String(test.in)
-			var out []byte
-			var present bool
-			ok := in.ReadOptionalASN1OctetString(&out, &present, test.tag)
-			if ok != test.ok || present != test.present || !bytes.Equal(out, test.out.([]byte)) {
-				t.Errorf("in.ReadOptionalASN1OctetString() = %v, want %v; present = %v want %v; out = %v, want %v", ok, test.ok, present, test.present, out, test.out)
-			}
-		})
-	}
-}
-
-const defaultInt = -1
-
-var optionalIntTestData = []readASN1Test{
-	{"empty", []byte{}, 0xa0, true, defaultInt},
-	{"invalid", []byte{0xa1, 3, 0x2, 2, 127}, 0xa1, false, 0},
-	{"missing", []byte{0xa1, 3, 0x2, 1, 127}, 0xa0, true, defaultInt},
-	{"present", []byte{0xa1, 3, 0x2, 1, 42}, 0xa1, true, 42},
-}
-
-func TestReadASN1OptionalInteger(t *testing.T) {
-	for _, test := range optionalIntTestData {
-		t.Run(test.name, func(t *testing.T) {
-			in := String(test.in)
-			var out int
-			ok := in.ReadOptionalASN1Integer(&out, test.tag, defaultInt)
-			if ok != test.ok || ok && out != test.out.(int) {
-				t.Errorf("in.ReadOptionalASN1Integer() = %v, want %v; out = %v, want %v", ok, test.ok, out, test.out)
-			}
-		})
-	}
-}
-
-func TestReadASN1IntegerSigned(t *testing.T) {
-	testData64 := []struct {
-		in  []byte
-		out int64
-	}{
-		{[]byte{2, 3, 128, 0, 0}, -0x800000},
-		{[]byte{2, 2, 255, 0}, -256},
-		{[]byte{2, 2, 255, 127}, -129},
-		{[]byte{2, 1, 128}, -128},
-		{[]byte{2, 1, 255}, -1},
-		{[]byte{2, 1, 0}, 0},
-		{[]byte{2, 1, 1}, 1},
-		{[]byte{2, 1, 2}, 2},
-		{[]byte{2, 1, 127}, 127},
-		{[]byte{2, 2, 0, 128}, 128},
-		{[]byte{2, 2, 1, 0}, 256},
-		{[]byte{2, 4, 0, 128, 0, 0}, 0x800000},
-	}
-	for i, test := range testData64 {
-		in := String(test.in)
-		var out int64
-		ok := in.ReadASN1Integer(&out)
-		if !ok || out != test.out {
-			t.Errorf("#%d: in.ReadASN1Integer() = %v, want true; out = %d, want %d", i, ok, out, test.out)
-		}
-	}
-
-	// Repeat the same cases, reading into a big.Int.
-	t.Run("big.Int", func(t *testing.T) {
-		for i, test := range testData64 {
-			in := String(test.in)
-			var out big.Int
-			ok := in.ReadASN1Integer(&out)
-			if !ok || out.Int64() != test.out {
-				t.Errorf("#%d: in.ReadASN1Integer() = %v, want true; out = %d, want %d", i, ok, out.Int64(), test.out)
-			}
-		}
-	})
-}
-
-func TestReadASN1IntegerUnsigned(t *testing.T) {
-	testData := []struct {
-		in  []byte
-		out uint64
-	}{
-		{[]byte{2, 1, 0}, 0},
-		{[]byte{2, 1, 1}, 1},
-		{[]byte{2, 1, 2}, 2},
-		{[]byte{2, 1, 127}, 127},
-		{[]byte{2, 2, 0, 128}, 128},
-		{[]byte{2, 2, 1, 0}, 256},
-		{[]byte{2, 4, 0, 128, 0, 0}, 0x800000},
-		{[]byte{2, 8, 127, 255, 255, 255, 255, 255, 255, 255}, 0x7fffffffffffffff},
-		{[]byte{2, 9, 0, 128, 0, 0, 0, 0, 0, 0, 0}, 0x8000000000000000},
-		{[]byte{2, 9, 0, 255, 255, 255, 255, 255, 255, 255, 255}, 0xffffffffffffffff},
-	}
-	for i, test := range testData {
-		in := String(test.in)
-		var out uint64
-		ok := in.ReadASN1Integer(&out)
-		if !ok || out != test.out {
-			t.Errorf("#%d: in.ReadASN1Integer() = %v, want true; out = %d, want %d", i, ok, out, test.out)
-		}
-	}
-}
-
-func TestReadASN1IntegerInvalid(t *testing.T) {
-	testData := []String{
-		[]byte{3, 1, 0}, // invalid tag
-		// truncated
-		[]byte{2, 1},
-		[]byte{2, 2, 0},
-		// not minimally encoded
-		[]byte{2, 2, 0, 1},
-		[]byte{2, 2, 0xff, 0xff},
-	}
-
-	for i, test := range testData {
-		var out int64
-		if test.ReadASN1Integer(&out) {
-			t.Errorf("#%d: in.ReadASN1Integer() = true, want false (out = %d)", i, out)
-		}
-	}
-}
-
-func TestASN1ObjectIdentifier(t *testing.T) {
-	testData := []struct {
-		in  []byte
-		ok  bool
-		out []int
-	}{
-		{[]byte{}, false, []int{}},
-		{[]byte{6, 0}, false, []int{}},
-		{[]byte{5, 1, 85}, false, []int{2, 5}},
-		{[]byte{6, 1, 85}, true, []int{2, 5}},
-		{[]byte{6, 2, 85, 0x02}, true, []int{2, 5, 2}},
-		{[]byte{6, 4, 85, 0x02, 0xc0, 0x00}, true, []int{2, 5, 2, 0x2000}},
-		{[]byte{6, 3, 0x81, 0x34, 0x03}, true, []int{2, 100, 3}},
-		{[]byte{6, 7, 85, 0x02, 0xc0, 0x80, 0x80, 0x80, 0x80}, false, []int{}},
-	}
-
-	for i, test := range testData {
-		in := String(test.in)
-		var out encoding_asn1.ObjectIdentifier
-		ok := in.ReadASN1ObjectIdentifier(&out)
-		if ok != test.ok || ok && !out.Equal(test.out) {
-			t.Errorf("#%d: in.ReadASN1ObjectIdentifier() = %v, want %v; out = %v, want %v", i, ok, test.ok, out, test.out)
-			continue
-		}
-
-		var b Builder
-		b.AddASN1ObjectIdentifier(out)
-		result, err := b.Bytes()
-		if builderOk := err == nil; test.ok != builderOk {
-			t.Errorf("#%d: error from Builder.Bytes: %s", i, err)
-			continue
-		}
-		if test.ok && !bytes.Equal(result, test.in) {
-			t.Errorf("#%d: reserialisation didn't match, got %x, want %x", i, result, test.in)
-			continue
-		}
-	}
-}
-
-func TestReadASN1GeneralizedTime(t *testing.T) {
-	testData := []struct {
-		in  string
-		ok  bool
-		out time.Time
-	}{
-		{"20100102030405Z", true, time.Date(2010, 01, 02, 03, 04, 05, 0, time.UTC)},
-		{"20100102030405", false, time.Time{}},
-		{"20100102030405+0607", true, time.Date(2010, 01, 02, 03, 04, 05, 0, time.FixedZone("", 6*60*60+7*60))},
-		{"20100102030405-0607", true, time.Date(2010, 01, 02, 03, 04, 05, 0, time.FixedZone("", -6*60*60-7*60))},
-		/* These are invalid times. However, the time package normalises times
-		 * and they were accepted in some versions. See #11134. */
-		{"00000100000000Z", false, time.Time{}},
-		{"20101302030405Z", false, time.Time{}},
-		{"20100002030405Z", false, time.Time{}},
-		{"20100100030405Z", false, time.Time{}},
-		{"20100132030405Z", false, time.Time{}},
-		{"20100231030405Z", false, time.Time{}},
-		{"20100102240405Z", false, time.Time{}},
-		{"20100102036005Z", false, time.Time{}},
-		{"20100102030460Z", false, time.Time{}},
-		{"-20100102030410Z", false, time.Time{}},
-		{"2010-0102030410Z", false, time.Time{}},
-		{"2010-0002030410Z", false, time.Time{}},
-		{"201001-02030410Z", false, time.Time{}},
-		{"20100102-030410Z", false, time.Time{}},
-		{"2010010203-0410Z", false, time.Time{}},
-		{"201001020304-10Z", false, time.Time{}},
-	}
-	for i, test := range testData {
-		in := String(append([]byte{byte(asn1.GeneralizedTime), byte(len(test.in))}, test.in...))
-		var out time.Time
-		ok := in.ReadASN1GeneralizedTime(&out)
-		if ok != test.ok || ok && !reflect.DeepEqual(out, test.out) {
-			t.Errorf("#%d: in.ReadASN1GeneralizedTime() = %v, want %v; out = %q, want %q", i, ok, test.ok, out, test.out)
-		}
-	}
-}
-
-func TestReadASN1BitString(t *testing.T) {
-	testData := []struct {
-		in  []byte
-		ok  bool
-		out encoding_asn1.BitString
-	}{
-		{[]byte{}, false, encoding_asn1.BitString{}},
-		{[]byte{0x00}, true, encoding_asn1.BitString{}},
-		{[]byte{0x07, 0x00}, true, encoding_asn1.BitString{Bytes: []byte{0}, BitLength: 1}},
-		{[]byte{0x07, 0x01}, false, encoding_asn1.BitString{}},
-		{[]byte{0x07, 0x40}, false, encoding_asn1.BitString{}},
-		{[]byte{0x08, 0x00}, false, encoding_asn1.BitString{}},
-		{[]byte{0xff}, false, encoding_asn1.BitString{}},
-		{[]byte{0xfe, 0x00}, false, encoding_asn1.BitString{}},
-	}
-	for i, test := range testData {
-		in := String(append([]byte{3, byte(len(test.in))}, test.in...))
-		var out encoding_asn1.BitString
-		ok := in.ReadASN1BitString(&out)
-		if ok != test.ok || ok && (!bytes.Equal(out.Bytes, test.out.Bytes) || out.BitLength != test.out.BitLength) {
-			t.Errorf("#%d: in.ReadASN1BitString() = %v, want %v; out = %v, want %v", i, ok, test.ok, out, test.out)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/cryptobyte/builder.go b/vendor/golang.org/x/crypto/cryptobyte/builder.go
deleted file mode 100644
index 29b4c764..00000000
--- a/vendor/golang.org/x/crypto/cryptobyte/builder.go
+++ /dev/null
@@ -1,309 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cryptobyte
-
-import (
-	"errors"
-	"fmt"
-)
-
-// A Builder builds byte strings from fixed-length and length-prefixed values.
-// Builders either allocate space as needed, or are ‘fixed’, which means that
-// they write into a given buffer and produce an error if it's exhausted.
-//
-// The zero value is a usable Builder that allocates space as needed.
-//
-// Simple values are marshaled and appended to a Builder using methods on the
-// Builder. Length-prefixed values are marshaled by providing a
-// BuilderContinuation, which is a function that writes the inner contents of
-// the value to a given Builder. See the documentation for BuilderContinuation
-// for details.
-type Builder struct {
-	err            error
-	result         []byte
-	fixedSize      bool
-	child          *Builder
-	offset         int
-	pendingLenLen  int
-	pendingIsASN1  bool
-	inContinuation *bool
-}
-
-// NewBuilder creates a Builder that appends its output to the given buffer.
-// Like append(), the slice will be reallocated if its capacity is exceeded.
-// Use Bytes to get the final buffer.
-func NewBuilder(buffer []byte) *Builder {
-	return &Builder{
-		result: buffer,
-	}
-}
-
-// NewFixedBuilder creates a Builder that appends its output into the given
-// buffer. This builder does not reallocate the output buffer. Writes that
-// would exceed the buffer's capacity are treated as an error.
-func NewFixedBuilder(buffer []byte) *Builder {
-	return &Builder{
-		result:    buffer,
-		fixedSize: true,
-	}
-}
-
-// Bytes returns the bytes written by the builder or an error if one has
-// occurred during during building.
-func (b *Builder) Bytes() ([]byte, error) {
-	if b.err != nil {
-		return nil, b.err
-	}
-	return b.result[b.offset:], nil
-}
-
-// BytesOrPanic returns the bytes written by the builder or panics if an error
-// has occurred during building.
-func (b *Builder) BytesOrPanic() []byte {
-	if b.err != nil {
-		panic(b.err)
-	}
-	return b.result[b.offset:]
-}
-
-// AddUint8 appends an 8-bit value to the byte string.
-func (b *Builder) AddUint8(v uint8) {
-	b.add(byte(v))
-}
-
-// AddUint16 appends a big-endian, 16-bit value to the byte string.
-func (b *Builder) AddUint16(v uint16) {
-	b.add(byte(v>>8), byte(v))
-}
-
-// AddUint24 appends a big-endian, 24-bit value to the byte string. The highest
-// byte of the 32-bit input value is silently truncated.
-func (b *Builder) AddUint24(v uint32) {
-	b.add(byte(v>>16), byte(v>>8), byte(v))
-}
-
-// AddUint32 appends a big-endian, 32-bit value to the byte string.
-func (b *Builder) AddUint32(v uint32) {
-	b.add(byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
-}
-
-// AddBytes appends a sequence of bytes to the byte string.
-func (b *Builder) AddBytes(v []byte) {
-	b.add(v...)
-}
-
-// BuilderContinuation is continuation-passing interface for building
-// length-prefixed byte sequences. Builder methods for length-prefixed
-// sequences (AddUint8LengthPrefixed etc) will invoke the BuilderContinuation
-// supplied to them. The child builder passed to the continuation can be used
-// to build the content of the length-prefixed sequence. For example:
-//
-//   parent := cryptobyte.NewBuilder()
-//   parent.AddUint8LengthPrefixed(func (child *Builder) {
-//     child.AddUint8(42)
-//     child.AddUint8LengthPrefixed(func (grandchild *Builder) {
-//       grandchild.AddUint8(5)
-//     })
-//   })
-//
-// It is an error to write more bytes to the child than allowed by the reserved
-// length prefix. After the continuation returns, the child must be considered
-// invalid, i.e. users must not store any copies or references of the child
-// that outlive the continuation.
-//
-// If the continuation panics with a value of type BuildError then the inner
-// error will be returned as the error from Bytes. If the child panics
-// otherwise then Bytes will repanic with the same value.
-type BuilderContinuation func(child *Builder)
-
-// BuildError wraps an error. If a BuilderContinuation panics with this value,
-// the panic will be recovered and the inner error will be returned from
-// Builder.Bytes.
-type BuildError struct {
-	Err error
-}
-
-// AddUint8LengthPrefixed adds a 8-bit length-prefixed byte sequence.
-func (b *Builder) AddUint8LengthPrefixed(f BuilderContinuation) {
-	b.addLengthPrefixed(1, false, f)
-}
-
-// AddUint16LengthPrefixed adds a big-endian, 16-bit length-prefixed byte sequence.
-func (b *Builder) AddUint16LengthPrefixed(f BuilderContinuation) {
-	b.addLengthPrefixed(2, false, f)
-}
-
-// AddUint24LengthPrefixed adds a big-endian, 24-bit length-prefixed byte sequence.
-func (b *Builder) AddUint24LengthPrefixed(f BuilderContinuation) {
-	b.addLengthPrefixed(3, false, f)
-}
-
-// AddUint32LengthPrefixed adds a big-endian, 32-bit length-prefixed byte sequence.
-func (b *Builder) AddUint32LengthPrefixed(f BuilderContinuation) {
-	b.addLengthPrefixed(4, false, f)
-}
-
-func (b *Builder) callContinuation(f BuilderContinuation, arg *Builder) {
-	if !*b.inContinuation {
-		*b.inContinuation = true
-
-		defer func() {
-			*b.inContinuation = false
-
-			r := recover()
-			if r == nil {
-				return
-			}
-
-			if buildError, ok := r.(BuildError); ok {
-				b.err = buildError.Err
-			} else {
-				panic(r)
-			}
-		}()
-	}
-
-	f(arg)
-}
-
-func (b *Builder) addLengthPrefixed(lenLen int, isASN1 bool, f BuilderContinuation) {
-	// Subsequent writes can be ignored if the builder has encountered an error.
-	if b.err != nil {
-		return
-	}
-
-	offset := len(b.result)
-	b.add(make([]byte, lenLen)...)
-
-	if b.inContinuation == nil {
-		b.inContinuation = new(bool)
-	}
-
-	b.child = &Builder{
-		result:         b.result,
-		fixedSize:      b.fixedSize,
-		offset:         offset,
-		pendingLenLen:  lenLen,
-		pendingIsASN1:  isASN1,
-		inContinuation: b.inContinuation,
-	}
-
-	b.callContinuation(f, b.child)
-	b.flushChild()
-	if b.child != nil {
-		panic("cryptobyte: internal error")
-	}
-}
-
-func (b *Builder) flushChild() {
-	if b.child == nil {
-		return
-	}
-	b.child.flushChild()
-	child := b.child
-	b.child = nil
-
-	if child.err != nil {
-		b.err = child.err
-		return
-	}
-
-	length := len(child.result) - child.pendingLenLen - child.offset
-
-	if length < 0 {
-		panic("cryptobyte: internal error") // result unexpectedly shrunk
-	}
-
-	if child.pendingIsASN1 {
-		// For ASN.1, we reserved a single byte for the length. If that turned out
-		// to be incorrect, we have to move the contents along in order to make
-		// space.
-		if child.pendingLenLen != 1 {
-			panic("cryptobyte: internal error")
-		}
-		var lenLen, lenByte uint8
-		if int64(length) > 0xfffffffe {
-			b.err = errors.New("pending ASN.1 child too long")
-			return
-		} else if length > 0xffffff {
-			lenLen = 5
-			lenByte = 0x80 | 4
-		} else if length > 0xffff {
-			lenLen = 4
-			lenByte = 0x80 | 3
-		} else if length > 0xff {
-			lenLen = 3
-			lenByte = 0x80 | 2
-		} else if length > 0x7f {
-			lenLen = 2
-			lenByte = 0x80 | 1
-		} else {
-			lenLen = 1
-			lenByte = uint8(length)
-			length = 0
-		}
-
-		// Insert the initial length byte, make space for successive length bytes,
-		// and adjust the offset.
-		child.result[child.offset] = lenByte
-		extraBytes := int(lenLen - 1)
-		if extraBytes != 0 {
-			child.add(make([]byte, extraBytes)...)
-			childStart := child.offset + child.pendingLenLen
-			copy(child.result[childStart+extraBytes:], child.result[childStart:])
-		}
-		child.offset++
-		child.pendingLenLen = extraBytes
-	}
-
-	l := length
-	for i := child.pendingLenLen - 1; i >= 0; i-- {
-		child.result[child.offset+i] = uint8(l)
-		l >>= 8
-	}
-	if l != 0 {
-		b.err = fmt.Errorf("cryptobyte: pending child length %d exceeds %d-byte length prefix", length, child.pendingLenLen)
-		return
-	}
-
-	if !b.fixedSize {
-		b.result = child.result // In case child reallocated result.
-	}
-}
-
-func (b *Builder) add(bytes ...byte) {
-	if b.err != nil {
-		return
-	}
-	if b.child != nil {
-		panic("attempted write while child is pending")
-	}
-	if len(b.result)+len(bytes) < len(bytes) {
-		b.err = errors.New("cryptobyte: length overflow")
-	}
-	if b.fixedSize && len(b.result)+len(bytes) > cap(b.result) {
-		b.err = errors.New("cryptobyte: Builder is exceeding its fixed-size buffer")
-		return
-	}
-	b.result = append(b.result, bytes...)
-}
-
-// A MarshalingValue marshals itself into a Builder.
-type MarshalingValue interface {
-	// Marshal is called by Builder.AddValue. It receives a pointer to a builder
-	// to marshal itself into. It may return an error that occurred during
-	// marshaling, such as unset or invalid values.
-	Marshal(b *Builder) error
-}
-
-// AddValue calls Marshal on v, passing a pointer to the builder to append to.
-// If Marshal returns an error, it is set on the Builder so that subsequent
-// appends don't have an effect.
-func (b *Builder) AddValue(v MarshalingValue) {
-	err := v.Marshal(b)
-	if err != nil {
-		b.err = err
-	}
-}
diff --git a/vendor/golang.org/x/crypto/cryptobyte/cryptobyte_test.go b/vendor/golang.org/x/crypto/cryptobyte/cryptobyte_test.go
deleted file mode 100644
index f294dd55..00000000
--- a/vendor/golang.org/x/crypto/cryptobyte/cryptobyte_test.go
+++ /dev/null
@@ -1,428 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cryptobyte
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"testing"
-)
-
-func builderBytesEq(b *Builder, want ...byte) error {
-	got := b.BytesOrPanic()
-	if !bytes.Equal(got, want) {
-		return fmt.Errorf("Bytes() = %v, want %v", got, want)
-	}
-	return nil
-}
-
-func TestContinuationError(t *testing.T) {
-	const errorStr = "TestContinuationError"
-	var b Builder
-	b.AddUint8LengthPrefixed(func(b *Builder) {
-		b.AddUint8(1)
-		panic(BuildError{Err: errors.New(errorStr)})
-	})
-
-	ret, err := b.Bytes()
-	if ret != nil {
-		t.Error("expected nil result")
-	}
-	if err == nil {
-		t.Fatal("unexpected nil error")
-	}
-	if s := err.Error(); s != errorStr {
-		t.Errorf("expected error %q, got %v", errorStr, s)
-	}
-}
-
-func TestContinuationNonError(t *testing.T) {
-	defer func() {
-		recover()
-	}()
-
-	var b Builder
-	b.AddUint8LengthPrefixed(func(b *Builder) {
-		b.AddUint8(1)
-		panic(1)
-	})
-
-	t.Error("Builder did not panic")
-}
-
-func TestGeneratedPanic(t *testing.T) {
-	defer func() {
-		recover()
-	}()
-
-	var b Builder
-	b.AddUint8LengthPrefixed(func(b *Builder) {
-		var p *byte
-		*p = 0
-	})
-
-	t.Error("Builder did not panic")
-}
-
-func TestBytes(t *testing.T) {
-	var b Builder
-	v := []byte("foobarbaz")
-	b.AddBytes(v[0:3])
-	b.AddBytes(v[3:4])
-	b.AddBytes(v[4:9])
-	if err := builderBytesEq(&b, v...); err != nil {
-		t.Error(err)
-	}
-	s := String(b.BytesOrPanic())
-	for _, w := range []string{"foo", "bar", "baz"} {
-		var got []byte
-		if !s.ReadBytes(&got, 3) {
-			t.Errorf("ReadBytes() = false, want true (w = %v)", w)
-		}
-		want := []byte(w)
-		if !bytes.Equal(got, want) {
-			t.Errorf("ReadBytes(): got = %v, want %v", got, want)
-		}
-	}
-	if len(s) != 0 {
-		t.Errorf("len(s) = %d, want 0", len(s))
-	}
-}
-
-func TestUint8(t *testing.T) {
-	var b Builder
-	b.AddUint8(42)
-	if err := builderBytesEq(&b, 42); err != nil {
-		t.Error(err)
-	}
-
-	var s String = b.BytesOrPanic()
-	var v uint8
-	if !s.ReadUint8(&v) {
-		t.Error("ReadUint8() = false, want true")
-	}
-	if v != 42 {
-		t.Errorf("v = %d, want 42", v)
-	}
-	if len(s) != 0 {
-		t.Errorf("len(s) = %d, want 0", len(s))
-	}
-}
-
-func TestUint16(t *testing.T) {
-	var b Builder
-	b.AddUint16(65534)
-	if err := builderBytesEq(&b, 255, 254); err != nil {
-		t.Error(err)
-	}
-	var s String = b.BytesOrPanic()
-	var v uint16
-	if !s.ReadUint16(&v) {
-		t.Error("ReadUint16() == false, want true")
-	}
-	if v != 65534 {
-		t.Errorf("v = %d, want 65534", v)
-	}
-	if len(s) != 0 {
-		t.Errorf("len(s) = %d, want 0", len(s))
-	}
-}
-
-func TestUint24(t *testing.T) {
-	var b Builder
-	b.AddUint24(0xfffefd)
-	if err := builderBytesEq(&b, 255, 254, 253); err != nil {
-		t.Error(err)
-	}
-
-	var s String = b.BytesOrPanic()
-	var v uint32
-	if !s.ReadUint24(&v) {
-		t.Error("ReadUint8() = false, want true")
-	}
-	if v != 0xfffefd {
-		t.Errorf("v = %d, want fffefd", v)
-	}
-	if len(s) != 0 {
-		t.Errorf("len(s) = %d, want 0", len(s))
-	}
-}
-
-func TestUint24Truncation(t *testing.T) {
-	var b Builder
-	b.AddUint24(0x10111213)
-	if err := builderBytesEq(&b, 0x11, 0x12, 0x13); err != nil {
-		t.Error(err)
-	}
-}
-
-func TestUint32(t *testing.T) {
-	var b Builder
-	b.AddUint32(0xfffefdfc)
-	if err := builderBytesEq(&b, 255, 254, 253, 252); err != nil {
-		t.Error(err)
-	}
-
-	var s String = b.BytesOrPanic()
-	var v uint32
-	if !s.ReadUint32(&v) {
-		t.Error("ReadUint8() = false, want true")
-	}
-	if v != 0xfffefdfc {
-		t.Errorf("v = %x, want fffefdfc", v)
-	}
-	if len(s) != 0 {
-		t.Errorf("len(s) = %d, want 0", len(s))
-	}
-}
-
-func TestUMultiple(t *testing.T) {
-	var b Builder
-	b.AddUint8(23)
-	b.AddUint32(0xfffefdfc)
-	b.AddUint16(42)
-	if err := builderBytesEq(&b, 23, 255, 254, 253, 252, 0, 42); err != nil {
-		t.Error(err)
-	}
-
-	var s String = b.BytesOrPanic()
-	var (
-		x uint8
-		y uint32
-		z uint16
-	)
-	if !s.ReadUint8(&x) || !s.ReadUint32(&y) || !s.ReadUint16(&z) {
-		t.Error("ReadUint8() = false, want true")
-	}
-	if x != 23 || y != 0xfffefdfc || z != 42 {
-		t.Errorf("x, y, z = %d, %d, %d; want 23, 4294901244, 5", x, y, z)
-	}
-	if len(s) != 0 {
-		t.Errorf("len(s) = %d, want 0", len(s))
-	}
-}
-
-func TestUint8LengthPrefixedSimple(t *testing.T) {
-	var b Builder
-	b.AddUint8LengthPrefixed(func(c *Builder) {
-		c.AddUint8(23)
-		c.AddUint8(42)
-	})
-	if err := builderBytesEq(&b, 2, 23, 42); err != nil {
-		t.Error(err)
-	}
-
-	var base, child String = b.BytesOrPanic(), nil
-	var x, y uint8
-	if !base.ReadUint8LengthPrefixed(&child) || !child.ReadUint8(&x) ||
-		!child.ReadUint8(&y) {
-		t.Error("parsing failed")
-	}
-	if x != 23 || y != 42 {
-		t.Errorf("want x, y == 23, 42; got %d, %d", x, y)
-	}
-	if len(base) != 0 {
-		t.Errorf("len(base) = %d, want 0", len(base))
-	}
-	if len(child) != 0 {
-		t.Errorf("len(child) = %d, want 0", len(child))
-	}
-}
-
-func TestUint8LengthPrefixedMulti(t *testing.T) {
-	var b Builder
-	b.AddUint8LengthPrefixed(func(c *Builder) {
-		c.AddUint8(23)
-		c.AddUint8(42)
-	})
-	b.AddUint8(5)
-	b.AddUint8LengthPrefixed(func(c *Builder) {
-		c.AddUint8(123)
-		c.AddUint8(234)
-	})
-	if err := builderBytesEq(&b, 2, 23, 42, 5, 2, 123, 234); err != nil {
-		t.Error(err)
-	}
-
-	var s, child String = b.BytesOrPanic(), nil
-	var u, v, w, x, y uint8
-	if !s.ReadUint8LengthPrefixed(&child) || !child.ReadUint8(&u) || !child.ReadUint8(&v) ||
-		!s.ReadUint8(&w) || !s.ReadUint8LengthPrefixed(&child) || !child.ReadUint8(&x) || !child.ReadUint8(&y) {
-		t.Error("parsing failed")
-	}
-	if u != 23 || v != 42 || w != 5 || x != 123 || y != 234 {
-		t.Errorf("u, v, w, x, y = %d, %d, %d, %d, %d; want 23, 42, 5, 123, 234",
-			u, v, w, x, y)
-	}
-	if len(s) != 0 {
-		t.Errorf("len(s) = %d, want 0", len(s))
-	}
-	if len(child) != 0 {
-		t.Errorf("len(child) = %d, want 0", len(child))
-	}
-}
-
-func TestUint8LengthPrefixedNested(t *testing.T) {
-	var b Builder
-	b.AddUint8LengthPrefixed(func(c *Builder) {
-		c.AddUint8(5)
-		c.AddUint8LengthPrefixed(func(d *Builder) {
-			d.AddUint8(23)
-			d.AddUint8(42)
-		})
-		c.AddUint8(123)
-	})
-	if err := builderBytesEq(&b, 5, 5, 2, 23, 42, 123); err != nil {
-		t.Error(err)
-	}
-
-	var base, child1, child2 String = b.BytesOrPanic(), nil, nil
-	var u, v, w, x uint8
-	if !base.ReadUint8LengthPrefixed(&child1) {
-		t.Error("parsing base failed")
-	}
-	if !child1.ReadUint8(&u) || !child1.ReadUint8LengthPrefixed(&child2) || !child1.ReadUint8(&x) {
-		t.Error("parsing child1 failed")
-	}
-	if !child2.ReadUint8(&v) || !child2.ReadUint8(&w) {
-		t.Error("parsing child2 failed")
-	}
-	if u != 5 || v != 23 || w != 42 || x != 123 {
-		t.Errorf("u, v, w, x = %d, %d, %d, %d, want 5, 23, 42, 123",
-			u, v, w, x)
-	}
-	if len(base) != 0 {
-		t.Errorf("len(base) = %d, want 0", len(base))
-	}
-	if len(child1) != 0 {
-		t.Errorf("len(child1) = %d, want 0", len(child1))
-	}
-	if len(base) != 0 {
-		t.Errorf("len(child2) = %d, want 0", len(child2))
-	}
-}
-
-func TestPreallocatedBuffer(t *testing.T) {
-	var buf [5]byte
-	b := NewBuilder(buf[0:0])
-	b.AddUint8(1)
-	b.AddUint8LengthPrefixed(func(c *Builder) {
-		c.AddUint8(3)
-		c.AddUint8(4)
-	})
-	b.AddUint16(1286) // Outgrow buf by one byte.
-	want := []byte{1, 2, 3, 4, 0}
-	if !bytes.Equal(buf[:], want) {
-		t.Errorf("buf = %v want %v", buf, want)
-	}
-	if err := builderBytesEq(b, 1, 2, 3, 4, 5, 6); err != nil {
-		t.Error(err)
-	}
-}
-
-func TestWriteWithPendingChild(t *testing.T) {
-	var b Builder
-	b.AddUint8LengthPrefixed(func(c *Builder) {
-		c.AddUint8LengthPrefixed(func(d *Builder) {
-			defer func() {
-				if recover() == nil {
-					t.Errorf("recover() = nil, want error; c.AddUint8() did not panic")
-				}
-			}()
-			c.AddUint8(2) // panics
-
-			defer func() {
-				if recover() == nil {
-					t.Errorf("recover() = nil, want error; b.AddUint8() did not panic")
-				}
-			}()
-			b.AddUint8(2) // panics
-		})
-
-		defer func() {
-			if recover() == nil {
-				t.Errorf("recover() = nil, want error; b.AddUint8() did not panic")
-			}
-		}()
-		b.AddUint8(2) // panics
-	})
-}
-
-// ASN.1
-
-func TestASN1Int64(t *testing.T) {
-	tests := []struct {
-		in   int64
-		want []byte
-	}{
-		{-0x800000, []byte{2, 3, 128, 0, 0}},
-		{-256, []byte{2, 2, 255, 0}},
-		{-129, []byte{2, 2, 255, 127}},
-		{-128, []byte{2, 1, 128}},
-		{-1, []byte{2, 1, 255}},
-		{0, []byte{2, 1, 0}},
-		{1, []byte{2, 1, 1}},
-		{2, []byte{2, 1, 2}},
-		{127, []byte{2, 1, 127}},
-		{128, []byte{2, 2, 0, 128}},
-		{256, []byte{2, 2, 1, 0}},
-		{0x800000, []byte{2, 4, 0, 128, 0, 0}},
-	}
-	for i, tt := range tests {
-		var b Builder
-		b.AddASN1Int64(tt.in)
-		if err := builderBytesEq(&b, tt.want...); err != nil {
-			t.Errorf("%v, (i = %d; in = %v)", err, i, tt.in)
-		}
-
-		var n int64
-		s := String(b.BytesOrPanic())
-		ok := s.ReadASN1Integer(&n)
-		if !ok || n != tt.in {
-			t.Errorf("s.ReadASN1Integer(&n) = %v, n = %d; want true, n = %d (i = %d)",
-				ok, n, tt.in, i)
-		}
-		if len(s) != 0 {
-			t.Errorf("len(s) = %d, want 0", len(s))
-		}
-	}
-}
-
-func TestASN1Uint64(t *testing.T) {
-	tests := []struct {
-		in   uint64
-		want []byte
-	}{
-		{0, []byte{2, 1, 0}},
-		{1, []byte{2, 1, 1}},
-		{2, []byte{2, 1, 2}},
-		{127, []byte{2, 1, 127}},
-		{128, []byte{2, 2, 0, 128}},
-		{256, []byte{2, 2, 1, 0}},
-		{0x800000, []byte{2, 4, 0, 128, 0, 0}},
-		{0x7fffffffffffffff, []byte{2, 8, 127, 255, 255, 255, 255, 255, 255, 255}},
-		{0x8000000000000000, []byte{2, 9, 0, 128, 0, 0, 0, 0, 0, 0, 0}},
-		{0xffffffffffffffff, []byte{2, 9, 0, 255, 255, 255, 255, 255, 255, 255, 255}},
-	}
-	for i, tt := range tests {
-		var b Builder
-		b.AddASN1Uint64(tt.in)
-		if err := builderBytesEq(&b, tt.want...); err != nil {
-			t.Errorf("%v, (i = %d; in = %v)", err, i, tt.in)
-		}
-
-		var n uint64
-		s := String(b.BytesOrPanic())
-		ok := s.ReadASN1Integer(&n)
-		if !ok || n != tt.in {
-			t.Errorf("s.ReadASN1Integer(&n) = %v, n = %d; want true, n = %d (i = %d)",
-				ok, n, tt.in, i)
-		}
-		if len(s) != 0 {
-			t.Errorf("len(s) = %d, want 0", len(s))
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/cryptobyte/example_test.go b/vendor/golang.org/x/crypto/cryptobyte/example_test.go
deleted file mode 100644
index 86c098ad..00000000
--- a/vendor/golang.org/x/crypto/cryptobyte/example_test.go
+++ /dev/null
@@ -1,154 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cryptobyte_test
-
-import (
-	"errors"
-	"fmt"
-
-	"golang.org/x/crypto/cryptobyte"
-	"golang.org/x/crypto/cryptobyte/asn1"
-)
-
-func ExampleString_lengthPrefixed() {
-	// This is an example of parsing length-prefixed data (as found in, for
-	// example, TLS). Imagine a 16-bit prefixed series of 8-bit prefixed
-	// strings.
-
-	input := cryptobyte.String([]byte{0, 12, 5, 'h', 'e', 'l', 'l', 'o', 5, 'w', 'o', 'r', 'l', 'd'})
-	var result []string
-
-	var values cryptobyte.String
-	if !input.ReadUint16LengthPrefixed(&values) ||
-		!input.Empty() {
-		panic("bad format")
-	}
-
-	for !values.Empty() {
-		var value cryptobyte.String
-		if !values.ReadUint8LengthPrefixed(&value) {
-			panic("bad format")
-		}
-
-		result = append(result, string(value))
-	}
-
-	// Output: []string{"hello", "world"}
-	fmt.Printf("%#v\n", result)
-}
-
-func ExampleString_aSN1() {
-	// This is an example of parsing ASN.1 data that looks like:
-	//    Foo ::= SEQUENCE {
-	//      version [6] INTEGER DEFAULT 0
-	//      data OCTET STRING
-	//    }
-
-	input := cryptobyte.String([]byte{0x30, 12, 0xa6, 3, 2, 1, 2, 4, 5, 'h', 'e', 'l', 'l', 'o'})
-
-	var (
-		version                   int64
-		data, inner, versionBytes cryptobyte.String
-		haveVersion               bool
-	)
-	if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
-		!input.Empty() ||
-		!inner.ReadOptionalASN1(&versionBytes, &haveVersion, asn1.Tag(6).Constructed().ContextSpecific()) ||
-		(haveVersion && !versionBytes.ReadASN1Integer(&version)) ||
-		(haveVersion && !versionBytes.Empty()) ||
-		!inner.ReadASN1(&data, asn1.OCTET_STRING) ||
-		!inner.Empty() {
-		panic("bad format")
-	}
-
-	// Output: haveVersion: true, version: 2, data: hello
-	fmt.Printf("haveVersion: %t, version: %d, data: %s\n", haveVersion, version, string(data))
-}
-
-func ExampleBuilder_aSN1() {
-	// This is an example of building ASN.1 data that looks like:
-	//    Foo ::= SEQUENCE {
-	//      version [6] INTEGER DEFAULT 0
-	//      data OCTET STRING
-	//    }
-
-	version := int64(2)
-	data := []byte("hello")
-	const defaultVersion = 0
-
-	var b cryptobyte.Builder
-	b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
-		if version != defaultVersion {
-			b.AddASN1(asn1.Tag(6).Constructed().ContextSpecific(), func(b *cryptobyte.Builder) {
-				b.AddASN1Int64(version)
-			})
-		}
-		b.AddASN1OctetString(data)
-	})
-
-	result, err := b.Bytes()
-	if err != nil {
-		panic(err)
-	}
-
-	// Output: 300ca603020102040568656c6c6f
-	fmt.Printf("%x\n", result)
-}
-
-func ExampleBuilder_lengthPrefixed() {
-	// This is an example of building length-prefixed data (as found in,
-	// for example, TLS). Imagine a 16-bit prefixed series of 8-bit
-	// prefixed strings.
-	input := []string{"hello", "world"}
-
-	var b cryptobyte.Builder
-	b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
-		for _, value := range input {
-			b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
-				b.AddBytes([]byte(value))
-			})
-		}
-	})
-
-	result, err := b.Bytes()
-	if err != nil {
-		panic(err)
-	}
-
-	// Output: 000c0568656c6c6f05776f726c64
-	fmt.Printf("%x\n", result)
-}
-
-func ExampleBuilder_lengthPrefixOverflow() {
-	// Writing more data that can be expressed by the length prefix results
-	// in an error from Bytes().
-
-	tooLarge := make([]byte, 256)
-
-	var b cryptobyte.Builder
-	b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
-		b.AddBytes(tooLarge)
-	})
-
-	result, err := b.Bytes()
-	fmt.Printf("len=%d err=%s\n", len(result), err)
-
-	// Output: len=0 err=cryptobyte: pending child length 256 exceeds 1-byte length prefix
-}
-
-func ExampleBuilderContinuation_errorHandling() {
-	var b cryptobyte.Builder
-	// Continuations that panic with a BuildError will cause Bytes to
-	// return the inner error.
-	b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
-		b.AddUint32(0)
-		panic(cryptobyte.BuildError{Err: errors.New("example error")})
-	})
-
-	result, err := b.Bytes()
-	fmt.Printf("len=%d err=%s\n", len(result), err)
-
-	// Output: len=0 err=example error
-}
diff --git a/vendor/golang.org/x/crypto/cryptobyte/string.go b/vendor/golang.org/x/crypto/cryptobyte/string.go
deleted file mode 100644
index 7636fb9c..00000000
--- a/vendor/golang.org/x/crypto/cryptobyte/string.go
+++ /dev/null
@@ -1,167 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package cryptobyte contains types that help with parsing and constructing
-// length-prefixed, binary messages, including ASN.1 DER. (The asn1 subpackage
-// contains useful ASN.1 constants.)
-//
-// The String type is for parsing. It wraps a []byte slice and provides helper
-// functions for consuming structures, value by value.
-//
-// The Builder type is for constructing messages. It providers helper functions
-// for appending values and also for appending length-prefixed submessages –
-// without having to worry about calculating the length prefix ahead of time.
-//
-// See the documentation and examples for the Builder and String types to get
-// started.
-package cryptobyte // import "golang.org/x/crypto/cryptobyte"
-
-// String represents a string of bytes. It provides methods for parsing
-// fixed-length and length-prefixed values from it.
-type String []byte
-
-// read advances a String by n bytes and returns them. If less than n bytes
-// remain, it returns nil.
-func (s *String) read(n int) []byte {
-	if len(*s) < n {
-		return nil
-	}
-	v := (*s)[:n]
-	*s = (*s)[n:]
-	return v
-}
-
-// Skip advances the String by n byte and reports whether it was successful.
-func (s *String) Skip(n int) bool {
-	return s.read(n) != nil
-}
-
-// ReadUint8 decodes an 8-bit value into out and advances over it. It
-// returns true on success and false on error.
-func (s *String) ReadUint8(out *uint8) bool {
-	v := s.read(1)
-	if v == nil {
-		return false
-	}
-	*out = uint8(v[0])
-	return true
-}
-
-// ReadUint16 decodes a big-endian, 16-bit value into out and advances over it.
-// It returns true on success and false on error.
-func (s *String) ReadUint16(out *uint16) bool {
-	v := s.read(2)
-	if v == nil {
-		return false
-	}
-	*out = uint16(v[0])<<8 | uint16(v[1])
-	return true
-}
-
-// ReadUint24 decodes a big-endian, 24-bit value into out and advances over it.
-// It returns true on success and false on error.
-func (s *String) ReadUint24(out *uint32) bool {
-	v := s.read(3)
-	if v == nil {
-		return false
-	}
-	*out = uint32(v[0])<<16 | uint32(v[1])<<8 | uint32(v[2])
-	return true
-}
-
-// ReadUint32 decodes a big-endian, 32-bit value into out and advances over it.
-// It returns true on success and false on error.
-func (s *String) ReadUint32(out *uint32) bool {
-	v := s.read(4)
-	if v == nil {
-		return false
-	}
-	*out = uint32(v[0])<<24 | uint32(v[1])<<16 | uint32(v[2])<<8 | uint32(v[3])
-	return true
-}
-
-func (s *String) readUnsigned(out *uint32, length int) bool {
-	v := s.read(length)
-	if v == nil {
-		return false
-	}
-	var result uint32
-	for i := 0; i < length; i++ {
-		result <<= 8
-		result |= uint32(v[i])
-	}
-	*out = result
-	return true
-}
-
-func (s *String) readLengthPrefixed(lenLen int, outChild *String) bool {
-	lenBytes := s.read(lenLen)
-	if lenBytes == nil {
-		return false
-	}
-	var length uint32
-	for _, b := range lenBytes {
-		length = length << 8
-		length = length | uint32(b)
-	}
-	if int(length) < 0 {
-		// This currently cannot overflow because we read uint24 at most, but check
-		// anyway in case that changes in the future.
-		return false
-	}
-	v := s.read(int(length))
-	if v == nil {
-		return false
-	}
-	*outChild = v
-	return true
-}
-
-// ReadUint8LengthPrefixed reads the content of an 8-bit length-prefixed value
-// into out and advances over it. It returns true on success and false on
-// error.
-func (s *String) ReadUint8LengthPrefixed(out *String) bool {
-	return s.readLengthPrefixed(1, out)
-}
-
-// ReadUint16LengthPrefixed reads the content of a big-endian, 16-bit
-// length-prefixed value into out and advances over it. It returns true on
-// success and false on error.
-func (s *String) ReadUint16LengthPrefixed(out *String) bool {
-	return s.readLengthPrefixed(2, out)
-}
-
-// ReadUint24LengthPrefixed reads the content of a big-endian, 24-bit
-// length-prefixed value into out and advances over it. It returns true on
-// success and false on error.
-func (s *String) ReadUint24LengthPrefixed(out *String) bool {
-	return s.readLengthPrefixed(3, out)
-}
-
-// ReadBytes reads n bytes into out and advances over them. It returns true on
-// success and false and error.
-func (s *String) ReadBytes(out *[]byte, n int) bool {
-	v := s.read(n)
-	if v == nil {
-		return false
-	}
-	*out = v
-	return true
-}
-
-// CopyBytes copies len(out) bytes into out and advances over them. It returns
-// true on success and false on error.
-func (s *String) CopyBytes(out []byte) bool {
-	n := len(out)
-	v := s.read(n)
-	if v == nil {
-		return false
-	}
-	return copy(out, v) == n
-}
-
-// Empty reports whether the string does not contain any bytes.
-func (s String) Empty() bool {
-	return len(s) == 0
-}
diff --git a/vendor/golang.org/x/crypto/curve25519/const_amd64.h b/vendor/golang.org/x/crypto/curve25519/const_amd64.h
deleted file mode 100644
index b3f74162..00000000
--- a/vendor/golang.org/x/crypto/curve25519/const_amd64.h
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-#define REDMASK51     0x0007FFFFFFFFFFFF
diff --git a/vendor/golang.org/x/crypto/curve25519/const_amd64.s b/vendor/golang.org/x/crypto/curve25519/const_amd64.s
deleted file mode 100644
index ee7b4bd5..00000000
--- a/vendor/golang.org/x/crypto/curve25519/const_amd64.s
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-// These constants cannot be encoded in non-MOVQ immediates.
-// We access them directly from memory instead.
-
-DATA ·_121666_213(SB)/8, $996687872
-GLOBL ·_121666_213(SB), 8, $8
-
-DATA ·_2P0(SB)/8, $0xFFFFFFFFFFFDA
-GLOBL ·_2P0(SB), 8, $8
-
-DATA ·_2P1234(SB)/8, $0xFFFFFFFFFFFFE
-GLOBL ·_2P1234(SB), 8, $8
diff --git a/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s b/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s
deleted file mode 100644
index cd793a5b..00000000
--- a/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s
+++ /dev/null
@@ -1,65 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-// func cswap(inout *[4][5]uint64, v uint64)
-TEXT ·cswap(SB),7,$0
-	MOVQ inout+0(FP),DI
-	MOVQ v+8(FP),SI
-
-	SUBQ $1, SI
-	NOTQ SI
-	MOVQ SI, X15
-	PSHUFD $0x44, X15, X15
-
-	MOVOU 0(DI), X0
-	MOVOU 16(DI), X2
-	MOVOU 32(DI), X4
-	MOVOU 48(DI), X6
-	MOVOU 64(DI), X8
-	MOVOU 80(DI), X1
-	MOVOU 96(DI), X3
-	MOVOU 112(DI), X5
-	MOVOU 128(DI), X7
-	MOVOU 144(DI), X9
-
-	MOVO X1, X10
-	MOVO X3, X11
-	MOVO X5, X12
-	MOVO X7, X13
-	MOVO X9, X14
-
-	PXOR X0, X10
-	PXOR X2, X11
-	PXOR X4, X12
-	PXOR X6, X13
-	PXOR X8, X14
-	PAND X15, X10
-	PAND X15, X11
-	PAND X15, X12
-	PAND X15, X13
-	PAND X15, X14
-	PXOR X10, X0
-	PXOR X10, X1
-	PXOR X11, X2
-	PXOR X11, X3
-	PXOR X12, X4
-	PXOR X12, X5
-	PXOR X13, X6
-	PXOR X13, X7
-	PXOR X14, X8
-	PXOR X14, X9
-
-	MOVOU X0, 0(DI)
-	MOVOU X2, 16(DI)
-	MOVOU X4, 32(DI)
-	MOVOU X6, 48(DI)
-	MOVOU X8, 64(DI)
-	MOVOU X1, 80(DI)
-	MOVOU X3, 96(DI)
-	MOVOU X5, 112(DI)
-	MOVOU X7, 128(DI)
-	MOVOU X9, 144(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/curve25519/curve25519.go b/vendor/golang.org/x/crypto/curve25519/curve25519.go
deleted file mode 100644
index cb8fbc57..00000000
--- a/vendor/golang.org/x/crypto/curve25519/curve25519.go
+++ /dev/null
@@ -1,834 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// We have an implementation in amd64 assembly so this code is only run on
-// non-amd64 platforms. The amd64 assembly does not support gccgo.
-// +build !amd64 gccgo appengine
-
-package curve25519
-
-import (
-	"encoding/binary"
-)
-
-// This code is a port of the public domain, "ref10" implementation of
-// curve25519 from SUPERCOP 20130419 by D. J. Bernstein.
-
-// fieldElement represents an element of the field GF(2^255 - 19). An element
-// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
-// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
-// context.
-type fieldElement [10]int32
-
-func feZero(fe *fieldElement) {
-	for i := range fe {
-		fe[i] = 0
-	}
-}
-
-func feOne(fe *fieldElement) {
-	feZero(fe)
-	fe[0] = 1
-}
-
-func feAdd(dst, a, b *fieldElement) {
-	for i := range dst {
-		dst[i] = a[i] + b[i]
-	}
-}
-
-func feSub(dst, a, b *fieldElement) {
-	for i := range dst {
-		dst[i] = a[i] - b[i]
-	}
-}
-
-func feCopy(dst, src *fieldElement) {
-	for i := range dst {
-		dst[i] = src[i]
-	}
-}
-
-// feCSwap replaces (f,g) with (g,f) if b == 1; replaces (f,g) with (f,g) if b == 0.
-//
-// Preconditions: b in {0,1}.
-func feCSwap(f, g *fieldElement, b int32) {
-	b = -b
-	for i := range f {
-		t := b & (f[i] ^ g[i])
-		f[i] ^= t
-		g[i] ^= t
-	}
-}
-
-// load3 reads a 24-bit, little-endian value from in.
-func load3(in []byte) int64 {
-	var r int64
-	r = int64(in[0])
-	r |= int64(in[1]) << 8
-	r |= int64(in[2]) << 16
-	return r
-}
-
-// load4 reads a 32-bit, little-endian value from in.
-func load4(in []byte) int64 {
-	return int64(binary.LittleEndian.Uint32(in))
-}
-
-func feFromBytes(dst *fieldElement, src *[32]byte) {
-	h0 := load4(src[:])
-	h1 := load3(src[4:]) << 6
-	h2 := load3(src[7:]) << 5
-	h3 := load3(src[10:]) << 3
-	h4 := load3(src[13:]) << 2
-	h5 := load4(src[16:])
-	h6 := load3(src[20:]) << 7
-	h7 := load3(src[23:]) << 5
-	h8 := load3(src[26:]) << 4
-	h9 := load3(src[29:]) << 2
-
-	var carry [10]int64
-	carry[9] = (h9 + 1<<24) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-	carry[1] = (h1 + 1<<24) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[3] = (h3 + 1<<24) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[5] = (h5 + 1<<24) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-	carry[7] = (h7 + 1<<24) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-
-	carry[0] = (h0 + 1<<25) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[2] = (h2 + 1<<25) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[4] = (h4 + 1<<25) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[6] = (h6 + 1<<25) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-	carry[8] = (h8 + 1<<25) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-
-	dst[0] = int32(h0)
-	dst[1] = int32(h1)
-	dst[2] = int32(h2)
-	dst[3] = int32(h3)
-	dst[4] = int32(h4)
-	dst[5] = int32(h5)
-	dst[6] = int32(h6)
-	dst[7] = int32(h7)
-	dst[8] = int32(h8)
-	dst[9] = int32(h9)
-}
-
-// feToBytes marshals h to s.
-// Preconditions:
-//   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Write p=2^255-19; q=floor(h/p).
-// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
-//
-// Proof:
-//   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
-//   Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
-//
-//   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
-//   Then 0<y<1.
-//
-//   Write r=h-pq.
-//   Have 0<=r<=p-1=2^255-20.
-//   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
-//
-//   Write x=r+19(2^-255)r+y.
-//   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
-//
-//   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
-//   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
-func feToBytes(s *[32]byte, h *fieldElement) {
-	var carry [10]int32
-
-	q := (19*h[9] + (1 << 24)) >> 25
-	q = (h[0] + q) >> 26
-	q = (h[1] + q) >> 25
-	q = (h[2] + q) >> 26
-	q = (h[3] + q) >> 25
-	q = (h[4] + q) >> 26
-	q = (h[5] + q) >> 25
-	q = (h[6] + q) >> 26
-	q = (h[7] + q) >> 25
-	q = (h[8] + q) >> 26
-	q = (h[9] + q) >> 25
-
-	// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
-	h[0] += 19 * q
-	// Goal: Output h-2^255 q, which is between 0 and 2^255-20.
-
-	carry[0] = h[0] >> 26
-	h[1] += carry[0]
-	h[0] -= carry[0] << 26
-	carry[1] = h[1] >> 25
-	h[2] += carry[1]
-	h[1] -= carry[1] << 25
-	carry[2] = h[2] >> 26
-	h[3] += carry[2]
-	h[2] -= carry[2] << 26
-	carry[3] = h[3] >> 25
-	h[4] += carry[3]
-	h[3] -= carry[3] << 25
-	carry[4] = h[4] >> 26
-	h[5] += carry[4]
-	h[4] -= carry[4] << 26
-	carry[5] = h[5] >> 25
-	h[6] += carry[5]
-	h[5] -= carry[5] << 25
-	carry[6] = h[6] >> 26
-	h[7] += carry[6]
-	h[6] -= carry[6] << 26
-	carry[7] = h[7] >> 25
-	h[8] += carry[7]
-	h[7] -= carry[7] << 25
-	carry[8] = h[8] >> 26
-	h[9] += carry[8]
-	h[8] -= carry[8] << 26
-	carry[9] = h[9] >> 25
-	h[9] -= carry[9] << 25
-	// h10 = carry9
-
-	// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
-	// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
-	// evidently 2^255 h10-2^255 q = 0.
-	// Goal: Output h[0]+...+2^230 h[9].
-
-	s[0] = byte(h[0] >> 0)
-	s[1] = byte(h[0] >> 8)
-	s[2] = byte(h[0] >> 16)
-	s[3] = byte((h[0] >> 24) | (h[1] << 2))
-	s[4] = byte(h[1] >> 6)
-	s[5] = byte(h[1] >> 14)
-	s[6] = byte((h[1] >> 22) | (h[2] << 3))
-	s[7] = byte(h[2] >> 5)
-	s[8] = byte(h[2] >> 13)
-	s[9] = byte((h[2] >> 21) | (h[3] << 5))
-	s[10] = byte(h[3] >> 3)
-	s[11] = byte(h[3] >> 11)
-	s[12] = byte((h[3] >> 19) | (h[4] << 6))
-	s[13] = byte(h[4] >> 2)
-	s[14] = byte(h[4] >> 10)
-	s[15] = byte(h[4] >> 18)
-	s[16] = byte(h[5] >> 0)
-	s[17] = byte(h[5] >> 8)
-	s[18] = byte(h[5] >> 16)
-	s[19] = byte((h[5] >> 24) | (h[6] << 1))
-	s[20] = byte(h[6] >> 7)
-	s[21] = byte(h[6] >> 15)
-	s[22] = byte((h[6] >> 23) | (h[7] << 3))
-	s[23] = byte(h[7] >> 5)
-	s[24] = byte(h[7] >> 13)
-	s[25] = byte((h[7] >> 21) | (h[8] << 4))
-	s[26] = byte(h[8] >> 4)
-	s[27] = byte(h[8] >> 12)
-	s[28] = byte((h[8] >> 20) | (h[9] << 6))
-	s[29] = byte(h[9] >> 2)
-	s[30] = byte(h[9] >> 10)
-	s[31] = byte(h[9] >> 18)
-}
-
-// feMul calculates h = f * g
-// Can overlap h with f or g.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//    |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Notes on implementation strategy:
-//
-// Using schoolbook multiplication.
-// Karatsuba would save a little in some cost models.
-//
-// Most multiplications by 2 and 19 are 32-bit precomputations;
-// cheaper than 64-bit postcomputations.
-//
-// There is one remaining multiplication by 19 in the carry chain;
-// one *19 precomputation can be merged into this,
-// but the resulting data flow is considerably less clean.
-//
-// There are 12 carries below.
-// 10 of them are 2-way parallelizable and vectorizable.
-// Can get away with 11 carries, but then data flow is much deeper.
-//
-// With tighter constraints on inputs can squeeze carries into int32.
-func feMul(h, f, g *fieldElement) {
-	f0 := f[0]
-	f1 := f[1]
-	f2 := f[2]
-	f3 := f[3]
-	f4 := f[4]
-	f5 := f[5]
-	f6 := f[6]
-	f7 := f[7]
-	f8 := f[8]
-	f9 := f[9]
-	g0 := g[0]
-	g1 := g[1]
-	g2 := g[2]
-	g3 := g[3]
-	g4 := g[4]
-	g5 := g[5]
-	g6 := g[6]
-	g7 := g[7]
-	g8 := g[8]
-	g9 := g[9]
-	g1_19 := 19 * g1 // 1.4*2^29
-	g2_19 := 19 * g2 // 1.4*2^30; still ok
-	g3_19 := 19 * g3
-	g4_19 := 19 * g4
-	g5_19 := 19 * g5
-	g6_19 := 19 * g6
-	g7_19 := 19 * g7
-	g8_19 := 19 * g8
-	g9_19 := 19 * g9
-	f1_2 := 2 * f1
-	f3_2 := 2 * f3
-	f5_2 := 2 * f5
-	f7_2 := 2 * f7
-	f9_2 := 2 * f9
-	f0g0 := int64(f0) * int64(g0)
-	f0g1 := int64(f0) * int64(g1)
-	f0g2 := int64(f0) * int64(g2)
-	f0g3 := int64(f0) * int64(g3)
-	f0g4 := int64(f0) * int64(g4)
-	f0g5 := int64(f0) * int64(g5)
-	f0g6 := int64(f0) * int64(g6)
-	f0g7 := int64(f0) * int64(g7)
-	f0g8 := int64(f0) * int64(g8)
-	f0g9 := int64(f0) * int64(g9)
-	f1g0 := int64(f1) * int64(g0)
-	f1g1_2 := int64(f1_2) * int64(g1)
-	f1g2 := int64(f1) * int64(g2)
-	f1g3_2 := int64(f1_2) * int64(g3)
-	f1g4 := int64(f1) * int64(g4)
-	f1g5_2 := int64(f1_2) * int64(g5)
-	f1g6 := int64(f1) * int64(g6)
-	f1g7_2 := int64(f1_2) * int64(g7)
-	f1g8 := int64(f1) * int64(g8)
-	f1g9_38 := int64(f1_2) * int64(g9_19)
-	f2g0 := int64(f2) * int64(g0)
-	f2g1 := int64(f2) * int64(g1)
-	f2g2 := int64(f2) * int64(g2)
-	f2g3 := int64(f2) * int64(g3)
-	f2g4 := int64(f2) * int64(g4)
-	f2g5 := int64(f2) * int64(g5)
-	f2g6 := int64(f2) * int64(g6)
-	f2g7 := int64(f2) * int64(g7)
-	f2g8_19 := int64(f2) * int64(g8_19)
-	f2g9_19 := int64(f2) * int64(g9_19)
-	f3g0 := int64(f3) * int64(g0)
-	f3g1_2 := int64(f3_2) * int64(g1)
-	f3g2 := int64(f3) * int64(g2)
-	f3g3_2 := int64(f3_2) * int64(g3)
-	f3g4 := int64(f3) * int64(g4)
-	f3g5_2 := int64(f3_2) * int64(g5)
-	f3g6 := int64(f3) * int64(g6)
-	f3g7_38 := int64(f3_2) * int64(g7_19)
-	f3g8_19 := int64(f3) * int64(g8_19)
-	f3g9_38 := int64(f3_2) * int64(g9_19)
-	f4g0 := int64(f4) * int64(g0)
-	f4g1 := int64(f4) * int64(g1)
-	f4g2 := int64(f4) * int64(g2)
-	f4g3 := int64(f4) * int64(g3)
-	f4g4 := int64(f4) * int64(g4)
-	f4g5 := int64(f4) * int64(g5)
-	f4g6_19 := int64(f4) * int64(g6_19)
-	f4g7_19 := int64(f4) * int64(g7_19)
-	f4g8_19 := int64(f4) * int64(g8_19)
-	f4g9_19 := int64(f4) * int64(g9_19)
-	f5g0 := int64(f5) * int64(g0)
-	f5g1_2 := int64(f5_2) * int64(g1)
-	f5g2 := int64(f5) * int64(g2)
-	f5g3_2 := int64(f5_2) * int64(g3)
-	f5g4 := int64(f5) * int64(g4)
-	f5g5_38 := int64(f5_2) * int64(g5_19)
-	f5g6_19 := int64(f5) * int64(g6_19)
-	f5g7_38 := int64(f5_2) * int64(g7_19)
-	f5g8_19 := int64(f5) * int64(g8_19)
-	f5g9_38 := int64(f5_2) * int64(g9_19)
-	f6g0 := int64(f6) * int64(g0)
-	f6g1 := int64(f6) * int64(g1)
-	f6g2 := int64(f6) * int64(g2)
-	f6g3 := int64(f6) * int64(g3)
-	f6g4_19 := int64(f6) * int64(g4_19)
-	f6g5_19 := int64(f6) * int64(g5_19)
-	f6g6_19 := int64(f6) * int64(g6_19)
-	f6g7_19 := int64(f6) * int64(g7_19)
-	f6g8_19 := int64(f6) * int64(g8_19)
-	f6g9_19 := int64(f6) * int64(g9_19)
-	f7g0 := int64(f7) * int64(g0)
-	f7g1_2 := int64(f7_2) * int64(g1)
-	f7g2 := int64(f7) * int64(g2)
-	f7g3_38 := int64(f7_2) * int64(g3_19)
-	f7g4_19 := int64(f7) * int64(g4_19)
-	f7g5_38 := int64(f7_2) * int64(g5_19)
-	f7g6_19 := int64(f7) * int64(g6_19)
-	f7g7_38 := int64(f7_2) * int64(g7_19)
-	f7g8_19 := int64(f7) * int64(g8_19)
-	f7g9_38 := int64(f7_2) * int64(g9_19)
-	f8g0 := int64(f8) * int64(g0)
-	f8g1 := int64(f8) * int64(g1)
-	f8g2_19 := int64(f8) * int64(g2_19)
-	f8g3_19 := int64(f8) * int64(g3_19)
-	f8g4_19 := int64(f8) * int64(g4_19)
-	f8g5_19 := int64(f8) * int64(g5_19)
-	f8g6_19 := int64(f8) * int64(g6_19)
-	f8g7_19 := int64(f8) * int64(g7_19)
-	f8g8_19 := int64(f8) * int64(g8_19)
-	f8g9_19 := int64(f8) * int64(g9_19)
-	f9g0 := int64(f9) * int64(g0)
-	f9g1_38 := int64(f9_2) * int64(g1_19)
-	f9g2_19 := int64(f9) * int64(g2_19)
-	f9g3_38 := int64(f9_2) * int64(g3_19)
-	f9g4_19 := int64(f9) * int64(g4_19)
-	f9g5_38 := int64(f9_2) * int64(g5_19)
-	f9g6_19 := int64(f9) * int64(g6_19)
-	f9g7_38 := int64(f9_2) * int64(g7_19)
-	f9g8_19 := int64(f9) * int64(g8_19)
-	f9g9_38 := int64(f9_2) * int64(g9_19)
-	h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38
-	h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19
-	h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38
-	h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19
-	h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38
-	h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19
-	h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38
-	h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19
-	h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38
-	h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0
-	var carry [10]int64
-
-	// |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
-	//   i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
-	// |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
-	//   i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	// |h0| <= 2^25
-	// |h4| <= 2^25
-	// |h1| <= 1.51*2^58
-	// |h5| <= 1.51*2^58
-
-	carry[1] = (h1 + (1 << 24)) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[5] = (h5 + (1 << 24)) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-	// |h1| <= 2^24; from now on fits into int32
-	// |h5| <= 2^24; from now on fits into int32
-	// |h2| <= 1.21*2^59
-	// |h6| <= 1.21*2^59
-
-	carry[2] = (h2 + (1 << 25)) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[6] = (h6 + (1 << 25)) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-	// |h2| <= 2^25; from now on fits into int32 unchanged
-	// |h6| <= 2^25; from now on fits into int32 unchanged
-	// |h3| <= 1.51*2^58
-	// |h7| <= 1.51*2^58
-
-	carry[3] = (h3 + (1 << 24)) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[7] = (h7 + (1 << 24)) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-	// |h3| <= 2^24; from now on fits into int32 unchanged
-	// |h7| <= 2^24; from now on fits into int32 unchanged
-	// |h4| <= 1.52*2^33
-	// |h8| <= 1.52*2^33
-
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[8] = (h8 + (1 << 25)) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-	// |h4| <= 2^25; from now on fits into int32 unchanged
-	// |h8| <= 2^25; from now on fits into int32 unchanged
-	// |h5| <= 1.01*2^24
-	// |h9| <= 1.51*2^58
-
-	carry[9] = (h9 + (1 << 24)) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-	// |h9| <= 2^24; from now on fits into int32 unchanged
-	// |h0| <= 1.8*2^37
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	// |h0| <= 2^25; from now on fits into int32 unchanged
-	// |h1| <= 1.01*2^24
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-// feSquare calculates h = f*f. Can overlap h with f.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-func feSquare(h, f *fieldElement) {
-	f0 := f[0]
-	f1 := f[1]
-	f2 := f[2]
-	f3 := f[3]
-	f4 := f[4]
-	f5 := f[5]
-	f6 := f[6]
-	f7 := f[7]
-	f8 := f[8]
-	f9 := f[9]
-	f0_2 := 2 * f0
-	f1_2 := 2 * f1
-	f2_2 := 2 * f2
-	f3_2 := 2 * f3
-	f4_2 := 2 * f4
-	f5_2 := 2 * f5
-	f6_2 := 2 * f6
-	f7_2 := 2 * f7
-	f5_38 := 38 * f5 // 1.31*2^30
-	f6_19 := 19 * f6 // 1.31*2^30
-	f7_38 := 38 * f7 // 1.31*2^30
-	f8_19 := 19 * f8 // 1.31*2^30
-	f9_38 := 38 * f9 // 1.31*2^30
-	f0f0 := int64(f0) * int64(f0)
-	f0f1_2 := int64(f0_2) * int64(f1)
-	f0f2_2 := int64(f0_2) * int64(f2)
-	f0f3_2 := int64(f0_2) * int64(f3)
-	f0f4_2 := int64(f0_2) * int64(f4)
-	f0f5_2 := int64(f0_2) * int64(f5)
-	f0f6_2 := int64(f0_2) * int64(f6)
-	f0f7_2 := int64(f0_2) * int64(f7)
-	f0f8_2 := int64(f0_2) * int64(f8)
-	f0f9_2 := int64(f0_2) * int64(f9)
-	f1f1_2 := int64(f1_2) * int64(f1)
-	f1f2_2 := int64(f1_2) * int64(f2)
-	f1f3_4 := int64(f1_2) * int64(f3_2)
-	f1f4_2 := int64(f1_2) * int64(f4)
-	f1f5_4 := int64(f1_2) * int64(f5_2)
-	f1f6_2 := int64(f1_2) * int64(f6)
-	f1f7_4 := int64(f1_2) * int64(f7_2)
-	f1f8_2 := int64(f1_2) * int64(f8)
-	f1f9_76 := int64(f1_2) * int64(f9_38)
-	f2f2 := int64(f2) * int64(f2)
-	f2f3_2 := int64(f2_2) * int64(f3)
-	f2f4_2 := int64(f2_2) * int64(f4)
-	f2f5_2 := int64(f2_2) * int64(f5)
-	f2f6_2 := int64(f2_2) * int64(f6)
-	f2f7_2 := int64(f2_2) * int64(f7)
-	f2f8_38 := int64(f2_2) * int64(f8_19)
-	f2f9_38 := int64(f2) * int64(f9_38)
-	f3f3_2 := int64(f3_2) * int64(f3)
-	f3f4_2 := int64(f3_2) * int64(f4)
-	f3f5_4 := int64(f3_2) * int64(f5_2)
-	f3f6_2 := int64(f3_2) * int64(f6)
-	f3f7_76 := int64(f3_2) * int64(f7_38)
-	f3f8_38 := int64(f3_2) * int64(f8_19)
-	f3f9_76 := int64(f3_2) * int64(f9_38)
-	f4f4 := int64(f4) * int64(f4)
-	f4f5_2 := int64(f4_2) * int64(f5)
-	f4f6_38 := int64(f4_2) * int64(f6_19)
-	f4f7_38 := int64(f4) * int64(f7_38)
-	f4f8_38 := int64(f4_2) * int64(f8_19)
-	f4f9_38 := int64(f4) * int64(f9_38)
-	f5f5_38 := int64(f5) * int64(f5_38)
-	f5f6_38 := int64(f5_2) * int64(f6_19)
-	f5f7_76 := int64(f5_2) * int64(f7_38)
-	f5f8_38 := int64(f5_2) * int64(f8_19)
-	f5f9_76 := int64(f5_2) * int64(f9_38)
-	f6f6_19 := int64(f6) * int64(f6_19)
-	f6f7_38 := int64(f6) * int64(f7_38)
-	f6f8_38 := int64(f6_2) * int64(f8_19)
-	f6f9_38 := int64(f6) * int64(f9_38)
-	f7f7_38 := int64(f7) * int64(f7_38)
-	f7f8_38 := int64(f7_2) * int64(f8_19)
-	f7f9_76 := int64(f7_2) * int64(f9_38)
-	f8f8_19 := int64(f8) * int64(f8_19)
-	f8f9_38 := int64(f8) * int64(f9_38)
-	f9f9_38 := int64(f9) * int64(f9_38)
-	h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
-	h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
-	h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
-	h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
-	h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
-	h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
-	h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
-	h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
-	h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
-	h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
-	var carry [10]int64
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-
-	carry[1] = (h1 + (1 << 24)) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[5] = (h5 + (1 << 24)) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-
-	carry[2] = (h2 + (1 << 25)) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[6] = (h6 + (1 << 25)) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-
-	carry[3] = (h3 + (1 << 24)) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[7] = (h7 + (1 << 24)) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[8] = (h8 + (1 << 25)) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-
-	carry[9] = (h9 + (1 << 24)) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-// feMul121666 calculates h = f * 121666. Can overlap h with f.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-func feMul121666(h, f *fieldElement) {
-	h0 := int64(f[0]) * 121666
-	h1 := int64(f[1]) * 121666
-	h2 := int64(f[2]) * 121666
-	h3 := int64(f[3]) * 121666
-	h4 := int64(f[4]) * 121666
-	h5 := int64(f[5]) * 121666
-	h6 := int64(f[6]) * 121666
-	h7 := int64(f[7]) * 121666
-	h8 := int64(f[8]) * 121666
-	h9 := int64(f[9]) * 121666
-	var carry [10]int64
-
-	carry[9] = (h9 + (1 << 24)) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-	carry[1] = (h1 + (1 << 24)) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[3] = (h3 + (1 << 24)) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[5] = (h5 + (1 << 24)) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-	carry[7] = (h7 + (1 << 24)) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[2] = (h2 + (1 << 25)) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[6] = (h6 + (1 << 25)) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-	carry[8] = (h8 + (1 << 25)) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-// feInvert sets out = z^-1.
-func feInvert(out, z *fieldElement) {
-	var t0, t1, t2, t3 fieldElement
-	var i int
-
-	feSquare(&t0, z)
-	for i = 1; i < 1; i++ {
-		feSquare(&t0, &t0)
-	}
-	feSquare(&t1, &t0)
-	for i = 1; i < 2; i++ {
-		feSquare(&t1, &t1)
-	}
-	feMul(&t1, z, &t1)
-	feMul(&t0, &t0, &t1)
-	feSquare(&t2, &t0)
-	for i = 1; i < 1; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t1, &t1, &t2)
-	feSquare(&t2, &t1)
-	for i = 1; i < 5; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t1, &t2, &t1)
-	feSquare(&t2, &t1)
-	for i = 1; i < 10; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t2, &t2, &t1)
-	feSquare(&t3, &t2)
-	for i = 1; i < 20; i++ {
-		feSquare(&t3, &t3)
-	}
-	feMul(&t2, &t3, &t2)
-	feSquare(&t2, &t2)
-	for i = 1; i < 10; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t1, &t2, &t1)
-	feSquare(&t2, &t1)
-	for i = 1; i < 50; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t2, &t2, &t1)
-	feSquare(&t3, &t2)
-	for i = 1; i < 100; i++ {
-		feSquare(&t3, &t3)
-	}
-	feMul(&t2, &t3, &t2)
-	feSquare(&t2, &t2)
-	for i = 1; i < 50; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t1, &t2, &t1)
-	feSquare(&t1, &t1)
-	for i = 1; i < 5; i++ {
-		feSquare(&t1, &t1)
-	}
-	feMul(out, &t1, &t0)
-}
-
-func scalarMult(out, in, base *[32]byte) {
-	var e [32]byte
-
-	copy(e[:], in[:])
-	e[0] &= 248
-	e[31] &= 127
-	e[31] |= 64
-
-	var x1, x2, z2, x3, z3, tmp0, tmp1 fieldElement
-	feFromBytes(&x1, base)
-	feOne(&x2)
-	feCopy(&x3, &x1)
-	feOne(&z3)
-
-	swap := int32(0)
-	for pos := 254; pos >= 0; pos-- {
-		b := e[pos/8] >> uint(pos&7)
-		b &= 1
-		swap ^= int32(b)
-		feCSwap(&x2, &x3, swap)
-		feCSwap(&z2, &z3, swap)
-		swap = int32(b)
-
-		feSub(&tmp0, &x3, &z3)
-		feSub(&tmp1, &x2, &z2)
-		feAdd(&x2, &x2, &z2)
-		feAdd(&z2, &x3, &z3)
-		feMul(&z3, &tmp0, &x2)
-		feMul(&z2, &z2, &tmp1)
-		feSquare(&tmp0, &tmp1)
-		feSquare(&tmp1, &x2)
-		feAdd(&x3, &z3, &z2)
-		feSub(&z2, &z3, &z2)
-		feMul(&x2, &tmp1, &tmp0)
-		feSub(&tmp1, &tmp1, &tmp0)
-		feSquare(&z2, &z2)
-		feMul121666(&z3, &tmp1)
-		feSquare(&x3, &x3)
-		feAdd(&tmp0, &tmp0, &z3)
-		feMul(&z3, &x1, &z2)
-		feMul(&z2, &tmp1, &tmp0)
-	}
-
-	feCSwap(&x2, &x3, swap)
-	feCSwap(&z2, &z3, swap)
-
-	feInvert(&z2, &z2)
-	feMul(&x2, &x2, &z2)
-	feToBytes(out, &x2)
-}
diff --git a/vendor/golang.org/x/crypto/curve25519/curve25519_test.go b/vendor/golang.org/x/crypto/curve25519/curve25519_test.go
deleted file mode 100644
index 051a8301..00000000
--- a/vendor/golang.org/x/crypto/curve25519/curve25519_test.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package curve25519
-
-import (
-	"fmt"
-	"testing"
-)
-
-const expectedHex = "89161fde887b2b53de549af483940106ecc114d6982daa98256de23bdf77661a"
-
-func TestBaseScalarMult(t *testing.T) {
-	var a, b [32]byte
-	in := &a
-	out := &b
-	a[0] = 1
-
-	for i := 0; i < 200; i++ {
-		ScalarBaseMult(out, in)
-		in, out = out, in
-	}
-
-	result := fmt.Sprintf("%x", in[:])
-	if result != expectedHex {
-		t.Errorf("incorrect result: got %s, want %s", result, expectedHex)
-	}
-}
-
-func BenchmarkScalarBaseMult(b *testing.B) {
-	var in, out [32]byte
-	in[0] = 1
-
-	b.SetBytes(32)
-	for i := 0; i < b.N; i++ {
-		ScalarBaseMult(&out, &in)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/curve25519/doc.go b/vendor/golang.org/x/crypto/curve25519/doc.go
deleted file mode 100644
index da9b10d9..00000000
--- a/vendor/golang.org/x/crypto/curve25519/doc.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package curve25519 provides an implementation of scalar multiplication on
-// the elliptic curve known as curve25519. See https://cr.yp.to/ecdh.html
-package curve25519 // import "golang.org/x/crypto/curve25519"
-
-// basePoint is the x coordinate of the generator of the curve.
-var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
-
-// ScalarMult sets dst to the product in*base where dst and base are the x
-// coordinates of group points and all values are in little-endian form.
-func ScalarMult(dst, in, base *[32]byte) {
-	scalarMult(dst, in, base)
-}
-
-// ScalarBaseMult sets dst to the product in*base where dst and base are the x
-// coordinates of group points, base is the standard generator and all values
-// are in little-endian form.
-func ScalarBaseMult(dst, in *[32]byte) {
-	ScalarMult(dst, in, &basePoint)
-}
diff --git a/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s b/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s
deleted file mode 100644
index 39081610..00000000
--- a/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-#include "const_amd64.h"
-
-// func freeze(inout *[5]uint64)
-TEXT ·freeze(SB),7,$0-8
-	MOVQ inout+0(FP), DI
-
-	MOVQ 0(DI),SI
-	MOVQ 8(DI),DX
-	MOVQ 16(DI),CX
-	MOVQ 24(DI),R8
-	MOVQ 32(DI),R9
-	MOVQ $REDMASK51,AX
-	MOVQ AX,R10
-	SUBQ $18,R10
-	MOVQ $3,R11
-REDUCELOOP:
-	MOVQ SI,R12
-	SHRQ $51,R12
-	ANDQ AX,SI
-	ADDQ R12,DX
-	MOVQ DX,R12
-	SHRQ $51,R12
-	ANDQ AX,DX
-	ADDQ R12,CX
-	MOVQ CX,R12
-	SHRQ $51,R12
-	ANDQ AX,CX
-	ADDQ R12,R8
-	MOVQ R8,R12
-	SHRQ $51,R12
-	ANDQ AX,R8
-	ADDQ R12,R9
-	MOVQ R9,R12
-	SHRQ $51,R12
-	ANDQ AX,R9
-	IMUL3Q $19,R12,R12
-	ADDQ R12,SI
-	SUBQ $1,R11
-	JA REDUCELOOP
-	MOVQ $1,R12
-	CMPQ R10,SI
-	CMOVQLT R11,R12
-	CMPQ AX,DX
-	CMOVQNE R11,R12
-	CMPQ AX,CX
-	CMOVQNE R11,R12
-	CMPQ AX,R8
-	CMOVQNE R11,R12
-	CMPQ AX,R9
-	CMOVQNE R11,R12
-	NEGQ R12
-	ANDQ R12,AX
-	ANDQ R12,R10
-	SUBQ R10,SI
-	SUBQ AX,DX
-	SUBQ AX,CX
-	SUBQ AX,R8
-	SUBQ AX,R9
-	MOVQ SI,0(DI)
-	MOVQ DX,8(DI)
-	MOVQ CX,16(DI)
-	MOVQ R8,24(DI)
-	MOVQ R9,32(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s b/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s
deleted file mode 100644
index 9e9040b2..00000000
--- a/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s
+++ /dev/null
@@ -1,1377 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-#include "const_amd64.h"
-
-// func ladderstep(inout *[5][5]uint64)
-TEXT ·ladderstep(SB),0,$296-8
-	MOVQ inout+0(FP),DI
-
-	MOVQ 40(DI),SI
-	MOVQ 48(DI),DX
-	MOVQ 56(DI),CX
-	MOVQ 64(DI),R8
-	MOVQ 72(DI),R9
-	MOVQ SI,AX
-	MOVQ DX,R10
-	MOVQ CX,R11
-	MOVQ R8,R12
-	MOVQ R9,R13
-	ADDQ ·_2P0(SB),AX
-	ADDQ ·_2P1234(SB),R10
-	ADDQ ·_2P1234(SB),R11
-	ADDQ ·_2P1234(SB),R12
-	ADDQ ·_2P1234(SB),R13
-	ADDQ 80(DI),SI
-	ADDQ 88(DI),DX
-	ADDQ 96(DI),CX
-	ADDQ 104(DI),R8
-	ADDQ 112(DI),R9
-	SUBQ 80(DI),AX
-	SUBQ 88(DI),R10
-	SUBQ 96(DI),R11
-	SUBQ 104(DI),R12
-	SUBQ 112(DI),R13
-	MOVQ SI,0(SP)
-	MOVQ DX,8(SP)
-	MOVQ CX,16(SP)
-	MOVQ R8,24(SP)
-	MOVQ R9,32(SP)
-	MOVQ AX,40(SP)
-	MOVQ R10,48(SP)
-	MOVQ R11,56(SP)
-	MOVQ R12,64(SP)
-	MOVQ R13,72(SP)
-	MOVQ 40(SP),AX
-	MULQ 40(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 40(SP),AX
-	SHLQ $1,AX
-	MULQ 48(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 40(SP),AX
-	SHLQ $1,AX
-	MULQ 56(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 40(SP),AX
-	SHLQ $1,AX
-	MULQ 64(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 40(SP),AX
-	SHLQ $1,AX
-	MULQ 72(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 48(SP),AX
-	MULQ 48(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 48(SP),AX
-	SHLQ $1,AX
-	MULQ 56(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 48(SP),AX
-	SHLQ $1,AX
-	MULQ 64(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 48(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 56(SP),AX
-	MULQ 56(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 56(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 64(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 56(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 64(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 64(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 64(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 72(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	ANDQ DX,SI
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ADDQ R10,CX
-	ANDQ DX,R8
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ADDQ R12,CX
-	ANDQ DX,R9
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ADDQ R14,CX
-	ANDQ DX,AX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,80(SP)
-	MOVQ R8,88(SP)
-	MOVQ R9,96(SP)
-	MOVQ AX,104(SP)
-	MOVQ R10,112(SP)
-	MOVQ 0(SP),AX
-	MULQ 0(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 0(SP),AX
-	SHLQ $1,AX
-	MULQ 8(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 0(SP),AX
-	SHLQ $1,AX
-	MULQ 16(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 0(SP),AX
-	SHLQ $1,AX
-	MULQ 24(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 0(SP),AX
-	SHLQ $1,AX
-	MULQ 32(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 8(SP),AX
-	MULQ 8(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	SHLQ $1,AX
-	MULQ 16(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 8(SP),AX
-	SHLQ $1,AX
-	MULQ 24(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 16(SP),AX
-	MULQ 16(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 16(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 24(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 16(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 24(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 24(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 32(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	ANDQ DX,SI
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ADDQ R10,CX
-	ANDQ DX,R8
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ADDQ R12,CX
-	ANDQ DX,R9
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ADDQ R14,CX
-	ANDQ DX,AX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,120(SP)
-	MOVQ R8,128(SP)
-	MOVQ R9,136(SP)
-	MOVQ AX,144(SP)
-	MOVQ R10,152(SP)
-	MOVQ SI,SI
-	MOVQ R8,DX
-	MOVQ R9,CX
-	MOVQ AX,R8
-	MOVQ R10,R9
-	ADDQ ·_2P0(SB),SI
-	ADDQ ·_2P1234(SB),DX
-	ADDQ ·_2P1234(SB),CX
-	ADDQ ·_2P1234(SB),R8
-	ADDQ ·_2P1234(SB),R9
-	SUBQ 80(SP),SI
-	SUBQ 88(SP),DX
-	SUBQ 96(SP),CX
-	SUBQ 104(SP),R8
-	SUBQ 112(SP),R9
-	MOVQ SI,160(SP)
-	MOVQ DX,168(SP)
-	MOVQ CX,176(SP)
-	MOVQ R8,184(SP)
-	MOVQ R9,192(SP)
-	MOVQ 120(DI),SI
-	MOVQ 128(DI),DX
-	MOVQ 136(DI),CX
-	MOVQ 144(DI),R8
-	MOVQ 152(DI),R9
-	MOVQ SI,AX
-	MOVQ DX,R10
-	MOVQ CX,R11
-	MOVQ R8,R12
-	MOVQ R9,R13
-	ADDQ ·_2P0(SB),AX
-	ADDQ ·_2P1234(SB),R10
-	ADDQ ·_2P1234(SB),R11
-	ADDQ ·_2P1234(SB),R12
-	ADDQ ·_2P1234(SB),R13
-	ADDQ 160(DI),SI
-	ADDQ 168(DI),DX
-	ADDQ 176(DI),CX
-	ADDQ 184(DI),R8
-	ADDQ 192(DI),R9
-	SUBQ 160(DI),AX
-	SUBQ 168(DI),R10
-	SUBQ 176(DI),R11
-	SUBQ 184(DI),R12
-	SUBQ 192(DI),R13
-	MOVQ SI,200(SP)
-	MOVQ DX,208(SP)
-	MOVQ CX,216(SP)
-	MOVQ R8,224(SP)
-	MOVQ R9,232(SP)
-	MOVQ AX,240(SP)
-	MOVQ R10,248(SP)
-	MOVQ R11,256(SP)
-	MOVQ R12,264(SP)
-	MOVQ R13,272(SP)
-	MOVQ 224(SP),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,280(SP)
-	MULQ 56(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 232(SP),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,288(SP)
-	MULQ 48(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 200(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 200(SP),AX
-	MULQ 48(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 200(SP),AX
-	MULQ 56(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 200(SP),AX
-	MULQ 64(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 200(SP),AX
-	MULQ 72(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 208(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 208(SP),AX
-	MULQ 48(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 208(SP),AX
-	MULQ 56(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 208(SP),AX
-	MULQ 64(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 208(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 216(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 216(SP),AX
-	MULQ 48(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 216(SP),AX
-	MULQ 56(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 216(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 64(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 216(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 224(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 224(SP),AX
-	MULQ 48(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 280(SP),AX
-	MULQ 64(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 280(SP),AX
-	MULQ 72(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 232(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 288(SP),AX
-	MULQ 56(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 288(SP),AX
-	MULQ 64(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 288(SP),AX
-	MULQ 72(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,40(SP)
-	MOVQ R8,48(SP)
-	MOVQ R9,56(SP)
-	MOVQ AX,64(SP)
-	MOVQ R10,72(SP)
-	MOVQ 264(SP),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,200(SP)
-	MULQ 16(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 272(SP),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,208(SP)
-	MULQ 8(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 240(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 240(SP),AX
-	MULQ 8(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 240(SP),AX
-	MULQ 16(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 240(SP),AX
-	MULQ 24(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 240(SP),AX
-	MULQ 32(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 248(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 248(SP),AX
-	MULQ 8(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 248(SP),AX
-	MULQ 16(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 248(SP),AX
-	MULQ 24(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 248(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 256(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 256(SP),AX
-	MULQ 8(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 256(SP),AX
-	MULQ 16(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 256(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 256(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 264(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 264(SP),AX
-	MULQ 8(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 200(SP),AX
-	MULQ 24(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 200(SP),AX
-	MULQ 32(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 272(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 208(SP),AX
-	MULQ 16(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 208(SP),AX
-	MULQ 24(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 208(SP),AX
-	MULQ 32(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,DX
-	MOVQ R8,CX
-	MOVQ R9,R11
-	MOVQ AX,R12
-	MOVQ R10,R13
-	ADDQ ·_2P0(SB),DX
-	ADDQ ·_2P1234(SB),CX
-	ADDQ ·_2P1234(SB),R11
-	ADDQ ·_2P1234(SB),R12
-	ADDQ ·_2P1234(SB),R13
-	ADDQ 40(SP),SI
-	ADDQ 48(SP),R8
-	ADDQ 56(SP),R9
-	ADDQ 64(SP),AX
-	ADDQ 72(SP),R10
-	SUBQ 40(SP),DX
-	SUBQ 48(SP),CX
-	SUBQ 56(SP),R11
-	SUBQ 64(SP),R12
-	SUBQ 72(SP),R13
-	MOVQ SI,120(DI)
-	MOVQ R8,128(DI)
-	MOVQ R9,136(DI)
-	MOVQ AX,144(DI)
-	MOVQ R10,152(DI)
-	MOVQ DX,160(DI)
-	MOVQ CX,168(DI)
-	MOVQ R11,176(DI)
-	MOVQ R12,184(DI)
-	MOVQ R13,192(DI)
-	MOVQ 120(DI),AX
-	MULQ 120(DI)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 120(DI),AX
-	SHLQ $1,AX
-	MULQ 128(DI)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 120(DI),AX
-	SHLQ $1,AX
-	MULQ 136(DI)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 120(DI),AX
-	SHLQ $1,AX
-	MULQ 144(DI)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 120(DI),AX
-	SHLQ $1,AX
-	MULQ 152(DI)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 128(DI),AX
-	MULQ 128(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 128(DI),AX
-	SHLQ $1,AX
-	MULQ 136(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 128(DI),AX
-	SHLQ $1,AX
-	MULQ 144(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 128(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 152(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 136(DI),AX
-	MULQ 136(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 136(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 144(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 136(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 152(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 144(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 144(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 144(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 152(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 152(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 152(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	ANDQ DX,SI
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ADDQ R10,CX
-	ANDQ DX,R8
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ADDQ R12,CX
-	ANDQ DX,R9
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ADDQ R14,CX
-	ANDQ DX,AX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,120(DI)
-	MOVQ R8,128(DI)
-	MOVQ R9,136(DI)
-	MOVQ AX,144(DI)
-	MOVQ R10,152(DI)
-	MOVQ 160(DI),AX
-	MULQ 160(DI)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 160(DI),AX
-	SHLQ $1,AX
-	MULQ 168(DI)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 160(DI),AX
-	SHLQ $1,AX
-	MULQ 176(DI)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 160(DI),AX
-	SHLQ $1,AX
-	MULQ 184(DI)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 160(DI),AX
-	SHLQ $1,AX
-	MULQ 192(DI)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 168(DI),AX
-	MULQ 168(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 168(DI),AX
-	SHLQ $1,AX
-	MULQ 176(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 168(DI),AX
-	SHLQ $1,AX
-	MULQ 184(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 168(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 192(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 176(DI),AX
-	MULQ 176(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 176(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 184(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 176(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 192(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 184(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 184(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 184(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 192(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 192(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 192(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	ANDQ DX,SI
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ADDQ R10,CX
-	ANDQ DX,R8
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ADDQ R12,CX
-	ANDQ DX,R9
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ADDQ R14,CX
-	ANDQ DX,AX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,160(DI)
-	MOVQ R8,168(DI)
-	MOVQ R9,176(DI)
-	MOVQ AX,184(DI)
-	MOVQ R10,192(DI)
-	MOVQ 184(DI),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,0(SP)
-	MULQ 16(DI)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 192(DI),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,8(SP)
-	MULQ 8(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 160(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 160(DI),AX
-	MULQ 8(DI)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 160(DI),AX
-	MULQ 16(DI)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 160(DI),AX
-	MULQ 24(DI)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 160(DI),AX
-	MULQ 32(DI)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 168(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 168(DI),AX
-	MULQ 8(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 168(DI),AX
-	MULQ 16(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 168(DI),AX
-	MULQ 24(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 168(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 176(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 176(DI),AX
-	MULQ 8(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 176(DI),AX
-	MULQ 16(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 176(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 176(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 184(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 184(DI),AX
-	MULQ 8(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 0(SP),AX
-	MULQ 24(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SP),AX
-	MULQ 32(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 192(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SP),AX
-	MULQ 16(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 8(SP),AX
-	MULQ 24(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	MULQ 32(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,160(DI)
-	MOVQ R8,168(DI)
-	MOVQ R9,176(DI)
-	MOVQ AX,184(DI)
-	MOVQ R10,192(DI)
-	MOVQ 144(SP),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,0(SP)
-	MULQ 96(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 152(SP),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,8(SP)
-	MULQ 88(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 120(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 120(SP),AX
-	MULQ 88(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 120(SP),AX
-	MULQ 96(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 120(SP),AX
-	MULQ 104(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 120(SP),AX
-	MULQ 112(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 128(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 128(SP),AX
-	MULQ 88(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 128(SP),AX
-	MULQ 96(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 128(SP),AX
-	MULQ 104(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 128(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 112(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 136(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 136(SP),AX
-	MULQ 88(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 136(SP),AX
-	MULQ 96(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 136(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 104(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 136(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 112(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 144(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 144(SP),AX
-	MULQ 88(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 0(SP),AX
-	MULQ 104(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SP),AX
-	MULQ 112(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 152(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SP),AX
-	MULQ 96(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 8(SP),AX
-	MULQ 104(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	MULQ 112(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,40(DI)
-	MOVQ R8,48(DI)
-	MOVQ R9,56(DI)
-	MOVQ AX,64(DI)
-	MOVQ R10,72(DI)
-	MOVQ 160(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 168(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	ADDQ AX,CX
-	MOVQ DX,R8
-	MOVQ 176(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	ADDQ AX,R8
-	MOVQ DX,R9
-	MOVQ 184(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	ADDQ AX,R9
-	MOVQ DX,R10
-	MOVQ 192(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	ADDQ AX,R10
-	IMUL3Q $19,DX,DX
-	ADDQ DX,SI
-	ADDQ 80(SP),SI
-	ADDQ 88(SP),CX
-	ADDQ 96(SP),R8
-	ADDQ 104(SP),R9
-	ADDQ 112(SP),R10
-	MOVQ SI,80(DI)
-	MOVQ CX,88(DI)
-	MOVQ R8,96(DI)
-	MOVQ R9,104(DI)
-	MOVQ R10,112(DI)
-	MOVQ 104(DI),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,0(SP)
-	MULQ 176(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 112(DI),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,8(SP)
-	MULQ 168(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 80(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 80(DI),AX
-	MULQ 168(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 80(DI),AX
-	MULQ 176(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 80(DI),AX
-	MULQ 184(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 80(DI),AX
-	MULQ 192(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 88(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 88(DI),AX
-	MULQ 168(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 88(DI),AX
-	MULQ 176(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 88(DI),AX
-	MULQ 184(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 88(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 192(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 96(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 96(DI),AX
-	MULQ 168(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 96(DI),AX
-	MULQ 176(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 96(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 184(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 96(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 192(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 104(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 104(DI),AX
-	MULQ 168(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 0(SP),AX
-	MULQ 184(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SP),AX
-	MULQ 192(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 112(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SP),AX
-	MULQ 176(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 8(SP),AX
-	MULQ 184(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	MULQ 192(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,80(DI)
-	MOVQ R8,88(DI)
-	MOVQ R9,96(DI)
-	MOVQ AX,104(DI)
-	MOVQ R10,112(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go b/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go
deleted file mode 100644
index 5822bd53..00000000
--- a/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go
+++ /dev/null
@@ -1,240 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-package curve25519
-
-// These functions are implemented in the .s files. The names of the functions
-// in the rest of the file are also taken from the SUPERCOP sources to help
-// people following along.
-
-//go:noescape
-
-func cswap(inout *[5]uint64, v uint64)
-
-//go:noescape
-
-func ladderstep(inout *[5][5]uint64)
-
-//go:noescape
-
-func freeze(inout *[5]uint64)
-
-//go:noescape
-
-func mul(dest, a, b *[5]uint64)
-
-//go:noescape
-
-func square(out, in *[5]uint64)
-
-// mladder uses a Montgomery ladder to calculate (xr/zr) *= s.
-func mladder(xr, zr *[5]uint64, s *[32]byte) {
-	var work [5][5]uint64
-
-	work[0] = *xr
-	setint(&work[1], 1)
-	setint(&work[2], 0)
-	work[3] = *xr
-	setint(&work[4], 1)
-
-	j := uint(6)
-	var prevbit byte
-
-	for i := 31; i >= 0; i-- {
-		for j < 8 {
-			bit := ((*s)[i] >> j) & 1
-			swap := bit ^ prevbit
-			prevbit = bit
-			cswap(&work[1], uint64(swap))
-			ladderstep(&work)
-			j--
-		}
-		j = 7
-	}
-
-	*xr = work[1]
-	*zr = work[2]
-}
-
-func scalarMult(out, in, base *[32]byte) {
-	var e [32]byte
-	copy(e[:], (*in)[:])
-	e[0] &= 248
-	e[31] &= 127
-	e[31] |= 64
-
-	var t, z [5]uint64
-	unpack(&t, base)
-	mladder(&t, &z, &e)
-	invert(&z, &z)
-	mul(&t, &t, &z)
-	pack(out, &t)
-}
-
-func setint(r *[5]uint64, v uint64) {
-	r[0] = v
-	r[1] = 0
-	r[2] = 0
-	r[3] = 0
-	r[4] = 0
-}
-
-// unpack sets r = x where r consists of 5, 51-bit limbs in little-endian
-// order.
-func unpack(r *[5]uint64, x *[32]byte) {
-	r[0] = uint64(x[0]) |
-		uint64(x[1])<<8 |
-		uint64(x[2])<<16 |
-		uint64(x[3])<<24 |
-		uint64(x[4])<<32 |
-		uint64(x[5])<<40 |
-		uint64(x[6]&7)<<48
-
-	r[1] = uint64(x[6])>>3 |
-		uint64(x[7])<<5 |
-		uint64(x[8])<<13 |
-		uint64(x[9])<<21 |
-		uint64(x[10])<<29 |
-		uint64(x[11])<<37 |
-		uint64(x[12]&63)<<45
-
-	r[2] = uint64(x[12])>>6 |
-		uint64(x[13])<<2 |
-		uint64(x[14])<<10 |
-		uint64(x[15])<<18 |
-		uint64(x[16])<<26 |
-		uint64(x[17])<<34 |
-		uint64(x[18])<<42 |
-		uint64(x[19]&1)<<50
-
-	r[3] = uint64(x[19])>>1 |
-		uint64(x[20])<<7 |
-		uint64(x[21])<<15 |
-		uint64(x[22])<<23 |
-		uint64(x[23])<<31 |
-		uint64(x[24])<<39 |
-		uint64(x[25]&15)<<47
-
-	r[4] = uint64(x[25])>>4 |
-		uint64(x[26])<<4 |
-		uint64(x[27])<<12 |
-		uint64(x[28])<<20 |
-		uint64(x[29])<<28 |
-		uint64(x[30])<<36 |
-		uint64(x[31]&127)<<44
-}
-
-// pack sets out = x where out is the usual, little-endian form of the 5,
-// 51-bit limbs in x.
-func pack(out *[32]byte, x *[5]uint64) {
-	t := *x
-	freeze(&t)
-
-	out[0] = byte(t[0])
-	out[1] = byte(t[0] >> 8)
-	out[2] = byte(t[0] >> 16)
-	out[3] = byte(t[0] >> 24)
-	out[4] = byte(t[0] >> 32)
-	out[5] = byte(t[0] >> 40)
-	out[6] = byte(t[0] >> 48)
-
-	out[6] ^= byte(t[1]<<3) & 0xf8
-	out[7] = byte(t[1] >> 5)
-	out[8] = byte(t[1] >> 13)
-	out[9] = byte(t[1] >> 21)
-	out[10] = byte(t[1] >> 29)
-	out[11] = byte(t[1] >> 37)
-	out[12] = byte(t[1] >> 45)
-
-	out[12] ^= byte(t[2]<<6) & 0xc0
-	out[13] = byte(t[2] >> 2)
-	out[14] = byte(t[2] >> 10)
-	out[15] = byte(t[2] >> 18)
-	out[16] = byte(t[2] >> 26)
-	out[17] = byte(t[2] >> 34)
-	out[18] = byte(t[2] >> 42)
-	out[19] = byte(t[2] >> 50)
-
-	out[19] ^= byte(t[3]<<1) & 0xfe
-	out[20] = byte(t[3] >> 7)
-	out[21] = byte(t[3] >> 15)
-	out[22] = byte(t[3] >> 23)
-	out[23] = byte(t[3] >> 31)
-	out[24] = byte(t[3] >> 39)
-	out[25] = byte(t[3] >> 47)
-
-	out[25] ^= byte(t[4]<<4) & 0xf0
-	out[26] = byte(t[4] >> 4)
-	out[27] = byte(t[4] >> 12)
-	out[28] = byte(t[4] >> 20)
-	out[29] = byte(t[4] >> 28)
-	out[30] = byte(t[4] >> 36)
-	out[31] = byte(t[4] >> 44)
-}
-
-// invert calculates r = x^-1 mod p using Fermat's little theorem.
-func invert(r *[5]uint64, x *[5]uint64) {
-	var z2, z9, z11, z2_5_0, z2_10_0, z2_20_0, z2_50_0, z2_100_0, t [5]uint64
-
-	square(&z2, x)        /* 2 */
-	square(&t, &z2)       /* 4 */
-	square(&t, &t)        /* 8 */
-	mul(&z9, &t, x)       /* 9 */
-	mul(&z11, &z9, &z2)   /* 11 */
-	square(&t, &z11)      /* 22 */
-	mul(&z2_5_0, &t, &z9) /* 2^5 - 2^0 = 31 */
-
-	square(&t, &z2_5_0)      /* 2^6 - 2^1 */
-	for i := 1; i < 5; i++ { /* 2^20 - 2^10 */
-		square(&t, &t)
-	}
-	mul(&z2_10_0, &t, &z2_5_0) /* 2^10 - 2^0 */
-
-	square(&t, &z2_10_0)      /* 2^11 - 2^1 */
-	for i := 1; i < 10; i++ { /* 2^20 - 2^10 */
-		square(&t, &t)
-	}
-	mul(&z2_20_0, &t, &z2_10_0) /* 2^20 - 2^0 */
-
-	square(&t, &z2_20_0)      /* 2^21 - 2^1 */
-	for i := 1; i < 20; i++ { /* 2^40 - 2^20 */
-		square(&t, &t)
-	}
-	mul(&t, &t, &z2_20_0) /* 2^40 - 2^0 */
-
-	square(&t, &t)            /* 2^41 - 2^1 */
-	for i := 1; i < 10; i++ { /* 2^50 - 2^10 */
-		square(&t, &t)
-	}
-	mul(&z2_50_0, &t, &z2_10_0) /* 2^50 - 2^0 */
-
-	square(&t, &z2_50_0)      /* 2^51 - 2^1 */
-	for i := 1; i < 50; i++ { /* 2^100 - 2^50 */
-		square(&t, &t)
-	}
-	mul(&z2_100_0, &t, &z2_50_0) /* 2^100 - 2^0 */
-
-	square(&t, &z2_100_0)      /* 2^101 - 2^1 */
-	for i := 1; i < 100; i++ { /* 2^200 - 2^100 */
-		square(&t, &t)
-	}
-	mul(&t, &t, &z2_100_0) /* 2^200 - 2^0 */
-
-	square(&t, &t)            /* 2^201 - 2^1 */
-	for i := 1; i < 50; i++ { /* 2^250 - 2^50 */
-		square(&t, &t)
-	}
-	mul(&t, &t, &z2_50_0) /* 2^250 - 2^0 */
-
-	square(&t, &t) /* 2^251 - 2^1 */
-	square(&t, &t) /* 2^252 - 2^2 */
-	square(&t, &t) /* 2^253 - 2^3 */
-
-	square(&t, &t) /* 2^254 - 2^4 */
-
-	square(&t, &t)   /* 2^255 - 2^5 */
-	mul(r, &t, &z11) /* 2^255 - 21 */
-}
diff --git a/vendor/golang.org/x/crypto/curve25519/mul_amd64.s b/vendor/golang.org/x/crypto/curve25519/mul_amd64.s
deleted file mode 100644
index 5ce80a2e..00000000
--- a/vendor/golang.org/x/crypto/curve25519/mul_amd64.s
+++ /dev/null
@@ -1,169 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-#include "const_amd64.h"
-
-// func mul(dest, a, b *[5]uint64)
-TEXT ·mul(SB),0,$16-24
-	MOVQ dest+0(FP), DI
-	MOVQ a+8(FP), SI
-	MOVQ b+16(FP), DX
-
-	MOVQ DX,CX
-	MOVQ 24(SI),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,0(SP)
-	MULQ 16(CX)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 32(SI),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,8(SP)
-	MULQ 8(CX)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SI),AX
-	MULQ 8(CX)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 0(SI),AX
-	MULQ 16(CX)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 0(SI),AX
-	MULQ 24(CX)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 0(SI),AX
-	MULQ 32(CX)
-	MOVQ AX,BX
-	MOVQ DX,BP
-	MOVQ 8(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SI),AX
-	MULQ 8(CX)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 8(SI),AX
-	MULQ 16(CX)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SI),AX
-	MULQ 24(CX)
-	ADDQ AX,BX
-	ADCQ DX,BP
-	MOVQ 8(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(CX)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 16(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 16(SI),AX
-	MULQ 8(CX)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 16(SI),AX
-	MULQ 16(CX)
-	ADDQ AX,BX
-	ADCQ DX,BP
-	MOVQ 16(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(CX)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 16(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(CX)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 24(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 24(SI),AX
-	MULQ 8(CX)
-	ADDQ AX,BX
-	ADCQ DX,BP
-	MOVQ 0(SP),AX
-	MULQ 24(CX)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 0(SP),AX
-	MULQ 32(CX)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 32(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,BX
-	ADCQ DX,BP
-	MOVQ 8(SP),AX
-	MULQ 16(CX)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	MULQ 24(CX)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 8(SP),AX
-	MULQ 32(CX)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ $REDMASK51,SI
-	SHLQ $13,R9:R8
-	ANDQ SI,R8
-	SHLQ $13,R11:R10
-	ANDQ SI,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ SI,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ SI,R14
-	ADDQ R13,R14
-	SHLQ $13,BP:BX
-	ANDQ SI,BX
-	ADDQ R15,BX
-	IMUL3Q $19,BP,DX
-	ADDQ DX,R8
-	MOVQ R8,DX
-	SHRQ $51,DX
-	ADDQ R10,DX
-	MOVQ DX,CX
-	SHRQ $51,DX
-	ANDQ SI,R8
-	ADDQ R12,DX
-	MOVQ DX,R9
-	SHRQ $51,DX
-	ANDQ SI,CX
-	ADDQ R14,DX
-	MOVQ DX,AX
-	SHRQ $51,DX
-	ANDQ SI,R9
-	ADDQ BX,DX
-	MOVQ DX,R10
-	SHRQ $51,DX
-	ANDQ SI,AX
-	IMUL3Q $19,DX,DX
-	ADDQ DX,R8
-	ANDQ SI,R10
-	MOVQ R8,0(DI)
-	MOVQ CX,8(DI)
-	MOVQ R9,16(DI)
-	MOVQ AX,24(DI)
-	MOVQ R10,32(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/curve25519/square_amd64.s b/vendor/golang.org/x/crypto/curve25519/square_amd64.s
deleted file mode 100644
index 12f73734..00000000
--- a/vendor/golang.org/x/crypto/curve25519/square_amd64.s
+++ /dev/null
@@ -1,132 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-#include "const_amd64.h"
-
-// func square(out, in *[5]uint64)
-TEXT ·square(SB),7,$0-16
-	MOVQ out+0(FP), DI
-	MOVQ in+8(FP), SI
-
-	MOVQ 0(SI),AX
-	MULQ 0(SI)
-	MOVQ AX,CX
-	MOVQ DX,R8
-	MOVQ 0(SI),AX
-	SHLQ $1,AX
-	MULQ 8(SI)
-	MOVQ AX,R9
-	MOVQ DX,R10
-	MOVQ 0(SI),AX
-	SHLQ $1,AX
-	MULQ 16(SI)
-	MOVQ AX,R11
-	MOVQ DX,R12
-	MOVQ 0(SI),AX
-	SHLQ $1,AX
-	MULQ 24(SI)
-	MOVQ AX,R13
-	MOVQ DX,R14
-	MOVQ 0(SI),AX
-	SHLQ $1,AX
-	MULQ 32(SI)
-	MOVQ AX,R15
-	MOVQ DX,BX
-	MOVQ 8(SI),AX
-	MULQ 8(SI)
-	ADDQ AX,R11
-	ADCQ DX,R12
-	MOVQ 8(SI),AX
-	SHLQ $1,AX
-	MULQ 16(SI)
-	ADDQ AX,R13
-	ADCQ DX,R14
-	MOVQ 8(SI),AX
-	SHLQ $1,AX
-	MULQ 24(SI)
-	ADDQ AX,R15
-	ADCQ DX,BX
-	MOVQ 8(SI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SI)
-	ADDQ AX,CX
-	ADCQ DX,R8
-	MOVQ 16(SI),AX
-	MULQ 16(SI)
-	ADDQ AX,R15
-	ADCQ DX,BX
-	MOVQ 16(SI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 24(SI)
-	ADDQ AX,CX
-	ADCQ DX,R8
-	MOVQ 16(SI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SI)
-	ADDQ AX,R9
-	ADCQ DX,R10
-	MOVQ 24(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(SI)
-	ADDQ AX,R9
-	ADCQ DX,R10
-	MOVQ 24(SI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SI)
-	ADDQ AX,R11
-	ADCQ DX,R12
-	MOVQ 32(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(SI)
-	ADDQ AX,R13
-	ADCQ DX,R14
-	MOVQ $REDMASK51,SI
-	SHLQ $13,R8:CX
-	ANDQ SI,CX
-	SHLQ $13,R10:R9
-	ANDQ SI,R9
-	ADDQ R8,R9
-	SHLQ $13,R12:R11
-	ANDQ SI,R11
-	ADDQ R10,R11
-	SHLQ $13,R14:R13
-	ANDQ SI,R13
-	ADDQ R12,R13
-	SHLQ $13,BX:R15
-	ANDQ SI,R15
-	ADDQ R14,R15
-	IMUL3Q $19,BX,DX
-	ADDQ DX,CX
-	MOVQ CX,DX
-	SHRQ $51,DX
-	ADDQ R9,DX
-	ANDQ SI,CX
-	MOVQ DX,R8
-	SHRQ $51,DX
-	ADDQ R11,DX
-	ANDQ SI,R8
-	MOVQ DX,R9
-	SHRQ $51,DX
-	ADDQ R13,DX
-	ANDQ SI,R9
-	MOVQ DX,AX
-	SHRQ $51,DX
-	ADDQ R15,DX
-	ANDQ SI,AX
-	MOVQ DX,R10
-	SHRQ $51,DX
-	IMUL3Q $19,DX,DX
-	ADDQ DX,CX
-	ANDQ SI,R10
-	MOVQ CX,0(DI)
-	MOVQ R8,8(DI)
-	MOVQ R9,16(DI)
-	MOVQ AX,24(DI)
-	MOVQ R10,32(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519.go b/vendor/golang.org/x/crypto/ed25519/ed25519.go
deleted file mode 100644
index 4f26b49b..00000000
--- a/vendor/golang.org/x/crypto/ed25519/ed25519.go
+++ /dev/null
@@ -1,181 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package ed25519 implements the Ed25519 signature algorithm. See
-// https://ed25519.cr.yp.to/.
-//
-// These functions are also compatible with the “Ed25519” function defined in
-// RFC 8032.
-package ed25519
-
-// This code is a port of the public domain, “ref10” implementation of ed25519
-// from SUPERCOP.
-
-import (
-	"bytes"
-	"crypto"
-	cryptorand "crypto/rand"
-	"crypto/sha512"
-	"errors"
-	"io"
-	"strconv"
-
-	"golang.org/x/crypto/ed25519/internal/edwards25519"
-)
-
-const (
-	// PublicKeySize is the size, in bytes, of public keys as used in this package.
-	PublicKeySize = 32
-	// PrivateKeySize is the size, in bytes, of private keys as used in this package.
-	PrivateKeySize = 64
-	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
-	SignatureSize = 64
-)
-
-// PublicKey is the type of Ed25519 public keys.
-type PublicKey []byte
-
-// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
-type PrivateKey []byte
-
-// Public returns the PublicKey corresponding to priv.
-func (priv PrivateKey) Public() crypto.PublicKey {
-	publicKey := make([]byte, PublicKeySize)
-	copy(publicKey, priv[32:])
-	return PublicKey(publicKey)
-}
-
-// Sign signs the given message with priv.
-// Ed25519 performs two passes over messages to be signed and therefore cannot
-// handle pre-hashed messages. Thus opts.HashFunc() must return zero to
-// indicate the message hasn't been hashed. This can be achieved by passing
-// crypto.Hash(0) as the value for opts.
-func (priv PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	if opts.HashFunc() != crypto.Hash(0) {
-		return nil, errors.New("ed25519: cannot sign hashed message")
-	}
-
-	return Sign(priv, message), nil
-}
-
-// GenerateKey generates a public/private key pair using entropy from rand.
-// If rand is nil, crypto/rand.Reader will be used.
-func GenerateKey(rand io.Reader) (publicKey PublicKey, privateKey PrivateKey, err error) {
-	if rand == nil {
-		rand = cryptorand.Reader
-	}
-
-	privateKey = make([]byte, PrivateKeySize)
-	publicKey = make([]byte, PublicKeySize)
-	_, err = io.ReadFull(rand, privateKey[:32])
-	if err != nil {
-		return nil, nil, err
-	}
-
-	digest := sha512.Sum512(privateKey[:32])
-	digest[0] &= 248
-	digest[31] &= 127
-	digest[31] |= 64
-
-	var A edwards25519.ExtendedGroupElement
-	var hBytes [32]byte
-	copy(hBytes[:], digest[:])
-	edwards25519.GeScalarMultBase(&A, &hBytes)
-	var publicKeyBytes [32]byte
-	A.ToBytes(&publicKeyBytes)
-
-	copy(privateKey[32:], publicKeyBytes[:])
-	copy(publicKey, publicKeyBytes[:])
-
-	return publicKey, privateKey, nil
-}
-
-// Sign signs the message with privateKey and returns a signature. It will
-// panic if len(privateKey) is not PrivateKeySize.
-func Sign(privateKey PrivateKey, message []byte) []byte {
-	if l := len(privateKey); l != PrivateKeySize {
-		panic("ed25519: bad private key length: " + strconv.Itoa(l))
-	}
-
-	h := sha512.New()
-	h.Write(privateKey[:32])
-
-	var digest1, messageDigest, hramDigest [64]byte
-	var expandedSecretKey [32]byte
-	h.Sum(digest1[:0])
-	copy(expandedSecretKey[:], digest1[:])
-	expandedSecretKey[0] &= 248
-	expandedSecretKey[31] &= 63
-	expandedSecretKey[31] |= 64
-
-	h.Reset()
-	h.Write(digest1[32:])
-	h.Write(message)
-	h.Sum(messageDigest[:0])
-
-	var messageDigestReduced [32]byte
-	edwards25519.ScReduce(&messageDigestReduced, &messageDigest)
-	var R edwards25519.ExtendedGroupElement
-	edwards25519.GeScalarMultBase(&R, &messageDigestReduced)
-
-	var encodedR [32]byte
-	R.ToBytes(&encodedR)
-
-	h.Reset()
-	h.Write(encodedR[:])
-	h.Write(privateKey[32:])
-	h.Write(message)
-	h.Sum(hramDigest[:0])
-	var hramDigestReduced [32]byte
-	edwards25519.ScReduce(&hramDigestReduced, &hramDigest)
-
-	var s [32]byte
-	edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced)
-
-	signature := make([]byte, SignatureSize)
-	copy(signature[:], encodedR[:])
-	copy(signature[32:], s[:])
-
-	return signature
-}
-
-// Verify reports whether sig is a valid signature of message by publicKey. It
-// will panic if len(publicKey) is not PublicKeySize.
-func Verify(publicKey PublicKey, message, sig []byte) bool {
-	if l := len(publicKey); l != PublicKeySize {
-		panic("ed25519: bad public key length: " + strconv.Itoa(l))
-	}
-
-	if len(sig) != SignatureSize || sig[63]&224 != 0 {
-		return false
-	}
-
-	var A edwards25519.ExtendedGroupElement
-	var publicKeyBytes [32]byte
-	copy(publicKeyBytes[:], publicKey)
-	if !A.FromBytes(&publicKeyBytes) {
-		return false
-	}
-	edwards25519.FeNeg(&A.X, &A.X)
-	edwards25519.FeNeg(&A.T, &A.T)
-
-	h := sha512.New()
-	h.Write(sig[:32])
-	h.Write(publicKey[:])
-	h.Write(message)
-	var digest [64]byte
-	h.Sum(digest[:0])
-
-	var hReduced [32]byte
-	edwards25519.ScReduce(&hReduced, &digest)
-
-	var R edwards25519.ProjectiveGroupElement
-	var b [32]byte
-	copy(b[:], sig[32:])
-	edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b)
-
-	var checkR [32]byte
-	R.ToBytes(&checkR)
-	return bytes.Equal(sig[:32], checkR[:])
-}
diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519_test.go b/vendor/golang.org/x/crypto/ed25519/ed25519_test.go
deleted file mode 100644
index e272f8a5..00000000
--- a/vendor/golang.org/x/crypto/ed25519/ed25519_test.go
+++ /dev/null
@@ -1,183 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ed25519
-
-import (
-	"bufio"
-	"bytes"
-	"compress/gzip"
-	"crypto"
-	"crypto/rand"
-	"encoding/hex"
-	"os"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/ed25519/internal/edwards25519"
-)
-
-type zeroReader struct{}
-
-func (zeroReader) Read(buf []byte) (int, error) {
-	for i := range buf {
-		buf[i] = 0
-	}
-	return len(buf), nil
-}
-
-func TestUnmarshalMarshal(t *testing.T) {
-	pub, _, _ := GenerateKey(rand.Reader)
-
-	var A edwards25519.ExtendedGroupElement
-	var pubBytes [32]byte
-	copy(pubBytes[:], pub)
-	if !A.FromBytes(&pubBytes) {
-		t.Fatalf("ExtendedGroupElement.FromBytes failed")
-	}
-
-	var pub2 [32]byte
-	A.ToBytes(&pub2)
-
-	if pubBytes != pub2 {
-		t.Errorf("FromBytes(%v)->ToBytes does not round-trip, got %x\n", pubBytes, pub2)
-	}
-}
-
-func TestSignVerify(t *testing.T) {
-	var zero zeroReader
-	public, private, _ := GenerateKey(zero)
-
-	message := []byte("test message")
-	sig := Sign(private, message)
-	if !Verify(public, message, sig) {
-		t.Errorf("valid signature rejected")
-	}
-
-	wrongMessage := []byte("wrong message")
-	if Verify(public, wrongMessage, sig) {
-		t.Errorf("signature of different message accepted")
-	}
-}
-
-func TestCryptoSigner(t *testing.T) {
-	var zero zeroReader
-	public, private, _ := GenerateKey(zero)
-
-	signer := crypto.Signer(private)
-
-	publicInterface := signer.Public()
-	public2, ok := publicInterface.(PublicKey)
-	if !ok {
-		t.Fatalf("expected PublicKey from Public() but got %T", publicInterface)
-	}
-
-	if !bytes.Equal(public, public2) {
-		t.Errorf("public keys do not match: original:%x vs Public():%x", public, public2)
-	}
-
-	message := []byte("message")
-	var noHash crypto.Hash
-	signature, err := signer.Sign(zero, message, noHash)
-	if err != nil {
-		t.Fatalf("error from Sign(): %s", err)
-	}
-
-	if !Verify(public, message, signature) {
-		t.Errorf("Verify failed on signature from Sign()")
-	}
-}
-
-func TestGolden(t *testing.T) {
-	// sign.input.gz is a selection of test cases from
-	// https://ed25519.cr.yp.to/python/sign.input
-	testDataZ, err := os.Open("testdata/sign.input.gz")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer testDataZ.Close()
-	testData, err := gzip.NewReader(testDataZ)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer testData.Close()
-
-	scanner := bufio.NewScanner(testData)
-	lineNo := 0
-
-	for scanner.Scan() {
-		lineNo++
-
-		line := scanner.Text()
-		parts := strings.Split(line, ":")
-		if len(parts) != 5 {
-			t.Fatalf("bad number of parts on line %d", lineNo)
-		}
-
-		privBytes, _ := hex.DecodeString(parts[0])
-		pubKey, _ := hex.DecodeString(parts[1])
-		msg, _ := hex.DecodeString(parts[2])
-		sig, _ := hex.DecodeString(parts[3])
-		// The signatures in the test vectors also include the message
-		// at the end, but we just want R and S.
-		sig = sig[:SignatureSize]
-
-		if l := len(pubKey); l != PublicKeySize {
-			t.Fatalf("bad public key length on line %d: got %d bytes", lineNo, l)
-		}
-
-		var priv [PrivateKeySize]byte
-		copy(priv[:], privBytes)
-		copy(priv[32:], pubKey)
-
-		sig2 := Sign(priv[:], msg)
-		if !bytes.Equal(sig, sig2[:]) {
-			t.Errorf("different signature result on line %d: %x vs %x", lineNo, sig, sig2)
-		}
-
-		if !Verify(pubKey, msg, sig2) {
-			t.Errorf("signature failed to verify on line %d", lineNo)
-		}
-	}
-
-	if err := scanner.Err(); err != nil {
-		t.Fatalf("error reading test data: %s", err)
-	}
-}
-
-func BenchmarkKeyGeneration(b *testing.B) {
-	var zero zeroReader
-	for i := 0; i < b.N; i++ {
-		if _, _, err := GenerateKey(zero); err != nil {
-			b.Fatal(err)
-		}
-	}
-}
-
-func BenchmarkSigning(b *testing.B) {
-	var zero zeroReader
-	_, priv, err := GenerateKey(zero)
-	if err != nil {
-		b.Fatal(err)
-	}
-	message := []byte("Hello, world!")
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		Sign(priv, message)
-	}
-}
-
-func BenchmarkVerification(b *testing.B) {
-	var zero zeroReader
-	pub, priv, err := GenerateKey(zero)
-	if err != nil {
-		b.Fatal(err)
-	}
-	message := []byte("Hello, world!")
-	signature := Sign(priv, message)
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		Verify(pub, message, signature)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go b/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
deleted file mode 100644
index e39f086c..00000000
--- a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
+++ /dev/null
@@ -1,1422 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package edwards25519
-
-// These values are from the public domain, “ref10” implementation of ed25519
-// from SUPERCOP.
-
-// d is a constant in the Edwards curve equation.
-var d = FieldElement{
-	-10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116,
-}
-
-// d2 is 2*d.
-var d2 = FieldElement{
-	-21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199,
-}
-
-// SqrtM1 is the square-root of -1 in the field.
-var SqrtM1 = FieldElement{
-	-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482,
-}
-
-// A is a constant in the Montgomery-form of curve25519.
-var A = FieldElement{
-	486662, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-}
-
-// bi contains precomputed multiples of the base-point. See the Ed25519 paper
-// for a discussion about how these values are used.
-var bi = [8]PreComputedGroupElement{
-	{
-		FieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
-		FieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
-		FieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
-	},
-	{
-		FieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
-		FieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
-		FieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
-	},
-	{
-		FieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
-		FieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
-		FieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
-	},
-	{
-		FieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
-		FieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
-		FieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
-	},
-	{
-		FieldElement{-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877},
-		FieldElement{-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951},
-		FieldElement{4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784},
-	},
-	{
-		FieldElement{-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436},
-		FieldElement{25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918},
-		FieldElement{23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877},
-	},
-	{
-		FieldElement{-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800},
-		FieldElement{-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305},
-		FieldElement{-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300},
-	},
-	{
-		FieldElement{-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876},
-		FieldElement{-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619},
-		FieldElement{-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683},
-	},
-}
-
-// base contains precomputed multiples of the base-point. See the Ed25519 paper
-// for a discussion about how these values are used.
-var base = [32][8]PreComputedGroupElement{
-	{
-		{
-			FieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
-			FieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
-			FieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
-		},
-		{
-			FieldElement{-12815894, -12976347, -21581243, 11784320, -25355658, -2750717, -11717903, -3814571, -358445, -10211303},
-			FieldElement{-21703237, 6903825, 27185491, 6451973, -29577724, -9554005, -15616551, 11189268, -26829678, -5319081},
-			FieldElement{26966642, 11152617, 32442495, 15396054, 14353839, -12752335, -3128826, -9541118, -15472047, -4166697},
-		},
-		{
-			FieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
-			FieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
-			FieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
-		},
-		{
-			FieldElement{-17036878, 13921892, 10945806, -6033431, 27105052, -16084379, -28926210, 15006023, 3284568, -6276540},
-			FieldElement{23599295, -8306047, -11193664, -7687416, 13236774, 10506355, 7464579, 9656445, 13059162, 10374397},
-			FieldElement{7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664, -3839045, -641708, -101325},
-		},
-		{
-			FieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
-			FieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
-			FieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
-		},
-		{
-			FieldElement{-15371964, -12862754, 32573250, 4720197, -26436522, 5875511, -19188627, -15224819, -9818940, -12085777},
-			FieldElement{-8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240, -15689887, 1762328, 14866737},
-			FieldElement{-18199695, -15951423, -10473290, 1707278, -17185920, 3916101, -28236412, 3959421, 27914454, 4383652},
-		},
-		{
-			FieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
-			FieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
-			FieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
-		},
-		{
-			FieldElement{14499471, -2729599, -33191113, -4254652, 28494862, 14271267, 30290735, 10876454, -33154098, 2381726},
-			FieldElement{-7195431, -2655363, -14730155, 462251, -27724326, 3941372, -6236617, 3696005, -32300832, 15351955},
-			FieldElement{27431194, 8222322, 16448760, -3907995, -18707002, 11938355, -32961401, -2970515, 29551813, 10109425},
-		},
-	},
-	{
-		{
-			FieldElement{-13657040, -13155431, -31283750, 11777098, 21447386, 6519384, -2378284, -1627556, 10092783, -4764171},
-			FieldElement{27939166, 14210322, 4677035, 16277044, -22964462, -12398139, -32508754, 12005538, -17810127, 12803510},
-			FieldElement{17228999, -15661624, -1233527, 300140, -1224870, -11714777, 30364213, -9038194, 18016357, 4397660},
-		},
-		{
-			FieldElement{-10958843, -7690207, 4776341, -14954238, 27850028, -15602212, -26619106, 14544525, -17477504, 982639},
-			FieldElement{29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899, -4120128, -21047696, 9934963},
-			FieldElement{5793303, 16271923, -24131614, -10116404, 29188560, 1206517, -14747930, 4559895, -30123922, -10897950},
-		},
-		{
-			FieldElement{-27643952, -11493006, 16282657, -11036493, 28414021, -15012264, 24191034, 4541697, -13338309, 5500568},
-			FieldElement{12650548, -1497113, 9052871, 11355358, -17680037, -8400164, -17430592, 12264343, 10874051, 13524335},
-			FieldElement{25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038, 5080568, -22528059, 5376628},
-		},
-		{
-			FieldElement{-26088264, -4011052, -17013699, -3537628, -6726793, 1920897, -22321305, -9447443, 4535768, 1569007},
-			FieldElement{-2255422, 14606630, -21692440, -8039818, 28430649, 8775819, -30494562, 3044290, 31848280, 12543772},
-			FieldElement{-22028579, 2943893, -31857513, 6777306, 13784462, -4292203, -27377195, -2062731, 7718482, 14474653},
-		},
-		{
-			FieldElement{2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965, -7236665, 24316168, -5253567},
-			FieldElement{13741529, 10911568, -33233417, -8603737, -20177830, -1033297, 33040651, -13424532, -20729456, 8321686},
-			FieldElement{21060490, -2212744, 15712757, -4336099, 1639040, 10656336, 23845965, -11874838, -9984458, 608372},
-		},
-		{
-			FieldElement{-13672732, -15087586, -10889693, -7557059, -6036909, 11305547, 1123968, -6780577, 27229399, 23887},
-			FieldElement{-23244140, -294205, -11744728, 14712571, -29465699, -2029617, 12797024, -6440308, -1633405, 16678954},
-			FieldElement{-29500620, 4770662, -16054387, 14001338, 7830047, 9564805, -1508144, -4795045, -17169265, 4904953},
-		},
-		{
-			FieldElement{24059557, 14617003, 19037157, -15039908, 19766093, -14906429, 5169211, 16191880, 2128236, -4326833},
-			FieldElement{-16981152, 4124966, -8540610, -10653797, 30336522, -14105247, -29806336, 916033, -6882542, -2986532},
-			FieldElement{-22630907, 12419372, -7134229, -7473371, -16478904, 16739175, 285431, 2763829, 15736322, 4143876},
-		},
-		{
-			FieldElement{2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801, -14594663, 23527084, -16458268},
-			FieldElement{33431127, -11130478, -17838966, -15626900, 8909499, 8376530, -32625340, 4087881, -15188911, -14416214},
-			FieldElement{1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055, 4357868, -4774191, -16323038},
-		},
-	},
-	{
-		{
-			FieldElement{6721966, 13833823, -23523388, -1551314, 26354293, -11863321, 23365147, -3949732, 7390890, 2759800},
-			FieldElement{4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353, -4264057, 1244380, -12919645},
-			FieldElement{-4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413, 9208236, 15886429, 16489664},
-		},
-		{
-			FieldElement{1996075, 10375649, 14346367, 13311202, -6874135, -16438411, -13693198, 398369, -30606455, -712933},
-			FieldElement{-25307465, 9795880, -2777414, 14878809, -33531835, 14780363, 13348553, 12076947, -30836462, 5113182},
-			FieldElement{-17770784, 11797796, 31950843, 13929123, -25888302, 12288344, -30341101, -7336386, 13847711, 5387222},
-		},
-		{
-			FieldElement{-18582163, -3416217, 17824843, -2340966, 22744343, -10442611, 8763061, 3617786, -19600662, 10370991},
-			FieldElement{20246567, -14369378, 22358229, -543712, 18507283, -10413996, 14554437, -8746092, 32232924, 16763880},
-			FieldElement{9648505, 10094563, 26416693, 14745928, -30374318, -6472621, 11094161, 15689506, 3140038, -16510092},
-		},
-		{
-			FieldElement{-16160072, 5472695, 31895588, 4744994, 8823515, 10365685, -27224800, 9448613, -28774454, 366295},
-			FieldElement{19153450, 11523972, -11096490, -6503142, -24647631, 5420647, 28344573, 8041113, 719605, 11671788},
-			FieldElement{8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916, -15266516, 27000813, -10195553},
-		},
-		{
-			FieldElement{-15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065, 5336097, 6750977, -14521026},
-			FieldElement{11836410, -3979488, 26297894, 16080799, 23455045, 15735944, 1695823, -8819122, 8169720, 16220347},
-			FieldElement{-18115838, 8653647, 17578566, -6092619, -8025777, -16012763, -11144307, -2627664, -5990708, -14166033},
-		},
-		{
-			FieldElement{-23308498, -10968312, 15213228, -10081214, -30853605, -11050004, 27884329, 2847284, 2655861, 1738395},
-			FieldElement{-27537433, -14253021, -25336301, -8002780, -9370762, 8129821, 21651608, -3239336, -19087449, -11005278},
-			FieldElement{1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092, 5821408, 10478196, 8544890},
-		},
-		{
-			FieldElement{32173121, -16129311, 24896207, 3921497, 22579056, -3410854, 19270449, 12217473, 17789017, -3395995},
-			FieldElement{-30552961, -2228401, -15578829, -10147201, 13243889, 517024, 15479401, -3853233, 30460520, 1052596},
-			FieldElement{-11614875, 13323618, 32618793, 8175907, -15230173, 12596687, 27491595, -4612359, 3179268, -9478891},
-		},
-		{
-			FieldElement{31947069, -14366651, -4640583, -15339921, -15125977, -6039709, -14756777, -16411740, 19072640, -9511060},
-			FieldElement{11685058, 11822410, 3158003, -13952594, 33402194, -4165066, 5977896, -5215017, 473099, 5040608},
-			FieldElement{-20290863, 8198642, -27410132, 11602123, 1290375, -2799760, 28326862, 1721092, -19558642, -3131606},
-		},
-	},
-	{
-		{
-			FieldElement{7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786, 8076149, -27868496, 11538389},
-			FieldElement{-19935666, 3899861, 18283497, -6801568, -15728660, -11249211, 8754525, 7446702, -5676054, 5797016},
-			FieldElement{-11295600, -3793569, -15782110, -7964573, 12708869, -8456199, 2014099, -9050574, -2369172, -5877341},
-		},
-		{
-			FieldElement{-22472376, -11568741, -27682020, 1146375, 18956691, 16640559, 1192730, -3714199, 15123619, 10811505},
-			FieldElement{14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363, 15776356, -28886779, -11974553},
-			FieldElement{-28241164, -8072475, -4978962, -5315317, 29416931, 1847569, -20654173, -16484855, 4714547, -9600655},
-		},
-		{
-			FieldElement{15200332, 8368572, 19679101, 15970074, -31872674, 1959451, 24611599, -4543832, -11745876, 12340220},
-			FieldElement{12876937, -10480056, 33134381, 6590940, -6307776, 14872440, 9613953, 8241152, 15370987, 9608631},
-			FieldElement{-4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868, 15866074, -28210621, -8814099},
-		},
-		{
-			FieldElement{26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233, 858697, 20571223, 8420556},
-			FieldElement{14620715, 13067227, -15447274, 8264467, 14106269, 15080814, 33531827, 12516406, -21574435, -12476749},
-			FieldElement{236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519, 7256740, 8791136, 15069930},
-		},
-		{
-			FieldElement{1276410, -9371918, 22949635, -16322807, -23493039, -5702186, 14711875, 4874229, -30663140, -2331391},
-			FieldElement{5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175, -7912378, -33069337, 9234253},
-			FieldElement{20590503, -9018988, 31529744, -7352666, -2706834, 10650548, 31559055, -11609587, 18979186, 13396066},
-		},
-		{
-			FieldElement{24474287, 4968103, 22267082, 4407354, 24063882, -8325180, -18816887, 13594782, 33514650, 7021958},
-			FieldElement{-11566906, -6565505, -21365085, 15928892, -26158305, 4315421, -25948728, -3916677, -21480480, 12868082},
-			FieldElement{-28635013, 13504661, 19988037, -2132761, 21078225, 6443208, -21446107, 2244500, -12455797, -8089383},
-		},
-		{
-			FieldElement{-30595528, 13793479, -5852820, 319136, -25723172, -6263899, 33086546, 8957937, -15233648, 5540521},
-			FieldElement{-11630176, -11503902, -8119500, -7643073, 2620056, 1022908, -23710744, -1568984, -16128528, -14962807},
-			FieldElement{23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819, 892185, -11513277, -15205948},
-		},
-		{
-			FieldElement{9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819, 4763127, -19179614, 5867134},
-			FieldElement{-32765025, 1927590, 31726409, -4753295, 23962434, -16019500, 27846559, 5931263, -29749703, -16108455},
-			FieldElement{27461885, -2977536, 22380810, 1815854, -23033753, -3031938, 7283490, -15148073, -19526700, 7734629},
-		},
-	},
-	{
-		{
-			FieldElement{-8010264, -9590817, -11120403, 6196038, 29344158, -13430885, 7585295, -3176626, 18549497, 15302069},
-			FieldElement{-32658337, -6171222, -7672793, -11051681, 6258878, 13504381, 10458790, -6418461, -8872242, 8424746},
-			FieldElement{24687205, 8613276, -30667046, -3233545, 1863892, -1830544, 19206234, 7134917, -11284482, -828919},
-		},
-		{
-			FieldElement{11334899, -9218022, 8025293, 12707519, 17523892, -10476071, 10243738, -14685461, -5066034, 16498837},
-			FieldElement{8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925, -14124238, 6536641, 10543906},
-			FieldElement{-28946384, 15479763, -17466835, 568876, -1497683, 11223454, -2669190, -16625574, -27235709, 8876771},
-		},
-		{
-			FieldElement{-25742899, -12566864, -15649966, -846607, -33026686, -796288, -33481822, 15824474, -604426, -9039817},
-			FieldElement{10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697, -4890037, 1657394, 3084098},
-			FieldElement{10477963, -7470260, 12119566, -13250805, 29016247, -5365589, 31280319, 14396151, -30233575, 15272409},
-		},
-		{
-			FieldElement{-12288309, 3169463, 28813183, 16658753, 25116432, -5630466, -25173957, -12636138, -25014757, 1950504},
-			FieldElement{-26180358, 9489187, 11053416, -14746161, -31053720, 5825630, -8384306, -8767532, 15341279, 8373727},
-			FieldElement{28685821, 7759505, -14378516, -12002860, -31971820, 4079242, 298136, -10232602, -2878207, 15190420},
-		},
-		{
-			FieldElement{-32932876, 13806336, -14337485, -15794431, -24004620, 10940928, 8669718, 2742393, -26033313, -6875003},
-			FieldElement{-1580388, -11729417, -25979658, -11445023, -17411874, -10912854, 9291594, -16247779, -12154742, 6048605},
-			FieldElement{-30305315, 14843444, 1539301, 11864366, 20201677, 1900163, 13934231, 5128323, 11213262, 9168384},
-		},
-		{
-			FieldElement{-26280513, 11007847, 19408960, -940758, -18592965, -4328580, -5088060, -11105150, 20470157, -16398701},
-			FieldElement{-23136053, 9282192, 14855179, -15390078, -7362815, -14408560, -22783952, 14461608, 14042978, 5230683},
-			FieldElement{29969567, -2741594, -16711867, -8552442, 9175486, -2468974, 21556951, 3506042, -5933891, -12449708},
-		},
-		{
-			FieldElement{-3144746, 8744661, 19704003, 4581278, -20430686, 6830683, -21284170, 8971513, -28539189, 15326563},
-			FieldElement{-19464629, 10110288, -17262528, -3503892, -23500387, 1355669, -15523050, 15300988, -20514118, 9168260},
-			FieldElement{-5353335, 4488613, -23803248, 16314347, 7780487, -15638939, -28948358, 9601605, 33087103, -9011387},
-		},
-		{
-			FieldElement{-19443170, -15512900, -20797467, -12445323, -29824447, 10229461, -27444329, -15000531, -5996870, 15664672},
-			FieldElement{23294591, -16632613, -22650781, -8470978, 27844204, 11461195, 13099750, -2460356, 18151676, 13417686},
-			FieldElement{-24722913, -4176517, -31150679, 5988919, -26858785, 6685065, 1661597, -12551441, 15271676, -15452665},
-		},
-	},
-	{
-		{
-			FieldElement{11433042, -13228665, 8239631, -5279517, -1985436, -725718, -18698764, 2167544, -6921301, -13440182},
-			FieldElement{-31436171, 15575146, 30436815, 12192228, -22463353, 9395379, -9917708, -8638997, 12215110, 12028277},
-			FieldElement{14098400, 6555944, 23007258, 5757252, -15427832, -12950502, 30123440, 4617780, -16900089, -655628},
-		},
-		{
-			FieldElement{-4026201, -15240835, 11893168, 13718664, -14809462, 1847385, -15819999, 10154009, 23973261, -12684474},
-			FieldElement{-26531820, -3695990, -1908898, 2534301, -31870557, -16550355, 18341390, -11419951, 32013174, -10103539},
-			FieldElement{-25479301, 10876443, -11771086, -14625140, -12369567, 1838104, 21911214, 6354752, 4425632, -837822},
-		},
-		{
-			FieldElement{-10433389, -14612966, 22229858, -3091047, -13191166, 776729, -17415375, -12020462, 4725005, 14044970},
-			FieldElement{19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390, -1411784, -19522291, -16109756},
-			FieldElement{-24864089, 12986008, -10898878, -5558584, -11312371, -148526, 19541418, 8180106, 9282262, 10282508},
-		},
-		{
-			FieldElement{-26205082, 4428547, -8661196, -13194263, 4098402, -14165257, 15522535, 8372215, 5542595, -10702683},
-			FieldElement{-10562541, 14895633, 26814552, -16673850, -17480754, -2489360, -2781891, 6993761, -18093885, 10114655},
-			FieldElement{-20107055, -929418, 31422704, 10427861, -7110749, 6150669, -29091755, -11529146, 25953725, -106158},
-		},
-		{
-			FieldElement{-4234397, -8039292, -9119125, 3046000, 2101609, -12607294, 19390020, 6094296, -3315279, 12831125},
-			FieldElement{-15998678, 7578152, 5310217, 14408357, -33548620, -224739, 31575954, 6326196, 7381791, -2421839},
-			FieldElement{-20902779, 3296811, 24736065, -16328389, 18374254, 7318640, 6295303, 8082724, -15362489, 12339664},
-		},
-		{
-			FieldElement{27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414, 15768922, 25091167, 14856294},
-			FieldElement{-18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300, -12695493, -22182473, -9012899},
-			FieldElement{-11423429, -5421590, 11632845, 3405020, 30536730, -11674039, -27260765, 13866390, 30146206, 9142070},
-		},
-		{
-			FieldElement{3924129, -15307516, -13817122, -10054960, 12291820, -668366, -27702774, 9326384, -8237858, 4171294},
-			FieldElement{-15921940, 16037937, 6713787, 16606682, -21612135, 2790944, 26396185, 3731949, 345228, -5462949},
-			FieldElement{-21327538, 13448259, 25284571, 1143661, 20614966, -8849387, 2031539, -12391231, -16253183, -13582083},
-		},
-		{
-			FieldElement{31016211, -16722429, 26371392, -14451233, -5027349, 14854137, 17477601, 3842657, 28012650, -16405420},
-			FieldElement{-5075835, 9368966, -8562079, -4600902, -15249953, 6970560, -9189873, 16292057, -8867157, 3507940},
-			FieldElement{29439664, 3537914, 23333589, 6997794, -17555561, -11018068, -15209202, -15051267, -9164929, 6580396},
-		},
-	},
-	{
-		{
-			FieldElement{-12185861, -7679788, 16438269, 10826160, -8696817, -6235611, 17860444, -9273846, -2095802, 9304567},
-			FieldElement{20714564, -4336911, 29088195, 7406487, 11426967, -5095705, 14792667, -14608617, 5289421, -477127},
-			FieldElement{-16665533, -10650790, -6160345, -13305760, 9192020, -1802462, 17271490, 12349094, 26939669, -3752294},
-		},
-		{
-			FieldElement{-12889898, 9373458, 31595848, 16374215, 21471720, 13221525, -27283495, -12348559, -3698806, 117887},
-			FieldElement{22263325, -6560050, 3984570, -11174646, -15114008, -566785, 28311253, 5358056, -23319780, 541964},
-			FieldElement{16259219, 3261970, 2309254, -15534474, -16885711, -4581916, 24134070, -16705829, -13337066, -13552195},
-		},
-		{
-			FieldElement{9378160, -13140186, -22845982, -12745264, 28198281, -7244098, -2399684, -717351, 690426, 14876244},
-			FieldElement{24977353, -314384, -8223969, -13465086, 28432343, -1176353, -13068804, -12297348, -22380984, 6618999},
-			FieldElement{-1538174, 11685646, 12944378, 13682314, -24389511, -14413193, 8044829, -13817328, 32239829, -5652762},
-		},
-		{
-			FieldElement{-18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647, -10350059, 32779359, 5095274},
-			FieldElement{-33008130, -5214506, -32264887, -3685216, 9460461, -9327423, -24601656, 14506724, 21639561, -2630236},
-			FieldElement{-16400943, -13112215, 25239338, 15531969, 3987758, -4499318, -1289502, -6863535, 17874574, 558605},
-		},
-		{
-			FieldElement{-13600129, 10240081, 9171883, 16131053, -20869254, 9599700, 33499487, 5080151, 2085892, 5119761},
-			FieldElement{-22205145, -2519528, -16381601, 414691, -25019550, 2170430, 30634760, -8363614, -31999993, -5759884},
-			FieldElement{-6845704, 15791202, 8550074, -1312654, 29928809, -12092256, 27534430, -7192145, -22351378, 12961482},
-		},
-		{
-			FieldElement{-24492060, -9570771, 10368194, 11582341, -23397293, -2245287, 16533930, 8206996, -30194652, -5159638},
-			FieldElement{-11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630, 7031275, 7589640, 8945490},
-			FieldElement{-32152748, 8917967, 6661220, -11677616, -1192060, -15793393, 7251489, -11182180, 24099109, -14456170},
-		},
-		{
-			FieldElement{5019558, -7907470, 4244127, -14714356, -26933272, 6453165, -19118182, -13289025, -6231896, -10280736},
-			FieldElement{10853594, 10721687, 26480089, 5861829, -22995819, 1972175, -1866647, -10557898, -3363451, -6441124},
-			FieldElement{-17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661, -2008168, -13866408, 7421392},
-		},
-		{
-			FieldElement{8139927, -6546497, 32257646, -5890546, 30375719, 1886181, -21175108, 15441252, 28826358, -4123029},
-			FieldElement{6267086, 9695052, 7709135, -16603597, -32869068, -1886135, 14795160, -7840124, 13746021, -1742048},
-			FieldElement{28584902, 7787108, -6732942, -15050729, 22846041, -7571236, -3181936, -363524, 4771362, -8419958},
-		},
-	},
-	{
-		{
-			FieldElement{24949256, 6376279, -27466481, -8174608, -18646154, -9930606, 33543569, -12141695, 3569627, 11342593},
-			FieldElement{26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886, 4608608, 7325975, -14801071},
-			FieldElement{-11618399, -14554430, -24321212, 7655128, -1369274, 5214312, -27400540, 10258390, -17646694, -8186692},
-		},
-		{
-			FieldElement{11431204, 15823007, 26570245, 14329124, 18029990, 4796082, -31446179, 15580664, 9280358, -3973687},
-			FieldElement{-160783, -10326257, -22855316, -4304997, -20861367, -13621002, -32810901, -11181622, -15545091, 4387441},
-			FieldElement{-20799378, 12194512, 3937617, -5805892, -27154820, 9340370, -24513992, 8548137, 20617071, -7482001},
-		},
-		{
-			FieldElement{-938825, -3930586, -8714311, 16124718, 24603125, -6225393, -13775352, -11875822, 24345683, 10325460},
-			FieldElement{-19855277, -1568885, -22202708, 8714034, 14007766, 6928528, 16318175, -1010689, 4766743, 3552007},
-			FieldElement{-21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514, 14481909, 10988822, -3994762},
-		},
-		{
-			FieldElement{15564307, -14311570, 3101243, 5684148, 30446780, -8051356, 12677127, -6505343, -8295852, 13296005},
-			FieldElement{-9442290, 6624296, -30298964, -11913677, -4670981, -2057379, 31521204, 9614054, -30000824, 12074674},
-			FieldElement{4771191, -135239, 14290749, -13089852, 27992298, 14998318, -1413936, -1556716, 29832613, -16391035},
-		},
-		{
-			FieldElement{7064884, -7541174, -19161962, -5067537, -18891269, -2912736, 25825242, 5293297, -27122660, 13101590},
-			FieldElement{-2298563, 2439670, -7466610, 1719965, -27267541, -16328445, 32512469, -5317593, -30356070, -4190957},
-			FieldElement{-30006540, 10162316, -33180176, 3981723, -16482138, -13070044, 14413974, 9515896, 19568978, 9628812},
-		},
-		{
-			FieldElement{33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894, -6106839, -6291786, 3437740},
-			FieldElement{-18978877, 3884493, 19469877, 12726490, 15913552, 13614290, -22961733, 70104, 7463304, 4176122},
-			FieldElement{-27124001, 10659917, 11482427, -16070381, 12771467, -6635117, -32719404, -5322751, 24216882, 5944158},
-		},
-		{
-			FieldElement{8894125, 7450974, -2664149, -9765752, -28080517, -12389115, 19345746, 14680796, 11632993, 5847885},
-			FieldElement{26942781, -2315317, 9129564, -4906607, 26024105, 11769399, -11518837, 6367194, -9727230, 4782140},
-			FieldElement{19916461, -4828410, -22910704, -11414391, 25606324, -5972441, 33253853, 8220911, 6358847, -1873857},
-		},
-		{
-			FieldElement{801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388, -4480480, -13538503, 1387155},
-			FieldElement{19646058, 5720633, -11416706, 12814209, 11607948, 12749789, 14147075, 15156355, -21866831, 11835260},
-			FieldElement{19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523, 15467869, -26560550, 5052483},
-		},
-	},
-	{
-		{
-			FieldElement{-3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123, -12618185, 12228557, -7003677},
-			FieldElement{32944382, 14922211, -22844894, 5188528, 21913450, -8719943, 4001465, 13238564, -6114803, 8653815},
-			FieldElement{22865569, -4652735, 27603668, -12545395, 14348958, 8234005, 24808405, 5719875, 28483275, 2841751},
-		},
-		{
-			FieldElement{-16420968, -1113305, -327719, -12107856, 21886282, -15552774, -1887966, -315658, 19932058, -12739203},
-			FieldElement{-11656086, 10087521, -8864888, -5536143, -19278573, -3055912, 3999228, 13239134, -4777469, -13910208},
-			FieldElement{1382174, -11694719, 17266790, 9194690, -13324356, 9720081, 20403944, 11284705, -14013818, 3093230},
-		},
-		{
-			FieldElement{16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424, 16271225, -24049421, -6691850},
-			FieldElement{-21911077, -5927941, -4611316, -5560156, -31744103, -10785293, 24123614, 15193618, -21652117, -16739389},
-			FieldElement{-9935934, -4289447, -25279823, 4372842, 2087473, 10399484, 31870908, 14690798, 17361620, 11864968},
-		},
-		{
-			FieldElement{-11307610, 6210372, 13206574, 5806320, -29017692, -13967200, -12331205, -7486601, -25578460, -16240689},
-			FieldElement{14668462, -12270235, 26039039, 15305210, 25515617, 4542480, 10453892, 6577524, 9145645, -6443880},
-			FieldElement{5974874, 3053895, -9433049, -10385191, -31865124, 3225009, -7972642, 3936128, -5652273, -3050304},
-		},
-		{
-			FieldElement{30625386, -4729400, -25555961, -12792866, -20484575, 7695099, 17097188, -16303496, -27999779, 1803632},
-			FieldElement{-3553091, 9865099, -5228566, 4272701, -5673832, -16689700, 14911344, 12196514, -21405489, 7047412},
-			FieldElement{20093277, 9920966, -11138194, -5343857, 13161587, 12044805, -32856851, 4124601, -32343828, -10257566},
-		},
-		{
-			FieldElement{-20788824, 14084654, -13531713, 7842147, 19119038, -13822605, 4752377, -8714640, -21679658, 2288038},
-			FieldElement{-26819236, -3283715, 29965059, 3039786, -14473765, 2540457, 29457502, 14625692, -24819617, 12570232},
-			FieldElement{-1063558, -11551823, 16920318, 12494842, 1278292, -5869109, -21159943, -3498680, -11974704, 4724943},
-		},
-		{
-			FieldElement{17960970, -11775534, -4140968, -9702530, -8876562, -1410617, -12907383, -8659932, -29576300, 1903856},
-			FieldElement{23134274, -14279132, -10681997, -1611936, 20684485, 15770816, -12989750, 3190296, 26955097, 14109738},
-			FieldElement{15308788, 5320727, -30113809, -14318877, 22902008, 7767164, 29425325, -11277562, 31960942, 11934971},
-		},
-		{
-			FieldElement{-27395711, 8435796, 4109644, 12222639, -24627868, 14818669, 20638173, 4875028, 10491392, 1379718},
-			FieldElement{-13159415, 9197841, 3875503, -8936108, -1383712, -5879801, 33518459, 16176658, 21432314, 12180697},
-			FieldElement{-11787308, 11500838, 13787581, -13832590, -22430679, 10140205, 1465425, 12689540, -10301319, -13872883},
-		},
-	},
-	{
-		{
-			FieldElement{5414091, -15386041, -21007664, 9643570, 12834970, 1186149, -2622916, -1342231, 26128231, 6032912},
-			FieldElement{-26337395, -13766162, 32496025, -13653919, 17847801, -12669156, 3604025, 8316894, -25875034, -10437358},
-			FieldElement{3296484, 6223048, 24680646, -12246460, -23052020, 5903205, -8862297, -4639164, 12376617, 3188849},
-		},
-		{
-			FieldElement{29190488, -14659046, 27549113, -1183516, 3520066, -10697301, 32049515, -7309113, -16109234, -9852307},
-			FieldElement{-14744486, -9309156, 735818, -598978, -20407687, -5057904, 25246078, -15795669, 18640741, -960977},
-			FieldElement{-6928835, -16430795, 10361374, 5642961, 4910474, 12345252, -31638386, -494430, 10530747, 1053335},
-		},
-		{
-			FieldElement{-29265967, -14186805, -13538216, -12117373, -19457059, -10655384, -31462369, -2948985, 24018831, 15026644},
-			FieldElement{-22592535, -3145277, -2289276, 5953843, -13440189, 9425631, 25310643, 13003497, -2314791, -15145616},
-			FieldElement{-27419985, -603321, -8043984, -1669117, -26092265, 13987819, -27297622, 187899, -23166419, -2531735},
-		},
-		{
-			FieldElement{-21744398, -13810475, 1844840, 5021428, -10434399, -15911473, 9716667, 16266922, -5070217, 726099},
-			FieldElement{29370922, -6053998, 7334071, -15342259, 9385287, 2247707, -13661962, -4839461, 30007388, -15823341},
-			FieldElement{-936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109, 730663, 9835848, 4555336},
-		},
-		{
-			FieldElement{-23376435, 1410446, -22253753, -12899614, 30867635, 15826977, 17693930, 544696, -11985298, 12422646},
-			FieldElement{31117226, -12215734, -13502838, 6561947, -9876867, -12757670, -5118685, -4096706, 29120153, 13924425},
-			FieldElement{-17400879, -14233209, 19675799, -2734756, -11006962, -5858820, -9383939, -11317700, 7240931, -237388},
-		},
-		{
-			FieldElement{-31361739, -11346780, -15007447, -5856218, -22453340, -12152771, 1222336, 4389483, 3293637, -15551743},
-			FieldElement{-16684801, -14444245, 11038544, 11054958, -13801175, -3338533, -24319580, 7733547, 12796905, -6335822},
-			FieldElement{-8759414, -10817836, -25418864, 10783769, -30615557, -9746811, -28253339, 3647836, 3222231, -11160462},
-		},
-		{
-			FieldElement{18606113, 1693100, -25448386, -15170272, 4112353, 10045021, 23603893, -2048234, -7550776, 2484985},
-			FieldElement{9255317, -3131197, -12156162, -1004256, 13098013, -9214866, 16377220, -2102812, -19802075, -3034702},
-			FieldElement{-22729289, 7496160, -5742199, 11329249, 19991973, -3347502, -31718148, 9936966, -30097688, -10618797},
-		},
-		{
-			FieldElement{21878590, -5001297, 4338336, 13643897, -3036865, 13160960, 19708896, 5415497, -7360503, -4109293},
-			FieldElement{27736861, 10103576, 12500508, 8502413, -3413016, -9633558, 10436918, -1550276, -23659143, -8132100},
-			FieldElement{19492550, -12104365, -29681976, -852630, -3208171, 12403437, 30066266, 8367329, 13243957, 8709688},
-		},
-	},
-	{
-		{
-			FieldElement{12015105, 2801261, 28198131, 10151021, 24818120, -4743133, -11194191, -5645734, 5150968, 7274186},
-			FieldElement{2831366, -12492146, 1478975, 6122054, 23825128, -12733586, 31097299, 6083058, 31021603, -9793610},
-			FieldElement{-2529932, -2229646, 445613, 10720828, -13849527, -11505937, -23507731, 16354465, 15067285, -14147707},
-		},
-		{
-			FieldElement{7840942, 14037873, -33364863, 15934016, -728213, -3642706, 21403988, 1057586, -19379462, -12403220},
-			FieldElement{915865, -16469274, 15608285, -8789130, -24357026, 6060030, -17371319, 8410997, -7220461, 16527025},
-			FieldElement{32922597, -556987, 20336074, -16184568, 10903705, -5384487, 16957574, 52992, 23834301, 6588044},
-		},
-		{
-			FieldElement{32752030, 11232950, 3381995, -8714866, 22652988, -10744103, 17159699, 16689107, -20314580, -1305992},
-			FieldElement{-4689649, 9166776, -25710296, -10847306, 11576752, 12733943, 7924251, -2752281, 1976123, -7249027},
-			FieldElement{21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041, -3371252, 12331345, -8237197},
-		},
-		{
-			FieldElement{8651614, -4477032, -16085636, -4996994, 13002507, 2950805, 29054427, -5106970, 10008136, -4667901},
-			FieldElement{31486080, 15114593, -14261250, 12951354, 14369431, -7387845, 16347321, -13662089, 8684155, -10532952},
-			FieldElement{19443825, 11385320, 24468943, -9659068, -23919258, 2187569, -26263207, -6086921, 31316348, 14219878},
-		},
-		{
-			FieldElement{-28594490, 1193785, 32245219, 11392485, 31092169, 15722801, 27146014, 6992409, 29126555, 9207390},
-			FieldElement{32382935, 1110093, 18477781, 11028262, -27411763, -7548111, -4980517, 10843782, -7957600, -14435730},
-			FieldElement{2814918, 7836403, 27519878, -7868156, -20894015, -11553689, -21494559, 8550130, 28346258, 1994730},
-		},
-		{
-			FieldElement{-19578299, 8085545, -14000519, -3948622, 2785838, -16231307, -19516951, 7174894, 22628102, 8115180},
-			FieldElement{-30405132, 955511, -11133838, -15078069, -32447087, -13278079, -25651578, 3317160, -9943017, 930272},
-			FieldElement{-15303681, -6833769, 28856490, 1357446, 23421993, 1057177, 24091212, -1388970, -22765376, -10650715},
-		},
-		{
-			FieldElement{-22751231, -5303997, -12907607, -12768866, -15811511, -7797053, -14839018, -16554220, -1867018, 8398970},
-			FieldElement{-31969310, 2106403, -4736360, 1362501, 12813763, 16200670, 22981545, -6291273, 18009408, -15772772},
-			FieldElement{-17220923, -9545221, -27784654, 14166835, 29815394, 7444469, 29551787, -3727419, 19288549, 1325865},
-		},
-		{
-			FieldElement{15100157, -15835752, -23923978, -1005098, -26450192, 15509408, 12376730, -3479146, 33166107, -8042750},
-			FieldElement{20909231, 13023121, -9209752, 16251778, -5778415, -8094914, 12412151, 10018715, 2213263, -13878373},
-			FieldElement{32529814, -11074689, 30361439, -16689753, -9135940, 1513226, 22922121, 6382134, -5766928, 8371348},
-		},
-	},
-	{
-		{
-			FieldElement{9923462, 11271500, 12616794, 3544722, -29998368, -1721626, 12891687, -8193132, -26442943, 10486144},
-			FieldElement{-22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726, 2610596, -23921530, -11455195},
-			FieldElement{5408411, -1136691, -4969122, 10561668, 24145918, 14240566, 31319731, -4235541, 19985175, -3436086},
-		},
-		{
-			FieldElement{-13994457, 16616821, 14549246, 3341099, 32155958, 13648976, -17577068, 8849297, 65030, 8370684},
-			FieldElement{-8320926, -12049626, 31204563, 5839400, -20627288, -1057277, -19442942, 6922164, 12743482, -9800518},
-			FieldElement{-2361371, 12678785, 28815050, 4759974, -23893047, 4884717, 23783145, 11038569, 18800704, 255233},
-		},
-		{
-			FieldElement{-5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847, 9066957, 19258688, -14753793},
-			FieldElement{-2936654, -10827535, -10432089, 14516793, -3640786, 4372541, -31934921, 2209390, -1524053, 2055794},
-			FieldElement{580882, 16705327, 5468415, -2683018, -30926419, -14696000, -7203346, -8994389, -30021019, 7394435},
-		},
-		{
-			FieldElement{23838809, 1822728, -15738443, 15242727, 8318092, -3733104, -21672180, -3492205, -4821741, 14799921},
-			FieldElement{13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804, 13496856, -9056018, 7402518},
-			FieldElement{2286874, -4435931, -20042458, -2008336, -13696227, 5038122, 11006906, -15760352, 8205061, 1607563},
-		},
-		{
-			FieldElement{14414086, -8002132, 3331830, -3208217, 22249151, -5594188, 18364661, -2906958, 30019587, -9029278},
-			FieldElement{-27688051, 1585953, -10775053, 931069, -29120221, -11002319, -14410829, 12029093, 9944378, 8024},
-			FieldElement{4368715, -3709630, 29874200, -15022983, -20230386, -11410704, -16114594, -999085, -8142388, 5640030},
-		},
-		{
-			FieldElement{10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887, -16694564, 15219798, -14327783},
-			FieldElement{27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605, -1173195, -18342183, 9742717},
-			FieldElement{6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614, 7406442, 12420155, 1994844},
-		},
-		{
-			FieldElement{14012521, -5024720, -18384453, -9578469, -26485342, -3936439, -13033478, -10909803, 24319929, -6446333},
-			FieldElement{16412690, -4507367, 10772641, 15929391, -17068788, -4658621, 10555945, -10484049, -30102368, -4739048},
-			FieldElement{22397382, -7767684, -9293161, -12792868, 17166287, -9755136, -27333065, 6199366, 21880021, -12250760},
-		},
-		{
-			FieldElement{-4283307, 5368523, -31117018, 8163389, -30323063, 3209128, 16557151, 8890729, 8840445, 4957760},
-			FieldElement{-15447727, 709327, -6919446, -10870178, -29777922, 6522332, -21720181, 12130072, -14796503, 5005757},
-			FieldElement{-2114751, -14308128, 23019042, 15765735, -25269683, 6002752, 10183197, -13239326, -16395286, -2176112},
-		},
-	},
-	{
-		{
-			FieldElement{-19025756, 1632005, 13466291, -7995100, -23640451, 16573537, -32013908, -3057104, 22208662, 2000468},
-			FieldElement{3065073, -1412761, -25598674, -361432, -17683065, -5703415, -8164212, 11248527, -3691214, -7414184},
-			FieldElement{10379208, -6045554, 8877319, 1473647, -29291284, -12507580, 16690915, 2553332, -3132688, 16400289},
-		},
-		{
-			FieldElement{15716668, 1254266, -18472690, 7446274, -8448918, 6344164, -22097271, -7285580, 26894937, 9132066},
-			FieldElement{24158887, 12938817, 11085297, -8177598, -28063478, -4457083, -30576463, 64452, -6817084, -2692882},
-			FieldElement{13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710, -3418511, -4688006, 2364226},
-		},
-		{
-			FieldElement{16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024, -11697457, 15445875, -7798101},
-			FieldElement{29004207, -7867081, 28661402, -640412, -12794003, -7943086, 31863255, -4135540, -278050, -15759279},
-			FieldElement{-6122061, -14866665, -28614905, 14569919, -10857999, -3591829, 10343412, -6976290, -29828287, -10815811},
-		},
-		{
-			FieldElement{27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636, 15372179, 17293797, 960709},
-			FieldElement{20263915, 11434237, -5765435, 11236810, 13505955, -10857102, -16111345, 6493122, -19384511, 7639714},
-			FieldElement{-2830798, -14839232, 25403038, -8215196, -8317012, -16173699, 18006287, -16043750, 29994677, -15808121},
-		},
-		{
-			FieldElement{9769828, 5202651, -24157398, -13631392, -28051003, -11561624, -24613141, -13860782, -31184575, 709464},
-			FieldElement{12286395, 13076066, -21775189, -1176622, -25003198, 4057652, -32018128, -8890874, 16102007, 13205847},
-			FieldElement{13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170, 8525972, 10151379, 10394400},
-		},
-		{
-			FieldElement{4024660, -16137551, 22436262, 12276534, -9099015, -2686099, 19698229, 11743039, -33302334, 8934414},
-			FieldElement{-15879800, -4525240, -8580747, -2934061, 14634845, -698278, -9449077, 3137094, -11536886, 11721158},
-			FieldElement{17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229, 8835153, -9205489, -1280045},
-		},
-		{
-			FieldElement{-461409, -7830014, 20614118, 16688288, -7514766, -4807119, 22300304, 505429, 6108462, -6183415},
-			FieldElement{-5070281, 12367917, -30663534, 3234473, 32617080, -8422642, 29880583, -13483331, -26898490, -7867459},
-			FieldElement{-31975283, 5726539, 26934134, 10237677, -3173717, -605053, 24199304, 3795095, 7592688, -14992079},
-		},
-		{
-			FieldElement{21594432, -14964228, 17466408, -4077222, 32537084, 2739898, 6407723, 12018833, -28256052, 4298412},
-			FieldElement{-20650503, -11961496, -27236275, 570498, 3767144, -1717540, 13891942, -1569194, 13717174, 10805743},
-			FieldElement{-14676630, -15644296, 15287174, 11927123, 24177847, -8175568, -796431, 14860609, -26938930, -5863836},
-		},
-	},
-	{
-		{
-			FieldElement{12962541, 5311799, -10060768, 11658280, 18855286, -7954201, 13286263, -12808704, -4381056, 9882022},
-			FieldElement{18512079, 11319350, -20123124, 15090309, 18818594, 5271736, -22727904, 3666879, -23967430, -3299429},
-			FieldElement{-6789020, -3146043, 16192429, 13241070, 15898607, -14206114, -10084880, -6661110, -2403099, 5276065},
-		},
-		{
-			FieldElement{30169808, -5317648, 26306206, -11750859, 27814964, 7069267, 7152851, 3684982, 1449224, 13082861},
-			FieldElement{10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382, 15056736, -21016438, -8202000},
-			FieldElement{-33150110, 3261608, 22745853, 7948688, 19370557, -15177665, -26171976, 6482814, -10300080, -11060101},
-		},
-		{
-			FieldElement{32869458, -5408545, 25609743, 15678670, -10687769, -15471071, 26112421, 2521008, -22664288, 6904815},
-			FieldElement{29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737, 3841096, -29003639, -6657642},
-			FieldElement{10340844, -6630377, -18656632, -2278430, 12621151, -13339055, 30878497, -11824370, -25584551, 5181966},
-		},
-		{
-			FieldElement{25940115, -12658025, 17324188, -10307374, -8671468, 15029094, 24396252, -16450922, -2322852, -12388574},
-			FieldElement{-21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390, 12641087, 20603771, -6561742},
-			FieldElement{-18882287, -11673380, 24849422, 11501709, 13161720, -4768874, 1925523, 11914390, 4662781, 7820689},
-		},
-		{
-			FieldElement{12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456, 12172924, 16136752, 15264020},
-			FieldElement{-10349955, -14680563, -8211979, 2330220, -17662549, -14545780, 10658213, 6671822, 19012087, 3772772},
-			FieldElement{3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732, -15762884, 20527771, 12988982},
-		},
-		{
-			FieldElement{-14822485, -5797269, -3707987, 12689773, -898983, -10914866, -24183046, -10564943, 3299665, -12424953},
-			FieldElement{-16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197, 6461331, -25583147, 8991218},
-			FieldElement{-17226263, 1816362, -1673288, -6086439, 31783888, -8175991, -32948145, 7417950, -30242287, 1507265},
-		},
-		{
-			FieldElement{29692663, 6829891, -10498800, 4334896, 20945975, -11906496, -28887608, 8209391, 14606362, -10647073},
-			FieldElement{-3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695, 9761487, 4170404, -2085325},
-			FieldElement{-11587470, 14855945, -4127778, -1531857, -26649089, 15084046, 22186522, 16002000, -14276837, -8400798},
-		},
-		{
-			FieldElement{-4811456, 13761029, -31703877, -2483919, -3312471, 7869047, -7113572, -9620092, 13240845, 10965870},
-			FieldElement{-7742563, -8256762, -14768334, -13656260, -23232383, 12387166, 4498947, 14147411, 29514390, 4302863},
-			FieldElement{-13413405, -12407859, 20757302, -13801832, 14785143, 8976368, -5061276, -2144373, 17846988, -13971927},
-		},
-	},
-	{
-		{
-			FieldElement{-2244452, -754728, -4597030, -1066309, -6247172, 1455299, -21647728, -9214789, -5222701, 12650267},
-			FieldElement{-9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813, 13770293, -19134326, 10958663},
-			FieldElement{22470984, 12369526, 23446014, -5441109, -21520802, -9698723, -11772496, -11574455, -25083830, 4271862},
-		},
-		{
-			FieldElement{-25169565, -10053642, -19909332, 15361595, -5984358, 2159192, 75375, -4278529, -32526221, 8469673},
-			FieldElement{15854970, 4148314, -8893890, 7259002, 11666551, 13824734, -30531198, 2697372, 24154791, -9460943},
-			FieldElement{15446137, -15806644, 29759747, 14019369, 30811221, -9610191, -31582008, 12840104, 24913809, 9815020},
-		},
-		{
-			FieldElement{-4709286, -5614269, -31841498, -12288893, -14443537, 10799414, -9103676, 13438769, 18735128, 9466238},
-			FieldElement{11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821, -10896103, -22728655, 16199064},
-			FieldElement{14576810, 379472, -26786533, -8317236, -29426508, -10812974, -102766, 1876699, 30801119, 2164795},
-		},
-		{
-			FieldElement{15995086, 3199873, 13672555, 13712240, -19378835, -4647646, -13081610, -15496269, -13492807, 1268052},
-			FieldElement{-10290614, -3659039, -3286592, 10948818, 23037027, 3794475, -3470338, -12600221, -17055369, 3565904},
-			FieldElement{29210088, -9419337, -5919792, -4952785, 10834811, -13327726, -16512102, -10820713, -27162222, -14030531},
-		},
-		{
-			FieldElement{-13161890, 15508588, 16663704, -8156150, -28349942, 9019123, -29183421, -3769423, 2244111, -14001979},
-			FieldElement{-5152875, -3800936, -9306475, -6071583, 16243069, 14684434, -25673088, -16180800, 13491506, 4641841},
-			FieldElement{10813417, 643330, -19188515, -728916, 30292062, -16600078, 27548447, -7721242, 14476989, -12767431},
-		},
-		{
-			FieldElement{10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937, -1644259, -27912810, 12651324},
-			FieldElement{-31185513, -813383, 22271204, 11835308, 10201545, 15351028, 17099662, 3988035, 21721536, -3148940},
-			FieldElement{10202177, -6545839, -31373232, -9574638, -32150642, -8119683, -12906320, 3852694, 13216206, 14842320},
-		},
-		{
-			FieldElement{-15815640, -10601066, -6538952, -7258995, -6984659, -6581778, -31500847, 13765824, -27434397, 9900184},
-			FieldElement{14465505, -13833331, -32133984, -14738873, -27443187, 12990492, 33046193, 15796406, -7051866, -8040114},
-			FieldElement{30924417, -8279620, 6359016, -12816335, 16508377, 9071735, -25488601, 15413635, 9524356, -7018878},
-		},
-		{
-			FieldElement{12274201, -13175547, 32627641, -1785326, 6736625, 13267305, 5237659, -5109483, 15663516, 4035784},
-			FieldElement{-2951309, 8903985, 17349946, 601635, -16432815, -4612556, -13732739, -15889334, -22258478, 4659091},
-			FieldElement{-16916263, -4952973, -30393711, -15158821, 20774812, 15897498, 5736189, 15026997, -2178256, -13455585},
-		},
-	},
-	{
-		{
-			FieldElement{-8858980, -2219056, 28571666, -10155518, -474467, -10105698, -3801496, 278095, 23440562, -290208},
-			FieldElement{10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275, 11551483, -16571960, -7442864},
-			FieldElement{17932739, -12437276, -24039557, 10749060, 11316803, 7535897, 22503767, 5561594, -3646624, 3898661},
-		},
-		{
-			FieldElement{7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531, 7152530, 21831162, 1245233},
-			FieldElement{26958459, -14658026, 4314586, 8346991, -5677764, 11960072, -32589295, -620035, -30402091, -16716212},
-			FieldElement{-12165896, 9166947, 33491384, 13673479, 29787085, 13096535, 6280834, 14587357, -22338025, 13987525},
-		},
-		{
-			FieldElement{-24349909, 7778775, 21116000, 15572597, -4833266, -5357778, -4300898, -5124639, -7469781, -2858068},
-			FieldElement{9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781, 6439245, -14581012, 4091397},
-			FieldElement{-8426427, 1470727, -28109679, -1596990, 3978627, -5123623, -19622683, 12092163, 29077877, -14741988},
-		},
-		{
-			FieldElement{5269168, -6859726, -13230211, -8020715, 25932563, 1763552, -5606110, -5505881, -20017847, 2357889},
-			FieldElement{32264008, -15407652, -5387735, -1160093, -2091322, -3946900, 23104804, -12869908, 5727338, 189038},
-			FieldElement{14609123, -8954470, -6000566, -16622781, -14577387, -7743898, -26745169, 10942115, -25888931, -14884697},
-		},
-		{
-			FieldElement{20513500, 5557931, -15604613, 7829531, 26413943, -2019404, -21378968, 7471781, 13913677, -5137875},
-			FieldElement{-25574376, 11967826, 29233242, 12948236, -6754465, 4713227, -8940970, 14059180, 12878652, 8511905},
-			FieldElement{-25656801, 3393631, -2955415, -7075526, -2250709, 9366908, -30223418, 6812974, 5568676, -3127656},
-		},
-		{
-			FieldElement{11630004, 12144454, 2116339, 13606037, 27378885, 15676917, -17408753, -13504373, -14395196, 8070818},
-			FieldElement{27117696, -10007378, -31282771, -5570088, 1127282, 12772488, -29845906, 10483306, -11552749, -1028714},
-			FieldElement{10637467, -5688064, 5674781, 1072708, -26343588, -6982302, -1683975, 9177853, -27493162, 15431203},
-		},
-		{
-			FieldElement{20525145, 10892566, -12742472, 12779443, -29493034, 16150075, -28240519, 14943142, -15056790, -7935931},
-			FieldElement{-30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767, -3239766, -3356550, 9594024},
-			FieldElement{-23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683, -6492290, 13352335, -10977084},
-		},
-		{
-			FieldElement{-1931799, -5407458, 3304649, -12884869, 17015806, -4877091, -29783850, -7752482, -13215537, -319204},
-			FieldElement{20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742, 15077870, -22750759, 14523817},
-			FieldElement{27406042, -6041657, 27423596, -4497394, 4996214, 10002360, -28842031, -4545494, -30172742, -4805667},
-		},
-	},
-	{
-		{
-			FieldElement{11374242, 12660715, 17861383, -12540833, 10935568, 1099227, -13886076, -9091740, -27727044, 11358504},
-			FieldElement{-12730809, 10311867, 1510375, 10778093, -2119455, -9145702, 32676003, 11149336, -26123651, 4985768},
-			FieldElement{-19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043, 13794114, -19414307, -15621255},
-		},
-		{
-			FieldElement{6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603, 6970005, -1691065, -9004790},
-			FieldElement{1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622, -5475723, -16796596, -5031438},
-			FieldElement{-22273315, -13524424, -64685, -4334223, -18605636, -10921968, -20571065, -7007978, -99853, -10237333},
-		},
-		{
-			FieldElement{17747465, 10039260, 19368299, -4050591, -20630635, -16041286, 31992683, -15857976, -29260363, -5511971},
-			FieldElement{31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999, -3744247, 4882242, -10626905},
-			FieldElement{29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198, 3272828, -5190932, -4162409},
-		},
-		{
-			FieldElement{12501286, 4044383, -8612957, -13392385, -32430052, 5136599, -19230378, -3529697, 330070, -3659409},
-			FieldElement{6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522, -8573892, -271295, 12071499},
-			FieldElement{-8365515, -4042521, 25133448, -4517355, -6211027, 2265927, -32769618, 1936675, -5159697, 3829363},
-		},
-		{
-			FieldElement{28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550, -6567787, 26333140, 14267664},
-			FieldElement{-11067219, 11871231, 27385719, -10559544, -4585914, -11189312, 10004786, -8709488, -21761224, 8930324},
-			FieldElement{-21197785, -16396035, 25654216, -1725397, 12282012, 11008919, 1541940, 4757911, -26491501, -16408940},
-		},
-		{
-			FieldElement{13537262, -7759490, -20604840, 10961927, -5922820, -13218065, -13156584, 6217254, -15943699, 13814990},
-			FieldElement{-17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681, 9257833, -1956526, -1776914},
-			FieldElement{-25045300, -10191966, 15366585, 15166509, -13105086, 8423556, -29171540, 12361135, -18685978, 4578290},
-		},
-		{
-			FieldElement{24579768, 3711570, 1342322, -11180126, -27005135, 14124956, -22544529, 14074919, 21964432, 8235257},
-			FieldElement{-6528613, -2411497, 9442966, -5925588, 12025640, -1487420, -2981514, -1669206, 13006806, 2355433},
-			FieldElement{-16304899, -13605259, -6632427, -5142349, 16974359, -10911083, 27202044, 1719366, 1141648, -12796236},
-		},
-		{
-			FieldElement{-12863944, -13219986, -8318266, -11018091, -6810145, -4843894, 13475066, -3133972, 32674895, 13715045},
-			FieldElement{11423335, -5468059, 32344216, 8962751, 24989809, 9241752, -13265253, 16086212, -28740881, -15642093},
-			FieldElement{-1409668, 12530728, -6368726, 10847387, 19531186, -14132160, -11709148, 7791794, -27245943, 4383347},
-		},
-	},
-	{
-		{
-			FieldElement{-28970898, 5271447, -1266009, -9736989, -12455236, 16732599, -4862407, -4906449, 27193557, 6245191},
-			FieldElement{-15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898, 3260492, 22510453, 8577507},
-			FieldElement{-12632451, 11257346, -32692994, 13548177, -721004, 10879011, 31168030, 13952092, -29571492, -3635906},
-		},
-		{
-			FieldElement{3877321, -9572739, 32416692, 5405324, -11004407, -13656635, 3759769, 11935320, 5611860, 8164018},
-			FieldElement{-16275802, 14667797, 15906460, 12155291, -22111149, -9039718, 32003002, -8832289, 5773085, -8422109},
-			FieldElement{-23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725, 12376320, 31632953, 190926},
-		},
-		{
-			FieldElement{-24593607, -16138885, -8423991, 13378746, 14162407, 6901328, -8288749, 4508564, -25341555, -3627528},
-			FieldElement{8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941, -14786005, -1672488, 827625},
-			FieldElement{-32720583, -16289296, -32503547, 7101210, 13354605, 2659080, -1800575, -14108036, -24878478, 1541286},
-		},
-		{
-			FieldElement{2901347, -1117687, 3880376, -10059388, -17620940, -3612781, -21802117, -3567481, 20456845, -1885033},
-			FieldElement{27019610, 12299467, -13658288, -1603234, -12861660, -4861471, -19540150, -5016058, 29439641, 15138866},
-			FieldElement{21536104, -6626420, -32447818, -10690208, -22408077, 5175814, -5420040, -16361163, 7779328, 109896},
-		},
-		{
-			FieldElement{30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390, 12180118, 23177719, -554075},
-			FieldElement{26572847, 3405927, -31701700, 12890905, -19265668, 5335866, -6493768, 2378492, 4439158, -13279347},
-			FieldElement{-22716706, 3489070, -9225266, -332753, 18875722, -1140095, 14819434, -12731527, -17717757, -5461437},
-		},
-		{
-			FieldElement{-5056483, 16566551, 15953661, 3767752, -10436499, 15627060, -820954, 2177225, 8550082, -15114165},
-			FieldElement{-18473302, 16596775, -381660, 15663611, 22860960, 15585581, -27844109, -3582739, -23260460, -8428588},
-			FieldElement{-32480551, 15707275, -8205912, -5652081, 29464558, 2713815, -22725137, 15860482, -21902570, 1494193},
-		},
-		{
-			FieldElement{-19562091, -14087393, -25583872, -9299552, 13127842, 759709, 21923482, 16529112, 8742704, 12967017},
-			FieldElement{-28464899, 1553205, 32536856, -10473729, -24691605, -406174, -8914625, -2933896, -29903758, 15553883},
-			FieldElement{21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572, 14513274, 19375923, -12647961},
-		},
-		{
-			FieldElement{8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818, -6222716, 2862653, 9455043},
-			FieldElement{29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124, -2990080, 15511449, 4789663},
-			FieldElement{-20679756, 7004547, 8824831, -9434977, -4045704, -3750736, -5754762, 108893, 23513200, 16652362},
-		},
-	},
-	{
-		{
-			FieldElement{-33256173, 4144782, -4476029, -6579123, 10770039, -7155542, -6650416, -12936300, -18319198, 10212860},
-			FieldElement{2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801, 2600940, -9988298, -12506466},
-			FieldElement{-24645692, 13317462, -30449259, -15653928, 21365574, -10869657, 11344424, 864440, -2499677, -16710063},
-		},
-		{
-			FieldElement{-26432803, 6148329, -17184412, -14474154, 18782929, -275997, -22561534, 211300, 2719757, 4940997},
-			FieldElement{-1323882, 3911313, -6948744, 14759765, -30027150, 7851207, 21690126, 8518463, 26699843, 5276295},
-			FieldElement{-13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586, 149635, -15452774, 7159369},
-		},
-		{
-			FieldElement{9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009, 8312176, 22477218, -8403385},
-			FieldElement{18155857, -16504990, 19744716, 9006923, 15154154, -10538976, 24256460, -4864995, -22548173, 9334109},
-			FieldElement{2986088, -4911893, 10776628, -3473844, 10620590, -7083203, -21413845, 14253545, -22587149, 536906},
-		},
-		{
-			FieldElement{4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551, 10589625, 10838060, -15420424},
-			FieldElement{-19342404, 867880, 9277171, -3218459, -14431572, -1986443, 19295826, -15796950, 6378260, 699185},
-			FieldElement{7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039, 15693155, -5045064, -13373962},
-		},
-		{
-			FieldElement{-7737563, -5869402, -14566319, -7406919, 11385654, 13201616, 31730678, -10962840, -3918636, -9669325},
-			FieldElement{10188286, -15770834, -7336361, 13427543, 22223443, 14896287, 30743455, 7116568, -21786507, 5427593},
-			FieldElement{696102, 13206899, 27047647, -10632082, 15285305, -9853179, 10798490, -4578720, 19236243, 12477404},
-		},
-		{
-			FieldElement{-11229439, 11243796, -17054270, -8040865, -788228, -8167967, -3897669, 11180504, -23169516, 7733644},
-			FieldElement{17800790, -14036179, -27000429, -11766671, 23887827, 3149671, 23466177, -10538171, 10322027, 15313801},
-			FieldElement{26246234, 11968874, 32263343, -5468728, 6830755, -13323031, -15794704, -101982, -24449242, 10890804},
-		},
-		{
-			FieldElement{-31365647, 10271363, -12660625, -6267268, 16690207, -13062544, -14982212, 16484931, 25180797, -5334884},
-			FieldElement{-586574, 10376444, -32586414, -11286356, 19801893, 10997610, 2276632, 9482883, 316878, 13820577},
-			FieldElement{-9882808, -4510367, -2115506, 16457136, -11100081, 11674996, 30756178, -7515054, 30696930, -3712849},
-		},
-		{
-			FieldElement{32988917, -9603412, 12499366, 7910787, -10617257, -11931514, -7342816, -9985397, -32349517, 7392473},
-			FieldElement{-8855661, 15927861, 9866406, -3649411, -2396914, -16655781, -30409476, -9134995, 25112947, -2926644},
-			FieldElement{-2504044, -436966, 25621774, -5678772, 15085042, -5479877, -24884878, -13526194, 5537438, -13914319},
-		},
-	},
-	{
-		{
-			FieldElement{-11225584, 2320285, -9584280, 10149187, -33444663, 5808648, -14876251, -1729667, 31234590, 6090599},
-			FieldElement{-9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721, 15878753, -6970405, -9034768},
-			FieldElement{-27757857, 247744, -15194774, -9002551, 23288161, -10011936, -23869595, 6503646, 20650474, 1804084},
-		},
-		{
-			FieldElement{-27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995, -10329713, 27842616, -202328},
-			FieldElement{-15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656, 5031932, -11375082, 12714369},
-			FieldElement{20807691, -7270825, 29286141, 11421711, -27876523, -13868230, -21227475, 1035546, -19733229, 12796920},
-		},
-		{
-			FieldElement{12076899, -14301286, -8785001, -11848922, -25012791, 16400684, -17591495, -12899438, 3480665, -15182815},
-			FieldElement{-32361549, 5457597, 28548107, 7833186, 7303070, -11953545, -24363064, -15921875, -33374054, 2771025},
-			FieldElement{-21389266, 421932, 26597266, 6860826, 22486084, -6737172, -17137485, -4210226, -24552282, 15673397},
-		},
-		{
-			FieldElement{-20184622, 2338216, 19788685, -9620956, -4001265, -8740893, -20271184, 4733254, 3727144, -12934448},
-			FieldElement{6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594, 7975683, 31123697, -10958981},
-			FieldElement{30069250, -11435332, 30434654, 2958439, 18399564, -976289, 12296869, 9204260, -16432438, 9648165},
-		},
-		{
-			FieldElement{32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266, 5248604, -26008332, -11377501},
-			FieldElement{17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711, 15298639, 2662509, -16297073},
-			FieldElement{-1172927, -7558695, -4366770, -4287744, -21346413, -8434326, 32087529, -1222777, 32247248, -14389861},
-		},
-		{
-			FieldElement{14312628, 1221556, 17395390, -8700143, -4945741, -8684635, -28197744, -9637817, -16027623, -13378845},
-			FieldElement{-1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502, 9803137, 17597934, 2346211},
-			FieldElement{18510800, 15337574, 26171504, 981392, -22241552, 7827556, -23491134, -11323352, 3059833, -11782870},
-		},
-		{
-			FieldElement{10141598, 6082907, 17829293, -1947643, 9830092, 13613136, -25556636, -5544586, -33502212, 3592096},
-			FieldElement{33114168, -15889352, -26525686, -13343397, 33076705, 8716171, 1151462, 1521897, -982665, -6837803},
-			FieldElement{-32939165, -4255815, 23947181, -324178, -33072974, -12305637, -16637686, 3891704, 26353178, 693168},
-		},
-		{
-			FieldElement{30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294, -400668, 31375464, 14369965},
-			FieldElement{-14370654, -7772529, 1510301, 6434173, -18784789, -6262728, 32732230, -13108839, 17901441, 16011505},
-			FieldElement{18171223, -11934626, -12500402, 15197122, -11038147, -15230035, -19172240, -16046376, 8764035, 12309598},
-		},
-	},
-	{
-		{
-			FieldElement{5975908, -5243188, -19459362, -9681747, -11541277, 14015782, -23665757, 1228319, 17544096, -10593782},
-			FieldElement{5811932, -1715293, 3442887, -2269310, -18367348, -8359541, -18044043, -15410127, -5565381, 12348900},
-			FieldElement{-31399660, 11407555, 25755363, 6891399, -3256938, 14872274, -24849353, 8141295, -10632534, -585479},
-		},
-		{
-			FieldElement{-12675304, 694026, -5076145, 13300344, 14015258, -14451394, -9698672, -11329050, 30944593, 1130208},
-			FieldElement{8247766, -6710942, -26562381, -7709309, -14401939, -14648910, 4652152, 2488540, 23550156, -271232},
-			FieldElement{17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737, -5908146, -408818, -137719},
-		},
-		{
-			FieldElement{16091085, -16253926, 18599252, 7340678, 2137637, -1221657, -3364161, 14550936, 3260525, -7166271},
-			FieldElement{-4910104, -13332887, 18550887, 10864893, -16459325, -7291596, -23028869, -13204905, -12748722, 2701326},
-			FieldElement{-8574695, 16099415, 4629974, -16340524, -20786213, -6005432, -10018363, 9276971, 11329923, 1862132},
-		},
-		{
-			FieldElement{14763076, -15903608, -30918270, 3689867, 3511892, 10313526, -21951088, 12219231, -9037963, -940300},
-			FieldElement{8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216, -2909717, -15438168, 11595570},
-			FieldElement{15214962, 3537601, -26238722, -14058872, 4418657, -15230761, 13947276, 10730794, -13489462, -4363670},
-		},
-		{
-			FieldElement{-2538306, 7682793, 32759013, 263109, -29984731, -7955452, -22332124, -10188635, 977108, 699994},
-			FieldElement{-12466472, 4195084, -9211532, 550904, -15565337, 12917920, 19118110, -439841, -30534533, -14337913},
-			FieldElement{31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237, -10051775, 12493932, -5409317},
-		},
-		{
-			FieldElement{-25680606, 5260744, -19235809, -6284470, -3695942, 16566087, 27218280, 2607121, 29375955, 6024730},
-			FieldElement{842132, -2794693, -4763381, -8722815, 26332018, -12405641, 11831880, 6985184, -9940361, 2854096},
-			FieldElement{-4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645, 960770, 12121869, 16648078},
-		},
-		{
-			FieldElement{-15218652, 14667096, -13336229, 2013717, 30598287, -464137, -31504922, -7882064, 20237806, 2838411},
-			FieldElement{-19288047, 4453152, 15298546, -16178388, 22115043, -15972604, 12544294, -13470457, 1068881, -12499905},
-			FieldElement{-9558883, -16518835, 33238498, 13506958, 30505848, -1114596, -8486907, -2630053, 12521378, 4845654},
-		},
-		{
-			FieldElement{-28198521, 10744108, -2958380, 10199664, 7759311, -13088600, 3409348, -873400, -6482306, -12885870},
-			FieldElement{-23561822, 6230156, -20382013, 10655314, -24040585, -11621172, 10477734, -1240216, -3113227, 13974498},
-			FieldElement{12966261, 15550616, -32038948, -1615346, 21025980, -629444, 5642325, 7188737, 18895762, 12629579},
-		},
-	},
-	{
-		{
-			FieldElement{14741879, -14946887, 22177208, -11721237, 1279741, 8058600, 11758140, 789443, 32195181, 3895677},
-			FieldElement{10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575, -3566119, -8982069, 4429647},
-			FieldElement{-2453894, 15725973, -20436342, -10410672, -5803908, -11040220, -7135870, -11642895, 18047436, -15281743},
-		},
-		{
-			FieldElement{-25173001, -11307165, 29759956, 11776784, -22262383, -15820455, 10993114, -12850837, -17620701, -9408468},
-			FieldElement{21987233, 700364, -24505048, 14972008, -7774265, -5718395, 32155026, 2581431, -29958985, 8773375},
-			FieldElement{-25568350, 454463, -13211935, 16126715, 25240068, 8594567, 20656846, 12017935, -7874389, -13920155},
-		},
-		{
-			FieldElement{6028182, 6263078, -31011806, -11301710, -818919, 2461772, -31841174, -5468042, -1721788, -2776725},
-			FieldElement{-12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845, -4166698, 28408820, 6816612},
-			FieldElement{-10358094, -8237829, 19549651, -12169222, 22082623, 16147817, 20613181, 13982702, -10339570, 5067943},
-		},
-		{
-			FieldElement{-30505967, -3821767, 12074681, 13582412, -19877972, 2443951, -19719286, 12746132, 5331210, -10105944},
-			FieldElement{30528811, 3601899, -1957090, 4619785, -27361822, -15436388, 24180793, -12570394, 27679908, -1648928},
-			FieldElement{9402404, -13957065, 32834043, 10838634, -26580150, -13237195, 26653274, -8685565, 22611444, -12715406},
-		},
-		{
-			FieldElement{22190590, 1118029, 22736441, 15130463, -30460692, -5991321, 19189625, -4648942, 4854859, 6622139},
-			FieldElement{-8310738, -2953450, -8262579, -3388049, -10401731, -271929, 13424426, -3567227, 26404409, 13001963},
-			FieldElement{-31241838, -15415700, -2994250, 8939346, 11562230, -12840670, -26064365, -11621720, -15405155, 11020693},
-		},
-		{
-			FieldElement{1866042, -7949489, -7898649, -10301010, 12483315, 13477547, 3175636, -12424163, 28761762, 1406734},
-			FieldElement{-448555, -1777666, 13018551, 3194501, -9580420, -11161737, 24760585, -4347088, 25577411, -13378680},
-			FieldElement{-24290378, 4759345, -690653, -1852816, 2066747, 10693769, -29595790, 9884936, -9368926, 4745410},
-		},
-		{
-			FieldElement{-9141284, 6049714, -19531061, -4341411, -31260798, 9944276, -15462008, -11311852, 10931924, -11931931},
-			FieldElement{-16561513, 14112680, -8012645, 4817318, -8040464, -11414606, -22853429, 10856641, -20470770, 13434654},
-			FieldElement{22759489, -10073434, -16766264, -1871422, 13637442, -10168091, 1765144, -12654326, 28445307, -5364710},
-		},
-		{
-			FieldElement{29875063, 12493613, 2795536, -3786330, 1710620, 15181182, -10195717, -8788675, 9074234, 1167180},
-			FieldElement{-26205683, 11014233, -9842651, -2635485, -26908120, 7532294, -18716888, -9535498, 3843903, 9367684},
-			FieldElement{-10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123, 8601684, -139197, 4242895},
-		},
-	},
-	{
-		{
-			FieldElement{22092954, -13191123, -2042793, -11968512, 32186753, -11517388, -6574341, 2470660, -27417366, 16625501},
-			FieldElement{-11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857, 2602725, -27351616, 14247413},
-			FieldElement{6314175, -10264892, -32772502, 15957557, -10157730, 168750, -8618807, 14290061, 27108877, -1180880},
-		},
-		{
-			FieldElement{-8586597, -7170966, 13241782, 10960156, -32991015, -13794596, 33547976, -11058889, -27148451, 981874},
-			FieldElement{22833440, 9293594, -32649448, -13618667, -9136966, 14756819, -22928859, -13970780, -10479804, -16197962},
-			FieldElement{-7768587, 3326786, -28111797, 10783824, 19178761, 14905060, 22680049, 13906969, -15933690, 3797899},
-		},
-		{
-			FieldElement{21721356, -4212746, -12206123, 9310182, -3882239, -13653110, 23740224, -2709232, 20491983, -8042152},
-			FieldElement{9209270, -15135055, -13256557, -6167798, -731016, 15289673, 25947805, 15286587, 30997318, -6703063},
-			FieldElement{7392032, 16618386, 23946583, -8039892, -13265164, -1533858, -14197445, -2321576, 17649998, -250080},
-		},
-		{
-			FieldElement{-9301088, -14193827, 30609526, -3049543, -25175069, -1283752, -15241566, -9525724, -2233253, 7662146},
-			FieldElement{-17558673, 1763594, -33114336, 15908610, -30040870, -12174295, 7335080, -8472199, -3174674, 3440183},
-			FieldElement{-19889700, -5977008, -24111293, -9688870, 10799743, -16571957, 40450, -4431835, 4862400, 1133},
-		},
-		{
-			FieldElement{-32856209, -7873957, -5422389, 14860950, -16319031, 7956142, 7258061, 311861, -30594991, -7379421},
-			FieldElement{-3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763, 16527196, 18278453, 15405622},
-			FieldElement{-4381906, 8508652, -19898366, -3674424, -5984453, 15149970, -13313598, 843523, -21875062, 13626197},
-		},
-		{
-			FieldElement{2281448, -13487055, -10915418, -2609910, 1879358, 16164207, -10783882, 3953792, 13340839, 15928663},
-			FieldElement{31727126, -7179855, -18437503, -8283652, 2875793, -16390330, -25269894, -7014826, -23452306, 5964753},
-			FieldElement{4100420, -5959452, -17179337, 6017714, -18705837, 12227141, -26684835, 11344144, 2538215, -7570755},
-		},
-		{
-			FieldElement{-9433605, 6123113, 11159803, -2156608, 30016280, 14966241, -20474983, 1485421, -629256, -15958862},
-			FieldElement{-26804558, 4260919, 11851389, 9658551, -32017107, 16367492, -20205425, -13191288, 11659922, -11115118},
-			FieldElement{26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568, -10170080, 33100372, -1306171},
-		},
-		{
-			FieldElement{15121113, -5201871, -10389905, 15427821, -27509937, -15992507, 21670947, 4486675, -5931810, -14466380},
-			FieldElement{16166486, -9483733, -11104130, 6023908, -31926798, -1364923, 2340060, -16254968, -10735770, -10039824},
-			FieldElement{28042865, -3557089, -12126526, 12259706, -3717498, -6945899, 6766453, -8689599, 18036436, 5803270},
-		},
-	},
-	{
-		{
-			FieldElement{-817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391, 4598332, -6159431, -14117438},
-			FieldElement{-31031306, -14256194, 17332029, -2383520, 31312682, -5967183, 696309, 50292, -20095739, 11763584},
-			FieldElement{-594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117, -12613632, -19773211, -10713562},
-		},
-		{
-			FieldElement{30464590, -11262872, -4127476, -12734478, 19835327, -7105613, -24396175, 2075773, -17020157, 992471},
-			FieldElement{18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841, 8080033, -11574335, -10601610},
-			FieldElement{19598397, 10334610, 12555054, 2555664, 18821899, -10339780, 21873263, 16014234, 26224780, 16452269},
-		},
-		{
-			FieldElement{-30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804, -7618186, -20533829, 3698650},
-			FieldElement{14187449, 3448569, -10636236, -10810935, -22663880, -3433596, 7268410, -10890444, 27394301, 12015369},
-			FieldElement{19695761, 16087646, 28032085, 12999827, 6817792, 11427614, 20244189, -1312777, -13259127, -3402461},
-		},
-		{
-			FieldElement{30860103, 12735208, -1888245, -4699734, -16974906, 2256940, -8166013, 12298312, -8550524, -10393462},
-			FieldElement{-5719826, -11245325, -1910649, 15569035, 26642876, -7587760, -5789354, -15118654, -4976164, 12651793},
-			FieldElement{-2848395, 9953421, 11531313, -5282879, 26895123, -12697089, -13118820, -16517902, 9768698, -2533218},
-		},
-		{
-			FieldElement{-24719459, 1894651, -287698, -4704085, 15348719, -8156530, 32767513, 12765450, 4940095, 10678226},
-			FieldElement{18860224, 15980149, -18987240, -1562570, -26233012, -11071856, -7843882, 13944024, -24372348, 16582019},
-			FieldElement{-15504260, 4970268, -29893044, 4175593, -20993212, -2199756, -11704054, 15444560, -11003761, 7989037},
-		},
-		{
-			FieldElement{31490452, 5568061, -2412803, 2182383, -32336847, 4531686, -32078269, 6200206, -19686113, -14800171},
-			FieldElement{-17308668, -15879940, -31522777, -2831, -32887382, 16375549, 8680158, -16371713, 28550068, -6857132},
-			FieldElement{-28126887, -5688091, 16837845, -1820458, -6850681, 12700016, -30039981, 4364038, 1155602, 5988841},
-		},
-		{
-			FieldElement{21890435, -13272907, -12624011, 12154349, -7831873, 15300496, 23148983, -4470481, 24618407, 8283181},
-			FieldElement{-33136107, -10512751, 9975416, 6841041, -31559793, 16356536, 3070187, -7025928, 1466169, 10740210},
-			FieldElement{-1509399, -15488185, -13503385, -10655916, 32799044, 909394, -13938903, -5779719, -32164649, -15327040},
-		},
-		{
-			FieldElement{3960823, -14267803, -28026090, -15918051, -19404858, 13146868, 15567327, 951507, -3260321, -573935},
-			FieldElement{24740841, 5052253, -30094131, 8961361, 25877428, 6165135, -24368180, 14397372, -7380369, -6144105},
-			FieldElement{-28888365, 3510803, -28103278, -1158478, -11238128, -10631454, -15441463, -14453128, -1625486, -6494814},
-		},
-	},
-	{
-		{
-			FieldElement{793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843, -4885251, -9906200, -621852},
-			FieldElement{5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374, 1468826, -6171428, -15186581},
-			FieldElement{-4859255, -3779343, -2917758, -6748019, 7778750, 11688288, -30404353, -9871238, -1558923, -9863646},
-		},
-		{
-			FieldElement{10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958, 14783338, -30581476, -15757844},
-			FieldElement{10566929, 12612572, -31944212, 11118703, -12633376, 12362879, 21752402, 8822496, 24003793, 14264025},
-			FieldElement{27713862, -7355973, -11008240, 9227530, 27050101, 2504721, 23886875, -13117525, 13958495, -5732453},
-		},
-		{
-			FieldElement{-23481610, 4867226, -27247128, 3900521, 29838369, -8212291, -31889399, -10041781, 7340521, -15410068},
-			FieldElement{4646514, -8011124, -22766023, -11532654, 23184553, 8566613, 31366726, -1381061, -15066784, -10375192},
-			FieldElement{-17270517, 12723032, -16993061, 14878794, 21619651, -6197576, 27584817, 3093888, -8843694, 3849921},
-		},
-		{
-			FieldElement{-9064912, 2103172, 25561640, -15125738, -5239824, 9582958, 32477045, -9017955, 5002294, -15550259},
-			FieldElement{-12057553, -11177906, 21115585, -13365155, 8808712, -12030708, 16489530, 13378448, -25845716, 12741426},
-			FieldElement{-5946367, 10645103, -30911586, 15390284, -3286982, -7118677, 24306472, 15852464, 28834118, -7646072},
-		},
-		{
-			FieldElement{-17335748, -9107057, -24531279, 9434953, -8472084, -583362, -13090771, 455841, 20461858, 5491305},
-			FieldElement{13669248, -16095482, -12481974, -10203039, -14569770, -11893198, -24995986, 11293807, -28588204, -9421832},
-			FieldElement{28497928, 6272777, -33022994, 14470570, 8906179, -1225630, 18504674, -14165166, 29867745, -8795943},
-		},
-		{
-			FieldElement{-16207023, 13517196, -27799630, -13697798, 24009064, -6373891, -6367600, -13175392, 22853429, -4012011},
-			FieldElement{24191378, 16712145, -13931797, 15217831, 14542237, 1646131, 18603514, -11037887, 12876623, -2112447},
-			FieldElement{17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753, 608397, 16031844, 3723494},
-		},
-		{
-			FieldElement{-28632773, 12763728, -20446446, 7577504, 33001348, -13017745, 17558842, -7872890, 23896954, -4314245},
-			FieldElement{-20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064, 7229064, -9919646, -8826859},
-			FieldElement{28816045, 298879, -28165016, -15920938, 19000928, -1665890, -12680833, -2949325, -18051778, -2082915},
-		},
-		{
-			FieldElement{16000882, -344896, 3493092, -11447198, -29504595, -13159789, 12577740, 16041268, -19715240, 7847707},
-			FieldElement{10151868, 10572098, 27312476, 7922682, 14825339, 4723128, -32855931, -6519018, -10020567, 3852848},
-			FieldElement{-11430470, 15697596, -21121557, -4420647, 5386314, 15063598, 16514493, -15932110, 29330899, -15076224},
-		},
-	},
-	{
-		{
-			FieldElement{-25499735, -4378794, -15222908, -6901211, 16615731, 2051784, 3303702, 15490, -27548796, 12314391},
-			FieldElement{15683520, -6003043, 18109120, -9980648, 15337968, -5997823, -16717435, 15921866, 16103996, -3731215},
-			FieldElement{-23169824, -10781249, 13588192, -1628807, -3798557, -1074929, -19273607, 5402699, -29815713, -9841101},
-		},
-		{
-			FieldElement{23190676, 2384583, -32714340, 3462154, -29903655, -1529132, -11266856, 8911517, -25205859, 2739713},
-			FieldElement{21374101, -3554250, -33524649, 9874411, 15377179, 11831242, -33529904, 6134907, 4931255, 11987849},
-			FieldElement{-7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539, 13861388, -30076310, 10117930},
-		},
-		{
-			FieldElement{-29501170, -10744872, -26163768, 13051539, -25625564, 5089643, -6325503, 6704079, 12890019, 15728940},
-			FieldElement{-21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376, -10428139, 12885167, 8311031},
-			FieldElement{-17516482, 5352194, 10384213, -13811658, 7506451, 13453191, 26423267, 4384730, 1888765, -5435404},
-		},
-		{
-			FieldElement{-25817338, -3107312, -13494599, -3182506, 30896459, -13921729, -32251644, -12707869, -19464434, -3340243},
-			FieldElement{-23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245, 14845197, 17151279, -9854116},
-			FieldElement{-24830458, -12733720, -15165978, 10367250, -29530908, -265356, 22825805, -7087279, -16866484, 16176525},
-		},
-		{
-			FieldElement{-23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182, -10363426, -28746253, -10197509},
-			FieldElement{-10626600, -4486402, -13320562, -5125317, 3432136, -6393229, 23632037, -1940610, 32808310, 1099883},
-			FieldElement{15030977, 5768825, -27451236, -2887299, -6427378, -15361371, -15277896, -6809350, 2051441, -15225865},
-		},
-		{
-			FieldElement{-3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398, -14154188, -22686354, 16633660},
-			FieldElement{4577086, -16752288, 13249841, -15304328, 19958763, -14537274, 18559670, -10759549, 8402478, -9864273},
-			FieldElement{-28406330, -1051581, -26790155, -907698, -17212414, -11030789, 9453451, -14980072, 17983010, 9967138},
-		},
-		{
-			FieldElement{-25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990, 7806337, 17507396, 3651560},
-			FieldElement{-10420457, -4118111, 14584639, 15971087, -15768321, 8861010, 26556809, -5574557, -18553322, -11357135},
-			FieldElement{2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121, 8459447, -5605463, -7621941},
-		},
-		{
-			FieldElement{-4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813, -849066, 17258084, -7977739},
-			FieldElement{18164541, -10595176, -17154882, -1542417, 19237078, -9745295, 23357533, -15217008, 26908270, 12150756},
-			FieldElement{-30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168, -5537701, -32302074, 16215819},
-		},
-	},
-	{
-		{
-			FieldElement{-6898905, 9824394, -12304779, -4401089, -31397141, -6276835, 32574489, 12532905, -7503072, -8675347},
-			FieldElement{-27343522, -16515468, -27151524, -10722951, 946346, 16291093, 254968, 7168080, 21676107, -1943028},
-			FieldElement{21260961, -8424752, -16831886, -11920822, -23677961, 3968121, -3651949, -6215466, -3556191, -7913075},
-		},
-		{
-			FieldElement{16544754, 13250366, -16804428, 15546242, -4583003, 12757258, -2462308, -8680336, -18907032, -9662799},
-			FieldElement{-2415239, -15577728, 18312303, 4964443, -15272530, -12653564, 26820651, 16690659, 25459437, -4564609},
-			FieldElement{-25144690, 11425020, 28423002, -11020557, -6144921, -15826224, 9142795, -2391602, -6432418, -1644817},
-		},
-		{
-			FieldElement{-23104652, 6253476, 16964147, -3768872, -25113972, -12296437, -27457225, -16344658, 6335692, 7249989},
-			FieldElement{-30333227, 13979675, 7503222, -12368314, -11956721, -4621693, -30272269, 2682242, 25993170, -12478523},
-			FieldElement{4364628, 5930691, 32304656, -10044554, -8054781, 15091131, 22857016, -10598955, 31820368, 15075278},
-		},
-		{
-			FieldElement{31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788, -9650886, -17970238, 12833045},
-			FieldElement{19073683, 14851414, -24403169, -11860168, 7625278, 11091125, -19619190, 2074449, -9413939, 14905377},
-			FieldElement{24483667, -11935567, -2518866, -11547418, -1553130, 15355506, -25282080, 9253129, 27628530, -7555480},
-		},
-		{
-			FieldElement{17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324, -9157582, -14110875, 15297016},
-			FieldElement{510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417, -11864220, 8683221, 2921426},
-			FieldElement{18606791, 11874196, 27155355, -5281482, -24031742, 6265446, -25178240, -1278924, 4674690, 13890525},
-		},
-		{
-			FieldElement{13609624, 13069022, -27372361, -13055908, 24360586, 9592974, 14977157, 9835105, 4389687, 288396},
-			FieldElement{9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062, 8317628, 23388070, 16052080},
-			FieldElement{12720016, 11937594, -31970060, -5028689, 26900120, 8561328, -20155687, -11632979, -14754271, -10812892},
-		},
-		{
-			FieldElement{15961858, 14150409, 26716931, -665832, -22794328, 13603569, 11829573, 7467844, -28822128, 929275},
-			FieldElement{11038231, -11582396, -27310482, -7316562, -10498527, -16307831, -23479533, -9371869, -21393143, 2465074},
-			FieldElement{20017163, -4323226, 27915242, 1529148, 12396362, 15675764, 13817261, -9658066, 2463391, -4622140},
-		},
-		{
-			FieldElement{-16358878, -12663911, -12065183, 4996454, -1256422, 1073572, 9583558, 12851107, 4003896, 12673717},
-			FieldElement{-1731589, -15155870, -3262930, 16143082, 19294135, 13385325, 14741514, -9103726, 7903886, 2348101},
-			FieldElement{24536016, -16515207, 12715592, -3862155, 1511293, 10047386, -3842346, -7129159, -28377538, 10048127},
-		},
-	},
-	{
-		{
-			FieldElement{-12622226, -6204820, 30718825, 2591312, -10617028, 12192840, 18873298, -7297090, -32297756, 15221632},
-			FieldElement{-26478122, -11103864, 11546244, -1852483, 9180880, 7656409, -21343950, 2095755, 29769758, 6593415},
-			FieldElement{-31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345, -6118678, 30958054, 8292160},
-		},
-		{
-			FieldElement{31429822, -13959116, 29173532, 15632448, 12174511, -2760094, 32808831, 3977186, 26143136, -3148876},
-			FieldElement{22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633, -1674433, -3758243, -2304625},
-			FieldElement{-15491917, 8012313, -2514730, -12702462, -23965846, -10254029, -1612713, -1535569, -16664475, 8194478},
-		},
-		{
-			FieldElement{27338066, -7507420, -7414224, 10140405, -19026427, -6589889, 27277191, 8855376, 28572286, 3005164},
-			FieldElement{26287124, 4821776, 25476601, -4145903, -3764513, -15788984, -18008582, 1182479, -26094821, -13079595},
-			FieldElement{-7171154, 3178080, 23970071, 6201893, -17195577, -4489192, -21876275, -13982627, 32208683, -1198248},
-		},
-		{
-			FieldElement{-16657702, 2817643, -10286362, 14811298, 6024667, 13349505, -27315504, -10497842, -27672585, -11539858},
-			FieldElement{15941029, -9405932, -21367050, 8062055, 31876073, -238629, -15278393, -1444429, 15397331, -4130193},
-			FieldElement{8934485, -13485467, -23286397, -13423241, -32446090, 14047986, 31170398, -1441021, -27505566, 15087184},
-		},
-		{
-			FieldElement{-18357243, -2156491, 24524913, -16677868, 15520427, -6360776, -15502406, 11461896, 16788528, -5868942},
-			FieldElement{-1947386, 16013773, 21750665, 3714552, -17401782, -16055433, -3770287, -10323320, 31322514, -11615635},
-			FieldElement{21426655, -5650218, -13648287, -5347537, -28812189, -4920970, -18275391, -14621414, 13040862, -12112948},
-		},
-		{
-			FieldElement{11293895, 12478086, -27136401, 15083750, -29307421, 14748872, 14555558, -13417103, 1613711, 4896935},
-			FieldElement{-25894883, 15323294, -8489791, -8057900, 25967126, -13425460, 2825960, -4897045, -23971776, -11267415},
-			FieldElement{-15924766, -5229880, -17443532, 6410664, 3622847, 10243618, 20615400, 12405433, -23753030, -8436416},
-		},
-		{
-			FieldElement{-7091295, 12556208, -20191352, 9025187, -17072479, 4333801, 4378436, 2432030, 23097949, -566018},
-			FieldElement{4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264, 10103221, -18512313, 2424778},
-			FieldElement{366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678, 1344109, -3642553, 12412659},
-		},
-		{
-			FieldElement{-24001791, 7690286, 14929416, -168257, -32210835, -13412986, 24162697, -15326504, -3141501, 11179385},
-			FieldElement{18289522, -14724954, 8056945, 16430056, -21729724, 7842514, -6001441, -1486897, -18684645, -11443503},
-			FieldElement{476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959, 13403813, 11052904, 5219329},
-		},
-	},
-	{
-		{
-			FieldElement{20678546, -8375738, -32671898, 8849123, -5009758, 14574752, 31186971, -3973730, 9014762, -8579056},
-			FieldElement{-13644050, -10350239, -15962508, 5075808, -1514661, -11534600, -33102500, 9160280, 8473550, -3256838},
-			FieldElement{24900749, 14435722, 17209120, -15292541, -22592275, 9878983, -7689309, -16335821, -24568481, 11788948},
-		},
-		{
-			FieldElement{-3118155, -11395194, -13802089, 14797441, 9652448, -6845904, -20037437, 10410733, -24568470, -1458691},
-			FieldElement{-15659161, 16736706, -22467150, 10215878, -9097177, 7563911, 11871841, -12505194, -18513325, 8464118},
-			FieldElement{-23400612, 8348507, -14585951, -861714, -3950205, -6373419, 14325289, 8628612, 33313881, -8370517},
-		},
-		{
-			FieldElement{-20186973, -4967935, 22367356, 5271547, -1097117, -4788838, -24805667, -10236854, -8940735, -5818269},
-			FieldElement{-6948785, -1795212, -32625683, -16021179, 32635414, -7374245, 15989197, -12838188, 28358192, -4253904},
-			FieldElement{-23561781, -2799059, -32351682, -1661963, -9147719, 10429267, -16637684, 4072016, -5351664, 5596589},
-		},
-		{
-			FieldElement{-28236598, -3390048, 12312896, 6213178, 3117142, 16078565, 29266239, 2557221, 1768301, 15373193},
-			FieldElement{-7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902, -4504991, -24660491, 3442910},
-			FieldElement{-30210571, 5124043, 14181784, 8197961, 18964734, -11939093, 22597931, 7176455, -18585478, 13365930},
-		},
-		{
-			FieldElement{-7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107, -8570186, -9689599, -3031667},
-			FieldElement{25008904, -10771599, -4305031, -9638010, 16265036, 15721635, 683793, -11823784, 15723479, -15163481},
-			FieldElement{-9660625, 12374379, -27006999, -7026148, -7724114, -12314514, 11879682, 5400171, 519526, -1235876},
-		},
-		{
-			FieldElement{22258397, -16332233, -7869817, 14613016, -22520255, -2950923, -20353881, 7315967, 16648397, 7605640},
-			FieldElement{-8081308, -8464597, -8223311, 9719710, 19259459, -15348212, 23994942, -5281555, -9468848, 4763278},
-			FieldElement{-21699244, 9220969, -15730624, 1084137, -25476107, -2852390, 31088447, -7764523, -11356529, 728112},
-		},
-		{
-			FieldElement{26047220, -11751471, -6900323, -16521798, 24092068, 9158119, -4273545, -12555558, -29365436, -5498272},
-			FieldElement{17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007, 12327945, 10750447, 10014012},
-			FieldElement{-10312768, 3936952, 9156313, -8897683, 16498692, -994647, -27481051, -666732, 3424691, 7540221},
-		},
-		{
-			FieldElement{30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422, -16317219, -9244265, 15258046},
-			FieldElement{13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406, 2711395, 1062915, -5136345},
-			FieldElement{-19240248, -11254599, -29509029, -7499965, -5835763, 13005411, -6066489, 12194497, 32960380, 1459310},
-		},
-	},
-	{
-		{
-			FieldElement{19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197, -6101885, 18638003, -11174937},
-			FieldElement{31395534, 15098109, 26581030, 8030562, -16527914, -5007134, 9012486, -7584354, -6643087, -5442636},
-			FieldElement{-9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222, 9677543, -32294889, -6456008},
-		},
-		{
-			FieldElement{-2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579, -7839692, -7852844, -8138429},
-			FieldElement{-15236356, -15433509, 7766470, 746860, 26346930, -10221762, -27333451, 10754588, -9431476, 5203576},
-			FieldElement{31834314, 14135496, -770007, 5159118, 20917671, -16768096, -7467973, -7337524, 31809243, 7347066},
-		},
-		{
-			FieldElement{-9606723, -11874240, 20414459, 13033986, 13716524, -11691881, 19797970, -12211255, 15192876, -2087490},
-			FieldElement{-12663563, -2181719, 1168162, -3804809, 26747877, -14138091, 10609330, 12694420, 33473243, -13382104},
-			FieldElement{33184999, 11180355, 15832085, -11385430, -1633671, 225884, 15089336, -11023903, -6135662, 14480053},
-		},
-		{
-			FieldElement{31308717, -5619998, 31030840, -1897099, 15674547, -6582883, 5496208, 13685227, 27595050, 8737275},
-			FieldElement{-20318852, -15150239, 10933843, -16178022, 8335352, -7546022, -31008351, -12610604, 26498114, 66511},
-			FieldElement{22644454, -8761729, -16671776, 4884562, -3105614, -13559366, 30540766, -4286747, -13327787, -7515095},
-		},
-		{
-			FieldElement{-28017847, 9834845, 18617207, -2681312, -3401956, -13307506, 8205540, 13585437, -17127465, 15115439},
-			FieldElement{23711543, -672915, 31206561, -8362711, 6164647, -9709987, -33535882, -1426096, 8236921, 16492939},
-			FieldElement{-23910559, -13515526, -26299483, -4503841, 25005590, -7687270, 19574902, 10071562, 6708380, -6222424},
-		},
-		{
-			FieldElement{2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017, 9328700, 29955601, -11678310},
-			FieldElement{3096359, 9271816, -21620864, -15521844, -14847996, -7592937, -25892142, -12635595, -9917575, 6216608},
-			FieldElement{-32615849, 338663, -25195611, 2510422, -29213566, -13820213, 24822830, -6146567, -26767480, 7525079},
-		},
-		{
-			FieldElement{-23066649, -13985623, 16133487, -7896178, -3389565, 778788, -910336, -2782495, -19386633, 11994101},
-			FieldElement{21691500, -13624626, -641331, -14367021, 3285881, -3483596, -25064666, 9718258, -7477437, 13381418},
-			FieldElement{18445390, -4202236, 14979846, 11622458, -1727110, -3582980, 23111648, -6375247, 28535282, 15779576},
-		},
-		{
-			FieldElement{30098053, 3089662, -9234387, 16662135, -21306940, 11308411, -14068454, 12021730, 9955285, -16303356},
-			FieldElement{9734894, -14576830, -7473633, -9138735, 2060392, 11313496, -18426029, 9924399, 20194861, 13380996},
-			FieldElement{-26378102, -7965207, -22167821, 15789297, -18055342, -6168792, -1984914, 15707771, 26342023, 10146099},
-		},
-	},
-	{
-		{
-			FieldElement{-26016874, -219943, 21339191, -41388, 19745256, -2878700, -29637280, 2227040, 21612326, -545728},
-			FieldElement{-13077387, 1184228, 23562814, -5970442, -20351244, -6348714, 25764461, 12243797, -20856566, 11649658},
-			FieldElement{-10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944, 6114064, 33514190, 2333242},
-		},
-		{
-			FieldElement{-21433588, -12421821, 8119782, 7219913, -21830522, -9016134, -6679750, -12670638, 24350578, -13450001},
-			FieldElement{-4116307, -11271533, -23886186, 4843615, -30088339, 690623, -31536088, -10406836, 8317860, 12352766},
-			FieldElement{18200138, -14475911, -33087759, -2696619, -23702521, -9102511, -23552096, -2287550, 20712163, 6719373},
-		},
-		{
-			FieldElement{26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530, -3763210, 26224235, -3297458},
-			FieldElement{-17168938, -14854097, -3395676, -16369877, -19954045, 14050420, 21728352, 9493610, 18620611, -16428628},
-			FieldElement{-13323321, 13325349, 11432106, 5964811, 18609221, 6062965, -5269471, -9725556, -30701573, -16479657},
-		},
-		{
-			FieldElement{-23860538, -11233159, 26961357, 1640861, -32413112, -16737940, 12248509, -5240639, 13735342, 1934062},
-			FieldElement{25089769, 6742589, 17081145, -13406266, 21909293, -16067981, -15136294, -3765346, -21277997, 5473616},
-			FieldElement{31883677, -7961101, 1083432, -11572403, 22828471, 13290673, -7125085, 12469656, 29111212, -5451014},
-		},
-		{
-			FieldElement{24244947, -15050407, -26262976, 2791540, -14997599, 16666678, 24367466, 6388839, -10295587, 452383},
-			FieldElement{-25640782, -3417841, 5217916, 16224624, 19987036, -4082269, -24236251, -5915248, 15766062, 8407814},
-			FieldElement{-20406999, 13990231, 15495425, 16395525, 5377168, 15166495, -8917023, -4388953, -8067909, 2276718},
-		},
-		{
-			FieldElement{30157918, 12924066, -17712050, 9245753, 19895028, 3368142, -23827587, 5096219, 22740376, -7303417},
-			FieldElement{2041139, -14256350, 7783687, 13876377, -25946985, -13352459, 24051124, 13742383, -15637599, 13295222},
-			FieldElement{33338237, -8505733, 12532113, 7977527, 9106186, -1715251, -17720195, -4612972, -4451357, -14669444},
-		},
-		{
-			FieldElement{-20045281, 5454097, -14346548, 6447146, 28862071, 1883651, -2469266, -4141880, 7770569, 9620597},
-			FieldElement{23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528, -1694323, -33502340, -14767970},
-			FieldElement{1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801, 1220118, 30494170, -11440799},
-		},
-		{
-			FieldElement{-5037580, -13028295, -2970559, -3061767, 15640974, -6701666, -26739026, 926050, -1684339, -13333647},
-			FieldElement{13908495, -3549272, 30919928, -6273825, -21521863, 7989039, 9021034, 9078865, 3353509, 4033511},
-			FieldElement{-29663431, -15113610, 32259991, -344482, 24295849, -12912123, 23161163, 8839127, 27485041, 7356032},
-		},
-	},
-	{
-		{
-			FieldElement{9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142, 2625015, 28431036, -16771834},
-			FieldElement{-23839233, -8311415, -25945511, 7480958, -17681669, -8354183, -22545972, 14150565, 15970762, 4099461},
-			FieldElement{29262576, 16756590, 26350592, -8793563, 8529671, -11208050, 13617293, -9937143, 11465739, 8317062},
-		},
-		{
-			FieldElement{-25493081, -6962928, 32500200, -9419051, -23038724, -2302222, 14898637, 3848455, 20969334, -5157516},
-			FieldElement{-20384450, -14347713, -18336405, 13884722, -33039454, 2842114, -21610826, -3649888, 11177095, 14989547},
-			FieldElement{-24496721, -11716016, 16959896, 2278463, 12066309, 10137771, 13515641, 2581286, -28487508, 9930240},
-		},
-		{
-			FieldElement{-17751622, -2097826, 16544300, -13009300, -15914807, -14949081, 18345767, -13403753, 16291481, -5314038},
-			FieldElement{-33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774, 6957617, 4368891, 9788741},
-			FieldElement{16660756, 7281060, -10830758, 12911820, 20108584, -8101676, -21722536, -8613148, 16250552, -11111103},
-		},
-		{
-			FieldElement{-19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584, 10604807, -30190403, 4782747},
-			FieldElement{-1354539, 14736941, -7367442, -13292886, 7710542, -14155590, -9981571, 4383045, 22546403, 437323},
-			FieldElement{31665577, -12180464, -16186830, 1491339, -18368625, 3294682, 27343084, 2786261, -30633590, -14097016},
-		},
-		{
-			FieldElement{-14467279, -683715, -33374107, 7448552, 19294360, 14334329, -19690631, 2355319, -19284671, -6114373},
-			FieldElement{15121312, -15796162, 6377020, -6031361, -10798111, -12957845, 18952177, 15496498, -29380133, 11754228},
-			FieldElement{-2637277, -13483075, 8488727, -14303896, 12728761, -1622493, 7141596, 11724556, 22761615, -10134141},
-		},
-		{
-			FieldElement{16918416, 11729663, -18083579, 3022987, -31015732, -13339659, -28741185, -12227393, 32851222, 11717399},
-			FieldElement{11166634, 7338049, -6722523, 4531520, -29468672, -7302055, 31474879, 3483633, -1193175, -4030831},
-			FieldElement{-185635, 9921305, 31456609, -13536438, -12013818, 13348923, 33142652, 6546660, -19985279, -3948376},
-		},
-		{
-			FieldElement{-32460596, 11266712, -11197107, -7899103, 31703694, 3855903, -8537131, -12833048, -30772034, -15486313},
-			FieldElement{-18006477, 12709068, 3991746, -6479188, -21491523, -10550425, -31135347, -16049879, 10928917, 3011958},
-			FieldElement{-6957757, -15594337, 31696059, 334240, 29576716, 14796075, -30831056, -12805180, 18008031, 10258577},
-		},
-		{
-			FieldElement{-22448644, 15655569, 7018479, -4410003, -30314266, -1201591, -1853465, 1367120, 25127874, 6671743},
-			FieldElement{29701166, -14373934, -10878120, 9279288, -17568, 13127210, 21382910, 11042292, 25838796, 4642684},
-			FieldElement{-20430234, 14955537, -24126347, 8124619, -5369288, -5990470, 30468147, -13900640, 18423289, 4177476},
-		},
-	},
-}
diff --git a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go b/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
deleted file mode 100644
index 5f8b9947..00000000
--- a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
+++ /dev/null
@@ -1,1771 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package edwards25519
-
-// This code is a port of the public domain, “ref10” implementation of ed25519
-// from SUPERCOP.
-
-// FieldElement represents an element of the field GF(2^255 - 19).  An element
-// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
-// t[3]+2^102 t[4]+...+2^230 t[9].  Bounds on each t[i] vary depending on
-// context.
-type FieldElement [10]int32
-
-var zero FieldElement
-
-func FeZero(fe *FieldElement) {
-	copy(fe[:], zero[:])
-}
-
-func FeOne(fe *FieldElement) {
-	FeZero(fe)
-	fe[0] = 1
-}
-
-func FeAdd(dst, a, b *FieldElement) {
-	dst[0] = a[0] + b[0]
-	dst[1] = a[1] + b[1]
-	dst[2] = a[2] + b[2]
-	dst[3] = a[3] + b[3]
-	dst[4] = a[4] + b[4]
-	dst[5] = a[5] + b[5]
-	dst[6] = a[6] + b[6]
-	dst[7] = a[7] + b[7]
-	dst[8] = a[8] + b[8]
-	dst[9] = a[9] + b[9]
-}
-
-func FeSub(dst, a, b *FieldElement) {
-	dst[0] = a[0] - b[0]
-	dst[1] = a[1] - b[1]
-	dst[2] = a[2] - b[2]
-	dst[3] = a[3] - b[3]
-	dst[4] = a[4] - b[4]
-	dst[5] = a[5] - b[5]
-	dst[6] = a[6] - b[6]
-	dst[7] = a[7] - b[7]
-	dst[8] = a[8] - b[8]
-	dst[9] = a[9] - b[9]
-}
-
-func FeCopy(dst, src *FieldElement) {
-	copy(dst[:], src[:])
-}
-
-// Replace (f,g) with (g,g) if b == 1;
-// replace (f,g) with (f,g) if b == 0.
-//
-// Preconditions: b in {0,1}.
-func FeCMove(f, g *FieldElement, b int32) {
-	b = -b
-	f[0] ^= b & (f[0] ^ g[0])
-	f[1] ^= b & (f[1] ^ g[1])
-	f[2] ^= b & (f[2] ^ g[2])
-	f[3] ^= b & (f[3] ^ g[3])
-	f[4] ^= b & (f[4] ^ g[4])
-	f[5] ^= b & (f[5] ^ g[5])
-	f[6] ^= b & (f[6] ^ g[6])
-	f[7] ^= b & (f[7] ^ g[7])
-	f[8] ^= b & (f[8] ^ g[8])
-	f[9] ^= b & (f[9] ^ g[9])
-}
-
-func load3(in []byte) int64 {
-	var r int64
-	r = int64(in[0])
-	r |= int64(in[1]) << 8
-	r |= int64(in[2]) << 16
-	return r
-}
-
-func load4(in []byte) int64 {
-	var r int64
-	r = int64(in[0])
-	r |= int64(in[1]) << 8
-	r |= int64(in[2]) << 16
-	r |= int64(in[3]) << 24
-	return r
-}
-
-func FeFromBytes(dst *FieldElement, src *[32]byte) {
-	h0 := load4(src[:])
-	h1 := load3(src[4:]) << 6
-	h2 := load3(src[7:]) << 5
-	h3 := load3(src[10:]) << 3
-	h4 := load3(src[13:]) << 2
-	h5 := load4(src[16:])
-	h6 := load3(src[20:]) << 7
-	h7 := load3(src[23:]) << 5
-	h8 := load3(src[26:]) << 4
-	h9 := (load3(src[29:]) & 8388607) << 2
-
-	FeCombine(dst, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
-}
-
-// FeToBytes marshals h to s.
-// Preconditions:
-//   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Write p=2^255-19; q=floor(h/p).
-// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
-//
-// Proof:
-//   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
-//   Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
-//
-//   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
-//   Then 0<y<1.
-//
-//   Write r=h-pq.
-//   Have 0<=r<=p-1=2^255-20.
-//   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
-//
-//   Write x=r+19(2^-255)r+y.
-//   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
-//
-//   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
-//   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
-func FeToBytes(s *[32]byte, h *FieldElement) {
-	var carry [10]int32
-
-	q := (19*h[9] + (1 << 24)) >> 25
-	q = (h[0] + q) >> 26
-	q = (h[1] + q) >> 25
-	q = (h[2] + q) >> 26
-	q = (h[3] + q) >> 25
-	q = (h[4] + q) >> 26
-	q = (h[5] + q) >> 25
-	q = (h[6] + q) >> 26
-	q = (h[7] + q) >> 25
-	q = (h[8] + q) >> 26
-	q = (h[9] + q) >> 25
-
-	// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
-	h[0] += 19 * q
-	// Goal: Output h-2^255 q, which is between 0 and 2^255-20.
-
-	carry[0] = h[0] >> 26
-	h[1] += carry[0]
-	h[0] -= carry[0] << 26
-	carry[1] = h[1] >> 25
-	h[2] += carry[1]
-	h[1] -= carry[1] << 25
-	carry[2] = h[2] >> 26
-	h[3] += carry[2]
-	h[2] -= carry[2] << 26
-	carry[3] = h[3] >> 25
-	h[4] += carry[3]
-	h[3] -= carry[3] << 25
-	carry[4] = h[4] >> 26
-	h[5] += carry[4]
-	h[4] -= carry[4] << 26
-	carry[5] = h[5] >> 25
-	h[6] += carry[5]
-	h[5] -= carry[5] << 25
-	carry[6] = h[6] >> 26
-	h[7] += carry[6]
-	h[6] -= carry[6] << 26
-	carry[7] = h[7] >> 25
-	h[8] += carry[7]
-	h[7] -= carry[7] << 25
-	carry[8] = h[8] >> 26
-	h[9] += carry[8]
-	h[8] -= carry[8] << 26
-	carry[9] = h[9] >> 25
-	h[9] -= carry[9] << 25
-	// h10 = carry9
-
-	// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
-	// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
-	// evidently 2^255 h10-2^255 q = 0.
-	// Goal: Output h[0]+...+2^230 h[9].
-
-	s[0] = byte(h[0] >> 0)
-	s[1] = byte(h[0] >> 8)
-	s[2] = byte(h[0] >> 16)
-	s[3] = byte((h[0] >> 24) | (h[1] << 2))
-	s[4] = byte(h[1] >> 6)
-	s[5] = byte(h[1] >> 14)
-	s[6] = byte((h[1] >> 22) | (h[2] << 3))
-	s[7] = byte(h[2] >> 5)
-	s[8] = byte(h[2] >> 13)
-	s[9] = byte((h[2] >> 21) | (h[3] << 5))
-	s[10] = byte(h[3] >> 3)
-	s[11] = byte(h[3] >> 11)
-	s[12] = byte((h[3] >> 19) | (h[4] << 6))
-	s[13] = byte(h[4] >> 2)
-	s[14] = byte(h[4] >> 10)
-	s[15] = byte(h[4] >> 18)
-	s[16] = byte(h[5] >> 0)
-	s[17] = byte(h[5] >> 8)
-	s[18] = byte(h[5] >> 16)
-	s[19] = byte((h[5] >> 24) | (h[6] << 1))
-	s[20] = byte(h[6] >> 7)
-	s[21] = byte(h[6] >> 15)
-	s[22] = byte((h[6] >> 23) | (h[7] << 3))
-	s[23] = byte(h[7] >> 5)
-	s[24] = byte(h[7] >> 13)
-	s[25] = byte((h[7] >> 21) | (h[8] << 4))
-	s[26] = byte(h[8] >> 4)
-	s[27] = byte(h[8] >> 12)
-	s[28] = byte((h[8] >> 20) | (h[9] << 6))
-	s[29] = byte(h[9] >> 2)
-	s[30] = byte(h[9] >> 10)
-	s[31] = byte(h[9] >> 18)
-}
-
-func FeIsNegative(f *FieldElement) byte {
-	var s [32]byte
-	FeToBytes(&s, f)
-	return s[0] & 1
-}
-
-func FeIsNonZero(f *FieldElement) int32 {
-	var s [32]byte
-	FeToBytes(&s, f)
-	var x uint8
-	for _, b := range s {
-		x |= b
-	}
-	x |= x >> 4
-	x |= x >> 2
-	x |= x >> 1
-	return int32(x & 1)
-}
-
-// FeNeg sets h = -f
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-func FeNeg(h, f *FieldElement) {
-	h[0] = -f[0]
-	h[1] = -f[1]
-	h[2] = -f[2]
-	h[3] = -f[3]
-	h[4] = -f[4]
-	h[5] = -f[5]
-	h[6] = -f[6]
-	h[7] = -f[7]
-	h[8] = -f[8]
-	h[9] = -f[9]
-}
-
-func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
-	var c0, c1, c2, c3, c4, c5, c6, c7, c8, c9 int64
-
-	/*
-	  |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
-	    i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
-	  |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
-	    i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
-	*/
-
-	c0 = (h0 + (1 << 25)) >> 26
-	h1 += c0
-	h0 -= c0 << 26
-	c4 = (h4 + (1 << 25)) >> 26
-	h5 += c4
-	h4 -= c4 << 26
-	/* |h0| <= 2^25 */
-	/* |h4| <= 2^25 */
-	/* |h1| <= 1.51*2^58 */
-	/* |h5| <= 1.51*2^58 */
-
-	c1 = (h1 + (1 << 24)) >> 25
-	h2 += c1
-	h1 -= c1 << 25
-	c5 = (h5 + (1 << 24)) >> 25
-	h6 += c5
-	h5 -= c5 << 25
-	/* |h1| <= 2^24; from now on fits into int32 */
-	/* |h5| <= 2^24; from now on fits into int32 */
-	/* |h2| <= 1.21*2^59 */
-	/* |h6| <= 1.21*2^59 */
-
-	c2 = (h2 + (1 << 25)) >> 26
-	h3 += c2
-	h2 -= c2 << 26
-	c6 = (h6 + (1 << 25)) >> 26
-	h7 += c6
-	h6 -= c6 << 26
-	/* |h2| <= 2^25; from now on fits into int32 unchanged */
-	/* |h6| <= 2^25; from now on fits into int32 unchanged */
-	/* |h3| <= 1.51*2^58 */
-	/* |h7| <= 1.51*2^58 */
-
-	c3 = (h3 + (1 << 24)) >> 25
-	h4 += c3
-	h3 -= c3 << 25
-	c7 = (h7 + (1 << 24)) >> 25
-	h8 += c7
-	h7 -= c7 << 25
-	/* |h3| <= 2^24; from now on fits into int32 unchanged */
-	/* |h7| <= 2^24; from now on fits into int32 unchanged */
-	/* |h4| <= 1.52*2^33 */
-	/* |h8| <= 1.52*2^33 */
-
-	c4 = (h4 + (1 << 25)) >> 26
-	h5 += c4
-	h4 -= c4 << 26
-	c8 = (h8 + (1 << 25)) >> 26
-	h9 += c8
-	h8 -= c8 << 26
-	/* |h4| <= 2^25; from now on fits into int32 unchanged */
-	/* |h8| <= 2^25; from now on fits into int32 unchanged */
-	/* |h5| <= 1.01*2^24 */
-	/* |h9| <= 1.51*2^58 */
-
-	c9 = (h9 + (1 << 24)) >> 25
-	h0 += c9 * 19
-	h9 -= c9 << 25
-	/* |h9| <= 2^24; from now on fits into int32 unchanged */
-	/* |h0| <= 1.8*2^37 */
-
-	c0 = (h0 + (1 << 25)) >> 26
-	h1 += c0
-	h0 -= c0 << 26
-	/* |h0| <= 2^25; from now on fits into int32 unchanged */
-	/* |h1| <= 1.01*2^24 */
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-// FeMul calculates h = f * g
-// Can overlap h with f or g.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//    |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Notes on implementation strategy:
-//
-// Using schoolbook multiplication.
-// Karatsuba would save a little in some cost models.
-//
-// Most multiplications by 2 and 19 are 32-bit precomputations;
-// cheaper than 64-bit postcomputations.
-//
-// There is one remaining multiplication by 19 in the carry chain;
-// one *19 precomputation can be merged into this,
-// but the resulting data flow is considerably less clean.
-//
-// There are 12 carries below.
-// 10 of them are 2-way parallelizable and vectorizable.
-// Can get away with 11 carries, but then data flow is much deeper.
-//
-// With tighter constraints on inputs, can squeeze carries into int32.
-func FeMul(h, f, g *FieldElement) {
-	f0 := int64(f[0])
-	f1 := int64(f[1])
-	f2 := int64(f[2])
-	f3 := int64(f[3])
-	f4 := int64(f[4])
-	f5 := int64(f[5])
-	f6 := int64(f[6])
-	f7 := int64(f[7])
-	f8 := int64(f[8])
-	f9 := int64(f[9])
-
-	f1_2 := int64(2 * f[1])
-	f3_2 := int64(2 * f[3])
-	f5_2 := int64(2 * f[5])
-	f7_2 := int64(2 * f[7])
-	f9_2 := int64(2 * f[9])
-
-	g0 := int64(g[0])
-	g1 := int64(g[1])
-	g2 := int64(g[2])
-	g3 := int64(g[3])
-	g4 := int64(g[4])
-	g5 := int64(g[5])
-	g6 := int64(g[6])
-	g7 := int64(g[7])
-	g8 := int64(g[8])
-	g9 := int64(g[9])
-
-	g1_19 := int64(19 * g[1]) /* 1.4*2^29 */
-	g2_19 := int64(19 * g[2]) /* 1.4*2^30; still ok */
-	g3_19 := int64(19 * g[3])
-	g4_19 := int64(19 * g[4])
-	g5_19 := int64(19 * g[5])
-	g6_19 := int64(19 * g[6])
-	g7_19 := int64(19 * g[7])
-	g8_19 := int64(19 * g[8])
-	g9_19 := int64(19 * g[9])
-
-	h0 := f0*g0 + f1_2*g9_19 + f2*g8_19 + f3_2*g7_19 + f4*g6_19 + f5_2*g5_19 + f6*g4_19 + f7_2*g3_19 + f8*g2_19 + f9_2*g1_19
-	h1 := f0*g1 + f1*g0 + f2*g9_19 + f3*g8_19 + f4*g7_19 + f5*g6_19 + f6*g5_19 + f7*g4_19 + f8*g3_19 + f9*g2_19
-	h2 := f0*g2 + f1_2*g1 + f2*g0 + f3_2*g9_19 + f4*g8_19 + f5_2*g7_19 + f6*g6_19 + f7_2*g5_19 + f8*g4_19 + f9_2*g3_19
-	h3 := f0*g3 + f1*g2 + f2*g1 + f3*g0 + f4*g9_19 + f5*g8_19 + f6*g7_19 + f7*g6_19 + f8*g5_19 + f9*g4_19
-	h4 := f0*g4 + f1_2*g3 + f2*g2 + f3_2*g1 + f4*g0 + f5_2*g9_19 + f6*g8_19 + f7_2*g7_19 + f8*g6_19 + f9_2*g5_19
-	h5 := f0*g5 + f1*g4 + f2*g3 + f3*g2 + f4*g1 + f5*g0 + f6*g9_19 + f7*g8_19 + f8*g7_19 + f9*g6_19
-	h6 := f0*g6 + f1_2*g5 + f2*g4 + f3_2*g3 + f4*g2 + f5_2*g1 + f6*g0 + f7_2*g9_19 + f8*g8_19 + f9_2*g7_19
-	h7 := f0*g7 + f1*g6 + f2*g5 + f3*g4 + f4*g3 + f5*g2 + f6*g1 + f7*g0 + f8*g9_19 + f9*g8_19
-	h8 := f0*g8 + f1_2*g7 + f2*g6 + f3_2*g5 + f4*g4 + f5_2*g3 + f6*g2 + f7_2*g1 + f8*g0 + f9_2*g9_19
-	h9 := f0*g9 + f1*g8 + f2*g7 + f3*g6 + f4*g5 + f5*g4 + f6*g3 + f7*g2 + f8*g1 + f9*g0
-
-	FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
-}
-
-func feSquare(f *FieldElement) (h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
-	f0 := int64(f[0])
-	f1 := int64(f[1])
-	f2 := int64(f[2])
-	f3 := int64(f[3])
-	f4 := int64(f[4])
-	f5 := int64(f[5])
-	f6 := int64(f[6])
-	f7 := int64(f[7])
-	f8 := int64(f[8])
-	f9 := int64(f[9])
-	f0_2 := int64(2 * f[0])
-	f1_2 := int64(2 * f[1])
-	f2_2 := int64(2 * f[2])
-	f3_2 := int64(2 * f[3])
-	f4_2 := int64(2 * f[4])
-	f5_2 := int64(2 * f[5])
-	f6_2 := int64(2 * f[6])
-	f7_2 := int64(2 * f[7])
-	f5_38 := 38 * f5 // 1.31*2^30
-	f6_19 := 19 * f6 // 1.31*2^30
-	f7_38 := 38 * f7 // 1.31*2^30
-	f8_19 := 19 * f8 // 1.31*2^30
-	f9_38 := 38 * f9 // 1.31*2^30
-
-	h0 = f0*f0 + f1_2*f9_38 + f2_2*f8_19 + f3_2*f7_38 + f4_2*f6_19 + f5*f5_38
-	h1 = f0_2*f1 + f2*f9_38 + f3_2*f8_19 + f4*f7_38 + f5_2*f6_19
-	h2 = f0_2*f2 + f1_2*f1 + f3_2*f9_38 + f4_2*f8_19 + f5_2*f7_38 + f6*f6_19
-	h3 = f0_2*f3 + f1_2*f2 + f4*f9_38 + f5_2*f8_19 + f6*f7_38
-	h4 = f0_2*f4 + f1_2*f3_2 + f2*f2 + f5_2*f9_38 + f6_2*f8_19 + f7*f7_38
-	h5 = f0_2*f5 + f1_2*f4 + f2_2*f3 + f6*f9_38 + f7_2*f8_19
-	h6 = f0_2*f6 + f1_2*f5_2 + f2_2*f4 + f3_2*f3 + f7_2*f9_38 + f8*f8_19
-	h7 = f0_2*f7 + f1_2*f6 + f2_2*f5 + f3_2*f4 + f8*f9_38
-	h8 = f0_2*f8 + f1_2*f7_2 + f2_2*f6 + f3_2*f5_2 + f4*f4 + f9*f9_38
-	h9 = f0_2*f9 + f1_2*f8 + f2_2*f7 + f3_2*f6 + f4_2*f5
-
-	return
-}
-
-// FeSquare calculates h = f*f. Can overlap h with f.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-func FeSquare(h, f *FieldElement) {
-	h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
-	FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
-}
-
-// FeSquare2 sets h = 2 * f * f
-//
-// Can overlap h with f.
-//
-// Preconditions:
-//    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
-// See fe_mul.c for discussion of implementation strategy.
-func FeSquare2(h, f *FieldElement) {
-	h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
-
-	h0 += h0
-	h1 += h1
-	h2 += h2
-	h3 += h3
-	h4 += h4
-	h5 += h5
-	h6 += h6
-	h7 += h7
-	h8 += h8
-	h9 += h9
-
-	FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
-}
-
-func FeInvert(out, z *FieldElement) {
-	var t0, t1, t2, t3 FieldElement
-	var i int
-
-	FeSquare(&t0, z)        // 2^1
-	FeSquare(&t1, &t0)      // 2^2
-	for i = 1; i < 2; i++ { // 2^3
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t1, z, &t1)      // 2^3 + 2^0
-	FeMul(&t0, &t0, &t1)    // 2^3 + 2^1 + 2^0
-	FeSquare(&t2, &t0)      // 2^4 + 2^2 + 2^1
-	FeMul(&t1, &t1, &t2)    // 2^4 + 2^3 + 2^2 + 2^1 + 2^0
-	FeSquare(&t2, &t1)      // 5,4,3,2,1
-	for i = 1; i < 5; i++ { // 9,8,7,6,5
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)     // 9,8,7,6,5,4,3,2,1,0
-	FeSquare(&t2, &t1)       // 10..1
-	for i = 1; i < 10; i++ { // 19..10
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t2, &t2, &t1)     // 19..0
-	FeSquare(&t3, &t2)       // 20..1
-	for i = 1; i < 20; i++ { // 39..20
-		FeSquare(&t3, &t3)
-	}
-	FeMul(&t2, &t3, &t2)     // 39..0
-	FeSquare(&t2, &t2)       // 40..1
-	for i = 1; i < 10; i++ { // 49..10
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)     // 49..0
-	FeSquare(&t2, &t1)       // 50..1
-	for i = 1; i < 50; i++ { // 99..50
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t2, &t2, &t1)      // 99..0
-	FeSquare(&t3, &t2)        // 100..1
-	for i = 1; i < 100; i++ { // 199..100
-		FeSquare(&t3, &t3)
-	}
-	FeMul(&t2, &t3, &t2)     // 199..0
-	FeSquare(&t2, &t2)       // 200..1
-	for i = 1; i < 50; i++ { // 249..50
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)    // 249..0
-	FeSquare(&t1, &t1)      // 250..1
-	for i = 1; i < 5; i++ { // 254..5
-		FeSquare(&t1, &t1)
-	}
-	FeMul(out, &t1, &t0) // 254..5,3,1,0
-}
-
-func fePow22523(out, z *FieldElement) {
-	var t0, t1, t2 FieldElement
-	var i int
-
-	FeSquare(&t0, z)
-	for i = 1; i < 1; i++ {
-		FeSquare(&t0, &t0)
-	}
-	FeSquare(&t1, &t0)
-	for i = 1; i < 2; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t1, z, &t1)
-	FeMul(&t0, &t0, &t1)
-	FeSquare(&t0, &t0)
-	for i = 1; i < 1; i++ {
-		FeSquare(&t0, &t0)
-	}
-	FeMul(&t0, &t1, &t0)
-	FeSquare(&t1, &t0)
-	for i = 1; i < 5; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t0, &t1, &t0)
-	FeSquare(&t1, &t0)
-	for i = 1; i < 10; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t1, &t1, &t0)
-	FeSquare(&t2, &t1)
-	for i = 1; i < 20; i++ {
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)
-	FeSquare(&t1, &t1)
-	for i = 1; i < 10; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t0, &t1, &t0)
-	FeSquare(&t1, &t0)
-	for i = 1; i < 50; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t1, &t1, &t0)
-	FeSquare(&t2, &t1)
-	for i = 1; i < 100; i++ {
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)
-	FeSquare(&t1, &t1)
-	for i = 1; i < 50; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t0, &t1, &t0)
-	FeSquare(&t0, &t0)
-	for i = 1; i < 2; i++ {
-		FeSquare(&t0, &t0)
-	}
-	FeMul(out, &t0, z)
-}
-
-// Group elements are members of the elliptic curve -x^2 + y^2 = 1 + d * x^2 *
-// y^2 where d = -121665/121666.
-//
-// Several representations are used:
-//   ProjectiveGroupElement: (X:Y:Z) satisfying x=X/Z, y=Y/Z
-//   ExtendedGroupElement: (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
-//   CompletedGroupElement: ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
-//   PreComputedGroupElement: (y+x,y-x,2dxy)
-
-type ProjectiveGroupElement struct {
-	X, Y, Z FieldElement
-}
-
-type ExtendedGroupElement struct {
-	X, Y, Z, T FieldElement
-}
-
-type CompletedGroupElement struct {
-	X, Y, Z, T FieldElement
-}
-
-type PreComputedGroupElement struct {
-	yPlusX, yMinusX, xy2d FieldElement
-}
-
-type CachedGroupElement struct {
-	yPlusX, yMinusX, Z, T2d FieldElement
-}
-
-func (p *ProjectiveGroupElement) Zero() {
-	FeZero(&p.X)
-	FeOne(&p.Y)
-	FeOne(&p.Z)
-}
-
-func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement) {
-	var t0 FieldElement
-
-	FeSquare(&r.X, &p.X)
-	FeSquare(&r.Z, &p.Y)
-	FeSquare2(&r.T, &p.Z)
-	FeAdd(&r.Y, &p.X, &p.Y)
-	FeSquare(&t0, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.X)
-	FeSub(&r.Z, &r.Z, &r.X)
-	FeSub(&r.X, &t0, &r.Y)
-	FeSub(&r.T, &r.T, &r.Z)
-}
-
-func (p *ProjectiveGroupElement) ToBytes(s *[32]byte) {
-	var recip, x, y FieldElement
-
-	FeInvert(&recip, &p.Z)
-	FeMul(&x, &p.X, &recip)
-	FeMul(&y, &p.Y, &recip)
-	FeToBytes(s, &y)
-	s[31] ^= FeIsNegative(&x) << 7
-}
-
-func (p *ExtendedGroupElement) Zero() {
-	FeZero(&p.X)
-	FeOne(&p.Y)
-	FeOne(&p.Z)
-	FeZero(&p.T)
-}
-
-func (p *ExtendedGroupElement) Double(r *CompletedGroupElement) {
-	var q ProjectiveGroupElement
-	p.ToProjective(&q)
-	q.Double(r)
-}
-
-func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement) {
-	FeAdd(&r.yPlusX, &p.Y, &p.X)
-	FeSub(&r.yMinusX, &p.Y, &p.X)
-	FeCopy(&r.Z, &p.Z)
-	FeMul(&r.T2d, &p.T, &d2)
-}
-
-func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement) {
-	FeCopy(&r.X, &p.X)
-	FeCopy(&r.Y, &p.Y)
-	FeCopy(&r.Z, &p.Z)
-}
-
-func (p *ExtendedGroupElement) ToBytes(s *[32]byte) {
-	var recip, x, y FieldElement
-
-	FeInvert(&recip, &p.Z)
-	FeMul(&x, &p.X, &recip)
-	FeMul(&y, &p.Y, &recip)
-	FeToBytes(s, &y)
-	s[31] ^= FeIsNegative(&x) << 7
-}
-
-func (p *ExtendedGroupElement) FromBytes(s *[32]byte) bool {
-	var u, v, v3, vxx, check FieldElement
-
-	FeFromBytes(&p.Y, s)
-	FeOne(&p.Z)
-	FeSquare(&u, &p.Y)
-	FeMul(&v, &u, &d)
-	FeSub(&u, &u, &p.Z) // y = y^2-1
-	FeAdd(&v, &v, &p.Z) // v = dy^2+1
-
-	FeSquare(&v3, &v)
-	FeMul(&v3, &v3, &v) // v3 = v^3
-	FeSquare(&p.X, &v3)
-	FeMul(&p.X, &p.X, &v)
-	FeMul(&p.X, &p.X, &u) // x = uv^7
-
-	fePow22523(&p.X, &p.X) // x = (uv^7)^((q-5)/8)
-	FeMul(&p.X, &p.X, &v3)
-	FeMul(&p.X, &p.X, &u) // x = uv^3(uv^7)^((q-5)/8)
-
-	var tmpX, tmp2 [32]byte
-
-	FeSquare(&vxx, &p.X)
-	FeMul(&vxx, &vxx, &v)
-	FeSub(&check, &vxx, &u) // vx^2-u
-	if FeIsNonZero(&check) == 1 {
-		FeAdd(&check, &vxx, &u) // vx^2+u
-		if FeIsNonZero(&check) == 1 {
-			return false
-		}
-		FeMul(&p.X, &p.X, &SqrtM1)
-
-		FeToBytes(&tmpX, &p.X)
-		for i, v := range tmpX {
-			tmp2[31-i] = v
-		}
-	}
-
-	if FeIsNegative(&p.X) != (s[31] >> 7) {
-		FeNeg(&p.X, &p.X)
-	}
-
-	FeMul(&p.T, &p.X, &p.Y)
-	return true
-}
-
-func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement) {
-	FeMul(&r.X, &p.X, &p.T)
-	FeMul(&r.Y, &p.Y, &p.Z)
-	FeMul(&r.Z, &p.Z, &p.T)
-}
-
-func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement) {
-	FeMul(&r.X, &p.X, &p.T)
-	FeMul(&r.Y, &p.Y, &p.Z)
-	FeMul(&r.Z, &p.Z, &p.T)
-	FeMul(&r.T, &p.X, &p.Y)
-}
-
-func (p *PreComputedGroupElement) Zero() {
-	FeOne(&p.yPlusX)
-	FeOne(&p.yMinusX)
-	FeZero(&p.xy2d)
-}
-
-func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
-	var t0 FieldElement
-
-	FeAdd(&r.X, &p.Y, &p.X)
-	FeSub(&r.Y, &p.Y, &p.X)
-	FeMul(&r.Z, &r.X, &q.yPlusX)
-	FeMul(&r.Y, &r.Y, &q.yMinusX)
-	FeMul(&r.T, &q.T2d, &p.T)
-	FeMul(&r.X, &p.Z, &q.Z)
-	FeAdd(&t0, &r.X, &r.X)
-	FeSub(&r.X, &r.Z, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.Y)
-	FeAdd(&r.Z, &t0, &r.T)
-	FeSub(&r.T, &t0, &r.T)
-}
-
-func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
-	var t0 FieldElement
-
-	FeAdd(&r.X, &p.Y, &p.X)
-	FeSub(&r.Y, &p.Y, &p.X)
-	FeMul(&r.Z, &r.X, &q.yMinusX)
-	FeMul(&r.Y, &r.Y, &q.yPlusX)
-	FeMul(&r.T, &q.T2d, &p.T)
-	FeMul(&r.X, &p.Z, &q.Z)
-	FeAdd(&t0, &r.X, &r.X)
-	FeSub(&r.X, &r.Z, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.Y)
-	FeSub(&r.Z, &t0, &r.T)
-	FeAdd(&r.T, &t0, &r.T)
-}
-
-func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
-	var t0 FieldElement
-
-	FeAdd(&r.X, &p.Y, &p.X)
-	FeSub(&r.Y, &p.Y, &p.X)
-	FeMul(&r.Z, &r.X, &q.yPlusX)
-	FeMul(&r.Y, &r.Y, &q.yMinusX)
-	FeMul(&r.T, &q.xy2d, &p.T)
-	FeAdd(&t0, &p.Z, &p.Z)
-	FeSub(&r.X, &r.Z, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.Y)
-	FeAdd(&r.Z, &t0, &r.T)
-	FeSub(&r.T, &t0, &r.T)
-}
-
-func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
-	var t0 FieldElement
-
-	FeAdd(&r.X, &p.Y, &p.X)
-	FeSub(&r.Y, &p.Y, &p.X)
-	FeMul(&r.Z, &r.X, &q.yMinusX)
-	FeMul(&r.Y, &r.Y, &q.yPlusX)
-	FeMul(&r.T, &q.xy2d, &p.T)
-	FeAdd(&t0, &p.Z, &p.Z)
-	FeSub(&r.X, &r.Z, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.Y)
-	FeSub(&r.Z, &t0, &r.T)
-	FeAdd(&r.T, &t0, &r.T)
-}
-
-func slide(r *[256]int8, a *[32]byte) {
-	for i := range r {
-		r[i] = int8(1 & (a[i>>3] >> uint(i&7)))
-	}
-
-	for i := range r {
-		if r[i] != 0 {
-			for b := 1; b <= 6 && i+b < 256; b++ {
-				if r[i+b] != 0 {
-					if r[i]+(r[i+b]<<uint(b)) <= 15 {
-						r[i] += r[i+b] << uint(b)
-						r[i+b] = 0
-					} else if r[i]-(r[i+b]<<uint(b)) >= -15 {
-						r[i] -= r[i+b] << uint(b)
-						for k := i + b; k < 256; k++ {
-							if r[k] == 0 {
-								r[k] = 1
-								break
-							}
-							r[k] = 0
-						}
-					} else {
-						break
-					}
-				}
-			}
-		}
-	}
-}
-
-// GeDoubleScalarMultVartime sets r = a*A + b*B
-// where a = a[0]+256*a[1]+...+256^31 a[31].
-// and b = b[0]+256*b[1]+...+256^31 b[31].
-// B is the Ed25519 base point (x,4/5) with x positive.
-func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte) {
-	var aSlide, bSlide [256]int8
-	var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
-	var t CompletedGroupElement
-	var u, A2 ExtendedGroupElement
-	var i int
-
-	slide(&aSlide, a)
-	slide(&bSlide, b)
-
-	A.ToCached(&Ai[0])
-	A.Double(&t)
-	t.ToExtended(&A2)
-
-	for i := 0; i < 7; i++ {
-		geAdd(&t, &A2, &Ai[i])
-		t.ToExtended(&u)
-		u.ToCached(&Ai[i+1])
-	}
-
-	r.Zero()
-
-	for i = 255; i >= 0; i-- {
-		if aSlide[i] != 0 || bSlide[i] != 0 {
-			break
-		}
-	}
-
-	for ; i >= 0; i-- {
-		r.Double(&t)
-
-		if aSlide[i] > 0 {
-			t.ToExtended(&u)
-			geAdd(&t, &u, &Ai[aSlide[i]/2])
-		} else if aSlide[i] < 0 {
-			t.ToExtended(&u)
-			geSub(&t, &u, &Ai[(-aSlide[i])/2])
-		}
-
-		if bSlide[i] > 0 {
-			t.ToExtended(&u)
-			geMixedAdd(&t, &u, &bi[bSlide[i]/2])
-		} else if bSlide[i] < 0 {
-			t.ToExtended(&u)
-			geMixedSub(&t, &u, &bi[(-bSlide[i])/2])
-		}
-
-		t.ToProjective(r)
-	}
-}
-
-// equal returns 1 if b == c and 0 otherwise, assuming that b and c are
-// non-negative.
-func equal(b, c int32) int32 {
-	x := uint32(b ^ c)
-	x--
-	return int32(x >> 31)
-}
-
-// negative returns 1 if b < 0 and 0 otherwise.
-func negative(b int32) int32 {
-	return (b >> 31) & 1
-}
-
-func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32) {
-	FeCMove(&t.yPlusX, &u.yPlusX, b)
-	FeCMove(&t.yMinusX, &u.yMinusX, b)
-	FeCMove(&t.xy2d, &u.xy2d, b)
-}
-
-func selectPoint(t *PreComputedGroupElement, pos int32, b int32) {
-	var minusT PreComputedGroupElement
-	bNegative := negative(b)
-	bAbs := b - (((-bNegative) & b) << 1)
-
-	t.Zero()
-	for i := int32(0); i < 8; i++ {
-		PreComputedGroupElementCMove(t, &base[pos][i], equal(bAbs, i+1))
-	}
-	FeCopy(&minusT.yPlusX, &t.yMinusX)
-	FeCopy(&minusT.yMinusX, &t.yPlusX)
-	FeNeg(&minusT.xy2d, &t.xy2d)
-	PreComputedGroupElementCMove(t, &minusT, bNegative)
-}
-
-// GeScalarMultBase computes h = a*B, where
-//   a = a[0]+256*a[1]+...+256^31 a[31]
-//   B is the Ed25519 base point (x,4/5) with x positive.
-//
-// Preconditions:
-//   a[31] <= 127
-func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte) {
-	var e [64]int8
-
-	for i, v := range a {
-		e[2*i] = int8(v & 15)
-		e[2*i+1] = int8((v >> 4) & 15)
-	}
-
-	// each e[i] is between 0 and 15 and e[63] is between 0 and 7.
-
-	carry := int8(0)
-	for i := 0; i < 63; i++ {
-		e[i] += carry
-		carry = (e[i] + 8) >> 4
-		e[i] -= carry << 4
-	}
-	e[63] += carry
-	// each e[i] is between -8 and 8.
-
-	h.Zero()
-	var t PreComputedGroupElement
-	var r CompletedGroupElement
-	for i := int32(1); i < 64; i += 2 {
-		selectPoint(&t, i/2, int32(e[i]))
-		geMixedAdd(&r, h, &t)
-		r.ToExtended(h)
-	}
-
-	var s ProjectiveGroupElement
-
-	h.Double(&r)
-	r.ToProjective(&s)
-	s.Double(&r)
-	r.ToProjective(&s)
-	s.Double(&r)
-	r.ToProjective(&s)
-	s.Double(&r)
-	r.ToExtended(h)
-
-	for i := int32(0); i < 64; i += 2 {
-		selectPoint(&t, i/2, int32(e[i]))
-		geMixedAdd(&r, h, &t)
-		r.ToExtended(h)
-	}
-}
-
-// The scalars are GF(2^252 + 27742317777372353535851937790883648493).
-
-// Input:
-//   a[0]+256*a[1]+...+256^31*a[31] = a
-//   b[0]+256*b[1]+...+256^31*b[31] = b
-//   c[0]+256*c[1]+...+256^31*c[31] = c
-//
-// Output:
-//   s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
-//   where l = 2^252 + 27742317777372353535851937790883648493.
-func ScMulAdd(s, a, b, c *[32]byte) {
-	a0 := 2097151 & load3(a[:])
-	a1 := 2097151 & (load4(a[2:]) >> 5)
-	a2 := 2097151 & (load3(a[5:]) >> 2)
-	a3 := 2097151 & (load4(a[7:]) >> 7)
-	a4 := 2097151 & (load4(a[10:]) >> 4)
-	a5 := 2097151 & (load3(a[13:]) >> 1)
-	a6 := 2097151 & (load4(a[15:]) >> 6)
-	a7 := 2097151 & (load3(a[18:]) >> 3)
-	a8 := 2097151 & load3(a[21:])
-	a9 := 2097151 & (load4(a[23:]) >> 5)
-	a10 := 2097151 & (load3(a[26:]) >> 2)
-	a11 := (load4(a[28:]) >> 7)
-	b0 := 2097151 & load3(b[:])
-	b1 := 2097151 & (load4(b[2:]) >> 5)
-	b2 := 2097151 & (load3(b[5:]) >> 2)
-	b3 := 2097151 & (load4(b[7:]) >> 7)
-	b4 := 2097151 & (load4(b[10:]) >> 4)
-	b5 := 2097151 & (load3(b[13:]) >> 1)
-	b6 := 2097151 & (load4(b[15:]) >> 6)
-	b7 := 2097151 & (load3(b[18:]) >> 3)
-	b8 := 2097151 & load3(b[21:])
-	b9 := 2097151 & (load4(b[23:]) >> 5)
-	b10 := 2097151 & (load3(b[26:]) >> 2)
-	b11 := (load4(b[28:]) >> 7)
-	c0 := 2097151 & load3(c[:])
-	c1 := 2097151 & (load4(c[2:]) >> 5)
-	c2 := 2097151 & (load3(c[5:]) >> 2)
-	c3 := 2097151 & (load4(c[7:]) >> 7)
-	c4 := 2097151 & (load4(c[10:]) >> 4)
-	c5 := 2097151 & (load3(c[13:]) >> 1)
-	c6 := 2097151 & (load4(c[15:]) >> 6)
-	c7 := 2097151 & (load3(c[18:]) >> 3)
-	c8 := 2097151 & load3(c[21:])
-	c9 := 2097151 & (load4(c[23:]) >> 5)
-	c10 := 2097151 & (load3(c[26:]) >> 2)
-	c11 := (load4(c[28:]) >> 7)
-	var carry [23]int64
-
-	s0 := c0 + a0*b0
-	s1 := c1 + a0*b1 + a1*b0
-	s2 := c2 + a0*b2 + a1*b1 + a2*b0
-	s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
-	s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
-	s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
-	s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
-	s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
-	s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
-	s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
-	s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
-	s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
-	s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
-	s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
-	s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
-	s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
-	s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
-	s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
-	s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
-	s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8
-	s20 := a9*b11 + a10*b10 + a11*b9
-	s21 := a10*b11 + a11*b10
-	s22 := a11 * b11
-	s23 := int64(0)
-
-	carry[0] = (s0 + (1 << 20)) >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[2] = (s2 + (1 << 20)) >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[4] = (s4 + (1 << 20)) >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[12] = (s12 + (1 << 20)) >> 21
-	s13 += carry[12]
-	s12 -= carry[12] << 21
-	carry[14] = (s14 + (1 << 20)) >> 21
-	s15 += carry[14]
-	s14 -= carry[14] << 21
-	carry[16] = (s16 + (1 << 20)) >> 21
-	s17 += carry[16]
-	s16 -= carry[16] << 21
-	carry[18] = (s18 + (1 << 20)) >> 21
-	s19 += carry[18]
-	s18 -= carry[18] << 21
-	carry[20] = (s20 + (1 << 20)) >> 21
-	s21 += carry[20]
-	s20 -= carry[20] << 21
-	carry[22] = (s22 + (1 << 20)) >> 21
-	s23 += carry[22]
-	s22 -= carry[22] << 21
-
-	carry[1] = (s1 + (1 << 20)) >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[3] = (s3 + (1 << 20)) >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[5] = (s5 + (1 << 20)) >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-	carry[13] = (s13 + (1 << 20)) >> 21
-	s14 += carry[13]
-	s13 -= carry[13] << 21
-	carry[15] = (s15 + (1 << 20)) >> 21
-	s16 += carry[15]
-	s15 -= carry[15] << 21
-	carry[17] = (s17 + (1 << 20)) >> 21
-	s18 += carry[17]
-	s17 -= carry[17] << 21
-	carry[19] = (s19 + (1 << 20)) >> 21
-	s20 += carry[19]
-	s19 -= carry[19] << 21
-	carry[21] = (s21 + (1 << 20)) >> 21
-	s22 += carry[21]
-	s21 -= carry[21] << 21
-
-	s11 += s23 * 666643
-	s12 += s23 * 470296
-	s13 += s23 * 654183
-	s14 -= s23 * 997805
-	s15 += s23 * 136657
-	s16 -= s23 * 683901
-	s23 = 0
-
-	s10 += s22 * 666643
-	s11 += s22 * 470296
-	s12 += s22 * 654183
-	s13 -= s22 * 997805
-	s14 += s22 * 136657
-	s15 -= s22 * 683901
-	s22 = 0
-
-	s9 += s21 * 666643
-	s10 += s21 * 470296
-	s11 += s21 * 654183
-	s12 -= s21 * 997805
-	s13 += s21 * 136657
-	s14 -= s21 * 683901
-	s21 = 0
-
-	s8 += s20 * 666643
-	s9 += s20 * 470296
-	s10 += s20 * 654183
-	s11 -= s20 * 997805
-	s12 += s20 * 136657
-	s13 -= s20 * 683901
-	s20 = 0
-
-	s7 += s19 * 666643
-	s8 += s19 * 470296
-	s9 += s19 * 654183
-	s10 -= s19 * 997805
-	s11 += s19 * 136657
-	s12 -= s19 * 683901
-	s19 = 0
-
-	s6 += s18 * 666643
-	s7 += s18 * 470296
-	s8 += s18 * 654183
-	s9 -= s18 * 997805
-	s10 += s18 * 136657
-	s11 -= s18 * 683901
-	s18 = 0
-
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[12] = (s12 + (1 << 20)) >> 21
-	s13 += carry[12]
-	s12 -= carry[12] << 21
-	carry[14] = (s14 + (1 << 20)) >> 21
-	s15 += carry[14]
-	s14 -= carry[14] << 21
-	carry[16] = (s16 + (1 << 20)) >> 21
-	s17 += carry[16]
-	s16 -= carry[16] << 21
-
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-	carry[13] = (s13 + (1 << 20)) >> 21
-	s14 += carry[13]
-	s13 -= carry[13] << 21
-	carry[15] = (s15 + (1 << 20)) >> 21
-	s16 += carry[15]
-	s15 -= carry[15] << 21
-
-	s5 += s17 * 666643
-	s6 += s17 * 470296
-	s7 += s17 * 654183
-	s8 -= s17 * 997805
-	s9 += s17 * 136657
-	s10 -= s17 * 683901
-	s17 = 0
-
-	s4 += s16 * 666643
-	s5 += s16 * 470296
-	s6 += s16 * 654183
-	s7 -= s16 * 997805
-	s8 += s16 * 136657
-	s9 -= s16 * 683901
-	s16 = 0
-
-	s3 += s15 * 666643
-	s4 += s15 * 470296
-	s5 += s15 * 654183
-	s6 -= s15 * 997805
-	s7 += s15 * 136657
-	s8 -= s15 * 683901
-	s15 = 0
-
-	s2 += s14 * 666643
-	s3 += s14 * 470296
-	s4 += s14 * 654183
-	s5 -= s14 * 997805
-	s6 += s14 * 136657
-	s7 -= s14 * 683901
-	s14 = 0
-
-	s1 += s13 * 666643
-	s2 += s13 * 470296
-	s3 += s13 * 654183
-	s4 -= s13 * 997805
-	s5 += s13 * 136657
-	s6 -= s13 * 683901
-	s13 = 0
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = (s0 + (1 << 20)) >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[2] = (s2 + (1 << 20)) >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[4] = (s4 + (1 << 20)) >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-
-	carry[1] = (s1 + (1 << 20)) >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[3] = (s3 + (1 << 20)) >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[5] = (s5 + (1 << 20)) >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = s0 >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[1] = s1 >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[2] = s2 >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[3] = s3 >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[4] = s4 >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[5] = s5 >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[6] = s6 >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[7] = s7 >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[8] = s8 >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[9] = s9 >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[10] = s10 >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[11] = s11 >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = s0 >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[1] = s1 >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[2] = s2 >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[3] = s3 >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[4] = s4 >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[5] = s5 >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[6] = s6 >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[7] = s7 >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[8] = s8 >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[9] = s9 >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[10] = s10 >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-
-	s[0] = byte(s0 >> 0)
-	s[1] = byte(s0 >> 8)
-	s[2] = byte((s0 >> 16) | (s1 << 5))
-	s[3] = byte(s1 >> 3)
-	s[4] = byte(s1 >> 11)
-	s[5] = byte((s1 >> 19) | (s2 << 2))
-	s[6] = byte(s2 >> 6)
-	s[7] = byte((s2 >> 14) | (s3 << 7))
-	s[8] = byte(s3 >> 1)
-	s[9] = byte(s3 >> 9)
-	s[10] = byte((s3 >> 17) | (s4 << 4))
-	s[11] = byte(s4 >> 4)
-	s[12] = byte(s4 >> 12)
-	s[13] = byte((s4 >> 20) | (s5 << 1))
-	s[14] = byte(s5 >> 7)
-	s[15] = byte((s5 >> 15) | (s6 << 6))
-	s[16] = byte(s6 >> 2)
-	s[17] = byte(s6 >> 10)
-	s[18] = byte((s6 >> 18) | (s7 << 3))
-	s[19] = byte(s7 >> 5)
-	s[20] = byte(s7 >> 13)
-	s[21] = byte(s8 >> 0)
-	s[22] = byte(s8 >> 8)
-	s[23] = byte((s8 >> 16) | (s9 << 5))
-	s[24] = byte(s9 >> 3)
-	s[25] = byte(s9 >> 11)
-	s[26] = byte((s9 >> 19) | (s10 << 2))
-	s[27] = byte(s10 >> 6)
-	s[28] = byte((s10 >> 14) | (s11 << 7))
-	s[29] = byte(s11 >> 1)
-	s[30] = byte(s11 >> 9)
-	s[31] = byte(s11 >> 17)
-}
-
-// Input:
-//   s[0]+256*s[1]+...+256^63*s[63] = s
-//
-// Output:
-//   s[0]+256*s[1]+...+256^31*s[31] = s mod l
-//   where l = 2^252 + 27742317777372353535851937790883648493.
-func ScReduce(out *[32]byte, s *[64]byte) {
-	s0 := 2097151 & load3(s[:])
-	s1 := 2097151 & (load4(s[2:]) >> 5)
-	s2 := 2097151 & (load3(s[5:]) >> 2)
-	s3 := 2097151 & (load4(s[7:]) >> 7)
-	s4 := 2097151 & (load4(s[10:]) >> 4)
-	s5 := 2097151 & (load3(s[13:]) >> 1)
-	s6 := 2097151 & (load4(s[15:]) >> 6)
-	s7 := 2097151 & (load3(s[18:]) >> 3)
-	s8 := 2097151 & load3(s[21:])
-	s9 := 2097151 & (load4(s[23:]) >> 5)
-	s10 := 2097151 & (load3(s[26:]) >> 2)
-	s11 := 2097151 & (load4(s[28:]) >> 7)
-	s12 := 2097151 & (load4(s[31:]) >> 4)
-	s13 := 2097151 & (load3(s[34:]) >> 1)
-	s14 := 2097151 & (load4(s[36:]) >> 6)
-	s15 := 2097151 & (load3(s[39:]) >> 3)
-	s16 := 2097151 & load3(s[42:])
-	s17 := 2097151 & (load4(s[44:]) >> 5)
-	s18 := 2097151 & (load3(s[47:]) >> 2)
-	s19 := 2097151 & (load4(s[49:]) >> 7)
-	s20 := 2097151 & (load4(s[52:]) >> 4)
-	s21 := 2097151 & (load3(s[55:]) >> 1)
-	s22 := 2097151 & (load4(s[57:]) >> 6)
-	s23 := (load4(s[60:]) >> 3)
-
-	s11 += s23 * 666643
-	s12 += s23 * 470296
-	s13 += s23 * 654183
-	s14 -= s23 * 997805
-	s15 += s23 * 136657
-	s16 -= s23 * 683901
-	s23 = 0
-
-	s10 += s22 * 666643
-	s11 += s22 * 470296
-	s12 += s22 * 654183
-	s13 -= s22 * 997805
-	s14 += s22 * 136657
-	s15 -= s22 * 683901
-	s22 = 0
-
-	s9 += s21 * 666643
-	s10 += s21 * 470296
-	s11 += s21 * 654183
-	s12 -= s21 * 997805
-	s13 += s21 * 136657
-	s14 -= s21 * 683901
-	s21 = 0
-
-	s8 += s20 * 666643
-	s9 += s20 * 470296
-	s10 += s20 * 654183
-	s11 -= s20 * 997805
-	s12 += s20 * 136657
-	s13 -= s20 * 683901
-	s20 = 0
-
-	s7 += s19 * 666643
-	s8 += s19 * 470296
-	s9 += s19 * 654183
-	s10 -= s19 * 997805
-	s11 += s19 * 136657
-	s12 -= s19 * 683901
-	s19 = 0
-
-	s6 += s18 * 666643
-	s7 += s18 * 470296
-	s8 += s18 * 654183
-	s9 -= s18 * 997805
-	s10 += s18 * 136657
-	s11 -= s18 * 683901
-	s18 = 0
-
-	var carry [17]int64
-
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[12] = (s12 + (1 << 20)) >> 21
-	s13 += carry[12]
-	s12 -= carry[12] << 21
-	carry[14] = (s14 + (1 << 20)) >> 21
-	s15 += carry[14]
-	s14 -= carry[14] << 21
-	carry[16] = (s16 + (1 << 20)) >> 21
-	s17 += carry[16]
-	s16 -= carry[16] << 21
-
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-	carry[13] = (s13 + (1 << 20)) >> 21
-	s14 += carry[13]
-	s13 -= carry[13] << 21
-	carry[15] = (s15 + (1 << 20)) >> 21
-	s16 += carry[15]
-	s15 -= carry[15] << 21
-
-	s5 += s17 * 666643
-	s6 += s17 * 470296
-	s7 += s17 * 654183
-	s8 -= s17 * 997805
-	s9 += s17 * 136657
-	s10 -= s17 * 683901
-	s17 = 0
-
-	s4 += s16 * 666643
-	s5 += s16 * 470296
-	s6 += s16 * 654183
-	s7 -= s16 * 997805
-	s8 += s16 * 136657
-	s9 -= s16 * 683901
-	s16 = 0
-
-	s3 += s15 * 666643
-	s4 += s15 * 470296
-	s5 += s15 * 654183
-	s6 -= s15 * 997805
-	s7 += s15 * 136657
-	s8 -= s15 * 683901
-	s15 = 0
-
-	s2 += s14 * 666643
-	s3 += s14 * 470296
-	s4 += s14 * 654183
-	s5 -= s14 * 997805
-	s6 += s14 * 136657
-	s7 -= s14 * 683901
-	s14 = 0
-
-	s1 += s13 * 666643
-	s2 += s13 * 470296
-	s3 += s13 * 654183
-	s4 -= s13 * 997805
-	s5 += s13 * 136657
-	s6 -= s13 * 683901
-	s13 = 0
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = (s0 + (1 << 20)) >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[2] = (s2 + (1 << 20)) >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[4] = (s4 + (1 << 20)) >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-
-	carry[1] = (s1 + (1 << 20)) >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[3] = (s3 + (1 << 20)) >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[5] = (s5 + (1 << 20)) >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = s0 >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[1] = s1 >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[2] = s2 >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[3] = s3 >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[4] = s4 >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[5] = s5 >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[6] = s6 >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[7] = s7 >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[8] = s8 >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[9] = s9 >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[10] = s10 >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[11] = s11 >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = s0 >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[1] = s1 >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[2] = s2 >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[3] = s3 >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[4] = s4 >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[5] = s5 >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[6] = s6 >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[7] = s7 >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[8] = s8 >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[9] = s9 >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[10] = s10 >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-
-	out[0] = byte(s0 >> 0)
-	out[1] = byte(s0 >> 8)
-	out[2] = byte((s0 >> 16) | (s1 << 5))
-	out[3] = byte(s1 >> 3)
-	out[4] = byte(s1 >> 11)
-	out[5] = byte((s1 >> 19) | (s2 << 2))
-	out[6] = byte(s2 >> 6)
-	out[7] = byte((s2 >> 14) | (s3 << 7))
-	out[8] = byte(s3 >> 1)
-	out[9] = byte(s3 >> 9)
-	out[10] = byte((s3 >> 17) | (s4 << 4))
-	out[11] = byte(s4 >> 4)
-	out[12] = byte(s4 >> 12)
-	out[13] = byte((s4 >> 20) | (s5 << 1))
-	out[14] = byte(s5 >> 7)
-	out[15] = byte((s5 >> 15) | (s6 << 6))
-	out[16] = byte(s6 >> 2)
-	out[17] = byte(s6 >> 10)
-	out[18] = byte((s6 >> 18) | (s7 << 3))
-	out[19] = byte(s7 >> 5)
-	out[20] = byte(s7 >> 13)
-	out[21] = byte(s8 >> 0)
-	out[22] = byte(s8 >> 8)
-	out[23] = byte((s8 >> 16) | (s9 << 5))
-	out[24] = byte(s9 >> 3)
-	out[25] = byte(s9 >> 11)
-	out[26] = byte((s9 >> 19) | (s10 << 2))
-	out[27] = byte(s10 >> 6)
-	out[28] = byte((s10 >> 14) | (s11 << 7))
-	out[29] = byte(s11 >> 1)
-	out[30] = byte(s11 >> 9)
-	out[31] = byte(s11 >> 17)
-}
diff --git a/vendor/golang.org/x/crypto/ed25519/testdata/sign.input.gz b/vendor/golang.org/x/crypto/ed25519/testdata/sign.input.gz
deleted file mode 100644
index 41030690c0db39a0279304a46f002a625caa9080..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 50330
zcmV*3Kz6?$iwFoTsc=vL19NF-ZZ2tVaCLM5?EPz!AU%?02mX)M0EV~k28PG}moVqp
z*D^9gA!nNH)m2%^C^oAyBf`zi0DW8qRPP<T#y5_A?%ie9@Xns|ym>rlJ!@tDXRK03
zd(%@#94(}Gu8`uIr`;NMD|7S^`}4*y-?mGB@7ZaMnnO!7oD<t~)1I?F=_&JuC(hb$
z3$4UBe}4UdpHoWBDTI}3n5#V_^m=&r9_r~&=Yx7{H=ehjvPa9iw{$`+&yz=prIh>j
z{=_oEOn%&|@gzPpt~=gb-~E*LmK(|_?|YtHONlw=)K8l+g!ku9UTcRw-lyL?>Yii2
zb){U-iZP#X%iCv)<EAoSz9R40*R5w~e)FvNO*@C!Ryv)h4%Xv&TbPqqjc+^e8f$bu
z=&~ny)V@|&o7avH8&zvqKfiuJdw#|<Ll|@1u=AR4Z%<(P!dq_5Psw3E@6+CrV=W=w
z&Re(oJWo0=Upw{;z04I)PKTu&_2klTsxj?wW88hE-rncT^RidZJm(EzKO@%oyl+?`
z@CtucnX~Vk(;c^`_MZK=oZ0=j*W2D$>rTC-5?Z}s<hPe~(tJ*Mv%jw0RpQ$H)F<{C
zXX<<Ac6JC)3T$8xJ+kbPT}~;axynB8h_U33(S)b`{Q3d&_UEVaUAvaH4^EWBll#+7
z9V^ZE1fCk!;V0(PbIWP+>L=BXEA5vh<f&0RdJDfj){8yQQ`>DdjGp(ZW#rjbEN3)d
z=IMI{cIK>eW@LlecwgcV`#3{+aia3fl2bjghg7gnA9(HzDVNKly|J{Xw9?vhdI;s<
zCH;(3<BYw$>)eNZoOLxeVYHgo8M*BAKK$=ivGKig4)4NCp1tCnrG?Ude*J*;uGZe4
zJ$miCJnMO}<x_6Dv&=U77mscVW4){jUQ4LJw)p?Ck2xBP|E7uC_Zo1>zD6s(JQ!;s
ztfctj_WbP3<!N!%KISz9hBKeK23{NoR=WPjYy7GEj+DcSJc&K(xW>u3=JU>(G`=U)
z`QTXie#*qB)AAa3g?#X(_g!JLx8Yg2q!bNOWv`r~cJQQ<&YbvCZ=DUnLx@))#5<ln
zFuycekKaC^+`KyL_7k6c>s|E?n-JDB3pP%R?=C6SN{H;ZVaLz*t%U!5_Qf~}514x*
z1e~X0_Z@GXGt?Byb{otSEX@1h#R*@Z<vAGVJbB!Ao-%tOIN<E<|NSC=-iA?jB06Sw
zJOAxgY~%EeLAQ}3$%daMB-I#L`%9RAaw?cnna{wIo|4E3t>QrhggRb6o=A;%)PfJ?
z-s{T-y`8rtj)%=|-af{A*}o8fe*FMGxbm`Lw4e96E7!SmGqC2|`if(m$cLR+$Bpl)
z>1q7@zzO+{BVl-R5O6PFS8>?*K1Aiq29gbTA(}@QoRB*YzCz;Qp}ZUE_hsQG$ugHZ
zC*ePg|BqMs)B41R?>&SN7IZvB4S#*e_*=!1YU5Kj`yFrr0t|oh5O4S!B2p$Tt^3}Y
zLt%H@#rMDhguRVRuT?T11a>G-4g4pZ_rX30@jc;L<m3JG>jw~1W7xfvL2e+@5mxVt
zd+_;(Pw0&lc5A8tmvjkxWcM}Vyn7_V%zkoY%WflJU@0A3(eHydSEBMu=)uIc5q6WK
z2j)a9$XIH~n}9;<tckVnJ@F*a#sAmK`~eDetmCf!5OeceTIQ+y<OL`hVX#|R>g}~9
z(n897QN<t%R=mn>WAsVTpTy+aFs+F%5KqWyX`eXvsOhvuPET*bcUi^Pz};V7f_<&&
z=hqK-^CUm_cv=9*u)Ja3=Ypl?Nv+NLw%H!iz`k!L4DR$qK+_KUmh*rDNmjkb=d?q5
z89fGKaw!ktf@DdiDhrbYy#=x}TSV^1u8BJM4Z)NEuvz-`2EZFX-2M-*^M~9}OZ>3W
z>ixX2$9LcW>5?YM1^lo2vfBJzewW@x!nivS`_3Wd-5zmI9{QBKNN5GTK?uD37y%Px
z2^71pE{30xMf!MvH6+QK3<Bxr*AK`<<@tgq-nSZ^e>Q<(A0Q4tR=}kzHbPA!h=Qb_
z-VF+yKbb7di7^zs_9mXdU+nYnOJ`X<b#Ts;UhENfCi~4b0-jrlTc;CXNlgt)BOn8w
zHqq<$fCm`l{|_(phu~aExi4D*cmOPdd5Pxa05A%kz@8bgI(VOd2a*8Gje>Le_&6Ri
zHPu1I1|#oyunhhS;RB3P32C_c0eP^Dx+~%BIe5HLW&pd--9Nv603Y%ai)-1$Zayv7
zpJ%l?12xQ(MqH6R+@F(h$hpWV1wYhf398sMp&f(^B+xIg`Gv({!DFqFLtZ&<Ak`zr
zil8PuEfS4;t!xP82~m9$Wmu73$dVysuv+{-d8I%3wEbXD2|Fgzv?%E7R2yud$qmd|
ziI0h7%I^*QI3Xk6_3p)6lkLe01u)aeMz_s3?kiMj#!>2!L5*_~&fDX_ITyGdSLbVt
z4|(7F^ZN&+O+e_F@Bz!mmn<EB9-Oa?&N>k_uu;H95W2J2FEN#85t0g_Vn0B9pu}kd
zFQ$MRE-;J8dQR3EY~3l4(y*qWjsXHtl9fSR2CG?<%--^7ymB3tK#vt1e&qk`rT$n>
zvVsrrjVf|Xsv?l`VMj>Mctwtf96?1xngE_9?EdcO*`35lg-6;ZoRfoi<F}L!Tr{<0
z5_AQ`fD}5#BncR&jc<J@U@t3Jv6KYFFZbuy4`7q(t)0RZSVRovDfr$`Ygp_!R#z!(
zp(s%L85j~aLcEwYQ@=eFa;ETw)v~hu&+6y7R2D!S)-f(1c>`l~U@tYtQ@~@C%vd;E
zRtW(jGRl{V*-`5O%}-&AL-@aVtv{foSt)P9C7@_xJ)o?D_MQ);fZxOvn|hcx!nq!@
zH%qd~qzUvw#e7d^%c&G86eItW;>s8ipbPXsHO)5HmmD0~KYj*)o(7ebc8ry@pI<)!
zWV+oY%2{@<VxSiY(92ISCXY6fvHu~8)*3T)FgwxAR&@`6G;8~4rkULaJRGfaknajc
zIZJH=985|eQWGISZYzQ0*_OR;iv;FV0!tgPy>~toywrYWg6zZjzkIPj_zwsg@aL9p
za>@qMd|(E+jUPmcropq=xMi&h1ejE!{8JJNRUTFIOJFa7vMFGeqLuvMs2l7J^iJ;e
zOHq?Z?)=NrsGbJ3I$)I|ZU6lG0Te3Ob4=ia%Sw?@$ltH1>&M^&7$ykez^nz1NxhfI
zpTyfMmJE#~*IUe&1j6^`<G+0QQZ|4T4Ngg55+L{mdjK>FsesUQ#x=3=uIrL*aeQ$3
zA{jq{dbE4;HNnIG*RS?x%!Nsm;ZHsh529>jwF$2WYYvMzL->3WEAVc@%lm`}pWN(8
zovg|tWfPuyCY|7j)JU5+Mph-uHXMia)c3^42fuvr*eA9#_{)SBKLog6KY#+2NJ@!H
zzGa2ktcS-O0Z9S~ng}p$z5rzYf;%2QA>cox5WoQGB0LdCcmP?1nVb($5DVP3&X**K
zMYHH}fDsCiyYv}1;lQ&d&*nl&mdFi238D@IgYS3<aR9pr_5bI~{Q>G9kV^FUh>SzX
zCkX%@*qPqWd!A8a#VtuYfY9rqz~V1~54Z~ffc?fH3-Bj`kf|pMDPkYq==4hhW{2hr
z9*Nlik<WDDX8qs<rA7Jq^#k}XU{><r!IFUzgv1TDsc+eY<{#oKxPf~9kgdpg3G?C!
zF>hiTYbVSAoj*L3a-;-{Rcxx<L@>5sq3Qyt_uAQO&-uo4*iOv47uK?RkVfv?88;-V
zluQBui$o7V`b)C-|NVM@!sI8Y#64f2T%g!2o|G+<_5&ten4F-Fa1UO_i7TE|fT$p8
z{sn*h9RmbXQ_HF0xqb@^mS3_sZ$tr1QOgQ!vkpd)TV3Qb7qpc3=hqJ~2w!$-Rcw0_
zpl&5CP-S4-;O+7A%(S0o_}#|Vrww8Pp!Z_DZ(@0<Ir(qVz#m1GEf%6N0T}26&JKe=
zjQo;}DNx%|_F~Y(qjfT4N#nUBlMePF-A|yv%`9G9^MLq0Zu<ZCf`6z@gmDF@Yz@z$
zSog0x#ivCR@4VTi`jy`)b`sqhtW3pkO1-fKj~ufnforu5u%~pO$fcMKVwMIprZP)b
zv#%A`1RuW{fU<xwiTd}~4`{4odnjmFAmDxT6mxi<Oig~8r~E$&{IS+ch$XmE!ggyb
zYSEb<vSj76GJuJS3wJ*ibdlB}MpZ)7%Ddo#<e~|Jd1vD{Pe1^v=)D(M7;e;OS<(D>
z>iRaoXWxL<2lT#h?C}0iyyBnME+qtIMn3m?6z)&uLCpcm!8i(d^HSY{xUxYwf@%|W
z^0V1jcB^HNz#ohWpbL)emD&Y(kSJ{l!}upFK(RwKTl^o)II_zN`1N?6`u_a-0WXU{
z4yQiCBtdEGz1gGWmrno+S~|ra0vq46J**CiKs*4Otz-?E4?Waqlso_r;3e)q7ulb6
z!yMV3LKa>Rp8tY``N_lr)@9A0AqH|VVB~3M0a|gI#=-+MGbkpV!*Y{@=l|48{vqyC
z+MGl6=iLFn`<+znR6cV9Lk<c5Z6{%-!oGIT!=uSko&CMMS9wRJ-XiGsR$gE!C1^Q-
z^GU|NgIbOUvWH;fx~K%t>4mRmRp-Mtte;;$pho}=9_leoqf(?yYi)Se`kflQ1U+&-
z&hxT^6j&P+?I{c?`B>1cGs(C337(G+UM#n<2mE#*CGc<YYLtBVZTSjJFwXJ7VqlEr
zC8Zjp*|23o;5A5KuctEw>+&XH&EP5H|Kw}_={qKpPFq%1FY%FljklJ~U-$b^kVL?;
zn6QRR60?@3-s~P`t@LcyrR$g;FafI)AdugDQt3J1QoSA#-69zSE%=vLNX>?>5O~M?
z^XmuncUJ0C03Ov0HaW257kesvb6|yVqTJs+er5!(6FEHpr~D*u*47R%=z4obDk93v
z5^e$MtU16TH(ByMEMs~+EMqZ%aR3FZd05Ik18d2;640f_dHtDUr9-?6`KeaR`yB?D
z@<08ee=vz!wwHS?P)sCDF;3t)HGB5~nfOf2Mp~ty3zU}@eD4F=G-#0hFZBflc$k3#
z&WBrjzM9qq@A07lKcAk9<^rltw>}_2Ahmd4_McxrAQIf`cNzR0%d;H2dvyPbM8G-6
zQ>ws!s6SK@(XwP8@&%zA^JSTczbqI@f_SeN64cmiB00wFRWMZ^<-)DNCE#AbsGmyN
zy^8?s#ljcG4EFAg@y(GWw;u9FOWw_RCEPshINdDsKmDqIHrRsbR5u}fVf<sQZaqQ0
zX*vlH0gMu!tma|kdC6&+;PwK>4Q-(4#BPI(NW>SvER?1%i}r#Lnt1ei&J?u-%mE(@
zC9}5go`hfQzWn_90g(XWktk7P4q`1?wLNR^#oK0AAQH9Sb-*V1=Ot89s^OQLI-StS
z<0mP+6Fkk`Rg<-hA&q#J|AKWl$d@{>ndtylnJ1H!ylY)%A2t9JCH8^&iM~9J@)1)5
zygiqqWLU%XIe2mi|F>TD52ZHX@r2tNCG_yVD>Ta9q}PXaB2a|)73v+2n8L0&5l%*8
zrpPA{you5%WtNIH#E>XkSjtp@1-Sv#FG(7gBvuoH`Jg9N?ZJ~NVB^oPA5gG;DlE)9
zSi(?ElSN6i58ojAsb6rRvgG|^{b}cdsVQpMYob!m-(4a(Cu6`se+-i9Ty$9`)d6vy
zs-tZa(Cj!kr9Xg;RRp1oalNgrwPaGWhq4d<9SDhY5W`HB7KaO*O8VEe@VWnculpw-
zLhj=o>=S_z+1oGTFTU90HI@^S53s%L_wj}=QzA4%!yz|?yel~@eQhXu8ju$IUNt9{
zw<b#2KGI8JLpbqX5(rA59ykR6h;0Dj{rvg?;L}R<_9~YZtC%30S>BR~Ac>@sX72n$
zP&5JR-15UVPZqYaz$^DjXl_(zsrQ$KK6dPQoJ}wtwRr+JSsw2v+unB%vIOzekiy@O
z4n!gG4@v`&H2L_o;o&JIe^+0)MFHkM36vQl2o6J=|F>WG4>rN>?P;?FAe$sqUKR~M
z1FloT9)QKDVo37WEkqb#J4ut*5F2jK%&2vS*sT|`rp-acCY~+SVxe&ik~*)uFifCv
z^+JVw_n1TK&#xa)CvQ&_F<D-LD!WaE4v<TH+_R~Qz&0edNj=mqMfFdlG$j^2W7fS5
z^>|D&(|~Wc<sL84YlsIo#@amy1pCx?P+JXe5&#XgXKH$J$qfZtS{q<vqVoQKRlwzD
z<Lo)HlL74VV0j^UB-H;GUinWP(`Z7if+3xh&a&DjH1jT4^|}!#o2XMg6K<2ImhaYa
zZ9B#ASbWvu3wI?tc(#5$EIDiUFW<HolWkNLEPIX*--+?Pj~4~D52T-8KcGMBrGBIk
zoL+)bTL&A)c!HfEt9q*Vw(oKp=cHnKI{2GdQ9P;y5d<PUCH7mZCmAj9<OYB}C$Xk2
z5nfoyl)i1O*{%W13cmsJ5_=w?S@CR{h1rJ^_UVbR0P=gw?buVL`toK(Nd1EFJa)YQ
zOE3Kgkik2@B+P=*#vE()p5a_vdfS=B-yd?E@4NS&lQ$$z0Jo?_fJTGb1AlFevhieq
z4*zRBs{+xBr>evas<n0O__$srgKh{a&jrBpS>@-~58&na0Fp6blgcBX0v2FFU%r%5
zcJF$5clNs!DmN^b+VTxQX)a<e;gn!P@xU@ZW3=a?(k#K7G{I8_)Bv}$7aZ95JOG9|
z7ir`+0uA}`HUc1PeL)zWZf$#N%99OAJ2g+SO<FszXHAzBL{_O?*Z<;c|EW0F3*2E<
zcw0&<N~pcgNJPQ*08ojRn+oL;J%ebEvi0zc`d#uY?~{6-RKml1dMZ1Qmk3nARo)iI
zuQSHFyk2XE`ps4n;X(FZjZ*vP*AFO|+hsAui-C0JS(rVU@7JLNmKvG5muL>O8z$xz
z0p1%JQz(ry-qA^gwwqw^2W-{1y_xs=afC5q7}ZIhi`dgLl|KbdI^^+Kz*3;`eTZ@7
zHImqF;L!+<YuzpyB0&aygXP~u0rR}u`}4^!8j(2vzxv{ThTT=Y<lQi0_7||oX1ycd
zWkaM_i^PQL1u8`#<=VmfJrD%L0*6Q<i+Z2jM&TBF656~~Bv0iLESb+R7ho-!;+%Jn
z7kJ%_$cKl3u7CT0gu^{;4B{n$n`n`!atLf*bliOoId@Jha8q&`7>HdrcKd36Hoq_0
z+ci_5y0xiw+EXz3pB~6WnF@2IPPlnaz1OA)q9@2cQN(28+vC*-u{pe84Qf9MhI4ox
zf8ogt=njkwh9j`^OJgKZ)Zjfec@U)izy9if_#vums#zOIv1MwvmzTi#1j%zh3-C%M
zES43QZVH0PX214@@vcvLzeA%^A8=DMju9#-5DK+Op2TsAQ&MSZX+PKNz~mLic(WbV
z<^B2f1KyYVl+Q1?1r=eyGd2rAiHXVKs81^7am*OBKr*MeCs(nm;I8>YR=IO~B?4%}
zDe}et!kMd;g&UG6>eqG(Iu8cX^+dvE=cTF0USWR(9NYYChwYs&al3g!Gv2TL?(MvX
zE1A;-4)p6`eBn1!rGP%4U%mXFXwwE>ne25lm|`KBjrSNO5h=F*xDNh&E{O9!qY%#u
zackJ)#h*}z5pm*&lvkjtzV;YD6rcDE1vt+6^}B}R&8c0@WXu<sNNpA8&#xcQJbk+^
z_MVG`VSCxN@;yWtmXIn3aMwxr?9;GyDS&h@Pu607-qXAw!0AXGl%96@T;MzV8Lr38
z+tVDc$+Ek$C~tWndz5YEDz$?TSHm&m1?HX}SWc4e3oOJW7b%f|7fG4z+J*@5Y-c@!
z9?%}}<Cm}hhXrbu?612-O_bO?LP^BlZ3yX>WR&+ubd%d9-{5;s1|v^A@d<ApH%&WQ
ziNln4c8O77kfgx2o=V?ftOorCy}4z4D+88zDs|x=Kfiv!Y&gb~Fm{T4Qhy|{>~1ez
zHUoTJj9#?AlQPN%%<1tvJB16q1eYJr>Z;eTuca?}-+PM8?_fj7c*MR%_90fYj)bLA
z2(&X=FcLFUc<om7w*l=Qs$Gf}051ry#96<V<nW=tO02?Dk7XU@Sqye2HLsn1`vHG0
zuqJ(N8Y9$`4uw)WV|Zlm<<9^r_aX$xn?b-Qkg@?`6dmPO@>UnIQ<N7<9esXIOpcNW
zbQnKywW+R5!zoqjV#>_WL0#ameC_M``Sk<J%o)J`vb_sb$LjV?tz=gu;MM%!qFr3O
zu@nHebO<9BVPqD7LhS8l+T3kjOEKb!DfR87Lh=TK=-nr%4hVdyy4YWb8}O!+@e8L+
zMx^@MM9BW!4MOz5tXmqB6aE>Q@QMl4Sk0JkYo7mklM(nog{s6;$X|cLp8_r>9a3BX
zdS5=`vY!NQo@N_uOz~-n5AjK$DnLxF*~VC~4*_IPJ33-66ocD-i%fRL06}M4lg<Nk
zpg=6%$?#Iy^?3(N!kUz^!q2ZC;JGc8IhD~Vlvv=rn*nSEd_Z=$>gwf!OKcHdGZ9}X
zUa<xbv3=0JPXkKf2>iexWD&_g+a5i6S!fFZFtG1g&WHeBA}hGEgfF@huRu8zXvdv+
zSpPLxTRawo3TQd@zHas;*{XV}4eyELY2J!b{PQKA0aN1tM|^}ux;K@L%-a`flS0PJ
zpi!xH8U+rC_ujlro)i$1lD)>XKvaROz@J=iK!O)*GroY`V8a|~c=20Vad7@q)<eNx
z#uM9HiB=J`>>UAxW4b@Tet=CItk-QUEw*3}Vz8h(tbBO7t)^gzLg4Nc2bIX@I%Dr3
zs`(u|cFgmK#8OCt><xdMtJi@g#0IAHn4@}<em6jpG`Wa&K)vVM$Yz!V{CKS%2#XKf
z-n&yE4J=r{Lwq2#21-^14_QJ3{0Wfy<+lF`rwj2v=rjJT`P4=|PG(31Y!WJE1JH?5
z$K#n7KOv3qAFHj-<awc8nPCv`@R#T}^VXf9KfXpkN+rq^V@<HP^t+(4CrFF}0=Gkq
zVCvLeF7H!+e*FM!;euCeqn~7!MZ8(|{J+kIP22A=U6Lz^Jx}jP0Ga%jjcsD!Jo=mf
z?2bPe3ExNtO2t^8ZQlge8P!Oa{5XJQKAvTUrxw!Z*Ih(NDYimUJ%eC*Y~?kHZT1gc
zz;4PTdLjE#B~3iH3adI_P3EHXPq?U;_9v|Wun+l@Fru%-&EGW&scJh6^*lgnuRjRv
z&j1vi2naq8;U_wgx2P-0;>jy^((22CfG8<ig3Tc-lubJ5K|pM;4z^YL_RxxQ7f?U!
znNC21_vhCS7+9hg$&~Bwr7$Yb;xTOeB4jlnW1kNmNF1a@H#d9d=)9XZp~<kC@Eoec
z=LhV1TzSVNiR{!6$wPVaHc5u6u6~0>)VOaXMi5a3Anh5{chuku=gE^2Bw-bRTYhR{
z9s@wy7K!m0k3*@=4d5S5s;W6D4j(5*_SXjgANVPM#`KD#;kw_g%lWQgU-vaE%jCr-
zc88d--uv<@7!Qe@QY<b|A8+j0wr!im+N<ergnz0cFY$qD{7417_wNXS0E<x(`#0}{
z)ur(B>j!jiiYTW5go)SmoFKMl-`8-S6c2Oqjslwi+IWAUDq&lD?amC9?(M}$ySF`m
z9t-ATGbQE6D%l1<K<7z~7r^m6fdd-86p4l43HUh8IbU`c^hjM?SlzY32B&_5qR-c~
z={zP$6Nq#ux5$vue$H?__I4O!5Y~yhq5Ow_%pb7WOEJT5m}Q6hg=2qNC!X_E+|x67
z5KHr3bPA&D30~+6mWYg$U+2xcfWj{y-_Cmt<SfQEEr8J2t5PZ`mXLGelPCom|I+J*
z6MlaE01$fl=E3UM9m>kF9vCKI0mBE>05Ax!z1xFkSN);Z#?CR&OA-4l>xOcNxip<0
zn|I>QKx;~;cL0gpvw6ZMiSotITfL0~+&&<2Y~5*~YYKG2faN0&d(ilJzXV>|&V=of
z+_@+8XWaol*3YZsC*-<KA;^mi&kjQU5B{7#fGrTSliWKCJS~uy=N#m2N>EY=1yup>
z@9Bid(+U-28+^Z4S~+T4K=PNE@p#7yIL5{RJD4@~z`~S0n4kb4>XIIbbhCLl#lNii
z?LWVM06tAxA}0poSlo{X#P7yZDj2M{nwy77k1f%cN|*l-NQ1TSW@j7OB@gG4pE3O5
zc76a(*f_C~fHv%fraZKxiQS_jDA-?P6YjMnAYi8ox+$GddJ4r*0qEe-U{33QN|#F|
zg0Vc+_R@IL6IQsEnB_ZWYpt7^S?!&U=i>c8{Db~n(s(66KLe<RkAkNtoUR8^j<>d{
zIg1$sz>xYfuqE#ky#b`KbZT&%*B?mi)^^U_qx<J&DdKn5<sHK7-OTi|e>Gd}z;K|^
z+^Bqie*J*ua<Im{&Z0&q!7Oa!65=RZh^5QvrWvT&SVA(`$(_Jgz2s|bU2gUY)kI2)
z_pF7n{p>Q1CyrDkjanWfv|Yc0u)Odz{8HYo`;D1<Y6*7F*HQfLHEE}WXjqC@#EGDr
zbHF1`BW+e&EgzDvJ==D2JUAhspE@A&W6ukAb*kz={*(TcvpitO@E!u>x}{UqRtG<(
zhtd33hqM45e3dsDBz;?hN3H;fPSBZr)5`{Ahm}CO)MS)e)ZbL}V2M0mq5)Z?VCQBf
zJa(DCY_p&a|M~R;?8_w=Zc)YYEF)6xV(?f)?|bzW^I?BBK6WUbgH#k0aacP*Gp%m7
z9_g#$m##rO)Db_?&NkxLs%FBcPKp|Sx~%MQyv6PS31f?1V&&-lw==qdGzM6Bo|6~<
zux*FN2(g7NIi#ILO1!KnId%_n55<)YK_D+S&zTC~M|lXy|64xl4+d-@V1EM<09ye?
z=kr`bv}rMB+r4h6@A%I3HtC<NpZOwUiTD3)$VYKJ3!z$crnphSQKsUC(et<a9_sge
zZrhz`OazRRTufC69JxQge!y&U0(4W7ZE%1NsVye?)K1D1JtzdD=yj~^7<d?X5l}_6
z<9qgK-uWgVvlWQb;)lB92Z#^@iw&k7)h>Vx*4>9%_k48`uUK=X93hq5uU&0ZuM+U5
z=b^Z?wIq(VJs&Fhb<8gCtHF*drApm{%geZtoStE;yxw+v@3B-1<$u#>{SgmP3fdI!
zF*DU!wUZk&Yu$?>TR6<mZ@7RFifQXs-f%yQWHb8VW$S$2{V|EWH9p?-+L?MNzJYMm
zvfJ_Z8ur`b^q$|tlrSaiNbTp>52&Qm@B(DKc|ISBK{>-|8P+7f1pYvfB|&9bBA$r1
z1~1#>RM;)>g9&>gI}o8`BwSr_?_NLr;@%5Uc<JgGc{j6=+XByt{8Dn~Gve8qJ$Tp}
zU|IHX#H#kWj@f!TV#R9t`4%U|$F=Wgvf+6GfgO0IHY4o6<o*|v(WYXN8smT4hy4kA
zFG2(vxq*KA_EOxV5g?v$7gXQdEnpBrQs*Vl%Wtq@HJ{{ME|>)Dw%1GTcO3@{{Isou
zuj6~m(Q8-BWpS3&^O$M>hDBtvoAK8VaB*!L2+!R7)J@;b_I}T6$Lq#h@q>y9C8>K@
z&RH@4*HOAdU2e}X@!BRBNpy&%&#ulb#OKEz{1rwnL~8rsp06_ibagQHKvu&c!Ai+`
zVTWNoPyTDy9%$R)L0)VEk+SXa?8rCl8$o-RFL*8j2*xIHvJoHxwv06VdXC|Hlf%>h
z#!vgxWgr4!49W#k$n;h(cjpUb(CEi|K<e_0ljXt=^qfLjLs%u35gs=a0G1+zd>o&-
z*5M_|7Gg=K$F?ER4q(2HNSUf9<esup!SwX}{Q3deyXVS}%<TzpX4xFYxmXO@ld#60
zEDE+(2(^wJl5{~bxNKi|O^o*N;cocGv%8hhnO@5_mg?tObpTCq2&ajju<@L0@-805
zodCA9w+9Twz7ZLL(KUM57@ayGNqXN(LHu<JQgMYuT4cAVzCJo44=P9!)Jg#I*LzvQ
z*#N-KK7IWE){px`#9Ta|biQr6y07j`Mg`shSnb`v=6dJ3-m&@em>p6Ci7cQ76`EHr
zWR?a*j7}&osyCaem*drj2x(U2_9{z@ji5syMjTF*5;1>%{eZlvLHP8;Uo~HqbVP0A
z=-IZ3=h?P8H>tHqy!;#fADfuI5w7+;Yh!I~Q`S@5*hn{>EeO`2<mw-s*r@`(dX&ct
z-PR_N>Ut|jYRv>`un~()P?QLWI7w)(<bn96jLnYi2$cf`{Md<(Za!m{0gmbMCBL>-
zDGB)5FdoOoXR{NpdacbC{crxfKZ|m1cCR5p#hxaF?%{Te9tLGushqA_9`B{{&4DEn
zaf-vM@7IgJ{Tz&OTGyZYVkQP;>X4rHyQt~xyuwYT&j`oqoCG@R(orq2@XxOw(0T$P
zS<zAN+0*Y_Ny((r)`5+V<nkmlAn_FQX9>4tCN`6YLlNzW@J_Gp1LUr8&BAj@i<K(k
z-XC7!P`czt=pDT)s+A1+MN)p}<G_Pd8ZVK1I>oSqJRg*w_~)sCd|?sZQ;N<MIB7e+
zE6J#Xj#FOwFZeOp!+?p=dAalvjS>FH_W!#-@Xu=<PnH461Z>f+v~{h_#dI+k5ZY5>
zaj10J!mkw$zA+tY{d?`QAsShU$#j9uUpt$DVs2=)35|Njm_FrB0^br1@9`XstUCA4
zuOHyFT%(Ex<pOz~2$?!5*)=yTXdP=7owgD?qbHQ0vi#UM_ImKiPe(uwb=uUxVts4w
zM1Jqs2sORE;*;dCz3&59UO2ejF*a;mpgW-3{;TG(`5Uc>0cf&24XWtsS&sxMn)%0k
zBn#7;F6Nbu<CJf_<x&7*`i4E?2|0#RkRNZehW4NEiGMz71PTLc_Ba}bGdz69l1+gg
zp=Xd#s}$Th1n{hHewyt$<Gg(mZc4bFqW5G+cOCb5Zl^d;&XR@^UXA;s^rDzK!3J!w
z%83GAN|2vlKj0?A2L)*!tOU`JZ+`5jpVFRv{6X>|c{pDrJ$y;2FFCzR9dYjU1p7Lq
zJ^0u}-MKt?1BUl%Ok`!B^i%CQ%$ZsoxKFtZ4(OGa%;avppFbf5mrk?@gv?APU4492
zm=tcjkB7?X#j8owx5Pwk)?$$f#LLD*oPMbh4u8T=Tc<S}GpqL`C4~Q!kNjiY-I>?H
zyr}s>FdIaOArp|ia$g=4UCiOlM3Im%O8e-5y1I$uqFCi5sU&F`N3Sm>CN4yQXfxm|
zca6nO2iaVkL_K%rO`ENqx!j*$KOo8gM^FT-*ppMKf8)yY>6KiL73JNZ$Eh$%b(fJ0
z+Ptfbb0sP`$;?3J$E!Qa`{g*EmxRF8C^;01@KR3yEIW>)cF-2?MzGF+>PwvZsymAl
zXD~0p7x&}m!OqUO#n;JD{58t?+DP+_<nU-5@09|vJ=9$l@4|jSc$IYg&TV7u0hc8Y
z1bU~+`_K8zKUn0NudG{aL6Ug|Eb|Qqr|Nuglr7Y0{pL~hBsiwG*=0{S8&a15EqT{R
z`XZ1qnFCjt`MjQxft@9U8eZLzZfrs3Iibr2Dm*0C|NQy^xB{z1#LONR5Ru7W;H=}k
ztjtrLbPIldtM}HGjNEO+1(eU=6?ZD%0BE<H(>dwO2ggUMj*<KAP6hGg6#CE8faz)4
zS$i(AIC*?4?-wo)nqJbTc+oFasXf+q8#akHnvJNDobLDydr-v?yML4At=9B8m@IHs
zp6gzs_YxP0OA^4pyx{u~|I<G7&oR<G#6jor&+Blw42egBnjzWRC@<dO{~m{IDc*QB
zLKg}A{Q%~D+@=9SUZQ}5T~cOm@Ss0~6)w+#UaDK7tZY@o0Tr*NDZbXv?;ij{0ujsa
z6w-Okb7uhGDk(8sBa2t`kJF#GRQx#vO8ymEWAQ56_)Q{$-PZu7dwU%S^qUWq*MRC9
zBxUo}e1E9)od&0r9`cM)1OoSa$&`6>bpkUntVa?FO9v!QEf7?w+9eu2qe|FGD)h{k
ztvQ)0O%f`KHo|l~_G`@KJZs#;e$a3QbT4^R=X1#TKkrljytW8V>Y;SC6w(_e_<kpe
z&YyPMY7;=?HGlHukI4V<5j@_9)I!qX{iMj`F<F)cDLTTI4#62W*&~3k)L;Y5^|Ij<
z&x?P}YCh-Z*AD<*NZ|DHnszNkSvLUDq433(DvdDt6v?mG+f7i5ja{}&9>TFqHDqyz
z?BYj9B6}-YLGog0t>hK~FcxR?K@&eAny<z4Z)ZQA?R}p-i{$iX;Wc6^;=R^NdIW}#
zhsHcHNZ(tu?l>tCL5JSBJkc30$Hv5h*YilKja;bh*t2l2qZDUXd_+&)|EVAQ=cV?M
z&M(M)^mv_I7N!tt)@a+tJ1Avq#-s=?UI#nC4^SaM+IiIM=fp^xa~E-aJvCyNk0Xj_
z#Za4ryQ}B%7~P83jRpIv<k>~l_}d3i&F$IdSj1Wa;G~v2hrO%YzUC1L)iOJi^}#1>
zNAcYH#dU)R1cx|I+LfxB&rEVJO)n%T|7;}j-HFToAV;mjdVX;7XAGSDK9$O`4wkHW
z<jaz>e$Qi*YWL89lEjI+M<U>-x@F^9H?Y{U!m;@*bHv<pmO2QB!y`L&OY+t**#Y~=
zY=o;esu#&ZTZsS3pZllEMfE;M>SCGTdIexTk&ySK>J-G7e0YEL)ZmQFD<czCE$ia+
zNdb*!>ZC%wu=c(-mQlPsQng{we8%v&n`+!)&Lu&gA5T3wK}Z{{@!JP@H*e__DWgMw
zy|g3bIsbG$q;tfYn)=EpT;<0|9uy{d#sCYU00bx5ii9ph@9rbu^iPOh5rlQD(`H&S
zj#w`8`9IEFEt~p1zp=5W00@Dby*z-g;dq;z<yka}qfd}^ZW#xaxv5-1Ung9A*sVA=
zd5Oi~wsnCL!-OffmE_2F?KF8w57AxTE4#qo|MU<3L*Waq-m;HT+a6Khn*U6Z1`=vc
zCrOGlDYOQl&{@y9WL~j*axEL*%0uD4<i_D`&nEdaKzNhTKvpZ_&H+?=qVAyeYf-)l
z)kAMOKfiu}O%x5!y)vZ?%G+k+oO#*|>;N)rgyUde<jhs_9*&Yr>(e^E?{H6(g{zhE
zojwQI=j;^S9@9`MzK0^h<{mt_v^0JILF*f6^E$W6fIF+SWp69e1K05m_S@skDhCG}
zEg>s~Bry>e5Wik|2_Dw+KEqj~>*!C#B62&@@;Bm<u$*5<jUFT=piE0VM>gUA{7?R4
z*&v}sz>OO~u|<GEr#jzu!Myg>3UF`4Vla7t&$Y8qie~4U<e@NPd0Yo}1UtO*o96~x
z7Ql1KWNnIL!Xs%o0+T)c$1l2kSv5XCzkWdXdQLKNEDk6qxdETJK!Ln^xApzGnTYA|
zKlRYaHptqrOl}|=IIuzz2ez@B%|LnN9R{~`$+pC5d41PS0F59w0omb)zv7R`IJ0aA
zUhFr#-DVVNa!%N6p`72isV!#&N2-8&z<+~%BGoVZAFGj^s7(0A+=7gf;~1*$owXDh
z8)|jW`4!}UY-XnD-E;mg`RG3~H4)f&5qnWdaa27-M6acyW4o!mlCVkQYa6RgZ-OtC
z4&J291|RoSpj^R<iLew~c1#W@SiX5m`zpbnytE^w_RJ;u+Sl-WvDKenKVVj%ED;q?
zwP8?7)*y8(h~F8a)0}W36(>auh|qI)uYFC|I2*M^qdxJhC(K-;qf4!WFAi}V1SuVl
zmzw1g^=*Q5-e|7ylb#Jo33-3>P+l=QLla-Bo9F4W?URv)WVmV8`m(>%@?2?@0T@W2
zFH&y0vR`&5c)*@<*wcEWQ{d}j4CyU$`VTN0m8y*t!MTxm!uT)x>_2&ck*Sk6(01BJ
z17OV(;qIxs+i?U)+0s3wT28(`pM2LtA`vJs;5c^X%~?7SKG8T5@q$$HO<?Ll8^+B7
z?!oVQYw_w8C!*#qUZVZ>0ho6x;~xs&kf_p05V*thI=3Fkt?yQ<NEl}-QvyXU;WfT6
zAO#yaxRW)uWXM%X7YWhiZrJh;dEjta$xS%3HB>o_24wx&&!zH^r%rYfJc#|e)WnX;
zVo8*0M^?<tjz{2y3NW}a)vF1ict%pa$OP~Wi4emk(G&*^@oU8dC`w*MT;!_uUjCfm
zm35Z5#^UwA?8E<%n^vX%&xX_gaefGn%H0`l+y02LCg%|6i-CjITX?U^6sE<d;0Uo*
z_LeBq7!R!qkAS$ktkP!^GKNu0g(8K4DE4G8tus3^6@PyHfX7p(P-gg=h}P<n4BI6#
zkTtUs81WU}JMjUfI-lN;cwaS@hp2@c-bdz$>Lr7BQ-j@`)Z~%?1H7d;AF`5dO0E}k
zo?`<tcKUf94;ki=;*vshuBM<weJEB|FpPXUQc_dmx0}~>FIaxjUv>x~Unvc{1L{d;
z+w6&4cc|YM2g+YcW=bN;3x0xFyYI67wm)T#s^G$Z*{A=ZP<{v4V9L4hM3&;(MnF2;
zo*7reX$!M?!vH*c-?aIUGVe!6c_?Bdn+swF=gZ3F(V@40gB4kJBC5XOlzhY}h<pj}
zFuyxuR^l6fe*J**xz1#nNwEO)kK&tp!SavLT?k)?%+`+_JvmpqQ`UFxEaQ}fH<G%3
zy>AYtR5J%Pj+WU!>W3lEmB*ERx(h*G-8b3YT7JAC*p?g^O_L8vc0f6!DDuDsHcNSe
zK@lx5yw8=>@=O&4*hxEA9Vnur@pNGJcS_3hq^6`#B+pd&<!o?%;%ie*^15YDN&%@@
z!~0+Q@qeh4Y^19)1_NPkbL3$+GPX@4B{=MSs}o;Y_RN3&h3CIytc(N1*M1@*9y{M0
zjigTdSox?Q@dd(yT>MFyo5at~k1bb*A95#!-t+VO2Pk2)6gg=xb*4Hg-?$Nhy=B=*
z`EiOHBWfUdJNW$+Z?e3rqyC*9UQVy-gNM{b?%sZF)UmT_Ti#3L71kqs?Z+<mDRpIX
zUO;a7V>eeQThmbhYDk5%sBx%9-+5)A2Og}zFL$gU+(}T-z7)x!__#BTE2~>H0L2Qz
zi~X?)Le}-C@OI?qb0smtl_{BJxSpN8ztgTgme9|5PW*0(ql~ICdm$K~`rVaPCo1Jk
zir4#PrM0X-)2{iuNzL!t{1c3`ZeBrl>xa<fG+qFFxji<wOzG!<F2e&OOq_-2!9FKP
zoY|fFJf#A(r4xC!Ko5%}o{lTEfE}cb60LfnHKkQ54s`G~#0k|vKqvMwtK&65OyttY
zm&@V?&VPwreD!_aC6Oy3kb1OBjknl9wd#haKOLv=4()Z06sJ4N*rd(30^X(2<Y`u1
zw%R&WAt4uaB8j0Y(ZOE>FDJ#Bw6Q}}P;9|1l3<3^LD+fnhaKceot%GwDiZG2yC;!e
zB{}DZJxH+x=Am+AD--eBJPi=G*SD;xLLFu+S1l&DKF<68HP2(4R94~)8O5gzPI*fc
zB8BUk@>!EnfGw;9h~%&N|26;rI`jWi%RZtC&u32O#i_6e-=UEFo~&kFP-TGfuiWem
zK;`?v10Jt{a-NsWM-erikAiF3B`YE1M~FhwA``{pwbyj=TfsD-=gP}rvLHdh&#xa4
zlQ$!hi%}8rZ%fs@d9}ko$K;!oye<#8l1~b5#gV<6%-bfWU0C^I+sD{n|7)k@@~BAd
zA+KG&Bg#8uUzV_n+{Lc0ZXY$EDL3%jw516L0ZQ<a_@<sLwG$ZDS>%H|%IWi3GF*jD
z^EkW-kF4)U`J^xk?+rpE;fHF?uxgpT+6DH0BfKEQ;=R{x-qQTjp--9hHamYXX<44y
zRLe~=OKhju*Ye;Pz>NHnc41}!1%73g<T{l{Tszf_Tht0qRfTK<HY8b2@<crjsPLDq
z)mB)C(!Ho2Cx=JrtJI4sg`2Xof8DIFeBp<f>G-j?x85O43VGXOsF7v#dm7bipmbB{
zD^c%vM`l2lH5HE%ha&=VGg7))`8^*&$!fBRwZ+GJ^k$KVv4pKeB)ItfSo&n(=_>J2
zK7Z>k9eq!RWW0!K9oTLe+HB`@4_{)1#27KW%0hlDt+H%8W&J7WdgT3%@<?T+(4PHy
zA<ryrlb7x3{o$WVTTf-TSj9<YIIfG9p0CkrU|)Routg_J>eDFf9cZV@P=8f=sezjr
z-1uYu^EAY-5VG@%c18pna>gf3_wvWz070-lfS)0S{B?l84)9;;0Dpp`iY@U!&c4bg
z*&G^uZgu1_J2f}>_ig1VqsW#thJ>4CJ?{G(C4N%wYkoXfvaz2Q`SbW(`6EX>{SEu0
z9VZXvV=nw|3A~S>9Qyh7160pb-pAfpmH#OAC}TYDbSipK!SEjrNNn2dV_D`GfwyM3
ztO#zzj+W)s;tc!q>4`;wE*uJzqMzSQ&iz`5Py6`6z(ka2)O93&R#;A0N-`eprMv|#
zap2%sYrcS*<<Jq>%;mxWieV+3;O0kl*!V%#J;sCuNL&bFUF{_B6`<|JNG310m-bll
z-uK{Tm)r}Il&dx?M&aRqIZ7^lG%(WcOyJR~&9OWOeh(lqS`6<O1lJoVL4DWxyed)P
zm);pge&JKV%y<^)F-;aW%IEz&-J9Vfc8OP<R>Q4DLTc>pp(gZx`ciH8WMGpI2jAFV
zvkJzFecBMly7%r8-|V;=NH|mKO9QhEZv-1KX{)lzHb>fm3|2+ulsTL9c8=&uz4L;p
z5=)%>mV;<Deu46$vi8L{^GU2#s9-&fJ@KC?{ei33kl12Sf(E3>&%4+s%<$sO@r2bJ
z1)Ke!QNL8$QnSpv`d4C(T9hPk6kqkRPngJdy!=j;o1|lHATK$x)C-RG+OP(}TG}CA
zz)@<SYpDqQI&+`ocJ#avEQskAhrM&Oh+$Qgo{~kvBPC4dVn>@t25oIWfXc3RgPK!+
zUEr?^{Fl1GAD56SOm+hs<2pYfA0yQP1~NzJmEE7`b-=dQVKv}wf<h`Q?p$nYW^Gm1
zc^o7p8++*8XK}jnyFxmoFEVq^bH_~0B!id-t?J~SpI<*<z2*Imw)hJv6=bQBw1}L^
zvh4SDV6$Vs@BMo6U27@#j|GmSxKat&)@>0SY^|6)BT0B_xlJUX41R3QXS>3uLxh>V
zHOQBZ>sG7t7lcvYU8b}!HPunTb+zY|q{g8BCGW8fYh#)JFo37w<l*vSq`Z2^Q`B3%
zM?IuB`$0=0Qm=9_q3h5wMynK}boDxF=4102kNhN`G-p&Xrz)rAoeds6!YA<VrO-~7
zeRKpMeVo(85-_P=I2^&|o21Qui^{Qtz<BEFQeHkA)M%i=5im$K_HuJNTiN6Tib+JA
zsNU|UaMe^2pN^1^Cd?qF3<0syJzp<djl$VEqoN7~LXgb$5Z2+z%hSBGS&|dWf3dt}
zlXyv`z-jY|ipyZ`>H+xy?OVRuuel@f`O{``IPg(#E(?R&`iJX$cj8HqYV9ei4!``k
z)1fR7MvQ;HA7ig}j`aZK-&yij$RQ2DUoVOy$tiiZjG=4!jfC5`Q-0K+y{P&<pJD$y
zL9lm;oyJpS%iCT`4B2z>(k(Y&yT@Yz1wJqm)zV~2DZaDDtG?;00Q->YxAFQ4FUt<~
zT?6kUtps_=CKG-;G3&1r{B?r=awqsh@n%!OyQ>2-m}xq4Cs2{rOb8D$!R8Ze_DaVa
z6{Vr%EpmZ?2w<!@y&8HQ;>9lx@xD9*07I>5yHBLRqec$7t6G>|Dl$2_=3#%!{`vI-
zB<qu3E&L<X9&LLk5n-X2tlV<f=QvrePAj$TBgLRIOZeXfF5#^*QaHDU^_J>9+kR8g
zEn<_&+8ZmD14yaD53bO%ENF}D`bfnvqKw~Nu2>8J&$FM3ZLmMk>3D!0&wD&y1sut{
zcpcXPaBNAhK{Ql^*n=G(gcM$Y1g^etb*PH8irFqfo{hju%$mw6;y^NLSKw^kDZMKZ
zqkbG_ReF_9fY?%109Rk<LdKI{&`ICKk#mR(Sxya4LIEfLqtW<bJz2tNZ{fVE7<B4&
zc7vjEZ=U5ur8xKQI%MrAo<C>FaFYX3(GIWaYR7L_LQ2O=u`G2)V|%Y!Qk2Hd>TVSf
zF4e7VaUSXO+^AR^unI&ACeOohqT(#z!70Fe=d1S*pYTzJv~dVql+1RdE^tWdPXXE$
z>HLnJARxhwcgmu6zp+4q0%)ZsZ=Lb^rG!19(t*XP%x)*3>|KST4__nN{s)YO%ZF%I
zdxZ+H{#XU6B8dF;2awrp89Yi6J8YuJb?nI#8a%4z^xAlF3why__Oj`F+bc=1Q#!R0
z0JA5^V8R{j?_{wrhUC;4mB0oVNBfxhN-#DtIoLc%B;U3a{dI%CZtySQ27fRzX@%_(
zZzaAHj3aA|GvG3P)}f&1pnOo!oTz@WQBoBp3+A%2)DNmcFKKoZ&F+T}tk1MJdr5jE
zY25o@s;}aQ)?x|EQtVTH!0_|y2Y7o&Eor+|h_YMb9esX`qD4W;q-<YK4;XBcW_PxW
z^F$KzNRn#<e*i4SHkU^dgGK4eda44&GWlBNQQO0j3e}Q7*4cu&C@e3nW`EZ!^W&|G
zTZ58v&$&-9N?Q_F0}6-_&C!$O;Bb}PwaH0ddC9_;K3R?WYGa`%tDT@DEgI3K7UGG`
z%nQ%-csQobXXEv$CnvJckwU9_zztUDc?fkKgvABFE6k^#LNw{B4n@1XS*;-dmWt~h
zH^_`wb{Oj$SodsG?o<MwS}D;$CN1r36870ThCiKMz)(wMoxT?Si<N8KtXx%3I(!ms
zUnh#9_6an0fyM)H9jaqB)Xpp<&~|#rLS=7>93Ly;`yoHiPV^Fm^%|Q3@C&Mbu%|@h
z4KQcZ@@q-1Qk+CLr>Zp@4m-RXIC6QNx9rBm#zv@$OA^>ZluPVL5!#$)FESQLBI;rA
z1BhZhr@C2jdRUPhQNLh1kK(~>`i(D-&-1(3UU2qv>TEv;V7K0yE~qZs>pgO%ekL&D
zMZh@f1X*V*#uDX@7JV<9pgOCzy+L^>Y~&0`-eeM#Q|YqX#QPnY9qDMnloB#NTgh~_
zU531dQ%SbJj_}tJ{v{mYPq1|X!>*y6oE?1shhgHyKZayJ!`3Z(r{CT*+WAslJ<4?}
z8KIseNQ76x9L%Os##b8_9>=w*;|8T$8hH+C$3#6+91-Ic&EqH6pI<+KLY!j7JHP#L
zt;#S!My^}op_#YN<iI#N5yMno3KRQ;VOOULN@T`&KHIAPS%<~dYUKm4^WkJCRw+)W
zW~&?rXvO|Mdjg&f00b=_^+HboUA<J>c0&M0H^23LYknLIq4qr#<M_YLB&szk5ka*|
z8cld{zzHccon_F&sMh&>!OrXDD#!xgUkPm4nltovOYi|NXtvACqTp_Q0h`{fjUyp0
zHMjS0?2*KLL?N}F0cH&lrp}uenCn%ciFH4`dTI_wM*p?k|5XN>$GgKv9{%#RMn?&M
zY|~(!`jRG7VRt3-Vv>|x-QwaS%PSwbC$UeqadCPl9Hl8bcY+Zy>MF_Jk_?GWf0YUc
z_#VD|7tHmsJINN=*GpsD2D?P<@kmdG56c|}a<uzi`pM<w>0q@z^}j)`A#f;`8nhXJ
zaROUYSpzXo_|TGSN#SXPPkcNngxl@$Rhb32ri3tMy^3>*7yATk`3?O#f%qyGp$HAJ
zZU|=OW3!R`2XqKfzgzj|rqs&dMG2uG(vNi^--~O;B4Kvop#(cG5<*m@a8Q*K!Boi2
zcc@WFEOt~<%`jqN2OP5BL9QLg6Zy3)9dRPB_nfO<<X>0#>k9uOuJ9)*aLfxS(}6V?
zAQP3|Nsk@FB%4NQ3AkG4k>;j9PgVL2&zUy8?~}^clclJseU8qcb`?Gz$4JSG%I!SO
zAxMcas!5H%8INk3CxrU*>j&7mVIQHYKaxjbK<!>Ll?U2-&`^`o77_V*0BAs$zq0gf
zwv~)P!3B(>hGaYNBE`$Ey(bi{joKJ1j-~V<XTkLtQn0D};}R$2qt2@X01`XsBmtPY
zoqeLj?%N653)a}rb(H-ZKl}9B62L@H`I_yr2caq$Wqz?6KWtSLK7ndqymUJ#*_CFe
zKEAs|Pb!=UpU1jcrw&193xG7gj19+vKX^6qAii^q<o#~+PVFozUMvb<+A|+M(QZRA
zRTQ7qQ9BiXpzxQa8U&o!k0vu$qGrw$kctC2=cg>klOp)<dcC<7br0S>f3pvSJKirw
zIrM=9z%Azl@l|Ecg7bUH&c~*Zt38inw#JShtgp+t$<}VZXMpKy>mz|D*y|`cytOQz
zGE#I-*(O@)VF^JmnDKcCB+9jT0)7cp1k8tB=bt~1wxtkBE&G$!OQ9E)67TBZB>XT=
zxg#q0Y~|vR7U;Nx&6{!-4)X>-pMaM;(XB=B_UFBiDkOt{@B>C#(iQK$6vf7-S9j)v
zkhIm+JYNY;*pMXod_{`FeqGH}PeYbelKH!gS0P2Mc#9xqkz4c+h9af-!L@CLXlq&`
zSMdRDpHTif!(V6kmvM$a@^iBgWV~DYClM!4yqt8064rUwC9$|FC1exD`v6_d-VZeb
zDf*vwMsO|5c?Q+DL&wLidrGdgiv@bMhJF*N-nl3Ts+A(K&+Lq!Uq1jOMh3dd^12^k
zV9Lj~wx-}kvGmQNDC~Q(9ra3|VsFAuRDG%kHn2)aRLyLAS9H<Twmk|hi!Fcpd#k<w
z-yIzP2Y+&^_~IQ4=&2IQBcc?BJV)v+k1QnNh@;)F0CqEyG8$hu_wFYbo&jL0imHcK
z>R5h*EYB>29jE!qQsvDUj{b4KyfRi!Ti-y7{k%NfG3udW(;m`Dcf}KIjSun?`R#Fl
zb#P=*CSeb7Br`qeZ^Z6|A-2^OSvt}q<1@TdqS^*(Z+qYgTNM6N<+gL8@*LmX#ORqi
z8&v2>wRZuTha9<5aY|{l?N2`*=41I_IyFxzh#l>1Pf}|#^M*Gbi&EAiN@b=Rr-&J7
zQ^in(xI|<I0>+WYp0>II%@buaUZhUQy@#bc{z}Z#9;%||qU6*{vuLq$d&^a=h~D$`
znD_Hdvr5%xtJC#DVmf(?hey2nM%lftMMtQD;qaXhTyUIU|I`HHYS^M9pv0!*lv%(;
zumKivzCV3+<%hj#ZOuMQX>>9LK?Vb^p!&i5#yY>2u;r~c$h9;TjH2LKirJ0Jea9>D
zIkRsfYyr)&TwgECmCMQYSLwd4i41c%3iHX$`qv%)y2HPYJN#j3vn=_nM(xxr!^^ny
zvh&pNZ0nWYSV^6x4(tVT>?bNIZcPPlkO7TcTZ5exuNyWLi&W=+l7UEX_K#=&Gl_cM
z)ksiUCq)TAbIQ-JAK-!E+YSI}?C{a>@@1eKAOQuAeAwm9)cE+YdxFjRZ^`2Q#;h_c
zt4{SvLN4<SD~9_u>AZN<1l$2Ij{Oau&3eQd5+$$tvJ{6s4T(Em3V#grd8;D?Ak)|0
z8TKkKr5O2DAOODUrY0}cp@x-=-qF<1HO66!AhzArcz?fd?Oi@+{*#?}t9!-{;KD6M
zb2jO{vO-Nqy9Bz)&dll-)$0Vd=f;h126F)<wg`95j45xT#fc>o+o(j_;A0yeL1Da_
zT0#|M5u{$W3ACw6LzO#7`(t{Omu#oRdgpN_$g`akz}GETFF@^FQt<5Ap{jpwf4Y*J
zz)ZU-?N0$|37bI_r^-))*YcvoTs&QUtVpyP8;CusW90XhG>NKw6GtQH!ZyxGh+-=i
zub+lj%2@Ut^DT7%d;#5gw(S)j5pp^&L7aTlZUrM_Iuh>y$#W*8%PjFuhl#<7LfaHx
zwG@WRO}NHOWS3~`6Ur0_6Q*DAcuW1B8AFL`drPUGam2<~uAkSt3IJXNCzt9SCf>XY
z&ZmC$BI6KA`LD7)ow+5kUHp~z)EZ1w3InH{%GAgNX&oTH4*1)9)zxin4T(rbk>O=4
zvGd5b)>W4e;jcsdb%=i{hxn5m1@TPIL8{ZT%`N4Tv<7rywGvfae9l`aBIJaSZ;0K_
zEp&>0;DvH-t6Uk*<Y#6xrO2#-<!f6(8*+jQ8v~OYN_sqt(lcTx)NS?W*AM6*houp{
z@%2h?ERiA=&Q=DF5?U7c<xw#SA0Myj0Z0y0HpT3t0*Cq#iJG={Fca`9tJf&EmCWa)
zeYLh^q#&n;DRWWh&wzdax8PGECFG-Cj^_oQcN1MwU+TVQq2{ZLc#a!)lLUdnk+@>k
zly%>2R<Lr*ah;>0NaNG9d2FZvmH<88W^dusDKzEMczH+aJ_*C0dex{+o**0mlLDbj
zou1&?1h1(IFYex{$Zzekk^)y>$F$h)DrW=>d~M7LKvGOCZrLJ8?5~4yb|T)-v)=`N
znXId9HjY;~6MZiG<RCyBD)mg6!t-$g%X4kz*VM;exM@+3KEzMn6VMW#B{jo{abjl<
zvyHR)41SmDr=Ay_?3n>UNs*{3%b5}FY_;zBH7dX;Nbxq6H#KZ!=z+^(>Bj@)oxT7A
zs{F<v_}5pK#iyy=>@%ce^mVbg6YZ!!NnXj@=l0_KRn;OXgrGzrz%WXl)V&2*mk9kx
z>z<N&l2;e4#PB@k4}bM4%w9Z1_9!{0^n5Jm#Iwk*5~~)K#K90FS?Aas>4ho9$&$Yb
zJF|ajNE^zhWwi<^P$us|5koi}>Ynu8#sDI!D6zh2I54F>V}D)ZuS@)kxx}AFlqXxb
z%NUSczx<ashbV*l`!#-FHAmEnG>6A1g|pX@rTVj8P3?Cac_+5>C!6|I{YfW?sCec~
zpUBW7nNv?M3k(1l>*Hk|L-NvJK7jv>CpOg#9yzYkT~(^1W(Ocue@nKyNF#Aqlvorf
zAXojE12@N`+SBANPQ{wHfHqphQ?WJW%2;V3)a%$RMo`zs1FOo-o!h1eoHy{-(mUco
z8$YWXgHtUSWTrl`;p3b~){T|bwZqymh=ltF0tzO6ZXd^sTFmgd9=H=<2uBoe;7!v!
z4*{DEs^&<Z1%@2O8>3qFY1~u%BC1d^ba9+amUU`=DcOQVVb18W>Dv)F;Bm*1fM$u(
zo_Oal7`DM;^Dp@LS2jhS)t%Dy1|f!}AgnDlpcFe!z7bvrX^ET^)Z4@NAXyn<KvoIB
z__=uBbrkT<;+aW$a|$0PrsX{TF&>pwaG(9Gh^rmGSW>?IIvyCFF!4||`Qpcz<`6n1
z`{Yd&3XBpgs<TQ2d;pxmxRB2IAf7DGcRE2bF&wa?N-1i!p3Q!y>Dg;8@`8GwH~0~C
zRpjy@ip#V}P<>v@3u29dgNi=b3F_y|DG!v)TLMV_B&pI($wExd>uD{{AKvkj1s>a^
z>Zc)@yQ&+`3fdMnr(u5iTb+YG4mNmC;;l+tT|VlBy@0?jV3r~y_mU*DYykJ+-6$?G
z2}03!RV)`@Ck#&M+7_YzuT%VWihnt$_)`Hk)PO-61c1chlSiFReoBReol*K|7pSJ>
zX`j@Yk9S$~QZBP@m@;ppCS{HwtdIX?u{FyPtY|Y|DoPPbl?TjWZEPy3ttxoQpZ)y)
z0k+xorBFIZZb?ZWqP=zxAn$Bd>O7B)2h{L-5m!G;SV=W0RTpeH*;L^@f~>kTN7S_7
zkt<ieZ3n|zUtZQ*zCGl-o$r#E3C{+-@-WB9I{)yAUb{8>^L*<Lz5?|$`^NEI#}=rz
z<%XnG;~!4S^!FPKp56Px{o;kJ{%&k`#J_+NpU`jF9?aWON)Q3W*eV1DQQ^y}SHAp>
zIG5+GA$o)_Rq}P#o45hwy(}p}HrM;~K_y+^pvK(mEUj|vmXj3RNAl1#9kN!DGCC#J
z*lKmhR}9h-o{?T<-|zHy?GKf*W~GnsLJ!Mqk34$`b0!Y0r%I-OMbF8OMO%Disnbb;
zeAC8%EKnY#Lx_xCE89fHdjZMbH)zx9<2fCClI@04Zw&dL30PH0f|5sZc&=me!y8E3
zpZuIH2S=+iq=xkn167((m4GGO5%dI3+kiO_qeqwcL^<#<(<@KjSW)<R0@m4+ng%xY
z%doGO_*vbF2ak8~{7&V8wXyx!*>isKk<Q6M<6*sW6vX!Ed=MI0v=pvW3wi%TZ&jl<
z)%DZ6!0TZdE(w3_>*2fv=pggsE*J#?)5+?q!ZuY-JXea+{ywV7PwCtp9{=kWf8F9=
z&n^Dg>Acc|oyll(Y$<SbXJjdiM~_~eDHVZfbpP`s8=Z5hbry_n^MCoe=ToI)<4O`0
zNICa7bJ{ogELx<;Om+XI;I%JUr50<{@%;Sy0bZ(QdFaX*)LWq`^7dAsUbIh#S{}4!
z0|=EL7%cg__M~2;h;+VyLY_+XN+h`Xvv5h^w|Zh>Gip-V^48<3dVDMW_3S40?=~!d
zT|>4eKDi|+YFeA|Yw45eho5nN?RssPEWGQKM~Md?p-NVcM|Slac};99B@aH*>$$gr
z)@Ky3iPH5q9-J)fR7+GrY85B3q|$aS*#n6*09K&gXM3Y4!7O<^KS}Biel>9dZ0NK!
z8%byaqP>b6ncrW#NMix=-GgyqAri$ZtnAd9JR{_IEcJ2pi#U`N|4LxTNVHLUcKfFo
zlD(PXj$|uk9ujYS(x+XDCe;uril?LGiQUKsF3Bkrs{(j}A>PMUD6khFTJ8{izD*KR
zHM)xm%6;`6t~&)JlBc(b(4MAdC6$0=ze!2n2;_S_^ij=yedHo+E^dOw5Xg42++WY5
zuwvfw)l;(XN>rLl5eWj1L(OgQ|1gLr$mETawWW}KUiqULTvXoi>pW^Y6=A8V`!nkx
zI{h@oz`M+jU{vC2akgI4;o;q{*P;oBUyc-e{-Hhy@O*;2mq#1m>YG8+Wlag0_<j7%
zRe7U6%EYB~RUb4#fSWNhHL2hI+E+XUZhsx)uVeg6I>sN?tbU_Pq~~5QDa%e~{#$K}
z{Tnt-V^h?FZ#keL{&zYg*?%NWsJE29R{m)!S5@tw8;TrA>?Y|^uTd^G?Aw7}t91}W
zNu*9z4jcXX^#hudRU1<UxJ4H0V|>^c`9ChZB_`h%szbHhpib=u$s{>tDQn|V<r&O~
zO*}8@RD1Bu7$DLv5UU<Ng4I#qO0C%t4lqTg!W=U`tB@mJp%1Yi)N1je>Q%kaJ7ExN
z0*kV%SGxNihx4vO9U-7=UMuE&Fa|z!k=i54-jmJbG%%2MkHN-D`Gm9MI^%fiLGGRE
z*;o1C9<qPh_n(P~ZF!&hC(%|^up{8(AGyJYZ+RSjARMSJ(6;m*kJaK_8^GqQZOQ{w
z23T<zn@YOxZapt5eQ-ry4S!g`p+~Ka0F1W*hCjR>TTlwu#Cqeko-?<OBhQ>_FP%T2
z-e<M2^R4=N!r{9E9=w3ee9G~aZwyd=z>m^ov4~)J{)2oL*_dVnkrn&%9wJchyMS#k
z@h-~Q(KYX#)pnQDM7fxIq|nNb2SG|AAHKrt_p@+5uTK<XdoOk#o9c2vnxoF#%hF;H
zR0F|AW#P1S|G}IdFOA6*St9xwl}~)6<MRqR<PYx=0Y}b1S?QeQQFuDvMTJ^eK+G-|
z>v2#$EB<jhW^oF(dB^dj%tq%I5bwxb#N&xxR6JyYY#Bqm1VuY2SY>tL!SXZ4lQ6Ap
z4}oeYuNpIdUE{B7{ENEApQYU0r~5>zSMu{%zZQ(RNs*jL>-KS`U}HafyK~Dt>b+lH
z#TJLM6@0a#tJEVUb<YWUdY-H9-HXA$Qur-3cngLXC&)n>4Ll>4pI<*<<(j;xYG9pU
z$LaODkd?cjm5@88*?V+)H@uEZUut%b)QJa*?cBEjGSz3kT@yXIxFCnj#sUH%@U6#x
zf&H__Z<!vd^E->@5?zk+)|y?BQ(O>1LM?s5JVC9Jl)S?u63mfUvH>hh_JsEJ96%~Q
zWd|U2HsFs?g6RzB=sd;+wy_KZ7Q2?b_q+NC*2t$(1QQ*?u!}UM`h9m{mzoHvJYJ&a
zFe|nN+<haTaY*jjZw4SQ`4~l}cs=-4VDxl5N+l5)EChQV9Lvc3F6Gp<3{cQKKy&uu
zNTVnRY?Y=XDD<82!Za1Z!k}M%?Y&2Z*zP@pr1ZoIYW%8BjC@kTFhSf@eK=k@O}*MK
z;P8v{ISbNfatys0d=54awjE6(;l(b3m0!#pEEzvZ!1#7w7BGj69}uw<78tP#OJLlR
z<1STl@+03!tAuc=PR8Uh>`W<7jB;8TM))snU4C1w%7iYN0Na*FuOAs+X7Uz%zO1(0
zvw`n?JZ9K(L+0abbpZ=ss*j&yqZHnRKfWPQ``Ak*$sm3-F8@sVKg`-UE0|v1yjLbY
z$V!=HRUYF?@mp~0OsHu!_QGo3BT1CvD-td_p8=ld@e*Se(5sC;Q%bGB&hghd{zaYR
zj}Qu^;gwV_GNU^9Q$14aSG_#jNcN{C@k$nF8w}58Wxh6b>dJRCucNS6>`0CtwH}KU
z+Ls;Q_B>w)5kO`e&xwUM&9=kWvDvDhUq68D2>t2g{t<^faZaMz=RY#5vtw}t={`#m
zq$Kwr#eX6Bf}_;8&X0Pa`E?GK-|QGek{L>VxQSEOiodK2l3<N?==h!YxSiJl!3EC-
z$^uh@Dw3KMDs)qD-bvNij#P52)7%3?eXcVHsiwY^Qiy{(yT8fHyZ3shi|zNfe$9YX
z;!3*{Bt!wyMM$<<<PdT8ZCrsD_+-kUp!!b~$gz^zZw5bycwQc^MlW^0=MPOuqi=kg
z&5b~C^;=2f1VbR$?s=@r7dtL}o^aMYCw1LbhNC9iJ5RQZw^BY;7my;J598Hr_yDto
zPq!WO*_p*+?|QnjMrNF}s>k76z)PF}d`hBM+02N8VT;v~X~K~LT={nSD!}U}%e2Ra
z<MNMi--~JG@{Y7j1C%DQ%CvPWI`u{o4Q3M{5m#;JtQSuj5}FK32v$D4(hxpi(=7jM
zIB%wWn7rycwghDCo837{VJCikNL1p$*OM?FDiO*U54(<iPq!{!-)m*{{f<O{m{NXZ
zY~;76PtiRTFSVm0*E}_c%Tf`79=4}DF0U%C;viT%|3<y$o7CYx8}PWmU_Cn|FoJqA
z-*|eo6%0rg$U#Kxp+>of5qvhKNi|+&Y&qD+^w&N9y2rn+d;D1+fznnj-h=5_?ORu6
zNIHip1@mj6eB5!Y_^LE5`vA#^BJ?p)rPoa}*-ty?Y!Cpn?NXM5PI7}w*gbRe=+19z
zA4N3v8^zquuOA>0=T`A2t_yB?x@(9%<?+d5ywr1GN!#18WxNoGKrKjhscf2KTJJXk
zfEQzMq4u2$?#Ztmau>YR&)3)yrsSS@71(B|@hCfOQsl;y?Dcg=$aj_4Y!!?SsMZcv
zB`|sbO2{BiW<NgnNNkQVN+TF#2z@QNL5s=L)$}$X3UF9V@tnP@^LxNNDU@DW-VabK
z){hnZQ5U>X6M}jFnMw=P>4czfe%CA0R7D#YPJO@j_+Ffe#`Zx}Gr!T<>oy;iH_CP-
zSs_D$TPFSh#_?1Ttg6#f6Y-Q~PKTAF%(^0atcUvlnQC4HyCuQUm0%|2IcTqh4?Q|w
zS6Rc*r~RV1zFoNhH~Gt(N=F|+leU&+1l5gMd!b|iSZ7;mcczGV`9}n;=%u~-jghAu
ziLCt2rc@SQmak>A)5Jvb$19I2@rGi0*e@|`-|s}L-7p^+RftM6Dq94WXU%}x)w>jM
zkn7Lyk}zB;^qnO%kH`CY*`)TwM<{66x#w%c@eqdE0eexnj}Wncs9Vk*((8gyfm$pe
zx#g;)OsNu{gO|=v;SkfU9b*qe&655^=Q{&M{~XP0X*-=gSz^npRFw*3cwfBa46)UA
zEzComO&ml;FQC2J9)BI=uY>#xJIJ4B@BLO@W(U@7klno*3eHHyPTdZCTf!FgDlF0>
zwc^~$(WPu%+(Q|PJ2$&au(EMT$A?YBbol2$Bhb`k!TD4>CLf`iYSlJy+Ar|y2S`+)
z9#K%afxj*uklP#gP>CkcpENxSb7t}FB~*p_fI^2=mG}&d$;xM`T3Kn2<rS?4L!IHR
z=XAV*7gH^l;t@ZUeiih|-;n=p_@4vVlbR>QRi*m=)bt58ROyO>WUstYj#T-bC=)Qr
zz1pUrr;xwWycXO-Bd5j#ih*;FtRa_*ccmD3nK$W7!Ycb+k^^!0oMcG~Tq#pw1L!<5
zMcJdt|HA3Q_3GL~?OAG*bytbi5H=W;Bu}tw(JmS14znB<TQ0*hue2D-J=+=uEV-W4
zK4Xf9K;<|wpz;7wFz&$GK1p}#j!y6DU|^1I_fIoV`KiM<$7x^d#5AML#U6j;DYGIA
zy2{GHQZRA=9o^ai^8Orkf>Oe@4Nn*p3v70`vT-U@dt$Sw>wBHo3A=|lhigWBmXE1L
zmX>LI)75EZrVk!vL{`V^hU{g76-A#QMAo{?cHZX!yb+U#-)*c>CMa+#YMzL^lpkHf
zrA1n(#96~2hLJ&XUX6<231D6;00+Zm!3IC{vvB)^ixUwKfz(^hA>}XuAjo459tY=9
zECmpM5xWv$LQzjj5drBH!S!q4AL7i~Z256@qG*;1fcJODAMZ+SvNm$^r;n{@?DAh1
z`RgM8;x6*XMhnW>fTe=a_%Z3mW!njb9Dq$pOQ50#Xb6Oa9b>?kyrd*6AVety{<l-A
z<s1o*=E{-;C1+B@u98YoO}2eoru<G1W?0kXJ<_`E{`~p@l;yFpX}I%uYqv1oKB~0j
zZH~-3@DE1?g4tJeC^H?jUEd|2Y_X35L0O^OYcnJE3SQhK-mQ8CMKkcQsnl^A)jqX;
z@F4bilfA9-Rsmcn&E~px0)~AokL~k$9HI)UcBltC*n!;7k~sWnPTJ|&VmA;Pw)cuH
zI?y+L6uMW6^+=Hz<tUL0o`rC9{JY(J!yBu!4#n%ZJ=i%<p@GWByJMvg%l!toSrtN9
zBqHtGF*TwN6*xcYX}WDGwmKCF<(J31AI%-8Sz@SkYHK2NkEE+YuPVQ*mEi@YW7m%Q
z5eJGofhy77=}m3;C|i;(mS04{uVS<3N*-B>4#BM-Fu&eQHqeBDNC9B!^rdv?o%l75
zCEO9DE>;rkY?h?gXY(pkASBvmJJ}^b;8WYVVsyKg9QjbS<R9ThoIW`)iKl)Yu)u3u
zhH{U1@2hK{CEF6)i<w^sAi&Mk17KpJ<;NFuc9J?Q9-@ML9|R^jWl~i19Bf4RCxB;6
zBY629lGl|iAK$<8TYnzAfF|*We}?S=TIIl$LjQFxC#{dA-L@}3!?TrmCRQ+ev(H$W
z^%Wy)vDLr?JD<1r%FlUtu)g6C%9hgen^n45MAj#HciV_%H-x`V^4CfJ<(=dY=H2AS
zBkxRJ)C@I&YL}8N<`LwS3xzT^hVO(~UZnLN8wL9NHBzd!+}?*Dn4?HX+tOt1o=<G{
zdDos|yem;tRz-n4AAuNo0l8**e}4Ud{XU&#Acv7rgE~j+NR{-OuLfT6*ku1KPotfU
z%g(X^PnYUa9`aiEgA<Qqx?UK{1;jpi6iS&sCG{qXfM5sJ7|=(;Rv8hKgmh^oOGy?G
zjPmCEk6~r|H~Gc$<nO4RGT-s!_P*_7A8av@{NHp$j<<o&Fx9v1k7bJZ0q9XN?)609
zW619Paj>W8f;OsbfRu@9$WmL+H8s?=<b#ss#LM7sBE4H$$DmWp{JxSd1vxUDca+Wo
zJm{SFcD#-cuuT{Y=Exymj6uodF5`Ih_R=nY{)LK6l4D?NqBUaRut}+TtNt`+<%5Up
zprB#bEb+%H4kB3S8~jIE?!ESPy$J?ylm%Tvj@Rh9V{-sT0e9kS>Ap5NJavrQ7U8D4
z7w@(_avAD`Juf)35lIN%^W$f%av|3BA=uuNv?fv-uXdgpZ10s{%kZ$5oyj1eyTOrU
z23|k;1FN>GPK=_uRmDaA^BzxoKRHJ=VX}Ry;Jj0wFEC)T<EqN!u~-Tv#~>DG1*kWc
z<dr}9JDN+D2lHK6NeL3pzgQpD2f^=^RmMw=u^OvmEAP5?Dj6avNC43Uq9u(^loQcg
z0h^9C&XMG2x%Vmt;CTDS<{eBaO}Q$2vGZRy`RgYC4cz1pr7UP--yuINRqB)zM4?o0
zQu@?M6~Z`{-J6o7VKr$8;<Akc(J|O;$%lDP*{Ir@yT0HY3vTN8l1G>2+o><ft3#u%
z#z6SgQ>br$e*J(*Y3?|c+;-NP?rLL2qr^jTk>-!D9P&8q%hOJE?IS-?UsgyuMjjJw
zWI0{=*~y;mn0rwm79?n&BoL%WieGXwE3W1OctwpZ0GUjPC1>SzRp4ODJdcUvgHhDV
z5BYmuXQH=yfQ5Cn&E&lv9F$iUSL|xKvDB&(RXNi@5qdmlk!g@pvDv68d*P$r*1Rm#
zRf8gvvhfVHTeG}MtVUXne)G1sTAJgs_`qCSRbfiaC&tQRU3nRS6_-#o%AP!RV9x6s
zRPWb5QXCif4#t$EBQ1x|)r7<>Q@Q84UtiOGKMMJG#g{cIk8Hi)+&tg+>?ah;Y6-2%
z%DknNkoy&E@(Zs6nEO%Y(9yym<)T+9H9m@^8+L()kAu%)s>?wjcjQHFl>;80?E9AX
ztIFqCJ<oV?o*P(P!*EhRcgc-NDe%4$Y&wX+_uUsfr%L<`3TPzZZx}WdV;k|k9<^g-
zgzk7No)%^Z*-Lc7QJ=~QbX|W9bx!Oap0Da%xY{nDZ82U;ICkLA2`*i^kRK(^((n{u
z*lZI#R9P?4<m+i=(LRzLg?k?-|8V&v2`GRUyjcU=AG~$CN~6Ea8NrXZrb{ywiM<0z
z3$B!yKYK2M-?JA<GolJn@9VFl{B@N729EMa$+}6>AFVxdVbofbKWGYmv-c!}Q_sRb
z9CHBahzcy3RxnF93#c$;5%Tar^;&5K-{+&&tt!C+W!^_#4vNlIw=F2GZ(f}bTUJTG
zeZZF=H?JuXcyI{(P8Jhvl)Y(lSgemQ`6SA`Ap3`N8#d3MD8nP=`$I(t<Xg57^{T#>
z%1r!z`&kv)lS!&xwL`)PYk*y&{NO8(4X(qe3Puu7S7RzkbN=i+2`@Q0&Nb7wi#Vl4
zo+I%5<hBq6(Y+aC0B|_$kSPhzDIW1IAWE3Eh9R;5P*ITX4Osc=;~r#jFRPan-g@^`
z_6y%3vp2Ofo}3&EPwE@;5~sz6UGqWTIgoSV0Kyrrhw=Pl`M_}i1?a~lqKU1R5WxWj
z>ATkJ$qN75kas^xlL>%Q5&YIc2n+-0`|`uYm4E|))NN>0psSAoPX0)XpV+;fZ=eY^
zm&aVI=cvMxbAqzT)TpC;SGoMA0){`bNP2m}233}MfDbQNdPOw_l-cx%q5x@q42yY-
zS0EU@oo8d-jXBi}aIcDNvV2ow#3|9{cnRDAe14TzcW%%N)sZJ3RjJj3Evp{dlsMQm
z;<Bu5sj=-g4|~vl)e(_Pn56>$rO$q@=TC8er_RbR;wn@t=cfRzymNi`^`hMPK;*z!
zgt%4il^0WP%aa^z_9&HkqW#;kOSXjxc6*)Q+NHVNQx!Gr(W~9BYk*CZStau`ug6PL
z`Q%rA97U4DUsw6-D*sJf<qx$|0K05TLQgS^4J8l8`b<F0d8sBxY}Vn|*1eS-9C)am
zGPRk_dPy2lQZL(189%)vOp<v!%kbT9fkzZ1!QveRBD+(7u2@)6EPbz^Uq4`4QwM4%
zpyncF2X*xL7gvQ+&{=O`L{Nd`iK<=W$E<AOo3k8|R>Q!#A#b?kw^zYHO4O)o2;~_6
zf+U&9_{(Xrt@xlcz)#*-7+a1ri6$C9KOW_{6p7_4=D9D0_qa-LE12;_6<)!BYK;Jl
z@grbkd6j=E`%`cs08sJQ<w9)yAl@!aC{l_QeKkg%e02x1o#F<wIx#-hcw6k)eJ6-u
zQ=V1?J8t+(4b)Z?c2t2_XBA4NNM?gANhNih?Bna!;?vk4!HmyQf<1P;3?Nc4T<;};
zh|S+CqX`B9XqDM1l*{5oFm04e5@@RIqyCIPjl6Q4yLdM&cVYONclKZjrI2sgX*+^}
z)G;lp=v5nLyxH7u_WINhc>$DV`*7f3JD4wt*~y>GE!Btgjl%C)sI9%`h+z;fhq2HB
zn9?rb)Ny)HV6jI?-A-I3@1mUj6_YLy=#`VR*=3VJ)!u?!d#%+6I7&qYFz{9iC5h$g
zj?Rb+k?MFKk8_AvD&ssJdPHR(qiUd*1H0xQwx%h(11imux8qj)NY%kqSd@s7D0kcG
zhn<${T{H-2_Y&S)*Pa|c+WaLrx5<)e7q4uT+le5Bf4yd|ZG23c_<?A1SwncA@Yh-X
zI?I0>XZb@BGT*jr_dYGeNKF=R!4C0?_KCprM>goq@M+;$iOnZ&?=d4EM+Wyw3)eWd
zLEsmP*mZV*(p_SNe|9M=$CRGb-}rS?z7yD#<07~G_5s_jd%zx_J{1Uw9y-2Q9WdqA
z$eKql1RdSwQMj@DmyU`VlweqY$#>r4Xm^%bBeBc?B`FxGKx2C)KU|(lyz-(4FcS;b
z4tOlQtgmXlcqk<}+XLvrRH;LGg^Zoc^Hgz|ZrAIa-ir-vXgR)dRf6qet-;oGtflUy
za4zxZsmj2_WwERH6GbEVAYpd>coM{at#M*s8^0Mdl=OJxi9cb0k2>cysS5a3Yyppv
z>uZ-(KxG$?W0!}HLC^q_rTwa_iMzF2)jxA)E!c*v1XGj<S6vo91OyGN;a@4sWNS}j
zU)0nDa(-BWpF4Gx?WD(3?ooN(>xpFNF7NME>cj8gjfpz%^V<4F*s<}9THT3xnSQ}~
zUMBM$S$?Omx`W;=d$REq04x470eBAiElI_Q<8oA;hbKBMPDE5YXFkgV9YP+D+o}@C
z)`qP&*6z7BT?0bfE0toDXmh&)v&%H>flLFHvse7{>%F#pupdDd2I>{KGV=MZqa3M%
zCV)FR@(pHQ-6j=NLLHv&n3d}7^T$EMWkGTIt?n`JfSa)^v)C<+{q1tpNhlUi<P;JA
z3E*9#Z^C{<pPs6XBnw&wT`Fok`R%SArOlMP#Y3lQ__k4qhfrIX?IaTT>n?xY<-d))
z{ITnt)I;t2o&15qz-0UN5G_(oQ8M>XJ%#A2Nyp>FIK|n?-({v9K@TR`*8#P)xJI-l
zETu;&q4w9glRYYS9@!KlzQXmS5npOc{QUX>!>W*d)>iWan8fO~>aJS~VdcAIRb&tD
zDcJ`lELc)+Nui3R>A6Z{fJj*k4Bc_xqJoOJ<{dtl$2*dMA9h8B0S_J$8wctgSt|Ia
zInO1Nen0$^L&^O~c4)e+etX#>YVUP$vZ%Zm(4%%KmM0IS+%_x$hcc!5+*3sN&gdv|
zR!`X!4sukhD=C*aB#Z|gILG*aW=6(sNa=vQHn183iFECtv<nW&HvVLCdwd9ePE<S}
zLs=DtgFEFg$?uZh3#$p<+Y)<<ELr%Cr0hW<fU>|-K{9&j(9g?@*T8@JsEZS|?IX_$
zrqlVYHr(26WlJ;m@2O4XNu?>Me6TXPikH&|A1&67rG2c8vJ-nu(>;)wCo3nF?}xUl
zYKW?XHgN7Vv?&5TU4Z@$X>v2s0Xz?~RK@!Ft|VA5bz&kVO8AE~vrt*EjNU*Hpz`d6
z3S_i^Jpp?=2BJ!EJcqjGc>ixV94~o4rpNx#ys<%mKFl$JU|$Igj$WF`KOk*~>Q&ov
zPQ^|kEREf<6K~F+!?GlzWVl|1OX2gp{2)MlvUyTOwg|>2cJC<T)uIOAE2<orrKf$=
z{29ldCy=5i_wx1dp`bXM&j{*ktM~ADV6GsxJPeAgO@&SSUx)eYF#oL_=8r8os-cq^
zNQUl<QuW0fI@t$<ba@Fd@jgA*MaH<5)V%B#ROGi{Rc!A!9~F0SQY&}>x+36+S7a9e
zB7J;Bcc8Jn9#y1d7kMb?U#h5IKcL&jM?tC>$o9zdyBwZ)B}=fS_~514A&Y;OZX|17
zmFZ<L26V~&)ns2i-ENGg-~>SJIGn|jotWEqUg7vi-fUIC0bBfL<ah_^WZ4yO^yWN(
z-H_CO2}gCYW^WF*^|UBzt-Ma$Ja?tHO%N+^I&USxZrzzjywa;Ywz6zM)tLkV4@<yX
z$0PIg9t`+?+V;=J(12t>!oxqV)uZ;#l7*-gZ>^y?0)1+g@1=VQVV@5G_DRXfZ`r0C
zj926<MG%dxoI8U6;$00Ocsn5wTX4Le&n{uhu6B0}AJwGtzr;Nk!b^4S%AQmpwUnQq
zPUtJPrU;&1>idiP0HF~EJ`OR^Adb+gH_;bsCK@;AIzfgk5g#4)NOHr-!pO?Bj|743
zr;zrtg}>z=DGq#vk9hi0{YEb78*Ls7$^gqZ1Mmde_Gc^Jb@8k-%XbJ?pM?E^0)q|1
zETLol9vLm$i(lN1LS5bINAgPT3q<v9Vu5I#XHD<8)rnur{^<e?t=T?W^+)sFi=u-K
zqkgf?YX|nM{E&0hJT6#()0g~{2gvAw+tU+}mqoY2s;`qm)D}k;Ibh_r8GsU}gYdl{
zXygu6nE8z!LG<_}ndJBgQ9dh6UGRDh!>$r$yyabFwD{L${<_S6Gne^8HavEstn+-#
zBF&anUO!sSQ+3(gYP-TI_W|PAz&)g4RVJ1{aEeP_$U9GIMd7}3_a4=rc<_W%;rt**
zLoFXC=C>)y6Yj%?rxnxq`Sk+?Q}6W(@N)ycB+Lq$lb(=WkTxvm@=#>k_}M*$RoeV(
zlS!RTqEalSGzmS33!^CMA|J-Xj{@xEGqMSj{28)T;~gM*X8?%?49{|t+P48bftsF^
z-cx62n3?Nkd+#GNrBdW)%5})s0aFg(Rpv(3cVCapolO`Qn<R?h^o2x?^@aU<EW^fA
z4Hx`}_yNuwM3y-ovpYCSKA1rG0u^@eVs8S<8~|hS7848}tB0uxC*S-J2ua1=cB(fG
zd{gzV_}(GUN~#vj{PEYVqtJ4p0(T(hHvF`gXds>M4a7R|v}ZTl**szyK-nR*WYHT`
z)&kqeXtHGimcKcw4)EBRRVJRb7C0Mok|UrUwv@fJ5&(eZ=CDu48>lZ*y-EuJjAeFw
zq~uf?2b3G-=G?3f1qc5Ot9_{bWs;Vb1*rTD;M5cx&bgN;fWJs&#ka*v=(rBbgE`Ab
z=lD>~7eFz#LgeJ-FRoib?LvM<=_o$Lv~S2M#_$rZbLN*~1cbx60dUF`@vEg+1N0S7
zmfiz2Cu&P*0A8-E{S-x~6(#60H{f-vRH6Z|@)9DCqe>oFc|F48Dl0C#kVM`@oAZ#O
zo?en?J<GxU(P|hE)|a-)PcGs{Uh~jR+3mVW6b|r`aK?D}q`yw{*J=LSIn5u(o|E^e
z4kEKdp6-Qx9TX4!X&<VS%!7{^ue`(s91us4A9sM|`~c_CZK6reXJ@>OI><rt@n#u>
z!})|FY<ZOsn8GO>l~E|1R{r_*1Ikz|z?fH%Lyc>7yQIXm#T6_gm%Qni;$Ix7fTR3a
z#~J$606~2HC#X*DmvaQKwP&b&T|?w>%69%c*!Fsx?O~+KOF6J=p2oZs&Iu2+$v1AL
zL%b`P-t<)m=e>=6o+&?}a%Od6PW3}^%5mBxlD={F@J^s;im9nVKfylhf{wv9&ScnF
zKZ#pUluuxIDok~cYmFnZBmu(j<Kv2`3oN5hzz*M`c<?|%aQr?_*#MC(nOj->BBz<3
zMN|Xdo#+|1vnEgWGC_V3gP$tVll4feHiyBld{+txq<bF^riKLVL_ff=LNVJb>4~on
z51$BgN_xH0`>&?Hqc;+r%__?5thvP0-?%0?2vb*@x|TBcBl~aw$^);O;yyc5Dd=nc
zM!@%XE-rU;=|k>Nz$LK&EMFuP=pUQ0ECT?_x6epWNOnB$uYdLH%LSK`AY?Yh-+OC>
z`FnOy@kHUdVo#~v(}^IJq{n)x1z2tN2)K3~6C42$OC)<%BPuk<<jYbJK{9WNp$m^t
zY~reQaMS*0<fH!pLV=G&3XSmb2ArkX9@@W&t>7We$p5t2?2g-fu?j(xZ+WrMNaW1Q
zYJ(xuOVz>ew;_Y?iEXOOR_5@u%EJftA~@>4Ws}Iqa8~}h&0n|qZ|F9ERJ@leC1=y#
zhyt0;_OAkN`Kr@uN4<vKc+W1UA7)Bv$|IWWTDH<Z611~IU@%!H@B57WQsgOI8#h(;
zjq-lC`>x#BU<cs7k?{TV>jx-dfopWKo9ti*V3oUmdT)K@M5HcfP4kR)>EPM?^93rj
zX~>&D<wU{=SH*kjjAQ(cUG&T*WxI$0*oaLO2`t7~H2^9wc#sD_QRQY~3p{*{NrISy
z`MeIu5r|&gV|}VNIXLF1rq}9UKPr}(w9F(qqciZpv3`>C@{1prtTBT8y3!utGhjsQ
ztCz*@I#UjU<WW_f_Nxfoc5aOSI`9Iig@G!b8}a9C?BZ{|YQ+*|ZnU*i(x_Dg@{iJD
zV}G~zsjm;9&fC6QRNKQ|kS_rK0=LwB35p`KU<dGr!GLvGeBhKg2~5?yEnJTKg(Tv6
zQe+inVU(j+VPA*OiLr~i*_#NDYJiEUe}g3IZYmHADkY#)$5Q!VsSHZX_MKMA<%!`L
z(Azz&&wxmIXY7=X<2EAQ#`O+%5ZP#(Y6I&RD?zDyJ^n0Dy<07hTslR;(`wZqx;$}-
z*<Uinm_{^()KtRTpX_G#5`T1&BjEn<A+=AymbWptXUBXnK`M-_y>>f~_#>qv?669b
znMT00++sh8K=I9m08CS3C$`h2fK#%~2D=WM0qih;TC6XDsB4DLm_vC2+1W6frPSRk
zCuZsP07&WTIo~17VJg=~bwir;0&RD@EL6C&C-|@9{B@lFmX7m>kLo6)HEv+Vj*?yH
zu+-q6CCMu2Pgy02hh5M^A@+D}Yahz<=s%GKQ#-c|2eI+HptMuZ9&le0eV~3#b)E5v
z!`NH-5eKs7tlrPBA7Bc$Pk+thNxoOP_fdM-X4Ji2n;kv%m8NkFycN@2*;$Vm)9v!h
zVx#1I0L#RLfPN|ZoA>@k1bBL|qvO~T>8wMO#YE|544VShVSo0In6fJGSx)k3n+=nP
ztL>XESwC-nbCtI9k*qgjO-{T-voNq>@N27Dn;@~JeJPV*Rs1TVga6$}@f($|S$dV>
zlB}4AAf&+ia!2oxc!rk(J{Db8rsBBfR!iDRG^*Jw{z;#9q@bN><KgSEfd5+3I)QN<
zFgh@X1<kVQcoU*NSG@5IVB_2ESH&iuEq9JmUoq`8K^WH~nNIx+Ky!}p0jaI9H`cj4
zRZsw@O6VfD053GLbwV7Q=77R3!#d(gnYZIj!=p@TB!CI)UnR`&)i1m{ApgXVsro3{
zz&m@fX@@TF&VE#UbH15R<rg(c!5pUlc3?;6U7pn2>9VfjD52fij=f&R+uQcYy!NnW
zLo&8glUw{c-XF6(Yf;umwIy)0eV!8}Pzx&3EhVh)(!~`H*zC8G)-r&5GDSSa(<XbX
zGUtz@{>G0m`EM8}|3`Vz#`Y70m#lZ0%3(GFUj!Y0O$8_1>hMy!uQd;Nui!kqN)IaE
z@H^J-zLI)Mgux+2OY`z3s5wi3%c;ba`J2D4^VfC$o4U@Q<`6}qkh%))<`F`1zW0$g
ziQiqRD3xs*hr(U~OzO%9h=nf<Qb$x~t9^umYDX$RS+B`?I?+88#jP({5p3fWBI^Q3
zl3ZU_|3kjMKfite=mR^LFYXNrBe%`;L|he2BsH?+GbI0jk7aC~Kyak#Enlha{CKpP
z#ctiXD9N4ERv)+DS1df!l)S4DG*bWQ%$zt*xvFtCJ#;A~Ryj+6A|jwFpQiZpsozxH
zZTx?q2mpmYf4%IbO45$JPROST<SI2i0Hf^MKfqux?UGOV*d)_GvZyD<K&Ix`;Y$2}
z<pqayj|!5LaH^q=<$0>C$rrB~vg9k*bqHMQaa{poso~};0d=+|_}G?2d3_}7oKKVw
z#U^0hrr9Kwyfz#~`eFM{ciR$=Vm#|v4#8YeSi!uVImr)Bu>*0!0QKMje0sEnD6+h-
zigcbV$@s&!s9@IHOF^$L9e6Z=Lp#1bu`2*<Wmg6su!oIfC(6z>gBo)!5UrI+eY?#1
z82Q={h^IatL}W_$T^)R|@%E19Tx*i#`4H8*JgPV(Vc<BEwAnO20ju)5HuT;AX_Mb_
z-Jz3T)mT3TPJyQKJy%j0d*22@uz>t=BvvJOmi=yNJ(ueYaGV3%smGr5$C<&1q4xIh
zyX+84Eu`}^v-9_(-^E8yPh&32%0HBAGkqfCt&Hvf@Jp$YmZE#lvjx2KZAO>)5eg7}
zx<`5zYDa49z!$43DzPQOBHN26R$kM-ULw{cF!sOB^VfO)+d9u5&s7`N%p<9#J8SAh
zoSYord_`0=Dh-b-sl~x|Z3<FY!6#jS(#Oi-ap}gSoEq4#lYuu*8IL^PC=yFH);LYo
z0VR1qQkt`;(vSW8`T?WGfae`=?)XL$+hZrIcbiet7tcbv^!6s^yslFk`OTS9(}BFk
z&k+^WiN4^SG3A42pHjawmJQm#mnFPxMIw}_NZZS*89fvzsN_-Byy4Lbz)vMWuL_Al
zSp))3ji16=a{Q!7j+{Q$ktqB1Av{RP|1~kq5Qbb`{$j<FwY)bIl88j@c&>c0$lw$S
zMeuko$n$+C=quM&rk5PMQ|-?ym2qT~|6v!vP>ZJ(RLjxxinlstN0?H{%(GudGt^nA
zF*}f<d=5C(^KrJOD|mf3xa(+(K+)nzHh}}&g{J{5vivaEn?0?b;LC2sLZ2{+Tf`Ix
zN-uaGyJClH>4j3lPJx!xIeRd>{avhP54t=_A$X_;OV9+s6N?3#(q+c23fO*otP|_J
zxyea-jvCM^Ue8PEo&frU?MzfuS3p`A^*MpV9}l*}P5hA4v7$kHfuEsXdHJ}Str2Wb
zkfJ7EMSOOa3WgxxJAu?LX9B?{xUm=ZdtX^MJG;Xwt;iFpRHVCej)q^iY#R8E!P&4N
zFC2jt)2Ygf?w|OHQTOmPm7N^$C*H}<z*-()E1=usp%~OvknS(?`0I#IB?^$AQjpcU
z2`OWhB`Lq5c+E31tFnozq$BF61T<EQ)_|%q((0HRVdJm+{B@uIzV7o!xp<P(=OUEj
z9}%t`<x%xVUVx2kRPy{+UQ*8EykEsfYN-^<RhB|5jxsUYlC!$%h#7wXP}P3q4OITg
z>rWLwT9L%Pel~V_T)aQOe!$voDrD8}GV4z)f)wp2J#Z&9mQb-z=|8fE;kPPR87Y<@
zu+yL{25MqZ;0(*oF8lP9#0AU<Ji!sOY@bbn8UOd~WdFCmo>_d7&W~CL?1oBVp{bC@
zf6U@g)mWC}1MEK7xmG+9Pz8u!UA+Nt80E=*Hi_Sy-}7R%+5F_5Ch2<lEtQ8nsxGVz
zV*U=sJAMe(^&EF9I96oa1f{c>b5szVH{chK!_QO>$|`JD)<p^Asw;H@o_#v=T`wC6
z!cu<q(Ki)x-tsSEB!b#e*#wWmC6?YGXOLKYCeW_C5d%a@Xu~z+<ph9%&ieAOo3&B7
zM>(Iu|0`ZOJgH0f<4uUP+qEm~tzPx>ELJCiMz;vmS;+P=(X5_uxlPCcsnsCownr)+
z!Mx+FOnmISokcYc{F?mNE5Cl@rSt)HUq*lC`R8`Xt7oTV6sw4{+hfd+3~~s8>?5#q
zG;vUHfJW5~a;W~5kwH#8%)S#-WP$6Z4=(~hRcdNJ)BfV+VASlYvGLa!vSdX`ueCK{
zw%hY3<I_aaz;E2}r{b~!NPPg`)KX7uTWLGqe}7z~q#d<y*Ig1elPm%@8H@6Too#z7
zfxtP;$@^f^5AjUl)lQ1R(Y?#&-9}H(l5B#%;~!?C8u0rX|NlDBUkCbc?LdF_l^wFa
zc0^)(axSh&MYR6Mq<4HBxtrb$Zab5_51oku+_GLL;P)t9OxB@r$J%-K9oFM5s^VIW
z@AQ0gQ?g=~;X5VHB<p~Et~7ss{Q#2SutMBjctpNenuHV#cB|uj1K#p9I{-hxX$~nK
zIpR<5S#YNY^l};@d_DLv$fE3}bz;>3q5;pmkBzPDL;*HE!LC-22vs8>LfQLGHmze&
zKBo(mkUScb;lt!?!?f7DQ#_=8UtWdUae1iD|LTvT50Z+2z$hxED#Z~9QC~-sm#<U(
zu$MP~2hdUN<!bZ+djv{<p$3LnS2FwGZlf5fKbCx0xEmsv<f%X~_S7>UvCR6uZxe?+
zX};KMt~0%HNlQ6w_XIpQ-b*fQ7Qj6?<xnYvXJYV4PRf^;0Z?v-bfy>6AX0v^<M9J9
zw34z)@^S0(SCa0S!Nquw(h;lQld^mQw&b|+alN;V9A7m|ZH)$EV(?z%R`tvQr@*H$
zWe1ZoASmj+m0tyuUu*^k!Ax*L?3BOn8C=%AA13e=37L7+8>$kfRT2d}+dzTwfSP$2
z%fxC^_BTN7^)gBg(xfEmn+phd@+Eoi`AjE<f&}DQ3JaB?!JS(<@j%ee9>Pmc6c2UB
zdF3o6#Vlnk`s%i#^D!gfMy&SQ@dx+ouZEWa(=V$%2;G>5*VV6*RMpgh$(>Sy4REyp
zMV*CF6lq(9N$Y8k*&2_954!;Zd}PKufxO||7d74p^57*fJ}b*kfR=}+F@Ig?uM7S6
zcA-C1T;!&{T2+5iUipwnmnu}A_3;swdU)Qw-?WHa(VM-SX_8*meRKM7kUQ&+xAgo0
zg>2R6DY48TgF;a4;RfdF*6Lu!l<eB9IN;B(A3)}NDaBWdzBnkWQ)y?Ln7q*&j|A@u
zU`0zin~VY*4~US04Kr1vxIH#}$|{0oTEhDp{1p{Hp=EYnsK>m(yu&J3m9eBm*yu4C
zYO*?Ss-M<NIeWafwy$=vxgMztOWyvetl-c?%KQ099B>A}8bc*If!j`+VaU$&4xZ3U
zeuZ&aQZwMtEHgz1(1)@$PRwMFcvA`N9baP?(Z{wwMz={Q0pR%F-o1eU>&S-vI{zam
zQj<(-uhy+_<!WZvu_NphBZ$RjWomGsP@0>FIQU~b)Nt+9SZ{q~$_7?H@jJdxeG93<
zVwFchTGjDQ-zbKcva~n~S=)3QoEJ($BI<0yc6|r$Q9z_Or%{Z<!oc(v6>jGH)#Q!Z
z;1eETb$84U`wRdh7Cd6pkY-c5r^tYZ)f6WaS1oV3jhDw16t*QYgI6gZw&LGA5zufp
zqPQ>3x~=pb0}Y7{l-C%<NuC$HxS3#HX-n7Z0UqzEB=&ZONABxH{!of2C{ITmk`45I
zyYfN&{o}#k1eBN69tX8Z2ow-8wtfR<!p{B-t0@`V-~AoR88U&n2{&y~`5_m%f7+(m
z1Fe*S;5eo$fo-vml7`MWz0CKdkIJIU?$*B3sq%W-M9!&iY@pNTz1fhVKp`tW@vjs8
zb)x_FPV@(Owr%gLppln^h^;Gh^R%OC8img}l0$aVb5;vk0p2dPGqq*B)blUJY|;K(
z@!-0ttOF{t#}r_4#~pH0l`dtkjj30nuQ&!dE3!X7zkYyvSeQ!%&8k}*rn3s(7bHr`
zC|ehpL<!AS-u0B-qg^=OjLt>f|9C%3&aQPnWPfSSF3`-2=ElO+pnT7KzUq9+3y|$U
zSql_<sPCPh3r^+;VWrJfp9im63a0`gt6fcG{_LzJ;b7L-?Wb})wDjG(qzdmGQ7)X5
zS=i3!ds@*BE1qvrkW4K*UIeJ4==Pu%FZHuyV#GM$%x!n|6L4k6{l0tP7w;~X`h>_h
zF{14Sfpdr0#LXLQSn~j2jU+j8Q2~>81^Av=7x794mY~qVlNOelU-?Qu*_zWNUpX;(
zodA14gulWP-1WY>*}*nX!pI{Cb!gbBIs7WLR29LKi5bL^6R4{4put&vq?iF^CCT+2
zIuR1nb^J+%&`D5|6dXGYd3v9HWH{$9<-y57H+4xZ6$m~Xe`gOtuvaTj&V1l1c-uoU
zzsEO;A0=ab_jzr?%6WY)!8m9ba!pe&u;Tt-{-U4xC^2<jJARWQxzA3HJMj*DJs|Q;
z!yc%&;zJKk*mINQ+pB6yE1Vbnf7u@X&0-}mf))U}8(=trxdB5-Qftbe#sb-dMOf+I
z)%}yyX&ukoGXHsX`S*;%i3~B1{7#3^Ks?R|%j5s<IaEMkb@3MJilJx&@EeQYf!|0e
zl;ogL&1w+?vN9!0S;zI)jsCjPzkwV5VRch>mhT-|_74wocaxHs<&g+^UfYh2=k(M_
zl!qPw+r?vlYd%dpaAkOAY2Q_^bSU^xahPQS)WRll53m?Xv9C8BSv%Ca^pqjapI<)!
zucG$k#k_q4<j4hpHA!+dpXKGA1+}DcK!ubW@GIUL9WER)IRdPP17`=5VFM`uGp1=<
zDmz4?t^Brvjcy9n%g+EOrR~S_A64<59dSNv&=U~5RXu(<M^`=)pMDM~J@g>##QK6D
zrsAE{-_*}dQkdS9lgJ@SnBx>XhROe}0Md)e32Sw&?ES6tB3TX3P;DtA@<{yEyW-Wm
zT>EhNoftKc6~OmCACEo-^~bS%Z=GHKA7?-x{%(WOhAd)px#N;Q)Ln>4?_iDjEP=&X
zGDb^-;=H>n(}$FFYe`q&`ALqvf)q0q9IK-2m1hqG%4-zjR8_d>`6i42Dd~+w%M2#X
z8>~`0yB5Juqf{#IA_v`j6k5X19uS<gslZ8Fy9rsqMFlO2C((Hjhk|3kVEs!3R(N7a
zK+(H0w@w_%gtVS?KJYv3dXU1P0Lmn-1)df!+;P(WVZtYl*m%@>1Np@Jd&-9C?Yo%$
ztunp>UZr3-1bB*xCR>KGKyp;GfT4EY<zuei662_co?7Q)*&}c*$skxysmFT$5u$B5
zK0nV@XoCOpPtWto*N*F#sQ$ieE#Yv2{^ma_fiYbod7&UWL#4-a4N)b`ET+H5G0Ua%
z#G(FFBHZcP#I^M4%(q1d^suM$U2WhZ{jVeab)<g_NBT2KrB0}u<k?IG0FpAnO}Q;r
z)J3I4uZ35@99amKfD*Tk;ps$nMlg_^?;*ob&_*dchjN*V%5g76k%M{BK2YH1T3c0s
z^E#~2;`{UK2h`_E*5#?~3)UgEzjZBH41jL?s)Y@1U}rIxo2Pf17>q<S*pw6FtGrRt
z6Ym-Ueo~1RXK8kN&V%PWHd;OI2OeCzq7*g1`bA@p&MrVD9t%Ev?Dss9GkOq|2pg>{
zK7_NDqfA8qgf%frdCe4v@RIu0mq)~pOssw9xwU@OF-d7_o(~AMZ)>O26VB1U>4(QN
z>{^^G^7uiX9?YM8I@j4(DYGAkHnzP!A=DQu-Ta@{3IU~znD=)IeMXrfY@8@v;Gm~j
z%K;9R@46kxIr9lXcYD4Sh{K4A=Szzqv0uqPZ4@r*S_hsr9=YJgb7!;P+ve<&%T$)&
zCXA3B>cJa_+9qEIGR(L`xei*!;2>@L_yE0~SEp5xy8^<u1^gxt4ghe<SQ8DD7NXj~
zbd<vdbYZ@A24#t+?oq#v067B=Z=iCwU*l<!T%cqNK82EhE2R!>_Xr8Ae%SApu<rOB
zeW{4;XsFjGSdwz>A@M)0oX2jsNe!hu2bF+Pl3J_wqF4{B!!p`#7^}o}{Fve#n2jxF
zQec2-?K~VV%Ix)r-J!N=TK>h<3F1=ruqm=J-CK&2RpqP8B3ni%By_~)1rqQsNHf*n
zEfvQ+JF@e{lTQL;A60DkQse}mIj+)R9bW(NqdzBBg!0#w{<_k?i7Wkyo<g@QmExzU
zGlYMRZVfN4gg-KzjO39;!Z4}i)j{({*(3^N0Xa1%A2n6`ePRY!_80fTyE<#|0`(jZ
z|E62=+bb*SApPsL_Rp^$5Gk-hq-&kJZ7oio<M`2)LYVagR0aT4*q)<;u@+|ffH*p(
zzsJ<Js^-rB|9}{uQRP!(aTM7ug1T|G_*Ggp;*G@MCE;ANDe3pvhCI~K^L#(>EdyKg
zk{PfN9Jt9R@HVM}D>DY2B}8V;6_1nRS=tr#vS*U37~5mRR+CY=znF~oDC`wT^6mgW
zU++qQxp1TvA0Gh_-!@uu{$vHb5`am(@zPV)u<x$CZr%V>Wl<HEt&U;5lkiy<r9U`I
zd4U&rif8f5my=CiQpjQ^1vL>yeWaBeC4E#NZtvh&t~wDx+M~XMXHS6e#xjmoo!MxP
zr>y+VJPDj7D%yLs7eDvt=3WsRD_pK!+3NOscHyYaR-?POPohJmZ>0f0ty4hUczCi@
z+pmn&z&)0{sPCiDk3Pf7cK|MF;Z*|t8LZ%VUe?6+^OsepjEI|h|KO}|U?VP3(nBZ0
zTTbKx3@xcq|4;+)gh(|c2gE~qC{mej3}8Qt)wiuemOKR$h%aLAR&3%RIe720R8f*p
zU0%KEp}v|YK-8)(*Vmo#5fu%^fA5dO$Z3LK*@<S}*j{IND1>`<Pa_{`zwyMhr1D*M
zk=*w?!XfopP>uJ^#way_9iSq{R}Y77?;&Ga)uSa#8>eWS`XV{L(grnkT>m=LUuXJv
zai%{vv?06kd3O3(@1vUFPVTX2uiPvOEvvE(+5?fuChy4d*<);sNLCcjmL0tY2FSbi
zemBOdwLBo9#rLzccuiU)sW{m|vL=5wGyn4E*AHlNXW8#U9oj<~rsk?X*;YL?eN&59
z7USv>?*{P9@NA%u-9p&TeNQ{>o&3W6D!ttK9VI599^f)$IoN<kg{>#q@`s*+i>e;=
z*FFCCYCfMu!Ucw8RdgJskRR@mw9`Wp%wH=TGI3+cRPWvfyr55;U6&*MUbzBR`VIZ5
zFQBJ8`Dr^cZUQQ@(JU4$zb84o`v*DW@_0Qv%i3_~Y9Cv=9S9&@8D<4wxnQ{oN&;5P
z?3R+g1X4Uv%juX%0wLP@TJh!E<?9>m_#$g&z9&;kN6Gf^x0jd)K$N<!)(UhbI!s_Z
z!AKFD{3Zzy>}i_{G{}w(wo+wkKSZW&_qTj5>fb%D$42{2ywutv+Z7cieVY6V?|S1W
zh+so?STBIgIVUL~(pHusy)P)aDilu$3Lh6tJcP|o*!tw=fnU;<Uw*K75qza{R~e~!
zQ1uc-u$`&TvuSE`r}FeTDG8E<ckuzy0sBs}W3U3{ac4l68on6Y0Yq2jPHa}Z`gW0a
z$9c?C-Yhc3UTRJ(7jLN!>=|IjnJgaI9s)$f(kY2-h{96z$k4qwt16X$hmi3+#Y-2U
zDlbJIqI#lwIm!=HUi7;@5dSztOq`T}a2{0zdHXP(Xe9)_b`4S%#Ic<w-l`vapM<6T
z)AUhUWDJhl<gYvZb*FzLclwk0)P0+CVEDzZ&+CB&+XPh0)S3gc@K&=NivK3Mc&d`s
z>HW^AuY!CPw+YAPEgzRBMS5#w<HbIEIRHGwHe<3-b4tdU{D}3L(tdvZfcVYWvH5sF
zALYA*9?G3B@z&D=)_yKak)CFUsv0*z)c`w?KMB>GU6uHFSj}FROg0@$;^-YMRwc1{
zXOeE^O-|QiC&~yea9S(8xjsa39-2C@or)iu;H5_L)&K~+<Ma4P+;ODcovy)Ux9GLw
zC3#CGS`@ly;M}e3V2Q&?lcYc(?|+VCHvrN)6e#T7_Tu~vKq`Q!>?)N#CRm6}qp3Xp
zc)a~6=emS$P3@$&)u;>zC?#jb7h<av2kPvqjQXqznDlbFK6CNckEG}l0C+;C>PLRr
z07)|g)kIMLrzp711Ne8tA^;GEX{{~$pF@u_|1@?)ns&DOj{QwU@(d&LLjm!T8@2Y`
zr!U<0I`lFgIig+p!^5kCwr%&UrYZiz;w6cVu2O{rYJSQ27}=y>0%^0zgxrb8K6^^v
zR#Zp|>dcNV!M6l|2_*Gy+wut08&pd$>K^ZSw-dtGaNfx*PpXk$k(;VTkL2Nb5`-Q}
z2yDBjWWX;da<HCc?b04%9v0~ZHx-Qp2VmMpRJFt2W3d~sLeRa8s(@Uq>sA229(sNb
zR!s&<brB#Pg=KSZ259rhR9;7l$52-o3%~N&6(u<GWhwW^1e9IZQ`c#=d06(c;kWRb
z?RxbNlw=X@uI?nOT*5OI=6X)l-h8va4)xce{*4^!549ctEvQkdm<nqbMy`_1%NQ_w
zwW$TPFq{D#W!=T1n&cWO9)lfr3)i!-)J!d&l-=$Mn^#_6`o{zo%0X7GD6vk}XR58p
zu|-hB&#xaa6&PL0IgkO_Q+Y!>TSI1N?YuvHURjAf$W{X2f?;0_WqpG^8&e(<LLQN(
z)2b|f1dQ-6D9{0{aeD8;!^p06Vp#K=s>7zDlCC7)PA10MXO$cJv@6fJjNk2jd2vu2
zz~BZORCflwsmb@)HPnIQBd~){|C*cL0xXi#{QU-S25>m2?&_$GO<!`CQkU0{kPS4I
zwk(?+uk3p`n!j-|3gT+7K;?JHB8I5}wLpBHX@h+af8wP+NFfVhlnPPt${TrN4qnsz
zt_L#&Nhh}Ze%#;t@>?Gph1nC^snjjKuOd&vQhvL*)Tt-6w=+HpoaeRLW52KRKkI<=
zZ%~*OB*l(*oS+e`<KvAJD?2v-wY?%mhp*T=F9>Fo^==KjCZeZoQhPt1oLx0jU#Y_9
z0vDAC+%830BU{mNEG(9-TVg2uHs|gw36Om8=W;!*=fQ!2OUpjGXC!+Y%2Nh7`$q8|
zt3Y^?c<CMUlYydw0YKV0u%$jIjpBjD0IpKNY}<Qn8*`{E%;&X%9~2)vd%4@zkk&5{
zUB*OK->ap-Dua>lSJaG<&(A9#ko|rudT&NZ*^+N4JY23Iod9>GiG5;eHrU&@mN0NX
zO-}vCTkB7d>=O);t*<6ZvqKIN-`7~D{blMTv8z%Z90>wreWjKC>r#JR>fg+z{*b>_
zRBK!MePz+ULv4zu?(n^06W4U^h+=!mv{f;J%dYU-EJ+<%OuXV&+YYdT$yG|h{Ji!`
zS>6|WL_*Z_x_BVxMFnkhC@Hr6{Q3cEfESbW#jK^v13G~srY&fjoG#b26lO6@d!e!#
zbJD?J7bJG97ho3Or@ywKbxd12fJcVXEK!j~C4ZSQl)O|HU%8Z}+P1gQBOmH*IdXs$
z$J<vWf95zZSfo>1JG0;IY*rw43k>m;d<D@x?)aXv6rkE2d^W0$au=&^!D&#%*{9vQ
zA@_cOlWIAsI+dhD1q-AoPKj&0czO1QH{CZZ<>wy<S};2=Ffqt8gt3$fOA?3cEU9<B
z_vKH9_uUfHteyfkQuuAaLDq52#EK}0*pvnOy6N8AZ3ntf@YfbLAx8W;vw8VAJypTZ
z#MJDV=~=9_!UrtZC)2?n%WSc8Ob4Vg=al1*<yQrS_->EZlF0K_#iJ`cLY;sGDjHlV
zDcJkQZ<hMOTiV!^N@4G9aK9jUe8!nuMd<nMav;r@1&hgJo#5TE3`NU7nON}+s((2x
zLmg73RqUS4<Hk~SR3LN0ULN&hsVQvtJFUpQIy<F?#_IUz3@HFT?LlnHw5+UP;ahsZ
z*`>;_ALkRMt571D<I}8AWovl?N2xL$5d!at>tdciTiT24aBa0+UNUyxshzyl@GwEi
z{J_#t7Z`m3hxI!V@?_^L2#9?ab68lyY+w73akHlpXDR&ndE9N==RiS|@{wX_DORiU
zap-@Y>aSD%+d0)ArEcu~-$zjxR_DbEZ_~c0<uS<0-%wA27x?+M*6X>lbf#Yw#?E4t
z*S^Pxop;<tpBq4mSOVBXbOHvUitiNt*Mn^!%T2&R<zd#(uOBd1!vk!pj%prJ&jJcb
z+R3w;H#K{fK#|HD;$@3UI(nj$um{{h5@}Vqm55>!)KYj`c-#WqE|}PxbOb&00p4jg
zy{X3IwC9%3MwtfrU*35t7**tOQ{scV6tohcQZz4KAVmsN&je(7&^D+{6`P>azWI|k
zI@sQ}uXw&{+sYQ$OYpkCeOzhrVWZ9sD$iDBb-te6TBME`U9L}XdSoM)lw<An`1}kz
z%UHt*#>CTthrxq?8Gz@i^$8O3lNt$F?cTH!R^WO?r7f=4uR)Tbp~yGRQXPDKhHcHN
z^G2eR115l8`;(--!@RtTcnSptrTLIiAS&HgyaT3ymlg;otbvccd3pqH^A&*y4_=bI
z+CVI4T8s&6ZUK+7|84-lPY)%oM%3ojd76hKJG>sF2}mValoN^=dp?<=m*Qg-btqQB
z?g4{eKk+V}&V8&)9^6ey_-e6~m~yU5n7~V=7i+VHPiU#!-z$i;W!m{5(E7$pWLAF^
zcOekAZ$j6Ts$!M$rH{tL$O9g$RAN6h0EGvSa|bHERuWcK2R1V&zc^(c7JqQWrtoE4
zyS~KmWLR}}1_ZsyRwMKIeC1VGT46`<KB&GE<i@Zmj#Z4FjVZfK6njL|`FfNYC5X5S
zqf5pMbD8R24=<{|3adr_{OeYK-Rj@at^O#O-c<;sjKVzPWEmalH^mHxKq>LAr<Rne
z5nOq<`g=~t`}SmOdCd4vgN%HoOj{Y?&_|U%;DY<Sj^vf(bV(qxqkM#fnUinCD1LtZ
z0OuLlCrWufIlT@^rtG1put8ceQaJXhb`xkB6p1;9u-O-(VHq#`k0Cf;_;qzPO7$T9
zTX=%k7yG>mRNzRZdk@MQt=nb)#6mMzRN%E6wjPhfa1%ESiQn3{L~jbo&YoDstKJd+
z9Ry|%_M^U1&3p;2;ABpjPO?1PU=bqDDvc;+-X%}KX|P@_t18G{8+fLGr)?nO7ZEYe
zxUKU&Mva@Wq@u=Qzdf^~TdD!4E}!-0!Ya0)m@)D0TuJM|EoFk5K9+UdEnn-2B@cDy
z_YPv|DJmf5Vjp+`c(3I+@OKP#tBf|DSd1ynQL&r-!&h>c%3~*wyF~1_^P~7gsJ39M
zXhc*2N)G2<9D3|d0~g?aminSdLjedJ>Kt~UY;5Y>OL-femYrqV9u<%B>&HWuqaJXt
zo8Op<^R9Su4fB1D#O?gFGPSaF%n>)fd|Mk?{sT7j^r7-rkjd6wz1K^iI6dW;oSwY_
zdXK}qmTrwxCZUVpyd99m0Z(S3r%Sb+lv)-EO(OG#4b?iObHc|C0gG4`Wk%wK=LKL6
z<>adZjb6JDfBC0Btd@gG8WMqL2LevwUxJ4()!cD-Oopbi`|~t@N9+o1mf#iMQl&aQ
zSE6z<nuZl5`6}OaK|f6;=tq|K6EPKHrV8|-JZjL?>TSvU*RlRO*1x4={b|pq2J1~V
zfXpLZignpD-$Sms{+deScD|qF+YhBxvr)+Prr;w9hIdp~@nS>miN|`M0&%PTJsT;?
zHXe|W>S-*{1ugD|tL%ockDp&Zfc-k1{Ac$Hd7f<zS^to|AOqQCoP9r~^8&nllOjM-
z64m&rC!V(f!;-8+&KbVgHDTgW_wTJ(u-d-2D_8moKRWg;t4f_<Y&m>*`zYPoQ2ql$
z!~I-EJfn3DOm*QCN*gwbgPI9A9lNd(Fom<>8ISIOLlK`IP#Rx`=?aZv#ew^4KQ-`B
zjo-p2Z?7GI(-9x9VJsqtlr`&S7EY$Z_F*^-Ch*k>#0O-@e)vi3b)TwQL<|{Z0l-sI
zY4e`Ms3k`MAnL^*@%vE1b8xr|Ou~&+xf&D#cVCd$KFI@{(8FuNzii)@>tWWfld8Qd
zY~HfYI_207OKSLZ(vna@l6K;Xd`s+jYy>8+Zvu#!|C5hOQZgOj&8>wC{1U*)3>f&I
z3FfZ+GTYz5WRKBo@M>Qmx-!0Rg5C{_l7YHFqC#GQ&ycz?f7b?b3<p5*QYE=(Ufa&(
zkA5Hp8y9S7TrRV8c|>=xR-#6j1mynm5W-EoVMxvg_?N~{?sBJ_!f+Z0P)69*?TX=R
z*+M~<NJ-P$?2P@5xk=@diA>4?%N<VfrikHNlZ1TxXF1n9OS8@*Ttr8L!PAdgVErSq
zeF&${0D%haP#DvHp~7R9WE{Y%j(zaTZV{jRidvLWcuUOqKA8;+5*EdXt#+kZct;UB
zSvLQ5t-r4IZ|Yiq%C)6t0O%<Ac4~Po=O!Ok_|(sE8t+oEToRw01?n`}WR#Xdv-4Br
zh^4SUIM}<f&%LDKPSrUIO2i9HI|Hy;z&RMb96!Jk3G2?Ae}4S{-j}krC(r<;IUkHQ
zE<8phD0Y$0y(bd^mcygK5)g3o0vv!TrviT{Pv2Xenf1;+d(^GC`2*~AgmK^1Ti8`@
zRw{Gg=1v2MH&p@o3}S8KlPZ9AAcyDeD%Zy2SdX3oHkW&ppUIMj+kCX|_?mJeAikX3
z6vj&HQsx6D_jjsL0V~c}U}*|MD3=E?1AKu<U&&ib21f<^lzUN{u(ao{hgB>ab8sdp
z*1ea(Z{P@y-P+@JOO`}!77v$fMcd^PmbziD5YEn)qzNM!7!oh%m{N%!Y2gTJA5t2u
zOc<5h{$vF-__P_j9SHfTJFo05fi$oryw|IG;NaK3IgX`V?gCBKkB9+Bw{BO<UBdkC
zHLhr1wgxF1q(;iDN|jtG0e1-1gP5J{gTK}i<r?bZcMk7SpZrjGkh-)_dmZhm_ik_F
zd6D-cult5>_ebo3dAwLumk{4gVb_UVy?^wxibJZr86-?k4jbJ#GKGQH4TEK0<RbQQ
zIL5_d68&~<OFD;-MUidu_9P_fi2$(t9kmw~%3N_ON!&JB0-I!sE6BULeR2NNI6o*C
z+K=auV-?a^Ojz_L3CQHdkGu+v0FXh7%{EPT?w?zG$xj+3jST%=C2HFWqXRw41n1tU
zODqRs;#VGr@^m?g{drM-{^buHU+P4{=dW}9b*_I~=lXM&_l6XnHaKMpVN0(56kt}v
zz*Ul%)8l@UWwxnnU<WqAOsD#e4acmNjCY-Xu;n2FU)~5zEFYyee_jjbO15ujnsjA+
zkiXj+F8=)b0X7QD9xV?xAdm`CLI}!lQsWmnlDb!Tsm-R;)i|6tC0oWJyF=TRR1PDR
zwkHjx7z-H5hVHuXM@hLIX5By)K0SbIpV;eL54K<%*t4AOTuWxtXUdUKW^_`Bg;dE(
zy>KsRW2vv_H%jcL>`}Ku6z^2!$upU4m#ibh63Oonr-D^p!U98W-{QYLZz-V;uWu%1
zYy0}Mc^SUz1@_={%VAx>*xhm~luOa?5fIprNYDmmYy-BVs!G9QgCLBC^TpGvjStcd
zcy{59MLyXPqRbaAr-A2FZKjeb5f~D|mkS62_675^#6w+ZkIRqreOD&c?l%#>l&S=b
zy`GbKiT{Yb9bd+8u(bjLR_AG{3OUC|v7VaRXBpTkZFp6#H{)<P&y!!fxzC6nCB*Fc
zpJ`0?@+yusWX0MJ?0}Fwxr)xB5jwL6MAStO8zF%qmfiSm?K>K);|-2($zz`%UO-aZ
zgVnIn`*So(iT<%FY|r(&QXdY2vWD0yk-kf`73?Sp&SF_F99-A1Ok{O{$ENDjDoaEv
zJNDrxTx#2|65fxjzS<^nqhq+M8mWGIW`lRB26P9aYGeIh+>q}AUK5t&gedmP;holU
zANEcDp=!TJ>LYfUP)2Ex>mcTh|DiNyhXGL}JD^q4ch^Vi8a4HU;XD|8h=1MduY3I)
zyVoBK>Z!xFEqRJ=Zq;wcZvX}fBaylLN=~;iGwWb1K?-g#q_d7#9wt&r&-sp1K9$y)
zKe_>@Htf71>!xT~yUSQ_iygDP;Q(p|w)^wz2TbquD~~9<D?J>D6>KM%M6PQ-${~+e
zC0J@~N=(V>9vgmHfF0R4RTFP3?VD`mSF<fZl5nM3O;RFNB`a)II|GPoM;YL&s;L0n
zpnm72-hd^7VeLn&wo1#=6WHP4Xoy4wU}BpDk`#ZNKf!<;ApPcFm+K4E7>>n8Z&nCM
zlEeB30KNh8i&EgSJ{eDoIY~~>=gnEJeX!$1f(*Dd7eWqy2#(<m9yTl6v#`^5Prgs@
zlInGvA&&L`D#H_^<LTAK5wWm>J#S!MR?3O3zr5S|y3*^X|KUu_3`ae$B)GRhVZPo}
z;M{6S1&<{NMv}U}t5az3-(Be>em>s(<Kj{+C;{b-OLzcV0?gV~s;68i)FHO=E<$nb
z2{g}26D6XZTC+!BVtcU=LYtFTE#)*nI=RpNBXD%~hS!G-ekB-GAUIJY_kO3dSKEuU
zE4Dkfqd!|$-j2%b&aN%?r4ihT?ifmAH)5E9KawWjt^>bPp%H%DLxlBefE^)N0yPyU
z$&XEH5?fK4NfS(%8eMg)iY-L-Bfp!LXMSVB7}E&qJrj*XcDRZdL-=FIehx3+uBVX{
zW%0=0`>{0uxMkXN2jnnJR!<ICsX`OJi!}S8AF@Np->@%E%ZpZ<6NytG_}B7`8ZoU=
z1NEXJk#Vc>Y{i17*PO%q*TMce*uS-d{c-k&ay#(Tj^wll04K4x!t$T|YLIX}-qE@m
ze!xdn?Wt!&dY!Xz8U*NN%8%0n{S5Yq@-`$7SSCMukE1TsZ<t49kMIO+6%6G)>d&tq
z0JtbN!zcuaA4?9aj|PPxE>LZHVl0b*ooCrGNZIMgw*pv)XMu+6c}5XulIZ6YIC|B;
zSmFm$c<{&O>8rQ31M}t;s%#Gm7v~W%vc^g{c?pO*M}{PY<Z}q82OEYbHS8IS03ct&
zl)OED0>T>*TSIWDDSKW7>UrBKfX6I@g}NcRsH%va$}9Nb_>~8R2GS<9JzfM!Aq6l?
z8^k@I=1i-DnsfKf4)UN+a~@=;w5I5#mMEwVk6=95H~4&m%}<|U5fp%?;8^D(@l3*l
zO39~V2KxzeRscwWmz#i;PgnUPtXIJ)2X%mXe4y}h4sYX$N$k^WKcZI*#M@`hTC&nv
zwqa2t;4zU<mHP9Zd!%c4d9^{9mgxte8;gG9k(Lz2eisn{tewMM3i{frAtf#0;u=7C
zt@0=}98_fKiKWLAt9=gZdKCq71=9jziJ)x@xomi>>I?%`z4>O(Juw8gkB7IE3;8Ln
z-UR@}t*S&0MFy#t$XWx2(B~q$uk`I+Y5k)sZ?>+n^v6-V^<)a2X#>dGstyxf>ac&C
zUyKD+S*1RW<k^byoon!-&;6n3u^f}Va()5WlcK>h>?@FLzIo-7sc?u^N2=x-9cX{$
zptm1Cee&Vm2K#5_^?qYhatF7#u&YemqdthdMA=_g=cl6l1<lrMef;ZUe_ia~+Qt4{
z=f~Noc~oEUlJwm!lay}!7h!?zM2D*XP(aTq3+roNvj`E$K_-=UwR<p~z0r))#925}
zp%2xZ0+w0dMoJB9s-ofl0T?FS_Wu0(0dG0oE@i54$4MVj<T!zy@ZQq``WyaGdmeL8
zlCU^mOD<PA=<({`3CRS+?KNR=pk65joMznMGb-iu5yOrR90mT^wFN-M{gRA19!Rrs
zPEa}$B6a#KQCW3~+3&@#$=Z3b_L_(XMceIohym@{o?DzPTX|473A0hXZ)ZW}lcYC_
z%ZE7?1EQC6h!6s%FYn_WxJP6jtp_YJ_gsR+d0;g;i$KI_M!*X=?oqHY_Iv9EzaGg6
zF^Fh`c$QSjX1`M%aREB>i}=`+WtLcYY1rOPw+a@WfU`u&4m!?RLXc5dt~m2)k~u^h
zv|I?Mf`|%xpTbH%ci<LVLFPRiV^KSip#AZ-wqd^lUK;Uqud0c3GB|XcV!jT<;*9*0
zP5qy@{nr7oPbE`=N*{4cx?Y}V=dZsILkB268nNenSAIxWBjCMpNtyn#fP~?_SmX1k
zn4(_Dlu7XPf-%b0>j?G5LgWVeMrG~AW+A3LTJvk<1Dj&DkGK18k^Bq1STQ;vYnBcY
zM0aF_TJkIz0VxT#%A^gurpN(!dt_!G_QT2_$puMf7F<)(W@7ty_}R~o;sPcuz%}JU
zt#Zr%GfGfw1rID-v8$VCGo{A|-7D#1KV5Fg@hm);5-~Up{@SKT3<Gy6vQi&I0Fk^?
zSpwE;FWm`%lPmR|BGy>SUnl$PWdH6?_U9WF7ea`-p2*ie#fH(PP6=@9p79ptexnvx
z6?|}V1s?;FU}1gn-3~-hAy4UOx@x*!lHy&TK46&B>G<72iXDhK`ex0_IK4kN{`~#{
z-k4gumMSO3RZuD8Z;$Y_NZu5anLgb&KYarqWaz_{voo_xmc#8)64>zO?s}zu!5-1k
z8R~oqe{5H+wgM;L=l~XpJd%t%(UP&<m`fbT8Bvv=-;+OnrTO+(-iOt}Ozd<GBa|1I
z`eAZ~I^!^UL|k}i{({3%Wu3=O@N=(W#?euGJ{L#hwW)?95IU%?iOT|C=gyckaBpMI
zk|Yvd+Eh=aR|kOrr?opZ6tuz&)E_(Awblbp^G+$HFdJp*i8!K1K7?wZy=%0y_q92X
zK%l5bvPDUyv{k(r0j#J;ofQLB?U`s(S8*onswW!Mv5A1o3g&c7GXUBhZ{3rK*Rp43
zVSB&P-&?Y<RlX1Ji}5DVm;HZizf(643)+kA!azjj9eKS9^pCt$|AebPT@rya7)|=z
zNel}f<`d$lgGsoy%*vKduh$Ub(@ZdvAnD~(k8H-oqFR-RUh*noSDTu|(SvY4k%Q5l
z&ki3UgbaILzsKR#zRVuP3gW$_`$R(d{;{Cx-rL2!<Z1%LYXl9i<j?W>M8P+RztLM2
z(nMtsYP97bO6=bW0sH+qb@DdSeL3s|*bY=c)CyF2Q*eFOJDhW_A9R1@gIIiwqUHQG
z#=*{kf$y^%A#$dCyeCpP#RN__HWp=Ic2a}I4eCk0rcPv@3cCJvv%hZk{{T1pV?8@B
z_3I8R;TBk?t44C9IE+h~SBmN)dr&xX0+bBu<3B3h^>MWHCdU!@G)mLsP+u}tA65Qj
z)CD-m$MY=eev5x_VZ4tQewoVf=hqK-Wg@z4Tzy`!%5p5SZmE$Xz^C7X&Br>5>R#X>
ztMF#!E=#KFvRly+M`4eHhpbCJlEXE72BOrcpP(?t?B(Q#rkv=JWCtKyKIKMS4=6FN
z><{en3|P^Xb^^HJ-%Db#Ro1|&abFLVo^uF4@AXSD_8o=kpRA)BWMh>SSGeK(;Q6-{
zF!tW|+ez&cH|{Fh;}wL$schmBFMHVL1_B!|@colziTxjq&t}inQKAH&%F)hWA0`}=
zyaTV6k+mLKqC{ALqN8%xaIhH|)tcx2a@}1_`<r0FyOpf+8XX8DXTHiUt=LuIg%ysH
z)+gmigz1->q<H$_-MpeXU0w*e6{f5bYn&G>=8!7OQ2Fn?Qj)~}?E^^W`G2?5>rzkv
z$Wj8-my$8>;-!w1e0A`V1*h{iqe#Qdr`JynRA1d&4a||i{e86P`5jR!B#Mt`rA6Ga
zY&uU>N5CV-89zm6RgPb8=O=Z{*TP%~1q)<&9YyEw<6u1((Znl=mOh&zFR*&mMz|u?
zA)BTWwD(7|IXkYqy<I=GPl34kaW+1LokM8*2CURuO(9YAJpJcYcqWx5VVDPg(GF_o
zh=BF!ySgFl;pe2j`0;X*zNouchD`j-?_EvW&fV{h_9IAj|Nf&Puvp_ZFr$-Zeu<^i
zW|~j(=kbG*$B};>?XRQ#Kf=-e%ovjQ$L*mAr!qTE(nq_Xr(%q}LT;YBU>$0}f09>?
z)v@|*D@tEVLH=sZ6q#*GDVng8{Rs`PApRQ3;hElIQA}{#tR!E$ciZ{r*AKuDz;?qa
zDm=abtm65^RRoQ|8A027idu|IR_-{0Bf^g?PJ9$b2WE5dr^(7tHl|QrE)evS5_p)u
z4cGgOg)=MLnJ`OPeo|ylpHW{$>z7l%b{@z$@YpXfBqF>(5q6}=vXnL5QeVenfz=)g
z@!4b9xa427;j03bm0<$Ww(D*E$WAO{eByiFXNQle{*gFjO}ns0AjCO^14iuXAXj45
z*d92j7t>w}{h`oRcfM%6QEG`o%y27-v`wBlxd$FV2o_TfCX%Z+07#c`ZhU80gjqsq
zWW%;p%APLtPZj&Q{O)vBRvrP2J;GQ8_oh@yAi<0SCwcbo<ITQTCaRcyI*KZsy)R(R
z6Nr~kcbq%J=fs-(J2)tgh}&n7taM6X9f%_tTO^{80}Lv|Hal-Mwse@U0s$RYa^|Z8
z)l07#zrwO#aD4JKCdn^r1HpZa__z-+8juN^eV?x}gU8B&vJKkU(vG_2_7;vrLr~nx
z)Df8^Li`Afrs^%(Ml`a-V&e$<SO9;U6>?R;6?887^!kR~B2j<ImgOA;P?qGTG^uoE
zRA@_6CiVaov4Dw<{Ww)b`J%qG3}rGKlhUI5I(Lvz^HC0!x{;v2)8Q9CAAOX)l}lYd
z*)Wwro9gCZtvI+9B(VKe5Q$g!LM+E#+Ex^lcm3whylw<^|8=#$uJ->7SNpTGlkr}^
zt8?)xZspJ(FpwPDK~DVJ{HpXoHq9W#2rPN95Gme!m#CGG=!#;_XWiq(zwjha)g|P1
zPvlyXJlGKbitp=@4Ey6%cE0`R*AM6*l#k6@d8chd*SX=lpq!2_^%TxGdFv^>ua6_k
zNx@U)Ugy8yXjT3nTn0Gi+5NN`s@g6csnxZ!ZY$N1M(A4W%W=N+x~|`{@Jot;F~2VH
zo<KiT;Y5fy({dtdsL>py+y~sS6(F^On>PuE`=SD<nlylDDC&_1zV|vvS@(yiW{@#G
zH7A<>xvby?Zufek7iVV(d9j^KlmP8sz7gQ9hDnu^fo-fkerL~z4@pGV&BwpN9=%<2
zodYKa;pe<2kb?&i24&T!6455U77eY52-cimYr;1$kr)hrj0%2U;*FQrEnf-v7ypEp
zCmwiSR)MIR5oLanr6i^shjC+EuYY(+B4d^X_oN%VzPG4&)otXr8lWk7ip|d0!wsN2
zg&Ui&{{Y!{{p8Vn<6ayTw<)oWAxqRp;)_29o@iZ=i?FKN%u&+F3X3j6!d43u4+Qcb
z+s7-odDx<z^UnJWd*(9^RAoh!oZk<`XNbbF5vK;2Ghcux1wo&R61@)D4KLTQrjK_x
z$a}k-v%~f6mLPxJ6hjoihCqqpH1|2tuz$|S<2f%&>!{v*o*jOiwUsFUq<prc-)gjs
z;&8-q8tWl79+KR&4HOf6s2+>f%A;%xZ&Y`biPVh`xH^3IhE`6Gv=vGdBnPWj;N1yH
z3U*)nIAXGif}Q#6Y=52Y|1r+?=Pr*>S2+&G;$WU^KW`Ezu5(><k0t=C6xKLFOG)a_
z3~HJ000LxXi+1PdfMLx!qh_aYnBukZSfAc`1(7Ux`uG!+aaMa}vsBN|uOA>!!NKoY
zY*5DwW{Sd`AQRC13T>N*dGZDxo+4RA7or`NqP$<QvQN%LP2A+MM=p96#4lq{2?WwY
z$=|r~VWLCFg<@8_(;C|en1r7!S!?+gkovg~o*`ZXcD)7;kLn2(w!Xdj6VF<kujCv2
zH$&}506`xHhy_-?EO4Hb`*~wQ`_T`HBkG#m_Wx?{Ob+bEVIX>UG!l1qHeB-$Vcye(
z;G_FA9=luriv+*|0aQf-;X0BqgpOA^_<Lu#YF!f>rlkAR60uzRJi;N-E&EaDS97YD
zR}+iGa>Lg}j@f{%5?=mzt^FtjBf-`shiKsQZ*sYR3=j8_epczux3f6PNA{7#Hn-;;
z*FH9(0Wn$G`r>PVz8xDGKe3doW3heG(a*#$Y%lF<#ET2Ye)lV@0&eiN^3CeaTvD?K
z{OU+9p2-H<DH3hzW`7*LB@S=f<S<CSv#r;`o(Mwmquv|VeqI*0;sa-udu&jPBq3MT
z8}A0I<*E<%0lmD2c_bRk4!WwiW>ffzz26c#FB)%plNzWwu;C!oX=#ghBWocU;D9;!
zxsT*@vW4Xn$Bf=wDJ~n|TO1lxb%Ee(?^;v?@0b|bX4#dzkw(Q^l;RZ~ps*Mb@XhTo
z`46c<RRVMN#&L&ds5EeS9MIA$vc6s=O^XyErb}MKsMsbY=CL$lij^FE2+Bmf_|3E^
zGoG)df=mhvSHk_=%07SG{D9;o59N)7(qDJ`b+>=V-TuhHL+T#A+FeVApX$`k^pGc?
zFQjtuV3}+Rm~%;6XFnWg`03>Mph>k=Bn^6{RsFP3NZ;R!ZLN{=M~LV!>_}=7%2n?k
zhf$N1JMYh5KY+cKdSPb?&VgJ*;U_lh<0k+Llx+*S<nC(7<oUIRKkE7Z&vKxme3qP`
z%ks_2Ehm~Kg_SQDP?L5BF)36QTAn1-lIjj34)|lph2d?=!6(i)Sp;5Vci6<T0cFIG
zGQ5wrKzgiC16HP!y2X-z-DP}~dc(ok*TGm8I_#Q-RT<Fcg*!lMk2Y+-a)+Hr8pVKS
z8%B;_J5>%(?s7IbubZOMkdv>874hjs4x{1a2srwY%3XRZyV?QtFK({bvFIF!zpR%t
zMWt^u1CW(#B7v4oWFSh(@QF(5Nyf0r3b1N5=o<OUJ#Umd^2j4h$dJP+MP)*QR2WvE
zR#OCMmiXe%<UmACoG9U?%KJ#S@;+XxNx!c2x!htH`M7ncAm;$9Jng5M@0|8cy(uoX
z)iRAw@V?CnvGBxqu$JB$Jwo<|D^#F!|EgeJg&+`hR#}<TCO+cqM963F`5`roSRY3i
z0``AdSC_qlp=}F@fOiLz@TDhn9<<y$jy8s5RO80>U34g0&Iynlh~jrD8G@|?t#{k%
zX2p=c63%kc;!z|i-6rBEM1D7*uZ^M3G&BraO>Yc-r7d<<T{M~%M1p9v6a>_jh0#{-
zR|)dyn6WBv+GA;^Uh~SM|22RttArdDWFo8}$JQ9tL<g&sm?OCwk^)<NYqm>95;yXI
z`|EJO4);$v+@IQAo~Z;g=jCO^rn<U`qdt>0gWaSiTI^7Ni=CkkqZB3UA5aXKvA3!&
z3NP8_&X`4L*IufSB$;bMOb)bh2H4^}snskIZX(0RK6n55>jy{?@dU|}6zl+YzRxCL
zG+bduJ&w@8iUN?pg1kZI?Ld^%3wm34r62&rSpUot$AKvNr&f)}7Ij56Lp_w3Fy>kE
zghZ!Kz2SY-bPQlW#j9HKjwR*ih~I$9#FqN8*Rsgu;N?vFuy{14aH2!5YuH5oS}4!u
z#83C_d^}KD#$*7ToUTCyu%3B@@>!eL0!KT8^;$A|S6V8AVtr%hTKOIeE0#tOh({>7
z8*J?jz&%#5TUZVZVWuxz-rek4?b`A>sp3oL!GmotT<*og>X5=~xuMFT<s1~7g=K;3
zit2DrZ&smpXm3@(n$V?cvymyUwMY(flYBD0MP-xq2E}?NnCI=@g?V)o@24Ci0=j87
zMc>x;{%iyMCE%zHNR)=l9<giU!rI`*69D_p6G`eAN-IQWlY$_PmWB1tVdL!m;0VFp
zUA+O@XO+`A9;-U!22Xo934&v4q+9B}zF4LgPdOwW;q;Vb$8WM*{N?l^37O~P<RoG|
z$7{xlAuAqEc5*UK38p5IAteJ&l6W<H7HT56-w5(2#e2IqTc^m*Nw&i0A9npNQX7sH
zrL9vP<J*&s%}UHx=1-M7<4A+a3MY>>(0k-848fd(6R#vk4Z+ELa^eWF&y?lNu@NWD
z<gDOXDj`3637)`wyBQ^hxeg6@>1r2cZ4cPJa`t}nZ1R&72NHi>?$_o1DVO^*<q22e
z#j&V!&+ZNx4)5u)o)D#lC+h~_)UD#xC5P)hZ9GKb5RUL7Wk87XL-C9VeE5(S8@9op
z9J-wBXS7e3*}DzZ!*HSWq&eU4^Vbi^IZw=d`TN-9vLYTDp#qH9L&p5EY9UC+@b9!K
z?sPc}_^~2QZQ$n=f-80)kW>R8Nu|?u78a<mlo2}vc=bGcs%^5A8XE`8x9#b{o7bEN
z{{W!?R)AkNGN0n^`<04Rw8M^K<;RF9Y+CklUB+F2FK`fa1PB7{OCp5Hxb+F}+Lm+6
zwq-pjZb6X*y6GO<uVnL0V*`osU|;iqcyZ3wgsTJGEdho7Y2QWst#9d%_%kM32dB5}
z3zxyFwsSGS(7H<N&w~N*BPzi(46xggc<i~hr3#E#s^j2}!QsiOp0wp4w}PDSLx4(!
zh{>~-aCk1l1|EZt)XxKAT5~TliI0WTc4@V6NIJSb)&%xf-bW?+UJ{LQZE}}PjE#S{
zEKzT9a!M-5I7tRDAHwrv3G6LIgBI|D?eIC!7=*X$+!kT@{nTc{A(ZBctyl8}2Z3?;
zTpvxOO)L4;^@-9*5}afzHd!Jr+FN<TyBx$@w$>5K`Jn1_wql}quGf-$q?cKs?dQlA
zQaziTseVL*N1}eb@9ll2Oj?nr{AT;zuaO>GC6fb;HsCyHTm^WR_E>)^4j$Avf3EPH
z<WJSPp2Cz1#1b1><>g!hzi+8mdb^(@xg;Z*5M=9Rw*_XbT;B6P>9Lx1wkPINz|cue
zz)Z%9)tnhtPA91gm8D`XgSRC@=3l4#b-I7f>HdH+hb?hW*kr*Iquhg3eUDGOqX<Wr
z+`n=vN`q9$DP^s>pjNTsxVIIDbUM}!%zY<$r$e$zZNAGjFAY=mQV09Wm$bfNaU_go
zWWK>)KcGl&r;?h)8PaT&F-g|DEDT_ybb+1WaQ5T*_$k@*Y4wRLMapZgu&!9z0>c7g
z<BLG-K2*LL&Wz#M)26hGrL37gO;OPAe8FS=K0{{8H-b(TwRyS__3#~nrJBeFs?aSE
z1rUL$x5a>qVF3{OCVpJt8n)vEY)=mnZRZ<!Mm<gG$^Jiq#%qMICjcK)qUGgj0J<ks
z3r7otoSqGUjUy*3-({JGzcz9|L45wT==bgAItG;po)$=ms4B3^H1=k@K@J#JF5<}7
zW#KFrw|%7~!|C1<ojAw&^GCt2G7s-9ffuGg>i<lZ`X$7&=om7vDvq6uh83vVyoE`;
z-{kF=BpIMlV&}Jw4V>HUac`=6=5_FmgKNtAEcgY_XE5(%2@?lFuDF97WD=Vk)xfH=
zc<~mX-x17jS?k#~cj{|8+po7<_PxJps>8OdM_li%La5CtaCYFe##a;}c$Eg^Jw|ez
z`)+kX!?h2zZnlRYtG3PH#89SX$dXmhwk|>(;xC-A7{2@+Bz`!RIi7sU{P9YjkyT^M
zU&9|?S=DcRGQZibQvm4*(>{ltp6vX!#X~|yoS#rZpFhg`@P*m5i{-91mHj?PMO5;|
zTO52=#epLrDH^*ZNhXWSQv%V6&DzuByuJ;O!7fhQTuCjv<T&Q0BNA7uy_gs#>$p9a
z!zR6Yp7rZ?zi#&ry4@cz*pY+dxja`jXBOt`j9TBtM|_>fR43(1N_D_LWXB&9N8#iu
z!y!t^oO1Ilml4S}awRaQO>nF=p7SNX@AZEHj^x5u76^rj$Io9spvqOnuQcg?l8Vvk
zErVSA(Y}h(rPG>@Hy{#7*lSg@!=!hg3gD88Z#hK+R`=p+V2lQrbL;+K?MgV+J1U8L
zb8xw-RSs_8n*l4A4TV<)gYrDS#|3kRJ$Uq2(n*&6gDL$2;Z<3m#i})WlgyGUeQFEA
zTqgpbq{PFuXL_66b-)C^fZh4l9)N9uPaz;o47<s8F@c0B4SNpA#2u6d`QyD!`alV@
z+EZ_EQAilT;_P#YHnOSX2^9DC%dRLJCuXY30)U?rQ6%AJ{mqWFeH@N_r=4>(^Dw{_
z+4VtkyhuOWnH)!1OLul00DkPLo_9Im)m57XwXsMM-xFzrRoV32h&e&}kwILEtb1@i
zZ^Ua8cba4%-u8U__7nU^ls;3=CN*(@RRYwl9(W+GJEk>RIs&ilB7}N_Sde$*VH;w(
za!v-dV~jJA&x(b=c=!U@J~6c*Y61P*KSm6wOS0xe$bXH7b@EQ;XCx-X8j$z31)!d<
ztJ7P`v?aGGl|$jRw0>(yfZB)ky?}20d@A|5TT&`c-BS{e_!PC+AK8qt+2B|QNV&_S
zg25H%`Q!*__RW~X<;<GaAEzZQ!DbNq`zJMe*}kAEJ06d5kvb@6$6<(#N{yq|yPNlR
z!aT3c&yN#1`@AIGfjAxB(16)wS+-1IgEz~5>0ORpt*h259k(Pr&#&YCI^I9&cz=p)
zQI7;VUymBF2uLCKd5T@RkS2?-hwLNQsVn;x4_L4wR|n^M^gLfS);d@tmUsq^TlPmc
zfcxAi|KHeZYq3^<P}{JgEPCPo{PhFkTzjcK9X<lRj_Ck;m;KaoS9#`cs~)G{*Q&WR
zf{!=Xq2|d>?FnckW~2|NkpIi5RBTY-(}3h^h%0`>KV|vRr7(z1$r|aFzC669rC{9q
zcIh5FzqLm>VLN9%B|m7AL}ZC8<G_hB5UB@T1>i>Bys!}YfW0#!Gf;i27xlpNYP=J1
zZD2B`+LRBdU!Pz3{!&GIfo-ARerYv%0F3jKT{)Sz#4OWeTUV5anD|!`UJkOd#BJCZ
zO53a^?P9Q8;XEAwqKFJ=^3C<D`0VdH0Q`nD|D*!4KZ569X#q9hsI=&`Ejz?VawNG&
z0QnbaOs11nb+y|tYz6y()k(?|gLsX7f%2|Hdz)Qhzj$}~OqzYyyf|2}W8`5!Y_3Xv
z<ET)h-j1TK0{14^O$sHwN-zM`dk<=n+f~>)8yo?tZnd-}X({2*q8DOh0`DbE+Azjp
z5*=fH0})Olkb6yg#`F0+xH#WO$~3zizSe@7-52K+qJ%e<4CLawgn=(x;m3}|z>#-X
zD5;)2$#H6Fd=FW{rhV%jNK1^nWG9X>Hg#2JmJKsLVC+MJ2*l?oc$^B0Bp&z)2jzKw
z_I^0!h?t?N$z+)+mrjUn4pht9>8n?w5r4v9O{;ckK_y%%o3n}tWG&dBMWw;}Ra@%T
z4#_D!jFE32Sa+{)>#$q>N(H*slxg7C^?qINA9cMy<epCTwBA%~+qO+z@k?t3)PVhv
z>qh=jIh<wpz{(Q!D`#!}w@cN)x%z^Ave`S^0Q$sCZXzAU@j?cHUb~EeeVn-ppSV~o
zQzlja`RfO;k>t)f#3niY85^7;!NwZcKNfegf<I>zD;$`$)qH6eb_M5sH`~vVAW5AR
zl4_}pSrK3cV7E$HHP!<TW20<fpA#heRIrG1xAS~tyj$UIPI-XLTwbnk@XD0QegjHy
zhX-Jr%ab-ASG+!Z2^+OwluKCrY{kC!eU6;?U?<$XR!cM$++-tkvtCf}BRM_VdH83Y
z+;sm5xk~@v-tK6$T!>C5sm}+vo?vp!#bNHIq#4*)^!`l3fT7S{wo*RU4xhC|xzSs9
znKaieSiYXey4a?83T8d-)+8+gc_9~Uro*-32X$^^VfDTHg`s_ktrCx5srC#sXO$yB
zv@asjRV?0VKvrT}(!yA$OvLlCXFiW3S5#C6DcC|6EPd1?l;k+Lp~%sq!{xJP<!O!)
z;=`3F%jX&S7N$ELkLHv9@97}e$ntTrfw+R*rL-6>P99ahwk$m-%Y=~=TUqcI4^}*;
zk__Mii=^uPS~qbmCkonEDH@<|d<Vn$*x<T%B`^DHWnM9glRNt@qh~6zOoJ1x%Xhxb
z`Jbb@j(MMb%S+_YSa1na!RR=~gW>Lc6-@V@F*%S1^8JZT{bGKiWC9E38u+fEtVd?B
ztSTUm3^?E4oc1Ar-9DA;ScFO&B`PcYsVd0jMoK}T<-p}Q=DXVq8dNua#L=W2sg0{F
z(3s8#s4V>Je80~3&pO|qTtS@Ip-cP^e6j3K9|urn?|D%5j0{()x8y}b98n<~ULAnd
zA4#>Q>MAy4joKxtR~a=VTq5W7&2i$Le85{d4R>%PWt3bm;18e{e*XFa0T%$EscRO6
z53)QKtGcJ2>mb^;B<v(m0A}D7RUNq3(P)JeQUNXl(fkflkpMQ{kHF7)XQl93?(Aj)
z_9`ME(3}L9SKf;jJ1&qg))x<#^$C<)orhXuhPRI(4CIs#?er3@@n|p@yCUmTy2x6k
z+>pe5+&aMsc%6JFn0>(YE$b$k^jlJn0B{UkRaK2mJ8XW%$jBr1lotwU>3drJCk=mz
zUxN*MA4xxnJ_$UTb0;F^A#ckJwsfCJL?O}Vg{z1V&<GR;vnp=1-t3jp6Nr?}o;@BT
zW#X*TX$|kTuq=?+WBc3b%dUH14K6PRPWa<|10PRT^Mw8sXAc5D_Bz=1Y}|B9x|TNi
zjG!{wp$YgM%8|a0oR7g#a=ZoueO2C5Up`vU2}O=Ch071?K0d{9{5dN|+SFLsS&;&w
z9UJiV-?iQICAk9L9^8*`Ln89s`j9(qLd+lr1bNm}lNhTOVva%@#QebirX_U?JB+=T
zVOtuR7|%>3ZxS#|vR$8#GGzi>PwG8~X~%zkL4)&zfsqmZF<79o#G$9FW7ws&CiANG
z6ES||AjddYR_cjRa;0+VU*(A(c!*XU6RiCFIJOJ^qN;DLiGxn4i!m<;Hb!*RaggbG
zMN`&!i@hX7L#dsYxu0q3;+*5v+4S|sX`9LPzK@KD-05Mlq;-|A>z+rtRx-m}In;<N
zBgm2yy`OyK1J9Ymgad@MPlJh^A)U;s)RyDQO%?ZcH|sSx2V!TLBHqceP1UG808hSO
zbv4^m!3*v;eS8H(;yxVCh=+yX7&elzcGgj=l(g)X`6h|%`bN^Qzoi}$nbQ{l&ofj}
zKI>!2xtyod`(i$3D97s^CVTCFOP8;-%Gw#a<D$InBPnafCXPyksxAT(jEYsZ&Cpc|
zCUKiHDMb62+nWZ+bh{+RJw^UecDSinrUoINE_*>x`qI;qUnbRFa?!PUSbKJQm=j{_
zMd8a3BnGU6f|Wj|y5nsqA%vqQ{wTSWtUns7^GEgVjU)k(vnB?whE-9*nBMD!z5*iQ
z8%+fvO$T|-?N$k2&ZF5PK|v6KX#|I42*#wiX{g$Q>&&lAhWqj}#e_BdhTq@t`x}0L
T!|y*De*gRjX1oxufGGk1?cM`*

diff --git a/vendor/golang.org/x/crypto/hkdf/example_test.go b/vendor/golang.org/x/crypto/hkdf/example_test.go
deleted file mode 100644
index df843951..00000000
--- a/vendor/golang.org/x/crypto/hkdf/example_test.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package hkdf_test
-
-import (
-	"bytes"
-	"crypto/rand"
-	"crypto/sha256"
-	"fmt"
-	"golang.org/x/crypto/hkdf"
-	"io"
-)
-
-// Usage example that expands one master key into three other cryptographically
-// secure keys.
-func Example_usage() {
-	// Underlying hash function to use
-	hash := sha256.New
-
-	// Cryptographically secure master key.
-	master := []byte{0x00, 0x01, 0x02, 0x03} // i.e. NOT this.
-
-	// Non secret salt, optional (can be nil)
-	// Recommended: hash-length sized random
-	salt := make([]byte, hash().Size())
-	n, err := io.ReadFull(rand.Reader, salt)
-	if n != len(salt) || err != nil {
-		fmt.Println("error:", err)
-		return
-	}
-
-	// Non secret context specific info, optional (can be nil).
-	// Note, independent from the master key.
-	info := []byte{0x03, 0x14, 0x15, 0x92, 0x65}
-
-	// Create the key derivation function
-	hkdf := hkdf.New(hash, master, salt, info)
-
-	// Generate the required keys
-	keys := make([][]byte, 3)
-	for i := 0; i < len(keys); i++ {
-		keys[i] = make([]byte, 24)
-		n, err := io.ReadFull(hkdf, keys[i])
-		if n != len(keys[i]) || err != nil {
-			fmt.Println("error:", err)
-			return
-		}
-	}
-
-	// Keys should contain 192 bit random keys
-	for i := 1; i <= len(keys); i++ {
-		fmt.Printf("Key #%d: %v\n", i, !bytes.Equal(keys[i-1], make([]byte, 24)))
-	}
-
-	// Output:
-	// Key #1: true
-	// Key #2: true
-	// Key #3: true
-}
diff --git a/vendor/golang.org/x/crypto/hkdf/hkdf.go b/vendor/golang.org/x/crypto/hkdf/hkdf.go
deleted file mode 100644
index 5bc24635..00000000
--- a/vendor/golang.org/x/crypto/hkdf/hkdf.go
+++ /dev/null
@@ -1,75 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package hkdf implements the HMAC-based Extract-and-Expand Key Derivation
-// Function (HKDF) as defined in RFC 5869.
-//
-// HKDF is a cryptographic key derivation function (KDF) with the goal of
-// expanding limited input keying material into one or more cryptographically
-// strong secret keys.
-//
-// RFC 5869: https://tools.ietf.org/html/rfc5869
-package hkdf // import "golang.org/x/crypto/hkdf"
-
-import (
-	"crypto/hmac"
-	"errors"
-	"hash"
-	"io"
-)
-
-type hkdf struct {
-	expander hash.Hash
-	size     int
-
-	info    []byte
-	counter byte
-
-	prev  []byte
-	cache []byte
-}
-
-func (f *hkdf) Read(p []byte) (int, error) {
-	// Check whether enough data can be generated
-	need := len(p)
-	remains := len(f.cache) + int(255-f.counter+1)*f.size
-	if remains < need {
-		return 0, errors.New("hkdf: entropy limit reached")
-	}
-	// Read from the cache, if enough data is present
-	n := copy(p, f.cache)
-	p = p[n:]
-
-	// Fill the buffer
-	for len(p) > 0 {
-		f.expander.Reset()
-		f.expander.Write(f.prev)
-		f.expander.Write(f.info)
-		f.expander.Write([]byte{f.counter})
-		f.prev = f.expander.Sum(f.prev[:0])
-		f.counter++
-
-		// Copy the new batch into p
-		f.cache = f.prev
-		n = copy(p, f.cache)
-		p = p[n:]
-	}
-	// Save leftovers for next run
-	f.cache = f.cache[n:]
-
-	return need, nil
-}
-
-// New returns a new HKDF using the given hash, the secret keying material to expand
-// and optional salt and info fields.
-func New(hash func() hash.Hash, secret, salt, info []byte) io.Reader {
-	if salt == nil {
-		salt = make([]byte, hash().Size())
-	}
-	extractor := hmac.New(hash, salt)
-	extractor.Write(secret)
-	prk := extractor.Sum(nil)
-
-	return &hkdf{hmac.New(hash, prk), extractor.Size(), info, 1, nil, nil}
-}
diff --git a/vendor/golang.org/x/crypto/hkdf/hkdf_test.go b/vendor/golang.org/x/crypto/hkdf/hkdf_test.go
deleted file mode 100644
index cee659bc..00000000
--- a/vendor/golang.org/x/crypto/hkdf/hkdf_test.go
+++ /dev/null
@@ -1,370 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-package hkdf
-
-import (
-	"bytes"
-	"crypto/md5"
-	"crypto/sha1"
-	"crypto/sha256"
-	"crypto/sha512"
-	"hash"
-	"io"
-	"testing"
-)
-
-type hkdfTest struct {
-	hash   func() hash.Hash
-	master []byte
-	salt   []byte
-	info   []byte
-	out    []byte
-}
-
-var hkdfTests = []hkdfTest{
-	// Tests from RFC 5869
-	{
-		sha256.New,
-		[]byte{
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-		},
-		[]byte{
-			0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-			0x08, 0x09, 0x0a, 0x0b, 0x0c,
-		},
-		[]byte{
-			0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-			0xf8, 0xf9,
-		},
-		[]byte{
-			0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
-			0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
-			0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
-			0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
-			0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
-			0x58, 0x65,
-		},
-	},
-	{
-		sha256.New,
-		[]byte{
-			0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-			0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-			0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
-			0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
-			0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-			0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-			0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
-			0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-			0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
-		},
-		[]byte{
-			0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-			0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-			0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-			0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
-			0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-			0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-			0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
-			0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
-			0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-			0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
-		},
-		[]byte{
-			0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-			0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
-			0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-			0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
-			0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
-			0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-			0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
-			0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
-			0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-			0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff,
-		},
-		[]byte{
-			0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1,
-			0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34,
-			0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
-			0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c,
-			0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72,
-			0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
-			0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8,
-			0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71,
-			0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
-			0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f,
-			0x1d, 0x87,
-		},
-	},
-	{
-		sha256.New,
-		[]byte{
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-		},
-		[]byte{},
-		[]byte{},
-		[]byte{
-			0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f,
-			0x71, 0x5f, 0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31,
-			0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e,
-			0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d,
-			0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a,
-			0x96, 0xc8,
-		},
-	},
-	{
-		sha1.New,
-		[]byte{
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-			0x0b, 0x0b, 0x0b,
-		},
-		[]byte{
-			0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-			0x08, 0x09, 0x0a, 0x0b, 0x0c,
-		},
-		[]byte{
-			0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-			0xf8, 0xf9,
-		},
-		[]byte{
-			0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69,
-			0x33, 0x06, 0x8b, 0x56, 0xef, 0xa5, 0xad, 0x81,
-			0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b, 0x09, 0x15,
-			0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2,
-			0xc2, 0x2e, 0x42, 0x24, 0x78, 0xd3, 0x05, 0xf3,
-			0xf8, 0x96,
-		},
-	},
-	{
-		sha1.New,
-		[]byte{
-			0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-			0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-			0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
-			0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
-			0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-			0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-			0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
-			0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-			0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
-		},
-		[]byte{
-			0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-			0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-			0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-			0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
-			0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-			0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-			0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
-			0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
-			0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-			0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
-		},
-		[]byte{
-			0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-			0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
-			0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-			0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
-			0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
-			0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-			0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
-			0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
-			0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-			0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff,
-		},
-		[]byte{
-			0x0b, 0xd7, 0x70, 0xa7, 0x4d, 0x11, 0x60, 0xf7,
-			0xc9, 0xf1, 0x2c, 0xd5, 0x91, 0x2a, 0x06, 0xeb,
-			0xff, 0x6a, 0xdc, 0xae, 0x89, 0x9d, 0x92, 0x19,
-			0x1f, 0xe4, 0x30, 0x56, 0x73, 0xba, 0x2f, 0xfe,
-			0x8f, 0xa3, 0xf1, 0xa4, 0xe5, 0xad, 0x79, 0xf3,
-			0xf3, 0x34, 0xb3, 0xb2, 0x02, 0xb2, 0x17, 0x3c,
-			0x48, 0x6e, 0xa3, 0x7c, 0xe3, 0xd3, 0x97, 0xed,
-			0x03, 0x4c, 0x7f, 0x9d, 0xfe, 0xb1, 0x5c, 0x5e,
-			0x92, 0x73, 0x36, 0xd0, 0x44, 0x1f, 0x4c, 0x43,
-			0x00, 0xe2, 0xcf, 0xf0, 0xd0, 0x90, 0x0b, 0x52,
-			0xd3, 0xb4,
-		},
-	},
-	{
-		sha1.New,
-		[]byte{
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-		},
-		[]byte{},
-		[]byte{},
-		[]byte{
-			0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61,
-			0xd1, 0xe5, 0x52, 0x98, 0xda, 0x9d, 0x05, 0x06,
-			0xb9, 0xae, 0x52, 0x05, 0x72, 0x20, 0xa3, 0x06,
-			0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0,
-			0xea, 0x00, 0x03, 0x3d, 0xe0, 0x39, 0x84, 0xd3,
-			0x49, 0x18,
-		},
-	},
-	{
-		sha1.New,
-		[]byte{
-			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
-			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
-			0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
-		},
-		nil,
-		[]byte{},
-		[]byte{
-			0x2c, 0x91, 0x11, 0x72, 0x04, 0xd7, 0x45, 0xf3,
-			0x50, 0x0d, 0x63, 0x6a, 0x62, 0xf6, 0x4f, 0x0a,
-			0xb3, 0xba, 0xe5, 0x48, 0xaa, 0x53, 0xd4, 0x23,
-			0xb0, 0xd1, 0xf2, 0x7e, 0xbb, 0xa6, 0xf5, 0xe5,
-			0x67, 0x3a, 0x08, 0x1d, 0x70, 0xcc, 0xe7, 0xac,
-			0xfc, 0x48,
-		},
-	},
-}
-
-func TestHKDF(t *testing.T) {
-	for i, tt := range hkdfTests {
-		hkdf := New(tt.hash, tt.master, tt.salt, tt.info)
-		out := make([]byte, len(tt.out))
-
-		n, err := io.ReadFull(hkdf, out)
-		if n != len(tt.out) || err != nil {
-			t.Errorf("test %d: not enough output bytes: %d.", i, n)
-		}
-
-		if !bytes.Equal(out, tt.out) {
-			t.Errorf("test %d: incorrect output: have %v, need %v.", i, out, tt.out)
-		}
-	}
-}
-
-func TestHKDFMultiRead(t *testing.T) {
-	for i, tt := range hkdfTests {
-		hkdf := New(tt.hash, tt.master, tt.salt, tt.info)
-		out := make([]byte, len(tt.out))
-
-		for b := 0; b < len(tt.out); b++ {
-			n, err := io.ReadFull(hkdf, out[b:b+1])
-			if n != 1 || err != nil {
-				t.Errorf("test %d.%d: not enough output bytes: have %d, need %d .", i, b, n, len(tt.out))
-			}
-		}
-
-		if !bytes.Equal(out, tt.out) {
-			t.Errorf("test %d: incorrect output: have %v, need %v.", i, out, tt.out)
-		}
-	}
-}
-
-func TestHKDFLimit(t *testing.T) {
-	hash := sha1.New
-	master := []byte{0x00, 0x01, 0x02, 0x03}
-	info := []byte{}
-
-	hkdf := New(hash, master, nil, info)
-	limit := hash().Size() * 255
-	out := make([]byte, limit)
-
-	// The maximum output bytes should be extractable
-	n, err := io.ReadFull(hkdf, out)
-	if n != limit || err != nil {
-		t.Errorf("not enough output bytes: %d, %v.", n, err)
-	}
-
-	// Reading one more should fail
-	n, err = io.ReadFull(hkdf, make([]byte, 1))
-	if n > 0 || err == nil {
-		t.Errorf("key expansion overflowed: n = %d, err = %v", n, err)
-	}
-}
-
-func Benchmark16ByteMD5Single(b *testing.B) {
-	benchmarkHKDFSingle(md5.New, 16, b)
-}
-
-func Benchmark20ByteSHA1Single(b *testing.B) {
-	benchmarkHKDFSingle(sha1.New, 20, b)
-}
-
-func Benchmark32ByteSHA256Single(b *testing.B) {
-	benchmarkHKDFSingle(sha256.New, 32, b)
-}
-
-func Benchmark64ByteSHA512Single(b *testing.B) {
-	benchmarkHKDFSingle(sha512.New, 64, b)
-}
-
-func Benchmark8ByteMD5Stream(b *testing.B) {
-	benchmarkHKDFStream(md5.New, 8, b)
-}
-
-func Benchmark16ByteMD5Stream(b *testing.B) {
-	benchmarkHKDFStream(md5.New, 16, b)
-}
-
-func Benchmark8ByteSHA1Stream(b *testing.B) {
-	benchmarkHKDFStream(sha1.New, 8, b)
-}
-
-func Benchmark20ByteSHA1Stream(b *testing.B) {
-	benchmarkHKDFStream(sha1.New, 20, b)
-}
-
-func Benchmark8ByteSHA256Stream(b *testing.B) {
-	benchmarkHKDFStream(sha256.New, 8, b)
-}
-
-func Benchmark32ByteSHA256Stream(b *testing.B) {
-	benchmarkHKDFStream(sha256.New, 32, b)
-}
-
-func Benchmark8ByteSHA512Stream(b *testing.B) {
-	benchmarkHKDFStream(sha512.New, 8, b)
-}
-
-func Benchmark64ByteSHA512Stream(b *testing.B) {
-	benchmarkHKDFStream(sha512.New, 64, b)
-}
-
-func benchmarkHKDFSingle(hasher func() hash.Hash, block int, b *testing.B) {
-	master := []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}
-	salt := []byte{0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17}
-	info := []byte{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27}
-	out := make([]byte, block)
-
-	b.SetBytes(int64(block))
-	b.ResetTimer()
-
-	for i := 0; i < b.N; i++ {
-		hkdf := New(hasher, master, salt, info)
-		io.ReadFull(hkdf, out)
-	}
-}
-
-func benchmarkHKDFStream(hasher func() hash.Hash, block int, b *testing.B) {
-	master := []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}
-	salt := []byte{0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17}
-	info := []byte{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27}
-	out := make([]byte, block)
-
-	b.SetBytes(int64(block))
-	b.ResetTimer()
-
-	hkdf := New(hasher, master, salt, info)
-	for i := 0; i < b.N; i++ {
-		_, err := io.ReadFull(hkdf, out)
-		if err != nil {
-			hkdf = New(hasher, master, salt, info)
-			i--
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/internal/chacha20/chacha_generic.go b/vendor/golang.org/x/crypto/internal/chacha20/chacha_generic.go
deleted file mode 100644
index 0f8efdba..00000000
--- a/vendor/golang.org/x/crypto/internal/chacha20/chacha_generic.go
+++ /dev/null
@@ -1,198 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package ChaCha20 implements the core ChaCha20 function as specified in https://tools.ietf.org/html/rfc7539#section-2.3.
-package chacha20
-
-import "encoding/binary"
-
-const rounds = 20
-
-// core applies the ChaCha20 core function to 16-byte input in, 32-byte key k,
-// and 16-byte constant c, and puts the result into 64-byte array out.
-func core(out *[64]byte, in *[16]byte, k *[32]byte) {
-	j0 := uint32(0x61707865)
-	j1 := uint32(0x3320646e)
-	j2 := uint32(0x79622d32)
-	j3 := uint32(0x6b206574)
-	j4 := binary.LittleEndian.Uint32(k[0:4])
-	j5 := binary.LittleEndian.Uint32(k[4:8])
-	j6 := binary.LittleEndian.Uint32(k[8:12])
-	j7 := binary.LittleEndian.Uint32(k[12:16])
-	j8 := binary.LittleEndian.Uint32(k[16:20])
-	j9 := binary.LittleEndian.Uint32(k[20:24])
-	j10 := binary.LittleEndian.Uint32(k[24:28])
-	j11 := binary.LittleEndian.Uint32(k[28:32])
-	j12 := binary.LittleEndian.Uint32(in[0:4])
-	j13 := binary.LittleEndian.Uint32(in[4:8])
-	j14 := binary.LittleEndian.Uint32(in[8:12])
-	j15 := binary.LittleEndian.Uint32(in[12:16])
-
-	x0, x1, x2, x3, x4, x5, x6, x7 := j0, j1, j2, j3, j4, j5, j6, j7
-	x8, x9, x10, x11, x12, x13, x14, x15 := j8, j9, j10, j11, j12, j13, j14, j15
-
-	for i := 0; i < rounds; i += 2 {
-		x0 += x4
-		x12 ^= x0
-		x12 = (x12 << 16) | (x12 >> (16))
-		x8 += x12
-		x4 ^= x8
-		x4 = (x4 << 12) | (x4 >> (20))
-		x0 += x4
-		x12 ^= x0
-		x12 = (x12 << 8) | (x12 >> (24))
-		x8 += x12
-		x4 ^= x8
-		x4 = (x4 << 7) | (x4 >> (25))
-		x1 += x5
-		x13 ^= x1
-		x13 = (x13 << 16) | (x13 >> 16)
-		x9 += x13
-		x5 ^= x9
-		x5 = (x5 << 12) | (x5 >> 20)
-		x1 += x5
-		x13 ^= x1
-		x13 = (x13 << 8) | (x13 >> 24)
-		x9 += x13
-		x5 ^= x9
-		x5 = (x5 << 7) | (x5 >> 25)
-		x2 += x6
-		x14 ^= x2
-		x14 = (x14 << 16) | (x14 >> 16)
-		x10 += x14
-		x6 ^= x10
-		x6 = (x6 << 12) | (x6 >> 20)
-		x2 += x6
-		x14 ^= x2
-		x14 = (x14 << 8) | (x14 >> 24)
-		x10 += x14
-		x6 ^= x10
-		x6 = (x6 << 7) | (x6 >> 25)
-		x3 += x7
-		x15 ^= x3
-		x15 = (x15 << 16) | (x15 >> 16)
-		x11 += x15
-		x7 ^= x11
-		x7 = (x7 << 12) | (x7 >> 20)
-		x3 += x7
-		x15 ^= x3
-		x15 = (x15 << 8) | (x15 >> 24)
-		x11 += x15
-		x7 ^= x11
-		x7 = (x7 << 7) | (x7 >> 25)
-		x0 += x5
-		x15 ^= x0
-		x15 = (x15 << 16) | (x15 >> 16)
-		x10 += x15
-		x5 ^= x10
-		x5 = (x5 << 12) | (x5 >> 20)
-		x0 += x5
-		x15 ^= x0
-		x15 = (x15 << 8) | (x15 >> 24)
-		x10 += x15
-		x5 ^= x10
-		x5 = (x5 << 7) | (x5 >> 25)
-		x1 += x6
-		x12 ^= x1
-		x12 = (x12 << 16) | (x12 >> 16)
-		x11 += x12
-		x6 ^= x11
-		x6 = (x6 << 12) | (x6 >> 20)
-		x1 += x6
-		x12 ^= x1
-		x12 = (x12 << 8) | (x12 >> 24)
-		x11 += x12
-		x6 ^= x11
-		x6 = (x6 << 7) | (x6 >> 25)
-		x2 += x7
-		x13 ^= x2
-		x13 = (x13 << 16) | (x13 >> 16)
-		x8 += x13
-		x7 ^= x8
-		x7 = (x7 << 12) | (x7 >> 20)
-		x2 += x7
-		x13 ^= x2
-		x13 = (x13 << 8) | (x13 >> 24)
-		x8 += x13
-		x7 ^= x8
-		x7 = (x7 << 7) | (x7 >> 25)
-		x3 += x4
-		x14 ^= x3
-		x14 = (x14 << 16) | (x14 >> 16)
-		x9 += x14
-		x4 ^= x9
-		x4 = (x4 << 12) | (x4 >> 20)
-		x3 += x4
-		x14 ^= x3
-		x14 = (x14 << 8) | (x14 >> 24)
-		x9 += x14
-		x4 ^= x9
-		x4 = (x4 << 7) | (x4 >> 25)
-	}
-
-	x0 += j0
-	x1 += j1
-	x2 += j2
-	x3 += j3
-	x4 += j4
-	x5 += j5
-	x6 += j6
-	x7 += j7
-	x8 += j8
-	x9 += j9
-	x10 += j10
-	x11 += j11
-	x12 += j12
-	x13 += j13
-	x14 += j14
-	x15 += j15
-
-	binary.LittleEndian.PutUint32(out[0:4], x0)
-	binary.LittleEndian.PutUint32(out[4:8], x1)
-	binary.LittleEndian.PutUint32(out[8:12], x2)
-	binary.LittleEndian.PutUint32(out[12:16], x3)
-	binary.LittleEndian.PutUint32(out[16:20], x4)
-	binary.LittleEndian.PutUint32(out[20:24], x5)
-	binary.LittleEndian.PutUint32(out[24:28], x6)
-	binary.LittleEndian.PutUint32(out[28:32], x7)
-	binary.LittleEndian.PutUint32(out[32:36], x8)
-	binary.LittleEndian.PutUint32(out[36:40], x9)
-	binary.LittleEndian.PutUint32(out[40:44], x10)
-	binary.LittleEndian.PutUint32(out[44:48], x11)
-	binary.LittleEndian.PutUint32(out[48:52], x12)
-	binary.LittleEndian.PutUint32(out[52:56], x13)
-	binary.LittleEndian.PutUint32(out[56:60], x14)
-	binary.LittleEndian.PutUint32(out[60:64], x15)
-}
-
-// XORKeyStream crypts bytes from in to out using the given key and counters.
-// In and out must overlap entirely or not at all. Counter contains the raw
-// ChaCha20 counter bytes (i.e. block counter followed by nonce).
-func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) {
-	var block [64]byte
-	var counterCopy [16]byte
-	copy(counterCopy[:], counter[:])
-
-	for len(in) >= 64 {
-		core(&block, &counterCopy, key)
-		for i, x := range block {
-			out[i] = in[i] ^ x
-		}
-		u := uint32(1)
-		for i := 0; i < 4; i++ {
-			u += uint32(counterCopy[i])
-			counterCopy[i] = byte(u)
-			u >>= 8
-		}
-		in = in[64:]
-		out = out[64:]
-	}
-
-	if len(in) > 0 {
-		core(&block, &counterCopy, key)
-		for i, v := range in {
-			out[i] = v ^ block[i]
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/internal/chacha20/chacha_test.go b/vendor/golang.org/x/crypto/internal/chacha20/chacha_test.go
deleted file mode 100644
index b80d34cd..00000000
--- a/vendor/golang.org/x/crypto/internal/chacha20/chacha_test.go
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package chacha20
-
-import (
-	"encoding/hex"
-	"testing"
-)
-
-func TestCore(t *testing.T) {
-	// This is just a smoke test that checks the example from
-	// https://tools.ietf.org/html/rfc7539#section-2.3.2. The
-	// chacha20poly1305 package contains much more extensive tests of this
-	// code.
-	var key [32]byte
-	for i := range key {
-		key[i] = byte(i)
-	}
-
-	var input [16]byte
-	input[0] = 1
-	input[7] = 9
-	input[11] = 0x4a
-
-	var out [64]byte
-	XORKeyStream(out[:], out[:], &input, &key)
-	const expected = "10f1e7e4d13b5915500fdd1fa32071c4c7d1f4c733c068030422aa9ac3d46c4ed2826446079faa0914c2d705d98b02a2b5129cd1de164eb9cbd083e8a2503c4e"
-	if result := hex.EncodeToString(out[:]); result != expected {
-		t.Errorf("wanted %x but got %x", expected, result)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/md4/example_test.go b/vendor/golang.org/x/crypto/md4/example_test.go
deleted file mode 100644
index db3f59b1..00000000
--- a/vendor/golang.org/x/crypto/md4/example_test.go
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package md4_test
-
-import (
-	"fmt"
-	"io"
-
-	"golang.org/x/crypto/md4"
-)
-
-func ExampleNew() {
-	h := md4.New()
-	data := "These pretzels are making me thirsty."
-	io.WriteString(h, data)
-	fmt.Printf("%x", h.Sum(nil))
-	// Output: 48c4e365090b30a32f084c4888deceaa
-}
diff --git a/vendor/golang.org/x/crypto/md4/md4.go b/vendor/golang.org/x/crypto/md4/md4.go
deleted file mode 100644
index 6d9ba9e5..00000000
--- a/vendor/golang.org/x/crypto/md4/md4.go
+++ /dev/null
@@ -1,118 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package md4 implements the MD4 hash algorithm as defined in RFC 1320.
-package md4 // import "golang.org/x/crypto/md4"
-
-import (
-	"crypto"
-	"hash"
-)
-
-func init() {
-	crypto.RegisterHash(crypto.MD4, New)
-}
-
-// The size of an MD4 checksum in bytes.
-const Size = 16
-
-// The blocksize of MD4 in bytes.
-const BlockSize = 64
-
-const (
-	_Chunk = 64
-	_Init0 = 0x67452301
-	_Init1 = 0xEFCDAB89
-	_Init2 = 0x98BADCFE
-	_Init3 = 0x10325476
-)
-
-// digest represents the partial evaluation of a checksum.
-type digest struct {
-	s   [4]uint32
-	x   [_Chunk]byte
-	nx  int
-	len uint64
-}
-
-func (d *digest) Reset() {
-	d.s[0] = _Init0
-	d.s[1] = _Init1
-	d.s[2] = _Init2
-	d.s[3] = _Init3
-	d.nx = 0
-	d.len = 0
-}
-
-// New returns a new hash.Hash computing the MD4 checksum.
-func New() hash.Hash {
-	d := new(digest)
-	d.Reset()
-	return d
-}
-
-func (d *digest) Size() int { return Size }
-
-func (d *digest) BlockSize() int { return BlockSize }
-
-func (d *digest) Write(p []byte) (nn int, err error) {
-	nn = len(p)
-	d.len += uint64(nn)
-	if d.nx > 0 {
-		n := len(p)
-		if n > _Chunk-d.nx {
-			n = _Chunk - d.nx
-		}
-		for i := 0; i < n; i++ {
-			d.x[d.nx+i] = p[i]
-		}
-		d.nx += n
-		if d.nx == _Chunk {
-			_Block(d, d.x[0:])
-			d.nx = 0
-		}
-		p = p[n:]
-	}
-	n := _Block(d, p)
-	p = p[n:]
-	if len(p) > 0 {
-		d.nx = copy(d.x[:], p)
-	}
-	return
-}
-
-func (d0 *digest) Sum(in []byte) []byte {
-	// Make a copy of d0, so that caller can keep writing and summing.
-	d := new(digest)
-	*d = *d0
-
-	// Padding.  Add a 1 bit and 0 bits until 56 bytes mod 64.
-	len := d.len
-	var tmp [64]byte
-	tmp[0] = 0x80
-	if len%64 < 56 {
-		d.Write(tmp[0 : 56-len%64])
-	} else {
-		d.Write(tmp[0 : 64+56-len%64])
-	}
-
-	// Length in bits.
-	len <<= 3
-	for i := uint(0); i < 8; i++ {
-		tmp[i] = byte(len >> (8 * i))
-	}
-	d.Write(tmp[0:8])
-
-	if d.nx != 0 {
-		panic("d.nx != 0")
-	}
-
-	for _, s := range d.s {
-		in = append(in, byte(s>>0))
-		in = append(in, byte(s>>8))
-		in = append(in, byte(s>>16))
-		in = append(in, byte(s>>24))
-	}
-	return in
-}
diff --git a/vendor/golang.org/x/crypto/md4/md4_test.go b/vendor/golang.org/x/crypto/md4/md4_test.go
deleted file mode 100644
index b56edd78..00000000
--- a/vendor/golang.org/x/crypto/md4/md4_test.go
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package md4
-
-import (
-	"fmt"
-	"io"
-	"testing"
-)
-
-type md4Test struct {
-	out string
-	in  string
-}
-
-var golden = []md4Test{
-	{"31d6cfe0d16ae931b73c59d7e0c089c0", ""},
-	{"bde52cb31de33e46245e05fbdbd6fb24", "a"},
-	{"ec388dd78999dfc7cf4632465693b6bf", "ab"},
-	{"a448017aaf21d8525fc10ae87aa6729d", "abc"},
-	{"41decd8f579255c5200f86a4bb3ba740", "abcd"},
-	{"9803f4a34e8eb14f96adba49064a0c41", "abcde"},
-	{"804e7f1c2586e50b49ac65db5b645131", "abcdef"},
-	{"752f4adfe53d1da0241b5bc216d098fc", "abcdefg"},
-	{"ad9daf8d49d81988590a6f0e745d15dd", "abcdefgh"},
-	{"1e4e28b05464316b56402b3815ed2dfd", "abcdefghi"},
-	{"dc959c6f5d6f9e04e4380777cc964b3d", "abcdefghij"},
-	{"1b5701e265778898ef7de5623bbe7cc0", "Discard medicine more than two years old."},
-	{"d7f087e090fe7ad4a01cb59dacc9a572", "He who has a shady past knows that nice guys finish last."},
-	{"a6f8fd6df617c72837592fc3570595c9", "I wouldn't marry him with a ten foot pole."},
-	{"c92a84a9526da8abc240c05d6b1a1ce0", "Free! Free!/A trip/to Mars/for 900/empty jars/Burma Shave"},
-	{"f6013160c4dcb00847069fee3bb09803", "The days of the digital watch are numbered.  -Tom Stoppard"},
-	{"2c3bb64f50b9107ed57640fe94bec09f", "Nepal premier won't resign."},
-	{"45b7d8a32c7806f2f7f897332774d6e4", "For every action there is an equal and opposite government program."},
-	{"b5b4f9026b175c62d7654bdc3a1cd438", "His money is twice tainted: 'taint yours and 'taint mine."},
-	{"caf44e80f2c20ce19b5ba1cab766e7bd", "There is no reason for any individual to have a computer in their home. -Ken Olsen, 1977"},
-	{"191fae6707f496aa54a6bce9f2ecf74d", "It's a tiny change to the code and not completely disgusting. - Bob Manchek"},
-	{"9ddc753e7a4ccee6081cd1b45b23a834", "size:  a.out:  bad magic"},
-	{"8d050f55b1cadb9323474564be08a521", "The major problem is with sendmail.  -Mark Horton"},
-	{"ad6e2587f74c3e3cc19146f6127fa2e3", "Give me a rock, paper and scissors and I will move the world.  CCFestoon"},
-	{"1d616d60a5fabe85589c3f1566ca7fca", "If the enemy is within range, then so are you."},
-	{"aec3326a4f496a2ced65a1963f84577f", "It's well we cannot hear the screams/That we create in others' dreams."},
-	{"77b4fd762d6b9245e61c50bf6ebf118b", "You remind me of a TV show, but that's all right: I watch it anyway."},
-	{"e8f48c726bae5e516f6ddb1a4fe62438", "C is as portable as Stonehedge!!"},
-	{"a3a84366e7219e887423b01f9be7166e", "Even if I could be Shakespeare, I think I should still choose to be Faraday. - A. Huxley"},
-	{"a6b7aa35157e984ef5d9b7f32e5fbb52", "The fugacity of a constituent in a mixture of gases at a given temperature is proportional to its mole fraction.  Lewis-Randall Rule"},
-	{"75661f0545955f8f9abeeb17845f3fd6", "How can you write a big system without C++?  -Paul Glick"},
-}
-
-func TestGolden(t *testing.T) {
-	for i := 0; i < len(golden); i++ {
-		g := golden[i]
-		c := New()
-		for j := 0; j < 3; j++ {
-			if j < 2 {
-				io.WriteString(c, g.in)
-			} else {
-				io.WriteString(c, g.in[0:len(g.in)/2])
-				c.Sum(nil)
-				io.WriteString(c, g.in[len(g.in)/2:])
-			}
-			s := fmt.Sprintf("%x", c.Sum(nil))
-			if s != g.out {
-				t.Fatalf("md4[%d](%s) = %s want %s", j, g.in, s, g.out)
-			}
-			c.Reset()
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/md4/md4block.go b/vendor/golang.org/x/crypto/md4/md4block.go
deleted file mode 100644
index 3fed475f..00000000
--- a/vendor/golang.org/x/crypto/md4/md4block.go
+++ /dev/null
@@ -1,89 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// MD4 block step.
-// In its own file so that a faster assembly or C version
-// can be substituted easily.
-
-package md4
-
-var shift1 = []uint{3, 7, 11, 19}
-var shift2 = []uint{3, 5, 9, 13}
-var shift3 = []uint{3, 9, 11, 15}
-
-var xIndex2 = []uint{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
-var xIndex3 = []uint{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
-
-func _Block(dig *digest, p []byte) int {
-	a := dig.s[0]
-	b := dig.s[1]
-	c := dig.s[2]
-	d := dig.s[3]
-	n := 0
-	var X [16]uint32
-	for len(p) >= _Chunk {
-		aa, bb, cc, dd := a, b, c, d
-
-		j := 0
-		for i := 0; i < 16; i++ {
-			X[i] = uint32(p[j]) | uint32(p[j+1])<<8 | uint32(p[j+2])<<16 | uint32(p[j+3])<<24
-			j += 4
-		}
-
-		// If this needs to be made faster in the future,
-		// the usual trick is to unroll each of these
-		// loops by a factor of 4; that lets you replace
-		// the shift[] lookups with constants and,
-		// with suitable variable renaming in each
-		// unrolled body, delete the a, b, c, d = d, a, b, c
-		// (or you can let the optimizer do the renaming).
-		//
-		// The index variables are uint so that % by a power
-		// of two can be optimized easily by a compiler.
-
-		// Round 1.
-		for i := uint(0); i < 16; i++ {
-			x := i
-			s := shift1[i%4]
-			f := ((c ^ d) & b) ^ d
-			a += f + X[x]
-			a = a<<s | a>>(32-s)
-			a, b, c, d = d, a, b, c
-		}
-
-		// Round 2.
-		for i := uint(0); i < 16; i++ {
-			x := xIndex2[i]
-			s := shift2[i%4]
-			g := (b & c) | (b & d) | (c & d)
-			a += g + X[x] + 0x5a827999
-			a = a<<s | a>>(32-s)
-			a, b, c, d = d, a, b, c
-		}
-
-		// Round 3.
-		for i := uint(0); i < 16; i++ {
-			x := xIndex3[i]
-			s := shift3[i%4]
-			h := b ^ c ^ d
-			a += h + X[x] + 0x6ed9eba1
-			a = a<<s | a>>(32-s)
-			a, b, c, d = d, a, b, c
-		}
-
-		a += aa
-		b += bb
-		c += cc
-		d += dd
-
-		p = p[_Chunk:]
-		n += _Chunk
-	}
-
-	dig.s[0] = a
-	dig.s[1] = b
-	dig.s[2] = c
-	dig.s[3] = d
-	return n
-}
diff --git a/vendor/golang.org/x/crypto/nacl/auth/auth.go b/vendor/golang.org/x/crypto/nacl/auth/auth.go
deleted file mode 100644
index ec1d6ebe..00000000
--- a/vendor/golang.org/x/crypto/nacl/auth/auth.go
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package auth authenticates a message using a secret key.
-
-The Sum function, viewed as a function of the message for a uniform random
-key, is designed to meet the standard notion of unforgeability. This means
-that an attacker cannot find authenticators for any messages not authenticated
-by the sender, even if the attacker has adaptively influenced the messages
-authenticated by the sender. For a formal definition see, e.g., Section 2.4
-of Bellare, Kilian, and Rogaway, "The security of the cipher block chaining
-message authentication code," Journal of Computer and System Sciences 61 (2000),
-362–399; http://www-cse.ucsd.edu/~mihir/papers/cbc.html.
-
-auth does not make any promises regarding "strong" unforgeability; perhaps
-one valid authenticator can be converted into another valid authenticator for
-the same message. NaCl also does not make any promises regarding "truncated
-unforgeability."
-
-This package is interoperable with NaCl: https://nacl.cr.yp.to/auth.html.
-*/
-package auth
-
-import (
-	"crypto/hmac"
-	"crypto/sha512"
-)
-
-const (
-	// Size is the size, in bytes, of an authenticated digest.
-	Size = 32
-	// KeySize is the size, in bytes, of an authentication key.
-	KeySize = 32
-)
-
-// Sum generates an authenticator for m using a secret key and returns the
-// 32-byte digest.
-func Sum(m []byte, key *[KeySize]byte) *[Size]byte {
-	mac := hmac.New(sha512.New, key[:])
-	mac.Write(m)
-	out := new([KeySize]byte)
-	copy(out[:], mac.Sum(nil)[:Size])
-	return out
-}
-
-// Verify checks that digest is a valid authenticator of message m under the
-// given secret key. Verify does not leak timing information.
-func Verify(digest []byte, m []byte, key *[KeySize]byte) bool {
-	if len(digest) != Size {
-		return false
-	}
-	mac := hmac.New(sha512.New, key[:])
-	mac.Write(m)
-	expectedMAC := mac.Sum(nil) // first 256 bits of 512-bit sum
-	return hmac.Equal(digest, expectedMAC[:Size])
-}
diff --git a/vendor/golang.org/x/crypto/nacl/auth/auth_test.go b/vendor/golang.org/x/crypto/nacl/auth/auth_test.go
deleted file mode 100644
index 92074b50..00000000
--- a/vendor/golang.org/x/crypto/nacl/auth/auth_test.go
+++ /dev/null
@@ -1,172 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package auth
-
-import (
-	"bytes"
-	rand "crypto/rand"
-	mrand "math/rand"
-	"testing"
-)
-
-// Test cases are from RFC 4231, and match those present in the tests directory
-// of the download here: https://nacl.cr.yp.to/install.html
-var testCases = []struct {
-	key [32]byte
-	msg []byte
-	out [32]byte
-}{
-	{
-		key: [32]byte{
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-			0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-			0x0b, 0x0b, 0x0b, 0x0b,
-		},
-		msg: []byte("Hi There"),
-		out: [32]byte{
-			0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d,
-			0x4f, 0xf0, 0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0,
-			0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78,
-			0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde,
-		},
-	},
-	{
-		key: [32]byte{'J', 'e', 'f', 'e'},
-		msg: []byte("what do ya want for nothing?"),
-		out: [32]byte{
-			0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2,
-			0xe3, 0x95, 0xfb, 0xe7, 0x3b, 0x56, 0xe0, 0xa3,
-			0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6,
-			0x10, 0x27, 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54,
-		},
-	},
-	{
-		key: [32]byte{
-			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-			0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-			0xaa, 0xaa, 0xaa, 0xaa,
-		},
-		msg: []byte{ // 50 bytes of 0xdd
-			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-			0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-			0xdd, 0xdd,
-		},
-		out: [32]byte{
-			0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84,
-			0xef, 0xb0, 0xf0, 0x75, 0x6c, 0x89, 0x0b, 0xe9,
-			0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36,
-			0x55, 0xf8, 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39,
-		},
-	},
-	{
-		key: [32]byte{
-			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
-			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
-			0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
-			0x19,
-		},
-		msg: []byte{
-			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-			0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-			0xcd, 0xcd,
-		},
-		out: [32]byte{
-			0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69,
-			0x90, 0xe5, 0xa8, 0xc5, 0xf6, 0x1d, 0x4a, 0xf7,
-			0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d,
-			0xe7, 0x6f, 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb,
-		},
-	},
-}
-
-func TestSum(t *testing.T) {
-	for i, test := range testCases {
-		tag := Sum(test.msg, &test.key)
-		if !bytes.Equal(tag[:], test.out[:]) {
-			t.Errorf("#%d: Sum: got\n%x\nwant\n%x", i, tag, test.out)
-		}
-	}
-}
-
-func TestVerify(t *testing.T) {
-	wrongMsg := []byte("unknown msg")
-
-	for i, test := range testCases {
-		if !Verify(test.out[:], test.msg, &test.key) {
-			t.Errorf("#%d: Verify(%x, %q, %x) failed", i, test.out, test.msg, test.key)
-		}
-		if Verify(test.out[:], wrongMsg, &test.key) {
-			t.Errorf("#%d: Verify(%x, %q, %x) unexpectedly passed", i, test.out, wrongMsg, test.key)
-		}
-	}
-}
-
-func TestStress(t *testing.T) {
-	if testing.Short() {
-		t.Skip("exhaustiveness test")
-	}
-
-	var key [32]byte
-	msg := make([]byte, 10000)
-	prng := mrand.New(mrand.NewSource(0))
-
-	// copied from tests/auth5.c in nacl
-	for i := 0; i < 10000; i++ {
-		if _, err := rand.Read(key[:]); err != nil {
-			t.Fatal(err)
-		}
-		if _, err := rand.Read(msg[:i]); err != nil {
-			t.Fatal(err)
-		}
-		tag := Sum(msg[:i], &key)
-		if !Verify(tag[:], msg[:i], &key) {
-			t.Errorf("#%d: unexpected failure from Verify", i)
-		}
-		if i > 0 {
-			msgIndex := prng.Intn(i)
-			oldMsgByte := msg[msgIndex]
-			msg[msgIndex] += byte(1 + prng.Intn(255))
-			if Verify(tag[:], msg[:i], &key) {
-				t.Errorf("#%d: unexpected success from Verify after corrupting message", i)
-			}
-			msg[msgIndex] = oldMsgByte
-
-			tag[prng.Intn(len(tag))] += byte(1 + prng.Intn(255))
-			if Verify(tag[:], msg[:i], &key) {
-				t.Errorf("#%d: unexpected success from Verify after corrupting authenticator", i)
-			}
-		}
-	}
-}
-
-func BenchmarkAuth(b *testing.B) {
-	var key [32]byte
-	if _, err := rand.Read(key[:]); err != nil {
-		b.Fatal(err)
-	}
-	buf := make([]byte, 1024)
-	if _, err := rand.Read(buf[:]); err != nil {
-		b.Fatal(err)
-	}
-
-	b.SetBytes(int64(len(buf)))
-	b.ReportAllocs()
-	b.ResetTimer()
-
-	for i := 0; i < b.N; i++ {
-		tag := Sum(buf, &key)
-		if Verify(tag[:], buf, &key) == false {
-			b.Fatal("unexpected failure from Verify")
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/nacl/auth/example_test.go b/vendor/golang.org/x/crypto/nacl/auth/example_test.go
deleted file mode 100644
index 02a2cd6c..00000000
--- a/vendor/golang.org/x/crypto/nacl/auth/example_test.go
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package auth_test
-
-import (
-	"encoding/hex"
-	"fmt"
-
-	"golang.org/x/crypto/nacl/auth"
-)
-
-func Example() {
-	// Load your secret key from a safe place and reuse it across multiple
-	// Sum calls. (Obviously don't use this example key for anything
-	// real.) If you want to convert a passphrase to a key, use a suitable
-	// package like bcrypt or scrypt.
-	secretKeyBytes, err := hex.DecodeString("6368616e676520746869732070617373776f726420746f206120736563726574")
-	if err != nil {
-		panic(err)
-	}
-
-	var secretKey [32]byte
-	copy(secretKey[:], secretKeyBytes)
-
-	mac := auth.Sum([]byte("hello world"), &secretKey)
-	fmt.Printf("%x\n", *mac)
-	result := auth.Verify(mac[:], []byte("hello world"), &secretKey)
-	fmt.Println(result)
-	badResult := auth.Verify(mac[:], []byte("different message"), &secretKey)
-	fmt.Println(badResult)
-	// Output: eca5a521f3d77b63f567fb0cb6f5f2d200641bc8dada42f60c5f881260c30317
-	// true
-	// false
-}
diff --git a/vendor/golang.org/x/crypto/nacl/box/box.go b/vendor/golang.org/x/crypto/nacl/box/box.go
deleted file mode 100644
index 31b697be..00000000
--- a/vendor/golang.org/x/crypto/nacl/box/box.go
+++ /dev/null
@@ -1,103 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package box authenticates and encrypts small messages using public-key cryptography.
-
-Box uses Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate
-messages. The length of messages is not hidden.
-
-It is the caller's responsibility to ensure the uniqueness of nonces—for
-example, by using nonce 1 for the first message, nonce 2 for the second
-message, etc. Nonces are long enough that randomly generated nonces have
-negligible risk of collision.
-
-Messages should be small because:
-
-1. The whole message needs to be held in memory to be processed.
-
-2. Using large messages pressures implementations on small machines to decrypt
-and process plaintext before authenticating it. This is very dangerous, and
-this API does not allow it, but a protocol that uses excessive message sizes
-might present some implementations with no other choice.
-
-3. Fixed overheads will be sufficiently amortised by messages as small as 8KB.
-
-4. Performance may be improved by working with messages that fit into data caches.
-
-Thus large amounts of data should be chunked so that each message is small.
-(Each message still needs a unique nonce.) If in doubt, 16KB is a reasonable
-chunk size.
-
-This package is interoperable with NaCl: https://nacl.cr.yp.to/box.html.
-*/
-package box // import "golang.org/x/crypto/nacl/box"
-
-import (
-	"io"
-
-	"golang.org/x/crypto/curve25519"
-	"golang.org/x/crypto/nacl/secretbox"
-	"golang.org/x/crypto/salsa20/salsa"
-)
-
-// Overhead is the number of bytes of overhead when boxing a message.
-const Overhead = secretbox.Overhead
-
-// GenerateKey generates a new public/private key pair suitable for use with
-// Seal and Open.
-func GenerateKey(rand io.Reader) (publicKey, privateKey *[32]byte, err error) {
-	publicKey = new([32]byte)
-	privateKey = new([32]byte)
-	_, err = io.ReadFull(rand, privateKey[:])
-	if err != nil {
-		publicKey = nil
-		privateKey = nil
-		return
-	}
-
-	curve25519.ScalarBaseMult(publicKey, privateKey)
-	return
-}
-
-var zeros [16]byte
-
-// Precompute calculates the shared key between peersPublicKey and privateKey
-// and writes it to sharedKey. The shared key can be used with
-// OpenAfterPrecomputation and SealAfterPrecomputation to speed up processing
-// when using the same pair of keys repeatedly.
-func Precompute(sharedKey, peersPublicKey, privateKey *[32]byte) {
-	curve25519.ScalarMult(sharedKey, privateKey, peersPublicKey)
-	salsa.HSalsa20(sharedKey, &zeros, sharedKey, &salsa.Sigma)
-}
-
-// Seal appends an encrypted and authenticated copy of message to out, which
-// will be Overhead bytes longer than the original and must not overlap it. The
-// nonce must be unique for each distinct message for a given pair of keys.
-func Seal(out, message []byte, nonce *[24]byte, peersPublicKey, privateKey *[32]byte) []byte {
-	var sharedKey [32]byte
-	Precompute(&sharedKey, peersPublicKey, privateKey)
-	return secretbox.Seal(out, message, nonce, &sharedKey)
-}
-
-// SealAfterPrecomputation performs the same actions as Seal, but takes a
-// shared key as generated by Precompute.
-func SealAfterPrecomputation(out, message []byte, nonce *[24]byte, sharedKey *[32]byte) []byte {
-	return secretbox.Seal(out, message, nonce, sharedKey)
-}
-
-// Open authenticates and decrypts a box produced by Seal and appends the
-// message to out, which must not overlap box. The output will be Overhead
-// bytes smaller than box.
-func Open(out, box []byte, nonce *[24]byte, peersPublicKey, privateKey *[32]byte) ([]byte, bool) {
-	var sharedKey [32]byte
-	Precompute(&sharedKey, peersPublicKey, privateKey)
-	return secretbox.Open(out, box, nonce, &sharedKey)
-}
-
-// OpenAfterPrecomputation performs the same actions as Open, but takes a
-// shared key as generated by Precompute.
-func OpenAfterPrecomputation(out, box []byte, nonce *[24]byte, sharedKey *[32]byte) ([]byte, bool) {
-	return secretbox.Open(out, box, nonce, sharedKey)
-}
diff --git a/vendor/golang.org/x/crypto/nacl/box/box_test.go b/vendor/golang.org/x/crypto/nacl/box/box_test.go
deleted file mode 100644
index 481ade28..00000000
--- a/vendor/golang.org/x/crypto/nacl/box/box_test.go
+++ /dev/null
@@ -1,78 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package box
-
-import (
-	"bytes"
-	"crypto/rand"
-	"encoding/hex"
-	"testing"
-
-	"golang.org/x/crypto/curve25519"
-)
-
-func TestSealOpen(t *testing.T) {
-	publicKey1, privateKey1, _ := GenerateKey(rand.Reader)
-	publicKey2, privateKey2, _ := GenerateKey(rand.Reader)
-
-	if *privateKey1 == *privateKey2 {
-		t.Fatalf("private keys are equal!")
-	}
-	if *publicKey1 == *publicKey2 {
-		t.Fatalf("public keys are equal!")
-	}
-	message := []byte("test message")
-	var nonce [24]byte
-
-	box := Seal(nil, message, &nonce, publicKey1, privateKey2)
-	opened, ok := Open(nil, box, &nonce, publicKey2, privateKey1)
-	if !ok {
-		t.Fatalf("failed to open box")
-	}
-
-	if !bytes.Equal(opened, message) {
-		t.Fatalf("got %x, want %x", opened, message)
-	}
-
-	for i := range box {
-		box[i] ^= 0x40
-		_, ok := Open(nil, box, &nonce, publicKey2, privateKey1)
-		if ok {
-			t.Fatalf("opened box with byte %d corrupted", i)
-		}
-		box[i] ^= 0x40
-	}
-}
-
-func TestBox(t *testing.T) {
-	var privateKey1, privateKey2 [32]byte
-	for i := range privateKey1[:] {
-		privateKey1[i] = 1
-	}
-	for i := range privateKey2[:] {
-		privateKey2[i] = 2
-	}
-
-	var publicKey1 [32]byte
-	curve25519.ScalarBaseMult(&publicKey1, &privateKey1)
-	var message [64]byte
-	for i := range message[:] {
-		message[i] = 3
-	}
-
-	var nonce [24]byte
-	for i := range nonce[:] {
-		nonce[i] = 4
-	}
-
-	box := Seal(nil, message[:], &nonce, &publicKey1, &privateKey2)
-
-	// expected was generated using the C implementation of NaCl.
-	expected, _ := hex.DecodeString("78ea30b19d2341ebbdba54180f821eec265cf86312549bea8a37652a8bb94f07b78a73ed1708085e6ddd0e943bbdeb8755079a37eb31d86163ce241164a47629c0539f330b4914cd135b3855bc2a2dfc")
-
-	if !bytes.Equal(box, expected) {
-		t.Fatalf("box didn't match, got\n%x\n, expected\n%x", box, expected)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/nacl/box/example_test.go b/vendor/golang.org/x/crypto/nacl/box/example_test.go
deleted file mode 100644
index 25e42d2b..00000000
--- a/vendor/golang.org/x/crypto/nacl/box/example_test.go
+++ /dev/null
@@ -1,95 +0,0 @@
-package box_test
-
-import (
-	crypto_rand "crypto/rand" // Custom so it's clear which rand we're using.
-	"fmt"
-	"io"
-
-	"golang.org/x/crypto/nacl/box"
-)
-
-func Example() {
-	senderPublicKey, senderPrivateKey, err := box.GenerateKey(crypto_rand.Reader)
-	if err != nil {
-		panic(err)
-	}
-
-	recipientPublicKey, recipientPrivateKey, err := box.GenerateKey(crypto_rand.Reader)
-	if err != nil {
-		panic(err)
-	}
-
-	// You must use a different nonce for each message you encrypt with the
-	// same key. Since the nonce here is 192 bits long, a random value
-	// provides a sufficiently small probability of repeats.
-	var nonce [24]byte
-	if _, err := io.ReadFull(crypto_rand.Reader, nonce[:]); err != nil {
-		panic(err)
-	}
-
-	msg := []byte("Alas, poor Yorick! I knew him, Horatio")
-	// This encrypts msg and appends the result to the nonce.
-	encrypted := box.Seal(nonce[:], msg, &nonce, recipientPublicKey, senderPrivateKey)
-
-	// The recipient can decrypt the message using their private key and the
-	// sender's public key. When you decrypt, you must use the same nonce you
-	// used to encrypt the message. One way to achieve this is to store the
-	// nonce alongside the encrypted message. Above, we stored the nonce in the
-	// first 24 bytes of the encrypted text.
-	var decryptNonce [24]byte
-	copy(decryptNonce[:], encrypted[:24])
-	decrypted, ok := box.Open(nil, encrypted[24:], &decryptNonce, senderPublicKey, recipientPrivateKey)
-	if !ok {
-		panic("decryption error")
-	}
-	fmt.Println(string(decrypted))
-	// Output: Alas, poor Yorick! I knew him, Horatio
-}
-
-func Example_precompute() {
-	senderPublicKey, senderPrivateKey, err := box.GenerateKey(crypto_rand.Reader)
-	if err != nil {
-		panic(err)
-	}
-
-	recipientPublicKey, recipientPrivateKey, err := box.GenerateKey(crypto_rand.Reader)
-	if err != nil {
-		panic(err)
-	}
-
-	// The shared key can be used to speed up processing when using the same
-	// pair of keys repeatedly.
-	sharedEncryptKey := new([32]byte)
-	box.Precompute(sharedEncryptKey, recipientPublicKey, senderPrivateKey)
-
-	// You must use a different nonce for each message you encrypt with the
-	// same key. Since the nonce here is 192 bits long, a random value
-	// provides a sufficiently small probability of repeats.
-	var nonce [24]byte
-	if _, err := io.ReadFull(crypto_rand.Reader, nonce[:]); err != nil {
-		panic(err)
-	}
-
-	msg := []byte("A fellow of infinite jest, of most excellent fancy")
-	// This encrypts msg and appends the result to the nonce.
-	encrypted := box.SealAfterPrecomputation(nonce[:], msg, &nonce, sharedEncryptKey)
-
-	// The shared key can be used to speed up processing when using the same
-	// pair of keys repeatedly.
-	var sharedDecryptKey [32]byte
-	box.Precompute(&sharedDecryptKey, senderPublicKey, recipientPrivateKey)
-
-	// The recipient can decrypt the message using the shared key. When you
-	// decrypt, you must use the same nonce you used to encrypt the message.
-	// One way to achieve this is to store the nonce alongside the encrypted
-	// message. Above, we stored the nonce in the first 24 bytes of the
-	// encrypted text.
-	var decryptNonce [24]byte
-	copy(decryptNonce[:], encrypted[:24])
-	decrypted, ok := box.OpenAfterPrecomputation(nil, encrypted[24:], &decryptNonce, &sharedDecryptKey)
-	if !ok {
-		panic("decryption error")
-	}
-	fmt.Println(string(decrypted))
-	// Output: A fellow of infinite jest, of most excellent fancy
-}
diff --git a/vendor/golang.org/x/crypto/nacl/secretbox/example_test.go b/vendor/golang.org/x/crypto/nacl/secretbox/example_test.go
deleted file mode 100644
index 789f4ff0..00000000
--- a/vendor/golang.org/x/crypto/nacl/secretbox/example_test.go
+++ /dev/null
@@ -1,53 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package secretbox_test
-
-import (
-	"crypto/rand"
-	"encoding/hex"
-	"fmt"
-	"io"
-
-	"golang.org/x/crypto/nacl/secretbox"
-)
-
-func Example() {
-	// Load your secret key from a safe place and reuse it across multiple
-	// Seal calls. (Obviously don't use this example key for anything
-	// real.) If you want to convert a passphrase to a key, use a suitable
-	// package like bcrypt or scrypt.
-	secretKeyBytes, err := hex.DecodeString("6368616e676520746869732070617373776f726420746f206120736563726574")
-	if err != nil {
-		panic(err)
-	}
-
-	var secretKey [32]byte
-	copy(secretKey[:], secretKeyBytes)
-
-	// You must use a different nonce for each message you encrypt with the
-	// same key. Since the nonce here is 192 bits long, a random value
-	// provides a sufficiently small probability of repeats.
-	var nonce [24]byte
-	if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
-		panic(err)
-	}
-
-	// This encrypts "hello world" and appends the result to the nonce.
-	encrypted := secretbox.Seal(nonce[:], []byte("hello world"), &nonce, &secretKey)
-
-	// When you decrypt, you must use the same nonce and key you used to
-	// encrypt the message. One way to achieve this is to store the nonce
-	// alongside the encrypted message. Above, we stored the nonce in the first
-	// 24 bytes of the encrypted text.
-	var decryptNonce [24]byte
-	copy(decryptNonce[:], encrypted[:24])
-	decrypted, ok := secretbox.Open(nil, encrypted[24:], &decryptNonce, &secretKey)
-	if !ok {
-		panic("decryption error")
-	}
-
-	fmt.Println(string(decrypted))
-	// Output: hello world
-}
diff --git a/vendor/golang.org/x/crypto/nacl/secretbox/secretbox.go b/vendor/golang.org/x/crypto/nacl/secretbox/secretbox.go
deleted file mode 100644
index 53ee83cf..00000000
--- a/vendor/golang.org/x/crypto/nacl/secretbox/secretbox.go
+++ /dev/null
@@ -1,166 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package secretbox encrypts and authenticates small messages.
-
-Secretbox uses XSalsa20 and Poly1305 to encrypt and authenticate messages with
-secret-key cryptography. The length of messages is not hidden.
-
-It is the caller's responsibility to ensure the uniqueness of nonces—for
-example, by using nonce 1 for the first message, nonce 2 for the second
-message, etc. Nonces are long enough that randomly generated nonces have
-negligible risk of collision.
-
-Messages should be small because:
-
-1. The whole message needs to be held in memory to be processed.
-
-2. Using large messages pressures implementations on small machines to decrypt
-and process plaintext before authenticating it. This is very dangerous, and
-this API does not allow it, but a protocol that uses excessive message sizes
-might present some implementations with no other choice.
-
-3. Fixed overheads will be sufficiently amortised by messages as small as 8KB.
-
-4. Performance may be improved by working with messages that fit into data caches.
-
-Thus large amounts of data should be chunked so that each message is small.
-(Each message still needs a unique nonce.) If in doubt, 16KB is a reasonable
-chunk size.
-
-This package is interoperable with NaCl: https://nacl.cr.yp.to/secretbox.html.
-*/
-package secretbox // import "golang.org/x/crypto/nacl/secretbox"
-
-import (
-	"golang.org/x/crypto/poly1305"
-	"golang.org/x/crypto/salsa20/salsa"
-)
-
-// Overhead is the number of bytes of overhead when boxing a message.
-const Overhead = poly1305.TagSize
-
-// setup produces a sub-key and Salsa20 counter given a nonce and key.
-func setup(subKey *[32]byte, counter *[16]byte, nonce *[24]byte, key *[32]byte) {
-	// We use XSalsa20 for encryption so first we need to generate a
-	// key and nonce with HSalsa20.
-	var hNonce [16]byte
-	copy(hNonce[:], nonce[:])
-	salsa.HSalsa20(subKey, &hNonce, key, &salsa.Sigma)
-
-	// The final 8 bytes of the original nonce form the new nonce.
-	copy(counter[:], nonce[16:])
-}
-
-// sliceForAppend takes a slice and a requested number of bytes. It returns a
-// slice with the contents of the given slice followed by that many bytes and a
-// second slice that aliases into it and contains only the extra bytes. If the
-// original slice has sufficient capacity then no allocation is performed.
-func sliceForAppend(in []byte, n int) (head, tail []byte) {
-	if total := len(in) + n; cap(in) >= total {
-		head = in[:total]
-	} else {
-		head = make([]byte, total)
-		copy(head, in)
-	}
-	tail = head[len(in):]
-	return
-}
-
-// Seal appends an encrypted and authenticated copy of message to out, which
-// must not overlap message. The key and nonce pair must be unique for each
-// distinct message and the output will be Overhead bytes longer than message.
-func Seal(out, message []byte, nonce *[24]byte, key *[32]byte) []byte {
-	var subKey [32]byte
-	var counter [16]byte
-	setup(&subKey, &counter, nonce, key)
-
-	// The Poly1305 key is generated by encrypting 32 bytes of zeros. Since
-	// Salsa20 works with 64-byte blocks, we also generate 32 bytes of
-	// keystream as a side effect.
-	var firstBlock [64]byte
-	salsa.XORKeyStream(firstBlock[:], firstBlock[:], &counter, &subKey)
-
-	var poly1305Key [32]byte
-	copy(poly1305Key[:], firstBlock[:])
-
-	ret, out := sliceForAppend(out, len(message)+poly1305.TagSize)
-
-	// We XOR up to 32 bytes of message with the keystream generated from
-	// the first block.
-	firstMessageBlock := message
-	if len(firstMessageBlock) > 32 {
-		firstMessageBlock = firstMessageBlock[:32]
-	}
-
-	tagOut := out
-	out = out[poly1305.TagSize:]
-	for i, x := range firstMessageBlock {
-		out[i] = firstBlock[32+i] ^ x
-	}
-	message = message[len(firstMessageBlock):]
-	ciphertext := out
-	out = out[len(firstMessageBlock):]
-
-	// Now encrypt the rest.
-	counter[8] = 1
-	salsa.XORKeyStream(out, message, &counter, &subKey)
-
-	var tag [poly1305.TagSize]byte
-	poly1305.Sum(&tag, ciphertext, &poly1305Key)
-	copy(tagOut, tag[:])
-
-	return ret
-}
-
-// Open authenticates and decrypts a box produced by Seal and appends the
-// message to out, which must not overlap box. The output will be Overhead
-// bytes smaller than box.
-func Open(out []byte, box []byte, nonce *[24]byte, key *[32]byte) ([]byte, bool) {
-	if len(box) < Overhead {
-		return nil, false
-	}
-
-	var subKey [32]byte
-	var counter [16]byte
-	setup(&subKey, &counter, nonce, key)
-
-	// The Poly1305 key is generated by encrypting 32 bytes of zeros. Since
-	// Salsa20 works with 64-byte blocks, we also generate 32 bytes of
-	// keystream as a side effect.
-	var firstBlock [64]byte
-	salsa.XORKeyStream(firstBlock[:], firstBlock[:], &counter, &subKey)
-
-	var poly1305Key [32]byte
-	copy(poly1305Key[:], firstBlock[:])
-	var tag [poly1305.TagSize]byte
-	copy(tag[:], box)
-
-	if !poly1305.Verify(&tag, box[poly1305.TagSize:], &poly1305Key) {
-		return nil, false
-	}
-
-	ret, out := sliceForAppend(out, len(box)-Overhead)
-
-	// We XOR up to 32 bytes of box with the keystream generated from
-	// the first block.
-	box = box[Overhead:]
-	firstMessageBlock := box
-	if len(firstMessageBlock) > 32 {
-		firstMessageBlock = firstMessageBlock[:32]
-	}
-	for i, x := range firstMessageBlock {
-		out[i] = firstBlock[32+i] ^ x
-	}
-
-	box = box[len(firstMessageBlock):]
-	out = out[len(firstMessageBlock):]
-
-	// Now decrypt the rest.
-	counter[8] = 1
-	salsa.XORKeyStream(out, box, &counter, &subKey)
-
-	return ret, true
-}
diff --git a/vendor/golang.org/x/crypto/nacl/secretbox/secretbox_test.go b/vendor/golang.org/x/crypto/nacl/secretbox/secretbox_test.go
deleted file mode 100644
index 3c70b0f4..00000000
--- a/vendor/golang.org/x/crypto/nacl/secretbox/secretbox_test.go
+++ /dev/null
@@ -1,154 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package secretbox
-
-import (
-	"bytes"
-	"crypto/rand"
-	"encoding/hex"
-	"testing"
-)
-
-func TestSealOpen(t *testing.T) {
-	var key [32]byte
-	var nonce [24]byte
-
-	rand.Reader.Read(key[:])
-	rand.Reader.Read(nonce[:])
-
-	var box, opened []byte
-
-	for msgLen := 0; msgLen < 128; msgLen += 17 {
-		message := make([]byte, msgLen)
-		rand.Reader.Read(message)
-
-		box = Seal(box[:0], message, &nonce, &key)
-		var ok bool
-		opened, ok = Open(opened[:0], box, &nonce, &key)
-		if !ok {
-			t.Errorf("%d: failed to open box", msgLen)
-			continue
-		}
-
-		if !bytes.Equal(opened, message) {
-			t.Errorf("%d: got %x, expected %x", msgLen, opened, message)
-			continue
-		}
-	}
-
-	for i := range box {
-		box[i] ^= 0x20
-		_, ok := Open(opened[:0], box, &nonce, &key)
-		if ok {
-			t.Errorf("box was opened after corrupting byte %d", i)
-		}
-		box[i] ^= 0x20
-	}
-}
-
-func TestSecretBox(t *testing.T) {
-	var key [32]byte
-	var nonce [24]byte
-	var message [64]byte
-
-	for i := range key[:] {
-		key[i] = 1
-	}
-	for i := range nonce[:] {
-		nonce[i] = 2
-	}
-	for i := range message[:] {
-		message[i] = 3
-	}
-
-	box := Seal(nil, message[:], &nonce, &key)
-	// expected was generated using the C implementation of NaCl.
-	expected, _ := hex.DecodeString("8442bc313f4626f1359e3b50122b6ce6fe66ddfe7d39d14e637eb4fd5b45beadab55198df6ab5368439792a23c87db70acb6156dc5ef957ac04f6276cf6093b84be77ff0849cc33e34b7254d5a8f65ad")
-
-	if !bytes.Equal(box, expected) {
-		t.Fatalf("box didn't match, got\n%x\n, expected\n%x", box, expected)
-	}
-}
-
-func TestAppend(t *testing.T) {
-	var key [32]byte
-	var nonce [24]byte
-	var message [8]byte
-
-	out := make([]byte, 4)
-	box := Seal(out, message[:], &nonce, &key)
-	if !bytes.Equal(box[:4], out[:4]) {
-		t.Fatalf("Seal didn't correctly append")
-	}
-
-	out = make([]byte, 4, 100)
-	box = Seal(out, message[:], &nonce, &key)
-	if !bytes.Equal(box[:4], out[:4]) {
-		t.Fatalf("Seal didn't correctly append with sufficient capacity.")
-	}
-}
-
-func benchmarkSealSize(b *testing.B, size int) {
-	message := make([]byte, size)
-	out := make([]byte, size+Overhead)
-	var nonce [24]byte
-	var key [32]byte
-
-	b.SetBytes(int64(size))
-	b.ResetTimer()
-
-	for i := 0; i < b.N; i++ {
-		out = Seal(out[:0], message, &nonce, &key)
-	}
-}
-
-func BenchmarkSeal8Bytes(b *testing.B) {
-	benchmarkSealSize(b, 8)
-}
-
-func BenchmarkSeal100Bytes(b *testing.B) {
-	benchmarkSealSize(b, 100)
-}
-
-func BenchmarkSeal1K(b *testing.B) {
-	benchmarkSealSize(b, 1024)
-}
-
-func BenchmarkSeal8K(b *testing.B) {
-	benchmarkSealSize(b, 8192)
-}
-
-func benchmarkOpenSize(b *testing.B, size int) {
-	msg := make([]byte, size)
-	result := make([]byte, size)
-	var nonce [24]byte
-	var key [32]byte
-	box := Seal(nil, msg, &nonce, &key)
-
-	b.SetBytes(int64(size))
-	b.ResetTimer()
-
-	for i := 0; i < b.N; i++ {
-		if _, ok := Open(result[:0], box, &nonce, &key); !ok {
-			panic("Open failed")
-		}
-	}
-}
-
-func BenchmarkOpen8Bytes(b *testing.B) {
-	benchmarkOpenSize(b, 8)
-}
-
-func BenchmarkOpen100Bytes(b *testing.B) {
-	benchmarkOpenSize(b, 100)
-}
-
-func BenchmarkOpen1K(b *testing.B) {
-	benchmarkOpenSize(b, 1024)
-}
-
-func BenchmarkOpen8K(b *testing.B) {
-	benchmarkOpenSize(b, 8192)
-}
diff --git a/vendor/golang.org/x/crypto/ocsp/ocsp.go b/vendor/golang.org/x/crypto/ocsp/ocsp.go
deleted file mode 100644
index 589dfd35..00000000
--- a/vendor/golang.org/x/crypto/ocsp/ocsp.go
+++ /dev/null
@@ -1,778 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses
-// are signed messages attesting to the validity of a certificate for a small
-// period of time. This is used to manage revocation for X.509 certificates.
-package ocsp // import "golang.org/x/crypto/ocsp"
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	_ "crypto/sha1"
-	_ "crypto/sha256"
-	_ "crypto/sha512"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"errors"
-	"fmt"
-	"math/big"
-	"strconv"
-	"time"
-)
-
-var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1})
-
-// ResponseStatus contains the result of an OCSP request. See
-// https://tools.ietf.org/html/rfc6960#section-2.3
-type ResponseStatus int
-
-const (
-	Success       ResponseStatus = 0
-	Malformed     ResponseStatus = 1
-	InternalError ResponseStatus = 2
-	TryLater      ResponseStatus = 3
-	// Status code four is unused in OCSP. See
-	// https://tools.ietf.org/html/rfc6960#section-4.2.1
-	SignatureRequired ResponseStatus = 5
-	Unauthorized      ResponseStatus = 6
-)
-
-func (r ResponseStatus) String() string {
-	switch r {
-	case Success:
-		return "success"
-	case Malformed:
-		return "malformed"
-	case InternalError:
-		return "internal error"
-	case TryLater:
-		return "try later"
-	case SignatureRequired:
-		return "signature required"
-	case Unauthorized:
-		return "unauthorized"
-	default:
-		return "unknown OCSP status: " + strconv.Itoa(int(r))
-	}
-}
-
-// ResponseError is an error that may be returned by ParseResponse to indicate
-// that the response itself is an error, not just that its indicating that a
-// certificate is revoked, unknown, etc.
-type ResponseError struct {
-	Status ResponseStatus
-}
-
-func (r ResponseError) Error() string {
-	return "ocsp: error from server: " + r.Status.String()
-}
-
-// These are internal structures that reflect the ASN.1 structure of an OCSP
-// response. See RFC 2560, section 4.2.
-
-type certID struct {
-	HashAlgorithm pkix.AlgorithmIdentifier
-	NameHash      []byte
-	IssuerKeyHash []byte
-	SerialNumber  *big.Int
-}
-
-// https://tools.ietf.org/html/rfc2560#section-4.1.1
-type ocspRequest struct {
-	TBSRequest tbsRequest
-}
-
-type tbsRequest struct {
-	Version       int              `asn1:"explicit,tag:0,default:0,optional"`
-	RequestorName pkix.RDNSequence `asn1:"explicit,tag:1,optional"`
-	RequestList   []request
-}
-
-type request struct {
-	Cert certID
-}
-
-type responseASN1 struct {
-	Status   asn1.Enumerated
-	Response responseBytes `asn1:"explicit,tag:0,optional"`
-}
-
-type responseBytes struct {
-	ResponseType asn1.ObjectIdentifier
-	Response     []byte
-}
-
-type basicResponse struct {
-	TBSResponseData    responseData
-	SignatureAlgorithm pkix.AlgorithmIdentifier
-	Signature          asn1.BitString
-	Certificates       []asn1.RawValue `asn1:"explicit,tag:0,optional"`
-}
-
-type responseData struct {
-	Raw            asn1.RawContent
-	Version        int `asn1:"optional,default:0,explicit,tag:0"`
-	RawResponderID asn1.RawValue
-	ProducedAt     time.Time `asn1:"generalized"`
-	Responses      []singleResponse
-}
-
-type singleResponse struct {
-	CertID           certID
-	Good             asn1.Flag        `asn1:"tag:0,optional"`
-	Revoked          revokedInfo      `asn1:"tag:1,optional"`
-	Unknown          asn1.Flag        `asn1:"tag:2,optional"`
-	ThisUpdate       time.Time        `asn1:"generalized"`
-	NextUpdate       time.Time        `asn1:"generalized,explicit,tag:0,optional"`
-	SingleExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"`
-}
-
-type revokedInfo struct {
-	RevocationTime time.Time       `asn1:"generalized"`
-	Reason         asn1.Enumerated `asn1:"explicit,tag:0,optional"`
-}
-
-var (
-	oidSignatureMD2WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
-	oidSignatureMD5WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
-	oidSignatureSHA1WithRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
-	oidSignatureSHA256WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
-	oidSignatureSHA384WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
-	oidSignatureSHA512WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
-	oidSignatureDSAWithSHA1     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
-	oidSignatureDSAWithSHA256   = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
-	oidSignatureECDSAWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
-	oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
-	oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
-	oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
-)
-
-var hashOIDs = map[crypto.Hash]asn1.ObjectIdentifier{
-	crypto.SHA1:   asn1.ObjectIdentifier([]int{1, 3, 14, 3, 2, 26}),
-	crypto.SHA256: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 1}),
-	crypto.SHA384: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 2}),
-	crypto.SHA512: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 3}),
-}
-
-// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below
-var signatureAlgorithmDetails = []struct {
-	algo       x509.SignatureAlgorithm
-	oid        asn1.ObjectIdentifier
-	pubKeyAlgo x509.PublicKeyAlgorithm
-	hash       crypto.Hash
-}{
-	{x509.MD2WithRSA, oidSignatureMD2WithRSA, x509.RSA, crypto.Hash(0) /* no value for MD2 */},
-	{x509.MD5WithRSA, oidSignatureMD5WithRSA, x509.RSA, crypto.MD5},
-	{x509.SHA1WithRSA, oidSignatureSHA1WithRSA, x509.RSA, crypto.SHA1},
-	{x509.SHA256WithRSA, oidSignatureSHA256WithRSA, x509.RSA, crypto.SHA256},
-	{x509.SHA384WithRSA, oidSignatureSHA384WithRSA, x509.RSA, crypto.SHA384},
-	{x509.SHA512WithRSA, oidSignatureSHA512WithRSA, x509.RSA, crypto.SHA512},
-	{x509.DSAWithSHA1, oidSignatureDSAWithSHA1, x509.DSA, crypto.SHA1},
-	{x509.DSAWithSHA256, oidSignatureDSAWithSHA256, x509.DSA, crypto.SHA256},
-	{x509.ECDSAWithSHA1, oidSignatureECDSAWithSHA1, x509.ECDSA, crypto.SHA1},
-	{x509.ECDSAWithSHA256, oidSignatureECDSAWithSHA256, x509.ECDSA, crypto.SHA256},
-	{x509.ECDSAWithSHA384, oidSignatureECDSAWithSHA384, x509.ECDSA, crypto.SHA384},
-	{x509.ECDSAWithSHA512, oidSignatureECDSAWithSHA512, x509.ECDSA, crypto.SHA512},
-}
-
-// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below
-func signingParamsForPublicKey(pub interface{}, requestedSigAlgo x509.SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
-	var pubType x509.PublicKeyAlgorithm
-
-	switch pub := pub.(type) {
-	case *rsa.PublicKey:
-		pubType = x509.RSA
-		hashFunc = crypto.SHA256
-		sigAlgo.Algorithm = oidSignatureSHA256WithRSA
-		sigAlgo.Parameters = asn1.RawValue{
-			Tag: 5,
-		}
-
-	case *ecdsa.PublicKey:
-		pubType = x509.ECDSA
-
-		switch pub.Curve {
-		case elliptic.P224(), elliptic.P256():
-			hashFunc = crypto.SHA256
-			sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
-		case elliptic.P384():
-			hashFunc = crypto.SHA384
-			sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
-		case elliptic.P521():
-			hashFunc = crypto.SHA512
-			sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
-		default:
-			err = errors.New("x509: unknown elliptic curve")
-		}
-
-	default:
-		err = errors.New("x509: only RSA and ECDSA keys supported")
-	}
-
-	if err != nil {
-		return
-	}
-
-	if requestedSigAlgo == 0 {
-		return
-	}
-
-	found := false
-	for _, details := range signatureAlgorithmDetails {
-		if details.algo == requestedSigAlgo {
-			if details.pubKeyAlgo != pubType {
-				err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
-				return
-			}
-			sigAlgo.Algorithm, hashFunc = details.oid, details.hash
-			if hashFunc == 0 {
-				err = errors.New("x509: cannot sign with hash function requested")
-				return
-			}
-			found = true
-			break
-		}
-	}
-
-	if !found {
-		err = errors.New("x509: unknown SignatureAlgorithm")
-	}
-
-	return
-}
-
-// TODO(agl): this is taken from crypto/x509 and so should probably be exported
-// from crypto/x509 or crypto/x509/pkix.
-func getSignatureAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.SignatureAlgorithm {
-	for _, details := range signatureAlgorithmDetails {
-		if oid.Equal(details.oid) {
-			return details.algo
-		}
-	}
-	return x509.UnknownSignatureAlgorithm
-}
-
-// TODO(rlb): This is not taken from crypto/x509, but it's of the same general form.
-func getHashAlgorithmFromOID(target asn1.ObjectIdentifier) crypto.Hash {
-	for hash, oid := range hashOIDs {
-		if oid.Equal(target) {
-			return hash
-		}
-	}
-	return crypto.Hash(0)
-}
-
-func getOIDFromHashAlgorithm(target crypto.Hash) asn1.ObjectIdentifier {
-	for hash, oid := range hashOIDs {
-		if hash == target {
-			return oid
-		}
-	}
-	return nil
-}
-
-// This is the exposed reflection of the internal OCSP structures.
-
-// The status values that can be expressed in OCSP.  See RFC 6960.
-const (
-	// Good means that the certificate is valid.
-	Good = iota
-	// Revoked means that the certificate has been deliberately revoked.
-	Revoked
-	// Unknown means that the OCSP responder doesn't know about the certificate.
-	Unknown
-	// ServerFailed is unused and was never used (see
-	// https://go-review.googlesource.com/#/c/18944). ParseResponse will
-	// return a ResponseError when an error response is parsed.
-	ServerFailed
-)
-
-// The enumerated reasons for revoking a certificate.  See RFC 5280.
-const (
-	Unspecified          = 0
-	KeyCompromise        = 1
-	CACompromise         = 2
-	AffiliationChanged   = 3
-	Superseded           = 4
-	CessationOfOperation = 5
-	CertificateHold      = 6
-
-	RemoveFromCRL      = 8
-	PrivilegeWithdrawn = 9
-	AACompromise       = 10
-)
-
-// Request represents an OCSP request. See RFC 6960.
-type Request struct {
-	HashAlgorithm  crypto.Hash
-	IssuerNameHash []byte
-	IssuerKeyHash  []byte
-	SerialNumber   *big.Int
-}
-
-// Marshal marshals the OCSP request to ASN.1 DER encoded form.
-func (req *Request) Marshal() ([]byte, error) {
-	hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm)
-	if hashAlg == nil {
-		return nil, errors.New("Unknown hash algorithm")
-	}
-	return asn1.Marshal(ocspRequest{
-		tbsRequest{
-			Version: 0,
-			RequestList: []request{
-				{
-					Cert: certID{
-						pkix.AlgorithmIdentifier{
-							Algorithm:  hashAlg,
-							Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */},
-						},
-						req.IssuerNameHash,
-						req.IssuerKeyHash,
-						req.SerialNumber,
-					},
-				},
-			},
-		},
-	})
-}
-
-// Response represents an OCSP response containing a single SingleResponse. See
-// RFC 6960.
-type Response struct {
-	// Status is one of {Good, Revoked, Unknown}
-	Status                                        int
-	SerialNumber                                  *big.Int
-	ProducedAt, ThisUpdate, NextUpdate, RevokedAt time.Time
-	RevocationReason                              int
-	Certificate                                   *x509.Certificate
-	// TBSResponseData contains the raw bytes of the signed response. If
-	// Certificate is nil then this can be used to verify Signature.
-	TBSResponseData    []byte
-	Signature          []byte
-	SignatureAlgorithm x509.SignatureAlgorithm
-
-	// IssuerHash is the hash used to compute the IssuerNameHash and IssuerKeyHash.
-	// Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384, and crypto.SHA512.
-	// If zero, the default is crypto.SHA1.
-	IssuerHash crypto.Hash
-
-	// RawResponderName optionally contains the DER-encoded subject of the
-	// responder certificate. Exactly one of RawResponderName and
-	// ResponderKeyHash is set.
-	RawResponderName []byte
-	// ResponderKeyHash optionally contains the SHA-1 hash of the
-	// responder's public key. Exactly one of RawResponderName and
-	// ResponderKeyHash is set.
-	ResponderKeyHash []byte
-
-	// Extensions contains raw X.509 extensions from the singleExtensions field
-	// of the OCSP response. When parsing certificates, this can be used to
-	// extract non-critical extensions that are not parsed by this package. When
-	// marshaling OCSP responses, the Extensions field is ignored, see
-	// ExtraExtensions.
-	Extensions []pkix.Extension
-
-	// ExtraExtensions contains extensions to be copied, raw, into any marshaled
-	// OCSP response (in the singleExtensions field). Values override any
-	// extensions that would otherwise be produced based on the other fields. The
-	// ExtraExtensions field is not populated when parsing certificates, see
-	// Extensions.
-	ExtraExtensions []pkix.Extension
-}
-
-// These are pre-serialized error responses for the various non-success codes
-// defined by OCSP. The Unauthorized code in particular can be used by an OCSP
-// responder that supports only pre-signed responses as a response to requests
-// for certificates with unknown status. See RFC 5019.
-var (
-	MalformedRequestErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x01}
-	InternalErrorErrorResponse    = []byte{0x30, 0x03, 0x0A, 0x01, 0x02}
-	TryLaterErrorResponse         = []byte{0x30, 0x03, 0x0A, 0x01, 0x03}
-	SigRequredErrorResponse       = []byte{0x30, 0x03, 0x0A, 0x01, 0x05}
-	UnauthorizedErrorResponse     = []byte{0x30, 0x03, 0x0A, 0x01, 0x06}
-)
-
-// CheckSignatureFrom checks that the signature in resp is a valid signature
-// from issuer. This should only be used if resp.Certificate is nil. Otherwise,
-// the OCSP response contained an intermediate certificate that created the
-// signature. That signature is checked by ParseResponse and only
-// resp.Certificate remains to be validated.
-func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error {
-	return issuer.CheckSignature(resp.SignatureAlgorithm, resp.TBSResponseData, resp.Signature)
-}
-
-// ParseError results from an invalid OCSP response.
-type ParseError string
-
-func (p ParseError) Error() string {
-	return string(p)
-}
-
-// ParseRequest parses an OCSP request in DER form. It only supports
-// requests for a single certificate. Signed requests are not supported.
-// If a request includes a signature, it will result in a ParseError.
-func ParseRequest(bytes []byte) (*Request, error) {
-	var req ocspRequest
-	rest, err := asn1.Unmarshal(bytes, &req)
-	if err != nil {
-		return nil, err
-	}
-	if len(rest) > 0 {
-		return nil, ParseError("trailing data in OCSP request")
-	}
-
-	if len(req.TBSRequest.RequestList) == 0 {
-		return nil, ParseError("OCSP request contains no request body")
-	}
-	innerRequest := req.TBSRequest.RequestList[0]
-
-	hashFunc := getHashAlgorithmFromOID(innerRequest.Cert.HashAlgorithm.Algorithm)
-	if hashFunc == crypto.Hash(0) {
-		return nil, ParseError("OCSP request uses unknown hash function")
-	}
-
-	return &Request{
-		HashAlgorithm:  hashFunc,
-		IssuerNameHash: innerRequest.Cert.NameHash,
-		IssuerKeyHash:  innerRequest.Cert.IssuerKeyHash,
-		SerialNumber:   innerRequest.Cert.SerialNumber,
-	}, nil
-}
-
-// ParseResponse parses an OCSP response in DER form. It only supports
-// responses for a single certificate. If the response contains a certificate
-// then the signature over the response is checked. If issuer is not nil then
-// it will be used to validate the signature or embedded certificate.
-//
-// Invalid responses and parse failures will result in a ParseError.
-// Error responses will result in a ResponseError.
-func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) {
-	return ParseResponseForCert(bytes, nil, issuer)
-}
-
-// ParseResponseForCert parses an OCSP response in DER form and searches for a
-// Response relating to cert. If such a Response is found and the OCSP response
-// contains a certificate then the signature over the response is checked. If
-// issuer is not nil then it will be used to validate the signature or embedded
-// certificate.
-//
-// Invalid responses and parse failures will result in a ParseError.
-// Error responses will result in a ResponseError.
-func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Response, error) {
-	var resp responseASN1
-	rest, err := asn1.Unmarshal(bytes, &resp)
-	if err != nil {
-		return nil, err
-	}
-	if len(rest) > 0 {
-		return nil, ParseError("trailing data in OCSP response")
-	}
-
-	if status := ResponseStatus(resp.Status); status != Success {
-		return nil, ResponseError{status}
-	}
-
-	if !resp.Response.ResponseType.Equal(idPKIXOCSPBasic) {
-		return nil, ParseError("bad OCSP response type")
-	}
-
-	var basicResp basicResponse
-	rest, err = asn1.Unmarshal(resp.Response.Response, &basicResp)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(basicResp.Certificates) > 1 {
-		return nil, ParseError("OCSP response contains bad number of certificates")
-	}
-
-	if n := len(basicResp.TBSResponseData.Responses); n == 0 || cert == nil && n > 1 {
-		return nil, ParseError("OCSP response contains bad number of responses")
-	}
-
-	var singleResp singleResponse
-	if cert == nil {
-		singleResp = basicResp.TBSResponseData.Responses[0]
-	} else {
-		match := false
-		for _, resp := range basicResp.TBSResponseData.Responses {
-			if cert.SerialNumber.Cmp(resp.CertID.SerialNumber) == 0 {
-				singleResp = resp
-				match = true
-				break
-			}
-		}
-		if !match {
-			return nil, ParseError("no response matching the supplied certificate")
-		}
-	}
-
-	ret := &Response{
-		TBSResponseData:    basicResp.TBSResponseData.Raw,
-		Signature:          basicResp.Signature.RightAlign(),
-		SignatureAlgorithm: getSignatureAlgorithmFromOID(basicResp.SignatureAlgorithm.Algorithm),
-		Extensions:         singleResp.SingleExtensions,
-		SerialNumber:       singleResp.CertID.SerialNumber,
-		ProducedAt:         basicResp.TBSResponseData.ProducedAt,
-		ThisUpdate:         singleResp.ThisUpdate,
-		NextUpdate:         singleResp.NextUpdate,
-	}
-
-	// Handle the ResponderID CHOICE tag. ResponderID can be flattened into
-	// TBSResponseData once https://go-review.googlesource.com/34503 has been
-	// released.
-	rawResponderID := basicResp.TBSResponseData.RawResponderID
-	switch rawResponderID.Tag {
-	case 1: // Name
-		var rdn pkix.RDNSequence
-		if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &rdn); err != nil || len(rest) != 0 {
-			return nil, ParseError("invalid responder name")
-		}
-		ret.RawResponderName = rawResponderID.Bytes
-	case 2: // KeyHash
-		if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &ret.ResponderKeyHash); err != nil || len(rest) != 0 {
-			return nil, ParseError("invalid responder key hash")
-		}
-	default:
-		return nil, ParseError("invalid responder id tag")
-	}
-
-	if len(basicResp.Certificates) > 0 {
-		ret.Certificate, err = x509.ParseCertificate(basicResp.Certificates[0].FullBytes)
-		if err != nil {
-			return nil, err
-		}
-
-		if err := ret.CheckSignatureFrom(ret.Certificate); err != nil {
-			return nil, ParseError("bad signature on embedded certificate: " + err.Error())
-		}
-
-		if issuer != nil {
-			if err := issuer.CheckSignature(ret.Certificate.SignatureAlgorithm, ret.Certificate.RawTBSCertificate, ret.Certificate.Signature); err != nil {
-				return nil, ParseError("bad OCSP signature: " + err.Error())
-			}
-		}
-	} else if issuer != nil {
-		if err := ret.CheckSignatureFrom(issuer); err != nil {
-			return nil, ParseError("bad OCSP signature: " + err.Error())
-		}
-	}
-
-	for _, ext := range singleResp.SingleExtensions {
-		if ext.Critical {
-			return nil, ParseError("unsupported critical extension")
-		}
-	}
-
-	for h, oid := range hashOIDs {
-		if singleResp.CertID.HashAlgorithm.Algorithm.Equal(oid) {
-			ret.IssuerHash = h
-			break
-		}
-	}
-	if ret.IssuerHash == 0 {
-		return nil, ParseError("unsupported issuer hash algorithm")
-	}
-
-	switch {
-	case bool(singleResp.Good):
-		ret.Status = Good
-	case bool(singleResp.Unknown):
-		ret.Status = Unknown
-	default:
-		ret.Status = Revoked
-		ret.RevokedAt = singleResp.Revoked.RevocationTime
-		ret.RevocationReason = int(singleResp.Revoked.Reason)
-	}
-
-	return ret, nil
-}
-
-// RequestOptions contains options for constructing OCSP requests.
-type RequestOptions struct {
-	// Hash contains the hash function that should be used when
-	// constructing the OCSP request. If zero, SHA-1 will be used.
-	Hash crypto.Hash
-}
-
-func (opts *RequestOptions) hash() crypto.Hash {
-	if opts == nil || opts.Hash == 0 {
-		// SHA-1 is nearly universally used in OCSP.
-		return crypto.SHA1
-	}
-	return opts.Hash
-}
-
-// CreateRequest returns a DER-encoded, OCSP request for the status of cert. If
-// opts is nil then sensible defaults are used.
-func CreateRequest(cert, issuer *x509.Certificate, opts *RequestOptions) ([]byte, error) {
-	hashFunc := opts.hash()
-
-	// OCSP seems to be the only place where these raw hash identifiers are
-	// used. I took the following from
-	// http://msdn.microsoft.com/en-us/library/ff635603.aspx
-	_, ok := hashOIDs[hashFunc]
-	if !ok {
-		return nil, x509.ErrUnsupportedAlgorithm
-	}
-
-	if !hashFunc.Available() {
-		return nil, x509.ErrUnsupportedAlgorithm
-	}
-	h := opts.hash().New()
-
-	var publicKeyInfo struct {
-		Algorithm pkix.AlgorithmIdentifier
-		PublicKey asn1.BitString
-	}
-	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil {
-		return nil, err
-	}
-
-	h.Write(publicKeyInfo.PublicKey.RightAlign())
-	issuerKeyHash := h.Sum(nil)
-
-	h.Reset()
-	h.Write(issuer.RawSubject)
-	issuerNameHash := h.Sum(nil)
-
-	req := &Request{
-		HashAlgorithm:  hashFunc,
-		IssuerNameHash: issuerNameHash,
-		IssuerKeyHash:  issuerKeyHash,
-		SerialNumber:   cert.SerialNumber,
-	}
-	return req.Marshal()
-}
-
-// CreateResponse returns a DER-encoded OCSP response with the specified contents.
-// The fields in the response are populated as follows:
-//
-// The responder cert is used to populate the responder's name field, and the
-// certificate itself is provided alongside the OCSP response signature.
-//
-// The issuer cert is used to puplate the IssuerNameHash and IssuerKeyHash fields.
-//
-// The template is used to populate the SerialNumber, Status, RevokedAt,
-// RevocationReason, ThisUpdate, and NextUpdate fields.
-//
-// If template.IssuerHash is not set, SHA1 will be used.
-//
-// The ProducedAt date is automatically set to the current date, to the nearest minute.
-func CreateResponse(issuer, responderCert *x509.Certificate, template Response, priv crypto.Signer) ([]byte, error) {
-	var publicKeyInfo struct {
-		Algorithm pkix.AlgorithmIdentifier
-		PublicKey asn1.BitString
-	}
-	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil {
-		return nil, err
-	}
-
-	if template.IssuerHash == 0 {
-		template.IssuerHash = crypto.SHA1
-	}
-	hashOID := getOIDFromHashAlgorithm(template.IssuerHash)
-	if hashOID == nil {
-		return nil, errors.New("unsupported issuer hash algorithm")
-	}
-
-	if !template.IssuerHash.Available() {
-		return nil, fmt.Errorf("issuer hash algorithm %v not linked into binary", template.IssuerHash)
-	}
-	h := template.IssuerHash.New()
-	h.Write(publicKeyInfo.PublicKey.RightAlign())
-	issuerKeyHash := h.Sum(nil)
-
-	h.Reset()
-	h.Write(issuer.RawSubject)
-	issuerNameHash := h.Sum(nil)
-
-	innerResponse := singleResponse{
-		CertID: certID{
-			HashAlgorithm: pkix.AlgorithmIdentifier{
-				Algorithm:  hashOID,
-				Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */},
-			},
-			NameHash:      issuerNameHash,
-			IssuerKeyHash: issuerKeyHash,
-			SerialNumber:  template.SerialNumber,
-		},
-		ThisUpdate:       template.ThisUpdate.UTC(),
-		NextUpdate:       template.NextUpdate.UTC(),
-		SingleExtensions: template.ExtraExtensions,
-	}
-
-	switch template.Status {
-	case Good:
-		innerResponse.Good = true
-	case Unknown:
-		innerResponse.Unknown = true
-	case Revoked:
-		innerResponse.Revoked = revokedInfo{
-			RevocationTime: template.RevokedAt.UTC(),
-			Reason:         asn1.Enumerated(template.RevocationReason),
-		}
-	}
-
-	rawResponderID := asn1.RawValue{
-		Class:      2, // context-specific
-		Tag:        1, // Name (explicit tag)
-		IsCompound: true,
-		Bytes:      responderCert.RawSubject,
-	}
-	tbsResponseData := responseData{
-		Version:        0,
-		RawResponderID: rawResponderID,
-		ProducedAt:     time.Now().Truncate(time.Minute).UTC(),
-		Responses:      []singleResponse{innerResponse},
-	}
-
-	tbsResponseDataDER, err := asn1.Marshal(tbsResponseData)
-	if err != nil {
-		return nil, err
-	}
-
-	hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm)
-	if err != nil {
-		return nil, err
-	}
-
-	responseHash := hashFunc.New()
-	responseHash.Write(tbsResponseDataDER)
-	signature, err := priv.Sign(rand.Reader, responseHash.Sum(nil), hashFunc)
-	if err != nil {
-		return nil, err
-	}
-
-	response := basicResponse{
-		TBSResponseData:    tbsResponseData,
-		SignatureAlgorithm: signatureAlgorithm,
-		Signature: asn1.BitString{
-			Bytes:     signature,
-			BitLength: 8 * len(signature),
-		},
-	}
-	if template.Certificate != nil {
-		response.Certificates = []asn1.RawValue{
-			{FullBytes: template.Certificate.Raw},
-		}
-	}
-	responseDER, err := asn1.Marshal(response)
-	if err != nil {
-		return nil, err
-	}
-
-	return asn1.Marshal(responseASN1{
-		Status: asn1.Enumerated(Success),
-		Response: responseBytes{
-			ResponseType: idPKIXOCSPBasic,
-			Response:     responseDER,
-		},
-	})
-}
diff --git a/vendor/golang.org/x/crypto/ocsp/ocsp_test.go b/vendor/golang.org/x/crypto/ocsp/ocsp_test.go
deleted file mode 100644
index 70b19764..00000000
--- a/vendor/golang.org/x/crypto/ocsp/ocsp_test.go
+++ /dev/null
@@ -1,875 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.7
-
-package ocsp
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/sha1"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/hex"
-	"math/big"
-	"reflect"
-	"testing"
-	"time"
-)
-
-func TestOCSPDecode(t *testing.T) {
-	responseBytes, _ := hex.DecodeString(ocspResponseHex)
-	resp, err := ParseResponse(responseBytes, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	responderCert, _ := hex.DecodeString(startComResponderCertHex)
-	responder, err := x509.ParseCertificate(responderCert)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expected := Response{
-		Status:           Good,
-		SerialNumber:     big.NewInt(0x1d0fa),
-		RevocationReason: Unspecified,
-		ThisUpdate:       time.Date(2010, 7, 7, 15, 1, 5, 0, time.UTC),
-		NextUpdate:       time.Date(2010, 7, 7, 18, 35, 17, 0, time.UTC),
-		RawResponderName: responder.RawSubject,
-	}
-
-	if !reflect.DeepEqual(resp.ThisUpdate, expected.ThisUpdate) {
-		t.Errorf("resp.ThisUpdate: got %v, want %v", resp.ThisUpdate, expected.ThisUpdate)
-	}
-
-	if !reflect.DeepEqual(resp.NextUpdate, expected.NextUpdate) {
-		t.Errorf("resp.NextUpdate: got %v, want %v", resp.NextUpdate, expected.NextUpdate)
-	}
-
-	if resp.Status != expected.Status {
-		t.Errorf("resp.Status: got %d, want %d", resp.Status, expected.Status)
-	}
-
-	if resp.SerialNumber.Cmp(expected.SerialNumber) != 0 {
-		t.Errorf("resp.SerialNumber: got %x, want %x", resp.SerialNumber, expected.SerialNumber)
-	}
-
-	if resp.RevocationReason != expected.RevocationReason {
-		t.Errorf("resp.RevocationReason: got %d, want %d", resp.RevocationReason, expected.RevocationReason)
-	}
-
-	if !bytes.Equal(resp.RawResponderName, expected.RawResponderName) {
-		t.Errorf("resp.RawResponderName: got %x, want %x", resp.RawResponderName, expected.RawResponderName)
-	}
-
-	if !bytes.Equal(resp.ResponderKeyHash, expected.ResponderKeyHash) {
-		t.Errorf("resp.ResponderKeyHash: got %x, want %x", resp.ResponderKeyHash, expected.ResponderKeyHash)
-	}
-}
-
-func TestOCSPDecodeWithoutCert(t *testing.T) {
-	responseBytes, _ := hex.DecodeString(ocspResponseWithoutCertHex)
-	_, err := ParseResponse(responseBytes, nil)
-	if err != nil {
-		t.Error(err)
-	}
-}
-
-func TestOCSPDecodeWithExtensions(t *testing.T) {
-	responseBytes, _ := hex.DecodeString(ocspResponseWithCriticalExtensionHex)
-	_, err := ParseResponse(responseBytes, nil)
-	if err == nil {
-		t.Error(err)
-	}
-
-	responseBytes, _ = hex.DecodeString(ocspResponseWithExtensionHex)
-	response, err := ParseResponse(responseBytes, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(response.Extensions) != 1 {
-		t.Errorf("len(response.Extensions): got %v, want %v", len(response.Extensions), 1)
-	}
-
-	extensionBytes := response.Extensions[0].Value
-	expectedBytes, _ := hex.DecodeString(ocspExtensionValueHex)
-	if !bytes.Equal(extensionBytes, expectedBytes) {
-		t.Errorf("response.Extensions[0]: got %x, want %x", extensionBytes, expectedBytes)
-	}
-}
-
-func TestOCSPSignature(t *testing.T) {
-	issuerCert, _ := hex.DecodeString(startComHex)
-	issuer, err := x509.ParseCertificate(issuerCert)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	response, _ := hex.DecodeString(ocspResponseHex)
-	if _, err := ParseResponse(response, issuer); err != nil {
-		t.Error(err)
-	}
-}
-
-func TestOCSPRequest(t *testing.T) {
-	leafCert, _ := hex.DecodeString(leafCertHex)
-	cert, err := x509.ParseCertificate(leafCert)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	issuerCert, _ := hex.DecodeString(issuerCertHex)
-	issuer, err := x509.ParseCertificate(issuerCert)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	request, err := CreateRequest(cert, issuer, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expectedBytes, _ := hex.DecodeString(ocspRequestHex)
-	if !bytes.Equal(request, expectedBytes) {
-		t.Errorf("request: got %x, wanted %x", request, expectedBytes)
-	}
-
-	decodedRequest, err := ParseRequest(expectedBytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if decodedRequest.HashAlgorithm != crypto.SHA1 {
-		t.Errorf("request.HashAlgorithm: got %v, want %v", decodedRequest.HashAlgorithm, crypto.SHA1)
-	}
-
-	var publicKeyInfo struct {
-		Algorithm pkix.AlgorithmIdentifier
-		PublicKey asn1.BitString
-	}
-	_, err = asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	h := sha1.New()
-	h.Write(publicKeyInfo.PublicKey.RightAlign())
-	issuerKeyHash := h.Sum(nil)
-
-	h.Reset()
-	h.Write(issuer.RawSubject)
-	issuerNameHash := h.Sum(nil)
-
-	if got := decodedRequest.IssuerKeyHash; !bytes.Equal(got, issuerKeyHash) {
-		t.Errorf("request.IssuerKeyHash: got %x, want %x", got, issuerKeyHash)
-	}
-
-	if got := decodedRequest.IssuerNameHash; !bytes.Equal(got, issuerNameHash) {
-		t.Errorf("request.IssuerKeyHash: got %x, want %x", got, issuerNameHash)
-	}
-
-	if got := decodedRequest.SerialNumber; got.Cmp(cert.SerialNumber) != 0 {
-		t.Errorf("request.SerialNumber: got %x, want %x", got, cert.SerialNumber)
-	}
-
-	marshaledRequest, err := decodedRequest.Marshal()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if bytes.Compare(expectedBytes, marshaledRequest) != 0 {
-		t.Errorf(
-			"Marshaled request doesn't match expected: wanted %x, got %x",
-			expectedBytes,
-			marshaledRequest,
-		)
-	}
-}
-
-func TestOCSPResponse(t *testing.T) {
-	leafCert, _ := hex.DecodeString(leafCertHex)
-	leaf, err := x509.ParseCertificate(leafCert)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	issuerCert, _ := hex.DecodeString(issuerCertHex)
-	issuer, err := x509.ParseCertificate(issuerCert)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	responderCert, _ := hex.DecodeString(responderCertHex)
-	responder, err := x509.ParseCertificate(responderCert)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	responderPrivateKeyDER, _ := hex.DecodeString(responderPrivateKeyHex)
-	responderPrivateKey, err := x509.ParsePKCS1PrivateKey(responderPrivateKeyDER)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	extensionBytes, _ := hex.DecodeString(ocspExtensionValueHex)
-	extensions := []pkix.Extension{
-		{
-			Id:       ocspExtensionOID,
-			Critical: false,
-			Value:    extensionBytes,
-		},
-	}
-
-	thisUpdate := time.Date(2010, 7, 7, 15, 1, 5, 0, time.UTC)
-	nextUpdate := time.Date(2010, 7, 7, 18, 35, 17, 0, time.UTC)
-	template := Response{
-		Status:           Revoked,
-		SerialNumber:     leaf.SerialNumber,
-		ThisUpdate:       thisUpdate,
-		NextUpdate:       nextUpdate,
-		RevokedAt:        thisUpdate,
-		RevocationReason: KeyCompromise,
-		Certificate:      responder,
-		ExtraExtensions:  extensions,
-	}
-
-	template.IssuerHash = crypto.MD5
-	_, err = CreateResponse(issuer, responder, template, responderPrivateKey)
-	if err == nil {
-		t.Fatal("CreateResponse didn't fail with non-valid template.IssuerHash value crypto.MD5")
-	}
-
-	testCases := []struct {
-		name       string
-		issuerHash crypto.Hash
-	}{
-		{"Zero value", 0},
-		{"crypto.SHA1", crypto.SHA1},
-		{"crypto.SHA256", crypto.SHA256},
-		{"crypto.SHA384", crypto.SHA384},
-		{"crypto.SHA512", crypto.SHA512},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			template.IssuerHash = tc.issuerHash
-			responseBytes, err := CreateResponse(issuer, responder, template, responderPrivateKey)
-			if err != nil {
-				t.Fatalf("CreateResponse failed: %s", err)
-			}
-
-			resp, err := ParseResponse(responseBytes, nil)
-			if err != nil {
-				t.Fatalf("ParseResponse failed: %s", err)
-			}
-
-			if !reflect.DeepEqual(resp.ThisUpdate, template.ThisUpdate) {
-				t.Errorf("resp.ThisUpdate: got %v, want %v", resp.ThisUpdate, template.ThisUpdate)
-			}
-
-			if !reflect.DeepEqual(resp.NextUpdate, template.NextUpdate) {
-				t.Errorf("resp.NextUpdate: got %v, want %v", resp.NextUpdate, template.NextUpdate)
-			}
-
-			if !reflect.DeepEqual(resp.RevokedAt, template.RevokedAt) {
-				t.Errorf("resp.RevokedAt: got %v, want %v", resp.RevokedAt, template.RevokedAt)
-			}
-
-			if !reflect.DeepEqual(resp.Extensions, template.ExtraExtensions) {
-				t.Errorf("resp.Extensions: got %v, want %v", resp.Extensions, template.ExtraExtensions)
-			}
-
-			delay := time.Since(resp.ProducedAt)
-			if delay < -time.Hour || delay > time.Hour {
-				t.Errorf("resp.ProducedAt: got %s, want close to current time (%s)", resp.ProducedAt, time.Now())
-			}
-
-			if resp.Status != template.Status {
-				t.Errorf("resp.Status: got %d, want %d", resp.Status, template.Status)
-			}
-
-			if resp.SerialNumber.Cmp(template.SerialNumber) != 0 {
-				t.Errorf("resp.SerialNumber: got %x, want %x", resp.SerialNumber, template.SerialNumber)
-			}
-
-			if resp.RevocationReason != template.RevocationReason {
-				t.Errorf("resp.RevocationReason: got %d, want %d", resp.RevocationReason, template.RevocationReason)
-			}
-
-			expectedHash := tc.issuerHash
-			if tc.issuerHash == 0 {
-				expectedHash = crypto.SHA1
-			}
-
-			if resp.IssuerHash != expectedHash {
-				t.Errorf("resp.IssuerHash: got %d, want %d", resp.IssuerHash, expectedHash)
-			}
-		})
-	}
-}
-
-func TestErrorResponse(t *testing.T) {
-	responseBytes, _ := hex.DecodeString(errorResponseHex)
-	_, err := ParseResponse(responseBytes, nil)
-
-	respErr, ok := err.(ResponseError)
-	if !ok {
-		t.Fatalf("expected ResponseError from ParseResponse but got %#v", err)
-	}
-	if respErr.Status != Malformed {
-		t.Fatalf("expected Malformed status from ParseResponse but got %d", respErr.Status)
-	}
-}
-
-func TestOCSPDecodeMultiResponse(t *testing.T) {
-	inclCert, _ := hex.DecodeString(ocspMultiResponseCertHex)
-	cert, err := x509.ParseCertificate(inclCert)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	responseBytes, _ := hex.DecodeString(ocspMultiResponseHex)
-	resp, err := ParseResponseForCert(responseBytes, cert, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp.SerialNumber.Cmp(cert.SerialNumber) != 0 {
-		t.Errorf("resp.SerialNumber: got %x, want %x", resp.SerialNumber, cert.SerialNumber)
-	}
-}
-
-func TestOCSPDecodeMultiResponseWithoutMatchingCert(t *testing.T) {
-	wrongCert, _ := hex.DecodeString(startComHex)
-	cert, err := x509.ParseCertificate(wrongCert)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	responseBytes, _ := hex.DecodeString(ocspMultiResponseHex)
-	_, err = ParseResponseForCert(responseBytes, cert, nil)
-	want := ParseError("no response matching the supplied certificate")
-	if err != want {
-		t.Errorf("err: got %q, want %q", err, want)
-	}
-}
-
-// This OCSP response was taken from Thawte's public OCSP responder.
-// To recreate:
-//   $ openssl s_client -tls1 -showcerts -servername www.google.com -connect www.google.com:443
-// Copy and paste the first certificate into /tmp/cert.crt and the second into
-// /tmp/intermediate.crt
-//   $ openssl ocsp -issuer /tmp/intermediate.crt -cert /tmp/cert.crt -url http://ocsp.thawte.com -resp_text -respout /tmp/ocsp.der
-// Then hex encode the result:
-//   $ python -c 'print file("/tmp/ocsp.der", "r").read().encode("hex")'
-
-const ocspResponseHex = "308206bc0a0100a08206b5308206b106092b0601050507300101048206a23082069e3081" +
-	"c9a14e304c310b300906035504061302494c31163014060355040a130d5374617274436f" +
-	"6d204c74642e312530230603550403131c5374617274436f6d20436c6173732031204f43" +
-	"5350205369676e6572180f32303130303730373137333531375a30663064303c30090605" +
-	"2b0e03021a050004146568874f40750f016a3475625e1f5c93e5a26d580414eb4234d098" +
-	"b0ab9ff41b6b08f7cc642eef0e2c45020301d0fa8000180f323031303037303731353031" +
-	"30355aa011180f32303130303730373138333531375a300d06092a864886f70d01010505" +
-	"000382010100ab557ff070d1d7cebbb5f0ec91a15c3fed22eb2e1b8244f1b84545f013a4" +
-	"fb46214c5e3fbfbebb8a56acc2b9db19f68fd3c3201046b3824d5ba689f99864328710cb" +
-	"467195eb37d84f539e49f859316b32964dc3e47e36814ce94d6c56dd02733b1d0802f7ff" +
-	"4eebdbbd2927dcf580f16cbc290f91e81b53cb365e7223f1d6e20a88ea064104875e0145" +
-	"672b20fc14829d51ca122f5f5d77d3ad6c83889c55c7dc43680ba2fe3cef8b05dbcabdc0" +
-	"d3e09aaf9725597f8c858c2fa38c0d6aed2e6318194420dd1a1137445d13e1c97ab47896" +
-	"17a4e08925f46f867b72e3a4dc1f08cb870b2b0717f7207faa0ac512e628a029aba7457a" +
-	"e63dcf3281e2162d9349a08204ba308204b6308204b23082039aa003020102020101300d" +
-	"06092a864886f70d010105050030818c310b300906035504061302494c31163014060355" +
-	"040a130d5374617274436f6d204c74642e312b3029060355040b13225365637572652044" +
-	"69676974616c204365727469666963617465205369676e696e6731383036060355040313" +
-	"2f5374617274436f6d20436c6173732031205072696d61727920496e7465726d65646961" +
-	"746520536572766572204341301e170d3037313032353030323330365a170d3132313032" +
-	"333030323330365a304c310b300906035504061302494c31163014060355040a130d5374" +
-	"617274436f6d204c74642e312530230603550403131c5374617274436f6d20436c617373" +
-	"2031204f435350205369676e657230820122300d06092a864886f70d0101010500038201" +
-	"0f003082010a0282010100b9561b4c45318717178084e96e178df2255e18ed8d8ecc7c2b" +
-	"7b51a6c1c2e6bf0aa3603066f132fe10ae97b50e99fa24b83fc53dd2777496387d14e1c3" +
-	"a9b6a4933e2ac12413d085570a95b8147414a0bc007c7bcf222446ef7f1a156d7ea1c577" +
-	"fc5f0facdfd42eb0f5974990cb2f5cefebceef4d1bdc7ae5c1075c5a99a93171f2b0845b" +
-	"4ff0864e973fcfe32f9d7511ff87a3e943410c90a4493a306b6944359340a9ca96f02b66" +
-	"ce67f028df2980a6aaee8d5d5d452b8b0eb93f923cc1e23fcccbdbe7ffcb114d08fa7a6a" +
-	"3c404f825d1a0e715935cf623a8c7b59670014ed0622f6089a9447a7a19010f7fe58f841" +
-	"29a2765ea367824d1c3bb2fda308530203010001a382015c30820158300c0603551d1301" +
-	"01ff04023000300b0603551d0f0404030203a8301e0603551d250417301506082b060105" +
-	"0507030906092b0601050507300105301d0603551d0e0416041445e0a36695414c5dd449" +
-	"bc00e33cdcdbd2343e173081a80603551d230481a030819d8014eb4234d098b0ab9ff41b" +
-	"6b08f7cc642eef0e2c45a18181a47f307d310b300906035504061302494c311630140603" +
-	"55040a130d5374617274436f6d204c74642e312b3029060355040b132253656375726520" +
-	"4469676974616c204365727469666963617465205369676e696e67312930270603550403" +
-	"13205374617274436f6d2043657274696669636174696f6e20417574686f726974798201" +
-	"0a30230603551d12041c301a8618687474703a2f2f7777772e737461727473736c2e636f" +
-	"6d2f302c06096086480186f842010d041f161d5374617274436f6d205265766f63617469" +
-	"6f6e20417574686f72697479300d06092a864886f70d01010505000382010100182d2215" +
-	"8f0fc0291324fa8574c49bb8ff2835085adcbf7b7fc4191c397ab6951328253fffe1e5ec" +
-	"2a7da0d50fca1a404e6968481366939e666c0a6209073eca57973e2fefa9ed1718e8176f" +
-	"1d85527ff522c08db702e3b2b180f1cbff05d98128252cf0f450f7dd2772f4188047f19d" +
-	"c85317366f94bc52d60f453a550af58e308aaab00ced33040b62bf37f5b1ab2a4f7f0f80" +
-	"f763bf4d707bc8841d7ad9385ee2a4244469260b6f2bf085977af9074796048ecc2f9d48" +
-	"a1d24ce16e41a9941568fec5b42771e118f16c106a54ccc339a4b02166445a167902e75e" +
-	"6d8620b0825dcd18a069b90fd851d10fa8effd409deec02860d26d8d833f304b10669b42"
-
-const startComResponderCertHex = "308204b23082039aa003020102020101300d06092a864886f70d010105050030818c310b" +
-	"300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e31" +
-	"2b3029060355040b1322536563757265204469676974616c204365727469666963617465" +
-	"205369676e696e67313830360603550403132f5374617274436f6d20436c617373203120" +
-	"5072696d61727920496e7465726d65646961746520536572766572204341301e170d3037" +
-	"313032353030323330365a170d3132313032333030323330365a304c310b300906035504" +
-	"061302494c31163014060355040a130d5374617274436f6d204c74642e31253023060355" +
-	"0403131c5374617274436f6d20436c6173732031204f435350205369676e657230820122" +
-	"300d06092a864886f70d01010105000382010f003082010a0282010100b9561b4c453187" +
-	"17178084e96e178df2255e18ed8d8ecc7c2b7b51a6c1c2e6bf0aa3603066f132fe10ae97" +
-	"b50e99fa24b83fc53dd2777496387d14e1c3a9b6a4933e2ac12413d085570a95b8147414" +
-	"a0bc007c7bcf222446ef7f1a156d7ea1c577fc5f0facdfd42eb0f5974990cb2f5cefebce" +
-	"ef4d1bdc7ae5c1075c5a99a93171f2b0845b4ff0864e973fcfe32f9d7511ff87a3e94341" +
-	"0c90a4493a306b6944359340a9ca96f02b66ce67f028df2980a6aaee8d5d5d452b8b0eb9" +
-	"3f923cc1e23fcccbdbe7ffcb114d08fa7a6a3c404f825d1a0e715935cf623a8c7b596700" +
-	"14ed0622f6089a9447a7a19010f7fe58f84129a2765ea367824d1c3bb2fda30853020301" +
-	"0001a382015c30820158300c0603551d130101ff04023000300b0603551d0f0404030203" +
-	"a8301e0603551d250417301506082b0601050507030906092b0601050507300105301d06" +
-	"03551d0e0416041445e0a36695414c5dd449bc00e33cdcdbd2343e173081a80603551d23" +
-	"0481a030819d8014eb4234d098b0ab9ff41b6b08f7cc642eef0e2c45a18181a47f307d31" +
-	"0b300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e" +
-	"312b3029060355040b1322536563757265204469676974616c2043657274696669636174" +
-	"65205369676e696e6731293027060355040313205374617274436f6d2043657274696669" +
-	"636174696f6e20417574686f7269747982010a30230603551d12041c301a861868747470" +
-	"3a2f2f7777772e737461727473736c2e636f6d2f302c06096086480186f842010d041f16" +
-	"1d5374617274436f6d205265766f636174696f6e20417574686f72697479300d06092a86" +
-	"4886f70d01010505000382010100182d22158f0fc0291324fa8574c49bb8ff2835085adc" +
-	"bf7b7fc4191c397ab6951328253fffe1e5ec2a7da0d50fca1a404e6968481366939e666c" +
-	"0a6209073eca57973e2fefa9ed1718e8176f1d85527ff522c08db702e3b2b180f1cbff05" +
-	"d98128252cf0f450f7dd2772f4188047f19dc85317366f94bc52d60f453a550af58e308a" +
-	"aab00ced33040b62bf37f5b1ab2a4f7f0f80f763bf4d707bc8841d7ad9385ee2a4244469" +
-	"260b6f2bf085977af9074796048ecc2f9d48a1d24ce16e41a9941568fec5b42771e118f1" +
-	"6c106a54ccc339a4b02166445a167902e75e6d8620b0825dcd18a069b90fd851d10fa8ef" +
-	"fd409deec02860d26d8d833f304b10669b42"
-
-const startComHex = "308206343082041ca003020102020118300d06092a864886f70d0101050500307d310b30" +
-	"0906035504061302494c31163014060355040a130d5374617274436f6d204c74642e312b" +
-	"3029060355040b1322536563757265204469676974616c20436572746966696361746520" +
-	"5369676e696e6731293027060355040313205374617274436f6d20436572746966696361" +
-	"74696f6e20417574686f72697479301e170d3037313032343230353431375a170d313731" +
-	"3032343230353431375a30818c310b300906035504061302494c31163014060355040a13" +
-	"0d5374617274436f6d204c74642e312b3029060355040b13225365637572652044696769" +
-	"74616c204365727469666963617465205369676e696e67313830360603550403132f5374" +
-	"617274436f6d20436c6173732031205072696d61727920496e7465726d65646961746520" +
-	"53657276657220434130820122300d06092a864886f70d01010105000382010f00308201" +
-	"0a0282010100b689c6acef09527807ac9263d0f44418188480561f91aee187fa3250b4d3" +
-	"4706f0e6075f700e10f71dc0ce103634855a0f92ac83c6ac58523fba38e8fce7a724e240" +
-	"a60876c0926e9e2a6d4d3f6e61200adb59ded27d63b33e46fefa215118d7cd30a6ed076e" +
-	"3b7087b4f9faebee823c056f92f7a4dc0a301e9373fe07cad75f809d225852ae06da8b87" +
-	"2369b0e42ad8ea83d2bdf371db705a280faf5a387045123f304dcd3baf17e50fcba0a95d" +
-	"48aab16150cb34cd3c5cc30be810c08c9bf0030362feb26c3e720eee1c432ac9480e5739" +
-	"c43121c810c12c87fe5495521f523c31129b7fe7c0a0a559d5e28f3ef0d5a8e1d77031a9" +
-	"c4b3cfaf6d532f06f4a70203010001a38201ad308201a9300f0603551d130101ff040530" +
-	"030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414eb4234d098" +
-	"b0ab9ff41b6b08f7cc642eef0e2c45301f0603551d230418301680144e0bef1aa4405ba5" +
-	"17698730ca346843d041aef2306606082b06010505070101045a3058302706082b060105" +
-	"05073001861b687474703a2f2f6f6373702e737461727473736c2e636f6d2f6361302d06" +
-	"082b060105050730028621687474703a2f2f7777772e737461727473736c2e636f6d2f73" +
-	"667363612e637274305b0603551d1f045430523027a025a0238621687474703a2f2f7777" +
-	"772e737461727473736c2e636f6d2f73667363612e63726c3027a025a023862168747470" +
-	"3a2f2f63726c2e737461727473736c2e636f6d2f73667363612e63726c3081800603551d" +
-	"20047930773075060b2b0601040181b5370102013066302e06082b060105050702011622" +
-	"687474703a2f2f7777772e737461727473736c2e636f6d2f706f6c6963792e7064663034" +
-	"06082b060105050702011628687474703a2f2f7777772e737461727473736c2e636f6d2f" +
-	"696e7465726d6564696174652e706466300d06092a864886f70d01010505000382020100" +
-	"2109493ea5886ee00b8b48da314d8ff75657a2e1d36257e9b556f38545753be5501f048b" +
-	"e6a05a3ee700ae85d0fbff200364cbad02e1c69172f8a34dd6dee8cc3fa18aa2e37c37a7" +
-	"c64f8f35d6f4d66e067bdd21d9cf56ffcb302249fe8904f385e5aaf1e71fe875904dddf9" +
-	"46f74234f745580c110d84b0c6da5d3ef9019ee7e1da5595be741c7bfc4d144fac7e5547" +
-	"7d7bf4a50d491e95e8f712c1ccff76a62547d0f37535be97b75816ebaa5c786fec5330af" +
-	"ea044dcca902e3f0b60412f630b1113d904e5664d7dc3c435f7339ef4baf87ebf6fe6888" +
-	"4472ead207c669b0c1a18bef1749d761b145485f3b2021e95bb2ccf4d7e931f50b15613b" +
-	"7a94e3ebd9bc7f94ae6ae3626296a8647cb887f399327e92a252bebbf865cfc9f230fc8b" +
-	"c1c2a696d75f89e15c3480f58f47072fb491bfb1a27e5f4b5ad05b9f248605515a690365" +
-	"434971c5e06f94346bf61bd8a9b04c7e53eb8f48dfca33b548fa364a1a53a6330cd089cd" +
-	"4915cd89313c90c072d7654b52358a461144b93d8e2865a63e799e5c084429adb035112e" +
-	"214eb8d2e7103e5d8483b3c3c2e4d2c6fd094b7409ddf1b3d3193e800da20b19f038e7c5" +
-	"c2afe223db61e29d5c6e2089492e236ab262c145b49faf8ba7f1223bf87de290d07a19fb" +
-	"4a4ce3d27d5f4a8303ed27d6239e6b8db459a2d9ef6c8229dd75193c3f4c108defbb7527" +
-	"d2ae83a7a8ce5ba7"
-
-const ocspResponseWithoutCertHex = "308201d40a0100a08201cd308201c906092b0601050507300101048201ba3082" +
-	"01b630819fa2160414884451ff502a695e2d88f421bad90cf2cecbea7c180f3230313330" +
-	"3631383037323434335a30743072304a300906052b0e03021a0500041448b60d38238df8" +
-	"456e4ee5843ea394111802979f0414884451ff502a695e2d88f421bad90cf2cecbea7c02" +
-	"1100f78b13b946fc9635d8ab49de9d2148218000180f3230313330363138303732343433" +
-	"5aa011180f32303133303632323037323434335a300d06092a864886f70d010105050003" +
-	"82010100103e18b3d297a5e7a6c07a4fc52ac46a15c0eba96f3be17f0ffe84de5b8c8e05" +
-	"5a8f577586a849dc4abd6440eb6fedde4622451e2823c1cbf3558b4e8184959c9fe96eff" +
-	"8bc5f95866c58c6d087519faabfdae37e11d9874f1bc0db292208f645dd848185e4dd38b" +
-	"6a8547dfa7b74d514a8470015719064d35476b95bebb03d4d2845c5ca15202d2784878f2" +
-	"0f904c24f09736f044609e9c271381713400e563023d212db422236440c6f377bbf24b2b" +
-	"9e7dec8698e36a8df68b7592ad3489fb2937afb90eb85d2aa96b81c94c25057dbd4759d9" +
-	"20a1a65c7f0b6427a224b3c98edd96b9b61f706099951188b0289555ad30a216fb774651" +
-	"5a35fca2e054dfa8"
-
-// PKIX nonce extension
-var ocspExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 2}
-var ocspExtensionValueHex = "0403000000"
-
-const ocspResponseWithCriticalExtensionHex = "308204fe0a0100a08204f7308204f306092b0601050507300101048204e4308204e03081" +
-	"dba003020100a11b3019311730150603550403130e4f43535020526573706f6e64657218" +
-	"0f32303136303130343137303130305a3081a53081a23049300906052b0e03021a050004" +
-	"14c0fe0278fc99188891b3f212e9c7e1b21ab7bfc004140dfc1df0a9e0f01ce7f2b21317" +
-	"7e6f8d157cd4f60210017f77deb3bcbb235d44ccc7dba62e72a116180f32303130303730" +
-	"373135303130355aa0030a0101180f32303130303730373135303130355aa011180f3230" +
-	"3130303730373138333531375aa1193017301506092b06010505073001020101ff040504" +
-	"03000000300d06092a864886f70d01010b0500038201010031c730ca60a7a0d92d8e4010" +
-	"911b469de95b4d27e89de6537552436237967694f76f701cf6b45c932bd308bca4a8d092" +
-	"5c604ba94796903091d9e6c000178e72c1f0a24a277dd262835af5d17d3f9d7869606c9f" +
-	"e7c8e708a41645699895beee38bfa63bb46296683761c5d1d65439b8ab868dc3017c9eeb" +
-	"b70b82dbf3a31c55b457d48bb9e82b335ed49f445042eaf606b06a3e0639824924c89c63" +
-	"eccddfe85e6694314138b2536f5e15e07085d0f6e26d4b2f8244bab0d70de07283ac6384" +
-	"a0501fc3dea7cf0adfd4c7f34871080900e252ddc403e3f0265f2a704af905d3727504ed" +
-	"28f3214a219d898a022463c78439799ca81c8cbafdbcec34ea937cd6a08202ea308202e6" +
-	"308202e2308201caa003020102020101300d06092a864886f70d01010b05003019311730" +
-	"150603550403130e4f43535020526573706f6e646572301e170d31353031333031353530" +
-	"33335a170d3136303133303135353033335a3019311730150603550403130e4f43535020" +
-	"526573706f6e64657230820122300d06092a864886f70d01010105000382010f00308201" +
-	"0a0282010100e8155f2d3e6f2e8d14c62a788bd462f9f844e7a6977c83ef1099f0f6616e" +
-	"c5265b56f356e62c5400f0b06a2e7945a82752c636df32a895152d6074df1701dc6ccfbc" +
-	"bec75a70bd2b55ae2be7e6cad3b5fd4cd5b7790ab401a436d3f5f346074ffde8a99d5b72" +
-	"3350f0a112076614b12ef79c78991b119453445acf2416ab0046b540db14c9fc0f27b898" +
-	"9ad0f63aa4b8aefc91aa8a72160c36307c60fec78a93d3fddf4259902aa77e7332971c7d" +
-	"285b6a04f648993c6922a3e9da9adf5f81508c3228791843e5d49f24db2f1290bafd97e6" +
-	"55b1049a199f652cd603c4fafa330c390b0da78fbbc67e8fa021cbd74eb96222b12ace31" +
-	"a77dcf920334dc94581b0203010001a3353033300e0603551d0f0101ff04040302078030" +
-	"130603551d25040c300a06082b06010505070309300c0603551d130101ff04023000300d" +
-	"06092a864886f70d01010b05000382010100718012761b5063e18f0dc44644d8e6ab8612" +
-	"31c15fd5357805425d82aec1de85bf6d3e30fce205e3e3b8b795bbe52e40a439286d2288" +
-	"9064f4aeeb150359b9425f1da51b3a5c939018555d13ac42c565a0603786a919328f3267" +
-	"09dce52c22ad958ecb7873b9771d1148b1c4be2efe80ba868919fc9f68b6090c2f33c156" +
-	"d67156e42766a50b5d51e79637b7e58af74c2a951b1e642fa7741fec982cc937de37eff5" +
-	"9e2005d5939bfc031589ca143e6e8ab83f40ee08cc20a6b4a95a318352c28d18528dcaf9" +
-	"66705de17afa19d6e8ae91ddf33179d16ebb6ac2c69cae8373d408ebf8c55308be6c04d9" +
-	"3a25439a94299a65a709756c7a3e568be049d5c38839"
-
-const ocspResponseWithExtensionHex = "308204fb0a0100a08204f4308204f006092b0601050507300101048204e1308204dd3081" +
-	"d8a003020100a11b3019311730150603550403130e4f43535020526573706f6e64657218" +
-	"0f32303136303130343136353930305a3081a230819f3049300906052b0e03021a050004" +
-	"14c0fe0278fc99188891b3f212e9c7e1b21ab7bfc004140dfc1df0a9e0f01ce7f2b21317" +
-	"7e6f8d157cd4f60210017f77deb3bcbb235d44ccc7dba62e72a116180f32303130303730" +
-	"373135303130355aa0030a0101180f32303130303730373135303130355aa011180f3230" +
-	"3130303730373138333531375aa1163014301206092b0601050507300102040504030000" +
-	"00300d06092a864886f70d01010b05000382010100c09a33e0b2324c852421bb83f85ac9" +
-	"9113f5426012bd2d2279a8166e9241d18a33c870894250622ffc7ed0c4601b16d624f90b" +
-	"779265442cdb6868cf40ab304ab4b66e7315ed02cf663b1601d1d4751772b31bc299db23" +
-	"9aebac78ed6797c06ed815a7a8d18d63cfbb609cafb47ec2e89e37db255216eb09307848" +
-	"d01be0a3e943653c78212b96ff524b74c9ec456b17cdfb950cc97645c577b2e09ff41dde" +
-	"b03afb3adaa381cc0f7c1d95663ef22a0f72f2c45613ae8e2b2d1efc96e8463c7d1d8a1d" +
-	"7e3b35df8fe73a301fc3f804b942b2b3afa337ff105fc1462b7b1c1d75eb4566c8665e59" +
-	"f80393b0adbf8004ff6c3327ed34f007cb4a3348a7d55e06e3a08202ea308202e6308202" +
-	"e2308201caa003020102020101300d06092a864886f70d01010b05003019311730150603" +
-	"550403130e4f43535020526573706f6e646572301e170d3135303133303135353033335a" +
-	"170d3136303133303135353033335a3019311730150603550403130e4f43535020526573" +
-	"706f6e64657230820122300d06092a864886f70d01010105000382010f003082010a0282" +
-	"010100e8155f2d3e6f2e8d14c62a788bd462f9f844e7a6977c83ef1099f0f6616ec5265b" +
-	"56f356e62c5400f0b06a2e7945a82752c636df32a895152d6074df1701dc6ccfbcbec75a" +
-	"70bd2b55ae2be7e6cad3b5fd4cd5b7790ab401a436d3f5f346074ffde8a99d5b723350f0" +
-	"a112076614b12ef79c78991b119453445acf2416ab0046b540db14c9fc0f27b8989ad0f6" +
-	"3aa4b8aefc91aa8a72160c36307c60fec78a93d3fddf4259902aa77e7332971c7d285b6a" +
-	"04f648993c6922a3e9da9adf5f81508c3228791843e5d49f24db2f1290bafd97e655b104" +
-	"9a199f652cd603c4fafa330c390b0da78fbbc67e8fa021cbd74eb96222b12ace31a77dcf" +
-	"920334dc94581b0203010001a3353033300e0603551d0f0101ff04040302078030130603" +
-	"551d25040c300a06082b06010505070309300c0603551d130101ff04023000300d06092a" +
-	"864886f70d01010b05000382010100718012761b5063e18f0dc44644d8e6ab861231c15f" +
-	"d5357805425d82aec1de85bf6d3e30fce205e3e3b8b795bbe52e40a439286d22889064f4" +
-	"aeeb150359b9425f1da51b3a5c939018555d13ac42c565a0603786a919328f326709dce5" +
-	"2c22ad958ecb7873b9771d1148b1c4be2efe80ba868919fc9f68b6090c2f33c156d67156" +
-	"e42766a50b5d51e79637b7e58af74c2a951b1e642fa7741fec982cc937de37eff59e2005" +
-	"d5939bfc031589ca143e6e8ab83f40ee08cc20a6b4a95a318352c28d18528dcaf966705d" +
-	"e17afa19d6e8ae91ddf33179d16ebb6ac2c69cae8373d408ebf8c55308be6c04d93a2543" +
-	"9a94299a65a709756c7a3e568be049d5c38839"
-
-const ocspMultiResponseHex = "30820ee60a0100a0820edf30820edb06092b060105050730010104820ecc30820ec83082" +
-	"0839a216041445ac2ecd75f53f1cf6e4c51d3de0047ad0aa7465180f3230313530363032" +
-	"3130303033305a3082080c3065303d300906052b0e03021a05000414f7452a0080601527" +
-	"72e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f0204" +
-	"5456656a8000180f32303135303630323039303230375aa011180f323031353036303331" +
-	"30303033305a3065303d300906052b0e03021a05000414f7452a008060152772e4a135e7" +
-	"6e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f02045456656b80" +
-	"00180f32303135303630323039303230375aa011180f3230313530363033313030303330" +
-	"5a3065303d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0" +
-	"f1580414edd8f2ee977252853a330b297a18f5c993853b3f02045456656c8000180f3230" +
-	"3135303630323039303230375aa011180f32303135303630333130303033305a3065303d" +
-	"300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414ed" +
-	"d8f2ee977252853a330b297a18f5c993853b3f02045456656d8000180f32303135303630" +
-	"323039303230375aa011180f32303135303630333130303033305a3065303d300906052b" +
-	"0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee9772" +
-	"52853a330b297a18f5c993853b3f02045456656e8000180f323031353036303230393032" +
-	"30375aa011180f32303135303630333130303033305a3065303d300906052b0e03021a05" +
-	"000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b" +
-	"297a18f5c993853b3f02045456656f8000180f32303135303630323039303230375aa011" +
-	"180f32303135303630333130303033305a3065303d300906052b0e03021a05000414f745" +
-	"2a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c9" +
-	"93853b3f0204545665708000180f32303135303630323039303230375aa011180f323031" +
-	"35303630333130303033305a3065303d300906052b0e03021a05000414f7452a00806015" +
-	"2772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f02" +
-	"04545665718000180f32303135303630323039303230375aa011180f3230313530363033" +
-	"3130303033305a3065303d300906052b0e03021a05000414f7452a008060152772e4a135" +
-	"e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f020454566572" +
-	"8000180f32303135303630323039303230375aa011180f32303135303630333130303033" +
-	"305a3065303d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fd" +
-	"e0f1580414edd8f2ee977252853a330b297a18f5c993853b3f0204545665738000180f32" +
-	"303135303630323039303230375aa011180f32303135303630333130303033305a306530" +
-	"3d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414" +
-	"edd8f2ee977252853a330b297a18f5c993853b3f0204545665748000180f323031353036" +
-	"30323039303230375aa011180f32303135303630333130303033305a3065303d30090605" +
-	"2b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee97" +
-	"7252853a330b297a18f5c993853b3f0204545665758000180f3230313530363032303930" +
-	"3230375aa011180f32303135303630333130303033305a3065303d300906052b0e03021a" +
-	"05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a33" +
-	"0b297a18f5c993853b3f0204545665768000180f32303135303630323039303230375aa0" +
-	"11180f32303135303630333130303033305a3065303d300906052b0e03021a05000414f7" +
-	"452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5" +
-	"c993853b3f0204545665778000180f32303135303630323039303230375aa011180f3230" +
-	"3135303630333130303033305a3065303d300906052b0e03021a05000414f7452a008060" +
-	"152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f" +
-	"0204545665788000180f32303135303630323039303230375aa011180f32303135303630" +
-	"333130303033305a3065303d300906052b0e03021a05000414f7452a008060152772e4a1" +
-	"35e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f0204545665" +
-	"798000180f32303135303630323039303230375aa011180f323031353036303331303030" +
-	"33305a3065303d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52" +
-	"fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f02045456657a8000180f" +
-	"32303135303630323039303230375aa011180f32303135303630333130303033305a3065" +
-	"303d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f15804" +
-	"14edd8f2ee977252853a330b297a18f5c993853b3f02045456657b8000180f3230313530" +
-	"3630323039303230375aa011180f32303135303630333130303033305a3065303d300906" +
-	"052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee" +
-	"977252853a330b297a18f5c993853b3f02045456657c8000180f32303135303630323039" +
-	"303230375aa011180f32303135303630333130303033305a3065303d300906052b0e0302" +
-	"1a05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a" +
-	"330b297a18f5c993853b3f02045456657d8000180f32303135303630323039303230375a" +
-	"a011180f32303135303630333130303033305a300d06092a864886f70d01010505000382" +
-	"01010016b73b92859979f27d15eb018cf069eed39c3d280213565f3026de11ba15bdb94d" +
-	"764cf2d0fdd204ef926c588d7b183483c8a2b1995079c7ed04dcefcc650c1965be4b6832" +
-	"a8839e832f7f60f638425eccdf9bc3a81fbe700fda426ddf4f06c29bee431bbbe81effda" +
-	"a60b7da5b378f199af2f3c8380be7ba6c21c8e27124f8a4d8989926aea19055700848d33" +
-	"799e833512945fd75364edbd2dd18b783c1e96e332266b17979a0b88c35b43f47c87c493" +
-	"19155056ad8dbbae5ff2afad3c0e1c69ed111206ffda49875e8e4efc0926264823bc4423" +
-	"c8a002f34288c4bc22516f98f54fc609943721f590ddd8d24f989457526b599b0eb75cb5" +
-	"a80da1ad93a621a08205733082056f3082056b30820453a0030201020204545638c4300d" +
-	"06092a864886f70d01010b0500308182310b300906035504061302555331183016060355" +
-	"040a130f552e532e20476f7665726e6d656e7431233021060355040b131a446570617274" +
-	"6d656e74206f662074686520547265617375727931223020060355040b13194365727469" +
-	"6669636174696f6e20417574686f7269746965733110300e060355040b13074f43494f20" +
-	"4341301e170d3135303332303131353531335a170d3135303633303034303030305a3081" +
-	"98310b300906035504061302555331183016060355040a130f552e532e20476f7665726e" +
-	"6d656e7431233021060355040b131a4465706172746d656e74206f662074686520547265" +
-	"617375727931223020060355040b131943657274696669636174696f6e20417574686f72" +
-	"69746965733110300e060355040b13074f43494f204341311430120603550403130b4f43" +
-	"5350205369676e657230820122300d06092a864886f70d01010105000382010f00308201" +
-	"0a0282010100c1b6fe1ba1ad50bb98c855811acbd67fe68057f48b8e08d3800e7f2c51b7" +
-	"9e20551934971fd92b9c9e6c49453097927cba83a94c0b2fea7124ba5ac442b38e37dba6" +
-	"7303d4962dd7d92b22a04b0e0e182e9ea67620b1c6ce09ee607c19e0e6e3adae81151db1" +
-	"2bb7f706149349a292e21c1eb28565b6839df055e1a838a772ff34b5a1452618e2c26042" +
-	"705d53f0af4b57aae6163f58216af12f3887813fe44b0321827b3a0c52b0e47d0aab94a2" +
-	"f768ab0ba3901d22f8bb263823090b0e37a7f8856db4b0d165c42f3aa7e94f5f6ce1855e" +
-	"98dc57adea0ae98ad39f67ecdec00b88685566e9e8d69f6cefb6ddced53015d0d3b862bc" +
-	"be21f3d72251eefcec730203010001a38201cf308201cb300e0603551d0f0101ff040403" +
-	"020780306b0603551d2004643062300c060a60864801650302010502300c060a60864801" +
-	"650302010503300c060a60864801650302010504300c060a60864801650302010507300c" +
-	"060a60864801650302010508300c060a6086480165030201030d300c060a608648016503" +
-	"020103113081e506082b060105050701010481d83081d5303006082b0601050507300286" +
-	"24687474703a2f2f706b692e74726561732e676f762f746f63615f65655f6169612e7037" +
-	"633081a006082b060105050730028681936c6461703a2f2f6c6461702e74726561732e67" +
-	"6f762f6f753d4f43494f25323043412c6f753d43657274696669636174696f6e25323041" +
-	"7574686f7269746965732c6f753d4465706172746d656e742532306f6625323074686525" +
-	"323054726561737572792c6f3d552e532e253230476f7665726e6d656e742c633d55533f" +
-	"634143657274696669636174653b62696e61727930130603551d25040c300a06082b0601" +
-	"0505070309300f06092b060105050730010504020500301f0603551d23041830168014a2" +
-	"13a8e5c607546c243d4eb72b27a2a7711ab5af301d0603551d0e0416041451f98046818a" +
-	"e46d953ac90c210ccfaa1a06980c300d06092a864886f70d01010b050003820101003a37" +
-	"0b301d14ffdeb370883639bec5ae6f572dcbddadd672af16ee2a8303316b14e1fbdca8c2" +
-	"8f4bad9c7b1410250e149c14e9830ca6f17370a8d13151205d956e28c141cc0500379596" +
-	"c5b9239fcfa3d2de8f1d4f1a2b1bf2d1851bed1c86012ee8135bdc395cd4496ce69fadd0" +
-	"3b682b90350ca7b4f458190b7a0ab5c33a04cf1347a77d541877a380a4c94988c5658908" +
-	"44fdc22637a72b9fa410333e2caf969477f9fe07f50e3681c204fb3bf073b9da01cd8d91" +
-	"8044c40b1159955af12a3263ab1d34119d7f59bfa6cae88ed058addc4e08250263f8f836" +
-	"2f5bdffd45636fea7474c60a55c535954477b2f286e1b2535f0dd12c162f1b353c370e08" +
-	"be67"
-
-const ocspMultiResponseCertHex = "308207943082067ca003020102020454566573300d06092a864886f70d01010b05003081" +
-	"82310b300906035504061302555331183016060355040a130f552e532e20476f7665726e" +
-	"6d656e7431233021060355040b131a4465706172746d656e74206f662074686520547265" +
-	"617375727931223020060355040b131943657274696669636174696f6e20417574686f72" +
-	"69746965733110300e060355040b13074f43494f204341301e170d313530343130313535" +
-	"3733385a170d3138303431303136323733385a30819d310b300906035504061302555331" +
-	"183016060355040a130f552e532e20476f7665726e6d656e7431233021060355040b131a" +
-	"4465706172746d656e74206f662074686520547265617375727931253023060355040b13" +
-	"1c427572656175206f66207468652046697363616c20536572766963653110300e060355" +
-	"040b130744657669636573311630140603550403130d706b692e74726561732e676f7630" +
-	"820122300d06092a864886f70d01010105000382010f003082010a0282010100c7273623" +
-	"8c49c48bf501515a2490ef6e5ae0c06e0ad2aa9a6bb77f3d0370d846b2571581ebf38fd3" +
-	"1948daad3dec7a4da095f1dcbe9654e65bcf7acdfd4ee802421dad9b90536c721d2bca58" +
-	"8413e6bfd739a72470560bb7d64f9a09284f90ff8af1d5a3c5c84d0f95a00f9c6d988dd0" +
-	"d87f1d0d3344580901c955139f54d09de0acdbd3322b758cb0c58881bf04913243401f44" +
-	"013fd9f6d8348044cc8bb0a71978ad93366b2a4687a5274b2ee07d0fb40225453eb244ed" +
-	"b20152251ac77c59455260ff07eeceb3cb3c60fb8121cf92afd3daa2a4650e1942ccb555" +
-	"de10b3d481feb299838ef05d0fd1810b146753472ae80da65dd34da25ca1f89971f10039" +
-	"0203010001a38203f3308203ef300e0603551d0f0101ff0404030205a030170603551d20" +
-	"0410300e300c060a60864801650302010503301106096086480186f84201010404030206" +
-	"4030130603551d25040c300a06082b060105050703013082010806082b06010505070101" +
-	"0481fb3081f8303006082b060105050730028624687474703a2f2f706b692e7472656173" +
-	"2e676f762f746f63615f65655f6169612e7037633081a006082b06010505073002868193" +
-	"6c6461703a2f2f6c6461702e74726561732e676f762f6f753d4f43494f25323043412c6f" +
-	"753d43657274696669636174696f6e253230417574686f7269746965732c6f753d446570" +
-	"6172746d656e742532306f6625323074686525323054726561737572792c6f3d552e532e" +
-	"253230476f7665726e6d656e742c633d55533f634143657274696669636174653b62696e" +
-	"617279302106082b060105050730018615687474703a2f2f6f6373702e74726561732e67" +
-	"6f76307b0603551d1104743072811c6373612d7465616d4066697363616c2e7472656173" +
-	"7572792e676f768210706b692e74726561737572792e676f768210706b692e64696d632e" +
-	"6468732e676f76820d706b692e74726561732e676f76811f6563622d686f7374696e6740" +
-	"66697363616c2e74726561737572792e676f76308201890603551d1f048201803082017c" +
-	"3027a025a0238621687474703a2f2f706b692e74726561732e676f762f4f43494f5f4341" +
-	"332e63726c3082014fa082014ba0820147a48197308194310b3009060355040613025553" +
-	"31183016060355040a130f552e532e20476f7665726e6d656e7431233021060355040b13" +
-	"1a4465706172746d656e74206f662074686520547265617375727931223020060355040b" +
-	"131943657274696669636174696f6e20417574686f7269746965733110300e060355040b" +
-	"13074f43494f2043413110300e0603550403130743524c313430398681aa6c6461703a2f" +
-	"2f6c6461702e74726561732e676f762f636e3d43524c313430392c6f753d4f43494f2532" +
-	"3043412c6f753d43657274696669636174696f6e253230417574686f7269746965732c6f" +
-	"753d4465706172746d656e742532306f6625323074686525323054726561737572792c6f" +
-	"3d552e532e253230476f7665726e6d656e742c633d55533f636572746966696361746552" +
-	"65766f636174696f6e4c6973743b62696e617279302b0603551d1004243022800f323031" +
-	"35303431303135353733385a810f32303138303431303136323733385a301f0603551d23" +
-	"041830168014a213a8e5c607546c243d4eb72b27a2a7711ab5af301d0603551d0e041604" +
-	"14b0869c12c293914cd460e33ed43e6c5a26e0d68f301906092a864886f67d074100040c" +
-	"300a1b0456382e31030203a8300d06092a864886f70d01010b050003820101004968d182" +
-	"8f9efdc147e747bb5dda15536a42a079b32d3d7f87e619b483aeee70b7e26bda393c6028" +
-	"7c733ecb468fe8b8b11bf809ff76add6b90eb25ad8d3a1052e43ee281e48a3a1ebe7efb5" +
-	"9e2c4a48765dedeb23f5346242145786cc988c762d230d28dd33bf4c2405d80cbb2cb1d6" +
-	"4c8f10ba130d50cb174f6ffb9cfc12808297a2cefba385f4fad170f39b51ebd87c12abf9" +
-	"3c51fc000af90d8aaba78f48923908804a5eb35f617ccf71d201e3708a559e6d16f9f13e" +
-	"074361eb9007e28d86bb4e0bfa13aad0e9ddd9124e84519de60e2fc6040b18d9fd602b02" +
-	"684b4c071c3019fc842197d00c120c41654bcbfbc4a096a1c637b79112b81ce1fa3899f9"
-
-const ocspRequestHex = "3051304f304d304b3049300906052b0e03021a05000414c0fe0278fc99188891b3f212e9" +
-	"c7e1b21ab7bfc004140dfc1df0a9e0f01ce7f2b213177e6f8d157cd4f60210017f77deb3" +
-	"bcbb235d44ccc7dba62e72"
-
-const leafCertHex = "308203c830820331a0030201020210017f77deb3bcbb235d44ccc7dba62e72300d06092a" +
-	"864886f70d01010505003081ba311f301d060355040a1316566572695369676e20547275" +
-	"7374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e31" +
-	"333031060355040b132a566572695369676e20496e7465726e6174696f6e616c20536572" +
-	"766572204341202d20436c617373203331493047060355040b13407777772e7665726973" +
-	"69676e2e636f6d2f43505320496e636f72702e6279205265662e204c494142494c495459" +
-	"204c54442e286329393720566572695369676e301e170d3132303632313030303030305a" +
-	"170d3133313233313233353935395a3068310b3009060355040613025553311330110603" +
-	"550408130a43616c69666f726e6961311230100603550407130950616c6f20416c746f31" +
-	"173015060355040a130e46616365626f6f6b2c20496e632e311730150603550403140e2a" +
-	"2e66616365626f6f6b2e636f6d30819f300d06092a864886f70d010101050003818d0030" +
-	"818902818100ae94b171e2deccc1693e051063240102e0689ae83c39b6b3e74b97d48d7b" +
-	"23689100b0b496ee62f0e6d356bcf4aa0f50643402f5d1766aa972835a7564723f39bbef" +
-	"5290ded9bcdbf9d3d55dfad23aa03dc604c54d29cf1d4b3bdbd1a809cfae47b44c7eae17" +
-	"c5109bee24a9cf4a8d911bb0fd0415ae4c3f430aa12a557e2ae10203010001a382011e30" +
-	"82011a30090603551d130402300030440603551d20043d303b3039060b6086480186f845" +
-	"01071703302a302806082b06010505070201161c68747470733a2f2f7777772e76657269" +
-	"7369676e2e636f6d2f727061303c0603551d1f043530333031a02fa02d862b687474703a" +
-	"2f2f535652496e746c2d63726c2e766572697369676e2e636f6d2f535652496e746c2e63" +
-	"726c301d0603551d250416301406082b0601050507030106082b06010505070302300b06" +
-	"03551d0f0404030205a0303406082b0601050507010104283026302406082b0601050507" +
-	"30018618687474703a2f2f6f6373702e766572697369676e2e636f6d30270603551d1104" +
-	"20301e820e2a2e66616365626f6f6b2e636f6d820c66616365626f6f6b2e636f6d300d06" +
-	"092a864886f70d0101050500038181005b6c2b75f8ed30aa51aad36aba595e555141951f" +
-	"81a53b447910ac1f76ff78fc2781616b58f3122afc1c87010425e9ed43df1a7ba6498060" +
-	"67e2688af03db58c7df4ee03309a6afc247ccb134dc33e54c6bc1d5133a532a73273b1d7" +
-	"9cadc08e7e1a83116d34523340b0305427a21742827c98916698ee7eaf8c3bdd71700817"
-
-const issuerCertHex = "30820383308202eca003020102021046fcebbab4d02f0f926098233f93078f300d06092a" +
-	"864886f70d0101050500305f310b300906035504061302555331173015060355040a130e" +
-	"566572695369676e2c20496e632e31373035060355040b132e436c617373203320507562" +
-	"6c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930" +
-	"1e170d3937303431373030303030305a170d3136313032343233353935395a3081ba311f" +
-	"301d060355040a1316566572695369676e205472757374204e6574776f726b3117301506" +
-	"0355040b130e566572695369676e2c20496e632e31333031060355040b132a5665726953" +
-	"69676e20496e7465726e6174696f6e616c20536572766572204341202d20436c61737320" +
-	"3331493047060355040b13407777772e766572697369676e2e636f6d2f43505320496e63" +
-	"6f72702e6279205265662e204c494142494c495459204c54442e28632939372056657269" +
-	"5369676e30819f300d06092a864886f70d010101050003818d0030818902818100d88280" +
-	"e8d619027d1f85183925a2652be1bfd405d3bce6363baaf04c6c5bb6e7aa3c734555b2f1" +
-	"bdea9742ed9a340a15d4a95cf54025ddd907c132b2756cc4cabba3fe56277143aa63f530" +
-	"3e9328e5faf1093bf3b74d4e39f75c495ab8c11dd3b28afe70309542cbfe2b518b5a3c3a" +
-	"f9224f90b202a7539c4f34e7ab04b27b6f0203010001a381e33081e0300f0603551d1304" +
-	"0830060101ff02010030440603551d20043d303b3039060b6086480186f8450107010130" +
-	"2a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e" +
-	"636f6d2f43505330340603551d25042d302b06082b0601050507030106082b0601050507" +
-	"030206096086480186f8420401060a6086480186f845010801300b0603551d0f04040302" +
-	"0106301106096086480186f842010104040302010630310603551d1f042a30283026a024" +
-	"a0228620687474703a2f2f63726c2e766572697369676e2e636f6d2f706361332e63726c" +
-	"300d06092a864886f70d010105050003818100408e4997968a73dd8e4def3e61b7caa062" +
-	"adf40e0abb753de26ed82cc7bff4b98c369bcaa2d09c724639f6a682036511c4bcbf2da6" +
-	"f5d93b0ab598fab378b91ef22b4c62d5fdb27a1ddf33fd73f9a5d82d8c2aead1fcb028b6" +
-	"e94948134b838a1b487b24f738de6f4154b8ab576b06dfc7a2d4a9f6f136628088f28b75" +
-	"d68071"
-
-// Key and certificate for the OCSP responder were not taken from the Thawte
-// responder, since CreateResponse requires that we have the private key.
-// Instead, they were generated randomly.
-const responderPrivateKeyHex = "308204a40201000282010100e8155f2d3e6f2e8d14c62a788bd462f9f844e7a6977c83ef" +
-	"1099f0f6616ec5265b56f356e62c5400f0b06a2e7945a82752c636df32a895152d6074df" +
-	"1701dc6ccfbcbec75a70bd2b55ae2be7e6cad3b5fd4cd5b7790ab401a436d3f5f346074f" +
-	"fde8a99d5b723350f0a112076614b12ef79c78991b119453445acf2416ab0046b540db14" +
-	"c9fc0f27b8989ad0f63aa4b8aefc91aa8a72160c36307c60fec78a93d3fddf4259902aa7" +
-	"7e7332971c7d285b6a04f648993c6922a3e9da9adf5f81508c3228791843e5d49f24db2f" +
-	"1290bafd97e655b1049a199f652cd603c4fafa330c390b0da78fbbc67e8fa021cbd74eb9" +
-	"6222b12ace31a77dcf920334dc94581b02030100010282010100bcf0b93d7238bda329a8" +
-	"72e7149f61bcb37c154330ccb3f42a85c9002c2e2bdea039d77d8581cd19bed94078794e" +
-	"56293d601547fc4bf6a2f9002fe5772b92b21b254403b403585e3130cc99ccf08f0ef81a" +
-	"575b38f597ba4660448b54f44bfbb97072b5a2bf043bfeca828cf7741d13698e3f38162b" +
-	"679faa646b82abd9a72c5c7d722c5fc577a76d2c2daac588accad18516d1bbad10b0dfa2" +
-	"05cfe246b59e28608a43942e1b71b0c80498075121de5b900d727c31c42c78cf1db5c0aa" +
-	"5b491e10ea4ed5c0962aaf2ae025dd81fa4ce490d9d6b4a4465411d8e542fc88617e5695" +
-	"1aa4fc8ea166f2b4d0eb89ef17f2b206bd5f1014bf8fe0e71fe62f2cccf102818100f2dc" +
-	"ddf878d553286daad68bac4070a82ffec3dc4666a2750f47879eec913f91836f1d976b60" +
-	"daf9356e078446dafab5bd2e489e5d64f8572ba24a4ba4f3729b5e106c4dd831cc2497a7" +
-	"e6c7507df05cb64aeb1bbc81c1e340d58b5964cf39cff84ea30c29ec5d3f005ee1362698" +
-	"07395037955955655292c3e85f6187fa1f9502818100f4a33c102630840705f8c778a47b" +
-	"87e8da31e68809af981ac5e5999cf1551685d761cdf0d6520361b99aebd5777a940fa64d" +
-	"327c09fa63746fbb3247ec73a86edf115f1fe5c83598db803881ade71c33c6e956118345" +
-	"497b98b5e07bb5be75971465ec78f2f9467e1b74956ca9d4c7c3e314e742a72d8b33889c" +
-	"6c093a466cef0281801d3df0d02124766dd0be98349b19eb36a508c4e679e793ba0a8bef" +
-	"4d786888c1e9947078b1ea28938716677b4ad8c5052af12eb73ac194915264a913709a0b" +
-	"7b9f98d4a18edd781a13d49899f91c20dbd8eb2e61d991ba19b5cdc08893f5cb9d39e5a6" +
-	"0629ea16d426244673b1b3ee72bd30e41fac8395acac40077403de5efd028180050731dd" +
-	"d71b1a2b96c8d538ba90bb6b62c8b1c74c03aae9a9f59d21a7a82b0d572ef06fa9c807bf" +
-	"c373d6b30d809c7871df96510c577421d9860c7383fda0919ece19996b3ca13562159193" +
-	"c0c246471e287f975e8e57034e5136aaf44254e2650def3d51292474c515b1588969112e" +
-	"0a85cc77073e9d64d2c2fc497844284b02818100d71d63eabf416cf677401ebf965f8314" +
-	"120b568a57dd3bd9116c629c40dc0c6948bab3a13cc544c31c7da40e76132ef5dd3f7534" +
-	"45a635930c74326ae3df0edd1bfb1523e3aa259873ac7cf1ac31151ec8f37b528c275622" +
-	"48f99b8bed59fd4da2576aa6ee20d93a684900bf907e80c66d6e2261ae15e55284b4ed9d" +
-	"6bdaa059"
-
-const responderCertHex = "308202e2308201caa003020102020101300d06092a864886f70d01010b05003019311730" +
-	"150603550403130e4f43535020526573706f6e646572301e170d31353031333031353530" +
-	"33335a170d3136303133303135353033335a3019311730150603550403130e4f43535020" +
-	"526573706f6e64657230820122300d06092a864886f70d01010105000382010f00308201" +
-	"0a0282010100e8155f2d3e6f2e8d14c62a788bd462f9f844e7a6977c83ef1099f0f6616e" +
-	"c5265b56f356e62c5400f0b06a2e7945a82752c636df32a895152d6074df1701dc6ccfbc" +
-	"bec75a70bd2b55ae2be7e6cad3b5fd4cd5b7790ab401a436d3f5f346074ffde8a99d5b72" +
-	"3350f0a112076614b12ef79c78991b119453445acf2416ab0046b540db14c9fc0f27b898" +
-	"9ad0f63aa4b8aefc91aa8a72160c36307c60fec78a93d3fddf4259902aa77e7332971c7d" +
-	"285b6a04f648993c6922a3e9da9adf5f81508c3228791843e5d49f24db2f1290bafd97e6" +
-	"55b1049a199f652cd603c4fafa330c390b0da78fbbc67e8fa021cbd74eb96222b12ace31" +
-	"a77dcf920334dc94581b0203010001a3353033300e0603551d0f0101ff04040302078030" +
-	"130603551d25040c300a06082b06010505070309300c0603551d130101ff04023000300d" +
-	"06092a864886f70d01010b05000382010100718012761b5063e18f0dc44644d8e6ab8612" +
-	"31c15fd5357805425d82aec1de85bf6d3e30fce205e3e3b8b795bbe52e40a439286d2288" +
-	"9064f4aeeb150359b9425f1da51b3a5c939018555d13ac42c565a0603786a919328f3267" +
-	"09dce52c22ad958ecb7873b9771d1148b1c4be2efe80ba868919fc9f68b6090c2f33c156" +
-	"d67156e42766a50b5d51e79637b7e58af74c2a951b1e642fa7741fec982cc937de37eff5" +
-	"9e2005d5939bfc031589ca143e6e8ab83f40ee08cc20a6b4a95a318352c28d18528dcaf9" +
-	"66705de17afa19d6e8ae91ddf33179d16ebb6ac2c69cae8373d408ebf8c55308be6c04d9" +
-	"3a25439a94299a65a709756c7a3e568be049d5c38839"
-
-const errorResponseHex = "30030a0101"
diff --git a/vendor/golang.org/x/crypto/openpgp/armor/armor.go b/vendor/golang.org/x/crypto/openpgp/armor/armor.go
deleted file mode 100644
index 592d1864..00000000
--- a/vendor/golang.org/x/crypto/openpgp/armor/armor.go
+++ /dev/null
@@ -1,219 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package armor implements OpenPGP ASCII Armor, see RFC 4880. OpenPGP Armor is
-// very similar to PEM except that it has an additional CRC checksum.
-package armor // import "golang.org/x/crypto/openpgp/armor"
-
-import (
-	"bufio"
-	"bytes"
-	"encoding/base64"
-	"golang.org/x/crypto/openpgp/errors"
-	"io"
-)
-
-// A Block represents an OpenPGP armored structure.
-//
-// The encoded form is:
-//    -----BEGIN Type-----
-//    Headers
-//
-//    base64-encoded Bytes
-//    '=' base64 encoded checksum
-//    -----END Type-----
-// where Headers is a possibly empty sequence of Key: Value lines.
-//
-// Since the armored data can be very large, this package presents a streaming
-// interface.
-type Block struct {
-	Type    string            // The type, taken from the preamble (i.e. "PGP SIGNATURE").
-	Header  map[string]string // Optional headers.
-	Body    io.Reader         // A Reader from which the contents can be read
-	lReader lineReader
-	oReader openpgpReader
-}
-
-var ArmorCorrupt error = errors.StructuralError("armor invalid")
-
-const crc24Init = 0xb704ce
-const crc24Poly = 0x1864cfb
-const crc24Mask = 0xffffff
-
-// crc24 calculates the OpenPGP checksum as specified in RFC 4880, section 6.1
-func crc24(crc uint32, d []byte) uint32 {
-	for _, b := range d {
-		crc ^= uint32(b) << 16
-		for i := 0; i < 8; i++ {
-			crc <<= 1
-			if crc&0x1000000 != 0 {
-				crc ^= crc24Poly
-			}
-		}
-	}
-	return crc
-}
-
-var armorStart = []byte("-----BEGIN ")
-var armorEnd = []byte("-----END ")
-var armorEndOfLine = []byte("-----")
-
-// lineReader wraps a line based reader. It watches for the end of an armor
-// block and records the expected CRC value.
-type lineReader struct {
-	in  *bufio.Reader
-	buf []byte
-	eof bool
-	crc uint32
-}
-
-func (l *lineReader) Read(p []byte) (n int, err error) {
-	if l.eof {
-		return 0, io.EOF
-	}
-
-	if len(l.buf) > 0 {
-		n = copy(p, l.buf)
-		l.buf = l.buf[n:]
-		return
-	}
-
-	line, isPrefix, err := l.in.ReadLine()
-	if err != nil {
-		return
-	}
-	if isPrefix {
-		return 0, ArmorCorrupt
-	}
-
-	if len(line) == 5 && line[0] == '=' {
-		// This is the checksum line
-		var expectedBytes [3]byte
-		var m int
-		m, err = base64.StdEncoding.Decode(expectedBytes[0:], line[1:])
-		if m != 3 || err != nil {
-			return
-		}
-		l.crc = uint32(expectedBytes[0])<<16 |
-			uint32(expectedBytes[1])<<8 |
-			uint32(expectedBytes[2])
-
-		line, _, err = l.in.ReadLine()
-		if err != nil && err != io.EOF {
-			return
-		}
-		if !bytes.HasPrefix(line, armorEnd) {
-			return 0, ArmorCorrupt
-		}
-
-		l.eof = true
-		return 0, io.EOF
-	}
-
-	if len(line) > 96 {
-		return 0, ArmorCorrupt
-	}
-
-	n = copy(p, line)
-	bytesToSave := len(line) - n
-	if bytesToSave > 0 {
-		if cap(l.buf) < bytesToSave {
-			l.buf = make([]byte, 0, bytesToSave)
-		}
-		l.buf = l.buf[0:bytesToSave]
-		copy(l.buf, line[n:])
-	}
-
-	return
-}
-
-// openpgpReader passes Read calls to the underlying base64 decoder, but keeps
-// a running CRC of the resulting data and checks the CRC against the value
-// found by the lineReader at EOF.
-type openpgpReader struct {
-	lReader    *lineReader
-	b64Reader  io.Reader
-	currentCRC uint32
-}
-
-func (r *openpgpReader) Read(p []byte) (n int, err error) {
-	n, err = r.b64Reader.Read(p)
-	r.currentCRC = crc24(r.currentCRC, p[:n])
-
-	if err == io.EOF {
-		if r.lReader.crc != uint32(r.currentCRC&crc24Mask) {
-			return 0, ArmorCorrupt
-		}
-	}
-
-	return
-}
-
-// Decode reads a PGP armored block from the given Reader. It will ignore
-// leading garbage. If it doesn't find a block, it will return nil, io.EOF. The
-// given Reader is not usable after calling this function: an arbitrary amount
-// of data may have been read past the end of the block.
-func Decode(in io.Reader) (p *Block, err error) {
-	r := bufio.NewReaderSize(in, 100)
-	var line []byte
-	ignoreNext := false
-
-TryNextBlock:
-	p = nil
-
-	// Skip leading garbage
-	for {
-		ignoreThis := ignoreNext
-		line, ignoreNext, err = r.ReadLine()
-		if err != nil {
-			return
-		}
-		if ignoreNext || ignoreThis {
-			continue
-		}
-		line = bytes.TrimSpace(line)
-		if len(line) > len(armorStart)+len(armorEndOfLine) && bytes.HasPrefix(line, armorStart) {
-			break
-		}
-	}
-
-	p = new(Block)
-	p.Type = string(line[len(armorStart) : len(line)-len(armorEndOfLine)])
-	p.Header = make(map[string]string)
-	nextIsContinuation := false
-	var lastKey string
-
-	// Read headers
-	for {
-		isContinuation := nextIsContinuation
-		line, nextIsContinuation, err = r.ReadLine()
-		if err != nil {
-			p = nil
-			return
-		}
-		if isContinuation {
-			p.Header[lastKey] += string(line)
-			continue
-		}
-		line = bytes.TrimSpace(line)
-		if len(line) == 0 {
-			break
-		}
-
-		i := bytes.Index(line, []byte(": "))
-		if i == -1 {
-			goto TryNextBlock
-		}
-		lastKey = string(line[:i])
-		p.Header[lastKey] = string(line[i+2:])
-	}
-
-	p.lReader.in = r
-	p.oReader.currentCRC = crc24Init
-	p.oReader.lReader = &p.lReader
-	p.oReader.b64Reader = base64.NewDecoder(base64.StdEncoding, &p.lReader)
-	p.Body = &p.oReader
-
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/armor/armor_test.go b/vendor/golang.org/x/crypto/openpgp/armor/armor_test.go
deleted file mode 100644
index 9334e94e..00000000
--- a/vendor/golang.org/x/crypto/openpgp/armor/armor_test.go
+++ /dev/null
@@ -1,95 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package armor
-
-import (
-	"bytes"
-	"hash/adler32"
-	"io/ioutil"
-	"testing"
-)
-
-func TestDecodeEncode(t *testing.T) {
-	buf := bytes.NewBuffer([]byte(armorExample1))
-	result, err := Decode(buf)
-	if err != nil {
-		t.Error(err)
-	}
-	expectedType := "PGP SIGNATURE"
-	if result.Type != expectedType {
-		t.Errorf("result.Type: got:%s want:%s", result.Type, expectedType)
-	}
-	if len(result.Header) != 1 {
-		t.Errorf("len(result.Header): got:%d want:1", len(result.Header))
-	}
-	v, ok := result.Header["Version"]
-	if !ok || v != "GnuPG v1.4.10 (GNU/Linux)" {
-		t.Errorf("result.Header: got:%#v", result.Header)
-	}
-
-	contents, err := ioutil.ReadAll(result.Body)
-	if err != nil {
-		t.Error(err)
-	}
-
-	if adler32.Checksum(contents) != 0x27b144be {
-		t.Errorf("contents: got: %x", contents)
-	}
-
-	buf = bytes.NewBuffer(nil)
-	w, err := Encode(buf, result.Type, result.Header)
-	if err != nil {
-		t.Error(err)
-	}
-	_, err = w.Write(contents)
-	if err != nil {
-		t.Error(err)
-	}
-	w.Close()
-
-	if !bytes.Equal(buf.Bytes(), []byte(armorExample1)) {
-		t.Errorf("got: %s\nwant: %s", string(buf.Bytes()), armorExample1)
-	}
-}
-
-func TestLongHeader(t *testing.T) {
-	buf := bytes.NewBuffer([]byte(armorLongLine))
-	result, err := Decode(buf)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	value, ok := result.Header["Version"]
-	if !ok {
-		t.Errorf("missing Version header")
-	}
-	if value != longValueExpected {
-		t.Errorf("got: %s want: %s", value, longValueExpected)
-	}
-}
-
-const armorExample1 = `-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.10 (GNU/Linux)
-
-iJwEAAECAAYFAk1Fv/0ACgkQo01+GMIMMbsYTwQAiAw+QAaNfY6WBdplZ/uMAccm
-4g+81QPmTSGHnetSb6WBiY13kVzK4HQiZH8JSkmmroMLuGeJwsRTEL4wbjRyUKEt
-p1xwUZDECs234F1xiG5enc5SGlRtP7foLBz9lOsjx+LEcA4sTl5/2eZR9zyFZqWW
-TxRjs+fJCIFuo71xb1g=
-=/teI
------END PGP SIGNATURE-----`
-
-const armorLongLine = `-----BEGIN PGP SIGNATURE-----
-Version: 0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz
-
-iQEcBAABAgAGBQJMtFESAAoJEKsQXJGvOPsVj40H/1WW6jaMXv4BW+1ueDSMDwM8
-kx1fLOXbVM5/Kn5LStZNt1jWWnpxdz7eq3uiqeCQjmqUoRde3YbB2EMnnwRbAhpp
-cacnAvy9ZQ78OTxUdNW1mhX5bS6q1MTEJnl+DcyigD70HG/yNNQD7sOPMdYQw0TA
-byQBwmLwmTsuZsrYqB68QyLHI+DUugn+kX6Hd2WDB62DKa2suoIUIHQQCd/ofwB3
-WfCYInXQKKOSxu2YOg2Eb4kLNhSMc1i9uKUWAH+sdgJh7NBgdoE4MaNtBFkHXRvv
-okWuf3+xA9ksp1npSY/mDvgHijmjvtpRDe6iUeqfCn8N9u9CBg8geANgaG8+QA4=
-=wfQG
------END PGP SIGNATURE-----`
-
-const longValueExpected = "0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz"
diff --git a/vendor/golang.org/x/crypto/openpgp/armor/encode.go b/vendor/golang.org/x/crypto/openpgp/armor/encode.go
deleted file mode 100644
index 6f07582c..00000000
--- a/vendor/golang.org/x/crypto/openpgp/armor/encode.go
+++ /dev/null
@@ -1,160 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package armor
-
-import (
-	"encoding/base64"
-	"io"
-)
-
-var armorHeaderSep = []byte(": ")
-var blockEnd = []byte("\n=")
-var newline = []byte("\n")
-var armorEndOfLineOut = []byte("-----\n")
-
-// writeSlices writes its arguments to the given Writer.
-func writeSlices(out io.Writer, slices ...[]byte) (err error) {
-	for _, s := range slices {
-		_, err = out.Write(s)
-		if err != nil {
-			return err
-		}
-	}
-	return
-}
-
-// lineBreaker breaks data across several lines, all of the same byte length
-// (except possibly the last). Lines are broken with a single '\n'.
-type lineBreaker struct {
-	lineLength  int
-	line        []byte
-	used        int
-	out         io.Writer
-	haveWritten bool
-}
-
-func newLineBreaker(out io.Writer, lineLength int) *lineBreaker {
-	return &lineBreaker{
-		lineLength: lineLength,
-		line:       make([]byte, lineLength),
-		used:       0,
-		out:        out,
-	}
-}
-
-func (l *lineBreaker) Write(b []byte) (n int, err error) {
-	n = len(b)
-
-	if n == 0 {
-		return
-	}
-
-	if l.used == 0 && l.haveWritten {
-		_, err = l.out.Write([]byte{'\n'})
-		if err != nil {
-			return
-		}
-	}
-
-	if l.used+len(b) < l.lineLength {
-		l.used += copy(l.line[l.used:], b)
-		return
-	}
-
-	l.haveWritten = true
-	_, err = l.out.Write(l.line[0:l.used])
-	if err != nil {
-		return
-	}
-	excess := l.lineLength - l.used
-	l.used = 0
-
-	_, err = l.out.Write(b[0:excess])
-	if err != nil {
-		return
-	}
-
-	_, err = l.Write(b[excess:])
-	return
-}
-
-func (l *lineBreaker) Close() (err error) {
-	if l.used > 0 {
-		_, err = l.out.Write(l.line[0:l.used])
-		if err != nil {
-			return
-		}
-	}
-
-	return
-}
-
-// encoding keeps track of a running CRC24 over the data which has been written
-// to it and outputs a OpenPGP checksum when closed, followed by an armor
-// trailer.
-//
-// It's built into a stack of io.Writers:
-//    encoding -> base64 encoder -> lineBreaker -> out
-type encoding struct {
-	out       io.Writer
-	breaker   *lineBreaker
-	b64       io.WriteCloser
-	crc       uint32
-	blockType []byte
-}
-
-func (e *encoding) Write(data []byte) (n int, err error) {
-	e.crc = crc24(e.crc, data)
-	return e.b64.Write(data)
-}
-
-func (e *encoding) Close() (err error) {
-	err = e.b64.Close()
-	if err != nil {
-		return
-	}
-	e.breaker.Close()
-
-	var checksumBytes [3]byte
-	checksumBytes[0] = byte(e.crc >> 16)
-	checksumBytes[1] = byte(e.crc >> 8)
-	checksumBytes[2] = byte(e.crc)
-
-	var b64ChecksumBytes [4]byte
-	base64.StdEncoding.Encode(b64ChecksumBytes[:], checksumBytes[:])
-
-	return writeSlices(e.out, blockEnd, b64ChecksumBytes[:], newline, armorEnd, e.blockType, armorEndOfLine)
-}
-
-// Encode returns a WriteCloser which will encode the data written to it in
-// OpenPGP armor.
-func Encode(out io.Writer, blockType string, headers map[string]string) (w io.WriteCloser, err error) {
-	bType := []byte(blockType)
-	err = writeSlices(out, armorStart, bType, armorEndOfLineOut)
-	if err != nil {
-		return
-	}
-
-	for k, v := range headers {
-		err = writeSlices(out, []byte(k), armorHeaderSep, []byte(v), newline)
-		if err != nil {
-			return
-		}
-	}
-
-	_, err = out.Write(newline)
-	if err != nil {
-		return
-	}
-
-	e := &encoding{
-		out:       out,
-		breaker:   newLineBreaker(out, 64),
-		crc:       crc24Init,
-		blockType: bType,
-	}
-	e.b64 = base64.NewEncoder(base64.StdEncoding, e.breaker)
-	return e, nil
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/canonical_text.go b/vendor/golang.org/x/crypto/openpgp/canonical_text.go
deleted file mode 100644
index e601e389..00000000
--- a/vendor/golang.org/x/crypto/openpgp/canonical_text.go
+++ /dev/null
@@ -1,59 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package openpgp
-
-import "hash"
-
-// NewCanonicalTextHash reformats text written to it into the canonical
-// form and then applies the hash h.  See RFC 4880, section 5.2.1.
-func NewCanonicalTextHash(h hash.Hash) hash.Hash {
-	return &canonicalTextHash{h, 0}
-}
-
-type canonicalTextHash struct {
-	h hash.Hash
-	s int
-}
-
-var newline = []byte{'\r', '\n'}
-
-func (cth *canonicalTextHash) Write(buf []byte) (int, error) {
-	start := 0
-
-	for i, c := range buf {
-		switch cth.s {
-		case 0:
-			if c == '\r' {
-				cth.s = 1
-			} else if c == '\n' {
-				cth.h.Write(buf[start:i])
-				cth.h.Write(newline)
-				start = i + 1
-			}
-		case 1:
-			cth.s = 0
-		}
-	}
-
-	cth.h.Write(buf[start:])
-	return len(buf), nil
-}
-
-func (cth *canonicalTextHash) Sum(in []byte) []byte {
-	return cth.h.Sum(in)
-}
-
-func (cth *canonicalTextHash) Reset() {
-	cth.h.Reset()
-	cth.s = 0
-}
-
-func (cth *canonicalTextHash) Size() int {
-	return cth.h.Size()
-}
-
-func (cth *canonicalTextHash) BlockSize() int {
-	return cth.h.BlockSize()
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/canonical_text_test.go b/vendor/golang.org/x/crypto/openpgp/canonical_text_test.go
deleted file mode 100644
index 8f3ba2a8..00000000
--- a/vendor/golang.org/x/crypto/openpgp/canonical_text_test.go
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package openpgp
-
-import (
-	"bytes"
-	"testing"
-)
-
-type recordingHash struct {
-	buf *bytes.Buffer
-}
-
-func (r recordingHash) Write(b []byte) (n int, err error) {
-	return r.buf.Write(b)
-}
-
-func (r recordingHash) Sum(in []byte) []byte {
-	return append(in, r.buf.Bytes()...)
-}
-
-func (r recordingHash) Reset() {
-	panic("shouldn't be called")
-}
-
-func (r recordingHash) Size() int {
-	panic("shouldn't be called")
-}
-
-func (r recordingHash) BlockSize() int {
-	panic("shouldn't be called")
-}
-
-func testCanonicalText(t *testing.T, input, expected string) {
-	r := recordingHash{bytes.NewBuffer(nil)}
-	c := NewCanonicalTextHash(r)
-	c.Write([]byte(input))
-	result := c.Sum(nil)
-	if expected != string(result) {
-		t.Errorf("input: %x got: %x want: %x", input, result, expected)
-	}
-}
-
-func TestCanonicalText(t *testing.T) {
-	testCanonicalText(t, "foo\n", "foo\r\n")
-	testCanonicalText(t, "foo", "foo")
-	testCanonicalText(t, "foo\r\n", "foo\r\n")
-	testCanonicalText(t, "foo\r\nbar", "foo\r\nbar")
-	testCanonicalText(t, "foo\r\nbar\n\n", "foo\r\nbar\r\n\r\n")
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go b/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go
deleted file mode 100644
index def4caba..00000000
--- a/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go
+++ /dev/null
@@ -1,376 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package clearsign generates and processes OpenPGP, clear-signed data. See
-// RFC 4880, section 7.
-//
-// Clearsigned messages are cryptographically signed, but the contents of the
-// message are kept in plaintext so that it can be read without special tools.
-package clearsign // import "golang.org/x/crypto/openpgp/clearsign"
-
-import (
-	"bufio"
-	"bytes"
-	"crypto"
-	"hash"
-	"io"
-	"net/textproto"
-	"strconv"
-
-	"golang.org/x/crypto/openpgp/armor"
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/packet"
-)
-
-// A Block represents a clearsigned message. A signature on a Block can
-// be checked by passing Bytes into openpgp.CheckDetachedSignature.
-type Block struct {
-	Headers          textproto.MIMEHeader // Optional message headers
-	Plaintext        []byte               // The original message text
-	Bytes            []byte               // The signed message
-	ArmoredSignature *armor.Block         // The signature block
-}
-
-// start is the marker which denotes the beginning of a clearsigned message.
-var start = []byte("\n-----BEGIN PGP SIGNED MESSAGE-----")
-
-// dashEscape is prefixed to any lines that begin with a hyphen so that they
-// can't be confused with endText.
-var dashEscape = []byte("- ")
-
-// endText is a marker which denotes the end of the message and the start of
-// an armored signature.
-var endText = []byte("-----BEGIN PGP SIGNATURE-----")
-
-// end is a marker which denotes the end of the armored signature.
-var end = []byte("\n-----END PGP SIGNATURE-----")
-
-var crlf = []byte("\r\n")
-var lf = byte('\n')
-
-// getLine returns the first \r\n or \n delineated line from the given byte
-// array. The line does not include the \r\n or \n. The remainder of the byte
-// array (also not including the new line bytes) is also returned and this will
-// always be smaller than the original argument.
-func getLine(data []byte) (line, rest []byte) {
-	i := bytes.Index(data, []byte{'\n'})
-	var j int
-	if i < 0 {
-		i = len(data)
-		j = i
-	} else {
-		j = i + 1
-		if i > 0 && data[i-1] == '\r' {
-			i--
-		}
-	}
-	return data[0:i], data[j:]
-}
-
-// Decode finds the first clearsigned message in data and returns it, as well
-// as the suffix of data which remains after the message.
-func Decode(data []byte) (b *Block, rest []byte) {
-	// start begins with a newline. However, at the very beginning of
-	// the byte array, we'll accept the start string without it.
-	rest = data
-	if bytes.HasPrefix(data, start[1:]) {
-		rest = rest[len(start)-1:]
-	} else if i := bytes.Index(data, start); i >= 0 {
-		rest = rest[i+len(start):]
-	} else {
-		return nil, data
-	}
-
-	// Consume the start line.
-	_, rest = getLine(rest)
-
-	var line []byte
-	b = &Block{
-		Headers: make(textproto.MIMEHeader),
-	}
-
-	// Next come a series of header lines.
-	for {
-		// This loop terminates because getLine's second result is
-		// always smaller than its argument.
-		if len(rest) == 0 {
-			return nil, data
-		}
-		// An empty line marks the end of the headers.
-		if line, rest = getLine(rest); len(line) == 0 {
-			break
-		}
-
-		i := bytes.Index(line, []byte{':'})
-		if i == -1 {
-			return nil, data
-		}
-
-		key, val := line[0:i], line[i+1:]
-		key = bytes.TrimSpace(key)
-		val = bytes.TrimSpace(val)
-		b.Headers.Add(string(key), string(val))
-	}
-
-	firstLine := true
-	for {
-		start := rest
-
-		line, rest = getLine(rest)
-		if len(line) == 0 && len(rest) == 0 {
-			// No armored data was found, so this isn't a complete message.
-			return nil, data
-		}
-		if bytes.Equal(line, endText) {
-			// Back up to the start of the line because armor expects to see the
-			// header line.
-			rest = start
-			break
-		}
-
-		// The final CRLF isn't included in the hash so we don't write it until
-		// we've seen the next line.
-		if firstLine {
-			firstLine = false
-		} else {
-			b.Bytes = append(b.Bytes, crlf...)
-		}
-
-		if bytes.HasPrefix(line, dashEscape) {
-			line = line[2:]
-		}
-		line = bytes.TrimRight(line, " \t")
-		b.Bytes = append(b.Bytes, line...)
-
-		b.Plaintext = append(b.Plaintext, line...)
-		b.Plaintext = append(b.Plaintext, lf)
-	}
-
-	// We want to find the extent of the armored data (including any newlines at
-	// the end).
-	i := bytes.Index(rest, end)
-	if i == -1 {
-		return nil, data
-	}
-	i += len(end)
-	for i < len(rest) && (rest[i] == '\r' || rest[i] == '\n') {
-		i++
-	}
-	armored := rest[:i]
-	rest = rest[i:]
-
-	var err error
-	b.ArmoredSignature, err = armor.Decode(bytes.NewBuffer(armored))
-	if err != nil {
-		return nil, data
-	}
-
-	return b, rest
-}
-
-// A dashEscaper is an io.WriteCloser which processes the body of a clear-signed
-// message. The clear-signed message is written to buffered and a hash, suitable
-// for signing, is maintained in h.
-//
-// When closed, an armored signature is created and written to complete the
-// message.
-type dashEscaper struct {
-	buffered *bufio.Writer
-	h        hash.Hash
-	hashType crypto.Hash
-
-	atBeginningOfLine bool
-	isFirstLine       bool
-
-	whitespace []byte
-	byteBuf    []byte // a one byte buffer to save allocations
-
-	privateKey *packet.PrivateKey
-	config     *packet.Config
-}
-
-func (d *dashEscaper) Write(data []byte) (n int, err error) {
-	for _, b := range data {
-		d.byteBuf[0] = b
-
-		if d.atBeginningOfLine {
-			// The final CRLF isn't included in the hash so we have to wait
-			// until this point (the start of the next line) before writing it.
-			if !d.isFirstLine {
-				d.h.Write(crlf)
-			}
-			d.isFirstLine = false
-		}
-
-		// Any whitespace at the end of the line has to be removed so we
-		// buffer it until we find out whether there's more on this line.
-		if b == ' ' || b == '\t' || b == '\r' {
-			d.whitespace = append(d.whitespace, b)
-			d.atBeginningOfLine = false
-			continue
-		}
-
-		if d.atBeginningOfLine {
-			// At the beginning of a line, hyphens have to be escaped.
-			if b == '-' {
-				// The signature isn't calculated over the dash-escaped text so
-				// the escape is only written to buffered.
-				if _, err = d.buffered.Write(dashEscape); err != nil {
-					return
-				}
-				d.h.Write(d.byteBuf)
-				d.atBeginningOfLine = false
-			} else if b == '\n' {
-				// Nothing to do because we delay writing CRLF to the hash.
-			} else {
-				d.h.Write(d.byteBuf)
-				d.atBeginningOfLine = false
-			}
-			if err = d.buffered.WriteByte(b); err != nil {
-				return
-			}
-		} else {
-			if b == '\n' {
-				// We got a raw \n. Drop any trailing whitespace and write a
-				// CRLF.
-				d.whitespace = d.whitespace[:0]
-				// We delay writing CRLF to the hash until the start of the
-				// next line.
-				if err = d.buffered.WriteByte(b); err != nil {
-					return
-				}
-				d.atBeginningOfLine = true
-			} else {
-				// Any buffered whitespace wasn't at the end of the line so
-				// we need to write it out.
-				if len(d.whitespace) > 0 {
-					d.h.Write(d.whitespace)
-					if _, err = d.buffered.Write(d.whitespace); err != nil {
-						return
-					}
-					d.whitespace = d.whitespace[:0]
-				}
-				d.h.Write(d.byteBuf)
-				if err = d.buffered.WriteByte(b); err != nil {
-					return
-				}
-			}
-		}
-	}
-
-	n = len(data)
-	return
-}
-
-func (d *dashEscaper) Close() (err error) {
-	if !d.atBeginningOfLine {
-		if err = d.buffered.WriteByte(lf); err != nil {
-			return
-		}
-	}
-	sig := new(packet.Signature)
-	sig.SigType = packet.SigTypeText
-	sig.PubKeyAlgo = d.privateKey.PubKeyAlgo
-	sig.Hash = d.hashType
-	sig.CreationTime = d.config.Now()
-	sig.IssuerKeyId = &d.privateKey.KeyId
-
-	if err = sig.Sign(d.h, d.privateKey, d.config); err != nil {
-		return
-	}
-
-	out, err := armor.Encode(d.buffered, "PGP SIGNATURE", nil)
-	if err != nil {
-		return
-	}
-
-	if err = sig.Serialize(out); err != nil {
-		return
-	}
-	if err = out.Close(); err != nil {
-		return
-	}
-	if err = d.buffered.Flush(); err != nil {
-		return
-	}
-	return
-}
-
-// Encode returns a WriteCloser which will clear-sign a message with privateKey
-// and write it to w. If config is nil, sensible defaults are used.
-func Encode(w io.Writer, privateKey *packet.PrivateKey, config *packet.Config) (plaintext io.WriteCloser, err error) {
-	if privateKey.Encrypted {
-		return nil, errors.InvalidArgumentError("signing key is encrypted")
-	}
-
-	hashType := config.Hash()
-	name := nameOfHash(hashType)
-	if len(name) == 0 {
-		return nil, errors.UnsupportedError("unknown hash type: " + strconv.Itoa(int(hashType)))
-	}
-
-	if !hashType.Available() {
-		return nil, errors.UnsupportedError("unsupported hash type: " + strconv.Itoa(int(hashType)))
-	}
-	h := hashType.New()
-
-	buffered := bufio.NewWriter(w)
-	// start has a \n at the beginning that we don't want here.
-	if _, err = buffered.Write(start[1:]); err != nil {
-		return
-	}
-	if err = buffered.WriteByte(lf); err != nil {
-		return
-	}
-	if _, err = buffered.WriteString("Hash: "); err != nil {
-		return
-	}
-	if _, err = buffered.WriteString(name); err != nil {
-		return
-	}
-	if err = buffered.WriteByte(lf); err != nil {
-		return
-	}
-	if err = buffered.WriteByte(lf); err != nil {
-		return
-	}
-
-	plaintext = &dashEscaper{
-		buffered: buffered,
-		h:        h,
-		hashType: hashType,
-
-		atBeginningOfLine: true,
-		isFirstLine:       true,
-
-		byteBuf: make([]byte, 1),
-
-		privateKey: privateKey,
-		config:     config,
-	}
-
-	return
-}
-
-// nameOfHash returns the OpenPGP name for the given hash, or the empty string
-// if the name isn't known. See RFC 4880, section 9.4.
-func nameOfHash(h crypto.Hash) string {
-	switch h {
-	case crypto.MD5:
-		return "MD5"
-	case crypto.SHA1:
-		return "SHA1"
-	case crypto.RIPEMD160:
-		return "RIPEMD160"
-	case crypto.SHA224:
-		return "SHA224"
-	case crypto.SHA256:
-		return "SHA256"
-	case crypto.SHA384:
-		return "SHA384"
-	case crypto.SHA512:
-		return "SHA512"
-	}
-	return ""
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign_test.go b/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign_test.go
deleted file mode 100644
index 2c094807..00000000
--- a/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign_test.go
+++ /dev/null
@@ -1,210 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package clearsign
-
-import (
-	"bytes"
-	"golang.org/x/crypto/openpgp"
-	"testing"
-)
-
-func testParse(t *testing.T, input []byte, expected, expectedPlaintext string) {
-	b, rest := Decode(input)
-	if b == nil {
-		t.Fatal("failed to decode clearsign message")
-	}
-	if !bytes.Equal(rest, []byte("trailing")) {
-		t.Errorf("unexpected remaining bytes returned: %s", string(rest))
-	}
-	if b.ArmoredSignature.Type != "PGP SIGNATURE" {
-		t.Errorf("bad armor type, got:%s, want:PGP SIGNATURE", b.ArmoredSignature.Type)
-	}
-	if !bytes.Equal(b.Bytes, []byte(expected)) {
-		t.Errorf("bad body, got:%x want:%x", b.Bytes, expected)
-	}
-
-	if !bytes.Equal(b.Plaintext, []byte(expectedPlaintext)) {
-		t.Errorf("bad plaintext, got:%x want:%x", b.Plaintext, expectedPlaintext)
-	}
-
-	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(signingKey))
-	if err != nil {
-		t.Errorf("failed to parse public key: %s", err)
-	}
-
-	if _, err := openpgp.CheckDetachedSignature(keyring, bytes.NewBuffer(b.Bytes), b.ArmoredSignature.Body); err != nil {
-		t.Errorf("failed to check signature: %s", err)
-	}
-}
-
-func TestParse(t *testing.T) {
-	testParse(t, clearsignInput, "Hello world\r\nline 2", "Hello world\nline 2\n")
-	testParse(t, clearsignInput2, "\r\n\r\n(This message has a couple of blank lines at the start and end.)\r\n\r\n", "\n\n(This message has a couple of blank lines at the start and end.)\n\n\n")
-}
-
-func TestParseInvalid(t *testing.T) {
-	if b, _ := Decode(clearsignInput3); b != nil {
-		t.Fatal("decoded a bad clearsigned message without any error")
-	}
-}
-
-func TestParseWithNoNewlineAtEnd(t *testing.T) {
-	input := clearsignInput
-	input = input[:len(input)-len("trailing")-1]
-	b, rest := Decode(input)
-	if b == nil {
-		t.Fatal("failed to decode clearsign message")
-	}
-	if len(rest) > 0 {
-		t.Errorf("unexpected remaining bytes returned: %s", string(rest))
-	}
-}
-
-var signingTests = []struct {
-	in, signed, plaintext string
-}{
-	{"", "", ""},
-	{"a", "a", "a\n"},
-	{"a\n", "a", "a\n"},
-	{"-a\n", "-a", "-a\n"},
-	{"--a\nb", "--a\r\nb", "--a\nb\n"},
-	// leading whitespace
-	{" a\n", " a", " a\n"},
-	{"  a\n", "  a", "  a\n"},
-	// trailing whitespace (should be stripped)
-	{"a \n", "a", "a\n"},
-	{"a ", "a", "a\n"},
-	// whitespace-only lines (should be stripped)
-	{"  \n", "", "\n"},
-	{"  ", "", "\n"},
-	{"a\n  \n  \nb\n", "a\r\n\r\n\r\nb", "a\n\n\nb\n"},
-}
-
-func TestSigning(t *testing.T) {
-	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(signingKey))
-	if err != nil {
-		t.Errorf("failed to parse public key: %s", err)
-	}
-
-	for i, test := range signingTests {
-		var buf bytes.Buffer
-
-		plaintext, err := Encode(&buf, keyring[0].PrivateKey, nil)
-		if err != nil {
-			t.Errorf("#%d: error from Encode: %s", i, err)
-			continue
-		}
-		if _, err := plaintext.Write([]byte(test.in)); err != nil {
-			t.Errorf("#%d: error from Write: %s", i, err)
-			continue
-		}
-		if err := plaintext.Close(); err != nil {
-			t.Fatalf("#%d: error from Close: %s", i, err)
-			continue
-		}
-
-		b, _ := Decode(buf.Bytes())
-		if b == nil {
-			t.Errorf("#%d: failed to decode clearsign message", i)
-			continue
-		}
-		if !bytes.Equal(b.Bytes, []byte(test.signed)) {
-			t.Errorf("#%d: bad result, got:%x, want:%x", i, b.Bytes, test.signed)
-			continue
-		}
-		if !bytes.Equal(b.Plaintext, []byte(test.plaintext)) {
-			t.Errorf("#%d: bad result, got:%x, want:%x", i, b.Plaintext, test.plaintext)
-			continue
-		}
-
-		if _, err := openpgp.CheckDetachedSignature(keyring, bytes.NewBuffer(b.Bytes), b.ArmoredSignature.Body); err != nil {
-			t.Errorf("#%d: failed to check signature: %s", i, err)
-		}
-	}
-}
-
-var clearsignInput = []byte(`
-;lasjlkfdsa
-
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-Hello world
-line 2
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.10 (GNU/Linux)
-
-iJwEAQECAAYFAk8kMuEACgkQO9o98PRieSpMsAQAhmY/vwmNpflrPgmfWsYhk5O8
-pjnBUzZwqTDoDeINjZEoPDSpQAHGhjFjgaDx/Gj4fAl0dM4D0wuUEBb6QOrwflog
-2A2k9kfSOMOtk0IH/H5VuFN1Mie9L/erYXjTQIptv9t9J7NoRBMU0QOOaFU0JaO9
-MyTpno24AjIAGb+mH1U=
-=hIJ6
------END PGP SIGNATURE-----
-trailing`)
-
-var clearsignInput2 = []byte(`
-asdlfkjasdlkfjsadf
-
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
-
-
-(This message has a couple of blank lines at the start and end.)
-
-
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iJwEAQEIAAYFAlPpSREACgkQO9o98PRieSpZTAP+M8QUoCt/7Rf3YbXPcdzIL32v
-pt1I+cMNeopzfLy0u4ioEFi8s5VkwpL1AFmirvgViCwlf82inoRxzZRiW05JQ5LI
-ESEzeCoy2LIdRCQ2hcrG8pIUPzUO4TqO5D/dMbdHwNH4h5nNmGJUAEG6FpURlPm+
-qZg6BaTvOxepqOxnhVU=
-=e+C6
------END PGP SIGNATURE-----
-
-trailing`)
-
-var clearsignInput3 = []byte(`
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
-(This message was truncated.)
-`)
-
-var signingKey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
-Version: GnuPG v1.4.10 (GNU/Linux)
-
-lQHYBE2rFNoBBADFwqWQIW/DSqcB4yCQqnAFTJ27qS5AnB46ccAdw3u4Greeu3Bp
-idpoHdjULy7zSKlwR1EA873dO/k/e11Ml3dlAFUinWeejWaK2ugFP6JjiieSsrKn
-vWNicdCS4HTWn0X4sjl0ZiAygw6GNhqEQ3cpLeL0g8E9hnYzJKQ0LWJa0QARAQAB
-AAP/TB81EIo2VYNmTq0pK1ZXwUpxCrvAAIG3hwKjEzHcbQznsjNvPUihZ+NZQ6+X
-0HCfPAdPkGDCLCb6NavcSW+iNnLTrdDnSI6+3BbIONqWWdRDYJhqZCkqmG6zqSfL
-IdkJgCw94taUg5BWP/AAeQrhzjChvpMQTVKQL5mnuZbUCeMCAN5qrYMP2S9iKdnk
-VANIFj7656ARKt/nf4CBzxcpHTyB8+d2CtPDKCmlJP6vL8t58Jmih+kHJMvC0dzn
-gr5f5+sCAOOe5gt9e0am7AvQWhdbHVfJU0TQJx+m2OiCJAqGTB1nvtBLHdJnfdC9
-TnXXQ6ZXibqLyBies/xeY2sCKL5qtTMCAKnX9+9d/5yQxRyrQUHt1NYhaXZnJbHx
-q4ytu0eWz+5i68IYUSK69jJ1NWPM0T6SkqpB3KCAIv68VFm9PxqG1KmhSrQIVGVz
-dCBLZXmIuAQTAQIAIgUCTasU2gIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
-CgkQO9o98PRieSoLhgQAkLEZex02Qt7vGhZzMwuN0R22w3VwyYyjBx+fM3JFETy1
-ut4xcLJoJfIaF5ZS38UplgakHG0FQ+b49i8dMij0aZmDqGxrew1m4kBfjXw9B/v+
-eIqpODryb6cOSwyQFH0lQkXC040pjq9YqDsO5w0WYNXYKDnzRV0p4H1pweo2VDid
-AdgETasU2gEEAN46UPeWRqKHvA99arOxee38fBt2CI08iiWyI8T3J6ivtFGixSqV
-bRcPxYO/qLpVe5l84Nb3X71GfVXlc9hyv7CD6tcowL59hg1E/DC5ydI8K8iEpUmK
-/UnHdIY5h8/kqgGxkY/T/hgp5fRQgW1ZoZxLajVlMRZ8W4tFtT0DeA+JABEBAAEA
-A/0bE1jaaZKj6ndqcw86jd+QtD1SF+Cf21CWRNeLKnUds4FRRvclzTyUMuWPkUeX
-TaNNsUOFqBsf6QQ2oHUBBK4VCHffHCW4ZEX2cd6umz7mpHW6XzN4DECEzOVksXtc
-lUC1j4UB91DC/RNQqwX1IV2QLSwssVotPMPqhOi0ZLNY7wIA3n7DWKInxYZZ4K+6
-rQ+POsz6brEoRHwr8x6XlHenq1Oki855pSa1yXIARoTrSJkBtn5oI+f8AzrnN0BN
-oyeQAwIA/7E++3HDi5aweWrViiul9cd3rcsS0dEnksPhvS0ozCJiHsq/6GFmy7J8
-QSHZPteedBnZyNp5jR+H7cIfVN3KgwH/Skq4PsuPhDq5TKK6i8Pc1WW8MA6DXTdU
-nLkX7RGmMwjC0DBf7KWAlPjFaONAX3a8ndnz//fy1q7u2l9AZwrj1qa1iJ8EGAEC
-AAkFAk2rFNoCGwwACgkQO9o98PRieSo2/QP/WTzr4ioINVsvN1akKuekmEMI3LAp
-BfHwatufxxP1U+3Si/6YIk7kuPB9Hs+pRqCXzbvPRrI8NHZBmc8qIGthishdCYad
-AHcVnXjtxrULkQFGbGvhKURLvS9WnzD/m1K2zzwxzkPTzT9/Yf06O6Mal5AdugPL
-VrM0m72/jnpKo04=
-=zNCn
------END PGP PRIVATE KEY BLOCK-----
-`
diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
deleted file mode 100644
index 73f4fe37..00000000
--- a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
+++ /dev/null
@@ -1,122 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package elgamal implements ElGamal encryption, suitable for OpenPGP,
-// as specified in "A Public-Key Cryptosystem and a Signature Scheme Based on
-// Discrete Logarithms," IEEE Transactions on Information Theory, v. IT-31,
-// n. 4, 1985, pp. 469-472.
-//
-// This form of ElGamal embeds PKCS#1 v1.5 padding, which may make it
-// unsuitable for other protocols. RSA should be used in preference in any
-// case.
-package elgamal // import "golang.org/x/crypto/openpgp/elgamal"
-
-import (
-	"crypto/rand"
-	"crypto/subtle"
-	"errors"
-	"io"
-	"math/big"
-)
-
-// PublicKey represents an ElGamal public key.
-type PublicKey struct {
-	G, P, Y *big.Int
-}
-
-// PrivateKey represents an ElGamal private key.
-type PrivateKey struct {
-	PublicKey
-	X *big.Int
-}
-
-// Encrypt encrypts the given message to the given public key. The result is a
-// pair of integers. Errors can result from reading random, or because msg is
-// too large to be encrypted to the public key.
-func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) {
-	pLen := (pub.P.BitLen() + 7) / 8
-	if len(msg) > pLen-11 {
-		err = errors.New("elgamal: message too long")
-		return
-	}
-
-	// EM = 0x02 || PS || 0x00 || M
-	em := make([]byte, pLen-1)
-	em[0] = 2
-	ps, mm := em[1:len(em)-len(msg)-1], em[len(em)-len(msg):]
-	err = nonZeroRandomBytes(ps, random)
-	if err != nil {
-		return
-	}
-	em[len(em)-len(msg)-1] = 0
-	copy(mm, msg)
-
-	m := new(big.Int).SetBytes(em)
-
-	k, err := rand.Int(random, pub.P)
-	if err != nil {
-		return
-	}
-
-	c1 = new(big.Int).Exp(pub.G, k, pub.P)
-	s := new(big.Int).Exp(pub.Y, k, pub.P)
-	c2 = s.Mul(s, m)
-	c2.Mod(c2, pub.P)
-
-	return
-}
-
-// Decrypt takes two integers, resulting from an ElGamal encryption, and
-// returns the plaintext of the message. An error can result only if the
-// ciphertext is invalid. Users should keep in mind that this is a padding
-// oracle and thus, if exposed to an adaptive chosen ciphertext attack, can
-// be used to break the cryptosystem.  See ``Chosen Ciphertext Attacks
-// Against Protocols Based on the RSA Encryption Standard PKCS #1'', Daniel
-// Bleichenbacher, Advances in Cryptology (Crypto '98),
-func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) {
-	s := new(big.Int).Exp(c1, priv.X, priv.P)
-	s.ModInverse(s, priv.P)
-	s.Mul(s, c2)
-	s.Mod(s, priv.P)
-	em := s.Bytes()
-
-	firstByteIsTwo := subtle.ConstantTimeByteEq(em[0], 2)
-
-	// The remainder of the plaintext must be a string of non-zero random
-	// octets, followed by a 0, followed by the message.
-	//   lookingForIndex: 1 iff we are still looking for the zero.
-	//   index: the offset of the first zero byte.
-	var lookingForIndex, index int
-	lookingForIndex = 1
-
-	for i := 1; i < len(em); i++ {
-		equals0 := subtle.ConstantTimeByteEq(em[i], 0)
-		index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index)
-		lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex)
-	}
-
-	if firstByteIsTwo != 1 || lookingForIndex != 0 || index < 9 {
-		return nil, errors.New("elgamal: decryption error")
-	}
-	return em[index+1:], nil
-}
-
-// nonZeroRandomBytes fills the given slice with non-zero random octets.
-func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) {
-	_, err = io.ReadFull(rand, s)
-	if err != nil {
-		return
-	}
-
-	for i := 0; i < len(s); i++ {
-		for s[i] == 0 {
-			_, err = io.ReadFull(rand, s[i:i+1])
-			if err != nil {
-				return
-			}
-		}
-	}
-
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal_test.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal_test.go
deleted file mode 100644
index c4f99f5c..00000000
--- a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal_test.go
+++ /dev/null
@@ -1,49 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package elgamal
-
-import (
-	"bytes"
-	"crypto/rand"
-	"math/big"
-	"testing"
-)
-
-// This is the 1024-bit MODP group from RFC 5114, section 2.1:
-const primeHex = "B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371"
-
-const generatorHex = "A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B777E690F5504F213160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28AD662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24855E6EEB22B3B2E5"
-
-func fromHex(hex string) *big.Int {
-	n, ok := new(big.Int).SetString(hex, 16)
-	if !ok {
-		panic("failed to parse hex number")
-	}
-	return n
-}
-
-func TestEncryptDecrypt(t *testing.T) {
-	priv := &PrivateKey{
-		PublicKey: PublicKey{
-			G: fromHex(generatorHex),
-			P: fromHex(primeHex),
-		},
-		X: fromHex("42"),
-	}
-	priv.Y = new(big.Int).Exp(priv.G, priv.X, priv.P)
-
-	message := []byte("hello world")
-	c1, c2, err := Encrypt(rand.Reader, &priv.PublicKey, message)
-	if err != nil {
-		t.Errorf("error encrypting: %s", err)
-	}
-	message2, err := Decrypt(priv, c1, c2)
-	if err != nil {
-		t.Errorf("error decrypting: %s", err)
-	}
-	if !bytes.Equal(message2, message) {
-		t.Errorf("decryption failed, got: %x, want: %x", message2, message)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/errors/errors.go b/vendor/golang.org/x/crypto/openpgp/errors/errors.go
deleted file mode 100644
index eb0550b2..00000000
--- a/vendor/golang.org/x/crypto/openpgp/errors/errors.go
+++ /dev/null
@@ -1,72 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package errors contains common error types for the OpenPGP packages.
-package errors // import "golang.org/x/crypto/openpgp/errors"
-
-import (
-	"strconv"
-)
-
-// A StructuralError is returned when OpenPGP data is found to be syntactically
-// invalid.
-type StructuralError string
-
-func (s StructuralError) Error() string {
-	return "openpgp: invalid data: " + string(s)
-}
-
-// UnsupportedError indicates that, although the OpenPGP data is valid, it
-// makes use of currently unimplemented features.
-type UnsupportedError string
-
-func (s UnsupportedError) Error() string {
-	return "openpgp: unsupported feature: " + string(s)
-}
-
-// InvalidArgumentError indicates that the caller is in error and passed an
-// incorrect value.
-type InvalidArgumentError string
-
-func (i InvalidArgumentError) Error() string {
-	return "openpgp: invalid argument: " + string(i)
-}
-
-// SignatureError indicates that a syntactically valid signature failed to
-// validate.
-type SignatureError string
-
-func (b SignatureError) Error() string {
-	return "openpgp: invalid signature: " + string(b)
-}
-
-type keyIncorrectError int
-
-func (ki keyIncorrectError) Error() string {
-	return "openpgp: incorrect key"
-}
-
-var ErrKeyIncorrect error = keyIncorrectError(0)
-
-type unknownIssuerError int
-
-func (unknownIssuerError) Error() string {
-	return "openpgp: signature made by unknown entity"
-}
-
-var ErrUnknownIssuer error = unknownIssuerError(0)
-
-type keyRevokedError int
-
-func (keyRevokedError) Error() string {
-	return "openpgp: signature made by revoked key"
-}
-
-var ErrKeyRevoked error = keyRevokedError(0)
-
-type UnknownPacketTypeError uint8
-
-func (upte UnknownPacketTypeError) Error() string {
-	return "openpgp: unknown packet type: " + strconv.Itoa(int(upte))
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/keys.go b/vendor/golang.org/x/crypto/openpgp/keys.go
deleted file mode 100644
index 744e293f..00000000
--- a/vendor/golang.org/x/crypto/openpgp/keys.go
+++ /dev/null
@@ -1,636 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package openpgp
-
-import (
-	"crypto/rsa"
-	"io"
-	"time"
-
-	"golang.org/x/crypto/openpgp/armor"
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/packet"
-)
-
-// PublicKeyType is the armor type for a PGP public key.
-var PublicKeyType = "PGP PUBLIC KEY BLOCK"
-
-// PrivateKeyType is the armor type for a PGP private key.
-var PrivateKeyType = "PGP PRIVATE KEY BLOCK"
-
-// An Entity represents the components of an OpenPGP key: a primary public key
-// (which must be a signing key), one or more identities claimed by that key,
-// and zero or more subkeys, which may be encryption keys.
-type Entity struct {
-	PrimaryKey  *packet.PublicKey
-	PrivateKey  *packet.PrivateKey
-	Identities  map[string]*Identity // indexed by Identity.Name
-	Revocations []*packet.Signature
-	Subkeys     []Subkey
-}
-
-// An Identity represents an identity claimed by an Entity and zero or more
-// assertions by other entities about that claim.
-type Identity struct {
-	Name          string // by convention, has the form "Full Name (comment) <email@example.com>"
-	UserId        *packet.UserId
-	SelfSignature *packet.Signature
-	Signatures    []*packet.Signature
-}
-
-// A Subkey is an additional public key in an Entity. Subkeys can be used for
-// encryption.
-type Subkey struct {
-	PublicKey  *packet.PublicKey
-	PrivateKey *packet.PrivateKey
-	Sig        *packet.Signature
-}
-
-// A Key identifies a specific public key in an Entity. This is either the
-// Entity's primary key or a subkey.
-type Key struct {
-	Entity        *Entity
-	PublicKey     *packet.PublicKey
-	PrivateKey    *packet.PrivateKey
-	SelfSignature *packet.Signature
-}
-
-// A KeyRing provides access to public and private keys.
-type KeyRing interface {
-	// KeysById returns the set of keys that have the given key id.
-	KeysById(id uint64) []Key
-	// KeysByIdAndUsage returns the set of keys with the given id
-	// that also meet the key usage given by requiredUsage.
-	// The requiredUsage is expressed as the bitwise-OR of
-	// packet.KeyFlag* values.
-	KeysByIdUsage(id uint64, requiredUsage byte) []Key
-	// DecryptionKeys returns all private keys that are valid for
-	// decryption.
-	DecryptionKeys() []Key
-}
-
-// primaryIdentity returns the Identity marked as primary or the first identity
-// if none are so marked.
-func (e *Entity) primaryIdentity() *Identity {
-	var firstIdentity *Identity
-	for _, ident := range e.Identities {
-		if firstIdentity == nil {
-			firstIdentity = ident
-		}
-		if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
-			return ident
-		}
-	}
-	return firstIdentity
-}
-
-// encryptionKey returns the best candidate Key for encrypting a message to the
-// given Entity.
-func (e *Entity) encryptionKey(now time.Time) (Key, bool) {
-	candidateSubkey := -1
-
-	// Iterate the keys to find the newest key
-	var maxTime time.Time
-	for i, subkey := range e.Subkeys {
-		if subkey.Sig.FlagsValid &&
-			subkey.Sig.FlagEncryptCommunications &&
-			subkey.PublicKey.PubKeyAlgo.CanEncrypt() &&
-			!subkey.Sig.KeyExpired(now) &&
-			(maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) {
-			candidateSubkey = i
-			maxTime = subkey.Sig.CreationTime
-		}
-	}
-
-	if candidateSubkey != -1 {
-		subkey := e.Subkeys[candidateSubkey]
-		return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true
-	}
-
-	// If we don't have any candidate subkeys for encryption and
-	// the primary key doesn't have any usage metadata then we
-	// assume that the primary key is ok. Or, if the primary key is
-	// marked as ok to encrypt to, then we can obviously use it.
-	i := e.primaryIdentity()
-	if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications &&
-		e.PrimaryKey.PubKeyAlgo.CanEncrypt() &&
-		!i.SelfSignature.KeyExpired(now) {
-		return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true
-	}
-
-	// This Entity appears to be signing only.
-	return Key{}, false
-}
-
-// signingKey return the best candidate Key for signing a message with this
-// Entity.
-func (e *Entity) signingKey(now time.Time) (Key, bool) {
-	candidateSubkey := -1
-
-	for i, subkey := range e.Subkeys {
-		if subkey.Sig.FlagsValid &&
-			subkey.Sig.FlagSign &&
-			subkey.PublicKey.PubKeyAlgo.CanSign() &&
-			!subkey.Sig.KeyExpired(now) {
-			candidateSubkey = i
-			break
-		}
-	}
-
-	if candidateSubkey != -1 {
-		subkey := e.Subkeys[candidateSubkey]
-		return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true
-	}
-
-	// If we have no candidate subkey then we assume that it's ok to sign
-	// with the primary key.
-	i := e.primaryIdentity()
-	if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagSign &&
-		!i.SelfSignature.KeyExpired(now) {
-		return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true
-	}
-
-	return Key{}, false
-}
-
-// An EntityList contains one or more Entities.
-type EntityList []*Entity
-
-// KeysById returns the set of keys that have the given key id.
-func (el EntityList) KeysById(id uint64) (keys []Key) {
-	for _, e := range el {
-		if e.PrimaryKey.KeyId == id {
-			var selfSig *packet.Signature
-			for _, ident := range e.Identities {
-				if selfSig == nil {
-					selfSig = ident.SelfSignature
-				} else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
-					selfSig = ident.SelfSignature
-					break
-				}
-			}
-			keys = append(keys, Key{e, e.PrimaryKey, e.PrivateKey, selfSig})
-		}
-
-		for _, subKey := range e.Subkeys {
-			if subKey.PublicKey.KeyId == id {
-				keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig})
-			}
-		}
-	}
-	return
-}
-
-// KeysByIdAndUsage returns the set of keys with the given id that also meet
-// the key usage given by requiredUsage.  The requiredUsage is expressed as
-// the bitwise-OR of packet.KeyFlag* values.
-func (el EntityList) KeysByIdUsage(id uint64, requiredUsage byte) (keys []Key) {
-	for _, key := range el.KeysById(id) {
-		if len(key.Entity.Revocations) > 0 {
-			continue
-		}
-
-		if key.SelfSignature.RevocationReason != nil {
-			continue
-		}
-
-		if key.SelfSignature.FlagsValid && requiredUsage != 0 {
-			var usage byte
-			if key.SelfSignature.FlagCertify {
-				usage |= packet.KeyFlagCertify
-			}
-			if key.SelfSignature.FlagSign {
-				usage |= packet.KeyFlagSign
-			}
-			if key.SelfSignature.FlagEncryptCommunications {
-				usage |= packet.KeyFlagEncryptCommunications
-			}
-			if key.SelfSignature.FlagEncryptStorage {
-				usage |= packet.KeyFlagEncryptStorage
-			}
-			if usage&requiredUsage != requiredUsage {
-				continue
-			}
-		}
-
-		keys = append(keys, key)
-	}
-	return
-}
-
-// DecryptionKeys returns all private keys that are valid for decryption.
-func (el EntityList) DecryptionKeys() (keys []Key) {
-	for _, e := range el {
-		for _, subKey := range e.Subkeys {
-			if subKey.PrivateKey != nil && (!subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) {
-				keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig})
-			}
-		}
-	}
-	return
-}
-
-// ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file.
-func ReadArmoredKeyRing(r io.Reader) (EntityList, error) {
-	block, err := armor.Decode(r)
-	if err == io.EOF {
-		return nil, errors.InvalidArgumentError("no armored data found")
-	}
-	if err != nil {
-		return nil, err
-	}
-	if block.Type != PublicKeyType && block.Type != PrivateKeyType {
-		return nil, errors.InvalidArgumentError("expected public or private key block, got: " + block.Type)
-	}
-
-	return ReadKeyRing(block.Body)
-}
-
-// ReadKeyRing reads one or more public/private keys. Unsupported keys are
-// ignored as long as at least a single valid key is found.
-func ReadKeyRing(r io.Reader) (el EntityList, err error) {
-	packets := packet.NewReader(r)
-	var lastUnsupportedError error
-
-	for {
-		var e *Entity
-		e, err = ReadEntity(packets)
-		if err != nil {
-			// TODO: warn about skipped unsupported/unreadable keys
-			if _, ok := err.(errors.UnsupportedError); ok {
-				lastUnsupportedError = err
-				err = readToNextPublicKey(packets)
-			} else if _, ok := err.(errors.StructuralError); ok {
-				// Skip unreadable, badly-formatted keys
-				lastUnsupportedError = err
-				err = readToNextPublicKey(packets)
-			}
-			if err == io.EOF {
-				err = nil
-				break
-			}
-			if err != nil {
-				el = nil
-				break
-			}
-		} else {
-			el = append(el, e)
-		}
-	}
-
-	if len(el) == 0 && err == nil {
-		err = lastUnsupportedError
-	}
-	return
-}
-
-// readToNextPublicKey reads packets until the start of the entity and leaves
-// the first packet of the new entity in the Reader.
-func readToNextPublicKey(packets *packet.Reader) (err error) {
-	var p packet.Packet
-	for {
-		p, err = packets.Next()
-		if err == io.EOF {
-			return
-		} else if err != nil {
-			if _, ok := err.(errors.UnsupportedError); ok {
-				err = nil
-				continue
-			}
-			return
-		}
-
-		if pk, ok := p.(*packet.PublicKey); ok && !pk.IsSubkey {
-			packets.Unread(p)
-			return
-		}
-	}
-}
-
-// ReadEntity reads an entity (public key, identities, subkeys etc) from the
-// given Reader.
-func ReadEntity(packets *packet.Reader) (*Entity, error) {
-	e := new(Entity)
-	e.Identities = make(map[string]*Identity)
-
-	p, err := packets.Next()
-	if err != nil {
-		return nil, err
-	}
-
-	var ok bool
-	if e.PrimaryKey, ok = p.(*packet.PublicKey); !ok {
-		if e.PrivateKey, ok = p.(*packet.PrivateKey); !ok {
-			packets.Unread(p)
-			return nil, errors.StructuralError("first packet was not a public/private key")
-		}
-		e.PrimaryKey = &e.PrivateKey.PublicKey
-	}
-
-	if !e.PrimaryKey.PubKeyAlgo.CanSign() {
-		return nil, errors.StructuralError("primary key cannot be used for signatures")
-	}
-
-	var current *Identity
-	var revocations []*packet.Signature
-EachPacket:
-	for {
-		p, err := packets.Next()
-		if err == io.EOF {
-			break
-		} else if err != nil {
-			return nil, err
-		}
-
-		switch pkt := p.(type) {
-		case *packet.UserId:
-			current = new(Identity)
-			current.Name = pkt.Id
-			current.UserId = pkt
-			e.Identities[pkt.Id] = current
-
-			for {
-				p, err = packets.Next()
-				if err == io.EOF {
-					return nil, io.ErrUnexpectedEOF
-				} else if err != nil {
-					return nil, err
-				}
-
-				sig, ok := p.(*packet.Signature)
-				if !ok {
-					return nil, errors.StructuralError("user ID packet not followed by self-signature")
-				}
-
-				if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
-					if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
-						return nil, errors.StructuralError("user ID self-signature invalid: " + err.Error())
-					}
-					current.SelfSignature = sig
-					break
-				}
-				current.Signatures = append(current.Signatures, sig)
-			}
-		case *packet.Signature:
-			if pkt.SigType == packet.SigTypeKeyRevocation {
-				revocations = append(revocations, pkt)
-			} else if pkt.SigType == packet.SigTypeDirectSignature {
-				// TODO: RFC4880 5.2.1 permits signatures
-				// directly on keys (eg. to bind additional
-				// revocation keys).
-			} else if current == nil {
-				return nil, errors.StructuralError("signature packet found before user id packet")
-			} else {
-				current.Signatures = append(current.Signatures, pkt)
-			}
-		case *packet.PrivateKey:
-			if pkt.IsSubkey == false {
-				packets.Unread(p)
-				break EachPacket
-			}
-			err = addSubkey(e, packets, &pkt.PublicKey, pkt)
-			if err != nil {
-				return nil, err
-			}
-		case *packet.PublicKey:
-			if pkt.IsSubkey == false {
-				packets.Unread(p)
-				break EachPacket
-			}
-			err = addSubkey(e, packets, pkt, nil)
-			if err != nil {
-				return nil, err
-			}
-		default:
-			// we ignore unknown packets
-		}
-	}
-
-	if len(e.Identities) == 0 {
-		return nil, errors.StructuralError("entity without any identities")
-	}
-
-	for _, revocation := range revocations {
-		err = e.PrimaryKey.VerifyRevocationSignature(revocation)
-		if err == nil {
-			e.Revocations = append(e.Revocations, revocation)
-		} else {
-			// TODO: RFC 4880 5.2.3.15 defines revocation keys.
-			return nil, errors.StructuralError("revocation signature signed by alternate key")
-		}
-	}
-
-	return e, nil
-}
-
-func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error {
-	var subKey Subkey
-	subKey.PublicKey = pub
-	subKey.PrivateKey = priv
-	p, err := packets.Next()
-	if err == io.EOF {
-		return io.ErrUnexpectedEOF
-	}
-	if err != nil {
-		return errors.StructuralError("subkey signature invalid: " + err.Error())
-	}
-	var ok bool
-	subKey.Sig, ok = p.(*packet.Signature)
-	if !ok {
-		return errors.StructuralError("subkey packet not followed by signature")
-	}
-	if subKey.Sig.SigType != packet.SigTypeSubkeyBinding && subKey.Sig.SigType != packet.SigTypeSubkeyRevocation {
-		return errors.StructuralError("subkey signature with wrong type")
-	}
-	err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, subKey.Sig)
-	if err != nil {
-		return errors.StructuralError("subkey signature invalid: " + err.Error())
-	}
-	e.Subkeys = append(e.Subkeys, subKey)
-	return nil
-}
-
-const defaultRSAKeyBits = 2048
-
-// NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
-// single identity composed of the given full name, comment and email, any of
-// which may be empty but must not contain any of "()<>\x00".
-// If config is nil, sensible defaults will be used.
-func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) {
-	currentTime := config.Now()
-
-	bits := defaultRSAKeyBits
-	if config != nil && config.RSABits != 0 {
-		bits = config.RSABits
-	}
-
-	uid := packet.NewUserId(name, comment, email)
-	if uid == nil {
-		return nil, errors.InvalidArgumentError("user id field contained invalid characters")
-	}
-	signingPriv, err := rsa.GenerateKey(config.Random(), bits)
-	if err != nil {
-		return nil, err
-	}
-	encryptingPriv, err := rsa.GenerateKey(config.Random(), bits)
-	if err != nil {
-		return nil, err
-	}
-
-	e := &Entity{
-		PrimaryKey: packet.NewRSAPublicKey(currentTime, &signingPriv.PublicKey),
-		PrivateKey: packet.NewRSAPrivateKey(currentTime, signingPriv),
-		Identities: make(map[string]*Identity),
-	}
-	isPrimaryId := true
-	e.Identities[uid.Id] = &Identity{
-		Name:   uid.Name,
-		UserId: uid,
-		SelfSignature: &packet.Signature{
-			CreationTime: currentTime,
-			SigType:      packet.SigTypePositiveCert,
-			PubKeyAlgo:   packet.PubKeyAlgoRSA,
-			Hash:         config.Hash(),
-			IsPrimaryId:  &isPrimaryId,
-			FlagsValid:   true,
-			FlagSign:     true,
-			FlagCertify:  true,
-			IssuerKeyId:  &e.PrimaryKey.KeyId,
-		},
-	}
-
-	// If the user passes in a DefaultHash via packet.Config,
-	// set the PreferredHash for the SelfSignature.
-	if config != nil && config.DefaultHash != 0 {
-		e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)}
-	}
-
-	e.Subkeys = make([]Subkey, 1)
-	e.Subkeys[0] = Subkey{
-		PublicKey:  packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),
-		PrivateKey: packet.NewRSAPrivateKey(currentTime, encryptingPriv),
-		Sig: &packet.Signature{
-			CreationTime:              currentTime,
-			SigType:                   packet.SigTypeSubkeyBinding,
-			PubKeyAlgo:                packet.PubKeyAlgoRSA,
-			Hash:                      config.Hash(),
-			FlagsValid:                true,
-			FlagEncryptStorage:        true,
-			FlagEncryptCommunications: true,
-			IssuerKeyId:               &e.PrimaryKey.KeyId,
-		},
-	}
-	e.Subkeys[0].PublicKey.IsSubkey = true
-	e.Subkeys[0].PrivateKey.IsSubkey = true
-
-	return e, nil
-}
-
-// SerializePrivate serializes an Entity, including private key material, to
-// the given Writer. For now, it must only be used on an Entity returned from
-// NewEntity.
-// If config is nil, sensible defaults will be used.
-func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) {
-	err = e.PrivateKey.Serialize(w)
-	if err != nil {
-		return
-	}
-	for _, ident := range e.Identities {
-		err = ident.UserId.Serialize(w)
-		if err != nil {
-			return
-		}
-		err = ident.SelfSignature.SignUserId(ident.UserId.Id, e.PrimaryKey, e.PrivateKey, config)
-		if err != nil {
-			return
-		}
-		err = ident.SelfSignature.Serialize(w)
-		if err != nil {
-			return
-		}
-	}
-	for _, subkey := range e.Subkeys {
-		err = subkey.PrivateKey.Serialize(w)
-		if err != nil {
-			return
-		}
-		err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
-		if err != nil {
-			return
-		}
-		err = subkey.Sig.Serialize(w)
-		if err != nil {
-			return
-		}
-	}
-	return nil
-}
-
-// Serialize writes the public part of the given Entity to w. (No private
-// key material will be output).
-func (e *Entity) Serialize(w io.Writer) error {
-	err := e.PrimaryKey.Serialize(w)
-	if err != nil {
-		return err
-	}
-	for _, ident := range e.Identities {
-		err = ident.UserId.Serialize(w)
-		if err != nil {
-			return err
-		}
-		err = ident.SelfSignature.Serialize(w)
-		if err != nil {
-			return err
-		}
-		for _, sig := range ident.Signatures {
-			err = sig.Serialize(w)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	for _, subkey := range e.Subkeys {
-		err = subkey.PublicKey.Serialize(w)
-		if err != nil {
-			return err
-		}
-		err = subkey.Sig.Serialize(w)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// SignIdentity adds a signature to e, from signer, attesting that identity is
-// associated with e. The provided identity must already be an element of
-// e.Identities and the private key of signer must have been decrypted if
-// necessary.
-// If config is nil, sensible defaults will be used.
-func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error {
-	if signer.PrivateKey == nil {
-		return errors.InvalidArgumentError("signing Entity must have a private key")
-	}
-	if signer.PrivateKey.Encrypted {
-		return errors.InvalidArgumentError("signing Entity's private key must be decrypted")
-	}
-	ident, ok := e.Identities[identity]
-	if !ok {
-		return errors.InvalidArgumentError("given identity string not found in Entity")
-	}
-
-	sig := &packet.Signature{
-		SigType:      packet.SigTypeGenericCert,
-		PubKeyAlgo:   signer.PrivateKey.PubKeyAlgo,
-		Hash:         config.Hash(),
-		CreationTime: config.Now(),
-		IssuerKeyId:  &signer.PrivateKey.KeyId,
-	}
-	if err := sig.SignUserId(identity, e.PrimaryKey, signer.PrivateKey, config); err != nil {
-		return err
-	}
-	ident.Signatures = append(ident.Signatures, sig)
-	return nil
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/keys_test.go b/vendor/golang.org/x/crypto/openpgp/keys_test.go
deleted file mode 100644
index 76ba13ed..00000000
--- a/vendor/golang.org/x/crypto/openpgp/keys_test.go
+++ /dev/null
@@ -1,419 +0,0 @@
-package openpgp
-
-import (
-	"bytes"
-	"crypto"
-	"strings"
-	"testing"
-	"time"
-
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/packet"
-)
-
-func TestKeyExpiry(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(expiringKeyHex))
-	if err != nil {
-		t.Fatal(err)
-	}
-	entity := kring[0]
-
-	const timeFormat = "2006-01-02"
-	time1, _ := time.Parse(timeFormat, "2013-07-01")
-
-	// The expiringKeyHex key is structured as:
-	//
-	// pub  1024R/5E237D8C  created: 2013-07-01                      expires: 2013-07-31  usage: SC
-	// sub  1024R/1ABB25A0  created: 2013-07-01 23:11:07 +0200 CEST  expires: 2013-07-08  usage: E
-	// sub  1024R/96A672F5  created: 2013-07-01 23:11:23 +0200 CEST  expires: 2013-07-31  usage: E
-	//
-	// So this should select the newest, non-expired encryption key.
-	key, _ := entity.encryptionKey(time1)
-	if id := key.PublicKey.KeyIdShortString(); id != "96A672F5" {
-		t.Errorf("Expected key 1ABB25A0 at time %s, but got key %s", time1.Format(timeFormat), id)
-	}
-
-	// Once the first encryption subkey has expired, the second should be
-	// selected.
-	time2, _ := time.Parse(timeFormat, "2013-07-09")
-	key, _ = entity.encryptionKey(time2)
-	if id := key.PublicKey.KeyIdShortString(); id != "96A672F5" {
-		t.Errorf("Expected key 96A672F5 at time %s, but got key %s", time2.Format(timeFormat), id)
-	}
-
-	// Once all the keys have expired, nothing should be returned.
-	time3, _ := time.Parse(timeFormat, "2013-08-01")
-	if key, ok := entity.encryptionKey(time3); ok {
-		t.Errorf("Expected no key at time %s, but got key %s", time3.Format(timeFormat), key.PublicKey.KeyIdShortString())
-	}
-}
-
-func TestMissingCrossSignature(t *testing.T) {
-	// This public key has a signing subkey, but the subkey does not
-	// contain a cross-signature.
-	keys, err := ReadArmoredKeyRing(bytes.NewBufferString(missingCrossSignatureKey))
-	if len(keys) != 0 {
-		t.Errorf("Accepted key with missing cross signature")
-	}
-	if err == nil {
-		t.Fatal("Failed to detect error in keyring with missing cross signature")
-	}
-	structural, ok := err.(errors.StructuralError)
-	if !ok {
-		t.Fatalf("Unexpected class of error: %T. Wanted StructuralError", err)
-	}
-	const expectedMsg = "signing subkey is missing cross-signature"
-	if !strings.Contains(string(structural), expectedMsg) {
-		t.Fatalf("Unexpected error: %q. Expected it to contain %q", err, expectedMsg)
-	}
-}
-
-func TestInvalidCrossSignature(t *testing.T) {
-	// This public key has a signing subkey, and the subkey has an
-	// embedded cross-signature. However, the cross-signature does
-	// not correctly validate over the primary and subkey.
-	keys, err := ReadArmoredKeyRing(bytes.NewBufferString(invalidCrossSignatureKey))
-	if len(keys) != 0 {
-		t.Errorf("Accepted key with invalid cross signature")
-	}
-	if err == nil {
-		t.Fatal("Failed to detect error in keyring with an invalid cross signature")
-	}
-	structural, ok := err.(errors.StructuralError)
-	if !ok {
-		t.Fatalf("Unexpected class of error: %T. Wanted StructuralError", err)
-	}
-	const expectedMsg = "subkey signature invalid"
-	if !strings.Contains(string(structural), expectedMsg) {
-		t.Fatalf("Unexpected error: %q. Expected it to contain %q", err, expectedMsg)
-	}
-}
-
-func TestGoodCrossSignature(t *testing.T) {
-	// This public key has a signing subkey, and the subkey has an
-	// embedded cross-signature which correctly validates over the
-	// primary and subkey.
-	keys, err := ReadArmoredKeyRing(bytes.NewBufferString(goodCrossSignatureKey))
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(keys) != 1 {
-		t.Errorf("Failed to accept key with good cross signature, %d", len(keys))
-	}
-	if len(keys[0].Subkeys) != 1 {
-		t.Errorf("Failed to accept good subkey, %d", len(keys[0].Subkeys))
-	}
-}
-
-// TestExternallyRevokableKey attempts to load and parse a key with a third party revocation permission.
-func TestExternallyRevocableKey(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(subkeyUsageHex))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// The 0xA42704B92866382A key can be revoked by 0xBE3893CB843D0FE70C
-	// according to this signature that appears within the key:
-	// :signature packet: algo 1, keyid A42704B92866382A
-	//    version 4, created 1396409682, md5len 0, sigclass 0x1f
-	//    digest algo 2, begin of digest a9 84
-	//    hashed subpkt 2 len 4 (sig created 2014-04-02)
-	//    hashed subpkt 12 len 22 (revocation key: c=80 a=1 f=CE094AA433F7040BB2DDF0BE3893CB843D0FE70C)
-	//    hashed subpkt 7 len 1 (not revocable)
-	//    subpkt 16 len 8 (issuer key ID A42704B92866382A)
-	//    data: [1024 bits]
-
-	id := uint64(0xA42704B92866382A)
-	keys := kring.KeysById(id)
-	if len(keys) != 1 {
-		t.Errorf("Expected to find key id %X, but got %d matches", id, len(keys))
-	}
-}
-
-func TestKeyRevocation(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(revokedKeyHex))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// revokedKeyHex contains these keys:
-	// pub   1024R/9A34F7C0 2014-03-25 [revoked: 2014-03-25]
-	// sub   1024R/1BA3CD60 2014-03-25 [revoked: 2014-03-25]
-	ids := []uint64{0xA401D9F09A34F7C0, 0x5CD3BE0A1BA3CD60}
-
-	for _, id := range ids {
-		keys := kring.KeysById(id)
-		if len(keys) != 1 {
-			t.Errorf("Expected KeysById to find revoked key %X, but got %d matches", id, len(keys))
-		}
-		keys = kring.KeysByIdUsage(id, 0)
-		if len(keys) != 0 {
-			t.Errorf("Expected KeysByIdUsage to filter out revoked key %X, but got %d matches", id, len(keys))
-		}
-	}
-}
-
-func TestSubkeyRevocation(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(revokedSubkeyHex))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// revokedSubkeyHex contains these keys:
-	// pub   1024R/4EF7E4BECCDE97F0 2014-03-25
-	// sub   1024R/D63636E2B96AE423 2014-03-25
-	// sub   1024D/DBCE4EE19529437F 2014-03-25
-	// sub   1024R/677815E371C2FD23 2014-03-25 [revoked: 2014-03-25]
-	validKeys := []uint64{0x4EF7E4BECCDE97F0, 0xD63636E2B96AE423, 0xDBCE4EE19529437F}
-	revokedKey := uint64(0x677815E371C2FD23)
-
-	for _, id := range validKeys {
-		keys := kring.KeysById(id)
-		if len(keys) != 1 {
-			t.Errorf("Expected KeysById to find key %X, but got %d matches", id, len(keys))
-		}
-		keys = kring.KeysByIdUsage(id, 0)
-		if len(keys) != 1 {
-			t.Errorf("Expected KeysByIdUsage to find key %X, but got %d matches", id, len(keys))
-		}
-	}
-
-	keys := kring.KeysById(revokedKey)
-	if len(keys) != 1 {
-		t.Errorf("Expected KeysById to find key %X, but got %d matches", revokedKey, len(keys))
-	}
-
-	keys = kring.KeysByIdUsage(revokedKey, 0)
-	if len(keys) != 0 {
-		t.Errorf("Expected KeysByIdUsage to filter out revoked key %X, but got %d matches", revokedKey, len(keys))
-	}
-}
-
-func TestKeyUsage(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(subkeyUsageHex))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// subkeyUsageHex contains these keys:
-	// pub  1024R/2866382A  created: 2014-04-01  expires: never       usage: SC
-	// sub  1024R/936C9153  created: 2014-04-01  expires: never       usage: E
-	// sub  1024R/64D5F5BB  created: 2014-04-02  expires: never       usage: E
-	// sub  1024D/BC0BA992  created: 2014-04-02  expires: never       usage: S
-	certifiers := []uint64{0xA42704B92866382A}
-	signers := []uint64{0xA42704B92866382A, 0x42CE2C64BC0BA992}
-	encrypters := []uint64{0x09C0C7D9936C9153, 0xC104E98664D5F5BB}
-
-	for _, id := range certifiers {
-		keys := kring.KeysByIdUsage(id, packet.KeyFlagCertify)
-		if len(keys) == 1 {
-			if keys[0].PublicKey.KeyId != id {
-				t.Errorf("Expected to find certifier key id %X, but got %X", id, keys[0].PublicKey.KeyId)
-			}
-		} else {
-			t.Errorf("Expected one match for certifier key id %X, but got %d matches", id, len(keys))
-		}
-	}
-
-	for _, id := range signers {
-		keys := kring.KeysByIdUsage(id, packet.KeyFlagSign)
-		if len(keys) == 1 {
-			if keys[0].PublicKey.KeyId != id {
-				t.Errorf("Expected to find signing key id %X, but got %X", id, keys[0].PublicKey.KeyId)
-			}
-		} else {
-			t.Errorf("Expected one match for signing key id %X, but got %d matches", id, len(keys))
-		}
-
-		// This keyring contains no encryption keys that are also good for signing.
-		keys = kring.KeysByIdUsage(id, packet.KeyFlagEncryptStorage|packet.KeyFlagEncryptCommunications)
-		if len(keys) != 0 {
-			t.Errorf("Unexpected match for encryption key id %X", id)
-		}
-	}
-
-	for _, id := range encrypters {
-		keys := kring.KeysByIdUsage(id, packet.KeyFlagEncryptStorage|packet.KeyFlagEncryptCommunications)
-		if len(keys) == 1 {
-			if keys[0].PublicKey.KeyId != id {
-				t.Errorf("Expected to find encryption key id %X, but got %X", id, keys[0].PublicKey.KeyId)
-			}
-		} else {
-			t.Errorf("Expected one match for encryption key id %X, but got %d matches", id, len(keys))
-		}
-
-		// This keyring contains no encryption keys that are also good for signing.
-		keys = kring.KeysByIdUsage(id, packet.KeyFlagSign)
-		if len(keys) != 0 {
-			t.Errorf("Unexpected match for signing key id %X", id)
-		}
-	}
-}
-
-func TestIdVerification(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(testKeys1And2PrivateHex))
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := kring[1].PrivateKey.Decrypt([]byte("passphrase")); err != nil {
-		t.Fatal(err)
-	}
-
-	const identity = "Test Key 1 (RSA)"
-	if err := kring[0].SignIdentity(identity, kring[1], nil); err != nil {
-		t.Fatal(err)
-	}
-
-	ident, ok := kring[0].Identities[identity]
-	if !ok {
-		t.Fatal("identity missing from key after signing")
-	}
-
-	checked := false
-	for _, sig := range ident.Signatures {
-		if sig.IssuerKeyId == nil || *sig.IssuerKeyId != kring[1].PrimaryKey.KeyId {
-			continue
-		}
-
-		if err := kring[1].PrimaryKey.VerifyUserIdSignature(identity, kring[0].PrimaryKey, sig); err != nil {
-			t.Fatalf("error verifying new identity signature: %s", err)
-		}
-		checked = true
-		break
-	}
-
-	if !checked {
-		t.Fatal("didn't find identity signature in Entity")
-	}
-}
-
-func TestNewEntityWithPreferredHash(t *testing.T) {
-	c := &packet.Config{
-		DefaultHash: crypto.SHA256,
-	}
-	entity, err := NewEntity("Golang Gopher", "Test Key", "no-reply@golang.com", c)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for _, identity := range entity.Identities {
-		if len(identity.SelfSignature.PreferredHash) == 0 {
-			t.Fatal("didn't find a preferred hash in self signature")
-		}
-		ph := hashToHashId(c.DefaultHash)
-		if identity.SelfSignature.PreferredHash[0] != ph {
-			t.Fatalf("Expected preferred hash to be %d, got %d", ph, identity.SelfSignature.PreferredHash[0])
-		}
-	}
-}
-
-func TestNewEntityWithoutPreferredHash(t *testing.T) {
-	entity, err := NewEntity("Golang Gopher", "Test Key", "no-reply@golang.com", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for _, identity := range entity.Identities {
-		if len(identity.SelfSignature.PreferredHash) != 0 {
-			t.Fatalf("Expected preferred hash to be empty but got length %d", len(identity.SelfSignature.PreferredHash))
-		}
-	}
-}
-
-const expiringKeyHex = "988d0451d1ec5d010400ba3385721f2dc3f4ab096b2ee867ab77213f0a27a8538441c35d2fa225b08798a1439a66a5150e6bdc3f40f5d28d588c712394c632b6299f77db8c0d48d37903fb72ebd794d61be6aa774688839e5fdecfe06b2684cc115d240c98c66cb1ef22ae84e3aa0c2b0c28665c1e7d4d044e7f270706193f5223c8d44e0d70b7b8da830011010001b40f4578706972792074657374206b657988be041301020028050251d1ec5d021b03050900278d00060b090807030206150802090a0b0416020301021e01021780000a091072589ad75e237d8c033503fd10506d72837834eb7f994117740723adc39227104b0d326a1161871c0b415d25b4aedef946ca77ea4c05af9c22b32cf98be86ab890111fced1ee3f75e87b7cc3c00dc63bbc85dfab91c0dc2ad9de2c4d13a34659333a85c6acc1a669c5e1d6cecb0cf1e56c10e72d855ae177ddc9e766f9b2dda57ccbb75f57156438bbdb4e42b88d0451d1ec5d0104009c64906559866c5cb61578f5846a94fcee142a489c9b41e67b12bb54cfe86eb9bc8566460f9a720cb00d6526fbccfd4f552071a8e3f7744b1882d01036d811ee5a3fb91a1c568055758f43ba5d2c6a9676b012f3a1a89e47bbf624f1ad571b208f3cc6224eb378f1645dd3d47584463f9eadeacfd1ce6f813064fbfdcc4b5a53001101000188a504180102000f021b0c050251d1f06b050900093e89000a091072589ad75e237d8c20e00400ab8310a41461425b37889c4da28129b5fae6084fafbc0a47dd1adc74a264c6e9c9cc125f40462ee1433072a58384daef88c961c390ed06426a81b464a53194c4e291ddd7e2e2ba3efced01537d713bd111f48437bde2363446200995e8e0d4e528dda377fd1e8f8ede9c8e2198b393bd86852ce7457a7e3daf74d510461a5b77b88d0451d1ece8010400b3a519f83ab0010307e83bca895170acce8964a044190a2b368892f7a244758d9fc193482648acb1fb9780d28cc22d171931f38bb40279389fc9bf2110876d4f3db4fcfb13f22f7083877fe56592b3b65251312c36f83ffcb6d313c6a17f197dd471f0712aad15a8537b435a92471ba2e5b0c72a6c72536c3b567c558d7b6051001101000188a504180102000f021b0c050251d1f07b050900279091000a091072589ad75e237d8ce69e03fe286026afacf7c97ee20673864d4459a2240b5655219950643c7dba0ac384b1d4359c67805b21d98211f7b09c2a0ccf6410c8c04d4ff4a51293725d8d6570d9d8bb0e10c07d22357caeb49626df99c180be02d77d1fe8ed25e7a54481237646083a9f89a11566cd20b9e995b1487c5f9e02aeb434f3a1897cd416dd0a87861838da3e9e"
-const subkeyUsageHex = "988d04533a52bc010400d26af43085558f65b9e7dbc90cb9238015259aed5e954637adcfa2181548b2d0b60c65f1f42ec5081cbf1bc0a8aa4900acfb77070837c58f26012fbce297d70afe96e759ad63531f0037538e70dbf8e384569b9720d99d8eb39d8d0a2947233ed242436cb6ac7dfe74123354b3d0119b5c235d3dd9c9d6c004f8ffaf67ad8583001101000188b7041f010200210502533b8552170c8001ce094aa433f7040bb2ddf0be3893cb843d0fe70c020700000a0910a42704b92866382aa98404009d63d916a27543da4221c60087c33f1c44bec9998c5438018ed370cca4962876c748e94b73eb39c58eb698063f3fd6346d58dd2a11c0247934c4a9d71f24754f7468f96fb24c3e791dd2392b62f626148ad724189498cbf993db2df7c0cdc2d677c35da0f16cb16c9ce7c33b4de65a4a91b1d21a130ae9cc26067718910ef8e2b417556d627261203c756d627261407379642e65642e61753e88b80413010200220502533a52bc021b03060b090807030206150802090a0b0416020301021e01021780000a0910a42704b92866382a47840400c0c2bd04f5fca586de408b395b3c280a278259c93eaaa8b79a53b97003f8ed502a8a00446dd9947fb462677e4fcac0dac2f0701847d15130aadb6cd9e0705ea0cf5f92f129136c7be21a718d46c8e641eb7f044f2adae573e11ae423a0a9ca51324f03a8a2f34b91fa40c3cc764bee4dccadedb54c768ba0469b683ea53f1c29b88d04533a52bc01040099c92a5d6f8b744224da27bc2369127c35269b58bec179de6bbc038f749344222f85a31933224f26b70243c4e4b2d242f0c4777eaef7b5502f9dad6d8bf3aaeb471210674b74de2d7078af497d55f5cdad97c7bedfbc1b41e8065a97c9c3d344b21fc81d27723af8e374bc595da26ea242dccb6ae497be26eea57e563ed517e90011010001889f0418010200090502533a52bc021b0c000a0910a42704b92866382afa1403ff70284c2de8a043ff51d8d29772602fa98009b7861c540535f874f2c230af8caf5638151a636b21f8255003997ccd29747fdd06777bb24f9593bd7d98a3e887689bf902f999915fcc94625ae487e5d13e6616f89090ebc4fdc7eb5cad8943e4056995bb61c6af37f8043016876a958ec7ebf39c43d20d53b7f546cfa83e8d2604b88d04533b8283010400c0b529316dbdf58b4c54461e7e669dc11c09eb7f73819f178ccd4177b9182b91d138605fcf1e463262fabefa73f94a52b5e15d1904635541c7ea540f07050ce0fb51b73e6f88644cec86e91107c957a114f69554548a85295d2b70bd0b203992f76eb5d493d86d9eabcaa7ef3fc7db7e458438db3fcdb0ca1cc97c638439a9170011010001889f0418010200090502533b8283021b0c000a0910a42704b92866382adc6d0400cfff6258485a21675adb7a811c3e19ebca18851533f75a7ba317950b9997fda8d1a4c8c76505c08c04b6c2cc31dc704d33da36a21273f2b388a1a706f7c3378b66d887197a525936ed9a69acb57fe7f718133da85ec742001c5d1864e9c6c8ea1b94f1c3759cebfd93b18606066c063a63be86085b7e37bdbc65f9a915bf084bb901a204533b85cd110400aed3d2c52af2b38b5b67904b0ef73d6dd7aef86adb770e2b153cd22489654dcc91730892087bb9856ae2d9f7ed1eb48f214243fe86bfe87b349ebd7c30e630e49c07b21fdabf78b7a95c8b7f969e97e3d33f2e074c63552ba64a2ded7badc05ce0ea2be6d53485f6900c7860c7aa76560376ce963d7271b9b54638a4028b573f00a0d8854bfcdb04986141568046202192263b9b67350400aaa1049dbc7943141ef590a70dcb028d730371d92ea4863de715f7f0f16d168bd3dc266c2450457d46dcbbf0b071547e5fbee7700a820c3750b236335d8d5848adb3c0da010e998908dfd93d961480084f3aea20b247034f8988eccb5546efaa35a92d0451df3aaf1aee5aa36a4c4d462c760ecd9cebcabfbe1412b1f21450f203fd126687cd486496e971a87fd9e1a8a765fe654baa219a6871ab97768596ab05c26c1aeea8f1a2c72395a58dbc12ef9640d2b95784e974a4d2d5a9b17c25fedacfe551bda52602de8f6d2e48443f5dd1a2a2a8e6a5e70ecdb88cd6e766ad9745c7ee91d78cc55c3d06536b49c3fee6c3d0b6ff0fb2bf13a314f57c953b8f4d93bf88e70418010200090502533b85cd021b0200520910a42704b92866382a47200419110200060502533b85cd000a091042ce2c64bc0ba99214b2009e26b26852c8b13b10c35768e40e78fbbb48bd084100a0c79d9ea0844fa5853dd3c85ff3ecae6f2c9dd6c557aa04008bbbc964cd65b9b8299d4ebf31f41cc7264b8cf33a00e82c5af022331fac79efc9563a822497ba012953cefe2629f1242fcdcb911dbb2315985bab060bfd58261ace3c654bdbbe2e8ed27a46e836490145c86dc7bae15c011f7e1ffc33730109b9338cd9f483e7cef3d2f396aab5bd80efb6646d7e778270ee99d934d187dd98"
-const revokedKeyHex = "988d045331ce82010400c4fdf7b40a5477f206e6ee278eaef888ca73bf9128a9eef9f2f1ddb8b7b71a4c07cfa241f028a04edb405e4d916c61d6beabc333813dc7b484d2b3c52ee233c6a79b1eea4e9cc51596ba9cd5ac5aeb9df62d86ea051055b79d03f8a4fa9f38386f5bd17529138f3325d46801514ea9047977e0829ed728e68636802796801be10011010001889f04200102000905025331d0e3021d03000a0910a401d9f09a34f7c042aa040086631196405b7e6af71026b88e98012eab44aa9849f6ef3fa930c7c9f23deaedba9db1538830f8652fb7648ec3fcade8dbcbf9eaf428e83c6cbcc272201bfe2fbb90d41963397a7c0637a1a9d9448ce695d9790db2dc95433ad7be19eb3de72dacf1d6db82c3644c13eae2a3d072b99bb341debba012c5ce4006a7d34a1f4b94b444526567205265766f6b657220283c52656727732022424d204261726973746122204b657920262530305c303e5c29203c72656740626d626172697374612e636f2e61753e88b704130102002205025331ce82021b03060b090807030206150802090a0b0416020301021e01021780000a0910a401d9f09a34f7c0019c03f75edfbeb6a73e7225ad3cc52724e2872e04260d7daf0d693c170d8c4b243b8767bc7785763533febc62ec2600c30603c433c095453ede59ff2fcabeb84ce32e0ed9d5cf15ffcbc816202b64370d4d77c1e9077d74e94a16fb4fa2e5bec23a56d7a73cf275f91691ae1801a976fcde09e981a2f6327ac27ea1fecf3185df0d56889c04100102000605025331cfb5000a0910fe9645554e8266b64b4303fc084075396674fb6f778d302ac07cef6bc0b5d07b66b2004c44aef711cbac79617ef06d836b4957522d8772dd94bf41a2f4ac8b1ee6d70c57503f837445a74765a076d07b829b8111fc2a918423ddb817ead7ca2a613ef0bfb9c6b3562aec6c3cf3c75ef3031d81d95f6563e4cdcc9960bcb386c5d757b104fcca5fe11fc709df884604101102000605025331cfe7000a09107b15a67f0b3ddc0317f6009e360beea58f29c1d963a22b962b80788c3fa6c84e009d148cfde6b351469b8eae91187eff07ad9d08fcaab88d045331ce820104009f25e20a42b904f3fa555530fe5c46737cf7bd076c35a2a0d22b11f7e0b61a69320b768f4a80fe13980ce380d1cfc4a0cd8fbe2d2e2ef85416668b77208baa65bf973fe8e500e78cc310d7c8705cdb34328bf80e24f0385fce5845c33bc7943cf6b11b02348a23da0bf6428e57c05135f2dc6bd7c1ce325d666d5a5fd2fd5e410011010001889f04180102000905025331ce82021b0c000a0910a401d9f09a34f7c0418003fe34feafcbeaef348a800a0d908a7a6809cc7304017d820f70f0474d5e23cb17e38b67dc6dca282c6ca00961f4ec9edf2738d0f087b1d81e4871ef08e1798010863afb4eac4c44a376cb343be929c5be66a78cfd4456ae9ec6a99d97f4e1c3ff3583351db2147a65c0acef5c003fb544ab3a2e2dc4d43646f58b811a6c3a369d1f"
-const revokedSubkeyHex = "988d04533121f6010400aefc803a3e4bb1a61c86e8a86d2726c6a43e0079e9f2713f1fa017e9854c83877f4aced8e331d675c67ea83ddab80aacbfa0b9040bb12d96f5a3d6be09455e2a76546cbd21677537db941cab710216b6d24ec277ee0bd65b910f416737ed120f6b93a9d3b306245c8cfd8394606fdb462e5cf43c551438d2864506c63367fc890011010001b41d416c696365203c616c69636540626d626172697374612e636f2e61753e88bb041301020025021b03060b090807030206150802090a0b0416020301021e01021780050253312798021901000a09104ef7e4beccde97f015a803ff5448437780f63263b0df8442a995e7f76c221351a51edd06f2063d8166cf3157aada4923dfc44aa0f2a6a4da5cf83b7fe722ba8ab416c976e77c6b5682e7f1069026673bd0de56ba06fd5d7a9f177607f277d9b55ff940a638c3e68525c67517e2b3d976899b93ca267f705b3e5efad7d61220e96b618a4497eab8d04403d23f8846041011020006050253312910000a09107b15a67f0b3ddc03d96e009f50b6365d86c4be5d5e9d0ea42d5e56f5794c617700a0ab274e19c2827780016d23417ce89e0a2c0d987d889c04100102000605025331cf7a000a0910a401d9f09a34f7c0ee970400aca292f213041c9f3b3fc49148cbda9d84afee6183c8dd6c5ff2600b29482db5fecd4303797be1ee6d544a20a858080fec43412061c9a71fae4039fd58013b4ae341273e6c66ad4c7cdd9e68245bedb260562e7b166f2461a1032f2b38c0e0e5715fb3d1656979e052b55ca827a76f872b78a9fdae64bc298170bfcebedc1271b41a416c696365203c616c696365407379646973702e6f722e61753e88b804130102002205025331278b021b03060b090807030206150802090a0b0416020301021e01021780000a09104ef7e4beccde97f06a7003fa03c3af68d272ebc1fa08aa72a03b02189c26496a2833d90450801c4e42c5b5f51ad96ce2d2c9cef4b7c02a6a2fcf1412d6a2d486098eb762f5010a201819c17fd2888aec8eda20c65a3b75744de7ee5cc8ac7bfc470cbe3cb982720405a27a3c6a8c229cfe36905f881b02ed5680f6a8f05866efb9d6c5844897e631deb949ca8846041011020006050253312910000a09107b15a67f0b3ddc0347bc009f7fa35db59147469eb6f2c5aaf6428accb138b22800a0caa2f5f0874bacc5909c652a57a31beda65eddd5889c04100102000605025331cf7a000a0910a401d9f09a34f7c0316403ff46f2a5c101256627f16384d34a38fb47a6c88ba60506843e532d91614339fccae5f884a5741e7582ffaf292ba38ee10a270a05f139bde3814b6a077e8cd2db0f105ebea2a83af70d385f13b507fac2ad93ff79d84950328bb86f3074745a8b7f9b64990fb142e2a12976e27e8d09a28dc5621f957ac49091116da410ac3cbde1b88d04533121f6010400cbd785b56905e4192e2fb62a720727d43c4fa487821203cf72138b884b78b701093243e1d8c92a0248a6c0203a5a88693da34af357499abacaf4b3309c640797d03093870a323b4b6f37865f6eaa2838148a67df4735d43a90ca87942554cdf1c4a751b1e75f9fd4ce4e97e278d6c1c7ed59d33441df7d084f3f02beb68896c70011010001889f0418010200090502533121f6021b0c000a09104ef7e4beccde97f0b98b03fc0a5ccf6a372995835a2f5da33b282a7d612c0ab2a97f59cf9fff73e9110981aac2858c41399afa29624a7fd8a0add11654e3d882c0fd199e161bdad65e5e2548f7b68a437ea64293db1246e3011cbb94dc1bcdeaf0f2539bd88ff16d95547144d97cead6a8c5927660a91e6db0d16eb36b7b49a3525b54d1644e65599b032b7eb901a204533127a0110400bd3edaa09eff9809c4edc2c2a0ebe52e53c50a19c1e49ab78e6167bf61473bb08f2050d78a5cbbc6ed66aff7b42cd503f16b4a0b99fa1609681fca9b7ce2bbb1a5b3864d6cdda4d7ef7849d156d534dea30fb0efb9e4cf8959a2b2ce623905882d5430b995a15c3b9fe92906086788b891002924f94abe139b42cbbfaaabe42f00a0b65dc1a1ad27d798adbcb5b5ad02d2688c89477b03ff4eebb6f7b15a73b96a96bed201c0e5e4ea27e4c6e2dd1005b94d4b90137a5b1cf5e01c6226c070c4cc999938101578877ee76d296b9aab8246d57049caacf489e80a3f40589cade790a020b1ac146d6f7a6241184b8c7fcde680eae3188f5dcbe846d7f7bdad34f6fcfca08413e19c1d5df83fc7c7c627d493492e009c2f52a80400a2fe82de87136fd2e8845888c4431b032ba29d9a29a804277e31002a8201fb8591a3e55c7a0d0881496caf8b9fb07544a5a4879291d0dc026a0ea9e5bd88eb4aa4947bbd694b25012e208a250d65ddc6f1eea59d3aed3b4ec15fcab85e2afaa23a40ab1ef9ce3e11e1bc1c34a0e758e7aa64deb8739276df0af7d4121f834a9b88e70418010200090502533127a0021b02005209104ef7e4beccde97f047200419110200060502533127a0000a0910dbce4ee19529437fe045009c0b32f5ead48ee8a7e98fac0dea3d3e6c0e2c552500a0ad71fadc5007cfaf842d9b7db3335a8cdad15d3d1a6404009b08e2c68fe8f3b45c1bb72a4b3278cdf3012aa0f229883ad74aa1f6000bb90b18301b2f85372ca5d6b9bf478d235b733b1b197d19ccca48e9daf8e890cb64546b4ce1b178faccfff07003c172a2d4f5ebaba9f57153955f3f61a9b80a4f5cb959908f8b211b03b7026a8a82fc612bfedd3794969bcf458c4ce92be215a1176ab88d045331d144010400a5063000c5aaf34953c1aa3bfc95045b3aab9882b9a8027fecfe2142dc6b47ba8aca667399990244d513dd0504716908c17d92c65e74219e004f7b83fc125e575dd58efec3ab6dd22e3580106998523dea42ec75bf9aa111734c82df54630bebdff20fe981cfc36c76f865eb1c2fb62c9e85bc3a6e5015a361a2eb1c8431578d0011010001889f04280102000905025331d433021d03000a09104ef7e4beccde97f02e5503ff5e0630d1b65291f4882b6d40a29da4616bb5088717d469fbcc3648b8276de04a04988b1f1b9f3e18f52265c1f8b6c85861691c1a6b8a3a25a1809a0b32ad330aec5667cb4262f4450649184e8113849b05e5ad06a316ea80c001e8e71838190339a6e48bbde30647bcf245134b9a97fa875c1d83a9862cae87ffd7e2c4ce3a1b89013d04180102000905025331d144021b0200a809104ef7e4beccde97f09d2004190102000605025331d144000a0910677815e371c2fd23522203fe22ab62b8e7a151383cea3edd3a12995693911426f8ccf125e1f6426388c0010f88d9ca7da2224aee8d1c12135998640c5e1813d55a93df472faae75bef858457248db41b4505827590aeccf6f9eb646da7f980655dd3050c6897feddddaca90676dee856d66db8923477d251712bb9b3186b4d0114daf7d6b59272b53218dd1da94a03ff64006fcbe71211e5daecd9961fba66cdb6de3f914882c58ba5beddeba7dcb950c1156d7fba18c19ea880dccc800eae335deec34e3b84ac75ffa24864f782f87815cda1c0f634b3dd2fa67cea30811d21723d21d9551fa12ccbcfa62b6d3a15d01307b99925707992556d50065505b090aadb8579083a20fe65bd2a270da9b011"
-const missingCrossSignatureKey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
-Charset: UTF-8
-
-mQENBFMYynYBCACVOZ3/e8Bm2b9KH9QyIlHGo/i1bnkpqsgXj8tpJ2MIUOnXMMAY
-ztW7kKFLCmgVdLIC0vSoLA4yhaLcMojznh/2CcUglZeb6Ao8Gtelr//Rd5DRfPpG
-zqcfUo+m+eO1co2Orabw0tZDfGpg5p3AYl0hmxhUyYSc/xUq93xL1UJzBFgYXY54
-QsM8dgeQgFseSk/YvdP5SMx1ev+eraUyiiUtWzWrWC1TdyRa5p4UZg6Rkoppf+WJ
-QrW6BWrhAtqATHc8ozV7uJjeONjUEq24roRc/OFZdmQQGK6yrzKnnbA6MdHhqpdo
-9kWDcXYb7pSE63Lc+OBa5X2GUVvXJLS/3nrtABEBAAG0F2ludmFsaWQtc2lnbmlu
-Zy1zdWJrZXlziQEoBBMBAgASBQJTnKB5AhsBAgsHAhUIAh4BAAoJEO3UDQUIHpI/
-dN4H/idX4FQ1LIZCnpHS/oxoWQWfpRgdKAEM0qCqjMgiipJeEwSQbqjTCynuh5/R
-JlODDz85ABR06aoF4l5ebGLQWFCYifPnJZ/Yf5OYcMGtb7dIbqxWVFL9iLMO/oDL
-ioI3dotjPui5e+2hI9pVH1UHB/bZ/GvMGo6Zg0XxLPolKQODMVjpjLAQ0YJ3spew
-RAmOGre6tIvbDsMBnm8qREt7a07cBJ6XK7xjxYaZHQBiHVxyEWDa6gyANONx8duW
-/fhQ/zDTnyVM/ik6VO0Ty9BhPpcEYLFwh5c1ilFari1ta3e6qKo6ZGa9YMk/REhu
-yBHd9nTkI+0CiQUmbckUiVjDKKe5AQ0EUxjKdgEIAJcXQeP+NmuciE99YcJoffxv
-2gVLU4ZXBNHEaP0mgaJ1+tmMD089vUQAcyGRvw8jfsNsVZQIOAuRxY94aHQhIRHR
-bUzBN28ofo/AJJtfx62C15xt6fDKRV6HXYqAiygrHIpEoRLyiN69iScUsjIJeyFL
-C8wa72e8pSL6dkHoaV1N9ZH/xmrJ+k0vsgkQaAh9CzYufncDxcwkoP+aOlGtX1gP
-WwWoIbz0JwLEMPHBWvDDXQcQPQTYQyj+LGC9U6f9VZHN25E94subM1MjuT9OhN9Y
-MLfWaaIc5WyhLFyQKW2Upofn9wSFi8ubyBnv640Dfd0rVmaWv7LNTZpoZ/GbJAMA
-EQEAAYkBHwQYAQIACQUCU5ygeQIbAgAKCRDt1A0FCB6SP0zCB/sEzaVR38vpx+OQ
-MMynCBJrakiqDmUZv9xtplY7zsHSQjpd6xGflbU2n+iX99Q+nav0ETQZifNUEd4N
-1ljDGQejcTyKD6Pkg6wBL3x9/RJye7Zszazm4+toJXZ8xJ3800+BtaPoI39akYJm
-+ijzbskvN0v/j5GOFJwQO0pPRAFtdHqRs9Kf4YanxhedB4dIUblzlIJuKsxFit6N
-lgGRblagG3Vv2eBszbxzPbJjHCgVLR3RmrVezKOsZjr/2i7X+xLWIR0uD3IN1qOW
-CXQxLBizEEmSNVNxsp7KPGTLnqO3bPtqFirxS9PJLIMPTPLNBY7ZYuPNTMqVIUWF
-4artDmrG
-=7FfJ
------END PGP PUBLIC KEY BLOCK-----`
-
-const invalidCrossSignatureKey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQENBFMYynYBCACVOZ3/e8Bm2b9KH9QyIlHGo/i1bnkpqsgXj8tpJ2MIUOnXMMAY
-ztW7kKFLCmgVdLIC0vSoLA4yhaLcMojznh/2CcUglZeb6Ao8Gtelr//Rd5DRfPpG
-zqcfUo+m+eO1co2Orabw0tZDfGpg5p3AYl0hmxhUyYSc/xUq93xL1UJzBFgYXY54
-QsM8dgeQgFseSk/YvdP5SMx1ev+eraUyiiUtWzWrWC1TdyRa5p4UZg6Rkoppf+WJ
-QrW6BWrhAtqATHc8ozV7uJjeONjUEq24roRc/OFZdmQQGK6yrzKnnbA6MdHhqpdo
-9kWDcXYb7pSE63Lc+OBa5X2GUVvXJLS/3nrtABEBAAG0F2ludmFsaWQtc2lnbmlu
-Zy1zdWJrZXlziQEoBBMBAgASBQJTnKB5AhsBAgsHAhUIAh4BAAoJEO3UDQUIHpI/
-dN4H/idX4FQ1LIZCnpHS/oxoWQWfpRgdKAEM0qCqjMgiipJeEwSQbqjTCynuh5/R
-JlODDz85ABR06aoF4l5ebGLQWFCYifPnJZ/Yf5OYcMGtb7dIbqxWVFL9iLMO/oDL
-ioI3dotjPui5e+2hI9pVH1UHB/bZ/GvMGo6Zg0XxLPolKQODMVjpjLAQ0YJ3spew
-RAmOGre6tIvbDsMBnm8qREt7a07cBJ6XK7xjxYaZHQBiHVxyEWDa6gyANONx8duW
-/fhQ/zDTnyVM/ik6VO0Ty9BhPpcEYLFwh5c1ilFari1ta3e6qKo6ZGa9YMk/REhu
-yBHd9nTkI+0CiQUmbckUiVjDKKe5AQ0EUxjKdgEIAIINDqlj7X6jYKc6DjwrOkjQ
-UIRWbQQar0LwmNilehmt70g5DCL1SYm9q4LcgJJ2Nhxj0/5qqsYib50OSWMcKeEe
-iRXpXzv1ObpcQtI5ithp0gR53YPXBib80t3bUzomQ5UyZqAAHzMp3BKC54/vUrSK
-FeRaxDzNLrCeyI00+LHNUtwghAqHvdNcsIf8VRumK8oTm3RmDh0TyjASWYbrt9c8
-R1Um3zuoACOVy+mEIgIzsfHq0u7dwYwJB5+KeM7ZLx+HGIYdUYzHuUE1sLwVoELh
-+SHIGHI1HDicOjzqgajShuIjj5hZTyQySVprrsLKiXS6NEwHAP20+XjayJ/R3tEA
-EQEAAYkCPgQYAQIBKAUCU5ygeQIbAsBdIAQZAQIABgUCU5ygeQAKCRCpVlnFZmhO
-52RJB/9uD1MSa0wjY6tHOIgquZcP3bHBvHmrHNMw9HR2wRCMO91ZkhrpdS3ZHtgb
-u3/55etj0FdvDo1tb8P8FGSVtO5Vcwf5APM8sbbqoi8L951Q3i7qt847lfhu6sMl
-w0LWFvPTOLHrliZHItPRjOltS1WAWfr2jUYhsU9ytaDAJmvf9DujxEOsN5G1YJep
-54JCKVCkM/y585Zcnn+yxk/XwqoNQ0/iJUT9qRrZWvoeasxhl1PQcwihCwss44A+
-YXaAt3hbk+6LEQuZoYS73yR3WHj+42tfm7YxRGeubXfgCEz/brETEWXMh4pe0vCL
-bfWrmfSPq2rDegYcAybxRQz0lF8PAAoJEO3UDQUIHpI/exkH/0vQfdHA8g/N4T6E
-i6b1CUVBAkvtdJpCATZjWPhXmShOw62gkDw306vHPilL4SCvEEi4KzG72zkp6VsB
-DSRcpxCwT4mHue+duiy53/aRMtSJ+vDfiV1Vhq+3sWAck/yUtfDU9/u4eFaiNok1
-8/Gd7reyuZt5CiJnpdPpjCwelK21l2w7sHAnJF55ITXdOxI8oG3BRKufz0z5lyDY
-s2tXYmhhQIggdgelN8LbcMhWs/PBbtUr6uZlNJG2lW1yscD4aI529VjwJlCeo745
-U7pO4eF05VViUJ2mmfoivL3tkhoTUWhx8xs8xCUcCg8DoEoSIhxtOmoTPR22Z9BL
-6LCg2mg=
-=Dhm4
------END PGP PUBLIC KEY BLOCK-----`
-
-const goodCrossSignatureKey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1
-
-mI0EVUqeVwEEAMufHRrMPWK3gyvi0O0tABCs/oON9zV9KDZlr1a1M91ShCSFwCPo
-7r80PxdWVWcj0V5h50/CJYtpN3eE/mUIgW2z1uDYQF1OzrQ8ubrksfsJvpAhENom
-lTQEppv9mV8qhcM278teb7TX0pgrUHLYF5CfPdp1L957JLLXoQR/lwLVABEBAAG0
-E2dvb2Qtc2lnbmluZy1zdWJrZXmIuAQTAQIAIgUCVUqeVwIbAwYLCQgHAwIGFQgC
-CQoLBBYCAwECHgECF4AACgkQNRjL95IRWP69XQQAlH6+eyXJN4DZTLX78KGjHrsw
-6FCvxxClEPtPUjcJy/1KCRQmtLAt9PbbA78dvgzjDeZMZqRAwdjyJhjyg/fkU2OH
-7wq4ktjUu+dLcOBb+BFMEY+YjKZhf6EJuVfxoTVr5f82XNPbYHfTho9/OABKH6kv
-X70PaKZhbwnwij8Nts65AaIEVUqftREEAJ3WxZfqAX0bTDbQPf2CMT2IVMGDfhK7
-GyubOZgDFFjwUJQvHNvsrbeGLZ0xOBumLINyPO1amIfTgJNm1iiWFWfmnHReGcDl
-y5mpYG60Mb79Whdcer7CMm3AqYh/dW4g6IB02NwZMKoUHo3PXmFLxMKXnWyJ0clw
-R0LI/Qn509yXAKDh1SO20rqrBM+EAP2c5bfI98kyNwQAi3buu94qo3RR1ZbvfxgW
-CKXDVm6N99jdZGNK7FbRifXqzJJDLcXZKLnstnC4Sd3uyfyf1uFhmDLIQRryn5m+
-LBYHfDBPN3kdm7bsZDDq9GbTHiFZUfm/tChVKXWxkhpAmHhU/tH6GGzNSMXuIWSO
-aOz3Rqq0ED4NXyNKjdF9MiwD/i83S0ZBc0LmJYt4Z10jtH2B6tYdqnAK29uQaadx
-yZCX2scE09UIm32/w7pV77CKr1Cp/4OzAXS1tmFzQ+bX7DR+Gl8t4wxr57VeEMvl
-BGw4Vjh3X8//m3xynxycQU18Q1zJ6PkiMyPw2owZ/nss3hpSRKFJsxMLhW3fKmKr
-Ey2KiOcEGAECAAkFAlVKn7UCGwIAUgkQNRjL95IRWP5HIAQZEQIABgUCVUqftQAK
-CRD98VjDN10SqkWrAKDTpEY8D8HC02E/KVC5YUI01B30wgCgurpILm20kXEDCeHp
-C5pygfXw1DJrhAP+NyPJ4um/bU1I+rXaHHJYroYJs8YSweiNcwiHDQn0Engh/mVZ
-SqLHvbKh2dL/RXymC3+rjPvQf5cup9bPxNMa6WagdYBNAfzWGtkVISeaQW+cTEp/
-MtgVijRGXR/lGLGETPg2X3Afwn9N9bLMBkBprKgbBqU7lpaoPupxT61bL70=
-=vtbN
------END PGP PUBLIC KEY BLOCK-----`
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/compressed.go b/vendor/golang.org/x/crypto/openpgp/packet/compressed.go
deleted file mode 100644
index e8f0b5ca..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/compressed.go
+++ /dev/null
@@ -1,123 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"compress/bzip2"
-	"compress/flate"
-	"compress/zlib"
-	"golang.org/x/crypto/openpgp/errors"
-	"io"
-	"strconv"
-)
-
-// Compressed represents a compressed OpenPGP packet. The decompressed contents
-// will contain more OpenPGP packets. See RFC 4880, section 5.6.
-type Compressed struct {
-	Body io.Reader
-}
-
-const (
-	NoCompression      = flate.NoCompression
-	BestSpeed          = flate.BestSpeed
-	BestCompression    = flate.BestCompression
-	DefaultCompression = flate.DefaultCompression
-)
-
-// CompressionConfig contains compressor configuration settings.
-type CompressionConfig struct {
-	// Level is the compression level to use. It must be set to
-	// between -1 and 9, with -1 causing the compressor to use the
-	// default compression level, 0 causing the compressor to use
-	// no compression and 1 to 9 representing increasing (better,
-	// slower) compression levels. If Level is less than -1 or
-	// more then 9, a non-nil error will be returned during
-	// encryption. See the constants above for convenient common
-	// settings for Level.
-	Level int
-}
-
-func (c *Compressed) parse(r io.Reader) error {
-	var buf [1]byte
-	_, err := readFull(r, buf[:])
-	if err != nil {
-		return err
-	}
-
-	switch buf[0] {
-	case 1:
-		c.Body = flate.NewReader(r)
-	case 2:
-		c.Body, err = zlib.NewReader(r)
-	case 3:
-		c.Body = bzip2.NewReader(r)
-	default:
-		err = errors.UnsupportedError("unknown compression algorithm: " + strconv.Itoa(int(buf[0])))
-	}
-
-	return err
-}
-
-// compressedWriterCloser represents the serialized compression stream
-// header and the compressor. Its Close() method ensures that both the
-// compressor and serialized stream header are closed. Its Write()
-// method writes to the compressor.
-type compressedWriteCloser struct {
-	sh io.Closer      // Stream Header
-	c  io.WriteCloser // Compressor
-}
-
-func (cwc compressedWriteCloser) Write(p []byte) (int, error) {
-	return cwc.c.Write(p)
-}
-
-func (cwc compressedWriteCloser) Close() (err error) {
-	err = cwc.c.Close()
-	if err != nil {
-		return err
-	}
-
-	return cwc.sh.Close()
-}
-
-// SerializeCompressed serializes a compressed data packet to w and
-// returns a WriteCloser to which the literal data packets themselves
-// can be written and which MUST be closed on completion. If cc is
-// nil, sensible defaults will be used to configure the compression
-// algorithm.
-func SerializeCompressed(w io.WriteCloser, algo CompressionAlgo, cc *CompressionConfig) (literaldata io.WriteCloser, err error) {
-	compressed, err := serializeStreamHeader(w, packetTypeCompressed)
-	if err != nil {
-		return
-	}
-
-	_, err = compressed.Write([]byte{uint8(algo)})
-	if err != nil {
-		return
-	}
-
-	level := DefaultCompression
-	if cc != nil {
-		level = cc.Level
-	}
-
-	var compressor io.WriteCloser
-	switch algo {
-	case CompressionZIP:
-		compressor, err = flate.NewWriter(compressed, level)
-	case CompressionZLIB:
-		compressor, err = zlib.NewWriterLevel(compressed, level)
-	default:
-		s := strconv.Itoa(int(algo))
-		err = errors.UnsupportedError("Unsupported compression algorithm: " + s)
-	}
-	if err != nil {
-		return
-	}
-
-	literaldata = compressedWriteCloser{compressed, compressor}
-
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/compressed_test.go b/vendor/golang.org/x/crypto/openpgp/packet/compressed_test.go
deleted file mode 100644
index cb2d70bd..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/compressed_test.go
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"encoding/hex"
-	"io"
-	"io/ioutil"
-	"testing"
-)
-
-func TestCompressed(t *testing.T) {
-	packet, err := Read(readerFromHex(compressedHex))
-	if err != nil {
-		t.Errorf("failed to read Compressed: %s", err)
-		return
-	}
-
-	c, ok := packet.(*Compressed)
-	if !ok {
-		t.Error("didn't find Compressed packet")
-		return
-	}
-
-	contents, err := ioutil.ReadAll(c.Body)
-	if err != nil && err != io.EOF {
-		t.Error(err)
-		return
-	}
-
-	expected, _ := hex.DecodeString(compressedExpectedHex)
-	if !bytes.Equal(expected, contents) {
-		t.Errorf("got:%x want:%x", contents, expected)
-	}
-}
-
-const compressedHex = "a3013b2d90c4e02b72e25f727e5e496a5e49b11e1700"
-const compressedExpectedHex = "cb1062004d14c8fe636f6e74656e74732e0a"
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/config.go b/vendor/golang.org/x/crypto/openpgp/packet/config.go
deleted file mode 100644
index c76eecc9..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/config.go
+++ /dev/null
@@ -1,91 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"crypto"
-	"crypto/rand"
-	"io"
-	"time"
-)
-
-// Config collects a number of parameters along with sensible defaults.
-// A nil *Config is valid and results in all default values.
-type Config struct {
-	// Rand provides the source of entropy.
-	// If nil, the crypto/rand Reader is used.
-	Rand io.Reader
-	// DefaultHash is the default hash function to be used.
-	// If zero, SHA-256 is used.
-	DefaultHash crypto.Hash
-	// DefaultCipher is the cipher to be used.
-	// If zero, AES-128 is used.
-	DefaultCipher CipherFunction
-	// Time returns the current time as the number of seconds since the
-	// epoch. If Time is nil, time.Now is used.
-	Time func() time.Time
-	// DefaultCompressionAlgo is the compression algorithm to be
-	// applied to the plaintext before encryption. If zero, no
-	// compression is done.
-	DefaultCompressionAlgo CompressionAlgo
-	// CompressionConfig configures the compression settings.
-	CompressionConfig *CompressionConfig
-	// S2KCount is only used for symmetric encryption. It
-	// determines the strength of the passphrase stretching when
-	// the said passphrase is hashed to produce a key. S2KCount
-	// should be between 1024 and 65011712, inclusive. If Config
-	// is nil or S2KCount is 0, the value 65536 used. Not all
-	// values in the above range can be represented. S2KCount will
-	// be rounded up to the next representable value if it cannot
-	// be encoded exactly. When set, it is strongly encrouraged to
-	// use a value that is at least 65536. See RFC 4880 Section
-	// 3.7.1.3.
-	S2KCount int
-	// RSABits is the number of bits in new RSA keys made with NewEntity.
-	// If zero, then 2048 bit keys are created.
-	RSABits int
-}
-
-func (c *Config) Random() io.Reader {
-	if c == nil || c.Rand == nil {
-		return rand.Reader
-	}
-	return c.Rand
-}
-
-func (c *Config) Hash() crypto.Hash {
-	if c == nil || uint(c.DefaultHash) == 0 {
-		return crypto.SHA256
-	}
-	return c.DefaultHash
-}
-
-func (c *Config) Cipher() CipherFunction {
-	if c == nil || uint8(c.DefaultCipher) == 0 {
-		return CipherAES128
-	}
-	return c.DefaultCipher
-}
-
-func (c *Config) Now() time.Time {
-	if c == nil || c.Time == nil {
-		return time.Now()
-	}
-	return c.Time()
-}
-
-func (c *Config) Compression() CompressionAlgo {
-	if c == nil {
-		return CompressionNone
-	}
-	return c.DefaultCompressionAlgo
-}
-
-func (c *Config) PasswordHashIterations() int {
-	if c == nil || c.S2KCount == 0 {
-		return 0
-	}
-	return c.S2KCount
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go
deleted file mode 100644
index 266840d0..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go
+++ /dev/null
@@ -1,199 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"crypto/rsa"
-	"encoding/binary"
-	"io"
-	"math/big"
-	"strconv"
-
-	"golang.org/x/crypto/openpgp/elgamal"
-	"golang.org/x/crypto/openpgp/errors"
-)
-
-const encryptedKeyVersion = 3
-
-// EncryptedKey represents a public-key encrypted session key. See RFC 4880,
-// section 5.1.
-type EncryptedKey struct {
-	KeyId      uint64
-	Algo       PublicKeyAlgorithm
-	CipherFunc CipherFunction // only valid after a successful Decrypt
-	Key        []byte         // only valid after a successful Decrypt
-
-	encryptedMPI1, encryptedMPI2 parsedMPI
-}
-
-func (e *EncryptedKey) parse(r io.Reader) (err error) {
-	var buf [10]byte
-	_, err = readFull(r, buf[:])
-	if err != nil {
-		return
-	}
-	if buf[0] != encryptedKeyVersion {
-		return errors.UnsupportedError("unknown EncryptedKey version " + strconv.Itoa(int(buf[0])))
-	}
-	e.KeyId = binary.BigEndian.Uint64(buf[1:9])
-	e.Algo = PublicKeyAlgorithm(buf[9])
-	switch e.Algo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
-		e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
-	case PubKeyAlgoElGamal:
-		e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
-		if err != nil {
-			return
-		}
-		e.encryptedMPI2.bytes, e.encryptedMPI2.bitLength, err = readMPI(r)
-	}
-	_, err = consumeAll(r)
-	return
-}
-
-func checksumKeyMaterial(key []byte) uint16 {
-	var checksum uint16
-	for _, v := range key {
-		checksum += uint16(v)
-	}
-	return checksum
-}
-
-// Decrypt decrypts an encrypted session key with the given private key. The
-// private key must have been decrypted first.
-// If config is nil, sensible defaults will be used.
-func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error {
-	var err error
-	var b []byte
-
-	// TODO(agl): use session key decryption routines here to avoid
-	// padding oracle attacks.
-	switch priv.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
-		b, err = rsa.DecryptPKCS1v15(config.Random(), priv.PrivateKey.(*rsa.PrivateKey), e.encryptedMPI1.bytes)
-	case PubKeyAlgoElGamal:
-		c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes)
-		c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes)
-		b, err = elgamal.Decrypt(priv.PrivateKey.(*elgamal.PrivateKey), c1, c2)
-	default:
-		err = errors.InvalidArgumentError("cannot decrypted encrypted session key with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo)))
-	}
-
-	if err != nil {
-		return err
-	}
-
-	e.CipherFunc = CipherFunction(b[0])
-	e.Key = b[1 : len(b)-2]
-	expectedChecksum := uint16(b[len(b)-2])<<8 | uint16(b[len(b)-1])
-	checksum := checksumKeyMaterial(e.Key)
-	if checksum != expectedChecksum {
-		return errors.StructuralError("EncryptedKey checksum incorrect")
-	}
-
-	return nil
-}
-
-// Serialize writes the encrypted key packet, e, to w.
-func (e *EncryptedKey) Serialize(w io.Writer) error {
-	var mpiLen int
-	switch e.Algo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
-		mpiLen = 2 + len(e.encryptedMPI1.bytes)
-	case PubKeyAlgoElGamal:
-		mpiLen = 2 + len(e.encryptedMPI1.bytes) + 2 + len(e.encryptedMPI2.bytes)
-	default:
-		return errors.InvalidArgumentError("don't know how to serialize encrypted key type " + strconv.Itoa(int(e.Algo)))
-	}
-
-	serializeHeader(w, packetTypeEncryptedKey, 1 /* version */ +8 /* key id */ +1 /* algo */ +mpiLen)
-
-	w.Write([]byte{encryptedKeyVersion})
-	binary.Write(w, binary.BigEndian, e.KeyId)
-	w.Write([]byte{byte(e.Algo)})
-
-	switch e.Algo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
-		writeMPIs(w, e.encryptedMPI1)
-	case PubKeyAlgoElGamal:
-		writeMPIs(w, e.encryptedMPI1, e.encryptedMPI2)
-	default:
-		panic("internal error")
-	}
-
-	return nil
-}
-
-// SerializeEncryptedKey serializes an encrypted key packet to w that contains
-// key, encrypted to pub.
-// If config is nil, sensible defaults will be used.
-func SerializeEncryptedKey(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, config *Config) error {
-	var buf [10]byte
-	buf[0] = encryptedKeyVersion
-	binary.BigEndian.PutUint64(buf[1:9], pub.KeyId)
-	buf[9] = byte(pub.PubKeyAlgo)
-
-	keyBlock := make([]byte, 1 /* cipher type */ +len(key)+2 /* checksum */)
-	keyBlock[0] = byte(cipherFunc)
-	copy(keyBlock[1:], key)
-	checksum := checksumKeyMaterial(key)
-	keyBlock[1+len(key)] = byte(checksum >> 8)
-	keyBlock[1+len(key)+1] = byte(checksum)
-
-	switch pub.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
-		return serializeEncryptedKeyRSA(w, config.Random(), buf, pub.PublicKey.(*rsa.PublicKey), keyBlock)
-	case PubKeyAlgoElGamal:
-		return serializeEncryptedKeyElGamal(w, config.Random(), buf, pub.PublicKey.(*elgamal.PublicKey), keyBlock)
-	case PubKeyAlgoDSA, PubKeyAlgoRSASignOnly:
-		return errors.InvalidArgumentError("cannot encrypt to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
-	}
-
-	return errors.UnsupportedError("encrypting a key to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
-}
-
-func serializeEncryptedKeyRSA(w io.Writer, rand io.Reader, header [10]byte, pub *rsa.PublicKey, keyBlock []byte) error {
-	cipherText, err := rsa.EncryptPKCS1v15(rand, pub, keyBlock)
-	if err != nil {
-		return errors.InvalidArgumentError("RSA encryption failed: " + err.Error())
-	}
-
-	packetLen := 10 /* header length */ + 2 /* mpi size */ + len(cipherText)
-
-	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
-	if err != nil {
-		return err
-	}
-	_, err = w.Write(header[:])
-	if err != nil {
-		return err
-	}
-	return writeMPI(w, 8*uint16(len(cipherText)), cipherText)
-}
-
-func serializeEncryptedKeyElGamal(w io.Writer, rand io.Reader, header [10]byte, pub *elgamal.PublicKey, keyBlock []byte) error {
-	c1, c2, err := elgamal.Encrypt(rand, pub, keyBlock)
-	if err != nil {
-		return errors.InvalidArgumentError("ElGamal encryption failed: " + err.Error())
-	}
-
-	packetLen := 10 /* header length */
-	packetLen += 2 /* mpi size */ + (c1.BitLen()+7)/8
-	packetLen += 2 /* mpi size */ + (c2.BitLen()+7)/8
-
-	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
-	if err != nil {
-		return err
-	}
-	_, err = w.Write(header[:])
-	if err != nil {
-		return err
-	}
-	err = writeBig(w, c1)
-	if err != nil {
-		return err
-	}
-	return writeBig(w, c2)
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key_test.go b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key_test.go
deleted file mode 100644
index fee14cf3..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key_test.go
+++ /dev/null
@@ -1,146 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto/rsa"
-	"encoding/hex"
-	"fmt"
-	"math/big"
-	"testing"
-)
-
-func bigFromBase10(s string) *big.Int {
-	b, ok := new(big.Int).SetString(s, 10)
-	if !ok {
-		panic("bigFromBase10 failed")
-	}
-	return b
-}
-
-var encryptedKeyPub = rsa.PublicKey{
-	E: 65537,
-	N: bigFromBase10("115804063926007623305902631768113868327816898845124614648849934718568541074358183759250136204762053879858102352159854352727097033322663029387610959884180306668628526686121021235757016368038585212410610742029286439607686208110250133174279811431933746643015923132833417396844716207301518956640020862630546868823"),
-}
-
-var encryptedKeyRSAPriv = &rsa.PrivateKey{
-	PublicKey: encryptedKeyPub,
-	D:         bigFromBase10("32355588668219869544751561565313228297765464314098552250409557267371233892496951383426602439009993875125222579159850054973310859166139474359774543943714622292329487391199285040721944491839695981199720170366763547754915493640685849961780092241140181198779299712578774460837139360803883139311171713302987058393"),
-}
-
-var encryptedKeyPriv = &PrivateKey{
-	PublicKey: PublicKey{
-		PubKeyAlgo: PubKeyAlgoRSA,
-	},
-	PrivateKey: encryptedKeyRSAPriv,
-}
-
-func TestDecryptingEncryptedKey(t *testing.T) {
-	const encryptedKeyHex = "c18c032a67d68660df41c70104005789d0de26b6a50c985a02a13131ca829c413a35d0e6fa8d6842599252162808ac7439c72151c8c6183e76923fe3299301414d0c25a2f06a2257db3839e7df0ec964773f6e4c4ac7ff3b48c444237166dd46ba8ff443a5410dc670cb486672fdbe7c9dfafb75b4fea83af3a204fe2a7dfa86bd20122b4f3d2646cbeecb8f7be8"
-	const expectedKeyHex = "d930363f7e0308c333b9618617ea728963d8df993665ae7be1092d4926fd864b"
-
-	p, err := Read(readerFromHex(encryptedKeyHex))
-	if err != nil {
-		t.Errorf("error from Read: %s", err)
-		return
-	}
-	ek, ok := p.(*EncryptedKey)
-	if !ok {
-		t.Errorf("didn't parse an EncryptedKey, got %#v", p)
-		return
-	}
-
-	if ek.KeyId != 0x2a67d68660df41c7 || ek.Algo != PubKeyAlgoRSA {
-		t.Errorf("unexpected EncryptedKey contents: %#v", ek)
-		return
-	}
-
-	err = ek.Decrypt(encryptedKeyPriv, nil)
-	if err != nil {
-		t.Errorf("error from Decrypt: %s", err)
-		return
-	}
-
-	if ek.CipherFunc != CipherAES256 {
-		t.Errorf("unexpected EncryptedKey contents: %#v", ek)
-		return
-	}
-
-	keyHex := fmt.Sprintf("%x", ek.Key)
-	if keyHex != expectedKeyHex {
-		t.Errorf("bad key, got %s want %x", keyHex, expectedKeyHex)
-	}
-}
-
-func TestEncryptingEncryptedKey(t *testing.T) {
-	key := []byte{1, 2, 3, 4}
-	const expectedKeyHex = "01020304"
-	const keyId = 42
-
-	pub := &PublicKey{
-		PublicKey:  &encryptedKeyPub,
-		KeyId:      keyId,
-		PubKeyAlgo: PubKeyAlgoRSAEncryptOnly,
-	}
-
-	buf := new(bytes.Buffer)
-	err := SerializeEncryptedKey(buf, pub, CipherAES128, key, nil)
-	if err != nil {
-		t.Errorf("error writing encrypted key packet: %s", err)
-	}
-
-	p, err := Read(buf)
-	if err != nil {
-		t.Errorf("error from Read: %s", err)
-		return
-	}
-	ek, ok := p.(*EncryptedKey)
-	if !ok {
-		t.Errorf("didn't parse an EncryptedKey, got %#v", p)
-		return
-	}
-
-	if ek.KeyId != keyId || ek.Algo != PubKeyAlgoRSAEncryptOnly {
-		t.Errorf("unexpected EncryptedKey contents: %#v", ek)
-		return
-	}
-
-	err = ek.Decrypt(encryptedKeyPriv, nil)
-	if err != nil {
-		t.Errorf("error from Decrypt: %s", err)
-		return
-	}
-
-	if ek.CipherFunc != CipherAES128 {
-		t.Errorf("unexpected EncryptedKey contents: %#v", ek)
-		return
-	}
-
-	keyHex := fmt.Sprintf("%x", ek.Key)
-	if keyHex != expectedKeyHex {
-		t.Errorf("bad key, got %s want %x", keyHex, expectedKeyHex)
-	}
-}
-
-func TestSerializingEncryptedKey(t *testing.T) {
-	const encryptedKeyHex = "c18c032a67d68660df41c70104005789d0de26b6a50c985a02a13131ca829c413a35d0e6fa8d6842599252162808ac7439c72151c8c6183e76923fe3299301414d0c25a2f06a2257db3839e7df0ec964773f6e4c4ac7ff3b48c444237166dd46ba8ff443a5410dc670cb486672fdbe7c9dfafb75b4fea83af3a204fe2a7dfa86bd20122b4f3d2646cbeecb8f7be8"
-
-	p, err := Read(readerFromHex(encryptedKeyHex))
-	if err != nil {
-		t.Fatalf("error from Read: %s", err)
-	}
-	ek, ok := p.(*EncryptedKey)
-	if !ok {
-		t.Fatalf("didn't parse an EncryptedKey, got %#v", p)
-	}
-
-	var buf bytes.Buffer
-	ek.Serialize(&buf)
-
-	if bufHex := hex.EncodeToString(buf.Bytes()); bufHex != encryptedKeyHex {
-		t.Fatalf("serialization of encrypted key differed from original. Original was %s, but reserialized as %s", encryptedKeyHex, bufHex)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/literal.go b/vendor/golang.org/x/crypto/openpgp/packet/literal.go
deleted file mode 100644
index 1a9ec6e5..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/literal.go
+++ /dev/null
@@ -1,89 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"encoding/binary"
-	"io"
-)
-
-// LiteralData represents an encrypted file. See RFC 4880, section 5.9.
-type LiteralData struct {
-	IsBinary bool
-	FileName string
-	Time     uint32 // Unix epoch time. Either creation time or modification time. 0 means undefined.
-	Body     io.Reader
-}
-
-// ForEyesOnly returns whether the contents of the LiteralData have been marked
-// as especially sensitive.
-func (l *LiteralData) ForEyesOnly() bool {
-	return l.FileName == "_CONSOLE"
-}
-
-func (l *LiteralData) parse(r io.Reader) (err error) {
-	var buf [256]byte
-
-	_, err = readFull(r, buf[:2])
-	if err != nil {
-		return
-	}
-
-	l.IsBinary = buf[0] == 'b'
-	fileNameLen := int(buf[1])
-
-	_, err = readFull(r, buf[:fileNameLen])
-	if err != nil {
-		return
-	}
-
-	l.FileName = string(buf[:fileNameLen])
-
-	_, err = readFull(r, buf[:4])
-	if err != nil {
-		return
-	}
-
-	l.Time = binary.BigEndian.Uint32(buf[:4])
-	l.Body = r
-	return
-}
-
-// SerializeLiteral serializes a literal data packet to w and returns a
-// WriteCloser to which the data itself can be written and which MUST be closed
-// on completion. The fileName is truncated to 255 bytes.
-func SerializeLiteral(w io.WriteCloser, isBinary bool, fileName string, time uint32) (plaintext io.WriteCloser, err error) {
-	var buf [4]byte
-	buf[0] = 't'
-	if isBinary {
-		buf[0] = 'b'
-	}
-	if len(fileName) > 255 {
-		fileName = fileName[:255]
-	}
-	buf[1] = byte(len(fileName))
-
-	inner, err := serializeStreamHeader(w, packetTypeLiteralData)
-	if err != nil {
-		return
-	}
-
-	_, err = inner.Write(buf[:2])
-	if err != nil {
-		return
-	}
-	_, err = inner.Write([]byte(fileName))
-	if err != nil {
-		return
-	}
-	binary.BigEndian.PutUint32(buf[:], time)
-	_, err = inner.Write(buf[:])
-	if err != nil {
-		return
-	}
-
-	plaintext = inner
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go b/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
deleted file mode 100644
index ce2a33a5..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
+++ /dev/null
@@ -1,143 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// OpenPGP CFB Mode. http://tools.ietf.org/html/rfc4880#section-13.9
-
-package packet
-
-import (
-	"crypto/cipher"
-)
-
-type ocfbEncrypter struct {
-	b       cipher.Block
-	fre     []byte
-	outUsed int
-}
-
-// An OCFBResyncOption determines if the "resynchronization step" of OCFB is
-// performed.
-type OCFBResyncOption bool
-
-const (
-	OCFBResync   OCFBResyncOption = true
-	OCFBNoResync OCFBResyncOption = false
-)
-
-// NewOCFBEncrypter returns a cipher.Stream which encrypts data with OpenPGP's
-// cipher feedback mode using the given cipher.Block, and an initial amount of
-// ciphertext.  randData must be random bytes and be the same length as the
-// cipher.Block's block size. Resync determines if the "resynchronization step"
-// from RFC 4880, 13.9 step 7 is performed. Different parts of OpenPGP vary on
-// this point.
-func NewOCFBEncrypter(block cipher.Block, randData []byte, resync OCFBResyncOption) (cipher.Stream, []byte) {
-	blockSize := block.BlockSize()
-	if len(randData) != blockSize {
-		return nil, nil
-	}
-
-	x := &ocfbEncrypter{
-		b:       block,
-		fre:     make([]byte, blockSize),
-		outUsed: 0,
-	}
-	prefix := make([]byte, blockSize+2)
-
-	block.Encrypt(x.fre, x.fre)
-	for i := 0; i < blockSize; i++ {
-		prefix[i] = randData[i] ^ x.fre[i]
-	}
-
-	block.Encrypt(x.fre, prefix[:blockSize])
-	prefix[blockSize] = x.fre[0] ^ randData[blockSize-2]
-	prefix[blockSize+1] = x.fre[1] ^ randData[blockSize-1]
-
-	if resync {
-		block.Encrypt(x.fre, prefix[2:])
-	} else {
-		x.fre[0] = prefix[blockSize]
-		x.fre[1] = prefix[blockSize+1]
-		x.outUsed = 2
-	}
-	return x, prefix
-}
-
-func (x *ocfbEncrypter) XORKeyStream(dst, src []byte) {
-	for i := 0; i < len(src); i++ {
-		if x.outUsed == len(x.fre) {
-			x.b.Encrypt(x.fre, x.fre)
-			x.outUsed = 0
-		}
-
-		x.fre[x.outUsed] ^= src[i]
-		dst[i] = x.fre[x.outUsed]
-		x.outUsed++
-	}
-}
-
-type ocfbDecrypter struct {
-	b       cipher.Block
-	fre     []byte
-	outUsed int
-}
-
-// NewOCFBDecrypter returns a cipher.Stream which decrypts data with OpenPGP's
-// cipher feedback mode using the given cipher.Block. Prefix must be the first
-// blockSize + 2 bytes of the ciphertext, where blockSize is the cipher.Block's
-// block size. If an incorrect key is detected then nil is returned. On
-// successful exit, blockSize+2 bytes of decrypted data are written into
-// prefix. Resync determines if the "resynchronization step" from RFC 4880,
-// 13.9 step 7 is performed. Different parts of OpenPGP vary on this point.
-func NewOCFBDecrypter(block cipher.Block, prefix []byte, resync OCFBResyncOption) cipher.Stream {
-	blockSize := block.BlockSize()
-	if len(prefix) != blockSize+2 {
-		return nil
-	}
-
-	x := &ocfbDecrypter{
-		b:       block,
-		fre:     make([]byte, blockSize),
-		outUsed: 0,
-	}
-	prefixCopy := make([]byte, len(prefix))
-	copy(prefixCopy, prefix)
-
-	block.Encrypt(x.fre, x.fre)
-	for i := 0; i < blockSize; i++ {
-		prefixCopy[i] ^= x.fre[i]
-	}
-
-	block.Encrypt(x.fre, prefix[:blockSize])
-	prefixCopy[blockSize] ^= x.fre[0]
-	prefixCopy[blockSize+1] ^= x.fre[1]
-
-	if prefixCopy[blockSize-2] != prefixCopy[blockSize] ||
-		prefixCopy[blockSize-1] != prefixCopy[blockSize+1] {
-		return nil
-	}
-
-	if resync {
-		block.Encrypt(x.fre, prefix[2:])
-	} else {
-		x.fre[0] = prefix[blockSize]
-		x.fre[1] = prefix[blockSize+1]
-		x.outUsed = 2
-	}
-	copy(prefix, prefixCopy)
-	return x
-}
-
-func (x *ocfbDecrypter) XORKeyStream(dst, src []byte) {
-	for i := 0; i < len(src); i++ {
-		if x.outUsed == len(x.fre) {
-			x.b.Encrypt(x.fre, x.fre)
-			x.outUsed = 0
-		}
-
-		c := src[i]
-		dst[i] = x.fre[x.outUsed] ^ src[i]
-		x.fre[x.outUsed] = c
-		x.outUsed++
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/ocfb_test.go b/vendor/golang.org/x/crypto/openpgp/packet/ocfb_test.go
deleted file mode 100644
index 91022c04..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/ocfb_test.go
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto/aes"
-	"crypto/rand"
-	"testing"
-)
-
-var commonKey128 = []byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}
-
-func testOCFB(t *testing.T, resync OCFBResyncOption) {
-	block, err := aes.NewCipher(commonKey128)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	plaintext := []byte("this is the plaintext, which is long enough to span several blocks.")
-	randData := make([]byte, block.BlockSize())
-	rand.Reader.Read(randData)
-	ocfb, prefix := NewOCFBEncrypter(block, randData, resync)
-	ciphertext := make([]byte, len(plaintext))
-	ocfb.XORKeyStream(ciphertext, plaintext)
-
-	ocfbdec := NewOCFBDecrypter(block, prefix, resync)
-	if ocfbdec == nil {
-		t.Errorf("NewOCFBDecrypter failed (resync: %t)", resync)
-		return
-	}
-	plaintextCopy := make([]byte, len(plaintext))
-	ocfbdec.XORKeyStream(plaintextCopy, ciphertext)
-
-	if !bytes.Equal(plaintextCopy, plaintext) {
-		t.Errorf("got: %x, want: %x (resync: %t)", plaintextCopy, plaintext, resync)
-	}
-}
-
-func TestOCFB(t *testing.T) {
-	testOCFB(t, OCFBNoResync)
-	testOCFB(t, OCFBResync)
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go b/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go
deleted file mode 100644
index 17135033..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"crypto"
-	"encoding/binary"
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/s2k"
-	"io"
-	"strconv"
-)
-
-// OnePassSignature represents a one-pass signature packet. See RFC 4880,
-// section 5.4.
-type OnePassSignature struct {
-	SigType    SignatureType
-	Hash       crypto.Hash
-	PubKeyAlgo PublicKeyAlgorithm
-	KeyId      uint64
-	IsLast     bool
-}
-
-const onePassSignatureVersion = 3
-
-func (ops *OnePassSignature) parse(r io.Reader) (err error) {
-	var buf [13]byte
-
-	_, err = readFull(r, buf[:])
-	if err != nil {
-		return
-	}
-	if buf[0] != onePassSignatureVersion {
-		err = errors.UnsupportedError("one-pass-signature packet version " + strconv.Itoa(int(buf[0])))
-	}
-
-	var ok bool
-	ops.Hash, ok = s2k.HashIdToHash(buf[2])
-	if !ok {
-		return errors.UnsupportedError("hash function: " + strconv.Itoa(int(buf[2])))
-	}
-
-	ops.SigType = SignatureType(buf[1])
-	ops.PubKeyAlgo = PublicKeyAlgorithm(buf[3])
-	ops.KeyId = binary.BigEndian.Uint64(buf[4:12])
-	ops.IsLast = buf[12] != 0
-	return
-}
-
-// Serialize marshals the given OnePassSignature to w.
-func (ops *OnePassSignature) Serialize(w io.Writer) error {
-	var buf [13]byte
-	buf[0] = onePassSignatureVersion
-	buf[1] = uint8(ops.SigType)
-	var ok bool
-	buf[2], ok = s2k.HashToHashId(ops.Hash)
-	if !ok {
-		return errors.UnsupportedError("hash type: " + strconv.Itoa(int(ops.Hash)))
-	}
-	buf[3] = uint8(ops.PubKeyAlgo)
-	binary.BigEndian.PutUint64(buf[4:12], ops.KeyId)
-	if ops.IsLast {
-		buf[12] = 1
-	}
-
-	if err := serializeHeader(w, packetTypeOnePassSignature, len(buf)); err != nil {
-		return err
-	}
-	_, err := w.Write(buf[:])
-	return err
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/opaque.go b/vendor/golang.org/x/crypto/openpgp/packet/opaque.go
deleted file mode 100644
index 456d807f..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/opaque.go
+++ /dev/null
@@ -1,162 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"io"
-	"io/ioutil"
-
-	"golang.org/x/crypto/openpgp/errors"
-)
-
-// OpaquePacket represents an OpenPGP packet as raw, unparsed data. This is
-// useful for splitting and storing the original packet contents separately,
-// handling unsupported packet types or accessing parts of the packet not yet
-// implemented by this package.
-type OpaquePacket struct {
-	// Packet type
-	Tag uint8
-	// Reason why the packet was parsed opaquely
-	Reason error
-	// Binary contents of the packet data
-	Contents []byte
-}
-
-func (op *OpaquePacket) parse(r io.Reader) (err error) {
-	op.Contents, err = ioutil.ReadAll(r)
-	return
-}
-
-// Serialize marshals the packet to a writer in its original form, including
-// the packet header.
-func (op *OpaquePacket) Serialize(w io.Writer) (err error) {
-	err = serializeHeader(w, packetType(op.Tag), len(op.Contents))
-	if err == nil {
-		_, err = w.Write(op.Contents)
-	}
-	return
-}
-
-// Parse attempts to parse the opaque contents into a structure supported by
-// this package. If the packet is not known then the result will be another
-// OpaquePacket.
-func (op *OpaquePacket) Parse() (p Packet, err error) {
-	hdr := bytes.NewBuffer(nil)
-	err = serializeHeader(hdr, packetType(op.Tag), len(op.Contents))
-	if err != nil {
-		op.Reason = err
-		return op, err
-	}
-	p, err = Read(io.MultiReader(hdr, bytes.NewBuffer(op.Contents)))
-	if err != nil {
-		op.Reason = err
-		p = op
-	}
-	return
-}
-
-// OpaqueReader reads OpaquePackets from an io.Reader.
-type OpaqueReader struct {
-	r io.Reader
-}
-
-func NewOpaqueReader(r io.Reader) *OpaqueReader {
-	return &OpaqueReader{r: r}
-}
-
-// Read the next OpaquePacket.
-func (or *OpaqueReader) Next() (op *OpaquePacket, err error) {
-	tag, _, contents, err := readHeader(or.r)
-	if err != nil {
-		return
-	}
-	op = &OpaquePacket{Tag: uint8(tag), Reason: err}
-	err = op.parse(contents)
-	if err != nil {
-		consumeAll(contents)
-	}
-	return
-}
-
-// OpaqueSubpacket represents an unparsed OpenPGP subpacket,
-// as found in signature and user attribute packets.
-type OpaqueSubpacket struct {
-	SubType  uint8
-	Contents []byte
-}
-
-// OpaqueSubpackets extracts opaque, unparsed OpenPGP subpackets from
-// their byte representation.
-func OpaqueSubpackets(contents []byte) (result []*OpaqueSubpacket, err error) {
-	var (
-		subHeaderLen int
-		subPacket    *OpaqueSubpacket
-	)
-	for len(contents) > 0 {
-		subHeaderLen, subPacket, err = nextSubpacket(contents)
-		if err != nil {
-			break
-		}
-		result = append(result, subPacket)
-		contents = contents[subHeaderLen+len(subPacket.Contents):]
-	}
-	return
-}
-
-func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacket, err error) {
-	// RFC 4880, section 5.2.3.1
-	var subLen uint32
-	if len(contents) < 1 {
-		goto Truncated
-	}
-	subPacket = &OpaqueSubpacket{}
-	switch {
-	case contents[0] < 192:
-		subHeaderLen = 2 // 1 length byte, 1 subtype byte
-		if len(contents) < subHeaderLen {
-			goto Truncated
-		}
-		subLen = uint32(contents[0])
-		contents = contents[1:]
-	case contents[0] < 255:
-		subHeaderLen = 3 // 2 length bytes, 1 subtype
-		if len(contents) < subHeaderLen {
-			goto Truncated
-		}
-		subLen = uint32(contents[0]-192)<<8 + uint32(contents[1]) + 192
-		contents = contents[2:]
-	default:
-		subHeaderLen = 6 // 5 length bytes, 1 subtype
-		if len(contents) < subHeaderLen {
-			goto Truncated
-		}
-		subLen = uint32(contents[1])<<24 |
-			uint32(contents[2])<<16 |
-			uint32(contents[3])<<8 |
-			uint32(contents[4])
-		contents = contents[5:]
-	}
-	if subLen > uint32(len(contents)) || subLen == 0 {
-		goto Truncated
-	}
-	subPacket.SubType = contents[0]
-	subPacket.Contents = contents[1:subLen]
-	return
-Truncated:
-	err = errors.StructuralError("subpacket truncated")
-	return
-}
-
-func (osp *OpaqueSubpacket) Serialize(w io.Writer) (err error) {
-	buf := make([]byte, 6)
-	n := serializeSubpacketLength(buf, len(osp.Contents)+1)
-	buf[n] = osp.SubType
-	if _, err = w.Write(buf[:n+1]); err != nil {
-		return
-	}
-	_, err = w.Write(osp.Contents)
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/opaque_test.go b/vendor/golang.org/x/crypto/openpgp/packet/opaque_test.go
deleted file mode 100644
index f27bbfe0..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/opaque_test.go
+++ /dev/null
@@ -1,67 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"encoding/hex"
-	"io"
-	"testing"
-)
-
-// Test packet.Read error handling in OpaquePacket.Parse,
-// which attempts to re-read an OpaquePacket as a supported
-// Packet type.
-func TestOpaqueParseReason(t *testing.T) {
-	buf, err := hex.DecodeString(UnsupportedKeyHex)
-	if err != nil {
-		t.Fatal(err)
-	}
-	or := NewOpaqueReader(bytes.NewBuffer(buf))
-	count := 0
-	badPackets := 0
-	var uid *UserId
-	for {
-		op, err := or.Next()
-		if err == io.EOF {
-			break
-		} else if err != nil {
-			t.Errorf("#%d: opaque read error: %v", count, err)
-			break
-		}
-		// try to parse opaque packet
-		p, err := op.Parse()
-		switch pkt := p.(type) {
-		case *UserId:
-			uid = pkt
-		case *OpaquePacket:
-			// If an OpaquePacket can't re-parse, packet.Read
-			// certainly had its reasons.
-			if pkt.Reason == nil {
-				t.Errorf("#%d: opaque packet, no reason", count)
-			} else {
-				badPackets++
-			}
-		}
-		count++
-	}
-
-	const expectedBad = 3
-	// Test post-conditions, make sure we actually parsed packets as expected.
-	if badPackets != expectedBad {
-		t.Errorf("unexpected # unparseable packets: %d (want %d)", badPackets, expectedBad)
-	}
-	if uid == nil {
-		t.Errorf("failed to find expected UID in unsupported keyring")
-	} else if uid.Id != "Armin M. Warda <warda@nephilim.ruhr.de>" {
-		t.Errorf("unexpected UID: %v", uid.Id)
-	}
-}
-
-// This key material has public key and signature packet versions modified to
-// an unsupported value (1), so that trying to parse the OpaquePacket to
-// a typed packet will get an error. It also contains a GnuPG trust packet.
-// (Created with: od -An -t x1 pubring.gpg | xargs | sed 's/ //g')
-const UnsupportedKeyHex = `988d012e7a18a20000010400d6ac00d92b89c1f4396c243abb9b76d2e9673ad63483291fed88e22b82e255e441c078c6abbbf7d2d195e50b62eeaa915b85b0ec20c225ce2c64c167cacb6e711daf2e45da4a8356a059b8160e3b3628ac0dd8437b31f06d53d6e8ea4214d4a26406a6b63e1001406ef23e0bb3069fac9a99a91f77dfafd5de0f188a5da5e3c9000511b42741726d696e204d2e205761726461203c7761726461406e657068696c696d2e727568722e64653e8900950105102e8936c705d1eb399e58489901013f0e03ff5a0c4f421e34fcfa388129166420c08cd76987bcdec6f01bd0271459a85cc22048820dd4e44ac2c7d23908d540f54facf1b36b0d9c20488781ce9dca856531e76e2e846826e9951338020a03a09b57aa5faa82e9267458bd76105399885ac35af7dc1cbb6aaed7c39e1039f3b5beda2c0e916bd38560509bab81235d1a0ead83b0020000`
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
deleted file mode 100644
index 3eded93f..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/packet.go
+++ /dev/null
@@ -1,537 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package packet implements parsing and serialization of OpenPGP packets, as
-// specified in RFC 4880.
-package packet // import "golang.org/x/crypto/openpgp/packet"
-
-import (
-	"bufio"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/des"
-	"golang.org/x/crypto/cast5"
-	"golang.org/x/crypto/openpgp/errors"
-	"io"
-	"math/big"
-)
-
-// readFull is the same as io.ReadFull except that reading zero bytes returns
-// ErrUnexpectedEOF rather than EOF.
-func readFull(r io.Reader, buf []byte) (n int, err error) {
-	n, err = io.ReadFull(r, buf)
-	if err == io.EOF {
-		err = io.ErrUnexpectedEOF
-	}
-	return
-}
-
-// readLength reads an OpenPGP length from r. See RFC 4880, section 4.2.2.
-func readLength(r io.Reader) (length int64, isPartial bool, err error) {
-	var buf [4]byte
-	_, err = readFull(r, buf[:1])
-	if err != nil {
-		return
-	}
-	switch {
-	case buf[0] < 192:
-		length = int64(buf[0])
-	case buf[0] < 224:
-		length = int64(buf[0]-192) << 8
-		_, err = readFull(r, buf[0:1])
-		if err != nil {
-			return
-		}
-		length += int64(buf[0]) + 192
-	case buf[0] < 255:
-		length = int64(1) << (buf[0] & 0x1f)
-		isPartial = true
-	default:
-		_, err = readFull(r, buf[0:4])
-		if err != nil {
-			return
-		}
-		length = int64(buf[0])<<24 |
-			int64(buf[1])<<16 |
-			int64(buf[2])<<8 |
-			int64(buf[3])
-	}
-	return
-}
-
-// partialLengthReader wraps an io.Reader and handles OpenPGP partial lengths.
-// The continuation lengths are parsed and removed from the stream and EOF is
-// returned at the end of the packet. See RFC 4880, section 4.2.2.4.
-type partialLengthReader struct {
-	r         io.Reader
-	remaining int64
-	isPartial bool
-}
-
-func (r *partialLengthReader) Read(p []byte) (n int, err error) {
-	for r.remaining == 0 {
-		if !r.isPartial {
-			return 0, io.EOF
-		}
-		r.remaining, r.isPartial, err = readLength(r.r)
-		if err != nil {
-			return 0, err
-		}
-	}
-
-	toRead := int64(len(p))
-	if toRead > r.remaining {
-		toRead = r.remaining
-	}
-
-	n, err = r.r.Read(p[:int(toRead)])
-	r.remaining -= int64(n)
-	if n < int(toRead) && err == io.EOF {
-		err = io.ErrUnexpectedEOF
-	}
-	return
-}
-
-// partialLengthWriter writes a stream of data using OpenPGP partial lengths.
-// See RFC 4880, section 4.2.2.4.
-type partialLengthWriter struct {
-	w          io.WriteCloser
-	lengthByte [1]byte
-}
-
-func (w *partialLengthWriter) Write(p []byte) (n int, err error) {
-	for len(p) > 0 {
-		for power := uint(14); power < 32; power-- {
-			l := 1 << power
-			if len(p) >= l {
-				w.lengthByte[0] = 224 + uint8(power)
-				_, err = w.w.Write(w.lengthByte[:])
-				if err != nil {
-					return
-				}
-				var m int
-				m, err = w.w.Write(p[:l])
-				n += m
-				if err != nil {
-					return
-				}
-				p = p[l:]
-				break
-			}
-		}
-	}
-	return
-}
-
-func (w *partialLengthWriter) Close() error {
-	w.lengthByte[0] = 0
-	_, err := w.w.Write(w.lengthByte[:])
-	if err != nil {
-		return err
-	}
-	return w.w.Close()
-}
-
-// A spanReader is an io.LimitReader, but it returns ErrUnexpectedEOF if the
-// underlying Reader returns EOF before the limit has been reached.
-type spanReader struct {
-	r io.Reader
-	n int64
-}
-
-func (l *spanReader) Read(p []byte) (n int, err error) {
-	if l.n <= 0 {
-		return 0, io.EOF
-	}
-	if int64(len(p)) > l.n {
-		p = p[0:l.n]
-	}
-	n, err = l.r.Read(p)
-	l.n -= int64(n)
-	if l.n > 0 && err == io.EOF {
-		err = io.ErrUnexpectedEOF
-	}
-	return
-}
-
-// readHeader parses a packet header and returns an io.Reader which will return
-// the contents of the packet. See RFC 4880, section 4.2.
-func readHeader(r io.Reader) (tag packetType, length int64, contents io.Reader, err error) {
-	var buf [4]byte
-	_, err = io.ReadFull(r, buf[:1])
-	if err != nil {
-		return
-	}
-	if buf[0]&0x80 == 0 {
-		err = errors.StructuralError("tag byte does not have MSB set")
-		return
-	}
-	if buf[0]&0x40 == 0 {
-		// Old format packet
-		tag = packetType((buf[0] & 0x3f) >> 2)
-		lengthType := buf[0] & 3
-		if lengthType == 3 {
-			length = -1
-			contents = r
-			return
-		}
-		lengthBytes := 1 << lengthType
-		_, err = readFull(r, buf[0:lengthBytes])
-		if err != nil {
-			return
-		}
-		for i := 0; i < lengthBytes; i++ {
-			length <<= 8
-			length |= int64(buf[i])
-		}
-		contents = &spanReader{r, length}
-		return
-	}
-
-	// New format packet
-	tag = packetType(buf[0] & 0x3f)
-	length, isPartial, err := readLength(r)
-	if err != nil {
-		return
-	}
-	if isPartial {
-		contents = &partialLengthReader{
-			remaining: length,
-			isPartial: true,
-			r:         r,
-		}
-		length = -1
-	} else {
-		contents = &spanReader{r, length}
-	}
-	return
-}
-
-// serializeHeader writes an OpenPGP packet header to w. See RFC 4880, section
-// 4.2.
-func serializeHeader(w io.Writer, ptype packetType, length int) (err error) {
-	var buf [6]byte
-	var n int
-
-	buf[0] = 0x80 | 0x40 | byte(ptype)
-	if length < 192 {
-		buf[1] = byte(length)
-		n = 2
-	} else if length < 8384 {
-		length -= 192
-		buf[1] = 192 + byte(length>>8)
-		buf[2] = byte(length)
-		n = 3
-	} else {
-		buf[1] = 255
-		buf[2] = byte(length >> 24)
-		buf[3] = byte(length >> 16)
-		buf[4] = byte(length >> 8)
-		buf[5] = byte(length)
-		n = 6
-	}
-
-	_, err = w.Write(buf[:n])
-	return
-}
-
-// serializeStreamHeader writes an OpenPGP packet header to w where the
-// length of the packet is unknown. It returns a io.WriteCloser which can be
-// used to write the contents of the packet. See RFC 4880, section 4.2.
-func serializeStreamHeader(w io.WriteCloser, ptype packetType) (out io.WriteCloser, err error) {
-	var buf [1]byte
-	buf[0] = 0x80 | 0x40 | byte(ptype)
-	_, err = w.Write(buf[:])
-	if err != nil {
-		return
-	}
-	out = &partialLengthWriter{w: w}
-	return
-}
-
-// Packet represents an OpenPGP packet. Users are expected to try casting
-// instances of this interface to specific packet types.
-type Packet interface {
-	parse(io.Reader) error
-}
-
-// consumeAll reads from the given Reader until error, returning the number of
-// bytes read.
-func consumeAll(r io.Reader) (n int64, err error) {
-	var m int
-	var buf [1024]byte
-
-	for {
-		m, err = r.Read(buf[:])
-		n += int64(m)
-		if err == io.EOF {
-			err = nil
-			return
-		}
-		if err != nil {
-			return
-		}
-	}
-}
-
-// packetType represents the numeric ids of the different OpenPGP packet types. See
-// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-2
-type packetType uint8
-
-const (
-	packetTypeEncryptedKey              packetType = 1
-	packetTypeSignature                 packetType = 2
-	packetTypeSymmetricKeyEncrypted     packetType = 3
-	packetTypeOnePassSignature          packetType = 4
-	packetTypePrivateKey                packetType = 5
-	packetTypePublicKey                 packetType = 6
-	packetTypePrivateSubkey             packetType = 7
-	packetTypeCompressed                packetType = 8
-	packetTypeSymmetricallyEncrypted    packetType = 9
-	packetTypeLiteralData               packetType = 11
-	packetTypeUserId                    packetType = 13
-	packetTypePublicSubkey              packetType = 14
-	packetTypeUserAttribute             packetType = 17
-	packetTypeSymmetricallyEncryptedMDC packetType = 18
-)
-
-// peekVersion detects the version of a public key packet about to
-// be read. A bufio.Reader at the original position of the io.Reader
-// is returned.
-func peekVersion(r io.Reader) (bufr *bufio.Reader, ver byte, err error) {
-	bufr = bufio.NewReader(r)
-	var verBuf []byte
-	if verBuf, err = bufr.Peek(1); err != nil {
-		return
-	}
-	ver = verBuf[0]
-	return
-}
-
-// Read reads a single OpenPGP packet from the given io.Reader. If there is an
-// error parsing a packet, the whole packet is consumed from the input.
-func Read(r io.Reader) (p Packet, err error) {
-	tag, _, contents, err := readHeader(r)
-	if err != nil {
-		return
-	}
-
-	switch tag {
-	case packetTypeEncryptedKey:
-		p = new(EncryptedKey)
-	case packetTypeSignature:
-		var version byte
-		// Detect signature version
-		if contents, version, err = peekVersion(contents); err != nil {
-			return
-		}
-		if version < 4 {
-			p = new(SignatureV3)
-		} else {
-			p = new(Signature)
-		}
-	case packetTypeSymmetricKeyEncrypted:
-		p = new(SymmetricKeyEncrypted)
-	case packetTypeOnePassSignature:
-		p = new(OnePassSignature)
-	case packetTypePrivateKey, packetTypePrivateSubkey:
-		pk := new(PrivateKey)
-		if tag == packetTypePrivateSubkey {
-			pk.IsSubkey = true
-		}
-		p = pk
-	case packetTypePublicKey, packetTypePublicSubkey:
-		var version byte
-		if contents, version, err = peekVersion(contents); err != nil {
-			return
-		}
-		isSubkey := tag == packetTypePublicSubkey
-		if version < 4 {
-			p = &PublicKeyV3{IsSubkey: isSubkey}
-		} else {
-			p = &PublicKey{IsSubkey: isSubkey}
-		}
-	case packetTypeCompressed:
-		p = new(Compressed)
-	case packetTypeSymmetricallyEncrypted:
-		p = new(SymmetricallyEncrypted)
-	case packetTypeLiteralData:
-		p = new(LiteralData)
-	case packetTypeUserId:
-		p = new(UserId)
-	case packetTypeUserAttribute:
-		p = new(UserAttribute)
-	case packetTypeSymmetricallyEncryptedMDC:
-		se := new(SymmetricallyEncrypted)
-		se.MDC = true
-		p = se
-	default:
-		err = errors.UnknownPacketTypeError(tag)
-	}
-	if p != nil {
-		err = p.parse(contents)
-	}
-	if err != nil {
-		consumeAll(contents)
-	}
-	return
-}
-
-// SignatureType represents the different semantic meanings of an OpenPGP
-// signature. See RFC 4880, section 5.2.1.
-type SignatureType uint8
-
-const (
-	SigTypeBinary            SignatureType = 0
-	SigTypeText                            = 1
-	SigTypeGenericCert                     = 0x10
-	SigTypePersonaCert                     = 0x11
-	SigTypeCasualCert                      = 0x12
-	SigTypePositiveCert                    = 0x13
-	SigTypeSubkeyBinding                   = 0x18
-	SigTypePrimaryKeyBinding               = 0x19
-	SigTypeDirectSignature                 = 0x1F
-	SigTypeKeyRevocation                   = 0x20
-	SigTypeSubkeyRevocation                = 0x28
-)
-
-// PublicKeyAlgorithm represents the different public key system specified for
-// OpenPGP. See
-// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-12
-type PublicKeyAlgorithm uint8
-
-const (
-	PubKeyAlgoRSA            PublicKeyAlgorithm = 1
-	PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2
-	PubKeyAlgoRSASignOnly    PublicKeyAlgorithm = 3
-	PubKeyAlgoElGamal        PublicKeyAlgorithm = 16
-	PubKeyAlgoDSA            PublicKeyAlgorithm = 17
-	// RFC 6637, Section 5.
-	PubKeyAlgoECDH  PublicKeyAlgorithm = 18
-	PubKeyAlgoECDSA PublicKeyAlgorithm = 19
-)
-
-// CanEncrypt returns true if it's possible to encrypt a message to a public
-// key of the given type.
-func (pka PublicKeyAlgorithm) CanEncrypt() bool {
-	switch pka {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal:
-		return true
-	}
-	return false
-}
-
-// CanSign returns true if it's possible for a public key of the given type to
-// sign a message.
-func (pka PublicKeyAlgorithm) CanSign() bool {
-	switch pka {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA:
-		return true
-	}
-	return false
-}
-
-// CipherFunction represents the different block ciphers specified for OpenPGP. See
-// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13
-type CipherFunction uint8
-
-const (
-	Cipher3DES   CipherFunction = 2
-	CipherCAST5  CipherFunction = 3
-	CipherAES128 CipherFunction = 7
-	CipherAES192 CipherFunction = 8
-	CipherAES256 CipherFunction = 9
-)
-
-// KeySize returns the key size, in bytes, of cipher.
-func (cipher CipherFunction) KeySize() int {
-	switch cipher {
-	case Cipher3DES:
-		return 24
-	case CipherCAST5:
-		return cast5.KeySize
-	case CipherAES128:
-		return 16
-	case CipherAES192:
-		return 24
-	case CipherAES256:
-		return 32
-	}
-	return 0
-}
-
-// blockSize returns the block size, in bytes, of cipher.
-func (cipher CipherFunction) blockSize() int {
-	switch cipher {
-	case Cipher3DES:
-		return des.BlockSize
-	case CipherCAST5:
-		return 8
-	case CipherAES128, CipherAES192, CipherAES256:
-		return 16
-	}
-	return 0
-}
-
-// new returns a fresh instance of the given cipher.
-func (cipher CipherFunction) new(key []byte) (block cipher.Block) {
-	switch cipher {
-	case Cipher3DES:
-		block, _ = des.NewTripleDESCipher(key)
-	case CipherCAST5:
-		block, _ = cast5.NewCipher(key)
-	case CipherAES128, CipherAES192, CipherAES256:
-		block, _ = aes.NewCipher(key)
-	}
-	return
-}
-
-// readMPI reads a big integer from r. The bit length returned is the bit
-// length that was specified in r. This is preserved so that the integer can be
-// reserialized exactly.
-func readMPI(r io.Reader) (mpi []byte, bitLength uint16, err error) {
-	var buf [2]byte
-	_, err = readFull(r, buf[0:])
-	if err != nil {
-		return
-	}
-	bitLength = uint16(buf[0])<<8 | uint16(buf[1])
-	numBytes := (int(bitLength) + 7) / 8
-	mpi = make([]byte, numBytes)
-	_, err = readFull(r, mpi)
-	return
-}
-
-// mpiLength returns the length of the given *big.Int when serialized as an
-// MPI.
-func mpiLength(n *big.Int) (mpiLengthInBytes int) {
-	mpiLengthInBytes = 2 /* MPI length */
-	mpiLengthInBytes += (n.BitLen() + 7) / 8
-	return
-}
-
-// writeMPI serializes a big integer to w.
-func writeMPI(w io.Writer, bitLength uint16, mpiBytes []byte) (err error) {
-	_, err = w.Write([]byte{byte(bitLength >> 8), byte(bitLength)})
-	if err == nil {
-		_, err = w.Write(mpiBytes)
-	}
-	return
-}
-
-// writeBig serializes a *big.Int to w.
-func writeBig(w io.Writer, i *big.Int) error {
-	return writeMPI(w, uint16(i.BitLen()), i.Bytes())
-}
-
-// CompressionAlgo Represents the different compression algorithms
-// supported by OpenPGP (except for BZIP2, which is not currently
-// supported). See Section 9.3 of RFC 4880.
-type CompressionAlgo uint8
-
-const (
-	CompressionNone CompressionAlgo = 0
-	CompressionZIP  CompressionAlgo = 1
-	CompressionZLIB CompressionAlgo = 2
-)
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet_test.go b/vendor/golang.org/x/crypto/openpgp/packet/packet_test.go
deleted file mode 100644
index 1dab5c3d..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/packet_test.go
+++ /dev/null
@@ -1,255 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"encoding/hex"
-	"fmt"
-	"golang.org/x/crypto/openpgp/errors"
-	"io"
-	"io/ioutil"
-	"testing"
-)
-
-func TestReadFull(t *testing.T) {
-	var out [4]byte
-
-	b := bytes.NewBufferString("foo")
-	n, err := readFull(b, out[:3])
-	if n != 3 || err != nil {
-		t.Errorf("full read failed n:%d err:%s", n, err)
-	}
-
-	b = bytes.NewBufferString("foo")
-	n, err = readFull(b, out[:4])
-	if n != 3 || err != io.ErrUnexpectedEOF {
-		t.Errorf("partial read failed n:%d err:%s", n, err)
-	}
-
-	b = bytes.NewBuffer(nil)
-	n, err = readFull(b, out[:3])
-	if n != 0 || err != io.ErrUnexpectedEOF {
-		t.Errorf("empty read failed n:%d err:%s", n, err)
-	}
-}
-
-func readerFromHex(s string) io.Reader {
-	data, err := hex.DecodeString(s)
-	if err != nil {
-		panic("readerFromHex: bad input")
-	}
-	return bytes.NewBuffer(data)
-}
-
-var readLengthTests = []struct {
-	hexInput  string
-	length    int64
-	isPartial bool
-	err       error
-}{
-	{"", 0, false, io.ErrUnexpectedEOF},
-	{"1f", 31, false, nil},
-	{"c0", 0, false, io.ErrUnexpectedEOF},
-	{"c101", 256 + 1 + 192, false, nil},
-	{"e0", 1, true, nil},
-	{"e1", 2, true, nil},
-	{"e2", 4, true, nil},
-	{"ff", 0, false, io.ErrUnexpectedEOF},
-	{"ff00", 0, false, io.ErrUnexpectedEOF},
-	{"ff0000", 0, false, io.ErrUnexpectedEOF},
-	{"ff000000", 0, false, io.ErrUnexpectedEOF},
-	{"ff00000000", 0, false, nil},
-	{"ff01020304", 16909060, false, nil},
-}
-
-func TestReadLength(t *testing.T) {
-	for i, test := range readLengthTests {
-		length, isPartial, err := readLength(readerFromHex(test.hexInput))
-		if test.err != nil {
-			if err != test.err {
-				t.Errorf("%d: expected different error got:%s want:%s", i, err, test.err)
-			}
-			continue
-		}
-		if err != nil {
-			t.Errorf("%d: unexpected error: %s", i, err)
-			continue
-		}
-		if length != test.length || isPartial != test.isPartial {
-			t.Errorf("%d: bad result got:(%d,%t) want:(%d,%t)", i, length, isPartial, test.length, test.isPartial)
-		}
-	}
-}
-
-var partialLengthReaderTests = []struct {
-	hexInput  string
-	err       error
-	hexOutput string
-}{
-	{"e0", io.ErrUnexpectedEOF, ""},
-	{"e001", io.ErrUnexpectedEOF, ""},
-	{"e0010102", nil, "0102"},
-	{"ff00000000", nil, ""},
-	{"e10102e1030400", nil, "01020304"},
-	{"e101", io.ErrUnexpectedEOF, ""},
-}
-
-func TestPartialLengthReader(t *testing.T) {
-	for i, test := range partialLengthReaderTests {
-		r := &partialLengthReader{readerFromHex(test.hexInput), 0, true}
-		out, err := ioutil.ReadAll(r)
-		if test.err != nil {
-			if err != test.err {
-				t.Errorf("%d: expected different error got:%s want:%s", i, err, test.err)
-			}
-			continue
-		}
-		if err != nil {
-			t.Errorf("%d: unexpected error: %s", i, err)
-			continue
-		}
-
-		got := fmt.Sprintf("%x", out)
-		if got != test.hexOutput {
-			t.Errorf("%d: got:%s want:%s", i, test.hexOutput, got)
-		}
-	}
-}
-
-var readHeaderTests = []struct {
-	hexInput        string
-	structuralError bool
-	unexpectedEOF   bool
-	tag             int
-	length          int64
-	hexOutput       string
-}{
-	{"", false, false, 0, 0, ""},
-	{"7f", true, false, 0, 0, ""},
-
-	// Old format headers
-	{"80", false, true, 0, 0, ""},
-	{"8001", false, true, 0, 1, ""},
-	{"800102", false, false, 0, 1, "02"},
-	{"81000102", false, false, 0, 1, "02"},
-	{"820000000102", false, false, 0, 1, "02"},
-	{"860000000102", false, false, 1, 1, "02"},
-	{"83010203", false, false, 0, -1, "010203"},
-
-	// New format headers
-	{"c0", false, true, 0, 0, ""},
-	{"c000", false, false, 0, 0, ""},
-	{"c00102", false, false, 0, 1, "02"},
-	{"c0020203", false, false, 0, 2, "0203"},
-	{"c00202", false, true, 0, 2, ""},
-	{"c3020203", false, false, 3, 2, "0203"},
-}
-
-func TestReadHeader(t *testing.T) {
-	for i, test := range readHeaderTests {
-		tag, length, contents, err := readHeader(readerFromHex(test.hexInput))
-		if test.structuralError {
-			if _, ok := err.(errors.StructuralError); ok {
-				continue
-			}
-			t.Errorf("%d: expected StructuralError, got:%s", i, err)
-			continue
-		}
-		if err != nil {
-			if len(test.hexInput) == 0 && err == io.EOF {
-				continue
-			}
-			if !test.unexpectedEOF || err != io.ErrUnexpectedEOF {
-				t.Errorf("%d: unexpected error from readHeader: %s", i, err)
-			}
-			continue
-		}
-		if int(tag) != test.tag || length != test.length {
-			t.Errorf("%d: got:(%d,%d) want:(%d,%d)", i, int(tag), length, test.tag, test.length)
-			continue
-		}
-
-		body, err := ioutil.ReadAll(contents)
-		if err != nil {
-			if !test.unexpectedEOF || err != io.ErrUnexpectedEOF {
-				t.Errorf("%d: unexpected error from contents: %s", i, err)
-			}
-			continue
-		}
-		if test.unexpectedEOF {
-			t.Errorf("%d: expected ErrUnexpectedEOF from contents but got no error", i)
-			continue
-		}
-		got := fmt.Sprintf("%x", body)
-		if got != test.hexOutput {
-			t.Errorf("%d: got:%s want:%s", i, got, test.hexOutput)
-		}
-	}
-}
-
-func TestSerializeHeader(t *testing.T) {
-	tag := packetTypePublicKey
-	lengths := []int{0, 1, 2, 64, 192, 193, 8000, 8384, 8385, 10000}
-
-	for _, length := range lengths {
-		buf := bytes.NewBuffer(nil)
-		serializeHeader(buf, tag, length)
-		tag2, length2, _, err := readHeader(buf)
-		if err != nil {
-			t.Errorf("length %d, err: %s", length, err)
-		}
-		if tag2 != tag {
-			t.Errorf("length %d, tag incorrect (got %d, want %d)", length, tag2, tag)
-		}
-		if int(length2) != length {
-			t.Errorf("length %d, length incorrect (got %d)", length, length2)
-		}
-	}
-}
-
-func TestPartialLengths(t *testing.T) {
-	buf := bytes.NewBuffer(nil)
-	w := new(partialLengthWriter)
-	w.w = noOpCloser{buf}
-
-	const maxChunkSize = 64
-
-	var b [maxChunkSize]byte
-	var n uint8
-	for l := 1; l <= maxChunkSize; l++ {
-		for i := 0; i < l; i++ {
-			b[i] = n
-			n++
-		}
-		m, err := w.Write(b[:l])
-		if m != l {
-			t.Errorf("short write got: %d want: %d", m, l)
-		}
-		if err != nil {
-			t.Errorf("error from write: %s", err)
-		}
-	}
-	w.Close()
-
-	want := (maxChunkSize * (maxChunkSize + 1)) / 2
-	copyBuf := bytes.NewBuffer(nil)
-	r := &partialLengthReader{buf, 0, true}
-	m, err := io.Copy(copyBuf, r)
-	if m != int64(want) {
-		t.Errorf("short copy got: %d want: %d", m, want)
-	}
-	if err != nil {
-		t.Errorf("error from copy: %s", err)
-	}
-
-	copyBytes := copyBuf.Bytes()
-	for i := 0; i < want; i++ {
-		if copyBytes[i] != uint8(i) {
-			t.Errorf("bad pattern in copy at %d", i)
-			break
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
deleted file mode 100644
index 34734cc6..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
+++ /dev/null
@@ -1,380 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/cipher"
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/sha1"
-	"io"
-	"io/ioutil"
-	"math/big"
-	"strconv"
-	"time"
-
-	"golang.org/x/crypto/openpgp/elgamal"
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/s2k"
-)
-
-// PrivateKey represents a possibly encrypted private key. See RFC 4880,
-// section 5.5.3.
-type PrivateKey struct {
-	PublicKey
-	Encrypted     bool // if true then the private key is unavailable until Decrypt has been called.
-	encryptedData []byte
-	cipher        CipherFunction
-	s2k           func(out, in []byte)
-	PrivateKey    interface{} // An *{rsa|dsa|ecdsa}.PrivateKey or a crypto.Signer.
-	sha1Checksum  bool
-	iv            []byte
-}
-
-func NewRSAPrivateKey(currentTime time.Time, priv *rsa.PrivateKey) *PrivateKey {
-	pk := new(PrivateKey)
-	pk.PublicKey = *NewRSAPublicKey(currentTime, &priv.PublicKey)
-	pk.PrivateKey = priv
-	return pk
-}
-
-func NewDSAPrivateKey(currentTime time.Time, priv *dsa.PrivateKey) *PrivateKey {
-	pk := new(PrivateKey)
-	pk.PublicKey = *NewDSAPublicKey(currentTime, &priv.PublicKey)
-	pk.PrivateKey = priv
-	return pk
-}
-
-func NewElGamalPrivateKey(currentTime time.Time, priv *elgamal.PrivateKey) *PrivateKey {
-	pk := new(PrivateKey)
-	pk.PublicKey = *NewElGamalPublicKey(currentTime, &priv.PublicKey)
-	pk.PrivateKey = priv
-	return pk
-}
-
-func NewECDSAPrivateKey(currentTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey {
-	pk := new(PrivateKey)
-	pk.PublicKey = *NewECDSAPublicKey(currentTime, &priv.PublicKey)
-	pk.PrivateKey = priv
-	return pk
-}
-
-// NewSignerPrivateKey creates a sign-only PrivateKey from a crypto.Signer that
-// implements RSA or ECDSA.
-func NewSignerPrivateKey(currentTime time.Time, signer crypto.Signer) *PrivateKey {
-	pk := new(PrivateKey)
-	switch pubkey := signer.Public().(type) {
-	case rsa.PublicKey:
-		pk.PublicKey = *NewRSAPublicKey(currentTime, &pubkey)
-		pk.PubKeyAlgo = PubKeyAlgoRSASignOnly
-	case ecdsa.PublicKey:
-		pk.PublicKey = *NewECDSAPublicKey(currentTime, &pubkey)
-	default:
-		panic("openpgp: unknown crypto.Signer type in NewSignerPrivateKey")
-	}
-	pk.PrivateKey = signer
-	return pk
-}
-
-func (pk *PrivateKey) parse(r io.Reader) (err error) {
-	err = (&pk.PublicKey).parse(r)
-	if err != nil {
-		return
-	}
-	var buf [1]byte
-	_, err = readFull(r, buf[:])
-	if err != nil {
-		return
-	}
-
-	s2kType := buf[0]
-
-	switch s2kType {
-	case 0:
-		pk.s2k = nil
-		pk.Encrypted = false
-	case 254, 255:
-		_, err = readFull(r, buf[:])
-		if err != nil {
-			return
-		}
-		pk.cipher = CipherFunction(buf[0])
-		pk.Encrypted = true
-		pk.s2k, err = s2k.Parse(r)
-		if err != nil {
-			return
-		}
-		if s2kType == 254 {
-			pk.sha1Checksum = true
-		}
-	default:
-		return errors.UnsupportedError("deprecated s2k function in private key")
-	}
-
-	if pk.Encrypted {
-		blockSize := pk.cipher.blockSize()
-		if blockSize == 0 {
-			return errors.UnsupportedError("unsupported cipher in private key: " + strconv.Itoa(int(pk.cipher)))
-		}
-		pk.iv = make([]byte, blockSize)
-		_, err = readFull(r, pk.iv)
-		if err != nil {
-			return
-		}
-	}
-
-	pk.encryptedData, err = ioutil.ReadAll(r)
-	if err != nil {
-		return
-	}
-
-	if !pk.Encrypted {
-		return pk.parsePrivateKey(pk.encryptedData)
-	}
-
-	return
-}
-
-func mod64kHash(d []byte) uint16 {
-	var h uint16
-	for _, b := range d {
-		h += uint16(b)
-	}
-	return h
-}
-
-func (pk *PrivateKey) Serialize(w io.Writer) (err error) {
-	// TODO(agl): support encrypted private keys
-	buf := bytes.NewBuffer(nil)
-	err = pk.PublicKey.serializeWithoutHeaders(buf)
-	if err != nil {
-		return
-	}
-	buf.WriteByte(0 /* no encryption */)
-
-	privateKeyBuf := bytes.NewBuffer(nil)
-
-	switch priv := pk.PrivateKey.(type) {
-	case *rsa.PrivateKey:
-		err = serializeRSAPrivateKey(privateKeyBuf, priv)
-	case *dsa.PrivateKey:
-		err = serializeDSAPrivateKey(privateKeyBuf, priv)
-	case *elgamal.PrivateKey:
-		err = serializeElGamalPrivateKey(privateKeyBuf, priv)
-	case *ecdsa.PrivateKey:
-		err = serializeECDSAPrivateKey(privateKeyBuf, priv)
-	default:
-		err = errors.InvalidArgumentError("unknown private key type")
-	}
-	if err != nil {
-		return
-	}
-
-	ptype := packetTypePrivateKey
-	contents := buf.Bytes()
-	privateKeyBytes := privateKeyBuf.Bytes()
-	if pk.IsSubkey {
-		ptype = packetTypePrivateSubkey
-	}
-	err = serializeHeader(w, ptype, len(contents)+len(privateKeyBytes)+2)
-	if err != nil {
-		return
-	}
-	_, err = w.Write(contents)
-	if err != nil {
-		return
-	}
-	_, err = w.Write(privateKeyBytes)
-	if err != nil {
-		return
-	}
-
-	checksum := mod64kHash(privateKeyBytes)
-	var checksumBytes [2]byte
-	checksumBytes[0] = byte(checksum >> 8)
-	checksumBytes[1] = byte(checksum)
-	_, err = w.Write(checksumBytes[:])
-
-	return
-}
-
-func serializeRSAPrivateKey(w io.Writer, priv *rsa.PrivateKey) error {
-	err := writeBig(w, priv.D)
-	if err != nil {
-		return err
-	}
-	err = writeBig(w, priv.Primes[1])
-	if err != nil {
-		return err
-	}
-	err = writeBig(w, priv.Primes[0])
-	if err != nil {
-		return err
-	}
-	return writeBig(w, priv.Precomputed.Qinv)
-}
-
-func serializeDSAPrivateKey(w io.Writer, priv *dsa.PrivateKey) error {
-	return writeBig(w, priv.X)
-}
-
-func serializeElGamalPrivateKey(w io.Writer, priv *elgamal.PrivateKey) error {
-	return writeBig(w, priv.X)
-}
-
-func serializeECDSAPrivateKey(w io.Writer, priv *ecdsa.PrivateKey) error {
-	return writeBig(w, priv.D)
-}
-
-// Decrypt decrypts an encrypted private key using a passphrase.
-func (pk *PrivateKey) Decrypt(passphrase []byte) error {
-	if !pk.Encrypted {
-		return nil
-	}
-
-	key := make([]byte, pk.cipher.KeySize())
-	pk.s2k(key, passphrase)
-	block := pk.cipher.new(key)
-	cfb := cipher.NewCFBDecrypter(block, pk.iv)
-
-	data := make([]byte, len(pk.encryptedData))
-	cfb.XORKeyStream(data, pk.encryptedData)
-
-	if pk.sha1Checksum {
-		if len(data) < sha1.Size {
-			return errors.StructuralError("truncated private key data")
-		}
-		h := sha1.New()
-		h.Write(data[:len(data)-sha1.Size])
-		sum := h.Sum(nil)
-		if !bytes.Equal(sum, data[len(data)-sha1.Size:]) {
-			return errors.StructuralError("private key checksum failure")
-		}
-		data = data[:len(data)-sha1.Size]
-	} else {
-		if len(data) < 2 {
-			return errors.StructuralError("truncated private key data")
-		}
-		var sum uint16
-		for i := 0; i < len(data)-2; i++ {
-			sum += uint16(data[i])
-		}
-		if data[len(data)-2] != uint8(sum>>8) ||
-			data[len(data)-1] != uint8(sum) {
-			return errors.StructuralError("private key checksum failure")
-		}
-		data = data[:len(data)-2]
-	}
-
-	return pk.parsePrivateKey(data)
-}
-
-func (pk *PrivateKey) parsePrivateKey(data []byte) (err error) {
-	switch pk.PublicKey.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoRSAEncryptOnly:
-		return pk.parseRSAPrivateKey(data)
-	case PubKeyAlgoDSA:
-		return pk.parseDSAPrivateKey(data)
-	case PubKeyAlgoElGamal:
-		return pk.parseElGamalPrivateKey(data)
-	case PubKeyAlgoECDSA:
-		return pk.parseECDSAPrivateKey(data)
-	}
-	panic("impossible")
-}
-
-func (pk *PrivateKey) parseRSAPrivateKey(data []byte) (err error) {
-	rsaPub := pk.PublicKey.PublicKey.(*rsa.PublicKey)
-	rsaPriv := new(rsa.PrivateKey)
-	rsaPriv.PublicKey = *rsaPub
-
-	buf := bytes.NewBuffer(data)
-	d, _, err := readMPI(buf)
-	if err != nil {
-		return
-	}
-	p, _, err := readMPI(buf)
-	if err != nil {
-		return
-	}
-	q, _, err := readMPI(buf)
-	if err != nil {
-		return
-	}
-
-	rsaPriv.D = new(big.Int).SetBytes(d)
-	rsaPriv.Primes = make([]*big.Int, 2)
-	rsaPriv.Primes[0] = new(big.Int).SetBytes(p)
-	rsaPriv.Primes[1] = new(big.Int).SetBytes(q)
-	if err := rsaPriv.Validate(); err != nil {
-		return err
-	}
-	rsaPriv.Precompute()
-	pk.PrivateKey = rsaPriv
-	pk.Encrypted = false
-	pk.encryptedData = nil
-
-	return nil
-}
-
-func (pk *PrivateKey) parseDSAPrivateKey(data []byte) (err error) {
-	dsaPub := pk.PublicKey.PublicKey.(*dsa.PublicKey)
-	dsaPriv := new(dsa.PrivateKey)
-	dsaPriv.PublicKey = *dsaPub
-
-	buf := bytes.NewBuffer(data)
-	x, _, err := readMPI(buf)
-	if err != nil {
-		return
-	}
-
-	dsaPriv.X = new(big.Int).SetBytes(x)
-	pk.PrivateKey = dsaPriv
-	pk.Encrypted = false
-	pk.encryptedData = nil
-
-	return nil
-}
-
-func (pk *PrivateKey) parseElGamalPrivateKey(data []byte) (err error) {
-	pub := pk.PublicKey.PublicKey.(*elgamal.PublicKey)
-	priv := new(elgamal.PrivateKey)
-	priv.PublicKey = *pub
-
-	buf := bytes.NewBuffer(data)
-	x, _, err := readMPI(buf)
-	if err != nil {
-		return
-	}
-
-	priv.X = new(big.Int).SetBytes(x)
-	pk.PrivateKey = priv
-	pk.Encrypted = false
-	pk.encryptedData = nil
-
-	return nil
-}
-
-func (pk *PrivateKey) parseECDSAPrivateKey(data []byte) (err error) {
-	ecdsaPub := pk.PublicKey.PublicKey.(*ecdsa.PublicKey)
-
-	buf := bytes.NewBuffer(data)
-	d, _, err := readMPI(buf)
-	if err != nil {
-		return
-	}
-
-	pk.PrivateKey = &ecdsa.PrivateKey{
-		PublicKey: *ecdsaPub,
-		D:         new(big.Int).SetBytes(d),
-	}
-	pk.Encrypted = false
-	pk.encryptedData = nil
-
-	return nil
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/private_key_test.go b/vendor/golang.org/x/crypto/openpgp/packet/private_key_test.go
deleted file mode 100644
index ac651d91..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/private_key_test.go
+++ /dev/null
@@ -1,270 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/hex"
-	"hash"
-	"io"
-	"testing"
-	"time"
-)
-
-var privateKeyTests = []struct {
-	privateKeyHex string
-	creationTime  time.Time
-}{
-	{
-		privKeyRSAHex,
-		time.Unix(0x4cc349a8, 0),
-	},
-	{
-		privKeyElGamalHex,
-		time.Unix(0x4df9ee1a, 0),
-	},
-}
-
-func TestPrivateKeyRead(t *testing.T) {
-	for i, test := range privateKeyTests {
-		packet, err := Read(readerFromHex(test.privateKeyHex))
-		if err != nil {
-			t.Errorf("#%d: failed to parse: %s", i, err)
-			continue
-		}
-
-		privKey := packet.(*PrivateKey)
-
-		if !privKey.Encrypted {
-			t.Errorf("#%d: private key isn't encrypted", i)
-			continue
-		}
-
-		err = privKey.Decrypt([]byte("wrong password"))
-		if err == nil {
-			t.Errorf("#%d: decrypted with incorrect key", i)
-			continue
-		}
-
-		err = privKey.Decrypt([]byte("testing"))
-		if err != nil {
-			t.Errorf("#%d: failed to decrypt: %s", i, err)
-			continue
-		}
-
-		if !privKey.CreationTime.Equal(test.creationTime) || privKey.Encrypted {
-			t.Errorf("#%d: bad result, got: %#v", i, privKey)
-		}
-	}
-}
-
-func populateHash(hashFunc crypto.Hash, msg []byte) (hash.Hash, error) {
-	h := hashFunc.New()
-	if _, err := h.Write(msg); err != nil {
-		return nil, err
-	}
-	return h, nil
-}
-
-func TestRSAPrivateKey(t *testing.T) {
-	privKeyDER, _ := hex.DecodeString(pkcs1PrivKeyHex)
-	rsaPriv, err := x509.ParsePKCS1PrivateKey(privKeyDER)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	var buf bytes.Buffer
-	if err := NewRSAPrivateKey(time.Now(), rsaPriv).Serialize(&buf); err != nil {
-		t.Fatal(err)
-	}
-
-	p, err := Read(&buf)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	priv, ok := p.(*PrivateKey)
-	if !ok {
-		t.Fatal("didn't parse private key")
-	}
-
-	sig := &Signature{
-		PubKeyAlgo: PubKeyAlgoRSA,
-		Hash:       crypto.SHA256,
-	}
-	msg := []byte("Hello World!")
-
-	h, err := populateHash(sig.Hash, msg)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := sig.Sign(h, priv, nil); err != nil {
-		t.Fatal(err)
-	}
-
-	if h, err = populateHash(sig.Hash, msg); err != nil {
-		t.Fatal(err)
-	}
-	if err := priv.VerifySignature(h, sig); err != nil {
-		t.Fatal(err)
-	}
-}
-
-func TestECDSAPrivateKey(t *testing.T) {
-	ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	var buf bytes.Buffer
-	if err := NewECDSAPrivateKey(time.Now(), ecdsaPriv).Serialize(&buf); err != nil {
-		t.Fatal(err)
-	}
-
-	p, err := Read(&buf)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	priv, ok := p.(*PrivateKey)
-	if !ok {
-		t.Fatal("didn't parse private key")
-	}
-
-	sig := &Signature{
-		PubKeyAlgo: PubKeyAlgoECDSA,
-		Hash:       crypto.SHA256,
-	}
-	msg := []byte("Hello World!")
-
-	h, err := populateHash(sig.Hash, msg)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := sig.Sign(h, priv, nil); err != nil {
-		t.Fatal(err)
-	}
-
-	if h, err = populateHash(sig.Hash, msg); err != nil {
-		t.Fatal(err)
-	}
-	if err := priv.VerifySignature(h, sig); err != nil {
-		t.Fatal(err)
-	}
-}
-
-type rsaSigner struct {
-	priv *rsa.PrivateKey
-}
-
-func (s *rsaSigner) Public() crypto.PublicKey {
-	return s.priv.PublicKey
-}
-
-func (s *rsaSigner) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
-	return s.priv.Sign(rand, msg, opts)
-}
-
-func TestRSASignerPrivateKey(t *testing.T) {
-	rsaPriv, err := rsa.GenerateKey(rand.Reader, 1024)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	priv := NewSignerPrivateKey(time.Now(), &rsaSigner{rsaPriv})
-
-	if priv.PubKeyAlgo != PubKeyAlgoRSASignOnly {
-		t.Fatal("NewSignerPrivateKey should have made a sign-only RSA private key")
-	}
-
-	sig := &Signature{
-		PubKeyAlgo: PubKeyAlgoRSASignOnly,
-		Hash:       crypto.SHA256,
-	}
-	msg := []byte("Hello World!")
-
-	h, err := populateHash(sig.Hash, msg)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := sig.Sign(h, priv, nil); err != nil {
-		t.Fatal(err)
-	}
-
-	if h, err = populateHash(sig.Hash, msg); err != nil {
-		t.Fatal(err)
-	}
-	if err := priv.VerifySignature(h, sig); err != nil {
-		t.Fatal(err)
-	}
-}
-
-type ecdsaSigner struct {
-	priv *ecdsa.PrivateKey
-}
-
-func (s *ecdsaSigner) Public() crypto.PublicKey {
-	return s.priv.PublicKey
-}
-
-func (s *ecdsaSigner) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
-	return s.priv.Sign(rand, msg, opts)
-}
-
-func TestECDSASignerPrivateKey(t *testing.T) {
-	ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	priv := NewSignerPrivateKey(time.Now(), &ecdsaSigner{ecdsaPriv})
-
-	if priv.PubKeyAlgo != PubKeyAlgoECDSA {
-		t.Fatal("NewSignerPrivateKey should have made an ECSDA private key")
-	}
-
-	sig := &Signature{
-		PubKeyAlgo: PubKeyAlgoECDSA,
-		Hash:       crypto.SHA256,
-	}
-	msg := []byte("Hello World!")
-
-	h, err := populateHash(sig.Hash, msg)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := sig.Sign(h, priv, nil); err != nil {
-		t.Fatal(err)
-	}
-
-	if h, err = populateHash(sig.Hash, msg); err != nil {
-		t.Fatal(err)
-	}
-	if err := priv.VerifySignature(h, sig); err != nil {
-		t.Fatal(err)
-	}
-}
-
-func TestIssue11505(t *testing.T) {
-	// parsing a rsa private key with p or q == 1 used to panic due to a divide by zero
-	_, _ = Read(readerFromHex("9c3004303030300100000011303030000000000000010130303030303030303030303030303030303030303030303030303030303030303030303030303030303030"))
-}
-
-// Generated with `gpg --export-secret-keys "Test Key 2"`
-const privKeyRSAHex = "9501fe044cc349a8010400b70ca0010e98c090008d45d1ee8f9113bd5861fd57b88bacb7c68658747663f1e1a3b5a98f32fda6472373c024b97359cd2efc88ff60f77751adfbf6af5e615e6a1408cfad8bf0cea30b0d5f53aa27ad59089ba9b15b7ebc2777a25d7b436144027e3bcd203909f147d0e332b240cf63d3395f5dfe0df0a6c04e8655af7eacdf0011010001fe0303024a252e7d475fd445607de39a265472aa74a9320ba2dac395faa687e9e0336aeb7e9a7397e511b5afd9dc84557c80ac0f3d4d7bfec5ae16f20d41c8c84a04552a33870b930420e230e179564f6d19bb153145e76c33ae993886c388832b0fa042ddda7f133924f3854481533e0ede31d51278c0519b29abc3bf53da673e13e3e1214b52413d179d7f66deee35cac8eacb060f78379d70ef4af8607e68131ff529439668fc39c9ce6dfef8a5ac234d234802cbfb749a26107db26406213ae5c06d4673253a3cbee1fcbae58d6ab77e38d6e2c0e7c6317c48e054edadb5a40d0d48acb44643d998139a8a66bb820be1f3f80185bc777d14b5954b60effe2448a036d565c6bc0b915fcea518acdd20ab07bc1529f561c58cd044f723109b93f6fd99f876ff891d64306b5d08f48bab59f38695e9109c4dec34013ba3153488ce070268381ba923ee1eb77125b36afcb4347ec3478c8f2735b06ef17351d872e577fa95d0c397c88c71b59629a36aec"
-
-// Generated by `gpg --export-secret-keys` followed by a manual extraction of
-// the ElGamal subkey from the packets.
-const privKeyElGamalHex = "9d0157044df9ee1a100400eb8e136a58ec39b582629cdadf830bc64e0a94ed8103ca8bb247b27b11b46d1d25297ef4bcc3071785ba0c0bedfe89eabc5287fcc0edf81ab5896c1c8e4b20d27d79813c7aede75320b33eaeeaa586edc00fd1036c10133e6ba0ff277245d0d59d04b2b3421b7244aca5f4a8d870c6f1c1fbff9e1c26699a860b9504f35ca1d700030503fd1ededd3b840795be6d9ccbe3c51ee42e2f39233c432b831ddd9c4e72b7025a819317e47bf94f9ee316d7273b05d5fcf2999c3a681f519b1234bbfa6d359b4752bd9c3f77d6b6456cde152464763414ca130f4e91d91041432f90620fec0e6d6b5116076c2985d5aeaae13be492b9b329efcaf7ee25120159a0a30cd976b42d7afe030302dae7eb80db744d4960c4df930d57e87fe81412eaace9f900e6c839817a614ddb75ba6603b9417c33ea7b6c93967dfa2bcff3fa3c74a5ce2c962db65b03aece14c96cbd0038fc"
-
-// pkcs1PrivKeyHex is a PKCS#1, RSA private key.
-// Generated by `openssl genrsa 1024 | openssl rsa -outform DER  | xxd -p`
-const pkcs1PrivKeyHex = "3082025d02010002818100e98edfa1c3b35884a54d0b36a6a603b0290fa85e49e30fa23fc94fef9c6790bc4849928607aa48d809da326fb42a969d06ad756b98b9c1a90f5d4a2b6d0ac05953c97f4da3120164a21a679793ce181c906dc01d235cc085ddcdf6ea06c389b6ab8885dfd685959e693138856a68a7e5db263337ff82a088d583a897cf2d59e9020301000102818100b6d5c9eb70b02d5369b3ee5b520a14490b5bde8a317d36f7e4c74b7460141311d1e5067735f8f01d6f5908b2b96fbd881f7a1ab9a84d82753e39e19e2d36856be960d05ac9ef8e8782ea1b6d65aee28fdfe1d61451e8cff0adfe84322f12cf455028b581cf60eb9e0e140ba5d21aeba6c2634d7c65318b9a665fc01c3191ca21024100fa5e818da3705b0fa33278bb28d4b6f6050388af2d4b75ec9375dd91ccf2e7d7068086a8b82a8f6282e4fbbdb8a7f2622eb97295249d87acea7f5f816f54d347024100eecf9406d7dc49cdfb95ab1eff4064de84c7a30f64b2798936a0d2018ba9eb52e4b636f82e96c49cc63b80b675e91e40d1b2e4017d4b9adaf33ab3d9cf1c214f024100c173704ace742c082323066226a4655226819a85304c542b9dacbeacbf5d1881ee863485fcf6f59f3a604f9b42289282067447f2b13dfeed3eab7851fc81e0550240741fc41f3fc002b382eed8730e33c5d8de40256e4accee846667f536832f711ab1d4590e7db91a8a116ac5bff3be13d3f9243ff2e976662aa9b395d907f8e9c9024046a5696c9ef882363e06c9fa4e2f5b580906452befba03f4a99d0f873697ef1f851d2226ca7934b30b7c3e80cb634a67172bbbf4781735fe3e09263e2dd723e7"
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key.go
deleted file mode 100644
index ead26233..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/public_key.go
+++ /dev/null
@@ -1,748 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rsa"
-	"crypto/sha1"
-	_ "crypto/sha256"
-	_ "crypto/sha512"
-	"encoding/binary"
-	"fmt"
-	"hash"
-	"io"
-	"math/big"
-	"strconv"
-	"time"
-
-	"golang.org/x/crypto/openpgp/elgamal"
-	"golang.org/x/crypto/openpgp/errors"
-)
-
-var (
-	// NIST curve P-256
-	oidCurveP256 []byte = []byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}
-	// NIST curve P-384
-	oidCurveP384 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x22}
-	// NIST curve P-521
-	oidCurveP521 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x23}
-)
-
-const maxOIDLength = 8
-
-// ecdsaKey stores the algorithm-specific fields for ECDSA keys.
-// as defined in RFC 6637, Section 9.
-type ecdsaKey struct {
-	// oid contains the OID byte sequence identifying the elliptic curve used
-	oid []byte
-	// p contains the elliptic curve point that represents the public key
-	p parsedMPI
-}
-
-// parseOID reads the OID for the curve as defined in RFC 6637, Section 9.
-func parseOID(r io.Reader) (oid []byte, err error) {
-	buf := make([]byte, maxOIDLength)
-	if _, err = readFull(r, buf[:1]); err != nil {
-		return
-	}
-	oidLen := buf[0]
-	if int(oidLen) > len(buf) {
-		err = errors.UnsupportedError("invalid oid length: " + strconv.Itoa(int(oidLen)))
-		return
-	}
-	oid = buf[:oidLen]
-	_, err = readFull(r, oid)
-	return
-}
-
-func (f *ecdsaKey) parse(r io.Reader) (err error) {
-	if f.oid, err = parseOID(r); err != nil {
-		return err
-	}
-	f.p.bytes, f.p.bitLength, err = readMPI(r)
-	return
-}
-
-func (f *ecdsaKey) serialize(w io.Writer) (err error) {
-	buf := make([]byte, maxOIDLength+1)
-	buf[0] = byte(len(f.oid))
-	copy(buf[1:], f.oid)
-	if _, err = w.Write(buf[:len(f.oid)+1]); err != nil {
-		return
-	}
-	return writeMPIs(w, f.p)
-}
-
-func (f *ecdsaKey) newECDSA() (*ecdsa.PublicKey, error) {
-	var c elliptic.Curve
-	if bytes.Equal(f.oid, oidCurveP256) {
-		c = elliptic.P256()
-	} else if bytes.Equal(f.oid, oidCurveP384) {
-		c = elliptic.P384()
-	} else if bytes.Equal(f.oid, oidCurveP521) {
-		c = elliptic.P521()
-	} else {
-		return nil, errors.UnsupportedError(fmt.Sprintf("unsupported oid: %x", f.oid))
-	}
-	x, y := elliptic.Unmarshal(c, f.p.bytes)
-	if x == nil {
-		return nil, errors.UnsupportedError("failed to parse EC point")
-	}
-	return &ecdsa.PublicKey{Curve: c, X: x, Y: y}, nil
-}
-
-func (f *ecdsaKey) byteLen() int {
-	return 1 + len(f.oid) + 2 + len(f.p.bytes)
-}
-
-type kdfHashFunction byte
-type kdfAlgorithm byte
-
-// ecdhKdf stores key derivation function parameters
-// used for ECDH encryption. See RFC 6637, Section 9.
-type ecdhKdf struct {
-	KdfHash kdfHashFunction
-	KdfAlgo kdfAlgorithm
-}
-
-func (f *ecdhKdf) parse(r io.Reader) (err error) {
-	buf := make([]byte, 1)
-	if _, err = readFull(r, buf); err != nil {
-		return
-	}
-	kdfLen := int(buf[0])
-	if kdfLen < 3 {
-		return errors.UnsupportedError("Unsupported ECDH KDF length: " + strconv.Itoa(kdfLen))
-	}
-	buf = make([]byte, kdfLen)
-	if _, err = readFull(r, buf); err != nil {
-		return
-	}
-	reserved := int(buf[0])
-	f.KdfHash = kdfHashFunction(buf[1])
-	f.KdfAlgo = kdfAlgorithm(buf[2])
-	if reserved != 0x01 {
-		return errors.UnsupportedError("Unsupported KDF reserved field: " + strconv.Itoa(reserved))
-	}
-	return
-}
-
-func (f *ecdhKdf) serialize(w io.Writer) (err error) {
-	buf := make([]byte, 4)
-	// See RFC 6637, Section 9, Algorithm-Specific Fields for ECDH keys.
-	buf[0] = byte(0x03) // Length of the following fields
-	buf[1] = byte(0x01) // Reserved for future extensions, must be 1 for now
-	buf[2] = byte(f.KdfHash)
-	buf[3] = byte(f.KdfAlgo)
-	_, err = w.Write(buf[:])
-	return
-}
-
-func (f *ecdhKdf) byteLen() int {
-	return 4
-}
-
-// PublicKey represents an OpenPGP public key. See RFC 4880, section 5.5.2.
-type PublicKey struct {
-	CreationTime time.Time
-	PubKeyAlgo   PublicKeyAlgorithm
-	PublicKey    interface{} // *rsa.PublicKey, *dsa.PublicKey or *ecdsa.PublicKey
-	Fingerprint  [20]byte
-	KeyId        uint64
-	IsSubkey     bool
-
-	n, e, p, q, g, y parsedMPI
-
-	// RFC 6637 fields
-	ec   *ecdsaKey
-	ecdh *ecdhKdf
-}
-
-// signingKey provides a convenient abstraction over signature verification
-// for v3 and v4 public keys.
-type signingKey interface {
-	SerializeSignaturePrefix(io.Writer)
-	serializeWithoutHeaders(io.Writer) error
-}
-
-func fromBig(n *big.Int) parsedMPI {
-	return parsedMPI{
-		bytes:     n.Bytes(),
-		bitLength: uint16(n.BitLen()),
-	}
-}
-
-// NewRSAPublicKey returns a PublicKey that wraps the given rsa.PublicKey.
-func NewRSAPublicKey(creationTime time.Time, pub *rsa.PublicKey) *PublicKey {
-	pk := &PublicKey{
-		CreationTime: creationTime,
-		PubKeyAlgo:   PubKeyAlgoRSA,
-		PublicKey:    pub,
-		n:            fromBig(pub.N),
-		e:            fromBig(big.NewInt(int64(pub.E))),
-	}
-
-	pk.setFingerPrintAndKeyId()
-	return pk
-}
-
-// NewDSAPublicKey returns a PublicKey that wraps the given dsa.PublicKey.
-func NewDSAPublicKey(creationTime time.Time, pub *dsa.PublicKey) *PublicKey {
-	pk := &PublicKey{
-		CreationTime: creationTime,
-		PubKeyAlgo:   PubKeyAlgoDSA,
-		PublicKey:    pub,
-		p:            fromBig(pub.P),
-		q:            fromBig(pub.Q),
-		g:            fromBig(pub.G),
-		y:            fromBig(pub.Y),
-	}
-
-	pk.setFingerPrintAndKeyId()
-	return pk
-}
-
-// NewElGamalPublicKey returns a PublicKey that wraps the given elgamal.PublicKey.
-func NewElGamalPublicKey(creationTime time.Time, pub *elgamal.PublicKey) *PublicKey {
-	pk := &PublicKey{
-		CreationTime: creationTime,
-		PubKeyAlgo:   PubKeyAlgoElGamal,
-		PublicKey:    pub,
-		p:            fromBig(pub.P),
-		g:            fromBig(pub.G),
-		y:            fromBig(pub.Y),
-	}
-
-	pk.setFingerPrintAndKeyId()
-	return pk
-}
-
-func NewECDSAPublicKey(creationTime time.Time, pub *ecdsa.PublicKey) *PublicKey {
-	pk := &PublicKey{
-		CreationTime: creationTime,
-		PubKeyAlgo:   PubKeyAlgoECDSA,
-		PublicKey:    pub,
-		ec:           new(ecdsaKey),
-	}
-
-	switch pub.Curve {
-	case elliptic.P256():
-		pk.ec.oid = oidCurveP256
-	case elliptic.P384():
-		pk.ec.oid = oidCurveP384
-	case elliptic.P521():
-		pk.ec.oid = oidCurveP521
-	default:
-		panic("unknown elliptic curve")
-	}
-
-	pk.ec.p.bytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
-	pk.ec.p.bitLength = uint16(8 * len(pk.ec.p.bytes))
-
-	pk.setFingerPrintAndKeyId()
-	return pk
-}
-
-func (pk *PublicKey) parse(r io.Reader) (err error) {
-	// RFC 4880, section 5.5.2
-	var buf [6]byte
-	_, err = readFull(r, buf[:])
-	if err != nil {
-		return
-	}
-	if buf[0] != 4 {
-		return errors.UnsupportedError("public key version")
-	}
-	pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0)
-	pk.PubKeyAlgo = PublicKeyAlgorithm(buf[5])
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		err = pk.parseRSA(r)
-	case PubKeyAlgoDSA:
-		err = pk.parseDSA(r)
-	case PubKeyAlgoElGamal:
-		err = pk.parseElGamal(r)
-	case PubKeyAlgoECDSA:
-		pk.ec = new(ecdsaKey)
-		if err = pk.ec.parse(r); err != nil {
-			return err
-		}
-		pk.PublicKey, err = pk.ec.newECDSA()
-	case PubKeyAlgoECDH:
-		pk.ec = new(ecdsaKey)
-		if err = pk.ec.parse(r); err != nil {
-			return
-		}
-		pk.ecdh = new(ecdhKdf)
-		if err = pk.ecdh.parse(r); err != nil {
-			return
-		}
-		// The ECDH key is stored in an ecdsa.PublicKey for convenience.
-		pk.PublicKey, err = pk.ec.newECDSA()
-	default:
-		err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo)))
-	}
-	if err != nil {
-		return
-	}
-
-	pk.setFingerPrintAndKeyId()
-	return
-}
-
-func (pk *PublicKey) setFingerPrintAndKeyId() {
-	// RFC 4880, section 12.2
-	fingerPrint := sha1.New()
-	pk.SerializeSignaturePrefix(fingerPrint)
-	pk.serializeWithoutHeaders(fingerPrint)
-	copy(pk.Fingerprint[:], fingerPrint.Sum(nil))
-	pk.KeyId = binary.BigEndian.Uint64(pk.Fingerprint[12:20])
-}
-
-// parseRSA parses RSA public key material from the given Reader. See RFC 4880,
-// section 5.5.2.
-func (pk *PublicKey) parseRSA(r io.Reader) (err error) {
-	pk.n.bytes, pk.n.bitLength, err = readMPI(r)
-	if err != nil {
-		return
-	}
-	pk.e.bytes, pk.e.bitLength, err = readMPI(r)
-	if err != nil {
-		return
-	}
-
-	if len(pk.e.bytes) > 3 {
-		err = errors.UnsupportedError("large public exponent")
-		return
-	}
-	rsa := &rsa.PublicKey{
-		N: new(big.Int).SetBytes(pk.n.bytes),
-		E: 0,
-	}
-	for i := 0; i < len(pk.e.bytes); i++ {
-		rsa.E <<= 8
-		rsa.E |= int(pk.e.bytes[i])
-	}
-	pk.PublicKey = rsa
-	return
-}
-
-// parseDSA parses DSA public key material from the given Reader. See RFC 4880,
-// section 5.5.2.
-func (pk *PublicKey) parseDSA(r io.Reader) (err error) {
-	pk.p.bytes, pk.p.bitLength, err = readMPI(r)
-	if err != nil {
-		return
-	}
-	pk.q.bytes, pk.q.bitLength, err = readMPI(r)
-	if err != nil {
-		return
-	}
-	pk.g.bytes, pk.g.bitLength, err = readMPI(r)
-	if err != nil {
-		return
-	}
-	pk.y.bytes, pk.y.bitLength, err = readMPI(r)
-	if err != nil {
-		return
-	}
-
-	dsa := new(dsa.PublicKey)
-	dsa.P = new(big.Int).SetBytes(pk.p.bytes)
-	dsa.Q = new(big.Int).SetBytes(pk.q.bytes)
-	dsa.G = new(big.Int).SetBytes(pk.g.bytes)
-	dsa.Y = new(big.Int).SetBytes(pk.y.bytes)
-	pk.PublicKey = dsa
-	return
-}
-
-// parseElGamal parses ElGamal public key material from the given Reader. See
-// RFC 4880, section 5.5.2.
-func (pk *PublicKey) parseElGamal(r io.Reader) (err error) {
-	pk.p.bytes, pk.p.bitLength, err = readMPI(r)
-	if err != nil {
-		return
-	}
-	pk.g.bytes, pk.g.bitLength, err = readMPI(r)
-	if err != nil {
-		return
-	}
-	pk.y.bytes, pk.y.bitLength, err = readMPI(r)
-	if err != nil {
-		return
-	}
-
-	elgamal := new(elgamal.PublicKey)
-	elgamal.P = new(big.Int).SetBytes(pk.p.bytes)
-	elgamal.G = new(big.Int).SetBytes(pk.g.bytes)
-	elgamal.Y = new(big.Int).SetBytes(pk.y.bytes)
-	pk.PublicKey = elgamal
-	return
-}
-
-// SerializeSignaturePrefix writes the prefix for this public key to the given Writer.
-// The prefix is used when calculating a signature over this public key. See
-// RFC 4880, section 5.2.4.
-func (pk *PublicKey) SerializeSignaturePrefix(h io.Writer) {
-	var pLength uint16
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		pLength += 2 + uint16(len(pk.n.bytes))
-		pLength += 2 + uint16(len(pk.e.bytes))
-	case PubKeyAlgoDSA:
-		pLength += 2 + uint16(len(pk.p.bytes))
-		pLength += 2 + uint16(len(pk.q.bytes))
-		pLength += 2 + uint16(len(pk.g.bytes))
-		pLength += 2 + uint16(len(pk.y.bytes))
-	case PubKeyAlgoElGamal:
-		pLength += 2 + uint16(len(pk.p.bytes))
-		pLength += 2 + uint16(len(pk.g.bytes))
-		pLength += 2 + uint16(len(pk.y.bytes))
-	case PubKeyAlgoECDSA:
-		pLength += uint16(pk.ec.byteLen())
-	case PubKeyAlgoECDH:
-		pLength += uint16(pk.ec.byteLen())
-		pLength += uint16(pk.ecdh.byteLen())
-	default:
-		panic("unknown public key algorithm")
-	}
-	pLength += 6
-	h.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)})
-	return
-}
-
-func (pk *PublicKey) Serialize(w io.Writer) (err error) {
-	length := 6 // 6 byte header
-
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		length += 2 + len(pk.n.bytes)
-		length += 2 + len(pk.e.bytes)
-	case PubKeyAlgoDSA:
-		length += 2 + len(pk.p.bytes)
-		length += 2 + len(pk.q.bytes)
-		length += 2 + len(pk.g.bytes)
-		length += 2 + len(pk.y.bytes)
-	case PubKeyAlgoElGamal:
-		length += 2 + len(pk.p.bytes)
-		length += 2 + len(pk.g.bytes)
-		length += 2 + len(pk.y.bytes)
-	case PubKeyAlgoECDSA:
-		length += pk.ec.byteLen()
-	case PubKeyAlgoECDH:
-		length += pk.ec.byteLen()
-		length += pk.ecdh.byteLen()
-	default:
-		panic("unknown public key algorithm")
-	}
-
-	packetType := packetTypePublicKey
-	if pk.IsSubkey {
-		packetType = packetTypePublicSubkey
-	}
-	err = serializeHeader(w, packetType, length)
-	if err != nil {
-		return
-	}
-	return pk.serializeWithoutHeaders(w)
-}
-
-// serializeWithoutHeaders marshals the PublicKey to w in the form of an
-// OpenPGP public key packet, not including the packet header.
-func (pk *PublicKey) serializeWithoutHeaders(w io.Writer) (err error) {
-	var buf [6]byte
-	buf[0] = 4
-	t := uint32(pk.CreationTime.Unix())
-	buf[1] = byte(t >> 24)
-	buf[2] = byte(t >> 16)
-	buf[3] = byte(t >> 8)
-	buf[4] = byte(t)
-	buf[5] = byte(pk.PubKeyAlgo)
-
-	_, err = w.Write(buf[:])
-	if err != nil {
-		return
-	}
-
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		return writeMPIs(w, pk.n, pk.e)
-	case PubKeyAlgoDSA:
-		return writeMPIs(w, pk.p, pk.q, pk.g, pk.y)
-	case PubKeyAlgoElGamal:
-		return writeMPIs(w, pk.p, pk.g, pk.y)
-	case PubKeyAlgoECDSA:
-		return pk.ec.serialize(w)
-	case PubKeyAlgoECDH:
-		if err = pk.ec.serialize(w); err != nil {
-			return
-		}
-		return pk.ecdh.serialize(w)
-	}
-	return errors.InvalidArgumentError("bad public-key algorithm")
-}
-
-// CanSign returns true iff this public key can generate signatures
-func (pk *PublicKey) CanSign() bool {
-	return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly && pk.PubKeyAlgo != PubKeyAlgoElGamal
-}
-
-// VerifySignature returns nil iff sig is a valid signature, made by this
-// public key, of the data hashed into signed. signed is mutated by this call.
-func (pk *PublicKey) VerifySignature(signed hash.Hash, sig *Signature) (err error) {
-	if !pk.CanSign() {
-		return errors.InvalidArgumentError("public key cannot generate signatures")
-	}
-
-	signed.Write(sig.HashSuffix)
-	hashBytes := signed.Sum(nil)
-
-	if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
-		return errors.SignatureError("hash tag doesn't match")
-	}
-
-	if pk.PubKeyAlgo != sig.PubKeyAlgo {
-		return errors.InvalidArgumentError("public key and signature use different algorithms")
-	}
-
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
-		rsaPublicKey, _ := pk.PublicKey.(*rsa.PublicKey)
-		err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes)
-		if err != nil {
-			return errors.SignatureError("RSA verification failure")
-		}
-		return nil
-	case PubKeyAlgoDSA:
-		dsaPublicKey, _ := pk.PublicKey.(*dsa.PublicKey)
-		// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
-		subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8
-		if len(hashBytes) > subgroupSize {
-			hashBytes = hashBytes[:subgroupSize]
-		}
-		if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) {
-			return errors.SignatureError("DSA verification failure")
-		}
-		return nil
-	case PubKeyAlgoECDSA:
-		ecdsaPublicKey := pk.PublicKey.(*ecdsa.PublicKey)
-		if !ecdsa.Verify(ecdsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.ECDSASigR.bytes), new(big.Int).SetBytes(sig.ECDSASigS.bytes)) {
-			return errors.SignatureError("ECDSA verification failure")
-		}
-		return nil
-	default:
-		return errors.SignatureError("Unsupported public key algorithm used in signature")
-	}
-}
-
-// VerifySignatureV3 returns nil iff sig is a valid signature, made by this
-// public key, of the data hashed into signed. signed is mutated by this call.
-func (pk *PublicKey) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) {
-	if !pk.CanSign() {
-		return errors.InvalidArgumentError("public key cannot generate signatures")
-	}
-
-	suffix := make([]byte, 5)
-	suffix[0] = byte(sig.SigType)
-	binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix()))
-	signed.Write(suffix)
-	hashBytes := signed.Sum(nil)
-
-	if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
-		return errors.SignatureError("hash tag doesn't match")
-	}
-
-	if pk.PubKeyAlgo != sig.PubKeyAlgo {
-		return errors.InvalidArgumentError("public key and signature use different algorithms")
-	}
-
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
-		rsaPublicKey := pk.PublicKey.(*rsa.PublicKey)
-		if err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil {
-			return errors.SignatureError("RSA verification failure")
-		}
-		return
-	case PubKeyAlgoDSA:
-		dsaPublicKey := pk.PublicKey.(*dsa.PublicKey)
-		// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
-		subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8
-		if len(hashBytes) > subgroupSize {
-			hashBytes = hashBytes[:subgroupSize]
-		}
-		if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) {
-			return errors.SignatureError("DSA verification failure")
-		}
-		return nil
-	default:
-		panic("shouldn't happen")
-	}
-}
-
-// keySignatureHash returns a Hash of the message that needs to be signed for
-// pk to assert a subkey relationship to signed.
-func keySignatureHash(pk, signed signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) {
-	if !hashFunc.Available() {
-		return nil, errors.UnsupportedError("hash function")
-	}
-	h = hashFunc.New()
-
-	// RFC 4880, section 5.2.4
-	pk.SerializeSignaturePrefix(h)
-	pk.serializeWithoutHeaders(h)
-	signed.SerializeSignaturePrefix(h)
-	signed.serializeWithoutHeaders(h)
-	return
-}
-
-// VerifyKeySignature returns nil iff sig is a valid signature, made by this
-// public key, of signed.
-func (pk *PublicKey) VerifyKeySignature(signed *PublicKey, sig *Signature) error {
-	h, err := keySignatureHash(pk, signed, sig.Hash)
-	if err != nil {
-		return err
-	}
-	if err = pk.VerifySignature(h, sig); err != nil {
-		return err
-	}
-
-	if sig.FlagSign {
-		// Signing subkeys must be cross-signed. See
-		// https://www.gnupg.org/faq/subkey-cross-certify.html.
-		if sig.EmbeddedSignature == nil {
-			return errors.StructuralError("signing subkey is missing cross-signature")
-		}
-		// Verify the cross-signature. This is calculated over the same
-		// data as the main signature, so we cannot just recursively
-		// call signed.VerifyKeySignature(...)
-		if h, err = keySignatureHash(pk, signed, sig.EmbeddedSignature.Hash); err != nil {
-			return errors.StructuralError("error while hashing for cross-signature: " + err.Error())
-		}
-		if err := signed.VerifySignature(h, sig.EmbeddedSignature); err != nil {
-			return errors.StructuralError("error while verifying cross-signature: " + err.Error())
-		}
-	}
-
-	return nil
-}
-
-func keyRevocationHash(pk signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) {
-	if !hashFunc.Available() {
-		return nil, errors.UnsupportedError("hash function")
-	}
-	h = hashFunc.New()
-
-	// RFC 4880, section 5.2.4
-	pk.SerializeSignaturePrefix(h)
-	pk.serializeWithoutHeaders(h)
-
-	return
-}
-
-// VerifyRevocationSignature returns nil iff sig is a valid signature, made by this
-// public key.
-func (pk *PublicKey) VerifyRevocationSignature(sig *Signature) (err error) {
-	h, err := keyRevocationHash(pk, sig.Hash)
-	if err != nil {
-		return err
-	}
-	return pk.VerifySignature(h, sig)
-}
-
-// userIdSignatureHash returns a Hash of the message that needs to be signed
-// to assert that pk is a valid key for id.
-func userIdSignatureHash(id string, pk *PublicKey, hashFunc crypto.Hash) (h hash.Hash, err error) {
-	if !hashFunc.Available() {
-		return nil, errors.UnsupportedError("hash function")
-	}
-	h = hashFunc.New()
-
-	// RFC 4880, section 5.2.4
-	pk.SerializeSignaturePrefix(h)
-	pk.serializeWithoutHeaders(h)
-
-	var buf [5]byte
-	buf[0] = 0xb4
-	buf[1] = byte(len(id) >> 24)
-	buf[2] = byte(len(id) >> 16)
-	buf[3] = byte(len(id) >> 8)
-	buf[4] = byte(len(id))
-	h.Write(buf[:])
-	h.Write([]byte(id))
-
-	return
-}
-
-// VerifyUserIdSignature returns nil iff sig is a valid signature, made by this
-// public key, that id is the identity of pub.
-func (pk *PublicKey) VerifyUserIdSignature(id string, pub *PublicKey, sig *Signature) (err error) {
-	h, err := userIdSignatureHash(id, pub, sig.Hash)
-	if err != nil {
-		return err
-	}
-	return pk.VerifySignature(h, sig)
-}
-
-// VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this
-// public key, that id is the identity of pub.
-func (pk *PublicKey) VerifyUserIdSignatureV3(id string, pub *PublicKey, sig *SignatureV3) (err error) {
-	h, err := userIdSignatureV3Hash(id, pub, sig.Hash)
-	if err != nil {
-		return err
-	}
-	return pk.VerifySignatureV3(h, sig)
-}
-
-// KeyIdString returns the public key's fingerprint in capital hex
-// (e.g. "6C7EE1B8621CC013").
-func (pk *PublicKey) KeyIdString() string {
-	return fmt.Sprintf("%X", pk.Fingerprint[12:20])
-}
-
-// KeyIdShortString returns the short form of public key's fingerprint
-// in capital hex, as shown by gpg --list-keys (e.g. "621CC013").
-func (pk *PublicKey) KeyIdShortString() string {
-	return fmt.Sprintf("%X", pk.Fingerprint[16:20])
-}
-
-// A parsedMPI is used to store the contents of a big integer, along with the
-// bit length that was specified in the original input. This allows the MPI to
-// be reserialized exactly.
-type parsedMPI struct {
-	bytes     []byte
-	bitLength uint16
-}
-
-// writeMPIs is a utility function for serializing several big integers to the
-// given Writer.
-func writeMPIs(w io.Writer, mpis ...parsedMPI) (err error) {
-	for _, mpi := range mpis {
-		err = writeMPI(w, mpi.bitLength, mpi.bytes)
-		if err != nil {
-			return
-		}
-	}
-	return
-}
-
-// BitLength returns the bit length for the given public key.
-func (pk *PublicKey) BitLength() (bitLength uint16, err error) {
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		bitLength = pk.n.bitLength
-	case PubKeyAlgoDSA:
-		bitLength = pk.p.bitLength
-	case PubKeyAlgoElGamal:
-		bitLength = pk.p.bitLength
-	default:
-		err = errors.InvalidArgumentError("bad public-key algorithm")
-	}
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key_test.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key_test.go
deleted file mode 100644
index 7ad7d918..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/public_key_test.go
+++ /dev/null
@@ -1,202 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"encoding/hex"
-	"testing"
-	"time"
-)
-
-var pubKeyTests = []struct {
-	hexData        string
-	hexFingerprint string
-	creationTime   time.Time
-	pubKeyAlgo     PublicKeyAlgorithm
-	keyId          uint64
-	keyIdString    string
-	keyIdShort     string
-}{
-	{rsaPkDataHex, rsaFingerprintHex, time.Unix(0x4d3c5c10, 0), PubKeyAlgoRSA, 0xa34d7e18c20c31bb, "A34D7E18C20C31BB", "C20C31BB"},
-	{dsaPkDataHex, dsaFingerprintHex, time.Unix(0x4d432f89, 0), PubKeyAlgoDSA, 0x8e8fbe54062f19ed, "8E8FBE54062F19ED", "062F19ED"},
-	{ecdsaPkDataHex, ecdsaFingerprintHex, time.Unix(0x5071c294, 0), PubKeyAlgoECDSA, 0x43fe956c542ca00b, "43FE956C542CA00B", "542CA00B"},
-}
-
-func TestPublicKeyRead(t *testing.T) {
-	for i, test := range pubKeyTests {
-		packet, err := Read(readerFromHex(test.hexData))
-		if err != nil {
-			t.Errorf("#%d: Read error: %s", i, err)
-			continue
-		}
-		pk, ok := packet.(*PublicKey)
-		if !ok {
-			t.Errorf("#%d: failed to parse, got: %#v", i, packet)
-			continue
-		}
-		if pk.PubKeyAlgo != test.pubKeyAlgo {
-			t.Errorf("#%d: bad public key algorithm got:%x want:%x", i, pk.PubKeyAlgo, test.pubKeyAlgo)
-		}
-		if !pk.CreationTime.Equal(test.creationTime) {
-			t.Errorf("#%d: bad creation time got:%v want:%v", i, pk.CreationTime, test.creationTime)
-		}
-		expectedFingerprint, _ := hex.DecodeString(test.hexFingerprint)
-		if !bytes.Equal(expectedFingerprint, pk.Fingerprint[:]) {
-			t.Errorf("#%d: bad fingerprint got:%x want:%x", i, pk.Fingerprint[:], expectedFingerprint)
-		}
-		if pk.KeyId != test.keyId {
-			t.Errorf("#%d: bad keyid got:%x want:%x", i, pk.KeyId, test.keyId)
-		}
-		if g, e := pk.KeyIdString(), test.keyIdString; g != e {
-			t.Errorf("#%d: bad KeyIdString got:%q want:%q", i, g, e)
-		}
-		if g, e := pk.KeyIdShortString(), test.keyIdShort; g != e {
-			t.Errorf("#%d: bad KeyIdShortString got:%q want:%q", i, g, e)
-		}
-	}
-}
-
-func TestPublicKeySerialize(t *testing.T) {
-	for i, test := range pubKeyTests {
-		packet, err := Read(readerFromHex(test.hexData))
-		if err != nil {
-			t.Errorf("#%d: Read error: %s", i, err)
-			continue
-		}
-		pk, ok := packet.(*PublicKey)
-		if !ok {
-			t.Errorf("#%d: failed to parse, got: %#v", i, packet)
-			continue
-		}
-		serializeBuf := bytes.NewBuffer(nil)
-		err = pk.Serialize(serializeBuf)
-		if err != nil {
-			t.Errorf("#%d: failed to serialize: %s", i, err)
-			continue
-		}
-
-		packet, err = Read(serializeBuf)
-		if err != nil {
-			t.Errorf("#%d: Read error (from serialized data): %s", i, err)
-			continue
-		}
-		pk, ok = packet.(*PublicKey)
-		if !ok {
-			t.Errorf("#%d: failed to parse serialized data, got: %#v", i, packet)
-			continue
-		}
-	}
-}
-
-func TestEcc384Serialize(t *testing.T) {
-	r := readerFromHex(ecc384PubHex)
-	var w bytes.Buffer
-	for i := 0; i < 2; i++ {
-		// Public key
-		p, err := Read(r)
-		if err != nil {
-			t.Error(err)
-		}
-		pubkey := p.(*PublicKey)
-		if !bytes.Equal(pubkey.ec.oid, []byte{0x2b, 0x81, 0x04, 0x00, 0x22}) {
-			t.Errorf("Unexpected pubkey OID: %x", pubkey.ec.oid)
-		}
-		if !bytes.Equal(pubkey.ec.p.bytes[:5], []byte{0x04, 0xf6, 0xb8, 0xc5, 0xac}) {
-			t.Errorf("Unexpected pubkey P[:5]: %x", pubkey.ec.p.bytes)
-		}
-		if pubkey.KeyId != 0x098033880F54719F {
-			t.Errorf("Unexpected pubkey ID: %x", pubkey.KeyId)
-		}
-		err = pubkey.Serialize(&w)
-		if err != nil {
-			t.Error(err)
-		}
-		// User ID
-		p, err = Read(r)
-		if err != nil {
-			t.Error(err)
-		}
-		uid := p.(*UserId)
-		if uid.Id != "ec_dsa_dh_384 <openpgp@brainhub.org>" {
-			t.Error("Unexpected UID:", uid.Id)
-		}
-		err = uid.Serialize(&w)
-		if err != nil {
-			t.Error(err)
-		}
-		// User ID Sig
-		p, err = Read(r)
-		if err != nil {
-			t.Error(err)
-		}
-		uidSig := p.(*Signature)
-		err = pubkey.VerifyUserIdSignature(uid.Id, pubkey, uidSig)
-		if err != nil {
-			t.Error(err, ": UID")
-		}
-		err = uidSig.Serialize(&w)
-		if err != nil {
-			t.Error(err)
-		}
-		// Subkey
-		p, err = Read(r)
-		if err != nil {
-			t.Error(err)
-		}
-		subkey := p.(*PublicKey)
-		if !bytes.Equal(subkey.ec.oid, []byte{0x2b, 0x81, 0x04, 0x00, 0x22}) {
-			t.Errorf("Unexpected subkey OID: %x", subkey.ec.oid)
-		}
-		if !bytes.Equal(subkey.ec.p.bytes[:5], []byte{0x04, 0x2f, 0xaa, 0x84, 0x02}) {
-			t.Errorf("Unexpected subkey P[:5]: %x", subkey.ec.p.bytes)
-		}
-		if subkey.ecdh.KdfHash != 0x09 {
-			t.Error("Expected KDF hash function SHA384 (0x09), got", subkey.ecdh.KdfHash)
-		}
-		if subkey.ecdh.KdfAlgo != 0x09 {
-			t.Error("Expected KDF symmetric alg AES256 (0x09), got", subkey.ecdh.KdfAlgo)
-		}
-		if subkey.KeyId != 0xAA8B938F9A201946 {
-			t.Errorf("Unexpected subkey ID: %x", subkey.KeyId)
-		}
-		err = subkey.Serialize(&w)
-		if err != nil {
-			t.Error(err)
-		}
-		// Subkey Sig
-		p, err = Read(r)
-		if err != nil {
-			t.Error(err)
-		}
-		subkeySig := p.(*Signature)
-		err = pubkey.VerifyKeySignature(subkey, subkeySig)
-		if err != nil {
-			t.Error(err)
-		}
-		err = subkeySig.Serialize(&w)
-		if err != nil {
-			t.Error(err)
-		}
-		// Now read back what we've written again
-		r = bytes.NewBuffer(w.Bytes())
-		w.Reset()
-	}
-}
-
-const rsaFingerprintHex = "5fb74b1d03b1e3cb31bc2f8aa34d7e18c20c31bb"
-
-const rsaPkDataHex = "988d044d3c5c10010400b1d13382944bd5aba23a4312968b5095d14f947f600eb478e14a6fcb16b0e0cac764884909c020bc495cfcc39a935387c661507bdb236a0612fb582cac3af9b29cc2c8c70090616c41b662f4da4c1201e195472eb7f4ae1ccbcbf9940fe21d985e379a5563dde5b9a23d35f1cfaa5790da3b79db26f23695107bfaca8e7b5bcd0011010001"
-
-const dsaFingerprintHex = "eece4c094db002103714c63c8e8fbe54062f19ed"
-
-const dsaPkDataHex = "9901a2044d432f89110400cd581334f0d7a1e1bdc8b9d6d8c0baf68793632735d2bb0903224cbaa1dfbf35a60ee7a13b92643421e1eb41aa8d79bea19a115a677f6b8ba3c7818ce53a6c2a24a1608bd8b8d6e55c5090cbde09dd26e356267465ae25e69ec8bdd57c7bbb2623e4d73336f73a0a9098f7f16da2e25252130fd694c0e8070c55a812a423ae7f00a0ebf50e70c2f19c3520a551bd4b08d30f23530d3d03ff7d0bf4a53a64a09dc5e6e6e35854b7d70c882b0c60293401958b1bd9e40abec3ea05ba87cf64899299d4bd6aa7f459c201d3fbbd6c82004bdc5e8a9eb8082d12054cc90fa9d4ec251a843236a588bf49552441817436c4f43326966fe85447d4e6d0acf8fa1ef0f014730770603ad7634c3088dc52501c237328417c31c89ed70400b2f1a98b0bf42f11fefc430704bebbaa41d9f355600c3facee1e490f64208e0e094ea55e3a598a219a58500bf78ac677b670a14f4e47e9cf8eab4f368cc1ddcaa18cc59309d4cc62dd4f680e73e6cc3e1ce87a84d0925efbcb26c575c093fc42eecf45135fabf6403a25c2016e1774c0484e440a18319072c617cc97ac0a3bb0"
-
-const ecdsaFingerprintHex = "9892270b38b8980b05c8d56d43fe956c542ca00b"
-
-const ecdsaPkDataHex = "9893045071c29413052b8104002304230401f4867769cedfa52c325018896245443968e52e51d0c2df8d939949cb5b330f2921711fbee1c9b9dddb95d15cb0255e99badeddda7cc23d9ddcaacbc290969b9f24019375d61c2e4e3b36953a28d8b2bc95f78c3f1d592fb24499be348656a7b17e3963187b4361afe497bc5f9f81213f04069f8e1fb9e6a6290ae295ca1a92b894396cb4"
-
-// Source: https://sites.google.com/site/brainhub/pgpecckeys#TOC-ECC-NIST-P-384-key
-const ecc384PubHex = `99006f044d53059213052b81040022030304f6b8c5aced5b84ef9f4a209db2e4a9dfb70d28cb8c10ecd57674a9fa5a67389942b62d5e51367df4c7bfd3f8e500feecf07ed265a621a8ebbbe53e947ec78c677eba143bd1533c2b350e1c29f82313e1e1108eba063be1e64b10e6950e799c2db42465635f6473615f64685f333834203c6f70656e70677040627261696e6875622e6f72673e8900cb04101309005305024d530592301480000000002000077072656665727265642d656d61696c2d656e636f64696e67407067702e636f6d7067706d696d65040b090807021901051b03000000021602051e010000000415090a08000a0910098033880f54719fca2b0180aa37350968bd5f115afd8ce7bc7b103822152dbff06d0afcda835329510905b98cb469ba208faab87c7412b799e7b633017f58364ea480e8a1a3f253a0c5f22c446e8be9a9fce6210136ee30811abbd49139de28b5bdf8dc36d06ae748579e9ff503b90073044d53059212052b810400220303042faa84024a20b6735c4897efa5bfb41bf85b7eefeab5ca0cb9ffc8ea04a46acb25534a577694f9e25340a4ab5223a9dd1eda530c8aa2e6718db10d7e672558c7736fe09369ea5739a2a3554bf16d41faa50562f11c6d39bbd5dffb6b9a9ec9180301090989008404181309000c05024d530592051b0c000000000a0910098033880f54719f80970180eee7a6d8fcee41ee4f9289df17f9bcf9d955dca25c583b94336f3a2b2d4986dc5cf417b8d2dc86f741a9e1a6d236c0e3017d1c76575458a0cfb93ae8a2b274fcc65ceecd7a91eec83656ba13219969f06945b48c56bd04152c3a0553c5f2f4bd1267`
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go
deleted file mode 100644
index 5daf7b6c..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go
+++ /dev/null
@@ -1,279 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"crypto"
-	"crypto/md5"
-	"crypto/rsa"
-	"encoding/binary"
-	"fmt"
-	"hash"
-	"io"
-	"math/big"
-	"strconv"
-	"time"
-
-	"golang.org/x/crypto/openpgp/errors"
-)
-
-// PublicKeyV3 represents older, version 3 public keys. These keys are less secure and
-// should not be used for signing or encrypting. They are supported here only for
-// parsing version 3 key material and validating signatures.
-// See RFC 4880, section 5.5.2.
-type PublicKeyV3 struct {
-	CreationTime time.Time
-	DaysToExpire uint16
-	PubKeyAlgo   PublicKeyAlgorithm
-	PublicKey    *rsa.PublicKey
-	Fingerprint  [16]byte
-	KeyId        uint64
-	IsSubkey     bool
-
-	n, e parsedMPI
-}
-
-// newRSAPublicKeyV3 returns a PublicKey that wraps the given rsa.PublicKey.
-// Included here for testing purposes only. RFC 4880, section 5.5.2:
-// "an implementation MUST NOT generate a V3 key, but MAY accept it."
-func newRSAPublicKeyV3(creationTime time.Time, pub *rsa.PublicKey) *PublicKeyV3 {
-	pk := &PublicKeyV3{
-		CreationTime: creationTime,
-		PublicKey:    pub,
-		n:            fromBig(pub.N),
-		e:            fromBig(big.NewInt(int64(pub.E))),
-	}
-
-	pk.setFingerPrintAndKeyId()
-	return pk
-}
-
-func (pk *PublicKeyV3) parse(r io.Reader) (err error) {
-	// RFC 4880, section 5.5.2
-	var buf [8]byte
-	if _, err = readFull(r, buf[:]); err != nil {
-		return
-	}
-	if buf[0] < 2 || buf[0] > 3 {
-		return errors.UnsupportedError("public key version")
-	}
-	pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0)
-	pk.DaysToExpire = binary.BigEndian.Uint16(buf[5:7])
-	pk.PubKeyAlgo = PublicKeyAlgorithm(buf[7])
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		err = pk.parseRSA(r)
-	default:
-		err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo)))
-	}
-	if err != nil {
-		return
-	}
-
-	pk.setFingerPrintAndKeyId()
-	return
-}
-
-func (pk *PublicKeyV3) setFingerPrintAndKeyId() {
-	// RFC 4880, section 12.2
-	fingerPrint := md5.New()
-	fingerPrint.Write(pk.n.bytes)
-	fingerPrint.Write(pk.e.bytes)
-	fingerPrint.Sum(pk.Fingerprint[:0])
-	pk.KeyId = binary.BigEndian.Uint64(pk.n.bytes[len(pk.n.bytes)-8:])
-}
-
-// parseRSA parses RSA public key material from the given Reader. See RFC 4880,
-// section 5.5.2.
-func (pk *PublicKeyV3) parseRSA(r io.Reader) (err error) {
-	if pk.n.bytes, pk.n.bitLength, err = readMPI(r); err != nil {
-		return
-	}
-	if pk.e.bytes, pk.e.bitLength, err = readMPI(r); err != nil {
-		return
-	}
-
-	// RFC 4880 Section 12.2 requires the low 8 bytes of the
-	// modulus to form the key id.
-	if len(pk.n.bytes) < 8 {
-		return errors.StructuralError("v3 public key modulus is too short")
-	}
-	if len(pk.e.bytes) > 3 {
-		err = errors.UnsupportedError("large public exponent")
-		return
-	}
-	rsa := &rsa.PublicKey{N: new(big.Int).SetBytes(pk.n.bytes)}
-	for i := 0; i < len(pk.e.bytes); i++ {
-		rsa.E <<= 8
-		rsa.E |= int(pk.e.bytes[i])
-	}
-	pk.PublicKey = rsa
-	return
-}
-
-// SerializeSignaturePrefix writes the prefix for this public key to the given Writer.
-// The prefix is used when calculating a signature over this public key. See
-// RFC 4880, section 5.2.4.
-func (pk *PublicKeyV3) SerializeSignaturePrefix(w io.Writer) {
-	var pLength uint16
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		pLength += 2 + uint16(len(pk.n.bytes))
-		pLength += 2 + uint16(len(pk.e.bytes))
-	default:
-		panic("unknown public key algorithm")
-	}
-	pLength += 6
-	w.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)})
-	return
-}
-
-func (pk *PublicKeyV3) Serialize(w io.Writer) (err error) {
-	length := 8 // 8 byte header
-
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		length += 2 + len(pk.n.bytes)
-		length += 2 + len(pk.e.bytes)
-	default:
-		panic("unknown public key algorithm")
-	}
-
-	packetType := packetTypePublicKey
-	if pk.IsSubkey {
-		packetType = packetTypePublicSubkey
-	}
-	if err = serializeHeader(w, packetType, length); err != nil {
-		return
-	}
-	return pk.serializeWithoutHeaders(w)
-}
-
-// serializeWithoutHeaders marshals the PublicKey to w in the form of an
-// OpenPGP public key packet, not including the packet header.
-func (pk *PublicKeyV3) serializeWithoutHeaders(w io.Writer) (err error) {
-	var buf [8]byte
-	// Version 3
-	buf[0] = 3
-	// Creation time
-	t := uint32(pk.CreationTime.Unix())
-	buf[1] = byte(t >> 24)
-	buf[2] = byte(t >> 16)
-	buf[3] = byte(t >> 8)
-	buf[4] = byte(t)
-	// Days to expire
-	buf[5] = byte(pk.DaysToExpire >> 8)
-	buf[6] = byte(pk.DaysToExpire)
-	// Public key algorithm
-	buf[7] = byte(pk.PubKeyAlgo)
-
-	if _, err = w.Write(buf[:]); err != nil {
-		return
-	}
-
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		return writeMPIs(w, pk.n, pk.e)
-	}
-	return errors.InvalidArgumentError("bad public-key algorithm")
-}
-
-// CanSign returns true iff this public key can generate signatures
-func (pk *PublicKeyV3) CanSign() bool {
-	return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly
-}
-
-// VerifySignatureV3 returns nil iff sig is a valid signature, made by this
-// public key, of the data hashed into signed. signed is mutated by this call.
-func (pk *PublicKeyV3) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) {
-	if !pk.CanSign() {
-		return errors.InvalidArgumentError("public key cannot generate signatures")
-	}
-
-	suffix := make([]byte, 5)
-	suffix[0] = byte(sig.SigType)
-	binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix()))
-	signed.Write(suffix)
-	hashBytes := signed.Sum(nil)
-
-	if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
-		return errors.SignatureError("hash tag doesn't match")
-	}
-
-	if pk.PubKeyAlgo != sig.PubKeyAlgo {
-		return errors.InvalidArgumentError("public key and signature use different algorithms")
-	}
-
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
-		if err = rsa.VerifyPKCS1v15(pk.PublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil {
-			return errors.SignatureError("RSA verification failure")
-		}
-		return
-	default:
-		// V3 public keys only support RSA.
-		panic("shouldn't happen")
-	}
-}
-
-// VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this
-// public key, that id is the identity of pub.
-func (pk *PublicKeyV3) VerifyUserIdSignatureV3(id string, pub *PublicKeyV3, sig *SignatureV3) (err error) {
-	h, err := userIdSignatureV3Hash(id, pk, sig.Hash)
-	if err != nil {
-		return err
-	}
-	return pk.VerifySignatureV3(h, sig)
-}
-
-// VerifyKeySignatureV3 returns nil iff sig is a valid signature, made by this
-// public key, of signed.
-func (pk *PublicKeyV3) VerifyKeySignatureV3(signed *PublicKeyV3, sig *SignatureV3) (err error) {
-	h, err := keySignatureHash(pk, signed, sig.Hash)
-	if err != nil {
-		return err
-	}
-	return pk.VerifySignatureV3(h, sig)
-}
-
-// userIdSignatureV3Hash returns a Hash of the message that needs to be signed
-// to assert that pk is a valid key for id.
-func userIdSignatureV3Hash(id string, pk signingKey, hfn crypto.Hash) (h hash.Hash, err error) {
-	if !hfn.Available() {
-		return nil, errors.UnsupportedError("hash function")
-	}
-	h = hfn.New()
-
-	// RFC 4880, section 5.2.4
-	pk.SerializeSignaturePrefix(h)
-	pk.serializeWithoutHeaders(h)
-
-	h.Write([]byte(id))
-
-	return
-}
-
-// KeyIdString returns the public key's fingerprint in capital hex
-// (e.g. "6C7EE1B8621CC013").
-func (pk *PublicKeyV3) KeyIdString() string {
-	return fmt.Sprintf("%X", pk.KeyId)
-}
-
-// KeyIdShortString returns the short form of public key's fingerprint
-// in capital hex, as shown by gpg --list-keys (e.g. "621CC013").
-func (pk *PublicKeyV3) KeyIdShortString() string {
-	return fmt.Sprintf("%X", pk.KeyId&0xFFFFFFFF)
-}
-
-// BitLength returns the bit length for the given public key.
-func (pk *PublicKeyV3) BitLength() (bitLength uint16, err error) {
-	switch pk.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
-		bitLength = pk.n.bitLength
-	default:
-		err = errors.InvalidArgumentError("bad public-key algorithm")
-	}
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3_test.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3_test.go
deleted file mode 100644
index e0640590..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3_test.go
+++ /dev/null
@@ -1,82 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"encoding/hex"
-	"testing"
-	"time"
-)
-
-var pubKeyV3Test = struct {
-	hexFingerprint string
-	creationTime   time.Time
-	pubKeyAlgo     PublicKeyAlgorithm
-	keyId          uint64
-	keyIdString    string
-	keyIdShort     string
-}{
-	"103BECF5BD1E837C89D19E98487767F7",
-	time.Unix(779753634, 0),
-	PubKeyAlgoRSA,
-	0xDE0F188A5DA5E3C9,
-	"DE0F188A5DA5E3C9",
-	"5DA5E3C9"}
-
-func TestPublicKeyV3Read(t *testing.T) {
-	i, test := 0, pubKeyV3Test
-	packet, err := Read(v3KeyReader(t))
-	if err != nil {
-		t.Fatalf("#%d: Read error: %s", i, err)
-	}
-	pk, ok := packet.(*PublicKeyV3)
-	if !ok {
-		t.Fatalf("#%d: failed to parse, got: %#v", i, packet)
-	}
-	if pk.PubKeyAlgo != test.pubKeyAlgo {
-		t.Errorf("#%d: bad public key algorithm got:%x want:%x", i, pk.PubKeyAlgo, test.pubKeyAlgo)
-	}
-	if !pk.CreationTime.Equal(test.creationTime) {
-		t.Errorf("#%d: bad creation time got:%v want:%v", i, pk.CreationTime, test.creationTime)
-	}
-	expectedFingerprint, _ := hex.DecodeString(test.hexFingerprint)
-	if !bytes.Equal(expectedFingerprint, pk.Fingerprint[:]) {
-		t.Errorf("#%d: bad fingerprint got:%x want:%x", i, pk.Fingerprint[:], expectedFingerprint)
-	}
-	if pk.KeyId != test.keyId {
-		t.Errorf("#%d: bad keyid got:%x want:%x", i, pk.KeyId, test.keyId)
-	}
-	if g, e := pk.KeyIdString(), test.keyIdString; g != e {
-		t.Errorf("#%d: bad KeyIdString got:%q want:%q", i, g, e)
-	}
-	if g, e := pk.KeyIdShortString(), test.keyIdShort; g != e {
-		t.Errorf("#%d: bad KeyIdShortString got:%q want:%q", i, g, e)
-	}
-}
-
-func TestPublicKeyV3Serialize(t *testing.T) {
-	//for i, test := range pubKeyV3Tests {
-	i := 0
-	packet, err := Read(v3KeyReader(t))
-	if err != nil {
-		t.Fatalf("#%d: Read error: %s", i, err)
-	}
-	pk, ok := packet.(*PublicKeyV3)
-	if !ok {
-		t.Fatalf("#%d: failed to parse, got: %#v", i, packet)
-	}
-	var serializeBuf bytes.Buffer
-	if err = pk.Serialize(&serializeBuf); err != nil {
-		t.Fatalf("#%d: failed to serialize: %s", i, err)
-	}
-
-	if packet, err = Read(bytes.NewBuffer(serializeBuf.Bytes())); err != nil {
-		t.Fatalf("#%d: Read error (from serialized data): %s", i, err)
-	}
-	if pk, ok = packet.(*PublicKeyV3); !ok {
-		t.Fatalf("#%d: failed to parse serialized data, got: %#v", i, packet)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/reader.go b/vendor/golang.org/x/crypto/openpgp/packet/reader.go
deleted file mode 100644
index 34bc7c61..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/reader.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"golang.org/x/crypto/openpgp/errors"
-	"io"
-)
-
-// Reader reads packets from an io.Reader and allows packets to be 'unread' so
-// that they result from the next call to Next.
-type Reader struct {
-	q       []Packet
-	readers []io.Reader
-}
-
-// New io.Readers are pushed when a compressed or encrypted packet is processed
-// and recursively treated as a new source of packets. However, a carefully
-// crafted packet can trigger an infinite recursive sequence of packets. See
-// http://mumble.net/~campbell/misc/pgp-quine
-// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4402
-// This constant limits the number of recursive packets that may be pushed.
-const maxReaders = 32
-
-// Next returns the most recently unread Packet, or reads another packet from
-// the top-most io.Reader. Unknown packet types are skipped.
-func (r *Reader) Next() (p Packet, err error) {
-	if len(r.q) > 0 {
-		p = r.q[len(r.q)-1]
-		r.q = r.q[:len(r.q)-1]
-		return
-	}
-
-	for len(r.readers) > 0 {
-		p, err = Read(r.readers[len(r.readers)-1])
-		if err == nil {
-			return
-		}
-		if err == io.EOF {
-			r.readers = r.readers[:len(r.readers)-1]
-			continue
-		}
-		if _, ok := err.(errors.UnknownPacketTypeError); !ok {
-			return nil, err
-		}
-	}
-
-	return nil, io.EOF
-}
-
-// Push causes the Reader to start reading from a new io.Reader. When an EOF
-// error is seen from the new io.Reader, it is popped and the Reader continues
-// to read from the next most recent io.Reader. Push returns a StructuralError
-// if pushing the reader would exceed the maximum recursion level, otherwise it
-// returns nil.
-func (r *Reader) Push(reader io.Reader) (err error) {
-	if len(r.readers) >= maxReaders {
-		return errors.StructuralError("too many layers of packets")
-	}
-	r.readers = append(r.readers, reader)
-	return nil
-}
-
-// Unread causes the given Packet to be returned from the next call to Next.
-func (r *Reader) Unread(p Packet) {
-	r.q = append(r.q, p)
-}
-
-func NewReader(r io.Reader) *Reader {
-	return &Reader{
-		q:       nil,
-		readers: []io.Reader{r},
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature.go b/vendor/golang.org/x/crypto/openpgp/packet/signature.go
deleted file mode 100644
index 6ce0cbed..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/signature.go
+++ /dev/null
@@ -1,731 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"encoding/asn1"
-	"encoding/binary"
-	"hash"
-	"io"
-	"math/big"
-	"strconv"
-	"time"
-
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/s2k"
-)
-
-const (
-	// See RFC 4880, section 5.2.3.21 for details.
-	KeyFlagCertify = 1 << iota
-	KeyFlagSign
-	KeyFlagEncryptCommunications
-	KeyFlagEncryptStorage
-)
-
-// Signature represents a signature. See RFC 4880, section 5.2.
-type Signature struct {
-	SigType    SignatureType
-	PubKeyAlgo PublicKeyAlgorithm
-	Hash       crypto.Hash
-
-	// HashSuffix is extra data that is hashed in after the signed data.
-	HashSuffix []byte
-	// HashTag contains the first two bytes of the hash for fast rejection
-	// of bad signed data.
-	HashTag      [2]byte
-	CreationTime time.Time
-
-	RSASignature         parsedMPI
-	DSASigR, DSASigS     parsedMPI
-	ECDSASigR, ECDSASigS parsedMPI
-
-	// rawSubpackets contains the unparsed subpackets, in order.
-	rawSubpackets []outputSubpacket
-
-	// The following are optional so are nil when not included in the
-	// signature.
-
-	SigLifetimeSecs, KeyLifetimeSecs                        *uint32
-	PreferredSymmetric, PreferredHash, PreferredCompression []uint8
-	IssuerKeyId                                             *uint64
-	IsPrimaryId                                             *bool
-
-	// FlagsValid is set if any flags were given. See RFC 4880, section
-	// 5.2.3.21 for details.
-	FlagsValid                                                           bool
-	FlagCertify, FlagSign, FlagEncryptCommunications, FlagEncryptStorage bool
-
-	// RevocationReason is set if this signature has been revoked.
-	// See RFC 4880, section 5.2.3.23 for details.
-	RevocationReason     *uint8
-	RevocationReasonText string
-
-	// MDC is set if this signature has a feature packet that indicates
-	// support for MDC subpackets.
-	MDC bool
-
-	// EmbeddedSignature, if non-nil, is a signature of the parent key, by
-	// this key. This prevents an attacker from claiming another's signing
-	// subkey as their own.
-	EmbeddedSignature *Signature
-
-	outSubpackets []outputSubpacket
-}
-
-func (sig *Signature) parse(r io.Reader) (err error) {
-	// RFC 4880, section 5.2.3
-	var buf [5]byte
-	_, err = readFull(r, buf[:1])
-	if err != nil {
-		return
-	}
-	if buf[0] != 4 {
-		err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0])))
-		return
-	}
-
-	_, err = readFull(r, buf[:5])
-	if err != nil {
-		return
-	}
-	sig.SigType = SignatureType(buf[0])
-	sig.PubKeyAlgo = PublicKeyAlgorithm(buf[1])
-	switch sig.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA:
-	default:
-		err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo)))
-		return
-	}
-
-	var ok bool
-	sig.Hash, ok = s2k.HashIdToHash(buf[2])
-	if !ok {
-		return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2])))
-	}
-
-	hashedSubpacketsLength := int(buf[3])<<8 | int(buf[4])
-	l := 6 + hashedSubpacketsLength
-	sig.HashSuffix = make([]byte, l+6)
-	sig.HashSuffix[0] = 4
-	copy(sig.HashSuffix[1:], buf[:5])
-	hashedSubpackets := sig.HashSuffix[6:l]
-	_, err = readFull(r, hashedSubpackets)
-	if err != nil {
-		return
-	}
-	// See RFC 4880, section 5.2.4
-	trailer := sig.HashSuffix[l:]
-	trailer[0] = 4
-	trailer[1] = 0xff
-	trailer[2] = uint8(l >> 24)
-	trailer[3] = uint8(l >> 16)
-	trailer[4] = uint8(l >> 8)
-	trailer[5] = uint8(l)
-
-	err = parseSignatureSubpackets(sig, hashedSubpackets, true)
-	if err != nil {
-		return
-	}
-
-	_, err = readFull(r, buf[:2])
-	if err != nil {
-		return
-	}
-	unhashedSubpacketsLength := int(buf[0])<<8 | int(buf[1])
-	unhashedSubpackets := make([]byte, unhashedSubpacketsLength)
-	_, err = readFull(r, unhashedSubpackets)
-	if err != nil {
-		return
-	}
-	err = parseSignatureSubpackets(sig, unhashedSubpackets, false)
-	if err != nil {
-		return
-	}
-
-	_, err = readFull(r, sig.HashTag[:2])
-	if err != nil {
-		return
-	}
-
-	switch sig.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
-		sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r)
-	case PubKeyAlgoDSA:
-		sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r)
-		if err == nil {
-			sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r)
-		}
-	case PubKeyAlgoECDSA:
-		sig.ECDSASigR.bytes, sig.ECDSASigR.bitLength, err = readMPI(r)
-		if err == nil {
-			sig.ECDSASigS.bytes, sig.ECDSASigS.bitLength, err = readMPI(r)
-		}
-	default:
-		panic("unreachable")
-	}
-	return
-}
-
-// parseSignatureSubpackets parses subpackets of the main signature packet. See
-// RFC 4880, section 5.2.3.1.
-func parseSignatureSubpackets(sig *Signature, subpackets []byte, isHashed bool) (err error) {
-	for len(subpackets) > 0 {
-		subpackets, err = parseSignatureSubpacket(sig, subpackets, isHashed)
-		if err != nil {
-			return
-		}
-	}
-
-	if sig.CreationTime.IsZero() {
-		err = errors.StructuralError("no creation time in signature")
-	}
-
-	return
-}
-
-type signatureSubpacketType uint8
-
-const (
-	creationTimeSubpacket        signatureSubpacketType = 2
-	signatureExpirationSubpacket signatureSubpacketType = 3
-	keyExpirationSubpacket       signatureSubpacketType = 9
-	prefSymmetricAlgosSubpacket  signatureSubpacketType = 11
-	issuerSubpacket              signatureSubpacketType = 16
-	prefHashAlgosSubpacket       signatureSubpacketType = 21
-	prefCompressionSubpacket     signatureSubpacketType = 22
-	primaryUserIdSubpacket       signatureSubpacketType = 25
-	keyFlagsSubpacket            signatureSubpacketType = 27
-	reasonForRevocationSubpacket signatureSubpacketType = 29
-	featuresSubpacket            signatureSubpacketType = 30
-	embeddedSignatureSubpacket   signatureSubpacketType = 32
-)
-
-// parseSignatureSubpacket parses a single subpacket. len(subpacket) is >= 1.
-func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (rest []byte, err error) {
-	// RFC 4880, section 5.2.3.1
-	var (
-		length     uint32
-		packetType signatureSubpacketType
-		isCritical bool
-	)
-	switch {
-	case subpacket[0] < 192:
-		length = uint32(subpacket[0])
-		subpacket = subpacket[1:]
-	case subpacket[0] < 255:
-		if len(subpacket) < 2 {
-			goto Truncated
-		}
-		length = uint32(subpacket[0]-192)<<8 + uint32(subpacket[1]) + 192
-		subpacket = subpacket[2:]
-	default:
-		if len(subpacket) < 5 {
-			goto Truncated
-		}
-		length = uint32(subpacket[1])<<24 |
-			uint32(subpacket[2])<<16 |
-			uint32(subpacket[3])<<8 |
-			uint32(subpacket[4])
-		subpacket = subpacket[5:]
-	}
-	if length > uint32(len(subpacket)) {
-		goto Truncated
-	}
-	rest = subpacket[length:]
-	subpacket = subpacket[:length]
-	if len(subpacket) == 0 {
-		err = errors.StructuralError("zero length signature subpacket")
-		return
-	}
-	packetType = signatureSubpacketType(subpacket[0] & 0x7f)
-	isCritical = subpacket[0]&0x80 == 0x80
-	subpacket = subpacket[1:]
-	sig.rawSubpackets = append(sig.rawSubpackets, outputSubpacket{isHashed, packetType, isCritical, subpacket})
-	switch packetType {
-	case creationTimeSubpacket:
-		if !isHashed {
-			err = errors.StructuralError("signature creation time in non-hashed area")
-			return
-		}
-		if len(subpacket) != 4 {
-			err = errors.StructuralError("signature creation time not four bytes")
-			return
-		}
-		t := binary.BigEndian.Uint32(subpacket)
-		sig.CreationTime = time.Unix(int64(t), 0)
-	case signatureExpirationSubpacket:
-		// Signature expiration time, section 5.2.3.10
-		if !isHashed {
-			return
-		}
-		if len(subpacket) != 4 {
-			err = errors.StructuralError("expiration subpacket with bad length")
-			return
-		}
-		sig.SigLifetimeSecs = new(uint32)
-		*sig.SigLifetimeSecs = binary.BigEndian.Uint32(subpacket)
-	case keyExpirationSubpacket:
-		// Key expiration time, section 5.2.3.6
-		if !isHashed {
-			return
-		}
-		if len(subpacket) != 4 {
-			err = errors.StructuralError("key expiration subpacket with bad length")
-			return
-		}
-		sig.KeyLifetimeSecs = new(uint32)
-		*sig.KeyLifetimeSecs = binary.BigEndian.Uint32(subpacket)
-	case prefSymmetricAlgosSubpacket:
-		// Preferred symmetric algorithms, section 5.2.3.7
-		if !isHashed {
-			return
-		}
-		sig.PreferredSymmetric = make([]byte, len(subpacket))
-		copy(sig.PreferredSymmetric, subpacket)
-	case issuerSubpacket:
-		// Issuer, section 5.2.3.5
-		if len(subpacket) != 8 {
-			err = errors.StructuralError("issuer subpacket with bad length")
-			return
-		}
-		sig.IssuerKeyId = new(uint64)
-		*sig.IssuerKeyId = binary.BigEndian.Uint64(subpacket)
-	case prefHashAlgosSubpacket:
-		// Preferred hash algorithms, section 5.2.3.8
-		if !isHashed {
-			return
-		}
-		sig.PreferredHash = make([]byte, len(subpacket))
-		copy(sig.PreferredHash, subpacket)
-	case prefCompressionSubpacket:
-		// Preferred compression algorithms, section 5.2.3.9
-		if !isHashed {
-			return
-		}
-		sig.PreferredCompression = make([]byte, len(subpacket))
-		copy(sig.PreferredCompression, subpacket)
-	case primaryUserIdSubpacket:
-		// Primary User ID, section 5.2.3.19
-		if !isHashed {
-			return
-		}
-		if len(subpacket) != 1 {
-			err = errors.StructuralError("primary user id subpacket with bad length")
-			return
-		}
-		sig.IsPrimaryId = new(bool)
-		if subpacket[0] > 0 {
-			*sig.IsPrimaryId = true
-		}
-	case keyFlagsSubpacket:
-		// Key flags, section 5.2.3.21
-		if !isHashed {
-			return
-		}
-		if len(subpacket) == 0 {
-			err = errors.StructuralError("empty key flags subpacket")
-			return
-		}
-		sig.FlagsValid = true
-		if subpacket[0]&KeyFlagCertify != 0 {
-			sig.FlagCertify = true
-		}
-		if subpacket[0]&KeyFlagSign != 0 {
-			sig.FlagSign = true
-		}
-		if subpacket[0]&KeyFlagEncryptCommunications != 0 {
-			sig.FlagEncryptCommunications = true
-		}
-		if subpacket[0]&KeyFlagEncryptStorage != 0 {
-			sig.FlagEncryptStorage = true
-		}
-	case reasonForRevocationSubpacket:
-		// Reason For Revocation, section 5.2.3.23
-		if !isHashed {
-			return
-		}
-		if len(subpacket) == 0 {
-			err = errors.StructuralError("empty revocation reason subpacket")
-			return
-		}
-		sig.RevocationReason = new(uint8)
-		*sig.RevocationReason = subpacket[0]
-		sig.RevocationReasonText = string(subpacket[1:])
-	case featuresSubpacket:
-		// Features subpacket, section 5.2.3.24 specifies a very general
-		// mechanism for OpenPGP implementations to signal support for new
-		// features. In practice, the subpacket is used exclusively to
-		// indicate support for MDC-protected encryption.
-		sig.MDC = len(subpacket) >= 1 && subpacket[0]&1 == 1
-	case embeddedSignatureSubpacket:
-		// Only usage is in signatures that cross-certify
-		// signing subkeys. section 5.2.3.26 describes the
-		// format, with its usage described in section 11.1
-		if sig.EmbeddedSignature != nil {
-			err = errors.StructuralError("Cannot have multiple embedded signatures")
-			return
-		}
-		sig.EmbeddedSignature = new(Signature)
-		// Embedded signatures are required to be v4 signatures see
-		// section 12.1. However, we only parse v4 signatures in this
-		// file anyway.
-		if err := sig.EmbeddedSignature.parse(bytes.NewBuffer(subpacket)); err != nil {
-			return nil, err
-		}
-		if sigType := sig.EmbeddedSignature.SigType; sigType != SigTypePrimaryKeyBinding {
-			return nil, errors.StructuralError("cross-signature has unexpected type " + strconv.Itoa(int(sigType)))
-		}
-	default:
-		if isCritical {
-			err = errors.UnsupportedError("unknown critical signature subpacket type " + strconv.Itoa(int(packetType)))
-			return
-		}
-	}
-	return
-
-Truncated:
-	err = errors.StructuralError("signature subpacket truncated")
-	return
-}
-
-// subpacketLengthLength returns the length, in bytes, of an encoded length value.
-func subpacketLengthLength(length int) int {
-	if length < 192 {
-		return 1
-	}
-	if length < 16320 {
-		return 2
-	}
-	return 5
-}
-
-// serializeSubpacketLength marshals the given length into to.
-func serializeSubpacketLength(to []byte, length int) int {
-	// RFC 4880, Section 4.2.2.
-	if length < 192 {
-		to[0] = byte(length)
-		return 1
-	}
-	if length < 16320 {
-		length -= 192
-		to[0] = byte((length >> 8) + 192)
-		to[1] = byte(length)
-		return 2
-	}
-	to[0] = 255
-	to[1] = byte(length >> 24)
-	to[2] = byte(length >> 16)
-	to[3] = byte(length >> 8)
-	to[4] = byte(length)
-	return 5
-}
-
-// subpacketsLength returns the serialized length, in bytes, of the given
-// subpackets.
-func subpacketsLength(subpackets []outputSubpacket, hashed bool) (length int) {
-	for _, subpacket := range subpackets {
-		if subpacket.hashed == hashed {
-			length += subpacketLengthLength(len(subpacket.contents) + 1)
-			length += 1 // type byte
-			length += len(subpacket.contents)
-		}
-	}
-	return
-}
-
-// serializeSubpackets marshals the given subpackets into to.
-func serializeSubpackets(to []byte, subpackets []outputSubpacket, hashed bool) {
-	for _, subpacket := range subpackets {
-		if subpacket.hashed == hashed {
-			n := serializeSubpacketLength(to, len(subpacket.contents)+1)
-			to[n] = byte(subpacket.subpacketType)
-			to = to[1+n:]
-			n = copy(to, subpacket.contents)
-			to = to[n:]
-		}
-	}
-	return
-}
-
-// KeyExpired returns whether sig is a self-signature of a key that has
-// expired.
-func (sig *Signature) KeyExpired(currentTime time.Time) bool {
-	if sig.KeyLifetimeSecs == nil {
-		return false
-	}
-	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
-	return currentTime.After(expiry)
-}
-
-// buildHashSuffix constructs the HashSuffix member of sig in preparation for signing.
-func (sig *Signature) buildHashSuffix() (err error) {
-	hashedSubpacketsLen := subpacketsLength(sig.outSubpackets, true)
-
-	var ok bool
-	l := 6 + hashedSubpacketsLen
-	sig.HashSuffix = make([]byte, l+6)
-	sig.HashSuffix[0] = 4
-	sig.HashSuffix[1] = uint8(sig.SigType)
-	sig.HashSuffix[2] = uint8(sig.PubKeyAlgo)
-	sig.HashSuffix[3], ok = s2k.HashToHashId(sig.Hash)
-	if !ok {
-		sig.HashSuffix = nil
-		return errors.InvalidArgumentError("hash cannot be represented in OpenPGP: " + strconv.Itoa(int(sig.Hash)))
-	}
-	sig.HashSuffix[4] = byte(hashedSubpacketsLen >> 8)
-	sig.HashSuffix[5] = byte(hashedSubpacketsLen)
-	serializeSubpackets(sig.HashSuffix[6:l], sig.outSubpackets, true)
-	trailer := sig.HashSuffix[l:]
-	trailer[0] = 4
-	trailer[1] = 0xff
-	trailer[2] = byte(l >> 24)
-	trailer[3] = byte(l >> 16)
-	trailer[4] = byte(l >> 8)
-	trailer[5] = byte(l)
-	return
-}
-
-func (sig *Signature) signPrepareHash(h hash.Hash) (digest []byte, err error) {
-	err = sig.buildHashSuffix()
-	if err != nil {
-		return
-	}
-
-	h.Write(sig.HashSuffix)
-	digest = h.Sum(nil)
-	copy(sig.HashTag[:], digest)
-	return
-}
-
-// Sign signs a message with a private key. The hash, h, must contain
-// the hash of the message to be signed and will be mutated by this function.
-// On success, the signature is stored in sig. Call Serialize to write it out.
-// If config is nil, sensible defaults will be used.
-func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err error) {
-	sig.outSubpackets = sig.buildSubpackets()
-	digest, err := sig.signPrepareHash(h)
-	if err != nil {
-		return
-	}
-
-	switch priv.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
-		// supports both *rsa.PrivateKey and crypto.Signer
-		sig.RSASignature.bytes, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, sig.Hash)
-		sig.RSASignature.bitLength = uint16(8 * len(sig.RSASignature.bytes))
-	case PubKeyAlgoDSA:
-		dsaPriv := priv.PrivateKey.(*dsa.PrivateKey)
-
-		// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
-		subgroupSize := (dsaPriv.Q.BitLen() + 7) / 8
-		if len(digest) > subgroupSize {
-			digest = digest[:subgroupSize]
-		}
-		r, s, err := dsa.Sign(config.Random(), dsaPriv, digest)
-		if err == nil {
-			sig.DSASigR.bytes = r.Bytes()
-			sig.DSASigR.bitLength = uint16(8 * len(sig.DSASigR.bytes))
-			sig.DSASigS.bytes = s.Bytes()
-			sig.DSASigS.bitLength = uint16(8 * len(sig.DSASigS.bytes))
-		}
-	case PubKeyAlgoECDSA:
-		var r, s *big.Int
-		if pk, ok := priv.PrivateKey.(*ecdsa.PrivateKey); ok {
-			// direct support, avoid asn1 wrapping/unwrapping
-			r, s, err = ecdsa.Sign(config.Random(), pk, digest)
-		} else {
-			var b []byte
-			b, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, nil)
-			if err == nil {
-				r, s, err = unwrapECDSASig(b)
-			}
-		}
-		if err == nil {
-			sig.ECDSASigR = fromBig(r)
-			sig.ECDSASigS = fromBig(s)
-		}
-	default:
-		err = errors.UnsupportedError("public key algorithm: " + strconv.Itoa(int(sig.PubKeyAlgo)))
-	}
-
-	return
-}
-
-// unwrapECDSASig parses the two integer components of an ASN.1-encoded ECDSA
-// signature.
-func unwrapECDSASig(b []byte) (r, s *big.Int, err error) {
-	var ecsdaSig struct {
-		R, S *big.Int
-	}
-	_, err = asn1.Unmarshal(b, &ecsdaSig)
-	if err != nil {
-		return
-	}
-	return ecsdaSig.R, ecsdaSig.S, nil
-}
-
-// SignUserId computes a signature from priv, asserting that pub is a valid
-// key for the identity id.  On success, the signature is stored in sig. Call
-// Serialize to write it out.
-// If config is nil, sensible defaults will be used.
-func (sig *Signature) SignUserId(id string, pub *PublicKey, priv *PrivateKey, config *Config) error {
-	h, err := userIdSignatureHash(id, pub, sig.Hash)
-	if err != nil {
-		return err
-	}
-	return sig.Sign(h, priv, config)
-}
-
-// SignKey computes a signature from priv, asserting that pub is a subkey. On
-// success, the signature is stored in sig. Call Serialize to write it out.
-// If config is nil, sensible defaults will be used.
-func (sig *Signature) SignKey(pub *PublicKey, priv *PrivateKey, config *Config) error {
-	h, err := keySignatureHash(&priv.PublicKey, pub, sig.Hash)
-	if err != nil {
-		return err
-	}
-	return sig.Sign(h, priv, config)
-}
-
-// Serialize marshals sig to w. Sign, SignUserId or SignKey must have been
-// called first.
-func (sig *Signature) Serialize(w io.Writer) (err error) {
-	if len(sig.outSubpackets) == 0 {
-		sig.outSubpackets = sig.rawSubpackets
-	}
-	if sig.RSASignature.bytes == nil && sig.DSASigR.bytes == nil && sig.ECDSASigR.bytes == nil {
-		return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize")
-	}
-
-	sigLength := 0
-	switch sig.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
-		sigLength = 2 + len(sig.RSASignature.bytes)
-	case PubKeyAlgoDSA:
-		sigLength = 2 + len(sig.DSASigR.bytes)
-		sigLength += 2 + len(sig.DSASigS.bytes)
-	case PubKeyAlgoECDSA:
-		sigLength = 2 + len(sig.ECDSASigR.bytes)
-		sigLength += 2 + len(sig.ECDSASigS.bytes)
-	default:
-		panic("impossible")
-	}
-
-	unhashedSubpacketsLen := subpacketsLength(sig.outSubpackets, false)
-	length := len(sig.HashSuffix) - 6 /* trailer not included */ +
-		2 /* length of unhashed subpackets */ + unhashedSubpacketsLen +
-		2 /* hash tag */ + sigLength
-	err = serializeHeader(w, packetTypeSignature, length)
-	if err != nil {
-		return
-	}
-
-	_, err = w.Write(sig.HashSuffix[:len(sig.HashSuffix)-6])
-	if err != nil {
-		return
-	}
-
-	unhashedSubpackets := make([]byte, 2+unhashedSubpacketsLen)
-	unhashedSubpackets[0] = byte(unhashedSubpacketsLen >> 8)
-	unhashedSubpackets[1] = byte(unhashedSubpacketsLen)
-	serializeSubpackets(unhashedSubpackets[2:], sig.outSubpackets, false)
-
-	_, err = w.Write(unhashedSubpackets)
-	if err != nil {
-		return
-	}
-	_, err = w.Write(sig.HashTag[:])
-	if err != nil {
-		return
-	}
-
-	switch sig.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
-		err = writeMPIs(w, sig.RSASignature)
-	case PubKeyAlgoDSA:
-		err = writeMPIs(w, sig.DSASigR, sig.DSASigS)
-	case PubKeyAlgoECDSA:
-		err = writeMPIs(w, sig.ECDSASigR, sig.ECDSASigS)
-	default:
-		panic("impossible")
-	}
-	return
-}
-
-// outputSubpacket represents a subpacket to be marshaled.
-type outputSubpacket struct {
-	hashed        bool // true if this subpacket is in the hashed area.
-	subpacketType signatureSubpacketType
-	isCritical    bool
-	contents      []byte
-}
-
-func (sig *Signature) buildSubpackets() (subpackets []outputSubpacket) {
-	creationTime := make([]byte, 4)
-	binary.BigEndian.PutUint32(creationTime, uint32(sig.CreationTime.Unix()))
-	subpackets = append(subpackets, outputSubpacket{true, creationTimeSubpacket, false, creationTime})
-
-	if sig.IssuerKeyId != nil {
-		keyId := make([]byte, 8)
-		binary.BigEndian.PutUint64(keyId, *sig.IssuerKeyId)
-		subpackets = append(subpackets, outputSubpacket{true, issuerSubpacket, false, keyId})
-	}
-
-	if sig.SigLifetimeSecs != nil && *sig.SigLifetimeSecs != 0 {
-		sigLifetime := make([]byte, 4)
-		binary.BigEndian.PutUint32(sigLifetime, *sig.SigLifetimeSecs)
-		subpackets = append(subpackets, outputSubpacket{true, signatureExpirationSubpacket, true, sigLifetime})
-	}
-
-	// Key flags may only appear in self-signatures or certification signatures.
-
-	if sig.FlagsValid {
-		var flags byte
-		if sig.FlagCertify {
-			flags |= KeyFlagCertify
-		}
-		if sig.FlagSign {
-			flags |= KeyFlagSign
-		}
-		if sig.FlagEncryptCommunications {
-			flags |= KeyFlagEncryptCommunications
-		}
-		if sig.FlagEncryptStorage {
-			flags |= KeyFlagEncryptStorage
-		}
-		subpackets = append(subpackets, outputSubpacket{true, keyFlagsSubpacket, false, []byte{flags}})
-	}
-
-	// The following subpackets may only appear in self-signatures
-
-	if sig.KeyLifetimeSecs != nil && *sig.KeyLifetimeSecs != 0 {
-		keyLifetime := make([]byte, 4)
-		binary.BigEndian.PutUint32(keyLifetime, *sig.KeyLifetimeSecs)
-		subpackets = append(subpackets, outputSubpacket{true, keyExpirationSubpacket, true, keyLifetime})
-	}
-
-	if sig.IsPrimaryId != nil && *sig.IsPrimaryId {
-		subpackets = append(subpackets, outputSubpacket{true, primaryUserIdSubpacket, false, []byte{1}})
-	}
-
-	if len(sig.PreferredSymmetric) > 0 {
-		subpackets = append(subpackets, outputSubpacket{true, prefSymmetricAlgosSubpacket, false, sig.PreferredSymmetric})
-	}
-
-	if len(sig.PreferredHash) > 0 {
-		subpackets = append(subpackets, outputSubpacket{true, prefHashAlgosSubpacket, false, sig.PreferredHash})
-	}
-
-	if len(sig.PreferredCompression) > 0 {
-		subpackets = append(subpackets, outputSubpacket{true, prefCompressionSubpacket, false, sig.PreferredCompression})
-	}
-
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature_test.go b/vendor/golang.org/x/crypto/openpgp/packet/signature_test.go
deleted file mode 100644
index 56e76117..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/signature_test.go
+++ /dev/null
@@ -1,78 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto"
-	"encoding/hex"
-	"testing"
-)
-
-func TestSignatureRead(t *testing.T) {
-	packet, err := Read(readerFromHex(signatureDataHex))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	sig, ok := packet.(*Signature)
-	if !ok || sig.SigType != SigTypeBinary || sig.PubKeyAlgo != PubKeyAlgoRSA || sig.Hash != crypto.SHA1 {
-		t.Errorf("failed to parse, got: %#v", packet)
-	}
-}
-
-func TestSignatureReserialize(t *testing.T) {
-	packet, _ := Read(readerFromHex(signatureDataHex))
-	sig := packet.(*Signature)
-	out := new(bytes.Buffer)
-	err := sig.Serialize(out)
-	if err != nil {
-		t.Errorf("error reserializing: %s", err)
-		return
-	}
-
-	expected, _ := hex.DecodeString(signatureDataHex)
-	if !bytes.Equal(expected, out.Bytes()) {
-		t.Errorf("output doesn't match input (got vs expected):\n%s\n%s", hex.Dump(out.Bytes()), hex.Dump(expected))
-	}
-}
-
-func TestSignUserId(t *testing.T) {
-	sig := &Signature{
-		SigType:    SigTypeGenericCert,
-		PubKeyAlgo: PubKeyAlgoRSA,
-		Hash:       0, // invalid hash function
-	}
-
-	packet, err := Read(readerFromHex(rsaPkDataHex))
-	if err != nil {
-		t.Fatalf("failed to deserialize public key: %v", err)
-	}
-	pubKey := packet.(*PublicKey)
-
-	packet, err = Read(readerFromHex(privKeyRSAHex))
-	if err != nil {
-		t.Fatalf("failed to deserialize private key: %v", err)
-	}
-	privKey := packet.(*PrivateKey)
-
-	err = sig.SignUserId("", pubKey, privKey, nil)
-	if err == nil {
-		t.Errorf("did not receive an error when expected")
-	}
-
-	sig.Hash = crypto.SHA256
-	err = privKey.Decrypt([]byte("testing"))
-	if err != nil {
-		t.Fatalf("failed to decrypt private key: %v", err)
-	}
-
-	err = sig.SignUserId("", pubKey, privKey, nil)
-	if err != nil {
-		t.Errorf("failed to sign user id: %v", err)
-	}
-}
-
-const signatureDataHex = "c2c05c04000102000605024cb45112000a0910ab105c91af38fb158f8d07ff5596ea368c5efe015bed6e78348c0f033c931d5f2ce5db54ce7f2a7e4b4ad64db758d65a7a71773edeab7ba2a9e0908e6a94a1175edd86c1d843279f045b021a6971a72702fcbd650efc393c5474d5b59a15f96d2eaad4c4c426797e0dcca2803ef41c6ff234d403eec38f31d610c344c06f2401c262f0993b2e66cad8a81ebc4322c723e0d4ba09fe917e8777658307ad8329adacba821420741009dfe87f007759f0982275d028a392c6ed983a0d846f890b36148c7358bdb8a516007fac760261ecd06076813831a36d0459075d1befa245ae7f7fb103d92ca759e9498fe60ef8078a39a3beda510deea251ea9f0a7f0df6ef42060f20780360686f3e400e"
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go b/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go
deleted file mode 100644
index 6edff889..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go
+++ /dev/null
@@ -1,146 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"crypto"
-	"encoding/binary"
-	"fmt"
-	"io"
-	"strconv"
-	"time"
-
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/s2k"
-)
-
-// SignatureV3 represents older version 3 signatures. These signatures are less secure
-// than version 4 and should not be used to create new signatures. They are included
-// here for backwards compatibility to read and validate with older key material.
-// See RFC 4880, section 5.2.2.
-type SignatureV3 struct {
-	SigType      SignatureType
-	CreationTime time.Time
-	IssuerKeyId  uint64
-	PubKeyAlgo   PublicKeyAlgorithm
-	Hash         crypto.Hash
-	HashTag      [2]byte
-
-	RSASignature     parsedMPI
-	DSASigR, DSASigS parsedMPI
-}
-
-func (sig *SignatureV3) parse(r io.Reader) (err error) {
-	// RFC 4880, section 5.2.2
-	var buf [8]byte
-	if _, err = readFull(r, buf[:1]); err != nil {
-		return
-	}
-	if buf[0] < 2 || buf[0] > 3 {
-		err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0])))
-		return
-	}
-	if _, err = readFull(r, buf[:1]); err != nil {
-		return
-	}
-	if buf[0] != 5 {
-		err = errors.UnsupportedError(
-			"invalid hashed material length " + strconv.Itoa(int(buf[0])))
-		return
-	}
-
-	// Read hashed material: signature type + creation time
-	if _, err = readFull(r, buf[:5]); err != nil {
-		return
-	}
-	sig.SigType = SignatureType(buf[0])
-	t := binary.BigEndian.Uint32(buf[1:5])
-	sig.CreationTime = time.Unix(int64(t), 0)
-
-	// Eight-octet Key ID of signer.
-	if _, err = readFull(r, buf[:8]); err != nil {
-		return
-	}
-	sig.IssuerKeyId = binary.BigEndian.Uint64(buf[:])
-
-	// Public-key and hash algorithm
-	if _, err = readFull(r, buf[:2]); err != nil {
-		return
-	}
-	sig.PubKeyAlgo = PublicKeyAlgorithm(buf[0])
-	switch sig.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA:
-	default:
-		err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo)))
-		return
-	}
-	var ok bool
-	if sig.Hash, ok = s2k.HashIdToHash(buf[1]); !ok {
-		return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2])))
-	}
-
-	// Two-octet field holding left 16 bits of signed hash value.
-	if _, err = readFull(r, sig.HashTag[:2]); err != nil {
-		return
-	}
-
-	switch sig.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
-		sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r)
-	case PubKeyAlgoDSA:
-		if sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r); err != nil {
-			return
-		}
-		sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r)
-	default:
-		panic("unreachable")
-	}
-	return
-}
-
-// Serialize marshals sig to w. Sign, SignUserId or SignKey must have been
-// called first.
-func (sig *SignatureV3) Serialize(w io.Writer) (err error) {
-	buf := make([]byte, 8)
-
-	// Write the sig type and creation time
-	buf[0] = byte(sig.SigType)
-	binary.BigEndian.PutUint32(buf[1:5], uint32(sig.CreationTime.Unix()))
-	if _, err = w.Write(buf[:5]); err != nil {
-		return
-	}
-
-	// Write the issuer long key ID
-	binary.BigEndian.PutUint64(buf[:8], sig.IssuerKeyId)
-	if _, err = w.Write(buf[:8]); err != nil {
-		return
-	}
-
-	// Write public key algorithm, hash ID, and hash value
-	buf[0] = byte(sig.PubKeyAlgo)
-	hashId, ok := s2k.HashToHashId(sig.Hash)
-	if !ok {
-		return errors.UnsupportedError(fmt.Sprintf("hash function %v", sig.Hash))
-	}
-	buf[1] = hashId
-	copy(buf[2:4], sig.HashTag[:])
-	if _, err = w.Write(buf[:4]); err != nil {
-		return
-	}
-
-	if sig.RSASignature.bytes == nil && sig.DSASigR.bytes == nil {
-		return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize")
-	}
-
-	switch sig.PubKeyAlgo {
-	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
-		err = writeMPIs(w, sig.RSASignature)
-	case PubKeyAlgoDSA:
-		err = writeMPIs(w, sig.DSASigR, sig.DSASigS)
-	default:
-		panic("impossible")
-	}
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature_v3_test.go b/vendor/golang.org/x/crypto/openpgp/packet/signature_v3_test.go
deleted file mode 100644
index ad7b62ac..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/signature_v3_test.go
+++ /dev/null
@@ -1,92 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto"
-	"encoding/hex"
-	"io"
-	"io/ioutil"
-	"testing"
-
-	"golang.org/x/crypto/openpgp/armor"
-)
-
-func TestSignatureV3Read(t *testing.T) {
-	r := v3KeyReader(t)
-	Read(r)                // Skip public key
-	Read(r)                // Skip uid
-	packet, err := Read(r) // Signature
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	sig, ok := packet.(*SignatureV3)
-	if !ok || sig.SigType != SigTypeGenericCert || sig.PubKeyAlgo != PubKeyAlgoRSA || sig.Hash != crypto.MD5 {
-		t.Errorf("failed to parse, got: %#v", packet)
-	}
-}
-
-func TestSignatureV3Reserialize(t *testing.T) {
-	r := v3KeyReader(t)
-	Read(r) // Skip public key
-	Read(r) // Skip uid
-	packet, err := Read(r)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	sig := packet.(*SignatureV3)
-	out := new(bytes.Buffer)
-	if err = sig.Serialize(out); err != nil {
-		t.Errorf("error reserializing: %s", err)
-		return
-	}
-	expected, err := ioutil.ReadAll(v3KeyReader(t))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	expected = expected[4+141+4+39:] // See pgpdump offsets below, this is where the sig starts
-	if !bytes.Equal(expected, out.Bytes()) {
-		t.Errorf("output doesn't match input (got vs expected):\n%s\n%s", hex.Dump(out.Bytes()), hex.Dump(expected))
-	}
-}
-
-func v3KeyReader(t *testing.T) io.Reader {
-	armorBlock, err := armor.Decode(bytes.NewBufferString(keySigV3Armor))
-	if err != nil {
-		t.Fatalf("armor Decode failed: %v", err)
-	}
-	return armorBlock.Body
-}
-
-// keySigV3Armor is some V3 public key I found in an SKS dump.
-// Old: Public Key Packet(tag 6)(141 bytes)
-//      Ver 4 - new
-//      Public key creation time - Fri Sep 16 17:13:54 CDT 1994
-//      Pub alg - unknown(pub 0)
-//      Unknown public key(pub 0)
-// Old: User ID Packet(tag 13)(39 bytes)
-//      User ID - Armin M. Warda <warda@nephilim.ruhr.de>
-// Old: Signature Packet(tag 2)(149 bytes)
-//      Ver 4 - new
-//      Sig type - unknown(05)
-//      Pub alg - ElGamal Encrypt-Only(pub 16)
-//      Hash alg - unknown(hash 46)
-//      Hashed Sub: unknown(sub 81, critical)(1988 bytes)
-const keySigV3Armor = `-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: SKS 1.0.10
-
-mI0CLnoYogAAAQQA1qwA2SuJwfQ5bCQ6u5t20ulnOtY0gykf7YjiK4LiVeRBwHjGq7v30tGV
-5Qti7qqRW4Ww7CDCJc4sZMFnystucR2vLkXaSoNWoFm4Fg47NiisDdhDezHwbVPW6OpCFNSi
-ZAamtj4QAUBu8j4LswafrJqZqR9336/V3g8Yil2l48kABRG0J0FybWluIE0uIFdhcmRhIDx3
-YXJkYUBuZXBoaWxpbS5ydWhyLmRlPoiVAgUQLok2xwXR6zmeWEiZAQE/DgP/WgxPQh40/Po4
-gSkWZCDAjNdph7zexvAb0CcUWahcwiBIgg3U5ErCx9I5CNVA9U+s8bNrDZwgSIeBzp3KhWUx
-524uhGgm6ZUTOAIKA6CbV6pfqoLpJnRYvXYQU5mIWsNa99wcu2qu18OeEDnztb7aLA6Ra9OF
-YFCbq4EjXRoOrYM=
-=LPjs
------END PGP PUBLIC KEY BLOCK-----`
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go
deleted file mode 100644
index 744c2d2c..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go
+++ /dev/null
@@ -1,155 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto/cipher"
-	"io"
-	"strconv"
-
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/s2k"
-)
-
-// This is the largest session key that we'll support. Since no 512-bit cipher
-// has even been seriously used, this is comfortably large.
-const maxSessionKeySizeInBytes = 64
-
-// SymmetricKeyEncrypted represents a passphrase protected session key. See RFC
-// 4880, section 5.3.
-type SymmetricKeyEncrypted struct {
-	CipherFunc   CipherFunction
-	s2k          func(out, in []byte)
-	encryptedKey []byte
-}
-
-const symmetricKeyEncryptedVersion = 4
-
-func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error {
-	// RFC 4880, section 5.3.
-	var buf [2]byte
-	if _, err := readFull(r, buf[:]); err != nil {
-		return err
-	}
-	if buf[0] != symmetricKeyEncryptedVersion {
-		return errors.UnsupportedError("SymmetricKeyEncrypted version")
-	}
-	ske.CipherFunc = CipherFunction(buf[1])
-
-	if ske.CipherFunc.KeySize() == 0 {
-		return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(buf[1])))
-	}
-
-	var err error
-	ske.s2k, err = s2k.Parse(r)
-	if err != nil {
-		return err
-	}
-
-	encryptedKey := make([]byte, maxSessionKeySizeInBytes)
-	// The session key may follow. We just have to try and read to find
-	// out. If it exists then we limit it to maxSessionKeySizeInBytes.
-	n, err := readFull(r, encryptedKey)
-	if err != nil && err != io.ErrUnexpectedEOF {
-		return err
-	}
-
-	if n != 0 {
-		if n == maxSessionKeySizeInBytes {
-			return errors.UnsupportedError("oversized encrypted session key")
-		}
-		ske.encryptedKey = encryptedKey[:n]
-	}
-
-	return nil
-}
-
-// Decrypt attempts to decrypt an encrypted session key and returns the key and
-// the cipher to use when decrypting a subsequent Symmetrically Encrypted Data
-// packet.
-func (ske *SymmetricKeyEncrypted) Decrypt(passphrase []byte) ([]byte, CipherFunction, error) {
-	key := make([]byte, ske.CipherFunc.KeySize())
-	ske.s2k(key, passphrase)
-
-	if len(ske.encryptedKey) == 0 {
-		return key, ske.CipherFunc, nil
-	}
-
-	// the IV is all zeros
-	iv := make([]byte, ske.CipherFunc.blockSize())
-	c := cipher.NewCFBDecrypter(ske.CipherFunc.new(key), iv)
-	plaintextKey := make([]byte, len(ske.encryptedKey))
-	c.XORKeyStream(plaintextKey, ske.encryptedKey)
-	cipherFunc := CipherFunction(plaintextKey[0])
-	if cipherFunc.blockSize() == 0 {
-		return nil, ske.CipherFunc, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc)))
-	}
-	plaintextKey = plaintextKey[1:]
-	if l, cipherKeySize := len(plaintextKey), cipherFunc.KeySize(); l != cipherFunc.KeySize() {
-		return nil, cipherFunc, errors.StructuralError("length of decrypted key (" + strconv.Itoa(l) + ") " +
-			"not equal to cipher keysize (" + strconv.Itoa(cipherKeySize) + ")")
-	}
-	return plaintextKey, cipherFunc, nil
-}
-
-// SerializeSymmetricKeyEncrypted serializes a symmetric key packet to w. The
-// packet contains a random session key, encrypted by a key derived from the
-// given passphrase. The session key is returned and must be passed to
-// SerializeSymmetricallyEncrypted.
-// If config is nil, sensible defaults will be used.
-func SerializeSymmetricKeyEncrypted(w io.Writer, passphrase []byte, config *Config) (key []byte, err error) {
-	cipherFunc := config.Cipher()
-	keySize := cipherFunc.KeySize()
-	if keySize == 0 {
-		return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc)))
-	}
-
-	s2kBuf := new(bytes.Buffer)
-	keyEncryptingKey := make([]byte, keySize)
-	// s2k.Serialize salts and stretches the passphrase, and writes the
-	// resulting key to keyEncryptingKey and the s2k descriptor to s2kBuf.
-	err = s2k.Serialize(s2kBuf, keyEncryptingKey, config.Random(), passphrase, &s2k.Config{Hash: config.Hash(), S2KCount: config.PasswordHashIterations()})
-	if err != nil {
-		return
-	}
-	s2kBytes := s2kBuf.Bytes()
-
-	packetLength := 2 /* header */ + len(s2kBytes) + 1 /* cipher type */ + keySize
-	err = serializeHeader(w, packetTypeSymmetricKeyEncrypted, packetLength)
-	if err != nil {
-		return
-	}
-
-	var buf [2]byte
-	buf[0] = symmetricKeyEncryptedVersion
-	buf[1] = byte(cipherFunc)
-	_, err = w.Write(buf[:])
-	if err != nil {
-		return
-	}
-	_, err = w.Write(s2kBytes)
-	if err != nil {
-		return
-	}
-
-	sessionKey := make([]byte, keySize)
-	_, err = io.ReadFull(config.Random(), sessionKey)
-	if err != nil {
-		return
-	}
-	iv := make([]byte, cipherFunc.blockSize())
-	c := cipher.NewCFBEncrypter(cipherFunc.new(keyEncryptingKey), iv)
-	encryptedCipherAndKey := make([]byte, keySize+1)
-	c.XORKeyStream(encryptedCipherAndKey, buf[1:])
-	c.XORKeyStream(encryptedCipherAndKey[1:], sessionKey)
-	_, err = w.Write(encryptedCipherAndKey)
-	if err != nil {
-		return
-	}
-
-	key = sessionKey
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted_test.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted_test.go
deleted file mode 100644
index e1d52c12..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted_test.go
+++ /dev/null
@@ -1,117 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"encoding/hex"
-	"io"
-	"io/ioutil"
-	"testing"
-)
-
-func TestSymmetricKeyEncrypted(t *testing.T) {
-	buf := readerFromHex(symmetricallyEncryptedHex)
-	packet, err := Read(buf)
-	if err != nil {
-		t.Errorf("failed to read SymmetricKeyEncrypted: %s", err)
-		return
-	}
-	ske, ok := packet.(*SymmetricKeyEncrypted)
-	if !ok {
-		t.Error("didn't find SymmetricKeyEncrypted packet")
-		return
-	}
-	key, cipherFunc, err := ske.Decrypt([]byte("password"))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	packet, err = Read(buf)
-	if err != nil {
-		t.Errorf("failed to read SymmetricallyEncrypted: %s", err)
-		return
-	}
-	se, ok := packet.(*SymmetricallyEncrypted)
-	if !ok {
-		t.Error("didn't find SymmetricallyEncrypted packet")
-		return
-	}
-	r, err := se.Decrypt(cipherFunc, key)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	contents, err := ioutil.ReadAll(r)
-	if err != nil && err != io.EOF {
-		t.Error(err)
-		return
-	}
-
-	expectedContents, _ := hex.DecodeString(symmetricallyEncryptedContentsHex)
-	if !bytes.Equal(expectedContents, contents) {
-		t.Errorf("bad contents got:%x want:%x", contents, expectedContents)
-	}
-}
-
-const symmetricallyEncryptedHex = "8c0d04030302371a0b38d884f02060c91cf97c9973b8e58e028e9501708ccfe618fb92afef7fa2d80ddadd93cf"
-const symmetricallyEncryptedContentsHex = "cb1062004d14c4df636f6e74656e74732e0a"
-
-func TestSerializeSymmetricKeyEncryptedCiphers(t *testing.T) {
-	tests := [...]struct {
-		cipherFunc CipherFunction
-		name       string
-	}{
-		{Cipher3DES, "Cipher3DES"},
-		{CipherCAST5, "CipherCAST5"},
-		{CipherAES128, "CipherAES128"},
-		{CipherAES192, "CipherAES192"},
-		{CipherAES256, "CipherAES256"},
-	}
-
-	for _, test := range tests {
-		var buf bytes.Buffer
-		passphrase := []byte("testing")
-		config := &Config{
-			DefaultCipher: test.cipherFunc,
-		}
-
-		key, err := SerializeSymmetricKeyEncrypted(&buf, passphrase, config)
-		if err != nil {
-			t.Errorf("cipher(%s) failed to serialize: %s", test.name, err)
-			continue
-		}
-
-		p, err := Read(&buf)
-		if err != nil {
-			t.Errorf("cipher(%s) failed to reparse: %s", test.name, err)
-			continue
-		}
-
-		ske, ok := p.(*SymmetricKeyEncrypted)
-		if !ok {
-			t.Errorf("cipher(%s) parsed a different packet type: %#v", test.name, p)
-			continue
-		}
-
-		if ske.CipherFunc != config.DefaultCipher {
-			t.Errorf("cipher(%s) SKE cipher function is %d (expected %d)", test.name, ske.CipherFunc, config.DefaultCipher)
-		}
-		parsedKey, parsedCipherFunc, err := ske.Decrypt(passphrase)
-		if err != nil {
-			t.Errorf("cipher(%s) failed to decrypt reparsed SKE: %s", test.name, err)
-			continue
-		}
-		if !bytes.Equal(key, parsedKey) {
-			t.Errorf("cipher(%s) keys don't match after Decrypt: %x (original) vs %x (parsed)", test.name, key, parsedKey)
-		}
-		if parsedCipherFunc != test.cipherFunc {
-			t.Errorf("cipher(%s) cipher function doesn't match after Decrypt: %d (original) vs %d (parsed)",
-				test.name, test.cipherFunc, parsedCipherFunc)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
deleted file mode 100644
index 6126030e..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
+++ /dev/null
@@ -1,290 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"crypto/cipher"
-	"crypto/sha1"
-	"crypto/subtle"
-	"golang.org/x/crypto/openpgp/errors"
-	"hash"
-	"io"
-	"strconv"
-)
-
-// SymmetricallyEncrypted represents a symmetrically encrypted byte string. The
-// encrypted contents will consist of more OpenPGP packets. See RFC 4880,
-// sections 5.7 and 5.13.
-type SymmetricallyEncrypted struct {
-	MDC      bool // true iff this is a type 18 packet and thus has an embedded MAC.
-	contents io.Reader
-	prefix   []byte
-}
-
-const symmetricallyEncryptedVersion = 1
-
-func (se *SymmetricallyEncrypted) parse(r io.Reader) error {
-	if se.MDC {
-		// See RFC 4880, section 5.13.
-		var buf [1]byte
-		_, err := readFull(r, buf[:])
-		if err != nil {
-			return err
-		}
-		if buf[0] != symmetricallyEncryptedVersion {
-			return errors.UnsupportedError("unknown SymmetricallyEncrypted version")
-		}
-	}
-	se.contents = r
-	return nil
-}
-
-// Decrypt returns a ReadCloser, from which the decrypted contents of the
-// packet can be read. An incorrect key can, with high probability, be detected
-// immediately and this will result in a KeyIncorrect error being returned.
-func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) {
-	keySize := c.KeySize()
-	if keySize == 0 {
-		return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c)))
-	}
-	if len(key) != keySize {
-		return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length")
-	}
-
-	if se.prefix == nil {
-		se.prefix = make([]byte, c.blockSize()+2)
-		_, err := readFull(se.contents, se.prefix)
-		if err != nil {
-			return nil, err
-		}
-	} else if len(se.prefix) != c.blockSize()+2 {
-		return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths")
-	}
-
-	ocfbResync := OCFBResync
-	if se.MDC {
-		// MDC packets use a different form of OCFB mode.
-		ocfbResync = OCFBNoResync
-	}
-
-	s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync)
-	if s == nil {
-		return nil, errors.ErrKeyIncorrect
-	}
-
-	plaintext := cipher.StreamReader{S: s, R: se.contents}
-
-	if se.MDC {
-		// MDC packets have an embedded hash that we need to check.
-		h := sha1.New()
-		h.Write(se.prefix)
-		return &seMDCReader{in: plaintext, h: h}, nil
-	}
-
-	// Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser.
-	return seReader{plaintext}, nil
-}
-
-// seReader wraps an io.Reader with a no-op Close method.
-type seReader struct {
-	in io.Reader
-}
-
-func (ser seReader) Read(buf []byte) (int, error) {
-	return ser.in.Read(buf)
-}
-
-func (ser seReader) Close() error {
-	return nil
-}
-
-const mdcTrailerSize = 1 /* tag byte */ + 1 /* length byte */ + sha1.Size
-
-// An seMDCReader wraps an io.Reader, maintains a running hash and keeps hold
-// of the most recent 22 bytes (mdcTrailerSize). Upon EOF, those bytes form an
-// MDC packet containing a hash of the previous contents which is checked
-// against the running hash. See RFC 4880, section 5.13.
-type seMDCReader struct {
-	in          io.Reader
-	h           hash.Hash
-	trailer     [mdcTrailerSize]byte
-	scratch     [mdcTrailerSize]byte
-	trailerUsed int
-	error       bool
-	eof         bool
-}
-
-func (ser *seMDCReader) Read(buf []byte) (n int, err error) {
-	if ser.error {
-		err = io.ErrUnexpectedEOF
-		return
-	}
-	if ser.eof {
-		err = io.EOF
-		return
-	}
-
-	// If we haven't yet filled the trailer buffer then we must do that
-	// first.
-	for ser.trailerUsed < mdcTrailerSize {
-		n, err = ser.in.Read(ser.trailer[ser.trailerUsed:])
-		ser.trailerUsed += n
-		if err == io.EOF {
-			if ser.trailerUsed != mdcTrailerSize {
-				n = 0
-				err = io.ErrUnexpectedEOF
-				ser.error = true
-				return
-			}
-			ser.eof = true
-			n = 0
-			return
-		}
-
-		if err != nil {
-			n = 0
-			return
-		}
-	}
-
-	// If it's a short read then we read into a temporary buffer and shift
-	// the data into the caller's buffer.
-	if len(buf) <= mdcTrailerSize {
-		n, err = readFull(ser.in, ser.scratch[:len(buf)])
-		copy(buf, ser.trailer[:n])
-		ser.h.Write(buf[:n])
-		copy(ser.trailer[:], ser.trailer[n:])
-		copy(ser.trailer[mdcTrailerSize-n:], ser.scratch[:])
-		if n < len(buf) {
-			ser.eof = true
-			err = io.EOF
-		}
-		return
-	}
-
-	n, err = ser.in.Read(buf[mdcTrailerSize:])
-	copy(buf, ser.trailer[:])
-	ser.h.Write(buf[:n])
-	copy(ser.trailer[:], buf[n:])
-
-	if err == io.EOF {
-		ser.eof = true
-	}
-	return
-}
-
-// This is a new-format packet tag byte for a type 19 (MDC) packet.
-const mdcPacketTagByte = byte(0x80) | 0x40 | 19
-
-func (ser *seMDCReader) Close() error {
-	if ser.error {
-		return errors.SignatureError("error during reading")
-	}
-
-	for !ser.eof {
-		// We haven't seen EOF so we need to read to the end
-		var buf [1024]byte
-		_, err := ser.Read(buf[:])
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return errors.SignatureError("error during reading")
-		}
-	}
-
-	if ser.trailer[0] != mdcPacketTagByte || ser.trailer[1] != sha1.Size {
-		return errors.SignatureError("MDC packet not found")
-	}
-	ser.h.Write(ser.trailer[:2])
-
-	final := ser.h.Sum(nil)
-	if subtle.ConstantTimeCompare(final, ser.trailer[2:]) != 1 {
-		return errors.SignatureError("hash mismatch")
-	}
-	return nil
-}
-
-// An seMDCWriter writes through to an io.WriteCloser while maintains a running
-// hash of the data written. On close, it emits an MDC packet containing the
-// running hash.
-type seMDCWriter struct {
-	w io.WriteCloser
-	h hash.Hash
-}
-
-func (w *seMDCWriter) Write(buf []byte) (n int, err error) {
-	w.h.Write(buf)
-	return w.w.Write(buf)
-}
-
-func (w *seMDCWriter) Close() (err error) {
-	var buf [mdcTrailerSize]byte
-
-	buf[0] = mdcPacketTagByte
-	buf[1] = sha1.Size
-	w.h.Write(buf[:2])
-	digest := w.h.Sum(nil)
-	copy(buf[2:], digest)
-
-	_, err = w.w.Write(buf[:])
-	if err != nil {
-		return
-	}
-	return w.w.Close()
-}
-
-// noOpCloser is like an ioutil.NopCloser, but for an io.Writer.
-type noOpCloser struct {
-	w io.Writer
-}
-
-func (c noOpCloser) Write(data []byte) (n int, err error) {
-	return c.w.Write(data)
-}
-
-func (c noOpCloser) Close() error {
-	return nil
-}
-
-// SerializeSymmetricallyEncrypted serializes a symmetrically encrypted packet
-// to w and returns a WriteCloser to which the to-be-encrypted packets can be
-// written.
-// If config is nil, sensible defaults will be used.
-func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) {
-	if c.KeySize() != len(key) {
-		return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length")
-	}
-	writeCloser := noOpCloser{w}
-	ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC)
-	if err != nil {
-		return
-	}
-
-	_, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion})
-	if err != nil {
-		return
-	}
-
-	block := c.new(key)
-	blockSize := block.BlockSize()
-	iv := make([]byte, blockSize)
-	_, err = config.Random().Read(iv)
-	if err != nil {
-		return
-	}
-	s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync)
-	_, err = ciphertext.Write(prefix)
-	if err != nil {
-		return
-	}
-	plaintext := cipher.StreamWriter{S: s, W: ciphertext}
-
-	h := sha1.New()
-	h.Write(iv)
-	h.Write(iv[blockSize-2:])
-	contents = &seMDCWriter{w: plaintext, h: h}
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted_test.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted_test.go
deleted file mode 100644
index c5c00f7b..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted_test.go
+++ /dev/null
@@ -1,123 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"crypto/sha1"
-	"encoding/hex"
-	"golang.org/x/crypto/openpgp/errors"
-	"io"
-	"io/ioutil"
-	"testing"
-)
-
-// TestReader wraps a []byte and returns reads of a specific length.
-type testReader struct {
-	data   []byte
-	stride int
-}
-
-func (t *testReader) Read(buf []byte) (n int, err error) {
-	n = t.stride
-	if n > len(t.data) {
-		n = len(t.data)
-	}
-	if n > len(buf) {
-		n = len(buf)
-	}
-	copy(buf, t.data)
-	t.data = t.data[n:]
-	if len(t.data) == 0 {
-		err = io.EOF
-	}
-	return
-}
-
-func testMDCReader(t *testing.T) {
-	mdcPlaintext, _ := hex.DecodeString(mdcPlaintextHex)
-
-	for stride := 1; stride < len(mdcPlaintext)/2; stride++ {
-		r := &testReader{data: mdcPlaintext, stride: stride}
-		mdcReader := &seMDCReader{in: r, h: sha1.New()}
-		body, err := ioutil.ReadAll(mdcReader)
-		if err != nil {
-			t.Errorf("stride: %d, error: %s", stride, err)
-			continue
-		}
-		if !bytes.Equal(body, mdcPlaintext[:len(mdcPlaintext)-22]) {
-			t.Errorf("stride: %d: bad contents %x", stride, body)
-			continue
-		}
-
-		err = mdcReader.Close()
-		if err != nil {
-			t.Errorf("stride: %d, error on Close: %s", stride, err)
-		}
-	}
-
-	mdcPlaintext[15] ^= 80
-
-	r := &testReader{data: mdcPlaintext, stride: 2}
-	mdcReader := &seMDCReader{in: r, h: sha1.New()}
-	_, err := ioutil.ReadAll(mdcReader)
-	if err != nil {
-		t.Errorf("corruption test, error: %s", err)
-		return
-	}
-	err = mdcReader.Close()
-	if err == nil {
-		t.Error("corruption: no error")
-	} else if _, ok := err.(*errors.SignatureError); !ok {
-		t.Errorf("corruption: expected SignatureError, got: %s", err)
-	}
-}
-
-const mdcPlaintextHex = "a302789c3b2d93c4e0eb9aba22283539b3203335af44a134afb800c849cb4c4de10200aff40b45d31432c80cb384299a0655966d6939dfdeed1dddf980"
-
-func TestSerialize(t *testing.T) {
-	buf := bytes.NewBuffer(nil)
-	c := CipherAES128
-	key := make([]byte, c.KeySize())
-
-	w, err := SerializeSymmetricallyEncrypted(buf, c, key, nil)
-	if err != nil {
-		t.Errorf("error from SerializeSymmetricallyEncrypted: %s", err)
-		return
-	}
-
-	contents := []byte("hello world\n")
-
-	w.Write(contents)
-	w.Close()
-
-	p, err := Read(buf)
-	if err != nil {
-		t.Errorf("error from Read: %s", err)
-		return
-	}
-
-	se, ok := p.(*SymmetricallyEncrypted)
-	if !ok {
-		t.Errorf("didn't read a *SymmetricallyEncrypted")
-		return
-	}
-
-	r, err := se.Decrypt(c, key)
-	if err != nil {
-		t.Errorf("error from Decrypt: %s", err)
-		return
-	}
-
-	contentsCopy := bytes.NewBuffer(nil)
-	_, err = io.Copy(contentsCopy, r)
-	if err != nil {
-		t.Errorf("error from io.Copy: %s", err)
-		return
-	}
-	if !bytes.Equal(contentsCopy.Bytes(), contents) {
-		t.Errorf("contents not equal got: %x want: %x", contentsCopy.Bytes(), contents)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go b/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go
deleted file mode 100644
index 96a2b382..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go
+++ /dev/null
@@ -1,91 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"image"
-	"image/jpeg"
-	"io"
-	"io/ioutil"
-)
-
-const UserAttrImageSubpacket = 1
-
-// UserAttribute is capable of storing other types of data about a user
-// beyond name, email and a text comment. In practice, user attributes are typically used
-// to store a signed thumbnail photo JPEG image of the user.
-// See RFC 4880, section 5.12.
-type UserAttribute struct {
-	Contents []*OpaqueSubpacket
-}
-
-// NewUserAttributePhoto creates a user attribute packet
-// containing the given images.
-func NewUserAttributePhoto(photos ...image.Image) (uat *UserAttribute, err error) {
-	uat = new(UserAttribute)
-	for _, photo := range photos {
-		var buf bytes.Buffer
-		// RFC 4880, Section 5.12.1.
-		data := []byte{
-			0x10, 0x00, // Little-endian image header length (16 bytes)
-			0x01,       // Image header version 1
-			0x01,       // JPEG
-			0, 0, 0, 0, // 12 reserved octets, must be all zero.
-			0, 0, 0, 0,
-			0, 0, 0, 0}
-		if _, err = buf.Write(data); err != nil {
-			return
-		}
-		if err = jpeg.Encode(&buf, photo, nil); err != nil {
-			return
-		}
-		uat.Contents = append(uat.Contents, &OpaqueSubpacket{
-			SubType:  UserAttrImageSubpacket,
-			Contents: buf.Bytes()})
-	}
-	return
-}
-
-// NewUserAttribute creates a new user attribute packet containing the given subpackets.
-func NewUserAttribute(contents ...*OpaqueSubpacket) *UserAttribute {
-	return &UserAttribute{Contents: contents}
-}
-
-func (uat *UserAttribute) parse(r io.Reader) (err error) {
-	// RFC 4880, section 5.13
-	b, err := ioutil.ReadAll(r)
-	if err != nil {
-		return
-	}
-	uat.Contents, err = OpaqueSubpackets(b)
-	return
-}
-
-// Serialize marshals the user attribute to w in the form of an OpenPGP packet, including
-// header.
-func (uat *UserAttribute) Serialize(w io.Writer) (err error) {
-	var buf bytes.Buffer
-	for _, sp := range uat.Contents {
-		sp.Serialize(&buf)
-	}
-	if err = serializeHeader(w, packetTypeUserAttribute, buf.Len()); err != nil {
-		return err
-	}
-	_, err = w.Write(buf.Bytes())
-	return
-}
-
-// ImageData returns zero or more byte slices, each containing
-// JPEG File Interchange Format (JFIF), for each photo in the
-// the user attribute packet.
-func (uat *UserAttribute) ImageData() (imageData [][]byte) {
-	for _, sp := range uat.Contents {
-		if sp.SubType == UserAttrImageSubpacket && len(sp.Contents) > 16 {
-			imageData = append(imageData, sp.Contents[16:])
-		}
-	}
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userattribute_test.go b/vendor/golang.org/x/crypto/openpgp/packet/userattribute_test.go
deleted file mode 100644
index 13ca5143..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/userattribute_test.go
+++ /dev/null
@@ -1,109 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"bytes"
-	"encoding/base64"
-	"image/color"
-	"image/jpeg"
-	"testing"
-)
-
-func TestParseUserAttribute(t *testing.T) {
-	r := base64.NewDecoder(base64.StdEncoding, bytes.NewBufferString(userAttributePacket))
-	for i := 0; i < 2; i++ {
-		p, err := Read(r)
-		if err != nil {
-			t.Fatal(err)
-		}
-		uat := p.(*UserAttribute)
-		imgs := uat.ImageData()
-		if len(imgs) != 1 {
-			t.Errorf("Unexpected number of images in user attribute packet: %d", len(imgs))
-		}
-		if len(imgs[0]) != 3395 {
-			t.Errorf("Unexpected JPEG image size: %d", len(imgs[0]))
-		}
-		img, err := jpeg.Decode(bytes.NewBuffer(imgs[0]))
-		if err != nil {
-			t.Errorf("Error decoding JPEG image: %v", err)
-		}
-		// A pixel in my right eye.
-		pixel := color.NRGBAModel.Convert(img.At(56, 36))
-		ref := color.NRGBA{R: 157, G: 128, B: 124, A: 255}
-		if pixel != ref {
-			t.Errorf("Unexpected pixel color: %v", pixel)
-		}
-		w := bytes.NewBuffer(nil)
-		err = uat.Serialize(w)
-		if err != nil {
-			t.Errorf("Error writing user attribute: %v", err)
-		}
-		r = bytes.NewBuffer(w.Bytes())
-	}
-}
-
-const userAttributePacket = `
-0cyWzJQBEAABAQAAAAAAAAAAAAAAAP/Y/+AAEEpGSUYAAQIAAAEAAQAA/9sAQwAFAwQEBAMFBAQE
-BQUFBgcMCAcHBwcPCgsJDBEPEhIRDxEQExYcFxMUGhUQERghGBocHR8fHxMXIiQiHiQcHh8e/9sA
-QwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e
-Hh4eHh4eHh4e/8AAEQgAZABkAwEiAAIRAQMRAf/EAB8AAAEFAQEBAQEBAAAAAAAAAAABAgMEBQYH
-CAkKC//EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHw
-JDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6
-g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk
-5ebn6Onq8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIB
-AgQEAwQHBQQEAAECdwABAgMRBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEX
-GBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKT
-lJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX2
-9/j5+v/aAAwDAQACEQMRAD8A5uGP06VehQ4pIox04q5EnHSvAep+hIIl4zVuMHGPWmRrUWtalaaN
-pU2oXsgSGJSxPr6ClvoitErs0Itqjc7BQOpPAFYmrfEnwjojtHNqaXEynBjtx5hH4jj9a8B8d+Od
-W8UXZjWR4LJT+7t0Jwfc+prnIdO1CWZEW2mZ3HyDactXXDB3V5s8evm1namj6r0H4weCLtxG+ova
-ueP30RA/MV6not1bX0Ed1ZzxzwyDKvGwZSPqK+Ff+ES8R8t/ZV2oHUmM10Hgbxp4m8BatEfNnWBH
-/eWshOxx9Kmpg4te49RUM1kn+8Wh9zQ4P1FaMC7l465rjPh14y0fxnoseoaXOpfaPOgJ+eI98j09
-67W19M15bi4uzPSqTU480WXkjZkAyAR61DPE6OCSOalWRRgZxjvTb598sfU4FBwx5uY4T4feIm8P
-TeJbAgc65NIM+8cX+FFeLfF3Vr3SfiNrMFrMypJMJcDPUqP8KK+kpVFyLU+ar037SXqX4hxVpMY7
-1UhPpVlT2rybKx9smWYz3NeH/EDVLzxt40j8O6bITaQybPlbKkjq39K9O8fasdH8IahfKxWQRFIy
-Ou9uB/OuE/Z/0y3j1d9TuyoZCMs5xjuea1pLli5nn46q240l13PcfhN8EvDNtpcEl/CklyVBLuMk
-mvU/Dfwo0BL/AO13FjEDD/qyV7Vn+CvGPg8zRpJrVm8ikLtEg6+1ew2dxZ3EQaJgysuQPasH7eXW
-1zzsbVhT92kk/PsYieEND+zlPs6c/wCyAPyryH4wfCPRtW0u6j+xRLOxLxSoADkDpXY+MPjJ4c0S
-9k082d3O8ZKkxw5XI96ytK+IGk+IpFjRpod+Qq3C7QT6A1E6NenaXbqRg6rlLlqS0fRnxjpd1r/w
-w8afa7GWRPKbZLGeBKmeVNfZngLxNaeKfDdprVjxHcLlkJ5Vh1H5185/tDad9h8XOsqAw3Cb0cjq
-CfX61P8AsveKf7L8T3fhe5nxa3g324YniQdh9R/KuivTdSmp9TXB1/Z1nRlsfU249QBx1pWfcwI7
-Cq6u2Ovamb9rYz16V5x7Psz5q/aJhZfibcupIElvE3H+7j+lFbXx9szP45jlUfeso8/99OKK9elL
-3EeNVopzZVharCtxVRGGMk02S5JyFOB69zWTieypnL/GksfB+0cr9oQt69awPhPpD69Y3Ky3DWth
-CWluGU4LAdq3vibGs/g68BJygVxjrwRW5+ztoRv/AAs8EeCZnO/J/hzz/Kumi4wp3kePjlOdZKPY
-ml8Mvo6WM9ppi7J0EkQYMzkb1X0wW+bJHGACa+ivg14huZPCkjXUO6SImIYOQAP6UQ2sGneHmiWF
-CYoSAAuM8etXfhBpMr+EZ3SSNRcMx6ZxWdes6ytBGSwkMNFuo7pnP614Ut9Zn1C4uLySKcwObGFA
-Qnm4+XcR71h+CfDHiKCQWuv2YWFtw+bBZQD8rcE8n2Ney+GbGGQSM6I7xvtI681rXdp8hKRRp6t3
-FYPE1VDlsY1nQjWdl+J8w/tOeDZZ/AMd/EGefTHyxxyYjwfyODXg3waRh8UtEcFh+8Jb8FNfZPxh
-Ak8J6nbPIsiyW7LnseK+Ofh99ptPHFnf2lu0y2twGcKuSEPB/Q1WHk50miq1o14TXU+xop+On61H
-NMC6Nis1LgsAcUTSt1APFcXJZn0EqmhyvxA037friTYziBV6f7Tf40Vr3k4aXLx5OMZIzRXZB2ik
-efJXbPHJJcnaD9aN2R1qoGO8/WkuLlIV+YjdjpXSonQ5lTxfiTwzqCnkeQxx9BWx+zPrQsrBFYja
-zEfrXL6lfie3khcjY6lSPUGud+G3iA6FrY0uQ/KJsA9gCa0jSvFpnBi6tpKSPu++nsIfDFxeXciR
-qIicscY4rxTwB8RUkn1axsPEf2LTYx85kTGzqCUP8VcJ47+JOs+I0Hhq1njjt/ufIeSvq1VtE+Gs
-eoaUbSHUrkHdu3WtuX5Ix81XRh7OL5jirVpV5Whdn0F8C/iX4auVn0i612T7bASoe8wjTAd89K9g
-vtSt5NMa4t5lkRhgOh3Dn6V8aaz8KZrIR3OlQ6r56LySmSxxz06Vo/CHx34h0rxBP4XvJ5AjK2RP
-nEbAEj6ZxjPrWM6fMmoswqJxqJ1VZnqHxn1NLPwveqWHmNC2BnnNcD8DfDkGi+CH1m+ijN1qMzNA
-4GSIiAMf+hVxPxU8Tapc3c0F9MGCn5GU5BX0Pau3+HmrT3XgXSIJCBHDGdgAx1NYSpezha52Yauq
-1dya2Wh2onAIwTj1p0lxxWWLkhRyCKWa5O3ORXOos9KVQluZm83j0oqi84JyWH50Vdmc7ep43d3I
-t1Z2Iz2FYdxeSTsxyRnvTdVuDNcNluM9KrKcg817NOnZGNbEXdkNckjrXGeIIprPxFFdRHAlIwem
-COtdmxrG8Q2cd/ZNExw45RvQ1bVjim+dWNzw7eaTD4mN3dndCQCo6hmI5zXpj/Ea/wBHjkh0kwRW
-xXEfl4yTxXzXZalJDL9nuWKMmRnHcV2Hh3WreCyYXW2SWQhd5P3F6n+lS43d2cTm6d7Ox9EWPxH1
-ODQxPqWpCaSU/ukUc4z3/WvKW8UhviAdaMewYZG98gj9c1ymoa8LyWOJHwkTDaVPb0qpr+q2m6Nb
-cfvNo349az9mou9iZVXNWbub3jm98/Vza2ReV7lsJg/e3dsV654UR9N0K0sZP9ZDGFbHr3rzL4P+
-H7rXfEEWr3I3W1qf3IYdW9fwqDxf4k8UeH/G95p08kscHmk25dPlZT0we9YTj7SXKjpw1aNG8mj3
-FLv5ccU959ycnmvKPDnxB82YQarGsZPAlTp+IrvIr1ZIgySKwIyCOhFYTpyg9T0qWIhVV4svzPvf
-IdhgY4orPachj81FRdmtzxqdiZmJ9aQEgdqZcPtmbJ71DJcAZ5r20kkeXJtsfPIQDwPzrG1a+S3i
-LyHAHvmp7y7HOD1rlNdm+1T7Acovf3o+J2RMpezjzMvrob67pX9o2ShZlYgg/wAWKxZLLWLZ/Ke3
-mVh14yK9M+BMC3dre2ko3LHKCB7EV7EngeGQJdQ7HyBkMKS0djgq1W3c+XtK03U522RwzsTwNiEk
-ntXoHgf4calql9El/G8UZbLfLyfr7V9FeGvh+s+0Lbxxcglu2K1NW1nwN4Gk/wBLuI57tV5jjwzE
-/QVNS+0dWYRqNvXRFv4eeCodKsY1ggVIY1G3K4z714h+1Jqul3GpwaXYeXJLbzgyyrg4b+6D+HNb
-vjz436zq9m+naHF/ZdkeGfOZXH17V4Vqt2b29K+ZuOc5bnce5zWdPBShL2lTfojSeJhy+zp/NjVz
-1Bwa6DSfFGq6fbJFDKrov8DjPFcu97ZxsUe4jVhwVJ5Bpp1mwQiLewJPXacVq6fNpYyjOUXdHoKf
-EG8VQHsInbuVcgflRXnt5fIs2FYHgcgUVi8LG+xusdW/mN7U2KgEVkTzPt60UVfQ9eHxGHrV1MGi
-iD4V25x1qvdgLAMd6KK0pbHm4x++dp8FtUubLxJ5EIjMc+A4Za+qfD8pe1JZVOBmiinW3RyRPMfi
-R8QPE638+k2l6LK0Hylbddhb6nOa80mlkcmWR2kcnlnOSaKK7qCXKcNdu5narcSrAoBxvODWJIga
-VckjDdqKKwq/EaQ0gUdbjQ6mr7QGBUcd6tPBC6gtGpOOuKKKie5qn7qIpEXd0HSiiimSf//Z`
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userid.go b/vendor/golang.org/x/crypto/openpgp/packet/userid.go
deleted file mode 100644
index d6bea7d4..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/userid.go
+++ /dev/null
@@ -1,160 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"io"
-	"io/ioutil"
-	"strings"
-)
-
-// UserId contains text that is intended to represent the name and email
-// address of the key holder. See RFC 4880, section 5.11. By convention, this
-// takes the form "Full Name (Comment) <email@example.com>"
-type UserId struct {
-	Id string // By convention, this takes the form "Full Name (Comment) <email@example.com>" which is split out in the fields below.
-
-	Name, Comment, Email string
-}
-
-func hasInvalidCharacters(s string) bool {
-	for _, c := range s {
-		switch c {
-		case '(', ')', '<', '>', 0:
-			return true
-		}
-	}
-	return false
-}
-
-// NewUserId returns a UserId or nil if any of the arguments contain invalid
-// characters. The invalid characters are '\x00', '(', ')', '<' and '>'
-func NewUserId(name, comment, email string) *UserId {
-	// RFC 4880 doesn't deal with the structure of userid strings; the
-	// name, comment and email form is just a convention. However, there's
-	// no convention about escaping the metacharacters and GPG just refuses
-	// to create user ids where, say, the name contains a '('. We mirror
-	// this behaviour.
-
-	if hasInvalidCharacters(name) || hasInvalidCharacters(comment) || hasInvalidCharacters(email) {
-		return nil
-	}
-
-	uid := new(UserId)
-	uid.Name, uid.Comment, uid.Email = name, comment, email
-	uid.Id = name
-	if len(comment) > 0 {
-		if len(uid.Id) > 0 {
-			uid.Id += " "
-		}
-		uid.Id += "("
-		uid.Id += comment
-		uid.Id += ")"
-	}
-	if len(email) > 0 {
-		if len(uid.Id) > 0 {
-			uid.Id += " "
-		}
-		uid.Id += "<"
-		uid.Id += email
-		uid.Id += ">"
-	}
-	return uid
-}
-
-func (uid *UserId) parse(r io.Reader) (err error) {
-	// RFC 4880, section 5.11
-	b, err := ioutil.ReadAll(r)
-	if err != nil {
-		return
-	}
-	uid.Id = string(b)
-	uid.Name, uid.Comment, uid.Email = parseUserId(uid.Id)
-	return
-}
-
-// Serialize marshals uid to w in the form of an OpenPGP packet, including
-// header.
-func (uid *UserId) Serialize(w io.Writer) error {
-	err := serializeHeader(w, packetTypeUserId, len(uid.Id))
-	if err != nil {
-		return err
-	}
-	_, err = w.Write([]byte(uid.Id))
-	return err
-}
-
-// parseUserId extracts the name, comment and email from a user id string that
-// is formatted as "Full Name (Comment) <email@example.com>".
-func parseUserId(id string) (name, comment, email string) {
-	var n, c, e struct {
-		start, end int
-	}
-	var state int
-
-	for offset, rune := range id {
-		switch state {
-		case 0:
-			// Entering name
-			n.start = offset
-			state = 1
-			fallthrough
-		case 1:
-			// In name
-			if rune == '(' {
-				state = 2
-				n.end = offset
-			} else if rune == '<' {
-				state = 5
-				n.end = offset
-			}
-		case 2:
-			// Entering comment
-			c.start = offset
-			state = 3
-			fallthrough
-		case 3:
-			// In comment
-			if rune == ')' {
-				state = 4
-				c.end = offset
-			}
-		case 4:
-			// Between comment and email
-			if rune == '<' {
-				state = 5
-			}
-		case 5:
-			// Entering email
-			e.start = offset
-			state = 6
-			fallthrough
-		case 6:
-			// In email
-			if rune == '>' {
-				state = 7
-				e.end = offset
-			}
-		default:
-			// After email
-		}
-	}
-	switch state {
-	case 1:
-		// ended in the name
-		n.end = len(id)
-	case 3:
-		// ended in comment
-		c.end = len(id)
-	case 6:
-		// ended in email
-		e.end = len(id)
-	}
-
-	name = strings.TrimSpace(id[n.start:n.end])
-	comment = strings.TrimSpace(id[c.start:c.end])
-	email = strings.TrimSpace(id[e.start:e.end])
-	return
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userid_test.go b/vendor/golang.org/x/crypto/openpgp/packet/userid_test.go
deleted file mode 100644
index 29681938..00000000
--- a/vendor/golang.org/x/crypto/openpgp/packet/userid_test.go
+++ /dev/null
@@ -1,87 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	"testing"
-)
-
-var userIdTests = []struct {
-	id                   string
-	name, comment, email string
-}{
-	{"", "", "", ""},
-	{"John Smith", "John Smith", "", ""},
-	{"John Smith ()", "John Smith", "", ""},
-	{"John Smith () <>", "John Smith", "", ""},
-	{"(comment", "", "comment", ""},
-	{"(comment)", "", "comment", ""},
-	{"<email", "", "", "email"},
-	{"<email>   sdfk", "", "", "email"},
-	{"  John Smith  (  Comment ) asdkflj < email > lksdfj", "John Smith", "Comment", "email"},
-	{"  John Smith  < email > lksdfj", "John Smith", "", "email"},
-	{"(<foo", "", "<foo", ""},
-	{"René Descartes (العربي)", "René Descartes", "العربي", ""},
-}
-
-func TestParseUserId(t *testing.T) {
-	for i, test := range userIdTests {
-		name, comment, email := parseUserId(test.id)
-		if name != test.name {
-			t.Errorf("%d: name mismatch got:%s want:%s", i, name, test.name)
-		}
-		if comment != test.comment {
-			t.Errorf("%d: comment mismatch got:%s want:%s", i, comment, test.comment)
-		}
-		if email != test.email {
-			t.Errorf("%d: email mismatch got:%s want:%s", i, email, test.email)
-		}
-	}
-}
-
-var newUserIdTests = []struct {
-	name, comment, email, id string
-}{
-	{"foo", "", "", "foo"},
-	{"", "bar", "", "(bar)"},
-	{"", "", "baz", "<baz>"},
-	{"foo", "bar", "", "foo (bar)"},
-	{"foo", "", "baz", "foo <baz>"},
-	{"", "bar", "baz", "(bar) <baz>"},
-	{"foo", "bar", "baz", "foo (bar) <baz>"},
-}
-
-func TestNewUserId(t *testing.T) {
-	for i, test := range newUserIdTests {
-		uid := NewUserId(test.name, test.comment, test.email)
-		if uid == nil {
-			t.Errorf("#%d: returned nil", i)
-			continue
-		}
-		if uid.Id != test.id {
-			t.Errorf("#%d: got '%s', want '%s'", i, uid.Id, test.id)
-		}
-	}
-}
-
-var invalidNewUserIdTests = []struct {
-	name, comment, email string
-}{
-	{"foo(", "", ""},
-	{"foo<", "", ""},
-	{"", "bar)", ""},
-	{"", "bar<", ""},
-	{"", "", "baz>"},
-	{"", "", "baz)"},
-	{"", "", "baz\x00"},
-}
-
-func TestNewUserIdWithInvalidInput(t *testing.T) {
-	for i, test := range invalidNewUserIdTests {
-		if uid := NewUserId(test.name, test.comment, test.email); uid != nil {
-			t.Errorf("#%d: returned non-nil value: %#v", i, uid)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/read.go b/vendor/golang.org/x/crypto/openpgp/read.go
deleted file mode 100644
index 6ec664f4..00000000
--- a/vendor/golang.org/x/crypto/openpgp/read.go
+++ /dev/null
@@ -1,442 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package openpgp implements high level operations on OpenPGP messages.
-package openpgp // import "golang.org/x/crypto/openpgp"
-
-import (
-	"crypto"
-	_ "crypto/sha256"
-	"hash"
-	"io"
-	"strconv"
-
-	"golang.org/x/crypto/openpgp/armor"
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/packet"
-)
-
-// SignatureType is the armor type for a PGP signature.
-var SignatureType = "PGP SIGNATURE"
-
-// readArmored reads an armored block with the given type.
-func readArmored(r io.Reader, expectedType string) (body io.Reader, err error) {
-	block, err := armor.Decode(r)
-	if err != nil {
-		return
-	}
-
-	if block.Type != expectedType {
-		return nil, errors.InvalidArgumentError("expected '" + expectedType + "', got: " + block.Type)
-	}
-
-	return block.Body, nil
-}
-
-// MessageDetails contains the result of parsing an OpenPGP encrypted and/or
-// signed message.
-type MessageDetails struct {
-	IsEncrypted              bool                // true if the message was encrypted.
-	EncryptedToKeyIds        []uint64            // the list of recipient key ids.
-	IsSymmetricallyEncrypted bool                // true if a passphrase could have decrypted the message.
-	DecryptedWith            Key                 // the private key used to decrypt the message, if any.
-	IsSigned                 bool                // true if the message is signed.
-	SignedByKeyId            uint64              // the key id of the signer, if any.
-	SignedBy                 *Key                // the key of the signer, if available.
-	LiteralData              *packet.LiteralData // the metadata of the contents
-	UnverifiedBody           io.Reader           // the contents of the message.
-
-	// If IsSigned is true and SignedBy is non-zero then the signature will
-	// be verified as UnverifiedBody is read. The signature cannot be
-	// checked until the whole of UnverifiedBody is read so UnverifiedBody
-	// must be consumed until EOF before the data can be trusted. Even if a
-	// message isn't signed (or the signer is unknown) the data may contain
-	// an authentication code that is only checked once UnverifiedBody has
-	// been consumed. Once EOF has been seen, the following fields are
-	// valid. (An authentication code failure is reported as a
-	// SignatureError error when reading from UnverifiedBody.)
-	SignatureError error               // nil if the signature is good.
-	Signature      *packet.Signature   // the signature packet itself, if v4 (default)
-	SignatureV3    *packet.SignatureV3 // the signature packet if it is a v2 or v3 signature
-
-	decrypted io.ReadCloser
-}
-
-// A PromptFunction is used as a callback by functions that may need to decrypt
-// a private key, or prompt for a passphrase. It is called with a list of
-// acceptable, encrypted private keys and a boolean that indicates whether a
-// passphrase is usable. It should either decrypt a private key or return a
-// passphrase to try. If the decrypted private key or given passphrase isn't
-// correct, the function will be called again, forever. Any error returned will
-// be passed up.
-type PromptFunction func(keys []Key, symmetric bool) ([]byte, error)
-
-// A keyEnvelopePair is used to store a private key with the envelope that
-// contains a symmetric key, encrypted with that key.
-type keyEnvelopePair struct {
-	key          Key
-	encryptedKey *packet.EncryptedKey
-}
-
-// ReadMessage parses an OpenPGP message that may be signed and/or encrypted.
-// The given KeyRing should contain both public keys (for signature
-// verification) and, possibly encrypted, private keys for decrypting.
-// If config is nil, sensible defaults will be used.
-func ReadMessage(r io.Reader, keyring KeyRing, prompt PromptFunction, config *packet.Config) (md *MessageDetails, err error) {
-	var p packet.Packet
-
-	var symKeys []*packet.SymmetricKeyEncrypted
-	var pubKeys []keyEnvelopePair
-	var se *packet.SymmetricallyEncrypted
-
-	packets := packet.NewReader(r)
-	md = new(MessageDetails)
-	md.IsEncrypted = true
-
-	// The message, if encrypted, starts with a number of packets
-	// containing an encrypted decryption key. The decryption key is either
-	// encrypted to a public key, or with a passphrase. This loop
-	// collects these packets.
-ParsePackets:
-	for {
-		p, err = packets.Next()
-		if err != nil {
-			return nil, err
-		}
-		switch p := p.(type) {
-		case *packet.SymmetricKeyEncrypted:
-			// This packet contains the decryption key encrypted with a passphrase.
-			md.IsSymmetricallyEncrypted = true
-			symKeys = append(symKeys, p)
-		case *packet.EncryptedKey:
-			// This packet contains the decryption key encrypted to a public key.
-			md.EncryptedToKeyIds = append(md.EncryptedToKeyIds, p.KeyId)
-			switch p.Algo {
-			case packet.PubKeyAlgoRSA, packet.PubKeyAlgoRSAEncryptOnly, packet.PubKeyAlgoElGamal:
-				break
-			default:
-				continue
-			}
-			var keys []Key
-			if p.KeyId == 0 {
-				keys = keyring.DecryptionKeys()
-			} else {
-				keys = keyring.KeysById(p.KeyId)
-			}
-			for _, k := range keys {
-				pubKeys = append(pubKeys, keyEnvelopePair{k, p})
-			}
-		case *packet.SymmetricallyEncrypted:
-			se = p
-			break ParsePackets
-		case *packet.Compressed, *packet.LiteralData, *packet.OnePassSignature:
-			// This message isn't encrypted.
-			if len(symKeys) != 0 || len(pubKeys) != 0 {
-				return nil, errors.StructuralError("key material not followed by encrypted message")
-			}
-			packets.Unread(p)
-			return readSignedMessage(packets, nil, keyring)
-		}
-	}
-
-	var candidates []Key
-	var decrypted io.ReadCloser
-
-	// Now that we have the list of encrypted keys we need to decrypt at
-	// least one of them or, if we cannot, we need to call the prompt
-	// function so that it can decrypt a key or give us a passphrase.
-FindKey:
-	for {
-		// See if any of the keys already have a private key available
-		candidates = candidates[:0]
-		candidateFingerprints := make(map[string]bool)
-
-		for _, pk := range pubKeys {
-			if pk.key.PrivateKey == nil {
-				continue
-			}
-			if !pk.key.PrivateKey.Encrypted {
-				if len(pk.encryptedKey.Key) == 0 {
-					pk.encryptedKey.Decrypt(pk.key.PrivateKey, config)
-				}
-				if len(pk.encryptedKey.Key) == 0 {
-					continue
-				}
-				decrypted, err = se.Decrypt(pk.encryptedKey.CipherFunc, pk.encryptedKey.Key)
-				if err != nil && err != errors.ErrKeyIncorrect {
-					return nil, err
-				}
-				if decrypted != nil {
-					md.DecryptedWith = pk.key
-					break FindKey
-				}
-			} else {
-				fpr := string(pk.key.PublicKey.Fingerprint[:])
-				if v := candidateFingerprints[fpr]; v {
-					continue
-				}
-				candidates = append(candidates, pk.key)
-				candidateFingerprints[fpr] = true
-			}
-		}
-
-		if len(candidates) == 0 && len(symKeys) == 0 {
-			return nil, errors.ErrKeyIncorrect
-		}
-
-		if prompt == nil {
-			return nil, errors.ErrKeyIncorrect
-		}
-
-		passphrase, err := prompt(candidates, len(symKeys) != 0)
-		if err != nil {
-			return nil, err
-		}
-
-		// Try the symmetric passphrase first
-		if len(symKeys) != 0 && passphrase != nil {
-			for _, s := range symKeys {
-				key, cipherFunc, err := s.Decrypt(passphrase)
-				if err == nil {
-					decrypted, err = se.Decrypt(cipherFunc, key)
-					if err != nil && err != errors.ErrKeyIncorrect {
-						return nil, err
-					}
-					if decrypted != nil {
-						break FindKey
-					}
-				}
-
-			}
-		}
-	}
-
-	md.decrypted = decrypted
-	if err := packets.Push(decrypted); err != nil {
-		return nil, err
-	}
-	return readSignedMessage(packets, md, keyring)
-}
-
-// readSignedMessage reads a possibly signed message if mdin is non-zero then
-// that structure is updated and returned. Otherwise a fresh MessageDetails is
-// used.
-func readSignedMessage(packets *packet.Reader, mdin *MessageDetails, keyring KeyRing) (md *MessageDetails, err error) {
-	if mdin == nil {
-		mdin = new(MessageDetails)
-	}
-	md = mdin
-
-	var p packet.Packet
-	var h hash.Hash
-	var wrappedHash hash.Hash
-FindLiteralData:
-	for {
-		p, err = packets.Next()
-		if err != nil {
-			return nil, err
-		}
-		switch p := p.(type) {
-		case *packet.Compressed:
-			if err := packets.Push(p.Body); err != nil {
-				return nil, err
-			}
-		case *packet.OnePassSignature:
-			if !p.IsLast {
-				return nil, errors.UnsupportedError("nested signatures")
-			}
-
-			h, wrappedHash, err = hashForSignature(p.Hash, p.SigType)
-			if err != nil {
-				md = nil
-				return
-			}
-
-			md.IsSigned = true
-			md.SignedByKeyId = p.KeyId
-			keys := keyring.KeysByIdUsage(p.KeyId, packet.KeyFlagSign)
-			if len(keys) > 0 {
-				md.SignedBy = &keys[0]
-			}
-		case *packet.LiteralData:
-			md.LiteralData = p
-			break FindLiteralData
-		}
-	}
-
-	if md.SignedBy != nil {
-		md.UnverifiedBody = &signatureCheckReader{packets, h, wrappedHash, md}
-	} else if md.decrypted != nil {
-		md.UnverifiedBody = checkReader{md}
-	} else {
-		md.UnverifiedBody = md.LiteralData.Body
-	}
-
-	return md, nil
-}
-
-// hashForSignature returns a pair of hashes that can be used to verify a
-// signature. The signature may specify that the contents of the signed message
-// should be preprocessed (i.e. to normalize line endings). Thus this function
-// returns two hashes. The second should be used to hash the message itself and
-// performs any needed preprocessing.
-func hashForSignature(hashId crypto.Hash, sigType packet.SignatureType) (hash.Hash, hash.Hash, error) {
-	if !hashId.Available() {
-		return nil, nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashId)))
-	}
-	h := hashId.New()
-
-	switch sigType {
-	case packet.SigTypeBinary:
-		return h, h, nil
-	case packet.SigTypeText:
-		return h, NewCanonicalTextHash(h), nil
-	}
-
-	return nil, nil, errors.UnsupportedError("unsupported signature type: " + strconv.Itoa(int(sigType)))
-}
-
-// checkReader wraps an io.Reader from a LiteralData packet. When it sees EOF
-// it closes the ReadCloser from any SymmetricallyEncrypted packet to trigger
-// MDC checks.
-type checkReader struct {
-	md *MessageDetails
-}
-
-func (cr checkReader) Read(buf []byte) (n int, err error) {
-	n, err = cr.md.LiteralData.Body.Read(buf)
-	if err == io.EOF {
-		mdcErr := cr.md.decrypted.Close()
-		if mdcErr != nil {
-			err = mdcErr
-		}
-	}
-	return
-}
-
-// signatureCheckReader wraps an io.Reader from a LiteralData packet and hashes
-// the data as it is read. When it sees an EOF from the underlying io.Reader
-// it parses and checks a trailing Signature packet and triggers any MDC checks.
-type signatureCheckReader struct {
-	packets        *packet.Reader
-	h, wrappedHash hash.Hash
-	md             *MessageDetails
-}
-
-func (scr *signatureCheckReader) Read(buf []byte) (n int, err error) {
-	n, err = scr.md.LiteralData.Body.Read(buf)
-	scr.wrappedHash.Write(buf[:n])
-	if err == io.EOF {
-		var p packet.Packet
-		p, scr.md.SignatureError = scr.packets.Next()
-		if scr.md.SignatureError != nil {
-			return
-		}
-
-		var ok bool
-		if scr.md.Signature, ok = p.(*packet.Signature); ok {
-			scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature)
-		} else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok {
-			scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3)
-		} else {
-			scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature")
-			return
-		}
-
-		// The SymmetricallyEncrypted packet, if any, might have an
-		// unsigned hash of its own. In order to check this we need to
-		// close that Reader.
-		if scr.md.decrypted != nil {
-			mdcErr := scr.md.decrypted.Close()
-			if mdcErr != nil {
-				err = mdcErr
-			}
-		}
-	}
-	return
-}
-
-// CheckDetachedSignature takes a signed file and a detached signature and
-// returns the signer if the signature is valid. If the signer isn't known,
-// ErrUnknownIssuer is returned.
-func CheckDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) {
-	var issuerKeyId uint64
-	var hashFunc crypto.Hash
-	var sigType packet.SignatureType
-	var keys []Key
-	var p packet.Packet
-
-	packets := packet.NewReader(signature)
-	for {
-		p, err = packets.Next()
-		if err == io.EOF {
-			return nil, errors.ErrUnknownIssuer
-		}
-		if err != nil {
-			return nil, err
-		}
-
-		switch sig := p.(type) {
-		case *packet.Signature:
-			if sig.IssuerKeyId == nil {
-				return nil, errors.StructuralError("signature doesn't have an issuer")
-			}
-			issuerKeyId = *sig.IssuerKeyId
-			hashFunc = sig.Hash
-			sigType = sig.SigType
-		case *packet.SignatureV3:
-			issuerKeyId = sig.IssuerKeyId
-			hashFunc = sig.Hash
-			sigType = sig.SigType
-		default:
-			return nil, errors.StructuralError("non signature packet found")
-		}
-
-		keys = keyring.KeysByIdUsage(issuerKeyId, packet.KeyFlagSign)
-		if len(keys) > 0 {
-			break
-		}
-	}
-
-	if len(keys) == 0 {
-		panic("unreachable")
-	}
-
-	h, wrappedHash, err := hashForSignature(hashFunc, sigType)
-	if err != nil {
-		return nil, err
-	}
-
-	if _, err := io.Copy(wrappedHash, signed); err != nil && err != io.EOF {
-		return nil, err
-	}
-
-	for _, key := range keys {
-		switch sig := p.(type) {
-		case *packet.Signature:
-			err = key.PublicKey.VerifySignature(h, sig)
-		case *packet.SignatureV3:
-			err = key.PublicKey.VerifySignatureV3(h, sig)
-		default:
-			panic("unreachable")
-		}
-
-		if err == nil {
-			return key.Entity, nil
-		}
-	}
-
-	return nil, err
-}
-
-// CheckArmoredDetachedSignature performs the same actions as
-// CheckDetachedSignature but expects the signature to be armored.
-func CheckArmoredDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) {
-	body, err := readArmored(signature, SignatureType)
-	if err != nil {
-		return
-	}
-
-	return CheckDetachedSignature(keyring, signed, body)
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/read_test.go b/vendor/golang.org/x/crypto/openpgp/read_test.go
deleted file mode 100644
index 1fbfbac4..00000000
--- a/vendor/golang.org/x/crypto/openpgp/read_test.go
+++ /dev/null
@@ -1,613 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package openpgp
-
-import (
-	"bytes"
-	_ "crypto/sha512"
-	"encoding/hex"
-	"io"
-	"io/ioutil"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/openpgp/armor"
-	"golang.org/x/crypto/openpgp/errors"
-)
-
-func readerFromHex(s string) io.Reader {
-	data, err := hex.DecodeString(s)
-	if err != nil {
-		panic("readerFromHex: bad input")
-	}
-	return bytes.NewBuffer(data)
-}
-
-func TestReadKeyRing(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(testKeys1And2Hex))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	if len(kring) != 2 || uint32(kring[0].PrimaryKey.KeyId) != 0xC20C31BB || uint32(kring[1].PrimaryKey.KeyId) != 0x1E35246B {
-		t.Errorf("bad keyring: %#v", kring)
-	}
-}
-
-func TestRereadKeyRing(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(testKeys1And2Hex))
-	if err != nil {
-		t.Errorf("error in initial parse: %s", err)
-		return
-	}
-	out := new(bytes.Buffer)
-	err = kring[0].Serialize(out)
-	if err != nil {
-		t.Errorf("error in serialization: %s", err)
-		return
-	}
-	kring, err = ReadKeyRing(out)
-	if err != nil {
-		t.Errorf("error in second parse: %s", err)
-		return
-	}
-
-	if len(kring) != 1 || uint32(kring[0].PrimaryKey.KeyId) != 0xC20C31BB {
-		t.Errorf("bad keyring: %#v", kring)
-	}
-}
-
-func TestReadPrivateKeyRing(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(testKeys1And2PrivateHex))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	if len(kring) != 2 || uint32(kring[0].PrimaryKey.KeyId) != 0xC20C31BB || uint32(kring[1].PrimaryKey.KeyId) != 0x1E35246B || kring[0].PrimaryKey == nil {
-		t.Errorf("bad keyring: %#v", kring)
-	}
-}
-
-func TestReadDSAKey(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(dsaTestKeyHex))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	if len(kring) != 1 || uint32(kring[0].PrimaryKey.KeyId) != 0x0CCC0360 {
-		t.Errorf("bad parse: %#v", kring)
-	}
-}
-
-func TestReadP256Key(t *testing.T) {
-	kring, err := ReadKeyRing(readerFromHex(p256TestKeyHex))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	if len(kring) != 1 || uint32(kring[0].PrimaryKey.KeyId) != 0x5918513E {
-		t.Errorf("bad parse: %#v", kring)
-	}
-}
-
-func TestDSAHashTruncatation(t *testing.T) {
-	// dsaKeyWithSHA512 was generated with GnuPG and --cert-digest-algo
-	// SHA512 in order to require DSA hash truncation to verify correctly.
-	_, err := ReadKeyRing(readerFromHex(dsaKeyWithSHA512))
-	if err != nil {
-		t.Error(err)
-	}
-}
-
-func TestGetKeyById(t *testing.T) {
-	kring, _ := ReadKeyRing(readerFromHex(testKeys1And2Hex))
-
-	keys := kring.KeysById(0xa34d7e18c20c31bb)
-	if len(keys) != 1 || keys[0].Entity != kring[0] {
-		t.Errorf("bad result for 0xa34d7e18c20c31bb: %#v", keys)
-	}
-
-	keys = kring.KeysById(0xfd94408d4543314f)
-	if len(keys) != 1 || keys[0].Entity != kring[0] {
-		t.Errorf("bad result for 0xa34d7e18c20c31bb: %#v", keys)
-	}
-}
-
-func checkSignedMessage(t *testing.T, signedHex, expected string) {
-	kring, _ := ReadKeyRing(readerFromHex(testKeys1And2Hex))
-
-	md, err := ReadMessage(readerFromHex(signedHex), kring, nil, nil)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	if !md.IsSigned || md.SignedByKeyId != 0xa34d7e18c20c31bb || md.SignedBy == nil || md.IsEncrypted || md.IsSymmetricallyEncrypted || len(md.EncryptedToKeyIds) != 0 || md.IsSymmetricallyEncrypted {
-		t.Errorf("bad MessageDetails: %#v", md)
-	}
-
-	contents, err := ioutil.ReadAll(md.UnverifiedBody)
-	if err != nil {
-		t.Errorf("error reading UnverifiedBody: %s", err)
-	}
-	if string(contents) != expected {
-		t.Errorf("bad UnverifiedBody got:%s want:%s", string(contents), expected)
-	}
-	if md.SignatureError != nil || md.Signature == nil {
-		t.Errorf("failed to validate: %s", md.SignatureError)
-	}
-}
-
-func TestSignedMessage(t *testing.T) {
-	checkSignedMessage(t, signedMessageHex, signedInput)
-}
-
-func TestTextSignedMessage(t *testing.T) {
-	checkSignedMessage(t, signedTextMessageHex, signedTextInput)
-}
-
-// The reader should detect "compressed quines", which are compressed
-// packets that expand into themselves and cause an infinite recursive
-// parsing loop.
-// The packet in this test case comes from Taylor R. Campbell at
-// http://mumble.net/~campbell/misc/pgp-quine/
-func TestCampbellQuine(t *testing.T) {
-	md, err := ReadMessage(readerFromHex(campbellQuine), nil, nil, nil)
-	if md != nil {
-		t.Errorf("Reading a compressed quine should not return any data: %#v", md)
-	}
-	structural, ok := err.(errors.StructuralError)
-	if !ok {
-		t.Fatalf("Unexpected class of error: %T", err)
-	}
-	if !strings.Contains(string(structural), "too many layers of packets") {
-		t.Fatalf("Unexpected error: %s", err)
-	}
-}
-
-var signedEncryptedMessageTests = []struct {
-	keyRingHex       string
-	messageHex       string
-	signedByKeyId    uint64
-	encryptedToKeyId uint64
-}{
-	{
-		testKeys1And2PrivateHex,
-		signedEncryptedMessageHex,
-		0xa34d7e18c20c31bb,
-		0x2a67d68660df41c7,
-	},
-	{
-		dsaElGamalTestKeysHex,
-		signedEncryptedMessage2Hex,
-		0x33af447ccd759b09,
-		0xcf6a7abcd43e3673,
-	},
-}
-
-func TestSignedEncryptedMessage(t *testing.T) {
-	for i, test := range signedEncryptedMessageTests {
-		expected := "Signed and encrypted message\n"
-		kring, _ := ReadKeyRing(readerFromHex(test.keyRingHex))
-		prompt := func(keys []Key, symmetric bool) ([]byte, error) {
-			if symmetric {
-				t.Errorf("prompt: message was marked as symmetrically encrypted")
-				return nil, errors.ErrKeyIncorrect
-			}
-
-			if len(keys) == 0 {
-				t.Error("prompt: no keys requested")
-				return nil, errors.ErrKeyIncorrect
-			}
-
-			err := keys[0].PrivateKey.Decrypt([]byte("passphrase"))
-			if err != nil {
-				t.Errorf("prompt: error decrypting key: %s", err)
-				return nil, errors.ErrKeyIncorrect
-			}
-
-			return nil, nil
-		}
-
-		md, err := ReadMessage(readerFromHex(test.messageHex), kring, prompt, nil)
-		if err != nil {
-			t.Errorf("#%d: error reading message: %s", i, err)
-			return
-		}
-
-		if !md.IsSigned || md.SignedByKeyId != test.signedByKeyId || md.SignedBy == nil || !md.IsEncrypted || md.IsSymmetricallyEncrypted || len(md.EncryptedToKeyIds) == 0 || md.EncryptedToKeyIds[0] != test.encryptedToKeyId {
-			t.Errorf("#%d: bad MessageDetails: %#v", i, md)
-		}
-
-		contents, err := ioutil.ReadAll(md.UnverifiedBody)
-		if err != nil {
-			t.Errorf("#%d: error reading UnverifiedBody: %s", i, err)
-		}
-		if string(contents) != expected {
-			t.Errorf("#%d: bad UnverifiedBody got:%s want:%s", i, string(contents), expected)
-		}
-
-		if md.SignatureError != nil || md.Signature == nil {
-			t.Errorf("#%d: failed to validate: %s", i, md.SignatureError)
-		}
-	}
-}
-
-func TestUnspecifiedRecipient(t *testing.T) {
-	expected := "Recipient unspecified\n"
-	kring, _ := ReadKeyRing(readerFromHex(testKeys1And2PrivateHex))
-
-	md, err := ReadMessage(readerFromHex(recipientUnspecifiedHex), kring, nil, nil)
-	if err != nil {
-		t.Errorf("error reading message: %s", err)
-		return
-	}
-
-	contents, err := ioutil.ReadAll(md.UnverifiedBody)
-	if err != nil {
-		t.Errorf("error reading UnverifiedBody: %s", err)
-	}
-	if string(contents) != expected {
-		t.Errorf("bad UnverifiedBody got:%s want:%s", string(contents), expected)
-	}
-}
-
-func TestSymmetricallyEncrypted(t *testing.T) {
-	firstTimeCalled := true
-
-	prompt := func(keys []Key, symmetric bool) ([]byte, error) {
-		if len(keys) != 0 {
-			t.Errorf("prompt: len(keys) = %d (want 0)", len(keys))
-		}
-
-		if !symmetric {
-			t.Errorf("symmetric is not set")
-		}
-
-		if firstTimeCalled {
-			firstTimeCalled = false
-			return []byte("wrongpassword"), nil
-		}
-
-		return []byte("password"), nil
-	}
-
-	md, err := ReadMessage(readerFromHex(symmetricallyEncryptedCompressedHex), nil, prompt, nil)
-	if err != nil {
-		t.Errorf("ReadMessage: %s", err)
-		return
-	}
-
-	contents, err := ioutil.ReadAll(md.UnverifiedBody)
-	if err != nil {
-		t.Errorf("ReadAll: %s", err)
-	}
-
-	expectedCreationTime := uint32(1295992998)
-	if md.LiteralData.Time != expectedCreationTime {
-		t.Errorf("LiteralData.Time is %d, want %d", md.LiteralData.Time, expectedCreationTime)
-	}
-
-	const expected = "Symmetrically encrypted.\n"
-	if string(contents) != expected {
-		t.Errorf("contents got: %s want: %s", string(contents), expected)
-	}
-}
-
-func testDetachedSignature(t *testing.T, kring KeyRing, signature io.Reader, sigInput, tag string, expectedSignerKeyId uint64) {
-	signed := bytes.NewBufferString(sigInput)
-	signer, err := CheckDetachedSignature(kring, signed, signature)
-	if err != nil {
-		t.Errorf("%s: signature error: %s", tag, err)
-		return
-	}
-	if signer == nil {
-		t.Errorf("%s: signer is nil", tag)
-		return
-	}
-	if signer.PrimaryKey.KeyId != expectedSignerKeyId {
-		t.Errorf("%s: wrong signer got:%x want:%x", tag, signer.PrimaryKey.KeyId, expectedSignerKeyId)
-	}
-}
-
-func TestDetachedSignature(t *testing.T) {
-	kring, _ := ReadKeyRing(readerFromHex(testKeys1And2Hex))
-	testDetachedSignature(t, kring, readerFromHex(detachedSignatureHex), signedInput, "binary", testKey1KeyId)
-	testDetachedSignature(t, kring, readerFromHex(detachedSignatureTextHex), signedInput, "text", testKey1KeyId)
-	testDetachedSignature(t, kring, readerFromHex(detachedSignatureV3TextHex), signedInput, "v3", testKey1KeyId)
-
-	incorrectSignedInput := signedInput + "X"
-	_, err := CheckDetachedSignature(kring, bytes.NewBufferString(incorrectSignedInput), readerFromHex(detachedSignatureHex))
-	if err == nil {
-		t.Fatal("CheckDetachedSignature returned without error for bad signature")
-	}
-	if err == errors.ErrUnknownIssuer {
-		t.Fatal("CheckDetachedSignature returned ErrUnknownIssuer when the signer was known, but the signature invalid")
-	}
-}
-
-func TestDetachedSignatureDSA(t *testing.T) {
-	kring, _ := ReadKeyRing(readerFromHex(dsaTestKeyHex))
-	testDetachedSignature(t, kring, readerFromHex(detachedSignatureDSAHex), signedInput, "binary", testKey3KeyId)
-}
-
-func TestMultipleSignaturePacketsDSA(t *testing.T) {
-	kring, _ := ReadKeyRing(readerFromHex(dsaTestKeyHex))
-	testDetachedSignature(t, kring, readerFromHex(missingHashFunctionHex+detachedSignatureDSAHex), signedInput, "binary", testKey3KeyId)
-}
-
-func TestDetachedSignatureP256(t *testing.T) {
-	kring, _ := ReadKeyRing(readerFromHex(p256TestKeyHex))
-	testDetachedSignature(t, kring, readerFromHex(detachedSignatureP256Hex), signedInput, "binary", testKeyP256KeyId)
-}
-
-func testHashFunctionError(t *testing.T, signatureHex string) {
-	kring, _ := ReadKeyRing(readerFromHex(testKeys1And2Hex))
-	_, err := CheckDetachedSignature(kring, nil, readerFromHex(signatureHex))
-	if err == nil {
-		t.Fatal("Packet with bad hash type was correctly parsed")
-	}
-	unsupported, ok := err.(errors.UnsupportedError)
-	if !ok {
-		t.Fatalf("Unexpected class of error: %s", err)
-	}
-	if !strings.Contains(string(unsupported), "hash ") {
-		t.Fatalf("Unexpected error: %s", err)
-	}
-}
-
-func TestUnknownHashFunction(t *testing.T) {
-	// unknownHashFunctionHex contains a signature packet with hash
-	// function type 153 (which isn't a real hash function id).
-	testHashFunctionError(t, unknownHashFunctionHex)
-}
-
-func TestMissingHashFunction(t *testing.T) {
-	// missingHashFunctionHex contains a signature packet that uses
-	// RIPEMD160, which isn't compiled in.  Since that's the only signature
-	// packet we don't find any suitable packets and end up with ErrUnknownIssuer
-	kring, _ := ReadKeyRing(readerFromHex(testKeys1And2Hex))
-	_, err := CheckDetachedSignature(kring, nil, readerFromHex(missingHashFunctionHex))
-	if err == nil {
-		t.Fatal("Packet with missing hash type was correctly parsed")
-	}
-	if err != errors.ErrUnknownIssuer {
-		t.Fatalf("Unexpected class of error: %s", err)
-	}
-}
-
-func TestReadingArmoredPrivateKey(t *testing.T) {
-	el, err := ReadArmoredKeyRing(bytes.NewBufferString(armoredPrivateKeyBlock))
-	if err != nil {
-		t.Error(err)
-	}
-	if len(el) != 1 {
-		t.Errorf("got %d entities, wanted 1\n", len(el))
-	}
-}
-
-func TestReadingArmoredPublicKey(t *testing.T) {
-	el, err := ReadArmoredKeyRing(bytes.NewBufferString(e2ePublicKey))
-	if err != nil {
-		t.Error(err)
-	}
-	if len(el) != 1 {
-		t.Errorf("didn't get a valid entity")
-	}
-}
-
-func TestNoArmoredData(t *testing.T) {
-	_, err := ReadArmoredKeyRing(bytes.NewBufferString("foo"))
-	if _, ok := err.(errors.InvalidArgumentError); !ok {
-		t.Errorf("error was not an InvalidArgumentError: %s", err)
-	}
-}
-
-func testReadMessageError(t *testing.T, messageHex string) {
-	buf, err := hex.DecodeString(messageHex)
-	if err != nil {
-		t.Errorf("hex.DecodeString(): %v", err)
-	}
-
-	kr, err := ReadKeyRing(new(bytes.Buffer))
-	if err != nil {
-		t.Errorf("ReadKeyring(): %v", err)
-	}
-
-	_, err = ReadMessage(bytes.NewBuffer(buf), kr,
-		func([]Key, bool) ([]byte, error) {
-			return []byte("insecure"), nil
-		}, nil)
-
-	if err == nil {
-		t.Errorf("ReadMessage(): Unexpected nil error")
-	}
-}
-
-func TestIssue11503(t *testing.T) {
-	testReadMessageError(t, "8c040402000aa430aa8228b9248b01fc899a91197130303030")
-}
-
-func TestIssue11504(t *testing.T) {
-	testReadMessageError(t, "9303000130303030303030303030983002303030303030030000000130")
-}
-
-// TestSignatureV3Message tests the verification of V3 signature, generated
-// with a modern V4-style key.  Some people have their clients set to generate
-// V3 signatures, so it's useful to be able to verify them.
-func TestSignatureV3Message(t *testing.T) {
-	sig, err := armor.Decode(strings.NewReader(signedMessageV3))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	key, err := ReadArmoredKeyRing(strings.NewReader(keyV4forVerifyingSignedMessageV3))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	md, err := ReadMessage(sig.Body, key, nil, nil)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	_, err = ioutil.ReadAll(md.UnverifiedBody)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	// We'll see a sig error here after reading in the UnverifiedBody above,
-	// if there was one to see.
-	if err = md.SignatureError; err != nil {
-		t.Error(err)
-		return
-	}
-
-	if md.SignatureV3 == nil {
-		t.Errorf("No available signature after checking signature")
-		return
-	}
-	if md.Signature != nil {
-		t.Errorf("Did not expect a signature V4 back")
-		return
-	}
-	return
-}
-
-const testKey1KeyId = 0xA34D7E18C20C31BB
-const testKey3KeyId = 0x338934250CCC0360
-const testKeyP256KeyId = 0xd44a2c495918513e
-
-const signedInput = "Signed message\nline 2\nline 3\n"
-const signedTextInput = "Signed message\r\nline 2\r\nline 3\r\n"
-
-const recipientUnspecifiedHex = "848c0300000000000000000103ff62d4d578d03cf40c3da998dfe216c074fa6ddec5e31c197c9666ba292830d91d18716a80f699f9d897389a90e6d62d0238f5f07a5248073c0f24920e4bc4a30c2d17ee4e0cae7c3d4aaa4e8dced50e3010a80ee692175fa0385f62ecca4b56ee6e9980aa3ec51b61b077096ac9e800edaf161268593eedb6cc7027ff5cb32745d250010d407a6221ae22ef18469b444f2822478c4d190b24d36371a95cb40087cdd42d9399c3d06a53c0673349bfb607927f20d1e122bde1e2bf3aa6cae6edf489629bcaa0689539ae3b718914d88ededc3b"
-
-const detachedSignatureHex = "889c04000102000605024d449cd1000a0910a34d7e18c20c31bb167603ff57718d09f28a519fdc7b5a68b6a3336da04df85e38c5cd5d5bd2092fa4629848a33d85b1729402a2aab39c3ac19f9d573f773cc62c264dc924c067a79dfd8a863ae06c7c8686120760749f5fd9b1e03a64d20a7df3446ddc8f0aeadeaeba7cbaee5c1e366d65b6a0c6cc749bcb912d2f15013f812795c2e29eb7f7b77f39ce77"
-
-const detachedSignatureTextHex = "889c04010102000605024d449d21000a0910a34d7e18c20c31bbc8c60400a24fbef7342603a41cb1165767bd18985d015fb72fe05db42db36cfb2f1d455967f1e491194fbf6cf88146222b23bf6ffbd50d17598d976a0417d3192ff9cc0034fd00f287b02e90418bbefe609484b09231e4e7a5f3562e199bf39909ab5276c4d37382fe088f6b5c3426fc1052865da8b3ab158672d58b6264b10823dc4b39"
-
-const detachedSignatureV3TextHex = "8900950305005255c25ca34d7e18c20c31bb0102bb3f04009f6589ef8a028d6e54f6eaf25432e590d31c3a41f4710897585e10c31e5e332c7f9f409af8512adceaff24d0da1474ab07aa7bce4f674610b010fccc5b579ae5eb00a127f272fb799f988ab8e4574c141da6dbfecfef7e6b2c478d9a3d2551ba741f260ee22bec762812f0053e05380bfdd55ad0f22d8cdf71b233fe51ae8a24"
-
-const detachedSignatureDSAHex = "884604001102000605024d6c4eac000a0910338934250ccc0360f18d00a087d743d6405ed7b87755476629600b8b694a39e900a0abff8126f46faf1547c1743c37b21b4ea15b8f83"
-
-const detachedSignatureP256Hex = "885e0400130a0006050256e5bb00000a0910d44a2c495918513edef001009841a4f792beb0befccb35c8838a6a87d9b936beaa86db6745ddc7b045eee0cf00fd1ac1f78306b17e965935dd3f8bae4587a76587e4af231efe19cc4011a8434817"
-
-const testKeys1And2Hex = "988d044d3c5c10010400b1d13382944bd5aba23a4312968b5095d14f947f600eb478e14a6fcb16b0e0cac764884909c020bc495cfcc39a935387c661507bdb236a0612fb582cac3af9b29cc2c8c70090616c41b662f4da4c1201e195472eb7f4ae1ccbcbf9940fe21d985e379a5563dde5b9a23d35f1cfaa5790da3b79db26f23695107bfaca8e7b5bcd0011010001b41054657374204b6579203120285253412988b804130102002205024d3c5c10021b03060b090807030206150802090a0b0416020301021e01021780000a0910a34d7e18c20c31bbb5b304009cc45fe610b641a2c146331be94dade0a396e73ca725e1b25c21708d9cab46ecca5ccebc23055879df8f99eea39b377962a400f2ebdc36a7c99c333d74aeba346315137c3ff9d0a09b0273299090343048afb8107cf94cbd1400e3026f0ccac7ecebbc4d78588eb3e478fe2754d3ca664bcf3eac96ca4a6b0c8d7df5102f60f6b0020003b88d044d3c5c10010400b201df61d67487301f11879d514f4248ade90c8f68c7af1284c161098de4c28c2850f1ec7b8e30f959793e571542ffc6532189409cb51c3d30dad78c4ad5165eda18b20d9826d8707d0f742e2ab492103a85bbd9ddf4f5720f6de7064feb0d39ee002219765bb07bcfb8b877f47abe270ddeda4f676108cecb6b9bb2ad484a4f0011010001889f04180102000905024d3c5c10021b0c000a0910a34d7e18c20c31bb1a03040085c8d62e16d05dc4e9dad64953c8a2eed8b6c12f92b1575eeaa6dcf7be9473dd5b24b37b6dffbb4e7c99ed1bd3cb11634be19b3e6e207bed7505c7ca111ccf47cb323bf1f8851eb6360e8034cbff8dd149993c959de89f8f77f38e7e98b8e3076323aa719328e2b408db5ec0d03936efd57422ba04f925cdc7b4c1af7590e40ab0020003988d044d3c5c33010400b488c3e5f83f4d561f317817538d9d0397981e9aef1321ca68ebfae1cf8b7d388e19f4b5a24a82e2fbbf1c6c26557a6c5845307a03d815756f564ac7325b02bc83e87d5480a8fae848f07cb891f2d51ce7df83dcafdc12324517c86d472cc0ee10d47a68fd1d9ae49a6c19bbd36d82af597a0d88cc9c49de9df4e696fc1f0b5d0011010001b42754657374204b6579203220285253412c20656e637279707465642070726976617465206b65792988b804130102002205024d3c5c33021b03060b090807030206150802090a0b0416020301021e01021780000a0910d4984f961e35246b98940400908a73b6a6169f700434f076c6c79015a49bee37130eaf23aaa3cfa9ce60bfe4acaa7bc95f1146ada5867e0079babb38804891f4f0b8ebca57a86b249dee786161a755b7a342e68ccf3f78ed6440a93a6626beb9a37aa66afcd4f888790cb4bb46d94a4ae3eb3d7d3e6b00f6bfec940303e89ec5b32a1eaaacce66497d539328b0020003b88d044d3c5c33010400a4e913f9442abcc7f1804ccab27d2f787ffa592077ca935a8bb23165bd8d57576acac647cc596b2c3f814518cc8c82953c7a4478f32e0cf645630a5ba38d9618ef2bc3add69d459ae3dece5cab778938d988239f8c5ae437807075e06c828019959c644ff05ef6a5a1dab72227c98e3a040b0cf219026640698d7a13d8538a570011010001889f04180102000905024d3c5c33021b0c000a0910d4984f961e35246b26c703ff7ee29ef53bc1ae1ead533c408fa136db508434e233d6e62be621e031e5940bbd4c08142aed0f82217e7c3e1ec8de574bc06ccf3c36633be41ad78a9eacd209f861cae7b064100758545cc9dd83db71806dc1cfd5fb9ae5c7474bba0c19c44034ae61bae5eca379383339dece94ff56ff7aa44a582f3e5c38f45763af577c0934b0020003"
-
-const testKeys1And2PrivateHex = "9501d8044d3c5c10010400b1d13382944bd5aba23a4312968b5095d14f947f600eb478e14a6fcb16b0e0cac764884909c020bc495cfcc39a935387c661507bdb236a0612fb582cac3af9b29cc2c8c70090616c41b662f4da4c1201e195472eb7f4ae1ccbcbf9940fe21d985e379a5563dde5b9a23d35f1cfaa5790da3b79db26f23695107bfaca8e7b5bcd00110100010003ff4d91393b9a8e3430b14d6209df42f98dc927425b881f1209f319220841273a802a97c7bdb8b3a7740b3ab5866c4d1d308ad0d3a79bd1e883aacf1ac92dfe720285d10d08752a7efe3c609b1d00f17f2805b217be53999a7da7e493bfc3e9618fd17018991b8128aea70a05dbce30e4fbe626aa45775fa255dd9177aabf4df7cf0200c1ded12566e4bc2bb590455e5becfb2e2c9796482270a943343a7835de41080582c2be3caf5981aa838140e97afa40ad652a0b544f83eb1833b0957dce26e47b0200eacd6046741e9ce2ec5beb6fb5e6335457844fb09477f83b050a96be7da043e17f3a9523567ed40e7a521f818813a8b8a72209f1442844843ccc7eb9805442570200bdafe0438d97ac36e773c7162028d65844c4d463e2420aa2228c6e50dc2743c3d6c72d0d782a5173fe7be2169c8a9f4ef8a7cf3e37165e8c61b89c346cdc6c1799d2b41054657374204b6579203120285253412988b804130102002205024d3c5c10021b03060b090807030206150802090a0b0416020301021e01021780000a0910a34d7e18c20c31bbb5b304009cc45fe610b641a2c146331be94dade0a396e73ca725e1b25c21708d9cab46ecca5ccebc23055879df8f99eea39b377962a400f2ebdc36a7c99c333d74aeba346315137c3ff9d0a09b0273299090343048afb8107cf94cbd1400e3026f0ccac7ecebbc4d78588eb3e478fe2754d3ca664bcf3eac96ca4a6b0c8d7df5102f60f6b00200009d01d8044d3c5c10010400b201df61d67487301f11879d514f4248ade90c8f68c7af1284c161098de4c28c2850f1ec7b8e30f959793e571542ffc6532189409cb51c3d30dad78c4ad5165eda18b20d9826d8707d0f742e2ab492103a85bbd9ddf4f5720f6de7064feb0d39ee002219765bb07bcfb8b877f47abe270ddeda4f676108cecb6b9bb2ad484a4f00110100010003fd17a7490c22a79c59281fb7b20f5e6553ec0c1637ae382e8adaea295f50241037f8997cf42c1ce26417e015091451b15424b2c59eb8d4161b0975630408e394d3b00f88d4b4e18e2cc85e8251d4753a27c639c83f5ad4a571c4f19d7cd460b9b73c25ade730c99df09637bd173d8e3e981ac64432078263bb6dc30d3e974150dd0200d0ee05be3d4604d2146fb0457f31ba17c057560785aa804e8ca5530a7cd81d3440d0f4ba6851efcfd3954b7e68908fc0ba47f7ac37bf559c6c168b70d3a7c8cd0200da1c677c4bce06a068070f2b3733b0a714e88d62aa3f9a26c6f5216d48d5c2b5624144f3807c0df30be66b3268eeeca4df1fbded58faf49fc95dc3c35f134f8b01fd1396b6c0fc1b6c4f0eb8f5e44b8eace1e6073e20d0b8bc5385f86f1cf3f050f66af789f3ef1fc107b7f4421e19e0349c730c68f0a226981f4e889054fdb4dc149e8e889f04180102000905024d3c5c10021b0c000a0910a34d7e18c20c31bb1a03040085c8d62e16d05dc4e9dad64953c8a2eed8b6c12f92b1575eeaa6dcf7be9473dd5b24b37b6dffbb4e7c99ed1bd3cb11634be19b3e6e207bed7505c7ca111ccf47cb323bf1f8851eb6360e8034cbff8dd149993c959de89f8f77f38e7e98b8e3076323aa719328e2b408db5ec0d03936efd57422ba04f925cdc7b4c1af7590e40ab00200009501fe044d3c5c33010400b488c3e5f83f4d561f317817538d9d0397981e9aef1321ca68ebfae1cf8b7d388e19f4b5a24a82e2fbbf1c6c26557a6c5845307a03d815756f564ac7325b02bc83e87d5480a8fae848f07cb891f2d51ce7df83dcafdc12324517c86d472cc0ee10d47a68fd1d9ae49a6c19bbd36d82af597a0d88cc9c49de9df4e696fc1f0b5d0011010001fe030302e9030f3c783e14856063f16938530e148bc57a7aa3f3e4f90df9dceccdc779bc0835e1ad3d006e4a8d7b36d08b8e0de5a0d947254ecfbd22037e6572b426bcfdc517796b224b0036ff90bc574b5509bede85512f2eefb520fb4b02aa523ba739bff424a6fe81c5041f253f8d757e69a503d3563a104d0d49e9e890b9d0c26f96b55b743883b472caa7050c4acfd4a21f875bdf1258d88bd61224d303dc9df77f743137d51e6d5246b88c406780528fd9a3e15bab5452e5b93970d9dcc79f48b38651b9f15bfbcf6da452837e9cc70683d1bdca94507870f743e4ad902005812488dd342f836e72869afd00ce1850eea4cfa53ce10e3608e13d3c149394ee3cbd0e23d018fcbcb6e2ec5a1a22972d1d462ca05355d0d290dd2751e550d5efb38c6c89686344df64852bf4ff86638708f644e8ec6bd4af9b50d8541cb91891a431326ab2e332faa7ae86cfb6e0540aa63160c1e5cdd5a4add518b303fff0a20117c6bc77f7cfbaf36b04c865c6c2b42754657374204b6579203220285253412c20656e637279707465642070726976617465206b65792988b804130102002205024d3c5c33021b03060b090807030206150802090a0b0416020301021e01021780000a0910d4984f961e35246b98940400908a73b6a6169f700434f076c6c79015a49bee37130eaf23aaa3cfa9ce60bfe4acaa7bc95f1146ada5867e0079babb38804891f4f0b8ebca57a86b249dee786161a755b7a342e68ccf3f78ed6440a93a6626beb9a37aa66afcd4f888790cb4bb46d94a4ae3eb3d7d3e6b00f6bfec940303e89ec5b32a1eaaacce66497d539328b00200009d01fe044d3c5c33010400a4e913f9442abcc7f1804ccab27d2f787ffa592077ca935a8bb23165bd8d57576acac647cc596b2c3f814518cc8c82953c7a4478f32e0cf645630a5ba38d9618ef2bc3add69d459ae3dece5cab778938d988239f8c5ae437807075e06c828019959c644ff05ef6a5a1dab72227c98e3a040b0cf219026640698d7a13d8538a570011010001fe030302e9030f3c783e148560f936097339ae381d63116efcf802ff8b1c9360767db5219cc987375702a4123fd8657d3e22700f23f95020d1b261eda5257e9a72f9a918e8ef22dd5b3323ae03bbc1923dd224db988cadc16acc04b120a9f8b7e84da9716c53e0334d7b66586ddb9014df604b41be1e960dcfcbc96f4ed150a1a0dd070b9eb14276b9b6be413a769a75b519a53d3ecc0c220e85cd91ca354d57e7344517e64b43b6e29823cbd87eae26e2b2e78e6dedfbb76e3e9f77bcb844f9a8932eb3db2c3f9e44316e6f5d60e9e2a56e46b72abe6b06dc9a31cc63f10023d1f5e12d2a3ee93b675c96f504af0001220991c88db759e231b3320dcedf814dcf723fd9857e3d72d66a0f2af26950b915abdf56c1596f46a325bf17ad4810d3535fb02a259b247ac3dbd4cc3ecf9c51b6c07cebb009c1506fba0a89321ec8683e3fd009a6e551d50243e2d5092fefb3321083a4bad91320dc624bd6b5dddf93553e3d53924c05bfebec1fb4bd47e89a1a889f04180102000905024d3c5c33021b0c000a0910d4984f961e35246b26c703ff7ee29ef53bc1ae1ead533c408fa136db508434e233d6e62be621e031e5940bbd4c08142aed0f82217e7c3e1ec8de574bc06ccf3c36633be41ad78a9eacd209f861cae7b064100758545cc9dd83db71806dc1cfd5fb9ae5c7474bba0c19c44034ae61bae5eca379383339dece94ff56ff7aa44a582f3e5c38f45763af577c0934b0020000"
-
-const dsaElGamalTestKeysHex = "9501e1044dfcb16a110400aa3e5c1a1f43dd28c2ffae8abf5cfce555ee874134d8ba0a0f7b868ce2214beddc74e5e1e21ded354a95d18acdaf69e5e342371a71fbb9093162e0c5f3427de413a7f2c157d83f5cd2f9d791256dc4f6f0e13f13c3302af27f2384075ab3021dff7a050e14854bbde0a1094174855fc02f0bae8e00a340d94a1f22b32e48485700a0cec672ac21258fb95f61de2ce1af74b2c4fa3e6703ff698edc9be22c02ae4d916e4fa223f819d46582c0516235848a77b577ea49018dcd5e9e15cff9dbb4663a1ae6dd7580fa40946d40c05f72814b0f88481207e6c0832c3bded4853ebba0a7e3bd8e8c66df33d5a537cd4acf946d1080e7a3dcea679cb2b11a72a33a2b6a9dc85f466ad2ddf4c3db6283fa645343286971e3dd700703fc0c4e290d45767f370831a90187e74e9972aae5bff488eeff7d620af0362bfb95c1a6c3413ab5d15a2e4139e5d07a54d72583914661ed6a87cce810be28a0aa8879a2dd39e52fb6fe800f4f181ac7e328f740cde3d09a05cecf9483e4cca4253e60d4429ffd679d9996a520012aad119878c941e3cf151459873bdfc2a9563472fe0303027a728f9feb3b864260a1babe83925ce794710cfd642ee4ae0e5b9d74cee49e9c67b6cd0ea5dfbb582132195a121356a1513e1bca73e5b80c58c7ccb4164453412f456c47616d616c2054657374204b65792031886204131102002205024dfcb16a021b03060b090807030206150802090a0b0416020301021e01021780000a091033af447ccd759b09fadd00a0b8fd6f5a790bad7e9f2dbb7632046dc4493588db009c087c6a9ba9f7f49fab221587a74788c00db4889ab00200009d0157044dfcb16a1004008dec3f9291205255ccff8c532318133a6840739dd68b03ba942676f9038612071447bf07d00d559c5c0875724ea16a4c774f80d8338b55fca691a0522e530e604215b467bbc9ccfd483a1da99d7bc2648b4318fdbd27766fc8bfad3fddb37c62b8ae7ccfe9577e9b8d1e77c1d417ed2c2ef02d52f4da11600d85d3229607943700030503ff506c94c87c8cab778e963b76cf63770f0a79bf48fb49d3b4e52234620fc9f7657f9f8d56c96a2b7c7826ae6b57ebb2221a3fe154b03b6637cea7e6d98e3e45d87cf8dc432f723d3d71f89c5192ac8d7290684d2c25ce55846a80c9a7823f6acd9bb29fa6cd71f20bc90eccfca20451d0c976e460e672b000df49466408d527affe0303027a728f9feb3b864260abd761730327bca2aaa4ea0525c175e92bf240682a0e83b226f97ecb2e935b62c9a133858ce31b271fa8eb41f6a1b3cd72a63025ce1a75ee4180dcc284884904181102000905024dfcb16a021b0c000a091033af447ccd759b09dd0b009e3c3e7296092c81bee5a19929462caaf2fff3ae26009e218c437a2340e7ea628149af1ec98ec091a43992b00200009501e1044dfcb1be1104009f61faa61aa43df75d128cbe53de528c4aec49ce9360c992e70c77072ad5623de0a3a6212771b66b39a30dad6781799e92608316900518ec01184a85d872365b7d2ba4bacfb5882ea3c2473d3750dc6178cc1cf82147fb58caa28b28e9f12f6d1efcb0534abed644156c91cca4ab78834268495160b2400bc422beb37d237c2300a0cac94911b6d493bda1e1fbc6feeca7cb7421d34b03fe22cec6ccb39675bb7b94a335c2b7be888fd3906a1125f33301d8aa6ec6ee6878f46f73961c8d57a3e9544d8ef2a2cbfd4d52da665b1266928cfe4cb347a58c412815f3b2d2369dec04b41ac9a71cc9547426d5ab941cccf3b18575637ccfb42df1a802df3cfe0a999f9e7109331170e3a221991bf868543960f8c816c28097e503fe319db10fb98049f3a57d7c80c420da66d56f3644371631fad3f0ff4040a19a4fedc2d07727a1b27576f75a4d28c47d8246f27071e12d7a8de62aad216ddbae6aa02efd6b8a3e2818cda48526549791ab277e447b3a36c57cefe9b592f5eab73959743fcc8e83cbefec03a329b55018b53eec196765ae40ef9e20521a603c551efe0303020950d53a146bf9c66034d00c23130cce95576a2ff78016ca471276e8227fb30b1ffbd92e61804fb0c3eff9e30b1a826ee8f3e4730b4d86273ca977b4164453412f456c47616d616c2054657374204b65792032886204131102002205024dfcb1be021b03060b090807030206150802090a0b0416020301021e01021780000a0910a86bf526325b21b22bd9009e34511620415c974750a20df5cb56b182f3b48e6600a0a9466cb1a1305a84953445f77d461593f1d42bc1b00200009d0157044dfcb1be1004009565a951da1ee87119d600c077198f1c1bceb0f7aa54552489298e41ff788fa8f0d43a69871f0f6f77ebdfb14a4260cf9fbeb65d5844b4272a1904dd95136d06c3da745dc46327dd44a0f16f60135914368c8039a34033862261806bb2c5ce1152e2840254697872c85441ccb7321431d75a747a4bfb1d2c66362b51ce76311700030503fc0ea76601c196768070b7365a200e6ddb09307f262d5f39eec467b5f5784e22abdf1aa49226f59ab37cb49969d8f5230ea65caf56015abda62604544ed526c5c522bf92bed178a078789f6c807b6d34885688024a5bed9e9f8c58d11d4b82487b44c5f470c5606806a0443b79cadb45e0f897a561a53f724e5349b9267c75ca17fe0303020950d53a146bf9c660bc5f4ce8f072465e2d2466434320c1e712272fafc20e342fe7608101580fa1a1a367e60486a7cd1246b7ef5586cf5e10b32762b710a30144f12dd17dd4884904181102000905024dfcb1be021b0c000a0910a86bf526325b21b2904c00a0b2b66b4b39ccffda1d10f3ea8d58f827e30a8b8e009f4255b2d8112a184e40cde43a34e8655ca7809370b0020000"
-
-const signedMessageHex = "a3019bc0cbccc0c4b8d8b74ee2108fe16ec6d3ca490cbe362d3f8333d3f352531472538b8b13d353b97232f352158c20943157c71c16064626063656269052062e4e01987e9b6fccff4b7df3a34c534b23e679cbec3bc0f8f6e64dfb4b55fe3f8efa9ce110ddb5cd79faf1d753c51aecfa669f7e7aa043436596cccc3359cb7dd6bbe9ecaa69e5989d9e57209571edc0b2fa7f57b9b79a64ee6e99ce1371395fee92fec2796f7b15a77c386ff668ee27f6d38f0baa6c438b561657377bf6acff3c5947befd7bf4c196252f1d6e5c524d0300"
-
-const signedTextMessageHex = "a3019bc0cbccc8c4b8d8b74ee2108fe16ec6d36a250cbece0c178233d3f352531472538b8b13d35379b97232f352158ca0b4312f57c71c1646462606365626906a062e4e019811591798ff99bf8afee860b0d8a8c2a85c3387e3bcf0bb3b17987f2bbcfab2aa526d930cbfd3d98757184df3995c9f3e7790e36e3e9779f06089d4c64e9e47dd6202cb6e9bc73c5d11bb59fbaf89d22d8dc7cf199ddf17af96e77c5f65f9bbed56f427bd8db7af37f6c9984bf9385efaf5f184f986fb3e6adb0ecfe35bbf92d16a7aa2a344fb0bc52fb7624f0200"
-
-const signedEncryptedMessageHex = "848c032a67d68660df41c70103ff5789d0de26b6a50c985a02a13131ca829c413a35d0e6fa8d6842599252162808ac7439c72151c8c6183e76923fe3299301414d0c25a2f06a2257db3839e7df0ec964773f6e4c4ac7ff3b48c444237166dd46ba8ff443a5410dc670cb486672fdbe7c9dfafb75b4fea83af3a204fe2a7dfa86bd20122b4f3d2646cbeecb8f7be8d2c03b018bd210b1d3791e1aba74b0f1034e122ab72e760492c192383cf5e20b5628bd043272d63df9b923f147eb6091cd897553204832aba48fec54aa447547bb16305a1024713b90e77fd0065f1918271947549205af3c74891af22ee0b56cd29bfec6d6e351901cd4ab3ece7c486f1e32a792d4e474aed98ee84b3f591c7dff37b64e0ecd68fd036d517e412dcadf85840ce184ad7921ad446c4ee28db80447aea1ca8d4f574db4d4e37688158ddd19e14ee2eab4873d46947d65d14a23e788d912cf9a19624ca7352469b72a83866b7c23cb5ace3deab3c7018061b0ba0f39ed2befe27163e5083cf9b8271e3e3d52cc7ad6e2a3bd81d4c3d7022f8d"
-
-const signedEncryptedMessage2Hex = "85010e03cf6a7abcd43e36731003fb057f5495b79db367e277cdbe4ab90d924ddee0c0381494112ff8c1238fb0184af35d1731573b01bc4c55ecacd2aafbe2003d36310487d1ecc9ac994f3fada7f9f7f5c3a64248ab7782906c82c6ff1303b69a84d9a9529c31ecafbcdb9ba87e05439897d87e8a2a3dec55e14df19bba7f7bd316291c002ae2efd24f83f9e3441203fc081c0c23dc3092a454ca8a082b27f631abf73aca341686982e8fbda7e0e7d863941d68f3de4a755c2964407f4b5e0477b3196b8c93d551dd23c8beef7d0f03fbb1b6066f78907faf4bf1677d8fcec72651124080e0b7feae6b476e72ab207d38d90b958759fdedfc3c6c35717c9dbfc979b3cfbbff0a76d24a5e57056bb88acbd2a901ef64bc6e4db02adc05b6250ff378de81dca18c1910ab257dff1b9771b85bb9bbe0a69f5989e6d1710a35e6dfcceb7d8fb5ccea8db3932b3d9ff3fe0d327597c68b3622aec8e3716c83a6c93f497543b459b58ba504ed6bcaa747d37d2ca746fe49ae0a6ce4a8b694234e941b5159ff8bd34b9023da2814076163b86f40eed7c9472f81b551452d5ab87004a373c0172ec87ea6ce42ccfa7dbdad66b745496c4873d8019e8c28d6b3"
-
-const symmetricallyEncryptedCompressedHex = "8c0d04030302eb4a03808145d0d260c92f714339e13de5a79881216431925bf67ee2898ea61815f07894cd0703c50d0a76ef64d482196f47a8bc729af9b80bb6"
-
-const dsaTestKeyHex = "9901a2044d6c49de110400cb5ce438cf9250907ac2ba5bf6547931270b89f7c4b53d9d09f4d0213a5ef2ec1f26806d3d259960f872a4a102ef1581ea3f6d6882d15134f21ef6a84de933cc34c47cc9106efe3bd84c6aec12e78523661e29bc1a61f0aab17fa58a627fd5fd33f5149153fbe8cd70edf3d963bc287ef875270ff14b5bfdd1bca4483793923b00a0fe46d76cb6e4cbdc568435cd5480af3266d610d303fe33ae8273f30a96d4d34f42fa28ce1112d425b2e3bf7ea553d526e2db6b9255e9dc7419045ce817214d1a0056dbc8d5289956a4b1b69f20f1105124096e6a438f41f2e2495923b0f34b70642607d45559595c7fe94d7fa85fc41bf7d68c1fd509ebeaa5f315f6059a446b9369c277597e4f474a9591535354c7e7f4fd98a08aa60400b130c24ff20bdfbf683313f5daebf1c9b34b3bdadfc77f2ddd72ee1fb17e56c473664bc21d66467655dd74b9005e3a2bacce446f1920cd7017231ae447b67036c9b431b8179deacd5120262d894c26bc015bffe3d827ba7087ad9b700d2ca1f6d16cc1786581e5dd065f293c31209300f9b0afcc3f7c08dd26d0a22d87580b4db41054657374204b65792033202844534129886204131102002205024d6c49de021b03060b090807030206150802090a0b0416020301021e01021780000a0910338934250ccc03607e0400a0bdb9193e8a6b96fc2dfc108ae848914b504481f100a09c4dc148cb693293a67af24dd40d2b13a9e36794"
-
-const dsaTestKeyPrivateHex = "9501bb044d6c49de110400cb5ce438cf9250907ac2ba5bf6547931270b89f7c4b53d9d09f4d0213a5ef2ec1f26806d3d259960f872a4a102ef1581ea3f6d6882d15134f21ef6a84de933cc34c47cc9106efe3bd84c6aec12e78523661e29bc1a61f0aab17fa58a627fd5fd33f5149153fbe8cd70edf3d963bc287ef875270ff14b5bfdd1bca4483793923b00a0fe46d76cb6e4cbdc568435cd5480af3266d610d303fe33ae8273f30a96d4d34f42fa28ce1112d425b2e3bf7ea553d526e2db6b9255e9dc7419045ce817214d1a0056dbc8d5289956a4b1b69f20f1105124096e6a438f41f2e2495923b0f34b70642607d45559595c7fe94d7fa85fc41bf7d68c1fd509ebeaa5f315f6059a446b9369c277597e4f474a9591535354c7e7f4fd98a08aa60400b130c24ff20bdfbf683313f5daebf1c9b34b3bdadfc77f2ddd72ee1fb17e56c473664bc21d66467655dd74b9005e3a2bacce446f1920cd7017231ae447b67036c9b431b8179deacd5120262d894c26bc015bffe3d827ba7087ad9b700d2ca1f6d16cc1786581e5dd065f293c31209300f9b0afcc3f7c08dd26d0a22d87580b4d00009f592e0619d823953577d4503061706843317e4fee083db41054657374204b65792033202844534129886204131102002205024d6c49de021b03060b090807030206150802090a0b0416020301021e01021780000a0910338934250ccc03607e0400a0bdb9193e8a6b96fc2dfc108ae848914b504481f100a09c4dc148cb693293a67af24dd40d2b13a9e36794"
-
-const p256TestKeyHex = "98520456e5b83813082a8648ce3d030107020304a2072cd6d21321266c758cc5b83fab0510f751cb8d91897cddb7047d8d6f185546e2107111b0a95cb8ef063c33245502af7a65f004d5919d93ee74eb71a66253b424502d3235362054657374204b6579203c696e76616c6964406578616d706c652e636f6d3e8879041313080021050256e5b838021b03050b09080702061508090a0b020416020301021e01021780000a0910d44a2c495918513e54e50100dfa64f97d9b47766fc1943c6314ba3f2b2a103d71ad286dc5b1efb96a345b0c80100dbc8150b54241f559da6ef4baacea6d31902b4f4b1bdc09b34bf0502334b7754b8560456e5b83812082a8648ce3d030107020304bfe3cea9cee13486f8d518aa487fecab451f25467d2bf08e58f63e5fa525d5482133e6a79299c274b068ef0be448152ad65cf11cf764348588ca4f6a0bcf22b6030108078861041813080009050256e5b838021b0c000a0910d44a2c495918513e4a4800ff49d589fa64024ad30be363a032e3a0e0e6f5db56ba4c73db850518bf0121b8f20100fd78e065f4c70ea5be9df319ea67e493b936fc78da834a71828043d3154af56e"
-
-const p256TestKeyPrivateHex = "94a50456e5b83813082a8648ce3d030107020304a2072cd6d21321266c758cc5b83fab0510f751cb8d91897cddb7047d8d6f185546e2107111b0a95cb8ef063c33245502af7a65f004d5919d93ee74eb71a66253fe070302f0c2bfb0b6c30f87ee1599472b8636477eab23ced13b271886a4b50ed34c9d8436af5af5b8f88921f0efba6ef8c37c459bbb88bc1c6a13bbd25c4ce9b1e97679569ee77645d469bf4b43de637f5561b424502d3235362054657374204b6579203c696e76616c6964406578616d706c652e636f6d3e8879041313080021050256e5b838021b03050b09080702061508090a0b020416020301021e01021780000a0910d44a2c495918513e54e50100dfa64f97d9b47766fc1943c6314ba3f2b2a103d71ad286dc5b1efb96a345b0c80100dbc8150b54241f559da6ef4baacea6d31902b4f4b1bdc09b34bf0502334b77549ca90456e5b83812082a8648ce3d030107020304bfe3cea9cee13486f8d518aa487fecab451f25467d2bf08e58f63e5fa525d5482133e6a79299c274b068ef0be448152ad65cf11cf764348588ca4f6a0bcf22b603010807fe0703027510012471a603cfee2968dce19f732721ddf03e966fd133b4e3c7a685b788705cbc46fb026dc94724b830c9edbaecd2fb2c662f23169516cacd1fe423f0475c364ecc10abcabcfd4bbbda1a36a1bd8861041813080009050256e5b838021b0c000a0910d44a2c495918513e4a4800ff49d589fa64024ad30be363a032e3a0e0e6f5db56ba4c73db850518bf0121b8f20100fd78e065f4c70ea5be9df319ea67e493b936fc78da834a71828043d3154af56e"
-
-const armoredPrivateKeyBlock = `-----BEGIN PGP PRIVATE KEY BLOCK-----
-Version: GnuPG v1.4.10 (GNU/Linux)
-
-lQHYBE2rFNoBBADFwqWQIW/DSqcB4yCQqnAFTJ27qS5AnB46ccAdw3u4Greeu3Bp
-idpoHdjULy7zSKlwR1EA873dO/k/e11Ml3dlAFUinWeejWaK2ugFP6JjiieSsrKn
-vWNicdCS4HTWn0X4sjl0ZiAygw6GNhqEQ3cpLeL0g8E9hnYzJKQ0LWJa0QARAQAB
-AAP/TB81EIo2VYNmTq0pK1ZXwUpxCrvAAIG3hwKjEzHcbQznsjNvPUihZ+NZQ6+X
-0HCfPAdPkGDCLCb6NavcSW+iNnLTrdDnSI6+3BbIONqWWdRDYJhqZCkqmG6zqSfL
-IdkJgCw94taUg5BWP/AAeQrhzjChvpMQTVKQL5mnuZbUCeMCAN5qrYMP2S9iKdnk
-VANIFj7656ARKt/nf4CBzxcpHTyB8+d2CtPDKCmlJP6vL8t58Jmih+kHJMvC0dzn
-gr5f5+sCAOOe5gt9e0am7AvQWhdbHVfJU0TQJx+m2OiCJAqGTB1nvtBLHdJnfdC9
-TnXXQ6ZXibqLyBies/xeY2sCKL5qtTMCAKnX9+9d/5yQxRyrQUHt1NYhaXZnJbHx
-q4ytu0eWz+5i68IYUSK69jJ1NWPM0T6SkqpB3KCAIv68VFm9PxqG1KmhSrQIVGVz
-dCBLZXmIuAQTAQIAIgUCTasU2gIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
-CgkQO9o98PRieSoLhgQAkLEZex02Qt7vGhZzMwuN0R22w3VwyYyjBx+fM3JFETy1
-ut4xcLJoJfIaF5ZS38UplgakHG0FQ+b49i8dMij0aZmDqGxrew1m4kBfjXw9B/v+
-eIqpODryb6cOSwyQFH0lQkXC040pjq9YqDsO5w0WYNXYKDnzRV0p4H1pweo2VDid
-AdgETasU2gEEAN46UPeWRqKHvA99arOxee38fBt2CI08iiWyI8T3J6ivtFGixSqV
-bRcPxYO/qLpVe5l84Nb3X71GfVXlc9hyv7CD6tcowL59hg1E/DC5ydI8K8iEpUmK
-/UnHdIY5h8/kqgGxkY/T/hgp5fRQgW1ZoZxLajVlMRZ8W4tFtT0DeA+JABEBAAEA
-A/0bE1jaaZKj6ndqcw86jd+QtD1SF+Cf21CWRNeLKnUds4FRRvclzTyUMuWPkUeX
-TaNNsUOFqBsf6QQ2oHUBBK4VCHffHCW4ZEX2cd6umz7mpHW6XzN4DECEzOVksXtc
-lUC1j4UB91DC/RNQqwX1IV2QLSwssVotPMPqhOi0ZLNY7wIA3n7DWKInxYZZ4K+6
-rQ+POsz6brEoRHwr8x6XlHenq1Oki855pSa1yXIARoTrSJkBtn5oI+f8AzrnN0BN
-oyeQAwIA/7E++3HDi5aweWrViiul9cd3rcsS0dEnksPhvS0ozCJiHsq/6GFmy7J8
-QSHZPteedBnZyNp5jR+H7cIfVN3KgwH/Skq4PsuPhDq5TKK6i8Pc1WW8MA6DXTdU
-nLkX7RGmMwjC0DBf7KWAlPjFaONAX3a8ndnz//fy1q7u2l9AZwrj1qa1iJ8EGAEC
-AAkFAk2rFNoCGwwACgkQO9o98PRieSo2/QP/WTzr4ioINVsvN1akKuekmEMI3LAp
-BfHwatufxxP1U+3Si/6YIk7kuPB9Hs+pRqCXzbvPRrI8NHZBmc8qIGthishdCYad
-AHcVnXjtxrULkQFGbGvhKURLvS9WnzD/m1K2zzwxzkPTzT9/Yf06O6Mal5AdugPL
-VrM0m72/jnpKo04=
-=zNCn
------END PGP PRIVATE KEY BLOCK-----`
-
-const e2ePublicKey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
-Charset: UTF-8
-
-xv8AAABSBAAAAAATCCqGSM49AwEHAgME1LRoXSpOxtHXDUdmuvzchyg6005qIBJ4
-sfaSxX7QgH9RV2ONUhC+WiayCNADq+UMzuR/vunSr4aQffXvuGnR383/AAAAFDxk
-Z2lsQHlhaG9vLWluYy5jb20+wv8AAACGBBATCAA4/wAAAAWCVGvAG/8AAAACiwn/
-AAAACZC2VkQCOjdvYf8AAAAFlQgJCgv/AAAAA5YBAv8AAAACngEAAE1BAP0X8veD
-24IjmI5/C6ZAfVNXxgZZFhTAACFX75jUA3oD6AEAzoSwKf1aqH6oq62qhCN/pekX
-+WAsVMBhNwzLpqtCRjLO/wAAAFYEAAAAABIIKoZIzj0DAQcCAwT50ain7vXiIRv8
-B1DO3x3cE/aattZ5sHNixJzRCXi2vQIA5QmOxZ6b5jjUekNbdHG3SZi1a2Ak5mfX
-fRxC/5VGAwEIB8L/AAAAZQQYEwgAGP8AAAAFglRrwBz/AAAACZC2VkQCOjdvYQAA
-FJAA9isX3xtGyMLYwp2F3nXm7QEdY5bq5VUcD/RJlj792VwA/1wH0pCzVLl4Q9F9
-ex7En5r7rHR5xwX82Msc+Rq9dSyO
-=7MrZ
------END PGP PUBLIC KEY BLOCK-----`
-
-const dsaKeyWithSHA512 = `9901a2044f04b07f110400db244efecc7316553ee08d179972aab87bb1214de7692593fcf5b6feb1c80fba268722dd464748539b85b81d574cd2d7ad0ca2444de4d849b8756bad7768c486c83a824f9bba4af773d11742bdfb4ac3b89ef8cc9452d4aad31a37e4b630d33927bff68e879284a1672659b8b298222fc68f370f3e24dccacc4a862442b9438b00a0ea444a24088dc23e26df7daf8f43cba3bffc4fe703fe3d6cd7fdca199d54ed8ae501c30e3ec7871ea9cdd4cf63cfe6fc82281d70a5b8bb493f922cd99fba5f088935596af087c8d818d5ec4d0b9afa7f070b3d7c1dd32a84fca08d8280b4890c8da1dde334de8e3cad8450eed2a4a4fcc2db7b8e5528b869a74a7f0189e11ef097ef1253582348de072bb07a9fa8ab838e993cef0ee203ff49298723e2d1f549b00559f886cd417a41692ce58d0ac1307dc71d85a8af21b0cf6eaa14baf2922d3a70389bedf17cc514ba0febbd107675a372fe84b90162a9e88b14d4b1c6be855b96b33fb198c46f058568817780435b6936167ebb3724b680f32bf27382ada2e37a879b3d9de2abe0c3f399350afd1ad438883f4791e2e3b4184453412068617368207472756e636174696f6e207465737488620413110a002205024f04b07f021b03060b090807030206150802090a0b0416020301021e01021780000a0910ef20e0cefca131581318009e2bf3bf047a44d75a9bacd00161ee04d435522397009a03a60d51bd8a568c6c021c8d7cf1be8d990d6417b0020003`
-
-const unknownHashFunctionHex = `8a00000040040001990006050253863c24000a09103b4fe6acc0b21f32ffff01010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101`
-
-const missingHashFunctionHex = `8a00000040040001030006050253863c24000a09103b4fe6acc0b21f32ffff0101010101010101010101010101010101010101010101010101010101010101010101010101`
-
-const campbellQuine = `a0b001000300fcffa0b001000d00f2ff000300fcffa0b001000d00f2ff8270a01c00000500faff8270a01c00000500faff000500faff001400ebff8270a01c00000500faff000500faff001400ebff428821c400001400ebff428821c400001400ebff428821c400001400ebff428821c400001400ebff428821c400000000ffff000000ffff000b00f4ff428821c400000000ffff000000ffff000b00f4ff0233214c40000100feff000233214c40000100feff0000`
-
-const keyV4forVerifyingSignedMessageV3 = `-----BEGIN PGP PUBLIC KEY BLOCK-----
-Comment: GPGTools - https://gpgtools.org
-
-mI0EVfxoFQEEAMBIqmbDfYygcvP6Phr1wr1XI41IF7Qixqybs/foBF8qqblD9gIY
-BKpXjnBOtbkcVOJ0nljd3/sQIfH4E0vQwK5/4YRQSI59eKOqd6Fx+fWQOLG+uu6z
-tewpeCj9LLHvibx/Sc7VWRnrznia6ftrXxJ/wHMezSab3tnGC0YPVdGNABEBAAG0
-JEdvY3J5cHRvIFRlc3QgS2V5IDx0aGVtYXhAZ21haWwuY29tPoi5BBMBCgAjBQJV
-/GgVAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQeXnQmhdGW9PFVAP+
-K7TU0qX5ArvIONIxh/WAweyOk884c5cE8f+3NOPOOCRGyVy0FId5A7MmD5GOQh4H
-JseOZVEVCqlmngEvtHZb3U1VYtVGE5WZ+6rQhGsMcWP5qaT4soYwMBlSYxgYwQcx
-YhN9qOr292f9j2Y//TTIJmZT4Oa+lMxhWdqTfX+qMgG4jQRV/GgVAQQArhFSiij1
-b+hT3dnapbEU+23Z1yTu1DfF6zsxQ4XQWEV3eR8v+8mEDDNcz8oyyF56k6UQ3rXi
-UMTIwRDg4V6SbZmaFbZYCOwp/EmXJ3rfhm7z7yzXj2OFN22luuqbyVhuL7LRdB0M
-pxgmjXb4tTvfgKd26x34S+QqUJ7W6uprY4sAEQEAAYifBBgBCgAJBQJV/GgVAhsM
-AAoJEHl50JoXRlvT7y8D/02ckx4OMkKBZo7viyrBw0MLG92i+DC2bs35PooHR6zz
-786mitjOp5z2QWNLBvxC70S0qVfCIz8jKupO1J6rq6Z8CcbLF3qjm6h1omUBf8Nd
-EfXKD2/2HV6zMKVknnKzIEzauh+eCKS2CeJUSSSryap/QLVAjRnckaES/OsEWhNB
-=RZia
------END PGP PUBLIC KEY BLOCK-----
-`
-
-const signedMessageV3 = `-----BEGIN PGP MESSAGE-----
-Comment: GPGTools - https://gpgtools.org
-
-owGbwMvMwMVYWXlhlrhb9GXG03JJDKF/MtxDMjKLFYAoUaEktbhEITe1uDgxPVWP
-q5NhKjMrWAVcC9evD8z/bF/uWNjqtk/X3y5/38XGRQHm/57rrDRYuGnTw597Xqka
-uM3137/hH3Os+Jf2dc0fXOITKwJvXJvecPVs0ta+Vg7ZO1MLn8w58Xx+6L58mbka
-DGHyU9yTueZE8D+QF/Tz28Y78dqtF56R1VPn9Xw4uJqrWYdd7b3vIZ1V6R4Nh05d
-iT57d/OhWwA=
-=hG7R
------END PGP MESSAGE-----
-`
diff --git a/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go
deleted file mode 100644
index 4b9a44ca..00000000
--- a/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go
+++ /dev/null
@@ -1,273 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package s2k implements the various OpenPGP string-to-key transforms as
-// specified in RFC 4800 section 3.7.1.
-package s2k // import "golang.org/x/crypto/openpgp/s2k"
-
-import (
-	"crypto"
-	"hash"
-	"io"
-	"strconv"
-
-	"golang.org/x/crypto/openpgp/errors"
-)
-
-// Config collects configuration parameters for s2k key-stretching
-// transformatioms. A nil *Config is valid and results in all default
-// values. Currently, Config is used only by the Serialize function in
-// this package.
-type Config struct {
-	// Hash is the default hash function to be used. If
-	// nil, SHA1 is used.
-	Hash crypto.Hash
-	// S2KCount is only used for symmetric encryption. It
-	// determines the strength of the passphrase stretching when
-	// the said passphrase is hashed to produce a key. S2KCount
-	// should be between 1024 and 65011712, inclusive. If Config
-	// is nil or S2KCount is 0, the value 65536 used. Not all
-	// values in the above range can be represented. S2KCount will
-	// be rounded up to the next representable value if it cannot
-	// be encoded exactly. When set, it is strongly encrouraged to
-	// use a value that is at least 65536. See RFC 4880 Section
-	// 3.7.1.3.
-	S2KCount int
-}
-
-func (c *Config) hash() crypto.Hash {
-	if c == nil || uint(c.Hash) == 0 {
-		// SHA1 is the historical default in this package.
-		return crypto.SHA1
-	}
-
-	return c.Hash
-}
-
-func (c *Config) encodedCount() uint8 {
-	if c == nil || c.S2KCount == 0 {
-		return 96 // The common case. Correspoding to 65536
-	}
-
-	i := c.S2KCount
-	switch {
-	// Behave like GPG. Should we make 65536 the lowest value used?
-	case i < 1024:
-		i = 1024
-	case i > 65011712:
-		i = 65011712
-	}
-
-	return encodeCount(i)
-}
-
-// encodeCount converts an iterative "count" in the range 1024 to
-// 65011712, inclusive, to an encoded count. The return value is the
-// octet that is actually stored in the GPG file. encodeCount panics
-// if i is not in the above range (encodedCount above takes care to
-// pass i in the correct range). See RFC 4880 Section 3.7.7.1.
-func encodeCount(i int) uint8 {
-	if i < 1024 || i > 65011712 {
-		panic("count arg i outside the required range")
-	}
-
-	for encoded := 0; encoded < 256; encoded++ {
-		count := decodeCount(uint8(encoded))
-		if count >= i {
-			return uint8(encoded)
-		}
-	}
-
-	return 255
-}
-
-// decodeCount returns the s2k mode 3 iterative "count" corresponding to
-// the encoded octet c.
-func decodeCount(c uint8) int {
-	return (16 + int(c&15)) << (uint32(c>>4) + 6)
-}
-
-// Simple writes to out the result of computing the Simple S2K function (RFC
-// 4880, section 3.7.1.1) using the given hash and input passphrase.
-func Simple(out []byte, h hash.Hash, in []byte) {
-	Salted(out, h, in, nil)
-}
-
-var zero [1]byte
-
-// Salted writes to out the result of computing the Salted S2K function (RFC
-// 4880, section 3.7.1.2) using the given hash, input passphrase and salt.
-func Salted(out []byte, h hash.Hash, in []byte, salt []byte) {
-	done := 0
-	var digest []byte
-
-	for i := 0; done < len(out); i++ {
-		h.Reset()
-		for j := 0; j < i; j++ {
-			h.Write(zero[:])
-		}
-		h.Write(salt)
-		h.Write(in)
-		digest = h.Sum(digest[:0])
-		n := copy(out[done:], digest)
-		done += n
-	}
-}
-
-// Iterated writes to out the result of computing the Iterated and Salted S2K
-// function (RFC 4880, section 3.7.1.3) using the given hash, input passphrase,
-// salt and iteration count.
-func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) {
-	combined := make([]byte, len(in)+len(salt))
-	copy(combined, salt)
-	copy(combined[len(salt):], in)
-
-	if count < len(combined) {
-		count = len(combined)
-	}
-
-	done := 0
-	var digest []byte
-	for i := 0; done < len(out); i++ {
-		h.Reset()
-		for j := 0; j < i; j++ {
-			h.Write(zero[:])
-		}
-		written := 0
-		for written < count {
-			if written+len(combined) > count {
-				todo := count - written
-				h.Write(combined[:todo])
-				written = count
-			} else {
-				h.Write(combined)
-				written += len(combined)
-			}
-		}
-		digest = h.Sum(digest[:0])
-		n := copy(out[done:], digest)
-		done += n
-	}
-}
-
-// Parse reads a binary specification for a string-to-key transformation from r
-// and returns a function which performs that transform.
-func Parse(r io.Reader) (f func(out, in []byte), err error) {
-	var buf [9]byte
-
-	_, err = io.ReadFull(r, buf[:2])
-	if err != nil {
-		return
-	}
-
-	hash, ok := HashIdToHash(buf[1])
-	if !ok {
-		return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(buf[1])))
-	}
-	if !hash.Available() {
-		return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hash)))
-	}
-	h := hash.New()
-
-	switch buf[0] {
-	case 0:
-		f := func(out, in []byte) {
-			Simple(out, h, in)
-		}
-		return f, nil
-	case 1:
-		_, err = io.ReadFull(r, buf[:8])
-		if err != nil {
-			return
-		}
-		f := func(out, in []byte) {
-			Salted(out, h, in, buf[:8])
-		}
-		return f, nil
-	case 3:
-		_, err = io.ReadFull(r, buf[:9])
-		if err != nil {
-			return
-		}
-		count := decodeCount(buf[8])
-		f := func(out, in []byte) {
-			Iterated(out, h, in, buf[:8], count)
-		}
-		return f, nil
-	}
-
-	return nil, errors.UnsupportedError("S2K function")
-}
-
-// Serialize salts and stretches the given passphrase and writes the
-// resulting key into key. It also serializes an S2K descriptor to
-// w. The key stretching can be configured with c, which may be
-// nil. In that case, sensible defaults will be used.
-func Serialize(w io.Writer, key []byte, rand io.Reader, passphrase []byte, c *Config) error {
-	var buf [11]byte
-	buf[0] = 3 /* iterated and salted */
-	buf[1], _ = HashToHashId(c.hash())
-	salt := buf[2:10]
-	if _, err := io.ReadFull(rand, salt); err != nil {
-		return err
-	}
-	encodedCount := c.encodedCount()
-	count := decodeCount(encodedCount)
-	buf[10] = encodedCount
-	if _, err := w.Write(buf[:]); err != nil {
-		return err
-	}
-
-	Iterated(key, c.hash().New(), passphrase, salt, count)
-	return nil
-}
-
-// hashToHashIdMapping contains pairs relating OpenPGP's hash identifier with
-// Go's crypto.Hash type. See RFC 4880, section 9.4.
-var hashToHashIdMapping = []struct {
-	id   byte
-	hash crypto.Hash
-	name string
-}{
-	{1, crypto.MD5, "MD5"},
-	{2, crypto.SHA1, "SHA1"},
-	{3, crypto.RIPEMD160, "RIPEMD160"},
-	{8, crypto.SHA256, "SHA256"},
-	{9, crypto.SHA384, "SHA384"},
-	{10, crypto.SHA512, "SHA512"},
-	{11, crypto.SHA224, "SHA224"},
-}
-
-// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
-// hash id.
-func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
-	for _, m := range hashToHashIdMapping {
-		if m.id == id {
-			return m.hash, true
-		}
-	}
-	return 0, false
-}
-
-// HashIdToString returns the name of the hash function corresponding to the
-// given OpenPGP hash id.
-func HashIdToString(id byte) (name string, ok bool) {
-	for _, m := range hashToHashIdMapping {
-		if m.id == id {
-			return m.name, true
-		}
-	}
-
-	return "", false
-}
-
-// HashIdToHash returns an OpenPGP hash id which corresponds the given Hash.
-func HashToHashId(h crypto.Hash) (id byte, ok bool) {
-	for _, m := range hashToHashIdMapping {
-		if m.hash == h {
-			return m.id, true
-		}
-	}
-	return 0, false
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/s2k/s2k_test.go b/vendor/golang.org/x/crypto/openpgp/s2k/s2k_test.go
deleted file mode 100644
index 183d2605..00000000
--- a/vendor/golang.org/x/crypto/openpgp/s2k/s2k_test.go
+++ /dev/null
@@ -1,137 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package s2k
-
-import (
-	"bytes"
-	"crypto"
-	_ "crypto/md5"
-	"crypto/rand"
-	"crypto/sha1"
-	_ "crypto/sha256"
-	_ "crypto/sha512"
-	"encoding/hex"
-	"testing"
-
-	_ "golang.org/x/crypto/ripemd160"
-)
-
-var saltedTests = []struct {
-	in, out string
-}{
-	{"hello", "10295ac1"},
-	{"world", "ac587a5e"},
-	{"foo", "4dda8077"},
-	{"bar", "bd8aac6b9ea9cae04eae6a91c6133b58b5d9a61c14f355516ed9370456"},
-	{"x", "f1d3f289"},
-	{"xxxxxxxxxxxxxxxxxxxxxxx", "e00d7b45"},
-}
-
-func TestSalted(t *testing.T) {
-	h := sha1.New()
-	salt := [4]byte{1, 2, 3, 4}
-
-	for i, test := range saltedTests {
-		expected, _ := hex.DecodeString(test.out)
-		out := make([]byte, len(expected))
-		Salted(out, h, []byte(test.in), salt[:])
-		if !bytes.Equal(expected, out) {
-			t.Errorf("#%d, got: %x want: %x", i, out, expected)
-		}
-	}
-}
-
-var iteratedTests = []struct {
-	in, out string
-}{
-	{"hello", "83126105"},
-	{"world", "6fa317f9"},
-	{"foo", "8fbc35b9"},
-	{"bar", "2af5a99b54f093789fd657f19bd245af7604d0f6ae06f66602a46a08ae"},
-	{"x", "5a684dfe"},
-	{"xxxxxxxxxxxxxxxxxxxxxxx", "18955174"},
-}
-
-func TestIterated(t *testing.T) {
-	h := sha1.New()
-	salt := [4]byte{4, 3, 2, 1}
-
-	for i, test := range iteratedTests {
-		expected, _ := hex.DecodeString(test.out)
-		out := make([]byte, len(expected))
-		Iterated(out, h, []byte(test.in), salt[:], 31)
-		if !bytes.Equal(expected, out) {
-			t.Errorf("#%d, got: %x want: %x", i, out, expected)
-		}
-	}
-}
-
-var parseTests = []struct {
-	spec, in, out string
-}{
-	/* Simple with SHA1 */
-	{"0002", "hello", "aaf4c61d"},
-	/* Salted with SHA1 */
-	{"01020102030405060708", "hello", "f4f7d67e"},
-	/* Iterated with SHA1 */
-	{"03020102030405060708f1", "hello", "f2a57b7c"},
-}
-
-func TestParse(t *testing.T) {
-	for i, test := range parseTests {
-		spec, _ := hex.DecodeString(test.spec)
-		buf := bytes.NewBuffer(spec)
-		f, err := Parse(buf)
-		if err != nil {
-			t.Errorf("%d: Parse returned error: %s", i, err)
-			continue
-		}
-
-		expected, _ := hex.DecodeString(test.out)
-		out := make([]byte, len(expected))
-		f(out, []byte(test.in))
-		if !bytes.Equal(out, expected) {
-			t.Errorf("%d: output got: %x want: %x", i, out, expected)
-		}
-		if testing.Short() {
-			break
-		}
-	}
-}
-
-func TestSerialize(t *testing.T) {
-	hashes := []crypto.Hash{crypto.MD5, crypto.SHA1, crypto.RIPEMD160,
-		crypto.SHA256, crypto.SHA384, crypto.SHA512, crypto.SHA224}
-	testCounts := []int{-1, 0, 1024, 65536, 4063232, 65011712}
-	for _, h := range hashes {
-		for _, c := range testCounts {
-			testSerializeConfig(t, &Config{Hash: h, S2KCount: c})
-		}
-	}
-}
-
-func testSerializeConfig(t *testing.T, c *Config) {
-	t.Logf("Running testSerializeConfig() with config: %+v", c)
-
-	buf := bytes.NewBuffer(nil)
-	key := make([]byte, 16)
-	passphrase := []byte("testing")
-	err := Serialize(buf, key, rand.Reader, passphrase, c)
-	if err != nil {
-		t.Errorf("failed to serialize: %s", err)
-		return
-	}
-
-	f, err := Parse(buf)
-	if err != nil {
-		t.Errorf("failed to reparse: %s", err)
-		return
-	}
-	key2 := make([]byte, len(key))
-	f(key2, passphrase)
-	if !bytes.Equal(key2, key) {
-		t.Errorf("keys don't match: %x (serialied) vs %x (parsed)", key, key2)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/write.go b/vendor/golang.org/x/crypto/openpgp/write.go
deleted file mode 100644
index 65a304cc..00000000
--- a/vendor/golang.org/x/crypto/openpgp/write.go
+++ /dev/null
@@ -1,378 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package openpgp
-
-import (
-	"crypto"
-	"hash"
-	"io"
-	"strconv"
-	"time"
-
-	"golang.org/x/crypto/openpgp/armor"
-	"golang.org/x/crypto/openpgp/errors"
-	"golang.org/x/crypto/openpgp/packet"
-	"golang.org/x/crypto/openpgp/s2k"
-)
-
-// DetachSign signs message with the private key from signer (which must
-// already have been decrypted) and writes the signature to w.
-// If config is nil, sensible defaults will be used.
-func DetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
-	return detachSign(w, signer, message, packet.SigTypeBinary, config)
-}
-
-// ArmoredDetachSign signs message with the private key from signer (which
-// must already have been decrypted) and writes an armored signature to w.
-// If config is nil, sensible defaults will be used.
-func ArmoredDetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) (err error) {
-	return armoredDetachSign(w, signer, message, packet.SigTypeBinary, config)
-}
-
-// DetachSignText signs message (after canonicalising the line endings) with
-// the private key from signer (which must already have been decrypted) and
-// writes the signature to w.
-// If config is nil, sensible defaults will be used.
-func DetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
-	return detachSign(w, signer, message, packet.SigTypeText, config)
-}
-
-// ArmoredDetachSignText signs message (after canonicalising the line endings)
-// with the private key from signer (which must already have been decrypted)
-// and writes an armored signature to w.
-// If config is nil, sensible defaults will be used.
-func ArmoredDetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
-	return armoredDetachSign(w, signer, message, packet.SigTypeText, config)
-}
-
-func armoredDetachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
-	out, err := armor.Encode(w, SignatureType, nil)
-	if err != nil {
-		return
-	}
-	err = detachSign(out, signer, message, sigType, config)
-	if err != nil {
-		return
-	}
-	return out.Close()
-}
-
-func detachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
-	if signer.PrivateKey == nil {
-		return errors.InvalidArgumentError("signing key doesn't have a private key")
-	}
-	if signer.PrivateKey.Encrypted {
-		return errors.InvalidArgumentError("signing key is encrypted")
-	}
-
-	sig := new(packet.Signature)
-	sig.SigType = sigType
-	sig.PubKeyAlgo = signer.PrivateKey.PubKeyAlgo
-	sig.Hash = config.Hash()
-	sig.CreationTime = config.Now()
-	sig.IssuerKeyId = &signer.PrivateKey.KeyId
-
-	h, wrappedHash, err := hashForSignature(sig.Hash, sig.SigType)
-	if err != nil {
-		return
-	}
-	io.Copy(wrappedHash, message)
-
-	err = sig.Sign(h, signer.PrivateKey, config)
-	if err != nil {
-		return
-	}
-
-	return sig.Serialize(w)
-}
-
-// FileHints contains metadata about encrypted files. This metadata is, itself,
-// encrypted.
-type FileHints struct {
-	// IsBinary can be set to hint that the contents are binary data.
-	IsBinary bool
-	// FileName hints at the name of the file that should be written. It's
-	// truncated to 255 bytes if longer. It may be empty to suggest that the
-	// file should not be written to disk. It may be equal to "_CONSOLE" to
-	// suggest the data should not be written to disk.
-	FileName string
-	// ModTime contains the modification time of the file, or the zero time if not applicable.
-	ModTime time.Time
-}
-
-// SymmetricallyEncrypt acts like gpg -c: it encrypts a file with a passphrase.
-// The resulting WriteCloser must be closed after the contents of the file have
-// been written.
-// If config is nil, sensible defaults will be used.
-func SymmetricallyEncrypt(ciphertext io.Writer, passphrase []byte, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
-	if hints == nil {
-		hints = &FileHints{}
-	}
-
-	key, err := packet.SerializeSymmetricKeyEncrypted(ciphertext, passphrase, config)
-	if err != nil {
-		return
-	}
-	w, err := packet.SerializeSymmetricallyEncrypted(ciphertext, config.Cipher(), key, config)
-	if err != nil {
-		return
-	}
-
-	literaldata := w
-	if algo := config.Compression(); algo != packet.CompressionNone {
-		var compConfig *packet.CompressionConfig
-		if config != nil {
-			compConfig = config.CompressionConfig
-		}
-		literaldata, err = packet.SerializeCompressed(w, algo, compConfig)
-		if err != nil {
-			return
-		}
-	}
-
-	var epochSeconds uint32
-	if !hints.ModTime.IsZero() {
-		epochSeconds = uint32(hints.ModTime.Unix())
-	}
-	return packet.SerializeLiteral(literaldata, hints.IsBinary, hints.FileName, epochSeconds)
-}
-
-// intersectPreferences mutates and returns a prefix of a that contains only
-// the values in the intersection of a and b. The order of a is preserved.
-func intersectPreferences(a []uint8, b []uint8) (intersection []uint8) {
-	var j int
-	for _, v := range a {
-		for _, v2 := range b {
-			if v == v2 {
-				a[j] = v
-				j++
-				break
-			}
-		}
-	}
-
-	return a[:j]
-}
-
-func hashToHashId(h crypto.Hash) uint8 {
-	v, ok := s2k.HashToHashId(h)
-	if !ok {
-		panic("tried to convert unknown hash")
-	}
-	return v
-}
-
-// Encrypt encrypts a message to a number of recipients and, optionally, signs
-// it. hints contains optional information, that is also encrypted, that aids
-// the recipients in processing the message. The resulting WriteCloser must
-// be closed after the contents of the file have been written.
-// If config is nil, sensible defaults will be used.
-func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
-	var signer *packet.PrivateKey
-	if signed != nil {
-		signKey, ok := signed.signingKey(config.Now())
-		if !ok {
-			return nil, errors.InvalidArgumentError("no valid signing keys")
-		}
-		signer = signKey.PrivateKey
-		if signer == nil {
-			return nil, errors.InvalidArgumentError("no private key in signing key")
-		}
-		if signer.Encrypted {
-			return nil, errors.InvalidArgumentError("signing key must be decrypted")
-		}
-	}
-
-	// These are the possible ciphers that we'll use for the message.
-	candidateCiphers := []uint8{
-		uint8(packet.CipherAES128),
-		uint8(packet.CipherAES256),
-		uint8(packet.CipherCAST5),
-	}
-	// These are the possible hash functions that we'll use for the signature.
-	candidateHashes := []uint8{
-		hashToHashId(crypto.SHA256),
-		hashToHashId(crypto.SHA512),
-		hashToHashId(crypto.SHA1),
-		hashToHashId(crypto.RIPEMD160),
-	}
-	// In the event that a recipient doesn't specify any supported ciphers
-	// or hash functions, these are the ones that we assume that every
-	// implementation supports.
-	defaultCiphers := candidateCiphers[len(candidateCiphers)-1:]
-	defaultHashes := candidateHashes[len(candidateHashes)-1:]
-
-	encryptKeys := make([]Key, len(to))
-	for i := range to {
-		var ok bool
-		encryptKeys[i], ok = to[i].encryptionKey(config.Now())
-		if !ok {
-			return nil, errors.InvalidArgumentError("cannot encrypt a message to key id " + strconv.FormatUint(to[i].PrimaryKey.KeyId, 16) + " because it has no encryption keys")
-		}
-
-		sig := to[i].primaryIdentity().SelfSignature
-
-		preferredSymmetric := sig.PreferredSymmetric
-		if len(preferredSymmetric) == 0 {
-			preferredSymmetric = defaultCiphers
-		}
-		preferredHashes := sig.PreferredHash
-		if len(preferredHashes) == 0 {
-			preferredHashes = defaultHashes
-		}
-		candidateCiphers = intersectPreferences(candidateCiphers, preferredSymmetric)
-		candidateHashes = intersectPreferences(candidateHashes, preferredHashes)
-	}
-
-	if len(candidateCiphers) == 0 || len(candidateHashes) == 0 {
-		return nil, errors.InvalidArgumentError("cannot encrypt because recipient set shares no common algorithms")
-	}
-
-	cipher := packet.CipherFunction(candidateCiphers[0])
-	// If the cipher specified by config is a candidate, we'll use that.
-	configuredCipher := config.Cipher()
-	for _, c := range candidateCiphers {
-		cipherFunc := packet.CipherFunction(c)
-		if cipherFunc == configuredCipher {
-			cipher = cipherFunc
-			break
-		}
-	}
-
-	var hash crypto.Hash
-	for _, hashId := range candidateHashes {
-		if h, ok := s2k.HashIdToHash(hashId); ok && h.Available() {
-			hash = h
-			break
-		}
-	}
-
-	// If the hash specified by config is a candidate, we'll use that.
-	if configuredHash := config.Hash(); configuredHash.Available() {
-		for _, hashId := range candidateHashes {
-			if h, ok := s2k.HashIdToHash(hashId); ok && h == configuredHash {
-				hash = h
-				break
-			}
-		}
-	}
-
-	if hash == 0 {
-		hashId := candidateHashes[0]
-		name, ok := s2k.HashIdToString(hashId)
-		if !ok {
-			name = "#" + strconv.Itoa(int(hashId))
-		}
-		return nil, errors.InvalidArgumentError("cannot encrypt because no candidate hash functions are compiled in. (Wanted " + name + " in this case.)")
-	}
-
-	symKey := make([]byte, cipher.KeySize())
-	if _, err := io.ReadFull(config.Random(), symKey); err != nil {
-		return nil, err
-	}
-
-	for _, key := range encryptKeys {
-		if err := packet.SerializeEncryptedKey(ciphertext, key.PublicKey, cipher, symKey, config); err != nil {
-			return nil, err
-		}
-	}
-
-	encryptedData, err := packet.SerializeSymmetricallyEncrypted(ciphertext, cipher, symKey, config)
-	if err != nil {
-		return
-	}
-
-	if signer != nil {
-		ops := &packet.OnePassSignature{
-			SigType:    packet.SigTypeBinary,
-			Hash:       hash,
-			PubKeyAlgo: signer.PubKeyAlgo,
-			KeyId:      signer.KeyId,
-			IsLast:     true,
-		}
-		if err := ops.Serialize(encryptedData); err != nil {
-			return nil, err
-		}
-	}
-
-	if hints == nil {
-		hints = &FileHints{}
-	}
-
-	w := encryptedData
-	if signer != nil {
-		// If we need to write a signature packet after the literal
-		// data then we need to stop literalData from closing
-		// encryptedData.
-		w = noOpCloser{encryptedData}
-
-	}
-	var epochSeconds uint32
-	if !hints.ModTime.IsZero() {
-		epochSeconds = uint32(hints.ModTime.Unix())
-	}
-	literalData, err := packet.SerializeLiteral(w, hints.IsBinary, hints.FileName, epochSeconds)
-	if err != nil {
-		return nil, err
-	}
-
-	if signer != nil {
-		return signatureWriter{encryptedData, literalData, hash, hash.New(), signer, config}, nil
-	}
-	return literalData, nil
-}
-
-// signatureWriter hashes the contents of a message while passing it along to
-// literalData. When closed, it closes literalData, writes a signature packet
-// to encryptedData and then also closes encryptedData.
-type signatureWriter struct {
-	encryptedData io.WriteCloser
-	literalData   io.WriteCloser
-	hashType      crypto.Hash
-	h             hash.Hash
-	signer        *packet.PrivateKey
-	config        *packet.Config
-}
-
-func (s signatureWriter) Write(data []byte) (int, error) {
-	s.h.Write(data)
-	return s.literalData.Write(data)
-}
-
-func (s signatureWriter) Close() error {
-	sig := &packet.Signature{
-		SigType:      packet.SigTypeBinary,
-		PubKeyAlgo:   s.signer.PubKeyAlgo,
-		Hash:         s.hashType,
-		CreationTime: s.config.Now(),
-		IssuerKeyId:  &s.signer.KeyId,
-	}
-
-	if err := sig.Sign(s.h, s.signer, s.config); err != nil {
-		return err
-	}
-	if err := s.literalData.Close(); err != nil {
-		return err
-	}
-	if err := sig.Serialize(s.encryptedData); err != nil {
-		return err
-	}
-	return s.encryptedData.Close()
-}
-
-// noOpCloser is like an ioutil.NopCloser, but for an io.Writer.
-// TODO: we have two of these in OpenPGP packages alone. This probably needs
-// to be promoted somewhere more common.
-type noOpCloser struct {
-	w io.Writer
-}
-
-func (c noOpCloser) Write(data []byte) (n int, err error) {
-	return c.w.Write(data)
-}
-
-func (c noOpCloser) Close() error {
-	return nil
-}
diff --git a/vendor/golang.org/x/crypto/openpgp/write_test.go b/vendor/golang.org/x/crypto/openpgp/write_test.go
deleted file mode 100644
index f2d50a0c..00000000
--- a/vendor/golang.org/x/crypto/openpgp/write_test.go
+++ /dev/null
@@ -1,273 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package openpgp
-
-import (
-	"bytes"
-	"io"
-	"io/ioutil"
-	"testing"
-	"time"
-
-	"golang.org/x/crypto/openpgp/packet"
-)
-
-func TestSignDetached(t *testing.T) {
-	kring, _ := ReadKeyRing(readerFromHex(testKeys1And2PrivateHex))
-	out := bytes.NewBuffer(nil)
-	message := bytes.NewBufferString(signedInput)
-	err := DetachSign(out, kring[0], message, nil)
-	if err != nil {
-		t.Error(err)
-	}
-
-	testDetachedSignature(t, kring, out, signedInput, "check", testKey1KeyId)
-}
-
-func TestSignTextDetached(t *testing.T) {
-	kring, _ := ReadKeyRing(readerFromHex(testKeys1And2PrivateHex))
-	out := bytes.NewBuffer(nil)
-	message := bytes.NewBufferString(signedInput)
-	err := DetachSignText(out, kring[0], message, nil)
-	if err != nil {
-		t.Error(err)
-	}
-
-	testDetachedSignature(t, kring, out, signedInput, "check", testKey1KeyId)
-}
-
-func TestSignDetachedDSA(t *testing.T) {
-	kring, _ := ReadKeyRing(readerFromHex(dsaTestKeyPrivateHex))
-	out := bytes.NewBuffer(nil)
-	message := bytes.NewBufferString(signedInput)
-	err := DetachSign(out, kring[0], message, nil)
-	if err != nil {
-		t.Error(err)
-	}
-
-	testDetachedSignature(t, kring, out, signedInput, "check", testKey3KeyId)
-}
-
-func TestSignDetachedP256(t *testing.T) {
-	kring, _ := ReadKeyRing(readerFromHex(p256TestKeyPrivateHex))
-	kring[0].PrivateKey.Decrypt([]byte("passphrase"))
-
-	out := bytes.NewBuffer(nil)
-	message := bytes.NewBufferString(signedInput)
-	err := DetachSign(out, kring[0], message, nil)
-	if err != nil {
-		t.Error(err)
-	}
-
-	testDetachedSignature(t, kring, out, signedInput, "check", testKeyP256KeyId)
-}
-
-func TestNewEntity(t *testing.T) {
-	if testing.Short() {
-		return
-	}
-
-	// Check bit-length with no config.
-	e, err := NewEntity("Test User", "test", "test@example.com", nil)
-	if err != nil {
-		t.Errorf("failed to create entity: %s", err)
-		return
-	}
-	bl, err := e.PrimaryKey.BitLength()
-	if err != nil {
-		t.Errorf("failed to find bit length: %s", err)
-	}
-	if int(bl) != defaultRSAKeyBits {
-		t.Errorf("BitLength %v, expected %v", int(bl), defaultRSAKeyBits)
-	}
-
-	// Check bit-length with a config.
-	cfg := &packet.Config{RSABits: 1024}
-	e, err = NewEntity("Test User", "test", "test@example.com", cfg)
-	if err != nil {
-		t.Errorf("failed to create entity: %s", err)
-		return
-	}
-	bl, err = e.PrimaryKey.BitLength()
-	if err != nil {
-		t.Errorf("failed to find bit length: %s", err)
-	}
-	if int(bl) != cfg.RSABits {
-		t.Errorf("BitLength %v, expected %v", bl, cfg.RSABits)
-	}
-
-	w := bytes.NewBuffer(nil)
-	if err := e.SerializePrivate(w, nil); err != nil {
-		t.Errorf("failed to serialize entity: %s", err)
-		return
-	}
-	serialized := w.Bytes()
-
-	el, err := ReadKeyRing(w)
-	if err != nil {
-		t.Errorf("failed to reparse entity: %s", err)
-		return
-	}
-
-	if len(el) != 1 {
-		t.Errorf("wrong number of entities found, got %d, want 1", len(el))
-	}
-
-	w = bytes.NewBuffer(nil)
-	if err := e.SerializePrivate(w, nil); err != nil {
-		t.Errorf("failed to serialize entity second time: %s", err)
-		return
-	}
-
-	if !bytes.Equal(w.Bytes(), serialized) {
-		t.Errorf("results differed")
-	}
-}
-
-func TestSymmetricEncryption(t *testing.T) {
-	buf := new(bytes.Buffer)
-	plaintext, err := SymmetricallyEncrypt(buf, []byte("testing"), nil, nil)
-	if err != nil {
-		t.Errorf("error writing headers: %s", err)
-		return
-	}
-	message := []byte("hello world\n")
-	_, err = plaintext.Write(message)
-	if err != nil {
-		t.Errorf("error writing to plaintext writer: %s", err)
-	}
-	err = plaintext.Close()
-	if err != nil {
-		t.Errorf("error closing plaintext writer: %s", err)
-	}
-
-	md, err := ReadMessage(buf, nil, func(keys []Key, symmetric bool) ([]byte, error) {
-		return []byte("testing"), nil
-	}, nil)
-	if err != nil {
-		t.Errorf("error rereading message: %s", err)
-	}
-	messageBuf := bytes.NewBuffer(nil)
-	_, err = io.Copy(messageBuf, md.UnverifiedBody)
-	if err != nil {
-		t.Errorf("error rereading message: %s", err)
-	}
-	if !bytes.Equal(message, messageBuf.Bytes()) {
-		t.Errorf("recovered message incorrect got '%s', want '%s'", messageBuf.Bytes(), message)
-	}
-}
-
-var testEncryptionTests = []struct {
-	keyRingHex string
-	isSigned   bool
-}{
-	{
-		testKeys1And2PrivateHex,
-		false,
-	},
-	{
-		testKeys1And2PrivateHex,
-		true,
-	},
-	{
-		dsaElGamalTestKeysHex,
-		false,
-	},
-	{
-		dsaElGamalTestKeysHex,
-		true,
-	},
-}
-
-func TestEncryption(t *testing.T) {
-	for i, test := range testEncryptionTests {
-		kring, _ := ReadKeyRing(readerFromHex(test.keyRingHex))
-
-		passphrase := []byte("passphrase")
-		for _, entity := range kring {
-			if entity.PrivateKey != nil && entity.PrivateKey.Encrypted {
-				err := entity.PrivateKey.Decrypt(passphrase)
-				if err != nil {
-					t.Errorf("#%d: failed to decrypt key", i)
-				}
-			}
-			for _, subkey := range entity.Subkeys {
-				if subkey.PrivateKey != nil && subkey.PrivateKey.Encrypted {
-					err := subkey.PrivateKey.Decrypt(passphrase)
-					if err != nil {
-						t.Errorf("#%d: failed to decrypt subkey", i)
-					}
-				}
-			}
-		}
-
-		var signed *Entity
-		if test.isSigned {
-			signed = kring[0]
-		}
-
-		buf := new(bytes.Buffer)
-		w, err := Encrypt(buf, kring[:1], signed, nil /* no hints */, nil)
-		if err != nil {
-			t.Errorf("#%d: error in Encrypt: %s", i, err)
-			continue
-		}
-
-		const message = "testing"
-		_, err = w.Write([]byte(message))
-		if err != nil {
-			t.Errorf("#%d: error writing plaintext: %s", i, err)
-			continue
-		}
-		err = w.Close()
-		if err != nil {
-			t.Errorf("#%d: error closing WriteCloser: %s", i, err)
-			continue
-		}
-
-		md, err := ReadMessage(buf, kring, nil /* no prompt */, nil)
-		if err != nil {
-			t.Errorf("#%d: error reading message: %s", i, err)
-			continue
-		}
-
-		testTime, _ := time.Parse("2006-01-02", "2013-07-01")
-		if test.isSigned {
-			signKey, _ := kring[0].signingKey(testTime)
-			expectedKeyId := signKey.PublicKey.KeyId
-			if md.SignedByKeyId != expectedKeyId {
-				t.Errorf("#%d: message signed by wrong key id, got: %v, want: %v", i, *md.SignedBy, expectedKeyId)
-			}
-			if md.SignedBy == nil {
-				t.Errorf("#%d: failed to find the signing Entity", i)
-			}
-		}
-
-		plaintext, err := ioutil.ReadAll(md.UnverifiedBody)
-		if err != nil {
-			t.Errorf("#%d: error reading encrypted contents: %s", i, err)
-			continue
-		}
-
-		encryptKey, _ := kring[0].encryptionKey(testTime)
-		expectedKeyId := encryptKey.PublicKey.KeyId
-		if len(md.EncryptedToKeyIds) != 1 || md.EncryptedToKeyIds[0] != expectedKeyId {
-			t.Errorf("#%d: expected message to be encrypted to %v, but got %#v", i, expectedKeyId, md.EncryptedToKeyIds)
-		}
-
-		if string(plaintext) != message {
-			t.Errorf("#%d: got: %s, want: %s", i, string(plaintext), message)
-		}
-
-		if test.isSigned {
-			if md.SignatureError != nil {
-				t.Errorf("#%d: signature error: %s", i, md.SignatureError)
-			}
-			if md.Signature == nil {
-				t.Error("signature missing")
-			}
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/otr/libotr_test_helper.c b/vendor/golang.org/x/crypto/otr/libotr_test_helper.c
deleted file mode 100644
index b3ca072d..00000000
--- a/vendor/golang.org/x/crypto/otr/libotr_test_helper.c
+++ /dev/null
@@ -1,197 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code can be compiled and used to test the otr package against libotr.
-// See otr_test.go.
-
-// +build ignore
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <proto.h>
-#include <message.h>
-#include <privkey.h>
-
-static int g_session_established = 0;
-
-OtrlPolicy policy(void *opdata, ConnContext *context) {
-  return OTRL_POLICY_ALWAYS;
-}
-
-int is_logged_in(void *opdata, const char *accountname, const char *protocol,
-                 const char *recipient) {
-  return 1;
-}
-
-void inject_message(void *opdata, const char *accountname, const char *protocol,
-                    const char *recipient, const char *message) {
-  printf("%s\n", message);
-  fflush(stdout);
-  fprintf(stderr, "libotr helper sent: %s\n", message);
-}
-
-void update_context_list(void *opdata) {}
-
-void new_fingerprint(void *opdata, OtrlUserState us, const char *accountname,
-                     const char *protocol, const char *username,
-                     unsigned char fingerprint[20]) {
-  fprintf(stderr, "NEW FINGERPRINT\n");
-  g_session_established = 1;
-}
-
-void write_fingerprints(void *opdata) {}
-
-void gone_secure(void *opdata, ConnContext *context) {}
-
-void gone_insecure(void *opdata, ConnContext *context) {}
-
-void still_secure(void *opdata, ConnContext *context, int is_reply) {}
-
-int max_message_size(void *opdata, ConnContext *context) { return 99999; }
-
-const char *account_name(void *opdata, const char *account,
-                         const char *protocol) {
-  return "ACCOUNT";
-}
-
-void account_name_free(void *opdata, const char *account_name) {}
-
-const char *error_message(void *opdata, ConnContext *context,
-                          OtrlErrorCode err_code) {
-  return "ERR";
-}
-
-void error_message_free(void *opdata, const char *msg) {}
-
-void resent_msg_prefix_free(void *opdata, const char *prefix) {}
-
-void handle_smp_event(void *opdata, OtrlSMPEvent smp_event,
-                      ConnContext *context, unsigned short progress_event,
-                      char *question) {}
-
-void handle_msg_event(void *opdata, OtrlMessageEvent msg_event,
-                      ConnContext *context, const char *message,
-                      gcry_error_t err) {
-  fprintf(stderr, "msg event: %d %s\n", msg_event, message);
-}
-
-OtrlMessageAppOps uiops = {
-    policy,
-    NULL,
-    is_logged_in,
-    inject_message,
-    update_context_list,
-    new_fingerprint,
-    write_fingerprints,
-    gone_secure,
-    gone_insecure,
-    still_secure,
-    max_message_size,
-    account_name,
-    account_name_free,
-    NULL, /* received_symkey */
-    error_message,
-    error_message_free,
-    NULL, /* resent_msg_prefix */
-    resent_msg_prefix_free,
-    handle_smp_event,
-    handle_msg_event,
-    NULL /* create_instag */,
-    NULL /* convert_msg */,
-    NULL /* convert_free */,
-    NULL /* timer_control */,
-};
-
-static const char kPrivateKeyData[] =
-    "(privkeys (account (name \"account\") (protocol proto) (private-key (dsa "
-    "(p "
-    "#00FC07ABCF0DC916AFF6E9AE47BEF60C7AB9B4D6B2469E436630E36F8A489BE812486A09F"
-    "30B71224508654940A835301ACC525A4FF133FC152CC53DCC59D65C30A54F1993FE13FE63E"
-    "5823D4C746DB21B90F9B9C00B49EC7404AB1D929BA7FBA12F2E45C6E0A651689750E8528AB"
-    "8C031D3561FECEE72EBB4A090D450A9B7A857#) (q "
-    "#00997BD266EF7B1F60A5C23F3A741F2AEFD07A2081#) (g "
-    "#535E360E8A95EBA46A4F7DE50AD6E9B2A6DB785A66B64EB9F20338D2A3E8FB0E94725848F"
-    "1AA6CC567CB83A1CC517EC806F2E92EAE71457E80B2210A189B91250779434B41FC8A8873F"
-    "6DB94BEA7D177F5D59E7E114EE10A49CFD9CEF88AE43387023B672927BA74B04EB6BBB5E57"
-    "597766A2F9CE3857D7ACE3E1E3BC1FC6F26#) (y "
-    "#0AC8670AD767D7A8D9D14CC1AC6744CD7D76F993B77FFD9E39DF01E5A6536EF65E775FCEF"
-    "2A983E2A19BD6415500F6979715D9FD1257E1FE2B6F5E1E74B333079E7C880D39868462A93"
-    "454B41877BE62E5EF0A041C2EE9C9E76BD1E12AE25D9628DECB097025DD625EF49C3258A1A"
-    "3C0FF501E3DC673B76D7BABF349009B6ECF#) (x "
-    "#14D0345A3562C480A039E3C72764F72D79043216#)))))\n";
-
-int main() {
-  OTRL_INIT;
-
-  // We have to write the private key information to a file because the libotr
-  // API demands a filename to read from.
-  const char *tmpdir = "/tmp";
-  if (getenv("TMP")) {
-    tmpdir = getenv("TMP");
-  }
-
-  char private_key_file[256];
-  snprintf(private_key_file, sizeof(private_key_file),
-           "%s/libotr_test_helper_privatekeys-XXXXXX", tmpdir);
-  int fd = mkstemp(private_key_file);
-  if (fd == -1) {
-    perror("creating temp file");
-  }
-  write(fd, kPrivateKeyData, sizeof(kPrivateKeyData) - 1);
-  close(fd);
-
-  OtrlUserState userstate = otrl_userstate_create();
-  otrl_privkey_read(userstate, private_key_file);
-  unlink(private_key_file);
-
-  fprintf(stderr, "libotr helper started\n");
-
-  char buf[4096];
-
-  for (;;) {
-    char *message = fgets(buf, sizeof(buf), stdin);
-    if (strlen(message) == 0) {
-      break;
-    }
-    message[strlen(message) - 1] = 0;
-    fprintf(stderr, "libotr helper got: %s\n", message);
-
-    char *newmessage = NULL;
-    OtrlTLV *tlvs;
-    int ignore_message = otrl_message_receiving(
-        userstate, &uiops, NULL, "account", "proto", "peer", message,
-        &newmessage, &tlvs, NULL, NULL, NULL);
-    if (tlvs) {
-      otrl_tlv_free(tlvs);
-    }
-
-    if (newmessage != NULL) {
-      fprintf(stderr, "libotr got: %s\n", newmessage);
-      otrl_message_free(newmessage);
-
-      gcry_error_t err;
-      char *newmessage = NULL;
-
-      err = otrl_message_sending(userstate, &uiops, NULL, "account", "proto",
-                                 "peer", 0, "test message", NULL, &newmessage,
-                                 OTRL_FRAGMENT_SEND_SKIP, NULL, NULL, NULL);
-      if (newmessage == NULL) {
-        fprintf(stderr, "libotr didn't encrypt message\n");
-        return 1;
-      }
-      write(1, newmessage, strlen(newmessage));
-      write(1, "\n", 1);
-      fprintf(stderr, "libotr sent: %s\n", newmessage);
-      otrl_message_free(newmessage);
-
-      g_session_established = 0;
-      write(1, "?OTRv2?\n", 8);
-      fprintf(stderr, "libotr sent: ?OTRv2\n");
-    }
-  }
-
-  return 0;
-}
diff --git a/vendor/golang.org/x/crypto/otr/otr.go b/vendor/golang.org/x/crypto/otr/otr.go
deleted file mode 100644
index 173b753d..00000000
--- a/vendor/golang.org/x/crypto/otr/otr.go
+++ /dev/null
@@ -1,1415 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package otr implements the Off The Record protocol as specified in
-// http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html
-package otr // import "golang.org/x/crypto/otr"
-
-import (
-	"bytes"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/dsa"
-	"crypto/hmac"
-	"crypto/rand"
-	"crypto/sha1"
-	"crypto/sha256"
-	"crypto/subtle"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"hash"
-	"io"
-	"math/big"
-	"strconv"
-)
-
-// SecurityChange describes a change in the security state of a Conversation.
-type SecurityChange int
-
-const (
-	NoChange SecurityChange = iota
-	// NewKeys indicates that a key exchange has completed. This occurs
-	// when a conversation first becomes encrypted, and when the keys are
-	// renegotiated within an encrypted conversation.
-	NewKeys
-	// SMPSecretNeeded indicates that the peer has started an
-	// authentication and that we need to supply a secret. Call SMPQuestion
-	// to get the optional, human readable challenge and then Authenticate
-	// to supply the matching secret.
-	SMPSecretNeeded
-	// SMPComplete indicates that an authentication completed. The identity
-	// of the peer has now been confirmed.
-	SMPComplete
-	// SMPFailed indicates that an authentication failed.
-	SMPFailed
-	// ConversationEnded indicates that the peer ended the secure
-	// conversation.
-	ConversationEnded
-)
-
-// QueryMessage can be sent to a peer to start an OTR conversation.
-var QueryMessage = "?OTRv2?"
-
-// ErrorPrefix can be used to make an OTR error by appending an error message
-// to it.
-var ErrorPrefix = "?OTR Error:"
-
-var (
-	fragmentPartSeparator = []byte(",")
-	fragmentPrefix        = []byte("?OTR,")
-	msgPrefix             = []byte("?OTR:")
-	queryMarker           = []byte("?OTR")
-)
-
-// isQuery attempts to parse an OTR query from msg and returns the greatest
-// common version, or 0 if msg is not an OTR query.
-func isQuery(msg []byte) (greatestCommonVersion int) {
-	pos := bytes.Index(msg, queryMarker)
-	if pos == -1 {
-		return 0
-	}
-	for i, c := range msg[pos+len(queryMarker):] {
-		if i == 0 {
-			if c == '?' {
-				// Indicates support for version 1, but we don't
-				// implement that.
-				continue
-			}
-
-			if c != 'v' {
-				// Invalid message
-				return 0
-			}
-
-			continue
-		}
-
-		if c == '?' {
-			// End of message
-			return
-		}
-
-		if c == ' ' || c == '\t' {
-			// Probably an invalid message
-			return 0
-		}
-
-		if c == '2' {
-			greatestCommonVersion = 2
-		}
-	}
-
-	return 0
-}
-
-const (
-	statePlaintext = iota
-	stateEncrypted
-	stateFinished
-)
-
-const (
-	authStateNone = iota
-	authStateAwaitingDHKey
-	authStateAwaitingRevealSig
-	authStateAwaitingSig
-)
-
-const (
-	msgTypeDHCommit  = 2
-	msgTypeData      = 3
-	msgTypeDHKey     = 10
-	msgTypeRevealSig = 17
-	msgTypeSig       = 18
-)
-
-const (
-	// If the requested fragment size is less than this, it will be ignored.
-	minFragmentSize = 18
-	// Messages are padded to a multiple of this number of bytes.
-	paddingGranularity = 256
-	// The number of bytes in a Diffie-Hellman private value (320-bits).
-	dhPrivateBytes = 40
-	// The number of bytes needed to represent an element of the DSA
-	// subgroup (160-bits).
-	dsaSubgroupBytes = 20
-	// The number of bytes of the MAC that are sent on the wire (160-bits).
-	macPrefixBytes = 20
-)
-
-// These are the global, common group parameters for OTR.
-var (
-	p       *big.Int // group prime
-	g       *big.Int // group generator
-	q       *big.Int // group order
-	pMinus2 *big.Int
-)
-
-func init() {
-	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
-	q, _ = new(big.Int).SetString("7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68948127044533E63A0105DF531D89CD9128A5043CC71A026EF7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9EE1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AFC1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF", 16)
-	g = new(big.Int).SetInt64(2)
-	pMinus2 = new(big.Int).Sub(p, g)
-}
-
-// Conversation represents a relation with a peer. The zero value is a valid
-// Conversation, although PrivateKey must be set.
-//
-// When communicating with a peer, all inbound messages should be passed to
-// Conversation.Receive and all outbound messages to Conversation.Send. The
-// Conversation will take care of maintaining the encryption state and
-// negotiating encryption as needed.
-type Conversation struct {
-	// PrivateKey contains the private key to use to sign key exchanges.
-	PrivateKey *PrivateKey
-
-	// Rand can be set to override the entropy source. Otherwise,
-	// crypto/rand will be used.
-	Rand io.Reader
-	// If FragmentSize is set, all messages produced by Receive and Send
-	// will be fragmented into messages of, at most, this number of bytes.
-	FragmentSize int
-
-	// Once Receive has returned NewKeys once, the following fields are
-	// valid.
-	SSID           [8]byte
-	TheirPublicKey PublicKey
-
-	state, authState int
-
-	r       [16]byte
-	x, y    *big.Int
-	gx, gy  *big.Int
-	gxBytes []byte
-	digest  [sha256.Size]byte
-
-	revealKeys, sigKeys akeKeys
-
-	myKeyId         uint32
-	myCurrentDHPub  *big.Int
-	myCurrentDHPriv *big.Int
-	myLastDHPub     *big.Int
-	myLastDHPriv    *big.Int
-
-	theirKeyId        uint32
-	theirCurrentDHPub *big.Int
-	theirLastDHPub    *big.Int
-
-	keySlots [4]keySlot
-
-	myCounter    [8]byte
-	theirLastCtr [8]byte
-	oldMACs      []byte
-
-	k, n int // fragment state
-	frag []byte
-
-	smp smpState
-}
-
-// A keySlot contains key material for a specific (their keyid, my keyid) pair.
-type keySlot struct {
-	// used is true if this slot is valid. If false, it's free for reuse.
-	used                   bool
-	theirKeyId             uint32
-	myKeyId                uint32
-	sendAESKey, recvAESKey []byte
-	sendMACKey, recvMACKey []byte
-	theirLastCtr           [8]byte
-}
-
-// akeKeys are generated during key exchange. There's one set for the reveal
-// signature message and another for the signature message. In the protocol
-// spec the latter are indicated with a prime mark.
-type akeKeys struct {
-	c      [16]byte
-	m1, m2 [32]byte
-}
-
-func (c *Conversation) rand() io.Reader {
-	if c.Rand != nil {
-		return c.Rand
-	}
-	return rand.Reader
-}
-
-func (c *Conversation) randMPI(buf []byte) *big.Int {
-	_, err := io.ReadFull(c.rand(), buf)
-	if err != nil {
-		panic("otr: short read from random source")
-	}
-
-	return new(big.Int).SetBytes(buf)
-}
-
-// tlv represents the type-length value from the protocol.
-type tlv struct {
-	typ, length uint16
-	data        []byte
-}
-
-const (
-	tlvTypePadding          = 0
-	tlvTypeDisconnected     = 1
-	tlvTypeSMP1             = 2
-	tlvTypeSMP2             = 3
-	tlvTypeSMP3             = 4
-	tlvTypeSMP4             = 5
-	tlvTypeSMPAbort         = 6
-	tlvTypeSMP1WithQuestion = 7
-)
-
-// Receive handles a message from a peer. It returns a human readable message,
-// an indicator of whether that message was encrypted, a hint about the
-// encryption state and zero or more messages to send back to the peer.
-// These messages do not need to be passed to Send before transmission.
-func (c *Conversation) Receive(in []byte) (out []byte, encrypted bool, change SecurityChange, toSend [][]byte, err error) {
-	if bytes.HasPrefix(in, fragmentPrefix) {
-		in, err = c.processFragment(in)
-		if in == nil || err != nil {
-			return
-		}
-	}
-
-	if bytes.HasPrefix(in, msgPrefix) && in[len(in)-1] == '.' {
-		in = in[len(msgPrefix) : len(in)-1]
-	} else if version := isQuery(in); version > 0 {
-		c.authState = authStateAwaitingDHKey
-		c.reset()
-		toSend = c.encode(c.generateDHCommit())
-		return
-	} else {
-		// plaintext message
-		out = in
-		return
-	}
-
-	msg := make([]byte, base64.StdEncoding.DecodedLen(len(in)))
-	msgLen, err := base64.StdEncoding.Decode(msg, in)
-	if err != nil {
-		err = errors.New("otr: invalid base64 encoding in message")
-		return
-	}
-	msg = msg[:msgLen]
-
-	// The first two bytes are the protocol version (2)
-	if len(msg) < 3 || msg[0] != 0 || msg[1] != 2 {
-		err = errors.New("otr: invalid OTR message")
-		return
-	}
-
-	msgType := int(msg[2])
-	msg = msg[3:]
-
-	switch msgType {
-	case msgTypeDHCommit:
-		switch c.authState {
-		case authStateNone:
-			c.authState = authStateAwaitingRevealSig
-			if err = c.processDHCommit(msg); err != nil {
-				return
-			}
-			c.reset()
-			toSend = c.encode(c.generateDHKey())
-			return
-		case authStateAwaitingDHKey:
-			// This is a 'SYN-crossing'. The greater digest wins.
-			var cmp int
-			if cmp, err = c.compareToDHCommit(msg); err != nil {
-				return
-			}
-			if cmp > 0 {
-				// We win. Retransmit DH commit.
-				toSend = c.encode(c.serializeDHCommit())
-				return
-			} else {
-				// They win. We forget about our DH commit.
-				c.authState = authStateAwaitingRevealSig
-				if err = c.processDHCommit(msg); err != nil {
-					return
-				}
-				c.reset()
-				toSend = c.encode(c.generateDHKey())
-				return
-			}
-		case authStateAwaitingRevealSig:
-			if err = c.processDHCommit(msg); err != nil {
-				return
-			}
-			toSend = c.encode(c.serializeDHKey())
-		case authStateAwaitingSig:
-			if err = c.processDHCommit(msg); err != nil {
-				return
-			}
-			c.reset()
-			toSend = c.encode(c.generateDHKey())
-			c.authState = authStateAwaitingRevealSig
-		default:
-			panic("bad state")
-		}
-	case msgTypeDHKey:
-		switch c.authState {
-		case authStateAwaitingDHKey:
-			var isSame bool
-			if isSame, err = c.processDHKey(msg); err != nil {
-				return
-			}
-			if isSame {
-				err = errors.New("otr: unexpected duplicate DH key")
-				return
-			}
-			toSend = c.encode(c.generateRevealSig())
-			c.authState = authStateAwaitingSig
-		case authStateAwaitingSig:
-			var isSame bool
-			if isSame, err = c.processDHKey(msg); err != nil {
-				return
-			}
-			if isSame {
-				toSend = c.encode(c.serializeDHKey())
-			}
-		}
-	case msgTypeRevealSig:
-		if c.authState != authStateAwaitingRevealSig {
-			return
-		}
-		if err = c.processRevealSig(msg); err != nil {
-			return
-		}
-		toSend = c.encode(c.generateSig())
-		c.authState = authStateNone
-		c.state = stateEncrypted
-		change = NewKeys
-	case msgTypeSig:
-		if c.authState != authStateAwaitingSig {
-			return
-		}
-		if err = c.processSig(msg); err != nil {
-			return
-		}
-		c.authState = authStateNone
-		c.state = stateEncrypted
-		change = NewKeys
-	case msgTypeData:
-		if c.state != stateEncrypted {
-			err = errors.New("otr: encrypted message received without encrypted session established")
-			return
-		}
-		var tlvs []tlv
-		out, tlvs, err = c.processData(msg)
-		encrypted = true
-
-	EachTLV:
-		for _, inTLV := range tlvs {
-			switch inTLV.typ {
-			case tlvTypeDisconnected:
-				change = ConversationEnded
-				c.state = stateFinished
-				break EachTLV
-			case tlvTypeSMP1, tlvTypeSMP2, tlvTypeSMP3, tlvTypeSMP4, tlvTypeSMPAbort, tlvTypeSMP1WithQuestion:
-				var reply tlv
-				var complete bool
-				reply, complete, err = c.processSMP(inTLV)
-				if err == smpSecretMissingError {
-					err = nil
-					change = SMPSecretNeeded
-					c.smp.saved = &inTLV
-					return
-				}
-				if err == smpFailureError {
-					err = nil
-					change = SMPFailed
-				} else if complete {
-					change = SMPComplete
-				}
-				if reply.typ != 0 {
-					toSend = c.encode(c.generateData(nil, &reply))
-				}
-				break EachTLV
-			default:
-				// skip unknown TLVs
-			}
-		}
-	default:
-		err = errors.New("otr: unknown message type " + strconv.Itoa(msgType))
-	}
-
-	return
-}
-
-// Send takes a human readable message from the local user, possibly encrypts
-// it and returns zero one or more messages to send to the peer.
-func (c *Conversation) Send(msg []byte) ([][]byte, error) {
-	switch c.state {
-	case statePlaintext:
-		return [][]byte{msg}, nil
-	case stateEncrypted:
-		return c.encode(c.generateData(msg, nil)), nil
-	case stateFinished:
-		return nil, errors.New("otr: cannot send message because secure conversation has finished")
-	}
-
-	return nil, errors.New("otr: cannot send message in current state")
-}
-
-// SMPQuestion returns the human readable challenge question from the peer.
-// It's only valid after Receive has returned SMPSecretNeeded.
-func (c *Conversation) SMPQuestion() string {
-	return c.smp.question
-}
-
-// Authenticate begins an authentication with the peer. Authentication involves
-// an optional challenge message and a shared secret. The authentication
-// proceeds until either Receive returns SMPComplete, SMPSecretNeeded (which
-// indicates that a new authentication is happening and thus this one was
-// aborted) or SMPFailed.
-func (c *Conversation) Authenticate(question string, mutualSecret []byte) (toSend [][]byte, err error) {
-	if c.state != stateEncrypted {
-		err = errors.New("otr: can't authenticate a peer without a secure conversation established")
-		return
-	}
-
-	if c.smp.saved != nil {
-		c.calcSMPSecret(mutualSecret, false /* they started it */)
-
-		var out tlv
-		var complete bool
-		out, complete, err = c.processSMP(*c.smp.saved)
-		if complete {
-			panic("SMP completed on the first message")
-		}
-		c.smp.saved = nil
-		if out.typ != 0 {
-			toSend = c.encode(c.generateData(nil, &out))
-		}
-		return
-	}
-
-	c.calcSMPSecret(mutualSecret, true /* we started it */)
-	outs := c.startSMP(question)
-	for _, out := range outs {
-		toSend = append(toSend, c.encode(c.generateData(nil, &out))...)
-	}
-	return
-}
-
-// End ends a secure conversation by generating a termination message for
-// the peer and switches to unencrypted communication.
-func (c *Conversation) End() (toSend [][]byte) {
-	switch c.state {
-	case statePlaintext:
-		return nil
-	case stateEncrypted:
-		c.state = statePlaintext
-		return c.encode(c.generateData(nil, &tlv{typ: tlvTypeDisconnected}))
-	case stateFinished:
-		c.state = statePlaintext
-		return nil
-	}
-	panic("unreachable")
-}
-
-// IsEncrypted returns true if a message passed to Send would be encrypted
-// before transmission. This result remains valid until the next call to
-// Receive or End, which may change the state of the Conversation.
-func (c *Conversation) IsEncrypted() bool {
-	return c.state == stateEncrypted
-}
-
-var fragmentError = errors.New("otr: invalid OTR fragment")
-
-// processFragment processes a fragmented OTR message and possibly returns a
-// complete message. Fragmented messages look like "?OTR,k,n,msg," where k is
-// the fragment number (starting from 1), n is the number of fragments in this
-// message and msg is a substring of the base64 encoded message.
-func (c *Conversation) processFragment(in []byte) (out []byte, err error) {
-	in = in[len(fragmentPrefix):] // remove "?OTR,"
-	parts := bytes.Split(in, fragmentPartSeparator)
-	if len(parts) != 4 || len(parts[3]) != 0 {
-		return nil, fragmentError
-	}
-
-	k, err := strconv.Atoi(string(parts[0]))
-	if err != nil {
-		return nil, fragmentError
-	}
-
-	n, err := strconv.Atoi(string(parts[1]))
-	if err != nil {
-		return nil, fragmentError
-	}
-
-	if k < 1 || n < 1 || k > n {
-		return nil, fragmentError
-	}
-
-	if k == 1 {
-		c.frag = append(c.frag[:0], parts[2]...)
-		c.k, c.n = k, n
-	} else if n == c.n && k == c.k+1 {
-		c.frag = append(c.frag, parts[2]...)
-		c.k++
-	} else {
-		c.frag = c.frag[:0]
-		c.n, c.k = 0, 0
-	}
-
-	if c.n > 0 && c.k == c.n {
-		c.n, c.k = 0, 0
-		return c.frag, nil
-	}
-
-	return nil, nil
-}
-
-func (c *Conversation) generateDHCommit() []byte {
-	_, err := io.ReadFull(c.rand(), c.r[:])
-	if err != nil {
-		panic("otr: short read from random source")
-	}
-
-	var xBytes [dhPrivateBytes]byte
-	c.x = c.randMPI(xBytes[:])
-	c.gx = new(big.Int).Exp(g, c.x, p)
-	c.gy = nil
-	c.gxBytes = appendMPI(nil, c.gx)
-
-	h := sha256.New()
-	h.Write(c.gxBytes)
-	h.Sum(c.digest[:0])
-
-	aesCipher, err := aes.NewCipher(c.r[:])
-	if err != nil {
-		panic(err.Error())
-	}
-
-	var iv [aes.BlockSize]byte
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(c.gxBytes, c.gxBytes)
-
-	return c.serializeDHCommit()
-}
-
-func (c *Conversation) serializeDHCommit() []byte {
-	var ret []byte
-	ret = appendU16(ret, 2) // protocol version
-	ret = append(ret, msgTypeDHCommit)
-	ret = appendData(ret, c.gxBytes)
-	ret = appendData(ret, c.digest[:])
-	return ret
-}
-
-func (c *Conversation) processDHCommit(in []byte) error {
-	var ok1, ok2 bool
-	c.gxBytes, in, ok1 = getData(in)
-	digest, in, ok2 := getData(in)
-	if !ok1 || !ok2 || len(in) > 0 {
-		return errors.New("otr: corrupt DH commit message")
-	}
-	copy(c.digest[:], digest)
-	return nil
-}
-
-func (c *Conversation) compareToDHCommit(in []byte) (int, error) {
-	_, in, ok1 := getData(in)
-	digest, in, ok2 := getData(in)
-	if !ok1 || !ok2 || len(in) > 0 {
-		return 0, errors.New("otr: corrupt DH commit message")
-	}
-	return bytes.Compare(c.digest[:], digest), nil
-}
-
-func (c *Conversation) generateDHKey() []byte {
-	var yBytes [dhPrivateBytes]byte
-	c.y = c.randMPI(yBytes[:])
-	c.gy = new(big.Int).Exp(g, c.y, p)
-	return c.serializeDHKey()
-}
-
-func (c *Conversation) serializeDHKey() []byte {
-	var ret []byte
-	ret = appendU16(ret, 2) // protocol version
-	ret = append(ret, msgTypeDHKey)
-	ret = appendMPI(ret, c.gy)
-	return ret
-}
-
-func (c *Conversation) processDHKey(in []byte) (isSame bool, err error) {
-	gy, in, ok := getMPI(in)
-	if !ok {
-		err = errors.New("otr: corrupt DH key message")
-		return
-	}
-	if gy.Cmp(g) < 0 || gy.Cmp(pMinus2) > 0 {
-		err = errors.New("otr: DH value out of range")
-		return
-	}
-	if c.gy != nil {
-		isSame = c.gy.Cmp(gy) == 0
-		return
-	}
-	c.gy = gy
-	return
-}
-
-func (c *Conversation) generateEncryptedSignature(keys *akeKeys, xFirst bool) ([]byte, []byte) {
-	var xb []byte
-	xb = c.PrivateKey.PublicKey.Serialize(xb)
-
-	var verifyData []byte
-	if xFirst {
-		verifyData = appendMPI(verifyData, c.gx)
-		verifyData = appendMPI(verifyData, c.gy)
-	} else {
-		verifyData = appendMPI(verifyData, c.gy)
-		verifyData = appendMPI(verifyData, c.gx)
-	}
-	verifyData = append(verifyData, xb...)
-	verifyData = appendU32(verifyData, c.myKeyId)
-
-	mac := hmac.New(sha256.New, keys.m1[:])
-	mac.Write(verifyData)
-	mb := mac.Sum(nil)
-
-	xb = appendU32(xb, c.myKeyId)
-	xb = append(xb, c.PrivateKey.Sign(c.rand(), mb)...)
-
-	aesCipher, err := aes.NewCipher(keys.c[:])
-	if err != nil {
-		panic(err.Error())
-	}
-	var iv [aes.BlockSize]byte
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(xb, xb)
-
-	mac = hmac.New(sha256.New, keys.m2[:])
-	encryptedSig := appendData(nil, xb)
-	mac.Write(encryptedSig)
-
-	return encryptedSig, mac.Sum(nil)
-}
-
-func (c *Conversation) generateRevealSig() []byte {
-	s := new(big.Int).Exp(c.gy, c.x, p)
-	c.calcAKEKeys(s)
-	c.myKeyId++
-
-	encryptedSig, mac := c.generateEncryptedSignature(&c.revealKeys, true /* gx comes first */)
-
-	c.myCurrentDHPub = c.gx
-	c.myCurrentDHPriv = c.x
-	c.rotateDHKeys()
-	incCounter(&c.myCounter)
-
-	var ret []byte
-	ret = appendU16(ret, 2)
-	ret = append(ret, msgTypeRevealSig)
-	ret = appendData(ret, c.r[:])
-	ret = append(ret, encryptedSig...)
-	ret = append(ret, mac[:20]...)
-	return ret
-}
-
-func (c *Conversation) processEncryptedSig(encryptedSig, theirMAC []byte, keys *akeKeys, xFirst bool) error {
-	mac := hmac.New(sha256.New, keys.m2[:])
-	mac.Write(appendData(nil, encryptedSig))
-	myMAC := mac.Sum(nil)[:20]
-
-	if len(myMAC) != len(theirMAC) || subtle.ConstantTimeCompare(myMAC, theirMAC) == 0 {
-		return errors.New("bad signature MAC in encrypted signature")
-	}
-
-	aesCipher, err := aes.NewCipher(keys.c[:])
-	if err != nil {
-		panic(err.Error())
-	}
-	var iv [aes.BlockSize]byte
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(encryptedSig, encryptedSig)
-
-	sig := encryptedSig
-	sig, ok1 := c.TheirPublicKey.Parse(sig)
-	keyId, sig, ok2 := getU32(sig)
-	if !ok1 || !ok2 {
-		return errors.New("otr: corrupt encrypted signature")
-	}
-
-	var verifyData []byte
-	if xFirst {
-		verifyData = appendMPI(verifyData, c.gx)
-		verifyData = appendMPI(verifyData, c.gy)
-	} else {
-		verifyData = appendMPI(verifyData, c.gy)
-		verifyData = appendMPI(verifyData, c.gx)
-	}
-	verifyData = c.TheirPublicKey.Serialize(verifyData)
-	verifyData = appendU32(verifyData, keyId)
-
-	mac = hmac.New(sha256.New, keys.m1[:])
-	mac.Write(verifyData)
-	mb := mac.Sum(nil)
-
-	sig, ok1 = c.TheirPublicKey.Verify(mb, sig)
-	if !ok1 {
-		return errors.New("bad signature in encrypted signature")
-	}
-	if len(sig) > 0 {
-		return errors.New("corrupt encrypted signature")
-	}
-
-	c.theirKeyId = keyId
-	zero(c.theirLastCtr[:])
-	return nil
-}
-
-func (c *Conversation) processRevealSig(in []byte) error {
-	r, in, ok1 := getData(in)
-	encryptedSig, in, ok2 := getData(in)
-	theirMAC := in
-	if !ok1 || !ok2 || len(theirMAC) != 20 {
-		return errors.New("otr: corrupt reveal signature message")
-	}
-
-	aesCipher, err := aes.NewCipher(r)
-	if err != nil {
-		return errors.New("otr: cannot create AES cipher from reveal signature message: " + err.Error())
-	}
-	var iv [aes.BlockSize]byte
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(c.gxBytes, c.gxBytes)
-	h := sha256.New()
-	h.Write(c.gxBytes)
-	digest := h.Sum(nil)
-	if len(digest) != len(c.digest) || subtle.ConstantTimeCompare(digest, c.digest[:]) == 0 {
-		return errors.New("otr: bad commit MAC in reveal signature message")
-	}
-	var rest []byte
-	c.gx, rest, ok1 = getMPI(c.gxBytes)
-	if !ok1 || len(rest) > 0 {
-		return errors.New("otr: gx corrupt after decryption")
-	}
-	if c.gx.Cmp(g) < 0 || c.gx.Cmp(pMinus2) > 0 {
-		return errors.New("otr: DH value out of range")
-	}
-	s := new(big.Int).Exp(c.gx, c.y, p)
-	c.calcAKEKeys(s)
-
-	if err := c.processEncryptedSig(encryptedSig, theirMAC, &c.revealKeys, true /* gx comes first */); err != nil {
-		return errors.New("otr: in reveal signature message: " + err.Error())
-	}
-
-	c.theirCurrentDHPub = c.gx
-	c.theirLastDHPub = nil
-
-	return nil
-}
-
-func (c *Conversation) generateSig() []byte {
-	c.myKeyId++
-
-	encryptedSig, mac := c.generateEncryptedSignature(&c.sigKeys, false /* gy comes first */)
-
-	c.myCurrentDHPub = c.gy
-	c.myCurrentDHPriv = c.y
-	c.rotateDHKeys()
-	incCounter(&c.myCounter)
-
-	var ret []byte
-	ret = appendU16(ret, 2)
-	ret = append(ret, msgTypeSig)
-	ret = append(ret, encryptedSig...)
-	ret = append(ret, mac[:macPrefixBytes]...)
-	return ret
-}
-
-func (c *Conversation) processSig(in []byte) error {
-	encryptedSig, in, ok1 := getData(in)
-	theirMAC := in
-	if !ok1 || len(theirMAC) != macPrefixBytes {
-		return errors.New("otr: corrupt signature message")
-	}
-
-	if err := c.processEncryptedSig(encryptedSig, theirMAC, &c.sigKeys, false /* gy comes first */); err != nil {
-		return errors.New("otr: in signature message: " + err.Error())
-	}
-
-	c.theirCurrentDHPub = c.gy
-	c.theirLastDHPub = nil
-
-	return nil
-}
-
-func (c *Conversation) rotateDHKeys() {
-	// evict slots using our retired key id
-	for i := range c.keySlots {
-		slot := &c.keySlots[i]
-		if slot.used && slot.myKeyId == c.myKeyId-1 {
-			slot.used = false
-			c.oldMACs = append(c.oldMACs, slot.recvMACKey...)
-		}
-	}
-
-	c.myLastDHPriv = c.myCurrentDHPriv
-	c.myLastDHPub = c.myCurrentDHPub
-
-	var xBytes [dhPrivateBytes]byte
-	c.myCurrentDHPriv = c.randMPI(xBytes[:])
-	c.myCurrentDHPub = new(big.Int).Exp(g, c.myCurrentDHPriv, p)
-	c.myKeyId++
-}
-
-func (c *Conversation) processData(in []byte) (out []byte, tlvs []tlv, err error) {
-	origIn := in
-	flags, in, ok1 := getU8(in)
-	theirKeyId, in, ok2 := getU32(in)
-	myKeyId, in, ok3 := getU32(in)
-	y, in, ok4 := getMPI(in)
-	counter, in, ok5 := getNBytes(in, 8)
-	encrypted, in, ok6 := getData(in)
-	macedData := origIn[:len(origIn)-len(in)]
-	theirMAC, in, ok7 := getNBytes(in, macPrefixBytes)
-	_, in, ok8 := getData(in)
-	if !ok1 || !ok2 || !ok3 || !ok4 || !ok5 || !ok6 || !ok7 || !ok8 || len(in) > 0 {
-		err = errors.New("otr: corrupt data message")
-		return
-	}
-
-	ignoreErrors := flags&1 != 0
-
-	slot, err := c.calcDataKeys(myKeyId, theirKeyId)
-	if err != nil {
-		if ignoreErrors {
-			err = nil
-		}
-		return
-	}
-
-	mac := hmac.New(sha1.New, slot.recvMACKey)
-	mac.Write([]byte{0, 2, 3})
-	mac.Write(macedData)
-	myMAC := mac.Sum(nil)
-	if len(myMAC) != len(theirMAC) || subtle.ConstantTimeCompare(myMAC, theirMAC) == 0 {
-		if !ignoreErrors {
-			err = errors.New("otr: bad MAC on data message")
-		}
-		return
-	}
-
-	if bytes.Compare(counter, slot.theirLastCtr[:]) <= 0 {
-		err = errors.New("otr: counter regressed")
-		return
-	}
-	copy(slot.theirLastCtr[:], counter)
-
-	var iv [aes.BlockSize]byte
-	copy(iv[:], counter)
-	aesCipher, err := aes.NewCipher(slot.recvAESKey)
-	if err != nil {
-		panic(err.Error())
-	}
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(encrypted, encrypted)
-	decrypted := encrypted
-
-	if myKeyId == c.myKeyId {
-		c.rotateDHKeys()
-	}
-	if theirKeyId == c.theirKeyId {
-		// evict slots using their retired key id
-		for i := range c.keySlots {
-			slot := &c.keySlots[i]
-			if slot.used && slot.theirKeyId == theirKeyId-1 {
-				slot.used = false
-				c.oldMACs = append(c.oldMACs, slot.recvMACKey...)
-			}
-		}
-
-		c.theirLastDHPub = c.theirCurrentDHPub
-		c.theirKeyId++
-		c.theirCurrentDHPub = y
-	}
-
-	if nulPos := bytes.IndexByte(decrypted, 0); nulPos >= 0 {
-		out = decrypted[:nulPos]
-		tlvData := decrypted[nulPos+1:]
-		for len(tlvData) > 0 {
-			var t tlv
-			var ok1, ok2, ok3 bool
-
-			t.typ, tlvData, ok1 = getU16(tlvData)
-			t.length, tlvData, ok2 = getU16(tlvData)
-			t.data, tlvData, ok3 = getNBytes(tlvData, int(t.length))
-			if !ok1 || !ok2 || !ok3 {
-				err = errors.New("otr: corrupt tlv data")
-				return
-			}
-			tlvs = append(tlvs, t)
-		}
-	} else {
-		out = decrypted
-	}
-
-	return
-}
-
-func (c *Conversation) generateData(msg []byte, extra *tlv) []byte {
-	slot, err := c.calcDataKeys(c.myKeyId-1, c.theirKeyId)
-	if err != nil {
-		panic("otr: failed to generate sending keys: " + err.Error())
-	}
-
-	var plaintext []byte
-	plaintext = append(plaintext, msg...)
-	plaintext = append(plaintext, 0)
-
-	padding := paddingGranularity - ((len(plaintext) + 4) % paddingGranularity)
-	plaintext = appendU16(plaintext, tlvTypePadding)
-	plaintext = appendU16(plaintext, uint16(padding))
-	for i := 0; i < padding; i++ {
-		plaintext = append(plaintext, 0)
-	}
-
-	if extra != nil {
-		plaintext = appendU16(plaintext, extra.typ)
-		plaintext = appendU16(plaintext, uint16(len(extra.data)))
-		plaintext = append(plaintext, extra.data...)
-	}
-
-	encrypted := make([]byte, len(plaintext))
-
-	var iv [aes.BlockSize]byte
-	copy(iv[:], c.myCounter[:])
-	aesCipher, err := aes.NewCipher(slot.sendAESKey)
-	if err != nil {
-		panic(err.Error())
-	}
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(encrypted, plaintext)
-
-	var ret []byte
-	ret = appendU16(ret, 2)
-	ret = append(ret, msgTypeData)
-	ret = append(ret, 0 /* flags */)
-	ret = appendU32(ret, c.myKeyId-1)
-	ret = appendU32(ret, c.theirKeyId)
-	ret = appendMPI(ret, c.myCurrentDHPub)
-	ret = append(ret, c.myCounter[:]...)
-	ret = appendData(ret, encrypted)
-
-	mac := hmac.New(sha1.New, slot.sendMACKey)
-	mac.Write(ret)
-	ret = append(ret, mac.Sum(nil)[:macPrefixBytes]...)
-	ret = appendData(ret, c.oldMACs)
-	c.oldMACs = nil
-	incCounter(&c.myCounter)
-
-	return ret
-}
-
-func incCounter(counter *[8]byte) {
-	for i := 7; i >= 0; i-- {
-		counter[i]++
-		if counter[i] > 0 {
-			break
-		}
-	}
-}
-
-// calcDataKeys computes the keys used to encrypt a data message given the key
-// IDs.
-func (c *Conversation) calcDataKeys(myKeyId, theirKeyId uint32) (slot *keySlot, err error) {
-	// Check for a cache hit.
-	for i := range c.keySlots {
-		slot = &c.keySlots[i]
-		if slot.used && slot.theirKeyId == theirKeyId && slot.myKeyId == myKeyId {
-			return
-		}
-	}
-
-	// Find an empty slot to write into.
-	slot = nil
-	for i := range c.keySlots {
-		if !c.keySlots[i].used {
-			slot = &c.keySlots[i]
-			break
-		}
-	}
-	if slot == nil {
-		return nil, errors.New("otr: internal error: no more key slots")
-	}
-
-	var myPriv, myPub, theirPub *big.Int
-
-	if myKeyId == c.myKeyId {
-		myPriv = c.myCurrentDHPriv
-		myPub = c.myCurrentDHPub
-	} else if myKeyId == c.myKeyId-1 {
-		myPriv = c.myLastDHPriv
-		myPub = c.myLastDHPub
-	} else {
-		err = errors.New("otr: peer requested keyid " + strconv.FormatUint(uint64(myKeyId), 10) + " when I'm on " + strconv.FormatUint(uint64(c.myKeyId), 10))
-		return
-	}
-
-	if theirKeyId == c.theirKeyId {
-		theirPub = c.theirCurrentDHPub
-	} else if theirKeyId == c.theirKeyId-1 && c.theirLastDHPub != nil {
-		theirPub = c.theirLastDHPub
-	} else {
-		err = errors.New("otr: peer requested keyid " + strconv.FormatUint(uint64(myKeyId), 10) + " when they're on " + strconv.FormatUint(uint64(c.myKeyId), 10))
-		return
-	}
-
-	var sendPrefixByte, recvPrefixByte [1]byte
-
-	if myPub.Cmp(theirPub) > 0 {
-		// we're the high end
-		sendPrefixByte[0], recvPrefixByte[0] = 1, 2
-	} else {
-		// we're the low end
-		sendPrefixByte[0], recvPrefixByte[0] = 2, 1
-	}
-
-	s := new(big.Int).Exp(theirPub, myPriv, p)
-	sBytes := appendMPI(nil, s)
-
-	h := sha1.New()
-	h.Write(sendPrefixByte[:])
-	h.Write(sBytes)
-	slot.sendAESKey = h.Sum(slot.sendAESKey[:0])[:16]
-
-	h.Reset()
-	h.Write(slot.sendAESKey)
-	slot.sendMACKey = h.Sum(slot.sendMACKey[:0])
-
-	h.Reset()
-	h.Write(recvPrefixByte[:])
-	h.Write(sBytes)
-	slot.recvAESKey = h.Sum(slot.recvAESKey[:0])[:16]
-
-	h.Reset()
-	h.Write(slot.recvAESKey)
-	slot.recvMACKey = h.Sum(slot.recvMACKey[:0])
-
-	slot.theirKeyId = theirKeyId
-	slot.myKeyId = myKeyId
-	slot.used = true
-
-	zero(slot.theirLastCtr[:])
-	return
-}
-
-func (c *Conversation) calcAKEKeys(s *big.Int) {
-	mpi := appendMPI(nil, s)
-	h := sha256.New()
-
-	var cBytes [32]byte
-	hashWithPrefix(c.SSID[:], 0, mpi, h)
-
-	hashWithPrefix(cBytes[:], 1, mpi, h)
-	copy(c.revealKeys.c[:], cBytes[:16])
-	copy(c.sigKeys.c[:], cBytes[16:])
-
-	hashWithPrefix(c.revealKeys.m1[:], 2, mpi, h)
-	hashWithPrefix(c.revealKeys.m2[:], 3, mpi, h)
-	hashWithPrefix(c.sigKeys.m1[:], 4, mpi, h)
-	hashWithPrefix(c.sigKeys.m2[:], 5, mpi, h)
-}
-
-func hashWithPrefix(out []byte, prefix byte, in []byte, h hash.Hash) {
-	h.Reset()
-	var p [1]byte
-	p[0] = prefix
-	h.Write(p[:])
-	h.Write(in)
-	if len(out) == h.Size() {
-		h.Sum(out[:0])
-	} else {
-		digest := h.Sum(nil)
-		copy(out, digest)
-	}
-}
-
-func (c *Conversation) encode(msg []byte) [][]byte {
-	b64 := make([]byte, base64.StdEncoding.EncodedLen(len(msg))+len(msgPrefix)+1)
-	base64.StdEncoding.Encode(b64[len(msgPrefix):], msg)
-	copy(b64, msgPrefix)
-	b64[len(b64)-1] = '.'
-
-	if c.FragmentSize < minFragmentSize || len(b64) <= c.FragmentSize {
-		// We can encode this in a single fragment.
-		return [][]byte{b64}
-	}
-
-	// We have to fragment this message.
-	var ret [][]byte
-	bytesPerFragment := c.FragmentSize - minFragmentSize
-	numFragments := (len(b64) + bytesPerFragment) / bytesPerFragment
-
-	for i := 0; i < numFragments; i++ {
-		frag := []byte("?OTR," + strconv.Itoa(i+1) + "," + strconv.Itoa(numFragments) + ",")
-		todo := bytesPerFragment
-		if todo > len(b64) {
-			todo = len(b64)
-		}
-		frag = append(frag, b64[:todo]...)
-		b64 = b64[todo:]
-		frag = append(frag, ',')
-		ret = append(ret, frag)
-	}
-
-	return ret
-}
-
-func (c *Conversation) reset() {
-	c.myKeyId = 0
-
-	for i := range c.keySlots {
-		c.keySlots[i].used = false
-	}
-}
-
-type PublicKey struct {
-	dsa.PublicKey
-}
-
-func (pk *PublicKey) Parse(in []byte) ([]byte, bool) {
-	var ok bool
-	var pubKeyType uint16
-
-	if pubKeyType, in, ok = getU16(in); !ok || pubKeyType != 0 {
-		return nil, false
-	}
-	if pk.P, in, ok = getMPI(in); !ok {
-		return nil, false
-	}
-	if pk.Q, in, ok = getMPI(in); !ok {
-		return nil, false
-	}
-	if pk.G, in, ok = getMPI(in); !ok {
-		return nil, false
-	}
-	if pk.Y, in, ok = getMPI(in); !ok {
-		return nil, false
-	}
-
-	return in, true
-}
-
-func (pk *PublicKey) Serialize(in []byte) []byte {
-	in = appendU16(in, 0)
-	in = appendMPI(in, pk.P)
-	in = appendMPI(in, pk.Q)
-	in = appendMPI(in, pk.G)
-	in = appendMPI(in, pk.Y)
-	return in
-}
-
-// Fingerprint returns the 20-byte, binary fingerprint of the PublicKey.
-func (pk *PublicKey) Fingerprint() []byte {
-	b := pk.Serialize(nil)
-	h := sha1.New()
-	h.Write(b[2:])
-	return h.Sum(nil)
-}
-
-func (pk *PublicKey) Verify(hashed, sig []byte) ([]byte, bool) {
-	if len(sig) != 2*dsaSubgroupBytes {
-		return nil, false
-	}
-	r := new(big.Int).SetBytes(sig[:dsaSubgroupBytes])
-	s := new(big.Int).SetBytes(sig[dsaSubgroupBytes:])
-	ok := dsa.Verify(&pk.PublicKey, hashed, r, s)
-	return sig[dsaSubgroupBytes*2:], ok
-}
-
-type PrivateKey struct {
-	PublicKey
-	dsa.PrivateKey
-}
-
-func (priv *PrivateKey) Sign(rand io.Reader, hashed []byte) []byte {
-	r, s, err := dsa.Sign(rand, &priv.PrivateKey, hashed)
-	if err != nil {
-		panic(err.Error())
-	}
-	rBytes := r.Bytes()
-	sBytes := s.Bytes()
-	if len(rBytes) > dsaSubgroupBytes || len(sBytes) > dsaSubgroupBytes {
-		panic("DSA signature too large")
-	}
-
-	out := make([]byte, 2*dsaSubgroupBytes)
-	copy(out[dsaSubgroupBytes-len(rBytes):], rBytes)
-	copy(out[len(out)-len(sBytes):], sBytes)
-	return out
-}
-
-func (priv *PrivateKey) Serialize(in []byte) []byte {
-	in = priv.PublicKey.Serialize(in)
-	in = appendMPI(in, priv.PrivateKey.X)
-	return in
-}
-
-func (priv *PrivateKey) Parse(in []byte) ([]byte, bool) {
-	in, ok := priv.PublicKey.Parse(in)
-	if !ok {
-		return in, ok
-	}
-	priv.PrivateKey.PublicKey = priv.PublicKey.PublicKey
-	priv.PrivateKey.X, in, ok = getMPI(in)
-	return in, ok
-}
-
-func (priv *PrivateKey) Generate(rand io.Reader) {
-	if err := dsa.GenerateParameters(&priv.PrivateKey.PublicKey.Parameters, rand, dsa.L1024N160); err != nil {
-		panic(err.Error())
-	}
-	if err := dsa.GenerateKey(&priv.PrivateKey, rand); err != nil {
-		panic(err.Error())
-	}
-	priv.PublicKey.PublicKey = priv.PrivateKey.PublicKey
-}
-
-func notHex(r rune) bool {
-	if r >= '0' && r <= '9' ||
-		r >= 'a' && r <= 'f' ||
-		r >= 'A' && r <= 'F' {
-		return false
-	}
-
-	return true
-}
-
-// Import parses the contents of a libotr private key file.
-func (priv *PrivateKey) Import(in []byte) bool {
-	mpiStart := []byte(" #")
-
-	mpis := make([]*big.Int, 5)
-
-	for i := 0; i < len(mpis); i++ {
-		start := bytes.Index(in, mpiStart)
-		if start == -1 {
-			return false
-		}
-		in = in[start+len(mpiStart):]
-		end := bytes.IndexFunc(in, notHex)
-		if end == -1 {
-			return false
-		}
-		hexBytes := in[:end]
-		in = in[end:]
-
-		if len(hexBytes)&1 != 0 {
-			return false
-		}
-
-		mpiBytes := make([]byte, len(hexBytes)/2)
-		if _, err := hex.Decode(mpiBytes, hexBytes); err != nil {
-			return false
-		}
-
-		mpis[i] = new(big.Int).SetBytes(mpiBytes)
-	}
-
-	for _, mpi := range mpis {
-		if mpi.Sign() <= 0 {
-			return false
-		}
-	}
-
-	priv.PrivateKey.P = mpis[0]
-	priv.PrivateKey.Q = mpis[1]
-	priv.PrivateKey.G = mpis[2]
-	priv.PrivateKey.Y = mpis[3]
-	priv.PrivateKey.X = mpis[4]
-	priv.PublicKey.PublicKey = priv.PrivateKey.PublicKey
-
-	a := new(big.Int).Exp(priv.PrivateKey.G, priv.PrivateKey.X, priv.PrivateKey.P)
-	return a.Cmp(priv.PrivateKey.Y) == 0
-}
-
-func getU8(in []byte) (uint8, []byte, bool) {
-	if len(in) < 1 {
-		return 0, in, false
-	}
-	return in[0], in[1:], true
-}
-
-func getU16(in []byte) (uint16, []byte, bool) {
-	if len(in) < 2 {
-		return 0, in, false
-	}
-	r := uint16(in[0])<<8 | uint16(in[1])
-	return r, in[2:], true
-}
-
-func getU32(in []byte) (uint32, []byte, bool) {
-	if len(in) < 4 {
-		return 0, in, false
-	}
-	r := uint32(in[0])<<24 | uint32(in[1])<<16 | uint32(in[2])<<8 | uint32(in[3])
-	return r, in[4:], true
-}
-
-func getMPI(in []byte) (*big.Int, []byte, bool) {
-	l, in, ok := getU32(in)
-	if !ok || uint32(len(in)) < l {
-		return nil, in, false
-	}
-	r := new(big.Int).SetBytes(in[:l])
-	return r, in[l:], true
-}
-
-func getData(in []byte) ([]byte, []byte, bool) {
-	l, in, ok := getU32(in)
-	if !ok || uint32(len(in)) < l {
-		return nil, in, false
-	}
-	return in[:l], in[l:], true
-}
-
-func getNBytes(in []byte, n int) ([]byte, []byte, bool) {
-	if len(in) < n {
-		return nil, in, false
-	}
-	return in[:n], in[n:], true
-}
-
-func appendU16(out []byte, v uint16) []byte {
-	out = append(out, byte(v>>8), byte(v))
-	return out
-}
-
-func appendU32(out []byte, v uint32) []byte {
-	out = append(out, byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
-	return out
-}
-
-func appendData(out, v []byte) []byte {
-	out = appendU32(out, uint32(len(v)))
-	out = append(out, v...)
-	return out
-}
-
-func appendMPI(out []byte, v *big.Int) []byte {
-	vBytes := v.Bytes()
-	out = appendU32(out, uint32(len(vBytes)))
-	out = append(out, vBytes...)
-	return out
-}
-
-func appendMPIs(out []byte, mpis ...*big.Int) []byte {
-	for _, mpi := range mpis {
-		out = appendMPI(out, mpi)
-	}
-	return out
-}
-
-func zero(b []byte) {
-	for i := range b {
-		b[i] = 0
-	}
-}
diff --git a/vendor/golang.org/x/crypto/otr/otr_test.go b/vendor/golang.org/x/crypto/otr/otr_test.go
deleted file mode 100644
index cfcd062b..00000000
--- a/vendor/golang.org/x/crypto/otr/otr_test.go
+++ /dev/null
@@ -1,470 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package otr
-
-import (
-	"bufio"
-	"bytes"
-	"crypto/rand"
-	"encoding/hex"
-	"math/big"
-	"os"
-	"os/exec"
-	"testing"
-)
-
-var isQueryTests = []struct {
-	msg             string
-	expectedVersion int
-}{
-	{"foo", 0},
-	{"?OtR", 0},
-	{"?OtR?", 0},
-	{"?OTR?", 0},
-	{"?OTRv?", 0},
-	{"?OTRv1?", 0},
-	{"?OTR?v1?", 0},
-	{"?OTR?v?", 0},
-	{"?OTR?v2?", 2},
-	{"?OTRv2?", 2},
-	{"?OTRv23?", 2},
-	{"?OTRv23 ?", 0},
-}
-
-func TestIsQuery(t *testing.T) {
-	for i, test := range isQueryTests {
-		version := isQuery([]byte(test.msg))
-		if version != test.expectedVersion {
-			t.Errorf("#%d: got %d, want %d", i, version, test.expectedVersion)
-		}
-	}
-}
-
-var alicePrivateKeyHex = "000000000080c81c2cb2eb729b7e6fd48e975a932c638b3a9055478583afa46755683e30102447f6da2d8bec9f386bbb5da6403b0040fee8650b6ab2d7f32c55ab017ae9b6aec8c324ab5844784e9a80e194830d548fb7f09a0410df2c4d5c8bc2b3e9ad484e65412be689cf0834694e0839fb2954021521ffdffb8f5c32c14dbf2020b3ce7500000014da4591d58def96de61aea7b04a8405fe1609308d000000808ddd5cb0b9d66956e3dea5a915d9aba9d8a6e7053b74dadb2fc52f9fe4e5bcc487d2305485ed95fed026ad93f06ebb8c9e8baf693b7887132c7ffdd3b0f72f4002ff4ed56583ca7c54458f8c068ca3e8a4dfa309d1dd5d34e2a4b68e6f4338835e5e0fb4317c9e4c7e4806dafda3ef459cd563775a586dd91b1319f72621bf3f00000080b8147e74d8c45e6318c37731b8b33b984a795b3653c2cd1d65cc99efe097cb7eb2fa49569bab5aab6e8a1c261a27d0f7840a5e80b317e6683042b59b6dceca2879c6ffc877a465be690c15e4a42f9a7588e79b10faac11b1ce3741fcef7aba8ce05327a2c16d279ee1b3d77eb783fb10e3356caa25635331e26dd42b8396c4d00000001420bec691fea37ecea58a5c717142f0b804452f57"
-
-var aliceFingerprintHex = "0bb01c360424522e94ee9c346ce877a1a4288b2f"
-
-var bobPrivateKeyHex = "000000000080a5138eb3d3eb9c1d85716faecadb718f87d31aaed1157671d7fee7e488f95e8e0ba60ad449ec732710a7dec5190f7182af2e2f98312d98497221dff160fd68033dd4f3a33b7c078d0d9f66e26847e76ca7447d4bab35486045090572863d9e4454777f24d6706f63e02548dfec2d0a620af37bbc1d24f884708a212c343b480d00000014e9c58f0ea21a5e4dfd9f44b6a9f7f6a9961a8fa9000000803c4d111aebd62d3c50c2889d420a32cdf1e98b70affcc1fcf44d59cca2eb019f6b774ef88153fb9b9615441a5fe25ea2d11b74ce922ca0232bd81b3c0fcac2a95b20cb6e6c0c5c1ace2e26f65dc43c751af0edbb10d669890e8ab6beea91410b8b2187af1a8347627a06ecea7e0f772c28aae9461301e83884860c9b656c722f0000008065af8625a555ea0e008cd04743671a3cda21162e83af045725db2eb2bb52712708dc0cc1a84c08b3649b88a966974bde27d8612c2861792ec9f08786a246fcadd6d8d3a81a32287745f309238f47618c2bd7612cb8b02d940571e0f30b96420bcd462ff542901b46109b1e5ad6423744448d20a57818a8cbb1647d0fea3b664e0000001440f9f2eb554cb00d45a5826b54bfa419b6980e48"
-
-func TestKeySerialization(t *testing.T) {
-	var priv PrivateKey
-	alicePrivateKey, _ := hex.DecodeString(alicePrivateKeyHex)
-	rest, ok := priv.Parse(alicePrivateKey)
-	if !ok {
-		t.Error("failed to parse private key")
-	}
-	if len(rest) > 0 {
-		t.Error("data remaining after parsing private key")
-	}
-
-	out := priv.Serialize(nil)
-	if !bytes.Equal(alicePrivateKey, out) {
-		t.Errorf("serialization (%x) is not equal to original (%x)", out, alicePrivateKey)
-	}
-
-	aliceFingerprint, _ := hex.DecodeString(aliceFingerprintHex)
-	fingerprint := priv.PublicKey.Fingerprint()
-	if !bytes.Equal(aliceFingerprint, fingerprint) {
-		t.Errorf("fingerprint (%x) is not equal to expected value (%x)", fingerprint, aliceFingerprint)
-	}
-}
-
-const libOTRPrivateKey = `(privkeys
- (account
-(name "foo@example.com")
-(protocol prpl-jabber)
-(private-key 
- (dsa 
-  (p #00FC07ABCF0DC916AFF6E9AE47BEF60C7AB9B4D6B2469E436630E36F8A489BE812486A09F30B71224508654940A835301ACC525A4FF133FC152CC53DCC59D65C30A54F1993FE13FE63E5823D4C746DB21B90F9B9C00B49EC7404AB1D929BA7FBA12F2E45C6E0A651689750E8528AB8C031D3561FECEE72EBB4A090D450A9B7A857#)
-  (q #00997BD266EF7B1F60A5C23F3A741F2AEFD07A2081#)
-  (g #535E360E8A95EBA46A4F7DE50AD6E9B2A6DB785A66B64EB9F20338D2A3E8FB0E94725848F1AA6CC567CB83A1CC517EC806F2E92EAE71457E80B2210A189B91250779434B41FC8A8873F6DB94BEA7D177F5D59E7E114EE10A49CFD9CEF88AE43387023B672927BA74B04EB6BBB5E57597766A2F9CE3857D7ACE3E1E3BC1FC6F26#)
-  (y #0AC8670AD767D7A8D9D14CC1AC6744CD7D76F993B77FFD9E39DF01E5A6536EF65E775FCEF2A983E2A19BD6415500F6979715D9FD1257E1FE2B6F5E1E74B333079E7C880D39868462A93454B41877BE62E5EF0A041C2EE9C9E76BD1E12AE25D9628DECB097025DD625EF49C3258A1A3C0FF501E3DC673B76D7BABF349009B6ECF#)
-  (x #14D0345A3562C480A039E3C72764F72D79043216#)
-  )
- )
- )
-)`
-
-func TestParseLibOTRPrivateKey(t *testing.T) {
-	var priv PrivateKey
-
-	if !priv.Import([]byte(libOTRPrivateKey)) {
-		t.Fatalf("Failed to import sample private key")
-	}
-}
-
-func TestSignVerify(t *testing.T) {
-	var priv PrivateKey
-	alicePrivateKey, _ := hex.DecodeString(alicePrivateKeyHex)
-	_, ok := priv.Parse(alicePrivateKey)
-	if !ok {
-		t.Error("failed to parse private key")
-	}
-
-	var msg [32]byte
-	rand.Reader.Read(msg[:])
-
-	sig := priv.Sign(rand.Reader, msg[:])
-	rest, ok := priv.PublicKey.Verify(msg[:], sig)
-	if !ok {
-		t.Errorf("signature (%x) of %x failed to verify", sig, msg[:])
-	} else if len(rest) > 0 {
-		t.Error("signature data remains after verification")
-	}
-
-	sig[10] ^= 80
-	_, ok = priv.PublicKey.Verify(msg[:], sig)
-	if ok {
-		t.Errorf("corrupted signature (%x) of %x verified", sig, msg[:])
-	}
-}
-
-func setupConversation(t *testing.T) (alice, bob *Conversation) {
-	alicePrivateKey, _ := hex.DecodeString(alicePrivateKeyHex)
-	bobPrivateKey, _ := hex.DecodeString(bobPrivateKeyHex)
-
-	alice, bob = new(Conversation), new(Conversation)
-
-	alice.PrivateKey = new(PrivateKey)
-	bob.PrivateKey = new(PrivateKey)
-	alice.PrivateKey.Parse(alicePrivateKey)
-	bob.PrivateKey.Parse(bobPrivateKey)
-	alice.FragmentSize = 100
-	bob.FragmentSize = 100
-
-	if alice.IsEncrypted() {
-		t.Error("Alice believes that the conversation is secure before we've started")
-	}
-	if bob.IsEncrypted() {
-		t.Error("Bob believes that the conversation is secure before we've started")
-	}
-
-	performHandshake(t, alice, bob)
-	return alice, bob
-}
-
-func performHandshake(t *testing.T, alice, bob *Conversation) {
-	var alicesMessage, bobsMessage [][]byte
-	var out []byte
-	var aliceChange, bobChange SecurityChange
-	var err error
-	alicesMessage = append(alicesMessage, []byte(QueryMessage))
-
-	for round := 0; len(alicesMessage) > 0 || len(bobsMessage) > 0; round++ {
-		bobsMessage = nil
-		for i, msg := range alicesMessage {
-			out, _, bobChange, bobsMessage, err = bob.Receive(msg)
-			if len(out) > 0 {
-				t.Errorf("Bob generated output during key exchange, round %d, message %d", round, i)
-			}
-			if err != nil {
-				t.Fatalf("Bob returned an error, round %d, message %d (%x): %s", round, i, msg, err)
-			}
-			if len(bobsMessage) > 0 && i != len(alicesMessage)-1 {
-				t.Errorf("Bob produced output while processing a fragment, round %d, message %d", round, i)
-			}
-		}
-
-		alicesMessage = nil
-		for i, msg := range bobsMessage {
-			out, _, aliceChange, alicesMessage, err = alice.Receive(msg)
-			if len(out) > 0 {
-				t.Errorf("Alice generated output during key exchange, round %d, message %d", round, i)
-			}
-			if err != nil {
-				t.Fatalf("Alice returned an error, round %d, message %d (%x): %s", round, i, msg, err)
-			}
-			if len(alicesMessage) > 0 && i != len(bobsMessage)-1 {
-				t.Errorf("Alice produced output while processing a fragment, round %d, message %d", round, i)
-			}
-		}
-	}
-
-	if aliceChange != NewKeys {
-		t.Errorf("Alice terminated without signaling new keys")
-	}
-	if bobChange != NewKeys {
-		t.Errorf("Bob terminated without signaling new keys")
-	}
-
-	if !bytes.Equal(alice.SSID[:], bob.SSID[:]) {
-		t.Errorf("Session identifiers don't match. Alice has %x, Bob has %x", alice.SSID[:], bob.SSID[:])
-	}
-
-	if !alice.IsEncrypted() {
-		t.Error("Alice doesn't believe that the conversation is secure")
-	}
-	if !bob.IsEncrypted() {
-		t.Error("Bob doesn't believe that the conversation is secure")
-	}
-}
-
-const (
-	firstRoundTrip = iota
-	subsequentRoundTrip
-	noMACKeyCheck
-)
-
-func roundTrip(t *testing.T, alice, bob *Conversation, message []byte, macKeyCheck int) {
-	alicesMessage, err := alice.Send(message)
-	if err != nil {
-		t.Errorf("Error from Alice sending message: %s", err)
-	}
-
-	if len(alice.oldMACs) != 0 {
-		t.Errorf("Alice has not revealed all MAC keys")
-	}
-
-	for i, msg := range alicesMessage {
-		out, encrypted, _, _, err := bob.Receive(msg)
-
-		if err != nil {
-			t.Errorf("Error generated while processing test message: %s", err.Error())
-		}
-		if len(out) > 0 {
-			if i != len(alicesMessage)-1 {
-				t.Fatal("Bob produced a message while processing a fragment of Alice's")
-			}
-			if !encrypted {
-				t.Errorf("Message was not marked as encrypted")
-			}
-			if !bytes.Equal(out, message) {
-				t.Errorf("Message corrupted: got %x, want %x", out, message)
-			}
-		}
-	}
-
-	switch macKeyCheck {
-	case firstRoundTrip:
-		if len(bob.oldMACs) != 0 {
-			t.Errorf("Bob should not have MAC keys to reveal")
-		}
-	case subsequentRoundTrip:
-		if len(bob.oldMACs) != 40 {
-			t.Errorf("Bob has %d bytes of MAC keys to reveal, but should have 40", len(bob.oldMACs))
-		}
-	}
-
-	bobsMessage, err := bob.Send(message)
-	if err != nil {
-		t.Errorf("Error from Bob sending message: %s", err)
-	}
-
-	if len(bob.oldMACs) != 0 {
-		t.Errorf("Bob has not revealed all MAC keys")
-	}
-
-	for i, msg := range bobsMessage {
-		out, encrypted, _, _, err := alice.Receive(msg)
-
-		if err != nil {
-			t.Errorf("Error generated while processing test message: %s", err.Error())
-		}
-		if len(out) > 0 {
-			if i != len(bobsMessage)-1 {
-				t.Fatal("Alice produced a message while processing a fragment of Bob's")
-			}
-			if !encrypted {
-				t.Errorf("Message was not marked as encrypted")
-			}
-			if !bytes.Equal(out, message) {
-				t.Errorf("Message corrupted: got %x, want %x", out, message)
-			}
-		}
-	}
-
-	switch macKeyCheck {
-	case firstRoundTrip:
-		if len(alice.oldMACs) != 20 {
-			t.Errorf("Alice has %d bytes of MAC keys to reveal, but should have 20", len(alice.oldMACs))
-		}
-	case subsequentRoundTrip:
-		if len(alice.oldMACs) != 40 {
-			t.Errorf("Alice has %d bytes of MAC keys to reveal, but should have 40", len(alice.oldMACs))
-		}
-	}
-}
-
-func TestConversation(t *testing.T) {
-	alice, bob := setupConversation(t)
-
-	var testMessages = [][]byte{
-		[]byte("hello"), []byte("bye"),
-	}
-
-	roundTripType := firstRoundTrip
-
-	for _, testMessage := range testMessages {
-		roundTrip(t, alice, bob, testMessage, roundTripType)
-		roundTripType = subsequentRoundTrip
-	}
-}
-
-func TestGoodSMP(t *testing.T) {
-	var alice, bob Conversation
-
-	alice.smp.secret = new(big.Int).SetInt64(42)
-	bob.smp.secret = alice.smp.secret
-
-	var alicesMessages, bobsMessages []tlv
-	var aliceComplete, bobComplete bool
-	var err error
-	var out tlv
-
-	alicesMessages = alice.startSMP("")
-	for round := 0; len(alicesMessages) > 0 || len(bobsMessages) > 0; round++ {
-		bobsMessages = bobsMessages[:0]
-		for i, msg := range alicesMessages {
-			out, bobComplete, err = bob.processSMP(msg)
-			if err != nil {
-				t.Errorf("Error from Bob in round %d: %s", round, err)
-			}
-			if bobComplete && i != len(alicesMessages)-1 {
-				t.Errorf("Bob returned a completed signal before processing all of Alice's messages in round %d", round)
-			}
-			if out.typ != 0 {
-				bobsMessages = append(bobsMessages, out)
-			}
-		}
-
-		alicesMessages = alicesMessages[:0]
-		for i, msg := range bobsMessages {
-			out, aliceComplete, err = alice.processSMP(msg)
-			if err != nil {
-				t.Errorf("Error from Alice in round %d: %s", round, err)
-			}
-			if aliceComplete && i != len(bobsMessages)-1 {
-				t.Errorf("Alice returned a completed signal before processing all of Bob's messages in round %d", round)
-			}
-			if out.typ != 0 {
-				alicesMessages = append(alicesMessages, out)
-			}
-		}
-	}
-
-	if !aliceComplete || !bobComplete {
-		t.Errorf("SMP completed without both sides reporting success: alice: %v, bob: %v\n", aliceComplete, bobComplete)
-	}
-}
-
-func TestBadSMP(t *testing.T) {
-	var alice, bob Conversation
-
-	alice.smp.secret = new(big.Int).SetInt64(42)
-	bob.smp.secret = new(big.Int).SetInt64(43)
-
-	var alicesMessages, bobsMessages []tlv
-
-	alicesMessages = alice.startSMP("")
-	for round := 0; len(alicesMessages) > 0 || len(bobsMessages) > 0; round++ {
-		bobsMessages = bobsMessages[:0]
-		for _, msg := range alicesMessages {
-			out, complete, _ := bob.processSMP(msg)
-			if complete {
-				t.Errorf("Bob signaled completion in round %d", round)
-			}
-			if out.typ != 0 {
-				bobsMessages = append(bobsMessages, out)
-			}
-		}
-
-		alicesMessages = alicesMessages[:0]
-		for _, msg := range bobsMessages {
-			out, complete, _ := alice.processSMP(msg)
-			if complete {
-				t.Errorf("Alice signaled completion in round %d", round)
-			}
-			if out.typ != 0 {
-				alicesMessages = append(alicesMessages, out)
-			}
-		}
-	}
-}
-
-func TestRehandshaking(t *testing.T) {
-	alice, bob := setupConversation(t)
-	roundTrip(t, alice, bob, []byte("test"), firstRoundTrip)
-	roundTrip(t, alice, bob, []byte("test 2"), subsequentRoundTrip)
-	roundTrip(t, alice, bob, []byte("test 3"), subsequentRoundTrip)
-	roundTrip(t, alice, bob, []byte("test 4"), subsequentRoundTrip)
-	roundTrip(t, alice, bob, []byte("test 5"), subsequentRoundTrip)
-	roundTrip(t, alice, bob, []byte("test 6"), subsequentRoundTrip)
-	roundTrip(t, alice, bob, []byte("test 7"), subsequentRoundTrip)
-	roundTrip(t, alice, bob, []byte("test 8"), subsequentRoundTrip)
-	performHandshake(t, alice, bob)
-	roundTrip(t, alice, bob, []byte("test"), noMACKeyCheck)
-	roundTrip(t, alice, bob, []byte("test 2"), noMACKeyCheck)
-}
-
-func TestAgainstLibOTR(t *testing.T) {
-	// This test requires otr.c.test to be built as /tmp/a.out.
-	// If enabled, this tests runs forever performing OTR handshakes in a
-	// loop.
-	return
-
-	alicePrivateKey, _ := hex.DecodeString(alicePrivateKeyHex)
-	var alice Conversation
-	alice.PrivateKey = new(PrivateKey)
-	alice.PrivateKey.Parse(alicePrivateKey)
-
-	cmd := exec.Command("/tmp/a.out")
-	cmd.Stderr = os.Stderr
-
-	out, err := cmd.StdinPipe()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer out.Close()
-	stdout, err := cmd.StdoutPipe()
-	if err != nil {
-		t.Fatal(err)
-	}
-	in := bufio.NewReader(stdout)
-
-	if err := cmd.Start(); err != nil {
-		t.Fatal(err)
-	}
-
-	out.Write([]byte(QueryMessage))
-	out.Write([]byte("\n"))
-	var expectedText = []byte("test message")
-
-	for {
-		line, isPrefix, err := in.ReadLine()
-		if isPrefix {
-			t.Fatal("line from subprocess too long")
-		}
-		if err != nil {
-			t.Fatal(err)
-		}
-		text, encrypted, change, alicesMessage, err := alice.Receive(line)
-		if err != nil {
-			t.Fatal(err)
-		}
-		for _, msg := range alicesMessage {
-			out.Write(msg)
-			out.Write([]byte("\n"))
-		}
-		if change == NewKeys {
-			alicesMessage, err := alice.Send([]byte("Go -> libotr test message"))
-			if err != nil {
-				t.Fatalf("error sending message: %s", err.Error())
-			} else {
-				for _, msg := range alicesMessage {
-					out.Write(msg)
-					out.Write([]byte("\n"))
-				}
-			}
-		}
-		if len(text) > 0 {
-			if !bytes.Equal(text, expectedText) {
-				t.Fatalf("expected %x, but got %x", expectedText, text)
-			}
-			if !encrypted {
-				t.Fatal("message wasn't encrypted")
-			}
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/otr/smp.go b/vendor/golang.org/x/crypto/otr/smp.go
deleted file mode 100644
index dc6de4ee..00000000
--- a/vendor/golang.org/x/crypto/otr/smp.go
+++ /dev/null
@@ -1,572 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This file implements the Socialist Millionaires Protocol as described in
-// http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html. The protocol
-// specification is required in order to understand this code and, where
-// possible, the variable names in the code match up with the spec.
-
-package otr
-
-import (
-	"bytes"
-	"crypto/sha256"
-	"errors"
-	"hash"
-	"math/big"
-)
-
-type smpFailure string
-
-func (s smpFailure) Error() string {
-	return string(s)
-}
-
-var smpFailureError = smpFailure("otr: SMP protocol failed")
-var smpSecretMissingError = smpFailure("otr: mutual secret needed")
-
-const smpVersion = 1
-
-const (
-	smpState1 = iota
-	smpState2
-	smpState3
-	smpState4
-)
-
-type smpState struct {
-	state                  int
-	a2, a3, b2, b3, pb, qb *big.Int
-	g2a, g3a               *big.Int
-	g2, g3                 *big.Int
-	g3b, papb, qaqb, ra    *big.Int
-	saved                  *tlv
-	secret                 *big.Int
-	question               string
-}
-
-func (c *Conversation) startSMP(question string) (tlvs []tlv) {
-	if c.smp.state != smpState1 {
-		tlvs = append(tlvs, c.generateSMPAbort())
-	}
-	tlvs = append(tlvs, c.generateSMP1(question))
-	c.smp.question = ""
-	c.smp.state = smpState2
-	return
-}
-
-func (c *Conversation) resetSMP() {
-	c.smp.state = smpState1
-	c.smp.secret = nil
-	c.smp.question = ""
-}
-
-func (c *Conversation) processSMP(in tlv) (out tlv, complete bool, err error) {
-	data := in.data
-
-	switch in.typ {
-	case tlvTypeSMPAbort:
-		if c.smp.state != smpState1 {
-			err = smpFailureError
-		}
-		c.resetSMP()
-		return
-	case tlvTypeSMP1WithQuestion:
-		// We preprocess this into a SMP1 message.
-		nulPos := bytes.IndexByte(data, 0)
-		if nulPos == -1 {
-			err = errors.New("otr: SMP message with question didn't contain a NUL byte")
-			return
-		}
-		c.smp.question = string(data[:nulPos])
-		data = data[nulPos+1:]
-	}
-
-	numMPIs, data, ok := getU32(data)
-	if !ok || numMPIs > 20 {
-		err = errors.New("otr: corrupt SMP message")
-		return
-	}
-
-	mpis := make([]*big.Int, numMPIs)
-	for i := range mpis {
-		var ok bool
-		mpis[i], data, ok = getMPI(data)
-		if !ok {
-			err = errors.New("otr: corrupt SMP message")
-			return
-		}
-	}
-
-	switch in.typ {
-	case tlvTypeSMP1, tlvTypeSMP1WithQuestion:
-		if c.smp.state != smpState1 {
-			c.resetSMP()
-			out = c.generateSMPAbort()
-			return
-		}
-		if c.smp.secret == nil {
-			err = smpSecretMissingError
-			return
-		}
-		if err = c.processSMP1(mpis); err != nil {
-			return
-		}
-		c.smp.state = smpState3
-		out = c.generateSMP2()
-	case tlvTypeSMP2:
-		if c.smp.state != smpState2 {
-			c.resetSMP()
-			out = c.generateSMPAbort()
-			return
-		}
-		if out, err = c.processSMP2(mpis); err != nil {
-			out = c.generateSMPAbort()
-			return
-		}
-		c.smp.state = smpState4
-	case tlvTypeSMP3:
-		if c.smp.state != smpState3 {
-			c.resetSMP()
-			out = c.generateSMPAbort()
-			return
-		}
-		if out, err = c.processSMP3(mpis); err != nil {
-			return
-		}
-		c.smp.state = smpState1
-		c.smp.secret = nil
-		complete = true
-	case tlvTypeSMP4:
-		if c.smp.state != smpState4 {
-			c.resetSMP()
-			out = c.generateSMPAbort()
-			return
-		}
-		if err = c.processSMP4(mpis); err != nil {
-			out = c.generateSMPAbort()
-			return
-		}
-		c.smp.state = smpState1
-		c.smp.secret = nil
-		complete = true
-	default:
-		panic("unknown SMP message")
-	}
-
-	return
-}
-
-func (c *Conversation) calcSMPSecret(mutualSecret []byte, weStarted bool) {
-	h := sha256.New()
-	h.Write([]byte{smpVersion})
-	if weStarted {
-		h.Write(c.PrivateKey.PublicKey.Fingerprint())
-		h.Write(c.TheirPublicKey.Fingerprint())
-	} else {
-		h.Write(c.TheirPublicKey.Fingerprint())
-		h.Write(c.PrivateKey.PublicKey.Fingerprint())
-	}
-	h.Write(c.SSID[:])
-	h.Write(mutualSecret)
-	c.smp.secret = new(big.Int).SetBytes(h.Sum(nil))
-}
-
-func (c *Conversation) generateSMP1(question string) tlv {
-	var randBuf [16]byte
-	c.smp.a2 = c.randMPI(randBuf[:])
-	c.smp.a3 = c.randMPI(randBuf[:])
-	g2a := new(big.Int).Exp(g, c.smp.a2, p)
-	g3a := new(big.Int).Exp(g, c.smp.a3, p)
-	h := sha256.New()
-
-	r2 := c.randMPI(randBuf[:])
-	r := new(big.Int).Exp(g, r2, p)
-	c2 := new(big.Int).SetBytes(hashMPIs(h, 1, r))
-	d2 := new(big.Int).Mul(c.smp.a2, c2)
-	d2.Sub(r2, d2)
-	d2.Mod(d2, q)
-	if d2.Sign() < 0 {
-		d2.Add(d2, q)
-	}
-
-	r3 := c.randMPI(randBuf[:])
-	r.Exp(g, r3, p)
-	c3 := new(big.Int).SetBytes(hashMPIs(h, 2, r))
-	d3 := new(big.Int).Mul(c.smp.a3, c3)
-	d3.Sub(r3, d3)
-	d3.Mod(d3, q)
-	if d3.Sign() < 0 {
-		d3.Add(d3, q)
-	}
-
-	var ret tlv
-	if len(question) > 0 {
-		ret.typ = tlvTypeSMP1WithQuestion
-		ret.data = append(ret.data, question...)
-		ret.data = append(ret.data, 0)
-	} else {
-		ret.typ = tlvTypeSMP1
-	}
-	ret.data = appendU32(ret.data, 6)
-	ret.data = appendMPIs(ret.data, g2a, c2, d2, g3a, c3, d3)
-	return ret
-}
-
-func (c *Conversation) processSMP1(mpis []*big.Int) error {
-	if len(mpis) != 6 {
-		return errors.New("otr: incorrect number of arguments in SMP1 message")
-	}
-	g2a := mpis[0]
-	c2 := mpis[1]
-	d2 := mpis[2]
-	g3a := mpis[3]
-	c3 := mpis[4]
-	d3 := mpis[5]
-	h := sha256.New()
-
-	r := new(big.Int).Exp(g, d2, p)
-	s := new(big.Int).Exp(g2a, c2, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-	t := new(big.Int).SetBytes(hashMPIs(h, 1, r))
-	if c2.Cmp(t) != 0 {
-		return errors.New("otr: ZKP c2 incorrect in SMP1 message")
-	}
-	r.Exp(g, d3, p)
-	s.Exp(g3a, c3, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-	t.SetBytes(hashMPIs(h, 2, r))
-	if c3.Cmp(t) != 0 {
-		return errors.New("otr: ZKP c3 incorrect in SMP1 message")
-	}
-
-	c.smp.g2a = g2a
-	c.smp.g3a = g3a
-	return nil
-}
-
-func (c *Conversation) generateSMP2() tlv {
-	var randBuf [16]byte
-	b2 := c.randMPI(randBuf[:])
-	c.smp.b3 = c.randMPI(randBuf[:])
-	r2 := c.randMPI(randBuf[:])
-	r3 := c.randMPI(randBuf[:])
-	r4 := c.randMPI(randBuf[:])
-	r5 := c.randMPI(randBuf[:])
-	r6 := c.randMPI(randBuf[:])
-
-	g2b := new(big.Int).Exp(g, b2, p)
-	g3b := new(big.Int).Exp(g, c.smp.b3, p)
-
-	r := new(big.Int).Exp(g, r2, p)
-	h := sha256.New()
-	c2 := new(big.Int).SetBytes(hashMPIs(h, 3, r))
-	d2 := new(big.Int).Mul(b2, c2)
-	d2.Sub(r2, d2)
-	d2.Mod(d2, q)
-	if d2.Sign() < 0 {
-		d2.Add(d2, q)
-	}
-
-	r.Exp(g, r3, p)
-	c3 := new(big.Int).SetBytes(hashMPIs(h, 4, r))
-	d3 := new(big.Int).Mul(c.smp.b3, c3)
-	d3.Sub(r3, d3)
-	d3.Mod(d3, q)
-	if d3.Sign() < 0 {
-		d3.Add(d3, q)
-	}
-
-	c.smp.g2 = new(big.Int).Exp(c.smp.g2a, b2, p)
-	c.smp.g3 = new(big.Int).Exp(c.smp.g3a, c.smp.b3, p)
-	c.smp.pb = new(big.Int).Exp(c.smp.g3, r4, p)
-	c.smp.qb = new(big.Int).Exp(g, r4, p)
-	r.Exp(c.smp.g2, c.smp.secret, p)
-	c.smp.qb.Mul(c.smp.qb, r)
-	c.smp.qb.Mod(c.smp.qb, p)
-
-	s := new(big.Int)
-	s.Exp(c.smp.g2, r6, p)
-	r.Exp(g, r5, p)
-	s.Mul(r, s)
-	s.Mod(s, p)
-	r.Exp(c.smp.g3, r5, p)
-	cp := new(big.Int).SetBytes(hashMPIs(h, 5, r, s))
-
-	// D5 = r5 - r4 cP mod q and D6 = r6 - y cP mod q
-
-	s.Mul(r4, cp)
-	r.Sub(r5, s)
-	d5 := new(big.Int).Mod(r, q)
-	if d5.Sign() < 0 {
-		d5.Add(d5, q)
-	}
-
-	s.Mul(c.smp.secret, cp)
-	r.Sub(r6, s)
-	d6 := new(big.Int).Mod(r, q)
-	if d6.Sign() < 0 {
-		d6.Add(d6, q)
-	}
-
-	var ret tlv
-	ret.typ = tlvTypeSMP2
-	ret.data = appendU32(ret.data, 11)
-	ret.data = appendMPIs(ret.data, g2b, c2, d2, g3b, c3, d3, c.smp.pb, c.smp.qb, cp, d5, d6)
-	return ret
-}
-
-func (c *Conversation) processSMP2(mpis []*big.Int) (out tlv, err error) {
-	if len(mpis) != 11 {
-		err = errors.New("otr: incorrect number of arguments in SMP2 message")
-		return
-	}
-	g2b := mpis[0]
-	c2 := mpis[1]
-	d2 := mpis[2]
-	g3b := mpis[3]
-	c3 := mpis[4]
-	d3 := mpis[5]
-	pb := mpis[6]
-	qb := mpis[7]
-	cp := mpis[8]
-	d5 := mpis[9]
-	d6 := mpis[10]
-	h := sha256.New()
-
-	r := new(big.Int).Exp(g, d2, p)
-	s := new(big.Int).Exp(g2b, c2, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-	s.SetBytes(hashMPIs(h, 3, r))
-	if c2.Cmp(s) != 0 {
-		err = errors.New("otr: ZKP c2 failed in SMP2 message")
-		return
-	}
-
-	r.Exp(g, d3, p)
-	s.Exp(g3b, c3, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-	s.SetBytes(hashMPIs(h, 4, r))
-	if c3.Cmp(s) != 0 {
-		err = errors.New("otr: ZKP c3 failed in SMP2 message")
-		return
-	}
-
-	c.smp.g2 = new(big.Int).Exp(g2b, c.smp.a2, p)
-	c.smp.g3 = new(big.Int).Exp(g3b, c.smp.a3, p)
-
-	r.Exp(g, d5, p)
-	s.Exp(c.smp.g2, d6, p)
-	r.Mul(r, s)
-	s.Exp(qb, cp, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(c.smp.g3, d5, p)
-	t := new(big.Int).Exp(pb, cp, p)
-	s.Mul(s, t)
-	s.Mod(s, p)
-	t.SetBytes(hashMPIs(h, 5, s, r))
-	if cp.Cmp(t) != 0 {
-		err = errors.New("otr: ZKP cP failed in SMP2 message")
-		return
-	}
-
-	var randBuf [16]byte
-	r4 := c.randMPI(randBuf[:])
-	r5 := c.randMPI(randBuf[:])
-	r6 := c.randMPI(randBuf[:])
-	r7 := c.randMPI(randBuf[:])
-
-	pa := new(big.Int).Exp(c.smp.g3, r4, p)
-	r.Exp(c.smp.g2, c.smp.secret, p)
-	qa := new(big.Int).Exp(g, r4, p)
-	qa.Mul(qa, r)
-	qa.Mod(qa, p)
-
-	r.Exp(g, r5, p)
-	s.Exp(c.smp.g2, r6, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(c.smp.g3, r5, p)
-	cp.SetBytes(hashMPIs(h, 6, s, r))
-
-	r.Mul(r4, cp)
-	d5 = new(big.Int).Sub(r5, r)
-	d5.Mod(d5, q)
-	if d5.Sign() < 0 {
-		d5.Add(d5, q)
-	}
-
-	r.Mul(c.smp.secret, cp)
-	d6 = new(big.Int).Sub(r6, r)
-	d6.Mod(d6, q)
-	if d6.Sign() < 0 {
-		d6.Add(d6, q)
-	}
-
-	r.ModInverse(qb, p)
-	qaqb := new(big.Int).Mul(qa, r)
-	qaqb.Mod(qaqb, p)
-
-	ra := new(big.Int).Exp(qaqb, c.smp.a3, p)
-	r.Exp(qaqb, r7, p)
-	s.Exp(g, r7, p)
-	cr := new(big.Int).SetBytes(hashMPIs(h, 7, s, r))
-
-	r.Mul(c.smp.a3, cr)
-	d7 := new(big.Int).Sub(r7, r)
-	d7.Mod(d7, q)
-	if d7.Sign() < 0 {
-		d7.Add(d7, q)
-	}
-
-	c.smp.g3b = g3b
-	c.smp.qaqb = qaqb
-
-	r.ModInverse(pb, p)
-	c.smp.papb = new(big.Int).Mul(pa, r)
-	c.smp.papb.Mod(c.smp.papb, p)
-	c.smp.ra = ra
-
-	out.typ = tlvTypeSMP3
-	out.data = appendU32(out.data, 8)
-	out.data = appendMPIs(out.data, pa, qa, cp, d5, d6, ra, cr, d7)
-	return
-}
-
-func (c *Conversation) processSMP3(mpis []*big.Int) (out tlv, err error) {
-	if len(mpis) != 8 {
-		err = errors.New("otr: incorrect number of arguments in SMP3 message")
-		return
-	}
-	pa := mpis[0]
-	qa := mpis[1]
-	cp := mpis[2]
-	d5 := mpis[3]
-	d6 := mpis[4]
-	ra := mpis[5]
-	cr := mpis[6]
-	d7 := mpis[7]
-	h := sha256.New()
-
-	r := new(big.Int).Exp(g, d5, p)
-	s := new(big.Int).Exp(c.smp.g2, d6, p)
-	r.Mul(r, s)
-	s.Exp(qa, cp, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(c.smp.g3, d5, p)
-	t := new(big.Int).Exp(pa, cp, p)
-	s.Mul(s, t)
-	s.Mod(s, p)
-	t.SetBytes(hashMPIs(h, 6, s, r))
-	if t.Cmp(cp) != 0 {
-		err = errors.New("otr: ZKP cP failed in SMP3 message")
-		return
-	}
-
-	r.ModInverse(c.smp.qb, p)
-	qaqb := new(big.Int).Mul(qa, r)
-	qaqb.Mod(qaqb, p)
-
-	r.Exp(qaqb, d7, p)
-	s.Exp(ra, cr, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(g, d7, p)
-	t.Exp(c.smp.g3a, cr, p)
-	s.Mul(s, t)
-	s.Mod(s, p)
-	t.SetBytes(hashMPIs(h, 7, s, r))
-	if t.Cmp(cr) != 0 {
-		err = errors.New("otr: ZKP cR failed in SMP3 message")
-		return
-	}
-
-	var randBuf [16]byte
-	r7 := c.randMPI(randBuf[:])
-	rb := new(big.Int).Exp(qaqb, c.smp.b3, p)
-
-	r.Exp(qaqb, r7, p)
-	s.Exp(g, r7, p)
-	cr = new(big.Int).SetBytes(hashMPIs(h, 8, s, r))
-
-	r.Mul(c.smp.b3, cr)
-	d7 = new(big.Int).Sub(r7, r)
-	d7.Mod(d7, q)
-	if d7.Sign() < 0 {
-		d7.Add(d7, q)
-	}
-
-	out.typ = tlvTypeSMP4
-	out.data = appendU32(out.data, 3)
-	out.data = appendMPIs(out.data, rb, cr, d7)
-
-	r.ModInverse(c.smp.pb, p)
-	r.Mul(pa, r)
-	r.Mod(r, p)
-	s.Exp(ra, c.smp.b3, p)
-	if r.Cmp(s) != 0 {
-		err = smpFailureError
-	}
-
-	return
-}
-
-func (c *Conversation) processSMP4(mpis []*big.Int) error {
-	if len(mpis) != 3 {
-		return errors.New("otr: incorrect number of arguments in SMP4 message")
-	}
-	rb := mpis[0]
-	cr := mpis[1]
-	d7 := mpis[2]
-	h := sha256.New()
-
-	r := new(big.Int).Exp(c.smp.qaqb, d7, p)
-	s := new(big.Int).Exp(rb, cr, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(g, d7, p)
-	t := new(big.Int).Exp(c.smp.g3b, cr, p)
-	s.Mul(s, t)
-	s.Mod(s, p)
-	t.SetBytes(hashMPIs(h, 8, s, r))
-	if t.Cmp(cr) != 0 {
-		return errors.New("otr: ZKP cR failed in SMP4 message")
-	}
-
-	r.Exp(rb, c.smp.a3, p)
-	if r.Cmp(c.smp.papb) != 0 {
-		return smpFailureError
-	}
-
-	return nil
-}
-
-func (c *Conversation) generateSMPAbort() tlv {
-	return tlv{typ: tlvTypeSMPAbort}
-}
-
-func hashMPIs(h hash.Hash, magic byte, mpis ...*big.Int) []byte {
-	if h != nil {
-		h.Reset()
-	} else {
-		h = sha256.New()
-	}
-
-	h.Write([]byte{magic})
-	for _, mpi := range mpis {
-		h.Write(appendMPI(nil, mpi))
-	}
-	return h.Sum(nil)
-}
diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
deleted file mode 100644
index 593f6530..00000000
--- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
-2898 / PKCS #5 v2.0.
-
-A key derivation function is useful when encrypting data based on a password
-or any other not-fully-random data. It uses a pseudorandom function to derive
-a secure encryption key based on the password.
-
-While v2.0 of the standard defines only one pseudorandom function to use,
-HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
-Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
-choose, you can pass the `New` functions from the different SHA packages to
-pbkdf2.Key.
-*/
-package pbkdf2 // import "golang.org/x/crypto/pbkdf2"
-
-import (
-	"crypto/hmac"
-	"hash"
-)
-
-// Key derives a key from the password, salt and iteration count, returning a
-// []byte of length keylen that can be used as cryptographic key. The key is
-// derived based on the method described as PBKDF2 with the HMAC variant using
-// the supplied hash function.
-//
-// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
-// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
-// doing:
-//
-// 	dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
-//
-// Remember to get a good random salt. At least 8 bytes is recommended by the
-// RFC.
-//
-// Using a higher iteration count will increase the cost of an exhaustive
-// search but will also make derivation proportionally slower.
-func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
-	prf := hmac.New(h, password)
-	hashLen := prf.Size()
-	numBlocks := (keyLen + hashLen - 1) / hashLen
-
-	var buf [4]byte
-	dk := make([]byte, 0, numBlocks*hashLen)
-	U := make([]byte, hashLen)
-	for block := 1; block <= numBlocks; block++ {
-		// N.B.: || means concatenation, ^ means XOR
-		// for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
-		// U_1 = PRF(password, salt || uint(i))
-		prf.Reset()
-		prf.Write(salt)
-		buf[0] = byte(block >> 24)
-		buf[1] = byte(block >> 16)
-		buf[2] = byte(block >> 8)
-		buf[3] = byte(block)
-		prf.Write(buf[:4])
-		dk = prf.Sum(dk)
-		T := dk[len(dk)-hashLen:]
-		copy(U, T)
-
-		// U_n = PRF(password, U_(n-1))
-		for n := 2; n <= iter; n++ {
-			prf.Reset()
-			prf.Write(U)
-			U = U[:0]
-			U = prf.Sum(U)
-			for x := range U {
-				T[x] ^= U[x]
-			}
-		}
-	}
-	return dk[:keyLen]
-}
diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2_test.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2_test.go
deleted file mode 100644
index f83cb692..00000000
--- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2_test.go
+++ /dev/null
@@ -1,176 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pbkdf2
-
-import (
-	"bytes"
-	"crypto/sha1"
-	"crypto/sha256"
-	"hash"
-	"testing"
-)
-
-type testVector struct {
-	password string
-	salt     string
-	iter     int
-	output   []byte
-}
-
-// Test vectors from RFC 6070, http://tools.ietf.org/html/rfc6070
-var sha1TestVectors = []testVector{
-	{
-		"password",
-		"salt",
-		1,
-		[]byte{
-			0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
-			0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
-			0x2f, 0xe0, 0x37, 0xa6,
-		},
-	},
-	{
-		"password",
-		"salt",
-		2,
-		[]byte{
-			0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
-			0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
-			0xd8, 0xde, 0x89, 0x57,
-		},
-	},
-	{
-		"password",
-		"salt",
-		4096,
-		[]byte{
-			0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
-			0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
-			0x65, 0xa4, 0x29, 0xc1,
-		},
-	},
-	// // This one takes too long
-	// {
-	// 	"password",
-	// 	"salt",
-	// 	16777216,
-	// 	[]byte{
-	// 		0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4,
-	// 		0xe9, 0x94, 0x5b, 0x3d, 0x6b, 0xa2, 0x15, 0x8c,
-	// 		0x26, 0x34, 0xe9, 0x84,
-	// 	},
-	// },
-	{
-		"passwordPASSWORDpassword",
-		"saltSALTsaltSALTsaltSALTsaltSALTsalt",
-		4096,
-		[]byte{
-			0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
-			0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
-			0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
-			0x38,
-		},
-	},
-	{
-		"pass\000word",
-		"sa\000lt",
-		4096,
-		[]byte{
-			0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
-			0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3,
-		},
-	},
-}
-
-// Test vectors from
-// http://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
-var sha256TestVectors = []testVector{
-	{
-		"password",
-		"salt",
-		1,
-		[]byte{
-			0x12, 0x0f, 0xb6, 0xcf, 0xfc, 0xf8, 0xb3, 0x2c,
-			0x43, 0xe7, 0x22, 0x52, 0x56, 0xc4, 0xf8, 0x37,
-			0xa8, 0x65, 0x48, 0xc9,
-		},
-	},
-	{
-		"password",
-		"salt",
-		2,
-		[]byte{
-			0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
-			0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
-			0x2a, 0x30, 0x3f, 0x8e,
-		},
-	},
-	{
-		"password",
-		"salt",
-		4096,
-		[]byte{
-			0xc5, 0xe4, 0x78, 0xd5, 0x92, 0x88, 0xc8, 0x41,
-			0xaa, 0x53, 0x0d, 0xb6, 0x84, 0x5c, 0x4c, 0x8d,
-			0x96, 0x28, 0x93, 0xa0,
-		},
-	},
-	{
-		"passwordPASSWORDpassword",
-		"saltSALTsaltSALTsaltSALTsaltSALTsalt",
-		4096,
-		[]byte{
-			0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
-			0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
-			0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
-			0x1c,
-		},
-	},
-	{
-		"pass\000word",
-		"sa\000lt",
-		4096,
-		[]byte{
-			0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89,
-			0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87,
-		},
-	},
-}
-
-func testHash(t *testing.T, h func() hash.Hash, hashName string, vectors []testVector) {
-	for i, v := range vectors {
-		o := Key([]byte(v.password), []byte(v.salt), v.iter, len(v.output), h)
-		if !bytes.Equal(o, v.output) {
-			t.Errorf("%s %d: expected %x, got %x", hashName, i, v.output, o)
-		}
-	}
-}
-
-func TestWithHMACSHA1(t *testing.T) {
-	testHash(t, sha1.New, "SHA1", sha1TestVectors)
-}
-
-func TestWithHMACSHA256(t *testing.T) {
-	testHash(t, sha256.New, "SHA256", sha256TestVectors)
-}
-
-var sink uint8
-
-func benchmark(b *testing.B, h func() hash.Hash) {
-	password := make([]byte, h().Size())
-	salt := make([]byte, 8)
-	for i := 0; i < b.N; i++ {
-		password = Key(password, salt, 4096, len(password), h)
-	}
-	sink += password[0]
-}
-
-func BenchmarkHMACSHA1(b *testing.B) {
-	benchmark(b, sha1.New)
-}
-
-func BenchmarkHMACSHA256(b *testing.B) {
-	benchmark(b, sha256.New)
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/bmp-string.go b/vendor/golang.org/x/crypto/pkcs12/bmp-string.go
deleted file mode 100644
index 233b8b62..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/bmp-string.go
+++ /dev/null
@@ -1,50 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"errors"
-	"unicode/utf16"
-)
-
-// bmpString returns s encoded in UCS-2 with a zero terminator.
-func bmpString(s string) ([]byte, error) {
-	// References:
-	// https://tools.ietf.org/html/rfc7292#appendix-B.1
-	// https://en.wikipedia.org/wiki/Plane_(Unicode)#Basic_Multilingual_Plane
-	//  - non-BMP characters are encoded in UTF 16 by using a surrogate pair of 16-bit codes
-	//	  EncodeRune returns 0xfffd if the rune does not need special encoding
-	//  - the above RFC provides the info that BMPStrings are NULL terminated.
-
-	ret := make([]byte, 0, 2*len(s)+2)
-
-	for _, r := range s {
-		if t, _ := utf16.EncodeRune(r); t != 0xfffd {
-			return nil, errors.New("pkcs12: string contains characters that cannot be encoded in UCS-2")
-		}
-		ret = append(ret, byte(r/256), byte(r%256))
-	}
-
-	return append(ret, 0, 0), nil
-}
-
-func decodeBMPString(bmpString []byte) (string, error) {
-	if len(bmpString)%2 != 0 {
-		return "", errors.New("pkcs12: odd-length BMP string")
-	}
-
-	// strip terminator if present
-	if l := len(bmpString); l >= 2 && bmpString[l-1] == 0 && bmpString[l-2] == 0 {
-		bmpString = bmpString[:l-2]
-	}
-
-	s := make([]uint16, 0, len(bmpString)/2)
-	for len(bmpString) > 0 {
-		s = append(s, uint16(bmpString[0])<<8+uint16(bmpString[1]))
-		bmpString = bmpString[2:]
-	}
-
-	return string(utf16.Decode(s)), nil
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/bmp-string_test.go b/vendor/golang.org/x/crypto/pkcs12/bmp-string_test.go
deleted file mode 100644
index 7fca55f4..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/bmp-string_test.go
+++ /dev/null
@@ -1,63 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"bytes"
-	"encoding/hex"
-	"testing"
-)
-
-var bmpStringTests = []struct {
-	in          string
-	expectedHex string
-	shouldFail  bool
-}{
-	{"", "0000", false},
-	// Example from https://tools.ietf.org/html/rfc7292#appendix-B.
-	{"Beavis", "0042006500610076006900730000", false},
-	// Some characters from the "Letterlike Symbols Unicode block".
-	{"\u2115 - Double-struck N", "21150020002d00200044006f00750062006c0065002d00730074007200750063006b0020004e0000", false},
-	// any character outside the BMP should trigger an error.
-	{"\U0001f000 East wind (Mahjong)", "", true},
-}
-
-func TestBMPString(t *testing.T) {
-	for i, test := range bmpStringTests {
-		expected, err := hex.DecodeString(test.expectedHex)
-		if err != nil {
-			t.Fatalf("#%d: failed to decode expectation", i)
-		}
-
-		out, err := bmpString(test.in)
-		if err == nil && test.shouldFail {
-			t.Errorf("#%d: expected to fail, but produced %x", i, out)
-			continue
-		}
-
-		if err != nil && !test.shouldFail {
-			t.Errorf("#%d: failed unexpectedly: %s", i, err)
-			continue
-		}
-
-		if !test.shouldFail {
-			if !bytes.Equal(out, expected) {
-				t.Errorf("#%d: expected %s, got %x", i, test.expectedHex, out)
-				continue
-			}
-
-			roundTrip, err := decodeBMPString(out)
-			if err != nil {
-				t.Errorf("#%d: decoding output gave an error: %s", i, err)
-				continue
-			}
-
-			if roundTrip != test.in {
-				t.Errorf("#%d: decoding output resulted in %q, but it should have been %q", i, roundTrip, test.in)
-				continue
-			}
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/crypto.go b/vendor/golang.org/x/crypto/pkcs12/crypto.go
deleted file mode 100644
index 484ca51b..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/crypto.go
+++ /dev/null
@@ -1,131 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"bytes"
-	"crypto/cipher"
-	"crypto/des"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"errors"
-
-	"golang.org/x/crypto/pkcs12/internal/rc2"
-)
-
-var (
-	oidPBEWithSHAAnd3KeyTripleDESCBC = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 12, 1, 3})
-	oidPBEWithSHAAnd40BitRC2CBC      = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 12, 1, 6})
-)
-
-// pbeCipher is an abstraction of a PKCS#12 cipher.
-type pbeCipher interface {
-	// create returns a cipher.Block given a key.
-	create(key []byte) (cipher.Block, error)
-	// deriveKey returns a key derived from the given password and salt.
-	deriveKey(salt, password []byte, iterations int) []byte
-	// deriveKey returns an IV derived from the given password and salt.
-	deriveIV(salt, password []byte, iterations int) []byte
-}
-
-type shaWithTripleDESCBC struct{}
-
-func (shaWithTripleDESCBC) create(key []byte) (cipher.Block, error) {
-	return des.NewTripleDESCipher(key)
-}
-
-func (shaWithTripleDESCBC) deriveKey(salt, password []byte, iterations int) []byte {
-	return pbkdf(sha1Sum, 20, 64, salt, password, iterations, 1, 24)
-}
-
-func (shaWithTripleDESCBC) deriveIV(salt, password []byte, iterations int) []byte {
-	return pbkdf(sha1Sum, 20, 64, salt, password, iterations, 2, 8)
-}
-
-type shaWith40BitRC2CBC struct{}
-
-func (shaWith40BitRC2CBC) create(key []byte) (cipher.Block, error) {
-	return rc2.New(key, len(key)*8)
-}
-
-func (shaWith40BitRC2CBC) deriveKey(salt, password []byte, iterations int) []byte {
-	return pbkdf(sha1Sum, 20, 64, salt, password, iterations, 1, 5)
-}
-
-func (shaWith40BitRC2CBC) deriveIV(salt, password []byte, iterations int) []byte {
-	return pbkdf(sha1Sum, 20, 64, salt, password, iterations, 2, 8)
-}
-
-type pbeParams struct {
-	Salt       []byte
-	Iterations int
-}
-
-func pbDecrypterFor(algorithm pkix.AlgorithmIdentifier, password []byte) (cipher.BlockMode, int, error) {
-	var cipherType pbeCipher
-
-	switch {
-	case algorithm.Algorithm.Equal(oidPBEWithSHAAnd3KeyTripleDESCBC):
-		cipherType = shaWithTripleDESCBC{}
-	case algorithm.Algorithm.Equal(oidPBEWithSHAAnd40BitRC2CBC):
-		cipherType = shaWith40BitRC2CBC{}
-	default:
-		return nil, 0, NotImplementedError("algorithm " + algorithm.Algorithm.String() + " is not supported")
-	}
-
-	var params pbeParams
-	if err := unmarshal(algorithm.Parameters.FullBytes, &params); err != nil {
-		return nil, 0, err
-	}
-
-	key := cipherType.deriveKey(params.Salt, password, params.Iterations)
-	iv := cipherType.deriveIV(params.Salt, password, params.Iterations)
-
-	block, err := cipherType.create(key)
-	if err != nil {
-		return nil, 0, err
-	}
-
-	return cipher.NewCBCDecrypter(block, iv), block.BlockSize(), nil
-}
-
-func pbDecrypt(info decryptable, password []byte) (decrypted []byte, err error) {
-	cbc, blockSize, err := pbDecrypterFor(info.Algorithm(), password)
-	if err != nil {
-		return nil, err
-	}
-
-	encrypted := info.Data()
-	if len(encrypted) == 0 {
-		return nil, errors.New("pkcs12: empty encrypted data")
-	}
-	if len(encrypted)%blockSize != 0 {
-		return nil, errors.New("pkcs12: input is not a multiple of the block size")
-	}
-	decrypted = make([]byte, len(encrypted))
-	cbc.CryptBlocks(decrypted, encrypted)
-
-	psLen := int(decrypted[len(decrypted)-1])
-	if psLen == 0 || psLen > blockSize {
-		return nil, ErrDecryption
-	}
-
-	if len(decrypted) < psLen {
-		return nil, ErrDecryption
-	}
-	ps := decrypted[len(decrypted)-psLen:]
-	decrypted = decrypted[:len(decrypted)-psLen]
-	if bytes.Compare(ps, bytes.Repeat([]byte{byte(psLen)}, psLen)) != 0 {
-		return nil, ErrDecryption
-	}
-
-	return
-}
-
-// decryptable abstracts an object that contains ciphertext.
-type decryptable interface {
-	Algorithm() pkix.AlgorithmIdentifier
-	Data() []byte
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/crypto_test.go b/vendor/golang.org/x/crypto/pkcs12/crypto_test.go
deleted file mode 100644
index eb4dae8f..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/crypto_test.go
+++ /dev/null
@@ -1,125 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"bytes"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"testing"
-)
-
-var sha1WithTripleDES = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 12, 1, 3})
-
-func TestPbDecrypterFor(t *testing.T) {
-	params, _ := asn1.Marshal(pbeParams{
-		Salt:       []byte{1, 2, 3, 4, 5, 6, 7, 8},
-		Iterations: 2048,
-	})
-	alg := pkix.AlgorithmIdentifier{
-		Algorithm: asn1.ObjectIdentifier([]int{1, 2, 3}),
-		Parameters: asn1.RawValue{
-			FullBytes: params,
-		},
-	}
-
-	pass, _ := bmpString("Sesame open")
-
-	_, _, err := pbDecrypterFor(alg, pass)
-	if _, ok := err.(NotImplementedError); !ok {
-		t.Errorf("expected not implemented error, got: %T %s", err, err)
-	}
-
-	alg.Algorithm = sha1WithTripleDES
-	cbc, blockSize, err := pbDecrypterFor(alg, pass)
-	if err != nil {
-		t.Errorf("unexpected error from pbDecrypterFor %v", err)
-	}
-	if blockSize != 8 {
-		t.Errorf("unexpected block size %d, wanted 8", blockSize)
-	}
-
-	plaintext := []byte{1, 2, 3, 4, 5, 6, 7, 8}
-	expectedCiphertext := []byte{185, 73, 135, 249, 137, 1, 122, 247}
-	ciphertext := make([]byte, len(plaintext))
-	cbc.CryptBlocks(ciphertext, plaintext)
-
-	if bytes.Compare(ciphertext, expectedCiphertext) != 0 {
-		t.Errorf("bad ciphertext, got %x but wanted %x", ciphertext, expectedCiphertext)
-	}
-}
-
-var pbDecryptTests = []struct {
-	in            []byte
-	expected      []byte
-	expectedError error
-}{
-	{
-		[]byte("\x33\x73\xf3\x9f\xda\x49\xae\xfc\xa0\x9a\xdf\x5a\x58\xa0\xea\x46"), // 7 padding bytes
-		[]byte("A secret!"),
-		nil,
-	},
-	{
-		[]byte("\x33\x73\xf3\x9f\xda\x49\xae\xfc\x96\x24\x2f\x71\x7e\x32\x3f\xe7"), // 8 padding bytes
-		[]byte("A secret"),
-		nil,
-	},
-	{
-		[]byte("\x35\x0c\xc0\x8d\xab\xa9\x5d\x30\x7f\x9a\xec\x6a\xd8\x9b\x9c\xd9"), // 9 padding bytes, incorrect
-		nil,
-		ErrDecryption,
-	},
-	{
-		[]byte("\xb2\xf9\x6e\x06\x60\xae\x20\xcf\x08\xa0\x7b\xd9\x6b\x20\xef\x41"), // incorrect padding bytes: [ ... 0x04 0x02 ]
-		nil,
-		ErrDecryption,
-	},
-}
-
-func TestPbDecrypt(t *testing.T) {
-	for i, test := range pbDecryptTests {
-		decryptable := testDecryptable{
-			data: test.in,
-			algorithm: pkix.AlgorithmIdentifier{
-				Algorithm: sha1WithTripleDES,
-				Parameters: pbeParams{
-					Salt:       []byte("\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8"),
-					Iterations: 4096,
-				}.RawASN1(),
-			},
-		}
-		password, _ := bmpString("sesame")
-
-		plaintext, err := pbDecrypt(decryptable, password)
-		if err != test.expectedError {
-			t.Errorf("#%d: got error %q, but wanted %q", i, err, test.expectedError)
-			continue
-		}
-
-		if !bytes.Equal(plaintext, test.expected) {
-			t.Errorf("#%d: got %x, but wanted %x", i, plaintext, test.expected)
-		}
-	}
-}
-
-type testDecryptable struct {
-	data      []byte
-	algorithm pkix.AlgorithmIdentifier
-}
-
-func (d testDecryptable) Algorithm() pkix.AlgorithmIdentifier { return d.algorithm }
-func (d testDecryptable) Data() []byte                        { return d.data }
-
-func (params pbeParams) RawASN1() (raw asn1.RawValue) {
-	asn1Bytes, err := asn1.Marshal(params)
-	if err != nil {
-		panic(err)
-	}
-	_, err = asn1.Unmarshal(asn1Bytes, &raw)
-	if err != nil {
-		panic(err)
-	}
-	return
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/errors.go b/vendor/golang.org/x/crypto/pkcs12/errors.go
deleted file mode 100644
index 7377ce6f..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/errors.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import "errors"
-
-var (
-	// ErrDecryption represents a failure to decrypt the input.
-	ErrDecryption = errors.New("pkcs12: decryption error, incorrect padding")
-
-	// ErrIncorrectPassword is returned when an incorrect password is detected.
-	// Usually, P12/PFX data is signed to be able to verify the password.
-	ErrIncorrectPassword = errors.New("pkcs12: decryption password incorrect")
-)
-
-// NotImplementedError indicates that the input is not currently supported.
-type NotImplementedError string
-
-func (e NotImplementedError) Error() string {
-	return "pkcs12: " + string(e)
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/internal/rc2/bench_test.go b/vendor/golang.org/x/crypto/pkcs12/internal/rc2/bench_test.go
deleted file mode 100644
index 3347f338..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/internal/rc2/bench_test.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package rc2
-
-import (
-	"testing"
-)
-
-func BenchmarkEncrypt(b *testing.B) {
-	r, _ := New([]byte{0, 0, 0, 0, 0, 0, 0, 0}, 64)
-	b.ResetTimer()
-	var src [8]byte
-	for i := 0; i < b.N; i++ {
-		r.Encrypt(src[:], src[:])
-	}
-}
-
-func BenchmarkDecrypt(b *testing.B) {
-	r, _ := New([]byte{0, 0, 0, 0, 0, 0, 0, 0}, 64)
-	b.ResetTimer()
-	var src [8]byte
-	for i := 0; i < b.N; i++ {
-		r.Decrypt(src[:], src[:])
-	}
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2.go b/vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2.go
deleted file mode 100644
index 7499e3fb..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2.go
+++ /dev/null
@@ -1,271 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package rc2 implements the RC2 cipher
-/*
-https://www.ietf.org/rfc/rfc2268.txt
-http://people.csail.mit.edu/rivest/pubs/KRRR98.pdf
-
-This code is licensed under the MIT license.
-*/
-package rc2
-
-import (
-	"crypto/cipher"
-	"encoding/binary"
-)
-
-// The rc2 block size in bytes
-const BlockSize = 8
-
-type rc2Cipher struct {
-	k [64]uint16
-}
-
-// New returns a new rc2 cipher with the given key and effective key length t1
-func New(key []byte, t1 int) (cipher.Block, error) {
-	// TODO(dgryski): error checking for key length
-	return &rc2Cipher{
-		k: expandKey(key, t1),
-	}, nil
-}
-
-func (*rc2Cipher) BlockSize() int { return BlockSize }
-
-var piTable = [256]byte{
-	0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d,
-	0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e, 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2,
-	0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32,
-	0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82,
-	0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c, 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc,
-	0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26,
-	0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03,
-	0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7, 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7,
-	0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a,
-	0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec,
-	0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc, 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39,
-	0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31,
-	0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9,
-	0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c, 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9,
-	0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e,
-	0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad,
-}
-
-func expandKey(key []byte, t1 int) [64]uint16 {
-
-	l := make([]byte, 128)
-	copy(l, key)
-
-	var t = len(key)
-	var t8 = (t1 + 7) / 8
-	var tm = byte(255 % uint(1<<(8+uint(t1)-8*uint(t8))))
-
-	for i := len(key); i < 128; i++ {
-		l[i] = piTable[l[i-1]+l[uint8(i-t)]]
-	}
-
-	l[128-t8] = piTable[l[128-t8]&tm]
-
-	for i := 127 - t8; i >= 0; i-- {
-		l[i] = piTable[l[i+1]^l[i+t8]]
-	}
-
-	var k [64]uint16
-
-	for i := range k {
-		k[i] = uint16(l[2*i]) + uint16(l[2*i+1])*256
-	}
-
-	return k
-}
-
-func rotl16(x uint16, b uint) uint16 {
-	return (x >> (16 - b)) | (x << b)
-}
-
-func (c *rc2Cipher) Encrypt(dst, src []byte) {
-
-	r0 := binary.LittleEndian.Uint16(src[0:])
-	r1 := binary.LittleEndian.Uint16(src[2:])
-	r2 := binary.LittleEndian.Uint16(src[4:])
-	r3 := binary.LittleEndian.Uint16(src[6:])
-
-	var j int
-
-	for j <= 16 {
-		// mix r0
-		r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
-		r0 = rotl16(r0, 1)
-		j++
-
-		// mix r1
-		r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
-		r1 = rotl16(r1, 2)
-		j++
-
-		// mix r2
-		r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
-		r2 = rotl16(r2, 3)
-		j++
-
-		// mix r3
-		r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
-		r3 = rotl16(r3, 5)
-		j++
-
-	}
-
-	r0 = r0 + c.k[r3&63]
-	r1 = r1 + c.k[r0&63]
-	r2 = r2 + c.k[r1&63]
-	r3 = r3 + c.k[r2&63]
-
-	for j <= 40 {
-		// mix r0
-		r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
-		r0 = rotl16(r0, 1)
-		j++
-
-		// mix r1
-		r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
-		r1 = rotl16(r1, 2)
-		j++
-
-		// mix r2
-		r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
-		r2 = rotl16(r2, 3)
-		j++
-
-		// mix r3
-		r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
-		r3 = rotl16(r3, 5)
-		j++
-
-	}
-
-	r0 = r0 + c.k[r3&63]
-	r1 = r1 + c.k[r0&63]
-	r2 = r2 + c.k[r1&63]
-	r3 = r3 + c.k[r2&63]
-
-	for j <= 60 {
-		// mix r0
-		r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
-		r0 = rotl16(r0, 1)
-		j++
-
-		// mix r1
-		r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
-		r1 = rotl16(r1, 2)
-		j++
-
-		// mix r2
-		r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
-		r2 = rotl16(r2, 3)
-		j++
-
-		// mix r3
-		r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
-		r3 = rotl16(r3, 5)
-		j++
-	}
-
-	binary.LittleEndian.PutUint16(dst[0:], r0)
-	binary.LittleEndian.PutUint16(dst[2:], r1)
-	binary.LittleEndian.PutUint16(dst[4:], r2)
-	binary.LittleEndian.PutUint16(dst[6:], r3)
-}
-
-func (c *rc2Cipher) Decrypt(dst, src []byte) {
-
-	r0 := binary.LittleEndian.Uint16(src[0:])
-	r1 := binary.LittleEndian.Uint16(src[2:])
-	r2 := binary.LittleEndian.Uint16(src[4:])
-	r3 := binary.LittleEndian.Uint16(src[6:])
-
-	j := 63
-
-	for j >= 44 {
-		// unmix r3
-		r3 = rotl16(r3, 16-5)
-		r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
-		j--
-
-		// unmix r2
-		r2 = rotl16(r2, 16-3)
-		r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
-		j--
-
-		// unmix r1
-		r1 = rotl16(r1, 16-2)
-		r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
-		j--
-
-		// unmix r0
-		r0 = rotl16(r0, 16-1)
-		r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
-		j--
-	}
-
-	r3 = r3 - c.k[r2&63]
-	r2 = r2 - c.k[r1&63]
-	r1 = r1 - c.k[r0&63]
-	r0 = r0 - c.k[r3&63]
-
-	for j >= 20 {
-		// unmix r3
-		r3 = rotl16(r3, 16-5)
-		r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
-		j--
-
-		// unmix r2
-		r2 = rotl16(r2, 16-3)
-		r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
-		j--
-
-		// unmix r1
-		r1 = rotl16(r1, 16-2)
-		r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
-		j--
-
-		// unmix r0
-		r0 = rotl16(r0, 16-1)
-		r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
-		j--
-
-	}
-
-	r3 = r3 - c.k[r2&63]
-	r2 = r2 - c.k[r1&63]
-	r1 = r1 - c.k[r0&63]
-	r0 = r0 - c.k[r3&63]
-
-	for j >= 0 {
-		// unmix r3
-		r3 = rotl16(r3, 16-5)
-		r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
-		j--
-
-		// unmix r2
-		r2 = rotl16(r2, 16-3)
-		r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
-		j--
-
-		// unmix r1
-		r1 = rotl16(r1, 16-2)
-		r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
-		j--
-
-		// unmix r0
-		r0 = rotl16(r0, 16-1)
-		r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
-		j--
-
-	}
-
-	binary.LittleEndian.PutUint16(dst[0:], r0)
-	binary.LittleEndian.PutUint16(dst[2:], r1)
-	binary.LittleEndian.PutUint16(dst[4:], r2)
-	binary.LittleEndian.PutUint16(dst[6:], r3)
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2_test.go b/vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2_test.go
deleted file mode 100644
index 51a7efe5..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2_test.go
+++ /dev/null
@@ -1,92 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package rc2
-
-import (
-	"bytes"
-	"encoding/hex"
-	"testing"
-)
-
-func TestEncryptDecrypt(t *testing.T) {
-	// TODO(dgryski): add the rest of the test vectors from the RFC
-	var tests = []struct {
-		key    string
-		plain  string
-		cipher string
-		t1     int
-	}{
-		{
-			"0000000000000000",
-			"0000000000000000",
-			"ebb773f993278eff",
-			63,
-		},
-		{
-			"ffffffffffffffff",
-			"ffffffffffffffff",
-			"278b27e42e2f0d49",
-			64,
-		},
-		{
-			"3000000000000000",
-			"1000000000000001",
-			"30649edf9be7d2c2",
-			64,
-		},
-		{
-			"88",
-			"0000000000000000",
-			"61a8a244adacccf0",
-			64,
-		},
-		{
-			"88bca90e90875a",
-			"0000000000000000",
-			"6ccf4308974c267f",
-			64,
-		},
-		{
-			"88bca90e90875a7f0f79c384627bafb2",
-			"0000000000000000",
-			"1a807d272bbe5db1",
-			64,
-		},
-		{
-			"88bca90e90875a7f0f79c384627bafb2",
-			"0000000000000000",
-			"2269552ab0f85ca6",
-			128,
-		},
-		{
-			"88bca90e90875a7f0f79c384627bafb216f80a6f85920584c42fceb0be255daf1e",
-			"0000000000000000",
-			"5b78d3a43dfff1f1",
-			129,
-		},
-	}
-
-	for _, tt := range tests {
-		k, _ := hex.DecodeString(tt.key)
-		p, _ := hex.DecodeString(tt.plain)
-		c, _ := hex.DecodeString(tt.cipher)
-
-		b, _ := New(k, tt.t1)
-
-		var dst [8]byte
-
-		b.Encrypt(dst[:], p)
-
-		if !bytes.Equal(dst[:], c) {
-			t.Errorf("encrypt failed: got % 2x wanted % 2x\n", dst, c)
-		}
-
-		b.Decrypt(dst[:], c)
-
-		if !bytes.Equal(dst[:], p) {
-			t.Errorf("decrypt failed: got % 2x wanted % 2x\n", dst, p)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/mac.go b/vendor/golang.org/x/crypto/pkcs12/mac.go
deleted file mode 100644
index 5f38aa7d..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/mac.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"crypto/hmac"
-	"crypto/sha1"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-)
-
-type macData struct {
-	Mac        digestInfo
-	MacSalt    []byte
-	Iterations int `asn1:"optional,default:1"`
-}
-
-// from PKCS#7:
-type digestInfo struct {
-	Algorithm pkix.AlgorithmIdentifier
-	Digest    []byte
-}
-
-var (
-	oidSHA1 = asn1.ObjectIdentifier([]int{1, 3, 14, 3, 2, 26})
-)
-
-func verifyMac(macData *macData, message, password []byte) error {
-	if !macData.Mac.Algorithm.Algorithm.Equal(oidSHA1) {
-		return NotImplementedError("unknown digest algorithm: " + macData.Mac.Algorithm.Algorithm.String())
-	}
-
-	key := pbkdf(sha1Sum, 20, 64, macData.MacSalt, password, macData.Iterations, 3, 20)
-
-	mac := hmac.New(sha1.New, key)
-	mac.Write(message)
-	expectedMAC := mac.Sum(nil)
-
-	if !hmac.Equal(macData.Mac.Digest, expectedMAC) {
-		return ErrIncorrectPassword
-	}
-	return nil
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/mac_test.go b/vendor/golang.org/x/crypto/pkcs12/mac_test.go
deleted file mode 100644
index 1ed4ff21..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/mac_test.go
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"encoding/asn1"
-	"testing"
-)
-
-func TestVerifyMac(t *testing.T) {
-	td := macData{
-		Mac: digestInfo{
-			Digest: []byte{0x18, 0x20, 0x3d, 0xff, 0x1e, 0x16, 0xf4, 0x92, 0xf2, 0xaf, 0xc8, 0x91, 0xa9, 0xba, 0xd6, 0xca, 0x9d, 0xee, 0x51, 0x93},
-		},
-		MacSalt:    []byte{1, 2, 3, 4, 5, 6, 7, 8},
-		Iterations: 2048,
-	}
-
-	message := []byte{11, 12, 13, 14, 15}
-	password, _ := bmpString("")
-
-	td.Mac.Algorithm.Algorithm = asn1.ObjectIdentifier([]int{1, 2, 3})
-	err := verifyMac(&td, message, password)
-	if _, ok := err.(NotImplementedError); !ok {
-		t.Errorf("err: %v", err)
-	}
-
-	td.Mac.Algorithm.Algorithm = asn1.ObjectIdentifier([]int{1, 3, 14, 3, 2, 26})
-	err = verifyMac(&td, message, password)
-	if err != ErrIncorrectPassword {
-		t.Errorf("Expected incorrect password, got err: %v", err)
-	}
-
-	password, _ = bmpString("Sesame open")
-	err = verifyMac(&td, message, password)
-	if err != nil {
-		t.Errorf("err: %v", err)
-	}
-
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/pbkdf.go b/vendor/golang.org/x/crypto/pkcs12/pbkdf.go
deleted file mode 100644
index 5c419d41..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/pbkdf.go
+++ /dev/null
@@ -1,170 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"bytes"
-	"crypto/sha1"
-	"math/big"
-)
-
-var (
-	one = big.NewInt(1)
-)
-
-// sha1Sum returns the SHA-1 hash of in.
-func sha1Sum(in []byte) []byte {
-	sum := sha1.Sum(in)
-	return sum[:]
-}
-
-// fillWithRepeats returns v*ceiling(len(pattern) / v) bytes consisting of
-// repeats of pattern.
-func fillWithRepeats(pattern []byte, v int) []byte {
-	if len(pattern) == 0 {
-		return nil
-	}
-	outputLen := v * ((len(pattern) + v - 1) / v)
-	return bytes.Repeat(pattern, (outputLen+len(pattern)-1)/len(pattern))[:outputLen]
-}
-
-func pbkdf(hash func([]byte) []byte, u, v int, salt, password []byte, r int, ID byte, size int) (key []byte) {
-	// implementation of https://tools.ietf.org/html/rfc7292#appendix-B.2 , RFC text verbatim in comments
-
-	//    Let H be a hash function built around a compression function f:
-
-	//       Z_2^u x Z_2^v -> Z_2^u
-
-	//    (that is, H has a chaining variable and output of length u bits, and
-	//    the message input to the compression function of H is v bits).  The
-	//    values for u and v are as follows:
-
-	//            HASH FUNCTION     VALUE u        VALUE v
-	//              MD2, MD5          128            512
-	//                SHA-1           160            512
-	//               SHA-224          224            512
-	//               SHA-256          256            512
-	//               SHA-384          384            1024
-	//               SHA-512          512            1024
-	//             SHA-512/224        224            1024
-	//             SHA-512/256        256            1024
-
-	//    Furthermore, let r be the iteration count.
-
-	//    We assume here that u and v are both multiples of 8, as are the
-	//    lengths of the password and salt strings (which we denote by p and s,
-	//    respectively) and the number n of pseudorandom bits required.  In
-	//    addition, u and v are of course non-zero.
-
-	//    For information on security considerations for MD5 [19], see [25] and
-	//    [1], and on those for MD2, see [18].
-
-	//    The following procedure can be used to produce pseudorandom bits for
-	//    a particular "purpose" that is identified by a byte called "ID".
-	//    This standard specifies 3 different values for the ID byte:
-
-	//    1.  If ID=1, then the pseudorandom bits being produced are to be used
-	//        as key material for performing encryption or decryption.
-
-	//    2.  If ID=2, then the pseudorandom bits being produced are to be used
-	//        as an IV (Initial Value) for encryption or decryption.
-
-	//    3.  If ID=3, then the pseudorandom bits being produced are to be used
-	//        as an integrity key for MACing.
-
-	//    1.  Construct a string, D (the "diversifier"), by concatenating v/8
-	//        copies of ID.
-	var D []byte
-	for i := 0; i < v; i++ {
-		D = append(D, ID)
-	}
-
-	//    2.  Concatenate copies of the salt together to create a string S of
-	//        length v(ceiling(s/v)) bits (the final copy of the salt may be
-	//        truncated to create S).  Note that if the salt is the empty
-	//        string, then so is S.
-
-	S := fillWithRepeats(salt, v)
-
-	//    3.  Concatenate copies of the password together to create a string P
-	//        of length v(ceiling(p/v)) bits (the final copy of the password
-	//        may be truncated to create P).  Note that if the password is the
-	//        empty string, then so is P.
-
-	P := fillWithRepeats(password, v)
-
-	//    4.  Set I=S||P to be the concatenation of S and P.
-	I := append(S, P...)
-
-	//    5.  Set c=ceiling(n/u).
-	c := (size + u - 1) / u
-
-	//    6.  For i=1, 2, ..., c, do the following:
-	A := make([]byte, c*20)
-	var IjBuf []byte
-	for i := 0; i < c; i++ {
-		//        A.  Set A2=H^r(D||I). (i.e., the r-th hash of D||1,
-		//            H(H(H(... H(D||I))))
-		Ai := hash(append(D, I...))
-		for j := 1; j < r; j++ {
-			Ai = hash(Ai)
-		}
-		copy(A[i*20:], Ai[:])
-
-		if i < c-1 { // skip on last iteration
-			// B.  Concatenate copies of Ai to create a string B of length v
-			//     bits (the final copy of Ai may be truncated to create B).
-			var B []byte
-			for len(B) < v {
-				B = append(B, Ai[:]...)
-			}
-			B = B[:v]
-
-			// C.  Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit
-			//     blocks, where k=ceiling(s/v)+ceiling(p/v), modify I by
-			//     setting I_j=(I_j+B+1) mod 2^v for each j.
-			{
-				Bbi := new(big.Int).SetBytes(B)
-				Ij := new(big.Int)
-
-				for j := 0; j < len(I)/v; j++ {
-					Ij.SetBytes(I[j*v : (j+1)*v])
-					Ij.Add(Ij, Bbi)
-					Ij.Add(Ij, one)
-					Ijb := Ij.Bytes()
-					// We expect Ijb to be exactly v bytes,
-					// if it is longer or shorter we must
-					// adjust it accordingly.
-					if len(Ijb) > v {
-						Ijb = Ijb[len(Ijb)-v:]
-					}
-					if len(Ijb) < v {
-						if IjBuf == nil {
-							IjBuf = make([]byte, v)
-						}
-						bytesShort := v - len(Ijb)
-						for i := 0; i < bytesShort; i++ {
-							IjBuf[i] = 0
-						}
-						copy(IjBuf[bytesShort:], Ijb)
-						Ijb = IjBuf
-					}
-					copy(I[j*v:(j+1)*v], Ijb)
-				}
-			}
-		}
-	}
-	//    7.  Concatenate A_1, A_2, ..., A_c together to form a pseudorandom
-	//        bit string, A.
-
-	//    8.  Use the first n bits of A as the output of this entire process.
-	return A[:size]
-
-	//    If the above process is being used to generate a DES key, the process
-	//    should be used to create 64 random bits, and the key's parity bits
-	//    should be set after the 64 bits have been produced.  Similar concerns
-	//    hold for 2-key and 3-key triple-DES keys, for CDMF keys, and for any
-	//    similar keys with parity bits "built into them".
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/pbkdf_test.go b/vendor/golang.org/x/crypto/pkcs12/pbkdf_test.go
deleted file mode 100644
index 262037d7..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/pbkdf_test.go
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"bytes"
-	"testing"
-)
-
-func TestThatPBKDFWorksCorrectlyForLongKeys(t *testing.T) {
-	cipherInfo := shaWithTripleDESCBC{}
-
-	salt := []byte("\xff\xff\xff\xff\xff\xff\xff\xff")
-	password, _ := bmpString("sesame")
-	key := cipherInfo.deriveKey(salt, password, 2048)
-
-	if expected := []byte("\x7c\xd9\xfd\x3e\x2b\x3b\xe7\x69\x1a\x44\xe3\xbe\xf0\xf9\xea\x0f\xb9\xb8\x97\xd4\xe3\x25\xd9\xd1"); bytes.Compare(key, expected) != 0 {
-		t.Fatalf("expected key '%x', but found '%x'", expected, key)
-	}
-}
-
-func TestThatPBKDFHandlesLeadingZeros(t *testing.T) {
-	// This test triggers a case where I_j (in step 6C) ends up with leading zero
-	// byte, meaning that len(Ijb) < v (leading zeros get stripped by big.Int).
-	// This was previously causing bug whereby certain inputs would break the
-	// derivation and produce the wrong output.
-	key := pbkdf(sha1Sum, 20, 64, []byte("\xf3\x7e\x05\xb5\x18\x32\x4b\x4b"), []byte("\x00\x00"), 2048, 1, 24)
-	expected := []byte("\x00\xf7\x59\xff\x47\xd1\x4d\xd0\x36\x65\xd5\x94\x3c\xb3\xc4\xa3\x9a\x25\x55\xc0\x2a\xed\x66\xe1")
-	if bytes.Compare(key, expected) != 0 {
-		t.Fatalf("expected key '%x', but found '%x'", expected, key)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/pkcs12.go b/vendor/golang.org/x/crypto/pkcs12/pkcs12.go
deleted file mode 100644
index eff9ad3a..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/pkcs12.go
+++ /dev/null
@@ -1,346 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package pkcs12 implements some of PKCS#12.
-//
-// This implementation is distilled from https://tools.ietf.org/html/rfc7292
-// and referenced documents. It is intended for decoding P12/PFX-stored
-// certificates and keys for use with the crypto/tls package.
-package pkcs12
-
-import (
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/hex"
-	"encoding/pem"
-	"errors"
-)
-
-var (
-	oidDataContentType          = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 7, 1})
-	oidEncryptedDataContentType = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 7, 6})
-
-	oidFriendlyName     = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 9, 20})
-	oidLocalKeyID       = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 9, 21})
-	oidMicrosoftCSPName = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 311, 17, 1})
-)
-
-type pfxPdu struct {
-	Version  int
-	AuthSafe contentInfo
-	MacData  macData `asn1:"optional"`
-}
-
-type contentInfo struct {
-	ContentType asn1.ObjectIdentifier
-	Content     asn1.RawValue `asn1:"tag:0,explicit,optional"`
-}
-
-type encryptedData struct {
-	Version              int
-	EncryptedContentInfo encryptedContentInfo
-}
-
-type encryptedContentInfo struct {
-	ContentType                asn1.ObjectIdentifier
-	ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
-	EncryptedContent           []byte `asn1:"tag:0,optional"`
-}
-
-func (i encryptedContentInfo) Algorithm() pkix.AlgorithmIdentifier {
-	return i.ContentEncryptionAlgorithm
-}
-
-func (i encryptedContentInfo) Data() []byte { return i.EncryptedContent }
-
-type safeBag struct {
-	Id         asn1.ObjectIdentifier
-	Value      asn1.RawValue     `asn1:"tag:0,explicit"`
-	Attributes []pkcs12Attribute `asn1:"set,optional"`
-}
-
-type pkcs12Attribute struct {
-	Id    asn1.ObjectIdentifier
-	Value asn1.RawValue `asn1:"set"`
-}
-
-type encryptedPrivateKeyInfo struct {
-	AlgorithmIdentifier pkix.AlgorithmIdentifier
-	EncryptedData       []byte
-}
-
-func (i encryptedPrivateKeyInfo) Algorithm() pkix.AlgorithmIdentifier {
-	return i.AlgorithmIdentifier
-}
-
-func (i encryptedPrivateKeyInfo) Data() []byte {
-	return i.EncryptedData
-}
-
-// PEM block types
-const (
-	certificateType = "CERTIFICATE"
-	privateKeyType  = "PRIVATE KEY"
-)
-
-// unmarshal calls asn1.Unmarshal, but also returns an error if there is any
-// trailing data after unmarshaling.
-func unmarshal(in []byte, out interface{}) error {
-	trailing, err := asn1.Unmarshal(in, out)
-	if err != nil {
-		return err
-	}
-	if len(trailing) != 0 {
-		return errors.New("pkcs12: trailing data found")
-	}
-	return nil
-}
-
-// ConvertToPEM converts all "safe bags" contained in pfxData to PEM blocks.
-func ToPEM(pfxData []byte, password string) ([]*pem.Block, error) {
-	encodedPassword, err := bmpString(password)
-	if err != nil {
-		return nil, ErrIncorrectPassword
-	}
-
-	bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword)
-
-	if err != nil {
-		return nil, err
-	}
-
-	blocks := make([]*pem.Block, 0, len(bags))
-	for _, bag := range bags {
-		block, err := convertBag(&bag, encodedPassword)
-		if err != nil {
-			return nil, err
-		}
-		blocks = append(blocks, block)
-	}
-
-	return blocks, nil
-}
-
-func convertBag(bag *safeBag, password []byte) (*pem.Block, error) {
-	block := &pem.Block{
-		Headers: make(map[string]string),
-	}
-
-	for _, attribute := range bag.Attributes {
-		k, v, err := convertAttribute(&attribute)
-		if err != nil {
-			return nil, err
-		}
-		block.Headers[k] = v
-	}
-
-	switch {
-	case bag.Id.Equal(oidCertBag):
-		block.Type = certificateType
-		certsData, err := decodeCertBag(bag.Value.Bytes)
-		if err != nil {
-			return nil, err
-		}
-		block.Bytes = certsData
-	case bag.Id.Equal(oidPKCS8ShroundedKeyBag):
-		block.Type = privateKeyType
-
-		key, err := decodePkcs8ShroudedKeyBag(bag.Value.Bytes, password)
-		if err != nil {
-			return nil, err
-		}
-
-		switch key := key.(type) {
-		case *rsa.PrivateKey:
-			block.Bytes = x509.MarshalPKCS1PrivateKey(key)
-		case *ecdsa.PrivateKey:
-			block.Bytes, err = x509.MarshalECPrivateKey(key)
-			if err != nil {
-				return nil, err
-			}
-		default:
-			return nil, errors.New("found unknown private key type in PKCS#8 wrapping")
-		}
-	default:
-		return nil, errors.New("don't know how to convert a safe bag of type " + bag.Id.String())
-	}
-	return block, nil
-}
-
-func convertAttribute(attribute *pkcs12Attribute) (key, value string, err error) {
-	isString := false
-
-	switch {
-	case attribute.Id.Equal(oidFriendlyName):
-		key = "friendlyName"
-		isString = true
-	case attribute.Id.Equal(oidLocalKeyID):
-		key = "localKeyId"
-	case attribute.Id.Equal(oidMicrosoftCSPName):
-		// This key is chosen to match OpenSSL.
-		key = "Microsoft CSP Name"
-		isString = true
-	default:
-		return "", "", errors.New("pkcs12: unknown attribute with OID " + attribute.Id.String())
-	}
-
-	if isString {
-		if err := unmarshal(attribute.Value.Bytes, &attribute.Value); err != nil {
-			return "", "", err
-		}
-		if value, err = decodeBMPString(attribute.Value.Bytes); err != nil {
-			return "", "", err
-		}
-	} else {
-		var id []byte
-		if err := unmarshal(attribute.Value.Bytes, &id); err != nil {
-			return "", "", err
-		}
-		value = hex.EncodeToString(id)
-	}
-
-	return key, value, nil
-}
-
-// Decode extracts a certificate and private key from pfxData. This function
-// assumes that there is only one certificate and only one private key in the
-// pfxData.
-func Decode(pfxData []byte, password string) (privateKey interface{}, certificate *x509.Certificate, err error) {
-	encodedPassword, err := bmpString(password)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if len(bags) != 2 {
-		err = errors.New("pkcs12: expected exactly two safe bags in the PFX PDU")
-		return
-	}
-
-	for _, bag := range bags {
-		switch {
-		case bag.Id.Equal(oidCertBag):
-			if certificate != nil {
-				err = errors.New("pkcs12: expected exactly one certificate bag")
-			}
-
-			certsData, err := decodeCertBag(bag.Value.Bytes)
-			if err != nil {
-				return nil, nil, err
-			}
-			certs, err := x509.ParseCertificates(certsData)
-			if err != nil {
-				return nil, nil, err
-			}
-			if len(certs) != 1 {
-				err = errors.New("pkcs12: expected exactly one certificate in the certBag")
-				return nil, nil, err
-			}
-			certificate = certs[0]
-
-		case bag.Id.Equal(oidPKCS8ShroundedKeyBag):
-			if privateKey != nil {
-				err = errors.New("pkcs12: expected exactly one key bag")
-			}
-
-			if privateKey, err = decodePkcs8ShroudedKeyBag(bag.Value.Bytes, encodedPassword); err != nil {
-				return nil, nil, err
-			}
-		}
-	}
-
-	if certificate == nil {
-		return nil, nil, errors.New("pkcs12: certificate missing")
-	}
-	if privateKey == nil {
-		return nil, nil, errors.New("pkcs12: private key missing")
-	}
-
-	return
-}
-
-func getSafeContents(p12Data, password []byte) (bags []safeBag, updatedPassword []byte, err error) {
-	pfx := new(pfxPdu)
-	if err := unmarshal(p12Data, pfx); err != nil {
-		return nil, nil, errors.New("pkcs12: error reading P12 data: " + err.Error())
-	}
-
-	if pfx.Version != 3 {
-		return nil, nil, NotImplementedError("can only decode v3 PFX PDU's")
-	}
-
-	if !pfx.AuthSafe.ContentType.Equal(oidDataContentType) {
-		return nil, nil, NotImplementedError("only password-protected PFX is implemented")
-	}
-
-	// unmarshal the explicit bytes in the content for type 'data'
-	if err := unmarshal(pfx.AuthSafe.Content.Bytes, &pfx.AuthSafe.Content); err != nil {
-		return nil, nil, err
-	}
-
-	if len(pfx.MacData.Mac.Algorithm.Algorithm) == 0 {
-		return nil, nil, errors.New("pkcs12: no MAC in data")
-	}
-
-	if err := verifyMac(&pfx.MacData, pfx.AuthSafe.Content.Bytes, password); err != nil {
-		if err == ErrIncorrectPassword && len(password) == 2 && password[0] == 0 && password[1] == 0 {
-			// some implementations use an empty byte array
-			// for the empty string password try one more
-			// time with empty-empty password
-			password = nil
-			err = verifyMac(&pfx.MacData, pfx.AuthSafe.Content.Bytes, password)
-		}
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-
-	var authenticatedSafe []contentInfo
-	if err := unmarshal(pfx.AuthSafe.Content.Bytes, &authenticatedSafe); err != nil {
-		return nil, nil, err
-	}
-
-	if len(authenticatedSafe) != 2 {
-		return nil, nil, NotImplementedError("expected exactly two items in the authenticated safe")
-	}
-
-	for _, ci := range authenticatedSafe {
-		var data []byte
-
-		switch {
-		case ci.ContentType.Equal(oidDataContentType):
-			if err := unmarshal(ci.Content.Bytes, &data); err != nil {
-				return nil, nil, err
-			}
-		case ci.ContentType.Equal(oidEncryptedDataContentType):
-			var encryptedData encryptedData
-			if err := unmarshal(ci.Content.Bytes, &encryptedData); err != nil {
-				return nil, nil, err
-			}
-			if encryptedData.Version != 0 {
-				return nil, nil, NotImplementedError("only version 0 of EncryptedData is supported")
-			}
-			if data, err = pbDecrypt(encryptedData.EncryptedContentInfo, password); err != nil {
-				return nil, nil, err
-			}
-		default:
-			return nil, nil, NotImplementedError("only data and encryptedData content types are supported in authenticated safe")
-		}
-
-		var safeContents []safeBag
-		if err := unmarshal(data, &safeContents); err != nil {
-			return nil, nil, err
-		}
-		bags = append(bags, safeContents...)
-	}
-
-	return bags, password, nil
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/pkcs12_test.go b/vendor/golang.org/x/crypto/pkcs12/pkcs12_test.go
deleted file mode 100644
index 14dd2a6c..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/pkcs12_test.go
+++ /dev/null
@@ -1,138 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"crypto/rsa"
-	"crypto/tls"
-	"encoding/base64"
-	"encoding/pem"
-	"testing"
-)
-
-func TestPfx(t *testing.T) {
-	for commonName, base64P12 := range testdata {
-		p12, _ := base64.StdEncoding.DecodeString(base64P12)
-
-		priv, cert, err := Decode(p12, "")
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if err := priv.(*rsa.PrivateKey).Validate(); err != nil {
-			t.Errorf("error while validating private key: %v", err)
-		}
-
-		if cert.Subject.CommonName != commonName {
-			t.Errorf("expected common name to be %q, but found %q", commonName, cert.Subject.CommonName)
-		}
-	}
-}
-
-func TestPEM(t *testing.T) {
-	for commonName, base64P12 := range testdata {
-		p12, _ := base64.StdEncoding.DecodeString(base64P12)
-
-		blocks, err := ToPEM(p12, "")
-		if err != nil {
-			t.Fatalf("error while converting to PEM: %s", err)
-		}
-
-		var pemData []byte
-		for _, b := range blocks {
-			pemData = append(pemData, pem.EncodeToMemory(b)...)
-		}
-
-		cert, err := tls.X509KeyPair(pemData, pemData)
-		if err != nil {
-			t.Errorf("err while converting to key pair: %v", err)
-		}
-		config := tls.Config{
-			Certificates: []tls.Certificate{cert},
-		}
-		config.BuildNameToCertificate()
-
-		if _, exists := config.NameToCertificate[commonName]; !exists {
-			t.Errorf("did not find our cert in PEM?: %v", config.NameToCertificate)
-		}
-	}
-}
-
-func ExampleToPEM() {
-	p12, _ := base64.StdEncoding.DecodeString(`MIIJzgIBAzCCCZQGCS ... CA+gwggPk==`)
-
-	blocks, err := ToPEM(p12, "password")
-	if err != nil {
-		panic(err)
-	}
-
-	var pemData []byte
-	for _, b := range blocks {
-		pemData = append(pemData, pem.EncodeToMemory(b)...)
-	}
-
-	// then use PEM data for tls to construct tls certificate:
-	cert, err := tls.X509KeyPair(pemData, pemData)
-	if err != nil {
-		panic(err)
-	}
-
-	config := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-	}
-
-	_ = config
-}
-
-var testdata = map[string]string{
-	// 'null' password test case
-	"Windows Azure Tools": `MIIKDAIBAzCCCcwGCSqGSIb3DQEHAaCCCb0Eggm5MIIJtTCCBe4GCSqGSIb3DQEHAaCCBd8EggXbMIIF1zCCBdMGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAhStUNnlTGV+gICB9AEggTIJ81JIossF6boFWpPtkiQRPtI6DW6e9QD4/WvHAVrM2bKdpMzSMsCML5NyuddANTKHBVq00Jc9keqGNAqJPKkjhSUebzQFyhe0E1oI9T4zY5UKr/I8JclOeccH4QQnsySzYUG2SnniXnQ+JrG3juetli7EKth9h6jLc6xbubPadY5HMB3wL/eG/kJymiXwU2KQ9Mgd4X6jbcV+NNCE/8jbZHvSTCPeYTJIjxfeX61Sj5kFKUCzERbsnpyevhY3X0eYtEDezZQarvGmXtMMdzf8HJHkWRdk9VLDLgjk8uiJif/+X4FohZ37ig0CpgC2+dP4DGugaZZ51hb8tN9GeCKIsrmWogMXDIVd0OACBp/EjJVmFB6y0kUCXxUE0TZt0XA1tjAGJcjDUpBvTntZjPsnH/4ZySy+s2d9OOhJ6pzRQBRm360TzkFdSwk9DLiLdGfv4pwMMu/vNGBlqjP/1sQtj+jprJiD1sDbCl4AdQZVoMBQHadF2uSD4/o17XG/Ci0r2h6Htc2yvZMAbEY4zMjjIn2a+vqIxD6onexaek1R3zbkS9j19D6EN9EWn8xgz80YRCyW65znZk8xaIhhvlU/mg7sTxeyuqroBZNcq6uDaQTehDpyH7bY2l4zWRpoj10a6JfH2q5shYz8Y6UZC/kOTfuGqbZDNZWro/9pYquvNNW0M847E5t9bsf9VkAAMHRGBbWoVoU9VpI0UnoXSfvpOo+aXa2DSq5sHHUTVY7A9eov3z5IqT+pligx11xcs+YhDWcU8di3BTJisohKvv5Y8WSkm/rloiZd4ig269k0jTRk1olP/vCksPli4wKG2wdsd5o42nX1yL7mFfXocOANZbB+5qMkiwdyoQSk+Vq+C8nAZx2bbKhUq2MbrORGMzOe0Hh0x2a0PeObycN1Bpyv7Mp3ZI9h5hBnONKCnqMhtyQHUj/nNvbJUnDVYNfoOEqDiEqqEwB7YqWzAKz8KW0OIqdlM8uiQ4JqZZlFllnWJUfaiDrdFM3lYSnFQBkzeVlts6GpDOOBjCYd7dcCNS6kq6pZC6p6HN60Twu0JnurZD6RT7rrPkIGE8vAenFt4iGe/yF52fahCSY8Ws4K0UTwN7bAS+4xRHVCWvE8sMRZsRCHizb5laYsVrPZJhE6+hux6OBb6w8kwPYXc+ud5v6UxawUWgt6uPwl8mlAtU9Z7Miw4Nn/wtBkiLL/ke1UI1gqJtcQXgHxx6mzsjh41+nAgTvdbsSEyU6vfOmxGj3Rwc1eOrIhJUqn5YjOWfzzsz/D5DzWKmwXIwdspt1p+u+kol1N3f2wT9fKPnd/RGCb4g/1hc3Aju4DQYgGY782l89CEEdalpQ/35bQczMFk6Fje12HykakWEXd/bGm9Unh82gH84USiRpeOfQvBDYoqEyrY3zkFZzBjhDqa+jEcAj41tcGx47oSfDq3iVYCdL7HSIjtnyEktVXd7mISZLoMt20JACFcMw+mrbjlug+eU7o2GR7T+LwtOp/p4LZqyLa7oQJDwde1BNZtm3TCK2P1mW94QDL0nDUps5KLtr1DaZXEkRbjSJub2ZE9WqDHyU3KA8G84Tq/rN1IoNu/if45jacyPje1Npj9IftUZSP22nV7HMwZtwQ4P4MYHRMBMGCSqGSIb3DQEJFTEGBAQBAAAAMFsGCSqGSIb3DQEJFDFOHkwAewBCADQAQQA0AEYARQBCADAALQBBADEAOABBAC0ANAA0AEIAQgAtAEIANQBGADIALQA0ADkAMQBFAEYAMQA1ADIAQgBBADEANgB9MF0GCSsGAQQBgjcRATFQHk4ATQBpAGMAcgBvAHMAbwBmAHQAIABTAG8AZgB0AHcAYQByAGUAIABLAGUAeQAgAFMAdABvAHIAYQBnAGUAIABQAHIAbwB2AGkAZABlAHIwggO/BgkqhkiG9w0BBwagggOwMIIDrAIBADCCA6UGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEGMA4ECEBk5ZAYpu0WAgIH0ICCA3hik4mQFGpw9Ha8TQPtk+j2jwWdxfF0+sTk6S8PTsEfIhB7wPltjiCK92Uv2tCBQnodBUmatIfkpnRDEySmgmdglmOCzj204lWAMRs94PoALGn3JVBXbO1vIDCbAPOZ7Z0Hd0/1t2hmk8v3//QJGUg+qr59/4y/MuVfIg4qfkPcC2QSvYWcK3oTf6SFi5rv9B1IOWFgN5D0+C+x/9Lb/myPYX+rbOHrwtJ4W1fWKoz9g7wwmGFA9IJ2DYGuH8ifVFbDFT1Vcgsvs8arSX7oBsJVW0qrP7XkuDRe3EqCmKW7rBEwYrFznhxZcRDEpMwbFoSvgSIZ4XhFY9VKYglT+JpNH5iDceYEBOQL4vBLpxNUk3l5jKaBNxVa14AIBxq18bVHJ+STInhLhad4u10v/Xbx7wIL3f9DX1yLAkPrpBYbNHS2/ew6H/ySDJnoIDxkw2zZ4qJ+qUJZ1S0lbZVG+VT0OP5uF6tyOSpbMlcGkdl3z254n6MlCrTifcwkzscysDsgKXaYQw06rzrPW6RDub+t+hXzGny799fS9jhQMLDmOggaQ7+LA4oEZsfT89HLMWxJYDqjo3gIfjciV2mV54R684qLDS+AO09U49e6yEbwGlq8lpmO/pbXCbpGbB1b3EomcQbxdWxW2WEkkEd/VBn81K4M3obmywwXJkw+tPXDXfBmzzaqqCR+onMQ5ME1nMkY8ybnfoCc1bDIupjVWsEL2Wvq752RgI6KqzVNr1ew1IdqV5AWN2fOfek+0vi3Jd9FHF3hx8JMwjJL9dZsETV5kHtYJtE7wJ23J68BnCt2eI0GEuwXcCf5EdSKN/xXCTlIokc4Qk/gzRdIZsvcEJ6B1lGovKG54X4IohikqTjiepjbsMWj38yxDmK3mtENZ9ci8FPfbbvIEcOCZIinuY3qFUlRSbx7VUerEoV1IP3clUwexVQo4lHFee2jd7ocWsdSqSapW7OWUupBtDzRkqVhE7tGria+i1W2d6YLlJ21QTjyapWJehAMO637OdbJCCzDs1cXbodRRE7bsP492ocJy8OX66rKdhYbg8srSFNKdb3pF3UDNbN9jhI/t8iagRhNBhlQtTr1me2E/c86Q18qcRXl4bcXTt6acgCeffK6Y26LcVlrgjlD33AEYRRUeyC+rpxbT0aMjdFderlndKRIyG23mSp0HaUwNzAfMAcGBSsOAwIaBBRlviCbIyRrhIysg2dc/KbLFTc2vQQUg4rfwHMM4IKYRD/fsd1x6dda+wQ=`,
-	// empty string password test case
-	"testing@example.com": `MIIJzgIBAzCCCZQGCSqGSIb3DQEHAaCCCYUEggmBMIIJfTCCA/cGCSqGSIb3DQEHBqCCA+gwggPk
-AgEAMIID3QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIIszfRGqcmPcCAggAgIIDsOZ9Eg1L
-s5Wx8JhYoV3HAL4aRnkAWvTYB5NISZOgSgIQTssmt/3A7134dibTmaT/93LikkL3cTKLnQzJ4wDf
-YZ1bprpVJvUqz+HFT79m27bP9zYXFrvxWBJbxjYKTSjQMgz+h8LAEpXXGajCmxMJ1oCOtdXkhhzc
-LdZN6SAYgtmtyFnCdMEDskSggGuLb3fw84QEJ/Sj6FAULXunW/CPaS7Ce0TMsKmNU/jfFWj3yXXw
-ro0kwjKiVLpVFlnBlHo2OoVU7hmkm59YpGhLgS7nxLD3n7nBroQ0ID1+8R01NnV9XLGoGzxMm1te
-6UyTCkr5mj+kEQ8EP1Ys7g/TC411uhVWySMt/rcpkx7Vz1r9kYEAzJpONAfr6cuEVkPKrxpq4Fh0
-2fzlKBky0i/hrfIEUmngh+ERHUb/Mtv/fkv1j5w9suESbhsMLLiCXAlsP1UWMX+3bNizi3WVMEts
-FM2k9byn+p8IUD/A8ULlE4kEaWeoc+2idkCNQkLGuIdGUXUFVm58se0auUkVRoRJx8x4CkMesT8j
-b1H831W66YRWoEwwDQp2kK1lA2vQXxdVHWlFevMNxJeromLzj3ayiaFrfByeUXhR2S+Hpm+c0yNR
-4UVU9WED2kacsZcpRm9nlEa5sr28mri5JdBrNa/K02OOhvKCxr5ZGmbOVzUQKla2z4w+Ku9k8POm
-dfDNU/fGx1b5hcFWtghXe3msWVsSJrQihnN6q1ughzNiYZlJUGcHdZDRtiWwCFI0bR8h/Dmg9uO9
-4rawQQrjIRT7B8yF3UbkZyAqs8Ppb1TsMeNPHh1rxEfGVQknh/48ouJYsmtbnzugTUt3mJCXXiL+
-XcPMV6bBVAUu4aaVKSmg9+yJtY4/VKv10iw88ktv29fViIdBe3t6l/oPuvQgbQ8dqf4T8w0l/uKZ
-9lS1Na9jfT1vCoS7F5TRi+tmyj1vL5kr/amEIW6xKEP6oeAMvCMtbPAzVEj38zdJ1R22FfuIBxkh
-f0Zl7pdVbmzRxl/SBx9iIBJSqAvcXItiT0FIj8HxQ+0iZKqMQMiBuNWJf5pYOLWGrIyntCWwHuaQ
-wrx0sTGuEL9YXLEAsBDrsvzLkx/56E4INGZFrH8G7HBdW6iGqb22IMI4GHltYSyBRKbB0gadYTyv
-abPEoqww8o7/85aPSzOTJ/53ozD438Q+d0u9SyDuOb60SzCD/zPuCEd78YgtXJwBYTuUNRT27FaM
-3LGMX8Hz+6yPNRnmnA2XKPn7dx/IlaqAjIs8MIIFfgYJKoZIhvcNAQcBoIIFbwSCBWswggVnMIIF
-YwYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECJr0cClYqOlcAgIIAASCBMhe
-OQSiP2s0/46ONXcNeVAkz2ksW3u/+qorhSiskGZ0b3dFa1hhgBU2Q7JVIkc4Hf7OXaT1eVQ8oqND
-uhqsNz83/kqYo70+LS8Hocj49jFgWAKrf/yQkdyP1daHa2yzlEw4mkpqOfnIORQHvYCa8nEApspZ
-wVu8y6WVuLHKU67mel7db2xwstQp7PRuSAYqGjTfAylElog8ASdaqqYbYIrCXucF8iF9oVgmb/Qo
-xrXshJ9aSLO4MuXlTPELmWgj07AXKSb90FKNihE+y0bWb9LPVFY1Sly3AX9PfrtkSXIZwqW3phpv
-MxGxQl/R6mr1z+hlTfY9Wdpb5vlKXPKA0L0Rt8d2pOesylFi6esJoS01QgP1kJILjbrV731kvDc0
-Jsd+Oxv4BMwA7ClG8w1EAOInc/GrV1MWFGw/HeEqj3CZ/l/0jv9bwkbVeVCiIhoL6P6lVx9pXq4t
-KZ0uKg/tk5TVJmG2vLcMLvezD0Yk3G2ZOMrywtmskrwoF7oAUpO9e87szoH6fEvUZlkDkPVW1NV4
-cZk3DBSQiuA3VOOg8qbo/tx/EE3H59P0axZWno2GSB0wFPWd1aj+b//tJEJHaaNR6qPRj4IWj9ru
-Qbc8eRAcVWleHg8uAehSvUXlFpyMQREyrnpvMGddpiTC8N4UMrrBRhV7+UbCOWhxPCbItnInBqgl
-1JpSZIP7iUtsIMdu3fEC2cdbXMTRul+4rdzUR7F9OaezV3jjvcAbDvgbK1CpyC+MJ1Mxm/iTgk9V
-iUArydhlR8OniN84GyGYoYCW9O/KUwb6ASmeFOu/msx8x6kAsSQHIkKqMKv0TUR3kZnkxUvdpBGP
-KTl4YCTvNGX4dYALBqrAETRDhua2KVBD/kEttDHwBNVbN2xi81+Mc7ml461aADfk0c66R/m2sjHB
-2tN9+wG12OIWFQjL6wF/UfJMYamxx2zOOExiId29Opt57uYiNVLOO4ourPewHPeH0u8Gz35aero7
-lkt7cZAe1Q0038JUuE/QGlnK4lESK9UkSIQAjSaAlTsrcfwtQxB2EjoOoLhwH5mvxUEmcNGNnXUc
-9xj3M5BD3zBz3Ft7G3YMMDwB1+zC2l+0UG0MGVjMVaeoy32VVNvxgX7jk22OXG1iaOB+PY9kdk+O
-X+52BGSf/rD6X0EnqY7XuRPkMGgjtpZeAYxRQnFtCZgDY4wYheuxqSSpdF49yNczSPLkgB3CeCfS
-+9NTKN7aC6hBbmW/8yYh6OvSiCEwY0lFS/T+7iaVxr1loE4zI1y/FFp4Pe1qfLlLttVlkygga2UU
-SCunTQ8UB/M5IXWKkhMOO11dP4niWwb39Y7pCWpau7mwbXOKfRPX96cgHnQJK5uG+BesDD1oYnX0
-6frN7FOnTSHKruRIwuI8KnOQ/I+owmyz71wiv5LMQt+yM47UrEjB/EZa5X8dpEwOZvkdqL7utcyo
-l0XH5kWMXdW856LL/FYftAqJIDAmtX1TXF/rbP6mPyN/IlDC0gjP84Uzd/a2UyTIWr+wk49Ek3vQ
-/uDamq6QrwAxVmNh5Tset5Vhpc1e1kb7mRMZIzxSP8JcTuYd45oFKi98I8YjvueHVZce1g7OudQP
-SbFQoJvdT46iBg1TTatlltpOiH2mFaxWVS0xYjAjBgkqhkiG9w0BCRUxFgQUdA9eVqvETX4an/c8
-p8SsTugkit8wOwYJKoZIhvcNAQkUMS4eLABGAHIAaQBlAG4AZABsAHkAIABuAGEAbQBlACAAZgBv
-AHIAIABjAGUAcgB0MDEwITAJBgUrDgMCGgUABBRFsNz3Zd1O1GI8GTuFwCWuDOjEEwQIuBEfIcAy
-HQ8CAggA`,
-}
diff --git a/vendor/golang.org/x/crypto/pkcs12/safebags.go b/vendor/golang.org/x/crypto/pkcs12/safebags.go
deleted file mode 100644
index def1f7b9..00000000
--- a/vendor/golang.org/x/crypto/pkcs12/safebags.go
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs12
-
-import (
-	"crypto/x509"
-	"encoding/asn1"
-	"errors"
-)
-
-var (
-	// see https://tools.ietf.org/html/rfc7292#appendix-D
-	oidCertTypeX509Certificate = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 9, 22, 1})
-	oidPKCS8ShroundedKeyBag    = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 12, 10, 1, 2})
-	oidCertBag                 = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 12, 10, 1, 3})
-)
-
-type certBag struct {
-	Id   asn1.ObjectIdentifier
-	Data []byte `asn1:"tag:0,explicit"`
-}
-
-func decodePkcs8ShroudedKeyBag(asn1Data, password []byte) (privateKey interface{}, err error) {
-	pkinfo := new(encryptedPrivateKeyInfo)
-	if err = unmarshal(asn1Data, pkinfo); err != nil {
-		return nil, errors.New("pkcs12: error decoding PKCS#8 shrouded key bag: " + err.Error())
-	}
-
-	pkData, err := pbDecrypt(pkinfo, password)
-	if err != nil {
-		return nil, errors.New("pkcs12: error decrypting PKCS#8 shrouded key bag: " + err.Error())
-	}
-
-	ret := new(asn1.RawValue)
-	if err = unmarshal(pkData, ret); err != nil {
-		return nil, errors.New("pkcs12: error unmarshaling decrypted private key: " + err.Error())
-	}
-
-	if privateKey, err = x509.ParsePKCS8PrivateKey(pkData); err != nil {
-		return nil, errors.New("pkcs12: error parsing PKCS#8 private key: " + err.Error())
-	}
-
-	return privateKey, nil
-}
-
-func decodeCertBag(asn1Data []byte) (x509Certificates []byte, err error) {
-	bag := new(certBag)
-	if err := unmarshal(asn1Data, bag); err != nil {
-		return nil, errors.New("pkcs12: error decoding cert bag: " + err.Error())
-	}
-	if !bag.Id.Equal(oidCertTypeX509Certificate) {
-		return nil, NotImplementedError("only X509 certificates are supported")
-	}
-	return bag.Data, nil
-}
diff --git a/vendor/golang.org/x/crypto/poly1305/poly1305.go b/vendor/golang.org/x/crypto/poly1305/poly1305.go
deleted file mode 100644
index f562fa57..00000000
--- a/vendor/golang.org/x/crypto/poly1305/poly1305.go
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package poly1305 implements Poly1305 one-time message authentication code as
-specified in https://cr.yp.to/mac/poly1305-20050329.pdf.
-
-Poly1305 is a fast, one-time authentication function. It is infeasible for an
-attacker to generate an authenticator for a message without the key. However, a
-key must only be used for a single message. Authenticating two different
-messages with the same key allows an attacker to forge authenticators for other
-messages with the same key.
-
-Poly1305 was originally coupled with AES in order to make Poly1305-AES. AES was
-used with a fixed key in order to generate one-time keys from an nonce.
-However, in this package AES isn't used and the one-time key is specified
-directly.
-*/
-package poly1305 // import "golang.org/x/crypto/poly1305"
-
-import "crypto/subtle"
-
-// TagSize is the size, in bytes, of a poly1305 authenticator.
-const TagSize = 16
-
-// Verify returns true if mac is a valid authenticator for m with the given
-// key.
-func Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
-	var tmp [16]byte
-	Sum(&tmp, m, key)
-	return subtle.ConstantTimeCompare(tmp[:], mac[:]) == 1
-}
diff --git a/vendor/golang.org/x/crypto/poly1305/poly1305_test.go b/vendor/golang.org/x/crypto/poly1305/poly1305_test.go
deleted file mode 100644
index 017027fe..00000000
--- a/vendor/golang.org/x/crypto/poly1305/poly1305_test.go
+++ /dev/null
@@ -1,159 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package poly1305
-
-import (
-	"bytes"
-	"encoding/hex"
-	"flag"
-	"testing"
-	"unsafe"
-)
-
-var stressFlag = flag.Bool("stress", false, "run slow stress tests")
-
-var testData = []struct {
-	in, k, correct []byte
-}{
-	{
-		[]byte("Hello world!"),
-		[]byte("this is 32-byte key for Poly1305"),
-		[]byte{0xa6, 0xf7, 0x45, 0x00, 0x8f, 0x81, 0xc9, 0x16, 0xa2, 0x0d, 0xcc, 0x74, 0xee, 0xf2, 0xb2, 0xf0},
-	},
-	{
-		make([]byte, 32),
-		[]byte("this is 32-byte key for Poly1305"),
-		[]byte{0x49, 0xec, 0x78, 0x09, 0x0e, 0x48, 0x1e, 0xc6, 0xc2, 0x6b, 0x33, 0xb9, 0x1c, 0xcc, 0x03, 0x07},
-	},
-	{
-		make([]byte, 2007),
-		[]byte("this is 32-byte key for Poly1305"),
-		[]byte{0xda, 0x84, 0xbc, 0xab, 0x02, 0x67, 0x6c, 0x38, 0xcd, 0xb0, 0x15, 0x60, 0x42, 0x74, 0xc2, 0xaa},
-	},
-	{
-		make([]byte, 2007),
-		make([]byte, 32),
-		make([]byte, 16),
-	},
-	{
-		// This test triggers an edge-case. See https://go-review.googlesource.com/#/c/30101/.
-		[]byte{0x81, 0xd8, 0xb2, 0xe4, 0x6a, 0x25, 0x21, 0x3b, 0x58, 0xfe, 0xe4, 0x21, 0x3a, 0x2a, 0x28, 0xe9, 0x21, 0xc1, 0x2a, 0x96, 0x32, 0x51, 0x6d, 0x3b, 0x73, 0x27, 0x27, 0x27, 0xbe, 0xcf, 0x21, 0x29},
-		[]byte{0x3b, 0x3a, 0x29, 0xe9, 0x3b, 0x21, 0x3a, 0x5c, 0x5c, 0x3b, 0x3b, 0x05, 0x3a, 0x3a, 0x8c, 0x0d},
-		[]byte{0x6d, 0xc1, 0x8b, 0x8c, 0x34, 0x4c, 0xd7, 0x99, 0x27, 0x11, 0x8b, 0xbe, 0x84, 0xb7, 0xf3, 0x14},
-	},
-	{
-		// This test generates a result of (2^130-1) % (2^130-5).
-		[]byte{
-			0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		},
-		[]byte{1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
-		[]byte{4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
-	},
-	{
-		// This test generates a result of (2^130-6) % (2^130-5).
-		[]byte{
-			0xfa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		},
-		[]byte{1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
-		[]byte{0xfa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
-	},
-	{
-		// This test generates a result of (2^130-5) % (2^130-5).
-		[]byte{
-			0xfb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		},
-		[]byte{1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
-		[]byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
-	},
-}
-
-func testSum(t *testing.T, unaligned bool) {
-	var out [16]byte
-	var key [32]byte
-
-	for i, v := range testData {
-		in := v.in
-		if unaligned {
-			in = unalignBytes(in)
-		}
-		copy(key[:], v.k)
-		Sum(&out, in, &key)
-		if !bytes.Equal(out[:], v.correct) {
-			t.Errorf("%d: expected %x, got %x", i, v.correct, out[:])
-		}
-	}
-}
-
-func TestBurnin(t *testing.T) {
-	// This test can be used to sanity-check significant changes. It can
-	// take about many minutes to run, even on fast machines. It's disabled
-	// by default.
-	if !*stressFlag {
-		t.Skip("skipping without -stress")
-	}
-
-	var key [32]byte
-	var input [25]byte
-	var output [16]byte
-
-	for i := range key {
-		key[i] = 1
-	}
-	for i := range input {
-		input[i] = 2
-	}
-
-	for i := uint64(0); i < 1e10; i++ {
-		Sum(&output, input[:], &key)
-		copy(key[0:], output[:])
-		copy(key[16:], output[:])
-		copy(input[:], output[:])
-		copy(input[16:], output[:])
-	}
-
-	const expected = "5e3b866aea0b636d240c83c428f84bfa"
-	if got := hex.EncodeToString(output[:]); got != expected {
-		t.Errorf("expected %s, got %s", expected, got)
-	}
-}
-
-func TestSum(t *testing.T)          { testSum(t, false) }
-func TestSumUnaligned(t *testing.T) { testSum(t, true) }
-
-func benchmark(b *testing.B, size int, unaligned bool) {
-	var out [16]byte
-	var key [32]byte
-	in := make([]byte, size)
-	if unaligned {
-		in = unalignBytes(in)
-	}
-	b.SetBytes(int64(len(in)))
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		Sum(&out, in, &key)
-	}
-}
-
-func Benchmark64(b *testing.B)          { benchmark(b, 64, false) }
-func Benchmark1K(b *testing.B)          { benchmark(b, 1024, false) }
-func Benchmark64Unaligned(b *testing.B) { benchmark(b, 64, true) }
-func Benchmark1KUnaligned(b *testing.B) { benchmark(b, 1024, true) }
-
-func unalignBytes(in []byte) []byte {
-	out := make([]byte, len(in)+1)
-	if uintptr(unsafe.Pointer(&out[0]))&(unsafe.Alignof(uint32(0))-1) == 0 {
-		out = out[1:]
-	} else {
-		out = out[:len(in)]
-	}
-	copy(out, in)
-	return out
-}
diff --git a/vendor/golang.org/x/crypto/poly1305/sum_amd64.go b/vendor/golang.org/x/crypto/poly1305/sum_amd64.go
deleted file mode 100644
index 4dd72fe7..00000000
--- a/vendor/golang.org/x/crypto/poly1305/sum_amd64.go
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-package poly1305
-
-// This function is implemented in sum_amd64.s
-//go:noescape
-func poly1305(out *[16]byte, m *byte, mlen uint64, key *[32]byte)
-
-// Sum generates an authenticator for m using a one-time key and puts the
-// 16-byte result into out. Authenticating two different messages with the same
-// key allows an attacker to forge messages at will.
-func Sum(out *[16]byte, m []byte, key *[32]byte) {
-	var mPtr *byte
-	if len(m) > 0 {
-		mPtr = &m[0]
-	}
-	poly1305(out, mPtr, uint64(len(m)), key)
-}
diff --git a/vendor/golang.org/x/crypto/poly1305/sum_amd64.s b/vendor/golang.org/x/crypto/poly1305/sum_amd64.s
deleted file mode 100644
index 2edae638..00000000
--- a/vendor/golang.org/x/crypto/poly1305/sum_amd64.s
+++ /dev/null
@@ -1,125 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-#include "textflag.h"
-
-#define POLY1305_ADD(msg, h0, h1, h2) \
-	ADDQ 0(msg), h0;  \
-	ADCQ 8(msg), h1;  \
-	ADCQ $1, h2;      \
-	LEAQ 16(msg), msg
-
-#define POLY1305_MUL(h0, h1, h2, r0, r1, t0, t1, t2, t3) \
-	MOVQ  r0, AX;                  \
-	MULQ  h0;                      \
-	MOVQ  AX, t0;                  \
-	MOVQ  DX, t1;                  \
-	MOVQ  r0, AX;                  \
-	MULQ  h1;                      \
-	ADDQ  AX, t1;                  \
-	ADCQ  $0, DX;                  \
-	MOVQ  r0, t2;                  \
-	IMULQ h2, t2;                  \
-	ADDQ  DX, t2;                  \
-	                               \
-	MOVQ  r1, AX;                  \
-	MULQ  h0;                      \
-	ADDQ  AX, t1;                  \
-	ADCQ  $0, DX;                  \
-	MOVQ  DX, h0;                  \
-	MOVQ  r1, t3;                  \
-	IMULQ h2, t3;                  \
-	MOVQ  r1, AX;                  \
-	MULQ  h1;                      \
-	ADDQ  AX, t2;                  \
-	ADCQ  DX, t3;                  \
-	ADDQ  h0, t2;                  \
-	ADCQ  $0, t3;                  \
-	                               \
-	MOVQ  t0, h0;                  \
-	MOVQ  t1, h1;                  \
-	MOVQ  t2, h2;                  \
-	ANDQ  $3, h2;                  \
-	MOVQ  t2, t0;                  \
-	ANDQ  $0xFFFFFFFFFFFFFFFC, t0; \
-	ADDQ  t0, h0;                  \
-	ADCQ  t3, h1;                  \
-	ADCQ  $0, h2;                  \
-	SHRQ  $2, t3, t2;              \
-	SHRQ  $2, t3;                  \
-	ADDQ  t2, h0;                  \
-	ADCQ  t3, h1;                  \
-	ADCQ  $0, h2
-
-DATA ·poly1305Mask<>+0x00(SB)/8, $0x0FFFFFFC0FFFFFFF
-DATA ·poly1305Mask<>+0x08(SB)/8, $0x0FFFFFFC0FFFFFFC
-GLOBL ·poly1305Mask<>(SB), RODATA, $16
-
-// func poly1305(out *[16]byte, m *byte, mlen uint64, key *[32]key)
-TEXT ·poly1305(SB), $0-32
-	MOVQ out+0(FP), DI
-	MOVQ m+8(FP), SI
-	MOVQ mlen+16(FP), R15
-	MOVQ key+24(FP), AX
-
-	MOVQ 0(AX), R11
-	MOVQ 8(AX), R12
-	ANDQ ·poly1305Mask<>(SB), R11   // r0
-	ANDQ ·poly1305Mask<>+8(SB), R12 // r1
-	XORQ R8, R8                    // h0
-	XORQ R9, R9                    // h1
-	XORQ R10, R10                  // h2
-
-	CMPQ R15, $16
-	JB   bytes_between_0_and_15
-
-loop:
-	POLY1305_ADD(SI, R8, R9, R10)
-
-multiply:
-	POLY1305_MUL(R8, R9, R10, R11, R12, BX, CX, R13, R14)
-	SUBQ $16, R15
-	CMPQ R15, $16
-	JAE  loop
-
-bytes_between_0_and_15:
-	TESTQ R15, R15
-	JZ    done
-	MOVQ  $1, BX
-	XORQ  CX, CX
-	XORQ  R13, R13
-	ADDQ  R15, SI
-
-flush_buffer:
-	SHLQ $8, BX, CX
-	SHLQ $8, BX
-	MOVB -1(SI), R13
-	XORQ R13, BX
-	DECQ SI
-	DECQ R15
-	JNZ  flush_buffer
-
-	ADDQ BX, R8
-	ADCQ CX, R9
-	ADCQ $0, R10
-	MOVQ $16, R15
-	JMP  multiply
-
-done:
-	MOVQ    R8, AX
-	MOVQ    R9, BX
-	SUBQ    $0xFFFFFFFFFFFFFFFB, AX
-	SBBQ    $0xFFFFFFFFFFFFFFFF, BX
-	SBBQ    $3, R10
-	CMOVQCS R8, AX
-	CMOVQCS R9, BX
-	MOVQ    key+24(FP), R8
-	ADDQ    16(R8), AX
-	ADCQ    24(R8), BX
-
-	MOVQ AX, 0(DI)
-	MOVQ BX, 8(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/poly1305/sum_arm.go b/vendor/golang.org/x/crypto/poly1305/sum_arm.go
deleted file mode 100644
index 5dc321c2..00000000
--- a/vendor/golang.org/x/crypto/poly1305/sum_arm.go
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build arm,!gccgo,!appengine,!nacl
-
-package poly1305
-
-// This function is implemented in sum_arm.s
-//go:noescape
-func poly1305_auth_armv6(out *[16]byte, m *byte, mlen uint32, key *[32]byte)
-
-// Sum generates an authenticator for m using a one-time key and puts the
-// 16-byte result into out. Authenticating two different messages with the same
-// key allows an attacker to forge messages at will.
-func Sum(out *[16]byte, m []byte, key *[32]byte) {
-	var mPtr *byte
-	if len(m) > 0 {
-		mPtr = &m[0]
-	}
-	poly1305_auth_armv6(out, mPtr, uint32(len(m)), key)
-}
diff --git a/vendor/golang.org/x/crypto/poly1305/sum_arm.s b/vendor/golang.org/x/crypto/poly1305/sum_arm.s
deleted file mode 100644
index f70b4ac4..00000000
--- a/vendor/golang.org/x/crypto/poly1305/sum_arm.s
+++ /dev/null
@@ -1,427 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build arm,!gccgo,!appengine,!nacl
-
-#include "textflag.h"
-
-// This code was translated into a form compatible with 5a from the public
-// domain source by Andrew Moon: github.com/floodyberry/poly1305-opt/blob/master/app/extensions/poly1305.
-
-DATA ·poly1305_init_constants_armv6<>+0x00(SB)/4, $0x3ffffff
-DATA ·poly1305_init_constants_armv6<>+0x04(SB)/4, $0x3ffff03
-DATA ·poly1305_init_constants_armv6<>+0x08(SB)/4, $0x3ffc0ff
-DATA ·poly1305_init_constants_armv6<>+0x0c(SB)/4, $0x3f03fff
-DATA ·poly1305_init_constants_armv6<>+0x10(SB)/4, $0x00fffff
-GLOBL ·poly1305_init_constants_armv6<>(SB), 8, $20
-
-// Warning: the linker may use R11 to synthesize certain instructions. Please
-// take care and verify that no synthetic instructions use it.
-
-TEXT poly1305_init_ext_armv6<>(SB), NOSPLIT, $0
-	// Needs 16 bytes of stack and 64 bytes of space pointed to by R0.  (It
-	// might look like it's only 60 bytes of space but the final four bytes
-	// will be written by another function.) We need to skip over four
-	// bytes of stack because that's saving the value of 'g'.
-	ADD       $4, R13, R8
-	MOVM.IB   [R4-R7], (R8)
-	MOVM.IA.W (R1), [R2-R5]
-	MOVW      $·poly1305_init_constants_armv6<>(SB), R7
-	MOVW      R2, R8
-	MOVW      R2>>26, R9
-	MOVW      R3>>20, g
-	MOVW      R4>>14, R11
-	MOVW      R5>>8, R12
-	ORR       R3<<6, R9, R9
-	ORR       R4<<12, g, g
-	ORR       R5<<18, R11, R11
-	MOVM.IA   (R7), [R2-R6]
-	AND       R8, R2, R2
-	AND       R9, R3, R3
-	AND       g, R4, R4
-	AND       R11, R5, R5
-	AND       R12, R6, R6
-	MOVM.IA.W [R2-R6], (R0)
-	EOR       R2, R2, R2
-	EOR       R3, R3, R3
-	EOR       R4, R4, R4
-	EOR       R5, R5, R5
-	EOR       R6, R6, R6
-	MOVM.IA.W [R2-R6], (R0)
-	MOVM.IA.W (R1), [R2-R5]
-	MOVM.IA   [R2-R6], (R0)
-	ADD       $20, R13, R0
-	MOVM.DA   (R0), [R4-R7]
-	RET
-
-#define MOVW_UNALIGNED(Rsrc, Rdst, Rtmp, offset) \
-	MOVBU (offset+0)(Rsrc), Rtmp; \
-	MOVBU Rtmp, (offset+0)(Rdst); \
-	MOVBU (offset+1)(Rsrc), Rtmp; \
-	MOVBU Rtmp, (offset+1)(Rdst); \
-	MOVBU (offset+2)(Rsrc), Rtmp; \
-	MOVBU Rtmp, (offset+2)(Rdst); \
-	MOVBU (offset+3)(Rsrc), Rtmp; \
-	MOVBU Rtmp, (offset+3)(Rdst)
-
-TEXT poly1305_blocks_armv6<>(SB), NOSPLIT, $0
-	// Needs 24 bytes of stack for saved registers and then 88 bytes of
-	// scratch space after that. We assume that 24 bytes at (R13) have
-	// already been used: four bytes for the link register saved in the
-	// prelude of poly1305_auth_armv6, four bytes for saving the value of g
-	// in that function and 16 bytes of scratch space used around
-	// poly1305_finish_ext_armv6_skip1.
-	ADD     $24, R13, R12
-	MOVM.IB [R4-R8, R14], (R12)
-	MOVW    R0, 88(R13)
-	MOVW    R1, 92(R13)
-	MOVW    R2, 96(R13)
-	MOVW    R1, R14
-	MOVW    R2, R12
-	MOVW    56(R0), R8
-	WORD    $0xe1180008                // TST R8, R8 not working see issue 5921
-	EOR     R6, R6, R6
-	MOVW.EQ $(1<<24), R6
-	MOVW    R6, 84(R13)
-	ADD     $116, R13, g
-	MOVM.IA (R0), [R0-R9]
-	MOVM.IA [R0-R4], (g)
-	CMP     $16, R12
-	BLO     poly1305_blocks_armv6_done
-
-poly1305_blocks_armv6_mainloop:
-	WORD    $0xe31e0003                            // TST R14, #3 not working see issue 5921
-	BEQ     poly1305_blocks_armv6_mainloop_aligned
-	ADD     $100, R13, g
-	MOVW_UNALIGNED(R14, g, R0, 0)
-	MOVW_UNALIGNED(R14, g, R0, 4)
-	MOVW_UNALIGNED(R14, g, R0, 8)
-	MOVW_UNALIGNED(R14, g, R0, 12)
-	MOVM.IA (g), [R0-R3]
-	ADD     $16, R14
-	B       poly1305_blocks_armv6_mainloop_loaded
-
-poly1305_blocks_armv6_mainloop_aligned:
-	MOVM.IA.W (R14), [R0-R3]
-
-poly1305_blocks_armv6_mainloop_loaded:
-	MOVW    R0>>26, g
-	MOVW    R1>>20, R11
-	MOVW    R2>>14, R12
-	MOVW    R14, 92(R13)
-	MOVW    R3>>8, R4
-	ORR     R1<<6, g, g
-	ORR     R2<<12, R11, R11
-	ORR     R3<<18, R12, R12
-	BIC     $0xfc000000, R0, R0
-	BIC     $0xfc000000, g, g
-	MOVW    84(R13), R3
-	BIC     $0xfc000000, R11, R11
-	BIC     $0xfc000000, R12, R12
-	ADD     R0, R5, R5
-	ADD     g, R6, R6
-	ORR     R3, R4, R4
-	ADD     R11, R7, R7
-	ADD     $116, R13, R14
-	ADD     R12, R8, R8
-	ADD     R4, R9, R9
-	MOVM.IA (R14), [R0-R4]
-	MULLU   R4, R5, (R11, g)
-	MULLU   R3, R5, (R14, R12)
-	MULALU  R3, R6, (R11, g)
-	MULALU  R2, R6, (R14, R12)
-	MULALU  R2, R7, (R11, g)
-	MULALU  R1, R7, (R14, R12)
-	ADD     R4<<2, R4, R4
-	ADD     R3<<2, R3, R3
-	MULALU  R1, R8, (R11, g)
-	MULALU  R0, R8, (R14, R12)
-	MULALU  R0, R9, (R11, g)
-	MULALU  R4, R9, (R14, R12)
-	MOVW    g, 76(R13)
-	MOVW    R11, 80(R13)
-	MOVW    R12, 68(R13)
-	MOVW    R14, 72(R13)
-	MULLU   R2, R5, (R11, g)
-	MULLU   R1, R5, (R14, R12)
-	MULALU  R1, R6, (R11, g)
-	MULALU  R0, R6, (R14, R12)
-	MULALU  R0, R7, (R11, g)
-	MULALU  R4, R7, (R14, R12)
-	ADD     R2<<2, R2, R2
-	ADD     R1<<2, R1, R1
-	MULALU  R4, R8, (R11, g)
-	MULALU  R3, R8, (R14, R12)
-	MULALU  R3, R9, (R11, g)
-	MULALU  R2, R9, (R14, R12)
-	MOVW    g, 60(R13)
-	MOVW    R11, 64(R13)
-	MOVW    R12, 52(R13)
-	MOVW    R14, 56(R13)
-	MULLU   R0, R5, (R11, g)
-	MULALU  R4, R6, (R11, g)
-	MULALU  R3, R7, (R11, g)
-	MULALU  R2, R8, (R11, g)
-	MULALU  R1, R9, (R11, g)
-	ADD     $52, R13, R0
-	MOVM.IA (R0), [R0-R7]
-	MOVW    g>>26, R12
-	MOVW    R4>>26, R14
-	ORR     R11<<6, R12, R12
-	ORR     R5<<6, R14, R14
-	BIC     $0xfc000000, g, g
-	BIC     $0xfc000000, R4, R4
-	ADD.S   R12, R0, R0
-	ADC     $0, R1, R1
-	ADD.S   R14, R6, R6
-	ADC     $0, R7, R7
-	MOVW    R0>>26, R12
-	MOVW    R6>>26, R14
-	ORR     R1<<6, R12, R12
-	ORR     R7<<6, R14, R14
-	BIC     $0xfc000000, R0, R0
-	BIC     $0xfc000000, R6, R6
-	ADD     R14<<2, R14, R14
-	ADD.S   R12, R2, R2
-	ADC     $0, R3, R3
-	ADD     R14, g, g
-	MOVW    R2>>26, R12
-	MOVW    g>>26, R14
-	ORR     R3<<6, R12, R12
-	BIC     $0xfc000000, g, R5
-	BIC     $0xfc000000, R2, R7
-	ADD     R12, R4, R4
-	ADD     R14, R0, R0
-	MOVW    R4>>26, R12
-	BIC     $0xfc000000, R4, R8
-	ADD     R12, R6, R9
-	MOVW    96(R13), R12
-	MOVW    92(R13), R14
-	MOVW    R0, R6
-	CMP     $32, R12
-	SUB     $16, R12, R12
-	MOVW    R12, 96(R13)
-	BHS     poly1305_blocks_armv6_mainloop
-
-poly1305_blocks_armv6_done:
-	MOVW    88(R13), R12
-	MOVW    R5, 20(R12)
-	MOVW    R6, 24(R12)
-	MOVW    R7, 28(R12)
-	MOVW    R8, 32(R12)
-	MOVW    R9, 36(R12)
-	ADD     $48, R13, R0
-	MOVM.DA (R0), [R4-R8, R14]
-	RET
-
-#define MOVHUP_UNALIGNED(Rsrc, Rdst, Rtmp) \
-	MOVBU.P 1(Rsrc), Rtmp; \
-	MOVBU.P Rtmp, 1(Rdst); \
-	MOVBU.P 1(Rsrc), Rtmp; \
-	MOVBU.P Rtmp, 1(Rdst)
-
-#define MOVWP_UNALIGNED(Rsrc, Rdst, Rtmp) \
-	MOVHUP_UNALIGNED(Rsrc, Rdst, Rtmp); \
-	MOVHUP_UNALIGNED(Rsrc, Rdst, Rtmp)
-
-// func poly1305_auth_armv6(out *[16]byte, m *byte, mlen uint32, key *[32]key)
-TEXT ·poly1305_auth_armv6(SB), $196-16
-	// The value 196, just above, is the sum of 64 (the size of the context
-	// structure) and 132 (the amount of stack needed).
-	//
-	// At this point, the stack pointer (R13) has been moved down. It
-	// points to the saved link register and there's 196 bytes of free
-	// space above it.
-	//
-	// The stack for this function looks like:
-	//
-	// +---------------------
-	// |
-	// | 64 bytes of context structure
-	// |
-	// +---------------------
-	// |
-	// | 112 bytes for poly1305_blocks_armv6
-	// |
-	// +---------------------
-	// | 16 bytes of final block, constructed at
-	// | poly1305_finish_ext_armv6_skip8
-	// +---------------------
-	// | four bytes of saved 'g'
-	// +---------------------
-	// | lr, saved by prelude    <- R13 points here
-	// +---------------------
-	MOVW g, 4(R13)
-
-	MOVW out+0(FP), R4
-	MOVW m+4(FP), R5
-	MOVW mlen+8(FP), R6
-	MOVW key+12(FP), R7
-
-	ADD  $136, R13, R0 // 136 = 4 + 4 + 16 + 112
-	MOVW R7, R1
-
-	// poly1305_init_ext_armv6 will write to the stack from R13+4, but
-	// that's ok because none of the other values have been written yet.
-	BL    poly1305_init_ext_armv6<>(SB)
-	BIC.S $15, R6, R2
-	BEQ   poly1305_auth_armv6_noblocks
-	ADD   $136, R13, R0
-	MOVW  R5, R1
-	ADD   R2, R5, R5
-	SUB   R2, R6, R6
-	BL    poly1305_blocks_armv6<>(SB)
-
-poly1305_auth_armv6_noblocks:
-	ADD  $136, R13, R0
-	MOVW R5, R1
-	MOVW R6, R2
-	MOVW R4, R3
-
-	MOVW  R0, R5
-	MOVW  R1, R6
-	MOVW  R2, R7
-	MOVW  R3, R8
-	AND.S R2, R2, R2
-	BEQ   poly1305_finish_ext_armv6_noremaining
-	EOR   R0, R0
-	ADD   $8, R13, R9                           // 8 = offset to 16 byte scratch space
-	MOVW  R0, (R9)
-	MOVW  R0, 4(R9)
-	MOVW  R0, 8(R9)
-	MOVW  R0, 12(R9)
-	WORD  $0xe3110003                           // TST R1, #3 not working see issue 5921
-	BEQ   poly1305_finish_ext_armv6_aligned
-	WORD  $0xe3120008                           // TST R2, #8 not working see issue 5921
-	BEQ   poly1305_finish_ext_armv6_skip8
-	MOVWP_UNALIGNED(R1, R9, g)
-	MOVWP_UNALIGNED(R1, R9, g)
-
-poly1305_finish_ext_armv6_skip8:
-	WORD $0xe3120004                     // TST $4, R2 not working see issue 5921
-	BEQ  poly1305_finish_ext_armv6_skip4
-	MOVWP_UNALIGNED(R1, R9, g)
-
-poly1305_finish_ext_armv6_skip4:
-	WORD $0xe3120002                     // TST $2, R2 not working see issue 5921
-	BEQ  poly1305_finish_ext_armv6_skip2
-	MOVHUP_UNALIGNED(R1, R9, g)
-	B    poly1305_finish_ext_armv6_skip2
-
-poly1305_finish_ext_armv6_aligned:
-	WORD      $0xe3120008                             // TST R2, #8 not working see issue 5921
-	BEQ       poly1305_finish_ext_armv6_skip8_aligned
-	MOVM.IA.W (R1), [g-R11]
-	MOVM.IA.W [g-R11], (R9)
-
-poly1305_finish_ext_armv6_skip8_aligned:
-	WORD   $0xe3120004                             // TST $4, R2 not working see issue 5921
-	BEQ    poly1305_finish_ext_armv6_skip4_aligned
-	MOVW.P 4(R1), g
-	MOVW.P g, 4(R9)
-
-poly1305_finish_ext_armv6_skip4_aligned:
-	WORD    $0xe3120002                     // TST $2, R2 not working see issue 5921
-	BEQ     poly1305_finish_ext_armv6_skip2
-	MOVHU.P 2(R1), g
-	MOVH.P  g, 2(R9)
-
-poly1305_finish_ext_armv6_skip2:
-	WORD    $0xe3120001                     // TST $1, R2 not working see issue 5921
-	BEQ     poly1305_finish_ext_armv6_skip1
-	MOVBU.P 1(R1), g
-	MOVBU.P g, 1(R9)
-
-poly1305_finish_ext_armv6_skip1:
-	MOVW  $1, R11
-	MOVBU R11, 0(R9)
-	MOVW  R11, 56(R5)
-	MOVW  R5, R0
-	ADD   $8, R13, R1
-	MOVW  $16, R2
-	BL    poly1305_blocks_armv6<>(SB)
-
-poly1305_finish_ext_armv6_noremaining:
-	MOVW      20(R5), R0
-	MOVW      24(R5), R1
-	MOVW      28(R5), R2
-	MOVW      32(R5), R3
-	MOVW      36(R5), R4
-	MOVW      R4>>26, R12
-	BIC       $0xfc000000, R4, R4
-	ADD       R12<<2, R12, R12
-	ADD       R12, R0, R0
-	MOVW      R0>>26, R12
-	BIC       $0xfc000000, R0, R0
-	ADD       R12, R1, R1
-	MOVW      R1>>26, R12
-	BIC       $0xfc000000, R1, R1
-	ADD       R12, R2, R2
-	MOVW      R2>>26, R12
-	BIC       $0xfc000000, R2, R2
-	ADD       R12, R3, R3
-	MOVW      R3>>26, R12
-	BIC       $0xfc000000, R3, R3
-	ADD       R12, R4, R4
-	ADD       $5, R0, R6
-	MOVW      R6>>26, R12
-	BIC       $0xfc000000, R6, R6
-	ADD       R12, R1, R7
-	MOVW      R7>>26, R12
-	BIC       $0xfc000000, R7, R7
-	ADD       R12, R2, g
-	MOVW      g>>26, R12
-	BIC       $0xfc000000, g, g
-	ADD       R12, R3, R11
-	MOVW      $-(1<<26), R12
-	ADD       R11>>26, R12, R12
-	BIC       $0xfc000000, R11, R11
-	ADD       R12, R4, R9
-	MOVW      R9>>31, R12
-	SUB       $1, R12
-	AND       R12, R6, R6
-	AND       R12, R7, R7
-	AND       R12, g, g
-	AND       R12, R11, R11
-	AND       R12, R9, R9
-	MVN       R12, R12
-	AND       R12, R0, R0
-	AND       R12, R1, R1
-	AND       R12, R2, R2
-	AND       R12, R3, R3
-	AND       R12, R4, R4
-	ORR       R6, R0, R0
-	ORR       R7, R1, R1
-	ORR       g, R2, R2
-	ORR       R11, R3, R3
-	ORR       R9, R4, R4
-	ORR       R1<<26, R0, R0
-	MOVW      R1>>6, R1
-	ORR       R2<<20, R1, R1
-	MOVW      R2>>12, R2
-	ORR       R3<<14, R2, R2
-	MOVW      R3>>18, R3
-	ORR       R4<<8, R3, R3
-	MOVW      40(R5), R6
-	MOVW      44(R5), R7
-	MOVW      48(R5), g
-	MOVW      52(R5), R11
-	ADD.S     R6, R0, R0
-	ADC.S     R7, R1, R1
-	ADC.S     g, R2, R2
-	ADC.S     R11, R3, R3
-	MOVM.IA   [R0-R3], (R8)
-	MOVW      R5, R12
-	EOR       R0, R0, R0
-	EOR       R1, R1, R1
-	EOR       R2, R2, R2
-	EOR       R3, R3, R3
-	EOR       R4, R4, R4
-	EOR       R5, R5, R5
-	EOR       R6, R6, R6
-	EOR       R7, R7, R7
-	MOVM.IA.W [R0-R7], (R12)
-	MOVM.IA   [R0-R7], (R12)
-	MOVW      4(R13), g
-	RET
diff --git a/vendor/golang.org/x/crypto/poly1305/sum_ref.go b/vendor/golang.org/x/crypto/poly1305/sum_ref.go
deleted file mode 100644
index b2805a5c..00000000
--- a/vendor/golang.org/x/crypto/poly1305/sum_ref.go
+++ /dev/null
@@ -1,141 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !amd64,!arm gccgo appengine nacl
-
-package poly1305
-
-import "encoding/binary"
-
-// Sum generates an authenticator for msg using a one-time key and puts the
-// 16-byte result into out. Authenticating two different messages with the same
-// key allows an attacker to forge messages at will.
-func Sum(out *[TagSize]byte, msg []byte, key *[32]byte) {
-	var (
-		h0, h1, h2, h3, h4 uint32 // the hash accumulators
-		r0, r1, r2, r3, r4 uint64 // the r part of the key
-	)
-
-	r0 = uint64(binary.LittleEndian.Uint32(key[0:]) & 0x3ffffff)
-	r1 = uint64((binary.LittleEndian.Uint32(key[3:]) >> 2) & 0x3ffff03)
-	r2 = uint64((binary.LittleEndian.Uint32(key[6:]) >> 4) & 0x3ffc0ff)
-	r3 = uint64((binary.LittleEndian.Uint32(key[9:]) >> 6) & 0x3f03fff)
-	r4 = uint64((binary.LittleEndian.Uint32(key[12:]) >> 8) & 0x00fffff)
-
-	R1, R2, R3, R4 := r1*5, r2*5, r3*5, r4*5
-
-	for len(msg) >= TagSize {
-		// h += msg
-		h0 += binary.LittleEndian.Uint32(msg[0:]) & 0x3ffffff
-		h1 += (binary.LittleEndian.Uint32(msg[3:]) >> 2) & 0x3ffffff
-		h2 += (binary.LittleEndian.Uint32(msg[6:]) >> 4) & 0x3ffffff
-		h3 += (binary.LittleEndian.Uint32(msg[9:]) >> 6) & 0x3ffffff
-		h4 += (binary.LittleEndian.Uint32(msg[12:]) >> 8) | (1 << 24)
-
-		// h *= r
-		d0 := (uint64(h0) * r0) + (uint64(h1) * R4) + (uint64(h2) * R3) + (uint64(h3) * R2) + (uint64(h4) * R1)
-		d1 := (d0 >> 26) + (uint64(h0) * r1) + (uint64(h1) * r0) + (uint64(h2) * R4) + (uint64(h3) * R3) + (uint64(h4) * R2)
-		d2 := (d1 >> 26) + (uint64(h0) * r2) + (uint64(h1) * r1) + (uint64(h2) * r0) + (uint64(h3) * R4) + (uint64(h4) * R3)
-		d3 := (d2 >> 26) + (uint64(h0) * r3) + (uint64(h1) * r2) + (uint64(h2) * r1) + (uint64(h3) * r0) + (uint64(h4) * R4)
-		d4 := (d3 >> 26) + (uint64(h0) * r4) + (uint64(h1) * r3) + (uint64(h2) * r2) + (uint64(h3) * r1) + (uint64(h4) * r0)
-
-		// h %= p
-		h0 = uint32(d0) & 0x3ffffff
-		h1 = uint32(d1) & 0x3ffffff
-		h2 = uint32(d2) & 0x3ffffff
-		h3 = uint32(d3) & 0x3ffffff
-		h4 = uint32(d4) & 0x3ffffff
-
-		h0 += uint32(d4>>26) * 5
-		h1 += h0 >> 26
-		h0 = h0 & 0x3ffffff
-
-		msg = msg[TagSize:]
-	}
-
-	if len(msg) > 0 {
-		var block [TagSize]byte
-		off := copy(block[:], msg)
-		block[off] = 0x01
-
-		// h += msg
-		h0 += binary.LittleEndian.Uint32(block[0:]) & 0x3ffffff
-		h1 += (binary.LittleEndian.Uint32(block[3:]) >> 2) & 0x3ffffff
-		h2 += (binary.LittleEndian.Uint32(block[6:]) >> 4) & 0x3ffffff
-		h3 += (binary.LittleEndian.Uint32(block[9:]) >> 6) & 0x3ffffff
-		h4 += (binary.LittleEndian.Uint32(block[12:]) >> 8)
-
-		// h *= r
-		d0 := (uint64(h0) * r0) + (uint64(h1) * R4) + (uint64(h2) * R3) + (uint64(h3) * R2) + (uint64(h4) * R1)
-		d1 := (d0 >> 26) + (uint64(h0) * r1) + (uint64(h1) * r0) + (uint64(h2) * R4) + (uint64(h3) * R3) + (uint64(h4) * R2)
-		d2 := (d1 >> 26) + (uint64(h0) * r2) + (uint64(h1) * r1) + (uint64(h2) * r0) + (uint64(h3) * R4) + (uint64(h4) * R3)
-		d3 := (d2 >> 26) + (uint64(h0) * r3) + (uint64(h1) * r2) + (uint64(h2) * r1) + (uint64(h3) * r0) + (uint64(h4) * R4)
-		d4 := (d3 >> 26) + (uint64(h0) * r4) + (uint64(h1) * r3) + (uint64(h2) * r2) + (uint64(h3) * r1) + (uint64(h4) * r0)
-
-		// h %= p
-		h0 = uint32(d0) & 0x3ffffff
-		h1 = uint32(d1) & 0x3ffffff
-		h2 = uint32(d2) & 0x3ffffff
-		h3 = uint32(d3) & 0x3ffffff
-		h4 = uint32(d4) & 0x3ffffff
-
-		h0 += uint32(d4>>26) * 5
-		h1 += h0 >> 26
-		h0 = h0 & 0x3ffffff
-	}
-
-	// h %= p reduction
-	h2 += h1 >> 26
-	h1 &= 0x3ffffff
-	h3 += h2 >> 26
-	h2 &= 0x3ffffff
-	h4 += h3 >> 26
-	h3 &= 0x3ffffff
-	h0 += 5 * (h4 >> 26)
-	h4 &= 0x3ffffff
-	h1 += h0 >> 26
-	h0 &= 0x3ffffff
-
-	// h - p
-	t0 := h0 + 5
-	t1 := h1 + (t0 >> 26)
-	t2 := h2 + (t1 >> 26)
-	t3 := h3 + (t2 >> 26)
-	t4 := h4 + (t3 >> 26) - (1 << 26)
-	t0 &= 0x3ffffff
-	t1 &= 0x3ffffff
-	t2 &= 0x3ffffff
-	t3 &= 0x3ffffff
-
-	// select h if h < p else h - p
-	t_mask := (t4 >> 31) - 1
-	h_mask := ^t_mask
-	h0 = (h0 & h_mask) | (t0 & t_mask)
-	h1 = (h1 & h_mask) | (t1 & t_mask)
-	h2 = (h2 & h_mask) | (t2 & t_mask)
-	h3 = (h3 & h_mask) | (t3 & t_mask)
-	h4 = (h4 & h_mask) | (t4 & t_mask)
-
-	// h %= 2^128
-	h0 |= h1 << 26
-	h1 = ((h1 >> 6) | (h2 << 20))
-	h2 = ((h2 >> 12) | (h3 << 14))
-	h3 = ((h3 >> 18) | (h4 << 8))
-
-	// s: the s part of the key
-	// tag = (h + s) % (2^128)
-	t := uint64(h0) + uint64(binary.LittleEndian.Uint32(key[16:]))
-	h0 = uint32(t)
-	t = uint64(h1) + uint64(binary.LittleEndian.Uint32(key[20:])) + (t >> 32)
-	h1 = uint32(t)
-	t = uint64(h2) + uint64(binary.LittleEndian.Uint32(key[24:])) + (t >> 32)
-	h2 = uint32(t)
-	t = uint64(h3) + uint64(binary.LittleEndian.Uint32(key[28:])) + (t >> 32)
-	h3 = uint32(t)
-
-	binary.LittleEndian.PutUint32(out[0:], h0)
-	binary.LittleEndian.PutUint32(out[4:], h1)
-	binary.LittleEndian.PutUint32(out[8:], h2)
-	binary.LittleEndian.PutUint32(out[12:], h3)
-}
diff --git a/vendor/golang.org/x/crypto/ripemd160/ripemd160.go b/vendor/golang.org/x/crypto/ripemd160/ripemd160.go
index 6c6e8423..cf3eeb15 100644
--- a/vendor/golang.org/x/crypto/ripemd160/ripemd160.go
+++ b/vendor/golang.org/x/crypto/ripemd160/ripemd160.go
@@ -3,9 +3,13 @@
 // license that can be found in the LICENSE file.
 
 // Package ripemd160 implements the RIPEMD-160 hash algorithm.
+//
+// Deprecated: RIPEMD-160 is a legacy hash and should not be used for new
+// applications. Also, this package does not and will not provide an optimized
+// implementation. Instead, use a modern hash like SHA-256 (from crypto/sha256).
 package ripemd160 // import "golang.org/x/crypto/ripemd160"
 
-// RIPEMD-160 is designed by by Hans Dobbertin, Antoon Bosselaers, and Bart
+// RIPEMD-160 is designed by Hans Dobbertin, Antoon Bosselaers, and Bart
 // Preneel with specifications available at:
 // http://homes.esat.kuleuven.be/~cosicart/pdf/AB-9601/AB-9601.pdf.
 
diff --git a/vendor/golang.org/x/crypto/ripemd160/ripemd160_test.go b/vendor/golang.org/x/crypto/ripemd160/ripemd160_test.go
deleted file mode 100644
index 5df1b259..00000000
--- a/vendor/golang.org/x/crypto/ripemd160/ripemd160_test.go
+++ /dev/null
@@ -1,64 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ripemd160
-
-// Test vectors are from:
-// http://homes.esat.kuleuven.be/~bosselae/ripemd160.html
-
-import (
-	"fmt"
-	"io"
-	"testing"
-)
-
-type mdTest struct {
-	out string
-	in  string
-}
-
-var vectors = [...]mdTest{
-	{"9c1185a5c5e9fc54612808977ee8f548b2258d31", ""},
-	{"0bdc9d2d256b3ee9daae347be6f4dc835a467ffe", "a"},
-	{"8eb208f7e05d987a9b044a8e98c6b087f15a0bfc", "abc"},
-	{"5d0689ef49d2fae572b881b123a85ffa21595f36", "message digest"},
-	{"f71c27109c692c1b56bbdceb5b9d2865b3708dbc", "abcdefghijklmnopqrstuvwxyz"},
-	{"12a053384a9c0c88e405a06c27dcf49ada62eb2b", "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
-	{"b0e20b6e3116640286ed3a87a5713079b21f5189", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"},
-	{"9b752e45573d4b39f4dbd3323cab82bf63326bfb", "12345678901234567890123456789012345678901234567890123456789012345678901234567890"},
-}
-
-func TestVectors(t *testing.T) {
-	for i := 0; i < len(vectors); i++ {
-		tv := vectors[i]
-		md := New()
-		for j := 0; j < 3; j++ {
-			if j < 2 {
-				io.WriteString(md, tv.in)
-			} else {
-				io.WriteString(md, tv.in[0:len(tv.in)/2])
-				md.Sum(nil)
-				io.WriteString(md, tv.in[len(tv.in)/2:])
-			}
-			s := fmt.Sprintf("%x", md.Sum(nil))
-			if s != tv.out {
-				t.Fatalf("RIPEMD-160[%d](%s) = %s, expected %s", j, tv.in, s, tv.out)
-			}
-			md.Reset()
-		}
-	}
-}
-
-func TestMillionA(t *testing.T) {
-	md := New()
-	for i := 0; i < 100000; i++ {
-		io.WriteString(md, "aaaaaaaaaa")
-	}
-	out := "52783243c1697bdbe16d37f97f68f08325dc1528"
-	s := fmt.Sprintf("%x", md.Sum(nil))
-	if s != out {
-		t.Fatalf("RIPEMD-160 (1 million 'a') = %s, expected %s", s, out)
-	}
-	md.Reset()
-}
diff --git a/vendor/golang.org/x/crypto/ripemd160/ripemd160block.go b/vendor/golang.org/x/crypto/ripemd160/ripemd160block.go
index 7bc8e6c4..e0edc02f 100644
--- a/vendor/golang.org/x/crypto/ripemd160/ripemd160block.go
+++ b/vendor/golang.org/x/crypto/ripemd160/ripemd160block.go
@@ -8,6 +8,10 @@
 
 package ripemd160
 
+import (
+	"math/bits"
+)
+
 // work buffer indices and roll amounts for one line
 var _n = [80]uint{
 	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
@@ -59,16 +63,16 @@ func _Block(md *digest, p []byte) int {
 		i := 0
 		for i < 16 {
 			alpha = a + (b ^ c ^ d) + x[_n[i]]
-			s := _r[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + e
-			beta = c<<10 | c>>22
+			s := int(_r[i])
+			alpha = bits.RotateLeft32(alpha, s) + e
+			beta = bits.RotateLeft32(c, 10)
 			a, b, c, d, e = e, alpha, b, beta, d
 
 			// parallel line
 			alpha = aa + (bb ^ (cc | ^dd)) + x[n_[i]] + 0x50a28be6
-			s = r_[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + ee
-			beta = cc<<10 | cc>>22
+			s = int(r_[i])
+			alpha = bits.RotateLeft32(alpha, s) + ee
+			beta = bits.RotateLeft32(cc, 10)
 			aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd
 
 			i++
@@ -77,16 +81,16 @@ func _Block(md *digest, p []byte) int {
 		// round 2
 		for i < 32 {
 			alpha = a + (b&c | ^b&d) + x[_n[i]] + 0x5a827999
-			s := _r[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + e
-			beta = c<<10 | c>>22
+			s := int(_r[i])
+			alpha = bits.RotateLeft32(alpha, s) + e
+			beta = bits.RotateLeft32(c, 10)
 			a, b, c, d, e = e, alpha, b, beta, d
 
 			// parallel line
 			alpha = aa + (bb&dd | cc&^dd) + x[n_[i]] + 0x5c4dd124
-			s = r_[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + ee
-			beta = cc<<10 | cc>>22
+			s = int(r_[i])
+			alpha = bits.RotateLeft32(alpha, s) + ee
+			beta = bits.RotateLeft32(cc, 10)
 			aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd
 
 			i++
@@ -95,16 +99,16 @@ func _Block(md *digest, p []byte) int {
 		// round 3
 		for i < 48 {
 			alpha = a + (b | ^c ^ d) + x[_n[i]] + 0x6ed9eba1
-			s := _r[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + e
-			beta = c<<10 | c>>22
+			s := int(_r[i])
+			alpha = bits.RotateLeft32(alpha, s) + e
+			beta = bits.RotateLeft32(c, 10)
 			a, b, c, d, e = e, alpha, b, beta, d
 
 			// parallel line
 			alpha = aa + (bb | ^cc ^ dd) + x[n_[i]] + 0x6d703ef3
-			s = r_[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + ee
-			beta = cc<<10 | cc>>22
+			s = int(r_[i])
+			alpha = bits.RotateLeft32(alpha, s) + ee
+			beta = bits.RotateLeft32(cc, 10)
 			aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd
 
 			i++
@@ -113,16 +117,16 @@ func _Block(md *digest, p []byte) int {
 		// round 4
 		for i < 64 {
 			alpha = a + (b&d | c&^d) + x[_n[i]] + 0x8f1bbcdc
-			s := _r[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + e
-			beta = c<<10 | c>>22
+			s := int(_r[i])
+			alpha = bits.RotateLeft32(alpha, s) + e
+			beta = bits.RotateLeft32(c, 10)
 			a, b, c, d, e = e, alpha, b, beta, d
 
 			// parallel line
 			alpha = aa + (bb&cc | ^bb&dd) + x[n_[i]] + 0x7a6d76e9
-			s = r_[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + ee
-			beta = cc<<10 | cc>>22
+			s = int(r_[i])
+			alpha = bits.RotateLeft32(alpha, s) + ee
+			beta = bits.RotateLeft32(cc, 10)
 			aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd
 
 			i++
@@ -131,16 +135,16 @@ func _Block(md *digest, p []byte) int {
 		// round 5
 		for i < 80 {
 			alpha = a + (b ^ (c | ^d)) + x[_n[i]] + 0xa953fd4e
-			s := _r[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + e
-			beta = c<<10 | c>>22
+			s := int(_r[i])
+			alpha = bits.RotateLeft32(alpha, s) + e
+			beta = bits.RotateLeft32(c, 10)
 			a, b, c, d, e = e, alpha, b, beta, d
 
 			// parallel line
 			alpha = aa + (bb ^ cc ^ dd) + x[n_[i]]
-			s = r_[i]
-			alpha = (alpha<<s | alpha>>(32-s)) + ee
-			beta = cc<<10 | cc>>22
+			s = int(r_[i])
+			alpha = bits.RotateLeft32(alpha, s) + ee
+			beta = bits.RotateLeft32(cc, 10)
 			aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd
 
 			i++
diff --git a/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go b/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go
deleted file mode 100644
index 4c96147c..00000000
--- a/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go
+++ /dev/null
@@ -1,144 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package salsa provides low-level access to functions in the Salsa family.
-package salsa // import "golang.org/x/crypto/salsa20/salsa"
-
-// Sigma is the Salsa20 constant for 256-bit keys.
-var Sigma = [16]byte{'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k'}
-
-// HSalsa20 applies the HSalsa20 core function to a 16-byte input in, 32-byte
-// key k, and 16-byte constant c, and puts the result into the 32-byte array
-// out.
-func HSalsa20(out *[32]byte, in *[16]byte, k *[32]byte, c *[16]byte) {
-	x0 := uint32(c[0]) | uint32(c[1])<<8 | uint32(c[2])<<16 | uint32(c[3])<<24
-	x1 := uint32(k[0]) | uint32(k[1])<<8 | uint32(k[2])<<16 | uint32(k[3])<<24
-	x2 := uint32(k[4]) | uint32(k[5])<<8 | uint32(k[6])<<16 | uint32(k[7])<<24
-	x3 := uint32(k[8]) | uint32(k[9])<<8 | uint32(k[10])<<16 | uint32(k[11])<<24
-	x4 := uint32(k[12]) | uint32(k[13])<<8 | uint32(k[14])<<16 | uint32(k[15])<<24
-	x5 := uint32(c[4]) | uint32(c[5])<<8 | uint32(c[6])<<16 | uint32(c[7])<<24
-	x6 := uint32(in[0]) | uint32(in[1])<<8 | uint32(in[2])<<16 | uint32(in[3])<<24
-	x7 := uint32(in[4]) | uint32(in[5])<<8 | uint32(in[6])<<16 | uint32(in[7])<<24
-	x8 := uint32(in[8]) | uint32(in[9])<<8 | uint32(in[10])<<16 | uint32(in[11])<<24
-	x9 := uint32(in[12]) | uint32(in[13])<<8 | uint32(in[14])<<16 | uint32(in[15])<<24
-	x10 := uint32(c[8]) | uint32(c[9])<<8 | uint32(c[10])<<16 | uint32(c[11])<<24
-	x11 := uint32(k[16]) | uint32(k[17])<<8 | uint32(k[18])<<16 | uint32(k[19])<<24
-	x12 := uint32(k[20]) | uint32(k[21])<<8 | uint32(k[22])<<16 | uint32(k[23])<<24
-	x13 := uint32(k[24]) | uint32(k[25])<<8 | uint32(k[26])<<16 | uint32(k[27])<<24
-	x14 := uint32(k[28]) | uint32(k[29])<<8 | uint32(k[30])<<16 | uint32(k[31])<<24
-	x15 := uint32(c[12]) | uint32(c[13])<<8 | uint32(c[14])<<16 | uint32(c[15])<<24
-
-	for i := 0; i < 20; i += 2 {
-		u := x0 + x12
-		x4 ^= u<<7 | u>>(32-7)
-		u = x4 + x0
-		x8 ^= u<<9 | u>>(32-9)
-		u = x8 + x4
-		x12 ^= u<<13 | u>>(32-13)
-		u = x12 + x8
-		x0 ^= u<<18 | u>>(32-18)
-
-		u = x5 + x1
-		x9 ^= u<<7 | u>>(32-7)
-		u = x9 + x5
-		x13 ^= u<<9 | u>>(32-9)
-		u = x13 + x9
-		x1 ^= u<<13 | u>>(32-13)
-		u = x1 + x13
-		x5 ^= u<<18 | u>>(32-18)
-
-		u = x10 + x6
-		x14 ^= u<<7 | u>>(32-7)
-		u = x14 + x10
-		x2 ^= u<<9 | u>>(32-9)
-		u = x2 + x14
-		x6 ^= u<<13 | u>>(32-13)
-		u = x6 + x2
-		x10 ^= u<<18 | u>>(32-18)
-
-		u = x15 + x11
-		x3 ^= u<<7 | u>>(32-7)
-		u = x3 + x15
-		x7 ^= u<<9 | u>>(32-9)
-		u = x7 + x3
-		x11 ^= u<<13 | u>>(32-13)
-		u = x11 + x7
-		x15 ^= u<<18 | u>>(32-18)
-
-		u = x0 + x3
-		x1 ^= u<<7 | u>>(32-7)
-		u = x1 + x0
-		x2 ^= u<<9 | u>>(32-9)
-		u = x2 + x1
-		x3 ^= u<<13 | u>>(32-13)
-		u = x3 + x2
-		x0 ^= u<<18 | u>>(32-18)
-
-		u = x5 + x4
-		x6 ^= u<<7 | u>>(32-7)
-		u = x6 + x5
-		x7 ^= u<<9 | u>>(32-9)
-		u = x7 + x6
-		x4 ^= u<<13 | u>>(32-13)
-		u = x4 + x7
-		x5 ^= u<<18 | u>>(32-18)
-
-		u = x10 + x9
-		x11 ^= u<<7 | u>>(32-7)
-		u = x11 + x10
-		x8 ^= u<<9 | u>>(32-9)
-		u = x8 + x11
-		x9 ^= u<<13 | u>>(32-13)
-		u = x9 + x8
-		x10 ^= u<<18 | u>>(32-18)
-
-		u = x15 + x14
-		x12 ^= u<<7 | u>>(32-7)
-		u = x12 + x15
-		x13 ^= u<<9 | u>>(32-9)
-		u = x13 + x12
-		x14 ^= u<<13 | u>>(32-13)
-		u = x14 + x13
-		x15 ^= u<<18 | u>>(32-18)
-	}
-	out[0] = byte(x0)
-	out[1] = byte(x0 >> 8)
-	out[2] = byte(x0 >> 16)
-	out[3] = byte(x0 >> 24)
-
-	out[4] = byte(x5)
-	out[5] = byte(x5 >> 8)
-	out[6] = byte(x5 >> 16)
-	out[7] = byte(x5 >> 24)
-
-	out[8] = byte(x10)
-	out[9] = byte(x10 >> 8)
-	out[10] = byte(x10 >> 16)
-	out[11] = byte(x10 >> 24)
-
-	out[12] = byte(x15)
-	out[13] = byte(x15 >> 8)
-	out[14] = byte(x15 >> 16)
-	out[15] = byte(x15 >> 24)
-
-	out[16] = byte(x6)
-	out[17] = byte(x6 >> 8)
-	out[18] = byte(x6 >> 16)
-	out[19] = byte(x6 >> 24)
-
-	out[20] = byte(x7)
-	out[21] = byte(x7 >> 8)
-	out[22] = byte(x7 >> 16)
-	out[23] = byte(x7 >> 24)
-
-	out[24] = byte(x8)
-	out[25] = byte(x8 >> 8)
-	out[26] = byte(x8 >> 16)
-	out[27] = byte(x8 >> 24)
-
-	out[28] = byte(x9)
-	out[29] = byte(x9 >> 8)
-	out[30] = byte(x9 >> 16)
-	out[31] = byte(x9 >> 24)
-}
diff --git a/vendor/golang.org/x/crypto/salsa20/salsa/salsa2020_amd64.s b/vendor/golang.org/x/crypto/salsa20/salsa/salsa2020_amd64.s
deleted file mode 100644
index 22afbdca..00000000
--- a/vendor/golang.org/x/crypto/salsa20/salsa/salsa2020_amd64.s
+++ /dev/null
@@ -1,889 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!appengine,!gccgo
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte)
-// This needs up to 64 bytes at 360(SP); hence the non-obvious frame size.
-TEXT ·salsa2020XORKeyStream(SB),0,$456-40 // frame = 424 + 32 byte alignment
-	MOVQ out+0(FP),DI
-	MOVQ in+8(FP),SI
-	MOVQ n+16(FP),DX
-	MOVQ nonce+24(FP),CX
-	MOVQ key+32(FP),R8
-
-	MOVQ SP,R12
-	MOVQ SP,R9
-	ADDQ $31, R9
-	ANDQ $~31, R9
-	MOVQ R9, SP
-
-	MOVQ DX,R9
-	MOVQ CX,DX
-	MOVQ R8,R10
-	CMPQ R9,$0
-	JBE DONE
-	START:
-	MOVL 20(R10),CX
-	MOVL 0(R10),R8
-	MOVL 0(DX),AX
-	MOVL 16(R10),R11
-	MOVL CX,0(SP)
-	MOVL R8, 4 (SP)
-	MOVL AX, 8 (SP)
-	MOVL R11, 12 (SP)
-	MOVL 8(DX),CX
-	MOVL 24(R10),R8
-	MOVL 4(R10),AX
-	MOVL 4(DX),R11
-	MOVL CX,16(SP)
-	MOVL R8, 20 (SP)
-	MOVL AX, 24 (SP)
-	MOVL R11, 28 (SP)
-	MOVL 12(DX),CX
-	MOVL 12(R10),DX
-	MOVL 28(R10),R8
-	MOVL 8(R10),AX
-	MOVL DX,32(SP)
-	MOVL CX, 36 (SP)
-	MOVL R8, 40 (SP)
-	MOVL AX, 44 (SP)
-	MOVQ $1634760805,DX
-	MOVQ $857760878,CX
-	MOVQ $2036477234,R8
-	MOVQ $1797285236,AX
-	MOVL DX,48(SP)
-	MOVL CX, 52 (SP)
-	MOVL R8, 56 (SP)
-	MOVL AX, 60 (SP)
-	CMPQ R9,$256
-	JB BYTESBETWEEN1AND255
-	MOVOA 48(SP),X0
-	PSHUFL $0X55,X0,X1
-	PSHUFL $0XAA,X0,X2
-	PSHUFL $0XFF,X0,X3
-	PSHUFL $0X00,X0,X0
-	MOVOA X1,64(SP)
-	MOVOA X2,80(SP)
-	MOVOA X3,96(SP)
-	MOVOA X0,112(SP)
-	MOVOA 0(SP),X0
-	PSHUFL $0XAA,X0,X1
-	PSHUFL $0XFF,X0,X2
-	PSHUFL $0X00,X0,X3
-	PSHUFL $0X55,X0,X0
-	MOVOA X1,128(SP)
-	MOVOA X2,144(SP)
-	MOVOA X3,160(SP)
-	MOVOA X0,176(SP)
-	MOVOA 16(SP),X0
-	PSHUFL $0XFF,X0,X1
-	PSHUFL $0X55,X0,X2
-	PSHUFL $0XAA,X0,X0
-	MOVOA X1,192(SP)
-	MOVOA X2,208(SP)
-	MOVOA X0,224(SP)
-	MOVOA 32(SP),X0
-	PSHUFL $0X00,X0,X1
-	PSHUFL $0XAA,X0,X2
-	PSHUFL $0XFF,X0,X0
-	MOVOA X1,240(SP)
-	MOVOA X2,256(SP)
-	MOVOA X0,272(SP)
-	BYTESATLEAST256:
-	MOVL 16(SP),DX
-	MOVL  36 (SP),CX
-	MOVL DX,288(SP)
-	MOVL CX,304(SP)
-	ADDQ $1,DX
-	SHLQ $32,CX
-	ADDQ CX,DX
-	MOVQ DX,CX
-	SHRQ $32,CX
-	MOVL DX, 292 (SP)
-	MOVL CX, 308 (SP)
-	ADDQ $1,DX
-	SHLQ $32,CX
-	ADDQ CX,DX
-	MOVQ DX,CX
-	SHRQ $32,CX
-	MOVL DX, 296 (SP)
-	MOVL CX, 312 (SP)
-	ADDQ $1,DX
-	SHLQ $32,CX
-	ADDQ CX,DX
-	MOVQ DX,CX
-	SHRQ $32,CX
-	MOVL DX, 300 (SP)
-	MOVL CX, 316 (SP)
-	ADDQ $1,DX
-	SHLQ $32,CX
-	ADDQ CX,DX
-	MOVQ DX,CX
-	SHRQ $32,CX
-	MOVL DX,16(SP)
-	MOVL CX, 36 (SP)
-	MOVQ R9,352(SP)
-	MOVQ $20,DX
-	MOVOA 64(SP),X0
-	MOVOA 80(SP),X1
-	MOVOA 96(SP),X2
-	MOVOA 256(SP),X3
-	MOVOA 272(SP),X4
-	MOVOA 128(SP),X5
-	MOVOA 144(SP),X6
-	MOVOA 176(SP),X7
-	MOVOA 192(SP),X8
-	MOVOA 208(SP),X9
-	MOVOA 224(SP),X10
-	MOVOA 304(SP),X11
-	MOVOA 112(SP),X12
-	MOVOA 160(SP),X13
-	MOVOA 240(SP),X14
-	MOVOA 288(SP),X15
-	MAINLOOP1:
-	MOVOA X1,320(SP)
-	MOVOA X2,336(SP)
-	MOVOA X13,X1
-	PADDL X12,X1
-	MOVOA X1,X2
-	PSLLL $7,X1
-	PXOR X1,X14
-	PSRLL $25,X2
-	PXOR X2,X14
-	MOVOA X7,X1
-	PADDL X0,X1
-	MOVOA X1,X2
-	PSLLL $7,X1
-	PXOR X1,X11
-	PSRLL $25,X2
-	PXOR X2,X11
-	MOVOA X12,X1
-	PADDL X14,X1
-	MOVOA X1,X2
-	PSLLL $9,X1
-	PXOR X1,X15
-	PSRLL $23,X2
-	PXOR X2,X15
-	MOVOA X0,X1
-	PADDL X11,X1
-	MOVOA X1,X2
-	PSLLL $9,X1
-	PXOR X1,X9
-	PSRLL $23,X2
-	PXOR X2,X9
-	MOVOA X14,X1
-	PADDL X15,X1
-	MOVOA X1,X2
-	PSLLL $13,X1
-	PXOR X1,X13
-	PSRLL $19,X2
-	PXOR X2,X13
-	MOVOA X11,X1
-	PADDL X9,X1
-	MOVOA X1,X2
-	PSLLL $13,X1
-	PXOR X1,X7
-	PSRLL $19,X2
-	PXOR X2,X7
-	MOVOA X15,X1
-	PADDL X13,X1
-	MOVOA X1,X2
-	PSLLL $18,X1
-	PXOR X1,X12
-	PSRLL $14,X2
-	PXOR X2,X12
-	MOVOA 320(SP),X1
-	MOVOA X12,320(SP)
-	MOVOA X9,X2
-	PADDL X7,X2
-	MOVOA X2,X12
-	PSLLL $18,X2
-	PXOR X2,X0
-	PSRLL $14,X12
-	PXOR X12,X0
-	MOVOA X5,X2
-	PADDL X1,X2
-	MOVOA X2,X12
-	PSLLL $7,X2
-	PXOR X2,X3
-	PSRLL $25,X12
-	PXOR X12,X3
-	MOVOA 336(SP),X2
-	MOVOA X0,336(SP)
-	MOVOA X6,X0
-	PADDL X2,X0
-	MOVOA X0,X12
-	PSLLL $7,X0
-	PXOR X0,X4
-	PSRLL $25,X12
-	PXOR X12,X4
-	MOVOA X1,X0
-	PADDL X3,X0
-	MOVOA X0,X12
-	PSLLL $9,X0
-	PXOR X0,X10
-	PSRLL $23,X12
-	PXOR X12,X10
-	MOVOA X2,X0
-	PADDL X4,X0
-	MOVOA X0,X12
-	PSLLL $9,X0
-	PXOR X0,X8
-	PSRLL $23,X12
-	PXOR X12,X8
-	MOVOA X3,X0
-	PADDL X10,X0
-	MOVOA X0,X12
-	PSLLL $13,X0
-	PXOR X0,X5
-	PSRLL $19,X12
-	PXOR X12,X5
-	MOVOA X4,X0
-	PADDL X8,X0
-	MOVOA X0,X12
-	PSLLL $13,X0
-	PXOR X0,X6
-	PSRLL $19,X12
-	PXOR X12,X6
-	MOVOA X10,X0
-	PADDL X5,X0
-	MOVOA X0,X12
-	PSLLL $18,X0
-	PXOR X0,X1
-	PSRLL $14,X12
-	PXOR X12,X1
-	MOVOA 320(SP),X0
-	MOVOA X1,320(SP)
-	MOVOA X4,X1
-	PADDL X0,X1
-	MOVOA X1,X12
-	PSLLL $7,X1
-	PXOR X1,X7
-	PSRLL $25,X12
-	PXOR X12,X7
-	MOVOA X8,X1
-	PADDL X6,X1
-	MOVOA X1,X12
-	PSLLL $18,X1
-	PXOR X1,X2
-	PSRLL $14,X12
-	PXOR X12,X2
-	MOVOA 336(SP),X12
-	MOVOA X2,336(SP)
-	MOVOA X14,X1
-	PADDL X12,X1
-	MOVOA X1,X2
-	PSLLL $7,X1
-	PXOR X1,X5
-	PSRLL $25,X2
-	PXOR X2,X5
-	MOVOA X0,X1
-	PADDL X7,X1
-	MOVOA X1,X2
-	PSLLL $9,X1
-	PXOR X1,X10
-	PSRLL $23,X2
-	PXOR X2,X10
-	MOVOA X12,X1
-	PADDL X5,X1
-	MOVOA X1,X2
-	PSLLL $9,X1
-	PXOR X1,X8
-	PSRLL $23,X2
-	PXOR X2,X8
-	MOVOA X7,X1
-	PADDL X10,X1
-	MOVOA X1,X2
-	PSLLL $13,X1
-	PXOR X1,X4
-	PSRLL $19,X2
-	PXOR X2,X4
-	MOVOA X5,X1
-	PADDL X8,X1
-	MOVOA X1,X2
-	PSLLL $13,X1
-	PXOR X1,X14
-	PSRLL $19,X2
-	PXOR X2,X14
-	MOVOA X10,X1
-	PADDL X4,X1
-	MOVOA X1,X2
-	PSLLL $18,X1
-	PXOR X1,X0
-	PSRLL $14,X2
-	PXOR X2,X0
-	MOVOA 320(SP),X1
-	MOVOA X0,320(SP)
-	MOVOA X8,X0
-	PADDL X14,X0
-	MOVOA X0,X2
-	PSLLL $18,X0
-	PXOR X0,X12
-	PSRLL $14,X2
-	PXOR X2,X12
-	MOVOA X11,X0
-	PADDL X1,X0
-	MOVOA X0,X2
-	PSLLL $7,X0
-	PXOR X0,X6
-	PSRLL $25,X2
-	PXOR X2,X6
-	MOVOA 336(SP),X2
-	MOVOA X12,336(SP)
-	MOVOA X3,X0
-	PADDL X2,X0
-	MOVOA X0,X12
-	PSLLL $7,X0
-	PXOR X0,X13
-	PSRLL $25,X12
-	PXOR X12,X13
-	MOVOA X1,X0
-	PADDL X6,X0
-	MOVOA X0,X12
-	PSLLL $9,X0
-	PXOR X0,X15
-	PSRLL $23,X12
-	PXOR X12,X15
-	MOVOA X2,X0
-	PADDL X13,X0
-	MOVOA X0,X12
-	PSLLL $9,X0
-	PXOR X0,X9
-	PSRLL $23,X12
-	PXOR X12,X9
-	MOVOA X6,X0
-	PADDL X15,X0
-	MOVOA X0,X12
-	PSLLL $13,X0
-	PXOR X0,X11
-	PSRLL $19,X12
-	PXOR X12,X11
-	MOVOA X13,X0
-	PADDL X9,X0
-	MOVOA X0,X12
-	PSLLL $13,X0
-	PXOR X0,X3
-	PSRLL $19,X12
-	PXOR X12,X3
-	MOVOA X15,X0
-	PADDL X11,X0
-	MOVOA X0,X12
-	PSLLL $18,X0
-	PXOR X0,X1
-	PSRLL $14,X12
-	PXOR X12,X1
-	MOVOA X9,X0
-	PADDL X3,X0
-	MOVOA X0,X12
-	PSLLL $18,X0
-	PXOR X0,X2
-	PSRLL $14,X12
-	PXOR X12,X2
-	MOVOA 320(SP),X12
-	MOVOA 336(SP),X0
-	SUBQ $2,DX
-	JA MAINLOOP1
-	PADDL 112(SP),X12
-	PADDL 176(SP),X7
-	PADDL 224(SP),X10
-	PADDL 272(SP),X4
-	MOVD X12,DX
-	MOVD X7,CX
-	MOVD X10,R8
-	MOVD X4,R9
-	PSHUFL $0X39,X12,X12
-	PSHUFL $0X39,X7,X7
-	PSHUFL $0X39,X10,X10
-	PSHUFL $0X39,X4,X4
-	XORL 0(SI),DX
-	XORL 4(SI),CX
-	XORL 8(SI),R8
-	XORL 12(SI),R9
-	MOVL DX,0(DI)
-	MOVL CX,4(DI)
-	MOVL R8,8(DI)
-	MOVL R9,12(DI)
-	MOVD X12,DX
-	MOVD X7,CX
-	MOVD X10,R8
-	MOVD X4,R9
-	PSHUFL $0X39,X12,X12
-	PSHUFL $0X39,X7,X7
-	PSHUFL $0X39,X10,X10
-	PSHUFL $0X39,X4,X4
-	XORL 64(SI),DX
-	XORL 68(SI),CX
-	XORL 72(SI),R8
-	XORL 76(SI),R9
-	MOVL DX,64(DI)
-	MOVL CX,68(DI)
-	MOVL R8,72(DI)
-	MOVL R9,76(DI)
-	MOVD X12,DX
-	MOVD X7,CX
-	MOVD X10,R8
-	MOVD X4,R9
-	PSHUFL $0X39,X12,X12
-	PSHUFL $0X39,X7,X7
-	PSHUFL $0X39,X10,X10
-	PSHUFL $0X39,X4,X4
-	XORL 128(SI),DX
-	XORL 132(SI),CX
-	XORL 136(SI),R8
-	XORL 140(SI),R9
-	MOVL DX,128(DI)
-	MOVL CX,132(DI)
-	MOVL R8,136(DI)
-	MOVL R9,140(DI)
-	MOVD X12,DX
-	MOVD X7,CX
-	MOVD X10,R8
-	MOVD X4,R9
-	XORL 192(SI),DX
-	XORL 196(SI),CX
-	XORL 200(SI),R8
-	XORL 204(SI),R9
-	MOVL DX,192(DI)
-	MOVL CX,196(DI)
-	MOVL R8,200(DI)
-	MOVL R9,204(DI)
-	PADDL 240(SP),X14
-	PADDL 64(SP),X0
-	PADDL 128(SP),X5
-	PADDL 192(SP),X8
-	MOVD X14,DX
-	MOVD X0,CX
-	MOVD X5,R8
-	MOVD X8,R9
-	PSHUFL $0X39,X14,X14
-	PSHUFL $0X39,X0,X0
-	PSHUFL $0X39,X5,X5
-	PSHUFL $0X39,X8,X8
-	XORL 16(SI),DX
-	XORL 20(SI),CX
-	XORL 24(SI),R8
-	XORL 28(SI),R9
-	MOVL DX,16(DI)
-	MOVL CX,20(DI)
-	MOVL R8,24(DI)
-	MOVL R9,28(DI)
-	MOVD X14,DX
-	MOVD X0,CX
-	MOVD X5,R8
-	MOVD X8,R9
-	PSHUFL $0X39,X14,X14
-	PSHUFL $0X39,X0,X0
-	PSHUFL $0X39,X5,X5
-	PSHUFL $0X39,X8,X8
-	XORL 80(SI),DX
-	XORL 84(SI),CX
-	XORL 88(SI),R8
-	XORL 92(SI),R9
-	MOVL DX,80(DI)
-	MOVL CX,84(DI)
-	MOVL R8,88(DI)
-	MOVL R9,92(DI)
-	MOVD X14,DX
-	MOVD X0,CX
-	MOVD X5,R8
-	MOVD X8,R9
-	PSHUFL $0X39,X14,X14
-	PSHUFL $0X39,X0,X0
-	PSHUFL $0X39,X5,X5
-	PSHUFL $0X39,X8,X8
-	XORL 144(SI),DX
-	XORL 148(SI),CX
-	XORL 152(SI),R8
-	XORL 156(SI),R9
-	MOVL DX,144(DI)
-	MOVL CX,148(DI)
-	MOVL R8,152(DI)
-	MOVL R9,156(DI)
-	MOVD X14,DX
-	MOVD X0,CX
-	MOVD X5,R8
-	MOVD X8,R9
-	XORL 208(SI),DX
-	XORL 212(SI),CX
-	XORL 216(SI),R8
-	XORL 220(SI),R9
-	MOVL DX,208(DI)
-	MOVL CX,212(DI)
-	MOVL R8,216(DI)
-	MOVL R9,220(DI)
-	PADDL 288(SP),X15
-	PADDL 304(SP),X11
-	PADDL 80(SP),X1
-	PADDL 144(SP),X6
-	MOVD X15,DX
-	MOVD X11,CX
-	MOVD X1,R8
-	MOVD X6,R9
-	PSHUFL $0X39,X15,X15
-	PSHUFL $0X39,X11,X11
-	PSHUFL $0X39,X1,X1
-	PSHUFL $0X39,X6,X6
-	XORL 32(SI),DX
-	XORL 36(SI),CX
-	XORL 40(SI),R8
-	XORL 44(SI),R9
-	MOVL DX,32(DI)
-	MOVL CX,36(DI)
-	MOVL R8,40(DI)
-	MOVL R9,44(DI)
-	MOVD X15,DX
-	MOVD X11,CX
-	MOVD X1,R8
-	MOVD X6,R9
-	PSHUFL $0X39,X15,X15
-	PSHUFL $0X39,X11,X11
-	PSHUFL $0X39,X1,X1
-	PSHUFL $0X39,X6,X6
-	XORL 96(SI),DX
-	XORL 100(SI),CX
-	XORL 104(SI),R8
-	XORL 108(SI),R9
-	MOVL DX,96(DI)
-	MOVL CX,100(DI)
-	MOVL R8,104(DI)
-	MOVL R9,108(DI)
-	MOVD X15,DX
-	MOVD X11,CX
-	MOVD X1,R8
-	MOVD X6,R9
-	PSHUFL $0X39,X15,X15
-	PSHUFL $0X39,X11,X11
-	PSHUFL $0X39,X1,X1
-	PSHUFL $0X39,X6,X6
-	XORL 160(SI),DX
-	XORL 164(SI),CX
-	XORL 168(SI),R8
-	XORL 172(SI),R9
-	MOVL DX,160(DI)
-	MOVL CX,164(DI)
-	MOVL R8,168(DI)
-	MOVL R9,172(DI)
-	MOVD X15,DX
-	MOVD X11,CX
-	MOVD X1,R8
-	MOVD X6,R9
-	XORL 224(SI),DX
-	XORL 228(SI),CX
-	XORL 232(SI),R8
-	XORL 236(SI),R9
-	MOVL DX,224(DI)
-	MOVL CX,228(DI)
-	MOVL R8,232(DI)
-	MOVL R9,236(DI)
-	PADDL 160(SP),X13
-	PADDL 208(SP),X9
-	PADDL 256(SP),X3
-	PADDL 96(SP),X2
-	MOVD X13,DX
-	MOVD X9,CX
-	MOVD X3,R8
-	MOVD X2,R9
-	PSHUFL $0X39,X13,X13
-	PSHUFL $0X39,X9,X9
-	PSHUFL $0X39,X3,X3
-	PSHUFL $0X39,X2,X2
-	XORL 48(SI),DX
-	XORL 52(SI),CX
-	XORL 56(SI),R8
-	XORL 60(SI),R9
-	MOVL DX,48(DI)
-	MOVL CX,52(DI)
-	MOVL R8,56(DI)
-	MOVL R9,60(DI)
-	MOVD X13,DX
-	MOVD X9,CX
-	MOVD X3,R8
-	MOVD X2,R9
-	PSHUFL $0X39,X13,X13
-	PSHUFL $0X39,X9,X9
-	PSHUFL $0X39,X3,X3
-	PSHUFL $0X39,X2,X2
-	XORL 112(SI),DX
-	XORL 116(SI),CX
-	XORL 120(SI),R8
-	XORL 124(SI),R9
-	MOVL DX,112(DI)
-	MOVL CX,116(DI)
-	MOVL R8,120(DI)
-	MOVL R9,124(DI)
-	MOVD X13,DX
-	MOVD X9,CX
-	MOVD X3,R8
-	MOVD X2,R9
-	PSHUFL $0X39,X13,X13
-	PSHUFL $0X39,X9,X9
-	PSHUFL $0X39,X3,X3
-	PSHUFL $0X39,X2,X2
-	XORL 176(SI),DX
-	XORL 180(SI),CX
-	XORL 184(SI),R8
-	XORL 188(SI),R9
-	MOVL DX,176(DI)
-	MOVL CX,180(DI)
-	MOVL R8,184(DI)
-	MOVL R9,188(DI)
-	MOVD X13,DX
-	MOVD X9,CX
-	MOVD X3,R8
-	MOVD X2,R9
-	XORL 240(SI),DX
-	XORL 244(SI),CX
-	XORL 248(SI),R8
-	XORL 252(SI),R9
-	MOVL DX,240(DI)
-	MOVL CX,244(DI)
-	MOVL R8,248(DI)
-	MOVL R9,252(DI)
-	MOVQ 352(SP),R9
-	SUBQ $256,R9
-	ADDQ $256,SI
-	ADDQ $256,DI
-	CMPQ R9,$256
-	JAE BYTESATLEAST256
-	CMPQ R9,$0
-	JBE DONE
-	BYTESBETWEEN1AND255:
-	CMPQ R9,$64
-	JAE NOCOPY
-	MOVQ DI,DX
-	LEAQ 360(SP),DI
-	MOVQ R9,CX
-	REP; MOVSB
-	LEAQ 360(SP),DI
-	LEAQ 360(SP),SI
-	NOCOPY:
-	MOVQ R9,352(SP)
-	MOVOA 48(SP),X0
-	MOVOA 0(SP),X1
-	MOVOA 16(SP),X2
-	MOVOA 32(SP),X3
-	MOVOA X1,X4
-	MOVQ $20,CX
-	MAINLOOP2:
-	PADDL X0,X4
-	MOVOA X0,X5
-	MOVOA X4,X6
-	PSLLL $7,X4
-	PSRLL $25,X6
-	PXOR X4,X3
-	PXOR X6,X3
-	PADDL X3,X5
-	MOVOA X3,X4
-	MOVOA X5,X6
-	PSLLL $9,X5
-	PSRLL $23,X6
-	PXOR X5,X2
-	PSHUFL $0X93,X3,X3
-	PXOR X6,X2
-	PADDL X2,X4
-	MOVOA X2,X5
-	MOVOA X4,X6
-	PSLLL $13,X4
-	PSRLL $19,X6
-	PXOR X4,X1
-	PSHUFL $0X4E,X2,X2
-	PXOR X6,X1
-	PADDL X1,X5
-	MOVOA X3,X4
-	MOVOA X5,X6
-	PSLLL $18,X5
-	PSRLL $14,X6
-	PXOR X5,X0
-	PSHUFL $0X39,X1,X1
-	PXOR X6,X0
-	PADDL X0,X4
-	MOVOA X0,X5
-	MOVOA X4,X6
-	PSLLL $7,X4
-	PSRLL $25,X6
-	PXOR X4,X1
-	PXOR X6,X1
-	PADDL X1,X5
-	MOVOA X1,X4
-	MOVOA X5,X6
-	PSLLL $9,X5
-	PSRLL $23,X6
-	PXOR X5,X2
-	PSHUFL $0X93,X1,X1
-	PXOR X6,X2
-	PADDL X2,X4
-	MOVOA X2,X5
-	MOVOA X4,X6
-	PSLLL $13,X4
-	PSRLL $19,X6
-	PXOR X4,X3
-	PSHUFL $0X4E,X2,X2
-	PXOR X6,X3
-	PADDL X3,X5
-	MOVOA X1,X4
-	MOVOA X5,X6
-	PSLLL $18,X5
-	PSRLL $14,X6
-	PXOR X5,X0
-	PSHUFL $0X39,X3,X3
-	PXOR X6,X0
-	PADDL X0,X4
-	MOVOA X0,X5
-	MOVOA X4,X6
-	PSLLL $7,X4
-	PSRLL $25,X6
-	PXOR X4,X3
-	PXOR X6,X3
-	PADDL X3,X5
-	MOVOA X3,X4
-	MOVOA X5,X6
-	PSLLL $9,X5
-	PSRLL $23,X6
-	PXOR X5,X2
-	PSHUFL $0X93,X3,X3
-	PXOR X6,X2
-	PADDL X2,X4
-	MOVOA X2,X5
-	MOVOA X4,X6
-	PSLLL $13,X4
-	PSRLL $19,X6
-	PXOR X4,X1
-	PSHUFL $0X4E,X2,X2
-	PXOR X6,X1
-	PADDL X1,X5
-	MOVOA X3,X4
-	MOVOA X5,X6
-	PSLLL $18,X5
-	PSRLL $14,X6
-	PXOR X5,X0
-	PSHUFL $0X39,X1,X1
-	PXOR X6,X0
-	PADDL X0,X4
-	MOVOA X0,X5
-	MOVOA X4,X6
-	PSLLL $7,X4
-	PSRLL $25,X6
-	PXOR X4,X1
-	PXOR X6,X1
-	PADDL X1,X5
-	MOVOA X1,X4
-	MOVOA X5,X6
-	PSLLL $9,X5
-	PSRLL $23,X6
-	PXOR X5,X2
-	PSHUFL $0X93,X1,X1
-	PXOR X6,X2
-	PADDL X2,X4
-	MOVOA X2,X5
-	MOVOA X4,X6
-	PSLLL $13,X4
-	PSRLL $19,X6
-	PXOR X4,X3
-	PSHUFL $0X4E,X2,X2
-	PXOR X6,X3
-	SUBQ $4,CX
-	PADDL X3,X5
-	MOVOA X1,X4
-	MOVOA X5,X6
-	PSLLL $18,X5
-	PXOR X7,X7
-	PSRLL $14,X6
-	PXOR X5,X0
-	PSHUFL $0X39,X3,X3
-	PXOR X6,X0
-	JA MAINLOOP2
-	PADDL 48(SP),X0
-	PADDL 0(SP),X1
-	PADDL 16(SP),X2
-	PADDL 32(SP),X3
-	MOVD X0,CX
-	MOVD X1,R8
-	MOVD X2,R9
-	MOVD X3,AX
-	PSHUFL $0X39,X0,X0
-	PSHUFL $0X39,X1,X1
-	PSHUFL $0X39,X2,X2
-	PSHUFL $0X39,X3,X3
-	XORL 0(SI),CX
-	XORL 48(SI),R8
-	XORL 32(SI),R9
-	XORL 16(SI),AX
-	MOVL CX,0(DI)
-	MOVL R8,48(DI)
-	MOVL R9,32(DI)
-	MOVL AX,16(DI)
-	MOVD X0,CX
-	MOVD X1,R8
-	MOVD X2,R9
-	MOVD X3,AX
-	PSHUFL $0X39,X0,X0
-	PSHUFL $0X39,X1,X1
-	PSHUFL $0X39,X2,X2
-	PSHUFL $0X39,X3,X3
-	XORL 20(SI),CX
-	XORL 4(SI),R8
-	XORL 52(SI),R9
-	XORL 36(SI),AX
-	MOVL CX,20(DI)
-	MOVL R8,4(DI)
-	MOVL R9,52(DI)
-	MOVL AX,36(DI)
-	MOVD X0,CX
-	MOVD X1,R8
-	MOVD X2,R9
-	MOVD X3,AX
-	PSHUFL $0X39,X0,X0
-	PSHUFL $0X39,X1,X1
-	PSHUFL $0X39,X2,X2
-	PSHUFL $0X39,X3,X3
-	XORL 40(SI),CX
-	XORL 24(SI),R8
-	XORL 8(SI),R9
-	XORL 56(SI),AX
-	MOVL CX,40(DI)
-	MOVL R8,24(DI)
-	MOVL R9,8(DI)
-	MOVL AX,56(DI)
-	MOVD X0,CX
-	MOVD X1,R8
-	MOVD X2,R9
-	MOVD X3,AX
-	XORL 60(SI),CX
-	XORL 44(SI),R8
-	XORL 28(SI),R9
-	XORL 12(SI),AX
-	MOVL CX,60(DI)
-	MOVL R8,44(DI)
-	MOVL R9,28(DI)
-	MOVL AX,12(DI)
-	MOVQ 352(SP),R9
-	MOVL 16(SP),CX
-	MOVL  36 (SP),R8
-	ADDQ $1,CX
-	SHLQ $32,R8
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $32,R8
-	MOVL CX,16(SP)
-	MOVL R8, 36 (SP)
-	CMPQ R9,$64
-	JA BYTESATLEAST65
-	JAE BYTESATLEAST64
-	MOVQ DI,SI
-	MOVQ DX,DI
-	MOVQ R9,CX
-	REP; MOVSB
-	BYTESATLEAST64:
-	DONE:
-	MOVQ R12,SP
-	RET
-	BYTESATLEAST65:
-	SUBQ $64,R9
-	ADDQ $64,DI
-	ADDQ $64,SI
-	JMP BYTESBETWEEN1AND255
diff --git a/vendor/golang.org/x/crypto/salsa20/salsa/salsa208.go b/vendor/golang.org/x/crypto/salsa20/salsa/salsa208.go
deleted file mode 100644
index 9bfc0927..00000000
--- a/vendor/golang.org/x/crypto/salsa20/salsa/salsa208.go
+++ /dev/null
@@ -1,199 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package salsa
-
-// Core208 applies the Salsa20/8 core function to the 64-byte array in and puts
-// the result into the 64-byte array out. The input and output may be the same array.
-func Core208(out *[64]byte, in *[64]byte) {
-	j0 := uint32(in[0]) | uint32(in[1])<<8 | uint32(in[2])<<16 | uint32(in[3])<<24
-	j1 := uint32(in[4]) | uint32(in[5])<<8 | uint32(in[6])<<16 | uint32(in[7])<<24
-	j2 := uint32(in[8]) | uint32(in[9])<<8 | uint32(in[10])<<16 | uint32(in[11])<<24
-	j3 := uint32(in[12]) | uint32(in[13])<<8 | uint32(in[14])<<16 | uint32(in[15])<<24
-	j4 := uint32(in[16]) | uint32(in[17])<<8 | uint32(in[18])<<16 | uint32(in[19])<<24
-	j5 := uint32(in[20]) | uint32(in[21])<<8 | uint32(in[22])<<16 | uint32(in[23])<<24
-	j6 := uint32(in[24]) | uint32(in[25])<<8 | uint32(in[26])<<16 | uint32(in[27])<<24
-	j7 := uint32(in[28]) | uint32(in[29])<<8 | uint32(in[30])<<16 | uint32(in[31])<<24
-	j8 := uint32(in[32]) | uint32(in[33])<<8 | uint32(in[34])<<16 | uint32(in[35])<<24
-	j9 := uint32(in[36]) | uint32(in[37])<<8 | uint32(in[38])<<16 | uint32(in[39])<<24
-	j10 := uint32(in[40]) | uint32(in[41])<<8 | uint32(in[42])<<16 | uint32(in[43])<<24
-	j11 := uint32(in[44]) | uint32(in[45])<<8 | uint32(in[46])<<16 | uint32(in[47])<<24
-	j12 := uint32(in[48]) | uint32(in[49])<<8 | uint32(in[50])<<16 | uint32(in[51])<<24
-	j13 := uint32(in[52]) | uint32(in[53])<<8 | uint32(in[54])<<16 | uint32(in[55])<<24
-	j14 := uint32(in[56]) | uint32(in[57])<<8 | uint32(in[58])<<16 | uint32(in[59])<<24
-	j15 := uint32(in[60]) | uint32(in[61])<<8 | uint32(in[62])<<16 | uint32(in[63])<<24
-
-	x0, x1, x2, x3, x4, x5, x6, x7, x8 := j0, j1, j2, j3, j4, j5, j6, j7, j8
-	x9, x10, x11, x12, x13, x14, x15 := j9, j10, j11, j12, j13, j14, j15
-
-	for i := 0; i < 8; i += 2 {
-		u := x0 + x12
-		x4 ^= u<<7 | u>>(32-7)
-		u = x4 + x0
-		x8 ^= u<<9 | u>>(32-9)
-		u = x8 + x4
-		x12 ^= u<<13 | u>>(32-13)
-		u = x12 + x8
-		x0 ^= u<<18 | u>>(32-18)
-
-		u = x5 + x1
-		x9 ^= u<<7 | u>>(32-7)
-		u = x9 + x5
-		x13 ^= u<<9 | u>>(32-9)
-		u = x13 + x9
-		x1 ^= u<<13 | u>>(32-13)
-		u = x1 + x13
-		x5 ^= u<<18 | u>>(32-18)
-
-		u = x10 + x6
-		x14 ^= u<<7 | u>>(32-7)
-		u = x14 + x10
-		x2 ^= u<<9 | u>>(32-9)
-		u = x2 + x14
-		x6 ^= u<<13 | u>>(32-13)
-		u = x6 + x2
-		x10 ^= u<<18 | u>>(32-18)
-
-		u = x15 + x11
-		x3 ^= u<<7 | u>>(32-7)
-		u = x3 + x15
-		x7 ^= u<<9 | u>>(32-9)
-		u = x7 + x3
-		x11 ^= u<<13 | u>>(32-13)
-		u = x11 + x7
-		x15 ^= u<<18 | u>>(32-18)
-
-		u = x0 + x3
-		x1 ^= u<<7 | u>>(32-7)
-		u = x1 + x0
-		x2 ^= u<<9 | u>>(32-9)
-		u = x2 + x1
-		x3 ^= u<<13 | u>>(32-13)
-		u = x3 + x2
-		x0 ^= u<<18 | u>>(32-18)
-
-		u = x5 + x4
-		x6 ^= u<<7 | u>>(32-7)
-		u = x6 + x5
-		x7 ^= u<<9 | u>>(32-9)
-		u = x7 + x6
-		x4 ^= u<<13 | u>>(32-13)
-		u = x4 + x7
-		x5 ^= u<<18 | u>>(32-18)
-
-		u = x10 + x9
-		x11 ^= u<<7 | u>>(32-7)
-		u = x11 + x10
-		x8 ^= u<<9 | u>>(32-9)
-		u = x8 + x11
-		x9 ^= u<<13 | u>>(32-13)
-		u = x9 + x8
-		x10 ^= u<<18 | u>>(32-18)
-
-		u = x15 + x14
-		x12 ^= u<<7 | u>>(32-7)
-		u = x12 + x15
-		x13 ^= u<<9 | u>>(32-9)
-		u = x13 + x12
-		x14 ^= u<<13 | u>>(32-13)
-		u = x14 + x13
-		x15 ^= u<<18 | u>>(32-18)
-	}
-	x0 += j0
-	x1 += j1
-	x2 += j2
-	x3 += j3
-	x4 += j4
-	x5 += j5
-	x6 += j6
-	x7 += j7
-	x8 += j8
-	x9 += j9
-	x10 += j10
-	x11 += j11
-	x12 += j12
-	x13 += j13
-	x14 += j14
-	x15 += j15
-
-	out[0] = byte(x0)
-	out[1] = byte(x0 >> 8)
-	out[2] = byte(x0 >> 16)
-	out[3] = byte(x0 >> 24)
-
-	out[4] = byte(x1)
-	out[5] = byte(x1 >> 8)
-	out[6] = byte(x1 >> 16)
-	out[7] = byte(x1 >> 24)
-
-	out[8] = byte(x2)
-	out[9] = byte(x2 >> 8)
-	out[10] = byte(x2 >> 16)
-	out[11] = byte(x2 >> 24)
-
-	out[12] = byte(x3)
-	out[13] = byte(x3 >> 8)
-	out[14] = byte(x3 >> 16)
-	out[15] = byte(x3 >> 24)
-
-	out[16] = byte(x4)
-	out[17] = byte(x4 >> 8)
-	out[18] = byte(x4 >> 16)
-	out[19] = byte(x4 >> 24)
-
-	out[20] = byte(x5)
-	out[21] = byte(x5 >> 8)
-	out[22] = byte(x5 >> 16)
-	out[23] = byte(x5 >> 24)
-
-	out[24] = byte(x6)
-	out[25] = byte(x6 >> 8)
-	out[26] = byte(x6 >> 16)
-	out[27] = byte(x6 >> 24)
-
-	out[28] = byte(x7)
-	out[29] = byte(x7 >> 8)
-	out[30] = byte(x7 >> 16)
-	out[31] = byte(x7 >> 24)
-
-	out[32] = byte(x8)
-	out[33] = byte(x8 >> 8)
-	out[34] = byte(x8 >> 16)
-	out[35] = byte(x8 >> 24)
-
-	out[36] = byte(x9)
-	out[37] = byte(x9 >> 8)
-	out[38] = byte(x9 >> 16)
-	out[39] = byte(x9 >> 24)
-
-	out[40] = byte(x10)
-	out[41] = byte(x10 >> 8)
-	out[42] = byte(x10 >> 16)
-	out[43] = byte(x10 >> 24)
-
-	out[44] = byte(x11)
-	out[45] = byte(x11 >> 8)
-	out[46] = byte(x11 >> 16)
-	out[47] = byte(x11 >> 24)
-
-	out[48] = byte(x12)
-	out[49] = byte(x12 >> 8)
-	out[50] = byte(x12 >> 16)
-	out[51] = byte(x12 >> 24)
-
-	out[52] = byte(x13)
-	out[53] = byte(x13 >> 8)
-	out[54] = byte(x13 >> 16)
-	out[55] = byte(x13 >> 24)
-
-	out[56] = byte(x14)
-	out[57] = byte(x14 >> 8)
-	out[58] = byte(x14 >> 16)
-	out[59] = byte(x14 >> 24)
-
-	out[60] = byte(x15)
-	out[61] = byte(x15 >> 8)
-	out[62] = byte(x15 >> 16)
-	out[63] = byte(x15 >> 24)
-}
diff --git a/vendor/golang.org/x/crypto/salsa20/salsa/salsa20_amd64.go b/vendor/golang.org/x/crypto/salsa20/salsa/salsa20_amd64.go
deleted file mode 100644
index f9269c38..00000000
--- a/vendor/golang.org/x/crypto/salsa20/salsa/salsa20_amd64.go
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!appengine,!gccgo
-
-package salsa
-
-// This function is implemented in salsa2020_amd64.s.
-
-//go:noescape
-
-func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte)
-
-// XORKeyStream crypts bytes from in to out using the given key and counters.
-// In and out must overlap entirely or not at all. Counter
-// contains the raw salsa20 counter bytes (both nonce and block counter).
-func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) {
-	if len(in) == 0 {
-		return
-	}
-	_ = out[len(in)-1]
-	salsa2020XORKeyStream(&out[0], &in[0], uint64(len(in)), &counter[0], &key[0])
-}
diff --git a/vendor/golang.org/x/crypto/salsa20/salsa/salsa20_ref.go b/vendor/golang.org/x/crypto/salsa20/salsa/salsa20_ref.go
deleted file mode 100644
index 22126d17..00000000
--- a/vendor/golang.org/x/crypto/salsa20/salsa/salsa20_ref.go
+++ /dev/null
@@ -1,234 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !amd64 appengine gccgo
-
-package salsa
-
-const rounds = 20
-
-// core applies the Salsa20 core function to 16-byte input in, 32-byte key k,
-// and 16-byte constant c, and puts the result into 64-byte array out.
-func core(out *[64]byte, in *[16]byte, k *[32]byte, c *[16]byte) {
-	j0 := uint32(c[0]) | uint32(c[1])<<8 | uint32(c[2])<<16 | uint32(c[3])<<24
-	j1 := uint32(k[0]) | uint32(k[1])<<8 | uint32(k[2])<<16 | uint32(k[3])<<24
-	j2 := uint32(k[4]) | uint32(k[5])<<8 | uint32(k[6])<<16 | uint32(k[7])<<24
-	j3 := uint32(k[8]) | uint32(k[9])<<8 | uint32(k[10])<<16 | uint32(k[11])<<24
-	j4 := uint32(k[12]) | uint32(k[13])<<8 | uint32(k[14])<<16 | uint32(k[15])<<24
-	j5 := uint32(c[4]) | uint32(c[5])<<8 | uint32(c[6])<<16 | uint32(c[7])<<24
-	j6 := uint32(in[0]) | uint32(in[1])<<8 | uint32(in[2])<<16 | uint32(in[3])<<24
-	j7 := uint32(in[4]) | uint32(in[5])<<8 | uint32(in[6])<<16 | uint32(in[7])<<24
-	j8 := uint32(in[8]) | uint32(in[9])<<8 | uint32(in[10])<<16 | uint32(in[11])<<24
-	j9 := uint32(in[12]) | uint32(in[13])<<8 | uint32(in[14])<<16 | uint32(in[15])<<24
-	j10 := uint32(c[8]) | uint32(c[9])<<8 | uint32(c[10])<<16 | uint32(c[11])<<24
-	j11 := uint32(k[16]) | uint32(k[17])<<8 | uint32(k[18])<<16 | uint32(k[19])<<24
-	j12 := uint32(k[20]) | uint32(k[21])<<8 | uint32(k[22])<<16 | uint32(k[23])<<24
-	j13 := uint32(k[24]) | uint32(k[25])<<8 | uint32(k[26])<<16 | uint32(k[27])<<24
-	j14 := uint32(k[28]) | uint32(k[29])<<8 | uint32(k[30])<<16 | uint32(k[31])<<24
-	j15 := uint32(c[12]) | uint32(c[13])<<8 | uint32(c[14])<<16 | uint32(c[15])<<24
-
-	x0, x1, x2, x3, x4, x5, x6, x7, x8 := j0, j1, j2, j3, j4, j5, j6, j7, j8
-	x9, x10, x11, x12, x13, x14, x15 := j9, j10, j11, j12, j13, j14, j15
-
-	for i := 0; i < rounds; i += 2 {
-		u := x0 + x12
-		x4 ^= u<<7 | u>>(32-7)
-		u = x4 + x0
-		x8 ^= u<<9 | u>>(32-9)
-		u = x8 + x4
-		x12 ^= u<<13 | u>>(32-13)
-		u = x12 + x8
-		x0 ^= u<<18 | u>>(32-18)
-
-		u = x5 + x1
-		x9 ^= u<<7 | u>>(32-7)
-		u = x9 + x5
-		x13 ^= u<<9 | u>>(32-9)
-		u = x13 + x9
-		x1 ^= u<<13 | u>>(32-13)
-		u = x1 + x13
-		x5 ^= u<<18 | u>>(32-18)
-
-		u = x10 + x6
-		x14 ^= u<<7 | u>>(32-7)
-		u = x14 + x10
-		x2 ^= u<<9 | u>>(32-9)
-		u = x2 + x14
-		x6 ^= u<<13 | u>>(32-13)
-		u = x6 + x2
-		x10 ^= u<<18 | u>>(32-18)
-
-		u = x15 + x11
-		x3 ^= u<<7 | u>>(32-7)
-		u = x3 + x15
-		x7 ^= u<<9 | u>>(32-9)
-		u = x7 + x3
-		x11 ^= u<<13 | u>>(32-13)
-		u = x11 + x7
-		x15 ^= u<<18 | u>>(32-18)
-
-		u = x0 + x3
-		x1 ^= u<<7 | u>>(32-7)
-		u = x1 + x0
-		x2 ^= u<<9 | u>>(32-9)
-		u = x2 + x1
-		x3 ^= u<<13 | u>>(32-13)
-		u = x3 + x2
-		x0 ^= u<<18 | u>>(32-18)
-
-		u = x5 + x4
-		x6 ^= u<<7 | u>>(32-7)
-		u = x6 + x5
-		x7 ^= u<<9 | u>>(32-9)
-		u = x7 + x6
-		x4 ^= u<<13 | u>>(32-13)
-		u = x4 + x7
-		x5 ^= u<<18 | u>>(32-18)
-
-		u = x10 + x9
-		x11 ^= u<<7 | u>>(32-7)
-		u = x11 + x10
-		x8 ^= u<<9 | u>>(32-9)
-		u = x8 + x11
-		x9 ^= u<<13 | u>>(32-13)
-		u = x9 + x8
-		x10 ^= u<<18 | u>>(32-18)
-
-		u = x15 + x14
-		x12 ^= u<<7 | u>>(32-7)
-		u = x12 + x15
-		x13 ^= u<<9 | u>>(32-9)
-		u = x13 + x12
-		x14 ^= u<<13 | u>>(32-13)
-		u = x14 + x13
-		x15 ^= u<<18 | u>>(32-18)
-	}
-	x0 += j0
-	x1 += j1
-	x2 += j2
-	x3 += j3
-	x4 += j4
-	x5 += j5
-	x6 += j6
-	x7 += j7
-	x8 += j8
-	x9 += j9
-	x10 += j10
-	x11 += j11
-	x12 += j12
-	x13 += j13
-	x14 += j14
-	x15 += j15
-
-	out[0] = byte(x0)
-	out[1] = byte(x0 >> 8)
-	out[2] = byte(x0 >> 16)
-	out[3] = byte(x0 >> 24)
-
-	out[4] = byte(x1)
-	out[5] = byte(x1 >> 8)
-	out[6] = byte(x1 >> 16)
-	out[7] = byte(x1 >> 24)
-
-	out[8] = byte(x2)
-	out[9] = byte(x2 >> 8)
-	out[10] = byte(x2 >> 16)
-	out[11] = byte(x2 >> 24)
-
-	out[12] = byte(x3)
-	out[13] = byte(x3 >> 8)
-	out[14] = byte(x3 >> 16)
-	out[15] = byte(x3 >> 24)
-
-	out[16] = byte(x4)
-	out[17] = byte(x4 >> 8)
-	out[18] = byte(x4 >> 16)
-	out[19] = byte(x4 >> 24)
-
-	out[20] = byte(x5)
-	out[21] = byte(x5 >> 8)
-	out[22] = byte(x5 >> 16)
-	out[23] = byte(x5 >> 24)
-
-	out[24] = byte(x6)
-	out[25] = byte(x6 >> 8)
-	out[26] = byte(x6 >> 16)
-	out[27] = byte(x6 >> 24)
-
-	out[28] = byte(x7)
-	out[29] = byte(x7 >> 8)
-	out[30] = byte(x7 >> 16)
-	out[31] = byte(x7 >> 24)
-
-	out[32] = byte(x8)
-	out[33] = byte(x8 >> 8)
-	out[34] = byte(x8 >> 16)
-	out[35] = byte(x8 >> 24)
-
-	out[36] = byte(x9)
-	out[37] = byte(x9 >> 8)
-	out[38] = byte(x9 >> 16)
-	out[39] = byte(x9 >> 24)
-
-	out[40] = byte(x10)
-	out[41] = byte(x10 >> 8)
-	out[42] = byte(x10 >> 16)
-	out[43] = byte(x10 >> 24)
-
-	out[44] = byte(x11)
-	out[45] = byte(x11 >> 8)
-	out[46] = byte(x11 >> 16)
-	out[47] = byte(x11 >> 24)
-
-	out[48] = byte(x12)
-	out[49] = byte(x12 >> 8)
-	out[50] = byte(x12 >> 16)
-	out[51] = byte(x12 >> 24)
-
-	out[52] = byte(x13)
-	out[53] = byte(x13 >> 8)
-	out[54] = byte(x13 >> 16)
-	out[55] = byte(x13 >> 24)
-
-	out[56] = byte(x14)
-	out[57] = byte(x14 >> 8)
-	out[58] = byte(x14 >> 16)
-	out[59] = byte(x14 >> 24)
-
-	out[60] = byte(x15)
-	out[61] = byte(x15 >> 8)
-	out[62] = byte(x15 >> 16)
-	out[63] = byte(x15 >> 24)
-}
-
-// XORKeyStream crypts bytes from in to out using the given key and counters.
-// In and out must overlap entirely or not at all. Counter
-// contains the raw salsa20 counter bytes (both nonce and block counter).
-func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) {
-	var block [64]byte
-	var counterCopy [16]byte
-	copy(counterCopy[:], counter[:])
-
-	for len(in) >= 64 {
-		core(&block, &counterCopy, key, &Sigma)
-		for i, x := range block {
-			out[i] = in[i] ^ x
-		}
-		u := uint32(1)
-		for i := 8; i < 16; i++ {
-			u += uint32(counterCopy[i])
-			counterCopy[i] = byte(u)
-			u >>= 8
-		}
-		in = in[64:]
-		out = out[64:]
-	}
-
-	if len(in) > 0 {
-		core(&block, &counterCopy, key, &Sigma)
-		for i, v := range in {
-			out[i] = v ^ block[i]
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/salsa20/salsa/salsa_test.go b/vendor/golang.org/x/crypto/salsa20/salsa/salsa_test.go
deleted file mode 100644
index f67e94eb..00000000
--- a/vendor/golang.org/x/crypto/salsa20/salsa/salsa_test.go
+++ /dev/null
@@ -1,54 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package salsa
-
-import "testing"
-
-func TestCore208(t *testing.T) {
-	in := [64]byte{
-		0x7e, 0x87, 0x9a, 0x21, 0x4f, 0x3e, 0xc9, 0x86,
-		0x7c, 0xa9, 0x40, 0xe6, 0x41, 0x71, 0x8f, 0x26,
-		0xba, 0xee, 0x55, 0x5b, 0x8c, 0x61, 0xc1, 0xb5,
-		0x0d, 0xf8, 0x46, 0x11, 0x6d, 0xcd, 0x3b, 0x1d,
-		0xee, 0x24, 0xf3, 0x19, 0xdf, 0x9b, 0x3d, 0x85,
-		0x14, 0x12, 0x1e, 0x4b, 0x5a, 0xc5, 0xaa, 0x32,
-		0x76, 0x02, 0x1d, 0x29, 0x09, 0xc7, 0x48, 0x29,
-		0xed, 0xeb, 0xc6, 0x8d, 0xb8, 0xb8, 0xc2, 0x5e}
-
-	out := [64]byte{
-		0xa4, 0x1f, 0x85, 0x9c, 0x66, 0x08, 0xcc, 0x99,
-		0x3b, 0x81, 0xca, 0xcb, 0x02, 0x0c, 0xef, 0x05,
-		0x04, 0x4b, 0x21, 0x81, 0xa2, 0xfd, 0x33, 0x7d,
-		0xfd, 0x7b, 0x1c, 0x63, 0x96, 0x68, 0x2f, 0x29,
-		0xb4, 0x39, 0x31, 0x68, 0xe3, 0xc9, 0xe6, 0xbc,
-		0xfe, 0x6b, 0xc5, 0xb7, 0xa0, 0x6d, 0x96, 0xba,
-		0xe4, 0x24, 0xcc, 0x10, 0x2c, 0x91, 0x74, 0x5c,
-		0x24, 0xad, 0x67, 0x3d, 0xc7, 0x61, 0x8f, 0x81,
-	}
-
-	Core208(&in, &in)
-	if in != out {
-		t.Errorf("expected %x, got %x", out, in)
-	}
-}
-
-func TestOutOfBoundsWrite(t *testing.T) {
-	// encrypted "0123456789"
-	cipherText := []byte{170, 166, 196, 104, 175, 121, 68, 44, 174, 51}
-	var counter [16]byte
-	var key [32]byte
-	want := "abcdefghij"
-	plainText := []byte(want)
-	defer func() {
-		err := recover()
-		if err == nil {
-			t.Error("XORKeyStream expected to panic on len(dst) < len(src), but didn't")
-		}
-		if plainText[3] == '3' {
-			t.Errorf("XORKeyStream did out of bounds write, want %v, got %v", want, string(plainText))
-		}
-	}()
-	XORKeyStream(plainText[:3], cipherText, &counter, &key)
-}
diff --git a/vendor/golang.org/x/crypto/salsa20/salsa20.go b/vendor/golang.org/x/crypto/salsa20/salsa20.go
deleted file mode 100644
index 0ee62485..00000000
--- a/vendor/golang.org/x/crypto/salsa20/salsa20.go
+++ /dev/null
@@ -1,54 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package salsa20 implements the Salsa20 stream cipher as specified in https://cr.yp.to/snuffle/spec.pdf.
-
-Salsa20 differs from many other stream ciphers in that it is message orientated
-rather than byte orientated. Keystream blocks are not preserved between calls,
-therefore each side must encrypt/decrypt data with the same segmentation.
-
-Another aspect of this difference is that part of the counter is exposed as
-a nonce in each call. Encrypting two different messages with the same (key,
-nonce) pair leads to trivial plaintext recovery. This is analogous to
-encrypting two different messages with the same key with a traditional stream
-cipher.
-
-This package also implements XSalsa20: a version of Salsa20 with a 24-byte
-nonce as specified in https://cr.yp.to/snuffle/xsalsa-20081128.pdf. Simply
-passing a 24-byte slice as the nonce triggers XSalsa20.
-*/
-package salsa20 // import "golang.org/x/crypto/salsa20"
-
-// TODO(agl): implement XORKeyStream12 and XORKeyStream8 - the reduced round variants of Salsa20.
-
-import (
-	"golang.org/x/crypto/salsa20/salsa"
-)
-
-// XORKeyStream crypts bytes from in to out using the given key and nonce.
-// In and out must overlap entirely or not at all. Nonce must
-// be either 8 or 24 bytes long.
-func XORKeyStream(out, in []byte, nonce []byte, key *[32]byte) {
-	if len(out) < len(in) {
-		in = in[:len(out)]
-	}
-
-	var subNonce [16]byte
-
-	if len(nonce) == 24 {
-		var subKey [32]byte
-		var hNonce [16]byte
-		copy(hNonce[:], nonce[:16])
-		salsa.HSalsa20(&subKey, &hNonce, key, &salsa.Sigma)
-		copy(subNonce[:], nonce[16:])
-		key = &subKey
-	} else if len(nonce) == 8 {
-		copy(subNonce[:], nonce[:])
-	} else {
-		panic("salsa20: nonce must be 8 or 24 bytes")
-	}
-
-	salsa.XORKeyStream(out, in, &subNonce, key)
-}
diff --git a/vendor/golang.org/x/crypto/salsa20/salsa20_test.go b/vendor/golang.org/x/crypto/salsa20/salsa20_test.go
deleted file mode 100644
index 0ef3328e..00000000
--- a/vendor/golang.org/x/crypto/salsa20/salsa20_test.go
+++ /dev/null
@@ -1,139 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package salsa20
-
-import (
-	"bytes"
-	"encoding/hex"
-	"testing"
-)
-
-func fromHex(s string) []byte {
-	ret, err := hex.DecodeString(s)
-	if err != nil {
-		panic(err)
-	}
-	return ret
-}
-
-// testVectors was taken from set 6 of the ECRYPT test vectors:
-// http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/verified.test-vectors?logsort=rev&rev=210&view=markup
-var testVectors = []struct {
-	key      []byte
-	iv       []byte
-	numBytes int
-	xor      []byte
-}{
-	{
-		fromHex("0053A6F94C9FF24598EB3E91E4378ADD3083D6297CCF2275C81B6EC11467BA0D"),
-		fromHex("0D74DB42A91077DE"),
-		131072,
-		fromHex("C349B6A51A3EC9B712EAED3F90D8BCEE69B7628645F251A996F55260C62EF31FD6C6B0AEA94E136C9D984AD2DF3578F78E457527B03A0450580DD874F63B1AB9"),
-	},
-	{
-		fromHex("0558ABFE51A4F74A9DF04396E93C8FE23588DB2E81D4277ACD2073C6196CBF12"),
-		fromHex("167DE44BB21980E7"),
-		131072,
-		fromHex("C3EAAF32836BACE32D04E1124231EF47E101367D6305413A0EEB07C60698A2876E4D031870A739D6FFDDD208597AFF0A47AC17EDB0167DD67EBA84F1883D4DFD"),
-	},
-	{
-		fromHex("0A5DB00356A9FC4FA2F5489BEE4194E73A8DE03386D92C7FD22578CB1E71C417"),
-		fromHex("1F86ED54BB2289F0"),
-		131072,
-		fromHex("3CD23C3DC90201ACC0CF49B440B6C417F0DC8D8410A716D5314C059E14B1A8D9A9FB8EA3D9C8DAE12B21402F674AA95C67B1FC514E994C9D3F3A6E41DFF5BBA6"),
-	},
-	{
-		fromHex("0F62B5085BAE0154A7FA4DA0F34699EC3F92E5388BDE3184D72A7DD02376C91C"),
-		fromHex("288FF65DC42B92F9"),
-		131072,
-		fromHex("E00EBCCD70D69152725F9987982178A2E2E139C7BCBE04CA8A0E99E318D9AB76F988C8549F75ADD790BA4F81C176DA653C1A043F11A958E169B6D2319F4EEC1A"),
-	},
-}
-
-func TestSalsa20(t *testing.T) {
-	var inBuf, outBuf []byte
-	var key [32]byte
-
-	for i, test := range testVectors {
-		if test.numBytes%64 != 0 {
-			t.Errorf("#%d: numBytes is not a multiple of 64", i)
-			continue
-		}
-
-		if test.numBytes > len(inBuf) {
-			inBuf = make([]byte, test.numBytes)
-			outBuf = make([]byte, test.numBytes)
-		}
-		in := inBuf[:test.numBytes]
-		out := outBuf[:test.numBytes]
-		copy(key[:], test.key)
-		XORKeyStream(out, in, test.iv, &key)
-
-		var xor [64]byte
-		for len(out) > 0 {
-			for i := 0; i < 64; i++ {
-				xor[i] ^= out[i]
-			}
-			out = out[64:]
-		}
-
-		if !bytes.Equal(xor[:], test.xor) {
-			t.Errorf("#%d: bad result", i)
-		}
-	}
-}
-
-var xSalsa20TestData = []struct {
-	in, nonce, key, out []byte
-}{
-	{
-		[]byte("Hello world!"),
-		[]byte("24-byte nonce for xsalsa"),
-		[]byte("this is 32-byte key for xsalsa20"),
-		[]byte{0x00, 0x2d, 0x45, 0x13, 0x84, 0x3f, 0xc2, 0x40, 0xc4, 0x01, 0xe5, 0x41},
-	},
-	{
-		make([]byte, 64),
-		[]byte("24-byte nonce for xsalsa"),
-		[]byte("this is 32-byte key for xsalsa20"),
-		[]byte{0x48, 0x48, 0x29, 0x7f, 0xeb, 0x1f, 0xb5, 0x2f, 0xb6,
-			0x6d, 0x81, 0x60, 0x9b, 0xd5, 0x47, 0xfa, 0xbc, 0xbe, 0x70,
-			0x26, 0xed, 0xc8, 0xb5, 0xe5, 0xe4, 0x49, 0xd0, 0x88, 0xbf,
-			0xa6, 0x9c, 0x08, 0x8f, 0x5d, 0x8d, 0xa1, 0xd7, 0x91, 0x26,
-			0x7c, 0x2c, 0x19, 0x5a, 0x7f, 0x8c, 0xae, 0x9c, 0x4b, 0x40,
-			0x50, 0xd0, 0x8c, 0xe6, 0xd3, 0xa1, 0x51, 0xec, 0x26, 0x5f,
-			0x3a, 0x58, 0xe4, 0x76, 0x48},
-	},
-}
-
-func TestXSalsa20(t *testing.T) {
-	var key [32]byte
-
-	for i, test := range xSalsa20TestData {
-		out := make([]byte, len(test.in))
-		copy(key[:], test.key)
-		XORKeyStream(out, test.in, test.nonce, &key)
-		if !bytes.Equal(out, test.out) {
-			t.Errorf("%d: expected %x, got %x", i, test.out, out)
-		}
-	}
-}
-
-var (
-	keyArray [32]byte
-	key      = &keyArray
-	nonce    [8]byte
-	msg      = make([]byte, 1<<10)
-)
-
-func BenchmarkXOR1K(b *testing.B) {
-	b.StopTimer()
-	out := make([]byte, 1024)
-	b.StartTimer()
-	for i := 0; i < b.N; i++ {
-		XORKeyStream(out, msg[:1024], nonce[:], key)
-	}
-	b.SetBytes(1024)
-}
diff --git a/vendor/golang.org/x/crypto/scrypt/example_test.go b/vendor/golang.org/x/crypto/scrypt/example_test.go
deleted file mode 100644
index 6736479b..00000000
--- a/vendor/golang.org/x/crypto/scrypt/example_test.go
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package scrypt_test
-
-import (
-	"encoding/base64"
-	"fmt"
-	"log"
-
-	"golang.org/x/crypto/scrypt"
-)
-
-func Example() {
-	// DO NOT use this salt value; generate your own random salt. 8 bytes is
-	// a good length.
-	salt := []byte{0xc8, 0x28, 0xf2, 0x58, 0xa7, 0x6a, 0xad, 0x7b}
-
-	dk, err := scrypt.Key([]byte("some password"), salt, 1<<15, 8, 1, 32)
-	if err != nil {
-		log.Fatal(err)
-	}
-	fmt.Println(base64.StdEncoding.EncodeToString(dk))
-	// Output: lGnMz8io0AUkfzn6Pls1qX20Vs7PGN6sbYQ2TQgY12M=
-}
diff --git a/vendor/golang.org/x/crypto/scrypt/scrypt.go b/vendor/golang.org/x/crypto/scrypt/scrypt.go
deleted file mode 100644
index ff28aaef..00000000
--- a/vendor/golang.org/x/crypto/scrypt/scrypt.go
+++ /dev/null
@@ -1,244 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package scrypt implements the scrypt key derivation function as defined in
-// Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard
-// Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf).
-package scrypt // import "golang.org/x/crypto/scrypt"
-
-import (
-	"crypto/sha256"
-	"errors"
-
-	"golang.org/x/crypto/pbkdf2"
-)
-
-const maxInt = int(^uint(0) >> 1)
-
-// blockCopy copies n numbers from src into dst.
-func blockCopy(dst, src []uint32, n int) {
-	copy(dst, src[:n])
-}
-
-// blockXOR XORs numbers from dst with n numbers from src.
-func blockXOR(dst, src []uint32, n int) {
-	for i, v := range src[:n] {
-		dst[i] ^= v
-	}
-}
-
-// salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in,
-// and puts the result into both both tmp and out.
-func salsaXOR(tmp *[16]uint32, in, out []uint32) {
-	w0 := tmp[0] ^ in[0]
-	w1 := tmp[1] ^ in[1]
-	w2 := tmp[2] ^ in[2]
-	w3 := tmp[3] ^ in[3]
-	w4 := tmp[4] ^ in[4]
-	w5 := tmp[5] ^ in[5]
-	w6 := tmp[6] ^ in[6]
-	w7 := tmp[7] ^ in[7]
-	w8 := tmp[8] ^ in[8]
-	w9 := tmp[9] ^ in[9]
-	w10 := tmp[10] ^ in[10]
-	w11 := tmp[11] ^ in[11]
-	w12 := tmp[12] ^ in[12]
-	w13 := tmp[13] ^ in[13]
-	w14 := tmp[14] ^ in[14]
-	w15 := tmp[15] ^ in[15]
-
-	x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8
-	x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15
-
-	for i := 0; i < 8; i += 2 {
-		u := x0 + x12
-		x4 ^= u<<7 | u>>(32-7)
-		u = x4 + x0
-		x8 ^= u<<9 | u>>(32-9)
-		u = x8 + x4
-		x12 ^= u<<13 | u>>(32-13)
-		u = x12 + x8
-		x0 ^= u<<18 | u>>(32-18)
-
-		u = x5 + x1
-		x9 ^= u<<7 | u>>(32-7)
-		u = x9 + x5
-		x13 ^= u<<9 | u>>(32-9)
-		u = x13 + x9
-		x1 ^= u<<13 | u>>(32-13)
-		u = x1 + x13
-		x5 ^= u<<18 | u>>(32-18)
-
-		u = x10 + x6
-		x14 ^= u<<7 | u>>(32-7)
-		u = x14 + x10
-		x2 ^= u<<9 | u>>(32-9)
-		u = x2 + x14
-		x6 ^= u<<13 | u>>(32-13)
-		u = x6 + x2
-		x10 ^= u<<18 | u>>(32-18)
-
-		u = x15 + x11
-		x3 ^= u<<7 | u>>(32-7)
-		u = x3 + x15
-		x7 ^= u<<9 | u>>(32-9)
-		u = x7 + x3
-		x11 ^= u<<13 | u>>(32-13)
-		u = x11 + x7
-		x15 ^= u<<18 | u>>(32-18)
-
-		u = x0 + x3
-		x1 ^= u<<7 | u>>(32-7)
-		u = x1 + x0
-		x2 ^= u<<9 | u>>(32-9)
-		u = x2 + x1
-		x3 ^= u<<13 | u>>(32-13)
-		u = x3 + x2
-		x0 ^= u<<18 | u>>(32-18)
-
-		u = x5 + x4
-		x6 ^= u<<7 | u>>(32-7)
-		u = x6 + x5
-		x7 ^= u<<9 | u>>(32-9)
-		u = x7 + x6
-		x4 ^= u<<13 | u>>(32-13)
-		u = x4 + x7
-		x5 ^= u<<18 | u>>(32-18)
-
-		u = x10 + x9
-		x11 ^= u<<7 | u>>(32-7)
-		u = x11 + x10
-		x8 ^= u<<9 | u>>(32-9)
-		u = x8 + x11
-		x9 ^= u<<13 | u>>(32-13)
-		u = x9 + x8
-		x10 ^= u<<18 | u>>(32-18)
-
-		u = x15 + x14
-		x12 ^= u<<7 | u>>(32-7)
-		u = x12 + x15
-		x13 ^= u<<9 | u>>(32-9)
-		u = x13 + x12
-		x14 ^= u<<13 | u>>(32-13)
-		u = x14 + x13
-		x15 ^= u<<18 | u>>(32-18)
-	}
-	x0 += w0
-	x1 += w1
-	x2 += w2
-	x3 += w3
-	x4 += w4
-	x5 += w5
-	x6 += w6
-	x7 += w7
-	x8 += w8
-	x9 += w9
-	x10 += w10
-	x11 += w11
-	x12 += w12
-	x13 += w13
-	x14 += w14
-	x15 += w15
-
-	out[0], tmp[0] = x0, x0
-	out[1], tmp[1] = x1, x1
-	out[2], tmp[2] = x2, x2
-	out[3], tmp[3] = x3, x3
-	out[4], tmp[4] = x4, x4
-	out[5], tmp[5] = x5, x5
-	out[6], tmp[6] = x6, x6
-	out[7], tmp[7] = x7, x7
-	out[8], tmp[8] = x8, x8
-	out[9], tmp[9] = x9, x9
-	out[10], tmp[10] = x10, x10
-	out[11], tmp[11] = x11, x11
-	out[12], tmp[12] = x12, x12
-	out[13], tmp[13] = x13, x13
-	out[14], tmp[14] = x14, x14
-	out[15], tmp[15] = x15, x15
-}
-
-func blockMix(tmp *[16]uint32, in, out []uint32, r int) {
-	blockCopy(tmp[:], in[(2*r-1)*16:], 16)
-	for i := 0; i < 2*r; i += 2 {
-		salsaXOR(tmp, in[i*16:], out[i*8:])
-		salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:])
-	}
-}
-
-func integer(b []uint32, r int) uint64 {
-	j := (2*r - 1) * 16
-	return uint64(b[j]) | uint64(b[j+1])<<32
-}
-
-func smix(b []byte, r, N int, v, xy []uint32) {
-	var tmp [16]uint32
-	x := xy
-	y := xy[32*r:]
-
-	j := 0
-	for i := 0; i < 32*r; i++ {
-		x[i] = uint32(b[j]) | uint32(b[j+1])<<8 | uint32(b[j+2])<<16 | uint32(b[j+3])<<24
-		j += 4
-	}
-	for i := 0; i < N; i += 2 {
-		blockCopy(v[i*(32*r):], x, 32*r)
-		blockMix(&tmp, x, y, r)
-
-		blockCopy(v[(i+1)*(32*r):], y, 32*r)
-		blockMix(&tmp, y, x, r)
-	}
-	for i := 0; i < N; i += 2 {
-		j := int(integer(x, r) & uint64(N-1))
-		blockXOR(x, v[j*(32*r):], 32*r)
-		blockMix(&tmp, x, y, r)
-
-		j = int(integer(y, r) & uint64(N-1))
-		blockXOR(y, v[j*(32*r):], 32*r)
-		blockMix(&tmp, y, x, r)
-	}
-	j = 0
-	for _, v := range x[:32*r] {
-		b[j+0] = byte(v >> 0)
-		b[j+1] = byte(v >> 8)
-		b[j+2] = byte(v >> 16)
-		b[j+3] = byte(v >> 24)
-		j += 4
-	}
-}
-
-// Key derives a key from the password, salt, and cost parameters, returning
-// a byte slice of length keyLen that can be used as cryptographic key.
-//
-// N is a CPU/memory cost parameter, which must be a power of two greater than 1.
-// r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the
-// limits, the function returns a nil byte slice and an error.
-//
-// For example, you can get a derived key for e.g. AES-256 (which needs a
-// 32-byte key) by doing:
-//
-//      dk, err := scrypt.Key([]byte("some password"), salt, 16384, 8, 1, 32)
-//
-// The recommended parameters for interactive logins as of 2017 are N=32768, r=8
-// and p=1. The parameters N, r, and p should be increased as memory latency and
-// CPU parallelism increases; consider setting N to the highest power of 2 you
-// can derive within 100 milliseconds. Remember to get a good random salt.
-func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) {
-	if N <= 1 || N&(N-1) != 0 {
-		return nil, errors.New("scrypt: N must be > 1 and a power of 2")
-	}
-	if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r {
-		return nil, errors.New("scrypt: parameters are too large")
-	}
-
-	xy := make([]uint32, 64*r)
-	v := make([]uint32, 32*N*r)
-	b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New)
-
-	for i := 0; i < p; i++ {
-		smix(b[i*128*r:], r, N, v, xy)
-	}
-
-	return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil
-}
diff --git a/vendor/golang.org/x/crypto/scrypt/scrypt_test.go b/vendor/golang.org/x/crypto/scrypt/scrypt_test.go
deleted file mode 100644
index 766ed8d9..00000000
--- a/vendor/golang.org/x/crypto/scrypt/scrypt_test.go
+++ /dev/null
@@ -1,162 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package scrypt
-
-import (
-	"bytes"
-	"testing"
-)
-
-type testVector struct {
-	password string
-	salt     string
-	N, r, p  int
-	output   []byte
-}
-
-var good = []testVector{
-	{
-		"password",
-		"salt",
-		2, 10, 10,
-		[]byte{
-			0x48, 0x2c, 0x85, 0x8e, 0x22, 0x90, 0x55, 0xe6, 0x2f,
-			0x41, 0xe0, 0xec, 0x81, 0x9a, 0x5e, 0xe1, 0x8b, 0xdb,
-			0x87, 0x25, 0x1a, 0x53, 0x4f, 0x75, 0xac, 0xd9, 0x5a,
-			0xc5, 0xe5, 0xa, 0xa1, 0x5f,
-		},
-	},
-	{
-		"password",
-		"salt",
-		16, 100, 100,
-		[]byte{
-			0x88, 0xbd, 0x5e, 0xdb, 0x52, 0xd1, 0xdd, 0x0, 0x18,
-			0x87, 0x72, 0xad, 0x36, 0x17, 0x12, 0x90, 0x22, 0x4e,
-			0x74, 0x82, 0x95, 0x25, 0xb1, 0x8d, 0x73, 0x23, 0xa5,
-			0x7f, 0x91, 0x96, 0x3c, 0x37,
-		},
-	},
-	{
-		"this is a long \000 password",
-		"and this is a long \000 salt",
-		16384, 8, 1,
-		[]byte{
-			0xc3, 0xf1, 0x82, 0xee, 0x2d, 0xec, 0x84, 0x6e, 0x70,
-			0xa6, 0x94, 0x2f, 0xb5, 0x29, 0x98, 0x5a, 0x3a, 0x09,
-			0x76, 0x5e, 0xf0, 0x4c, 0x61, 0x29, 0x23, 0xb1, 0x7f,
-			0x18, 0x55, 0x5a, 0x37, 0x07, 0x6d, 0xeb, 0x2b, 0x98,
-			0x30, 0xd6, 0x9d, 0xe5, 0x49, 0x26, 0x51, 0xe4, 0x50,
-			0x6a, 0xe5, 0x77, 0x6d, 0x96, 0xd4, 0x0f, 0x67, 0xaa,
-			0xee, 0x37, 0xe1, 0x77, 0x7b, 0x8a, 0xd5, 0xc3, 0x11,
-			0x14, 0x32, 0xbb, 0x3b, 0x6f, 0x7e, 0x12, 0x64, 0x40,
-			0x18, 0x79, 0xe6, 0x41, 0xae,
-		},
-	},
-	{
-		"p",
-		"s",
-		2, 1, 1,
-		[]byte{
-			0x48, 0xb0, 0xd2, 0xa8, 0xa3, 0x27, 0x26, 0x11, 0x98,
-			0x4c, 0x50, 0xeb, 0xd6, 0x30, 0xaf, 0x52,
-		},
-	},
-
-	{
-		"",
-		"",
-		16, 1, 1,
-		[]byte{
-			0x77, 0xd6, 0x57, 0x62, 0x38, 0x65, 0x7b, 0x20, 0x3b,
-			0x19, 0xca, 0x42, 0xc1, 0x8a, 0x04, 0x97, 0xf1, 0x6b,
-			0x48, 0x44, 0xe3, 0x07, 0x4a, 0xe8, 0xdf, 0xdf, 0xfa,
-			0x3f, 0xed, 0xe2, 0x14, 0x42, 0xfc, 0xd0, 0x06, 0x9d,
-			0xed, 0x09, 0x48, 0xf8, 0x32, 0x6a, 0x75, 0x3a, 0x0f,
-			0xc8, 0x1f, 0x17, 0xe8, 0xd3, 0xe0, 0xfb, 0x2e, 0x0d,
-			0x36, 0x28, 0xcf, 0x35, 0xe2, 0x0c, 0x38, 0xd1, 0x89,
-			0x06,
-		},
-	},
-	{
-		"password",
-		"NaCl",
-		1024, 8, 16,
-		[]byte{
-			0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00, 0x78,
-			0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe, 0x7c, 0x6a,
-			0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30, 0xe7, 0x73, 0x76,
-			0x63, 0x4b, 0x37, 0x31, 0x62, 0x2e, 0xaf, 0x30, 0xd9,
-			0x2e, 0x22, 0xa3, 0x88, 0x6f, 0xf1, 0x09, 0x27, 0x9d,
-			0x98, 0x30, 0xda, 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83,
-			0xee, 0x6d, 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06,
-			0x40,
-		},
-	},
-	{
-		"pleaseletmein", "SodiumChloride",
-		16384, 8, 1,
-		[]byte{
-			0x70, 0x23, 0xbd, 0xcb, 0x3a, 0xfd, 0x73, 0x48, 0x46,
-			0x1c, 0x06, 0xcd, 0x81, 0xfd, 0x38, 0xeb, 0xfd, 0xa8,
-			0xfb, 0xba, 0x90, 0x4f, 0x8e, 0x3e, 0xa9, 0xb5, 0x43,
-			0xf6, 0x54, 0x5d, 0xa1, 0xf2, 0xd5, 0x43, 0x29, 0x55,
-			0x61, 0x3f, 0x0f, 0xcf, 0x62, 0xd4, 0x97, 0x05, 0x24,
-			0x2a, 0x9a, 0xf9, 0xe6, 0x1e, 0x85, 0xdc, 0x0d, 0x65,
-			0x1e, 0x40, 0xdf, 0xcf, 0x01, 0x7b, 0x45, 0x57, 0x58,
-			0x87,
-		},
-	},
-	/*
-		// Disabled: needs 1 GiB RAM and takes too long for a simple test.
-		{
-			"pleaseletmein", "SodiumChloride",
-			1048576, 8, 1,
-			[]byte{
-				0x21, 0x01, 0xcb, 0x9b, 0x6a, 0x51, 0x1a, 0xae, 0xad,
-				0xdb, 0xbe, 0x09, 0xcf, 0x70, 0xf8, 0x81, 0xec, 0x56,
-				0x8d, 0x57, 0x4a, 0x2f, 0xfd, 0x4d, 0xab, 0xe5, 0xee,
-				0x98, 0x20, 0xad, 0xaa, 0x47, 0x8e, 0x56, 0xfd, 0x8f,
-				0x4b, 0xa5, 0xd0, 0x9f, 0xfa, 0x1c, 0x6d, 0x92, 0x7c,
-				0x40, 0xf4, 0xc3, 0x37, 0x30, 0x40, 0x49, 0xe8, 0xa9,
-				0x52, 0xfb, 0xcb, 0xf4, 0x5c, 0x6f, 0xa7, 0x7a, 0x41,
-				0xa4,
-			},
-		},
-	*/
-}
-
-var bad = []testVector{
-	{"p", "s", 0, 1, 1, nil},                    // N == 0
-	{"p", "s", 1, 1, 1, nil},                    // N == 1
-	{"p", "s", 7, 8, 1, nil},                    // N is not power of 2
-	{"p", "s", 16, maxInt / 2, maxInt / 2, nil}, // p * r too large
-}
-
-func TestKey(t *testing.T) {
-	for i, v := range good {
-		k, err := Key([]byte(v.password), []byte(v.salt), v.N, v.r, v.p, len(v.output))
-		if err != nil {
-			t.Errorf("%d: got unexpected error: %s", i, err)
-		}
-		if !bytes.Equal(k, v.output) {
-			t.Errorf("%d: expected %x, got %x", i, v.output, k)
-		}
-	}
-	for i, v := range bad {
-		_, err := Key([]byte(v.password), []byte(v.salt), v.N, v.r, v.p, 32)
-		if err == nil {
-			t.Errorf("%d: expected error, got nil", i)
-		}
-	}
-}
-
-var sink []byte
-
-func BenchmarkKey(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		sink, _ = Key([]byte("password"), []byte("salt"), 1<<15, 8, 1, 64)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/sha3/doc.go b/vendor/golang.org/x/crypto/sha3/doc.go
deleted file mode 100644
index a0ee3ae7..00000000
--- a/vendor/golang.org/x/crypto/sha3/doc.go
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package sha3 implements the SHA-3 fixed-output-length hash functions and
-// the SHAKE variable-output-length hash functions defined by FIPS-202.
-//
-// Both types of hash function use the "sponge" construction and the Keccak
-// permutation. For a detailed specification see http://keccak.noekeon.org/
-//
-//
-// Guidance
-//
-// If you aren't sure what function you need, use SHAKE256 with at least 64
-// bytes of output. The SHAKE instances are faster than the SHA3 instances;
-// the latter have to allocate memory to conform to the hash.Hash interface.
-//
-// If you need a secret-key MAC (message authentication code), prepend the
-// secret key to the input, hash with SHAKE256 and read at least 32 bytes of
-// output.
-//
-//
-// Security strengths
-//
-// The SHA3-x (x equals 224, 256, 384, or 512) functions have a security
-// strength against preimage attacks of x bits. Since they only produce "x"
-// bits of output, their collision-resistance is only "x/2" bits.
-//
-// The SHAKE-256 and -128 functions have a generic security strength of 256 and
-// 128 bits against all attacks, provided that at least 2x bits of their output
-// is used.  Requesting more than 64 or 32 bytes of output, respectively, does
-// not increase the collision-resistance of the SHAKE functions.
-//
-//
-// The sponge construction
-//
-// A sponge builds a pseudo-random function from a public pseudo-random
-// permutation, by applying the permutation to a state of "rate + capacity"
-// bytes, but hiding "capacity" of the bytes.
-//
-// A sponge starts out with a zero state. To hash an input using a sponge, up
-// to "rate" bytes of the input are XORed into the sponge's state. The sponge
-// is then "full" and the permutation is applied to "empty" it. This process is
-// repeated until all the input has been "absorbed". The input is then padded.
-// The digest is "squeezed" from the sponge in the same way, except that output
-// output is copied out instead of input being XORed in.
-//
-// A sponge is parameterized by its generic security strength, which is equal
-// to half its capacity; capacity + rate is equal to the permutation's width.
-// Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means
-// that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
-//
-//
-// Recommendations
-//
-// The SHAKE functions are recommended for most new uses. They can produce
-// output of arbitrary length. SHAKE256, with an output length of at least
-// 64 bytes, provides 256-bit security against all attacks.  The Keccak team
-// recommends it for most applications upgrading from SHA2-512. (NIST chose a
-// much stronger, but much slower, sponge instance for SHA3-512.)
-//
-// The SHA-3 functions are "drop-in" replacements for the SHA-2 functions.
-// They produce output of the same length, with the same security strengths
-// against all attacks. This means, in particular, that SHA3-256 only has
-// 128-bit collision resistance, because its output length is 32 bytes.
-package sha3 // import "golang.org/x/crypto/sha3"
diff --git a/vendor/golang.org/x/crypto/sha3/hashes.go b/vendor/golang.org/x/crypto/sha3/hashes.go
deleted file mode 100644
index 2b51cf4e..00000000
--- a/vendor/golang.org/x/crypto/sha3/hashes.go
+++ /dev/null
@@ -1,65 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package sha3
-
-// This file provides functions for creating instances of the SHA-3
-// and SHAKE hash functions, as well as utility functions for hashing
-// bytes.
-
-import (
-	"hash"
-)
-
-// New224 creates a new SHA3-224 hash.
-// Its generic security strength is 224 bits against preimage attacks,
-// and 112 bits against collision attacks.
-func New224() hash.Hash { return &state{rate: 144, outputLen: 28, dsbyte: 0x06} }
-
-// New256 creates a new SHA3-256 hash.
-// Its generic security strength is 256 bits against preimage attacks,
-// and 128 bits against collision attacks.
-func New256() hash.Hash { return &state{rate: 136, outputLen: 32, dsbyte: 0x06} }
-
-// New384 creates a new SHA3-384 hash.
-// Its generic security strength is 384 bits against preimage attacks,
-// and 192 bits against collision attacks.
-func New384() hash.Hash { return &state{rate: 104, outputLen: 48, dsbyte: 0x06} }
-
-// New512 creates a new SHA3-512 hash.
-// Its generic security strength is 512 bits against preimage attacks,
-// and 256 bits against collision attacks.
-func New512() hash.Hash { return &state{rate: 72, outputLen: 64, dsbyte: 0x06} }
-
-// Sum224 returns the SHA3-224 digest of the data.
-func Sum224(data []byte) (digest [28]byte) {
-	h := New224()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
-}
-
-// Sum256 returns the SHA3-256 digest of the data.
-func Sum256(data []byte) (digest [32]byte) {
-	h := New256()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
-}
-
-// Sum384 returns the SHA3-384 digest of the data.
-func Sum384(data []byte) (digest [48]byte) {
-	h := New384()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
-}
-
-// Sum512 returns the SHA3-512 digest of the data.
-func Sum512(data []byte) (digest [64]byte) {
-	h := New512()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
-}
diff --git a/vendor/golang.org/x/crypto/sha3/keccakf.go b/vendor/golang.org/x/crypto/sha3/keccakf.go
deleted file mode 100644
index 46d03ed3..00000000
--- a/vendor/golang.org/x/crypto/sha3/keccakf.go
+++ /dev/null
@@ -1,412 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//  +build !amd64 appengine gccgo
-
-package sha3
-
-// rc stores the round constants for use in the ι step.
-var rc = [24]uint64{
-	0x0000000000000001,
-	0x0000000000008082,
-	0x800000000000808A,
-	0x8000000080008000,
-	0x000000000000808B,
-	0x0000000080000001,
-	0x8000000080008081,
-	0x8000000000008009,
-	0x000000000000008A,
-	0x0000000000000088,
-	0x0000000080008009,
-	0x000000008000000A,
-	0x000000008000808B,
-	0x800000000000008B,
-	0x8000000000008089,
-	0x8000000000008003,
-	0x8000000000008002,
-	0x8000000000000080,
-	0x000000000000800A,
-	0x800000008000000A,
-	0x8000000080008081,
-	0x8000000000008080,
-	0x0000000080000001,
-	0x8000000080008008,
-}
-
-// keccakF1600 applies the Keccak permutation to a 1600b-wide
-// state represented as a slice of 25 uint64s.
-func keccakF1600(a *[25]uint64) {
-	// Implementation translated from Keccak-inplace.c
-	// in the keccak reference code.
-	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64
-
-	for i := 0; i < 24; i += 4 {
-		// Combines the 5 steps in each round into 2 steps.
-		// Unrolls 4 rounds per loop and spreads some steps across rounds.
-
-		// Round 1
-		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
-		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
-		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
-		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
-		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
-		d0 = bc4 ^ (bc1<<1 | bc1>>63)
-		d1 = bc0 ^ (bc2<<1 | bc2>>63)
-		d2 = bc1 ^ (bc3<<1 | bc3>>63)
-		d3 = bc2 ^ (bc4<<1 | bc4>>63)
-		d4 = bc3 ^ (bc0<<1 | bc0>>63)
-
-		bc0 = a[0] ^ d0
-		t = a[6] ^ d1
-		bc1 = t<<44 | t>>(64-44)
-		t = a[12] ^ d2
-		bc2 = t<<43 | t>>(64-43)
-		t = a[18] ^ d3
-		bc3 = t<<21 | t>>(64-21)
-		t = a[24] ^ d4
-		bc4 = t<<14 | t>>(64-14)
-		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i]
-		a[6] = bc1 ^ (bc3 &^ bc2)
-		a[12] = bc2 ^ (bc4 &^ bc3)
-		a[18] = bc3 ^ (bc0 &^ bc4)
-		a[24] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[10] ^ d0
-		bc2 = t<<3 | t>>(64-3)
-		t = a[16] ^ d1
-		bc3 = t<<45 | t>>(64-45)
-		t = a[22] ^ d2
-		bc4 = t<<61 | t>>(64-61)
-		t = a[3] ^ d3
-		bc0 = t<<28 | t>>(64-28)
-		t = a[9] ^ d4
-		bc1 = t<<20 | t>>(64-20)
-		a[10] = bc0 ^ (bc2 &^ bc1)
-		a[16] = bc1 ^ (bc3 &^ bc2)
-		a[22] = bc2 ^ (bc4 &^ bc3)
-		a[3] = bc3 ^ (bc0 &^ bc4)
-		a[9] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[20] ^ d0
-		bc4 = t<<18 | t>>(64-18)
-		t = a[1] ^ d1
-		bc0 = t<<1 | t>>(64-1)
-		t = a[7] ^ d2
-		bc1 = t<<6 | t>>(64-6)
-		t = a[13] ^ d3
-		bc2 = t<<25 | t>>(64-25)
-		t = a[19] ^ d4
-		bc3 = t<<8 | t>>(64-8)
-		a[20] = bc0 ^ (bc2 &^ bc1)
-		a[1] = bc1 ^ (bc3 &^ bc2)
-		a[7] = bc2 ^ (bc4 &^ bc3)
-		a[13] = bc3 ^ (bc0 &^ bc4)
-		a[19] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[5] ^ d0
-		bc1 = t<<36 | t>>(64-36)
-		t = a[11] ^ d1
-		bc2 = t<<10 | t>>(64-10)
-		t = a[17] ^ d2
-		bc3 = t<<15 | t>>(64-15)
-		t = a[23] ^ d3
-		bc4 = t<<56 | t>>(64-56)
-		t = a[4] ^ d4
-		bc0 = t<<27 | t>>(64-27)
-		a[5] = bc0 ^ (bc2 &^ bc1)
-		a[11] = bc1 ^ (bc3 &^ bc2)
-		a[17] = bc2 ^ (bc4 &^ bc3)
-		a[23] = bc3 ^ (bc0 &^ bc4)
-		a[4] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[15] ^ d0
-		bc3 = t<<41 | t>>(64-41)
-		t = a[21] ^ d1
-		bc4 = t<<2 | t>>(64-2)
-		t = a[2] ^ d2
-		bc0 = t<<62 | t>>(64-62)
-		t = a[8] ^ d3
-		bc1 = t<<55 | t>>(64-55)
-		t = a[14] ^ d4
-		bc2 = t<<39 | t>>(64-39)
-		a[15] = bc0 ^ (bc2 &^ bc1)
-		a[21] = bc1 ^ (bc3 &^ bc2)
-		a[2] = bc2 ^ (bc4 &^ bc3)
-		a[8] = bc3 ^ (bc0 &^ bc4)
-		a[14] = bc4 ^ (bc1 &^ bc0)
-
-		// Round 2
-		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
-		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
-		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
-		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
-		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
-		d0 = bc4 ^ (bc1<<1 | bc1>>63)
-		d1 = bc0 ^ (bc2<<1 | bc2>>63)
-		d2 = bc1 ^ (bc3<<1 | bc3>>63)
-		d3 = bc2 ^ (bc4<<1 | bc4>>63)
-		d4 = bc3 ^ (bc0<<1 | bc0>>63)
-
-		bc0 = a[0] ^ d0
-		t = a[16] ^ d1
-		bc1 = t<<44 | t>>(64-44)
-		t = a[7] ^ d2
-		bc2 = t<<43 | t>>(64-43)
-		t = a[23] ^ d3
-		bc3 = t<<21 | t>>(64-21)
-		t = a[14] ^ d4
-		bc4 = t<<14 | t>>(64-14)
-		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1]
-		a[16] = bc1 ^ (bc3 &^ bc2)
-		a[7] = bc2 ^ (bc4 &^ bc3)
-		a[23] = bc3 ^ (bc0 &^ bc4)
-		a[14] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[20] ^ d0
-		bc2 = t<<3 | t>>(64-3)
-		t = a[11] ^ d1
-		bc3 = t<<45 | t>>(64-45)
-		t = a[2] ^ d2
-		bc4 = t<<61 | t>>(64-61)
-		t = a[18] ^ d3
-		bc0 = t<<28 | t>>(64-28)
-		t = a[9] ^ d4
-		bc1 = t<<20 | t>>(64-20)
-		a[20] = bc0 ^ (bc2 &^ bc1)
-		a[11] = bc1 ^ (bc3 &^ bc2)
-		a[2] = bc2 ^ (bc4 &^ bc3)
-		a[18] = bc3 ^ (bc0 &^ bc4)
-		a[9] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[15] ^ d0
-		bc4 = t<<18 | t>>(64-18)
-		t = a[6] ^ d1
-		bc0 = t<<1 | t>>(64-1)
-		t = a[22] ^ d2
-		bc1 = t<<6 | t>>(64-6)
-		t = a[13] ^ d3
-		bc2 = t<<25 | t>>(64-25)
-		t = a[4] ^ d4
-		bc3 = t<<8 | t>>(64-8)
-		a[15] = bc0 ^ (bc2 &^ bc1)
-		a[6] = bc1 ^ (bc3 &^ bc2)
-		a[22] = bc2 ^ (bc4 &^ bc3)
-		a[13] = bc3 ^ (bc0 &^ bc4)
-		a[4] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[10] ^ d0
-		bc1 = t<<36 | t>>(64-36)
-		t = a[1] ^ d1
-		bc2 = t<<10 | t>>(64-10)
-		t = a[17] ^ d2
-		bc3 = t<<15 | t>>(64-15)
-		t = a[8] ^ d3
-		bc4 = t<<56 | t>>(64-56)
-		t = a[24] ^ d4
-		bc0 = t<<27 | t>>(64-27)
-		a[10] = bc0 ^ (bc2 &^ bc1)
-		a[1] = bc1 ^ (bc3 &^ bc2)
-		a[17] = bc2 ^ (bc4 &^ bc3)
-		a[8] = bc3 ^ (bc0 &^ bc4)
-		a[24] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[5] ^ d0
-		bc3 = t<<41 | t>>(64-41)
-		t = a[21] ^ d1
-		bc4 = t<<2 | t>>(64-2)
-		t = a[12] ^ d2
-		bc0 = t<<62 | t>>(64-62)
-		t = a[3] ^ d3
-		bc1 = t<<55 | t>>(64-55)
-		t = a[19] ^ d4
-		bc2 = t<<39 | t>>(64-39)
-		a[5] = bc0 ^ (bc2 &^ bc1)
-		a[21] = bc1 ^ (bc3 &^ bc2)
-		a[12] = bc2 ^ (bc4 &^ bc3)
-		a[3] = bc3 ^ (bc0 &^ bc4)
-		a[19] = bc4 ^ (bc1 &^ bc0)
-
-		// Round 3
-		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
-		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
-		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
-		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
-		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
-		d0 = bc4 ^ (bc1<<1 | bc1>>63)
-		d1 = bc0 ^ (bc2<<1 | bc2>>63)
-		d2 = bc1 ^ (bc3<<1 | bc3>>63)
-		d3 = bc2 ^ (bc4<<1 | bc4>>63)
-		d4 = bc3 ^ (bc0<<1 | bc0>>63)
-
-		bc0 = a[0] ^ d0
-		t = a[11] ^ d1
-		bc1 = t<<44 | t>>(64-44)
-		t = a[22] ^ d2
-		bc2 = t<<43 | t>>(64-43)
-		t = a[8] ^ d3
-		bc3 = t<<21 | t>>(64-21)
-		t = a[19] ^ d4
-		bc4 = t<<14 | t>>(64-14)
-		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2]
-		a[11] = bc1 ^ (bc3 &^ bc2)
-		a[22] = bc2 ^ (bc4 &^ bc3)
-		a[8] = bc3 ^ (bc0 &^ bc4)
-		a[19] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[15] ^ d0
-		bc2 = t<<3 | t>>(64-3)
-		t = a[1] ^ d1
-		bc3 = t<<45 | t>>(64-45)
-		t = a[12] ^ d2
-		bc4 = t<<61 | t>>(64-61)
-		t = a[23] ^ d3
-		bc0 = t<<28 | t>>(64-28)
-		t = a[9] ^ d4
-		bc1 = t<<20 | t>>(64-20)
-		a[15] = bc0 ^ (bc2 &^ bc1)
-		a[1] = bc1 ^ (bc3 &^ bc2)
-		a[12] = bc2 ^ (bc4 &^ bc3)
-		a[23] = bc3 ^ (bc0 &^ bc4)
-		a[9] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[5] ^ d0
-		bc4 = t<<18 | t>>(64-18)
-		t = a[16] ^ d1
-		bc0 = t<<1 | t>>(64-1)
-		t = a[2] ^ d2
-		bc1 = t<<6 | t>>(64-6)
-		t = a[13] ^ d3
-		bc2 = t<<25 | t>>(64-25)
-		t = a[24] ^ d4
-		bc3 = t<<8 | t>>(64-8)
-		a[5] = bc0 ^ (bc2 &^ bc1)
-		a[16] = bc1 ^ (bc3 &^ bc2)
-		a[2] = bc2 ^ (bc4 &^ bc3)
-		a[13] = bc3 ^ (bc0 &^ bc4)
-		a[24] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[20] ^ d0
-		bc1 = t<<36 | t>>(64-36)
-		t = a[6] ^ d1
-		bc2 = t<<10 | t>>(64-10)
-		t = a[17] ^ d2
-		bc3 = t<<15 | t>>(64-15)
-		t = a[3] ^ d3
-		bc4 = t<<56 | t>>(64-56)
-		t = a[14] ^ d4
-		bc0 = t<<27 | t>>(64-27)
-		a[20] = bc0 ^ (bc2 &^ bc1)
-		a[6] = bc1 ^ (bc3 &^ bc2)
-		a[17] = bc2 ^ (bc4 &^ bc3)
-		a[3] = bc3 ^ (bc0 &^ bc4)
-		a[14] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[10] ^ d0
-		bc3 = t<<41 | t>>(64-41)
-		t = a[21] ^ d1
-		bc4 = t<<2 | t>>(64-2)
-		t = a[7] ^ d2
-		bc0 = t<<62 | t>>(64-62)
-		t = a[18] ^ d3
-		bc1 = t<<55 | t>>(64-55)
-		t = a[4] ^ d4
-		bc2 = t<<39 | t>>(64-39)
-		a[10] = bc0 ^ (bc2 &^ bc1)
-		a[21] = bc1 ^ (bc3 &^ bc2)
-		a[7] = bc2 ^ (bc4 &^ bc3)
-		a[18] = bc3 ^ (bc0 &^ bc4)
-		a[4] = bc4 ^ (bc1 &^ bc0)
-
-		// Round 4
-		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
-		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
-		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
-		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
-		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
-		d0 = bc4 ^ (bc1<<1 | bc1>>63)
-		d1 = bc0 ^ (bc2<<1 | bc2>>63)
-		d2 = bc1 ^ (bc3<<1 | bc3>>63)
-		d3 = bc2 ^ (bc4<<1 | bc4>>63)
-		d4 = bc3 ^ (bc0<<1 | bc0>>63)
-
-		bc0 = a[0] ^ d0
-		t = a[1] ^ d1
-		bc1 = t<<44 | t>>(64-44)
-		t = a[2] ^ d2
-		bc2 = t<<43 | t>>(64-43)
-		t = a[3] ^ d3
-		bc3 = t<<21 | t>>(64-21)
-		t = a[4] ^ d4
-		bc4 = t<<14 | t>>(64-14)
-		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3]
-		a[1] = bc1 ^ (bc3 &^ bc2)
-		a[2] = bc2 ^ (bc4 &^ bc3)
-		a[3] = bc3 ^ (bc0 &^ bc4)
-		a[4] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[5] ^ d0
-		bc2 = t<<3 | t>>(64-3)
-		t = a[6] ^ d1
-		bc3 = t<<45 | t>>(64-45)
-		t = a[7] ^ d2
-		bc4 = t<<61 | t>>(64-61)
-		t = a[8] ^ d3
-		bc0 = t<<28 | t>>(64-28)
-		t = a[9] ^ d4
-		bc1 = t<<20 | t>>(64-20)
-		a[5] = bc0 ^ (bc2 &^ bc1)
-		a[6] = bc1 ^ (bc3 &^ bc2)
-		a[7] = bc2 ^ (bc4 &^ bc3)
-		a[8] = bc3 ^ (bc0 &^ bc4)
-		a[9] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[10] ^ d0
-		bc4 = t<<18 | t>>(64-18)
-		t = a[11] ^ d1
-		bc0 = t<<1 | t>>(64-1)
-		t = a[12] ^ d2
-		bc1 = t<<6 | t>>(64-6)
-		t = a[13] ^ d3
-		bc2 = t<<25 | t>>(64-25)
-		t = a[14] ^ d4
-		bc3 = t<<8 | t>>(64-8)
-		a[10] = bc0 ^ (bc2 &^ bc1)
-		a[11] = bc1 ^ (bc3 &^ bc2)
-		a[12] = bc2 ^ (bc4 &^ bc3)
-		a[13] = bc3 ^ (bc0 &^ bc4)
-		a[14] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[15] ^ d0
-		bc1 = t<<36 | t>>(64-36)
-		t = a[16] ^ d1
-		bc2 = t<<10 | t>>(64-10)
-		t = a[17] ^ d2
-		bc3 = t<<15 | t>>(64-15)
-		t = a[18] ^ d3
-		bc4 = t<<56 | t>>(64-56)
-		t = a[19] ^ d4
-		bc0 = t<<27 | t>>(64-27)
-		a[15] = bc0 ^ (bc2 &^ bc1)
-		a[16] = bc1 ^ (bc3 &^ bc2)
-		a[17] = bc2 ^ (bc4 &^ bc3)
-		a[18] = bc3 ^ (bc0 &^ bc4)
-		a[19] = bc4 ^ (bc1 &^ bc0)
-
-		t = a[20] ^ d0
-		bc3 = t<<41 | t>>(64-41)
-		t = a[21] ^ d1
-		bc4 = t<<2 | t>>(64-2)
-		t = a[22] ^ d2
-		bc0 = t<<62 | t>>(64-62)
-		t = a[23] ^ d3
-		bc1 = t<<55 | t>>(64-55)
-		t = a[24] ^ d4
-		bc2 = t<<39 | t>>(64-39)
-		a[20] = bc0 ^ (bc2 &^ bc1)
-		a[21] = bc1 ^ (bc3 &^ bc2)
-		a[22] = bc2 ^ (bc4 &^ bc3)
-		a[23] = bc3 ^ (bc0 &^ bc4)
-		a[24] = bc4 ^ (bc1 &^ bc0)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go b/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
deleted file mode 100644
index 78867958..00000000
--- a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
+++ /dev/null
@@ -1,13 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!appengine,!gccgo
-
-package sha3
-
-// This function is implemented in keccakf_amd64.s.
-
-//go:noescape
-
-func keccakF1600(a *[25]uint64)
diff --git a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s b/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
deleted file mode 100644
index f88533ac..00000000
--- a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
+++ /dev/null
@@ -1,390 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!appengine,!gccgo
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources at https://github.com/gvanas/KeccakCodePackage
-
-// Offsets in state
-#define _ba  (0*8)
-#define _be  (1*8)
-#define _bi  (2*8)
-#define _bo  (3*8)
-#define _bu  (4*8)
-#define _ga  (5*8)
-#define _ge  (6*8)
-#define _gi  (7*8)
-#define _go  (8*8)
-#define _gu  (9*8)
-#define _ka (10*8)
-#define _ke (11*8)
-#define _ki (12*8)
-#define _ko (13*8)
-#define _ku (14*8)
-#define _ma (15*8)
-#define _me (16*8)
-#define _mi (17*8)
-#define _mo (18*8)
-#define _mu (19*8)
-#define _sa (20*8)
-#define _se (21*8)
-#define _si (22*8)
-#define _so (23*8)
-#define _su (24*8)
-
-// Temporary registers
-#define rT1  AX
-
-// Round vars
-#define rpState DI
-#define rpStack SP
-
-#define rDa BX
-#define rDe CX
-#define rDi DX
-#define rDo R8
-#define rDu R9
-
-#define rBa R10
-#define rBe R11
-#define rBi R12
-#define rBo R13
-#define rBu R14
-
-#define rCa SI
-#define rCe BP
-#define rCi rBi
-#define rCo rBo
-#define rCu R15
-
-#define MOVQ_RBI_RCE MOVQ rBi, rCe
-#define XORQ_RT1_RCA XORQ rT1, rCa
-#define XORQ_RT1_RCE XORQ rT1, rCe
-#define XORQ_RBA_RCU XORQ rBa, rCu
-#define XORQ_RBE_RCU XORQ rBe, rCu
-#define XORQ_RDU_RCU XORQ rDu, rCu
-#define XORQ_RDA_RCA XORQ rDa, rCa
-#define XORQ_RDE_RCE XORQ rDe, rCe
-
-#define mKeccakRound(iState, oState, rc, B_RBI_RCE, G_RT1_RCA, G_RT1_RCE, G_RBA_RCU, K_RT1_RCA, K_RT1_RCE, K_RBA_RCU, M_RT1_RCA, M_RT1_RCE, M_RBE_RCU, S_RDU_RCU, S_RDA_RCA, S_RDE_RCE) \
-	/* Prepare round */    \
-	MOVQ rCe, rDa;         \
-	ROLQ $1, rDa;          \
-	                       \
-	MOVQ _bi(iState), rCi; \
-	XORQ _gi(iState), rDi; \
-	XORQ rCu, rDa;         \
-	XORQ _ki(iState), rCi; \
-	XORQ _mi(iState), rDi; \
-	XORQ rDi, rCi;         \
-	                       \
-	MOVQ rCi, rDe;         \
-	ROLQ $1, rDe;          \
-	                       \
-	MOVQ _bo(iState), rCo; \
-	XORQ _go(iState), rDo; \
-	XORQ rCa, rDe;         \
-	XORQ _ko(iState), rCo; \
-	XORQ _mo(iState), rDo; \
-	XORQ rDo, rCo;         \
-	                       \
-	MOVQ rCo, rDi;         \
-	ROLQ $1, rDi;          \
-	                       \
-	MOVQ rCu, rDo;         \
-	XORQ rCe, rDi;         \
-	ROLQ $1, rDo;          \
-	                       \
-	MOVQ rCa, rDu;         \
-	XORQ rCi, rDo;         \
-	ROLQ $1, rDu;          \
-	                       \
-	/* Result b */         \
-	MOVQ _ba(iState), rBa; \
-	MOVQ _ge(iState), rBe; \
-	XORQ rCo, rDu;         \
-	MOVQ _ki(iState), rBi; \
-	MOVQ _mo(iState), rBo; \
-	MOVQ _su(iState), rBu; \
-	XORQ rDe, rBe;         \
-	ROLQ $44, rBe;         \
-	XORQ rDi, rBi;         \
-	XORQ rDa, rBa;         \
-	ROLQ $43, rBi;         \
-	                       \
-	MOVQ rBe, rCa;         \
-	MOVQ rc, rT1;          \
-	ORQ  rBi, rCa;         \
-	XORQ rBa, rT1;         \
-	XORQ rT1, rCa;         \
-	MOVQ rCa, _ba(oState); \
-	                       \
-	XORQ rDu, rBu;         \
-	ROLQ $14, rBu;         \
-	MOVQ rBa, rCu;         \
-	ANDQ rBe, rCu;         \
-	XORQ rBu, rCu;         \
-	MOVQ rCu, _bu(oState); \
-	                       \
-	XORQ rDo, rBo;         \
-	ROLQ $21, rBo;         \
-	MOVQ rBo, rT1;         \
-	ANDQ rBu, rT1;         \
-	XORQ rBi, rT1;         \
-	MOVQ rT1, _bi(oState); \
-	                       \
-	NOTQ rBi;              \
-	ORQ  rBa, rBu;         \
-	ORQ  rBo, rBi;         \
-	XORQ rBo, rBu;         \
-	XORQ rBe, rBi;         \
-	MOVQ rBu, _bo(oState); \
-	MOVQ rBi, _be(oState); \
-	B_RBI_RCE;             \
-	                       \
-	/* Result g */         \
-	MOVQ _gu(iState), rBe; \
-	XORQ rDu, rBe;         \
-	MOVQ _ka(iState), rBi; \
-	ROLQ $20, rBe;         \
-	XORQ rDa, rBi;         \
-	ROLQ $3, rBi;          \
-	MOVQ _bo(iState), rBa; \
-	MOVQ rBe, rT1;         \
-	ORQ  rBi, rT1;         \
-	XORQ rDo, rBa;         \
-	MOVQ _me(iState), rBo; \
-	MOVQ _si(iState), rBu; \
-	ROLQ $28, rBa;         \
-	XORQ rBa, rT1;         \
-	MOVQ rT1, _ga(oState); \
-	G_RT1_RCA;             \
-	                       \
-	XORQ rDe, rBo;         \
-	ROLQ $45, rBo;         \
-	MOVQ rBi, rT1;         \
-	ANDQ rBo, rT1;         \
-	XORQ rBe, rT1;         \
-	MOVQ rT1, _ge(oState); \
-	G_RT1_RCE;             \
-	                       \
-	XORQ rDi, rBu;         \
-	ROLQ $61, rBu;         \
-	MOVQ rBu, rT1;         \
-	ORQ  rBa, rT1;         \
-	XORQ rBo, rT1;         \
-	MOVQ rT1, _go(oState); \
-	                       \
-	ANDQ rBe, rBa;         \
-	XORQ rBu, rBa;         \
-	MOVQ rBa, _gu(oState); \
-	NOTQ rBu;              \
-	G_RBA_RCU;             \
-	                       \
-	ORQ  rBu, rBo;         \
-	XORQ rBi, rBo;         \
-	MOVQ rBo, _gi(oState); \
-	                       \
-	/* Result k */         \
-	MOVQ _be(iState), rBa; \
-	MOVQ _gi(iState), rBe; \
-	MOVQ _ko(iState), rBi; \
-	MOVQ _mu(iState), rBo; \
-	MOVQ _sa(iState), rBu; \
-	XORQ rDi, rBe;         \
-	ROLQ $6, rBe;          \
-	XORQ rDo, rBi;         \
-	ROLQ $25, rBi;         \
-	MOVQ rBe, rT1;         \
-	ORQ  rBi, rT1;         \
-	XORQ rDe, rBa;         \
-	ROLQ $1, rBa;          \
-	XORQ rBa, rT1;         \
-	MOVQ rT1, _ka(oState); \
-	K_RT1_RCA;             \
-	                       \
-	XORQ rDu, rBo;         \
-	ROLQ $8, rBo;          \
-	MOVQ rBi, rT1;         \
-	ANDQ rBo, rT1;         \
-	XORQ rBe, rT1;         \
-	MOVQ rT1, _ke(oState); \
-	K_RT1_RCE;             \
-	                       \
-	XORQ rDa, rBu;         \
-	ROLQ $18, rBu;         \
-	NOTQ rBo;              \
-	MOVQ rBo, rT1;         \
-	ANDQ rBu, rT1;         \
-	XORQ rBi, rT1;         \
-	MOVQ rT1, _ki(oState); \
-	                       \
-	MOVQ rBu, rT1;         \
-	ORQ  rBa, rT1;         \
-	XORQ rBo, rT1;         \
-	MOVQ rT1, _ko(oState); \
-	                       \
-	ANDQ rBe, rBa;         \
-	XORQ rBu, rBa;         \
-	MOVQ rBa, _ku(oState); \
-	K_RBA_RCU;             \
-	                       \
-	/* Result m */         \
-	MOVQ _ga(iState), rBe; \
-	XORQ rDa, rBe;         \
-	MOVQ _ke(iState), rBi; \
-	ROLQ $36, rBe;         \
-	XORQ rDe, rBi;         \
-	MOVQ _bu(iState), rBa; \
-	ROLQ $10, rBi;         \
-	MOVQ rBe, rT1;         \
-	MOVQ _mi(iState), rBo; \
-	ANDQ rBi, rT1;         \
-	XORQ rDu, rBa;         \
-	MOVQ _so(iState), rBu; \
-	ROLQ $27, rBa;         \
-	XORQ rBa, rT1;         \
-	MOVQ rT1, _ma(oState); \
-	M_RT1_RCA;             \
-	                       \
-	XORQ rDi, rBo;         \
-	ROLQ $15, rBo;         \
-	MOVQ rBi, rT1;         \
-	ORQ  rBo, rT1;         \
-	XORQ rBe, rT1;         \
-	MOVQ rT1, _me(oState); \
-	M_RT1_RCE;             \
-	                       \
-	XORQ rDo, rBu;         \
-	ROLQ $56, rBu;         \
-	NOTQ rBo;              \
-	MOVQ rBo, rT1;         \
-	ORQ  rBu, rT1;         \
-	XORQ rBi, rT1;         \
-	MOVQ rT1, _mi(oState); \
-	                       \
-	ORQ  rBa, rBe;         \
-	XORQ rBu, rBe;         \
-	MOVQ rBe, _mu(oState); \
-	                       \
-	ANDQ rBa, rBu;         \
-	XORQ rBo, rBu;         \
-	MOVQ rBu, _mo(oState); \
-	M_RBE_RCU;             \
-	                       \
-	/* Result s */         \
-	MOVQ _bi(iState), rBa; \
-	MOVQ _go(iState), rBe; \
-	MOVQ _ku(iState), rBi; \
-	XORQ rDi, rBa;         \
-	MOVQ _ma(iState), rBo; \
-	ROLQ $62, rBa;         \
-	XORQ rDo, rBe;         \
-	MOVQ _se(iState), rBu; \
-	ROLQ $55, rBe;         \
-	                       \
-	XORQ rDu, rBi;         \
-	MOVQ rBa, rDu;         \
-	XORQ rDe, rBu;         \
-	ROLQ $2, rBu;          \
-	ANDQ rBe, rDu;         \
-	XORQ rBu, rDu;         \
-	MOVQ rDu, _su(oState); \
-	                       \
-	ROLQ $39, rBi;         \
-	S_RDU_RCU;             \
-	NOTQ rBe;              \
-	XORQ rDa, rBo;         \
-	MOVQ rBe, rDa;         \
-	ANDQ rBi, rDa;         \
-	XORQ rBa, rDa;         \
-	MOVQ rDa, _sa(oState); \
-	S_RDA_RCA;             \
-	                       \
-	ROLQ $41, rBo;         \
-	MOVQ rBi, rDe;         \
-	ORQ  rBo, rDe;         \
-	XORQ rBe, rDe;         \
-	MOVQ rDe, _se(oState); \
-	S_RDE_RCE;             \
-	                       \
-	MOVQ rBo, rDi;         \
-	MOVQ rBu, rDo;         \
-	ANDQ rBu, rDi;         \
-	ORQ  rBa, rDo;         \
-	XORQ rBi, rDi;         \
-	XORQ rBo, rDo;         \
-	MOVQ rDi, _si(oState); \
-	MOVQ rDo, _so(oState)  \
-
-// func keccakF1600(state *[25]uint64)
-TEXT ·keccakF1600(SB), 0, $200-8
-	MOVQ state+0(FP), rpState
-
-	// Convert the user state into an internal state
-	NOTQ _be(rpState)
-	NOTQ _bi(rpState)
-	NOTQ _go(rpState)
-	NOTQ _ki(rpState)
-	NOTQ _mi(rpState)
-	NOTQ _sa(rpState)
-
-	// Execute the KeccakF permutation
-	MOVQ _ba(rpState), rCa
-	MOVQ _be(rpState), rCe
-	MOVQ _bu(rpState), rCu
-
-	XORQ _ga(rpState), rCa
-	XORQ _ge(rpState), rCe
-	XORQ _gu(rpState), rCu
-
-	XORQ _ka(rpState), rCa
-	XORQ _ke(rpState), rCe
-	XORQ _ku(rpState), rCu
-
-	XORQ _ma(rpState), rCa
-	XORQ _me(rpState), rCe
-	XORQ _mu(rpState), rCu
-
-	XORQ _sa(rpState), rCa
-	XORQ _se(rpState), rCe
-	MOVQ _si(rpState), rDi
-	MOVQ _so(rpState), rDo
-	XORQ _su(rpState), rCu
-
-	mKeccakRound(rpState, rpStack, $0x0000000000000001, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x0000000000008082, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x800000000000808a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x8000000080008000, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x000000000000808b, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x0000000080000001, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x8000000080008081, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x8000000000008009, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x000000000000008a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x0000000000000088, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x0000000080008009, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x000000008000000a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x000000008000808b, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x800000000000008b, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x8000000000008089, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x8000000000008003, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x8000000000008002, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x8000000000000080, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x000000000000800a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x800000008000000a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x8000000080008081, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x8000000000008080, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpState, rpStack, $0x0000000080000001, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	mKeccakRound(rpStack, rpState, $0x8000000080008008, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP)
-
-	// Revert the internal state to the user state
-	NOTQ _be(rpState)
-	NOTQ _bi(rpState)
-	NOTQ _go(rpState)
-	NOTQ _ki(rpState)
-	NOTQ _mi(rpState)
-	NOTQ _sa(rpState)
-
-	RET
diff --git a/vendor/golang.org/x/crypto/sha3/register.go b/vendor/golang.org/x/crypto/sha3/register.go
deleted file mode 100644
index 3cf6a22e..00000000
--- a/vendor/golang.org/x/crypto/sha3/register.go
+++ /dev/null
@@ -1,18 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.4
-
-package sha3
-
-import (
-	"crypto"
-)
-
-func init() {
-	crypto.RegisterHash(crypto.SHA3_224, New224)
-	crypto.RegisterHash(crypto.SHA3_256, New256)
-	crypto.RegisterHash(crypto.SHA3_384, New384)
-	crypto.RegisterHash(crypto.SHA3_512, New512)
-}
diff --git a/vendor/golang.org/x/crypto/sha3/sha3.go b/vendor/golang.org/x/crypto/sha3/sha3.go
deleted file mode 100644
index b12a35c8..00000000
--- a/vendor/golang.org/x/crypto/sha3/sha3.go
+++ /dev/null
@@ -1,192 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package sha3
-
-// spongeDirection indicates the direction bytes are flowing through the sponge.
-type spongeDirection int
-
-const (
-	// spongeAbsorbing indicates that the sponge is absorbing input.
-	spongeAbsorbing spongeDirection = iota
-	// spongeSqueezing indicates that the sponge is being squeezed.
-	spongeSqueezing
-)
-
-const (
-	// maxRate is the maximum size of the internal buffer. SHAKE-256
-	// currently needs the largest buffer.
-	maxRate = 168
-)
-
-type state struct {
-	// Generic sponge components.
-	a    [25]uint64 // main state of the hash
-	buf  []byte     // points into storage
-	rate int        // the number of bytes of state to use
-
-	// dsbyte contains the "domain separation" bits and the first bit of
-	// the padding. Sections 6.1 and 6.2 of [1] separate the outputs of the
-	// SHA-3 and SHAKE functions by appending bitstrings to the message.
-	// Using a little-endian bit-ordering convention, these are "01" for SHA-3
-	// and "1111" for SHAKE, or 00000010b and 00001111b, respectively. Then the
-	// padding rule from section 5.1 is applied to pad the message to a multiple
-	// of the rate, which involves adding a "1" bit, zero or more "0" bits, and
-	// a final "1" bit. We merge the first "1" bit from the padding into dsbyte,
-	// giving 00000110b (0x06) and 00011111b (0x1f).
-	// [1] http://csrc.nist.gov/publications/drafts/fips-202/fips_202_draft.pdf
-	//     "Draft FIPS 202: SHA-3 Standard: Permutation-Based Hash and
-	//      Extendable-Output Functions (May 2014)"
-	dsbyte  byte
-	storage [maxRate]byte
-
-	// Specific to SHA-3 and SHAKE.
-	outputLen int             // the default output size in bytes
-	state     spongeDirection // whether the sponge is absorbing or squeezing
-}
-
-// BlockSize returns the rate of sponge underlying this hash function.
-func (d *state) BlockSize() int { return d.rate }
-
-// Size returns the output size of the hash function in bytes.
-func (d *state) Size() int { return d.outputLen }
-
-// Reset clears the internal state by zeroing the sponge state and
-// the byte buffer, and setting Sponge.state to absorbing.
-func (d *state) Reset() {
-	// Zero the permutation's state.
-	for i := range d.a {
-		d.a[i] = 0
-	}
-	d.state = spongeAbsorbing
-	d.buf = d.storage[:0]
-}
-
-func (d *state) clone() *state {
-	ret := *d
-	if ret.state == spongeAbsorbing {
-		ret.buf = ret.storage[:len(ret.buf)]
-	} else {
-		ret.buf = ret.storage[d.rate-cap(d.buf) : d.rate]
-	}
-
-	return &ret
-}
-
-// permute applies the KeccakF-1600 permutation. It handles
-// any input-output buffering.
-func (d *state) permute() {
-	switch d.state {
-	case spongeAbsorbing:
-		// If we're absorbing, we need to xor the input into the state
-		// before applying the permutation.
-		xorIn(d, d.buf)
-		d.buf = d.storage[:0]
-		keccakF1600(&d.a)
-	case spongeSqueezing:
-		// If we're squeezing, we need to apply the permutatin before
-		// copying more output.
-		keccakF1600(&d.a)
-		d.buf = d.storage[:d.rate]
-		copyOut(d, d.buf)
-	}
-}
-
-// pads appends the domain separation bits in dsbyte, applies
-// the multi-bitrate 10..1 padding rule, and permutes the state.
-func (d *state) padAndPermute(dsbyte byte) {
-	if d.buf == nil {
-		d.buf = d.storage[:0]
-	}
-	// Pad with this instance's domain-separator bits. We know that there's
-	// at least one byte of space in d.buf because, if it were full,
-	// permute would have been called to empty it. dsbyte also contains the
-	// first one bit for the padding. See the comment in the state struct.
-	d.buf = append(d.buf, dsbyte)
-	zerosStart := len(d.buf)
-	d.buf = d.storage[:d.rate]
-	for i := zerosStart; i < d.rate; i++ {
-		d.buf[i] = 0
-	}
-	// This adds the final one bit for the padding. Because of the way that
-	// bits are numbered from the LSB upwards, the final bit is the MSB of
-	// the last byte.
-	d.buf[d.rate-1] ^= 0x80
-	// Apply the permutation
-	d.permute()
-	d.state = spongeSqueezing
-	d.buf = d.storage[:d.rate]
-	copyOut(d, d.buf)
-}
-
-// Write absorbs more data into the hash's state. It produces an error
-// if more data is written to the ShakeHash after writing
-func (d *state) Write(p []byte) (written int, err error) {
-	if d.state != spongeAbsorbing {
-		panic("sha3: write to sponge after read")
-	}
-	if d.buf == nil {
-		d.buf = d.storage[:0]
-	}
-	written = len(p)
-
-	for len(p) > 0 {
-		if len(d.buf) == 0 && len(p) >= d.rate {
-			// The fast path; absorb a full "rate" bytes of input and apply the permutation.
-			xorIn(d, p[:d.rate])
-			p = p[d.rate:]
-			keccakF1600(&d.a)
-		} else {
-			// The slow path; buffer the input until we can fill the sponge, and then xor it in.
-			todo := d.rate - len(d.buf)
-			if todo > len(p) {
-				todo = len(p)
-			}
-			d.buf = append(d.buf, p[:todo]...)
-			p = p[todo:]
-
-			// If the sponge is full, apply the permutation.
-			if len(d.buf) == d.rate {
-				d.permute()
-			}
-		}
-	}
-
-	return
-}
-
-// Read squeezes an arbitrary number of bytes from the sponge.
-func (d *state) Read(out []byte) (n int, err error) {
-	// If we're still absorbing, pad and apply the permutation.
-	if d.state == spongeAbsorbing {
-		d.padAndPermute(d.dsbyte)
-	}
-
-	n = len(out)
-
-	// Now, do the squeezing.
-	for len(out) > 0 {
-		n := copy(out, d.buf)
-		d.buf = d.buf[n:]
-		out = out[n:]
-
-		// Apply the permutation if we've squeezed the sponge dry.
-		if len(d.buf) == 0 {
-			d.permute()
-		}
-	}
-
-	return
-}
-
-// Sum applies padding to the hash state and then squeezes out the desired
-// number of output bytes.
-func (d *state) Sum(in []byte) []byte {
-	// Make a copy of the original hash so that caller can keep writing
-	// and summing.
-	dup := d.clone()
-	hash := make([]byte, dup.outputLen)
-	dup.Read(hash)
-	return append(in, hash...)
-}
diff --git a/vendor/golang.org/x/crypto/sha3/sha3_test.go b/vendor/golang.org/x/crypto/sha3/sha3_test.go
deleted file mode 100644
index 2c8719b4..00000000
--- a/vendor/golang.org/x/crypto/sha3/sha3_test.go
+++ /dev/null
@@ -1,311 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package sha3
-
-// Tests include all the ShortMsgKATs provided by the Keccak team at
-// https://github.com/gvanas/KeccakCodePackage
-//
-// They only include the zero-bit case of the bitwise testvectors
-// published by NIST in the draft of FIPS-202.
-
-import (
-	"bytes"
-	"compress/flate"
-	"encoding/hex"
-	"encoding/json"
-	"fmt"
-	"hash"
-	"os"
-	"strings"
-	"testing"
-)
-
-const (
-	testString  = "brekeccakkeccak koax koax"
-	katFilename = "testdata/keccakKats.json.deflate"
-)
-
-// Internal-use instances of SHAKE used to test against KATs.
-func newHashShake128() hash.Hash {
-	return &state{rate: 168, dsbyte: 0x1f, outputLen: 512}
-}
-func newHashShake256() hash.Hash {
-	return &state{rate: 136, dsbyte: 0x1f, outputLen: 512}
-}
-
-// testDigests contains functions returning hash.Hash instances
-// with output-length equal to the KAT length for both SHA-3 and
-// SHAKE instances.
-var testDigests = map[string]func() hash.Hash{
-	"SHA3-224": New224,
-	"SHA3-256": New256,
-	"SHA3-384": New384,
-	"SHA3-512": New512,
-	"SHAKE128": newHashShake128,
-	"SHAKE256": newHashShake256,
-}
-
-// testShakes contains functions that return ShakeHash instances for
-// testing the ShakeHash-specific interface.
-var testShakes = map[string]func() ShakeHash{
-	"SHAKE128": NewShake128,
-	"SHAKE256": NewShake256,
-}
-
-// decodeHex converts a hex-encoded string into a raw byte string.
-func decodeHex(s string) []byte {
-	b, err := hex.DecodeString(s)
-	if err != nil {
-		panic(err)
-	}
-	return b
-}
-
-// structs used to marshal JSON test-cases.
-type KeccakKats struct {
-	Kats map[string][]struct {
-		Digest  string `json:"digest"`
-		Length  int64  `json:"length"`
-		Message string `json:"message"`
-	}
-}
-
-func testUnalignedAndGeneric(t *testing.T, testf func(impl string)) {
-	xorInOrig, copyOutOrig := xorIn, copyOut
-	xorIn, copyOut = xorInGeneric, copyOutGeneric
-	testf("generic")
-	if xorImplementationUnaligned != "generic" {
-		xorIn, copyOut = xorInUnaligned, copyOutUnaligned
-		testf("unaligned")
-	}
-	xorIn, copyOut = xorInOrig, copyOutOrig
-}
-
-// TestKeccakKats tests the SHA-3 and Shake implementations against all the
-// ShortMsgKATs from https://github.com/gvanas/KeccakCodePackage
-// (The testvectors are stored in keccakKats.json.deflate due to their length.)
-func TestKeccakKats(t *testing.T) {
-	testUnalignedAndGeneric(t, func(impl string) {
-		// Read the KATs.
-		deflated, err := os.Open(katFilename)
-		if err != nil {
-			t.Errorf("error opening %s: %s", katFilename, err)
-		}
-		file := flate.NewReader(deflated)
-		dec := json.NewDecoder(file)
-		var katSet KeccakKats
-		err = dec.Decode(&katSet)
-		if err != nil {
-			t.Errorf("error decoding KATs: %s", err)
-		}
-
-		// Do the KATs.
-		for functionName, kats := range katSet.Kats {
-			d := testDigests[functionName]()
-			for _, kat := range kats {
-				d.Reset()
-				in, err := hex.DecodeString(kat.Message)
-				if err != nil {
-					t.Errorf("error decoding KAT: %s", err)
-				}
-				d.Write(in[:kat.Length/8])
-				got := strings.ToUpper(hex.EncodeToString(d.Sum(nil)))
-				if got != kat.Digest {
-					t.Errorf("function=%s, implementation=%s, length=%d\nmessage:\n  %s\ngot:\n  %s\nwanted:\n %s",
-						functionName, impl, kat.Length, kat.Message, got, kat.Digest)
-					t.Logf("wanted %+v", kat)
-					t.FailNow()
-				}
-				continue
-			}
-		}
-	})
-}
-
-// TestUnalignedWrite tests that writing data in an arbitrary pattern with
-// small input buffers.
-func testUnalignedWrite(t *testing.T) {
-	testUnalignedAndGeneric(t, func(impl string) {
-		buf := sequentialBytes(0x10000)
-		for alg, df := range testDigests {
-			d := df()
-			d.Reset()
-			d.Write(buf)
-			want := d.Sum(nil)
-			d.Reset()
-			for i := 0; i < len(buf); {
-				// Cycle through offsets which make a 137 byte sequence.
-				// Because 137 is prime this sequence should exercise all corner cases.
-				offsets := [17]int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 1}
-				for _, j := range offsets {
-					if v := len(buf) - i; v < j {
-						j = v
-					}
-					d.Write(buf[i : i+j])
-					i += j
-				}
-			}
-			got := d.Sum(nil)
-			if !bytes.Equal(got, want) {
-				t.Errorf("Unaligned writes, implementation=%s, alg=%s\ngot %q, want %q", impl, alg, got, want)
-			}
-		}
-	})
-}
-
-// TestAppend checks that appending works when reallocation is necessary.
-func TestAppend(t *testing.T) {
-	testUnalignedAndGeneric(t, func(impl string) {
-		d := New224()
-
-		for capacity := 2; capacity <= 66; capacity += 64 {
-			// The first time around the loop, Sum will have to reallocate.
-			// The second time, it will not.
-			buf := make([]byte, 2, capacity)
-			d.Reset()
-			d.Write([]byte{0xcc})
-			buf = d.Sum(buf)
-			expected := "0000DF70ADC49B2E76EEE3A6931B93FA41841C3AF2CDF5B32A18B5478C39"
-			if got := strings.ToUpper(hex.EncodeToString(buf)); got != expected {
-				t.Errorf("got %s, want %s", got, expected)
-			}
-		}
-	})
-}
-
-// TestAppendNoRealloc tests that appending works when no reallocation is necessary.
-func TestAppendNoRealloc(t *testing.T) {
-	testUnalignedAndGeneric(t, func(impl string) {
-		buf := make([]byte, 1, 200)
-		d := New224()
-		d.Write([]byte{0xcc})
-		buf = d.Sum(buf)
-		expected := "00DF70ADC49B2E76EEE3A6931B93FA41841C3AF2CDF5B32A18B5478C39"
-		if got := strings.ToUpper(hex.EncodeToString(buf)); got != expected {
-			t.Errorf("%s: got %s, want %s", impl, got, expected)
-		}
-	})
-}
-
-// TestSqueezing checks that squeezing the full output a single time produces
-// the same output as repeatedly squeezing the instance.
-func TestSqueezing(t *testing.T) {
-	testUnalignedAndGeneric(t, func(impl string) {
-		for functionName, newShakeHash := range testShakes {
-			d0 := newShakeHash()
-			d0.Write([]byte(testString))
-			ref := make([]byte, 32)
-			d0.Read(ref)
-
-			d1 := newShakeHash()
-			d1.Write([]byte(testString))
-			var multiple []byte
-			for range ref {
-				one := make([]byte, 1)
-				d1.Read(one)
-				multiple = append(multiple, one...)
-			}
-			if !bytes.Equal(ref, multiple) {
-				t.Errorf("%s (%s): squeezing %d bytes one at a time failed", functionName, impl, len(ref))
-			}
-		}
-	})
-}
-
-// sequentialBytes produces a buffer of size consecutive bytes 0x00, 0x01, ..., used for testing.
-func sequentialBytes(size int) []byte {
-	result := make([]byte, size)
-	for i := range result {
-		result[i] = byte(i)
-	}
-	return result
-}
-
-// BenchmarkPermutationFunction measures the speed of the permutation function
-// with no input data.
-func BenchmarkPermutationFunction(b *testing.B) {
-	b.SetBytes(int64(200))
-	var lanes [25]uint64
-	for i := 0; i < b.N; i++ {
-		keccakF1600(&lanes)
-	}
-}
-
-// benchmarkHash tests the speed to hash num buffers of buflen each.
-func benchmarkHash(b *testing.B, h hash.Hash, size, num int) {
-	b.StopTimer()
-	h.Reset()
-	data := sequentialBytes(size)
-	b.SetBytes(int64(size * num))
-	b.StartTimer()
-
-	var state []byte
-	for i := 0; i < b.N; i++ {
-		for j := 0; j < num; j++ {
-			h.Write(data)
-		}
-		state = h.Sum(state[:0])
-	}
-	b.StopTimer()
-	h.Reset()
-}
-
-// benchmarkShake is specialized to the Shake instances, which don't
-// require a copy on reading output.
-func benchmarkShake(b *testing.B, h ShakeHash, size, num int) {
-	b.StopTimer()
-	h.Reset()
-	data := sequentialBytes(size)
-	d := make([]byte, 32)
-
-	b.SetBytes(int64(size * num))
-	b.StartTimer()
-
-	for i := 0; i < b.N; i++ {
-		h.Reset()
-		for j := 0; j < num; j++ {
-			h.Write(data)
-		}
-		h.Read(d)
-	}
-}
-
-func BenchmarkSha3_512_MTU(b *testing.B) { benchmarkHash(b, New512(), 1350, 1) }
-func BenchmarkSha3_384_MTU(b *testing.B) { benchmarkHash(b, New384(), 1350, 1) }
-func BenchmarkSha3_256_MTU(b *testing.B) { benchmarkHash(b, New256(), 1350, 1) }
-func BenchmarkSha3_224_MTU(b *testing.B) { benchmarkHash(b, New224(), 1350, 1) }
-
-func BenchmarkShake128_MTU(b *testing.B)  { benchmarkShake(b, NewShake128(), 1350, 1) }
-func BenchmarkShake256_MTU(b *testing.B)  { benchmarkShake(b, NewShake256(), 1350, 1) }
-func BenchmarkShake256_16x(b *testing.B)  { benchmarkShake(b, NewShake256(), 16, 1024) }
-func BenchmarkShake256_1MiB(b *testing.B) { benchmarkShake(b, NewShake256(), 1024, 1024) }
-
-func BenchmarkSha3_512_1MiB(b *testing.B) { benchmarkHash(b, New512(), 1024, 1024) }
-
-func Example_sum() {
-	buf := []byte("some data to hash")
-	// A hash needs to be 64 bytes long to have 256-bit collision resistance.
-	h := make([]byte, 64)
-	// Compute a 64-byte hash of buf and put it in h.
-	ShakeSum256(h, buf)
-	fmt.Printf("%x\n", h)
-	// Output: 0f65fe41fc353e52c55667bb9e2b27bfcc8476f2c413e9437d272ee3194a4e3146d05ec04a25d16b8f577c19b82d16b1424c3e022e783d2b4da98de3658d363d
-}
-
-func Example_mac() {
-	k := []byte("this is a secret key; you should generate a strong random key that's at least 32 bytes long")
-	buf := []byte("and this is some data to authenticate")
-	// A MAC with 32 bytes of output has 256-bit security strength -- if you use at least a 32-byte-long key.
-	h := make([]byte, 32)
-	d := NewShake256()
-	// Write the key into the hash.
-	d.Write(k)
-	// Now write the data.
-	d.Write(buf)
-	// Read 32 bytes of output from the hash into h.
-	d.Read(h)
-	fmt.Printf("%x\n", h)
-	// Output: 78de2974bd2711d5549ffd32b753ef0f5fa80a0db2556db60f0987eb8a9218ff
-}
diff --git a/vendor/golang.org/x/crypto/sha3/shake.go b/vendor/golang.org/x/crypto/sha3/shake.go
deleted file mode 100644
index 841f9860..00000000
--- a/vendor/golang.org/x/crypto/sha3/shake.go
+++ /dev/null
@@ -1,60 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package sha3
-
-// This file defines the ShakeHash interface, and provides
-// functions for creating SHAKE instances, as well as utility
-// functions for hashing bytes to arbitrary-length output.
-
-import (
-	"io"
-)
-
-// ShakeHash defines the interface to hash functions that
-// support arbitrary-length output.
-type ShakeHash interface {
-	// Write absorbs more data into the hash's state. It panics if input is
-	// written to it after output has been read from it.
-	io.Writer
-
-	// Read reads more output from the hash; reading affects the hash's
-	// state. (ShakeHash.Read is thus very different from Hash.Sum)
-	// It never returns an error.
-	io.Reader
-
-	// Clone returns a copy of the ShakeHash in its current state.
-	Clone() ShakeHash
-
-	// Reset resets the ShakeHash to its initial state.
-	Reset()
-}
-
-func (d *state) Clone() ShakeHash {
-	return d.clone()
-}
-
-// NewShake128 creates a new SHAKE128 variable-output-length ShakeHash.
-// Its generic security strength is 128 bits against all attacks if at
-// least 32 bytes of its output are used.
-func NewShake128() ShakeHash { return &state{rate: 168, dsbyte: 0x1f} }
-
-// NewShake256 creates a new SHAKE128 variable-output-length ShakeHash.
-// Its generic security strength is 256 bits against all attacks if
-// at least 64 bytes of its output are used.
-func NewShake256() ShakeHash { return &state{rate: 136, dsbyte: 0x1f} }
-
-// ShakeSum128 writes an arbitrary-length digest of data into hash.
-func ShakeSum128(hash, data []byte) {
-	h := NewShake128()
-	h.Write(data)
-	h.Read(hash)
-}
-
-// ShakeSum256 writes an arbitrary-length digest of data into hash.
-func ShakeSum256(hash, data []byte) {
-	h := NewShake256()
-	h.Write(data)
-	h.Read(hash)
-}
diff --git a/vendor/golang.org/x/crypto/sha3/testdata/keccakKats.json.deflate b/vendor/golang.org/x/crypto/sha3/testdata/keccakKats.json.deflate
deleted file mode 100644
index 62e85ae24236b46c09e5cfa84c71c69f5cc33cf6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 521342
zcmV(wK<U4P`8%(#Z;l*_<^B|djxB(fhZj2Ig~a3&4ip@~f^7Jbj55LB-8~D?iC*E?
z!T#^P8d!K)RZp=<{?C8>zy6Q^@gM*Azx~Vq{J;Fmzx?Ch{x$i(5WRo?```ch?|=FG
z>3{z3AOH9N=YRii|M5Tm`SX8hy#;>6sy0=|rHk_99c*FNJPEr<EHGa_DM_uifBawn
z*YEm&|F{3|fBzr<kAMCy_&<O2|M_qK@gM)kfB$d)`TGI>@%PjJ-+%s}pI<O%kkc=U
z)^v9{H5e=S@}WO$&ZC}_VoLOqXWkqiU*KO~(EaNR>W)HOadPLF*FZ1|m#XVEZQL^J
z8}q2<LSw*2`S=3VuTOY*_3I<>xyRg#2Gfi@x>sGO%u(G>lHS%u@0*@p+eRb&B7)x6
zN8q{HPb`wT#pgU7NDnR~FjQ-F0CtB9*D1syD{4u-^FG;N`lJK5Z?1ph0V@v4gb@;o
z8qApUxUUa^^qr%q02@32@&v6X{_!F2Q<;Q^{IbP<eafv+GjvGf3I-F{h7F6{EW{Ij
zP6poKrkSBA;0Iry@-0z4fhv1T@#|x}-V1-xW&O;wC3sf+Mw*t1x`a_{!P5l95^zWJ
z<74DgtcYRA-Ojsvzdi?$U3<nrJc^57JltE<ask7Q%6N_zK?LueK5+H@_#FL|?aOxr
z^!y2ukp9F+LwLaT0Y*FCa5@N!B`V#RCURQW=^c!+0LsAE2N`|8Bh{>jE;~`mCci#u
zMXxC(#SH=&=YW#-X->!mi}R8_Q3iQ1K4E9TUk>*v<=wGIL}ZFwdcyrvM>yu(Y|WHZ
zh9&T-GeNEaN;wWM*Vf0EkE>rCJpB5oPf>5~j`ZA($87HtIsElm^4j**aT_lN<t!1;
zZMq%}yzC2MMKZ<^KbO~5^YK~nDQ~HL+yO@vK>KcehlYQBnAr;U<|JieS6xW<I3a+S
z*v8YdctFI3anQo6^rb6=Po<|lC1WB-qGQMAdb;m7Xt5))gCZM-@)p!C;Utm4IZCXi
zCiS+QCTjuo;LD&8KSj?iZrGz3t&z$l54I$ge#+mmct!hm*Ef)TxNhlHS@+z$5*R4&
zM9j5$1s(eNb@ZwKOCq;d-JtFk>wAc)abQG0+dqn7?Fg;B-D9(fn6uhft?JZ|+3lz<
zvO8!_!SD0?{8Mw33Z6ySJ>&VFSc>heIicxKlXZB~XFkL}qG5E{F7WVGKX}(VU5Mv@
zf*j!2ik}Gb=c{m94B7{eXL^vfPbf47&cSx)rv~rFAG8SM5QpKG^m^pdjS^ATl^tZ>
z*cJeYq1M+ozR&kzqR!JLqWGYNNFG<|280)367J7eOtW3GiA9n$nOnp!eL@#bj1V8G
zswVB47O_h!eSM|SXW-R+d;0`fR`D|Lkz2j-!9(f{TlpEo#3NYQAbALYqo2mSm)NAM
z<iuIz-2!Nm;b9m4={EY^Ge|KwJO)(MZ`FNG<UwwN+Ovss`RzS=j~`&pixwYu1A^m_
zngKkW9C%2cE`??e54_nvzx4C<j8FT`UQKVzd;7Zb*8DxITrPR62$a9WZNfo|&{_`}
z@h#Efh+!-tPb5#`RKzmv-3{E+uWz;Q?qc9_V~dYavk+*U(F(elJ<WCGnrZxg#)b&I
zm-tF_T8rrIu~4p8d*^y#9yUp<G0&CVEq?lve|H>^2X9WMN=(C+8ugN5_Od;TMPU?4
zFX89gLU+|B>{>nwWPJ@*tYDs62jwJQu#F;1ONDvFU*8+_`Muj!Kqhham`AS*G?d#O
zDE2s)6yK#Da{u&IVg()08$Y)u0?8`5f!EAi$siCRLI9$gaAs65zGg0f&o9oK4thL1
zFCkRKlNGwj+Q*d+YK^C4-81E<Gk^rkK@O3=XEMj{GW0Y9(VM9VZCz1g%X0QD-PGqd
z`=`%V`*XF^i;bJ+MR?k|oI-83^ITkEmlT$v@aI=wZ98{O>43M@%``3B85inwP>`lH
z@nk)m-MYfhuSWgO04>B~k`dd_$s#SE#D?DmV4&wS0e(!jS0es?raoK^E~s8&BN3R~
zV<~)xob~uU+);ZpyS%P9IKKDw-QQz5oEME>-^8f*U88khA(}yy@Q^;G<m0DT))wWm
zKfl}@5Ba@mv{Q32ytgvP5ned#h2yM1C0tQ@<UC(qNBsR7L%Df9<W3T5pVNB)f<BH9
z>D=T}KnRy~T{b(Q;r-M&m%Xy_YdqpJtt={SmZP9X5ztwEVSar&5ysd1_3huoKX9U}
zdm(hg&N=5Cq(2AGFm!hA2L`SEjzS<@BeLn|=0a0l>?#AeVv<Z)1Dd1dc`bl1(N?k1
zZYFBG1p4RK`)68vSAr#IbJ~*KB?Cm~M?MKr2*fmxnBcCNrnZ}%rG9T1+${+Gc~1Bf
zKc3=+?U5Xr!h^av8t4R9K(IFwpPQ)f6+;|dw{^fQ1dNtjk8K!w<EC~IBKkFr%*KVS
zOldZ5H2&;F3u2sOp!ME(zae<%{wgF3J&@P*9`;cr>eTYHcwZHKZzX2^u=p}x89dl|
zqTF1*5>CQszHa*l=1lh8(b4RTB-FzD*_$dEi5Vh5<T-c5S&q}d(93&nJFkTA4%35D
zWTyD5hVMm&(xJR<jyF(kVgpaw!rRL&0Txtb;5nuZO<ajjaPG94mi*2HwU>!q&-%<~
z<}HMlD^~M^GSd@U7Tj7k&shek{Ho%6_fa%`8+RB>MciwXl#jrMSGKJck<ybWw?j?R
zUD<r`t<+V{`{|~KYl%g^`9`l?#o$x}ahb%M@5Onb%Dd`~`m^c!tmE@dKReN|Y;VQ~
z(ctP%#?MlblSK(0wleqO;kmj>is=G5%MLZY_&M!16{9_UPlMkr#ro?jX_5l2W!?aI
zXKw==^I*#SGxNlE21ZI93R<=8qTA<Mw?V29!fEpS-MxNC+erm^u+uY-Ia-T$-^%-0
z3#WrVxqW2FPcwI#a|IB~WDb=thj$gp$L)Ax^6QN-yicbx?xT9s2X*O2^$_EAfmFRk
zHHAcfFwTz|(1FAh!?rP&5?}E6y{n(qv~2C;Br&YsBiXm9maj9M-3*3UB0wTU@`CUD
zvzqTMjzjHM4=tZ(Ji&P{A{0A}F;~@kn%*W5^m0Y!t7=F)i)F~*_tYj|{e1g*hLZ)y
zJY3I>IY*hLQz1BfJl^VM=!qcY8m|m})$_ggv8+s_ZA#;3YH#0r_#hXqRARsvTXnX_
zM>jV}E}!7295*odQoN_-`+EmCV}dl9(8{kH#oZ0cp9YT2Qlry~7>t;!ug#>)XGNbb
z(C)JvL8cbvd5<WoEBnZ~0^S|tVrPrDIfg@=%7}x_QzI^dQ>#>jrm~-DrR!Z#P$hGx
z4+WQ{?U^dZnlVHrp?S|sWT*@JOe@TvegL?SZ&~1a`w47EArJ_!mW=2^c<92+1lYSp
z_Elgf1Ttvn*Q=Y;ROMQyKeZR-k7Y%!1#W}o&-=quDH?fQw7I2k=sA*x>B1*d@6#EW
z4T#wwpO@0^V|jXL{r0HN$F>LO#RXKB!Yk)!T3x9jlm|mmNtWfy5cz(y6}%QMphOjT
zMv(=gn-6Ho4zPrYQ5+GAf|W9K<f|_EP6Zw$4=(hzx4jyg0&2){e}d4(o;UBY=P_Of
zl8GMgZEG==_*S!DQ)&gWgr@(h%vNwj7}@Csr~#tPA|qQD=ajA~VcEoXIvQMN=vQU>
z=@uuUI5$*ycQ^U&>KH_!QKfDt%X^_#Nc_oc`LrUyE1P0}Y6NmJeZ?;+`!=+HI$=n&
z09!hk2I;l*BWxB_$d+4SPBNz>I2yiJST>)vefvg&V$zoO?zlVl5{RMExW*VKhTtlX
z7%8&9a_B92f@@ZweQ=VniP9NhyVzt~`TKkh^zz+42W3U{>vkyzGk7CW`UW*oAXB(!
zA09A#RcD_Lg7!GgNN_ahkqPuW#0SFE!_9nA(miK_Z(aP&OS!ljW2ioV1M`fO^;Oh`
zWRc)R)zA7Y1+NPH&2EVx>)seCtP~<G_k+Qt!B_ZbE*R#%>hteu!Y?cF1mpFal0(zW
zx;qyQdV5NiY(3z8A_`uWez;6;tnE;Y!Z)km^xAmz3M##bi=RCJ`<x-E-}ybS*2fo?
zB<Dm8$Y)%0uj^sFY9EpB3ggpNYD4|i8t?;GVB?N{PL+bT9&znhnTfR0I%Z^HGB^(_
zz4pw#r=;&GXh&n)DdvvEh0V|2?RH9=j+k^>$1OLD{7foZO_iVl{hb@Wn09sTuRizS
zJB=*LP{pRbPK8r#pUYyi2@EeQ)Y;O+O4#JKU4lpFF>J1D7JVSxX6BL^t3l_4hcE4Z
zZ{vYHm7{GNDsg%nN<A`3ml{w_iJp>bq_hw)Do}k^`RO!~gi-t0kZZ&oP&RH-wc%)-
zJ6n{?Ota$HkN2JJ5k=Q~%<!)A0qzym)Y$e02Le&J3byM{M+M&_&!W<<dM_&S?9#k=
z0v0fu167o^o?|4m+kMrE`klm%N`q@)O!gu=x2B15?ty!TB+H{yHUeI9u4*QAb69g5
z^&#(O4|_tVNtEeg+`V=5B#eH#t7iMd7v}+sEYv#2VUx|pW*pCoO>BMVZG*&~M|@RE
zpYF2_7h#Bi+M1MLISzyR=d{|Z_a1`84Qaebm6_zNoxoN^yV);B#^W{AsS?IfgKrG1
zXA#cI&w1|2B$=V~n4GvtZP^6AK6~!;V6gDQWFEuNz1XNvR{7J1VEPF<GFvB8IuYGk
za^0irI1hV|B>GN;1>PtK-uf#{yBmV8XY(|)myl9jtD-j2v#>R+bTpZNGRt|DRoh^M
z59WGr_4QeG2*2q>2vK;nj8iK<kn&aS`*fsPa;<y>x?TWc_|D-9doH(T1Bc@LDe%7J
zt%j$r7m-gp)*ULe#h#Oh)4C%i=}NlTU8`7}vOT(=^*%QYp6FT$E}l$*d2@3%LyE)z
zRl!{x%e$ADm!I{1ded%oqk|X;bsb+c7#yZCA+zYnylRYW%7?h^J-cfuhD%GZd5SmC
z%n5f}6gE?48Fr8lg`Z8SR_D)(VYW$Xnaq}K-kHA~x%0Ca#ffBy8VwfY?AjfqPd&@0
zOFh(*o{rlPtYO6(%eqE_6p&})Tj_o?>NozDW4Iu)NnY5n*5j_Va!F0@tx2DHEApaw
zSFlR2OSAF!-GQOhS_e}UmB_NjIP3Jb46YYP^3^f3w@!C)%%`gL)32oE@>Gv$;hYhh
zX?@bkU%nj$4@^m0fh!8p;;u}KYt>FReF}>J59I+~Q@NnGJ^?y(+r(GbA;2bKAip<J
zRgzu)T$Z3p3Faj*R5Zyjie?n42j>D<TO7k@)%NLJhH8roREuey8e{INdQP1Cc8`M$
zkDD~5&w3Z6I-OAwRHtbPt(alX2@%*L=5*{i!tStgPQR>(V}+;rvkwz3p$bKYFbIQf
zfVT##ZB^t1<90GWQO;(~EQhbU{nNwfCK++6l8gykm_iUPSL68s6GEBJ<F)sEP(2cq
z-K=!*^*bHd%+N*w5M;x%8PA6pXOq&;xtmvwxB;(z=gBtO;H2ir>Iuj~?BPQhiAiqa
zhC}POq#Z3D;BKFle<v*&eD+c@ONJg%cIrMybaUoZLaL#G3w(m9He;@H9XPimSS<H!
zake}?>s55Al>u6Glb#6YT8Tzz^rB$-@7lYYOXA3zub<L1q=urvNp31lLRN<LGp&Jf
z)yA*d<2!vB)>u5ehjZ{=Qjn$JiPWp7*31JQ2jQMc!b9<Lrly#Lp<y0@7s5nHIPpQl
zf$>v+06J%J1`%#>S|?11>A$Nd?;B`6An>7=nHsCjaYAB^%)lGiH0qp@M^Rz?QN6&Y
z!<|^`1JH?0Q}m$4Cmk_|MNc2N^Q6VZj*yZ|Oiy}qGc8B~Pxw2`dPxlQC`-$HSbbVD
z6IX{{_z1J%`YULh_j}%Nl&4@9t`~IyG|ouD?d&?NMSz=?dU^$==Jm?)tA70Sx((7?
zFUZpsM$@UgZb~ip)*4f};20h>&#2kh<4k01#bs>VM?IJK>P^pzMY1gl?A4x#NWI3c
z2ajW%C5_(F<=RizlXc4uIC+>A(A8%*wy@AB)O+S5yXXuXJD#{>UkK2r>!Gd}k6*ZN
zRKc5#4n0ybN9-`}eJK=L&x|^G_qH5Tg=&uQ1pYM6G(~)I#>2ryBQ}vhVP{E4Ytc8!
zamm4Rm<{l=<4KJTkUSinR|wgwK#}wsEZJ{FIV*|m;LLPWmOe4~^uOyzZ@0)AJrNu5
zI9f!;%RC*V+@}(!DIe{~Qp2{f-KiHn(Q(*vSwzEk$>*DO6`;e77W%s0$(j~Lqp3^*
zPhc(E^-m?lY?t@pJbPhK+?Q^bPpM3n$*scc)jkM*6iYPvg#v#%Vb=09DtT*U{Awy~
z0>zE>=_A2@M_9~P)j?yI9m&#fnThTIhuEPj^X>T+*bpWmd0E9t>BR9{<l|_&Yg(gy
z=I#<v`7{4`6Ws9lf)h&t8d<)%_r`S%*XbR;f~MQIK52(lUpTx^Ph`C~NR^|`7e2;O
z@!sg(@uX~3imgrbLkUkR*vAgXeXpLyHu3WTl)F_DC1XKEd3k+YuU;L*Xg_=JX5f^@
z1T5w~Fwpv)1eapfA4hJ_ik?u|Rj^Fk)GCi+FDoR5Qea4pXMQ0e^sR_?Gv&_3&hQ#<
zDW}d#dD+h7dTtwvfaJMvRy{jpPL?T}6%4J0UmR(<k&wTjPV0D0jf;DtWpAofnzC6i
z9B+zoK-(<eFDzsT^-cO)Gq4_9^Dx9zeOa{Cr@ECMkpYo7(6#-Ag?{>Eyt7VUOnJnw
zb%eW(Ulk9dKzpUPoI7lm56SHyTX2Q}ZY>iC1i9Y$KB5iAiRkdjH)m^*`<_*n_uT}s
z(|DShLXyPwyBeckXk3zVLGUJDXbDXz32u_4ki49fk~hz^3oPESyT>OQpN@%KLyma5
zL!}4rjy)uMcdYh&dY)_{p#@fByo7U50<F8|3UX{J1}{vb=ml`Zm|;-eVDs$h7Rc~)
zS^{HtfYP3+mD|vGIr@7e>%hwd8LqN*EF$a4%gE2vlXkIqB`#5prD<CPzVI;p#AA1&
zE72kWVw<)_z|DAuL7rJBqOFc-tZK>WYpvGjfW0K?k6!Of(h-yL)GLI|;Tw#gotfRH
ztu+*w4nO6bW@6hDt3VFR^!%AC5GY7Wxp;#^&K>DB*QJ>qMM^zv<WkBRYclN7{X)b)
zU9?h4tz?^%?{cXzW*kkE_DmXj0@z6ANk^9fL<T@ZL8m2!T88ARlSb;)`BQBx_4g7-
z!LwEIZ0`VseVKSlj#}R<^P+h^iwU0j`#$~FxhF`RK#rTLPanRxmp#2}_Na@771)Ih
z4QswIiBCU;y(G;RHAc1R>?~IZrX58(mAe<^a2dHOPh~|Obt!?#9Jb`jyUI7^V6`L#
z2Ee?RL|ijcINb4C7XzY!N(tr_7N>UH4!tq37Ygt9^!YlriuNMIiBgHY2GMo8-$SgH
z*beqNvXxihC?BXOd^&5@O)wAMSe?YnwtFmOHjOqul2X2JkSBEL^sO0Y)d;4f=cYZZ
z?XH<Zv+7L{db~9N+&7!+X5INF<0(j~X<%TC7cigMu)j_~32v;Po<jTxF2ZG055neg
z!WBJ!_+qG-kFcb2w695E!RQm0@2MQXJR)wmS<3V39;kNBGK&YY%E7fsBf0jB`=#Jz
z#k(k<J?qF8r<AFl5J$@^8?5K2Z15JNsWRUjKfCAiQb&OSxrq-q6mcYEE1Ru<dkgIh
zZ9F~Z8Os#m&DZ-@CEAJ}EG~JqDgpSDar;6BKiyUzf^4TN3rZ8L^;IS$lsg1GMSaKi
zMgx0lRKPQ{8Xe;z+g}M)USq+n^-Q(MD+O=B_JG%_F+Rnp2_c-X)wh@FZA-qmo03SZ
z(WIbE*k9OK`&M`vvp?Vl<WXrTsd^<tT_+q}h!B16*`?}dCsO+K-FYgnmfS0j%MhCe
z2vEX2y<6-Vj;KRIP^R!ZW1}|g%`78HcJ6n5Z+tdW>^iv@M30d|al0?d_3(vbrPPjQ
zNxc`oc-l^_ovYXQ{7G?p{`Q&zn+@FSeKc9-7_m!R4EXZJi+IGENX4_n3{9V2!=Da}
zG{N!Qok6lgSLLV<77M*8I^Z_O@Xbh^3Z7887Xx^U`(u&kpt?!duMrT@JMfr9l<1{A
znAN?R>ZH&;yaM2dCk1%h*Z8!iNU*pjM?`ym<~q9GBZ-&mBD3#Wb-G*7QY8?*IOAyL
zR@uWLr>?&6d7obFh6!US$J#uJbG>5O<5~XPn(SQ;vsNS9*67_+@seka)0d@kz?La~
zEPJSV_p;WkQt?!r^sH7LOG-x)HyvD-a-&E3AOhVy8L{L=>S!J@{B-3fZhY{ByN(@2
z6WQM~ue7PSm(|ttG>GDOJb|vC2z|Qp2GqOTd-KGq%@FTirV%lAlH_U866krION^U%
zd8GBQBFGd8`+!b5SB{)2S0bjIp5hVfjhv5g%X%C-C-=6Zlt5dn<C^gx#GSpsl5Qdj
z?cWy!d7Lv+wsY;Ax7K(xBKRP8%EcL;k|V?om=(KzdXVTRMn*oXG$t-80R7r5AGsp+
zIJ{$MK7?VtB8-+!$Ye0mEDTsVKC)Oa<}q6%wMMHY8$uPx$Tzr5r!SOD*{5<c45+P>
zfk|TrAK)uG?(_0^o9!a+CrWDm4)KNfcu6VAj7PrZFiu2X8B~P16sdRhBtIug)la8Z
zettx;RyfCH25lzqt)S|HqYGSOYrCVyl)X0HM_b{1*+r%~nlN~2B`~~PdOa4g9rg@@
zAT4X>*^v94J1@OX!nSijt>CJtSTL`tFyNsw$5Pav9qpmpZSK6Q;SrDwO&<kSPj@uh
zch>#{^QAgai@ncoZ=at13dwF(W{o*f9hxkFm6dFjvpxB+o`Fp`b#9WlicHj@pGV%x
zL$c>o3Ao_?MB<eiGH3!xM@mcS1s5cT5KX(;W2=>>$J%ua&}&(0&w}6eHA8OZ>CgFM
zpQ%p0jX?zJU7cIVB_d?PiiTSQJ4kbqF%kP#lz+N6_)|Op?Yq~luS}>zjNDcdF0&e>
zqwYM0_$Gjc>9s`w*YoT0^Lqt&yl<wSvjh*x0RX#d_({&%WzL48+_b<jnaif&yzqGY
zq%wKhz?SH#d+P%)^+NoG)#7y+)fL4<m&0)Aq+nN(D{)>&%Hh#>Df#*gct5fF^l|m}
zbAM4tu)5F@8Y!-tCxPh{6?Du!kuMoTLoD%mzd-iIrIR+rNFCYP+6c)W$8E2Qwu-(^
zH6L)?j3r5v;h2KA=<`g1px4PO-Wt)vqc>$FPm6^T_NP~!9{F;ql=|zK5KvGI2Y3pK
z9MC;WPdo`O3S4VHb5ndedijVxqmZ|ZSMrwpI_>fK8=vOqfnB1n^%eM887k{+jlNFY
zsj0MUY2F9$qBoqX(%Tjc82BwSvOf*km^Cdyct=<Lgk`&StC_3Gj^fZyk8B-?3$98}
zl>0Ycu0w_FT0jMUfBzjB0RkOaWPcC3V1l>0xtQ|HvkX4H9Y#D`RWAMUqgCj=UB<$E
zn>__VheUI&&JbXhJ9xZ8eq!ztyRonL>ZOryJY{-8R%+7o?q&NseN#Nyw=U2)gKqD&
zz25GL+c!=4zy-nY!P_hyzb91k9_6$7>GJxV*<=vunriJ7vG!H?Tu!okP(SXy6jvjy
z=T%>b;de4Ok)@%P!Nvj<eWE2CCVcl$RdC+Z@O1;A=~JA(q<U*~q;Dce0_X5%*Xm)>
z763W7<W})RWa3hz&BP}yNP;eZDuZJdhgU#MQaYO|3Vi(H-pF{F(+oe2?)mLu8#$t$
zD+LqA_y8*3waoz&CcMpu99*ek(S{cNg&BSNeWAlFrXnKZu8F@&>Q_J@;XPt6+iV}a
zb>Trt1Z+J?T4@Iy8<*)2a!qu2?FLnG05@;CfHR%R$ppn6V>-u3_;`7UEjQD`g49!{
zu(cOFW80d<!kpXl8ZR(^Zzh?KapJ16D47pCylx2>DHaShHFn7!xIMl*wERZx)A{>Y
zoV(`cbu}6&7p_e}0UfL^?Sfpym@T~(1r8FHeYPNAhGG}$$nsvI!PCHZu~+&`DT(_m
zU)%~M<ZHlIhQ4(pE61yd^tiKb#OV|?2C;>QR(@+4dzCsNEh6_buOgElyiR@VLYS=S
z@wl0LE2I`Hz~P=Sk4}Oq=zQVE`sry#*FgMWF9K02$LN9@a9=}kg+!e8^^-1k*j3jq
z*#eAp(5$EtS>>07kg1d*2;HDYJ-jm|9&K|}YS+U|ar)<*@8Nd3C3E|UOunnikv=LC
zvhoe*D#oPC*)}2mg<Q_Cy}}`jr_tbRMV8BVSn!$$u6R#ZB9rr6RpHayzAuWVyL};=
zLi*y|Ovv%+Eb|<_=y8B0bcR#efP*9Hj8S=Tvkw%Q7`9VQ;Sf36j?`x>2^5rZH-ifA
z4&;JwM2xPMLM*oDc{QhxHf_DsB3<^;maC%%hxc+fpF#T3k^bzYJ9e`kZ-TnHO8vSy
z^pAAthoT4XI(jE!kor<Su@m~lE~lYXgIBRh<H&q9-b+auXMk|r2S9Yrk*)8sTU~a5
zs|tWiQ%{S_Z9c0QTA@)%DvGpeHh6%0G72*=gcnN{aJhlO7=^FAMN|qNaqpFrjT{m%
z17!@L5WnzzQwVJDr`OpvFxl+0*XAee^^U_)?cF_t%tw1%P7U4sW_9ulz3;2#;@xF9
zY4>`$R`*`H#oOoowCC6ekk6d9cW~L9G|FnJtWJ>aK@chCBEdRQt-2horL*d*zFPKM
zSLUO)%6zvN?u*rueG(~dV3A@O2sNny3hPpGQhH{3AQZ|m(Y>#Jc3Ah@tMv$33eA|^
zH%ayIjifE|gD1+7T4>rd#=7%~-}jUd7g?1m60{3A^`=*7Dl4GCui;^^0$I@Rn@my$
z=8*tLaVv<beKAlkI-F#P{6W#3OthfLg~|C*(^>|!$<V%ZcyP;c%2j#wfG3u`o6B|K
zEyv5~KW~*9ZkNkAX!Ae?_=R8tkTIPedzQ142jR(ez4TtZ7R7>%OTyQ32ZTXi2!3Bi
z*%KjIs8e$1(ifxkncMhAbDB&Ym#e+HEQ*q;Ym`(Tgv(X!!PM2ECp01!YMVJ8`8xc)
zFt>tY)YmCxXc>P>EGPl(ErYJ=@-Zq(qX@o$$ef^q_ZCW$I<lh+HKCKv@m~DQ#%}|F
zE+%Zks~$&Qv*HC;g@h2VF|sDLO3_k*>KBIJw^SW(-S?szS@|8J*o&s;jn;$D%Lv7i
znyt=5W7E0bXr(vok|8$vF5(Nh$M8Zzg`oGb0=xp!(#A6is_4gBAktMvBMjpTgJha0
zKq>fOx%uQ}uqy8xf}L%qA%9CE`cCPENXhTrcHN<NWvqZH4UzknIe__7YH+>RbrR3w
zgxwN~K4-F^PZamMI`0WKQcNvCMejkgy%^q&dDvDX06F`hr&VUBs&dL*QVL%&B{U4U
zISBzS1Cx6ivp>4Dm57EGd<*6W(oWcx?}Zm&KLDnULpMt7Ah|^ACE@j8+1K2L<V26U
z47CV6x*LDtD0|b~nMAwPw53e*TJ=dUZ!3qw+-M}css%*RmJb~L`(FE)TNoG_m0kl7
zj;kkwlRT64ff@#(1R`|c@Oz!_5mz|jE3M6J!ghy0(eil**E}i+>c#@?onxXmvV+?c
z=I_0CL<^oGnd0)OgkAyl@W{w%faR@W%h*#QddU|PE4;SgPp7M1@6Y+ouk@uocI!x9
z%zjzzG%SIo#V?LldRE2X_*k>yCz7AtCEa+T)jE{}NK4fjz|S(3>CFoZ5!k3+(ASBJ
zS7FIe_$=uipQ<*b(HQdcoi)Hd8nh)6ZhnK?T>5OP_vqZ>-j+M|bB3}&Htzu3GLlVc
zG-A}&QP71vn|pJ1ruzbV7>X+Ao~ZwxPNs-nb)R&)&Q<az8!eHB36wBBh)saEPV-8f
zW&I0F{GLug1FiI3OwZxaxV5LEap^l1H&kDT%XB!W@plRgxT3g>G;!6dbR4Ny&vXGd
zNRG6+180@+y{J`z*8<NOGMD2)X#2HkJQV~%R++aOV1R(zQR?7&wCU$rR*tyoIl*tF
zqm)`9pBet_I7{wo(|ep&CecZ69KmV}x-O>R5R&^LWYnwl{zUWpihRf&MlICE-7nu9
zd50a%A@+htIm%P5b$4ZYyv68EIfePqx)2^RxP;3?BfzkV!Y-*KMz0aEH#kRVFAtyl
z!xxoNbnodX#2h{7WfqADvGQ#PH=Rgu$pwD_RxP1e1a)%SDLyh;>^b$*GaH)bkP~mz
zluB3NiWeMKUo@ws&*VetM_0;*tY3J3-<_Am9JazDa$cJW%e<LV=RW2=Rx=bP>wEoD
zd?&i5XP)b+#yOzJ$cqftcj=UZDWvkYjj)O{D`a}>rE6+l20Q6g5DVG{`7tkFr3=gx
zRoHW`aMSG0OUekhBzc8wt&0zmPy-i1<01R=-`BGfW!NUCD7eb;cPJ1{`&6IpbU%3u
zTEwWTilgv_==Y^s-!>3-h|2=rtqx<Az`WNMr4c+vYL3cN&t5!B5LSDNF(?kGIYp08
z+D9NW=mfG@S1j&mvdSEiN+{T1GAV+<`l@F*BS`>sF!~+dGVd$g+-8*V)?Hj<P~sbm
zhi+0qZ%b@+plPSynveeU&}@=;)x%<|9OOy3;r#r_1}>=$w!qrfH+XdX?I)(6{YXMy
zWeHLrlZ|T0#8D_ZfWre)dO4=#0$L)no6b(6#Ps@}&{e)9WSHeel|gjIB!h{ruwHK(
zrVKrSF;sx6*GcMq;TtgeLJLwABPG3+r*u3)`OUSqZTn_4fR^?XJuHGAj5WtRf+sKA
z9e(D{7Y1|O=N-#1U8{<Yc4tr6a~@X*6u#K8&N4@=FI45bGx5X)6}6}sM2fo6OUS!`
z^W$gtxPX}b;wA77)9Nv+>YX^y<ZH*8UKm){hL<;Qr|H`3;lrjdDLpXdD2#X=#uFKN
zy*x3j;z|Jg!Uef5QFTZumhny4d#Gv!U=QCK$JlKh+;THDS|+-utMl)zTGTy)p%R0w
zwIEK@BH=^PV?j2g5UH+;bmMsQiK~A1D8}`A7Yj-_!Z<|94z)6oHKLc>!d=5rcv-}-
zsfPaEgO$QTd15srCra=x1MTwpss^BTJ#V~gT-+yQuehGE#RBAGf86H^m?DA?aT`g1
zS2FwYxSA#wQP{R6IKb5H!lR%Kwj*o+IkboPjN#!=#hyZtlkzQ&Tne&I`YaALmqN`e
z14v$K65SBiy)R_HFYYG3$+v0jVLS!pwYCybwf6*rjYn6f$1r5mU9KZ=Jk*pT$RwH)
z0)PVP3VfkU%Jg2KQf_&lTcJ@O=U@N{&neQG6&|!OEtgzJG!5hVsQ{veB)BEZ?%Q2i
z=GUw-zAHm<8saG9s*@3Od=?LWs<y5koUNVX(QTW)x8PSD(Wai$%J|B=$C;Vwu<kQi
z`S<i>tqV<MFP=Y@Aar$ycW_oCFvG;+JZ=6i!ZWxBJ74Rbzj-+A*whb>UrFt12D@5u
zO(lR(%So&rt5~2nJFOWGGeRIyw^za93in$c<a*ruUKpG#G*}Gf*jTc>=rJ*cCaglK
z_e?z2b$v_=H+tvijE?~uH|c3(&X4ct<!s!ph6=PPV~#S#pv|ihlW$LO|MUb6NMy=-
zTI4&I`YgzK^u4!i*!m<8Ja3{|riNG+N=xrvzfJKqkyisiPvJ2ap}tPRb@j7&_6H1%
z1?|f^sFiyHF5LZKT%Jo&xr=QwmTc<2?n^pO+hcYB)v@ugxXD)Z%;B+h*V%jrAh|CG
zWCis1l(nQi1my<KU2*hu2z7Z<aL-x<qn`8B;}|v)o%&1&@!8A7M>C>YpSaU25)D){
zNPlSXzzDnh=9R@}kC#fasr5>wtv!U-;gT&{-W|C$sJAt*Cncwlq2P{~qT5FixA09i
zsV7~mGIzu*bA;XI!xl<wS!A@4lF1#Gt+bI;*e8RRwwcu|Crt$jM{GfiA<RVm_7}q1
zc@B1()tF|4DMt|35H|qNUd2+H?OBN}G68+=1Oh(0TJ2?tJq{f^FEx;*krFRzY$vFq
zw|uX1dHt$~b?S`YF20q~tT4)*VR=9-Pj#Kd1$JKx(q>pl)(!J9!^Dl9#VS>ma_Xkb
zEJ|(erk)SMOY#r}i6vzkL|2?ESe0t9Y)_P6_mO5YTOuRZQ@N9slHA6h7{4B&z{CUx
ztF*?4zzO%XmDNJd&xaFfCDwhS<r8E4>~Fr}_}*op#i;8uSEAl0(Ds}ZI%Kf&ars3_
zWNoKU@N=Iue#(0fFudNNUO|C@5g<QX5YRh}0jy29N9B33hKYwYsBVs+F>jdtW)Gn5
zVO$je1LK?;-b=Qy5PhdXPP5S}56qv<z@&g=p+0P&`SXl%e&PBvMZ^mv(R8T83?|{{
zCH`=yjr7t}7|}?*pPjvuees1d!Kac%8ewx`Tm3caAV1}!pujrPc3QfGN0bq5IQ8=I
z%|zQV@1)R;@c>#k98In98)rNiCm7I?^O)>@F2;fHo%hYN2qG@by8y;SkS<N2s5D$%
zakX(tkr#o@KF1w<-nh7trVO=;omrh4<j@?^cx8z+NV(TPbFdJ<7xib6vs@fK?<qXR
z7q_{~WTPX+5fl}f9VnkTfA&1u-PGU{mwP*UdhRM!xzADqJh#XCQS7VjcQA_soq*1l
z1enl;FNLCPEE`tuRKb$z@oropRv#}hyjzpIo*8XvTFTe+<di#<1`zZKh!3k6K6t4^
z_3k|rdHlvS!q@phG!sZBD$3M*AT||&#5mOTNa=~alP5osuA=KD<X+U*@v<yUxd~6%
zldF7;&VgogvKxqVzmVq7?l)P8(@^ki3LZg<%Zc`*2}To9a-m25B2G17$`Svd%A&KL
zyB(CrD_2H{Q2Nxh+DhFmg+1rJ27$wUq>R;X+cS<5o}uzMQL=}}?#nE|dX0yQ1xn+_
zg?-8HHw-BFPKoHDSViqU;x=<G%WNNpQR%^|^ihwd`Gs{qn9w*Q^f9b}*KgluZ^1LJ
zgrqg*&=-?3x8=e9h4uUFgO4^M=^Szw768d2>G3;bT)^R%?-iyappgb)g9J3gF%oP!
zgTyh(dc2hEkeE)xULt%J5vY&ey2Ox;c|5j?A)^O%-Yhwl*W1lR^*ob6ih@IFTwH~+
zvTMY>`n0RreISBsl;}ct<SD);Db2_fGV$2VyFRp;v!7nQMSgQneBN!B)O$FAP-1$@
zu&P>h44EB}rSFl{7uxdK5xJwDK7od#&h=#{KCh`qX2)3eUN3E-fxMb&ojcY%yBAlU
z#01@3bH0$YNs+@TGK;7(gpso|C1^szOM}m2qx5EgmYRq2mAp|{&S%W8*#fymL)bi3
zW21~_n<-BozYD&nXu5UqUO)5q)Y<@^!9YVjXiso&M{(4jPQvU~bV;1Zb-899a(KbP
zl3)nCoIrL5qZ~25-CuYsd^!oP$}6)j6gg?LFid@Ou`>LcG`VxM?X(zRIA#k20pe+3
zP9}uZzDgNa4ahKk<jOK4q{kai&!)NNO|^MMtO~z}=$4KbIX#lxawM<XNwfgPPo5f2
zHxkq72Kv^uwqUQ?<`z7fII-P+bsGqa8hPf$v(E?F=H8J%_=UKMiQLnsYuB2Wxh8?p
z+9`!;Y_d<alhNP|cJ~E*BL3MWmGsmbJvCA#03|Z|X)W+bsA%}nWb>?9l>gNc{RkJ1
zutFqJ+fW*}afy0)OP`e2J5oLcRoG-8569gaZEsFiBbU;^_Fd6<FRcd&Ey5NjnotQ!
zSZiuz)`R5EaJKcTL6u&X7U435BhLm5t{BagN1`J^^C>8c49QQ-(O+xqVn4nSeF)T}
zzUSd11LLHxqF~@X4Xj4b`@-Dx6LZ1TEACegZLQu4h-$J5@wP;>POcfmnBG?FGjkG9
zyg0J8jHk?5gO?JX_H<v0S?3A87TQL0e})%S-fTx~A)Oc_67!yR7HU^dZ$MdGB9Qj3
zS>4OR65y7K*F>T@CdHerH!@wJ+4%}MonKwOjl6L0?K;Ypu&#ix_^tF4=rg~2D##rm
z9MMgJppF^P3m(@y53V};2)*-tq3)lZ(=!i@uGf<$v>Ktf1KS~XgTd&EKsxOZvc_q9
zociEFVfBkm<Utp6l!lEk$63y)lJ~e5+rw4_-Fx$hFf-Iq*=Ip=v6v{>?`ic4%HtB-
zo_bBHWJD5!7Cwty8?Xp_+caR$-$W56yTMXsENByE(m+SwBLIhV$iUe}y`Q*KW-a<y
zy&2y(4cR_@Zv!yeI`Ww3RR~Q!B#hh793G!NRQLk@2B6RYYXshT&!z)scM@i!x9H0X
zXiBt632GY+bw3pcG2svqT<>9CxIOSr-Ff0ZZ}36!zSqFSB6HZnDEh|kIg1JNd;BET
z92c=i7DCE+PR^-4mvaEzELc5M4L6>33oRAJ^gQJWNazR(B%dUrk|e|@P}Q(N@A=Zt
zZrU;cgJx?uR*_+3uu1^?h6l_Aw`j!+sTOK?;tP2M_-v=CPa?`wv7~!DRxNil-m@ps
zKFNdI+Sb-iX^*_3#NVab2Auj*16<Y4Q)E?LLG{U(sK+5^$<5AGT*$AkqboCHDB+fb
z?!9bP$1R-)S%HlM<a9e~fGzfvhg*)Syfuvhub!A@a>=0x!jy;To!K*Q(zJ%CO)C!X
zYi9vIVc(xYy(}#1wKh3v&z>!2PP&};lczHhLvanc`QAGRvv2S}J1Z<_!Gb*FD1e^Q
zbgMz?T%cF-x@1LQwI2y9G_Bi8JiwD}dV9e5T;$+H`<aG}XxbG%G!4$9#2ul)quUKR
zliiV*SlG0VM0$0nr<}9mFA&=>)Y7*Mg1MSc2BkW%q)FeK5Y*x3^hSBR&lk~a@I7jH
z+?Ftvk}ZWJtdO}<0V+RTC&s%^)t?6UgLd4i0nmOC{;u*ksb~WvYZXjo<`aI@Z|&2y
zgw%u3Rc2k`>$&#9ZZsLg$&N9BRAe4vjM&U3cLIy|dQ%H^$doZq>M6$A<4IbEga)XZ
z!m47)a-lu0$Zai1pKje)%*x~(rEExTnKhMJYBt0&jpdttFYN*9-8p4Hz4Sv18!k#C
zEe&0sO%aC2k-f|Lq$vffnPxyl1?m?8J9x@&X|)hQW~GvHJq8cjYGF4IZtU=dI)u4#
zeG)*Q{gz6ntan^hwl-!994Lg)A8AddwN6IP5V!|Z&s}9=<3oz-o-sJq*eiTNE-pS)
zI4CmsX6dHXA-#Z%{DBBMC3G&C5Wnu|AXjdzm!*0PuMd>4N1mvh)ZJ4YuBTY@V2&Ka
zmyJmP>$$?_i~tYm=xQ+gy@e;bu~B(EPL``KS2&J8r&ma_UJc_eqVz%lvGlc6c_3bf
ztK+TFD*RCHpdCLc;Lp~JFeMO0J)M=>pp?s8`y5e|VhepaV6iGEr4y12J+FF*ALDy~
zpc2o6;c>SeDG52&*(|AuJA`Ty8^}QmiZq>cXB;)*qYWKMT2n3qb?teCB~y+x**nlW
zD!_8HBEIpCw0L!9r3N`1x*aH}j2Mt>fSLS>zq%t+F*hve151B#FMl`TTCRN&4)^#<
zCA>BW$Hs3GkHbzuCJek~kfh(neUk7#n{Y6{S%r?UnpAK_z*NR}`u08Xle>5VEf8}6
zy590EoLdDu!`uQ*GAp5lW1R-1ae?|dgh^L1AUYC)V&PWyJD*54$E7JPba=FY+ZTYA
z`Vv;`J=?bHT1`7AaXEXyyF|nzG;H<i9_b@j<k5O077k&QkewyqX-d%8MZWbmhT-}l
zD{lXyA()V@j(V78Zn)B+g@n|Nq4eyDD_{wQ<`$En^EVBj?Red@z|{jaI8#`9i(vJ&
zWrelPuslCDSLX1rl!N8~MtRZc2B^Bv%pP}NEuhwW<l|xN`$$jj)=^23?a*@jPO*%p
zc4?X*6y2e3$#E`AcG(Mq&>f$^q5{*b>>H6BpLd-KVT1)5RM{4_lAw!bx84p7?JO8q
z%+F@y9*>A(mm^q3$<9wAEL6jL>FxET6TU%3WIt}3)G<Zb*N2m>TpIE4;*$vZY|J+p
z3z*JZy6p%RPn^2^>XNQ2f=XEZUD@*?(sw{GT%pi~qvg%dn@V2B^`;RsG-YNaz3nN0
zeymw-K&+TfRqo{F!W!jmw7mdMx1b`1${x{_u$ND@nHwHIPUm=NAjT1?oE#LjxceMr
zw3k-~214yN0G@`XsPete4zvK!q~0=-M`JSTKdp&SgJDs8RIc#u(Yx3z?IDj)V%(Em
z9F?i17&iE%LO)xyL@q(;*+Ow!hDTnJGrfFpoh0Kb*oXHtm!0=?{5=%6Ol)|~%XRMS
z$k?m+q^~@TCluEoQxVXm<ncm`l3eCENj1h~l(aU%0A)?mb&HqO@U4K=5g;iagFJQ&
zL1?6E;-#5-XNUuC>AF)`EW*gFoHQGu<$*x5_zYOV?E!WlcbcQraliOEtev)+rV_aq
z4N1DvxvLf_rM=~$gn9TXRC^V0@qLnEpUv8A*WpzhQ%DxEl7*L1L1NJ`1x{}{a(F0<
zIK%NPE+!X6VLS(mvPj(s2LnL?SA9S?jiwFaVapP!U6_^yYV5rA!q6#gCHD;2_jTwX
zbCEd(+Cy6o6qb_361->QJGO5gklcn(yHzwQk>aa69t4V2UpAUG3<q|xP9ae1nam0C
z5bPpQ@77;*JoI+n0(8fE$1d-w3IWc5bZ~USvte|8r)>O)AAQo{-)CAg9O*q7%!e5~
zDEfE|9fy+kAbtH!pd%f@4&mXm+B2p)PKCV(YR$&4T&lh28Jfc(OvgF}mN;{ynpG$e
z`WdbTA6Zy#@{0#5NKOGN!&W7-X`z?zL~q<f>qSuyMm;8!oKR~+DtarxG@wFE3)D#V
zAcl4xKCKv&G361O3ZHl}TyQ&@4nkKy=Lvmd?r4VZ7KDt39b|PeK(tU_0BcW=K)f65
z_JI5*#6JmPnvjBu%%OBgoz(#yJXZi0kQ#4%NbhtbQMn{3XGP9g2DaH9_5=)IxJdR<
zH{^jp_h7B8h!ionExfV1aAYMihc-q|40-4Fpmdjp&+trr=AoSsJf|8?@Oei>^>$-w
z0OdU^W&xWKIL><XtYtRRvqmX>wl@Kn%dNeF?4-bJi%spdo-aEzykC@1zqJ;&fu%em
z#Z--IdNnYII@CsK7e1D<r|Br){UbhGIlPCkjNp{d#9uwo13?Z?&02f=CMBx$TvqGF
zdg9qpC%{~#Jf)@{s+;xFcSSe`4bF$i=p~v$16+=sExS#z#aIJiUW%gTI?1Es%?#l!
z{j5qYTi+BuRLN7R_vF2C(3zEcZX;~mc40wH5gY1Sw&H|q?MqLbQ7S@9)NF!uvc-yz
zXwr>a0Rc5(evvYV*X5AK4xP+3rFfw^S<Elk76T5rvCNAwR^a@L6ol_RcR6lU&Mc4~
zz6oi-2s5D9vB*=F(nEN$as2|vP*Go1_OyY*xRavHLwxMH38KvpdM?b&{dCa=(Pu?~
z)I~0s44%>84SL1eI#T5#*uvbbfieS@;c4H#C6dnKBBlUI(T#WqzDpih8AS7<dGfYQ
z&RW9+y41#rIuuR&X^khvp#ie-6+~j{avO@@&sluNEGOAtXK7mY4n|))JZ}=!c?`S+
z2pvAC34;1b3x2luOWhrMld7soMBw<eFjAPBwxcrMK^)E=u3aNHN96N;nBA1(F%Utf
z6w1$!LrJ*Ax?mqrU=2B$v5J;1jMpaiB=}1<c1KNr@LaBsuNdsi>{4#CpKC}{-ZKp&
zAn`Vf$5&58o0TTI((4d7w*vT8rf+&(MZfb^d(;af)Gs!D!`?B6BCRuQtYtI>sQeDW
zq64F)qiM8=JP48#3fO_cJi<kg4C70E%ojSJ#L)MAUiI>@-a#}N_HyTC(7r9>UQaz4
zr*tvq_kh)B_ibTUTZv?&fEkzGKAT!#?I+^2qqfBN+Mc*fmO#v5IV*zblPCJ9sBrr!
zFFHKGCVpnEMVY`N@wSKA0`oNQbu}fTYF7Fvd5f)q9Tcn^Smy=yyjN3!vOu8=7%-y4
zJU+7sC8fY-&K|~%6OWr{hgtR~H6dptNb+=Fp1K4hJvFrI=Tx^rWFASndw@0TG~d*G
zwtPah148s}C3w66fvL|rr*=XVF@^9JM&G)iA8I>z7KIs!gy&MIJER#aSX%g5b6>B+
zkl@y~x(lFOWSwnh<vz9WbLx^Hos}lO_mVFzgkN#%J&+RC*L0p<)6)5(?M3Z)@2h<7
zVW5=jk6x$Ftei;0KFW~6rJzoES5MR5RY#B8(Ll%Adp^tXIG5;Vh~j4+BPaF@VKTCA
z=kuH1K^$aHwB3D9)G{nDP;7K$Kgr?G<{z)@5~{J^+jvnprf9=h&j`BKI>lNq-#v&o
z&lE*%*<-u)ord~8&^Ko==dAf`pbeQ>OMtvsf?+7OEbSsCFLI>sJ+vp4+ffDhdiPH9
zVWl+og3E1%LuEyu#Sw}x@Sd&mQZ)OR{~6-EGh8@%UUto>;F8Oppl}!Ev(0*eIkDA{
zQrgVkReq`x!;g|4tM|`-lLa>nE&*b1^b{G0Y2xxS?)o;(#UeHR)LH@_!6!ZMGX`uv
zSm!SE;-p87+pXOLWiFhLW3s44qpx+EJuyx?AiK^q_hOUn(H)n(JsZ|7>wS0Fk;T=B
z(RW%K+`voV=FBV&S&nSAQV2b*ddKIHSTn7OyJPPJUe_80Xh0Q(q#IQ%-%{_!YOD3b
zDc>6#SMEbNe{ielYr#6n(<z-g7tBZRG~`u+113_u9v@rPxxC*C$r0p70Mp_3I-f%i
zy`lHQjE#g!B+POpU89l=Jig6MzL)c2BW3#p>{KU`)Sl@uJL6iFsm~jD-Tc@mkuCs%
zlsDx%uVzUsrs%Z9FAzt9N6z93<d!9L`O@Kz&J+g=Rty|Kq!GP^SGcE?L4*{?I*N*;
zCLp_+grKXYCaK?zyXaK!qA@ZhsRf2lo-=@Dl(e8A=Dsl1wxFaC0(O7zZS5^NiC!_!
zBZbG&mBty*Vi%y5e^K<}b#;`!*yr1lW2`T?qJ8JypX-2m>=E!;IeNbLNs)d=17|IM
zB`DAI6#4c&%eT;cTz&+BknNEiW+2j`Ff=k$Mm3(@hLQm+Ojxc4oDXqk;i-;zN|=Tk
zWh&%|TlsUGeN`z!iTcDW%tHXTg-0G#z;nW5DyTshDR}$*`NetP#@2Ws)`pm4n#5R6
z7`-$Enp!b6)3R2kYL1GM#Q?D-QV~jtc#TuVC2ek)h$q4Zi11#^Pm=7;lROIv>>*I@
z@m_hrBY&l6#KuHPbq3gReS7^)(q~BMHuIM+kkYawhm|0+C@S5+tcSatl{Kg1cskw*
z?wk-7q2eBbA7MgLxQK;g!wUCm?>wnFb86fpfT5@?#~FPJ;u`vPvaGkJYTM+-f&>)K
zCaGMwsK7(qFX6mVxAlb=z80C@WtJ|^z|ru1!@*g;zS-a;=Q&%ui=lH538Vp0?XB=5
z?aU{9K8sx?7Jt&Phx2~#(*$~IvtCsuxZ?4$zC0ng7%zEivFwIfomN#;x$;SqeZ~b-
zj(UoBM+QYtBpV0wdd(@`%T3t;x2=~PTcK6bT$u;!>g_^0{NP<YkhNH|x@@^Ck2(yo
z65>T0emKU&%|M$5&Tcd#>jt9nvS*TYB(XdsGf}rw5dc9zzQ0~Osk<<>*DYE=$#mS?
zmfMiZ9k#_Gw^~DZjE5`hy9iSKXoqd=6|PA5tHXx4)x=BWJ+9Ep%^gij41q+#-|vZ{
zw1l{w?nQuk8!JO4JCRil_#P&WT0N2m@!9((%D;m{sUTk~7DHd9_`I=oxOjt4JRqPC
z$DweJRvp}@72$<MC5$+axcqrf7UVYcvG()FvL&<=e`@Qsl&n>Y4$GyfWm)gWc~YP=
z$$bx9Ra&fT_f^%i%h!44_jXnEwu$Zb?N;R_fiCV*4eY*L!y4EqI(Zj3nR9qsHwH}X
zILcbaJY8I8dWCO^^A1maho|~XIx3>|NPpind!c<Ei!i{vRUVZHq?k>61S_QwQ^ivI
zm<p-BsfzCiA@Rmuoy_cek5uM0y!kVFyyNB9bxJgO{O}gFLLcL4zd1Zp7=A~gTVWGE
zqL3rxdfRV$(dZpP$-A*R!FhGamNP2a4)XL0>jZU_cAY9Sf&yXhb)%QT@wtYR>Gjon
z3)}LvsX6+_cLRanT`(|+*CU~)bgu2hTPStUakVVEIe`dWLW)&<z1Y~PM&SA8j@$q>
zTfDc%^)v4QdFcH4M}%t}73GVde6f3$g$#aAw9VTgYO>wG$RhX*6R$6k%mWxmPxW@@
zA=?x2S}buH;FcDd?0Bp=N3Qc~ING`#*mk%`t-zX}D(QPM&@BZs)JKG8`<ma2e6<nb
zGBmPkbw@$WVl$g1SzS*tj+0ZYs4vJ9h_=Yow6)Jc)C1sM=bML{+BA^QJlYiGtjgJE
z+_^Z1SAlHJr20t79UnPFwB21u;cE!lM23ZmU{6`1Yatal3H(JDIxaEbDMg9~8CKbY
zVJaN1A;~VZ*vPHDaDdo(-*kP(is4o13hGM>RXWXk!K0xG)_qKwIo*2)y2k4hrxy?e
zv8skLx?yha{bH{I+zJi0k276|<_#vO<icKi&^uNcH7)LnrP>bko6v!JJiE?D){((=
zqMcN<5;>JF8Y)lIQ9$k5(i}LHVqQES6k978CmpQwbtJaRGA3lCo6I*tXzyLPPwCCU
zlNSRwog6&M(MFMHs2lB7`TS?V=mE4MjZ{``^O)%E+~eJ7787(#@JFg+o<KfjpM>FO
z!0<=i;w<olLy5-DaBUe~IjP*GMH4EOre0I>(GAjCsKT@nNGC<YG^E?qn^xL=mJg>`
zD`tu*xFY*i=GvUJt`Xp(ouOrkE>h<_)7lpbo<k$R5Nq>%Xngivif41*=I!qDhK${I
zf8on}EqL;V0mjK^rn_RGKxcq3Df*;KiUc%JYReNb!pqBD7cR=uVZ$acZ2-yOBF)f#
zQI<^(Nr)YuV5iqrhH)gYypmc;9h}Y_rX9!lZ0nOU`ivUduOPuN#CXN%xhih>Z7q|E
z;YDJnBM&RPFy@libA=;rPEOCpCIR4=s<1SMi#nX$uP%BCrS(t>8?J55hKCHrR&_FZ
zw}ZsbkLqH9>SYI8@Qg0SGT6?th9t}>cTK~!>XjKd@)o}6qzu$Rtlbwt{jAM_R%0K?
zEjPU05+Smn6al_;iZd`WB2pzh>*t=P;SHmaDT=jmY(L*wlfMoIPx8{C=*~13KJSN>
z(=*kW`8MJ?rtZ?c`6P`$Lx*75R9P?GZ9TFK?7kI3zj<)6P`30;bY4H}5m8V8uW7PD
zeE`86pf_<0dpGmk0f+`1QG_4m@s;)nt5KF+NpW&@?Xz0E;UqHeTu-@CY<$dT!vbnD
zL+HTvv~xPe9x@yt0RX*Levk#-)MxLA_^HP6+W?3?+KT7Iqg0F!>|W*5!^GWws1MiQ
zm>F3~tUWDHHLSg0J&;-_Fp0}wwDClSMe&;_qOsWF12L^Mz>3;Hg8eYP0+8JV4)>F`
z2cP!H5;4IiqPR|21DMZ<U90Kt?bW>8Q5bQ;^_RK!#=#IM9N}ci_59FOu!n3CtZ?hG
z)0w;;>=05n=Nt$kI1wO!zy|Z;)fO7kBZAYs-oR~7I1ysJP@%`X(#y}IjLcB`UT&pL
zPZIP{WJbCK0g~{=^O<-Yl9jRSLNz!FGikXp4Nr=kCjoS^E62GTnSzp0rbL7pq?LRI
z0`aNDPm}bSj>CnE*GSJ&Z4@#7jKGvy+YYzw6mb+;IE&$%xbGuKZPW>A$4HutsLUYl
zDOXqwsH;TV0cnHR=F3CHamlAN4*LWiY~VdqX|UIivsIBD7%{zTN21&J^%L}U=%F^x
z!p=I?x^vzvP6vE00u06oAuxZ|ORgQ9xV;_}tL)OUT&0_y)^Mex%(P6fhTU)LDJ7-S
zQr&_dbms)GV(pa7K$&YAd6udk*n*f2dUQ}-ToFv?i)<PW(Rs!$OTValx|5_t^P&Qu
z*Mm~P*CzSEbt`6`Jvf+=!0Z$*`lL=iBT1*}a3V=aI+{8u8i4w9HIZk->nG4e2p4$)
z+OXCuQ12<A>#e~P%UHKqi<>u?>fQ#)&seejStZP9rckhMp09XfEuA#B!CL}+I;@&o
z?83DZvr&5+qLJ;Hn`{|Zh8&5BX(MgV6(oK3io#rDYiA5cQBo#}U+5q%VpbKB7J*(u
znuYD!ETV-g;Gdn*^q!eC-Qts+)SATZV$wQ&?`NL0zC^ZAZ;s7G5@vX>oK&g;cpJ5S
z&`SI85VYkxPwHnlIn#2PR(pg%GWs?cLI=l?$|}#U0MJkmXqbyop{d=e8DS4O#k8<#
z820?k_k8G{3V<O*<^-R;u2>tZJ?oHw^*k<8YmY{mB6ei&C(hjA-7lYEngbc}-fMd=
zUAWI7p-I$d-i~-uhrZ{a_Xy$juCS7?)SQ)aK{5LV<1&_8(<^-1I`BY2M6GvELSZfz
zh`OG}yf(LcUCAx)C1wX+$o;fUV`#!yjEQ0EvQ*ADGa~D6x`0^stli0rlDMPdlRl$Q
z+m!N-2BuA|9%H_1H}tEb6ySWDeulG&Xo?=E@fhC0o%*^`I);^VgqXb8qsJ*^aZUQP
z<~2Z+4(@CnJ!8kPta=?mr-jo|>47H(Zjs$1sfDhA8QeCIKI|7#%F#Hv^}Juxp>&^A
zjDVjrb2H7Fn`1q6fg{Cok$$z+jU>qqEpG&{Ww-`xwS*7|QNewM$5fmPP;n{62h98+
zkU%qQB!3RziVb-65)h6t27|kFSV7qYLm)Bzf`y|tna<xPeiG>LNg(!3Q(AY~F=O%2
z?%lEN^PIShHuvV^CV&Mro`_Ih?CK0w;v#(;1RO8-dDUx9sS3TT_Jb8Zh9wHooUA5O
zIk78KTzs}&=b|ReQ@R4}iRbYcA>-|wgU)!TCM-T|xU`PT)z(~<L+{{pp;%oh5v~(C
zl3H4a40ozwJA886wZ-$ECHLE>O(^ubMS4c*gfJ^8z0#;WEJFK56&YiASz*Wiq7a`1
zyf+t3db0H3G_`^qj9=&YE0v(@(BPSg3w!%b;b(Mt`-CbVA=z|?=-xX&mKpUfBDpdy
zskX&!Ne{0|3Pw?0dzW`yYK-sb;r5GrX`r}V1B9IGq?N@EhllSn%M12qMsBd`1sl6?
zf**qjkEBR<RXGaJK7)4@om8`X@GzeGg3JhtSa&-#WGDtyb-yv&z9VeantQHKVjkIr
z>q9tqPKT80W@>_iXI>Q<mPmRn7xD!6!BJ2?#TN_%^4bNn2Qa#S8tImF1E4W+xZrUp
z>|`@5fFJ~V%r(5C=zKl1QvLl7LqGdqx~SotP0mH6-tC4ZXGH|6;fYdU2)uBI7xvs-
zEw$g%QUJHhj)bG@_T{3tVf%=mRB*}Jum(EC@Ok&VD%OWsF4x55ThM}CjDlz23OP(q
zdqIiQr@gpeT!^1*!1=N(tl<_FK8uvzgyQqs8@KE{VWr2ix!omn?21;cElsUU8k>Vx
zqp|UDUJe1$B()S__0@&%OS3G>!{eJ|Vm^2}?1$4o$M)0*^ZX$P+_ULt^XmGL;rawy
zj^+hkU?a1=UI~>i8X3ONIsyJHS1s(Sp|n^>SKJ%Y9*>cjd#6C@SP%<sI>kGwRC$TQ
zs^yDC?&I$S&FO)Yg-M!n^^>-O$FQCvG54OkfGj|?@?^w2e8Bg>LY#nmt904MqvNG)
z_9<{Alb!aPs<xzLunE&lj(wP?!bXp;34Ja#>&-Y?X>!<{bZQ`228LV24n5b0rCg7?
zUQ^V~SeRso?p%|-Y*89`_F93TC7AcVCRzVUq)Qd=g!gms@l$If>OhQ^w<?c|V#R9S
zm2|b6w|x?cpTXvIq^Y!nL*BKLDNqCS>x{JF9i$>d<Ab7(f_*8$!QrVYtF{^gg>+^6
zdW(eD!FjN^j9xa_0mMPPeRMQ>gcQ$X{psc%7(n{GC%pHBlXs@k?}4{jI+KZ_T~@zM
zPIBf<;|JQXp-QG;G3@KhE*xpF7_VCdIWwPFYXm#rU;q@ZQO%XJ4Bjwdu~j<Aivsg}
zu?dbsu91P>DRxrwb`1C3aJDq4QT)D%mknfBFd;5n2g`*)_2UGnb&ApAMz(or%SH8V
ztxTU0r_V*Huy#B=Xw+shk7u{Y>FE>QFk;fFo{~PkB9H6@T=hvA2@hRPMHLn=Ff4{Q
zn#BX?@m{UKi;;z;D#yq^wNwB_MDSQOHDns28JF6buA<TRLZ_fRC`7VeEAczrO?pQo
z_?(ZHAohtzT?ocy3)UM@Tn9vwRgiNCuF?prM&%Jf3B7$;)|cy7kpZXS@Em%fiQ)#;
z<U!P!JIk9qMx_UR3wgm?zsR(nMsq5TYuGJ3w>M$!4uX9M0>0oTmuQ^*u-o^W%<nx-
z_A+J_BrTI#yf<_viy{#&Q^xXI|DZsh_Gj>jualvS87GRlUp^)^=fTcgtao6buy<j;
z&z{yn+cNYh!h;&wCVN^GuDoT3z+01wuO9`bgOuiLCw#;p`VvH}+7M`=hIfb!gM`i=
z%jg?I*rm*Caj6a9%ZH1h-U2r=!fHV}X9=>LkNUt?Mel-UjSE=&yf8exp^Kl0H8fJw
zc=_8vbj*8d)g~E(KV#3z2zb6V2>=Y<h=f-@&YtMAbKQ?|EsxPDpUvneo%|VlV0<8Q
z2jdWsL!(#Lwt~(%2_o0Dma$Eqzqc8P+FKk+v{eegfL7H<Dk7Jv^w0&}ru?9bMPGSg
zgVw3bJUb@Wog^q{7C(s?g7>Np#QCy(%+KZBLP{t)6GO|Mue?WU0-HzOZz+ar2H4j4
zjVm|Rgn86!dJLh+ex^oEOpI^u=2`{$ku6P{25JdC59V4%+LD=leFhHiio~<!%4x(0
z9L=)zo{0k5-N{e0jYpMU;>jXMxd*ls=NDnffa_+LOk+SYCqji=pM<{mX|_zPWjtG^
zN_BiZnc|0R#p0EUAPRf-M9d|l_NIU(L3INR-UUTXs7LQXFW01G-+K<#TRsqjP!OKu
z0x(euhI7q{FHhS{5XW&j)BU}0ZLUqdr*W}B7_Wm|y+=+^pOUDB-@&67@){q%n%jxX
zE)FQL;YS-m!Mbqnbpz}E5@t#*2IN`yY%BXCmwfUl22rwYh$Rh;9s%LtG>bkwImqYh
z@5xk(uXa)U<}XSq=t0JYvAb7zayn};yU08o&nj(p&{WdqIrP*1q*OkmP;uOrlk?`Z
z@;dq}!8yt0n}?b08Ol{qi#_0(;%eg)2(21KxW@FD74+$;$e;0oq`&oPm<1_)7~A}!
zGvYl53?9G^5|ZO9p580)yw)L&XEjwfE*N~mC7=+k_#i-9I8|Lse1(%SQmjIW8Fw}u
zU*z#DBYHZ<<Qr21O?dR`Ee-`j!47Gj;-J7**Ha0ZN2&=mb}Cr;Y@qGXqLW;n0N4br
zKa6>Pb2au}?=Mm#56uf_xc54g$dWwJq)Kt(w4hjM%;B9Z*yfY@Bvn5{QHJx#I{|j!
z^|pw(w^OxF8{qFA5kAgfnwjZmiB?c1`qGXqBL>WMBcACaABsOKYz#}Ix-8^Jjg)Zx
z%<aYiZ7db-!HdnuC1!ydd-jZKswN&zm(#UzW<N>KcpXPI{LD`AhRZ?^D6yRMCE;tm
zO?zb^SVY=J1QFZj&iRzexioL)0R%lSPhvX-xs?RJwefnwgpY8mQmw`yp#Wy;;#FqZ
zvBb#WZX(E$Pv6gYbn>{~JmSr4S7xu$@m6%q(P>B$V-Dfou`Oq_<8N9&<I%psMh{C!
zSM3#j%2M`-=t4v5sO|K@jQQA7cB(FxV(X(S;7t?O%#|=l+^BnL^@Mkp@xtn9%E6vs
zf?-l|pwFQe3JFFoo9V^jPS$HmHfyG!4SnD&F|5e`-pCdQ0{}UX<nRMbMlYlreD=x}
z>8MKJO4BPAh*RF!%#!!x(Q%j8K7URt!O|Gvh*Q^Y8w+5x0bB0s*lj{#_|C69sbkzl
zE$1ri?Gi{vos~cTnR~4sSnO_0EZ-yu?n38ds5b|Q1EPx5nD?G0x;1?gYx-%z2rXg6
z%hNfdV>0J9kSGpojLaEj1JD(+jd3E+fQ*T2O;EfL&!KejQEQqDqq|PPvjSfcT$5E&
zTnlqy)iIz~V?EKwL=&|(VppmN8b{But;!^N4C@tZCsos&4kwdeZcRl<hQ&)CBNW*Y
z!NhZGhdKp`dVFpA0-(?no8H5-=Vp)l{H>^*;`t11ua<Uqy!YS*hGpgnZ;)Q?a$Tp_
ziu<<NQ4As0dd#91%IQxlb{hsH=*WDbPX$ub7&f9^&#q?bZTe_EN7;Q__ergPMy4sm
zQ;5n+E9g{yL0UK?9PM2>NiWpKa^_9A>6tZ+L&Lr4y&6M8dCtb-WFXy1FQkU@v7z4T
z+aVp0=qphzW_>j;cEQkUCLCb~-}vP?Ox5)3ykhHCxPn_shpQ(K%R6HvruT^%d&cni
z>BBs4zR^iknnt|_%xodcmp~%*h8P=a1@66rDJVnE1D;U7wS!aK0jJj@{Ypqhp5NAJ
z=19x#obujU@bhSn@*9dlc)$DXQw(Ma4y)$P9*w$t2m~z7>@*v^-ESPGuimxbcb|>#
z@U%7WF#TP7q3nA?DX#`-G?w9&9h0JF&IAZsupwyfTk_c$&n%$9sOF`c#Zf_#SPFf@
z`=&A;8zjD|DjJ-(1Vjw98?Xe<gnK<M<T)PublN#KV@}aGo#Um}9fPkKY2`v=RL`pw
znp6^B+It(CNl5QKihHpqUC(vwj-|7)vdcEa5aYe-F3RF(0P|>Yi@juowc;5+&nLdK
zJgqglEzb%II#-IsYFX2e-XbV88r=QN#!yXxU~Nk>@16HL=R+x+l{xlQ!!Qj6HKj5P
z`nKf<pD{|ZQ#64S+5FWslg9+>JBy`sX(TeO7Zo%GIhpSWbOgwckWbB<1z{2KV)`{U
zo|k49TIxg2Br*kSL20ElW=E@(HKlH~=W7e2Zq(s#jJTtU3(>Ybl+lF&(xEO@diI5k
zK|byGTwFn}yLP~}sh;#+C=WBmo7ynYLe3*PEbG@J34nduBzTqRYecP!{R&Yv(CeMv
z^9(P2#SM1tn)+ARz;np5n78^+N(c`7`5QGU{6%m*7k#gp$hpV?EzUX&9}655XWv*q
zNqSbtr9B1qP4H)+O3579r%#iqUHUrP_<*j30S?3IvWkw-V#yhJ-!qp7@p`UZ9wV$Y
zoI(Wm-pLz(qxF=DCm3=HtkEQ*SV}++V$EN5O1Lbb5s6vYm9V~8+A!k1L3Nd8ENLD=
z<Pxufy7nNrteFJYF=1QPF^B<y8hisC3T}KTdO1=&><@abr=wQ$1Y?SnlI$LMXckE~
z$AyN!Q2|A47)b_)k>bQUbj_MaAu8_0CEgRy!(b@fOhMsiW@dl#=tb-eF+0vyPawS(
zj($*=1}kXfaH0u8u=q(ae(#{Pt5$8}WtbE2=4gXhVoE{yGp|>#Yfmz4gWLDfi5MBO
zm|Ro3KVckGqVsbLc1xE?heOx{GVmThd&pVrlGiMz<`rVzuyy)y4@?u2;qXk@Vq>}}
z-KAzIBtUi@8c;ozG9+ve`jBR5ymz1KleU$_ho=imocWxxR#dT3S7Q&CoDG+jSeqp(
z-v%{_lBSj2A)ju(+yGtdTU6da!zerx$k47?x#|#}STXG()VvO0;-5x6NXzc8+WP`c
z2F-juIWrMsUwW9apO0f9nODE(pCr>~$U1Bx?=$0Ydj>XdJVz@0tj$nk7D^1==ZLvz
z+Ea>gCuQnU;7pwQYUQw%kDYcjz<b4Y_Nto41}%J%-5?6aWUVE5xVxvZ2-?tIz15(c
zaf0k6rFqhQxddkG<`&A&P#qK!m9{&**&EZH1!|P5gai4V0o=Tt83~Cc5oViA&}vr}
zzpSpkxsq!4Fz4~d4W2oz{Z5<pR1QVg1v?Th(Do&(mE;7E+jFGESxu|p9^srYV){w5
zCqE~B^BkVcdrrr<0MwXxtn=nzWS?EOAW2)iZ@cEtxD^w}Y1<=M4^PGD1_s=588~3B
z%pn3N*QU6hDF*U0^wkSDM_75J7;~9c0@9{sEYSLx#_O<eYYsu90+Qum;C0O*L&02|
zo7~H{N<HN(B$+eT>yLyWpHnvaLA*y}&LFogX>U2!6!JOSbK0SMY%|D3+X#>H`eL@H
zdEIOU?jC~XAf%8G!ypC$(@RH)H_14grO!0;(Gj#if85vD;`071g@tN{?ZJ#Dss-iJ
zxE`WDtTMFzNwm7k)7P5BP_Is3C39WalNcPL$t#QnzgITd3v~BM^!pB8XyNWg&oQoY
zI4^^2Sj;R`6;{)+g(iH1fk|;BUpf=h>6v)&8-YycyI6vhAf4OF>=!~Y0J;^#Ex7{E
zcjUe8XSib+xN}cgnVp^91&V1Duew9LR;L0&!IfRW6@+?>?XHq{URru|5?wk-F=?@3
ztwZIP+B(Unz!)(!Se+%$)F~Z%v`^(!1d)&f$Gp0UOKM<)Xj{kY!a9W3-wb)~1w>Xd
z?o<F5`PDUZnF04iD4`@GvHzkPW0-qbULt2vz6bB2yc$<IMBDRpx2pj$NYB^l@J+RU
zQf<1&LNE+v`8=Y$VPsiipR}My&LF@(u6+~<bj7oB_s(x%EhbbsyVIzLqT`8EVNg(t
zSW6+JP}rdQRms~}+8$(wXeznh2;XTH19`IeBBs`^?9H<tI~FG{LMo6tK1qwt<VW;w
zMh%8pt_wj=Ca5`{-h0D&UAeRmvqj$cs!1F(m1(U<0@KSxYI#nBo4o5WJ1<y|mm3@&
z>j}ptvaP+=VfLsw$tPg1pH*8C6vXofma5|-OZSWHeeAgpg`aXUbMCtpt3yTsX>WKb
z{E{OH#2$+5i%+uUJB-Z{3SGW?EY@xhg<{5R%{fSh$8<v~FRA2FQZpY94x$Z8^gZKq
zVgwew-PZvbD<Erde)L>IMOnQPf*mjE$(A;cDIY`dL3>mft!fF6!~>l;z}y5oFD^yt
z?6>;{<mA!Xz+^ocweIfWRM76)V%)?_1CUBEG+l+svN1n(ggtP*M+d$Va<ENkY*gW4
z(5*};rW4f5e%2h854ds?<@pdu^W$uY*-lp`VdLg9oj4{SzfIp_5|m$bKY13~Mi{MU
z>n`APjjZbBXwM0;22jUeNl<XTC!cidXDs7IVS#ZQ-70C%iI_)%(zj^g5X^1qr{z_3
zkjh5hdznKZq{Iz15{%A)Ncmiuueb@|E!c~8%ZEjpUeDu+a17o(%vYrGlx{GhZhM}v
zJrg~V3`E@^2+odpg1J|e7dK3!V<%T_XDJUxAgm#DtGPIhP#(^Labh>n*%e%21(RJt
zA)$A^=y+~f!l6o($hq>g!?I>iOOzdE(f}!){Xt-<iVkFv(XeuFnxpcasq_qT78-lS
zgF)@wUxfFfc<$&9cg%ZCOOGheheWdQ*uzgxN?H=1xd`<q;YQ#0VIM6h6YCP8+6VDq
zdjTN!xS%8$tnmq|>tPZZP!Ku5h*z(rvNjsot~_hNB7A1C9)1lg3g@|YinaH~WHU9i
zg78MmSOyJ+Wn*VZtud$~+@akf%n$(xARuHsEg##GIKs<^DIhC*hAWCZGX&rma?oOL
zwUTciKtx|6>dIl#rKe89tDLU4G%_&Dc+<}TJg}dbV?t(I2Uv-YGG3?jdQs0R!5|Kr
z*-l(4@Sn;o-b{;$UyodldH<ZR6OwR3Rv#R4k*Lt~xAa~u78`FAC`75tUhi`R%TLPv
zGphN}EFTnGD!X)maX3h!0f-$0_CQ-gbqLCXBTY$@;?;P{Sf#H`S$2m}Pms|!#%Gb+
zASo;1B|c|$kz?8CAmnAH1BvTNT=J~Fd^BMoiXINv2AiQmcfM5%9)J{-X^NmOyS9gu
zooM(NCnLI7&&=bHVkuktRO-PPFtGFxx>N;gI|0z-c~_IAWvs|6Pz+Uu_cZk&@l~S8
z4(Wu{C|MbSG#Cv~DNMnQ?TbwiZ(67%pvgO!4P1ZHXYuo$r*|Ps92CgXT|9i<3$r@Z
z^#-KCSzZ%jq#Hl#{3iV~wDr?hH92I`0@D-DrILeyQE}&zxQ6Xu#{{p6ItZs3uX?=Y
z`iZOO#-2-QM>$s|rKA%P;EuYuZp${=6}ec-VA4Pg1fm?#baUJ)o-9_vovzo*uGczg
z&ui`Yz&VVA<K5Y%FUQ&0`b*|!S9OyHtS%(wjt4S<0lu+N0&7p=vPyZpwW^HAm!ES(
zM2S>0+(FQtdTGwi%`+QiG3YoE6n}QCORo~jKtv1~dRuHO2M3BV*?a>%-Y)5K!uv%#
z%*>!rA1EK3fRvzb`ILzmynE7NEatGy>ERi~pR~tkeDm^Aukti8rdu*{lvGdbXvt)(
zhqKfEg4a|?1_zLbxwj^kFr_MFiWD_W(;Mvi9^%PqwVo}MSazCslLe$+l!v=`cC<yI
z${oE`RWo5+juWF=8OJRqeL@c%5#^Z7fyC-6a<?@PDUW=`t+PQrF)4&gB1awWH9aX>
z-ex_Ccra{>!&B^wyi*h<4fo)k-npH_wbxn_$sN&EMSE%C7&Ek(KNxz|CIwm!!!SAO
zpz_`bLZ0?Bmv!Q7UZ|f#niz*w;rTN}eYo-NA)kz~h*oH&^exI6gpe!geDBExK7*VV
zpc}$_daS<o2oI~F`$TD?(I5NMYM=1Ijyjtdy{_kV&2`SjI`8$n41NrGCOsHXv#e<s
zbgp*d>A(Rn=YWm^>~CDg37HOw0W_O(E5#Qmf$diFYE-t<`n@ol;c0vKymT$GZlwE7
zAH97ev_UoRiTLw<L0+)gUiM6Hxf^(0Df7+Udj?atqqEQVAsh*WKDX^_rX(Y?;}ak*
zGLoEqiiIrV9wIN@Sv&fKYfSCL*hU2X?IvdN3GWPqX+M|WtC-X5M;<pq_(&NUoZ%+l
zqym<E;khtxHdq3)Pkd63-;pkaU(z#tHLsSf-IFH~oOaSWYfxS@#8{0QO!tIj3X8;h
z${?N;X90|(+nI4{GDwIUEK%#E8fnokvgzY7!`{@UI5V&fy|G~u_Lw#jYjZ)VXAF04
zZk|5GsEySa^t7}a>xCr*J!mh;x@Ra$ozM5;p1f%S?obs~;W9FC7Uc82a@`j#$W<m@
zTp)Byc-SCS%*}=rquq{&xu-e(q+s32(iv{$NuSt2h&WIq+7Ne_$R_!PG>kW0v?M($
z=AZNW;gfzsNF3zx)(-ovkdZ%w^P~wy!RHzguvhEE^hrK_hC8qTZ8r)lSIfF5rW?oI
zc1}lBC@-(;D7b<#4hzKJq~?PrE2f3QvU^DV4$J8|tU(5`6w)>s1f(Q0nj}?`kLUC=
z>Aht>bKvt{vQQ&5c08a}ORjhR((tf_$QPP&!jO$mPmPq`^`;MIoC_LU4#Oo>4GFL`
z*TYmanWq-vHApC@$F6$9{_LVpeUF!}N?vuun<WM+r)b$t_3iiYy7I;bHTT`d-G$cy
ztW;BuyqUnexXCwTR@x>n14Cr+Dsz5jd-h&KfDPJxrPA$;fs&woO$ZnPUFwSf?`#9m
z=6%!uy_<92coiTos|h{kG|DUa@xwCf86jVDg_YUsOpAh!d_p;|oH7}-)}OF$S?_c$
zh>w-O)ZBB@0`l?%GAxa3R*(#3*^HA-$TWcCEpwJ?d5Ty;6#5vTLwIlP1um;uQ*SLe
z(S~Rb>SHdTR_~X@B-DJdD3}kmUMQ1TnezhsX}yt-Lxgif6>3X;kygFa)!lkDU?f!m
z+>N1?rfr%ThmaUhIEd;IT$yp#p@}L&sAl}cYul(`IXaFS3EBKM>#ga}yIPHMr@zVe
zYH=MnsAZw4s>FL;k6|{`5u<z(xj{b#z~B2i4~evWmAP&&$Q_yWfg#3Q3Jx<mf+=f8
zF)$Ce7O|$(k*rl8A=o{het{aaxP;Z?4mn$=T=fXK1U&2#KuC1wVTlHu`3bp5`vj`z
zD^<N-nxuN7V`*!RmL*45xEoLwtKo*Up=>DOd;_Krb6>rUX=4JuY|KTx#Phazc->B$
zMbC1kM3<EPJ=++CSVbs>UT{^>%&o&oZckzyn|Mn%khf2Z1Ml#q(dHK4dpU2;#Z_nT
z@jP=(C>HbT2yM48DExhMv)#A3sYur9d%da=SbpGww_r5Kg$pGEww$l_TLSXlXa6rs
z;&)G$wntpqL-Gj@dn9XQRz%+(jC9;};_51&DVH?9tEgwr$nEP5dt00x0?;Qn!4_EN
zv1*%*bOY>5@~qnzu4769k2!H)fVI91qM0P#4ku%TVo(SddHK@(K!B8{q~uAV#Nr)J
zr*0X)awC3R{;0(^uW!;H$nI1<-(%Vc4IN|&3u0+b5Z1SB*fgex0dzRd_;fB_NJDCi
zjn&1j**aX9Tkew8;w_T)bnJO>zO?D8X0?5A`}R-0^=OkM5Adf5j(5ep;325n<_YV?
zwvEawlM{H2@XFkR`}GBke2PFmL*Ss+<{VHK&YRYAFYhPvT5w%;&Kb(1LDyVU&P{AR
zAQ&M}u>HZ_`VbTgGu~s7aX4cN341C$GfL1i`;6gA+XsfGi|WY)&AXZswT9$%t-<uP
zkUY|>qqx>qiHAK?5O8Nb#E>ndp7j*;x+`O62a-w#@a;nLJ1BC;Y+zk_i-NTtyQMvm
zmKKoLeMkJpx)3X3>%@DY#p4KSvfstQlAp=)!doextzHGo7drlY)Gn=FAX6Kbo8O3t
zEjT6mcH-4!ym|FY1|3bxp(_eKxa#yKR&>$gx;?XB!vxcrGF3{vdHpE^{oeJR%4xMk
zx)=zcE>*7GiiN{0BiTw8nVc98^E=~n1xC<q7GXeD@I9K*)hK$kP=?5Lnx;^x8@<@i
zFBV+^sV_8fp1&BAIjM3+VYeIejYZ)#J+HKFZTA<Ba1vLqDhl8+Iw2I>Aw>wOtKNGc
zv4FNj8``xGT_XnYwQd4-8~}SEP=x!N+GdQX0?Fxk8zPCqOc;%bayzhcghXCocn@a8
z`q6_4AGR{yhja^<&w!C&tfAGyXor|rW{UxmNI{;_B_~(9{=DNIg9<ITZoX~8_l)X7
zSB_yiaTwEl>k%10McF+37J`2Y;d$T+EzA>iWI|}ZQI_IJ;MB4-Mk^vr%W5*1%Xr$4
zR3o#iYR&-{#osZ*lDAR#vrT*`RHJOg14qSPuSV*kEwIHMlpGN_d9x~aR@M+#I9Ah(
z`Y5cA1slxkUHaLv^eNWXx#O#&=Lt9u*R{n^HXpR|8Jn<0+7^!aktxyDQ_nJgnOXT(
z_@&Mb&gmtJAo9aCk{w#N3pcjzveMMK+=u$io>9TmI&?&I8x*X|I4i1)>?z{pS^?`h
ze0_6*Hq<3ou`lbV6eL4m9s3qPQ-4H%uE|@t*QF2JFA%#xJ<VQ`lz)4IeMZEav5d!@
zTrV$cEIDQQiLK~to%#AJODO1s_0|!tfu_l2EHZ#rBxip2I2>!a2)S@95q%`uR!d)S
zx}K{hDoZ1|L|;V?+EYlgdP0=a=+4cf+3mWDN~*T~@NFc*%k&@+PAVKDR7n@9?D5NU
z;FmHJWvKTo!O<I{N-K{jQ-B+^UMDG@h?!z|4CU3hm!_KMAbFm;8X?%g;k9u~r#*NQ
z6jn?@MUER>y=96uYed+bA_l&)?e7`&OlSJrK4K&8h6rSlR`Q<%BiKV$m7Ok679ezc
z;V%&Ch4<NWVi3>=^f=erU(cr){4*>X<b%4}3nH_`%rQDGivcvluzp+fm{h%Q8)P6N
zyGsQ@sbua@w4unDRoyaPk*Y=COiZ5T5Ikm|iGG6*@d0y66G;u?5n9PTW12*@UB2KT
zrFro9I=V85fy+uZG&hlQCiS_*+$-0OT`2M8fWXy4_j=&j@fImwdLYu1T~=I$RlvOy
z9~?I2I5y$hcG#-7H%sDZj}=Un_*&(m+zJjBkOQj@Qj5HCwa3TJrDC)XfE820NRjb9
ztbD=ge6^7`8E}?|xrRpU^K*UF9h-v+&UA8cc{|FEc_Vg<%yM-FQg($0U^4u@HV*of
z!(-8XFYeX3zISGY@7}0&X-zbq<g%C&j+EoG6{S*XRdMM&+80>Qg(3ly-w^3M){sD9
zM`4E%^;m{tVX>ZUUGU+ff^}a4P=HaYiIdHH?sKmBp1~%O0Vq1{dkz5*uHLW7p&yTp
zz7$fwGz_p83gA|pn$^zcPUlX4f8{4ELBSr0RMh6^wzLVh=jFRcHthmH&ABXxDNwtb
z*v~6%(d3v>)u712`59$uD(()XIw!|26N7^iY`&Lq_8wxc^hN-KkY8lIXp5ttxuK<X
zN}<5{UD3iCg63{s#VWp92yTA{=!9=PW$H^13f}>;*}_+_TKzeVG23ufnM}vsx`N@$
z$T1edMFNm;g_)(7<;G-0RQmeN-a|=)GkQHo2D5zoY$m}<v15;tMev@ah(A}L=a)6B
zri(o$r!11mo13*<g42#XaYdW?4h|>I`Hgi>w6%uh`YWbjmujdz52-lZx%U!yUOj|v
z;<QLDrG3XwQ`To(u*t<DWTsAv#?W%hpE1JXX+F*7Ax*oe_rfJlMTg2d9_V_;`aPSj
zx2NUYnSGIarHEeFced}<o(9|2OnacKbClWdo1&b~qLy`4zG!llca$5B$|SZ{S^|*l
zfV&6AeBYAr&-{?0b;i)|oI~6MJsP3k6$vVciKX9mGhP_ma+3fTkb<uo<GPF`I|sMg
zte}<)!*hCdg)GZlM^v1|707j(Jye$Eg5l-pR#ZJt-pDeecXlz|C@D5$uAR2LJxxo>
z*KxdEj=d}*^A2*J>db2d&j5}X19%u=%|*gbGF14uBh?VIumVRjh6wdNnxqcnu2Gj=
z)5mpV#$-unxzR<=N|4}&I#*9=rEydqQ)i552CO5#$33`RelUv`9bL~W-|20$LaQDL
zovyx}4*fZ3TG`_D8+PU$w;NQwfH-Lq)oIv}Ld$l3ha1b2^C=4a43(wG@1l7FXB+_R
z!2raJgVF;>9KkG<ry2ID3w`)KeN>s!BLSS}Z^XBy5{&^zw&4)E2Lz(4_=fK;&}c9?
z56+xO=mwd+jozCF3;T$b$fSq{uwOHK9L9`B&4u{Zk}qSvyQPvtPd8`mD}#^|Pq&Us
z!YQLl(qN0CX<~oHlOfy|B&K*fOiu~2Hy_Ii)uWeY#HUFt#`aJw`Smynv0#%V7BM+#
z?=9Bw8r(HXGOjg9IAM$(z+<I&gXn?f^unsmGli8sDCvdFdE@TSb5v_~j68iVveI<U
zM=5%d5rk}$&$dBY9#Y78KVJKk1-<WE<inndCeMPjz@wG+^(rA3P|{2f0;z3ITOxI0
z<iYU5OXh2%5O!pFE^gwv+P<xq&Ge*opS(f6q!a9is+T1=M@BAwGzx46{UF><-+MIA
zE$>B-G)G{si*HgYOqQlf@_YC~C78oFo1PeWEK8t5S<g;CI*LWez#uf2(=wvB3&k%u
zxTo(F1xujVY!pHyf_NbO^`ruTQ&ga4sfTLto+e>LaTA?QivT1_If*}lWqeIU)c{ca
zRvz-|j8jMOIWwHJ4%WVEivv$g$oF#yeY<qQjUM(U%x5^U>%4HXpRt31TDgM_kfKus
z;HNP7GibgSv3HmKsyBt~+1}v3BPip2ZsN6p((Z|OD-=;s0OD-<wCD&jy0~@qWh}So
zOR|Q;)*K84HU`#hsas6H)_g2Y=&}Qc_*!7ScwgI2Xn`iMI!4D+Ue}l6qvU$#vP|jl
z-s2R_gL-qC)nYr+ROm9Z>(65o9A<Y{HIun%b+TAVupf{*l{!5qya;b5R7QOizIb`V
zSXtF~CGk4Y-CGF*EGEEi>ap*52*v1x64H%G))H{U)ZXwTdM;p(H5hv~=Y?+RzI0&m
z>^9eD1CM`6WAx=N+Kw-k%W6T`)C-X}EPB9{{1T;X{k?4;_xO~?`;45sUFA2IZ&C>j
zZa|IfG;AEt`4sR@ai2MY40o9T9koXtub=47JdJ@D4wmfhl(u`-F4vJE5JDT5{>t;V
zhI`Fv-lT*BkdqZ|g}c)x9;BaTMlT?zZd5;|E7kUSi9SjA02eEmMYoWSjihu6)!z{V
zWOzj)#>$Z08N9qJMPDQXU$fPf<A)q6`4AazaFkh_jMA^!z~SIw8}h^2)hrR{dP$Hv
zQ<}a&5l4lu+8A11d0}Hew|envx^Fmzg(ZuQ7$u;N`hn67<%nN^CJp=?P_bq@sMaIZ
zsIewQ>j_kh)w6n4P%WM<cqnHJ^5$C{{wWT9$NREZ+8_F;+%{FqP%`k$69<0Ax?C`4
z7!Y1-NuaZNLZg*VjM{n3u;)T-g6=&_#nBxv^Su!Bw59arlZ;VcM=c*z_qb}<ItY$|
zcgnz=8@W`IWnAt}I$A@r`xJI@Py7n<GN@ZP&f9c&AZ#r)mA5KN+->K$4@`l)rD~*N
ziV2YobNChs=WW!zM-=xKw@(r-4z}`*^p=sEXAw0YY)L8!6KAWQf#SV%ylm(93>R8L
zgb%@=$t?xU<JAO_T;6?prS^!<@uhmdT3+w?Ih(X+(*rbUm8Y|Hudbxn&yQhKrghJ?
zQFVQhb@Y2&mCqPD)J0>=z<jZR9KuKr&d%NMpfl{P+qU`x7@-X<zSQuSEk2P0!9KH+
zVGQ8o=>0;$CT5BJttt9pdG0tHU5(I=JQ2%#L~z*<bLsCfAZkQ~jXgd;D$G3=wyk<H
z-Lc4X_1GWzE(YY=o8rzbI}T<<t5eRJwiT<bhlXv7Ii!#U;^v_J2H8p(wFI&{x)<h-
zvvcxURk_xh*(zGqiuv6W41aHm6&5nI)c`4AO{+qN^xzy`d%hz>+w8YC8%KS|RV|We
zYo-kY<f6co+Jlfo&i+dvbQ3o>^j<+4KRS0Ux8j-UmDlbDSEOl}ekugS-?>9S1L;wO
zhlnE2Jbc}VI48Xf86i~`w4_k5Y$=5kk8T6dFkd#E>bxKy%VD#710t{MUJLOM-k*6}
zjNU6C@9By{6CW-PRi;OG+@(9K$(ni~Q(XOUVO+7;U+HX%S3&4NKB60WG>0aOwJ3&H
zLb<9(<C=8p^wRq>yRu)}3(A4Vyjv(wUY;K#6&IzLnZWX14I8YdcQ%TXIELX>a^<Um
zF<nES?DNMw%qcPCcHSLC{MM2T;b95svd3P*J}6D};>=U=b=tu;SH>ISdd*v8&6nG*
zF27rh)?$niM%0<yJTO^#VUm~dm@Dc8rG^1|<?+04i5PuHQ?sxok0_&L(MplJH^<qX
z+EWM*x1L!II=_sI>}r0H6mN{;=)&eW6`>aHP<AR>N2VU?dlhbv74X5ez7xs>J|Nfj
z)CXz+YUytQElAVgu}@(YE6(1oF&Yp)l5;1VJ<`FwF}rr*a&&nzAd=HT{w#FGxlLDZ
z?R8|6xMe=g^mB)IbX(%A-LE(+E6X26ia9UZNJJbHJ=&7kW9YG*tVSK9sVN9kVtCf!
z;c@PRZ}WiC2&oozn+7Z#GczJy%$&#e1Tb@&Rlmh>Pp7Q2w$5V;{3VinS{|jZpe-0?
zo}3hk(~U)2PC$xxycW8sOOd|*6p4R^)HrJNoQ-0KHh+r-SEjs?Ng$_>fkABxt2cw^
zWU^nKBrQOhW5_x99KCDPCGE0W#%Y!Vf3If;MXf3+T)gi(?1};qn6Usyldl*hy0OA|
zNMthn@$yT^2a26F6+3K459_jun_!si@jW0diG1D7E=de{&J6{L0R=|`m|cD_4-s(@
zj_xhKU<)#lh!mOzk7BtQA$|pYWu@b}HKN>!mnz)SKsYyg5(KM<UY9quT?bhJ<jBlB
z0u>n%@}jZ*yp_k4w4XE4h6Rq?8BsiVQL}+-e81Zb9*nyPyV1ijOhZ~ZQKv@HiW|yQ
z@<;Iu-GvYGTPB}zH5Vn0FPRksfO56E*Sl)QhJ0lwMp5`lNWYGI+z%+Dit)G@u<PdK
z<KEZwdZfc&bSp`0XTVZgEZ|*bgH^)fv&%<nnmDR11`8a@ZY9+t5$mg(xr612fi3w=
zo}D5a1L394=5&d$@(^>=dk>D<c&Y^Btm9JBLuqg1l!O`{*kQojUXFnsw*lB_+_9EF
zkCf7~7O}OMc_+}If_M^fqV1u@(t%dWl`O4y4ndV?gDSpe*CFGn`FOWp10M4MyV(Vq
zy;_e(#5W_14Tvk8{HE!7(!uI4p*Zcj$iuOeqNJh#0B+uWD)vS^ZD!<MH6fherhG5T
z;xo8%`G&RJHI3$jOPjUpy$(1oq>cw`Sr3H?mtt3g=CUoK0HPzNXUf2@R}#%znq`;D
z6%8Nn^y>%phLKhAUS!P#_ol@lnxH$#3%%9sqo96GiDz05IK#%8BPP$Kp62*lRC?NK
zqt0q#HOs6`0VDGOR~y+ii^;<Bw2A~bipFnEUO#(IWwcNnZ?jAT6-jT@H*Hk5f=A+{
zUQ70av*u!3JJxtd@#r<ZJa0ePljw=5!y#W-gtLg$Gw&RnClymXHoGqkB(gRFoeW<%
zS9HvKV<-ApLgyX-^c3?MPd+Aa4D34<FCU#^S!7PseU`~4I~CNL_I;x@c%M>v{I(ej
z;m<K|w_!$W;;qA3WlSf=9+;eM0h%D?sgCBWJ{#0ZaEwF`N@b&qVySNHbQIaeSbyZz
zL__#obVn|O?KL+<&7y_^brXhKoJyjoUK^v{>*i9%M8A6P#iiyYYVs6SKSJ6&;b^r!
z^rsF^DlFpBhKOTacfF6XUO#w2YswR3AqttvzD3jcl90xTFXAQMs_5OD!6$;fZ>^QE
zC{q+(A^>2Ko2Q2*d4fYoGsz+(>ChFXN!{pc5@3ibk$mrntFmE4P!n6-hU?)TUDZXm
z=se?}191rmnISejn>~X<>m#@@s2z*O#tI>mCiB-Ez_XuX!S929TL_P1`w;jIc9=TO
z^LsG^z)y5m;hB^_FxY$kteLs&iAmwL4<)*WzUPu$uKaE@Swb=slkQ1K+Gr^Xi}LI;
zR%O4(?a915Ix-=e;gIUA+9YHp0=pqV0&}H-n_VL#nv1W(K-Fu}UVF^ZZ9dKwI%IsL
z9PR#Yl#<oCq1l2Cj$RfrdUcU4;XPx!ETuNvWUu~%<Q|?)mcB;5tu+*?lPb%SG(X{|
z^SIj{cIg?Fm50NTda2hbWz7|eSqeS&TYM#fFT6YCz>vtFLR-s7Z@sjd75B9x>|b&@
zvo0YMLh7JPn4BOil@oA$PP9Ba;;%h~JOU2rQ!WIba!Jj1@1`XZhltrRSMpx?*efHU
z?UPvc*cZsqwz;dMYc=6vdpALVcCUL@wctH?N<BL_EHsY7tNGf;5*+Cau-n*5(7Z`R
z4-63rU`xrSnj$*Wg62~ESb~KjE;(5+HVPP3=PpqKf$x%KUChoJ(zUgo-Xc%=QqRQn
zRl3y7bT6c(FN&Pw8PfR1tv*HJ;UQ{Atl>Ckc+5qFJoA(R<6%iq@C_vMQYq)ugb+tH
zAfxotn^JQ(DQ?FF;e2r7*jL;15+A%mHB2n`)B!~Tq7d{e<h0ib*^>M7?yH@#>N1zp
zYGOL?tv9CAdY^636{O?sizP(xh4>cCXTY7fOnkkyQ8p`rr46R?Ad)%QMG25g))y8R
zQXl%9al}Asn&FjWb7$0Wl`n;0LA3=5Nm9J6L2y=g2fdZG!$rG!%lU8s+GG9tUb1rM
zPGNS5`0|L-Ap;eUbCtX9kd-MgTR1XK7DzopW5>-*t3=s$f+}g`64V)eu(>TsHXt|G
z3CB{L!btekLF+Y;N%cTxauJ{%KMj*9QN5@)$aZfRLEmdinpB<LPT@yOtS_Xwl^le;
zZkRS8@AX7gfFD0VDxrGSqVv4lQ%j<<0AILo)*vk=BsMJ?to<CFYZ$rOpzN|>t5I!?
zqvUlMd#nlVVlr|esqqQ+r)2mu>eBcld&~o^cr>AX>(GZAOr(++$STdHn3+5}-N12L
zNjXBP>D>(12xlOxWd?#EVRrdK8{5E>%o6D_yu<4Ufw=Y_4wkH0g<$4b0p7?I7Ml&K
z6iC&1I6PVoRp>k~vbYtZ7)+mXZHR~+l@%Vq?&?>M(YX5}s5tS7>uKeqlUs(o^xOw6
za}=R^!A~dUyjTu3ah9`m7VepikE=qUgTlI3RBUu=J^};ga!W^=I+6E=W1l+#!a0@p
z0?7ILo!)Y@gH}@+H<fc<89aWX6b$d;Tv^<ZHZGStd4D&iIAu{LZ*eF`yiLcJoq%NE
z&f}L5wS|vspTNBD#`HczuPnxdx!ZMS1G_Cz>p5`qOP=f@g@;Cu`7Avxg|zb}C6eLx
zwTz6_N;Ztk1R;d5z+9_D*u2M0*bea)l5cM)6ss#<?f_F@E+ceLnv7@ftG4l28(tYy
zftr+2_3{#^YhMLl^mlJKBdK!w-N}J1G*o-W(Lzy@-spIX0Dxa+mdTA_9_6D~+mY52
z<9s=<eS<L&MMcvMZMcLu)$bhOk$6P}?64ApKShUE$;)XQG=6lKD@|7^QYpzz){u0D
zHHJ8Jix$z8Q;bCb!15e7cBNm=QC2iu3KVge^!=QbB1Y+aPBv%N4c)o^6wQzkLTRs%
zjz=WV!doN0XC?WJzwH~QSx?ymg57$#eBKH|Gcl}azykFX2re873xuqGjw`yGa1?ss
zY%$jX4tW}DT*MKB{U_;l$VDbcrCzMG({#3{7DbTR!wy?-71^mHBHZAOk^$yr;JZjN
zke&h+cR7Ip*XAuTVFPG(L-Z<qbi6u=8}4((m~Aq~>cO~A201XvUJ;#hZ-LQ8byh<W
zs=CyTd7J=o7y`XQH%|h2kA&!A)5a|<9|9%MJv3lbC&3$8Kx>yl0?4Ni(KA_8-dZQe
zakEMJo_DPYzp2(&O;CIF(E1d%gHCy3*EsC=KBkh&M`iKdWDA}`oV&Z@l!HM+8H{;Q
z14LpD`KNI7I|$>GOQcu!C=#!U7>O<8MWqp7b)ypvlhG`Ilsa)ZhBnFBN;e&OT-|#Q
z<uszpZq>vru<$*82*fWJ6n9RESz@W)GBrk>`xAIfGk~2bTd0ZCY<?WrDa-v<jzx{U
zX6A*-l(h#;dR6=DHol|xINrcK4|!p3D*F<kB=`)DI>AYelN5K{r+N>O%*e-kJgTWB
zYy*LMM*-nfE=>~O);_gMv0kou@x0X4#$LvpG;He$L)X!+Vy_-(wI8{@xf5|V(_)<S
zw!1FHN1mc}R>Oww^-_?y>X@B_^PcXc%kNd*`3j*=f!nYbwi(m2Ya)Z!cr`^(C;&^E
zmry1~-_r3<>D*jScML`45a$AWYpe7m=AMZWVYwUa@R;2BoK1p~4XG~CTSsb+vvA%g
z;&lUwN43YdC0YrA1be0wXcY~?t`^VbS?-1_z#xoU5g@3Wrw>u<WAi%YcXlQL(7@qZ
zU{+87NkF#0=VcGl={+mOinv{2)0Qn&hwWGf_k)^&7Io)`JPM60Hr$RF0xKS{rT_@s
zfyxidq3v;Nx=>lYD~0At!sBX`a&~%bss7}dMIZOr#RYV??~xCbfeK6EJ_O$qC98Te
zhS3F2og;S{u@keVoiP>!MlFoGSW*iWut=uv`A^@uRG@<>@^iH?!;R)p1*USiq=RE#
zf5$r-wU!&-;n+UIakwixVcal;Ji>F*6Ww<Z%c2xoO5WV7!O(HECVqqI&`!ojr?_u2
zSEb(}!th!rgi5vzz2(<1{VHkn4(g<8gNw!GSl*aC?vh7|nex=$unCwQ4J)MIn@7h}
z$k<$#WeiGcl?bL1t}g@HJ0PAy8Y|)8$;9wYNNr&h@f3Dx!@yMr4yy+WMR|>ra%W;?
ziRR0@+<7mQ<{)%@q;Sih>@lKy@gf}NIbtFoiq@7Txo55fZw)@fQhJ$~)|zvGO9W6n
zM&q8GJB$GBPK^6-uh}#}4@w-SJ><aQCdD59mGDbG?PH?u9y5Af&E;-y#{vZ1WVn|C
zf##rPvOTvvKjq`!F*&o8OmrA5Rb%jJR)+fo*lS6YD4ume!E}s5v`)NJ2|Gp6b+{Sw
zj%GA<7SuOvlQxMs@fIRy%%Id$7aV(tI-vnx-C7Sh*F8>gpA0;KD6&-X*Uw(Qq~l#U
zJkj@zE$Bf?7G9a%biODCIj~CC`YY=y_Uc^|NxS-!1JX@-1f~_3P)$99tcygg615~T
z;Vb@d?lqkPGt3+B*|j=MNP17`?RKl*QSM0{fJVo<C1UFe#w_Lor9^0FXJhxXJ#h(7
z_NVt^UW7W8I`>OZsz)gCF0UHdx#MxAbIqQh?DZkcF9D5nfsQ~7Goe0kYiPa{C?b7b
zWT!gzwBQ+_YFB?ZulNki&&mlk6Rt`|EmV)zsnHrNlSY|rL$AkqdDfU&J&t!RB3@$M
z6L9J`MzZ7ckU+YmdQO@jp4nv=PCiYkDC+7Ln{(z`J??mHm?4*FbH=Bjf{~kWXEBn9
zkF3IX?T}L%K-rdD9`e&bkZ=wpyv@j3>cQ%&I<mIcd93COQdijV!oxNJPxLO|<kh;q
zr-<s(ik3{EZE3)|FWXTq;xu^j)(+zsxc6-(#1Jm9A`oC*t4bL?fRty63vd}_IX?c*
zU-8R5L>H8`H+zT`=w5@17dDYd&45hX<e<z^laoD3H(vJh=FP77te}rrg`aNt)8XT^
z>D|(0RjIT=32yMB691Ht!)J8%zQa?y6>bRk&<SK^j~aJJNA1qy=So#-siMmh?xDxM
zdN*&<I7}SkdM;Ge6h>DRTZGt)K*r%kWAE%9+Z!~N$rNUMR+phr)V(j?kvuf5dV@8%
z9xCrKl}{}uvh*WFDUMe_&qb5cdD>;voN8aa_lQH(y0>4Uzj^X}bNNmagN`3lP$ex>
z!jalBc9R;$mJ2<ZhjQg%*);i>cLOux(d!sHG}U|$4F^>a0Gs{Vg5qU&tM`_u%CHjp
zlQ&$68o3~z&dBVIW{(y49Cy*Ut|7>tzKa?opWS$^xmlLEy346#`%^@z(a`8=NDqAc
zlGr0VtGP~3AJS=<^Tx4-!a#|Bi|8{%Z}xzNVc$hXa0Kvq<9JueyeTYso-PA#flctG
zI4it0w_}Q+Izq$>%a-*Fc48JGV`M@h%93?)7DZAh8|1CsGnXRHhc_;!sgtHJeMiTM
z=7m_wlM#B)L>oQRVKH;w;6)P*Nz5)9;!?NY05WP^S@-K@FIGBV2-e)d@UnIG>CJbR
zQt>FN__V5zrh`OfSxp;TR=0SD63#V~cxQOP0}sRAGYztM#dAp-ikK62Mr9!iRPUxR
z{P>2q9@awveI&a4WPQ8^TSTTk2?Jh6!C?;UU6z?^{%M#CLj`Q(m^)eY(a$&y8gaw&
zP{-K<r+roQhzz|TCS!R{*N!boV2P&ZQ%3l`Yv$~?k&jyUo-{LSug*2y*{r+29^&ah
zx;;2E(S{giY4kYG;Uw0utVtJ4M|VtU@6PLR$f7nN(brUqa{KyK9Ku`?Js%k8q9u2`
zc@myDFMHC%;=QE17Kgha!|0Gc%6v2}{?uNVWK@f(RE*A?n1=-p%K1!?WFpmFUiB(C
zS-pTNo8y_(qr}JUb)i`uz~ej;X@N_l<oME~92}Ay6hys`UOMC|qQ$Mhg}WR8c1QCr
zO+_2Fy^+@q7zX+B;b8jkOz+d3s(e}20Xd?=;lrl)7}2BG8=HBN={8r>d(cv`l>v}`
z-qBB!|3H-`FEb^IdxP}m0bfoGTs4)cdWVdc!29+i`V7{9MsvnQP95{yRijya`2~?e
z*9QI(SB=ZJsr?GJk)oa)J<48)L!oOWev7s1ndLpA>-Ah0rz@jD9$3?bO#1j?L!S9A
z?KmZ;#Wr+-L2&4<Qs$Ju^L)FW*4@dCyZ)Ae5@OSV2wvXy!Go|>8#rIj7*atbZAb}E
zHgMcWgX#sjo`xaVLXRZ&ErGlhmNE;qsL5GTy%jM47gzLE(s~J(=ONX-0f+)GUo6Ot
zD3Wb151t2FUdi+AoUBO%0z|y+V0`_MUwE=Yf$IZ#kwjg@ZH(D#k4Y$<$P$LsV_qu&
zDyW*zRS^D?lIZ!yX(UIikVj}g<xx3;sfQ0#nA_&467!N?y!@0Be@1L}lL~s!#|!Bt
z(JC$vjx-Ih58YqrQWM%U_d?PeiU%~BCQrB$l!g2axU<{?5KPKY=joul3U)RO3?xQ0
zV2et<m(z}V+f{JU?`fG!oe)^4KU{G)FXI*;-YN*|eWrM`S&K4D#~5>!hxVvvi#<f5
z%^ew2EqF25MOBea+p#x9eG(&6gQT9_jafc!OIQ<cw$UJY0dWUc^HBDDE7+>%#RWd~
zdJ*;-Y}zrhMvX(JU_sp8o%76Oc?iFkHL!+=MRT#@V>&K5;Rsr+6yl_{@aC~7ii9Z0
zzIs(oubBJgZOK{{48{e-FEK^H8?o7`V0mOmEC~RiNW^mZHXdma`U3g66*u&!nBMoE
z`dK%o#O+na%V?8IS8axAY3zcA^9@#<@aHc?XJjxRoT9(HTAu7UQy?Gg-0rK>z=+mf
zs@D*dd~Ya4ZzY)%z{Kv2&92N92t7v3uv}2}d=`ckVya80GtZk(%pYFh!ApP~*)%ws
zXOW}?)6!$UnZ?Nkh=x(N=7TYF1{06i!t=}oZL38%=z0LJ6<~axYQ<Vwy3{dWbj!oo
zsBwEUHwxj10yB9&c3YW`?H#yLijohb0{|l~ou~+_<h=QFXIN=?b7)CKYqQ%HEm?@D
z<6?AyJ)n!-ZM`FGtk<q~^J05zwa&q5J%7pR&H!00vZz)icLu^ZPV{^Rz{uFkbq$lA
z!82{|Z#jL&Zn3;Dyzbl%do0tm9eeO7s&`sTpBcp_s=IjVzQ{%}Tm!wAlKP|*-+G%p
z9Th=T0(I&DZ7<jD06d=Ad8k%=00r80*_yj-<RDnQa)(gwV#jNsd@>#bw=<haaVO`_
z9F)9jA5|t~FBy``0v@#DC!R6pgx~;rQf0FyB@LA>uO9Jul>@E;Zp8Gv%^ZnpY(u0c
zT=0f@la)m|t{kY1o62y+Q?zQ-u+VS$?a=acvOC!*-xSWfVsd#P0I#TcNx?Dw4!lQ)
z3jBPnYy*<AaL4jt;Q*2gQPX+diKgAEg~lW5b&iaA3Vy&p{b{Z=U0yN=zRg7mogS)X
z<qTb0aIY1DQ&>rrw)+&6d<JlMi#j`vL>54mdCW9C;6bc_HKXsu_%gA|2r$t57PW8@
zP;heHWD*)ixh0xsK%if1x;;QFK!1dJ{ggNh*wGn_CMmu0QHSn31J{@R-XiG5V?+>K
zdu`T8fpsz!!m%2nR;P*Br@>TJIn3wrv`!pfgX*}TG7qL83j%NyzX*=Hc~mamgih9e
z2XZ(Ng$1TEZJx+d()s2p!2zpt<`PYmxV`k*W?#McUb*CZXY2tAHlQP5`OZ05#m!wc
zPWRqyi4S-Sbb^VFEZvL2v>fAwgW}<mgMjQ)qCz)s31r@v{(M1DSb{bkTd#iJ^qXuQ
znvIK44S0BB)rh#S<%Kn`y(cm+3SQ*$$-PfW>HBPX?I_Lub{CG^x0kGYM<@Xm7|9AO
z8o=1RS_W5JHdY7QSd2KkYQzDvU%0%Y5{-G!XqfLoRk=HbC_QObon~<wLk-Qae2XDs
z`*7vW?sH0fL;)ZdoHx`jZCvpULWX6`CD>U{JiUBE%Ah<m6jOe&{H7EplS%y@fYByp
zJkss0OCgRcwWDbCu1w0)omcnhPX<n$jTV6VZd;yMMps&!TBigDO}x&s_xuF5_-$lx
zIsn--?3FOqgNSz5*~F~Zm2W&wt}U02uzSc(5x4UxY0-dB6S30<HSQIi=1u!e^AH*-
zyc1yQr{x$nKYfZ5J(S^uTht00oy6je!0ZKJ0<0Yy`SwxO0!+ZCsO&S8FU1H5icif1
z+r;t^K2h;qJ&B;CYYVt{3O><O?<E9|RJ?Lu$IE^<C;j3*I^+t(7ID|7p%fyB9-DVc
z&;2l;McEW$q9`ne&vbX607^jcBe}D~E*~7ErvqVb`oL|pvPld`3j+3Xy|?9vN{_H5
zvKO<BT~ErLty2@J^y)<T&44KEfpnT9yy1$+Gercqx$TiDt3e5HPLz}tNw*3tFeYoY
zsCOi!)B4zr1ZV*7(V=_R4y10Rp4`A-uZ@^U$6cxx<UtYCIOu^dD2i&pIA%MdnRoJJ
zQ`3tI1t37X-ryCm<qF~KiwJ$?@8|xB#HGe3P<%9mYB!_+-pTD4TplQvdKQi5gQrnz
zpR)4Lcs~9|edvkls%$5q$Z^O)U-md3YepdAj+pu!4WbSq;WDvU<vV#h8)SzbM`6Pm
zb~$e&;iMjpkH?JN5}>F>G?kUsMTb}=jGFREbG0CaJ*z5V6{;5$(0ABwOFc*ZDr7u!
z7oys)F4dh^X^72T9N`7lH3A-vx3Vq|?5wlrfHZ+6&%MhreL`We6>$`KxxF*k%H_k_
z$L3F7VwGCj!#2y-(&7ubcR;0YvKr;FEAr+G6PSCn8-Rd^D4CH}ai@>z&1_6o6(Go4
ztkHVa(-sW*UK0b1Tc>%02E73$&M|k}rya1~ZxA4RVs{Alm#}R09k+PMfVg%`$>SoM
z#Zt{+LBplB<Id+ZZ0P$ftk0m%iF7XD^`M#B-U}*KCT5fA+ZX7s&CeJuju~HBtTLOH
zXRGr`3LXl-8lxznf;RwkB3<L_*HN;Kn_9J+FtGL*1%0*h$sj#oxfq^aNUyRwd<+?<
zVhi;);|R70+FVl{9TS%zLl2ew+{hET<}6>mV!HNB19{!g9dqpxBQI52n|HA|XBmU?
z9)Y~{48-znbW&HDrxSd**0NOQ$Q_gdy29>yJkJ2Df`?Kaa}c8aNx-Xe#XQdgeOkI4
zQS7DoKydh-`Xf<JIJRwoE*@98ma(V(!flpP1q>0uos%-!lIj+hW)yg0liswo+<?|k
zX~8+0fiEDiNuJx8Jd_=caKBa9q9fJF0l~`%qi@fO&&ZChxYPUeQgYB1?{GF3{LQvF
zT-ZRWxy#%-zlynR%mq_>)Ei4`g48K^Iw$!=@}T8Lvo2otCITn3L9@K)lIBmZ{2gao
zQ@|@Jx;i2Qpk6^j<|<q4w*nwmH@NRjF}L+pXk^5aze0Z}koXGJ6R!mzCW^wRHi$UH
zC{4*S8z^i2c)6bOLp#=aLjp3WWny+uNINE8l0nkkK7j$9^wY}_b&G@)>D!34N1GzD
z`OGSLqu%Qt0dF>W#EO^~v?Bauno!K5Xaq5~@<kiYi;7!56pc%IE1kT|H1OyVrI(}l
z@V06?08*G9<J}yC9CWn&6jxi!a+tXUJ3<4C^GGNa>%u#JtioW=R0qWpC4#@i74W@B
z_kp`vPTjYsqTriqw9gqDDISlZTlXFKy?EHy$SY5dE822ow`!>X^-(?7&U2BbHa_vj
zeajp;=}V(Lp^I|kFNAZYi7^lhAV)!<$1-m+I|@#fb2YP`2*$t(2c|qUuz421Z;exP
z93+<|976NJ{E&kg@CA=5&lsMwYjl!T3V7KDuHzzkqoGc7_AP_IA_81^eGZ_Cw%doL
z51zf0dD1r<_lEa^Mh8SHAUp`;ji(d(l#UZ{`Xj|5fH8c=W6%Bgkv-H>4{c<dCvwCH
zhMisQy6{l4+;iI>PH0(q-opi{dW!i#pVXnL0v@g@%*xN%Fr?cNyG4aCA1wEdPb4uc
zA>cYFUI8w<SA@PgicfjrXN(_n$||FjTIL`Vs|6a~C$+i+5u*nH1CQEM9-qLDZZ(Lc
z9Wocp_(nB97uKE5Tw0`U^mS*Ov&7<d+kQF%O%G?+32wv{!$fGBpmtN>-jf7N_Cr%o
zj-{eIkeS&z6Fi(fMH<>Sjxd>=&>ipu^&%hVsRE<03!0};tl)X(;zI{-ua>b==xoxe
z@RyAqFz{IS%;Ax?Jll9_1%80pb^Vf^WOL!25M%)A(UsQ;s_Y;c>$Tys=8H5|e8#bv
zyzTrzqp%(vvOrUDmb)}i>w}6jb={GR5VC#P*JGi#uSv86jnTD<6gBQhEaYuXIyS6a
z#Lqy#waACG{doDbKtRW`2z9X;k>j1U$7o~_^Z+z`3XDDjy<D#&M6$RT?1OM#M1Ly}
zow+I?aLM6Fysz**b}Nv<fPIWz7?r6;#+A_GSsTdUi~ip9K(U%v=A&blqe~D{OP~kE
zZRjcSsJM8!F2hr#NfMvx`dBKk5p_}30q3Q>9@EH(V+3Q_l?0hwYNFw=nh<3<@qV6a
z7qD2ynb*VTglGq-s$zeph5%CNlY0DcbOWxjr&y>MF89gsbBebDSjr?ci_ab$l}oNr
z#LPCM(X5vaR1!uKByp82!rkLH98-Ma%pe;l4IC3L8p~#7k_K7MHaJHb<@rif??F{y
ziP;mm;pRWFy-U!Fv|f5`jFxCLza-`a2zc^X#&t1jTYLu=+g2HFoo0f@4BkF`4wR_h
z68ntyibjWFn7X)c6%Fz#CuHQdBkDAYUa7rmv>9_iRFoB<Sv}EmElk7Vd;A>S2tC`%
z27-YixR#9er38k0?x81=(x{3e41&RKV7E`QE}lP3jkHv!7Ke4#csPU;5XpIs2NlYT
zosxyYi}Vsxcn(|Kp23PcUdfwWEEs=q(0(yk@LHc#B0OvxpE@F7NF~lhQTF1ANa_c0
zXL?LRV3FrORBXqxtJ;`<xFq@TuzU6ssIZZPv)CsOO@u{@3sW?-fcQAFEK81j?h#P1
zR)=wL1y=`37fNhmjV0v6*Y(O0vpG-w1jgc^qmA*c37iekWs2ARJoFUy$veSwyeTPt
zQKg82r1*kD$-M4(ghTq|5NY10$XGvpOx3q1Vy>1@`XM@pXGh28Vd7)Htk*rmp$_^?
zsFY+g-ZRECndeD1@NCrN+2NakyG)TwS&Fkf7*rgW&Fgmr6lG`~=$jS8@Z>QC)KnUZ
zmpTwMRK5j^>X4FZxQ6#Kf+}9U?%^8Mfz2wJs;q!FN(*2@{gw+LaLl;+UgN9BW|O>k
z=kyA@=n}A)2KQ+P#470yO>Pj}Yn$3qmTHrC*)={dYAgAO8~b5*T@UO+Bfixzwi5|!
zsKarIgEqBA2cTSEjwU6=yIBf?;epD74Nzp)(7u(jWhw=@Cv%*c9Km#)HWyL~mu^T&
zWO$v&f!J#$h=o68ra(qCSaFOMEfBbHX9S0X=_$CS7qY|kkY+)7K4td4<35j)Ja?8i
z$FO{ElIlCx$M4TVG<`8k?P8?mxn`(S%w>a^lLt5zr4pho_C54^TmcI??T*))>j={B
zzOg-oxrrUQm=D<J293>c$8dmhUl6#B_4I_FJ#`Tx3$-rHdWMe_ceyr)?@b{(Qw(qI
zz3S)bCXG>P%Aq<5TbmBBfJG-z02?!}vs0&w@eKg_+cVrG4jfbH5HN(Pmj)MvboYk@
zUQC-%FS@Ih=RiN7^QXFJ#JH9%Y6n{)5V1<MRjyscCIlFeimjT%@9^G|M;DV*E^lTl
z3hmGv>Y&P%G!-YI6z&&g1vIzvZi+Sl?3MO0LbmEpp&_e3dFwBZhA0Be?tzom1Eba3
zeNhBTUA|mTi2FPE%V+SXohGNd3aBtdp8?KH;KC=z$^o+6H8cX-qd~=12LR~ODmc7h
zq^$wNX1tC2ToCqAq1mH?0ybNl)$$Wrfb@J*&mQ!yPJuHB#SDg`3E(ttutX+TA3j@1
z)8Z_He&Mf?mpN7)w2EcbInRX*g4Mt!j>i+OZC-G7rB)%8oXQ%mfpp4f$MaF$;W36H
zo#K$<_srOu^m4!>6LMe~w2QnBvJXMeBaiLL!M4!|zfkW^dE7&t0v)gLiP~e5w=CYs
zXbqNNbyTpOk39{7)h@3+Qj9o&{911NM!0-0#P<+(LBY#Tx*~{k!a#f*)C{28o;H%D
z;_lB=k(f#uh`kHuhmGAYyZD_xDVeZxoY(8e-t0=Jjo(t!&k-P?$Wt@%R+s~&x_ljX
zw6muXLaFS|>DfDfvRkfUrT~2g1y<?H7K#sd`N8t_`lDn|fxOxP228H$mcXO6iCN)&
zAwnVw72xebk0Sz-I!P^BgyU{bS<Ngb8hiE}q9<d0dg=*gRcticUOu+S8hV9JHR0HK
zZ9)1V(YX{g9s>@%mg3DEjh9;Ux<U73(l3eYT~g{3iI!C7uwVd-A%PaGK7ge{P3;$G
z_?Qba=f;5;$y5}|;fc?ffk#<lRd=lIt2lSu?9mSD$LRb#k?#e*Eiyz&>}wg+v72}y
zuUVM(vXeRsND#PafLd=1CppdTp^XKTy14uAoaR@IPEYE=BO<B?$_c`UGO6Y9j>uS#
zFP8L-(BxZe{^@I>@tzHuynv(3r~(ndH?>ErF0Vt*M<E32)*EVlmgF^Q(J)r*n~hfQ
z$hjB$cB8P#1w!p8P6piApL0F5s?eeoJ!sEPWhxN@iI&K0KE<<o(xF-=hZDhg_f|q5
zD4X|gU}hR=a{6oLW83JdRniiBl2D+aFFk!kS2*(!XozQG4w7%qQrQI})fAKY^3kQw
z)cB&JL<a+S37ZOFG#_jnLg9P8lr45LMqw8n@nYYddKnCJoSOjlx(JjR9aHP1=TI*p
zKzhh{fnVZojy0Rs12YH%Zb2x4b6ewme7?rd&#l>+Ql9Nm)rv)A?exjwvC*bO5c2`(
z&oj8N5^YdhfSrhP<@vp}JZL&Mx_2ec1(+9GJOTD8H~Sn5j8LB_bH10<=7j<DHn&e)
zOtOfZ3<I3GN!?@`4o0A!=4LcM9;ZzkDPDnX1CS@JD3hC;`iwN;Kom?&r-wtwkqY=q
zMX>cDxVh+nKq0K=8xgZ|%J97M=v|k19n%<VaeD{sbbW(lhvmTeD&pzA?8wLFi>nI{
z3)v%um!Cin)5K6bEa=Lb5}5Q&5@dXW`kJ$}x`qV%Js+A^;Fc|x5>4bXqVG^A-;S(;
z?SzE{;nTZ<JwBdd@GE{aCtDKq@;QlKn=(F3GIxCKG&;)9#Y~>KK`y6r8!==9CCY<a
zwD7Y%h-H>^m84vV7e%=5?D>_a;Js%8OUUV0zXaz-D0#*sJsVyu@+|VoDFqQ7%BFdQ
zAGP};bME-3;QVty&~k<0Fp|VqFTBd|iM@Km)@g1Jo~fU{*5`#LSS*|!RN2&=<eLF;
zbMT0n^#LZ(DsR(c5(XG2E_HoX26!>nmUzA$1Gy~zGId626C<q08S7QnM7~LZV4Al#
zX@6SYhYTLDD4M&9$c8$3A*PRrG7#OSXzw;(j0{L90*zwSkfx$m-J~;%fLs+!K)ptX
z!6as>Kw)20^@|IAWC8V7<f60SmTHEAWdLwjA4XP|JTZ3|n7Sj_aTCAS1h*!!SIqdZ
z57vXk?bgw4<*LQZwQRk>Ly<aI=Nfp(_Nvy})%Z|BYXnE`*!5momio>~9J_2G1s<Z+
zt)X%JUg1iv3r!_!`G{w{8R;A6C;0GAY;DTM9JSvW2~~YcF6dKo3Fr)Y>>f#i&h*}F
zmw?v*lJH0gc-9LTMtXU5kCe1%4LsgPiBggKK++TF%RYPwGr7|640R;|oSHctPl0WS
zM;4y!;vSLnm6x)42ELYw_fW~wh?<=4p3st{Z7TR^^zP%}1S1)=P#)k%>hDP8g^nkB
zQz+sSMnML7!HCyj2aI%Oz6xf{@7y-ijceC4Lo_@>w+Pu}i|XwOH@*i*V6*i^ox@jV
zBCRiMy+f6knEBPyKsx958e^}|n=19-G09<)Ehv>ziVv9TwNAaE*2ExJcm-%OZZxQ6
z0lwAn&=k?F+gyaSDcOy0vpMxq6~_q+ia=hNK{I)t{q(u*1&;U74^&SCh%HP67xXl3
zP@kw%=9`!?$@8_Zr7i({4h_XEYp*ndxk;E2v_-jICjqe^m9CnstK;%Z_V9S-Qj@b1
zDl{*R$04O%YM#6s+_;+@Y<83rVBgq#Oqngs{cin1HyiZ1ibE<Ont9buo*<@Ri4G=h
zsdKzcidfRg$Vp8)j*81WyUHh~9u<u#W<`lBAU9{ymXP`i=NyZZMFFr5=H3D&UQ3(`
zc8s`eE77YWi`Lpo3e|OY8g(`W#|pQnzLq<<7qB%Dkn1EC($k6c4kE*%eXa@f`FINV
zRFU?Zl4sYTdrKECurs7C`Bbs%1>&K~yi(pHDYt<P9iBVQ0uzsj%prUOR`U*-Q;pxv
zz9+ZOo*|Y-hMz6{Zm%z24J}`i_PYYSbqrw+KdDz@@Zvp|SAykkHxckHyU+2#IgcM%
zbeBAa+u8<8#}F8Xd!>5MpOfb8+7mqh!xUVsY7sFg>9%dXV2DPmliHiH)=J$_?<4f2
z;#VVmL6+rDmpva;jiX6yEHgU-YMRJt#2m}00)Ull&QZ|qUKtC4ZJj|$4Vv>it4mna
zF2cxpc|tD>H`$n9rs`u^84kOK1eJb>Th+_d^q>Ns=`dKY18qAs_KRw)?dJ_@vQ4S2
z$2+`I_Hd9N8-y5Gi^?L5Cqa1=JoUQ}eAmZVk6!dRP49{~B;^TvQDC|)bHErI1}50^
zmoj{O<?V;k3!*D4=eM=8cqK7v55gf6w9^xs;KY#X^{fmqZBUlSLGJH;oIyWiSDv`H
z-cWAo!t_uJAvKzx4=28-;+wk%JD<YC&p{$>$Dh6EZqX{7s}w_wA&YrP<r%K-I*xFl
zmd7vF?Zw8XJxzrIwnxg^Pv14}5_5J7HHLHG)1cDF5IZ+VahMfI+q^yr_J$9K7zOdf
zL=Q@Lb9g;c)BTni65+C!)atITc^LxQZX#Vk6pxj2Og7zdjov$lI}ryO*|WraYvpl$
z>2RoX@&*e;ca?25^i?d}4N577){IS&L5tQi5_~TFd|x<ny{*_mq6947e3B!J85DDh
zBMrxEws_MlTFUO63L9M&*Sr8t$22uhLnYk#G@#XtmRU~Gs+kWJM^D2a3GE`SQYipr
z3o$NqRIAhy@%Y@tYXNwPfO&DF4ZlZ<@g}h;Q(-;Z!|5w}VY+3g6ECpGRd9jit@TT(
z`jj5MPwD9`!}RqeCR40amcTNVoWK@IyK&19gSbLEOK$Hf>C0rzXOAL?`jr>w4ZtKS
zusFj`d6+ZyTPuL0CccJ3xoL)RxiV;mevGZ`i%C*~orh!V1p;N~QCAEnac~5;eaE95
zS^Y?)*wwF}%sB3|Eu^dmN11Ibb22!MIT6--{l;0#<@Ii40|fxE9=qBtjK91)wwh%I
zZz9lE>SvGH1mYpMo3(Md70J_EkWFN(oomn}3nhCHkuV}}($B_-IG=YNW7%wH;#Pa%
z6H{JRV^nV}EJJDRiP#>VDPk{Bc;PPFIl<4G9_!pOwHY42WEZ!5FP&P32iX$1Gs#x9
z{qE-i<s8R%AGk&pdm`sM6LG&}1_$*S>}fJm8`aCk@K5nEeK%ZGyAw8e&6yY*SIoe|
zVG{jx=0RWz&E!Uo>jN(hW(ki~eE6yfvfcm^!Lrc9y^{_hDzLap2~&IRW2m?9;fg9E
zloFya_I97&fL8ko;sBV-ikbUPB(}7%&^th97+S>V9W=1hVTin3R?@@pLdmkGyf|jw
zs0S?U21f7&6)?+7_Y)$)mZz)l@tbHKd-C29Uj?ru4IN&g$dh`Dtkz-7Qb2+6UV9ls
z4$m_WGQNE8Dtye7wYk~!W$k8Li$>!<P8M1zGiVlg=LP|@3nq#E+NGg6`W|6Tx1wC^
zop!xjed+)&w^xo~al3VjC?|rWiVC_rR0!wlUM_%_)YEDJ-Cy#HryiSe{A?zD#=_IZ
z6~xu;acd25YO1t?%LvtX+lBWzW^i&kMnB)1rJTTbbpVT=rPc57333+MK%;r0dnrD~
zwG$=oQY~VBY9_<3C9vVtFF2>_T3$tR4?D9HvnD1Kp+KUr_%Z7M=c1pgwu$kG^t(aF
zrdaL1S>;WZgPaq0>1#+He@R9AX6U`pDf3uWMuXn7XW^Mx)$_#OCRF8v=P{<Q=$tdB
zRSTcjOXvxqr;TJIZrJY-AG!vl%p4#+O=yRF+y?N6hqH1_-{eD*8bnUN7rVqe40@R@
zrp;H-xFo8E<7n3;{8H$o9>*E&qc_W@_gYlC(}}@mV$XC^%KB~Df(sfglRH=g4Itjt
zF`EmUkHs{po~G1l73|BP?cK`#KM(%@{PVy5r#SxcZ~vP7Ur6+y%J}#HohZ}pTF>in
z$5aIypNS?Yjw+ov+`ZYy_2SZL9P*XJ`Qw)#;`~%5z^~__W`8b;J#2s!JnVA7R>@?c
zBvfU+=uiM9PBT#inK^b}W6|eK)cteO9>-X^Dm>Q{ojasJH*Tj`O7cz|8R<%Qx8E2(
zzoa$FFHF8u^26VWshWtN?5p9kpyY>r=-FT%haDZNhLi$W7=xwC)IAS;TfW@mGdJP6
z*-va*T%y)V6uR9!kol~gU+S)sFAJ`~TLoMPi3C-<Q);C5@j2g}v~m09etwWhO%T1j
zw>vOMh%c7y?v2ezExnq!TG0hGT(>Dpy|<uW?)vSmgopgH#eRKKE_Aht&C3G!MWd`6
zx2NP00v9ywNkSniK6Un9iL&Iu7e?<}%6bA-_Lk!3l8Ya7<a=zq*G)+GXZ8utviY^!
z9kzJC#8;?Eb<I!1tMCga`4lx`7;?As?%q#%=eq)k5liVUmur0^Z>2?2#O2k)?q@kD
z6tDW>F`>#_eZ4jPl=sVb1oZp~l92xVuyEJC0BNroGTKR}a93F{4c9pA(DxJuGh-~F
z)y=@Vzwk2pes`)_4_$Vmludr-*epNyVGLZtG?F50<pk;+zO;S<doKPeUSG1)aquI0
zB41AVDf!*8M?_?bTzbO&Q)j`-*~9m|Dlk35Ghuzsq{Gk*5;YCihM3=jFn&EYkg@yq
zai8Mf+#Tt;8;{xECvv}c9~w-jr!t#4Vh&4^^$=RMU>}BWW!&4rB-y2R<`$QGOCO&X
zpU*&QA9uhJ1<<}*-=X23AK2swu&^hfhHaa?K<|<(W0JOJ>dlhA=A=j3tT}vvt@zb^
z;CoQEr({gzNObJjTu=A?2GP;E_PNPr*|uE7PP~%~fIb|p5FS6n#kFn#SGRCjMgDA%
zNS}eW#SMEDqcu{w<iVDtlKgDrg{eb$`<@0)_S>?S;M8#;?o!ZI?gQ9(V~8pC==o%)
ze0?Q-zLQHLw^!Yu?iTBNh^cX4L_cp{ZEIaDdeiFL9%TC>hEgk+${ZanFxn}$YMn?b
zcb<mY=Xd(2CMgv>i?Dmf^F6T?+gWo$`{{{og|v4XH2w$?x;e5H6xG18i!TZeyI8T}
ziP>HYMJH*0eJOvw9;d~ieeigu2Wk6+LSx_@Y<GTr>kHn>t%hf&_ZHMdBrhRKyj|et
zuwaSi)d6Vl!-l|VQ~LVW_xX-Y)Oor@6d$w@$>S>Bfbb$r!u|Q`2k;mPwy$Q$r}sTZ
zQ`J7#cS0Okv7PLXr=F-<(?W*le0{CZXAswYd;0`fR`D|Lkz2j-!9(f{TluY7T*Z}n
zLcm8>u7?zy4wc0ZgC_4$xe^x=fD~O}qi5HrOX+tHBE{hF7*J8aRrfWK2e}Dq&nC|0
zr)TBB@==%?sBKUT_V$E`)0`h=)K<`DlI<3woD#4~2EF(B#h<TieA;jJYI<Yd+t-!1
z=I>eMa>-*wp!|t)y)Bs~SXZ#uStU}J$|>!wxhQJEK%nSPD*A|d(K<jsuj2OItqfdl
zZ1E9l76OekT0s}Hr@4+?GmZa@beapVwe?s94^Ll1j)pNuKs~f)9ei%t<;YbeRd@}1
z2cLfC-yIC(!JCt*64S7yM!lq%y=>27Q5Z$iOZe#+aB(8lB9l+Gny2wRoF(-^JTaOz
z9(_BiPZNhr)oKkgzP>x?^SigJfK1}-F^^ssXehTmQ0#FoDZWcR<o@l;`fB^EOs?H!
z#D#<2QQ5F%_1^F#l2$qXA%zKnLWNuVeNp`U^1SJw$HVgyLPb1Tp_{CIT<M_JcuLki
zQ+_&$*gQ?G_RC^cKw+O8vI}q3_ZXPEIglQ|Cf{-&$a}Aa`t#fU)2FNbx!UQ)#!d4g
zJndXgp*GujF0Qak3d>OV^XsicRDeh7O_k}p^HsgH*9#ZOG#RkT^7vGvV+MR5@-lyZ
zJ?eMHXdxDpjM#oo7HRn;HvBFC13jM!@ME&Q67lylZR#xQ%TUshd?#;QUN(wHykkjU
zR@!b8J`r@XfZ&(3FrZ)G|Gi#-^P=(Vn;7-JYqahwL^FsI9@3|jeEjsv+M-;3cFr;d
zMykOgi)%G{7DL#w!!K5DLk~P25L-P#c|u0mFA_g1;O|!(%FXK`cal*1oZbTv^l^Mh
z=O&i|Lb#;sve^L*@Aqc-nnY&b9!A6DD~O_{%O*SmcwSErtr^rMYafiXJwCSY9S?l6
zz=^Kzh0qN<=bUqp{v15R(Al{k7_{~~3W0Eq$fo|iHp`cA*H3{pJQwmE552<bN7<G%
zHbK0WG79vB*J*@_`@0JNOo#7Eumo*RTe7=kfav_lCm{-fnC1}^+%?nGcC)k8?@b9E
zrktU~^4rAdnKszED96K8oqC`sW1GX>cvvBCoRagt>iAxj#L;zI2h2jiXu0*+hM_lZ
zY8N4*U(?8JT-eH#X5&U9{GKJnZeiJbIFa6FYLD9)Bv@2;gK_f1^@c4B(<@FsE3@}i
z$@g|;)(?v>^OeDaohQo8<tyPNjOOdMZ(z=3-yI#z&PYNnyq`TT14MxfUH9J6NYP;R
zO$xkL-;u2-Xe-;K1VAx4$<$c&uUftrGD?T?wmIHFwTTTpX$x;Jw***Fk%8x!HZ*Z1
zKEb)uYFhF;Yuw#%ob?kl_bp)5dlZ|H){yNGsAAbkekck%VkYbT8tJQ=?;TFj^ljW>
zEERFDO;SDr8(!JARzylqqTCKONq1%Q#kW#dIq#<n>xtC%p!z~^RMI5`kXWISU8}yp
zeD4L5MM`aU#qwie`c&HY+UMDchGly*K8OZacQSsKikvJ;@UWG+4-e1PRZ>hB$XRx%
z>BY~f+@HRvyPoGlRzdFTlX5~=S)}l$B?J2vl-oSBsj+%cnxB~}zOy${>QK<CZ5Q1>
z*SZZ-g%D1Y=kM<IJK9bv$b+4pdCbvTwEI@x&zk0eNWJBy+{9Mvj<|UcBlcE!aVfMf
zcF(w<QC3iDmnwWET!v3S2;)AgH+@i-Zd4C3UKdE!TU1j>^atbom;oI~OfhU5V=3_k
zkKg-!ArXz&NyinTM5O74%3178Qa$bAX-sol)T~o)%Uw~+?crBd_~{G|wOc*3e4g<H
z=e>wf>@db$RqJVbn?TUZ6`8N9A?+-dA%ovjn|$@tBfO8?a)7g5+5=Z5=*!o=_U`$m
z^c2cAP~jP&vF1B}u?k;x(WggPRwmLmrSUVhx9>fCkPBBTG2n}>I@{x;n;RsTPjFO@
z8yI{k-qZ5^z2j^d$s@`)7uf?1qL&QgOAksdl3?DDGLXWV#hs&cI*rX|WuI=*?z0;~
zrWWOSk0`4v`^dQh-W}s&XN$KvhC`gnh=a{jBQAndt5k%hvR}19wh39}+^ML-(<cH+
z&bK{pK@rCNSj1lQShfriDJ9+dS8e?18-V-xmIbc2pTKq$0)g;q$%rn5hc3)afW2E}
zUj=qTAcJ;(y}CI~RjzgVQ<E5IxfC!}iAEmjskYLzUP!|;3ws+E0T`ZW%6IR0Che=b
z_vs+a2E=TT&r50du{=GretT5sW7~uC;sPp5;gxeVt*+D%%7dY(B+K$;h<v}<L-sXU
zqnnu^TM1;8JRi<Va@b2&Vn}9)46B}%G;c=nPluH6l;J`0;6h(}+pD1|poSdxCkS2a
zdGj879^-W&ndtG}wiZ)~Z#DZhrB)zIX!_4|i`A3Ex5q2x5?v5TNfEf0s#rOWWX~vQ
z56&X}y0zZMr#|)5RZc>2Zm96?Zt~sLF^EE=O5IMD_d>0Z_><Z4X+?lnHpTwb2;^k?
zieFOpZD{{?&e5A_ktnDa&o7YK0u}r<fK#F-m`FhaI3k2@81M7q{;u)cUlJ6PwzPN0
z-LaQI42{M$#yBwqS9!!pk^PlJZ^;u}vjXjdlY~u_&H&rRCfmxNTAd-zwagjCHKdwx
zs!>RTnHbfM8;hwMSB>S(tg`^@>8~p7(`nEirx^*320b!?euwx#n0mOGFG{-SOz^FX
zzj-MaS7Qv-=Wk%1k+Qyux{xdqoT#7uo!_~FZ6h=UHC95YsPrm^fl|N4WJzCdBi`pp
zLl3pt;<FF>_Y~uom3V^j`c289>1ExWiw3<tB}=v*@IDa*uS!2$rZ?7hC`RF%)o*%j
zJbDF{Uc|*uMk8I!t^+PtMpKIx8t+g<Pz0zi(ZqnFA!@5GNqHh!`K!|Sbf4N#f3*hu
zz!liIqn}fypshz-J62{Qt+b9AS(psY!%D9`bMGnXdkWgo*mjD!BXME#tJav9s@H1+
zH~_ImsS1MGjp`u#;v~FlA4AK$CQ5fqeZ^l>_Ji+qvnWFqoAx>tPPKh5i_Io5ysS`X
zOA{+$liPL)9-YUqxvp9CfpD9dOJ=MFof96uv=jW@R}LlwOW$)umZ#d+T`Tm^yK#W8
zP)kZfn`MmN>4|ie&S$lsjuc54wT}(CM$7?a<0e%bj>fsOMY+s0D~|nm-`O5fbiKz6
z?<ybQUQtbrZEtWO5QVE?`_G(kMYmP}Wzvrrq>phH--KVlTkogSVpV$anw&blk*A+b
zebtNlo$!uIgKJ<+_98mBripUyfqRA|%cD~^0$y^iY9@7aSaTcoA@61ndqSs4l<8vJ
zy>;{?jDEWD$m=>AX@^|Ign`O=8<K@ya$x=ER(Kq&?^!<IJx3qV{i>KgU1}RH!Vm$q
zH7UVz90v8znYCB%Jp_px(s++5Gs#;!fvt#kvtNvi$7`rlC5)p6-xyfWBAgZa$?}0f
zKFQg=*Vi_o4}mJ(tR0vj*({z1uewU8Y?D0ec^zLh^QT|I^b>SswoayWBD%HYx<}V>
z9`+td^qmR|yipLm^;ej7Hw0bJ=4ogzA*H%jMQx;KVQX0FXfpqN%hg!j2B+*HK7|09
z$5udF;~{TbqBy&9kT!d#T8eN3{HyBs>0GnqTKNccy#U1Uox>IOTyD(<4#oLX;C;zk
z4NqM!BA<4wJ5*?kJtq;Tbw^6lm2|PYR<Sr`dvrh9wwfi59B|9D$=XNVZ@6EuLjq|J
zaim@5@k=7+r;+dFo6ovGJ#4qS(Ls!ax{faz3=Y$nkXdwOUNuHG<wM-|p53(+!=)wI
zJjEMm=7hT~3Y#gj3_Hk&!q28utMg~&d;TP|Df1vL7{LkN9Xl)}!;y%uWzRlg%pyA9
zwph~CPo2xBn?2N$o{rlPtYO6(%eqE_6p&})Tj_o?>NozDW4Iu)NnY5n*5j_Va!F0@
ztx2DHEApawSFlR2OS5r*&I>vv_!e-1U#od3>pZArwMja*Qv>rVF}<U5kti0l=ijXB
zr>{xN<*6Ri!Z{;0)B2>7zkE9i9+;B00#_8G#a)>e*Q%Xt`V<xc9?Ao}rgA}VeFAjo
zwu!H<Lx4@f;P-WMYF>%>Q^rt2d@7CCOb_sy#`ob?%WCBej-T~A2sk7EOeyy1aE5A&
z3sj3~of>2As(MbG`*x3m43C>MrO$d7q&l5Z5mcvX39Xo6&Iu9NBIb1LIl}I+a!$Xj
zh+~DPKf4->w8f3CUb^o*pwh6oS=@1u7oN3+fcJ>8Wb_R_juD|x_WjfA=q4F)s*;Qe
zTbM!+E?49E0TV)*&f~TBd{8|Sl-;a!@bx<#*v!yI0T5)vvl-8a7-y5x&$*jdjkp1?
ze&<x4=%|AjcS3Ai08vC5Fy3_;fb7gSX{qX$fL2V#J#SupBJiEuWboNb$t)RqMA@nP
z9MR30Qwgbt1}^XkrrM0T&UN72j$pCev&Gr+^sHCWrB()L(M@_HoNFZ-q0x(i<v%e{
z3x^?JTK)4mdPx$T<fxX&6JP^+&x~T8b-r6Pqx0hVd<F5H<_v2r9^S(_crPi)((gp-
z)l+Nc0gr=l&m`fYcsWy3Ov2DGkH8CIA|#ynpy9yysXqXnvp9nYH#n^mCdBmLD5TG6
zna(|ocxMuPn2w>gX1nOHjOaYrFGXX@<*njI6vzh(0-sKJVyzEACpJydgBG83#2gkq
zec;ZM785%{N-i-y>CMfwAO$?(?=b5nG0>wdE%RaZX~|4n9e&{>%!cc)pmARP^aQfh
z_i#5j>giIm`B>f-tOxe9Bu9dM?t2GWhI!!T-dp^I1Acnq25GJr<mn2d>C{~}rIveZ
zjj3F43=f)T)NJf=CNj3-GB)m`p38gnrf0<>*%k%%YEML@USrpT$1%>5MsMkI?H3aL
zsz8mM0ch&IPBRYlDtid86kdw+A{A(@Xp_NtJr<;+FC^&G9Z}bd$1mJBs^HB=haM@J
zBX$_~z7z_rXGWd8ds_~vLN!Nt0)N_Pnj*e9<Kf_<5t~S$u(PD2wdkAVxa8nD%m(=R
zI`*%0>C{K#@Q|6IV_`RHKvlQ_h+7)S3;~V{g>*9o=M#%hpS*tbc8jdh6R`o0qeW!A
z%+o>2eJXL9^3jegHEbK(oqEv|9fvKKMKpYue7;#%0Xp1hp|9(mtZ7j+n#vUL1lF=$
z|GvCmjP^#Cii>EO_SjbP3UaVU<Oo1v7M~~@+4Cto303<-gFhWJYxx<Kyfrd@HI+7j
z;>P;)kzl_gEat1~ps~x2Wa+oeM0bEg?9i3@_WTNL2$PV!tm33};`lA{akSkvt<gSn
zcZsN!-y2zlb&sV&Aefw2Ld<|Cr&U?n=9ovO;F71NB2TZcLbAW`c%R<MdU22{N1ZQx
zjHBYc(Y@nI*{T#<o9KrUo>Z`p9gh26J&SGP=L0Brt0YRsf{60+`nX=bI*8GJ_TJ6F
zDUAtO%zI#<^*dS4yt`MzAVT*%FVch|_33kr9ZV@>27hM|`*89wyI8jG^SuatE2P~_
zxpT2IyvAF~sk2gEwlle&+lC?_dG4E4&kmWBWr}76L#yEzM_O(q<S(exI$l%b;+|;P
zn<|y2Y!(d1n_?W$Hp}-56U+8_Rl?Vg-;5j5<lfe^r|KsUANuMk+EfbhI0tQksqPmh
z`st_f&N_WD<q^Nu5$-mARXmIW?Umkg?yy-tB)5ZX!5Id)wM-xo<a*=#h&C7}qQfWO
zoUK9bdsbQAcN4@;<7s9JNfOuZYK(r*-35!1%EXjZ4p79!h{IxvHgkg%ym+^KW~4zm
z%a06&K2iB}R^%FT#M2!rJ$QHQA=$fQwdd3GWD5x`uo~kfoP!c*-8EN`V^cABVH!m*
zfFs5XgX#vGXHU04hNsgK7`p?M_DrqZhQ`a$pLwi!K=N$8A81;WK@hP84xijBMhd2g
zU?KqFWToJ2Dp=4jTueW4*`4T0v`B#1rfm^$GoE3PXV!^mt0Nk#T5|eYtMxfxFG>2N
z*ZY!m#H2j+3So2j1|w)^X18f;4F#sdPdTTV*!ILKki#-Pf94YHXG@!}l48*;X!iP*
zftkF1s;_2IP(1|!>fCYL8mLJ83mN}(+e#_5l5I}D%caJcaWqZZGim4vU?Z6)9bE<x
z82}9hot6}88Ir3`8mUv~PqnSo-%A_?&sN2=y#o;TW#TD0YJIQFi{|+(CV1x0PDH6%
zJE}h2`0|h%Ux#V03c!nv!HLi)=fN2+J#4Tcq58rmK7AMVk~CY?7}ch;vs@vVb`<GU
z?p~C`W#p<nl@)o^r35B(*pe&nD&LfY)shq#0P|iFam`5KaK~$142T9QC74%OoZ4|a
z^v1wmDExF_I>G@PD+G0}$hK78xNd{KICtv`kc+w#W)eYiFLD=pALuB2I&jrZFc02X
zoy5zwdn{x&jW#}#Qoe7HCv@oatr=$32&Saxrai3fu9-r!>P--OyfpyaH=FBb-T5Zt
zDM+blU|@_FFrV45zfM32Zmgf`0RlR}HGDAjZubTJ`B`4xoaXaR=3%8aHz{AAijDyl
z`NZebivz$sB5t@@%Jb?TsCLaViwCmG!L>;vx%Q0vrQl`7yC|PM>&O<Tl&PK&N6RZ4
ztmmg}@D`(~GT$6OyXW&#M}Yyki4QjvaU^6bo2`GkGBHD<2RvIwv}ciY1jP?5Z4hH$
z&SSg<y~8_71U<^)q%VZ<)0Ooh$acE2pftf+Uu8l<xkJEH)OT!eG_a>e1w1pW(J?Nv
z{gqJVH5S}j&s2-NQt$?B4|uH_<5P^95W@LdeS4YSw&aVuDT%}yO$y3{{fSXUMU}cV
zJv<-fn>v`vtll#)$r-DBAW3((mLo;HK-l($5q<jeJe5~V?iI&nh)n|oC}E!7E%ppY
z)FB}#Q}~^+Q5*JVmXRbo_q)C~KAS0ao!kqe$4H^L-52G0_`<PLYDcrA-V0wmZKu}G
z)oXnIq`3X3Q=c<xvRWoE>LiQOF~$hdI^IjKp(O+#5+)?QmjP_>D)|c~{&Z@j36AIP
z43ZtXDo1s&Sm;gB0k<)RZ${!&@Px{}7{FWHAB#K()lIs7jev;WfyX4GL@(vRtnSTJ
zCx!0e6#zdxDZtyl#-}w!g2gpCBHBYgJt_9j@u-NR$0QUfMF_{$vM5pFRYT#erg>S&
z>u!IY2cI~-PtSJ4gt3%kZJxxrUa{=)EPrlI_AZB6tC4MM^zNy6$+O1k%ThUD%M?GB
zJ=DB=S!-6Qcq&eMR;!LBr6Y-(4lYZ%(Ib5jfo`6RSn?uuG>;g5cDJ=|H(`)Xt%{~=
zGpHDUH^CM9K<1)?8SJ!VmUNND==CR3pYFW@_3rlGJh5ss#JiViM2wvzd0MmtdS2%e
z<0f7nX+5k6GDX5Zpp(v(Bd5xhh$*M1c*J@m=Of&*9*54!y{#xE(AMg>W;_USXD_g%
zn}|aD=X|=IWpd<c<d353F>fO?!eF^T_X$z64_)e9K95iy9qs(|DA7->jC@vUOk7j|
z`n6d;az*NKc*oFu2*Y|s7%iQU$zY^e7_f4DWU*k(W41<WjaExGges7cZ*ZATUnrTf
zPvvA7P+KPhlg17{z*ltK=jHJ>+eLonCLrv15`$0hc=9z^14X(z#*=nysjb##n8XQb
z=@;W!A)m_9Pe)gNenhcWILBoMZ6@!npz4C73tVDryQ9XGy*AxPTj6}!MW#8LFnDPt
zFuYuPJr=PY_6&j`Eo<l5ko%oGFTGB}wsSzO;Hs!tFaSY7zQ3=jFyNsw$5Pav9q{R+
zB~+qADTs=PtP<*gsC9IqolWeoye$ryd}M}oECIjpvQKY+g=9A?v&NjL4ow!o%1XA%
z*`9n@&%h>}IyXsNMJDRd&m(W;A=z`P1YB@`BJoNM88m^UBc-MEf(w#Eh^F1_vDHe`
zW9>Qy=(Q}hXTk6Knjtsy^ry>D=CfuoLNQX!0Wuv4(!3)#I?#e1tFV_2W2sIy56Ap7
zSNW&QgFnRs(7t=!`pSel#K>(W;WDd1I_l12h;IUDm|j~1a6P{+KfhOi$NOgLIZN=6
z900JZhM(lDUFK{k%1sLlleugP&I^yXPb!nA4Qz>?y0<>?QZK|`nDG-<A*SBQYZaN^
zSJ}k(xIMe(0#N5w6TesM!=d>CqxpSe_UZTP?dSfYkYIJ8BQ#Q6HBSQ5DJtlgdm>*l
zhK5+;^L~Nsi%TbMijg|9v$YYDJ&xO66>SxLooYVdxEV{5Cc`lWZ_($O1VOKpSG+Z%
zhevP9NS+o8CG1ZxJE29O6{BD`Z}Ov<t!Ea*^lqO>DqY%pm|5MZ8GZfWF27KVPv<Wm
z(PtF$mhnp7l3%AiK7ZrW{5-Hr^tHYMKPy9JovqQ=i90owb}h~O0ABQlQ&oD~f&l}+
zWk&X=Ase%%B?#~6s-LiI*KRd)HQ7-d`stCa198Ds>4|dxOc&*m>0VfNalZK!`?YlL
za|$H6Cnp*<n^QhT8~TJ^!^D@T+4p@AMm$?pF8%SNRp`B4#=?A?Jq1CBM02gq5MY)&
zc)UV>V(t>Vv9I^)rIBwuWqLtYYSQ!WW&1mQQ#{$XF3>oGZtu0d-tLLpH%<7!1;OvZ
z+bkWwCsgtt<@<eO=VJ(Bm2hgPN9G_>yBolC7lWX%z|942i>Vkkdw;fo`Gp*QCw&uH
z8d@1_EI`pGTEbz%cMnws=RFNyHvpPG#pz3`w?;?$CUPWj4sUj?9u{o@kaJ6J6+c8K
zE;ZUreA0p>=<=sJIA(Ep1;iw!v#FxM$1m=UjF&mh@YCr2ja}QzTsnS`^w7L3OAz37
zC1y5HATl=t7|NzoqZw&5i0Bt~-#5rYhxx-E5pmbVUnTV`Adv7Lv6pSO58k@)pd<pe
zo+Pcb1CEW$bO^a7I=ps+syKj~H(kJ)&g5i*;*K$$V<ddMJj9lpX<<R?DO1?m3!brU
zO=4lr?RkwC_<K_dDAup?Jw=}##0>|?OR$8I(l*3v)D+W}oigm#tsd{3KGFN^5PdAp
zU32rg8V!^S*CwEV4px_TK`vs<mfng22MNnQTM#fqu?ux%c`wo6Y2drqD}APv#C?`8
zZiN!^HDD`4-@1{N<5fg@+*vo`bP5`S*uq0AzqO3LN}Z4vk^7xWgr^e0GPBDc(Wt7O
znz?hFhsycB_Iv4q<gYsr)iZ$M3qRIR&ojCP;s<*Xh*CL57u10J8iFe%;<T@ybg{#(
zx^~GHV61~?MUBWRzbu4Ir3^vn1~uy8ohk8Xo1;>@9%hQuKVN+hx6>_|+fQWjT~&_s
zQIU|9Z#Y*mCSA_93Gpuk1(gqon3tJyqL!(NpLSf|a^$64ZB%35R?xj5K#?NY{zCBk
zGHSZp7osVoFV4+`9G}iI&(Vt>2UtR9IF$`JIFim7l?ONbK!J&2JJl2pk)!QMeYTQ7
zK^b>5sPOJUF8D^o=xQm%VtbxfbNXo0)=MqYWgl(1I%;ruFL(19q#qsq%*K~_upxxj
z`3gnd1ovoP4?mpPW?obUsDr4W*2B~}e?$9)q0lFWISr*6yoya4N9L>XUP{t91BBx~
z0HSk_Y<-X2>aqh|RRCO?dRkm=^I65v3XMuqQKU_?!2{frQJ8@tyjZG$%MA?1D17BD
zqEhgPd#{{q<dA?FC}RMH_=V@2LSTEpH@A%@6BCq~v1_D87a`?yLz8(bA_+{E0#4`|
z^`0F-t$(5TeSKZLy9_7oUN6_`zX~kgKJTYJ$3}pB=Cr+o%jTp}R!e1df@}|hNHG@)
z)`@D><!CLPRbTbhvfsKgAH7xPyTx!{td{JPNO1#;6w5%UNd-_?my(mxGt&d1P>zZ2
zeKkMTSi<f|#Gu30yB5$nINURpzLCKr7h_KD1wzlsINF_WK5_h>I^rU$QbmGx0jJ*d
z3Qc7N6!<kf3|1fu+I^Er%D_Al;3#edQME4y>P3f>43R%5x|4|(6uB@tKWbXbfHoQ0
zmktkZIZnAMuO9Hkl6P~tF1+P<8U5$IQp4?X83%11r~to^#HRCk=yz)9g+BAzM5o(#
z;GT)BH_;1A?Z!AC%e6nb+82`F7hd*6NEYgp+`06{Xnp23zR{c}Q^)0MuP%$CWa=6v
zl?UN+ReLaXb?6C=h=tl_jz_)@e=p3fpcwUaN*P+lpE3(dKzqxetGaxQiqa^8FCa1}
z=-|DDlBAC8=t52Cq;tF%zp%7TN7U8Fudy@X1!zpwMCrlCwD#O+x(7cVE>a-}2J`#u
zGv7C19dF(Dq8eHG9irHarss{;gU`zd#gdw>&O>9<x!!1{H|&xjHu)~%3%SSeLPCY0
z_pt)J0@BjPGYYEc$66rLRYoHW;|hahnkYai_+YvD<Yllb?;C=hZKffAOCtJC>4iuM
z{X~;>+}#8(v)}ld*OLm#DwKIJ;p4#GMkKXxLOk*~Hl;pOchD!AdtIIP1RE))7NDZ{
zpxIsw@5VfAs}X>lebCb?vr|<$<t{0Oub2`V2Hc#40GENuJ&oBPUD`@SLkqqI^8;xo
zY|Hn;3$Pym)5f72C3cWpqV<ySda&$kZbNdSM_q<m1RmXuzwiuLgu+fA7P5F_Q)89;
z5NeO)VA}>97KHD)+9S4Q-h6T&c>4F<`7yUJFfuB=1|S?)PX;G>ChG$=3_=M+=)mFk
zI^QF%aKcwwo7sfz4u2x%^A4_gR1nmS1=>5uL~mpVw<*lud+&%AJVi3a<xvT}0_x$B
zk<$RnTf>&Ir$qFUFD6!aZNZ;TSH0e!$vh!_bVRzl7G&GrG#MA_sCHBUsH*ICNhuHy
zZF00ek@tz{XBSF0UTC#W<p9!Bbq4UWOl5lW!a@W#su%Qi;^I|UG88^bddH`#4QVun
z{CsB(u#X09iG-Wq;5L^&o9aC}x45_Ej{TgWERfAR0Jn@}QyPsJwRIG9A<yRCoSo^u
zfF6dT%DE@%zo#7}@{m!^RA9LFBaR0x<ZCGtZC7ZJ7PnUYh!uJTmZU7dFvag_2Q<)1
z-^KJC4vkxTDjJu*Q*lG}b+}B2a~glAz<?`?%SaPfy-LTCdi6{faD(JXt2=O33Ezua
z6?iT1oFQ{L9)z}Eo5oW?5M-5ky8#9WxE-Yqu1A}Go@M2To1PQ=MmkEV74n(=-qJ3-
zUEvUr78=LbS=`byHb<kot7Mz+p*sq1YI%FDoHl)-`h5*Q<PM`2>f-K~Z;rgfj^+@1
z!J{1Isn)u?GCkg6^roD`d}v(=4;fs-<)IN^SVdu%R1%}th}avPBea)?&;8+x$|$<`
zbQEHa9`rJcM1)xRwu75aB)H^)zW}S2P%MHvIqei5nJo64`i1MVLOpsZ4QlWPpR>@y
zyQhNZ!^JKQc=T=(Vn}t~j@_w#;`)6*Ulw!N3X8~jZ6+-9W=fs=nD<!CP?)Um^-J-c
z=$f8+uBRI3fF2_+GFacGQwpY#%G)-=D$cBs>8+Qpsd*Xfq*FmGXdC3mynK}|Fi%ur
z&$+@)vpX*-BixeY6|%K1K1f0hTm+4W?9YE83&XWtu~;t`52a%_+?eWF=tkUF#F_3G
zGo^YKYnvtR#TT;Q7k7QzK-eKJ3wXCWj8y{jUR#t#@EEB%Do;Io@hm}D?J35fIH2Yf
zJw9n4fy|&2$YNcwxTDD`b4V(oV1vn|2m<S?p5crn0nowdcX-RZuW)mlQN~+$ag9NV
zZ!jLZNd>(vvC)C1oqlUR`qK?EXKV>vhn=12d1NxUZvdaPUiz}nQJ<SG)SI5^ln&xg
zY(M*!guKcUq&_Aa)sl&$P;>x?2c-0JOvwebL}WLeokWT0^*y1hd`ZYK%Zn<5=!{7Q
z6J24w-ZV@ZdIDpp09CJ()ce9WVDyC+q$);AdMi)qc!KhqYi-;1&1e8E?I(Iz1U(pQ
zj(G%6UbZ{@%&jQBBW9WowB@@%9rIKk-#xvxj2;ZSw0U=>>-flSu?)Y^mG2J56Bks}
zqGAv!>P9ai?*h(`pWWjEV)l!dz&lK<$E>P%;y{zH9cy}FU|kzt-n^ZrYp;h7o5G~@
zz?7pf;&m8LWaRbo#ITAh0q_eK<hn%FA*EQxH(~Fgsuh4ed}|zIw{>vK&D3a_=$@|5
zzwn(|#q(N{@*-X&q{fEwbV(SXad}>aHf)B>%MChH;+>zKtKYqhalPKff)b7}4pFj0
ztxRN%=;gL>*KibG7BOt9p}+TFrEpN5SPjXE61>YmyL`T?0jOQi8}Awy_X*i6u4inq
z0QuM-_qhV5h~PuqMiSta%ziwsrin!qwrvRxFm=1|C}@N22pd2S?IAv6c=*$MC5~$6
zUh3{u$h9=&qKRm)*G$WzJ6sl>x+icxts?L5Nx{B%ed3#Zo5mi-Q&3)OD-l(DPcYbc
zbai?RLpI&zIs(T-O(}v*qA4K&D3Gqe7rLZO?*%I5miM_88uf7w29WTaBAr>`K?~Dz
z$#q22FrJ?ZAZkd0Te9rF-IZm2%^KsoG8CsFjxw$~88OFa@qmBlTq)Q!H%L9(dN-jm
zu}}eHad*}7k^uc)s}ntSI#%H0PmKM08nf1grm`2$pGpwAy2Cp-s}Y!CVsV}}e;45y
z+=HF3b<f{CoOW#L2gk3Zb~S@tt+=KVK&a&;R*zLI(3_ps42KyZkf__MU~z@}Ee~=%
z?tL!|P8J$0hH`8ySzh#*m_id)q11aO9_zY3riB~5LqBKUG+!u5eqD!#dieUR)b^&I
zJV=vneJbpUn7%hL)?-5Pjk14wg$5)tWj!tOolAWd<UIP`TQ+Qc5(u6*(JWI#EDNQj
zcdy^3_?pP80idVwn2S(fr{KE!Sv>m#2*!f;WgXPYJpmW)e(>jfQdI6@n~Wu!y080^
zj??y-9YA$#JS=Xq6+Lr!Y~6J>-vLPO%K=#d{XMlkVvr=kbb#2oQEHpOK&a4)k{Q2A
zDP+>yhkLqvVLn*<g>!uNJn_+tsMaU$^om3S)eO=f8ayz<?!I|tvDxFLl5A?dQfX@s
z;dQuVi<WmsZVl>f&Fe|YDP$<PBc|x~QN%5LlTGSL7pu%2G0PlbxB0Mz(pnZ7ZKPy!
zhh-~mBo+3_;H7P5HOom;LBbJR5Mu~4QNR6#v{tMiuhS;l+iLd|ZkZiWG931^*ywFB
z%oq&WlNSiI<sV1~e0IOu%MyDWI(A-aAWI`9Uewr5P(^R~Ugh%oRS)ab8NXe8E2CLq
zlsm)nfLNaDI*AMHz80j-u#l`9=3|D58#{|tsw(BwO_y1e+T2Y&AA*<UAqo;p$~1_s
zI9ISL)nM74D8cR{&1AMjMy{uFCo3hn{d;N_pM8xx4EMai--Y6-@NKmQqhGK)E7C~9
zt3Zy#w{1ZCg*ATmL0@rv?=sM0)b*JwQSTFIdrk@+GFbVz{GueXw$ms0xlbBD<-G?O
zUT;vZpuoTgke@9G=pDuY)+XGe^1N8X#KRg?H%HKzH_U#s2T=Dgt_pyGaZU~IC0kgC
zzSAJ5*=Usq=FeteQb4j$A2!gRm%uo`aQ*2aX*KA%2wU;QgI=a|0t}z>%L)@#as)e+
zJF27CJzVkbeW6Y8scex(*j(6Fe~miGPx&Y)u#U8ymM-BDWkefJy*zv~(RR!`DRg5z
zfYuF1Q)~Rj84tz@26W^+CcB@Dao~IBee*1Whzs*BfH4uIOA{z64OdrOZCq01MPRef
zamSuFE^eeLL#<+GR;LCzG)FXESt1Qm?)A^!=pOru3n^X#is)s`YHA92Mw;>nGT-#P
zU@NU6?&QS){KWgSH`4B=2A{ax+tJf=SE<T<mKxx>J=Tw6Uv0mGSsdsDbiO3Ogf4t3
z6lG)CuzIHomQ0U#;|j6*c!}ZNn%wowXiL*lzMdzi+@Umppie-2SjF(cOC73r@0rNs
zH>MH3&JUuQKr&HLrrrawsR$&-p{_?tPwbsM`ROMER1d?YX3$x>p1mv9*Cb8d8I!O>
zSCwTV^y(o5u%lFbA<my&a<UMoq2SpRJc1OL6YWP6j3%PwLXZ4KoNB_9BmO~_MQ1&C
zJ1CD=u8a_&^r>sLmAYFBd(L|e0*CuZ8LQv6XB;IwL*;RzWDk$smsx=I8V?l<l*Ww<
z`;y&n7*Oz?6467kirRa`ZRT8-***-T(t}m$qaIE3`@T6rz)}0eq1DwwM*?7X9^+Py
zZi?y#y|<>7>c)FrFS5Qcf1myG(MBYlL+-)?AXy|merJpeIQ;Ux!gK^Q(jaV*fMz&G
zf-Pr|I3`(-my#V4(`ndCgwG-Z_0e0G7_u>s$5t_9^q|h0C8zRwyP2q-XA($Ja43z7
zt58;Ujks5zb~U>XL~xA~UFeQH#n&XI8JR*R9-DdBhc<KeGo?7RLD6GWu0KoL;qs+%
zS@n1;>mh*s-fM428Z*t#afwf*%V+20j(Yk88jd>Gm!0^$rXHCcW7&JXw1o!pYNmDW
zSo7>&TzL``baT!5LeeHh4yVX0qRJ3P&d!ve2?;L^K97ykn*myC9?n<tMqxRhF~4RD
z<Q5HK^HhzEGMa6sJbC;s_@1Ka*1>!I%->UM19%1l4fUWs!Mz>D@n;Vmm388w-nVxZ
zMK)EZdp&9FIVf~hNJ9udw5<aI$yXHeg}cJ1!{DmCGV4N-lQs*()HfF^!>>t`J4f42
zivfmXwlEMNo(AS*LP+halyTL74AV!hEF(gCyz%sGnrq%vn@7Z|@Oy}E>3EUTBgrjC
z@~WLg3sC&zsqu6pF`aIpZ(VB(_Nr}e!J~;2+wE7kfv~8NXI?z}e2{JK9r=S_$oJ~d
zjE}sB*C^%gw_^l~ixf!m7;9&fX#sX2O+^~CS^N|E&u*%ur{3tPktzWwk<m|Ufk#3`
z!;dDLXU(Ggub${fxNw9OB8l3D(zuOF)XQ7?q`cmd@+qjoCIfjm?$&5~bFvz_lm@o%
zipG0sJxFK~wm8v*N>IXDQzNq;BzK0htyc}I^s=-Fmnj^1HehhYXs$dG9SNFGL0M$z
zXI~`;LvFY<R3MM5+m%dl$Z--R=Ro1feKre&^4MR#@#38?>`gzh7fik4e&x{C>aBpN
zCaVx{OEl}`nn8@|ZM8l#CjrHaBU{UO%A7TLDdA~P_obM1p3rNdZ8Z01ctPdOcElFa
zi7_HE?`dbDcJ=fIl*J_iY44iVy(}yNZmD=pB${JVyxDpq(-oSXuYl9})z#a`3-{ix
zqg)B=3J8ne$~VFrH`34}oXrdgY3N<62BQ}W7-SuqDo$F@-Fhl9H}ngA|Lm}yd0=$C
zo;0D=2*n-P4zU{yMpp#VX@`(CPTS+u2M-FXUu+@|x|pLhY=k+^a!!@J$GzAdwj$`>
zn@5D1p^nNv3zCb)M8SSft5;ASm)Q2yYf>d6k{Gn`S>)P)McCV>0ek)?iZIy?mNH{O
zn=q3GI{F>~IHW@c&MxZx!oP&`TnUP!b7(X?(KNvzH#4r(YJgdqpG$IS8>iv4wDcGL
z@!4yIFVJrQ3JtJE;GOquI&gL;VK#b;zN~<zM4ObLw$V`cQ*jUz4iUli9_EGH1Mk$G
zC+_nG9~AF<4NNRDhb@evZ|t74m@vP`Pg2cs5qo4Iq>Sg}oZ53a2f)pO)kD>A<5{=R
zQc+CLQ=Wi?j-WvDNg^sqLVN;M4GZ+1Fa3N0p6GRuLaS$XC}(&3I=Lfa#TJ`S>kvXf
z9Pa@?ft|9j4+aq6v+brni6~FSlJ4zTwcOEo&z?m4BoA(DTU$G&J@SeYf0t?-aOz79
za8)}`kyUjC)hAz~9*3MIH#<{tA-}qguFR03gj*82_p((Tw{#w41vU<l)9t7Mw%Ai1
zZaJ#*)-(pZdSaT%C5IviQy!vsX3xAy(;A{StvI}|odx)WeSeXVc7TGrt3`P0WUE1<
zBMOU~KEY8Ap>%DRt_a!a@qlvZn}p8}49i)tAkR1opr<t5YLGe?=#{)KSrJ(6N5TqC
z>$VaP@MN3b9xy%^IXKaNrXeGmc7+d3gYzhHM=0><c0<l&cjP4&HmxI(Uft;_=dAb(
z#5N4I^euy6uI7_LsSYe@()T6=b+|dbQQq$JMf4hcj~X7gB}}DcOW_DBWUf?z{_Mq&
z5d8}M1kn!m$vj?SslvA+g-RQ-#r7VmVCcY0mq!#ApERI;zXiIMka`fh%B(AVJ=Z?i
zjV5C_*)b-Nip)cd5u4fMPGIp~Z)%|qnKA}SJ;gYCJW0!t&;V6aSXC@pF0{uLxvd51
z)2$neS(%)plntpZv!*gj&4yT}v3#@dr9D8sJE!cYmwsqr!$oPNrJ>8SDZ=nLvUfS3
zG^JoQ(+r5HK>chBHo%yvQC4qAlchX#Op);&j^Y;5bmJOjo?=DMa{$h7B7i>oGL=qQ
z@3^XLZOj%pPza$v(wa<bos66za1W-QyUN7IhZNO4V{ojoSNMWlTzsf-P-O7U(oLyD
zdI1^v0}*se=v*=(e%;YQuH0BJOZ6CDA1GmuJW)BRyQer@PqF5~965$B8<POmbA`<r
z0UpxP)nN8}3r}=oqw;v1ELUBwa2$V5!`tBE9Rp}d!$#Jbv$oHT)Zd|%6LsG9<a?4R
zeGHfFeeg*If3|3ZDS;^J>8#WSrCjFP=ZKmVTj<LHi&Z%(oseYcdDTPw7~cZ~m3STu
zkGt(iNyxFzW=TcdAykvtKn_|^r0JwP<ERNAZRkMKnsOPaYtJJrnR2Ab-htLp0hXH;
z@r`$+#j7(bHOS%6?La|g#DH7_%;Zn})g76NxnV&cSo({5`MX&gE{-CUn1b?AA)N*i
zL2b?nXl+Asf@{@^>${S7!BZmoNyhtZ*1`N{6*|IdQo$7gQyJgs+xNsz?&1lwK+FN?
zddstLZWZhda|<-dtb`VhbsCVy1?uMzCSApV=tu~Pg<IM0d?MK#m!`DP;n4zaUjSO_
zOIWe@Y}>ADHSL_l<?I3P5)qHku+^)3q>o&YN9&PTID}C`c9wvrDM4cw`PSPQhU<r{
zxcz&2NKbpg3;_<=-APGFIQsCYLS4#OsrH3VTQxJN#ChN1HyxjCd)>3Z)dMv+Q&@V7
zVD+_Sg|*GFJU=#9=J2qTgXRE6dC}<xsJhS09(P|Ypw@fj<6-RkNKfw8QAv^Q&~p1u
zv5cm6X__Du-Jx&EaV|@C*$acv9iPCW0@JMQ8<8BJcby7hgasN@*%q~upo?a=-VP1z
zEEreJ&t~HukBDNIBUnYr&QC(}FgDzWZAr`~-#vcH=JCga49mOju0iObR=k?_DnO_2
zFe{%8{03tI(|Jp`9iifhQ<q;|(se~p39G*=dp<<^4hV)T6uNM<y!m-k$;-IjG-8IP
z%#5VBJq6H@HLDGX71OE8oxEIFqr8o_7r^NjRK!r(BbpNS@~Jj+!{f*491jh|I3ksk
zgQ6C9pM#9{^2)$KsNDv@)6f)EzSr4-766*mTPE^oOh)||C5Iaoy+_5iZ<`aYNA^zY
zY<XTFKyDqNPX}FTKG;WL2Je#+{cPnDxdf$W3&m|29(hI1^zy-Vl8mchAKuekcHYzR
z_fXt2vEel@*SW7FW3S?qzVa}hP+WgZML?I5#|tq^a+%{K)fkge(%J+Alr>4$EnZT?
zw*pp2fTVm3^4Kv1p^>VImuBjnAr82u>rP>@2qUv{(rkp52Lj3BGhhX`2iSewX^v9I
z{o)rXGrYCXozOX)XOw4r^<o}OP4_E2yn8C$xwmR`W)YN~-%Z^<o4VPq!>c%^kSt;)
z3ooOB#G+veoZfQe@K6?UhT~UUOfHJTcn%h2k-8BM27&^v`had4O&i3+mL*cVFf9wz
z*m>)Pp;OvQ?isM}>(D{wB6A9~hqfFjEG3I2c+bXnY~MT}xecFot7udr#aDMc2o$Tn
zY&2^a4(wu`LZH?&nG@n6*hQe;tv~GxV|Rn92*OI=I`K%Dg=eDIMp+wcIY?yPs99vQ
zWIL98(&FD|WHTJ;JsHf089XTZcnlqflJ+2d{Y{`F9l;La;j`K^raDfAy$5Q|#;;te
zz2_O4!y!z^It7+EbEKM8C=mJ?t_2@iSZ?x*2P#NT0V=~*C9-Lum+wSx+(YX{Q4dBv
zCX}2|YeOn}E5J0MLQD(PNcJFxb{;;h7?UyO5t<60crjdXJDLtcSM~F~oEqOl5Vp9}
zGLhXZg5H8@vl4P;eYdDB(d`*vc?V`p-^BPQF-#LuP?0&5?x?dmpo8ZM-~v+PjSuOa
zZX_y~B;~BgIm^H{yThJ<0Sp((KI(=%5a=GPl@*a92DgPbRu_(}MCQ=O$cZ8E+#Zzf
z((oCcsn0yL6N2Yd!wEj`h^XFfObwvCXT>aFGXlq1kDj&6MtasLrO);z;BvXOSCE|)
zcx|z%z1H((hlcl)8llJ3$EEcuUS#_71@Y-o8e>^NGqNC}wQR_9foDpW`E6zK+4A8%
zgk=P$d?x<tfgT8Qcxu+#+czmurRTC*FV+*!jyeJ6D&;9P^-$fcm%b~)F=%i;L`E;s
z6dK@i>}=U>iY>+(0P|85HP=ZV9dBj`Z|P@MYT5dx@S#ecO1&rVjf2jt+;baY<F*S6
zYKquU*RmBSTx(x?;*3%eTB2qXq?0XHd_<FO+zJS&3G<5_uvIa6qqKk(2`>g^wqYO|
z=$=I<<<=|oWdnmEIG4nt&v^ymd%s?e8<jH)q=#=p8Zg2P=yfdel%@0#UTj>yz%f+R
zSCu_&pfK*FDDw~>dv1bg^MjrXGjl&(v_bS)5g>Ju3nqhSG<btvv9^v>xd^r}H*28G
zfMs~vw{MB0v$%*UKvHxg-huCu2UZ5ryl9@hEt9j>Fo7<$aiR`I(|%gxNpWa^Y<vZg
zn7Z7C;`fUlw0w%?y8@Qgw<DMWd-yz%A#NW~i^jy`c%7CEjJ4Mz@JSDT#(+!R9eR_h
zs!2rP__Q!mn3}euGTuQP&K|B^BR5Cn^L?1zl;SZEL8cVS&yPb%xWu|(A5dToIhnDF
zmM)CfCiW!wOEz{#O@HuQu8*%6?9A*^ZnK|jNK@W34I?1&HjBqsPehxQCc4t=5IDC2
z_*JHFdR;}o^HqD)3nSDoHhsh1F^3|pGi<D7GzI)#NG5P=NeSk@On^Yj!@knC3WYs!
zU`5dv)-7s<tbs35;>9OH^gZuay*#XU5DkXC+<6(aZ_BvXQ%}YzU5xoXVD;I3TiDfB
zBH1Wl#-+E<rWRQHi8$@3E%Cj!CoYpE5OY}0iXi&ri9RYS+<wZ74$rTNpIK{BCa_4n
z?P0dSJk5JuO^K+Ql|D+|VryUr1?vXZd4WCe)l{G?Q0M{%jOZ|r&n!YoDX^KdhjHV?
z<0jf+mi_sLUTd^$*6ejGCqBhwi|wFhs@Bo~L!jtl6+ww9Od-LvZ;C#n0ioIfA$qqG
zJl=r7)MuSjJ0XggLU;?KZ(Yz2wH-W*!i+@1b1Bpv(u@@>E&Qyxuh(HnaBExL1yC-s
z&Nj1hpIZ1ibxDxUN)z9E$rl&GuekLdND1p}I!~`@>3q@lqISIZRX+DHP|Ed3uTy7M
zPNZQUWys)CP^Y}Br|IviqsQ%NpkwVlpJjNQOLQ|tKj$6pT2Oau&t-)Tu`TdUF>`+X
z#4hI^`aqX)s9ic)66Kq3lK3+u#4EdmYV7wmUKEZg+A!8Lg08hrvDV9X58}-;MNwP!
z*lvBNp}r6F%^A!&Yd#xjLuS?zATO3+7>X@RyGY549O-)x?MdZ!Q~|!;y_0-cDUH40
za$Dh0S<z>4gyIXlXREvv%|7OTMmg^c7fzm+T{9}U<gzCy+(r3pvtD3MY&E2mHnVq?
zpQ^<0qol{`{j(pfc*e60ADyucrlDJ)i3nOn^oFKZ(3+kEU5m#<9kQ_UNz?m`3!4wt
zxeL8G=~3f$Yxh8z3+LmQENao{Yn^6KjFS$?t~1TO*kpTj$0cvihIPw&-yL>jaW!J}
zoz@07@DjK=GfP93BU`N$LQkvS@p&ZHOl#uq*gJvOwMGFNP(>l>MitAq)Vs0TYW;A^
z_r}JR`w-3_+$#E7uuk%HN~g{R^U*sEd6nRRi4?EL$5wSN@Au*}gY_!%+^*DItax*z
zO^Gze-{dnjKW@5PNsgP6KZV`ZCsFc!6c8IJ+b3YBI+3LIOo!PS*Q!i?-oWeT$3BU4
z0SKhLDc5;5OJXrarzL)YI1)T^7FQs*ETPMn4tI2>I9RY^-~b|x=q<d$J*5mHq&U`5
zR2(${+07&bT{SgH{chYvr+OESkts<nFnscy0W71W1qCtpg{ig$C4~^M`+IL|Z^=pY
zig_L>JdUn3&UhBP0ImGf`cmbU`?-T_lL_wR>Tu9=eB7tR(ppd!8vLlABn!qXwf&?@
zKO=;*7QYgdXL^c!`<~@nXg)4Kf<VajNDea)=};IN87iY1&u&A>02U@JR|C$6IJ59n
zM?57=Lya;Oa>T9tInKVS6rn_YVix8hfZM_&4=Ug};V~7|po<i|eg6F7yl-P`JP>O`
z%rQ-3EGLX!8UjtNn3`!>D^oQ`Mag1-*b=D-r9`~Osp670H%!D6VFN^XujMCM7|C6{
zE`kSsRVh=7Z%O@>2Tv24)uU>|cqE3U>fI9=_$KQ!Omv(1%NIy#S(3v_kXaO!ZeZ5K
zUCzpy({Vf<?*w;F2#Zj055bQxAt_wM!m(k6d$o6-)SNjr?h(LHRF>n6J_T_NeLGp!
zTT``da$`XP3TKm4E?iXLA?}xO-l*I9!V6!EOz$#F7iZvT_`c!bEMMPjaFX+!t=+}Y
zxrYSOfT;FX_>p$z6F#5Ct`dtsiP*z=zxQ>W-dD(BeCHB2nwbt-!?aHKHq|SeujKKO
zs@v?V=vuG&q{}{Ig(*ip#k(Veq9>A#gL%E?6z}DxY=GO=OOCD3Drv6FgLU<GAsv43
zE*{8QtXW;Q+?7WihFA&lq76SBW8!9@O#^2)nvrz_(RkT2$vTo)9+H`;+o=ezozz{J
z+UpiApkzAkZOd&)<qq58kXx-GJjTP7^<4z1eze0j_6k=d{MBJY+-l+_@*Y>{<>rni
zC5AvE;qUhqxoU9fk|nLh)utBKN3Vxn5W&Eat@M0vd@u={!yOy_lQ91d7^Q-Itym0w
zmE!Zp*5Tp}KJkEnJ{*U_Ia+mapH_qy5|uFGJmT`_Nm-EF(8t=(AIp}|PGr5RUQ5YZ
zwdk;1np&3iZk#6tI+NV@&{d_yx^`bxJ-d9JXMS&2MQ@wfZr^TIUJ~fy9@W6^%QdWl
zjiQrxfs;9hw{>H{#Ezq^Wz5sXb*5MNmN@V5)OUEQ&!nRwT95Q+CS;mZLa#KrdFGzB
zVq|Hf-r^Mff}g7MH6ia~&f}?+tnW-1-%&&2jlDXV+4ml)%xid)6GnK)%dhK{X!7{s
zEoy~6#?yXtc&0G?jzYJ>CVWI8N67WI-}Iu<JA#sTV{?M@>X0pGRJ0xB=@r%q>L~3x
zRb~VQ!rtpfFN5QA4JXs<tM?YR<!MuM^o{QZ0>8UpU=XiILQm;j+ljYO>Yn3jS#)y(
z5xRsFtN41cu~Ut}^UWQ(0cy5*Z;k60X+Vy~%dO2pD}$V8&yUT09={jWG9w|3^fqPZ
zI2g#}R6j{0_zWGdFOkdx7)Vd`cIF}56Y*LsaT(y27MbjLtT;!m^J+NSx*XVcxJa$Q
znx87^doj>01vAt~glGGj--~>;5#cg4vTAilLCj(^n<ZIYPce>@Q>>^j$P<XR$kep8
z&q34!;9cjNhnw0okk35Y6y&VR*=O9jIEPn(Y|W(lNXZ=^IYhMGT}a_;2-!r2g^FNL
zS)ywp6*vj}X^-{<uAd&Q%=tMgabb5pz7#mYO=H>j2*>75mGO-)Ay$9W_8C8hSEVbc
zFD+E*H17qEh9+3|F=gg-?;YqGuTPv_KoG>L8p`N~xw-d?y$WzEG}u1QbRC*En4ppi
zd+kB*SY_0-xGR=wJJ4@J2kP<cIvZI>2G@ypQqfA}RJv%WJWWRdwQEar;82Qr@qAEh
ztzevVu+G<!*ec7IkdbaO-w2_-ci}#zHwRB%4BT{b@F+(cMV_H<v{&WxpYvF~l{DZ0
zF+0yCg%R$8H3)p?6&#+G=?~8w?C_bw)7E#N#NlTU@kia_EbxRwiN?-wZ5drTsobSS
z6DpOaUQ_bX4bobu!n6@cCq=?Eq}$Y+R@!}*52siwW{N4eBKuY5+MKkm5#XYop=F6K
zQs+F=+7}9*LnFWtYx8_)eD+<6XLH}??e6o2jNNvB;mdn1c=Cn;#>r=<yJDa~XMiv%
z`lL&W1T;`;%M&re%gbFCF3Qqj!zM6o0LkDY&Cq^P=ZJpPC^m;AF!i_?(fQt^^C%|T
z7aHi!-cqW5q0h2)v_7e$&q$*E3K9%Mj8}}FtKx>=)-tIWUL<xp^02ZCV=j3;S2*J4
z<n(N85&(Xw3QJ?SsKeR)>Y|rWS`VeL;o8=0c*sy}RVSl&J4pQes4f<$UUskr&*)Mt
zgY7J9NWz?Q*EC$KUYUU-Z{dqh%0Lao+I<1k&)OVlHTHqra>MH_5h4pp5#URwI0GXi
zB2~h(e(q@+-Y^=OqF5Wp_Ve8t>oR0_i%6jRLuw04OsQ2Iynw?O5Ac*x!s0y?NtesB
zPxAOPoCuapmG#oy)+5Wn?pq=Bn+F#QWlPUQ=k>E55d{VCnkF062N28wdK1U6cQel&
zfM~!GMfg!3Uulo98fDp)6em~LKC8tWP9pQp^^_aM#>ad%ETAScgbr*^JEv3ZA;SR@
z0MKjY2U*ZfefExspK2Vx4S?9At$0p6O2zoV?o~cLOx*2<`f&Y?nUR&m+SBq>!`chh
z1F3ZaleqlZ?<8V&yIaGPUOvUNhp~ad(e_Z0@AbOdRC-L?GTEPH)VFOu__R%yhzULs
z#dX3Oz<fsRT1|Ivujb{B!iW>Dzs$8a4u(MC2q#Of=ZB_(J!F$$g<FrE&gAuAhmg8C
z=Rgp_i2(TnHkcQ$w$P9s5uE1r25x)8i4fz33O(kPUVa{BWQN-Jaw~0mlAwnoGtwmp
zkc2Ou&&1=9tc+zBs=-m1Nz0XKcv9p%380HzInLe46qJlIB_hlqt>iNhh)*ScnrAJH
z8!BkNMvC53)O+j-Fw)hqaW95)+S64G8-rM}`QCjK_<ek-jXELi7)g^6l^Mi6<qC@d
zb(Ls4AZ_s4e0iuiF8P$kVV}T*4ZMdc4fgtRwkom%Bc^xlNOb$YeuBOZJ=Eq|*jcAq
zcg~x|>448gfWa6c1m@3@$+d$Mx7UMWm0envt8~-T8m@GdnU)FGu={O2rKD6^s$1}b
z?wsINteuh>D059C&r;O`TM*Mhj}EGfD}w2Kkxj!PI?vc;=@*4>7!;rtcH$)rRX3U#
zCPodQK~HwJ`M@JwsLG{e&F7`_Nuhj3mrm2+M3RtnG<8xm0QKi;BF~1`PoRkqF7g7j
zVXar7-cvx=TZ1Q-v2L*zH*YZ2y$zC|v10qPN|@11p<vxSU-86RI%#Z!w*>ffST(oU
zg=;5fqxLpLBil1K*)pySIT91oM%tb$Nc!v*g}KJo&KQoOq)ZaO&_P_ptSTfe0=<MZ
z3){6>L<?6y8epaAJu_*##V0wbHHqEDq;>k<FA}*%uZ&FJS<d6YvU-r4k6zZupYLUh
zUMv{336Da+<*WM+G5Q%|&a_;n)gB>`jJ^$q(7`dJvdXh705sGC8s;KYXli$AM%Y76
zF)eHwhCM&?Js-NK0$>P{Il*VIE7rzp&pISvJ&%jj+M`jXh#lGci8FV2_seIP=0HZg
z_uAe|7w&UNXcG0Aw<Dg^q3=29JwkZBE3D)zHD{$<P|Uu;xQyl2^a`K04m?m0QS054
zP?(DaqOPYgug&dVS8~gHiP?b{a=&O)^{67L+=UjW^TUF61LIm&)%PY{f{|<c-qXi2
zbh;j~pEMeM+NqRxG%#&y^%(PAyP;ndr2yyK^fR1IL{s!QjmPi~?$p<n(lM-@BgEvz
z9z9MWi)+%SHLn4pbZ}?u=ovePW!38lIxU=zN)J3SaEt67NiB2@%;2_x^kKh{QjW&S
zt>^uk4yF5~Vg&r0nVV_W+#Ktn3mhqyi}b6lZX`)|Xn7-mEyFcnt0ja$hzjm2Jf`AY
zfQm~gK49htfdraaBl&ZXCncY0GjRgXjKh8L!ie4$skaVQPi8$Qn2knFmDW>0%TFR5
zK8eJ>X-exZJ7z2%+PyoreV!AS(dOQK+yt<I#uE|Bi(Q?;N?fFGgMj1ZKCgPsDOI6&
z)qb$T$FM{pnv>OJDkpYjii^*->s-`?c}iEHJ@GsqBV@dtbI=*@)P%){4VTt&x!Rhm
za_AkLE)=UPCBk(gM^a1ckl{`>Y==*7yS8}Vv*dpJv<Zb?w@A+@oe*XPrB@o2hec?=
zs3KzwFDvZWUsTS$=fS#bG;yolS8RjMnK#oG;0vf^n3s;*;G77F@14vym7fvk?Gvhe
zgk;klqI>WBSZ36_h~&z+q}mp@B|W?<DHuh0?Oon+sWHBzhubgirGesd4G?m!lU5cx
z93H;QEHBub8M(o#7i{dp34RPBJdz^aRplr=`wZSubW+Xk!NYj!3o;`pV%_b~kf9h*
z)&0h7`;M?xYwo!|iFsrft`FhdIUQ1}o2dy7o_SSdSR(1QT*wpL2S-8q6kjk5$ZHqO
z9>D1SX|PoFdYdTUZIAO+RSqsY3qM}g)-Kg14So5TwqF|@FIv4%GDAQ6WV)!~oK4O}
zq~7g@C1*ths^N)JU<kZ$hZpwTTrIWV(^3Gp%Z`Mj>-OcMw_*E;pHy(k*{}vW#qfFe
zyeig*ST5JZ<Xg~!U5tWf;0ifRPkTX$)2F?-UtEZvYry%kE3Dxb6+VlU-h|@w+8ej*
zJYl8Bvbo(QbnJ>&tu0NhOB$PlSEI4<a9$1p(j>JMVfEF8?@O~R%ERNEWMV#eI_!tj
zKgWN3N=KX6EPs-t^@d_-vQ+SK>M^j>!Gz3_ZfhPaA8m#&IvKvtNdf*WS1s(Sp|n^>
zSKJ%Y9*>cjd#6C@SP%<sI>kGwRC$TQs^yDC?&I$S&FO)Yg-M!n^^>-O$FQCv@n=3R
zAPW$!JQ?v0AMib}5GUZ?DqXhm=y)lceF_}OWT*Y6sx2uQY{E2?V;|<Ju+igdLZ3^`
zdNYnznjAJKof-(1f#DXhL(lbLDc7T}*A#U#7AD!DJJ)0{Ta*T#y;k673Ff`8N!EW7
zs%Z6)cJ!U-=oD+&3T=*}Pe?-GsDM!Ov1tm^c-7=t+b5y;8Guelno2u3<XtP70yRLt
z&PW^HK`JsdJ}Bxa*q0I<9G<GOYO66&NLRM6w@7#$oCkZ$=w*W)Kpe!|M@OSaNbx+@
zpKjiP0i@4+!h26Rd1o5^9(bFjGnpvbW%b+SBxlYvexMB-s$>cl!@j=k!jT4x@w!Ej
zGxLeHMzHe@20-B&)m%Bt;0+TNTcv}%C@{|#o8Tzq8X4%FVkaeU$8g^bXG?<`#V<;o
zS{`mn7s_BhBspPql3;IQ@!h7HX&LN(@MxCvfVETPlT!MOLVYeug|*}1L8CU4c|5yC
zPEVich7pra^_2AS6?tSQ;Hpo`NO<USDypz}fnhPc(JUT7kN0W?UW_a(RXIlXsigua
zB7(=NsUg!C&A8OgbQO)h7di#qK_Qa$T8ZD`Zqhp%!RLIm1hG#%>OwFsTd>}M;yNIb
ztb&|FaFs?_H7bt?O6cv&vc6ouiVQdnhv(1>O%yk%CJ&;<+*#h_F)BUiTgVIE`uR@%
zRar1SW<qa8J&=F`j^4`-BPV|b`fN}Fd$Zl6J(!HXN&VjYWG`b@LDDj*#d||%vM3Va
zGG#2U^$!yCX@3Tf_&OQNm~o<*`{iR&a~|x>#d-$@3VRpk`|N2Qv@JuAB0Q*(ZL+6D
z;mTWf2)s3^`1(;`I!I~0cEU#tqAx+jstth_YIuj(Fi7a^v5dYUgk8$K7MI!pzI?bC
z>Md|1BdivrbCw{>`KS+URrD@s*0_MR&kMuD8@l+3SVJQ<jhDX-M8~|RR&A0oKgSjU
zFUn)nN_}d5;nb$q{(Pt=eLy{hAL@a<gbwd#JV2-QNh^QGBN!iu+`%{m<k0AqwXL9Y
zPJ+latz~SJ=kIL>qV^U?5^a?NFrZcSk&4KrDm`>Tw<$m9V$oM#*r0XlGS805btehR
znZ-{chTy%b1984AAM<m0w~!Kw&cx8N=PU1#n!x5!_gjkLngO;oe&fnbHDMn0njS+a
zvY)9@6BFaxySY|Deq>9Nrh!^Q&x5&^k+x)JU!Q@)yCU&yxpEru0Y|fJy=S6;c6aiV
zSXm;ku1Nz$eKY`%jpwaCurf+Eb{wp|>$<u)Io*Wd%}-+A`!r!D)-s+gQ>8jSo=ovW
zwqo&0MG%EOdm`qNQF~LslAyW)2JeERCe)+%pqFb>vhO{I>Mb9LK`02%aRHbp1;e@K
z#FwXSCWzy>oaz2vxHi|O-qW~PAdJ^RuHGXjs831M!tdbG3we!?U(M~rWfun&*zlu`
zpkQ4%_qu^~e+e_C76bCEd$yJRkxM>#6oV+)HpG&KMvs7SaGFIQo*d-!_4i~d#aFwi
zee)N!AjAz()pz^Qhp&gIHS0pMuGlYLuZU84T@USMTp0yC{G?VsBU5qQmXq`5wDLOo
zE5SL*<(r3@?HS5dP>Vg_nc`~W69}yuM7YNEm=*NtsmPxpgQUOpX_y5meHh#PqBG(>
z2Miv-4ib{%E1upf@VwR`jb}AgH!c`_!X=;(t@t27S~yi*OMHcsF;c8Ti5Yh`9AD(|
zEF*e4#^f7Q15J4J>MafhLctDcp5mauR@YMrnMbM#HFhdk`D~!=(4v!Eo&eYctv`%;
zeseYUUjJS`bTx_7!<-$qhzM=U(H&SGdwtz%_G0)s6lJ9O%6Z=Tcc0bI@RZ>^@=kyq
zc)cwm?(I~q(+2pvM}&_vm}X}BS)vt`iN3UB%ZLGU-H2!U$cN(3A{)cfs4ffnQ6nW>
zKXbb=KpRU%d+=iOafw-=#-2T+nyQJ1)8%w+oY_y(GhWA04L`F}yy3FY14=9>eM$IQ
zZ_{2G2o{mH5kbVZxpO|HaxTrAc>qDr%ahnnL2f0%Z*9DuFySNIs#L2nNGO1rx_FgY
zb}TV6xSI%a<kR;vMs=+-`dZPgQC$xSLw9d)K0q%Nw|mZId;-0){(47cA^4l#&lt6D
zu+hU3(p7s!pR$xaBD&DfI%+$8Fk?Qpl%1-JrP%tY3V73mHFG7*5jW~yT0P;NWxTL@
znsTrwm|&Px9O!eXg+hXn%Vv6UxRdpolFgbaXhR=3OAITrzc;eQ!2m$cBRTv4lhF(5
z2A{ohMLMbyxYG2B1>%%9HnZgYcy!$5wa=deORzLXIO5c`+r|PIZNQehI(C~-7{2o>
zPwE(VQOmgsd%FaZQD^1Pe-1yrNudC4@O*W3o-L!uI|jLK#|7SiN<U|&8Q0d*Vqf?s
z*!0t!5n95Cm#1?^$7IfJAW<CF7@0H52B0fs8{<Tt0T~n5nxJ?go<r&4qt-MRMt7Zn
zX9d0@xF)NlxEAKZs$)Q}#(JWUi6&}o#I95kG>)EQTa`)l7}hJ+PO7Fk9Zn{{+?tAz
z42zdOMkul)f{EwW4s{9=_4wNK1wf%EHob>u&&?k9`CCyr#q$~3UM=nJc<;dr49m<D
z-XOi&<+@I<758nkqZmT0^_WF3l+#}nzqe!>fh+7(V_TBbhiAb`4sZBr?Obc1-kZ)>
zV)S66BR(ni&uBG;cnVQjX$76iFGve#grmJHC+UUSSkAl&H$AhaacH<Vy;oyMD9_ng
zoD8Hp>4nr#J~q@_eLJKB5`87A#jLO9#V#0H&4eS&;2XajhpC!=omXt#3RiGT>2USr
zVR>ha#PmKfW6u~KKYf_z%{MxUO4F#<fSE01`4UK^-VkF$t-!r^Fa>4EdB79uw{~!f
zJK*$Mq+bcC$n)D8%^Ydjom1Xh3w|EWQGP=)2=8|vcJROi*F1Is5>U5@!=Q)Q>e2lc
zCQ{<~9!?cd^5era`6fBOL)O;3!}NFUg|hDnrMw!T(O8C8c1((zITIjk!G@r@Z^>t4
zJhOlXqnej)7Doj|Vkz_q@0-eaY>@b-s%UWD5)d)aZom>a6Yll6kmq>p(`o0}j5$T$
zbdHx=cMQH}q?HSeQ9Z9#Xi`ahY42@lCLz7|DDK6cbUoLxJC@GI$}ZawLyY&TyC{pF
z0nDSpE%uTT){1BRJfHZ^^0e0Iwmd5==v*lht7T0?dW)dYXmIy4OPkFc@GF}eEeguy
zg2ol0dsaB!#9$7Oy2Yz_<{3f7?wc=~AAH6w$xhJ(PGs{}(@Y){tnVzA(xs8ev|d!u
z6y#*SBhV2bKSDk=Zx)0_#Ea?I*mz!=U1+HfIg`i~tOcc&(wH5sQr48Z)t;{{jJi>W
zzcJ#DDlSCZ@=!(>21tjxRO#6lG6wmy-*a&Vx$fEl*QR>Xd!anc6mM$7KnppK=&-C`
zk0b#0ZIj?tqOTFPF7_)#)j+Rzde1Yw^c6SQwQK5MVFS-0%VOT@Ln$FR?B{RPq<-IL
zc}U&I)e;>ZtkapBW*@w1&S<~~w==<8YdIGLMdv*EzKQnFTrHUc`}AotwM$=T8z0cM
zFu-9rT~^T%S}ZvO?|bI*AYRY4%VUI<hEs^(-aC2YZ?v8=@dQIofi;>$6iW%nL9F?!
zP6?L<G$JtzyAswHOB+VKH>j@Cj3vz@h+N`TP}d#=mo<~%IwowZItDQyP=jxvL&1#?
zMK4E+hy6j%^>ox~o?uLoQj*;R56vR!=D5)CH!7fr4I|0mFjAaYhpt)kC`84*xWs$n
zc^C|Zn<*&#q<T(OuVvomU~?f<oX@Lr%*}Vf!)`p%D}9yyO5?FCmh~sq_`TE8u3EK?
zmtju8o1+b4i75r)&%9o}u06@H4Q}5@Ct_sCVscIC{)BN%iO$b0*ezWm9S&g+$iRF2
z>>+2dOJ1{>npcQ<!`A7;Jupp7hQl*qi;d}`beEc;kO0|rXh8K;%8;-@=tG*J@!ox^
zPuf-zAD%8OaprT%T2aMDU5!0layDFAVr`bFd>hmxN}5)7hkUyEasza+Z&7&z4WsZ(
zAVa%m<*Gw?V#TzFQ1d!~iGLb+9<)4rLJmwzN>P4Qu>2m#*^%HpT;mc|tK|mkE^6!$
z{v?||!`NX9d7l}F+cU6v<2h2{XKjWWvruB_K1a+&)1Fd{J1J9-0%zjXS1X6DeC)KN
z0p2UFvscwTHfZ6C>;_RVCTlIh!`(fNMbL)!>a7Olj1y!pDb17a%Ox;dH@8rJhU%b@
zsI=Yb&EA;qEKs9dB^=1_4B+PF%t%Nqi7?w_f>yh-_+@qN&6QNUhdGZwZt%=$?RVO&
zr*bH|F4&Q9fwnJMtt2OS+@2#P&T3i(_Xy{N5z{ZaqiWC6gacV#vU_G)C$LN_4HIKI
zKwy;sOhB{0+4D19q4A9)IQXQSKVw-;9H(uMU_Cq)qZ=4-$7SGvxiW_coLrmYdZrl2
z&(K#d+#F%$kz&kcS_w#-ma#zVV;Zl+zO6X~jS5JXgMrsIhYSUCZEkWe-zxQ#uaIQU
zSg$`4f_zTd=m+s0jX8tdx}?43SX0R7Y|m+j?y=1v7i}Xv%Ik~Sp5}G46}Wo{nuCx+
zLJWf#1WYd-A>Jh8Y?eOL%tuGi{`_%YV~flCvltet8MX&Any40(OXGTo`moB-`X}Lq
z;7=^Ih8b%gciiGq0<E{b*Hqm>meJhL^$=mYFThUglkoQ)(9pu&jh<s%<#1jG*|3;d
zs4A?cV+&3A1_P7gNWOF?rqeU=;5P!9&Udi{DM327mDw+ZVgPh2h+A?6p6|$e+s|;v
zFmUIdvNAh6y$cl6C|-4kc&$zagn}!(fGY^~7~5SX@4U41=p?#ykYdte!&-;RFST`&
zPk}LFXs|j<o~cth_Gq8VsR$w=2ab7l6PMJ$2GO>T*M)Tmt-l%a+zW`TWZbC$F7m5u
z<}w5BiBLjGL}LGG>52&9>~krFPv_ohb4|77Gpl7SCGxEa1QI~Xd)=`0AigR0Ps&aA
zSO|upET2b|H;gPx?2{Js$QcCK$F+|lfv$K~?%w$gti^;XXLlO)P;@+TDhvur5o;-A
z6bc(uzbbhfOWT9&5KSf58{s>xVjxczU&PefmA!e^W5?peMMwow$0upgnf!>}&8WdJ
z%XJ~>$pkgW(|d0?uPc}KVYbK{Up0wirZTPdNML%ING;E4aFcgEX6FU#@p6O1V?E)x
zM7FipI?Nt5C;0^I^|NX#f`WMdz*2QwWa)m9{tk|zJ)j`#!3#wc7h_?+jie%e6)zzI
zk91@c-pzEhsC<$x-=S@eQ0VgAW3hI7C=@ehYtBJ3Jf<5`c}XRYlA8H=a1d=!qVE}>
z6C<$b?Y<7kSOHms^P}eyD$44W5bStKPqwsqO!*js589)`XjMyiBp&F*0p=#yd2uO9
zXTRMyASaL31}5vtsC9P_r-F9Z7UL#f8h})Sq3J42mW}zTBkY0eJv#7}kb`YPW1|WW
zgKlL)F`b}Z_Os@&e882HD9?vLnjdFF%yzmm2^%+;>BKPs`EB|Zlc4;f-Q`L26_AHS
z^o&|R<Ah3`RMb}RWwjG;fdm$%M{oLYKtE~M&-liR!UE$qx>eGi6ETkjrEk%~A(-3J
zPs^+7AeD{0_cDh-NQoP2Bp96ok@C4RUvU$_Td)`HmJf?Gy`IMt;TXJon6F6VDcxX1
z-S#|TdnS4!8Hl<;5S$(H1aq$_FK(Dd$4;)=&QczXKv+ZQR&#M0p*)-g<HT;Dvn#m5
z3MRXPLPGC+(ed1}ghQ1mk#pr~hh@#4mMA;SqybVo`-8wz6&=VTqhaOVG)Lt-Q|TGx
zEHw6t2ZP$Vzwgr=Lo1Y$SjA0G3s9Uzmx|2k8o3eZd9Wq)%LfI4r}XTTc%$$8w2u~)
ziFJuk?Spu*y#Nq<Tu>4W*7yX~^)QJHD2N<j#H-g*SsRUPSDrOs5k9k655I;Lh4WlH
z#oBvgvY8rML3pEOEQ5x^vavIy))-U~?$B-#W{3a;5D+q+mXB>o9O31|6p)oY!xcrI
z83J$&IcTxBTFJK$Afhi3b>%SW(o-klRZiDi8X1^nyy@ov9@tOJF(I?91FS?x8Lv}%
zy{KoEU=Rn*Y$q-i_)l#XZ>Gh>uSYJ&ynoK;I?4}&z$#+i6y}VDj0>etW+Rq)<U!jg
z3j=Ex@#!P4_es5fMmisw<%42NWtR>x4hJbT0I`F>9%xIb4ncWvq$z1qyc$m#tMs)g
z%kD7h2{QV|_$+c8BxNPM#OJIoaxD8CguKjjAaOm3OP;ltk0uO6(Zk`|U^7(c&bMm8
z1CW9;O%c>(*Y<F-6Ad5ZWJLGsnRy&iEM-fdN<A0@29_Q|m#ScGCjgo}?`pENj1_qW
zilNHzo~9lozDg9?A)SyKB`YJ42BQHgg(<kPeX$ARO$(I-G<gTJf$LBDEPjzc1Obx^
z*92Hp(ZDm$DSZp?hWiX!<ibafBOjL6WRoS@H~F98uAjcD$sv;#n4WMhl^g_&iaVFY
zHEahvCU{lUK{(BL)#EMKPh34W_FPIk%DE~jC7p->chtpoTeiur$i-3ylLlfS5ao!b
zo8wmTWU&(NbiH17z1B&4UTen(&S4xJ@6IlLInK`3Uotnls+%-mbs;HtJdg<t@QsBM
zSbGweRm$V7Rb@QB{G1yiN~D_M4ubB~OLKN^p4ljiLC1-p__JeOdX-QHB4WtU+hSWe
zI8cnq<{Rkoc1f2L-Y@z))-SZuWb@c?I$5SQkbOJ7i;tZ6xK;!wrae>h?L5@)Y#*O7
z&&x->%G1P{Zpp||Qa!PwC6lop&QALaUQ;0%96%oC-kMm#l&X*^Qq(X_Z?Nloh$pAj
zdbUtv*=gQQ7La;T9`54V(H4a&cl1_O&4h6|PK;`09JiSC2|aW~lw&dn6057o-PSy$
zJn|K{&Ia|wq!2EN9Cf(Y^rUEcoAo5(!LTh3Pq8oZPEnLJ+=F*|=XMU)UTaAtcSKhe
z?WKid%+O-~VCYqw6lggN!{n%g%6lUSdD_oh)`_!uq5StAo(rnU@o_VysuyI*nAVCR
zHLx3qUcp)%HJu$c<GyswF98UA20kr7H-z`}Sbgmg9#%v5iPA))KlZ29KH-BMbv7}2
zUC-;9>zs>q-s^W6{21~~dN817S<^1)T<yfufdgR90UZU{-?)quG93~FXg1|miZ4(C
z+pXr+sBEY8dto-i)AsIp=~`mlNcWpQdizFbgKFLr@#p)3ykN7v?3vzjH}JYr=9|0s
z45n^JXP@swI1&hbZrj&PNk(SJCqP_eBsu#O3t7ZHL|(eHcJv9?nA(Z4jR^YNP0ZpG
z-Wdqfe*QD_mqp1rIt^dFtSsfVF4FV`SIPCUsCg~;ay-yRw##nE?^6Q!9sNT1B|XDe
z^J>}JJ$VwrX(z3-2IVzFjMb>YbWcd8ut>b84B|;~7Qi^Vof)SlgM_%j617gMkrwSD
zn?4>h>`iToGXvYu8yhBJk7*;ZHW!q7#&GB6=IKL>+E|T2PfNS8URXlVgZ6@~dxo;q
z`Ft<#$(ttN4pmVVE+YeHK|bFr*L~4~TxH_L1wyxkhYeE2+-yiO+U<Cldz#Zv3f7%0
zo#9rV^ob3GhyyjE4RLpgY?5C{!+6t0OVXoa{yFcTI$-!L#p5B^7>BrVMjEx(kt8rl
zRH+*T`@m0+8WxP>Qv~!G0>J{b-6*VFE$g0`ZX9>pIUP}<yu7ZX;0ne#ED(Q_nh%<+
zm=+4l?jiL%ET`wN1{uUsNZVu(kdn-3l2k=Lp3~2y_m=t0fzNx%LXFVa@qkt>x!(Cp
z!^0LLUuen+LpDA=HBx%ln?9IvE@*H$43|(fB*4;K4^z=(o?3+0AfcQdyXp!1vx`3U
zJzlyhdDRhbmKdm<qGdPLx8K9-${QQh+;<yy7hVUjQcXGXW&-cxCf|%%X`8$Z43WXB
z%=tMBBnHeFizv8m8dNg^(P+L48INg*SOSK|V8m_@cXA~A_5z{rU7!2Ls{nafP3SSF
zQC`W9AC_6q2>F^Ttju0#S`>8T6Uuqzl*ypA{)BbQdZ%kae60MX=AM%lke4TrVQFNu
zf@CPmW}Iw7rU4vpnX^>OQ^X3Q(8mBB!h35ka9PcodTYUnHbi?+A9De<dcPzlq2`N4
z!F;IoLYc(MoEO+n>y30ABAgqlP+RJYwCbI%?$)CLBdH4DZVat7ZPUy+gv5ZtK~#_6
z%8a`XO;iy=HRC5<+eQV;(Q(vB$mX|MZ%y-OE<jWTeJxbt-nea>I)?$0R1%f*BI+3&
zgC}X}vb>pF`4)n(e)@rjMB2W}T(=kGj?DVN5aTTchZ!Bglr^Imn1@@7SX1gq)~b&X
z>>f|QKn+@4!s>B{oUK!?dW2j89(D;JB)apkL<7$Jgj}S30@d@Cs$MTmQa#bJw6#Xd
zlA|l!4JeD%a6{TqHk5F_0n>-MuinPAF#%sT<|1C=d0RZZZl}$nXE{@%OUnM9ZHz*!
zB9uZexT<L8*5M?#Cozsqyrmn++o#2Wclgq1bBpi2oHys<s<Zcao;fBIi+Oc~wp$n!
z{=V^n;9>;m)3<Fm&BM0K)qBd1eOq>FQ!)uC>6M*fK&i*Vrxf02MC_s@e)nW)d&HGJ
zB%k20N3up{MfB~#NXK0#uCDT#a!KR6ihAaZ+`ithx5e2Z0DW>3Y=LDStG3xlH^9Cm
z&$@l#I;JG>m=pH}SnJCmnn~jAa56?H28D2umoLo^1W0L0N}d!-EZ*UC>Xz{<H{!?T
zk6LW=`X>E>>`vA5J*JJ&&_R~4AeQC?VSUSnO=Ef(K!@XuPv_!=G^DoJSY7Ozt;2=6
z<t|w*-XdvF$DRl0OPj80R@(=+Z~s(Wk2Xp20Dp-A{Z_T12SPf!9r5HLl=Mwwp-?V&
z7Bn+?*jt-dwe<kL@B1R3VR2Ava}FpA=S}Omm-iESEx4{a=M3f1plhxv=O(ru5R8x~
z*#2N|eF%z$8Sk;kIGizsggq6W871hMea3L5?E^#8MfGHY=3PyRT0`=>)?j*CNFM3c
zQCw@Q#KWE`2)MHzV#pR!&w2`a-IcMk14$(V_;#WB9Td4^Hn1+eMZsE+-O`>&OAE;B
zz9W8PU5FL2b>cnH;&B8u+3(_D$<JhY;jI+UR<DBP3mtzxYL`|okf{yJ&2L1+7Mv1&
zJMn5V-n{xbJ4`)N_8`QFQFs)uM9h0DyXTN;aV*c&q|DS;K!mSL;eE<MzjueHa#}5s
zE(QXqOO<Q4V&O2$NVbwiCMU+j{Lc7Xff00@MHo;Oe2->yHHuy>lp%7RrYThFMlbgB
zi$zyJ>I+Sr=P$-&PO6+y*zLxAV^Mfb&ns<P+x>+joW#|uiUN3yP6)+zND)Hns`nm9
zETApXhIZ{k*N6dpt($-y2f$tk6yg4+wizR;Kyo_XhDf3?6GkJV+zzZ9A(0mt-h&yj
ze)M3%hpmkFA>G2|GhiebYiPAF+9BqZ*<yesQjlkK$;p+jzXZ`W?gUZ70O;wWElo@~
zw$DWnJ5i8T@$hEx67-$|&m!8lApBDh&jVLzVV<BP6GHQivJ^)Gr<SELS`lGdR+GV8
z#?yYJ8kt>Ha}KyD{*D=zyp6)2ZQ?_r8f7aUI4bsfHBuLCfi3Q!<cPq@n^n29vWB?A
zv6^1gM`3*|*kE4o($9{iPqDVn9bX+iPr!M&t}TYL`Jk20*n}<8ws6dkOo^_ZdY1Xi
z%*waIFLiEkPA^deksq#+?9jShxUqGYm8Q<+KGbLSj0&FCp(CQ(pkQ6bSy5eNPZ1~A
z3RutK>zfm_p)R?KeOW&xanP@k?HzLlPOI2?@};0DcMV)6cHRuNgzPX-W?_~|evg*+
z86|JVG9Ghsy}Yck<do$nwxY9j=IgI4p`a7iTSvGCnkJXA$N*ZAocZ13aIEDb<ifE;
z^pR*=Eq%f1dajzNEREz6eHA%qPa)0f2~kR;J2#JJx9ch@soM6#w~+`h(}O@bsc?)?
zC0(Sl$1l%;U&>6Bq299uM{kHKtvsSk0dCNGouqgoW{Tl4lvm?knrfbd<az39gkS@Q
z*TyZK_TWiSSTO|^Ic{+EmMPY(5n*$R82HMzzh~4lo#}7;h>f@#B9KK|$>FCc2*nyz
zc580nJ;9CDJ}5-0!slDj57vtw*{*Mjt-{EReu~0BL#07JsH?poGE2-Hqtmh&Kr;;M
zw>6JR)%&(V1|qV%R1lO(<_<+0ii}y+E#nobTJ+7t<XH~EWA>ToH~0`AFsC$;)F2+A
zmE1F?NmSeA3l3762am6#D}xxgtYkxT6Dem>pG(ZWa^2X45?>AoTrG632c8{ok>aHX
zB0bq<#Z_1Z+&l5XVN;G{6RvHCt$KU2B#!o2!BmN_RUXQ%;9vncu<9VS$QxICeB4|r
zM*9F*F%^sy8Q;Uo7o5&l8+nrfXL*=wXv980XANh~sx#X&UsRg)E7eyKp(6<#7-bK)
zUh)C0RhW~C#(l4&gFa>PSajcudv&hwomt_#H)>s46OAXiET)7b<@jtxsZ?53Tsn{T
z1=e$+NWkPbL^_W(Bv9B<*kMFHmZ4Z!tS4I+eE6tf-Io9qV3ca&Wb>Z;oNK;kut{V9
zicb5ULjZ)U_iJ+K$77=}h14$%1MGzYxD}^nwX?a?xzpcY`3Xx<uty>lwK=*iZG!E2
z`R<WTy8uvgF3VvG)UGD>^GaJZIc8KfD6(*VMwyz5y924t$+64C;GhJX?`535hnOq9
z5x^ki7g;ab;(iXH{=%Rw7<E0$V5!hGHKs6M^D?(3o7R)YvZ&#wGt7Ih_e&TG-$Aq4
z!dI|b{W*;>+i+HyOvl~2g5k@^F&4o^0+4WpnWdNI#$-fP`ufb?LrH@(dOb%5vwZt(
zCc#RvV~>(W@SdcIKUbjVmo=-Vi#;Z%ERxBao3&hm(~dlGMVt8!4kym}jdf16wT9&S
zE2dzVYN$OAsW{xZ_Y!zsJ%n!Jv`8(beaBBz)@NL>$;BdMrcR2+&~nS4F~Z_$KF#JK
zO}nV~!X-~dhsru0=z7NbJ)5q#r{&z4eUW>mh+fxsw(r%R2HVz5d!Vaxl-W<u&>h<9
zhcO@=FV?*~8XgpG_1a^T9O#8;=y@Ybt#tmv=35&6nJ-eb&KUZgbBLRuM<evRB0&W)
zvGm(+#tUOxZW7=EQt(w{T$izA=ipYG71VNJcuudbkY$<ch>DZA0=Z7Jhsv^CFuWYy
zimK<y8(C)b&Mu}KCB<gUwbPcjr)f#~I*zx?v6n?;-a*b&oq3Jm8Nd-^01qRqxk&g)
zh6*2dq#9xtR^VvH5TU+Dlhk3{HR`f!`nYb)m@MfmH@e7K2@>2;=jth~G>*z+>WmT1
zfOW+8xCgh(4`$J#qw9I)JH2gIXw@U3)77`rq4jefxd4Sc-na9NQL|5QrGk*Sr=OG6
zyxfaGai1Os^NQVk@F@=b44<XQ@1l7FXB+_R!2raJgVF;>9KkG<ry2ID3w`)KeN>s!
zBLSS}Z^XBy5{&^zw&4)E2Lz(4_=fK;&}c9?56+xO=mwd+jozCF3;T$b$fSq{uwOHK
z9L9`B&4u{Zk}qSvyQPvtPd8`mD}#^|Pq&Us!YQLl(qN0CX<~oHlOfy|B&K*fOiu~2
zHy_Ii)uWeY#HUFt#`aJw`Smynv0#%V7BM+#?=9Bw8r(HXGOjg9IAM$(z+<I&gXn?f
z^unsmGli8sDCvdFdE@TSvzPKdFb24YJ7R?c%3R1vmea-z$Q^2Ba;iU@45(ZNBYB_l
zp!a?IeArXb<XMmwc(l^KUM1uLN}B0GAhpeDOQcSWJQ!Yh$$V`T!j3G@#Z5d{+qd<y
znVz)nlQ*cBbb|d*^|A!#$jHTyMuE+sAB5ZKdynS1<-O>U<_PR{@l8sF$<kCweh*)$
z1alZ?(-Q-aWeHR$>)Gi?N3jSQ7=-3>T1NDCq4)&{_w=2jU<nkPjY5b-5D$dEo>TyE
ziVD;$^-vAo(<F>2Zlbek5r9M~C-FzHjIW8P8UU)_%0phAaq0*@XNHs3!P-}Cao~vw
z`F;+skL*vbFtUUaumVrgp8%n<N@YmX8a<KZsnK|cj3TpG_9+nl45aTx?A>L*>P;bg
zwl}!%2+DY$n|N)Yw0q*+3PltYfH+$|EjogXE^b|Y8OtsDlC0sdH3vh1je&Jr>K4<l
zH6Ke8y6nIqz7|+7-q*GhTA&H6j?wXy*Y&0ND7l`wEK@qX_c%rKpx&Hjwb+g{6}rsq
z`t#TXhuPg#&17y`oh()o><6SyrB2TYFT$G%l~EssFJ9g-R#x?0NxTkp_g2CHiwUrs
zdh9zMLNPj_gmfd4wFDe7wKx2To(tGx4aT0$d7)dnFCADsyUq34z~f&MDOrUCjP-|a
zo<Xhw8GAL0AGSl4-dWAQqp1>YifGeUsGkyfpV4%;tNiBjO)8<m4XBZwhK=Jnp90<~
z?lVV_;Vu)PqxPud^%LEhr!nxt!IIsb(sr-f<vKD1LTKaCUwPivaIZPdo0M<>a<am$
zaCh3ogY>h^=mq4|jq0a#rP@9((I*KX;9>={=oZqkk(5rM`a5EP46jJUSQ)ZAgO_)u
z=!<0FYqq*_{E#ChA0p!ojxuYLQTjC-I2=4|Lw;Dhnk52VF9}j-O4Ao8;;8Ud8$-)0
zFKq1RRxe&n_YJ48uw>B@qXg7ZKTx`%9Pta#q=EUFL&CKtHwyWxgDhAv_Ju)KGjsS+
zNs6U*)q_+b30l&Sxo?s9r%3c2@5^3kf9Ruf+f*$>$-pyD9QYaQa>1NoKzOYsfzIX$
zjaE7_YUeS-o(r)Fy7w#<M|Zr;_d?9mmeQ9`GDdwJwR}+B<EmlnAUFozDFbtE<WfzR
zak)3?Xbs8kQ`p5l@hiy7pl;zfZ`0v{u(i}w-l`~Zx1HlYFa`3Ks*#E*CPX&O;aen}
zw^8>VQQTYHK1sMZ*vdE3TSji4Mbvz-C8;D#oUM8Wiucm-vYp>ETxbaqJ_LUzw-hjs
zR}(~XdH3m++9Nv0m+Jj$dA;N3*_~e7wI^(|hpdN2ueF_RXUe;!-Ht3q0wYDxBg&*O
zdH5+4`HZVWT{OlF%oiKTA&lhU?A-khI>X+&ZL2?k5!%q=OAUY7;uAR#>@zDF#sEH!
z-Y*nvVwT9?nxY?;=Z>?{)d=m#6S2HU1eXmlm;N3DqDEBM*yHn~!rWtF+o~ti9g93y
zkNuJFVnDvVDel~|<6uU#I_0csTd~@DXxO%xLkd|SZVuXSkgb$aOCYPGdtvT4J13u2
zm20h;t)f+}nBP6Y@b{)zVIf0X4UhuXv?^ps56<DW=Q}dA&3<dManyHQ)gp<uX4)`7
zE(%PkJqS7E?7xI^d9qxV`jp~scfnF^$1FMDsU3O;JKjcNobD>%$yG#t`-y%A*P{pz
z5k;PP__`5sPI?(KLaOY~rl4TiQVJ&?-3FjxzHB<xc|ksw!)EseL|)gu7UChiKU23D
zy;nfq(-nm#K3p8COporkOLtb2HT6KIxccG3xMH!t(%BZTg3y6{L^twi4owzoQ4Fty
za#fGUHR;sprT1laWxuo+lmm}>w@{wEJU>P%E=n;of#tm#Hds&ZY!oMP48yDB%2xwp
zx`sa4=Z|@qQ)0;NygP{attA=4!xGYEkG+C@P@3q)nWy6Gw1aJ~j5oyfnzzWBFSlJ?
zen}-g!&i$FK(321ZdbhJi4DBc7>N^h<J0R_P#N`e2WS44iqUt3H49tvh%!nRtrV$y
zbDZ6&J%#Xa>zUP{^UJu%uI2|x@x~~QE^Lld5o+NMWv8NbWa^>5SK;<p0UuoJJE2VA
z19ELoeV_)Qmi`vdf;0^t`xI8O;_U4jqXFR~Id{U@BOTluvuhVFN0%o9A~_x8&q7z6
z+jRBTUPm^GTjtZuKfK=2ZHcpXzv8T{EPoU!=DcVl5phiPXiH*`p~rHv8g-1OrXWm-
z;aP`=$GH!_%>zm!q*~N%8nAH8%!qg~a~|6hz|3h@{T9PLowCl_I*%#vXHM}rDt?M&
zn-xnAA=B>#dShbd=E8Hu#u>o(5_iGQi5vY>EdCj0<EYVdHi{kE{4E+>nes*^ft)@D
z2DL4$-VC0T$$oW`v;bv}A?M(8^sY^pw99H4r&$jCy`CKuwW_3W@xJS@D+)kh#sVBo
zzG9T<#tP#hk;(AK%P%1xD0bFV?64g@tjj8Hf?=}9_kgq{@^v@6Br)JQHxwiW6dVm;
zcKN|PM8riny0`d(EyzS7QfL}Hisfd6_!ab(m5%4uh;k=hs&GpK;oRs+5Ud`0UEb7o
z9b^HJBQx&^RAfZRi^lfzRvuH*e$GT27C3TeMDgH7%?7UV{cJ;P>6l%6EMrBl3{+m!
z!>n;q^6tCHzK2KcIYVxb)jb#RTP~lmHWww1FPRksfO56E*Sl)QhJ0lwMp5`lNWYGI
z+z%+Dit)G@u<PdK<KEZwdZfc&bSp`0XTVZgEZ|*bgH^)fv&%<nnmDR11`8a@ZY9+t
z5$mg(xr612fi3w=o}D5a1L394=5&d$@(^>=dk>D<c&Y^Btm9JBLuqg1l!O`{*kQoj
zUXFnsw*lB_+_9EFkCf7~7O}OMc_+}If_M^fqV1u@(t%dWl`O4y4ndV?gDSpe*CFGn
z`FOWp10M4MyV(Vqy;_e(#5W_14Tvk8{HE!7(!uI4!Hgrlz{jbvi5=6ZULto3I!_0#
z8o)pW5m<OkTf6t&t$q*7@fmQre8XDqnnv@%rOn#)UI!c(Qpba}tcSvcOR=j#bJ-SA
z0MQZCGiBh{D~aYU&9Y17iiVGO`t^f)!^o<5FS2HWd(&bNP0$_Wh2CoRQBc38#51i2
zoMB_l5tHXqPjmb&Dm`trQD-%=nq}6efRTBCtBvfM#bjZ5T1A2zMdP<7ub(}qGFm8(
zw^^oviljH{n>H$2!6R`}uO<7zS#z<i9c#R!c=VcHp0^+DN%X|j;gByZ!dXP>nRgD(
zlZq)Go86ZN5?LF8PKGa>D>~-Au@ikPq4SP^=9l!Ud5(mS2$7IXxz2ar=tAb?t*nse
zCSGAJqC4omxNpfAyidtIe%p+N@aLqr+c2Xw@z&w2GNuz_4@}Os08NncR7dkwpABjy
zI7XrerLxgQu~fHpI*ROKtUvN<q9J@Px+9mt_L>`_W>G_dx(P!qP9;%PuZ>afb#p0W
zqF=rD;!^VxHF=7vA0h3XaI{(<`cnrd6&CSmL&PzzyWYoGuOGaiHRTDi5QWTS-=b-J
zNl0VF7x5BrRrK!7;1j{#x7JEnlqm`?5dg5r&C|n@Ji#HPnPd@?bm$7xq;B*z2{1&J
zNWOQ(RoO5isEMs^!}V~FuIi#&be{3gLHdD5q2ruvryRb?LJ-T$-OfssBY>Mpn0>)w
zqZoRb^<I6720ufuwT19Fwhw{dV27#WJiiw+0Q^K}6`o1?1B1Qi&zhObo|qI~`%t25
z=zA{7<;w3ilO-fGG3lO!q>YxMuqe+iV^#Kh+@8$4qazcd84jt=s!c*xBCs0*BrsPR
zxY;!_qPh4g3{<@q?X|}o-R9$5p+m+;%F*ucMk!gH8=5WX;OJ!`qgNN%65cbm%Tj8y
zP4?<PNbcd;Wa(?<+gd}RI;pZON%IqaI*+^UVV9m!S$Q}dsh4`4Qr29dn5EETzr|M)
z_`<tG4h)I>DYUhW^wvwOS#e)G!v5Kwwoamom<L2&xUj>!R`Ul=SR)Q}Zr7fHQid?R
zPGArMpRytNluc^Bdp9kSI7G~jxsvz7$6gr;ZJ)%l$G$*@w#{87U8@NX+q($@w0qsN
zss-=CQ|j5dVWDvpUd`7&mf%QdfZfJcg62&kdSHl109#5n)fCa07BrXQ#}X_QammSo
zu~ERNI(LZ@2z-|;>tc4+kgl!u^cH!_mwG0quhOMvrh6eReNp5b&ydD9ZuKb&4-Zj0
zVhzVR!(%QY<e8@o7!ON=f^Q(1mr6OOCWJVu0U4#A-jtfVNpU+a2<L+n$G+O8m-yfn
zs$pWerw%9*5QU&$A*a1g$d=q+!hxGgY>N{)VooHq6Qa>}JTp6HxSSG|MKnB)MRN~i
ze)KJz&mcT;nfQ8Zqij|LOB+n(K_qjqixME0tS>Asq(1aH<A{OOG{Y;$=FX_$Dqjl0
zf@%vAlB9TBgW#<04tgtVhl_Uemh<5Nw8#4Oy=3Liox<!A@#PVvLk21y=PGyIAuCg0
zws2&eERcGH#*UkrR*ACh1Xa?=C8#s{U~^lNY(Q?V6ON@gg^}>7gVt*xlj?!Y<RU;j
zei|lIqIywpknP?sg1*<3G^skfox+cnSYJqUD>(>x-7sxH-s_2~06%_!R6_NtMdx|9
zr<O!z0lskGtU+2#NNid(So=9c&65P(kW}Fyg94&}F$9nUY>`SZd-$5Gr`ST+R;Ttl
zKBdE-k(kCG*<&7P#iI%BTZcZ}U?P>oKvrok#mwZ<=?0F|O3D#RP48y7MmPgmEi(`V
z3A4)=+Smr3WR^&e;T>K-2*kDbaIj>}Dg-mf3h+jzu-I%+r9i6A!{O0#s6yv?k;SbL
z#bElBYePirsI2e+c2~c8jK<v;LB)wrTu&<>o!m0yrRP3qnWG5R3w}B&=f!fUiL;!g
zvvALBd|VX*9Te8RqGF>{^AQ*@ms>j0)QP+|9Q)h}5YDNz7eLO}@AQ_N9kiOtxT&1;
z%HZ)6rC@j$=gQ)Sv~juI$v=IEZLLo;lCdD1ik`(|Dsy%fvxfz{7CDnx<R$`JOw#7v
zpW=C+;aC=9!rbjTvw_`~sP!DU`6W;GkitWw$9$HamO|S3k`l>q`&vfEY9$-SWr7ew
zSYWPIB5dB{CTxdz3(2=P6pGaqFL!_`FqaX!Cr!q)_f^|?tPQUWsz6Q3sCsz`)U~gI
zFZ#PToRL&H{qE$z78<HO<7lBMNpEz#MF7ArGt1=0Fpu)ltL;eZiE+N1*S^6Rh@ztD
zhBjP6oa%QD@JPHO0(Mx5!JneTtK{Xh4H`eX%ax|96seTtCTmDK!x}>zx<!j<$|=So
z0AP8J8@tjk=O`;0E(MA>O!|JyhYjB8!^@)z^d;KBM_H%!vJFe!Is1(zn4FSsJae|;
z`;?D-#^m-5)2yfL0l{v)Tt06Fp_v#~G+=@H2?Q4og#|)ZKgSi_O*jg@aJHE10Eaw{
zH7??a!N$k6>yV2~j!L~)X{YIIPc4cdvxgnF-YT+FM?|>68zlqG%fNS$WFS2SD(-Ru
z1Fp?mV!{T{?1t!7_~>|b5;xrEiZR<{jMam2pA2$flD#52=iUONi|VX~B2;y$8}m2;
z;xGhyg>Ie%@*WA%#ios0SUv<wo_lD(rcQ!4vVhhug9MOIAEIZnsJyjKj^k#N@;&cb
z6Mj>zubQCt>Y?>1YzLk4#IAAtZeA-9uXvbha>dt3RIllkyFNuiyBQ<nMFl@73evJ5
zmiIlJ>vv$rCznXC>`^3M6EPB7#*0cL!0JXP8YZJz04a6ia13pdvz2Z-^0>P99?EG%
zm))v~SzzIN{1Av=E-3Dt60^ioy=7{QI`=2=m}USwQ?^hOr`h~Cuv3=%tsILQdCklV
zlPPNtnDnal*KK@9?{U0=c^>k@+*I}@KuPc!9Cd<|8Ye04xKH&SBAJno_jpuOOV|bi
z^^O9<sa%>QzO8*~mtwtK^Wu4_tBt*kIceC|6Nav%UBzBK&}u(&eRC(`Y^KFH=WTag
zijO=+>#T+i-Rq?wan&(92j@NANtfR%K~3>@aW8xP+81TAhe;{$HW;x9!i`8;u<w!J
z3e~eqBL0?;e@f`)a=K$EDu*~1*jrnrCo%U-j0nr!Xott-&gX0rlx#?KiQYO=bDV|q
zJ`t}QNIa@NzAe#82qf4ur9i7_2zIr2F3)l|Tmc4Q+=>7}-8_AWS|6L&DZjHb34jI;
z*8;PGIxl;WPVZSMR>bWJo3?DJI&8->xF6IEw5U5j<WXp3vEg>a5LoemH3dN64pe?v
z4sDNH(}l|FT`4qI5*}Bhl(W-gOZ6wuEc&>|E-s+EeUE&g3{+SO_aXR}C|T8$F^n#F
z>KwVth@F@<?ToP?Flu4c#gba6fJHKO&wu*RyCCQ2nSwdSK~0zvu39h+PiqXM5eXPV
z6qzSeSkF7_eTv9FLv*++J7L@~ggnA?(i7cx5X+(zT1wvBtHIE5v?hLo>CjHbN2j=N
zGFPSFA;R!lCxlA24ZY>pF#RfN^bYEzYJ-c#<yhXBJnoW5iJ9`$-mnRn9Stj_-<wCr
zQ^?p{mSqe|YLy7460R=;+B+bgLK-XK;K{`BO-OBF6!8>xX~V!(1`ewS3PpL1lX7Qb
zWr^m?yWDv%l;$9Ge57#8pX@QBd+{P1<~d>_ABxtNCAnv=1aA#K!%}*gnAVzefJ+2W
zJVxW5oI8vF?M{sQaIe`kKo3eBrak1q;U>i%{*~~vo#l-x9zV`?eyxNH_OdmAla^PR
z-myyYW171(rh8`DNZ+%Vf5+*}QZmtDuvCq~r&$^96JW0;QKER(1qIVF3eh_8P9^LV
zMc3hG$UB<R)LBs9uua+|;>25soH2t^PhD{AA?kz%cy((%<XrbS#eFjH1fs}N#a};r
z`I3%z;qXM?Gq#`yDOq@BcGLNy805ezUF)x`tJte|O(gB=PYy^o<q?=xU_v$Z46-f~
zwMx{I#DuT-!@1XV3d}HXyl2<yFd^wZp|{(uen+_{bpRS2>z0VED;Tqw50nz2ot=%{
z&-TP6JlUV#i+K_1RO;L>L8%_0#Jjv|Wao~@mCiMLg0k0#Fh7I!^tNiW44`RYO#_gT
z4?Sven@Ql}tV;!ZLOguA_ne^iQ%La{te=$=Y9?Hjj9RE3ty7~lSSF1!*@j+^^YW}Q
zvw9rwT133Wx+mb&Z;WKe=OKY~N%fpGKRmO`E}VRtQc={^FE;1QwR+s~*f2vb(dLX#
zK?Nf>;m%?t5g%EF@7f`!G=Q=#xjf{jfgs@=NO+r(wbX;vRdr--uk%>V7o@JR<AsN9
z0-oqyzR9a~eNPe9r4=oiK-<!QbziolTEuDa<gFdXF>vqON{As`U_~Inx>l7kdH^ZU
z5*Oey%5r@CoxkFjdx$P5Yj5@tE6}|L7cXogk(vRSw#h-6qb4VNl5V`rf3~)oGsddo
zfu$_i;t3-pPD@B|S<mon&GVcZW+^r@nYqsy&EYd*d*9)y-3m8^d*}qRvPX@(qoa0b
z@pGjrwN%mN3HQ+BUcH+)X&fdFaXlBRY6_z(iY-FyMIhtwqOo^&kL?W_%VY{OKC8=6
zDC*vq??@h+R=vR*To0A^n98RX6IuEZq7=s~py#4V={)T+YEHGU-h0F$YTetf(BC|H
zzPWs-i9yGYDX5Z`Dd9-%7`sUgW6On}%tN{Iuxy%q%)5aZ@#uAo9hz#shlYbH2!PFg
zZ9(y}yVZM3RApER{mC1yM2%b!PiJKIMzhBXe2%+lT-Oj}Pv1q2k<V_t*4!-1T;1hV
zvi&V4yMTAQsbECXS+v|j_T0@wU)@gMg1V8-D#9s0LRPE3Z!vv_?adyrFzmai2#x?g
zZyfI`nKy+c&(me#EwBl`6laCE=5|aGR7Z$dVcCBwXD4P6GDap8qAXb#XHg`DvO(V3
zJ##7Ie0bwxnmTFv(sy*6XkLh=JQ<<)OtjH69Tqd^4PG?Cki_hwAue_M4Irb&m36;f
z_F|>;g<#DM3@=+}pWb|DDHV^RichQhXgWw#mesVeWp#^ZDB)Z)iFbwvJn%5=J<}kI
zS3H-bp@=zQXH*uVK=p14!;f!x>tQ_<&_|-nPu9m<utj9rlQ7_A6ddNj-esA&=AV|i
zFjT-cj=7UXAKA|~M=#hEY~oP!9K`_b#Q~cYlVe`AREf&yQH3H3Q)wN%_bDg*-d%I{
z+sH?)drz8~wO8kw?rhfGUk~wgAl)9EnP@`{vov}f=Wr5hSk|NqrlUJ1w0GxqIAl>9
zkmzfwMY(<bDh^?;h@KA&bkUN#-8>0ToR>Z6VewwlU5mqAkYRL4A7wt87Jq85OERj(
zR4PViPRzps2jzSwNHUS?F0XnOoUC3zmCf-?>QUn3_PWrl4&ZSfiL}6_QF46gQ4S7C
z4ho{)M=u?67183>-@;uE0K21km!_f(+uq3Q1`LCI`EW3Oc&7L1PF21v>wp|l;qYP8
zdyMGO>y6F4$aI^l={;zv*vbG%zXVm`uW7XOrpd)#=7``mYN?+~opwKmL}?_?6-5=r
zd1{28f}+m=4rnxIOytxt&s{Z|#g|_YDRgb%AA!}le4E;@U>hmw$<d?ig*X(tR^qo<
zyPjFzBf4JCb#b~f8svdBUC5-5A2#Hf@6wJ_a$0Od7Z?PG?kZ(Y`8&_I>uKGc+_>v+
z87Lt(9f;uNZ67=cTeX4n^^74EMAC+o@MHtWeKe?Ekn3p}f-Uq&V&4+TTVW})P>Y(J
z71di218{LgUnQ-VaCsh5-5Y=?@bbli+=wFC=JMcqpyic3-_FUJL?A%K+YZLp5BY^B
zD-^gskQYhRMcl@iz4n-d(upi#NImAY0-%Db`CJ9zFG&TaR9w?^%jHgr4Xx$F4WenL
z5u@Ci(~;NZ&AE@Btc%L0r1&$6vzt`VgFaqJFNs!hd2pm@fPLuxLYJD*p1Bv2-cUTC
z(KLC&m7px-Z@``99)Ms{hB{9N<yEk=VPGIJq5)e}>b;zH)Z4Cti+)ebT<V0tLjB>2
zyLlP6`0!RiSno5%o6TC3Svtm;t30$vJzMM{5^e6tm}<d`!7i$bY}$^!A?lMDnHnVZ
z>~75Raa+Qgc(aWL$qR@(xSEHu=Uc&6Jufcssn?6J*I?6*ku_=@G6f6b_U@c#Cd)(k
zy{v&XL@b(%6(7@a$q7f$Vx<r#t%Wy_MNuR~LH5<Fa(czwFK<iMs$eiKAbyI<rV~LR
zpGqlg;MS5ZMNUbQYl1lKF0Ds-1z^ad;8XnGd;9y|dq3;Ol(@ahco}U{>8i~zEsb5!
zaK6Ec6aM^#=!^{JgH!aESId(fXA0zlo!fnN8W_>qOZ6IplJ5<r=&dAk0+`snvDuZm
z0-?u<8I}vGp3lOtLQHk(bmn>UiTT3|Ja`F^Bbx?C^DL5-U|M?2H?ugo0MRhY)_gE#
z&S2sZTX>$Cpl!7X2VD=~wE~RKQ>|D_OP4z4i*9)s8#Qik=0+hLQD7#|$8Ib0vAqK~
zN>TD*bO2z)r4tolm7F(!ZVf99Zw@VqXl-`eq9qFvbzF=tum^OpyRCPGjrH2qZeDC}
zt=2g>t>-UU=>YS%OztqNj+~9`JK*90DHSu{-2{6Dt<HVdqbE30^DV2-crKO~hS#0j
zVUJ~+wqp+-MfFZ==`*9)M0FQW-51#ihHIerQc|CE;#+UCr=uc>N}x_1pzY<l9e~F(
zI}g>051>H1E?aY#jT{7vSMCt%UF>)bluyQE;C5ycDemOlnS+v7?W4+s>?K1|S-^u<
z{KPZHoDdv9PpWLzq@<zJ<<%n|uX4aOz>S!Gx0xeRjcthZgbUs<Z?du|$CU%MaZ?$N
zc#2ky8W#F3za3hhPIf07<(tBJS4=Js1mG1FFDW>t-+}k&P=TMXm2E&$7VcO+EF3^`
zA!<6WJJGaTwa|D(z0Q#_Pr(oPm#_f0s*E4PZe^=Vb3Fj%0l<4awJ~T!TTFZlZpveK
zps4*REYZ(g^%iw@8i_1`D)X3Wc)){L0c%FziScD(l@VZ|_bqDSBB0>py2&IojB-mf
z&wxO`)^vM-Sb+Wr^ZF@q7O<l;7EMxm<)aSWcLuI6`@Kcbi^qr{xc1ttkpk;vDuiP-
zM6FH}u}_1ks&bgm<7u5Zz6RBCL1i9HK^6qyD1H$fb@QlPya}DG{SM@CAPNgiW!gNE
zrKI!CRe}Rn=gcLVC~<q~v(3JG@4a%#_s-Y@6l_38!1A4Qu!@_zYMk!9*%BY{7U%>M
z9a*{;gK0U&3kSu+B?kf7r$mKr-V(^XFa7y~ps)mOI<{WjFKPL3zUUI8tcZ>}AVyZL
z0<?~tBY76X@*Zax?h|ucWAFXWSNc9%VLM8*zuko+_w6O?-VsVb1xB(0iv}<@ua?2p
zmW|cHHWnk!t{QQ`>=!Pts6=DlGaBZ5P*v_uAxcl0Ri{~;#!y2uEZ<^?*gjl&v-_M9
zA5j3v1?LU*OB+{wgOFhva|w3V6HhOnkTNLG48@dREWas*$z)Q02Vk^G8IN>(>r#m0
zO6@2by(^RQbm!GQ`jdkbXQKt6zT1{3meG~grq(IJK@+dD>^(n$Eq)sroDM+t40|Pv
z^&q0%bv7~Ub>$n6lWWVRBkUfsQ^f6jN?J7F(?smFL5+Jwr+L$U(>#Pm3hxA1`e`|a
z%}?LDDoMz~<a+%sMRN)}gmEjvqD5W+gD@aB!R-y7SV{NPr?~7hyf4KF2#Qb51lz>&
z5I#}yT|J4Qq-zVfcM3kyQ|~1Nj#RvIU&qUSHz)n#Jv!tH#1?Var=b)gh#s4FO3(c;
zpGDaeVxlN4hR<|&p8!fg@FTgi!!92jq^AR6Zu-D&w6aMINDBh?a=o|Zh)R#JC9)T@
zja^U5ovl+7sr2eZ_|1SQ?16NeBfQ~?$1_C)x4G?+DXT#Va88tz6-l=WEHEZ(wWxO_
zq|^G?jRa@_@6n-q)()g@q@LWsV6TmsNXK2O7UV$@)HvvYFDQy?z&K_*qM3K{WK+|N
z3I!lQyWZdxu;mKj?28C}<<EZRt>WpnY)$EMDYa|EdLS}v;mB`xkMxGOfD;}qOeRaW
ze|wjI#`y6+351@QuF7@-iX4X=^kt9pv1SA!?ue<+(IDy&5-t;qRlbwAvq5&~aTGS3
zVVCnZ5>D#j_;}3NEdh#JL{nL5U37?5!l)^qG*=5!*t4n<R-t-90ey$<w$yXfuR_K%
zcOk0%>Qdc#m4?{d#Sva$T_fP(cq{Ajz|J~*4oDMN^4z-|(<c-bTM<W*m)kpotz15=
zeQf^ZC041WJ#4dVEiJx~dk0kdCaX~%yCQGCFoC&8y8#Gzh>{su6?giW-ps~iRRMy$
z#Tu<wJ#E2|?=>;NxOJL0XwVyA;v93gecA!*{RRQDCw7N$e+f(mr_v9_Up60Wadwbw
zBWII8K(0`Ip^~MfQt{}imW*$I3+yw{b0VD!cs*#Qw)cWcm5JG8`t}9-Yx6Tki(|%D
z7OTvr<=N_dl7ffAuf`|}sNf9%ok-XC`gN3S<EB=vCJd}SMnPY#d@@K6ST2UA7t*V&
z4j)6tsn|lj%{YQBf;QI_N5{k^$k0P2KR5D3t~twBub8eq(?DMLbH`k}#K=pP*5+L-
z&RNEwyhk7}Jp-|P8=cfu=II0<uC*+cIdTW3fUdB+9?vtts^Fni#~g%ce-iMjTrtn{
zK%bT_M-+Q0J`fy!r~XKk6OL^gpo_;<u4U|Lzi^wSQ~^T-aOb3qwxqhnr5OdD*rYdY
zEjOU`Q(_*i?K%bN9+_(6UEp$YkCF6A7)_Y9R0vI+(&Mq=+Be@G7N5}`U2&)P>80eL
zE#Bd5F8G^mak#L7RCAZPb$%6d*_aEa_NX_O)C8$h@N`b{iR3}cjb>fE>`eqtW`kyV
z&n3;DUimxDwx)nrQgn4h20*=ngv?d8*lz_utZs1Mn__P3snE!XC4YtfP9X6Ws3%?v
zKui>cPi+u!h*6r7Wj0XO`tfo-<A-*v^M(XuP|L*Zo{)A-yd;C9xqSiyI_amEA?g+h
zDblwQYmYWXWb>I-@<zSaJp$fr@`x2NFK9*h$uyyuMbQXiY~_nKoEH_hd?*^1^j11~
znQ7qBBT6qv@!@UNbO59<J;u8^207?x`6;q&pvROV51W+OTQA~rii)`8u5<k0)x744
zR3+#vB-Pc=92W4sm-m6YSx()zr=sASYP8Q88Yv!+p<DMI_`P`8*T^eRjw{-7WVdRm
z0QFHl*Uod1rZztD#(m2iIO$8HJfVwn<1d7BrHL^R3m`{9pvN+AGCK-Rm2)+-o(RUk
z2?wS;G_ZLVz;BIHa~vd>B^*NY!2FPd8Sn*<D$f|6vukvcRSJ072Cm~Gd846DbM`HR
zzaj!$czq6_iniN_r4OFHlzGxO8~29yf<^~KDj+-v<Bg{i`jn0naQY*~A%HP_#$(U@
z_>n!-QV(rpn<sL_2!@?q?Yi(#vfOjqA5LgldEUbXsd|d}K%dm1sRACZDa^|KjQb*)
zfU{Xh_<UJRV#?7EL4pNQWn=Y%haVkeT_*x9IN+zukUsO6Ic1emN-cAciPZuP?~__x
zf{4)rfPqKtDUVNJN4FY8(hivmW_+WXp9||wXD%($Hu}1=%~@h`yKO%mfu@JE>jXFA
zieVx&O;EcjaPLWiCHtYNC&yCJ9mve=oCzMzo+1tH8%LN-PUsGJf_jmU^HhOR*agi~
zC|2-1bMc{rw^z$pDReezRrt$B4;Xl?d*<*+Tb^yav;sfC?7Du*PO`c1P6#pp_2|m$
z1XXsBjP=@ZS@T62D?a1cOx|{Wpix*44q2e7ILlocsP#d`nY!-CMF`nG?CY`6+t(!8
zfyU_CM2Z@BBo^|vCLJ4AF5;Katf3~Y>(S)Y0NV+q9NBV~Op^FKH8`xz0F>8m9geJ(
z-$J9$;4jzf2$3u<2KykK7t!C!LualE2wZYF67MT~kKGDnFkl~J7e-~Ok#Qxoc-96o
z_@cizJy5LXmHFtH<>(TG)Dq}HaT|I{JSr|;uFLQgX_CaJx;~Z)Y(!mDb-;Nkug5ep
z;uyhLb|pb3mzroetR_TRPQ0I|+663@apv{#IU(8ss;bzZ$svFg`lKE|9NmCx>?sy1
zhRc02{G8&g0G2Wd&Em5MN9B?$6fv{SXf*4k1C@l41W8;ai*Wb&4aXFpI5Wt`Ndw1(
zi^j59nWRCMvklIXMtQyx)q7ACSYq}>Zn*hRbng<hBCVHR8>1x}%}-BLXyHmiCJHWh
zJP_oytY^1jPj_Bwc681vu8sqZxDgwDOYL(6P&7IW!_>unt7wo{IUysr9Z{!I^h)hj
zqs^EDqN1z-&FYDkYhfA=-{a@tM(EjAHV_OH!L?+xFC{S4a}Pa{ltxt)VGs;<1G{~a
zb@BXRYNVw)wK%M^#={|;fJn}3Jg87!?364FUZj_p!gJW-_6%0s@k-w0V!`->gZ7KT
zg4g<_65(On_|y>rLn?75in13^L{dM1JJVwl0*gHNp<+9hUDd|?!zIawhuyQEK!uGQ
zoW(wQXd*0HT$rMv1;odZWm$6MbB}<6wK|N0E4VsPx=>;hYb+rjzOGl6n9X_WComQV
z9c_$nP2g;RE>pbj=K%>@^-rP#J7$9x3H{hcJfOo_68QqsI02a{3yd)zCZg=8*jPV(
zP1Uz2Vy>1@`XM@pXGh28Vd7)Htk*rmp$_^?sFY+g-ZRECndeD1@NCrN+2NakyG)Tw
zS&Fkf7*rgW&Fgmr6lG`~=$jS8@Z>QC)KnUZmpTwMRK5j^>X4FZxQ6#Kf+}9U?%^8M
zfz2wJs;q!FN(*2@{gw+LaLl;+UgN9BW|O>k=kyA@=n}A)2KQ+P#470yO>Pj}Yn$3q
zmTHrC*)={dYAgAO8~b5*T@UO+Bfixzwi5|!sKarIgEqBA2cTSEjwU6=yIBf?;epD7
z4Nzp)(7u(jWhw=@Cv%*c9Km#)HWyL~mu^T&WO$v&f!J#$h=sr8_B;V9iC(sd_&rRE
z6GFDBK&K2ogeUXZJXQjEtoFeJ?{9B=-(vxfl00{oH^;DiZj$Od*T?VAQZ#)rOYLH$
z<+*04Q_N+9n3D%M6{QlQE%rV1dRzeuIqi<un(GMC?!K`-gt>_wxtI^w=LU_<Z^v+e
za$gX*jrH_|pFMREA`7)H%zB286nD8chwn`xI#Ud9?Y-*f=_ZX)Y09BG30s>Euz*D;
zPyib<ud`F9i}4Kr`r9+yBn})?=nyc3sh0*9gmm|Z1YS&=P%pZxmFGY|pYx}>XT-Rc
zEoui_A`r1kv{kNM#3lq7kczFE!|(9kl1CSlQ!a02D+=w<098P$zZ>eH%9S(~C!rMX
z7i9%BxAJa^HUR9E_Ax@X>QBMZgZy&=I|kIopd4AWl?yI?e9QZ10&$O6gOlGRn?EPZ
zPr=FOfIvG<PInbhVTe8hoSDFdPmYxXWVvf-1hz+mimeU+(4|#yc*96r1BT6b8~3>&
z?4v@nM+F6Jwl=HfC$a$P`KF#d=v|!xXAp`R3`G;bY209mOs+nBwveX9SqA;WUn4Jb
ztU72F%c^sp3mF8fflC~ZCtTaS;Oa`PLMl0xHCzMfl+ljoqq@Um3`IJ{A;s^Ru{G)C
zfJY|ez%pnTc^zaQf}Ten+mnNBqY-|g-ktKehdKp1Uf~n9$0ToAyphowEWzriU^^ds
z8U(9dUVEe%aRB+X-1d!d`Cf?cA?$*Jmz{J)5a)z}_%^5+K({?@Bum9z{wcZ47)YF`
zC=IMvt`Apzp1h%n=GXf;r9@`LB*0M1^J$-bN=`pVg@7VY&BR+_4wUNhb==X;o<<0z
zvOA||@BGPbxrUhn^cfUbr7v43KHTL8%h&6Vl060TY6BQBxu#nJkJct;h4+OBi6~Tn
zw+B6r2uSKAwP+EJyE$bwvz%z`*>i}VjP>cMCzw^S(P(@5*dlA_6*|>~W9PL6>4QY)
zQq*`1IPhAEH*+*zYR&5g-IGbbB(8T!sZS(YQk}zs0W5|DTCn;6mI^hsU!dV*F36l4
z2Vx{sQ7DHeK4S(RWr<bYv9_<`+;Ou<JE$L{^YcW$7x=cw5GAp%Wl+a%;)T3sVcN@1
z>MS5Z;GzL)y)m5RG`oj37EJ2m?mu&!ct4HBG<BA4Ob;t}DJ)9<tE+lnUzLgw4=oJ%
z=wLqNZ_)Xu&xOW&HfZt!jxwVPL;&B^9<92(4mlr%5U5*ksP$Qr*Q7<mSg~(5TD>FZ
zUhLbA!X_68wWBy0aASYY_0Xz9i&FHUJv)`DL<l5WBD47v&+18sYMC5P1moRX34Ne!
z-n)UBX{5>NubGc+qo-C$OYBKPfr7sD^buX*%tN3do{2d~zBx-}7l>3-Oy<i+mp)VD
zi;5B*4B#bfDuB^^uyF{5@AXo)*vS}$U3A2YeRt|*FwAjo0@&*!P-b*Yt&^TZy@UYi
zA>##piMu)0Y+4V@APl$#p#;utjrZ~S8b3d`W@k!ywntSf7Lm2nCyU2Mn+`$D2cSRi
zq3v^yg^N1|DG!;|0evczykMc8C_mx`!IU=ukU6u^pr5j{&+)+s^@%d)dr56x7(j1x
z`^3d0i@3=!z?qxWO{U>s1nOySM)Tuw+O(1471%ZadD4n9xw)y&ND~f3!NhcWICLDT
zfUi^pTOWd(iw+1B!fL(|F)ODG&nu7Kb&1z8jj<NDcfd~9H%N9^4xFzdp5Dujd~CkB
zy6~`&JyLl23G^^c48_BOuB<76N#7(v#wVz+IZLZ+NU-1Yp?L*v*<vZtL@p!x4t4VF
z$ST-QSV#~)y(`$`<0%He;zx6`B|$HrljyZ6<HIC#$Jb7yqx@XV<cS;PayqvWLpD&N
zJh(**Kih*?W=U5`%7u7Qg!|5(UwI1NdnT}ioPPClZUw))ha=Ue^1!g(!?&t>vsLTn
z%@CtA9gvqNtvKf*aquZT{~RQ=TwyqjB=OY?uQGgMuimhAn%jeC>Zh;ud7%jw3ugya
zHZ>>tW<cB=JYr^jfC;q9+w_=(0mg|-U0;;}UW~ORo^QuME{nfRol)Av2<vgidX+Vi
zZ&Dzb=Iu?|pQiUAg9j{%=B^^Lp-x_i=_8^HM7Js0yUiCP0}_frqZl=$si;*q>C7S^
zR|OMLuhC&JiCHR8*cVm(;zA!;K)n^Y=q$LUnxSAB0NmAwk(DJ+%pC@%?g)0=#P2o1
ztx4<^Gd}Et^&oM(b#z;~YB6&yTQBfXqz=}(1|G7#s<n1CK2*>e!I3+5y_c4yzH<`C
zE?Y=}hiG+cXdJ&+!GfEamoK+Hdq@>@^l`LENvm$#l!J-IPOC?}Vt}&*`_6YkpVCV}
zXUJpsND_3W_h!2UyatejM@qo6UcfNY%d2~&q(y7s@it17irfd1o<Lvr;Y*mwm4;`i
zD+%D#%;9(nY(qS<@MIVFh@7vyl+82nwM@K+N|r{{<aGChmLzRc!AGNa9|tEG$)JVu
z06$WHM<OqDJkgs%5uY#$GRO-?yaqd9q$~4PFk^n_wwZ2RyPg@M;Sst;$R=A<Z%?@K
zJwO7RttaXnzA_VOePQbzs=UO^ubu|dIltE!dwt$isRxfq4wGy_sgzQDz*Mhw>J7Cf
z2D!p3K$CH!K`jgLt%irDh;H5HBBV{pZhV`~sgJ5SPFPR`^1=+7$@A=|?*%lCoG)oX
z&1@P5=&J%srAJ5Il8=J5@ZF-FE7r5JMgMBJ1n@ar6t}Fs(g@}zVMfpv<$9e2#C}w|
zYO=15%P-l(<C#lM&Pu4zyfhw%ly<3k@@{bBZgQ~MQBHt;WA8C#wlw#<^#|Q-(B~=+
zseowaRXcftn1Urbn6#zN@iHl5Nhc#GHR(7iF7NCrpO|`7G^UspC9Z(noJm_k>MNXc
zEKU{$z&e<F3zT>*aVpp`;<BwouZk>MYbz;K*WGE<*%TZr+@AVc?%-a))<8h6lUPVk
zC)PWN42$-;Cd}vKDcn;<+HXppU4!l|UAVx`kh<hk#jY2Khbr?*d5@&r1~PPb?lcQb
zJR&lO@C{haJ7i8ZemDD`+&+7TSQ;6Aw)9heOyL>Qw-ObjofXln)5!ENUPD~ifya9Z
zG$Hn?IvHK-;kW!g#|-B@eq_;I@)&Mw8!R0|U>NR|>OFr>nzw6D^Z*P~aIvaI#Gs_x
zw)KJ`8m&%hZ^l|Hbwj<6(36T^jr0XsmOowgd{8xxCb6;1><Fl7BBv2^ETaklR<b!q
zLAQHlECjZ71|>CU&hM-)VNtsXBj@D_y)4{hV}6;ck7Z>z>>3hO`XO#rFH_Tl3V5c&
zV7(5s?bO&Ws<F18H>k-rrM4dL@JiXkL4IryVqh&Qi!h!9<xTL^??UihA7edw(c?6|
zE8dWlC+tOm>9))PV{90hV9#I5@bQ(mA4)HXuB@Ej*2?0Q#Hc+8hfL5;PiTS@L#o%a
zGQhM!Ssn+u`1@Y*&?v~e5EeCydy4rS1%V3yQrkv}O*@Ao5BOeD!6NXd0P%C+NZave
zFS=W_3g;@t5M#(<9#VORtGkXP9H`~-i*<Xkv1w0Jp@8j?vi8$=jl0C0-9nAw9QZV-
z^fAQF%~2d?1=2RJPlCPS!y!gNJTcLO(%l?hkJNO(Wrjq!>?O6jt7~3{fVP`R7ZAl`
z<s6eucU+_Q&f!kPfkyT$G2dEwTwgjI>YTj60?}P%TMc~`3wMK3ilH@QQ)JMh^^63c
z3qRi%j$Cgmc919mi#MO-$YKV?oZ?8s@tQ5(G>ew9JEy`%SH(3iK+`cz&C^f`cRmeh
zHKS#gQ?zR4L&ee4@JB+sNUKx|0NFx}3mw%ewM0BVH}P5kULs&#+-Sq^(c`4A-W;E`
zq?sRkay>56XOXa;FMy#XvN5jU4^0Kf&X=DOr1vR7y=9obp2TE|b;=T0rjirbB55~n
z8DbDuNN36IT_t^)toiIw1W~{8;=BQvL<JUS*eMTl#(rxBaMZ-tP$)OeFfLaH&Crjr
zm3=WuO0e^AY`s9B>^$m<;Uo@@;I{90lq0Jji4?o~^^+OLeYS;^_24M8jb%;-r!gnO
zdavI&Yq`AMjclL*0M=tyyM^(WcgI$<%-~G~+DiTGF`Ga<1b4GGF1I3idJD3NY_)R@
znq;A54<Zsq<W2h77!l|5u462l?M&QiFMMLk%W913jfG_>jXe?D!!t$f1qv_RWjiPM
zS<_>kJEk_n<CpB>mhYug%kUsu0(U0as<z+hFA;)f`AzMc-eB2B0NiMI3YElqkJBGV
zNZIXiQp_#1)8V{N5i)%@VpO{mHh9gM7#mm2z`|h?{dDF*U<%FTMvm(PFAZi1k5zp5
zstK~*020Bn(8Ilx4k0SAxJn6Ad+lSWx9{PKDk78;qA>P$pWlF1`wHR!n9GWp`%Wab
zw6V}TKxY_Q#OEC}u+w3Pyj)h&!|+1MvZlN^X5Od=EbInG@C6kx%S-nYBEgoYtMBof
zXdZj=-Vt8~uOtl}UZKd7dW)>qVa!rMf$?5@8AA@wGY>MpeD5lJ%#*db+4N=YW?PF!
z<33InS}8MV7I^0d0kaDxiT&E8p*i{<VNJK9T<o28y<2_i057*!j$v`Tb&4n_f}@HG
zx;s<|=jvWAfS1(MY5?6|GHk?SAxgipVqqGG(s=;H8C1_BXL5q;Wb_sBv23Wa5ca1G
z-{&~O$>|vVd~cR=0^ijEEP9q!zr!cUS!4r^=85j5_!!qtl(<W^i213R47--VhEu=b
zoT_Vi70Es9%udXjm{5cQiNfN?tOJ~jeyZ9g#v{`21|6GXwfkn3H(3sHPTZxhA$j~I
z744g$_d=)4V^tXqde5GPXJS>)6MLIbl@FfBn7*QO&YV^)d|of1Cxo6hl8v}wze9ZJ
z8jvz`fb=w>9rAG-z#ksY$}xSD4@qheIsIPj67MkRWww|$UqR!Ns2Yx=U6b%jp_6(X
zXS9#rESuhIQRz-62AhdJ(@81ow`B`1XtYf3U=1{Ycvr`4E^Iy))1-QuQma+4FN3ys
zE4ThvF8t@8|Mfq`@sEG|*W~}g{{E?qfB)ZlWGkmh`ICKT1BhVbLi?JYOADqzW@fx=
z#Ryr$s@-r-%4S1$M$(s4&#trv7sN*n;LAfll?(9mdb4ZC_QJU5Rq^!0WpL!D7XHHS
zbXmKCg~)Mk!3OMF7&;@z_bhWn_hcT{I*+V8cKBL3ea>9nKlAsDqe4tK1?=5eHe|@W
zByd7;SkW4Rsqx1_paQj)4vB^#W|Pd;H|M&7ZTdQs7NO?jOTW|k!{12_-|0QqtMHwt
z`4Yq7!K8!5TI_p1nZ30Ea`pOP&UKH{Q1Fy)A*9X)bqmz&R>6$l(wBRE<~Tez`-$xY
zRgJ={8G04&A>ijCUdS6NA=v@dp6}u0MG1~(HNLw6XSoViT@ECHNBVl*_7QgZ$LD@`
z{KoB@`}x63&qwe0(Xb@LHZfER_7o}t$>?E|V0LOQ3*&)0HR?;e1|un~y>sv+fJR0U
zOCpE(_~7r}KzPV6TkI#sIzv0)ji>LqSfWf`o`bO0u7r_!N7ll#y2`rp!s{}5ybif>
zhK~o}-eev}A$u0zeSPxxQ_~ZuvbXee<NTr%w|oo-Z`#smGMS+LqEjBLVN;jiMv=0o
zKh!yaw15;CsM2z`hhvU93X1nMH~kA|(N7&?7;?As?%uD@_L#cY9OYL}Zw^v}w6}pp
z^3~KuYrdz856aqW!0+^)#}UZn`Q9xm++#bn7r5tPO<%LTzE7{ncLenO36hZh775DJ
zhhr0SN(a5uRHJX#=^+)T!|7(P^^*$&W@EMhu+2IN8X7{>h2UxC>8gDCV!!Y<`t}Xg
ztcNZ;QOYL2KAm=DjwG<JUl%S8)Oe8_*}<i-M4FsAMg}E!In0z8_&x(cvkFHJt>@^2
zxZJ5I+wq0De?H0Gu}4H?id=fa{rj@w+I+@W5LAo)uBk9ig5Y@K9mzZ)MwMKri{dD1
zqj#e;9m%8&fk_-Adzd3iGw+7<>*M|N<8ybU=WaY^d!NYR&(9BZM~-dk93KoD1}_Kg
zV`p<}iu5MirD$2kM^ZF{UUYIV@al?v49rhl5RjxnU&7boAU>a|)IRQjBMP8>x4uKe
zKZnY8DsPjPkq2v|^n#omuhPp03dMQs9UpAIBY?wRc_#Rx$!S5RG-O(>@*d6JP4kI-
zHFx-4eArVmCUPV?c5JSv`+k$)3`0!P0I0+}w;8sH1FI5F^L8w&eD!TAw#!B}y3-(D
zKNN0;TIFlildE2PRUA)3ziPnG$IC5l*rOP&k;)|xwj`D0cg(8AYK4r}t3^m7TS^@c
z3x<(rIn*3LuJODX)ppJ9bjf7fA7e|-tG90@S1n()`@km?^!bi2iQHawgSuO+?;)nf
zff4<x<93(!m`PB`-$ErlYo#N77y<7Mu$#5`$}7QCT8<5Dvdmoe=WJUs&!S!fgZH(T
zS=478pHEsS6+DZud&cuUu@u``b3)UfjJW%Tu#t5++w6nZa1Bvt0;6aFW#1=?#V)~C
z*RLsT&0|v=c(0G<m;wrKSZhhWnZ7FF&)4m=7_<)_&-5T|pHOHFoP+JouUZ&pt>isY
zc|^VHv8r~@U-&(d^*RI*6+S|Ww>dVn9$p}qCcB+ar%6oune=nWe9@_&wY<-FZlcc9
zC8GGCg-9M(=>~)sVG{07*Lqmi9yPDTDQyT=ELv|0y%HKpaI&&n-SXb^trsX*)$nq<
z9LK`uRSO<)-5oL9b$`Bi`F!!9`}Xz;u&m-`-Xphq<AaCP8Mg8>Rp*)DuC7TYwdfN*
zMs2{TNgK<>n*=V4?1x;1NB&^MGc()lXc|F>=r9dY?Be`kzt1<L-#wfZgTrG$Mg3OY
z*F+xVCa67|IG3NEjM^{lY`xMpky}DcYZd6+WeIDo`4wk_boL{q${f$+3#kcGIOGEt
zfnH|ZHseYY@6U=pU0{6LZ}w_>W8T}>mAB^aS><xcV@06+IkF>0zH7wEqdl1|%Pkgp
zfl3p3?PMI3?&@pj5-+7O-bDLpK87xKEgvW8*2#K1WsmZ!Cj0L81}-<Y_y{!%fyNoF
zpo`hlTt}{%#(zfk3_L)CC${FrRVW2D4R>#EeT<QZjAVR$%1x^Csu39<l8VGVS=Tj3
z)-A$!2W0v>KegxI2>|55o0F*$)3BvRy`-4EY|mm*7)8=c_*GZ<t)o5dKI>Z%!_o1A
zh{xNx@126a_bw*uFvV`)y5VUkk?NqU(9PSeseM6xEk#9mUv&k2*0o&)WD;kOdGxwK
zL%HpNVvlo4@m=a6xBm3<nE-i>ApO9?=brSHxWk2I2<xTQARmsSmhZaTb>%ezrOm6^
zxYZ>UVc%^Mk`fq??~DCsWqH#<kB8?ago=2wLN{6axY9wb@szB4ru=lm*&Z`5k9rgW
zMpGBA9!pyas{24$bn}&UjtBt8y`-!nLFElG9LTB2X-x+zTi`~a{;ciOH>}#9tDRnK
z+%zx3)6V4-YO|f^;tIQ@undJit7AKS#c1=irg&vWPd!`{JR!WFR*cKwk-S86^9Jw>
z3)1#PZgzGf>|0K8Fg=c-BmJxn^*iIW5Q|AhY(FQ9w0sg9eiwj&p3emMG1*>;`1?6c
z=)<%;<Z_R}gu_hUx9`roC4l?cVhYu4lGr#b+e)bD%VOTm0X4Lq(lXF44Oa@DcVG3<
zr<cHa(fIXEjC$WSTK5&A8AJ&W=~GHRetKnXQ7-$luMw4(D+1qgqu-IEd6H;$L1($3
zGy70iYS{9L!uIV#6ws@%@%i%@rW`zKIZ^WA{j89`T_u#8*F)|kq4qhw2O#L<_>j&`
zE(L^eN!Mkw0~+4X1kaKbv=|0pOWvzO`Ns+$t3(Ty!DG*ieazrEJZD%h5tol^C68&T
z!G}1Z-dl!(n$H^Fr@sIvy1ExaH|(5q&O!Qf@C-v|=YC+&+V3a?!ZjkB`uEx-CA8kt
zk?!$>AWK@dfIwV;!xQSO>xYL#0bSXH9l&jGcF!N&Acrr~t}ACxQ03Nlm7h-I?@F))
zZBARVyJUdq{KzLE3W1pB5fj`s)6{mev()cRVr8yn?!2pebit@?>t{r}1)36G0&(cC
zh^|J`v4bb%?hNr{Ho%`1)AQ0f)6VJz+x@CjK0POnuG>0b76L}gt;aSDy>U~!2oe37
zMrPx}R;Dx?HyYumyHa0!qNgG1yb7QI!FcH4&BaW6Q^?eUa)AhoQO@#MWa24mN2pZO
z;L-Cqe?ob7MW2l7r~AzMVew_YGI+4_M7g<qC7guOeBJg9%$e-FqodgwNvMVQGXogE
z$D8cw4#*)5?=5$2&yyLY(Pelo@4;o<h6?6mZ$L;>Lo$h40(CrmsH(X3bY;uzt5*B;
zA*Dlk+Z=D8+QbH)w1u~qTLLVo$iQ<<8=ANhpWxhSH7)s_<#e6yDX7BnP&ad?M6w-|
z><%FFEk#DxBTsH3F)FRomPs0zr%(C?vZ!#v3k#XIlmlPY`lllmP2a{H#!?aY+9c&8
zu;G<$Yel5=B+BhjlXO=$UwkWdmGkzeH&LKMD)x~-Dz;4*bFac)r+Bjyn?tHBF^Y3M
zIv2i+B0IoYn1Z7eSP#`90YsR>w?6Cr^rmMg8kX(N_#hfw-O2b_Dsr+Y!NXSOK0G{E
zS4lBlAZOX3rWe1rMl#MmI|r7{Df*NMb6Ptk;7ORyMKiP7O(xWGUW@G>%;UEk)T8Ld
zm!xf*HRxk*Mqd@j_iTlfIux{O+eNp}wQhq{A%xT9`MZ1lj<%Bu@?fWD9&@x7?Y@=w
zv*vl2OfS(ms`@&dlZpgPAQ914tcFyOx@9^IRL3ifa$*arxNTW0%HK7tBSmTSu)nW2
z%<$<~VcbXcrVr}Ujp`xB>jJ5Ii)spq{$QLRGoS;BDTZxhEG53+@q73CLTfO_m1nlO
zmM)Z7g;A-ha<TVFQuRn*Y)F)Jrqcl4lt+8prQQPrI&0>@!l$Q~%==X}ema*!?N$#h
zpJzP5c`qUqJB%?`)q0xVCJ^*;Mdqt&NIQ#V$l&+XCSU#Zu=IPWkbWn{TlF@lqMsh#
z1J1HLWok>rbGQx^cJX@tD6lwK4H-;Bgun*c7DL}O^3$)n>C?k3D-&s(()gL$+xH$m
z$b~DF81Thbo$c|_%?*;vCpap{4Gg{%?`iq|zA=cSjCpp30w@!4l=V8hjIFbsJG+<y
z?v?pP(_}}6=0e>dn2;W+59rk+vUz4NV~y;y@=rHw_t}jgQ;YJvN0il-edJsL?~ZY?
zv&GvS!y!&(#KGpN5f{O!RVqSL*-zGG0t-+DhF(1rzK3pjX#g8xBZqs@pyL<C8AZeB
zhWfx4MYRfEy(oWcc5=q!rw`=eSMB`iYk>RsmIbc2pTKq$0)g;q$%rn5hc3)afW2E}
zUj=qTAcJ;(y}CI~RjzeEQ%YMUsJi1+FmANk8+*OP5XAu0I#NvpqW$ENVo$Y9@GT>3
z&X~wPyuvY$n~F5PN%H%u{(U+evjH(1<nvP6eJoE8t=}Hi`Pla0ytshMQh4PYO{*(4
zgz{i0D#@~Z86sc(W?!h2A99s*@GIP$r>>_Q70|NFT~cdHk(ffk?dtF0Sk%%UJ*`J}
z*9W3LZvboM-NAg-FW)K6gXF=5zV^0PLsLKvIqpvoy4dsPJ@!1t>p(Km<GpPyrV`(3
z_G?P5K$g(-pKi~qAo4EJd(W*mYw?*pbk_-Mx{`Zvs5~LephHPofLzR71T^Nk_u}T+
z+BUX534;DaKtEmYBoya{3h(YF-(4MpC^V|n?PPf`)C!3|nJu4I1bAgr>`#qAPNuK;
zC1u}+_D|>Ex4_+%K~+PJP6HsPG5glA6<eu?iD&zYa;A3gY}Z~eXIi4#zQw8HIa}#K
z^mjDwpBQ}mUxH%NmiF$rJN6QYq0zX;7$=6{DvuZ`vcGcZEqQ`#R-k=wlCX)=8DP8E
zWLx<Qg(%XEI^@!8<{M_23)A++GRJlR57`={<#(Z5Zc+~qUgoZo^!UM+_TzEjd#iiu
zp7Di(eL5l9<1{0|(V#~r(C-i*2vZL?^F>MboC&^l@i#B!;%bbc`uq*dGg8)9Q5TX$
zf)iCgJpsvXuV?7NnNs)i$)N~d+hWgFTL=vH#A|i;djVZUE{SjhyB1cc-qQI@@sgM_
z59A96|DIC)vJy`)UcV_hG`+05bJ3u;r)0_21Kua1;8p2|%k;+D4#g;Zv-(Z1jYqGb
z(u=tGeJL(UdOHPDd;YW_@%Wxk64G4LKxNxg515x@bhVsT@6MM>9+i`s#ZyBfGAvw}
zqZ;}`B0k-*Hq>9O0Y7jBHty)>R4Hid5!a5DnMf<GV@4JxgY&S`YtP(!O8TCHb~Lt~
zV(v&>*!;r6C*Sd4B4ZdD7SLjMfz=82RMt52O>?t_B_j8ww4sHVQ$OovZT7gzd5Qxg
zCDEz=KCpQ3oemdesAAJzr^2bW&t<XM1csLt>TGFZC2VrrF2SSo7&g~6i#`x;Gjqv|
z)u402!<TlyuZM$i`%*5rdY<!STAp_)tAmBoJjja_u<3XC7H^(I>iQ)&$tA;<mc6jp
zeWH!}UP|M9qVegNk%UqE*pO?)98flHQnle|oI6{T%S^N4*pK&}?GZ)Sd(7~z@&WD@
z)zsMb1_uIBxC*xa%u&jB48qx~ZdZX|&}rA2f=v>OJn7jmV-K@f2QPzRxhk?X@p4q&
z8L{{EdoC>(=Opxn2kLi%J}M2afic;O=-iqn%DD&b8ImlIPT2@}$+@bT)XibdZPbUn
zn?39aohDJHi*fhX(UY*>w^)vu1xm&!S=YGNf{DX$_vVfJ)(X6qcPNr6m&1(u;N8?<
zpo6_(8GM!PK6)&H;EB^;h|s5tZo@?wBA~V=C0LHbpguAI?bUk^LE?rq-lNJ)^43mZ
zE27=(7bD~G8tPOD<EX(m2G+9(XN7)dt&m{zV?wkQZ@`DBu&9@P%d8TBp|uV&_+m?P
zH}&B~6=D?c%<YY%8DKjNosgH)=Vbl((@$ag2|6-cCsR5R-CA<pqw6>idygdgPK5>D
zC<xyAD@?l^g05%tG_;qHQeCT}Hqx`OHLP?r`RDX$g+>`wj9ADfi?Y4gxPA~++n2W;
z$N1g`pM-ANYStCM>zxAMNpt6|x(C2smL~7wzEF9e&N@r3m5)Hz3qTCtIb31S<<@NA
zP@F#n-j}@9@YMAp@@dDqLxr~3a}se{ccdg;Nf*0o6^m20NB7fHDw(!36EdSE)(DM{
z(i}Bg@EEzDS^^pdOocPGGU7II`G}Sk5nMuKfMY1_?Fjm}THdF}?p8NCh>=j&@kN8d
zVHy)Mi;m2z#>l38h}+(?yOv_Ov;>={cmvIxaJNNaGi8=x2l-I=*_3K^{zOLP=4hL2
zm|sar>{XPGpf5=+oZKl}oK;vnIbI}|Z37A^j;+l)gX=t8#ht<?%-5h_$jGPLKGc$)
zj@uBdVZ|EDx<-N&kZ0ms>3%cnH~yAmxFE7gUf8hK<F2)GNlospNuPQv@}hZHuu88>
zvvGfRX2IlR4vbrwguPAO$sxc4y!40K?2;Z6I%kiE9;aqjN|^=>x>ZQ$-DD50%ZZjF
z*B3VW>ATW$d8)^>aL$O$v_9$NFW-)W2d1R0z!imPaaX3rwQ47uK7~bqhw=cgsa()o
zp8y@YZQ`rz5MYxqke`VbN7pZ;U)V@(UOhrtu%41wST=}0QB?F(TLuiqA$YC5&urmL
z03yU+>64{1bQN&qFLdnFfeqCb7pNA~IyJ`JRrQ=W_w61B86G!jN}u&ENOd}+BB)N&
z5?V3CoD(9jMa=2gbA;Vt<(z(55yuKoe|GJ{;b#M4-DBixg;WPnCy3`Zdp&TeIXQW+
z3Ue&rK)0*#-g8f2i~{MWX>QNO*r3-wUzUG*G2J91PF0dIVGC0T!sTi_KVU*A(|Nr1
zo)4-=g0h>H4!(Y;1DhGzC;)<NcsAqt5aVo8`Z;&=su4Hf)$cjr9R}@O%De5=mkq_+
zu}Dx9n6nY_+(FW<s^G=54e~14O1Gt5i3o*$tee*6{?KjB`xBw><ST>EUP@-k&?CxD
z-RFpI&YVg}H8gO6PcYSH%yq5<=XL~(<(@6hmZxXEiY~P>K#OkD6X9Gd(Fl!R6fFOV
zk;xL@4wuA~77nv{*}56&qprF$Lm1D%q8C-#>dXFm9_nFa<N8ie84h$Z@X)i}sL$yj
zzSFQ_jm5)zI0x?~1zGx?NWFS$%{<_75bl{IJQOcyYKlo18s-srAxwmX6CX4j7(ev~
zpmP>y5a9-=b;5+0{u`zC!PQ!MF4xF)kNFT&9I|RX3Mo|wR=V)v;wbgBCaW2V1z(Z)
zgJSJ606toq<CXioh6{W;^@+9q)e@Vg=s}B5I${oso<4BrNsEacAtjfXp7iEsT95*s
z@OPN?k{IYwmX`Uj`m|&wt`5KO5oW{nSI{`GetOa)u0(#r)g}8LWIMA_+s;&SF4xQ<
z5uJcEM$gjI9MhzN0V9r-w>S{|I*Ny4UaZ`wngl;RdxJFB3-WY@(RAvrn^McYwZ>E~
zIEDw!Gio;WI1?FLaTy!;QP1VQdegIFk!*_sd$lJbQm?V=!Q&WbNu#%Px%M+LD)n>0
zVZ=1o+1Hb{v59*Jb@`M`@lN|3-b&z3Buc?_a8i|~_T99P4RI243bpIzCsOq3-l*%v
z;}`B5Rq$q`Lywfq5j%`~UkZiRGow!4y)B1Sp_(H+fjNs~nj*e9<Kf_<5t~S$u(PD2
zwdkAVxa8nD%m(<GAx~c6<fYn9)C)(F1$_qvcJkKbEgyps%)ESt8&$dtb|6<8)sDk~
zC%_%jT&0GqVf=~Jr;lGhdb>r|=!w{X$I&7(Ugqf_<vx`-P5Ed?mKwH=?M}VuiH^gT
z%OV=SOFrMMs{kEtw9wb}PS&(28ck&icmiwLu79DGge5XNe*5r>3WG0Sz#~X6rR&^C
zbeVKn5}w>!7cwXfc$IIvO{)aSgY@oVEY8TkmBpWqp0)gpO5Pe7znV&$KyhPz`be<f
z5f<}Rb<o&lN3!%=W}-X5A$I7>e0zQcHiSt?URH5ZI&u6K`8e9{n$~Eaxw}ME{>+*D
zuvXM8L3YPclQ2|c)S>For5O8o3x+%{fDo=QEgnqN-3tgN$bHLYWN)SRS@hGxFTCET
zx3gXxq{>m}3m@aCcyDy?cv7}1#nvYJp@b(D>|=-HzE{s;oA~(v%H1l7lCdD7yu3cH
zSFa9Yw4c3qGjK{{0v7Wg7-;=Y=3{W?9&ahAz$D>T^eTjkdfhT!Cs6P+l(;ISB0}Jq
zH~pGa%5vR9pgTSKK?&ny%Y0vm34JT9-AuW2u`|5JTgs`kQeL(*xt`mGA|QG0n^n&a
znUiITW(7m5;TK0*ZY1O{sM9)LQ{&>EXxW=8m8NVK49A;d9MCq)_X{(R8ZGONoSD0Q
zTIbTD<-Mwlh4nNv3d3^hX!(_a#CR3R#R=D7il;54>dGF0*NKLFVWyvcAMdQw7gHYb
zYaQWk<5$JQD9~Q%E$0rK<wJ5i$QGPofLqH10zs}fzK>{waUwc=^3B;A<i2N><$X6n
z>@=QcrjR6Y{jSF7r<bh??g=D8!M)H!cqe-Pgg|%Xy&@lAdtGG~_;l`QQ#{@l1q0qP
zyU|5aL|Qa79C^P_)IOabxrQ9^bcae0-W_{L_U>5i`Sd*5LP86y#&`+mpafcX%@yR>
zR1992M$rr4h%v*Uy20kz(=CwU>9hpK?f|7dQ!BTj@p5#2;^vP6eXi=b?z&sZN@u8H
z?rrfQz<~xC*`(Rzy_YJ_O#!*sfU#e2HhKsE@NNx)CB+wRrk}X&PIM(&BtUG_wg|Wx
z&oIa{>qNBG5sg(XIeo3w`W&#AB>mCreMvfEQl5H+usM8#5wtV2+qAWY0@LBAoYPEf
zdtw#HVVRyka~Z*)c59y08_Dh79Ef9p!fBigP6cO!T`1~9X+{<Bl0EOJB^x*+cSS2)
zp}3}C0`@QDzAuWEQfejJoP3u{jWOeBnzU!q&=bH$GEX|X3?MQ98VWisDbz9~SDiFc
zr_P^hTdBX7I0~Mvif4NVAneP;Q*zY$UYQro^I1&r%%7PylB-xxXiEiJ*Xhv|h)RfY
zo+BovOa=Iv@u;l5VX~7_Vc;2<i5jpw1Q-z5r?+9B$>aM5342MJEozKv)7e?B5KKFY
zbSif*%Hc9{Ri4U<JnB*clR0e3m3NhI%E4+$3JidGFNwHjq;R<7wJruk1C<iYD=bd!
zxE*?9U@sJYc8DR4qf1ni#018r)AbY{T{^Y_$DRTTBP-6X8SA>XVR5Wk9|rZzNCwD7
zDx)VzPvA>=`hB&mx(VjN8>^Fe*>;bG%%;)CM^ei74f2EzoxU~0tQx_T^xU+EwcRyS
zXjZ)mLXWowfcs{1-K;y`WIP2aH4O}m@dD;E8}`=;D8Y^O^W~n8J)1dwOh94v-nl&6
zdvv|#`TQUy5`7B$D(-Q^3njm>hN|G4%nC(A5i)x8&K{6`;`hDn0Wgn<8*Y~Jyt)Uf
zU9-&Mfvj?HZPG}tJ>z~Ucv<l-%4g3yvc)N7swc$J^2!G5`6(N`#b~O`H^<NJ`MlIo
zU_fr-!wp3o3E9eK`#CunzFIxH;I~kEqp=(`5!oFsK?NxLJW<(5=_1HgfC|*?nR8Vf
z8@4GlZ<*)jTn)^@7lPlHQGE!qovth>O|aHinUGNK5bzZB9oriX?5R-!&&+CcjEii4
zB~*Eh1-I5S)grGHyaC$-UaQ9V6r(1DaK2XGUZ%G#`QmO$BC$r3f-+%$s*v(wA==Y-
zb}!Uv9XS$4YKU(E1~H(p9>$T?3n-%~(W;DDeKBJl?xn@xz^;mm%}QSwe&15(sk~Zp
zuQ)D4Y#Jay3G?)Bv1d4<4hcb-!tacY+ORjXj3n8)-}Sxm*-WwP<X#XxMheC4z9`qj
z7mk%uJDMf+Uiji^JGFMMUgPs8#qIf1iDnMR`gF*h0xjSu<z8lVc<M_;6b6lWJt}QV
zFteb;f@r<3EG8Gcq~2QilK_NxSoMYC_w^NNg5$Y6gJg%U%26FG7J5^3z-^4-n~^vb
zJfU(g2Jja5$0E-`b(5}NBOs!8;4z6P(Mx$St9vumNuhgq1;7ta3h=hC@o7zwU~x^3
zi1z%<&(b?w#_HlUqqBAUa5V46sf;{c3EsVa*<A_I5>l*7y!<TdRc65o29E2Ju1e@A
zE%6tQ-}hQKOc+Z!*5*l^>lMo$&+_NiWbbmAwHn#BM(>`Ampp5nzATjkwoLJ3*+b2{
zm$hb<il^eFXSM2BQaX~j>EN=I8$Hqo5$NX0h$SylNArl`7n1l8_9Cl%!V6nv5jhnD
zrC>Fft0g8G+pn9W3{}=p0t5ZA$v9DhwV9vtW2~jz?TPqA^83OYQ15Q<%@eCOL%e&L
zM#R`jlBY#WpyzciF>d1Jk=DbCAX6ml13KwkIdZC8iI{SFibt$Baz4T>>v8Cu+}ny$
z0&T61YsP~RclH8Hx``;Xe{WnEb_5HaJj2=az9SWcQGf9iar;K`&5M<cZuh5&OoCC>
z_aeYFFk7<w8iafj8sEIwFDykru{82or7>|)0qECe`N$Qi$Kf4A^C1lD6=Ae=LMDTe
zW?{g}@sY)XF^}0AsWn<H*$}EgM!vyiI(?yJ%088oVL)x23``n3_yAwgai5pR+iVwk
zKhbnU#3aybeeP#I56#tGGgh|aj2Dq{f{p@CU67a{ANa^AZ>D4=(}W9eA(j-l+kSVP
z?<=zM^COD2!Z|K8Xft_l1yvUuUEmU1+Z{Eg?6v7W+6w2(E;7y0guzQIf#K!S>#>OK
zuxAhiX<0kZhTQMmdFgc$ww(iN1y@DIf_Y7a0S}cqmZI*@-s56?GGIag!%mFx(r`uG
z;ohzJ^B{gx$8)@F{JJ{Vr*XV7H{@b3BY>x0KXELHnfX-b_ucswlHIJ#8grsLG+6*E
zE7>Y%d-7pD1DkN_+$3=onW#fQkGz$KWY4J*aKZhF#49yq&;*i>l$O#9E=Ud`ns&3t
zRx3@9wd)w5*Rs@}1;6WShTP24Ux?n^zQY23#@y8L(u#Gdgv?%sG}SE8_0092(An)-
zs~z~#Sw(rM?R$2ndx4=aX-fV%*?eEB!Jpy*Xy3hVePu!&V&t}xaGBL09d+k1#5Vyn
zOs_2hxSn5^pWiFM<9##roF#Zj4glCy!%uS7E^{^%<)#IO$y_!C=Y_}HCzZ+52DU^`
z-CG}csTbleOrMWxK2*t+C*<4fQ4^T}n}wmrG&lXm^oUhOoJGho6ZO$*-P<{O2Mi~>
zdtjFjPKG`){p?5T?dSfYkYIJ8BQ#Q6HBSQ5DJtlgdm>*lhK5+;^L~Nsi%TbMijg|9
zv$YYDJ&xO66>SxLooYVdxEV{5Cc`lWZ_($O1VOKpSG+Z%hevP9NS+o8CG2l6Z4whU
z>cwM+)K#qlldIhDYg!#1QcHq6VC1akSrS^{8>zYUYATCsx7R)SvZm^#exdq(4KE+j
zXB6_5@k-v3U#C4jf8*2qJg`gjwY~yBD???St<l$sJ2jPdEzSD?Ui5}jReIZk0Rz8f
zM)s#68?&Y*2=C~spRjD#ZZ&f?*-;$&>5;7ialuvTiSp0M5_UDW(`OvY9+6}}cUr2(
zRmbS4cn1U3khp}Ib*~V+>`gu6SM7snF*dy?EVXewNnZ|N@ID=2#Isf9(jPxsh2Gm`
zEX=prQxJ4WG}r130cN>_$1CI~<}R@t`+Bcl8u`XkrWa(TCOz+7w!hOi#gl#O0*y21
z_FmiT?Vh-O(}WLP5d0pz&C>CELM87}KAT_2I*_fvdqI4@yEupbT%{+hlqJn4G2+G{
zhld}h<N^;Cs;u~6K@9}&1!|&>>cg5u>n~*Sdr~ryrJ<F<#sU<5q9q(AeD_dQaNg7K
zbpxR3Q=Gn}dTVr~Zz4wm=kR9N>S56q06DkhR`Ek*;!>l{#3wCCf-Zlmg<}?nS3pcs
zI-4pAeEj0x$atC43_p$TpV(Tcqc1!Q<dM93xv!<HWn@nyk~6mU>b<A5>$eKrDM}v3
ztg$a+d=U`kW=z_{z|t?iuqF6(19X_hR76DFHSt$T{R#*qyhrS1o9%<QE<7lSfUPG<
zEA4<|<1!sWu89t>-JmKC;O0#iaHcaknV`61Oy?L0A1@EF<z`w~kb24#w)TQ&Y+I99
zm~(qx;|2cSwBv^EozliVef1nDjBc{cnl}*{i=0R?hFZpzm&FF+Nuyox&Z_2t%+pnF
za<P<mYWF_T{p?_UEY4kX^ST-hlnd7;pnwimmv%ueV$7D_iUJ1-%RXBWFhj8mb!2%j
z(co#|yVxszrj*2emM?CF67n@*D?{J9k(J|BM0(s=H{x^(8iUxvLo2_vjJ-;okQR~q
znGm`kHeJ~mPGS!0paaF3$mH>(HKuLGg9cqP2xKrr&o1FhM9vlPIrj1nb$+wV7l&W?
zvVMB5(KQf1*o#1v$}zg22He*WTp<ysef^}19d^~VOSS-G9W*OyL{|A_A!I6L2tqfg
zQ4jA-iAUQUmD=?%Q=I<!`g^#YZpqw!B9rf`a-@%ngsgnSxr#CAa<)x~e<2*{^GXyR
zVLL@&&2@r@Cq+us6vPmmrxaO0s1a8dJDJCU<K_qq8E@xfZ6VD{9qIe@-uKznOn3W2
zG==oVxtWmT(^=*@deP$mOXv)zvH=H2(ix-j;AS5vFfnYWn!+J+v>mC>RuU*E<8B5O
z-W|vV--sApErnQY&+}?dA8p!tsYSZ%qb*lQ4G!<+Za#zbqa*#9$ke*{7C5=91TGhE
zZPT3-a)rCrjLsmYML>=_z(ikzU%xQ0z6<3jlD4O%z;X9H_tS%gJ~7T|DAnLqY|=O~
zUyb)tlExVz9QOebopWUCd+b)19pI`0;L_C7;&PkMDuz~QRFaA!ZJG@p;GT@a3=HAL
zQUzRYU@%7ED{m2%f=AqY<zyp=1k6Ag11Q8VJl_-o+t1uvRRb~_V+l^zlfEM?WBXQS
zk<DrX*JvJ1hfqkzlsTZr(uERiTT0%A#2rmMy&*`WFO>DO(=FazhLd)$muvN3g%)q0
z_tTzZBS1cL+TOusbJ8fQrLsCfwg*9^n2QAKM78R2w3g1Qulj1)Z(W&>-YWCmVz@6>
zOZG{mxPe8AWgyg~0w}CY$w}#%>48uv$3*wOnx8nY*ETe58{tATDX{grCJOo$hcst6
z&@5o{5<gPks>qJyNZkkTNUrR*rVr1KWEz}5asHm#;v%b3MS^w#r{44mO=SfX_%%EX
zRv-)7eUnMbz&sM*C~gH&wJ!$hMTe6Nkv}N9lZh4-xiC3DYFf*HHW}KN4i9cQPPr<t
z9`MAHcXPQeyybWq{pbBs!|iez2W=jx0Kbr?+|8q)93>&bN{duNLc77@^DwV;zO_5#
zVi$YYmv=P;M&T~6^rFc|)$GM1ctm)UUr5_$_hV0lWT8&Uol9Sg)@N?x8_j7lbzH9Y
z>ar+Grmj&^c@QpFwFgsIhn~=gSg390c;xHw_rlx?icw#ul%Zw(DZ8Kqw6_eps>{cy
zD2*cc0wQyQ4&GZRN$SXsF4TlhI>&qQyAPr%wwOe(T1P|hwzM-g-dShq%eHm^0@a<)
z9e8i{#CntWv^HGKS$U|J2Tv;B^ZT6c{CfjA-n#EaHL~(MM6nl5&l{}=pO+DeB{f@}
zhsLIJz0pc<*d;@3@?FFia*yGKgbG3LV+D8xq@|5#6jafVwLqk+j7Av76$Z&PQGinL
z!E*D-%V1UBHv~J|Ohf*bMD(4~3y~7~nd_2XVxIbxN^_V!#$87UYBN3SVjey4cz^(#
z^dM>QT#57Hfb~YORoAw6A{Zs6`Fee!9rTIzURUQm!A6Ry1*qsfXto!_yD<;jY6Ku>
zAM~`!>{L}wxl2mnE2e~o0XHWhz-3@^Ph<8+m$nko(1LHl{6N|X+w#5e0_+FCv~lQ0
zi5(=DXuTx79xVHs+mM{-QJ0|>fk$`aPj!=Tyur9u0F{(I+vkAJZtZY1EN~1uaEgG&
zhB4A^Z(e$K^Ml)*SIc6HXO8qRJjd(<Z->v`_?TN57#Wpb0}zg@Cxeqbll6fb2B8EZ
zbl~uNo$nD>IN>X;&1}MU2TN+^^A4_gR1nmS1=>5uL~mpVw<*lud+&%AJVi3a<xvT}
z0_x$Bk<$RnTf>&Ir$qFUFD6!aZNZ;TSH0ff8~8*YrSr7ClhzrN@-8sGVc1n~H*eY&
z&m3%-fi1{=tl_C>RnTg1y_5;z3pw{liartl?2_rm3$50v96(yC&H#RvsZ4KPSct$z
z^@6@mT)YZPhQen_@Ay=;A&th6pYN;z_R*j%k#O@H+~(3}Q@uy$7WcN?v7a-P1+sYu
z;FghWN}~~@wvK`><k{StvoqZn(8EwvIrl{U_q4dXCEC35E}gl;WiKU&n-7TO9){}c
zo$>ItIDKO@l=BKnlD!rP(4Y2uw0Qu6BdF8yg*kpti=cs4`YxvDaA@56k5Vpur{ad{
z>u{M4=QRFKfdN+(mysr}dX<hN_3D`};0DQ&R(Ig6622F;D)3t1IYZ`hJP2*SHjSr(
zAjm57b^{C$a63vJT#q*WJj==vH$5l#jdYY!E95i#=`E1XZxONH`hzvM#<1s4C7+FZ
z@xk$A9?BGnu-3GK`DHZ7YKO2hkUb&}b$>SLbwe;;sMBZXJme0e7V6^emv4@|!;a<<
zd%>d|<*C-XyD~lAV)Uk*!hC352oD)t!sVe6U|2<AmsAp?*NE5~oFlZChtK`ti^?dv
z_jD9ujvn+fi$sK2`L=_bP9(VGg1-Q(mQXB$IyvnWADJxnoce|PV8f+L`=E2}T|`cd
z2^A?Xxz;l~ivvR_KwvaL<1k0&_bOuYxXKEvWqpjOvR&eFe&NoaJ#<;jVJj>m=e3!z
z%$q57?ql9#HA7*tzSl3sccN>0=DD6~oCA7{yvSgEmrf~|LMm_D2&*`=LZ-J~x~Ar3
zu#-*&v7l{`AM^56y1+b9g+1pAH_h(6q>OM&l2^#qy7(XoHE<C$9<o3Gg}mlY-+QD*
z&$(e>;Au#8gHY`ZyvsLeiB&}wc1lK<&$O<QeIEoqh}*(!Sg$)4NLA%8<lkpE)wd0V
z9pbWpcdNr#B{1)`MQH?&k(#6O)Uy}Q5`@*BVhoA{YEIGPllBqF3_5`<))k98nyfO1
zq!J1?m`sWwu)gXU&PWmf9gKd5x6JzrH@6vOymc4X7?k)1<Dr{W(AyFl9cbF=x8|e2
zu+J_7<X#h`$L{Dh4Qr2~%U&|RQNYsnv9wv~1IDoQcjor)K-|H_q>By#T}~9MKnp*y
z|Lm(0@+wP^`j~7~OD2v&(E%JDkkZRBB^S^Vk==B55+$bB_k^zUB_YEsFRBcpGbR~K
zbcOYL(=cV|35=lvRJ~48?+f36(HB~fsu(HhtvsdU3CeG-wQbusqXD$EpXgx`^kA$x
z<`F!3+3r6l(u-$LW6F>=Nsr_V;?CRxSvM&y7Lo>bWcTG9EUF!XRzHLe&czAWZ9-hQ
ziF{xWT|RT9e0Nx$xS*mI6@y4oH+l(q7jS<3>>d{ovtPUf-eFojW>vit2bz5CSknsw
z>)P=0=Iu0Hdp&&E6egtyrW}P4ufupEBd?byhE-e%fM2*E*CnbBDaA6r340G!tpM!d
zTjLnJt%F-`rbf#|_jGms={yo1b#JTgHDU1#KM@>0MYTX6RyC}$<LA>Nlv57m`P45T
z?7j3xB1_DNO^zU|FPq>CfBo*YjO+C-7L;&=afp%~YGop8L@&36yN09ivWQ_*4gI|b
zD}{sd#A--Rl;B+k+U4_A4M6RB-gwuzxKGGlaXn*;1<1$#xX%?ZMFbz>Hj)6ZWcK56
zHBBs{ux(3lfT`PsM?o8GN7w*zXb<rj!~2<b$}BaOjq~7)xhIDsItoc2B|KeB^Wb52
zipS}!Hf;7_PB>6cCoe$IibDw-A3rvE`I+nOdzUM|$+v0jVLS!pwYCybwf6*rjYn6f
z$1r5mU9KZ=Jk*pT$RwH)0)PVP3VfkU%Jg2KQf_&lTcJ@O=U@N{&neQG6&|!OEtgzJ
zG!5hVsQ{veB)BEZ?%Q2i=GUw-zAHm<8saG9s*@3Od=?LWz5*V6rI)KHy5^>==3)7Q
zG|+KVyqi1!z=d-hO}Wxj6m^(@D2mfOTcyi^HwN&uHsaHT{Ck?U)`h0B7tfzc5W2d<
zJ2<Nmm|<dZo;H6M;Thb6ov(Gz-#nalZ0ZNcucUT0gI%q-rV>D?<s?>*RV>h(oz@J8
z86l9U+pA!4h5IcJay{;SFAPo=8Z3r#Y%Ez`^q81J6IP+rdnO+1x<00b8@=;;ha;K;
z7~qR;ozxp^`6hSV+&dsPs>9yiU`M`}%{mpOli||wtZgBmWs%h(^q9is^Sn<M{L_mx
zAdxBSX_4<->a!r{(f8i6Ve6AX@Vtp;nHpkQC@sBv{WitdL|zR5J%z_yg!(!K*VWJB
z*&l!~7PK$xpjPe)xN!G_ad|F9<u10#ShA`6x-aQCZI9UjRL91{;wD?sGl$34U1#$h
zfaJa$kQLD1Q*V>jWIuU}ISm5=11%&kDMD2dOVt?gb!8{LAuT=SZCk$xuH-qJ^Du)A
zppjFtcbfjiLwxpR@zIQ^)+g@tibMm|4ALJOJTSuUzIkP_+2f^>Y-+tyX=@MRb+}}U
zmUl;P4eD*p>q*HeWGJ{Jrs(!j#4UW2P3lP(tIQoS%N$|1`LKo3S{4~?q-1i3Wh-qY
z752&CrEO+4%Slr~!Vy~#V+b=*zx~Aoj!Ru+Qt5Ovf~<{QAZQ%mzK-zG11>Wa7!&6h
zm9&Hx7<v;dd3!foDpu_mTGnVKA4~*%cIVp55_=pvc3x^AOCu#-)Ywi?MQ{0D<?{Mf
z59`z!zg>JQqgi2;JHzsTSf1)Si3{w$7NpIvkgOZ#V}^+vJBwASD&^EomsynB+)X_n
zf|ukW3KC1oG>EP^SFkG8VA-B1!R{l?WVQfZK%&1yMy{uFCo3hn{d+6n(wE}c$M+87
zq1G<%NH)oPs+1{Mb2zm8e4@I^`0;a_BPjHV(<^<V;_3n~)j<YLzqr89KJ6=x?_CC3
zjJiH^CF*?wZO=)eLk24!mtT}b)^_>?Kle%Fr@Z$7!|M&|6%-g40rIm20lmW*z}kd+
zRGt@Wn0Q!&>gEU<^M=`P_5kW0##I3@FwUvry<`gu(RUi;G#jn*!2H<^ObSRA>ca+_
zKd&0+7ykPKZVK)P0UVwApbq1Y&BNg9*e*rXgzREs%goXq2dlBXC*$zO*%E!ICeoWH
zlM@Gpzu2J9j$I;+u(`0U{u*_VpYl;qU>#{YEnUJR%7`|cdU^O}qV1S>Qs~Bb0IeI2
zrq=k4Gaif+4Cu&tOm;sP<G}aM`{r2$5f|oN0AnIZmnKkD8m_Lm+PI|1i@;`|<BmOV
zT--=ghFZnWtWFJbXpU&SvP2rB-0Pn`V;&UC)dUp00eyIe;C|MM660H_v!1yS$0BZ)
zz|19#0_8ZYEluxfon$|yJ%967j6V7J?A^4xslg{M_jdI3+*PV_pQQ$PZjbe&*jL-{
zU={~D0i7=iFrf=y3PssiHmu&Mf+f@A-MB)mK3-yYw<dQzGuqO$l&|N>DR(FhAm|ei
zA67AZ@KT5B-FqhT_>F0Vuk(XwCXh^2l&SYXY$^hYaj5H&(i3|pPku2nh3`Fj021bg
zm!gAk!nIcQ0I1(ndi~ydbVP+9k(#FI9l1Xs7vfmjcXefg`_Mwn#=jWh&n`Y$h|^H;
zYziJhipz=iqX|Y6QF5V2{vu8_VagHzAkCt)p1U2C$17Jxh*0{}wc1MEErmVjy#|59
zeWZ-lZ`(7D5}u**I8m~P$L`B4z<P~`iUmsJ#)W;!?l%l5_)dxFp;$%jJ>oWVF3W5m
zhEeIks`OEhrum(4A#zI5tXgNQ)0Q=!9~c0lM2c;DcT$<Q85m1Tb+=kfYSvqQ6DR|V
zY4VzH60wBd7bowtpFi4&q;tq!SO6r8q{r`!aRG;4zE_xzfJPdG4HD1{$4Ic{3=+pA
z>+w>uLt;7&dx`K_M4&!;>k>mY=JD7nhKwH6d9&nHUT-%O)$>dODGCmyad8#O%B~Uj
z>eH@f_kjqmQKAdok*D~Yq%<Q_$i!na@A}YY&VHt>;5@^cA@VF<&lOlK>^cm81$jZ4
zEos=bik>$Q-DXGYDL%yHSfkCignSDr#Mm!<zF3jZ&dwe6^a(T^b*?Wv@p(->GCRhy
z_j+jy4dm5K>)f&C*}b^(Bqr$Qn)8LEO^O^&ky%8QA&i`zDM1qwUK)HJ8>Ke`wA4JD
zujGxwaz0~z%@)Wl8p7tO8XILa+e~@#_+9WlMboW=_xhQ?r`87W3<etNL3@IGJBs7)
z9={JmH1c6sm0{&Q)M7WI-I-_{NhTpgREUE+PxQ1GBPoiH6JL;|Qx8kO_W<%m-duh0
zqVVZpxGJyAx=`e#&B8GC&Be;_YtrP-(YDiKfZ>=e3<QX$fjOBFQu``pTs0uW^pPve
zh>#v{JUyG{nm5(v5wR-#9->=1UgY#ha?6ptYA4YG6hC=tJl#l4ryJ;7*V=-;YMWc|
zXyU|n`_*kAENbML7tcN)WSe_O{@@ogN+=C~tQNZ`@-tOn=~o$ok5|D5rSt5Og)+Rm
z#8g@lRmh4gJQenOd3e0(QEMZ3_sPs>w^!0rZ}ikil>n5;=%=;7BcY<<N0ZI7W>NlE
zZ}cNvIKm2%L~TQ9+{Pv9<t=?uUhhcx6jWi8fjk^{YqY&NS&dvu1KW2+<Gr*VB(w-y
zoM=KNC}FLsky#ItJHy%5s|HniSz3h46plO_Ft}ngS00Iu1kI<QEHd=7@57R1<+zYY
zsuG$JmCajVs-rk%uiQ|ni1W>32r#_!MzE98s?sbB7b0H`n^lmIxz9Pp^phLG)GO{+
z4sEU83W#d53h}l?vreuV#F*Yz>oao_P`o&@wT!3CS%a4np7wNKidp9gy%yR=bAN^x
zRNibyY$2T(BNFqTb{1+^Pj5h3Tq2P6u36p7!V=(?iq}M<IVQ!Mtv51Vq1pKgIGtZz
zy^XwZ@9jFum9VaWu=xFQvf@UtIP>+yds(GD1<D3qG)Tasl9;qr&leiQh!VYGPu^G}
zo~gg5R1s1->^;-)^mA_U&jjF^2S(THNfTO)P~3s-5WB%(bVVSYb_iMHv^`FJ@Sw2z
z#U}Egi#bZeMwsI)=Tymi+>7mDD}wI5c|@2Q>Zt6qAh}pf6zuo3dIjZiiEU54CRH*b
zi9rjWMXn84guQJVu;*{02$S7lDKi$d2{UP+qwf)bLpo&O?4sV!*TeCINwNi2wAxEh
z#8fD<G9!tqDXn(`AEilea3s6u0TAU|lVlEkRmI{U`WEsWVm|qa&nzH(fqnx}Xn-{W
z@4RQzfwMaav(a1hWd$@P+N1=vjfT3Pii4PNhzPFtFfZI5c&F|>ai2H%pm^VFU}BLu
zY+)3AWA~iJg!w&wl4_2N*dq%eWjrV6)Sk;Z0B#nn9;${L&$@+{ieh@6@&qJw1O<{$
z5>ZJK;uEN9SfKZO=@&y1NE!&qPieU<o5+Js*~V=G)U_His^%rrQolA#RIgN*BlIT<
zizHJ#O*{b=>ja1S!4Lv`#)8x*5#^~^(!Cw4mOC2n*^_9W<iTxiYip;pM_y6l?^108
zPJO8Xu4?BgvZ}72`s7R0<B+rDW@joc<X6|xl^HUWa7#k>Ubd>^md=B$z{UY`x*avZ
z7JJIWEk{+}n#O=vPfRnp<WK}*%0u+d?3p)dT0_*P6^Hk=vjCs4@6X|ri6faSQ>5Ss
zQDfm|74a1~f>s{itAszRwvxX0fC0p^)u>k}w&1uXSsf$P93%7co21W#0LxjhAkR1o
zpr<t5YLGe?=#{)KSrJ(6N5TqC>$VaP@MN3b9xy%^IXKaNrXeGmc7+d3gYzhHM=0><
zc0<l&cjP4&HmxI(Uft;_=dAb(#5N4I^euy6uI7_LsSYe@()T6=b+|dbQQq$JMf4hc
zj~X7gB}}DcOW_DBWUf?z%Fl%Di71Za_EPKxMGKx!cdP&gfIW77xy{+&9;?&{hMjU=
z+I`VbQ(VO=fx7khK^RZlCrzl|Z;7rYq#lH>GV2Oo&$SPBqsbUfc8m$6BJ&Vq#AY_R
z6Ii_0n_8$tri_77PchCOPtr0ZG(go9{yB4&3+-`5ZfimMbnC`qRwm~tWkYJqtf|aW
zvmusgEZ^*VX%A5E&MEupr5{?@a8Vj*Y3TB7iZDEm>|M?$O(|H-Gy@_kP``-s8^C~I
z$1Ov4;D^DA<Lk6R&osezx{0L96Iq5(x}FbMfjy;neYD1_s#7V!{0zf6K8d2w+(4yM
z);q2$TN|?l4irM@kF+M!S|=lC2;76I=dLob@gYTZ&lntQ>=nKs7Z)EY926ORvvgDH
zkX}GW{y+qs5;~Vmh+lVfkSjOV%Thgt*9S`2BTrOL>h38H*Hf%{Fh`Ez%f=*t^;}_d
zMu3NObTyd$-og{z*r+@nC(BirD;!7r*`LOy<vM2F3mf`rrp^m87LYqj(?pA9%#sPy
z)EJL)o=ct0jl~Ln54J&M7Q3C^XrX*k#h(!ZVM-v1dO9n$K`EEH_Bo;^#TNQ<z+zQS
zN+%>4dS3MqKgRa}K_#9C!{cr{QWA2kvsqFRcL>!aHjslB6lpr?&NynqM;khjw5D7J
z>e}-NOQsxYvUi|$RDk7XMSSBOY4PgJN)2*2bURQ`88IN&05ka$e|1NuVs2Q_2bTWg
zUj7afJX)3bWNbC2s^B1Eo+Tb3`@94=(gJIxKK5sLa21_E)QW#}1|VnD_{g}8FW^MI
z`6TOohKXQ)vkDzyHL2i=fT@h{^zD1%CwK7#S|H{CbiL(SIJXLRhPefrWL828$2tv2
z;{x?_2$Qa2Ky)Mo#lo%ZcRrD9j!RQo=<sL(w=V!K^(Cy>d$w)YwVHNL;&S$YcZrBc
zXxQr2J<><6$fNa0EF8ipAv;UJ)0CjGi+t;C48!$9R^0wY*H!O1%z&;f6qltumrkjs
zV)w4VBo8=rY!@qD$l4nPl@~EiGa|>=gSIT#kgTlb@@<3fGghp77Pxw#24@OOZxO7%
zwydzW8J6eA=E@u%mU7S>z$h;|-2hehnc3s+s|D10k9<6geIMz`-8w2MvK?A(-zk>S
z)GkdEgrYn2Eji9*$u4_g5W3?NSX5w|m3<?U<MXalA&js<gDTsiRuXj4?AF_%p`8We
ziuu`W+~W~Z>~aLFDB1Z*7_(<~WqY<%H}d5*Z0peWy>!Eif*32TmKr@D>zF~7SH9$}
zj^fEGf-{rlrT)ZX7e5J;&wz1*v4H8krQ42B@x-aiuP*7jBB+Gb-<3TdB7Fx0!xai$
zI9lHPys6}6TyGjNLsMo((%YT_=*ODX2E>Z#ROL=yF04`BM%xSEbPFnCsO%9<348fe
zo4Mif<8+RP24WnM%E>`di@VQ3MtgZ>U?9|P1K??BiYnjh>_7_uP3kQZc{C=Y{_~Ap
zhmXG|^%{uIf#|V%bulbE8@4UtF6$gCVnevyu;l3?0Kl%RewoXwFEQ#pE)utIOVrP(
zA(2Z^dbUv9mf?|C<V-IgTqnu63ijbW&1L639e)qSEfX7F^Kza0Ix_YuKItnD;|ay}
z$5aG#DS5mQqa>F(PEw6A86~YvFhE(8blu`5HGC^zbp%Mt#~_a#Ll7FNns{lZ-WlS6
zTe|KP7K<=4D<{oHXn7!zEItEPaC?B=$DQUVb=)t0k@gIqiU%}TH1N*V!KpissMv$b
zNiI|J98Iz_ie_m{SJe<+uZW@c*jcEdkukX0L#$8I>@#$j?K-@QV+zS4R<iIiDo89E
zroibfM-C5V5ob7l#l_^JD2(S|Q5LBi;b0&r;HnSkrqQ%PJZxDawF}d-K#iTZUKl#1
zt>m5o`@RkxWG*tNKznG*fx=R<Sc3O#e8=|91CrbDX}5|-B~pBK$Adtz>dQv6hT*_2
z)+q#PJ(D>h9)ev2>fQQ_HaM>|!Z!=c8H?QHRF@FFX->`9AasH{keLs7!VGm`zzfeV
zsvfwMh}eU6<bK<W74S)$f5wk8!;#*T!F-s(gQAbe&~Yef57O7)1Uk|Y><}J4t36|?
z<5bvtpw?{s%B9+So}oD$!gQ=tV2LwFs#%2sp`YPe@R5b(Cck)~g5(sSGHg{Mn-+Tc
zPV~k-v|beTVANwm$qBVKq@uS1Oam&!v_Oqy4`OKN;nRvS8B-pisql#x!v(ja=^%9V
za~|s)8uF{@=9DqK;+)=XAx6%5IPVTGP&$*}E|NLN)X_#-fiCvj9wm_=ZPW%`!M%ZR
z;{201rU@yi$Q(*{)L9+S!E*(00jcrEhxAT25|vAma#rM=Wni1#VNbvShKpn$bweHq
zbPv|bibxTI+rk^G3rAKWb7*7a#E^Gx4@!4w_zcg~XCB%K!E>tN1fO?ARBtz?22kF!
zVivF&f#a-4&st_9J!_QGXL}QHx!l?-$W98pw%F8O>-n-n!}~d(6$Wi(JtLI#jVs?b
zqF6*wIL&Hc$p<cHRe&bU(i}{J%TMj%i5NVBw#Te8a1a#>-x)GKBMH2Ru#Di8&%|Fn
z&;vmZPt96;`z9r-^juc!#d_k|Q76D$r97pk9;%!5(sxBT1`W=K$mk`SLIYfmoh`df
zvBg*eU|x!%<~qrv<IN1=E&Z%YEnD9dK2*t5srTf)anPBSdu}6a+;(9>O%WUFTDIbZ
zYwb%<oKY%5OVn(Fbh5>Yk7&}3TLA$zVSbS}r{_>QqJ5VxPm(O@NeZks4WeDMgx^ys
z?J*aHd&O--NPOg{))}i(w@`MX+F})ZU*sWt-%rYMqjF|}^zcnc14ftuy^ckmvXmae
zi;e3SIEIS)s<NjI6vmwtWgg;V&rJ|*e$aDaX6~npHi$ke0;Dc-!DR4^25-<S*4B|K
z7r_?hW(|}XunbT8_AQZg78fxENQ!R6JMdldz{((+7tNEmWpdUUCeWoePSl}j+D~gd
zDGm*gjjtdQQ<vLN{C?WzhHcD&o5%P=!3=3feg{+bR^~03E;LH0I!Uu(SrlW?jdirv
z<hqubIJ^>89z>zGPx|mPrd;ao(3@0MO(Fuvr-hNi)U+Ly@ebl}_HgYQxj7=A@5Ah-
z6pw)jGNn*{ejG}|CDsM|fC6jC$&6LBbYZ+Uu_wV_vavgA`h(|keSF1WXJ(gjoBdov
zn)04$7y*g5Sv<aaBHFAp(Uo3@z_}H`uQGkp>ni%4uiB$t7@>Z#=^OTrITUG~VPh?$
zDd6|Q*rU!puEvu6QNVEF2pPmwsw)ewaIh&uS=#|t&m=~npbevq%38##Ya1qHy-_KJ
z@=pTkdtXxZ^03}PG#K`B=Vj2oE#qEKJsGETG3NJx)o1r@VOLv;WTSu?m)<^`T43!b
z;<Tf-#P`~sxJ;Hn%wahzg6NYc`lzUI`zbFvJijJ>X01h;z#{RshuH%2H1BmaC8BCp
z`Y3set$`gBtQ%P81@^pGQ-QKTp$ix=qQg8svj`=nz-G=K#*Gt?n`nnw_V<4B!E#X3
zN>Q{!)0jdAXX0Y;GaB2KSOT7T=C|}(Qc2&E8|N`*%{n@nD+OS#gcw$RQ}`KO2-OY<
z(Yux4@dgB@KI@#?2~orp!dn=9>w<o$?ciAyW+W1xOQG(NW~^Xo;b+Z#y$(ZyTifa`
zfO3&_wwaat)WXlHOM-M(n)u#JzPJ#6#jW>1N?2dhd3sGt=Zm%%wd1|7^0|kBQm#LG
zojS8}A`SZ}Lk5?EI^|tGO@CJ%J#I$>9c%CTEW_hmqMIT5Iqz93Cro2=^u5cXAv&eT
z0x+@6R~|bshUAm<cmkYqpv}!+HoZB1Cs_<^aya6+_6TY|N#xHE6R+$Ns<GeOcu_c}
zXv0{~2)fof#ab`lJ%~5Y6h&>>W4ra8hWb9xH)k;Ctodx94VhU>fV^0OVJNmN?II;F
za-{D)v?rC@Q3d#V_fGO*r8M?}%WZ{2WksLG5sEMHo~`myH2awU8S%U`TsV1NcFm~Z
zlFOc;a2MsX&3b`3vDJ`L+RWZneyS3~kCGm%_s@Q~11{qXc|+r8p=9LPl#a^HfwxU9
zPU@$6_WCYNu!>?~z;M%V==$O@5Des)I62mR)A&B)%;tl2?m{n4depex+C5O_!udER
zi&`}LTBq3)<D>(!>r8VmHrXECamm}WVcoLccZVHWT#Xogr?tTiyaaB}%+iqM$W|+b
z(9^1Sd>)B4)0((D_D<k+tx<pmR8dH}QN{8t^=_=TT0flfy|HoSK7{iJw~D?Ntdl&Q
z(y4R7eDqF3UL`nSBE{?Ru~nVR`@NW^Kzb(BJulnnWi*d)L9tLCO^vBhoVT<-FWeY2
z$2g{?v{_gba((7WZ!W6X;9R7!KZ%s@qmS4~***a~)rlmvXFANzxK?HA^9EiwKlVwa
z3qT;{O}WmiSrUsWIxX=F#F5~Uv$z7eWeHurbhx84#leCV0|yXkL~r30?kQyuA;qzd
zqT;9t$ZjSf=&Gqn>UZNVI@P;qj7&*tf#H+q3}6{0Ehvb&FHE&9C@F-1-QRm#drMBD
zSIqNB;c;}OamKUQ1!(18R9<eDsM~RDhsSH_zALeHN`F;l^MboIuYm_F+v*)UuA*{O
z<TJyL2$vnZL^EFO<a?h~>Sx4p*5X%!@=Q;WZ{M?g3(d#nM-T|v9?4+_A{`1tBSU3W
z<JoN}8NkAX<!ZqB5N8&i>WHU=X{b@ALXNnVKgZcul_Hd=Pt3wR1aMn;<Us{ICp@Nt
z8g!9@x6hwnocC>PjR#_Fh&iT7jOB#UOGBWk6;m@UYh|kDs3=(s5L+S@p_GW%I8|KI
z=7x!QB5Z&N@3rtxgMG_Fg+mi=$=1%O6t~ct6`MuPvJY^u<lf_)mY1P>+<^mb+I>%R
z_8g<10&5`aq}w-{pJAul%wN7hO3RWQR)Wl;sB{Cf9`15h)|`&x>3Ao&b3#~zihBrt
zgb7LEA{LGfE8MHS^Q7j?sd0}0hN7|@XY?tEYv|j_vfi4iZIc@d5>Pmsq;lb+0uOP&
zg!4w-))!v*T4Z{cS-Lm_N5l6G2WR>EW`mQQ=WOjRhR!`CkOoAxx5AIKGoSGJEOwPx
z{7J|j&ilPD)h74bm-Y^JuviD_XiCGb`aM9a5*zl8t$A{iUhlRf@Hr^tzDm4HR9b}9
zK<!OTi|@B-pRvc3qn_g3kwMWD$;QFFUUQ1~a#J?IZR;h+R%n$pSLVUGdb^MgKX?}p
zWG&XLE?e%(qYgu?gm}@0AC56`Gtj1ivm4FGx`AlC?3rX8Nh}Y^Ow{dEgx5~$E==up
zixyBa9rw27Hl%WgZE?u0)({@!;mZ0hf>b}+VH<meD-!<dupw?W@e+BDEA(=6N0Smm
zAdyghzfUZkY(8W!Ic7aP6OVUJa@QE<tQ}Ox5+zbaX-*tR@1kEOE+}_26&Y9brKw(B
z<;o|a{vCiy1^HUB82T#3=Z&qy#T$I$0ReqD4ux~H>fk=D2rncmVZ?dF<<Il7Ah)59
zwVywhEuo#rdR4ualC^5lVYxK5EbHAkPYQG<x$mK?N{e;vzN&h5`8v=1-mZ$?HnH8l
z-KxAK(8WEff!&vDSOXhHC+`9$a}ICo#(;?(M_J35r;F=MukbB#-r=e5@Km2kM@6(A
z{eGhhRuUUrM9)N-ODZu_JrFVaP6IS7TP-&D#k$68l?V1FR1TWyPS6Tr*H0t(be}%`
zq%^*xki;8%buzQ>JyMz1@FpjW@Q#;X*D2BD@xxox3Vn>H{pRpYVfY<|ZiP+wh(eB#
z>uta3MWc5FCGW=O1n1QuTh6FxJIK>3tP|8x+I6bT2nvL~*Nt8V$LAVOrq@^REo{rv
zrsn7y-wgzQcfr6QUXO&H(z&)1Z=uvZ$JMgv<^&>i2`N_b^<rbE8iD7VJ8}cmZ1LV2
z*Dq2rwrEjEDV;;u{plGAsc9GzSRj){MQ)T<vI>kJr>}??a<dfUVU|6LWm6Ji_I{c4
zMJmB(D0+Q~WFEjkdaAcG580lG*J6pw0JpTrWXEI0IdYv>!_n5|z_!ChY6aH(R7u~9
zfo>_7p*|u!+t>VF<g1Mcm!XkWt2+u}7Ms~D$?AHFah#lDMSVe@K(s}srmcMrq8<S6
zI^R6p)TV)a=Fz4gXI0KV<Icr7yb5G%Ce=qu?)b<dqV4WN3SUFWCNeBk1bfO7T??te
zN#M_{`z9TV^h#FGR_68@lJ72r%+rbNy;{?=w^!|nIqK_ARQYYNDUj&%JxgW*ia1tX
zif>v!<I(V{bOrULg({uqz2MQ%1nWMg%$)AM16||wiPH-Rf>>2U8Qm~9_kOWg0d9o`
z+sB!%L-Pg`RB~ajJ?I^)jG7jA#Zqkt`c3FSJ)T`>BkRcEI?+xlT8W%W7Y&uC=_sIf
zZD|f1N--~<4~nf7jFS%5`8pC?Wf>DP(oN<YA++}{+^6*B;K_@Dn@$cM<!GbGGt`at
zs(k*7*qTan_QbVRz!8aiv5ibz)^b^kix4-RcYNk57kLjuv+5MGkr=|#$`x)OyZU31
zE%+oBKZBA#>K12#Cmc#Nc7|)q=*mguE-ji+sWkPPl8<hX)<PAgjX*jn5~d;DrrxyD
z?z4P2#ab~_Ou-e|uQJ!>q;-t|7wrr!OLUPs=b6^NQ1BcY0ftzc=R@PO?@~OQ`!;WP
zpEqRew)+cT-fO{=Hw-XNJ~Q1F0|hz*gh|mST~Z{Vfl^zZh!I|1?z(VMmJS;>foTIs
z1{Z0D_KVukxs3>|yOfo2ZjM5{XNNS1gm5;G0m{%}&;vI!?e;mu#q%g!dSG{MSES@K
zhu1*g)Y4~U(tZUAh9Sl)M$c7o!*6SuR17Z?I~{pg*@ZEeyq+r@adUEdHZ}<Wzf^^#
zF<jK)?0$98ODL^}QrK{9Yc@P&D7LDT(YqZaetuLJ3sf&V*n($tDVD)@mNg_{PPuCu
zu2rwhz>&A`MJHvT24d~L0P1IL4zwEkKyJC=^_B>c1*Hh^rBj@Nkr9z9;aNZTG!1VU
zjZ9Ijjbr=yZY}yK8PLv2gBwy9lhx35K;(Lr!Exupp*5jGt#rHBWR#`CpUXyRkxPLy
z>m9#U>~BNn&+sHzHdWS3cUzAv1G{g9&~F}GER-!h6P?%3dPEcyz-yXpP#-`r2k1>4
z!`{t2cL1URM-<^ld3>ck!fKRdS5ll@UHhySZ#ap}JJ(Zg6dND&*|30`%n&-TJ?)%M
zv4;!?NB}^ul^<k5H}%;&B7UlI{5Ak$kGA4D@hBDJ1G`uG^e}O^AL_&PH)cjw5^GP(
zQw?h`SP!Ju2~6Vh7rn5<ou~x8oI#vK8-rYRCXcgsK~A;QR!8r#R15Mw4UZR1Cgh-g
z9(3S_fqF{=kGc7i-Upwy%n~udC!)AcSOb{Ph+V7c?(NmQ+))^D!u6NA_Qt^wC>-Hr
z$@TouRIrC^60C6RvD2Bn9_$cOH|HD(A~+Esf4~Ow;?))!(j$V?yxzcVPdE``yilRX
zywc0hqm0Z@`(AFPO-~Z^P-I5B1Obxp#q*hX9Fmo>>_Rm-3NvZBG7V3PoF@Tvu`9>9
z8<~QVQKm$M8KnQL5d!h4#7}e9NV2K}hXoV~^5EeT84R%@HS;GLL7Yz&RZ_2zLXpQe
z^%UXQ6qaAi(}EzgE|(`yzX|?6uGL1Jkamou$%x7f;+}Ga#elj>v>lK(cx}EsR2-Ll
zO5?Ck;K2soLzM=5{Wx0{*?|$$yLKeHeP2I8UxyxQ^DOMFQ>{Da&Ej;x=OVyhj1U6z
zXZhsX!HL`JL9xm%Ez4E9>1hpDI?7DT1Z&v+ww_W_DlOG5_(6A0@G90$$qbaarjci<
z>VYkY>7Yjk)x{OTbiT-@;Sil??6UNW;*EA^zz0g98i~`=zDriC8f8dyZ`z&cDND~X
zznlm~Ilk%V8Y@c5%Wd}_fw7+9Tl%J0KBHBq>2M-RNIIH2DH?$Kb2X7?!|Nx|L<kpo
z0ot(ED^Tw#pzE!{6U$h)Sc{uCnCjjJ$<J7^{aGc<Xr@rGZl14rVlACCw!vEhd^)U}
zTkOKM6SGl!8={fznVW1GSB4ykiD@Hk&lMzn_KLz>V{2y&M^REHiC^d-E@D;{k`{qp
zLYjr`+AN}lD<BQ9()6C0G~MEpoYb1c?qbq9eeV~^Zw?g56hZ0$=zQb&z(-2(tSRSK
zGAj~Oog0J~p0r20GmsZT@Ka=UQrdJmA&zV-{3KaFL)Mv=%e2}f1d`FW!4Nt)hE!I0
zb_IZjdO*WmgbGdVPR$5=$SJ0UO~bI~XTIk{_f!B3Au=cU>~+Q3SnXMd1gz(Aky?8+
z$`r99dp~jJ4)1>X4AUIQi1%LGd+EY`4hc=7KJ#|OlRET02farKuXlx&e5K~BlnaX4
zHyD?(+?rnD)7F6p3L<K~dlCwBu|U-IH0HIr-Rnwjc`q?L@Ivkv&5oL>Q&Fl+?kg8e
z2e)|#yXGd%#j97@&@=tSYxF4_hDM*j&_F!8ZhOFDTz~~qPvnzkqffh*@{R_kO|2ed
zzH2x1tD+R(e4BoTvx#Vm9;fjb-oc&vx>7oZm2-rcyx611DP(a?`n2XXK$H&dY#lvg
z$FQt=9YLps(^2VxCkAej-6N@mu7MfcHjqB-7gEa6IJxz_U(=y<pHz&1pEGka&6=BI
zJ#>L1#d48;wbhLz$qp@V1h8ee25hy25C~DheTBzVoC{EKDa8lO{2-7(GixOA7tu&k
zf=$94sAetEz)Y=)JYcgTo8{nQ5`5qsDSD~qElX!zbiprcWyRebUS`SoA@BElcK9S3
z`=%+ayX=^;cxd<T*!Fo&Tt=IF^Klcv0vb<5C@*$(1}kxqz6}D7m;1cxHK$aC-c|d-
z3LnD~g=kJzlc}88l_@Sh+pcp_6Xq#hf%e4nc#M$ocFsX(yi*evA2wWC$K`5kuF9cz
zaJo>eu9OJZi5y8StwV-8)vz5tx$WBGdC!vj?b9X{dfg&DqjW-;6_j3SR2~+g{i2GD
zF}$p>V}DZ3(62yK<Ph7TA1Zjxjn(UQ3vt8hLk)l<7&5^{;(9n-1kZ0kNUiBYg}0ZL
zp=Oxjo9fR9_Vx)?K0>nT4$-}Lek?QUT|{zaTvBa|+maq$l@yGky!I~dxYQWm(ZlT*
z_tHRdxdsS1*GVgj9S#rQWtJE0&5Yb&)eAOu;RHVh5gtjA?y7PWo_z-IC_1TT_uyeX
z^#z#`6tV7hXvk0usOo-WwtYv~sx|jqpTs<}3)hEm?wk%O)y>od2hY4JGAxnwS}x=X
z?t`PCe2Om^2IRF1W)EO=|1@ykgiF2#mdyuUwUOM|dbW~}t&-qKjrGVw&T)imJ1Eh0
z?U_;_^vhHd6*eCBA|JW=Bs=u8Pp69-&e`N#MC#pcSaMcGpc<Yi1%|*2cX(mX&DB!-
zJuL-ryX;6fx^7=CdK<Qn_(=tqoDFNBQw*PX&#Pj6h~;ukOuhvz*u^M#2Ck69^t2b0
zIDOiS`^AO$xdxmsyTTf7QQ@;l=}jm;uf1{0&J$L8ESuY1LdULX)!Ne3x}>o=cr_Xu
z59j3&AWc$B5msMa_`WpDqC7mlNhaolr^9|Y{d+yqc$iQ3LBP|JWPGN!Uba>^kwL-u
z9=8loiX$5qJLDz0+KRm9vpL!)V%axwzQoY)ebLSEeJ%{}XSr%&R}H1bI=bTCkoI_t
z#N0atO2>j&Xwxa)Nu|n56jm)?EOH-zCumL&oGeVzl&hb#6+DLZ6p6X_+y!I-qLn8j
z-r)nj2NvQ4+*_r~HXa=>WwTF#Bbn^9-&D0FC4)_vW^(MqJQX&2d`;+csabEv(MprU
z=A=^t!7?!1B6jGxJ}l*W)b*O8ZpOkSJ9Ouo>}8A6z_Zs1{4Bw|_ch7-Pr@mO*wFx}
z{Qx}X5u3t^Xl$u<?G7CrWg?yLthwkeQKoLGzjMtEw1@dJxgD~@`X$sS;rJQQPDh$b
zJ2>QBE13c{K)=pN8{R=GGBiFY>L}Qk5*!?!s<LXUF;GZXwy(EHcpaPvd&}r$gB?H|
z#M?(lqen>bJl3CX-hlz6&wIjqPdIsJ8vP!4o24_EDB5N9+vFr?&NP0Y4I8Rt3Kqk@
zzU;!028;2!MUXS|iM2+s^9=?-;TqLkIm_S;6Bb*ggS;p(&lj8EDC8O$=$&FGC2z-Y
z-wkI=gBryz%7<UrGl|xGnK77ehiCa=QY8@0Az5wE7F0C`z?NiNdEN#@2~CROQ}yP4
zWmCa%^jJSBr_ZR?=b}_tJ02c1YBQO~vs>i!^oed5G3iuKNgrR4M|J|P`lO76hc2h0
z3X2yQ7Q-9O;sNw{uU6p2$ih;UV`QINDu5y)c&wTlGL6xUOYKZo(dc`jQ_vk0B3ZAM
z_#N&hy`vF)&PPiS`^2Lz1mm&=>kTNb10u;P$T<X8X@pgy@`#{>-o7mB%k`_sfYWez
z4!zJsaf52|AZpB=<xL)=(u2N*yx^^0q{9_^E-?$iyc2sGPkH}96hYs78!9H!z&THR
zhFtQB<^;WY*rSFOyQcSPsXS#&^rmmpzxQU@%a~P=v`lL8-q4vWibS|f8Ov+^gA9Gz
zpTQ%(PKGjOoG9jg`Iyw42Rn1I-hqL_-i7%-ds+u=%h00;4{Bta>}gTB@|GO}Z%rz`
zeiWDvQkt)w@DYRPOAxVYL!gBk-XS&&5;}V<qi+admol%#r8a;sA1;P^3*5*Es|D$t
zCCG9<>H}L9y$hN(E@18R!tn5hE`B1`&`3?=<!=MgG4H8Wn`F$-v8>AvyW`LMRM51-
zN{KZ6&nwMZ1p^RY_u@H2^4wlZdXo7_pTsLP&K7UbZF?bp=l%WG`7^%3_(0?i#vvew
zMz5@G1)XyeM6PKqW1BpGZ!-|Jw>Xk$s}z6%t*VbyL@rh7p$ocA`9T+pzVgBbty7nI
zc1*52Nl?x#eiAVR?^PX$^JV#%pUb<2lu&dghL$~Fd5_ctHjldBQViD&u&wbMS8l2a
z^QhPK7($W#OpThD7~kH_wF>ehTbeWt)Dn6g%(aZPB{Tc_3>@ASiD%1|(})i^nq})f
z69u%plV8NUndul1O`}UtiFpgZrRx)mrweDVpUt@_(s{H>@Qpymz9$XOM|(072M1x3
zi#v=5K8b(t)8v_0%Xqd-mFoC-GQ|(sip47xK@|4viI_`9?M(qog6aksybFq&P><e&
zUam>WzV{rew|pQ5p&&fR1z@5S4Ck5?U!Jy^Adcg5ru%#0+FYA@Pvc^NFkT0_dXJo-
zJ|$5Lzk^3F<TXBiHMbL&T^vwg!;dzCf_35C>ju{SCCrps49K(Y*;e*PF8Sn945DP)
z5K9^wJp#hPX%>BWa*)s0-;=2nU+tpy&7aisz4r*8-Cp}j<?zPtYgNTG!(4B-C!VE-
z!m~Xrlcy%Sd*u6ajaFsra>3m-b<KFcsh7`4R~)zH<h(hpypH}#a87dh=3!=ghH@3u
zVh?zxxZ3yxLaPQ5t}#7k1$}xd@@M!U>2G}+W<g3H#x}p`jCjuhg9osKgyi^&r}qjx
zuXRY{SxwcA3kIKX2`EG>J_wK&PF2?uU*Tko6su5T#+?nv7kNC(h@Ory`Nq^h6CS;K
zi$j4>utS=sI4H2y^;AOUk!nJXoeEYy8)!SU=p>gX05(DE4`ZI+T#dcg`-^-*7DoxN
zH=)o_F~%c@ls9?hCu0FplS*unx-e>F1H3n+yD3<YAFD5|sCGSjHc-j(NxpuDyA0=%
zcLMCd>unKnZ>MUVHo)IKB7B^|G&9rB60M+2^ranJMhuwiMm*C;J`{fz+!&Tdby>)d
z8Y$uWncIy4+E^;ugBP2ROUwc__UsweR82gbE~jhb%zl!d@j8xb_?eyJ4VQ%;P+~dh
zOTyQBoA$~;u!yvc2qL!4o%1P`b7|hp0|<Ivp2T(vaw`dbYvc8V2_NBBrCN<aLIKRw
z#jDJ+V~LT$-9(ThpT7FNuIWwhJQ&~0M<Xv=_E=Zx5!=LxfbZya>EkzQ$5-aw!rsba
z;U`pdV4N?FO>Y?cC4bZZ8T0lHHhNe>x@xcJQ<kzvL>C%bM{TDMX3WQyvQu@j6k8uv
z0dJbHX0C)e;zr#|t0%m(j2Bi<Qx5h76AY7z1APv)P)IOx*-S4Ecd}knvRN|)ZRi7M
ziD5<d_eQoj7y!t5B!?ehGI}B1;Imh*NJmuySDIe2K%DZ%W|q7kkB+;%_W5&o36{nP
zN1VEL+gJdj4cKy5$8Hk}!*_n=Ngd-ZYB^V7Z<jza>a6_zoafWs^!BMx_8CpL-v~0V
z%<Fv1rkWLQeX5%)%Vw}7G;~Ah0YU<(O1!H9`ZU1F+sMA>dDBnxM`#HnUY^bw9g{h?
zfkbgwV`R=K8-T8mZHyCn24qZJYl7m1cn+nDk6P1Q7~OROo)!3t;F_$G;#!ystBwJ^
z8taKZCYq?V5xY`F&^UUIZB-`GV_2_PJE@xHbU2y(a%(C=GAv&D7@^3H2qvCeJJcyi
z)Z=T@7XXEx*z_KrJvV#Y=Wj*j6wha9d$qK?<GlwjFf21qc!Tt6m+LycR@}GEj$#P0
z)?*gEP)>hIKoi1PjMW?tBgUi^0yvZ2*m)+JplX22I}@TksJdtKuxr|Din{2yMM4EZ
zIMhtRHa;cbpV4m$@f4!6(h542Uyv5g2uFKYPSOjtv7C7mZhB@-<Ir$#dauTiP@c1~
zI2lNH(hI4fd~B$<`gTYMB>GBJi&<aIi(N3Znh8gk!8d+64pTM#I<MHe6|Ufx(&6gK
z!}87;iRpb}#-1@ee)=%an{RXym8Maz0W(|3@+FW+y&=YiT7i4-U<%5R^MEJRZ|&d|
zcfjejNWT(Nk>|HHnmN+4JEy$27W_P#qx^<q5MJ-^5O_@$nB_RHP+0j;R=7?%K)JF-
z1gPF4?28nx&WgKdH)gYvt-<fq@*!<vAY6``seg(fzC+;Fyu<W&?S-=M38lOmpwU={
zS9VN_nmH37Y{7=0xo^p5V?48f2BVsnZWc!cMPe!R3GbWAcx;gPrmARg-VzWo&~CsI
zI1}#mxRB>~?9*xI*o-+v-*k?bT6YY-W~7x1jZr<XR%lX5d};4(XeJ@O_bBego^(Ce
zu{)N|#>y_+5JQajs=FwQp8?FH!7cWZ5!Q-l{5+rd&hoU@=(ap7Ea+S*602oRLwbv#
z&}eY?a~3dbcn%eKOnVM7-o#nNDvk%$=@su;zF{SD5Gu|p&C+Pa!5AZWuE}>VET0;e
zzpjwav+RS<I4IdEn!t%{{%V@ZV}kXa#ZtO75}DSE3YvnP%y$Gj0^~=?r{>Lqu!wju
z{Tdt3OS20t^&w{xnS!;Tv{D+gqgBe9Qn%XkwS`eP>hL#4+)>4aXj>l2=)wT$P?st_
z`$EPbpZ0q$t{~T4JK)+>PkJwuhneC{Z5U`F=Mf#2_3M!Yz`kt~yh`*nqSnQJg{T_n
z^-k}3hL^tL2D^4m{VQzXIb>PPTYV@c1c&|njhYnx6oTVZT@o9*lz7WAO$12_ZO?oN
z#j6bVkzQ<w+er$hHN{O^9`RaMwAowc2G3&eow9Esd<Mgm%z=ISG@06^ud|I0=vo-y
zFq|%{=m;&AoPqZ}b9oT2=i22l!b-y_L~!q&yzw_$PnmdvA*a9^O(Ke=1mqyr{8guf
z%K{pan1x*l>x-ogBi<WSS82wQ<`G0L@hYfm4}!~@NpKw#wpAU27!atzH_)Nr#)qPp
zBgMo1pyzrzYBf(VrbsEt?tzD9k#uuhX!siyP{f9jWN;WMPOL-Mta%io;$B?hJ@GsY
zhQiGh6n>A0wRI(#w`O)6u;hYeTan2Qf$?s+64fJX*Y@$em*VyonuIKPZXPv~K`ZwI
z%RM!RPbuK{PEfmQ)iz#+IRS5uHi#vr6ofzXdiA>YB*QkieIK2Oks*u8HKqF##xW&2
zKeu4Fbcu90ggqbw@A0#ToW(AA&0=a^A?6KRrw{kQG%*<t&x9>Dri;>DYKB4rWY?hq
z)l(@$!UmxaX@<so_o+T<TS<I)y0FBV&nas~6&rOm_HfDBaA}FPS)%f7P?IQWTG<`)
z>E_D~(8az*<qb59!ZU#k?V6RV4&jLv(;h<2>i{PH*&wdx0GN(nrS_vyi$bRXD};M<
zN9a+IvZwm!stgPD0%4gR>_iDrVQX<n?b^$MtB3L3Am}qJ9=4G8nQ^#11DiLVBNcwu
zW~ea>C5G;E#9TD(DaE*xGW95MCQf~|a@fkpPCFXlz2Z81Rn23A7QV=C5Cvnh))GA2
z-P2eEZD_CFYEaHNLH3f;Jn6n%0<(2<3*~314ho4%+nwI*jp@z;HOf`Of&9(@ZeGre
zgv62vvrQ&wwJVEXR@dHKNws^J^Z5HS+ML#Yr_FjQhob9(9SIj``;yg4a)QV0Ia1=R
zrd4o{a84L8{gOja<}^@MSV%rEU<7`<n&rlG&vA$;n6BhTn@wp2R($g5;K|CmJqbIM
zc1E&;WO!8Ha^TO{7!${7+ap*HPsQj42HbHOIAE^KAp$4YrnsId2J$oX)eARASb3xv
zbD35G(xzoB(E6Ch>#%QY4nd;=lI39Fb<H6|!Caf0+{?F0J>@GTnKRbwkAxtfQ#SfR
zyhmfsAh#}QZ#mW!@;Tdc+M#=FGss2T2#@mmVz#Gw-E0N!9)ji|q>vE9AO-=`OGk(|
z$vB&(&ouMV5wt&l+}GIR^8PG}g=&WF!Hg!V1?AGX9-=<1GPM3F2pH&|x-H0HK0@5g
zcw0{>0GJ*>5RmTkDa#4oFeSrtq$>|F2RUWrfr4N>=^)^mO8FGT`woz3;qFGyF|Kkr
zFN17Y%q&zDR@1SCCVYc|NpU1!Iuq0BnRxIUflTMSSb~%wo!iRn7eX-rx)sDNxdP93
z<h|`@xMLW&b5B{Bot@qVifI(Dx<kBHrvgI3m0iFUgnEqau9A0NT6%O6T{=iHX|Z9g
zL*<v+I?1QN7%?<hoh8rIDII&XPvukuk&pw&yt;`?YG8wCTgU6dI)v8W40-MaL{>8H
zQ~($G)iraO0rx~Gp(G-)|7;n1T6kmyz12_D#eJ1*$Y(?&#nUfRFmcG;>cNRTD{8ei
z47Az^9}Kr_^9?ZTwt%c}N%*HEO!rs_hM_E<N0c{=EKBT@7WBv&1lY&5k0ODtcvkM-
z`3<bageqru8ud_gJaH-v3Q7@cDP$B18&tn4c^gaHgX|DZCD$9_JFQ|MPZnRq)Y_H3
zdDdgc;>1Nr1yaW+Y0;Vdh~CYp!7$5pA?V2jHOJF?Z#b_jm-b<{$QxfZiDRZRt@X%1
zdq|{~=QOy<yB@Rig7tX0!Qru<a9kqW+G`zVkD8Nw0`~e@wG}}@Jbz%RIxezwzeKSS
zV#c&KS^7la0C-miSUA_Crgbz1#8iP^-=W98Yro8gQ$`_geI*-;f>heiT-Nw|zL4)w
zIY%gT`R=h;yFC<&8M8I#AQ>Lh4XM1Ol1E9+d^|XaHYm~ejL(S?SoC&Z2V|^(tik!w
za|sn?^-2hKyrd^v+B~Lw48aHOQDL;IB|H)jbm9PW6YRXW6s5D@?i-MkM{5I<^<>n#
zyN6RjyK9Sa6E6)wD#6fn6(-BZ{L~Tl!1W#-_)5sZHleXmg@-}6GNG7GP%rygb67s$
z%1M;xLm<tMvms_XU73W9o6B_Kn1K8?eTzv@e&z`u<6;px00!~1lEf$Dak>4p(I6sO
z-X1%@B)~^gBapBT@+7?1;$fZ4ygBPWLO-DUl!boAOI{Qf7`M@_lJ=a4c_b)(ixv*S
z+?IY?UR4LFY~;O{IRrvV+)yLI=p2ZY&z1R#n*iQ|y=b?5SfuIoJe~;0;N8P~MH)}(
z1|#aW=Ly?0(G$r))D42*?1(3rdqsJ1!!$Z}a@BU0@?ZqQ8bY_4i_-|@;Vc*@b_1PV
z!4+08*%cHLdgqId=awZLsziyLD^EKtYxcB6*<mIPkkZ*71eU7kKo%JdEBB^3D&Lt(
z&md=^u~$48)Xx2RsIrjR7jTa&JR+VoHiI<7k}_i@tRhaYg(4ai?W2fb!e`a7^st#$
z@iO$yyT`iSH~j4v_8ByreYBuVtV@JyAH;+01%TM&f|6jc#wVz*he>2WLF51<UcHve
z+Gu3E@~i=i@R`MW_%*C3oafpp*4`VF&D78e!W%7P88j4@jh!L2#-NIDhjxoFLj)jz
zfRORDd~8eN2rnO|fUN8pt|;=%5P)OIL5scBO1^yn5q*iMD~Cy!o;nGya=PBq$iOV)
zO+N?lz<y$m37KsjU?n=rc%9PgMLnwogE(krJ8`MNe`>UNGc6{5J#snb4ZmB-k;kf`
zJiP5E5rL905iE7m1c}rHTs`ZaPd86Gi{`OiT+g0bg`0YnLr1#3;(OZP((up7=|i)8
zP;9B}(gDWdAcY1Xb`aPDZ3)#OC=ZS_B~6M~<0)g6zBXmq9Y#GtM&B5pMQ($ntb~{N
zoYh5+WuJqPmzfSEt|xKHv-a}Qgn=k}I9wZSh6>&JRxNk{Qc$KTg1YS59!_?m;bWYP
z=w3ZDk3)*3Z0S>}2V=m%(nIJ{6|C(9K$GWPO_r9iBCkL(R2kmW)PuxVi6T3s6H=pO
zWdzb-G(e>=1vj=YHbJ~;p^|_m?_f4?{Yjt2&%1^<aV<Qk)i=bs>tnm2MC7Rl=8Odk
za<z0M2WAup(A0{yrD1Yn#fLT{57xIjRbIxoIQ-K$p1!KdA(IxEo^URe90ZJtJD0>Y
zYzI3gcvaLvIL&y~<1N=uTs=4TTuM92xhg3oornN;)WvmMw#lx@#Zm^724Wx(<%p)6
z<5uxxu@dfdy<T>`)=7I_YsUx9VH_Oq&Mtj9&d%0fGB>-bn>1i`At`q}kO>U%jfE0e
zdlHvb%Hyq7Wjwz8oEsuaq?+Llg6`Byb9Qc?*(i%a$BCf$vtwO)l~4vEV#v_jVp};l
zP>jju8|d+NNtYAe&)a7|nq9@7uogJs2Yqk)oh@Tr$z@xT*2CFV9rJK_HF$ftM}er1
zI~tc7o=b;Cu};vpcZ7a=NBR7@PnsChEg3mVswZ}|WHQ#n*=c{lYbqpz1IWYNTN6u|
zQWY{qiW;Wr4R(DG@#M5x&lXB7JI%Yv0#Yx^!(BW(+M-b9j^3)OnJ_NLiBYYL;}(-X
zp@)u$a!lqxVs#a{+nR@zN510L*`S`76v8EuqYn3)o)j%_vz|me7`DaXDfUI)DT<PY
zd+<*0+|J?JYb}Z7j_9hQy|i$Q8CuLA483ZT0xgGOm>hLbd2a+EPy3n6I&n5H)X(A7
z2vFcg68qxiqYI+Ft}^1gcz*Uebs+gTB3s_17gvKF$Ldm8G-|tvtM<`}zfL=v&*4?z
zGmvTlx*@!$$Led3@UR-XPn0Ga{joo-_6Z;CsI!UD>v~?-T<2V@^IpHp;Kz_>(t`mt
z%bIpU=V~XO4jce;4(KSr{>EjTkm-;ZK(i^gQhb3D*lsniMrAv#-wU%Dp0;<-OV<+X
zM!Mhh(c3pd8&vb2h(F&K<OQ4UWzY1MyMfo0GT+?2XE1d;I{SPd!jVAebKAaVN-{D#
zJ^|t)BgxsPSjZyoA@b6lwWCkC#?(%XZA8%DZekXn@XkP(_Vb@J%cWjGu=wM7C%$H#
zwXaf@>Rnc&F&W9_h0yMf!6jslX85hzajCH;wx6}s&YLJeTlka+en-;~eo4>p)x27^
zc2Ax}aN0@htU-Cr5MwoJFx?Z9DJ&B2DT8=YoCPqBZfC}+$si$autcqsYNSQG$fl3S
z40}_X;>^G{^u~rs*kjsAtjz_bo-y3Hxq12!qc&D!(9_axtQVFL^q{>U>z<)3bw1yV
zd-A3UxI<M`h0DmmS&+~7%5`6~AXk}qae>e+;bDVRF*h4hjCMO7=AP#ClY(_8OJ}&1
zCw*cAA>u%dXhYmxBAetF(lFk1(USD2nD3WJ-jXxjE(Ht*TB8)B2cL?0BSpL?6;b`%
zz!#aHC*l?z*)5@^@(GhTTkxRwY<H%4#ivN<Go*qAXuDBZxmwmeG2J-swsSh7LV0;z
zN5K`0aabV!CN&>4SurgXmfb_@cUVr(VGS~frI5DCARr}~(Ilygd_1S0N$)N5nFF8q
zl7$+fvEu=)T5`SfmxhNeM843J6NYSjdTONft~Y%!<6O|-au_b5YDj>kxgMsX$vm|P
zuR%gNJ$BU-_GcG;>U+F&Rr0DM-YhXtIYrBEs&BuC*OfOmsJZVp?k>CzV5ORJ<jn-$
z#ZA5$v(h$s85kmiSDEv3mcgsA(R+Vr#vym`>z8iN&C<aS$C&Z8yf-ce4ff&)E?G`E
zp`j-65C#(=fg-C)pxVA=^1Ul{-*^=uFRKYX<}}JH`SHUt>lq<mbA^@J>r9J+j(kEn
zubeU&wAP=nZdvbiEr^emztr4w(gO1G1Trj*Y*vsAW!a3AO~^EW<1KTRYI%xSK@|EJ
zphI|X?FBBYSyOK<IMIe^59(tspjPjf#3a;wu_%}iwO%NbSef$z`)R$AjzffVLltUE
zeUVnZ)79O2G+-oE0o;wDm8NZ)8HbP<P&kO{5nP#Z*P)3jLa1i^#B1BAU^zOD8VT9_
zHtVfv{+w&HxE(V&yxlSK`W-pVRWH4J08K!$zZg^`3{7fj&c;K+&C)pC?;bddP>Ax)
zqh!9Ju2Ba;`4kH4r=NI8r0uKBb$dbX$gB?xG2T*en9&hTSu=`(dAPNRHKmSZt@;ST
z?(y^s)S$&BtR8pB**fK_N601MVV3|xqB{>uG~mon$VJ*GP(5F%>h;nj)e{{{TWho|
zIl98#fU;N(H>3?^LkZ^_FnyT&>TOIL6YynYF5)Ggx5dNjcG@g@mNO-~r0nn6#wf%p
zLMilutBPiB9Zqt4664s!Te^X~eOerNhcAsbxA@-6d2=qVI(v`jnPWn+m{&(=yM;mF
z?;CAuojlLNxKkKSH;PN8n~stoHh*j!d3SC`%sXta`V11#kTmQy4JH%O_ylOJ3na;W
zO67e<*e*)qcTbkKM_k!M@(B)mBx__=MBg5abli2~>MEZpmo&bssAtZ|?duJDTbvyN
z&?h&+7Fg!7YMYI81MExktlJl^V@d*#IdNZrwZ06ZnIzs0Cu4+SPzV=!`O^GAfRv`B
z<Vm5#;vG(>ZW+IFBYs@|sKqv~Z_*#g?o>VBW7-G}9b^d$Vrfng*0*ffG^U3EbU4oV
zbS_><Lu!kS)y1yaI$W4r?vmBwEt2+h?0Im$wCSp5wS92=_D|*YXp<xl@RwLBZMZZ~
zLbbighzl9r2?S)|!K5P~X;$;9fcx|#+^54UZ-&v#S~zmSxvV_j5(7Kyr&#1O%noX8
z&H-iNylFl6@_r((1=m&QoS{4#bj>y8+{D%cf)Vlr+aK($4?(do<2@D`hcl*-u&2T^
zqXa#(&ls+>ePC$1sGdyFysIfuYe-(#8ca_M$s@fwife6^c-S)q0e99z4B0~JSx-T)
zyE1lmAgN>k-!3%2gCcj#2G*swC|K*UTiO$8X#siNcf@b33$Y@$PP_+NJdU6y`&}F?
z`I#&)yp`hF>Q%6Oq2td-?b7N6GPPm3`HhI!f>WYzCtgj)n^!+$t#?WwH6l)_TAI~b
zo1H&gFE(VL=WLc3J#@)EwA;^%+4>f&Dd0#0a$c-OFK1k=@TXk#d-r-Or_~baVjzIJ
zRJnF577nwFWGh)@a$-Ep?~KnC7(usLgaK8-_h?2}qv+K_86wwdnnI;+^kP51Sab!X
zzR<*Z{$fn#q{<nE-EPb`7KPXJywbL{-CsDuNnE|ED1gW4givgU6d|Opdhdb60@@O7
zXxBb;jTpe!x(V2E0PKZ85$<nln=zsaB&XwTh$IR#VKgGj?ZC<r5_y5)J(v;eM-L`^
z*vfbx(k)y*14e?ehE@xs9b#UYEe1#;1$jo7oLuSpQ!vH;q99Ob-jhNXU914_hp$a&
z$YGYyc?J(Kc#Utc8VJKBLV!4Mz4Q5~tRjr=^!R=Y#y<t~JaB~;<_S77AvE78OK~J{
zYFQei6%nRoH5trhJncuSk=a!>=YWgi@0el9+bI0mCO#CZQMTfNqhhaDBX!Xh*y0XK
zjtHE*S(Q60YltfxtLa636xPRr4d(SO{p?u!6l?3;@zv4u1e}NK+F~f14_f(*P1quB
z3&;G(l<4ZIXPLjutb8l{Qs)Ne^b$o7`QaML4z1gT8(Vi-Y3f|=Lw#n?sNiWGIwHCa
z3f5(u71c%d6mfE`fb|@{zBxe~>XNJ2m-SOJKpo%&BbSkZU=)GtR=3-B=!|mSi2=S-
zhvBaMI;BQlR&0l+W?4B(i3|IIyQ=}ieM-hYqwdXE#$!&dmzOn`oU;7HR&=(`eEpRr
z6m-IR>j>9C)8sN189*zNGrxNrj<sBbTsW49J`!!Kr7t*L&s7tZrIB2suObKSDWq9F
zAxdd<=jPGuc3nj!Roi~}HWJ}wdJqUF6^;?Aq>EJc_~kk9OPPr>)O(iT=nYY&l}D5*
zzztfjlN3+HOffu$@@m{mQ_XXbJWpMX5NzP^+PJ0D9y|#OE2f|##|^IDGR2xTB5Y0(
z17F$p_l$a`GyQEJu@QGe1hPmg`OiVxB-8}(&K&oeJ4V9LqP;tJ9~)29X{M&sjvzV%
z@3faa^L%#Hn+K^SWkhd<M-F@HyD|A^=rza(b+s2nW{H_&bXpbzXog|^w&pRZdfzt4
zKty(z3W8F}+@WYgkuj^fWxOI)i@uqdJj)??%svzS1|Q-B=9DIq8pI>Cl6%H9iE6ui
z!9hy%;PG{IWe@|Gm27BkBIQi#bBVcEt{b~h;>!VntA+0Mz_a5mQoQs)q$j(qxC*O)
zdnZ0PY|3$L!nN(NRc~*W#L*rrm@4tL%0syo94sIQRvn}kdE;u2kDE)yXdeJ8rh<_o
z<9k^7g46kGBX2U`EDv)Hjo9axY$%-FDm{72eV4T!fv!9Zt`-+NN(SzIICs`uBfMw3
zJp6KPp$#7+rq%e62vBD|eD%G53Hp@HW6^yt?$x=zcV>m}-l%nHO*Ee5vX~N%l;g7%
zrBZ2Cap^qT7g*1QA_0@%5a~SDkU(KaVTTd*ScYO@v7T&Q@ZqC^bzcHdfKjT6lg)eX
zbFTTG!6uObC_3$X4gnCZ-ml4_ACHZ`6jHx546qjp;8vWP)z0Ql=T3ir<tHpb!5)cJ
z)aK~6v<bH7<-12V?E*l}xh#h%P`jGg&ns=w<d{*_pvc1c8D(lJ?hd3nC&w-mgM$)m
zzL#<K9%8QaMgW75Uu3;#i=&^yvEEY|%<VD|tQ?U^7zM13u|%C<Pcam>myZ!*=3z;b
z4QU5<y|=HP0nkJRWF?5d!7t$`d<WrX3tz!%_2)FkY{OY)G97p83WhHu$5;dx2|&UX
zW|m%-8<P=H>FYCl4<!xG==B^K%<}ECnFK4vjy*~i!F!S-{#=2cU)HReF7}w5vPdRx
zZq{-MPCN3%6>a7_IGi}=H`Y1P)*6!Qub6^es-gBgq~dVr-b>(l^$@y=(;~H$_8mV>
zS)XyiCKrp4nK~&NL(46H#t4h2`81n{H0`3^3zs|<9V+X1pz9gy_iVb}o|bcG_C@ZM
zB6?ll*}hkM8f;rL?SZb&QD#3Qady<)#2MNEN_c=*J~1U5&a-wTK0|~VyQv2oxT~E_
zfazuA$^KTAJ;0yM&6~AL({JhcXTC|%I%DW}&LM7s9*xlNiUbwJ#L{oO883`&xk-Qv
zNWoW)ab3oeor7C#R#3}@;W@p!LY8H&BPvef3gkM?9xBUn!SHf)E2^F+Z)BO#JG+=}
zloXpW*G^mBo~9+`>p0#n$6gkZc?UU9b>=mKX8=cx0X&Sb<|5%I87h3-k!pxpSb?J%
zLxlPsO;U$(*Qm>`>EpUFW3r^P+~^`_B}i~XovWv`(l{!QsWV121J)7W;~v~DKbS>}
zj;`mG@AS4=p;eEBPFLSfhyEPE5BL&zUtcuw`!n2{D%FXs%G)ay0DOE0btPk?om7Wo
zJ@7cK()Q~4p=`DK;Kh^hwNLTjXE-iJeizLfIO70d4+bD+9F!h7;s|D;Jk79IUFgH_
z>7&Y&9tq$)e<Qvvm1qn&vJHpOJs=QW#W#F+fkuPDd2r@LLO00lZS>weSlCCbL?%Tv
zfc=`;<1l74YA(dLmV6oW-7S?Idb&AdUm1j)c)E355>6Rak_KB8O%wYoo($o(ATh<;
zVR}lCz4=&Hs2;sEBR)-HF}8<d$*;#rhy|M@v53h@dvCFZ*Wj*El5wp;!U<#S03IvF
z8$=H*rx#Xjo++&CK}j!U&Kq}so+YErV#4vFY+vA=tJe}0+hxod&5Ec|0+FT@7DdC8
zxp!yomqvyoVtWcCyGbGrarD017QOG=^~0WuCeMPjz@wG+^(rA3P|{2f0;z3ITOxI0
z<iYU5OXh2%5O!pFE^gwv+P<xq&Ge*opS(f6q!a9is+T1=M@BAwGzx46{UF><-+MIA
zE$>B-G)G{si*HgYOqQlf@_YC~C78oFo1PeWEK8t5S<g;CI*LWez#uf2(=wvB3&k%u
zxTo(F1xujVY!pHyf_NbO^`ruTQ&ga4sfTLto+e>LaTA?QivT1_If*}lWqeIU)c{ca
zRvz-|j8jMOIWwHJ4%WVEivv$g$frMZPeZl5R4afS1HP6J69jwx_C4F11?bH4_UoJz
zQ*UM{Z95F~gZEBaTEr0s%!OZCea~6SpMm+kh`qb)SG_4@&-MoQ9YGoIa}%!(ly*<N
zTcL=80uX1*r$tAQ(Z#K+FJrkyUy?N(w&q|curaW1OWk7nwdP}KLYEyl#Mc7r#rxWJ
zLJKs3)iFAr^18khA0^i_mt{(a_a3Kc9@LxDtQOmmrb3sQU4I^%;4r(ps+r79tCPh_
zg8hKhsnqE?;YD~ep)%^D@Wsm;#>%R`D~Z>E?%qlmU@-x9Q;&VeLnuZkl#p&jvX+1&
zruK#((Q^TNtijl`IWKfe_oV}iXScaN8+iOvLQ@!>B4)%r+-Pg#_@I*kQ<A#OmJd%t
zPRa$+JRY|l>opsQP9IfH1<a&bU4}+O=BI?-XLR1}D!;jWlS*iC18QWaVdHqtr+{~g
z`^*t!xXT3Ss6Fa<{X}=>X$-t@uw-|qwB4(AxsD8h5Zbu(SDv>u+-pwrCM6tzoUCvw
z+?_V@ApI;edI33gqxvabskYBc^hv@8xLCm~x`lLXB&AcR{*D+R!z&UoR)*}(;N@K@
z`XU+lnys!JKjcWshsbz?qs-c5l>Udd!@<Kg<cGDZSt8K&k|1@aG<|_0jtXD3F|@q$
z!p44X_2SiZ-*5^GOBNk5N<ba;1Em|v5x)RU8u&T58?MZNiS&6nRa@kaUMY6$yK`3T
z$ZN?72M15Dehv#U5=H#L-ZOGRa4>ueWYTLiE#D&YPZ8-m-j}`7{?JF|wy9c%l7VNQ
zIPf#p<$^iGfbd#N0-enh8m)9<)XrmuJr`mVbnjUzj_!Dw?}eDBEu}A?WQ_VcYWbkL
z$5q4DL2wMbQwHYT$fcSr<8p7((HfH7r?88A;#ZKDLEXY}-loF?VQZ<Wyj4-+Zac?)
zU<%|dRU;KsOo(il!?#E{Z=>!#qPVxXeUfl-u$6D5w~X98i>UcvOHxUgI9v4$6z`?u
zWjnuTxX=<Jd<gzbZYf|MuO^7(^6t|swMTT0FV*|i@_NTF83|qpmLCFgWmNA3JoBaJ
zJs$IBt2HrtOZOZrF=c$1Ip&d$K*nq9<-y1OWVU-RUg)=s<TFkWb<r3zFkfsShcJ?Z
zvvc=5=nQ-7wypjEMrcEeFE#vSi%;Z0u+OYy7z6k?dcRPxiCH3lYl?nYo;%J)S0l6|
zPsH*b5nMLJT>5(qh#FC0V~@{|3UiNzZL6M4cP#Q;J@!Ywivjuernqy<j)NJ|>Xfsl
zZN+Nqp<&x%4k=`TxH)LQLAFvxErG0#?uEJI?3{d7Rj##Wwu)A@Vt)4o!{3`?g@p`l
zH9!hj)2fgmJvfKgp6|%eHv6s3#!=sKRf{CrnrXuTxhOED_8{btv;S;r2wROJx{OJ-
zc?v1Fyy%E5Et`n8d`Fl^1FtqKk{;jPDbw<pnO~$1Fuca>W0gqmPa)}Nus(|L5K-ir
zhp!tE=cJb*Bc#fLmJ|w>Ev0bc(QN=4=F6s2ofqU|Ic#=sK;(7ZYat%O)0Jb3(R&5t
zJzY^~;={$E%Jk@tyL4wYSyK;WimM+kj4KxVE1hleDhM6OM|2~P=FnuZ7RB&NC|C7p
zT$4_nUV2|<SN2PLK{@c4cMIjo%kyKT;-VBY6IkA>VT1Mb&PH(($1uD~u6#8xrfcYv
zeg2q-IVFbN&bxz%-&&F(JS-ty_Sh@f2c?N#oOvp~PCMA<%6LOuuX&5C`EuLU<>!bm
zrxK?TQ90hzX8kAt(??(9rIVfc^Kd~{d{8IzimQqz^bL)p=*10C>9A9^KZNw}lc^eg
zM{KjOC66ehWYJ2Ix;Mw!o!V0f54WCK4LZM!i|lHCkQ8r>;^@NWI2EB5?of6rT1TcH
z>U$M#j}`F2wZ0R|1U?|w_S6Sz0BY%P0WC<=;IU6(6)Vo(t}z-AK9X}MoITRPy)nCX
z;c|3&G9Z%ELH;as#koyaZ|!wtlelF*&Gd7JcXV6gtlh6TD=W(%MT$8u+DJqk6Fu6J
z*kkCioUBG2qp2wfQ(}15;o))agKzVI(g>**b(;n(95XW_Ud)`w_5?6<npMBWa8IYK
zv$oD-3j8IeLczN57CPmlc=-x90@}69xL?gY(;{hP?^G?S1b@%uK|z|^+)O49d)|AU
zzEwN+#y`d6pJ6+W8a-#D*rCneqQR9ZZ)6h4>0@9}+rsM2;5nJ>S0_meQ05qN4n9Zk
z+H^^~td?<_<-p(T*+EgON(vY6yAHde00d?%z|rI@Mu~2$Fdh<_41c`*67qp!XHCTp
z+tI_itl}mZCVPAjNJ}DLce6_p1D<n3L1I9`(Ew(bAIw8UT!f>0i!a!MOe7+Orop3F
zZbpb-L0?(vcy5g-cjBcAw=@vWjh+O->Y>-=O>Ngf763Ui^Nv78Mufa*Y(H=1F(vKi
zOtfKvBX>p=4_?%4;2Pi0Hur4o-Ap7#3VSfJBIx5wm$-u(D{(G}xS5I$hv^1@ye;LJ
zi2%b*#xR{^DXWebHSgP-{4;jvqQvnfvtj^Hu2%PYSIyXvuk6Gq3O@<y*Kv>g0cBJ%
z9v1_4-MoC<`<h;lboh&IC5i0}SW1fpysK=mN?3e$`AAI@N7cn(fkWA?q<SP`eN{7e
zuskuaC7;Q&Q)FWxywus8E)iB9Vs3ix!BHDem0+B8TuOQ<?Twt0P{RW|44B)?F|gw{
z02_@v*7E0(Qd-s`wiYw*1R7KjPa;mVJ+xRl&`P<IrS;AssPb%3#n<dQWIQz=@78O;
zV?JOvyCAby>(Pk#W`wZ;afOrLG(Ar`Sp6laD2KrC>0Wwhvdj?9jKleW(g|~eN!Q3s
zGMC?AMwReTiMeus^o@c%uIfki<N;VSeh2XQ4B%Y8VJ&w}qxs;{X6<^f1C9%+<H1_i
zLt(<D*wvu9Y>Oy>=!of=GVtq_MDvzr*`;zt!^b=Q`a!*6WL3NuSu?@CX)%Z<=nnEi
zZ#DZUs9#g!nbrf&u(9Td$#bcvIsO)vp0?Vkvzl1VGHX-7$UMN+Mt03&vamd@BEgNK
z@mrJE&z@5mEfmMwEYm<m(i`<n8<nl#kvOT>lKtSUx!Bf@HQrG?dQC6S+Yk06dSdEu
z$QKsjEF$&HI|t`U#T1Xt?n?uStc^e?!xzpK9rNDUi9VLldB;B`#U0L10I!W)z!POF
z2xQefoR4b?D&MnR<H!|onqoUTn&$%U$goh@bpRZLUUQG)K2IbD?^9Bb-!@|*{5kdQ
zHq2;EymdIMjOoPK1Cz5YKog`q)zN&_XM<V^j*;j=scdvnEY)qDjv~7l>yNyeXb7K+
z?#N}Zz2=6fS=3OVZo*KDQ%MxnYh%=V-CW9;=vVK(xYWEvO`f9aM@V}o9Ie)e{?x%q
zg+)Bt5OIv_uJ<w4>jy7rO?iSWL?JWTw`dw)64Ds)MZCmY6}@{i_(ZVxt+f&sWs1T}
z1OO~@^YpMJPjConCRv0e9lF9asT+Mw0t`_llJ6aHRW^(WYGSL~a6R0ktGehGoo5`s
zMAeYv&1;(yg7D^5LxN9NyTGFzff=7Dz^rE-2dWpC!*#c_55W$%@T3$wZ5{-UI@7nP
z@H3QKTL_P1`w;jIc9=TO^LsG^z)y5m;hB^_FxY$kteLs&iAmwL4<)*WzUPu$uKaE@
zSwb=slkQ1K+Gr^Xi}LI;R%O4(?a915Ix-=e;gIUA+9YHp0=pqV0&}H-n_VL#nv1W(
zK-Fu}UVF^ZZ9dKwI%IsL9PR#Yl#<oCq1l2Cj$RfrdUcU4;XPx!ETuNvWUu~%<Q|?)
zmcB;5tu+*?lPb%SG(X{|^SIj{cIg?Fm50NTda2hbWz7|eSqeS&TYM#fFT6YCz>vtF
zLR-s7Z@sjd75B9x>|e6V^vMLu>T1bX48V0KT}|yz;<Y54znb?VF-2=7M0Jt3)qw$F
z9#Oug_bS4X?g?85&!?;iK4q1f@7_&IBn}a?W3J@A@Ud4$Lfa>??6EJ9p>1<lN!Mz^
z!}e~10PSA)tZKn~@RWLXZdhm>g;(>nk0m(L8DO`um7sZ(h#nXs62O*{O*KVyrUlKV
z_^|{FMO<>SU~CjHs?J@a1OneB%et7IHKc26J-tPq@}-`M>8o_9ndx3gOJ5W@$1|ky
zjaz++!ox$<j#$HS&hVIv2zlly1IELWpx_%w=A}~3sR<#DYCuNmr#GeMZc^Ni3&Q!}
z#Idio=_NjRg=&~s?x_Qc1Vka|SIB9v6S5`ur(fmPJEzDXQHzIq)`ey}uOp1GTrf*w
zgu<e3TZb|eSAp&^LZK+Vi?KQy7MwD!E7|-O)@M+kxJ-P#wNW-Jf~5_n@*t8q*hLAD
zOV$?_7g8VkoN>fJYMSAdV{>QJaFs8GU_rG72}x4CtwC^BcL%+dwZlcbdCU250NP{y
z`d+ef=T2dEiTLt}(jfyCk8_o~?vRx!Fk3h>P8LW#LSx6xOshoMc7iHt<Py{weXzML
zNj4xi*9pf`oWe->)IsYtkV*AGW^xgr9X}0|DN((sH^_Ex7eU`^N}5!i-A>_0ORO)X
zxs@D*yl$8_An)}=Re&EqKq{en)uQvf+fz%TvH)MWZ`L3!CL}g38m#@2)-_(+VVrgh
z<ls{(dX0qbQGoRpoOg17(x+xC0w%ok7V;KwX)E=q8}&G92?6hV`gbej&&W>WkL)oI
zwBpf(_N_x7ZZMHbVj!zDmttn}=yU_eX(i<drKWc?TqB%;td<!Ff`r-S3vFxzPcloS
z$M6oX9|YpsdpKCKW)*^&V+D94Q&?;^s8S$R=i%^ZIaHzZyvX8Kh+;5(%C#XPc2rh)
z0K2PSJx1g1i=g7fC$6WJk4|nG^3ro3w9HY2>IFZYl=EUa)WliN(pk7?Ha@Njfes4m
zUQw~psrd*Dn9D64Y3fAY8;*VM1PJF;+6y4(>vwv~%??^kW!zNGd1dhUiBd4Ui*sdh
zL)y4p?&P1o<<EgvV73GBE*RR=bgS{gw~gH1>>dog0D{7)t+#38ZIjOwcNWZ0{3$HR
zOFP5Ci1#V3_Zi-0F(%C2t}`3hZHZdXftz3QWDhAkG<wWu>1ipXoi8bo47aakWUN-Q
zVO%B%A%q3yS|!5fJ#NBwh_{e@dqbgEUGZ`Um;!Sdp?lI~JbPcYjmO&X%Ag9=q>QSU
zmq1<nD)^$md&3z?mDBG|4s4;J+B1$8ijwq3$6Evd{4%plZVdA%AHCX+w4NB}%X#e^
zjDaXBnr>*rCB&(I=KznyD<WWrl^FafI=o6=PTQdIqq|&bx=N8sNp7-+q%*8B#GzZX
zh^CxkECK+Q=eV&e{c?`7qTy1Yh{L4sm%Kp4wYnV47UTFH0}7#z5*I#>ez85nEleUJ
zyn)O&m;vA(C<H^hwW9u7o&tF%^~~+3yyP>+w{MtcJ!KCFcI)Nxc`FFb#IT|P3)D{_
zxNs;e5VHC?uIO&UQRs!U#astC<Y}yN5l0L*KCWGdTx4=o>cvVsO=o**Q3RPi?6CD#
zk)1js!VTUi8DL%pzKbLS=_ycgmlGIpZQc?SHh^X~M6bd}$E%aL;XYT4*(PJG9*p~B
zkOPzK7125O78qSrXEhX|s!QFN#|aRJA<!#y^CXb>NQf>rZQR20AyD$%LjyK-61<TG
zw00RJfPDH8J(ES{t#xu7H=C62dDoion`(X41hrQWtxsV)=#(dRjpJu?Oad6+<3WN7
zG*R4Xe*`rPM8(-_K|#`fSx1r+1(#|%L<(8s5Pt03aKZ3+WcWn;eK$w_4)pls66uva
zio|OoMq<l&QE3EN-RMNaWHbvPrA{1<p-pnO(oIJmSNGmSIgRMDTQxBYEPRh20`bcQ
z#hp`PmRPE{OpQ_J{sbP=3}9!<7HZ-&n;!>u%5uMzV^JfonR#I{W$gizUe*4(jqm6^
zjyEvRLtdDh%Dx0B2|k0PPH<A=B*h)~sop~*GxG5sk7{ZO+d!b+Q9wAAOOwR6wNLF*
zte0zEJTG;%v6nF?4cmIc&~>z{*sBLx?MJR}?nIo;v>4~S?XFAlk*8>#)v%#^y%Z#_
zI%enKyr(<qviehE9w37o_pU>a#x#bpBavYCaY7LwO8cPI0V5OWR`j^#KAfX@?{$pH
z1*=9lDUV`<eM`(gC3bT;-7yrEL!1ljt*z3Nn0qEhgyn9u!((#ib2bS|Hl(^lZyl*Q
z&cb=0h}R7y9@QS-mS`me66~2$pj9*kyIMS#XSo}$0D~}YMS!4go<2makIn0p-`SZ2
zKm&(sfmuPFmpw?Q_pB5v;&z2iTeegkwqqIG4{8Ql)SVylC^WLza64iMta!kh0w8b)
zDnBfTw#TjMLS^-?6q+jukE>D2+3B&R`jclCecWRg7tr0lM?O#nDlCQj5PVCNtm?@a
zMi)GFj@)I$PRyEi##j&-wJ_>pNi9^sBAL49KYh%dUgY^pJKPt8@3}_uyj#!I#e8mW
z_o-D!Y&7!{g5=Ra*h3pFb72b-4w|BtE?lUfPm$SY$PagACyX10kVkk<dZPOdVp)_z
zOUaviH5fXM*2Hfx9ootG=oI%&=Bo5NL>OM{giy)0p||`Rre7tE-a(yIZE&%;9LpP%
z$6fL$F;kw}8#V#6qhW>gd-Ldc3K^TrvW!7VtrEdh!u4f9dk4f*NMj`&Jee5238^iN
zBA&u7Z5X)9z+v@3p(w9$QtnKwEYW;<mpku;(j0`2j}&hClRZXsFJ6ShJV#9AL($r@
zB=^jf;H|-DSV}Jw(^_*5aESnl$7tM>bB7V2-HCA@?lqeR=s}6Yw1*rx+@#pUzY>1Q
zte+y$0F>fd%mGQh5t8y$ptfv)$M7<O-Do*IlkFPTH*@83B8i}-HLphUnX@_o^7op;
zzvF&pDVgXnSgOY0)2s~l39#3aC{aA?f`aK7g=n34rxJFGqU&%o<Q>gu>MW>l*d}cf
zapEmR&X_@|r!F}55OqQWyt=g>a;|%v;yxL80#RhC;;)~*d`ZW<aCoBc8C%eUlq|e5
zyXkyU402$VuJu>eRqWNfCX#mbCkLdP@(4^TFrk`y23Z%0S|w^pV!~Ja;oNIF1!kBx
z-m`0Un2_|I(A(`+zoXofIslE1bxXw76^vQT2TF<1&d$c}XM5rjp6pNW#k>f0Ds}Fc
zpj3}g;$2=fvUA7dO6QtALD}m=n4e9v5_Y*!ho?>Wbf0Q7XN0FQIW<geo*>f;ixhus
z%IdBwLRg~KkxKJGc18SdD>tzEQ)uxS{GXK*Y9?Hjj9RE3ty7~lSSF1!*@j+^^YW}Q
zvw9rwT133Wx+mb&Z;WKe=OKY~N%fpGKRmO`E}VRtQc={^FE;1QwR+s~*f2vb(dLX#
zK?Nf>;m%?t5g%EF@7f`!G=Q=#xjf{jfgs@=NO+r(wbX;vRdr--uk%>V7o@JR<AsN9
z0-oqyzR9a~eNPe9r4=oiK-<!QbziolTEuDa<gFdXF>vqON{As`U_~Inx>l7kdH^ZU
z5*Oey%5r@CoxkFjdx$P5Yj5@tE6}|L7cXogk(vRSw#h-6qb4VNl5V`re@TtJ*pTFi
zxzb0-R>)tXuI_E*`WxPA-F@wzyO4z{jflx~M?Kw-kh7W83gqcDjJ@{H6^6s-2;hB(
zr*<pc5bmK9$jTly?v9SyoyE_Us?<_NmnYmqk9+lQ-lTDuIK=f_sH!Q9t|+z$u@`}i
z!;8k=**&&5Xe^T{%=oM>L!qd9U%n%GXj=6KYj8bO-eW4CT1;f=M~G4!uYjJ5CZ+SV
z%cwckzIyKwhp2ULze0cW<oV|EohAkyKc=8cTBd{}wPWliHH<A6dNL2?%EPj0@-goQ
zX2he{F?MLG`5qb$svrP1`?Uqd%kEb1Em4(WCG;n6xDqvTK|Gz2*&EFsEATn)qH$eA
zkUf1DHAX(W@mh1UEOT|2Q_1$X*u=wq<&Ek>3l}L@s!uFuJ{vNhb8A7u=w3aNXXLo4
z;wTT6ym4$ngXCG@!LZAw#<$qua~Rm{0Sm*vi;Ca~;Pb}uu9A6ESn@nw2Hpaj;7f5<
zcx!IQ6hU=_h!vJC>ly6CEJDV}ghG@h>*6emq);}<Tf1j2MVt?BTuf6ZO<($sjuXub
zv6Lqx^qz?}dZxo-=Dfj+CK!^KT{Og{ZodI!)VQ+l*UMh4biNR*xq;zj>+I8;?<}R_
zQB?71RUb_UiORB?Hnyy8@eC!LYbNo|@PG#%hP`JRWbumUk~9=CC+v*MLKLXpO=0-)
z4R1ZHhXVRYbot5pcnh|OOnVXryo`dw9N4=oGuQmnIv0it*v2t;vgo7VyMN8#h<Z-R
zDVut0ku+tMYb)*@Ws|@&E{z0;bW=_ISU@Nek1eaVw#<Mc79Z}WRr06Y@O$^q*>58s
zweCG>X4YPvYr3;pcYi&^(}8q*aAu+nG0f8Fah$_RtYKM`E|`w)n9$yx*Wr*wZ9t;0
zsTSq-^{Y69xgvT#FwjLy?soGeJaJz3q=&_ONp~#{cR_~HA$^qjXj=TKy)Mb97E`Gh
zojEZN3mla5nIOqTs=K`ERdBL;0aZ4~GpR?3kK5})vpRssc_h*Tmqy9)rAIk9BsnOE
zdLO-X$W=s(TYn38IRNaA=3SbKHf(z%uNyE7^5w(9^x>J_r#n^ovaADgM1{kLP46+H
zN3S<F^CHu2uBP{(rD7`sApIN=;6iML_Q6H@W;~e(W<joJB$o4(Gx!y}n0wHS!}2Wm
z9_A*^gyRi~1(Oj)$=ijus-J?R&jA6@XwI0(sbikIYBY;4zaUcR+Q2`8t8w`@wO_$D
zQq+^9N7)N;D0HpFZ?Segv%E)iy`JmhbY(Qi18cgFNgqFK$TQ!i9jD~9*oH1J2oBv<
z%AE3do^RLFx;wdX*WWTwLTow^!OPn|co4Q~1Lx}*Ln?@*4JqNt29En^P`x16(=Y^E
z=#j*}C6KqmQf8qRH90G)w;~4M;)=dXS})=9Jfyle08!xOiv_t6MY7H1!Sg`ND|x=1
zlQoGzfQYvpjIST^3r|)kaD5;zlBkQgjWK)eF$tv;S;CNd%xeWe1y%F83c_EKGmG6m
z4n|~j5Uexq_wdRh3_OtF#gfnQ<;=bp`+A(9`*mUsoC|W0O{Bh);dhyp!0{<L{u~w9
zO)BU?A1|brM60+wIMOu0K6HPfOHF9c+zUx>C?3#gnmpl3P!{qx;LdUnKrksoou`BH
zD%jaDFpwD0fGsNZUQRpeZCAlXzo%s`bwXgF{&2<Jyo_6Xc&i|+_nG3&W-ZDr9b?Q@
z9@?XxE%p$JHg{x9wcy2I7ga?zZO7ga^+}9O4U&3xH)i>`En!W(*+zrp1;ia(%|qGq
ztzfI37Z>={>qXdWuxZE08Z{1?f(3DVcg{1D<stlD*1#Gf7R|+qkLkGNgd=FNQizk*
z!kfpUC=#L|`|4FWy<+Z{w<T*;Fc=pQzeLBQFJy}+-#QLIg9L$ls7vixr(#Ju??zu9
zi?NiLQz`x_)6?ko&s*1G;Dw%s%IkLc6y5v28$9dAl(@ahco}U{>8i~zEsb5!aK6Ec
z6aM^#=!^{JgH!aESId(fXA0zlo!fnN8W_>qOZ6IplJ5<r=&dAk0+`snvDuZm0-?u<
z8I}vGp3lOtLQHk(bmn>UiTT3|Ja`F^Bbx?C^DL5-U|M?2H?ugo0MRhY)_gE#&S2sZ
zTX>$Cpl!7X2VD=~wE~RKQ>|D_OP4z4i*9)s8#Qik=0+hLQD7#|$8Ib0vAqK~N>TD*
zbO2z)r4tolm7F(!ZVxLBZw@VqXl-`eq9qFvbzF=tum^OpyRCPGjrH2qZeDC}t=2g>
zt>@1?=jgt914|ce_ud*5`xM^tA{9Oj<LJ~x-jQ@wRO4iH3cbtoVLQFvCQ2HB-KDIp
z{FdG4_#l=ShS#0jVUJ~+wqp+-MfFZ==`*9)M0FQW-51#ihHIerQc|CE;#+UCr=uc>
zN}x_1pzY<l9e~F(I}g>051>H1E?aY#js9GpSMCt%UF>)bluyQE;C5ycDemOlnS+v7
z?W4+s>?K1|S-^u<{KPZHoDdv9PpWLzq@<zJ<<%n|uX4aOz>S!Gx0xeRjcthZgbUs<
zZ?du|$CU%MaZ?$Nc#2ky8W#F3za3hhPIf07<(tBJS4=Js1mG1FFDW>t-+}k&P=TMX
zm2E&$7VcO+EF3^`A!<6WJJGaTwa|D(z0Q#_Pr(oPXOkW0<|9(+fZKc3S_6ZYgnqCX
z`aHU5{E1ZUI%I{%-R9F-6XvHoHPY_y`Rx?U%bYi#!V~?>b#GB;r;*44s4|b4h6g-|
z6|iRXofuyxRv7^Xdf%cJE&>WpuA59k!zi~z^9%^|YfZNYhz016Ft48yX8}7pW6>m~
zS3c^{eP`hMvfo<-y?BfWf@`nM8Y!?&rb0MYL)7Xt5&JZlsw#*1Jf7Bx<7-eI7gXlK
z6l6gFj^Y==Q8$mu#hcK{+V4OP2codRRHn@nSxP$JTqQVQb<SL(i4wP$KHKc8_uea)
zeD91sK*0ud1T5b<2dlWbtH$Zxn=SDHZ-GuQ(UGNlF_@NPyl_xFTyhYQeM(g5<}HED
z`_i8;2ntKkreo{X{q($UxxPKAbbHBYW!zC%uTR~KjpyM(IXI-uJ0M&bwd0EO?##Y<
z^xic>rFd~ZgQ@5BDLs9kt+pMd+28KMk^A<Nb?*ozpaLUVfkgutn^()=YRkszU>l1O
zXIG6lVD<}_S5%@g?->pAJ*X;orx2wl&8pKZPGhK{8J2G`L~I|fyxDzDiH|4%<bv~t
z`lXF4zCp;ajJX6m>xrkAPe>V*XNF?RFP7hw!elb3zXLGZq>M+py>%(Xaiw+?joy_>
zdAjrJ9{tJ1iL=oHP~UCK6U*pIYg6l#;Gl`uS@xcvz!txa3{D3idxpId#(EIZ?mC;8
z^}6zn$H}$j(h+tK*(u_7J|!(0@M$7;+Mve0qSL%-ziA#qBZYSYEd8_`!{(>&MKNo=
zrV@rzX}~-_$ftc+N;)!iShNCX0TsuuJ6VlUZm!NI6r(5KB++tQFbV@Ze$TV^Ib1Bo
z2ndQ#%>>)T@(?~z@m)QMprmUHxOWOZ(Npgw1ddd^a$m>Gem5um;ypU#3d9z1*QcQr
zB8VQFcS_IwFrP))6k?(%EQZf?cb@=CK=32Ev%@YQ9HgfMVQ%`sZM3pU3`h$C_Hw<q
z<%mj;uqCn=vyEL(%AKuK6RGs-MEK2sDC~iBnj^g7ipMiW1h={EktwS|32;u7lod(0
z3M?=tYqh9%B&5^&*o_2e0PoSEd)5x5Zls>vz+kV9m`KN6sutuy5!5*7fiEbEYQQ*V
zJEEC)@?=xfiwXrGK)c@H6|m(B;p~eDedW)7$*;5DBO*J5e!()2ngSm@Ml}y;-o<+&
zI_yJWYU>Xux8E2b;t}v8(+xOs1e#TTOPcrHcKvhA82^(<=!xm7Y$u?|amYbm_BbDF
zMj+yjnED(Iq7EV9GO<|YJ9#@BWQQI{VZ#}AId3E3q#lls$Bf+)pr}POm6g^-hgc<y
zn(|3=wIGE(t14j?suvW{ci3)AJxBd2WIS^hqS~)6)ty&qh|OIb;RV(;0v?XHvMvwo
zth48UG=U}0y~{CuLSeBLaTIyEy))R#<-^*?=1*Q?m0H@vHp|x1;tRQVK&5Z88s)Jo
z^5zQ@n0vGvfPjZ6nUPg-r;q8)Y)n=aAjn&+(R$U>77Y1b69bG}r+I@0y#Xf9F?ZXi
z9kAYS5FmSEcL?{F06~_ooOgW`!tIR&3ppFmQLL<oRzW~N2j=HNA>q+aW~f0=YDB!W
z+FY}c1kXhE6@2@je-0d+Naq4x51Og%y`WNMVm6t+eS!Yk{EX4!nDLdxDzj;MwmP4r
z;GyuVF^U2zcmqHu(lx$*9VOeisa2~918a{_&{r#;4AKLZi{a^o^eU^v$B=O<woq>~
zj$n)6uV!&{Ok9EtJyh~@BTwX-vwZc6>Dn_5<aIxH%(Y95yi{pz-o@gaWem!D1oF}|
z5X-mGNnK^0PVnJc%Tk#mcTfuG3cKs^JOiu>9!ho0L5TJz0k6sx^E?mqY3XuAv6tcl
z!Qpr6k3>1)*tP+>cwFUL#-8>Iw^>RRFhl@%PReLYs#{!|QQ(P9dehc&16n^NsQZ-L
zuB7j=7QXj_FmFwVF5g-b?_9^c&^(;BHBUg}v9P^!II3dm8-9}~%G__YdcGwXpQ8u5
z;!f|=OUXf7yu;aC@HgAyaA5<f<}P#V{3_<MF&9kjQEx1%2~wxv>73*f$%B>~&ANEm
zn+TlD2F>!GOPW8u@^_qVO#!c@=<0|JfO-W9nX7EE-wJ?O-Qd1A#oX3Yp^*_w{tEq_
zK;kP<PrMd@m?#RL+92W(qckPUY@n?5<K=qB5A9gz4GGAgmWkOtA?=uWNd`%C`veAb
z(oZi#)GZQHq;DhE9&L)q<}<70je4(p1iabg5i4R|(2DSrX+klJq7lT{$`@@oFDh>N
zP&6*-t#tA-)4-!glwOYF!`rIq07zkajCXSka?sK8Q-lFeY<ZZk7l9uEh$glny@w0W
zMGLKuE#D%uKU|&2c&}t@FT4vIyGKlvsfSA%%~WH*L>TaW*YJV6Sx()zr=sASYP8Q8
z8Yv!+p<DMI_`P`8*T^eRjw{-7WVdRm0QFHl*Uod1rZztD#(m2iIO$8HJfVwn<1d7B
zrHL^R3m`{9pvN+AGCK-Rm2)+-o(RUk2?wS;G_ZLVz;BIHa~vd>B^*NY!2FPd8Sn*<
zD$f|6vukvcRSJ072Cm~Gd846DbM`HRzaj!$czq6_iniN_r4OFHlzGxO8~29yf<^~K
zDj+-v<Bg{i`jn0naQY*~A%HP_#$(U@_>n!-QV(rpn<sL_2!@?q?Yi(#vfOjqA5Lgl
zdEUbXsd|d}K%dm1sRACZDa^{xS$O5zxD9}Ou$(e7!*uwaTpI<da{w8zuf-fK1-@8U
zJcxXlPQblEM8IbVp|9RaZPT|5kv{XFIc1emN-cAciPZuP?~__xf{4)rfPqKtDUVNJ
zN4FY8(hivmW_+WXp9||wXD%($Hu}1=%~@h`yKO%mfu@JE>jXFAieVx&O;EcjaPLWi
zCHtYNC&yCJ9mve=oCzMzo+1tH8%LN-PUsGJf_jmU^HhOR*agi~C|2-1bMc{rw^z$p
zDReezRrt$B4;Xl?d*<*+Tb^yav;sfC?7Du*PO`c1P6#pp_2|m$1XXsBjP=@ZS@T62
zD?a1cOx|{Wpix*44q2e7ILlocsP#d`nY!-CMF`nG?CY`6+t(!8fyU_CM2Z@BBo^|v
zCLJ4AE`HuW3KFX_kS0^dVW(9vN&rhKo+!r~t4VtEG_T_tCpe)blrG<e5I!=dfMF`$
z+&jIP`xYX74kmKFju6S>Vz3Xwc@h1sJap!&fWRe(Bk{h%_t>pK1_Smnc41Ve8W~qY
zi)U>hgD?7f(*wn7UYU=MS&lA2NG*XL6t|(L#G~Tk<+=<{ktRues_SE^z(&+XRR^4x
z@_I}oBaRV_Wmghpa;b@i!)ij5<;44Ws$IZh8E0M(pA(`TpsI@fnIr;8p-<}Z!_f`6
z#-3uKVz}HV!_O(+{xQWQG>gw39F<G1P{hnOqtUFF4pb6G5+rezEW+L6Hyl%Z;>;i$
zCk-4EE*i^bWs(M2&Netl8s+&)RPRAmV2Rlix#8wNQNByiinLyOZH$&^G{5(Q`;^VY
zE1_#*td#Y(W*R6TO8|D&p4XWUud7bjh_Jjeyhd8Jgjfq6d%>t<_-?`bTZ*3}ilWhB
z7^W`nTSbGs$_W{{?T9*!qE~9K8g0fL5EW$wXjV_OTnp21_#Qt8H$u<0vVmZr2(Bfg
zeJO#Vo_pwtq%^9c2!mj-8`$lWtc&LlQzI?asl{QPH69M(1VnOP<3WY;Vy9$b@FKm$
z6rRHtw`Z{8j#u&~7YoK89JF5y7QEIcl?V^p#;1-57*dHdQIx%SB9i(6+?gJe5Lo27
z4;9<7?5Z~AA1+BgJnWwR1S)Lg;4JpZLla@q;=&XSEg(LQEX$H3pL+xptkq#0T*1|W
z(uES6SYrwK@O8bi#B9z}KY_70=xAenYXWBjbeZCHKM!<N@(eGR9mIw1^>N6<^Mqux
z=jdl~EAUL0NXDa-_Hiwf$c7F^S2MrdgNH$XFq^c^rx;m3eNol7Ct|LaQ2HS{hi6B}
z=3(MvzO2_h!=VoPOsJG(Gu|`CGnwZ}Ht=lJ<k{hyfxAqROIeDuJQ!3Qm(A;U1Qcax
z9q5}C!|>!W1=Lg;ikCVNG*rF?i|UY)YPg2?GJ+~zz3$-})q%|_nX0USH%bd&Lj9Ht
zAaKmM`d;I!$7Ykfcjxp9yXX?Im<IQ02gEAr4oz+l+-sZKQkH6yciA;QFKR3Kh#UK1
zcU=$cLL<J_Ft!s3YpBC<iGwz^MF*f<Uyddv#k*Mwg5iP6gAGt**U-L|vSlg-xF>U*
znH<4%oHiFy3YTt3No07P$AQ>uC5VN;<T!7*UbuN~8!fF}Ua8xp?JYg(Qph=Jl@_yp
z@AY*^Qqr~>06=@1dw7C9fMo$1<0Jc&<NF?4c$DP1v%EQm<#Ur%-?=`1f0m@_i&<(H
zBQ4K0L!DwS8^oMEz^N#e5N)yVq1WRISjcI2yw+StkaqWt?IFxf?8wD@z&<x<Y<@e2
z1C;xMz-_FjC;aTGix63;bz#;se5AO`wK;rm3elNjcx&%fKTkJlj7n1u)k)aebbtjc
zI)MV%n0cL@I$ex!0MOr_;U;n5m_mnuAxynAxFDpvKP2#C+Jt)1U9CI^`uUtc)jcD|
zwQNy4*b;$=RidqO?IJcIz<^Y2)f|3@_m(`mn4EHXGh0z;hu%;JRj#C|I0>b2zbGr9
zxs`WQv;knRw2u+8ReuWd7Mt+#QHVLlTy)HU48W^}6|vp%mZY-YCpO}u$W+*mcYB*P
z$KYi!q|0+je$B3M-?>pf2N>FEa=NR43Pbc6;LHRrd~&QDAj@4tBd|RhRBUwsfG(|q
z!y8808Zd0e+qlmKVILKmJt`<*v$a_*KamAU&o}k#LGS7mID=5kU?`dZPU8kkWODW4
zvxPJ*&NAp1{u+6iW7R>cSXQ0$T*x3;4P4@QJmK2r1y@&U6;jEmtl=6+r;K(yAJrWm
zV<^%o4k>=mjIBv82Rt$%2bMv*$m<~c5cE9q*q$708;$S__3o6%J=7`C@d}@)Jtld}
z;*E^fU<p=71>5=9(;!&w^4cTChy%#4<+g8x%lATj4`CM+yzHbaf;cA(#J54s0J`mI
zBUvi${yg!$!BbLoU-gKR>z-$qSx+{!6&E#JqqFuNkaN*PpDS|rD~IklY9W1LEzm;m
znZLu3@BFBrqf9`Nr)J`<Fb7I?`8w`sXHO%9QrVr;vv>Yvw_L+a0s0IItkRb)6d&&L
zgXQb>N6DT7d9?uym|W8>fk$f-v%>pAghUi7z}tf!M+78wl3KI~$K9N=npsXX_Ut)C
zPsaN6)Dz6A*l4u9d~A_5^a`D7!m;z(g7iV6b17;(1{`=T#hW=AFSX`%gYL<sUlP~5
zq|_%8Eve37!2lLR0xej50853M+Aq-XF&AXcjRP@~sVJ1g6Q3~ykFvz7?pWJbaqhU;
zqaD<b(fN5I-wS+OWQda3*D|PMH}OJVvoP&tCv_H(AaKzDwcZ#`a+=*k8w)0Nard7&
zGC_IFydWtNhcmkJk?cyaUuWu49Ueof%B3SJ;CpYxUgRaZsZPnkBW)??AYw0brEi~9
z|Mbbwc+Un+UcgaiRDlTKo7$sQm)9ZZqYwgh>kYL&OY)kuXc#N@%|@$t<lKvWyHVKW
z0-<&kCj)Nm&$%92RcKL)9<*ntGL;B{L`!5gpW<0P=};|`!--(Ldn=(2l+AlLFf)xb
zIsG;Bv2FC!Drt#5Nhnazm!3YNE1Y=<G{iG82gx^Qsq6xgYKqBx`RLMTYJ5>qqJsgv
zgiQr7nh!P(q42$4$`(5rqp*vPc(LzJy$psq&P@P&T?EREj;VFhbEuaPAU$Nfz%Ow(
z$C^#+ff<AWw;+_jxvlX&K40VK=ho~@DbMz(YQ-Y5cKT%T*l5!si1`5Yr&k*6>ad`g
zKlOkFEOv;kAntxLcSqMrPI^zANuFwlb7AYNP4?>C&LHf78Gy&M-RJQsOZyyej8LB_
zbH10<=7j<DHn&e)OtOfZ3<I3GN!?@`4o0A!=4LcM9;ZzkDPDnX1CS@JD3hC;`iwN;
zKom?&r-wtwkqY=qMX>cDxVh+nKq0K=8xgZ|%J97M=v|k19n%<VaeD{sbbW(lhvmTe
zD&pzA?8wLFi>nI{3)v%um!Cin)5K6bEa=Lb5}5Q&5@dXW`kJ$}x`qV%Js+A^;Fc|x
z5>4bXqVG^A-;S(;?SzE{;nTZ<JwBdd@GE{aCtDKq@;QlKn=(F3GIxCKG&;)9#Y~>K
zK`y6r8!==9CCY<awD7Y%h-H>^m84vV7e%=5?D>_a;Js%8OUUV0KmF1VlG~%tRy4cO
zvlo@U`j8po-Ncz3h?+I`zz!?El;E!3f@t%0T^6_jyL*o!HBseLnEpBFXt~007)j!*
z7hYxf#9qB&>om6q&(u#}>+?brEEdiVs%&ab^38y_Ie5g(`T!GXmAC0J2?LB1m%6?x
z1H2e(OFZ9>fm{}UnL4Aii4oT0jP)vOBHyGyFwNVWv_H-7Lk1666wO^lWJ8_25YtCQ
z8HjFEw0D~?Mg}AlfkrWENK;X(Zqk`WK&}cVpkAZHU=p)bps+8h`o)DlvVeLka?x3E
zOEp8mG61-%4<jo}o|rofOx+RexQX9uf?Jc=D`tGy2kSxNcI)W2a@AtyTDD%`p-3I9
za}7LXdsS=gYJ8}mHG(5|?0PRPOMT}gj$O8p0uRyZ*3kI(s=PfT={<c%SjfD!1eK34
z9e4RnZ}!N+o4!&V!Z^E!fBvRHEk>mbV9qZe==N2xC%)59X$E~tGXb3;kKH3l(3#$w
z?Go@BKoTA)0nd5?!$>c$?vauft%1keC{ZeMA4qxvec6XEVJ24^o}sQJfKxMv<0-HW
z@yNoHUECvbzVcEw&%oC*@g6E!8c~ze-4j}pv`qycjoy76oM0q_7Rm$sNc|m&ywLGP
zZwf_x!YIffFBtI}?0}K3%vZsT`JLNlx^eA#W{8GI=oTTHY*D>E;l}p>32e5WsB`$r
zOr-UNt#_#M5;MPg8c65-USsU_c~hkxJSI6zvIV75O7Q_xz1FEW)S4LN3a<c7#*GHG
zEWo!K9-1P$b(@QjHYL09Z8oPqs^U0dK@rFcGiWByv!A{hSUJg9V)^QLXbU6x-38$k
zLXAF941BIbGSc~GWdTZ-9A$FtA?RBvH_H|i#EKUe_#sXL_#A$UTh?A_1ap%xBWR0q
zy-osRKPp`{Sy#v9m+ay3%%vu0B~)l$8jnLtyVN{+H@I;(IoRwdC&0e3_n0zUn)}`Q
zgKjqHa}|eFKs58JojgHI!4e%z+EV9unG~_4laZ5}bQ~3zcXpLeOg$<ZQ_PAIS3qvg
zq%9%!70x*pCyN4L9n8H2O1zdh73>&s*;b-gMHa2Kl@zM$?lkIb3XT<SPkk+Sa4%qM
zARyOCETjNTK(oK66YCvBhDG~a6Xx^r6z-`a?KdUQu0i*fE?i(|NL})&V%H1ALzQ`@
zyhl=Q0~tCzcbWwz9ub*C_y(-z9WtjHzngteZl66vER765Tly)_V}x}G!L};pkWN(3
zT-$y$d#C++_@p-4>qWWL136<1#9Sw}yRDJOQ*#eun;>0$=v$tjV~}$mKeFg9c?`F;
z4VI1}Fbwxf^`1W`&D*sndH{wgxLDO9Vo=g;+j_wejaDbMH)E}px}n}j=t;$|M*4y*
z%bzZLKByW;lh{~hb_CQkk<*AdmQe)&E7_c*pxeDN76RKkgOVCF=XX|@u&7;xk@NC|
zUKVb$F~3aJ$FedUb`1$C{SddRm#OJN1w7MXuwDn+c53Vw)mYol8`NZ*Qd^IAc%|&&
zAU`$;F|ZbuMHo+l@+NrdcOm$$kFg%T=y96f6>mt&6ZWFObX(?tF*XcLu;(vj`1s1(
z52Y7GS60q%Yi03DV$>dlLndgaCp5u{A=T?y8DQF=ERTa+{Mp=ZKo%S#-nEY99*wu|
zd*dk^aFWERrVEz~L*>1w)ENV6NaD~D5te2U35pIgkFMg|Kk;)QO55>gFS=W_3g;@t
z5M#(<9#VORtGkXP9H`~-i*<Xkv1w0Jp@8j?vi8$=jl0C0-9nAw9QZV-^fAQF%~2d?
z1=2RJPlCPS!y!gNJTcLO(%l?hkJNO(Wrjq!>?O6jt7~3{fVP`R7ZAl`<s6eucU+_Q
z&f!kPfkyT$G2dEwTwgjI>YTj60?}P%TMc~`3wMK3ilH@QQ)JMh^^63c3qRi%j$Cgm
zc919mi#MO-$YKV?oZ?8s@tQ5(G>ew9JEy`%SH(3iK+`cz&C^f`cRmehHKS#gQ?zR4
zL&ee4@JB+sNUKx|0NFx}3mw%ewM0BVH}P5kULs&#+-Sq^(a0}JXC&p-#Y<pIRN0nZ
z-f_ie2|j(x_1w`58ftehnG2sVaY^`@;w+VN3<#1P_VIp7l-{RA^_F4!dJ>Z<)+tM1
znMzJzi=^GSWr#ssA)O_+ca`*IvgWf#5k&pUi}MCx5*1jSVW&LI8T+jjz)=%lL!sO>
z!?;`-G($heR`$gtDZ$RevGoFhvh%1bhLborg4@31QI4#BBvS0^*H2~~_t_Rw)`O$W
zHkLUVoW`68>%D&CtmX20H?n~O09cP*?H0yg-W^-bGJ`h}Xe;%z$7}-e5Zuk$xZH~5
z=`F}6venKtXp)7JJ%~sckvHjQV?><KyN<DJwli_7z3_=CFRL-CHx`zmH1<Sn56={_
z7bv`Nm+hS3XHAcF?wHyPk6*HjTfUc0EyIIs3EY`vtJ;32Kkw$wH;RKRAVzx+xGq}c
zjp=B-ly?EtFDzuRPe2cLNqMa@;+;`VKVuTcOT&01b~HEnDN?5IMvrQD!UnH76Jz6w
z8CW<>qMyz@2uz`w+{kf#;HAMV;jxMjUo}D28$cph7J9gM(ji0z7FQ`@YOj3^_4Ykn
zQALDOLKMc{?(-YaYF|Md0CQO}bKi-?mNpi82j~n#i}<{Q26j3Ok(bL#dKg|PS=N*n
z$IKh`fQ8+_2)>{KW_js;LL}JoboD)c6U}2!-aF!};FYAI!z&bdQg4yfI*eHgC@|h@
zFJs8zdFDaJm+xJLk9o2-H=Dk!-E3>oXxzuiLMvqk%>wV-AYgXEB(Yz+G&D!wBdqCG
zl#9L7u6L_X9pL5m$}uc%w@wk|L~vA5L3f7=;auIz1@Mx3S`DE4OQuLZt%#;n8-*;z
z#_|01WlpC($59u2$8)16V_t=>oU4uu&eGEcifKEcub2*}Om@H9{reo3I5{1opYP35
zPT;#bfJM*J>Ua1AIg4zd(LB+;6d&W-i4u3I7BN3HlVR5q*l_9>oKtlzuOhjJo!N<5
z6BCM1AW>NSn00`2(N9&|#CSyd-JoMrtajh5@+Qkc&WXG9H6)L}q@sN@^j_$cd8{g<
zLGRhK@Jy`gd17x9s`A0}7}HmD&Y9Dyh0p6H^n}pUMzRq%?01L{T?0~P4v?NEv_n2_
z1Ng(kSvjU}@*znLBB$SrUE&=Ez04NV<|}Ai5>>--v}+Q6DRfeg<Bayvn`P5`Eh^pV
z#9%YAXF4fm{kCku1&x-;9jt){5bx@k&4ta!VwzM>Q);ye_GQraZspeh%BBDO^S}P5
zIR5c(|C;<?1nHm3`1k+qj#T4}yOTI0TiQ$1rqLx$bi+EFP~R<yODqgdH$IbgNJS|^
z;ygULc#XKc@qn7MMf?N+BPOJDcp1>d#g!bVhx9|-pUMXK^$a;UuG>qjlod%HO){qQ
zTbXXwrCm4`$~IacrFTgyIlJ99qg5;pM6cc`vK#2Nu7iY?kb@vG6o3+TQxQePW)jFp
zC7&~6_peGaA;?wofySFalQ-3-Rzg639!#WehR-sj%j>oO`QokjXn>GtfyX49hi*zI
z#!ydW#cRW$YmT#?HxeEu$$;D%AC-Jh7Y~0Y%`SrJlNTcA5QvECUfaF*yfNuuK*5_+
zOi<Yb4}hi^?!nQiq4O)EA#e%o`_tR@?c;vo$|+n-BsDkIDuI=z;`LF?cMipKv!C3|
zt5<V-qUD6cdhZOfV2H7Npac0S`;EMQ$`FI^axy5%AE4{*$V17oJ`RnVtE0*D?ljH1
zl^3-t=B@Yev7+TW{K_ofiKTJ-=6)6={s<%ety?IV)*+e~zKX%63(Z$=5AhJX1@&q%
zDU@Th(%w~&qg*VvV9?H+PJ-N&LWmI}wvG^efH&_I5uQ^P+ebm)y^ZjYU$)q<k{&;)
zprkC@oYJJXi-RWFB;I{=8ZR4SJLVZj?3>V2JceSTmdD<Ll|3*LHUQ5sAMW@@$Klhe
zcCgiIb~zWg%DVk3>DvnQ1gh*U#ZR6996Pwqc)R7L-0kCQeCL(BQ)`pJK-uB1V^y6!
z+_eVuRTk+?m!fXHg*8%mR2auM0yP6eEyd4+7GU)_VwU9HM^W-=3W#CI-OjsvKf{y2
znA_;q3pHrU*F9*f-D?T2@s{Cwfd}_U08MCua^ZFHlbc5?2<+`#RPX%eu@BZOk#2Es
ztw2Vm!&LDrB<d3SC`;d`*X26`dj14SNPn6*a))4R3m&m1U|3S5N4&x|innN$g1&=5
zF?#ZHjAPtXf`A;W%H<8}RVgg6OWx?}KIT=<OtUpEuU)%Y(HM36YDY%jzNeb?&}An|
z+2p4bQ&g|eu~s-ALXe5Djl;?f9OD~x_a_vcs^tY6M-NhsOJ9-S-M+@{m(qK1kAWy!
zOl)h=s9r&-r{j2wXKd)AzOPREX&Jj?kBG<=x%7nl=R31DTZZio-*XRrPh6c_7Rar{
zLl;%MI}L~G#>cB#M{mU=fk?J+G}DR*4j)2C#x|%?_e>@lQ}dFWUC9trQ$F&q;{3C?
z+#Tt;8;{xECvy0!ypuTzp`f?H%nUVBV@j4v&1!V?@<rg}<e59_0<mdy;9wvK+eKqs
z&njH%Y><W1jGTnQ*;|IAf(NI@&yzV`Kktw7;?qW?_HhRsQ2_0`^&J}iRiHy6qiqYn
zo#*4}$P3j8y$kOQB<WmPh(R-$c3PfSq#yQKTnLce<C>gwLVhn=-l^Z4aezYUmzCp|
zW68yaX&v~*AHt`jq&+2LB1fWQ$L4yv?>C9^n(Q^t9O*c{lbh?}7pVXq0AgFT1Vr?t
ztGuRRh#vH%^Ya73z{_e_gbQ**7eeef(LknMo!QqMs_ONs1ahzWzG}ozbKw>@>`{!?
zNad0TTarpYZ3e*9h&7FcM6k#?efwTpkiGMMy(z+3kFO2;h_2|=RdRsZy$&Gg2pPoq
zLA#_d`YGLuzy@gLE)emqKIGByx5o2TC4KtLC6U{!ZculN^*zMYI548$b)urP(VF11
zynu#2)aI(m1dW+$rRQ86G(bK(FU|z~rOb5;=k~;j%~TmrCOo_`1ds76**WdY)5CpB
zlEbs4+MjiPT8>aEcot#zjOTk|DYmobg!Z#1hQ7Dl0j0J?NN+>uc6x<}xu3!zldB(u
z$)Fce-$<OY&A4PfkmYdjd?E(<!W+tux>DkN@v&|0c^pBxQ+UoL&3;wNpYG$d7_<)_
z&-5T|pHOHFoP+Jo&k$-H5sw3m{9Xq8oD~ybkFpuM_!B<3!<mhwie^u;gwuBQr!WA!
zz%yNNpnP&(WnB;wWl2ONF$qU4cKHBGAYAIJ*7xZ{Ch9z0B8m@Mh~#mVZa{buCgJ`}
zJExIPg{;vKZFTOLx{^G0W^lJBkyjXbpQ`zm1L&G^xV+{tnA>_2U{i>KjV-$*oq8Bj
z5S^0J9hPtOWxqBN^G{~w(~&^;?d=m_S;fn|M{f1T2M?(;Y=3$a2KFAdW&%WER;s;P
zDn6Ke=r<RuY1>D&kFxQdjV>57J`!Y3=XwjM*ln|QF+Fz6<~CibM9Kb4&|~KoXSG0h
z^m9c2&OoFX93BHI>bL5?Ch{ORLG9VZx!_NR6~@Hv(JP}z6I|UZD2Hv5OSNVQXSBoj
zRyMtwDt+`p#O<SUPYPM2o4l;|aLlM*M%q}sA~W}$O)?b2gvTI9!k-m?y43iz-|W@&
z#=N($D{sx;v&!X?$BIDt)0yKsCv20uwCq|@9A+WZhu8tMYz+@;#IuqzV_r_V$e6;P
zyb0O68!|zq6DsHtk<tRiB-$AFFd*KMi-ERXV}7dIzSEL{%Z)8QLd`;;aYifXV)iuG
zk!z;$`xy}xFSEd*FH+9rffYC=@a(;NkqVep<xK0X53m+GytudcOge}%utq?kn9$DH
z9=yG$NEHbXrO~O+3zw~E=LJ!G_Fex@P#_Q9oJ^INhAlPfCB^JzdlrkrD3V^n&s2r8
zkV<r|*9O$qG$q{y(g`zXLE*aZ)f;9_OPM^3BuF-#sI!@MqU{;T*Gs-Hp`P9fCS}%M
znyWb29uF6~+u{4HJLt3S?J6LXID5>a*998NZ4VTCoJ)%DQV+R*_GKm4<|((~deS#<
z)+H@x&=)M1=<wj4nk>#+yf#y2<2M#cj-GK`p~ZG<_O3~1)7+j5qg5yonVfRkjE>T%
zz%bb7g#$h-&zlZ<JUlNURK$}Ny2;wdl@4l+r)1qT<)@Q7KJCW|cl#XO2p^qjMsL2y
zOgn8_ZzGy&nq%x7ic(ADwMqCvxJaF4wX8NguQfe6*4Qd?f2+%O=(=tgb38)4@3Zz#
zU$bg|u6BB{anrmAPdk@WsLghsi!1Ds!ZH;8tp1hj)x}(?scor3UNl2E@2HgCfFM1~
zl4ojj^+Fi7xB&s*7U`Vw3TvOpLiN%qsk|$?UUrUpb;E#SP?%-$=G5k^derZX-9juT
z8L|DGEYk8xZ1`OO26{dd;KyWpCF1Yrv`C0d*NCU^Am;^-k^xzpP%nj}ipQ+gnu}84
zE9Joq!f@c3no#3RdvR=cZ*;LFml8>tE4`p2;w><4o%W*@PYeF4pFX_~&WpycZ(`K@
zuF<-$5X~S;cu1d8^6}FvYm0K(pZZT>dlPgQDZcOoS0OT`p{3ENia@;`L}`HOU36&z
z+hYxcRtdfk==a!Oy_GsW9nQzPy*im&qJz)Idz_;?SvLC<0seNqP;Ooixs!z2=ky+c
zppWB2Iybo#5W*#0m(31nc)u_(1d;)d<QOt0>!(dt^VURVrY@RX4_y)*%@we@vYx6P
zt0$+|O!ko!6=X`sLXWoFG*i1gAWIK<C9QeG=>lQdUl_bk{{v2RbuWZ&*g5B%gY@U%
z8HUcz{lK8L-%$vJYeY8vK5aC`mLY>9r3&ToU6h$ps6XW=K%1&+Ya8bP0o#-@8qnU6
z=KACc-b4>+tby)Qhps&WyQ)c%m?oEwYN10(67Bp%;nNBIT?v+;&1p+^mkbb{ANeFi
zArR9%VuHJ7n%Zu5mioPEFL3LCN0?jZ7Kr+6Hs+~xO`>Y4(e|_Mc_1$hSrYf$Wi5b9
zsQIY*)`$ulH7G0t%juDaXacn|CeedKLZ!B9BmKfbK0PsxuG>0b76L}gt;aSDy>U~!
z2oe37MrPx}R;Dx?HyYumA}B*zui-e_&(gKujFMtnbUe5&My|ffs52C@lWK!KC+i8D
zOLTHrnc0=@Y8>TW_g<==ahfbeI15)xYl1@DcV9^8r#sI2Vew_YGI+4_M7g<qC7guO
zeBJg9%$e-FqodiGKPQ2wzb9O8xEiD4bFit94q~i+8;ru!s^CR*&%hWpvv@S}V3jGb
zMB@;>q+>O>rLvzg^vfX5XOG2^p62j-I+O1LOmC*Xu&_^`R63Nm&G81RO>E#vTX=i9
zCBTA;3_QoQp@}Q;3C^8X(~{p=xvp(OeV*_m&~UJp!wP*QeRmtNgRJvRRW^VYNE^`&
zu*#a(ZZyzb5T$R5_J}1_s~g#0;(&X3cLq$1C<L;+nEgV-KOM7Z`Zn$`mWsI7CMh3*
z4X<olD<Y*QQErEtq`R{D;#;Y!ocFVfM)Grckfj<u<ALvyUR4eTRl*diIIquJS1Z+S
z^VS!-Z=7f9tiq^3)#v_P1a2eCsZ>z-;#nW%kpv=P$6%VTpnT%->7CC`G%VYj@j*1W
zx|8v<RODn)f`_fleRz1Tu99N9K+dv5O)u!@6nRtnVldP0NTZ?(autKls;fa2Nyz75
z)rD}RJ#eEck%9~pY+96qs|X4GWa%oX@6MSY6R2h?I~<Exf<0fA;?G<W-?KAP>QK<C
zZ5Q1>*SZZ-g%D1Y=kM<IJK9bv$b+4pdCbvTwEI@xPfS8p9DF$H)%MLqrUOAj8uiUP
zCr*@6gApY2e7PY4wx~dmJ3G4CurygvIUbO)CPEK*DANbG8p=1fBRPGlC}Y3;l;P7)
z!?=&?O&`>y8`VRM*9B7b7S$9I{lPdtW<UoLQw-b2SW0}s<M*z9rmw8jit|IC7^8CM
zt#D7dch?PsmORO*d52i+VY&eY#@Yn{Cqz?6GhL-v`Rd+l7TuP5dhMEm%om0k@0K#c
znH0WI!B1y(sNL$J<@1auIPXP-Vuvy2s#;Ie+XRAMuE=~<4QXew3>o~M+T^RB9xERG
zR7p~^BdMb!-QPX3<_0Er%N0(IU@D`<WecqeQ4fkiWe!Qs^r9@{7Jb3iV-y5BQA*tk
zEL`fTk;b8@TP$C=(5J^*RwmLmrSUVhx9>fCkPBBTG2n}>I@{x;n;RsTPjFO@8yI{k
z-qZ3O{^>2&<HnYl#ae8Nv|@uR$@7vl2EC8EOy5f+d9YmQPZ=%VHYQFYdLl&b3BD<o
zfLpR!FrjU5((Jq^eg$drYFhB{6PZu9ZTH!YAXAI-yhoJPm3`z~0q>4+v9rb79K#__
zWyHbesSy{!sZ}aMQ`yhXOjxtC&tE6{sS${)S{EHn2T{Mrf*aD*lO}n#PsFTFVEG6b
zIZjE5EOM@y2rFKKkv=@HDUs<0I>G_B*pjuUnqS!Pr|$yp<69QE-hKkxQ3wRWt0g14
z5FWZPGXeH)k$n}|34sjS`St4NG*!9Q>CZ%4qNGy6PeVO9V8b7dl(~7Lc;!w!1@(3C
zeWJ#aYWso+E=!d-Mn*tqOj7))MVF+b5hU5k8Xvz_Bayxi1WXx-FLd6g12Y>Cvq3&D
zrQOH!^w9e4QJs%%56+7Vs4Rt7&e62GQbQ;YhN6-z%a<YY{Z`LwC%K8VknSN!@SsT)
zql&^as06vAp-IkXq-pOWOPIL3`cc4>XsmjAkhpl)EOz%y_1-<Vn9RUo+|F>#WN0h+
z^kVr=xgI1BF7&mxy&9SVYRGYag3!gDH}A3MF<u9fi5~B5YcZAhR<mDIY6Y@{rvF07
z-;)F})nu3%00;3nU++5GmbkLyUgHLWu)xCTGo(ILmQikJQ70lJhG?xgKxG4WH=nwz
zogy7dQAHOb={G4_UkK@^E1!ho+)&}&-Q>HgV-ST#mAaiQ?}b_+@h7w8(~1DEY>NH;
zna9cW6~CnH+tB{mxoDaMRr(lh$7ZSC(G5h%n7M>`r;FpJ1M>#b(Z08<$g_1V!qU%2
z+1Zat1|Mn#Iy6DeIw?MZSB8ogt{@ECY0#e-efx8QV$zoO?zlVl5{RMExW*VKhTtlX
z7%8&9a_B92f@@ZweQ=VniP9NhyVzt~`3t2kMT7(z>r~dKe7Y<^-3Mq~0PvjJ7Jzbs
z%o+!Q(Q0O^dD1R$0F9TIE<~v2X7kNpUY!YeL1<>7!wbR<F?nnLg_3<bHQM7eBf-(2
zM<&qk5FZFr4>$8gN%x!yzIE|8FXiHDjG_Ac4a_rA)>ly%l0||O^*bN#agxVt-9LW;
zEEIlz0ct2H*<H!)sH%kL`ZCa89eDFeddO)>#BkTcBS=r2Bgyr5m^#)zYwyZ>@A=t=
z-mK5#FP!|-v&Szh@dV@bo03D*%ep%k4SIV@mTW!XeIg28m43KPZ>;T5jKVjo-}Kse
z^a?7yh>KrHakS;aIUvQvP&lO0)1}fwNRGX{(Rj0ilnNdKF(KP4pwsLP8MDuAVjkcW
z9ts9Oc!3BS!d#vE`gsc<S?zK!<mbDKPxr13^;c`a4_twbJNh|Q3fg+awPR%_(n{-?
zk%h_NJgoHEGxwg7zNerajcuoxI}#T*KWDM>w4rms$kAyYs+Q8wVtFm;^(^!O^&&lL
zA!Xl9_25L(aDvoF)v>ptJ+`FNPd6;>TKw|(FfB>Wb$c3*4sG>)VD;cTT`$T|#iqSZ
zg;Q;x%VM($3@<Cx+0w*H*yOfdf=A~uY_4k-eIVRs=8_q!LFa^rFYSI`|4VxJh)=ZE
z!AeovZt}TW;vfwqsy}%W*9Naw8FQE{vWRFpEoX8iWXPi{JwoTHid;r%t+)X&(5gra
zwv!xV740WlpN<|$7`2ZLxkk(ZW#cAQ8;-`gvqibgG%Jq%c;DF`QFOh>4DTu*;9gNp
zjcspmAP|MCVEfOUiH`^9U7EDdQ!*Bh@-u%-^I{Jln(xa@vT0WB=rXsXSH|}+ERE=p
zfe{^3FLmFkBAEwIS`nvMR0ZGK7+XG!2f<%>p?*&&N2S3vFeZBuom<mHIrqRlLz3mu
zDH{PVIaf84x;d=5jrx#xvxhyQ(<I7tG49?vdJ;xIyCK~30q_~lREBj@RPhukQ7JX!
z2zsOiE<yDg$1KGQ)DC1x!rls?k|#|m)6vX~u^J;rPKw$a=nZPi4DgDLek`8~qfeLL
zhKn#nKy6J*upEa$ePjaKtM?v)#0_b@N0pi6t)0MDM7!B9M#kec)Tt82QG;&`tY;C<
z3jNGkVJ}=ct}XMSkjmSqzTiiZcVnP9?=7D&)xOF`jdru7O{+Hsqt$R~UJITH`bd0F
z3=tV&kjp&`X+VXcG{7HDePYI+eh<@6(2?0XnbL{q){^TUUB`LYdnD0!DlG6uLGadJ
zVcOjgbUmA=p}mBZ>RJ`Gk)DOEVWp$V{PS&=PNJgV^`Nse8>#biK#XK~7Fv|D^3HZz
z+p1k1jV0Fj^jgHN&Fb2)M7Pxf<kAiWgD(!bFEOCn3PgZY%&9%UP<x-wKTEEak3iQ8
zKn&kGTw%}U)@<NVoIeHLm%P>R)b%3rX~()lg|^sp5^-90q$FKQ7rSc}i&M5o_j|K&
z4}xW_1JE5`za=A_D9PO&W&;gi^L<7&6h~z5QRj<C1&SWcPjB*tBk}f10Qx>^FWY6u
zzzZ{vdYQpQoIVbFpSXSYfZggw2Qd=rI=*NyI80+gX3>#()fm~74{_UjcGpr2mzH4j
z6mOuJ6YjPsY^KaI>>wWsKbumm&Y#G&4?Vh)J8bPiOn8u+$I=b4ERtce@MZ_c`JtQF
zj?A4`)nIAd8zkx#W{7NX6Rwb<6f?rPL0W_KJ)}ik)LFQRFXX;2iVwA<r{gvRYgn<y
zvaXRJ1>~9dR=VGe`i;Nk7%qrxk{33t^|))TTvC&JYtpCQio9sv6|B<h(rnyc*bR=1
z%-CRPxz)a8KbokQ8gntXkh<P$Sm1p`ZKnp?N5-4SA%k?Syl4++50SeK;e`RlOKWQf
zTVaf`Dg!!#67?_azHgAya(Sx9v~bRd&9px0<S*Zjf(NFgt-uw9XmMAj#kFcDn?8j_
zfQRw`uc=(nTb}?Ox^3dC>kwd*Fp!_<InpyI8e}P5tcG@(1{JD{)254E14~*}L&xqo
z^{BSF=#Gd2H&j>8%QmO?3I)qZ638Y<Aj=Yr^J%OdL`^}7e4+P!wKP;)T%cM^>(m%?
zSJiXk+_!riWO&@9DSg(vAl2!Nil918OK8Omb54lB7BQz|&k=Tqm2>)KMI0+U&7U0>
zcu%VYnKI_R%?)lNpu(ro)KtL+I*^P-LB#zKlS2ef;W#Qp^adW(m0X-b1S6Nbz4je7
z>ub5-iKKX#QGon?=X~FHPP$1(oT?;a!WO0wgv-@<e!zrKrt^61Js(t$1Z6iX9en*x
z2R1XbQ2+$l@NCBOA;#IH^mFd!RU>Y|tKV}LacvHSfu&hd$PLjg0Fo24Hw~*ZP=Z_`
zzDi0!>Nk6RpvUeuI%Nrov+$}pqGp3eYYhWlMy6Fz?OXx@AC4F3eIochImqC%my%gB
z^oX)k_c@}QGp7<#4Gmo26HK)kbDitJxgEh`xo3;B<>^_kqD!p|(4w34L^#(<G(w{n
z1<QZWs+>OMV)lv&A;1CW-ZXccY`i?>JDom(8bVkpl`EFT+T7U@QJ^g*b}&+)aDL%5
zX7%`OJhT`{-bIk$CxNhw)BS~Ed`}aGH5L!=;T*h|6lCdlBK7L2HS>VSLAYm<@KC&*
zsVOF5XqZRfg)k8kPJGaCVEoh{fX-Q*L4+He)(I10`fn7uY{Kstg^GY)=DbU&2h;j!
z{n0#O2HD;tbFsJVibltc`u6QrG=*RiUmK5eqt*+6tDxNSy#+1t3-s!j&v9Q9e{~Z1
zzP_GV>tC(0X^I}S_@pD|u;}Rncb>GE*b!24iRnpiZl(n(;0b?+Sucr!9%X5n535g0
zX5#Ab3m;)NTz>_P^XjK3ZV9N>nNm_<ABpE^q@yMjcr4VscfL~g`V^{HpYdA>7w#?}
z2<)L{zJN?nzOs1KC!sP=f&lQn#smk<8jXyEc=?6n_q}$5G}jCAbcNA$>aLqo%e}S6
zR4zD%2hH=(Q}#F$8C!7~8~0Jq<-K~-vtp5KivoMKCn8d>vFpL(7-vbNw{*F`Z*{Q5
zqX3nUP|jim;91q}2+Y~&nug#T3(Xr;o!w6N8thugYomO)z-URtL{jg>oz95!x{~v(
zpV*d=#M4P_;VSq-^83Pzx?Vhf;l5D?Z#FvgNXZ<r!?^dQP-s0f>g3(qa!3`bIl}v^
zD2{20_~ML*gNsINB7wrrl8)A*Z<6DZgXb_C;1`z8KnO~RHW|TWD}-Ym$czMD#|Ifk
zscj<L`P38|!k-)70vo*)yps2@xo3FjU1B+s3BqVT>Ra>zUx&~g1KMNmPb@$C%=M$U
zTV#!%hz)ogEh6J(o(@v(Q;E}*k9K6KVcXd5)Qg_zIBdBrqT##b^Ub;n(BVc4eO>Ql
zO^c$@ROZhUu$Jxmr!qU^KuasK{7m~DPpz7b)GJ2dN38EXe{I$?-ZG<&33Z0nrt3Tz
zMfG-WUpF#0Ub}MWdUM7;x)}n&xX#1~4fMD#G{3LNS<BC;<gJnMtEsdJ6gSqVj|BT2
zVKHA-2aR2JBul?#Cb|P0Vu!BGx93-2Lzsl*Wfdo-6UT3nkE89bX^r-oyGumn?;PH9
zrf6p|>CdD%-xM-vN9Va6=DKW$8KDP_FTudd+jiQugrh+_!c@%d@ks60Cx9_l4rcG!
z-U82_5I7*DC$7IQJm2@-SuYM!<*4(8k8xDIH@bH`DO;6dYZLuY!jlU2vBPoSt7oxI
z{CoiAZk0sISP)TOULV)1R|hfL&)&NkIHfTGi+K+Ww0=)EQQn4+(BWXmg(XS{U2{Ro
ztZ2%b7Y|f9XpOmS_in5a&r%y&49Ga~_%<;iC<f5l@?8R;Nl8|kx?*+Ou7f`D`a)Fb
zTcPb{%AJdy;Wge;PMwwVvYpBG+%^;e$#dVVdUnX1EK@Wq7+MX#IMQ+>A%8)g*72Ge
z7xzTV-c+eHWwT&7-W212wpqTP2`S4sAx$d68g`v2nt62(*<-^A4bj!kO!6oMZRf7`
zAq=qL<JQM`v%}-PMh>pcg0%4t*emF933NHZG`%OnGJ#*1e&4p^opt(R$|HWQBiwEL
zs(2U$+AF=~++nkPNNxw&f-?+oYnebG$o0ne5p6I|M2AnlIa`C=_pGwK?<R<y#?#Cc
zk|eI*)foMJ`+F}-d(xf5C=z%9z@I9-LObA=k+E&!e$Hx;$cre(jT`(dmA5rgvWk#F
zF4$>%GP7D;;DY?Yx}N*J$-184ZumsiKf65FkRzV%Q0c+DV-LyR9jiT`o+n#KXo1xj
zFX0@NK<lo#f*hNQ!3)zUdI20UW*AgA*gSi>1u{IHmcZB@ptNUd<u){4j{eN^$&2a*
zqm7SuW6?G@C>SbiRRLJEjB~4G)B$7$2kgarg2@I#XT@;`42`)sw%2c=S=F{IO<T#f
z@v*#qr)i-}tzWpBe&V`2(UoYC0I^NmBH(5`!ywPB6VX;jG*-3b^tD#&bHHAb^hdAv
zCFzJsdFmCy=I{+h(9X<m)7BaaOoyLxPBXFXiB%wnWqSV1rOILti|tf<r1wn?o_Tgp
zfL$m)T{9@+fTwvC=okp4NCT_l5AR&nL3hWwIoAN`T4WzJ-*vPu4{$HJ!FzNRob}nQ
zzAx^TQfejJoP3u{jWOeBnzU!q&=bH$GEX|X3?MQ98VWisDbz9~SDiFcr_P^hTdBX7
zI0~Mvif4NVAneP;Q*zY$UYQro^I1&r%%5(c6p@5oSd0g$TWaGpZ;hQ^0CJghRM*RQ
z`!Ikt6&|M{@J45p4T(vhS-;W;fNTcAeH_QqQK%%Xj=>t2Y;yTxzOaq&o6TO5W{Vo5
z+H`i7D+JSyBAv?Ji*mS(T$QJ?B9FS1z+?_va^+p+n{u#Pk^%!@-b*5`87Um@c&&>8
z(LkjH^9qYoJ8p;G7}yJipB)VBAkm-kt9(^Pc&uZE#m=X75j}Dy@o@X_j*3YRI4=wa
zr|^I!ObiHuPa;hb>OkHg0owK`!XNYpidpzV&&~DAYxVo8Uv(4AgEv+u@v`k63z<!$
zjgO?1?;GR^9Xfq$hFLX&De1Xs4{N(?rqHZ<6NDab4FLDe=DJyTzR7qBQfe9)7~=)Z
zXEyAw6HtO1>*tgeU{GGTOw@fb%3wQ<c+GE--Cn;in~YOn8PLnqXJcn0ubc!*9@={p
zp4szS-b6jD2QD)#{Q~nTj=-y_N7qOP+@JV<Z}R}mBjSder97|hfoj(*vv?q@99)|;
zl55YnUkYAUyo>VLvyN<WN}1{jakRX$!Fqnm25&K%D)Y_pvwJ=-brcwooA_`;5l2F{
zvf28l_cmWGlZd`2lk*t*P;QYPmu9`kFLs-15t$0qVP)r_z)R#XYoGDsXjw1;WQtG>
zxj}*^wF(62XJ%H+flS-{y8TnZ_}SI;A;@;RvY<4<T3=;CLb*f0Q`C2CZ#1x{Mg=@G
ztI;tovi+4%<uw-ETF+FAyi)K6Y!7&?8sk%pnh?VIT77$&-nQh6yD5pp8chnyg#C$e
zF0YFA#hXIN<wh4)N>!5H7G9`)(>AE!$w$}8{f_ZGZm~dbqm!R3pKPclZ}n+nqAool
z9O<V46Qz%ybGD_2eql_X{cWDgt0nh}<1)mi0RogTPwy6ch9l~b5R@tW&e*68do#;O
zlAZfq-y5IJ6#FY>LG&0Y6u0}LTn}G3R!Z$?mehOUi>K|>+PQj-&z}^x|Lk-*>1*E0
ztMi^!QrYx{8~Uxy<6<9mL|ZY7e7G}yX@ud+#f=Sw5+v0z0Cq#oB0Hn%2~D;KcOGZj
z=fcYKI(7l@3uXT7bVw5%&)pd$J9Jf!>R_?Zo1z15V+`Mn#Hrv3m3uLOx41tRc@C<Z
zbp09u5xoPCNkoZW%7a<mo2gC;-NP#Yet1%Vw|$LIYl;MmYjQ-ihkj0NqA`)+a|Hlc
zYsm4SpT0(nlYEU8cVXicHt^btrk6(j<u2-b+)OJ~#3I?A%t|i?D|55n)xgUNr_n<5
z8AvIq_Ai{@XU}uPgt3%kZJxxrUa{=)EPrlI_AZB6tC4MM^zNy6$+O1k%ThUD%M?GB
zJ=DB=S!-6Qcq&eMR;!LBr6Y-(4lYZ%(Ib5jfo`6RSn?uuG>;g5A&vZaxd)ZT!u2s$
z)~d2|`2z}7(ZFTxys)0^MB9xG8+!yelukZI8&@^5V9q!J2eEnFu3UpaJ%u}4?K$Ep
zyuF`D`}gJ>>fP<Vd1BROh<7j3h!{Ib^0a6P^t{d`#!b9D(t21CWQv4+Kqs9mM^2S1
z5mQc2@rd<C&PTXqJr13dds|UTpsm$$&3F*v&R$?iHxY%l{KC2_0jD-Y6)u``>^+52
zOQ-k10JkCpAK&%a<5w~?`<A7hx=n1(Oy?;^%=j9M<QCqebU!_)61X9bHui87-8WP9
znKVQ{u{QEqr7>|)0qECe`N$Qi$Kf4A^C1lD6=Ae=LMDTeW?{g}@sY)XF^}0AsWn<H
z*$}EgM!vyiI(?yJ%088oVL)x23``n3_yAwgai5pR+iVwkKRtxhtLZHT2hAj^Sy^%~
zBVxpRPJ>oC*eH<gE{8+W46b6War4f4CDaDqbypBfb^#3ZLI~?_P^#+dB3KQY!0~To
z>t{z)ettx;RyfCH25lzqt)S|HqYGSOYrCVyl)X0HM_b{1*+r%~nlN~2B`~~PdOa4g
z9rg@@AT4X>*^v94J1@OX!nSijt>CJtSTL`tFyNsw$5Pav31l02Ip9*|rV&BjGIgBP
z$?Aq(HNPeY4}N+_G+|1$b(;7t?V@Q_9}n)>wg$<-B|-Q(z5wx!7@!>KQmofqsZZ?-
zZ~N?xuaN9!W!9Jz)uG7(SXs$dIop#D>lxUDQ|Bg$tH?wh`g!E7JS2Ngm4FNGPb6Nc
zA%iB6bfmPDUT{Hj2+_2gJ+@kDdaPZ?0KJx__AK~aUo+%pp8m{yH<HY6UfD$(rB5LR
zb^Bq|Q39Makv1wTJqLP5+~uZVkfCDtJc|qG5d{I2Rkc14&gac{TESU}NqJ0cM%d8}
z@rAg5c1iH3cmUdWuUlW4P=^?~tt4D#HAqL@c?|JQ01eY?ivX_Y*X8H;3h?;P(4Mmd
z56J-lyK4AJ&e~<phN9fGz%ZH1rr^Brc>AO>dD_61=&5__126SL{5g%IwnJCe4p<8u
zHI|z7;}x3qK{UaYw-UP0@QR%+ZTV%~$<T(cwKzJtMWgt$L7!gt%>ZDw>h~OxHoO-R
z-3eO!6LbG`6>mTH7lj0?3mu`6;;MNPm`+ha$J`V7k})*I5})@AWM5o5X;X~Uk)5rL
zknC~X_Nr*B=<8JT0msc)k~A5PDR_%M&m;(XoxI|$5j{M5Q%3T%SSVqCdU?KexpRF^
zjnJBz)fOqnUFVUIL52upB1cq0QDc34+O1vTiYpK*Mvv0GpdruvE-b4X)7hO2M%#yh
z=1E7T_=ER_dVF@y@)3PTA#WM4<SqGi+T-&#KF!YqyF_2>EAX>2RMy!VeVw>dQ)$=I
zybs_-Z#Y$@w=Ebj@LOhNe;TqeYg&Tvj;{I%%XaNnGgp%x#i5@b**XvxT$P?E|Gt@q
z<(1iRoCmyIPeF>bnfC3Vfb0h>x>&+9Aa-fuuaYq@FZQHV48pDvWiy%Ac9wMpz?nwP
zwg#;E6&S9uILvT<;BN3f9cIL{RprtjKU#&}+hr`wx7kw=bVxMU>I?y9xr4_m<R|7X
zu^an(uU;DY##5#jWThrO?_RdQ(>KMFed_{^GwAkS+w1L~xP8-v4_pxZ9=y%c@q0og
z?@>PceF-SKmdM9Rs@g%I6^!;Q$YoWb)S&ec@ghP**HLg`%Ll32sUvNz_<Z!(DSblC
zWb>h&$-5Jw#mXkbs{yA6hvoW(Jbq7_CbBfNGT2yvqEEDh!-Vf1stV3~8oq7-G<}NG
zmsD?!j`U6BNZ=ga>{>l6+5#ZwmfR|Sh)i5+w3+y%1xe85PxWxj;_wQHNlIr^MS+iB
z+#4A$bDH6&(ft#9NHxy$w=~3P<&bV%x9mkiZe-xao);CO%OWqErkBpF9YumCA{f>(
zRkg)R!Wax`rC&yg`HP(yLrOM>2U|{W{0n=6Pq#sbSxiMl#9b4AmDI0*K*D>(Ubfjj
zc<aK0k_gy(lC;teI5sZRA>^9q@Y)Tk;s9>mbOC2NlamRGJH~X5k?`^I5L<4hg$1dn
zOkry;c*eFhiG?}0=QUp7?@J91KYj9)w`zi^jbZ-)Z3NGBb+9Qlmjmh7>u|izK<Bns
z-Gy21Z%GcPN1n^DivUH)TGrAYV*M#%fpu&vxZZJmqW{@p`&gX2=H_)Z8Yma8O+W!1
ztS;?>T*R0yy%hxx5|(|oAYg`K7wX9JUZTO%z<04%`b;T_`z&AF3MJ%gz*dI7bt5as
ztBCZtvu?!c6f_30g@;ytYZ-f$Iw370_j7JKvCBY7b6W1!aFj~IxJQ}PMAT!)5QmWG
zkJ(@GaByTo1<iyQs%u*)E@<7Zqa)e1lpIs5-OHprgn5_jr?LU_g+J@3=NnxE@q@hx
zM5!F33u?f94Z#%>aoX2Uy4Yb?UAtrpFxEk{qDEwuUlu~9QidROgBtbl&Xjnx%~7dc
z4>QFn7Up{ox6>_|+fQWjT~&_sQIU|9Z#Y*mCSA_93GvStAjnRgELQ~OAsN$PZ`AGR
zm}T?Cp6IYxs>_}UO-i7>;UkXBSa^qzkbUAI7h%9tmAyAdr@X3MFMyp@;W?f;D}6EW
zKD(~zZeNI|kiIxK6LNey%REOfdK_R0o#FoYJvfri7?lS%`#^z-VLR0n4w0knNPV`F
zKtUOIGpO+HKrZ-3#OP`%#A17%S9AJk)7DEZ(q$iQxjJfacrSPJ8KfT_{hY0cGhf+j
zdF%HCKwfFqRO@N;zQ?M0y$unCB4#oR59+w0XQ15VVqU;yYP>`5uDfmRESnWeiEU*v
zdXOzKN+VE&{l$UMCkHtVr5e17O&Uk$tMOh+(l`Tz<30eQbB=6%kKO9B16)-AT$*}X
zTyFDO#n1|kN>WjzO|!uR+>=q5fg!wDs({N448|yY<t?I8@Q8b_oNVNffEg%b0EPI4
z=bJ)cdq2HML3$fCEz^sH<XK!dQpiIr%@CSiV(!Rp7abk64oB)BKyv};0U$4l@BxFT
zttovRzKh#obAe9He4VcP%oW`}JF$Lt;>EkmaMJGea;^SDz~b%me%f<v1juJj+dH^y
zP8wykR8}X*_8^E9bCF=3s8(H$*3wz^RbMUptt<1<TV=jm4EM!q$v%k`H?T;t41}6g
z0EKlaIVn9eJrD}znCRYDKNC?)3h9_Q>O3srI@DM2)E3GiBm50I!%oG#INRp!+bh7N
zc6te?PfR%TDUYaikvZjcQBe~DZK}Q&jqtMoC1t(FPaeLf-nhuBRFR-vz^OOALQ`1*
z1%3?=gB8evcHd-@GBA$>IEq_ARPBp_dePw|L*x&N?qs3`MJ`OvkDAsppiPGMrNe_;
zj#IA6s|P%><lS7Z3vW4IM#nm+)Ns38#zC70D!|W)j5y+9G9o}07QH+gyghs|l?;F&
z$yi3|M`+8S2?{hu)IAcM#H+$FybnXt7O4{>mnzrGIpQp11g01Wb;J0m?u!Zg?9S|o
zkSx?GxpV1@(fZ77e4{x{rjE<iUR@SN$<#GUDi6Zts`g;&>d+G!5ev1=9FKe*{$7|{
zK{4v<lrppoK6+bF0@_;!UDf4dRFp;$d;yU;K?m<Glq7XzM;B^BC!OQH_{GI&77Wxw
z9jt2qGpBF?aWTaTG?P?du)ORuh{v}ju44A56qz=KtmsQMYAq3=OtreigVEHB$Hjrv
zL{YwgA`S4_r~P}wJl?wRMK!YWJ4CS;P0t&x2cMS_iX}B$orlJzbG^|@Z`dV6Z1P>i
z7jlo`g@g)0?_&jc1*D~oXB1S?kF`LgtBgh%#uWz1G*N(3@WFEP$;)6>-Zun0+e}0L
zmPGWO(hHFi`uQ>%lKcs<dXqaKFKr=)u6Qu_g1APP$R*XJ;=}}<a|Q59%q&!pb?Q_<
zJ;|djTX)8FRd@Hg&8K62Z^)jbk0{e;uL$~NW3Q|8o?s)z)B;rW9yHsF;oX>rZ8ZXr
zvk!V&Wp=76r`#o_@D)=+!+@KU5a2Q}xu-Gvqf1+fXlTK=V16L&gl+j=cmehUVA?oz
zqr?u9OSE1RUJsUi&230d^r*{Fi@>A1@fRQF1W5p*bM|mC?%tq)DnIu=*9%q_-iRfs
zU?MmnhPrBGR<0*LIu&#=gg6GmN(E?6+lZchD_ps+HJjR21`zS;gAa$#-u;+c7#JCq
zUIP%0t0#k#Jd^c-8U~>RB6Q&Jd!6qQS2*D-t<7x0b_Yvp=JO7&c~lV8jRo2}$3$;r
z2e&EA-+S+f7Cc2V#pO{6y#ngtk&)8?%Ui>iv8P1zk}oD!cx}O-PFKC&UyMNb%g5xJ
z+(mRHapn$-_?CD%hYRL0kQ|5GK&D>$3a^6dIovZ1dN@6x^cdSt4XMRim&s&@kE$hb
zN~Z}{Y9WL_8Tstu>BbAK)~OtSzM{?mewL|BZ(dl4z()0gzD``c3QLB<XG!n)RJ9?E
z#*m-ytO54Xpe>Pb^Bdge(q~h>N9Pvzw%oCwGn56gc?aN@k!(t%5u>(_f-dCQ+?%sA
z-51cqP*gehME&=)oyq_&>{P%ddh9*5aF-r=Y^krCLs9Ha_o^%^qM~M87zP{%GE@o^
z#H&$y`Uc8Nh{BROnk<SsT%p0J=e_qLqvyUj!S87sG|)=l#q=Bwjaz#v8kfFPaYOZW
zxJ-w08h@w2fGdj2NE27RO2?6U^-LFVgXBo7J8)JB--}umcrEapA#*t%gtlLs##2EM
zWR-cl0R{-T9i<MgN1J}0W#x#Qo)i2=I!dV(@|pegt|bt1e}hQG?qChn$U^UrXjuM(
zTAVALcgPs~)DOhSl#I#)(-eEQbv%cbk9l2lV<L&4I#sWwu%i--1`YK&;TJ3P+1U@d
z!>EP2xclXsBk!=IImBM@C`Wm!weGG=kGB}TDW@<WS{K4Y2A6PoXapEmQP?Gw#OO65
z_6Fw&?d9QffB2#@itarfg_xrUz04vJAy&Ta;HDD^F1g?@z^Ww_i=a+UJH<yPi#?})
z@p7kW1ACiKRt~bd(D-_(*0h8Mj;~ocZyAR$o{>Eo;}z{)$_mVQ^N?BkU6ORo=+<C@
zo3eE#2}F!!jDiODDOG&&!k;~US<GQ8EF$N%nXt^8DRu5+-eWaGVY0s0FU5DFYkKCn
zo@$%}dW^itV11WPDVRbkZ`%l~II}{gw_duY=4G&xP6e@`ZIB=H@>ROPJW+)`=L$E?
z?!2Uoa7&U`$kw{}APF^a5i}mMKmWzdL+1-MiM0kLKe~1d3$k~Q5HTOu$W*bqR1q4y
zUM<++L4C7*<jEO<#lVYW<+@a8Qt1&-(uLkd2csWSp+e%m`Ft_&v)k+22Eq<;S-`v1
zVXP9E_u8T~g2zbBQF-dwi)RVKYELl+#Q`;^=<!MW2xJDGKo;wY#T`vnnL|<u1shBz
zMG#nD^$ceu34jhpzr$PReTAFbj56N3i)#!@e1q}OO)BVZiH#04?etso(O=xegVuw}
zKE!<mPwp`R@VN(>8^lHP_&$P;L_?7iTQeP_dJI~XFXxQVz)$y{*n2PQ&mq}p2`ua3
z$eyISQ0zdF_9r)=eP2ReWeHLrlZ|T0#8D_ZfWre)dO4=#0$L)no6b(6#Ps@}&{e)9
zWSHeel|gjIB!h{ruwHK(rVKrSF;sx6*GcMq;TtgeLJLwABPG3+r*u3)`OUSqZTn_4
zfR^?XJuHGAj5WtRf+sKA{pUoFMhC49jKC%+8i);6=okkTgY*R7HZ_|-7cEDSCV4((
z&9d$3nHbGb7}R!sGvcC8#_jM)OEC&N9*e5zDB5k<e6b_n34kXqsHjE7AX3zgUP9gl
zoF6~C#|6af7cYT#m{yNjRqw=sCSN<&^uoZpHoUxfJ5ASK4<9y#N$G(pM`6V4FrLWB
z>*a}I6;}e_7cR(kiK;_Nv5arR-a}O@0DJh>IL2=4;Fg=I(K69JU7deB8%$-&@)JIq
zyk2CP27E_;bsF6MwrpN)mqYRt)1s~iC>7sHG|tUsF^#_=Ab-k~lx^qdKCcXj&n=#E
zCHkGpcWTz}EWo&4?_xm-M;M1F*`Zb@vPSfBTexdD3NMQoHr3GId$3YCC{L`0<U|SH
zWuRR?U)2EAuIG(+jf?w)>=oBDwpf6C?2r3g0aHZqA#NiH@JePs9#_-EA`08K1P7S9
zU3e6<!FGfVAcyu4pD{fAnF@jvB2c0^6s=4O-ABl--xRrZ)w`Lgl$<wRukZRzOPEqs
zKTPrAH22L#q1*&|)vx;<#kG}Zse?+Yt3bjlK}XLohU|M+FTTmQY3yM<1?9E25>d7H
z1cQx7SEt7?WYb-)BXB&_lp@F^ni2wl0_h5Tp-am2UZ7HLd7oRMQ6J}E013}2(wP+=
zv@k7~Tt_qw<N2uoqJ|{6CCl#HU0LSWtTDbTLvb47DC4S=5p#SN4}QKPkktr(yAhdG
z?SkN(`QEPR?Vf8tad%hyvomN*hZo?GYc5{FjS<4>j<wRjTI09QO5U`b8Nrd{UN8Gq
zlbbeOefA*#-Ue9fLQ~m`=T9XFUESdwoYe@-FtIpKo4<?j4DP|s*ShC#9!@(p^@HPA
zQoEYLu2x)A2_V#R606557U<1RYlg#&5J=SRRj|0i{gwy09{0W%1}6&*7DG8UmMkxN
zOiZB(t5E7a6OVOWAJf8(-ub;lTcYD7;U-aTX5rP~p^;RX*2<=?p7edZF8(gY1y_OQ
zvAtk@z&GlCfGo?(vknnQFJ=f^Q9~Lbnruhz-D`C4x=)t;)9W-KktyqGk?&mUvmocu
z_ujH$>ytq6yoqL+8e&-}ExmjFHpSOOUJU>}g~wck`Z@*I)z9MDAHXmcv@h$RR_+P7
zaQB08c`ileF1E>7vZ?#JFX=dKkJ$lK$Hv3rCR@=nhsV}kXY(C^<h~q`70};X0~~bL
zeoM_;WN9y>M*$l2abQjC%#)`t#X``j-QwBvO2OnOt(Qv`cw*uYaNj+$5h!)1!Z`@D
zFm391OpO`Exxk-1#b;&^AI*qred129NHkE*ApN1i10(G2n^zW_Jzgrwrq(N!w)PNS
zhfB6-d3WU2px)NJo|K$IhJrg{if$i8+`>26q@HxK%G?pN%n^2*4_hd$Ws%WFN+x$$
zw$esYVV?|M+GbX>oHP|A9I*v4hA<QL+h0s|!7w)(x2aSm8@>_E*Z2HJnIOws7;P;J
z^XW6nD-$KA9<mdB#?u!yHrbeIry4AL<HtibXv4R>#q8>)+sU3TA4~;&ria?g5_=pv
zc3x^AOCu#-)Ywi?MQ{0D<?{Mf59`z!zg>JQqgi2;JHzsTSf1)Si3{w$7NpIvkgOZ#
zV}^+vJBwASD&^EomsynB+)X_nf|ukW3KC1oG>EP^SFkG8VA-B1!R{l?WVS>`uBUP*
zD<!#&Kiy9(a-dD10vFV<$_}1W3Wl=`isWLxsUSpJ)vG~qXIW?fNkF#0ilsxM^p@Ac
za6!s^x@|>7o!mQ5>XjtDM>-KL(O9YwUtHm5j_?)7_bvl1MqQt|67@cTw&$eKA%m5V
z%P&eIYdd{{pZlcoQ{H=k;q?af3JMI20QuR1fZkyYU~R%ZD$k2GOgyYXb#nxbdBf~C
zdjNG0<Ej7{80XaRUb2OS=sOK^nvGU@VE$|dCIuu5^<e|epBIkv3;#LQsz<x|c)r&b
zn+IYs9on#VYs35kPa+k>Ygb|Ml>=zaX(|{Ll@3?wSTlC#LTo?axfe4?l}7Etl)lfj
zUOkj?)=#$RGf|XCBWx~gtG`Aa<fnWT6j(>vPD_{Yh%%xLr(PbunP@xaofNt;9zg4c
zqp3B1<BSL61Oqy99+TbA#W?W2^S*f&LBxf57r>YZ(xnL$m4>S;t~M?y@*=R==eT3f
z8y7dyl%ZC!GpkdB9GW8<uPl)UDfjy49JO!y#Xfv(@$!|94?*y4*3$`O!oC5I!W-`r
zly|)RNS~Y%a|WSK!8>qR$@4<dHK!cZg+dv}hsJAueX`c)n}YYr*Jrk%-AxTXak;mn
zr|16X-uo;yz;k=7AH}}feh0HS&<W^#Nq`Am_);j!#<F4cP8BSf9`D8#V)gM7!@D)P
z>zUD(rlov6Pfoc*X#hc=fcUVA;e(etRPWw1k;iXLBYd47L^FY8qM}T_2VzqZNQ^^W
zkCdL+J9+YpF>1djdI5og)_ECoI1sx^xN}?70FxE(vB*f!+$55pvk|$NFNeyosfEOF
z&+J<(wFRPwN8a+#mU+|Oasbl>`{oy8{FyQ)3vn6>o=w3cNO3vQel)>oB1$gw$X~>%
zCQLcvALLnd)^oRm@_6OS2oXx3x>j4MyQQ$_yw@ObxQ~>v`fYp0QNlA+9w$on@YsEs
z1z4}~P_aO1+_<nW+5LtA1>Y$VJrt{`y+_<;&SjbH!!Rm6Sd~8N(KNp}<6QIyl=F}{
z4|81o2}oc+J=MoJk0>c7nC9Z;MHVlKo`Z@>@fHldoi<@Kk_Be<XGJT9xvEx*kues@
zi|X+_Pv(oW_n9{yZA8*J<Sr}#l10+vcgDDY!!O?}Oh-T?4Z;QqXoh1X*m4GmW0LiF
zDcK=0orb+c_$(q&AH8*nAsh2}Y!yRB59+*Gaw@O4n~CaqCV><MhtjyX3T0*2h<o*E
zSF`&-1lK6hh3?2xd`(iCktt;2v6**$XftO&d)e_K#VfUO6I8i@n0di7B0+Cs$yYcp
zY0@E3$41^_G#UsJj-svbiEiaHwb942;d;Bd6)M{=L~po(W|7>lS{1)olh5SA9rg4H
zG#quVFFWyhO+7L@#<KT%X$uYH)lBQ$vF6#mxbh?>=;oU9g``c298Qs0M3o_ooSi8_
z6B1q;d>$L6Hv_cPJe;rOjlyz1V}8vR$SoSe=BXMRWi;DNdGh#O@I6J-t%LXanZKvj
z2Jj398tOrNf_poP<IfC|$sAs7lUwhII(0DE3R)p7U*wcdHSjf@5NYarM`#pUCt}Y?
zqg?UYil|ybw3o*x$v2K<yh9?YRk#Osp<U=1fAOa9>5#Z8ugtno<fP5QF!jyF%J6H_
z<j&Ey(_(<(m@Nzhh^K)$nGjO@DrH<XAj9;LE6a$G9&bE7o93D~)#eegD*PUzTRL9k
z^hk2ck-Tar(E=1dd1^e}NKB_2=v&v?g1u^+TkvS&#CH4DZ6GXa<e3-GJ|AS8dq@7@
z7js@+wX9RiAXg>gn@^2!NM<dw%)?il*K3Z{0Er&Ewa{yIekM(i+GZg@!SfxODi5KN
z>BYN;?iG&`7&uCneKhx*xz9ABq^I8KsgWuHD3Q@mYk@~XMZ=FKn`h0U{11=lN4Ri=
z6(Wh+hSIo=OVrC-`lP(xk@6|1!X^WGIPTVHdvmfHxs(RB?~2BIX+2125w<wdgi27t
zT2mvl9wc{$v#nPRs`Rq72$v}wc{X5h#b~ZP5*-PePeEB^NPZ?sbDHZc6<AB3+(<y^
z0-zaS<GLC~dUhGE;HG1DH#B0+B1a&vi}tpjw7B7szk6ChV&VK=vSI9H@f#Ernt`g;
z{^HK`lRLrGEACegZLQu4h-$J5@wP;>POcfmnBG?FGjkG9yg0J8jHk?5gO?JX_H<v0
zS?3A87TQL0e})%S-fTx~A)Oc_67!yR7HU^dZ$MdGB9Qj3S>4OR65y7K*F>T@CdHer
zH!@wJ+4%}MonKwOjl6L0?K;Ypu&#ix`2F(ojj-=~u~fWuk$LSt6f5{DVW@qU4D|T)
zQj+>z$jOvcmPBJ}H0nN=NDO1hDq5`rMWOd(Cmoh+rB{W3cvEa;zu5E7gyNY8M%U{}
z6IzW>+=1;7yTM>|MIfDa2wCH_Jx+b_ps@PICi0+*IZDGunBy$xRLOhXi|t`6g6_R}
zM3@=ssO+;KxmZjT?Dw>K1?6#xZBM->RWc%pK?|Qnt_@g(y=@w>=Wn72ligq`GZwT7
zGijis?-77QI%MGNqTWyEG^U})hsFHj0$}bjs6<6p>_nWB=CE`T_$#qdSV^g8gq%aj
zF46NK^tB|ZHL(sXJE{rEnfa<M+q_faboYnk`<XD~Gph(+px*!#8eomUJMY<a;OtJq
zZ1fg=SpiLnHYq`EqoMAn;vgm*B7*BZ%nP>%-l;oJ+~*BGDBkxPm{?>ETNp*(*ga=4
zVSbOFq?+R*_Q*m=8PCZ%wdZmUfSU!YhpOSmvu>fKqL`kiJOK$EL4o9xL{yT5_ynpN
z7U(@+`o&<_G%4ufJFC0H>wICMvaFrS>DV{=BnC*HP@KNW2X|}lQG+K6j`l9s(>i|m
z)&UU`&Tx0%8;b`(HoE~E82iFU<%2;4_>3*7Pa?`wv7~!DRxNil-m@psKFNdI+Sb-i
zX^*_3#NVab2Auj*16<Y4Q)E?LLG{U(sK+5^$<5AGT*$AkqboCHDB+fb?!9bP$1R-)
zS%HlM<a9e~fGzfvhg*)Syfuvhub!A@a>=0x!jy;To!K*Q(zJ%CO)C!XYi9vIVc%aQ
z&PteX_P!N78}c}+z1l9$Y~Sdd=a+EC2(88=RMoj#voE?NO^5l7&dmsBV-~%Q#hwln
z(3qMj9$JQif+j8A#cvWn6AUb8!Gb*FD1e^QbgMz?T%cF-x@1LQwI2y9G_Bi8JiwD}
zdV9e5T;$+H`<aG}XxbG%G!4$9#2ul)quUKRliiV*SlG0VM0$0nr<}9mFA&=>)Y7*M
zg1MSc2BkW%q)FeK5Y*x3^hSBR&lk~a@I7jH+?Ftvk}ZWJtdO}<0s1q`FlTjAq^Ci=
zzCx&d>9CIH0Jv4b+%T`gQ$va<ON1}pf$7t%Ud_1|=xBph=Ka8)jp*gMry?VJC#-}j
zYpW55)%&Co_4_T-wS?4z&{bw#;p@5f!EQ7e!^w^@fmCE3VvN|#CU*jh_j*$cb;y)4
zQ0ghh+2cuChJ*&Fn!>7L$#S7RuE=dINS|)qSj@`g9HneXZJ9NdS!y=KGL7Y%eJ||+
z>fJeIKfUxr3mYy<BP|VGo=p*k$C16u`J^cYtC?m%L<Q<+D7~yF4q8viLH&uB3?$8~
zL%{O74l><y&5?0uQ|ZTN)axl{^;$|;GEk7A3SCwsvXqD%@U6T#3uxHj%&E2ISd331
z=`+_*>6G=3tIF2KY=HxX5c(sn$+XtV$Qc6nVCuQ6Ol*8eQQb2J#~OQuFUZBkhYANp
z2Hz~*lscprkdZ$SL8pYyB@^P;9UbJ#jrForkKy%!686Xwm6N)Aio^93YaYyzWB9T$
z31B@}*qjmIAst-}X1}-aL^n1nkH^V!)#VDu(SA`W2X*!EX(04LGXd)>&G7^(2vwrU
zA~l^*gM%4*xQ_6qfGlkHHld=kY6J2;6Dwdgksv9$?&Aaic^A2U)q5tC{z)Z&MjV7G
zfhg+ftkedjT;|&6h?*2z=*t0%RXHi0kYwn2)kFLk-vb1dcpeOoyX{Cx$g$35Nk!Zt
zRFl|14q8y8>7+a3s0kl!=s?n%av7*=&m%0Ea-_-Lf!0w0mYWsvjd!HQt1~M#$l=iK
zKtW~1fLsI2<WKz79hr)`VL=~Q`ipz{JM0Ym9v9MPLY-2Yl$LVeamOAS&SIII43JW=
zO7*QurOgb(^`6~UIUUAD?Q~=JYqh9HL7PfV8IUGQlaa{iw`AXBzR$1|%x_kqBdjJB
zToEvp@twYXPyFOAo<Ix49DuI3JPYSm!Ok$ZK$FZ$XyI6=0cl*Iehy*MRSbxZgrHcs
zmHo~qlFe~xN(&txE#USApryWq6?@ON?YdUe&PiO(9`G&^@dyoDy}C#G$Q60C9*KoR
z7$sz933!?kG<K11y^TMJAF|^1FFF-Eq{-ezl<VU}SAMS=aF8qjp;lzD*7V-$1;%N~
z8)n&s#m*pPJ|0UFf*z-S0I(=~J3gMO$5^NZVb;pCSX&_9bbiL3b<YA<57gjHVd*V`
z)z_94);7cP{McNX!^2VzngbZ+MW-8}>OM1j+<moxTJMpMhq3P?J-J&)B}KMF%k4YG
zGMd_@X@XF6hrT7pxh&abFAPF=d;*IKOtZ3YL~?xIbt;4r7HCjqThvN|E}GqXJ2bSj
zU|cajn~i%sB8pv(U=<}hKM4(X8Q6(6e&I{6ymjqqVr#7f;x5B=c2uGfy<Gw%HW#8c
zKR31{dP;be82tzyw6q<2HdsAaSd*=m7_>0ibs3d!Lgh06-C!(WI&bN=BUC(b>hh~g
zx~>Q+VfA-q&xc6g0l{#ELKlvfH$QJGc^TK6M$FKZnUVCirvUn~X0-vaVmej1la~u?
zl(*6L0yy1*iWn+;L{q|EKGkM!c>Fk><Dr2VN2GFcP}Jh?bCA(qUKtn&wc7xA8k(ZY
z_c}Y!0zi{`%S0ZH$*BLL)Sesan+NXp^5(#{CTG2s)<p4HZ59)Ixv}T&1lh^E)nU%#
zK%2MdSOQ(`o@~*^;&O47ud&qX)xH-1Zxc>+5OY2$)z2s-kxNi|wou%b;gMJ5OfMf?
zC&{=9_TfFvW#>H|e-Fhi6B}Oha-I7+GWIGy=_?Q83B~otR0MP>dAty#B$qi(QjIYg
zC9O>`Kv|P?-Qp!Rd@Epe1W3xqAdekG5E`kPcxk5I8RCFjy6zMfi!d@PC(TA^c_5H1
zJ_A;8dw|`?o#rTY+%JBS3imLJ2B8I)T-hfF%~j-3q3BF_>b>33-iPosxcg<WkGm<F
z*~{B5=JJ4DyB0GQ?M3z7eAEhWP^dzvqs*wIgyEA^`wT^9yAH47m_o9Ml`OoB3KENk
zDR6qrk;6k-#2JoXaWT0l3gbCgltt=BI2Z^DxatGCX*6vR4_lT<?ZUJyP-Ew<7lux0
zE4gRDzOO?EnTyOR&>q@yps<uImf$@b-?4r3faErO+O48di4<Sm@gPvF`m)iiVK}gh
zbqax6&ty)BhhP_hdbj?3t74LP^{ylRqT#95$aTKZ!7g(RHRB|tlv5g@!M98jgF)%G
zmG6PgID4>=G2;U(ot(@Gf~kJ`JW9=8aIYLeNqpO{f5xLS!;#*T!F-s(gQAbe&~Yef
z57O7)1Uk|Y>=53c*PJocaVqRRP-`}R<x=fE&(ItWVLH|+u*8`o)vQ8+(9du!_{hR?
zlV3bgL2?RE8MZ2sO$)tzCwk)^S}%%vFzPX(<b+xqQqfxhrU4aVTA)U<2Qjqs@M*=E
zj46-MRQSY;;ey-IbP&4wIgip(u&DsiJde;`-#e(4w{CkCFY&d}tYi<uz?N(;P;|~E
zSEA*EqPrwij=(}Q*A?unv{+fV8-9J@vXl^B>y=&K#QG<(OcPR2kvWv^sIxktgXaq1
z0#f6R59yt5Br2CA<*dj#%fL3f!=8Wv3>V2h>V`ZJ=pL+<6_Fwaw}m%W7mln%=FrB-
zi6QUY9+d9V@EM+|&pfmfg6CAj2|n+LsNQZ&4WPVd#VlYm0>@d8p0&(Ide$hV&-NzZ
za=Eovkew8GZLz7n*7IeDhWCrwT3>vnCU&>N9c6MlvyoQX51u`EIO{ww74%6u=~y0S
zE$&{ImAz8x)D(OxM;bQbQn$UmNWoaOIB&<c&I)Q(VLz#j&&UMtAuJ;}<umbD5A;Bg
z!&9@?-o8nRDm|Cgda<5(cGL+lS1C`asfX%jz4ToXjzNR-Au@W2rqBSFV`s~5Q*1HT
z0GOAesJTw^=y)?jcuPO4Qp?sig%4HoRO&r>Zya=H<(}IJ8@F9pP*cQ)x|Xdt;adCB
z6K9l)&=NJ9Af0Tn;v<@L<5oaGO_-kpPTT6+g>h0ao_Ft6ABt-_SN8GJBKzEwN_ly)
z+}PwYz@{!!D?RB>vQ~SyMHp%#@g&PyrZ-}<0>#rr(6h<<F@BMY@O>XE$BoLF1=7Pe
zAq^N|2J|`>dCF3H2ro9SU*H%j>Z{70Hc%LMQj~d!k3Ba*wE02Lg_*gZF4`datO$_0
z$OV(ZGa9@>uUK10s$2wHn42|FX23E$?c29R(pg-@6d)<O5%0iv$pb5cXkIi=-j>N(
zYnVWn+Bi{%qG>;^@uWC3KsLUDNK9RBL-G4XulS>Rlhh0`QIu(Yxduc^X9nr3PnBR)
z8jTDe>c&_&-USbl_b5zbH);?9!T7^{9P9Sy!~#4|wF6$(dC$mpXT~SJ_!*-vb$94Z
zs;VXtf#cJ{NMUN)j>>okaX5Rpc8%N|k<a&Gc2kPSKm?gmC_g_ACE*h5f_*@NHRNQ*
zDq6ZQUYppH;4j(O9X0*IbGbggVz4u_OS#Q{t|3i%&oqpH#M>+$Up*0RR+{KauS4M6
z3gB0nzUg%p{mxhIQ7?>8zu5E*d&eA#w9c@xmeCaOd!c_`^n|RW{dGnf&=j4pocRtg
zaZ@lQiA>QuHxj{4J85`M#Tw8`yX`p|3_e9;#Nho#QF@l0r8w%H-XY3UJtkBBB$&SU
zO;s-s>m5XcVJ~-H2JPE2?)B7@aY`3seh*lEcHb6uwUtOV3Yc-}?X#%`)_x*RJ8DaO
zukDG;WC_F^ma`&=K6#>#iVC-%@}k4@YvO0tT9gSa5^sB$Eig~>URP5hs%E8+lDF6z
z*g?U%fpuPB&wDi$C<_$2fB_>q%;PhQP*MtP=ImkIIPtiNc9>;<jzZqL9PG2t(J&+Q
zX$=IFjqu$g%2mDy7XYRjWX!gjtMqezsyU38!>BQyOmGwOyylMjK_$V$0Ao7H1B`yK
zL#p&m@n^ImR68I<?^c4x8xWZKtaEB7L=jU6Z(;PU3;Ln9gJ)5gkw|zhg}OtUv4W+A
zpEdXOIt&SJZL7Ng%0<@MW>)S~3qPkW3DQ|<;(IUo;zIZpx84IOVSP>K=`}5#FWO$z
zj`zOG=N<-1x&G*N>deZCH0+}c8C(kLly~(s{atnRxE&32ti9*643Be(ZiXm+_Tezk
zdDZXW`n_gp)xgfDN;dwWGR0^%3J6t=JKQl01AESq`UrzyL8v==aRh9z(x&uKZ~&Dc
z=g%Zs+3EruqVe0P`7>n2E4zeh?DsZa6pks{FxE4IuC-3F*2{Mf;>|NfQCs%dZhfbr
zz7O=x8O%9rJ{xF5X4VoQFP2~!iY-gKNXd&F>3a|DN#%A_0lwb7lYCeyjlJM<Tj5Yy
z(Pwdl;tRZItGpD=KIVT$Kkp0|PM()tGb*^`vL`6qMfq&AUSLjaHKdd_vv-xBs>JZ4
zq{r(0vmbN%275m_J~WF!3N3n~GLfnvf~qJJnxNEPE1WRelKR|gS%%V&`&0=Anx>Lk
z6h@swj{McyIUQF}U;uMRuZ+Vd&F?dAZ9Z7%F7)E0M~&O9-2-JVoR4F&s70f%b(%df
zPC6jF&NTO8lkL$Rm%Ke2)-CIOci54|)riq|S{vNJOW@|rEDc$XY_(DdJ*|4j=aE=5
zt%<v1?*v}g8U<)T6@{c5RV?39@5XAY^}{LO8yi>dLpXnMtLSUNI?2;1ojMoHNAEP`
zRe}R1QoJ4?Th+O|--m<SC*<Mw+`<TYDgC`%epSXoWG2(4fH6Hp<?a&k)F{C{T4Nni
zS|3h(IWNZ<BRWc=zUik6m2{o_-nh=Iracm-{v=wyk9uMwW%~r|R40<up6M_<<64!e
z&l`B%{MaXvE&zd)H|097W=Slj=(NNy5J!SX&f*H>mL+ug(&3KI6bB1d3>-kD5xs?1
zxTlmsgcQd*ii)EqAiJ4_psS`Pso#ye=v42bF)}5o1%^+aGk|53w4fm7zA)9cprjB2
zc7N|}?JYTpUNO%jg~!pA#u?9I7oe4YQJr^+t&3RUE0Rsfg$dO*3lD?{vt_T4DE!er
z#dj}(qN4_1!j9cU<gq$FisNI5n-WIV%t-Eu!$Tq-c=a*>W#i>1)%qF1oVECspghx4
z<lFZw-$L_o`4I#{wnuW9fk=nK(8y33)p&LrN(QhnVYwP`KE#=Yr#j*(VH#?bsgNUX
z<<D{URiy|e>Jzgt4*}d39(hm!&k2vIpaxx};O+D07w3H&TjPOP8)A-W5@R`G^wJP$
zYQ@w{%UYSLIVwsP1H_g{MJOfWHBJ?mw7Fp-o(LNt!h0=0$tHaWiwT3vD)HE7rYMBB
zI1`+D3n-cF5+GdcjmHJCp3Ge|+U&8N_P&y7+?69fF~7yYT`$4Ia^P28Rb{0q04d*O
ze}=JcGk^I4DJ@HKSP3$VqS6h_dbrD3S#vs$r{kUA&Iw@=D()fp5hf&si&!`|tZ=XP
z&Xbxmr^Y=37>deroYAKsuAy%y%X(|7woPs<NI>CilFEgP3OvO963!cSTVHtLYmw<)
zX6fP#91Y($9GvCrn+;BKp0l;P7&`ZmKpGI$-U>g`&V0h>v)EN)@h35RIPdqqS^#B|
zk``5QIE7MWFb*h~fx<b?$k5WP1fF2HszC6?dwu7!5N{qjho)eQJrvuWxYC+=+bK-u
zm!*`a5hdJCC;mydea13Vj(UoBM+QYtBpV0wdd(@`%T3t;x2=~PTcK6bT$u;!>g_^0
z{NP<YkhNH|x@@^Ck2(yo65>T0emKU&%|M$5&Tcd#>jt9nvS*TYB(XdsGf}rw5nel~
zyD+uaEm}aybllsP+mOl~w#6a0T0?k@hb!y52vYrMhi&W?u1NT+!-lxk#7pEouF%WP
z9ZgCMfkeXJ@4LvHyl<=TjfZa5;rSb|aI&)Lwqx)lc&5+Zte`tZdSo_F3y@J?hG{{G
zWAu}b-D|;eOR_=iSh)}jBt(*QH+kQ~mVXDdQbE2}EQY>H@p)tGaPbD8ctAiOjzi%b
ztva|*E5ZwjN*Hk-aryJqEXZx>W9{dUWlLx$vR+lMrDUyIbXYD;Ez5d0&XWS2N$z{-
zs?uUzyRWLAUB1pUzqhNRw@qxfZ?`Hh33PFfYGC)}8rHx@(aF2O$(+O6x-np4$5GZY
z=IP=((<^*SoOgKYJ3Q5A(oqquM?c^AqifLVi>S8_uZmwFU_Bj8O=H!4CL#}XQ{>U}
z$~~b)%gYB&abgeycK5*CaSlNbMLUf}i3$z`$D55#*AaVi>D$udJE}>%u~#QE``#m!
zc@1xJ!U*qp`E{KVO&&kIMXk`sc-n6c&lHB=QRr6KgpVlX2)W+&n_e_}M^N%^Y))`q
z9kS(&infD1y}~*{9i?5T%8Z~u*n8dRWpI41;beM!_1?m^JZ)-@zVY2a;CB}c4C3`j
z=qa6RJMk7u-E&+mi*8OJLYI(Y6<;qlcB&D0zPTeeK+P8Kt#SP#9XdTa%E)+@{oOGi
zR(6#Oh?4gkUIrE@W?@B9&UvUgDa1%LY}vIfW`t+eGEwki@!l=>>sxrX%nAFR@5zX;
z_I(aw1fQYp^(B&d00Zf%-p)K^dm>(oB`yQp(jt=`j}_<0bzTieTbBdd4i~8vSo2dQ
zeJ=*OrC^5oi12J*^Lvr6HX>YxMpmuvD2Q2XX0s%#>nX-@a*7r81$hF|7MYs1_Bn`p
z0KDsb^Kes}2J)Fln}VEGIs1$|7w7OQkgb_iA1S%xBZr8#y9+6N4I!Jzuuu`~DNA%M
zqyi^_zi2maiS(X(g9DbTRdktlmxM?o4cA#`%i^(NN?cPxloxsQ0==pGda2x@P9HvL
zgXze3v*tGkfj&dMa+}c?kv$K;Y5$CG!>iI2)Rz{jbei{qM?({=`<OCwy7vxrjn^km
zFCYkFRSjiy!`$5a#a;!t6&h?GXSxo}8%$8ig}wHmcdRmMTHF;&wH@d;p#$}JcAbr^
zBZKQiJE>?Taw=UkRGy}zfZDaCIdCY&ym&q+wpK7sI#}oHNNkm5Ovp$#nQw&9-n($0
z(wl=PF9vQpIe3(#jUvxbH`=T6`7h%8-Utl=8O;K|VKqiD6LQ;?l`ejLk!QXtgM+tr
zg@;^9Gf~dXe`cpy?=)UK^L7cpJ@fSu7Dl|raPTgZC7PU_PvY@2$oZpgaTa*Op+sY6
zxVDV0oK)`8q6w8sQ?Duc=mu#mRAJf(q?00H8q#g*O)Kp_%ZF2}6*I*YT#@}Mb8Svq
z*9dUY&d{<%7pZfeY3&OI&!G`uh_!h>G(P(-#k09@^LF=nL&k2qzwqU~7Cd>w0ORB{
z(_Jx8pff<26n)YqMFJWqwdIKz;pOG73m0YSuwfIJHh^Ssk!EPWsAnE!+6UZmk-;yD
zJo7nWA{9=F*m#fw@G!L47+~LFzo_hZM!kLa1olnfu(tM?6QKp{ogQ4>3kQCHudA|G
zrVrwidisoX+OHtNFvNJp=(#Fx_-!qdis40Kry~z5yD;XG*K>s<Zca|m#wG#am#VNd
zhKo9!-LEcs38nQ=3LCC%&4z~z#a4APdbfkb&yVV2f$C)kTkwo7#WL8=vW6tgDR)i7
zwd$1_IPw<0=%ftPK&;&tK>e)EfmUN5$SpU#-V!0QpcDbVbc!=DG9pqXJnQG4rr`~v
zktvF`acn=|eaLHr$m)VBca)$BK52T&z22aZgL4eR476#5aa7N$4{li^o#`T7C4G2m
zxK_gFMhC93#ol&8ZkvxUlRHP$f_#$CpW#lhY^to6?zSFT26o>Hq2D~XSSVY1COWU5
z^@u1afY&tHpgw?L4$zx8hP|74?f^ssjwr&9^7u-7gw-g^uB14*y7pNu-f$9`cdn=0
zC^kOkvta=>nIUvwd)hgjVh<S(kN|*QD?iABZtAmlMEq3a_-z2h9&N>Q;!!Hb2X?RW
z>0#n-Kh%foZ_JFWB-WmmryAB?upUUQ6PU#1FZz?&K<Q+qqgnW23KG4elvwQxj8v|Z
zNbTz-MT}Q9s&M2@@qB=LdZn#Va2uo^WzIN*V4|kdLE9WhX1=|4>V3nX^gsBteU^wn
zX^P@HVGUqDBX+H(ySG>Kaz|mr3D;ld+8YN$pm2nfCD-#qQ^6jxNwC7L$4+PRday%C
z-JEkEh~Pwk`~e%xi&tA{NRJ3k^LhifJ>f)%@j`_j^GYv2k1{et?R&YEHa$tuLy;Nj
z5(G%X7td$naY$CivJ2JVD9ohg$}~JFa-Iax#jYIZZe$8dMwt>3W{_6$83@Fu5<kuV
z@y5WWuaK@Y@f$1UaeA+9t&nmlyB(Y^Tv?6O4*^BR9s{6}8~c+Yurv}<dh~Q{n0n!i
zoc8}un4RNR5QIPgy%IEg$O892k|oC@{mkhfKS5Ok&@A#!(cy?!0`~1UfbZjJZPdxr
zj*&DOQJF#9Q>w5SP*;hzgQpE%o1BM=<C3gz9F_$bHt-l#8jPDMTNTNH5YxMMB)WaM
zS<u&^=e2njcGjuZozrGfIv~3U5EvnZzyNXTbM2tS?e%!EN-ix+Rl4bE4Oco!^p+m1
zVK;BFzI>@~U)_Qqbms)EV(pa7K$&aW^DI?8umv$4^yqkXarIz2IkMkShz=XM?E86&
zu}L3Xj)4hf2H0h|X!iw!C+P(R&^fJ-Q)%C(OQD4Cd+iRd78>tJT`+_rP2R#2RtOrZ
zaNfrXQ2DZ~EndZfaefkz&*;}_I+XY%BpprtDH?z}yP62w(E17Vdk7bK0ot(ED^Sb|
z=z43wVj1feYjMMasqSr%#72tkY?Uyhneu{k^L)h<Yu`y@8}L3r)*;p0A{VNin2p-o
z5RGil+$77mGNedMOdDxqSCI7Cs~6@PTRUSoijp$<h(iZ)5woiBX+6+ONVBkAn?<y6
z1$+afZ+g#6`rRT+PHIhJchS>2W&VX=BKeu(g+rS+X`gWO11m^<A-pIVU}?RH97UGA
zkV>Wx-kl%5McvAw+-|$0jL{qjDo~%>XK$%OSqpQgfkScHzl)!KhQKo|muWSA2v0_N
zgCKNp3}0F0*%bg9>cJbLdZ^H^-Cq;J9#V>FVZR~R^E2P`dB-XMh7g$(bjDq=HdcGq
zApz@oR8Orv8fEH{BYCqpQHOVPvSFITvqyW}#+)wH=aA4()Mt1{JYR=0JLvI4;NBI|
z=PNa5rBqNvzCpNz<<^f2Sz8Af6hzc|_aqeNV&T0m));PcJMKzqVNT2rypW&w_bQd~
zU}B`+^SCLHB1w^L6QE^bO@V9LZhtaajfs=1ZH84CcJxS}xY<H=XEHvajwsc5VOkN_
z>Q+!%w2@hC-u%hH-sd`y@{R_2n_4|abk}a^SM^eWk~jSfXA{vBJx+rO_~1@`U0*te
zl~aV6aO^#%lxK1Ml(mK%AW8>!w(hZ!V^~&kN4(R*>8SL;69c!%?vd0&*T4*F8%Q7W
z3n`^&oZMn>?sq8NClw>$=S0->X3fp97+v6=V!23jZFS?5B!?Cr0c;tn0b4D32oF)g
zeTBwUoC;8JUy2Wy`9a_V&8(5cpNAcWx%beaG%C`GKoz52r}y}RC2`f(dl=c)=U%Ly
z!Pd;|>`??%qavUki@g%Wo-wYJS%SjOz9A*#VNRzfSDNFW5F9=sVBhph>n=MYESk4_
zcVx?+6PMBE-gMLtU;&LLB9s=pI)n64J>`uD6r9Um#Z4(yp?B4OutG<$?}cbiRzFiY
zu`5$tWZSNDQ4^vmU4iz*^I$^A;GJ{O8Sm7DMaG6p>$qHP%~d({4oa67t1Bf!bt3nq
z_N_yP`>P>4WV!9yqG7hA=4I`N^0-^1XY`#s%!-#@X|FsiLYt%N8DV%?VaNV_3f8xr
zh-q<C(bbf&+;ZV2otdIuZAhTH@aAQ7@;r0b-bZHuPWkG1V68<8AKdC-*aMozemBG#
zh%dpN)SkJ-;yHa&_>73WEU%IuKAY|k-Q)8knNjb0Pp*tgs%>#w(!;Cr1)(Ud@#P(r
z8X@0f+~zn=1I48pcu2Yaw6e(I@Q^RFykKu;<OZua$jF5f{0Ky7Bt^Qb%28;R4ftMk
zzM9<w#$fdYnGqDR?sjO%Pz<Q*<}us8d)TTq$F3|f{OrP&5zd{`A*H(M^@9U8uZj#y
ze0nVx!h*|iFJ7`D2f=`FyI}SJM)%JJ5sR(6&}{YQb(x*Q>nx#cZjIJ3^B3m9B8;J3
z;-EnEI&M539ZPfh_R~d88Q@g{yNYmuWMSBJTDqrCkBDi*-uE%+g?{FQbWy`Oo1BYC
zz1s~-%8Ce7!xMdhA;94d9L8?0mfFl(3gC9xk#O(2eW@OA*zzNm3Mx4p(m;PPblyE&
zMaqcfa{cJ}7PMd&q2L*~LJmFFUeHJB(_YjZ7vkp{aK7XUYq<3a*&?Mkq3FE!#w|Nf
zNFS4IZg<H$az(4wmVT}KG&TpXMq`6<IOhSr$=6a3tFJD6InA<O9v<B!J)#5FAwQh<
zpWOldpuk>gor0&f@q_iiTC$MT!KkFgXWIVsFxO1_@X7M?Tuch<8!)bgp2uehaDonS
z$ZXhseC(1chWm=%!c)Zi;z00y4i0d(T(z*PhSDM(U2$(nV;Xy6?wtaqWARAdroZ5m
zN)=8NQY~Ms=RVFSX#N=dS(v0LRkO4eFu{6?#2mA`fGj|?(qsf5GSD$th(Dm-DqXVi
z=-`yiJ_U-TXQ$0m)s`;_Y{E2?Vj1&P$R5-6L!V2{;u%LPO$wWnP7MUhz;KJ$dF;wq
zO2w~>`$gT1g-Lek&h<0S7JUP3+zP~&VBX99Wc??I=MqV%a^zhSv;0g{yec;ma+Gbt
zUSIen>^3*puE~h$)WyjRM!Mq^FP}{jZo`<NN+8mUuJvRc<e^Qw>GG6z_ymFPb3W)u
zztRp0;cI=S@EV}GGt!23@YORkI;huCu$&SU6rQTGYO66&_^xcZx1P{CI1ToeJ<bL@
zfH(+Ve)mT2;S2UyXWhI514ticp*<E#+L=Z_25+-;dM1i?S<Rc2&xtaP7_?zS^_haj
zkgqSfP^7_PaJL9jX0ljo1UcPc02Hphnky$6yrG9hR_P!d1?I`I36AnyBLlrt?4*Qu
z43}>xTN>0}{9GB&u?FZiL|9hnVFo7T_@zk#NX7GZVu3joV+=QF-f&oY?0kKA5^nHz
z9x(82FMGb-nCg2EAE<CH!wW$LsT~a4PZIAlO7^+vE36$4k2h*FnMbo*&mSv`ZrG!z
zQ#~bpboD&46L8fhWh6XwDHT;nyuh#scr=R!(1W>FfMaA~UzKBIpIRz_A|iOKni|p@
zdowPzGhOvYnM0?bJ6?!naqA;K+|9@LMv$HE?SohrkGc?y%N8siP+SMZC#xXm5LBfR
zR*gy{f)aYmS=N{9SCIjy;lK{P(C@_!stH5Xm^%qi9-%&lzJ<J?tzRg#)8NrQFcN*d
zP7#u^o?EF}QSAdsFsFv#d*`{cMMa(L%wje0%=(GEuC`H{cH0usdl=Een?{wZY^FSm
z&K`w_-zdJ{9kZ7(t03RfQw!#KXR;^~;WA|;-1`4X(Wjja_|bI|lo8=X5j7{%Q~Mtd
znTy2-1`2x@=F7%f2W?BxqX-N&vi*#;Ubxbh9Rh7lDsuA+Ob01VZhy#+K$H_itlALX
zLJjRaGK?qhj7dg$9>VU+ycU<*0J>yc4D}Yckr7ghr*oDdOUbVfY*q9w-mFmpX`dH{
zhc|Q)i&#VB>o;D`8;Fj1tX6H3F+Xc(hRSM0<6Z8OMv)3OC83MITzZi!xY~Us&*a3<
z*n6k^w48}An-h^FCrU&zy&LZ$^1TOL>r~g+WPI20tO_9O`yN5`882acAaV!e5RgKn
zSJt-Tol`!DT+>>@HeqMp3`FfMihOUY6o3G&s_&_YT&g}s7j&EQgDw)~^1=qKQ<q^o
zdagV9pqxnjBw`*gR~?AcW%-z&3*SOYC^|iYmOWo#erf`n_quss4Al&ftr3qa^{WZ<
zDDKAup-6tF_WIEy<h`3~6(oMPZ_+eSOCEa=)e^ofnOW{LaNw&ao-J4YMts20EL)FF
z6wvNYe%>jHdHW4I`@l9+7FZAk%wr)rqUSk}TF$STPQ;=Hb)2gbydF_O$v)oq>a_FC
z-exCiRrq<&<~`l*d)L8v%L?4bpD>s|mk2%5GMX(@eRXs+nc|0JMdFo;APRfNBIc4&
zds9G?pt=DDeDR_t)T8&Hmugb7kJ+Jm%Lif*3c_<-047SoaIPtl^R&$baU7R2-I>F+
zsW$ak<6_}qaL04?9yvi}eWDhA2mCmM8=1J~cH**&0t#%1-$uM3T{!o;fpzDEnNo`Z
zVe6i4CFkdoEc{{+CEMnaq@g{2@NjUNL>W&Gl6{?7rc!*h>$UIC8>SIz9MnE#QCXHN
zKUNhJT9JDU&bkG|j=cxZcsXfYLLQph#HmSxKA-7Dk*8LvuJ@3igBa31XznKq^_aq2
zWr_Vea>{4qEQ;Im=d?Mkw2satI48Mu!<gBgp;QI6*aMy^t~Ne_(5mqsuF+#61!X-I
zp}|g&bY7o^S&&l3*d~t72xbQi8o-VxPmZo=dauCqTIXr7)l}WMV9*JbfI_q)Lx8kU
zs=Ai=3MFBrScN_!+}UvC$fH?8^mL3#9#aEN;K#*_^8%q@=V_kepukoatAq?c)r1;5
z6|7_%Xgjp%d@d{iHu2UOW7u!5#+ZA5zgJ*mXqVC8UOx9x3V5yDi%AUCQ;uQBdE14E
zJ~;yerX^Q)dJdtg-Qx4o8&kbi1~yQHn{mMDM8}F|$mX!LIlkwHeumEsrx88@a-j9L
zh&bM<T7MhheEc3VWzd_MX|_ZwC==zhBg=>ZbKM9w<>&L_f5bP2rM<c=Bz}!A;hN3u
z#sF<B6^(&olc~fkP-D;7UQN{m<8=AEHp*<4^bGE}S3_)eiZ@gidhim<pK?Cr*4s2L
z1HpPv+unnSZF8q&edSb|H^Tt&*vs>gor2s-g5TPBvCu<)xK*iEV~|h)Gj+k0S#~5b
zGPs)va?hvlXAFhr7u~4*gc?G~RUJt>nDnOFV$v6{Hr`rQ>lT4NlfX4%>n^6V+<rrL
zN0ZgpaS839FM_P0(X6p;2d+&MWe!Zfd3?su<-tY|OGsDk6=fwU<M-Z$hSt5dQ-&Gy
zv3=R8x>$;>{HlO9O-M6W!W?m<j?;>Tc9!tMiZ$h6PcXqSUs0gXp%%&$j9fC)i^H8P
z?w4fN^x|zOgOkLNB02NO76k#oa~jDZ224UPd^gC(<%;iKmB5vzS1deA;jx*0-b|z8
zF5Esbh$2DK7~zOh*KQjNU~dDq+|{w$<b@%hUwOWcaTm3mt1#YuAQ^R5&i-?`03g20
zfW&+^K#`24?81Obye8%h%kSkD=Ob0(5XX3T_3q7Fz9)2z+w~CJ7Dyqy40-jP)xFX%
zDcq3DjPik(M)?WE^mDl&w1hocn$8&=lR3A6L~&RnB+4iofUb~jj1yslXY{Dn1jP&S
z97-4YwWhfcy6Xh675Iwanyfy>wJ;Y_9fQX;))Rg7-bAg9*p(`R#yxgyt1^im!{Q?C
zeARDGhmxLOZcRl<h6SgOJrvmy!NhZGhdKp`V!Afv04Vgte$05rZpPH-yrOc7=QD46
zwY0l~nSletGV_Eso?h)zU8mQI`?lG=n1@*FF^gU(r$1K=VC%RD!~rJT=G$lSQl{+r
zCdG;Y?at;hlFH5@q^nlER|r8XZ`ExH-xR)>!~>x{b@nbOLheY)h}fbvS>%rH_esP*
zqv;glDMV$Z6?7_bJT06NiuSIYd>m?HIl~ifdS?B`q2YLXug379u#=JaGm!3l98&X=
z$xv^Vcb*PN^p&U<k#Y^kE*M(Pgd@x#k6(_%R84c|6<N2!72LjbxME=}?~IX{UKTU*
zjG^&U#yoGj(Mi-djd~53+43wo;fWN_BW$P@IOc;XC_~Bvnoz&BgHzlAf7~L?B~L}z
zZ)-Gjq-A$bX>TovJ({BY=EWfJ?;OJ2k&1T<9?pzr_{!lzAF1S#?x?0`)=P7r_flHx
zQRtgT;;iIr_%_g~A)g^RO@W)8y*Ctrs28<ok)l};y7$mHK9R(CNZlGfOy_Galx3Ee
z!Zq+lV+pwI=qYOEOn{ID8G`2WKA(;8%z`%<)wJ(saa2$w_Jy+0@>B+sK_X98y}{vq
z@E*b24cG@x5BGXpp67Th>$FpB#+;&WIt8cJ9f7ae)5?X$s2;ABH>pp2-yUyh=EKL#
zFOFkRy4ZE>j-<1(vdcEa5QDk8>tzue!0;Q~A}<*stzaYeWbvJ)X|2(1VJj@?T&X8k
zOPYp{7eS%X;O=LaDbh{RDy?&vz>!ptbB4&(vT=)T21hB9R^@Ijz&dS1&tc_5Y2q0q
zl(a};(bA^#9gkI@fNH}%V_SSZZDyd4Kl2E~XIz!+6iuK+GUuA6=P^ObXR$9`8s9T5
zj*2%0IhlM9bOfH?Lpn8Y5`;y>i)n6bJTJ{Iv{XjQe9siD1*P?+5jk3=tm*4kV_#bs
zb$cDoV~;wjs1R+-LkV37ARX#brDr*043f2(U0gw~yLP~}U$OLFC=JmIp4u?bLdtvZ
zu&lX95&-+QpWs!Zuf5m0*j$LJfnI!i>=|ClMGbcCn)?642G}9XVtAENN*)|GJCB+a
z{(|D$<)`mWmVw(whV%e2V!Yeb!Vb~7$f4QsN5Nj^9L+~4&><4?AcVGN!*@(im#J>~
z>d8$SK6%nQG?@<csMeSB8_H*JP01WsR@S7~E`6PCbnvc)01m_7W!1Zf7W<rlmf2hw
zf_tuAm=IPPP9cJN?}W#Bv{>oU1VK)LHJU^eNeRe7tT|Vwgv$cjdtw%LC8QktHtf;f
zpt?#EmNbnZQi)eVU3)yZteFJYF(F&kF^B<y8svcv1vfery&NeTa)zGk>8RB_!I*mb
z^4T$XXx5W%iVF?rQ2|A47)b($k)p&pbj=!mAu8@gCEgS4VK6V;OhMrn6~TBYlf>EA
zqi;shwnxI8R2Xf<`l(@Bv8zaV9JAM>!skOdz=4ohRnq_)!imdaDrlOXo!n$2nsu;H
z_Ld0K$NG~Be!r<|SFPFxXP7^r&Cv$2#FT<?HZLyj+LH|1p!Vf=BK8bPOs-$Lvk;Ey
zd*|mC<d!ax4u`M@&%k^9jFGa)C9g?L%`3#bVe6D}4@?u2;P6byVq>~qx=YQxkO0|r
zXh8MUmmy(;(1&m4jrT6Avb3!vGM+B%qfGXfwW5lRx*B`9&&hD#KGG(MO5S+=M4zUW
z-65TBa&CYw_AM%HpkWlA31n#3tXy>nO{|#qJk-1nphrI!5DYfv@M7QIt_wG(Q6vz*
zr5FR4%3}`<^Rae{b!&Anv{B09Ox&?873-ZipV!CsfS<lq2t{yy*HRB7`_8t|z4;T%
z`wX*(EzkSRDBRe<hR1WH!q3_aHD;m2(0%R^)tmN|BHT%t;ukm*r@mS_WaVS09Sy)-
zRA*e(G&X4Ai{u7TFeYm)K||d=jrE`njf+>~<%~bb-luO^x-a*E*}A!f5*w<6LZZIy
zPH*zYbSHrtr7EF7;xm97&Y6*r*e60{lL=bwO5&H*wKrE%?H=Yd&eY(U)7pI6q^EKy
zx-Qs}aDld*q*js>G;Zwp5@$87f_j8<!XCY!Tv8_X7%E?d@6=eJcdJ>jQ(^+t1b5>i
zhj2*eX%AcLqY%R;e|{_~2_s~#<~WA05%!FT-m_D|FxKbpHq0+&FXodAea70DILiOI
zhsAg*_HJOn9hZOt=E@u*aB^*micK+)*w9xm+#F$rpJL2qS_w#-mXSa!(;KhDzO6X~
zjS5JTg8}ZELxO_2Ha9s=UVS~~D^D_Ktk?O;ga6sk=m)|4#+*QIUD9|d))bPRjQ#Dr
zW3m~fdfN#6^7>-7r)k}61@0I@a}ZLVJc2=t2lO}{A$XE-HcQzwlixjPXJ_hbY;ocL
z5l8ZBhKylG6V>A7zHvQ7Wvnu^{t0H&X*O~}%m7cf)$i0c-U1Of`c_%wVF>jTWCkDc
z)i?xUM&*|{QZ@<*XI&_Rgfl|uBArB*R!|mvsiX1e04?u3xA1qsMGJSg$BuE8LwOm`
zhQ!Q5Rbe$9Ti%3k5YST`NlvFn@AOPOh({pP=`Qv`N<5w0%4`mKF#x(1k6LmC*ms0^
zn+<mi19y&<l*q{+U!a&q(W*NHxB4r1D7dl<xPnkj*zPKM=cT3hPNGW(UrbtTSnIs<
zOKqK`Qy`3(H&~q|Z0au^d$dpGR0Q!M1&(=jKPst#jrX>7ye_Om-a5}b&%J=iO2VBA
zpn86FO;lz;JrVj)67iA$BBLtUPljj^%ASxMPCZSW+qV_bGXlcwfG!>-<zCiVN?T0P
zgvrLOhZs1Ayw^6MD&1E8(x!#eS_}H!;F&bRsN4G{<DX<q_edTLL0Pg#lsAklNi0hX
zdgKfOEK@DNNO)H?D|dW;18Xs%O4*(EdR}y}_$!PTFGZ}SkWgOOp!!t_Z|vJ1B!}o%
za=j70(<%nSvd9rrYgfj@)?-KFkLuwokUBa^i_Ro|k8ef|hDfdpK~E-LQ?MTMP+nK=
zTgGe=9$z(yBYI_8>yiKCCGoYezrjt~^_U$F(xasY2PQqCxJ0rwZXF_znv-M!<7TV2
zdQcGT43?_nBKz(anlxdR_t?&!OYfWUL;#Z32*u@#h9`?R;MO&SPZu~c*6B4JB?n&5
z5_x$825ZmQY|~4>u^sFpV5!a{3J;LND*i?z-=TNzp}b2zCb4#7lovB*YfkZGXiPVx
z^757N%hyClgM(;;5`AoR{s@6YZ<jkDV+CXl&hN2Hs3@sdLXhL-W7*QCF{L92I%tmy
zd#hSPBf+2(2bh~+=S8I`oz1&EASe9R1}2MT)VjNeQbD_Gi*OS!4L~Zv&~z0h%f|fF
z5%$3K_#OC4$ienQBYPDd2Hi>z#dPBJlAkq&B?DDXqOi{cX=2KTnC*0>CuG!ArV~dG
zp5LZ#(G!$kY_1WXovOgmQ*su{GNY4Tg^N>Esg8KQcj#?N&rulKQc>oOzKpjbHk`PP
z@5MSh#=NNm?H!(ly8vL=u238`Uv&Irqo47Y7KH@HZFH-oJtt!L2}<9hg+mavrJt5p
z)j=xR^WMvx2lDh$LyZKXQy{)%SE4KG2fz!)(Qe6DPt%J%ScGEmjxo8O2J5@Qh`Q}z
zA!8FgkqkuLco38w!GgJ0FE4KBjgFmMwVkCfj6hgJ=vGrv+CyQS1*61ncxP8|g%$Md
z3JM>3Cr1anWeJ7qdx?}QtR0p$ds?F8Fp~!O(#aVDOI36r>)9Jp>P>T0x-*rYLCQiS
zuV5I|&fo95)DNpW+p>3khsnx~cdX|gY`%@@@GO7$SP`cAoKYWp2@(Xb^j!7E+sjzd
zmLeTpnP=ia7`+<(-pXjZtqAT8f9D$e48l!5T2Lm|CGu(+f?<0BAoi%BBnYgL1=aO1
z-!pjeo&$_{^;#-vqdnUdwg#++Y!>U`*RY~+o@=LAdpstasi74QZ?ueL&`?M=cIK%y
z#;XW-XtxM6M1Thn5Hg;YOtw!Pfs-)>WM$8AMUiIa0XT*nv>2~e(k%l-^d+LM9Ok?9
z)JfpV>EeAO1G9uT%?{v!&0>xTnQa|lB|1uYozm;|dR89{;-H!B#H9lLYqj8+78Ac7
zxg7I`pHF!~L0sNSkWptyt$a6#&o|p-u=i$9mEYB~d(b7S!Tm11Quq33VMW`_qc5|y
z-dR1i*>qC7o2RkH6+KrVWI(vzbo?_C`@C5?D6&*?=>Vf}kU|3xI|%H7wuI^s6oz}6
zk|sr~!Ae-A+@>VEL#QW6=o{m+NNtcWD}fW)NnPYfmL24Indv~{dOj*)YcC&77>Ig|
zL$yI>sL-9fYC!{#f-?OgUYA`P<76iqGT~%I_v)E>9KP6>EqyA*Fa`u9Jr7-~g0%es
zyvg&fewLQ8B3z&tsszlMdXUJKD6;c(LTdC`*#l{?H}Fbf3T|vUHbK1KLgj-uc?YwB
z>nwd1KMw}nB|gq!VIHW{q;JS_7GGP!_$?K9k%3Covxoiy7kH1DAS46bt$-n%yBrGI
z74ZgNqi+sbh0ueM*qNe-NXswz8;^g^9agTIoM+Mk(-Tgml7oOzap#h_hV5WS54h@e
zJe(%H>hYFq7FW-WJ(tpsa;nOglK$QU+))?TZP|Wy^;|4vFyBB71ftw~(@k-!c(Pat
zce-AjUEDfp?6r1u;1otd!FP7)OL2C#&Pmkds&3MN)rC)~gFz-Rz&933V2vd%tCYrD
ztIBA6iJclEN~D_L4&vRZm*(u;u-PbyLC1-pINOo#<4Pz45ium_ZLzH!94Nvh^9}Ui
z-KR?l{EH7s)A_;la|PcHeqH+9*x$n_e)YDxa^e*?@tW<!vI#0!m#t%`sW+Tq(d;XJ
z#+psjCrX{RST7jJaD1HVzyLZx#lJ$f`TO1!`Z;^bN4?6^#OU2VdybOoi5)GOgvB^J
z?HshG@?>xTX^47jVjredg-ks~4b$`nyFNxdIjz>Sg%Zn7^X_K>sTbwpE}k82QK)kF
zcvaO*2$$l-UagGd7CmKojE;zM^vvOj)m7wfYaYJ5=PPcV4eE*cLZ~Ei)Zw@vOTDFS
z(vt{=AzK`pB44DPdQsAF419X$b`IBGYx$nsy?0g7URpRt1TE$a^SIiiK+9nWCPy7q
zm`4!uwAozNA7#@*`Oo<iu+Xj5Lg=sg-k@a)QegWNXaahPZ}Q%CD`RnFI_?B>Fp#K~
z$uK@7(;4r6^J*$DS(LzYtf7%AT@+(XNWh*geE|~q49r@9ZV1eJq`t-v538a3MBhZC
zGdXLuPxxR*olT5h7kgb(ol}txbMs{o6XconU_i~1rd_;qwG&SV3V=BWbQB=xaT$L|
z@9+_TX20A@@r9Q_cB^?cD%)wz9A+~#ZG7ydYl(Fu-8_Admq*^lt6>&#_T_k9u-RV5
zrnl4$w5~6c=Z@K6>UMONeHr1NKq$LyU(?HH&+O;~9@VoaIm?QLB;p<-obIF@eL^*+
zc4A~Bg3h~%S#&}>17X_iKRZ_hhmlAwTA)P?qL8+cg7ge>Xd5qW5R^W9i9k)6-r+oN
zj0-T=UI*Vx9!k*IY+ZnGo`;)DGgkC+z+X|Q0zy#bCn5Zf&LPD4*pO?umaN^ACK3GY
zq;=Mya1+E>jT%h%gk%bd1hW!|=Zmud!qM%_I5io3h#MqP>rXY(qFrRu$76=PUz_60
zz&7;8hDjLH+eoa<1${kZxN~#E%7{@Lt1;+lX*bpj`w;Y?y&&t@Q1*4Q@5Qn3^aJWp
z6;+|KXW%4A=X>S494$yyCSFt^@AlzggH#bU8NL|pc09~I&1sf`b$^yla4Rf*Vgn)K
z@EXzPQFn=KKEIHL@qQOA`S=yl{X*2?PlZDN=k2x7!zZ%?VW}>7Ep=p_^tPWK(<;01
zV<d<Z^?YcEQ5nuH3=!uZksVwX0Le2k<YtRbh9{FZ7!MEp6Vdw&(O?1EZZE7{E$diJ
zH;%gP{M~zn!g*cyf+`5(ut1zAH5vL@(OW1iJI2?1SpL{y4Kf}{;oE)&0Vzp@Ci$wK
zkLNU-^xhJkIna6Uvrv0z<aqE_EvfjN)9|q6JzwaT6NY4TdTLJ}UvK(g#<`%u<q%v#
z)jR=`reaJ*lVP<8ufd0MdgQ7n<ZKsx>U*^Bs)VZ}c=i#z@)s?;slLsO*OfOmsJVO_
zcNbm<uu}bUgl7Wp;wE{<th7xy14Cr+Ds$lX`wvhp2Bqx4YLUQG#eNgZ`%-}V=%yZ_
zJk5Zn=6(tuZEm~TbpjKRr`TvMb5JjujEbKcLl2BzlfkU=)<fm0+<M=PzTcYNH@E_X
zv-+XOoJM&iF)@}|&&cyNS6G?7&a^1#NS2qw<u8*!Yn_F3%X+74L42&7Q*+Os7CbLc
zc!s5sO$w5sB%5)v37H0Pv}I0GEv$$Y?}ah}bO`OOap01g_3Nz#e{Vyy2bGBmUaL3f
zqbINFVo@*|wK$ZXSeerT`DyV;$05SGp~`DZ<w&dE>FRF1H(*by0;n59D^1%pGY%m!
zpl}e?Bd9Xtu0s=5<e{1oi`TZjf~DxV*Z7dkZ?kw!^CzT=rVMl{ohMkQczNhdEYcN?
zwIrK0jf5k0<Qq<8K^*EYaAR~Dfyub~5#PPn{isKe$k&nzFnT)Xbjbut3-D$?A(4L0
zBM*tR<;q+)j^~a<%3z4W`+~yk-GeD>LNPE8w-&K}sUumdKJsAqXqp2x-r_#29(Tyu
zI;ARpNG0H5mjLoacNj}F;LJ~+i?mOmdUC1i^}fkhEIO99)@WIB?+SMV%3?L#@NFm=
zN;utsDPt}dZ%i9Kpv%Tw#7jJH3&!jAw^@%ZXG(ORk~7=JD8wp4DfEJ?ie_#dPEvb5
z!m$b7cLRCLS`>JPoc1=i=$LbO&c#({k7?K(6N<#VIzrnm3<`hW*v~?x3^80u5A}^C
zFZdX(w`XKy&eYskqeHVtcN!@a-7Y0RR}^N2I#-KFMeKD;Z!IQ}BB4uOvtB+hm&?tC
z^y*Ja%%AzFUOwVu*|$C7N*<CdIOLI}ky#Oadoa>**NLmEbf#3&$X8KpPDt(R4SQRZ
z9RkoNH$fIy=CNv<jqe7?_X%6KFI>lz1Rhc1a)7mR#(OjQXgmBFAryf^xCkew`GLUG
zHzg%3g%XQ*IGws>#O3ygshnSnZC>A`Gsx~#vG38_2n`)135!S4lpv(MWY}*^4+Gxe
zI3ep?a7aUHi;dOAuGu<Vm|N~XtHoP<+S9S;LCI;;RZVKkaLbFk0mX0gNgm)YOhROA
z#%>9DOj}kF@`5^F?dfJcrdLQr)44eY$_%>ix#IPvKDzO8DFRk8H<Fj69ZZUF$l^Ee
zEuF~BU`T3qCK-QXlFzU`sI@r<FAImK_1w#wMYsjmRp*?bJQ{S(HRasI)&qhN@&wx%
z_SWY?kr3fAiHyS;y^t_gp_$PKJ+o{CSK2->Z@ONwOuXT%DN$=kTGtv(PYcO=dUY?Z
zwN-+#X9@!DtmhGA%Tv!{1-<Ud*x7-6B?HL2(8LGz+%X$S_wk}&t;cR@Po$*<<aOUY
z;;}Boir6~w9%%8n2Q}Gzaj?(NWNCp{ie{@<!IDGA*+=ctiUaAjVY&H@h}eR^MBh%l
znhYMUU!0z2N$U$wg_kS1yUpP6Sk5{TF4CKT@4b>t_krbjPaCk`4Ry=-Mi7LlIqLH1
z$TJK#1r-jNDa9E?>bnCi#BqghPWt_JeJZEb66s<ffV!`8?N%%tW(l9IWIdA;qaorm
zI#(bB-6jzNR0ZFAGrAh}xE9I~sZP@rDs`h5oBd+Z74Y?iCJsBtn9NC)6AHQAm~Si!
zt?7BCZEL%8IKoL>aa9xm6Z%6avcnf4PhItxL1F=I-`mixWps@gKyKXx>^K1OLU<AG
zJhe?2Q3aCI!5bopLi8{i5#@GZ<sQE01%}5kBi8&FCVa@sXc^xvT(SY-gRzEI3wt|{
zXl1qtAm39Ews%QMm99TQ<!&~hOweOFt+Qu6=+A>8tO8ySgN-fBfKFm69kXDo*d4{i
zlePBr;9LnB#I1fKgR?Y|=z#8^hVjfMg3c~$=NpuNf?^L`c?-jWj`R?kZj_`b5-7DS
zjnL{nOv~zLFqgsF{8S^et7^^x7sdIAV4t_WaJEfklvkr<MFaPWytqc{qAjq+9rQUO
zP|{{q?yRgKu28I|*Xw&>eI(dmUVQ0iN7AQQTj!2k_t+C~7}vGMP&OG_>5NRsB5e!D
z{GRE1SFE08&Y4-sE5xaDgL8U`B8bGe_GIU++l3ohcUfubTrQ)s8QUvhtwTpdw?V<W
zjI(-mkv;V&saC*x4!Lhm(B^f?RV-)yBsGwTp=f1G&@WxKtElSe$;^lc6Snu;cX6#t
zk5hNN@(|r19YnMn)ctmO%HZCs;K#*BmT<VXNyzFvNm$25MMvK=%08p`%~%E#B^Bpo
zjU}ZlvDk{v)|sz!SwcZ4thbI(4fLB_!g>bKiqDDon8LA^>LC@5C8Cc++iEEXrR%wB
zqLMT|m*}g=L1Tq9E0*_C8r`XBG`n3_QJ<=9GxA0vaHhutp?rm74^`4dDtr9$9Eek9
zq73!e5*)oDs<iUn%M_pnE$)1ZCt{`;9`o{Q+)Go<bMSedy4pjqfx~N~mQG_}i5FJ%
z;?;B9pz1ACtXX>xn^MHUSGJwmUe9!<^Y%TmN8J#CB+~jEexbs4HxGB2?v7kXc#(Zj
z+A-kNQ(?wUEQf6(E8Hv_c}i(8{jzdz3v(Ftu!bf|W4M`t=e>4WCH<eWrqO`-N(9P3
zQTb;mH%NxM+Kczh5;Mo%X;}=Q8HP1)4bxNgzHN|!i0m#E1broQhoTMjj7ZfjgX^hU
z^v%TNS<V9{@|kEJWJCs{lzvZY5bvRt92>n!RNJKsil=WFn69HM;}K9<$%f`8zMM&A
zmzd*n-PnZ^UkV6ZEp#si&kkOE!RdkcSawNq6;=WFPJD34l;X&QYTIF}cyIQJqcJI%
z>Z5BFM!6LnEO-v2I`~?I$JLmQno7mqG5{&2f;~k-W~}6(bh_Hen+!P1!(2mq<ny!Z
z$s3!o`=7{IomPf?$Z0Vrrh22+0EEeg-2!nWsAEm+O>{O~*hz#H^vFZYz<3eT1AEg2
zFR~vz7ROiKmnoto?~_%$PgYE#%N)mbuFPjv$j77Br8Uubl1pOxaHJgBR`iuhtBOnK
zz2(4Smlp|`#PgmGlZFHeISM(9sK*i%35oS&>w*v6D_Hk^017brYT{(`*nQ45nGH7I
zGXO<@%j^&U;p)x(9GYotlvAGirD1?^D1cj0YF0a$`#bmd|0l7K#0&CBeD&HK-S%yQ
z?Roj`J)3p`culz^hbd6In%L}>wrFxhsA^Ep!inu=YAWsyq&g+VE<FMVeXz-#amI|8
zE4>jwAkQzdINIXgFIefh%P-A3O37_Hj4;G8BqnOyd_a-iZa^bDfk)4Ih;1K<TWVX2
z(u;a??k(De06T)&D<x;<qr&C~5}h~N5PqMzO5r=GH(B@!R;#nWF(MnvDwFBBTURjT
zj2t5oTzmi$t}wHYv)t&}d#{xH%$QNq;OueFJ%d@gWt&N`Qta4!Ng{YGDdOx3kNvV{
z)pW7P<dj4*X>+rdN^shdCa&IQ^1<Q6Iq_KML|bb}u5-}~a;b*e^N@<eonua*;bMgD
zM`@8-`j(GaQ`To(u%C-X$V{Eo8$-)2XCs8g(`3!2d75@n%;A!!qVvi+7<4^j{n)09
z_q3ckvoCV56w&MY&X&3MG|0AQ+5=skqRf8L;tIv)Dg~0Yn#s4ARC>`PZ_qqk6_}ed
zo@h{Qx}VAb>m#q);<cdyg=Ks0z{p?}uU=rTB2*fT7LW28ucZw<(fg+5pZO|9>x`iJ
zoI>0LJsP3;>Io`{iKX9m6J8kEQa=GIcnZF1gzGYv<P_9uvw~VK1niIN3Q3lz?!BUX
zRDo2d+4IV>Trj*G-Re~j3y&-jdS@5C8-0pRm}{pkyr*gTk~@yJ%dwY4WcVP5RcE*n
zJOe0V41h7hn(7I$WT?<lN2(!aVFiw6%zLQJZ}N2*b&b00nljam89mE)mK$BqNgpJ*
zq0SZSTWK5>rq>xGngQ#G%+!P1<p;B9(b2_T$)~qX3axri-svjubZGs&>w%z@N-0Cp
z-9V!FOX1`8E0RWtvMaWystZg*4UkI<3zsO`+<V1ZQdZos?4XYp^C_U$<WAE*n`jv3
zrp0l6fbxk8Kf`+|5??fJ;EV%+F$_S=IOt<=#1YIwVa+hEF7zR0<yV=~BLS4>JmT9@
ziAI1U+i(co0|L=ibVGL+Xm2nm56=8Oc{fPpZI5{v7M36BdnWbX05&&~$6?H9)Le*f
z?eir}zS~!F=;`K!ePs}G;_23L`Ebf!<<lUGdee`bizY*;EuNU-?a*U=kiE$yE3f!*
znmszrM`C1*VoBWNPaX;Olf-)T{Auqk*3cT<HA)h$HAwiw7&`zaeZhn1f#r|Gs?9Tn
zlssNO4w>`D-TOJaq{Ug3Cl<;dMK?a@pr~Z9^py=q4cshE;0Y4$Xct)qC;~DR#P@pV
zktyjarro^&S$IgP14f|D68q3&X*FZvJI3q#ep?U5o{D~+1!;lzR@&FA<hg)8&GdL6
zwM}XJp86xC!SKRMqHB90<VeCUZsNJxzO9!{kEL~4cu+6j2{xnZWeLtbdoF%&6vzyk
zA>2-x`3<|}ar8)21opc4=1Yai(o{)eMh=xA3Zv}DV&JhPfeK|kJI(K2EJ6mxLvuMT
zdyjXah=YQ9`c6@>1d7Z?Aw(h`4TN(~DggM43e+t1Pz~DCd>B#G@10GH03=HJ6Xyp@
z$o<}{27qc_VWia=e;q;RL~znNSj*KG2cDRatUr4qsXZbA7h50`J$S3Yg86(6Q4!-=
zIg(D_(Tdu%qTi7gA%Kx}m}5mdr<fW`<7zDsOtw2v8nSX8#Z>SBJfS?=Phj*J=$Rw-
z?y|XhQ=YNy4KCk<GFo;MuML!TPrO@s5d{SxPL{0o?m<QuwXSl;Qj2mvYdCDp!B8M0
zAl;U_#q?`UCh3PRJ8+2H0_#P~Z9Aa_nn3Cp9jvsjoZ_R;^~`1Ir2{ilisnJ_oMyGy
zj`S;Znb~#r*aU~!-Bryb>bE*sq))IJp86~G$Numlyy>A5D!=f>%NxSVs=g};?m%~M
zeHdUd0d`YNzT+V;Mkn;)yAjFS2NW^2H^lF;3mB6IVbA7p=$0<01Bqw1xv~u~{a%r0
zhLi~p6Ih;{3EF!ZxzgMg!~^+U53fM{(YR*(|7hUZo=_Mc9@Tv<Dyt7HITYXG-YmHa
zsSB58MY4kxB(l^uG5(D9yItismprKt4Q@c~*=g7~p3^Ddo#L`Nf(&(;z`NHTb+mq>
zJHr|S91fP`?k{cks$H%lLm=dBTsoKMZ4LFBzu`#<2YCLha4X#XZQ?=tS!VPCQtC!E
z>$_5IA5QeihYYw_K_t3`@5r8%PN6#ABY+IANW@r~XLkmicctiy&%oDgb>)bWA|)A-
z@CHYTw4c57Ycg;+U~EHTtX<6#fiBJmsWYYN3oqhcAy*qg3zru*HoFxE*L2@d3JFQp
zyGJMib*~xp-Mk#}3($N6zaJ(RyVS<)ij~gH*ly>=%kW5I1m^Toxx_hS#!SYPwva&8
zrwhv#H&AI8h0`dv^H?fE!iR(;oOu1_Ngsx~JdE1+jm$rhDIYCoue3AzsND9emU&4)
zGb|3oM!HlmXBZG(YxzKD^W=?I`XkiNBZ57bM<(drv#%(+gEN^!%+vOzFP&tJ`Z{X)
zpt{FZ!`4Ai4DcxdQEueEnk=Jo@28_RPj*>h7x%=kATQ%}3&nYx4h@8@rKZwWMTxuZ
z9QA=IJa4HQshFaNNQOCdiw}o4>X_e)<HhZhgo}f%<dNR8=jK`OH63h8>JxgDt$GHE
z$LV<4PRxc2Eg?dO;B0dH0)}ZdK_r)US+CUiy>sMLZ?2{Fj-Po9n0kf|HZ5p5(znUq
zIT)V8gOV40-u^Z;_ywXB>BARg>M?Y<X?JG30#B*8CtH#!^W|<>AFZl%pOBo+s^kCy
zd@_^IxIeG!jS&IS#RgIc;d5|u>gI#aFkZK9bp{xD8(MU!;hZf#kpn?Kvyx#1;N$4c
zp<olU?>Vn2`eAwQIN7@zc{{=)mdEeGWkbxRGZP?cM1_qpo!=|WJrc65Vwvt(q`6{p
ze!hzV$$L}Oxn)N|glKh2S<|*+wZ&-IwwUu2vOwG%w0V%Mlu%0`tD}2i?kGDa*{aI5
z*34GXs#eVJSTLM<iWC+ywABD#z?xQt%+rH&;P&KuhPK(fHXHZ)j;dND(bh~G2A+!o
zz0@9roaf}fpc%!hVU`o`k+Gr9aIxshj0`3l=#aIbR}8?2b`R`4lLAGn`3YG;TL20S
zGxZzwe$BL`Z!QKf6wty@-ztG=kT!in)6d|4FTz7ak!BdV8xiNEmmnjg%Hr))C|I(T
z!U=x20ce<<{Z4f_o{!~_+3|n~cOADpnun(=M;4>U1<!lBqR_;Lib9nhzdP#Eoz)~w
zJ&-A?W?UFoEOIWLZSg7y9Y}ufM)=L4$zm;v;g!5x)qCTb@6;cs_hoiva~j9X0Vdil
z6c*0&BYZ{mQp`+XX|IM1*3&y1#h*Ba;Z;&4*T9&rp-=WX6Ae*H%yT>Mj`xVy@)-hS
z$<rl|y@F*ZP4uG7Q}Ok;gKe&aH;;;&ww^UzZo9htq84{>Fb17q+R5A`l+<e84?^1G
z6r)OLJG$82_Z{*ITs5+$l{_R-(m1RbQ57d$mJtTHaM5m^q@ujlqXIU(j@D0V_P#5C
zS=c_0D0@kwl_GUKN7<d)QwWS(Y*vF#oN<v|O$_;h$6nmKusKRasD(R}or>0xDMn?k
zaAQ(HhHK@MmkD(6T-#F_)Bx1dc>yh+rU8>rVHGLP-mVcEJme?m{&4o54(^TFwF{M_
z3(J5=PRDb$&=sdPUA;B#$bRCM$(rfs4t(#n#7VokC@U+=`9+F3E!s##9KFYHOJa|p
z$8xe7b?i+|L6|-Qwhj-Eb06f*gO~R3)uL{{0Sm{>j0ldI^VpsMB1*GrUJUp2mvz?G
zdGrE*zVnCUWyVlvbG&+&U_OZA=lIy?e2O%?Mk<F=TZyVx0Jhk1UXa!9Mw+(sPR}J=
zgzfYi_<^|~zn3Oq`&j8317FW4HvcRGaj(&HHi{hDoEHtQOlc$Yft)e{f!Y>UZwAfD
zWOJS5TYxghkaO_4$JeI&w99G<r%4W+xn~DOttwx*c;9u{)eAr%!U7ykx+0Y5#tNf(
zB9q}vOPr7lik&qTJ7o75>#~aa!O%0NV|ZE;$=yvZ`3Ufw8VV8v3hoVHcKN|DBH|+4
zJ6_}<i)SJcDQ_A)isWYG5f}88m5%4uh*BqBs!&VA!@1Fuc(8itb$L_Ub&v({9EoU0
zpduqeI2zl}TWL(6HaoqyVSyue_Fgb>)NJ4y-On}Z0Z$sKT1zppE~jwFMopJv)r2?Z
z8ertL>>*W(wX+Ozw#i7Y9;hM1a|CMQ$A)&?@9K2i2ShX=-1I@V6f=lveslY*1-U43
zbV;Nb054aod%de>Y@V;|#3%}}gfw>?Q!~7bD#D{8z^)rkre5yHJ<{PE-TEZ9Ghkm@
zEZ|*bgH^&J+a*6WO&nDhg9QpDx033Si1k&?+`;n1z?Nhawo@b{czCI^Ib9;8G>@ns
zGsC?$nkvCK>$sHk(6={o`s6h**kQojUXFnswE@^@+>w^EM@nf~i`ZJs@Ch`iAf7~=
zXnSapbfA?|B}wa@L%hnfK^0%K>yYu(WZErmz#}>!H@kRdT<g(@$TLFNfVe_QJpI`7
z9qjM-G+`MhVkbRg(lfh<Lhob<#Fqr8oW%AT7d*r%p&9;XU7p;#T?-nz#bSGS>S#$u
z98nJfUy?K{#AS?g%`@IGzy1Ulp9O)+H>~BZ-)J&i+N@pgb-+>K>tI;RVibC~FLpKF
zT((6NKy<|POd0s~N}_p7lkC27MMI{Y=4L1!LQ=)!$eIc2O^ZP^L3a=iz18e{@tXT3
zo@p^qhK)5vOrA@z<~T3vV{NrjCpEE}CDMKYBg25JjpUj|&%*Mw>IrVt8^1N-W@CS4
zZ=oo7vrGdOpWdi%+Nf*=jl@ZDOE$w<Q<1G5Y4E+^$Nf0Z+Yk06dSdEuo-ZuISw!lY
zcMc9q#T1RrE~kM+)<&Q|Lk_2kj$s}<Q6>o;KKi**FYf_Xk`SRbrj;WcKIpq(tWxm;
zQ`$WVCSss*LMlIiI&?Ji@La<H8!CCc>Q(T36Pcf@x+o$RKJcin9W=Y)&-`Y<pX8W$
zo3IcrZ|Zg%X0#@F9nLCaIx+UZ<ZKJj1Ye%&Xma)0pjLuoBznA5vUgD=)oq=QBD)yt
z{Ji?TdB`rhBbPzOO$|}AsG;z>ABI|-N}{M<8=)R|Qz>DhUomrBYF?ryO}%P<`1VdH
zTCESA)xn<%iFmXj;uzIkFB29w1IJrans^qXkeTFLZyGrtzOhFa!HKsjddD-!BG}7o
ztq<#EiUKDB0M>K!^ss!M;1JUEWD)Y|yemwTx>4>YKoC_T$$XEhvSCC}6I<PeigE8<
z)kU}Huu=R%M^}6g^AU#8yvKGAbl3`G7e!FnZg}_}UiIjykeD@QYiur0F};RIoL!4n
zuXo^)r)YK)k5&1*Y77V<ASr7hcd<`&_*ojPEriCgeIED?c9=R2`*F+w5R1+#ut_<C
z!5%wX6Hyt9N#V86OLProc1bE%;@eD;kj%t<#}bk@T8cuVG`oaV+04|QM7yIS6QUUo
zsZOf><XMTpZU{VqxzfPRu8|SVMXoSV^;$G;kGXf7Ou6z73Hd2SyYr2{Bz0<NvUmsg
zI135Ax}NRBV<WpPeQmZ$Uj6?`j`3`=lpE=`)=*xZR9Tj!`3bQOQ@1g8>DenQ4~Ki|
zrCz5mYpzhtQXZ4vB9{bmcz4Kw;d{;sZ7n0c#c4Gw?rZn3f3btY7Fu;xBjl2!gCp1{
zt?w14>mV55Z~`0MFx-1BkX>w}w0SB1@?EX4P|_LIRcAa>hvR;27t!J5-e5ChdG}iP
zlih<)cB#q7H!YDk?-4oXN*;%gaoLl%eG*F^%Yg)Ko4fjSttLEd?<O9g9e2;F7BB<r
z>)E*>dE+Rwn%q8?;P}n}yN#>_&HIVyfg$1p*wSZH{USQk;?1S_kp#($xTGY(*eD=W
zox4N{1iDL-bul|@NY~b4y+xYxeLWM?SLsqS)4h<Ez9@2zXZXf9Zj}{<hUUF?#2Sio
z0w${WkY-p3Fc?eX1>Har?JK36nvh3P4M-@>dQ)odCPnSIAe0Ozj(xTLIFW%1)iAN#
zQwJ0uycdFgg_OpfkS)2t;Ej_G^in?0F>FdVwa_}1%yRN^UUqmp9NEC^oC}%>zC$=$
z(&UZs-a+>6aCC_;`A}v->}~G^aojW!Sv<if;ZMKeeHMv{%S7(2jj~x0ENw6qhDf3y
z7kz+Kvc9mmkjm(DMiB$4X@*yhO`TCgRlY9-3#u)iJjoZlH3&}X?x44_cDQIayp)Us
z&>rj8$4N?^JB8UL;!7j?4hde-I90jp&a*NFA`3^t$pR^UXymw=X_YA3{-8=4sRVUK
z88){ipAE>(b;6Mpr4T-3b<pC5XHq?onN$zZj#$HFN>ne32g#0i5tO-KzDd>D?G)m-
zkCa22TAzbFuN!(BkjFhy72rn<_)1=Jwdk;SdumBk79fZFW(~f@gv5S}25Z0QDVC?n
zgURBd5MVCM=x#oFN;|ngPfTrTUc%mc5=7~Ewq&8t!40M+%UNv1r5Qm9rG!j{rfJMJ
zP!Qnw;S|L&6@Aj9&r0#e`56-pwBo%9?OTUF+@SYV5(7!4sT4DlMyDGnPAgxIywvn=
zf@_2`kkv8+L69)J<j}@8@O);8j|uqjnjsL^m~pUV%_;;l#|rR9rm)CtP^Cbs&clJ<
zQm8`bc|D6;c`pXjr(7E%Vn=0#2C%!DiwTXoFX9y?vbdgB@;kXD$V<;<XqkHvsu#pM
zDd$CUsEM<brL%BsHa@Njfes4mUQw~psmTuvh{`P;-_(gP55=<k1BCNe+6y4(>vwuf
zO%7W9%BWvC<&^;wi@qS>i*qG$!?$s{)JZ?*UO8L6c#ggfP??O<PadYDcxsk$1o4yx
z4a{3sq@G-b8c{Imd;Q|XZJLAtl`)|DHM|Myq(^L*FOvyZ5UXsk-PS+x@n^Y^#h5U6
zyUuJNw|%em9H@ztCVQR&qdg`%OHWIA+R6D6pW*hkjEvPvHjK-}LkJ;(xmJm=VWxiA
z4#5jaw>K{ot1CEnfL>rOA#_igjAt)b+jy)EtqiI_P0FZxc?s0DuYxZ+9}i{ZtDNRL
zIk1I>YR|a0P%od}=y;0&fL~^o$&F#&OMYD2k=7IAbUEC<K^TalqUnY<RPrd*?;L=i
zctr&4kUj!uMF*~=rL>JVe(x?<`dy_+r6l#UhJ0sOV~F!^(IWcg6k$C8AYsRiU1`p_
zmlX|{0`(|N`hMOfWJkwE&5T!-fv@S6CE#M~lWV8<vZ5Axtb^1DmArr(!q~%TLR2M5
z>Y)z`AtN4T%1X1X%D7lEnbW=+>X;V*^2tv=YexHqX%;JaK#*H6l@G5VG(Cb94On>1
z0zrlI!U7?y*>Od86YhmxI9beffJ2_f8r7qS!A7Rqb;w0}j{17B(oWOKSS{*7W)C@R
z@hXzPj)-sr9(@Lwmw|kd&p>(#RNUnR23(uA#Dol>$qmt~kl)ejByPCR6=Al?7^w&0
zvJ6sSKI3}toO%oFT~uc^)I(L5x-pLvcoc^4xX{h>fiORL?_$%&Ei4(~CCxD!kf}ex
z8(BbWm%#^+tc>WHBr3etNpaL<QoiS1YeGEL%GD2QuNbXQVLRR_P3#(l{RHSFU_sX?
z47v79tlwZIToTV=JnC>eQZaevzSJr~Xsk^-NH;HN$~Uo;jNM-M8E+Kyom%T`6+a~k
z=n36dGp>A}0QI|YAj>5_F5?%8*Y6QNvJ8$&dw|uA{@&2DHwz%8{wN$n`^ni#_q*qD
zb<B)%8qsC9YGM{x$V`mzh;u=4=kyUt>?>Y+jZx>$0!(iPurp-~HF28Ej{-Yosd?o{
z)SlPOaF|S4d%&buwR5-8-D9TUfng8fFgKOu1SknQgL|FePmS^^?zm6&9^x~5KHlR|
z{aV5{5MJ*nAe_pjNg{78t6hrqQVj=tsjH1~#+)>4>j^>Ey<Np#J<w{u=gM;@;$)^p
zIOlD5U5flXMeD4F4Bd-U@KMzfIR)jh?xf4_C*^(|GzyD*sm1n!XlIoNk7Mu5NJ&n$
zm4#Pq*@7hDxTS)HeNvh<YO)PkSNH&}=|+uv>77pq3bu7MEmb9LEew4V^iP5}m(%~#
zvvMBg0(onz^d#n<iM@yAZf}Ri<j&`867<<T)qRiG@ioO+I4z5K-9X~K+N0YNt%Se_
zd!{eYDjI@ZE!c%Ecf%E65XP+@AgG(C&wH&*=5<PZb|wMPK;c?oR#4|<4C#;AO0gnt
zSID$wOVwdJmcad>W}rpgiIGO3k;I1D5kp|b1J)D(fjUr$u^if%TGQo~6<;YdRX#kb
zMkyzMOqS{_Y!-dgV;2|D-M;sHpbS(<3YQUlOY~V4%NRx%usTKV5@IK2O*>&M2#i|T
z>mo@lRKR*Nb?iUqput$Bic8Pi3#@vI@Z@5;9nMLjW166?Unm|7o`P6KGcRSTC07F+
zlDX?r9}?=AoNt{9w#8gzL}v|<6M&OF!0-NRpCu&RmHc7c5QOl<^QR}ed=N{bFSPV|
zQ?CX=$GtW28%&4xXLRormnU;onhz0%);b|nvTYtOal<rMzR^3Vld26W5|<<4F=6Tw
zeu<gFYCL2DX7`2^(vOGV(G(Ikm1P-$KD9~&Qwdkjfc6duR!Ad#ICwHKbQ4lr81-lh
zyR>28Dg%eq1LZ||jX$N%#L5y)&b!=U4t;YFIzCdk<t%%I=w7r4hk1^eNQa`eW%=AQ
zSAw<%*|79+CZ@IK9N@kOP&D?&Jt=nx0owf$F5_O4X@DM-I81xUfx}ITG5-IApLIlF
zU^0rPP*}Qg-jT3M8xNQ;6^ZiWID9Rv32tG#X+%$Z_3;BrnkOBvS4pdTT_>X}j-uK`
zw&5rm0ut8K-lRc&GW72{l3DspbO<a}V~{l~!+ipbTM{LTW?fJ)9itGf6Yo^QPEm9n
zZsvJM6Ph{+Di7JDO(IV4Lgb7YlzQrdW6yh?&;VSw*7Ka|m{Qy)15Y68S*kcU8z<*G
z+J(atWj3;S3@KT7Wp>laQ3P^em9F*wv#w&V`1(C*S7$kRx+(m?v;q^VU(X=v;(M(U
zwNGNgSDbN<`<((243GEhS{)|jW0uFe-RgHQ_oNO$qhs9?v2_Jw7L!3=BD9l}k^9-6
zxP&J;>v0T6sJ~LD<^+Ak4<-2Ws*#*Jm@1uW_5@|G4`F^mbTWDA-hncVK`+#v%ytWO
zG{`&|t(wSt3wxl?b^CThaW*7srwR!Sc$i+lYL6gz;Ku?B3Gb<*JqD(E>Rpf5uKD}^
z5ue3`t^A>8!d1zrh3dWa*Jurv`9|s4hF*`;(yS4YdK~RqL~vpq3;1gud$Qxh_&~a(
zdQO@c&+M`bCs|V}>UA~8=A5}!k2@Y2X2>PloY5($VB{v;S&SqiKdbOvJEW8bP_lh4
zjKmrU5>9~+Z!@y?^<Z^X-Lp3CJW}%osVnT@@UTt56TM5GyjoXgMO2qow4?{xmIkED
z*^X)vr$Ljqb{I!My}XqW^KgL_;Q`jQs+2tjNMTD{fXgV$@o_%qBF;TT7nC)gJ;Vxh
zuffF&n@D_3fb_PXgAzqePWI%x@iPCpnx8vAu5^(!ZDWU0(DS3W!4zr{mE~1*?Kckx
z9YVF0!w?MjDT}@*kGE}5S$5OP8ZRH7os?F<(MoMay!Q@dGrl{r!)HbDzQa?y6>13g
z&<P|Zj~aJJNA1occ70W9siI30?x9D$dN(|26ebRFJr}BK3ZpBEE%M0gfs6x3WAE%9
z84nuCWC{_o)nzEu>t0U2Cyb_5JXnM4p~6hBd}=X~r1>FAQE<Uy7tNPW(=Matua=9M
zABCuOZ*!sZu&{3~-DzUHBc>Ox@-4lDdum76{nRkFTpr6X%9V#@zey(A4a^9B+%a}&
zs>zIogDMDsO@3|hg0s8TdrMShNFO>24^^T@E{LZS5_zK;lLDRNE*jM}#4}dDsIlj>
z8{C?kWtpqHl=^IcV%(qzG98cR8D`~W@h8Uwucv#s8K-zX1Z&Z%TUpS>i5`WQEw7#I
zt~x;*3JWf0_7qyo$YZP25qsV>3<|kr))n6vKg-Hy4_FxXT~q``0G&6Eca;oJVF`P>
z4DbS(Ag4Gf@S5Avi+FVp5i2ZP)-%W-k;pSbdMNK@$+|d+;!`Laq^;dEmwJ?pH!h~B
zlct=$qvP)lhgb^B$YVCqM$dFu%p4xP=m+y8W)}@{U$@@?5^7voH}{ek={sKt(%iuR
zuj}N~n|zj1!7r-lw5sn-#}kz$HEnEJ-J+S7aITq;c7_H#@Gy+oG@b<)&E?Zj#GJ6R
zR~Dl1if;<Tk8Ws-u^0uEpXd_H`gjYrh)jDv4B(7{!yMSVEHl^4ev?!fDqtH&)JdZJ
z>}PlGO=jC$JulE~eqj0>$V^F2Zot%z^SmC*tx{Rsau{!*s4=g?h7UeKf5=U7p8j+M
zbYLXdm1X1HsUP@|O*~7+PmcI~JE3geNPew*EKNk(t8@MCY}Vbm=h1ZFyFEBF(S{fz
zY4kYCp?suaS(7f9j_#Py-ksOskoDT&iE_VMlv{4DIE1-+k9}aE>+N&58<z0I;p|Bd
z3+8-xEe?0_45LH(UM9b3aaQ9l$*2}nsTiF(F%JtIl=GQ*l8LYG@~T(CpA`pG*&NNJ
z-b-X^uM5rU02-%}NDJII`W!hu%E2L@gMz5{Jx+&QMYOneUbxEvAa^wH(p0n|+Z*9-
zz%WQo#=-QVnO@eNs^l!|fE-bw@FCM<LiFhM#wJ>%cblu}J!q-eN&xtNF6#xlUMjV%
zdQRZ}=tMJvriv%_rY490Camxx_PYEvsdGz8N~ZE!61PTqP(){e+<WWmu3+U#M7rE{
z-luC^;r$KreHIu%dviwb`Rf>VSB)m|C64zLx;F41Ks7GirZyLB<BMXs$1i&!4&`0z
zBVMds&n)i|T`zWBoUV)pVX%G|GU?-o4SD9fZ^vI!T5LlX7zBmx>dTyRK2P5DwC+x7
z+;v`pmk^r{?*Zp+A25Wi+Q9jG#yl0orwu9LNd}I~Z&1A;*V8ZrTOL1&<$WN$LQ-a-
z7Bx95s<$Er;NptD`m{LV@;s!vHvmz9lVd?{MDf|?(%^ZZ<(05+=VVPHJV3<T4nl55
z;_xJe0#^p%$oIM)wGn2oF+F+d?^(h;^%!miKm}Fvxr&EB@5{+zxyI+w{Ho^Fysf*d
zF+3o>vodYYo4Kozcl1`=GlZ#kASNSeksuorV-K_IU8-j@2HK8R4p}OMzd|k9;yd~z
zNuO1Q+@#_$^wC0kNwkU!!#zy{>_c}B-PaF|&AssH%?pM%nkFn%2}<&u2i!@H0R;19
zsMB=3yb5wM3=DjPXh0T~dYsdadfQcS(ac)rQYQ~A)EQUY&C968hqemBdf60jHfvF4
z-x0=K<)QKG*&+{-XmdxxR0~=Ra#2+z({}6)QJ=)f)Ob>CcVm`JZ3%1QO*R@&I3Vue
zY8YkDw}PyCI4+RYizAF1Y}zrhMvX$IU_spY&S_?{JcO9D2G$U<-dwEsn2t+MID!`G
z3-PD5z{4bpA|VR0TwLXki>NtoOV+AjFfJf|-d(V~$3g~E{kZ}zz!Y@gU8J6qG4lys
zpT|Z(xt|;@@fHWHy+jMSEax+yq_e#C@X)rN6;~Oo9^(<ESPr08r`u1I{C#&}>&BG0
zy~^N>HmP*gCYYASE@(L4AjJu1=MbHd!DKi^=e$~)>^M_+KG?b4SEqpyt-Y_fAzsq)
zycE5aBuW4iJ06=|nJbXTgqUHupz6sMh81F}`%Y)rn@-FbFYtg9AV)S0?hRYy(+AVi
zW4@V1Nd<_8QMTrTF>?kJ{K&%d%mi(#MJV3&0A4G=_^@ilT3Wi)5nXf(V{Fv8@yv}v
zIHJHzo{!yDCX?}j+e^{sL+AiNi2F`dgj8~P7_1+xH1Hf+zW3H<w=G(-5K+g)-Uar6
zE_S!|j*yXFyV?!M_SR~hgTM9sxxSTTEE<d6au9C;1hfuoLp_Gmr)@UQ=bLq6Sm`$#
zkB<}kSk!<E0Z-K~@XbzD*WNvJNXAI@wz7aq1zlBmBZ%_N^0VHE<%QvO=XMyAOuy~e
z1AbAx(^|@AFE&x##Z#9f8^Lf5^f)Dzr4xC*%~(f85cPrj>i}&p*X;m2n%QAgD>{Gz
z?YeBuU9#sOShRA7P<*lDHBdeoOhD~KCQ{T%xibePT<xPu56MgBNo4^IS`mw9jQK-w
z06nR)S(B26N*6AEG+yO^Yk(Uu&9|8&QH^bgkA(_&h&D+{l;X<awNbw^9Pt#b8Z|8R
zTjHI!G@a!BY?N*ahp*_lFbDwGE83^vn0^P|qw@;<e64H)@@3(UC1c?LK9~3Uo!6ac
z+O1k>@O!;Zkuj{`2lNZ(%s|V-9fcM-mCAjL8DMYh^t3zel=bm;yauv5uSPvkcx$rD
z>K1v7M|&r|k0d~jTr`2OsXHLq1&@22l`>an{S&6>XRhQ$ot?(_EZ|k<5xt=Sk4Fkv
zGs-7Mmx)#O00X^mQ41FV1t-@{CZS=JTB2zN1e#mZjRCO$ogd~k>!U0nM<=W|`O+)-
zb?EXLxN<i0BIpGZA_%T=n>D_`I++TgSPfCD(?smkpjTBnMCZX;Cyv~pIxeV0gDFUY
z02D<WK~XpS%EkMkKWo1OIUI<>0#lhbPb4Yn<he?4!0Md2L=%0~Udp!FSIo@ilFVo1
z0SY#tBVftr6r|$jt{SI%JX_)e-U6Lqq9gl`V=yhpXyKq}sN^6Z`}Dm+H*X0fT25zQ
z5EPPln~tql_p^gLH;^a~JiY)?0KiV}Jy**!i-=%aLh3}L=O)@r^KJ?I!X4jGT4te;
z^z)q;qw%KLAFq#2FK9;uPjxMvKP9^QUggT4tGpeh$$59-p8NJb>)w%<fC_}q3M?AH
z$h=wxS6en#2ir*OQFhgc17>r$aJ>?ZVYW9!$52)7{zCMzG^tLL_!~nF&9LOf5V2)k
z;n`(>iTqvw$OYxiYfc+i<Uz==jJX6m>j~CNmZt<tGxK7~FP3;pVKV8d^8wh~d>Q<7
zd+Smj#g*E<X!Nekm!~^i$M2t$Kgvc6K;_#O7R%^LYg6l#pm-D9S;p)qutmI)LFoX`
z*sxc^NDm^~U1t-sxGQ-)POdHY-NWvAc8a*2tWWC=`1E_^Z{s!Y)jQ3b_M4`8XitGp
zfTUT=F>HR$&0<l)KsCX@9Ueunm3N7f(=i6hkHp8DmUs@~8Sj%JqZ=QLjmP%NAMNw1
z8608EkeeA8rna~)szguQ2J)djjnq$^_E~=R#Rv$BPt63`#L_%uQSn_piFo<0E#UYR
ze4?kA69PvnxZKzAviatuIhfxeRUo#AyRwG95JB|Vywk_-hshRYQ;3P8uoynm-F*Tm
z0YUua&JMeLaPYAXgt;k$+h}D!F?d=Ku$Sw-E%#pOJ#2~W#cU(jlX55P)WlbMbt1$w
zAPRdRo#qHURKYY;@4;<udt}OLyaYIZFJD&VyHy~8F<Glcy?gR>TAAFQz#G8hcj%tA
z1F0LSCpR$IYa=GoahIwEc~B2(9Q42!6h$>)9J3wK%sXkaUq6lt1$cmVy+JErOBF)d
z7ZJ+kY`=IWL5)KfWf#?@Es!M*%oBhx9>WkjbtFL|c+m8=c+~xn-oO>G)WWmF$3+t)
zUGA~e)tsFC0G?L8?3Y|vC@of{{K?ZlYtZ;Vq0kf4RoPBJk)x1<zU*;2(u_dF9WnK}
zH;6h9A1*x-tK<{j*?4y7aW8Br!!Cz65>AS7d^~3C_5q4oM8C4qy66zAgi%vEX{r`{
zVQf_;r1Fa61@s-Z+rFNA%@s19xeHP4SC{Het8X5eyEp;|)-?hij<=F74eYFw=YaGB
zOPb@$F=csSu@!MI@^X7;u$9V(w2#bLII&7Cjj_$LwY2C$jt^cbPgbKaxgu?Hn7|yr
z-2enUM9GY-iaTX`JhL%bRe&J8Sfj<&(-s8D+>Zdpt<$_g<M9AJ$}x9a)(%*29t6mq
z*qw*_3n-^J#Io24PqeK+h|^|&BQJSxbvz$5w_c@_y1n3d@#xKy9;*|?@ztw)_BNaj
zY=HUP9zpn6lH&nyh!vO{xb4CF2KrfuDDj;Ocri4+Hs*MxN{`57`j!Ko+x(2s;)syT
zVwK3WJX@VkQt(iSYwShAE8qcmC(<>(ejO#-xT#gE2?J|PDCnz|EQ61M<YH)gA-&4#
zkO?wQ#TJS;;~s21Xmd?*bWGd_8G5MC&+U04)tn_47rkrGG!X7)cg(d*jJ#B7ZQ8}6
zoF$Bx#}9<lGZ4$S(Vx1?uujn7TFbsNN9uSfpey9AN5ckK6*Mo^F$W>qSpvAq74tj~
zl(lpzqR2~;L2!sqou4Qr9N9KN7mcf2%NT2OxXr#)0Ye0Er+gW0`RW$;%_z{s=HqE=
zxdE;HIYTV~wTWw&F-y7-o;jPRl*oYfTW~@rnOQx*^U2F5OF8$e1nb_rC2@|a!AAu;
z_lTqbp0W&>-(rC~Q$Ml9s+I2*AD`6-U2&(E^-^-s7VmI27o2BX94>4i)!b!now#By
z8*{<b`1Qs<HNn>@cseJ^B6-kqqgfZ6y@^0cWY8qcE@{qs<$RQF{Q|h8-qpQl0Iyf@
zAyJhrHm?AP)eSE56j57Gg+@l~b1rl~fkZA)PrMd@n5Y*%wecQ>*h|xAnGG*%{b;G!
zh|!L8c%Fa^YMGcF%hQet&S#KsZdqVJC;jv?MBO4GMfx^kjo+q-Y_eG;Z4`6&2zZkT
zKT^cJcq>9I(+|Zg>Wv`AR&uoAa8%sVp=ew_Ug@MIdIS9Uz4USvAKF$;2f!DmM|d|!
zAO{^SKancXSwV=35)U&%iE;9DY_b}Yg|eWn?4@9mz9d+0rPm^;FNp-JMCdI;uxCc%
zQo6Y|@O!yU+eF@WTw-eR09amqAr1Jx3;Dp^ETt~*sVMlS+FN#l#urRu=+=D)ejJQ_
zjkLmYRMD0ryH)!NQ27<RcAks$YoilyTwbEUN#8e06S^oj&LNa5{RjiG0CE%rdMxuM
zv!mctDOWR#MKA_VC@_W5z=kb=c#TqX93+<{976NJ{E&hOkb_2*W(?2CH9DVF3V7KD
zuH)kKMnj#Z>{|lodJk}c`y4<OZMP3g8Q3^wSo&t;cxW%)=zvHCgvZ0+@$`p2rQ;7M
zouA@7fH7pFF?K)VXN+3vp^aq2BKHWvu(PXO7Z@eWJ-3~4Ld(kY7#F096_Y_(>d;gH
z57!iC<!6^iK-YL91T9jT;*g7L<V=DHFsx)f^#92WSHU!CcnM)bxg1A=*2B=9CEL<t
zJx9PuK>1l~``P7OLd!JuWy-|kPp0@j^QigDDtjrlMDa|l7T(aZ)apKn7(D<O;MbnQ
zbOJlN)gY2~NK`Q68`Z=vq&uCtZ}DxTuRGbCB^I^YHtPuVW1L-oa3ii5Ci12q)NTqK
zvm{uOADVhn?5lSNGBZ18f`_xG_~tE-BTObGbO*4YUL;eVDi8{}pn1xR6+F*eWOVTM
zY8fkq&VE`I&e`Yz15CPS4*ax*ZG+Pa`~b7-nv?v=<^rEQ$N<!PS6(NmvV+e^uML+p
zInqdxjbbxt+lfJ=uow<WpkGmzyEMF3hKe(F-I0rsXZt@M#zJqopJ)dfp=-aVsB!ni
zLU?P^v0>%n=ly7@Ve_s@)N1T?!$W~IIeIfIH2YLu3n6XMh5>rc%;}3szzG}3*e4h)
znD*kG%mVB(i{9$;Az$dotgRjz@6_}DhWb8>lU%POM3T4|EJHXgqVo!)6IBHS?sK>&
z-dD&>ZUr(JuuRy6QJHGbs1jN{YXb><(V3?QiqyO^`5lqmy99Y^36G(u4Lv3J6%{Sj
zWq6A8lSEcsA4>(Y_qtxy0p+D|k7;DY5rUEIN`g%8>-UDjYC@Fc#G5_UE?}{YGOvfu
zAEF(gs*3#&Sp<+mpVTA9(G9r9o+5cgaJei)>@Ro)u#}#>S!83lS1!5oB4)M;?ag}W
zK;^^82l=Q<7U7PGhhmCOoCsv&q=90>MPtdVOwu6B$p+`1MtO3H>M>LWmYA`~4K@9v
z<x9|twBE;UgqCP;e$Lc*xt4I2j(S7G@StY;UgpV5<yCT?PI-1jdAzFu5z`q~9*_}z
zSup{eB=-!=MK!buTAALQL2B<AaMe=>k<<bErutc-6zv^`Vd~=YDjMWfPRPh@N7QN5
z<5J^lv>9_iRFoBXvwEWCT9}4I$HWe94?Ww;27=&4Q0=p~oDvx7xrd(k^o^=0!XOyz
z26p=->EbzKYNVz5YjId74aRvm0g;r~cu=9V*eO{UwD>qNh32rujSW`Z@k)4dv0$9x
zp#5U7fLmEA5g6OXr|vx<NPU!vqU1#rk*^ux&h+TX1B*QOc|~?4yQ+=(|6TI=(2#pJ
z3sl(1!C5Q|qlu7cQDKUP7CbtNEX$I6KF1GUkXDCLPz6;7N*79OVvQvvBX@CGVm9Te
zpTJlgbhHujn!wq>yG-%A{Fzg$$JUx8ZYC&2$Kt}S-w3f{9P%wQWqZd0zZL|!%6n#J
z=(Aw_IQ0?H-7uv9rVBH3q;)p6k3U>;DClyuSHVHwIhFKtuB!U>M9kGblx9Sy@a*W=
zJWOPw%i``C3UyF6d8JP_gV_krWZ3iB0Nbbu+ab@uU8cyT?2EHJ7*rgW&1=2~FUrt5
z&^IfFfQ9J=)KnUZmpVLXsN@BU>X4FZxCZ8ocokgSJyfGQuvsNjl@-9FZvjkR^HKo>
zju}-SH*ztVP14?-KQ8Qgmw-iYa9KMbR-f*?$&ClcZBtuHQf<PQUE{-1TS@n*u^GGT
zdSDkCkypdWP9&_M4#y=9+SC>u;N|*K^wXz!H~Zqj&_LzE1}KtiXx~cN(klfxmO08y
zilBFtHWyL~mu~p-J;Uof3dCM3K`i_^TdxO~JPW8zfK>ZjXY6fL-FqihXSWH+F@&Y5
zR_Y~WB~eKhXgBV?6PZ3Q7*pj$URgXZGM82zWjHG1JfPS?@BQS;-?fTHpRhX#&k-!0
zo22^A^%4J%G)-U3Qo9&wVb=`x7jxMl=FbEC)k}Sdw%Et$#Z&<cIqi<un(GMC?!K`-
z4|5Ycaxodm=LU_;Z^v-p<#If58|&!_KVx-~_bk-9FpCZODeh8j4joS+I=vX$+T&{W
zbd$!YG^J3Tgsn{nSipKGPyib<+}WwqMaTny&U=QNj{?UOIs^=1iqqiY;k*0)5_mCf
z@_Nx-tvm;sea=~R&mQ4gwx}I!i9p2adt2q&^~mG_07F2$zXqgYtL6|N9`Ez$qUSG{
zHnSDw?L3~>@hVr+RQ$<Hq2?$ncylX!Q*Q&nxU`QDvQ>YAJ&HZhr$bj0Jxr28YrD(1
zobOIZ--&j(*8?|5s=X9ogK4>}rSOmjQ+ytmH-T(fS@1;h2w<SMB8}c6ce-2Wp?`vv
z&w}-K`uV%7fC@wO8KBGrDr7lQ3Xr9)c_Xkr8n4Le003QD1&225X=}ic8ExaT3&Qd%
zG~-uLKxS*RT7Du6ke)on#?ZSu1x_F@W-t^@0H<+-Br>V`kZmDNi?R%w!?}@`C{`V`
zie%L(&*d2esewxzjVD~&a8PxnR^cl-l{H)g>6Fn9_EFuTF@kzJMIlAZW@P>Ja=;@K
za$pIx>v<hyAA+7o9vREQw!IPJQ14D*>Uo_49bCww#`J`j#2X2%!4j<Q6>KMyr$La~
z<+VqOJqmb!Ew_CmRK6GDdkDLr;AJOW5sz}hKztk244~Us8=s}(?#~md<9bQV^gMRN
zVvsX=F^NwOrZI9Ku3JcNtZKZ;QkJriVAh<@Bv71Y<(GovDf;#bC`}#m;N&$RgO2n=
z+RWBkkx#PvS+xS{d1@x!3Q?d`m#^cFcJ?$v=qtPP$HwO@yX6{Y3eaazV3odPp~$#P
z3`^JR{E|Ec@@fMJFsY_n0`IL&%nB`s$P-bh0B?`S6cLcG^QlFPP~6QashQ<OW6z#L
z^kl40PqAQD#YUs;C6h(gJTCNC6ONtN7Ec)xok~%I32=a0iZ*jJIJJhmLHA_RFCP_O
zzEl>8mQ<&(AOMSb0xej50Q(9xwK>p`i3&33#^Dh@Q&A`f7N0Q#kFvz7?pRx{ICtFa
z(T>+l=)|5#$AP@{3{evMS_XCOCOCwfgx+3uzWyIz2vl$2wcZ#`Qkos3jRie*arfUj
zmiTc&fX3Clfy)MPkjw$Q5nX~RN7NEF%?+s2>}}_!Vj=a6t+MM)AC*u!d4ilTB@%RX
zK?`hJbJxy9>l)qn$v0a6oU@_9Y=b5oa4$2eKm?Gd_TH)scgXoDgh1VTL#@v~;eJ|g
z2rHInqt!cdj$?T@3j4W0sNIW`0XK4XDn_dct(T$)?b)gHO5}k=OJp{k;#skDsFum$
zL=fKbN+^SpdG7{hraetc=O#L`jh<S4T4F2-1q#aP=_9&AnTPP^(M-%i(#=^axj>|v
zViH~QyY!hFUsROnAOJ5RQvr;ogN;KdWbS?0VkcuS?4lz$mhaTdV2I+}1hCgdpv>OU
zYn}9**ZUA4J!HJVFL5`=noNtq48nj~5K7?O)@Yf|*NFYxnw(w=+uo~Mv52glK3P1n
zx9Jd%=m7L*o?U~uA_2T~^b=cyCY33c?t5FFeyKVeCHD|V54ywN%h^!sP|1<gAgk23
z({DVSoN3`mEhajw2zrF?F~m&DvGFHc`>bE~P+62Hne(-IVZh_f?GqQ1tVjI}1DvRz
zy2&&gj6kvGW;8L4zfBt{T7hi?5SCVy$<0k=dzx?{3MQu0L!smN3g}8ju$2+qTy#L7
z5LS~%#H{>fcwTw*u1j#oG{#!o-U0c$zQJdQ<v__5!Frq>$z;B`y1-aS9x1fM0zLF5
z<^^LxSJsrkq;Eb!LKakR%F^nZC)mtBZ@9oMTP!8|J(m&XL!IOuSq0k(3yFuUcLjTN
zG)3T7#BWZvBpxUG6TLPiWXxyo$n9@*l-R{gSll3&(y8qcWW!4ohFi4ovpt9<l5~}P
zxey%naQTe=%2V)|O<*5V`qeMEQgP72tj{iUHvRdN6pcxuG-;XCZq$gUvml~rWXqEY
zmUTEyQ((X+qjp`*UHUSc`E75zTE0eg*258+2h!#CvOnSaXA#qKg`uz~iCi3BWyoS&
zJY=2b#=xe2%B}2$CRikt9j~%qQ$F7eh?@g`M5GLu@K$O2F+CxG@kgbuTxEb4V{M7&
z+cA(!;+&~7`Zh7bdYrJhvL=!z1%lr2-lVa#;xZC=z@ljGDk2%`<b{~>doKggZR+ja
zCdbHtgd)6AjGCvZs8u)VL?R$p1rt!*=rEX%NGeds7ghb@Lit%h@rqn@7Tms?c|kG&
zxT}njl_f0Z4g*tn4|d$dkNd%`N$eF7GWNlGJaM~qbX&P<F>@_jFYr)&9i(#&G|%>`
z*4owRP(f=1NAAe=I4w(k=Om6?w(tcWqSdXT(eG125M=SoI60}7d+)tA_Iqre0LRc&
zI?8UNV>>X02yhJ7Rj*Y=b@OQsB%|qzlT@5eM(m!4XQVa+epFbG1JEB|Mt#za_enPa
zogk0gBcGttW1j62@EX7;G*SYd#Q{V3IIoVMKCQO~9=uVaub%rrJ{IW9KIDX%TxnoK
zT}c3cO%#r&KsJv?7Fc$1?>(n0FD3H~<dz9$)Msh$_49Yf^7cvErh<<~?=l4?*popE
zr2*on&i6z(bUe}fg(9*L3K9qhAzp(W5WXw(RWKvsbK6Wes$I_v(eMb}dPpW)uXs<W
zks0uT%@&I~g|Ey+T3^_DhbrwOA}-dzcTUWWvDfGQD)oTr$zeWQ&{z6We85z%b&BV;
zCdP9GE<lrUdxKgQ;9CuhrigCc<|0q~CAraUHl^~bqBtQz5y%TOXnLM!Kj$v^0}7@V
ze+Wb8&%~d-+N+93d>cp%kzm2BEFn>tn)i-LDQk=cA3c3EnZ7FRcEmx^$e`dMa5Yuy
zG^z|1%qRRPKkz<)&vI7Ovc{zmME!&aL0goHJ0Cpqd!?%;>*~0~Ngf_-E;TtTq4I{)
zXdF`7rG|xXaN}-ru*p$QfP7<*>1DPwHQzczHyQM~ibE<Ont9buo*<@Ri4Nx5Qm5d|
z7qL$#BPTWAQB+*s*;TTbdQ>!~nAJ;M0l7JowuDqJoO3Kn5(U6InB#?)cr9@%*fHX=
zt?zNwvuLfYe4)DT{zjcl!Lh=P)z@+d_X4&C0&@L{h4ge{@j+x*w9oa!WFJqVo~ozK
zQ^Ix)y0`Db1$O4COR_3<aUdS5442a0lX4r#(4o20EHLqi$ef2fU^RS5lxoB`%PhBS
zY>1_i;b;4P^3BIHngT?0&!f?#hquvXG6HnT`?)1iO!MsJjbXh_da0+mw<f+%uKj>%
z9rUo?E?_KDxd>?w?Pb1<k_f)eWpn@L`&rYR@`#^BcL@{R);3r=hQJUUm+G;zKh4`U
z7CivN6kM!o5iuy~wr#y2h(@cE+MBV~O5ITJd+7O!xJLToS(dXdc`{Uuqe*Nm5jg^C
zn#gIy9LcBxfR${{y?D2KWh4)5>kLY2(46?JE@4r-9!3u5$>S{CBqQQXRVG;(3cH2`
zm1e}P>ZR9@p#s=+2&~uPZTo9%j%uuJ_69ZCeyOcTJG4^9I7mzeAqLi>vIyh(pu8Wj
z`dtX}^$`|7jvjy0yW$P`@`SuzV7e_)z!(_@CKx-X3>{s0`=RuL=*r6ZZLKU`NsJmp
zIAnr$dO|-qF?_{6D+Ba4UY5r}F8%`CgFA9}dP&1VZch+O>lwc7Xx+*XCL<nqLEK@J
z09kyrqkF24?>%6aTaSKX85b?6n$PU*nR*FqynrhlHpT7K{sxSng)MEz**Lmev<l}c
z#Smkj#W23|3|Ds@M>tT+BaU_B*w{4IR45?hr=-ow*SPzLvRhtbI0drCD`kS%xw#jI
zS%Ghx)+fPu=x`pPAfA}$LFsM|tw(CQ-x5J0T=qV-x~pqif`GQ0NEZ;rBc&XZO?O;-
z%;#_?;_ycHEHQblJgzSt4s}j=ut0QI$yP(TV&QI3N-?x%Z0Z@bXt6y(b|LoVaHQg`
z*unP_uxOJdM;0?)%qfmE9Ie^nO_OLTxl<}^bX8o_0`xn2Q^Oi6;ZCOkt!8hD<P@!%
z=umO=G@PHjU3{yr6acd25iWF8tJJ<n<8u?-0>FuYd2yo+zpGncCTwBH!E0cR-7CVx
z6zareQ#tc(H0(o}w2>Bkj#gf0V?9>Ls714{DnWLxpg4#_vLAvam%5J3_-GDeaVCv@
z5`O$iSZ@iYuO~6-#rn$<Sb8NVu=S+fsAV33xI#KfZtv<-&LmAXei83Amlx#?z$7Y=
zIKfVNm=iXy6~MiIbPa`a(*)ykWzYo8gstR@`J@Cp569LE1j^2%t_V)z;2zxe9gR|C
zH9wIeSHEVNaa^`7d|3?lGTTVzWN;dDBCPkC$4SeDdpEM-1pts9x!Ns^bKV_U%@Tq4
zd!Vha*_g-#f)U)!+Nj*>3F|G$CX&_8HE2EyeZ~-xFd{tZXJhYCvUeR}*=%RxR(m0f
zDJ`iHsy7yvp)~eHY!A)UBQH?kaF^|zAhv!?I(PKi439X;#VwiBU(3)SSps$DvsG=s
z(_e^Rt>OQd**DcUOrrx28tgIu|CsiCeJF+lmpA|%L`Jdy|MN#6YGDi9M08SzZmWDa
z?zjR^?TOkw;8|Fs-luCAFrSF&eFq6tyAv|trc8{DD<UAFFo|ZJVF*llGr5uD%HX9z
zB;m1&j9mR7iwE#MSdz!MchVv66<A!QgsE}+80sxEuBakH=|dF4-tO}o&}v^n8~}4!
zF>~LE#Fn-{!t5Q_wq`X0XkXj{pm;#Y17ykJ4X@n)Zus|-oK0&dN9*jYs80iG@`U&R
z{lU;8vUkwHPKP1BePty*4>*)8Ys%}z43B!i!fs&1yP$&igwy?mNU()<mHF{RzcCi(
zqjwc=C28pJ3Po6o7oS>(y(a|}7|iWu4|3kHd62zJ=Bw~A&!_$RnR3={wzX(9F28(2
zD`f`#1o+$_V0OVIvAJCu`b8fT)^sb%#olQb-zuvEaBi>MgT?LEDWaT+7gbcy-JwD_
zSI4;kUQ(>p0J?v!E!N9xFr;QgK|S*5vDdV5mi2(_ctwgC;>IucVWc<75_r2v1hSKz
z=X6(<hdOt$29yTwO5lL1O?O)PEUN9U=`+Us`J8+C(lMHSZ<cZb`RV``Jxi<kkOf~B
z*+8RtqI)Uw!?hEo*QHwY9;=zmb1i`lr{;J$RoB85`Ffte=k%T?CKRDSqCD|?PX}Hu
z`l)K0*c*}N8+2@n)$W_sxB28C=fqw58uE>EQql4ZF^5i>$ErRw=sjZ#&%~-87UNB*
zN(S~AQ!YAxnbWF;?8ON^A;j89HsXfOhsfv}kTP?C#G23!$*&FIR}X*sV)`Z-Noo*Z
z`f=>i+j*du*<#x73L2M0)o>i`n&fc`ofN+~qh;dRXL{VC(w$BZY$o<hC#9@;%NAVF
zXdk(QHP8U!UEO=;^32C#np96yYPAZMGiZCaa_j%*;(z}A@Ba<QfBfq|^S>6!|4GKb
z|G#kCMN=iO`#IStDzFHcg1EdLd*u-Cbg$Zd3sX1yQgx5?b>VJ?I{;Tagx6P)yEl~T
zx`3CQ;_LbJMW-k3yT}z=dQ#r)_L|<bQu&YqYUCxINmihy_=Itw`;#GAO@0C{MU``-
zbD8}lQueB>y167qp3g-BKcGcuug0#!gnB7Ru!+`_)|X={CrXcv=c#vhdL95+Pn;~b
za~!IrI23Yb&0g->?y+^jb%v?c;!SEW##{y2#vIsVFAUYdtlScZdNh0D^1OWLotr({
z)K@^omvHR%p2Ctd26>Od4EL^g!*B;thNAnxBQ<Hyc7b@WE$>j?tKjy>IaM01h*CMM
zLF0;X0R=thX%$V%K#`3uWl;W(9PsG4-WjyS+kClOiZAW3aQ3|$6L35UdLT#3Lb}rs
z`mhi}{8)M1;~rK50twut9X|DK3bkwJJ<5%|BlU$s1IW8pCn%wpZvqXU9L*i=g4V53
zJtQ{5;UsO~m6s;_VC|)4G-t>Jw#abE#tF_q$;S9=9a-;nc$vQhs_>M&fheE8BYQo!
zCH5}IfA)xZZPS{;0PfAYt`X)tYwcb#nXJ_%<ad~dK52V1&242+vX5mdUUxjL%}0*|
zyX$#A_Y>BPJAfHpd;k?iC~pWDhd_$?En~5y$~#JF=Ag!$5oSS}NfHWwkCn<W8Iz?p
zi~>sUqq%%`7J$FnB+qaG0H;l?;`_zdi=Fix7*Gz*yQfml8r2c1S`u5YNO-RuL!)Jj
zW7Vm$a)Ic1KD;3VUq&A*6JEmQGAWg{c~MeKV=q8;t@TOB<dODEO*#X>U47ctMX9Y(
zxNQ$P3Gaygz0Fc2@kb_TrOrX##>~&*C*LTfZZN>)vs46u<sQ760hw6{z)iY$YNB@5
zQD>R*B;Y7IxQmH&&02j?0hUdrHW}(EbMfHD+ey8G=kUxLX{0LV*vKJb-AiPgpzWLt
z9*;w;iTcBQj~mRd$+OF}B&S~8>5NKrCP(+<Gg5aridXZl@ez>angS6MDDQ3a#Hi?k
z#_(J&6hq@^X-^T3#{ev<7nJcBZPhC^DzUt`5$!Tb$JlG2Mm?|~glc{*x>@>=e>k6)
z5kJ!g<oCuo_@%u(gEtgUA6FAUq6jk4T~fR|7{j_N&#glsP0h!0w7DZ7)wVz!o{vbb
z136+w?#IP*6|t6ENcU=b&)Q*Zlc^MxC=}>{nDsh9mp%zT#VDJ7xIoGjWy;>-Px2Z-
zBrds4Lq=!ftVo_Eschs~Qitn#DXdNF)@vRIN!`8DtCG4|!W~=2zNsysg32<zi112W
zAxBAKEpXn;wa}lSR4J`&YuzAwjs&94kLG4^j9A&;19tFmQGmp}Ca4H>$s<{hY1-Cf
zcbK-Q9D%v(j?E8A{7aJVza)X^P@$?&kI;Ow?8r+dZus!z-2i6Atv?gb-g10=y`9AE
zd=k{V{F2#p-Q`_p+2rk6DQw@?jlo=>xYf&h;z_Qz&+yf;JxS*<sZ!Y|uI;#KsC5+)
zN;)0(l0#A#fEW~?+bH?QO3V$_i&k&%%~6#sey2l9k_h_16z58TOgF=d9GHofh_!W$
z6GI`LG14^O4<(L_WwOz<ZM>ReQ*gE%Jv~YA-YZk<+|s7!bbN1MIcAy3dzcvXNe4a+
z#B{oYiZ&LF#Ip80qb%H%qtnx5*;fTl6ghJlsD+-!XYry1AD~dSKYodz!6<ywx+n(Q
zww+Z4xHBEJ2US>aDv;Z_dtXF$N15u4ad6QdS+-a?jF3DDrV&}1x=h8Md&h1PnTj+!
zh)n1rIVg8ofvl9G=k}`d_|~1plC88sf*pMz13f&1UNkbrj+^lA3WpyLTxrL^9Bj!$
zC66^~&D`=<d}zfGC^}4pz1r8-axche+?vLn&;78xUW0VT(vzK_wi$EKo}4sP?ZyfO
zo0L^~I(&zSb%7D1Wt5FJZv5zt`k3Z6tH5D$fm#a?%2Oi1v@=B1I@R~`z{ijrxcnV>
z%CvP4Ka|jipd-NYhI#KKI$DK}Gl*;BHB^Xil50V7Ntj0@c}I;fMgx<oXIepDXLHX5
zDI7U**1cVe+mpAoub<BO!w*Tmzn(Mx{Uvp29x|&&mY6@b>rN;!GJi=L>3xwi$>U~D
zAa5K-4sM3bpY*vuc)Iem*Yx((BW0~dS<|j;j1K}ZUeOC!MK+1DEt?ILeE!Id#RCfW
za4mPtQGFwHEZdBS?fekE-U6i6pddc1d<K&1SYlV!b+?GTblk5Kh05LdDnQqjoI!~f
zsOmz1mUZ0S`MrF;P7B<bT?&9fM8of`AFYYkFlN>Zsq?3ZH_-3wM$p~^MJMK{NTO!I
zcSQP%akF_~CsAEE6t6Nh2RJ>}C>1DMLM65-6&eQ!D!Yx-5Qj-PX}jh8K*@^FC>I~J
zfCQXZU<-v<S;!zwLevbyFz)MN-v|5bR&JnNx1MLQDuT<NpsWEsOgY4hsWX1h^cC7T
z-_ts#D;+WOXq}{59|GANx0>#Eso5^q{nkJXw~BVTs;+_8uwJ?^0I>3pX6fLzv2Con
z-VTRCRS4avnGFnTdHV$BRnWaGxZdOCSdgk}^g`UuU}{e=(;YsFS9TrcYYh)xQY7Q7
za^2QYsJRIR3>zv#26BO!^xPpsQK@!8M1q_=v5t|oi^DN5C+{A5*VZHcC=}l;*M@5p
zA5Ed3SdfME<K{Q?mbyhqiu38qP>dY0W$LHfEOD1BT8f6Y_cX8LY9)=*hTia#qP^!y
z1xu7AbL~}bY^7U=mikVgx`nhR>g<9%B_{g7<a>{S=VpJ-CM8?pw$^oR9fJ&cLr?;+
z501_d-K*DKLhy*L`pGQA8Y4c$YG;e{kOU0{V1Fh^At(J@gpEgqpVnhjaPfyEsWpt9
z52ho!9#a`*=y?+1+werKs@Ug=jKx=}-k3&jaKt<VixVqv;1x;D>nj~zTwvB`{!6^&
z0YOZaEP_89X^FrgQw5~8bxkLKUMy0f<4$Eu(g8-PI!RQJT@iHix=*f}TuI79YtDzu
zo_GKbl7`<ny<3R9;-lyKa2LtUgpLAWpSNA3zUP>L3OF_EJr6R{cm2tmJ#9rOflwOQ
z#^ZatO?hM2BNVz6(ewZ$6dE(@9)s^}=q&mo+-!sym(;umLHc66HpY$cL5DuXEuBuM
zZt_%Wz<n3Z!X!9ummWaQ4T^3Tz<u<(TS)_yyd|L8%XxRzpW!@4nl4fH)W=6pA_RK?
z5y)4u$@9H!-iIR4*szTB1|e{XMzluU)?V2RzsBN+6T<ewTh_L;)oGJ%OuStiiKt;T
zi=LJv=wxHO=j+<#r`vF)U}MnnytC1$9l)Xhy-F!w2&;gUmoBpA%dvcN1Y;NZ<Q=Zc
zlctv&uh-AKfrWwAz*3b@0)5q=&f`Z6tBACh6m!jkZsr}hR4xye?{qoXl-@j?yzD3#
z4Bn^Bya<Kqtnoyh&m*Up&1wDaXx}Q8%Ag~|A<WYrM>~JA1q~mZd~cK*w{PxGP^_+s
zVe%PpiZ}(<i^Ub)iPIC!HGgD~1(XB?3LR+gs-RfJq#ix?)E(*|%NO}z5|XMK9gM?r
z1dc2b%!KolOsSz_eU<n*0?u~+2#6NKF4Hy{ir86<N`s}Wz{%JbThoE|L`rYTcS*RR
zhy7lXUkRG(jW`N-cuK24^0G4y@>2Ur<<?2&Q4$i6#n8M*$SFVWniqs1szw1pyC1)8
zSKGUG(ym8IYfqaqMe#1Ti}kLI2kYHDB_?8iNTAl%o3vGZ;l60b)UO@ZXIDocBFt6u
zfj0sY^0|T_&GUVw{lFS~&EkgXrYj~Ol149PB%it&c!0bBwg`a{S@(cJ7y~ia*9V~R
zICTKW?CQOSB`=6~``)u!XH){3c2x_t7i8G6j}#*y=#orCJC0#&qq1G2bZi~a8DcXi
zk65|IiDf-Rbn>l3X)ys*th{T7j)xrkra1^xuGZ$%4hPEQbtPk&>`GUfr$<t{Bx}`W
zDoHZzDk<u!7g&S77lzi3#gCsUY}k^T_G6n+lI?x|uF9Ex&7Vyh@KT5tdbfb?t3*ca
zcv?5A8@cn6+6vNVC#Qh33~`X{u(AC;qHSC~Wc3^~P<?Ijd>9^?I4cQ072@zdBrbho
z#b<5HQ!vobSVnAa(xvLMAZqDZ-d7vX-{fYJ4H0)nYcyD12E|=NB)mnHF+zDcU-QZL
zZjbQrakkiBr1-dLtEF_Kq%dzeZoJZK6vKCeEiz_Kz+0MU;F|Yt!v?8%hNvxbgtww&
zUtk5KwMbTWzjmBKbN7%#gZD-hL1C$)?}jam4?|l6EWqZbReJ8d%Dgn-&?jl|<V{eD
zro{F^4+UmL3B*w76J0Op!0<OHK82#Lj<fJ&May+_ALYCSjMwF;H8hCWq^gf*F2JhD
zbdlXb3<Y$lA9=pr%rIs`*t*R@dP|Jy&Cx+QX;FqgVQ{c6B&l$>0mf^O16L1r2N&43
zLb`;S?KH8n%m8hG-~hFhEqrC{`YDWD624(xDU%NLj_oRZ+>29-uNh-f>5--g<Zu!#
z8upsx)2MQS9+R5|jCh^+@E%aD1>;!=WQ4|;Bm1p2OVtqF`pbbQjKMB(bTE_HK}YR7
zH}5QC{1km)fQX2h<`~DtyULPvrH~SW-gL<mw-DO}+j)!4$-0He*t;({jEr;!;L(fi
zTfdp+6>otjk@wEyR{W$#a;srlD@FnC?SKm?i5|L!%rx#RmdG)IfCE#$^jPWM4&Q}(
zZY5V{t^_q{)b*Bf1!lcqwD=wA;!D(<1FuaJDi*6_*Ip*OL95{w4@i$ZYL}v*7VK>k
z4rpwhjZv89n3ra|Ws3noC}6?#7=sa|T3t56@!Sg*CtAhjsO4hXLGH9opEfS&#7P7C
z87K7y?VT3s7b)MLV)X>7jF;l??<g7atg>J8TnB(Rre&qdbAMxrb5GP|>Nv7i(l%Zl
zFjv2al(IZw{Klw;JiAd(Ia?qg4NY<4=~YZxn^Rs?<LT3ZMeAa0TiBSZDFU?ZtkkLP
z>80H6eLH*-k9dtoeE2cMPZ3e8C)qA%oss2G*x}Y|a1oxhDo=0OC0#X%db*!Yfp;5I
zu_7U1-{YoX;Ci;c=@ZZyeFN>S+oi=^XYY7`J>kYh0>_QCR*7|vLD{GiWYFhsYqM-8
z0&BI0f?+#~^rC|>=I(lo@MI=lpFF1YNNo*Ncf&%C$HRvfyvP-_8G&g|K}_$Y2U6y-
z@QTbX8JLacnU7o5yNbmZ?_t(G(wn7QoL4CCWy141iJGR-_uhrNA|_u{s_t!2t~W$%
zUt>P4HBv{tylyB!ZSlfo8tOJsS;MRv>uuZ-w%j__lldivje1PEyIyl%b_zpHlbz7%
zL&1%kfE=kxJLisV+X&U5a;7Ux;UQPZ2beLZ_r#hOq>)khemJD-@?>lzyy%%Ngwd5*
zT1aszGQeS9r|>$%lQVjP=UeY8g-OXZowCYgleMnlRFalM)cQIM`swH^>b93-7Z!*X
zg$d2$tb)@kR-wuWo%H&;qE2cIM)af((>h+v8VB)CUAH15zV_$v3hCY3y<TdENXxha
zY=fwVC^^$dqb0EqQ(0pI(1p!DP!at?1u+a?x4+%JzgP(~dy+11-0034tvQ_}Z(`0}
zv-v%@Ib!K&so>dmys!f(j)-bR1OT~<p&kloyes+QX(YXtxhsyq9AYbXz*)oE3<Hf#
zGXjc;^Yy;x6pp$p;RVnP9HcT=MTO4`-}b}c3U^|vh6rM>yoj*eaoCWObBSRpq^S|}
zo6TkGZaSa00d=}Q;d!-m?D$T-^s2ehJIYhU62@(eIhmf12Pp(2JO~zfUNi@`AU7-}
zP-6iJg0RE<Ag5lLsn2<HATI>+6~H9Kdw7V?5QOFd!b6wWcCQ}^d4m$AS+ldg9_$I-
zKI4EhIMfZsuFF}&8E3QYJ4CZGjJGVh-AuJt3kIq-dM~ner7NFsy_fzJsIk$=VQ6Zg
zSHiXrZ~GOQBg{Q-a**+I8HEVm8EStg9^S1=j~EZNxr3PbN)rruybe7wCAVXw4w>CS
zOnDQ!+e`OFgyLLUSB%g4H~={8mJA?NXJ@OCug|hmKO+N{n67p>4kfi`Hers29M330
zUeU-Sh^84uLhXK;L(xXhM+=$8FoSw`*$~*YDcLWl)L#YDGqPSYx?ZZOK67luxZ)?I
z<(qjp2uHZ$8bU<26qT!ZNo_l=q;RHL!jG6&o})ugKoi(|ut(9G;dYiimq4EO3+_9_
zO_V6Yx_1JXTNa9LypD=W!(>l7=80NfvJ8%wYVVb}nt!mO{KX0<9|5tmAPMPTu;7F)
zuy8Fr8xOeJGSgn^AgZ}?vR{$1cCp&)<%Y04c{B_S^)5QzGQgd|>DBNIu)!Q2=mKYP
zN@(c?Rdwb(6&QsI1_&huA`N`}q@(KOC}zF7!w8Li-{EZ8<+>XqI1AWfrBRYvQxlnv
z*Z2-Oi+Qo;I?{uC{s<YL^;lzo5Iee<o>@W4>&Ju(Y&wC9Sh*J2%@LBsH~7L&Pi=|d
zz3S(fwK~fSqK}^6^ozuLAeX`LcAq!^KZ=O0$As<OXlHhm!W?3GO})XPLuD@nv0k^(
z6r%6C@$%b{OO3HTAdZL6EYCHA+3$J845Zsm-}W_DpEcUBK^u0nyD=Y?k|`-7<u0q_
z%totWWW(tOd7BkfLawLu5&%fEnmQ2j^HM}7Rg;AZzG-9Ud@dYM33Z8Hs6bor9sut7
z#c>xis4^Qdi<=B+3&tXMh>c!f*}F0-*1l{O_R8Q235#2~%?5)f3pYcUXZuQn$n%OO
z>?q%RDZ`M?FQRq$ByDRivIl%ro6K=5z$KaXdGlj>;HVWa<Ij^0VU288PJE0titR=o
z@t(YNC-7ztegKhcNe*vBOd&Ogt93)My}Iq}qy}tKpFxa^KUz{VT0nO#8Yz37>|V}5
zt%)*}+X^x$e36WM8BYO+^cl~)^_2H)!>cT@<NyrkwO5x$*FZh>x0W32;2qV>0Uxj!
zeeZo#vlv}=qV$>kMGLe{$riV?znk9M*i(8EdZ9yL-a6efQL=ovC0VseZ-?33LnbEL
zZ<g)7crRRAyLjMbw#u~CC^>4FOJB>x@VvL()|wsukPZk6(b^vtWv|O(PA#N7j;f8@
z{@qo0>m)ASd#@4XDG8{l4uYJ4O@MSM{;1)iw<BP*?|7IPY2S{v2lqT1zev_v-HVhr
z3M72Ip=3&uPYsJ6tFkdPaZM_CGVe@6w+fZ>n=_)E=M^`0NYozVbCBu_@2cSuR3)G$
z-0P=Tsbqf9lo!?4aSy3i<N%RG-Xj6It~|(TL2~8M_qySV$FXw5VMB;=t0=)RqUgB<
zEk6r+w!qRo>jl@$Mdrwa(<&CvUGNc~T<K!jgs`VTmo`uu7V2bgKsoQhdlFpqJDHze
z7)Bz1H?rW9ckUs%SXQV-mK|Jb_W~xwwQToco|Uc*A~?R(<OLk=;6qE?DbV*4n@?jF
zo$L6aOo!L7ylbLO#Pdx#5%!j8h<S&u#n5d2GLvf-(~oj@04$-F8ER3L0}+Gp%%W|{
zx%`ou%eeKM15J>6&)&KV>BM^8<c+V|8+21cyrWak$|>s{7M6p#Q?APJb{%7)=DEJ~
zqdFU-J5aP5FfE>iVzHA;DtEk2F(Oyq>O@qapjQK<MVK*$fIE1PbJ*eh>@DS-6BZRo
zj84mw%;0&QV<<j{ydShUe9^Ky#zaJ>_)1S+$Dg=}G^A4?$q^(>Wh#QshKNNiqx;j>
zHn#8HUNhv~Q=o7U3-uy_az=29p6QjHb|_O$$vf1$!+t}d$gS1f4g(<vZIAh_-%4n^
zw!dtgsMK(_(^c+NetT~W5LzyRIaQ&MMdFTZI3+V&sqady*c@Si+n&}r6APrR(2JI#
zRs=V9-}0b}N)FjGczCyzqSd^9%bh_J;HnCN!*D*8Q-H2h5Aq%+SI@h=P%2R}Om1mT
zpf)+g!FO+V3QlZSgex-H3IieLbyK$ZM2o1rVyctw*N*(y5m~E*OUW6`HaN9tGN*g$
zt;@~U1i)*gYo)mXo1W-3Hjg*0h+Br@aFlng#38=e=8Yn3po!x2Bu+zV$Kd*$u6yR<
z>hb{SUE-}7&J#}=jn(r&+kQ+U{6s7(Lx<tPYk|ktmTs>TY1k#g(?zGmhykM9Spu4z
zOI>C~&Du1W2W$%OT*UZ^+cTax$TGmEdAm5cbD=bt8xvFT^vF3PXZ^XZ`OpZTpK!YD
z!I+^5q>P{-@{8@uqGZ=g>@!;rdmCo8jjlT^r_JFk8;c=8-Szsa`AAGB=0O6y^9GnE
zh+XwVwm!7ll9gqI=bq5pto-s-5|_%O9(z;3QO3*LGQ}w33L(#&!cw7WuME_<*&e$;
zmtxzDjd>A5xsigh_@W5LG#{+WL6nUF)<YwYP<~&y_$My8JJNGE9<#kHa`+c7aeipV
zSDU_VFrbR()14IZwua!wUfme4*1@yltJ_0Ev%>`1z__MjsGUA#sFlOOQ8B6(YdG2b
z>BIQeGpw4ph69QSFIh-}&m5n&dJ%^6<ffLQNAz<IeVck<o{<6XKm>H4MS}J*riD+l
zHeh(ei%SZ8WoM$$scG<1)3wlh)N)E*;-iq9g-Q=0>I)}*5L{2GL7#X)AKxGk^vZ0m
z32?OJJ=>|228UOqTN{EA3h1Ny0<PxST^#YXr12BMHxKPC>7only<DT%JMZV2=*d`N
zi<p+pLd-I@t!U*79*pt|)V7|(_#=n`sm4MtMl#y2JqkA34p3JTJ?N^76Yxm$ad{<R
zM$5r<WY;h?kAtpI%QHvEa)E3Zb4%ar%hwqXd$K3g8;@9>NiFMG<nejrQ)<MJ^R9=7
zKss+kIL~0V6IyOw*gKIUAaoGDH7MhJ4>9`%?=4>gJ}9Yzpn9+JRp1i2J4$88!xkl>
zu%>(HFu7b#%n-#-oGBCO>;My8P9tuLS~G^Ji%kkR-j<rgjW~okih`2f9w!UYE@;xc
z+qF(2cw5e8Xo=}0Nue^-*w_sWq~hB$#O$GXLYV!~FFDod;2Z>VB^u-fpYxC;UMyJ=
zia;7}lS_NixmJx|!z6?vSCu}w0Lk1p47e5=Gaa|!&q5;AI5JJI=cPdqn5rs$@DlpP
zi`4S#fFlZ^<y+sOd4B=3_6BiJ6&fz;NiS+6wKxcdye5il3Zl4qz5rR9dToKmWb+_|
zriJeKNe1~nu0!7BoePCFPXX{_H8--F;+DW+YnYdq)epIwO_r@sy@+4JVZ4%rTTsQ<
zWGGItYP7iu5+JK5q{J77_AqyRup5Z_P_^v^E^#R7U5oiqH~V>*^VmI~K?Wog^v5$d
znZy!ANp>@dtdb6*Er@B9<_sYmdI=;BU@y2a-j0EYyMoPOq_WWQN_)VqvcDH8VT@i$
zYipqWblx<_%a`g*_ktmM(Upku%5e*r!Lb!ty3Y&Ng{BoKsSF-Ikw8pqEYuz2^%`y7
z_H0o>H1!7XN|ML#R=O>ll$up3+u>~^IHgd6JUD3Qho`<5XU%PM9SuU{`}BEPl1@+D
zkiUm#1zdYCL`R$BI#{Q}HlCzuy`tjTo>at_F`X5t@>~dteD(@tO5|uz{YEcO&0BZg
zlYFmbQcFy(`%3wa_Nt}&NB|B%m+s9Kw?a~7Z96d_zc!0}6DIEvtokAx2{edIY=N)i
zfxjJuG#hD!w|D0fl>Gu|X~4=TrA^wf^x@ppy$Cbr8+{}&v{l<Q^QsUQ<f>jqJbyS!
zsSWQK-agoT<#5#g`@!~_hK^dWyhQXZYeI@8Q1jZG1P**iuCgf2BsgzM1vLeyZ?6#5
zde4Ax#o(svT&YURu~>1xfI;9dVbWO19+4x_J;#2<y8QPLQ{*FixYp%T%%C^#actwr
zJtNDwjy8O>rxMRB3g)SqAdMVCDiF<u=H3;P5K45fh!TMBTdf0{4osY6i;{xCb}yB7
zI9?xrWHGnhxki&l&zW|*sPb3ZxA90EIDwz)+U4}FSJ9~XJ`D1aI66pSZDSh$MTk!h
z$Pq@Wryqffpz<jYsjJlVHuAG0rO_dx!LD>M3j}8?laXfOsF~?})X&rp%RG8d=|m%5
zm(hDp#w*4EO0{p>^6umj%6hN@)RURr!c5!<r6PJ1*NiC|Dh|`VEHJB$ctP(`zMGKf
zlzM6v+bDWD@X#^vA#Zr&(m7pk<#nmh(|8H3@0Ak?W=a-2U}0VX@D=&2l?ANI2`qHG
zpyN#-x9J2*;}Sv21B0<w)7V%?0~7f+Sv0JlJkQIL6SIY2e;BguW%i7oav<^>%Yt(x
za(LL&$y-Itlp}dTow*&<jc2rvR_u*f75kPr%PUwIbtua>ti>sYT4ti>XRq2#XVI~l
zUxO16wdH$6AaVXOQLpDt7R>YLTtw+$6!g(?nij>8)dW7kBGYb0&a<|HB)EkEVVG(v
zOFj+sdREzwg%OGE=xj%FXOPw?XH9gHL#b&oD#CLyDHbMApGC6d+#YFex5LB^8nQT@
z4Z|$-tIIjgCzDD${KU$=S%}OLM&G?x8z2<Nq@{U+ud(=5ei?)GWz1`F!yd(Gjnr4d
zuqCM^e<?FI`FsN&-F41cSG<nUK*I!%CnV>)`@r6GM_&7D19pDtXm3xRar20B%@OM`
z=IPFW8?Ef}I~i(e7krGW7e!e?@cKGKlR+*X-z$Gi5go$$=0Q@o+Ov2v<qg65bW~zI
z9|mQ6kT`^>8OG(|%VFrQwJU^(I=((eakP5W8}tfuOu5`wFNre_+_as?ORowZYq}A8
zMl4DT`S@O;+Uel|K*Xq>lv~_-S@1K`Q+5<@c%tFb%|1a)oXi!Vg}mj2R?;Tpz5)*s
zz#4n4a%v*kw|n?Jo|fZ4Q<?^Pg6<nCil;4!ViV5<#8HVP#s+dorjj@y7c1*D(6nCg
zEgir#0PLhBOaceWYcLzZ^gw_aDc|Gm=jtaN<I9b1aun2jL)3!Xcl#idVT<nsE&)>U
z6jAd%s~sMECA3HfTE*w-4hm&fargjA#zW2?a;}jxVP^>5`Xtwi7`<GP_f}#-7pi@n
zT;cW3%*|DdlYk=Q;so6Fs4%<?7S|4vNbN!wff}MBMnsy4an(c0IVylKh8#nE&`%0=
zL5UUG!2RJId7!6EE^=jIr#bFjUJa>%W7_o;qcfV}Prb)A;b{>CbVo}j7_XqQjIc>V
zbL>&JSso!xvJ}ygjqspIB=%UnNRCu;od+_*Nn$Lt@nGbrUmt3#8t0s2EsoQ}DQzsz
z=*~;s@cL4Q;7gfHA~&vXP<M;<J;c;FFrvSlc?p-D1|37?I0(wa6q~O=a>$<QDTm9m
zm>H95d!y;k5m=gXX`_uEEA2w;Rbf;5jwKkyz(f%oysAEtbajdCT8H+|Qm8C$8PGSI
zM7&P2&y@*@Hx1;GEtr(zfG-rsG&;9nFa=d{T38S91aY^rqt*rD)p5AsgOnKcJ5YPw
z-kdKWN8;7ip)$rDD{t4kHg8lYor*J&l*_b?r&8j*b^)xC7YfZ@W~dPhTSRv944&I6
zu`k*#1_2n7?^@2A;HpT%cvZuSo>wnlL>B?-_Q=ID<{=p19R^D3Lf|pqFQI1?-JB=4
zed@2UZHAP2jK!PfZuH4+xwOR+W8<-F^kl5rI-Hf8H}OWE*$|DlH8g{^XP&@`RhIg-
z_DcdXF0Fp@R!3oyVf|^~i(&zv+|a2+n$8%9!~n*87G5NDLtIC-%J8HobwWm03^rYT
z%N-o!)w3WEOG366nruVXj>B-rbwNm3^kOW{W4vdCCBuu^PP6Kc>-1J1_7VGY$Bp+I
zS1Ac=Ti~T`D%>lyxad?Dn#@Y>9m`qSCmRZ^?~?oFqvIBbgV#gLatQlKz^=$0oa{vF
zTHrx)XRtomDSRvrhLZH!ZA|1QuuxP7lMU}7>=ZRpCgRbMgZevuC^BkG+rZn@MZGI8
zc>vBV)86!G=O_+lSwBc6>oz%m!(MZdrdcfd>5P9lBa{lBMc6&#$t;#)J8Mp8`lmFb
zv;wn1bqxA!*s*tNh>oVRa<^fF2QT8@9<6%eiA-2d;v0HK2t4|Nb>Eh?z}SkPWWtC&
zSbnNiUE1>=<sQqVHm~g6O$Ph&+Uiv_N3mvyaM#GoAZgz^d)0g+Z~Gn}j2e*Q)Ahc4
z?d7W2F)|oTAP~it7{l%C?XN6w@SNZIoSnwm(`4kT0F&Y>1%pcnPJoa@z+2H+mgTjZ
zp?XSGQi0Tjwd4fe8_?E|X?2!e#vb$Zz4e%A!+Qh(*g_z@Ik5e#xa)~_p98qh4Q=Uj
zdW6vVOf9SMDZP%$&8U^_@~QH9(_!s?S{cn5&HNHzBiZyOCtgm*DG!pvo3>kQL(-wg
z5Bk*Mf)9$&6LjQ?&oq3xq&*Z265hz<<_Pao;!Tka)lKCAL(aTdwA+(Oi15>VfJLz3
zE*3Z8{!lqe&al*aT~7tz?a84+p?4DcFl%d~-(w`FZjTig4^HYS;zh9PtyP^zDjt$b
zw1TB*DFy^ZvGjD#oD2)gt>tcaujbx8-FhgbZUhk&?En>BoD_X)dB+c^BVZN!6tkzY
z`t{g_*JX;-D7H;ly@HG<OTvT0>VQ|8K%zDqXY%-!B3;O|h&+bcHCV+;ueUhH=3_QO
zE%!nmAes-;^_!W&N7VChyL{>Cp|O*~vE)5Zu}q&q3$3Y+$VMJ?z}k=mZ)|PFGRXas
z=INI-PK!ayz;C7pY5RmiW8fTYcm8}mfl~V+p&w4my-sPmd-tBR-8<vfWXRXl+9>-_
zOFOQfrZrARllXf>(mrk1$LB)(LZrBZSdY8=T}5pxN5INB+k+8ZS@sv3^oqo5pDF-y
zb0|xa`WC#piAUoWMWj&2t=+sE)?U-mK&ueXXz-dCC@>zIL{O5oP!k-U6CSzL4Ia1d
z1oN&(hPuL2Ugj`dD9zj+W*t}WI75@Rrnljclb5cr8nBhfWq7uGsFMn4mGAO;J(T>E
zRVfdtHeos*5#3(ed;B=r%ny!E8YYQfw6vH#mXa{T<OodBt<DY)#kD=peTV0u)JW>H
zxY{WcI6QXP*sMayk(=m{qAnM!?UjJ%`)aLmWf(FN`iJ$k*(vcodmS)|Zc6BBUaJDu
zv=Nacw{9!<9`E>5k9e8`ns)F|0&?&n$n@N-iSRI;OI7;Muh+;DNpfHtugoZ3v9FIm
z+<t~j>iZN~xD!xbJh9<MAd!7jAf}ymv3i_qs!l}4sj87h=xls3&?Oam11U0mEZn;L
za9;w0sP~y&*hqQvrTNPgC8_bv5S%TpJ#@WisxQ}HQ4blJ<_j2muvb%M;lNQSxEx9)
zh1P5@E|9F;dL+95n)`q$B)jV5J>q^XFKTvVm9IEoH8_}_&=w?DmI6Lsf$6JdHx*#J
zV^(KiCjfVL3FG7D8y8l2uHl<6fGuRctYQAL#zg&1mxv-m3z6`v(hUeN!X(_kw8?68
z${6x`3;fRA8jP|xabdMdGoVgyW3etsh5!NjoiFQ*=;K~6J2iC{P*MaTgsORJ9=D~u
zv5>GO0JgcpL;Mg$Q!A5WT<T#OYH7TuQ=MZq{0=(uhDWJtHAXhc^Z*O%MeDOld>12q
zqt9+H-#8ekhaOvsj{>2pvSdo<)k%}X=9x;e9fxCv+S@5I@VJK$IrXX4)q8I_<5_pV
zHDE&5(2MYVq#@{`QkxKx@wn0O%)?@|cjEc^)f?^hQ{36Cn@xB=b%qjww(o+mY0&lw
zzJM$<HD|Lz9GY8tg6Oah1V|X(m6MXl>^;vs*a5AkJOg{rrl)Zw!EfPh^Z>t+M4`QB
zH|+69^_K;c8S<qzR4@RK7`Yd7GMh~sh!3Aa5FKTe)-^}^HIzQ@!B+~;E}{m;C`BKu
z123|!7r94{^K*QYU7|NW5fB+3?F7op{(SfV8zX&vu+U=*6i%5srT37N?kP6j;|cYf
zzGq|pY+q)StHu)u2~~t>)7L(O-3D`kS8FBNcCGy0$rP74R7WlExl&2!g6BMH0!*+2
zUQ*j710j}X5A-r@=P|Ej&of9iQ=vD{(ko!(<*=~IWF-}QFEm7$UzQvv^rfQlh$vDS
z0`*Q=O5m2Jnb$D(y(W(VUDx7y6lXZC{c26dRu$JaN{)Mih~!El@a)mEB_XKDRNyad
zgub)^UEW(3c(RI@c}#A_<AaCP8MgA5H+5ZC@~}}okhJO1yP)94+9U_Sm-J9lLUZ!*
z0a2CC8&8d>^raTgeN|SEnu*%Tic!ta97lzw>o6J0m8?V;fHURL<Q1Y&5FlY;(s++-
zbOHrMtsQOgdzHC#$><LbS=%U)GBa%byj-7g)C1CuSg5jvjAsY%6u8)+1D~+2J;s-=
zyR_j!*GXyqq6i*DUgLEn>>;!LqR}PYwa-|iY_eZk85haxKH347i-g*HCXoz4ORIK{
z6Y@4{<R#CGB(-iBQd${@6F4uoanue>YUQzTb52n+W8MWSnWR3ju^^{9Zwuu27V0g9
z_Vb)rK&8r^_BgDkF3%9&o`vNKuX<(;y;;XH1@-V3j}b-UfraK+au^WeJ9{?ZNJ~&I
z(9ips8WW;fy|_}icRf&!DUhzjD^_Ys@M^8Srd4Yrt0XZCO$=n}RBBEJG44GikWAy%
z1#VMa1|KL=K|$<k!Ph3O`$&mk=1p=UwbMgmkzs*jJ~>>GD$Bsi#(vzm3{rXWuD!bM
zY!fj$<(<x4mn<K7Q28@w?adp{I;qM&h<r$<F6G6L#6l~ysSTh<v~4#r7bF!g!~jB9
z7IKY8ZCO_sXgYW}*_IW?&^tVtN$;)tY%V6RKp0pO6h6KFNu%u{+Q<*7#zhY5U2BH*
zVcSN|a&myBb>Hfi_=7=X!DpU*yU(51^UE8BFK?C<<HgT8QNLC9H4%o~1U0sabHTsF
z*_R-vC{`KZ=Ii}}7sBMF#*kr~6}@K>3!|Qo2;!jUdSu@*P6tAqKTU2H;J3C}#~7?P
zAVFmG3RZ=5r6LMpJ?b@gYOf@<Hb1;VUhQfN*XB+QglC2KK+m@`k#*iei9JnuNwvm{
z2D~b++%Nlpi6yG8iW#=;ZM*Y$<gN)xZ&#`yQyld`&~m*x;!I?Ads}W`9HN{;xk}fr
zYFsdJy{k6sfiO3Y)M=7z=QmLF;;o|IIth40KW(z9eqg8_Czt4$t*M|=_V&$GFtaVu
zmW!_sE>aVh!$b_PQeeV}yMRB8mJ(h?C4=i0;E^CH*e;|a#D1lZT%SJ<zr?iS!kQNm
zkEeBx%TjCMnBp-AWv(glCYSoN1>4HlqXE?n#6CkaP1;Sy1xBKkywnSHmC06CS3=5o
z-AnjDCP)<YGB4|_b;!~)u%(9B9xUy_A!e}JnJU^-q_<YSO;Mbkb&)&tV(VU89QU&m
zo(iNu-O87NIr@~Q6?N>r$YL?2s2R8lE6-ApirXudr8T(Sca#+QMu*+hsdn8)T2b7f
zOHpzT!*Ux}cAqpcA;%PrOwUO8l!Rl-w%9!EQ0BgxX?Qnua_){p#GDX($H*`wv?L(l
z@t#$XjPt%debk}uzHlo|uW-~-`R<WM@`EW1vff?`-$9AV%vTzYaXS*aSt+G;eEU}2
zKgIDcamJ_pX0N6<hIzRwZ_Syla$gBQMWFo492&<{LuBO~tv9O|E(<h5{a~h^Ky^;g
zHOkyeH40cB<E70O+PYwiX`*KaqwH9i%3#i=%lUBA88m2>q>6?CQX1Mqb)`9%l6xQ@
z0gp|Qs<DhR5}iL}yqQ+h5;J_u(g}<&hNF&Yr{|boi2|s4qdX3InIYH5b&<a7C8Q1=
ztZ$`DG7sX=cZ=L5L2+`I`|Zk%t`pbnJ<NCuLG<(j%a?K%g4fW`m*6eGJ%Dt6Ny5%z
z1AFvP?gCec5D?3adn}xUuQ+MBRTxB>7iP0nDE1_Fg^oCMqA=KH9m&&F*qe|>)$|$R
zD}5Fi=$e=3WQhq~a^ie!V)Vv_c8^hMK`yd~2>UVW+PV+XaI;~8Y{9gF6Kx;`6De*y
zjfQ!WYLwlQ?Cm=0Pj(`z2{3_r8P;{7A+)F;uT&?2t+aGNpKI0Y9=q~Td@FA|fLJcZ
zAIcyCu~IKW<}NEZ0_ILVbFnF+>>eo~-g)#;a7>8aY8UJ=&>`(ofVjpB-P0V1)9Y)o
zhfuYwo#tpjILGg5x+g{n#q-jS-~pUpq7?zzd;GldwBT^?3a>rK8F^iKwrZ>7LZ2Ew
zA!2c?C|}`Kj%R1!Nqt~qFPWN!nfuvHA-N3?S<lOuS~lG*>lgXVh^jg9vE<`M_33!S
zUS}9<aU^$$bfa$N+5{ag?{#v)RpY(k)K1pe&sUY{mpNkKa$}23s96X!{?H1#-t#oq
zk?Tj}_m?_-GpX?8A$k{uCm9l}yDqm~n6gS^say%J+u2G+EeO=}%C|-Dgb?*0@#Q$s
zBIP+I07F2$zbI)6HrmF{p7agIvl=rlUVVj8ht-P7JM@yWkHs~X_cr>vy*={O6_=4n
zP?kzIed>Vtp6>0Gt&Yy5Q=}}*60+)XU5iMlv1i;uD%Pv0$f5uR@ab1xSB9pzo87B^
zJ9KbR&p{Ra;j#&%Nv_34L%b<FB8+~~{dC)C^F^y5`S=qg>*wIJd=K$$^fJ}qxspI&
zv<KJ{76izI0y|8Y>yFgwZE`09nt?AS%5&CShx2xvQ$(MQCYkjzVtXq|#}E#TMiQMg
z@3LQBH`C(C%pN?o*G&^?t7!0k(Mo($4@=kI<9QF4h(P2PF#FA<C>x1UUr&HrSk+kh
zq#7+<Bm##m)60%^ZnSnh#|-8WY7@lk$1O_AhUGF2U9IS;KHZO>m=H!p9QgpAJzCT0
z(E`y^7|7@?Cu*!RqZ6rixj~|YFe+%c^>QD3=x!<sPm`0$eBfA%tm4Uoc{6FL9#d8J
zCT3rxUMM)VPgLYKUhgTl@#B78_$XEDEzJl%wJm?QEvtE6=!t?LJ`l9?9J4rGyM*b4
zw@wP2c+N;GaQ4-Jd!G-k$QB;8KhBb@SdyB7WM*j%8c{E0@oI|RDeaP$wWc`K#R@s1
zCKI|vG`SnbL!{j=b)3J{Ne~8}lc^HZu%$-5q?o;I&w8RTilmqDmpgt_P}hu0FPL4N
z0mq-Q$e@Ml6ytHlP-O`%ffwzgB3it<*W>T-l~%+dSI?SSk?Yx@zK1uWQ%uR(6a5S-
zFTEo!Fr~MMN2r9lRZLw`ABeHx(Rhbbo>>$~B`yad*ND_eEY3}99LHwpnc)?mmfE0#
zu8s;l^?ca<&KRA^(&zN<e4%9d?Uhbg$e1dik+WN5VnnHtwzJaP(I9tyFCWh{rXe^a
zj>R^322~i3K*=P02s}+5Zqj>eMtycKf*bU1(pF!&)Slbx@<@LifyTv(^)#Q!<?4u8
zEWO={Q6-+Gy$4~0&E(^$oOEefvsfj1ss~IY`#=CQCn_euynC<xjF5zq9+lIC^Rx^m
zyp0Ri2gN|IySY-6?XIe`cE*IO7+#ZX4cRb@@msXn<Jdw?lOhSi<#_gzQ#JC{Yps*)
zGrG*7iG|#LM(-MIg|Un_!>8X`!0Yyy12`>$L$(JrnumTJe3i^P&rUX9a%2<*(=-R^
zf}YNEVF;7AZwEUT)u_zha-cpbGQjICIDD_M=i(`s)rj<Ar^l>h5560#;Cj2xvF5?T
z+b`Hyp9;|}<K`3KUVN+wqb4JL6mf5Z)%7qZYQ^)2EXXV1J*U@c7_#c3X9VE&@HodH
z<id+nNOUOG)X^4b&0iFio0LQj5L8%o?v0=nC?1E9IwA0@SD1JdrFc?b?gV|hvt0#b
z5@-D0=yidHzBUHM9)BhE?otn5>tFIHw?n<2t>i#-$=I=llD&q9`*iq-E-E4)(6bhn
zXq$Xis1%wuv_x1Bx!6vK6L5l^<*e|YkB!izKUY{WT@Qq(l7zNZ`Iy?4G@rm-PYPd-
z1)1m;jvIs?D9LEivo!;SeF7C-ffiGtRyW@I79}%@-_!DkTpDyh))6~ZCbnW!FbPmB
z6F>kpW?nCJ(4WbeE%ZHF+iU@N7My@kFLAmh)K4OzcZQ3$jt>q6SH{o1DNH~q1ROfB
z6LFII9x)rSEU4Px@Ree;AOmvFmDzg}Mi^en&N^bdK5=JngkRUAE_I>^9pD1b!#DR*
zL+741MX6b(Ub16K5)CP0`556IV)IkXM<8d?0cFK6ip}HoNIz#KWql$Jup2lNPj$TW
zHSL*j`AqSpzZZ6yyHQ2F%QxvEk9utJK)QK^OnAE_rnNeszKM0<dem&HTpN`1fL_g3
zRvS#S97-DaNJ6Kr9xJw!jJP=)J2@NC96C`b!W*(AS8veS>-7WGNVJ!+X&qygm}7*=
zo(86!wg56v3#}(}?qO^xjwP(dGlQNFfK(}c@bKB|zGyIo0`PQ@wP&i(OI}M;d~=-)
zb+hoq6s5c%ij*rd`t4j9T&PtEK|!Rc3U6oJoaSK^{V;y)Ybj=UuisMEu9!MTVoSK=
zYWWpTVIlGu>jw1d#c4ximo#g^Q+Zz#4*`72lQ$j2Z{Bc1sEFrN=q76)S30P*Hzn(y
zDe{*+0tnRg;;ttA9!K2C3uHIwT4sh$FCE3QC|hO63V!1&kAiJLQx-UN+gCzDoLIp9
z(!ms<@B!@bEL+k#z&KLnq&(jzIN8cG5BRN}iWDOfV+TCkAyXmceMYS(!B4_H^zHeB
za25gzQyhNF^C-G%fStrJa<VW8rgkEtv7M?TpHh}K%%Y^qrmk&Xl*uKE@C$^sz9!@&
z>AY$)oLFVNR7pLd%dlQ14}>uKCB5n0m1w4HcfP#^UnC^i*Y2%C?O`feSVkR#n)~{=
zJsDqiikdV!zql6=)jk=tW7tL*=`lT3Z^81V4<k#_sB8$yycK_KARc2O7#8nX->h21
zsM8X!zYWaLb=9ha8lwirxnaJ0ESLV8xbfwJddxD@3}CyU#cJHdg5A<m9-a)AJe6D2
zeiM^&IQ~*=41*pCJ;R{~Lon-UnvSqX!5aAtx<#lOZv9d8oJ)Y<<4QhjKC^3owdZ^$
z3OQYMKF^uda*6l4#=LxX8Xr{Ji<aKd@g5M0XaRUu!5762NOg~O!J=6rn&zqs?}bC6
z1Jp>o>^W)MCo->_xs#FdiOSV@QO0`4GOJoxbQCFOj&D;DAW0;REssp<$Sg>%qABe9
zY#Q{+J%_q?s08&|ZG2m%hiwbF!F=x!UxrXwo0YFWn(HcA<Di3p@!<@QH$;?WR=a2d
zSl(6N_V|}QR_*L+rxzPH{T6|>b6*Oz*$%t7!Y(Q7gTg=c*`(A)&d$VF-ivbl^bx3#
zBy+Am9;X6;y#;=r{0O&kOJ^UxfGQ5zv;(!_d^b^x_QDZNtCoZOXansX=R@&no{bBJ
z8g5_HrgPVp;RZ|c)lRG@$^EcV-lHerQ%IvPz;{d>L%LF=u)IUvhA@^3<T=L(KAu-I
zK3<Sh)Ib(b&0OB-6^A;$F`8kNi(QG*evn&>wbU)wZ=!gZMYC0EF$`8*-nq3{ZIj1F
z$YsXep=K6rr|hmj3=bRP)lol+iu8DvFyV%lqxcM#q~V~{!+038PNw=bNRl>})Nm`D
z3>_UHshX6zbW_4W4HoS+)eW)*<d(=3Im(j|@W85o)C3|67pevuJ$Pr$RJ>F?2>`y@
z-H?7Wi{U77np8c4y6G_N=ezpEA?w1zK^|m@$2Fn2fowqupo~_~Fb+?+sABDa_2BZ8
zkj9J-paT!nBU(Tw>7kA=NE(Ps$X4&i<hN8DVk_jcSv2^Fr_j_CcOqZ!4N~l6x>Gy*
zMsTr=&6y>8h(@6iH2Mpml(cn3C3@4Z2X396G|7iZ)gKQOMBd?JMI?CR27Fs~_=~)5
zhpQi-K9}$sd2l)~nHI9?(iFne=$>SWoY}RsX+3i;^`_%!P7zJy0g~lC3Eq5xt`~{^
z*e^z5hU(E2fvvpolbFiKB8U?fuJ}gvp|{-=;N*u1UA{5#r4Q<tK9?=@#3UoO*~ua;
zSz^QQ0x-~%P2lk(+ba?0_m@BKk*H!ixl@4hM&#@PY{Ys+fv3FW)&lU$^(jn$ua9*6
z-8*l^H+vcGBJm<LC)XrGW-!#_&02aGI)xsRBG!8-OGN19OS+E4m8QVOeJjUgla~Q&
zK2WmAPjG}T%6C^KN_fEz(=)-zv1nY4dKlzMq&l|oIv1XvioBgDLFYl(Qt*1_U@Pgw
z{SFq9)QPhXgE~wtFb=_B&6dtFv1DZ?Z+anSMX5894XP37E$oyB;8t{BIlia5r!d<`
zFi=|}wC4Uc8T37Wh4d!4pPUT9h&kCP%+(VCb}5q~dcpvyq3TQ?q11GSMAptG?4ekE
zPan35W_Jc$WDyEmMqpS!x|(5xE1Nx~!J>FoaQQR{YgZvs$C^4uvx?ldC<p*v<AzGj
ztVsqWqoBJ8yx6yMdzf!#GBM~{F+3}+K_3RkAp-?o&y~+}%i+d2!_sX|?RQc{3FlP}
z=RylF<bhakHlRPza1<puQ9TgI)<Ujvn+KxlmogEng!(8mYmFXy6s+6yyzVy?$@{X8
zHUlL+ZDGe=9#jQL@_K<p48dr`P={gFzULjvRrchJgkgMc8Z<5hGV!$|AFHe8qkek>
z+cM<rMB%jyeLGfeB&*yeJCIMtr%;T{2Q{3dMDq?%6y73$HmZ~9gl1;oR$ptY2aG(Y
zp2OCb#463#5OB}3Q$aS?SYkh?AL1{6;Jj%3`X)xb?;5T93egOr<P9k+<-5mvWo=O|
z`<FnNUC#xP?rE$J025puQea`_7Lzvwpp~+XJ$^HEC*THM!=`|Hs}|W{#MAn^PWZLk
zoPa_X9Aca6hB<Qr)np0zyi4(bsm__$nWI^N)E5PJ<yX|RYVTBAxJHE6o|W7)IC)O5
z@JT%q%X=@F!PDibY83#!IAm+x#_$xUSWh_@vZx1|Og>Fwv8s!UzV({JP?@K8jxVBS
zI+h`HpgK@;@Qg-?UP$W$9boGhQH9NJR^w!TLlLC?$~d!ykvA6N=>ksfA}F@>5Wjv7
zIS#}UVKlF4jx7u$MYty(dirHPK+V)$5KCUM?k){aF4$(odpL*($^`P<L6x@NLio9#
zajOuCY9x32y#!u*rz^{Fk+1EViX)ymjd+or12D`4vq`!na<v7umaCA=ljy8R#=KNh
z>;d_LcAc$3<tf)Cdb^D6BVWm$IN;S(VQMdXoNu3nc=*_|-=(W-Hxh@rKL~mu^dd!8
zG#kBn^ktCamFIR+Lqtt?tMt%|u9dJp88H)=o7s0<VlP#-X>eaF;#_b?3&!+5MCkW6
zHS8Kg1j#zEW|&}Bwp1<NOO8beiLD15Z9^(u`n=}$jWWp+Os@)f(8Bd&4WeW+YwW_D
zm2lT{06iE0<9N0%lpstciHO~tJu3H##6b<_hOwbz_jSs3&zSKWe7Jj+ApDfI9%gK2
zbI*hM6zF|_bq;;~)<f<jp_ZMP0R(*<8R^{QQa}iobX_((pn?CKg4zHmX?y2sVdNV_
zRzBAh(t)E4>NLH5L5`rPYmy{Q^bWKNw_lZ1!T_XTh?~c(nh`IKShItkn$Rl3BP(v_
zjh1zkb5mI@7J8;#xGDQkunE^Zt}9V@KptqzJ38<v!lM!i=;2~lw$2=8W`V?1SnPos
zH&$uN*EA%Bf~=-iI=zYMx#eYOjIdi-_@aREsuE9y)9`5-7>d1zS}$#-`aCGQkyY+y
zMdpk-+CY5^$GD-87`+65^^!0w*^YZq*5(<|l0u_<-&~DIAHPSn+Epla>8msVZvu$l
zGmH|{mY9d<7f*Tz4iI)#*O#5yucGdyi_}hZEAX7*OZ5N<qIWJn%Z$(ZCXWh(@nJcO
zM26?hF9wBgEO8ES895P5{dCxuNjH@f6sRUUu~W1IUNGd7BX_1CYD7MgGXNMP*cpb*
zeQ*yTtCue&Un#g3*)tn6HB%}gn0)>o_y8ooeHELD9?@@jNpTAwH6u`D1M!$60G4PX
zk`ZY?K}$d}CkPu8ruW9*JbISECVcORgsu4zUZcsy`dhUq*fvp~U>dVi-ed=JAg1nw
zO6BxsY}?=!lb%?GCW>WKX|IlWz@Cm<Jdt*Ic*`7F-PkQ9eF88+ly8P~G^>@sg*fso
z703|H3gc){fJ5$H@p>jOa*JPMVpwcNJiorytd|#7k=EY9gVav=We~&X6!a2Z-3y@`
zcFteUK{`8lhM_-y&0x^ld=vuV8j(%?mqJUFZMQLnfow%nBd((@{w!tY&Cz4sRGe&+
zSMUtUcp4EDDfdl1fz8`3k1E7p1;#l+0*d$z%tU1ZSSUOgGN%L7w=R!7Armx=(;nff
zDhD}Ec?&25JcO*bgv9T-satxyo@QG=X?pTNRtv?Y-ZN(p8>ggsc&a?1FDD<pj1Hny
zoXC{gg9>OZLw|=iu)|1RbPJ2LrNxS9+CsT?qu>qDHWn5EhFK3L-|LJ_(s-1+3nMN8
zQq?YR9Wss8Krhc~1v;Sds?nDM1cb~ss-iBVO>ILc)tfI~0`n;?sIFo{&I7Ev3c_}D
z4XD#W)Yh)GIW$gNu_dD52hRyO*u?6Qa5e)2ryZvbUMTTO-%B%iK}B<MgLiv?*^xJG
z%uEeidWegg)e>Y-JgG;cPjoF5Y?PH6JoPA0xH{+fZgdH@%K#SLSLoG?2m7Qw0`hVQ
z8Se}ODW|}u0Y<9K$F4;JSj|x?<5+w7q;nnzLW;4vjh|gMokBex?pLWpGH(UZ%LS{;
zUSlBur_wv0X-^oi9KvEb;n(SFAoW~%u=y5<6JtlNK$xZy`o%4z)A%FRiALg8oGAnw
zU&s>cFz8!xi^)tw10Z7Xvy3Ei3~g!4R^+bmZZaJ_*&d6>mW&hj6cS@q)G?(@*1YX3
za;Ap?Cw10l=M~N!p0PS;F1+K=P6KRb_D_ZUOCjeg!4kANZOQJE0iyFGpM)p`dNfRr
z;I1D{ZTIshMe&zI*RwfJ_oC-|FQT!sN{utpmpEI3m9-xZ5G40dHHmQEm^UxuJ9FSm
zH1LXJ0Jw35ePD33SQ)$f9OMaQj*1i)q>&$uTsJ@B=OooIz3+7zs*+BdZV-%-m@Mhc
z7$OW@1ZE%sl;F!<df8EJz%NlKd!Yx4109E|wC3r?YbYhl&S=fjcG)rLH6^BKKT<Mq
zgh$Q|X+ik>5Y|O~ujob8^Lz**jp$w}@t9YW%HBu=X9_WhDu*)<PEHTlJeiYm!L7XO
z6oXd|C~s5A3M=P|+~o|;T<7tL3f$V;rvd31st6!K@@8IE$)&Y$pRSpP3~{OigV`?6
zQ+pTJqOEjoX9#_61o%7QtQU4_uJ>N%Y@Qqsh}@Y<4x<~sqZ#ncD_PXtiQC7#>%-6e
zriq^5>GQ{cR`O!s9rC*uTvEmZdMX>5mT!Rk2KlrN0JkiMrmv5Sm@O0SCFS}~iDOCC
zc&sO@-$FhYFnLg6A(O9qTW7X<W9#9gJ@k&I^opm+58Dd~FC+9WDy3J5!nM>qWji7f
zUIzBPhoKAJPSYx@o;&nB<DsU#HSCjA>t%+DS5wYXFBRm)c26&3wb9#-MBe2Er&DOC
zeIqL{*ItY3nqk|!G44xMlrQhtu0}`IWE}Sv3_M87G3z0x5MLV$1fbGTw$W>Tqze~|
zdNq|)xDm)zyK@&>Uk-_WITT0NZ5=QR0i)&CV;hFvxT#%)h<;5YvvFZ7Q<{w%jqs;L
zkv#gwsdX=<@GhW81!4O@TV56RD`T=!ZpK->gjWql4lW%=8=Q7^EB8<!t>VVnthF1P
z1g7;C&<X}rJ*N|CUt>p2n-iN*%;0HYcopO`1fv5YVS>Dw8|7>~OFz)tn{{|%!GYs-
zild#*8!m-gZ3o5fMCCOZeUW)4W&K{uJOyFP$E}XY>*>Lx;>$<2ukqPpQ4&0g*MJfx
zxy6z7PzITR*wp;#-ZIYgF|l|{2|dqQum_Z|)8r}3r>=t+{)`eWre|pH%mX?1l7ku~
z@8G3$zD4&_#BAaq>L$;2KoFy2(1snXO6O4J5Xz<JOe}l~W5*CUkX%ij+E#C|ZQ4jB
z<}?jL+-mB<UB9~37kIaCg28#>9ib}_S7h3j&`8&s!pgqn;Ls#`(b0xC)aZ>7%y=dc
z2wuLAsux@n5d;jLgT_U$*-V_t-sJd>EB5nNTypob%D0$J&yoyY^(Y@k?QIZ}#JLZV
zRFtsdfdPdjd4T7WF|ScYmG(|~v@PDslNj#%VvwGRyDG+ekDwjuL8Ct;O#~tuZJMoA
zNRcfS<2(d`EKVhPj<y$&IO)Zt?^W1YPzXHb!L{aql%%TievCvOk7B4GmH9lGt)<tK
z37UbJqJoca5v$wqk{<G~22HVT)0TKY5_|<#)@M^>I+$e`K#$gd<Q$}v?&8Suwh8u2
zBIPfMX8o|<WpWuX?6BzTSH2QX^3Z(UmIvlcmhb3jc199vf%Pwox>R;%VkfQ&W8uxz
zE)8tSL6agJ<i>flK(fAk@cQ-EC_k2aaoB4MTqAjhS|}s4W3h(T3$~rRQC5e}SZIl)
zT5>^088liK$}6v*k+r~0FnVK84d}svAl%-|+Ogv9hw^ycWoH1c@S!T&D8E<45u%Ht
zQfsur{&redHlWy`ixxakU|zj4xVuMW_;6t^k&=kLL3ytI8PGK=T@k8u-qhZM*g32+
zmz=3ZYh9f+ph~VqqDafK-_HlS4|IbDW(^3gu}joXHcJkYkf8uU+-7UW8F(hCd323D
z`7lM$X#w3l`WBu7JV0d}nWbs*+s?_zSY(pPIy`_)z}FyqZ<G<=-4i^7K;`GH6;xVU
zEjMqpv-qh-Vk>OV3#aHu<`KWbS7MZB6i1MQ1ZuOwO34|WJYpIG9jZ6^GEB|+nxQoL
z;Cj}Wh~<gO3r}FUSP_<Hr@gwEhX@ETSHM$O#2I{j?-GPTf6-bstAu$e1dnp7sVjwN
zX1p5$paYJ*D{>KR7O)?oAM8m@OvTuoZ;-A+KIiEaickc`_fV@lkDRcA6pi<)EO1!m
z+^zQkK?Qh$t+3>CC4Y-{;h-<paSaOyUcMpPqxXu7R^nYw0Sml?zLw1~1`|^wauzS#
z<CaOYLDJDF+sx6VI=PKTUs1|iQN!sjh4Yy`RDUM5EPIqMP(<&`BBL*hln#ZrU+_S+
zi4Cx{g}0Ym0xYP=06V4)O<ajjyxeIuEy+J8Bg?ncX9}ZcSxiV$ZT^VUm&sL^8ri|^
zg6_x`Ii`!Y``sgmc>o~(CbSi@yGoxKax<C~OyPx7Mx+fAnsHt}%gHvzoai&ETSJqR
zz(ps~3`ywPP0*6gUZA#sSIF$ML+@T%j^ag2FPtJh5ds5MwG9TPt^_`N(szz8rAz?B
zq{?OujBOQTFNa6iyV5TmJ>j?{&cm1~z+{?(7LfUA_paHU2HWj3AeBhu%JaC{WtpA6
z<-WpU8HrsPi<xz6bj!g7K2Sny#(r{$E~~GUWFM?r%QH*FfKa5#R(WwosdcP-iE2EI
z2XIYuFBM+0gP?hExr=BRmc_e$gS@5@rlgF4FMER(k}Z(k;@P!!aA`t9V6#fTJ>qSV
z?DkrAB@t(zw#r`4cdpPj2M??auHG9*<=c0gkv&xR*txQIuZo9w%xcy|`%ICm>3HDT
zq6WVO=Vux+xdhw^9!9m!?<7XSA4%KjC>K6Oc6Td|Yr~usD#UdV)61?jhH;O0(`Iu~
zma{FKI(ZK{im+l}0^w-)s9$8g2Yj@mqI1f+B3L=NTvVB_t<qeqlb+iNYQn55z#*5)
z1Cc2t!W8SxrR7|nhd`xJyJ{&cy0Fx+l904b9Qkq(OWp&JV69eop5cQO*BW~42XYX|
zfp1u9Oi6(?XG(Hk6*n)|p1en<RvhCcrXkNCeQD(IrBTuJZQNlj6}?`Yq+|k{x3X=m
zh?Jg0xgBbf?)uCZd8Mv$c>nSUlxRDvXCl3+n&1{H>P0W6ravh`$46$tQ?ytNU~m)T
zksLn6l$q&Q0{TXl@>mjkfV;>mbmyEo^I2P;?(K`GFLOl~R~uKJ_4$f7!APE1Ca7DO
zuWz!()7cwMy~nOu6^jR4isXiHCJ%W|*+4PiII}zbGL9Dk{JE?$9>Zk~kyp$x;XXj;
z2r+`;K%{G?K$XnW$tmb7y>MMbR~>vllb%wnq6JE0udl1U-0ca(ZITl#3aC-8HQ;8S
zOo++07Ea&ciL5qFCvUG@aq8i=)qqD6BgY{=%?m&ef-n<|djVG#6t~VqKC)fs*CP~Y
zfqizRokrkKpl@U>O|i>Mg?Ludh1F)435XsMdau@t6#>};Vxi(|NVk5}QPELeCs!jT
z^6;GqdSJ^SF6oU}sU*|vz1jk6_d&ECRDVy>jHAK|Zwk0==M80I(iE=&k=`3Gx9rA9
zyvL_d*VqG_=*le_ft`eH)TnQuv{L-N@x8XpoRw;w_hgk^C}*;s`@>A&X(qO5TkMpD
zqRH59dE)6Fn?pxESMq!U;IdaCQy!5ci!xtxCe=QDDzc;9%{KJ9GhsIYeo`*A8f0;{
zOSR!(=UHL{ZM`<<EA+@U(cQrJ5QQFP5P}rEhwP0V4(f!pB`okH@kw+s1(ZFVH^?m)
z0XejM1(awG`*_Orc3%zU%eeXU$iF;dJJGOg?}rT0;Ob8H*i!N36D445eXkD>&(&2@
zOc%(X>`)U2{VCEQse|uOcCh$40QI3!sJ2fY5U>dPPW8FnJd}I5X^w4AEM}rs^8vuw
z=t?s{7z~%%!wVRbPQVq}S$;5{ERo@DIMIt*ef=KSCHDHFr$GwrD+?({xP4@=V#{WI
zq6|$gtRG#0n3|7c6yoFT2NrgEXQf2F?25`y@2sD*JfN7dda}yi$k|4+#Q|!wbTHRD
z)a8+_;ogbnYcwzz+s%%~UW>L~nORdgRn7xNN6FE=3Jn10+od?vLo)7+C^k{LW84O9
z7I=E@y^1BbaO5*X#hWWjX*hQr5@0v(uX}`O6K6yyFr~=2_`SEKqyi&S(5twOKZ9sw
z^F<rdQ+W{bEYP>Ib;}cK-(d6%+@tHHesq&ETk4w;cXC#$+k8_^=jjy5^#mz}fI01~
zMNJ+((+R^|0aid~Y==M%k@rY-kP|tZHSHNZBMj*(t|p{CqeMRorQKC~zK5wArTXeU
z?RvyJ4&E>CmhOch*Y?P$u%Wcey_KGt0E)&Fj~*D&ml@uA8DScZ5=5Pr5AFx7^P35w
z6C>`PD)A(ZNgGg2VHbv`cbvvBP8UF|gYlXup$8PO2_7u?%0Wh!6|2vJJUD?u(SAO4
z;DlEC%1FzF$WkuH>jG8Qw1Bz*`fTP3-o!j_cUs3)v0IVQQe87!HM(Qed?+%!w6&Wp
z#gU%-Trdk?<(EjIUm^)o>QK<CZ5Q3LYuyH^LdZ)KcE020qwS=EJlN?OelJ>!c6o*W
zG|BbNuso*4JjPR}#^<{}d7%%yFznSchThs}iilwhD3CUNu+wfA!E_H3JPfIh%0Le9
zjXznE6<n{@k-Gu3lxw;N+m}wQ74Tl>dzziw;+L{8d|V8*d<q3w4_*#{y{9Du9v-Vt
zHmI%Ph`P3bql!&&&GlwsE%TY5HV4&vVu3m<57urji)9E=>*2G4O08;1;D^t|inQyo
z8ay1Q3<r``@`HTUQ}lRv?J~E<&W<-Ysd=U**z)Djs-6wYs<uZaJgX4RQyWW~(a@oX
z^AIIUmeBS%12Kt<8<29;P^csE>Rjq>_EhL8Mdg|55*<L4KEvb=wwFxV&P%l(LmIxS
z{_G`S()!LRT(ph9N=Df_7xxB7N@j?ZT>=>k-j;nO`P6+}2s(TOwcYH5*-Lw_F>#Jr
z0K9k21Qj5Zp6xZ+&7(!7@F%6JPXU!JbCyFA(Hck=UOS9W(><&z>lq$ufwpj42YA`Q
zM7pvdxIPpQE?y(QBL|+Ddi*4?7x7l4b{Kxxf{|~Di3Sg!QrTJn?n?m42O5eXm_Qhp
z983DvW!;M0p*K1@=h?~h0pJ{|TroSu>jU4FpjI8KnP&ku%0UIPN4%j0KFKSR<guF6
zeJV;!VrjyS@0IYB@Vo1Mg9!1&^og~}KrE~b`h*PK2!SS^m;gMuG>`I^j-~53;f3=Q
z8ZACddca>Mg}pv1o<68cH!4O9?gFXeMKy&)XBdC{9-sq>DTZxhEG2Th@#CvMCnc0B
znAIe=XY*8^yp018+9@HUR6BpJ?=hy8g?9#qB?!Wca9g6)yO4XhN3|>xqGv4ze8~uY
z3NS@%4rE9>q<&9|EXyMY5S3WW-?Y_63F0m%JomJ{NP4`8il-3>^BUUJo=<Ttv%@B=
zS7jAAGC3pk<1XP)KbtD=+4r74w9;{W8R-(sxf*pnE;6LJ?UBMQ2+cEe>OC?FRun<N
zDtv&ml8)j>OI6oJ;9>_9DHdI(QSazcqMfj&${XO@yV|+e>LydKFhJH`a$D8&ms(EJ
z#BjitRC-#$T(1S6(hN-}>(J{Gpfpm;o{dOf)71yAthn0-sz@xf#BgD5uaody+-e%F
z>IBxjQyAd0N$Ua$5_gk>VR0llaDbZYt+`vuT60DZ2JNWQcW)i6*1e5-H-%G#n2R0V
zWSZKZjz>&nkoN&Km7wW(wv=*J+5|_3@hZM!Ea}Bkw+fuv?Jd>ZO7C@xsK?F|Br?Jx
zkyC&Z3WhKke(5cVzISZ<-mgZ~&vl%&CPh~!);idHM)bA7IK#9m4}xq4l~SvUE_Kht
z5ZSfn=OkK0Ch&B&=s7g_kPd0%>hrVBMLJoR7iTP}hmT>>3N?A_Jg4KG2Hd@<7p+Lc
zbUxfQrd)K^+k->`Lgom~0R?xSF9P=k@#Z$XQ>%<H33@aDJ>vMF>eU84S!6R}r7x9`
zzEpCk-Rhxz=NT+G%n_m3VGnavt*41MfuQ$QWO7wQ+F9&_jK{1t$pwG86up9xc+ZO3
zp!Jlo!Su{+J&P1w_p-LM7k$guq#%8F7WBq^9_d!S0*+jE9?i4D$<486D$md?G#}66
zR9^sGOB6+z=nLQJ1$`|lOdu^cq@HP*`l6rgli}H|E1ym@buIDK7YCC9i)rz^*pgKT
z-mC#*2?pKd!Bb%?JED=KcV3#!zSe4G&nOS}iTBwXx(uSM*X#6By+W#A3cpHvx{NPh
zH`PPOIi9B+Y)tqP&XL`p(u2z493v{qcg?K*Lc*-;xk-aIz{7R0Ca$&3C?FyB!;EMS
zW}`kvONZA#?9SbxVV<%eq3YQ_zVK%ytr`yjEqU^-z6c*U1{z5dLTU#lL(1hmE)Iab
z)sDq&$xg6qda%0Yk5kfBjwTIvJ3yGpf+YiA%VQDH-AAjrx4ik5-7CRZWWqbR1kBfD
z=>Z?D%S_C0E&2hy!EDW13F7v(a>Cg6D+6zFnU^-|E%nP}s4!8@c~u@L9Hf=!PB6B<
zEMn*Qd?$<PbwfMARBn3^JC&jc6Ak6Q#toS3&@2bIc`_FUL0ORglA*1FM3B4l`FquP
zr)5jR8l%RXh^7(Ej>|i<;6#WU6P)%En&P&n$Z$<^;Q8)A+eo=+qp3Gn7)Oyf;-MBc
zgEt=SJF1($_LY1Tr6!D?)$9<{bCj?7TrDdW8gj{l_<92z$WU&CiP!u!f4M~P<&tG(
zB5hOJV^ia0W@N~PE0q}V#a5l|@zKo<l1mmGm3s{jd?}c<eCPcold_|l85cyx)z!@t
z1i?YSK%~)Epjw+JU@*@d&_l&<YZH>iaq?P&eH$-B51#Vg8$5dS_Espk#<a=x(ar3n
zAXscvr!?+u$eC6TOFVyC(aPgAqdP!3U`kX+g=Yr^_IzPqP#nij_9G<qHXpWec`x8*
z{IH6mb&fTj!kTO-$D83>siFZ#jprlERBi{4`Igaj=DHJ9`K1Qd1Q{KJjm}x3z9#|)
zrocpI{YX%#UG3ew(GG{vn&r*n2k85VW}dQ5qQ5}s<LY^=+;a;9<ZmqqP~_FYD<Hqs
zV^<1!=PIoTUcGA6JS76JaYEzVYWg9ZmHEURc+Rq(@SdTAzYACeiCD(&eT)dTSNl-b
z6RHA-$>*NrN%ZhRJ4lr7sJ|Bvj2sH&$3#F`05raSi*%TrFZ@l(K`H@S<i%b9$di49
ztnCiiCIAlm^rfcSat1uR<_CC1UI6Mu5?;@zpU*C8UL+!!psRD;a6%BYky?&WGF#Uu
znkPJp;YnmwG2!Ux9oxQW0(rt1{PKDP{M1Z1?kSI*#Y-!z@;jt53BEJ+%hMUNdcC({
zhH`5#-s`NMTTZH75JyNZ34poy2Cn@m`usVl3p`H$#cX|Ej@YAEy$Tviuvp0hJhR*z
z^Q0IGPEFruOMns#UX^?Zr&lQ>Jls6-3bRLLoWVUS6}KrCiT0*T_fsbSlBwNiH-bzp
z%JY~gt1J7+Uj^{p!^O@PZ*vTXIF%6x8&;!N1gBQ12u)>w*;LCjl@qm*)lTnJQrQ9_
z6O>d+*b3-zW1c2bxB<W!0-#dJrdYS!0~Kx2R6X)_X<|{!IU-^}#J~iWrZ>!iKXs8`
zP#M=%E4cU?Myl1#R^t;RnGMA~OUJB$UdA8<OX+mZthxz|>M19Kb+A~9o#ZB3e2{p+
zx{_|mM?F`?lb8FRHQtoeOw86JG~gDO(MMfn3H+SN(zW|cOkA|&Nzn%7bEBh@c^xc`
zdQaGj&0@vEtDW56x`4Q(T`mD6TdChwu5h8z^RcdXNgdBPn1r4<kINyughriWo-Cq~
z$>orV*<{Z1&1XO*le2Hgij$U7_1wEBMSWyA5f^7t#w%?nx@J3&-5O)@BE?1`Z=bO-
zj$g;zqk2^e=a;pKn;AkL#c%M|kW!%R)v0$5Y9>kIOvpGS92$dS0!|#dK!^vr54zS=
z1ZGDvGQG+R6effn?Sk-8XV!=V%jdqkrt4GbfMj|)lxd*?D)&0*WhpDcBraMqvjtp~
z)g#R(78NO*a@!BzQ1FFaJL?!>u$1P^29_!d-_cPz_9ez?v9#cT)jFZxTH}IH5(jY6
zHf;pOL+*)5b{42DzuWQV2uE!&&n-$Up#v)kwAqHV+HER-XXbT<(#!Zdk{?)iS^I0Z
zaN>c!?&f;A-GcE*@3Nk}eby3H5qGu4oFTP^lSAVCYP$u$Y<l`-6X5c@eFE3pEU+Dg
zKp=0mWJDLjLl<Ty!1xxQuflUeAcOYDy}CI~RjzgVmrnG|+jLzm*fzM~`E$ipSe0PF
zLNu#s#P_b|DxU}yi%%a`GPaZK_%WWHw})#%vK2|)$N>f4w1Krh4^gO%M=efEC9SW=
z#e_E|G{Z<5DTf}HyWPl!c8`#NRg3aTEG?wpdL%PvK4EIA2Q*l5es35LI}{dOE%{b?
z<djfX86)nE>Mhq0Wvvyxy|71qa#PYHK#Ax8u%MvxP!yWFhP!O*0unOONxL3pyP#;P
zIff6B9FO=sFugl>oLF^~$#ulF1jaxGS|+zM>X78HrfIeglCr`wuf6xUP@br!7i+ek
zc7v%rfDMB}$~j+{%kI>afFKVXdpjaCN}R;X0&yjZP)oU>p%6BrEL|NNL1l;c0zh^X
zav{A$auSbxn^Krbm6cZWRfZ)1Y#NaPY5;(3+708?JAZX9Ba4xR3`cjXGX{qdWf2l#
zyUnk{vpQidfS76Ekk^)r+|%Fr^2x7Sequ>;Avj7k6%~DRZ^#dxan-!ytPmmQTxMQ+
z;ckR0^_owfro&YkBF~z}h?@d*ki3|nenm>yY5~d`uO>WR?Yw^S^5n4@SgE)M(rE8U
zz{@JesU9h=Qrn|^DCc!U5A2Ppp{#2h8_(%Uhwp1#6+|m^=7Q%>&@Htn7lb!g(86X7
zxNW%Ilf?H5Y4AqTCpM%x_t_?#@ZK$<wqe47AlHaSed)yfrPF%`^qxVom(ngjVLi0w
zJ*xAu?ZM%=fXY(f@)u33D>a0|Fcg(!S-uY<`S0mTwT0w$p*C9-jg`K&Dbr3eIpl{i
z*^L9x;Ax8n6ZTZ~d2rmqEeSFEgmG*m2!gCvu|FaP)5{>>i)3**6xhs}cvvzXvNL}4
zE9Zlo2t;F0KI@5B@c3~PrLXjm^({up_;C$`WDGhjk6k1cK(zWETX?dDDlG%6<tXXR
zfXFM@b$tZ&rogQsw1jWso*G7EE_1+HXx$pkA(&_t!oH_dsSl*oH7Rfq!fs-^FqPt-
z5A8fCxAc?7O-#yt&NXrmwGNR^YsY6=pm@;)qTgV!2@FuK=`|vV$ty5?;EL<2>rpfp
z&Ef4<NfoGQ@*cc}smGU^LNB$di<IWIG7oOMU)-W0qzVO0Y1}#6xB!AJknd_AGp}TZ
zYlqJp5tmUdzP!Zu@QzbYc(ccl?!|S{<Ky8j?+6;OV8bMho;UC8y#ohL^SXX;e)TfL
zj*fDku4e(p*!p`eLJ?aX*eOU?L^>8mr0k0F@I4n-j(*t7?}4u_aKz4{=E-$ScSyW6
ztld!p1%1PYX>ls64CPIb`0xsaUsT+aQII#4tVKuaM2;I`WCS%YSUOwbt>QXWFClYc
zOyiL-S}Y(Agx16rb)H#G3Pqir3M2Z+6!y@Cy%X8CLd;UswTB^MLO1@{483oP`gBW0
zu$iM%0Vx7iXKWF+lG*0GDK?a!mipsErLl0EIFUm7@=55+C-op<xKM6y;~JU*YRGYC
zLFjs(H_XrT9$p8MiQe1W)_PRpTmAf+QY-LDX!_sVI`V=@Ku3A@oOMeHo)JrNoe({E
zcW0cY1=(oqlw+|_Me6E?g@HPU!f65;E=T!N#}$k_+?y^*WTr{A%lB@U2FRr5J%z>%
z0ts1k*~yR+PAH(!%5gt^0?|^A+Ve~r$Z_zN;t(Ht&6DN4g`N|vXzSi27jwHbP9ry;
zd2TK$3VQ4w^H@0W6-<|9H5VQD<vYsUQWs4UbV-21T2HUGjC`yH7BA>2TP~AUg}2GF
zc<AtyX9Nrx5(8@R63`y)yZ7c02{vP$Fx`07?wPWuhj))jBu?q2-bf>xs60O-X;!a!
z4W(f(O@i9{00QT+q4D~J@QQ`ZQ)r&W0du)!DZ@#3R*4R;><1t#HSUha0#Bj@1tBNo
zP!D{&mAk^34$e0L<e{8)p*8mD0#+)YI@{JT8%<%}bv3M&o$UIw%%B&tR|``ggxgYZ
z-qB9IU4`~cF0ZR$;`fN(h!j^WK=<sJk>Hs}<`}D^J7k+m5ia0xgviU@OLi7bTZ4>z
zf%=*jJdU)3?Y$X&n~g)&Y2bt`40K~ks?zU_Okw&CUnj4_2{5uFGYFR<i@oRAW(NJ<
zg3U{F%Wg2b*H0?M-u3ho>T#=em8a-~5@%j{sN1LK`%p71dycD@TBQ@K!;i!Q`Ff*P
zX+5IzRWf9FiskhieFX&-R2nxh2P`;tk10&(WyFYo38nBQ)JZ7L4He$qP4Zpc15s#H
zsoTl&UZ@okXPGUZRs`U(spqUlAScsTkCU=*LmU1w>WV<eArpu4yjR%+=3P1~z&S9z
z%y4G2ptDEU%Z9oladyM+dF7=-JTu2qx2FoPEL{)PJ!xCP9ZoaA9H+hVP1K_pRho6C
zP|S87zjjmRnDKt`n9<Y-6x~M@^CW6-wF394Fus&~VoH>1utaMQ(BBikP>(e@EEtH+
z2;zYEEMD*lD!|)k<p2t_Q_g|JLFAsa5XD;Am+x53hKg80Qk?7cJ~X}_%;njdj_62}
zO*>vQSlUD9bHL?6#9b-G5GaagdWTUDQlNP*UOH`iU_Qc&)J<Ht(4C}9Xu3wz5fn_F
zT<eghS!k7Pxes$Rit>WkSLkV`_*l6z0SVH|6P+Z|5fkV|YEZKGYV4JvK1bRc7P@Qh
z8DCMv2wi&JkmAHGxtvuJDU-_}`a*^Ml`20gT$879r&$lPt{#hH_W*R7_8H~bcB(jW
zvL^eLdwX_*cD2kim#LR!UWI7<gxm5iUBH!@=WPec^UgwZptr1TD=V9HyO?2cjPs1s
z-lYzk4G|xNq*LVjf<GAyn^qm1ovdK8X>du+kmduGJ{8SDWZi*g*|qA6Q*?Ra2Ba<<
z@}h%K0QbG;O{sHMawJv1n^8MLd#K#gH9mQO58R^DpHjDWlAk;r$5Aj6FVzu`&5RyN
zq8sCYiUjP^h7fOZf;)e-6@0MJ84?w5I#)FLN+=u;;?t<_@8b!INn6^x<L=l?AcjWc
z8e=ap1XtgPk>YbMhu#tvT(bi0gOh|!l+FO##U|Uzzm(cCeiFHlxk&fPd%?D(y;tiH
z@ub&!VI*v@8A*ict`5x~2rXPdGSHa2cc)xvZ;Tta0u(KfR`OcxFxkDyP-d^)V*_lm
z&WEmG0Vulh3Mu25f+GEV!VEiKl|=ReG~1)_7h%)c2&^l{Td~rCl*9WR9{{#%2bMmU
z4Vv4aJLwBhA$52``QB+_JWI2=sMsSBRelc~D5j<4mR@$0sI9i+zy?H;#flTk5aFX8
zf756DK&7Dzb;~LO&zX>fge%){97_2JWGvz|{NUzn6QhG3Kd}~no=~SbgQko+^&W8-
zSP4HA?dMH*1#<{|``kIT{NNR=3D$Gs8wk6aCt@uX9ZDNl6lgMd1QtJ0CY;}5N+}nu
z#_fwUYZ}aV^K#17XwVFA)HGVyOy<H0LV1yk>XAOB2@7gy?&)WF_h9-BfMqM;&ki^U
z=i_>VT5h-JKyE>uLA|O3AvC7S#-iG|p>t|<uiuk83JxL%&{`@Cq=uPW)k;<NE!}h_
zE}5#?HmHF#7JfV}4BVD&(;bXq=gofk98=cU?gsk_Gd1uoJ@X+`tfy>g`i$v4fNqFD
zs7T%m7>=OyJHO0ViqCTZ*ZQ@GDs1ShA|_G}@tBi0f{tv_Ba$M8MGm%u1ealE*>~nb
zBuJ5k4zx{d%|69dP0prX(<m}#1xBN;tTg_R1KYub7T=drre8{-@k=uj91UVJf#ySG
zkVieQ-@7R3o-;vS7w6%Wi>t8*)#p4gY@|=QqAnzh1ShKga!Lc?y)5a+Ba~gGo2#iB
zeI>77qys_f)`kLPCru<}Uwe4MWSfN!>*_sV5lHvojKvnz#6&W38{RYCNQO6$bg~w&
zg?%s+AHAk*hInq^V{Q}*i%9JBWGM4R-`jCd^z)=^vS2ix8g9JuR@Zu_jBP#BqN4r|
z2JMB=P~$Y|j+~T(Hj*K7Ab3z=B@}FdH9_tHYPP>LZxkwS-e&9`595iq>Uu(*uA-AV
zF10m_(9CQALgxBFLY~EmwNNzg2A3}*Kvp~;(24F{cf`x4!xAPbJurr=JUVBCjBqJ4
zS22M{+M{qTa?E6>Ta`)HbCAHycVu2olp@tB7m(sbHWsw2>k+=ej!|l_j07w?<Y05z
z-YGT2L=}R<Zk&?75I_M|OnhVF<&zvv&gb_;NTR6TqufBWp?tEi5Y^tvppCq45#4nl
zL3MS-&^T!&>8=oC2=R(F1Ftr?%~LyiqaBkLJ!<^XjIs7&biV93Q8BvIz%BvpTt+(v
z0r#p_CPDO?YUqdyGa#U7G#lT3;d70V;khs0x#nUz66LgnP@xBsMzcC$qbL^Pa<Sdh
z0KT(UM{Y>)Qea_#TBB`TWplSB%VXW-=-B2vC0t>C0d)#Y(R28~I$plS_RFQcQc$XR
z$O(Fx>*vgl`7}zI9&c|3^R`~SzI;gHfHqUlUW=r1!^Ilkms8GPPK{qy;t2*fPsyR_
zW!;^N2JxPf<+C2}J`n}4N<Z93Jl1w7M&X;)JiRs^y@E;{aq*{Az7~j}lYsHww!xMP
zWYfXhJyaLMCqzf<zG>%kc|n=ACYvy*F;R^;_?Cj-^Aw{HvMBOm98WHL-gl!EH#{~n
zo^8bsc%Sps!-7Zt0vn?<<~gqFFgofgTXw15LrO-skcLsY$<!suBz8m~YN{2A_E*bB
z#_J6@oMZ^2SzdDxBC3b=rY3Fpuu7`tZQd}u=B-+(6R4K=_ApyT)5Zp)9`#D6cOp3z
z=SJ07JJXqI-Ptpez^=DD=F(0{2BvJVohbR<NIlO5y6)Z=`bZC}mOMfl&S#dXA<!v8
z4*4Y<4KvyL5r-WViFH>cxi(#yyOc6<@Wp#2&IO(RN?7ht2v2R>S8{pcT{{W$HG!G;
zV%WW;Q{H<Mo#HQHoG=9ikCl21+Mf|$gei;da?I=8xhU;}ETdbShK^&rXxSd5k)!b%
z-6`r?!~<5Er+vhpAwmVDvd?vfxx(cgWb3=_<#PoD3wY;Kw0L?9Xb1A1->$P-Lo*nG
z>MP+BQC2=)w<EwHir8y3ueNtp_XNyI2m(NvNyYUMy(*@Z9a=`Mn1}a(aBC_xUXN&V
zp=~beU?SvmG<>-)MshTXpeH>8bFMF2uvG?LAk1-Q*;zGqa&&4A_|A2Q=`0XMZp^b-
zP|J*Z*DtjPrp5-Z^)+V`qF&Uz9)k)_d1V-Gjdm&{YnCHw+>QDvRnV7IwV}?n29LoN
zp1qD{r%FLvkGOWM%tTsg9W$~p863t+uRU|`Dd}Sc?PzQ}#oUp&u=&fXmlJSe*LPJ6
zVA>V#8iG*Etmmkh%lGWW;>9^Q_w*F6^0eJ^xIHiRJ~B3k)Reo2g(LQYX$_4HjA=cv
zz<G%;m~qI?F4r}k%-2}~D~A0+PF!x=^Q$`7Oo~u>P22g3-rJ<XComhgd1-p(@yl_N
z?#%VQcN?Z)Sg#FZ6D5hl2NX{7-1i;mU2z*^;d57YEmwZduT^T?se^b;p<>L(K+3#m
z2RR%z)?;)d)`O*9232H}lQOB`1S`P!%8I{~s9f&T=6wF-Re%Sl<sG?W)q=9}ZO=>L
zA|p+a+lE`IGC77fds*ReCey%3??m)P#Gt@qe2lcHqlTf80~40&;DsTU#*Xu-x@&gZ
z93lfAzg>xT?$I24EEK&h%ajkDUv=kWj+vLVU=rcx?ue;?`BZU<G2Iz{r4ML#i@0Yn
z?XQ@jgV^RSi$Y{t_Plc08gl~0df;SA@se1^&?4Q`t6tHh<&q->iC=jVUEFY5fbyfw
zeGkQlvrz>0S?p~=V7tEr1Uj4C+NMn2>>;zXWtoQ8?Q$DJ^GN#%VcmtpqE-Pg=@358
zxJMGN2cO86b<f)6C2EfA^NdFAeH;XCu_mvLUUTsBd7+cw5Nz|a8>TBX2edWOP&Ol&
z2LWLnPI>o6TR4l}T&oJuOTc;&u$mqbYw)arL6SQw&`qmU;d0lrAKX;bhgA&lWtA<;
zP{pQkr^2bW&t*Nc2@EeQ)Y;O+O4xjDy97+<G0$ArEc!rRo0&^ytOlJE9&*|V{-u?8
z0Yk9@P&K{*Y14HEcvf!<d`8e6JCz(IWL}gP(qN-p^e{~D<N&Znoov}7kZa{=0W7h6
z?|AD)+Ks7cq;A1ES6{faW*0dwhsViI$~wJ%xWUJ`Vpaee4zbv;AdcBV%|^7@trOX2
zgcN|RCiY%Lz5_owsdbHPONLkS<WYs0%<O471bW?5%X0%5tyq(rZk8<unP(drV;6Nx
zf_5d9LL_aJNkQ4>Pg3gml33Q9Hr2q9+3%qXU*HkWMO5Q!MM<@s9A&=L_q2%I50|2q
z<1w}-hr|jfWW;HNV<OykKUj)xGiQ|Ns5L}>V=jTN&*VmRy3KbvQ#PidFyP8l`=}SC
z?cPEOOIV6TO|Mm7mR}Fa7A&;Q0l8DB+R_29lB$Te-P0RLsvVXnflC_q*HNz7z6|Lb
zbPN%lRlBivgXDCe^+p0btR`<<`58q)6q_(tzI(akv)6BSUyq7wJqCYrFX!>-qJq4o
z?BJ5F;p?hi8Xy)X%mc#Jg%)Xf;@ll*6XEE?2jY^WDgb$fudOej=)D1)n`wLAk7Nl-
zU!PMxuw!oFS1TUIh)|Q;$B)%JfS6+H3Rpazo?4eg^D?893_OHbcNPqf?j3wOl>tB|
z)TiJ~uTzNq6_dOnUMUvl2dJ}4W3sjtvy76+-uwcDlrS6TELNdQT#^gC(|}ytEI2;3
z@-M9-38R*u;j0mIK-suS)rO<-*V&@4%rq<R`Mu?{J)-Dheh>I68E~(trpC56ULX*K
zt6;nS<<-El3barS-YGYol)1e14A3zaE48joq(@XTI8t5SZ|gX^b#DEN(L?ZIh^k_n
z(NG1<agElqFcdQHSfkRLc>O~C>gHi^Qw!Okv_8bc2$-g<T`5%-LnOg^^MZgn=3OCM
zy%?M~iQpuB=d(GJs}iwj{Q#@cXZI+h(r@5N06jp$zk>5fpk2lCieBoj*~9m!1UlbP
z4QQOj%T`xob`5(W-GXfFcyY=R{N5-r3D7345^1`FIy^cRz4j4^0mj3DFy9(J+Innj
zV&X|bZYQ<RE=C)9IUcVps)LTsGTu3<SLZg_Mnqbry&`;wY_}j6yPh1lZ28jKyW_16
zO+DipSqOB5gE53hC`Ouk4x`i<6SWmIlk3eA0Q5{xTo5g&uhx=Ke5*2uRCLE3^?^~H
zs@fr;u^mV`4;x^-?e?n6GJ!#*-Zgx&w|(xB-Fv0I{m2uYPr7n@R}eAMt%nd1t_gNs
zM4>w@o>C(nwy8?iDvji%(j?qHb*e|LlZFD$NFa61&z>0Lf<1i|T_}?~1@8&f+$r?|
zyohe5NKcYZ>^7C$L9{Xov?A#tqv&J3pz(Q!_%JU@>rjal8M?%3r9-=DIiJQ5>7`R0
z%)MJm-hKA?aZ9JVIyJNem-$O5x>N<;drmG0i~ST*(ZoI5vC;<{z3JtHA(qMM!B&qq
z&ml&)9>~h`doi6~UZH+@)qYeOuLj0sFQRj6nkeTO+%qJfFr7XlcuW4O`jNUhthtT)
zkas^1W1-U|%5<^Uy>-MAM){XmxVbVX%mK=F2QOSy++0ekksU^6?rpuqTjdaf1#3X#
zo5PunbU}9ue{YmC;vR{JI?-F2fsRzG%$g&jrhLfpv`0+LUkJGm!wj&ETFyCn5Lj!g
z5zt$blv5q5%&Da?+I%FaSthUZS&ke(&EURKLZ`A(--WdV)OKNThQZCLmnc5&8EYMI
zB6#a!jYcZj5>=_ecEsZJFgU=`Dk3E?%sYc+c;M)9#LUaIN2p~@zB?uD_ZnQ#B}OZw
zfTz`NiYu4LUZpUssywZ|rMoJb%nR%-CF^6?cw{Z}ntCk^z(Ur-B)#>b!77AQ6nTzi
z1vWiqF7D(g3k8%So>gGj3ct<=;JQwcSF<9-(+J8rp?AgOZ!@shI^Fp-7iJid8-Z9s
zcJzv^b=VMfgWlm8t9T}P-3#B@ICRa^WtUL~@8o1rRuA--BeV_ooCJEtpN%>vE?+Lv
z107I3I?NtX3p<>pj9G_}8CI?oA1NB~i-&Y*7F$%5b7=O?=_;FFp>Ik-cl_#I6GM4(
zia`4GIa*mrk_5b`yXYd%c_~TT7G>Q)bC0pr@MwG~VUr3{#JirPLkKxZJBynXWq_^o
z3tP%JNOH>k@HNWxK~JkbL(>$$(}vmy55@JhauOz9B3mA8?=;a(T}GD&U7-zWvqIVS
zb{M`5NLG%he$Yeq<TkwUt=!y~Sj1mqZNo(vBA~V=C0LHbpfZ_&_UbVsNZgPHGgW4i
zw|2s_BHGR77#R<4s8c13qXyp?SkEGy75dAp^n5lfnOzFjFKH$$`7O~B=^<_=;pAQU
z_J%Ff9Ei<yu*Bw44mNPsJOF=hb@VB~BiN07>OC}Dvd?$SNL&0}#}*?t#%rb-PaF}m
z>?A1nNO?{Thbcj#wHuKMky_Mk6q-IO$i2vDZ`FUQv)c2f^DT<e6U^qvb%JhGtE9xZ
z{LtTNn-a1`DcOq(lhPwueG{ra55w1KRX0|y+;9$ZUV=_Om*%wVK<;{m)3}*IA^r||
zDiGS;Ut0y}la+Z_l23&;JWDCto!ecS6?FYrUU^hbp`2CBa_rUA5Q0nOHCWtG;*Hae
zTX5t-fR?PuiXsBpi{WnZ>|g>7K55`L)2wfSpYL<QENAR}I1#*f`^@)D)-Ei{95Bf_
z(`!kIsHpNlU2J_vO{JrO!NQADg<wV9tZ|vbGWn$|oIOrewMNC)uxYwwz)xzF=W!t#
zIpV99PGWnUjQ0qhGEO|~YvX0TH}v4yJ~uap)Iy;&t3t5Ag<ygr_wiWJsnK$$z$YH#
zG(8R;=-DnWXD!Og5m=v{x4mHSfGp;HIGg4Vj;g_%bSt0lD=Z9GfeZ}1r#b<3i^-j7
z3vbGwSdEkT;ajN%!PV#Lu@QBtQzc8O^eVjw!Lls5O#}lyv4P&<t<8uiyW-^?fWkg#
z<Y0Ujh?Z~AS)6I&Ni!G~dEm>}9)qcGSjB<8{L8FIUuMBH3p&1MosZIq=+^SpF<r-b
z7&A%qoyrs7Q4qX!E=;={f-bgU4eceQRM)Dgjr1&R4J#eZ_x_x;80IoOl(Kj<N<m)%
z3C+s#s4O=?MlGK2tU0DIAP!CeK2?mDOixbNMxD#qil#Xsg<gn9aRaG3+Vrz=ft8|{
z3?+~{F<7~}$~Q@nZ^$m*%XQU@_5&CenXqcZk(0CzGw=3Wlu!(8Ds-pmt)6EY>HQSs
zNvyjDQvq*PXZyRg2jyJ(it7Q<LSZ5zZ1K<=S{jfsYkIIx6SKSArQtI3A(dU2^!cQW
z7UIw3*K*h<PjyifvrTFr#MUF9bnm#G!Nk|jOXs3nFjd4+ukm;0+d#{B`Sz4}hRvz)
zoa-&^7%azAl+nrva(7J$Maw6-w<E<mX75Ids4E{3fpkw8la@h<8&$Op#-mddt9jQk
zoP<tS)yK72h6$vZgjD0*?YO(7vV8JhfHCabDBNGH)A}V}I`KeWW|nn(^b->uKL-z8
zS65Q#o?sVq0}jaa+@+i6Os$k8iePC8dTt)PYcPafimJP%R(ggwOxP@U)ZGDZ2G!pn
zZOK*zD{n)+4(d|c)UJCbfu*=wi*mgMjrOpZ#^;HfDWU!j^iJtcY{ZX}h^^=Nb(!dC
zl3Xu<^B7mAz4TtBWej-@uPNg$nAKC`_lJ_xa!ESW7xqZoW<+TN&iTa}L1Q))lfAT=
zE<<sg!qF6~<OTAoP*$22?(Nvxr)|K^ymATyToI3jCyzlaWa&#ShA*{d$+eORbiDw?
zkk8=?doH(T1Bc?A72a~btp--ti%8avb%zRVF?JGhT6d%*T}c<aYZZ&rXH55(TL;&o
zO2b25kDe??-x>G>RA&j8ax*wC-Gc+R5PLg(os*a@%x~~%EJSBc7>Ge~?;GDN*6!Z7
z>~nIYt=`5ifk>`1h4nNBA6Rg>$}7Tsm3EZ@U;<DZWE}9Gf>YzzrIdM<F*Zw}S%a)n
z@a%%{)e7l^zv9rfhxMMttdMX#d+&iv;^IOmQV&|}W#Q_o<#nHeneM|-!Cp+fR?QBU
z+SX>th?E*LeOVa<5BY#sZ5QLQ^9r+KtFKxH(c}ezTpq%)$`i(;l+Iioa^~m`jK|ok
zFJ2_@dl^&nz<^*KN+rvRvR-5~#h}{sHHZ?sLJ1V~yMEzXKv3)_*9XuqwZ`viTk~<w
z*oGB?7B^02tn3Arg|*1+({kU)#;6Av7PWOxuUwDMC{+}ak)#?=#Z2Qo`U>wQMNtB|
zfsrw+P%1RGhi@|V#PxN(a7#d$ouRPv=QR4F#}K{Kg+vA~JnQgef|Vmt5uC<Gg1M-8
zZ#hgxHlO433e1vHObd7%Bdl*|hRiYaDI-dwSI7nG?$#J4;VgPbZV`#<yxaqbbj}jC
zAfi3LXEPLSMKo}zWKFWmY6^C)vo%g?$?<xnpJM7Ml1{agzS2t>>8Lo*j+;rQ%i;H`
zBTbXg8}V^tmmIu%XU}bk1w2v;y+h|75@JdCBji%Pdy5lLO^=gK_G}|w`|-+U)PB0<
zpD)C%ZgdbMp{{!u4F-p4kMKRwk>P5LY)VGl_MY9f6vL$@*gVA>==T!twkT|-%rfjC
z8RfA}saEHoa%J|jySUU-29Dw}VzG9s-FMgYfH`a7aFFl?F<>d|yKV3o&V7#|6a%HI
zEv7Txv*rZajmU~e^;n+?YJk{!wLQE{4kqdo3PmC|6o*{?-Dv}k*G1de)8sA{%9MRV
zSaZG9i})U`JbJpzr}&B-pvhMPY^Wb0pMs$xa_BioFvgp1h`ipnS!fz5moyhyi<$)(
zCXrw$JcRw8$}~aESjToc0Sg3e3WJoWD^{h(yGP`PHKV+=jNxJ?JC^SdLfUw1I#DXN
z;;3Bdai~qXdV*6TYw`<Y4Zy9G$(n`3_a>q}l1I-p23xPt#Orn8dblQ#oMcn_=wU`~
zsm{D+97ZBE&}1j>%huE>jeUb+#7w~zLsAlCTzGR46z=y9y#jB{O>Mj936*uvdvc-k
z>IJ?4YIkWiXgV7zfD9rHgK&LoHt&izu^qa^JNhO<7h11e?p4VHuaNcPCnDX$B_2*O
z$xKyU2Pth8MZ9m;SvS`Cy~E^uq*-lw{!*&?Hi~PUoso+~p~dTM<m(*vbA?LQ6hs`z
zQi=+E8X3xUL?unF)6y@6e!k6h^Q)p&#=K_LGP!<2QOy-m&MzIp?9C89V4+pqMy2cS
zf()*g1<t-T5*^nh>-;!+2!&Vnk@iuAf#F)S9h?{sqEYNlPQ8H{xYkHJBVrHS%UaW5
za_~`>AhZKbn=iRUzvN=nlAey+5UhEMHI{Xa1SueF;#=u{GwL_a`(j=}WRq~%JS~1*
zYvq!fueT<BidTfA->zVlUYBO${$<yT2V-)c+x#@hPbpj2Z?p)dY4w_D16>0SdNd-T
z3$qEm_7T$~3K7<>*G#zaf{2{V1JbWW-{~}qlnrzqaa&<6Gl|YB%hnA!9_i}<&@)es
z^?2bB@;r@KS=Xd_==Ff^sh6Uyw#?IZdF;>L^>rUc=Bv?I^iDN^z@ZW-Xv&wFOL(<+
z9-QbQNXNT}M&fzEK41?mjs@naQphQUsO_e|E=^i0M}yN?doji4#*0TB*&!j!B!+_k
zz4NG1aED*SNp6R^2{LWtdKr7hrS#ib5%zMERY)S9@CS^s^xk!(dmmgp6V)y9kibA~
z9F(Y0ujg>)T=P~FV7SdigYWt68^5|)0euyC`NHx#!5&r^1(U{}qgctq0$-GFp=@7S
zQ(v8V0a6u<#Y*g$m*K&TeP9l~S{S5b7!1SPPC}Uc*dnN&<wY1An~E1mmT)Q>nVjH_
z(aR@mbaA0l$?t(^h`kg~0K&z|f;^&4c#Cz5>%K)p6}IAH7Vp+d-!r@?8f}(l`yK}I
z^krN*7#(lkOY<vbrIc1b(t*cy4fU!$Cpm&zwYa_LfIX5~i}byRti?>wM<uz%7?109
zgOp{jQl4>ym4&sFvm7^%-HsT##gNF>V|FUn=Wl~}Sc*ILgx2(qo+eBtcAU;*syn9#
za^3Fdh3~42IOEnHb-kB5@+QROT|I&3FT0e#?2?wtQ@uwE=MS+Ttxq~RC+{eDU`pBw
zTv3SD>&mpaR_%PItgr~cC=7T_<$~VI0(9uMiCotq@Jzx${?ZHE+m&D8r4|gK4dDut
z3m}<?%<!_v+~CvZB|>vczt?%DY+kd1);9fiDy%)ni79C3)UcY}7?>+G5u!?*(8X7n
zAz(eI-fni;i@YaWAk!;Y`0xdHgb}eFHjK@CGUydgL?Eg*xOuh;8Vg;K``)D^Mj2e6
zl*B$$d&LHwh5UfVL8>1;p?VBghG*-<dvj!u_TCsrcuJ0eha*Zy*WDWdwLOq=iMx38
zfK#&NG_P6PEe>k$X>5;`fJ$~@w2GWv(`@pL<vdTyb;eZN#w~V@ZE`6|LF;(%1jf25
zTCt}R-9=u-@E$VEVEWEOa-y}^R9B^{!tAH~GDT-40#6Rf51!T|px67jEG^Hv`Hhy^
zY)-Os)ZO+|)QD_DlZS{QPV}5WuxbfJMT7u(H2LxC2|hc{G?2xS=bpDTp;haEa0%=5
zKq|NlazeO9POoP3ARt>1%A`ARiUqcW2>m_7(TahXcb#Z>gMh}__paF{P!wYt26SB1
zn%CWAfKX?nEgRPcO?*Z|?2$cp^|0sE>uV-Lp*Vs&P;Pgf&udEUaniemj%0XQ#kXT`
zdIXp}))qNH6QPhW#VWX|p9#~Zzt<v-_#nsNOkPJm^|Q9Y5@dm@S_?jMV#9~>&fl%(
zK?uuE;K9DQv_}L2B+0QT&+lw9cchGV+ufC>f$$|D(Tmv{;_CwY(#z;eFGID(1**lg
zPK_~lRXwMd%e(i24DU5*N}u&ENOk%{MNpllCA4}E=A01WS;U-<u_Nrx)0fkn6>(32
zHUIQ$^7$MSW=_3H4LT0DMMK25DD%{13IT1aZosP4r|4<GyVvu!)uOaI02qumV7mrx
z;pm!A<lzus>XB6I=5Yy25^@MyFGd*d%PUu%Oaq#(;BaErwLCLMN9C3c+9~7---PK$
z`4;Lnc?~z(PdrUf%n87Z5*Jtj`~jf|-A*!TZfiW&g`0<$i(VdFYSYihR=8BD7X;H;
zUgH$Oi9krB*@^p8l3}Rk;s}*yZ%#z_5N?6FT&9;u4`p^2ZtDqqW|$B^>QNWVJf=Da
zHbV0OLmo53Cmw!=<Ih3-;vTMM2aRJivzavQEIB-1QJH@4Fi~vWP;%9>A|6_>#%PDH
zi*efc9i<%7lXvLCyfjKLlPS*yCHVOfTV}8YQA*~8*N9TCutb<Ym)CVEU20o+{j{%E
z^03i6VqC2YC{!n4(|45JA0`pGiiMFfCECp68-9)0W5Zyb?Yacxj=CDAuM{Y_F*vMI
zPzjPMUcGwjrZ1Y_YqW}Tl?{T^&C)g^^hBo_Ry0e?LEmR4*N~F19ik;0G+yjUl=_qb
zv~I}x)!XDQedP_=2w~vz215gVZUo=(Vxov|%^PloN|FcWjP`(2zy+&Im$Age6TJ34
zAEg2ybirf_rH8K(D>FluAD=#o8yRhvQA<@xHR%+x7Lhh<<0s}?Q$C?gAP^5*tji*I
zCG2H>`Q`BC7v1DToT?;yge{Lk5H44P{ooNonGU}-W*=0K1buE+I>^nZ1DhGzC;)=b
z@NCAD5#wx9n*DXZRioE{S2lkMrV5p8co~e`;gW2H!RWvgl9TIRjg`nUd&OWms)zAv
z8F!Z#&T!D=bZ}Ifi^$R=7KWU%4S5Cj0Z`_-h895D(^Tl_zTiPw)+u!&uSDa?MKQtW
z^DeebyHKwnQXusVhzWE!fyiuVpyVBT^!T!@%W=cyT+)*ceHp3G_>KGT&)OAH$99j{
zy?6nl*v{%C60jzyp>)k~-JDA;A$KRVC{_~-5z5sInGvL18nGL&#Uni)(+rC)3MUMu
zKEJ&!cp%<g5Aa3=DVPN3QN4p#qm(V%CrKQ^(8Pdef*IEbPxCqNke+A^k<pVbHnn#K
z@S6APshR@wK=g=f3Xd^oaS&C#XT$uox!Saklg$VF&dw%mmnJumT53BGZqF+3pgQ)^
zoMf+0)&pnAhn*O-B%X|nWFn8BVweqG6K!E*l~NLx$4iw$ZI+yw2ak@rbD!6i&OTZ!
zxi%o=rCKbjp6$Fb=5yNV?T8B+)=X7k-n%2+d({h$iE&u=f?9ouktb-Fbj*vZb~y9V
zfYhe2rB8RNd+%vMwFzIYHNHTpFgCACqpe|xtCU>!ZjX8v=m*@Oo{8@7C__L^Oc4pf
zBjd~oE#hQLxxpwRXI&Pjv5MWR(<-#m4tO{^i;B_V9a>dz*8!I@E;5X(>+bZ1@D8RS
z)vS5+!vi`aJXTv&>$g$xMBP3G^Dn_d2H7|zvt)>gvQw8G(aqmWC8Qb}xIh+6wHb4r
z>%h4k!FqCRi?ikFSzOVjRt9L%O?o0P*Ge=(qZb9s|1>NH$WHii>*+R1k=DIYyocjB
ztPOWeI!q7?H}4|f0uJO!<!y#v?7LE3e*u}a0}u_PQ|VN1pZ1Od+*&l8z%R>Z^56(Y
z(3~1yT4doswTd9p7z^+V#F7jlUfp&_qMpe!pniPm&aiGSX~0@)!K?Iy)JcmCd*YP(
zA`fU^c!OEnxq{mRG0!1N=AL{p=ZApZM+ibKbd3~hGuLK~^2R|usi4f?Grbipoa~8&
zdh4bv_^7twUQ<U3;cPa!nm|)C6(>beAoCR#oODN6j@SU#W~e-V&d=N@D@6g)vW4M|
zazNM?0})6sS0U~B(;F`9y))qRq{>bieU1Wb@eW&yZBXWt<%}cA+pbYtLlSCFgP-NR
z^Y(d@@?29VOh_oUdYt=$Mj4Yk(L~U!&K9*3nU@TfF>sT#u8>*Cg>W9tr9X_@XFWi=
zat3yev+MlGdZ3IOq)$WmZLqWVD(W?&pFILCd~`r!K~g^PrW7u9;qj2A$|e+Tp@V2Q
zYe22}L`@gZmg22|M~mlp5BL;iM^aOPBkmbKh$-}k6FUfx5=m_y3N7c<5io7CgT{bh
zTuZ@Ac_v#=q`DuOsTS80341ofn>{rrMSe*5LvnW`y%ARRh`JrN8FGz!3yPeu$_S-9
zR#{4AO%+VD%m>&ECkaac!|l9s)TMQI89GiuK_>NK&zE7LUxu||jRoT|&H-~$kfq;=
z6c?-YdjlQ^;hstIhJtgZrXI<IhG7CPgo%)FdIt>$_E?<(bk5=oBHZA#P97nq|E<^y
z!4l%|drkX*5mU#bMIJ-i1J!z3m@6{TA;@%zyZCm!j6%V9oR)b^XqUo36m*=PL;N(B
zq=$4KM9VF32V)dgu6*6E#_=JJ#*m7khS_Vz^s|FiS};9n0Fg;xnpv=MLZiCdt15VS
zWhlbh$rkWDWV+bFDw>}R>IF1omig0^$HEI9NfLs>a!@bQIqp&9hN$OLh68^T1x(~%
zStzV{+G>l5E9Ly+ctG*B6sPwhWaE^?B=t?>`K5U)tb5vO!x6jZZ7ph5r#kGaRLNt)
zrD&(;We0=Ltra#~V7vI`@g0~50Y=pBLuKsb_wLCkRp>37^#djq0AdC}UrufnRSWdk
zPJMFA5MadSe4<m&Mc*Ds`qm_qVNNe{xiVKCMEMirnNo)rVcBf2PM#fHyriodSZI@e
zZb!INv|9_{-s|qVdKn=!MG)1ftHfzE`JS80bK%JJ3z5!Bv|zj1(tN;MQCJ+D80N^k
zOpa;%9-pB(ut+|kT@=?k3V({tfDHXg^EsoMJ{sE_yLa=*7Tq*v*pZnTpj4w4Y-euB
z{DqPUdT1HEdW)eujfjjmg(eRxbU?&Fbw-CS-)1c=+Y^5_IBB(M!f&)Ba7BtHWLVFM
z`m!R}49-t5#jCFoiqoc}J(VS%o#dTrN~jx)bv|jPY3dl0UC6wN+Ix=&Y5KitaL0@f
z#RT|Eu@h_kSreP4=s}At9WjSRtPJjN(qdvqNXaFpC%s=kT9AS_;e43INe_rAOUrzo
z`m|&wuFm7|k@pPOxu9{l@-N4VuxLm9QeGYJT=}k$Qz*AzKZ7)&B#L>>b#8MhWKoz)
zSM8Djpmxq+C$1$_a+rBxh6*Ixv=l_3i!KH^0$qX&MrjFZj$5%<SoB&<TRmpCd6Gf!
zJ;h>tC-@S!2|4g!b+0T)-36m@wZIhWEzUmnfTpUFe#t!9QBbf)g~i>x4<_y6ozSSL
zA#EYe^*v|@vUe-#$5a84NgazD?Sv7Gp5@|;<sO!!j~W^tbeyP}KJ#>))0fgs&N+F#
zComW0Y_maj6uSE2y=yeydH~TP4t@Kg%<7&*y2|W?`@AZBNTRd4Wlvk5X}oE%aHimJ
zg-9j9){V{{GpE@#t5?HDUim0t(mjz0sfK_lsC4%R+P2Y=%K&Kny1>I^IHQ#i;DQ;r
zZys$O2ZL2|tA_Qcj5R|D_L>>f<L0z@q|&(o&wyZ`%=3;0)Iu3T7J&>tEn=DGlZwK2
z3Lo{CEs<S^W=E=rj;`dzXgsP&(I8g%o}Qtf+DNbEQ?h+HzRI1&l_~2{RuqQC?KJfI
z=>sXid2s%qa*H}UU*%4sUmz_{b>T@*U&e{jzFI0kC*3{igK?NdR8v_PR(nFE+@8@$
zOlLgd^W@CfsFUZM9<S+{0+fQ#nxM8IYe@YFvv?UDd4jY!v@^y5<Fx`{2=zcNPWWzl
z+)BVqlcI^JAPxiH8lJw~sYhRqA$>WvL7M9YdAjn@bn32~Qp>%y##Am|%o{Y%sM*+i
znfS03_hI8Q^;{koPtS@)K3f#nt345s;>Iopelh+ejd<yD?Jvn7Ev4%^b~r`K+xs?R
zV+@D4A7^6ot*1u5m>FtV40`#7$9Bt2!ywSeRSz!SgbMHjGk`HU4x%mS#)$0fd$?Xx
zm#F%fdW?e8=qb36+oNiiv23vi*3Skk8{R|!L=y<jnmnxljsg=%L01>4W4sm@h21LS
zcPd7WKu0()gU$n-9}C9#S=ba?U&X81NKwm5$GC(ir@WMg&S5u>66$B*8lal%Q}K`w
zKw0&w<*7n-O1Da>xb~Q=IFn6Vy|clzgA@lg6MEb}5MV6<np?chbAStu8scH~h%<~`
zn&>om*>`6e5C+3nrnyy;_>@L(Z5LLdX!$Hs>mJ92B0YFrWYlmtkRkMt4h8pW7Io0(
z6&+QDQ5-W*L19I_)E?Rld&3VXaLBZaEyfS5;ueVRIUB#N*C_E0lp=V@<>j`L+N!q^
zUr6kPPs}s~#>tx+;U%vs@?1ICtm>!fxFiXL#*O^k)*ChC!e&+5xRRjTw{c76P2M0|
zdT?eA7r~q*=vI`PIxD{C>Ibx0hCr)hn_iV_UNBXMr=z1eaLJF6(o<gRIC3TFbFV${
z^8lt5dzYOp;=WwcyyT$5bhPToeq7dfxcw#xPv3h+C29b2)U}Q?Gc2$Yc3EPU7*ELY
zOdR9&9=}lR=TJ%qeFM%{e1`!nz4e%=0av;&HaGg!14u+W9LM>RjNnT$)b)Df7w#KX
zz_ZbzM@r_19rk)Tg+hzXsPpaKmP4vg%@Ll!oW(twqIYrj=EW--v55o<J4-rRi@wPh
zmoMHNW&`|b*#TghXZUjhb5a|bb;ol<E0KKIXpU^J5<J?drwFh&UIjmO+vobKiECv@
zB)Nf>-xh~g?DBX*7n^w+69~={HeZ{u2uaqV`#mo!)+w2>tOo&lmJb&S9?YZzw3+G_
z`@(S{H5>PnC(IZw$M8&dD&m?Fs;Dv}C$~8oPi|f+@UBnEKnv#C&QLs1b**P1DsO2k
zYiI+}%RF2??VRvRs%5#)9<eC1GurVx1+w?7cyZWqREA#6plqq0v^II{x-6(%=bJ1<
z(q$o<+ej=Xe+X@J!moB@m|v`$aAZNPW+xgt81j%ly~?4p%9|<-MN>X@LEpsfseF%o
z)>GBl9;~sU@nb175L)lvFqN#FIIEY<>rE(fDS60O+W=GqHMGlUr=7Cp6#{PkcvGl-
za5{wLof<P4RSh0;V%}{nn{3e#bd$DtyfciD(ziykRzR0P^^hf)C&u&9dHCGo*^Q;W
z9UQfpeT>Z)QVLJP&X_d(i76%CV_$?ixkD+-M*?P<IvJ5(LGF@|Iq%8D?c<aZ;h1OJ
z*z$C&3`1!#g_jg?;b0FV=^Rlo*=(NN(`USP%nMK?O=rzF4$J{nrCx0!hp|O+z<198
z!RQ&vTY)M(ceOz4Duef^7@4t@AG3Hndl*!$D<s%-m#$tkm_~RB=eUmm=;L5dd->Qr
zudplQs$Rsr__WMFUzg3qyG7RMiP(VmqD5r9%+o>2eJXL9l4(bl8n*4(oq7?Aj>DGA
zA{z4LJKwCU0G-!pq1?qMYg!bIrZNR@0&AaL|E1Y5QwixV%tBh2WdmQd6YagH(L=qH
z-5^<8ZHVLt4N2!CO`_U8*S%}@@@A;vJacI!N;E=_Fft0X^!ZHSKvT94Vottp4onFb
z5;4>^DK@^k<v9W_6EtOYL3A)SzjJ$sMkE77X^xB)zrgWM+r_I{jA<JOZp7vYrWEc~
z&_|^4oTU-BU<p<s+Y*J`oV}lI_U?r1g|lh4QqtR}>cCqg8sMU%u}+;8rfCrmZv?~-
zM5zFDoe11!e8}uQPhAmd;gqLC;SWc}t=K}*BK26>V>;Gl=7Czy0l$6S0UP=PM*&%;
z9@d(f&nW|qIry<IQ+w5hn*{Eh#OoChl;OEiw!F1e5sUTUZ4JSugV$Yr#m7fT_r`5Q
z-f*2lyybZTq+o$Tyw&`?L^a-aA=Z``Lb>#a&WjAGOAF$PGhcLk&sGHTZW;PEq75Q~
zx8fWtd68RHpS{Osk6`zuQiz1f%Dp4mdO<W(Y6tm{CQ!@osF68dIJTu;E-dm9(P40@
zG1_Yo+$js09Rx<OSC^+$rt_5EfXZ1|I#qH&Z|@>LZE%b?tan-kT8!MDu9&RA$zAQ%
ztwNi*Z<Kv`sCPE;J?3npuHnh%>=;$0c^X{L>yS|65tI-I5VlJin=OgkTqxSuFfT-%
z-Q<qpz7a>Cgm|k17{o8pChk!RuwH8=#!f-5KK|6~>6d0%``D<2*T^2%RN4fJ+f!C1
z!R8~Z_pYjg#x6VZN%Ou(bO$)}9J(@j&#%CSFbT=aDo#o#?(yQg7j1V<YqV_cE)kXT
zmuI?7uKv;(o}X(Zy&_bNBP(M~%%&Q~eO0-GebZ+#HkiQ?M>%YOr|b_7xyf!D`jllw
zUcE6L7o>8Fp~2W^6R%+7iJ`(>0~|q5=rv{vL4g~b%d1C>rEbD8O@oIR7~Xfe&l#wf
zyUjA}^>G|V3hfy^+7~7Iywzct-(yo!u@~06F|Bg>tS>I{0w{|D&U?AHowAZe(t=A&
zYZ-WlxJIBNIp_^=zr*Nqqy-qAm`;EU&~3QK3Wq$ed$n&9+kBk?8m{pvCZ~cU)CuP0
z>m)4nwmG@Esu{mVH5|g;V&IFJX8_I^J-1hfBX*W$s#3W(0?^M>vVeEkmg|vdK>^Bu
zAgUMzF#5>ccJFW|+a+>F!iK5dLwfB{DmM+*wL|R%Chw>ScFAxMhx~Ryy=GqXF-O>A
zeT{a6r;xG|wS4vRalnpSCK^O4DZf>@b2<u#I%0*(>IB1BF;V11LL3rpiF3`W&gWE5
zFASPJRH50qH_HVQA0S>PSjQW>ruAjEjIe^bCRft{H1tUIv00FwISt*4cjXpzBt>D7
zJCmE1@kBgo*-6&lM%4rAm%8rbuPO($QY*<g)u?yqk!f<o<N%7uxU>?KUMsf}Ikm80
z$nGk(Cz5S?1m{Q^Xwo!VuCyMi6q~8YfEuZd`!hZ@u0=ZWd@||gkF|#V38KlSQ9_q2
z!<T2wU!Fa^I7pSFP7WV?QNcXAcW+X*D#g|&no+`&3YMS4y*@6s*rvxmfO5A=qGV4H
zQ8=&f6&Ke*j5Ztd&A=&*30Mp>7-+$tqTRt1%hGyCJd=5WGF2?skEXS6ZK#UKl<m~b
z6r)PrdA#aE)sMl<*<Q@!FcH&=$ihcrs7>XMkft_P_PvtSZS@-yKtbZeNqcyLapAAq
z{2iK-E0M1RsOPp4V-Y(zgZ3z#+DKxSfxj^q4(G%(cu+P5Ff#1B*IEm?$=VJ?B<iZY
zJ?UZ7M8k<*<VecQ6QUIl1I7{*daG%@R%HVE%%5ezTu1hCEn~d&psDnF3F>P#1cTIU
z8M44mNj*$L`FQd0Rab9CLn5tVB-xTl+$<KIu1P{Z?{e5;ZlHGsTm4?OQ-I)`kmiSD
z!~!9>jp>>mBQgA>=M5JxXozS6B=b99A>v_8pGxns^{Vzr!g-xQ+`JuHZK$!DcU2&>
zC!TO5Pa^CdOS>wt;96IYzgD81f${WvF#gP{9@frY32TQ3J#2Z*R_18g@0@5Pw4{x7
z#9xed`{}SWJ2^hFb$dwt-YIR1`V{A$9R|;;h2y9dm8t}(i|Fq2xscoD>c^0;D&)nM
zBEPzsMyjFr>h9zgjNjy&_BgQ_lt?xi9e1b7S=Hr^HyQ#vK-$I@>gPN=>g0TKKpAJk
zQSL{~H%*H5xJI>)?j$uxL?ywiJ>}fV%_JqCAX|&|J+kKL+hhyt#s`DznPg6)*R_nw
z1Xrg1RtHiFSvAFV!yB28d*q7D8dst)K1CDyp3vIO^mQ(FhSzvYIdxVFXZs`9bK6h^
zB+unp_3V&2*+<b&!O&_R$B~vB2{{LKS_d~ZF7Anz@l>faWk11iys3u++GfdrnI;WD
zENBV_J#_RATNb4VGf=U%lDN`v!lQOPz?^noY`NGzlDs61oPu|Uxo1PVE5xI{PB_%g
z)cgi6kF6AFMan|q3NrNh>ZFs=WJ&pyIZtNWgF1M@Bajm9R!jsA7-$+zSOcDq^0-M~
zL5yPJ8`vf-9UOg0dnv_N(ZhtiX<F2Qas*3EgTThJ8F}_d@Tj|E&9nXHwQR0Kr>dk|
z3)-d<^a`Ohq2xaA=67VG6YpWc`{|U?dwx|nPeC)~YH6hAAtR=X)oWjiq&qBteZR|X
zl7aCT;-x%24I#wn&-T5y;>(lD_ex6affuR-adFETh?-dt`yMku?OTV_h^tq+4E?ln
zn(9h`tIf>btBjIRiE~vPv3kO<h7<v>-`r^T@dJ2jrgLx<76otaY_({^4;2>#^7$F=
z@^f&Xkhf<vqJkxAys3Bdm?6)zgGbWAcbPOK@ZqvTyLg&4Yk&im)JyW#IuSXbl2({~
z(EI?Oz8ZZ*NgnsK9xTA3kdoaQyBs_!MPM9m+;XF*QeH!JnEJp^x<!W#%!H=jK6)ta
zB9X5g{0*J)GmCtih46yU=M2-$yVngD{7H$;x=J5v4h_}d%8G%UdTZq_!fSI`e)q)b
zByds$%vvk<(l6cvaH7`D>?ldYD>ZFcdqJMF4}nUNoLfyB8ScGAyDWA9dcj*yNoDZM
zG=(qIg3mgAF@@=I>&WZ2$5n403ba>x%elj5`H<WWK8u%OfLr?r1cF>|e3@wD;Y4)!
zB+uCz<T6`jdEZUYa~e-GQ%I7y=BqLKOEpJo<TB6QRVUcQK3}-kin-P`l*{n|EoZ?*
zuUbr4{6QehG}%4$H^<(%I69bdZ<YuSje-0@w!JgUp)jl21AJ{SI$>iQF`KV;Pl*q%
zs^#$ks~yCeNlle!S7&>@Y2CgIx+hy>6p7UV^z_7X9^DmdgGk3?q<ODTkwBt(q;^V|
z#lg~gX$2@6B)IExd;49W`4-?PWS6AT$W+$og=k>n1;_HF6?>+6W9>RZp$Vb41dz!q
zcanE|V(PdGH;FEo=-YTN<n?4~ML!yFY1@n1osjS++?&t+-uUi5qlbj*B>~w3{T?`K
za1i2nZ*JPNEw{Q@9S(}|S8hvg?QZ+1R4)&Op_E&m#H(Jgm$_VZhIrGKr)yns8_$Q%
zP5E8(WO3Rs3IobIF;OEcz%no60LYX>S8-F=d$J3wsQYMaqf)A1+^-6xc*G*+gq4<s
zd7k_0re+toS}A^t&lw9wP$1qAYZ>x}s_5b=kv+yW1;LSy7P1GUI$$yf89Tcp<Ll;$
zH~Vs^LrKAV(NrYYG@6}PO#?V7jwoNT5YLhaXX<-%aVmY6k0K95H)?s+*0#!Av!5_F
zKw3~Sp{;Dv3SLcEbbISEoJ47=%3-ap9^LWau#-S7vlv}V*+T;>SH$%mQww-DqEcxE
zs^-YgE~kp^)N@T}-GW?`1PIO-;Ko)dPd`=jFV*nXkRzV%Q0W2RJrBv=9jiT`9+oX6
zw7_Z%PB;f8(7NkaL5@xJzzfqTdI20UW*(?+JoD`77Rc~)S^|6S0Hr-sE4QJ+IXZv2
z)_IBUTjM?Vg0_6s%yjg`_>2@Kt4b!HM1+8`!WGUFi{~eVRp=Ta2=nC4E2cf8HQ@ba
z1SoOW_Nltzkr&BXxRG?e8)Q41q~drK*OCCsu8Fb1DrHWEXj;y!lA#CwLhRm%2-0cq
zah|LPB6zX-BW(o1T@;Ka1i>foa5E|AMLt@|xp@Gj!zG%;;SZw83SMH!ouqY=t)TNh
zqKYzq&D^};Os5)B<1wP_wGb6#5itG2VeK6K1w996SZsa>n`&8S<kGhUEfDWz&>G*K
zzr57a9?fTzdG~Z$oPePouL~i$>_)25lL6Gu>tOS87^^Vz&XY-A8+4VLtAIB<V^_{*
z2Vkp^7YfzD>9}TToI|3FHx=WU+iv=JG-#Q{!5Xp`f-hnU>@ESDCQZ-=sr^CN8z%7=
zMzjqrNpleI0Jq{Kb!fq)bJN>0HL5*=^$n~@J4$GP9TuEp<>uPsBEH-=5#c<tFSgi;
znsatj8Hjw0o|}rs^S+g-kk_~q@ovIEI-{cvR_6drUeJY#I#r{-8ka!q2toAF%IhZ+
z&%BTpK*@LSZ6a=fUl50Pz(Z~k4Nt9T9lvqU;xQ6H)myQRM$k(&R*c4x*Y#$_)Ip8u
zQl6KnyjmM*aB@mOiM8T;WUskv(VpBZuuK5p9%(z%7yf!ygmWTDukUa$o4vx!+DNs1
zzFaf?bZvK{E72kWVw<)_z|G#w17WjHL|YxvSk;nKZmm{!z+RGcChp}V9Wg0Sy+YWW
zcY_hMGqc;YwT1%I;ioUBA3fU>tH2kQ>1lt-h9Ef!fDWkd;gWkkk;zVDQbcWQ$a4jS
z#8jcY$E~B4EWj(Rj>qvbnX6nQ!uo)i;oXLyB2wF<CY@bjSIIe*;5tiTEs5|=1k&3g
zh<z}xGRdPHRj?=mb+?OswRrTrcOTlZ+M}XsR~hp=pl8!*xZD1WP)6;dtcjT(3B?sU
zAUT~`7x>I8j-Z6%6hSmWdo=>LZsGp46{?JVbsi#(Z5G)<w$QO(ndt?MM|;Rv;UW9c
z??#GkZj)c;F0>1n3Qy;AzP47b7erRNCQ$rP+(%T@HkSl;G<W>MZ6p;L4$?Z3hi#UM
z;3+&GeiQm&or52i<vVMa_afY|@+lw~Km-UXPuNc>#{oz()d=Fq?!BHoL{A^`TMN8|
zYaUMObfv(@05>8a_y)SSIoVAJx8>D)!&gHir-tv~@LuC;l7}=emFTzzaOdpX1J2_f
zytkfZZaV94@I5rx7wG!p1l+~*JsBqE_DT16BbYYYIg-SPQ~4@n_f^QfqHUd0Ay-dF
z@w*&*ff3Etk0z1>EeEt`3_0xix~LayX;}gZEegtWavdbf($rK>t;$Lc@dhzclC@)h
zR&!x6rIEpJr5#o-d<L#t0?M2oxC)f(LL(*g(QSc5l8Yh!67!<DMB6y-IYSP<N7Ay+
zZwEc(w0qd<=tg}Eys-!X6a1OkPw1e^4qS5hlFj)`wn{0rlI@r8E|(f(#?drs&!nLz
z;2FuVbaWX&WB@c2bXroVWk{|%X{1h_vuazZGbfIMXRG4b-T}z-ee|Z}sFk_Qi-vs`
z6Fl=T+v?dNj`}lDo)?daG9Psc(CRhJx@g$O%%K#EvQI=073>q0cLRpPIvy{(0ymwX
zuc_BDt2riBE=Oyht$5rz6t&(HCC?DEZoB|GP+a~IKSVq<-g3hYdf3*RMpY;8!bwSI
zkidJN$u6J7+ntMdMu6B^PL9BlrrUS{LO${`X+b>d0+=Dd3J$0R6B8$ro9p4tJ@XXy
z=27Y8ty;6<3)#q}$kz*Klspdo3`Rq(j%;R%0#rn`s2_pcCN8<*sgcf&UrB9XL_b_J
zMX3XYeD7Y)MPj=Sfi!XGTx#$<ehuPhM@SP3qN75>7IV<t=)cNgV8*3$T*FjRHJLH?
zNbzfxDKngja3fa|){?<~_*j(bt#WL*M)E7&&MSD}VFMfib`Pvg&0PTbY`O@qxow3O
zPd6k1?ILp?N8KVsj#qb2;_{^_KC~JugQp1rA*h@dX~`jUNrIG8P6`l=TnjD0N!I=H
zK*P`{x2Kkm-^5GI<;9F5PxjN0_g43M3rz^de3MZCEUeHM<8^q8amsr!<Q9|q7{<32
z%;*Wn3Z7wIh}HzG@gu1Tq|5TwhXPfzGb|GJ8k|!%wAM0Td8NP`A(S#hK>$meN83Ay
zCh!hVAd*f^pol43-%!ePd*fa6^1&epm>=YHy1{gSHuPE7B8D}-hE}<8Hmnxf0UL*a
z_SbjCU$zB(*#>(_nk{M%)uywvTp=FqDAK9iag@Vl<f^dBiZFF4fyo@U<O*LUPdQjE
zNr3^px0gh(W~6Xl2e&Q;L<5x)3>Vf*?YJG{F)$7V{!6z6U|OXodB^-f>8&s<ii+Ti
zy|{9&bBr*c?MU@u2U@#lk36Nv@)+gy5WILkJ;8R+)@Ap?lU?n)o@;RR>pO0QFl^>+
zR6Qc;;ex{^W#i{4eOC7@-rMQt{SsN83+*c+Xc-}Wqt;Got8|Sq#2xjh5z<qOrY=DO
z!#ZrXl@f$Sle9}jgf*EkGC*pE67Kc}M_-DP_({gq$P+S6)MqT~fjA;5%a+`a5fjOe
z6_KOf9YMtw6RBdV6`RXF?{0o)<#yuC<IAd2aDb54NCt(Brh#upv`p(}wsX*)vB<k>
z>4#}azTqbhPtmaI`Yd`8T(KMa9zQ2~5yH9%(DJB~RsbK8hUo&enLmuT&97~rT+`fX
z7P7yyl9dqYz_YWgE}_In3D2)Lo?Ej%S<Lr>>sCBQJ4A6nx(K02Moj7&Nbni2FpkkQ
zHNW+1!3&>C)|whiZrvL*SzPI?;P!<l3^&Jvo0fa)6dvNG=t=JRu&U$Mik>3@sL)8!
z=C!8BIVb|1$#dfEJ?`m#YmZ{u&pO@&UwEZ-2~PPb%1E$jJ*rv)M4Z{OY^})lKGi;}
z_k4+@W+#V}S`M0m(ZP4EhK5#R(g2}XRrItFZzV_sd?iVBq4mH*-s`YyxDt_AP>Yuv
zb#>cb$MX=`{AHgGtU+WVGC$G*A4XZr>vS-Z*(UafZ^LQ!LpKHZoZRXr-W$BJItk9U
z<0oV`jW#}#QocO+CUoeO*9^021XI#;(->>JYo^ewdJ}~BZ4JQdo6U8z?&Qf}1t~QR
z42<!D_s(pdb0?t0YplO~;}`pIJ8vAce8pZKbLK!9@*AhCHj)l~`rfFiN)n<5$L?T_
zyyyO+3y$&5V!0&kpkC5VPUoD^*t5uZk^@g{O~vm>o>xRhyiMK6n~tQy$td-Uj%PO0
z*qL?q9zz81TZph@)~U+PLQVlAg5IZlh=Ak^Su<}^FMNpcEgRE1jdAdMEi9XrAt<OJ
z^?Y#Ir8zo{EfLFKXEAwb-;*K}4(RH3(IT>jszTgFgnb6W72~VC%CcC!_<VEG5&env
zQ_7_@3I^NTyXQHSeaVAH@CL2oJ+=teebKyJ)vVT5N)MQt%M2PVBCrl6&J*WwUg9J4
zWX869N1^?=(4MB!VM72&*M(84R<VvvBXJeK-sv8&i?)c@u}>xOW#uWmL=O`)(Hk%Z
zkN_2NWZPBr^Hyhg_3XV&eQ(a}_>7+l?aFJ?OXVTKhG@^}h}?ano%lLiT9fN{9kFyP
zxQOGjpwMNy@1c?pa4?}>(K8RUfk+c^Qkn(G$1;`+q}6Tly!utci;WgYrSnV6EXieF
zuSmR3D3#gw<YbJlYdZj;5(60ec}YE6Jb1n1p$OWKgjHWkwx_VIY_L7way7RudX|){
zk}x*?_LvRvk<?%fPjOaZqfN!-Qrqk`^@3;OTB)n>#nUIUEs#~|iP<b26LQ#~8taa9
z58vpUYCD@|7}_+P_KQPtJbwA<n}7Kh0Ok>K^ZH47ULAvK*RN0>_*4$AO&ZCyXWTCZ
zFDv+>eD<s(Tbxp+dO{p6uWYc`PoDuVMpI?-++#cT;nY!hfUoHtZYbhN$X52V{!6&P
z$I+afw2Mi~nwmk&@5x%@WSp~8lLcOd+T(o>5a}(0#3{TgZl>Zp5$EnT35AjzIaRw%
z;YpY5l-n8!@Vm9dtpUl2<+=3s@d+xsU{!6zm}SF9x_D}DQ*9?@RNLXn0$Ub1iY*d(
zaX~zY!$=_Ty|r32_og#@Y^}`2FF4*i&3uc{Sdrm8NT~y@zT{vodx>~x55-}$4Lf{v
z^}2dabVg*{TqUPo$Xei=9NkFXj^~MEOE2&Wu}=Z)IvQxx;FwEor;tFWT^nF<P6M>v
z{BGhEJU)NWAm?J33hLvQl+C0;v#oUe(9dsm?rA`?!?NEpXt{J;Po9Wp1H&B(AeJ^}
zqrcoqD}WmIMJ)?62(JuADmExvI|fvONT7ogm!@bDF6r~EG+$d;LuLz#m2hCKT&jK)
z;;WK&mPwHmP1|0NR|spK0-lM~FzuW|!2rvP;W~ZW4H5hn8p#z7T2#ft(izr;L!0-_
z0oT)Bze=W=6p7IX)zsU@5<qbM=ulWn2nrmuvR!yJjFbE-q!@Seun%yq-g=a~;t@zA
zz+8jA9)I!PgVO}KdKLjV&}`eZyeSiEM0@ydS#;qcSPr6vl3b{}@)g5aDZ7O{=}vup
zGpeA1m;F3?*_EqbJtwd?#v_k)l_MPRs-`5Mad^UCZ5m%{l3rf&ij_*OyN*Z-E76y5
zs9(Y<Bgl5TK0#@MwZ6)PgmQ-fR#d)cJQ~<jqXM3p)#w-(+0G?Yd5s0P)-(0XkAgQ~
zdjPj;j88q(gpilq>f8H>w<S65rX&(;G$|+(_Ale)e7g-(hLp2r^03%Lx)8TxM&RCb
z7cPp@p)({jhNcTT)>3Hz;w<ND6L8Cy51xoL{4#^Ji?FJhbSSGS4_ENLQZPB^bgJxZ
z8#C;;)y9*Q*o{G0uL(9{$yMQDoskT9F$3K5y1j&Rgmb#V<!YqqSb};KVk~8ckK}>)
zYvx3E(358qTJN6FD&`!yIKn(KadIAtT!lM!7LT_Bws~X(<OHaFAxqv-!*P(~P;SX>
zh!#6BV$9BO9dV*jsZR{>rCmm54CKQ%%&oO{2O0tjYK~U7We+#+oS+@aR22DMW4@QQ
zATT{EdLylujmb|?mQFga3Ls6U=u!|_GJ=7n{0vhgeD#*Cht-5*g?*c^_%*#XlVFyr
zr^(D$(1BC$A{`HbeF^&>RljAjRD_syzJX0I0PP*~0k5(aHQ!~xEh>8lJ*3Zz+VJtt
z*-uj4qBo*v%e8|<We|?%_+Cjc5@v1ATkX(=rZJs(#gE>!ca3W#I$~!jxh!-ZH4s`*
zn#B24fL*dI6`4MNr}<pADB@BY46?1T44=A;vT$BSF1tYPR%!y%krW2dp!W%A?ChFB
zC)H!BH;=$;wr&KRsIU_{g!F+nC>9lOs}bjuajhpLz+-XDn^u?}r2T>baPtVzhn+zH
zRs?{JvOpx>z1#&7XtJ%Tw_6e-GdA{S(vc?I?^wQ!BmOdOScPlJz2aUOV$%QtN|>j2
zi?QK|IwS;T%Hy+V)P}v8WhD9hHD4c(&t{5U=j#R0dq|<U-52G0$l+KiwWC>5%;Aft
z?bO=2dX4NX_1g0<<?d7pVj&%rfEFRbw)vP6I2JNYg_RUUx6UdknHMzk4WenFLdw?Z
z6Pr;9tY_~c_#wh6L?uf7h%nbEw0@2y9HfR1fUS{SccMklpP43H1QMUG$BXvOF|$d2
z@4U^mwyaR=b@KAz>%Dlz^mLro4SHT{u-sVrL8p-Au2ia)$s1Umc3#eI8$oq#npoSH
z539f)-oPHaA9gOKcZz#4IjAqh>eJ8zDZ{#{@i<<a&Za5{ju);zx8@wz>IEU~t!s5N
zKVLV}8|%qK@y2`dUP3-H^XMeQ(~?~@#GG10Le=dvt%2&mx)2*Kg>hzv+U(A*UTQLv
z98BV8clpYuZ>cz;YnHqqmivK@<9pi~LXI#*jgM+t9s1hVxK4s&ZRF7;ai(Dr6^m&n
z`!-&Y@}O8kZ#zD-oJNwPD6+l-WmxE0k9lrV#<7f)0vQ+yF0QFmZtl(5o7qjy)MgQb
zBpcD1)Od;l-2(512~GlFS|ExYC56l5mEY6CTQU$zY1KzOwz>X7Yzps`Ou)<R5{!-#
zu=yCY^!8d#gu0$@f?m^9Y6g=Zhr_so2`)<{j#SiJeHLhkW<l_f+uSLyABERj!bR^!
z($#>J;M+^cGNPrzoxvt<*h2J+MqLi&(Pzzdt*%nB6wo|n*n*JQtMu^EO&e2pNlR5#
z?)9x+$T74lhVp$X_vlMGq=^^o?hhn8bXAV(V6o7fq62PY40%T4RPcn#y&eEnK&roh
zx482YVF%Ssy5>eeMDM_RB%(x|!Z53QGu26<dw2!#7*7iDwy%-3rbw_}O^%56&|l6$
zzcX@9eZ!h22DZJSBQt^wk+2GAD(j|j8j2?TUfts~$Fk|ehsz{K($c*`S1i^g#<EIl
z=@-@26^QRDks`)v8QwllUE}AfFwhnc%2WE@AsINk3$tb5;K|4#+P+<1YN5zlbT<}-
z*a-Fo8mGf^bCIfJU0=R=!9ZsmIRLlrY7!xOd1edh!7dFBM2{b;Ej@HNIV_y_%4<u`
z-nOGx5R>*QoB(S1D)UtKR7L=Frs9}{OUZz~d{r}2A@Pj;Wf)X8LxL)ANL%xfCRv~f
zk6G%iw5P-L8+(M6)4QTp76PfRg&c4Nos4+kH<_R&uhiJ=)Dk;0pC5!gxD`j|P7#{z
zh7~R@0DEh8$4~I)TFzQm59P&^#uakkF0p<y3PdyD!bKOZOF`FpIlzROTWo2S@;V%6
zZ=<i|b;xD{W!vEliY%L!8tV)lYEatJ=+0TJg#>Xz1x9U=dD5!n8D3&%JGPAM6+SPV
zdBzuB;a!r*6FNa02Nyj|E}CR=L16M86b9+cLQNggORw!JEv;u^Gai+^*+#xvq8gee
zlwiAs3E>FC0!8X{q!H7KXm!PM`#`hGJ;KzV&tTm{3uK^P;v)|^1Acrtn8VYq2lpU$
z11>MSZH*er(8yynWElW1r$IasW1_icBOA_(rE}QZyoS^jK_-$+9lD$xKp+B{K);-0
z_;St-6UI{RX}?LF>lMo$&vJHaGQOPmv>Kmnjoz_}m#{TXUzW<jvrO@OvWJ>?oV8|^
zil^eFXSM2BQaX~j>EN=I8$Hqo5$NXm5KA~xNAu{xU(&hv3p_UWsmiC%B{=L1E%<TV
zOULdQG}cbCN8sv^(97A~NI<x_mk)CpHcb*BHe{0I;-HV^cMN;6#PY~tTS;DB<M@ox
z1{P;cUl%d7?iH_7#N*my1r0Jz{bg#-HSI{H=z+&{LyTE@T_jLCZ(ns{JOa-hRs=lu
zMlf^5XcRto@OanI%%DnHzzAAolyQSzZuB;L%5yMaMtnn%tA}3(MO;0_Nz=0hi-h&3
zD5c%2tI_+`i2JE1wvht@KF(Qg=0YF5URUyX2=f3#GM-l9(rf4opUYuf1+W$E06CfR
zX?!KRsQp+NS^Hs!t17uYEjf8c>I-+v`lhz%-sB;?A-<44sf6SSZuL<teHhQf6!$RU
zi0Tcau3BE8X0jQP+3^a_OP>pj2jCzHo#*{D`4P(611pZq(6G|m+TG^kle1IhMuI!C
z_L)v1;@)I?Z;A#JoBX`tLDGX4H6X}2>fjD?C5U)}oCtf{d`z;~fd#v7>dv71^s%lU
zE5nqd^CbC=w>}gtaw6rx#vm$JB6vry-5_b)x8zPz<AD<-k7Fv$c=J8Sd(!BD^qvCZ
z^cjx$pxSv$)x4F1BXa>8a5=z&DcU4g;DF3pk~ha1OzxYmbdhC#t>9$DXzFvTXlo?w
zG^a!+@Q{rqD8+8xySo{Grov6sp-h|*sg!cadR@JEl=CT_e@V9i#dmu=ELLrXc*mJW
z^stj8Pm7j7&+A-b+{DWxt>^u?Et2O0I_a-+<WyfJV#?_$9zDI0^O4uG9*6$&^|qpv
zKwGQhn!Q1YJLABTZXyb8`O7+j^Xv3#CgauKkQVXllfAXm<afnZ`I2*s^QueU)JYu?
zt8fz2T;o0T<RlH^l_QhL>d^6u7HC74lC*x=OVyB*hx?*+_r{{nW9VMGQye;I#GC`E
z(veFjY^j=xf{I-B2$+zME3rMLm$_lEB7tb?c5Zo`;n;R`xD1I4c$6<2)?=`hc1*CM
z&>TgM(&z|f1(zdv#pRfZ+QiNSa~Oax6@5~LD_<|SrYUj|S2Sdm7q#|mly@Id;yy^i
ze9!1bP|m(!ViIxzc`_-t#|LaZ5x#9XZqw#GX=5UF6(grT9lJu6D1BvzOpz$(2d#GD
zqs!dYUWqy|H>qQE)tJojDEFGiQ_&qc#Kz0m7dl~H34~O;xs)~m$XiYVe*7Nl7+=Rv
zS~JPw*Ztld6(9Gyfa|bT4?b!rSPXs41=y$SHTf2FNzq3XxJrP5jTzsSuxeBpvjLAs
zOM%XAiVrWv>0ES>ruHUMSg1{_ia!;;nRm(@@LqB#Ml6@!vxTdNwF1WWOpz!A#RNiF
z4G;iy<YLnx1`Z|25){VC^B5goyv@8MGr$Ur$z$TWsdo~2Pz(df9sr;n?!h(3K(5%P
zD#FOQ`Y;7<91d1m9{`mC=U`T-b3<_Tlv9H++~`UWXA9oD)=4nVwi%nmbW44&QMYFe
zRT;wsog5y#pofoO;}Vr0)R%RlpVk@qtkRgcr~ov#Su(jI^*Hc7=ywS7^olTAIwA9c
zk!E4Q%Dp3t1$%GI)<~_<YRQIB1u~Kc_t7bblIioQoD2hM>wNG?V+R?Ki|+M#dGKbt
z2>+$s!SbQ=ytiI*o>`6d3V0RkiV5~{4$;2#?1!EMIzj6tb8}p9<S2F>YojbICuHp)
z6BqK7wE9WV>ma&@SQ`qqc}#VIE4=skO2W;6&j$KwN5*5jmk~g=7!+WSsYo8y;3TNd
z<L$;Pfp%$9oK!i^i>8i^XD0Vz^wGY#MncW1>h>8@hjVaDa@4A6R90c=y=8a2UfK~W
zcA`aO#gbL#mrJwKolHvNqh5eQAi)*FmWEuA&n)MKACp8p@w0o+MOOKc&V6DjAXZ;k
z_C3x%3w@L~D~9Oej$F>iMq54bwmQ`CUbu9`bXL&qFwBPKYbKfJQ_a5fxC!W);m##r
zxW~h?%F>%rq~R=`elh%3b&Ma_re{2f9D56)vhI=-7>Bgl%F-|$LDH*oa&HSCwLw75
z9n*s@)Y1-7%T$^P3XVL4)LYeVfuiU`kEs$uHp_@<mX2pGI_o0+;HB)g7)?SKocND1
z!$cV`2rv{(VC}}jcq?+Y&KL^Vs1Z{_Rd)}W$l!=Z$xmLQud+RDoNkCS4(k%ln#hwt
z+Xm|=b?XC+15nQb)Q-kwLF~~88MI<c&^frzPC}Py6*(yfrDAQ6L3)o}4Cx6@5rLV$
zI>uy`?e=oBYkBx0NQOliw;^D*NQqo|VxLeP9KC{oKw99ckP|JedG9$Y;)K22$9CQH
zsOt{kOFQK+?ewu9QLGity)uI~6Xq3EU2t@POKfd-)R;1E(`DKUf0tcknxhGWmsSGv
z_LW|bMQn$$K@g;6?XV5G-?_gf?j&qG2h@sJ6%`BSH5CSLsLZhxb^r1XJ>H#jK;@pX
zy@2d&lws<f3W%n=HxG(PAm7C-;#vg1ip-Q2W3#7Au_AHt5T&4jB1d!FEF2j8^*cgr
zAMIVyT$O`Tfo_(HIpL=)>K3P@?Awl47wY0qocb8_l^lRA7H~#&5pno?XwVqy`+%Vx
z{Agk;>G>MR!>+u%3D$rllflHsrZ~g$>F(_24dHhO5&(=gwydpu#VlNJrYxZvuv`*y
zyXJz7cCRMgaVTreaykwzNn2o6dG;`e5+W_O<D!*4L>O*FHy+cQvAMURI;g%R3gho7
zn#HqYopZ~kxVW0#z?ktNR=UP1gC(m7+9!w4lqIfF%JimR>qNiPiQswwOz%**^osnP
zCG$<YJeyS-$2NbYRp;rkFWOb^h15Q*=aoa+H{9c@<wnC~+iT&WzN#wjFOcv7Rtqgy
z=aNxrKYIn(ygf{3GOvfFs0;BST4WsIdAD<eKXqZ7?Cuc_7d9&fwQ`jLQg3{!^Q0xl
znzvSXp>6B=bA{c$+XtSshAy7H3cH--;dgf}U<ZJBY=v4KqoE<vzSMT5e7qa;yT6NY
z+okS;D|4tjb7&@c`@&6MwyOG_fm1qrjV$iN)sn?E!?Rq%KyS>+M{Dlm;Y8c>fFfHI
z7$2oN<_<sh(uYYM-G?#AT?i)z`^qlv0TwW>RsePbSWh8IPV~)Lx<~HkbZ7MC9T$?_
ztjyYbiR#c~0Z*Tjt-fr}cUWv-6Hc9*B(5S8b?E1jx57xqPL+TQ?ko~qYWP4CNIFtl
zN-thPz7V2mH{)lu(!@`@?g8{#mKs|;zP^5tn|b<|c%mlWtH5Ob`e4wLn)&KN9;k?6
z_4ON!*=_QJQBf}RBC^uSty~qK0hMFq<-0r+9Rw%1ecp;`YISr2O-!3_Be=U&P_IwD
z#st~lTTo1u7c^+nrCV;#c$P`+!Sb46TYwm7m5l9s$``EV35u*F7z4F>Mg>H`f=8{b
zE4_q9N{`<1wd2$sYD_2aW4CcXpeku1eti89_$j;;WO&MDO?_x_hmRP02Ldst_d)Ym
z*={~w2yWLBqD}V$Bn^JowC}vJ9Zg<yB9t@djJZ0C&2=CIv$%s6HKHU4)hH_JFZR`_
z0V|UUQ8{<@Y9$`}Sk^Z1T1oMX3R-=YZ)?^tbG@au9Xr4t7;SQ_OUaWLO{|p6%IwGU
zl<=uO-))2=vV;t?daS?^X_m1eh{PrG7?$H=s2~*_9OcauD{(pMV0ht$ROMi64<<#l
z-=OF?uQb$BE6Kh~Bgqz(Sg^<L!OmoeX~2m>fNgYqLo3|5Z1S+d+6Hf`6`6IPs4Ch|
zQ!A2`+nvUh+Zz(LWAK9w9F?{lSbchJ<CRzWM93tw2bStGH}0%VAeW$>d{ix7+K|bt
zJI$777yxyYRlrGB^59y<$Z};#OgHngTP=bMx9QNXZi$i~t_7AoTq*2(FUVj6>K#d@
zd6Dl;1!xwHh{A+vrr&UiLQ>2kHCsLfd{`xi=QoD=C7#2Vc;Kvf0NQultz0J5Ax3U1
z371(7(ouIFL+>Vl<`K6=z$^Ca^7G>Yyth14>`&qi$pOG~)$o&?wac6hMY(B#d1Nk|
zg2Um#%Tk$d+Q62G)xDL$OT7^PGH(P-Z$YP77#NRn%;r!XLcEK&{2>Ozh<7E8b~l#T
zo{j3j1Y3c6kS~yPQqbr<MX0sz=^;cLiJfEh<KBC3mTHA^ZWBaLT!HQUYF^FFjyOGQ
z?h{4=VE25p4{+q3wms?RHseAep%57gG0))iZTq5fAjWB^x?4Z*hzl;Fc)dcq^f*)U
zL<+WEUU^C4kiVMsd*X1CgCRIxJLQjeyRuz7jrd6k2?hjCu(D-WbzzCjO{6?*?NBXt
zyuHL1+Q)RYPigxY-W9Os9TqqYTQxZy56G*0(3AjAc@g)VZtt2QbPmt65TaP#Lq$x_
zb}pZTvI-8Nlx&9rle()z1(orYWIHo#xbU~YGK|1w>nlXMH8GYm&u!L)=16yA^6eV5
zEkU_ivRK%xKNWUW2GV>E_dpGV9_>6kMqor9aZo92V`kint^+6sdyk|TT(Fqoy-Qvd
zWJkq<S!firQh)G^gl)bC;4)Te_KPA@ZGPP=_IzXabYkErbh@S(r=A4yHkPpx2{M@p
zsRwxK+gc=s-sS@eBca#cHp|5<4+fpEhM)d!`<}=(u)VPwp0_#=Hd)@@Z1xLXn1**2
zdIkn@h#myzX*xVElT<QIp`7l-RiT+4wEV7fLfD{Z)`j02>8$5WtiQ}VE#A(VnI4VV
z(cOfB-66v7`Zz9_=n&(*(eBlm!%y@4^HuBZ=gv_`u)5F@8Y!-tCxPh{6?E_QL~=e1
z4Y5S_=D_ERODAoLkvg)owGom%j@w=pZ54f;YChn&8B3BT^I{5k(T7cfpx4POc#Vkh
zh^LH%wVqJI@?Yu&u(?i`q~B|<<>}BqRBx5Nd9x~48#Fheg<TQ%o;aQ;E>Om}7{j$u
zh>_mY3)L4CqD8HUMC>>=`HWO);Ha2ti;3LLs$BBrl~Aiky-5>&Rzl@ifliyE;jq+@
zH!x(%JkaA>W^nb6??}<_0N~D?6-1b0F}t1-9=wEAxqfDc9!|WVg>O^S!lrFKJr9(@
zB!h|5AXv03m6~4(9wW=>35%kHnis?!W>^)*aWbYqEm(yBMN6uRimbBXQZr+ZJM4bC
zdgtU-WJNloNG$nI{P~OHy~JjDqazzd^@448Nd`b?*|h4}2*|Y@WJ6Zid5M;bTlyVs
zDfT;m5{?AL8XH|L*YNU|&S)13(azDgyx!}P=Xp5}*kv+Ybb?|&N}gzdbD|X$Rfmud
zX2Ii??&}<0Qf_gI!j^tgFR@&r(w3tsI^Kn^#@5z(K%6`Y(djd_7F^0}4usbrl-Zas
z1}Gq&zigl^CxYd0aic(;(b>${cVcXk?-k6p#*yk_MZlb0oXci9T@vZkR4@fqV827+
z@=ARDvK9h-g-UJH@Zl=v)e%s<RP1^x!6>^PKb}*RoJdA-b`)uHgr$_mF_P~M=4^B>
zzly%O<bISssEC^4yU+NsKh?LvfPF{~ldJ+Hdxh}u#qzof3_gm(iaJ?LZ;&C_(6>&!
zxsWHW`eZN$A2H9DdZAzHm5(SJh44PS5?=D_G=AqiKK<AOyF|H_3;e7M_33PlawqQ8
zRNA%lTL$3h4X3K~wgrO+kM})%&Kj~YYg&T9M_0}AWV?2&->W7&ibFp=vUQ+Wa8-Ju
zum5!K>L&|<$m_)8a=_~{c~b?;lJ^c3j3Ys=Dd+qSPr#-hFd>h*v@BRy)9IPonC9Ch
z>RK2?J~{74Rp*l~AQ12z7ZsEn01q9EJO-x3wIR}F&&ck@tD!x-ke)^}TYOghW)+4>
zT24k?hTq6(AhGyOzT@oeX#(OdTRnaZ*Qf8jE{aNYz)XjR^Cb2pd?1xdqqOQVA`>86
z@SeK)>w0vik|Og!(TqDD^Sbnt^9p7rI5se-#~tet+T=JMuo5^@(tGe&-?*+jAqLvo
zl%3S@Jr$K27ulOBm*}u2(2;xo)EVxc>#KN+mWe@*1eB-SP*^hE)&LXJ;7!xrxs1DX
z<tu^7nUix=<ky7nf!eTKc=2{s(PN2+67GKfsOPYTUAerBV3`ObiJ<K^Pa8%P8##{-
zfq>9kCE4V;rlGl?)lH#MAvwm;n2!ztJf{enxEBJ@d??Gjxa>D#j|UO%219Kj{L~%?
z=>ssHdygOY)9ttgwe_`N3&y~EB26R8mt3WR1~e^lyxRT-o87XC91n=qkrTI8Ne|>e
z2O^(gUhx{M%5$UhS4;vSzy)GcRtK6l9r#WyHWx2>f~Dd$SAng;u^+P4sCpq`fuxzG
z=(D~hPO3(c4y$+%>g_9MKlMm}EWALyM|j&Hrf;ToRP?Q7=IeYA+1pj%&a*9!BI4tB
zM(YG0?iujs3wOk`Rprw8F|9)H?LI6_-s~v|IwYEF^#=iFxr6ss$WP2&VmFq1uQ-i-
zgY^*yS*b}6A7?wC^3<E`TNh}YK{w_$?(Lqq<!M3&7X&{B-YgwI7Aj$;WShSyKCNpg
zd{g6^-H$3>i?*R#cH>GoH>PEI7jM5vfG6V5&Y;u+o<epsvn~0?>$wu|%X-tk%T3RG
z)hT>CiNQ6lM1>sQNdU2&AA=*@*1UH|V!`{u#5clu*_3oQJ&TZ~hn5uF-mnmxM7l`P
zB($ePYd@7WU9V?ZT#-8APHr$wbc*>Huj3I4)k-_(Da)4Os^Ke~C~@LIm6!fhYUSaG
zN|B+&MN8Y|b^_nxDrsX!+S=W7CsitNE+?xDT~{fScWZB7JYBZEINU@*H$OGZ6Evb^
z69L9h*rv3m=ANhA9LT4<0o8d|d&su&B(>n7DyRtPr5!;USPq-v9gvPy!IZ5r-}dM;
zr|FuQG_f~k=d_x_tc4PCw&w`WotqoDLUgIX`3w{(wT_iX+-Q4dj+I=J!N&Z_67lnO
zTBS}nyg4f-Sd@!tP|PP7<@Y>*s0MVS9_Hh7;e#`|if(zH(~yf3j#KK5wt6oEM_Xa9
zGM`v-Tn(~k*)C1!W_m!F(;8=ZhzAVNt+y9MdB#!tq7#6Vw4jGJQ%mGUPP}op<K*i*
z03WRK(JESNlR!#vO?t{2FJ?8ys+msIuM14~qMrp)bv2O0-2!)_okiSPcH%s~+BDtT
zn?4_+n$*X$QR+e|lm2jLpn|d?CdTPWLLSw~r52!=5h02w?yWU)6Cn#e8>9G=59v!j
zG?AsDmBGdW6lKwp7bfqHQB`o5HGJIwX!;bVFR6Hqj+7^IBybLIcC8qTwgAXqOK#O;
z#7D2xXfu(e1xe5afsf$c69+D!M^ZYQDhlr&$MMK`nbXW;jqX3~TQb(3_u@SYe9KR7
zT8fZR>czk#-4J&=3UrRzdoQoGts;SrpEs=@qsgq?0ha}dma`DP3bcBhfQXKqCtjfK
zC3!K#<~isGNY7ry!Go-_sIj`|(A2aC28wGkR*CqWr5%=Em7zZ~dj!hm@LsGxR8X(J
zd6u=Bo4S*)#j7qP%`5^%>cNegDIgt$@5NC}1>z!Brdm8pp<R+@3V(XZl9ba|ZNSOE
zdCr7auT17P!{SsJr583z2d!wuNrD1VCNF&>1sC;vN%Xm?0WGi#4|_JDM3p&ZYGIjj
z`ja@@W_n!!8-Y@-ugFf<#2KhWEn=)6#4Ai9x+`xuaI%*=f+$1X#uOFL$@Dqc^@UZ+
zuG5*HKdHV{QI?#iCpr?c0~*9)T;e#|tWX66(W4=b_Gm8#XUz}F5h8WC$?zx}3@y^R
z?rH8LFC1{CQz_26yN2b`M7vpXf57y(o0u&tGl|}yPD$qa0_mV-<V<C>;Jwnvtg}}Y
z-42i5Y7x!t#>DdT>XSv@ndX3r>1{e`eKL;{OIvxcZ@{LFHiSEDic;5U%0x`i=rjw4
z1p~#;x&7(AvSNSG3ohEv{KbroU6y8K0bEQq5ahD7vOtqqS%WI}n4F;O{_^k22a1sD
zG#p(#7z~jQEfYpnZQm+hHBA87aY`LuVZtC2`a9>ly{(|l(e0xAw2$EPwTlk3n2Lyq
z`^#D-H5U*_c#jxon=J#c%NvwLz}Azbm3F|fahVPw*F*<yH>ipOxZ&x7m+6n3Oi<i0
zrgMzs-P<?xEH~4_g49!{u(cOFW80d<!u+-8HC|xaU;05gu?QNP0XW@p^5uBSY{Z<Q
z!h1sohGf3cNTQ>!ADekNxW`SIDx$n_+AX*X;3b}i?ZZAE$4F?tLN*|LPBcSv+I%A-
zE7E<Bg>D<<qU+W0LGjS83+}!p+Chhd23kcIeU%=|)ZCgji5Vmc6s63O(fX96_j&-{
z#Z$!xL46XZrrCiM-cG<zPrSN{PVru_tlE>;F5LZ`N5Q5MD?k$)Q;^?8W>Rq1!n<JY
zBZJov{*3H0J1@(n)kxMeI@2;WJkTOq6za6xg+$aiDHvvRiJ)qdgjSz63n_C{ddMu=
zL)wKJ5Q0nfDe^ibB8(No2FE${CVsYz#)G3J6#IgkAz<Y)#4<ufc@XmztB?@gQbYv2
zQwU+A;@qWSJL(yJfK|(sr-mm^<YPM4b<^tx#N<YME(3#$-kS>TCMwIG$ok-csCMk*
zId_T_zkF&2>x!eouLQC+`9)TP5<N{&shV-sq-PD`VfT7zQwj>lOH6@XT~gkpB|}{6
zA>riHY<d-paU|TPYe0N?7sFD!{DOM9Lw)Vp`o(S!JHS~7`99cF<r^MKLxB)pkceJs
zKCp@>m<-<g1XU-Q7!KD2J2|bJgY|?36Ke38i%kQ(Qe@&(b(&y0o(yGHqwTfC-KCJ-
zV=c+7e8&nA8*c$?EhkczY@WFR_JttVGbZ49ZpiXDPCoVXFa7$S`0JV*?rJp9SGYC-
z1$3~wv<q?(W46RA3NJ{WEZc&B8H!z~;}hmY1J*#k*ehjIN_u^k9JfLV$qm^0pl{vC
z%JC{9J?^X<aXJO<f!G40mET&%UZqY*i^%=uAER3J61xg1<>a*aDq@C$gPHiY4h-wQ
z&L+a*+i>)F20=A1TL|Oe##Bo29c|e@O*!`K+Sl8yCJYzkG=<J|A-#Q|?2WWSYn#xa
zcSaoP%sMbLrX<xOqOMGnbkyx(g*+4?)6a?G_0d#D>f5Y14TkLKbi0+lOAMWk2Y2tu
z+s6-|2j?3~NY{evGks`Jl3Mjum*GgTH5Y9dGlo-HVDb@Ext?9YdxWrjD?YtOq7UMx
zw#UZq-5w3j*#fcMh2t<<i*8vVmvyi_b8V{!hxYmzk;x-oe>}lct%G3547O?RIzi_M
zzk}b1v2#L<K?wG_G?Y1k@*7y&GthY4o6y}CTsU|phYM0N@LozUo&)!*wv6rrXz$ya
zQaW!Hc953r;j7&)H5P|wgoAce{@`VJRz<m@BUmxVvnRy>Xks2PW_0EdFLOJId4<CI
z>Y##|o<YYg>}_KN0j{gsDBf~KFTu__8Nb(oCxm-c6j~^Kr{arFq=z<#$ZB$88}5l*
zaR_|zUX{A!%b1!B%_z5{&08Q(YZZL}j;ulbrVn7^!20efo&wfU;$_FC_?Ylh;ODes
zeNSdB$DRnWJ#-6YRdBq@1i8snQ59yN#ap#3Q6PaNe76cGpc}hu1ed0iXG2MkgCwl(
z*#f9V7=+x7K6a?fJGBPqot9c{sJjb|I?yHAFaMr?`3FYVK#yTB0#Pc*=z<z>xglPK
zM4a|DOV@MQRo5=r0*rOgtf&!LeVm1msgxlI-JnK2Z)Zw8+UBU#uID|9Q!Gqo#_e>=
z_u5ZnlCLU9`lv|A$~XK~JxscsZ4-Kb3b@U@vUp1IWII`agL6i6&!(`k{mDCg!p$8|
zbz?=-M`{M>`Kw6aN)ED+kcSnhp`bnCR9Z$sHnjZS1i-ywps|zc42yckw6xSX=fjKo
zl>CY1*0T;q#q$i(@JG|+$;;udSdbwltt0v2yM0kbjc6>dX{EPc!|+HWY7{W-!)P-@
zYCyw%?A8)+8%6ZWP90C1i#4YMsj~7NE(Ua|PC`Ae_dK#XJKykTHz}}o8#dS5MIqR9
zPAvDZw0%*rH!ApG)=z^I(($-Af)kE!u_u^cjEZ2VmxiPq(Y7EE<s@;xtz&YAW-8jp
za-I!VBceFPFshSocSr02v3cq9q@M%6m+ki8wZHVI&Or=XEKJ-3ZOE@WrA}u`i!NDi
zj-^6tu<N};ZFGL&(vn_S0rV6Hq3FrIP+_s|I?7pM>v@J1ISzi?Hv*50h6BC&b?VMR
z)NGIF+&!aNUs{|e-6yiPj@dF}Xw7jPRD(rK@8OmzxgElyj8$vQZuC2ZM~zAa&I0~+
zRNg#4GB7qlIH%=zu(`T5*Lf5=Pa(ona((T|^_u4{y+>!Jdg(<T#oB|16txXBqy5HO
z-w1OPsauXMJJ7<@Hz4I@q0%_fvFig~P{QdWGL%9K3G(Kli|svuHhi6DV+C+2g0HJa
zue&olOaS+V@=QHI8d?Nwi7vnKBF_{x3R<!+0hzx9G~MkB(G*gSb2A}F*4g*wh@-~=
zme3!Z$_5-9NoR}-!_6`%JbJL5Y6^$=qU}h1wvs?WAMR#Q;oX5;yc-dttECW&?P0He
z>7z|soLZ#&e6;22sKJ3bcasg$kB;<D1BWC`Sl%;bOC(iFOMIXLgsDTITZ4}!rXG9a
z$y02JfXO@7P_tE>jO3glPAtx8wS=IWK8Fc!NEhD>EvQ9z#Ym^b6A&p@RE0hV$u(I%
z*XZ&Gi}KbPMh}%|vo=6QLr&W-oT|!(vg>+mHr_grXNUR1nD@H*ymNe6hl?fXpb#<X
zW4fr#HqbcQWw54ta_{IpRi=uXrVyXqe4~5);F?!B18zFCE@gd~5$1VsuMpMCM~65p
z5yQ$GeW=0lTo7Rl$2BSVHM~_Tj7i|_IhzOhDi(D}bfgP~rSKt@u2L?LkK#jH_2_<^
z{R9ghufMJhM200;3d)zq+++!)(<y3P!C{Hurk!wvV}Z^=)N6Q+m>mvAO;7y{2Jt21
zTdKG`Mcro<D=4=_$eK^O;timAV}sqrF}%uPGl@>PDu^4^wk=V5V8_~EEP$KF=-0}D
zm>mpFz9vh^N)Hz**yHU@!R&;wxrMIVOn~0q20eP}J)rh3LUpYkQZpZ^ay$`czopCF
z#PF2UEf!!HQBYs0@SkJBPG*a@0*ZUr1>~h@>`Q}y<O>UDWw7ntdN*L$DkY5-y~EZ~
zFlRciAcaJh>;*DJffY0&bu#nP25DX273Nw2kkF|=ygQDd(N{@`EI@ORk3F)*kM*@*
zB-ZPi*X~b`JM#gSy{F^TLm~~P)F?~*WuVZffjJGO8gCVwG>*(ygE=K>`~igHG62!}
zi)>|nZgtrKt||a7O+76xx5-v9v_hkjR1|5`&wv5<WE5s#2rrf@;Bo`wVH9$Ci>MSZ
zz1}M)8#yF+4=7^*g&v0|Pa!<xzZ3*X$AHk1Qhx#gog)a*^Y|E&9v_NE5ot3W5Lhng
z>ejOq$Wixp%<zsiw%Wof$}vV3<_8V?G`)BhUgE6v8@w8SdI2+a2!)Un(@b^%FJ`SF
z{XH#&l%pixql8%-F_o-++nsCta^8C(gkuh%Cob_`97;)YJKdT%1^0B$1DyvewsoD*
zM8I?dooZf3D<jeUq7TuyP$`HXqErxDDM1x7p|$O7TGwR{LEM@VD4BG=7?jfpSuzCg
zFoq=C@M;24&{01gksuR&0n-=#N?Kf8kf}=dVUTCNaDMU}0LOx+j2T&07TFKwJ#8Gl
z_gKM4klPc6Tu>UV$GzDyuS3#?$y~;nBy(kGe2g<7kTW0DF!=#Ftst|^?m3h-CNstI
zIzpSgS<WIHT3rvhWDC1j+@#i5NUz_su7#a2%jh?ZZ00aSP_)o!j{DNLHQ?Sny5}P@
zo~w+fD9;v@<3=4_3`PCf4C~-3fSeecJDrE9bE=~a!zRvIX#vNS5_XbUJ_GU4$tc<9
zsUv%XLsuN2<WiU?MDsZ1kg>6h*7)jxI_moQ7<2Pznf0TGX2!?&j9=NRa~fp{*XAlm
z@DWUV))TnwtS3fVBC3|v)7I1IVhW}u*O{fHtZu_$^Jp6eQkv=Z+#{Iro}QIakUUa%
zSuC}Y7^}9~Cv@)2$K0><vB`5JXI}YIP~l6##k<RJ((d(gt^NsQ!OPyPJ@<?N-<i|)
z4(>B2jj~!Qs}p?25JZZ(NU%;+t1d@t=}(obulD(^>w8DM`rh4QxGz>q_DQ6;fkldC
zAk?G+D6C7#N$HvCfl%m+iSFf^zZ@)o!xwU!*S3<WP=)a1G}^(qFiGwNHAfSD79D=^
z%q67KcLQ?aFI6g!yoh}BWr<s%zI~6=V0)7^FwL@qfh3&liL|i9fU!Kvw>OS>jIk6q
zYU905ReTmKc$x+2o2}LChA)Bdp=Yv8DzRR9PqeFEUPrRGthNrw2;cxL_}TCySXm0b
zPAcUWGq(9^Po=MqL^qmOFMw*|H20G79=ru0ADDr%CDnVlgh}s&^_qJtYEzQo@w}O{
zI(;Rq=ZRzQ;zSqQptNLhyPB9)@DTwCxMsXJ!GlNGQ3;RZ?eih;nR|lAvmMd)SUkE}
z)OmIzvn}qaRWOV$W{KrZ-Z9a|D6GF5O>h_mQX7m}RnqI81(VRQY3ttB=UkR;8&A^?
zY4LG`ymIK9ey$M6QDjze>W&;DN?WX25yQiY<<QRrPq5y|BgGl1nmjCFz-JE``pG;D
zuuTkmVRM_-Opp#uD7f|(c74e>q@ZIb@m0L_nF}Uu(g=BIJ!CHw9$?tJ%*ed0*+!lq
zRxOa2cWFH%?}5pQE4Dlzjal&H07Weo$dZH`G%Eo(kOjotmkrv)4vuOD1G{GdZi;!}
z4`{Bl!?_mftwP@Q2{~TtlIQLNCS07_Q#0v|>LQ01!VR?oI3gnhiQVQ-S#n5jCHeM5
zxdQD;MW@Ti8p0bulcG+5&9+jq%9Z_e(7znixX7whk)U0`DV|=TsjPqkzXry53S>dM
zJei~q-Wv&U6t{w?T8@F@=x~xDa)zQinP@?g3zPGsrnL-clcD8wV7Ps8`l|AZ;Y}=g
z_bb;0-WQzFu?{LVuU#(Vpv?mn;4cX!9j_eEyOixUa6G7KX~^gd9ZmsAtCS2><3O>O
zX=sjsqkOCxk6js5k+b4n*qRq$_;t8<r*rHX^oxRe>C7CDU-WiTS>Jg+8gz20nn#5z
zyQEogPD*-=4;qW1N0&OLM%8RpnG<(30d;B;UzDp~(^&`Ut7CbxzTL#rN?Ld?>$t#|
zD7pts=eozEeP`Ni;|@ruX8Xz18B!mlR8?AWTNzMSJb9a3`34r|*hgD*paeTfqhp!8
zh(b_A+Iv+>47mFp?>tuyHg0a<NPQm6An3Y?x{5mL+Sc%1-;_x?0bOh9ZtiJV@(Gzu
zYRlSIIC83mlaf54pe(gOeXmE|R(+4?u`<WY^}!`OFFN*jQuu7yk6%DH*@UJBhhdR-
z^b{tsvL`HvJ!G8J#4KU+z=-t?h|`+_Q=LtFvNUep^-KJE&uAO@oV(wS9&iBoJdR}3
zEq&>>(347ZQHn_BuD<?4>v-L~uEaB)?SPy1Wx&)u*ARB&Dl1&?ZKlI))J7-1N1hj5
zDBO9&9ZQcrfeJ44dAlg7NRRBhrkWjPo>JU|<{7f}vS_OnI+1>aic!*DJE<@LGjH-W
z#&8p9&e2G7stS5A95G{c-lYMzLjVYppw^NhJV3EHp!ec=&=uKkOtoRo<2_OpTzs!y
z6OIRRm2NQWA(H!In)1Vb5uvW`I7(j<ntn<6JQ4B<bxQ7B`eL-Qxs7l1OOvU4<!W4)
zMNu+!jgtBX;c``bFm-i^g+|0eZ8OIsxx<;m+zRTUa;KD`WxONaf)dc)GU%!<AETl)
zig*_gnG<xtyik(VksV#A37vF~$MKhi%Lrs^njmtJPRfq00@uW6j>-x<f|2JAl!bxI
zh}&rxov5Lk$URCA6by$KXH?#MiZOukCj3F^x`oo?^B_P_$DmjDATc4!W1RNs^xn&E
zfEjWvXJQy2r;}WCx+~|Jl#qul7|(b|lGb60@LBCzKp#iNWeV|`Wc9RUzkWb=I-Sg~
zs7u1MqI^_0HWM#SDd~-LWQ^Q4YD$o7_aP9@BY8Dy$A*<C4;mD3CNz0$NB7xmzP%zQ
z=TZb96wfo?C+9Va*0DD4T{4pQ!*EC)*M|uZw*~N`^vNJRXadMm!F~qVTkA)iSt+(G
z)UbZbc-dDkJjpaNtGftuDD%Zk$=f#2wa~Rkwhyj2_2KGKK1rWWSJS9d4Lj$6Z3%~a
z$ZwObEG{!rj<T%;9-u+8u;)2ik3*9#7T~Md-srj(d8~XWVPLjzho3m`^qt&-)Vx@?
zih43}<Ouy}_k16)gs5)5zUPp3vA9(8mYv^#7ND01fZi0*E_OHMDoUWO584%AoH54j
z6fqsB=^Z;tcsL<G0edTbfpbjV+IsS6UX9lVqHpSozj+FW=S`phX$%t&A;UTEwNtWR
zrE@yx9n;a_wl^b6i2)mMHi5k(K(5-uz;}D*N+-yL;o+}R-|;+O$8n;*`jy)BL~$!C
z+={>p(TUmdL6qgr!5;H7bv9Ibq!@2H^UFf#&#7>{b(y0YpFTcBF^(qoM(aWLGD5MW
zepct9vFWdPw9*@P$q<`-7m-7bA8<&h5cKj>04^XcZ9Jo(isq*UB3)%P@?czHkW3Q=
zC<Phz^*iB=r}~zMU}yW$kn@s=@+onMl+a%qk}m=0V*v}TM5lZ&dQUiC5wVi0V+&GP
z8a7o!&WP5DwW++y=|+COug_3)&vtk-5}fY=V>*g0-cW9ilclT$i8a>QJ{!Jj@L;0s
zt3}kLeeR*i<po$XefmmOJU}ruzyh9F^}|*N<X$EMh0X#yN)m2=i)k6znBZWnv^vXP
z7@RAYFj{pla?qc&YZb{!lf5odoe@-f0s*{9bb<8vEh+BvqHqqW=YV0viM#zocL23!
zJss<ra=sXpm!g4<p(3_=BQPz?RJ!_1_qk6rau}4_Mj&v+1fTeeop_H}C$9`CkqG#W
zjR4zW$qRao92UepxAVG;sj=n(nubd*ooNM9YQ8LxII3xmN#4?odDqdEI9Ip>$=S#1
z6eD<(u2?=jN=%%(Oh$>-N1o;8mthc7{Kf$`R`<QrQRY(Gd{AfN%b_(Ww2X$bnmJ>t
zhu2yaGIbcoVMbB)peSydtNBELUTA3aX^7SOr5#%G0jJ)qAt@Ie7Q^1njVQP}h)yO#
zYWHeLrl+GUKP2ohTyD;HEvs8(XfP}<?&Y&&RXMci)^^~jD~xdDD;hz<tBaRxG^@vh
zQ)t>d6i32G<np{g<(z|adio6_TD_N;f?JsVPRH6G%1WxS!E>^P7SJ#o>``}n#fLtT
z@H&Ohc<h`4Aj#HUUoXB5TG&k2rXHz|K*Ga;FAak}HQej!JQi%Em|B2}-h+O|F>g19
zv8_e`a+aZ|Rc5EEa>`v&3b`I7Gz_>o2?6edNA79wIn$-BL^QM@FPI-lJ7HTghZkTo
zz@v>rH%javxkT$FdF%0HxnCQS6ESreY7uyJH~!_}?L(HNjTJ6;_r@!?G+>}DR)B(}
z(Wi4o?_5Lt1%NQ00#!^ulG2Rzh71f+pe@-I$9)C0DjVoiRUCVOc4*u$w~(4(@C`w~
zXRz4U82Z>F{Jji(Ci>9uO;HG^?|Ys8Vpk5y;I$*CJ`Szo=NK{`dD63ZL_41M7|N*h
zCPWpg9<ZqA2_GsATlX`64ob!sYW@VCySQN_??aR|)qvu4_8ZOK){uH=+*Y-N3{!sH
zgl^X$F2@@tm$LT)Ox%}I^!XvXtrGLSG<)Yu^(LBLF$xRBxruVM=?y<?L$8~injGSN
zFJ8Lf)`N6PWt>;Yyl-NNUf~8gzF9V#O!DgJQo{3k16rJK-$e@TO+d&~2~%W#B&2}~
zXXO&xVvxu){6MUZvtAEvAHEI3D<`DmXVDV%9$liNJq2Ss@zl3)`s7lmCH7$`g<xhX
zlk&_v((QyiYo^yQZ#tDYdEV>iuM&<ISRagWGMp(q4n!U8#`H?GBl592;yeQzd@%U3
zon*>aceuieGsS}*^hUDbY**1#cAPqCz=ND2ZbLe3>b2FWc@Jjm5yx2`(>`27Q&oC8
zYZO8LK;OI>?RFo4&?k|&{w&0q4Y|5w+$Z%aK?hM3kz47mWFp1MIF}7an8!8@aC@?%
z^c8LM?G_l4o;UV+b*|G}t3uBZRVC{SSsl-_+F&w?M@sSGp#yw*$nUj0c=%9>8-Q?J
zJs&s;o2(DiJP=ACLWdWA+{sL@!U?&wHnR!a9W1HeJMVZkOa(#RSfIUgkBCQhaGS!M
znfZtoJVi3ag{g$NfO_7@$Z3G(tzpX;D-m(Ni;0!Dw&1MORowfRh@3#!8pE=EL3(Qv
zlnoMs<9gW@CJ@CE11!;#Hhom!T!HN(ka3hj%>hjYodL}V=*>qUEBRibI9~}@;i0~K
zwf^RyjgX!!@h~Hty&`pJ@F(RAQ`}6<jpriaP4!YBJ@gpbZ-`?f#63M1Z*&YaU$8J%
zFl`IJ$M5QyxiB*3lbR=o5dMT;p<PQqsE6m;?5BVN+Ju{|!~`u7bW$>dl>1)KMAS@>
zsts4WF+w4W2E`K?&<;!yPfD~<?zeeXb82V&@-!zigG}|Fsz?ThlD>L=q-lqfQz4}(
zrSINdEP&%F4m`nK5yJ=<l+cwS!d(ySO0vgMT&aeeE5Y{epdTDeCS4e4n6-tmwl|hR
zCcdz_I1QTSL3G+;iw=MMW~~}=f?=x6JlE6Y4q{&ABTsmQL=U}zunsI6Eou*TnQr!t
zr}8DR{D8%xJ9Xe}HT;3}$UxZ^nQCR;^FkIs@3tJ%XTg-i2iI9oH}%fc$=*{c-vhuA
zXkMwQH9q#4Ko`!SJ0Le|2z^OSEi{0lD_)6nP<9iE=Cc-EJv&X%NlBz4*slI0H@0&j
z?hYfjv=I5MTY*5O>ohfu!Hus*RVm*t4uidC6;GPOWJqJmTDVzWHmh+(-y!)lK`V8;
zRtz#pEa*eoY{#HCjIwx7s{7cFy-r0|%k4a&M3OMu6l%)JE1%%pr-=R~V!FMBR_oLk
zKw7H)0Q@XdAMtQlh`>hmf^sJ=UWMg@LbfEncdFWuMq~Kcch&&=Xwa5OUOyh(ex+<v
zy+`L3$6M~$><`KUpLqx1mXT~qqtQcc9R*#;vpJr#GhGhoc~De2$D%Ix=c{=D{Cr2S
zHC+RtA8hAQDKnDNShwm5*NckG>fO$x4NWLH>`HokEW}jf7n)*~8QwV$$dNl_L9Ne^
zttff*N~>GiAT3ScOxTGxE)14ic=+}C@xt(X6%XgAw6+j#rO1y`OS+eMptTrz+V?dm
z*SsRFbXsQRdfd;RY&_Y1WtmS`^8hFzGiSrKAW`yQ<1kywd+u!jQI`(YMxWG!Y+tI9
zHPsVx2fEIB{rWM;kvz5Ay+%50n+QWY+Ef|?z+z{yct!3rv1UdF3VzEVt_qUp9d|+l
zw~UDElim*{#5Fi;pKH6MYvvI=pHp%i@3FT881@W!9`f8-O26V!;g^qF?^+Zwr0bPA
zHD)(iyh=@zFh<gvw~X$W39C^g@}54`*%2Ct7(Ii@L#z}l1)gbt5{)Yp>qo9{=hiTu
zRH7%(v$vdG_PW#Dt>9id7u8kCW5_GF+AP~=;Otz*o3v<s$1zz(Piy?mAQqWo-dkI7
z7TT!1l~$Fk7JkP#;jL`WDphK&6FGOYw_TXiv_usqz!ETE*NC+62A2qXTp`E@UxeJ@
z6p#d2QQ1!M<2k@X4a#~H1D4ntY^zM-D=!_KHZ@olZwa%j8`%Ve6EZkn_B~rE1#62G
z?r>Ryi~z=aTW>@VUqIqHUOP+2Qe3|{qydbCSyH+TCT*m*?M-d(<rERxY-W9#i27wB
zfCgGAUrf*8(73gyqP<c+6*p90hs$(0r*S@o2e_iR4{746SLt4)Ua{!{Zjc;lbqCHW
zA#>EK0Ji}9gUo%w5ZZoi8mxjK_*8~>0}K#wJ4zi~k2d{0%gPZqJtrQIbd*vnB%A&D
zcD7`#r&gIjZx@3oAA=XNOjd`b$X1*8-G$uvD1ojt!d^$$K4nghCIASlv^ezw$9S!Q
zyns4c;ZM;(hOE4R^}ub;W+J?SsvWA(o*6kmWof>6;83usVp|YEc{4>G`sx>loV<I<
z4-KS^C+M-(sQIo&TqA81=t9GSn@ciAR|oT&L3f=8!Mi+}S4uI$SR=T3DK2*6BF{P%
zwwH7vMk@vcRi6T*m5{_-*Gx<4rIgBJdbc37;m@tZa>wSf8OeB}CXi}I6%(k-p)(h2
z(10I7rEqqqY^w_opTCXg=kjEa+;T`ShHZeYjqh}M`#mS3YD?V5x?KWkBu4YjGL&!z
z#5f}nA}k{4&^5pW2A-r!Q5-zCTk{PJ_VP{Ne3)Q-$spMehWYaKq1Ltzb4iN@PSZ23
z!Nwpo0rBQeDO{NF7+0NGFkL61OnEKkF_w8NW%3LJ2xjaoI^H}yQ_opEVGb>&)3HL*
zBoSXO%2zgbc))sb(^f?R^gI?DE;$z9cs*!Lu1XTUh|cwujad4jhZMf-2w*C&MdSxw
z_8_O5%2%3Jr?74ANq4NH!kkF$PzU%+s<UW6WL)N9&*GTWG#kqzI$lp@z>ZV^6>Hu%
zss?Z@L>RSL0^pDN=9RALATW!|YjWhV%`<r?mIe#T+`&ovhLFv7m`7Vi)K{GzW}-uV
zs!05$;^FHsYN4*z&B=4*9d<N_*b5%zD6CrR?)r$|)<bW~DNIJ|LSTI05-yBJfMFGd
zT~bL8y+*`%aE{P8580iOqcVz)Sw|t}h@tmAk%$m0-*#}*i3FEia1O9)3B@9)lhaP|
zk;!_VQ-4m2#QQj8!qbi7+(Dz7#Qeg~boY(D!Uu6CPi#*@hR~MB1#9;J<rhA97v=4c
zgN2Xsup*9$C4}rsEo-@C>rHJ}z^Vlc2fVrx+{oT|$>wZCMFTAF9s}s3bajJdvN_89
zp^14BeFaDkW~$8$2?(p3px#us&;3Xzq^2;~Y7X})4+*uSKglximn%I#NOv(FpsrL)
z1~dr;W6V**BA?#`z;K0N7zh!z!IYtSIXYTFZD;pxnA8hheb3*)yLJfc)!j%%8hKkS
zM)thWn5n(xXnd{Jz+UMsF|N)4%o9~c5!xLX>_-WakBQ#lyoCpn&(&lXR7)R<R8yG?
zE}USf%>`uk+p%*m+^IRFH$Y9tmGo}taFY6(7@>0n-NU3xSmgw$-b+5lv7)KdSBBs+
zv%6bbQ3D<4am>UgGL!7U>$+6o4<8gO!@F54gBAe2P2j%w1a1_G+ny-C>21@{>vtx-
z<@9_Y28$WiB=Qm|%sm5}-<>hN18LpBN2kmz-s?|e#*jN>*%{}mC@Prv2e?1GtHYBp
z&_LO0w&&_;=tu6B+3r5ncH7r@zS1`(^NQNA4|^FPp|jA#sWKVMnNbpwBS{uL{a8$j
zHHG;QEcoHdfdxthjaLfNV>nuVr5>}Zh;FV)j4<N8vZw3Jy35f$lma3)k8W^dA%v5k
zJz<$7f$lFCAAPyFPt0K}EFy>7Or8wSl=|y?Z||uY$|LLJ<`mzFuIU+eJ=Hh|^cdmD
zc*>VfDVRbkylsS4FSA0Xw>Vu>^D>^3P6a(d+aSO9_Fbh542vr4`Kxf#?9NNd2)88R
z!e_0E3`wYgi=e^yoc%8uyIhzgv0IZbbzI`rz#~vsvuEdH978pRPjVK<5|2=?g0iLA
z!+M{HKj8q4NH{}DdSVFB<?*QYa&kl(N+zHK;(&|}wRYE{)6Nb7=nSzgU(F)ZrH*uf
zub%`x3S1a=4q1U&Q0Y5`NaD;x<G>;El`JA%!nJ_LcOGbs<Xj8<xV@+-U$+_!J10r9
zIl&9K7C5q}mq)rP3o)gBLK&$-4(0)9hwmu~3}eF_cf7pVV0gL`zIvb>4C==z;rIq$
zXaTIsqJ<b;ZR<Rk$*Y$h-c8Jl1?vR-8rh&sfd*1#S!5{83`pgS#%aV^#UAPkbso1@
zdKd589w&ZpYI=oqs}%@MDEi<Ddlw>)5qQNj(h?C}o~|QPHY8*QVnN7zKq@zUg>Ro%
zs#!fA4TiYD(_@}fppJ8XN~SirSmFl4ch*_q`Fgl|=wXog0Wwdz^8;0d$yp%?O@ttC
z$#Ve5*f$<9)l+FbhjqylL0~)zJzDu*hxgLNIL9dLq(88N6Np@MLa7XZkrcyvo27Fo
zCSyb8olOU?xkPA%*fMYFah&WHWTvQ+ZShFI*FVGXRz?DENSr(cksHqIm99lpY2@?`
zJW*{6iNPtt(%Z6FAOIZ<g3c$sIcZWv3FY);qZOUp=$Vyhno_oK8pe3;_*A0j1j!9y
zo2~N%rOCb9at%V}vmyVIk>N{5<!vDB5SInKTb+kh0>j)Er4et8)ExCqv2m~^$Wvp*
z7!(K8oFaZF?IVyGbOKpVS1j&mvdSEiN+_PeWYX_i`>JPNMv}m<Jk5u<?=2T@Za<Xq
z)?HkCp!9Aq7~Q0TcuQ<_plPRh%}4*TF<u?M>6tw=+wIH7aeGM5y3Tu<C35ciF?j%L
zs>iyo6aa|40}qcqDgeta&equ3(q39gJC}|zIa5&=Pb(*8qbiT4Au+)2J@j=08|uf*
zNuEnA^PY9Rso^C67;ENX<L-J4?`09ZiNa0|N6lUq4KrLkJJq&jr*q8rXnarylCuPv
z=ERu9AbWtlh1RRgY}A1<)z%GyHMjju2`lH4>jQ#hB;9_rILal3NysFv%7$%M+S1v{
z5SXFa8&xE8D@rCx9)uiwtZzqQ;0Z@pD8G$rV|Yc(2^%Tt`TWLQ!dVqNNN+*{(V8f>
z=7~Amxja)peUy-taA@$dWbuIz=X>WQ_Rtt|pup#X&hK>B05w3$zh2`i<dfMUcT$tq
zv|yaQgNeu0RJ{QpbHkC*TX5h>)*VKvN{<rMGhS11BEJ@UZcSo@zAn&{Tk)EW+e>o$
ziB#oF9w>;*IJ-ykxHHqpkf3SeS??menAMjldE)TS607J4Ub{_}OLo$#r+Y`6I5+YS
zd4#xFpson+vG!QE3e(g&8<Q1-;Y1u1Wk{wcs-_y1m!sSl3@BceqUfBJ2CERZ%SX?`
z$j<6o?$jit-c*(CRpZ;_%xHvoyM)Fi2M@Rq5<GG+9NJSkqj)J!{eD%?vU!;OpkljZ
z0RlA`Un!3&u2t&<#0zbb-M7lK#(WpgjyOD@;-`)NWut^}WeHN>BOBF{iK9?-00#zA
z;v7?Q0WA^PO@B_J^oaXd=qfo0AI!c*l|l4}Nd^;LVZGiok23TG#!vyOxRccT!Z%=)
zLkm(BBPG4{P3d@oKAvlB+xE?904;46JuHGAj5WtR0v678hre`$$*2n^l$#%8`Se$M
za5(l`hz=6ubmq15l@wkkim+O=h0THX&NE4};xWS0H~Wq=9_bo`<F;8E&I)Dn+T3Gp
zBhdEj?Ik>W@q~)@Mw!*k!KB2+p0Ht}M?E^mK4|ua4XWcH6SANI*++acwVCER+w&Th
zxb}7394Z`3k6WL;Rcz(AtY)<5tu&d77z==K<17z=WV;u`i^}y%*LU4do9(pN5LQh2
z7-Y>w)qM{htXw%4aj{d-90e&<pwIBNa6b|QFMk=!oE3CxgjTT$$?hG+5(H(Mrp*0(
zo?hf)vY#k9cR%5}CtdOm)>4cmL>4yEi~+VUtYCKIxE`&qO%(zp8iy%4VKx|Rcit8U
zDit6~@xCG5dKFivN<E#}J9(1h@m||D_UhK5FdN@&XD>3Jm+KOjOY<FUQ`plgC^OFn
z!y$6rBzQm_Uh4jYV5GQ`D6h7;6y0xc_o~@#kWGo|ZP;YR!<as8+ne`{Z(C!;q$b;7
z7$E4;<8DTNk`8Ys^{{aR9q2>{*h`QtvBJ!6dP(w<3!HUq<Z6Hwc~gn>J%i%T)OA}Z
z9jd)f^VNj1mDG~;z_U8e?jph`(c$$VuublU#6h-M=!^u%jUZPrn?ng&bDrtpOVlKd
zU~;C*9+IY0Pp)_=X}z)Yyp3Fn%q;KG0~_ab?v{&ZWg(y*eP24t_Xg%oTu@Pqib15P
z8*xJ31)SewJAMW9o?mdn+j+El@2TpYIM5`wV@)p%tZM`34evBvdoeOLg-Pjw>5IY$
z?yxtJk=Oes=Bc<6z~gYiSC^<dq!jy*CyW_YtpJRX*Ita>*1_%TM~#+=?&<39FCV2E
zWf{Rq#t_>G0~I;2<v@L!Y@k$2(hl<YT&L1r5IkFV9eR4#v56swnfxxvW~jLwNC%AT
z!Fyxq+#xPLB}dQFdE<e~MJ5*m(#yPu{zN+~0h^%1=6w5v{6vc=gRBkYbV{36xfJH<
z<rIypHJqfNBu(2KX`$d4!15D@a!Tl?MG(^1($1QP>~7dSujrl@0uBg{!jfP5^Hy6w
z6)BWQVY-4eWkN~8ICXkgeGPd#5%VmD*R{MKJ+e~-sWKT;jik}2v7~00dxg&<o>@}l
z*ch=GpRn`<rkYCBGsiOb;*Gt+XSG<beBw0+RvU<86Jz}fj#4UU&k~9<q6F5>bq>_}
zmif8Ga2@Ssgh5gh^2+ljaLu-Awn+p1MY5Z_T1W1=W$deLaKPtBWB6J-GKUs=E#rC4
zab3PXb?;hRq8l-=-J>zE6#(uFn0AMKdGwN>B&pLyBU){4`ALeM5E}TN(R<aJBPK9M
zWVHP(kcs@&$sPw0!+T;3$8Sb}35h%E*%~Q7e`0I|__Ee9YpEZtuS+ZsDEDh7f|Y}k
z>2Th{^r{=3Vq^m}t}9R6kvWk_mBKrq?%QLU5!Sx5n8&w^@1fNKY}R_~osJO=uy2{z
zT0U=;PE0Fe^avh#y$%6L)WI2#MR=h4x#$ApKvJB`3t|o8Gksh_Dh5vA#Vs-2;QZyI
ze(z!)t`}b{DB;M%A<E}aD-&5GdbusHYhDyy7CqQhLuY1KDI63Qt06g20=^8iOZHU_
zK<#30ylY%s7Ba3^Y|ml=lArVIa|KKhK}Ot05_l__&2L;y6N@Np+Y%gL>UM!CXye%t
zHh>%&BeFeU{7c9ok89<Ci@AO8$!#1ze3-NHoE*x0nikcGMy}Ujq3VHMbJ*ewSYQNi
z)mEn)-DxN`7RaXS<ku(|PDeW%=Y*l1#n18FUbZeFxD=Ig6DFoiOEfd&oT#FNg^!xO
zgt)e6rF~ep&;uP6@K_HiU{+RhyYX0gvEB;N9A>zV=U7uR6{dn(K4!nZSgtC1Px393
zX}t%{gdSYk&FoVUXJmpyn*wexV=e&NOh)#pSWJ`pgMQ|Mbu0=lL4qz7*nN>t>gmc8
zZ|>&9cCaBACd8mxAn&q~c~fech*_%ooRl$Z_8n>f2h75VXhD(y>PQ(H=8{TKNwdN-
zQfLDb(SUJz%gZ=>xlPgfR(KCa{SsHK6*%em0hQ%}6v2?M7*PRHY?kRwPvOwnitpBP
zUAI&5a_PwG<sM`+Q<)e0Q=+Y&@V%7hLN?s6MnXE#H+cA#Sn<`uON(Aoq{0~MD19-n
zsdC6S)Yn{Mh&aR>(DWIL3#kyc8BAv>rZYPBzy@WqOE%4Oe_*ga6<2bgTe60O&}gzS
zwyhCtgI9N+F7}k3zo&jejq&#S&G|dYD4iL3V^8x5zhQmuMb4s+8sI=p4W-u`GvA{S
z6b{+VbA^n&>CguSx>3?Q-PR?BXmL;M$p8(yj1|0{WS<Auu1zm8pEx+`y}YMzYrf7;
z*^QcdB3ri7P4j|3CrG0&Ax(Vq-KIScds9$eYby~|dn_2w-stM|7=~=R%XI{fhni9Z
znM6}U08k)ZfiHAPnH~o!<(Buk6&m%u91I|NbBc6kg$FH<_LW>mG|j{FQvpN`NpQ<2
zyS%%y?{Pnk@m(2;(-21)SDlQQduPG$=M-7qgtK@^&|=I_Xv=VO*KuRk)BAMyExllV
z4)`Vt$IQXuH95NOdz_Dp`_M!n_ey-$T=t0%WojzcNYoY<9S3(un2s8_5W*<mVEbLc
zt%f5v0sBBaE3~!9j$VE6L<v-e+k&63TbsI-7eWrMUp(cl*o&}&sL<DzVwbUbJ1&MN
zcTpCOjGpNMeBDH9_l(|+S~A&M&l}lQC8(A6)Up!mVrbX6->XI7c%nU?uQ-<-jopn5
z?FEloyd>!Zx{%UcrM>Yb4QHgs2L_BI{eq#b=I)ugmakFMdrV?}2~#{xcsvbnp1dd*
zJYmKXuAT^dM0;@EE{!~UQEOCQOu>7PQ<cDln*uMeQw@cRT@=*c9KPdO076BF7nqwb
zYKCY;-?DcrQB50l1e}F*YfqCyU7#7i1a{%7&ZItNB%h6D+ULc9U>SCXJy;%dn}@+_
z+*3~$o)$}IKWUaN+R>Ug&#qvg+E}sd23W|_mU^^X6|UyyP4AdYrYYToANlN{EP>`e
zEQQ+5BRgA4F>Iy?X5=T*<c6Yz^Fmawb8D3Zw<JWaJfpCV$HS82Var-m9NCd)@lZtw
zq~l~&+OED*i#c6soaCif6+#iL%g1VIZx3kjPGSrhS4U!zS)eSRRI!C@?yjJ)h`ySO
zs41C-LhDwz1fHu02Jv8*Rm@1>E?u9HCx?F->F{MFTkAqo83#M71fi=t@WEM)z|5m3
z{-(|OB0S^uU?;ckIS=EsV^cHS<C5CdjOS|gYAOMQT25m1o{9x}Kc_Xrc@H6wsN1Vx
zapg7d8+^sDmpKeh78)#ua%?Q0aP*j%LK9Y@6tjuPx~`9D;YRP!UrHV>t^on!alXK?
zF^$wbeW*}7;V@<3?xdR6Wz6ZfjE6OmSgKx}p{f0vZu4!UC`%ANcHtu3hX^!SA%{qa
z-XXyznR+zW4`83i4Jh8Is!cuZM<5b_3b7|qFMXCTszFA`SlWDjP{f|!gRPgouN3QP
z&g0ZNYl)I*ys%es!5uq_X{_g>2n7o3HNf4Wfooy0H7gtbUhW>@#q@@rViFFOyYhkE
z^ys{!sy9W^+ofu-E|DBcDYt+Y^t9HPbfcpvp~42Sv}1uIE3-IQ@F6)Ho_ip#fVQRp
z=njP(KV^g-;^H3MmQ3ihR9%WW?WgoS+A_)>E*Jp=Gz7gGZ_e;k!BWcf%*m9?VaEke
zw4{3HnnUkSA3WAKsSlvo*x#9khSI#3hqGia`oUvWl~d?|%O_>rO$_t=VFT`XSK#I2
z6zAD|=B$03Q2a^;n^eMzGO@#6g25rdfwy_awT}?rHXZ^QAH3wW_4Ve)n_`s2EcD{W
z16z!z=Xkevl#rN?vUC*h@nPXQP^>LdS~$9O7r|-c<^>jVDHh#wKNqT20}83097gZ7
z>wD1}mvPZ6oQJj=ayW`yUBhv^FP_lzUWti)=J!@Y>oIa5$0ARZ<3SZf)10raKH{fa
zBP3N*D&|DNFeHYr>{-&>^c)nQ&R7tn53a`MS()-cvPL)d>TDUzjK+Q{>7Q?H4M=>H
z#aiS$m&z98Z<Lw$8Md+ng6B>2lc}L63#FxZ+`K8iCc-rU#0vag5h`~IuB)E~+YdMx
z3tG-PsFh;@m)FfOF6>fN?qZt{OEz`6`;zXZ?Y-v!s$=6}ag(j+ne)chU1yUIKyo<;
zWCc|2FDJtvX)T@MW6|x<4#rC;@qLI*q-@M?XKs(%2Lw59mLJ7K)X{$L@@=cz;0Cyf
zQLD2>E`r0I7t!-Z%uRd~2?S~NZg)km=~5$**<%;6(7Iw?9<vKczX+m7C4PiXIb;(r
z%e{!EgP-~!6e4A2L+JE)mMIB@^DZyX>&~*vhs0+EG$4pLVSCUm)KX4_&tEEuHj^o>
zux5{H;A}X;HId;2`Qu59pgx9&72X4Zv4HbrX4;;Q<^yS61^|u>Tjabt1}746e>C(^
zrL*%;Q;_#YhrlxA!umbveDAd*G)C^_BHha*weGmig0eSMwsNlktj9rQpjlNqTHdvz
zr@ZZnhDkHstrx%yv7@ivvon!yGk=rbW%x?4jiAX%4e{>jgd4r~0%&%5yMy(X&dbMm
z`*Oe{IqsRN%nCd_x;o)WJ-o8ez*jN7REY$-Od|K9A96m<-2^-gm44cJ9!Y0cv3a)9
zVM}G8PqPko08V0XCWj%i-vg1=GeO%>s+K3ab6vSj@GkIbsPHvu5?nOV(-t`{0d31o
zvDkSD1pG4+Xi$6{@Wr#3rZ)*%FngO|v3`vs7^Wt+kt|{u%~BpJA(0e6GRjsbL$zFi
zVu&sUoRNbcyeutL1$e}Jfu46Uhl)gen0BOPb5GffjCi;(uM)AO5n1$IOp*d84VFT6
zzed!Qjh4@8GW5$y@zIQ^Ru*^SBGEuKgLFm%1|#h58!n5@9xs)Arq(N!w#EqD;gT&{
z-W|C$sJAuTlaf>Tpx}-kMYoS4ZXr)LsV7~mzSj}6??u>cGPY1!%i=>DDVf}PvXwTH
z3d=HhX`5O7<fN$};pkb=!;trgn)fd$M_v?zKBUw{PU`ZeqUtX4vPR|U<m$(wyej2j
zC*cqa&V21*Rg-jM3E))w(8_y)n~J7A^;gyr%_2-{7w*;&N`A)OkDqa7PC&pT9gerT
z-NEAQ*R1jqWl2;s6ngd!UkJE6m8mA~DD+TJYiPF#K24o!s7WQ?!9_)i3?LapDLa3?
zFP|LmwV`=U4(P4Ig9X=NR5PiKxtLPTr*fi5aaJVh1}H!^PkZ=9ayJr9@|YKnKRSW;
zklsYb80{?W*qEbiS-#DxAzWGko8@iJO(+Hnde1`M^u$<I2%RCESM}I>H)h`}%i`UP
z2GxmyA<G;EV2~`C%)(n1!JgSvi3e7;gMqKc^+_f}m~f&iJhKIsm-=?CskI05J%~t0
zVyK|!Bu1V0G`t;xo(VeuZC-Cm4KPi;Gyz4AeOJXZsdI%LQj1Rk@e;`jE?;s!*U8t9
ztiXuTs#+dv3Mh;j#Cyn8+Pk|5gw-$$rcKwreU_-HT_$ud$}e$q+|!1iG6B~qzLP@m
zr7Hy&J_jTObf}nS6B}e%Lm6Hgi?reOOb-mRxdqRlOs1D0LsX!x`35&7<Poxq)LPd@
z(<&XMp<x{$-#akNA?C}vXcXsNq`9t5UUt-GgWTck3V;+e=_ly%9Gqf<9Aw!-<4zL$
zmC%g~TrqInqKB(G^ID1P^mG+H4Fo{^kTQV3q^!LxF@B+A=cNX+G*aS4jqL<g#QTmb
z_pM*`Je@jwyo<atniWR5Gfx=k39GJ?xWF#AAZ><)WZk@X@4>{4oy96umA=$XmsynB
z+)X_n0#5P}1&JknG>EP^SFkG8VA-B1@!UuHk=YU%xt_|Mtd!(7{$-_ts3dV2v?=TB
zX?bBa&|p?(-3EQ{A$h`6P3s4!xP<-a=zv%dGZX|EMk5v(;UR9n^$?2Z9XR%K3>{wW
zJIhj7%52NPQMv}Bpy28%csMf>q-Q3VE<@5Ti(UOV=-I{KGQcV~N?KT>3SR9`^B8fh
zGQq_%m42EG0N&Axl%8tMku=;W04PdhXBgItV40?X%K<m9ckTJSu#}0#3{ihBN&Ld3
zBKKs8o9Ri{QzRiP%PO0`Axb2^sFTG-jiVD6r1C7_<B&HDtA)dN6$I$I++czy<AQp~
z)J%HM<CPX4i>R?8NQC;+s5kGuGQLO&T@#m9WzA!8v?l-sLWFNy!Po=xkRw%uGYCOl
zJ(c@~*zs$(2XpoCDKKoSd(I84#isFsou)Fniavfryvz#ta>f+IiSaN_dYFzx&o{g+
z<*cH)_nizzU#>=;&${|uiG$57G^b29G6aRSl;@B&E|%Yo7*sQ!;SuIphrXy*0TRT!
z812(nx3r#Xfh8bhWAPq$xlL4OVEB7uNUwa%E_A>Uw59~|HCMR8%3@F5a&h!9=o@IZ
z(7K~r6!=wbS39)^1D^M28KNUWlWf8aRt^ZD&w)>=<)OMeG&xV6&AgXZhfeI3wib2h
zrQUCmRe50XaSV(1+9G*G^rY+>=nebj_yBu!dW)g=y`e@GeQ2Kh9>kZGNMBa^iX-!7
zpv9;wn=4T-3$(G5LWc}i@+-e6iLCAPiO24f_E_H@1BMq5>J=0i7y&-E1p&Ro7{J<u
zV=B*!HB3CLL3MKkjp2FEZ}tG{7~`q{9z2{=!{dAw7NUF_<TM+t!eGue1Cs)hh054K
zv&jeJkHhsZE$v1u+vOpwv8pwYC`3}vvq9Q=mmC)p6`3sRjSrx?<Wi$l0?%o<t))nI
z^*D7&2q7RlQQXI*__P{FybyGqq>>oooNJY{grJWFe?d8+OG~vh#d6&k<G5=>d2|Gn
zRElwDM%yF}(4?_;hp_#;;zh)aS6jU)hOTvku3wxX)tS=h!n`u_)U1yWL`*5GuzgaY
zPi*4}HG4r#13bK0Ph>40cbwsY0jZHeE}{0wDNVAzNvb!d0-GvOWiqbDo<=mb58y4r
z@*9s_!VMImhay_`o}8Fw5E1((0mH1aCk)5<mir_zthml*UU*0s-IJbMg;g9?ek=9-
zY8lq4x}B9SJN&?WZcm13aYQM?wrX=vpI!Q?2*N7xM#Os)WZ|74bGxwdBoJx^T&LPA
zgX8rIb#s(Uff6d8*80{JA2gXVmP)^{3PPu38{Qyo9Sye3lJHF!K-z0I5#6>^21}Z&
z*OhBX&nDFO`T~QV#dE%)nG}S|k$P}|E(FT)Jkk1jDXOBuEy_WhvUD56^Jgg2PdfZ`
z$)2;ldBkn4r*BP>*oj5BVDm8&T=tNYwjHIR4LRDlVP$0>9w>G;uxu*Ujt^&M;xHze
ztw2L4XrZ~*sw`&hA)HR@kZ(DG&f8a>qSyY6oC293yG}v-aZ$Z>q35{wi_uNyV_cBh
z4VaEBLwob3CBf%pDbfg=3)|}4sDqF79R&r}k+##)B`{G&wBZ!zA<snHy|<G>H}(e5
zy5VSQ?eX}-gK>fZ9XXH5Zg#O3$b8;6Y!O7SFz*5$CW3Tn0!5|a>WZt4ONwv=_Vc;d
zvFDA88)^EWR<SdyQ-d7(MKoSnA`MdR^<Q3g!%L~`CS4SVd*=970YDIu6mx|TCBU^U
zwI8@GJs+}%2~<n(5x}Kz%}%`0keGp2hKb2--AS;aE)04GV?=X_hF&jGqgK;fF3DuG
z9aRljQ$ccFkSm+`2=$34*}>B)MGwKmJIU>&Q@%wp>;c?1d~vSx45}+NjZg@x5#>F2
z;U}VjV@XK0PJCpU2oFT)oi!pU4Q-MTj8Pu$<8-&G;`F%))tgNddxBePb2t|lb7Ny3
zG_P;)pgdoq<_L(41n|rRz;en32jiuMuHT~sUI*J*3~>w`aS?pxDF$w-bnN?b$%VGz
zsc;uE4V4SFM93o^lpwn|nVE&|Go`As;1XJf6HR3diE_T?2h^HQ&=&oOUWSjw5Xmz+
zeJ0z4DTJCafCKdWibY*)ZB!9Er)kcaC!+N^^hvDMG^zInj=gsaup5yA*;hN^tJ!EX
zp3iKT^Wq+Q<sl=#9Cmw5G%cE`%X6g#{gASd4;4YiySD7aCS8;nKsuR%uU*v|yYbqb
zL`A8`ax=`rBaR<liDQoT1}5tPJYr9#8gkt@P6&vZjaa%<<KdAt+({&jkV%w_1~|k@
z)xdp<+^cs7k~vz|`qF5Uo@@YU_&`)Xb2FwrMFZR-={E*JMn=qN5JO5*^sd9MZVRtL
z=V?5FVB$NOIsgHBy`bYT7NUdG01qnH2dY24^e-=IcT?k?xE$~3>A9;^<+7y)cy5n1
zQ!LjuAI#!FC!oJe0!-*aPN66p%ZAlERj_=-Z#S+GtM4s6;9HZso*8XvT1xI=Iei^U
z0|?3j;`3At88~&Q_?S(EACGB-uRn(9M<AJ~C{xTJHWh*NaHxw(iN*MY<u5UBa)&g?
zrsW;d0Z>M>v0Cz$ya~nvN6^t8sJT-hEX_q!Q5qr<Q96TKcV@Em(vf%zT?Py}Q*Nqn
z<=};51o4xm%ItM(j-ISZG#^lXeU2O2v~yiL0>i$8<Vb#cuSEB~y7$nnx=Wg>w-|l0
zhuaA@&mGEPA00p$f+$Mw0|6C7eW*kT80p+eLvbl4D!nQ6f}P7Zj3E~c*lXZSO2Ek)
zpNGYDsA2J{a|q2vs^dc2jw9flfD+8!IN_sh#}lv@fvd7OW0XQAp*?x4Eu|9#BJb^?
z3_eS|-84~dc>5A#sp1$E;0{wYiP4_z*=15}`LlS{41>$wlYK9qHb;~g<<`;c3AjGt
zIh$K`s%UaN?o(%w0a8cx6AlS{7Y|AS;)%K13(s!35FC+l;euuwT0*kUwwD8Cf-ew}
zkxxfceF1yQf;V-Acv(^@ox)&<Q2n0m7>P*=J`;TEhMva(OP<|qLsd2sCu)<q;{fr3
z;_@1{67W<<ZL-5M!d(XnaT}VOUP`>G1G#q&32X`0?ho{3T!mU!q=gPTst=@{J;X<u
zQ*RKYkWE_rRS#FZ0F+~e+l|trS1_;YEv=QcC`z{P*#i-^7q-ofv%V(@(v-*;nggH;
zGjN0G&(pvfF6a3?emOBJAe!9I06CyuCp`guV?$U6bXT-6`6enLXbC0_wT=b8#C-ZC
z=42sGLjl_qFhPpTi8j;3LlaSQAtvXDQ%#t1#2<NCbk=jXgTim+$_NokSzW8G)ZJ2^
z=P)-294?bStmbXcI7(nced9#=JUn(evjB@54;2fP#_bjM<#WGzfP#EVM2un;wa4_@
z%wJh%`#czx9;`|q^=O(u&3q<T0&LC(Iz3YTQUEH~XH_2n#JGyRNT>(x*v1RbA|)b}
z5nTA@E<%g-;vUq_*i>SR1E%`mJPSgMvD>0ZWnXXs>IBwjc@<0sWFxULNlz-1M}e~F
zj>M|uDml}lW5{JAuK6LW3pxTp(?(-o5e=>t=1ep^OFPH11$=U$<UMNT5=e&CNCPB~
zsG4xCjyJG?V<~WwoO~9Lo^z(kzFyJ`M^`7$*T|d@GEP+|`AC*=nmpfg@(Dw$+~F#(
z7C_X#7wua*2hWybNAuCOz>94(;Khi%^JnTSe(2&m#yB&5ChJ8?SXGP61ccU;Yogf1
zgzrq{0Rbc9p0xEsnzpz#5j}J~Ihqr%l=0Xaf@lCfNkWmX@z6vwz`_{mkr9!j4CT7o
zBO9VCCZ9sZhOCGIhCB@2D^rHO7AfoW#maU)e(I-4JB0*GX`SF)akA%=kcjxSO=0?&
zNjt-jK#+l>cIjgER5P!cNcw8{g;mv6x>2&#2E1LE+G^W#NqixNEWnMPUQ#WLYA+^J
z_|4^Lae2B|xz%$|4dbi;6J38gE99=RN%nY6#xuux4^yG$8DfBg^V5+weUx-S*01~4
z?@e$)lhT!CM<Bccb*JaG>PK4M_ry(0mymZb>|HTe^t(50V-#BJivs7g4idbN^DThy
zF-$1iF6rWO-;7VIy`yaTGL!ksOs0)UI)~ha1wgV$;>TwX7jPaYb749H8fg$VNI*Zh
zhXh;xK;j<BdT>g1NKB_;FA=gu1S%7+OAOhV2S2MAGGeInev(spz1@$f*fR;FC|)Ry
zi>pvpc8$1KpLX?gABcE0N_3$+!iwA^r5Tw*CLWu4*M~N9_LrLBLzb<CETmXRJr{9)
zX4$|RHgv0p@^D_^BEGcR<ceBzc)>j@+x+&NpkQ7sL6Y0=IFRZPm>$pfL>c&5!a<yn
zQeAP2oWUFBwI$rrXfjbP)tU}TA*pb$B}d{n+0c8kz!*{wy{ALr34wICh~_XA5nLB6
zprEemcqa|8<U*d^T_9rga0jg_U%eLuZ@r<OskXTrPrD5Jt*Te{nnH%2j40i5_J&=(
z*YOS&K&*jHwwVDDo7Kz;mO5lkRkuwZh)Jm7yJMkUi5XiQo+fj8F6c|I&DY)O#Vc1P
zTR%nju>>D8C>o3f?^L7q5GQ_k5BfNv*JIsMpKQ~Dn98IAAW9kVJ}Gm%49FH1H`{7Y
zQPiyne-6W&*jh;D%*jONQBf}$CwGJ4O!~s4SlON`>Nt$Yb89r5z;NSx&hqk@cTnA(
zkg~~Q*aNys)QE(~bmS_C7%6FYQo_Ma#0%F$$ggmdTpqmbW9L`sJ9&x^2A?t6o1Kl#
zywTNTc46Dl%;!Q+0z(0o>jt=+YQ|&L6>_o_*WNyB(Pt3%(2ZZ@1F6{bS>F<&R1`yE
z!NExmNnfA}doL5u%6wKE4*E2oMM&(`rKfq9ZoD*c_ZTM~+c#~DiBMM}!W{9`U(xf&
z81qi*DhuBhZi1MskYCRr+)hCQzSq9ymoT%8?<NFEX`wsBhx~ie6#7#0brdTLG#quV
z?{j+RHN|9h56hT)X$uX6Yo>MXp61zcTzS$X=zcZl3rU+4IWI+K5mkmTa(1Q!O-SC-
zAbV_--VD%Ezj?_eJPP}g?LF>ifv-hFo_VUqMj6faqdeiq7w=fnbnAe**_>Ie4S)>>
z8j7Jk!Mz>DQUBhUhqQMd&_u{&ww(3^=X<x%*JS*}xSr7UlLS$GG6c0qm*%81jFsJq
z-T|P{;4PKy_0~X@D5=^r2d{K59!aE>Ly$0>I)@#^va#vK1S4Y6<t<qk@a*OtzvL%N
zDGke<**g6YnB{qBM;p-kNmMDOQuetA8iz=2Hav`L533804tro3VaH-{PncH{;2lv~
z3xya60UnU-+Gt6U`D~>~+?CT2<(*9F$m7)(xaJkP$%N^-Fhlbx%ccou)YOHOEJ=>0
zSVpdfY(Sz>@RXodkY)6p9`IMBOi>AmDNmfYZi}x0<dFG*d$T(XJ9dU%2qc!RCTBeG
z7PLEutwKdOU-JolOGI_Zt`fDU1?{zXta@v%NX`#4LSSASaJ<1DBYQZIuS0Yn-;?(u
zH^uxE*+HjrUIRT3<@Xq-P)QX5-cTRYVF$jn%QD-373=%ZY#Lth18Kt14a0Yj1+{k{
zVFWGLb@G(Vz*}NSyQ%i)q<eQxOZBuSAL;lFw2K$O0;Ru!IV03$lb(ZoR`5I^<OHyf
ztvPJz9Y%~HM&PaCT#1f(+=F(VSA*7Gv*&4H)i-aeM^>pXq7oQhSyZ(rTpwRr^Qx2@
zr-kOZtPKP{z9r;de<Hi@+2!d0tAfdE%+Lu5<rTLxI=Ga&<0obg&YM%{VAHB*<N_#^
zo6pfz38+1v8$Bfaa#P{+g^sJjW!8lvCv6snsXP}e^SDX#b&j^3)&rOqvxR{G!5Wy8
z2_dyyDdVaE8Kz9GPez3F-UjR0^sC{iHjju^dCZ7z>3EUTBl%j6gsYuI3sC%o)!uX?
zJv!Y$-@4Wo>{Z*`0;Y)*+ikAfKv>ksGp{$xKKN{okDTEzIZY+mmt>b;HtK^`sS|vD
zaux(3i%#rs*4^#kM6>1^gfyjM*MgGdJ%+e<okJBp{Koo9SQvvJGiuD{yH@KisR#|`
zVBtk~jkUgU!X3CbDsocqwUE~int6=?7qxTE^Qo?@lg_bay=O02iJA*k)Ya@|0~+ob
z7}|Pkx?4^NJ$?hU8(NGM^$tB+AEsdh!U;cNnB^Rmh*$bJukYbQ05fFub}U#jFpaFG
z8dZ2JB<hrTXw*BKGe{H9qg-c{C8jx`%OmyK=@Pd%##{-uqvgvEe+EIr;H{2YV#x*5
z12@=~&2bG#)zL(Q+GYW&sRkq@DDm8sj~C=xEWoeS^0fw8vAzK0+yvbVJRg25V9lPQ
zc26r<0ypttj2)>OQFY|#Nta`21fR`pih&XAOz>)p4xx-wKpzm<EP$2aI+V%-9C=UQ
z2)4Zk@8;GtLAeT1!<7=~gmKL2TDjjO%grs_UhR3t^QQraqpcw>^4z)!v|^1^M^`(N
zPyviHlx6{M>$0+2*S*iqh`YGxAY5tm^>rVPJ4}eKtvttL7WG-JoP0s==pZ`RVMtW5
zf*%rKW1!FBGSiV7!b2XfckUZ3K&u;q+_bmbmX5kkf@W%U7Dl6wqDnXi>(rd7nd5}p
z`<CwVAt6PC92!WR#9A)M5N@KKZ@k7ko>*GLj_r;a5u}@E{3)k@$*H8L-sq{3Dgh{w
z(X6%bMnXlyk0$%gnnn4~qi7~vIKm2%L~TQ9+{Pv9eOt;>UVNnQ6jWjJ0eLv?)@Xab
zd}`!U8rZ%o8q8@uNN5qZIMIYkQ1Y~<MrJ)o?hI#JuNqW|v$P2JQ8>QYfWZ}`x$;PK
zB<Obv`b380FFVO#S9$sIL|=M37KvuMhQ#Q^1{K01Npw^*%?ANMYaNgE2<y7`uITDv
zoe{Dar5!)p#{zkz#;+K?XOktDT*Sb9oJ^KMUAZ~~_0Sw0JM+EJa&anPWG4;;8dF3>
z0c&<663~H%oFJyQ9`z<hkR<sf6~0Y(vhMBNPVH(}E-#b7LaAD)Lx|Ud($dJq^$cX6
z^@N#FUw2|-@?&Tq3NIi}eXp}%30+7wxZk3{Zh7U?e%ZXfc_}*}6KNqBy-VrkyBXtK
zdBRGZT~s6Sy6VZRp%b&tQV{UT0>>H(0@%pdcw%ARjdEP!`TR8}s{}uI$S(&lMyd;h
z1bA;~d$I=Y;S|v5C1=OtJa|?nWhs5<26VoYcGT<a2^G3cXRTCIxb$ZGMIIs~uQo{7
zD7NQr0Fddm6=u=ts}46#fVMD@ahoN4Lg;(+UVFSy!xxc{8fc1B$1Kh+-dj6MRvUVX
z=1chOaOF;3zV)k`@c}G*wi(i<R6IN?HFE+jWD7Wn`G`=^#1;-gNHBCB#am>4)kaPn
zdT%leU1N6GX0EIzVl84<;pTNetl@egI(a$<XEB_z{MZ5bgmeNr*~a>1Y(aqWZUKx%
z9P+H?O0uGi8;4#VwZb46HwLfu%ruxv+pV?UFvfd=9!(?8{Cu8Uw7~FN?IIa5(_#m5
zjF#E9F2b;Sj}_(1PSa021yiqHb2+rNdMhBR$tnbIiDsQ#KM;GwTdi#7B%pY4WNR6$
z?_~{MN_ZOUa{e-YLfk^zXzpxyLFN7I=vhc7#)!l)YiFT$_4Edm#U%o1@0!(d7M8$k
zso*9O%`vIB*?J?>6`Gw~@X{aG6>sE)dvDiKu7q_3gvH;JrwXN(+rXMZKvZQC8Xa2?
zNLhlF*u*y53*G2WhMh94h{}cZ%S%BUq#dP_4axBkg?pPl#F&&vT!jZzlX{Sned%(1
zu6<`x8*3@QL_2vvzsN3~b&nz5d<rv?+!8B1o%TR8m(|n>q#rZnm|42KX}_hRJz7n<
z*`rq{$ZS*|404NQk13O{n0;Y)JXuSRB)}esiDAJ@o}<mvP=B6+%#m_7wV})z13}s9
z75M-jvqGZ>=JOcPr0j<(+ZlKSZ+6&9FsS`BlU6Qk7R?ioCOAExBo4C<_|AzOFQdMu
zs%Taq87F!54wQm)(9Y!<`QBb3jK-?7R<ErkJd02jUhE(5A`F~(DHe$%aure!wiLIJ
zlcKJK-MnEWk_lq5jrFW3=_tvoFj5X46Oh(8Sk+T~`jlRc`f$fY71L0*+8oEsGqU5M
z%o0j9KfQ2Ay>_hxuy>r7?`b~j5t+=plZkjiDnw%jnarbfns>G)p7Y-1zE-A(?!iry
z5yvm*=)zWBCA*3#FiE6WHj{e1cUWOHY*!C1B!`^OAIs<hzTApwV)I^(-U49}8IpZk
z`05d@U>!EDH7M;P&t!&k+jW0!rf^H=TI^Pp_E2BqGm+J<bl`(ceG%&>HASI1Ocw8r
z>NqtI+U04_RZl)W2qnxH^oqCQCD}4tXb(1;fj=pK>oMdzUwS%!>FJpVM%U{}6IzW>
zuLIj5cH@E36@hfxA!Loy_BizcLt!<?CcZ%zbCiaSFvr=KQzgu=7u&;D1l@b{h%htM
zQJ>F(<YGOdcz(Y?3ktsy+n(YkRWc%pK?|S7R~xVhd)qW%>^xC~`P^VBGZwT7Gijis
zj|spb9WrosQSa~R6E$BFMvVqk6tF-y)bWAgYu4rlGUoF$oF&ByMhP+(Rq;1G1KcC_
z)}qC<@ksn}2hPjWxR(zw_fk;7$u;iv7F?iaz?%R<lRb)rqR8E#&T$b*(zPCVAyx6r
z1c)_#B#me~XZe^}B2l)Rq6qB9@5%+ih$cvs>=})#kXMx83$>E!s-pLbCGtvgvzLA4
ziS%2`=XNpOks@Y~Ob5AL%6Dtu5aK0x*NkU2tLOpwHEQZ8_{-3!(Jdi14H-Y36>NB#
z#&2lK*kLvqo5=6x@{pqXU|{4-nHl8H^UORaQs0*FDJ=@xCii6q9UaNa0bq(!Y4MQP
z)eCRZIbZiC_uP@PymfWW<jgi}cr=6r@5(AI3@mK{p5ck!+!m~Ykr1=@<iqF}%(h+D
z8uyfm$9Ufxqn9f$LhH$j2%{6AaJ*c2liSh{3t-r>haVgpJvD2q_fGebq>DU&Rh<%v
znd%-9m<1XO8!ht0UBF9xsdPqI-C~y7@99f;J7M|)H#D9_<*U-Fiy*^$D|0zBbx`$a
zDz-<(4<^a=-TJZjQsR>r<LhMF;IFx}Ff%47kh6=P_uGS%5L!{!eKF*~vttYkEOr{V
z8|+cG!Y;_Sg?_z+M=H}JdH{|>p2XK_60)K5uyYSW<3tOIjH8V&5xg1aaR51a5uGE~
zJ)y*s6542$GdX&+Uw#IC`6=%L{RW`W0BZ#Jyl2zlWp@&0qqit$1vDkvqy)8%hPt1M
zgP6P!5nS(iZ{ha9J9US}eRz<e-ZD2ldLnb!@=%n=j{S+rd(4j|)f^YGM;1cL-kh9M
zd+y5taI<*op=!9n)-AMD6w|}{CLp0BD3E-Th)R+WS)i(6ftY>i&j~a_G62Ol<wp2)
zcoG^ZDrobqp)Q8bayB4$9)j+1XU$dYScI@7th{}cm9%M|+SV0MgY7IFZ3y5VfxLAb
z1bj&5U0ne$92OsvbVQ+s9_c(0cS;1iRJr75svQ*UqM;)?9P<p7-^M(JB~kT~vTEyD
ze5K|_@1|M8OQEzdip>HmBaTTtdx91CNJqqN*XK_0&B$Bu*F^<MK=EJ{`H2E1&g=9E
zYYguu^H8hgc%>#o$JEEi2u5WY3~%n~!lINr;y&v|#1N(yRPT@%s`Ae0I#$BSW}lYE
z>lD9z#<}aW*D3~2uHCrI1-D^#mW*pbc}TpWUL-vqa(#7Pwl#3J)bEPYc2XT+vS{`c
zFa2cI169aEn>PBywF-pe^z7Ap#>r!?kLAwZ)kR#9bh0_U<N`LZ=b36fq(fUFyvLA?
zgmXLMiN?71o~-B8qZD@*GUGea0^VGTZOnc({)X-)Sso=T4~2MS`ZEt0GsJGlGu<9V
zrrka40B-23BDc!A5G+pwa!l*N;uupk;3v?gNNKE~Lsbs5i21BDG84Ni@Hn%5o>NMq
zE_7QlDX84b6IBUn!4j&f1F+-cvOt)DHeh1VQ(W0AUEs}Z(*;Xg*VcV023r1J3)Rdy
z@**i3@r6xBnY+D+vYWm_euU$Rs{R_M6=l=go*&dHm@bHmoWuAezk?4!5dgjjO=XEF
zPsNh%?O3(k(O@=~XrFw8+uGLFPH9YDQQ~~5wgIQU)Bsnt!-`K;S5SSD6ZKxmS-yV$
zs9xdYx{j{QkfDTI5<2E=RmUwIhOEHG0dl$>HNX~Qee+t5s=PJr0ba3~X1<a`5rioZ
z(K|CXZ_>1es7<RE-q-#F-pTX*3sDPfF9*Wfl^5?W58zcaQ>0`K?UR<a6VY{kV^2t>
zrOd$|zujQ1yNAb8qNF0yHx_gvtdbLVA<CAF6DBds&IzK-LG<*-40hg`caR`gfIjWr
zHl26PoZ6l2RDCS-N~(IQaQAd%bhB>Y2BDxhH{Dw<)zK+E!$C?mpwQGh)<OX2*?`qb
zG#o@m9?{dx5WbknoaLa=z<qk}82BA|9aQS$kU#@yCPZ|Zh%OS5w{&_8axuODS1Mj}
zoDkU620`&Sby`PdnYsg*E?`hYmCj*QpDTL|t(^&wAU;?WiXN{t2nrGs!2(6=P#}0a
zD^I&qwxEU3HkM6vti-x&1>BOa!Vq>n?v$Pg!JA{0Fv&sCah?$&t+)61kr@=~bJ5~q
zJ$opJI|d-q)y-|*($K?&alIofn*aw(8zz)Q#w@d~BT#SbWetsEM`mluTLhm3Zl>Wt
z63%-e&Y-@Jd+8WRuk<xV3RU1+8M<V;vz%jmL{{c(i1`FxZE9wQO#?=fBpk#pS+d?{
z^ESTXw~w&}q#t-r;*^Zhf<h#ux`wwyfZEX>8b7{AAPcWnjo)h=H85K599SY#qnB$F
zCqi==jZCSYR&LT`Y41v07s*{TgCx$LJz{DOUnN{S)U`aZdm8cpFh~%^LBnW=ETkgo
zUbvdpJv-X-8-66NZzN(7Zk)%*Z15XV|3Vb@Wx;~5y(oa5(sZjq>Rcc$;VxMbSZyYG
z3Qg;_5)62<O}qyW*+mXcwAnOdMANR2(KKEjCGH3X9^G!pne2{mVqw!d66w{Qp1zzF
z=Rj=3P)px3i1(`B$)HpRmNY5zgrLsrm)<D6%f5(SgUr;xuPtFJC0hzdo<inI1*rVR
zC{yn715~CR;V!(3V%EAWdp(y8j{wy=A1h?!VT6>-2sGvt1Eom5mFBZr)hYtUd&?a=
zb9UfPdS20p`U-lz9-2m`Q5Ls^*Q>%FvB1>o2ZMMZfdiXakH_Kgu{|COs&3s>%#<g`
zNB$mW>PCvu@H;boj2(tf(P|BA6OXVU94u58H`-toF}bQ=Ga0|60X_i-wg>HE2ekUI
zu^gx7y?L7?FD`PoGn}bjhg@QLVZR4KdMmB@LJ3)()qoa9SqSFAMK185_&sG4OQ9@0
z!eSKhkf30Pam#utX(3RLaO4IW{r27ID};G{W1Pog#sZM@E+>3ah8RZi)pK1n8!<vG
zH^<zxJqDp9StJ7G%GDW(0vLI3wSW;Hl!uv5xt;sWv)MAorzMghZp;;?p-2hSIuxZ1
zd#*1YKOmrJ2PlE8=Q3+d!%rQeO;yU(+ut+`EI;4i&4<L(;P6CpB_3MXn#^SnL|TVE
z76o4*tRZ-OrV87G!KdUIu3inZ2lQ}KHOpgZ4tJ88;SszG!^TxyhVYvQN<bAC+UDK;
zY%kNoU(1*w!Q)3hxGGm0Iu%^6#@!yRLiWmDu&#$@4KJRCxdAj%b9z3bPT|t?y?P8(
z9`4VRbUXk~<HcLip_~~?*d$#$eNd@`(X6u^uLYINt~v1Vmh27SJI+Tn%P)cp9&QRY
zb^FODqp07rC|yfPF@&zZrz`Jzu6?i@O~!DtV@x0w-y3=uv6)To1QyJ_sf9XZ`Y=$6
z72}NGB<+KQ2B@0Cs(O;;LVK?wx3wUBx^-hQEA!<jWkYJqtf|aWKSM0j*mtwcX$+`$
z=akKQ>4z3JuPBYQG<4r=iag*K*}E@Uno_X((F};FK>Y=&ENHw{o?0~rk$gA~lP>9)
zSSefBr7yUwFq3kc${TN&k8$pv(i5QTejLL^wN;G|agPG`*p35Qukq0XlM;+}n;NsO
z;3j-q!cOL?jabl+u!HexD~zc$Aj8buWIXW(l&qxpsYU8kx0k#zleL!}7lOud{p9Vg
z5kY4$9G^Aq=0og(5(wiwbl(hP5{PCbyar2yYw`nquS6@WSWtv(en6-MmssJs&n4Il
zpEp~U+*J;|Nt{%sJx*Pd459Vxdf|aj%hQ5Z@4X_Pq;6g&!l2#CLqbukc`tP==2Xz?
z9RRKx-;1j7iA-1&B7Gi(rXp)a7CI(73;ZBqZNT6~`94u5F*s$h^T(VLQ!|3(XMB<6
zuLp&u(83KcGNH&y*Fv!O)Jlv8M4t4PYyrJ|QDP5E^H#gc>vrJ`9b+u8$-Qo4Yt=x_
z{8lL)a*wDh8iF963(!4Cf-6pTqJf5C8i7%})HK}-j1HI92YQ?K^3^c{=)tW*!vvKB
zf{wSLRM<Y*7ni=B5=2n0P0d=-io4YdHp!*jImDJ~h;%CKnHsOIxvnGE9GS(iYpop1
zU%Nkw=V^HJvbB6Uw-4=xoc$(5d|GCT6uUDI{N-If#!U)oBjtNyk5AA7o@W_!z{0DO
zx9^UhXEdnD_Vbg9$+F~rl`fQ&Ao1EEA{@O~0Z`fk;uVg5LQ4DvDV0uH@3^XLZOj%p
zPza$jX-%fJPDaiUxW}WOyUN5yMvCg5F}SC(SI9vwE<RK^C^E>ibW`e(UO-09Ac9T_
zol7S4xH~$?^)(h}son$b110Pc7L}8_W5s#JiZu*#<QTrs9tmKvD{RgPydfQ3jraU`
zfkihqD({Vx<*LgSj-&lWX(>T(CO=!$bg4DPbkUdXFwq<eJ_B19$p;)2!l?9)^O?Vn
zRVx=KsANuu!@PYr{=@<&?zOqpc$#%6z0E^B4N;SQNmn5_!XPjp0P5}vHDoZaj9#sv
zSd?QQ?*#W&Q*egWZk419q5>cZ^1RC1)g_ahw(3^iGPmeQ;|mHxjOIH1y0M0NO1Y|N
zqjm9G98-`u?Xi;dIAUql0u;e}7->&;6D%*xFksBAkyvF>k*`y9%24>CS@a~r1C&O=
zBgT3xNak=cn|6Dmz~F43LxGuq$31xE$|JqN(IRNJj|rJy3HZ+LWa|S9wd6;Lgu6s!
z&9+bMGN_F4vR*)lbx*u!#Z-;H8jd%y*FlUoLtHt~YDR=w-CaRVo1OLYA@u?Qq0V%m
z$-Q%Z{FZ<h(^TwH@T_iYm5EwB3uU<qd;RPQKYEKoK#YP$WA{cALE(CyOao%QqAR{!
z!q&(E#K6ExCbJzqLtwccjU%;HwP_y0xFpfKCs~)E31ZKOkeX?;0-HMGrIhAe<TM<a
zuElojjvk`qadlp0^ftc&c?8eb^%bdWgl>d6*pAw)9eX1e+A#EW?@eUz>l^FPYgO5-
zHdqBEe3Q?5Y)dbgQd1QCft2@nMGcRV%*xnwmk7`6W!2G5Z=5(pyyOinlDCOiJiD)!
z(AyoH89+xFP$l|FQ&PN1`lR&H7o`YO0#Ve{S*Z<5x$o7oBWhA?q3;V=tjbC0gd{`H
zs~&p%kQoqEf;}Ga>$W2$A;&tKB^7apP)&LUa?pYzO()$MM@`7Ip#w>4`pQ6Edzi3f
z%8@2}2U<r3p4_a6Z}5@UTb)^{!50qQ4ir>I5AfB%d*m$6bw{RRZdlL<md<gUe=nPe
zcwp9wPy@;+pGklvLNYmTtUXAAu2+2fLc0~rCuULx)7LQ`8_QE1-yNujrDQtgM-B+w
z4GVW%PmNyJ1A2}bwFa+XmRpIFEJ9I4A_#bfmN4$j0G##J7PI0k%|1X#0J^CM(8Pu5
z&_4GN+hNdH0)XH4Q@LzpOEsL#WxVHsytt~!T}sVUC~QxjzOlA4d;+0kJFQc9IK^NM
zpx6(eRI-?jsMCr8SdOk#<h0u~*=E0iSMRo$CyJYjRBd(QA?{-ucsAm7YJJa>vzR@T
zr>LE6)%;YmSPp8i#4%6T9arBq8XWTtoR8b+6)L1Tge7}uEr<-D8h}l7r6Np%xA$XO
zuAb~|J*cV&2!0ev7;G8iOoFiLS7-v}6`=f-fpvu$=ym4?vo{#o`VHxOaHN+CdmhLh
z<$ak-4_u#7Lo_^l9d~2<lzkJ<C+#v~;%HRS8d&Y<K;v9;c14~bKnq3+d27IKU{Jby
zb~R${ZBjX|-#mvdSBuhd*k@h)$S?=@^gRMjudqp45K%c7fT<|Fad^}kC&myY7>~N<
zfOR1&!b1__XbTDL2^KMJ-lM1Z;s|!LCD;V$A-XC#%L{{h?JTq`T>FN{VIu_IJ%L)>
zJ2&$keD}tk+|-v&b>TI!7GFtpQ}0O6km@`F3`qrSUJmkcZl#{_T-tnM%jx%+=v|@b
zC#DQvn8tfNtI!cvlM1c~nEH@Ud6~se?t%qcAm#vcy@f6OwF-8IxdobJRzk~*bsCVy
z1!{H(lm3Me9SK3Pa4Vb7C-Rx&(v%iDFfHKr1)!yJ!iq85wq4h1+Bu2K8N=HpqBlbG
zthkOznOyOW7L!;wgi%6vmVl=zL1P#B7H`ahYsROz{THX^K(AS*!-esXn{bYiJsq|O
z@PxKDx6hh<<CcnAqqyA3K?DVq9RNI551r_x5~IlMvu)o7TlFO;0=}0W)$g6}=uG$y
z-A!!OfRYvLwfk9BmpO`s1i7hd_>4TLflOA+362QE+jvs9&r8#Jhkg<m?N-<r1!OP2
zX7mUZt$y&(GGs4rQ6C3y**@{>hxsB204beLlpP;E9tq!@O2nO^f_q6KT*p_03eILU
z7rbxyt;nH!jhB}cg)M^~l{47g?5yo<5ZR9Am@kC?+!rT}ChcxG3ikt@1yI2>6lJi^
zF>&XeIngwcof#H*klg&zX+#uY{3ZuQ1|J~zke!p|gHw38fcBEsCnNnP&Lm(v<(?Va
zN>+C?By5TY6V-*X-Mb8rSNRmRpEt^m_Tj}grE)21zLwP%SGw7Ix|GZrh@^3xvwl_q
zWVBg=H~Dm;2g-fgLlE4zU~JTDtKOp_Y9@x0nJ3(>rUHG-Dlt#km~v8`Jgw)_>C6t>
zS)U@f4Kms@lVfgIz!WuOa+qK|5>1cYasd#n=j;$hsnswZF9|_foU8k7=$oVIgnCg<
zPVXd{6t7~Kk+QPV%;h@uNjg`V*y3}LhbMdCdN0jzIoMSmninzTqjNPXFBLhc_DARP
znm~t6*WOf3lWI(=scNw83UoSkC(tX&*X)upgi3Eb-}pDD{>ACKXMw8+YP<kDK*YaH
zdD2@1tK60q*7my#zh|!Rg@>ga^b2?>9Gz}}s>^1^uls5NwV27r!=5jbp4_dYlH#*N
z%k4YGGMd_@X@XF6hrT7pxh&azUKoV#$O4NBk7i|gL~?xiIu*hQ3pA**Eovn}7tL<H
z9U9u7U|hY&HXFxpL=?Lm!7562{si^mPU*Wur_{-uT+s%vw%|2ZGZt%&E_&NeL*-{&
zt{i7!!s!z=OqH)DYoR$&@r;#+dVWE4;?)GMiQewC@TMh=XL%V9gNc>ZN445bBT2zs
z@P!gTnKwC6I3>congjy$Jc;Rr-RT-*h(^}yrETOEX2;RTCpvhKhUH~$(JKOT0m6Xx
z!9L+-wZ0LYuGV$B5Dd$~)1C+D9A(-)D-3<-3~w;D%YDi*S+4OZg#!!#Tua}afCKXI
zBfiriMwTZldymmYq#QF}cN^ceL+kOOLB5%Jz=I=u*(buNys&BEVl-9n#XEgz6%DF6
z>U|`6Fi#m^nJi^0>h<c2TAK2mY|X+g+NY#WqXj!KRL))GC3=|0#~E{Qd5?cVOLE5I
z=%TzMrkB(w9uEd;^*wwXg4m>^2bPdEk5c#y>Q0VdOGM@X#KTQH@^k@&to4p}!B|`z
z4;`O{GR76-y&6a*c!gY5<c_HJv|c{!l6ObCmCsCx8xxWo%G4((vn^Z0pN#h-rpH?W
zR>~kx%}*)JxwY@{LY4^8=*A<B@XR9~Y;2{9r$Qdutr;~o%g4QTIu9Z{#G0y@b+xv<
zfK;BHU6(COC4#@h(SYhnltOl!y*i2M#+1~ZdUI|5iiy~O(oUCEi<f;;8?$BtU69OQ
zY1)-C>pZ#=hZ_ny+B)Ai@PLG+yiwmLsG?t>-e4?X`rFcNN2p+N>hh~gx~>Q+dFp&+
z>_en{KrpXDp$kXL`>{8baK`nf(R<L8nUTcXQvl6Rv)X{3Vmej1lb6fWC~u?f1#r3r
z6*1K35lsnu$*TQc13!N0FBlEPUPS847ZkO)%MLQy`&I@9LhUvHSVL1(-*IOLS^#KL
zZ<z?wn2h?LPku#=phhAsDF!+WRl2!1(aeMB6&&rE2=>bBJZ178OgPY-6>i^ZM&ia)
zWX`^N;I8(<YS_zTH}7e`t?96OvfE8fjKSDzKnb~_2ej^ZPPybvi)ob@^IkyFaLH2L
zbAQ`8?U=Wv!f$$?i(QsnkQOT8JjzTctVLj<<mDlvC|H4F^Cg#%6=fuP=-bJ&>ab5Z
zjYR;{6ETPMEm28oES*8VlPAH#P*i~m{Xi@qt-jZadO9`dqq`XKwAZ)RtE{RKeT-n+
z{hmC%9E2;S=YVYl1NKyqU5%b|O$WR<K=gj1y#%}Ez3OZ2lCWI)vZdOJaJ5A3@Ll3a
z@>IwZkHFVQOk7rP_FmEB=U(>6lGmP<1XN_<E|N}gv_4>h1nx&Wy+o6bl%9rzJtmI6
zT=Z<XrX+d2W<!oogYR0kU=`-&5K9*44Ac~Mr!5nC*=zLoM8rcPL96D7Cmll2xgPc`
z9na>3zmBDtqTzfk&Cq5hn-9{Vr<1vOip<}$0AoPAD?R$D=6a-^OvW^Yg}8{-QV}D{
zwCuzXnU_V?{$4#a<MeDXue(S1a16QVd~O4er<mFM@jk{Oy;9BvSlMtn)O_M%%UqGp
z%0Moj7_`&STb6ot8E~+rWBh88tD<9-aE#x})p&i~5m<)1{R-Y3UcsxW1WA1rb!h!M
zvxdRJyEbVKG_1d8ROK&HC2|Q$&lc*nWq9Nj`6Et->m(Uh!9G0J+~;pk$C**wGO>aC
z?W=QN$A`U&EPdr+Z$fdM9~A*zO5R(DQIg9XC#lAmjFQ$S7@(|4x^D53ns+N;bp%NI
z?t$=g3_)n5YI;jE#b<~EZt1#HSWo2Pd-{@QBeXmaNEX@PDY!9U_q|SYl)Bd(f1#>t
zL<tc^#kS8|BcVc#39hBFlY&&#tCydwT-XFlkzy;dzhXH-bF%4#clUDD!2N;Qh>{>u
zc0RMUhfg^knc7OdTn5c)Q1T}nqkMI5H?PJ5l$l^>ggKBe+2V<uR%;KWJ85iTam(t`
z@w?|xDUI{^z2~>~CV_1uGZM5pkuwcKOLBq4B#1d9(yvyrY#*sJ?#wfbbe6!4WnM?<
zCU%2js$K&*P<U}0PsvJfsvPz8`EWMmyzsZ(^D-b^T0D!0Sl^>Ja^^}wbGKltV2uDn
z?GN~ACN3LePFotk0C~W&`{cP3b<XWG#<yp|UTWv!AvhO+Y5V5IRyHtf=5Z^Tsp#Gr
zB0S!8rRgR%HJX9CixM+(H39H<d+*WdgU5~-tk^kC;L-2VMFN-)828pLt(TN1rW8AR
z%G>COeh(&5oxon2KFmI>Q^J<WWQiwNPOFcHgyW7u=4sJ;WUYEp+_n%@3_;}Q1sx(U
z`elsAjok$eog;$C=?=ZV31?<GtAz^C(+q-L$a|#6r!Za;Zf#Eu!9wf36(3T?JjC;v
znL<jW!q5kP%JD=kfQJK#CpCrw$6g_DNk=pQr7EbQZ#H!Xou}67BTt#rP@j_533C(y
zrGAhoY3Bu?m3PGc5>6)`IkwWRdYrguK=i#9Z7EdLV5c6l$cN8L+ko1Xv1pGr!tI2^
zK2bILLe*^7fh+D&NESUM3ooOB#G-i=IKAcg!b6{kKe)&B>XD10JUj=BvPj(s2LnL?
zS7o4^M$-oIuzeD#U6_^yYR}&mhoMv2O70mvU+&Ps_lnFZ&=_rBpgbvAEWu+N-?8Ok
zAh`{ncB^PqB1NvdHwYA~zRzgZFdUwXbqax6&ty)BhhP_hdbj??s?`%0DdSPIES;LF
z+8sZyomb#<C?KMsX=}G}vJa!$peE)3(#0^VbhQbH6*mEr#sDX!UoeG9vyXYNsHn$2
zeHNPv?+RO6UJ3X@2$ct=WTmP?IOOxIvkn}7H92^1iy#ncD^P$KxCrO9kiUd<XLzld
zY!fq(z)5d<ujdKb@`j>0C9Jq)u2x6cYW7ssU38nCiMbmZ_ips1JnZMdYR~<KP+p~H
zH{}`VJyA81N2v1>SLvm(8T;k1=BSX$vOLIgo);70zU8JaZ^INt17Kp7mAk3Mp38|4
zlY)0_G-;`+KZ;j){?M@%YRrVA#q_AQe1+?6OD)}Id(UI&L*Rnsn7Cr+lIIj!5BI@}
zoTW42%A!`FYY_6#+3~cxJza=93P(Y|^LNA}xN<S^0OGj<Y-$5oM~CMNDq8*3rSZV_
zcogW^8jl{Ai;b(m(A$~Ej6z!_lgU<hzArc)zOXE!hjX|@EvnBMk=8|FHFlZE#Mjew
z;SH)8tPG=-UP-G@bjMp%lb<mQROKB}K2M$4Q$1czZMyqI8O|ZWYq2ZbtfH)kT*TY+
zjE_Y%Jm5J#HurnXEYFY+BpthRYlGT^0B$@1W8cfCWJE_q2Ht$ngCE#HBp1(9RRBug
zJR0r6m_m#Uv7u5eXmcmVE;FE+?b3%#nbs)<<d3XNaEt=@XdI&qzFBqnVztb0r1xYn
z88hCXD8Dgu97@`Q^mU#<M>>KX!b7&&vqyC=74{g^`q}TotG$N}&EXKHW1Rv^{Jlsu
zt56{HGhB;zWMR4aI2crroB~wlS(V79g<kTB-nfSrM^O((@gtO+P-{af;uUx_phAxp
zsF92zhISZPE5>9@-v~{GPjJjDxE)Ogp{x1}R;h<=lpzzFoTXb=R3w0hyv<1T5)c;Y
zmAb3Um4V`UH^6Dsx~^zG(|l$d!t4siT*9x|+f%ePNrW}i#9mWORz?|X2JbrMdrksu
z4H&yQv6dDi@RUwDvIqCb=DcRJfI=k`8hX_p62G?~h=q|dgl{j5VAVYxx~8oXTL2yz
zpqkcjW?87oxtwVki{D!vqt{9fROmqmO~r!Gktrwk9>tj9s@toD@Gfrw>}QYs>Fxxo
zltvCiuB0+eIJ8wezf03nkSldJniYC2fxQq%7^Yclcgkn>O2)Q?pK3M0yZMpN(p<=U
zHJClO?fgOn)RDl2-?9c7C*Dk<4kJkdZXlS8AV=;@*%DItjQ4}c!p0f_J(_0*Oh<N2
zCV*DT#G)PV+MV|GF*k<!16!-8O4L)NCEtjlMIRcMnM`_etFp^50g}#Q>d$CK30Gfm
zUUEx3^C`LAoL$|=Gyp8&W^v$Kk@T<<x+fvAZ7{NpQ9uqR9=5$B#=(f#on^?Bm!52=
z6!B~*22+P}4;`%5`n@-q?@@7!2&UaLG&^=ShFUY)f;YhHRK#wXDoM*Z04MT5p*2Iy
zhA_2X*~5uJm000A<X&Dbi$^4oe$NnZ%O)Z$rA2rupYjYIY8Kz)dUk!1S1AQrJL0R^
zLytxy^kwcuyc0}pPI_$Ph%wJmU9%vVFhCu;^BY$Gg!R#c6jWpmr90}Z4(Q;y0=R(G
zcq1e6=|-ZylBAp!Ie#*+{oG+szyRhI$uf0A9td;~*2;=V(F3;y9;*w-r$pw^_V6W!
z@VPOR?$W$7JX4=xv=ah$s(A@Md_+{d8&d-)%vSFS*o?rvEGD*=*+|bCrS#d}1l(6{
z?G<Dv1zuav)VTG0pF;!xMeFeRML>47Db>9?eonjQtU6C~*VpDrSbO&5Mk=uYL8VMQ
zU8kn@v2#Uq9VWk*l`V@W$Co6V@3#25Tp+9LR2bC|U5wKn^cHT)aK1gU$QDP99-!GP
z550o*1`C_WN7|UFp<9@X0$a4bQ5;5ctxYa@K1l(-JMl^jP>{-D;nlS9Mhdy}%O0w@
z*?L0spc-r9;DWcL<B5`lJXl`<g@r9J!CgA(>n0CaxbhW2k_VeGn#Lx1BTxEq-5_r@
zdjhH7yHvw<+q-4p(U<UcgG{2819B#br8<a5oCso#K?6k1duBx_PJK#Lfks$|_UQ?u
zP1(Hcy2)%MN)=I1#Jlh$B@wR&Y~)>ImBx<74O?`X9$<?gTAT;x1mzqx!H7t4e0|Ve
znU4XQ$_h0JNn75Yc0NI(^YjW5j@7L9pqZbNIyiWEb~L;u>)k-*t%~Nt6&^w?6><i)
zqn0Q0&JFJb%CY&`<W@rnSU&Wo(8D`+F<P#y%?kymLbKv>sJW(#xR#O{4Sx%>SL7Xj
zvPC;MTu+s8-puUKIH@;60FZMzvOWn7J|2ie)7=t*GNo9}c)C!%<Yw(c(#PTNkrCPA
zE5xwCVU>&9${dp5m$RY|4=3wM?v_2IO{)MOj3Y5XY3$RwObR3CXJ<;#9SsGr7N^e3
z#}D5#ah8e_;(E?>2{R}P^+{{!7p=gIun)m0*~GaR^g!^1r)I73@}xwSp37=+tS6ow
zbpp&)3M)1BP~EJT@)hA2H26EjhhCy7H1Nu?vt_p_wjS01n3tlcxlX>(@qQ1&Tbiv(
zEn9gC8CCLBidmS)L1$Ku-A10hwhIetir7%svK1#>YhPmVhf)z*qGl7MlPy;7h$h`$
zD<GgI%wM>gC8F5eJV=XvJj&e^6^7KY*lF4+qB7u$^PVYL6C}yFWP)P3X}Uo1YuPjo
z)`7QAN>$@M&17qFiLE=Q_g=#@#+rh7@J#wKnH&{$Zu#pQ@=%#XI)zl$U7=@W_GW<<
zU%r`LQeA?DY+x%0QdlUB<HN@#S-!i=j^}RR)^M&bdLA{#r6A`+<c;Us2J369eGG&6
zn9QUhH}l5Ni>BM1J5%9R`(0U*)1^{i)ysT#&-%i^^pRW0qwaXEC(U}Pqx59#etDQc
z;LBrYGU?VQ{mvfsgF=xd5}~2mrclcRAoVwg<a*&pGJ(1oVKl8nEqRzIM%D840X-$m
z_Zn^)$pzUvqi)+CW}k`i>uBX-uM59?R60Sm*JgHF6cPF`YDOQ8=wbDyw9r(nQMKV{
zHxKrjn-<Uw`|=hd!Wdaz<&(TRZ+`ojrBvWRJFo%@sUJMus>!W4gz=D~h!)*hBVW_7
z#u1l1Ab<qlcv!R{9yp=emI6&rCG8Dr3?STem)%QyF`VL&&gQT^<6QN4gm<NPsEs0l
zi|nGEX6sQb2euU}J@9^EwcE<EJf`#_O{%?)yfD419FOGet-Qr3cRFy9EZlg*azXI~
zyj7bBal@R{)b-?qbHi;U#@>`8vp>EmnxhfYhiz(@oe`W7<p9y)$>(fkm=yIA^r;#c
zVWxOxN+Oot`WLPU{DrHR<3{Do0_h=7NCQTg0ddFTo3fN1!i$Y-4je;8<*Mvy1BG!X
zMHxoq=eY@@{TO;K%*_3C(FW0HMS#>rE*=@M(clew#o9Vj<s#U^+^m7V2Uv!uealNE
zo%M<y1xSi+1RwY=d0=G_4M)Gp+cG(84HM{68z<^eG;P)zPl`hWeD<y&5>xlJq4@p9
zE5pMwYfAU5$cOpFRH$SdonCA*-JaA7K+&-jNNgM@O(6;^)TnlFBPoDX!}E78di^ZR
zn|)=Fmdr%lLl5I-1)ev&49RCockFYyJjz@F>@3rjh%Df|TJ}({ON{9rK9UC>OxF*`
zj#W;ZM_p^f+-IL%iKTY6T6e!V2!EJeSU3&{B)s_W&JqM39z0xqCVjQT40SN7XF!-i
zmO~shug#Yvbh>%@uEht=-ox6F>LZSJ2=Ygb)&|%rHHp*F0v>Fn1+0oESA1JyFfz~V
z?R!Jh6Jm{qJNj@rThfoIo|B(>B|Opx5<27Mtdw*lD?mjuiN-b#7dm-&Pj$^LA45VO
zzufW(8Br;$@v-wMzT`GNIcK8PCWiN--`x7};9HzBmT^L=zNJT*(t=UjeaiJ5ToA(K
zE!_$rUu>?L;^-*ACP*LT>hJ?-Q-e!%j`v=by(oTZz2XtReE#@BYzT;p?f}7-6Nnhj
zyRLf~^H7u1OZVjqYaoCy>kL^J&fF&{;@IxY9;%3R*MQ`wX(h851{mWHS~14J;g!)m
z^fA8#wW-cgRu{YRPAR>s9$VNqK&69k6R4se>jD5YvHNxE`nvkfu6f`kQbC9-6k=Hm
zOR&m7l%~~lpQzKFf{I|*^bU^cB7WHId-&X-3ME7fjX`D**h)vZ+jwAjr{A1<EX3Gz
zZ2IIC>5JD(-5ugdRn;USaAYlvlt)e5Q5k#?hqH%k*ZBHHB>OUEH>G$CM35<kKK6T|
zB(KD}U>PW|hMdfvik2>n*CzHPIOntHj+)NEF4y<29@v@LrQBw-Ye-Wbn}!jPc$)>k
zD;CjyN)uh_bqFuF0v=bUZ+cxt^ZBYV^}+}>$EI%>-+Q4*>kl^8GMWNZ{sQ)438rz`
z3o7KLo8Tq(wJS3Qd3vSm-YMV%7@*qPbN(uiQ0aIEO=@h-AL(JrXwA!*C~@Ov;|5ox
zoqq9Tm$*jxCFIN66(wzc8&TKxHu<p|WfIk<+e6GUbO#9Sr3Wt4!yZ>fy_eiq1v*H*
zS;K`xu80cSxxjmdYxQj1v8fR}7M#?3Sr&#Q^VInjOQyh4UDx?71zwS{lo@o5iFZM|
zwqNoKk2mp3R1FZ*x9+iA3P>C%O&SfX^kcNDd97J@LA<5a#-}q-59-*R9nsdDAUiy0
z8-1>@L`{*D?4n6r9@C%-qYoi=+9fCEs36WOb$QW8Q*_!dxe-LnMbH+6JhiU?w1gdg
zxP}!x*E2!(FgI>V&X*6y$CJ!bQ^F7iD&1gC=qMpjbEm)!LSGX|9Y<>t32p{0T@+_j
z%!OC238hSv_==?0bKyD+w|5xe8&dLYmJJ?8?^E`wl!WJl*lxvFG1sx(iM8_r8;0FU
z3W)I06zSy~v{49`kpV?~@-DRCHJA9qtEh%%#KC}g@k-bpmqelLk|u@_KW}#(#g@w)
z#MoLF)64)q^sB{a;m8_;11hWypU1Bkz^O|CWJ)kK5wc_j(qotTo&aTGj8X&Zv+R-P
zm^D91fl%XI-`oJzcsGs+3u6MOC`tqF3*|PG7kX_by#<HQ0aT-o5`c+UcRqn7_yRVn
zI1h^tqQS8DbzTN7Z`teh)RS>a7kiHxp8D+a7Iw9jNHz+Xz0zB@sfDM_B2GJMOYgXi
z#bvStVh+onB8alEC{t14HtSn-V85ovX01h;@I->Q=RFI|(>(5KN<`JH^ilE_TLU{N
zSU0fF3+!R8sX$qv&;<+_(RputW)VtC;hFjKu-7=juZecvll_y}Zo8pO<cz5_$Vs4x
zAZMb7ExbK8$d{~cOni$aoZ@YBp19F&qEQ;slTnmp!v4aUq0LfKwKAB{riopcl`gZf
zGkwr-6`^#<LDlQ3-P(5v6&Bf3cavfoIK}Q7Uw}uBY`UDs?syQ=w($#jU}~ZdpCvbt
zr(BUYX3MLmq2weAi_$1AD_9mm_6(w15*ssKn{iEHH1B)bb5k0cFZMKj$9HpsT2#T%
z(>9<ru$@!1?#^YB(L3fW1K$(6lsB$VF78;F%lF`U(A{0fv+7;07*!MwWu-S2P+2Hj
z=5Gtx-5IfOX_L|N*{dzC)lM<P(`(ptQXNq;IefA8GN50e<meM2w*|fHRUYRXFIdpZ
ziMc#G+iJ8P+j*#Amc@?QY$R_<z~^y9yxV!iR~H6qIT%eMWHPo(ix}5%%mJ;mGid-#
zRs!xLmPYi9B9*f-866CdpGqs9hvyUMigG#$QF1mwO@=i(S6YM@e$$;$u9tX0gLY36
ztXb>rh=DyHdN}vWp`eKrcjA!~jU$GEK#a924?*2XnDDE2r#RaCO1m$Jx3lDCVxVBQ
zfSFfmLZC}i-Rsz(<;8<yzT@jCp0<FuVRaNO&z?BVj71~Lsm{am7h_fP*umumkmSC}
zcQ>MDjtYx@em!++%=~beIuAvFd_#K?LeE9lLB{w=7ETJ0fivPavHnFYq1pi<dbbkr
z+kn7Sw$7=Y5JgNOyoFI-7xY7I2hXA~Ba!f23U!AxdkU5oe%7zA*I`I-Yg^p~P%g60
zHnVbBE&QCiBuHna=^b;viwk*Nuk{$D<S93ur`NP}a<p;Oj`wmUyN7{Nt}}6`&a9kB
z!!l*a;8IYh@D*!1Uv>1j9SwA>G5hQTez`<9Lll1@%gFptCKoUL5@H#5G|K48ua#5j
z9N*iD<{EjUoz{;{fIV+<pxVsUXbfcsutgr#i|6h&Q`0>B=Emu2Rut0VQ4G8+IUc1a
zzAE!{a~Xo&VI5(BNGQ^SB|B=JL^|8RuldPCNHaz!A+gFDgLSU;1c>NVHQ~l5Z2A}u
z`8hosYa;81Pu@H?U$sORb@f)2KHyl?%c4t7dZ-}JkoxU9xG4p}wIkQN_w>#?oVAM|
z6S4RizwCbD7eu?srcSSWBeRlyP@+X@diCkh!$Uugjxw;|tHY`0GaR=HwCxzo5n)MY
zLkV(!qwfOy@@$nI<eV6B4W&x4Cv@{D^E8PX*#fRjAHrqdYq~P8$MgD5pz7UA3?fVP
z3|vc{*YkXY9D9;_Yu|fqd&l#{TEsmNVq~FAi49v+7Bfe{Ukp(AW|7g`;*G&tdsnvt
zh8`<N(85Qe;JmWcz}-qz;IJpu&mYA-!1D{cJ4zcTj-|cM2X$uY`6~25m*mMtK7QyG
zyl6E}>^oVrb<@xGu_=o1<9Sq;79i%zZk6=NT$=)F#sacQqy_=@a=BLGQVZ3%Rd9VP
zZYZa@PHHuO!SneQh@@T;)gj|0%j%pfg~Y|NWnj%3N?xi!gxEU-rT5<54nH^O?aO3(
zH$;f%^gL=D4i4TczC;RTW_Q*V$)!rx{2@WqL_Q{o^*zTv{hVXD>=LT6nKw8J#}sWI
z78^m=TBlg+B_BiZ{Hm(9&ttolPeXkfl;;fQ{AsccwBdVCOMtwd#Dk&Ovb2koyvUJ0
zW;B+{?Wh9e-o2A#tdz!HaJj8;sI2I-I70D-w`Z$wDf;=Cqo(ul87`c#mt8+paLIk1
zpl}!Ev;Fh}b7HF@rL^DkuJTirn8%dFPrdIiW<w;5gL>Y>^k~30iWcy2CKEgZE}f($
z&8lR{_R+3w;Q?*JJob`jw0jE4lFsEkERC)qWN>{Ac5gdm0g~=E09QJ8-{dF&*~^2m
zcej0c$k?y+-Micj(DwpuNx{W>uz3f=uZB(DIwcd5-_Kj+l4MBLMWt7c4qWpNO^GDD
z?!|SAjkgahEp4+T@8L@-Eyx~Sb@NK8+#L(uSC7M=OOCC(m~MhEvTJy)v(y`7f6uV^
zT}C|_b4dX5O6P+18%HFHC({tFv7j<+6GCqDepKstb$Xo)Pv@(h!pt$)d?ne#-qJv~
z^Pt#38-b@$Vly-h*N>Ul1+dDTW|{y+Lx~zMd_CSd!5{}JUo@*UV@CL0iDF-m)!RpQ
z=Ao!hF=!OUCmqtlP2Ow3rkUpuNR8Qt{2r9c#_I(+qUSl#m>>~S`Y@}buht+tMP(zg
zXP9{2`ONK1!@PM<p)=6x!5E>YOCnd{Tc4yL@)gVN!vHOCZX<eHfukDvkPa}p%-ou1
zdzVjNCz+l;Q{5R_RuSn(KJr`~*Y#-M7@tT`BcQ%eaM}UQIiHJ7c_j-C1lcB~Pt(b}
z^R7Wz#ZtwNc$E-r%qXvjQ+DPilQ)kl;xXo3CaNGHEXwKeGNxMNCLv&*q+)a6NV<zz
z<K?S`gavbKd6jWd<uWPJGH|abvmYKyM<@9U@=s=&znI-*SbtsU^^%wxw_Cdh%3NOZ
zi^-xEjlS0D=ZSIB0oiq?xfh$ynC@N)@7X-vvR=N!j;vRW7=5R;@fzL|xcPfe8nPUp
z)k-1swCdeEkHng3P2Bxm6L8lW1!zDOg`^u*?7OAjjn!6b#wp($8`sx|aL#b6=xgzG
z@=d37>Rh~c#HS%#2@aS@!96~<s&jeUe?hzE$ZOt54n00lWc3i)^aw}MCF`Eu+>#3-
zzwO5)hcw;YaG4=RtLNM6%_xe*9dmV;W=g!0oFVcKQB9n=UmmQZ_FnhfO@1)e_Mi`+
z+-W{uVOoJBxvr^u34-^c3&@Y4eDqw1uxxr3U~E~+TqyLpfM?Nam5;laP^Weni>#t3
zH{E5cuXs?+&Q;EJy90U#l|(q0_}eJ29Hj>u?6*So!us5YV3@(f!DOEr-$1a&;7wK0
z6EMLeT=rVyqXJ$_WGB}fk_?EDk_<7_QOgq5GJnCwI_dmK%U|EI(>cvWdDq;Vpa>c`
z5Hgu(dGC6-mk=}9VRDS6w5!=XIshe?-eA8Z8BpuUI9o-`0VyBmV8~ITX153AWFF}+
z^5PBH6C>%`jcKNb>t?TXavq{N$OGg<WWpTC>bggTtIt&fO=86NY$<iAsvEInm3qgc
zxi(C0(l~45h0NW=dLvK@GR1o&G{FU=dS|8^L>w;njym+Lb_ZUiJ5~f+xYBvqT!!XC
z(NKn+*+b>UVtWa#hTGkn%F}B1QeG0SU|Dcpvpme@WAyMPfp$=$MS4YcNxo$VHe7tG
zZ%kbEYQ`Rva0Z2G*a_nmQ-E_0ziEx`wb$BcB(K>q0Vv0I5pTgvgp;dSvXeK)%iGr(
z%vBo@%Q*T?<uhsu)l6uD<JYbYxM^G~b@vIa&=<5QHd3}MV5d5fq{gQ6o<CfxGWFpB
z?tc7y66pdENZ+Ph=hZBU#T1>E_yyufypglG0=az>y6@8Aj?NSZ3swvqK%^19<*mG)
z(gz}>IMz{AFKPm^`;icI)zl<4-?)oT^)A}OM@edd;gjbNz%oi&P!MxDOtmd2DTLs;
zGxOHol9TAwd&8u_FS^oR23za`w7$Qn6*x8Tr7&pcO~k3mdlB*^HE1q`)E+~=U_~{B
zN~g+kl?#G+G`%VVhftD-^~}$-YC(FueNk78V1?|FUfnZEIq<v_ZWdv30&#uX8l`~n
z9yHEgCDEZt)h$0R<p)jNpa+jnD_dd^^d(RIlFJX3?x{bQ7Vwwx(pKXEL}kIf@gvS+
zxi<tG;xxE1kSFGK?HvgRkwMF2s{FQ+bq%x7?1Al6(KIW*m>r?ZL6%5HMBa5jelatk
ztN;wO^vs`FSaGe|UT<GE`NX~R@@}(-Yz!cz1QgB<-PEm$nnQcCaE&Su&*)-r^^Ix|
zV=Lym2RS2xaLB6(aeONT3zStQRL#+Q5q%KVul-Hm_R;CFsc(0;>kAV~a(UR04A05A
z(YPLmxeFA~vWz)G^KB9FzFBCGUX22s+l^kzTF)zjSPBfzE^Q&*Yz`R75cH9>#m2Ng
zd)z@{F{pIpN?Qv?v^2f)=5C!+C|RPSaUj(!84C_GSh6H+Yh0M~rZ6w88}|X(Ho46y
zZQ?p^U>`q{A)uKorG;39;LCbsJ$*}+dZy5HXJZkR?@CP??98U5ax_4+YF-K?B=MYb
z+RN(K`x*})uC2D|!4-j>j!p@;50W3Xml`|)1sW?zA(Y2L-9fv2=yEIu46?#qA<Aar
z`LLWHZ}r}E9YFGPu@pZQ&^|BAynDs<Nv*;cwf?jom!PoeDZX1~OJ3-AulxuCA=@Kg
zn1M)#!qCW28P#}p8%hQ|d4%O^@RAW{7Fcz}Q^GXVC{rOv+{)Q;ma9^P5|za)%tHXT
z<&7{@06XD5DyTshDd1&izc}yP*cuPS+7NS0lNiehBThr0sTET*Eo*&L{i32|F+gmI
zRD@C@xN)jpNt+uc;)y&1L||_D6Wex$p0`2t7Q2FR@xjFz_A}jm8RaqgUbNx_+)=R)
z9=TkzCzp;}V?=n&>$_gQan^|2=hD^*=)?E$0G5$Z87Us6zh}XD1cr|``9XmZ;O>}n
z(^XywXoy|K*`ja7O@ST=GDdaVsAW&Z%Q$nPm?(M7xv%-U@0vlMfU_-;*AjHRA~J<a
zeqqLf^^Bo5_7(YS*O2G~rP3Iw?tD@yPiYT|wr_HYq;EHy?JW~*VwQEn8$M2_(|&Y!
z&d-p_oK3Tvb-CP+9QG;FNG{z}@HOd3GdNPghM3Jn$PJ&6)1pH^OQ2C?xOU$<2_t(k
z5_tG>vpo2SVTWrU#ANclf~AqC_h!$nQeL{F1((C#?zu?K6CmA<aSrML0`G^9+<VqA
z5)rFv`c;W$68a7ntFA7fkx$YKfpbDYy@xL~RAu<pQ7eW!55f8yC7|p&mpa!W!$f`W
z9zCN1wOSD|=x%CLfP&sseDAK!t&HEjp~ou9Nh9IFF+ms2sNnXpZQ&um>X$7~byu5}
zut_o-7jk*;G@s-Q(M!b{V3v4F(cq-;oUM+^4lEf_rm@}f;LL?Z-xm5^`V#L#EJfJ!
zyWzvN0F3M9WpOIdw~hCdnF?Ia>8>J%A&O6f(ziA;`$#+<C;{KXq58AOrZ1lPb7LX7
za`2`KIJ}mzeCi#LS(eMXgtuAjqiQMnjjexS+im8Y97t(dlJk@xvnVRvz^vzW`O~L4
z9rvb#PjKgium~0R5c~)elEOtS92-_%ul5d0&6!i<9svwRWjW3$D~M|-?_^nTP1Ux^
zjRgrPoJ~@>yrKdRaleG~M%`8pFXR@P-hEHHUIvbaFVBmY<?EXbPI8{JwYwNP$4DRz
zh-$p@n6xul-uWzcm00|UH^$-Czqk#{+Y#KfUL63Zggs*FXE#bZrD&7e(4hvV<EwAk
z6{lV<KJdfX<BEeaV$Fmlku`Zz(gyVyYf&~?p7r1XJ!!aDg(g&QD&U)XGj7NV3sr~v
zFx~(!8ZIPpZLbPi7jQxWK@Kn-xjO7H?E(%bNIwrMP~i?m<0pYe1j5|~Ci)mlSot}c
z1JzrQF&M*rFP7a1bo;TXoHPtQR(t{mCotsYc@wxv>wXnejTw(_x6JYI-O2*n+3`C;
zR<0QG-txkzdwlR3I|irC(r?+M9tR1o<w6b`HeNfHE1jLa2Xt2K@7Ycp&5M>WmliP!
ziqz!`Hhol#+r_(4EvwO0#=0a(;W{trwH=FGtsHt_8v@qN%e3b$?Oct)CT~Iw%kS;3
z<dYYnDDn&m4d1lO&|63=wi20jYDb7ET<8pKHoT|$&{u9k4M$l$pVn%yJ~<WQ7?p~w
zNL@{Niu>dV^pJS@46@`a_2~`(wO50Q?`fdEm6CbYLhKx8uhkE*t-ahkl;2|<B3XQs
zoh+?1QKIpd78vziC<~`hapft`Em6GX=PQUVoDu2-5|smw4e9c2#B(O*^Ot+Z73%Es
zo_8O=r~-Q;gwHnMnHr*nMAA58qS&$eN|+D{N;SVi!XmNKaC$r#<j{PKTdv|x%UM?}
zhI3ss+ma9ZY;;}iykx;0Cg;v4-!po!-?Odh7q_M_iWTpU42oDJ8wc}x%_*33Q#QbD
zi}S@+XqEJ<%!76Hb|Ia|z!wa%7Hd|QEqCQnhapx%Z_(y4jy-z)fHn>MxzUWQ8;AyH
z&*amQ#PX2LMBPqB;C51XdDLFFXaObDal9?JA(cDN7Khww4S^pXuB`7ONHx>WvoS7Q
zk#MfVhPc(lOMH8;LN7OWG$}Cz5()pFZ!taOskm_(96ew+FMN+H6JpQ96BO(o@neKN
z;6hI4fW~-<eofbq2P(3J5u)icuMI>d0Uk>iBjyFFbwy2<$BRKxQMN4-EMo~^LFXzE
zxMu*prR0Lh0@03YbB#pxUeB8|#e0@d?4`*`qh``Gtw#n)Dnzb<V)^Pwo997B<5=+;
z2VBRsB=2UwhY?z+Vw`0CNF@gHgcerdpo#D?RozlHFpHE*lp}Y!`&4zn^h=MpX?dRO
z>$gi+;Bqx(;SXLAIA5YECWm4G`pMR9KdeQUgJ3!Ci<2bGY@B(A_u48hK|q6)PoMfO
z&#NWQ8SRxa*hfBh3l99mtzQtn8P!w|xXTgOi^A6jKFjQn$$Wt)=>lg#NNgdmnM*38
z?ohh*Z1;h(lL61dl|#kLS(Rr`yhvz3p!V1+l2|)UMyYp$fQ%}d3-sp2P5R{UV7~&)
zZW#fih+&=?cszs-w0POEKxu6~1#rsOX2D7F3Tqme`U#_ME9ZMbHx<I8uV$gK#umJ<
zRit`=mQ0@QDqgN~1G;tRG_YLYy}CjZKO)X_Qx8W)JA!tPd;ujP?)y}gz3Qc_Lp^?&
zJRqUhQgR{9=v?;{%aXcwi-~W*GrS&AKRbh$_AcExSo`=v@_~944yuPw`b8CR!^?UH
z>iKlD_bn0G+6GmjM`3azckqKf@%IQhmG*nS_3s5)so=X-tOtFS;=^O>aKVEt9uUxn
z<4`z9s}AndiohXJ2_ybSTsFi!3vwI!o;Eu_*%I1`EUxOcl&n>Y4$GyfeX`z-!&0C#
z`T7`LRa&fTm#d2Hk~`1*cvnSlo1WeBZdG0q=;9vLz%J(+*1$&5318r3&f#s{7(9B8
zqfg7;o32-9dWF37@(xdZ=S}sQbW}v^k^Vj7UMo^O$@CX!QA4Wsgg7^=B`#HS_zVL<
zoph8&bQcIPREAZ;&4L`<1}uVoxZd4rmq-;Mtphn&LdEo2YbSMr^%Dzz9{4LU%_Omx
z-|xhFy}q*y+o}+grwd3H*zy*k008!0`5Xo~<=Z@IXec3e)Kaao0`JmNA+Uk5cIHQU
z2q{8yOmbax87fA;M-|3b5}>kMg&>A8B#%>^pQzv%zYe^_kVhhCW_@}=^Bzl9<RRAH
z%W8mY)@j~N5V1Kc^>-`Y`P}Ux60xYcL)(?y%}5c~E8kUJeU}gfG!Nf1^=wLx_d4jI
z#HipXss$z{)okFVJbSvS#R*}xYjCg^{AP$1o%eDR&?{z_nlGo~t!2DrAbTb8T-j0+
zVIC$t;n@aHc=4=bCEM_Xrr-ol2UJm`;jQ~)(>+1juBAbU5kN_-Q-w`u;-{dH-T7#p
zRgu<jEMoTpd2yE@UKQ;F6074!Ba`WQZc0*M{aPQHsUNsn9+boMhPwML8NsUr)0OfH
z$S%R5TxKdJ9#z5hDyye8X3!5LIuAWEwcEwyP)nQ`ub_;D7d(RF=4E<4wuLkuYN-`Y
zg^5Y7H4hcN9;=b83K!hAGRomvc@slphMS1WoRM1!iepUiT(t|4#$)4ELQes`fK1hs
z-sTGx+z0BWSAqcNo2xlpS8mnI?}a~8AL{QJH@;V85<JFrGPBG~D#HytIbno%Zy$G^
z5>4J?yhW{0et6nEhi3}&_$YKMY{Ewra)exOo2M6z_y|h)#^wZv>+o65sAxL~>lM}s
z>L~3xRb~VQ!X9^{m%+Vr4JXs<E9Ql5VQuOcedD`<@c1qsJP<D?Ayzuqc6wVVb?mrW
z7Tqs_2wg(zsrY(5drmb1?3+7s1JuugdF|C-=*q*<0<FD+JZI~=$IgS(LPcv9F|Vbc
zbCI~X!mBkbXt8Xtm+wJ2YSpfzGNLkZw&eLrF|V6!q}~a)@G?B;6C@N78hJNIe5r3k
zBw)A@({&$6W(lRz*?B45zNa$uqU4n@<n-eQZ{%+FNg0qc4@kXk2YxEm&)f8Z4)+{Y
z;o8?L<;k}E^4DCjmpaaH^2`|2Byk%RBRxbb1LsxX5Ti8@3g#X43A;nVS$Xf%<VV-c
z_241hhNIP5$bq%55GMMI_X`6NSX7|gYW8BhvXcn%q;pY_A+fuDmxZR(mD#H%xA>rk
zuLJOTt~_|}(UiRg<zR{C^Mz)nz)Z!hHxf>3wm5^EPg$EpY?Y?*#q)KLNy~*Es<+p7
zy1I(#M;32`RV5Q2i?Td&YMZj{K5L;GsUA#AAGmEu8I5VfEA#a`@U|Rdf`(3^c33i=
zs8)LNaG%L7BR?$$rM)&nVHK07FR%iKUvJx96h;Lg`YQuh-K1tl1;TtU%E^YFl0Jtq
z%Jh7rTEmMNMMJ`yOnO)h-J(1N3bKG=_5y4sl-bY_*0vr$Y3;TUtkoPQuw!5sjdx<(
z#W-rl=?u#uoj5(Uc!+e0=ZjAciRB6cBxZ6MNWhiaqV`(&Q3;fnC-;H_=R-0LtGV|c
z&g+~_9F{mySvbnZ_vkSyoFk&C&cpO*<tON9xt#9{T>|(*m-`aQJm3N8sou^oK4THD
z#S)i+*U}=B9sCsM$aT2pMO&A{vz=F@R$%>Dm6SOKx}{)-`iSssxgT>R*G7cP(8#LQ
z9R<B7HnUlh)y0Z&FJFok^#yqX(H5DSw)Q!QdI0cs@-S{{(?GI$v?<70l|P?xfAw<S
zDv+(2R39n1Ba=f!+uel}azn@_K3J%T=P65cEu;b`fq${fCwf$wGgL}^s{9(KN_IjH
z<Z3_!`mHzx8`<O9R}9KR(fy|Dox8Tmfw8=pcUbrcg+%i>gv|MJ<^UF*32}<H>3Pc5
ztjOf0f)?cIAh-pdJ|uLN(gEdOq-EBIGK_T5LS>ugN_>heAQSa6kkRDXLLtI{s|h@k
zY)=g3@_brZft88KIK8ffYKgl%nShg8Z`)1sLZ6a)PlU{b!(1twHdNP)^8;4O6s@aG
z4SX=ePZ^fpO!GvsMhaodd(#=~iDCGlUxvVY@ixTMtfww6-gRmalD`h!ecrYk)OKKw
zxuMkR2?ofct@QG}=ZT3ys6mqaC?gElPM>N{8Q@;?Fas~p91C5fR^;}gXDYU6XOTED
z#PS+rK`&bCojdM3fjD`3e(Ff-YnYq*Oik@%IOZO`XcaTTh*EFo=P@{(Oqz`_Ou%}h
zxeGMBaO{<|*W2e0A6QU?I^ZgoqlFQ2(oRYdg^EDp+vjVO_w?c@tvniMAVVZzsmvIq
zUp}eWEsxrW_udo15%MRuPbYBb2;`LX8eTVFJlExMl+*G;@{Gop$M9U`dET(23hcS-
zyqU5BGa{j~w{gs4PShR2BDaX%ItcJ?iSGfIztuKn3?V!0ZCU9QI}1b+9u$-W(iM9X
z!*z0J@{~<-kZa00p!dmJ+_^4zKGozH!#np#M*FeFQNIFOwQqL)i`{vv(iPN~7OHfb
z$MHr(6Ri6lW#)A69q8IypE$jMAc$2pl+g`yb8n8l3UDhl*uIzPIy5|(pppxF?LmA`
zWz@7@S1i?bpx=ZJ6u;T^XJj22uTHd+idG`0(nUjsH5~=it}V^sg;ER$`=Hob!8qw)
zov$N3t1Nqj59ub8M+lAi!hK3_4p=w_ZaQDQ(HCtLd4{^tUX|>B!Fwn#?~KFy=^NlX
zuPqGR7wkf1al-1jKJX5>9#+FM1gh)dwK0f%Zt2lBgT&W>K_#wdIc6gLG<{^QOJ`g}
z4JjNz_nyU2R}E6PGzhvHTE1|R;KR7$Y^7Fvy{+?%5t$6OAFVe8Yd?6Lo88yX%UH(5
zEzp@Fq;?7-+03g)fHM^PW*>nYd5I0NW>rT_>!YL>nkn@-Z20hkuc!l35>Ifh?=mYD
zp^dE<VP%i9JF?(Cf9>Vd_5^Kt9$gxu*PTS9zl&#2{EWehH`xqFT7VzobZ<41Qn50l
zY$xqgrB0jczI~2jhf+_~i3m@n^i<r;NWrKgA2a~@)Z8GqInzX_n3?x`kwWablQ@@N
zu_Ia*hhSZAHDE;ZO^-~$Yqn(_istuf(}M?}E54WJ>s$VsR;y`E;&s1V9%`sbu~%KF
zYt3wr@)_Lh%j0Pl8laz4wQ%yn5odO(^D-vSgizzQopzh=3B;pk2RqoQy-JBhnAdIq
z1O=UhG4NKhZ;vEsP6G8d!%%pY*d?FuCC?GOT?a2D4Fcs>h@;qq)=&_QMIa=~Hr|Mg
zpnKMs5RegMvsn@T;4K@wEd_!pq>cioy*3|J!k04C<Q*vFkD+Mv8RiS@_a59_ra{Xf
zL=prF4Poi)Q`C+&SHivO69VN)@Cguvt*Z&KB?ozX17&{XlLI7ag!BzB>KDAu)Ghu5
zSY9a6*cq<vL)Vv7?$V+Ol}c0Gl<(*UX)RP?+6bhRB4HZRZHlLrcG;3~>S@JHJ&IS6
z&6T+}C#`D)xM*i+S)z;7Ic!?Xq2M_*0uN$s*oVev`BFUl^=;nnvNvSxwmXOK+iSrS
zo(C{aJ~Q1F0|hz*gh|mST~Z{Vfl^zZh!I|1?z(VMmJS;>foTIs1{Z0D_7}awjL(OJ
zF>ZRRjNd~ZQk$1W{-Wmr?G)%N>}^T;v%?tcuJyzt3L<`X&07*!MQ@iR51<;W-nAaT
z5#o_@X3I;q2~}n|B^Z`|y;kgW-DB#@Pjh#rNjCbp-;E;&M=2IV3U|7ilT=cQtoB<o
zzmuLFeysAKs(esg@;!i!5DF~NT#($#eNX#Y)~pM!7&@dyoz$|Pwp$e9U8>kKv}{z*
zM(w()lV&}~<gG<MNVwefff!fiA?-(IghR3-sHO?PLCm!8>@AnE2fsr1owo={)WVHg
z)8<)t=_xQetXm*94OhUv$yd9)l9(zFAG%1wo1*J}aT-3zLw*ze6dj$^mWZ-C-M8S8
z9;?wbK9D>xS|}4Wme5pG2AqqOH_RjNQYg}zyw^t3u*2NJNJcQl6IAdiJf41IpodS{
zQ$34Sf5{jbxP&|A!THs%nd>FKA$!iAuS&$Lx+LNO7<t)s>n&<aYOq&9++aDnRIBT2
zoH)5VJ4mOUJLm=8J^&WC9HG3~QC?mMu2+qc?@SPtAjGdPQ)69YT_(?F`c8XOs8Jv8
zD5JL%J%`(y+C~xyM5kDDxQNM&*5fgX3_S8ZoHy435{42_^%=rBRfSyNVBJW+t_#$>
zsj)7Pt6Ommr-3S4^MQw3`w$dV#Li#3T_G5h`U{R&o~N)hPZf*>+6b~djZQx4CH|sU
zn+p;QL+q^>v8&>S-_|}-F}z6ZbbRylxjf7zFLs5a*DqgsHZ}>s<5Y#EF<jJn+0Av)
zODL^}QrK{9Yc_AlP;6Bvqjx(<{QRgc7N|Hop2eHdrPv3yvrj`3=Ja(<!?o&_892Tz
z<mjXf)Ih9V4xnahbD-5&2DyC=+*=|<7L+3JE}h~GjEsm>3D26{(=@zcG%`i8Htw1K
zi7&hzdl9SGOq{392W}|E5S7C8tgpJc$dV?^5fA(F{MHlKsEj%q`WNi+n3z|r?6#9H
zo9#_Mk|j2~8{~U7$+`MGsgM`pEoH~j1*g|?6!{b*^U|KD+GC_5<Xr)}60~Lqq(>gJ
zOd|YJFc7NimC!~(%8^v20pyzna~iH<h<LtMlTncm2Xj_K43`i6$y$0e<2_N(iW{2|
zd<4+1Co`c)N{cEtBg*1A%zH_w=5==CP*jGz9=wW=a798{fbG;JjF__&@hUYe!9pK1
zQYkNG%iE?0F0t+U0E&f~UR0gCi1!S89s0XNAl0XdNnV0vz^$+j(pk26E|06X3Ws5{
z$}8N>s`F*|Gdb!9;_&oYnXK8~&7?&H9!Q*q1p><(+HmbyWr0*gsdN(1XG%o3qLZw8
z>BeASh<XA?7KoKVp8DQCNIriezNgBiuhav|RF~CFQnTnbPr0AC<-6xbgBI(gL+h<z
zaVXKA!uPbx41i=!$v2)BRqp`Sd$IU-=Lq`%%lz3xH>o;|AhL>dTbbd#e2V2-yNKZ>
ztfYe=cOXUa9(dZM#|uA!vZn)#`0n|>Er(Zmpa&d7V2h>uIxz4>rDpJ6m~x=tBP&vl
zvs~<TAExeIuyN9Q9Q?Xvh@lAvoL}H3+{?DP6f>&pH}j17HL^No7Zj4UYLoLl#*xbD
z>*x51@1rk#1<R(&dg*S9$uh9}RtWuu;bNg|iA{94*?L426u@hmY)}~>-V4y1xCg&%
zu{!|KfFp`Lro4BhJ@V8j%dVtezUo@GTD*BlWZt=+a--PD@14yPP?H%#hi9yv(<#RI
z-~b5#h+7{+7Iage@ew^%jeEQS5PP&0?DR&d9x~W*CF^10ZZj(5I**x=mBbord8%RU
z#nS_+bpn&P{EJ^{a)eha)a2r^t>v5Yw%9Z>1N+L;PuwJx0BiZ+T}NVP`ifH`-nDkz
za96&QeMcx9g4}h^2BJQfw7o=(j^!###ODXrnVjH()2Xn#W8F9OQpp~AP~zUB5foIZ
zZg!Ul%Nh5R7(n8Zx5#RC-h6jqu@T{Ex|R<Z=Uu^W+zR=Cw*xzt@7pp%k4%bH<}lJY
zcMqOAL&hUS6MVGY%_~~B20fJ71fH7U;mO8qkP?cIcu}1&&GVY%rmPRunL=9NX@|@R
zv3U*MByrk%*S6qw*Xi`!9@%PC={sN3D5lqwm!V>hOI4dafVt@@ngrK_$SXQhs;y(T
zbUVg<P8>#eH*uUWpv5)4#)R}*udQ6-#f+an%Q}jH*4caEb5zXBu&+r{CzivlutuL=
zlW7+K0EF~0W97Rf<HHNddW5r)l2Ltx!5o{#8@O`=;%c0{-Yw@1{xCFVq0t6*JABUl
zDaIwvS@6+7JfpNdf+|oZLz2=4=h$+f=PuGSud}&1)D>_*-q?nbx#V5w2>Z**7?FJ%
zq9S+e7DINYeS7f8O?lkTTu-Zwdl-tn1!|DVt5-5Zlg&1P%3#pmdv|Dhv<9VHR<kuV
zU;>Q1a*wKo@SfwLlM(Xqh_NPvh=cNQtg!P4Gt(I(*OAPy20D%qvr?A5ig}nuF?9tx
z35s%c%i$UmKA-$DeDUi~A|~F6D6SLM045tf*J`@sy&BFPg%KxQ=gc)82ScE6gp(!L
z^Fvd?9<oWW!YzJIXTm+$A*62pav+G{M1Y*(84L&478(*0!D(J^;I=262tB+|A%1VA
z_pwJAnW6S^Zlz6667*1HM!Ez6lDrG{ncx?am9fu-YH$>0(sE@QSc?2j0_b8_j=yev
z6qFBTN<`iRX(gY5KxCD$zW|0ze2TiU3(fuHmMRDlz15JVoW)nsf*-CU%cN5z?TwWC
z!vZyiVE-l5RmyubG~}wNusIj63y_7OoayB1Z8A)sHR>IO6p<mJoIJIg&3KJg@}SwM
zlmMPm*7-Qza|V09n~0%!MoNwPPAXS!hjy4Up7vs5pv}=!m^q&9$z@p-A_ll;Bcg6S
z?{TqRd5N%cmh}KTK*YbD$;LGF3XVeYtEOS~!x^b#kJ5m)>Fd)qd4Nq^DUX58UffF1
zx;{g&?p~}nv|J6(GE2DL`P_<Ch(l*R&+xY`vw_Ze;xX~!%1(FMT`gd+liM85iJ$G>
zlHxAgGhx}XXK@En${bJ6x5G>}4$%`sd~I3Xnn0L%IUhE7rDL2rnF{X?vEXSEF`Z*(
zy^P$sG~{P1+2mf89RgBd`+%ya5aOm|sZ1U}%2ol&cX_cbTsMimFG3U<p_H2M{3eJJ
z>ng$UvG2rT5!0L*Ri$d0HZ*n-ME9AKgWy5BR0<D5@f3{VK1;K#89~^@JD_c&O06wn
zp*PEcYIT4TJkT6K(3|EE)$Ng5+ZU;=A`^oL+SG+ZgM#E&+jRZhr(fjGssKd@+Y@qO
zeM{<0q={e#PaH)%`~h4VTrD*LOf`(cJq)g1!s?`#sUke00<T5ahm(s~AA9=b>J6em
zm#V%-eDx0H*5@2lJL+Cobk&>c<d^&nuzvwewNWRe9V2NnqB4WHr?0|dKwTx;4oDlk
zHaQO!$0b>59F_$bHt-l#8jPD?wkke{hnU{ABhl^4&4RuTJ=Eq|*jcAqcm6i(r312y
zzyo^-Au#Ybm0UYs;`Vw_tUi~PeO0>YX$@C8`X22gSi^4KVx^>1TB=*{gYKMot5`cF
zGf?K5MxLdr2eu%lgB~4J7gq$+$&pR-LUh=k%hF#2FIi!~O0sG8BdAc2=DS-sMYs!y
zVy7W|{kS*|t_wJW?4YoDs5MJFs#@2kH1up4FVRf~JXMx(fF;mixjIDFRzfoY+fN9|
z*2UFr<sF&^=3rs&S=E{hgyJK|zR-2ui{}DaOlB!uEVEDbWq_7Q^%e<vigfCtLGa4J
z=(|V3<8?eolR`|PeZ9G@hoCR5E`#a;BsN#tQg51WbK7mm!?g(lsV!bAx!p(I;EoK~
zVlUk*V<<{aQaTTq3)13Yje>x^!We;b8Yjx0!&Eiys?>IWN|k3C$3!sp@ZS2=8dxC>
zGl8$NCNtg|69sJCnLlGLI8n0R#R{C|hjY_oxzjzhz`Hp*t$VT20{HOuS*d~ToF@?0
zo2V{0rL6bx__afE+?$acw*KWVsaR4FZu^PX5Mt5QftF5hIpxEE8ptAV>%6{7=0^zB
z`9O^T<-JiJ=IQm+M@_)p+3H2?2RA*!we<k@QK#v_V|>L7Sjk4{`ozo?+Ji`F>Y*8L
z?P#4d`W_^bfL9etF;2tLuA~P9N>0(h>5}gd*shn#Q$Q)xmkNm)+7T?d#fqx<61MV{
zTLWF;Bwl2q#vZ41PpGXU*7+MU@^Y_|K1#W51p<85s=mudxVbuH5(mOrC=wUMxJ#wd
z_cQ~{2-2o|RpjzYRvvH8qhw>rV5`*TA|Qqtyk__$SoDkFPSbgbBq8Z&>ZE7@>g;MF
zZ1dJnpotJJ@&dGBtyiF!70~t8fW<P_E!N_O2UFeKARpUPY-g*48O;=mr<><1o>)sK
zjcve7fUNUWbL+Xh+KJhyy$#XG_RP&^8CQlc5);!#+SnB&efEmNTw`lz3`bE?Ch2kL
zATDB76_OT#UP79M?b<A&g)1NpJf-P9Gika-mYmd@#O`{eb;|q~!Ufl|+4yoiUpGgE
zE>2vA_OgoaWw*WHS&U3e^6r{_)`tW*o94w$hh+1@vSg>gQ$WtB4N6hXbHQ=(#hK#N
zh%wGV&j62P07^rugvr_z#6(0~nLXmCx<^!{@5oFq()=aq>wPHx23+A@1*R&&L&{Eg
zn@#<^QmLck5(*TO&%5DzIv0nLAHAbdj`WRl@GGFH3(`rtdD_a`-M|5{^uUK2o?3#&
zjPlal+>WJWFb<V-OKEC^=<suX9c71{piki`GrK`y#iOX_<dO)&iGWeMfK%A2`C>1M
zV4GJ^9QK5D-K8QL_HAO15uaC|=->bhX1?-?Vz*FUv-cj<J7+PQwBC3w^DO-Y9*cU|
zd9BZ7q{1M@%JW?4q|>T%!NV2pd57%EyHJRcSlNt@t!i7P&B|G(sb!>&Cf){2L}06@
zw9C(T^pe#Wyc2lYTiz46LL{g47{+|ER}b5v(5sG@ym!US!Yhn4$$(hy$z{r$B$=*Q
zW=Urn=Ql}s7<Nxbi{JX|r)WjlL7DMP!$!nIln1W3iNwW9drvn<594JHi=~{L?Ty{I
z7iK>$fMauSPT^qVbRmYf*H<Vw!Pvo3%ZP$$_+W(X!70k>^T{QCn^~sp3FO@alEMVS
zt6FbFz{VWW>@hlwspy!gSyC$k!?fj!ItF_*41(6LQY{?7N`j~_zvp1(FNDvuT&C5S
z5J*OO<3Z@)7*bi~*%bg9>H*DrMX1o!?$i%q4_}IDVbeU=^E2P`p<@*QLx{|Ycg9_@
zHdcGqApz@ouSl&u8fA)}<MU?m_d2|rlMT}x$ms2H8*{q6K8J)RQJ>)*@uUuAcF<!&
z;NF#|<SR92rLUmg^Nol5u-uxskhOJyK|w^VcTYlLE*6NoSYx=&?YJvn3v*(2;Dy{@
z3|nd4P&jr|s74~ekjI1W7nNc*q_vz*#1S_#Pupry$fuI=C>0tG{ZZz^PWN*z5h1`=
zi?-N~{YbkP?@snn5r<3C5)u{|1yBuLYcB|!X4lb>VIX-H_LGaZ=R^T1DohE?MIlMr
zF3XkY<-+W!2bIkxZy2Pb7btHR>LHbEdk#{9)x1Ho<7&&>(}kd+*EY;@UW8K;9jWUW
zd67387+E5)n5qn+HWWH<?oGIru2P>lrb;Cvn&p&2S*O1fYq{IR!3nL4EehoBv4=|O
zrC2V6IDn8>p0~5U8Ortw95#H*k`4garEYa`ZFOm;F#y-B6{cRQG@Yziu2DfJSC%eq
zGn~@Bx2|%)5`L<;$nfG8Ud!CGco>Y28S<eyHQh1<6_f!kmj&%I$0Z9j(7UwQY)iys
z@!~MTw|3b%GP1)aYj|136Q@Z{iZ6Y5?wuHyG^IN$OX<k%bv=<g^eN98PnV-=dAL_w
zp+~#~Z0~LCzJndgp1cUdmvfJ%Q_x4oRV9vOuY6lp#%YyV0fNhYN(n>hOgj!~?L`VG
z=9D7=zls{b+bCY)sNL8H96tpQWLUCyhS4hO*%2}$o=Gv;(nc?G>2&gCLAA#Nz%EM=
zibf_}DI?6N3wSuF+}eskSI?U$+J)G-D`zx_yFD3Dm8Q_%*mYb3kavKHu>)<IIYG}S
z!$w~WlazNfJlfRivG?xU4gIPp1zz%|pW$pGnxe;P@B==$Q(sp~$FTAjAtoGq#4m*`
zu1Q&IxB;ScaA)g??Ky^J6?X)k7EVW{2c8(XMRt#*7P<yzytaY#d43_KFB&Je*qfUU
zrTe5}1pNHH*N<k+&9N9=;7GAtq`9`bktCl(3y%P{%&P%gEg=L#RB&H;V=Dd%P;n{6
z2h98+kU%qQB=IkZbspNghw_vz6pxI&74~jq+XzQ}%Z3)QG3=#tVt~Sytn!RsHbI-F
z$2ejyDU1QZW}I!e`PQ2bM8mEcaP)fEJcdTb)2O^HdF(Y9s0GYWT${Q)?DQxaEmOp%
zi>Gola*S(H6!r@EmH7j#S2#=?O$DKSGLFw3ad!3YnLH3_vny&2sIyo)Yxd!wl_(iw
z3r~cQi5hr&#yx1biZb(@g(Ff}>ojsmUt>8-ft1widh`T)0k;q;&<BGC6~uv36>M8(
zA)MF(N=!gq(pxP`*gR?*Mlb6eR`~fv?ZBi@i`ly(Z0@6ni>R+2jGCr;CGc5m-AZPX
zgQZY9FAkE6Y+X^!G56yfXQg;!xUWD4t#KHEM%v8e9t^&73TThHbJxN_QhzL{H!r)L
zy~2Hmn-5s)MJLqJp(VI!$)-7>!fc%+8AQ$VYdEcYgG;Vu`8Xx==D18Ga*N)B2^Q08
zggO}{w%tN17C~(yw^4fz4x(`zXi@%>>;MexF?riV%?{(K3157+W_WGKJ6LAXuhoo`
z@@YzE<so#pF->4VJ~GeuM)Np;%q?`&blgBILKI)Xf^NVIZSFh-%)@atb~GHY5(~cc
zhuIyR#6qUg{s>;tIZIx+wPV!)Wd<g8vSU_3kwjp_D*Dr$1=Ay$K^IDRlti!I_#pKN
z^A03k*w~YV#mvb5gxKK|V(goywC=Kd59<x>-rcih&xy-ubMJSr319*3O+@Hh?COlC
z^oo=>2wre5dlmOfsS3TT_Jfso50)rIbF!LD<;1Q`aglAi&P7e$o6;3%PdpEP2pPO{
z4m#tVny|>&aA_TvtF5^zhu-nhg<^H3L|&c9k<`*UWVln!vqP5KuB|uBmalnPn^1_m
zMS4c*gfJ^8z0#;WEJB;3itJ%{Sz*WiMKM^9FB}HykV+bR`es)<7O)HeUn1~j;yx3q
z$is(E?G8Ha^i8p{L#Z``Y@=>b5Uql$0eVH&1YR!?<wn6}5(hIE64C48X9CGoc!8=X
z>`&WVwRV4TRmT#-QQS?jrgcs~?+Pbff*dO3XI2j%k(5AUapWDioJZyo&8y8FWNLAF
zsER_4<KDtf8)r+;3?`k9Y)BCI!3>6Y$4})vEdnzVYBRuL<MT;Ijx3gODD91H>;reR
z(ky(vV>inniL)bdE(+@N6eBl-%wv5Y)~Zc49RuCW_S?4ta+Uc)t4rrvTyZ&UPfTwa
zQ1*;pHIKy8^Aut$Q?-1AiYzZ`c&=_N?o|h@b}u-uXKF`IqctrW@bc1@TTJn2TB;Iu
z80`x8iqk!Y*QRyvRw3t*hj5giBkOjM+AAJ1bCSbKL21{=(oGIGstKU^+}OQ(<XKC>
zBPqfvja3TMM-uM5(T{)<HM@i!cV4(tR!2cRVby~+1Ww>^JQH@`ozBkK6FGSM9=#g|
z*Tn#SQ+T#x7kPOd>SYh#ts02h>wfs$;>iUyX&y2RWma32>4oWbQR?Xo4y?*dgq<sU
zSydc%WN+PKxNivZ`7dca2PJziY{l82Rn)^(Eop(!+n_hAdxL?bUm$m2HCCIhQ(>c}
zRXpFI6x)#3<&cG9q-Oe@+IVV8E_YM(n_~Z>n3shrnUHL{Lv)YN@5zjM7m-}qE2*}{
zZAlNWN{WY~Z;dbSUa39gBgSox<1|p*R|AAE*GVhuIUFAHWtJE0&5Yb&700vZ@)G<W
zh`f;$>8>hAd9!T5N6|?&y9bQH>I*U>C}Q31(2$`RP}R+2wtYv~sx`;1EHO-W;mQc-
z{?Z|(x*s*c0h?Dvh9#0-%Z0GuG8_dZD{?#-5N;RD9>D0nzc5Da%m8X&CLXy;=6X4k
zk00soozmzN-nS<NFb$UQNQwZsuljWuCCj^fR5j{(&+*J}OdZ8BI43U(At^&9He-E&
zR9oheVU?8xk+yGU9LmMcBhC)Iaj!^vC$M>NXyf9v&Zg@QdJjuHyPs}lX}M@G+H(Uo
zd1*Tj&xvaNEid>{zI!u5!!_p+FgXDUC>!XUkATA1!$wGsUh?J*rl^!DBaWB(oUrFm
z?LL2SnfcaphNfoOf}ZBk9Fj9Ck(+Jtu7@P#g+<I5*-mKo=CFDDaYgRTtzAC15Q<g+
z(n?4RRg0)+R6$hSckh(&wT!)nG4pP&=v4!J6CiF-NL_E~krKTVyP5RKNB0b1UF7E8
zBwKYdLlH&>35k!^b0x_^2G4r%Tx6d;2DKe@zeS>!CJRGY-?<R(<>Pl6G-*3Cubff2
zMXkt%_L7wH3gS3cpnQtVcL-%~@!<GvdF@EQ!|f~yTny}aTDoaM3gmLC)&#sLu|{CD
zsKR222KOlKmO_<5@P$@lH36x<!%jc6jF9j-@f4&|b+Pc3jdyub936Sk>9<@e%p3${
zT_O?8uKX7FTAA9~&<U$SM_K{Wp^x9C@?+}DUT85eRI-3Kdrk>iFCTa`=y_a3O1(uC
z;vKpi*Rpr-*sG-isqZ1VHitiuGVAuU5x&PS;<<b8JcH?Y3!NRG7>9mgeCeWwb2d2_
zk$SfqmM<$JPz_I%0z-hq9XO2LTrIVkwG_bZvLoT>x_w^}Z`d+DmWo$$HctbcV%~Z8
zaMe>rESGC~<Xg~!T@MA%z!h>HvG#(}OP}_7&2b@qt^w!!Twx8jsE{pEdK2oM*WS2g
z=gCvzC!5<{Lib$Js<ox5bxC7$@M<(R7>9ERkS3|62&=Cyd^ydsC=c)5<fHcvSm*iS
zwExNR{>V&IO$12h$2p=tX>0Ntd`(wSrY(7xGP+it#=gGHvV^dRiZ0b)m^BMh1wnCK
zEqJk}$E=SG-BatasEj>7%pje7wWxi%HF{@f?l+ay5Q-@N2={T564>@)BGK9#xlog&
z>!M{hyaslYtEs5pHEz{St>KLFtJEr5>OR)N#<`f*1~Xer45!yPBB|`<Z2Q7bXn;oa
zQEEJTEAH8a_{f74OsLi+nT&Onz^x=7%{h{z4J0u{KRs=SKpM_+7`C=qyIaylC~Oxf
zdoRd%u2X`C(fc(Ad({*2<4xArSHfq(T#p(A8vCgrs@F`n+uLyvdq&1DwcDSH=_{dk
z^(IUx`KC}UO?^Y#hL6l@6CPGDRv7?I;e#?odI>wt!aNCYf<$V1Jk&gp-b6%XYRz^h
z;PTb&d#=#-gJepWk*0!dj>bcWJkm`9pIOk`sXiLYCE#4$bSccpp{69Gn94W0dRa;u
z<j$xg8uG~EEypRY0gxM(AE)}P^Gq`hI1V;<?R%6h-ftW|H2L|UE3O1jS-gO3s*V>v
zO;}{BXKI$g7r3<p2(M_plR<ryJ!&9VM#~K3De8N&-8M$(g++4)Nft<t)Dv_wBtoSV
zGf5Yx$sRKGb&eRk2bq(pw7~uRWjybF935db&A3thyeUkrLiv`)Pv=7SFr^0a`GMNw
zNA^&@IDWui9B+WL<*J2UHI&xV(G~ZGG=5_w=H4k#Iu`VVHl2b`Dpfd9o@)7Gk^4BG
zpgA!(S(v2ht7d5{;0Nm|5_8P%0<r+n`X(dzkl`JJg*d_Mt<rrq9vz&r*{AR#AK7X1
zRJA4L1Di0-e6fsqD$j`DHKEU?X7P-pmF5eZlTHl;%fN7p*dcahEPch)#Z6H+V_}jV
zx^qp&*`hSS#;x$!63lzKN!I@aS)9StgbW%HjyJ+5w&J2X3r&^>?WkY6d+0sv4$J3Z
z<n=P1QDo=KOeS6GJjCo6B&<g-0;OH-=9yiR8=mRPdl|y3_Pgmjc=8Yt)1#hXP>m9&
z+=A1Kpo_F7F~UXgu-g~bG;2=YB)+HMPna_c+b$)q%Zlv!*(%T6I+^>sgy&Jd=Axz@
z^g{bBHZCeInW;SQTP|G!m3LyG2akhd6M%xWp{{hIAG%mo?Fn{5@MUURM{7Nv2|}kO
z%w!9C9pIM$igvMquv>Rj`!uw)YS?3p1i={&OqRGEPhSd|QF+Nd3T-=skm4PCbTZw0
z`Y4|rFvc_AITf5EH$aT!!!77g%(bAgDZFj>N~Bt3AyD@0*XCmn_<@wkyuwU<D1nXT
zNIsPdTbq`PGt4^}0_j$jSY>nr)raC|eaY@Pdr#{@K4p?-ihaYC>$vTNC0@FVEmzSo
z@giO~_G1h}3$w6!(Jl1mQMhfvm^7>aozNcM)tg303{!1FG$aCqOrv<D*+TYeM~QlX
zD~Ma6hd~l~2Q=q8?@3{fY_dkrX6PH+up$s2689QcO|&sUQ{)%TfeCr>?5w<G{n{Mu
zS-1*FPq)OI1|@5_%W6opXL-38yu|MQ%<>{~-plj^7U@c4#AFy8)vSScG|ADA+qhNQ
zA5^RN({sC6F$beuwNz+&sabG93!fk(ea^=^(p1{<Lik$A6sQ53J0or04pNb!y@R5T
zg5{KW@xoJ8R&6x~3hBz0dyC|)gTKMvGU9Bo1Bip*WjY!?LJIa+XWhI514ticd3!7`
z-_A7pF?gG$KQd9Y%WB?yN&a4@JqB&qP$g5anCI*JTwbKXVsN(z{umQ$jd=cUFaQeI
zsOHL_4BkA#dRFNm90lgdu?dbsu91P>DRxrAJBG_QFIyVaDE=aO5U5Td*&1n++ec8N
zZjif!_G%iTfJq+~F7)lxqgjby+j_!4SDS@mpj55vvCx(4UagJ+C3uI&vP<U4uIuuo
zCx(oY`Nj4-Tb08`B#1Ht@-p9CON`EjS`fYkN8ItmqX!{;V~!7oYyv_=w#6q0(m1%X
z<<YwqT}8E!SsB#ERVGWIwSMo?+n6PiIQ!)@OB<Phr+I5f&mUaA9X~dub*-1Ra1SM(
zS#K4tI<r4{#`5@F8@Pl}9!s$85Gc9Pz4q&Na?*k<eHkfx8li5@tU#w&hZ}hh-i29R
zKYBz@CZwb^w}co0;Q*(T9PDcNjkB7x_>0t~u~!NW&oY)K{9YbLbdfJ_YQ5TuS%);B
z_A+RAQIE<-UwcsM6qepf#*#i?f6U9<v}P~(5}rM2BfwPAJIIj5NIf4(Z$<@4vWN7f
z(g>5&_^f)Pn+k6SE9jV-wp1k<_aMsOnhe%Uem;9;z*SFyfh%p)ssU!og)unvy+qKY
zN|ShS4^F|NrT|5KS@}t));aX%y@PS{6on2A(nmn)n;`&Y_%u4i?b*0gzq;anER<~B
zk(E3eVvrk2%+c88+{t!C%7#quAWK+KS-k1(!#OyIi+o$p3f6eChKsBQXG%Z?I_L&4
zCujKuvm^))>$_K=zHlDU?@e4(aX(CyU;zh1>u%^NLyRcvQ?R@_*-w%QzDVwKQ7Wt*
z4-Xo(naq2$Tja#bq8mn!bgHMM?_H5cb^@;Yq>O}z?n_0LCthG!4|p`|4WI{etpLZ!
z!cvuEWS?3pfFdGzteP4=8lxGP+L^ARQRdJo=ne{zEN-R8hr3C9G=l8!XbECjJnBL)
zE?cm8Kye)qNmfD5Azqb6ST*V!5tPtd&a%E-zlsbv4F`7Ug(iv{R1=1%G504tc@LEs
z`WEuyZT*EZ#i2+HX1|q_(R=DbtCyg;Mo{tM-Y)VT)f4WhU`##*fB0@tg^XR7r={W1
z0GU&mg>^|_Io!j5Z8*FHKerT$Euti1Tf+mn;=&z9vRcAed*xzukxTeQ$D3HLUJlQ`
zm&Q+?&bZK#8A-@c=g7JQc_~KtgH7|%0U})+>gy+Yj9VoEgtClEfGIu^kj{=I#Fm);
zF!aHc-q^_<_Yp^2@L>Zm=5?5IQ_WGqWoKBujPnz4R06XrLgC08fskxC8e;~P3aIE#
zb5sVxS1$;PoLh5s!_A&*Hfu;>RNJiky;a0_s~ouI4~l!vc;2GH*bA5_V0b~Vy_5~N
zWc0<70nh8FaJ<h?&A2t0Vbq&Ed=L*!0q?y{kJqwXOhak4GGH7u1cM?_`JU_>1S$6L
zBm-ONuu=p>1A8VTd2oBkX1A#{&tDVS(iHbdl*_WDW3ni%3F9<5^3e}UAn){qjYfX1
zsqBx{!>4AS(M~i(G9=~cLbfp0LRMut7tLtWO?GTnmABi8&xBN^O@%VNiW(y0r^YYL
z1TiLUtGt@^Dk%lpgoXFH_A`!wr-7#ivIaSZ3L#w&9%<n!dBIYQ<;9~D;nZswFpcJc
z6g7)PH=nhBYFO&Yq1=*jJ+6~!)lwm?z?|(Qm0NsZFE2@e`rdP=fD;vm;JJHv(dv6?
z**M1T*b715DEk-6l)VqL3X=AbS}+ft$)ZSv%alFg)*or;)6ND=?>Zlpy@wO^UUTvz
zHGhMhxmbK)ps;sgzHF>@(6$eH6oH{ew#itF!u4(0A-t_gMQ*0Rbdb{Ic0#5HqMRUN
z)rLR|HE)NWVUW-nKN;mAgk8$K7MI$9cgeUI>Md|1BTp?z=PW_?B~u^Rs_0$Nti6J#
zeO?$I-q7_}#2Ol@X}p{_5FPVat=c4G@Gq9z-uPvf3>1$l)Cf2&bHC0GTSaBBg#<1{
zHR9FNQZaQ_<Klu17|0E6aCuwf&uW}Fa%x^FB<A4td1{s~on+b_hUFWZ+Sx09uN0p=
z&21hPDXShc7t&f)bGGcE1yP>RUO|Qqd}5cg0I=7^z+#J~y~B8kK>Ktp!h)vYZ6rfm
zM0Ey|Qm`+Yf`H1^>GLawM6qJ&vp`IfH!uV;=WM7chDfzp%%=o+XOcM!l~*ai#?rU+
zmRDib_C-7;${l-&Gn%YY!}4ZcOQj9<+&i2X&otGV-ipXc_K{RCuE;$w5~|2-YRDJu
zE^W(v1l;9>4f8CCW?vfKOALrYEJMd;s*N(wgn>k1=6eqSOoXei8^&+kM)~1YyteM=
zrj{b}V4kpuLd|oS^5%w}j2Ch0=fcWNs*PnKUSzN)Wr2?~0oSGvS8qxua%F(J*L!{0
zflW3Pt(z$W8+;;9R}io~Tl{fOQLBdAF{L<E3B2TboN*{QJ+Sl!hJk`DOxYg}Xi4Y2
zL#{yPIFzKo<7^TrGAQkO{eX?6BleN9EM5a8^vuK>S|A=hrU`aBUkHnENkD@!lF8yt
z)%hhvE7>GSE?->7>;^@H4nQz!Lr&v_TaS_?L3Sl~yPeS~f~)mQ%OKB}@GR7H{g%WK
zEQ?MW9@G#!>>G4_qO^De7C;W~y`31Dk(B;q`RNzSFg_5ugK-G>LZesKwt~)I5=5?P
z?ZY-<XWk4%?X4F{v{ef50IjNzR75USiO~h!ru?AmiE?>igVw3bu-zlqog^rKPy8fe
z2$-u5#NTE4*e`OokP?di=t0Y#uP~FEz~)gmFU7o?foE%v$MrSUgn1M<@q<u&ex^oE
zj~?>g&9w?XCR>^`4b&21kN0XH(w59D_Zc|w6^UodmD7k1IGSbav55lO-N|1tbAlZ0
zVdlskKTxLFhQk16FuPK&TbyozGwyf5vXRkmmh+W_zT7jz0uDqhD^`XjD6DkevAo?!
zB8J)b*!CgbdyT_{M>whvRGKGeYS3I-CL2bCd#5m2^3jqb%Z4Av?2=2pH;dfw=^%u_
zc0UN!vRGGqcUxsZ*A0-^Oae2{C9C9FlJf?F4{GUwA1}f?YS~z6x9AcGk;f>wuOlDo
zfKIQxvI8t8o@Y{`e5?LqaPR<<R!M<DA;Z|Krycp(vyix~>Rfa|!nZn2UVD@5$T6##
z$Eh%^D7B+Dh!%Q^_WDg9zJO=-aJM6!f#<*^teRBkwM}eAT4$YcTrn@h80)~sTuFP?
z7RkOtMH+bXwxCgXmWvF$`8+*LY0>bES<rJEA1Bam9>)|dwRQxuA(H!OL9d&+;zS{2
zUpI#Gv*+YC2_WQj@7n3&1Txj}=tOSOAv%^`zLZ$OruE=6^k;N&iK1L=S?~BA7+a$G
zi;ef5MyZ*DyhT$!p_Y3X`(AsIsQDSaNBdrPhPC=(EQqf`KV*bCp0x!>jZp|KE8b)$
z!!32b-MID=#eTO-)9Y^_sF10)k<Ev+*!#7vgryZNGmtHACp|Qum)EUUB@a?4+7{o_
z#hhH@J*bTy#SLuDO|i4?qF2gA=j@8TC_xanXX#;ynr@gGvHDVwbdCz%b6ci<gZ>FK
z^B2th=xN!TEmNhscW*Mq51-W&uT%t4*fSO}myFt*f+q>88(_c}6g8n9y$8LoCMElr
z9jdo{AO@izJjVrKq7)40`XzFnwwWM~<GxIH=5Xy-n|iEqu|OEyL9X5-C#b9>YT<Xl
z#39_sk85rxF1ubpfz4yu2#Ti*=Uz9k?wl}FYB3;e-LtLFnOu^EDF#upZRklF8ZiOk
z;Pew^JUK}Ab!M4L@zpMB-~5Z_iC99_HF^=pWhU*-tX&Rq$N?d9M9+LC%Mi=e_H_=L
zKiKP6aW(;0iH~d%-aHJHkQ_$YGgRQV44G?2JLHp+Y%C3s7rGNXqB{|9i9uX9WWw*w
zV|~z%uF){oOt_8@DIcK*?oAKVbZSUVie8v(75GS;X&`QIO9{L+crdt1y6w?7D+o-7
zWdi#0O5o0lpXf`7C5SR-60lNRmvzgCyGx@<BZ^+>IC=1P5)_jlj<ro|8Ih|_wpwy$
zZHZ2TaMF!b8spp!_gQxndUgf8y5do^u8_H461i{);slloiOh`_pSqd6V(Z8;f5bz^
zA)9lnD(ht^yepLR%Pk=w-v&#jH{B~GdKa;1Ff^#q_!<U#*nf9~iDod@^<ulL7_QX<
zR-+X=wsj-&bVY18DRXG;ji=My4Bb3xeN)RWK4B>#(prxRE|K!2XAow*V{~5A12RIl
zb&-l=5SO=Fz8G;}c(84bwLaGr8;{(N=oH`qu}Lqg;Jhw1OwcEl`6l<u9=oOEOJMd*
zIoj($X=k&LDmXrIi#aRlkffQH(rYp2QhkjRksEI8Ae3ZfCZz#)Q9uj})le4kBrn3N
zdTyR2IR!gqoZwxNJQUjQc_QvZJ)u<?%$UeyU9W75j;-%bYy8e$&Ba7hD!#328I62n
zfz;eb#W+RGq?YF%!<O)DD-=Iz7W$&OUfh<Gzs+fV>*!p9bCUaR7&F^5^i@GE_JC)K
ztBp?}v}zFH+9Q5XL0L~l-e4z4I<HT|EJ!J1Y(I|92xbS2H-H@^B=@e~^j?AIwGL^p
z)l}WMV7!x80t(TJ3<1*eQq{G@S6)7h6su5r4|g^kIr84@L-cfvNgh)JO<>~U#i2kb
z*dfhR92D5<VwI3#Qcb9_Q^88Mfwn`7PI6%ZunAgcjA6gI8e{JL3+FCNJik|*K?1%z
z3FNl-7_8+m1&<V9-r;LP&Zj4Qa;eYFr%u;&#h{FK^r6H8Rt5XOjw#T_C`aBV)eLu7
zTM=bHVi!l9IH>VkWPWW1;m+^za&8F%Uk*rVD_vFcNlOiNN1vER;3RP_pp)I(G!Teo
zS*!wMx_5-5_VV#YZUklBalW^AtJu_*Jp-lkOsvCg8c$5h&~YscsGah86wIum&#df*
zC8nS}l>xrT`0DOqzl$THx=I4Yh}R}cnP!S;aw9nGwRs!7sM(LvqHonL@GeK+6L*&;
zkA}gKj+kaDn_cmV9SP|Z6dxV|kuKtZUyw62AkjNmVr(4|%RTeikk)ffs{z`e*Oa|8
zwGUJ8(X;MMGaor?!_Lq(TErlDW^FFH8<R19h{?m9+1jO=%SVDtgupBBK^<rVum$F%
z+NfIsD}g}?Hn_rJp5<|<-{uyIB_}g`Y2+fRin#;Nb2fsc$`m=!EVNrFPFdaq@kAc9
zi>S^g(SsW@3s7<o0)+0E9%gSWR+p;t6WKWn;_3|{<$iaqjN*RV{mdj!R-R(XZiJl6
zMJiGPh!oM$FvHw9Y~Z6vx&&GRHtlmp0)2eZk6_i|MUbNf+ulU=DZz2U^PZc;9+7as
zUemii&eNBir{qlW%%g<;As3Z<)66_f?V#mVDg#*z?JJrvAH7HS?h|K)FPt;{jqnLP
zhqvAq5yv}K>$CyR$3)04<I&7avn5(VnJA~-vy2!p*NtFPCLfBWnAaGVMs->Em>MbJ
zn$7LT0BtN4je%p6Ux`_u#-6cJP1OYBbU9ty%WRhP4DL9pd2DuyH?J)8fD+3|ISIM-
zHjT?bu!yvc2qL!4{Us}vztX%J1_)v=PkMF=aw`dbYvaZ82$^uJQmw`yp#Wy;f-AG^
zp2W!DZX(E$Phb7TbAVs#yWLpCVP31=>}pgbjSP)=gMg%RPExLoV6E6Uh+FykrXc)P
zN99Y$nHm?gp?&xwEW4IH*>aD)UNxrZZqsFxLx)b}l!z7bd)(S0a?d#P;zAT0Wy{EX
zsvXmO-!vn0xdmeMLr5Zjt|Z0-B0~k^BabkeE!LY(C;Opm<L1*;K^xLVKB5N)kXR3j
zxh~x5<vTWF;Bb4q>f+3tPCE$U%%tw{c%HYIZ-g-M;x#?jD}+_2tt7X5CRU!@dl<sp
zlkljY1TDS=BgWk42X$pu@PO<U`9SEi;+!YZX5oFBrs0rp^F5TX$>K%NnXqyO9?s>J
zZ8sjchpC`Xi)xmyud_ll2xN^EuZ=tn@G$mSV9E0;%=JZnk}hZKXBCpkGGvlx1~+l%
zqNl3bF5ybrCCtEA`J{y2iEM}A87#s=To$DJzUag?bSQQTmv!3gaqJpuSCjJ^Mh)z%
zd_m;Hw<L;9>y<e9kT~}du%I187iW#Ih93gLqCZ_^Yy+*hgFvn9GXR8yGeLy4*pOtu
z{#|=DsBuSLAJVMEJZ$BaM`AR|;#zGlwYGMMOejHWFlPi=869Rrdy07w74cFP2R0kQ
zVQNU`1e4kXgFO~xu~rJC6~JK2!6f6L-py$vk2V;Xiuuk<)bR!OC(s*3A-V&QrC30m
zo3UW+rYdFk-qK0sH_!gX^YUP$hb5$|_KLDTDPtnK(9k++J7t(LA6v>!)x}b5WvYU=
zY4S94CCm{w>Nu@f-p)R}uwqR)*b_`JOsW^?bEt(vf|2{o^x|+Qi<|P9^`oE-W$-64
zPw_eP$kvMo0OW5Z=P_VD^g_BpHZE7Bqbh+bO|Mv>m%?K+OWyoO$6dI6Vh}~*Nn?Z~
zPF=fgEP&AlY`Lprw+V$IpI>=W$GD4H&Q%!i5=cg!m9zf^G&uAN+67J+-diBJ)Fz;(
zYmF2D?sa<C)YoS;Sg1+30|3{Spv-|DQInX%F3KF^k!{t&`#e-0`?GDX3xPz>w>@%4
zu7d*!v;p#v!jJd?JEyA60un9^)C*FJoIv%u;)4N#wQbC80Ih-b6u~OngEGMZFgZnO
zAT#OkcPxaod@p!S9VX6^g!y4z#hTF`bqXuM(BbhE(&!XNRpcDJO6@>eNUzHxXgHoX
zsU{iVWF|!Ip`5)ShtCIt%98fRZ&lwF7qRPmAtIUBPbSgFJpwu2i^FU-5djA!>z8{b
zlkunu^xeG4E?oeOwwV?sGgA_P_g0T>OX5L*T{j+<l9do-q8CviA-sG06dka2%gbod
zJEQsS4X!6}uxF&@Vg)UlW$V1YOF~<G-D?4Rtxr+jEwK}(T?xP{-h*&MJcZjE-3&NA
zeWOnF9**~BuQdkkV<!wMNCsbN$){;;DI8#;w+uvWgStgdkJ4ZpYt&@+HqI@Dy7awi
zsfp<17^+=iH@JepAT&qF27gGIG=nOl;BoB+IzaKZZmZ@H3E1KVAO_U6<z2K}NAYbS
z>I^QL$AX*b-j?AhhLfcSxh?veF>9u=z_l*kp#{OC-ewxg@mB(SuYYvRb>$8_yKD0F
z9iua6)g>#SCS2VdjR#gZJ<)n7(`XY{N`kfz^<})w14*QBpiRGkE`*jadi$nxM#p5%
zZ6Hw`)*il>Q8oZwA=?-y!UklIUabj=7vedTE;6;Ixjb~&31BPm6~Q%GCB?Ncm!~=g
z#5L9veUE6O)<*0~6+z>O9owo*qQ|hfo_10-&FQ>+<d<7h5t3oS>0^W<J0h5PZtYN~
zAW{6TO*sGxJ+X-y&)CiQ^*OJooZ|TmZLgMgcQ7+>U|43JybaQ;-B;J?wc@^Qb`(R1
zwH~wRg>w2A(JtrId6;i>%GX+ZI9kJ|A98M{#e=x*%qF~J)fc<c(`6W`&tlvVp9AAj
zfDg|oNcO{<jq^yrr+}_bci0X4G#_9jDcmI7@`C~=W+^*_6HS5DNGF95KBIb~WeE8s
zB`Jw6FH`C*?>h*L#2e-&p7-`vEa2kOz~*2<yZA8VFwcs_e7B#Mi^@En4OI!ZdxkLn
z+|e|%^xjx^mZIS+G#PpPLYy(qnnuM;%4$2OG0W$cUH2+{-qTF9Z3cg{izF{?sUGpO
zF}bdJ&(Ew1g}n_J0{Su96p_f|bLpU5+$hvjO(i~g5EOQF`R0%=+w-0#9wj2g8y4n;
zRBI<4>q!rL01t=rNh{Y~bcG-_#4XFgD0zd4J#!2as^>;rCHWZV0ZZ{Emsc871>2Tt
zMg|fldwE~^E5;5;OEpTas6HCZN2J<*__kT+cpRQ{BU*~0!wVlG^>%>h6W6RNW1&F2
zvDeX$IRH2jbBD1+EZ-Y*l4cT<Hfd1C7w@sQ$tz@(;o)o|Zhv^_(p37SxwNpK`x9?^
zG_4c~0oO2Wl-#{L{BA<Uw%&6AG`tucnoWMsjf?HfrW3WN$DFn?-;<%q*YqTiA4(Fx
z&895J1)Z>|Op<M&NTm}`oHieEZ6XC$cWrw4Ce(4%1)j${&)A8Sl9xn@k7WwgY9&&$
zoI;B6nw1|#YL~tEB-;6l=qbcgh{{SU=+wtSS~w#w+PiX+IMl{+h9}(g%$mlb;dpwl
z#*k3hpFMFhknSW7siEX&sJF^HqyrLtC93tFat+5W7+TGQBg`O=Uyj36O>^hfvu=ee
zxTSQsVqq-rjFFgL7PIFW^TtmZ^Ss}UPNLE@>NQ|y3t4gki4+e#Y^W7D=7T9H!<PrY
z8@RQDQ``Y3Zjt5^QW5ss8qFMO*`3q3w-%2*`bGH-#USwC-=P<*a|@9x&|xQt#JF+_
z3`;_3I}4qS2h)jA3x#H2a;1Bb0q|-imgGbfxcfEf%D5-Vi}&E&u{9oYyKVBI79>AO
ze)(pGD6`sfiq)b0E<q}f{8%m|>*AfWyd|}g73a3h@})j9dfP{c72-2aX5}&Oj@Y1Q
zS-@=8<cTvB)b06Do?Pea3B1%ze=TPv-X@a|DAiDyjZ5_9MoARrtBqGl)s(`{mBif)
z;h_l8BbKF4?3rFesU)j_&g1D$G?+B(7MeT0d|b^H7Ksn`MD=wy`PICATH1r~2q{C$
z4WT%;Ci^(O8B<&VO-h5$<iO0(J02Qj_->dOJ=+af*P!JbZOqfK7*T5kzIyjytE5_}
zA~GJ2klipF@T>|y90z@KB+K<MJ(ObctSon6IhwL`9*C$(TkFf@HFa%wxR>`%JI_e4
z#w)fO@-=H46-YKuF|P}#JK`P)95B`5+O{)J``H$yO$;@{)>C*FLi@nTqfsBXO{}u_
z(=xe-n}KaeGFvS*?+nhmGu{Js&MHZJLJ#mw3)tedsE4zUhRfM=)g9#Dg&tvb_&lj5
zCeh{##D2rQ{LI4n;i<1}#wqw(P59WH2Z>{mi6Ur9n*^Npdx%=rq%oWi5Dp1*3kpG1
z^JcaNJumLWkQjGgEFY~oP`Al!<BqN!M!1;qfxXxMUU$Vfb>jCN9p6jBt>MFTzV<>{
zW}y_W0UC{cz-9MHQ8Q-(<XJpJ&|F^f*%;3(puwnqOE-(7f+DdL%JP<{GWZ!J@>CTK
z4le=G1Nx<xz#rjWj|+K@$FffQi_Mr*^i6-ksde|j*Nn7sp)sn5YlSA2#FzGXLo*49
znJJEAPrBH3?CwctV`Z0Zh#>}Zbr)qlHh^Io+<IOz^0b2Ou_ue~?3>ma-4?dOg3gs9
zvD&9;NW2INjRtr57t>hzR@AA45Sj$uQ|k-52CCHCOKpCAMl!LGk`{WwQKujs3^+<p
z8iG_B0P?ysF8dx8w)U()91xsp1umlsP>;TQ8)#7l>4Snz*J)FMZ0Q-2>;ACWq)?04
z{KkU8ZD7LUQgu>@A=|8$d%ND$tibIvY5|s7dN*s`P+G1D05)v14kM8?)#m=Hiq5o*
z*S6%XcTi;6bBrp89z{S<kICLctKFQ0hj?@<!9ld^Pi7!eu^2N?EU5MMwnZ~+BWbG7
z7Qk+&W^N8YFv?b0L%`y;d{;~eSeHSx{2s;H)4{0@*kgf5?X>ixoY1t-IiN&1J6i8<
z9fusdj-pOLv_X5RCj-6eb(|kZ0?Q0_^Qc3mCy^)}PRsM>s$vA&3d{Sd%M_4HF?NaX
z7>it?UM2H$A)7Esd_e1W81xA7o~pfqS}*ZBXuG|F9)Tp!=h~~2WBs7~G+*+wb!Fs-
z{8pb|D;p=Jrz(Rh-ElJq-i*-pf<H!bd<KZax@!e}idgh4M^LI8@yZI4Rp3Tfq0&pM
z6>wJiOj5Pqq2}h`9!9e<L54GQa^Vxo<CZ40C*TY@@I(nW>u7V5QqV|XUTTg%?mS91
zDjJ#2=M?>nc3Ros5$RTS=gmW1-h3I=k?Au`8HQ3622_=iOOM(dbfuwza#LM_j!PU~
zXpvR$bICWowY`tU$-kIpfG?&cJ4F*-;xp%(e&jLnl+R)*T^fl@i=%?3ASaWLKu3W5
z2;ZrBKS5YTyqM<3#`DtbLQ7?QnM9^wEhw#&_MW3v%9>KQ8vEM9s2g=SkJ0O>dWC3P
z9{SMb0i;7+s`M;}j6t$Cvx_Upb=MBKHWf?ng}!-@f~PhNwD9E-9hNosNCIHrHVIxO
z`WjK|Vsjy?272-7v1fQG*K4qA*VNy^2G}9XVtAENN(c^{okvXy|AN}i2eKY0l%!_g
z6QcB&jmeK@VrxdJcBK=!TlltNUX~7ScE6|aj*$DwdXs3?+CgF?LaL;$ootQTdrx4x
zDqWBa6E@X3Aur+4o;(o5lAECSBIe?W+C&xZw(;mCXA29C<LzEAKpGe)-XjjrReugk
z6AqB`CQTOVvgcGQ?r|@-f}&)xray#pX-d0Dd$zt93)LkImvKt?%$s>>s!psyVua4(
zCUMI1jTCc>czd@&01`&7X`h@<g;GwH3QCcbTs!u35|*W4Ahw*e(E3rjzKw&}AR9l`
z0)2UHuP<GK$`C-GFeAV8k^${DPX*p6BQu;0Joa6Yj+^m^b%AIok8)+FvlDBUD)cE0
z?*l|xq?|O(PLLTSzb+x}bbr`KERpgiY^z_kB#EFM2`BPHO$JJVxD!|Jp@4Qjene3#
zoR9fc3tK`wb*tBJ!jcCQ0)V?RHD0W1kI4x>nYg-{74=m?2hC$Z2<fLll_7p*3CCn=
zfkmELWs(}qyRBQ^6=@ku?tz*p$)R%&W_G&?$D|?IN=tG0Y@bNtD}8VeR)&}PNk4Sh
zbwzt8QH@a+pwjp5z4NNQz1b(}SrCnHCgzcDc!xcxf%m#-atZ3dbT@iUdD!bb;jAjq
zaTVNy;<@T#D`3`hBqD;O?#zzRD>Q??speJks-${Iw9xqkFDISP(cc|^L+xKsr(_N+
zD{DS#m%h%ncR<(j01m_HvWkw-V#y!8Wi}Uv;GSz2eh4cKrx5Xa?}W#Bv{)a#i3d3a
z)@Tw@Pf9=zV$HcaC0rKJh{P=HN}h5oZ5X}1L3NdWSki9<@s)TL)U^k}Wz8hGj>)rC
z9fKGUs6ig+P;h&PqL(A}<~c*p^>ox~o?uLoQj#5mhh~v<zqrtF9u-i;hLL>WFj6nE
z4qdZ`DMZD+UWxYvdl(Fbn<*&#MRhC5w!PH}!7YziS1AFc9V4O$@go;Vi!LX^93uAg
zQG;|a5{z7(JMXKrByfE<faq^TAYMCk4>E!>saWjLO@x@sql@D4MXbe0I7oj_uj{Z1
zM<<Zjrrk>PHNJ=wK;{#D=i+aw2^>`#K}Bs_@NORA#8FmS4y_$EhQI)C0NL16-tmV`
zD6(h`1^$Y5sd<ecNuPIBg<*GB;$*8U1lo|#V@!^orE()fi}sSx2A1cvy4Lja$*{RY
zak9;uwotdgz~C3wZyR7DlOC<ARuU)Xi>`IHqIG39&!dw#dqr7C8P1OUAozttC5BDu
zs-@dKb1JKeNL{jXI(%=cb&RN_XCcV!h{4qGj=2%h7D?q~J1#3BgSFIVNWEW$)na%J
zm7vQO*fYPH?4{xgYoDbCLDL>|Ey#IiBRpvasKQ$~cu4>l*qfmP2h^^eNoKb#vDon-
z>`DfPp91V-crDMu^SwRk&UzyZvN9zGN!l-=rXKJkzn-W2$Vw)}0$*lN^ThKS05J=F
zBbSdKLL3{$I0h9G8O>b2=Zch>JyqNlxJa?gfQy=HZ}hfMDfqEm4{TJn*Yty}?S9od
zeRCu^)x~6HsdwBUCE+NBd7kf0tj%M2e10A$B8e$tidRcBsuk}&aDsVT@MtVWrz|q9
z`x!lk3V9I5@&w|Dp)Rs@dSDKG2p8d#YSb^PLAz?zHaNqa;BAgJh$W^JgtK{Zao3(?
z*v4yLrV}wTd}4A<>CW<SOo`6VEuLGtL^>S89*}|e_!;BNdM<hW#MHb(%p0~&8TY_6
zF&`YB$+Os)E=qT)843xIU55r#Po)eA8-zZj85-|hR%K~hNn|`-SbCZ4l(nLYjk+3p
zxa7}pY3XS{iAvs}CQ;I~vO9dIo17b<i+zjwHqbB%&jd2GYgVp0<V~!Y_7G}b2RwTD
z7uIrJNe|v6?U<M4t2Z@oY{aVWS&@`Uoxcb3LQHo_#~%RD$<0#)s)0xa5_$9tQ;C()
zE;xmZ2r&4_t+F0xJoTr!&g0f3sK$piPx10(=QYsF&}>}r0D-nJ8NSk)M0_A)?`Wb9
z-t`pc^uv}Xy7W*S@?z<gXIm6GLrn9|Qcuf-x0-<O@TmJU6MqYOxqcW@2(56bSc#C9
zV(BRa6wj~|spBeTXXu&Vny+*thK5|q>2~p1lNE?iAw3*UtbB-}eQon#gA`sL)gdnp
z_qi+ND=y);><l<@(^@{Tn3*E6fjfTtMrW4J6E!6=JMs4B0S`1&nKR>X-XeQp*12|&
zfwnXX`3Q^Z*1_@FX(i<3X;z-p`D`j!X}h+0tZhD`fQMBYt59hyCyE4)fK$t6oVl-i
zZ1Sx(D@lPd*L$lP)(=(SE*L^u`pON6FI$ktvFC-1=YwleT3<&SnKjr5T&|aO5GaAB
zvH6M#!;+6@n@#TZU9lO!`lBl_DmH)9#|+5IG!YLDB57Z9I442v7%mU(V9Tuu6r95w
z_P|7PdwA?~&&Kw_=Hs&+M{U7-v!fJk#}B&R;f}E)ERV{QS&%JV6N17%Re6*2bUK#L
zyVGk+L-QzKqcqd%xi#(L2H;z}eYhTYdZFS+O9sjGP}qsPM{AA4Q}4<*wRxpHwGaEf
zhurW!u_pe)`mlw(&+LU88`$u8j#T(ro1w-mlo-0t(R)SHo>C8YQl^*!XX4aXE9Y7H
z*l9-tFxRUyuIe{7XyJ>`4WeL7)>`7t>+WeRf;KcRUJc3_C&*q>8kX+MB`{kzx6sFi
z>Y$LQwB70byfNLMK#jgCd4Z450B$&EMnYmq<UN~A&}!Ewepy|6b0yX8VgAPXHF)N<
zHlOy>Q#lk}7wky5KwHkIR+1BM+}M#4XEm+j^~lQ!qep*n4R##w9i=sed&QVMVrbl|
z&F34Ei9jLX6k5emHTSAf*<ZBj1c-!gqP%8fExt|A7)o=V=<Jg4B(BWSA(ZoXM#Ckf
zz`G5g`j~G(snDN@0gyM|D2^1H%bipJpG?7P-YdmoVj>mu7gVuI5;v~XVIia~3LsYT
zLiQ1&KErzU%t<oDqJkE)<Sqa-Z`M=M)r~;-`9zd0R>JcjDrBgI$tz=e5Oh!J<XLAs
z8D+{Ga?xB<**iH#;7Ytzcngr{%jV$?8zLh%I~LTh;|Y3?^JN(&0nwp{*}GgZ9(hc=
zRrJorIP4xE&}&3~U5_2N3wG_%Ae*h$xzQ#JOoP%(X~-4Qad(-*d5xWrf^TSf<So9s
zaYBlzOiQX$03L$CRk9!_cmq<16Q}RVT-)o4w3B{){32j|4oKrNstT{yl(n_erS|4s
zY_EI9>)P&je(Ie(kn0%M$rgJHkBs$YNtvrlB?ACEiFj{|j8{B1(sF`Lz6>_ZJqo3?
z#V#)Lz=jeQVM}D~B+q#p-I{e8V{_$J6y8Zf&&}PJpgXH$V~3qdDPL*gx!7s|ya!op
z%)+U(G&{Hb^3H0>m!DvBHrR7`RE`aINO{FwSixtAk$RNHDAr|7m&NE7!7sst-s?S2
zWubQl`&v)6W%rHTR0I(f<=cX|%j#@bTPPaP5b1JQ+gvm?_fM`LeQ_NV_tLgUuozFp
z=mrMdaUZ;ZxiW_coLrlF#ikhe*w9xm+#CQwK)%0Wg-J2yGOYxpP0OA@D?b{q!@jLK
z1dR&FCkF%EHHQxh=GxrkIC+(N%2!A-XROzmgdo`|8~q@dY0MwUtxFp3i#3I0f5uKb
zbo^`vU(q%KQ(j-p_VimfTY)=9&>Vym5_&L*LGXyv5rQWl&Soi_W-=W?J3GI=#ugWr
zU56)BGtU@iG*K-mm&WxFm9fgu`cJTJ-&GDVN711&sS0iqpE6x}S1}ZZ#?>LTr1o1Y
z%%Nd?jpu3JJ#w4{m5{(fv0LwqN<}vj9`poHO0SlVHM5a7^xoFkrG$aK^V%D&OnD@M
z-dLIa%4cnGxr|<epvTj`*>~_F81J@USmX}AMqN4L^aea0w*@;3TbkmLUbN+G22q(u
z9=fk|YD(ams+tF1(>{|!!|`pUW_pRF#WJt)mG0Y%zKZf2lDafbw0K*!i0TGXmZW<~
zO-#I@9ux5@y@4!X{q>^iOj-N$SyVRW%0e}M^iVXErI0xv*X&CMLps1|pk-5J7_iDW
z%_lhN!A8dXJZP<uL?j+%rkKc0xLd|%dk4oF?ml5;6exWKKy01UGZ{@+#A58zg3&Lw
z-Obt+jA8<+_R6DW0{J5H^cl$pGT?Tuo<^&6E_85Z-y1D_P4)nz`;`o%jwbOu<UPRF
z$9}Z(Ld-9odeh^*5{W0YlD#wX8abbwIxu-vk|YToh&C?^We_f(zfpF7zFlB?Y|11W
zNW(Y+49u14NA`G(o?iC^@etXQ)4rUf$H9bkBls9ME5j$n>K!IllogA6-%A)wTSPU0
ztAKv9@5Nlj=2NAo>|hmmHiRG}0gqEp92E>onu|CmS4bM`Xh?073m#Z7Nb=K3CgpB{
zqI!@&M0to319;jVV&@CXvln5H6MD+x6KwuoFrtOK8?j?t<-EKMvUy@=p{lT&jx99d
z8xI~SjwGi)dUSdw9*;*L)8AbzK}wL$ZDlrxPz-=>1-+JB0rnkX-e$uc!@!+mefpk1
zC%!;2je4u@5ZvliKq$Df3%G(%{IK0s^3F?3k4~aX2Pq~kHmr51{8C#d-zhwd7#gh3
z5;k>8#~$rdITb-9e1T(L-SkRoV1sB|$Lqp6gw}b6Jof@3D<AGuz$@~r>-WkGUQdJ)
zN+QzpzsN3ijYIS}q0Q@tC+{q8%E7dy7xXR7G4Q>?hnzes_JlFWHjY~@MY!5&!}=wi
zwpz3!bxf)-sUs^^9zfjNK^PlqF(mh7+&jItH+P=-x){j4ojZ1<FAYxOg)Bth>lyLl
zp;SS)zUNL};kYH0ezp<_1{YQ@MGf6^xLM@31Gk$xoMHj=MV<EIOzyJuVoW6ZJJ@*o
zz+F!ekt8(;eOy}r+!WS#p@$+ssRt8uU?^q567s>M%|4Ka__VlkU05lAH7>ExMQmT;
zL*4N^tPaM98y2?LkTel?K1tN8v+%@`JTLD!bV^y35YpA@V#qa1^#QL%Zx9-1^$avm
z3HZTls$FQe(|$2<Nqcs0YM20vll2(A6K5Y%(si8EDuCC40uu;yKA?_#u9+42(yv5(
zvo_TXTdyDB*=$PVn>66%W1MT+6!62nJmYu6`L-sWLHBDnO2+0IhMl>G*mP3X1YR|5
z)tvDhco6E5Y2<rvy_y6J`2|uhPoNJ>7mu>ifdw2w-As?&7~&!yBc}F>kH8u%Zqieh
z4J&OF-dB|`>j@*uvugJT+jSwY$_aTcWc5lit9rrD2hc*?*#q?!xZcpnX-ow@CW6WL
z-1j|~?h3%*kN`4>m+{Vk{hsVgDfkhP7UTp)O#RpZuGY>LpaDj+=5k4AI;4{=jqtq-
z3*u3uz}EXF+ds)R-FreX56Y4~qP$^bpTx4XphwOi!1AkQiUhiPvvSAhH?S5HsxQ0K
zsE4A1#i=kTC`GKL@S#xHp!!t_Z!B#OK8I*3x!wrhX%z!uS>%YRwJYOc>#=*{^oo!Q
zr0$)hMQ1)H;+s)}c~7njK~E;AU$7qYyu7YlTE=V<9$z(ydymSr)+6B&XCk$*)8OXY
z^_U%wr}y?XIPlYx7nk^Kja%nEkD8NY0pn(?wjwA9b_Pq;agn9_3+>%GXXNb47Z1Bj
znz4Xo4LnG@)m!jAqoS0K^V%|PP+-NLnq}8>3?bAgRsls}+!uyHofTBdJ(3Gx<cNTV
z3?t7KPc%bQl@PBU)Zhl<JiHl-UR8Gz3O6?5R3_BMm%EM#75cV2qK|c`@i}+BD6*q1
zml8COm(7w$dSV-IcDBuX$iSD{(8v6Zvn^e<*Sl#oQmFS_NK6A^X!!-b>T-9Qhn_7=
zSP`|d@(2O_J#krME|uMU2>hPi<=ru<mgbBcI4)DNwmg+?I(T#Z`enX>i;QNoQCZnq
zecTR8tioJjn~fG7kM>!xSIJ5{Pd#FRdli?$?QsL|R@@cK*Hhd3jS)y$sw7YaEHF}Y
zyzJ`tTox0<=FFvl_LvH4t48?YuEg9!At?8KQ1eWyd5vHU4;wmix#?<=baGZt)s}jl
zq!SVSq@0e@^+swOl<-n-6WP@F27FAGn^A9&SPB|U)aRIpdFo6RdEp))s52of$AGK%
z%Q|cia25nrs_DLXgr<`hFJ1v8-&`PWdnNKZ7AX4)l9rWr<6H+&${VOO0&WtWRl6!7
zIc*wlo&sm*MCOO}1j@8vW;cR3ePO0~wPG#<ZlV@y4eG8=FS2f7n?0PUg6DQJ5HHh|
zlnhB30hW>>DJvdzZBQLeo!F4Qf&$UhnWLzDns$!QUx2IR#CDrjwSJ;4-%H0iLZM4O
zeq!y$C=@ehYyN^{-k5Gk<t3FcCG~sv1_#jwCHmOjIX#3Ydb`{K87m-baDK!tp`uT{
z65=^t63dqM8`F0W;vKX{h0&^(ypdqgi37|{u=9GQD4or_JRm1bYXg(TGHTu3^HM>(
zYwO`AUK)T@f}!auOqPxLsUz%x>oFbpO31-Bp*^Dt4})%fgkm~Dz0c43g(btQoJ3(C
z0_n#u8)CN8^^rV#{mOLW9s&7n`qm>s`HOAE(uKf#>9zOVm7VQ@Qsg6%SGZ?;>FSZI
z4G2mnAlt{j&I+Z<?DIr`_0q`m#LREY%gHJq5aLQ<mD6c$+0l-%z{V~lMzZDUt5Uaw
z<W<Carc_~d)4GJTvv_XY@9EPl-c)>*5x8C<;zvB#KrQyLP-Gf+MmL;W`UI=xM=Ut!
zdbC?M<%tEg&O(_od+vG55qqcJppckBdoe#wQxWpVeaMc^FJoU42qO5rDJ>_Jv!^e_
z*(a&RL`r~<E5uEt5}janH#X-XcL+*FXjW+ZJ&tN5MZe_r1k$}00XMKyrjyQF+`}iP
zEGWmlH2cIRUc$YaTi=(qfXF~dX-_V<i$f*gMJC8W%O+^RKHx@?RCeGHUSfDL0GN2z
zbf|&rhy*uel6pl!_pY%D)%3aBzPd+t^YjjRygUXd0&-)xsQ83~;xSkZTCga-On7Ff
zAVm_)s>+wML_zR$JH>;Wx8JDRy9!Y>GsqL}6vvv@5`wUJp5e8#+Noq2k7)SLUcg-B
zTh?o7P<`p1sA<Ey20lSsvZ=EmWS3I?SeQjh%`I@j#1-lFw!88REv_)Cr096EI<Jz>
zif$eXK5RGuA7ESUrpNMRg6%+E*vSnUh9A7A5&^4J>@4}#dID4pUNnK!VENN#Vkkm_
z5}re9RvIdVyQNVq7Ci{qOVXCNc!EO|G!MULZRIbv-=aK$aU0z#Y0rrmCPC?2v~Y;`
z+R{(UtLh;28F}wz4uO!;Yp9WU=r0f{+4a4v*95=|#?fxcSfuI29xU==@QyLLNQ0Gb
zFrsdISe~(oo=66wZV<%Fj$pyuE6R(TN26mWS8Zo03?mTM5W3Z`UK*h=&Vs$fZlJR(
zxWbA@b_Iom-pSFyZdvj|l_>G$3TuaD&7PL%bC^j3r1a+ufu$-skVQuG^!27W>bo<Q
zp23%e_Pl~&P&@a}d7D?1D8dC|$s~7t5Z;nFx>-St80@Wx_rX)rn|nzO49t!4aNY$a
zkaTLi>nw>0*rBAE_l`~dM1QHKb(_cQNAX;#i4<ryeyQ!pcT3cW-fYZj0MaCIW??uI
zHSxr8WvBV5_O;>(BTq8S+&qvcA*-l)Tj=w;*G&WSxQTpHBxI?X!*6cZpTblhAlFk*
z_m&+?!`&@_x9%_U8J3UhS&2_Rc{^9+fpwD7U7L+7M?2fdOg9##`LJA;4QNh%=Oqa6
zlCnpkG&H7AF~6TZYIs9n52(0uD&rU{j4Kr_Hc<_iRiWEY^2r&dS5)Rsv)COz(pR7~
zr66&|WHRIr3B7=emiTaAy=m^<AjQPMc>G4lc$9k)7n;mfxAS#iZMZ4<V`OT3aNO?+
zAGqqoLDwv-aGkL&jIThu3MaPP&DoX?z6MPnNT6%oG-|WK39$-=Q6t@w!{K@jqD7@P
z(e!3syd)WTNO8sE!PC1QG(6T-o5#R6v*!lZ;sW(B7I;oZxhjrCQ;X8-vR2uxP^S|5
z80CC6JljVfhtH|c#1cf&qp-FZ1h3s^qTw+nIDt11!f7Xkst9q3*p|mt=%pcdiU=yP
z&(z-qRl;lHsUXvFU%eDJ;kV|JJRJ9o7`nzuQE8zm3u$)CP=u~9hh=TW9L^t&KOD+z
z5zUtXApNY7y%}@y6K<m~xcm8NL77;W2-PwK!}bC|?7f1LcwmhzsIG@eWI#dW03%+#
zmin~O$aaOT0gI5$Vm<sCRus;2?G$T|$7C}#w1V(P%bpAx%9D+qA+^S!ig1T^i!eh3
zAb^07@wDV;Kh1!XF$H90&u~TY%?trJh8(mQuU5WW28ifOL|r*dy7bgZ;L7RZrICTz
zhd0d*;DOCzjtQA<9bhFo`tUlX*Nb{q2?lY{%y!~Z;R)lc1<$mY`1Q!;m^b`I_r09S
z<mZ%%eb1Xh-(wZFAX26R<=&^o!^Fp!T|jwjxmBJ1=EQ@*ubq5P`~hre@(@T+-H0ng
zPjZLBVvcwvBV>1*^y!eOmL|g3%>fN+tX8duycI|4t#e*oiwYriDDIMY_Qq3<u^;<;
z9;=8+0fU{$XfC1yeQN@3Zp~9D;)(Yn>0Vp_;o&mDiFF3{;NH+E4vhCa&cQod1%uEE
zb4$T4Q|EDDxK=fU);BIG2s1bHP60$gkU`gu&<@Gf9ukIWz^-q;w;E3#Xqo0XD)74=
zArcAG3k~dtdG!<($z4sn)^h`q7>PxTUkIS(hUObY-zT_BgLajn_414~3yby+@cNY(
zPcJJb3mvSw%Pz;WdR#U0#L{1?XUHJcMbBbOR*pfh<%2S<DFrOwlJ`bzd9nmNM490(
zVe{>g*-K_!>OwqlB7H7tIPp5w`n0=!%a@&*N5D7XNtQ(3SuB{|oeT7En1vrlwZ6B<
zSddIF)NztLU-cE;<;w^Ph=l}XH^;<kc(?E7qO2ke3ExHKd$>|aPabl;Lwmzs{fJ|O
zRmsj746<pw#1@?k);A9xVLf-T=dT)@tS?@`S|lw*z7i2i%ZzT3%#z1-HYSGicEXy(
z_d1s5HO}K{=gmBkK_kg}?hPrIJVyrlU|BsJZttZ<s&y5SM-{vtdeO*-k^&6R-12?W
z?eImn56!-VdY1ZJI>25yNTC6U9R&73TS9dR3d516q)ENiV0~Dn+@?=<=b@h9L*E#m
z#n%Q&SqYrT{?tY8$+ClxmzfSEt|z?`w)XPTgn=kxoL3vq3>CVQS1sNEq@YYw1a;Z9
zF-~@(AwQgq=w3ZDk3)*3Z0S=ehB0{Xq=(R@DxS6z08O5EHCbB5ig1Bqs6JrU)PqE>
zM3EiR38_)CG6HEZ8lX~`f*V_oO%QKds3f4tJD3ezXX&%}bM7wf&Yai-DHSXACn{p>
zAh_?5K=Y*n)Z>R63i1kaG-uDoSGsqSL?^VX&+siqcwwBwdv)-rqbNlmL_IW-Dfg5v
zMAb-+JdTJK!R=*Qjj865SCB;pLLsRfPkB9;L)zk%y=*?oOu)2MJr<_ql%mKaRTQ81
zEV7E5R6@Jo8is5JA_-VlLSxnVUW&PpusSYccAZLw8Ac2Yd-U)V>p8`P$ydq{;&*S`
zI!kt--x|rb@}PIM*A#?>+V#G?NJBdboZ-mp=U2u2EKtS@6;~ag-+04jmSW2e$haXE
zz?yhaW(#U8Q-x#`SdxXKI;SORMcV?LWku4AGd~N4G}Ne$@DyFhhZ^s(WXn62inIZF
zl-&*s@szmbF+QZVqqVz}0z+CV#5is}>BJTBh<m~90$cFB_G}C1@WCtVFbc9q7kYeJ
z-gA|s?W0#>gelBe>|xi}MIiyCv)PB15lOZ+jo@22W`f?2seHqOdYOswg3I0EjqMpN
z={iAFli=lvmoF^!WTzAh1R57uhv!Ze^>f49FiP%+b9tSN5aANQli69=NW3Z`N@YfF
zr4v*3@_CZxz#3~AUV`gsChrRZgLnztQ>_v4nh2zCr+FTs2G6@Jf7D|X+a!Q{G|zPl
z4H6J5bKm+)+Z#l<dD@Y7HB<iN65jK`JHqDD$4~ugJtqQ{BjFow|D3y7xoUFAqy?rY
z{FO=$0!GE1OX3=~gWV(GD(WDdet6a6E!Qlro*R2Er5)w3Dk&wMhyZug#dTY@$*#!7
zQU;R-VjvLZh^G6+t>VdICEV$HadvU*q_Nl9y#s$?FJADSUHZN_J6q>`ub->BNds0F
zlD-ZGnZN+wSSW!tmbk3aH{M!R_Qv<IzlMksseW(=L3iq<IXgFOHu}V%<3v!L?Vc`i
zC6s}P7(VE2v8@~&sE7H?H_(H3N%tl2Uwo4rVM?bb6di277+k?azY{xuUT}6H2)g(}
zU<_?vEx<+3;?>*CXZs4~3LFX(d`kzcxSw9Fy(ac6*Nu2-$(&3ADDldT5S;SVpY9c^
zfOD42;A>LGm&p&_V4%OQgAme<(UX7(XiG(ecTWBGt$3=v^GzIpcG(+O8y>qzSPIdn
z@g6<z7iok$4{#XOiymtsN`#X|B{<9*eQD<@wTn~!j!`ZyNxPs`5c6eGr}Zw^19TUI
z+vyCU3QUTa3YUdV8FyCJSqVPLmp!j9Ou9VW0DVtKy0i_LCs+}2NT6U>j^R;^ZWGfR
zaGCb>^V-elyL@kXYzee<u);mFR;a*O?KO^Z>(ry@4)by^X!m5S3LIgq<at^5{5)s_
z^u=~PYYQ}bLYGALa^~D?v`5pl9>@aVnQx3XMYFQmtn6sqz`XEw0B?WMZZ{z<I8X9k
zwi{pUd#m91GMw*rDMHw4?tz$S#+fKEVp$cNxWRb#ni@95TSAyuQwa0$*cZ}#aAMyw
zV?;Mc*-*w(Cv5uG4h*SWEh{FH``Z<i8+%^aP7x2HUCS(|HeIZ_gLZu3o`bztY%Z@?
z9zbB~7(nshR);@mVt#G&%PTCib{h@fnxyp0;(Z>5n~b*+uZ|3w&29shmcZsD1`wB?
znO)^87RKlG@NhxI(R&q@<6w9|O@-Jp%5Tf(lkd>a*}Htyt2|BY(JdJ{N~$Mzv}8Uk
z#@T7-cxx&og9G^Hz22Hw!j!6zDN@uhO>eO4W5kowYCT&hvFtSOCJRWtC=Yk>>}ZQZ
zl{?~9RWo_GFHVeVWgNF2DGM<=BFa572NJ8R$lcaFq&)H!x6TIj#H5f{5;^K{+{99}
zZ~N&<1j9UAoHzA+@$D2vNy9Pl>7Cm-Tzjo0k=zkoRkW8Dj=cvh<_tqzZBn4+Fb^h2
z9aNY{5c0IyT-NDjzlHL@0LKj<kSFUC1em_YC!=utP%ulHSR>w0zsRKyP$M`GpEMAF
zLEhk;0cV<-;J8!d#yNW<<`(soqx;evh6o={m*66Io<*<^hYci`_p1eZBG~HVKK=G-
zmXAFrxN(Pjp&ZJWbqaL>5J7e%^R{~Tv9)l$wTcX}gC2w&l!1(-$?R1_(f2YKVA7r5
zvvmPUen^6KiS-ad0eE%c7!KgHpGU@x%v7DN9qA!S49QWWX>l1IG{9^Hy4=CCfZq%(
zh~@F|(A-OuxfDjt>O62AK=fM7G-ylYNyZ9Aa^!wdx;C{H$tX9xmhJZzSPyDRs$oD9
z{UzUBb2tJt;Q+odq_Hb@Rb%1g6t33ZCxT$4w#1?)0F>=-0g^OL_vh((E1?qfvxIkb
zHLYhg?kN+Ywdsf#XY!KRm6TRl=sYybkD;h0>_XuAl=|&(3Sn@?x;V<JO?Kk$YJs^w
zei6a))=fNb>`lML3UC+22eLttfaI-16vj`~+T3L`>n3W`mHF1EcreiIj`g`uNu&6i
zyET~9$FZHH>o2Av;!GObh((lN1`w+@v7v#+Ue3<*#^<BS5!V?JSt{?OWcHMJHv*0o
z&2HNSPsHC_Bb*aEEytH4O#{vPhGaui-W2j`7e9tmkmw-pvgVx&cBGIXL2@cN)|`n9
zoAwYa%{4l^Jl$KWL7b?^Uw{kn7vNfeZV1eJPkoIE538a3L}{YY`8jK~PxxR*olT5h
z7kgd5I)C+an42%-@q;{*9t^12r)d{-u6E+-@B(1Y0UZUN^SF!?K02fapxKmLDZW4n
z&u%rZMrAv#nZs=6O&cG3=~`mlNH<R(@$v|5Pz|$)vo8mE!Df3Io8G=|c<V};Ja^0n
zQ@5kD?8^v80-@}-ef=oO$n4$;&?_>MoMpwrC*mF=obFFM`sCG^+KD|I5p>>7%z7tp
zXCO?QUH&3m&>iTe<5DOo4Q}cv4~yT<KGu~eGKh!KC3dUq(5!8O&(+nn=NV`68x?J>
z3{Oh8NX$23uUQjeLu%lb94J<*Jr5pGj4>Y<O;pGD>-7*tuUNv>=BA;LB$p$>CLN+K
zRHdX$URQ{Af!7%w;Cn8wl91Ak5kUgcCA8fwq{Ha^PDH`#oXQ)?vt)pAT}RBhp6u+R
z!d(yOLl%T-&Wnm`!H5`xjznONmQpHlR%By>N418q0>zY_!PM6F%yhE^3vTb(3A3&D
z5{8rN+70eAAL*i_(7ZBJfKpboOMF#@G0CLleoSv$6|Dv%&HTLs?37aHnwH9q7im#S
z@QUd8itM;HXzSjy3zXOM#(WY&8rHPK%@WgLD3|A~S2X?H^d2qZ<AoMnAq#&V{X|*k
zp~^HWx18CIU_6!~91zL(=-j$1ZQdS6Z3u*!A#50E4%j{ja(#j9g(Lu^ck~K4L075C
zBETpg#`<I3b+|}KdLGT?P?0aJS*r11gOq?p5)-(zb{q<;u*{!91hp*VmFR{u6JFsu
ztKg%2Z*+*PUBX~4XbdG*Ph!hd`w3z>w~MRH;?=u)3^Ig3hn<kgja!<q9dKG6WB!=l
zID3sjI}x-U5GOx(uL!omjTK5I;7+sxHkA{2>28}rk<G5^0f=xrVE7W)qV-BK8oZ9W
zh!;q=T2b(maQt3fhCEJUL$2Z4XYHPE62WOFt+NJ&`$3G=sKInkNTxiIVAcoXNpTkN
zaCAE}PE7_0apOtUI;lolw2N%|c+5O+YEzsU*oNNNFbU&F8;P~Kpwu&lJ2yA1jK5T^
z#-OLA-B>RyA?QJSLDsRMEOoN)#j)@-!Rt^JRe5D(;7{<K@0IIvwBV~U@p=V9w}gic
zQuSUxLyFOE$HUyyoMtIlce3;cx5CmVHV`5X)QC3px=Un}{6ZSWn=V?CnCiXz3-OsM
zfBam8TQxH#L?ch$7QRUpW>_f98~1XUlUP$*(8%RBFve5QX-YL7)kUYsvN^)a2~}Cy
z9u+wgP4lfd^YQ1bnD81?2mNW0&7=-#?5LFO6M_c}nB7jQ$9R>z^mvG5_fg#;G3ePT
zLDysFQ4`yHSsL4;CK)6^0QSU5OCOZcDj(s#aV~t4PZp1J*|TUJn79#YwaPNh&*!28
z<=JIb;1rKIlb_BiJ!J|)#*MVQop^^jI8Xca7Kg%GmtT)p;NF=OkfDUQPCsA}6wyTn
zOl=WK2UgT9GO^K!y25?Nq~Wh$+~YZIywnEgn~v7^N;BWXmK7kcL6_vMdt1=S-7jp|
z@fesHj<e`@Z3}lDPbP2}ZGtCU{5*!dH~>~3r*vk{#vw;*CoUjvt8-tzdcbs%k3ay0
zsFV;V<wQi<4T0vK9ollvs}#v+&v6L&D#Z}9b~ttg?}f|urY*g=N?1=&NR9vru#la>
zjHit*b<gsmLN4Db1*bVo$KB=F#KQofLAT&Ln3U+&oY<EWV_Z|6kKdjK_sx6n+{k<-
zx|!u_VU@_m?itJ7cn2gZo*l=gn^a*JJ#KxO&>|}j(x@=H%-}ZAjWUo4Zm_e2U^j@G
zO0Oikd<C^1yyG@@A=B7HbGsU2ig~Z-8gd%F=)q%qdf5^er0YIMHjXHP2X74^Fy4G3
zPVj{|Sb(-0g_Wyi9gFG4y>2_FBPtZm>pF^8@h}bx#CcMap~>peLSfl4QuARsvBMf<
z(33*iCWC;Kd=E{Ms>sK4noW9d-#c@7=e=a1MrhCRfL1ME@j0jAVGEHjH06Zhvv+!G
zq{P>oKA3SXXmB|XE}?2j;7Pw?OhuDnwFs|4LOH$XswdCcF8b8>-qKYGS4Z$HJ)m-m
zmfcj}X2$Ev8ynPIzKy#JuLD@ArX1m!z`M9fo-r$J6VAX88NA9I_>1wEz^3g>?4WjV
zp$906J#e}rRS$2+U?@k9oDLoU^G^s(f<rzM9_&QiT_(~;&y5q|Ny7;dIV)KS9>p%d
zqQD^rz~*FbeV)0J9>CJbxTqyc*XZ%?MIT31>Y(jaUvgk1w!$d%6h7)bP*0F_yp(>%
zWbgK=9(N|HyS3yXxz~Vd8RO97JAIiOrfW<m(|3x{neRDinv1TikjhP60t49HJ2(S$
zf!Vi#cw@K#fHWIUZ_M{Oc2^!mnBJ(XBa#TyOY7;J8W*k|XWxY#3bShr5_?DYw3Sli
zMX!T36=1FrK`Xu(%<gUNe0J2KTpL8fR;@u~JR+9WxHdxg3uU(`DGapjalhS59bt63
z#ULL?iyId3^5nLBXFfF0bEa7*jtA;7Se1)sJ1;$t-l$tYjThdAa)!@rGAIRoa~<2n
z%}q5h&#}VkF^u88yXQ}HW8HSorjYZtS59nMj1}#z`D1)^L6jwVv-ZHW)RtKj4nlXR
z+HH{twX%Eja097pJ=kB#LiLk5>*r^24;w{oQ1cN6LD9hKJ$+WxD%qw)FNBES%M{#t
zoRnzX@lxY8x@}m!y5#nbwi!W6<0IWO-d*B($0P^cAP4zUA2{e$DDbn>ouYnNfbi<Y
zd*NCc3q?a(B77BjHYF^a=;<T0>CAHK%$4>G1+fSDYSFNYfu-%4iM+LM#{G+Nao^wy
z5YB2sk2#I<%Eynf%z8%1*IZ#`_Bzv|pd(o*hs!DRfz~?9(=F?rt_AV2a!$=XCoLc^
zPawn6$bJfvp-(pBWD_zC;NF(`lWJi_tRM>I2hbsJZ;b=@saaEREjZDJXb&pCS3s@a
zob*Vj-^HR}GHP+?Be61n3(rrBM>-A>&J9(lEtMm!dZ(+q^=QCIssdg&hE|%kX=WTk
zVnE>_sz<!ajJpm^R1rcodn{htMg{w#<EWAFncrsdn&w}SyLy|b?wnx^@ED6#r*uYf
zDcys(S_Ia#CwRouwX{UU`?#ClQoF?ZD=&yexe=3FA(DhQ=o&rf7DnzQsRrO(gKY=$
z1YBnwUcMEX%E6k5@U6|>=vsZv0#LH^o&(BD#(po@*J){<$r>!B_d9IN%{3YT*y|d*
zn0&XuM7b4-P>uz*-Mi347Hn%XvQ%W24u%dWb<)Wl^)_YOI$OG?EtIJnO4y7dAw=6=
zbchbb<pI89pfTk=w-g`)j^<0K@m(LYiMWTvhA`zt#)ao@o@3nSeuP;q1Sqda)yv|X
zc#NA5@ug~#$(=iuvIXx0L#LKa?a(xg+m`E@QVg*m*1haQrVG<q!t5<Ve7cdDb@b3c
z+tgB(6{yv8leG;FYANj^z>=M76qFb1@X_re%2S%gC#q-qj=L!Gb(gvXPpmQ7(NGlT
z8z3P_$GjNE2w30_QzZpwT-Q*Uk|<MNbhV44;=0zxSJmLnQ_e4(mXyw<R}U5*m-wu1
zPZ_4{qm2vf^cTKOu4Gm)qbca{uu-#IISiZl^;X|Aku=KdM%R`h0JpbAR$!p;Qg1mp
zr?WjCD)n6nb5m)6KaH0RHWSpvr-k(xx0VC#If-w}AcTw7A!v!NRwz4Gya(~7d1|Q#
zOj`DpDa_M*6_n(9fq7yITm}T%9z;8Y0J<PahKG!D&Zm{1kU#yL$2}y{mMe4JILIB}
zQwBo}UWylHbOck@55>Sd+*-t%Qb)2@eS~25-ZTel(BcwSk2~aSoxUn2d?nyvmjFVd
zJB%e7aONlEBJC5Xo?NPWy);S1qGM@mjg}=xSGXHc7OUZgw4u*X!ru*;GUjse#<V?x
zciEVWc!}q2!Fb(Hn?-CnQ=&`yoY^);AyyGep%+|LG;`~4^0g;D9Gl>!8^~MMdVzPy
zX|%cZjyZ?tTwHbb_zjz5LOn6Bj?i`sgThCDQO+@T`BL95D&ofWUb>&dT<7>$j>c+w
zL=NyEkh|m}W1MfSdf4G;JVUd^8t+8lv?j9h>B(Vx14-3LjY;HIGOe0$4n9E5LN!+>
z*?j!!If9gA9IaY%YdhY`OgHAd%~6t~fQL77xQBk6xhT8cRC<#9p03os8=DsfBS4CG
zdJ(jeaE@O4m?{v8)Y^@q?B2r#rB`C{hLLq@yz=SOK?>x#C*4=Ot5o+E;Juk4MdV$B
zNM+m+Zo<R|?e!Kfk|R`>y*w+BGpQ(_*%Z3HM0Zk>t-cxTr}`Air&=FQ1=pRTRA&W@
zSJrFfqdrbuZpH_BOd>z7i|T2_&bi5JW4Rcgrk7X890_s@a^3!}^k+#*twn*Z*t}(u
zhdbT)3UkY}R=9W0RfS*J!`@|N?wyA9?2BE>BNo#b;z=dNed>KM5<w*W!dfxiHoaj_
z+0(cS_qFU$YfqW#`m0u_h{7Cq>OCobs^HEh?8tbFQx9HE;WNWM3^hIs-P<QXg`Adb
z<ZoB2DqWv&xu;*DpxZ*Wb1!W4oIN|GM%j7Esh42j7dS~6K<W)aZ*VoVWWz}?)%>x=
zY9;x5+Ao$&9jaVwn<8+W_KKlzHC%#u=N0-=cH0V85f2<SM$I~Rk>O2hRmrRt1HsD@
z?%m9SanAQ*#u>qbLiMG<9=+<rwFrnMGP#*r`JTy{zbNmbq{qjyv_0bbJS16go<}~7
z%!=sSgOQHAPF!7mXZlJS`6`OdAHMeeUG~<?4gu(sn|Kyj=CNv<jdTOgmxQg`7p`MU
z0`I-V<p68t45FE&w;fLQ5bD7%!otaEejq?fQ&PfGD6x2l)2UnbxZLRRD`#r4&Fh<V
z2HBk|_Ps|Np`n9M!h)XkOOU6$&#-As4+H3M{2}XHa7aUHi;dOAuGu<Vm|O0W)#5FZ
z_H^udyyUd$s(xzAaLbFk0mZaQk_Y(bT#iyjoJ4j970l+_2&2W9{qT+GP0S9y4NfuF
z7_XKUre*618>YkOW@7RpS*WEMIB3$7M+F0NpVrZ$2D4VJ^nx)ZX1EHHZi3}JHyO5;
z9XXfAv=r-p0t=EnU3efgamTsyyk&7z8l+#_lxL(iKrYoQmfPv{eh@|dG}0;*JoBjl
zN*>0$_aJD%xhO4L`nmx<fhBP~!s9aK3iVu=<xQl%rxgI(%@dn@G0Uw<Zp}Qf?5f?q
zeBQJ2&~_IP@l9&#4-sSye^QkoW(wOl@J8Q6CqrhB^^GgW2HA_AG3rRf0s~22f$8Tu
zJkNZU*wKsTY4Kg@4CYYB#ZY=Rr(M}|vUsrJeF?9Lu&iU0o%NMB<>3s5q@y)#xUSD?
zBR<0{f3RoVEo+ZUw6y`>6KEu)0DMGsUC=Xg_#QLc+ZO`;;<4)7l*HY|iql3}oW%12
zHl0P1>!)|d4X>}%r3<3&xaskc(L`aTCW*oWXXW0fGYwnn`f`}c1~>o$8zhaTQ;yv0
z!ArOSuRE(GQYmeuB5{T%Hre*1Hz!uXZJuWs6ZY^53;I|?AB4Iqls@)BdDx<j#iu20
zX86o7c#n7kFDB+fNnSYs#A93pBx>XdjD%<H1WuInmQ4xj$-tyhB<4Pfi`eQWy&mt1
zR(p@{S3KmQG94M%R1`(G4nSK|&P~;IuTRW{zAzuu+MEN*!r^H>_wr^DZozfcIe$<d
z4Z7x<a&BVl0r3#>1lt+**5`Mc_we|MjKkTZkT6zxGou7OvuqEpw0&S`x~NztX!vSM
z)Ee@wYYnESh2)W59mTb_N-*|JLBO5$(1UCt^(<D<>#mHQ9Y`t}K;DIZd{E?$+3<9U
z7X@oQc1wFAEiE9g`;H!ubs<*7)`|B(i^mbvWb?(rlAp=G1zxE)TfGXF96HWEYL`|V
z_^1ub&2L1+7Mv1&JMn5Vc)0$Y%`Gwe7@qb^r6fK}T12)JqnL8n_oA)WGE&zRUzI|$
zi4l+3TjgaSI|>DQYf7C2=MGug_K<1b;5==N0I5o3duZ-36NHc^H`XEqrbmpykCwGv
zd^O6>+UOb83c`UMVVKRPk_qzZcGcsV9_^EHEx_70$<B^NGNNGEyGzKF5u%yJrl6{`
zPa>a|JNV$-yVod3g!+2h8qtwi=4?RMq9!dOwfV?A)Jx5-%-d0{C+W(VExT#hWi^P#
zX)#Yi+Z3*w#>QW2atSfOzME4{N?V?oXo+|r7Q=$7=(iCTg&<1x<VbsWeB{kaJ)(M5
zd|2VJc@G6G$3uJHik(}G&c<*$+wxh*F2ozlVW)APVCyU>Rg7^Dx!)<$D;r!FgzIf@
z8L7vd*n>-5!3!sl!b{1H$#Y6`S1T2%7Z%j&D(JNjh*K_1HY|bgl&?(yS)V+^j_LLg
zIx1mcadMHn0uE8Uw*-K1joTCCh93(mp?B-DzEcvEV&Qt?t%yefR56H^!_SpCOdicS
z&)Q2M5N3(8=nB!*xg(18tM+aYA5~ohRVcTL0)IGX6g_T9borhKPV^RaTkjU$LsftZ
ze)L!euL-digEd(1y-JDEl6OJi=ZBa6l!Tbs``pq6I~Q!AdtFz8OE$X?iVxwuc^Ekx
zg9D;(g|yr4x)+~o+lf3IgeP?J$+^N8=YA@u)e`AqAb`45xppfS4zmx*R<g+C#NNEe
zXYX9$A?WrKd4Q_mdo-h~QN*=ShWP3<O`%dZda>Cr7F_|UFEnx3ImTp8s{Elmw;S_~
zMR{v_UTNFf?i`MA5?5Rm1;7uT5bD_>MF^>@9y3TRpe@mcb}gf8!~k;ZCSb<_JTC-_
zaObJ*hY?jEIUT$qk|^&HMkAu!4y+s@krx;q!;DxnF--V8D|^dGw{Xb@4++K^S}lxr
z=)INMdH_kJAZ&E`@>RP21v(vQ`y1(MGwoPf4q&GVsv4h11y%^;3#{TagBF5~uji7i
zK_$rvC&KPo@8G=C*zxq;ev%@Mj8Wuf-~g$b-rXSYQ7aeZLr6T%h}}r^oyXJ-FFi0`
zl|JW4Js|g@C~!ak*oJ+fc;m9#$L{d(fSewc-_EL&wKefozn7%xmQhLw01VGtZMP5h
zVletm`z^Iic{0bLdWQEk1^~YsUAlX!-A_amgZ9OsDr4|y@VnTQVl^27K?GRju*NWG
z3NisLDMK5Yy6cWpO2~fCA47Yyy?S94?nu>U1e9t_nqB^m6XB^FlT4h&dq`q%r(NS=
z_Fk{Oh<q;3-2y#h&j;$VB_F(sRqZXQ6e=g(ob;7NaVAO~rt{cv?FSd*i`-uC+9p#9
zkXT4n6)Afc-MK;I!k10YV~y*{UN8U|GlD1VUPVR(A#m7RMAM^OI8m^`3U*yfvNow4
zCJ+X;b-M~Vez}BrJGL*_jYWyiH<#0~@4C41c`Ryll*r90PxZr9azo|;hqwI>R?>A=
zt_QldGMixx;ni!XZqJ+Lz#_?HquRZ|p}drsaM;82_W;PBC!s{c#ZB%D_9$If$(ekc
zI_;|_%aSZEhKNa99Jep0M`$mXkxO@(9y2gTJ%oLICU_i{vlBJ1w*!rm-d(%-Ox!8F
zx7pF$YZ_J=yQffUs?u9o&9A;e_fOE-16OEaSkUniLcbe*QZEu-YFXMtD<VwGYBHG1
zU~MMV$n2_`bHHD|?mbxYHVS9kL`I<+eO7PasGb+sNL{oAwzz|mBf`tKS(Q60Yltf^
zR@006D6H=ZHkcP*`q@3{Q>?9XN3J9G1RTb7Z84NhhSqoXOrAyB7LNImDbW?HXPI+m
zR`SZ@)VaYqy+jej$GAqaL+f_o_N=?CG<AMgscgnZ1*~=Gi0C#bSeJ2DR2SJ(^zzjT
zSkEE%%?a92mt4hi)}N$jm+JGD2UIu2e9?TEvk9yyN<Gy<YH-xhfln&kgzIkSR0*%x
z%YZEC46|Q3KxNNMbPH4_S0T1C8F0;Y)LyjHfu7MfkaSZSZTzldAK6>=$3u8XB3xmX
z$Qq#PR5CX%$5>l~JMcPRsm-E$g0OKslgBD!iYzDR3OhsR_ZlK+6JPXO5X)9(w@})*
z`+V^#j-pDgkH#S4<sRFLCTSZC0n8IK@#K136OU{v`@+qH$3ePFhK@T6mY&ZV>FS+1
zy=XXEAV|FB;nQxi24maKXT@ifh)}QGQ1(rMO=VWWibL}e%yilIDinnfVwUxui=(`$
zd*=g7c1kFM_0Z(;hB}DpC`C(<A11txAkTQER(zL$F_m+XX*kc;Vi-X1v|1-=L~Y-)
z8|Y&tlgVTOP3TqireRaRyFg3C<whfQrg<n+Jm_(K>e^n7pqTouK+>KOfP2SHr}^6)
zym|pyRR^Ut-Dc7m*^d&tYE)|+CM8g)!<Is_p3H0+uveILETsiUJQuo$iS7(SK6Dhu
z!V;eE9@a(JtLPOTSxN__E$ZDEjvJ?l$&o5iRf^MH-kC969q=Z41Bu68<-ibH#Putl
zl|wdd&RJQ#Xo`DNE24R-tj}BwEa`E`(p{#bC_{CS(1V%Pl@*q>W@O<vB7I5kJ*bs#
zG=g;0Wl+9psA6fDNGAOx-Sms}o3RXjFJEz9)>yujeJr-3vvua{T$WJK3G1yRuLhbX
z_hFF%v?BR?eEh<(_7&kP97{wWiMG{Jj+d_Is)_ofkzAs$A_t8X(yUmBQX1V~ztQY=
zT}35T+h*jAMBq#h0(nV=V}vT{B9%RUc@B?LW}*!B*b*GQA*!_Uh%yCUgBEv^;)$3k
zhR0A|jeBXTc@C22sjCr!4IEzEYw0uwmY}eD6jbE6@v65>v1W}3`=yA1uWUQBQO|Uy
z^Y+m*dfgC#Po$L`{+!cY6dt9$h-w;69)4rfK%Du2VFwMv378fJlR;mp!V}Uho=ujU
z0<dgYMc|i+DL})`!3>SYRp>7)Qs(88mUxQ^=&r56M#C_um>@{|o>7gQ&yysy7dVoG
zJcYJJueyxK43JzC#S2~rS>M2G2BmFa#q*AS!{xIu2E8p?fc{JtpOg7c>^#*G*7498
zcbSBKg0CgZ_LjEO*^3N%vft3HE%Lotb@p4pQ66VJ3~!fSu|+M=JI1?V;nG$VjWQg0
z-YZ5iEh(8eJU4PU@3=eRnAiZ<U2I#mefkaaWOh~zh?1HhF)Xeh<}@xSXC7OtPV5xy
zB62E<EO{N9#<@4hd-yD<C#q;d-Bv>85iSb#71OD0$E5DFx2A;4&mvzF6+1a25xv|Y
z4_0&TQ!DL_2=s+ULK8qGmWbuG*Z@Gy8d6!p4I~gJF1xCbjh%>SfeUCc_Vc%fn^mgQ
z)To`MuR*!Wy<O$z!Djj8EeOR!sx>Z=%4zOkZjJJo@U;a4;e^cg%n3Ys;#7fML@8>F
z%^2a^ZeECLnAb5!T0)AovYR6+wV||b$&f+-2`-BCc5H~9AMR~ijKw1cOB++dXS<hG
zwb0t^)YXe9m(gV;tjM#%`xINcnl~GsiIu<O<qWN18-Hv&vedDmbMN3~m{Pcp8fKbo
z$GwvE_r&1v^``ZsCq$p9JAa{WkPLOT7er=>nPYTX76WL8Va;2^k5s*H8)P6NyGsQ@
zsbua@w4un}Q+3PWB2|mNnV3AwA>j9XCYlEsk>S0RCXyP&BearZdo+n^yYJ!!DGdX^
z>*&g$2d}JTLvs@;XHwZE=D1upcA>=g1q7}Zx)+0I2QN}^dLR<Z?o(WaRlvOyADn0U
z;-1N?ZHKMmy;%}R<ELP%^sZGH<yLU8fE=FcAhigOtMR+nuT+ed0iI$i7%4tv#!8Nt
z{;oFiCIim$FxSxN`TWJYX8FOflq(?Vd$f;o&@pZ#>CNpfwcWCTW44O~;Lzkd3Aj?e
z@Yqz;%LI9EIr0^_c-+yPmnT`}k|e#$c!mIvj%K!b-vvmgXFuyooERc0I;F>NMi`y^
zP1)!&*`7R8fnYXzGh=f*`hqJ_7>aI<g1O&=zT7j-=zbC2SlZ9i-=<-K$>FMW5Jc^a
zs2~SEORmLMhU0D56w$)annOP6_mt766W@cbMRT0%nrqS$B_QdT3SdPQZ$1pR#KLDh
zjs&QlnB@b#X+m}&@D8I{L0DfeKJKi=HgeT_wn>K|!<_F39A=m%1!8*&H@zW;UpT>V
z^<B60<2v&muif!|!J?Mtt}JLh=x>{!Dsf!KW4Pr+q^V-`dX#&_Oxhi?NHxUoUJb7?
zGuXXi#j^FbI|w}@i%=ScHS@)ON-4*-oSh4z7|gXu+P?FgD`gGOo8C<zkC4pEy9|`x
zN};Y-N-7KRMvK^ATfc`>aH3msJW!lACE|&~`}pJqK5cakB)xrUSJhw{)JcM=I}fl6
z(;4LswVQm9ovzB#U=H_aBvT~88BxXT0d8iGd)*1X7ziAw$`#p%D{yt>A+!dD5`5!W
zN_xo{JYix4;zwvZU{GN@Oyg}6(`yfg3=*);*@EH@mN0->$LZotG}S$b^QVqDi^~Qu
zQE5-rs2FVJ1!3spdlaJE{mFXJC+qw~mpP8>T$#_TkdH^LOKYO>B=?Ca;Yc~MttgdB
ztBOnK(Q;t13q=Cv;~~=Fry+sz9OXHTsK-92Cr_*=TNixZQNg+|0Vu#I)x^o>vHP5B
zG8=3X8GxeGGCKr7xO#JwL-QLO<rGrCGz>5f1#qjEn$`Zyoz9(pKOf7Jpm-jMRMh6^
zwzLVh=jFRcHthmH{c@iira<j#VzXD;qRG97ss=?C{@5r}Q*n17)nC5Yee}RV2{xHC
z&X^H%r8fc|2>C@8M_U~I3H!#_imVrj6Zow*wm>fj)HxdaY*8@-IzSWC+hB{lSB=H}
zj5v~}0S*bKWeJgU7P<WaKN~H;fZLYLJh9=87BDYYD+-WdUp4l1>8W~$5%N5;o;^Tb
zrDwrj{`h4vx}hFygyEDXS`;FgWf#q9X-UA_x`%i)!G+K-2Wsair;S~MqP_X`!H%lE
zR#xxRD2~^$*_5-8^}-D;#K2vXyuk;i+g|}Hr4LJ}!_5#AH8n#r@4FQl$Rh5|Sq6O_
zzZ_d|K|7P!TUu+bJ6{5vcTsQsI3@sHGpl2!6%jUkA0sH*B=KFPq^<PBc#T>HJ=zx-
zGkPeKPsxs{lt?y@>(B*L3>G48U-{Y?Yd;oyX>82Hgiqe1$?V8@j4R=7$d^|OLT76%
zl{ie?wa|s}C}TNn2obX->}&-P(pA)2kkDCh`wg<<;Lr%4tebGVa1W0{7*#{C6F6tN
z%G@O2U|TM?an#k!U{v*ltfxGH5DHeW=4P7!lthe*el|mm9Idk25gO4N{rZwYT4iAc
z^NGtm*&GABE%C!_qcL8$p;oy9qed)xa@VsjL?T(v9jA+eI(I_qW$D7Q`ne`OSsH%^
z4$Nb+rk-?f3!l(?&rNZvpQkS%gV5BlCV+A-kVxfKYC`+f6+;)}^ki2HtD2iWuK>(p
zp|KH2Xhi_PtI|W#02;cHFW42n7p46yd<Co3*=g)Oo0nB4({Z=1V8|Ic_C#=z03=*t
zW{I=h9vKmpa-SJ9N*bII_Z%6_zFW4L1S`dkJ<2D7$C4t>u0ZUUHLIqJJtn75B=c=<
z*1i&)c6<|8w3&QxIC1`XtaGBRH6+)$9>sI1hT8Lxio=~_PI$w`2;KD3BDIv3@3E$=
z&$wWdi$%yxofM6s<(9KOgvHZj&3;3gc2UgXlBc3WWgQH<p0R#x)5UvQ{yMWSa<3H8
z>-x@?x%M=kZOya?y84SU`-}EEq3kprV(b!)d9g*~sxerkObtEdg^cUgudt@@2uK+d
z6(HxiJ7{H`ObMj*-Gz10+YPgZc^+|$d?(E|>fsD0v9>lvI}?<5@9OCdhOgDhI9`&)
z8NZv-iU!y)1{DVic+(8sZwd9z$kOOYO^H4D5V@7s3IQi3U*NtZkhbEWvQ6^wr`f7v
zq0m*!{XFfR+a{hTilkCQ%1EUXPUPG$RUcE=Ljh9D&0GOX28c?ZK7+)Ux6?&PDDe7j
z&GiBA%M6Es>#+`S2EC!4=v<cBFh*9kS>S=!NXQ*(iEN_&ATRa&<pg%BPRt6FAF#iR
z5ThjLx?uIxtSy#%Pc{$Csewh`Tpc|O(MlGRnW(u$SUR0^H)oW3Vy?E*L=}CHqu5~v
zI`OQBA6-v^Sjt7NI5=`z-#Wibf0)u!ZpvC+Yd{qFcCD)(1g`{McDp(pg)hS5^EWT`
zxuw9nk!PtpK^*Y913BCxLlTwK>($J2NsWxx;+fr`dbPX~ZKsRc0LxO-7~7<Frp^Y^
zdymH-WOu`JqP>mAdI7K5t}g?xEv>|f!BlpS&>rJm=)pkG2`G&h#tU?5w#!=K@HA&7
z8Z4TGsRNx{Jyj&o3*VX|u`0UecHPsp)_u5UqV0Wa&Cb-5;pU?xwlj7FoB)xrm>hJH
z^@}LG#G{9g*vQXQ5Sr}-b?KXS|Dyd;w9XzhpT7_{L61ggz9K;dF|qX9?uQrlY+sYW
zD<B15wTJ66md{_jR+|;na(Tc`TvzyH->W04m-H&|)oJ!nS(Xcim!n%z^|0{BzK7n~
z_2@=Pu^;BzX$$XZT2gYyz3p=BeIhb^ki)7o+z6flFJcUUF~a&4$z#b-dG|U}4KWKV
za5Q6xP?>3xI_!0gy6l?rs~fXNmUNaIUF1&*65LSdij`IxM};4C#)xLXIwJGy!R_*c
zS+wZrVz1=W+kOhIdL(qZ$~zref8h?k#zkb|a_(h~?wn{bP|<PXH3a78@mw&D6$G&W
z0Nx6w?{UXFjrtt`agO|jx+8eb8L{c0nk>(~7ttUjRyZY06Lhd-*Af|I2heQdISDr*
zQ!$SO8?Y--t!VTiEC@1K(&jNr(z1E2ynexw26VtnV)(XcX>kNcpSpoEodUh&cLOew
zuUI`pfYSH252G$DKo=t#LReV=3d#}-9m*L|ytTszUq8dMEKv^KMDDwX2$?bOxdvz?
zUJy#^O+;@H>F!CAQ30@%%`7Yy)^R~YSE)hgp%ywr>$<O)WjF0G$7>0%c%IvfPHbqQ
z4D9AQ(OI#BJUMZ0bGXsZ7!bx|I9*Y@r%v4#X{_h!xp!5$m+0-j+^LqQ0Pe|gjYW$y
zBIpYXa02@}h}t_9AQ{i7!sUSWQQ}47?c!okoEYofmfJStfxF`7V|`f_4zGK?oy1(;
zO+!J0*)WMr4qnE}xJrj(B?>)t^0j4>lgVx_dp?W4+UlttBxTgd`+zA>5p4szG#(;2
zF0Zo`gj#fhf>q^p<6|uHS2@Be`X1O@ncN)}#=;v2dA5^uFqDFQ<AyR1l&`?J06jp$
zzl4T;cnwX8b08rVoROS~L!3-Ny>diLa>z6Sy)?7ZvT(iQ++CvHWIcqdq&u~mdDpQ}
zv@;83s2)ZHStg1YCX3Iegk+XkWxI+d20w8}{ldKzA7Av_z!?VsV;F##aZqA##1YIw
zVa+hEF7$cK%2b)sBLOeZdBnG+672zwY{MaR4+un8y_<J;fkuPz^5D#ggl_OXZzJYm
zSXic~L?%TvfX)4$$6?H9)Le*fE%`o7zFR6e^mOxwePs}G;_23LNjPOxNgB_hXqujL
zy~&W*79^&4JC9fivN!q33KbKl8NJh_C-#g{EFbqc2|d9kNi2Hgq`kLT^VZ<5QS#wh
zgM<^t*a7fU3LZocEGG`DHqVr&&x4XUWX>CR?=Rk8y(NT&D|;g9fJr29xTeiAIS&`<
zV)rq-GL*fMywRc2%bv!9zLa;YDH`<pP)ln%OH}VAAjmS)j;(t`jDZkG?PJzA{G^db
z5It>yeEP{{h9lBBjH6~P@Y!S86j?h{p$NGKw!G8w<pF8pgf_p48wUT~!K*b_dr0~q
z;$6o|*A*MEv%Dq{ci7!c+KI&QY-EvVwMk8=sbI#<0L<KAeJZRdvAJwF+HKLvZ(vB<
zVg}#6F!t2YL&tC~Dc{_23e%2)*4KejO-XZs_(IXMotD{rlk~zK4imKo<zV%(zj!(k
zr_${!y#zhMSxwDoTB<(i_%h#)bJwbucQ~b=JF8*$P?W)5rKxmrtqlymu<)yU%wvO2
zaW5}}wV#L=cZg@uljRL9@>&vQM1lp_TQq;b4m<(D+A}z%MA3k3??vL7Tx~08zIr!3
zGeJ)_wdNhF=HR3ACZc6Y2N_g7zirWB_oOUUd$y0BuNq@42CK?U4v!P^3r?QIT!@8j
z-j*VWMhD<y0MELOuw~Jzi#WWAdbk=Dk1I7eJ7-27FIO=ep#{UM3qa1;eu#zINdeHR
zksgk<uOvNVUL6kzkl*UO2^-;xTIP3AaQ0Th90nq<<JsUnZSL{T#4Sn}qRd2-J6g_1
zF3!;)5rJr2+gPc~v@fDL3sO|;sv-KY{AnE%J_piI-ig0>?_lhyX!0yb3p`qBU#}8!
z0VU1!AduRAX-lL|58q&T;pKbRMj_Af3A?z7=W6@5UiKrF)@9*Ay`&RtM%Bv_oFgL_
zKN^K+2F(y|r_4;lZh0I%(k}vgU3`;LVX`z;@-ZWaO1u~LvWdmOW1j>nl=bX1(@`u!
z1_q(IoR$&sF4W_A@p}4BQLqH+nT<k-M9>=u=blsmaEc1lEcH;0x2H)MQLl;4rbPe}
zrJTf>U>|Z5Q8fTm^9tizopI`jcm5unv<}vCwZ(xaCM4@$z$?ntF^-}09_*ZDL4ie?
zCa2X=A*4mp-TDwM9i*3%gGkhk@$#v!X&@=56suq^?6d%%W`mk7^7ELWz^4jpqNIwV
zL^CX2*15cOILT)@1!kBIQB%wt=x3vjhPb)5<7_O6YxnXF;vp(kU2T~33(i&N*PFw_
z39u<VB`K2W{3~O-*N@fMpAhX_U8axe(kn5UJ<qyQ2M#-wcf&FF2wF(J8vEtGGkVKD
z7>{}ixk8j;x`i~3HqDOAo^V|t6iCfZ&}ez(g#v;DitfRn0<6P02vh{|Yh@zbD9?2=
zd#$x0PC@XlcC~ZoC_*4clP1OB5p*geY`8oz$;WiDk!!kSiv{gLMIDdEA%`k3eU!#Q
z?q)G`8V@ywDn{_gFIR=t-O#B5DZH%cX4$Cj#`QVxVwo40sPMh%=eNuNy(jRVAC5(_
zd8;{YC*gy>m#z~?+z(ASJd)^uNX7e7$=~adBS|1Ec<G#$`OZBch;q<k#A8`Yo)oOY
zd+pC(kCwwD-t)bB)!G$(QVDf(TIf>#c52^29a%>F0%3zjDIFACqwj@o`(jGlF4Wj0
zB1CE|?F2cHls|th(z>$)Rk8FI<piEPLDUoQtL(DL7J`LGc7*J=WGpby(x8TvEP&V{
zV+GW(a42=&L?mP^*f_~q27StrKyuz8J%O?Dtia-)a)*5a|L6;N=7_z!Y_8rEGPb?J
z<s&G2%WmSefzs}YcPkW8Pypi3lC|gvGP+*tDrf9#QBJak!`2)Og=Y_*ZcE)_`n4uM
zX+oDBI7DuN^?J)~JD~-d@YFFnSl_yGijR`(nae&(2WEaLng_*mn$==E(p2a&v+L}!
z2@bQntD5;<)9PeBCBbGObt-jYC%g#nN2m{#DSYwr=3!-3-<1S+pu4vc23Smh-4s9H
z@eqp92_>W(k*p<n5mS5fn224#_-Q=s*&Ght(&cn`;@NGkYy<rMBHn?Y7-zy8Yh?&E
zTUoKVu3ij8^d(emLRN+`l6lVgCKz3e!@Et`L5wfz_)PH;Bl;^Ve8R&6o{@uj@aTa)
zP2^$72Z_BtI1^oW%Ls_eFz@<J<93(7XMD&6vE{D@)fE>N-Kno#Q{JOGcw)28^Sn!M
zRqlNIwI|?KPBz5VhQi8-oC&#kDtNtB+jItjHxi{vQcPlS#%fqhYQ!2LC1OIsLr}UJ
zZ-8D%wmb?JyZ|ZWvAc6kX23IF?Y8pgpp9`4^0ZCN?L>*F;!f?I=tET5@gtbThib=j
z$t{mf$Ck#<^mtQe%)sdONV8wIoysOPAL8?{;RD!TMbfiSsj&K?;F!h`C)3QiUkFM9
z@4FSd;_b{OJq5qignfXjCy7M#8X>1d9p2-&@qEj@{l#8f;I$=G%y~r4n||b|+Mf5`
ztc$|VhHpQ^B#P%G#E&k;47C}=%X+SG#!kSkhh=l64wL)k!fTA~5{GRhnj7I6LeS)u
zR5lSW;z5}Qy>y)*YVSM(0p7ME85~)ZHO;CG#)Fg&_70L5-k6#!n&4?%WOy3J5yG5!
zKh;AtlW3CNOEJSX-n;E=2}4}0kx-jM#|ND+_$Gm*@;xqcvBaJ20-#FK>E6Bo<`oO%
zH_cWH4~!<BDA+8n8h41KJ^}BNVal_ca$t$$q!-iX{Sd;|ut9?ug7TAihA-lGyUK4a
zc~S`tZa|IfG;AEt-zngo;<7n{%<D1%I%<!)w|=5K!x{q|4wlc|DQ)+vU9KZTAcQt9
zoy+sK=JlG>@T7zTkdqZ|g}c)x9;BaTMlaw?-Kb`zE7kVlM4u#Nz{QI9M7NOc8A<6B
zs`JqU$nc6pjFlm~GvK@{MPDQXU$fPfdyFqqk`W)?;OKkWWR!mW3>*#^+wd{gu4aiq
z7bijLOlkT8MI04!wLNIz^1{Yux8mTM?wgnL<VhACJ(PetY6hhn$`QW+O&XZLkf*G4
zgfc-YtXF6eA!mBdukOX|lvHSt+Q<n@Do9q<J0&X#5m58uef`Q8LSiJq&b=I&@uf^~
z0U%y`HM2ly9~Q?TUQzNU?%@%}*~~V)dTM?&Av1n8Wr+%$2jeOCrr%o<OX1G9CD0rV
zuUbS{^65EP_DX6Tje*8Id2kQ-7^8e-x*R+Jo>By>^y_GrYmT&cQLF75h%X!7v`i+V
zRx6yk&DqowCcw#w9%p2=CR;tonv<Qx^D<?9DjBcRaPdx?eEem}=7U)307^|veW5~<
zVViY)8ZBB+$Q%(^)%YTIhRh=O$y4EQN`xk=JiD1?z+Sa=V3zm0Rw1t!J~J!$=o&>=
z#4RIVy^%+8KF2MxuJ>;Hfw_+_z?_D5H*1RW(KC!kOPDOe_)y0C;q1Ib#f6iQJ+||!
zpVL@k^6c{IAjn}3tU?Fc0Zz30B>=(W=uR)dG0VH9*U2R&S%=GHq(z3eW_NJwn4Sa;
zn(b2>kx7eqAl<T2Wx-{O=WNG_*Q|u(I3z|G1~Jbo>ERkEoUz>AX>skz9GfNaj_F&f
z;RuS=_V%}JrnTXoF64z*PoYl6sz-(IBC&6AYvl9@L-<gn@O1k!ZMBD2XrjPdJ@^$x
z3AZTuy}g&An!%T$oZ`kcbd#r&s?Ycx*cOb|tH)$BjM2WQWNISujND!F%@poyo^Ry+
z6M5x(%h@aKj6N#2P1Q1#58e!m!()58uVBtFAiUO+KxgxWMk}2jYUjNNdoJ`$(7k7=
zUUUa%GKZL_Ev4@}$r$x@)bc@fkE@2QgLpB(rw`uCja;h9vRCd+I$A@r%L===Cw>Ka
z8PqK=&f9d}K-gMp>f5R)akrg&eP9aYEmb2GQ;!gzVa~fn!r_fNW}-M=+&)RTIM_-a
z=`ABS&m!t~uqCM^k6yOw87Lm7<7N9}He6^4k#`8rCbtwY{8kf0a^EiNl^PSBBd2<E
z?OX5oi}@!`vnLJPuT9X%y5>$ML~&oj#oq0aH|S$U1wn=+Bqfzg_eQDMd^yrLPS5<z
zv%@P>cGN<H?d=4b?I9m?B_UMa)^$evOxj|Ww7O&F`YyB+7aPax=bKi74v${jhEi7I
zY>+2pS4wEnd08I1lgd_5OKo-RK{B2OEte@pKr*;$Zin`67r|bfb=Q@@bYU0NXC97t
zJ667s{BBVClB@7R#J$c6vB2{JIRP>?+H9H^cC*-H3wk*M+KGEjloMU`geSaKET9+&
z+wxZTNQUSMf-29pzIlS;5z*1pE%@5oHXfR!n&ktM=pu*ge12`|5mu@%DYhnju%Dbw
z<7C#T8Pv@y=fj4FylRKMb{Xl8O;`;pO?e}Sg}lc*7dg-AY-|BM9`Bh_F`CnKZj>^!
zXXV-($=B@w!NnKhuPbO2`-#YkHw>|nu7kaP(T^Rjs4~vgqGDaq`w}<^jj`UYQIe^s
zgZg{Cir~?kWY!1sc=Nplf{@zx2xwbl=piHdOpd+-z`5rTm1(js#R%&0dRyvS&`HKf
zcJyVh2jc~~w8S7FucOyAo27+zHc#mpDI9t*96SId=~d%eW1gl2Bc(*vu2&}^C9%a3
z{9=O7@yV?HN^=8Y%v)7qHQWe|<^g;{ZR}V)4!){yW~%Pd6KC$tH}&XM^){MlHM2wW
z?LZ?h^1M&xMZcII>Y}mt;Ju3td?63X!JofwKIjbNb=y{FfDzizdY2l`+2Rv95YJ~;
zGVB5PIC^s^*u*T6^O~X`mgkN?qpK0x5f-sLCW6a`m`i7VfT$4_HpcJ#s4(}QJliUk
z>5j!WSNxpGcQGJ&Z|Ze!*}ZrV(dzVNP1}mq7NcR?Vh$-}fw(zn^Wd}6hgt$z9o-9a
z_p)=6t*TsW&1@B|YQ_AH1;d%Ap29+gwi+M>tZ7xqkRF@^w<jMN+Gg|GY#jC7t7?%%
zTQhAKAQy#4sXYie<j?<t-W#Mtp9E8bDmFz=!ZUfl07^P77w)-@sjZ|FbZeOWs(Nl^
zdK$A*6=k-_Ca-C4ugjh&;GA^vOrAJGl}EO_zGs0!E#~=-Zu3C|@0|EaMu`7z*YTRK
zGDT=rlyf1l-!`>e2{KzagM?9Qunmibo^7CyIsqA1Ht*mX;kxXq``VtZ7PnhxaF^yh
zA}lFDkD+^!!cKQto<W{|%Z+GGw(o7U7Z6uJ*#{YHGQt$^Ftq*c&MOulTQyDgp=w%)
zoKRF-5j_BlSbgmcs-F1_!8BUsy*xf(M|~o7yzWU`l~~MFdr%!`GcJjjOvd8zdhpy7
z`H3#mdYBVd%|dh~KFMBDMar?rh<q<>sH*h3rUfM78O>StJ}i0k(A`qem)BYMEsKMB
zaaLUN=<p!=p>F?<p~cWMD8UWQc)K*$?W%W$7v;H^!2IMqq;%{pU8YCfx!fT)zGoEm
z%!34%lDeLkk6f&tAM76KB_>)riR8wf_$60Hji=u%>y8xkZPax&LCs`6bEHe=g2aqS
zJ%m13t%--Fc}tW>;q32<ho!nVZY)|ddTHxDiLNSEdkeQkgKBo5iE<Fn!F4jD=cvGM
z4<A%pJbe5#h9C2=@x|-cvE^n1v(UHq1g}Uu`01<?TM0g)&cN4i&A1FyB!|8BN|%R&
zQ&$msLVdkk@x2#g9*sKp3BB?c^hXgMB8qQ@k-HIbPWl)7kSYsWQYhGGDTNbEw*hFF
zoK2@X9OPp;&+K?Wgu9Mg=ndiN$~}wG;{x)Yt|&C|dG$i|5!2o4(w)_OntC8pubOdT
zT(O>W>1>NvLFhm-(Ty<8p~+$`is6+|uIkaaCY?HQdS7N&Hm7k=4)A-sg~Gyleh;Z$
zQHq%f?Axn(2J7jajp8JZVR)6Vl51d0*U%^XoZp-GQew#MygP^<uO%4*V+rX#kG+Cr
zC{6TwnWy6Gw1aJ~4{zud_uC@tce(BA@+bAYrsBs+ryeNX-GNr`ECCOFW8Gg*;-$8W
zF3l^mmRGUS&l&fOD5Uo>`omb9yrUD(gzocbM6hOw5|Ct_d&sK>C1~=x_ZgrQHD4|s
z_+~uwxLiz6MH9Jhv=eJ@-^WbgNf8l}uiuW6s)-KTTp6s|kttznUhD<w&eMBcsL@eZ
z<va&PEvP^N)JP{7oAmk>mse3CF<ST;rLni>^74y5zCO50GzJ@ds=!v9K0El{Bw9*0
zRS$1Cy!nN>P17E2EBA1V=yX{7daYCr+{!I8EGtc-USV6IXV{5Pa>-`ox&h={8hj*M
zvoVzucA0~3%60tsxwz-xhU#+KWDQhuz5tur8Y+?qLoau+2h}*nfeA~Oto~E(ZLO>b
zF7)0Io{OlDrdhe5>@fxSQz)^{u_ypwBc4GtAg}7poD$?=8Pn@EyR1v)My$xD>hcF?
z))v>LmWHDmbv8%$%1$mWFEhlj@hIVW&}y}qYJ`Kzi#))_bcWGFb#-kyaO0|cJIhh1
zXc$3OvX7PzBb-L(Q3A_zvjcAl+Um2+NAJv2b=R?1C~RLjCg7g(b+GW&PNOuwd~urX
zRgutJ$m<s9ct(bCkEDE8p<bV8_Z8FK1@z%{xE*JY9S9vh6C;PHnQI*#NIP)4aP@l}
z6vXEhl`=uxp_p7jPWO-k6#;SwLRILseo}Ary@E9hTk?o9$|qVWQpa;IyHk4#fpLq?
zYS15NTx3^2hNR#zilYmgd#MPuaEG!}(K<54sLT~^{1lMkTKR-B;T@1`dn$t(fLb~)
zpap3f@bf9GdWy5RYYz<wndICFXODDnZ_KV;UOBq342a}(kh6uZ_-oVETjP#w61Pm&
zOh0$vquUaH+RgQ{va*~hQq13?jYPyfBBm{gy$3y(lhvqWG&KcbN)OmNJUq^QkT(w~
zjgV?lw`st_F*75AW9B@zC*Zx8X4SkH?&*|u*4BBC0{_JREn1gGIKR!*2YyJwPw-{&
zav%{rAU#%jduoU)q24#tjZY?}c-;)F#~z(LuK-5&f)uEmd1r(o<B~-2w5jHKO$`-3
zWZ992>vFX4FiL@F{RmN3FC*3`Xg!P3(>ZsZju@9yk`qKs$yIfNhIr)Le&B0b@Y+xN
zwe%v+!H7OFhUc6_7r@p+=PimE&VGQvs5V{;$<=ICp327PP}Tc(H4xd#cv|e{M47<Z
zXM65lOM)tUV>2b7(IwDafSf;cb~;Coktb+^v$!LvPmppoxmoneM&$e<Q)jaU3%SJ_
zUYl`8P247nLUx(C_K99r)jW5s&2RukrKc>_heN>Z*>xJ1gYW>r>(VIvX7z=>=b9%?
zMGrRisg-$ip-~}I+a5n4YFFJbIYT5jjOl7ped9r`&ExK?+G-PPYI#ERu;NX|j(JFN
z0m{TUE4_XI?uHfeoVLyVN}PzAXWSoyaBHv;5&Lo4K$<PrP)aj;l@LY4(st~;g|`;_
z&WW2^7k9gj65l??W4*Tzz@=WkOK6dkXwhC2kZ1cq`WflV9ry9QsDqx1FxRIGZ*8^=
z@UcuVlaZ+Mbv@tN3wqs%eHEOGLIag+v=Hg|@-+znT~^{$H`ECNRkP|m_EjJ|$uYW%
z=_eCS*4(%<^CFe4kC-%8`Pn5Rw{dBs0#|^xpJXNGf)>`qC-x3s*vC<$=WNt-XmegP
zxH5eknFMmm4<4v(VfALbIhky(lcWVGa|}5LpCi6DUD7VAeK`H(z?pk?P}HiD!o~Zp
z!>%X*;XN$C(R^1ACAzV~-jK-T&#=b{$)MO-Q?c{xh_NoKUK7kC<97_CC6V0S&n4*r
zp1+2I#DIdM0n9Ex7)C@~grnm{j%Pt85|KjF;89O*M(A-tUs>sRZjI>c#7mXe(m*&j
zdJ+VyhhCRAwOt2U0Oa`I+YzY9h!Bp(_Vd;^rligOh&C*6<j#nKfum*v*WUSG+*9oV
zWo8+hryZB>Yobiau&AjF=nYIJb6RuB(E&ZDJpi;4ZU*l$AiH`XR-1*BSSYZ<7+kYk
zZl|)jrzV`^3$V@gE_{bpxm@xESUq{8uE>Itlr)HtxQ{r<^_eki%X>l2_4;kq`8eZn
z<m0op=y;MEy^l#W7VVAO9C*D)$I?t4_0U@j=vV|md}%?$4j0#S8m7$;XY(wXt4bV&
zLV1$(oxXPvx3|<v$H`6vaUF(I&`eB(XVs3acKm#TU~QuJ-h@}yOR_9ke9A8-UrV_e
zH{fc3GU~ywtBDDs@j*-vp-T?2_RJGx<cbmrTmdMG%xYjgV6Pf6(@7L5d?{gYr1j!$
zc0HpS^5S@$dL&fMaz<!HabuP^+g$_&3LP$<;q0P@3zXF?(-)#7vO*<8m=Xb$?=eY@
zy1Wr>bO1OReb%#d2(hgbH?M`sR;!8C)3EQf#n|);(*@=pu(C9)@`XkUqasrHVqsj!
zrjp0ArkoqmcljXv`7Rq=vLie+G#kYo=cu?%VMb^-D{N^ACCQbCyiTvHao&tYHI{Pt
z5}ggoBi|AkaC(^-2SHTJqbDroNhG?9jJq}HH>k`{J(p(|ft}V(eA!j5(OJ3#P~^mT
z(JWs<GV4=xz$RzAoq{J@Qw?pYHiVkInYO^LG};jJ23X_Gk<`$>TS$I64jF_r`OUq5
zai5D4_b%U43;@d2>R#`v85{DIoft)VEFsMu$FCVEqw3+kdVpOwocwyZiF>5OIl7f3
zwliQUEf(;uvcW20k?oR6O%q4e#bDuuKDUzUk%;wG&D_EA#K4wh6Sh-)_JHtGXLGtl
zp1z^?nwS}m+TK(N##zUuq=(Yp$SDamFxX+h++L1>-D?A|(YSkB&K@bHWi4WBF~cX&
zpn`Z3aiZ;^^`rx>^i@7-y>kevJR4N;HM<TOPfdQi#SM7x9XvO?ATzG@Xhh^0dDwus
z^78RCu_qm@{yE<hlVSSP+mJ8>mS;>G6Jp`m)R$`H!R_g;Cw3MJKBIKW58)cbNyrza
z6QV7H2Eln)b|@bZWF#d*(-XNl5ZcN_04r#~#ZHU~DJ+nNhiXAD$g)ZIy&X-b*G7XN
zN%aI=g0yDGS0XvO##%uUwN4Z+8=rF9iYsJbpxQb!xQ?<{*OVNxcg}7tb<$8j-l$m=
zneOO|m?AQl@smfE$5<IJ6K5on<VY3eMz?gt?vzb#5o%|)YfyWgA+)D8S5nI^2kPc@
zy|2T#z$xEB>v&6%P)It~kP0yC8ncDq835hTG1~Eoyd!&WDEKa*m16he@}OQ!M>lV3
z2@F4f8n-Q=RgEt5Y$j<BTi3v%AZk6{YGW%k@hXM3cTNQ1G&&u<2C^=bM@aj28JhuL
z=p#yg#}3f!*^``#;mc5_2dBN}Pq@0e-vhL(2mRhy2IPtAam}lyt^!{NsA{_hF~)H*
zluu})$hn{R9U(*wHT7=mx>Tc<zqC=+6{mjt=0$1-HHIc)zA%D!(W3a4w%dy;u!-W<
zT!10b*rnc74i$<t8DvokLQgtu#9~_10=AJ-6WYvb45*vDi)GIDGa8}FGUeS18%x{{
zc}z1M_IhSR{FOiU@kbS=MIuj$7+QjCh!X$=E)3q|Oa^XwIPsKFP$$cA;l@J|o1Tvg
z3%8EhVU~;)wN!nAANmFUE8nn|yQa}(xU^Zj-s^ySh19{Ymc=NKa4B{*XfE3#3LrXS
zdZrBgdL_}krJw9lxuPMzo#tjJo`+8rk0Wa)UT<0qq6xZ#aOkaO9|bixC7x+9ybK%b
z7cqG*#hT;1sKnZ8qyE&yYW6*C3K$s%Ty1==S&u9%Ppe39qiForgqw|>%4nfp@Mf6?
zDw5u)Z`!DA#T$u};+AZNvwrn#?Vbi71rs-Mp0^+DN%X|j;gByZ!dXP>nRgBjOU2Y1
zn_W%=iL8x4CqoW@6&=GocB1?wbokz1<Udny_Bx<}smPqXyBZ=-MvQDNOGlY#<2K~Y
z=Hg0DP&(TPr3&w-m|7C*&sz;U#Dgw*oid~qD%LB_4aFV2sR3&9)edB_v)+iUKA)i|
z+F_fM9t@3m6iRwpGlN`Z5R8^#l<Pn+AenQE1dlWP0tpiXgH%+TBU+vo2}o{LSVwc1
z!^#4H?TUmN+FC8sFibt7nw7E}A}f?|D~V{s!z0-8S|ggNdu@8LDPA0~h4?~hFM*mQ
z1mxg(G3-Ms$wR@Y(#hC}1ww8jj>Pqr$7AYgQ?bVy2C3Y-a>iQL0&39hYo^j%B1L*H
z<t_I^^9zaKCz%};ngp*0INS#(WU-_vP9JTLDgl>OQQ4X4(X85ZogJj(U1ATqfR^9H
zRMkA;eLc_p2zRz4dFx@cscz+4To;vs?!Bks60{iL$VLF1x6g09&{hXi@^*xFnIk~L
zd(jqRc2q(opTj;D>Rug?cSMKlJ;Z6+#;2(v0{yi3c|hCJ3l%S$)Jao!jd>IL-m5hx
z%Ce@C2`K6p_C{5U_eCVN93YG8zRJMJ!B9?QpQL%hriEq^<+LfBrJYcj5I$g!!Le<G
z$|fBJvR-5P45Bfk8$h$d(|v)yl7wrZ7Go4bKyoFt@z@2T_z;ef(%TzxPh!OKrCAFr
zk-T<elY1VBIaJ{GXlkZgM-z*md*~yZFY*oelYD->{jd-&Z|Zg%X0#@F9nLCaIx+UZ
z<ZKJj1SwB-G`ae0P%FVP5<MvO8C}$q>b6ctkzI^+Ca)$MLUz#|xr}GruOVs{H590u
zFx28y5=Hge9_n%TD}9*gSIiujnwO~grl^_;Y47AktM#F?Iyk935sx-R9D8-w%MXj2
zfrHlcO^}5sWajfNnnq4S8l!g+oOr9EcRYhEg1x-fN?4RB3Y-W4SmfsEVM(6g5Ymri
z5t4N13e%)+l$!(|M3qP~AHAw<7!lOOR=0V@xJOrY(JeY`FaAP*GkDT&=eUSMo!*w%
z!HpxUAG7J|1v~+M=Uf>=fRg9F>hvCAEYHJnh>XIQ25(n4qUpin!m}~6o7Up$edl;b
zYl%`ZIj+Z!I+$~C(vMen>9$FqJZ9c&MysqvZI+sau2-O0gK<yzq*5rnhh1lqTM2d8
zN&9VK5n&UjzFM0$!SgI(aR6xYc;*mKBDpyTAUJ>>MTdRl8LRHyfQup=5wdX3Oo(8B
zVSB3KW?rS0o(Jb6V~J?fItXP4ynJ2?=o-Tfyc^e=Z7W=yIxa+kbaL+~t+i{L;PP-$
z`MFO#Y9R&F$6`Y!B;;NTu|1cG=|L5d1Cw!$U2hZ$%Vj#`^+r82#9Xa%O1#iMVha?h
ze)Y&5-r(km?!o~Py*gC8dT(_N1CB9~a8{z?HY}k1s+tPREN7x0>X@V*PfZC;($2)t
z6K%~jOYH5E_aLjEQyP1F7+sC|Lz$uEoVoX8&__B<*p%_KB&)gQP?c0h<8hn0MM`n!
z3|V^G#W`Ab;R8$eFc^xNpcpB5X*g1@FC(m-2e8DaQeJeQYP?bab|fP!5*{LUs1ayc
zutTLOiETt$oW65>)ueg`{KN<-2aH}ldo{;Vxci2ec!FtY{X&-UjzcSsPo5}XI6T!$
zi&7;4>pb_&UbG$M@YR`8X^Ys@@V4^gsAC7hz8?^wMAH1&v8?eEeWWk+tu5q@WBU;J
z4R)A14*PM;06Z3*RbZ2H27^6zwtnxGv6vKI`%t25D6>nxa(#T8`6MJWG3i)B(nd>B
zp6Hw1hgI3kuRY(}9UYkv&2UKdr`jZBB?7x4Kmv26fty_;Bbtj`VW8@@XxtuibesHg
zg$^Gw>5F#f8>M{euc4m>9UO5MKJ@A$Tf$>|c3Dbow)wpJSCV5qn=IwVcUx;HR3}xI
zC24;0SchM?F?Q)0m6eCXk$S1uDP_$SidhQr^IPPSKo0K?IWQ!0R%mM(=`BvHS#e)G
z!v2eWd#gsvT4X#A!Xxge9bNM{<CxqCpFD_mQNqX8B0J~vO46nT3y4Y4vvf>g&!o>$
zn_j}qC1FlSnD()yhS&yjWfstK)3if044vAoNo>%ViS&lbCKm(CC>kv$v~d)3xP@Fl
zlT7tsL{F?GCroqmAvp=t_j*^vwBDdBy-pidHi(=g*w>9t^8mOIsHRUuHBX3I1Q9rH
zyU$@bwF$?%bFheKW@Zv53!3g27DNZqQ1ao-6ScVE<W8>{G>Uh2qwir<NpaRZ4IeSC
zlzGZ5Ygd!8S-^3cUS!rF@q%O0*+JlGndws()l;ImXE$${_6BqdM;e=)&CpJ8=;`o7
z<8VQqki}zhQ;lB7m?e&__5m4@rG7G1cdr4hEqz1^3!S&m=*T_Tfov(8x>m)bo*+M4
zbV+yLlw2c>3M5>9zWush7`|5~??EA>=Yh*wF<o)Lf@92(Y8C%o+Kwk1EcG@$1AKGQ
zRj$gyN2bbNI1P2vS}l+DvD*_<K8ynoki$W{nPK5tELfj=>=wmq22q{BoWqgG7rS9d
z{*IEMPoG&U`^LCP#Pzb1hLztIp)-2n9)v|aSvdcdfabY?hKM{$sF?I@TvJ9Rn$9@d
zhsu=6IAz!N9=QaR21^)Ygl7eeg;KnTsPrU6oFgF7p<97$EvUYcol$I35TxxVw$3b}
zdx!AJKEWsZsmaGTEs;1x?>Xj59*2){83}El#6FMZzz1!cyGpuN6CSpA69j0--Lt9%
z%)m-LJ2y{g9ObPhw~r+_(ivd4Ju5-;CJ{X_L?nPMC7WuB=u8WmOYwUWPblK@<r9pJ
zf`_Vemnebo?()gHn4LAGYiqII;+yiNo{8zJbg7x?UPwz{6gkH;r16bgWkq@OhNvB}
z=EeB~ey@n|&9FYeU@QrWcLVv}Qt8X7385F&fDffvZ%WPGq+UBN$V-M3$G+MoPGsOh
zHB2n`)B!~Tq7d{ed}-VX*^>Jg{52;}$BTRe51<TTwg(|RtawA+Dfd9%vs-@!@-~~G
zTUh7~u{LAJ>_ZecD5u0K+M>b*>OM<e1*_hC(|MiGkDkr7(J)(|w=kbDHkQ0K(<tcC
zqir1%^}xAy^hd877js1A0w0`&dsz4~`mNj+ny%T&ogYGL_Dr=z`+##6#w6`Z*|U{r
z3Q?DOj&ta&1@Ec85!c?q<8_?~d^pcG#lhThXx2C!-oE$psGq|5Zrns9s@}WugBGYg
zpgDnEMQQMLr-;ORJ#!S0uR4~W*u9B2rrR>dN@%jvGRuUil`Ohx&9uEqyxYcrh>x1=
zTHoP@MzJwJC!)65_e|;JnKg#ZY~*DGQUKhMJbQcn@(s{i2z&wqLmJg}r@Z%MX>qY1
z03r8N!+6x)Io57?d)%Q>kNb4Jz#W^;47gb25Pe_Gvox;tc*5iDbA8Hj3C{p?(aJ#5
zRoZ%E$8q`U8E+{+3Vx!y!(LA;9!hmR>eaS;Ks!=B>PP4g5%%m(A@{PiuAGFbRU3|h
zbo$xW@`U;8G?sY58x-Z~@5Z0`#6nnJ7o?%SLtPPz^%G(B@a7UiQtnIut#{pXtamw$
zL1IFCY?BY}36JWTzRYD!sH^94SBvtLQ8ZSTi0&DmFX8Un^I=kb$<4$LZ!J`h4iYzw
zUV?T|9=&+&muiUPA;?WoiU!lk>^EfJ@cS416PJnHTN`DwB3RmBDh!eD#dA>td?o7(
ziwmiYK4&jtAT`bK%CTQ()VwNR3c-SE3lfr~;H^RMr|u4VD{F^~cEkIUaRAz5{rWhc
zzRsP(>=N;PBT9!4sNVRia@QTQGKKdn93M^=NHL*3$IVQuMA>$NDrtNrs58p2xh+XH
zAUD?u_oQCRLqb*uEp8x_>VeFBMSymXHB6>N^`dz2+3_xdGB+hns?KhwJf@|m9MZ3q
z9E7}X9&JD#_e52I-(x^3q2g-MVej_TlBg^|4)@I(q{W29rbUCbKk1j+?tDH0?`Yim
zDkB|Qa5%x<Q{y(@bE%@I>zB$kJ5e)$Qy3u2dQ1paDs@8|Dw!{5rad0G<&`LSfWJ06
zQ;r@9w_}bARqs{ZAr#~WSv!am8t0pRu%S=hu+IU3Gs=|UrVJ9Kq0@A*c(Wmrk-Y2#
z8KLV&FMFNXFQxj9=anX7vw)Mnu!(w}E$#aN+mgX-r>8Vo>xBi9A3-5FoSFJg<Eh}_
zAkl>>K^+xu+z_Bg)q8jsK)NYDM)2;MV*~J}g5D#MdmM?8xs$Pp%lDdPGg|l<dr?Um
z_JF3IK|lmY)m-H!$L+p-U1hxJU?=jD03ctRylNStC|(j2UTW7f5oLM6M}xitt5izu
z77wQ;M+Up2tCab{i00MWa2xn`1Z}1-zLt8u@c8wE+;<S0Z$}zB-b-lHgKPA=;mV6w
z7gE#+^rqd0M;W(T7kg9JM33c$R(wH}j^Fc01orf5r1pA+u^{LmVI`dwW%97K{5s1$
z8*@`#Ik>`?5IanYy$r=JT#lqrz2e=b6QL)O4U|Xi1xU)_+j_>&{b5s&8{T+6P2MDO
z3o$67)>mp(3fs7ha;(Cq`8Fl{jOQ3{A!c9r6TI17j_3)W@~B6U;=4-cqOk~*-0Bsj
zs014$n2+Cp_7*#L%A>sWJ7i4W@y#Z3gE2Z;1Q!G|$Dw7Sdb^!<?$@96KmDSg#+i)Y
z8)(I&3GG{lKHPXjDv5zlrC%v#<{O=EcyU@uIYO!F-4Cu2&Olbn3<N>K?2<zp+rX2|
z5{V!1;Wa}bt})|a$(mINW{wr$jZ9%Zvq6;tsX7k_rhTCbo##asw?Y(y=~J!^5wWAP
z@&>TGnu{OW>%Iu8m&oFJTFG>B`yekpm!V~jB2+IP>!h65lS56MeOWpS$7bW>su1X)
zu<jKV8=aa=VDMhKr6Wz92=lyHb|*kMr_x>kIbXli+t<%QtEucYmA||);K!mA5BTC-
zpSU4yT<+_9f6o2emJkWNO)x9F>Q5bq3C#@UTtsP30L{7<iDs^%WgT}P$GoLPH_}>K
zR&q0m(IJ1~F1SOKm*!PmFB#kP3_#CZ+-+#!0h90O_StOL64XHy<|C|7MZFk2-tK^E
zx*hBXjb54bSmeP2<3q?wsVND)S0&YWnI7ViL75>_7#=8%xBZx4G&yB092}5l4U4hc
z(kv^~2}^2lohU(9!x3<8c@|gJx-TGJ1T~ZrW27o9X7lYr;Xt!JVbn$!0}UgBoT^Sy
z@@Qg{Ma$Mpj}6Vt^pQj3(TRLJ#i_N+rJw_49v4iB=OdMA;(2;HSG5xAdZ+25Bo8Pa
z_T%;m@T!6q(#Yu$L%9Hwc+LsuURs%WlPNV~C$~knP@#?lnLwZyh(m}?W7f?oRl4Xe
z8pyCu<d9T6@dl5M<$0ZL+?exnBjtvqB!$|Lvu)O*z|kVUabc=R>l_HGH?BEM82YH?
zo-yn$OJ=7~jK71r*Q27(+1Yc%tXJX9!!l@w6qyo3S8qHi%gWd1^15J0ooY6e`+?xv
zIu5gNfX-s5a^Pa;8Q6m-r2Y`AvFAyEiWWY?@lkgfl!iKIsA6ci<UukwUnZLCw0>3V
zoy=?_M1KC3<#jLsHNTT_+wf4b^XQXO5S!I;9ZIL2aDpd-acmCOtF1WG6R2<pGxh2g
zd?!>J{Glyx$tV8IU--*nOqjb}XEr>yC2Bo~*N^i}_K*Uj5x;kqo|Zz|$w`T1xP2`n
zW3`eE<1#@AAx~hgRU&MdUlX=N@It=Z8w$nh3eFvP6qx%Ex+hJ>vzM!FJl5u|45~m)
z%BXsI3DmW(f-gEB&&x=voaQ?@u!V+d&p28rO41u0ZxI0S%gi#lG0dZ6;@Xb1o?qf}
zxP9YcAc~5n8```QdZ~Wr08HW)5wP==9ylvHaOK;Vwn5`Zce&DZl_HgrugMyc&alQ1
zhi=g#nsVx45db`4$BkWS&N<48hD(8>7bbmw@~<*aZ<Gt)lv2;RGOQ+{^>7H)21G3)
zMgjMhwx^*8Y{;vH?0xp=VJMGcd8C-+iBqbMRUtEOzKD@XYjGJ<;`c`Rm|NaVl;8S2
zu_T>VUEo5gxEr{(#^N2Yskht?`Gib?W>6~&&v#tX2|@J2ZYhu$@vKj4D!?GZI(eiT
zwV+5*;_O~uwviAqHdyF;Jx*@jj92fhOVQ=JcX1!9ZGgE~Z1C%N+SpErvLz*ndGA^a
z5I7_@d||8Lj4pvL#aNz02&Fb{L6&pxK2gPc+y}F~8ZMQ4mnSU4o^zmb_$tT<!bbvh
zQrb)1^K}qq8jmx~MC0zm+Rkc5+XP!`mJC?TTXA0%glL~sV|i}`bkVjFv#LpEoVzWO
zJ7G}(-^2j&WVf7#rqy;fx*enyz4yE5N_E0|J8jqw_KtR;Gri+N;Zg4D#8soz4$8X4
zz;RfW&$4<k2;9t|bXXoUzUDp!m)HbGc!|$|yQ2(DpTv?URzPr|>PaDjNHNN`SELAK
z2QLpE3&YEkt!yx*!5s*-TzE9~VD8%SQ7|2glD4ft)j7;umIK0DrdJ1$EhZSu9<@M9
zTsx@EgEu_@hy$&Bd0M5nMYwRF@(yJDN~6yMAKTnPzQCtdGCTwb*!6Y;paeYe{bD%-
zcfz+<-P)kBnEakGjUZAamWX!sl&7ufG{2Jk<X`BE|Mm^jEY{}%@!Wb}`S1!tKYFmD
z0SnYD5U+43ED*Aq9anTW;VAUNpT%4UIOJ)py`mQ}*vPMT9dhxJqf#$c+G+YTR*NFY
z?0F7byo%4MBO=^@N67&5GLSEl45X((#a&Kdz_s6&m^=gM=Z5H2$aHUY5;xrE>S4CY
z*i(;(%QE-^lZ=b#{Ph+XT~uc^6rrk1-I&J-&<jH#E_CxG5M~mhi%lE1uw(?vH^*r3
zOq~R8WC5*R1_>Zp8PPMJsPJ0ni+lY{%J;l$O&(9Ray3Ei6{GbjYzLjbiCuf~=f@u^
z9jRxNtdt-Stix>2WRqt*9>n&8D{Z?}KegPl(#0T5<GUw24@F@$gd>hp@_OF}z+&rR
z#IqNI$)M>cHanBvQ85J1*W9{=OQ~zZdYIUD;=Ng{QNL6J6gR*F_trI+^_g{p2U-rZ
zokLU2klu7a`hX)SC^6oP<<a*9cO{wk>1~425Xn>H6M0zJf|sYk2^;!cqDT|5*8}pc
zG(1PCZ0c@)neCv#SbGW3t<`IECvghxQUakhwlQ1^LoY#KUh#V`NejBPG*;=}TenrY
zMp0TBe9p%&#?UetmXZQJEP3l)Fut(OyFT8w=hMn>jf}8Fl}^KJMu2uOohFE@Vay?c
z<7`5uN?Zm`jT7`1-a(<~ik9W3fjn|BTFz%&R$(aaRAa9nZ-k0&gS}FDO$wgC<D7HF
z3RX(RCBVz?z%GVGB%bUWel&AOZzA*Bt&Lw}ooC=Ct6{=hVZ}atYr3z|EPBEw8ALYA
z*FZ#c%jCJdxYoNyeZB_NNvUukpc-$4^T}DB-h$anHB)nydWSDejrZ=U)N_s@#ib}z
z=;^?x?h&r09xD;)B1Wuy;~`y1b;Vi9q4z@8LSR9;Qy{W@oCB*co+>U0+>?=|Jfy`7
z$1r#S$D$!G{cg^vF2V<H?8WQ%t}A;%U&H9Tz%|ATxe=z;76^Fi#6{+OFL=pLtJl5o
zzCZrx_re!hE|Iv5DH5-V9@4W6j!GlI>P9D;M@F*%QtI@=F|<j}R=VlP<La0h<uszp
zZq>vru#ovN0zJ+J#hp`nPhzQfA2mjuI}7|G1K63eg_=11%<lzu%D(26d!j~OGs9sr
zW$gizUe(Us_U?%J1rH2+2#2|;EGIxoyfZlJ1ShqZq`2cg)q99!Mn2x-QB5sj8wk`p
z3J9liX_ClW%W9Wmy|0FYz0}plIAcy4w)Nye*U_$GuO4W%AGz|}iTE?qdN}88cU_81
zo}zVD^9<dKQ;=TOz2`4p9_voJtp521@Dfymg&~_b3lC<?um&3+WOCqh(>1{4SZz+&
zMUHsxjsc+0vh7jqX5rz&qnRcQE@CtnWk68aJiy4|iOE-OKs5%nauX9B<$4Uv*~};k
z>u$M(`}*y@1KH<o=LP2TQnmHkD}3ME^c)<Z;P;fYH<ws_A3W}2ex&U&mWJ*rWYmZ{
z&-`7Y=7m>2Fvt#Vuw{wgZ9ic4m-K@D*)Apm5TwPqU|5KU9GmM&qTu5h=IffM!M%a4
z-ROxx0KD$f3|bDbc%_HR_PYigjf-9mAZT3QS1hlmF`dK5TM){J@DhMtfct_<8B+_A
zn5iDdqSXs~O0yj-?*txs%Ock~zza>tmzW_|6kXVU2@*B?q9SBi0-!{f+I#4Dy|PX8
z3CupHc!RghPuXLl=()mT&XXlZ93X_5!G7ZrtWS<YjZ-;OE~p6H@2wTzHYvMIJoc9t
zdd)4@agRxO0ePmfp5nB~!U<qh#+~n2A@D*VQ99JV8j5_&%}ts%RN&`<0&WwjNo($I
z2q{J7#_Z*I?%@xXbk*@amomlMuzg0616+OJCr=ZF;Kczq`I~uKA<WIAT^Y8drMU2z
zBsw#5dIkLPo4gvH>gpv4F$OK7#Wz(|=-TMhHBz35-mc@Spy7F>5oV-UmPgtzY|a(j
zz;k3&hyhR^i%HTU7^LjkkLL|+L+9fBZUO$;0&Xs+JBFfi=;gxm)>i3B%smq$!g4p-
zd1G?tb2bS|Hl(^lypGiGC(T<H@w$P;quP77C0YrA1be0wXcZ0dTrJpzEqB8eU=YTw
z2oTiG(}$>)pLv}=K0A{DXn5gTU{+A)Wen-WY^7Kcw=2)IWlPmzJNAM5LCrvmx<AG@
z3XM-}UOQq4ta!kh0wBB&)W=v3ZTwo(h02Pr6#7*X-m69_e@^@?)mhjq`d*J+TtIjG
z9{E5Ss5~iLM({0BvMQD_j4ojH7rFZoJ27k8AI5^fsD)A2lhi^5ERv~X|MMMy1f8}|
zF;x=6Mf3quSAYXKf@Do~3HJDACo-y1L8J3V(db-H&W??B4HJvhJIOc{2_35J#SjD%
zB@=?^4v$E;RwADB4Gb3FWX&gC?W3CP4jKlpt7bQKOs)H&T%Dkw6(pcAv!9Q(=p+`R
z+JiI=;U@QD4=mB!VJzC4)h3(adb3g8BuN>7!|fI(>-3EB&|WwxU@6Er%j{ZZ2X8S#
zJ&mfG6@X#!i}QT(-n{CZ>UP-#$=>ToOS2_i@^zX*v2E<4j%YHv_X>;DMc(TP_o*pe
z7pQq{xF8;hD%bQhRSFNMOd#J);|ogDHA7~NVq1doV9m2p--|*;2sA%cdIY18FwSqU
zTMAdSPscC4lw+pJS3LY>Wm{1%U}VCA)pHxKWbJvE$5ui#rW%Ho3a_2jxe9{!`8aKL
zA$Tu5dHehllE*0ctgP~k<=(>6ZJ>vz`HO|zSueH)ExSb(^Ky=gp@mR^Lv7~b4Rm>~
z+v?$i3#<aYkQKfR;-!IR3c|6@2$fueeByRUfYyi0T?T^&oPv8xHa8O(ZMOy&YJCRG
ztu%T^kA8@d`38p{vE>AfY;fQd9KeXb1`K3M-_ob%^l*{v9VF>%u?k<vQ-MnY8!kc>
zV6>Sj27hoKi_$I|kFSj-bKEMQOrw^iQ+HU9a&UFyZSfBOTo&}~CK>{t_t^yOa|s;o
z`kXLs9)vLAIq8WmAH+UU3N0n?*Q@cM<7iF%2GgOP>>Zur@?@?`^C7~#wN40?Y#ZWz
z+%V0Rzsf?LRBgO^;&M-TO!##PQ(~sD8qYHUv!i(m>Bqx#ZwepwE6cJ6N@|q|rV_54
z0qq?StdRDUaPVYe-c3ktVHCY7?9zsTs|=i{9w-#$HBS0E6DvzJIq!0ZIh5ugbbO?6
z%USjwqI<nXILvdz#CIrKTbAUWxe{+{kPS<TGcm0-=Kz-opxzjbd%oOx2+;lu593}x
z(*QjvahUdy1BaUwWBeWAuQqUCD6>yA=*9r)O{+ikf!l4+gf{N;oC29?5@EN(^x;9m
zx3O7yjEAUb7y~L}!DRyHT>B^=JuV)3$_gVwpzbMYk!Z=49&XpASZ9;zC2V!l*!#3Z
z(;kUU)nR3o@)1W(Z~bn!-TfJ4=$jiYP0Cs7y+Q6rLS4_qh2Wr7j)hpA%!ngcUoPfj
zbO7|1sj!zIh@RvGXv}AoP>?UkXRLwr-H>uwj}<K~L_MOq-t^r8CKC&(wT1&&#OGws
zU_fvLNJAVR0Dxp8x!<PtL~b14vtBsQUaxywi(?>4A|c$S7!T()(~i>FVJ}v&^lUez
z@go{L<xv2>BUESPcwppS%)TuA9-9<y;zKTg!)q1*kBq@HLuegSq3u)Qd&O=8<ZpO9
z$@fY?wV4D)ax{EVrqX?bWO+8CG^(G!YzLOILm<kT7sLF7H5Y>T@Ev<7gwD-9>og*;
zaBEI8khH8d;<8JG4v2d}!W;((qqqc?Ga-ZlhS|GQQ8B&qC}WYHD2{^Du;yMa*e=%K
zBU9P8g0EEtu%25M?Ls7QuD&I4a6!x4d<%l8(KmE=-s0j*6H3p+I@SeEvL#(#a1Z38
zgj7mD8SU;mjyIY7&ipA=bu#3fy?1W7&;SuWQ8(%iDyphIR?D~HL9IAF(nBw0nap<A
zi}Qwlm9G?0g(NgYy3>6uTKL%p{CgdoSxP244=hz<kTomAeFBVI5+&-*x}ab>Mj=`!
z-l>G0qUbu@40%UCH1#K_JkKU=5^;hTB4^B?)KeE6dx$!r0l03hhy2y?OL3nJJb@^(
zRB>)LPENYF3x_AlY|nxiQnK*M?52~W9>{@Jy4LSlSFu-oO(gB=EC-~U!UU!jm{3hU
zgHIQUS|w^pV!~IPagLi#;XN20@7c9FOh{rD;@xibJIXz&1JLMLw?u4R!I;HlP)daM
z=g*$|*`BzB=X2KM7>-b<Qh&_}O2vc{e0kOQ{B`iF^jEVdD0_Vf^XFb*$sBQL@llH>
z4#?}i%p}KGN+80`(GU9wJe2zqJ>QlX@$gnX+h;GlHwduvy_VAqhB#8nYuP#ogIZAZ
zZClYsX?#ToWRN8p^7L}HoVRG=afQbd9=7YjsVjz?P<FW-pR?9gN(EOv6b`^;CTl8L
z1&KB#V)00=eL`xF9~eWxTPBjmXCaEYGEcG8?qz3ZwCQ`@J*0p;WM0xXn$LU;U$t;7
zSy<=e>w*MW<;Z@?B>{jd<BLn?!td><wCV9}bAecZ#0*bzRIQqm#mVDxPI5SpxtfGn
zhz5I`h<TkiqAqF3+Yi^zwK#@4Y&9uWi;pr*C+29#`m&ptUM4yREgkP^#(5YjnZI}@
z5A0adixl6x!vQ)3*aMkE^`u&$gGTGFfTNdi)pGK*86oHu3a?|Th{cm7F+!EJeR0Ys
zwp89bKGcIivNJN9IyKqtu27>1E#bR|tQf=9h^4u?C4*3R?_#6~%8s&}gr}g<R1zVP
zWW&dlT<}0hadJV6h?l?=ky5F+-@OzC;|1(`Go;*w$0fdZl-QBoY|5#w4#{wx-G)J~
z>U;}nOoy+eCfhUXvenVJZBd?uHZhPzL3SGkiVxoMnQy;g+w}5ziS<&QDGYA-MMFU7
zdcmU=!Kt}{J=aN)XUA)F=1;vIM(LD2$-7MleedXeD~7bauODGsKi0F)Mi8HiVYYHY
z&4jCxQ47_hb!xN*%cKBGK()WoN4BBY<8R-rz4z4P-mXOiC)TlmQ}Y<fjt?V&bV>D`
z^kY1;%PyQ`O{pmAYL3l0bFChCyl0ppmuPeLPC*4DH{s4=BoUdc!guZPr8Iy(TXJE1
ztbrimFOcvyBWtM#tE=kB+PL$cnlDIQVF!nYZ33R?UGn7Bx-u)Gy0oI@Bha=qc)FbJ
zs1|V=Z}Qd-;~u<T-b#oeTzHB=fOV}ZWyAm}Y>5kS8D%*>&gWc@a}Uu4WsPSKu>##|
zaPh(>5~&~Hqiy<Kder1(PtuK-`CqNTG&%enk?JWgOc8YPT5cwGC<EkM+`=T@aTS8s
zoZ_!nIuVL(jijHFh92as+?as)s5=!uaSnLk>g@W^S5#{SOD9~?w4P4*c)SGeHk2OH
zW~3_ao`xwMEPUNycy;aX5V?)!m2g+ziV;8bAi=Z-1+UIThA859q(Xht&Cj)uMQ|uY
z?ios8Ljrf*B-zsx<TZOGyWY|_PLL){U8zDWXB4Xf11|MWVXK#V8^$|?az-#!+1%@4
zSO~2ROx$$mlU+ow24q%uC7i2guc;bmt<$PaaO4G<CSq*odM<_A0{X^{LF=QV6gI#I
z)JPSE3%l~bpSfymA`EP#RfyDLV^yr(sf+cCEiEu^P(1R%u&DR4eCQm({E>8=g{p%N
zbtwhBt2}O`Y|cbEK!C^KAcnOY>-rkIJh}kORryWfU}_U_JWh)V4MpvK7md%U9Jl<X
z_a*flK^43%wVAxW=y9?!O;E*hStnJl=^fa6Jai706QV}ENnI_7`e>+Q<9zwXaFJ}p
zv8(EZIn{~>P>>ZgOb~HA5;+HH={C>M+;!do*UWh5S7+oj=938(jiiKH6BL`Ayz<T*
z+&fWtBlXoIvLrDOd2||~pu6@`u2)w(c=qrS-_gR(se>87?9hSx(wLQ<2CTBKrM*s&
z+bYt><4R*im`mBWFQwkJ?jRTz+*{eNR^aftBKE$+Q@fSd5bmK9`1E<yxH~#(ch+N9
zs!~f8-8bPLdaqaSh9~WXi9=k^g{qpu=!#;C(DNdYao}j|o!xuJgZ5-H<vnDp%TOrl
zUQRv|M$;-DtiknAVSZFTwV3#%nGmI3Z~?K4CZ)e=m(kyqb1^f$5Vh`YE_5Ci_RW2F
znizDC9|cv?K1w)JyNBJRhOy;BEW;>Q9+pj${N8S0Mlf;5*rBN=Ga3%6AOQCBYYPg_
z?pE(DQI&a0=qx<15;bx`JpJK&-e|^8;hp0y+N)~_GFHB*G4k0BZq3cI%+=kOO1A!Y
zGk_V>6=;0Lhy%P6;|S&lD;3u=7eeo>DR+y}J0JN18yLFKwQSRcHsO2CnbztL^ll8&
zoH*cu9BF~`J$@Ae)W~Iy$qtYn<RQArV)^<iIQ3OAg9-6;PbofaA@XbNVbU{MG{A!_
z8_P)ti)B;1Zk}!<6e%vUXOOm~Df=QMjUva#OP*+gbAg%{B7=Fs@M{%IdIvG!N~56Z
z$u75}zE#!w5=pPJ=ANS9NWQ2;(?|6t)WYA5(qeQlGr(D@zjz9d`1Nu`u-)6~wR=FI
z)ph4jQKqs?nOeqa76eAE<CQ-x5e|+D4YsmDdAwjEE|F7KDcNy?QRw|LRUbh1MUpy)
zsyG4(0I*QJ$EZPwO5B?Io<O~z(`hw%Ba!eT3?0H@7uJ}bds5AHDuxixppt+C1p0<_
zRv>TH6%su<RJU3vRwi8}HMf1i8F*%L8MuorBbJ4C`KzjMS<L!wWIW3}>2MCqOe5_B
z%$Vxc6-%)5f$$<{-rf!uoi|?SF@Rc+o3j)%9|qQ2ZYt)}>fbf3LcA0e7J6`fIT%S@
zNSt*-tRBawDo5))2uZ(t>13qRA%`Y)*kDcVAd)G)uynnAjFQeHboUYxW!ief?0G@a
zH1dNQ(JI3%k6i>WsVM_(3yhI%wPv@8_PNxd_g+g7I|AQ($BjxUD4H)-HQ4v1PU0Jw
z?`H71EZ*z^3&XyPig*$5&Kt+ON`|Mfggspbc;T5Kr}$IgHMe^dL3M<P6_zdQ8PDlG
z5weGmP>8Z*UHpk6DU=Pqt=%)1qL+*}E~crIrkuW`<3z(DmclYZ%qH6CnGTDY!-E%1
zFeEX%XoySQegpVW<I1|Z_jx^~^M!bt8yH@;{(O3q&r&LwqUxPi_0e>YsO(eI#+KEs
zH$w^Mnn`bG-hc-lhB2E4S#Z6%Bn?H(2|J^*5Ctl}DGa}N^R^g^Q9zkQ_pz*xw_uCN
zv?pNzXA~Ufz}{t<xn?#^zQRxe+qm~SpD2_4-43d<WsT}GN<wJ((jUI2_6RvFQz~$g
zO>#y{;GV<kNF#U-$j5_u&qm+#CA7&bk9d7eM1qj6!SJS8OUA;LwaPT>7(nk~?Rz}u
zt&?C`-nuIErnBOyt(LJVz?#b@)I4@bu(2F`z<|+k02fe{Dj*RB#i%Nhi-qHtUA@l-
zCQDL(nPm$oI9qSU;tZ#-Hs96j!~ntRQz+iT(`$*jYN^4Z9j$1iv6AWc)(4-cR;vNN
zZbRhF(KjU9or9q%P2#ik#%aBaD%Iq5R7-dYUl4W%u?Zy0lUKtm@lzycNU#)`#qxFD
zn^eb!tK+wP&yjO;z%`AM%`K2`z^jccH9AFEvkjtRVNOc4{myBp_BB01PaJtpx%0eU
zo$%JB0!lyk_6-`b?h3ngG+Z3wr|=L*cH{|53FF!kcXvih3BheA3EPe?x<`U+B{ulO
z@ybA@dd`95R;*P$8#RRCyOVMQu95zPpW&;a;BkJ2hw*6N)-%`#gm6<$F7L>m(Hw-F
zVLra(Dp<UkR3|h@ii@Ras=i?DAy;vgG?;9nbgX`Er3vZ`^x)1dptKG{-jq8{c4-EI
z8$=^v9&su^Elhbx^;XBsgYGWW@%e0f#e4gJs2CZOixotOJA~DHJTgV=#B5RXsmMcq
zd=-A<FJfj&ykVtRwLLw4>EH3q6%qteS8OLq{cH#Lxi+Sk%^S(oy2sM*J?+)GraPN;
zckZD#9Z0taXC~SZ^PV(%+{<}MPs6e%T`(QpF`>OXufrjW+JHp4sTSpyn=1}su87zN
z2D)g;-ELUI6Nj@WJuH}$?phq~f()ZW`Y4lWTAbCmOERj(R4PViPRzps2jzSwNHUS?
zF0XnOoUAyY%I4lo>QN%U_PWrl4tV2lB+>$xM#+)WqZ}NP927*ok2oE27183>dEqVx
z;JKrDm!_i4v%L}S1`LDbWE@PNH`B|yQ<a=$9grg`FMOWq@k8|J^~Qd0@zHIrruU$w
zV(SAy`l}(}TF>f(45~p!fLsT#*S+unGgVaQwgngf*)ry8gRt&NAwqRDl;vn&37AXk
zbH`c~4Gw`ISFPU2eemiTMj<ELZ2Bce=R81}N6>2CHB`p#YlsdLYE{|Ssjhnm$Yr}j
z#;4}p{G4Ph+L1IaVz8We0^fOdB~R7~GbTmTnnp2KZG><dGuI_Q-@{5O%{PU(h$xt7
zPpiC>h=Ygo4U!%LB;#<bB65#v7jro@?R($}C4!|v)lwR-GW78h#=@?z9r+xFj<=v)
zjA4o&POvPzYZ4}1e2TQkDBfri5JWwiKC5OgTm#Y*9kn$93zcql<=_P9A-6DHiTWXR
zx}J3Eq}5XrVZo=+`Ggu|5Srqp=MzSYz`YHXN<FD^mfBcvAS^1*qg(+3Xoa#$rYo6;
zY>M(;+!#K7sssT?YnQ`4kPSN={jObI5H)=ShtXem$Gs>99JZddJ=;xv*M#1oJ9~x!
zNkW07`d-?--DN^HAJyKcc5{=OkqX)QiriaSspgJg>df=aP^`VdeCzjaoH(DN8qqG4
zTgJY4ogOH$>8LTC2!6hFTTeQk(e|rAq?N}zXYakRGI0Sx5=&7oXKt`5nLbg5w-TGB
zCu$NS&}?Qg69CT9!PAr3m?sGA5MCFOP_dKr=0FJYO^s_pN%Ss(6YWjKRO*mXT90&x
zaQHq3P?8s)4S_xv$bd$3_K2K1hTT=8pZGowB89FE`~h5z`)*U43$~G>SdN&o7vfOp
zTIum(?RsW;kLY@_>*91}Gzfz=UC5-5A2#Hf@6wJ_zO>keE-;7}x~r5q<$RvJ>uKGc
zuW{FTA5cPUIuHTpZ67d%t=ho(dd83nB56ZPcs>KiWg1j3$n`V~!4_hYSY86*l_zBu
zYEhH3qIxT004}cRtE9yVm**kXy#a^<oE!^sBZ_33`v%VgEw6-qJ11)rfdCP2J05Z~
zJ`T^PP~gfS97)tgukB&>8b1<BC$fYg^%!miKm}FvxeCI+T0)4aJ}o{Td?}_yGkjGK
zg6@g0buVzwB%i-TNH3WuCA;ug_(AwYg1*a+9@0)$f7a5a8+s<8!w0shH{*F;5*O>L
zh=+naG7V+PgxVSv?ebJXqITY<^v?4{T^<dVwhno*pfoFZNwbTss#6%KPvcUnVJyiJ
zcd&M|6kk|*#^n+56=#o~Pqd{AzV?haL43u#K<0#5Itz@F7nLo2Z=}n>q*hXg5e_M%
zszdAE9SJ*9vopPW{+7r1u4HE{=W*-8C|9i=3%Mu9$!ugJ-$ScmS6V!hea{mfguQ5=
z88UxSp7jd2;;L7rH?vq_vY<kPh)Cc%bHJ#XW!R{W1e*h~ZDgoy7(0fX!ATb?)m$IM
zl&){XO)xxMnz<?%cjz()Gs<`k#r^1+^=t19YkQ1z(r>ZbD7P8}>=}o&!DEREde|Ur
z))Ogns7fc-?k@w2X~%N1R=aRlg>PdOwHSH>p7gv5OppbEE)sENNr)FMPm}guN&Ay$
z6#aJTc}u%bnKa0h7TwnV5V&~OX*qm(9FhoKuV2NQaEd`)${M}$hHeBq*ts+91xxCC
z+1p&jyojyu)zo>c2;e9H66mm4C}q-#bu`_(p20HBUJ5euBTUVi92UVaD3nJvZ&@c&
zP@ynI`nVST5+&zg3Ph@kFl!>E;HufUcc|Rl?9p{q(L**liu-H{?{k&>+@yjS`riH!
zh*oi7IMOu0K6K~Mr6x2s_d?Pe3I-ZY6P8yA`h=VZ+@Bl+2qtByzv-a7is#QTFpwUi
z!Lz8;<D7QX+pdC(X4W#7Iw7!7XIybNFMBOMZ>u1zmre0zvleBR?qSST9vV~6*7FdF
zHg|lOYVj81xu_~W({}6)QJ=)f)F3IgyD>|CZ3%1Q{cJQyI3VueY8YkDx8hm#a9kj(
z7e^R3*tBD0joJ&Df(3EoJAX5i<spwbYhVo#i{@g*$8=nB!V$EdQizk*0uMh?6bVs~
z<>D$QuJ@Yrwq&ge2IB(aucn}`=*LB_u8+s>=CQv^&Wt92;&<yd5(rk=%C0Jk&q0W(
zu&a2AOmVntQ{J<c1p|<h;`Mfb=YTP@ZTdng!*QNEJt5NY4ljp!_|i%dA)#h%M>a_P
zQbo$Ao7$8F;SQdFPGhH=Mm?hg8`wu;u2<ON1S;mM02>f5)0x!|Flmm&R}DfUREsex
zWw;ddb%Z(5f;~eMmDY=5Gh1{`sL?Sxm8#dBwoVFoB&v1^=t|&c;jV~jTFrx~SudDJ
zEzHTU<@(TaE+Zx+P5|E(32M^3X%GS5X!0z%STKWuDZ0AodF@#NM<T^48D+#1&?Jky
z=UDzC!*IsAc@$v*c3iy8i>?*fy0nl~b1qwMdoohbydLI0snw^^Z=C{GkHX4s>Pgi|
z9Mml;vi7}{G@-D&kpWVdez6lTIOpcIwIk=cZmH0qP+4v`)FZ#QsOSFLTIW=aHgQuI
zycGpxRa_{s7IC)Ab^N)4#iFgzo?kvMjcp8Sr~oBGft2Pa&izoLPZ2%vIe4hNTxEGf
ze5^d788y&1d)C-7LBqN(JjxtSHFdC3YyEuZSR>~(Y~>2aBdQ}q3E1bksEL;~$&sUV
zUP$OS0Y*&%WLXc*t>T^w1&SiRbV{Egt0C%3!>E@9^N_+4W+N{Ellg(zJnm^kV;dFI
zG6fnNofB^gN{wRS*e(?G1o~_W{JB&%wr)&`+p7%DXp>4;?FZA+*aZ#e8&7e<**QdK
zWH1>{(K)a7O?I3qkPmil_tj}&L~Ab<Hw5K79!k+$$@db##E!>iSLO<Y_#tLkE~t94
zg<*x5>eA^9d%qKN#tS^)1jvz1gQH=KBqf-Z9`nttm#+ZPFv`|^FlNqRg6Ua!o|&L+
zwa5#)9>8k_7#~)xSW8Qny7w-+g)ug2+<4|jAskU)CeO!iE0dq`fg7bL`8;$0c!*0U
zD)Llvco?h+RvLH?Es1DtcH5#Q3lVi(j4rSTbg{dwcjVdAYgfDB*xp*Lb8uSEKi>-Z
zdQuE9gnc#D$D?O!E>y%Ov$H8$_FNuKC(@&b14KG7c1plB2GvB;Rk-5;G`?DEQdG|b
zI0D%42JpC5boI2%La|L=n!^O%!jtez8aahBqk0_ZQ~q?Qhs>`Si|C~e9!Uo#S9mE`
zzO6@dDbuppEtSY>M{Xn98_wpnyMf>~*@;WHkkk3x{dJ^0jmQqqoRa1OH^bOUGbzX_
zELh1dK8u4hnJ!vel1`!qEmVqa><o__JUpakaaewnrbQ+GSV|FGL|!^sCCm%qg4*l!
z7hEwIKs4{oX_zBBJ?=qm<3KPGG;k!vjXb|)YSlDxz(<?!f#tnt#2({&3)qq?78&#+
z%9%-Z@Hud~n>-(bq2$edt+EiOb#8|EBB+^$16Z`TiSE1=3fhJQEjfmqsEdlSwDye8
ztrs7kIWnTy0EZu`buiLfRM6pG%=Iy6>x(OT<B1r66x8?hDok$faVGR4lnXAR?ix}Q
z=)66IZp=zOQ{1J)<>IhO#Or+P%;__jiWE~)?_A$ApU3XKwggU$!CKk0oOvBc-K;CA
zEa;Dtk{_Bb=+tm*%(F<1)dL5|Q;0GGYw3A`%(4iBa7PufFly8oT@xpFt(~knAy32J
zQ%_?{OFDX)vyRDcIfgd6cit&?5;q|Ay?mg}uzgRR-$SeQp>TLVna^--gD6nAp!vHk
ze6E+p^1|@Cb32TmOw)Gk0aH}(w3f0N#U`q|c<ORwBN(oM9_O!goyhBL#yTp3s08ZN
z0oq=!+W~lQW`|L&-T@S7*JW$&J|hRgdMkGb#TPqX1Lc#!4_^CwCQ`5S<<1<GaJ7%>
zBYa*mB$Wkk(CV>x#+Va=1L#SW&6<=nRJw36z40msTm#&QX}--IiE3;^B$ije^WNsu
zC;H;bf!bbE8IE|0R*f1K`t9Q#+BZLU$VT5y;qcWX7X|^~qIydTj_G&cJvvn2=WAsf
zkd%cxmW+i1NG?Q8=XEEVcB>W|Ow{WyGKLlW;QiGYXtuEwlfo>8@9_0rgI{dxA=Wyq
zos?N~_mKv%K(A}Zh;52@J<g&CNyT{aWM-Y~Mv45TJN8bUx^$AJr;(8m(d*H*D$mzu
zg5^fIgE~kMis<mne9o*j0c0^jGArzqKo%NX>%BN1f2`@;nmVp~TWF={?fW1UCa3bv
zOu53b4jFpe18b2|$vp(83SS00(bD%4Rm_FFoDfO)QuCg39_&7?<k08Om4o-OZ77b8
zO7|R%3=w7vpC+9)Z<bP7i7Y7wB`wjb0(l~y+D}=Z$USwP!Fh(nplWvLZ-e`sXdo|x
zQ5~g`E6Yw=ikJDGGP5o?D?fu(NPepFie@NQL6i&$p9aGm=VB<D8Jp>WIiIa(D?s)6
zlUSevg9diEXEZk&bJ6c@&tqpb2RCqQn;hjug?g0mj2?R4p{k!G6ub_Ge$MnFf=^g)
zH+bI;TzNK00MJ16Lj(uCD^dO-+NMX|eoj6Gx&0!=UIx76Xy`bz0|BmR@7hj(rSsDA
zi1p#waz$(u(=Gw_BxK`VS!5I66Vx%)f-_v)+w;|~ecr_5TK=B<=)9(j8qEtXPtnqn
z9(j2T{_M6}*zqC{Zwb|fnj9C@4?HlyOZ+)Yi6?h4Y9t(G7WLB`bS{*B%K*O57oeeZ
zibTt!xu3oDM?U!08Ae4xnmHHH3f#0yvKF&>q7yk^eKrQs&%FXK>g+TUSpZe$y+`u~
zJm@K4%_yJPyG*Py0u1!NMJ-$e6r5Z)nS_SX*Ao3^K%lub-53xH(3vo=S?OiLbM%Kr
zlayY`)S=5~;L6#|i=Y?$5J7N_+pLiS>trhA#cGIJohD+R#-pmrdG9<}>%@^8RL2GN
zy}=ZGf&ee-am0(dVJa7ILMLm#134Us!U9v7Hcxy~(#dm`;DFURbBQKOuf3FQv#*$$
z%O#o5o(Cw{fR2DApTBr2Ztkjay2rC6KHx3T2_`zSbR2_eIrbI~>dh-T2*^GqDs=Of
z!1tEZ*%t)mNzkTa>(%|$8m0-Jx8h4Ve_Hd#lHIYSUfn&QH)%8^Z?S}+I!91x(NSGg
zX&6YTcEf4w5pt%%%t3~<48p_NFh^1?TnMA<Ftgz_M&(KMlwol>OJC#Xx8&n_V)j7G
zm%2_}U;E>S-P|5NlL8&QHykAV=sKUKK41&DI=;Q!U9xDv^3wFdCX;<#yk3Vk?hx><
z^2q8^C28N3FS)pR28YP$HS&QZT#|@JaJeE?S#ogkjMwYK>R7Jx_lE20+`M^SP5ZUM
zkdBq@<U!ujg}!NZ=XS$JHaV`KXI|mNVXzF7kP_yw&e?*`GjT6j8%v;H0ZXj}JZnv8
zkHvX?#CrIYEO;Hk%DU3n-4E)x0;I2^-xIWBqsm4l35T$-qigqfS2NZ-8-jiwSb=D>
zGSfP5DK15~6zxbhwy;#smUTzCark9}vEe*vvGTT8t$w0NJHS+Tvg-Oc`O0x=4<_jD
za1oc^jZS1dQS+gj0bWp0oP3ow%P1AEC4CB2ULW`@y6Q>4d9U_SzVe~6suvr^(z@<#
zPDcd&)Gk<@yrO~xW)0U9dE42lcAE;5U3(SnVeb(Z=SzL^n%Y22;__19=TK=@(<_!E
z-!*$Wrzeql&qu-?g^i5+B9HpouW>u)9J7q}c~<w3<6MXySyXnTh34P|jK+f$r>F|q
z;B<9L!Bpdy8(7*%4Zg@K`PmwjKR+e4qx5s$T{v>zUb5~Tp#)TTNLFCc0QStQWpK4+
zV|B3YiP6ih8gamE4i_#e(HLf<dG8pi%H1hMiKU<F^b@Bs)X)q|UJMai#uc7jc1mQT
z0FaB9H`JUquE>LsVHtA?cGeTDmn@_Y^vw*#lwa)QDTT>=q|OImv`HCEy1jKN^x{hG
zC>p&hlk#+j>zIC=JH2eQ093whVX=&^v^KR)i5E1%on_2^0$YzaGG00W85{OW*wcfE
zcGua&EbdAkkCSW5r6cSfvQxzEWF;*c@M)swv_Xw~MW=bwe$#IVjTHC<o-}JYhRvVv
zhQRF-d{0Q00_|y^A6vYd0!ZF`bnN|(xN9CgUuE#yxzx2Z0fsmX14aOBObAekbGPUs
z4WwdCSX*8TygJdKo2T2(DZ)x+ZfeAv!Q5-aN{UAc&kI#meYI?}pae0Bd08Cq<s%0H
z@9}!(k^Sr<Xe-RDVi6k-Bj2PPm(K&v=2`W6O+Bg-_ukbK6x-ryK`-bwgue4NM!Fv7
zeUs1C`VRb@GSQk}W7OQMh9Rb#WH+AKejcLySaJ}P)W(ukgJf`{c3ag7C?+AC>RAag
zzG4OJY_tUGYIVFIo4wqbg45KvxqgvlPuO5x6X2XSr-K1Kbtx&<?!~(Y6T<BjPZ!1W
zDPQ4>JBnqx2MrZcBZj<XDNj-g2kX_-bftYV2!rP-d9^#+EtoE1#AG-bcjbGniqcF4
zFU69^l!|p^f)~OjZ)GfLPl#rYW^x+O-{zE&AgmeK6V}He1%y^!9XKUn>W_p^7qVfa
za7A~3P`5+T(O#jxu6HjU3b6*MH;5J{0gKw!+EY8%SBWhBs-D{AYrqxJQMzh>j$N-k
zqjmyp*s&qrA(z2m&BM%Oyfk^e53ePRA=&CA9L^K=(PpP7yNgl244eW>l79RiblIdW
zT-l&7_Pf{5EcDH?D5Q@#FXBdPVg=d-SU)~O>@g2uHpGbQdoYX+=e|}m4KE18m^r5~
z)aQH8V4ut9r5FK0@u``3HnDFASyX&iPa-Jk+5(PG!6$l(IU#VQg3Em!FPm>pnuD1R
zUj<@|xGQTYg$Sa@=A9C|A0}IrO(7<V!eaPLclQaP1jJ*KJ3H+1!9ijj2y;^gx6#Tb
zF(54n*vs|amLn=X!j{Nh%(mxxQtr<>HIYiMPUP_nh{7I7r#S-8tKc_NL~xti9+|Ql
zlmO>MNm-F}tMCNIWUUtUj)Zht`MHq*4d5{yx@YY`>PG6x4Gi|$h>3LErD{PQ6hV!H
z9{7Tys0NH<wj-K(=bLP5;;2vn0<`Omw*t1WLSFVogmO9CU+qCSU%z9#OH8B((cL&&
z7AT9PUHG11QpmgaMg@r&Q_7zJNZPeK^YThHgjKYR?{l9iNs;3hAdA?~p?nXgRk6$@
z-qhul79}S+yvRB+1KmN4x319JcrwvK<S!H~f$rtPfEWVw%q@G3^C?V$zRU-Rd!Cv(
zFWAP<btyH;m&7w-j5flTk$u|Dg2kC37)hq67PP_z+<^B5U=EEBbxvVWV4m~SY3}iu
zFi@C_vtF?0JJQIaeS7GxG+FDM;7L^X5N^pHhccjI9E$F2JVXr>)%w+}3Sl@~%x!p-
z1H1SYk44LYlCoU(4ExS0ggtA!Ya-pJ;#MzA;^<9kU-0ATOM!|-KWyz`njzW*PEJdE
z*}X<@c_rAdyTiqH>xeo`G0XGL-g6x`$j2mX0@Z6f?VhYBoTYrCRGY4k-OpLoP~ffX
z1G(3&NJtwpAmW0_!x@Pzb3${K&O<if971P{l=qsKz!j1$P_)>4RI;dcg~2ijpqD`Q
zEo(oS<`N)~Mnt!5$L*BbSF{0%1|x4(p9LEm5J6GuPNg>t>=Tk&7G<>6O}GiK6Ham9
z%+k6t@*+wZz{>jt*q#%fESMxLmnp|Sc!Nfv;kZ}sk8GqcUwWqzQdC&XRo^tr_8Y7l
zz(H{2Ba+rSh)_D<Koji?1)CSfO?;C&bGmMTZ(F*k++Pi(z<jm`|6D_l{|FB~F<q7I
z1QfX!a?qDO{_bf;AmWag`Wy|S4k6(_dSaD)!aEyehaN{^^D^vmcq8GY7{|wB#%>8v
z)FPV7O6#IStP(~|-$}n}K?-B5DtRhY92C%Z*ltTbN6i&7p1BKA?N^uT{#I$|nY%aw
z2i7$L9*(y@-8Zna{yYby2`t|nUydmYg~e9HQRL<J&S2{+pQnA#oP`ss)Y2H+EL%(K
zUC8kPmGWdY3O`qTn;a%E$Fv)OfQKlVkyUZ0{D@~ZCaVe%gcobHxO&>+K{7WzfN|?I
zZ_pqfc=U42-Ilcj)|&?bvL|+jaR1ypD5s5KrLUUV%a$zYeTsUBY>#ngw-OW0)`g;A
z_8|IY!~_DxnDx6j7Xi;To<*a3;ypvvyw_f2b>y(9RPYj<j0R9;0+1l0d>hEv0rTP)
z1G-5Tgob!*Iitz~Qp=B7qt|>+!qPn8IbQ8n?^@h!@GdbV)teiIqIZm>Dc3KoxOim=
zJznQk*0yq;yi<7m_)z`2RL#lP;+PACbi++9wj-RBy`uFRb5zL2ZYXm=naC#6WiRZ#
zqGD$PT7dJQSagr5ORb=OnO-0ln?o`Ov_Ng^P0FRV4VJ~0HX#9Ws?e=Ql%3>+lDoq1
z%0l3PfXzAY%${-i&*M~!BT6_?iG2EYktox&rrmLid}JS+GZl3^-T||fdU&icFS<GS
zSRMdkJ}T7<5I{v#A3b7CX)8kV=j9LAa10gn2$NwvBlnn!kX6*9tT)uAY2}@39EkH`
z%(PN~dSmw3YK3dR!NVmk%m6#v;g#~YWd$j%$pXGGO;}5fRU)8ORACcFSYopk!}DUq
z%WQ77UE}2H##ki4sbsI82CY#>g<@%{#*P7WGv009GdTBWZ=@!DN@u8FbsdhscU;jm
zuNWT-P&`EQ7Qenrhb|7iae*hKkI&u!&^4zTiL>{TFuGE`7E#SWar0HESKPQ~2gnEa
zh*>Gz1M~SieWKpZF-J+@YqGh|cKo|Rd@iJ4BAp9(G4!K0=Acr2^q$G|EeATc`PoB@
zdk?uRR^Kx%&sKjYDR?N4YmB0R3ix+Wk*@Le>nPdAO|4o@7+B+ng1%bGGDr+hF6K=y
zq*qxT@`H?1v4!HzID##LHrEtK$HXPb&_g9ZH}b?+bCz6OkFGt_K)9RTG1o3J@=~R>
z-!9h6*@r=SOdy<|fmptcPU<SdI`IzIT9(QjUk9att~__WH*A1a@rF_za}c7PC4j43
zG0*crSxfgt)bmng5S+)S&LsL0?%6g#*Be*4mNC}maGRx60Ye0Ee@Pi_Np*`$GYW5F
zlX%)%Zb0kL7SV3q#<ylxG#&XK+dKE?Z*F^unA5@Tf+}mv>cH>WW=%Yh+IWO7^(DJt
z^|Z1#Z9S|J2xm^wvhn~kT3}eUd6W#{d(}O#qeD`Z6}vZ3DqCeb!Z2{#+hmp<jxTck
z)PQ8RE!Wfq7T6$M#D?~4;$c*yJY_5#%4d4?mJ^R|4pDte0<hj9CNM&~=$qy`yn<8I
zzRjWn*XK-NeV7O%sE^&4<4u9QXKoFm+{ggcqCI8(DD{#Z;9%7SMUSfVrM^--9fmA1
z?uBjP<dpY9yk4@C>MlHA8JAVNSIHEcsD|T_;I9}oMLoenT67PX+%Zc{RY-hir^0f8
zOY*^UAKQc3<lstWIlpCF$E0q~Xmytzht|`1Rt4*r3SvTl4cl+y?!g)48f&>`zP)-7
zhwpNvliG=!uIF(c&Zexwa(YkDTB*DTXoT@>;cYkNh%)61qTx|hW;cmYY#o2lT`Z%j
zr6wH&*~G4e03|7yrV>YNPa5rA+#FCL117v3sb<-O@U@7wd`+=MO2gotkvi1qE&B9c
zJ@eIf-iB=e;$gb(FrIMq7LE=(7vOk7ZxqyCAB1|+zLp6~3zevLJk=Ms8in4vJb158
zo;Y&yD7xLdsIfDFDBALf)E#yqZB;1)O(8v4+2!}9>y@<Cbp)6{rZV5@3;`NFd!kxd
znzwoSwj+TcZBIU1M0~EM(G_=kSuZ6AZSj7$y5Kz9;&5RDspc+o>yInuvN0D-jj1=5
z)C8$h@N`a+Me?BKMzbzBdlTX1dj|c4*(J?cubl5?TT=j+6kQ#W0Z^|X;d@oK*t`ND
zRyVlJQ}4C)RA^+xl5?T+2_$lXdg8SJ#6(f})CSQDF-lXi%m&I@zqha09;4mU;UNJT
z)G{$U7SfIhPBKWETNW75Nk6>|QMX7)k-m*sW7-svO*X518^zo`0^ZMr=_z7f(26{k
zX+klJq7lT{N{%)hj*8oNC>oc<E1hrOqX8x+N-sz8dE2V#07zka5AWt4$U#TTpG`vX
z1>745>`Nj*w!(I4iNn#diF2EJ>4D(Rxid7ydnz?%hXaA*&jf%B-y^!0t>{QPY}336
z49q}xxA>wR_4T>2!h@m}tD-ax6_hw;=Y7e|xOUD_w{A4`ift=!xntF)A+q4g{boJG
zQ7Usf5$Sn_%>gHztcbx(yAAs4zV}|tu;UPP87rHkQV+6nP)sjg1!$?TjI)jh_69!j
zicO$6a@?L4u`bit_QuQ1LHHfC98AH8MQZltBhyY6U%zYKXO^A9{$4-a0Cm-k*|yEi
zGtLEjFUBC}F_{;bb_!$f@eIPLUr{vL!2=L7pt5os7duvB<hri7N+zq_gNg@p5N)Yd
zPn2NK`E|JJ64MsdgMHA<WQ{9oc=Q5JFOI3q9!OV&1`$7zD@zkx0@W*T4jKgm;Am4X
zA$`i^KtrgHrcYp}spE+y=j$YBXV#ua)FtCP=QI!9kcq|QfM~odwX8Dv^pW<OSdP#u
zufgIpYnjls-HWBrS3reeXJ_2;7$=m+U^1;^al5*oa6H)s!=NK-l+k!Ai@$pDrI&FR
zb-Pul9U?uemnHK~-tI<KEO(-o%>gazW*jn3PsWR)u?}T1PFTc!0%D*I8@KP(l2Y2L
zc#PFBk!kls)`K*1e7G@>wE`z`x3u0q-jrN)c%e%eC3mIghU_~&T-k(c3a(fjNBsGY
z2>4u5gAd%zzSQMC6$Rf^qh){4NWpIm-Ma6<kAtzV@vX4jt7yxS-KwPmRHkCr&U2Bb
zws+!<%lls7q%V!W30;&M=a82xO%DUH0CE%rdMxuMv!mctU#?~ri(m|#yucJj0~@x0
z$7?S&$3b$RghOZ^m><4)50K-H>YFh<f3DF<Rw>|R8@P^(<c)?p{jzT#I2RG%0{1z9
zD%x%zmNKw$%CPj!#__zppwR)53J4Fv;PG@qpVD!Hm(HX(1TcndZ;ajVF&U$ldT8Ub
zVUeSUVA$E!t_zHk<(}LAOL$p%9^-;kv0^ePOC6dj;QhidEB9BMc(MIt9tJ&ez8ZUJ
zD1g#?AQdbrc|(H`YqU?arWVd#&#7vr72ulHylQBMh`>Xn2*uNyF{7Nd&9FQu_jEVG
zfMR*7d{@fXeA%xN!Sgi{9lb&-Q+&Z#_>4K&u#%l^GdWRfOCS{PPUfm;O*Ed@^Nc4D
z)hibODX|(?@IVq{S>Z0%eT>t{+UeTxdAU!4?Gzf-3sIdRI#?GvL&=MI{SLrmV=ImB
z6!bl@*+^qPg2l<Fc4VztdL2U#Q$f=rmGB$|%--PK2)Viw>`FEHkn4`I*5>))BYeU>
z2Ps+w3%F9h;$jEjrnd#I1?q}gwEOV5bYXU<z9z&qLci55%DSP-sd|WPXm&{N1`#Wp
z-QkdkcL48^#PU|)Y?&x^ML&S3r=}5}m*pcvT(>r4wRSJXG9I;ultRX(u>iA?gR{lG
zM>i2D<vY-b3cL<1*1zx?pfpA*{47{zzXq>D7eQOiv6=TES>*!wC9wHo7uN>5pqm2U
zgG6;`wRs6sSlQhm!+@FT*Qyif0Uld6Q&|aenLgw1QkZX6JuO~79TzsCBf7-*-fKmn
zvqRr84`)w&j|>dQWn`Z=UsGV86j!{!^CiJIT&hq=0Tz%YFi2(ZIter0d4!J`Xv4F9
zZlg-q1hr3yd|Xy)04xpd)qt*al`SLa%Vp<R_fFERnHTfv4K4P=&o+VdxsNcXtTIZe
zeJ{wwYJui0ORX+J#OMLQ08@JkzZ2Netp<^_!}khie53lY%hR3CTw0`U^mTtWXNmRN
zZJTujniyx-32wv{!$fF)71$IwW=XJoerW3XVyWm3WM+2G1P^CVk%pGX5hn8`bO*4Y
zUL?OfRd^`R1<g|^R`5J?k<r21t7WVdI-9gAoU_pb2KecoIWTDp+Xkl<_yK0uHRp4Z
z%>_Oo$N<!%E3Xq&*+H_W*M|EvIntgY+l$S7+x{3d3X9?J2{hHqa+d~bWvDn)*B!YC
zAzQ}29t*wYCeaSGhptVesBuSPA-px|*syXDe>IAzt~?`fIo_3`qGu-rVb<2SZVoj{
z1zCx&QE^~x3!Y|?Z4@|z)d*k_J2g2(*ycuaiQ$g!i^Mm^V~I;7-gQs>75UopE95LH
zh1J7F_mDTC8BcM@sa$57_}yw-w=!1}yn5tU%?seZ4CJpgm5>Nj5;0ME1~);D35$0W
zj(Izr^yvY~%jMP0N3fIh1m|XfTn2YsAq6#J4Jbh{3i=@iD^*9=o9$6mHmA3XFQ#ta
zE|R34aqgS|Gd+JE3kA<z!*6_S+-U%zG5DCxM<@LnLxdvPBpxkap?Tj!&+#K>vZ@Mb
zDDa#tvRX;@4hPPjSkc8Us@tNc&ppssoWYw}TT2e-)re%n>0u6N7Gto&2}z0av|6=R
zQQv^~lpvtu874(;hqT(GM-olQ-7gq$+24lKu8L{eA*dI)KlVUPX|};<PETi!P3*mU
z!HZ0&L)nPLVibY^TL#Z@^^u#d0n8H#d%?WpkQJEy;%H)y_dRbQa1xLP@|`(XTZQbs
ztCV1e)sR=Yi6AOe**X-nXAnxIRq^&sFmamA!+Ah(Rj>BhT7aZJg~n3iM|PvW1EepK
zO86>oCLH+sMj^MUfVqP(&5EQ99`&gUo1DNKfQj@ed#_6orLl6bovpE|<}s}j8;s6b
z6Cy@FL5rN%cIrLET7K^Ym-NYGv%-|W>z0NY;7BU_Y!vjlxR&d6gvci@2Fnos7SVZy
z(ch~I2wZYF67MTyer^Ra7_j`X3!^gC$X+G1c-96!@I_~y9;m10mC1DP$<ZYUsU;9Y
zy*BieV5(PdUtNZ$NRuS8>iSqJJR|C&s)Lu8!ab&u5%&=6$*v^G<WdvO3#$pyCnw(Q
zsdfR2WiRu3-Z>%K0jjE)Ki5D2DfCIb$2htH*Vt1}s2*G{%RF`pUI8q9Bs7a`3`gaX
zD-<!a{m^LEO9v_mBMFjTl`O&?Kb{v;@5J8&**Ix<G2x=I&#X++Aj_W(&XGoWa*66O
zR0WopvB=HqC)$C030jfXOWgL*5{>4sR^jqAwMpV}GT((YB*X&g7E(n!cKZ`^iAsA~
z6jhI+(5Yn7@5ahS2%sxQ`IhxPv?hEJwl#;2Q1@&BM)XW9@R_t+I!|9d+s4o;nt83-
zIPbyZZ1!rq%|p2`ps_(*Hl%E~c)SG4<ZpmWv}Wq+m1w`7)hHW#ilG(LqV)3NquTfK
zkn*|a1K`~YA7-~wWMQk6*vTp=f2Ex-QbOc{<esDuL_?3LJq;6lNU5oB;MfU=nHss9
z^cvY#U$TlCi|XqMEkIB{h0Em1a1t+whVb`*m63=rC6?X@sa}pZsCNg)pph$WKiHbt
zBwXy9(UM!v6V=2R7{=>(<ePyqUSVB00k4`N8T_3_7{36KVonWV0eI035D)uabzG}e
zGg^8k859*KBUCRZ;X|Qk92sIm@f!JgMm&BLj2U-K2=!h{pBM9EkymJa>lzgds?iyT
zUPxZ~gk9voQ-iK`=+(g`(!}u`q!=#qFcGc;dNVnR#OfVw0d;3vTKU_@*=Zxf{oa9e
z<!*Bf2x=kBf>zH?Lku)$I6{Gil~UiO$u-QY84G=6Rd^}WC9L{jqY7ATfOx}cbSxgc
zKu~RQa;?o)veE5?C_bI*Zo^*jD4fLgfLv%v=#z&NjYIE2wZE`~IAXsDj0kz8S3$@Y
z68%<NG<H<!G}Mnb_LxeWu0nV$CW#R3*;}&jR`I#QRx~;c!_>v)RW!(}oRE>*j;PZp
z;!@*kv>9_iRFoB<Sv}EmElk6C$B!M{2tC`%2I2ulyjn6^P6-V4+(S<!rBM|{7zBge
zz;2&>x_Hi*8fmFcEe`8XgK-EaAoArk9#rUC?365ww@93r^5(F`jSW`Z@k)4dv0$9x
zp#5U7fLmEA5g6OXr;Z37q|(bo(dYFhBB>eR&h#D$fkmGCP(8aRyQ+=(t4os4o9CX*
z0u?rLa2CtLXd+LvUSW!c7SOvFS(YV7KF0(UPpiXTyoy&HC|xMAi8YpxjNHX#iP<kt
z{RGD1prh>}uL+zD&}E9(<zLOh2=JQn)CNLQ_Mwr+n!trhd2K($ogDN@;wM9H)BvK2
zc5vP8AVPp}5xP>3!MPyr;XQE!c1>@2Lj+?35O+;2ex%uql?$@Pt~;FQYkY(Kus4-q
zeb~mmWdyXvF!F6C8)^<;1!xMm<PEDB92KyW@^H-);gc*#C&N*ps8~AG$0co^m8DhL
z#|N0a?>)1N#Ve$10)8?Jd82dzOP%&=gcQi7PP(G_0p&xgTK0aWo;<1ROl9L%uNEqu
zI?6&`m%g&Kb*0d97qQx<?GV#s^%2oBJ2$E`^4kZ3%ke1OfnwYr0l1ezdtsEsHN2yH
zRQLFpj5T#bjhb-N1>BN#q;lE$SRqgO{FJH{Wi4_}Z7(AjXG`jdr}%r_%NaBYN6%6~
zM;?qaKT(gxDT}kbNf7L7P<de;FJ8TL8=Z{?7oytAJ*@YJHq%&Ba_w?R?NEJtaf)k>
z<s|}KKI1nrov#KOV8-CRT-*|SRTiy%@~WQWgFLcmNI1vv7Gz18%SZKy40TTtrGDD?
z3h$o1Rc~%89Oy@w@Jiciur_?IOQ6B$2tX$1N%I2$p7qt1hflrao~^vOH_x;)&xI*m
z#l&8%!E+F5LXGMGdyKsW6eQ0jfA`1$C$GCl=T*atYL2s&&Z$zrkwx+7!wTzYeG17l
zt89GtqC&grxHbF%Oi_-gdNszed^U@xpYIA)-=2uMT0&_?^cS8T9h--V{N818_sk1*
zP&T1blFeYYhi5YENjAVXYQlENGjNwFaw$u{{J@~%xNKhY5m1z&b)aun%mWsF6i`!X
zC|>G7&``+>7S$mo)o=~W89^0X+&!;GbzrkfrYb9dM`-~}sCi!j1diFOK5pdVXEyov
z?wq)=i!K4{(crRnK&+DP(BuZeaog0EKB+e0%dYX^sI7cQudx}s>v~`p8j)ASo}EZo
zLmiGw9JHw|IsoPRzGzZXyql#Um^V;)umOtCHMDP~Y#)^Z9LwCx%op+KUfNtpDO|cC
zC6VEE-V4NDD?u#$t6j7eY$705Ee+zFKY0V1nj>gB*>B&27p;V;PZp7Q=ZHyi+$%+B
zv=koazLcwJd$Rl-K{-h3M!RI+n!F)vOS9v;dGnqMvEm6sbW$`ZWJln=&VZz-I5h!E
zA-0gi2g(m_Efo1d@xzTS`-xbK+i!4`8Fo{dL+?SpWJaT+7B!fp<Jn|7^LK*JJ5*Dd
z*qt6ur$96^m&C$xGBgG@JXuaw&MG~wSh&a@*Rq-fcA@7fS`?4lGP~HB+;#z9vo8CU
zvah|IvGwiLqV(&>o6uXV1^pCK0k|GByj;0?ENNaM`nZUxYr#^l@LiS>?uBW+#dEsj
zDbREM9p<sW@WW|;*anJz_1q2$-#Ax$D(D)GmP-UCkD=hwL~+T2&4afz`eG=F-#*mR
ze&kz#C)7fGX=7^oc2*8<Tb+39?X9p1n}tubc@de)YV5)pl{{}pEqcI?gbWecXW|$y
zb3xs^Bx4cl(KFyIGvbxQ<|opKyCoqHDM`r8f-6E>t1;T_Ac4K-;k9QOw3U_?%<akP
zBe$6D>tm$=Kj6IfVup?8t1TukgA^6SEh|)zS4$*i)Vmz`RE;UkP$;7cE?b5a8!&4V
zOCOQPkzS9IOL*f&X%?pR(+kq13avatWo|HfscH6RkXtp);1Fw^HeFg3yqyqVDBwkf
z)1$g3Y|B@|3uj5G%e~+2g1^_=Z<K`HpYYs+edi{rzH@z#Vg0G5FJ`G-jI^+8hC0Pu
zHi$WSfKyQ_A=+XeqZhvlSjcI2yw+StkaqWt?IFxf?8wDrcs@61&-``_2Pl_=z-_Fj
zC;W`nMTjiax-g3knG|<lZO%KMLi9&5Z)=aM+0#uLqtf(+>LhG!I=})Joj?I>%y4I?
zPS-;o0Ce6n+@u#crqCf^2veK}7ld^8s{~$5n@}&htCi<Kv(GuJ?ioE?%NDhREfI)V
zCE6<2E_x;e7?6ssn)CSZc*&#dkyGy5%vKcIAs*_W%9S(~C!v(r9AyPGx576?8vw?o
zeGeg9_0NWJqgib}a;Iv!OF(g`{uZ~z)@e0X?}fg7&aM)m0*Su$QcDp>wrBKwMRe%A
zcAk+=3l@PZnFPJ1$`(^4xlTxgUhJ%gp6lSCL9s1+2=_?oSYb-%#po2;?Nhd(Z0eH&
zwIhY6dXw~c7s3=>JYUPsrH!{&*@k+Zc@T9DC7D9#f}--Em{S?ANmkdR!Ex)BN-T8G
zHM5dSF_^r5@!Bq-(^TmRze<xkLQXiq+{Ypr&B9e`_Ka}uJ=40N;?}9S;hi1_+6O(O
z;pr+(5lDizFc?xeApHVsfeir(+mz=7<p#EA4<=CIRa3r-3y_krCc*bq>`E;>D-AL3
zs>+`NxhYflHaOip?HZd$>Da<ik5<>Iy*=!q@9sc9Bgmyvf@H{Qw<cG7ne>Qu#vdb>
zr#u?=OEHb*^<-U?7^#aOZB;gZDr9w%MbB9`pWh?gwFfV8^70frY!oC4;UOQyy^*<l
z&m3sy432DphzAQ1SY81AT#y9gqf2?@qMQ5dfeBdCM(qost?pTrh<q9K9^RV5P#8hp
z1U@c3>Gygr6*kHM7Vc0M-(Z+OsEN1c!cJ8w)7!NWX8c}`D+xIqOt!QphrXld%x$}t
zt?fP#UXC6`#>0WZMuzC4YtO^Qxzca5G1wLgvdeMWN*oUKgi?&(`Pw?Dp0;TT;G5K7
zFyhAo-sC_FpAADk7u>Yd<aAd76^7_D@G=u#A<I2|0kW@aXau%LgX&ow0H8~&;JghZ
zZ4H=b_O@}^1!0*A&6o-bp4r;0mY>K1q$f|YG4!rZfj<z684N`ez-iog5}B|1kZmDN
z>tz`<hjZiG_hQvStDda-%X1-vcxvDh_r?>hZ8%<arB)%8oXQ%mfpp4f2m7e*ys-yG
zI`u;8F`GSW(#rvlOvr(Kpk3s3kbMYx9(m7L4z`U(9*25&3cnue6zJeW7Bzk(yidIG
zp*2{7)ltEA^7Ax^r*?Vmkz(`$$gkzLZ{(Hlh4>!AE+}}}Nmm5DoG=jI1~midHr7V6
zRNQ@kwT#?JTj64E-o|P2d>~m5dOEHOYl7Y}PAZ6ac6-08$K$ex@@9J;1h~RJe<-*$
z01nJWPy_|7ggU63M3^%NP!V&fLA@5Mk?rzs3|a@wT%m>U%(6v7sSgI!-FqQJX4`sA
zVSV8#=f;z6?+vBOD@B`HmSoj9IB88YwJYeTX_wc|J$rISG%5XXP|(pxQ2c_meH<ar
zD0DmU-nKc-^8yfk%fi_~5#^KAJap^P(A2sRoXFF!XSui}UA=3)6&^WK_n{@OAg--M
z1HD+)(57C9*L4=BjD1)V6ISkt`XnaTpX$<Ed~M|y-Q5szQQ8ej<V5dkMu-Vt+^eO=
zXwXCveapa14nq5AM^3j|F>jUWF(^q>pz%&9jc&^LXn{_qzMfh&?$oUF%$_r{>Qk~9
z&axsw9CK>IDXS#m*F^Thpc}pM=@^fSKXbZaW}>7Sz{(2Cqhx~f!&!xFI5x5h3?uRg
zekIfOh6o-^ywn|VeTzXb?WyWM*Oztuws$4++UjwflolwiL?Fu&F*V5O6V(7sh6+C)
za=3>>;tm5-kO6rF2yQ6bal3N2C|H$@E5RgOwt0#z#mo>~4@?jfEn;ZHp8(v3@|$T=
zp|Uc&B%5L^firg^uI1vh+2L2B`D$!SND0)Vc!*qL=Pj5aKScFGV&IY%eQcL^6^rj(
zi#^yi&CiyhpR4YGB2Uf4TX`=~s>|1LM>~5OA(YDQoY?rBWw%_zOab}~3arxiStv5@
zK8AhQ>rDAP1@dYG9$>zjZV5bEo0yfi93mv5PyyZ^#4jQssgu;AMPA&^=~FYyiN>Bi
zhv>;zpPpjDtcs0B+e>~HSwmdtR1=P!*A}D<iT+AagCF1kx76Fr(csh??grhHNx!65
zd`YP+5-q9z!r}o~3<<Pg^#LpuYHD+!A-`9UIX4dUkW59P99VqD3_QvbtGZ)tx#HY$
zvqw9q`Jq4d#CIIXTV#lm*w-?sV>iJe+)p0uWhZqOkRZIG0cyQ5oP23^j5ZdJ)WzNZ
z++)P;z2n>4i&uig)6g*QdMK`C^wi-5vDK-DabMVO2C^~ZYWQ+7K_4Zm6iVh(52^Ls
zK;Dse9U*Y2BMf%}!VO~&&0~-h0@LJL+Gbyqv-!F%NLwm!ZvapF*&aNcjtMaaEEE|;
zFqV7B(vM9zS;}rNc!1>1%G0`p9a$A2eybjL0Wmww!Jh9$k4Smg07@OldH_*CuD<{V
z4G1Q_CaoJ;U&CB-OI>PoK)a5xs%A`^7l}UW_2A?lzG03Q2zkhB3<9`>fDX2K@12AW
z<mij`S7-2S$r{HcthhSvJ>mE8*&c)AKF9Khhn59VZNPQd;&{B17Xm~986<!`mauY=
ziJ-=H9Yq~Y?MTP{jAV2zOcD<rEA>5&LEkGUo@yQ&CAGC?7s)F*p5!8}Gd7oO+^~6T
zJ{yJ>_JSRgO<jd0tsE~#s}sHZ0eI~L=*ReYrz_gc4aTc@61{W0DLNm=3%YSysOppi
zP2lIG7@R^m4vYONFUd{tJ+H|o)p2535D`{I?7E=n_FkQQqH3v{<+e@K_eywt8^?OK
zrA-#LU&-5nh6lM10$(F#W*UlG+rw<{=tQz;OTX++0ufFDRYiSpR9ay{Qzz{=!qVh#
zu2nY1#EZ)nEKW4?937uO;8nCS2FG#ez5}!nrqjD)M8R@7=b{<(>+z;C3n*m~p$=|%
z><^_TaIrSOn}&bBGeU#e22D8NC^M=+1dylpXw`)~<a`uDpl-dP)@Mn$NsH!T#qw;l
zdPmN2Ebm5PlM95}QJf68J!gN#XjP#_DSFVJo%*Om2qan}v)?J66-$R|nH)~U!#iFH
zWzc8dyMdW$r1{dh-@9iUJ+(?&Vk`*-3d-r}Bf9c34}pf>Ow2*Po3qsC0+DKp`Q9bd
zrO(v(qM}5{FV*r)1u*&@Y#c%%b1!9!os3b~MMrQf->H|uycg#tfW0mPWk&a?b<%UF
zmk=O5WW2yHaW}{MnHGZ?gu!b;D1mcZd&}>9?XjO*KYx_MwntSf7Lm2nCyV!tHXVZA
zI{^KwZLCt?G8bwjC|>T|YOkt+Xf=??;1Q+hyg3rNt3noj?<)IEHB^Kr0|1tT1X)ev
zCYvdRgSd8r`zTjdLv{_jw;XtR6Tyun%C=fCyF99jpr_DYs9NKDC2>@;5O|<nIOk(=
z7p2jh92wi&H_GrvFPt;n8m`w@cer7rb7!%IX!#5|<Xj?-T)CMXqT`_%=A-LWD(Kz<
zS{b`b6cb*}OR^R9alQh^o+rqV?8ilqfIBN*lr%e`8Da{P9tL;UfpK8NG@ZMkXfbr0
zIUOfjl_B`D%0w=nP;qb@D`MirJc~{DCkq#zt?tn8#Tb+dKTWU$(Tzs*^vGmPSZ00f
zR8sJ4L+$C1O6T^mDX$)ZX0dJgQ;&VmVM>hZ9OY~&yVa`l9S<1Kq0Xz2+`(o;-!vQC
z=L*gMo9?YAcL~m$y9B!1J|qgMfZ{gO;=tn?NXzBS<95__2>Q7D(Q#1K^`qi7*4=j-
z8yy92(q@@4<u&XpWq+#48DU92M~R^14BGMlO)&82L53|6JCSamQoMQL5Czk~@p`w}
z-!oSChbg-U@I3Dt73@(%SYK#W1)SsqV$l1^d3ZG@!i^1TF_ec9D=HJ3EgE)oXY74Y
zGj0i!m@#Vz1d|eV8aW+nS2kLn&k<k0XOKwXC^MPuy&OAi&-*1g2m;JnYY|ywW<Rxz
z2c6UX**5HR{cVKGqVFYhQkxeB5N~duxR_+oYcdS*_nOpArr}@&iZwT*AHQ+hw2^u%
zux$Xs(uy*<xv6ZV2?wHJVmdu9bR4PRU8xARGJ>0n4hR&&YVwGfl~ac2l}GQo1b0kh
zti|meJg4g$Bs(mJms}C7$Jvqm%okS|7z>|A%G<{RJ&z`ag0Y}0Yf50!H%agz3o7@^
z(&`!#Y-S%CE^x~hONl0O8BspeN#2oFu${1wAY{EO*n9V;9{AN`nv*RF;$$b$Ytx5}
zN#>5+PNSobUCe~V4RT-lYoiC*K#9U|ixz&i2eI!-x=K<m1V<4rpRr$g3LdiwEa6MP
z`m=F}h$wsXok(uXVHW$j!aDZb3YoA7irR@bwi{%%A;9Yc#({ccv`1v^)bUmyYZp*T
zo9FdGMVID@;D)j^1Tk-_EzqLXVKCkcgaVBQo*ucg;)>R&3VVAgsKt2)=fO4!OiNhj
z&oj8%Cww&@T>68nFyle)ou_~#lfiP#LS7Mb1R*WxYNo@Fle36`(tCvY-H|>$MMNU6
z!;_Ypt3D-j3Agvmv`Rea!5BYe@K@oltC~%hI}Rc=0cRGX{V`5*({l=XSNA9}%lFwv
zqE9|QVH9rW%W}_g7u%LQr>@10As)?C(=flaLqBX1czGI*B4`L2Fcm<@nkiY&MYk$_
ztChL!y%=5c-J;ymkwf(bX6xGI7u)S&{Oab?{X$=Ai5)qLok$;Ri8Z~@d}8U#ydBD&
zk6Q3jrqLP~PS4?z+J|(34_-g&F@2}q2ZwrrGDfExD1pYMAy0;gqCJJ*Mo<>4Yn9;S
zGv9jV2}i!ek$z%F#0#&Zk=PILy)npR$+m+bYjNQ2hz+Nt6o0v*N=o<oYAUb_nvO(K
z1=Eqbmgw*~1jV^z@TC#vtybbL89zAcTaQr92#hR3c)E_ElsAb$TCX@mZVoC1g8}3n
z;O=#{SPx=zD~#%_$vehG^KQ|M=V_E+fo{B6IyoG9q|(=#@BsB7F*#s+dw`|lOdt+1
z-o<C*@XtlKmMhE)BT3}q@G3(V<KlVNX>JT`>ZjbwUTA{#<Yfm{HuX#L&49Q$V0!N<
z118Yw+a`V_4`7^LsVi3*;Kf*5;`w$A<UVoE)ET8sjIbVmSX@~X$&&){Xn1eZSXyxz
zA9%o`XznWFGt|ioF=ZmkKy;g;z1!p%8IVu}8pWs~O+~G`Nq<iS<f>o-iW?mUlirgG
zl;?}8esQ5p7Ert*7o7#SR5KJ$1^{=JF|x9R#oS?F>W*N?P5ihCZcSpZ-b2PdSPv4n
zTSvE*s}?iYvh@NFMe2Au*YJjHuWGGb?Hwv;jo`@Lb3IPWQr|g=doEi@frn^yYiKXx
zuht>`dMx*527Dpz@k=LC6sdldAravekvrVW>(XlC{+_y|_)3=p&?TGucB#E}gbuGc
z!$dzznz??0AUdEgsukdpsRmx*L+R!YWk?^zVaIB_0JDz0+0^S7@giPtyR+kUB`mjK
z^i_!!tK8tec~8W~C(RyV7vYNYs@c6%o#!3PF_9rGqvf2J&xGx;w}_f{Vtm3hUTSP6
z4az;!)mgKGU2U5tzrx1qVybf!WPnX#gK|3ze~`NQ-XsLlv<G`oYZKE33^6_D7p)dd
z{8CZ{X&<|)!|?^GqJRJ;Rs+YeZ#xWW@SVTMg0jUKHtcV08L&>5S>egel$Qc@8k?6l
zLvEvKS#+!626X1i;5Nt#j;!s)c=6q<R}W(x8seqDd_#CdTRij1{j%_}6h)ShosULm
zt>5<Ak`6=at9J?h7z8jGhTj{r8A7@%c2Wtzi3C}+^&>Xdwx+iNeTg`d!(kIH76nww
zH0(FVoeDnvXifWt;(~!Ps+Wh~q!iyaf(YLuCY^EgvL&#4m!0#3M9fOA8so5UUfe3n
zD>8mc&7$Qu^)g8x=swUrtUEUl&5gK$?x@<Q+X60+*6BsPey`9#MkiGqpAxRm!(fFj
zt=iy@Zb-?Jjy`#ACc^~k6RJWl7B2^O{W@)voua*#<7Lw<b3FzipTZ-%SZ0HHyPCyb
zjN1G3vvmZ0wvGh!2YJsuk_7z`^K6%Z*8q~dkrMDM4w#3;d38)mTC@fpyiuZ5<UWwZ
zzZ>mCPMFD+1~$}{1aRv2!toTI4ZV>CmR;N<@^|H>&pZRUWr7)%ERCqi>5he#ByCgS
z7sXwE@e+(=&_dt9V^ZfM5e^+s^rlcmmWP55gySJzgB?7iEAv$_dymg;Gu>Y8dS-}*
zN9Y#eGufizJ$a4HfCM&MEb1?OWhT=4!qz)f-_m=Ji#3qWA9G{u^?6gJ9`GYMOtJ-~
zQcCdwQ@z$H9%@Ytas@6xlX0U#Eer6i21Zjvw{CM0(x!ZF?>76TGF81ed4eL47iQ3p
zJkS1ocla9<?y$FX*qe~Pd)!5j;i%5M%f0JmviMpDN=Z8-^)AEfLSIlC8V?<*yR{kY
z*GVh;Y%!h)Cz{q4wLZ-%bz4`<(~2#*O0j!}jcR>_5TY$Ea%5NQ0S2DrkFe@!aG0kp
z12I6m8H7h4LeDgdy{+pwBQkin3!6JH9U&9_sSTZ;XtB9Fo|1dmlA2%ki!)7QVTDNx
ze9yQe&yi6i$OGZY#Ut0c1DdvHTi`b3x3*@9?oFVb+s^(dkwDlc)DSE=@|cE+cI_!o
zNvQ;(OM^|@RntILQv&ttUI2rpcQkni?bnK;ugiL2<3X9Ufo3^6RBsP2HJeKiS}_^M
z-eWYCJ8Oxi7mX&AuhZTF{|@Y>m^|Tg!jAWfl3ucfjjFkJUoh;1jyl>X8lAC|60@g<
zGp|H%sJ))Zd?&dJVhTPyrwmMEp74U;lHROUtGFYp)Wc>1KK0S)nZDeLl+@$gY!#z9
z0(BsUH>j~CMWxZV@8)_IqcHrrC`h|<$pO`LR-Ll81dB(UkU!|xlL5i}I&@B_k<rww
z#z9S#&_sr9z;sS@awm~E-)Lc5>4L!NJRojSvQ%oZ4(8|S`5L+9#E1|)UgaH^Ew6J&
zw01&lJ*5D*!!`iHcf@Q$vP(~iAYy&IWT?{vy<5!Ww&Wh)3Nm(gylpf>b$y=pw6{PQ
z6AS(6*SmuNK9}S5TGqHU;=Lw$4?$b>6?YQQ^P|#LlXZ36$N4-w*j#FIRzih_)806w
zv`Y;O-{8jG<X}HXIf3UJd;BP~rC;-{Gju<LK38!_1w=Ei+Q}2d6fDufq%HLqoJkQ&
zIvF{sN%x}S^3JZ3#nhvsF~zJXaRub&OxhAsxp2<0UOrI(tb;jTpu}s5Q^AfAmu)5D
zDza#;t)x(0cc)Q*rr=oN#_DUigL?s60|B{CVj(@9SbPu}7VUFQnC#;zucwN%c}m!>
zLHCv}TwrHNU6NI?iv#gcWw`Y1k(Ap&hR&Ni%>omTh|D460juG|_fqZg%`(d^8yjM2
zWcb<ApY5Y{9)<1?rVCwPAmVEXCX2jj!Q)Y}fU;Rtq?D(FI-O!WCwcP9rtiW7;k+61
zBus-^DkPw6YYYi~CRaw#>!-ZHM6PGT$gk*d0h(=i0CzOOuU{zz`f%H|r{rzUS@}z#
z?7GQ$@Mw%$Vdd^I<;F8@h0caxbC@_ty}s4Qp^4Y3knb%b;vF;AlmgVVe2+x)$+~tC
zORvvR2(A{lb!fXN64)@%Ain@QaKS)u-hHut#YUlWf~_l}eZ09MEetumvlVNm5sixJ
zJ_82vNO0;H-dd7w>Rr5|l~!D7kmubLqcQ8C6CoW{5+xKUsaP?Y`HJxRk>uLqNYEQw
z>M1_MjmC}HdJhBjAc`m-cN*LfFv9K>5u%TRx&gXZRX6~%6h6J%dt>sV41ss&>AqEc
zC8(C790fN7_?Q^wRZyJ}I7=8cvYs!B8q_lM(H^e7rMC=xX!88MtSv-*Wa~-++}0Ty
zCr(g|t?ZoFtIxQNl%TO-&ZvQ3W9@0Zw}qC<1y{>H>Z@=8eW@CRe4z$mW)(^1rE(Y+
zqL1Z;05}<~cE6e9H}|w&EC+hnqt~18%6;g{uj1m6Fg65_dsHZsys-yfK8<l{+ur4V
zfZ87J^6X`2HNi5>CRbltaYQhV*MQpdG`v>~J05rI($>z~C#TGPcrW?!P$6x;_u|2O
z@;snkbBjFwZXcg(a({V`$)dZ2AKcb9SUQHlJUA}ZV`nGL+cg$F0K*hqtZET4DCxFs
zy?79fRwuPLW383Cq25R6N%go!`hqOWS@(G|RE?uaZ0vi_5m3`aP9x@?j4A+F$>tmd
z-R_k=A+W78D5*j7$7gj3i`qpPIh-fNS-AP^J<e3+CoA*9t|39C8F8z6A2l&l0GrMO
z>vf=Qr^e=}#@c3YP?K#+ZN0biR>~L$A3uW-18Y%Pgz+ROZvs}o3qiiVhsDIv<21c1
z-jI|h&x-=nZQlzRdxn7t#?C48?p=BNq4a|2%F6j|tt?(ij2c5YWP)~jLKB=AQgP49
zz@rVy@;J!FKldJ1^gBWG3n`lA3{cI-QYb+w4azZW+x~(aHB}m3iJ{%?5R;wY+kQN6
zN^&If6c@H-E>t=3h*uyVwl=a_gt4&7zQhOZTtYhyj0~BB>3LI4G>-aSjN~9`D{6^6
zpx!k0HRjf%ljlq1BF{B!2a6UpCh9#Y#o&@KlP-)xUP`F~6E={=$FwB7=)`Tp7W2@0
zoq5<yBDyv8nF7zvW+qU+9%?KDQ^l#F!kaN0Lbt{x3Ynk@A705}0-r)NG<;Qg@2$Q=
zMSZ7lJ4D;2*oRbB9*94E8T4udtDgcDI&U78yU1LjWCfs%TpC40Z{N(i`-PB@yM#Lk
zbsVbd@CKYyV<k4(a={(gMO1SNSKKVuN<Vk%7jhc8&xFPFR64y2-WGWPvvprROExif
zW6F+4r6}^O>~3me?cEmEP^80)!bf;sc3R_5y(~m%JX6i18*=EAwh6<N%Y&RZt8!jx
zq^czPnn-2|lF)-}sdvxBUY<XEQ}STswwS8u%8F+cbx5YV^_X8qbzr5UmW$^&Spi3?
z1Zv+vI=v(#C4S>C-V%HIVyY&HJplw8z*0G`OL(hCl-#7sQr6V1&(zlADBTtG5s~)j
zrKb9nMR4TZyuCmZNA;wTl*hCP%|J&*V4BkeuM)u$%|<UR4r!KPz`2X{)j=Cq%)8T_
zV37xyE&$*h(Yv1w1V0z%X*<rw(cPj|I9Dl#7(*7rNaY!>?mCWepqBSI){SFh(^ylX
z;2D!XZC1X<U3xFOg&M<OAZt)5KZu>1qd3e8r0usp3C8mdhaL*ziHRPR?&iGpNKN<K
z_aG52dr7VC>iX@2fVP`R7ZAmJ`f^M*-EobW&*4tQfkyT$F?p>#t}h)9bxwG&Ky+81
zt%h>N!rkDH8Lb(cB7+t!HWFl)$G#knuXrnVkSGD`ZL;LZVg|*W;z+~2HCw#tCtCX4
zUn*>LRb0OXXu3yJ!x}2#{!Rm0&1m0~Q?%;$gJtwIoJnXGX_ZO=AY16+LPxbqEzujF
zo8T4zP6W)08*RA1KVi+_xikW_9Y{%JB&4}GmI&kaYBH$NL>|43bI6!?9r{=o3+_!n
zh$=+bcX6z;;LmX4DJqFyOP|~$<<cYQv5?E&&dPyT_Y@!T64OEWt)VRPzz|po5*6UG
z(ew2j?}?^$<8{;ygY(WxX=JY$(&srXgYP-dh^whZi4*3tGAn7%HG3CM19tFiA4Wk_
zx|bX3xH9dOwP4;9GlgYR4$%(I-fdNRdZYr@Yu}-2^xz!dB^#IJau>Eye!&JIkHl#!
zB-JT<%bGxr^L2;DTjn>`Rk%2NOaY=q*|10h!mk$1wee-(8<y7BV+Xn*&J6W<h8e(m
zsH~Db#^Z^TX}*!L#Ym{IcOqU~yRK$P!mqKW9gRcg5z#Ok6@WR9^^L!(u3lTZ9=K@S
zh8uuaZ+zRB-pf~K8^RCJV>3&7AEUi!KMV(<G=CM_@E-OwF4cIETx}E^rm1&p`B4W@
zIEGfMxT2c3>7%kho~JU)Rn!+#%?Sw#j|~xA69yuq@dZ8-(Y>+WNs9NjqFi&Nk_bcR
z7+9SnUi#W?-|C9fO1@-6GkGibYLAs>+zINQi@D<n=i$In_L5~`6L`N7aGN5)LlIQ&
z7k-qpj=j%&VT>^do^p$cgAm=~0Y#*ezJAAPzVIHvGn!|SoRK1Mm%Ec>^`IUFKS?jz
z*GMMn#a@^utaM^Jc{8V<Erj^9h3M^r>FY_%N3l*>0{f`s1hz=p?X?U&5LZZllH0pV
z%9&4-jVXetxx8N908FC76MwK%9_A05*9zdM>0Lvi-1LKSxiaVn%@13jFD6L|b{>wc
z7YLM{M_oNQiGw4!?YlSnBCDB1>bd$g%Z%f)Z6Reb9A&mWnUle3%!#nxYaV}EF5J73
z4HN+I^q#BT!Z_#MJ*(OGz?%rPm70y;Gl5_PceA!vZbia+3$lsNYUdg>$wJ8(A`(V~
zC;e=U=p}pCJuI8;Ox$WOWHEjF)E=rg7M7tj_C##Yn<;u;pupiS+d1*rn)vD5J!&(&
z$N5~`k~y7P<_$hec%4bMs_l3BR}(>fMDqZo_B6Ez%o^X}OPET;&Q?MN8S|yiw^d-z
zwIRFd4HTi+Lwbuf{Ia|8kfypHyKzaQmkvCu_hLgli~^|gp>c*k+{}8yuL7{NkN2c&
zuop`qJ79xP7o}}-@MUv(-eo;xe5AP`=0cN2eubi(_Dl%aL5wX~8a8xkfmIRj3Tvix
zbx#^<OqNH54X}Fb0^Vdw(L7o}Ye~lpu*(2%7kcA_8Ns&7W@-m~tLXz76m}|#P`F+1
z(Y%>w+bn<#(64a;o+P^p&GJDtJnw*(;%l1FC=9__VE}YqZBuMR3Paq!cZ{q}<)ca+
znh!Y83@3+hVM5i;9ul&RyuxP|5eH;E^dcu=Y03Gi>Gn2^khe$5YV#%{X7|lz3_{I2
zi$_ZSQXvkPI&OxM;Hgau!y9?20|j&a@);?FZrf=udL+fs19@k$XmMn+kEZa6+9G)B
zYlHX5wfR(^=4D_%+eaxyb$}6q?_CaJhE@hqFV_hMCCJm`qvscWkefrKl56ko1wD0A
z<}OAq-=K|_Eg#l>v8*Zig2$wi1~Ac!9>i=%#KW6tiWx<)SM(BNrz^YDCx~qQmfk#k
z!Iq^H?O^Tws(sM|#S<Nc5i+>52`3(kLgl`^Wr*Pb?nlF!(srk;Z`+$6UD)1@Bh6IJ
z%G*>4(T=7(qnx6)l4{)RYv1ELPZY{6|7;?UzCUE4+MPTD?w5(NarGWNd0`UGI>Qi{
zLNmFM<I3Qr@t%aoDl&34K^6}n5$qFU+&k$Iq5_MnlrS}JA49!m#uZgWC?!OB*xP-6
z16u7Xhy!3QD`xIHk=WAqg!lmc!O$YIchJC2hatXwWhFfiIFu}F%In1pk9xquZeYZ_
zpn~^=)BS`<u!VJ%`SC=*F&5^dcNK3XY3T3@MOca#pIV2#Cj}H3%<W|la^A3ckiARh
ztMD<;r~Uewa@KCPwP-XhzkEU~Wd{8O_}n01cEKdExm_CiMIRH^bSuim-f0)#Dysu<
zZm-;f#qHK9qMV2qRaDU3p+Y!U$GHGrQmoYgx_`D2rl)ICVa{`WV)5jH<%xFf^LH!w
zb{>%H1%iS}R2S@VWwwiN=UVI9&T#kvCODP8OR*sm270)(B<*jnUcIA`mvU+>Kw0{P
zNSU>q<C*fC9x;zydxv9>tNm8a4%}ZBLMT?`!#jo9MMa5f4X3>V7nX3YGrS#a?s04g
z<l@G-zTFef<Eni|hu+uo5?#ekDp=qm(){3(`t@`gD>m<#XvkCdSE@a38%+SA6hNDa
zn!;0>kkU;$?g7smOu-RKs`%bJTp4{)dQokiN|k!vaXxDXq>#64#|!6l2!!EVNp`}I
zgtC2R{4JJGK?Y{4=zBLvDFRy?dhs&VfOjN7njT;31i=f0t^t}w)#iSW{mOCA$~hNV
z<o2PL+@OK`JB~^^V)AIVNNSUZ3|bi;wYm4w;#302m1(2ky|dYh?d_MAaX2-^g4e~?
zj!U?KLr_87S_9m8P-F;0D+WEpl_Mpyyd0Shr8y%4Ry?$V@C@4W(vim&)0WIv-dOi>
zB&4f$zO<4m!@b8O%L=z!6v%Oe2C9lrL(WA&6N0r*JuD757wqLZkcVj<wA3^a(t1B-
z@i!Y+1Fs&>?8-LxrSEvJ1cl)Mf?u9#doV1?YRkEbIQQeE_Zs;C<dNFDseSI<w&5w|
zYK1L<4=e*v5UE7%PK)oMBQhdhhpg0CM=O+Z<GGQ1wh{hZr@wsZ7|p&nOF4mjbpVT=
zrPX}Mf-j3~pwT?hy%hQ3+KJNZQZ0Iq)lBBOmcWKnbG)3YYvGD~J<s2BdQTG*icla?
zp7_0|11}f-RJBd)jY#tiIyS{>_s#0td~%R;;x2s+`Nlb^XnBU1L#NDRRUaDkp0R~z
zVpR`|@g`Iy1AB}q7oES%Y1KmZ;)I?MVr?WFal__AWONNknK?jWO=ySY*9P#bhd+HW
zeUpqNHHa_$ICkmhtX^h|X}>FIToP5oakOia$0>AD{Njw3iD#ebaf?cKIz6zN*fX7!
zvgR#Ya6zMe<PO$A1BiEZ@0rUpAB$;HJx!_ADp<~-?cK_)|J#fF^Y4HEZ#e$rU;ml^
zwIupaGXDMlH5b;387ioBAAIy)z1uQ=yG8u2M`%;29LuQ$noL=D#FTDKrg>((;Rv7$
z1TaReB<S?o37dm0ve=b@f;PKeS#vEiZm6PO;R`Vh>b9MMV#$5eU_`HdgW_53IakAG
zxsuC!9NQ+sdg52sWG4Nbm0AE{oVC%VQ4nz@M2J$W2er@j-XIY|>?^#P;8&X4te!MV
znAV`J8Dgze!jspp)=kt#&FJ9^IYl;#SL(f4ma)*{<I3xMv%FZ5tX=EEhEI)7Iy3hn
z?*#apEG~#R-v@Aj<tlJ^TsVGx?_QU@E8p0nO@dd`VQ>PuB21ovXD2V4REwN3`k8s6
z+z|V`7dvY%S9X$^nW6LWZFYM=JZ-es(*u{~PR(K>xAk%-blB`J^aa#Kst!K&BJd?V
zYlH#LH#NLZLEl@M;!+?5Y~<dwXH#$bj7T4Ko4H`u%u?n-zL#M2>@mw62Xy;2E~CO7
zqCfLPJYcg~5J|_3ofJz>>MLk}K`{>@kj^N!wJ)ExW^0=GGvo&>V}ac+dnZL0kB*)z
zRv*0-Dw$N<JgdxwlPi20Q|9-wS<aiY<!6A{lb)G^7%JSyiPxZd$B9Z^q;FIh$vBs;
z+f`1{vzDxpxW@~OyGKwTU<JB~6Awg)-(%b(<C-j}+=u#Jc<=+>CvH~I<QauGsM;1<
z(M{qB%IPPzWJmeYTs}Jsz+YqPOr6Nosf5|SrF?2U?=4%LIqDk;Qq^iPy)9X82HupF
zN6{}CwbsPdZ5C5x=}jzq+Pr(cI(|?DpczjbU^}DZI^d1#fyz@OLQqrj;xV?jBkTZ!
zp;wFG;fOO)Y)80H!wbcp%FD^2hyCJ^rNni#0pEM(jEc{fnci8RP4?Y}ih<^94j=}g
zl2-}hhWidwHMmfpJ}3ZrwTzc6!w+pUoe7zQ;dwsGXn&)$6`Q)6otIj5D|vCxLjy)K
zmaHzUvEog<?Rz?>lZ3QLMa+)ED7wMw_MVnb2JTZAq>6joii)bj6!h*Xx-v{WxFE_m
zGehSV1kYR;ne~Y1oy3cWHCPF>6kxrNftBz`D*y&05iv5B<8fM#qt66AW0pDrHc3F-
z1TZ&u2OPq=?XsjQ3SJJ;xilQ_W+Mi9Omz-OaEqQIIPRlaO+5Y%%<76{YgUd6o|=!E
z?JDc^J`Nqh=f5nNQ>P?A=H2V!Dz~={M;ni3jGYbM+m-_(;e9|>kc~8Dqw_AH<c+7)
z=&Oi+b<*>^Sl(C{(m*cNVc)!6_dLTYRnUU6z}agWQ)*YnDt{QaXpe9!8Eng#HDZG5
zN!D1LRHO@ocf3)g_ilUjInZ;HOrVOL%5G<Xm*m|^Ba&cDqfc(q-2)_CI{_P4nP51!
zNr-ryH&EsV^?7m-IUU}BJTpM`kk=oQ_?INze@Rlx+u0*$9Fg7N(g8kCrW>yTA3Exh
z&r^_~MN$Ea3raa>Zm!czfe9ZWBe1abj-cb$rfKgc<f58;$Oy%pDJMzLG2l8M(=@?A
zi}lO_)|)xAFx%PD$1KZG>on&>I;9jz^T2lFmVD?|#P)@ui?@ziGu2Wb^Nfjs5cYzy
zF{?32S!V8wseoXqoaYV@J7OrU&Q-h|j=TAYw@+1^bHFE#tTlQ16h#7EtlFOPdRpUC
zRm_#Ub@H~yGqNcOhGe?VX5~V%KxM@&6WFc$Y{ZRWnhG>(b%NIBLK?G#%Jj?>b00tQ
zP}*!m(Pf2t4Sctq+ipZDy7ugm%Q6jjws83Q*o<sX#zol6N9V&NXt?+S>e`Vyc6m6<
zFC$^%Wd<ZSiC-&^SydlLn5|nsM`(v;aY6M6&4<UV7cVd|Ub%bEBV3}5r+$2h9CC}q
z$k@PuB99)+SQjL|<e31lv1j!XP1Akl8s!aV(|V6GHbXNhR;9sWxgjz<xKryQ%H9sh
zCil^j7?J{j=d50A4kUcpyoci3)Faf86@<1sxC1F`#m)6nxzLH1iY!y!3pbUKCsczw
zu+diUij)T#jZr1e#&2MEJ1$UPGv!SQ!^ly)`Frk=(7}|;-J5oIbletRo_WOmUaf<0
zLa;=>JR^V+k@uJw4I<IE&%HNZN6_QZEFhOa&Ha!B^@|e5zc=}(b@0Nbu8Lqe_rXE3
z-G*roLe$HIDA;!tCko3u@4bcre~+}_oo;T4Etyr_V)s66j^M}R&%3z2#|tRkEZ{iR
z(28hSFNoj;HWMT!)@8<ylnbI(;>4oep`KQ+8gM%#$4z82smByVXlu<QRSgES)>$L~
ze(7Yx92ULa-I{4D4}2??voG%M1m|frGvGO*4Oi%6Xr)2Wf>dTXz;L^0Zb&9r%&6Rw
z;OfGfx|Jvem94<8EfQjTZ7#l@Y_iyn>rB$N)M%j1%~|zwb6>niY_UCia~ZD{wi&=u
zuw@3~m5`A#iX0Kp0uF({AsfTg(+(PcvAStP{EKVz(+7t&pi9M4)G&}^P?L!G^ig<L
znDCKK0pz=hH%8$&!}?}#$n_B<8J{rG1_Mm%TAPoFJZ_UbEqLJ)y1N4Gfl+?@9;-E#
zHIY@jM{tolhNFxVPLov*u=t1_Lm{PSyk`^%r<H3wH7M{%2Du-QKgkN2tXa3D?A>^5
z3XzH?Qzg%DuE@L=>Wv&Infk@T7G_63Enbj)IoD|~9D6HI7uXUVLpRNxbt28Fbg_2{
zp1SH(r*SCr8t+N6JRi<0G|+kqXOA8E;hSIFTS;rzvf(z4%!a*Mz)`cq_@&}LIxo^r
zJ)U;FwR<9-Nrx`3<B`4(3|zfUi#yrKP8h*xda~XK+X!Wq-V^=6<a>{g=VpJ-CcSpm
zC;~5B_m#6e80SRYQ+|(9H^ue|ZybSeT~nre-~|`o4ATvfb#T3Rk;BsW!iip-<5g2v
zwmHNBE;a>&y&N5K!bbAf(oA-YH>@nOXT_T^I<mx(7joGS>1y7X^3a*z>O-QL+aU?O
z)&L>9u!IPLU@Rbhk@qT}7TS%tFS=b<;~hd|amMzw8V2bebVobwf^MrxESY$^OO#*6
z%(0F(a46xOc-*@a?O=@2V^8%`zr6wVtZiZ^9=k>XGHc=&b>@RI5>uJfg|<RYs~bDU
z?2O0BRb}RVn+0sx>jFhd7wl6nNYCEevwE44<(tlAKAlPh8hA2;Zxc}!(wDBJ$19EV
z2{kaU5yqOpQIygJ?~r<`14RXw^1b0BjF)z;vGX`3RE!M|xH%NTd8@=Rt2;(upBksl
zR*}oK5lWpZ=oG%7v_r+H$Cf-`Lk}jw9Pwr;x0WRh(7ewXTQSa%_DE}YyBYl@0t1+?
zz3bD<T4|ExG8|FPu)f#shb}tNUQ8Q&#@fpYGL*R`IyfmpCgF>=q7L&Q%zYsOp|*_Y
zY+k<}-c|?jcj7F^iH!mVD;5?FSRQj$tISU}+0m*YhhBE4cDeZ(K0KfcLRlJVq`p@?
z#6_V5?SUzr?X|jZw!vSRyUoI;YdNN{M1}fQE_!jnBc8Rj#@xL&30LM`yz`3>PQEv~
zjoUZ(_hY9#o!JDfGCJ+@@peQy0Pqoc7CEtzGj6?kX-Xs=Q)_m%3<;`cI*-~o7zya&
zIFsKXwUTmPO6ZGbUc{3{K3vfd0-rL!XMHaljaXw=tsDS(Fu6iKMbAYl?@5wL`L<a_
zrv#E%ChY;c>gxd+(=zIN8ADafg~ElpAzNOGHO?sMYESI|9@d=<2R%cv#xS<`AZ{|R
z9a*#DdYFXStUxI1fmVshcB&h>zLMj2K-yIM$YWh>1eozX*akYy;?_q|==1U*aVMq>
z?lGWlLgyVG?15M6kc#S@c5ft$Ee60<zV|%Ma2fjQg*YB6V2lth-wT%)&8bJ7MB5iA
zUZJ4eaHQo4rYl}@Q2Eg9F{N~*h{o!GCuNh7cpot7M2HcKMH{_@ODBzDdI6*fKJNA$
zMT6hr-08yI$+Ctb2S4ozvqwz)RF$;XN-ba2vcob-3A$0{TCc<!L`Y-s0^F_>VkAF;
z<O)RbDV6evAsuBA^EU5wolCqyoL1ZQh92wW%hi}T*0eQ1*L-g-a|B_0_M9@s5DK!&
zV6I>2_RV`Ida5B-PDuoV+X;cHXY|C=5QGyg8bh&^k2K#{<`q0>^0fD!xzhSmo_C^D
zkGPYz_QcE54?GATnzs++Oi7{x5eoMKLK{(&MXo|-I7`^J3ezrTO=qr;2+JMI+K+fc
zmR!n*#9yF%@Ae1}A7_jGMT!OkZXFJ{Z3;lG!XBvkn=XJze8tz}^%z%<mf>EkJ)&pp
zYN$u*_8Og_`somyj;wM<%j#1Xc_3Z=j%zt1KuXTy$~4k~DPr@|*YPd|t9TTM9SWP_
zVmE3R&_>2iXVu%&VmBxWDki1o4PdpX^vqi^*J~d3GmHl8(RrQMBLK%|>I$&xfe3Wh
z2!}6tUos@t2tP+NsbYX#U4jZ>g6pDot-8MFP#v;+o$poqtkYY3#RZ&}i#J<N7Wekv
z@{K^z&B}v<;r7Xz)FYB)ButCju^3Ol*D;3(FYCaOg0HJuvW}qg`2v`rMn>c7y9>@O
zGE7!CF@#j;F%Oh}&x6LUM>{OBjh!`T(%DWtr`PvPX%L$a<<2YYqINoLF+Ep=8!A?{
z5{JF|a$rO+uvC_$;H4~kA5XzlvszU(E<7`S5twaMTqH3nfG^3wx13~dS_R@IAD?VE
zlg(Ny;B!_R4}hHO#Uo>IeLk%kVnfzt##MO-wX+MSBCoo#!-$h$eFu8A=uCO}U>uf(
z(A-nH-TTec!w8aWIs)m_En6LR_uU()<*4?$@pPzIkZBWqwUt&YG%xC+hKi;K-c9@Y
z+6AP)$)X&W6C7Zugu{l6>E|01DKKRhk)-}qkyZg)mmllOddMDkUyr7AKQp^Vyj0G}
zCL8KWwWa7nPuqy4POt~9U!;70iq#XSGG2;5A3i{$*ht+osMZ-06DHbi5Ugjn<CO-o
zZ>RaadCf9G5d*omvA!guK>bS(@^<dc&F#?a&o>!po@=12y}KDxwdBX~6a_~pGF}&{
zB0vS_0CPxKp#;3}#MIYJ%JE!^`!b!pJ>c2Gh1E_v3#7UbAV2rWpeAu;QROYMt_18?
zh>suoA|^Wf1k%7zS8k0&8kP`;s9_7c5FG=);9K@7ju35lz}$H?49{>+#SSxFmqUXk
zs%i*lQ}m@EJ0%;k?YXd9O7~RDqiV{nex$O7H9n%pLf8}U38%e5lj}aotUWUISsGs#
z9KI&JgGWxmh*PBM55VPB%6S#uP4Bytz_1$h_lB~rydRL&(;^IwvwhmH^xkD<uyD?7
zPhJzgd2GpCFi$zcGFHK>@7@pq<BJ{;0I8_)+lE*P)6ELAl3Cvu&t4-;?9$LShSq!P
zVgB}BR==s<&Zv8DeRd-;Z#L5~>6R&9K`WSJN79HPlX<swJ&t^(Yb02q%S)H7pv4kR
zp6gg5i0VV0J%Gar&Zwn^Jbq5>lGr-(*w3ap95bJ<-HV;94o4tr?s<>p`5SMN4vMQ&
z1=0&t<p{5Se4!rCWI*pihQNoj+bmGuD<aCid7Gr?CCx4#VTpHUAaLZ6ZDlKuBx_?u
zuE{oi2Pftc1{bu9JJ<#1>e(|g1(i<le)KkWnD7G?(JxdG!|-+c+ui$%6;B7ge#y71
zy{8V|CYor~b6WJo!8zWw`C1s@N@Q%L+9(_xiDqg{1BoXI!bLpIU8=5uQwt3}esRz0
zBCpV3m{WYJ&v5UMdmC4Y=ZzoE%*@;On6PjkNLz4IyI<#AjJ4niEkB{U=x7hgWU&+G
zSf{I}OQ}4VsbPkDZ`9-<;6a9{Jb#u&^lUQidi$vgK9M2;`xR4@&~-y#)@fQJkVu&^
z-ucnPR<KIDS2K`=T)Yh^G7kjp)bXY%J?0@lV5o(K(rH^kmo|E=+?`3ck1+2QqcQn=
zBDZg_cLaR_N<rVuC|IFt<#P{n3MS@F-!^+G<Nz;$1G!8$YTtV{4%$i3;#^dvn%9HO
zjJ9v$5x+y1A)U&A%@-umcJ#_qnJm-Ol<3GzL5`F4oq0l|NBb<b$jc=#dt+UEwxo&g
zn1Jh<&_wUdQ8<T%vqf?ZjP>#mbqk(5lJS!oR6HOpbi_1zYpzo`4R}F#3#R?#(Pe1t
z;d#VcNWRiWld$or=QEZ^68nfuup1J)lXf{6jyFYn11*BFk2RD;dw{cC9;pt}+N#Af
z8{ws<BlbsO++q)dX6R;kQuf9Okr9H}3*JF4JfufLcXwe{vu=4l4nLv<C)M}LEo*nu
z(rAkZ29vf_Ho3Rjy0h+?TSaa7A}=S|(<i5~Z@E&$5|e4LPGf7HM0v;~$PZSOzgXeq
zBOrDbBq99^7Ap~@taM#{6dJD=JF`eY^Wx=@*YYf|tZG`3S@ZO3>R1iWk<)P}r3d-^
zdfkv|#$S;ih+J9*A)Nr)GfvxVsWK;S6b1>KeOw#c9=ut7CRjHz3lxc+leQ8u{9a`P
zM`TWzlUNKn(MuUrQr@c**}`XF>}!+FB}yW!{!1Qby#56|P6H>B6TIXl$|+tZlKMW+
z+~Qa7dg`DO;4Q(kEur>}csLcUaMw6^y=$s(5YV!8y0L=TDBbgosOL%E#e>|O$~8fg
z*L8H^_MXocW;)R=xw*S4*n1eN#Lr7RPiuTEW|417=fPR{J26BwGnKKC#l2F5%j=l6
z_d2HD4ITCqCLD^c&~r<e!S$Dekv(lqb(VU-7Qq?1I)SzQI5Q7Dv#cH^)U!y1L&|Fn
zGlOo07x1w0mCUFv%u`p0d4QhXS3s8>_G;3=dJ;m%kS<T6_|?8W*|H`wdC=iD%@G(P
z7Fu-T{v;5oVog*#&81rmH2b|bNK2E?GA!|xhA@EhU`l}Ryvnneu-GE0HSqNCF`aL#
zp~R~w5t+Tps`r!wdHIEoE*0fmhG1%vzRXD-w<x}Q56;<#B)p5!R~}UBt3q5$Vrxli
z!jYzYJoJn(L_}?wh34X93Ben0)2~jAn5gQNOIwR7SD??kr_ArgQ|rB2g~%v?CILir
zz<&2sDow~B%5*<qG5X&7sAe&`>_q7^`SU3hbaR_Qw!3Q&m71Tn=DP}`z<xgy&zgE1
zX8RO?8~9bTKqU2L<JE3Kb+t8xaiMzNqrln4JQ{G)crt0xQfGZH3Gp6VQ!?v==_c4v
z-d9VU1g4s_E$|SI3nL(3xZU_5^Sso9z}EBavLet3khH|=_2kGfiw%5Kxk7l&tR82s
zSl0H$QJ6iPM;)RGpYJFqOY<XGh&q<Ya7o4i;%V-M2~o%Ccox?@yRU(mpRQ$ah({V1
zKRzuPF(v^VTsFmpIgjJR;HStf>IAOy@N|nxB?06*DT>|9j2#~(O7$8O`ASb$NQ0c9
zJy>6|jakDHrwqw?Yre`A=Ho^cnC`7;vi&Y-B(ssL_XbYKN0t_2mepDw+^lQn>80cX
z32y?9fh&-C6W7{V3#mr#ZVR=7-m3Cg`nuSba<Gr;n?~H2eJ>edy55%J&FO{`m1;%B
zalU9SF;Abz8lZ!mY50bURHvj|at8!myNev6o>$fDxQHfKw0PGB6GkO?gb`}I_IOxt
zVSP(Y%q%;WOU%<|dHPDSe*$a)sL`_u7Z4a#cR82d#|W%e()o-tjtRzlWs;NQ@vS+i
z2xH3|Fl_gOJAAa8vsaTX8%}~PVez1+9*u>HZZTg-n^#R<rbO93odi$uyf?WUAy4;8
z^kFE!J0|KYd4ocm4=9zzPrPI+j@q#wHh<9K@I}k+7!whh;wwFQ9e?3+W;EM-2Lyw)
z<gj+}<^)8=Y|RIOyKpIQn5clTl|UyrPjo97_?&_n9@<+@jYo-MTHS2oP})n~4n=TR
zWPI6xb_r5%95}Vd*Nyu~d}Ua>Z$Za&y3sq_xaXA#zp%Hp@2TZHU%`W9t)O8`bwE$Y
zIGO+>-i(uL!DD8CXJQ59R~LH1_$V|ps$3qKy)EyuzIJ$GetAORG+gC*3i<#qgDiuu
zl+xbP#_dyEb9#d4BB+gynQFWk4=|q(K9fZiPjsBRAPaj9L|~Qu5=y0^HGtPKBwwot
z48Fc$ZFHA#BYo@CE6Oe=QFlekc1)loN5%e{OyCNN4J-+e@5Bm|>6z5CV&(!z>>cik
zH_|L3II`G2M^N1p{H$#G1&Yo@4o`r*czN0Q*s>@r9I*#$v#nXUxeQgyrEZ1pv^hXp
zWc)Qszl=0fsL8nI3fSh%y6AeUknXS6@R_}r$Yx<UYyljko-@V^?SxR6aarkn6%40T
zi1E5J``s_z(2G3d4dTsO{lr-tED<I*8eYGhe)PJ!{e{~cUQyN{V_Sm;D{-d!T=WAS
zTC}+0QFzDH5t~n=0~$>^1c5JY){Hg{Gp+!+Sgn%?E*gN3+|CcowcfCGOy0ZQbtvlP
z49YFI^Yw;c_Q^3lxdI%Gu&u%uW0x}L4RuIW3wcz!Pq-O8?ooLQ1?&67#XoV$-I1QV
z@tEypk;A`u0k|h5<WcWky+(@{zHNH656g*D9u;M3(WKtx2)QlT#YNK1&=EY!CLqM<
zgaj<>Xq`1;H@j;$9$7I5)#O@!CRR-o1(9jR{)}Vc+{LLcy5F#sCuH~-WLvyPdM#Tj
z?;XHyKd#Gqf_}#vUKZk{giX~}W!avW>7y|B4veldPmnL|Cia#Jujh4zrkz2$@zWp@
z=Zd#yTm_GWQFm_}d2djFA3fE^#+9?+XcBupi<-pE6zCloSrhK(AxL1zac=L-hb-QW
zGTp1U@qn@1MasKRDd{w+e0zD?fcrEaXjGfWu)#IQ^Bj63B{KwrZy!FEBGfn&SdHeu
zw{I@-aE0>$M*4fNRM}M`HEH9y(>0&x0zJM#4x~5!@Q|JGotUqO;tW{tTyTJ8<(%z}
zvjD6B){(gHD->B9Vn>+_ah8z1p=&)f^;5ydErbQ25P5ta=`$PitU=C}_hOTtmZF?f
z-GHr~-WImfT+i@Hc+J)8D!6_mu@gE%xhPr$2d7&F9!S;~e!x=Gg*4^dw9DoIy-%|c
zE}ZD$t+CFdYXKkwSW?bR<wtAPTF1wEjO(-{+HXc@c8a*3f&og;oOv~7i=ICjc;ggS
zvnzIPdshRh{brxhk;@jXjXeo<t|2fg2&gjew`-Uz30>AiTMUl9^?J&qEAI^w=eTC1
zKVY#Xd+k|X?|twR`o)XX^6P*j3ZUg%-=TSb0fT+0;Rgn!@}4^D%h){xS{L^lSwlRo
zMBQiMV{P^zdwR81HlK6!bjE=5v)Y9?^AUPs9W-zN*&QPrEI|0~J*!9)4O_penNGFt
zDmyRgEF_2*mb{Z#8Ch7&Pj&e$VQ7kNgdK<tgNI#5-xyur_GWuuP1(6Q4|fM4*YkMS
zwp$&R?^Vofhk~$khgO+&E)O9cDpAY`m=YymyCU#=1QQMV>@6-#D93~pQ$|2RF<Z{n
zJg~{Z7u*j9X#pWePTRBFC<3^9u9HxyAGPd?3P03E$gsqqZF-e?5?qEzX88bbb+@>L
z1KwbjJsmdpQ<>V^E;dDVY4tZH+8_f*dT0R%U5{SVwO1tb3?~}Z5|OtSB$!2kK3grB
z1vWF4utd8J9@osBKunw&vh!0kgzof~doI8!aDWfEM1nC6wB&%_+=g@UY|@lMKx6vT
zBW*BpU~d=?1~j4yF%`2zG=Qp>)T+a#*XmZq=7=;2Gbz-#qeKHl_MFaiCs%Na?vNY8
zE7yl4DdkPLfKP^ZL~hTNZO-p6xr}v$DN*m1>&>ViT%i!t-UHFAGh?OUJGF&+%(Xz>
z2k$EUbVg3+fhIQ<vEa66QoM&o>QRH3wl5Hio(9P1crP|QSQAbtj@MV2FOXirG?#(P
z#jS*U0kf5X_7UmMJT7IfE(uHkO7O0P2d9NW_5ln6e+iSuO7@5xiS9Y}E7s+|hZx3(
z4|4{lk_wWY`OSL~9-5<4C&x@W^f;HGV`%D4%w;(;;Fu9PQ;I*N^Ji<b_&~#fPQ0x*
z^5vkx+h{|B!CVsrddSAgeXhZRk|j&(Pb;46aJ-69ogj)TDAmK3Y$F`cZ9Mlk+wToL
zhf0fD3{TC(qdpOF^bzhMZ&0T#=1VwqggJrq0}v7Gs1!P&G1xPWT{Gfxp$uL$gjN%O
zV0XI@qW#=?1|$rS)Z(ne`XtViu|U&Vx@T{sYm(I6CCMCbm;IKvj|W7;)fMcX5NDDM
zrgW|Jd$+K@zHFriLhy#8bM4SLCONvAHOk$fvBw4|PG5MRWx_l}KG8FG7l@Y<4UO(O
znG9j-WVr|cHJZh3NhmxH*=nxc^m6vzdr2+NQAnJDCEYfd%Hh2h6#=bz7&#H`lB^=9
z%N7<VQgU(OL>Kv<_f@9Ah{KYFyvi7SHT7<a9f)*iDE<6I+XPSyIR!WMwY|H`);ImG
z^~y&esu{|y;yt>2Hkrwc0}{@aqUM-OGLLu#ydJ=6fhonV)X?mE^Qu;FrZi%o^dr70
zA?(@feK3Gxkn7~|3Q9PwF^`J{30X0noy{8Y<VhKTzBlfvo<ms^c>|F=(^xBlSYq6%
zD<qq3sXf-DyYp656q&NTh$k#fFDrOwJdd!`&>+KAA%BTO36fQ7X|Z_vruj4sI^@e3
zq%UJ$iyQVRMr)+L5{4~FCHYGky3Kom!%|ePk2Vn;be{~X9G$66_hvj`0ZQ(RzHvG0
zVXcFeo}+%4{8}?-3!2qmy<6c0rUqmd8xW@SYzU!fjE6Vay9K+aEr~;Zc7tmXF3-li
zVtRArK|vOYE!pEo^Tr5dS+Mt71C#}4rnO$dBn}?Uy#szP)Wz2nqdb{lpo@C0YWXcj
z4OOeb(#fP?VmUINUBab>JiiWzdFX7-s`A>=8Ic8~1)HOtc^f@fTKCKe7+}C9>N&yf
zXaT*!d@Rybql;-nf*K`WWtdI~=JAefBe)W{EruX=!uClFP(|P}P#+BPmf~>ZPCP6Y
z($TlEA!wH=)&7#65GuiyRBU8p&#}nUJmD3!lZonw7&`P?yrB)^1&8HZ#7kk$XAxM^
zpygvHHV?$sU%$;m6W<y*(O5|ji+K#jka3AQD;X1_hlUdg1AFO)8=mVU_eSi!n}g?m
z;}fF1+N9RX&kxRgEQxq3=WKPAWm`k2LNi9Mn6YP+p~SSPgQ~6N3bEJJ3J_%00&E&!
zhR=^=+NCs|!Jh!!Lox&3ZX|(Blz9UDOqB;lcNEv()K&<RLZh)Z94OOkF6Ud5G@-SF
z$3@~C1mwP}VL@6^?REpM6hZwa;<1}%m>V<j8xIb$mrwkqwaiqL%rvysUQOaX(2hMz
zI>JQ}ep@4ZZvDcMJ8-cS3M>rZOBsSMWiE-_xVk~zE!OuCQ{%vh{&GePF`5PJ!XyVa
zHu(@$S1w8d>PQVUw-^T>47C_kUW-LR#WuTi+tY+}_NsQ*u1t%&9#HF5u2+m;j9Gx#
z!b~LU;K3kuxIQznuX=AW4c|<ncT?HBS=f5?E=|y9$-&!AQd<NOYu`c-f$A#@2KJLX
zW_`ZrhF1y4O*@PkI!_4|)EMH)#wKR%ElOg(8j<!~Eova_HlunxNf?OIehNkjaa4xB
zq}xOCeC3cp{lsj?23}HCw{_Z-<4{-bQMTWEg-^r)IY7q0!o{@b2}{Ma1>ICd`(Puz
zU0|@*N4^jU?^1iQcslM1YK@*w*2@}-HQ<4MLM_CXjl4)#ia{~qvlI5l*3Bh7`-JjD
z8?aX?C!Q*Fyi$MHMBqO5fX--Oa)m`+LBG{WYYwlim&v-u5@wNDuy}<bqG_m4ih&!d
z>fSw;r$=UbiA11+@2c=95qm@ZvBD6UxvOQRy(fe)j#frcZ#=!(iQgdkCM8#Tgbpe^
zK@4uldEveT*|MY9cw(CGbs#s@)-LSUin#ew@k_xK1QG=GeGO-A6oejPZ%gySq9?b~
z%lApFmOiSiynRA$_IidBU9l{S<PqXKDv}r$2~X1zZhJ9J$9ZG`_e%PR_~A~Ry^+^>
zjDwF)y4AMNFG4sP0y|a1?g$pVPIIHQ*0|d2NT&pb<k(j&gJ%px2oGpp*T{|Nr!)TL
zj8H0g7Gd{{C$m_J?W{SW>0i>g9i>2Q3{$~Lh$?l*gWw}Q&~zP(34h^b=eA2#az*l-
zFK*vi8fD2WVb?43r)N*m9~d!>ym;1X-EvRUMCbx-3Mu(1+tUJ9!-u@p^X_r0!9o?N
z&Re&j>?L{%ev&A(T^HBI#B@82ONRXX$w7lY0yJLR-7SUFlJx1w+_3HB;IXJTb2GJp
z^C&or`_=0je2kkMX!hO}zC@{fT&xEp;n*?FVu|#cQOHaerJlJ#6Yn(CM3=q3l%W87
z(P-q+H2cypD`75sUzyGs_LQ22Jwh{jV&b;1>0va=xLTT?wAD!`ozNqdVMN~?yU?l!
zkK?5I*&A8DEC$ow(kySp?nx~pBP2}3130y@k=%#tx|7A?)w96V;``=3^=Wpg$r^@y
zr)3n}@VtEI0qGiScWm1zC<ySy!^}!Y9m$mKxU}BeAESmX_yo<5gxn<!<s}>P!bFGU
zp<!xf#nXdg<t(s$lz9|AJn>MJ&Hy@*F{+bxkocYNVlh)s;Ry*5NeJW9rFBTV$_ofV
zaAnIoyNAQgoe2V4m;qThm<^{^af}F{$z?jy#l=2^!jo<f-p;d*3q(*}9y*YRY`o$3
zF0?Qq0eog4kIR*xoEK?bo5t(+yfsgp-koLCUW$#;(qR>a)8rFPuQ%YsjqyZobg!O_
zdc9;s=Hf7X$p&?b1Dzl%1k9%1^CivGFKL_>gO-8cOb^ob35CYMIoR&}`Fa9T41+qr
zWdyJ0@JTMe07$re=4LRN8wPJt)x+I5(FwDFAB}b4KpKFqu;R=Ej_1~lsE=%L-hzqr
zEI__ysFLfeS;>L4WmSP(>v}d#2g@g*Q_059cDLi4UiNt0+uSp?+<Gz3&mCY=*aGe;
z<!kiU71c}tY`d=YwuzRCjvFZUlvBu{2}xvLJbfOVyUOO~&QIIKml5y?LVN7+-I}g&
zxAeGlpug3{#C%EU&mzKdFD8}WI3OJZUDdg-4&+AQHY>|LM87>a)v@+nV<8_UTHM&f
z)YuoDwh0R?RiYja!z!^uaL}tR@RT5fcWk8N{ptt~GBjxehg_2NDxN+&GwfJ>10|NZ
z`{d=F8cArgDs;Vgjv0WU0KM@rtXmV5F!Gssc@&)H0=$xo+B5Aw9T6-SS};vDPvbRN
z245T=Eer*AzauO?E$atPAQ!JDCb4xAXT!iA7$ekJF3}zF5?9^iI>+6TsutG#lmYLH
zfqQ2f-hAP2xPo@cONz^D!uz4+UKitv&WJodiAinedP68~L%YUs!U=7cqm=q8JkQwZ
zS*f3SzUWGp&~r?p_tfUGh^c!$;*$5IFH>#J(;=jT#=wD+GEI?Ub~P$+(4?jz*(Jq0
zu*>%zX;J&&I6ac)tmT9=<!iu<gEW3?hhV+Wd79{r<rq6=dzMv^J$lw-Pxi|i<}YhZ
z)ZcW8C^EDV3BM}cfbb$r!u?B|qkynQm=*1poW#bu%WJ6u1_Fb=42NCb23WG<aiuKD
z%K-UqsH1t<SF9=)S+ffF!Uw8apGlLd3AY{gDXG&zYwBnrE-mCHqr5jg?Sc;@A75eE
zh#u#YdF9k^9`bfdEIcz_=NGu{tV2%+x&_x#B#=N_8|`@+>ndtdI;j~1!aKo%?0YC$
z$<#%pwQqxuDBi}xRb$kg7@EGfXeGg%KmyV&uK*v(;FyI9g=}hR2`o}Dn%Wt;R~)Z)
z-#bxD+<b%fENXD3pBTKjdZH677NY5k9Qz<sASn4<rgjPZrII2X@C|uNqC23!r%H(A
zw$W4TMT#3w#Pa#+HVwY(nUa|Rk%$u3AhCN#>kmmLSMI_3njnt|F(ToFx_}Q}iL~E)
zArF$D)l@BTGnE!msH*8>fD?|l4?D9!G1apB7(=)z6VfgL+>*=56Z5K-Dj_y7UncV<
zr?CpTQ`z0~jz$ft^LLe*X!mG#bw~vL5{!`by~mextpfrJT^O=#h60_4;akgtv7L*B
zj}YKFy*l9Wi(yx-e1NYb+3uj^U1}Sg*bu?EuGg($Dn8+Z2x0+Xb}N;&W?2Z(2diiA
zrbUbPR_n1w&BLMhoO?L^K^p1^v}NE7M6#sCv5mc|M}u6oE`23hmDy|)_EPU%T+`bb
zGtP%4?_J+dH%b#XY6)R;hp+{9mM?9DzO(^d-dh%UvWk~^Om4;FgNM`^w(^%Zb-cUs
zD!22+k~^D2;sIC*Xsl(xVO9;&o>`kE!}Cs2g&3iV+C_Zwbo{n$NckuP!RT`8XkJ1Q
zYQT=Lc?v@VO~9+CCgv6t+002btrAwWM<H5I8S0tgPNBz!U#(wp&$PEP=Cpwg+a^sd
znxbYxc5$AMVVIJNSxT0qVV)7aM|K<9%trN&@G6OkQIk|_Twm>z@DZB{gd~;sWYE$|
z@FZsI;utuxHlKCQd*w&)DEUUN^^h2tuZ}X7jR|kGk=^IqDwz5JFRtzIojGw^Lu8(g
zy*S?IruF;@>$W=0X6osCs}B%RS!<9*yNS{&TL1%ueOI*Q3J}F1YPE2zPuM+4Rbe3=
zrqg3jMKbiQ1HM%3C7Yy2`~dw8V@F3`Xd|z)=FB~HHm4=9Ky`u>Ti{mMh<FSa`e0o^
zI{a8|DUs;*2I1kTna6oRZRl7jg_HLr%Dd>ssPoc+0z<uccxZq;k<FzO{$?0=?y~yc
z(|BhhK3N)Ys?qYAFnN5|svl*icC!#kQintC(F03^un3v3T~Gj!u22!AZkKMyG?{mF
z5GLqvqIW4?wMK%rhw9@{dKwFOYy#n}G-8}Enqnz8SpYmU-fu#4FS}mUTV51;%vSBU
zFRa*oJY`as!#sC9EC-UV+*`KKwL2}<_<4nU1K(@pG~qPfc>{0Qyf^m7gc{`Gmp2Mu
z-YhA`3y%R6^;>mc6Jf|rP-B}o7yL_{)UbQ%t_0p!Bhs%Mo5A{BnCC+=Uam+BFw|AR
z)?LVICd`x-b}zA|c%9>U44~4e$Y2B0b6tZ*cWVHpFt(TE(QG32-laTwDpLXAw7XD_
z#7z6ts)t$dQ0RJu)oqq@3C^w+uIo(?He>9ZF$r!vv*A2h-sHFH93cppo!QeczI}2p
zoWTV|tPN_B&5{n)yEg1LT{h8Of|F}X{O!dIwUj!U@!HzLFOg{U`T`Z6#cM-cnpAO(
z+Ly$`jt!5})wpq?CooCv0d<3O$!q7lH;^_@ph_v}UImaX9?5IsVaI%&<>Q6QX<m>D
z9n$z%xSDg_T9y|9%Lcf$-vO*vb8%G=-HUch&T)PQyhw7=*EgQHz8*{udd8;4Y8Wy)
zD{D(CH@Z2dR5UwaYnStCpNAEkr7}oVy@$!B7XBFC+|v#WlgQD!d=^0<!2@R|mGlBq
zi27Yx!DBZ^6xkVyT6rE=jK{pF)zTEu*!OVzy;WUt&zUh;i!0LIC7hdM$k)Q-i#--c
z&R$H<&&uI>;5MMr%L!U}^EQbvY>uKzML0LTkA`BKOYL1IB($=c+^gvYBlq2bH{sAv
zmj^*TW@Lrr9?zK<u4#|k`DGJL;uPM5ym#VaHu&@w6;s{sT}59pO+f5bIJn$ijSne@
zr?Yi%yaif$$`sIb%OVDqFRB+AWk#y|Qyl*iXMEak_G)@#n3ucq)|}ZY_m%Kd1j@h6
znKV@Zf}y<w3z2?C+~-nQA@7m--Ox6O5S6E!P6f4HMEJo0MG=aQKA3v}_0CW7Vfq?Z
z@EfhCiyc<Y2NDcE%OR|kzVPBCVC1^`g-WWvd$0CAx>(V=XA=l6!qag*o3v(_vP3(p
zm?Lb8@<L;9`y{Inyejkb(HmPaC^EKf;C`|;E1Q%J4-}X>x9@oYD1<XB3;@i`o6hR#
z?DogVE4oX~d^$RP>?XU@&AVfYrL>suxrTul?jqSZi#~XKSQ&39ogYGowmdr6W=5_8
z%)zLgBxplM5;WZ=pp5g2KzkAvOfO~*p6O)?rl7*Xwe+B_mCY3dzaAk5WdyFl?hVVw
z1Wzv6@OhKX#1+7)kTb+0)Ha|Byh2mARy|4pFe)XMZBUf(Nin#m6}NuBy1w=6dYza)
zf$ug8J)k{z*2q?0E4Y+2hOSf9xlw?&BQtFO2$do-Bo{?(L&P?qP~Jz6vLCPYaE_da
zddEH}#}|wZ#H!_JT`2TM4Q<7Xx4U|bGw7{@j#J(fdLc(7qzjsc;!=j9v2OhaGjF|r
zxgcO*>Y`=bAVgax<?SJgw4*x8K=+hK${1p*2F4GHA6>skiwa||8H|!Z3Ud?4PNn{G
z8&;`cFxf!`fN{%u`ffTDFzd;iz_3mf1%86pL|P-p{Ytg4mB`BaRLtf8g@BMV6bBgI
zmpP_i=7@pIjV&^vW+Bk{Lo4Wd&(mB-t{;uxU+SE@C7_2(D`&kCg{UPYTzh9(2E!Rp
z$EFG^Ps(VnA#sji8~Pc!Qq>H$@sw%84pLRaBl4Fimx_}22o@XVp=_ez77?Sf1`fV?
zzV~9bE=eioe$20NbBrQ6P5IOfboPV7C-1=wABi%Ty;~>KR(&Lu;@*bl^I~&e`;^p`
zrrd**0Ca5U)^cwqOwL)M(z!AoJRGMj0=+s{^9f<5DW@Rx*nAxG-jnv^5?lA?3oN7_
z$ajU{56quyWVd@|@XH>3*)x}}k8j7{3niuZ6nU@r#VE|sc;RWan?*F2ZB^MYSc?*_
zXcw)|3!w!Y5d~pBM<}Z5-+!ks!5(Im8mRSPdvge0QI4`IgioS%2wS!ILuJjjS2dt3
zp}Es7=D-EG<!C#3F|7NH`~cpNYlW!tLwkyQP?FOC(}kx`okCP}j*_uM;HlLNNu^Iw
zX<6<TqT&sB4A4HQ3Upt~Kt`ELG`avK<p8PmUEG+IJbCr9?~0k9q1ZH;4C$lCKn>Pr
zU@&aa?U7fBjzDo0c5%=#hsCvUPympGzR#h{IT^BMESA*7eD_)OD>Y7%e6Rt;00nia
zsnKOwp{i((YkeT8M<n+EL8T-b-fJ1Rms0y4Sm{a_xI{?EWyw$mwgO(8Y}n+HRj|Ce
z4FQTBDLbl=e)7y#P~I%vMqWExI=TA>Ypl=o@!FR<&R^;z2m{Z_REcTWQlnl{%wD!<
zJy94%(o6Wu9hzD!y=Q*dqM2QCk%o!1^#nDTj)tX&m3(P*Dl@s0oJJWOw1ceU)tlDA
z4jm!CrmN||F|$`wO<J_V6rj&N4xC9DhPNO!j@m#H@rHq&4>f_<!OX+j;YEu{V`5u%
zCqxKs6$i4Ic4W+xBH-7SlC!uSRywRb%H}A+h|1ODgJ>(w9#oo=f+7W~)v1_4@zy|g
z24HrSfevY4^14sKU*Hj|82Lk>ez1mSR#tH@4m2vDm{Zqz+*Dz(`a;~2WJ}^4x$n}u
zdTng8pA^};ft|`pnO~vSTBA9Vi<Nh2GF#;}_MF8#f2Bj=#P#}#Y!3nJ!#!LyEqSTs
zbd&dnh+Xj7s^PT!r4GmdKe~D>YRO(JKPZfb0IA_9^buFGl=1V!XA;SYc@(dSxuqWI
zXsZu-O1|qo%q8jFem<@`#x_b_QF7k(ynqb_G3bu@Zn2(}4ETmT=7p#+4DM_mRU_)y
zr*f~Mtk`cMiQ+Ar7q7OjmUX;i)Mr(2gL2cvtISVAF0-{C)B5aL9N^r9t`et*a6xW7
z34A8ympZnSgkqk8xv-@%VY8OkczkJLmpX_eO{y=wAXJ6*nE?P0$CM;JdauskJZ(#q
zdFyKLgr*ym42oF6btMOsou0P(UL9~g#EgW1HcCwkMBS?7%D%N@Ezt)@))7Zy`C9aq
zE601~*H4Y|bJ_{|bZ5H?$Ry7Az0vCe4Sj74iaq{H>fNOtzSh6wkzkTrDU#S6TVQ%5
z{90v8vId%`^kU&PItTf>nS)fUZKLRTV-4(*Enmh%e^iX-I61Fv=+&k=wlN77ZVP4r
zm_5;XEuEBP7B#EKQmZ*laH}&=%^vkem)~sjo$h-{+)7NC1m(t1iHomBnQdvbdndaz
zD4EsU!_QIX+{^PV5JUAS50Tk8iz-tWQk*N<R?2h8cogv{%z$uil##=W;e1S{B>Cc$
zc4%+?;Z_E1DnNAz3e{V>NpgE9>;R3@M53k+5tWjiV-ogQ-djH|X`?8n>+HTw7;P(=
z&GD4Pfk701I{Mgj>vg~*xp&v>9m=Os6k>~n69UK}+b2CIZB7Olb(}$rR=CW~%;ROq
zyDlhPIm${8O;Gx<)FE@abKbqu7y~x}f=e?<ILpvjE>xrGH0Yl4F(gV`&o%3`1;-fe
zT>~A%1A8=sxhDwPDmmV&H&3AP9SsmY8!E2Ielsbw&kS#c?KNAQ)j7`u>^(=|aj~Cy
zr)9ZX6lCBB6>1sbspF^06piiJD-F;2xmhl^=po<oNfNhTJTU6D*q5)CAtr#_vFuIM
z%*%xKope7C#0}qyS7dl6N6ZzXg_GWve$VV)w8MKMhhs1zX3}<*q21vP6cNd`dlS4u
zj(B+w8X~~Ft+55n2*hqxHiWN^yql4`Mw+&ea$OSwX`Uk`aL&z#JOuD5Pu_G8zj?z6
zp(377p_{CIT<M_J-ju9+rpRCRuq#r%<Yx@TbppW<SFMG#z;Sc}Dhb^Wn`3uI>~1g)
z8}pR(<*dEprpPo~X^?8j9EJ{H1Wk<e8<8pY$TkaL(a0Vcr9-c5@+3Ek*wfA)sK;aq
zS-Fx=l2+|p)`jOpTI$vxGI%3zQbE3kyE%&SirX}{opRARmB4!4rt^-g%?$SW^(nk#
z7U?JfjI!~hju(%iwuRVM!uoojYqEIFaHRm)z^itudkDqpJ&!z<mM(Gqa)qBgZ3KO<
zUK<o)g|}(s9GIx}I~|V%&{{6aAyj^~4KRz_an@;__TKhX?`!d5L5!7?c+=C;AvIv&
z)F%@aiJ6G<U?0%pwT}*6zk*ADocoG4yqMhOwI^1PYHnFMKNWs;m#4vMW4pa<M^kM9
z*GGFx7D)Kmsg&`#k9Y~NnDGNQ-$P-S<!8x>N4M1z!42-@Z-P1?Ogc>8!vVofYT9(S
zB$$&9SiUyPcm@v?g>I-*TN&YMgrY7wiHh6rhM9Ty@aZ0uBAG5z!2lB<snbzlTN-e7
zhSn3wo#c5=jao0qEvmKD9m6P?;Hlyf?pt@PIwqCYGUSIP(-f!33jt&FD#5krfnWiY
ztz)haJ(On5fJFl7^~9Dm=5s0&r-X=6yp~HX+DP&sSb<lM()rjQ65!-f<)(LqFFZcW
z(x)P;1|hVY#`|V!2XHf{GvqyV{<O!x?6GQRS3AAfxaqeDteyK(sLgiR#T9l*VILI!
zsgIce$>QQdV!O&xiIo+<9kn|Enj@QqRLVv(Jr7=-nxY^CioDfdAt<~@MzA6&bvX=e
z)e{}I$SOiO9Zc1hhZu;bUn-<RI>yeC8<0Y7$`cL0C>ej{1b|Q2Rt%hNFOEfDJjCY~
zSj;&TPG|sd@FFALy926-EY%dlp^-%uu<4B56D|ydCEa_9?j}g1tX(<A7cpDlbe0o_
zOB=h-^32MiC{5oi*aQ;AdP%}Y9T5~X%5=OSc{Rt<d7O?$d6O~_T5J}N6;=2#4!A_r
z<t~RljgirPCQ28X{UVa_-FeW(G}tQfOl4skUBb~|X81NURbkbcLV)oq?w}6IQ*(`!
z6W;eqXm$k%Dzca7RuE+eI8u9+h)fl0W@qZmvT;}txyv3;bXM!*0KXH4rfgK|$}AP>
zdV<fp<{bOvp>L3&Zbx$;$RZ0{=L|Z;GZ7Y7!iIo%t65EvgU0A~Ffv*XxpO7?LR<l9
zUT9TojAN<>*%Qh*t{`3P+)zq;3@C1Q)jDx``DDAX)O=t-;4GlV`?z%T^()oaV|J|o
z+$8qMN%TkwWRr2vlIeAu*gDo&HG_xyWU;J|J}T9i&S7zxK7H)%Ekn~Pn4FCcdM`z$
zRxVd!1ePj}<U9yq#=SCIqLDYj!ZEl4lu?<ANgi6wM!XzkH3HyAg<D6D83xWgHYNRi
zPClq#`dqfq6O)YCW+#iZWQh&G3&226Hi5^FY_CL|-(UVbodg58!Iw&j<Rk5N8m=#6
z*XLSgW%0tALsCt4oaA-R@>vYa#6E7no;Q+b3Xl2Hw8$_6HRZ*y+Qn^>&OulBbOJ*t
zP#}yQg^zAL1=w6=wjSD9PE#QT<SX&4;bhOM=aZ7%`8W<4y6Od{8p!gZymm{6j<<o-
zfmG39T^@yitJMQ#FZw(Ny@V+7u3WtQSt~zcm~KB8c>*q>JC#6A&bDd9B}3Ay2Hf-J
z-X6mWBMh_}>xJD5m|uo9R-3U4Anv+j@3meOO{TKWfL-qk&ro>PL@$#l57aas4&RIn
zHE8S6@jM)M;WJw1P2|`?qdFAo8Sr^8Pu$JRm(+Wi*NOEh<S>HiHE-0!u|l8Z5O0DU
z@1tGH<H8dycYG3Y^kydQY63%&p+)_L`(Qd>U5DU2#h0ab&hv~iIbn-R{qCZk<zUvi
z8%YXVtl5g(BdGB@jig26Gn7IYzvJ~zqobwB62OZz?%|ocj1Z#1W^ctPRE_Ktk&_i7
zoX2hTv_)H9zs;BZfEvTb*q$U_QAobXeLil-g6G<gtkfDcaj;gPS>C-)>8NTs^RZ?<
zxmqmdeyS*u=N5J~6s-j$9$c!V`W}I~D-8Hcakp2#GfVaWiqY)2Fb(!d#1!E$if(+4
zHRw{<6VMZoPox6IZ0CuETf%!gzWx?0Wn`YRE0POuA@GAQe~7>Qf%BsA>zf$$zH7AZ
zD?~Ghk~gHRl<ywvm9<5=?4R$iA(l6QCH1Zju9{cRhK@Xt_h#*Zn~D0p$>=1}ek3Fc
z({Yg<oK5huD4$d0BcRpec`idJ<@`pugz9yZ7verQCHCTO4H`b18P<M!WfWw=ZZiJl
zO|bCux`Su-Y~KdHccmiHr?Q3=6|T(4n7HBwMP!0tdYl)Dd{i(Pe#d51fyXD0qNFY!
z>FtY=+KkfS9*o*uPc6U2zPI_7MB5fqGo+>BJ<awW%F}t$W?CZpL|?Z=fMy+LUm94h
z;pz&Frde0UhC=nyyhdD0&7o&*eELu)oCvH(dN#9O%jS~jTY1V#>VYC+gy#tAr|<v^
zr=r`(ZviHPV~--7>{ag^AZ0jlNig}tyx|}Ua3wx&nm2@g!wf2P5+_g3>%DFF?zb`J
z$%1do-JwE`!cCivE&corc(_GTJb~%b&SDNr-$KqyXXi%`p$Xp@zX<i=VCu<7C989!
zLvc*i6Mk#01_TcL90n$qGal|mCZe4iwKe1&tsEi?=9#>H{*ZYURuxC55HHPFm~N<J
zj^j-#c+cjj#zHP<kEt>Dr8>AX!6k9>D_v?d&_tMG_3^aQMekK_-aPEWim~9lU@;16
ziim0S_e>t<bV@A}Ni8}_J!G=IM6RV0fCe;v?{&=+c?*(*%S-0s)u~5yl%blwnF>h9
z+lTj_+r51ZF)v(?mg;PVUihPqt1p4x_gCl8*Ka-KP7-R_i5Wo9$B~iFO)dq5a7ou?
zvjZCV@68wMm>1Oqs&b#3gz-?{6y%aEz~#>Ndj>6C{*Yp8LALpMLITkv1?=~7lpZRT
zSE0hm_(^+ERkDH(#<Rrb3os`F>9d_Zu!f!Noe4R1MX`idUU=~40Z{bbQx8Ufwa|F?
z)`BIpHzKF<Xy0&gPRj7BuqU%z#6qwc?ZDXCo1U!_8Zqbe+G-=$X@shaf|FmGU>cq-
zRJ^E*gI|&#kR}CzcquvBb!_2_8PI2Cdui`6yEvHVj^4&gJ)*@$uAp`6eqGXhV`#wm
znuB9yKxc;eHXxg~Hka|GRc7H0RYc_-GcAg2@D|6I?9EIxRFyVvYqoMIvb2eq``nhP
zb^?jcMXPvOwJJFHxyi;pueTH?{DwN<QL!*8Ui7X*LE6P}zzZWEIwWM;Bx*MB2UaTa
z`Udvoo+mEFEk6)Xdr}EBywiZtK*yydndgt-L2#@iDHq|(^hB*Ign81EPorGB>Uej3
zP9y386$m|)EDotCa@%l!1=33Piu=)Z;-Kr$96O%y6PbK@Z*8+U8X45Zy5b~Yt+0Gk
z$`V?p%5Ka&`AQ6Gsmq=mVW&jodBBs<bvS<(C1|4wXJ;cwk~aKIY68$?uTLK8;cG7l
z!l-rzp|TsQ#t~7`n~FXR^awMw)}>6iDOP#VWQa`q7SL{G0#V-0BoWT&JLD$W$1fJ-
zWM=ARhw7I>44+fbOLTQFgl^b5e>n%~?BE%O{`@tAL2L6-2!v}yHuYZ$)tlzWl|$zH
zBV6Yy8yU5Z?dqAbWb10#^4wS~E6DDn3JcjmSAW+fdV#P+&w%fc01i+#uV@z(9XB=$
zE77WDoU4hFMj9VSU<YU#ju*k{_Gnd;-5SbH*7RZXVm{;gWo}G2HCr44xLOqudi)7>
z-cy-$fZ$_AFzCB{oUU^QQf}R3HVzotuB||ibbViDFV@-tK5Yp1%S24N3(O5hi`eGb
z(2Ya2WpHmNs>*KGxqM`EMhG4CFyrij=9)YdO4o~p?Sgl+WsK54Om!5m(~jr0neOV<
zY5=+d1zopxd0eri`YEdHQ+JtRP{ZA4ME)eOI-sdIg^8RBU+o%hRq`TP*qp>In{p&s
z9->ahF)kdGRw$j3!d%jcMuyd~F-Y<@r?NhE*cb4+tzReIi;bsxy`2sZCq0(g>e;<=
zFpZlA=AgjK!z#b%?VZ<X0!ou>{!UPziQ@)71a1SS>PNnKB!-<SVzef^?<C<wq69GT
z-gY(KHN2>KQyFjuV41U{0e4Tv$N2^_hRKT15R49Y1k*Po(-Ty0Ps=?}NM#&4$=_xn
zh?Z6-#2baWCHH+5K(UhfLOSm43w*;xR5?ioNlthEI`nPW;hFHu3@SOs2z$S)gqIeB
zFQ^%I#Yp8Q&m_z`4mP~0cV_IYg^H0Vc?FFeI)rU5;;tTO(9VmXxWsRT{7WI{E5RSD
zr!CoCGC*{G<dYDEK#zv$5#05osqKFLq$vJ$=q&l}w5{ZMyt>K|5DA{UduRzk=KWHF
z2+QYcDsRAd>DhIY(RN{*8Wm&tY}*J|xEFV)N*{$Sj_{;PqUjUJW{+Td5{tNxv)=Nk
zF>el<$y`8<)Pf<^2=B2@lZChmS(vioX!*rJ!!2?lJR=d<KI3{_51REI2?S)FO*zk_
z6I{<-qwwZXu;qC(78Q?u-#c3Iw1F{w!3~9Np-g?$56n8jl#c@M*wcHAUWYs~O{eI_
zwX*Qq&iB>}uAzpRh&#)p@;zRm(cqW3oo&?ls-2`pahf}KF_9MJ?L9;k7M<kB#+K=$
zv$vxA<W_BDP0<}k9dmqdUXHW|Ke#io;LA-Bc{hQ{+h_J**9jyu6Q&|^XQ_oGP(uYd
zchJttg9%7;QAbVOGx)6xzB;x;IZPHm&>ertu8hGrSsW<AGeE75AyCeS-nj>>=yvql
z<CZlUMw%#>!V+Y?6kn0@5b%3kD?yYxJ9koHZff*iws?@V8XX@Ol-VOqDe~8abA(ni
zH&=(Wd|S!1^cr1F7OoCRV`=0i5Eql{Wq`Ugjj!6iRH%h9FzT1%wQ-!!<Eru&1N%Vt
zE<{1nqhG6fWtOQ}1{}T8vOp#rLN+yf+NEf9$d0`T&(v4a^F8M<-%LNz)T1?u(FYdx
zb})(zh|SejToH{}%?XppjaEp-D(P<K6oi1}%OTM(hvMkEtpjEuV6@zNY{SqSH?@lp
z(XVM_HZE*sO0#jJ5&nFaZ8CJKDy7AcyyQ1U&LU4B{QP(<a9Q>gq1Y~9;K(1uHn7!U
zi^^F9$=gTyTApufjx#anL>-cKi{@4{Q*rrK$)vPNEY?C3AhA{`JmLhmdifyU9$3$@
zOrSI+7u*?)a-$+PS}R3uxKKBP=Pe;!KX{Fy$3zJ(X{64LzzR#jR|>sxG_sTuv3$7i
zvRsYf6nANQ@@%nvyqdy~p(0+_K>AMA!j>CKX^Ic^_7Gm{vjSR>$}!njz6VV;g<|A>
zrthFIfYkxD(KUkw9*NN!hR`FK2Sd}dl!1a8EjZB3uFPXD*(zRefRE~Rhq`k!&TLMU
z7?a#I;2TiWu!ft}q?w0#`>?w&#-&&v$!PD4Lm6xv8kvtl^J6wKa1YQFv!*S0aGpbj
zo|qUqORDUFA__y~XFwrZWWc(kZ&RyW-&t7CB4Pp+M(T0Yv~3o_0z*8n2(yvLH3K*p
zg<_8Mq=_SmxBZbBq^S^`G_0Itx312a*v(qZT8=kAAQzN!QsjY22WNm5<CP4jfxckH
z8j>v)LQqDbX{&n_A|Yjo$_RjT1(<uhquWQ+1aZB9=<Z8V-tU~dD2^!?wz0W&xPcVo
z0xC1l2%{E`kizI~4!*aYwlD&0KKocN06Z#pWN?5*-zo3QH?l+??qfLl=3FK~JMub=
zI`tv5Q>9XiSg-YZxbBxk%3l)A`eD7x<T7B`VbRyGd?lRZq4~Nk56qb?-_g<Rj3m?o
z>t7bJN75ub*PJ*vbniW`rXoVuGcFXxu^7+U@NL2XfL9R~GI@K8E=cyfk@vPEy8)S|
zGT$9eum<siQ)?<5he-ESe`Rk0sz%M{8Tn@TG^PpOh`%V`%faI=7Jy*H@{0;)%C@i)
zS#+|3(i=)H+&D15;Wr`jUPMI-t%+JsFDIF@Il(ylJJhFuz-ifjPl9{Q^#n6^(1`g}
zXLBqb*Q4bPlzd%d+32?#xLi^9<Q@*LUozn4GZx>f!Y*yzh}MFKt*zlWAxyN58F{kC
z4TOFSFH32Jmpl_u??QWFbRA5Yz*(pJLOL@0vR<+)U%Zleu8}r5DOKkf#)zScszt{q
zv=0St9jHT_EpIgAl+Q%?_Ki?k)MSr#2m^Mc`5{X1V_UN`vh0xseAwsV&G&SwKy4Rf
z`FZJO8jP12!B()5GXt^}N{CsP^mX4x#`Yrw$6<;)_vWkxYO75ugi>4~bdQzpreK3<
zRD8r9SNtHTv}3PB(7LCgz=<<N0LQqPMM0I25s?qJv@M}nqdRM!xUlx&+_TwK+ZU|a
zV~_%z=9Yb~1xDfV+?@tWZC7nH(mQLQ{0R!_d(|mv+O#?q;x|buCaM~P2$E{<asC=G
z&|i2Bh3+_DLdn6k=iZDEh{ek(m-Nw1l)frWCzQ9V(Fjc))b+drdSUJDuRuZ+!4P`j
z!(SE|eOaV*D7^iG2dYhMfTb<Gz1$LDK}81GF>Pq#N_^twPOE82{y7<mdC|N=E{uL0
z)BB)v6sekStk*{m9$y{LBVS7~*qpt0p~R&^f)_#fXh>F`z8aN>L?a{yK<A*-8*iXc
z0^=_Bs2{vG_6c(m_YT-s^mGJEqi{3v0j9w#FWtP-CIDj@DeweKjZy-xeN#{S6v<Z3
zU&KlPKJ<%&M(@2Kz^-}th{vs0AEdINXBseNy`@&Z7xXau&05vEM9)i}0E8$Ck*hVy
z=f~1q&e*oNkB(?dV=C-4lZR!HwgnyX&Rk!k-C~!`-Fr64dUjGUwdeSXVMgu3rNg{p
zyIa&{LE=PK;FZ({v1ugYExNr;2F<o0rn}K$d5_0h@P-FRHj{kux$mpq;!%496Gm@9
zVecHpRK@KYvGJ+Nbj!O3o2UxY-URPazB`bmHOO|tg&q>XM=3Ggd<<FDZvHgjvb@GL
zULAt2pSPus1czMN1AGCF(QfTp6U<ELGV8_N=A0TZ#+3Zx?B&`z3FRAUSZ-j1+ra3t
zly@#CM2*k$jS5dxu!X+rqj<IbhU86U`OS-D&&P0{Hzpk>7<I=2Dgw2B*x1&Or9E~s
zJw*@6^Jvo7H8D~-xca@xVWicWS;x2UJs;HOemo3KtBakAm)jMOhj*X~5@TML`{tvw
zC9^sg!c2Q_j2K?9y_YZX#*`lGbFoEz@8Gi6tNih^>3-nLrxrMF0V#av3wr*gk;9ip
zMbo!&hp|-jdTo-D32ffVwzVQsdJ^S!s7bo(GhgJDy2|1G%cHCve`jRxUR&Br0}z!%
z&Fv~!cthqAoD`Ssub!(%E=L+MVwYa0j6U5;Z&B!m=fyVZ#!OLbEs#MdB@lkWh_J`|
z{M^T<u-V_dO*Zo5S0od>&>mF+t=g9)sdRPnbZg)E+8PSQw!HU}oZc)`3mgz5cSK(+
z7OoYysX4i^6Kb6nvWhn%w@_KiYoUDSRZoEZ@hgm$!nj1dJ{fb<I5ecy^DC)`4QTV0
z9t0Myqq7O^fNEqtUk{i!<_>9CP(;W9&(|>zxVhW9E1lhdEWrEd1oqyj=tIV-it_LQ
zEhBlwAhwYj1EfiIGRIzZbh}gvj~Irzg5}+@OA#SCIVkp)aL+Va`z${gT329c3n+T+
z%n_|sz$jRoEY_ar(+3cIq4895@kroNE(mc`LX^fC*1SE|bvMkMSK=L1&85LLGHmJT
z(CL#~sp7mcQaoCshVArL&wRYpQjLY4)~U&oCtA~aXBU?Yszu<CIldMF2*H#!2iGmP
zMju#G*GCGcfe{`jTj;RKKCAgmpkk@<%z+*(fWZ>#JbUvNcHU&dsd~C2OqxXBAqVfP
zL93^+X*g@I57xF`APLH{urSw}qxlr$#Z_~yy}`})1{4l0aDVZbC-fZ{tmNL*QPhBF
znKf0oljgp#?F9pzPS0c^mLnZQpE%YIxW_rZXAnl&tpIhhoAK$9e|f}qqG8$I4;iAt
z)t&6IrQ*vcO2F9qULPKwtE;4#E|5Rjp(YOcQ=}O7p4kA1cjqu|&RV&B+%|e{YVb0d
zfonnFvDDen#ofDjz4&OKZ*2l*X<%i?dGPCcFLTY^Hq75bB5oxOzDPxx^Hkd9tXQ$?
z#j{I{e)Uc>-AmXGY9t$$=vfIevY@?OpWV_^(9T0)={RN@=XnYam4a*%`x*x4se8Wh
zvL>H#2F{d)$ZW`ajch?<&W}wAH99k%EalE4<-~>rkbV;NO1w%gDpFUrSJ3rhnzTbG
zDZEUZ1D_9ph1YdCzX9zd$ixu_M64cx)_F14^!6-0(>I=wYCyY!E4@UBLJ@9fIFwa`
zY3}#-)i|0nx%ImZzw24eJ(-jSc)kw@5&OM&>^Z8Bw~MV=2;b4mh8A<{3RRg`54S1d
zE?UBppV1ukJ|5<muH_JD6u{BEE55vgwjBcRDcFk+)xvrSAoQ$NJ(a{)tuIRIDPjg@
ziCK)2Q%;w0h?fmZgF42VZvYp!h}AYfG~l}yeaG+!S2?YlMG3K_!?Cr)jWw<p0n-so
zXR?-v!8bV8mBmzi!A|j{R_j{5LjCR*nCphjYXZ?BL6YHC<wz&MhCmpx++p4p2a5__
zLnD%qENHWZG~jWm)w-)o@G4qOnj))=)ovBFC}*i&U6{^uAv}NOb1q5nFzlc-H`(62
zz89>^({A=6865$0Phc?li4?A{ERH_Mz!^tLVU{nELcc^3q|~9HRogDQW!Jh5QiYJ0
zChUC2%}3iw1$nU3GyGn(7VYv1|7j9q55GL(S8E62kWmbpDPe0A;zPVFCzQ0964mmg
z32d*cW4u&S)H*>XS%Afx?nb=RJ6{1RT9(dXB=>Ws;7l|gBkzhgI!@L2WIO2axxw^^
z=oB+yW2@+Mc)KfGQ+>$wax8X=7nH)F^6ISvj?8j)9tfo_SOGmL=u7UI#TD+C(A&1o
zfXVZGkucs`*QgS{vbKV9U?qaPymj?`*c<QGt88;zaYDN#-_EcTR8uR>c=9mEZB#rz
zOc7FA>n5q$pog-LV*C_o&QLjaAv0h2yW(&zT|_c;-;8_1AOYjTC$(ZA{BmY|--D_o
z;J_FQ#1%E5y-Ihqc;L2u(wkwD?o$SO1)k}NP$_3L^nj)?0qan%`xQus#xnqc&K5l3
z2pF-6d}aY9OFG~sIt!VXid*zt-G*Oikw@I=kiZ2M&QNykR5vyx23G=1viU%jN=yI(
z#GS-DO+Hl!IyHJ85Fomku#4>@*z=<DS#W2Nxn>snz-xSc&3NF?-XNKb$+dXKL&o=3
zsgW0i)wabcLd``TZ7t7b8q#0hTQ>+Jgf$#{B*qRzOM=0Iw89mIu3`Pkph7!+#K;wg
z1kJlLU<F<|$AdaU&b;2h-tGt~QhKfLP!bPLz&TFr1fJDyBZv;8zA^Has98NBz4veq
ztt20#*;s)fJbS{5J&$C!-=kZgbSeBY=>dP46!!Y4c>16&-KZEbxC^9;7u6IJonid(
zdw>okrWm%3v6RU1#*eT5oRpx1V&(}poVC2D%a(i(=w#gkG$~e9Chvh5GF!jtwd&b)
zpnb}vQV*U5yq2AsBt}|r?&{$aOa|gkT@;=)Xg0^`YxAcEy0WaGgF3WWJ1`1YPs{nl
zY4Zw&FtE>o2MG^O;}N51*?UuMvG_zPiU*B!U%V!2r#jqqc}9J}DZzl=`Vwg8s>p+g
z&`pkD+TMGx)4Q-rU1CF({4Q}l&vFjM(!v$5*mpQO41rt6V<-R=iDCq6E-RI~%$mc~
z$MBTw84)uJ3CHjmYh*7j#rBI;SQmZs?kYRQfk#!Ltx+W0;tn0S&y{n1uzioji?Ilc
zodI%=U!-Y6%_v<}lY))QF@<D;n<(IQW4~H?SVFo3j_5x5ykHs5?szO2o4cmYr{1wP
zz|drjonJndIE6OG$kx+9wueu*cdQ@Nye-KWr--{#1vB-wkaE-xYc<qDDg@IW_?+C7
zzgnxqQh~+}B5EQvORi^o3*8HEjGk%4bv~ASNY6p-{0UnNGX?8q@ghad3`3kJplPpL
zKE|qk^7=gAmeEREriK<$p)OM6yB-M}S2n}uXJ+gCo=5z00W*Y%<}ZdS3D@P07UB|i
z>~-XkqP>cK<=Ikr&2`pp2U?P6O4^CCdln-UESx>`(v;r?I^t77)+_WLnCUmHZPYfn
zVatq6BxzbAiBUv4l4e&}GW?|y(w9mOwOc*3?>vJAhdCk?JM3Yus`WJSCJ^+#icGF*
zNIQ#tknxz+Cb|Cp#=R9zNhW;DIvC?!=UO}xJjlg_?O89E*_4=V<IIB$PZH6jGfG>5
zZyi`O(i<`3E}n2r2i6=2X6YrKCiB2Dg_(z)Jf;xOscu|FN{(XPRb_&Gd_?c9=eXFD
z*bLftweOrU5Xt<#(V9DVz^Ihca5`pvq;6Jko+_DI>joC2UJSW=ZPJS(IV??LPwmM@
zGYQiWzYHbbxwP2_0$uhLXov@&>1!Ib1k?v!$1QK7tvExngh@Dpxr~#x9-O)tUI#ue
zu`AQ8N04nb>_*ndy<GG7`V};7!-mw%z#g2O!Oi2=_JD8-bHz7=kFNWk2_rBu%FQh2
zJ@q88ks!enSmd#khfr1X%*}C55sOJU<XR&sRhh4~D6;!90)1;i_~~ve1_o<hbR7yH
zR>|w$5%A{ThH73E9dPHzmdTm{bcDL2Vz#14QOvlv_OMSIcJrS3Nm7XGNh%FOWs#X5
zf?jLCy*gr{HUX9q^L|c5i%e`&OqU9mIsvhe+Ymc<7tqaEk1~wJkeBf;<DS6XYXopX
zl*jMcY_D^|y^%R^iFh?{q)ntkR(H6bUhf)|dLEPYYlr6={(|6vxp`v(wv0LDxwJ=n
zbrtLsk#U`&(bS>lMkV%)W!Pv@H4W$y)BrzJbVPwLCCsPI*kSI|>J<_qo3apwW}{l*
zVQqDjJI-!tvB=YtUoH`Rxnx<HNZXY5*wlEL85wfnN+kw-u~lb#d~|bz<dOwP<zB-B
zUkYX|-+6z@WZpI~a8q(ueJhd;da%0U?I2fYdQF2b5KBv+yMuezj+`xl;aOE9fxcOA
zdBLfHvkNhUlS{h`Gr@sPuOK+u4G?H^m+r+9q|!ugNCA^JT!IKo!y);VyoK^w2xx4l
zgHoO2u^u>m9qF=Y&K&MSk3yXz&k*FCW#LE(AW0#Rko?w;NTp*L$8N=~wnw16jAENv
z+Ij<@bVwk#cBt#|OVK_RN}VB-PEGfxf@i*dU5@JOGk#+Z_T<2g;O$~QC`o)Hr)9nQ
zxV!V!yr)IrlPzw(E_KLOP`n1?cJ^k0-Kz6SccLEvEzOA@p_F+W5F}Q|@q4IPY1hHU
zy-zK6Lu4GDJ|-~rj<$WR8oI&TU696pjfclTTic)x=B{+OG}qpv*Ys`?1Xplw->B3x
zi=K5SuB-GceYeNPqwKewe$n7>7gqcHPECFAgzw=qkmGz~qK-imxN*SX>sy6@T^p7Y
zcczK=*zQp1SSE@fw`|tB3D}lRpTMJ#cP-u0%QC9jLyOpEmjjbNeJFQG@2O13J(&&i
z=V))MYceKLE}slSDX&!-$_oP@cTi+W^q{L@G%ebQhk{(&Xg4W6<J7(vr(3)f00S=&
zWu$O}VckM6{l*x{F6BjlzBqhfkG9zR1e73Srmp~RG&mr=1VQ@R@@<kafSw=`Ha$^7
z62~jl(6_eVGWnNG?LNB^WNJ}Ae<`ag`^aAf@ZH13&K7TT42L+C5eFMqqgMo{R;dV0
zWq;Y^k7_TsGvM|Z#Y{O$A3Hjkysh0wo9g~Rr*_X(W%RDKB}un6w!H%qZqtQ5UPH6H
zBuyvhni0RVC%}I9up9=H+xb9bwy+V;w2ozRLQp+IL^5yFHIbrucW}6`O@V=Bh>)Ot
zK~K%%DYLvsK&escuV}k4a_3E<_zUYGntmBj%IQubjFmDId1L1^)e7%WwBi&a{k7qv
zgz+3h0%?DloI<5UPrx|d!o_8UJTRrifR1Ykb?8tm@V=+BrIwLwbQe#<Z_0W4Uf(&l
zZVbBvXKiUFTaMCnu)fBJbvK1%7pL$1&V6EYwp$AppjE6_c&*L>D)I^1n`>2#D&Yi;
ziCv}2+o;zTI3t*Z5!}1*E}vbdjHsZemWmiP)=RWKp;M-|qTU4+a=JC9m5Yu_0eE$&
zrdeS8qPy?T#>#ZgdEZ1_CTSe7NtbNe6v@2$Wlk$pAD6g<W}AD<FFBKyPY7|?z_;+s
zyz_ZZaigR^95;<jR79A$X3zquK9XWl#D}5q8Z8-;xQqHZSgfdXvAwCe3U{-+1*PzQ
z?>&2@-IRlsyQk(gbvGVWxKEs{mqM4I0GxL-Aq%gSZLb^X;apUd<m~8VJ#LfLt|idf
zeQUv)OagE<{;c#g6HuzSgWmb!nMMJJyT^NGuZOtQz2M9(sf=?_$RtOb`#tTs!kVDS
zUh&>9o1T8z1i1WepTPAt3v5Rr5Xf6C8PSFC(1n=^Fuuj-tMHr<$e{gkuWn9Lm1~{;
zr4w{{7Oo=4F%AV9P8Bm3+-tDgn-!ht8bpC>en0PH;bf-;&STTMVN*Mn9zAW%Y@@38
z2vabx>(ND)41(YeF)yVLqwz!6ryLpqW?-?XZuRs`IzmR%yxcN2I8rpJuewosuQRo&
zOYlG#j1r`guF|y-=E1ACx7q0Df>PHrg=jRQ<sH<RH=HB0#HM{<uk4D;X3DRqxze+s
z<*~7g9p16^yh2b=q_Y;~a369<^dR;gd?TBW?GP4^a4CX<Rq!!wO(m+BD?LzWUNRml
znvQ9mpnD;CbW#IY_^z!j@ASdC@RYu7LA!Y*I7p39a@uIq<q>f8q7QRksT>_(6tM)B
z;~UXY#SCBunQ`RI<@Y#!_pC2jq$9ZBKCBS1Ygn2ENKDA%sqX5jd+}aiOK!)$;(6^W
z=N98@a{9o0)itqZWc7)+I9RI2d0fEoRy{0xp$#ZBGIgpl<kb?7tm?K{^>9rLSZT+@
z^Wi?%S&`>c0&+E20R$b+$x;0x)Kg=m-cm(IDUO=y$m1A(kNW{r!$V8T$Mkr;OSwFT
zVqbdcx<xqAiS=u3dr_}RUl$ko+k<n72hz@im@xyh`?TA`bafM}2bcv57WVe>)5mk$
z=IS{@TP=bkeGOz*DCNS6d^y7Yo*e<J4Vvt|slq4M&z@QZYUh(R<cjcqB5&k4IN+sM
zB$s{a#Qdexdj|BLL9&<9E<a&CwB|jk^Rey0;kbaxQsD9zO{*(4gu*Zsm1J4I4<h;R
z=_xKb8UZH)5ahLa6krO7%WHoIHv@2X+xW8XI<T!k7YT8i;$6cC1!6Z+X7r9et`|<u
z_uOEe%1-j4ABB&+>g$(pmfgdp2Z8OOH$9AsrEC`ys#j1+je^$$-Vuvv+9?qtHZS!Z
zA8s98KJ328E2A)c&n>O@uJjb|9F+=tg5LxRZ`V^=-ELh{jWgClCJNwu(-ZIETZV`9
zymSlEP_>@%rRO>`<P&e)v_dTRo2gl`XW&njxr`bJ!`KpTEnec79n-1~jfPa?gsAml
zVi~`FZ}&lTafsG6lNRVL!Ch~78eLD$!)=+J*kl<FZjW3st1gRB>yk$m*4=2}Ta@eT
z4>}t{UO(O;uMPM0h@g&x_G|GQS$nKgbi`F9rl1d~KnTV%SNI+W%_%ShY94SsI6Gp8
zBC2@VY}YbN-LplOY)t|z8j>6LR``kxgu29$G0+iYK?zaxjw?s=$(&SY!d3dHB|1Jh
zL`#UffO1nv12RRf6^$!3m8gU1!Fy$ckBIU;zgV%SBa@@>2t5`#hG;}xv5Zm_GbY7k
zjNnB3skF4$0E;wwS=pOQR-wibgM80Z3Wt&gAo;l|zCo-^F;qywcU;O7XfGBX?HE<j
z^yRHqDn7k>jxGj<B+#c11VQ4W@)^bhnfLZ$+ULC+9VTO--N*ij+dK%!d~~Hq%^RC<
z7~B-Td=mQdNj*pyE|lBbxQ3>H8gkrO5W1e{4fFH7hu48*qWAW;wH}rDRzJU{)CznO
zn*R5<C-iM!OnjlQA4Uyf1O+d$#G@yo^A<ZnHW9(`#z0l1v2!qk3^-&(VCHcej*b?I
za8vh&nbw0k=t99ANVgscd(vA~@Dkm(JaLq^;YyLKd~nnl{Q~D=?e=Ih!mx)maWzM1
zh~JyL4WE%%=(tD8$?>v#W3_04HAN@+QSw`sv_KAtJbH%%e$p*cuR&GgfdgR!@IhX^
zIjKfSJB+j)noeX2Bgf$gp#imm;ABwecx!VJ3=j0>09dd0nl7d70G$Cn;kW!Y`nES%
z0iQ(zd)iZd83kIv20RisrL&bB7BO!fgc`FRKcJ+f7gX|6u0q(9e232u#io2Lq-WFK
zMGz8&2~q-+M#0E2`jUmzt?9;#^XfRlXUI57(gz_&Wx}TeedAm&05jk*OIaE!lDs%R
zdpg%RJc$+Qed%^6`*=7VpM!VbQb$G_LSlspp=yNgtOzV}iA;`Av}Z(B+>*NYQ6B{p
zi-Dmu$L0k$Y(m`;*$%VtlYL5h4|`<Ytq(aMBdII|bC|YLinxGwjr2kmS6ylPfj$j?
z?LHkSPw@z1MiibJbrcWhBpSRE4G}=8K=M0l5VpCUGo#g)W82PF!J4Y2%K%V7ufOxA
zJ$?I?fU(?}Gd}bhM5$DcQl*Zluy?%Hq+O`M!(h1~y`jdSYw$uvypt?z0xt~%QU;E*
zJrWF#rChvRzl2iw66z!r=Y|UJ?k4%J?tv&Ys?_adc`wuoiL=a>Pb&g&+0=7ZBaoBn
ztH(*%x1s&_=I&HpBq9I?>E2tIy8>hq_u*yV;UpxJhvdy2%-t&RR&E#(#owr1-Eh$k
zjT5tNxXi%o;>qY9-#!x1Sm$D6Ol~pJQHmdMCJG4Q6QTJ`=K7)N$cZlbjo+(bi>H7J
zuR0>?;;F>wyH_DOkcTIW#xW-t)*-nC(&}&eo^9Myn!*`nF<;+_#_ofBIq_DboGu%H
zvx?ZGz#cbuwiISO)b0nzoXr%-xf-hBt`yH_V5;8urKY^WGZ>OYlRiht3BaM4ezgqC
zhmrEYyURk3`Dpto2kS(f#LzTO6SmBtQdxVCRIML(`YC9_o)jy_X1pTv>1o>F$0CR3
zJ4%<vhVckxOxw>C%q|Eb;~^fNvjYVCYo~Oo#f(d|U5&w6iOdHw89`?dM;(cK_1;uF
zf~O5p&hvOY6e0OiMtpk8m!AweL`>96x#%qP3WkftqN%73Q!gEgCI}~cwQtL8z@~NC
zUA=e5g`Jaig7Z08?-(@&-DpJil@?CIgUz}V7QLR!T!VGNN)BY|6!HlifL>%b@e)3u
zc&jb1O&Cgq+#gW^N-3z#pf+?FV(SZoZq&-la7gbrJ}GxZPsb-K1d}drDXxu3EGL2?
zj?tGvT>NS<W3x0KgjvJmdIJRM+9cw7F2ti^CSqfc)Q3pAe4l&JytM-eIrR*0EPEm)
z`yP%)4ZGd)eH!)seLO)iX-j`acgJ1=F*F+27<-8!xcWwn6rXcB^p>#TniXgtoFr_b
zbOzWiHrZDGrBpp6XhB^|gBNAzL+P%?W_%foTn=exh4<cI@nz;1k8mtu$V%yBDU7_H
zt$f)dIco$U0M!*8JnHOEZ1mE-FOXy<2D*CPbks4`OLKWiW+Z}#L(5wEpaO|&vmZS6
zO)Uq9cZb&Ctc!7xz03F(Z1v7L9I)}><XJvF+F8NA7{YGY(Fd?Cqourh6-OBr5VOUg
zVb4cl^y0KzV2mTv_DFfDYIIs1oL;kJ`n-G`B;xe;YPqwO8s>TOb1%G|hkMgf^G1mb
zL2uy|C&LlmJ77cxNlu3iy4MXXZK2j>d35i&#q`CbtmT~JgTSpPwjB*K5LT{!OJgXF
z#5s`6OQn-@QcvOXG>weeN5;xDi`r0yUqURM$%p~MOWzQWT=4-6;OtA76JEVLz#StY
z)w30<2)cTV%%YC=KxG*;al^-F7Tsf@jEn)X6X1ze57=;@KYEAoMxBa`GW><4LWa;Y
zb~=EW5hCFCDA<M#e4<>#E_#I`=bl6~Gb|N9IX)eDQBUxyFud+5%u94u)N&PjYx@ZC
z6{ak12_+6nZPjZI2Fp=$+9eTmiHknBf$@W^r<D9+Tb?i!7Z7i8l#uLDDCrah4ZinI
zEDAj|^@&{!lwb|{GxVXftnqv1nl?uzNMMlEky!Fr?8sWnC6Zc0wC)5lEkH+DTg_Zc
zeH-WA#_LvS4fQXjOuv*u<CkV6I2y!c0?qeJ>7$<4?_HF1&zT^vi}P^G#nsq@>T@0#
zHqxhDQ5TX$f)iDLIdu~8-o?f>8$YJ9>hj_lt+WEllbxYPCoUqZ8cI=eBQ*z>#~b`M
zHA)O4U~^uMOb%#gG}MLNCf;*%CpM=g<}qWied}-Jge>u-ZoG}{8oUJ!mQTA7IivgW
zhGvtAo6}=v!Mf>!0NNJHxOM_J4Cz6@NM9*<%c03+N;ln=x-Irb8jRruYS@It;|qWE
za3_>0p*87(FuXX_Ak)sY(NONSgR-xJR#=~bOK4V%&$JD^m`yyM<sn+#p)d=`u{W{R
zR9G$YP^uI*VB3-|BQ1z7C3&5=)|hsVQRAJ2h+*e@yLrcZbK+MG6@^`jkVUKFo%iro
z7jlh3c}l7Gy=Xjsks>z<C&Bte?6n{cFmy>A)t(65^KrX}d9>jrv2n0!)nX%Yf&{Gk
z1kqLMZn3YK3LqOsgWWQ#TiI*I3GgW;zg&zAF_=A*>bukdfKb|anDc0#W+3_)x0zj}
zj?3fF4SoI|^;;b)NI7^=RE*&r^)Q`!5si@=nFD#vd7@yd%kw>gJEG>}V@DWqm$tb#
zaC;AmkI0A~ka;VBKgRc(7cp0*I+sA>rm<aL&lup82}~~c+_R*Iyf3Cw19xmV0o=+#
zY?rLwX&!Pmq%k?^ZBBYi$q0#92u;%6vaIzZU*LW{iYenKi&!taRMirk!*fBLZec+Y
z1OdCZ6<gok>shZsi%+MVznmJsti%%xZl01u)62R$7Y*V)CCg_$;C&(rUX^~hk9e%@
zP>jMit9g2DJbDF{IO5{Zci)t#m4~3RlHkK~;4t!pRIQ$&BAaJUp2zs)%}HJ&%*Azg
zHzLgB1H*jsF!ltTun#S?q#wrc<??&$NfPl$S`hm+yw$C;M%Y*Tgau91<SffDHb9kO
zZo4Pv%=)p+Sa`NAmF@cL@EHv5#HdDmNB|t1Txv|-^gywv830VFkwoPZ+a9JE%Yz}O
zCINb)X>#z?CHV$?aN~J()9Bjn8v6{szz|60ywO+oc7(%24!WM74Fzdf1Pj3|BAhuD
z^s&_ySl?B5>agjsdJ$PY20iAkd#!sK1V!;KTO-J(iw5OAfwuNa8s}leeVqn76OXVP
zo?Gf%ITK-^K=AHDlF^acG$J1QvbK&>k5+iRM~Wrs4!3hdFN@Afdmo2+>}*&!JRVqJ
z@O}HrWI}Lk4qh05QuN~Qn6zX@n-1;jI6CE~YN>DE-4kEqEEYpLsKz!n5u6D<qf`oL
z*-(pQxo7csZHb<FQWYmW6q*|rsPHjudT$Y|#gM6tp2rgaBOt4uiyCyw2fSV+a^x&A
zq3Q<yOl4UwimQ;P`WaU-;3iC(h-DY4bA}#S;9~g{1jbWwf}V#`_F&Je{2{TJtw`dF
zS?-{x=v3~KbH|-T;fG?^tPn<{HEJWzyVCa21qkMK16<Ep*tOHcr%<V7+at}RZ14He
zTRbsmjYSbZj&r-cCGRoCn$<6<g1)4x4Rx+Hcnq%a>~%CdRSMdA#I<8(Celjln309a
z;4oHt?U{Q|Ngpd{M`PP5=8nXL&EK!TF*L7suMxAB2}!j=1Yv2<K0mz@Ety0)vFGNp
z+9B}R0;Ga`I%y4hC}qXi5ofABc+W0<`!Q>qhZR-PsHdXoOApdV`C3}@nQ|tam>OD6
zO84Z0%I?WCG=_&72;Jc8WK?QGNI|z~96)+GvuXUEI1_FbAcET<3={a}`p78QE{sQ*
zR*yv@9q)Ky%K&;5EbT}^z0h_kGSgR6Cp4lJw1CnF4s(38?eN0qYV1A1xECn%4uJ+h
zb(mx?ZZY%awTpB6@knr1y5<P2;iZ|!Bh}_s(A4LF&6sKt$|?JD51Y(J=gBa_b}EXV
z_wC@DoO2+`4wSgS*X+-8G0)yMsb9>i0~dWU8b{rN{bEysgZ+Bw`9Qq1h$Gdj2`I2*
z#n{KR&+`V&UD*_}5Tc8NV+H+zlv7TR`mJsd4Q6H0;G;oU$gIgTKj<st**){FE+(p)
z74WxW2dKv_YOyf_2*VIq?^aP*+%;A5lEYB<yh~CWwkkR4xu!~B^-ev}SCe+I7Su;R
zBv$jgAl{do>ukS+Uj{o}leXE|n|UZO@+J-w9)Lb13e=lat!%;8=*^Y)&Jsl<UxhsF
zc>-!%7%=2WThs#{^A@MVkLFfV{l!TEm+o|`J@RKm@4{uVJD52ecn*rHriyuq=fxZy
zvyIVR1(a>Hda^!>9evP~8*E?(%=9%?F~FBqwkSgto5r0Ar`kT3^~@$PysS`XOA{+$
z^R?{~FrCLdb6vCO19@#`E}5|!bWV84X(#xXR*x}L+D*3j9m4u7xq!I1tGK}`WhCFR
z)P-3E+dwT^(R3M)xWkn^)Ru;l#kNV}@%A=a=}FFDkU$!wZF#7QxW$m`oB_|^o!UG{
ztFo7EP0bv`qhrsy7POH$2`*yp8Y%q{crKRNGj#U(w2qy>M||~?l(agKL3Sn3?wQKO
z5xJY05oxVci1X;esWAV}KyvZoI`C;FEi{at?#l6I*lav|LK93*M5;DneC!Oj3ud5V
zlPg}8Q*vxu(eCu<%BourZzoL^;F470Z2cip)Z6Ex*{Nf`FxKMaLIN+<+|<pcRU-PQ
z@Kiaj<_!f#qAza)Zd<~m?4$HY(31PuhrF|%wo4C*PDwwg#B&b>kX66Hv4SqhW;Tsy
zgT{W8y^z>~lmjNn`>+f8#`vu?g}&FMtU2gTXj+M~*6mDoNl-)~2%v<i3wU<NN0yom
zrh3sN@pzSm^-xc-q_<rK$ZKG1I&bQY22zW;KBL9uoYroic?$_g5v5X_EtjjYP8jBv
zzIS_F0?W`|jr|7RGo}f@doaplG~kiDOU@n^cnT4{Px!e^`6E#jNW3WRHfC0pst`ra
z)zuTk-i78M_j+3oFWLsU-XLkBJduY2a?oT5ecEfOQx6aLwY5As4_52N({)LN%oBFa
zmm2bVp5VC3Ir?o#tgi9VEK}o+E@8};f@-^dYUN*AMG{6WKf_le=76&CBf8;e{B^eI
zD>KcCdwy^EY>z0qnBN1wN(S63s;RN<jTZ<+;VRg!e@<6P2E&ts;3{)!?_jE8jP}f3
zJ=7ke_B3mxcSU=wj*lQt-JM=OUkVcINO1ylgy09z;NCMyiI!J~%7bs8!Zz?Fb8dLo
zRT!oEJXyWneYuL=gvM@Tta$cNm}3cW4D7rIHm+KEf&i(A&}7vtAMgac715Nz+skt_
zOW%Ggpih`Xdo-Rr%qgN;h)Tm^LlBPY86DZhofjq~-e#s?B!kV2y7%rC%Zw8OzgNZV
zPO6rK!oz4m`Ru5yrCsLEz^W-d@<xTmUjT1|^Wehc(6nQq+sZgI5;mg%7KgqoTuVqF
z_9*Qfov{AZorUElpI%?mLh9Kf8bW$)zh`O>-mN=74B0re!ZJx#l2+RnH#yrmscCB_
zGHJ#n>}6r9RGP#XykNbw@PKabSPfTu!srpBy+b}pg<*cDsMJTJ`IZ*aj#8^~vbW{9
z_zh={LjXJ@3a4w!bHZFkeuMOKQ_IFhKo}=u40s$T7Rd>=;jJ@2SKUm9l*cLIPaF>?
zukDaHP=@IuiQSFBn&?r<UX0Jq%a_x|!|^WZW)u|f#gTWuVh=U#URzLrxm;pPr46n1
z)R$FZmV8gnpJExdi+RoHyC;Lzo5=cd!62TzV^w=<2bWM<TDn`8z)`FC-V->(jczOy
z+d=P`fW+j%$1CzsMK~HAfXN~&p?P!U9#c06yqH|<=*#=^3iZpY_M_5xH83W75uIDp
zL^;Rco+0^!>GT=FTk==ckJQa!&27|&y!&|=3!NrWri;Dqts|B&%D=>F3Pe+H7K?pu
zTAFo`oDY<BoD8q)-n2S3dm}7ky17C;z(W9g_cq<?CLX&mvJFzqRt6GZYm_cUlOZT|
zd%YBMd1^P?&uN~@@F=XUz719szF;qrwSAb-Su!NGX+7Oe<E2XgP2N@<ti_!ViZu+j
ziczl7C#n>h&oLi(ZC}wcoQ0N;ULarE;bT=U-@Ul&ROh15A+1UftYf*iQ|j3*18vdZ
zMqF*1eFmiObwsmG9WQtuzhqCrBvFFKL#?{yUQD4>D4tPxLOlCCyQx-%7*24Xw#s|s
zl2&j9dXvipY3tmq%oY4rx;dL&K>C1bd;O|7E1*!z@?OrqB|bNtq;Yk8i2&`iN*5gc
z#NZ0i7%a;$RiTQ>IT5+=)X|i1_m)_@0W~_UA#PQjGYq0i)>;}OpA?TQLM*;F^m^|u
zmY>%up_pa(L~#_{17ld*2hZE94{Y7D%hWECUnxvJw^FpxyYuvMa~6D~9D6U3DJvVQ
z$5G<=N@a>zQHkV=ul4C@;{;Ec*eY8*t~Bdlt+D}xTxs(KK`~a9fUe1arw<%LIcm=i
zh715QP_$@3raZC(GVpltC}b#f%>1po(PeiTbaf9g*D1jWM?5DcZ0~wbu_n4&jFR`7
z^g>8p402ViXv5<YN8+5Ymqx0lWk=>~!-!~rqoIzBRCD0=u(=C)v#!3xBK{I<8!o~S
z0kt(L!Ezi1mB|FOSC1J%;)XPssWOwiwG*Bd(QY=!$aru=oho4*HTcHBdKTfV(BEd|
zwY+YbT2>7^<&n~QR)<qIGoT~98<Xbt+H3-6*`C={%LqxOH}c34C)Etwo0WHk)s+i5
z7q3`I8q#bqgp#mQR!p)Y(>)SnToNcTmxl=yU)7e?P#QeKXNRE+qT1x#gXlzi@w_q6
z^wri2+T3@emt(eRB(!T};VZ=tJrwuURzm6)YT;?KdApZG3-mjy0X9%Q?pk=5uBOaF
zkyo_})_Q5CK-qhd`egPMUX6CBmEwEAFqo<whj$|3y|AWvp1mFndJS~s=zHE2mv?xq
zDS{=BtC#x0>UHWV&ApnL6}=l50aiWshC!~adafsx(@6~D?0cn}P4ix)a3*GVNt?U^
z$Ai){r{}&_PHpyp@4><=nOD~fhb1VUJKI@o9F6usrjH&b@FwxoV|pj)=*@~7Fe*E#
zG1D?(Rv1UR+%e_GM+%hhq*k)Lr44$j#a8M}44#?#Vkiw{YnZZ>gg5Kxi?)QBhh^PY
z?#sqfM`kJ@54_25roj2s6uq1WSTKt+S@;<Nv2j)=m_t0-H6OOE;stAE)p_UZud&GX
zt`U@P0o`FJZNxA`WP12SMjy^qy)F^hCyXTAFbs@raaHf(wgjH%t&}pK&c*QqcqR@~
zJ4m_}>hY?x>{_y=JLgI0cmpDd-`gRL)PmGzdpfLEyD=Oxj9hFo@r2R1o^F_^Nc)#r
zkG{-;X%=*R&pIEa6Va{Zt7E#3^Dt(T=sT4sz@s2|>s*+2Hw0a5!y4L4NU5$>Q5)%5
z*cw(kn(zJjHjFhn87||y8e;AVQJr%|AuX8=ah^vGm6Gbb*)hx=*f6~<PBzKgaA~J7
z6y!RO{lxTm=@MSH)cTQaTm({`01Wg9$H|ICXjm&AFuW$^=AsGLnYvq}8}C$paSb?l
zhR-u7*q-u;>!|euII?Zpw<Z_ho>Jz<0UW%w&`blsfJs@Y&$#RDdsSo4wy(}%mv}f_
zP6zRp_;zZqp4;$F9p~aP#Ht;FVI12F3-x8t6fBsm;*A%0d+;vKs@X6ep%BP(4dlz&
zXMnbI1#{~ySlmw<a!b$CSBFRAN}g{|ol0NOBS|}QSO<;1xW1lMgc>03N;fClpw1&=
zC&t$rd~ukwDy4S5IFFV~M)2Ty(`AguO;I&E`@XdjZtmd$!sGVJJ4H9~h_cw@L{=|g
zei|5#m(?KyreIJt;sJZPi@~YvyyE<nD;of>>sb@I_!%!I;HK}^a7?5~Vw{9pd3Z}1
zjvV#IJ6@q)E*^lfW?JzvY&70@q%FC)40SbL^K7a&o(3o(aTnXDzbRr#KJqvaIuA!;
zhFaPoF9zVqm}--HR|xQGJ+UIRmYEFF-!wr!AElNs9EbtEn||l<EHWbK9o5p6svv{y
zK0B^<u(vPN-B2}$50V!}+lck05dXrbbV`{;g8K+1y53kMb-ncKY78|(Wl|?)O@F%z
zOfq8xcJ>s$)MEHjYnEIqnLyVIKn(dDuCV8FYc_Bw&RO9t=i6#vb-jpW?O1oH&=zAS
z5vO%WO45~dvAb5WIDN)+f4Q|qyj|MS-IKUK_mWiomA>TH>B>tl)6_9J$nvhnb9S8!
zxQOc!j&?vKc3l_C%LZo=yLHYYSzvaT9S6aLttu9qaKeqoNA%#1tog`7kRMGl$^?u=
zpCP+wbR|&Uqx9o4<B?@m%a!1!ZZ^~0O6s(cQ}Y(0gjY<OMUMo@Rx}yJ{8`^FDHwsx
zrd;6bQLY_`wM(Oi?AeL$gs8+hFY@UcuPdXRH7K`<37WFIhaBu`s)dxGQDg^O9fYc9
z<m@&^NKly(*(ec+i<QX&uF}3C6FZ=056akR%0RcXdozVvmeb_@-idph+XcrKq~gjg
zKg`#N7&xheWOeNkJqhNvMH&MXdJpf3!^G)>1&wzUG*l77%)FxMG}?|2qbFiyrs#la
zgP4e!MMfr0qBkbzpw=8X_@=YkD0g4j;p-X|9bzpdhQubU99=-t&Q0ui5SomA%3cjS
zmLRzBrb}?C*>fMYJG$#*AWSahoaUm=NI~@BQVn0X#(l$0sv4o^CQM9(e6PS9w0*O^
zOJ80uB)n1{eZ!g~@8Gdazl>WE7=9Zo8s|-wRn$N-&hKnQeRj3ll;#yrIh5x^jOoHi
zv_82-ebM>wT^n!qX30fm(+X=pow25%3W=nS&hQ@O*WyIg!Dumi?+vmhDg>%~F9y}Y
zOWXIj2Hu-e%{RiFev3AA()H<<f4&g6y3s+5gu3osG#DJFJ;L`yM~160vMCvH+k1A`
zQVf@tVDl7jpx;Zl+oG_UGRv@oWR%A?rCObT%4LE;8KT1DE-F%iuxjS#X;h@Iz=fHA
zviNw=%j*tmsSe+jqxF%ui(7V<E@`546)I2iw9OAVa0{`xmbwkQbAXwql8MUs3Ux;)
z$h^f;_~k1Pgh8W6MP=7qj<qS8x)G<G0yFlqhjayWXB5)hg?%c?GF9tz7~4CcTj7m&
z3d+6eV9(p7we5G_TP>P^>a?l}PR_c%GtfIOsUtaQmLY0P-1ZJQriywR9ad*ta_o%~
z*DXRN^ge|!!xbn&0IpF23X*sL``#OL4a+wJ3_j0VmQ1=mxwR$71sI-6y=1Z@th+c=
zg~_oPe$g^H>LP363}RNA=|rc<#ndMzifORxgnH3E<ArcfStLo#`r?^rzJ0K?Xa*F`
z3;A538&ENXBeU$4(AvslD5kC4XKdc%5oLIBm1i^iw8dDUODx_#!wz^m>&Wk-^R;gh
zJ*<;^7?>RDxa-IAjK?v}c;mcvS6HP)t-2T6Y@IyXh!GRpPZ%gbf%TX=Z{15cWxegH
z<slZPHNQj%2DW&TWJTk#!3LY;qCtp<s}r$tJ(!yhFqI51-~?x~RAB>BU=RRa9h10t
zU%{yD=z}vJy<=UmyE1w@A_gx-<l%Wt&~7$bYl6Uu7HbW#YC;D3b{H)LTSj03aUS8s
z1(hNjiX`rVZ=Dicl}bMd*Ow&sYH(tE9DSegmt3M>axrR2PseQt);z@;%eqE_6c9G?
zt#rQ`^&97XF|Q!9NjPkt7Qe2wa!JkCTa!M;E5gxlSFlR2OS5tRvP<Fhm8`t+*FD=s
z)Y2xab~2YRW#h)HLk_cmEFy&u0D~sVG}y__Lm+#Ko!6~N@2L(=0mt2X2U$c2-#(mK
z(FDb%b4Zy)DV2nd=hS8aTf4q$`s^`CHCA737+Y9ZW`rj^l%4>=I@MSJMRbSU8TV-o
zz@YJA7b7h;w{XRDc^plEHsL`UH0yH@W&3UMY72O|0MNCqjye8*0m*d+9rCW&cAS81
zgIxI_zbV?&@>gyy<k56lDY&6jW+vPKj@?M|X1UM%=@1GO>AM76j1?5yY!SkxU}Ofn
z>Qdljrkh@yjgA=BF+B6Zig*a`<vkCEF;GEwE>krn1=(Cg7E6U=u9M!KXxPYT1(-A_
zw-Q?}X>!<?DeBd_FWgJm5kM)t`hs4FzkAWL$1hd{OHp<59)`ipS(TP8s86myql_ii
z8@?xQ8CbKK64R<m1Wj{8&ub6yB4*giZ7RJLB)sGy;A8boIh37(rQ<hzyq9Wk-81J{
zj8dRU>Xn7O<~!*0do<7ZreEWO?o->4teJ;$YcF5~6;A7c-Ae)vYtz%{K6DgZi4Yb#
zz?{Pose7sB1KD@XE#N{I43mMG@6uDMz1wKc@(}Z2F&foQ;o-D7%(?hG3IK_dtZfan
zvpwPWLY^}*J!WA5uH_fr1D)D~YdG+Xj)+16&y)?B8edC+hdJoI&)1^zmtE3wd8+ql
z;rt=?qxDHA=j0s)4@^m0fh!8pdR>_o*Q%Y*lob{M7=;0^sa()oS%41RHj(Q(1fEG4
z$e)uJ@sj2|1@(PSvUm~Jx8peo7+j%iy2m6nkBx-uFsfW>hB+3{X`_4z+Pj1q_HmcJ
zz<5%6G933FMuzh~d>O|(hG5Na?AZZo4Z+y4aH;`Dh-znrHxJ0cJS=j=WZz1j1B`fD
z(7NHTpNLK04HG?gm$a_LXWEm4QcbsqYXbOsUUs_PESI7l)$K#ThnceLq$dR|I6T*I
zur-@qPt!}YLdV9jC<)INqGbd8I{VV}%?>}srHO4<k(e_~CsU<84H|*hM&Z^SCmA;y
z7n#lUu#RlKm2>u8l;EAsv6)n;rZ!#b1-=^$yeNyAxdyYRZ*i3z;bNTHDWNlNSSm=Z
z&?3C)%GQxEr1J_A+#hzbx!3~iqW~j#Rxd-R!yIl(=vl0x!w#&os}7S{jK_&yaQe75
zD8K_s2ogDezL!-4erffXwtC&IYc|OE<<mw!#phZbm!e8%N&8}<2UQjpPM@&(7CE6c
zZrHBPg^sQwzd&#6TMBx*5r~7(ChCT397~->IL(IxlUHac5_r$R!;m3T*pS3M&wBIS
z(7=E;JndXQ({h&+sCSE)FYW<%7*L%Y@r)z^=*F$)(97+R@O@ldz^@>va|a&vyJUKx
zpzI)P?-rgYWbdnSn=o#_3YmmfU)bg%mUfP+0j=PC7z826239A`hWK`0A?J01rq(_1
zsfCyRrI*o{UWRIm3sj3~of>2As(MZ@mv`?48QyEsls@ZSkm~e@il918OK9~T%sC;#
zvxqqzV@KGXr!S{DE8?C4YyRcezy<XSc}*I6jgKzbE1zzen9k#t%D&`{iPPEivx3qx
z*3+{<-t~$m+3E}&1zdA1ijEkV3`%TQgFp|mWGTu+-KYcTjdZhpifdsPf>@D=nq@=~
zW9w4~OA!%RXm7by7zhO|gD;M|ZuOe0UcW6tLw-US+b|BbV*3K1dgGA|!rb&4RL`SE
ziW?cJZsF$YFgi6+vQSpNsBU`^Q_jpyyB@kd>ArBWV-(>MK?gMkw)3_(43ya+69-|q
z3Qg~S2(x$83Zf7Uz+3WtwDh6-UsB-K11SQRbn4HCXEdE+rk8Lm!`)0Mkf9nf`5wGe
zQ<oSdbzvpf#tJ8Y#Ct+5Plo{nGOw8U<<mgHoqY@s)+2Q2?omH_h384AdAy3qu5?=s
z6oT9|bc8O^eWzqmKIq;kZ{(I;crX;MAq1ilR&S_P?H%I541_yEkgS>*_i9-`;fKa;
z1eife)8gU)41C!KV+A1Hu2yZHJKHK@Kv?|J>=n@Iy?w+YE~ShIZ|8a0)|1z#p=@uP
z_n7Adhg3+?)lVUfM@ND8wmg(s#O#_2aMDOD)d4F83?9xiP17|wB9sd*J9vbsEIbd<
z;_cC*7%vd^@lN!0t)}CuOxB|qrK4kr+P<f<JVMY1onX+fR@7sjc)0+%;>&wM{Omci
zt0!xb6=Z4aPoXuhI)!ZVWTZID1-H8AY)DUH@}zJ5?bDR@n7wcZlVuu1JM3<JBlhK&
z!<S!llZ-f3NskFznL-gR*FyY&389{i@IDbAG>-&hf3Iv%TFwSGGptbo6#3!38Bals
zdz0GY+|6r`xB;);{3qBk&U)v(m(0>E4imgw3@$Q<+bohkB0WRz6+pz110Zp1!K9X&
z-84HNEb4n_Z)d0)4sq7r@xGLa*J>TdRd8K0yfWbTjz^o}YG}fwNA%d7><q=sF<4cS
zxeo9_Hm^w|tSsw;-E)~^e<6}4Z0RV|t!$zL80IZogEdey&saqr9JDScJ4_zjuu3Hv
z!@WDdmqkHNSs7x584JeEXlcXz^7S@dNvTnJ#2J~OR~c@}#YW953hB3<PqUP0OsH2v
zO<<)8mkK2j-qQy%y_(Z+-f}~r5|sE1dQzYZ_V((Y+G1D)>XpO`g8{_!6H6`dEe>KL
z=RIb+mj&ZDH9y1&0G-jTmN9Mb-swpXy+*3qoq~s&u(o)%tWWv&9Y<I{&1D%{-)Ad)
z5?eD0I=g1dwtB=&lP9}kRIilexOR|&t3~HR5wC%V9?K-KZSi><RlyoDFb2muKhY<0
zZ)$^A-;U{KBcQFIJk(OjbxzdFwtWWr=DlV|l)&SFhLTOFUJBwz>BhWdjnIh8fU7T@
z5h8%6>SVx$C5`-*&zWgWT>*!_-h8>TdkU6?_wta{x5W3|U59}+nXUB%a6f&Imezek
zMO|kD5HU$%*XSB)p0>7n*K6R825ZXf*s0qBN+fu>dXYiHG`*(eiTp@+YM;Ji2$4vE
z4JJ2sA8&|@x;lx~E2nS4{7bOVL3xszSvn*{*=Z||=+Bwc2&sk!E>INH-pq5G>%h4k
z#bP~qi?ikFSyItuuO8rwZn9J5+*fK57QLug{;y%l6WiMfoCs*?DwgxKU$G+4XjTCb
zUg=TcDVGKs$sU|FMx4o1ACoS>lVn3S?=v{A$vDL7(>vP2l!gKoD_svKkWF1de5V-q
z=;(A70bfz&!Xuu*6o#VW#_)GDBzG`y*s~<gNp#KcD6AJP!W$_<47e{#O2USjxkz`!
za|*YEEJb>B3Z)4isr#XBKBZ(#PtH`0WZmijxZV&)#Js0Oc{TT14NMEedIsR8GG{p*
zhNckcVa=JKADrX6jlgYC?M``8hKqStYj?(BSs)M1A%wZw^PaK=NUVW2HUN3T@PmCl
z(72@!ulPkhed{%ZnTAbEM+E~@L-RPhXa?M05SI(Ui|Qw5ZDCG`UQ|3cd>b;H&$hhA
zye~t5We!RO13~O*#p$Y@w=L`)(nJv~J!MUZjY|Y};4*5ndAShh%aM8tdR!Mg^mZ2u
zO~o!=9vE7U1hJ4N9^59HDzl`Lw@!+MD<qIU32P@vRvahWoh-3P_J`<HF06*S-i7V$
zI4tJ@GWX7L#P4P!pezmye62vUk>NoM&t<Gn919y!1Xi2dI+Psvdks8MxR4ky(#(xW
zVoA_f6mOB<HEZMz@GH!K27!r1xc8FJCay)3{Jn>$8tnza;zhvM5{d7@V;Cf`8Q_XF
zX%0vRucqf=3{gv4y@UC3*5{$W^|On7ro`7yu;1Un!oCdahczz*PjC)Il7e3PooY#m
zy=ETpI0*MlQXUG)nVMo!hK3OWFNBHEaN>i8gU4bn05<pH9z^(qvpQu$O#fdov16TH
zx#MKn5Xn|7lPrT_lx1k@jMfr+I!|M9UCCMFy|N{F4W#LJK;msgEkOxV{#uhdz=|5X
z{i2T+c&Zk}Ok{`b_!YHm(V&&8kJD1J0Bln2M#(_33DyJC>uQ#)vA0=sn)Qm0p0~Uq
z*+qJan$#hcp_+gR;k8#9WC%`2%+7>x>qOxCq(YzZbs93|6|aeiVc|SKZeNgbgDVK7
zi)7BXYK^&#J=__{oklmTSAAzx08HYt11~FD5n4UYC``wmvD5Zj)n$#-x_n5ID&^cH
z`bcwLSoqtM4Rq@#>xHG<2lSMg1?hP~S{dQIYx7dIgW|;uWu%iEmWO*-$IY$V>ts<B
zsVEO}RwMaPj|`w(ee=Am5P~`Suuuzjj%@)zBB*w3vCv<o!47Xws!%#V<waTObWNBO
z!PNrJco18d`%nzEU+dASG(WD^tYsl2sm_3?kuwVmg#~f0e&L{zAw52>G}gKrmez}O
z2g?5BL}SgtsMQp<J6LvSaUX%zEQ0hgcjzqw54}L}GAM!PQ=vphy+vN{&7QBUMhB}>
zc|$bJll9y#E^CEaXe3_R;*bXcUiHX*MX?pn?x6|_Pd^_$ZP^hZ!k1izV%F=>okaTP
zy{U>Q1B;usp3ab{K6+8SGOI7lXJF5{F<KWBUSX8$wZUqz0my^q69dNQmEfHpiYdsK
zVyCa|XH9HALl0UM?T9%n5)*Le$rlqlN=B|RJ?YKOw4en%;c}QINem>EW%Yd6d|ERT
z*M=p0l=<Ph6f}-h{^!_x^(1Tuyg8U_o`!QngM`$KlaU0cl<G`(o1ne5x7l#E#_+Nm
zwV98@_=zl8r?r9%2N&-;ny!q*7MHC_5Ij=`@$+(`J9n9W68uECuqEBSUq16T9xWY;
zeIn+MgScW|s$J^D20Vi-x6y~bEGAA^FSf)6El}_d4GHSX6#Cgn@oMo|ui<S?Eky3T
zlMV#43E(_iHDz4CU;aYD%T@?F+iK?)x;EFUiCmsldjo8)@CdY1*PN9YG(Vfyh$g;8
zj#{Q*StHC*q@zBfJp&09%bM;>iZ{(N;s|3JgD*~FYk(iV8^$ya=|$>MwE(k4c6aTf
znypGOwx{}fU1G~Ejys#(0Y<Tj%FJ@<0j@f{Fb<hZpp!tT({sx#<xnJMHrXWTN!Gl|
z64Bas=4QgKc23G6wXdXXr~`cf6;JFca@X@!(mb#g?}BQfC@>+T#)K_ak~<V*Iz<<K
z+NftI$s)GFU9xUv8H|-=E)cy8B^r7|ppo>@xwz5?ve#Ff+-$VpXaP_8)R0ufXl&W;
z-4MhgiLwr=RQN>%j>|1(KI2wo9>MJ<=3oeY(_7EO@*dn{O*(Dd7vhjN3L#vrfKq*s
zk5w|?J!CX4)x;I78PKcBXq=+90O6h3O}YHx0o^6((}H<f=x74ytJ3nawZ_8X=7nV+
z%#=_+5K8g))@yl|;>$6lFUK~>a=jqWRvDj7-E~u1xwq9k(+iH_!RHw@8+)9IjBU7#
zjVsi1c~Ua{^Ede|D(uyss%lANmw<4Lv*sgNy4?4lWKI-yZLIk$#?90?tllHO606E^
z^M`cwn%@i3PAgU~=fH&=Z-&W-*M9KOszS31CIQ;;IA68TA)`Lj4bsD{t1F#HUAz!}
z(14N->z*RSIFlGMm%gma8fUPn^HLWE*ChRBDdc2_mN%S2Cd=82+KMl)iy|}|U!Fa)
zNRq3Ej84qyH0>2E?G{`-_gqq|SbC$2Z}vrA*QHs*8zi6(m34{9X=og+d{LKA0;93*
z?xxCF$X~mX5~XP_57RQgraH9d(j^+v_f8A+u>29aGJ#-)1r=<op*zZp4wA~CMU~Q*
zm{)0pa^^Q+ZxAAbG71*yC8X8!b#-tuS9@K9Nv2GI#9XotwFtZwicdUo@H`3B)zTDN
zeGYYfv7ed9Dj7<aOx7tTF+qk8X`EB2AW@*0EKZ<zRQV}6F<`A;;B+gzLxFJ<s+V@d
zkLmTXpCZ@`7j@;n1dcoDx+gK>z%*tG)i0ZBJNH`cQRi#J^s~eoi($f{Y+QrT;=G55
zrx3LOMh~9hYokeKwq|f^j-u&`$#=xHk7<wT0*r)7p;w08%(L5jw|4!t@WFd?G>4mV
z#-j3`1l;m_q}yFSa`Fl#T?>Zoc5_A&2qt+ZCB;2-CR4O@&n04m-+<Mv&AEHLbn<D8
ziJagzq6ISEC+FxFge?T%Y8~4#Y~2xQ1vMJi-TSDQ=SwnzFUio>i^nhAH>yBpqr;Aj
zo+EZV?v+#uD|wGPdH1#)(v)hB@D%1=9Mcr>#XTMlE*gCk2^8;M($T)?o8-9U;5p0&
z_|GykBwKou-e>@2KColDaq?Qw^fHB~WeY3fZfBZ#4VRz*3k}-k2^3u1Qrsk7>E4lJ
zOn8I5o`F737!GrjRY?}pR|5^K+E4qv)#iyD0^Wz$^jy<<NTouV-YYWNh19Ay&?Gzh
zE_dXn!bWeN6Rhp+mS$|siML_2_@h29QnaZehsX4I$%0j6>EYPHnbi6;v270!HUMzk
zuu;13G@E0gSyz+5lh8#E;1vr2c6hf&d~D+PA`bm(4DRkd(19l=>wpWnBS!}&RFTyB
z>r?=hM&TqzLh#eZM#iUQ=nz=$P6_)6bk{h8Ft)2NLpTwJCQ_ljp>%``fY06@j8aZr
zoM}`UUD^WJ^C}+^2^0568L`__#nbFqiV-&o5J-6$+{S4|JOBeJXkvbo6`VU0h)Sll
zoFW1<0u*=e+$Wx@5$}5!!cf67xk^zRX~pmgi-NK=(6>kmMZ;C4q}#|sF!}*XNWHGq
z;;}gE=}~mN0bY3G1HQPBsV&<^EzjR;1Xq9DfVM}nZ$&2`4o}4taiMbePDVzSc8|A;
zS?^Ie0)%foTXB2v)Bw*pX{aYL<yqoJKrcv(+PkZW%og$>niwzAJo9D~<Kav>^XPfc
z@5Mghg(|&ZT^rGh=hH>GgEZIEDHf`xYKw8CBOMwY{#>u*;YbbI)8TS?LeFfpQtFP9
zFOWVh^Uv313(0QLYxG2Hz~g9D9k1u<pyfW5I87<Eqe~6jkKdhnk*JNsmg^!uluJI}
ztg8SUZhT?VC8ztWC>o#X6z~Mr^1J>|v%TB}js`)xUO&~deeaQbY@-ht$Q3#WOylZv
z*03HYC?QOk&Q$XDG%9>ageJmZk0xy#eQ8xS)Axm$rk$TY!j#2#>$j7tnB9SBho`Wi
z&T)4n^rmsby?`v79f4Hd$cQ!Kkc!vxxho=$@-Z0ZlX%o>`l8LT32JoYr8H$IarL4K
znBN>b^67}CkBB|>CL}{yPFshqzCFhk0hWcM0lFT@)wM#HCfS6jkg1mEkDqzNwDnO0
zR>*rIt^z^QrEgfB=9RA~Z-})%q#)N)@#}WR;$_6XyJR#BLGxJdF^T4rH(|ifK?d4V
zF1;ZNG2dvip0#9olu18UR2HJ-Rf@%^$a(j=S?mHNkQUP#!n=34Hl8Z-OR|91H}76<
zVd~?Ihb^hkpi?=bYfb0?!6aTL4x7yMWF0?kl~*%mfOur3CIj6k3#!xL7S-gyfvXJ!
z44@N4V$1JMtHGchXQ(@v%i}`1eamstqzJxAFD87BFo4!zMz(;-Z2j?YL6gidgINT!
zTMHwuI>tMaJcmnE0CR!ogiTCu1AqloVV{!~og!qLjuhbrvl&8&CaflG`ykU;2%{a9
zCt){<60{M>9<U)=(XCm&=qds_)5XE(l#9^)uvT$K<e@L!#t=n6&<d%jw4#?Bq^mkf
z0sd6o+jq(n-R!bsuig~}oke==yhq*UpPL!mmu6YZ@~Bky(POEpd=set*u;bsTaK`p
zud0LQU3MgE%Q6$)0S>W4SElUw6}%x#Lh^bQr)3kzvdG8L@2+Vdtvq+vh)Vs>voq=9
zum|{D%jDS`IehudcQKse<&)Jx!*};2nTZ?X2L;fJWyL0eSLGf(lKapLA}b%_EoY<T
zzIn3%kJhW8Eb)R8J9wtVW<9X4@Yoz>)%EOAr9U*lb$r!hOz$|~<(p;AvxE?zKAxRw
z&xb0#t`xw0_O4CsLT}`i!Ah8;hi)x6$(+LZCWu2RY%!UTaJttX#p%ga0#do9&UHAb
z<jJ6tcu!6j8es731M}X8ThEp$dj@7g&Wc_ss!y!(7O685#xoa{_6)@hdwzm@cBayq
zU2v48Glo(JRTE6JVAqWENP{7Yc+N}Rgo(Cj{5TTcYVt8jnfNn9s+Gi+S77&As~iO_
zCZwMC66Mw-i4IGOR;npgg?>dr9kv-e_5e<YfoUimd(3w@ZPu^zf?w>wgmy@E0XPNf
z-J8-)tR^+lJuVf?N1k`mNzisq?ssq}^`_3*7n8SDjI-Rko!$WF6Thk;dGRuQ7^1Qv
z_A#N>dF=~tR2(K6Lxd)WaV^p3I<7Lwkq&3#@dCZkqUJ4LD-8fgM1xD6MOoO|JbCLH
zGc>ksm&hE+p{_3PRZEayG0^ps1$0kJM|OqBj6vM2FH3fZ&*UxxelZF}1CA66qPR#S
zc<>^C4B~CS(|nlk3b0fjuLJ9_bHx$c(PhGdO%<|caO_1FV;(LeoxHY=T0DhGwlB{_
zzC2^QI7ri@P6?mKQ6Vz6cRZ<EmHPHgw4jD36|Atsai5gD*d`VqK)qWdHF~UwsFK&m
zB_(wbV=YhQX5ftGDZCgFcwhzpiq_*gTQRAQd1ej8NLm(;A0FB+i-D!Smt*7EZ)GJz
zyx7`Bwqw(E3(e=HCT>YRN^{LEhkOc8O9(njxx#qD;9j-+^o}w1V?mTAFIs{F(>FnC
zS%8IkJCjjyt~U$=vs~d*>{$V`1|aHeeTCG5t2Md$D)^Q0Ys4LS_hw0GEAG)SDYuS0
z7ZEcbI^N|NqzX=g8{iAPhVzLN$&gaT!t@vQ?3(HYW6}u&4icuUx#4NM+;stRT=OII
z(({z&8wqfTK9Mu8#x>Joi;;OU12vlucR*2^U&=$0UK9&@^khQ8UONEWP8_BdBtq`P
zb$$skwKC1>b7KBDXd;TT*K2b!OwHa?^g@HzzR2}X6angbFL7kqE2=2AhzDOqx7j@~
z*0ff}+UW9tTxafiy{r=69p~8kOo9Wsa{MV%J;dX4_s1JM;^|yg)C#;1mdxiQw<X>E
zfYzz^0Inw3@1pi>`5YD{wpf@QEphnv9e_R-4C*dTFPJyNOs|wx<z;lg(@S!@*le<m
zwZy)1n__jwdzukI$@~1QE=nG`v$bP!8_JKSP4}_ZQx%DH-by&VdnE@CTnKDL1L_=K
z<829Rs2Bmiyt1&!z}*Vt8WPDVEK|7-PbjF30E*(#nz0x{_23wLuRx_&b+!+VnOt!p
zpKKo0@s>Rr>B19x1FIZ(;R<-$v|pkreQ#*(?-_S4c81q@YdLjRs$@Hp+xgot1SHRu
zS@Z1BIbEh`HhB1ISmMaaA1S#6b-oU1YFyk?t0z-s+LX<T;doPw1J>`Q{AXGQfO7gh
z_B3zwE`L{<&JSu(=z$;&07~nu1Nc=vS;Ii51QBW^ytgD0sRbC*(5vz4aNh8m45CYj
zjVOVqn>^xt+>J{@_t2jswi2B?WS=sqjkDIE!gakVLpB~Fc)}8QD#@#Nqz~y)Amn4_
z&=~KgIEzw&)$LA&x%VQ7joFuiR81`ymdIWtr@Agvxi>vgs(o6skDo`08u41_)f4b(
zMGqW><T{sDaBn@kDy%0kTkn>=IzbPUt4h%}@^&Bv&#yN`5W8H)>qc=e@S#hZwOTPI
z2IK;j+ZpvF-8^}?4GbHyQ)-POK$=(?^@37Sr|JY~n5#?_ophDbU%hf_k=|u8iwip*
zpUl=EMtY@~rL8-{s~Id(Os&Zeltp*LyIV=4W0-}y5ylMY$&8U7HZ?Hb#tu0tz-V(g
z^^0dla3zKTt<Tj~G1{*286<->OT426z<!8K;-|ccDRnW$56E>_1XoH}G|J8`pbw!M
zpDVJTyXu^4R3B!l<CLWBl|K6k+4OkdAX#VDyXwj@n%cozYUU#`fxPsH*&`>-riR-f
zpCjTz5Jr3rhKK!j`w_QxT{@#I7W$@j88=YH*d-UepePxk!+EZbe0z%|ai;Z1M`ks0
z;bF>I3S=f(u%67`T=FyM@UC^xRG6(|KwJO=)T?y?=qoHM9zr8P8GAY>B%fQF!Ix<v
z_d0zsRfwf+l)E2G6%V6Ad!@IYJ8YH@>FprD;EV^jwM?K8<aXmLL>r6~(czOa_x3@q
z$g3>xy9r{a@qF(YBxzjB)jax7HF|Y~o`6WIC{<X`SDi8k?GcbYeq2TGE-W>q-XV13
zKyvWqQ$7XZ*B%V0LPM{S8u*m&-oqZ4lVU%CGI(XLPcVRBSQ`DbhHHdmI8NRmdb^}@
z8tdX?({s557N})H0<}if8=^N{N*A?H^%qqpf2FhAu=@D5i%V7|)LOUjgxcXt!9K_7
z)qT!n#@q+NWD5XN_~;pfM{4j~RbxUJB-#<Y6O)Tg%Da6`1itZL0WzTuiQHH=92ilx
z49|8I!o)`k>eR2JX9h|hRA@r(cyfl#7Tvo((_Zj&G6on~@ia%kXieW8vwb&u2jL8k
z>?MonZc3gRJ4}X;g9^?TnKQziCug#m+}Q!V_BN)?;StmcF|NCdn?d`YB*kM88{Y@x
zyFM=Qa>w(D7o%&wSHxaw3LOEV;}3`+8k+GI-vbc3<(ejSI=yniElpzSl8!QdSJFBY
z7eJ&_(nga)a6IUtSF{DXoILjI-Q$~TuaFT>Rqd6YRS>OHCaveR&?I!lJ@h7wGxh*w
zrcw$F{K)8CXBF+7K1hii<@XA!9|li!cN3ouYtxj*fX?|y`YMW1c-hwCENLZz$Mh51
z+q3E=D&eb$-K?3+XKE%&ry`r_+AFG2Y0im6z0ZOk34y{DvDG95ibEDw<aDBV8OMcN
z@&;Q~s%fd*qn9wE#};#>6}hhDpQ`znYREO@h-W)gb|81`q1n6hYR{)fbPEYzU^Rv$
zoP!Zq-8EN`V^cABVLpmp07r}&2D1%*o;}?P8J<o{@Yo%otY>QVHY_B^=3m#Ymr&U#
zm3Uq~yK=TIQ8#-K(dyNT^LFiQw!%ZolKJVgg2{_?FmZ1lVt+>UlJ*r+W)F^qDZbr7
zp-i3DgeUL7SC=D6+~(;?ysohpj~F|xqs;6;kF>0|ef|n2TFJRxU=_VB3plvXfcdcn
zDb59J0?mRLPhHCNG|mRFTt^e$RZPumadw$IMnJ03(~O>*ddSh-tfvNnJSIF-k30|r
z`H<|@VI8Vl>#oJ*kd-p31j{oTX@_PRMXVW54m{@}l8f_mF2l(Lu~wn#=ZDJ4xkGP}
z%t8Gult_K($sx8+7)xr+$Xc|)^x=8T5wUO1?Q`x*Q%Y4qw~2Lz*Y7=kM1vsF?5Ik1
z>TF0=<7ch@2Gq;pYS<Au^sNCQz4tQCUKtW2sq^iXJ!Nh%CAU6)2!J9`m@kEANkCUO
zXpH%g(s-A)TENjnMdyed_>MSc*K9Khp2HyUgn&D&*O^z0qwe*goyNkrdLHww4Eakc
zU&FSoBU`j(mEt|)_hc6^Q7o`fVjK?;(o~PZH_SQ$7HhA|R!I3yxK1AD<?~GUX4|TL
ztYt+PR2c&=ANvA8M+wz=a?1FXHG3voF;iSX*fVs#DkZ?Mf!S$?X{&@OnMc{CBC6QU
zUc`9|02z1)=@Du}NFX69ynLtg28&)G!E=Lz3c}f{+-I?>4>@rR@vIP^*1(r*&put-
zo#;w@kpQtx+p6I2@eG5?d!2}HZPa4TO3$RN+Qb2SNz;X-SCVY>X?fZe!shS|M$pd8
zZqwF2RG1Dw<D6#Vx2LZHIbNpc`%ktAT4&s-)0+s%$A`}%Iw3pvOxFo%wIwA~Elj0!
zN{OpLgt1;ABn#h>%84+EYe`zVKft_nk3wwGRxU|wN%Tk8<~k-aTRKZDpom8?V06|8
z$Kk-$%nTwu>x{stniBWkorhSycLhO%efUrhh~n+YSwRYuiW{3?OOwcyzguxj-g-X6
zrLTLz9#MDIDQ|bXQ97v^X%?^=-^ydSC++tf_|+`GQT9nE$_*4Ohw${$H&3oN6CORW
zsU2@A;tMRE^@@7T1J->>*XU2426SWtW?b6S@h(LLh4AwTZVAz#CN(@ix?L`^H-7bA
zVwNillPg?6c`FV05+??crQw2lxX|{NIB1+7){_`DUTRaS2Q6e3SYEIgdsK{ZG;gj+
z59T4|v(8|q3#wx8^O&7*psJUnrc%WEn6wM~?6BjCP4)zLy&%2v^e)!@`Knb)?dGye
z%>l(qAkO)^oR&U#AfsIN#;P#)_{FngKLMS{O?z!=^BzA~el^d5#Y8j81k@g}*)$l|
zvC9^0>|-&z(*g93N~IYxnvNF_x}-cy?76%qo`fp|Jk3|Jm5SMG4T!M=+%Hk`I_+8Q
zhy>A2S9bM_vMFM0gXxj1s!M3(hAbX)$nAW-6?FhPK*qmt4|~ns^3IweG$dn=2GD|9
zjZD)vNUhndrIpJXuG!1>(09D`;e_ncTUQwAFWFqaWUJJ&SGvu~ce&IUGmg)a_MSHM
z1n?sr(T=VM5E%ds1)VP`>}6=KIa#Dlor_t&G8ai41J5?YdwU0<?90ScdekOT&x=NU
z785-4KilMW{fLp=;(G@EYZJ>RizSu3c%@_L95pXd=Ril7RjKJIw#BQaR;H!m^kAvT
z9uHT0C<;@iV<$3Ew)EoB)q=uWK2v_X!y8wqF0o_STy(Y!=}J838(Npk8C=C+EKEp;
zP40-SAwo~1U7OdOBJo87pIeI1RMts^0L7c-qv(vYUDDl?sOVSxrbQw$25q>QCMk;p
zvvIA`j>DcZU81i-;VO*{Z;{B`CFm86op>-0mw6nLV1xM}RzmVA52^+vMWH_Cs}3f7
zC9l|A5g?Os6ey<9Zr)OGE4J#YEUM_c2!POlJ?~eq77;|b9+#L>(M5xJ%{$s84H)L_
zRt2vys^x@0Z+tQlt-*1-(c&7^*F<m{M}GR=dov@PnO#GihUxNnr27EbW5dbcBd2u>
zIbd_%DiHze7mgqm$3$E(r?4F+W-39ut8QJhqc5KxzGsvazy@-T1UES0n78xBa#Q2>
z!A$RCPr*|@L#&{;%`=?!)+3>yID|Ko^2sGN5QNM0mcDmZye~Jrs~nGe;yJ9+h}7&|
zo|xTazZ9XU_MlJ#DY&X=PomT#pmk+ap(c^8V*qIA#;$^vMNf+EAd6S9>RFikUM@o6
z@OIFa#bc9B3wqJAyT>u~8f=Xx`x%hWz0`~+=N&Ik`(-kgR_Wo%6s>XbNXMB=AO*Pe
zdpR3Vjmo}k3;MDR_L3}H?J?S$&dzd!VA?UHGrf~2hs(${71LD}>N0|-bJ&`za+NaW
z@M=j59su)R5^>FF;c$nvEe1pbl@W{-7N>RG4#_-t5(e_GZt8bv`_Oi!<sFwn@yg=~
zM19Ym5pFCe0c=7gdMRQ7bW}28zfmFb7~q4Kb7_cRPp3<GbbQ;QVfQS5Ns$YD3wY<#
zdIY>4DzFu10(TB?$6%ge%kTu9s)6jKiMMuEBEw_6rYdDcu|3<AJI>d~?j~=WwAo+S
zLw{098f{s{SdtC_wW*nJtUymqUgzfIt7I+F+ueO4)v(XTH?3T{1%ZdvF{rW&$sC|d
z(-u)4#J<V*%<37I-9S1Ma5>eJ^*2Jc53?~ZR|8HC48WD&zE}cMfY(Q-+XK~@uqdrv
z&Mp;`+X~ndt{tvUNWD~%MM89TZx<FEZ!-L42BeMROd~$-u3gZejR!qElS;za`YxIH
zsb@pV${Uc_<5ncZlnX{O6h<nWMhs?~S6g*V+SD>6kKR&1fVv9T3YfO~$;R^W!H#=*
zb5PeAf;k{DA&e4=DeU>IAl5tEsy><ty?2{E@FXb|ZH4w~`89EDWaiq!;$j<?px2$k
z!MsspdHN!sW~T>^VwX}x_<Jn71b#5CiqtNaJ2pj0C(4Bgw<J$pse|sYiiKlh?0D;0
zNi1>PBX=IKR~LhISA}KfWA9xEgh0iBP=oDU2C0?hW%9c~&j^NCS@}(dpG;};s}i0x
zFsHl00qnu8iw%f}w`llm?k3gkp~98((Zdx1+EHqpdwx`>^r4#pd~R-a6U>7*uTDd<
z-w7+dH;r$6G_`zXkSA>DO!hs@s!>c$&&?-T+g&q-?^SPtlJM35aNlgMzt^2I8DgMi
z&jJHuyny-M8+Pdg)ZoVY&o>}EuztvXW~@ZjBO<Hun(FyUJ6p8-lb5Ip4gk6kY2KEP
zTh0gjHMkG=B$fCv!YDsHW~(Mci>E?BKH_&lN<8zt5unG_uk{8`0v&}!-XfBtJ5Dr_
zIXJ*%KN|}W5m6uIWgRjuT5vph(6O%Xsp;N3Z)LdWxktc}P^6sXOR?4rH)MAg_THKz
zVJSX!qJa<^n5v9>CW>+uY;18)m}LDzp{^T)k|78WM3qQ%_eIwwV}S9>Y$Nj`Y+C^V
z(52y4lY6;<%sNh_B455+o1!+XmYlS?nUazy?cBwA-KUjy0?CmVv`I!pt}t?P8Svs>
zu&INIKzW#PKhPw3M$x|H``!({;m9t2HA%DgTwWv1J9J2U)zAHfj^zgWTg#n8lO?Cd
zea1xT$L?xv6DkJr-mRbIGdKxE6acZeZ(%bv=WVoJB)$@(ZZFYe@UFD?u(O2a1YW0g
zCqGQ<$H<)xs);<>FEDg!LL%il8lN@U+UWMNaACyC^CX=~)!UXEL0fv@c>q}D+58^w
zbCRlTY%sM@4wpiNIK0p)$ee{P<=Xewz0*0})Od0I0pdRND>k%BUX`S}n7e0~Lc6#Q
zF@q_L{nD94NDL<f_T}jHsH4-XD{8+fNDw=SVR(<P8pUxEt|}-kZ{Trdm?LJ-?oQ_9
z^}c?v()&~h+jXNcujs)b!J=D!`sQE01;F!&xZ!3k&#MzK>zZX&4`kDW>!*$6)-&#x
zikB5~Q9gUGBU_zPr+PviUtYbz5<lYyvKUR3DRV6E#7EM`fC0IQ4>t^PG;}MQU;iiE
zR0At?XYRhUMb~F5tew}d+jOfPi{2z1db)egE{34j*~wrrxUV`%of!jpS^%q@WGLr8
z?&-CH&~(-w(H(tC^Jpz1`+!j?<}r&C`ex~jUHI73Wp;<NeKByw`FvgY$QIB~h5b=7
zvKpKNN!n8b<SEWVz9KfmVcrWR*tB16o{CE8F<20T$OC{KN`H}9EOcs+o<qkkFVn%y
zHvj;KQ7g%8fKh25im+V4DJ}U+V%^heA*IY}e?(<LkYLf_XVE5g%~-g|12_YqBmy{c
zE+L4B{C3HCZ=IS5^)^))q?zKaC8qm|9RPq!4g{!TMhJtWX(kO!n7YnLJDIBVIt(`e
zi=e;=`(q+gIM>Gtj?~t&W-zq8tF!%h=%tD37(P&oU%|%6sfN{dgH?8oSZ(PH$K>)r
zVY68j7nK{JCd+xe_ZY)NrqE{`4iRb9V2PDyqiM?OM#!07W~GTVp<mYVJna@LevhXJ
zkq7vxdmiIq;SmlzJ90fd?Yvb++ShcQ@bYNwmQ6ADGO#x33FHknWxuxvT-CkF76O@(
zZyqywT<Ft{MKOGt`vhp_xjaPar&}UScTK|sHEM|Og4_&ZI&h=&2PBvr#E~gi251*j
zdzQ_6j|jLRZ;hE+HtunylqubzZ9I*u2RV8wt^)nG&)R0*;A<VqDA88&dfV<8>#1MD
zp?wKwf}q>!#){em`}!&q63QI{#L(pU$yi`djVX9$R-<EFWV@77<uw-EzMiR8l``-K
zY!8q&i}5K&O9<tZHs4+*+18Y}o6<<Ev813(*#C@s*`TjsCOw7|0J9?A(F$lu<6wYc
zU~?*PL`F&!EnpWl55bffdcNEiI!EDF2L(mZH5gkQQH@(ZvC~ZC#|pFsW|#)vjLuOl
z^DaelOx><Z`6@@l8?-`%$2#YMx0?yPxT0qvuVoL28mk}KE5XKRQY6v7uUK9kfX$(V
zFJpJ?k*Z(Vy?eP#JeJ11SVzoAjT=iSX3ri&sF?VpSB9xm3hyv9NMR&W>B2$GJd0Cp
zyR0QPpJNOJuWLdgvv!Z13LA*oz2-LuXWFZDuQ;qEh9fyM6K<Igls6wDE7om4Ph8Mb
z4V8JIR*xNop+xEFQlGwT<a@WwRL@|%<^}i4xf?Pxuc%{cgr1wuQJZ(sHDIZF#7mVd
zPjfk~vFEDssEcb<GK}CJ_6>I&+>t>!bfNUET*erxb6-{=)e5z=NxKdn*>Hi0W*dO%
z#k%$bcdmU0R>996zjJ2f+1k!*K18tsh4W&AG?cP_v>lkdB86cO`ShtAlEm5cZsn$f
z#2wQyxFTOPG_i7rqcp6&&M`?mW-<~9NRBzbsJ=98M(rat21cP!d&~mthXZc4P?1tO
zJ<*cj0xVu5&l(_K&yBm$I&4Kca}8CgjeD2s@PG-Em0yC(1szY*c+XYxa>DXf{Oa6W
zP~+;CPcQPZrN8t@)HFvzgxjF3)AD<7)4hq{DZcwMj^xX@5mTup_lo0sh)n|osPR0#
zTc11}HHU<tOl7&pkNRP6W<Anm=a%b}@!3p$*U7!0c8nB;+kH`PhZ2sJT054dB@(`P
z)=q7mYu6|)THK!hDR<DK{169vu{e>SE{{|nEN@5<ywj)8>8`ds%>d?gW(50?Z<{|F
zybhE)uL5Gm7I@^twaSR`ETq>&W(LIv_EZ|)8?`b8OUV!{@Rx?eqpv(y*-0jSybmk}
z`*coh83MuQ$uat{-(r{_szS~S!ii@)n$-rOymAANlXKrCKTiZ*xaR6E?q#t^W!p=>
zSZ&vU!`Oc74?Hg@qm#9B8=vqIxlA&wA?Fo8RCwElt@`9Wta-ww&Vo9=B4B$QsIUrM
zOU(Hk*WI3R%t&D2DHFb%#cQo#d)QbOj0-Q!W*_LF(V^^dhpxRA$ifB}WQU6kG;Jj!
zdGEI3Z6volg3RmPDE>{(61ER8d`P`w862F;$&TrE@hzpsH35iqI_fQiYNvZTUa95l
zfa)MZwk#+<USKIBW4U$)=XW$WZZA9$i&;mnk{*Yz0&&mUAq$Y8LTpf5N>O-m4Kr*P
z0aE#e&d%8@^HGMl#O#=IH8mVtM>9)_%vqUz7>g;T7`eSrBO#b<60}e+y58Pi&dE+&
zvPesT2_(LQefMAk_Pv=ENGH)ZJ?f^;XeAZ=ybjb0G?!zbpMnKdP!$bY=?N3S>^XL~
zVNsHGZv@r_hq8>J1~GYErFo`zoZ@kUh}qMaH&|izJgzHUcafmY(vO?L*AkVP2v(B4
z31>2;=vwhg;xyW&_)9saFXfOXIK<r<G&^ifkLqBt(3_$IZet$GjK-PbDV2LMfVa8}
ztBQl!CS6M-Afk8RF{v7nqzcU1-b{5;*dAU1u;6I{-u5+$)f6cf*W{>L5B=vH@jczC
z9vwZVIKUNEpfZclzKYa?C%&;*T`W?@;g75G#SreXm3L!}C$YZqxjJs9N^59Z54Ni?
zXOHngc5i};(?@mDd%+&qCOr12-BfGrZ8r~WhbXlTCOnTE?#EI=hVCng#bYjq(vUi_
zk9sH(TKm##r=e1hv#k^rlGKhWMAa=E&mm~R=~2j)i-p^;yB>SBU5HiyY?X>Z$WmPP
zY!=ou&b!67c3w3ahy`birRv1vt&w!9*sk%lVh^x!!=;4>vMZ-LJF+jI9J&+2u5h69
zI?ScN(8POsus0GZ*ZcG9&>tIER3{KUzEh!`D%)*jBtM)d?Qg8DL?781ZR*>RV8U9v
zRJ6iOVu|8*O}%*7vZxQWayD;hJqh0+x+6uOM5^4lI`CGp;XFPVAILYVZ(#AYk8{(T
z>6OO;p4b=L2j}3r@7*L%d$f~5q{&;-yY!)JHw-Dt7u>IyO4@@Fb+aNL2)Kg03nEPl
zVrxV91AI9WkIb-NSTd>aNJy|U*IuMX(wnY6L&?oNg4#p195Sp+;;UU6mwA>4`v@OL
z9?;xF7$E3!SP!iuFxTN+!`V)!VIeS9^aq($y~I7qYHu3zZZ8<43X_mVsWK;Mz#^Hc
z1_*@UhGp%_E*=7P<Z=6ZSrhpJYO>zG5Gd>hd_Y4hy_=YvbOg&KK(A)nmTuw8Ie{<d
z{9(ep)MIO&#JOI5+2dI*{+ga#4zpDwzpb%5G4)b;jnkK9dcZGJ{aE+V@=mh$y-LF~
zb+UW4=2%)bnz;GP2jxbO_CW;t^JK(QiL|jiV)#!w$fL(c>;lj0yta=YBS_>ke#$%L
z(TTZK30zKlI<wxo#A`v})Jg)ZBVbcGe&zA<bly}Lno`2pX`|1>Jv>Ym97qaq%}gA!
zp%ylqd@J}Io8?j<`TA`jQ}aRJ-I2Ye>i2Mlg3OlMBr@dqP_O!7s$rNf<Wn6P$bKqN
zvGzncGG$PQZXI*OVpoECJrLv~q>TVKi_Y?qO=P*ti)E7MQ8xg*Sxq6*!qs5dxFq#v
zZn4AROlLH_nL|jN<mt&ge6zXFD|tL$x<4eCNJklUtc}rNA<6>g#P_VZU)m(Y$T+Vr
z5@bJS25tc?^TEz%MM;n+cW^859G0|%U121&GBESen_64)viI8i&1BtHU*_2>-yW~U
z5{;TMFQM31q-6yOG(&Zez1P~+x7q`*9c7u!fZpaBQggt2?FjqK(jVoEF|YPp-?;?o
zrFLM_rrQE8ZD$u!Hz<;{Dw@E$)U$^`$!FQaGuFZUYL+*|B94oNah!th1-l!u6M4;?
z6#EgyEs12UJS?=t>V91HD%UdjxzEC|MAy?tF+!AAOr6`kcP&(}1}vmdh1^bhQWT%E
z3^ZN73g1V$2TSGS3sshS>9plQO-~U?t&x?AU}!Z4hR66$x0&t1CB06Ip;I>}8&2GW
z@Sf<-AjW-Cfg2HflSpTL>F_K?Jfs9%;HFxJ^cT;2pVIl4bQ@4|w<ja|s^3GrlgvlN
z*h!jaMN44kb*?e~)XO7Z4;z9`k+Kiiq;uuynQ<jz>e(3{vEAtTD7UW1p>uL?8)_-^
zYjfQ9co5?5NnmL=5rwt>XWhHTd)M@c_?fkzFar2XZk5#ZOfcLc7`BHYBwS_GZvr5~
zT&j-EyR7P=1GQ1dF{wvTL&po%XGE!2sGYD1N#=q3_yuh8oVbQll$<&DJ8hbRTk!3B
zRxz?3FUvt0CJqNlsD$uAV|YJTQnR_7Y<&V_m`W|~bYe@9x73eWTN6>=Y6Tm@K>CVO
zjLT0BmAAJ<Gx78({E&G$DH}z-S)Q%M&PQYTU~DY$HSlI!RB*(NHFl+u><h%%4G${D
z5#!<%39+jqv3ZY;VpCjt2nu*STga<D*I&1z(}bN55#(c}nK}$SQJ3InVS)S9wR@gG
zGu*y0MnE8TdmYIKG!an^Ii_3>ry~uqRxL$F=4fhGfD-DJ%`=hGr!orDj;C>j?_RU7
zk<d#QnG!G;t9~-MkKdBqIhcaBwy<KVWClU!0M3l3hCwb0pFA`0v?)XL8=Xg@ya@<}
z$RYUXy|q?E8yqG8Pk}B5uq)Hu7&*PjEHv@r2so{nVRmN|19)0qtso^cbPcktZ>o)l
zsgtAOZNDZKPtmwpROVth2|E`BVtcg?F^~mq>n2aOXkKzkFGaTxY+v~+F{7J#9vJ~F
zY0_E(_lyU^-TjJ*#kNeO$#1O2s*Dy!Gbiu%pbl!v0n;Jw*}Nzh14C!9R|;xM-gn1Y
zDF@py9b|WXP5d6PwwE5l=%;mRpVmF{S)+OCY6{TO@1>9%QjdciL-QdF+ZAE7c0wk@
zBg?{o)#IZV3y*o;+eh{qUoE{MG=+?m!DTv=FnY#5m6P#+`gJleS?r(yO3`tjmxpY&
ztIB`cVNHv0`Qcj1YkfZlyaBdjEkL}MC>!kcG!ipDOpASw%NV1eZh;&RI;&(7?`f+u
z6J%H#-TKTS3^d>Khd``G_})6bTPXDe8ur$d0It{L1)UCnMC|-%T4(YBrjWmZhnG|o
z@8LaA@m}HVf}_=xVC3s(TY2mCbdm6YLRRoG@pe>aT;8SQ?NH`>nn^=#g7a#PWYZ06
zv`M;evhi*%TZ~?FxTfH)Zs}X1SWK*7q_&$B3N+9ms}up;L$JBh+RHav^c3I_6T<MV
z_gxJ~Zs^4BKDMnC%oU4p4|(avcUHHXgtVI!6c0!*Oq8cNCs_CCA+_c^SZgFgu6ebA
zFb}rkxskYV=X(?yrGdT_nfzY95<w2JjJGP5k)U-5uiddjA}TiErP=EqEN+vrC(EfX
zY@7LPY$Yl84Wi5wsonP|-s3cS4aUfvyW8^gT|{iY1ElbL&dn4oLvg#JOCZifnS7N;
za4`=W#}m*wjbV8ochMGhuuRExAYg|?i#3MIgeJav!$#%rTCp~6!>^tdM!nk@oM#9!
zJQA1hu=ARfj#loNnmdJ)IOOflNV#vC!0L|%?ShO&B&2P;Dw66hjsnXLh{shk^g^GT
z*~*{=1r#u0YZ1mPOMM#GedB%U1X&5H=XeMVE^u6X?y<go=Wk#aTX`zt>^Z%MFav!W
zEOykRJoTlW$(MG<;ztzw3g@`qgMLp%R?%$1(G@PSt=-XL>PbIap{;Pf?4oBmmN0nv
zN?~}p?0R0rc073y1o^Ud<PEvsx$}~A681X>v<j|@iiPJj6%Tl*o?{u>{}))lbXvhj
zJ>DnSIXuF+9GlRV?kXZcrJWOZJl<o|?g3;l;gP%GZ?YsBf-)qY?(%5)0~<IzC0fm9
z1qLg?lEO$we$VU`K@%VeGHP>!X515(t$MI8)O|NcCu(aoyLpMM9A1fG(3m83x!X!P
zqT}m(M;O7<`bMW|0G4-&rSwHv+0rPB4g0g6;-_RJYbq@3KB|l4Lh(A+NFubb_}Rnq
zXnpI?uGnzLvyDY9c${js79gA7tQkJyAkf@Xvqr->0Xyl!j`v<3HN3OnWnCeU?3%#V
zII!0WBw|O{i3T(XT{zDNeY!xnrDVb45k9Xh=>RZdp*uFQ-gYEN?Lk?Lhk9n)c7`zt
zJ9XGGQ90>wP(=s_A<w|I=h&IRu4gO!8F7!rXy7s6_*4j>Z}J6{AJ}VNl=mJUil;$|
zK&REd#1K9e;isc8qEl3P%prmShaqD35)b6wijGEwiZ9^i*~-``Y4J<bXEEe3Wm6n@
z^fJa}W#aYgg}hF#?tB@~*zWkLwRNSd&S)E{KB4!v(~>Y0=si%U*RXOIqM7=Zbg#<v
z6v>B?P_#9D5>iHN9JKi?`>s&2KwS15@ja*+f5F-_3nD_#y1h)+rTo2Q9LKkzVSH?a
zd283JZ$d`lJ-omk$iiyFnRwL)yw%mzv~B+CfhJYA4$Kxo*P3XU$e<W=n--~kdH3kc
zJ1L}hvpV~j6V0LN1+cNvTjOj`J}i0gCY(AqN!?T@>d?<4Z&i?<I8_2JxQl8?*+T|P
zAnizPExX`?<WQn%e^2<;YLl>a9Ru{fEPL{T<@%Z-H}mX2@dRaa+MMYE6Qte)SToNQ
ze``Diii%6IhY!8q#7W!EV7nJ+ARO^{x=MxgL$ww{B%?<=^*C)&ofWoUa)iSq2BWdq
z;4wq<Rrs4%(qd&|Q7<*Ntk5K?>Q%$SlLkmsQhY{oL@BB603vUnf{yB$zXQJtj=@Zu
z^L<>|*6S|ziXon%g0Z2Pk^y67$C=s7e5hy_t@mIRXx^Z^`PmF>j1Q0{2;^~RDf6ag
z=*;UP08^zG*1EVw%_TN9aU_n1CFFfGNd72dUq7TMes4Kca$z^@Lbcujs~AGLn9>7H
z(2xev=AIfXHK}dko6;b!00rX0O2HEG<yezwDAUf`C)zk!8>}>-ho)6KXfRE!^g>z(
z4&LCRpS-S+ql<?DAyNz8Qn|`cwHOABipS#V(;T%M>8CpaeXofl1n(6nDZs9FzTU|U
z3<&p=mxP420WXdFg$_|rZ;*`&9y4~`WgMEKjY>q!bp#?K^r^}C;Q>@oO<Xo)c0`8a
z<}yCbAyD=83YG=EQ)fj`6SFkj);>AJ1YEv_9@`{`rRVG(QJwd$#(RXpA$)1~Vamof
zsShxsA5@EBwAm^h>tW^)KOd)>^qhJMjQl`Hkc|82W-BpA7f7$4O&dW^bD7KbERgd>
zzOhIb<5EA#ey4>?$EOaR?*!eC>4D87sudMpUkIUMv@l?a?`y2Xmw4b}cmURS(rr>t
zsY4(6TTQskYS50l^BCfr02(Ig7Xe)2*X8FY1$ewNQ{t?_LwW$fZWex;v+puz!%%Np
zVVIulrs7C=$ck1bPd|7|B<9{G;ALKj|CtAUkqHO#T!iNWYUi3nA3z+hdV%c~(cqEO
zq$Dwc5hp2(x*WZw5xoaKY4$Rzn`~Jdqg4wnBRDrEJjCya&BhZl!2)$xAJQPd5gYMV
zwy8+cnsdL13_){V7AjT2TyZR{v~-Vp*|m|T!L7^^jrGQ^{o2gvC0*Wg#D;^Em;fQM
z3f(9(U#}t^B|HdF7pzy5ZBn$XaV367F)taVaA@BG77QVTo0&98Og}^x6N&5hDtBd0
zg+;p2)6sIG!=VNy2CyYZ_Mjh7-}rM-1P+9C?BTOM8RS6@->14N50*H)(@GIKHSQ8h
zi8JQiz0`5N$}L{aXv7J5*?N-=Qc&-$<h~F-3v-D%xC_Q52Izu_gV}Q%XHCzOQogq4
zVXtIH^~4Lcfb~{2XfP;P@#ma}O8{5}(j^?xLysIDY9{RD%Y7>4iF_`BRsekdrgtk#
zgZ)}q2<`1<Qo2Wr_XVB#kF}rbhCNtZ7cz#_v}3^LZ`Mu3kPY-U4$M}r$M2p_`c+38
zH@`tAZ+u)W*=C;ELy(2bCldLp<zx@ivV624A9T|^u(CEMd=F=HUKhm?Go4V-+*^)U
zv&+GwufP&BhbI-g{BRIgc<83~(OFz54%`IcI}xL<)qa3?hd`>RPSIPHJK}y#_QGp7
za;(?=n1KQeQ{5NetH!P(+2UYvJT5~+`!vr#U$x$T?h=IrYYQD=k?Ll78kkN|LC4$^
zDajZX`Vz%k0@)XrPWu@~+UU;KMrigpZhKYqtLW>r=L3$Lv84HQIHo`redK8n^g4Nk
z>?0C9lBq{3R;-k;@}GKCek#N%_$JEfO?WmA;nr*HIbrc5zXLBjF!osKCPr+1gbI=B
z?sLHRPAX)Cy3CHtT{pduAy^WDln9>1V6)Oa8h(D9#=VLAjIuZNiCJ?Vy1z&MsL{qf
z4y+C`nGhdbW2Ot0AlF@7GF{_>!MS<z17YciTXkEXleRe=v=>Ony00pn$IOXzZZ!c&
zFcB0UP-^damu`o?dN0O0vE$6uv$te}-Xciiv_|U&6yr(S(lg=`8-bBWV<Tmo*6Wq>
z2vhT!&LT+5j)RwM&EqjhH8y_qdVwB4gf+hMq*2qBaAGIER{*#o?fS6XHM3<=&P}m9
zv=MiTHKN8fJUST9&FZ!BIqV&>PSGtEzR|fud7)uomz{7+v|88hBYXz>rUJJh2U;bt
z%!;<72sQziP){I;PH;zdObjgy=#k+&rZGBlk5>uYnr`|EXC$W%&R1E2B0PvvUKP#r
zcnWlG{#s1i^BF35fDwYv12nPs7IE>617FG!|5$#H#m*h-m2VH2z#teAGCsyWk!MDE
zTUEr+0aWDUBHDVq35>Zf59G9nhI3!9dRv!l3#w12l35<K!Wl#%wVo)wbGCB_dGFO&
zJDkp&C^*K~rD?{)^^S>@4L2PHwMX;R>PU=Y6fqsP2Q4x$R6S4pjaaIMgyw^O*0;`L
z^qA|^i}LmJe4BU!YKSxUrC!*VdgY@gk3wY`uT+-&I-l^lj8C(8V3(S-NrB(1hsHKr
zW73H`HI?sLn^yoNdc&zIz2CwE29{+;cCpZn*=MB)a&*<AtlPC)&0J0IC=UJX=&b{B
z!ByF*asTIDD*@mx<B{e3B+q#kvCEo`&*$Nl7Cc6ZP^Hp0M=7U-354BhqjFTjgFf$(
zUB-L2O@wETQCjbUxpryWgv;KdRX16_X{^FYE`g(4AQSD=nqw4LkF4wsvV90y2M3Qp
zDKME0{bg?F1V5Z)b$h!$?xG8EC66q2LI$MdC6~1r)CtBR=g^ssv6DFH4w>X#XYAXK
z_oQXnEY!i=8WL!`C!F46(-1i6+SC~>sCKz<Y_v=3qp`!JpzToWH}Fu}JaohIwY%Ws
zHKSggLO{P#q~7;<N1jq&)&+=?MGy_*LvMYQA=$r3HApYoD06{H37WY~5RO>-k!$Q5
z2s1b%n7nRc0*WMXw^XH}=xzpuNDe`lM<NChh@I9NwsaGymtM<n-j?79FbJD-ZuFDs
zH+J$KfLoupEdp+M+*oQGEDJif?168(#VzH*t?oU*v^3d;fpg?US$#4JvV=iFjlg1Y
zk%+TT!I_$B7RXSZy4q;RZ}P8GV$(6e6YpIn0g3nHz!%*R6TA|DJI05S`ifvLFaVz=
zy=r(DNZm#=$m9h~<-sO|=zA<=h3OTVux!`m`JO%?HL#5p*HT-Tfwe$lS$LFVa^>r6
zh;A(K<i^=ZK&Q54JQHbSUBG;oi=y7?<6bN!ljwwLyr<qca=KKH(hbL$>;S=~tRz;R
zUrCSe20euj_a4aS3wPAB&GgcRh1Q_=b{Pv(HhT(!4vFU4oFU-7+`;2j^3&(8u^TJB
zSCWr>LySp+UfI(gImvc8lPR9;TUThDL4P9sq_=zGR;CFBToL>PWV3AiM5$DSQr`S0
zAG<Xdrji_Ob2Rf6W6y9n-i*G(Wgd{rR&nxHIibC0>}vIhfL_E%&q;0{JT9-;Y>tDo
zP*Kr3gBjIcx-3!k*`BwUngZo7DR@{pWYQ$%3@p?LnaS>C+$E9^<2mMKOf}@dLhYy`
zn$XjcYeZwu<LnD<w+Lx^S&t4@ciF7d_c$5=%&=yTSQRtb{8(OzlF1VZ>qYr#z)gy*
zfC3W!L@Y6QatT_BT?QtC%uy;c-IxhNtm0|(tHWv!ICm$T)L0-t6YQINL_9@MEM@Fb
zAl_B3EeR{@GOev7I5fGLP8$%kLuT>t23?2C4C5ghG-yi+Rr=!kGTy3tLuEQ9)e+z;
zT&Rd@Hn==wM(uU)HRUF#>dQ>u0pu-@OP%DnmY9g;28A^uB&xR@TocUosFi~XP1iu#
zt86J|8B#+YD32sDuxIWS@|0J~6&I#y$&(3L=?m8)0jeYFd{>Wndd9iZpU!a`u!6gF
zmL=8zT^7^fbVB#|i(*9#TRg9BR>o{oHjrQ{i+yZbUWTjs)U{qZ8^0JJ3Kuym9cnqo
zv`XreBz3Ka%54BT2ue29D1sgZPhQum?;M@nbvoQdq}06j?&a!iwoDzEH%&#1spak%
zp7RiddNQ~*_eiXdulA)G-x^ed^!5XB=%#UQm&Xt9l;vgcsDMV0m6e}TujLJ`8h^@%
z^d%oY)uo};!Nvkq6SY!~r+g=9rZ^%NzWxAc`V6Npsbn7=nM~wp;2hrUz7j0j0wDiY
zSH*(J#AS~*6GdB*6kQSI2##4Dq=1;TY&J~|_*mj(biAI^42wngzxG)bdW+URRB#d8
zbyP6ic}^!)ntjT_)luc7*DpE;NZTeJjG>;8E4o@(FOh}C=z=Yp@OfqMso~2j2+KOL
zS=xQWRF%oBM&5#lcMLA*s@95YlMKdDsgrDp63^zQ0a+E#n2`AqXNIbl7h)Y~i0Dfz
zaxXx14SFdqNPw~GM(ALd8Rng2Y*y~lLT>Pe#%^OhNY=*ZS>zj<4ZzSWn_cm+tZYV%
z8`NDxQoPQ>VOLjrOKXee+n{xB8k;P-iqSbc^IojLkb+m+X4{oA&Z73cV|kuJ?sKX(
zQr0okdRPVzZ|At>BEz82&lwO*O3v8`js(b1+5k2kuBb?=qP*UFRmp&mjaO@!i(YpZ
z3Up?OSl)>XbM~+qG3^j7-i$Yiwp56fPXUiLygif_?Yn03wMGi@5#%@Kz+$lx);KQB
zjZ@`)y&6RLP<7fb7FX4~)GdBh=sP_}eSTn2#EJPdYaI}-m0d}uu~db}<@CsVRx%Z$
zJb^`tj?VCWIn8-<Shg2r*TszG>6ng9J?*ip1;nw#2$^TKtY#n+%!oZ82*U+LzgoLp
zVP17(Rama*dP&DB2gr?AdBG))XI4~gRl*~gN=xd8N1pRQuh!}&)Nds?Ti!fKY$>jJ
z?5!B8J{M<(3~la=`R0k&D|P~6M{v`g2#?3Qr08Y=m*{VON$S1&vX9{NwTlk3n1+am
zyH8yzsilBG!+Z2e_IoQJ>&k<g2-tR-wAv0hZ(OHC$t}@A+8<QK0o=%R0cSds(^FJ;
zjOm<5%E!w?{Bkp2ydd+`DQxQn&)9xV`r<ja=QUnnzW?-7Jf3AxMrJLbhV-6Pa=qG%
zJVRe$Mxl+3hs^E<R3L5{@!-`8L2j1v^kt`cw{=@GGQ-nU^r0<m1vtp2h4Ks>W?&7e
zV!vzAa>y%R(iR3uS8`ZG5)a(RaUFBMELjs|G+n|BO$|r1&qZGGr9FEuyYYB@oozQm
za#P08kjWG}$lXDjyHgJvki$q8!%cXUS||)a>8koX@&HEN05UXQ4N`I>b8hbz8ty7R
z4zCH+tTUk}w$fpm?`@#%1LzFUt_MVvoL=5K%h~rdBLPg!QQ{rF+_l0J0or_sy;dX|
zRBimux$**Oco7!zEpTrz$`zTc-c7TbFg!MLeodZNOC3_<k;6Tb;*Ck$>=4lGYh8j*
zP@)e;T@WN1=glOp;+!87T4y3g#xhZKCKv(77Mh-n&YEA>vmK_x#XvNxb?!2DxouH$
zbstYg_l(I`ji<BbEi|zdEZqnQ)5^N-&p{la0V14g&BTgZVLIz=o=m^zroczB#fPe%
zj|EqP#qY7aNE+U?@@#lkr#ble={R1jOck3JiO1n<fr^xFgtJ*-DJjR~k#m%%l~tjR
zEp@v_twwe&Y~idAM%z&2W;9h7Jv=bdYo(W;!xgDGQ+EbjxC6)_0Y`>B1tK(4d{5C}
z!rz?J3DeW-SDp;s##67!Ln9}~*M?qds^Xe!nQ=T3(}_?0{7b(+R_Cs{k*>xE#)bPP
zpnwk6mUcleV%}SlRRa!E)|I!Q@E+>BFh^FA#0O%5a<Nw?&nSueUP|05C8RW98$;jv
zqgRes5$SRFx)G;S@iFLI5PapgFJrILCbU)c{_{@|g?lly@WD0lj`F-*?=(D)*HiWA
z$nYuTt0C(<HA2dMRaoc)KoWd{j;`7LfagT;ok#_r<TIDyF+V>L%E!$vSXO!o@B)oT
z+_5>Tw=-2d6^P&R`5eK8n<~ZgoQ#$&T76(N<rAnTm9iD4z!glTSIgtRmvy3)z`MO#
zyw4?QT2;3@^r0lSHWmSP2`z#vb)?=R;PxnATlT!gfw8^qbF6%(PHP)|4*Ou08rWqQ
zG@d6TvCIrMjRMX#)Zvjmu*0@INt?dKeIz=st}1NOF!tz`^w?8+HCBrFR`%D03VD)R
zJ*0SW_zK}LtS>`%xYtnBvs<;BDxCx5g=Nk>+;~1>sB7vTD)&abu=;_P#9Megx0E$X
zBrj+?ts%w`n-N<@s+g&$V^CyBLg6^+xxR{v9GsH5irh1;UTPxQjoWyx8r&V-PX?Y<
z>9jsA*)+Y>NSo_5mOW>9)KyunnW>z6+9gAck%l|~Dm%%cQv22<nwq^Y<K7bs!KHd{
zwv5*(<8E7HP?@6V4bb&I028od#OTu(i)ROkC)ZE<0i%Zu36xfM<YTa>k{2aB=K!Gn
z%IMrxpX5f1RKRFo1xG+<310I?81=w8$m_)1LXNo1Ya6@nGb=ivz6xdXi0;KqUnklP
z2~T^?@krp!ZFpE*%tbGgr&J_PE}CNH6;m!notb_4$M)qPJh}#AfxQSst(->})PO4u
z!4(>D*4Lt4?67NYUAhGr>tI<?qq@eDg^+2Kp$Oezk9v4#N<I3`QQ5m5W{NW`OcBBD
z^q0)-r#dNDm7{%Br1Z)+oU0g<E@%5G@qYqh!LZ1zrl5qu+MAzMfB`tZ9!<J6_atO0
z67P0IR>#~4-ib1I&Olsyjga3oYfxxxK&T<tIQWZKx2MQ(b=`RVsMII8T9N|E1yM)0
z<OSkYLrSLl(@ZMc#l`BPFolQCnaUBljzQa&t1l*U@X<XwO$>dN2nCn2VP>}*hFBo}
z80cxj$=HZr__#rE1Y1W54(91RibCvQaAmRaXVEBFj<*ws@5Z$O<FSJ{iF50T7LV5^
zHEqD|(Uy3Wg<E=HH5|q6TMA)TT_NHoL7~?Y^U~vWs4?*lLctSc5{WD0hZ%J@Sw4tN
zPJot&_tuxp;UyH5I7BtDR<7I0vwL?7Kvnyep`^hIU?0-qsBEZ=Mjkj%A~CS+;|f<P
z(T!@_tExv%Pk35GsE!{^h%oVstxZW&i+JD;AgN8cH<r?Cw;@dl)}A0@5;{jDWU-8J
zIE^kd{I*wi#ekhH8W`^aa`^dU#w@GCuFQG~7;=>%@7lz*_+gsMzQyj7jgz5AsGe-4
z8lt%35L(<2Og>dg{Y<0ZqOpRgzc3nqscTThEpFahO(4X6310E?9?nMAz7vQX7z$Bc
z?9~uvbKTp_?XCqBqrzu!OIq10(wDYa+T_y-@B$`msO)n2y<Vy8*K3mT^2~PwxtS5(
zN*e8rbU&rZDPn)GR9<Kb=gV^qUT_tMAJ+XPpvaei&vyGlEtO2-{5>T{v03IhlIU@O
zC3J=}-GGB5?Tj%MxLE-MCWh^_XK;ud{f^9MD+vsYaW{hs?+)~WZ&V*$Erq_=9`R~U
zA8Xo@v?5#fvDT}j1_zPcO?i-hbY%Y-Xh9E`!T9wm8%IVusMGnz1TG{-9yV#pGFnP@
zU5m2JE1OcSnoWL3O19bw0&gHW25c#>OxYVri#Z_OV1b#Ri-2I<1sY3r3hj2}IIQZL
zjxfq&brb{kj>@ep2XD+Mnip0_RGFzVK@?6%`w(!|1{0Dfy82?lUtn8}m~2HnG*KWC
zZHnN+p|orvp}`XbZ_1Ua6TcSVD?e6l?c|+?XdQ`Q5D%llnUW_#Ubjnc&horAx5#8?
zAf_Y~vUQQv@F~`CRtt8d<5_DnM`qk3vo1;UU9zLlhxtxAiWTBXZ9!&^2~7mc#@@ZR
zgKTw9nl1{06%BZx8dVtnZtOY~nP?@YWLKeIzHVVA;Xnf(^QghdNtJL~;G`NPLr91k
zc-GK-Hnz~o;)pOlt&^$kLKvQ{+d=sPB62qICSeYWb=@EG<6@*SR22@K>R4>O0C*k4
zFQQ4NCBZ`$pFXg;Hy~Ry786ie`VilOlsR6Jgy?Z4&%DDx!iTCRCJHceRRJylo-a0A
zVZ2TQjq@sf;c)ew7L`;v{ER%HLkSb~p(7K*b(cChdfMQVmyAv{rP@+fhng7htlk()
z_~Uk8w;F!~z5wb;NYA0&0<}{$Rvou_`i<6QMXLat;X#PY1^8UigqP{L3SaRdP*dwb
zc@*lZ=|+Jpyn86PtO!(7pyq%GP-yUFpwg#-ISpkNyoOB{N6*(nBsFQA0m5+wfashf
z+eFx3U3P$*DS&HJPpj)~%BvV!r7=w^ihR@jKmhl23}#>mFP19casz`g3Z=YNO$&s$
z_sZ#w9uhDEWelJaOL)o@0zdgrL3#}K^z>xv*|5;&y7#$S@q=)p_m(8_LKhxxL6eV}
z>V)F!N_#WQRB0*6M8hvfQg$yO4VG>>)m-q^J{6|Z7baCW^HLK{o8;I}z_nXcu~}<i
z$&4|44rJHOf#>P2Zdakqt28tV7N&x`c0PLR1ZeY?g{_HQ2J>b4Tj_o3sp*_@W9*D$
z=f1KIgFU2gM@rCdu}Z=LWU$wJvUgS}Qu)BP-Wy2El2^OAi*#FC@J3jcEFXrxRXsT-
zmr6KCeY1SnzOdp?resZ5NjRM9MqkE081z~WaF&eb7r2&XEciGwj5EX*CmmBJiXTyB
z6C(z0CLphnG*y^}z1(mc1tFVoh7FR41qZ*e&7kx|P`TiQb7{mn!8Z$-ub@&r03TIn
zR`F0bu`4@K7_6D8dQpjm9(xj%K70Ba64OQa?JJ`f9x0$)D50{Q5OYL?V{PkhD!WPf
z1n0PFY>(1gjOWE8qJ1>$E7IO}bXy|JLyYjt21n-cEwvO?$2=5jpuoDgj`t9sr??0{
z0-An={>%Xu5LWpx9xWR~>GT4jvErIPRm!8wN{dKYUT9_4ahPU%H!$!>eMTd#Qim4q
zat%@!TAYMmNFaCiT%!yD0QN*eyo_#r!^i-(P#&T=8!yn2%6P+*0=ocWJz}o=)m)tV
zv74PWbMAW&9UN2fJ%VPL+`UwKCitbG!Iy%IcbDO0-RtF6{S)Ygtayv{96ti&drsRs
zxcr<f>eW)cIz@g0L1dVV1nWe#=6bX*oz0~BYT0kyn2%(Q`ED`X7ppb<G*bP+i`18a
zP?H8=u&$-2W%r&PD1~uMbg$I>=ir>(_{lzVU@Yh*ZHzdeZ3<A{bONZi#bE0|?Q_Ik
zgxr^4&CeK;3q>D<d5E`?McR8{L`tvyjW9v@L05M@=F}lCVC|e#qZ+twU>Z8nDIe+(
zzhc2`DrjwsXrszfMOB7~^(0jEymNr|9ibALea&zbYk`fz+WV->9vCpZ!NO+8pkJ4B
zcnCHYDZN7}&J$S@y0d-u7ks`39r0UQ-oaVTxrBPnBuubmL`;b?oDYo?Bpmwcz+Y{X
zEUV3p=gMpp7(v|)-UZ027YDc!Wg`!c3Z5BFD1aB9x6-6Nr>NIM;MGx{To&|JpVrmA
zr8w*yXPOwm9l=#a%3i^!pnG@;eR?mJ8PG--WA{!CJH+X!ixDIGCfl25UQH78I_MfB
zB5v=<mlI;>$gIePxu-`_J@g@7gX4MOpfD4cIjq+ci!Hbrv4_G<LG9y2-Drrokwpm|
zn<G%<_88dQ?xdnhW?R}zm6l&vPoN0rd5a2pyl1gFo0}ZTW*a!B8+2ejrYebNodFtQ
zr)ShRsxep$FoCpo7ii|n;tp%+Ehv}6jqnm3YI&jR<d}Psg@I`RJG_kv&SuqVvR<Ly
zjP28G&VD!WqA-w{#~)>}VlJlIK}vV}0HJo`jb60qE<QY|el+O&e8(on6jvbgJtaC@
z7R3m?Y9@Hsa14XRvFmIX{4m)*9rP~;EiSSuO*Lp2a7w0EX(}tAz^_3t*nnQpu1qEw
z1M_Hrqxvg|s+AZhi4G?nA{QvS(}`A8y?A<l)U+=H`svV0ItbiyoN-lN3Gl>{cXPQd
z$Z|+V$2yqSaJyc{K|c>Pfd3@q_CONYi8DG;Q!i~CUYYme>5BFhLW?SL(A$g&#Nrhc
zlxf&a_VzS4&sfMKxUkB0=Eli;I8e7)Cs^KO4TutYKHDMlD7&<^Bdf6a(RsZWwNJ3!
zU>{M!xprpr5Vmz}tznyZ+^IU|oSH(Jpe?L>x<{u$w+VvM7~n`C=&L=pl4&ljXO#!D
zvX8`5V4~JWHQ#!ZnX!`(xP(qIUr2VpeJhbK4Ud%^ZM>yniH}VM1U=WL0phZlJ4D-7
ze8-?#%;foV2OuJtj8ruc(lj*61kM|M0KIj&!Z8Htder4)-R>wMaMVY-EKg;84tQ3?
zZ*VY+y{f5D->brEj>%Vn_15^Fx1MnN(-wMFh_Env2X6r+JH`=)nHeDIJx?&UpTp*o
z?Uq{|Z(c=1h)}bxS&&x2N`tf(4<gw+ICiAe+Vw>@<q0n<bsK%GBf}lET+gPoRw1&O
zz+gjV;$3@L3b{gThOe9x!U;_=Q7pX0-AQvPd4Z^E>CJKl(+v@x&+)2LpImxilN2i{
zb_|RQ#WNQ3t^-0T8r%-a;>&efef`9dNEzEuYigt?)v}H;#y0OBdrdxbu9Tj6{`iI9
zbhccJF2ATTMcOPIl$PVsC!X9V`jB7HFv>X|4xVQ3*h|RB1TtYhCQt@rTD?a|RL0o{
zcvRh!Q6ty-Vr{08AI^2%V|n!@;j=FZ*%KjIsZ(?3(ifwD2_D~Q&Zkqy<@Tg5i=uSu
z8a0gv;d0G-Fl}u}lt%T1z0Dktlnxh(=dYj`O**w6z6?H+Ehq)+tp{Dz<@2a0A4Tv5
zMCJq?h%A&Qb!0~uT0$qC<4OGcItEn3!ZAP0t6&I!@70^oRjU_(Atws@ic8_ZH$8-H
zRVq7DH$-c&s}!@Z3dV4iW3YHVEU_AetnpI7O9yQpnCNTP<*~=_Ws&1Udg)4&VtflW
zv^PTvXi9h(<)f<tD5<g(4^W7q9Xs%4INyp;l)SSPgX@+|O<7zf>U)wgdBZS_Jk)Tp
zHJC2u$pDA6*3+=@u<F$vKGNWRQ{;AH&m$_5c!!sWY79xbqUDzIvQb~3;~j(_5LW0R
zSj;nsFgC(w^St5RJeS0GC>FUpliM_<b$8Xxk&iPejr93@iU1ju^JJ!%6Q+w^K7q7-
z4JXaZwvww_AP3UFnbN~&)e|zu<t{hUO`Bujoe5|=NlU~ukmv5nIfK-*FfQ(<ux%g@
zBU}j7o=ClS>0nh=VJUBilrd<;O5Qm6?o>=e7yIb5$GZN&$<8U}*{OHF<8-*rP3&x}
zW=~^|W_U+DO}b2s5JHI8Zm-~=CI;2z>P}N>n@f#k+EEC6#iew>qMoO|x7`i+Zl`LH
zqmfIYI5Y>XTNQ<YC`zqlo+gUA=QDle?@2eY3{Hz3tjRtX?IV87&^#nWJ$u@P^8}yZ
zB*Sq`1hCG#*AipNC^0}YV0f-fJhlKTQ;$Ql{93{Uz21Aks^uy-Y}YvZsP~v5o;6+C
z^<%N9hvjfOQQA2G-t12-RrGoDVCa{HE}vWBc-x9ZHL|fBqCSZx@y6GK;`IpiB{jb~
z4~tFblCer}*rkWq<hzIxdcq)~VM@>|YyeU~R@Qirf+||r3RJu5(I~^X!5}?LRG?H8
zSZ+R*3^wDHA=uew8gf}uH8~>*)l&LTL!s0_?Z&BWwYw)yIwekd<xeRBcSg%k2Lx_K
zivbP$DLx+^wez&wD8ziY7z4W`n5Kpgw<Z)YQ%aBefJLr`cvFFOBB_P0FT3=RCkV+w
zkClT7EfS1;0M$fxL}C5>;Y$p_(ImWyb2b2#5KD?q#@SkP4z=r!bE7KF9}X`I@t)$f
z&+93;j5f463w$AML)MLno}w=AHlG2$(Kk_Jb%U$DDIH`W+3g0TGy|vXZY@55{y?SX
z7K0;cZM5}4IyD2NsdDY=BD`J35Y~en^a@g?ohZ4xkw@L)H217*GFOFZ@HNR(5vh9C
z^Ma9kP>i5)s95|>V3Vf2oE5Rf*~`~9)U=(9#t3!@JE`x*rZwUDyyyMvr2*dRiCR6G
z0q?gx>vtMaWGY}Jl|{xVqD=BKL=8#K9M-%mu$<&AtR`3wo2?kA9^*rru5>I7xJs7x
zHH`M-z2O)ti|)4OL6;j)&!`<!6z?@Phhu!G{8-6aA@<H^j-MwWy+v_yh)(2mmMcyy
z0Af5Vi*zNvM|<jk3Mmd6ju(ab#68;`ss+#yR7D@Way=5YSUERohBe!#kV{}%*PBUG
zB0vgi-WCuVke98EbMC`y2Q*YN1|bG%b<gfzgly@V6o50fOWbqC<bA@EJM3nDgDPIk
zoPcVM0)^9=0E-Snv2AsGMo?fKK9lpMVbG_BdtIF;ij5Rg3sBK}(EKEZcVh(m)hIyD
z3iPz;>{L}wxoc{n6jMUOfIlZCz-3@^&&TXSmv1$qp%rD}`GK|*_DhlQ0&D?b+Boz_
zi5;Yu_<BisJy=(o`yn}zP}f5%0*~&-|2(Y8;LV$zS)u}p6GJaT){T34sm|?{*IY*3
zX0PReboGp6n-Q>Kf(2yxx;|!YRA`z9mrYGaV=yL<a-Tti(|bB9?Yk`sLO9A+m?5c?
zIu1Oc_#pC~*4-M53WLonqUat@kEsh`>*&A+OdJT4ahrAXlG|KcE_V$|*QJ_v>d{sT
z^L9O<DDb2;T)fPN5H+xEG1`1Zd9Gm)o4E|6D_kNT_X_Dr5M4epjEc=!I%|+oH!k44
zXXufR6}1y7uey~LaKoC|9@qmUU>kT9nhgeW1#9_&-Lc1ULf@;C(7R_*kEXp~RHgU9
z?Ks|W?x>I{DG3IN5T_I(2M%YUHITlSvy2QF2B|Ncx%o~nrePb*n>&bDDrOlJOPv{V
z{0&suJ&+=V#nwc7<^rU7@dBT|E|>(xx03X*J#u%qRw)cZDav9al^cyQ06{>$zsn;p
zdElniX@hw6h=K#So~AStBEG8aqeYZj1)cTIHt@#TY`bJ`Q=dnoa;?qJB|IEBonzE=
z5?t8!0UTHRTtp3vX_qvvyW153t1L35QCx>fAv}}=uy~Gy8;{>S$oHln-@WGyOLN6J
zm09g<`o<psf#os!LveeFm0Z*1tWtp|hv@}Tr{bWMfYl7Vdg1;EL0tm56&cEe4>ikx
zb2@nfy?OLdH{LeAn^as`>v}9ec{$+robat!!4f%tc<2CM9tv|S10$o6Gyvhac``Vu
zJY65CVNgmSLI(~%=@cQZa6&1o&1}MUhnLjM=N()lR1nmS1=c&qL^8UA+Z4}5M2={|
zQ#Dgvg-S^ZsE0>K&jMcFK5U&QMnsZ)F|o?~7F=w)N_zhjab*IMgDUI!3>&vUd97~1
z%IXJ-yB-kFsCgnwiVo{-DU>{RA#O<pf2oC(F}t_uHUMrXGjM^7*}WdP!t?9vW3*i3
zmVJYyFb=WLFJ$Q1o@jIXo+Q6)4TQrPz0mOJVDIo&eGkiKG1vS!15g{Ujzr$^J!({!
zx23v3Vf7H*aiLw&Bedq-)8@=*#Ngw5C9k59IS-;wdGS;mUr!jLw-ZiDTEBfU^U%$u
z$9aU8H*?VRmh6&1>cwk~V^)t1YT<qRB39G&W$!Y=njLmTl7RKekOfR`gF*LO28?b=
z7jj3_x9W~wiNP!F<%qobiYtR5Yt-|F=}F?V9^FKdSAtKTg<P?{r<VZ{G3enTao(jN
z49FQ>`|M}Syqed6+Bl?`L}TOk?BTp8_(X%v)Uj3lfoZE|Zf-V)xcjpm7+pO&K1g@~
zrT_!H=iR87WhFN1Z|*!8vVEu7MQcdI*k7tSX#%h<-rhb~O68QsC|%J!%fS|75ZYbj
zC=$u{6eqJsI$vuiJRK_IxU$@3)tQmoW<BJ7vQD&m)WoT@MNLZ(WrScDT2l^(v4_Ui
z>Bvhr6DFh`zi7gam6)flpBRl2uAsWjYZt#|1XhhPEp|^BIF~zXNpVK6WH;#5qZSMc
z3&tLg6MW2-^_Z^DRk37;Jo$zWXHbS}^Z|%p))<g=xNKMZr-=R~V*2BSw%2JKKvrhX
z0Ddpim}DegsKQ3|f=MSXUd2m>LU~DYd}h{=kLDqZ@9YEYqrtaC%FQyk&1LeYdXLUu
zoNT#ci!;;<<mVlLTaR>88y_)R+ZfnF-kX!Tch6P=dKii-=S0o*{xdO)jnd3sGYYTz
zl#VVsg@~vLA6^mCWnOQZT1iL8q(T_PzKY0#YV3E<soQIYnpz@(A`s$SNQBaac|uVu
zrz<uL8#WVq0s^cl9^k`0QVi~qxT`gTsD{%A)XjI;nXXX^tFdDOZ({Q0(1>iZRi781
zcxF9q+&pMXPr+rzANQL(+zOyQXNWSaE1Og(OXs^*5!(6q=IN4SbD}6iv=NlqLtju|
zeE0-RV(R3%t(S9Sr1rqAy)s|EC514f3G)*|B9aob0a@|q{h;It#OjsW9i<+VWZ1rl
z?rSsTBA<KDU)qE{Pz&=n&Z2jC=x??t1ES4N%LBT4ZqYSlMv2K!7l#Y=jKeRQ%N_D$
z7^N^s`skYB!b;RFR$wJj-h`yo1TA-+Nq473u{@La>P6|pYrQ~Jibcid8M@q5!;PD{
zH!B^y+RJrZ0Yhp+dqz)SH!qdDgw=X9e4|f*IeHw;Zn<l(SxX~eO=xsUpN|JOq?m%{
zNsz;+NUyo+V{XiPT6OrV!?Hl+?ZPqN)H<Z#y1_UAS<*oBHPMrf#9C^2txueam&2)7
zCA2Q#qBIePs>M#HpYL-tFIDQ5vFq5ohRf8hguXJ%h39M2K1HI@Nbll7@r(7BWUo0P
zb<rM`CRzutFL87<uVRL6zxUX1K%D_$B;h>{!fEj`u4Gi56z2vW?JpD2zDxwLz*i<0
z({ng9{@T;<ahaT{KQv#5%XB!WaXAA9Ts2%qnz-sUI*zm}dA5KXq(@fWfwM*^61Aov
ztsu^jxf}vv?bpvjOc4~>bYwT+0RnDEnS<NWrk`iMa>Px~36{~0GHQdA_x^o5j}F0;
zeIqKsBRp`u&zrLxmud_!f%z30XVKCkcFVy&u7(xN+1xJer2-+^jW;vsZc%-6QPP*u
zbEh*mt6ZRCTDn6DfmqJ9Ua{(?YOd+S+>e|rajWr2B!xLc1d3$(+5#u?`7!Z}8n2p@
z^Pg#xuM_*8T+4cM!()kACk}^+Z6}K47OqXbEvWJ%H3X!$gO~UOFQAWfZXYx1hyb`Z
zEAhl=Es`+quV1{UryE_U4-b5XB;S@0cIK1jC-=IiXSQTVAH^dgLb#M*aQBYPJ+Ni#
z=Pg_p80O+#@D?Wo`(bolS)Qi?%1*{y6oF0$Xp!&PQ7kn@pXg(J3s}XHJ-#e$@5H=M
z@KMw*E0Z%1%IlR?LwD6954PcyEn8qGkT8_gSt!tAd?b*z5ZHU3Wc?PI92RIW(u@_D
zjd`ztuSZ`l+4DAzBBKK|lh=m5Iy-=hq1bN=FLAkQ(7_2Id5E$y+*#Ay=Gc&OP1%Of
zVV0&8fmdp=Xr82tlPJ_-#mQx$8!G7O<2aLf?OooQoOEu2h8HEFBAR$+z7^@V(4>Pk
z&<d9(j4dOzJ8{Zo8|VODJiQlQ;(~_hla16SG#B*T0K3QGo=3e02fEH05<0V|W49{c
z=Jf8;_Z8I~a58hePV#U<nbl+)^lau`?1o*q7C}olN9|YPo8WCc#J!ss@6DHrBws2X
za>t`q>f&xmnIrFbM{|h1;8Bh$X0`5aOu}1?-jq|Ag0Blfkij)v1s?&%t0?T!N@DaH
z)hB~<girEN+yx~nqv%9z3}TK1dYM%tLSOl|gFl-{aLommfLE<ySOj%?)~P-^S?oFW
zpNpOj3(!oO5`!<hD(psZ{mJG5Bn%36Y0MxSv*{EV96=+X2F1EBRDyb3v39a}@d0&_
zT8~~{zrw+MBHF}`_Kr!D4Dnv;QoS7!4h{CyUIiTMd)`r@2IJ>K2;0foNIL?dvI*^b
zY%~krhj@MRnk9MEjvk6~jnO^P=Lc5U9O|_;{+Mwb$>BkhNC1@0EDCXv8Y&2?T{Vb4
z)y2|4VhMxA6uDIC?7|nC<GY!|ewo>jvgKllUP7s4fWFy~3W76804->NBpQ%?!AD0n
zrGt+R{0hpN+xfJi09m3{eFs)uv18Uyd&^vsJKBs9Lw<NqN+NBrTZb=dA93Gq(YY~g
z9V$BxJ~B_epc~W?lZnN%Jr8qoA?RRxh0;`S-R*>0I2>@{5MvPBjxwTj1!$jJ{g9~_
zKtuH84okZpST2-KMz8T^2$$#h6K=?p&c3wmNUAH*J#%1JHP7r;^ru=csbxpt=-HCi
zqR2Z$#sQPmRynRIhmo~KW=C*RET@pJmEl9D;}fIeaL%fCq$LyCp1gG2og5Fvx4Kbf
z_D!XxI6>Qcmor@oRF?MgU>XdlXSFh%`_%%mw%5*Kpq-*Hk3){X5=U)oj+YT&MFUUk
z8t#!WP9hvg<{GMK8nMYS+fyNN1Iq%V7ZL7j1@o|J>H^*pVux|E6Eo9T)`=(#BZ9-1
zi%efGF6(pHiWiY1{hqRp%#=CzG4HXxhsyN&q$SmNqHB6a+|De{0X;?~GT7wODHT)6
zRJI>s6=zoH^p>PsT3!Y_*;EiKz76tYUcO3K7*R9WbFT1b*`1e^5&n`?3i-7y3M8Qg
zE`o(1yZC=HmWc-N87(DnNWBS9CF`}uN1DJVKkX{$<;XQT<B371Z9!<%v`#=3zr}&&
znYON}@-v(utk*4J6TlgSW|bu=Y*lL;#4rOFn6~o*-J|S1dd$9QY^RcUt1(KQg9SsD
zm7WwG<WEY+=owpFi$05FChmCd`Lf6y9L>W}jHq^aE(u-&JDCGv3`voz>>dM2vdr?0
zWVh2Br8_!IDS^WceUHK*&WH2%h%;njd9N;c&8l%nq=jtg?Z{0+NmXSVC`>;bFqtK`
z83!0x5_I2$LXXI@fo!yJ1C}amPr`mV@4#Xo*kcfd1F_MI;s&#}t_yEP#nloWD>&ZX
z1AZ@eF~&IrJ4eJN2Y$_dlO)2i%kEDloZ$7%kL2Voug(JXeo*30uZifn*#oldUeok5
z;hJPfPP?trtykd~#(nV4ZjK;#{8_YbvkGYoo9%9rWs%nj@4IO)xo4Er*<gdPnBKO_
zT9YPi_plqto^DDHK_ODvB8}*r4Zm?dkY3fvsW_GPG+*jx*{YdWm`sdK@8!~~qbD@r
zcRL3@#|Po9ZBQCR=`oat3dPrtmm~H<N&#pZauDJ@dnd0F-igr2oTSX7)!fckl>9v6
z6fU`ECs3YDBG`3@75TWJZ?ZsjII~EV`jN<vJ=JU$s#q(4E{u!3-C|^2;3vHf+>;{9
zXqyRTiyQnUqrjJpCfh*Rp{@&fw>FGb3M0}l$|86k*>g0Wk|!ZALD`-d#-KW&<rE2@
zwvR$)&?#iGt-iRU$*Sj&R7$}QCX*t55v-o!j3foH!Du<WWnL-V+-B7Ig#!0681W5;
zpg*l3+0r*Q(6rOC&&U3?5p{67C5p6Yd(?iuo!DdQ9KKMEy}qi!7d$DJI#GQ&k9ZZN
zkm@y->E>0KylK`H7jb2girLoY=Q9gJ^zIQ!-`as?7#%z0A_$62H3{kM;=J6)pi4t7
zOBXnS?$z!uq8>xmvB^teQ#Hz-B<SjXbJN;3n?5r|Ai@=-EM_Z9sBCZoW)tWW>^DOo
zoldrr%<6*{S1f`sqUZaZ_g&Y;%jg3%U*9zWYA>TVtJN}h<GIxC@Xn0~VQ2Iya7LsU
zu;Sw+m`0f6wVE_4MPKy|Sv3;V@PI>nQe1CdIDuK<@LgJvgg6B|p`oG6qQMcrMiM;4
z_o8P@ZpPK?@$sDKfu3-+<HF{sOGHe9+`~-?l=Jaie6!%za~92b-6dX1{v5B)r>`GE
zwh#{a25*K=N!qYCj=Xk&>*8~?Wox&w;?=P##%9uf3DYUVp>FSl?clw(hgcOhT^VV!
zZH#^umE{z<0(B2s6~)Tm#N|XfNAHOdNz}ANIS>Wea+}GRX(%xgr|pJAS=6RK;m1Ui
zIAg?`PtZ8b8zLkdnh@3G**G7STfD?lgcmx&Hg!#XYi~yYdmnf|WjrjIeY&n-Q{Z$H
z#YJL|gPnx#PL82AUg!As(79LXNxbw!6)_FM4zZ{QSBWP&&pJ|o$TN8CIa}B3TRPIz
zQ)@y47bO&zd_<Bj;~CSpjs9h$hDv2AQXkVBv(ky9FmwP10Wy-DXXFZ2s=AxbPHMy?
zeWG-gl7tMiyl6Uz&Y1LIqAOmnHw{yUox(gcfGX)E^S<y67?ZGqG{Z<uZ{sN&PcW9b
zwtm~b84X}%Eoz5F(1WqhF^@o0vfbf79bX>yus#Zg5`puF-OTRxJh2UFEH$9#7YACX
zFhIzXMWQ}e3({$qOh|wIuFwoy`$>T#iu>@08=$OX!BEs=QAn@{Y3D>d7g{Q$0mWwu
z){Pz#SEj*-sY(kbC5!qj=jH1opoQ`a*t`IgHzIpzz&IQb0+TvVnl;IyB<Cc}SY0Rx
z;7z{w3ZzjR_@1%Wo?2t4!yD}4^vQKXcfuCww?<F9&SacK`JPFMdiIt(IvTM^$US_g
zB+!>L#fR9K2UKKnaL+2H+ILL&itBZprwXJfH*ULTU91bf!j;*WHbuu>CI`wI!w0F3
znKT24?oX*7kAR7x2Mr7aMC<S^Y*!}_`I%OLCe0lRtzj3qUx3?iOVB=U*gMXv=12Gg
zMVX7(1Z*5$ykK6H;U>(r!g4&(xSLmAgIoUS#;6-A^psu9Jh3h?<w;$|W7ethmS=ce
z6>Lku#HOTH%5vcwC&jH$0xa@;FUfpkC$_>(Kx6}^cTSSFE7lEP%SzV1E{Om|6mEvP
z$HVcQZG|YQdx$70!hn-kHaDY&n#UwzySV!`RP(sKenE^?)!wutgtXIMqz%&gHj;O}
z5jb}x$MS#_&>9opBlnZUcT148git@evW$nXWX<0WS5h?^AHEK-H}D#rKnC){Qn2T=
zHrmQVf#&rgIj@r-6r%F$4n`4%XJgRwrK5gdV0hw!idsz{M5_5CNyxi^^J94@TtLiz
zAql+0w06v9cBc+BDeYL(3j^!cAbBG@P1jz6f=%(X?BE$kVT5!%p2*1S<%wZaHv(V@
zSLC`xvmv8cMwxgbX!Z)=3Ccc>dAD_N%gxmIGSNNVod5Ij7v;>Bch8ByPa%&l-rGDs
z8jEWn4%o$4htF`k9uI>15L+sXvO^ig%fXu-MSO#n+=7t12|*JclpETw;=N!n)qdLd
zoTU-)EQXdjG4Z8%EC{qt@j0gw+K#^G!-2*y_ylwpGVJD+vxxXDR2%lT0!mt56r8Km
zbEbV_;T8q{Na6vr6AcT-2=j~FvSt*pyg`h}%I)K9UsAD($9CSb9MNv!Wl!d`&uSg}
z@hVMcyci}&0;rhtiKwzR%~y6tu(-0O>>21C(X-aYj0y)HR`pZ}%gHpengknYg4bA{
zH7j!1YPn6DC1^j%rEPzkIQVo>6DjA=FJ4eQnB|IP@PKg-V+cnbeYwQ$p_y-=%~*;7
z#sTPIa6f(}O2cFl>BmvH1CZrmn6?FS7O`o>`syWn3vp$P5Gn<kiN+oU6_X?y7%BUD
zn<|_WH8l!28Vg*&8y$pFV+^lC<tV4s+Svzi@3PFcd=f;97+7a}_<Rm=E<7n-N}QI5
zB`aH%CNI8>Nh~tkMZdF=wAIKn3<j%XV6>a=dRM0o5NM6=OeZ~rrtzK#;vwklu+DnH
zNI|JQRS{S+Vpzo}Gsdv6wX8vhJ7ttzbQvysj>qgb!^^?ysweFwK!_@vxAr8SMhxU~
za4MQT&UnyQQ4iFeY~H~&#qkcy4&#ZwfHYpseu19S+$AAjKHB#!hH<^*V!;SU8HXs@
zp;jldM(uK2xobEIFN+v9?V*bZtQHQc=&K<;H3GQ|e3#;D7J$|z-gwuzxT5r=xa9GR
z1xR5R?sEf7RYgJEMpEF_%oZNEXNg4=Z~G-Uz|`%6P|yayBkW(GpCHO(5d2Tbdsf2M
zqziR4PZQ<<l?DXy?f5k0suprmpL48W2DHHgLEZAb2N_UDpaoUTAgoy>Sj9{+fV#12
z>n7+m_HcloF6TL@ZMjpfVBk3|7%|7Ff+|^-P@VOt91I&N=JP#z($z0sdDx>)BI$|>
zSvC_dHe&XXaCE|gV)q5_jYrC*>;0Z>6z3-MT(hH=21T+1R5`2g2rV2lHklN<Y7RF5
z)i?~W1{0ajt@M}y92Fj+9@>L>DT=fn&4UU-53@>W$-w88WB@FH1}`YYy>_Q80Psxb
zQ-5&`6Pk>X0_x$<K~@2UkVa4|VX;ZzRb;+$2+=+<SObH|cGsFW#?evTVK~-I8FnD3
z<Yn^Ym1c$Ni-((&xV72x?s;(p?H<*UgAsBliAS*PI~4>2+JW#lE)Vkfk>@+DWU_kC
zSuJFl?CFYe8%U#1$;#<s)_|IMn3WF#;iDy{lFgmse!MRQtl4JT1jT|CMuVAcW3|1K
zo5WD1hCACArN^LS^O4+vMh9cP=LL}5wg_mAEm#ad2ROk`A{0HtVt{hMOS9ND4f=Ed
zeNRB=qBD)FB>+|66-aK?0v&-(mc4z%?m#pVqm^<t`YaUP{4qUy4@7AU$XIi$I^63$
z^t0WFivvvq@`WeW>voMSSt(ski%OB*v<j<yVpdV?H+=oj5sfF3OZ`wdvy9?>3Hj(t
z$fv%^xB1xP@f4KTzSW4TJy8sPJhnDH4?{QI^*RE_!=6zDJ&mS>0H8p+0$=FTdUg_M
zlw02CukcYH=U@OS&l%FaS9s9Mv|M@}(KL+bX9|cGn&2;4cV%~VnWfocd{>9!EYwlQ
z%_bw}_+AM7yG6D?=)NZx884jP;=r9RPIhq8!XYG7zLZ%Ibmc&udgIonfG{N}gainr
z!(w`eWN%aF+Bcx5WP<rp{WNu*p-n8GtkyX^37vQx6g@QZj1vqsfXe4+Kr)6@xjI8E
zY>JYZw$(}vX%?YtXc1o)kv)rq(?wc#SPu}7mfmGlE9t|LOS)BEf+?_ZnJTz&=43WG
z6LC~~{RAWw-;~eOGlM7g_I6-Ap5^rGcVx;BQ<a{*I-5Cv=RSiqOx9xEuOmHlaNI{k
zDRCa{%c(nSpjJfL(HGIOPeX)4>JDxCIgL`VU=4Xp8nP{<5b@DlcN@<EeImA2BbeoT
zW6w&#1zeJm7pjt>ajLn+FmJrHVHYS92I~eAvzL`E?)j)PlG_!TU&zRwLZzhwHEmHn
z5mT&(r4dgEC>`9NL(f*{p=WugujU3hL+nlIXd1`7cCI~ttC=Mu!1pqSXlJmiM<B|H
zj+sagG?%ccYGYqQAzCTWWbl~ETMou&d~&s@@TP&WD{l(?M1nYMWSDNwgKeM&oJMpX
z6!)B$!<%@L59;t;tE42bRL?t|NpA$83Q7~4eEaZ?_Y<mjM3*IjURb|`Q{Pi&Gebgj
zVdp1ytycxM^ul)6d5!%|8^XhPEB)>mZTzvlGh$mdCFxUA3mj9s_a0M8c#OZRoNjyW
zwy1b74X*<Q^Bn7Qi*)!hQeN9aQ#}cBF%3dDcaVd7H3~CKtj^QV<sv+Td$3d5_FP7A
z+Oeqxj-|AAErZ=&aZM$FQtN4~9h<&DZ+6=EaF`JSiMqWC7FW4td5}xES0o;sE;PIt
z%6apWRifwVGibsp)Dn5>v2N@0tZ<`u=>Kn#$&UwfMDbpv6u#;hUfPxs7JY4`xS_rx
z=c9XUutjRUx})G!!49Eww9PP^O%c1PWFBJOB#;Yz4drS|todH;NU5vAA>ySPLxklh
zf@xZYzIeeRP1bPL;liX?ChZYfiBqdcl7wj>`@m8`o=^D(A93^`j&jkVd4|}=i`)wz
zOYY4Dria`lSdPyQk15|F)AsiAwLXS8JD3iCR>AaI8n}h>$u^-aOf8VjpuOFYTQ2~n
zi%MYL;kDZH>6tEa@743clBotvty8>tqy$FJ{eXNNkP{yqOiLEROA+eO0z%1$!!<AI
zb&Ge_TFpvordar?k^17(N^HAVYx8yuy0lt?thZr8QixRLwuk1KnHVjSUUJiw%Z498
zXdy<n1nv12n^|(zDyFUUa^E07O~OHaQ0s|3L;$f)hQ&R0v;?jqoR;~l1Cu54wM3tu
zymt-wa?pjN)nO{HLpJPjJf@kP6Q{VC)axsA#k>sjCGZgl$cZ?^3)8n7>K1-8IHP-n
zDm=tKpe=16OE!el-QND3MK<02kRCrG^b|!b2VP#=1n!w4eX_>3CD2JiSBw@;0b9|4
zZ<s7u$6eCB!^@+Y*G;V+zM02D#JkT*w@_Z*Q^Gntr|0yFUz!@P0p?Bf3mc!5L2$Vg
zqaMi%i*$ffB7VBmPo<6kK@K@X?`U#T?a6&A>7Q?H3rJ+j5-akZOOqGmJSHN`58Ffo
z!Sg1Xb!v!pp{(pqS~k`9sY(q1iGeT|p-HFWy7|43_X7^*1+8Qq)ar?XD|ZWwtGE`G
zyS`1v(*5PGFX=en9<u|O%^QywH`#`sIXrLOZ8qfqG*@y!SHblDb24!N0=b*OYH6_9
zo2aZGQ-ZR2duB1XX|1wwE%)P0tGAwa7O5hnZwlAS?7g+_DcfT8gdGU0j=O`Y^C(<p
zQQ+q$$aMM231((S)4f8u*I5oTJ?hl13dkPJbzD+-(A}-!WTjxJD|DL0*-9>e`OB3&
zPSm28vf`1F37BiN#Fv27x9n90SS$>orIQ5RRN}1EMWU??mUJ0seZ?eYvo&doOoSM(
zNVagB)MQENNnj}ld2F5r2a>3dvo4>X*n)bG6_@LPGtXLJ;)3_s6WUi4`eu4yL0tXD
zB>c5mS>@$Ra5|<@R9D(yOm=!fS#r1dieo&``woD*02{h+@rJ3&3urD(o{|!;$(;3*
zauIqM&GV+8_Qv$8Jjt;mR&wYXJRtMKSPNANK-&<{hk|!vK+KR3*7hu-C}yh4&kW!_
z=o(lKFF+2a0#ULA)l!_GgIrhEd>a^Sb%ePO*nA-Xv`~(3V%b=aH4MgMk!7P$<i*2+
z!OlKaanal-J;C?*@-_rLs)+`t!co(-1Z8F|<OY;;yO*n)dmkGeD`yBxN?caY&0Fr;
z$J+}gvz-hpwSa}ldS?v0qU&I~C#bczmm!{WLeqPq1WoTz`?|1~0U`%RJne+(p%-2S
zWFw_993WSn65-06v*SdC+TCuVZ(ZSK=JZ?MB|;UJN9nH~!^vvXmy=;%PO6V(M74>!
zlN6~1+Ix^L_(0$hcK40ci_IP{)8uEbS1aE>L68pDY_;<4$gM%Ut&yJ8oI-|zJ7S7%
zA4A+inQSsox>#fGh*{={cbkH(l&^J>@r{;F?yzp<8%={19lU&-S<QOdRFH7QFNiUe
znW$y|lXA(2ttQAS)*C@@0V4ViL*LHJ?g~Q(dO~<x7c;|1akBQ1`B`zj-G?9yd+gYS
zRL<BA{R%7inclNt1$)f-G#l2hbhsJXPNpAgOS49x;SSJAR%uV+lU1JJ30!2totqa8
zXWT*kR+E$)%UfLNK)H7Sm<9B5_0X248Gt0M(2Uc~DYEV!&Dv20HukNCYG0|#d7D-+
ziw1PGm}eARHol)oiAwioXEWuJe(I+PGA5$%y#VEYOI@0Ip3_~H{fGfP=w6Tp)M;YI
z6TQ`7>4(%i?39ew;%{$Z?NF>e)o85*oaL6F*=Qy7Hded+;m*()vY`a+8uT974tvQY
zh(pO-nw{>$5jh0Z05k}8!3Am-0Ca%Xp3H%Z9!f@$Km<nQ=&@E2;lyzg&>$?g*#cfa
zXxtw4GcNZKL8k+j8h8Z*gj@AQ-kHIgRW+m&_H(5{=W?(ESIxzcae&9<a6Isurh)b0
zXxqSnJ<S{S?JGjur1zNDAEd2Yt|It&W3!S}go&$Q83yYUV}xtlh+y5<kvb@{@K}$!
znaZYxip5@l5&`FXFSn0uLJUL9BF<StpoZoAI{P)zQWO>Rb{n8`i=?J8JV$zs(AX%5
zL}W_PTNfiQ-_-~J<%m<ylE=Qu;Y<&#N+>HTy5#3WHbzm>E9A#dE0=FmSKA82gM2#(
zB95E)L&^a8lCt))^a+Q}J1={nOQWS;)Ywi?MY4QSxx9YW!!~t~Wfx_2EGr)6&aes)
ztC+2my27rsB5lSC&AMSeW|+8n_hOBz$~bM)br!WYchk;?K$1MvKx4_62GI@Y3f8n5
zUbZJ{u={8;y|+Y<+|Kk)S4(pn|Fx3Wf{WC(nS#unI$mv}!H8wAW*uD0%K(?_n<AR!
zHa+2okJX!+dd*>MkV%9`p3C!OkcU{ytuOR=3-Z;0aOZ-piwJLN#58FX_u>h<WF4-(
z5LMea%F2jUHlFIY(bNtU&)VP3yoF_Vsd$*hJZYU*rrlX%y%Llf!y482h6s%vbDTXq
zX5-e0M0??N7ZS&%CXbnnmLDw(LIW|FWy)J%xPDx#TS;%6$J7u^0BiH{vUNk8=ksbf
zxp^%`CHsc$WVxHs?G5e{ynMlS#iQ4!NM?~|TycOa=)S{Ih(eub`uv`IDL0QXaFe!*
zPA?x6@DsJ=eg1%hP8bxgX#Hl*xE)yGLhhx~C}OI0lR2{v?vQkZc-w-I<xVXwI5iwR
zb>rn}Ad6aU=j@FP&%<5Oeo;xrnT`Rpi02LjTCb|7Qstf*D(n-f!KIG3CMBtm_@Y9f
z0rTbFCh-zYvj~r=F5_KZ+PhZON3VT=ny+~FjWx2cpD}TH)a!V9traj1wZ1okRlNac
zY@L92wVcI~2`4ND$2^x3^w3ifAL7QoVc)D!GgU@8)?q^e;#ZsEyF0BCqy_;qyPhR=
zWERNSR~pc!RlR`TyUD#Qk>2IJtmwUdth@#90^k`y6Ij2qvcgG{!zAMaj`w&^FXD1-
zqNo@RFyioyM2^KM)|myWD4y{4oP1e{^kt>5I*MEdz8G_p=SI{k3jM^%phE{Mh08BW
zBWpW-g2jFEu^8_OV0g)(T|vQvM}RDELBZ}Y2Cz2agv#?`A0{5wp!stIi;-dWn>~O!
z!MG{_2F5vic#{0$g_@iNIn73!3OtuL1Ct7xg(lcQvndDTEaCS58~pik>63K9cHbi`
zOM*lIBW0G8+to13A~Z2KRLqLo0jEyMK-7fNgNW7{sg*qhr%`4?s&b<P7a}#)aaUW4
zqZficYgdnW2enzSmk~;NEwsVS<KD9sd2(e_Q*Tl%BWbQ)H9yI73zx-3$cYiJCz5&@
zo=|A`*u{Loc4eKd>Y>+OvSVj0`bIpygEzex1cfp4;+;#+w9?c_l%yElU?OD?n>a{P
zKy4O79`LhH2p^HvLBT;|JA=n+an$<=`Ap#L@-uT-AA1%;gqX2cPi-%zQ$U|&4uQ+%
zLK(h!^yY<PBNH0hk*URm&1z2iE&^8HPzyJ+pNGELCYB{WO-wj5-rBD4W<{V`Yy_-`
z^%JV`-PcN9Xo?V_qW7w!no--`@aAnDS;b4m2*xyCD6o87C_Tic>|7#A2=5m2Ai@vz
z$;72Q`n2Mh5D82TG=i)L2NyLvh6sa?lRpAAdB($ayF^%*5fjfI;KMgUDBVlfq|dmq
zNcZfKTh&{Mr@@5@?*-Cw-m?f!S%Q)EoO!t?_fS_4+iT3%19@T`^ohKq$Jc`QAb|o>
zw{CjH2m%6t$pMdgPoy1C*G=c?)96=(_}bRDtn_hsMNq-Q<HpP8C+!&Za?x5$vJ@~<
zbYEJIzIw_IcS6I;97il{38OCY?j_Pn^A?MvwPaQ#4Vx;wXru+*Wc$*R;B&K7ZG_E*
zZF6a~K^Ehqpujq^c3QdwA<Bq;I3;-~GtuvucT(x*@c_PVIGWnWGR}A~PB37j=P}tW
zu8#vn&ih7Q1Q8eJT>xVuXqP2WR6bl=b$jEQsuF?CKF1w<-nh7t&lqYAJF_}1$e}r+
z@#-bgAmv{F=Otq6%a<qW5N^Cc;;cvMR$Y$ISdgZAOZga4`7zwwG*fy`EvMJm$a}uY
zoY!Fdi*R);=j|r<^SeB~WFUs%e&NS~h>1>$M(79C&l?zCKiwjvf}I?6Q2;Vr04F{n
z9+zsG9KLI7%Ce_P(tUF<t7jI2n->_5;o&H3zoCY1DO({`!idh6G7a{7`#?y%>y93^
z$=guAiidIOnbC}K-J&a(15at6pk2%X7$2tB2`{55bAwpR(LPd1pxe!@>5(~%0&Mj1
zxosQ@ys-zBHo{VZTL$LIrtuh@5MI{UTp8U6c}1b~;`MczN?N~Et-u9CHFc%9lrwyO
zDW|>16#NV=@=&;tUqv|<J$_+5WPRiOD4Ws60JgeldciW^5jCjhD<gXNrhHNLVRjo%
z$oM2FT=^QSgpzkDg8~yNL6F|Q>jBf6J=lJc$$oeU%HoES`V6!~sz+hYVJ&D7@ilTK
zt8re5Z2bNgXDj<ISvlTZtKYt($()|+r?!))HOW4<xaAm$;Lyh^M_KR18821$Gj7j*
z+%}GwOQoc=cC-CrY2%H@!@)g{r9_c+*>&*O_BeBnTdZZRal)C_ygKi^ab*ruMP)ec
zJrIyzSyVg1SafgrSgi{TgfZV~VOd{|K8VMb0={Rxhb5|;PcZNxZuf{GF@eGy-g*|Z
z0B0<3qAB!H-lv!T<t6QITJWjs$&Q_!yJ=OfytDw%?RhN}E43{LvpCQR=zK|l30)|u
z6!qq1!`hu0ykrvIjVr|J<0S^UeR|h3W35d~DLtZR++j3;V4|QtZ2C|@(uPV-<f#hF
zJd5yk7Kmm7%|t_;5&?Zv5lD<fT|!2pPfkVu6Vn&Ct;9<<uuj>eFBlOYi4ZB5?WkAi
zpu7}&Qk}*zPo3aygB2nR{A%A;K2VViW^ArxmRC?B3%6_+^&-NUkQ610)*d7CrcU%R
zI^Jc!dm&HbAzR!_K=;FB^Y?;C-SG8O!amxL7bG~o!J-ueO2UafX+eU1?y8lBrLUj%
zdcL9o40jl6wKklF<<3s%F{X9Ln9jRkHVI!GecWhdF*IrlQQJHEq8*wKVg*gXaq|U2
zl@Ia(KfZLJlkhwY*gBu5rWu^?VP3bl;M){~wRe)69^Q|)d$sUw_1W%u+A<Cr0K0)m
zL~(>EA*s8Q4W5Sussc#7I=PTo>TYQk4o2OV*-ZhG?_~obC*|InoQ;v@+f#WPanl$4
zgaHz}QTefiR3jmj&uD2cNMS%aiJE2PN&?OGgFByN3{>(A+<21{5A<bT0qe_srx15<
z#l)T>$-oeEM3znQD+i8Oow?%WO5g_dVs9QzsGhPRuFrEy@_rPjIE+tRVdcg!g~=bp
ztmA{hs#lthSj`JJU`KGky{PuOr_}@PagVQQ$Rj}AwN!oMQ3$d``+!kP-~pCIKdS@`
zJM#=u-90kmRmOQdsF?4VP#|i?(YZ748oh1CxN$4x9lX-w5s)SV=EwUZbjZeIZv3>8
z?g5yX!pq}6<EemmaSvv?kd!ozoPNPS!7?5cP;dSclkH2)$wHil0(ny)1gWm4)<P4E
zPu0kkgj^!dEMdwKf8=G+y`H-rRN>XDM~F}+=2rd6++Qktj!1*T;R+dJwQPIFQGz@)
z9w$on@Yt2i0xW4fG%PS0e_Ys??0&<5igHFog8C|IPl)?H=X#m#!!V{jSd~8J(KP>>
zDY`K8t~YftR;Su}fJeQlvZWk*9is9L^wTc4H)-3`(OaGPURE^I<Mz#Y<sGLF#|8&w
z2RhI0GFJ}kZLKMb@J1a(%&7Eo0^vf4RN;BCba@{}>_idYb;#0n*;N9M!a%z;bqF86
z#+uk|GZKPbq3qGtLnq=2$|j3qf@%z4RcIX5db#Q#n_G7FTA%Vm!#x*+6<wCga^h^*
zy(A_9=@;;(+*b<cN#2{(q-8&+3rn|DusPg^Z;dSvFI}sXNu!_NzMl0vwH^|~h<E41
z#aJ7z^>}3qrjBhmg19RqoczJemQr>DWxURHb6;X$lTqV`51PsGDS@94kuDVmc_ama
zW~liI*-cHpDi9)Z@S-DJS%;-VKiL;xDhp#PZY&@sWtZX|dJ!oIwxMas&qcl5*i@|_
zz`VE?wRjDYE<@Xb)i-KzkSK3^O#loYa=IzncAF4~Em|5AaQ7lQ#J<TXtyw{5@eN#t
zY192pe<{kMqPJDWM{183HLXX2UrSKY!JYFAXYUcoo>?ZnM}~$e=uUuPk9})GElOe(
z2h|xV@^V)$ki1nL85KP=L2PBTWZ$5L7L2@V)3^6tD8fVWLel|pITq_^iS*e;f6I+W
zo;Lcfx!$A%2o*n4m;tH|hj)v4`bLw{OgdncAF5E1hv_;fk(lCzIUCAbV1T9!cH`JD
zGey446xxWSbI4s-0Hha5!g7ys0f!|;3eyqrkp*Fc1~kJl5^Onx#xd!7NNRRyOy|R1
zB9s>qXhO2CG4$qn2)~M<M*?-;tT~m}+s#BJo=KoZ!C^G6Zc16%HR@h{*46Aj5WzJ@
zbYVLxhSH>E8JS8?JvQ^M58uqa|J2;W6ex6zY=V~9#baEya%ID4-!PcO)M__-()tJ*
zj#SqnqDS=6KwN710c+N-UMD`%3-?e_<fVN#ok6LZPaldFEG7}>>yd>)AKrfLRm?<K
zB)PLG34VY@$S~@Qp%3Vhs9C%@cg~_X89BF^y1|Ke2<Y_Qx!jeZiXsL)ql$W@YWAK6
zu5BgXik?3Uc(lY~KubjZ-rRUMgx2H1BF5u`D37M?>3V{<qYkb;&v>Z-&4}xWgN!j;
z%2tMMRlVNfi^u7wUTZdw^Kx}oTT3jBKo|8q-)Zr7uW7jM)UCAJursU)b;OG7v1Y24
zvsl=)Vi+q4jHLx<Lv-<|Jp>g3kua03S60pTTAaGboC=dABSBFf?DFI}h!)IVF6<$w
zqcbEn;XMV>L5kP0C*@Bz0A!@j?dClwC&<Xe+aE$ssF?>aldbQfxS|iz-nHY>Q`5s^
zex63qkrAbk$AGM{;lsE&z%pIHEOny8y`2jgx^i$Z1_i$qzRZJdY}v$l14g5ToEBx?
zt5@uF_m(sXqu;If;5;vRX22L{n;?Q754O1U(%$oN*&5;Z+KZ>in7Rzj7^j^2%)2Fl
zQ{<T!IGv|n8Q9g%dN!L?3^;O?I^cuwjH1!Xi&jP!#e3I^BIoI`%`(Y7lU?v4!?<$Z
zf~So6EQ=u(q9v%m$9OX5$f^+`P@kKo(wCatQDUOdaMZcJ?8N6aCG_4g))VQaEqtI-
zGi`InmiJEL%9EI&n`_P&k~S%FI8|p6O@}aYcBT}clJe4^cx;s24A4^Za7w9+!E(xD
zmgX18trq%Ai^WDgnr)^$6_yJ=F?_alAky+&#9luDc`(pW0__Rz?Wm6SpPLnlNMd7*
z`8tj{5DE3z$PpMaB{WvUkCx4Va?F<4PBy1w{iPXQl`ey--a7(ueK_?HCyJaslyn;F
zPJtSqS>4-yNoMYS44a9T!~;+x;EVXw>R@A<$uw(6%h`m<U=r??dSJlwo$ffJqCo))
z(<fvCuWz*!W$_8ZF)OwJ?xOLa$5T=f9DD5BT^i3CZR;2!Yf-PYP>YS2UD2xiT4CB^
z>qeLR`qc}4*l#*tjJ|k~3jw0??7d>>nKuv#@i^CXYyplh2(%K$!TNZnG`p@e8)uI*
z{h6%<VF}H>isc-oh$oK$I)+TZ`Y?1l<)uAdViJ{U2VlI(gyl&ov&ooyR3PB-lWAux
z5QlYm0iKg@J&D?pMKgUH!|e7J7-MauauN=$#q7AST!Ctu)TO%SA$i8Lw)Q$2RUY;%
z@(L#h8eAi5d8NDH%5X=N;Y!(v+-fkhXTf;3hN8`@q^E0Sv2U(N8Wdlnxl5a4Va@ZA
z6jb04j%p2gZQ9LRqqJ{n;1=4wsDnCy6Q-VyRyGfhr6v=1?!v0J;d)ggBIg^=9VlP~
zf}Yn3ELPO9du!MPjgl4edg>JqD&wQkW2zy0CG%cB1M4dV2T(t?RqTy>yl<X%NQ$Lw
z;H%T8PH*_V$43`inyMrOxjEr;PLywV2uazOir$>=61uD5ds^d00dzcrk<s?$rorb6
z9oJOqy)INe?f2qgn#{%Ouryh6=UBh9Vu0b8Eer$*vA~>62(6V$9XAWecqZh=I;v#H
z8)EmSxkje?c|@!!iy-<-$BUdEO>R9>sdiE;K=o6x$J33(bhd%Mb#1NKYj1N4geFek
zZcE(;!lFgq^Ws_YL4I>`<O2V0ocYw^c`sJKchN41iUxB0ddF1?fXU}1#cjjL`b`>y
zAEvRx-ng(_Y83FxLT?uL5|9Q?arTV0HYk1_ES^c-ybuRyg$M6;d?cZQ>n8B$1VBD8
z_eb$EFc)dD*wq=7E#32SCLKl!<yyO=B?7IxtK?lg_}NgpX=kU-gN&=3`M@#ko`i|a
zpmH+4cR~_`q>}GCs8c&ha8%k7S4}B=sPe809}f{4kYFn7u(0|Kl!^)TT`Y(P)Ese5
z>hya+0=HG~`QSiFaff%lydg!>u&p_u^Tl25CzWK$x+qT1<&0bgMlbPowS_7;ko8C$
z!#LflWAO7?WK?iaRTZ%Et+J}}**euEFFj<1J<UU(?1vo*w9i0g^T?M5Nn_U@NYFlA
zEUp!mpt0p@g|JErrG14PZ|Zc>4Sn|&##_7Qf@CZ@c*xJrTD3R9tLBnlpFK;GS*IiR
z=W15sWPyT>uOEYqky0q3Iy^6NycBxSG-Hf;`vVAl@NiDJ!UYe(9}btpiaAV`N3XZ^
z<jJC?cu+cD(93=+n-<izhqsnibUWP6!Kny8-lf!TP<=%+)J2vs6b+h(7wGB~^Px5%
zKBL#qc@(&d1l!nVmPI({CdcV?g2+Z92=5G@JB6maf_auF9PeG{ZORx<4#X0pZ=x+z
zixf&`mJtaCH&^T)f`Y!J%6;@Hr+>+5WM|&!X_2M@sFBfPwZNlcYT-wd&9m=C`Ol+h
zAzV1Z3e`mGhuXM}OVrC-CR$!{WPAo@u*pCkj=MG1-kfZYT+0I6chy29Uk?(#h_^V=
zgho)xR#T(19;9~<XWOnC%t*4V2$v}wc{X5h_0e2;Bsvl_pMkOJkp5?<LCjk^V;K;A
z%ZTv^I2KKG%{Zv11_fm_y`AH{hzvdZajj!M(Tb&Vc9c|l_k7eHG46>;UlHr7O)T9D
zNv%-?05^~A<y}XA@M;k-xjc1|5SI}x8#bQUy-2{Um>$6AykXdkwkNv*-eb|PsbE<R
zu53n4!ovi3;2jVu$9c{Xb;`1`rsJLoXA?t0hXnG5y4-l)dqKtqLk_o{M9$|BZ^ng3
zAzGIu<I)SLDg#iT^6)+K+<Txb@G@Xp{7^UP(Hx#Uudp{M4b(nz6u=i5egU1R9<{3)
zfT0U#MH0v+*mPGylOSB8;^TCFaO%Kn8zBZn1vXPqvl8+~lJwbY)4@(46c3fbV?KC0
z;BKna#N=jSVDGZ$_?3>B7p5Ksk|jB4b*1?`!wG^`E@v@)u?xdU7C1K<t6ZG0HHp21
z+|OsFCzD$z+D22_EVY!0U%u6GSZ|z?FtsHwnp0??jcRpBqg`FQM-%2Ktd;qop%n9m
zx*H(|M$}l~QH_9v$(6_u!b|hTj2?qEE|<3%{d5myFc5G#aQqww^sElTtV3ebCfb+U
zO&i3#opdScDmn=sD0+^wrxhy0BR(TTdT;v;QXqnWgaTuDS#yOB4(#<lx6yDq8$g1I
zEE;T>iA@g^L0}QeXKN0U`by<GF=A~Viar}-6r!3WZ_0P>?7esXVqrdC>(4&zR7|_#
zmU8IV=52szPuC!1OD*g4nn53vY_-XIP6~z>M{i$-7<1O(rH1DdTS<Md^OU5Ow(+^k
z!wV{Jen<R5J26HzM#MS`t*fUupk7=ekoE3+b&`dpz^xV1L~1!ti#OYDbh^T_Qwlhp
zrLJTnFWh^(j&e0#S3tb@fAc&YFov-j!sjmq0hh?1D&*`?Q{@(P1`bJ=;b!+a7YynH
zXv@$w;qgsk=b#wkSxt0|t)~x<y%!%JKhJvf^gYY>kR3$0pd0%ZEA}eW^~J3%0Np+<
zhns$!L(q?20dN^Prq^D*dtIcWC!}s!{-WbfiN~_<!I4A=3vK1pB)wrY&!^fn*W3|o
zaLeztC&r<eo}s?JdzLt_J?$z2L4DL|^k^}5)EU{Bpk-1mCbm*6XrT&Yji3#H4C)Fx
z^j`X<s6k;p)JLxiBz^b^!elMww00JWm{wg0<~DAK)nY4br#(A)n-N3!#{8`OSlQNJ
z+$>tM>OORRD12|=btJ(%8N>1@CssK~pvSqL$cD`q5_?T4TH74V>uLMaZ37neRtNDc
z33kE}6T4I4Epwl|+a#N}_AdQb7Ks)n$@poj%j5=AE$)(Tx9%DaBO)db?$!~3nQjZ<
zl2^G_@EB^DY!2KWtmQq@PTh1-DSepFWiK>=fD~_uEtCcsENC1bP@$bqA8?OTI)uMh
z;O~jCrntspD%wU1vR(-)0<cD>O<D-q2y$$|0qk|opz67%WMMC=oOiX$-dsKdz7roE
z+zm+?def1ju&iw`(I>1S9q3dRw=t&zC*iFfG-VE^N88g%yKjgdn;KpkzIeb-&o+4g
z?>Ls0sN+SJ`kcev)YB4DKZ*R()8$J~&pdc^y`D5-)d<BM*bcE943Dk|wDTQ8);MjC
zQy&NvR!eLm54t`_ZP<wCILkRzD#E?k9&c6Ay*G~tGs7H>eHJtqi;05$#Hv?Og-hS|
zlr)*qBhnar;j_rK0gJG=O#@F{CW<iGA1r0Yf;C|#4RrJg0XU>X2F@<p{p%;!V_>>!
zQ7FQx*Vbg5m5!0!Me*v9^n|u5Ib6MywNwN^$D6SQgfMBNYsH2u6?h>%T-jrx2~I@-
zXp6OYe&ez4WlqAAmzQJNMHj|Z^6an_wHpkiSMwFRg4J#L(>ifRk0EnXMX}3z^_(Ed
z=5FKl<Ckx=cI`bSX(<!s=zRuVl4S#Ym8d$P$dC%7jhl}CxIIM=ubi8<8ZjxcW=1r#
zs#_mTY_K7=Bnm}2(B_HkVx-_B;RcJ2aMI9#;EaXUx<j{q`ts3(Wgeh%eC87ZD2H$F
zGP!7iZjT?VDz&HYQL*Z4x?rf+FE-8^^l{ydt1AG6$^@Ah;__G(gBEx^9#H3gO|3-*
zrI}c;Bj)d20hyRQvPVdm210@%jw1=Fy8yVjVDBv7E^bP>!vNfK)XOmSoR~3T<Vb$S
zw^d^5nv_p!VVlaUw{HB5?a@)=5waq#A-28O6I3+TvcfN@mmfqfc6KrX-y5<Q0tub!
z=6P!rChCq@X^%itYozF1m_9x)_wzY=%;nrd&_#ecwcWOWVy3Srm-{6R&FbcPb!-jf
zyDYfmS0n^hhUndD;IH8H@zrkBKubMPq)mA)<2s%m`*gw2Z3rYKfk&F;bzS7WCb&_i
zG#zLUMkKK=ebnzIYgb2`)(YIbO&Y=E)0EtUTELb$%RRsVd>BjxycGucDA^J4%g>-M
zKb0@gZvYA(V2y&D_iQ?Fb|+yrdaFrRKvUwI)S!N2VeV(@piene71w*17j6%{({@DN
zM+OCoSEPZ7Rp+pkQBCHZIO|hp5f)8*j*Hl%3!(LRPS2@5mvaF8y<qb&d$=L5TWP5%
zrbmn?AfY2DkbIJeN|O*pp{iklM11LAL93GGqP*NYTye21-H=T%$yV1w<hhH)zI)zg
z$CO#%P81rk_6o#7J*mnba=QR?624bzEb!`_X^`zIJr%5Yp*h=)>AY<Q)E9?@lH{q3
z$#}y0l#l>`8g43u?;Ncf0r5Mbcs)|I;_WX_vWgt-nNb1L8NTso>8b;hJ&0^dBzmr+
z+JYDl(hzc1OrCbb^26+9k>c9LNAq~&Qu=Pt!QjEZKJj`))7$XWwr~?P*2Qu5h-)q+
z0Tg=4#q$VDqBNLb^knDis4-2M!D<<gjb+szqFRd#>UneYJB9153U0%>AoX($!Q2gR
z$lPZWqz2a#{u(;H>)`cFRM_H?tn+ESm(*(L55{ifDZQ`&=oZYBqaw9%7ho{WXa&1`
z-U<t)6&jR+XgA9ayRp{q+TLB4BJuTd(My|$TmE$27t)U)yA+C#Ml6g2`Ffq<N*A#5
z;OKTPedFQNXBBqO{m#!HOEWk3gobX@89k^Cf=o)eQ9EZ5LczvHXK{kY6imfQ20!g`
z(YMyl+H&ypfq`Pap5g!$<f|y5nOI0FH<Q{Y0bK&Z**W&Q9n9S}wFRqv92Z~{yI)>u
zHOr#HHrdM9_~=1vvQd(E_>L6^YC^EiOX62Wl8HWoQ%VnOQRU<mr%CgiIOBQw2%cCj
z3dw_<mI3f0gCM`hPF3K|1SbykK=W*OJ_JPo_#!k-G@?8WOS`vY?d8so2hnJs<iTz0
z*RP%O33)}S%cZ>yIP;|jxT+m7WHVbu^GQjx<IsD_&CXO@$WqtQl^Hsea7#)jl5OU=
zWh0Ok*f>B=w_^{m^@;It>rs`r<zv7r(Px=ldZ>yp<)L=>o;+`|d<{{XuQ<G~ofY_$
zeg8vrMy_8R7mgC(v)3C5=P{fE$stkm)Xbkqg(|Tcr6RmO(VQ!e(ukNBJ=`^gXGBFs
z3hid{QdBUKgmX^zUG*)|yGx4DN{*Xqtz2}j=k`FxjdAbr+`G%w_z+11rp3o!#jEr6
z9xo5+-LVpG*Jt!{a4!HgK+3-zL9|yvZ}%NP=u3HCU6O)N2AL=FfxZW{4~dB4lzV}P
z9N)vfRo@yXZ6Vi^d71sX0Mc16A;g?dfj6iuASGD`R!$FacGmgYDOQeK?>RqyX+GDn
zncThRv^+}B?djl45{oNHN2z;wO-S?5Xvg8f%S=V-(K4qBtq@Pom>0X;ixoK{!)t3>
zqS}YyK@T2{A9*NbE|lJsk?$xuSm?fVHq#DC;;lhrWqa{<?J=WSo-rQbS>qjtj}IG<
z-P=+0+w9m)yzq_Xc=o`Kwu*%z&!p?QCy8M_wh8oSH{$qf8f%Gq>FWjvjq1ih(V}|K
z=9L!Kzz(X+l>y!J_ECGskbNvH*uiSG?r++4Lr@K9F{VIy!_)wKb;`{eGj`S+DIHzm
zFvWTrRS-!H5|_ON5>OTq0z>bJK_yg9j5D3|ZZY}2;Vzt_7elMn?>0fSkBiI^AM^>0
zG$?v?tYY)I3Mi5BFt&o*6Eam=>)cy@WG~+%O%a1z%6BxOIMb(^W?34um}dEIP|>1p
z_c4c%GkAl%SMZIfe<2FXS+Jn;I0~SrEdA9WbuN&UN|&xGthJD`LDTwM4FNpeCfNf<
zan*xUYk3wrYWc2E@L6ykCGIE%9^G!}J>4CZ#KNX^B(keJJL8;Hmq6@?VK05_K`>YI
z>7Z5zmNuElgrW^Mr#GtXiZ7zqpa?Yx_e+>c&DO$EHppD90MmbW(M5?2HCTh0XOj)D
z$Mg{iaJGr@17=gMF#zS`P#>7XJ)GQP;X4y|^>-2>ni%rJ2{L@n#ih4>*}&8L4XTEm
z;pMr?yMjs+&Pu)wp~b*4TuPTz@sxVDfFkv9!EgXqOUx*y)paKcEv)Pw+V;E&UzJ-4
z3o5;P`(y_dom)~Kd0NU%yI!h|grP2=V4E7stm1ptk5g<gmUi+Xk(EBQyK!zXM=oRR
z*|W-~(i4X+jVqO@frYyR<+yurji>%-yq*^?FtggzAYDqkdN&>Xe3*ca!wz(=2a+)O
zE_pIkwnW6OL1o@}H4%mw639C`Z@p0=R*<m-JGdTMLv)9JQtdKtw7JX{@J;uNJ>3<&
zV4{07Zk(w?E*#^lJ4{4JEVc~#G)m0L7C7$GlM4EwyrxVMFd!qldQo5zJE%L+sq!<4
zH!_rTir7=pANW3h5Tm^d$BAJjou!1~JDTbp{+{l3&GPmmB$TO_;n<EN7zfCQQ^fGZ
zDs}4^dil8%Kb!OCn$rmjva#p`+fUzfwz#Kgr-YgtH1=9ro+1R0So(23j5_D#VuUfg
zoT)%80tYf1D&b?ij^)&eCvUf|-O<i?IlSW(tO1;G;1J@m#BDcCgI){4tvx>F@Vj;L
zu888@t#y2xWd!cP%rQOz+Aew>EaLAJ?|Mqsd3>4QWLHn?JGZy>y^ErK@1k_Ap(PNu
z#%!y6J=Z?ijZf#{WXC*(G-MuPjM&U3cY+rpy=jFu^o%i3OAO<l@FXomLIYGyVO6na
zxzZk2<hB*0Pq%F>W@U1YQ8uKt&OXywYJQ0IES7IpB%c7<-8p58UHajRH(ZpDtSoGK
zHdPsfBYT%qv?&#<nPx!M6zV@nm;Jf!1e@FC6TB*0tu+beFm7&tbT4JSeN<qZ&xu?N
z)JTUZNvhXNfK0X&3r%L+j?uGk!tEW`5l1*Z1)<C%u1UZ%AR`j-&{vMDC{GWyrx-IR
z-Yy56Ij$IN1169hIwL|q@+yc#npuyv(^)DxZ+sJu%NwnXYa@*z;wfph<gT2Tbd`j5
zuYIXkR%RK`3Kl84bP~}^QbR3LI2s{zOQ98eoDsAzk&5quTgcmd>=+jLoWaj;Cfkd~
z--!yO@9S(2rp{*scy4N#GZ5p<Z0L%;6;C4vcXwm~b}-t6s%;>5fQ6ow**N<83(VJe
zLgxmuUO+Zttjje;uM@7w_bI+QGpdTn<>a>T9LS^t67YSNdcj%O!CYv8>9NaOo#d{Y
z#yoJFGSvfIpk=;rGGq@$ZW=s%RtylGDd(3b$#*aw%snGcoho<f_?}dP^YFwiyxEZR
z1->(zIIP>JAnPgdG_cZ7>8W4PLQ1D)aJ=ZjQ{9cJ#8=tY7VA8-BfT_rS5V>&ZMkFm
z1auaCp9dDVs~|nmSdUv3p-vlZA}$a^d3CcZtbMYVd-Fi~@wC4ss5gxLhF`!NhVo(p
zm8#fIhk?AT(rpFh2^qzAsJ<EM{Y1U*;dQ!}!An-kNG?A)G+Zus<+Cb7H>n(?nJ9hR
zlL{}nGmR5x`;nERcgfA{jwQ<{q$FREQrXn&9XHdhjoAVR3MF(QtI2$AlaVt7{!8}U
zRVFqHQdIZMgJX-mLJ4wp^`XK+)j^r1n=*&=0(#^Es_2x^x%8A+x}$^KxUnS5>=>jE
zjIc*VO;77i42Me$YXs)VF?{(kDPV~kY|bd~kd3Vcv!5)8+QvrZ@i@I)bG^cGeE(5u
zb`?@aCVF8vs+(lE;2E4*`<xFAGVc~1DJM3M=(Oos-fYYvVR}enBKMB0js)4$nq&>K
z#6o$ajBmIbVq{ph8moxdjEg0P&+I^F_NAGj?K_WxYIBX`Ef=72M-M2%cu{L-&^Hxl
zO*g9#=0#@=2}C%-3iC{at~AlZEwTuHT@~gW30(Q|9$C&2*Sn;1WAO&@Scp`Of!n(4
zI_7z=cgRyX4q|C9^Nlgf56`Ei?#R*>!kl|>Zl(>o@wO>%C75lOdK(^z3#ADX_d8+p
z7~FOD$LEom8;_wdDV}*PtVH@NrN+}7@Oc1xQTmeLbh=*?d+Mt7CMWFTMa`<h(F=Nl
zXYkhXiMVR&A;fK<`>R$5j0m&2B~OMMyxNRxA&q@C_mFiZW1NZQVqVsAUEz_*5~sZr
zH3(aJrvg_sItS}BrD-Xu+Y81cqvTEMRO^R`i}(5+ft1q-oIz8bLB!PDn9R9)L?tCq
zlKF$>+fHkE8<8V?!9zGrPZ#qB7ukkR0)<M3z_;D>0%t1KiBP=FUFvm_^Q>le%X*br
zEf=_hkXSpoS`^JeZh_ZGlWHzHMW#`1NN9QtvCjlA)tn9rYOJ^-TsxIM5+DX@<524%
zR2EDewuh`n+$I7cJuX_{S^d(xMvlwu#QEvmL)B`{=eQR1Xd8=jWw|eLd^qZ$r0|nc
zrY}knrWB&6r?b);jB=T4#Stwjw$PUY7OQenJ0a<z=T#4}Fp2<zX^01daQ8bhQgW<&
zvt+975N1jIKo43`wdu4w<ERORHf$hipK(1fw;mxZopPkf-hs9;1=gEY^$j_);<cI8
z8su>3cA%ho#DH7_%;cgjbw|(i`NM)fc<B-+`TwzrLKm)%TT2nfibUA4c8=h@nkP{E
zQtIMbXzDDOPGmX*pU5~;SDbNVG!H*(iC*qE88BpTUWkLH;SdZ!zc``hR}1KE&-Ilh
z(2A9fCCXDULNLW;EOG#0Lr|AQ5lDD7?JAHhw#M(?guEA&ra8S_FTmJt@r7)FhIbkZ
zgwwYAagpR=Kj5nh6r{u4*Tl)4_q?U5j;RBhO&{5gI1`|?CdP)CYrgJXeugfIP`hK3
zZ^;Hz$YAg4ZQM&p=!f$TO}fKgKP5{z+&R2c$t^@dh<nAthEtlk7n{SFGU8!fZmKq9
z7_*SQ@EVy51;7xaMykC}&bJ|YXeY2_l?0H;a66P=akaEP1VA7PcD5zTQYGnlaoCur
zc$G<6#|L|Bj$V_;ueW8aXF5D1r0y_V)Q#ULd8OV1oP|1B*;oriiL@TE_o^nGP!VS?
zO$}QxN*)hY0!AN}bG^*us$CRZx@13KGS*Dh=rjs2pAqBeK7E1c5|#m6`DWJrPQ}4;
zJt{e#R7^v*5|Ci+((~o5#Ns(@AWL687(Mc4Z7mQKEqyR_U_*MMwRJK}&vl*_RL9}k
zMQ$zSD#8d6I`kg$SwVY3=RGrsMD;5>E`0mQY0-ST5@VlDJr`VdDV5_aih15{Zm0%5
z6D&Pt{Dgv;l;>4Bl_>W)#W7bz`KncbwHq?ln4Ep@r2=1=2D8i>bi}Jk12+UrW0W&l
z5%tr%5QSEVIRIO4l^4!!ik<QN1wPHJgjSAq8qmfCYH^6CUB!UtNC<|7TiJ3xk^CH&
zrmWCGXaTn`0AHFUtUi&q{jO^*-#Mx4JptY&A|9pTS5hZrLT<=oC8RGL;!#3&mV)Oq
zg2pcLE!h}`Ye6>L{*TjG7xunu;#8Wa&Taww;K@)w<U(}kr-S+4`L#DmN_li@yf}3W
znt&;kxw_8OJ;;WpK|5ZTwR;b9n(Q*b@wgBcD0vr?X9cEo7T-N1ujD0IRpZJrt7fXY
z!rscK;h7>1?UvB8gTMyfy@kM;$mn$96IW~;$N*4js?n}$N+sJA16Cb@;%ZT5{obkP
z(^pTMYjlt9oau6bU>iFYqY?2X!aGokO|t`oml81r%@k%CI__i<71k0Gfy54|aG@B1
zx$l{;CK=gFPvOpIxzW0FjPqLQs31DFP#62;oof-)sCLS`Z4fV?^N0kWTH0v3M|E>t
z<-mCerHNHNuVgV$7b2R7;h_p3wY}uHeD4v=1F&*S+>wLOG84&*N4+D8qFg+yukdob
zgdDPs7Iz?)F#K@^)s=#Yv2cs^a0{)=M!y3+%+$P5=QGzNxCpD)V9o$!fj#6SD)*3C
zn%Li53lGy8a{yRG`?W47pGin3RAty6LcL>qGmJ(&(<mDO@8YhhO()H4z{1}Y&UsER
z_LG`?)z&sj#>+kLy?kB)1XKKm856D9=LyEP0^3b!c^E$y!?kjDDayXE73<fLWh30S
zyLCqOYV|_Tv#cmn7xb5Sne(Je%!%fnV51&%ZiM#kCA3@d%%Z}Uv%BQzjPrSglC4$a
z{qR)Zv$KXxSLf^=47L2`)W0}g_bhPpKnu=P*4`pmlYUw8`pvM4A3rzd@OY^Q%>j%m
z(diG+Y~{Tt+<moxRwCr%@z__$PVd&y$dKRR%k4YEdNj35(*$AY4t-0Gb6L8}UKoV#
zC<==POtZQ&syRM#od)p;3oNLzU({-XExvc_?a<K9igCp(Z#GVNR1Lcv;Z>CG{0k~P
zAbDuz8#)N`oRi-<t=Y(FLFKx~JKVDtovh>3AZ0RS0DhQqLtuakd^YH>cM$C5b|IFe
zlqTa%%}G*WWi;#-G}XSxfX{D*H9#B7A#b9GUUeH|>q~^=IzDo(a+qj2><2px5f*}j
zJ4DKE^-kV<jh=verH9~FOT>FK;Ix2Gbw}~#Sn>+-1_{c0h8<c@&T5$ba2i(mp=L5x
zw#&WM+L_K%(<eq&#M2~iAa{M|y=QRB`|eiksYxcIMkWK~payD?#x#@CgoY5Iw&RXo
z-a;3cKJ|OVW~(swZtbW9myI6^xB|B>aY`q2uoyJ#JY;`#tlbX>>tV8_10jG#A$8}A
zt||~`TboGKeV)c%;4kh8urNoJTyg9Uw2zrf+MDqx0xU5=xP08JSGnu&#$%+k1rB7Q
zw_Ooxng^b8v=cDi#$$1^KDH{sVi2-nN(3S$h$bmxOn7)(lu^#&2<upO{?d^A>^bU6
zo~5bNCfh`<PFLZ)8>mSdbsjvcrrdd{EX|xg=sdb}LdW1x1FtvcxyhRY@DY3iv!g&b
zuPnmGN(E=1&fwE^f=3SgN*R^V6+52r4)FQpQILxjZ370en<}a8hQUHOPQ5ZswxCit
zBVfLHkrXG%*7U0OCD*ILb>!ouoy6WMig+=BkDz;ybfAUjfqPIj`@m2<kZ1fvUSf1X
ze1fX>1?mmP0;cnpZ977Rs8g3;UD9<$P$`?s)e|2glLLa`3WF{jD{mHWDwT}u%}318
zl$ntv+fx87Y+3z)*f5={+{w$8Ez0}R_5wKFf~h_<_K2p0y%e)%ZV(nu=Ma3Lk0a7J
zIVfszR~&S#msbY{!rpBFh=rw^@kwU~z5uYK-g>G+^K{JrBUN3GUY@<%B@uh}3ba?i
z=v9G@01Lx}q|w8eTym2hk$vgA$pRHVIiLjNjn-I&S!&d9)3<gwE9VIYxE1;MZYs-3
zMD{)LN63S(l5we;<F+40ya0z(!1hHArW|z#fY3;Ekyqi5wI3&?pJYg+-=RMxSjz}N
zlXvo_M5wOlJz8I1qMN62?vE(LhhzX5yigOWA8OWynkNeZmfKSTsWZ>pT<-$ovF_M3
z&x@5F3%YpdSGrmBAgP{Y8F49LNrCGF=<G#gG(WYBkTed(cWldO3KVq+kaieolx|_=
z>Inr8?I{Yw)T@Ih4nnV~CjsHX={{ecohJ|d$xML`g-Bh2h(Dvq@CECZ4wqbSy=S2$
zK7hT8I8QVBor?CkRX)-3995HJE=aFO`#e<gU6FFb+x9CSu33ti37o148D_eTdcq$3
z0DYZ=n}(Xf^o7Qz3~@4st6Wi6g!GP(o3pJmlia3Ct52zBSfFX*Q=KqvL0cSqVxH9x
zFi20*p=u&CCY=VwlMK}#Qd5O9I7mtlcA_K|iOsFAC(>p|BfRylI+ndqeD;JD;_*Ix
z5lM>sC|POf0Z?E!A7+j~P6sH|UbrJZ*z93~mkq6tm)Ofx0V?86Z?U`zxgG_JKH)ml
z+&$ElM%Ed^5)dl_JV8|C+zg|raDPMC)56dE8XF5~Q#wUMbHw<QRFf}KHF62c?kyDe
z%kao6awbWE>m(gF#XdZ-Tz1~GaS>F1nb;uB%XRMS$k=Nr+E*TrCk)qxsR-y&^LQb~
zNH24ov>IbFO52)XfU+j(y46c-_*UW75g-{Kg9<x_A~aGp@zPAmJ;VWj>9$i?tjfr2
zoHQF@<$*xDC=b}cp8$3rcRok0<Cgdj)zvri=AJ0XDGfk5yfDU7p;RVAnD=H%>dphT
z=BlIoNLeY9Cz1xBlNP1lyEDV$Op#@%9v&$~NbfDvMTNNugxC%7yF=^&Jj?I~1Q=rC
zQ(7iorj6TIl{O-XyUX480Es5GZrdwpA0fs_VHYME*)(*$xRR9)_LO{``NF6`5|N@L
zA)`g#9sBw)zW|YyGA$=&dk_^WfIZM@(g>$RltgCF6E|h4RTKhTv!(@eH|H7l3$bHH
zfvop*4DS^H9tsY?DM5f^AzoAV>I4d3bv*=pR^6Vvqyy+AhS``RcAO#4y;zaUeP&Ll
zpmwi|8GA^T1ufaYPNcMtjnVs&0$vipyJwXOwyg*XUi8L-`ewEco)*U{V<ib6FFh>1
z2b)&vd7BC4WI{ld)WXorg92f}*-DCWA_ah1m(i-B4UcRFci7tN_0UmVW*{vY@?a}2
z4YZvXy{n!v<j3%`=31p;t?hcj7}$-{_qKPDw)}OS3vt~ZVB3{HBApg{oiCw)ggaxD
z(GgQuA%GPb`O@z32=Y@^#j}0r5A@xfbg3s67pL)&CqCv#XU)fTgxi3;Cq;E0U0jE3
zk^YDyRV>ZX#_QMi!qLPRYcJi*bocs%W6a*^g$GP}#p1rj9PoSkx?p+R#=HDR5(Qjr
z`I*DBVWFFYTIoX8F~2<R;LEENM}BUDpQt|iLiN2}2dOxw&@5u37haDF5{rf@aC*y;
z!^2qB8IGm6m|P8&@f=>%i?oe!c%Z1@W&(86_^d%a-m*qo7v{?Xd+fX=@z5#XYVJK?
zU+J(x=A!2m_ypf_pt6=Omg319-+3z|KzbWK?XRNIhzzCfcn~PoeEHGr!*F2N*Qo^d
zdM0y1JruhL%)9MBR;>*}b-FywxNQ2J?!5(zPQT^Jh%}os4GYpyeYX>M@*q&)jomC0
z5SPBCU1`gXSMZ*ZTsG<1BA;NOg_S_c+|x7cQ6-#kY8!}g7HWLSX4}SM%Sv8keHW;;
zAwm^f-3)hhmNT$Ul>yR^A3%3R_MJF%9*Do*Rq0B8%4MlDb}+Z54-XJ^{qZY!2#i2n
zRt59IO`4AxjrKWN^e*xB%B#SVn+v>fF-aW4eG!B2o;6lEyxBE-1x1fRrIx}eq6Vp6
zI$W_zFRu+|U$_YSi&T~Ev<jO8!vRUe*WtO_*t3|I(R)TS<~A8vMTLjNFRG^Fk}0h$
z!t1^DEhq(r=SF$?Uc><U(jy2w#m*VWoKk;#_A2cedW#Mok7`T}MPxPE_CuQVOO{IJ
zx)XrGgYz;L?bAmV<?8yp0Ul*w8t=JY3_lNm9!%At8Zm|`r`Qsg@#uXiDA|dRTS-}R
z^nz8_VL5bPpxQje42FB>r4uKkNger=A2B$$u5Vix$@pGy`|Z(St!yU|wXHQ}-<XRB
z_oivrX+c==xEa7hHY7{tJqfELMmP$tOX=V&Cv(E33MP#flZD&@8=LdHWGHOhx9rky
zg<eu6PsE+4nXyA_W7+e2Lanc$xxiiG#*_i(kR@WqL-v{((e@3zCt$*iHzV-GpWqwh
zsuXgih&)pm2Ga>e<Zo6TzF4jIaJ2VyFa<MsP)&FqIu0f6LHfE(pd%f@4&kA^+IviO
zoCbRW_L?6{xmJ6RJbVs^Fdgd@SnAA?_Fjbnq2I%O!ACD%ZnA`cDUwrw>F}#k-F#t}
za%wm3VI@)2gHghSniKZ=Ar;9gFb$Xz(*iZp6NsT5L9vQ?I?s5NrotyAh6`@T(n0B}
z{)4rfHWOs`Twe6#x|(hIT_OUcz>Cnjh{%n%vr1-;(<}jocH|;71d~BX(hH92UXBu&
zJ7?ON2Sab2QVJFaJB!$vnf$PPQW)A3{F$X2Ke%-9d{G+VQ`~n0`YLR3X&3g0Vmpz!
zQC0lHIRXfTAH#}ND>cXEG|ueigkA*45kV&dn4t>Hy`70Xex5p#7)2Gl*3VC(S($|s
zN)IuRsg#ihK%8*^pG7j-&?(lLbQeJqHub%1zp}Fpcwk6YlM9A8gB(Wdr98H|Wc><;
zRB`f*#5cy&@v&2Z3^4}{g0BpV@T}(aqsRRS)6bb;`_}QjY_Qkqsel$~`xpSWdKy=D
zjXAE}Uh}-%EEg2x@OhQ9NH`cCm!gkZ)nw!8dyt#}q|pifz!01aGig|60nR)7jp(qh
zW*To=EDk2!n=B51QCz4tW$`3c6@UjEsnpyI5e|c|a|jMmjS-Tghl8I%->RRT=d2Ji
zk~=vh>*AC@aCEM~zC3k$8&+`dNsB^o3BJ6G854Y~5he*(Lup8NeU<15hrv@6uOh7*
zhaOD4%=Po+v?8<6EHhzj0$Su4;~7qp_uQWK-trO_(6+3f_KlhPOQaHk=hwrryCPM4
zk|B}C4RfR3M_1IN2S7^&gh6I~4UCRY+-4t?kZXEAI3D&i97ffN$UJFM4w%O#n#Jqm
zaPSSQf5OT%p#>G0L+Oq-YXdfTZUC;JHQp#la<-9ZT$+@#s^_c&+w2Z|3J+koNLQ#E
z@<5?`uvS-9ix~VZ$h^96WFvYG{TMkhRL-A3*)9#=!+Yj4g71_-oN741M~;X}c4KM)
zRpb@3!kbYz&JvQ>IveR(W0XGIn}EyZuf2laX@S=kKYP-4zU<H-|Iv!{B160U74{sR
zr>DGL)q_cXX3M&*-WP-muY?Pq^^Ntqf+vA@jGYRSqAn0?hjP4>H<VJy$@-?moz9}7
z1EIq;^_<XOUAI_`c+X6}Gi}~baZG*$w0F^nR>k*RYQ*%()krKxiLNdU`su5ElkH?F
z^0w2K(yBxXz%Ur*)ZC=``2s<r^X#sRsEKdWh3@J>^c99Jk3)d6nu*wTS~Z)85o+}!
zYC-O*K7J`e_)`|tkEGc~j9!$eZvYObgAoG&37AjBcw>28+3~77*X?m*?x=<bDmHZv
zZiPU%6Nk?xu4WJ`9*kzbk+*0W631Z}vbnUiiC2%YwvmP&OVi;#G3lgRdIxNEMV?F<
zrmvrF?!Gv;qh8%R%$zcxgknmmb5DMUV>ZZhvc0CDQ6pIwn7no2lz6(4HfbD2JkY*+
ztqtw)FieTCrC#*x8<A^LKZ4F$Zgw|v#ZY>J*Riqw8Y~O?y!>{o(ao&2A8eAw<J)1I
z0HJ7=LVfroNu3vkmh5Opf-)|j9ER(yQVL<y#k-Jty#2-<4+aV@7{u_(!wMa&9|*(i
zJ#%uFE_E*32&-XCI~-TH5wsicz^&8>*4si#-1i2K7xWxls8EjO=;chv+vQGLm8u2w
zEAOOtH`pXZPak#Dd-sTywJQOcmo*6As1n&TaYe_h+M8;|b~HJBF7K1purFFc1YsG$
zDdnk43D|)mho@!jla)!0Dm&M;l2}i?chm_mSE*vu)I)W%UM5$B^Ps``5E;GHQfYw8
zv9oozDYh7E0G^kj+H;%avGHbx@Ya@BWiQ)g3I$E`OiM&X#=&M*PyCJY<9-(}s3~H@
z-0H15;lB1IQD@YOuu^+(f^4$&6(7;0KW+mAw1oK&*OxT6V8wZ<QWAo~FRG$nI_y>Z
zfH9PJ;)Amy>NBl7G(W1eWpc2!eG|iGqnwOUP3`5G{rVi$k=*bR#XQT^ker7N3o2M{
z@H~y?;Zg*xs_xp=W`K3ys^9cOz%beM<^~;T>NlQ%^%jky`izLVLHsS-Vw1{~MT&ZK
zcu{#{3->y1)@MX!8fU`HU4TMbi=zcR6Kjw|2TzjNd}44F%^^6AACrpSYDh8d2A)Sz
zyyav*<=RM00269_lMf6VVNgkr1sw*YpI6pdVY^v+HV(!$z9u>3P64Jdg_(TfO9?SN
z@sf~ql-3?JPD<XYt-;LmFz{2@Kw*4alZT|$oi5SK@7Q;5J;JM~un@Yj$a8b>TKwv;
zLyHm)jGsaDs0Aog>G4AZlAaB!+B@vW9cArP`LHOH*fYsW0A4)bD;68R1z>Cr%m>Ft
zEv>gWNyGhkrCKQkU^T+cV7!rDi*>&n^_Zd#rJ;lORsgW5ti*P8)lx*Cmy}OqUNSdF
zNbl>FC>cjb425SE>~#iuhWX^86|_y7@~Hvt+vW@@BGkv=RU?k7oOR<ns!z+w`$*o|
zFyS5PRVImE6hm>~!^OU1m5L)6RSerR8>SWuzB!UOC2zMar}v`tHi6GG^cbf>Ulev7
zJ}=^;XRC%Dg3q83-wzjOe$s(4HbPwbw6#T}G;=IzzHmj5FI>GGH!5cq$PQ&f8!+NM
zAn91-sh8SAc(HLUf%DMNq$+#*fx)<wp^hL5dv1bSvp~<qd(ZuB@eQKSssfp-UNAk7
zM}s%$75mnaDi`4`%*{S9X25!Q*0-`m+F4x06ricL5pv+W<bjnzG!o5|xApX1TRep>
zd*ehMhR<58#*^ak0rKN3h{UwzeyD!`@p_eF&XN|P!JIjBuBCAXTU_sz=CD^2rW?VF
z@gbtu6~(>0y&e<L4=MugDZJ6<RMU7OVx=;|<et;LR9ESNvL)fu27r}lA-_;ea`u_)
zbS?KKv_=>o9At$I$APBB=-e>Do<Ph#yK`MYV>^9QQ8XuP6S7S%deAT!8dJvLA-Dn^
zVkgbT^j?Cg%j;O~o<2mLZJn+?%}i{qz{Xh6-7-5{3&-d63g{M~Jf=Hb$u41EQ5(ry
zY<!x8n=GefP|%P@Ixlz89EzaC?3KtpI%MVQhjZ4Q!eU!03^vQn4#J*MzSb>oZP3T%
zYP&Adkm-yY1C2Ez5H##HEk3L#hI*nlw1~Lxc6APb@RdZB1U;y|)tc)?acktZ3|Yn`
zXdHg81%XK#Jn=OR$V2EPd+VCijf*cQ*<Qn$W^+Es)LRsO&JU3Z$k4*{4OU~hGzNH<
zn0ZJ@^Lny4>&dk6U~Dk?4kQ{2u5M(NL(S}Ao!*wtY^nh%D^r@mTUsO+huI}?&Qoc7
z8xOm!)Yv)Iq@ZeO9H{LwU$v1@XlUUZkmg*1dt9s;xiYLa0?48Z38VO=TJ(|HRE>*V
zq}27ojQFv(o@b!0VG?^p3tSqf;=v#qEE*Zq$s`6)9$?#Bk9b9yw-_D+$S&3wu4vN0
zf*uTOcmsAZ3<u`%#9%Hl{Ed{(<1+8OPhOF}c)hgUA(=EYOCkbCvBF4YYTAy<kb^j!
zJ=}MV+#HeOE12Ds>M;;O&nS$=kHbj0^mV}sP+$!?y~n0jwlH3s*puLr{Ma2WT|iu~
zkFOZsz4tElHe1|6oATsYJOWbh_d@teRIS-)qAR@)fpaT>r80ff>nd8#*Pc)>j8aQ%
z`o@!E4ntaJ*w~lR6kz%vuu=x00FL3Woth34t70oN^3fux>RSq{-tbU0Y|GH#hg+B(
zi5w^=f>Dx?2;#*fM5RoI1=(a<;Yu69Op1#t5jNXK82P|>{1JKj{CK$yN!X|2+J3}S
z#Dcp|I4;j$VzEYV-U<aU#>oRMiLQj4CYh33cYs__GienW<z2++lS6$pnXJ0vQwD0G
zHMv?x)OTgjfDtT5nV}Tu#qK*3tvv0QP3YDM_g=QCa5ldv%-)Sa?s?kj3m4;IXzbjf
zf(9%MnJT`KG2<6-CS-golu>?W5!glLC7OBWe2Rl12?*hdFj9#KuhsCeljhBfT}Wo>
zeH?*0av;`@B1m&emUAaZ?1**PmZZXu)>rHRz|WY;_=SVu1L4Z@Yr^G+S`Rr(YH+4_
z6s}@)EVnM?Zc=f$MwYalib5-=-}xbSK7Z2*qO(*=`GUx@Dn!rXF(nR6ax#&R$oL66
z`FN<W5xU}ulW0K0!w9FIDmEZ7ZSsuQBYnv{ww0#IXF{Gm{KhQom3M@N#kg4l-PvAa
z83|;mJ|-lCE$J9yzLUkK;O$N)o$L^v!HP7JY<}5;>F7iEBrBrGoe!Mfy*DxdsWb~g
zvZvZl*#gbp8_JT)^ut)6-gpga0s7z$5MMJTp8_=9I=&oJoTKF?KV7#6&S&t}2NdFo
zs(a3099BJX0)MICgl{rGfhG6?HmW2KOAeypVJ~-H2CZy8?)9|OaZ1<6ECOskyRwB{
z{Yo_(72e~rTX|CpY%QuzJNB0Nq@SqkWGTcPma`$KiHe#~QQ@{2FFJ@{6U%#TMVY{=
zA=|_J0`n|Sx|$NvEGvDCy!GvacTlkY;B{VLk4Q}g>H>u=V8Eyi^Z3jnl$HU%=j`#g
zaYDF>c9?blBUZbrgKvkx<VhkTz+yZOm(gk+u$-U>yY?V&T&tVD99<?eJ$b^L>o?@&
zF+*et$d*;3JCzD(8&BDBq`5m3OfRJ;o0zRQSg6+FK^B$9RMzx+<xgm(xZMtSV+Wc_
zf#DW&YRS*(A>tMCYjmiHkXuwJJVg<3%+Wx`G{DzeegzM8hGwm}YJ2D=rFmmLO{sLU
zWS}@Y&s>n5y$i#D1oJdftiAL)1ysp`dneVzjpl?}o!%BdWW?JGV!Xv7-hp?Irc4m<
zk;dD+(t-DK2hB0w5i}QIH@8xTs8~Isk}NesEO89F0N=MSUp*j5KjQ}p^>{&SnGolg
zm1YY^V<iMu6e-fo-l4(Jj%_{Qy)ZIo6<E&b*CA=>Pdgi;Wr?<XCzd*GS}`mfgw9^3
zqHi7#v$tmVXw$4V&sj+lJx;iCcj)7D91zR#BH733$2G6hw1+U8CKU25+dz`C(Q`k{
zB&&y=!jgls#|1!@XH0J-m4YX*%h^{5DJ1Oa9J<zn@e*oiz#|WNevonZ*w&nVw{=wn
zxzp|)(J5w5zT=Iyr~n9!s1|+=<6xCLYtvYC6;+kO*IZZHR|1|fzKxADsN~(0c_?yq
z0WZ!?-%CjlN^p&*RoJC7)$_>btkR;3IK3u;&4WbD(qr-kjxhPOssr4*afH9U#z$2Y
z&XxgKd~$pn_f4#S5ld+AfDpag2!uBvFil?P)J~`&rV`%5n5--Mp|yi&QM^a0;kgv%
z4*4D%ynNyJn)`Ykh7`B9&0PWYBJ18}R<76!Kc_AYvRQ576G^_fP?qAh6VOsNX*y4@
zY3-EgCs8}zE0y9N4~%kMNIGq1^;8>HC_@LAf;v^M#M0%eqsQOTK*v52pJfovCAt}+
z_z&66=zEg0W0+D+Pzlf1LHPkyV~R-cS!98FMZ>8Zxizx)0cEmvSuAvQE1jqs@zAT#
zcpYrMsgv76&-dw%=c^uZm^t6$C>{g{9|DpGgO2D)sLq~n)+%q9<TC3S-fQnYF{(v{
z8HpsDlNIHQc+Ge{^vGddtWeJc?z}l_>A_sANUy$5r?azX^xgvxdX~KQ#y1OA5}Fo6
z><Ya2X83Z2y_+_+y&9hiJ-t2wgJl%*iUZ$JzPOTeP=g~7SSjm%bz@D>?*Ow>@Pt)j
z8ZtrPt+un63Kt$W$>4&@Q>K^VPT1H8>aNh}@SbgsS%l4K0=ek}T3C6Y>r4AahV(#P
z$+N>@%NfV&!M<*=on(}8SQO@>G~R6itzF74^v)*stT|GdsoF;-(B1}d4+f;)8>$Tq
zxaaLF;=r0gU@q9IeSu23datwRg=bqBMW|xxi0&YAhxE7+#@j{o&XHH%;B|6|ZS)`w
zXKj>y41AHS;jXs&oyZ7!mA_Ses|r1n1WhgPsLxmh5j}=scBU%e>7^Yg;ZVyRtc(c)
zSfB1D5@Y%sATSd)+e&RUgfiaM(o|?_@3eVa-qSVHEV%=|^A>i6-x8}xj5PK^sG_Vo
zF1IJ@=1uNl+-xz<nqkzg6~1E3Fcj$7x~D7)P4De8w+dqv3giK@j$PorAv6QBw$~4n
zko<ij%l5g)O1(>{#unL-D4b{bhOy)kbnWZZ*LEo<5Hj)%)!wqlcAK1q`3jiKJ(zR0
zlsC{1nb}H#yjX)_D7Id{i`2Zx(LND;qLtfG1t`6Hrzu#ejlJM{Tj5Yy(f8sA)fag0
zt?^Pc`#eWWmyvt8a4KH!n$f^Dmp#GYF3M+{?E-URt0A?lnZ2w0%ru6Dl7!9s{$n<-
zo?U?To}~B7=$U0wSsPKu>3gC@7NOVGNW2g2;Kf2h#SgrmnASY^kfMp_%%S(HK__$x
z1fx;s$!=Z|mmO9Ly^<oRT=u3jN2(|J(jKx4vCgrf=Tk-`79>O-eHBeXvMYI0(G9Bb
zKwOi;V12a@;~_pg19^^aY9s|un;Y<w-bEQuQ!MFo!kwUEy%&PUuc_J&Ks@!uvWo(v
zQ>ROK?vvo*aC!FVCFL;Ta~-0`7pLN9+39fk4zn9kWOH9bu6lDzbrS4O2RA>VP&rx(
zV{!r)SI*P+V@OP4W`0tVX6Qcq_}=3?OMRA*Fvo2H-5N^B&pW4(xW*nQ$mJE;RE#N)
zLHav#7IU6>r(;WeN7+j`kb0f{unT|*ICcS(nwMYkVxwfQNNU;&7cM4TwdWPIBX%Gj
zxpKQ6!hn(TP_WT}E3vcC<1k!)Emg2Naxa#7-rE`&7k&_hgy*FYO~PR+F@*l+lsdw8
zGaR%fx#ixY0N{Bw?=EkQUEYhaGBnP4ZA>ZPL8S1|eUoU+bwS%*aWmT1NGHT_4=m43
zHu$1MMGk;O$YfgINd^YNZ37apzEWY3?ST}X@ic$G{+-zoQCrv6y5YM9D{==tap<}Y
z7@=ez4966F7OwAUchGXCG4;u4N)!QZE<H8!<jz+$5<$taqmN%Nlr+<hw2aHdqNdm<
zvm#&2ZVIe(7kY7$P~&!6_dq>YPT`m=YPINVn`Tdp(+<e4dzO2#$xrBxOJ(m3+t%xq
zJM75fYQ*R}s|{}8CGh9WtPNR?{A#rjdfM!c&m*yB+7fr?$tg(JJ_@jaDhf@1RIz+Z
zy&G$7uLY-kZ{E0ZAHuo7t)cG=wn?5&?X<aIK9aLgsRRd1q>vt;w`OyB+y6m3inQle
z7!8*t;Bye^y?5}|Nu#H`4jK&l_QtP=L$P*3s+$2oC&vMZ=w*wNq_5F~FeEcO6*q$?
zNAzf|JBibMG(l&yM5a#=7x|rtiK4$c;PFn3DQAr*y^ONs$A?`k@VdoKAq~@6>5`?T
z8D9Ccup3KL&<6U$)M?fCwDJj*FM?~MRKFJqWI*mE-VRw()O%;5*Ycj?*xWF1kXY)z
z^TIK^Tv)1y_^3%nBYM=?E)Sv9URODbgEZP8VyTUX;kLbAo9XZ<$c8J9r|LLd^8kb&
zDKnaDg~k%)nL><obd`@RLWe(_ITM31%7VyvNd&+iO80;?f{%||H*=?BB8zfE{M0Vg
zx-W6s9<;n(46&{1cX-OLYi2mu&23Fr{ZJn}*sjo&Ez#mAJaB^N55tdMxsX5<^Q(hY
zlh?*Gz^cxEO7YOpZXTnfNgp$s;APoz5jm+ma?fW~sTGeG*;ml%IbTkpMo%FMPKQE0
z*b{>QRd}{<uav1HL!<?xayL-6cK6<*2NVSzz3uXPlcWXxW~-GhpPmBAtFnjSFJZ1x
z?|AMkdG)=(BYEf^$7&;zoCridMa{kM`F3S1AJUuU6C+$3=ktfsFlNtK3=$AS9RZPe
zqnGhijq35%$bpAEdAdez<ES-2$<>8aKA=8(FJsnA@<9R&aIoVTPFn-xOPDpv{DfBN
z3tH4ST5m<+o!LZ^J$W|F&bY7YnU4%eHw*hD(gh%p@uptq)hy|YDLO0l3&hdj(R*<P
zddnKNeCcpU_Y4OMRv$QkY9o3puX0ZrgDM%$>nJLYnt<$PQi86UnxvK+ceSbB#mC5$
zWG^s$@|*!)MrkW5Vy?t9>lc(1O2F<SvbDG5q;|zTLI%Rom5(#z#V$Y_|3~fBioyxf
z%52&knn5JCD)LOL!o7J{do8CIhr!3$?yT5-g-sf&jy`v*a|$`&#dCStH?MBQC5`;7
zqe_<P=;4Wr)m1<(Kso56MiPBFtSZ>=7OwM9Ez3;B^G$%LKjia8*hkv>G{9|`&2@y2
zcg(5qltuZ$yTx}f>@koo@s`xpY=gn57?+iOC)5IaA4B0BorE7CBsI-~Ok21hB#)Q{
zQ>?i<z1du;JZjXb+IZSAnaIM>BA~)KAx5Hrna0^NfV7j#D0AlXMnYu-F<L7WbkwXo
zD@q06os>_|#O<~kRV*yO8#m#AH@>gzW}hpDnu0p;<Kb%y!?+pXFfcG#m$tSQLG+a%
zOqv>W-8UPc;CK7jVFx<`-@>xbl8uMpSQZSFToUq>6g*A-byKQeb01+k3$`JuBIvtV
zcoNh;K|CtVc6^X2B1A33OH(i!PH67&l*ysM5m@k@Fq-<|){;Hq=Rk{F*Xc$;FDY^>
z=X@v9fWvvArfOY^CsNOivg&lvS5>KDc%QykVS$FkB?^*xgz(OU!CtxNECrty-|$(e
zc2DHIMV5}!U4yg9=fISM?K%&knlLy391#r&<t^0VytsGDK<4%+Mr1|ur72-KJ?Pfg
z?P-Vh9#op`tY13uCAe3;$+x@V(AFVu-YLRt1=m682|I9rfID%fZ-qlI9LOiN24B=V
zTd|a)%Cj@%TalNt(0p8e1c8w4ksR-VYKOtl=ukbX@$7!68NkYf<@SJ65N8&|Y}8ZZ
zS=ggYgB<l&E{?NOm8z6zqVL7?P{3{FQGp5&Cp@NtUx2khR$Tnzyl-P`JP>O`pJP6a
zc{%Y&@*&XF>a+K(UK>+2M@8vkfW9R%RZ5MJ#;M}ce*Q2KPn91af=KJX*qW(t(QQRO
zjyrrLx2R<BgJ~UJh(5ulwk~5>Kdor@V^IZsHIAt}ej=DR3WBl&6;1Y5={+|PY*{{^
z>^___NXXfT5oaFl2MyBgVvK%J-YkVgRpIP*;stBL_=0`zSx4I_P+czGB)^$T1ka15
zf!DXCQ1xP*{6^DWNAr7lmkF<5%DXhjL{>M%%4Y>HPHs^qD-woNR)?|$PY(GBW86hK
zPCQUVF*%)#+!$k|ORqel>+PhH+Q#&8e<#lo5BFs^y36d!6Ud^orIPbTY{z~pP>XQ^
zNACt7QC4VW5=se#l@wxPMyYbk_B@Z=i6gpR^;`_&G+I%Zr_u%DZN7W3Z>T9zi~%x$
zT5ZP%C91U9)U3;s=hD?ljZ!@5&1{R-K7}(5ckF8B;Sz5opFjjZO4UbF(~3rAO5MPt
zr-2)GQYDc3aIuI^LDH&hd^}!0b{EjMIJAX23&ZMKjnXrh*ULFNmTow&&#Ck<@3|Pi
zjHnkEsN^m2>=7JGaw1hiO0`Qo?OjHDBm0PgHYn666nIQ1DKM;pWgoV&kmfu<C)gJ=
z9Yiqs`Xy!NUAfW=UMDIG)W>q$UcoF<Rc+RaLG=!^th$XKav^pTj|z%lg9!N!qKH({
zz0Ghm;2lBWb6YcFK)H+8!!*fli``AM=~c&NuKY~$F|Q%VW1tKZmaL-yy>D#&3)}AZ
zTv7rlUzX;u5o8ucr9XJDhr67OEvMsnI^-00P6><9aPOB3Oh^h>ec{-!%DvV*qBZxN
z8utibC@RZw#>7C~!el4w_108vKfQTD3I_Kksa(0Jz(d_H;k?ndO~MPMRi}5EwTm-w
zEPQ1+ILp^J8=Uk!XKQycY)+6s8xZZuDhpX>it_m^c9p*P5&r~7+WzCV?~TLkxbFj)
z9YrrX00{xjO$)WaASu}cBhVRgiG2wWVDg%iSm5=@)@Z3yGnJ`IE7%HJ#UKZ8a*hSD
zIN7o-x4Kc~UepBdu_%(-^JUr^ty~DhU?rx}T9xcac=PlY(Ub*K@Wvg6IA)Q+R37H8
z^~HlOOE{pM*>uC(y9-=vT5;NpYEr!d=w7__UY?W}TjbCDSgmQ#`2-;0pw~4F?AVQx
z^~D;*toUK?aJyw}GLRU}M$#)dQhebT1KCBi)(-*kU`DhM*Oys^lj&)Zl!-|=q?X-f
z(MCI{_9R-ZwZWC4r5~@?(@>?PIV#X{vD#ep1f0&o4N}p9;%=HIMHYSmgfnlNLTcjW
zd)oLUL5|Lz2D;#a1B18vTLK>}iMK>S1kElMA+jfUhH28y3zotG)yL?oyppy-C>O$m
zyP>ZhuB*dBqH|k;21y^2L%c^ll@DN(Ekry^?Kpy6N6N<)yM1gOfDeJSZ68MmF7V;?
zgc)T=EI%sIYj8s#(^ZC3zI$Y+5zXubSz^9cO|6OqLI(8kR;(c@o+f&A-}p=AqI|nc
z5Sr*vkXrr5Wc1znUK%+|EI_*yJ)F5k-U0~rR|u-d1^Y_XdMzJ&#k4yV(Y`P<6i;iJ
zctxG+=q7g}08ip6R2Fbv5R;?U5GJOHfjBE@vm7~%h8tI$1SZD-`RFIN&%U^Q#!+H;
zcl4l0RI_m~ulG5HNN(x|_}h}?*b1xC=E^)+H*Z(6VF9@i(0#G*)n)5ldDLO(D<xih
z!-DgexEW~kfwMoF(e(#vA=xv@Hkw!-nwe<ZX$aCz=B`Zbb&D^cbUIG9^)|F}hu`9m
zzuJc&jEAf1y9in>w8L+n6s~Hx)L}#1TH+=09#`1q=8h#LhC(9Y|NHGtN!OmcD#=5*
zu)`7$h)7?(INhV_?j|lv!>D$=n7T8r$To-?orKGmmkn#LDlAoglP{?dUPuW_t-Irh
z?nu0u(&tZDPJtyEI-k8BPsXyKXTsVMZF1adZ!3@6;;Oe*po^~TVJAE5_7Hi$ekLIZ
z2yZxIXUwqLL*59FR*PU3?Q!H~+jFn($yPBMweT}AG(<^fu?Nq<1{JWKMdSfv-)0b|
zYqmRK$WyrTl_Ao{N$)5C>uH<&8*oi4c}umUdC#?@3?|vD;|!m|p%pDyXJYqzokJDc
zI_f;ISUqnM3dS#e@-4(uc!TJVITX#7HL$W=aZh^Q;(_+K0Om^A<L4pU3X`%YPlZHW
zYc(Qeo&6Osgi(x^vD7?h>CoCo987yn(&=~cyoa&C&FtuGE;c0XJg;Zg+7d9g%QzHL
zN~*79yBcrvxKu=?s~-iWDLHi%%xg<fzH7uYcb}xH9+R-nCw+Nv5^1NWwkWF@s`WTR
z0F{viWW=fuI>A*0-h<cp?AV%fHQdf#xFqwDQn?j9^`3e|S7U5oMJs%-4g#a=;tehP
z0cNKchqDlNioASYDX2LE>Ts*J9O(F-^C2p8`#e}KziUbEo^3UXx1)FtgjyTkWW~ad
z4Z}{`JWY$ioweP9$pH-AR9M-W9_4!+Z^o{fB#L_RWwGGPj+r#tebU08;QIH0tW1%w
z4U3_#Qhj9JI$X%0s0Re};W!k|(VBz%v>`}nRKhR7>bjxNvmm#jkFCXpbxUa{vZSi_
zrDm<Y=y<s_wXEyiIHCnMliVlhX4?9?cBQK1T}tOYKiM_4+a`XuvRjpx1h%+GHLxqW
z4{Knf=u|FnGUxENZXPhP;}}~#=IP?PXICgooOgKUJ3Q6*w4);0j{e<opZILFt);u$
zMzf5))FLBg)bRq)_sn|9mCt8DUUI3YAQUmZRU;OCH1#&!tpm>H80&>@a9(IiD;d+g
z1s+m0b5cE(hG`^|-SAk_8Q6R;-BqifY$BK)0d_<*)EW;uzB%S8BRLh=Ix%i3akW6U
z^}t4ON`7lOV?os5w~91DY8>7Clr5R$*cF1Q<jFCz$y?K_Bkx8B8QMdYpk9b|5#$up
zwzy6gKsnT-JHFGpw2Wr&ve>6%hN9IqEk?^}*HiPHwM8l>bn$E+HRj8Mjg7~k8WN$(
z549lQ&X%pVw<arFXC;)qGmI?8m+5Da0O|%BQG<y)1b2gheJ_WsjLD=Ih!#6xx1De-
zrLJ+~iBmUoqSO)$pY4UEyh#V>#q=8s4zQS0Xap3kUGf)kp4h^}uQU0*++0mcjI~KR
ze2gT$1DR?{nJmUsi`cj2*W8g%(xUl-x$L1ZWt!RL-P#K^nn&-RTNoHb1`fodW-Y16
zp*J~cNwNUy(S=*F^1xD_wbnfe2%Hms&=+xMIki|op`cYcj+&#eHGM<`9{jG-Aw@YO
zIwb()fhBiyhW2H>gQgo=V8eI(;^xXTP=ub!tdWDhcsV6Kd2{vB;;5iErj;RM+xrQw
z2R(H~YRPN@SCe3Ufe*PPDl}t`P;chR1=#s!zCupeOc9>vDNbyXRqpKgO>TUj$~0u2
z)alHM2$_yF$mGN$yyIo*IwP7q7Q98PFkw7vnZtVq!*Ue16>q{v4RVy+Zd;}oAITAv
z%FUZo9H~QoIb&+=pkh~8r)Xoe>r|N$6bO6Ljb0Cq&n=vuU0;bTY^zvPbM%ex1_H}n
zFfgc>kdhdkTRZU<YMnT))r)RUAVSyBVpCr)e(Y4EAilYyH$crVMD}t0hc1GF#S5d&
z7Zr+e%b9!Z+7Yj49mvOgw!pKvp54P<G~ApGZ;v73Jzy7N%Hlju>%tM<(;;Xqu5t_^
zZXl~Ys8cy{fUfh6r4hJDY3tf2{tTc_6rXeQb5*aTN9L*UBoB<?^r*`NYBC<CWSRCf
zzXn2`!iJ~}BY|2lyU;`RJ~!@0XE8TZBBfB^HPn^9y$Co7b>3MIt1aU~@hD59s+?ek
z(dOB*$0LM_JK@Q$(zp%_Zoc%!yLu{M>R3Sy;T9h#zrfgjje+_C#TRVec+~P~ySFeb
z`wiPT!IWkQn!|#Z4!XuB(`%<ag`C3iwN-R6B{1n+YQx9;cG$WGcZ7P5cc2BaYcXSk
z7EZQ@`&_!L;X&{y_Q>eIekwfdT5&=^;!nb!cGkvK`8&0CQzk7ZYZ;~`FI=fZ_c$7W
zN`HHRk6<3}UNyUucRmApZEDL;eP*!tF)U?f1FLL4+!v$VFsx)dehnm5-eXU*DByO-
zdM5*uA|IYMlFQ@mkX?<WNOoKWvAw<YTF!fS;Oa9fU|NDV%X)@RtfNGjSxY6gMveP!
z)@yS@?$u1?m8U$!h~jF9*!RXU04Tbjf{#9%Vmvk~h}A}9EYL^eHj;0ol=<=7l6k8j
zGvG=KFOCw6ic`t(X^0cOO;W_|5q3R8E3N{!Ryhm=u^N0%yBkLO!T>>n>l0l9_(E6u
z66tvW1KF9~&Is}oRj<WT*8y&A)yWQF05?F$zr#6l8>!*w*X8hwV3ECo*DPjaA~Ddd
z1vAt~g!fjOMIxm(B3y??*IwOG5VO9S&C;wcF^uEn)K}CO<OxJu^z2z%pM#nQfLy1H
z;HEVVq&$y)270f`*=O9jIEUAO-oB^RM@H@_<Pg#C?m`QtA#@WN7Ak^0b&0N(OyM-}
zKX#ANI6C1%R2Pvwg5Sofzo6xLT+tN@IkgUE@CtL3$Kfb3;`F_x=g1FOku8Vv_MKne
z^}!k(6y?K(ny6qe^6Scw45TB8tH{Oo;`~)%=0h30Zha$l<q=8D6`^kDc;c?JX2H|@
ze4@-4L*Jo!tP3}aF^Kl0RS@E1P+64Pm>MwmfI0VII`i$ltY6!=v$3Q(oPtEG@U4?&
z`m&yZy$<laUa^}Xk9cJE-co~loRa1OVG^YQI!A5Z4!~LZoe}Z1X3$oj5j++w<4anz
zjoGE!L&7&P9Dy1nt3*{wHxvp;@(S}+Of{H2Z#{~<*PA^4i1>+!MNmrJ6)dk2uRHGL
zyU;g<Atqr>o4Mf!L9xek#=Q0(!+?qNdw}sOX7KgvaP~|E;MSUwYL$KLF`~TB;+gsj
zam^|oHGLB8J-P~$(W3Z{F{_gOa9+aY!jPkNLM6`Ks>PfT>JX|un}zFB&8L@oZ$08b
zG^Gp_XM$CMX|mO>)mp+mrNQaSwVtH3r@-sQ1Zx&4T4yH5PLrl1zVVEUuvX)ZJbyyS
z&+s*@SSy+@l(4@iVhc}=XN%{V%ETtO=kjc;w?5@#x!Ez$lpr={J1AD&(AneKe986{
z-eH_9q|E^DFa$KY-ZO0R<l)vA+DGrDzw0!23EjIn9fYfe=K{?~K;sG`ms~B_vn>Oe
zr&0CIu79yRyrx}2efh$S&hjL9EG*%5A5&&d_uhf+<MoNN3kZT(vxhpi@%*{B#9jsX
zD}1nhoar_+GMHeR3w!NBa%?*Gthg(dYCF(x!UjrscAX!+jts6->!hO9$f<O-FcnKj
z1$);op96<cjD+~0zI_GbWP^3Sj>NCB9uqRsO{R<zK9LLeDZ4okl^D3`<lr%meiV5R
zZKJ&^#s7sDq)74nFyq$W#(6=FrwOVVKItLUmvfb*nle)_0dRYw<V8Jyui01p%^i+2
z4B%vixf}|6izC&ZPXce>>f5(vp5`mJH@uJ!#^7zghd|0cs;o`H%%M!7jO-EGB}bh1
zAWj>B*Npb<w8)FlTdjU*{i?;O2YQeXUzYeVx7TIb%d#8>aVnegN-d-SQ>%4cEERsi
zBd>8__f>~-JJO;*Wlb=RqRzEidE_D(Poyo=tYVe#S;Ym6<etxUfn<0)T?tD=h^<!m
zQF9$>BYE$=w^wl{NLz@<w&HSm1i~rMC(_nD<j?S;>!C#Rlo-K46cIdvXD?T<3gWe!
zJ_2-YjFcxU&GW$0*j5M>lK7c5-Ek7OY|Okoqm#Ft_VDEKQi;Db&8q8s(mP<h%=a`@
zH$t5RsyX0Q1#H_%9J|cv23s!5busvPcH_Miut{@R*_)=JswWjh{Yqjb9xc0TSjmB2
zrFqUp65XObejGA4cS{GubV$ydjuBSQ5KV(HvP>iOs(IYSrLx#$px(0HsmTN7E*5lH
z;Fo4Bk))DKnSPGl?@ASApG_p-g>lGo0*C-di_-SN&1re+OG-6>EXKSWT+|U0I!u1E
zov>}N_mp3}95b&saa0X7OXB@77;)9Y7SY^iX71t9VT3SaS6@}!5ed7K8UZjrmZo=c
z`{<d~M87K_{Dc?n3tkuMR%ZoK4kMa(5BDvj8z+^!wpv1^(UdeLAKf7B3p1F01lmcF
zFb(N%N~Vo=<)z>hTg6N<1y^KCW$v5PwtWP+`0nA$Qd^|Xk!Q6M2A)Hsz!3XJd}w@D
zF4eQSZ}WCnydh(^-6ec^uN6;a7+{=yX1Xf|3Ty@llcG<%v`E1MwYEGFBfPxaZQ-I`
zI&8cN%r}7a;3D6{_aD9f$TPH5Cmubl2Uu7~P2n$#L3B87A)a@Ly%rpi1~75!<4(l#
zh9PRhNMA9f+**6Lar1_i^%-;fB9@!hNUQ3@c_wQYv=pTsY+&?Qi89o87rKa1*CVmC
zMfVvOiWZ_-%ER|uHiB33rA1t}v1{nd43xTdwe{{cn&Ci=gG(Jc=_e^2i^qv|Am{VA
zQj?LHgyXRq<*h$y0cHfZeHjll`&qAxQ@sKTdfsW+_oOs;$RTZCXn?gepOUtAvD2#N
zLAG{m-n0@FWIs8S1p+=Kh+8wk!HI|cj2{rlHA?kZIuS2Jr(?Z|4LR0nWn(e1By95a
z$CdX4ALxo3Wm$-taxxN<p0ecAvZKKs5s2|~p{cox+k}8KdoTD+9;=)o!_Irn^bj+l
zUyq1S5IhZto!7TxuWGb==aNN2jbvB&@t9rHago;Z981jDxQu)#n<ONFhV4D>M{@h9
zo6%tO%#YX~%PV!*5Iq4bC?HM3jd!~ZBhxKNLmE#(#G|;IV7cA7Vcd^Q1G8M<MU-w7
zDc=H_TBqe=;vUxOVHh4oPc3T-)a21K=vQ^1xLrm}G=tBda&ZvlN$)}4NvJl{F=dkv
zr%1iS^}gU+Q+eynGpwkwK^ezwD}9ttJ6>lu%wwu>Nw1fd7v<>TVYf|FwQ0~?Apvrz
zQqz7-feZ9@fOofV2keE#C%q(J^jb?n!o$$VtB=IZaKmqFnM@yEBz8LTu(2y+E_sO?
z9C34UdNwvG085&|(mY(W;p~>W=q1#)LoIB$e*50=&_jJ|HW|I!LF(s6b+JGt*}*S(
z#+G6k-p;axCd?UkO~bX>)qCK`TPV><8EAo6yAnVxub%_0#R}*xH%M=(61|{Q1-^8O
zd+_KHks0B=7WaG>-Y^!KYFHb`@87+*V3!66^)NJ8hJxQH@vtA}q4G5fHOT6ii?e9h
zaRmek279Uz#0W|a=0cb77L`~tN@GGoq3Q@z$ZJM7p<8V&xv_zjCd`=DkSPLXcqO=Z
zgMxyhva32dYWBLHXbg~Zr<qcZLeQR9vvz>z47?ki+%d~*djgf)?|Mwi+1Wh(4yJEO
z3r6gAp<L)<<1}^`eI7TdME3$jvwLa!R*g!r+OskgnB9T5H)15C`OeYMV=mu|plCfS
ztPqc-CqX%ISOc!R9`HhxqMj~7C4e=S+3}fCGt7A*g)ZJT15Q6M00cMcOq6+-5RUI)
z0yoIF$K%HL*;*9uNw_8I-1SaJHp%LeKWDS|7!O{ApC{X-B2{T6^eUJ@Vk(p00>4v#
zl&<8C>OI<KWet27q>V)C*;2apG<zODwA^g=xM*T6pj$T1@GgXjgc7;k3DzvI*R)#_
z(dm3U8}?40nPVb%L|nhdhMT3QGFSPKMOj7Lav#yjWv8AVnLK`884Ny6Zvtyj*^T6W
zX?hmNz`2gztz`1DQJ3<fwoRTTF*W8oR!XsI$5anLCLSau@>B-5g}mwT4n4I+N^uv)
z2OFLHfKLIilqQ85vSY}#J&|)B0fLaoVKhUrcaIV5xhM-@C){qempYJEwXHSvbN2{;
zIGmbnJc{EHSlXrFdY+@C`EbLvc=i)trZ0RI>rK_`rMoSmmx0~4O6WHN7Yp^4<f)Cc
zydG5p1MvFw98Ca%Ilyk>81`;P+yRIN98r~p^7zVnl<iU0yVBz1>RNfVc*9BbymLME
z#;{SC?+q*1(-}eseqx=|sZWsM00{s{+E^e9x~cEU5wV!Xv1|au9&Lp<@fa1Oz&oiF
zJ51bdK@(h;dGFCHjeTO}X%A~J*bcPT37*E~fBa%B$2}2ANmy(EHbx;%BWzF|Sa=7E
zxTm$~Z1vCrx?mR7)LfcXcjIVnO~bhy0ZS3!I8fhAdHV$QV>1v7&T2IYZ1o<q8Z!w;
zVO1IEWf=p6M|Cl<=$lx8o^L18bf*T&k&w2Lv!3W9-{EBPP1IM>QjDSJU0yjM8SepV
zh1@zQ9KVEWlvUsDXDY>P8Ou<aL$5`!&+`_7k%?G(<@NFvKcWaYYYj9pFNH*ILo5s#
z6i-yF$c~pD$}zY%bkTN?PAz?iQuP(__M2czTfyR^#`ikoXuBzKa|8@$u0gU8!>3@$
zS_*&xm$lG;7`<So6vKe+^JthfXL*c07)$MwoDe%`jy#lt_YzXF7N~>oF}&MG<(HKz
z=BCNWFznkcVXNZlTSKnC4Uqa4bs1h`vJSFpdBxk9?bS5Sd0ic^7>+t-Emq>`RCY5i
z$f2e;(CQHH04iAS?HZ&=%o4Pw!Xbe}yqeiL8|q>Kw#f%xsXTYD#u8T$^et$WzT$go
z7%#RgT7bo8?~&J~v(ss{PZ?h|_?m*{I8-n6!|M=W+s(p;_DE{a69B3~HGIyJ0eF`}
znIv&<^8u{gNfF|`0;L_T*(eg~@F&~HQH-AakPoLB%!D*+pS9%3JK^oyX}1(z++Y<6
zkKUKF`Bu8PFA(IlTx`zk@Z2!|5flET1b~+B@RMJGFMgdhVuDZAaGkIQFy#@uRnwj9
z)ky9bj5^`EWbTu3cnB1ZaJuAne)vqWhu$Q-!YyH^dn!HHp=AD?b0CP|RDoQ8AB=?5
z7Cs~)g0sBdz->=BRbsp_C1GCeW$~y-@1gZcZsnVvB<P{YjC2hGB;^b7nGg=m%2;-#
z8XSX}e7QOeqD9V=0Jhkb<J^r*LCL67s>%%7Mm__9D5mlL1=#cG-C{|ur#yJi#o<WZ
zk{@)i2~^KCvna0}Zz7A8rtI)0FKr4J3MbLEnF7uz%{`Ka^&=v7D5>;n;-j!PkZRi`
zn4nLVo^y&JgdZ6zGkc5zmyWAK`x)HWZ78=Iqp_AnfUumm`T0gRKfq!GXc~vpLK+l8
z7smh@Jk)&8`W7#rC<0f6UUd5UQYRR-CLi9ki`Ny*O3K^KNyJv{C)|VDOm#sx@Q#Ga
z8QjdkK#Ss<Etf-@P)V^QHr{&~oD+yI`U+HW5qX*)T?E;aoa&|t$gS2#CGAwA(p$`d
zPzHUDg_Ww_w1C?<&hK_v$_+^tbzW^fR9zLd>5w6zcW(l%qFIK7k+#SXQXGH;6`g=z
z-g*?p%<0VA2Sr}nl6ZVu^QilFoekF6Z=Sz_Ov>X_pfOQl&MoXadFyM>!ddztDP1dX
zBRxu(fvVc1-Lvdg9?~&7Ca4ABSvEPgKU&@*)PPo~Ks|PR<PzO3sFmYrIJb}-P0Exk
zswjf<+(~a=fYh%DKNGFhOuIMTwtHd12yV}@@fj)#j-bZaq(E|N6B%R8)H?tWI2aCu
zSH))I^yImsiXZRr)ByQ18LDCXyz7Sdh6D6YsE#``mK6ye^1HWA4|n4M;#;+0C{_wt
zuRwL5iHQK9CsQd1UW*#)%;W;{9>=t7z{L_&>RwSjwpmm0{s!2;0H)fgQ?icHd^&16
zgScm0@nXQ-H2NKoHF#}G9vY5oiqSZ%C<tue37R%MY2j=$WCun}@7mGm_LUYzUxyy*
z=ULcUXI6L4o5ksX;;O*#7$Fn}SklO?gA=#cgJO+cTbHYB)AKc4*%&h|6YRro*%G6q
zG+L@#@PqE0;5DqB(iy1dmXAEk%nsgyJ{$Dtpt`ssm`;go8V<FQ$F58N5uED;`m%M?
zq8m%MvN^P1@5o%CIV8{Vd8y_&xWC9T7PY7wA80+6i{v76!ZQY^)}dyiV|kYr&obS!
zFJs3!c#-Vh$(t)BZcu|sWqrXfpNM-YUfNUVe)$%Op#k+ukC>OVp2*RaIRiZ}B)<1t
zTF&4>`vvHQiCfX=E%K}N(T55rulr3m0OC!=vChfFq8?oEdq(XKm9z1g=#D*gEcT^h
z@rZo$$TGGY`)C!zcQo&ik5nWxF~OqOlcCFOvBCv_hTxt>!-aI{MO>f^lK?%z(UvjB
zim_G0VH(V-!NVB~s`5DTwrV-|GK*WOp&;tDWOOl5P-db~T14*fVg_~{YbjHD46Me}
za}ZHY2y}rub6gAIvF+7cK+$U$PqGD*Y;5|SvVf)>XCOms_vSr3CojHt>WFVko~0NW
z3-Ot6Hw(Rq3~375do7J)ubB82^(;JOj*V8OM6gmjWO$*}>OIOUy{_|KBa=6G^Stt%
z`0Na==*x}UHBbj|Nzh~TfHzkGm$?-u6O9I>k#?@cdGEFNcpi(K;EW=!SX)H;MQXZk
zcItZ$0Gh|h57Y_9L2;ggf(=kY6o@?F@PQmA&Z$f<o;t%k^NE|7qsV6q$<LlQc*h`6
zWf)9B=@67vPtJP^!{<F~8zE$GF<{>DBv`ZcJ>@7XeF7{ce5!js!w>G!t9YLTt9=pN
z`D{3mG&CKbIT=0xb8&mB@`l$>p@|SK@&c@3U#~)m7@*tj1JReU{$gL;$Y7d#KS-9x
zhVAkyVa76*f^GAB)e~#!w6Pz^5}??yS#Gf_*G|kv?QN(<wr6hg%eZ>Tk(iiow4b<v
zrq5ncJh#}|nTKPjsguMKHi(OuRfS|lV3&~Z#oK+eh%ej#X@HHU_ukW{TNKSnt4ZuG
zCaW`%{}ARVq+6qUIuBm^qTgbB5Aks0qSiaHyDpM`kT`Aza%)x1Mot>aV#)lZpol@w
zptt6|SwvEPd`b+;nguJBfY^pAXG&<j>S^j~{q_t3$=_R%9a4JDz}`tfr6RiV>KtE{
z3C1JMTER_Jin5tD34$5tuza^%WT4Uz%LrmxXPWs+t<c|_keEp@&{vNi1MwEbN+-U6
zG0XS3j^(go1Q3~M!K;1~E_@2~ylHyfjVuezksWxMKv7L#W@0Q~Yr)+4O^Ila=~$Jh
z?40vhogA~j?(k*DHqBv2Y@g<`6lwy#p&Y9gljmIUxG`h+H4eqOg5gFB*$jqe_#AIR
zle!Rwk?Y&@7!y9PLZ6~{%u$KY*A+!TplWZo5Dna^d5;oXLct$r%WAvwiqE{~P70Hy
zo?x}R7{E<yeh26C)=xFJ)Vp9zPxr}{E(2CBkvgM{meX>>ynfFq6N_aXYLB)^eW8Yl
zL=oZ@%!xAP!?$#Bjb@H-DPu{J(brO@481I!of2y>4It1v!MCc3BscOkcDKj#r*Voj
zFXOEY9w<I8=CcQN+yYAu56SN--B5&Xa~gP{J{5YpHH7MfDF>26IOD`DSg0v31C3P0
z;}mrfi%z%i$<SUuvMqkb-c_Z9cPNW6kNe$Kjn|7UH+e9LLTnBGwz+1QZJk8+If%+6
zrtbqKNsP%)giXE>zGvk+ZBGb+bWAoF!UpFd)vLUB1%MCjfQGpU4VwBF8-zXN)MtfF
z!?5S~e9wnYOaUH3WKQrs>56^xYVUPuz<M4R*=vtRog#K*Z&7FN@NP+Yn9qS8@t*V(
zNmuT3NN7^?8QD=!>M#)pJ0S$=U1cL*t+`jm1;y+ejLTU5nxs&yZ9u?4)n4zOhQVAc
z5Os;gNI!okUCFH?iP?b{djByT93#TVnfDxmg^IQfAY(A)Ewo^0$Kr(c5?yFlcxF5}
zxfzOl+c7H-6PtxboM8y&TC*<0&+A5d?kO!m-J#;VPLa{7ec9+4+l{D?Rf<403%oG*
z6@wV@4-6Z5c*N<{wAl6zag<)T5_qeGAiJYB_ZiVkOS|ljrNre?FQ%n1L0xr^RbQNT
z(^tSGHMrRZcRuB8PwJ^Tv-nuV^8>MXiG#yyLoq-Q()3;*u#6M%w9EsY^UZo7*5Zhb
zezYB6^;qi$n=+ZfE}<h+-l9R-W_c_W2OPguuAsz312x!4hD|;I9RxT~!n`9$nuVNI
zuCBdSd?v3Qv)o*Yp305U>Q2H|om%dWoJ3H<jSN|CQ`Dea(UQs}yv5cW;BySgVg*Hr
z@Z@U51K(qAL$Da^dP5KI&FdEd`qrAV8;5Uv#>^J$H$v^Ci&#}Ot^%yicQMLm?D0VS
zN%88`+CG`ULxet08QtuDsTgM_9Y%$i;tNE5rXy3bvI-W8iagF{(a-JXT=GTkP0mw6
zN$YmnblKv>$Ls!vgBXmltebMkTD60{t)0;E^f|$;`)r2gCKbUlLsK+Fnkcf!qryT4
zE<CYGfdEY7h8N~BMeVX;*D6jAZrxLou5^=LtEcdjd*l)ot^FE3m*A<2xp{)_PV>0E
z3j=Iz-&NN`NnB2srQ1l%h=fmuAAK=QTHevXv}x7znD5#j`c+XXaLT6N!`Vc9h8|}j
z403R1zHXF`@ya<upGxeJa4NmHCKIcX28go3ovkBz>=-Yrq$B98a5^eI@brPd$nMd!
zLbt#S?l+J=>=#<b(Kxv!-qLia-KQ0!;OETTOta6QV+p##kzu)NOKo){X|hABi~_a}
z*T7pVB?Lk=a9`zlrp^UuxRmMx@A*L>fo0Zc;(rj|!a6M5nk^WDIy&oE<l_K8oKQ^1
z+29+h)<bw~v*+plc5i3B%HW9`?WR=0A>)b<HQ%(CmsfD^NrTnJBb1YY4gd&&b2O6$
z8FxlIeoV!&@4{Sb`MnCbc`O|A_T`J)eKn^~U$fh+4G^&22sk~~Ub^-0L$5i2<2kKC
zgLy&2iE8SyyFo>dFH&iT2%Ry6w%|~Fu4<|Y!vIVMHWvF<7QA23yE!}vHF6h>0)8|+
zcW*FB$-!tCC*I(@cish&y@2TNA#6-jj|+8sLnI8|vIq$|U+>d35itYr+!xk(#;zA0
z*TKbjxYKMk)V#;_a8QmE#EX_8_2>mU-0=;RGk9n4$>2V^ccT3mIm;Mz@SrgKe6-{}
zp$*xoVK!loXNDY@PR{g1_98lqf{(0yqu^q!qn&DZ7g9>rc6g8Wap>&{5gpIH0;WxJ
zVUXty>?=BK{9<m<$=^GtH*Vl)@}^Xa5)|wO@~nlN%dTs67oI@?-SgK=Pv9L&i|Cf3
zM%9_{o?+-59dSXm;Eslx>By@<B7Oo7Vyd0eZCTGyJzn*!p2oWc1$k+`H>4CC(&gF`
zq9^E{@Z5r1Ee%N)1mMAYn6e51Y;)LABunTT;3>Rv=a|!P5JvTR0i;dEm0EAwC~81q
zPe%2wTh}-ltG>*<dgmzUS24W>Gxm0E_f<c`AlQ2@pAb8ILX3UWl&`zqF=O%2?%nZQ
z@tnAfe(uf3O#ln{cp}1hv8yxKh>J`%2sk8Hyh@r=tHSQ8{a}@kVTnR5C#&h1p1!MR
zxF~PC&efhWPuVK8C!U8eLWb;|gUxuSB`gXyT)vLWwYFT-L+{{prC3`nRjyM#(pp-F
z40o#GcPM(>wZ$Xyl3P}+36-Q<wP%b@3A2LID<74|i?EicqQ@9sudrkPqZphMw-R<y
zBq)yqp3#CmJ}SXRe9>-b{@_wGEn0xs()teLm?-7Sb8E&lTJK5^GnCi#+P#GuY585<
zjiC#$9vowi!@VVaSF|49u{xQW1O}Y2DR{XW`^?3}(#cvB@E~7$8&RJoz2UbJz7r}3
zbCYc8)~nH;KF5=$llpWHR4~Xw*bk=R1g}`YWW}pxZ?}W1(m_k7<K4@hyIAn$k$Ov+
zr~c%T>OrKGvZ>F@HJo^RLL7#MT}|LH{i+@Z)fJ29-a9D@(w>Vm!Q;A1J``v`p@B8*
zS{|GOD?rm1`NT`DJw_|t#cb-udSG9^dZ0`xV<ypp&#noT@r>?Oo=)shJR^ELwq+>O
zBApQz>d;Pte&=qB77BJ=wWH>jo3EEtk;V4<9^7a%l_i5ds(RG^+NeB&c8aH<q<POf
z#jF%XOubrAJRoX(Vlhj5Ine<J^@2l;@b$)c!;Z2QH|^8LSMN4yBb=ZEa2@ux;O<>H
zk#&x__B`_xEbm!r?e=Psvd6vJB4_LZ9kHtKxI{a)gTk?IikDy)1oDtGXijiF!QUHD
zjk7zQnChfcPFYGXd4%4V6P=dJ9(05W6Aib4DF^hbNy9bd<v|CS@>{1@+%KvUkKZo)
zk;m)W$jT7*?v05@+hjDX-posDN9QO9OJ4FInsyMQ6f~qZ{4}I{sNSd@@HfT&MX{_X
zRSF@!=?=9$IX~7J^DZL2dR$ul7PmD$yecUe)p(y=-f`Julq11yiIaR_xLgB-oa<zj
z#SVvua+&1?do!aqSS7)aT{*#zL6t{SwY#bum1pIF97QM9>>db)m@nvzqU!5zhlUKp
zfU0hp_qOi{+pOlqO*BU6UAPItxpO+CRyR`<9LV#k$asll*LtC%xB^E(DTWdZ11jx`
z*#j8e_aDZ2a3{2@Pz-PcWa3v#)8IlJB0{0&tfCL@`KvHxOaRe-h8`=*Y{8CQuOO9Q
z#WrXrk-gZkel@RC^##xL<Fe+<<b<IDo~MSxgxAIIC06=t2%oqfY~XqIs?x~F{LRC{
zGVnSSw-9?AX)(3_D)e9<ARurazO;f?m}2l*01-05Qfzgl4O}Bc<}EdB5>xFMjV3C~
zO?j{~#L5a{SMCV9Z{`}DIW}TEpF)}7I&Nl(C3@%bUZw=UfQ${H-LeSSf<>t<yPnBR
zsA(O0wd*%?7>opX=mQ0tLi7gLqk7kxf_JkGhVzkJ+RY^A8I88I62PJ?jll5&<33EE
zrPs^Dq1IU&ZK>5`ui=(-s%A?cK{@ez&r!GOz0!~ll!Mpd;Us-f2nIVaQoOx<Wty7%
z$OLKaSKTqlYh$t?N~pogXCTfnEhFK0hg85O!m1)8&ZeLbWB0szNGzGG6Z5HI@Fir(
z)`q7s^=iVnFQTS&4;C<NzCu$x;UgLvN@ZAb!XtKYeH&;&a9Qyrw=8bvHRmyMi5*Q1
z%4kV#DhdcLpl%1Jr7_o-yf^#26jy_a$6r41a>nFW53(OThBmN#?GC?QHDWz_OX?Cw
zwWe;v)c1~Y3G#7t7ik$aaO0Hb<tuD}0^pfwtxE|5bA}$xs34HVRNPB_Xzmg=ni40E
zc`}nibC>KB<FGG`FJ0~7+?$+>NW0sOmz)(5Xb(?~0z*N<9VDLkb9-qmVr2mSE;|yA
zuG^Q3WaF(6i&k*yy<rP<isAF_kt#MpEZ1vd@-1k^E=I+B;08HNV!dF*>C;}^5*O;{
z7I41o2K#V}3gty=Z$j~T?Tx?eJY^$c-Q4a{I(EZXZLLjhOBS1hS7WguIFdtvG)b*R
zSbcTjEBRg)<>B#7GBF>B4g2A=|HpCY5ZcHUVh2E%vpu<<h>?VXfGCES1O!z8V`Hfr
zP<BpaKK$O2YRydG3zBGl7FoOrF~Ryo-bP%sZ;)Jia}+;+0bNGXVjU>kFKSA1@3jo<
zC<K)eBzJM04aRiAj%?rLbu>uqOW(;J>%injou~d<-7FTe6&DrDkQI1}@;V{c@i}#>
z*CvtJtGIoAdJtOtta5H*tDz=$svDeX9CCZc0wart(ZnW%tXpgnS2=t}o^Hs^RfZ!)
zd&J9<owX#8#@BgKXn|;ODQpxFg^jh2LI6SOrvRFKJ!H3VJ)2_+X1cNyJw#Ja*=al+
zp4QNs4+$)CH4C(@q(*Ltq>-^i^3uC#r<2*$(%`PzN=T{{OKrHVRtm7EMOVhQ>*je|
z%X+T{{1EwN7gF0eKkN2={G8rl{K_sK&&=S*65SxhZDN7JIE{P=+uHh0MiV*Nm&{NY
zsEL>1$a5jgq9p<EU3T0-(IS|$up6<-zKAxSC;jTG^<LlYizZ3+YU)K01ko!%Q$~Fq
zAzDUO+{367L)rypA@C&Ek7D={*lPwqtAiHl?OJ)OO1`ic%a5mwS5<CO329k9Jf6-2
zH>I41jgpFOtLq8U6ZP0MYlP46`W5fh8az~e(vSny1&yOTb&B|C&0<*#<Cr<Qe-V`h
zH+(H`6|>ll$1su8lZr;KR4^c+9KJYakS~rmz~$xIi+9yfR%~Od?hW~b=aD}5PKC00
zL9Ddt6mnW=Dv8Qw<%>n`<8q46Nx<pF(|pF&qWublVLer2PQ+b77vMM7jF3YCK7kkN
z1l(I?%Wph7Bz3dTfFqgSS<6)QOG<_}@hp>L1@lb#k?=L4&!uI_jN>ayjyI>B76>l`
z!(YS>iJM><mr$29McvGcr`cgU*YqS?jRxdN8?d~D=e^RT>;Hn>)S85<S#mX;9Pw%Z
zc4*TNBnUKZ!OSNi7ACVL#H9eu*Pgwc=WfpO=+WAE$J;%yoFAoe7iiCC`>`vMWHyWA
zOPdkagmj<s#Ynk+x_+_6!q3(lyI&|8F+Q9kn!;|Ki{UYNt5^6|6dE-N@`*PKq#6p5
z$3o$@bFb692R2iQBu`^KwCh!%5><;WAeL-}2fcBFfv6PUJcq%%x#&(HD`kUhZ#s~T
zf@V-BLo8nh*YXXwA#Y}=zIB*BL=qcTk(1olrn+LLGOegcLVfwl2wEtfzQR#@@bGp$
zpdWA6VGSC?v{s1`?nrCf-8;dP>Kz%zBGehGwbW3m0h^o_N>)81H?*nv^)z~0Nb0&g
z_(J@UO>$o?-U~rae{so=_G&cF=$ie-RRSAPU&tG{p#~Cz!FjAJxV@N^6%Q`sxlG$T
zxYv}NkSYd;#RwEvrh^%24pDNHOL3g$-PF%v000hNK!i8k)@5oWrdsbr+*2}_Je%uv
zrU0x6N40*u0I%Px6TrU7lC^4eD(jK=uDc3VqW!^*t&uTTzzzcMl)QNo1JWEr)0sRY
zFF5q=4bnWX$EQBR;O|7unS}{SmXSsx-iw}GW2RjncR76+1Mj)zYu5}Dx^2TUbCwHl
z(uH)O;&Yi<H=00tLA;y<t4Xlv5-#Uv2<oGJm-(PItE#gUJAL6kK}P!Ak8QN6tb;@4
z+UOZj1GIETzTq9DqKA(UiaH8bQiFrT(@fXiS_~A@)m!N;QeFq=!QOf#+3*e^4nkJw
zXzU0n#A97-^9~+B`iLm+iE{GJH2Mj6zn9MR)bL$a%O)o|bLL|KYuGTOXYgX!*Oy&6
z^1)(Aw<>aGioUi8cD}&?DBMRiSI#<k!-U1J(m^E(o~OhnI4ZeC270Hy(^A=axN^hU
z+F+03Kaz{PSz4Sn1ZY!}AiDE(0ADqtpW!Oi&aScCsP!|nwVd1$8lZzmS+a}c)m;wk
z1#rjkXnNwIq1{+g0U)WPv7fW9il7S_;~?EK@YpKz5N+1$>v}*dHK`EoOjV^#vTc-N
z-s!GcZ)Lecv6UT?q00`L1bi4TXSVf$1C(#6XYRz-c*2;Wk8qUOIV0LbRrA!)H#8Np
z(A3ixPB?D)FvHr2Dz$&Epzu?3+lN1C<@z+ArcLSj7Cl*;;8IFTMTCZWFL4Q1BX%IG
zo@a2XSUh=YgV(aWT)BO|$E*$qFseNlNU~JBQ|>73r=$3=&ope7HLo|Mw@Ghx%-=hK
z$(Ev_n@rg7Yw#)Ho4n?fqzoTeH|>aeW~a&$W$p?#uO494@6XO*tTudxpVYVzVjCjT
z3{)iPUJ_n7$UG8MamN75SLdilU?-V~Pg$IhT1DAw*B+OeIw@e91{fyl6Ork4X(9`@
zjaWrek{?BLTR=zCW?J4YM%2J$@%-}TOCNkVBHFu(kxb+G2rptzDGa3!Vuc<TNt#3S
zWkupTu98E$>~L4wND&h_)C{m3dguutRPKopJn`_5NbFG$$~~PfDu@vyK!tF5_(DO$
zA<4y7eWr*u;}WiGIVa{WGlfoWPcmkl10}Rl9wco!j7HGp^Xc~W;KoYofar4qPxNNo
z%I;5+3BE|~b2Tcg9S;v0do!8Gvs>gOCTbgxm~5)2w2!aIBRc`td{Rfl!<N&~l+_C!
z7K4ms@c?>=)GA1fE-Y0!M)uiD129AckF{qHndZ@qYwb)|(U?fs6m$oLYL>JS%i(U4
z9F3wlA1y(ws7GBW#$_v(3>dBhBIz3FIRsZ(#H&W*QAG{Am7hwveia#T77pUj3r!R^
zXio*A=DD-V<S`lv^eyBCZ~ccdCT(fHWiso@X$u>0n#$3Md;H!zt<cHgjkXLndU#0B
z=#JM1Cp5Au+k&|YV<-Vhb2Q{VL%g^^x?mkM%2``n0YR!+UVw~fu#^C+09Va32%ULr
zh_Wd@)0oeW+wbmXHJijv8_rdnarc$@oF!9lZ^H@+=L_oP>lLWcEFx#0Z9~;|d_#|p
za}4Oz_x!;Cl5L{r4IV1JU~DE#ADhHF12Y|XF9&tcP}L<#V*B3kBX8IkzJ{pt;j4-v
zgG;$Xt{Rz2b5;!)dz*E671YHA!g^%;w#oF~61*p3i|TNLPu}{&c{#Wd)R+OWVBX2+
z<r(xqxsP%0Ej%3UR{|nOeTFk5zONpl=0Z2Q;nZ6)2ATuv95G<^0n4tpH1G_y;rO{#
z0s(*r-`0S;x@2cuZ5+zEwtEQM!y(z|f$~c+18iD>VSI156kt7*f>9n%bG6t#>?hIW
zxIkrZ{GfOMX;wn0u(%D9G<03GQ&fOlJOrN$O{BFvFd=DeNO)W~;IMj5(A~Qc-EzZ^
z3aVP<wH}|!_<O1isnOv!;mc^}haTaCeYuQOA!sQ^^xTR9ArQ)KFf6D&-;Tl<FDWIb
zn(Ej}<S{taR1G`}n6{Bkq4Rvz`lcK$C@SuppSEb&>6>7Ui|aX0zAWZkdPYK~6qXP?
z)is+GBnrc#<%m{p*D47mrFuyBjk15COxeqrRgkny_CjRno-V3JxK2G*Y5S3eKJD^A
zh_92O9y3l9b4v=7J?FvBTr4?wV6b=beC3JNLBD0_F$94c-KHm26mGor4uQ8O4W)$w
z(?QEp+6jdi)FeUmRX+q;sNo&rhe1mBgmp}Y5Oyi^T3u@c_)>5&%v<3`N7-JG&AkL&
zPN6<{Yif5vvyThd`n)hayrGLl^))n7(|EaTAUfuWz3QhKga5L;_BO5x)Z7fVQhcx<
z;5;?ui8qlU`yMo_E*+oEM7`#oeh+V*w*A%KN@fvOzBZ4`K1B`gqUZP0Q^v8P_l0-U
zRVtw9Zow?PI6z~go0UK#=z`=X>(bFHh;Z2F{GPPmP{()xY!w2}<Acfq8c1JqdPDMX
zisE=|S0}~@Mh1C2NDqU#u+7|}?#W)*BM@R=2n~8+xT8TjnDnrM-ph)amkhIb+aql?
zVW@^)_reu+-;z8e>>$sMT06&~66EI_E+>@|f)4XmwCiP+%`*6uvV&Bg@MJea7H2r>
zBiF0!D0I%0*hb&*jS?870-_TrLN>uJTJ&WGUg?16lg=h)Q@*sWVYI3Q8+T@X5f`@4
zA_&RRkc5#}D~;t{#N<PW5CBKPDA^r8*`a4VrkViTHt5{xFW|`$zp9oPfzj|gs_~OI
zFcwEE$nij^gu_Q}MWRoY&mgRlv@r=?6S;a-MQ>pCRt6ExYaGk9QwtP`m|M7P-B{%5
z^DR4gvP-*Hwbn`l>xCe83^GfdXX27g@|<VhdruB7Z!7yTu24*67ffia8SO+rycug)
z)6h;Z?kB!|7eQbmc)npB2F81a^8`!Ah|2aXZB$-8_AGj(a5=QCEiX15EGovHsWctZ
zI5A~;#%t$13@AT{rSdbXH<`>b?MIfpX_OHm%vbp!=~eW->oQFGWSQ-YWf&ib+`%{m
z<gn<~eOp22oCJ~ktd_B#ii>OpqV*O>5^a?MFyO1|BU9B&GZJ(~e^Y+Y#cEPs*kE<$
zI`WRmZ6^uJnbl7thCrn1K%Fnk=lQwHEu@B_GcmO8`Kk!nQ`kJ}mZcc38Q`~%W!$)_
zCZ0!0lQ4uK`#pQq#Kb6jH`k`fLT_pES)i4Ycre#8(w5Gw^gVEpD^kzaE2mK(aC|S@
zPM#XzyF2|4=0_msrgZ!UN$V^~ManCo-8E`+%~lE|C)HfrN}3zXlby6E$Eu4?MYyEN
zb50+-U*Cyir%?n;XPrM{m6c=;p?d7yBa0zugi5j=ita<%9eZst`w|~i$CDO@3TIf-
zxiE-V{9KdH%I!E-L!T^8G*#g45HXGn=3b3X@AB$p3dy687#NI64~M!odbWZyV*oSv
ze4RLWcQqpy+Mhm$hhz52-8QS%p1xGd3nx3%eVq<U;iSZ8h%TibB&NmZRJrE2bla%!
zZ3Qbs?5u;J@$8E2)oBOs%b4cM7d??~7G{-r4fzN=B?ljyG^YUbI;f#tromHtG-H>`
znD)j4O{|{GcxIq2Jg<C@Eu#SL@mxSbJf;*{_FLYL^Xq_@>gJvJpv@vHFG3#<%6nLW
zC)VbtZ`ug8LZ+b#_&lIyfo24Ib>RHOS8j51@E}1aBSme}p`1=+FO{dlBTlH2v9~AY
z^;+sIb3K?bp*NgSjP0DWi@Wf6!M26iZ&x+}DE!&2ZKuvYTN$P@Rg=BWWU@R~jGYwQ
z;uYa^-RJ2`HiU)hOrC0a0tGJz<FPCYrfBL34{lS(-c`TWnV{@FLxXqRH|f=nhPgpB
zt=u^t^~nvAQ$o&iJRfx6-RISIc0=*DV;PjhK%A%U#agrGO*O)$zj+q9ma^m$If%3~
z+lZ_^+q8XU{Ry+k7tGDXR*z@vnNb}dPp0}Izhd=DLr{agC#ugiqxPnNHNk8H9>@hn
zO_)dTK`+;&W}k>d^_CCBAQXh>xB^U+!Na-cM9H&$PZ7s)In!Mv+?s3CPAo1K2tzu^
z&3p6|O^noD_#FsIs5A;o&F#cx7Y7u)VWEwnU|Tr%x`B0<gqgAz11hh3wvAoLHARJD
z5H<S^vF5`^LO?h;&1!<D2PwWTqEo59)<x}`|IwU0+Sk(!%q+$P^e(Y5r{eV!xM&^b
zgR*fkFUgGJm%6zYZ*2BGd}a5V*B?!{q>(wz%(L-l`XFpjcy=z{QAH)&W2v}PM_ZCd
z!iC3l+KEJ25+?5^Eufrp;dVuhv?R&E+Lz6G6c`ga*acp92%(_#iZRN2%_9<`4+5=9
zunn$3vyn7;9a-#YOegf#%rh=S366O6o}@a-(;+fEyI*9e75l*~A`(BfEvr!9)g!o)
zln@G5pC`OhM)NE{hWJJ&JGSc%#Z~I)&7@-#pOO$VMS(u+=7`OHEc5s#s{B!)`LZr0
zOTfIkOpaAv6&4VExh<{jCk?k7%mK<KwlYulFj2s^lE9s)e9dMBp|3|G#bn}6MGd6M
zI#X_43eel479EjFo98j9IKuOONbzFY-G!E1Xb$5zfON=jPBeAK)^BK#euWdgeL)Ck
zWL9oH{i^L8r}X9N%Os`Ns?a3XCsxsJQTfh0U?GQ3XGb7H9zGs;I7?_dSjf-Co{}kd
zTVHZ3B~y-dLiJLl7Lq(|kP!ESe35gS)1nA#V!jWhD)}`4XhvW1Op&lL1tdu2Rb^0B
zQPZOJOpL&T*J>xxpsn<*J!-SLh+~#q+@2wJ@{E(hdcT`fqJ?$Yl$V@fsxo(H^(K*7
zBK6ohMV>^o=%lm+&NU)?kUc73Q+RirxNqT=@Kxw1%}QT17sqWmId4uIucJ#T&S@^+
z2xhit7*|0p_JC)q+Z&%iXtN-~eN4h^U}9&gJlF}EF6+}U3tA=^+bq!;A>x3+1K2@I
zdVIyxdj+1?He?~Mrs~EOgHO2>45AGM0<@LW%&pW{IT<7MRTwej&W58z9?vqOr(;aY
zJbPdXLQ=9g6bJ=7WO;^z3R_)b8ahH|2{rFbu~ObZzrz=u<SGjACTLwSM*QY#o=ES1
zI1_WcK5YZR>x@GME~J!q$Q~`t%7BMY-sqDOpDlXOO*bzl^`Q@pX4mt4$MBpCUnVVZ
z#fd#OBUnXB%am1Jsu1OuPgvh-;~JsW<Rh{7>RP(9d3pLImvG*yjp`2Vtz9W35z&St
z$6P;->!(qxFO0{9-azRP1o!C)vAnbiXIi|i5`7k|m*^WjQv~b1M@L)9+-8TXPY@qg
znY6?qdA@>-gV1C>O@fTD<coP}p2Y<N=dylsBMi^efz0^5fq6hMYj4qK2~4d<qud@@
zM-)!`C22V)UVFVJwVAwbdn(XK{<`_SY=q$;_g(<!$YV@wcwPdWZj2AR&0^+J*2#!>
zKguJb+u%r=r#<g5bhyU*94yXM-{BR%YQHFZ&rKJGxMnCiiUfKng8j+WjNWj0x4tqW
zYXJ`ceG!th$VhQw$iq8~o9Z9{cKVb--XW4-lsDwd%7>9C62(aalzj>Q-a0ZEzPQMG
z__AFb11JD&9*_90YA15?aO_ZU4&=3Owx5q+JR~81@40Uyx$UqX7&DmjEi(wEk*c%y
zsAR%xKr>b-SG@3}97?d8R4a5i#0o>JQrrnox*e^ii`{!5mh4ZZ0#$fx<CXK%bgXw9
zz3Q_vo!4`Y&MLSf-C^gdodYCIvgwbJr$ILpCz!{U*f)w3DvX>sSY&-2OIdIXwT#Cd
z?^eEXHu%Ch!+BIrfgO0gUqqbjRISqnxSSB7a0b)NOv_7r1@+V<-|@?cf#<dn@=VBw
zVkw3j<K?5eEM%cZO1PHi@8$u%d1?3rBsPUh-wU+Zd-ABJYC>?joUR{dwrF~WbR5;N
zymy8-Trcc^63fXX38n2epVR}zBC>u&5V8H-ImM`)%kpLfAV|DCiQgIMttR;G8!u5N
z6vC}ado>Rd3Sg!#q%!LrYm5%=CW0RM^wobn^HX-SYZ?#*jmsbvq~SZbK~i}nv(3H$
zhY*&>HjvMN0~kC4;6nSN`nI>FH&N=1Ll={@+8U@u=ETB@4(B5~e`|-X8V_*Sa$#S(
z5tZn4TLdQFq0U-8uj&fBcm^Ivmh5{NunTPvQz|FIr-y*@jE>pPXiM*Py+WXkxUBJa
zY`Md%u?182IOb%x<u_heu?85l5hNExq3odr@64&0b#vjIL0KMhA*0Y|v}&?=;wt;v
z@SXUU9bNW|yY!wZh)am{naA7gL9W1-N+KXQH3nG^&#yGL9velKq|?i%E=ABt6?TOO
z6$&-n{t(}!MZcYdMiVV-Z^ubb<9IVpnBhF@!U2Vy0d&ZU22<)6_v&TG079>i)jedR
z2bT-O5poWORD~315uEw>h%VQJp36L4?9%M1Zi3`26dyZ2d?-L1h=f%Fa(?=3_d2o%
z1Gp}7s7JPtzz>C|T}*hD^uY*NCFA*Y9FudA1)h_&<W!z8ZqeZ^t{YsGG@x?F0Z==H
z6Zz8%)O*OdXG}&}HC`vF6N45p9xSZ=7-z+wTKfQZ$RG}mxXetoHmeyFGrE}H-Z;JI
zeF5)IX-uhl&b$d&;!FUnO<-TD$ZX>+J_t~|o7j9Kr~&74rko@9<jDZ|Gp)<Ls|3{9
zh*9EHOY88cM9j;DcqgNm#s`uMfsc?@Hc$MUXaC}PWw6oXC8V46s)@1I6C%2>usZ5@
zCNT4S-coj&EtX-MP!;gzQ?|_2c#gPHC;3X0cb4(um00S*o?^noq~buILn~BLj9h-t
zE)I9Hq$&BmW(wLc0cVY2Lw1qTEe-|%avsfL0Zc|Oq#Kkc<%V=rrEq2G6$`|vGH+(d
zTX<~TRoW*8Q8ic_BOGz++TX?kJlcRQcXRB1O7T$6uRN(^+|^#rRXo`x(2TlQF8=@i
z?3jtmtRUQYj}6A8AMo`V20VFbXsrtO{55mx<D!doo)vmIzN=seNmm6gJ80zssd%*!
z01!kjshjVx37y&=RRg1Qo&t?2g9wiY<cU5s#5vQXYXyHX;2UEm^L+Fi=Sk=r_D9ya
ztD>0YKIg97EeR}O+RDUYDF>tCWBNq1Ov0S|7G2vUdN+~g#X^8AHE5{BdFXWE4$@%H
z0gN(?m~yG@#r64cbw9Wa<ap)pSnix-xM8+HdBkq+f{X|QK*BID2KW>f0c{^Y13lKA
z9kd<AlT5!`NK(!u1jK0oYHe63%zj|2Jasc&SU?RZ-kg^)7G-@e9~IsU-pP)P$nJ;>
z_pMz**hO#%?)BY4v8xFeHi{_Jcm_Mi1Fvq|G8)H4HhjjI3imyp;0gojGFH*I%nim7
zIFvRr<C%}#`DUKbvTP?(Jk6WBq^*c&5Es}bHOid=mGXisTq0`}BB`taAw&R_tR?u4
zdExvpz^m>#FU(C4f;vOUV|L}&aj&dsFu03?_(D4mkvmAd4RDJC<(c8VHjXP$a$I=i
z6=<z7;m0<)jc0f{F8e5`EY%4C;<_1jAK42F5-v7mv8TuFhljq=ESR^Y{GO0ifhfK~
z3BP<v4}l`s?y5>iJfGWU!6Wup5lBRU4@j$AwqzPyp5qacVvmn^Z=!Be^J@=ds<OAA
zKtKBex)5695id{YjLp+Ie*=l?u#b^Bquu~?g>GY<syv{_#I;XRy%5i#Y*DB!pDUxg
zO@O=tUsc?vYh<`Do-3Qp1CpB86MalHQTs;Ul^KG?kvR6NdKx_sONy<Ns%g%KlgTf)
zrXn=sg{03TRNYa<#Pin<bp{$GeEm!UpwJVWMDU*Yd%}G#tEOjoK117UW!)Vj0umT6
zGf#Pg>}r?mI=xoix8FO8A;embS@c3Z`*(*XO>^h9KnH!<E%Vmgct~_dBlLy7JXv3j
zZQD-PEp{-$8V*$;^EBVedBCZ7QSxR$J4wy4rd@dtJYLsG!lc#424a(~15WxW8=$~#
z(r(bRCvPza{Kd@^T%~-|ez4137~y0Wjl=O46-;n_o5dNRQtoZOC$<9{q6GTh&5-hf
zv^*kKLNiPTAM6OrfH}{|K^Jrk9u3&12Z!$#M7Xq&p)s>I&R~^&4TBTI0@ysM@hRH8
z+iIQ*ogEj^?IwdtF;r{!QbJ#Ky4~1nIr477hrxEQwe|pfUe2?8P|H1h@Bm-n14`nD
z1}~h5cdu@DUNwSm^b775x?py!iqVUQz!FiD#)iPasS575hj6>h&~mH;DFesW*a_AH
zE@4wJV5(eWNG?uD$}tOL;i(MM<nQPzXLc%c4={8=VL8lQ;no-X(fRTr9!Yh!Jk{V#
z@+|7MXuh@M9pGdiFM57s&n;f^+1!rxDCMPWguG6*!Jb3d-V3O-J%1BT&-CcM*C<R(
z+G5h?s``+^!F#y^8KD_a<&`}i2~YVc&!R@~B)Nv$<k}0Uc74-?3h6oTJlqKA45-k0
zKrkxmciH-Cg3q0fH)rI*>u?S1OtV)7le^&#%_?ylGxs_eh5e=LFu0<%$z6E&Dl94Y
z^g{@GGx=O*w^d$?2qic=h+5dmNTn>yqZs5*qFug-o<cl>sH}VioyHPmg)_?0-j$Oi
zVQ*f}$b>(;_nO9`;beNR<{_bq^J8^-pxsFlT0<%P&~8n3$Obg}O3jMdq()*F9=@6h
zN0>nwzZ{3DnwHKhe%%IFa7*cMB`R3n8KW`1qVKV143D1)=6UmtO`_2>+BINiE4`Ei
zQY{%`Y^YT@k%K9yhnxpIVSf7#&Tt2uq*Yr=$yCK}Yb<lLb$8BqZ(p!@G)MUj#URN4
z-=SgU#ad%OFO4^A?~dW17Kaq4-R>X@PDb0#q-Jk=EZ>_vih7T(vv_xcMTV)GcMPo&
z&Z1AUxL6*<aR?rV;&o!;<4)>%@Gb?*SJaJ#-_tNRtv&7b<UXZ_?a9~OFgKp*z0mWz
zG4SQ9isb45m%J6V)oCELD87`5ib>$|l_KJMeZbt9UNr_l#VPt4W?7Snk|AN;j`yPD
zNOeS_SN1fo6!kq0)F<ckaN%u+JHY~j@2VB<W?->`Ixu8e-YlziJCBmp<kG4Z=E%x8
zpxqt{$*X=7+AIe)S#RQQFyr=~VJ_hL?Ba+$#Yc??ov3Wsl@YQBMjBT2?6p$T(-(B&
zg@J|eJj@$kaK_LRG@H^OvbX3&>Uv$6@mNMmfln8^;Hl)BIC-qm9k^g(ElK-Sl0seB
zct_gX!Ct%@1R5iPS#*>&Q-MJEWoBQp*l;1)^(da|s*$EuXV#O0wW!2<nljpAq)Vr{
zNYdM~Y59O$J-L9px}X4McwDgOrN04cBf7B6<ID+5qu?;00A)a$zobmO824#a1$H$c
ze3e<IZ`U8&TTm8VG$duZC>v)Gp3-oBi}!S#%2A?%4-vE$xlVBj4!yTW=lp@agoieK
zZZPW|;VJ&w6XT)8zV<vRK_PtQ`l1=-Ed0ij%aDp@?A_V2Jao02II|aVy^CV>D0nku
zu$d-MyBu5l6Y2Oq5^jwgrpvV#>WV0(N)6ChEQ8cLCPT}d2~d8)55aO}$!B9cvw#Mp
znwM@C#}rj#DNK}CrZR*dB+6734UQ}U5d-Z8EP*rOUXLqzj>n2kJI7|s8TzJkNLt-7
z_`XM0xzHHZBehDCM(Rs@vSFEoBq9_iv8P?)Ht&wLv$3-4ZRkS`k?JnWpJgyYgInyS
zqihxOSUg32XL;IcY+L0O7Idx_>8oYSha`(&(D>jk|7AKgLV>h-CWN26VAvf*Lj{!<
zlwxTNG<Set7CuTe*O@LZU=nmY#HD%DWv+Pcp0nnlB=Ks{S`H_CTFl3pSMp{kV|jA=
z2HiUfm$fpkLM6_<y<b0JrF<m>jes$<ujhaaaMd7;b#ubH_1#jW=7bmB9Rn7dK&1$F
z)sDX>?=?*07z&Gus5R_udJC|V<Hl>C_axuWgGdnz!6e5x=0}TOjcJV-TO>VbX~bO@
z=xBWughSV+v)O^i3wtCNuT#+n?Hz@RN}dyV7O4slc}5o24eUVsK;-I+dWgmz6_shb
z>~2WM#Dj}QZ_w<Wtdg`E6-014yvl@i93T<|iIj$F-wu6%8(kopfh{aB-VFB4jpez$
zk(-baZ#A<=linU;J`YRW?~N`BMDbxJz5<NaH<}?0sGRO^lg&tZa@aPus|aT8tscaQ
zqD@}#GkgG5vJg`4J8FHwdNHsnDnn>~tEatSPR`D5IjSXXCQ4S~$i7VvY8jAq$0dz#
zLHa6Us@Lj4*Ax>XT&PGOh{S{8%qyc(Bt9zP<8pf1LxaEq=5CT9iDj%z$2hd66^-#0
z86(ck*d2WEO~>*CO13RL?^%Pyy_kv%S+%A(b`|u@($mpyCOIfvs<`M5(ujxG`jTqU
z%?(5sBsrfn8(8_y($Y#S6(3-4Nr|GZg|d4tGxj#ReK9QnUrcLuswHqDKbM+j@|a+g
zd$E+RjYQ8%qJpL%CsU5VMuGeY`RsYKA}k_aOiN?qd0BShOB3WwqG#}0QQIgVv*WAO
zeMa5(#P=<X`J)b(dBh!6T!?SW!x&u|ARX$`v}YxB9;8@{xVnK}ckO^%Q;GIo7!Nar
zOl>@{Le3*Ptk=?`34nduq<EF+`-s{WTME%E&`ZuvJj2VRxZz#9rTq#U5QnT6BWr?M
zN^scXGWN9aKd9pl)_82OhC0d~QurSDl^c-k_HhcD(TM3dAg)NOt}s&4i8*9YxX8nD
z*PF+X+?<)l6x|KBVJ@to!t!*yZ|TtC#pGoHS7aiaXWo!$>kbbL8tgH?I_)Gx6S~)K
zBdwtz?Q7$EI!gWC1JmfhTtvdn>J>&G^&=CRQycVv*pBz+>ChX}p}_42mK@1j$SYxi
zXU*u|3{XyQIS0?q!JW}3<=Mb9vs}TT1|P|K@m5(xiK92g^?@9aSxaQk+p#w!laHD6
zUPK8L17?o9^8-F$w=nYaLq#@<J8*YXdrnO}!XvC<lt5I2ar0L4yjGx(C2I-?rm`&@
zUNBP6jTYdb*;+8q>XSf8BYD(X6e>?3HOUCyM%rVFK6wQC0LLp&*9?{z7p=<Q-duOe
zhSQ03j&hL)r}NyBV)lAV6p=P>P!QqB)rwMA?b6w5+;j8uXG@T$dR{nPlB3-l2jyWl
ziby`-7M|l*WN#QvfH+)FPggvN-$@y}@LPCtDSghsFsUxKCJUUzJG6_mD`aAW@U;8_
z%MHgS)2pW7U5#4yqg%J9z}VOWMwEAR9YpVBy2^x5?EDP{L%9Yz_G!)=%j@=66`(on
zFWbxWO+M%~vaaPtUPRSL&tcf7SB^6+Lru_y5TfEK<nWc=LtH#$W5lRUmlE|Ds7L;)
zqz6LOWXhNn`{o;J|AIO-b6~~9lBr$$I{WbfT`L0|hSOyg9pQ^5XW$iit^y%F*RH|{
zs|{xm!M%4X<1$uaOgzDmQ}7y}Migr)=t1mrsZI^o1$;#MUc4)1lUUk##CwD0rp;K|
zJc`JrUIlgSL2y|!32yV0-<r*X7*MD|8R#(Z$A@Z{qs7B6&~rT<wU(zCQ)HC%PQb&m
zNV_>MEL_GE46$J}85~B76YJ0|YlK2g-HS`TC&c5yQ22WW2LDpM{YKHM=-KY8H4mh9
zyPk);;G0rinj#fSurBw6*%8rTHJ?zOuZS?k$<-3gqXVFG5{(&UpVwpp$Pwl4B*tA`
zN1`tuIGk@cP=X%ot30doS;lb5synkBaO#TCM2C5zT62|`>0D2GLdCtuPy2e&wu&YW
zd{ru0kVQ>=;9B(okodc`g8@NzbqnvzxDkBVee4d`kg-p(uGFkD;4O01^TgOU(5=E3
z^%%IH)Pz2is8&#AC=yE_L1PEvaxRzJ?H3u?LpU5x^;VxcJ%<je^-f17^df&v4k@&c
zXN%M25a<EIz1XDQ7}?b~Yhg1ulE?=UD~o+n{kk`o`lYD6r$#;yH$AP|R_v#uYGzKu
zDwcMZ>7{Q(cABlArJ}Kdx=BpSsviVyJ?{iyn0oV;(Lu9B0|X>w4v~Q2CCxgcHupM^
z1a1}F@i|`~UBtwx#qjbm9dsVe8v}iJW#~NgBrqyQO1id?v;%<B(b72tvr3U5C-MaH
z8HW#J!CNsAr_1bTuWsA8n+T^URotL<WOPG7ov;g^l{{xBi8hZroQQxf?rqt_gb8vu
z*7YMMG3Cd|_1=+<;v>R?B;2<)GUVfKOeHe!u-Wl^p9tl{h5~tfulfNo8JmblhHzOz
z52TlyAK|<sOU&f*ekuKWOP^d*ky(#}y>U+E9I=?Y&H(rA6%K;;Nj2IR)nHw<_BJHr
zIRS5uHRwxBEeMzACBKoJX1on<U!hZd^pN%GHKn^K<2)leKYzjg(lyfI5cYr`c#q!`
z<Scg0Yu0DaEA)B8)|ucQJWEW5!+XjvHl~ZxU2BFy19aD+0nO7WL*orXAJPns_pX?U
z_FGL9JX=`eOmWIuHN!?*i#=R&ez>&6)~rz}8`PvmmapC&^4X^32H0ZXqVWbkjKX^g
z8P+wcR~^a|tIv7}Ew2NZ`2P<eqD!?$z~%c039l*E`~dM;c@8Zc2`k;IYR5r6xGVO|
zo5{tZOOWPjnyfsj<I0|Urk+MDVmIaj%BGL@E;#r!%dEj6&4*Ypk0p~5xok_{__TFq
zcUEp{a6BlPz~pkn+=a4LJ|^Qy^O<|vv(Hv*Lh?$opJ(lOJoicu2N^qzc;?b~I|9Ye
zFrU-%HXbJ4A)TY*24=7(xDRC#Bew9(W9&Uf1@8CsIqvBrQSb_ccsAp)UAHd^-=QNH
zU^$gd_h!zRq4t#z?IykL$M2m7VsdOG>Kf5;2A(@JJ7Q0|0ld|>Yf3L(UEq7|;XNLT
z<&DJU=w4H_2E!!5CmYf%6?dEf9{fUc0m#7+6gC<-m9w9}=P#LQM*8V(H`dF>wMmAx
zNU`aV_Q&Q;sIXi7@Tt@2sw-Bhg?5*qt&EG&fru~6LoA`gvP+oC5!kS{vRHdn81PCA
zrWvFB05#C<^<z^#Px8}{O%nA*<2@KPDmHb<toDuTUc-UtajurxcCz++Q}YbS)xA1E
z-+NhBnmV<PW*QHRxI?CLy%afb-W-&*vsh#g(NCu^)~EymZaXFj=TxO9j#Lu+%sB1D
zO9-BL76KS;b;|UL2n_B;J*tyM!g>Zzhak3`W*Hiu^xe62ldqVhg@y&T*;Ir!y{J>@
zrL64=>1tO<W=37vK2x}BdN}#LSCf2Ueb`Fg_a28odGJQYbF{+m^?PVB3#AX;=ZLvz
z+Ea^hCv{3Fa3;=tt#bI4&pYdA0FmOlCsob!24DCh`-3Q$r~6uihr4?ki=ZDqDOn53
z87IhIG8)nD%O!Yk{rL-Hd1wv>iALL<-t3L(&I&cgRmy=Z_W*7rXGTL~NtO9cCRnu_
zt6x^v-dt(5dpzfH;Rer~wwAMIJJUn8b;XW^3w$fd_DXYt$A6JXoV9!v+@qWmkC^`B
z`rS}WJP42SgUL~H>+#-qx-YmK_WX<#?4BlKTyb`B%p>cmwUa<OPYs4)NXW)zTXM}E
z3Fu+CHBNfSSui7y^W`&1jC@cvk)zc`MF}~^>2f&^Vm8=uiaf$>%VYg6*hHHz8L~B1
zN{m36h)jofYNfr^OUH8)U2W*nu^kub=xxqgs2`y0@Flm4q$v|_p136KQ{iDFqj%KR
zlFov9$(@E)(epOF2Or4^Spyp83idiaJ<#x5$=tx?LmF#0jRNC4ZIjzk@g^{)IB1=e
z+^d`iGH8iqFWJZ8t;qo=XH2e?nDlcoDi<o4TmZH$G0T2klf-f~Yh;7+OwLXsJ#Pz)
z1gJZvGMvernTa&bo)6u`D%kd#A?sS+zKm&3Gzz_kBCrFpz8tvI$g+Wr7I83)=Xjll
zpeL?s*2o#0G)3rB>tk|Kv?L@(Y44UZJfCYFJzGV{NhewN)|{Gfk3DjIqbyHFRu~O<
zAHMCEZ}4?^zGkw9lynZ&e!GnPqDZjmC~JYei1iI;ObCoWJxVo}E_tLn9dw77^(I@!
zo-Q)7G|Am7P;a`34p$c-e_ad^W!*eaGj(4yMVrsv#Dp$C4Jre+l-_M!mfiN*_w&0P
z4i<s?;EmWmek|>b4c%0>jE!;(GVb%<2(v}pZ3YmipP%f&^~<Xkf6`;mZEc(~%!AYX
zlWV3gu4Cdj-}We$;F&(UfdO}11`e33=MaID`=+?$83wXE^tB6rj<70Z7;~Ag6tth!
zV}&+h8n45?tvLjX3P{$20qL4UhJv|%{`4eeje5#gNi%0&uL~(bic>cFL5R>iXV6>M
ze6k$-3{sq*IPK60zZvABZ3LmbzL@Q4UVm>D?gYVd5K>8rVGx6WNzxHQCK+e5OrB*5
z9YMRea9?AqtLUx+E7c4?ff-A*7nDomc8Dfe_3-t-VDBXbM`=v^vC`}3%Pxg|Nc|RF
z%wIxt;!WIDym<5Ikmr0cqA1YPDxGd#2Fe3Af4dJ}+xc@*5t{APIPk^M*%PmB;VMj%
zCo(bv1np)<FPD&3?_@8|xKV}%`>F(Ff%WmlAOZkp4XQnrJ;9U~Uo%<8(jZEDRY^8f
zoc-eTJ%SVr$W=`>mONYGo-2Q%u<P9x@FY@{?U6!?6uecr#!lbH&hCyEPf<nG`~dOg
zR;`^1YO<0@2B}^F@xEp#Kpty(vk`=XL2;zTDLfh2=dQf%UMV!mg|CkuD?ZmMG?!Sb
zG>0d8Kq2XBfTIcC9VAs@)Z=Au7tCHBE}}23q6k_{!qowHJlQS+x@&pNsOb8LOP>-x
zemz&c5i{j@?&H`GTMsB(ryNlDjo9QdRt1B@lO&uBKl6w)a#)dQEY;rP1yP~_c7~T(
z8z%J#vY0XPQ7U)u;gfVa5IZ3!7{rh_Sd6xF9MEo?wL}8G0N}@A3Hy#mu_D}i=&oAA
zEpA~OIGH^$eId=5#FF1^BI2x)1co6>gdq?SkCA6RxO%5tE>s4`PiO4Cm=Lnu%3YOb
zMrC2NYzPqT+|zqDUTuunjn818OBeSU36j38MY#!8*mg$y{d5ipi0UEUi+kSFC9W$i
z!1i$U2=;BBEHoI4jLM?E7kG`Oj+qTDdm%5o%Y^oMUwwit-v>r~;qH&bF|KkrFN5B&
zzW2h+U@aY6X~H)cm<&f#(wUgf?x_dMC}cX{#S)|j+1yrUODM$v*j5m?<|>HqsK~ZF
z+<6$db7E}F&Q5ZH`Yejq+##gRsen*%br*0Ip@gyBP4mvn%8pK>%LXYXUu?X#q4G;>
zo8&WKj2IfM&Qf{il#V^tXL_cJNXUWnyt;`?YhZ(D+s5nSbttXN40-MaL{>8HQ~($G
z)iray2iy~3gqn!N{vX-#f@qx{8kf7pL_Sl=6=m8ayYNsWMI}Hwlvj)E=yMKa9urn#
z(O$3t2m?Yq8IWbWL+z{y*eT6!Z45~??plg?NH1cuH^T<?r3h0p!SObBRayDo&hiFL
zMB%<*j|$Fv*+p;Obi6)yah<hx6@a7}_v}=G;toP|03erFEGa5tI)HNWgdBC-<n-!x
zj3_9iQa3#aaaoyOPi4PeS2f-8BW^*Jylt3Wbl(_P*-@)be6lFF*8@AiQ9hH+$t2WU
zk0uaJoX+bhB$6p8$J-&pc|Eu8=SwFm>0snzmd~Co`N*0#Z@iS(>>^iS7PNX|CgrKl
ziO!ajk=qbD@N0W<j+uJ_a1_>)0kp#!d9Q<MrZGfHj{#3cEno?0MTacFD<N8Gtdj`B
z>m@i8fZ9Qq2MXdqfnaaa1BRpvFv~pkPGx;8G84H81>+D*8@>d(%czVr7=la!McY!Y
z(uCDCjRpb_eMlh`wMMi|^?|d!*XT|oe&%lzHr)!en@^V+W~93Dt(F{h%Tb%W$2-R$
zdMVz@;20F!$G9#Tpz1c9SBwO}c=t4GyeH@Nt{J=K%ZHu;6}}q}+$7Q7rFhj#zUMjJ
zgrEzzMNd!)%UYvft=?0JRUI{KCMCZ1#zr#oT@#u}i+jTWC6T|<vBaOL7U4}>z_}@g
zCF>!3m9K?9B!}CRuy3;clk8`EtOUbQFU2Fu8%CEkR<sp8as~lbxK=0<=!$3cPR?&&
zUrd;BcITrWiVjhy!l0m3eXWIzO7RBGuS#WOX?u_zqN((HBYdY#AE@Y}L`?0wdNT5Q
z-myAy5mJHH@oB#3Oco-!8GA6ydR+*1Izi1Lb|S-hUAeS^*{U+W_B4)}>RGKv0+VDS
zwTjc=ChvO8js)BBa)X1gopM|vzkSj+%pNtTDGE<oUiB-2f)E#YX*RC9bpN4E9<9_I
zAX2^B>%#;~*}^mDQzfZu7Cy?h3?d{w)1-K>(DBrBB*fVu9yx1YlIcd7`q{madNn~~
zzE2M(T~1zyMZZJpQ+$B<>h11$y|<iuV5^i<=Lfr%131gux{s`KjWNy7?%1R<@u^IZ
zvzvqg!ojWv2P_D7L)w-fy9xNKdzG5{644yIM#78<90i~}x{K1&w_j)-yfz5M5_8nG
z%12YGTG0*MnJra529=}R*1F<jcG6ljXcmaNa8T`lV0&OAUP-a!5e<7X+Iq4ST@>x7
z&(leI#3%*O*FDPKBx43ttK;(tkQSz}mEn_k@1Pq2;#Tqa6`jY6jyKsI)IP9qEt&ul
z<QGN;x0H7DCQ%t)p6cFJwm3@1iHMOhn0UNPTzv9wO;=jLlKsW`($;F<EI-quc}ZZJ
zwlM5vWvLg}yv<!$ti#N1n@@LoNntebCBC$-7*u@bB9E@;=#60w@JW?$a~f-q+deLP
zgK6mbbgv_q2&qcp&0uvQ4HV)n0YhcG%(lRQFiAVBG#|I^yqHJ&$`d_WO;hk5<+8eF
z)C6|i2&0Rm)R^33V1w5KRA$JvkF5r|IMdtAFYq`#{WR0+d`~7o-S}N59~?Y{9fPJz
zIGbMI1ADrc4`U1XHtA)}8nhNW?g@}x?@45ns5no0MJY^9HzV|*w&A{n+)TSqwDtSw
zI7g^-DJQJ2{Rt|?%zOKsgLHVFZD{2sl?o*_^YP#yzCn#Xd3;Wcz-qTE9gwjKx)08e
z#5GKf%_||;@sdQhta+aCF$5p9N5!KxE9KD;u!#fAO?c<UWvHDkyE34sLi+|LOLXjY
zcMqq5b=MZ-CSE=Ot%Qfq)?l*UJU?@UJ#agr178h2*d~1ZsKVnxw=tnUo1k9yd(H7u
zfGa0a#fLzfg|i`MJKdO+A2-*tiDLrt+w?6aMg5O$;FX}Im1gC9LZVMJ9CH_;3t@X6
z0qQkBBOF?If|yyVlexLixA|EY!IAl`00;TAq$ok-=EKKyrGB+!{NmhO*j<r3)^x63
zN<EuO<S24`ylEB)VcSYJ3*d6qipB;7FQ;8OEr3k6y=~tSz&tDszRa~p+>qe)I-88=
z-J4c^R*Fge+5}kR5ncvoDCA2#c*kZ1*Q5PH9_|vqK@7Hf#x8)5AHtRQt>7g2JHtV~
zDtuC+cnp)6cm)U4R4nF^kF@aIGK}P{ow&zaC0UmVtnN7Q**x^vOP4%KrpYG`IT=o?
zFVdOrN8jzJt`Cf4K7>szsQ01|%-(iwoI1T5$T_>T37@@bNIqVd(OmMeXT1-2@xWlE
za;0H{@m%s*(|d0o7SO@m@C<-~v~3lW31w_;42uC?J<l~j(Pb*jp=6`FGl(wQ>uIy+
zSei@m?0_V0GTwB9rQhqVDW)WsC_@y=x2ip;cZ%tRL(Ij^I&l^wFRN^*RM8?g2{G--
z(;M;OD0AaITgl1wP=<nZIUCE20(nXv4KBH~2G5@>c`R_72u$s=QpIo#Vg~~}hLs_b
zTL8DP@}qZ_L59uH`d*0(V9^Hbs58{CH?p7&#zon7*b(c!1brBWhu(0U@!k{IIPH#J
zqqES9jC=8tIq8bzrBSu9ip0v@799zN*Ay!4dymNAVn5k7`C^+Fl@-R{*j8zKPQ(Z)
zYTx1uhhXlPepX&p2WkAsdoObcl#IBcMuX8g5Glot`HGtWWZ_A)zZ5L8^b!wI<rusZ
zOewMuqZ^E<+a6JV^3+Z>1JO1Jg0mw;G53n{;)ZE#-sx4pd#M7W5U(L@tGPHIp$g8z
z<HT;DdslFU6-@663JJYaqC@;;DTf(RBIl}D$IF^MD>ZhQ$p=X3>;i#hrZ$j8kA{tV
z^En#dJ=2~+&cerDAuwp2`ybra!EX#8w4PB}qy?hQEIv{!yMBiFhVb#i0}}AM@g&p)
zeMdTv;Icvx>NvK6dCa^0>7#zvUfe;@kDwu0?!^2d9@A4^UvuP%@vLUZ=G09-Q-~y5
zz+?}OxP$;DF=e#c2MSmZdaDUbd-dJKFY#o0g@DAgq2#ebEG3)`Ribs}Ng*Elng!t`
zO@O@f)ojHpria1FaNR108P2*|C-D}lX31jt04qo0W%EJ^X}y)v(PYtzo+dSOZl1@F
zsH~VzN$2JW5lo-#aAL7XKtrPEW-1zC+ZgbuXD$_v$LU)KTC?+fNK_{+jdSdGQ7Er!
zWWZ$+gTgyn^03-CAhQW-a7x#FGanloU<x2cD(;ajG5J}Kl0R8Hl43E)H_ABGIvY|j
zM$OuGY9s66QUtYNN#d*VRCp<xQO4dB6e2CEGvQiwNXVjeEb{|hd!83*(;`)B55?97
zI9CJup7k>hPZ_PNI5?!P2XFgDl~Sp=PxWD97;(pY?-&l1oA=@BMT!e9p7Od2VaN;M
zj;T`bxu=~&@t$fukhQ=#(ybF#g5I-vcq5oO^j>CBRl8NhD@)dv#`N+AS?l)%*S#0R
z(-d4V;*q~q?juRM368_udyyS5{ro+TTqqVPQ?HZYvq{_2K%~8AHyr5;eJ>s_0A0Uq
zQSFwS@CIP$*U#|z;Lczc(y|19!~N(B?q(k=sHd+>m1+e-V0!@|_PC%l7+#|&n%iL#
zJ)j_RfKjjBm&Vrk=<TY!1}s8(FV@4aVb$O~_nl$w$voXm3#%Z!v3jh750!OeXUJY-
zP(`>y`-^xF5r6;!LdWx^@LN(xkQ7V>UEO=QYREG~0FI#ttxwh}`BnfT`V!Gr50frE
zZ4#t%x@2i|V3zTw#Q{99MW16rX1@-2r8dTRo!aX~J!=GmIQZV%iAw`k!Pyrw)B4n}
zM=$4j!+&(+vvw5#%MJtpBk{xDyFRE+6hN&P90g#y8tLpu$Q3(cZJzvIHY36ecrL4t
zG<T2<8KneRW0(^S4FO{W3?5L)qcYa5c_p6n#KInKx|%bSXGpXZ;6~mI>~q*gI7-{?
z0VS#T);c^`(6%18GWk!P=|xn94XX#Ja*$w3h@tiBtjHk8-nib-aOH~$D{hye%?o1%
z7P?~YI$fDYns=|PH51M$m)s=Tfvk*!W=lDY-!O4&lGs+g^tb&$e6F`~I>U#F<4z4U
zJezS~A5rW=vei5Vs0gf_)_e4{#uR3sz~s6RF6JW!<c?L!6Y(VsjO_>4rz5R5?p|T`
zY)#8rX^53?b$C#S^RXZhOVXV&bwO+pnc6im*Mh=TmP8B}xQTGwi&C2l=Wct~Vo*RY
z2c>)w={)>BR8cUTIVDq?LCFLb<o8TwSI@(iuRF=^K^Ygn9v`232<FdDHn)!u{pm<D
z2Q5VT3Slr=WpK<r1wiNK1CBv;8-N<NtBU8W*V2z&bh5%Y5{R+sEjK%Ai9CM}JtlUD
z`l=@7k-m4CPH|qyOYM_*&s-nIdBx8ljj$Qe!D>C&@$+M#WnYnmQ+#s0#iYC&z4@3?
z6K70yBdtm!x$K=D>ItT=IFEPuV-7T9A6?(8O>eDA0)U~JV}{M+DcnedN2^sgqc;S2
zp2!Zc?_qq>?eImn56$vH@k?XZ4tN|6TKE9;9R&73zl7>gRDmN)&8Nj{A;wr`($83T
zhtW=v(Kp6tk^4bXR)Qpov$^WAt~e-py=Mc7>q%THuf2RMVIYbGhiil1Lxb*=wHG`9
zsi@NwL0#|q2~Kw6Lt&hZ=w7?`JPs+AvbE2&1m*z)YY(AoRj{=a08O5EHNAWpt11PC
zVa6b0X$Of?iK;tf6Ix^R>JezeqX8;|DY$tnu?gx;3zY;kc?YwB>!N)x{=@q;IxVXe
zW$x{2UR0o`vTEm==1ga3JGj}-qG`w}%9|aPs0#GAa*E12yn9V>8V`7J?@77kwCMRP
zlPSR~O)eqg=6bM^Q6vZ6RCuW8>d%-R+v6w;CAUrAzLoBrip>ocFEUZs=&XxUNi`3C
zVMQYil1at&1jo*GBfZP63T6WDDsZFl#i#{cw0X2JYW6ZW?F*KXK<88jEk6ZNB%yhn
zMB1uvp1;a=4;c-A?Ij(kKuw`HTO~o{s)po7Mw2g}r@sU9g;&ybPAsx^mE2wr@^x+i
zaTS0xdWzVb3sZY&D&ur!`2<3%5u0MNQOgprB%>Svs-zH38c0`Wsg=ORF$t}oVRvL?
zNe42By61(1qC<O5UC*P}1jBwbH%-!w>2i1H+_QcmtdXsQE<VhzB^aBR2eAi??;-@^
z9@AFd(|p(cB;}yq0K1XF^Y(mC3wNJtU|V0rE<Kgq-F(w=#ZE_hssjuZJjy$CF)@?d
zC5VsM-xbDVG>+o8oMd_G1<dOT?r_&BTiF$&_eMm+8H8?l>*O9xQypw*zRsBB_Jfe>
z;HTyZEN)wk^s-K5P$Ao<p&mG-pt~RtJ{nsq8^_23_fA#vHx@{MUOMljp(!mMuQL5c
zH6TEZN?NpU5i`V7+nM*~J@?|C6a}1l?vk55%B8@JtN_g;IeB;27D=1AJN=Eff9~C4
zQZ+gBv=yc&oXa!^0i)v1HE|!d!#gIBD(WDdX1wb0)@xBW&y79TvW{}DN=i*9BETJU
zb=%f$dROH7QU{X;VjvLph^Cw4*6?((67FohB)g<-@`=~J;{)e-92|1@E`2%f-CLJr
zZgw+&+JM!CWZWU36Bytd3#G76G%l-*$J?sv@%XYhH$;?bHNzbQ-I<r=?A*wEW2_H4
zP8HSV9ov#rLOoE`hYY=~Zz~4}iZS{5271UY*>ZyX$9H=340TaMc@JQdDkL@mgBPce
zL*_Y%JaL(xYm3sRrmJKGdb9>M*jI)F&zHsx4inUp7u@n<p12y~m<;ynxk3d7!M^8!
zki;AS%+sjLkMiI>L+mKc5Dmv3dJfo84{$sPg(u<MsdfC`fz_jW2=8i$QpN)Y3&8c=
z?As`G2lwudv{#K(kP>!$*^i#bzE#?JUB_1a%Eb;!hLZ@>DPBtLvqV!*RC&d8%5sC;
zVpfL^+{geLeBR1kstm?7Sq+?BY%y>B^^D=>o3hbxX!8Te(IG#D(vpbe$CHapj@UYR
zRXd%;xK9j$9##+RV@{3H9ZTDNFH3e|Ou7KF-?qBtFdQD&DVUMDVh}{eu7DRz6|U{;
zyfUuN_k>dO_49ebTns(Ea9#?uY-U#pO`TcR1x{vy`J{nXFXq6|8UX3B_!ECkTNb?T
z=t+)U>VvRwfq3aVsk6tuNyvur_C?}5^;K&jqvM(xe-kwVnS{@%h3`S2X;|=3osL%n
z8`I`Mn?u>wDsRs17(aR_d@Ijf&^;%O1NU~yQsX_C6tDsa&_)t-C@$hrX&}|G*Ien3
zXy(A=5ROSX9yO%gX<;S4^9qu;G>(_Ja&Nf?O!i^&$)UUYfB?`d(XOl9*KG&VNLp^M
z`&f}%-~ha-!w?8c<DHw-9kIOf?ddwn6@$V+O-<bj&td%JJM44!E+6wM&!>;+mL553
znkRO&W-^xG?6gbpK2y@c0pwxst%)T}tqPqYLyKqW4e$B{@${_P?k$wQ?0nu$FCgur
zJlxf@qhA!7-jS@Cy{C-Jar&rM$8n3vL`l#QQIF|4kiNQ#+-=K4$|GO(*V$m6m=wyT
zkz)=gO`=81+ia&10>f`{c#3_IcZ#C4;RNLD&fhs)d+kdiy(7A+XfG?A#|*8{1%{;h
zX@Ql)Fieg)n2L-d<XOveT_?`wh4TLZ2eTt*#M>Rh0UN{JQ?uD^Jooj9n2fVr=2c+A
zt9y+t>QlJTu1)5;4%X_-Y^O$WB6qABmXCD!73MpXD2Cm&oud}p^?P?%ilbT85StUZ
z_XORq685&7=G>Y=>J;<}=nk~-#ml$FDzO#&q|RIm_0~|U-({&q()wmAvR%C8;CKsx
z7jIr8j<1z*Ko~Y8CiqZ39e^%-(f+_+G)YPhT*>aCzcrwEW^OD8R_|!S%eAL>+l8i>
zu=~|>;_+jqJI#76GI4HHhQmUfon{;qyGbRlqo1D#j6%u{2)r1%_cDrsuR1+lX|!vh
zAm-lm5I%1g1%7Y_z0dNt`-V%3#rlOY3di^hgkXJ_B{|E_nMP<H{JMe9Zrp?vuT9HB
zr=I&MYdwSamd~QFsETUHsu~9AF+$u!j7W7*PS3Jo?#QR*{YHd1nPGri>ny3LSNP~D
zTV|_I%<FWH_cP2oY#zO6jO?|0;!lwJ@q-Auyxw>$v?%&Q=k*XBA?p~u(;6keWJN6A
z>rC>TL@Ga`sM3&iAVW<;9>Ts!2&~68nNa8x``$)QxCkC`kexNyY^PCG;F&P6(z?D(
z6!&s+f@348W!RTB^jz0B#*(`dGRSg;l#~|*U(SPbXzW{wehiC6{`TbEnv!bf9twDy
zoe}k5nYi3G+S9{)lGn`=d-B9e#C)<&-}?ewLB0UD0`!L<V#ntDgz&H$x=)QJ8eQ1M
zs(r!-JL=xV*ma55HP<;8+laJW1`9*p(;f_{S+;x^bZ+m|(}4qE&H)`2*kxSD37HOw
z0W6zxE7cb$f#0p=)tGMQYms<whNqvLc-g+hy3uZ#K9ZGD+MpT{RTp0g@`BCwdh+a+
zyMfn@GG*>W9!%Yi&5Exe94Ul}zwK+Lq(|=^p8|2wBh6VcEM!&pP?dCN>*!OidG<~p
zzfnb(-NY<D<(+|e*5djf;nS3?2F)hYvSS(~&>clj>!I;!yBE20Tt2x@Nl+~^U0<I?
zw{2F4r-*}eNLsOzEoQp6w1TsDH*(u)%5D>>1vax*n1lD=J=$)6*dj_Xg4_l?Z@iBB
zX8KVh4p*2<&xwU??P9uLaAd@DpxhO!+LyHus4a8mExZMmC`fGqJ9~aZcp-zfEpLR-
zycx=qo6_I1I4cnV2=w-|c+NUwmcF22Qz4u^ROv#JZ-B8i2bib>IWr2erEwv$`@BN%
zCaL!>n~%Ll__lcM4FIi==tM){kiXQkmU@utNa6Nc><%}41c-o|-h%t2f-&k_sFi%}
zWb9i;9P(0QPz$d*O!KiwJjC1GQ^GQAxsZB!1*qs+{o29^;1HTj-xBkga6=K~qg{Rb
z7T>mm6_g~BUmToO9#V9VQ(;{9qcgfh5Vfx5$M|Yiq7ruF##uF%i9pz2SLu*}3DOhs
zp`!=X#jm+jOCmh_RRFt6z+22GeiN%63Aj6HSNsH@_v&i{dd$KR`8=!xuaeK3wgcbM
z&2k8h!41FKn=}cCWH}wL+1<9;$qDw5jkfd<<5!Ns9vY8ZXIw~_tTgBmH<&t~Ig?{%
zK=T#nQ_1$+Gn8qDX#>w8+sqOw@d)I1GD0gTbioho+}k_6$_jNMf}G{KCcV4vxF+D2
zoLo}eWR$ZS%V`h2U!*s*(<kBheYy-~Ns@<BBene6J$VwrX(wN24XQLl%&V~n(><Y?
z%Bmq^4C+a7FMx4uJ2TFn4ie%9Yt%ZKMZRcP-SqL8VQ=bZI5V&fy|M8$o-l1B*5-my
z&ph0@xe*h@sExH4^nCelUN0;m*g<<i*2zO%>J;CL6P0NK?l4m`<$CnMS&`58%55cD
zk*l71ae>k;;bDVTF*iS?80&UC%stC#(SmiSm(FmjqJ8=XLe+s9@eOfzscw>AXv28Z
zMQf5!G2efP>u9dVdyj(j__fY+e72|@RHJ-lS`?&p>M?WiCTLfXj$B^$VrfbeDQX8o
zLOywsBYmeK-ja`P4+sy8T!Ec8-*fh;(_?OBeZ4q{gE&jCX5iT)u%O3p)%_J*TluBf
zkv%m9c;w<sHX);76@=tq66}%DXoSEoHzshzpeFscCZEx3bUfdx_fB}$>|#vza9)?0
z5iRm%?^eGo7HjB-iI)j;WEv9=xsrV#jE`TG<J9>Eft}gg>Y?;`Y|m`y+GJCNQYvAY
zao_MZWTBzg1Y}galq^%VEr>~ORm|q2hf*tD5Rxq_2eUO8CfkRK=x6VVNgE(|`djx<
z5F?8zLNs62ZJ9en@wdSxk$$=ByViUM${~XT9l(IZU00#cIsmm9E+#>ku_F`#Pt;@R
z^_t1hSdg~^@7j*3mKh$o9g;){y@KMA#z=qAZD6Y810znCi-gaNo@NiyV=ScCqB8iZ
zhUwmmnj4KFBJ2+0XOciX;)xJP8ci(|guJYRm~Z8P8~yp}vx___mkj4K*+Ej>eVvhF
zVbACRhC;_XesTma`viy^R>&0F6q*^flJdRBdCr`Xudss+YWv+h_bKB%=dy^!$_A8l
z%Z+D;>JTe)?ORTyv-&z-cMq8J4%C*tdP-?Ex`*Tw)t1A;1(KWV{cK*6ECcBX+xEl(
z3sVFp#$cfd<>@El1Yd~53$XS_@yhLGo#?ZT<L-A(M^vbi*L4(J!5D`H>N065(DaIF
zp|IWwQp;gEiNij~Al5?KrUwD3$&62vs>sK4TAudaGT(FH^Im#kkMObM0j<5{l5@$2
zhpj}u(3BGo`SID=BO|%q^udgC#Rr$ea0yjI3arf~n1)YB>_vDD66)Epo1L=DyXZ6D
z<E5)osg96YVxV%0*4;GU7QySvn>T2=avOISUI(yRO*twvfp>9}GV@+pKa~s&)xoRG
zf&UmUmJRcoL0j{FxMM*;$=<4R&PJE)bU5369?DiQbeFHsA8Bvn(7Zf-W-4K2!s`U4
zX6OAQr-i0W#qlXHM%D3~m_6hHg`&w;UNp{T({;>T;F=OBdjrpHXRoQ4<8~iDo1G5m
zphC+>wuZ?oSy~iN&@EEd??`2swT(b|H?B)7han2F0&QobQU^7pAglTw=SyNNK@i|K
z2+btS7ctG6tOo8EK;czUg9_J9N`SAn4-63}ce5X8bsy<Eghy!ly}hnNxS<wdB4*Od
z4t!MWrMIV7-R%=>I9rCrhF6<B+J}7d7}s;;)LzvdnQFcuWDG_|AVA{P%V~N}>qJ7}
zTjBlKE+db0lLw&lCPB9RKt)QuC?<7;J;MT}6Gz@rJ_;m1gH<~<mVAuNjS0e<0$1<O
z&K*H38D2@5ycn3Sa!5VQhoQ0y5*tw=vVyxFvr^CV`ExUaL`6%kGkGuO9!ZT8h?1xv
z_c(a~3k=1;^A`;O!E&`yayv;|((^)F$=A6OF@rkf*)lzz(GgXC;o?z#x6cq{4^?h^
zL04+yJteiH=f8=l5}7^GYr?s)h$&5$lgX7UUSbrRvS&{X4|VfBD|;l+L2aSi&btWl
z{Ccup>T3&f!$VzN%Z24>YIX4t(b;o6cS(gg-{-ydnmFtgy%LOLs{oy*i9H;8bsbWo
z=4|=RxPLLO?i*48Dp^hFF=tU;$-;v5Ue74`J~vpMz0Q15(2=5)BjuFIV6`sFw)J|a
zYe9WpxuoTulNFGcC(y&P$Yul0FxJgD-Gs~saJ==LwOYjxD~Q5`0XmfT_DSHfz1P%R
z3r@75)`KR@1=Qv(NlZ%37mJE1XeD7x`sz6^u%DHTb{ry{KQyI&X%hLWce=XUjs_lS
zRRDKmSmm>RmKleT7*IHf<`G<(ao1sqrb=k<v8dPfqk`q=IBF#1=eJq1&+<RWX~a7d
zm=EZ2?>-~}Ox8i+ej7+=$YD<TUgvvy;Fa$g!3@x*yP7>#eFAJep_ANu!yD%V`ZNUz
zxpCi7T1!1bnlXGG1t~b<_M|K^+PE=`k9yx>!li|Dx&S61A-s3w*rQ{qLXwTciI^Gh
z+@JF!TJx+KHkW{R#=9Uo?|2bZ^q9+~83<sO3t3BQ6`0Faz-2X%4qu@hWupzyy8*hs
z!(0gKa6UM>-ZxezI7AL}6)>J)Hr}Val$vM+(+U9I$xokf3tIDwo7UXnSz;2ICC;2?
zuA4B32Q(?~nL8$)y6@smxB*=`WBa(iuE&!K9g$ru(=P^&>9Use_DW@HBm_{BWLvdl
zWP2}0>ScI(&4MkHtQFPNzS><&(Un^d@nJ?agn)YddQpafI=XP)F7NY!dOc}3NPWP5
zUO~%xuf`V5B=zK;?yAMvYrzy2W|(WR^R|AdM&OB9V-LKDjuCZrWFk&Q6esLey<oi#
zep$3j*gP3rm^>FUGX^l0>nEJ7=lVjHYqG{^WV?g7pgM5VwK+*6PJ$$KJ#*v1qJdtS
zP+0{phrAM<=R1~ad>Mn#a~CXaIL}Kgx1LJhZ684HfH?=74yM$b=vG%sxu<%7kGOp~
z3_IwUAcePy$0?}gM3`-#3rWhF!aS*#w+*`KV?k;_U=`EE2<^cd&JR}Sbb_<XJ|SoO
z+{ZmM@~u?n`ja4cWHy0^7_t-`@6i!Vy=K%0&%<A<zNWO%tTi7c*gc+>Knq%2!s>B{
zoUJpi5<)Hok9P^6q_!hiY618Blw7ra0?kv(%&wOvsYGpFzI}}^OOLK_H=tgug+HVX
z<A)l~H}Fg_S4uXf9~1CpV=m$)p7#sE>vq~Kl9w~3wq)!gZ(|H%4WSHr!Ohe%w+<({
zJ&AGNge=`a-ij3m-l629%`HBW9GP=<v)L0Kd5#Ii`n)>A+Fv{<WcrVCyQdPPzJU|(
zppk@IF}5s+dLHG{TW+1Cwh9t>PCQ6Y31KI=LM_N00JW-7_K^oA+sH_er1;bf?R&Dr
zR*&P<-w?n=K94&!6#~O7nFX){e-h1D*`RMGFV(T_o?12E5m&WvBZ$|KixY^tx5rvD
zMr^ZB$4M1J^|q!Cv1O4X^2!R2Qp~!L9HMujq+S74KEg^dg}zHxGj;+LUx1|ahVqjp
zn5rdc6k92!ki^#!O>=M4=mOzokKS$pZcl^BQ6Q$6RU?oT<}JeU%yZ$IEjK6T$k2NU
zYp6+R?UDP|)7*p1UCybRQv7w1g|?|r*@JCzTjRXaB9Ty#c(u&n*qv~Lk`n5<vK>+;
zw4715ogt35JH5+N*2u?zeR=MLpp9|__M&v(3K=&A$2+5f5DBPRwXVV+VXEL53ps-{
z=^Ctgl+obIZ-;?pID)wx<l%%Ds!=6UM}?;tLGZp9l2^B~tI>0Drp%KYO<83o{3>8v
zw9r}^ePEEbwU;5&xICXqXYhd}F9UL7ykwd2JTcCfx#FYPZ+E9fOKap}wH9pT^^3qz
z+gIb{vrCxLk`~R?wG}8=!Om3c8Ey&hU2{eN11eMRltwpj!d|W3xeM~a6g+VpWU2QE
zU_n{130pYdHS7@_siX+|#Yr?dvTeOP9g}rO8bN+tEC@y7G)x}Z4eyh3kuS=-D2e4n
zm$paU*h5nkhdq)lGAp8Q4@NugI&p1{?-`f&uMs8B8M%GEVQ-7GLjn5qCin%`^H_VE
zjdTO-ODeD17p`MU1CKdzCE&G52GL9sZ->)kgkmrVSCy1}exN``Q(7uosIhp5(`j3e
zrTh^KmkYJN&Fh<V0o|P{@ja%Eu&_bactNbq3CbqR51Z!MVE`SDGm6cHgf^tLzIk=A
z``$WSJb$@MuNH5StfynogH!TNS2f#Pfm>PJ4Je^a(mcTb_i|;K4h3v0^b0dW@}(c(
zZ@l`Qy~iP1-f7Bp!50Ouu5w%sL%VPDSnoF8B0><-OrAc#Iy%RERElYKjT)dVPK=L&
zUNvvBP=?J#L7#?_1vp6abCk;A6m*GsnA!V~LC`rx-Wx_Xm41v}kdepH*`B^q=FWMq
z<w71oYG5?+!^T{B^hoZ3(aL)&U>46xoqO)Wy98gDnRFENGj36aE2C+m+*jOIGNr*G
zbcQ06FEX2tdz3GrUKvYg*^3=|EZEM;7qkA169$}HHf4*;8$H6_T0Fq#y=2KpBRrT!
zD?>Jh#zy+4P&7Su_sW|+Gsfb;7%HOVE-yGVEq9`g_j$ha-aK)a6*Jz~u^jjKJ>b*9
zeq6LJcBy&5O5X2qke_#Czg{4Xpy#4`X^Zu0=R|pX%ppC}`@O42FU>t$AE$1YiW2(i
zOcsO8)pH{ZQ51WUN=FA<go-u67Ei9U?7cI>yV#&a=x57i$+AK(>S#Ii32*!DuAEfi
zgks(kxu^=_L~a~A)VQz;7~qG6tm$XMiqqaP*O12!;lt_bJd+;J5x7Vtv@VMZMOMb?
zJ!!C(?yUva)C!<!4lDy;J=qM3Sx>bo+}pki^4fS!yf)eWVvibhw84+McssT48QCFc
z=ur?ywx8&mUROu0bUuhEoZc77)V3hxP~Lm%+l0KtPgQw{Q05bJr7z3}tv2U?vT$VD
z&b_=vRa$Y~Y|a_VqrvvMrJg^1>jA+Cd5Y}<d+S3`tju`As^f5vDKws#^2``P&#XL#
zD{CJZnl38Q2^zVYQhN=_>sEv5`9kx^u8!i`+B5`vrXb+%^$<h0l6jUG*mYON&JHA%
z4xsEpvm6w;V>YlY$)aMd$8K3q<jWV3*L_DU^STf#V(Zj<pw;6DYO>|xV9D?4@`9`u
z&sML&O9>knAA6UtB#@~emOsBy)wkf3=-Y``lOZGZALlZ#s`BV^C*Q_F(6*!+uCp!~
z25Y6R4We$0v;g5F-RF$0^$vlK1|_5b<8Gr)mDGt^;<@v|DuxskgvZomJ4@H~%`j5P
z<myw(DYYgZQ8Pb&5XOWtoKdSF;~V@4NoeYg40aFExtPD@5M2U(l_d7SBm(&%-CF5H
zR9U+OHJ2-|ICe%e6|VsfV;hW>o^X;t!9%>czJ|=UwAFLRqFhAcdundR<AOS++r<Eo
zS!7OX?mi>0;i|MlGc!aX<dMj(boFJ;GbS4vc+qiKEyp9AivtMc*Z4s1Ne|j@?lGLg
z$}yBKG)HAY!ae*XuqR7j_FGv1Ryc3)$FHorJYS2?D6na|HoR2QM$I$b=Avxu$C*|v
z%;G${{oal<)#GGnd$cii@SaaKL8T@u@^)|unx?^;KYW>4I|_mmyCQ0cTQlt%?<Tnt
zlthVqUaP%Y?A4*lr%7sTxK0`;d@Mi<QDKP!DC|+*iy?+-ij*?*&dv7m4q0J~$^yy-
z;0z;=?jw}mmqsnmX2@4iX?NG-7y=F3PeKlA*O2Rxg`I@eue?Zh5OaPMC16goI&k>%
z8ZM*h6?IstCTJ_$kaOsJ&Q-zf#|wnXFb0Yp&M_^X4;twiqDVM#fgQ|<K_|{cKyLN%
zb;e^FK-w^cfLGTdk7ACTUao-Zbtj4K@I0O7vY070vro<qzBu<YJ*(D8*9Qt{OO^X>
z^@YPMBfZrudV2bJnB^Xy8!&=xvnm6cf$!0btwoX4LOn#TvwQ}Xw$Y0%ezE8VNPS_6
zBQ7yd=d{WhmHpj3-&j=MXXlk~+uB{i5l-Vus-ggd(FvjW9a4mnx!H+;#sa=2+OVz_
zbc+~3Y1;(sH~{uSpa^%F+GdQX0?p}=4b?<tCX7Zzy&YIRLLx7Ccmgx}T1a5RhhIHj
zLAr%YdB8|8uc7V5qa9*ioh=4PA_M*L%*mB*|AF3bGjpL6ArrfRNP{5#h}?G@R^20O
z3&Jv-5uVcodY*K7LkhCX_(BVKDC}nFtasX$zteSl4p)H`+&U=v!Y3!{y-iOog~itx
zd;GFn(JY@N7Qcr?0eyYpxyBMxBQ7+awQY}edpKw`G|)-Hcm%k}L6EgZZ164FXiNCb
zL&Q3IPWRLuC<$^c(IV5d3&u=<!#13j0m+)*nJ-4?>RsgW6JGWUpkc7_+jbC|2^0Xn
zFfh{fBLr!-=xyloVVBqB0}2kbTgt6@;PYS`C|&@@16XvbhxE*F&Mh2Xqa8zRfge9>
zZH5B$I4mh9A+7}j0czZi!hLxpOqbUXD|`2*?Nn0<!CN(=YBb@UFc)vh2*(I-z7Tkq
z4-uI<BX#MNe9@io*vmuCNOpw;z?sh5H8TfpQ-utdO4Z~|-03l96VkqB?+!DMew1=5
zoTT=~H(vzuqc_=%kIteC%|cd3cIP#kge1jlf7Xvl?W`Eiy=>88eT}BfMg6E#&{`50
z-#tiP64PoGzJiyl=w<rQOm3rTC6+QrUrsQ)MS~=EmO%htWMQMMTydEK9s4T=3(l2v
zO?-4~j@&{(Hmi>Ui^o+G15cGbxOgOAv`c|EzjbKLnghNp^)M5Jrt%7fq^D=@N(W#?
z#hwxifu@<Ol}{>I(&{1e3gZDn#05j?<<JW_B-?M${S$QYz*SlpQFLTNXudJl;z;1M
zdifY%5n;ZprU!EwVl8AAnO#+L4!Ec;#|%r}kHY0`qM%ZZ@hcuUD)y2Zt&4tvt?ppt
zh``C4Rk^de4{?=aExo9Z;`Om&!}F3$zjv&ChP8F>D0L*BfFrnWtq*lmppEbGQ+|<e
z3+MUKGomXo&w4JISt+Y5X>)^fc8RKpEVz$!ht}VPKYrcy%F^a?1x?<QM+IVa=!ocV
zP_ZuKUQu0SPZ1~AD!iUU>6=r0LtT0mD_Q@OeyZx4LwzQMZ?%({F}4z*W&26JiWKF+
zd5t3LWq#?KiB_)6B3T`vyB$!hWsWzVl1gF_5w&Y19xe7zaZ?-SweL|yXxxYlJ{)Dp
zk<@1i{j5+P(hEYzS7`4_7!>9mohqI0dpnATSpWe~BeEQ>RjgfOY8vFIlb1c822T&s
zw#Pnh2@+K5H&{xJ7J(|sOp0L}Zy!%mkm4Csn?Epj6(ay@BvX6~FhG-*#08xp2wQ>H
z7`OdwHZtIey!2^2XOP`0TlN79al&0-H%+ab1-1pud6LEP@@mi8sCAkUQ(pD-%yx+v
zzB*;LJ7=7Fd(rz$xX4vOMnchWWZk6fcI^%9<&e8KNO}YvV60M_G2J8OxG|-N>!|$l
zYGdCEZBx&L=At&)VyPKeJ&aAlSGFBWa6KzxO$4tacSF)L@8s|}GBD^(-Za1JbbJgf
zsdA&Nb-;uaq4AUijsZx-CUFq4;o^1Ba_EFD5>%+433ti1Qrl3Y_*z0rJSJ9C1;|2t
zLfDef2MMavUNYqG%&zb4<OO3HihBHde_}4_kTG?Ynd1r?6&%q^hOYofK)1hC7o-W1
ziYW<Uo-!o2x;-x(@ja5ID=WKzk!u5W&<bF1#qgq55T=QY5S22|J?I!1$6!R_d4tk0
zedoW1@yPUaEHTv%+0q^}3lZEaj=h{L>WU?KyRz=^N&2%d(r@Nv2y=2tUe>(i)Me4P
zYO{6E*QH)UK_{%YjdBe%O)g{61875XW;x+-tmPu)!g-14qtS1zOoG$x+$_;p8_6~L
zDsu3NLB3a_M5&GL+&q@uZfj^{_O=COBM~IigFrc{a2}y)x@u*QU!MQ+HWT&GPF{ke
zH$;_H9#N(OH&{t08J_BUhT$=kSL0rm_B;p4^UUoL!W%fee%#vm1Vn@46;n`=;|5o6
zJ;R!PMA)3F4}5joMIQA`XS!@3@gwer2xQeZa`+E*S0Y{Zm=hIscg*MXo~sWR(zYtS
z+Jyl=!M#cndwAF+y2o7Yy?xwQZ_|m4_x$u^sbPS5aL#gA54UrRR^W(s;-m)#E3WWP
z^O|=IRN~OtmPvEW1Xn~PkTY_#j}7eQTid)`IURiLCna=>u6fLIyGzb~xoHFpOvkOw
zL*&K{^qdFPXpsu~@f<^VZxeX6tJb+>G%*5UjvijsDkkAlm07i_8j=Dy(Fsqfh762>
zGSwqnPGM-WiPh>JedpYRy_}kiGu?!9<N0iW6Tz<E+fv;*j1&Xn(s|&l?WUpBVk}Re
z1=zbRs-#4`x_1;~0x$^4QaB~?N(;xwlOeTbt_8Mcu%;u39pFiJX9vhM$q}i%jM#UY
z-O5$Ybs?!ltDzHFDlPkVK`HA(uk}tT>~+#r1-<NhNRK5d-wj!|6Er&@yn<yxH_JGE
zt~4jT<W1pmASrN%0?ft3mivYzefhmify%ma1uCd0q`4@eri^gPq_B8NJ4&=H;wY;z
zfyi_mnaVGfuuAGVc6I5Z0<+4kB`G{grB)ddU*vOAzRn9?m(X}kd=^Rr_l|uqW#52b
zUhZ*rT?;>aFWO${U}syMTeDmdz05txQfzT(QG|}e6XRY+><h+q!kCBE!&j=q=^JV7
z_7DdB;`S^72Cw`%Sma2`GMRG0E~=Z6`RIF8BN5-IyL_SkAO-4bFNoet%$!GO^<n_u
z!+0%QBTQ!Aw+%WFk=<pAU{pGHsMb*Qn9clUNRio#zL}W3mqQ@TJ`*j2g1_0PHj&mK
z9^orJc}$aNZ<jAP$Y=zFucIr27`R^PhUF$w&ZLQJ%t^Uz>_Vw82L!Gax|e`whb&S^
zdLWYME*q}F8sOfk4-P-$IDX2t?XXp{H%sdHgbkh<@wKU--YO0jkOP|yQme|iJ>lc#
zGJUiHz=mn?$dFM4D<wFcuQu`~1McNv?!!my^B?PKn7lqd`WBXH-o~b9*{SDlDn$4C
z6S!4bpNh<?LdkhfmCXGvQUTrz>!iv6k5kg>bEw`qX^16RAC$vqmKiUd%HdsM&Y22B
z)#>@mgM4>n`n=<1DWG^+p*}=LyxlNLuV^03$}<wd-a>#mPG5DOTRuxxD;8fy>I8fp
zg2Kgf_>NTPax@<c78*CG(U5q&+gPaxGP>0|3xax)Re7$~%bwRyE#Et;8*NVDXmD|;
zY{xOd^9t1>Dzg&RYA}8?5{ZP~vflZ)rp(J-VhF_>2>WTB%Y$J<d)Z9a?nvIUpyrRH
zipCiC-OgoI-~kH{*{kE!SJkPn2}f<2qYHU1b=8hD;D7|D8V2U^2~?6(*60Ewn`Gq)
zy@xEu+X|2B<#wmh!V`#B16_<3GYv+<2VO=>F9=U>I+$rAiq-;nOzRwCIv-eT!v*KL
zR@CjLfPy4X6$iAX;3MF8VgB;9Ti<F9A3T1OSOM?+LU89q&e>j>ZhBQvDY+)^_~N}S
zxCT(RMg`E7vx%dy$O(Idb^Fp%oFw_7#vXXVwLzOJ`i=CetN?Qh=B#xQde58OeP%@U
z5EBgo&8rbLN6rXi^Qt9iS!-Iv*3E>upNJ`#1%<2+I=v(XI9>)1ZWJe&CRw)P62%SC
zsGH6;Lh}bk<kb_+n?x;#1LVf``US@v<C5=7D)PQh)`LD-7gk%5IH_|Jx%Ud?WbAcW
zO*Ee7vOXgmEk}8)MrGP&>e_j<5?JC&k$}lEL^i?}8mR23>@aE`%TTPWuP56UeE6tf
z-Io9iV2o<wbo0c0&MieAY!W>HL#GvS2!L?&mL`W5o;N0`WPbTD;7J&Ozv8s4c7E=3
z?)3Y~qO3u|9*I=c&(Yt~CcHf_-#vQMt^m}W%X*j!wQGqjUilWE9y6LfD0<;6k1{O{
zcL&m(lVg{O!NCYNMKbP*Am(as1TZN1MV3UrIQkEEW`W|DJ3|L;b|lVO(`Fs7L_w9F
z660aN3{vw~A=ZJcRZlaE260V{;c;Sm@4%*W3O%-5*TISy9NLY{E4zx5eOcMXQ5|Qa
z;m#R@1#@mq8XS_KE@Uq2Df;*@xwpi&S7Yuy(nu&EEoW@%hRG!jRcyDZHw!H+*VU{{
z?g#`Jz!l^`Jv!MJX(u^dpxe4&6v>wnHAkskla%M!H7M*(n2aIdV{bJ=S*R|mWYV>!
zPq;N{bD~Qw$y8{wL1g-Y>$}6kzEB`56O#%{vExMc>mn;9T}z02xC6TSa!!&j%Mg1U
zEEdpi=T#gXO0y%7A&r>>?}4in^|R;e4{~3v^$PzOd@Iiyas=MNU~VpwsS=)Wj&&a%
zEws}rhh|+1E_h}MTRIpxFNt-wC@FHCZ*;7@S^I@37hNXY2Zp<Gb?z)Pym)uW_PKAe
zP+MW3kOd->c%cr|i?o`DyJ-z|F&-A4R3V&8axPo|#bN}r8?%~=m$(4--uO*Cv_9cY
z+?uLu3YRM^dLtrvTr_~`CP>Ky0V&F^8A!(={P@5S^4@TRjjPG!We%5nKftiW**TJz
zrKqdd?Gljgaq(o4#%J_q=6qIF0ebQb?x-H@8?q8d_Gluen_c1Dh$2D{zIr`n?hPhx
z`Y<6XGD?RgTOlgZY@qdYe6!h@Nr<IQpFL0Ld0(&_d>=}iU-&9kn~T#t<~N*GPp9K<
z-Qb~Q<UCfzMFP-pgPA4C^2hXus7(6a6G6=f_egq<9?bHsyqSboh8=s9tcoX^sxEFo
z;+HjR&lY>0p0R2sZ*JCdDNZ}`#1(C(92`!Zv&`$9=+_pS>rza?uGLU`9$Im@b0P^m
zQi9M;oWI~1tsIM`uFtq)lk1DnnK~_+hcCBW9wRKCrC2r(S-y)B3D-PR8>-hKVCxy{
zCvUoB&&s*;r_f#*qSy7^Tantc;I}o?9_Z#A_1=H9Uq`ElK!7ja^UQ#CcYo2b7r;HD
zFcq>|yD*-8ma?LpOlb&h1Tk@%BHLMGEF(G~rxRk;!|qEVJODYK)?!W*t|vM#ENj#C
z1Y<Y?s-`swDI^};2$c;O8!!6aYXDN%u*|T#$1qD1v=%iOP1^#M&o89jAVF_06r_j;
zbmLQs1eKkR*Q9kX%c{9URm{%RZbhMrv{@qFWC*FJ$YUg*sXE)M6l`?iv&g1$OFiUG
zQ`*MpOoSU411&kmUVLzIhhzPw!DLGitnK7f+C9a1Gb$c|t=cPoFugLJS`qGyY&6S0
zK3xsBAnUI(wyjeit|iwri4CKr>SbxKXF)w&Sl^j=0Y$bfP8r&dDH)`3Mm#xGcYXmb
zx6D_vCSU`;=%HcN-kN%bNjc26920Ve?vt9ha?~9fyg>!yu}EFAc5@!BO|s)WW~bR!
z1!>9cUZ~itNIXl&LxVm(40MG+5odm;9h<bOgt=o~ai`1rW*RF-Mr&RnPe;j}aR}Bn
z19U%smo@{{hVPU;whYt<w5~JJ4xEEe4yW}-h)jh};@-p64IY0B*0N@teMQ}DdVDVc
zjnz!;f_9arZDvu#X{p;YcJd*5EVrgG?k%K0^8u6t9Z_>#c~nQVtWloUE)?Sj;*3(a
zCy__S55f068C}7#V!z1;a7idyK&*>X30&<{$KSO37wwm7b&sLtoJ0L7dNe}I6)76%
z)0ckR&3N(nEjKA}0U7w(V_esH$<D!TZ&uODl|h`Ou8?(^>xhbzxB|J(vWMzrxng)Z
z`YWm)Q5juk^v*7(8zaMJ%zbCAvS;~{QaX;e%dwYLb>tvN%x0t!JOeml9)MuPYc5h2
z%`oNTj<koEg%voKF+^x0G)WzgyT)91p9$B^drU9sUT$=evk@ftLz^oxT5TLtVd{)g
z`+18f!acZMelUwKI=aLw<?OcEpv{hy&encvS^bOqBW4!h*K004Tf57LQZNWn@N{Qg
zTRe8|g=2A@dxhAND|U!-!FnJ|fP;WmbD?E~zqm2Zd5m)PhO9vW42P309xmmJmLg{M
z>!2kRv!+*@Rd@@c35jsbidOU9zVX)*0DRbukIQf*D_2o*G#_!(nm#P32OQTo`KVFi
zi73+OCBc;UW6KBE06~a1wJ?uFTbpdgpZ6+FK7-7F5lvOVy?kQtm1{n>A~*17MJyzP
z-SW%;1U4{ccJb`jg$ba<(Z*?udQiFP0i_nmMD19FFw>dbnbrLsta)KoYJoS;vuE$2
zfd@&t^38itlsn@iRJgCxx<MkA$iyDgPVQC6GZfHz)|~32J%hrrgH>R?v;AUvj(z#@
z4!#$jisfLY4P?_)mAsoJ+!a7_X9rUJu;B@DFAWqer2`ZpPuya#0N=VfI;h3g0FVZT
zM!ET0h;!^HDxZD!Xz=m**1!wN9)?IViXF&&i&E;wim0jHo1?Yh!w9;xrb01z&xvb%
zvLe7`ag3|l`0et`5u>;I7Il`jQ|ZbD-ZQA7+(CO~o2CW*sG^ixJ<$djlIZmW9mb(l
zYK~O_q`s#s34!xmB!^~2x?<c6RghjM7A6UiI46qrqsT4SwKp1X+wK8$OdIM^&7~!F
zWC43Q<^aQ++`R+Bt$kUQ@+twS=`|%hLj-!)79C|AL7%vzec@h)EEmliIO72D1O^~x
z9E=1UaTK#q#WJ2$7y7V>300={XaMKAjQX}#;$y(kZ8(JP0fp!)zTvwId^8xG2lt#v
z=?0m-ABl{>!V0kwJuRXEY-whX!<ezCxlrF)@?}i9TPi*D^yiFy^&s@r(_hCW;nbr_
zvfvj*)5I>tlcC%%NT1>DFo_XlZwl)wm5}6n#AivYkDs8vWa)8IV#Ov+EMju9-dn8U
zeQ?*P$+)jU!wF;F0SFs~459~?lf<ijo~dl?K}ixi=Z(AfAMgB9S-Q<<pP#>SB_uI%
z_2;lCoVqamMocia@U7^gKSH-T2Srv+%X`3$_9}?kkao;Bl$AtgBGQnrgpb~9XIA%n
zNjXQGgPM~xw)48vvY*=%tS8F5W1#)cH#vPN(?`vH9_?J1G`I>0(X4um08OGV!oKaQ
zL8e5wWv6_bkRctb{f@C;%>nv}RG9^Dn-rNX<{l<z2rjd&yx6OyYLC~!`t0<uI@(6g
zHpCNudG<HBPIEK3&<AP0ac5zrqa1Y7VlFy|k)u^dh3clUu2yySm@=|q=Mh!u7B%Ux
z-Z_^C%`j8}-V&TdlDAUXk*mV3+TgPnkV_M0;%&C<p%&FN@&@v!51bv=%kql|K`q{0
z&s<L~Gd|>noz-^i0YHX#SDKsTfSuQa1u=~1L<FZa9Im=J_m~d*$Q~+tF26@sT=JfQ
zGZY8zROLP>rNbjcdq!=pSFXfQXaZ8`bp)QnloKyYScIq<!XtPhHMDXSEilLrXKVTm
zV9{x<Xag}0#hZl~Gec8|swr0)m!x@(0_)=8E-z%*UflVT+&hq-N1(pVpxcB_oTVu*
zH}ZTC_NJChDC14eh#WpKB8|6F<8I-XPmhFA)+sv;O6bha#emuwuj2CYhK4FCUNE}g
zVa4ogzR;QH=D{U8b7ml#xu(pSsR0HhsJ9$ct*%?r9EjSD_Px84eDU5P*i+HuS&%RA
zXtjO4O34+BEYpKPYn$^ekvTE)V0hsr^Yx=pc4Yklqn>N++jiMZqHQZGgLX-$*n(!4
zr8q~AT>WSa_&sQW@OLI6G~zE$qDPw}u-DZ$DGese(ll8FB}{`k9%qy21CM15G^p3J
z(?UnF2pJfJ&-JVxk?caT1PAx@ouOhW6u&nHp&CIv5H3Aw0N@lAXj$g*1LZ6UBZ`~o
z-n1$}qL!1o5G<oK5mf^~wX6#A+Kf|2@HsP_whh)w^@{^fOh~c+fH!D!T&2fhV;$4D
zdh^hQ?ipP8V<XI{qlyY|ofC!WhavnT0_SB2$4deW<Xm(@(ijF$ot9BvRhl{?f8`c(
zP=+q`_>C^pBB}ShJN4DfC_R4qP>?yaoVmNz2$o+#njlh`kIc)yOHQ)|k!D+BHa<*<
z-4)-mhkTX2NwH&`2U8(CR7KPcSRMn)fsNJfBDG$JpducmImC}gY*_GJ5P;bFN?t-E
zrh~qc6uOko+t#4-rt`!7rP7ct+2@*vZ=U(yV|)(8Li=nV48s$>%4?_rczfqhx|p8f
zJb-pzdQ&^4uj_Wx+!qea0bO1rh;^O3rAFF@6hIqYC-y*_bbqs1PI_T_!PYPGF`Af`
zcv5+dx<?I&I^4bKz*d;`ErYx#`=m<F!|opU@L;Qkcw<aMR=eQ5YG#*Q8G{;EJ(8co
zK$oX0Z_H+f4wU&KAK!@ca+q$|>v+LVXTm+HtSz~m+f|dP*z?k(y=Y>qq25I|Hg2-&
z#cg*Pv1lzvzCn20m9MqMj?j3jaU%@__KaW*l*?V+_Hm)FqY+p>I*PX!V(rC1Y0K9^
z$@?-g{ViFen2};HRt<qv<s0zZBEN_}dNsxC@}i^lU6vof`;|KKaFi3x4Asial^g7>
ziG{}Vp^Y3Rg}bvJl)!tH4N>o9oe)V})fmr~21ep_Sjv)3#XJut$WP#zzJM2r*t^S?
z>P@95Z*Oqr2<q{QKlR!`ZTG~xRf;Gm0Cj#TR&)dzUEH=N8OyCENw49sEeFGZ9|POA
z)-9%ATMBCvy6(UsN-L}vuk_mqE3gDM$LJ8_b(2&dBe#35%ajfx!l{-AC3BY5`gXLb
z&~;|l#bXm3W_Q;tleuYaviLVl0WzmDCvn1y@Mc0|G@<at%NxeZs=g}?=|FdHBMf*k
z0q>@SeaAy7#wLuAZd9|DfFq{%hJ{F6;R#zX_H2%XZP`jXuzGesH+ciX{}DgFr?KL<
z@d}<v1VsggRJXp(@r6A=xG@FBMlb2>hG0e|P|3yTf&<oU)%>&zFMOPrE}G{?rQ8`Q
z_u;$*(13gzE9IjkNYW<`)!XK1*Snq7vB<1;5jjbW(YyuSv0SAfJJa`uokI~Tp#&)(
zHK(`4y)a2R+MQR9@`zIWEpOVgyq+d?g#ctInO4^3%kTx)LwJ|ML{w;RYmTbMG<z*@
zyotwTR_VeloRdf7MQ^re7QPqq;DxEBsMM<z6|WwBM)8D9`qdV`>5`jVeN<x)>>Yzd
zfFbVdcQOi9Lq#zd4K#{@K3Z$*YIWn&+nYt3aZabT%Bydr0J8a^u<adt_yz+8&tMX^
zmWqP4b>OC%4opN)ZA2VS3rnT?o0L7!DhdOCjM5_Dz0m54W-w4X_{4~5fiYOf<y`A!
zvJ1hbZHWawyv$nnbL}<BcY7`bIf)mQnNl4*??r2pdGg_T>g%B!E{vX$HSskfRcbsm
zQ9UMOOrF4Px|i-WH?W1=QmzF_yd>|H^1`hyJ~>b)^RpzW<i2Dd2*@>XXO7V4#*cY%
zl0=0m3pix6L3f;lyhYGwHUV06^(8)xenSJ2&+&W!{q<{R#Fu=h^0-DD2~nP1$(Bj(
ztY$1t-7bJV+?UaPd(TJ~&)n<1u70W&TDHxB;~O(jrhO-i*F>jg2c_Y4Z^!nNc!4kC
zce~1OE@jdPAKZXFdS~&*@tn^9?+jO-Bj|9~Q=p^vsN?lh+ZnMKkZ^d(?oRo3uiEuG
zG895-<I<%(Z)>>sIgLzeH~=}l!mV(3+QftOdzsM-$Y~qZVsvHJK9cB@gaWu&!K}80
zbo@xmrqEoD7$Czd5;0bX-rWPqyE61edf@xs+Ul_&M`{Wp;|-26ThpWTYkuHxAlMIC
zuy!p=6}lt|(q_ui7bxPWP^uq8tCSZuw)iUvsp-DqR94n3I%3p-I%)x<8_H3?081K}
z|Bw$CeUOgWWu;8W<Z#|#ZE=T#Z=bzF<MX_EW>2yKJ+bp9WkSlL`qYneJ(UaL#j~tU
zYeO5?+zPKoI0}3(Sp(`egim=$k(hXOUyRAcA!CfZu}YVIoBTMa29-!AqzY{!78dt`
z(N*)#yml1yakTZPR~_?&g(Su!4S=fNd&~Cj1z}Xb%TD0M3UOz6vl)I2Lh4uD%B`N_
zoOa#MCnkz~BBuC3EK}od;4OpRqXNNTZtq+>^ERR|_0hoIC`5p<c=Eui2~(6v-t$44
zt2FM~NKC#Bb4Zr=aH4WKN~WVRupwn3=zKRQj}oXuNvNwx)L}v1lPtl4cU^Xd+ilrJ
zE1vJIisZzRZo|$y5oogVjv?*WClZne4%AZOH0eN!_XhRR<TAfUT9NVW9#lOj1%AiO
zqg>5RN;#2<yqT|K7IURY&N^`LrFdk=a1gMU!``zO`?S*{#0d|T+i0xk?WqSnW81mV
zJv&e(0MeGKN@8<OH#!o@Vh75_aUpa`Jv|l~#Nb8Zh=68Bac@ko@WThM*`q=8GB8dX
z-)5san6N_5RVdRIWCtQHsgYtK4meGb6IdQ)E6Rg6p_Z&mCZRhk8{VYPg<gqQM^xk%
zMZtBgNW$tbFU8MIW~UjdO79{;Rfxx{MwHVuOJz-a?mh0bPzJsmdG;`POpok=-46D#
z?i1*5<oy$QljD`_)pkK2)7z$M9ZCkC5p`gBY|9064+Fw$UlQ1Cp3+#Q6Qgw=Gwit%
zKSlSRrQ+xg$rK5Fo^L6A`7~q9*U`!c%{{Ifwhn@0K+YJLb0e2(vL2Uvla1Ao?ux-K
z?x|lvUIuk5$9X>+9*DOuEseJ-O5NYiaUVPb^46-+iYX>Uewf3zNI0@lCqfh_i`%CO
z7YAD@qrLUWpJx#@A8ctFDHCU#-2=mubi8b5k%tSdp~{Eg^7NJhMtChjHJ5kAuIvfX
zIZB$h)be`Af6P<UTHf6>!l>Mnyv$MM?u41-Tut3st}R1cX%xX6S;exqnZ#gORUC*a
z`fd*Odc)vt^?~wRxyYmkJVcaKdTT)E@2ph1Uxv_gc!{uTwOSO_JQH|3z(hxZ<L}hC
z^0XePvgCSYvySAMCvg}z2%IG5P86>qk}&YxR^?7*vCiwRVIOhY6<so{-fQK7B%SNj
zxiaV?do(OPf-3&_f{OX_%E3HCMZFr)tk|04Jrk}(jWShJ8GNcYx*V1j7Vyx?Y|nD-
zfhb)qGu660g}Rqy@A<0gO=;x9iH~jboh0679o@adUYR;3i|Gkm?u;-R_o-;5=TCkk
zd1+H&PK5^(AesJjDAL_E*LVZOur12mLG1cHWWpOu!?eQ;z7D<YM|EyH&vt9>pvS^s
z9$kyUQ_f0YlB0P&j~|^NkEFyt!_HYb4a7me*AM9odoi`+;O$U>&}h4rOvPKQmzDaK
zj;6x9OF%Hub_o|edkI;P+QzVlTc}FMCu?45hUl##9j!@oq2rsVRu>psw0o;d*=*`s
z=Lj!n2AV9&6=7}>iD(vUk-M8xD_z;#Um_;tW8QL{;72jyPaIA4l(9}S*GK|g03qHs
zgyOwxW$hYQ3tU*(-E2v9@iff!u`whZzUoRA&3dXW>ms=GT=`C{GsPj`k>|_ikg#R|
zs?3P#fCGuWm2c+NzL+2CqIt}~e6fKX%192*&fRj*8Bf;Vwz&X|(uNgZTDWAZPvk(b
z&#Y!V2Jmt8mN0k|vqUcY4E?Y?cbp$xjna;a>dO-%xNL~IbP)zbi>P?>gwKx(bB~qZ
zR*6n`Eb?3lyO8f<K+4_}cW%AoU`Bj(##z&E_0^W(!+wi7WRL~w&%s&-`IRwRDP(nY
zFU%ch=cK%<a;tsst>LR$eSRm3;UZIPu#jPG50C=(Sykwe9h`%-ryM<en=Sih<EZbr
zs#O!;zGn>s<Z8f_)`O5k&i)_t%jRI&24l~hhGiUb5EBJ80I$0VZJvtH@{y1ihA|Ll
za7Z;QKC`74xvUVmuJaxb;<O)Pu4!w-m;mb2E@o#1M+s^w(|0V2vSS5v-DDhBPrdYJ
z&e-)?n$)m7jWLQlWJaWJB>=KF-VyN@m3<7TlhxJ<4{Xn+8A->*%pNmRTLAZ>*;Tyj
z;?0g>7{f(QoXx5rnzU7WI_>eSM}%zWUcP+sX2*kVA$cF+thP+3t&_i&0v#lTs$uJe
zWvh3Tj3IiRR@vB@#Vt0{PNK`J9#b<l0Lc|GKDW%znOK3WF(crx*}3mwKUEPMKb@0A
zlnMY*K`^Z;$1KMR-;tL%pc<N^i{_}YZ3Kmr!qL`U)-w8%a*8=&5%~tjv+GX#Y1Ca(
z6x+I>Z6%hUD7o(ON!VG4?c&V7@IF7SdL96)@mw_?0#0^p>*{GQ9E=q{E)(>8TFa0w
zC~(>05iMIj)8{YYo*&T?KL=azhdmkbY!ddZP)p9^ONrr&CVe~DZOtAIRz=NJc<+hK
zbShUWD)Bp1_tVSQ#>NI^<r6-6`S9r!6C@_zU~xjw#CnRD#l!NqTA=9R6gfUz0`ItW
zh3q##F9&Q6tc8n?sVq7*HaaI@mvN2F#hoY$JU!q;Ii!I*&zWo_5BJn~@GiTS*irm3
ziFL%(3x<fb=@$>F4QT`!=)5#Op*Q)0{wTsj)sSZdr5h3Fw3i_xwCV*d85AtP)WQj&
z+W>r+l1*ne66Eu8_`Q<>Rp~luB_6`F)#DdqCk5m^T~YYdhl|6EN$8HdY-cUm(hhWr
zs|6Rv4U1jMW?Q`q!Uj@^Zd7OvpDxy-KD<)OH9H!&q%$W;@5}7UmV6SF1H!ypsG^eR
z$4JFRsqa07<-Hnyu%6!8s7~q_53iCdr3U8NKJ>{x7v^D3jUj*M-9f~%FX<r&mXa-d
z>=mp)S)vzbo~f_X4)$|nydf@W-lErhx$WlqAN9d;l2W?-%AShCb1GO@l^RQO!fglb
zg?A&T$<^#=Nep_#%6ECF?!3<+c{agh4%NBubjLa4rO{jrKFM?l^?fEG23O(^b4fV!
z8sPYGW*i`F4bHyB%*UsAE^}-(G`&{*<|QIhTU+eaW9eSXLQ;H}%YJaIK`9nYid}Mo
zd2gNIaP5StE6%-~u1{YSrQX0sYH^dRP}XEdo8lfOXtFCPno}{claV~l-BR|Da(c4I
zuZZ}}lBr>MPW1RNP*AR6-JdUyx+|6R)HvA?TRuSOlxSfHeQrH#58=Vi@()cpmbuH`
zU2+7W&EuisSmh>7!{dUYd9lKv6^XCqJ%3N$aCeHWd+iG`skuR`64`#^MhXn?4X-S>
zY9%IKPZGXSK5e38J$Jqu*yonVPS1)3AM-iYZnYr#h+8uy?@KXQl2ELxeFmzwY~kpj
zB~Z?<6y>scosfgyb^*FbFh&mFV#78@DbV@?M{xM@c|S40Gt8)DAUssw5zUBdRLFF<
zItVC0mPyj0C$Oui*0<!SxRWGF{nQ!w6m-S(Vk`y16h|ItIuzfTLD87yfMFOUx0U0i
zk29KvGqjR$=8`c>;4_1}JFa-|YLXuVBR}QKzPF6gb9)UYNAM``VQ4<sd@@C{dNpig
zm(Lpp2Elbe*D;NTMdHu^-fz?tD*`;dItw`ZqCTmA^nHSTFW!<z)T3mzO4T}<<LplB
zDFneSd9MbYCF3Hyngx<V=20A7yg5!osD(S!or<>6DM1sd@F#450@o&|lnH!5ZtZCT
z_5kdq%L2Y2%Ll?fg;i`gd%KVE0ilqdJK^k+4erf**REWSuA&2~IUVHk!d9L8+1l-s
zj%-qYnPQoK?jT3ErOwtZ#aUTdE)=QHdGU=##4(Z3mc|}K&&$bbw0Sf&1@Vj+<aKy>
zoco|`9#B3)szuwTfftUM84(gQ=dnEj%$)C4%VM~vQ`WtHoyQdTANJhOn`<N_SPh6V
zAEw)@Dl=2IB2uG61tQT1T)rb;J5VQ+VyCJxyhyZ>nS|nebS?&V@%Hs9pQOG<rVN7H
z$9|5!;SWL^DQLnU=X<nB_oPl}7s>Gie42J%^={Fn-MCu41k6xn1$AmfEb6N=U9x(j
z!Lc|a&oO~aw>3v<@@8>UAV)#=3O0^qQ5Ti0&>tTu4s(;kMdv)M{$UxUdC@#I()Pk@
zIM_%5U+ZuIo7q)!?$Wbdv&f^3MaZQwaFTaCz5XnHlWW&@0kC=WT;6q1QbrHl%;tzT
zUXY*^@goAz%=3H+s4;={-buoW%vME0*o*fH1Rfc4iMr3hSVa3pz!=<V(n4538p+hU
zSA+|R5tJHB_B2pGogJIX5XQ`xa9a)7t&_<R($kJ!l-4QZ-~os%;A)x=Mb*n{nin5y
z4PM8s3n9##=L@Z{9)`{FNYDJh8A9m2di8dg0TQoH=pJQ9zPJl|EB7qxppuv~)@hZs
zndX5CJWoqW<HJo+Y0G48O`?doSKFl*h)r7aM45Klo$iE@hH@ciWZ>+DdMW`Rx?;Fr
z47*qZ0+cjjY&tp^CAWnDvPfUZNn}N6liP{lI0>FXK6Yax&+%OBeh!-vy>~E;o;<FL
z)(P;`jNVydJr!dOQ6%sHM&3m>VPC)$)ZntcAq%n-X9y(f!x;x_?@#O<zOav@M$g$O
zcIfA__~7apZ)6hanJ_Te+rsM2;5nUasr!Wt>N$p<gU^v%KU=b{SIaofdf*~GJE-=m
zlET&duH#)%00J`>;8^k%qeeGYJRVY=3>RLOgcLCBtf|=HcO+PsRon!_^n_1<tTa-(
zn_ZI_@SGb85(5g31~9w)U<46y5spq4CHMtB)reG@29ILB86}p2zItWjxixCsiI=9_
z+CVrrb{Yh0hhCRAwOt2U0OZKbI|>yU5h~Hxe%{9OjI70(XyXNr-aVoakf_<feSH2O
z_n42<*{_yzvo%PV>vd+`-~)3-C^Yr310Z~f7fTSVf%zUYtf^fq4-#>8h*%>IQ`qAY
zbW7K1gFqB$c;Ld%VDC~b&`(e@+KvXp_YE}0iR54muE&zHY3~VmK=>O{O+!<X9CLlr
z+~ne<Dc)RNP~s!FOD?5c8xQHt_5}#g`Ykd(G9G;4DEMBzm<y`thkF~%O~+m5Oi>dL
zagBpT-@&u?>O;#1>nfA?s#m=kPqk!V!yJp_rZEN{aK6wc7C>wD7q0I}(`57D0kk=;
z29ynjfimJ@O>N41MpajURENOB($rbXqr4bKmF5cdUX<J8N^&T;deP1PmQ({lXDZ2E
zZY8)}cj4g46E;BZ9mw8C4z99MJDx(<;nRn?dM;Y_-bp#o0OnpO#od)<UnR&Biji4H
z$IH-2t|z&r!Lod$65ideP?tMmkNvSt>1s_r&IU%KARb0Yyg*YQ)V@|SztQT6T)P-G
zB~`yCjWezmM$B2Ux2L_kPY;sC<HX!vLDdi8C0VU?&#DL3C6VxMmuEB(ryInr)bFT(
z<XoirJx*-kUe*I5HPn}uv}R~(arG3pn^*b(_adrb({LsCwz^G4VUHq0L4{rs_v;FJ
zzVx!xTQ6y}AcZLnA9Z09Pqq+rkTFW=G{e+F9+!p4;UeImnjIvbRDzXLv*qgnb2qu+
z`sUuhxX(q6<4b140H9o}?)9#kc|*Rs6Jw|>8rsrv!Yx1<RgA~QfL%9|!oAWYJ=)<C
z-9{SQ8L*Tu7VxgJ;Z?$-yh|Z_mN;gv4;DC#{gqaaMy#({<_?x82DYX=m3M~x7zi(I
zHm6IKjfa?<L<Eld@l+|sy^c#w52L-&Gg4|0c!vRVdpQr@aX)}J7I$pr;*nZbuT|f^
zn2}RxFhx9#IJNe$V(q|J#+9sXcMd_7_XbUU-@6VSPfOw5k_J5H1NQeW=sl_RXhf75
zWo$rP<z$&A@uY*b|G>8=ENmi$;gi?}58_;iI66@^vP^iz&v&Qzu|1T>og^8NPnICt
z*u2cJ5}hP3C|ry8UFf^$VC{#hj1M@iycCg>O-`xb+-nv0h?ji#&>!Dq7p9$La~WeY
z3s$prJ)v_1C~~0Ku@<>5!3{1ue3)QTaL7gHT=)W*VfKiU{k2l>y+a#Z4oBinAjWzo
zA@jhyEhNd89E)WKjq3#?BTc5-Qv!#UFgrJPWHE=Xu$FVwY<rGiS0uc{6&<M>G3<(U
zJRV)IQjGgyy7@gBcn574Z5INkJnoC`LA%zsdK-<eg4ANQk%(^B-wO(VX8iPtMzb12
z7ptC#8iSKLynv|Eu9nmGg=({?wSJ(DR9#dYsx*=(L?A=_E?a9`ZSRMyL8Y_hxM?`g
z(UB&eH=oW0pTDhV@@Q&nis0rvqyg=bzdcN2RS;+yNehV+cZ(<CN<sKmlqp5DXGfm-
z>&rx$3MYfvV8TSZby*pwp~8ZuUE?UqO7U@B8L(uFo{0iZNEh2W=k3uQ(&x`=ba|h%
zBls1UTbZh#SBc8uKD(?%KQ6OQ6!FFank=jyaoq>e=>VhjFq8~vqp(I@&oJ1=XY6?g
zfWY&hr<UN4p**lrrI^RLda&q3@Nh0)<Pj^Q)kg9XY;VaHan`em4K-=DS4~eyCYR$a
zYb9EGk5r=e)tlH|DyL8I!@j`h@{QMe*EE&_mv8o6?{&a&A$17s%Mw&3T#8)_n#+C>
z1rQxEJyQ?-dNuKRYqRcBx#2_Mot73T8Adk4lgOG0?#&m2_!QkiCG6I+kAhm767N|F
zaK@Y095H#WC6?o|Xe8G5#+>cxt664i3K$&$Tx(>vET$JP&#FjqqiFp0skA(Csz(dO
zA)ECq(2(rLeDjUzR`6(?mb7LI+-oj=`;IN-D1@X*^1S_EPopQM4u^bU5$;8#-Sf`D
z5v`cwd9y3|KqG4-(CMLs|3Dd$d8a0<VI#-?k^cf~Nfl4XdRT#pwlEvk0w}^%Y(%Vy
zVu9z$lJ;EZfb~Sw44XQT?bP}M&q1FGWYG73M4>W8-|n+l?+jcE4u>_}##`GcSyvOW
z97iA;sXa&EdrP9(%@$dun=wA2_;TNs0P|i|b=89#>&8_@f0>^2`spg7ZKc>Owe$0c
zry%LX0c!=WDcX9uO4p3C{%rE)y8t5Vo#B=ZSNC^lq{uas&BW{a_#KDJwE7@zxK*JG
z3~YfI0yQ8zPEnwSV-e5x%8zI)!BQKBW=-Tt!nUC-sCuDzAPy34(}eWy9dk?Y8+t;o
zUp+9|dpjE<djo)Kj!l=)h+6hcDSyu905@EV3RTX&o<uyzYklKOZF8_%r6SN&yh9GJ
z>4kSr+wsGsv7<40!B$SeRw;#%Xr~e8;V9WMOVIs#K$Asjg4~KlfnU}TyTTErT2(%H
zg%f=gvBR5$A?!|O@mSAdNRI^0-*K_@ypV!6RyIcf%WTbg+9y_RVxlkVv>s~q6YRlm
zu%1p^AANCj=NwDM9ir~tL*|9UPgm!(uDxD*+&t>5i#ip6y**`gD+P%+Ar!{D(_{IB
z?71BKxr4XDxxFE3giDz>J0+*Aa*JCiE*)p098aB`{ji_IGY@QCT#?Wy?I%k<ue$jx
zdskLDIJK8#<Mq^H5#_pat35E!-UaR{Mt#Y9rtgdV2l7e2uxv9H!sSifZo`b#gsj88
z%9u`!J$QO=3-BpYp4nJR^}Ru>1jk79pfrATQLNSdIvrJaG1i5=nrH~c)pqnU_(^j^
z)GS&UP&Z-Ni!)7Bv+KubC*54enCMp`5|@^jXvtGlErhgp%F*`v(8U~_Oj*^VA0p1<
zy6Y9jk`|DleZ~{?LJcyLeT$}1l91*RUxXyyn%bSrpr~T6>}w+|%2WeM1OP1Z=jrj1
zJi#HfnRF47Z0HK}Y2BDKDKJEpYKk0jRW^(&T4I~O;S$`VtGeh`8+jc6qTfLB3IjVx
zm~~vZ91W%6FfAhsbIO|Bf{5ddHx?NYBx@u0L&asii(*qwaGPX~O*~L{JVDu)Xl+<1
z%H;2Yq{TObIYI#-qoZJJbiMYdgPfrIqRP79#5A*!q;y}%O?4ZnOM!NC<$#S~U(D$6
zaJ^gXJ!6?w^)eG$4XmcK$l6@PJ)NXiJ4b;-DF{|P8DdxZn0%dH`^YXfn`z#Q3+twU
z3lbJ@1_GU@1y}`|8FS6}`et_PEk6_WXaHWy#F;Zl?(m#hQG6>f;C&7zMxfhqZ5zpp
zWm2>`Y8d*Ommb30J%XCI>Vo1pv6vt}*w2y|6TA)(guMNR(vGH6ZuYhJX|$8A&5>Bo
zzBlT`Gq}+3H1eF))?-H+n4TrSt;)yK7`87^OJ8NqBIiqbmYE`IOS~c~BSHofn=?;*
zWZ$CeD;t_<2Fx==rw6W)-NFXkFOts2!u{cmvdiQN7uxO0_9BYys4RApZ|2d2Fc>=<
zL|u`M8Ot01hA#|;0ubur^LdXc?kPx~!?e|-xA|TmgI=-UOkwZ6GqRM(wq<Ef+cAa<
zMmP`Ppa+uFvjE+$aQAxSVDX?!3I`euJGmT*A-cF@W8fi>jNvMo=EHqCt)4vcQth1<
z#>FDv^z^VC&lb`oqvEaOF933Sy+{sPVB(?n@SyqG%hTi`;DOLu1{+DTPxO(#(0~0x
zc^un^z;CeQnd69`#0&t7+N^;*Ef;vOCoZp<xt{3L!fPK&bPE%4O)fW<+f3Hb%*3P<
z4b3-JhRSL@yNp%YBHW(LyJMphY8eh`&Sp(YuT)_-6i8vNEO4`HbkuTDDjt}5Ek0?F
zIl4{ZT%|)sA>(LwxiLyM=Z5ANbZ{hD$mrEYZwXHxzsoY}_cqz9e=Rw|dy{3-$hWl*
zmFl$WWobS?Ww8<Neu7<gkLs0&!;yKJ*BNEa73zDbB<!~+rGXOO9eVJP$i<*v>u7ID
zzM56{eMi{;vd^bG=i0TQ(Q~y~wUl9rj)W}RG2C5`#(-nwdiJ37RXxh*RL{b=<K;rr
zL+&(v6++^Q(*fKK;+|-s><Lr6t-khJb`u*tYl?uaU$EmoJMB2@!*hm($$4*RE8vh|
zuTrQ83bnkw*OjTY%v?-zB;1l5_vy+Nb+ty;xm&sl7*Ug`-`-$AfG5QDyhAHnt?sv>
z5cpom?TBkT_3ph}xD_*92qFQ?#q(iVz4z)G^1P(ou`cdeKTl%z@IiubtPMMRgRGBO
z;O&r-Fa>$PBXziP0DvyV<z1fw8rhTUsjPY+Q_xefj92?C7=~OQ&;;g_DF>VEZoous
zK#F|#Mjn!x?-;Wfr6sUsY*S0VmCPO)qq&&G+t8Sb?13vgz<he4J@L#>z%vV<!A{PD
z4Yu88kqre)b*mVmsfax%U-cnJB)@{qMs%%xAl)%&%Nn~}jcl0j*{nD)GC9#j+*^6?
znREzvf#?%Og)Gk}jzeY<+JT#$FGJ#;bfSwp`IYV<y?QCBmvF>}f~M&!v$%$l0wb%M
zO%6}9=niXyY8T_^VvLQUvt4&PnIa+4-&+^IqBOy0f|&2RX~uZ06GN1qL)FS=5qQDn
zE7Bu8e6`s3S_L&huCvTvy^%^f)3+R>dyVhd5)+nZ#SotRb_;jygG!od=B$%u))1Ic
z_P{HfUV<6m$o^!X;FJBdl#`p*NE{+&$6U>m@Oe^?l(tV}*<&S;q2K1Nk?pGqkGFRd
z1o%$6XUz&kK#Y2JZdhp?mDf_*=OsAOJ;3hAuN0p*soKFqL;~0{dQ(jio%w?1QvFzi
zl_D-VSur*W7|rG`Q3HYRl676*yVsCzZ6$V#JmpJ06Vq4eS~JtVkS~2v^&IaZjc?qV
z7%C4BQ9EJ{$2o&A7ZLJ|7z2i2X;APDB=b@k=hTD}M>Qa$w%ASCbAMXgjtj~uaO&7s
z+a!qsQfLno%ROztkbo!@{R%msbV9b~{s(^?1J8DE23rU~D|0U`8aaCCTl6z+(6pxl
z(&xtSrt}??;!Tr_{4%{0uLlSPZJ)`)BMnEejfpox0RF(=^yzu_A;`;DqUdYRtJyY(
zdsz9lUkdsmExXOtOG(|C@bJ!6857N73=XFgHlDNxhgbbF6EP%#tDbRSKA+sTa(9n8
z?JziaqorH7_*8+%3wv+39<Udv=~0aJh!{Y?wefPxRKL;TL3rmIphegn6?@#unhE1u
zeb1jUK9O@s(9TX?g)mRhbKU5Ic~2*=`=Q*}1h*F=tolU`p2K_H4nj{+ueG5M9B1`L
z`qnmWhK@ODj*tR9`P{0?vr=>%ysD{ld<J4)MIJVD!Kzodllc?}q8AlGz-HxaL%G~I
z+mwaK`qC>sIWF>N@ZKnun7F&{sm|SzSwAvqu{}-hGFJD&bZe)<5Q&8jo-j9zP8sIv
zoG!w(=Pz{y4@Ne0spPE?UEgZW+iKHfAeI-*u;Ed>)6N7t?dDfVGzZV+K><I0OpE>y
zVK_|6_C0;;a`+yCHPvNnbqgo*v_PfjXyd*|tv(0GbO(pP;^x)|W^{B6BUmY3NVu3N
z)(_T@ago8H$ICeDg<Ir3S(6HnaMgAkf_utG)b<WnW=RyDK#265-0bXV1icH&Q1hwK
z)pA8`cy+RobD=bnBjLx>7)b<b0_prb;YRNpe*c1h;xbWsYop$*DwZ`oQ-Mh4U{@nR
zE?r+(Tu2l2xyKO$Y55*rIW~7j4OjV6C>B(|ASF!-*%}0Ab9b;?-FLY7Ze%$H2cSLH
zuTPSVJ9i4ROVyW0jSd;8c$}-;ZHHbx1LhZwjFSagLipHmGxJrVZaYDhHgYN2j0tRR
zYtkFgo9l#QEly=56mzhW26|dOkeOTr_>RTm>6DsXlnnAa*+npsrld);+3i#oT4IyX
z<~DLr^15N#fIR7mssKM0Kq{q@YPAvX_O#NdEI<kO%^IY|gv6%B2mAh`AG;Ye-eU@o
zmS{NJy!YNY)z1X!1Gszy{ia+VBL|u7V~}x-h-0E$bKu7|B(zV!r^-Wh{IH==+V0u&
z&Yq*=Zc2Ov4$SNQpjuHd;n4~1)5!7NxqG5>fJRN5{$9SZ$JNH;&~P~QOfOD*wrKAN
zMG!AE=QX$BS>E;wUjQ7&Tq0pgmCEU-c<&x^NwNi#y;|-WPMldxU1LY#q|4PvO4eA6
z*C(rs6U>tn7x5k+n&9K*b@cFe7=uKa^+@wbBwi<?Z4+RTI2|a*wy03hoD85Zxskl{
zc73JnXd6a6>M$0Udj<e;`{+nZ3}St99w%4>7&+_|AipFX6(cq;^z!4Uq)q+gZcFlo
zkU5uIcG?xrd%V#>jM(z4RmH3~pbxOkaGNH`cVSqQt`GJw{awDH@F#CYrZS}i+EiJ*
zyy-nWetwk)4`?sCq=b63$N+8p^s=#Dq{KN8B|03)dAOH)s1pguuvh{cQR<xM(DIoJ
zW}%qK89d2H)03n;uS1CE;u>|rPhz<!agG47H`B1{O>eOqRFv5q2U+62*vEU;A{3c%
zERxgvCi015PP~B*Q?5WOplFGQYftSe-_ygurzmL61?sQqT0!{Ohsp@lL0aA<uWLq>
zyu-{Bn&<~{gtZw`-uYPIs=UZ()>>Y@m{lUm+kJ%{Av;QzBcmpWY^Ovowd#|8wlDf=
zT<8h&KpP%SSl>GI;RX|#CI+%;a~WnPk4-mloK;eeQd)X9!!^P^(6xFG6n_F;N?2n*
z@TB(=Nf_ktS|AYjiQr)AzE`1`Ij;b3bP9{#8#FD@s`GFVS`IVlJTH22t3)xFKIPUB
z5j&=<Jb>NRQo{JS`y!|~QPl0MQt0%SAul~wpmmNS%r01LQqPO^&=O}k%Vy!^z437~
z2y`%5_lk;*PD>$pz+C>)k)}>nWH?sb2@uYytQSDf*YE6>n;op0>Ty#!=hXvYQKMjx
zi*sZ3hqQ6I+{yp${Wf7kBmg#7>$^?vK{r(A?sqDzfJf)KT2@>39{&2|ZVy+A9b_!@
zG29Gvf!vKhE?5CX;JI8sK)EZ}WG7}`=5QSZegX^>2W>)3jLz9^<^gZ^1=bYQJw&>p
z_DUVDV5Y~V2u_aBPf`0hKAx=Let9ikkk3ZNy`FW#>Ld|anMKlGsvRVOV7H_JAr+OJ
z6ws3>LUc9faP#hl4Av>U$Dn(x1|-+dU#JC?Mb{?aHk4+1aZ5H0Ix0RZePA>#PiXei
z92}33U9SBpbDTi9uIp?a=f<8xU*{9!rxIi+x4O?VY!ys^Z>dkKOE}k7*5a)j@mnXY
zDKzl6#WXzCeUwLKB-tey1`E$|Uz=M&aeBf^ZQ%vT!nhOwus`<%>NTrOjXiW-vgaBO
z$ZbI2tG%UA53pv)LXyP!-E#{@pqC9}l0+c@rO&yJB8y`#a(f55y<+S(m1cQ^2=r;m
zah@&Bp=uJ0zdJtNo(AF9_tMkE6KbO!54KtKRi%!GI7&3%ksyMyN@SDFU7MCll}8ah
ziC9)5yNShg-8!977FP<w+A^+lg`JYni)r*{Z7Gf$^`5Mauz5VG(R`IJ(KcY<d5tL^
zl6SsrG}vv>E<euY-j%ut*B9j?==1WyWayf%Ohz#8`Emqnj15Nc>cms-8!Uv!?<^SZ
zpetDshHIkl`RTow`NUu33x8dViRb>VGaK0761ANJH%szl4;ctP66W6&UMg9qBqh?r
z?Q0#KSF71Dt`me1$_jIB8u3Pio3I^17LspoC=9DBBzJ%*FqaX!C!daIuT;PB*f+d7
zXbLr{W9H?hP}jZ&zUXo?oRL&HEq8kG78<HO<7lBM$!=`CRRO>+GwbQi!#qkMsqM(u
z6XSe2(!RkMh-zx-58rSpahl&bfRK7c1njU8gNvbqRPu7Z4H`eX%hjf<RISwHrq_^k
z4{ILc&@H}*rkr9d0sz)u(ss2a=O`;0E)|M6p7#C6{{pjiUHW^IFf%XUQO!HCO=Dyf
zS!1rGCU{+AAx`|dnUZ4)>_RayrJ|q$0TI=QJ=k*^S4hB<#xt~ev-L#>Q3#`|k(@F5
zBGtYvOJ{qb;0u9pW$T(Q5q@yBU<Lm6+O`9Cm)<M!A&(hbq;`UVfLH>13hfl3Q*OYx
z4+{oBdp-QH@AY#!g!0}|e$Yp+p0qhpAe1Rr%`kbcrUaopPk~3}{o12MY(d}Iv{(?j
zbv8#I_;T|>hv>T#nS5OCy~vojRMM8jIwK}4@4W(x;mFvfRDW;bt(!%`7=j`rPyw7T
z<=ZBN7T}}h@Vz5i3{EqCHZb5>49K}Dqu{&lJHv)IshP6)Dm}uOx*iej%xEz|p1HNd
z(R*(~E-6{aQ(o?40Z<v5ZEPX6NZnn)r{Q8Z2zfD-L%DHwId@Jv=(2flJuBw*Ym;1f
zJ({6MMbgc#uZlQM8=PeGbwayz_k;ne!{$qA4}Jh{_{6*diAv0jWEAr#a<R+?rJ3nS
zS!-Ui0nfrqDAKkhgN=Q#H8g2N+0|(VBc!vmBK6itD4pTG8WJGQ8a+5V!Y6zV6KRL4
z)ExSX2*7>Z@OVj`SjB6)M0_xc`x52a53x5}tH_8=4gpMc6e31VK=2S*fpgpORRMQb
zq%9DJJ+P~Cwk8+CyoD@!_8y_a4cL3x`%HDy2;~fi(mwfD`r^NR<5`v%dqA+iUM?S5
zMQA35RSQ_47KPx#p?HCi)#A8ny9q~sg_%3b1zQS6^B#?E-=PnkMGxi9y)OqkEBGm>
ze5-s5U7;6F7IPiokf*Um^(bPnk*Rhaa*>{+zFw@f({wUci+YgRLk?TKisY{&BHVyS
zp8@7&AYbG&ke&h+cR7Ip*QPB1ML@d0F(CtJazpeg<ae|>i5u>7MVM_eM(RPhEQ1u7
z&$!+@r``g47u8t}^-$HNZp`BZ9)%%1E_CyJAk0tRyV$gG3rj|LNpp+_Wa>}wMi$W8
zW$*zcD<gU)i3+cEQXDmzl<#@hnh;O5a`l7SD@N;6*p7Ef6T3!Xe+pkNU(NSe7M<x$
zfl&eLC5)a@yCg`(6%|2v`@PJZAn$EYfAq3nH}}}4OTMTo&No1W*q3&=;|Mk>#;Xz}
z&fu+3*psWtm3jn$Vmx;d-eH}D%Lv6t50LV5g$Yb6J25=gN+!`(g;$l^MH66bmT8Of
zwUjThZBn6U@Cb1Ov#a6lYf=DW5jbSIK+G=d$C44ZWSywC<+*St8v~_sPh=j?@}sD9
z>$hGehVkG*Q9d6bSDY8^EW^wBP=R;e$h0pvg7vToptF@g?_+sMs4jr7B{&wklmOh(
zJTs-EU^A717XU(g@}|wviH@w5cVCE1K^!&}nOed@Ja;8g6Qq&)&EVrzO^Zzl7@69W
z^^%DY+KIEL2o1w0o1<354>!ONkbEJkP(osEBbUMRGP3VFF=oK2<^+8FD&tHN{q()a
zaDiD;6-r2oa5Klvr89<oz2w#aJZz4*bY5~k8QXaq(2~d5%N%!>Csxm}pa~>$`JqFi
zv2IajWiU^r)KRboSfUqB@Ekja+sntZJCl@WN#>TNMI(pL2b#LGGzXfP4695hlO8VV
z>0OZAh?fMo_<3*%*F}WQc^L&oVB`_MQ3*Q2Gi`c;S>*Wk*#R77E;I;9de=p3#yr@k
zs~Dpmv7Mf*@^tKhB;7j-!&X?P*URL`(64I`?&a7MD)bzorW!v4|33ccx9~-lOMG0$
zFA}fcBYb2T9F_I}s~i2jp=WOvKuY~lIEMC<vz6|5&*SQt8Rayh%Wl=gEU=K77~v7;
zg5u8UBa+xxy!0BQ&YcCA-V9)8$`)$kG?^a-cFI!o%8{r&ubJU6nX>kPNv~?>Zlk-$
zOu+-g9>QU6D$5B_5_AUlI>DbB<x|{opXxotXZC!&$D{hSgl!<a-cdj}l}nRE-da|>
z6zioL4)#)48{>>QY1q~ig06eJioJTE)qc;F=T5}QOp9>N+wQs)`FV=gSq&Mw7pLH(
zsv~j=%46M0m(@S-|4`3{WpM+WM7<*52y}RW$jPBOAGa_~S%BntKd5NdNQ)IXyETvo
znm5>Yv9C$47gzTI$<VQK={#55o%g8eZ75W|NB0nedf14Ml;3Nd)q``iz|oYADXa8;
zop`V8_TB}zP(0U=Kw`s^#e!ERS5YvDx5X+Cj@Ctdf%sV+8KT2hb_X7X$2mvwW<8>o
z7XZ2o4+O@ggq@fhqT5nio8fw;MTmW|wj7ZCRT_+TOFk|t=tz3v1wq`Dj8_M?C%_8(
zYEr-qF@)Rct^)gBJ%2WG-8#7jbK?Hgqs8b@BBNL|n8gRKJOuy>A!^grQQ<nx@dT!<
zWLGp-q;m0Uv!+pGo3&vJm5^QV7ML~r)uG`;T=mtyoU2?;CAZ>t%h<B(`*P4R#?GM%
zi?`q8_27W^>o9>-fL+yRrw=^p?MiI2;==T?q5EL^v_ruQW{b8hpb%<)GP*^bt#?hl
z?3^U{tQ4fPE+q^fGB#g=GhE4o#DVlFt`|O!XJ6W5z2^(0C5Tgj7Q7^7GP%`7<xXV5
zWy%+%4`9uli9J`KLP)9M*-@U0={qW4J;Jhn<2C4xoc5?;R?yChf-Fyrldk0C&3Yo_
z1CjMDevU&<7B<J_BQx?;TZYLKVU{ZgV7Z~5JVfXtbpy+Mx8`z!-u;dy<vmp5l85NT
zevdG7!SKyO=olnZy!b|de<I-Ka=K$)RL-MZAa8Azp2XZUvG=gt?d{N*-1(eMf<Bw4
zy6^EizNR<}r)3eZ8%VrYdvsf(l@Rz~&-4XaMMIFQ1-r22Zny#r!noA~1a<TDd9Rhp
zyiSSF&LjXDC|nE73hKO!A^kC1DOSYo3YoTSsXA=O61X4K478{_G14eBlGso?VhF5w
zz?uRePzNe8mO~p;Yr4F$;wy!w%7;hQDCOjj$x@w#&7zNb?BW8t+xMOilz|FK;WC16
zi9V}h8N=uTR;S2aLhQt>X(x;Yfl&*4T_mZ63Rq93j{VO)K!bqQj8N>sh^vCg!+kvT
zjAbqh{LQO=l!PkH7*5z2te)ULVJ}<lja6m^7=R??QXmW;=s~sQoMv7uj`vuX%M7Xx
zT!jJkv<=JTWwV1QJ|r8q2Um2x0i)r{47A!TdNpopM)-EDb0VLgWw;4Fl^1;M4=x2<
zy>Ao6wo+hPOljYvM}GBy-c;)}K$9VqhUuXKamKh{4_3}>D;RdpA+%py;-hQWa@@}2
zMlBzCsf~9_1cS(9*qgJ@tAO8gkxX1$C(j^xL?|_IPR^v5;_@QjQy$e(aZr_Lj<R!@
z5H?N=l>{Rin&ewTYspn~FxDEMHV}^sE0l%XdojeLwalp5MHgH7j+Xd*l{B>wac($!
z>vhb6U<JQDc-ZC(YItS{;>{&7#1T02_F99fbpb`YVd*vpA=J;Tjwk(9+)$QLG41n!
zYR@frV`zT4^=>gCF}P41PwBmJw7h$>HkqNvX-~FlyyH6BQ3ldCE}Ng+Ge3L?&N<<E
zQH2<f<nHFs1hX_9<kI1oQq*6+8>x%Oc%7~~t0j9wx*Cs=PVmxaluO?9yC!N;bz`&+
ze(Ip6$doJr>I|p>bMcTCU4cP-jRCO`@sJUO@M?#isO4D#VU#4Np`ADk>cj>yuK5|-
zK6~QnoUf;<q7%_?;2cF=DUJb66HT~{skmgxY^nfF1{I2tKOtbB5;)wI{9)V>gz&@j
zrzg665KE#jwDfsXuLeQKy*2S0Oo#Sobng_GCv#Pr4-tmeIw4fDZ5}Ui!!%dE(L1P<
zstqa<mm}dZVd@foiJ8J`JY)i9_l6YGkB8sU6cRR-Wf_4!wMqn230Ka5_6`VENF#kX
zcrr0`6H;3k^=Jyav|->X1BcWD<wbdoKc&vZ$`Vb^yWC+8eRB{xK2o^lEPI6LUbF~@
zd5)M!hoZG*`P?&Cg0=?Pu=H^zrnTlA;Jyb?H1@_lDR&3~+WiqO<6e_#{8CmNrak1q
z;U>ixe^2-e14VB`Tr^nd6#{yJRLo61Dv!tT#9U8|$TW%rsf-G)Nd#%Q;Sv*50Aot7
z9V{!ShsC3~Ma9#FuLA=?QV!fA&bpGy=hoh=GdwF|?80CjP0j!ty{kqkO#lbU+9$xq
zrWG+lshPFWCSFv>Y&y5M_m)%@Es?=os9@lk&+)r50IEVon0z_%_`QVfZevH^DxQ1F
z134A?sA3md$Z+FejmB;W^A+R8q<4e}A)xAYuGU7T$<SE~y+eUln|(cw3B)DC>85Nc
z75jcEUk4%y$JKNqa(jYoRaQ}BV)oqpX8LZ#?_NQq;wY#!9C7$wm0XvRI?`GAJ|u*<
zY)LbUsdW)k&xxm$YHw2a1#E^;dWBw+slc2dfWH^)f$i$?9*PSjaUSl1N@y?>PAX|f
zO}lVb__c-h^BR5jI$Gv%Frqh3q)JT8b*o2RaI(YVapo1m<G?yD2NKMir+e_Mjpf1>
ztTD1Lv{bh*d$<K(bw~Ot#H`%)EX={0nZo!mA3g#k(#Li}T|4f<PG~BF?>+2*htEo7
zMmScR9zI^^6cKT~P6s9ktH`B^>hp+8&|Miwv~9?@Dz;>OGMplP+z}gxpn(dH@y)Y~
z@+oQVr_9&>-Xc0t(L?oYk9#A5#y<E;p54f1y%%^7P%M%?Gnx#-V){Lma-$rTr@G;H
zsxB4<$IrNp?t2&TZylUj`b=~PELCHWH7mn?0*qS{C5mQUP%s^%5UmsMRKiYCbRBNy
zc}EkPIteNd*`!S(PVhqHj2V=A>Vjj>d!5h#T({Qqoa&fT+$RH1AnIAFI5!(7=R4Yk
z!xLpTvUm(BS$Ji3)5%c;a$uFN^?TM;>=j?XC++Gi2TwPJADC8PLiOtzBwc*3RigGu
zO!$g3&T+p}AcEoXo?WZMgnZ2Mc(+^q?&Y4;0cdorTOziuV9a7N=u3olax!v1+Y^`Y
zBxgO2;Ry9t>eQT|ulS(^UtTqmQwLL}Q_Y^B?DZkcpJG_6W?Bk`v$EX%cmev=HF`dP
zDV-hP$}!kppg|aX)bfT)@Nv)0zL9jG^4joL)_rlx_i9Fj;|XCsV{8S6Yr(TQbOfEq
zTz!W@P+3oJ1l2}Ro0s#3fMhgpW<V!XqC{)y(7me><wZc8c7mceJtU683iQU_<-qo_
z2t9;?w~*k{YXQpM;%W%PftvE1!Y>;aFAc+R+oc{*IoZQZ03Cy;{gkb@g<j}7?9x?f
zxkJqh9j%zVIffP?6TvN*S=V(*dpFO)-5Y$=GMr*l(K(9k3J`>$GEszpL%O{#7|&mE
z5h9=Ff=Ii(f-v9CR73FG-om%$O%!0*3F4QWLM-AQF@`&&{ZM%pI-cS?us&9~cnyi+
zcE<X02xykXr=ufYWIvE2)mu?+D0+p<qq4^f#ZoVGQ!}VVpYAZUgq3hUFuo^ptxa?`
zD<mbrc=W*K8E?(TSoTJ-_}W@G8wT<7bT<-(7R5(UKxuCx2m#9IrXN4Tr0DmoK$M{9
zxv~()0zBD+2k@GBHEj<pTh8`H^et?6AK>C#O?FguNI}%w6p-;XZkLK`-=H9+qXT_U
z!4R9dk>28wD&eDTD99%?Yg0J=5}X~y@RTc?t|vCz$ZCpTCJ)7%xezvdih(m-@7z-i
zq_(5h+Q)rE9`0FPm=KDb9;He4a7PD{xpdt*n&PC-7?pp5AU?$~TlquHgsYNK3)Oq;
zuhAMT^NrH84ZR+xrCB2)^*GwKh~UIJ7Vy_R_GHJ0@qu(n^_(;@p4nv=PO_#{)az=F
z%{g<e9(O!4%#cg8Iipih!N^UxvlvN4epcbTc1S4=pk(`87>P9yB%A^t-ezR&>%r=(
zx@T?Nd8FnGQdii);bEJACwiAWd9|+0il{EFXh{#WEe%MQvmMnUPJ<?I?J$mjdU-1$
z=HUV<!UL>pRVjN6kiwR@0GCmg<KukJMVxzxE+}g}d-#hsuffF&n@D_3fb_PXgAzqe
zPWI%x@iPAl1;<dFnl|q2uccCD(13i@(Rnd*)O3h}00_{Mi9Ky8>(;}8_f#fyQ<Bv>
zGsq1d7zR4a^I*;#5)Xw^O<41L%Z+i5x&3v)Ak^R-M_+mL<EviJ!)Yy~X~kne)Eycu
z!E(qx@U)D|X(jYYlP&J7I=1k5G)mF0sUMrUDu4$$&k`N%+J#t~57+q^@8Z&?ED<yb
zh;tLh3rE$Syjy6?UQK~P5iEjBa!uHgelSTmO>+BY%I<(5_pssKc0psHh_JmkGm_+U
zCcg9#*soccZZ1zaSHv%hVT*if1@(!pPnZG1d!@d35Kf6aHnmq0lPzEb`et3jYb!c<
zav?cx1XC3+HPiVP!F`JtE|fz^pQMKuPy}t)W8WKDRdP_Zemm%LE$X@Ai&BzeSvSt1
z3c<V5F3<Vsv3I;h0+@2>(OhuV$M^<NfJVX-ucu(oJI!cwvR9bO)hcHn@6{7QUx|Ho
z9S_H+bSV3|)?ii&4SP7vDGdi*NVzLQSD(&4B*;;^3Rg&{Xu9wdp;rO#$zV>7MX~uw
z$2cjIWOOua?R#;_!6nB}Xfj?K`O6~r<^y?wxN-Nqn~71{(;uiX(Rfc*puBD*3_P?K
zn;{xhT(#9yK=;D;w8$tDjyQz{!|!BX@r#$~qY3;BS!pf=Svq3dG*HbHHK4;tF`QFX
z3P$>&M$YWKFBCX@Dq`<DJhfY)hHwv^KvMFkad&jo?kr;0SEZIJx-{V)dep0T!;?l~
z;t<z!p{k}Zx}w-3kGvkpIB+!f&hC-%ppi_b5FuM#hC;pW<>Y(9Xj;XCHMkxs%=F5q
z786ODAEFcm7d&>+eCagpGHU*6xtRG;h+6kH7dj6M`{vS}CdNBrdhsgX(o49fc7)we
z4P(pYu?(YJd06(FWTM@`jNr!|V~3`i%xE~Mf&kd$*A_20yIZ}tL{*0Lp|kK%C2Hh?
zcse1GH<~di&^hj+QC&kkW95q)dp^6tt+`p2xw=cK&-PCk#0$aAw1*)?m_4H;_HGg1
z!W<V<Cze{JbfEL3s9HKxEai=xGb;kZmIIm>*gf-x8hPTc_oR4SW6ai+iJuB)ue`&P
zsS-j>(yo1@mn_0S>36^mDRTgiLd%z#D*z-T!-fFm#mVKKS;IAOQvtR$2iRd)JPY7z
z(aCo%kYH*X*ivTW$=G>aGtzD9`yQ+_n=1tM@{{VKI_;y|=<YgA>2e;{-0|81i)=W2
zr|zU_INmWveo-swg!m$M`{lZ3neo6lv9w-V661T6OjG5OBhT1D>rqnG5<YuWJHme4
z$|SV=+$5RPlMIC>uQq%`_c9sYTB=tk#7=q|b5oUHPwtFu3wJW8mPWBZ&s%*ir2$d>
zazlIc9i=?-aC;W_K>JD1&8y>)R3>&#L6N(A0Z&K;$gQoWq3FgqwlJN~643(kdWNp;
zT`pA>wupp^bJ=5EvjM{=`f~FQ`!^*TJ{6fHkEc10Gg&cOF1l(NGx6>vR1UsF+dk`n
z)vJE6^~)C}lD)@L#~e$$;sz=xZuV?Qs&<s!C4I<bnYu|}DZFW9)~Poh2{-tnre<s8
zA?)S$J9z3{b`joNEK}iL7}P!_>yhL(tNrlhn>Uhiw@t%y7jIM}o+!1;@*0>C)RbzN
z6N#<t0D1PNjXz{Ux`t;)G=lZ!;jyXeWNGWs3M7%NQ`^g$Zy0>a;>{kgFzmai2#NqY
zZyfI`8J@xt_H-HG1u{WSaZ=zlx1$&F>K-CiShlQZkUt`kXN2@n-pi78aT3L+P&P<g
zyJs%-C>d{DOj9RKIekaR-y06G6qb?4Y@&^x>9CkNJb2L$=1I&h8sffgzX2rFxUz2U
zB`?x<z7V9jf#GHA<kOpcmQukls_3+;?@h-Ol_fQ8Y+2o+nU`>`nU8jc20ZXEjM+4v
z1sBcb(@?~mu(MYdqVS4u3d4_XXp6BJ1(cuY63hB{3$}<%dp-={jDo`)*t;w<*UWyC
zR2V8?8%NYhqWtVn93WV=@I~&6n&+>{`nVQl-cEB#KDZulB-97Js~z+-?}>-jJQ0Cz
zD%QrR5+8q(hN8)t4Y~G~TmdsRbEkQx#e9$@*Aw!1l^~Fd<9aBXF&-zzj;_3I6d0_z
zx_yRLQLLl2QKMvTiic{ANVH2Bju)klqsIHxiW0EkSmYw1UCUOhXlJM2jBERzp4J&@
zW%M=YgH?EDanP+#7mftU!P=`0g>?oORvtoX*3{H<zJSfG%MF9xjV*8Sl!L>t+oBgQ
z({~+tPR4b#@R)MUZT)5GU<39s9~C`$Pa(PmL+vu=F<N>BvSKl&P(V%Yk|{09%QyAb
z%bZ^t9WF?MoTUxMwfl)_0mr$mi<4~f)DALcBRwp(+^L)AQp)aSiu6F2okSwNz@7|2
zU;-b4k#1r<xP8Pbp4%_w2F~RKYA1G+Rs?C6ishhl7b3BfW_&}piov%v2@foL8y-Vg
zKLGO7DKAL`ieJ(Rz40Q^8dc6{Y80CH*e}M#Z64-OPCXdVh6g9P$*`eqrVn1C8N*3b
zHa-j~j>X6-x6`0XC@e;9Zl@Vz<Ew}7;2cl}0Aq-rK$Qo8#WP=cc7TC}8Sk0_fI*;n
z-3NP!HA+SEoepNjav*x48{nl&N+E|G-oQ{tgs5G_fb{r1m}(FrI$@J=MY-L_@?0?w
zdiGg%^OzDC&pHDDf8qc?weh2D-bj9}dn`>v+N*Q@?rhfGx#!Vz;JZCIGtq_^B5CwE
z%AtIuVOf(dn2zq4(B7Tb;gI#(;E8g-T9jLEt~i9bdXIfzpzG~(w;Pu5#Nq5o4-4je
zcP$Qg@eHFw`d%i#X>nHLF3G4CQ>hr8IWZ3l9F+5!c#?^)?((Wv!JiceRM{NOq~1$p
zYOf2;>Hr$2kw^>NH~JhoJ<7o$pM!#^_dQOBTt&3FbzZp30U&oY@6uGXA=?|_Zon`|
zPR7CXp_yLRovP$4>wp|lq3|KoV?y-k^~NSzq<5RE={;zv*h&ES{sIELd02kCTqRLF
z6yrV@SZZSWlp%tLk^pM#NhEF9>^LFfn`cCE%_q@zXp^-&gs>Zc<1g}I5I<}le?Etg
zJ=IUM;`y#y-q^F5ex^DLh6q&13=9{0?@2s~NVwGA>32PmW?Xx&Z{7&D?-TOD*<SNV
zHPOTiAZ`ebraL4INMt;k;RBTPm{q1xS=r{SCj?*=9xojOajDtIQ~Xgpptkkr>#p_)
zmbJ=jZvcHGd*gxPzRH9sxblX+v>SoP-75YxGqh$>_u+Qgz?j{tVE2>lr_k7p#{+Ze
zFO>4_?m;%R;-d+Bn(!zzLGi6uY7d8dBfYiG!V(BW<I?K1@U{Y8IYX1Al)B8AM{|9$
zLMURjQK`oz<Dk#2dJek;i0^{WAcT1x$3=TQksQppg%k~e6-HjqZEoao9&JpXt(ID(
zmOCbyCqCg>Ll6p`ddy*D!~{(`k83#i$(kZvo(dY<L)&ZK$7zaPtik!RXrY+WlY3IO
zI>uf^J=;<Me6MX!*npP(1gBm~`q7p|zDDD@P|dODb5Q*@n9<E-0bPeuo}H_(g+qIU
z7rg^gnOG(mqKwxEj*0Tb<6ZaB_!Up#LfZ3m(R=&4eVY^f_D*QZrBxqvdx;?^gk@-{
z`h_*stoKca0x(9gZa#L3d6r^ar-W=7R<GE57h7+V-cbe1l3oLC7P}PJClKDJKnAoo
zXY`)Gj$wDzXcAxIcu%2g1AhTrjZ3$w%>~=|qFC<n%U*~>dDr@g7i-ru%X>uEi(MC|
zE2BXetlx!9`uJf(p84+E@t2eq+t39DL7}_)GN+u+lXpF>yOSDsotNMx#HPc0z<JvT
z3}LG_aK4@~PX+O5LrQp(f#dQUR4>T&Gz`I($4_E;9|*6Ilv$`nP0otyt%w1*xT3E<
zEl#*R52@}AKosEQSdbf0e73nXcphkZCG6WdS(6A45b?HykeiV>JV~Lzl|eZ2y{<=X
zgxPCMPhR?amM~8}hFbwpLDhV&;^ALNFb#}SnCB^GXxkWY9TBkf;K3@B`tu1G&v%@b
z^YGA<PYydxD5ncD0bv-3cyPtbYfz;C1y>2<35Xm!z%<~n>L9LrZm<Xosg#|9y&_%2
zE<Kb<t)voKd~8&^1JRQCOghIx7RbqS>x@$ilgN;m8<!BcXQ@pco`%xw%We;n6Vx|2
z5FM%|w=bBw?a?}bi9~~t;Zp`UOm3P0;5m1EnvX6(Pzh$^I$IvsaUw)_pY+&S*em7h
zlJu1{PnTVPw<44kV8T84w$1h}bwgz0p}kO=WS$q-b|D9CjSsA*UHsN7%w@AgN_UAA
zpDSJ8psMG)LNb)IKnQgMzxOiIeZtOpj~_k}9KSA*h^Gdb*Rdzv#0SpwSRZ4@E+Dc2
z5-zNkXvdx=EIB_4rb>ag9RuDJXJBD9E~gU@Or7Dq&gtiGcbur0dRc&3zyy#Ei=F|;
z%hY9j-Rm0@Lfnw#P%NDj^js14=(0EMPB7wdd4Tw#QlW-o!G$mDx}xO19^;9(Z;l{o
z4xp;?<uaw(32w{lDY6Bau*hD`qr4<e@$$X~n`!FstL2nM7m5MOzC=fP$367A#yOiH
zBbuIUjo99EgClK241n%OLQ!jtF&%s+ELL;(yrN{zO-sbIo9v39Uf|R*2XK)#O{lR=
zPrO7C=nHyuBt9r?cymM2@3^@TxI6GFKaoJ6Dw*7*;xY8mLV8KGiVMR%O#|#hcMjdx
z4~@;e@afG9hBulfEK~_f@|*|UNsa*o^JS>hbiBL@axx4Ie1vE~7L|IO(~f%ERdCVF
zTINzG4=mIfSKQ6ZsKtl23c`BX6mK?bQD)x}#$4s0@$1<l50PkdN5WJKS`2bgRV34P
z><v+$#K_cmQfzl)mP~C4YvN5d8c#SN?%-+|WzV;Qta>;ukkyMLj2mp)F|tODLZ)Cr
z-1yFEX0kkln6n1f5V77|toWFYOHMd~7U>J|r?tStB#I&-3bI^W<&TS~Id4nWs$eiK
zApV5HOJbUPjV=rzDzvyA?H3#`FZS%Rk9E#o<OIScrI!<g;k-ApfVMq?(y(C<!`dy>
zZ$L((#XyOZTzPI2CEg2T%}~qdYzN0n%|12taO;u*7QOCy<SS$~@y%W3%m?t?&Q4^-
z9Bq4n4Vpv<hosgY=h*s_wZ!WL>lJ!3tNU!UwGI{DHi8DC?IYNU1UDKLa(9e)H`N=I
zy!ZeqMUUsb6K5@6;2M;T+>n4apk2!))^dfx;zGv^rN-$Y&0&{JcJ38oBsY(KZk#3V
zUIzQjmq3WK=YGlL$-HQQ6U<gJdh_rRvjXMQ$e6dlWCVPILRVW>C5g*qr3A=3dVs^H
zNV10>yDwk~`pNV=rLyrpjE%97*m|dEK+bQWJvP~m87ms?QXL?bnh_6&?zl+~*Q3fG
zj6yx>!W_d@aiV}Vp&&Mi6joCQ1}W?)T?!nXX%>XL#~dmWw@-l^$W!K2$#3k;9TuFe
z+@VpQA6xBlsK-DPHoIEo>2-qNriX**bfKYk2r*_SsZ~!@k-ZF>cfG+@(pd(!#(XGO
z<?;w_?OZeVtVuzm(_+kVu-g=ah9A8bE7%K)FW)Gt!;tjNuldg?nBN7@0~veZP}`PI
zq8^n`6rbt6G<hW5RKE=I8#f4$%ZGJ~gi_FIJ~k!CbEGH3G{B8`RK0X%SX7qF2swg1
z3q+q#;7_S+Y~7d=w^tdQ(I%Cy+62?m*aZ#e8>Bel>>Q#qGMEgf=$uzelO1OY&j&lV
z`|30>qP6!GH^fUio|mGxl0*q$V#i~%D{}?%m=H587gRmj!mvV2b>Ha>d((+I;{_gY
z0_4c1!M$ONeEMKoddxSoD5(I^Fv`|^FlNqRf*)CUo|&L+wFt$#9>8k_7#~)xSW8Qn
zI--kiVT_F$H=ems2uBo{$@8(>%49M=aC<5Gd<Y!?2yx$uijYbU4}<lCl?I+e%lF>e
z?6yTq79#4n*t@_U(8cby-Vrj=YgfDB*xp*LbMUvGe_<hqXCg8Ur)IP6y=!ZKRZek%
zknb(`);Xbh#6X_gv)C$n*vxOP0-T!Fv{41L89)zxz0P?v;Bn#XE@!P?z|_Lt_11Bh
zRq%LvAy`W_VfZtvJ+}^1$bGfxnk~>2sj68J_e}3ya^seiH(5?oamOsz^m8!2<BBjr
zFXmg0g5l+J>f2a+dqy7m#8gwbHvLV}mDn>qwr2F2k$cdNtZnh8%a>nU)<F>ANd%!k
z6*KKBj8>^^o#s@h5N(i`E4>NtaCuV$E>?!>C_&Sn9_*D)mXLr6-KFI;n{DK>aLb}!
zjPlMNpxEF6UYgfEM^-=Nv1kegnO9Q3RNX~XBW!v7m>#<~OVWxCT|~Hu5|U%d9(6<l
z$!pY#=lGJ{qp>{gwevH|fUJAbwmJUpt+mdot&zqwyel{yeN{e>1qf2-=>`FtqM@)I
zQANj8kMKL-4lBrKK9Bd+?It{kOQ%udyj9tbwG<IB<DH$mBz*$Yk_?b5H>#ocVC7o#
z3gv{`9z#CvL##tJg7Q_<3w8n?+N>j#4JmtcSF<`nxP4Tstufy1?+6EvBdT&dCqspm
zU=3aBv~k?ui~*b-7G~9v^NC0Bh;*zIW~Z~2p9&Wk96x?)>ViO3M3LOXG#Bi_8~92&
zyHGM)<%UD~@y)@jwG3TU?9v1vj<A^y^wTQ^9-R>>o_OC__|(f{d0}|nxgEwN({DTW
zfL~Paw3f2ji%nE_@zmwWMlf6hJx)nw=|o;{GuBZNM17$CIzZdYbvpo$W_B3WiVmPa
zyDnREm+UzR7OmVN6kqIk4U|s?6Hq&mi4=8G?#w|6SNo{aL-LY&QdvNQR>a~NWBw2v
zKu@Y{)}*AN(uIp3jaNC~8sJ7u^KIrxRAU?BW1#{bqD@i~rMPl<ZPc#}M?6KVMhy%7
zmU!naO((fO8>O4V;VXJB3<ALQiuNfurr&}0=)3|yUn|>yd|9|-$yhjm&*i;-=XEEV
zcB>W|{9dn9WDG0#0sVbMdX$@}JCN;pkJ19M7Ep%yf{y4#4mQA}sz_aSWwVJsA+REG
zc~-|3H<@g7tI*Rc(L~LIQ$YY?Oy1eW06K5A=~>Yg5Y>|N9oQB_GUxJ8Y=#B*i;klV
zJhj+k4QNJwuP`WHsPF&`^MGD&6v@i%ru2hucsB@~#-@B!b@z<G6&~erUQxcdxNy=&
zYe{#iOStCo>kbFMt?@VKem2*1hSFYOQ+Tfw8K_H-&kFrK{Pw~a7f?H)i;~Mv_{65(
zy(*>Wkx8DGaa*(Wz+<`CVxkY7&jy>(OWFI@R>9(I8oNpEy(L_IV8BLN%(u9dYSwwD
zcoU-Tw0he0%%5|D)V<=KD5p33K>V^u6y&u?0nKBn%n>SAMrKApFtx1B2e?n~87Rjl
zNda4=YEA`Hv{;(0bD413((~oq0Yx`{Jsi0Qd5FsTj#BC|F)cD)3!YZok!ccyN1@em
zXH38Bt>Jrbe6zsc>btv$z82|}wdQhFBoaOB1Ib8Qzp=naR~Y&%O&nn;kNF|ZO-jIH
zxq7eI*SF=wcX0%3cX_lHYR=XNJ-5grWE9@wCSE@o7`9O!PxpF8m)@-$4QQ!!#ElGz
z<AC=>y#1FVo7saCiXOCx$O7fEodMQGr3%l)?KX;Hlw<&#n>56uVm!b`IHQbi*6w;I
zZkVaiJ>I>z*&8cbLo4|NgXpJM;6<IC#`i4XRpt@Bp#hIa3RpABCq|cvRrUY_y>C$q
z7Xbw)*G(p&VU${;X$AzEThomJu>hSP<~8f1EFecGtT*}6EBSTk@)@{tHuECr1rs6&
zu5p_+zQ8(}3ZYmHQLEEL?9-rERXIfG!CEJd+@Lxxs6>M)NP++qMI1p<H~h-Q`=LK;
zzXLfOh{6I>nKn-(De2_7N^rpHoVi33ebipcw%J$A%;l2IXXF72HlQP5$>$WL;^wXz
zr+YkG;sf3SonWFP`;KEUEyrl#plGP%ARznny+Su{2_#xhXI~H$l6aertylNw&hUCH
z_l3y5etpwT#yJtodM~aQ?CooCSvYvlF*#k*-^<63g_RLl^+j~209H!6Ha>8n2lECH
z6+?RnS8dUxE-N7RSvYI^<?Bf{Dd-pl4t}FV?`Vg09fzjV9pu?;Wvxhc?t2}+&ClPf
zK{pn~we$6Ehj`PhC}#I^g<Tvjvn2B7wvHs6ZFc1u_S>-6_y&m|r$9#0G|kGTo)iWg
zO@jhEB6><lx=U<Nwzt?7>J3kY!)vP}=2TC}z)sf}Gmw5&Pp=a8Ve^ELK0VcjA{v5z
zqA^BQd$wcX4`01govFypW{E`XaD82(#_pmR^B5{?$)V~ViSp?L>i}g6^AdY7CA&A=
zyhlYkB?Ws`E6s~fsOe4{#4|(EA)d%1<EVMh$D=Odq+1;y*-f{%+dGvvxk{k<V1nOs
z^z_+xsos)Aytn>5A0&HMb8P9@j#(7IoPY^3>p;7}9Ug>U3nWl_Ggvw4>jlz)c_SLp
z282|6ZzvW$Ya@KuXqKG7rz<<3m7jJM5lE4Ac<F<5#176}=90O5=c;_A=2tjIGjnnM
z?3XW7G15oH+UQdDnrNv8PVX8J!P`^C>}6jg&0gL^3BA`*A^7eW>wbD}YIllEnyt2-
zH2Y+<CBs<rii%h{IgV1CjG>v{j)T?>>SjF~iNqHsV*_!v-J{k|o)OVyh(Me@h`H`h
zG$?<blG;(4oOc)Qxo_{Y?j3mvs6hCvz@h<+%&TQ^wPj;<u#LnXWmk<jU^a&f*DKK&
zW_v?)3{~asFGL?plj<~yzcJL%3`<@N5nIL;o?Z5r$nOP!Tu|P;=CpA|9)t|bm`kv;
zo?yLXc}k!(GcTt6Vu_~|CX=2zAAr5hm%&fBw=U&TT&dlQM(@gedAh@O{C;unkFwDM
zQ2Dln#WK3m+SEEFDBc8jmNEMYY!Po{P&&XfHtdx!(u0V0*V)7@?n)kylWWU;_pp1O
zog!{0>(hDzKK&l~+jxz8^-lAq{ibOi+Ed^YAZgZe3>*3r4#wpM+?{y*h>c%LdyW>8
zulR^Q#}1#6Gp%b#$R&uO>Gw>SE^^lp+XWt$$32Mwc<6q-CNwk6#4w%D%9&a662KBy
z;3Wo7x|ldwXca!5xlu0Zz|!c6dIa}uE@j?JhyuG#99Nh=LhbifY?8#|3Jz@h)Nr~`
zAdq@pK_{b^BE`kZ$)5{>Xi5;=lO<&XlrpO~$01C}hv$WD#<Ng8==?f|>N-y**Rx{G
zUck&e#FqsMCk1Fq(1f0tG$)O+dY(z_yL8lO*t}lhU7RmOFCW9!^AN?gPJ-Rc=(A9#
zDa%)I&x;D{2x=ttb?A0`jq%{ULBbazVXf*;o<39$dNFyI2N7si*s>p<GQYXkiGYrT
z(WbfL&u$bpf0ORsMH&*g{Gw#4dP0DsZuh15i@O9yGka55b=hz85MPDiOL&dj>jaBd
z?`deJs{4Xh8_1@e0fIV@0cbTOpjBlSjv_{3iAT}X!ys*c%?6L<h2KN9ac2tOVQ@#L
zM?)Glh);oVZc8*#;Q~kkgc)Fpisq>ezq?7PG6ZF^hi*8-v+|e~fb#$<MGUlqYV!ck
z$4r&;o@I_o>nL9C<5jsWCWO4zPNDa9dFG`^r`*`8V73n-dc)1+a=qo}`ZBx6dma)K
z!_1gMwFP>zVxewll>)kAiSO*{nrG9U35Y~kR(eB=xp`Jf+9w?BQ$FvD5fBugnhCOr
zrFqDr;=6hh@$y|;!0{>gL{Bj%1ddd2xv%48^UX<fFuy~pKx`3rWet5Hg6Oe%r;pta
zlP$`o5EDgVF?^=G`vgz|g80du9d`NP;A0&Kb5jPl(aL^e@U$RcFV}lp?!D4`*b>=`
z*+#A><xbYAiLdnPM2KfV6!t(m%@KI0f@!ASgWKHp$duK132^>izO2Z1t3U!{vQ~?F
z_vGocGPym0H-N|Q&^>DhQa4ghZeXz2MogsRE>#QipdQpX=z%XNifX_(W;>#pchY3P
zejF7F@Br<4gI2(nDul8xB9zP7{=x$<z66R8Q*Q?bca4;0DKs{x&37fsjY9bvkdv-F
zE7Zrhqnu=-x#gOGOIE!vGVS%txqh>u*c}<LID(S&h^s6napaN+8ff;8bqM(2fXwM}
zE#LNYG4Xn{WbSLY(*t6{q}qmMPWf~YB-yJ@u=#jRqh>HV*=!sxMKmOV3p61ND!i6`
z57!kBtwI=9>4ZyB^!i0;y?LD)^mL)il2c5vC~m<6(CEFoM`a~5mB<0Y=uCA6B;Y54
z57Efr2|f0EbOh6V&p@&K92+5^+jm^`DP0NV=uyJ6y_(E1Q`o%ThIn4dfJQ0MiV|8T
znLPHwHNCPc6(?sBDad%xoXJR#w0#;Dx!+b-#}*=_`s*@Fdusu$zKG7wgv@wn&{Zu+
z8ABdJ9I2E!n!%p@W-R<L#dJ<=2Ndb<<V2%a<}oNHxz<Z5F1%S?B8gtcCy!B|SET#v
zz9GJ+TH|F7O7TYCw0G|~w7l(7de}!r9f<Ql9pdu*Cg}qGg6;$iJUY2X*>bpq!w>Gd
zO_XkB%Bn|^%6aEFLz2(u#ZuNnQ?#dP>6J_gPC?|uWFOksV6LT!M1qELKAlhYo_n(@
zVLcg<G&WiRiP1z=#S8ZFw8rAGd{{zwfpRU0P9UW>nNyAT06P+5_C3r=o%PC{OIG9+
za}-6gt7G!eF2!E*J#xKL9}z-qrSILrKQ;9DFTz7lOjl()0Y#2N4*Igk=}0pI5qHGY
z=iVUdJbbwHNUV}icxU6;p~t<jp$xkm-bgqp#_{o(vD*hIY7za)O6#IStP(~|>7=Pz
z@P)Bem5|CSju+5(*lzoJ?lo7)c;+rdwO?JTJFUKXWbWb!99Y)~csSllx-_t}PM!nO
z4=ibpFUOSSg~e9Hy~xY$oxxTrAJRTDXW_&uwKT>y%huAO3pqY`r94@U!sLpy$zcL>
z{B{En@DL?4vMTPB>G90QWK{uz@M4V?S5I3IBy&Fk7`IOI293u9^eD&NZCN{Dy?GEI
zdt!GU?q7iLDqMVc?Xd|*W3lOv#!WZVxU~DSNMmi;oVt3*0Nv!UR-)j%*!zjw8UU8A
z?Vvy0ryQWM&JR$W>WRLUV9Ap{Bi?t=3IWsp97Cf!q+M}4ce}7B&DU=cqZA6Hh1t2X
zL$J)8ci_pDo9~N<5~wZiS}ygt>dC{~t!*kd)k@@Bwq01q$x*LI9w20vH#H*5NXm&1
z9fx(^K6_P%SI3x6{bI+R6q$rV6*(Un!8oh)&`Iih`H1c?N5tvUz@`9vX?G;UP#?zD
zkr-ZKZ#ci<BrCx%wK9r#0FFVkYI@Lv@p^QiPX%}7oCpiT-=RR-bU)=rRzb6@@NNmH
zPR9+$oVVf2Hg8;{A&osG3^Fu=4IpJix+*sx+iOOJN!X*@*>KAUPzm;&7V)*N$dJb&
zXV5!q&<jhm-DTlh;=y?2&4tv@>#cP1Ev5BQhtU>MU>Qio#+rKUQ$9DR&|~tZpe>Fy
z7|mA&sTuDaZu<2*gS@JjIEUM;#MRI@9fOYo{mu2=5J2c6UUSl`V(t@!WFC@j>bfT3
z1^0y#3VH*xJm-|5GyyLRDP9>*NVCa2MQ4#Xy*Rl*ftO%_SOEs-8?|yWxDuhnOVv9j
znjG2I^^7R=EPL*XYH^uyeS8PReIN))$VjJgV%<XpN`R7Y>SWGJ41D;ZGcbV`EMg`&
zsFh8v(t3Xb;!{Xd;yV}cVrY78%<)Q<9+AoPEeATc`5B?b5h0hwDv@b<wmO}p;Gq!L
z*o%T!zyt73q-%WrI!d;2Q>#`J2G*ER&{r#21|I{-#nALZdX?276J(r<EfjCYJ=l8C
z=9=Q@n79uz^iZFl+w(-KIZG}sde@$5Al%LFm}{39d8yLcw2MVKOBgSY9|)&sAeL{V
zKXsL1ouI?DmVIT8)bUb4SIAwDh7GVPXkMyg4nnlE1aOrr=6N0{Yw1!%k(VNa;1HiW
zKT%3JvTcAa8dtfNG1lgAn|-MQh6vzJ`7+w_)h+IuQJ{&<$J5qw16qF~0^Lnakwb#d
zuICxDl$?+}jH+frT77F-r4%#@DC^5o?D-H0;GBT2qK*u1ArWn!x<0Nl#)WEPVmCl>
zdy9O|h1<CAa?78eJlx(`TiL7UIJXBft~I^|CD_N!I>Eb;*Y+k~G>zHjF4+F2C)F+9
z`exxmg+70a6H-_)qy;gWZ((Q1-m`*vaj_h5IEtcky(q$~ksM{JFweca^l~qf;Z!sO
z(w`()%Ptr}JndcNyQjfPH3%~9(eCM;IM2|Y&A@fT%wXr+4UvJ@=RIi`O9@a+`dTAf
z3FQ&7Ox92+3Fo*z7B|wt+H0;R*<&*~cn4^eZ!7LD-isHH>1BxmRX!kotIviU{4ogJ
zDfXk1HIKQsPI4pKDz`NNxT~Si=CAbG1*C!7?&G1CE(2o@>46w5M~2bTyA^Hlc)Ac@
z!}W~4M+OWn8_Jzxy8`SSOMuc3pqV=<VYeZy&d^UoqIqa3SR_m@d`fPd4{)=qv0jOl
zvQx*>i0_#$`uWu*F|JZX(uAuMFQMc!ee)=$N(c996e@W)jOEe1ZOb@FG-T(YgBS_G
zxUSM<hpeq@(0n*8d46?RLhjGJ&zTTclwPD>QwBd3w5D!xY;WJ3#8%N2^*RJU)#rAl
znhdf<U^^)UjXw2ycFo6UW4e5U4ns~DT+dB{<jhFh+GR5vK@VV_kD8D(eIp`1)ik=|
zPA}`F<e)9y;cPBA&$c*R*g&ee%iKC~#auS#f~oQAjeTl@uT$`JPLf6PpyfuhE;xG=
zfs)9eNtj*Iob}52DBJo4a7n$Zd(Qw~ui!(XDqCz`0T8PjT;?gFww?-&jM(Q~=zIc+
zT%ewKEdVi5FMMj_Jqodxrq41PUe@~2Qn3-E9qI5q0U6XXF*}y09TS|-Am7}wz<^Hr
z>1BwzMM8@7ZNwVCO%d5-vr5`1=I#;jCKG<7h<Wi=gjl8@idobfL5!{BXv5*CxTQnU
zxO}|QNlWww`0;z`<tRS1t(p#iFHDc{ZjL|>I$HjO#HKtb>rF6$_QPBrTWN<4L57hG
zhfzOv2U}q9gh87DXEDLRZM5`}qOoLgGj0~b#{!YNu8K}`ou;H?Or<3j-aPt3aBNDH
zVepvM#tmq}8Sxn$anNJTJ@P9PJAi{-P1QDfhvY99OlO}QIO6(Z<te<4Bkzm1q1mSd
zTiZSQ`Z?J&94R&+Yj{!jiR+NPDv-d;TlGQm#j69E2a<}93v%VysjB$J7S;$_Tg278
zibUa?vQxJidVru7G$He{x37yGvGrNebK?L+Z8=E-e+B)js0`@p)x;~6#cr@xT+C5x
zI4PDU>Tq1q-WqLu128c}Et8F&jE(Rl=dp#)J{R<r%hcY^7t(|Dgh}myJKNqZB;2|^
zWCXgJp2(w{C4Hl14G~tZJ(J~+AHtxA&X%=F(pJ1$MmZMv)jSh#c`Re{t(VxnCX9%4
z?DTvuNYxpMW@h7RTi)w<70)s7Jy?_Tn+N?OaZ>fM$gNdyz84QbL0*yY6dw?oWS0ss
z_q)lhFzfVnB=mWkAx+`fYdRAzo|;$7fso+5;^bt6*;Wgfz6{8+iSw~r!@|UUudZni
z^d7c#!~rfMC}d6Gdoy&GdeE;J-k`J&ub<1~lw3W0?4@pw2Is|T6VfgPEN-B>#DJpX
zP!HC?PuRc#k5i5{jc1pL-WB8=u)Xe)c=cG{=7vVLAj20V0zM@*_`uyPr7rKODEOw@
zTXurR7ffU5)_n(l9E^R9w8C;!(Uv2-Rr?B1`4zi%o{RKrqZ4mjUZTKB-#1DVx+pi!
zA(Siq2m`SIaufu5Eb}I_qu^92S2K%6Fa}O2Fon^;hAn`2jZ$+QB$p%{Li51<kb(%1
zgGQBR4A03mI-gYvc-aQ7<Kpv1L!GAVTLR~L4{(9|96%Lqw+~Ah*f?ca`ex&JXfNLA
zfJg;|$HU<9^oKsB;}0mEpW-}#F=V4Lc0b~0j9TiUjby_j_XxqTv#VVf7$wU+x1Di9
z%gXZ@7o>_6lR;VP&{P2r*A!;u{?ye;o-gz9I5mJsgCviy+~^AV%=S#Ry6HG-036ec
zl+^*qCxzUpPmem#MFJ89m&tqEP`SpCq)s8P%rl`G*>9^9v;`8FgA_tuV~sYeumdAJ
zc}OVBVtI3kE}}A_rS%Asi*#Y?9!g<cML`wyjiz_M<*d=f6qqpIDj5<yOO>H;k&Rrj
zF=AT3vn{=~Ft)&*Lw3a@NPgazaS6V(&CQ3cEqyN%bj*w;a=Xc*4sAVBxJ>A}j-1s=
zdN(eexa$Syl16w?PTQ=~gdU!CDHz4tsJ)Ca0P~9gy59`uIBkow@#C#2kBS5{eeQOY
z-0NlO6bE;+`_SK;xp--`E{FK$r7k>beE^~xw!|dejrP{m6GJKm4jy?9B^%#Nj&6@s
zz|)5YGw{@(o<{e}UL2dqtc*i$qt-*@9a%XOwNQ()eB15F^r|Z(sClt7N2hEez)N(I
zfp-NQlredp;;=i5B~IGN;z87HOg&oa;o3*#m(Cpoh#@{=;+~-6b4<j~Gm(04beq^y
z-U674^1-xofOsk(k~zr*uz4}oh|lAlC|TZ>U`Pn1D!#FNCyrK&0hDDE3Manjo`j$#
z*}(F$b#NDYRQ4gVt2F1Fd4<!Ktq0%pG}NqWQ%$Taba7>D?@CJaN)d5Ryy<riso10$
zDcS?i<B4?w!`q3dR)@^#dhy&4;}aA3K7EAw%PM;*wM6kutQOwTvefE6h!{Np7~t2Q
z!gK;Vy44_(c1Tn(;~Uk)E~Go1xo`1pqpv&JoFx{u+cxV6^kbY|e{dtN7$)+jAJlFN
z9J3@?k{_CSQtYdD2Qo7|XM%^br}*YAk0VSbC3FX{pk5?Xo+=OuxuAK<ixoW2Tx4|c
z_G%d`h0cCj70%h{0Rv3BXAb<dg>8e=3j6@G>zb4N$>su|Jjejldskj3sIr64NUsf-
zG&#~pk&R+AY1@fGqp%nbNuXa*mb)~(R)&f*b={GRkY~%-*JGi#+)uOvjnK8<Q`ES7
zVj;XW>DaJx5r2y7H-(nLfQW|~R50RnibfIm<UQAFf$&Ard4{1HmdjFZZfc8`>FZCY
zXVJCC^d3B3HG2v3%hmKL!;l!0zCE}HUESkyC|ME;4c(J+$dz#LLfqsfaPV*m?CVx*
z5ysHE2E|iBW@vSMeL@&YaY1u<D>x{KbDETzsX~6Nn{NP;5>C0EbjPmefGj;!j&N&I
za@#kAlV&@Oc^OJ?%y!@Kj&Q`Q5#)d*o-wBBZBd&Iu@MoF!SNZUS|W&hlB@Vk9#Bmf
z(-AzYIN~CnG6C*4c7vG_6{Ks=`C^~Exwk|T<LV9Vl!Xk7+<?WU0uzy~)52LKGyVio
zH$z))-Tl3KW9aW{qv)uwc6RZ_9yoHNVLq_yu%N{)dpkV}(zH}4#0UyOnIcf_edn{(
zGKTUFz1<cSC*e9kf>H5+3hv@!XBdwZri|DM)W&ad18~gK>~NcTiFPb=hLzezO;@0R
zGF}Oz>GQsD9l0P3Bci%387oa|b0q^S+Xi||C#|nj6JC%L5;Cklws3yOed;Nk$hnY3
zBINKS9vq<o1!^eiksQ4A1!-bl6pptE50zUV#VfFoVfQ%8QqK;JqJq$V*tclmM3r*o
zVkX#ZNZ0YaSRYMEPzQ@=l2%fY1}#`qOFOf{nXPoqO_+h3B}ByZ`5opyJHb-P+zS(4
zPeY@~2B?J#7T@oE;(dy1xn4(zByllVhHzR$=M_dLstO3)=WtKFuaKGC3S=-~nXn6^
zGS!|@CA4_f1`_z9Gfxi`sd;7cJ0iJv3G&nu9z#(ZdP?vsDq5<`@D%AMiLAOlmI`F=
zb-k(s%1hxM)5wS;1S8p%1ex5|?+u03geb|0H+!mGz+xF?UJso=L_0uL6?1Y81du|X
z)FZ~x4Y<ahB6&q{xhzBMFL(v8l%Bj<WMjBjF1hj|X0{3K&3frT<-^Da`KU@3;f{%i
zVv0_j2xQ}=fnvf%W67*c(jd#p2Irned2)&BF;oSXn6bzWHHmg0UxHSo^*(MRv_yOJ
zr^0^cjatrb3*gUL!fz*9)Sz8&N!n*qFk52C?LB|d!4O>aOf{2xl8_=%W?nWB#1q=a
zM5z}V=j;(mHncBgM0Rl9L@|XmUs_`TfL9;Y_9NOFoDq5a#x9#u-fIQa)u#rhx>NcB
z^40;BU|)4-6$>m6b4HDy(r^K9+;hm65caa(3la>_lcP6l$gZ}2!1GMm{a&W5z9}yy
zer^n$M)oMHY*8M9rA{gwwC!bv(3F8vctSYI%FaYk(3B+VyQLN77fvD9levCrYZ>5J
zzQ1m6#4^#sFw@iNx3NTIzG)bH<}d^#9tWx9j3pyuysi7Hz^Fu?TPkBzYo19A(s{d^
zG}&u>L-EGWLBSc{R%E<1S75J;)B_sCW<T}{y;`qIdhygBzZ6z#jzWAnhUMG*GScqZ
zyC;qz5G!qoFwt?C<hnpy`_d!#d7$+HGKxOLwvdU@y?Scn_o~@TGEJ?|p8-ZJxzk4K
z5{Ch<*`CG$U6pA2zJv}4ki(l)jxrfTZ8Z<xpw~);6o~CW6p3?OmivIDP3%>bM6Bvs
zPxLX{@!{cYDV?%_Z!HG9Owm@jf*rNnY${wP5fZ``SBeqzGCW?e;zHu*%J!<Qv>mnS
z)IrgM@j`{79OwM?pzI7keV|858Ov@Rms3?S6)@@d#%P0~1tqQcF2R^-NIDbRV>eb1
zN3~!3?K`;pM#ZPXR<w5*hN+9ot7wo{IUysr9Z{!Ik4ufK(Pqp6QBhXl&FYDkYhfA=
z9TPjaJ@jlV8wi3ILAB4`a!O#R=N@|E(>JQ32!mj-8`$lWq>JZ_sgaiIuf<`VG#KaM
z1VmC^<3WYeVy9$b(Bk976q>^pH#S&t$1CB<#e#8$gZ7KT0&ZogL||+ipSt&eAoWou
zijo&iM80N#JJX{l4=nQB=M~wJ?5Z~AuP*s~XvjUA1uAUh;4GGf(L_kJs4zuC3mzRs
zmSxF3pW_EFNUOsrsDi2kr3)oCvBnaTk-NAoF`M$#Phcz#I@$<%P2g<cU8Z<l{sjvI
z?L<K}K^xX)bLIi&f$QMTmU&bGHKp7O`Q|`g7FmbdiY1#~K58CnRA@Fb?8<4dWFJjy
zSSauHBC^ibx5kT5>aACW5CtS`y%BB>r6BxbbO{uRxD8%C^u|$jU0QFu?$<oqKwNRF
zF7}FL#b-kmAL?j6dV`d(Gm|VHFF7kqRlDT52G0tlz#ysDM$8kd_I@n<;#LFzhB~@k
z@iyM`)vYU=X(41UA=r1fC{%t70JcL9i&?p$MrHvzED($eBXYz}`|&&LGJAI*2|9o<
zD4Ihu13ShY667LcTG*CM3TBY$UUj0SLLr4pY`6?!^Q<IFgm=3qviu$&i!B47K+8Fm
z$QY1581?P31k5P9ZB{RnhV!Z_aB?T~5g78?o*sg8WzM%Xh&R4C2$Uxmr9AO!Tlr@8
zu8k&wo*Q-#PU{ntgS}*O3POlh@{>knkehfk=3Ec$h|y}>MbbK7z!U13fambGe&t5#
zetF88drIn@RTNd>nG&95YS}y&+H*=cAOO{h)BfJQ79LYP=y<yDh!C<7kBogiO+@)>
z%7CJ0DEXBF5=E_Y)g%|4fkzm?)uhNEk)15jNde4-t#&^2dHA->aQpUIJ(cub&yI;B
zuDoZ_97X6`SIJ?$W{;?|IRjbuWX>u`?WG7MZL?0^df5ftBSOWiz?16qnBtLp&F>Qy
zq@R0*{^lcMuJ)lcBRYj=N5|%2A`@K}ch69$gR;pheX<$MMtCN}p3er@Moribc?Rw>
zMJ{DuoaMow;<#*H^F4S`hSq_;Suq4GOz)RUX((Rm@SvfR7c8nnN~+-+m^0#4aB=rg
zjq1Q=l}uGu0FS-}FnP^O1rRu9RDImY#bh=~dw2f0u<Km{7QMk`?SNQ)y7MMC9vrt#
zZ7E5$314=N4@Ye!-J`~4?5^v9U1&sJ4I?{|u!cGumpEusTXcYz>r2s3pW@x@iw8pk
zl?NN3NUouMD`iWs6yR9qC^IR7-cj0INGV*p;mh|7uk$Dnd#wbq@K0Y6kjT+oR;e8B
zegXDy<1Vn9#A6=>7g#`qL`S0B0YWQ+KR!#29O`_o3?3VlV_?!4sz8(_vhkGMaArh<
zX+-@NT<tvs;s`F|q;nBrUb7{ne6d$aYDW-{Y08t}*%nU<88Ss5ML*mU^GA!TZPZ|3
zBwFhJJhQd^2ISs*$1Pq&y@{Dh%+o}d?h`4s-A}2k>i~d-%mcxZ+pOPvyrL6G^SY+l
zH`M@UVSzx4Ba+<xgyb26#@Y@CHNIh;M`gs^(}+b(v=lqhmz!#C27EV4wF_XcQsLz3
zmAuKBV%)a%hnoG;qH3Qlq2$}=j~8d4`UTU)qaYE;)M=B$4ii}!KS%7H>W35#G9nR;
zi>JdUnmObfcvtcw*&p0f7?YPlW3^({?@S)?rJ`ip%iA`^Sh%NPIG)r2hga;%VIz64
z%W@L~#hI{R53pk8p4l1=`_9#w%z4vcDoGlV1S(2Xyk0URcfonN&epmWSu%msleQrQ
zjNRG??_gDd*K@^0XXUxF+-Ac1Vaw@33uTqPa~`0uq)5A@w)JXz^~e^+%drD@&==wv
zbv`Il8sajGDvJqeGLFnNpjn|CyS^gDeM5@`>X%>&4;#s-H)1AX=7Mlu?F@t@UC1&f
z6hw;-;1jwRB2Mh1=Zpa!&Px!QmN2QaW+_wnIFtG9GzH_+ey3JgoG`nexZrQCO`}iP
zorLEImd;I5edqd!VVzXd7qiqZMq1c4L;b~EHi-H20DtvTAEGVxF?umoz(P*D<F)2G
zg0#DDY|q2o#Ex7{2J*Q<BlFua9C*1L58TFjdcx0GUF1CrwJywJLw<_8RGUM`Q;1G4
zhPL*&nmzp&Se2#}s*|v_=>Q8@?*s~9V}?6Bb-D<70ML2QaPv{%m_mnuAxv=^Ts(Yt
zze?c6w8`s5ceU~yX!bd0)jfNJYuTc9uq6T!tM6@<Yu6)_2N;lwt(rr8c)ZV}i=Mw+
z+RRpzxAS;j$E#dPQ}HJ+g_@(R;LWY@O}z~O<I+At$X5Lm7}q1W2eT&7T5F0@T`r)e
z8|(BUTHdQ^<g0Adck!$slQ(t7beReTpzYPdh=!<^7zkGo!$S?=5%le;CwmmB&jVjT
zA`suxm$I+nij0V=<}p1og1%w6M#Y^b+bwGi(-_LaLlzc=PV=kKJ|t3)JztX(>&N`|
zb>;F&E4!-JwOz`j+gig6JL-!!H=^~bi=2w?!Vq1`9y7s(gdPb*o7$p;8!2+(@HWe(
zi|h8Ihh>4HU@j|5y+}E-z9<4oF91!l?~QrSpfzkhkR5BJ(7KogXGZl(O4Z^nz<y6(
zw1b$<s*k;$VlKugq<m94YHl{s4G9mhktavvp0s-tqi3^h!dOm<C%h_~fqtfQSuap|
z(U~hJ0JBTUILl-o*6llzz<TY6h{+1t-txw!xWVYA>YiLXn)pNRM0;1a*jmVJD)f%z
z!m$aTQS>s&Sq=@D%k(Jwz7z^9WqFcrE=LQ>tgY3!5Os;s)+<j1>lX7ZiS$@wNAIXG
z3=szBd-&?5oBA5D0lyN3Q!n24mfwz_V3U){#U)E4Q3ed39$JsoVNAy&kj$B%Er1y#
z)(za`qg9h2_q=9dm%3-zep7^+^vc7VMyDH$yeJcxvIm|0%35z-)0wYLIfRDdiH1B_
z^Gn3)(Skgx^|k5(06kH6bdR3dXKrw79cw@*R@${NO7`y2d-Vwn`4rr5r=P#O3aBtd
zp8?8DphA`-r2tv#nl}R5qw$KY4gk=lRd8s-p0)-Inb9^byC5vTLNk5^1!T51tK}!M
z0O`q7Yz)1tQ{V*hVg^Ie1aKNRNFtM}57`#dv?$A<Ih-45iDK13t4LOz@?4%lkQ%te
z(RjkO4F^?MY8AecQ(40`kWLxxU?0^T8Y8HuQxsCfY(~~kF9$p_AqSQ~yPnrU_95tb
z<dLx)Y}*?l4)yL7rk>X+(7}Z)YD`afNxYHJ8Z5!;Ucq)Uc^U+%U0!>n*rR~w*K*r8
zLgjlQzK5_23SM^774ax148*rV%>cTMweeXh?$Te#7;ZcY2p@b@Fyk)3cbdhIm+)lB
zp6=DT3P7(BRIb~$8g|&3`h^6wGh&G?ffjU8@DY`(a!}PZ9e7;wx`~Tl^*ZuwRe)UD
z<2ajIBRe^@Cw->#QlJQ9LhE`&7ASS&Q2_$b>PVQTYNkAaCbEv^W_T4w)PDNZJgy$y
zAuw@p8im3O>kLGgN3(}xuN3gK`Sm#kIRF(Ux%SKsr$IdqlMZnS^WYoZ*Nm^Hb?I%|
zQTXF`&cnwwtTDThgHVRHmHG4@JHE%qh9nQ;5k8A1bu|-AHqBGW<~%<XJOb?OlQ9n%
zeTgK+j2zv@AP@ZED-*VDP_(QIO*6)=x8Q@GnP?<dd~YTz-V<97>gx)u8Kb$Q^VNQS
zbL7(=5Zs2b8UmhYS-U*QKnsTy#IE#`#lSP`*)Rj0jFd|{X4~7@*vIULS8ih1ouq^{
z85aZ7pa1{`!~$1s6P{;$P>`NjHM;}Y+)e-mvLJnyXa2YztEz4ZA;$G(4z*?O-oi6Z
zk*o&HI!JQ#Sk@lu6+K9v@{Qu~-Bw?qDZA-Fvqv!3_KqbP(?I$79ko15Sz)7kr#{$T
z845L2EMEI+?=|V8B2U$)y4jo59n=uVeWFUw)_j|ySA=odk>Bl+L!O}GPPCFezC<PG
z6XU|cuBO9wdGNd|(g%+bN3#)Q5mz6)71iP(#$gzYPh{w)>JF&qshM~yM1fLWzK%QE
z+0zK2uk6kr8=tf6mTQ<PK%YT@Rr->JBI7PGEM2ejOY#)Rs|_H)q?&FCytg(nE3_OU
zPeh>tygeRML_ogIrxq<jaW|)=W|k9;J$nw(ld(QM#e!KC8;!P?Ocq)5xX@osICfrJ
zJY`69Dn$(@zyWS4+RV}5)Ee#v-IGbbd{lh-QduNgQk}wr04(MSv|#lC>?_pN=0HOx
zD#)B0he!BKMWGy6e8vns$`Y%(V{N(O+;Ou<J6<!P6MG^Z2lCc4L`m#x8Pu_x;1F&S
zdVAUVIt!j4P`!cIdSf_AX?Bb@7WCA`-Sbaq=ryk5yy|D2G9%gZ0{S^27_4fOAJDw%
zKy=QG&CLVK=L-;tx!7iM{EUlowS)sZ3fjs00tQ`fgPUWIH7hIijqc!yz&Nq$UTcM!
zM<;0xrY5Z#P|9SO^0M8Fb_iV>Lc6xSgR&^>XRZi&ODAiWb|deG^jCQRm~;qYeU7`8
zxEocVnWK2L@cKBV%IYERW3ruxOm?~EWPZ;J8J){!Z5`HGoGjU?p>@vp5vki59$Xm9
zhzlbg0+DD!v+>0vXP{*Wg;Ppmbc~=Uo4UR^N!Y<>-gj6|`Sy~R16US%iBnn;o=^lm
z@3FH;T<*4b<GFE|8N!dG1O>%w<rtL9JsLSFow6kQo(9WQoxxGcQBAF@v9ONLk#jSQ
zXg${<h(u&JtVUmCo=3#(-t-O`Pv_FWB{J@8I6`aavJzf|1+Obkd95cs_V=0#=jzhn
zd;&R|rU4gLM5m3p!>`}PYgd4F(Hb;1i9A*tRrF?JBh_Bu0ZrKD+lqWv7PSLdTQ<9l
zF40J!K`|l)OBge6VFB<IjY+Y~fqN*Mh+g@4;`jp|c_Qa{nNZU&at$>|Tsz#Bq#c)#
zlbpSP`mD${cVCX~u#qm_gM{#z+*W+Ki}r#EX%dx%#saX<;o4q=z6YAa{-6NX_h2Hz
z#hl&~T`6;3Pmj5oAwOM|S#V5$i;*uuhS9#E;h%d(XfWHL2?yNEj4BWT<f*;4>cSmz
zJ_;dFx86|evro96)*Hf#<=JTUj-2CI-i^Y3E)Z(>;$*;$oSll%szU3f=s|mSD!meU
zAkh+;O{aKPEFG$4aySu$cf1nHpk&^=fthJflhV0~j%=f+R-cv_OG1Hya(eoRu2AM7
zym>SebC7g%mP#%Vsiv4jm;5e$rp6Z)B{~SeOUP6Jqv>Gd5DJ-lU$)rE*bBSp2#)1D
z^)eWuI5z?8brC4Dcl25(J?Hg41V|4VFYrs;&9NraVlaa+pcaG@IJY%grt>voKer~Q
zm%_I9s#Yu_Yo|{ZkL+za#3MQY{qsDfh$y-5Mwp+Q4fs-|*qjfi9HNa_KXq5M^hxCl
z_IHwwwlFlej2V4LgvTRGk71I0naav7p4^hT;OlWhd)L(cC^S8L>I4uv#Z-aBvCign
zOkVIKgD8S2M}1Ins!)>YZ&N#5MJJyX8^ol`kn%R5^xMpPnX{9xfuV9P3-zpDF2$rK
zY9NRaU|G|X=gvK`3l^*HVxvQ4$LAuV$S?)O4-aC)%ORcL6M!U+l7{iSdcs7>_^?d<
zoeP=(1i{KZQ*Cu~RuSqr(^>Lg$l;j|<$D@hA!b}7TgG<EEaSk8Y`f%z&ph67L1EBi
zgJR+H!zvBScd8OuNJskssKe&POLOzZ*UOd}igA7WkYwBg456M8%`se?OpaJZ0KerE
z&dnftJMucq?`8!<b`pft3u5C&#0V!J0KT+&BAH1v#`|8Nt$2;F?gj)~q5^Xv&)sE#
z1ZtDN!2|MAns*PTAsW%z?Q!xHg+W;tG8M{u0|@STtE$8ZQ^WvMM5Qlv4d#Zu->n&e
z@FE8Xb17WQP_+ZWv*yCLnvdX?v6Bbv9qIFVVE%e+mNz_K%z@MG3DC0cUYgr^!A9X)
zyK@D;7iL1Q#_&oBA2fmniVEsHm0J>tLJyS<^@^%dA$E3EXIs;!Z=kz&{R#*<y&1}z
z#GVjYC+B07c*{0Y9*#o~U+c@YeR9t@<P#hAslV-^vM5n9=WFxAfXAELCoU#gkNOz~
zI8i@!lW8~@fnv?gXkr?Fn>JFk0^0^4EUhS$o14n^G~qxLOiZVTLdWqH(3Of{D<inM
z=zu^WtR|0$S^3NGyz=N>m*9?RjJ3GE1M+u$gU=4jfs!kN^*B3{$$W8jfw7Q0QfP?<
zdgx8e3&w)3tSNy>-+Y3EEU4U+rPVc0u$g_{aDiL4SW5JJE+fi^I>|e-3bqp#5)WDL
z3ijw|iomak-<)hoJWlo}dTmO`n9tmi+u!IYv5T3oxIr$ZQ`;lRhL<P|w`k#Kdk{+`
z=_>hhAvo&c@)`S;r{FQ0z&@n(tG~cORY!1n@fbUn_SyDpw5-ROq(&A&hVr~CJawW1
zSA;}J9Ry^oM<syFvV>QrZLIA92?6A(U>0o3%gVUL;ecJ~kU~}@KgA2NmfrSZB|?*q
zNB{|#sc@UOKu_2vqBXGSHNG*5XZ%uf*#@X2!Bd!py=t4KLL6qXx63LHG~E?>G7)v`
z0ZjWk?onGy+AqM6XkMz`)g{TIs^3mD0?VY?Ts%=e1#lZQI>RzKV5rt^<aop?(fE*R
z_t0CYXK(M_v1-0U^+#hWvA{Wsr}b#2)9Xm`JYHRShP*l6dBS(u^7;&q+wJY4>>*xm
zgxa+q_CsImtQ7JWq{m$~XUCZN@=;VD=`D(vjTzSV{UT;EvkA|bCpainA9Ycc38TlA
ztockZ8aCEw4u#N6>hNR_mDrFKmeFOwyv~G@qSJgGM~{yyr~_XFuE4q5tA3^|7#eqE
zk-68@hA@kY&yh422A}#MXjSja<atxjvQua{cL+SkXTxy|XzdT2W^m(dcG;tfycYud
zz1NiB;fIzmiNp1rpslQ_$==Pq<c%IHR!1;F8ePii4m{QO(9=jcjTk~Tc{E-h1vAqF
znqDs=0m@x%d=m9*0SV>>?E#u{ExVFQ>_Ap$tVE{*@Vyly&$GR@TE9qK1Qo$D%e}gb
zsg2l?tit!e`pD0&qS9>4^b+Q%F0((u;h!R0%N2&go+NT{c$FcGaq*CKni~U~`YE@v
z7n)#^P<Fh^eogs&Gazmb_z{sZV8UCa?Z@<l0LCAcx^k5PUW~ORo^QuME{Sud&gk33
z2<vge;>wyxo)idr!+Vp)(u&JS-~o%GxvPj|sFN3B%J01lM7OE8cbgm|0}_hxMlouh
zrlMBeq!WpNTop_}aihavJ|d|=A>Ut2#D(&+fZ`Ro=q$K>HS>aG0B~0sBP&Z-%pC@%
z?jG#8i68faTa(x;B4q4?^?2fT>*%&})nevawqD?&_&P}E8fc#FRjswF(V>FY2#(y5
z>v39^`p!ulxoqJJJVdKoL!*d4(edu8LFon7ybiJHX;Y;)gVhUD*V)4Hp3gHI$I`6I
z03IeH*mH1PR35+1lLw2h$h{d*{e`5`kV=WAY4C6hIKGN#*9B5UO|S!0E(3QVQ}^M@
z!-eZ<=hjJ|c;>;Xsi23uPkN0NFIDD%Yqt7vQgUTe!7J8iUzZb_V8^L_%+qS+)$81C
zXo5(?WAzwG0XLAL%;8O38NMLjXaVBhO%p0>vj(rm1{y)!f#MMWtI8(dH7zwMqug_S
z)EV6)7W=$%Z8W6z$<>q^9Wh{<jHK8gKOj!4T@l_P=(YpuDpG2M6h21}vRqa_ah9Cq
zi+qW7>TU?)7L&%3xys{qPmeuP-y;JC$w?YgcMY5J0~RqOZ9#jIo$!{+^fY7Lr*-6w
zq>_VHCDy3hWwyLGR#K2Y3P#UKB|vn|nI8Cin`fY^=#X<$`P8I%bM&;{o<Cia@T&2~
z5KWXuSDwc~>ha4L4u4@yYnB*W`ydf<kgkC`-6x3N1;!@lpw#+OSXM&vzDk#)ONodr
z5i*B^c}Fs)sZ@ZV40=t)BEY6%Z;_QdT-^YkIY&;yp>na8Q)~})M&9P^(kW$XCul24
z1jKt0G6hu;$=O_X^s60c93g=!<idgRRVEGsCAgME?(!s|dw0@%rUo}m5|(w1`A+*%
z?eg&+)Pv&8+359E?=0e9nShl)(Gl+x9SP_JdE_4X1f3r9Y?px706w9S67Vbz7{bSS
zb^P>cy*2RQjS_wJ+z0ZpKwtJDC(PtZ0~_i}0{Cm9a6ARFc{H-XvWt7~IbC@vnP(uk
zOfaK9OM9=MzdM$<PtrCOd^CEODJa373|c4+5I=RkC&HoQiQX?1k%dr@KsX5T8tj1Z
zU74?f84;h`X1Y=BdS-}*N9fi=GTC~?dqR!OfDdf8Skx(eWhT=4!qz)fX&(`Bu?D_#
zVs4DRKJQnl2TV^6^Vx#F(wE``rh2VYJg+q|o-1$xnvB~U)Up8IYG5=)bn7-3dD<_@
zjc&6km0uOb2?>foUYJ4C^E~@=@2Gr*y^U4Hx`~lz=^8g})I}C(;IlU;1k(`_8-j3M
z@N!QKi(1y6__$6x?37R$Dl;NftiOH~cW8U^$Qf4icqD8bd3a^}ZH6xkHVC0Jypg)o
z)fFRA$x?;|sMGT%Wi2{YQDAF@9VQCOvwP!n9w-T?$2=Oh7&Ie_c1ux{O1?ZZX@&)B
zhJ>C%IomaL2R7QbnZW5}K-{_sYtVlEm<iZ{7uExg@Iny4@|}m((E+@NrL;*iJ~22$
z3NE30=4co&qC>hB@l?;L>@XiVoTV^G&$<Fyu-AoI>u(5DigsHJiu4*(R0ARekFawT
zg71Z%Nvw<4S!TTOddFucO{mt$vW-uh;dEuX$F2Rb2Ls%BMOhTavONh^^xdJW)>{#l
zDte|nhR})6llomoIpL*VQsGl_Xs+COG=Z*{?F1fp;q5pKm?}t%6sN*^pt7E)iy0E~
z&=a1Fzj$bRp52_CyGq~<J|z$38bEpMS==eA0MSCQURfj5$!x!Q8UppQ<_vRRNoBbx
zx#kl@d&nbBP&Tqp;N~7cx9lc>i?Uz7%+lQ^rAfxT@wdo38Dg81Wvzk$$LV00oqFhj
zC9G1`teqK(ue-oaNTav8`eGt#NfszqtevhM0w`~vY~P~+)IJT5os<fIy*`PS7dJ1W
z4@D9Qp&msKDHGtygF$WMeFg*b0gngpDaVUi*0?l+sGkraXp2&D=YvOnuXNR9T^*M=
z$-{%qr6y-3RNinJjYCSi)UfakZrn`{HaW@(kZ<fUz08)T=38gzCWAg#aYzM3Gq2jo
z6T}oO(ZPIM>J*&$BKGNI<fP_1ii*oSyGj;QkBY_=vwDduAU9{ymXOMYbB;wxq5xP2
zbG+~puO&_eJ4Rf#^*ye77Ol0FFI3mv->8!*I99l^`daSbUclBsK(0Trke*H~K8Os9
z_PKtT?BglaQ}wiYO4zPJ_x4@5z|K5%Nmj)!4#Y#1;ZoXrQf>noIy85h1tuO5ne&hb
ztcDMXQjPd#ndO#^4Y4#b{A}N!_+ZCA(|tRbxMd6i8%i&!dO48hjiBxmbkuw!VxWXP
z%1#v`<yMfo3rP3a_hqr5l>_Xf_8gaZ+N7J6h4-3NpA2xkwgW&@STdBYbjS>RCrgWI
zfj+pi@6v9%D)-TyNlv{QcX?L5dhl+~2u;|{9Pepc+tdv(GL^w7=|jsp+tVQB^0MZj
zR%YTE>@In<($($w5L5Z~GLG?XihN>xWFcb(Yssg3<vme(oh1o-KE7)+Xj1VaD>2yN
zMWE>zzSoOsO2m>7m|Na5=UHSuJfTgGV13is8s~Yq4pI1QI^1jareX$_$JN6wFbz*1
z78_*S+%vK_A^x6)tmhlY%<i#wLV^gFfHw!7H8##33JO#XCeEODX?~@xKE*f3(8x;Y
z{pN-CU`mZOF5+gWl|74>ly;RJ;34iqS0Zxw-dSF8L?#tA(}LB|_{D8FJfueBA)AV;
z_U$3`?gyqGrkeCjk$1EJs~{y`AMi;D?@U;&y_NG|dcNzL*fH;}R61_pHo4MO1~&On
zXHTscM~5GTG`6!lnI_Xy3cV#}XJ->ep?bp^+{~|Ltxs*eB7!%>hq}>53T`a<9uPd<
ze$iXUP{MI9NV~N$G|Oq*o5f|GFX7PkNtHy_<9gj1;47F>JyO+|@fzML7I>#EW#*1i
zvp_(!SJV{0*PR9F+LF@L2&u${M)bb%@u|t3@`#^BcL@{R);3r=hQJUUm+G;zKh4`U
z7CivN6kM!o5iuy~wr#y2h(@cE+MBV~O5ITJd+7O!xJLToS(dXdc`{Uuqe*Nm5jg^C
zn#gIy9LcBxfR${{y?D2KWh4)5>kLY2(46?JE@4r-9!3u5$>S{CBqQQXRVG;(3cH2`
zm1e}P>ZR9@p#s=+2&~uPZTo9%j%uuJ_69ZCeyOcTJG4^9I7mzeAqLi>vIyh(pu8Wj
z`dtX}^$`|7jvjy0yW$P`@`SuzV7e_)z!(_@CKx-X3>{s0`=RuL=*r6ZZLKU`NsJmp
zIAnr$dO|-qF?_{6D+Ba4UY5r}F8&D+ix+JJ%~N)<m3y)oRMl2bq<tU9&Uw%iYs;+&
z?e^U)OzmWOa6J6Pkhw=P(gl+2)c{O)5=FB)vc-mJnSiVNw30b>#<pc#IfmN9_I{jq
zQWxaHLL23hcy?`)@M0l`B@m_`9}@833T_*`wU{=-QhXqxbu>pX4QHZGoDEgM7x9=j
z+XDem24Py!pS(01uK;L9#=d*3*bLqn73PB_z8c^t4GmTSh-Arfz>-zt!q2l$kP(n%
z>lr@ZR(k^aRAq2AwR|gw%5g}|pr8ktfGVEyJek`?u4fj$?-gsB<s6IN<ZbCl*x3@w
z%N&M%k!5QRp1iEbwCFA>=)F3I3i{v$JkDF#gR~=aIui-A^Fr8d70;}GP;VF3hjP|v
zU)q{4_ck>|P7-)LwpQ~;E)E`;ldLcblP@fJ%VsLo2GRE68Y@<>^|gr+$<xqcWg4C6
z*bdub!c&yUW^%TuR$;3I7J0^whR3;?`SxJOw!1iM>MdB7kRG6upcYQo!Q#6?;)@)Y
za^bw`UgXA>H&BPWxbhO;%_u3oi8(CuHIFDDc{b@1hL3Zp-NII#9+C@qmIr9mX}pY;
zL3o`H94xs;fM~4FI?yA0XynynC})nrR}630PM{v*N!VcxMQJ3@T_mhdEwN=Ik`*c8
z49bN)w3NDitzuD4&3tYiv-4<gTQHSB0fL{xJZ;C>IJ#T33g;@t5M!RjFuw8(S9cvp
zI8e(Yj&<YM*fiEuC?Mmfq|M6Lxci8*TV7*01+vB~WrEnbxfh37fp44EC&75=a2}x`
zo|x!C>240KM{2s?5<wzd_CB?`t7}?<fVP`oI*H<uQjW={JFY$EbGQ?6cq4n3n7mdV
z*Ov~5Iww3>AiAq$tD#)6a5pHW7+Nzn^$c3H*q$J}5c_gCQt?*o;Cl&Jw8@eqiy1HG
z6h|74)@<>nNwk#QDHS%lDz0e(`W?NgVGWgVr_+E|v$sTYidIc@s5p8W&QIPhzSUO>
z0NL^g7dom{YTu*rxe0Co;6%W@xY36Ddj|o`=V8~W{!)Wu+%G7$FPM;FJNaF}xXzm<
zz`f1i3mPcGM_s44@i7q}v{afJ-;<s?(yL&H^{I!5mAvNf;h>9nP|DK_6Otg!Y#R6R
z05{h<$spq0#pH=1)(jD&2%55vwlwM0cyog2p#)B4=B`4a0_ZG@Z+T|cACMGKYBOnA
zPrbsH=B>vA!_L`-Aj0tiDy~P`i+2f!w}fB54ka63Vs$I@tT%n}(x1B7#i6NgS2HcS
z#j;~_X-))->mh=p=Y!G<YVRFyylN<6v1iD8_TD-HYX<c`8bn_X4vmo-%-CpSZb{L>
zpn25>!pR9$?}c0D>r{KI(XWiCUEyB5=6mQOR#x$_nbb-V7sqZ1`dE0k4k7|tvd4-k
z(KzERl#ips+%Uvbe8zVWCjv-mC;s@&3nJjBH9WrOq_RBg${Nk2*KpHRF21|8FZ%81
zslZcBE8=+xD?3cS3LZEY?^Y`WCZsCj0*Luq_M{$y#si6sbBScrq`c!QHb0q32Ys=R
zG;hfGEy=M0Yt5m&Cjp|boyeNvhP?d5dS^H={C;l>K_a;3ftnLWB9<y6l-*KWE*#O{
zq+iZGY6y!0(s36GRHiXOF1oB9RPxu|9IIsw237&taIR=NeKB@8J<ouQ=Vkfg#^sgG
zHeATN8fMXswd+ZTK1kNy@I2ipaZfTZ#!rMi{zQo05=>uDV$zHCmnE?DN={(wNxM<Y
zJOXirbducO)u)_Enr!?c-fJ!|${T=5R3LGJo$@dzY+fsXd;RDd3gxB=#^uVO37QF8
z$rtlU33eWitrrNCokv{}oW#LBxa~U{rO0Z2B1Nu#%`)S-Y+LxU817}Zk<7{9H0DHD
z?=_E;mJ9c8WWx&pAU$%mTNvlOJF=Q30`K=gTVJy=kqHDNxSO?6xz!WaTaZm8tDS4m
zd=~nQAtGT!c+$_t-lJsiI>KLrGjXfEkj0di)CkoZ3(HU%dm^@nX6lg_C~&yTc1{pm
zKPH_!dToYBoaEw`%;~RXXpk&{I`i48w%_Sr5b-t9g4jj1n5z)Wt(Fq$?qo*J%@Kbu
z5EK{^Q~cP}=P@R@MpD|SznLJrLLzymB-=D%PR<&YniZ5W?Yc)2enJb(w;4`=VVDp7
zCEAmwS10n~dVy7?<6h%48Fm(?1@aB$agoId45v-vvr%1)eO7uB^=Lx_`UNsQ3qrM&
z^^9W9t=O(i0obRg+4S<XH2X^X6(_sY@~wcq8a!C=Tw<z&mafN$i08p|!?l`Er`mQ%
z-WVElO(c)tAxAcEN)A0LP@13>&Ba%a<Guw>@OWrYx#7l&tJl*3PNU0ORf5N|9yt26
z#R0m|?K&2*JcOQmq1=>D5`uVpwUFRN$uG9ep~odzSC~WS`9WnWfq7A|qdjISv2ig>
ze{E>V6O?)rIZ26o&3L3?3NY}lOGI`LM^Il8>v+7)YK13Qz#bOIvE(8*k{t3N6$T=9
z-bqTkDZ5GX=Htg;E?P28L6x|MH^41~j$$t-U;&+jc&t<wHbv9rVLs>8lnSpl;GB4?
z;_1b$+^2?O*`P)!QL!&$GbXt8idJeuX|6Meo%=v*O_uIaB0jhBSFMU(x|60bF9ydM
zpc%KR_~qkmTrj9!*lnBE*2CDBT4|SA_GTQ9(2*0pH=NrtS0_3%9e~go{Y2fcy>Hyi
zFViN6_^ER&LIL9_25d14Bb=Npn}WJn+)j&Yd_siY_aO__?t~1uDHCJkiU>$3Orlw5
z7y?t?Om5`3GI(haNqDRxBUeAj;sJaQmgF(+opi{11r}E+VQSnyhI-44E2@Z4`VfV%
zxBL7CwAxn?2f$ob%-nY(v89dV@c}x)yhUX1cmq2fhDb|gB|QWj`Ydb8i(-aHJz!xs
zFoG^#0g-UJpS&m7!n(>#Jkd19!hDaef>!d)JG?>>mf}TH>o6iIc!9y(UPh2Z!{+gf
zE}5^w$2>`!noK!sH``h?8kZ?a-b$H4lK`I^1k5g&BsRB8LsRte!<ueIx!61H;#*~P
z0M6}|BUs#Soq8`Pf}-jbba$vcoU7wp052)lY5?6oF_MB2#c7K~`;^o5!LtV{;=#k-
zcf_3Wyw8d4*vX>zh;6Q=`YtP?o)w-)<};FgGz8#&mp~Oe1+PL$*dQwofjnGB<f7Az
z#oi2nvcaYbvap6iTwH<^*5Tbazv;)>Is2?89CfLr?zw3f;(PQGwwO&0=Ppj#kS6Yi
zyUQb26zrD72<JcvEjV^hSvMrGk7|W-M$2YiDTMATx&mF*x9#=DjNhBg30CSskq4YT
zHRMYeigXkgQ94&7ok1$70IE|MPU7zU9^+l45hiC>i7MH%%qC6-d~8>l#t~~HyHXlM
z2v1gNfSaT(ygKpe8&RW-J_v%69FH1yk%(z@mgkdf0SE3|g9fD}6XK}!=G_HMS*S|y
zFadbvA$8ot(_yA`bWlFD+>VVF76ZUbpVqv}sU;*oavzU@)qC$$)$obbLoneTrE#2I
zlU_gcC?Q@QEfR`M!F96cHy3jfZMcetJsj|Ev8Ii#&`e6&gcEmo(~c12T9|f$(I@AL
z9-SikrWqn9YNL=y@pH4psh2hfiz2x=t_E4XO)PM{Z@0tA&qMgpp3*!;B(Kbqi9_Hn
z$q>s;(1wcgHZK@vw9siFftk%J^CT)gyjb;}r9lU2E8EvM!V8z9?_j)BEzM+_g*7iA
z^xjUrhg1BVX;kQ$D?WeI!J1GBn24^F^#<n#bt#PI`<%s}I-QczF`9jE_T>cf)d4Je
zmR9p23sTmzfkyL0_fllSwG(~RrCN`O)l7z5OJKuab5KszwQxmJ4>^%PB27%FhXRR0
z;zy(dl#70<+9pOL(tLxC{bIHIW|cNc4suT1rLQ4rob%ONo_WlnQ|7U%ga*B5Y~h($
z)x%=E3029!9%IV&&M9+RwUE6yp(o_AHa;71!{$R|bPY(EIl#x7&<@Ge2JowglTu9I
zB;%7BL`px7-A6kFdYLVzO;^ykPgD)Z(XO8mr@WJ5inF);c$Q3$TU5H!AA!xpp6R5N
zHE-F13))+H?qCgX0P(Jl$Xv*LET*68X-chD!E(mi-mTpFzZd!U|KI=o^Y8aRCpfy)

diff --git a/vendor/golang.org/x/crypto/sha3/xor.go b/vendor/golang.org/x/crypto/sha3/xor.go
deleted file mode 100644
index 46a0d63a..00000000
--- a/vendor/golang.org/x/crypto/sha3/xor.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !amd64,!386,!ppc64le appengine
-
-package sha3
-
-var (
-	xorIn            = xorInGeneric
-	copyOut          = copyOutGeneric
-	xorInUnaligned   = xorInGeneric
-	copyOutUnaligned = copyOutGeneric
-)
-
-const xorImplementationUnaligned = "generic"
diff --git a/vendor/golang.org/x/crypto/sha3/xor_generic.go b/vendor/golang.org/x/crypto/sha3/xor_generic.go
deleted file mode 100644
index fd35f02e..00000000
--- a/vendor/golang.org/x/crypto/sha3/xor_generic.go
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package sha3
-
-import "encoding/binary"
-
-// xorInGeneric xors the bytes in buf into the state; it
-// makes no non-portable assumptions about memory layout
-// or alignment.
-func xorInGeneric(d *state, buf []byte) {
-	n := len(buf) / 8
-
-	for i := 0; i < n; i++ {
-		a := binary.LittleEndian.Uint64(buf)
-		d.a[i] ^= a
-		buf = buf[8:]
-	}
-}
-
-// copyOutGeneric copies ulint64s to a byte buffer.
-func copyOutGeneric(d *state, b []byte) {
-	for i := 0; len(b) >= 8; i++ {
-		binary.LittleEndian.PutUint64(b, d.a[i])
-		b = b[8:]
-	}
-}
diff --git a/vendor/golang.org/x/crypto/sha3/xor_unaligned.go b/vendor/golang.org/x/crypto/sha3/xor_unaligned.go
deleted file mode 100644
index 929a486a..00000000
--- a/vendor/golang.org/x/crypto/sha3/xor_unaligned.go
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64 386 ppc64le
-// +build !appengine
-
-package sha3
-
-import "unsafe"
-
-func xorInUnaligned(d *state, buf []byte) {
-	bw := (*[maxRate / 8]uint64)(unsafe.Pointer(&buf[0]))
-	n := len(buf)
-	if n >= 72 {
-		d.a[0] ^= bw[0]
-		d.a[1] ^= bw[1]
-		d.a[2] ^= bw[2]
-		d.a[3] ^= bw[3]
-		d.a[4] ^= bw[4]
-		d.a[5] ^= bw[5]
-		d.a[6] ^= bw[6]
-		d.a[7] ^= bw[7]
-		d.a[8] ^= bw[8]
-	}
-	if n >= 104 {
-		d.a[9] ^= bw[9]
-		d.a[10] ^= bw[10]
-		d.a[11] ^= bw[11]
-		d.a[12] ^= bw[12]
-	}
-	if n >= 136 {
-		d.a[13] ^= bw[13]
-		d.a[14] ^= bw[14]
-		d.a[15] ^= bw[15]
-		d.a[16] ^= bw[16]
-	}
-	if n >= 144 {
-		d.a[17] ^= bw[17]
-	}
-	if n >= 168 {
-		d.a[18] ^= bw[18]
-		d.a[19] ^= bw[19]
-		d.a[20] ^= bw[20]
-	}
-}
-
-func copyOutUnaligned(d *state, buf []byte) {
-	ab := (*[maxRate]uint8)(unsafe.Pointer(&d.a[0]))
-	copy(buf, ab[:])
-}
-
-var (
-	xorIn   = xorInUnaligned
-	copyOut = copyOutUnaligned
-)
-
-const xorImplementationUnaligned = "unaligned"
diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
deleted file mode 100644
index acb5ad80..00000000
--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
+++ /dev/null
@@ -1,683 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package agent implements the ssh-agent protocol, and provides both
-// a client and a server. The client can talk to a standard ssh-agent
-// that uses UNIX sockets, and one could implement an alternative
-// ssh-agent process using the sample server.
-//
-// References:
-//  [PROTOCOL.agent]:    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.agent?rev=HEAD
-package agent // import "golang.org/x/crypto/ssh/agent"
-
-import (
-	"bytes"
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rsa"
-	"encoding/base64"
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"io"
-	"math/big"
-	"sync"
-
-	"golang.org/x/crypto/ed25519"
-	"golang.org/x/crypto/ssh"
-)
-
-// Agent represents the capabilities of an ssh-agent.
-type Agent interface {
-	// List returns the identities known to the agent.
-	List() ([]*Key, error)
-
-	// Sign has the agent sign the data using a protocol 2 key as defined
-	// in [PROTOCOL.agent] section 2.6.2.
-	Sign(key ssh.PublicKey, data []byte) (*ssh.Signature, error)
-
-	// Add adds a private key to the agent.
-	Add(key AddedKey) error
-
-	// Remove removes all identities with the given public key.
-	Remove(key ssh.PublicKey) error
-
-	// RemoveAll removes all identities.
-	RemoveAll() error
-
-	// Lock locks the agent. Sign and Remove will fail, and List will empty an empty list.
-	Lock(passphrase []byte) error
-
-	// Unlock undoes the effect of Lock
-	Unlock(passphrase []byte) error
-
-	// Signers returns signers for all the known keys.
-	Signers() ([]ssh.Signer, error)
-}
-
-// ConstraintExtension describes an optional constraint defined by users.
-type ConstraintExtension struct {
-	// ExtensionName consist of a UTF-8 string suffixed by the
-	// implementation domain following the naming scheme defined
-	// in Section 4.2 of [RFC4251], e.g.  "foo@example.com".
-	ExtensionName string
-	// ExtensionDetails contains the actual content of the extended
-	// constraint.
-	ExtensionDetails []byte
-}
-
-// AddedKey describes an SSH key to be added to an Agent.
-type AddedKey struct {
-	// PrivateKey must be a *rsa.PrivateKey, *dsa.PrivateKey or
-	// *ecdsa.PrivateKey, which will be inserted into the agent.
-	PrivateKey interface{}
-	// Certificate, if not nil, is communicated to the agent and will be
-	// stored with the key.
-	Certificate *ssh.Certificate
-	// Comment is an optional, free-form string.
-	Comment string
-	// LifetimeSecs, if not zero, is the number of seconds that the
-	// agent will store the key for.
-	LifetimeSecs uint32
-	// ConfirmBeforeUse, if true, requests that the agent confirm with the
-	// user before each use of this key.
-	ConfirmBeforeUse bool
-	// ConstraintExtensions are the experimental or private-use constraints
-	// defined by users.
-	ConstraintExtensions []ConstraintExtension
-}
-
-// See [PROTOCOL.agent], section 3.
-const (
-	agentRequestV1Identities   = 1
-	agentRemoveAllV1Identities = 9
-
-	// 3.2 Requests from client to agent for protocol 2 key operations
-	agentAddIdentity         = 17
-	agentRemoveIdentity      = 18
-	agentRemoveAllIdentities = 19
-	agentAddIDConstrained    = 25
-
-	// 3.3 Key-type independent requests from client to agent
-	agentAddSmartcardKey            = 20
-	agentRemoveSmartcardKey         = 21
-	agentLock                       = 22
-	agentUnlock                     = 23
-	agentAddSmartcardKeyConstrained = 26
-
-	// 3.7 Key constraint identifiers
-	agentConstrainLifetime  = 1
-	agentConstrainConfirm   = 2
-	agentConstrainExtension = 3
-)
-
-// maxAgentResponseBytes is the maximum agent reply size that is accepted. This
-// is a sanity check, not a limit in the spec.
-const maxAgentResponseBytes = 16 << 20
-
-// Agent messages:
-// These structures mirror the wire format of the corresponding ssh agent
-// messages found in [PROTOCOL.agent].
-
-// 3.4 Generic replies from agent to client
-const agentFailure = 5
-
-type failureAgentMsg struct{}
-
-const agentSuccess = 6
-
-type successAgentMsg struct{}
-
-// See [PROTOCOL.agent], section 2.5.2.
-const agentRequestIdentities = 11
-
-type requestIdentitiesAgentMsg struct{}
-
-// See [PROTOCOL.agent], section 2.5.2.
-const agentIdentitiesAnswer = 12
-
-type identitiesAnswerAgentMsg struct {
-	NumKeys uint32 `sshtype:"12"`
-	Keys    []byte `ssh:"rest"`
-}
-
-// See [PROTOCOL.agent], section 2.6.2.
-const agentSignRequest = 13
-
-type signRequestAgentMsg struct {
-	KeyBlob []byte `sshtype:"13"`
-	Data    []byte
-	Flags   uint32
-}
-
-// See [PROTOCOL.agent], section 2.6.2.
-
-// 3.6 Replies from agent to client for protocol 2 key operations
-const agentSignResponse = 14
-
-type signResponseAgentMsg struct {
-	SigBlob []byte `sshtype:"14"`
-}
-
-type publicKey struct {
-	Format string
-	Rest   []byte `ssh:"rest"`
-}
-
-// 3.7 Key constraint identifiers
-type constrainLifetimeAgentMsg struct {
-	LifetimeSecs uint32 `sshtype:"1"`
-}
-
-type constrainExtensionAgentMsg struct {
-	ExtensionName    string `sshtype:"3"`
-	ExtensionDetails []byte
-
-	// Rest is a field used for parsing, not part of message
-	Rest []byte `ssh:"rest"`
-}
-
-// Key represents a protocol 2 public key as defined in
-// [PROTOCOL.agent], section 2.5.2.
-type Key struct {
-	Format  string
-	Blob    []byte
-	Comment string
-}
-
-func clientErr(err error) error {
-	return fmt.Errorf("agent: client error: %v", err)
-}
-
-// String returns the storage form of an agent key with the format, base64
-// encoded serialized key, and the comment if it is not empty.
-func (k *Key) String() string {
-	s := string(k.Format) + " " + base64.StdEncoding.EncodeToString(k.Blob)
-
-	if k.Comment != "" {
-		s += " " + k.Comment
-	}
-
-	return s
-}
-
-// Type returns the public key type.
-func (k *Key) Type() string {
-	return k.Format
-}
-
-// Marshal returns key blob to satisfy the ssh.PublicKey interface.
-func (k *Key) Marshal() []byte {
-	return k.Blob
-}
-
-// Verify satisfies the ssh.PublicKey interface.
-func (k *Key) Verify(data []byte, sig *ssh.Signature) error {
-	pubKey, err := ssh.ParsePublicKey(k.Blob)
-	if err != nil {
-		return fmt.Errorf("agent: bad public key: %v", err)
-	}
-	return pubKey.Verify(data, sig)
-}
-
-type wireKey struct {
-	Format string
-	Rest   []byte `ssh:"rest"`
-}
-
-func parseKey(in []byte) (out *Key, rest []byte, err error) {
-	var record struct {
-		Blob    []byte
-		Comment string
-		Rest    []byte `ssh:"rest"`
-	}
-
-	if err := ssh.Unmarshal(in, &record); err != nil {
-		return nil, nil, err
-	}
-
-	var wk wireKey
-	if err := ssh.Unmarshal(record.Blob, &wk); err != nil {
-		return nil, nil, err
-	}
-
-	return &Key{
-		Format:  wk.Format,
-		Blob:    record.Blob,
-		Comment: record.Comment,
-	}, record.Rest, nil
-}
-
-// client is a client for an ssh-agent process.
-type client struct {
-	// conn is typically a *net.UnixConn
-	conn io.ReadWriter
-	// mu is used to prevent concurrent access to the agent
-	mu sync.Mutex
-}
-
-// NewClient returns an Agent that talks to an ssh-agent process over
-// the given connection.
-func NewClient(rw io.ReadWriter) Agent {
-	return &client{conn: rw}
-}
-
-// call sends an RPC to the agent. On success, the reply is
-// unmarshaled into reply and replyType is set to the first byte of
-// the reply, which contains the type of the message.
-func (c *client) call(req []byte) (reply interface{}, err error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	msg := make([]byte, 4+len(req))
-	binary.BigEndian.PutUint32(msg, uint32(len(req)))
-	copy(msg[4:], req)
-	if _, err = c.conn.Write(msg); err != nil {
-		return nil, clientErr(err)
-	}
-
-	var respSizeBuf [4]byte
-	if _, err = io.ReadFull(c.conn, respSizeBuf[:]); err != nil {
-		return nil, clientErr(err)
-	}
-	respSize := binary.BigEndian.Uint32(respSizeBuf[:])
-	if respSize > maxAgentResponseBytes {
-		return nil, clientErr(err)
-	}
-
-	buf := make([]byte, respSize)
-	if _, err = io.ReadFull(c.conn, buf); err != nil {
-		return nil, clientErr(err)
-	}
-	reply, err = unmarshal(buf)
-	if err != nil {
-		return nil, clientErr(err)
-	}
-	return reply, err
-}
-
-func (c *client) simpleCall(req []byte) error {
-	resp, err := c.call(req)
-	if err != nil {
-		return err
-	}
-	if _, ok := resp.(*successAgentMsg); ok {
-		return nil
-	}
-	return errors.New("agent: failure")
-}
-
-func (c *client) RemoveAll() error {
-	return c.simpleCall([]byte{agentRemoveAllIdentities})
-}
-
-func (c *client) Remove(key ssh.PublicKey) error {
-	req := ssh.Marshal(&agentRemoveIdentityMsg{
-		KeyBlob: key.Marshal(),
-	})
-	return c.simpleCall(req)
-}
-
-func (c *client) Lock(passphrase []byte) error {
-	req := ssh.Marshal(&agentLockMsg{
-		Passphrase: passphrase,
-	})
-	return c.simpleCall(req)
-}
-
-func (c *client) Unlock(passphrase []byte) error {
-	req := ssh.Marshal(&agentUnlockMsg{
-		Passphrase: passphrase,
-	})
-	return c.simpleCall(req)
-}
-
-// List returns the identities known to the agent.
-func (c *client) List() ([]*Key, error) {
-	// see [PROTOCOL.agent] section 2.5.2.
-	req := []byte{agentRequestIdentities}
-
-	msg, err := c.call(req)
-	if err != nil {
-		return nil, err
-	}
-
-	switch msg := msg.(type) {
-	case *identitiesAnswerAgentMsg:
-		if msg.NumKeys > maxAgentResponseBytes/8 {
-			return nil, errors.New("agent: too many keys in agent reply")
-		}
-		keys := make([]*Key, msg.NumKeys)
-		data := msg.Keys
-		for i := uint32(0); i < msg.NumKeys; i++ {
-			var key *Key
-			var err error
-			if key, data, err = parseKey(data); err != nil {
-				return nil, err
-			}
-			keys[i] = key
-		}
-		return keys, nil
-	case *failureAgentMsg:
-		return nil, errors.New("agent: failed to list keys")
-	}
-	panic("unreachable")
-}
-
-// Sign has the agent sign the data using a protocol 2 key as defined
-// in [PROTOCOL.agent] section 2.6.2.
-func (c *client) Sign(key ssh.PublicKey, data []byte) (*ssh.Signature, error) {
-	req := ssh.Marshal(signRequestAgentMsg{
-		KeyBlob: key.Marshal(),
-		Data:    data,
-	})
-
-	msg, err := c.call(req)
-	if err != nil {
-		return nil, err
-	}
-
-	switch msg := msg.(type) {
-	case *signResponseAgentMsg:
-		var sig ssh.Signature
-		if err := ssh.Unmarshal(msg.SigBlob, &sig); err != nil {
-			return nil, err
-		}
-
-		return &sig, nil
-	case *failureAgentMsg:
-		return nil, errors.New("agent: failed to sign challenge")
-	}
-	panic("unreachable")
-}
-
-// unmarshal parses an agent message in packet, returning the parsed
-// form and the message type of packet.
-func unmarshal(packet []byte) (interface{}, error) {
-	if len(packet) < 1 {
-		return nil, errors.New("agent: empty packet")
-	}
-	var msg interface{}
-	switch packet[0] {
-	case agentFailure:
-		return new(failureAgentMsg), nil
-	case agentSuccess:
-		return new(successAgentMsg), nil
-	case agentIdentitiesAnswer:
-		msg = new(identitiesAnswerAgentMsg)
-	case agentSignResponse:
-		msg = new(signResponseAgentMsg)
-	case agentV1IdentitiesAnswer:
-		msg = new(agentV1IdentityMsg)
-	default:
-		return nil, fmt.Errorf("agent: unknown type tag %d", packet[0])
-	}
-	if err := ssh.Unmarshal(packet, msg); err != nil {
-		return nil, err
-	}
-	return msg, nil
-}
-
-type rsaKeyMsg struct {
-	Type        string `sshtype:"17|25"`
-	N           *big.Int
-	E           *big.Int
-	D           *big.Int
-	Iqmp        *big.Int // IQMP = Inverse Q Mod P
-	P           *big.Int
-	Q           *big.Int
-	Comments    string
-	Constraints []byte `ssh:"rest"`
-}
-
-type dsaKeyMsg struct {
-	Type        string `sshtype:"17|25"`
-	P           *big.Int
-	Q           *big.Int
-	G           *big.Int
-	Y           *big.Int
-	X           *big.Int
-	Comments    string
-	Constraints []byte `ssh:"rest"`
-}
-
-type ecdsaKeyMsg struct {
-	Type        string `sshtype:"17|25"`
-	Curve       string
-	KeyBytes    []byte
-	D           *big.Int
-	Comments    string
-	Constraints []byte `ssh:"rest"`
-}
-
-type ed25519KeyMsg struct {
-	Type        string `sshtype:"17|25"`
-	Pub         []byte
-	Priv        []byte
-	Comments    string
-	Constraints []byte `ssh:"rest"`
-}
-
-// Insert adds a private key to the agent.
-func (c *client) insertKey(s interface{}, comment string, constraints []byte) error {
-	var req []byte
-	switch k := s.(type) {
-	case *rsa.PrivateKey:
-		if len(k.Primes) != 2 {
-			return fmt.Errorf("agent: unsupported RSA key with %d primes", len(k.Primes))
-		}
-		k.Precompute()
-		req = ssh.Marshal(rsaKeyMsg{
-			Type:        ssh.KeyAlgoRSA,
-			N:           k.N,
-			E:           big.NewInt(int64(k.E)),
-			D:           k.D,
-			Iqmp:        k.Precomputed.Qinv,
-			P:           k.Primes[0],
-			Q:           k.Primes[1],
-			Comments:    comment,
-			Constraints: constraints,
-		})
-	case *dsa.PrivateKey:
-		req = ssh.Marshal(dsaKeyMsg{
-			Type:        ssh.KeyAlgoDSA,
-			P:           k.P,
-			Q:           k.Q,
-			G:           k.G,
-			Y:           k.Y,
-			X:           k.X,
-			Comments:    comment,
-			Constraints: constraints,
-		})
-	case *ecdsa.PrivateKey:
-		nistID := fmt.Sprintf("nistp%d", k.Params().BitSize)
-		req = ssh.Marshal(ecdsaKeyMsg{
-			Type:        "ecdsa-sha2-" + nistID,
-			Curve:       nistID,
-			KeyBytes:    elliptic.Marshal(k.Curve, k.X, k.Y),
-			D:           k.D,
-			Comments:    comment,
-			Constraints: constraints,
-		})
-	case *ed25519.PrivateKey:
-		req = ssh.Marshal(ed25519KeyMsg{
-			Type:        ssh.KeyAlgoED25519,
-			Pub:         []byte(*k)[32:],
-			Priv:        []byte(*k),
-			Comments:    comment,
-			Constraints: constraints,
-		})
-	default:
-		return fmt.Errorf("agent: unsupported key type %T", s)
-	}
-
-	// if constraints are present then the message type needs to be changed.
-	if len(constraints) != 0 {
-		req[0] = agentAddIDConstrained
-	}
-
-	resp, err := c.call(req)
-	if err != nil {
-		return err
-	}
-	if _, ok := resp.(*successAgentMsg); ok {
-		return nil
-	}
-	return errors.New("agent: failure")
-}
-
-type rsaCertMsg struct {
-	Type        string `sshtype:"17|25"`
-	CertBytes   []byte
-	D           *big.Int
-	Iqmp        *big.Int // IQMP = Inverse Q Mod P
-	P           *big.Int
-	Q           *big.Int
-	Comments    string
-	Constraints []byte `ssh:"rest"`
-}
-
-type dsaCertMsg struct {
-	Type        string `sshtype:"17|25"`
-	CertBytes   []byte
-	X           *big.Int
-	Comments    string
-	Constraints []byte `ssh:"rest"`
-}
-
-type ecdsaCertMsg struct {
-	Type        string `sshtype:"17|25"`
-	CertBytes   []byte
-	D           *big.Int
-	Comments    string
-	Constraints []byte `ssh:"rest"`
-}
-
-type ed25519CertMsg struct {
-	Type        string `sshtype:"17|25"`
-	CertBytes   []byte
-	Pub         []byte
-	Priv        []byte
-	Comments    string
-	Constraints []byte `ssh:"rest"`
-}
-
-// Add adds a private key to the agent. If a certificate is given,
-// that certificate is added instead as public key.
-func (c *client) Add(key AddedKey) error {
-	var constraints []byte
-
-	if secs := key.LifetimeSecs; secs != 0 {
-		constraints = append(constraints, ssh.Marshal(constrainLifetimeAgentMsg{secs})...)
-	}
-
-	if key.ConfirmBeforeUse {
-		constraints = append(constraints, agentConstrainConfirm)
-	}
-
-	cert := key.Certificate
-	if cert == nil {
-		return c.insertKey(key.PrivateKey, key.Comment, constraints)
-	}
-	return c.insertCert(key.PrivateKey, cert, key.Comment, constraints)
-}
-
-func (c *client) insertCert(s interface{}, cert *ssh.Certificate, comment string, constraints []byte) error {
-	var req []byte
-	switch k := s.(type) {
-	case *rsa.PrivateKey:
-		if len(k.Primes) != 2 {
-			return fmt.Errorf("agent: unsupported RSA key with %d primes", len(k.Primes))
-		}
-		k.Precompute()
-		req = ssh.Marshal(rsaCertMsg{
-			Type:        cert.Type(),
-			CertBytes:   cert.Marshal(),
-			D:           k.D,
-			Iqmp:        k.Precomputed.Qinv,
-			P:           k.Primes[0],
-			Q:           k.Primes[1],
-			Comments:    comment,
-			Constraints: constraints,
-		})
-	case *dsa.PrivateKey:
-		req = ssh.Marshal(dsaCertMsg{
-			Type:        cert.Type(),
-			CertBytes:   cert.Marshal(),
-			X:           k.X,
-			Comments:    comment,
-			Constraints: constraints,
-		})
-	case *ecdsa.PrivateKey:
-		req = ssh.Marshal(ecdsaCertMsg{
-			Type:        cert.Type(),
-			CertBytes:   cert.Marshal(),
-			D:           k.D,
-			Comments:    comment,
-			Constraints: constraints,
-		})
-	case *ed25519.PrivateKey:
-		req = ssh.Marshal(ed25519CertMsg{
-			Type:        cert.Type(),
-			CertBytes:   cert.Marshal(),
-			Pub:         []byte(*k)[32:],
-			Priv:        []byte(*k),
-			Comments:    comment,
-			Constraints: constraints,
-		})
-	default:
-		return fmt.Errorf("agent: unsupported key type %T", s)
-	}
-
-	// if constraints are present then the message type needs to be changed.
-	if len(constraints) != 0 {
-		req[0] = agentAddIDConstrained
-	}
-
-	signer, err := ssh.NewSignerFromKey(s)
-	if err != nil {
-		return err
-	}
-	if bytes.Compare(cert.Key.Marshal(), signer.PublicKey().Marshal()) != 0 {
-		return errors.New("agent: signer and cert have different public key")
-	}
-
-	resp, err := c.call(req)
-	if err != nil {
-		return err
-	}
-	if _, ok := resp.(*successAgentMsg); ok {
-		return nil
-	}
-	return errors.New("agent: failure")
-}
-
-// Signers provides a callback for client authentication.
-func (c *client) Signers() ([]ssh.Signer, error) {
-	keys, err := c.List()
-	if err != nil {
-		return nil, err
-	}
-
-	var result []ssh.Signer
-	for _, k := range keys {
-		result = append(result, &agentKeyringSigner{c, k})
-	}
-	return result, nil
-}
-
-type agentKeyringSigner struct {
-	agent *client
-	pub   ssh.PublicKey
-}
-
-func (s *agentKeyringSigner) PublicKey() ssh.PublicKey {
-	return s.pub
-}
-
-func (s *agentKeyringSigner) Sign(rand io.Reader, data []byte) (*ssh.Signature, error) {
-	// The agent has its own entropy source, so the rand argument is ignored.
-	return s.agent.Sign(s.pub, data)
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/client_test.go b/vendor/golang.org/x/crypto/ssh/agent/client_test.go
deleted file mode 100644
index 266fd6d4..00000000
--- a/vendor/golang.org/x/crypto/ssh/agent/client_test.go
+++ /dev/null
@@ -1,379 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package agent
-
-import (
-	"bytes"
-	"crypto/rand"
-	"errors"
-	"net"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strconv"
-	"testing"
-	"time"
-
-	"golang.org/x/crypto/ssh"
-)
-
-// startOpenSSHAgent executes ssh-agent, and returns an Agent interface to it.
-func startOpenSSHAgent(t *testing.T) (client Agent, socket string, cleanup func()) {
-	if testing.Short() {
-		// ssh-agent is not always available, and the key
-		// types supported vary by platform.
-		t.Skip("skipping test due to -short")
-	}
-
-	bin, err := exec.LookPath("ssh-agent")
-	if err != nil {
-		t.Skip("could not find ssh-agent")
-	}
-
-	cmd := exec.Command(bin, "-s")
-	out, err := cmd.Output()
-	if err != nil {
-		t.Fatalf("cmd.Output: %v", err)
-	}
-
-	/* Output looks like:
-
-		   SSH_AUTH_SOCK=/tmp/ssh-P65gpcqArqvH/agent.15541; export SSH_AUTH_SOCK;
-	           SSH_AGENT_PID=15542; export SSH_AGENT_PID;
-	           echo Agent pid 15542;
-	*/
-	fields := bytes.Split(out, []byte(";"))
-	line := bytes.SplitN(fields[0], []byte("="), 2)
-	line[0] = bytes.TrimLeft(line[0], "\n")
-	if string(line[0]) != "SSH_AUTH_SOCK" {
-		t.Fatalf("could not find key SSH_AUTH_SOCK in %q", fields[0])
-	}
-	socket = string(line[1])
-
-	line = bytes.SplitN(fields[2], []byte("="), 2)
-	line[0] = bytes.TrimLeft(line[0], "\n")
-	if string(line[0]) != "SSH_AGENT_PID" {
-		t.Fatalf("could not find key SSH_AGENT_PID in %q", fields[2])
-	}
-	pidStr := line[1]
-	pid, err := strconv.Atoi(string(pidStr))
-	if err != nil {
-		t.Fatalf("Atoi(%q): %v", pidStr, err)
-	}
-
-	conn, err := net.Dial("unix", string(socket))
-	if err != nil {
-		t.Fatalf("net.Dial: %v", err)
-	}
-
-	ac := NewClient(conn)
-	return ac, socket, func() {
-		proc, _ := os.FindProcess(pid)
-		if proc != nil {
-			proc.Kill()
-		}
-		conn.Close()
-		os.RemoveAll(filepath.Dir(socket))
-	}
-}
-
-// startKeyringAgent uses Keyring to simulate a ssh-agent Server and returns a client.
-func startKeyringAgent(t *testing.T) (client Agent, cleanup func()) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	go ServeAgent(NewKeyring(), c2)
-
-	return NewClient(c1), func() {
-		c1.Close()
-		c2.Close()
-	}
-}
-
-func testOpenSSHAgent(t *testing.T, key interface{}, cert *ssh.Certificate, lifetimeSecs uint32) {
-	agent, _, cleanup := startOpenSSHAgent(t)
-	defer cleanup()
-
-	testAgentInterface(t, agent, key, cert, lifetimeSecs)
-}
-
-func testKeyringAgent(t *testing.T, key interface{}, cert *ssh.Certificate, lifetimeSecs uint32) {
-	agent, cleanup := startKeyringAgent(t)
-	defer cleanup()
-
-	testAgentInterface(t, agent, key, cert, lifetimeSecs)
-}
-
-func testAgentInterface(t *testing.T, agent Agent, key interface{}, cert *ssh.Certificate, lifetimeSecs uint32) {
-	signer, err := ssh.NewSignerFromKey(key)
-	if err != nil {
-		t.Fatalf("NewSignerFromKey(%T): %v", key, err)
-	}
-	// The agent should start up empty.
-	if keys, err := agent.List(); err != nil {
-		t.Fatalf("RequestIdentities: %v", err)
-	} else if len(keys) > 0 {
-		t.Fatalf("got %d keys, want 0: %v", len(keys), keys)
-	}
-
-	// Attempt to insert the key, with certificate if specified.
-	var pubKey ssh.PublicKey
-	if cert != nil {
-		err = agent.Add(AddedKey{
-			PrivateKey:   key,
-			Certificate:  cert,
-			Comment:      "comment",
-			LifetimeSecs: lifetimeSecs,
-		})
-		pubKey = cert
-	} else {
-		err = agent.Add(AddedKey{PrivateKey: key, Comment: "comment", LifetimeSecs: lifetimeSecs})
-		pubKey = signer.PublicKey()
-	}
-	if err != nil {
-		t.Fatalf("insert(%T): %v", key, err)
-	}
-
-	// Did the key get inserted successfully?
-	if keys, err := agent.List(); err != nil {
-		t.Fatalf("List: %v", err)
-	} else if len(keys) != 1 {
-		t.Fatalf("got %v, want 1 key", keys)
-	} else if keys[0].Comment != "comment" {
-		t.Fatalf("key comment: got %v, want %v", keys[0].Comment, "comment")
-	} else if !bytes.Equal(keys[0].Blob, pubKey.Marshal()) {
-		t.Fatalf("key mismatch")
-	}
-
-	// Can the agent make a valid signature?
-	data := []byte("hello")
-	sig, err := agent.Sign(pubKey, data)
-	if err != nil {
-		t.Fatalf("Sign(%s): %v", pubKey.Type(), err)
-	}
-
-	if err := pubKey.Verify(data, sig); err != nil {
-		t.Fatalf("Verify(%s): %v", pubKey.Type(), err)
-	}
-
-	// If the key has a lifetime, is it removed when it should be?
-	if lifetimeSecs > 0 {
-		time.Sleep(time.Second*time.Duration(lifetimeSecs) + 100*time.Millisecond)
-		keys, err := agent.List()
-		if err != nil {
-			t.Fatalf("List: %v", err)
-		}
-		if len(keys) > 0 {
-			t.Fatalf("key not expired")
-		}
-	}
-
-}
-
-func TestAgent(t *testing.T) {
-	for _, keyType := range []string{"rsa", "dsa", "ecdsa", "ed25519"} {
-		testOpenSSHAgent(t, testPrivateKeys[keyType], nil, 0)
-		testKeyringAgent(t, testPrivateKeys[keyType], nil, 0)
-	}
-}
-
-func TestCert(t *testing.T) {
-	cert := &ssh.Certificate{
-		Key:         testPublicKeys["rsa"],
-		ValidBefore: ssh.CertTimeInfinity,
-		CertType:    ssh.UserCert,
-	}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-
-	testOpenSSHAgent(t, testPrivateKeys["rsa"], cert, 0)
-	testKeyringAgent(t, testPrivateKeys["rsa"], cert, 0)
-}
-
-// netPipe is analogous to net.Pipe, but it uses a real net.Conn, and
-// therefore is buffered (net.Pipe deadlocks if both sides start with
-// a write.)
-func netPipe() (net.Conn, net.Conn, error) {
-	listener, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		listener, err = net.Listen("tcp", "[::1]:0")
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-	defer listener.Close()
-	c1, err := net.Dial("tcp", listener.Addr().String())
-	if err != nil {
-		return nil, nil, err
-	}
-
-	c2, err := listener.Accept()
-	if err != nil {
-		c1.Close()
-		return nil, nil, err
-	}
-
-	return c1, c2, nil
-}
-
-func TestAuth(t *testing.T) {
-	agent, _, cleanup := startOpenSSHAgent(t)
-	defer cleanup()
-
-	a, b, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-
-	defer a.Close()
-	defer b.Close()
-
-	if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["rsa"], Comment: "comment"}); err != nil {
-		t.Errorf("Add: %v", err)
-	}
-
-	serverConf := ssh.ServerConfig{}
-	serverConf.AddHostKey(testSigners["rsa"])
-	serverConf.PublicKeyCallback = func(c ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
-		if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
-			return nil, nil
-		}
-
-		return nil, errors.New("pubkey rejected")
-	}
-
-	go func() {
-		conn, _, _, err := ssh.NewServerConn(a, &serverConf)
-		if err != nil {
-			t.Fatalf("Server: %v", err)
-		}
-		conn.Close()
-	}()
-
-	conf := ssh.ClientConfig{
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-	}
-	conf.Auth = append(conf.Auth, ssh.PublicKeysCallback(agent.Signers))
-	conn, _, _, err := ssh.NewClientConn(b, "", &conf)
-	if err != nil {
-		t.Fatalf("NewClientConn: %v", err)
-	}
-	conn.Close()
-}
-
-func TestLockOpenSSHAgent(t *testing.T) {
-	agent, _, cleanup := startOpenSSHAgent(t)
-	defer cleanup()
-	testLockAgent(agent, t)
-}
-
-func TestLockKeyringAgent(t *testing.T) {
-	agent, cleanup := startKeyringAgent(t)
-	defer cleanup()
-	testLockAgent(agent, t)
-}
-
-func testLockAgent(agent Agent, t *testing.T) {
-	if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["rsa"], Comment: "comment 1"}); err != nil {
-		t.Errorf("Add: %v", err)
-	}
-	if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["dsa"], Comment: "comment dsa"}); err != nil {
-		t.Errorf("Add: %v", err)
-	}
-	if keys, err := agent.List(); err != nil {
-		t.Errorf("List: %v", err)
-	} else if len(keys) != 2 {
-		t.Errorf("Want 2 keys, got %v", keys)
-	}
-
-	passphrase := []byte("secret")
-	if err := agent.Lock(passphrase); err != nil {
-		t.Errorf("Lock: %v", err)
-	}
-
-	if keys, err := agent.List(); err != nil {
-		t.Errorf("List: %v", err)
-	} else if len(keys) != 0 {
-		t.Errorf("Want 0 keys, got %v", keys)
-	}
-
-	signer, _ := ssh.NewSignerFromKey(testPrivateKeys["rsa"])
-	if _, err := agent.Sign(signer.PublicKey(), []byte("hello")); err == nil {
-		t.Fatalf("Sign did not fail")
-	}
-
-	if err := agent.Remove(signer.PublicKey()); err == nil {
-		t.Fatalf("Remove did not fail")
-	}
-
-	if err := agent.RemoveAll(); err == nil {
-		t.Fatalf("RemoveAll did not fail")
-	}
-
-	if err := agent.Unlock(nil); err == nil {
-		t.Errorf("Unlock with wrong passphrase succeeded")
-	}
-	if err := agent.Unlock(passphrase); err != nil {
-		t.Errorf("Unlock: %v", err)
-	}
-
-	if err := agent.Remove(signer.PublicKey()); err != nil {
-		t.Fatalf("Remove: %v", err)
-	}
-
-	if keys, err := agent.List(); err != nil {
-		t.Errorf("List: %v", err)
-	} else if len(keys) != 1 {
-		t.Errorf("Want 1 keys, got %v", keys)
-	}
-}
-
-func testOpenSSHAgentLifetime(t *testing.T) {
-	agent, _, cleanup := startOpenSSHAgent(t)
-	defer cleanup()
-	testAgentLifetime(t, agent)
-}
-
-func testKeyringAgentLifetime(t *testing.T) {
-	agent, cleanup := startKeyringAgent(t)
-	defer cleanup()
-	testAgentLifetime(t, agent)
-}
-
-func testAgentLifetime(t *testing.T, agent Agent) {
-	for _, keyType := range []string{"rsa", "dsa", "ecdsa"} {
-		// Add private keys to the agent.
-		err := agent.Add(AddedKey{
-			PrivateKey:   testPrivateKeys[keyType],
-			Comment:      "comment",
-			LifetimeSecs: 1,
-		})
-		if err != nil {
-			t.Fatalf("add: %v", err)
-		}
-		// Add certs to the agent.
-		cert := &ssh.Certificate{
-			Key:         testPublicKeys[keyType],
-			ValidBefore: ssh.CertTimeInfinity,
-			CertType:    ssh.UserCert,
-		}
-		cert.SignCert(rand.Reader, testSigners[keyType])
-		err = agent.Add(AddedKey{
-			PrivateKey:   testPrivateKeys[keyType],
-			Certificate:  cert,
-			Comment:      "comment",
-			LifetimeSecs: 1,
-		})
-		if err != nil {
-			t.Fatalf("add: %v", err)
-		}
-	}
-	time.Sleep(1100 * time.Millisecond)
-	if keys, err := agent.List(); err != nil {
-		t.Errorf("List: %v", err)
-	} else if len(keys) != 0 {
-		t.Errorf("Want 0 keys, got %v", len(keys))
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/example_test.go b/vendor/golang.org/x/crypto/ssh/agent/example_test.go
deleted file mode 100644
index 85562253..00000000
--- a/vendor/golang.org/x/crypto/ssh/agent/example_test.go
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package agent_test
-
-import (
-	"log"
-	"net"
-	"os"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/agent"
-)
-
-func ExampleClientAgent() {
-	// ssh-agent has a UNIX socket under $SSH_AUTH_SOCK
-	socket := os.Getenv("SSH_AUTH_SOCK")
-	conn, err := net.Dial("unix", socket)
-	if err != nil {
-		log.Fatalf("net.Dial: %v", err)
-	}
-	agentClient := agent.NewClient(conn)
-	config := &ssh.ClientConfig{
-		User: "username",
-		Auth: []ssh.AuthMethod{
-			// Use a callback rather than PublicKeys
-			// so we only consult the agent once the remote server
-			// wants it.
-			ssh.PublicKeysCallback(agentClient.Signers),
-		},
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-	}
-
-	sshc, err := ssh.Dial("tcp", "localhost:22", config)
-	if err != nil {
-		log.Fatalf("Dial: %v", err)
-	}
-	// .. use sshc
-	sshc.Close()
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/forward.go b/vendor/golang.org/x/crypto/ssh/agent/forward.go
deleted file mode 100644
index fd24ba90..00000000
--- a/vendor/golang.org/x/crypto/ssh/agent/forward.go
+++ /dev/null
@@ -1,103 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package agent
-
-import (
-	"errors"
-	"io"
-	"net"
-	"sync"
-
-	"golang.org/x/crypto/ssh"
-)
-
-// RequestAgentForwarding sets up agent forwarding for the session.
-// ForwardToAgent or ForwardToRemote should be called to route
-// the authentication requests.
-func RequestAgentForwarding(session *ssh.Session) error {
-	ok, err := session.SendRequest("auth-agent-req@openssh.com", true, nil)
-	if err != nil {
-		return err
-	}
-	if !ok {
-		return errors.New("forwarding request denied")
-	}
-	return nil
-}
-
-// ForwardToAgent routes authentication requests to the given keyring.
-func ForwardToAgent(client *ssh.Client, keyring Agent) error {
-	channels := client.HandleChannelOpen(channelType)
-	if channels == nil {
-		return errors.New("agent: already have handler for " + channelType)
-	}
-
-	go func() {
-		for ch := range channels {
-			channel, reqs, err := ch.Accept()
-			if err != nil {
-				continue
-			}
-			go ssh.DiscardRequests(reqs)
-			go func() {
-				ServeAgent(keyring, channel)
-				channel.Close()
-			}()
-		}
-	}()
-	return nil
-}
-
-const channelType = "auth-agent@openssh.com"
-
-// ForwardToRemote routes authentication requests to the ssh-agent
-// process serving on the given unix socket.
-func ForwardToRemote(client *ssh.Client, addr string) error {
-	channels := client.HandleChannelOpen(channelType)
-	if channels == nil {
-		return errors.New("agent: already have handler for " + channelType)
-	}
-	conn, err := net.Dial("unix", addr)
-	if err != nil {
-		return err
-	}
-	conn.Close()
-
-	go func() {
-		for ch := range channels {
-			channel, reqs, err := ch.Accept()
-			if err != nil {
-				continue
-			}
-			go ssh.DiscardRequests(reqs)
-			go forwardUnixSocket(channel, addr)
-		}
-	}()
-	return nil
-}
-
-func forwardUnixSocket(channel ssh.Channel, addr string) {
-	conn, err := net.Dial("unix", addr)
-	if err != nil {
-		return
-	}
-
-	var wg sync.WaitGroup
-	wg.Add(2)
-	go func() {
-		io.Copy(conn, channel)
-		conn.(*net.UnixConn).CloseWrite()
-		wg.Done()
-	}()
-	go func() {
-		io.Copy(channel, conn)
-		channel.CloseWrite()
-		wg.Done()
-	}()
-
-	wg.Wait()
-	conn.Close()
-	channel.Close()
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/keyring.go b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
deleted file mode 100644
index a6ba06ab..00000000
--- a/vendor/golang.org/x/crypto/ssh/agent/keyring.go
+++ /dev/null
@@ -1,215 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package agent
-
-import (
-	"bytes"
-	"crypto/rand"
-	"crypto/subtle"
-	"errors"
-	"fmt"
-	"sync"
-	"time"
-
-	"golang.org/x/crypto/ssh"
-)
-
-type privKey struct {
-	signer  ssh.Signer
-	comment string
-	expire  *time.Time
-}
-
-type keyring struct {
-	mu   sync.Mutex
-	keys []privKey
-
-	locked     bool
-	passphrase []byte
-}
-
-var errLocked = errors.New("agent: locked")
-
-// NewKeyring returns an Agent that holds keys in memory.  It is safe
-// for concurrent use by multiple goroutines.
-func NewKeyring() Agent {
-	return &keyring{}
-}
-
-// RemoveAll removes all identities.
-func (r *keyring) RemoveAll() error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if r.locked {
-		return errLocked
-	}
-
-	r.keys = nil
-	return nil
-}
-
-// removeLocked does the actual key removal. The caller must already be holding the
-// keyring mutex.
-func (r *keyring) removeLocked(want []byte) error {
-	found := false
-	for i := 0; i < len(r.keys); {
-		if bytes.Equal(r.keys[i].signer.PublicKey().Marshal(), want) {
-			found = true
-			r.keys[i] = r.keys[len(r.keys)-1]
-			r.keys = r.keys[:len(r.keys)-1]
-			continue
-		} else {
-			i++
-		}
-	}
-
-	if !found {
-		return errors.New("agent: key not found")
-	}
-	return nil
-}
-
-// Remove removes all identities with the given public key.
-func (r *keyring) Remove(key ssh.PublicKey) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if r.locked {
-		return errLocked
-	}
-
-	return r.removeLocked(key.Marshal())
-}
-
-// Lock locks the agent. Sign and Remove will fail, and List will return an empty list.
-func (r *keyring) Lock(passphrase []byte) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if r.locked {
-		return errLocked
-	}
-
-	r.locked = true
-	r.passphrase = passphrase
-	return nil
-}
-
-// Unlock undoes the effect of Lock
-func (r *keyring) Unlock(passphrase []byte) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if !r.locked {
-		return errors.New("agent: not locked")
-	}
-	if len(passphrase) != len(r.passphrase) || 1 != subtle.ConstantTimeCompare(passphrase, r.passphrase) {
-		return fmt.Errorf("agent: incorrect passphrase")
-	}
-
-	r.locked = false
-	r.passphrase = nil
-	return nil
-}
-
-// expireKeysLocked removes expired keys from the keyring. If a key was added
-// with a lifetimesecs contraint and seconds >= lifetimesecs seconds have
-// ellapsed, it is removed. The caller *must* be holding the keyring mutex.
-func (r *keyring) expireKeysLocked() {
-	for _, k := range r.keys {
-		if k.expire != nil && time.Now().After(*k.expire) {
-			r.removeLocked(k.signer.PublicKey().Marshal())
-		}
-	}
-}
-
-// List returns the identities known to the agent.
-func (r *keyring) List() ([]*Key, error) {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if r.locked {
-		// section 2.7: locked agents return empty.
-		return nil, nil
-	}
-
-	r.expireKeysLocked()
-	var ids []*Key
-	for _, k := range r.keys {
-		pub := k.signer.PublicKey()
-		ids = append(ids, &Key{
-			Format:  pub.Type(),
-			Blob:    pub.Marshal(),
-			Comment: k.comment})
-	}
-	return ids, nil
-}
-
-// Insert adds a private key to the keyring. If a certificate
-// is given, that certificate is added as public key. Note that
-// any constraints given are ignored.
-func (r *keyring) Add(key AddedKey) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if r.locked {
-		return errLocked
-	}
-	signer, err := ssh.NewSignerFromKey(key.PrivateKey)
-
-	if err != nil {
-		return err
-	}
-
-	if cert := key.Certificate; cert != nil {
-		signer, err = ssh.NewCertSigner(cert, signer)
-		if err != nil {
-			return err
-		}
-	}
-
-	p := privKey{
-		signer:  signer,
-		comment: key.Comment,
-	}
-
-	if key.LifetimeSecs > 0 {
-		t := time.Now().Add(time.Duration(key.LifetimeSecs) * time.Second)
-		p.expire = &t
-	}
-
-	r.keys = append(r.keys, p)
-
-	return nil
-}
-
-// Sign returns a signature for the data.
-func (r *keyring) Sign(key ssh.PublicKey, data []byte) (*ssh.Signature, error) {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if r.locked {
-		return nil, errLocked
-	}
-
-	r.expireKeysLocked()
-	wanted := key.Marshal()
-	for _, k := range r.keys {
-		if bytes.Equal(k.signer.PublicKey().Marshal(), wanted) {
-			return k.signer.Sign(rand.Reader, data)
-		}
-	}
-	return nil, errors.New("not found")
-}
-
-// Signers returns signers for all the known keys.
-func (r *keyring) Signers() ([]ssh.Signer, error) {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if r.locked {
-		return nil, errLocked
-	}
-
-	r.expireKeysLocked()
-	s := make([]ssh.Signer, 0, len(r.keys))
-	for _, k := range r.keys {
-		s = append(s, k.signer)
-	}
-	return s, nil
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/keyring_test.go b/vendor/golang.org/x/crypto/ssh/agent/keyring_test.go
deleted file mode 100644
index e5d50e7e..00000000
--- a/vendor/golang.org/x/crypto/ssh/agent/keyring_test.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package agent
-
-import "testing"
-
-func addTestKey(t *testing.T, a Agent, keyName string) {
-	err := a.Add(AddedKey{
-		PrivateKey: testPrivateKeys[keyName],
-		Comment:    keyName,
-	})
-	if err != nil {
-		t.Fatalf("failed to add key %q: %v", keyName, err)
-	}
-}
-
-func removeTestKey(t *testing.T, a Agent, keyName string) {
-	err := a.Remove(testPublicKeys[keyName])
-	if err != nil {
-		t.Fatalf("failed to remove key %q: %v", keyName, err)
-	}
-}
-
-func validateListedKeys(t *testing.T, a Agent, expectedKeys []string) {
-	listedKeys, err := a.List()
-	if err != nil {
-		t.Fatalf("failed to list keys: %v", err)
-		return
-	}
-	actualKeys := make(map[string]bool)
-	for _, key := range listedKeys {
-		actualKeys[key.Comment] = true
-	}
-
-	matchedKeys := make(map[string]bool)
-	for _, expectedKey := range expectedKeys {
-		if !actualKeys[expectedKey] {
-			t.Fatalf("expected key %q, but was not found", expectedKey)
-		} else {
-			matchedKeys[expectedKey] = true
-		}
-	}
-
-	for actualKey := range actualKeys {
-		if !matchedKeys[actualKey] {
-			t.Fatalf("key %q was found, but was not expected", actualKey)
-		}
-	}
-}
-
-func TestKeyringAddingAndRemoving(t *testing.T) {
-	keyNames := []string{"dsa", "ecdsa", "rsa", "user"}
-
-	// add all test private keys
-	k := NewKeyring()
-	for _, keyName := range keyNames {
-		addTestKey(t, k, keyName)
-	}
-	validateListedKeys(t, k, keyNames)
-
-	// remove a key in the middle
-	keyToRemove := keyNames[1]
-	keyNames = append(keyNames[:1], keyNames[2:]...)
-
-	removeTestKey(t, k, keyToRemove)
-	validateListedKeys(t, k, keyNames)
-
-	// remove all keys
-	err := k.RemoveAll()
-	if err != nil {
-		t.Fatalf("failed to remove all keys: %v", err)
-	}
-	validateListedKeys(t, k, []string{})
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go
deleted file mode 100644
index 2e4692cb..00000000
--- a/vendor/golang.org/x/crypto/ssh/agent/server.go
+++ /dev/null
@@ -1,523 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package agent
-
-import (
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rsa"
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"math/big"
-
-	"golang.org/x/crypto/ed25519"
-	"golang.org/x/crypto/ssh"
-)
-
-// Server wraps an Agent and uses it to implement the agent side of
-// the SSH-agent, wire protocol.
-type server struct {
-	agent Agent
-}
-
-func (s *server) processRequestBytes(reqData []byte) []byte {
-	rep, err := s.processRequest(reqData)
-	if err != nil {
-		if err != errLocked {
-			// TODO(hanwen): provide better logging interface?
-			log.Printf("agent %d: %v", reqData[0], err)
-		}
-		return []byte{agentFailure}
-	}
-
-	if err == nil && rep == nil {
-		return []byte{agentSuccess}
-	}
-
-	return ssh.Marshal(rep)
-}
-
-func marshalKey(k *Key) []byte {
-	var record struct {
-		Blob    []byte
-		Comment string
-	}
-	record.Blob = k.Marshal()
-	record.Comment = k.Comment
-
-	return ssh.Marshal(&record)
-}
-
-// See [PROTOCOL.agent], section 2.5.1.
-const agentV1IdentitiesAnswer = 2
-
-type agentV1IdentityMsg struct {
-	Numkeys uint32 `sshtype:"2"`
-}
-
-type agentRemoveIdentityMsg struct {
-	KeyBlob []byte `sshtype:"18"`
-}
-
-type agentLockMsg struct {
-	Passphrase []byte `sshtype:"22"`
-}
-
-type agentUnlockMsg struct {
-	Passphrase []byte `sshtype:"23"`
-}
-
-func (s *server) processRequest(data []byte) (interface{}, error) {
-	switch data[0] {
-	case agentRequestV1Identities:
-		return &agentV1IdentityMsg{0}, nil
-
-	case agentRemoveAllV1Identities:
-		return nil, nil
-
-	case agentRemoveIdentity:
-		var req agentRemoveIdentityMsg
-		if err := ssh.Unmarshal(data, &req); err != nil {
-			return nil, err
-		}
-
-		var wk wireKey
-		if err := ssh.Unmarshal(req.KeyBlob, &wk); err != nil {
-			return nil, err
-		}
-
-		return nil, s.agent.Remove(&Key{Format: wk.Format, Blob: req.KeyBlob})
-
-	case agentRemoveAllIdentities:
-		return nil, s.agent.RemoveAll()
-
-	case agentLock:
-		var req agentLockMsg
-		if err := ssh.Unmarshal(data, &req); err != nil {
-			return nil, err
-		}
-
-		return nil, s.agent.Lock(req.Passphrase)
-
-	case agentUnlock:
-		var req agentUnlockMsg
-		if err := ssh.Unmarshal(data, &req); err != nil {
-			return nil, err
-		}
-		return nil, s.agent.Unlock(req.Passphrase)
-
-	case agentSignRequest:
-		var req signRequestAgentMsg
-		if err := ssh.Unmarshal(data, &req); err != nil {
-			return nil, err
-		}
-
-		var wk wireKey
-		if err := ssh.Unmarshal(req.KeyBlob, &wk); err != nil {
-			return nil, err
-		}
-
-		k := &Key{
-			Format: wk.Format,
-			Blob:   req.KeyBlob,
-		}
-
-		sig, err := s.agent.Sign(k, req.Data) //  TODO(hanwen): flags.
-		if err != nil {
-			return nil, err
-		}
-		return &signResponseAgentMsg{SigBlob: ssh.Marshal(sig)}, nil
-
-	case agentRequestIdentities:
-		keys, err := s.agent.List()
-		if err != nil {
-			return nil, err
-		}
-
-		rep := identitiesAnswerAgentMsg{
-			NumKeys: uint32(len(keys)),
-		}
-		for _, k := range keys {
-			rep.Keys = append(rep.Keys, marshalKey(k)...)
-		}
-		return rep, nil
-
-	case agentAddIDConstrained, agentAddIdentity:
-		return nil, s.insertIdentity(data)
-	}
-
-	return nil, fmt.Errorf("unknown opcode %d", data[0])
-}
-
-func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse bool, extensions []ConstraintExtension, err error) {
-	for len(constraints) != 0 {
-		switch constraints[0] {
-		case agentConstrainLifetime:
-			lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
-			constraints = constraints[5:]
-		case agentConstrainConfirm:
-			confirmBeforeUse = true
-			constraints = constraints[1:]
-		case agentConstrainExtension:
-			var msg constrainExtensionAgentMsg
-			if err = ssh.Unmarshal(constraints, &msg); err != nil {
-				return 0, false, nil, err
-			}
-			extensions = append(extensions, ConstraintExtension{
-				ExtensionName:    msg.ExtensionName,
-				ExtensionDetails: msg.ExtensionDetails,
-			})
-			constraints = msg.Rest
-		default:
-			return 0, false, nil, fmt.Errorf("unknown constraint type: %d", constraints[0])
-		}
-	}
-	return
-}
-
-func setConstraints(key *AddedKey, constraintBytes []byte) error {
-	lifetimeSecs, confirmBeforeUse, constraintExtensions, err := parseConstraints(constraintBytes)
-	if err != nil {
-		return err
-	}
-
-	key.LifetimeSecs = lifetimeSecs
-	key.ConfirmBeforeUse = confirmBeforeUse
-	key.ConstraintExtensions = constraintExtensions
-	return nil
-}
-
-func parseRSAKey(req []byte) (*AddedKey, error) {
-	var k rsaKeyMsg
-	if err := ssh.Unmarshal(req, &k); err != nil {
-		return nil, err
-	}
-	if k.E.BitLen() > 30 {
-		return nil, errors.New("agent: RSA public exponent too large")
-	}
-	priv := &rsa.PrivateKey{
-		PublicKey: rsa.PublicKey{
-			E: int(k.E.Int64()),
-			N: k.N,
-		},
-		D:      k.D,
-		Primes: []*big.Int{k.P, k.Q},
-	}
-	priv.Precompute()
-
-	addedKey := &AddedKey{PrivateKey: priv, Comment: k.Comments}
-	if err := setConstraints(addedKey, k.Constraints); err != nil {
-		return nil, err
-	}
-	return addedKey, nil
-}
-
-func parseEd25519Key(req []byte) (*AddedKey, error) {
-	var k ed25519KeyMsg
-	if err := ssh.Unmarshal(req, &k); err != nil {
-		return nil, err
-	}
-	priv := ed25519.PrivateKey(k.Priv)
-
-	addedKey := &AddedKey{PrivateKey: &priv, Comment: k.Comments}
-	if err := setConstraints(addedKey, k.Constraints); err != nil {
-		return nil, err
-	}
-	return addedKey, nil
-}
-
-func parseDSAKey(req []byte) (*AddedKey, error) {
-	var k dsaKeyMsg
-	if err := ssh.Unmarshal(req, &k); err != nil {
-		return nil, err
-	}
-	priv := &dsa.PrivateKey{
-		PublicKey: dsa.PublicKey{
-			Parameters: dsa.Parameters{
-				P: k.P,
-				Q: k.Q,
-				G: k.G,
-			},
-			Y: k.Y,
-		},
-		X: k.X,
-	}
-
-	addedKey := &AddedKey{PrivateKey: priv, Comment: k.Comments}
-	if err := setConstraints(addedKey, k.Constraints); err != nil {
-		return nil, err
-	}
-	return addedKey, nil
-}
-
-func unmarshalECDSA(curveName string, keyBytes []byte, privScalar *big.Int) (priv *ecdsa.PrivateKey, err error) {
-	priv = &ecdsa.PrivateKey{
-		D: privScalar,
-	}
-
-	switch curveName {
-	case "nistp256":
-		priv.Curve = elliptic.P256()
-	case "nistp384":
-		priv.Curve = elliptic.P384()
-	case "nistp521":
-		priv.Curve = elliptic.P521()
-	default:
-		return nil, fmt.Errorf("agent: unknown curve %q", curveName)
-	}
-
-	priv.X, priv.Y = elliptic.Unmarshal(priv.Curve, keyBytes)
-	if priv.X == nil || priv.Y == nil {
-		return nil, errors.New("agent: point not on curve")
-	}
-
-	return priv, nil
-}
-
-func parseEd25519Cert(req []byte) (*AddedKey, error) {
-	var k ed25519CertMsg
-	if err := ssh.Unmarshal(req, &k); err != nil {
-		return nil, err
-	}
-	pubKey, err := ssh.ParsePublicKey(k.CertBytes)
-	if err != nil {
-		return nil, err
-	}
-	priv := ed25519.PrivateKey(k.Priv)
-	cert, ok := pubKey.(*ssh.Certificate)
-	if !ok {
-		return nil, errors.New("agent: bad ED25519 certificate")
-	}
-
-	addedKey := &AddedKey{PrivateKey: &priv, Certificate: cert, Comment: k.Comments}
-	if err := setConstraints(addedKey, k.Constraints); err != nil {
-		return nil, err
-	}
-	return addedKey, nil
-}
-
-func parseECDSAKey(req []byte) (*AddedKey, error) {
-	var k ecdsaKeyMsg
-	if err := ssh.Unmarshal(req, &k); err != nil {
-		return nil, err
-	}
-
-	priv, err := unmarshalECDSA(k.Curve, k.KeyBytes, k.D)
-	if err != nil {
-		return nil, err
-	}
-
-	addedKey := &AddedKey{PrivateKey: priv, Comment: k.Comments}
-	if err := setConstraints(addedKey, k.Constraints); err != nil {
-		return nil, err
-	}
-	return addedKey, nil
-}
-
-func parseRSACert(req []byte) (*AddedKey, error) {
-	var k rsaCertMsg
-	if err := ssh.Unmarshal(req, &k); err != nil {
-		return nil, err
-	}
-
-	pubKey, err := ssh.ParsePublicKey(k.CertBytes)
-	if err != nil {
-		return nil, err
-	}
-
-	cert, ok := pubKey.(*ssh.Certificate)
-	if !ok {
-		return nil, errors.New("agent: bad RSA certificate")
-	}
-
-	// An RSA publickey as marshaled by rsaPublicKey.Marshal() in keys.go
-	var rsaPub struct {
-		Name string
-		E    *big.Int
-		N    *big.Int
-	}
-	if err := ssh.Unmarshal(cert.Key.Marshal(), &rsaPub); err != nil {
-		return nil, fmt.Errorf("agent: Unmarshal failed to parse public key: %v", err)
-	}
-
-	if rsaPub.E.BitLen() > 30 {
-		return nil, errors.New("agent: RSA public exponent too large")
-	}
-
-	priv := rsa.PrivateKey{
-		PublicKey: rsa.PublicKey{
-			E: int(rsaPub.E.Int64()),
-			N: rsaPub.N,
-		},
-		D:      k.D,
-		Primes: []*big.Int{k.Q, k.P},
-	}
-	priv.Precompute()
-
-	addedKey := &AddedKey{PrivateKey: &priv, Certificate: cert, Comment: k.Comments}
-	if err := setConstraints(addedKey, k.Constraints); err != nil {
-		return nil, err
-	}
-	return addedKey, nil
-}
-
-func parseDSACert(req []byte) (*AddedKey, error) {
-	var k dsaCertMsg
-	if err := ssh.Unmarshal(req, &k); err != nil {
-		return nil, err
-	}
-	pubKey, err := ssh.ParsePublicKey(k.CertBytes)
-	if err != nil {
-		return nil, err
-	}
-	cert, ok := pubKey.(*ssh.Certificate)
-	if !ok {
-		return nil, errors.New("agent: bad DSA certificate")
-	}
-
-	// A DSA publickey as marshaled by dsaPublicKey.Marshal() in keys.go
-	var w struct {
-		Name       string
-		P, Q, G, Y *big.Int
-	}
-	if err := ssh.Unmarshal(cert.Key.Marshal(), &w); err != nil {
-		return nil, fmt.Errorf("agent: Unmarshal failed to parse public key: %v", err)
-	}
-
-	priv := &dsa.PrivateKey{
-		PublicKey: dsa.PublicKey{
-			Parameters: dsa.Parameters{
-				P: w.P,
-				Q: w.Q,
-				G: w.G,
-			},
-			Y: w.Y,
-		},
-		X: k.X,
-	}
-
-	addedKey := &AddedKey{PrivateKey: priv, Certificate: cert, Comment: k.Comments}
-	if err := setConstraints(addedKey, k.Constraints); err != nil {
-		return nil, err
-	}
-	return addedKey, nil
-}
-
-func parseECDSACert(req []byte) (*AddedKey, error) {
-	var k ecdsaCertMsg
-	if err := ssh.Unmarshal(req, &k); err != nil {
-		return nil, err
-	}
-
-	pubKey, err := ssh.ParsePublicKey(k.CertBytes)
-	if err != nil {
-		return nil, err
-	}
-	cert, ok := pubKey.(*ssh.Certificate)
-	if !ok {
-		return nil, errors.New("agent: bad ECDSA certificate")
-	}
-
-	// An ECDSA publickey as marshaled by ecdsaPublicKey.Marshal() in keys.go
-	var ecdsaPub struct {
-		Name string
-		ID   string
-		Key  []byte
-	}
-	if err := ssh.Unmarshal(cert.Key.Marshal(), &ecdsaPub); err != nil {
-		return nil, err
-	}
-
-	priv, err := unmarshalECDSA(ecdsaPub.ID, ecdsaPub.Key, k.D)
-	if err != nil {
-		return nil, err
-	}
-
-	addedKey := &AddedKey{PrivateKey: priv, Certificate: cert, Comment: k.Comments}
-	if err := setConstraints(addedKey, k.Constraints); err != nil {
-		return nil, err
-	}
-	return addedKey, nil
-}
-
-func (s *server) insertIdentity(req []byte) error {
-	var record struct {
-		Type string `sshtype:"17|25"`
-		Rest []byte `ssh:"rest"`
-	}
-
-	if err := ssh.Unmarshal(req, &record); err != nil {
-		return err
-	}
-
-	var addedKey *AddedKey
-	var err error
-
-	switch record.Type {
-	case ssh.KeyAlgoRSA:
-		addedKey, err = parseRSAKey(req)
-	case ssh.KeyAlgoDSA:
-		addedKey, err = parseDSAKey(req)
-	case ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521:
-		addedKey, err = parseECDSAKey(req)
-	case ssh.KeyAlgoED25519:
-		addedKey, err = parseEd25519Key(req)
-	case ssh.CertAlgoRSAv01:
-		addedKey, err = parseRSACert(req)
-	case ssh.CertAlgoDSAv01:
-		addedKey, err = parseDSACert(req)
-	case ssh.CertAlgoECDSA256v01, ssh.CertAlgoECDSA384v01, ssh.CertAlgoECDSA521v01:
-		addedKey, err = parseECDSACert(req)
-	case ssh.CertAlgoED25519v01:
-		addedKey, err = parseEd25519Cert(req)
-	default:
-		return fmt.Errorf("agent: not implemented: %q", record.Type)
-	}
-
-	if err != nil {
-		return err
-	}
-	return s.agent.Add(*addedKey)
-}
-
-// ServeAgent serves the agent protocol on the given connection. It
-// returns when an I/O error occurs.
-func ServeAgent(agent Agent, c io.ReadWriter) error {
-	s := &server{agent}
-
-	var length [4]byte
-	for {
-		if _, err := io.ReadFull(c, length[:]); err != nil {
-			return err
-		}
-		l := binary.BigEndian.Uint32(length[:])
-		if l > maxAgentResponseBytes {
-			// We also cap requests.
-			return fmt.Errorf("agent: request too large: %d", l)
-		}
-
-		req := make([]byte, l)
-		if _, err := io.ReadFull(c, req); err != nil {
-			return err
-		}
-
-		repData := s.processRequestBytes(req)
-		if len(repData) > maxAgentResponseBytes {
-			return fmt.Errorf("agent: reply too large: %d bytes", len(repData))
-		}
-
-		binary.BigEndian.PutUint32(length[:], uint32(len(repData)))
-		if _, err := c.Write(length[:]); err != nil {
-			return err
-		}
-		if _, err := c.Write(repData); err != nil {
-			return err
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/server_test.go b/vendor/golang.org/x/crypto/ssh/agent/server_test.go
deleted file mode 100644
index 038018eb..00000000
--- a/vendor/golang.org/x/crypto/ssh/agent/server_test.go
+++ /dev/null
@@ -1,259 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package agent
-
-import (
-	"crypto"
-	"crypto/rand"
-	"fmt"
-	pseudorand "math/rand"
-	"reflect"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/ssh"
-)
-
-func TestServer(t *testing.T) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-	client := NewClient(c1)
-
-	go ServeAgent(NewKeyring(), c2)
-
-	testAgentInterface(t, client, testPrivateKeys["rsa"], nil, 0)
-}
-
-func TestLockServer(t *testing.T) {
-	testLockAgent(NewKeyring(), t)
-}
-
-func TestSetupForwardAgent(t *testing.T) {
-	a, b, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-
-	defer a.Close()
-	defer b.Close()
-
-	_, socket, cleanup := startOpenSSHAgent(t)
-	defer cleanup()
-
-	serverConf := ssh.ServerConfig{
-		NoClientAuth: true,
-	}
-	serverConf.AddHostKey(testSigners["rsa"])
-	incoming := make(chan *ssh.ServerConn, 1)
-	go func() {
-		conn, _, _, err := ssh.NewServerConn(a, &serverConf)
-		if err != nil {
-			t.Fatalf("Server: %v", err)
-		}
-		incoming <- conn
-	}()
-
-	conf := ssh.ClientConfig{
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-	}
-	conn, chans, reqs, err := ssh.NewClientConn(b, "", &conf)
-	if err != nil {
-		t.Fatalf("NewClientConn: %v", err)
-	}
-	client := ssh.NewClient(conn, chans, reqs)
-
-	if err := ForwardToRemote(client, socket); err != nil {
-		t.Fatalf("SetupForwardAgent: %v", err)
-	}
-
-	server := <-incoming
-	ch, reqs, err := server.OpenChannel(channelType, nil)
-	if err != nil {
-		t.Fatalf("OpenChannel(%q): %v", channelType, err)
-	}
-	go ssh.DiscardRequests(reqs)
-
-	agentClient := NewClient(ch)
-	testAgentInterface(t, agentClient, testPrivateKeys["rsa"], nil, 0)
-	conn.Close()
-}
-
-func TestV1ProtocolMessages(t *testing.T) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-	c := NewClient(c1)
-
-	go ServeAgent(NewKeyring(), c2)
-
-	testV1ProtocolMessages(t, c.(*client))
-}
-
-func testV1ProtocolMessages(t *testing.T, c *client) {
-	reply, err := c.call([]byte{agentRequestV1Identities})
-	if err != nil {
-		t.Fatalf("v1 request all failed: %v", err)
-	}
-	if msg, ok := reply.(*agentV1IdentityMsg); !ok || msg.Numkeys != 0 {
-		t.Fatalf("invalid request all response: %#v", reply)
-	}
-
-	reply, err = c.call([]byte{agentRemoveAllV1Identities})
-	if err != nil {
-		t.Fatalf("v1 remove all failed: %v", err)
-	}
-	if _, ok := reply.(*successAgentMsg); !ok {
-		t.Fatalf("invalid remove all response: %#v", reply)
-	}
-}
-
-func verifyKey(sshAgent Agent) error {
-	keys, err := sshAgent.List()
-	if err != nil {
-		return fmt.Errorf("listing keys: %v", err)
-	}
-
-	if len(keys) != 1 {
-		return fmt.Errorf("bad number of keys found. expected 1, got %d", len(keys))
-	}
-
-	buf := make([]byte, 128)
-	if _, err := rand.Read(buf); err != nil {
-		return fmt.Errorf("rand: %v", err)
-	}
-
-	sig, err := sshAgent.Sign(keys[0], buf)
-	if err != nil {
-		return fmt.Errorf("sign: %v", err)
-	}
-
-	if err := keys[0].Verify(buf, sig); err != nil {
-		return fmt.Errorf("verify: %v", err)
-	}
-	return nil
-}
-
-func addKeyToAgent(key crypto.PrivateKey) error {
-	sshAgent := NewKeyring()
-	if err := sshAgent.Add(AddedKey{PrivateKey: key}); err != nil {
-		return fmt.Errorf("add: %v", err)
-	}
-	return verifyKey(sshAgent)
-}
-
-func TestKeyTypes(t *testing.T) {
-	for k, v := range testPrivateKeys {
-		if err := addKeyToAgent(v); err != nil {
-			t.Errorf("error adding key type %s, %v", k, err)
-		}
-		if err := addCertToAgentSock(v, nil); err != nil {
-			t.Errorf("error adding key type %s, %v", k, err)
-		}
-	}
-}
-
-func addCertToAgentSock(key crypto.PrivateKey, cert *ssh.Certificate) error {
-	a, b, err := netPipe()
-	if err != nil {
-		return err
-	}
-	agentServer := NewKeyring()
-	go ServeAgent(agentServer, a)
-
-	agentClient := NewClient(b)
-	if err := agentClient.Add(AddedKey{PrivateKey: key, Certificate: cert}); err != nil {
-		return fmt.Errorf("add: %v", err)
-	}
-	return verifyKey(agentClient)
-}
-
-func addCertToAgent(key crypto.PrivateKey, cert *ssh.Certificate) error {
-	sshAgent := NewKeyring()
-	if err := sshAgent.Add(AddedKey{PrivateKey: key, Certificate: cert}); err != nil {
-		return fmt.Errorf("add: %v", err)
-	}
-	return verifyKey(sshAgent)
-}
-
-func TestCertTypes(t *testing.T) {
-	for keyType, key := range testPublicKeys {
-		cert := &ssh.Certificate{
-			ValidPrincipals: []string{"gopher1"},
-			ValidAfter:      0,
-			ValidBefore:     ssh.CertTimeInfinity,
-			Key:             key,
-			Serial:          1,
-			CertType:        ssh.UserCert,
-			SignatureKey:    testPublicKeys["rsa"],
-			Permissions: ssh.Permissions{
-				CriticalOptions: map[string]string{},
-				Extensions:      map[string]string{},
-			},
-		}
-		if err := cert.SignCert(rand.Reader, testSigners["rsa"]); err != nil {
-			t.Fatalf("signcert: %v", err)
-		}
-		if err := addCertToAgent(testPrivateKeys[keyType], cert); err != nil {
-			t.Fatalf("%v", err)
-		}
-		if err := addCertToAgentSock(testPrivateKeys[keyType], cert); err != nil {
-			t.Fatalf("%v", err)
-		}
-	}
-}
-
-func TestParseConstraints(t *testing.T) {
-	// Test LifetimeSecs
-	var msg = constrainLifetimeAgentMsg{pseudorand.Uint32()}
-	lifetimeSecs, _, _, err := parseConstraints(ssh.Marshal(msg))
-	if err != nil {
-		t.Fatalf("parseConstraints: %v", err)
-	}
-	if lifetimeSecs != msg.LifetimeSecs {
-		t.Errorf("got lifetime %v, want %v", lifetimeSecs, msg.LifetimeSecs)
-	}
-
-	// Test ConfirmBeforeUse
-	_, confirmBeforeUse, _, err := parseConstraints([]byte{agentConstrainConfirm})
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-	if !confirmBeforeUse {
-		t.Error("got comfirmBeforeUse == false")
-	}
-
-	// Test ConstraintExtensions
-	var data []byte
-	var expect []ConstraintExtension
-	for i := 0; i < 10; i++ {
-		var ext = ConstraintExtension{
-			ExtensionName:    fmt.Sprintf("name%d", i),
-			ExtensionDetails: []byte(fmt.Sprintf("details: %d", i)),
-		}
-		expect = append(expect, ext)
-		data = append(data, agentConstrainExtension)
-		data = append(data, ssh.Marshal(ext)...)
-	}
-	_, _, extensions, err := parseConstraints(data)
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-	if !reflect.DeepEqual(expect, extensions) {
-		t.Errorf("got extension %v, want %v", extensions, expect)
-	}
-
-	// Test Unknown Constraint
-	_, _, _, err = parseConstraints([]byte{128})
-	if err == nil || !strings.Contains(err.Error(), "unknown constraint") {
-		t.Errorf("unexpected error: %v", err)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/testdata_test.go b/vendor/golang.org/x/crypto/ssh/agent/testdata_test.go
deleted file mode 100644
index cc42a87c..00000000
--- a/vendor/golang.org/x/crypto/ssh/agent/testdata_test.go
+++ /dev/null
@@ -1,64 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// IMPLEMENTATION NOTE: To avoid a package loop, this file is in three places:
-// ssh/, ssh/agent, and ssh/test/. It should be kept in sync across all three
-// instances.
-
-package agent
-
-import (
-	"crypto/rand"
-	"fmt"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-var (
-	testPrivateKeys map[string]interface{}
-	testSigners     map[string]ssh.Signer
-	testPublicKeys  map[string]ssh.PublicKey
-)
-
-func init() {
-	var err error
-
-	n := len(testdata.PEMBytes)
-	testPrivateKeys = make(map[string]interface{}, n)
-	testSigners = make(map[string]ssh.Signer, n)
-	testPublicKeys = make(map[string]ssh.PublicKey, n)
-	for t, k := range testdata.PEMBytes {
-		testPrivateKeys[t], err = ssh.ParseRawPrivateKey(k)
-		if err != nil {
-			panic(fmt.Sprintf("Unable to parse test key %s: %v", t, err))
-		}
-		testSigners[t], err = ssh.NewSignerFromKey(testPrivateKeys[t])
-		if err != nil {
-			panic(fmt.Sprintf("Unable to create signer for test key %s: %v", t, err))
-		}
-		testPublicKeys[t] = testSigners[t].PublicKey()
-	}
-
-	// Create a cert and sign it for use in tests.
-	testCert := &ssh.Certificate{
-		Nonce:           []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		ValidPrincipals: []string{"gopher1", "gopher2"}, // increases test coverage
-		ValidAfter:      0,                              // unix epoch
-		ValidBefore:     ssh.CertTimeInfinity,           // The end of currently representable time.
-		Reserved:        []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		Key:             testPublicKeys["ecdsa"],
-		SignatureKey:    testPublicKeys["rsa"],
-		Permissions: ssh.Permissions{
-			CriticalOptions: map[string]string{},
-			Extensions:      map[string]string{},
-		},
-	}
-	testCert.SignCert(rand.Reader, testSigners["rsa"])
-	testPrivateKeys["cert"] = testPrivateKeys["ecdsa"]
-	testSigners["cert"], err = ssh.NewCertSigner(testCert, testSigners["ecdsa"])
-	if err != nil {
-		panic(fmt.Sprintf("Unable to create certificate signer: %v", err))
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/benchmark_test.go b/vendor/golang.org/x/crypto/ssh/benchmark_test.go
deleted file mode 100644
index 20c33077..00000000
--- a/vendor/golang.org/x/crypto/ssh/benchmark_test.go
+++ /dev/null
@@ -1,123 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"errors"
-	"io"
-	"net"
-	"testing"
-)
-
-type server struct {
-	*ServerConn
-	chans <-chan NewChannel
-}
-
-func newServer(c net.Conn, conf *ServerConfig) (*server, error) {
-	sconn, chans, reqs, err := NewServerConn(c, conf)
-	if err != nil {
-		return nil, err
-	}
-	go DiscardRequests(reqs)
-	return &server{sconn, chans}, nil
-}
-
-func (s *server) Accept() (NewChannel, error) {
-	n, ok := <-s.chans
-	if !ok {
-		return nil, io.EOF
-	}
-	return n, nil
-}
-
-func sshPipe() (Conn, *server, error) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	clientConf := ClientConfig{
-		User:            "user",
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	serverConf := ServerConfig{
-		NoClientAuth: true,
-	}
-	serverConf.AddHostKey(testSigners["ecdsa"])
-	done := make(chan *server, 1)
-	go func() {
-		server, err := newServer(c2, &serverConf)
-		if err != nil {
-			done <- nil
-		}
-		done <- server
-	}()
-
-	client, _, reqs, err := NewClientConn(c1, "", &clientConf)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	server := <-done
-	if server == nil {
-		return nil, nil, errors.New("server handshake failed.")
-	}
-	go DiscardRequests(reqs)
-
-	return client, server, nil
-}
-
-func BenchmarkEndToEnd(b *testing.B) {
-	b.StopTimer()
-
-	client, server, err := sshPipe()
-	if err != nil {
-		b.Fatalf("sshPipe: %v", err)
-	}
-
-	defer client.Close()
-	defer server.Close()
-
-	size := (1 << 20)
-	input := make([]byte, size)
-	output := make([]byte, size)
-	b.SetBytes(int64(size))
-	done := make(chan int, 1)
-
-	go func() {
-		newCh, err := server.Accept()
-		if err != nil {
-			b.Fatalf("Client: %v", err)
-		}
-		ch, incoming, err := newCh.Accept()
-		go DiscardRequests(incoming)
-		for i := 0; i < b.N; i++ {
-			if _, err := io.ReadFull(ch, output); err != nil {
-				b.Fatalf("ReadFull: %v", err)
-			}
-		}
-		ch.Close()
-		done <- 1
-	}()
-
-	ch, in, err := client.OpenChannel("speed", nil)
-	if err != nil {
-		b.Fatalf("OpenChannel: %v", err)
-	}
-	go DiscardRequests(in)
-
-	b.ResetTimer()
-	b.StartTimer()
-	for i := 0; i < b.N; i++ {
-		if _, err := ch.Write(input); err != nil {
-			b.Fatalf("WriteFull: %v", err)
-		}
-	}
-	ch.Close()
-	b.StopTimer()
-
-	<-done
-}
diff --git a/vendor/golang.org/x/crypto/ssh/buffer.go b/vendor/golang.org/x/crypto/ssh/buffer.go
deleted file mode 100644
index 1ab07d07..00000000
--- a/vendor/golang.org/x/crypto/ssh/buffer.go
+++ /dev/null
@@ -1,97 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"io"
-	"sync"
-)
-
-// buffer provides a linked list buffer for data exchange
-// between producer and consumer. Theoretically the buffer is
-// of unlimited capacity as it does no allocation of its own.
-type buffer struct {
-	// protects concurrent access to head, tail and closed
-	*sync.Cond
-
-	head *element // the buffer that will be read first
-	tail *element // the buffer that will be read last
-
-	closed bool
-}
-
-// An element represents a single link in a linked list.
-type element struct {
-	buf  []byte
-	next *element
-}
-
-// newBuffer returns an empty buffer that is not closed.
-func newBuffer() *buffer {
-	e := new(element)
-	b := &buffer{
-		Cond: newCond(),
-		head: e,
-		tail: e,
-	}
-	return b
-}
-
-// write makes buf available for Read to receive.
-// buf must not be modified after the call to write.
-func (b *buffer) write(buf []byte) {
-	b.Cond.L.Lock()
-	e := &element{buf: buf}
-	b.tail.next = e
-	b.tail = e
-	b.Cond.Signal()
-	b.Cond.L.Unlock()
-}
-
-// eof closes the buffer. Reads from the buffer once all
-// the data has been consumed will receive io.EOF.
-func (b *buffer) eof() {
-	b.Cond.L.Lock()
-	b.closed = true
-	b.Cond.Signal()
-	b.Cond.L.Unlock()
-}
-
-// Read reads data from the internal buffer in buf.  Reads will block
-// if no data is available, or until the buffer is closed.
-func (b *buffer) Read(buf []byte) (n int, err error) {
-	b.Cond.L.Lock()
-	defer b.Cond.L.Unlock()
-
-	for len(buf) > 0 {
-		// if there is data in b.head, copy it
-		if len(b.head.buf) > 0 {
-			r := copy(buf, b.head.buf)
-			buf, b.head.buf = buf[r:], b.head.buf[r:]
-			n += r
-			continue
-		}
-		// if there is a next buffer, make it the head
-		if len(b.head.buf) == 0 && b.head != b.tail {
-			b.head = b.head.next
-			continue
-		}
-
-		// if at least one byte has been copied, return
-		if n > 0 {
-			break
-		}
-
-		// if nothing was read, and there is nothing outstanding
-		// check to see if the buffer is closed.
-		if b.closed {
-			err = io.EOF
-			break
-		}
-		// out of buffers, wait for producer
-		b.Cond.Wait()
-	}
-	return
-}
diff --git a/vendor/golang.org/x/crypto/ssh/buffer_test.go b/vendor/golang.org/x/crypto/ssh/buffer_test.go
deleted file mode 100644
index d5781cb3..00000000
--- a/vendor/golang.org/x/crypto/ssh/buffer_test.go
+++ /dev/null
@@ -1,87 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"io"
-	"testing"
-)
-
-var alphabet = []byte("abcdefghijklmnopqrstuvwxyz")
-
-func TestBufferReadwrite(t *testing.T) {
-	b := newBuffer()
-	b.write(alphabet[:10])
-	r, _ := b.Read(make([]byte, 10))
-	if r != 10 {
-		t.Fatalf("Expected written == read == 10, written: 10, read %d", r)
-	}
-
-	b = newBuffer()
-	b.write(alphabet[:5])
-	r, _ = b.Read(make([]byte, 10))
-	if r != 5 {
-		t.Fatalf("Expected written == read == 5, written: 5, read %d", r)
-	}
-
-	b = newBuffer()
-	b.write(alphabet[:10])
-	r, _ = b.Read(make([]byte, 5))
-	if r != 5 {
-		t.Fatalf("Expected written == 10, read == 5, written: 10, read %d", r)
-	}
-
-	b = newBuffer()
-	b.write(alphabet[:5])
-	b.write(alphabet[5:15])
-	r, _ = b.Read(make([]byte, 10))
-	r2, _ := b.Read(make([]byte, 10))
-	if r != 10 || r2 != 5 || 15 != r+r2 {
-		t.Fatal("Expected written == read == 15")
-	}
-}
-
-func TestBufferClose(t *testing.T) {
-	b := newBuffer()
-	b.write(alphabet[:10])
-	b.eof()
-	_, err := b.Read(make([]byte, 5))
-	if err != nil {
-		t.Fatal("expected read of 5 to not return EOF")
-	}
-	b = newBuffer()
-	b.write(alphabet[:10])
-	b.eof()
-	r, err := b.Read(make([]byte, 5))
-	r2, err2 := b.Read(make([]byte, 10))
-	if r != 5 || r2 != 5 || err != nil || err2 != nil {
-		t.Fatal("expected reads of 5 and 5")
-	}
-
-	b = newBuffer()
-	b.write(alphabet[:10])
-	b.eof()
-	r, err = b.Read(make([]byte, 5))
-	r2, err2 = b.Read(make([]byte, 10))
-	r3, err3 := b.Read(make([]byte, 10))
-	if r != 5 || r2 != 5 || r3 != 0 || err != nil || err2 != nil || err3 != io.EOF {
-		t.Fatal("expected reads of 5 and 5 and 0, with EOF")
-	}
-
-	b = newBuffer()
-	b.write(make([]byte, 5))
-	b.write(make([]byte, 10))
-	b.eof()
-	r, err = b.Read(make([]byte, 9))
-	r2, err2 = b.Read(make([]byte, 3))
-	r3, err3 = b.Read(make([]byte, 3))
-	r4, err4 := b.Read(make([]byte, 10))
-	if err != nil || err2 != nil || err3 != nil || err4 != io.EOF {
-		t.Fatalf("Expected EOF on forth read only, err=%v, err2=%v, err3=%v, err4=%v", err, err2, err3, err4)
-	}
-	if r != 9 || r2 != 3 || r3 != 3 || r4 != 0 {
-		t.Fatal("Expected written == read == 15", r, r2, r3, r4)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/certs.go b/vendor/golang.org/x/crypto/ssh/certs.go
deleted file mode 100644
index cfc8ead1..00000000
--- a/vendor/golang.org/x/crypto/ssh/certs.go
+++ /dev/null
@@ -1,519 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"sort"
-	"time"
-)
-
-// These constants from [PROTOCOL.certkeys] represent the algorithm names
-// for certificate types supported by this package.
-const (
-	CertAlgoRSAv01      = "ssh-rsa-cert-v01@openssh.com"
-	CertAlgoDSAv01      = "ssh-dss-cert-v01@openssh.com"
-	CertAlgoECDSA256v01 = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
-	CertAlgoECDSA384v01 = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
-	CertAlgoECDSA521v01 = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
-	CertAlgoED25519v01  = "ssh-ed25519-cert-v01@openssh.com"
-)
-
-// Certificate types distinguish between host and user
-// certificates. The values can be set in the CertType field of
-// Certificate.
-const (
-	UserCert = 1
-	HostCert = 2
-)
-
-// Signature represents a cryptographic signature.
-type Signature struct {
-	Format string
-	Blob   []byte
-}
-
-// CertTimeInfinity can be used for OpenSSHCertV01.ValidBefore to indicate that
-// a certificate does not expire.
-const CertTimeInfinity = 1<<64 - 1
-
-// An Certificate represents an OpenSSH certificate as defined in
-// [PROTOCOL.certkeys]?rev=1.8.
-type Certificate struct {
-	Nonce           []byte
-	Key             PublicKey
-	Serial          uint64
-	CertType        uint32
-	KeyId           string
-	ValidPrincipals []string
-	ValidAfter      uint64
-	ValidBefore     uint64
-	Permissions
-	Reserved     []byte
-	SignatureKey PublicKey
-	Signature    *Signature
-}
-
-// genericCertData holds the key-independent part of the certificate data.
-// Overall, certificates contain an nonce, public key fields and
-// key-independent fields.
-type genericCertData struct {
-	Serial          uint64
-	CertType        uint32
-	KeyId           string
-	ValidPrincipals []byte
-	ValidAfter      uint64
-	ValidBefore     uint64
-	CriticalOptions []byte
-	Extensions      []byte
-	Reserved        []byte
-	SignatureKey    []byte
-	Signature       []byte
-}
-
-func marshalStringList(namelist []string) []byte {
-	var to []byte
-	for _, name := range namelist {
-		s := struct{ N string }{name}
-		to = append(to, Marshal(&s)...)
-	}
-	return to
-}
-
-type optionsTuple struct {
-	Key   string
-	Value []byte
-}
-
-type optionsTupleValue struct {
-	Value string
-}
-
-// serialize a map of critical options or extensions
-// issue #10569 - per [PROTOCOL.certkeys] and SSH implementation,
-// we need two length prefixes for a non-empty string value
-func marshalTuples(tups map[string]string) []byte {
-	keys := make([]string, 0, len(tups))
-	for key := range tups {
-		keys = append(keys, key)
-	}
-	sort.Strings(keys)
-
-	var ret []byte
-	for _, key := range keys {
-		s := optionsTuple{Key: key}
-		if value := tups[key]; len(value) > 0 {
-			s.Value = Marshal(&optionsTupleValue{value})
-		}
-		ret = append(ret, Marshal(&s)...)
-	}
-	return ret
-}
-
-// issue #10569 - per [PROTOCOL.certkeys] and SSH implementation,
-// we need two length prefixes for a non-empty option value
-func parseTuples(in []byte) (map[string]string, error) {
-	tups := map[string]string{}
-	var lastKey string
-	var haveLastKey bool
-
-	for len(in) > 0 {
-		var key, val, extra []byte
-		var ok bool
-
-		if key, in, ok = parseString(in); !ok {
-			return nil, errShortRead
-		}
-		keyStr := string(key)
-		// according to [PROTOCOL.certkeys], the names must be in
-		// lexical order.
-		if haveLastKey && keyStr <= lastKey {
-			return nil, fmt.Errorf("ssh: certificate options are not in lexical order")
-		}
-		lastKey, haveLastKey = keyStr, true
-		// the next field is a data field, which if non-empty has a string embedded
-		if val, in, ok = parseString(in); !ok {
-			return nil, errShortRead
-		}
-		if len(val) > 0 {
-			val, extra, ok = parseString(val)
-			if !ok {
-				return nil, errShortRead
-			}
-			if len(extra) > 0 {
-				return nil, fmt.Errorf("ssh: unexpected trailing data after certificate option value")
-			}
-			tups[keyStr] = string(val)
-		} else {
-			tups[keyStr] = ""
-		}
-	}
-	return tups, nil
-}
-
-func parseCert(in []byte, privAlgo string) (*Certificate, error) {
-	nonce, rest, ok := parseString(in)
-	if !ok {
-		return nil, errShortRead
-	}
-
-	key, rest, err := parsePubKey(rest, privAlgo)
-	if err != nil {
-		return nil, err
-	}
-
-	var g genericCertData
-	if err := Unmarshal(rest, &g); err != nil {
-		return nil, err
-	}
-
-	c := &Certificate{
-		Nonce:       nonce,
-		Key:         key,
-		Serial:      g.Serial,
-		CertType:    g.CertType,
-		KeyId:       g.KeyId,
-		ValidAfter:  g.ValidAfter,
-		ValidBefore: g.ValidBefore,
-	}
-
-	for principals := g.ValidPrincipals; len(principals) > 0; {
-		principal, rest, ok := parseString(principals)
-		if !ok {
-			return nil, errShortRead
-		}
-		c.ValidPrincipals = append(c.ValidPrincipals, string(principal))
-		principals = rest
-	}
-
-	c.CriticalOptions, err = parseTuples(g.CriticalOptions)
-	if err != nil {
-		return nil, err
-	}
-	c.Extensions, err = parseTuples(g.Extensions)
-	if err != nil {
-		return nil, err
-	}
-	c.Reserved = g.Reserved
-	k, err := ParsePublicKey(g.SignatureKey)
-	if err != nil {
-		return nil, err
-	}
-
-	c.SignatureKey = k
-	c.Signature, rest, ok = parseSignatureBody(g.Signature)
-	if !ok || len(rest) > 0 {
-		return nil, errors.New("ssh: signature parse error")
-	}
-
-	return c, nil
-}
-
-type openSSHCertSigner struct {
-	pub    *Certificate
-	signer Signer
-}
-
-// NewCertSigner returns a Signer that signs with the given Certificate, whose
-// private key is held by signer. It returns an error if the public key in cert
-// doesn't match the key used by signer.
-func NewCertSigner(cert *Certificate, signer Signer) (Signer, error) {
-	if bytes.Compare(cert.Key.Marshal(), signer.PublicKey().Marshal()) != 0 {
-		return nil, errors.New("ssh: signer and cert have different public key")
-	}
-
-	return &openSSHCertSigner{cert, signer}, nil
-}
-
-func (s *openSSHCertSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
-	return s.signer.Sign(rand, data)
-}
-
-func (s *openSSHCertSigner) PublicKey() PublicKey {
-	return s.pub
-}
-
-const sourceAddressCriticalOption = "source-address"
-
-// CertChecker does the work of verifying a certificate. Its methods
-// can be plugged into ClientConfig.HostKeyCallback and
-// ServerConfig.PublicKeyCallback. For the CertChecker to work,
-// minimally, the IsAuthority callback should be set.
-type CertChecker struct {
-	// SupportedCriticalOptions lists the CriticalOptions that the
-	// server application layer understands. These are only used
-	// for user certificates.
-	SupportedCriticalOptions []string
-
-	// IsUserAuthority should return true if the key is recognized as an
-	// authority for the given user certificate. This allows for
-	// certificates to be signed by other certificates. This must be set
-	// if this CertChecker will be checking user certificates.
-	IsUserAuthority func(auth PublicKey) bool
-
-	// IsHostAuthority should report whether the key is recognized as
-	// an authority for this host. This allows for certificates to be
-	// signed by other keys, and for those other keys to only be valid
-	// signers for particular hostnames. This must be set if this
-	// CertChecker will be checking host certificates.
-	IsHostAuthority func(auth PublicKey, address string) bool
-
-	// Clock is used for verifying time stamps. If nil, time.Now
-	// is used.
-	Clock func() time.Time
-
-	// UserKeyFallback is called when CertChecker.Authenticate encounters a
-	// public key that is not a certificate. It must implement validation
-	// of user keys or else, if nil, all such keys are rejected.
-	UserKeyFallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
-
-	// HostKeyFallback is called when CertChecker.CheckHostKey encounters a
-	// public key that is not a certificate. It must implement host key
-	// validation or else, if nil, all such keys are rejected.
-	HostKeyFallback HostKeyCallback
-
-	// IsRevoked is called for each certificate so that revocation checking
-	// can be implemented. It should return true if the given certificate
-	// is revoked and false otherwise. If nil, no certificates are
-	// considered to have been revoked.
-	IsRevoked func(cert *Certificate) bool
-}
-
-// CheckHostKey checks a host key certificate. This method can be
-// plugged into ClientConfig.HostKeyCallback.
-func (c *CertChecker) CheckHostKey(addr string, remote net.Addr, key PublicKey) error {
-	cert, ok := key.(*Certificate)
-	if !ok {
-		if c.HostKeyFallback != nil {
-			return c.HostKeyFallback(addr, remote, key)
-		}
-		return errors.New("ssh: non-certificate host key")
-	}
-	if cert.CertType != HostCert {
-		return fmt.Errorf("ssh: certificate presented as a host key has type %d", cert.CertType)
-	}
-	if !c.IsHostAuthority(cert.SignatureKey, addr) {
-		return fmt.Errorf("ssh: no authorities for hostname: %v", addr)
-	}
-
-	hostname, _, err := net.SplitHostPort(addr)
-	if err != nil {
-		return err
-	}
-
-	// Pass hostname only as principal for host certificates (consistent with OpenSSH)
-	return c.CheckCert(hostname, cert)
-}
-
-// Authenticate checks a user certificate. Authenticate can be used as
-// a value for ServerConfig.PublicKeyCallback.
-func (c *CertChecker) Authenticate(conn ConnMetadata, pubKey PublicKey) (*Permissions, error) {
-	cert, ok := pubKey.(*Certificate)
-	if !ok {
-		if c.UserKeyFallback != nil {
-			return c.UserKeyFallback(conn, pubKey)
-		}
-		return nil, errors.New("ssh: normal key pairs not accepted")
-	}
-
-	if cert.CertType != UserCert {
-		return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
-	}
-	if !c.IsUserAuthority(cert.SignatureKey) {
-		return nil, fmt.Errorf("ssh: certificate signed by unrecognized authority")
-	}
-
-	if err := c.CheckCert(conn.User(), cert); err != nil {
-		return nil, err
-	}
-
-	return &cert.Permissions, nil
-}
-
-// CheckCert checks CriticalOptions, ValidPrincipals, revocation, timestamp and
-// the signature of the certificate.
-func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
-	if c.IsRevoked != nil && c.IsRevoked(cert) {
-		return fmt.Errorf("ssh: certificate serial %d revoked", cert.Serial)
-	}
-
-	for opt := range cert.CriticalOptions {
-		// sourceAddressCriticalOption will be enforced by
-		// serverAuthenticate
-		if opt == sourceAddressCriticalOption {
-			continue
-		}
-
-		found := false
-		for _, supp := range c.SupportedCriticalOptions {
-			if supp == opt {
-				found = true
-				break
-			}
-		}
-		if !found {
-			return fmt.Errorf("ssh: unsupported critical option %q in certificate", opt)
-		}
-	}
-
-	if len(cert.ValidPrincipals) > 0 {
-		// By default, certs are valid for all users/hosts.
-		found := false
-		for _, p := range cert.ValidPrincipals {
-			if p == principal {
-				found = true
-				break
-			}
-		}
-		if !found {
-			return fmt.Errorf("ssh: principal %q not in the set of valid principals for given certificate: %q", principal, cert.ValidPrincipals)
-		}
-	}
-
-	clock := c.Clock
-	if clock == nil {
-		clock = time.Now
-	}
-
-	unixNow := clock().Unix()
-	if after := int64(cert.ValidAfter); after < 0 || unixNow < int64(cert.ValidAfter) {
-		return fmt.Errorf("ssh: cert is not yet valid")
-	}
-	if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(CertTimeInfinity) && (unixNow >= before || before < 0) {
-		return fmt.Errorf("ssh: cert has expired")
-	}
-	if err := cert.SignatureKey.Verify(cert.bytesForSigning(), cert.Signature); err != nil {
-		return fmt.Errorf("ssh: certificate signature does not verify")
-	}
-
-	return nil
-}
-
-// SignCert sets c.SignatureKey to the authority's public key and stores a
-// Signature, by authority, in the certificate.
-func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
-	c.Nonce = make([]byte, 32)
-	if _, err := io.ReadFull(rand, c.Nonce); err != nil {
-		return err
-	}
-	c.SignatureKey = authority.PublicKey()
-
-	sig, err := authority.Sign(rand, c.bytesForSigning())
-	if err != nil {
-		return err
-	}
-	c.Signature = sig
-	return nil
-}
-
-var certAlgoNames = map[string]string{
-	KeyAlgoRSA:      CertAlgoRSAv01,
-	KeyAlgoDSA:      CertAlgoDSAv01,
-	KeyAlgoECDSA256: CertAlgoECDSA256v01,
-	KeyAlgoECDSA384: CertAlgoECDSA384v01,
-	KeyAlgoECDSA521: CertAlgoECDSA521v01,
-	KeyAlgoED25519:  CertAlgoED25519v01,
-}
-
-// certToPrivAlgo returns the underlying algorithm for a certificate algorithm.
-// Panics if a non-certificate algorithm is passed.
-func certToPrivAlgo(algo string) string {
-	for privAlgo, pubAlgo := range certAlgoNames {
-		if pubAlgo == algo {
-			return privAlgo
-		}
-	}
-	panic("unknown cert algorithm")
-}
-
-func (cert *Certificate) bytesForSigning() []byte {
-	c2 := *cert
-	c2.Signature = nil
-	out := c2.Marshal()
-	// Drop trailing signature length.
-	return out[:len(out)-4]
-}
-
-// Marshal serializes c into OpenSSH's wire format. It is part of the
-// PublicKey interface.
-func (c *Certificate) Marshal() []byte {
-	generic := genericCertData{
-		Serial:          c.Serial,
-		CertType:        c.CertType,
-		KeyId:           c.KeyId,
-		ValidPrincipals: marshalStringList(c.ValidPrincipals),
-		ValidAfter:      uint64(c.ValidAfter),
-		ValidBefore:     uint64(c.ValidBefore),
-		CriticalOptions: marshalTuples(c.CriticalOptions),
-		Extensions:      marshalTuples(c.Extensions),
-		Reserved:        c.Reserved,
-		SignatureKey:    c.SignatureKey.Marshal(),
-	}
-	if c.Signature != nil {
-		generic.Signature = Marshal(c.Signature)
-	}
-	genericBytes := Marshal(&generic)
-	keyBytes := c.Key.Marshal()
-	_, keyBytes, _ = parseString(keyBytes)
-	prefix := Marshal(&struct {
-		Name  string
-		Nonce []byte
-		Key   []byte `ssh:"rest"`
-	}{c.Type(), c.Nonce, keyBytes})
-
-	result := make([]byte, 0, len(prefix)+len(genericBytes))
-	result = append(result, prefix...)
-	result = append(result, genericBytes...)
-	return result
-}
-
-// Type returns the key name. It is part of the PublicKey interface.
-func (c *Certificate) Type() string {
-	algo, ok := certAlgoNames[c.Key.Type()]
-	if !ok {
-		panic("unknown cert key type " + c.Key.Type())
-	}
-	return algo
-}
-
-// Verify verifies a signature against the certificate's public
-// key. It is part of the PublicKey interface.
-func (c *Certificate) Verify(data []byte, sig *Signature) error {
-	return c.Key.Verify(data, sig)
-}
-
-func parseSignatureBody(in []byte) (out *Signature, rest []byte, ok bool) {
-	format, in, ok := parseString(in)
-	if !ok {
-		return
-	}
-
-	out = &Signature{
-		Format: string(format),
-	}
-
-	if out.Blob, in, ok = parseString(in); !ok {
-		return
-	}
-
-	return out, in, ok
-}
-
-func parseSignature(in []byte) (out *Signature, rest []byte, ok bool) {
-	sigBytes, rest, ok := parseString(in)
-	if !ok {
-		return
-	}
-
-	out, trailing, ok := parseSignatureBody(sigBytes)
-	if !ok || len(trailing) > 0 {
-		return nil, nil, false
-	}
-	return
-}
diff --git a/vendor/golang.org/x/crypto/ssh/certs_test.go b/vendor/golang.org/x/crypto/ssh/certs_test.go
deleted file mode 100644
index c8e7cf58..00000000
--- a/vendor/golang.org/x/crypto/ssh/certs_test.go
+++ /dev/null
@@ -1,335 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"net"
-	"reflect"
-	"testing"
-	"time"
-
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-// Cert generated by ssh-keygen 6.0p1 Debian-4.
-// % ssh-keygen -s ca-key -I test user-key
-const exampleSSHCert = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgb1srW/W3ZDjYAO45xLYAwzHBDLsJ4Ux6ICFIkTjb1LEAAAADAQABAAAAYQCkoR51poH0wE8w72cqSB8Sszx+vAhzcMdCO0wqHTj7UNENHWEXGrU0E0UQekD7U+yhkhtoyjbPOVIP7hNa6aRk/ezdh/iUnCIt4Jt1v3Z1h1P+hA4QuYFMHNB+rmjPwAcAAAAAAAAAAAAAAAEAAAAEdGVzdAAAAAAAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAHcAAAAHc3NoLXJzYQAAAAMBAAEAAABhANFS2kaktpSGc+CcmEKPyw9mJC4nZKxHKTgLVZeaGbFZOvJTNzBspQHdy7Q1uKSfktxpgjZnksiu/tFF9ngyY2KFoc+U88ya95IZUycBGCUbBQ8+bhDtw/icdDGQD5WnUwAAAG8AAAAHc3NoLXJzYQAAAGC8Y9Z2LQKhIhxf52773XaWrXdxP0t3GBVo4A10vUWiYoAGepr6rQIoGGXFxT4B9Gp+nEBJjOwKDXPrAevow0T9ca8gZN+0ykbhSrXLE5Ao48rqr3zP4O1/9P7e6gp0gw8=`
-
-func TestParseCert(t *testing.T) {
-	authKeyBytes := []byte(exampleSSHCert)
-
-	key, _, _, rest, err := ParseAuthorizedKey(authKeyBytes)
-	if err != nil {
-		t.Fatalf("ParseAuthorizedKey: %v", err)
-	}
-	if len(rest) > 0 {
-		t.Errorf("rest: got %q, want empty", rest)
-	}
-
-	if _, ok := key.(*Certificate); !ok {
-		t.Fatalf("got %v (%T), want *Certificate", key, key)
-	}
-
-	marshaled := MarshalAuthorizedKey(key)
-	// Before comparison, remove the trailing newline that
-	// MarshalAuthorizedKey adds.
-	marshaled = marshaled[:len(marshaled)-1]
-	if !bytes.Equal(authKeyBytes, marshaled) {
-		t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, authKeyBytes)
-	}
-}
-
-// Cert generated by ssh-keygen OpenSSH_6.8p1 OS X 10.10.3
-// % ssh-keygen -s ca -I testcert -O source-address=192.168.1.0/24 -O force-command=/bin/sleep user.pub
-// user.pub key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDACh1rt2DXfV3hk6fszSQcQ/rueMId0kVD9U7nl8cfEnFxqOCrNT92g4laQIGl2mn8lsGZfTLg8ksHq3gkvgO3oo/0wHy4v32JeBOHTsN5AL4gfHNEhWeWb50ev47hnTsRIt9P4dxogeUo/hTu7j9+s9lLpEQXCvq6xocXQt0j8MV9qZBBXFLXVT3cWIkSqOdwt/5ZBg+1GSrc7WfCXVWgTk4a20uPMuJPxU4RQwZW6X3+O8Pqo8C3cW0OzZRFP6gUYUKUsTI5WntlS+LAxgw1mZNsozFGdbiOPRnEryE3SRldh9vjDR3tin1fGpA5P7+CEB/bqaXtG3V+F2OkqaMN
-// Critical Options:
-//         force-command /bin/sleep
-//         source-address 192.168.1.0/24
-// Extensions:
-//         permit-X11-forwarding
-//         permit-agent-forwarding
-//         permit-port-forwarding
-//         permit-pty
-//         permit-user-rc
-const exampleSSHCertWithOptions = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgDyysCJY0XrO1n03EeRRoITnTPdjENFmWDs9X58PP3VUAAAADAQABAAABAQDACh1rt2DXfV3hk6fszSQcQ/rueMId0kVD9U7nl8cfEnFxqOCrNT92g4laQIGl2mn8lsGZfTLg8ksHq3gkvgO3oo/0wHy4v32JeBOHTsN5AL4gfHNEhWeWb50ev47hnTsRIt9P4dxogeUo/hTu7j9+s9lLpEQXCvq6xocXQt0j8MV9qZBBXFLXVT3cWIkSqOdwt/5ZBg+1GSrc7WfCXVWgTk4a20uPMuJPxU4RQwZW6X3+O8Pqo8C3cW0OzZRFP6gUYUKUsTI5WntlS+LAxgw1mZNsozFGdbiOPRnEryE3SRldh9vjDR3tin1fGpA5P7+CEB/bqaXtG3V+F2OkqaMNAAAAAAAAAAAAAAABAAAACHRlc3RjZXJ0AAAAAAAAAAAAAAAA//////////8AAABLAAAADWZvcmNlLWNvbW1hbmQAAAAOAAAACi9iaW4vc2xlZXAAAAAOc291cmNlLWFkZHJlc3MAAAASAAAADjE5Mi4xNjguMS4wLzI0AAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAwU+c5ui5A8+J/CFpjW8wCa52bEODA808WWQDCSuTG/eMXNf59v9Y8Pk0F1E9dGCosSNyVcB/hacUrc6He+i97+HJCyKavBsE6GDxrjRyxYqAlfcOXi/IVmaUGiO8OQ39d4GHrjToInKvExSUeleQyH4Y4/e27T/pILAqPFL3fyrvMLT5qU9QyIt6zIpa7GBP5+urouNavMprV3zsfIqNBbWypinOQAw823a5wN+zwXnhZrgQiHZ/USG09Y6k98y1dTVz8YHlQVR4D3lpTAsKDKJ5hCH9WU4fdf+lU8OyNGaJ/vz0XNqxcToe1l4numLTnaoSuH89pHryjqurB7lJKwAAAQ8AAAAHc3NoLXJzYQAAAQCaHvUIoPL1zWUHIXLvu96/HU1s/i4CAW2IIEuGgxCUCiFj6vyTyYtgxQxcmbfZf6eaITlS6XJZa7Qq4iaFZh75C1DXTX8labXhRSD4E2t//AIP9MC1rtQC5xo6FmbQ+BoKcDskr+mNACcbRSxs3IL3bwCfWDnIw2WbVox9ZdcthJKk4UoCW4ix4QwdHw7zlddlz++fGEEVhmTbll1SUkycGApPFBsAYRTMupUJcYPIeReBI/m8XfkoMk99bV8ZJQTAd7OekHY2/48Ff53jLmyDjP7kNw1F8OaPtkFs6dGJXta4krmaekPy87j+35In5hFj7yoOqvSbmYUkeX70/GGQ`
-
-func TestParseCertWithOptions(t *testing.T) {
-	opts := map[string]string{
-		"source-address": "192.168.1.0/24",
-		"force-command":  "/bin/sleep",
-	}
-	exts := map[string]string{
-		"permit-X11-forwarding":   "",
-		"permit-agent-forwarding": "",
-		"permit-port-forwarding":  "",
-		"permit-pty":              "",
-		"permit-user-rc":          "",
-	}
-	authKeyBytes := []byte(exampleSSHCertWithOptions)
-
-	key, _, _, rest, err := ParseAuthorizedKey(authKeyBytes)
-	if err != nil {
-		t.Fatalf("ParseAuthorizedKey: %v", err)
-	}
-	if len(rest) > 0 {
-		t.Errorf("rest: got %q, want empty", rest)
-	}
-	cert, ok := key.(*Certificate)
-	if !ok {
-		t.Fatalf("got %v (%T), want *Certificate", key, key)
-	}
-	if !reflect.DeepEqual(cert.CriticalOptions, opts) {
-		t.Errorf("unexpected critical options - got %v, want %v", cert.CriticalOptions, opts)
-	}
-	if !reflect.DeepEqual(cert.Extensions, exts) {
-		t.Errorf("unexpected Extensions - got %v, want %v", cert.Extensions, exts)
-	}
-	marshaled := MarshalAuthorizedKey(key)
-	// Before comparison, remove the trailing newline that
-	// MarshalAuthorizedKey adds.
-	marshaled = marshaled[:len(marshaled)-1]
-	if !bytes.Equal(authKeyBytes, marshaled) {
-		t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, authKeyBytes)
-	}
-}
-
-func TestValidateCert(t *testing.T) {
-	key, _, _, _, err := ParseAuthorizedKey([]byte(exampleSSHCert))
-	if err != nil {
-		t.Fatalf("ParseAuthorizedKey: %v", err)
-	}
-	validCert, ok := key.(*Certificate)
-	if !ok {
-		t.Fatalf("got %v (%T), want *Certificate", key, key)
-	}
-	checker := CertChecker{}
-	checker.IsUserAuthority = func(k PublicKey) bool {
-		return bytes.Equal(k.Marshal(), validCert.SignatureKey.Marshal())
-	}
-
-	if err := checker.CheckCert("user", validCert); err != nil {
-		t.Errorf("Unable to validate certificate: %v", err)
-	}
-	invalidCert := &Certificate{
-		Key:          testPublicKeys["rsa"],
-		SignatureKey: testPublicKeys["ecdsa"],
-		ValidBefore:  CertTimeInfinity,
-		Signature:    &Signature{},
-	}
-	if err := checker.CheckCert("user", invalidCert); err == nil {
-		t.Error("Invalid cert signature passed validation")
-	}
-}
-
-func TestValidateCertTime(t *testing.T) {
-	cert := Certificate{
-		ValidPrincipals: []string{"user"},
-		Key:             testPublicKeys["rsa"],
-		ValidAfter:      50,
-		ValidBefore:     100,
-	}
-
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-
-	for ts, ok := range map[int64]bool{
-		25:  false,
-		50:  true,
-		99:  true,
-		100: false,
-		125: false,
-	} {
-		checker := CertChecker{
-			Clock: func() time.Time { return time.Unix(ts, 0) },
-		}
-		checker.IsUserAuthority = func(k PublicKey) bool {
-			return bytes.Equal(k.Marshal(),
-				testPublicKeys["ecdsa"].Marshal())
-		}
-
-		if v := checker.CheckCert("user", &cert); (v == nil) != ok {
-			t.Errorf("Authenticate(%d): %v", ts, v)
-		}
-	}
-}
-
-// TODO(hanwen): tests for
-//
-// host keys:
-// * fallbacks
-
-func TestHostKeyCert(t *testing.T) {
-	cert := &Certificate{
-		ValidPrincipals: []string{"hostname", "hostname.domain", "otherhost"},
-		Key:             testPublicKeys["rsa"],
-		ValidBefore:     CertTimeInfinity,
-		CertType:        HostCert,
-	}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-
-	checker := &CertChecker{
-		IsHostAuthority: func(p PublicKey, addr string) bool {
-			return addr == "hostname:22" && bytes.Equal(testPublicKeys["ecdsa"].Marshal(), p.Marshal())
-		},
-	}
-
-	certSigner, err := NewCertSigner(cert, testSigners["rsa"])
-	if err != nil {
-		t.Errorf("NewCertSigner: %v", err)
-	}
-
-	for _, test := range []struct {
-		addr    string
-		succeed bool
-	}{
-		{addr: "hostname:22", succeed: true},
-		{addr: "otherhost:22", succeed: false}, // The certificate is valid for 'otherhost' as hostname, but we only recognize the authority of the signer for the address 'hostname:22'
-		{addr: "lasthost:22", succeed: false},
-	} {
-		c1, c2, err := netPipe()
-		if err != nil {
-			t.Fatalf("netPipe: %v", err)
-		}
-		defer c1.Close()
-		defer c2.Close()
-
-		errc := make(chan error)
-
-		go func() {
-			conf := ServerConfig{
-				NoClientAuth: true,
-			}
-			conf.AddHostKey(certSigner)
-			_, _, _, err := NewServerConn(c1, &conf)
-			errc <- err
-		}()
-
-		config := &ClientConfig{
-			User:            "user",
-			HostKeyCallback: checker.CheckHostKey,
-		}
-		_, _, _, err = NewClientConn(c2, test.addr, config)
-
-		if (err == nil) != test.succeed {
-			t.Fatalf("NewClientConn(%q): %v", test.addr, err)
-		}
-
-		err = <-errc
-		if (err == nil) != test.succeed {
-			t.Fatalf("NewServerConn(%q): %v", test.addr, err)
-		}
-	}
-}
-
-func TestCertTypes(t *testing.T) {
-	var testVars = []struct {
-		name string
-		keys func() Signer
-	}{
-		{
-			name: CertAlgoECDSA256v01,
-			keys: func() Signer {
-				s, _ := ParsePrivateKey(testdata.PEMBytes["ecdsap256"])
-				return s
-			},
-		},
-		{
-			name: CertAlgoECDSA384v01,
-			keys: func() Signer {
-				s, _ := ParsePrivateKey(testdata.PEMBytes["ecdsap384"])
-				return s
-			},
-		},
-		{
-			name: CertAlgoECDSA521v01,
-			keys: func() Signer {
-				s, _ := ParsePrivateKey(testdata.PEMBytes["ecdsap521"])
-				return s
-			},
-		},
-		{
-			name: CertAlgoED25519v01,
-			keys: func() Signer {
-				s, _ := ParsePrivateKey(testdata.PEMBytes["ed25519"])
-				return s
-			},
-		},
-		{
-			name: CertAlgoRSAv01,
-			keys: func() Signer {
-				s, _ := ParsePrivateKey(testdata.PEMBytes["rsa"])
-				return s
-			},
-		},
-		{
-			name: CertAlgoDSAv01,
-			keys: func() Signer {
-				s, _ := ParsePrivateKey(testdata.PEMBytes["dsa"])
-				return s
-			},
-		},
-	}
-
-	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatalf("error generating host key: %v", err)
-	}
-
-	signer, err := NewSignerFromKey(k)
-	if err != nil {
-		t.Fatalf("error generating signer for ssh listener: %v", err)
-	}
-
-	conf := &ServerConfig{
-		PublicKeyCallback: func(c ConnMetadata, k PublicKey) (*Permissions, error) {
-			return new(Permissions), nil
-		},
-	}
-	conf.AddHostKey(signer)
-
-	for _, m := range testVars {
-		t.Run(m.name, func(t *testing.T) {
-
-			c1, c2, err := netPipe()
-			if err != nil {
-				t.Fatalf("netPipe: %v", err)
-			}
-			defer c1.Close()
-			defer c2.Close()
-
-			go NewServerConn(c1, conf)
-
-			priv := m.keys()
-			if err != nil {
-				t.Fatalf("error generating ssh pubkey: %v", err)
-			}
-
-			cert := &Certificate{
-				CertType: UserCert,
-				Key:      priv.PublicKey(),
-			}
-			cert.SignCert(rand.Reader, priv)
-
-			certSigner, err := NewCertSigner(cert, priv)
-			if err != nil {
-				t.Fatalf("error generating cert signer: %v", err)
-			}
-
-			config := &ClientConfig{
-				User:            "user",
-				HostKeyCallback: func(h string, r net.Addr, k PublicKey) error { return nil },
-				Auth:            []AuthMethod{PublicKeys(certSigner)},
-			}
-
-			_, _, _, err = NewClientConn(c2, "", config)
-			if err != nil {
-				t.Fatalf("error connecting: %v", err)
-			}
-		})
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/channel.go b/vendor/golang.org/x/crypto/ssh/channel.go
deleted file mode 100644
index c0834c00..00000000
--- a/vendor/golang.org/x/crypto/ssh/channel.go
+++ /dev/null
@@ -1,633 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"sync"
-)
-
-const (
-	minPacketLength = 9
-	// channelMaxPacket contains the maximum number of bytes that will be
-	// sent in a single packet. As per RFC 4253, section 6.1, 32k is also
-	// the minimum.
-	channelMaxPacket = 1 << 15
-	// We follow OpenSSH here.
-	channelWindowSize = 64 * channelMaxPacket
-)
-
-// NewChannel represents an incoming request to a channel. It must either be
-// accepted for use by calling Accept, or rejected by calling Reject.
-type NewChannel interface {
-	// Accept accepts the channel creation request. It returns the Channel
-	// and a Go channel containing SSH requests. The Go channel must be
-	// serviced otherwise the Channel will hang.
-	Accept() (Channel, <-chan *Request, error)
-
-	// Reject rejects the channel creation request. After calling
-	// this, no other methods on the Channel may be called.
-	Reject(reason RejectionReason, message string) error
-
-	// ChannelType returns the type of the channel, as supplied by the
-	// client.
-	ChannelType() string
-
-	// ExtraData returns the arbitrary payload for this channel, as supplied
-	// by the client. This data is specific to the channel type.
-	ExtraData() []byte
-}
-
-// A Channel is an ordered, reliable, flow-controlled, duplex stream
-// that is multiplexed over an SSH connection.
-type Channel interface {
-	// Read reads up to len(data) bytes from the channel.
-	Read(data []byte) (int, error)
-
-	// Write writes len(data) bytes to the channel.
-	Write(data []byte) (int, error)
-
-	// Close signals end of channel use. No data may be sent after this
-	// call.
-	Close() error
-
-	// CloseWrite signals the end of sending in-band
-	// data. Requests may still be sent, and the other side may
-	// still send data
-	CloseWrite() error
-
-	// SendRequest sends a channel request.  If wantReply is true,
-	// it will wait for a reply and return the result as a
-	// boolean, otherwise the return value will be false. Channel
-	// requests are out-of-band messages so they may be sent even
-	// if the data stream is closed or blocked by flow control.
-	// If the channel is closed before a reply is returned, io.EOF
-	// is returned.
-	SendRequest(name string, wantReply bool, payload []byte) (bool, error)
-
-	// Stderr returns an io.ReadWriter that writes to this channel
-	// with the extended data type set to stderr. Stderr may
-	// safely be read and written from a different goroutine than
-	// Read and Write respectively.
-	Stderr() io.ReadWriter
-}
-
-// Request is a request sent outside of the normal stream of
-// data. Requests can either be specific to an SSH channel, or they
-// can be global.
-type Request struct {
-	Type      string
-	WantReply bool
-	Payload   []byte
-
-	ch  *channel
-	mux *mux
-}
-
-// Reply sends a response to a request. It must be called for all requests
-// where WantReply is true and is a no-op otherwise. The payload argument is
-// ignored for replies to channel-specific requests.
-func (r *Request) Reply(ok bool, payload []byte) error {
-	if !r.WantReply {
-		return nil
-	}
-
-	if r.ch == nil {
-		return r.mux.ackRequest(ok, payload)
-	}
-
-	return r.ch.ackRequest(ok)
-}
-
-// RejectionReason is an enumeration used when rejecting channel creation
-// requests. See RFC 4254, section 5.1.
-type RejectionReason uint32
-
-const (
-	Prohibited RejectionReason = iota + 1
-	ConnectionFailed
-	UnknownChannelType
-	ResourceShortage
-)
-
-// String converts the rejection reason to human readable form.
-func (r RejectionReason) String() string {
-	switch r {
-	case Prohibited:
-		return "administratively prohibited"
-	case ConnectionFailed:
-		return "connect failed"
-	case UnknownChannelType:
-		return "unknown channel type"
-	case ResourceShortage:
-		return "resource shortage"
-	}
-	return fmt.Sprintf("unknown reason %d", int(r))
-}
-
-func min(a uint32, b int) uint32 {
-	if a < uint32(b) {
-		return a
-	}
-	return uint32(b)
-}
-
-type channelDirection uint8
-
-const (
-	channelInbound channelDirection = iota
-	channelOutbound
-)
-
-// channel is an implementation of the Channel interface that works
-// with the mux class.
-type channel struct {
-	// R/O after creation
-	chanType          string
-	extraData         []byte
-	localId, remoteId uint32
-
-	// maxIncomingPayload and maxRemotePayload are the maximum
-	// payload sizes of normal and extended data packets for
-	// receiving and sending, respectively. The wire packet will
-	// be 9 or 13 bytes larger (excluding encryption overhead).
-	maxIncomingPayload uint32
-	maxRemotePayload   uint32
-
-	mux *mux
-
-	// decided is set to true if an accept or reject message has been sent
-	// (for outbound channels) or received (for inbound channels).
-	decided bool
-
-	// direction contains either channelOutbound, for channels created
-	// locally, or channelInbound, for channels created by the peer.
-	direction channelDirection
-
-	// Pending internal channel messages.
-	msg chan interface{}
-
-	// Since requests have no ID, there can be only one request
-	// with WantReply=true outstanding.  This lock is held by a
-	// goroutine that has such an outgoing request pending.
-	sentRequestMu sync.Mutex
-
-	incomingRequests chan *Request
-
-	sentEOF bool
-
-	// thread-safe data
-	remoteWin  window
-	pending    *buffer
-	extPending *buffer
-
-	// windowMu protects myWindow, the flow-control window.
-	windowMu sync.Mutex
-	myWindow uint32
-
-	// writeMu serializes calls to mux.conn.writePacket() and
-	// protects sentClose and packetPool. This mutex must be
-	// different from windowMu, as writePacket can block if there
-	// is a key exchange pending.
-	writeMu   sync.Mutex
-	sentClose bool
-
-	// packetPool has a buffer for each extended channel ID to
-	// save allocations during writes.
-	packetPool map[uint32][]byte
-}
-
-// writePacket sends a packet. If the packet is a channel close, it updates
-// sentClose. This method takes the lock c.writeMu.
-func (ch *channel) writePacket(packet []byte) error {
-	ch.writeMu.Lock()
-	if ch.sentClose {
-		ch.writeMu.Unlock()
-		return io.EOF
-	}
-	ch.sentClose = (packet[0] == msgChannelClose)
-	err := ch.mux.conn.writePacket(packet)
-	ch.writeMu.Unlock()
-	return err
-}
-
-func (ch *channel) sendMessage(msg interface{}) error {
-	if debugMux {
-		log.Printf("send(%d): %#v", ch.mux.chanList.offset, msg)
-	}
-
-	p := Marshal(msg)
-	binary.BigEndian.PutUint32(p[1:], ch.remoteId)
-	return ch.writePacket(p)
-}
-
-// WriteExtended writes data to a specific extended stream. These streams are
-// used, for example, for stderr.
-func (ch *channel) WriteExtended(data []byte, extendedCode uint32) (n int, err error) {
-	if ch.sentEOF {
-		return 0, io.EOF
-	}
-	// 1 byte message type, 4 bytes remoteId, 4 bytes data length
-	opCode := byte(msgChannelData)
-	headerLength := uint32(9)
-	if extendedCode > 0 {
-		headerLength += 4
-		opCode = msgChannelExtendedData
-	}
-
-	ch.writeMu.Lock()
-	packet := ch.packetPool[extendedCode]
-	// We don't remove the buffer from packetPool, so
-	// WriteExtended calls from different goroutines will be
-	// flagged as errors by the race detector.
-	ch.writeMu.Unlock()
-
-	for len(data) > 0 {
-		space := min(ch.maxRemotePayload, len(data))
-		if space, err = ch.remoteWin.reserve(space); err != nil {
-			return n, err
-		}
-		if want := headerLength + space; uint32(cap(packet)) < want {
-			packet = make([]byte, want)
-		} else {
-			packet = packet[:want]
-		}
-
-		todo := data[:space]
-
-		packet[0] = opCode
-		binary.BigEndian.PutUint32(packet[1:], ch.remoteId)
-		if extendedCode > 0 {
-			binary.BigEndian.PutUint32(packet[5:], uint32(extendedCode))
-		}
-		binary.BigEndian.PutUint32(packet[headerLength-4:], uint32(len(todo)))
-		copy(packet[headerLength:], todo)
-		if err = ch.writePacket(packet); err != nil {
-			return n, err
-		}
-
-		n += len(todo)
-		data = data[len(todo):]
-	}
-
-	ch.writeMu.Lock()
-	ch.packetPool[extendedCode] = packet
-	ch.writeMu.Unlock()
-
-	return n, err
-}
-
-func (ch *channel) handleData(packet []byte) error {
-	headerLen := 9
-	isExtendedData := packet[0] == msgChannelExtendedData
-	if isExtendedData {
-		headerLen = 13
-	}
-	if len(packet) < headerLen {
-		// malformed data packet
-		return parseError(packet[0])
-	}
-
-	var extended uint32
-	if isExtendedData {
-		extended = binary.BigEndian.Uint32(packet[5:])
-	}
-
-	length := binary.BigEndian.Uint32(packet[headerLen-4 : headerLen])
-	if length == 0 {
-		return nil
-	}
-	if length > ch.maxIncomingPayload {
-		// TODO(hanwen): should send Disconnect?
-		return errors.New("ssh: incoming packet exceeds maximum payload size")
-	}
-
-	data := packet[headerLen:]
-	if length != uint32(len(data)) {
-		return errors.New("ssh: wrong packet length")
-	}
-
-	ch.windowMu.Lock()
-	if ch.myWindow < length {
-		ch.windowMu.Unlock()
-		// TODO(hanwen): should send Disconnect with reason?
-		return errors.New("ssh: remote side wrote too much")
-	}
-	ch.myWindow -= length
-	ch.windowMu.Unlock()
-
-	if extended == 1 {
-		ch.extPending.write(data)
-	} else if extended > 0 {
-		// discard other extended data.
-	} else {
-		ch.pending.write(data)
-	}
-	return nil
-}
-
-func (c *channel) adjustWindow(n uint32) error {
-	c.windowMu.Lock()
-	// Since myWindow is managed on our side, and can never exceed
-	// the initial window setting, we don't worry about overflow.
-	c.myWindow += uint32(n)
-	c.windowMu.Unlock()
-	return c.sendMessage(windowAdjustMsg{
-		AdditionalBytes: uint32(n),
-	})
-}
-
-func (c *channel) ReadExtended(data []byte, extended uint32) (n int, err error) {
-	switch extended {
-	case 1:
-		n, err = c.extPending.Read(data)
-	case 0:
-		n, err = c.pending.Read(data)
-	default:
-		return 0, fmt.Errorf("ssh: extended code %d unimplemented", extended)
-	}
-
-	if n > 0 {
-		err = c.adjustWindow(uint32(n))
-		// sendWindowAdjust can return io.EOF if the remote
-		// peer has closed the connection, however we want to
-		// defer forwarding io.EOF to the caller of Read until
-		// the buffer has been drained.
-		if n > 0 && err == io.EOF {
-			err = nil
-		}
-	}
-
-	return n, err
-}
-
-func (c *channel) close() {
-	c.pending.eof()
-	c.extPending.eof()
-	close(c.msg)
-	close(c.incomingRequests)
-	c.writeMu.Lock()
-	// This is not necessary for a normal channel teardown, but if
-	// there was another error, it is.
-	c.sentClose = true
-	c.writeMu.Unlock()
-	// Unblock writers.
-	c.remoteWin.close()
-}
-
-// responseMessageReceived is called when a success or failure message is
-// received on a channel to check that such a message is reasonable for the
-// given channel.
-func (ch *channel) responseMessageReceived() error {
-	if ch.direction == channelInbound {
-		return errors.New("ssh: channel response message received on inbound channel")
-	}
-	if ch.decided {
-		return errors.New("ssh: duplicate response received for channel")
-	}
-	ch.decided = true
-	return nil
-}
-
-func (ch *channel) handlePacket(packet []byte) error {
-	switch packet[0] {
-	case msgChannelData, msgChannelExtendedData:
-		return ch.handleData(packet)
-	case msgChannelClose:
-		ch.sendMessage(channelCloseMsg{PeersID: ch.remoteId})
-		ch.mux.chanList.remove(ch.localId)
-		ch.close()
-		return nil
-	case msgChannelEOF:
-		// RFC 4254 is mute on how EOF affects dataExt messages but
-		// it is logical to signal EOF at the same time.
-		ch.extPending.eof()
-		ch.pending.eof()
-		return nil
-	}
-
-	decoded, err := decode(packet)
-	if err != nil {
-		return err
-	}
-
-	switch msg := decoded.(type) {
-	case *channelOpenFailureMsg:
-		if err := ch.responseMessageReceived(); err != nil {
-			return err
-		}
-		ch.mux.chanList.remove(msg.PeersID)
-		ch.msg <- msg
-	case *channelOpenConfirmMsg:
-		if err := ch.responseMessageReceived(); err != nil {
-			return err
-		}
-		if msg.MaxPacketSize < minPacketLength || msg.MaxPacketSize > 1<<31 {
-			return fmt.Errorf("ssh: invalid MaxPacketSize %d from peer", msg.MaxPacketSize)
-		}
-		ch.remoteId = msg.MyID
-		ch.maxRemotePayload = msg.MaxPacketSize
-		ch.remoteWin.add(msg.MyWindow)
-		ch.msg <- msg
-	case *windowAdjustMsg:
-		if !ch.remoteWin.add(msg.AdditionalBytes) {
-			return fmt.Errorf("ssh: invalid window update for %d bytes", msg.AdditionalBytes)
-		}
-	case *channelRequestMsg:
-		req := Request{
-			Type:      msg.Request,
-			WantReply: msg.WantReply,
-			Payload:   msg.RequestSpecificData,
-			ch:        ch,
-		}
-
-		ch.incomingRequests <- &req
-	default:
-		ch.msg <- msg
-	}
-	return nil
-}
-
-func (m *mux) newChannel(chanType string, direction channelDirection, extraData []byte) *channel {
-	ch := &channel{
-		remoteWin:        window{Cond: newCond()},
-		myWindow:         channelWindowSize,
-		pending:          newBuffer(),
-		extPending:       newBuffer(),
-		direction:        direction,
-		incomingRequests: make(chan *Request, chanSize),
-		msg:              make(chan interface{}, chanSize),
-		chanType:         chanType,
-		extraData:        extraData,
-		mux:              m,
-		packetPool:       make(map[uint32][]byte),
-	}
-	ch.localId = m.chanList.add(ch)
-	return ch
-}
-
-var errUndecided = errors.New("ssh: must Accept or Reject channel")
-var errDecidedAlready = errors.New("ssh: can call Accept or Reject only once")
-
-type extChannel struct {
-	code uint32
-	ch   *channel
-}
-
-func (e *extChannel) Write(data []byte) (n int, err error) {
-	return e.ch.WriteExtended(data, e.code)
-}
-
-func (e *extChannel) Read(data []byte) (n int, err error) {
-	return e.ch.ReadExtended(data, e.code)
-}
-
-func (ch *channel) Accept() (Channel, <-chan *Request, error) {
-	if ch.decided {
-		return nil, nil, errDecidedAlready
-	}
-	ch.maxIncomingPayload = channelMaxPacket
-	confirm := channelOpenConfirmMsg{
-		PeersID:       ch.remoteId,
-		MyID:          ch.localId,
-		MyWindow:      ch.myWindow,
-		MaxPacketSize: ch.maxIncomingPayload,
-	}
-	ch.decided = true
-	if err := ch.sendMessage(confirm); err != nil {
-		return nil, nil, err
-	}
-
-	return ch, ch.incomingRequests, nil
-}
-
-func (ch *channel) Reject(reason RejectionReason, message string) error {
-	if ch.decided {
-		return errDecidedAlready
-	}
-	reject := channelOpenFailureMsg{
-		PeersID:  ch.remoteId,
-		Reason:   reason,
-		Message:  message,
-		Language: "en",
-	}
-	ch.decided = true
-	return ch.sendMessage(reject)
-}
-
-func (ch *channel) Read(data []byte) (int, error) {
-	if !ch.decided {
-		return 0, errUndecided
-	}
-	return ch.ReadExtended(data, 0)
-}
-
-func (ch *channel) Write(data []byte) (int, error) {
-	if !ch.decided {
-		return 0, errUndecided
-	}
-	return ch.WriteExtended(data, 0)
-}
-
-func (ch *channel) CloseWrite() error {
-	if !ch.decided {
-		return errUndecided
-	}
-	ch.sentEOF = true
-	return ch.sendMessage(channelEOFMsg{
-		PeersID: ch.remoteId})
-}
-
-func (ch *channel) Close() error {
-	if !ch.decided {
-		return errUndecided
-	}
-
-	return ch.sendMessage(channelCloseMsg{
-		PeersID: ch.remoteId})
-}
-
-// Extended returns an io.ReadWriter that sends and receives data on the given,
-// SSH extended stream. Such streams are used, for example, for stderr.
-func (ch *channel) Extended(code uint32) io.ReadWriter {
-	if !ch.decided {
-		return nil
-	}
-	return &extChannel{code, ch}
-}
-
-func (ch *channel) Stderr() io.ReadWriter {
-	return ch.Extended(1)
-}
-
-func (ch *channel) SendRequest(name string, wantReply bool, payload []byte) (bool, error) {
-	if !ch.decided {
-		return false, errUndecided
-	}
-
-	if wantReply {
-		ch.sentRequestMu.Lock()
-		defer ch.sentRequestMu.Unlock()
-	}
-
-	msg := channelRequestMsg{
-		PeersID:             ch.remoteId,
-		Request:             name,
-		WantReply:           wantReply,
-		RequestSpecificData: payload,
-	}
-
-	if err := ch.sendMessage(msg); err != nil {
-		return false, err
-	}
-
-	if wantReply {
-		m, ok := (<-ch.msg)
-		if !ok {
-			return false, io.EOF
-		}
-		switch m.(type) {
-		case *channelRequestFailureMsg:
-			return false, nil
-		case *channelRequestSuccessMsg:
-			return true, nil
-		default:
-			return false, fmt.Errorf("ssh: unexpected response to channel request: %#v", m)
-		}
-	}
-
-	return false, nil
-}
-
-// ackRequest either sends an ack or nack to the channel request.
-func (ch *channel) ackRequest(ok bool) error {
-	if !ch.decided {
-		return errUndecided
-	}
-
-	var msg interface{}
-	if !ok {
-		msg = channelRequestFailureMsg{
-			PeersID: ch.remoteId,
-		}
-	} else {
-		msg = channelRequestSuccessMsg{
-			PeersID: ch.remoteId,
-		}
-	}
-	return ch.sendMessage(msg)
-}
-
-func (ch *channel) ChannelType() string {
-	return ch.chanType
-}
-
-func (ch *channel) ExtraData() []byte {
-	return ch.extraData
-}
diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
deleted file mode 100644
index 30a49fdf..00000000
--- a/vendor/golang.org/x/crypto/ssh/cipher.go
+++ /dev/null
@@ -1,771 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/des"
-	"crypto/rc4"
-	"crypto/subtle"
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"hash"
-	"io"
-	"io/ioutil"
-
-	"golang.org/x/crypto/internal/chacha20"
-	"golang.org/x/crypto/poly1305"
-)
-
-const (
-	packetSizeMultiple = 16 // TODO(huin) this should be determined by the cipher.
-
-	// RFC 4253 section 6.1 defines a minimum packet size of 32768 that implementations
-	// MUST be able to process (plus a few more kilobytes for padding and mac). The RFC
-	// indicates implementations SHOULD be able to handle larger packet sizes, but then
-	// waffles on about reasonable limits.
-	//
-	// OpenSSH caps their maxPacket at 256kB so we choose to do
-	// the same. maxPacket is also used to ensure that uint32
-	// length fields do not overflow, so it should remain well
-	// below 4G.
-	maxPacket = 256 * 1024
-)
-
-// noneCipher implements cipher.Stream and provides no encryption. It is used
-// by the transport before the first key-exchange.
-type noneCipher struct{}
-
-func (c noneCipher) XORKeyStream(dst, src []byte) {
-	copy(dst, src)
-}
-
-func newAESCTR(key, iv []byte) (cipher.Stream, error) {
-	c, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-	return cipher.NewCTR(c, iv), nil
-}
-
-func newRC4(key, iv []byte) (cipher.Stream, error) {
-	return rc4.NewCipher(key)
-}
-
-type cipherMode struct {
-	keySize int
-	ivSize  int
-	create  func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error)
-}
-
-func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream, error)) func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
-	return func(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
-		stream, err := createFunc(key, iv)
-		if err != nil {
-			return nil, err
-		}
-
-		var streamDump []byte
-		if skip > 0 {
-			streamDump = make([]byte, 512)
-		}
-
-		for remainingToDump := skip; remainingToDump > 0; {
-			dumpThisTime := remainingToDump
-			if dumpThisTime > len(streamDump) {
-				dumpThisTime = len(streamDump)
-			}
-			stream.XORKeyStream(streamDump[:dumpThisTime], streamDump[:dumpThisTime])
-			remainingToDump -= dumpThisTime
-		}
-
-		mac := macModes[algs.MAC].new(macKey)
-		return &streamPacketCipher{
-			mac:       mac,
-			etm:       macModes[algs.MAC].etm,
-			macResult: make([]byte, mac.Size()),
-			cipher:    stream,
-		}, nil
-	}
-}
-
-// cipherModes documents properties of supported ciphers. Ciphers not included
-// are not supported and will not be negotiated, even if explicitly requested in
-// ClientConfig.Crypto.Ciphers.
-var cipherModes = map[string]*cipherMode{
-	// Ciphers from RFC4344, which introduced many CTR-based ciphers. Algorithms
-	// are defined in the order specified in the RFC.
-	"aes128-ctr": {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	"aes192-ctr": {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	"aes256-ctr": {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-
-	// Ciphers from RFC4345, which introduces security-improved arcfour ciphers.
-	// They are defined in the order specified in the RFC.
-	"arcfour128": {16, 0, streamCipherMode(1536, newRC4)},
-	"arcfour256": {32, 0, streamCipherMode(1536, newRC4)},
-
-	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
-	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
-	// RC4) has problems with weak keys, and should be used with caution."
-	// RFC4345 introduces improved versions of Arcfour.
-	"arcfour": {16, 0, streamCipherMode(0, newRC4)},
-
-	// AEAD ciphers
-	gcmCipherID:        {16, 12, newGCMCipher},
-	chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
-
-	// CBC mode is insecure and so is not included in the default config.
-	// (See http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf). If absolutely
-	// needed, it's possible to specify a custom Config to enable it.
-	// You should expect that an active attacker can recover plaintext if
-	// you do.
-	aes128cbcID: {16, aes.BlockSize, newAESCBCCipher},
-
-	// 3des-cbc is insecure and is not included in the default
-	// config.
-	tripledescbcID: {24, des.BlockSize, newTripleDESCBCCipher},
-}
-
-// prefixLen is the length of the packet prefix that contains the packet length
-// and number of padding bytes.
-const prefixLen = 5
-
-// streamPacketCipher is a packetCipher using a stream cipher.
-type streamPacketCipher struct {
-	mac    hash.Hash
-	cipher cipher.Stream
-	etm    bool
-
-	// The following members are to avoid per-packet allocations.
-	prefix      [prefixLen]byte
-	seqNumBytes [4]byte
-	padding     [2 * packetSizeMultiple]byte
-	packetData  []byte
-	macResult   []byte
-}
-
-// readPacket reads and decrypt a single packet from the reader argument.
-func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, error) {
-	if _, err := io.ReadFull(r, s.prefix[:]); err != nil {
-		return nil, err
-	}
-
-	var encryptedPaddingLength [1]byte
-	if s.mac != nil && s.etm {
-		copy(encryptedPaddingLength[:], s.prefix[4:5])
-		s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
-	} else {
-		s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
-	}
-
-	length := binary.BigEndian.Uint32(s.prefix[0:4])
-	paddingLength := uint32(s.prefix[4])
-
-	var macSize uint32
-	if s.mac != nil {
-		s.mac.Reset()
-		binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
-		s.mac.Write(s.seqNumBytes[:])
-		if s.etm {
-			s.mac.Write(s.prefix[:4])
-			s.mac.Write(encryptedPaddingLength[:])
-		} else {
-			s.mac.Write(s.prefix[:])
-		}
-		macSize = uint32(s.mac.Size())
-	}
-
-	if length <= paddingLength+1 {
-		return nil, errors.New("ssh: invalid packet length, packet too small")
-	}
-
-	if length > maxPacket {
-		return nil, errors.New("ssh: invalid packet length, packet too large")
-	}
-
-	// the maxPacket check above ensures that length-1+macSize
-	// does not overflow.
-	if uint32(cap(s.packetData)) < length-1+macSize {
-		s.packetData = make([]byte, length-1+macSize)
-	} else {
-		s.packetData = s.packetData[:length-1+macSize]
-	}
-
-	if _, err := io.ReadFull(r, s.packetData); err != nil {
-		return nil, err
-	}
-	mac := s.packetData[length-1:]
-	data := s.packetData[:length-1]
-
-	if s.mac != nil && s.etm {
-		s.mac.Write(data)
-	}
-
-	s.cipher.XORKeyStream(data, data)
-
-	if s.mac != nil {
-		if !s.etm {
-			s.mac.Write(data)
-		}
-		s.macResult = s.mac.Sum(s.macResult[:0])
-		if subtle.ConstantTimeCompare(s.macResult, mac) != 1 {
-			return nil, errors.New("ssh: MAC failure")
-		}
-	}
-
-	return s.packetData[:length-paddingLength-1], nil
-}
-
-// writePacket encrypts and sends a packet of data to the writer argument
-func (s *streamPacketCipher) writePacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
-	if len(packet) > maxPacket {
-		return errors.New("ssh: packet too large")
-	}
-
-	aadlen := 0
-	if s.mac != nil && s.etm {
-		// packet length is not encrypted for EtM modes
-		aadlen = 4
-	}
-
-	paddingLength := packetSizeMultiple - (prefixLen+len(packet)-aadlen)%packetSizeMultiple
-	if paddingLength < 4 {
-		paddingLength += packetSizeMultiple
-	}
-
-	length := len(packet) + 1 + paddingLength
-	binary.BigEndian.PutUint32(s.prefix[:], uint32(length))
-	s.prefix[4] = byte(paddingLength)
-	padding := s.padding[:paddingLength]
-	if _, err := io.ReadFull(rand, padding); err != nil {
-		return err
-	}
-
-	if s.mac != nil {
-		s.mac.Reset()
-		binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
-		s.mac.Write(s.seqNumBytes[:])
-
-		if s.etm {
-			// For EtM algorithms, the packet length must stay unencrypted,
-			// but the following data (padding length) must be encrypted
-			s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
-		}
-
-		s.mac.Write(s.prefix[:])
-
-		if !s.etm {
-			// For non-EtM algorithms, the algorithm is applied on unencrypted data
-			s.mac.Write(packet)
-			s.mac.Write(padding)
-		}
-	}
-
-	if !(s.mac != nil && s.etm) {
-		// For EtM algorithms, the padding length has already been encrypted
-		// and the packet length must remain unencrypted
-		s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
-	}
-
-	s.cipher.XORKeyStream(packet, packet)
-	s.cipher.XORKeyStream(padding, padding)
-
-	if s.mac != nil && s.etm {
-		// For EtM algorithms, packet and padding must be encrypted
-		s.mac.Write(packet)
-		s.mac.Write(padding)
-	}
-
-	if _, err := w.Write(s.prefix[:]); err != nil {
-		return err
-	}
-	if _, err := w.Write(packet); err != nil {
-		return err
-	}
-	if _, err := w.Write(padding); err != nil {
-		return err
-	}
-
-	if s.mac != nil {
-		s.macResult = s.mac.Sum(s.macResult[:0])
-		if _, err := w.Write(s.macResult); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-type gcmCipher struct {
-	aead   cipher.AEAD
-	prefix [4]byte
-	iv     []byte
-	buf    []byte
-}
-
-func newGCMCipher(key, iv, unusedMacKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
-	c, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	aead, err := cipher.NewGCM(c)
-	if err != nil {
-		return nil, err
-	}
-
-	return &gcmCipher{
-		aead: aead,
-		iv:   iv,
-	}, nil
-}
-
-const gcmTagSize = 16
-
-func (c *gcmCipher) writePacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
-	// Pad out to multiple of 16 bytes. This is different from the
-	// stream cipher because that encrypts the length too.
-	padding := byte(packetSizeMultiple - (1+len(packet))%packetSizeMultiple)
-	if padding < 4 {
-		padding += packetSizeMultiple
-	}
-
-	length := uint32(len(packet) + int(padding) + 1)
-	binary.BigEndian.PutUint32(c.prefix[:], length)
-	if _, err := w.Write(c.prefix[:]); err != nil {
-		return err
-	}
-
-	if cap(c.buf) < int(length) {
-		c.buf = make([]byte, length)
-	} else {
-		c.buf = c.buf[:length]
-	}
-
-	c.buf[0] = padding
-	copy(c.buf[1:], packet)
-	if _, err := io.ReadFull(rand, c.buf[1+len(packet):]); err != nil {
-		return err
-	}
-	c.buf = c.aead.Seal(c.buf[:0], c.iv, c.buf, c.prefix[:])
-	if _, err := w.Write(c.buf); err != nil {
-		return err
-	}
-	c.incIV()
-
-	return nil
-}
-
-func (c *gcmCipher) incIV() {
-	for i := 4 + 7; i >= 4; i-- {
-		c.iv[i]++
-		if c.iv[i] != 0 {
-			break
-		}
-	}
-}
-
-func (c *gcmCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, error) {
-	if _, err := io.ReadFull(r, c.prefix[:]); err != nil {
-		return nil, err
-	}
-	length := binary.BigEndian.Uint32(c.prefix[:])
-	if length > maxPacket {
-		return nil, errors.New("ssh: max packet length exceeded")
-	}
-
-	if cap(c.buf) < int(length+gcmTagSize) {
-		c.buf = make([]byte, length+gcmTagSize)
-	} else {
-		c.buf = c.buf[:length+gcmTagSize]
-	}
-
-	if _, err := io.ReadFull(r, c.buf); err != nil {
-		return nil, err
-	}
-
-	plain, err := c.aead.Open(c.buf[:0], c.iv, c.buf, c.prefix[:])
-	if err != nil {
-		return nil, err
-	}
-	c.incIV()
-
-	padding := plain[0]
-	if padding < 4 {
-		// padding is a byte, so it automatically satisfies
-		// the maximum size, which is 255.
-		return nil, fmt.Errorf("ssh: illegal padding %d", padding)
-	}
-
-	if int(padding+1) >= len(plain) {
-		return nil, fmt.Errorf("ssh: padding %d too large", padding)
-	}
-	plain = plain[1 : length-uint32(padding)]
-	return plain, nil
-}
-
-// cbcCipher implements aes128-cbc cipher defined in RFC 4253 section 6.1
-type cbcCipher struct {
-	mac       hash.Hash
-	macSize   uint32
-	decrypter cipher.BlockMode
-	encrypter cipher.BlockMode
-
-	// The following members are to avoid per-packet allocations.
-	seqNumBytes [4]byte
-	packetData  []byte
-	macResult   []byte
-
-	// Amount of data we should still read to hide which
-	// verification error triggered.
-	oracleCamouflage uint32
-}
-
-func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
-	cbc := &cbcCipher{
-		mac:        macModes[algs.MAC].new(macKey),
-		decrypter:  cipher.NewCBCDecrypter(c, iv),
-		encrypter:  cipher.NewCBCEncrypter(c, iv),
-		packetData: make([]byte, 1024),
-	}
-	if cbc.mac != nil {
-		cbc.macSize = uint32(cbc.mac.Size())
-	}
-
-	return cbc, nil
-}
-
-func newAESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
-	c, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	cbc, err := newCBCCipher(c, key, iv, macKey, algs)
-	if err != nil {
-		return nil, err
-	}
-
-	return cbc, nil
-}
-
-func newTripleDESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
-	c, err := des.NewTripleDESCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	cbc, err := newCBCCipher(c, key, iv, macKey, algs)
-	if err != nil {
-		return nil, err
-	}
-
-	return cbc, nil
-}
-
-func maxUInt32(a, b int) uint32 {
-	if a > b {
-		return uint32(a)
-	}
-	return uint32(b)
-}
-
-const (
-	cbcMinPacketSizeMultiple = 8
-	cbcMinPacketSize         = 16
-	cbcMinPaddingSize        = 4
-)
-
-// cbcError represents a verification error that may leak information.
-type cbcError string
-
-func (e cbcError) Error() string { return string(e) }
-
-func (c *cbcCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, error) {
-	p, err := c.readPacketLeaky(seqNum, r)
-	if err != nil {
-		if _, ok := err.(cbcError); ok {
-			// Verification error: read a fixed amount of
-			// data, to make distinguishing between
-			// failing MAC and failing length check more
-			// difficult.
-			io.CopyN(ioutil.Discard, r, int64(c.oracleCamouflage))
-		}
-	}
-	return p, err
-}
-
-func (c *cbcCipher) readPacketLeaky(seqNum uint32, r io.Reader) ([]byte, error) {
-	blockSize := c.decrypter.BlockSize()
-
-	// Read the header, which will include some of the subsequent data in the
-	// case of block ciphers - this is copied back to the payload later.
-	// How many bytes of payload/padding will be read with this first read.
-	firstBlockLength := uint32((prefixLen + blockSize - 1) / blockSize * blockSize)
-	firstBlock := c.packetData[:firstBlockLength]
-	if _, err := io.ReadFull(r, firstBlock); err != nil {
-		return nil, err
-	}
-
-	c.oracleCamouflage = maxPacket + 4 + c.macSize - firstBlockLength
-
-	c.decrypter.CryptBlocks(firstBlock, firstBlock)
-	length := binary.BigEndian.Uint32(firstBlock[:4])
-	if length > maxPacket {
-		return nil, cbcError("ssh: packet too large")
-	}
-	if length+4 < maxUInt32(cbcMinPacketSize, blockSize) {
-		// The minimum size of a packet is 16 (or the cipher block size, whichever
-		// is larger) bytes.
-		return nil, cbcError("ssh: packet too small")
-	}
-	// The length of the packet (including the length field but not the MAC) must
-	// be a multiple of the block size or 8, whichever is larger.
-	if (length+4)%maxUInt32(cbcMinPacketSizeMultiple, blockSize) != 0 {
-		return nil, cbcError("ssh: invalid packet length multiple")
-	}
-
-	paddingLength := uint32(firstBlock[4])
-	if paddingLength < cbcMinPaddingSize || length <= paddingLength+1 {
-		return nil, cbcError("ssh: invalid packet length")
-	}
-
-	// Positions within the c.packetData buffer:
-	macStart := 4 + length
-	paddingStart := macStart - paddingLength
-
-	// Entire packet size, starting before length, ending at end of mac.
-	entirePacketSize := macStart + c.macSize
-
-	// Ensure c.packetData is large enough for the entire packet data.
-	if uint32(cap(c.packetData)) < entirePacketSize {
-		// Still need to upsize and copy, but this should be rare at runtime, only
-		// on upsizing the packetData buffer.
-		c.packetData = make([]byte, entirePacketSize)
-		copy(c.packetData, firstBlock)
-	} else {
-		c.packetData = c.packetData[:entirePacketSize]
-	}
-
-	n, err := io.ReadFull(r, c.packetData[firstBlockLength:])
-	if err != nil {
-		return nil, err
-	}
-	c.oracleCamouflage -= uint32(n)
-
-	remainingCrypted := c.packetData[firstBlockLength:macStart]
-	c.decrypter.CryptBlocks(remainingCrypted, remainingCrypted)
-
-	mac := c.packetData[macStart:]
-	if c.mac != nil {
-		c.mac.Reset()
-		binary.BigEndian.PutUint32(c.seqNumBytes[:], seqNum)
-		c.mac.Write(c.seqNumBytes[:])
-		c.mac.Write(c.packetData[:macStart])
-		c.macResult = c.mac.Sum(c.macResult[:0])
-		if subtle.ConstantTimeCompare(c.macResult, mac) != 1 {
-			return nil, cbcError("ssh: MAC failure")
-		}
-	}
-
-	return c.packetData[prefixLen:paddingStart], nil
-}
-
-func (c *cbcCipher) writePacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
-	effectiveBlockSize := maxUInt32(cbcMinPacketSizeMultiple, c.encrypter.BlockSize())
-
-	// Length of encrypted portion of the packet (header, payload, padding).
-	// Enforce minimum padding and packet size.
-	encLength := maxUInt32(prefixLen+len(packet)+cbcMinPaddingSize, cbcMinPaddingSize)
-	// Enforce block size.
-	encLength = (encLength + effectiveBlockSize - 1) / effectiveBlockSize * effectiveBlockSize
-
-	length := encLength - 4
-	paddingLength := int(length) - (1 + len(packet))
-
-	// Overall buffer contains: header, payload, padding, mac.
-	// Space for the MAC is reserved in the capacity but not the slice length.
-	bufferSize := encLength + c.macSize
-	if uint32(cap(c.packetData)) < bufferSize {
-		c.packetData = make([]byte, encLength, bufferSize)
-	} else {
-		c.packetData = c.packetData[:encLength]
-	}
-
-	p := c.packetData
-
-	// Packet header.
-	binary.BigEndian.PutUint32(p, length)
-	p = p[4:]
-	p[0] = byte(paddingLength)
-
-	// Payload.
-	p = p[1:]
-	copy(p, packet)
-
-	// Padding.
-	p = p[len(packet):]
-	if _, err := io.ReadFull(rand, p); err != nil {
-		return err
-	}
-
-	if c.mac != nil {
-		c.mac.Reset()
-		binary.BigEndian.PutUint32(c.seqNumBytes[:], seqNum)
-		c.mac.Write(c.seqNumBytes[:])
-		c.mac.Write(c.packetData)
-		// The MAC is now appended into the capacity reserved for it earlier.
-		c.packetData = c.mac.Sum(c.packetData)
-	}
-
-	c.encrypter.CryptBlocks(c.packetData[:encLength], c.packetData[:encLength])
-
-	if _, err := w.Write(c.packetData); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-const chacha20Poly1305ID = "chacha20-poly1305@openssh.com"
-
-// chacha20Poly1305Cipher implements the chacha20-poly1305@openssh.com
-// AEAD, which is described here:
-//
-//   https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00
-//
-// the methods here also implement padding, which RFC4253 Section 6
-// also requires of stream ciphers.
-type chacha20Poly1305Cipher struct {
-	lengthKey  [32]byte
-	contentKey [32]byte
-	buf        []byte
-}
-
-func newChaCha20Cipher(key, unusedIV, unusedMACKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
-	if len(key) != 64 {
-		panic(len(key))
-	}
-
-	c := &chacha20Poly1305Cipher{
-		buf: make([]byte, 256),
-	}
-
-	copy(c.contentKey[:], key[:32])
-	copy(c.lengthKey[:], key[32:])
-	return c, nil
-}
-
-// The Poly1305 key is obtained by encrypting 32 0-bytes.
-var chacha20PolyKeyInput [32]byte
-
-func (c *chacha20Poly1305Cipher) readPacket(seqNum uint32, r io.Reader) ([]byte, error) {
-	var counter [16]byte
-	binary.BigEndian.PutUint64(counter[8:], uint64(seqNum))
-
-	var polyKey [32]byte
-	chacha20.XORKeyStream(polyKey[:], chacha20PolyKeyInput[:], &counter, &c.contentKey)
-
-	encryptedLength := c.buf[:4]
-	if _, err := io.ReadFull(r, encryptedLength); err != nil {
-		return nil, err
-	}
-
-	var lenBytes [4]byte
-	chacha20.XORKeyStream(lenBytes[:], encryptedLength, &counter, &c.lengthKey)
-
-	length := binary.BigEndian.Uint32(lenBytes[:])
-	if length > maxPacket {
-		return nil, errors.New("ssh: invalid packet length, packet too large")
-	}
-
-	contentEnd := 4 + length
-	packetEnd := contentEnd + poly1305.TagSize
-	if uint32(cap(c.buf)) < packetEnd {
-		c.buf = make([]byte, packetEnd)
-		copy(c.buf[:], encryptedLength)
-	} else {
-		c.buf = c.buf[:packetEnd]
-	}
-
-	if _, err := io.ReadFull(r, c.buf[4:packetEnd]); err != nil {
-		return nil, err
-	}
-
-	var mac [poly1305.TagSize]byte
-	copy(mac[:], c.buf[contentEnd:packetEnd])
-	if !poly1305.Verify(&mac, c.buf[:contentEnd], &polyKey) {
-		return nil, errors.New("ssh: MAC failure")
-	}
-
-	counter[0] = 1
-
-	plain := c.buf[4:contentEnd]
-	chacha20.XORKeyStream(plain, plain, &counter, &c.contentKey)
-
-	padding := plain[0]
-	if padding < 4 {
-		// padding is a byte, so it automatically satisfies
-		// the maximum size, which is 255.
-		return nil, fmt.Errorf("ssh: illegal padding %d", padding)
-	}
-
-	if int(padding)+1 >= len(plain) {
-		return nil, fmt.Errorf("ssh: padding %d too large", padding)
-	}
-
-	plain = plain[1 : len(plain)-int(padding)]
-
-	return plain, nil
-}
-
-func (c *chacha20Poly1305Cipher) writePacket(seqNum uint32, w io.Writer, rand io.Reader, payload []byte) error {
-	var counter [16]byte
-	binary.BigEndian.PutUint64(counter[8:], uint64(seqNum))
-
-	var polyKey [32]byte
-	chacha20.XORKeyStream(polyKey[:], chacha20PolyKeyInput[:], &counter, &c.contentKey)
-
-	// There is no blocksize, so fall back to multiple of 8 byte
-	// padding, as described in RFC 4253, Sec 6.
-	const packetSizeMultiple = 8
-
-	padding := packetSizeMultiple - (1+len(payload))%packetSizeMultiple
-	if padding < 4 {
-		padding += packetSizeMultiple
-	}
-
-	// size (4 bytes), padding (1), payload, padding, tag.
-	totalLength := 4 + 1 + len(payload) + padding + poly1305.TagSize
-	if cap(c.buf) < totalLength {
-		c.buf = make([]byte, totalLength)
-	} else {
-		c.buf = c.buf[:totalLength]
-	}
-
-	binary.BigEndian.PutUint32(c.buf, uint32(1+len(payload)+padding))
-	chacha20.XORKeyStream(c.buf, c.buf[:4], &counter, &c.lengthKey)
-	c.buf[4] = byte(padding)
-	copy(c.buf[5:], payload)
-	packetEnd := 5 + len(payload) + padding
-	if _, err := io.ReadFull(rand, c.buf[5+len(payload):packetEnd]); err != nil {
-		return err
-	}
-
-	counter[0] = 1
-	chacha20.XORKeyStream(c.buf[4:], c.buf[4:packetEnd], &counter, &c.contentKey)
-
-	var mac [poly1305.TagSize]byte
-	poly1305.Sum(&mac, c.buf[:packetEnd], &polyKey)
-
-	copy(c.buf[packetEnd:], mac[:])
-
-	if _, err := w.Write(c.buf); err != nil {
-		return err
-	}
-	return nil
-}
diff --git a/vendor/golang.org/x/crypto/ssh/cipher_test.go b/vendor/golang.org/x/crypto/ssh/cipher_test.go
deleted file mode 100644
index a52d6e48..00000000
--- a/vendor/golang.org/x/crypto/ssh/cipher_test.go
+++ /dev/null
@@ -1,131 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/rand"
-	"testing"
-)
-
-func TestDefaultCiphersExist(t *testing.T) {
-	for _, cipherAlgo := range supportedCiphers {
-		if _, ok := cipherModes[cipherAlgo]; !ok {
-			t.Errorf("supported cipher %q is unknown", cipherAlgo)
-		}
-	}
-	for _, cipherAlgo := range preferredCiphers {
-		if _, ok := cipherModes[cipherAlgo]; !ok {
-			t.Errorf("preferred cipher %q is unknown", cipherAlgo)
-		}
-	}
-}
-
-func TestPacketCiphers(t *testing.T) {
-	defaultMac := "hmac-sha2-256"
-	defaultCipher := "aes128-ctr"
-	for cipher := range cipherModes {
-		t.Run("cipher="+cipher,
-			func(t *testing.T) { testPacketCipher(t, cipher, defaultMac) })
-	}
-	for mac := range macModes {
-		t.Run("mac="+mac,
-			func(t *testing.T) { testPacketCipher(t, defaultCipher, mac) })
-	}
-}
-
-func testPacketCipher(t *testing.T, cipher, mac string) {
-	kr := &kexResult{Hash: crypto.SHA1}
-	algs := directionAlgorithms{
-		Cipher:      cipher,
-		MAC:         mac,
-		Compression: "none",
-	}
-	client, err := newPacketCipher(clientKeys, algs, kr)
-	if err != nil {
-		t.Fatalf("newPacketCipher(client, %q, %q): %v", cipher, mac, err)
-	}
-	server, err := newPacketCipher(clientKeys, algs, kr)
-	if err != nil {
-		t.Fatalf("newPacketCipher(client, %q, %q): %v", cipher, mac, err)
-	}
-
-	want := "bla bla"
-	input := []byte(want)
-	buf := &bytes.Buffer{}
-	if err := client.writePacket(0, buf, rand.Reader, input); err != nil {
-		t.Fatalf("writePacket(%q, %q): %v", cipher, mac, err)
-	}
-
-	packet, err := server.readPacket(0, buf)
-	if err != nil {
-		t.Fatalf("readPacket(%q, %q): %v", cipher, mac, err)
-	}
-
-	if string(packet) != want {
-		t.Errorf("roundtrip(%q, %q): got %q, want %q", cipher, mac, packet, want)
-	}
-}
-
-func TestCBCOracleCounterMeasure(t *testing.T) {
-	kr := &kexResult{Hash: crypto.SHA1}
-	algs := directionAlgorithms{
-		Cipher:      aes128cbcID,
-		MAC:         "hmac-sha1",
-		Compression: "none",
-	}
-	client, err := newPacketCipher(clientKeys, algs, kr)
-	if err != nil {
-		t.Fatalf("newPacketCipher(client): %v", err)
-	}
-
-	want := "bla bla"
-	input := []byte(want)
-	buf := &bytes.Buffer{}
-	if err := client.writePacket(0, buf, rand.Reader, input); err != nil {
-		t.Errorf("writePacket: %v", err)
-	}
-
-	packetSize := buf.Len()
-	buf.Write(make([]byte, 2*maxPacket))
-
-	// We corrupt each byte, but this usually will only test the
-	// 'packet too large' or 'MAC failure' cases.
-	lastRead := -1
-	for i := 0; i < packetSize; i++ {
-		server, err := newPacketCipher(clientKeys, algs, kr)
-		if err != nil {
-			t.Fatalf("newPacketCipher(client): %v", err)
-		}
-
-		fresh := &bytes.Buffer{}
-		fresh.Write(buf.Bytes())
-		fresh.Bytes()[i] ^= 0x01
-
-		before := fresh.Len()
-		_, err = server.readPacket(0, fresh)
-		if err == nil {
-			t.Errorf("corrupt byte %d: readPacket succeeded ", i)
-			continue
-		}
-		if _, ok := err.(cbcError); !ok {
-			t.Errorf("corrupt byte %d: got %v (%T), want cbcError", i, err, err)
-			continue
-		}
-
-		after := fresh.Len()
-		bytesRead := before - after
-		if bytesRead < maxPacket {
-			t.Errorf("corrupt byte %d: read %d bytes, want more than %d", i, bytesRead, maxPacket)
-			continue
-		}
-
-		if i > 0 && bytesRead != lastRead {
-			t.Errorf("corrupt byte %d: read %d bytes, want %d bytes read", i, bytesRead, lastRead)
-		}
-		lastRead = bytesRead
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/client.go b/vendor/golang.org/x/crypto/ssh/client.go
deleted file mode 100644
index 6fd19945..00000000
--- a/vendor/golang.org/x/crypto/ssh/client.go
+++ /dev/null
@@ -1,278 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"net"
-	"os"
-	"sync"
-	"time"
-)
-
-// Client implements a traditional SSH client that supports shells,
-// subprocesses, TCP port/streamlocal forwarding and tunneled dialing.
-type Client struct {
-	Conn
-
-	forwards        forwardList // forwarded tcpip connections from the remote side
-	mu              sync.Mutex
-	channelHandlers map[string]chan NewChannel
-}
-
-// HandleChannelOpen returns a channel on which NewChannel requests
-// for the given type are sent. If the type already is being handled,
-// nil is returned. The channel is closed when the connection is closed.
-func (c *Client) HandleChannelOpen(channelType string) <-chan NewChannel {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.channelHandlers == nil {
-		// The SSH channel has been closed.
-		c := make(chan NewChannel)
-		close(c)
-		return c
-	}
-
-	ch := c.channelHandlers[channelType]
-	if ch != nil {
-		return nil
-	}
-
-	ch = make(chan NewChannel, chanSize)
-	c.channelHandlers[channelType] = ch
-	return ch
-}
-
-// NewClient creates a Client on top of the given connection.
-func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client {
-	conn := &Client{
-		Conn:            c,
-		channelHandlers: make(map[string]chan NewChannel, 1),
-	}
-
-	go conn.handleGlobalRequests(reqs)
-	go conn.handleChannelOpens(chans)
-	go func() {
-		conn.Wait()
-		conn.forwards.closeAll()
-	}()
-	go conn.forwards.handleChannels(conn.HandleChannelOpen("forwarded-tcpip"))
-	go conn.forwards.handleChannels(conn.HandleChannelOpen("forwarded-streamlocal@openssh.com"))
-	return conn
-}
-
-// NewClientConn establishes an authenticated SSH connection using c
-// as the underlying transport.  The Request and NewChannel channels
-// must be serviced or the connection will hang.
-func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error) {
-	fullConf := *config
-	fullConf.SetDefaults()
-	if fullConf.HostKeyCallback == nil {
-		c.Close()
-		return nil, nil, nil, errors.New("ssh: must specify HostKeyCallback")
-	}
-
-	conn := &connection{
-		sshConn: sshConn{conn: c},
-	}
-
-	if err := conn.clientHandshake(addr, &fullConf); err != nil {
-		c.Close()
-		return nil, nil, nil, fmt.Errorf("ssh: handshake failed: %v", err)
-	}
-	conn.mux = newMux(conn.transport)
-	return conn, conn.mux.incomingChannels, conn.mux.incomingRequests, nil
-}
-
-// clientHandshake performs the client side key exchange. See RFC 4253 Section
-// 7.
-func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) error {
-	if config.ClientVersion != "" {
-		c.clientVersion = []byte(config.ClientVersion)
-	} else {
-		c.clientVersion = []byte(packageVersion)
-	}
-	var err error
-	c.serverVersion, err = exchangeVersions(c.sshConn.conn, c.clientVersion)
-	if err != nil {
-		return err
-	}
-
-	c.transport = newClientTransport(
-		newTransport(c.sshConn.conn, config.Rand, true /* is client */),
-		c.clientVersion, c.serverVersion, config, dialAddress, c.sshConn.RemoteAddr())
-	if err := c.transport.waitSession(); err != nil {
-		return err
-	}
-
-	c.sessionID = c.transport.getSessionID()
-	return c.clientAuthenticate(config)
-}
-
-// verifyHostKeySignature verifies the host key obtained in the key
-// exchange.
-func verifyHostKeySignature(hostKey PublicKey, result *kexResult) error {
-	sig, rest, ok := parseSignatureBody(result.Signature)
-	if len(rest) > 0 || !ok {
-		return errors.New("ssh: signature parse error")
-	}
-
-	return hostKey.Verify(result.H, sig)
-}
-
-// NewSession opens a new Session for this client. (A session is a remote
-// execution of a program.)
-func (c *Client) NewSession() (*Session, error) {
-	ch, in, err := c.OpenChannel("session", nil)
-	if err != nil {
-		return nil, err
-	}
-	return newSession(ch, in)
-}
-
-func (c *Client) handleGlobalRequests(incoming <-chan *Request) {
-	for r := range incoming {
-		// This handles keepalive messages and matches
-		// the behaviour of OpenSSH.
-		r.Reply(false, nil)
-	}
-}
-
-// handleChannelOpens channel open messages from the remote side.
-func (c *Client) handleChannelOpens(in <-chan NewChannel) {
-	for ch := range in {
-		c.mu.Lock()
-		handler := c.channelHandlers[ch.ChannelType()]
-		c.mu.Unlock()
-
-		if handler != nil {
-			handler <- ch
-		} else {
-			ch.Reject(UnknownChannelType, fmt.Sprintf("unknown channel type: %v", ch.ChannelType()))
-		}
-	}
-
-	c.mu.Lock()
-	for _, ch := range c.channelHandlers {
-		close(ch)
-	}
-	c.channelHandlers = nil
-	c.mu.Unlock()
-}
-
-// Dial starts a client connection to the given SSH server. It is a
-// convenience function that connects to the given network address,
-// initiates the SSH handshake, and then sets up a Client.  For access
-// to incoming channels and requests, use net.Dial with NewClientConn
-// instead.
-func Dial(network, addr string, config *ClientConfig) (*Client, error) {
-	conn, err := net.DialTimeout(network, addr, config.Timeout)
-	if err != nil {
-		return nil, err
-	}
-	c, chans, reqs, err := NewClientConn(conn, addr, config)
-	if err != nil {
-		return nil, err
-	}
-	return NewClient(c, chans, reqs), nil
-}
-
-// HostKeyCallback is the function type used for verifying server
-// keys.  A HostKeyCallback must return nil if the host key is OK, or
-// an error to reject it. It receives the hostname as passed to Dial
-// or NewClientConn. The remote address is the RemoteAddr of the
-// net.Conn underlying the the SSH connection.
-type HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
-
-// BannerCallback is the function type used for treat the banner sent by
-// the server. A BannerCallback receives the message sent by the remote server.
-type BannerCallback func(message string) error
-
-// A ClientConfig structure is used to configure a Client. It must not be
-// modified after having been passed to an SSH function.
-type ClientConfig struct {
-	// Config contains configuration that is shared between clients and
-	// servers.
-	Config
-
-	// User contains the username to authenticate as.
-	User string
-
-	// Auth contains possible authentication methods to use with the
-	// server. Only the first instance of a particular RFC 4252 method will
-	// be used during authentication.
-	Auth []AuthMethod
-
-	// HostKeyCallback is called during the cryptographic
-	// handshake to validate the server's host key. The client
-	// configuration must supply this callback for the connection
-	// to succeed. The functions InsecureIgnoreHostKey or
-	// FixedHostKey can be used for simplistic host key checks.
-	HostKeyCallback HostKeyCallback
-
-	// BannerCallback is called during the SSH dance to display a custom
-	// server's message. The client configuration can supply this callback to
-	// handle it as wished. The function BannerDisplayStderr can be used for
-	// simplistic display on Stderr.
-	BannerCallback BannerCallback
-
-	// ClientVersion contains the version identification string that will
-	// be used for the connection. If empty, a reasonable default is used.
-	ClientVersion string
-
-	// HostKeyAlgorithms lists the key types that the client will
-	// accept from the server as host key, in order of
-	// preference. If empty, a reasonable default is used. Any
-	// string returned from PublicKey.Type method may be used, or
-	// any of the CertAlgoXxxx and KeyAlgoXxxx constants.
-	HostKeyAlgorithms []string
-
-	// Timeout is the maximum amount of time for the TCP connection to establish.
-	//
-	// A Timeout of zero means no timeout.
-	Timeout time.Duration
-}
-
-// InsecureIgnoreHostKey returns a function that can be used for
-// ClientConfig.HostKeyCallback to accept any host key. It should
-// not be used for production code.
-func InsecureIgnoreHostKey() HostKeyCallback {
-	return func(hostname string, remote net.Addr, key PublicKey) error {
-		return nil
-	}
-}
-
-type fixedHostKey struct {
-	key PublicKey
-}
-
-func (f *fixedHostKey) check(hostname string, remote net.Addr, key PublicKey) error {
-	if f.key == nil {
-		return fmt.Errorf("ssh: required host key was nil")
-	}
-	if !bytes.Equal(key.Marshal(), f.key.Marshal()) {
-		return fmt.Errorf("ssh: host key mismatch")
-	}
-	return nil
-}
-
-// FixedHostKey returns a function for use in
-// ClientConfig.HostKeyCallback to accept only a specific host key.
-func FixedHostKey(key PublicKey) HostKeyCallback {
-	hk := &fixedHostKey{key}
-	return hk.check
-}
-
-// BannerDisplayStderr returns a function that can be used for
-// ClientConfig.BannerCallback to display banners on os.Stderr.
-func BannerDisplayStderr() BannerCallback {
-	return func(banner string) error {
-		_, err := os.Stderr.WriteString(banner)
-
-		return err
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/client_auth.go b/vendor/golang.org/x/crypto/ssh/client_auth.go
deleted file mode 100644
index a1252cb9..00000000
--- a/vendor/golang.org/x/crypto/ssh/client_auth.go
+++ /dev/null
@@ -1,510 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-)
-
-// clientAuthenticate authenticates with the remote server. See RFC 4252.
-func (c *connection) clientAuthenticate(config *ClientConfig) error {
-	// initiate user auth session
-	if err := c.transport.writePacket(Marshal(&serviceRequestMsg{serviceUserAuth})); err != nil {
-		return err
-	}
-	packet, err := c.transport.readPacket()
-	if err != nil {
-		return err
-	}
-	var serviceAccept serviceAcceptMsg
-	if err := Unmarshal(packet, &serviceAccept); err != nil {
-		return err
-	}
-
-	// during the authentication phase the client first attempts the "none" method
-	// then any untried methods suggested by the server.
-	tried := make(map[string]bool)
-	var lastMethods []string
-
-	sessionID := c.transport.getSessionID()
-	for auth := AuthMethod(new(noneAuth)); auth != nil; {
-		ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand)
-		if err != nil {
-			return err
-		}
-		if ok {
-			// success
-			return nil
-		}
-		tried[auth.method()] = true
-		if methods == nil {
-			methods = lastMethods
-		}
-		lastMethods = methods
-
-		auth = nil
-
-	findNext:
-		for _, a := range config.Auth {
-			candidateMethod := a.method()
-			if tried[candidateMethod] {
-				continue
-			}
-			for _, meth := range methods {
-				if meth == candidateMethod {
-					auth = a
-					break findNext
-				}
-			}
-		}
-	}
-	return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", keys(tried))
-}
-
-func keys(m map[string]bool) []string {
-	s := make([]string, 0, len(m))
-
-	for key := range m {
-		s = append(s, key)
-	}
-	return s
-}
-
-// An AuthMethod represents an instance of an RFC 4252 authentication method.
-type AuthMethod interface {
-	// auth authenticates user over transport t.
-	// Returns true if authentication is successful.
-	// If authentication is not successful, a []string of alternative
-	// method names is returned. If the slice is nil, it will be ignored
-	// and the previous set of possible methods will be reused.
-	auth(session []byte, user string, p packetConn, rand io.Reader) (bool, []string, error)
-
-	// method returns the RFC 4252 method name.
-	method() string
-}
-
-// "none" authentication, RFC 4252 section 5.2.
-type noneAuth int
-
-func (n *noneAuth) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
-	if err := c.writePacket(Marshal(&userAuthRequestMsg{
-		User:    user,
-		Service: serviceSSH,
-		Method:  "none",
-	})); err != nil {
-		return false, nil, err
-	}
-
-	return handleAuthResponse(c)
-}
-
-func (n *noneAuth) method() string {
-	return "none"
-}
-
-// passwordCallback is an AuthMethod that fetches the password through
-// a function call, e.g. by prompting the user.
-type passwordCallback func() (password string, err error)
-
-func (cb passwordCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
-	type passwordAuthMsg struct {
-		User     string `sshtype:"50"`
-		Service  string
-		Method   string
-		Reply    bool
-		Password string
-	}
-
-	pw, err := cb()
-	// REVIEW NOTE: is there a need to support skipping a password attempt?
-	// The program may only find out that the user doesn't have a password
-	// when prompting.
-	if err != nil {
-		return false, nil, err
-	}
-
-	if err := c.writePacket(Marshal(&passwordAuthMsg{
-		User:     user,
-		Service:  serviceSSH,
-		Method:   cb.method(),
-		Reply:    false,
-		Password: pw,
-	})); err != nil {
-		return false, nil, err
-	}
-
-	return handleAuthResponse(c)
-}
-
-func (cb passwordCallback) method() string {
-	return "password"
-}
-
-// Password returns an AuthMethod using the given password.
-func Password(secret string) AuthMethod {
-	return passwordCallback(func() (string, error) { return secret, nil })
-}
-
-// PasswordCallback returns an AuthMethod that uses a callback for
-// fetching a password.
-func PasswordCallback(prompt func() (secret string, err error)) AuthMethod {
-	return passwordCallback(prompt)
-}
-
-type publickeyAuthMsg struct {
-	User    string `sshtype:"50"`
-	Service string
-	Method  string
-	// HasSig indicates to the receiver packet that the auth request is signed and
-	// should be used for authentication of the request.
-	HasSig   bool
-	Algoname string
-	PubKey   []byte
-	// Sig is tagged with "rest" so Marshal will exclude it during
-	// validateKey
-	Sig []byte `ssh:"rest"`
-}
-
-// publicKeyCallback is an AuthMethod that uses a set of key
-// pairs for authentication.
-type publicKeyCallback func() ([]Signer, error)
-
-func (cb publicKeyCallback) method() string {
-	return "publickey"
-}
-
-func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
-	// Authentication is performed by sending an enquiry to test if a key is
-	// acceptable to the remote. If the key is acceptable, the client will
-	// attempt to authenticate with the valid key.  If not the client will repeat
-	// the process with the remaining keys.
-
-	signers, err := cb()
-	if err != nil {
-		return false, nil, err
-	}
-	var methods []string
-	for _, signer := range signers {
-		ok, err := validateKey(signer.PublicKey(), user, c)
-		if err != nil {
-			return false, nil, err
-		}
-		if !ok {
-			continue
-		}
-
-		pub := signer.PublicKey()
-		pubKey := pub.Marshal()
-		sign, err := signer.Sign(rand, buildDataSignedForAuth(session, userAuthRequestMsg{
-			User:    user,
-			Service: serviceSSH,
-			Method:  cb.method(),
-		}, []byte(pub.Type()), pubKey))
-		if err != nil {
-			return false, nil, err
-		}
-
-		// manually wrap the serialized signature in a string
-		s := Marshal(sign)
-		sig := make([]byte, stringLength(len(s)))
-		marshalString(sig, s)
-		msg := publickeyAuthMsg{
-			User:     user,
-			Service:  serviceSSH,
-			Method:   cb.method(),
-			HasSig:   true,
-			Algoname: pub.Type(),
-			PubKey:   pubKey,
-			Sig:      sig,
-		}
-		p := Marshal(&msg)
-		if err := c.writePacket(p); err != nil {
-			return false, nil, err
-		}
-		var success bool
-		success, methods, err = handleAuthResponse(c)
-		if err != nil {
-			return false, nil, err
-		}
-
-		// If authentication succeeds or the list of available methods does not
-		// contain the "publickey" method, do not attempt to authenticate with any
-		// other keys.  According to RFC 4252 Section 7, the latter can occur when
-		// additional authentication methods are required.
-		if success || !containsMethod(methods, cb.method()) {
-			return success, methods, err
-		}
-	}
-
-	return false, methods, nil
-}
-
-func containsMethod(methods []string, method string) bool {
-	for _, m := range methods {
-		if m == method {
-			return true
-		}
-	}
-
-	return false
-}
-
-// validateKey validates the key provided is acceptable to the server.
-func validateKey(key PublicKey, user string, c packetConn) (bool, error) {
-	pubKey := key.Marshal()
-	msg := publickeyAuthMsg{
-		User:     user,
-		Service:  serviceSSH,
-		Method:   "publickey",
-		HasSig:   false,
-		Algoname: key.Type(),
-		PubKey:   pubKey,
-	}
-	if err := c.writePacket(Marshal(&msg)); err != nil {
-		return false, err
-	}
-
-	return confirmKeyAck(key, c)
-}
-
-func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
-	pubKey := key.Marshal()
-	algoname := key.Type()
-
-	for {
-		packet, err := c.readPacket()
-		if err != nil {
-			return false, err
-		}
-		switch packet[0] {
-		case msgUserAuthBanner:
-			if err := handleBannerResponse(c, packet); err != nil {
-				return false, err
-			}
-		case msgUserAuthPubKeyOk:
-			var msg userAuthPubKeyOkMsg
-			if err := Unmarshal(packet, &msg); err != nil {
-				return false, err
-			}
-			if msg.Algo != algoname || !bytes.Equal(msg.PubKey, pubKey) {
-				return false, nil
-			}
-			return true, nil
-		case msgUserAuthFailure:
-			return false, nil
-		default:
-			return false, unexpectedMessageError(msgUserAuthSuccess, packet[0])
-		}
-	}
-}
-
-// PublicKeys returns an AuthMethod that uses the given key
-// pairs.
-func PublicKeys(signers ...Signer) AuthMethod {
-	return publicKeyCallback(func() ([]Signer, error) { return signers, nil })
-}
-
-// PublicKeysCallback returns an AuthMethod that runs the given
-// function to obtain a list of key pairs.
-func PublicKeysCallback(getSigners func() (signers []Signer, err error)) AuthMethod {
-	return publicKeyCallback(getSigners)
-}
-
-// handleAuthResponse returns whether the preceding authentication request succeeded
-// along with a list of remaining authentication methods to try next and
-// an error if an unexpected response was received.
-func handleAuthResponse(c packetConn) (bool, []string, error) {
-	for {
-		packet, err := c.readPacket()
-		if err != nil {
-			return false, nil, err
-		}
-
-		switch packet[0] {
-		case msgUserAuthBanner:
-			if err := handleBannerResponse(c, packet); err != nil {
-				return false, nil, err
-			}
-		case msgUserAuthFailure:
-			var msg userAuthFailureMsg
-			if err := Unmarshal(packet, &msg); err != nil {
-				return false, nil, err
-			}
-			return false, msg.Methods, nil
-		case msgUserAuthSuccess:
-			return true, nil, nil
-		default:
-			return false, nil, unexpectedMessageError(msgUserAuthSuccess, packet[0])
-		}
-	}
-}
-
-func handleBannerResponse(c packetConn, packet []byte) error {
-	var msg userAuthBannerMsg
-	if err := Unmarshal(packet, &msg); err != nil {
-		return err
-	}
-
-	transport, ok := c.(*handshakeTransport)
-	if !ok {
-		return nil
-	}
-
-	if transport.bannerCallback != nil {
-		return transport.bannerCallback(msg.Message)
-	}
-
-	return nil
-}
-
-// KeyboardInteractiveChallenge should print questions, optionally
-// disabling echoing (e.g. for passwords), and return all the answers.
-// Challenge may be called multiple times in a single session. After
-// successful authentication, the server may send a challenge with no
-// questions, for which the user and instruction messages should be
-// printed.  RFC 4256 section 3.3 details how the UI should behave for
-// both CLI and GUI environments.
-type KeyboardInteractiveChallenge func(user, instruction string, questions []string, echos []bool) (answers []string, err error)
-
-// KeyboardInteractive returns an AuthMethod using a prompt/response
-// sequence controlled by the server.
-func KeyboardInteractive(challenge KeyboardInteractiveChallenge) AuthMethod {
-	return challenge
-}
-
-func (cb KeyboardInteractiveChallenge) method() string {
-	return "keyboard-interactive"
-}
-
-func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
-	type initiateMsg struct {
-		User       string `sshtype:"50"`
-		Service    string
-		Method     string
-		Language   string
-		Submethods string
-	}
-
-	if err := c.writePacket(Marshal(&initiateMsg{
-		User:    user,
-		Service: serviceSSH,
-		Method:  "keyboard-interactive",
-	})); err != nil {
-		return false, nil, err
-	}
-
-	for {
-		packet, err := c.readPacket()
-		if err != nil {
-			return false, nil, err
-		}
-
-		// like handleAuthResponse, but with less options.
-		switch packet[0] {
-		case msgUserAuthBanner:
-			if err := handleBannerResponse(c, packet); err != nil {
-				return false, nil, err
-			}
-			continue
-		case msgUserAuthInfoRequest:
-			// OK
-		case msgUserAuthFailure:
-			var msg userAuthFailureMsg
-			if err := Unmarshal(packet, &msg); err != nil {
-				return false, nil, err
-			}
-			return false, msg.Methods, nil
-		case msgUserAuthSuccess:
-			return true, nil, nil
-		default:
-			return false, nil, unexpectedMessageError(msgUserAuthInfoRequest, packet[0])
-		}
-
-		var msg userAuthInfoRequestMsg
-		if err := Unmarshal(packet, &msg); err != nil {
-			return false, nil, err
-		}
-
-		// Manually unpack the prompt/echo pairs.
-		rest := msg.Prompts
-		var prompts []string
-		var echos []bool
-		for i := 0; i < int(msg.NumPrompts); i++ {
-			prompt, r, ok := parseString(rest)
-			if !ok || len(r) == 0 {
-				return false, nil, errors.New("ssh: prompt format error")
-			}
-			prompts = append(prompts, string(prompt))
-			echos = append(echos, r[0] != 0)
-			rest = r[1:]
-		}
-
-		if len(rest) != 0 {
-			return false, nil, errors.New("ssh: extra data following keyboard-interactive pairs")
-		}
-
-		answers, err := cb(msg.User, msg.Instruction, prompts, echos)
-		if err != nil {
-			return false, nil, err
-		}
-
-		if len(answers) != len(prompts) {
-			return false, nil, errors.New("ssh: not enough answers from keyboard-interactive callback")
-		}
-		responseLength := 1 + 4
-		for _, a := range answers {
-			responseLength += stringLength(len(a))
-		}
-		serialized := make([]byte, responseLength)
-		p := serialized
-		p[0] = msgUserAuthInfoResponse
-		p = p[1:]
-		p = marshalUint32(p, uint32(len(answers)))
-		for _, a := range answers {
-			p = marshalString(p, []byte(a))
-		}
-
-		if err := c.writePacket(serialized); err != nil {
-			return false, nil, err
-		}
-	}
-}
-
-type retryableAuthMethod struct {
-	authMethod AuthMethod
-	maxTries   int
-}
-
-func (r *retryableAuthMethod) auth(session []byte, user string, c packetConn, rand io.Reader) (ok bool, methods []string, err error) {
-	for i := 0; r.maxTries <= 0 || i < r.maxTries; i++ {
-		ok, methods, err = r.authMethod.auth(session, user, c, rand)
-		if ok || err != nil { // either success or error terminate
-			return ok, methods, err
-		}
-	}
-	return ok, methods, err
-}
-
-func (r *retryableAuthMethod) method() string {
-	return r.authMethod.method()
-}
-
-// RetryableAuthMethod is a decorator for other auth methods enabling them to
-// be retried up to maxTries before considering that AuthMethod itself failed.
-// If maxTries is <= 0, will retry indefinitely
-//
-// This is useful for interactive clients using challenge/response type
-// authentication (e.g. Keyboard-Interactive, Password, etc) where the user
-// could mistype their response resulting in the server issuing a
-// SSH_MSG_USERAUTH_FAILURE (rfc4252 #8 [password] and rfc4256 #3.4
-// [keyboard-interactive]); Without this decorator, the non-retryable
-// AuthMethod would be removed from future consideration, and never tried again
-// (and so the user would never be able to retry their entry).
-func RetryableAuthMethod(auth AuthMethod, maxTries int) AuthMethod {
-	return &retryableAuthMethod{authMethod: auth, maxTries: maxTries}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/client_auth_test.go b/vendor/golang.org/x/crypto/ssh/client_auth_test.go
deleted file mode 100644
index 145b57a2..00000000
--- a/vendor/golang.org/x/crypto/ssh/client_auth_test.go
+++ /dev/null
@@ -1,628 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/rand"
-	"errors"
-	"fmt"
-	"os"
-	"strings"
-	"testing"
-)
-
-type keyboardInteractive map[string]string
-
-func (cr keyboardInteractive) Challenge(user string, instruction string, questions []string, echos []bool) ([]string, error) {
-	var answers []string
-	for _, q := range questions {
-		answers = append(answers, cr[q])
-	}
-	return answers, nil
-}
-
-// reused internally by tests
-var clientPassword = "tiger"
-
-// tryAuth runs a handshake with a given config against an SSH server
-// with config serverConfig
-func tryAuth(t *testing.T, config *ClientConfig) error {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	certChecker := CertChecker{
-		IsUserAuthority: func(k PublicKey) bool {
-			return bytes.Equal(k.Marshal(), testPublicKeys["ecdsa"].Marshal())
-		},
-		UserKeyFallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
-			if conn.User() == "testuser" && bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
-				return nil, nil
-			}
-
-			return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User())
-		},
-		IsRevoked: func(c *Certificate) bool {
-			return c.Serial == 666
-		},
-	}
-
-	serverConfig := &ServerConfig{
-		PasswordCallback: func(conn ConnMetadata, pass []byte) (*Permissions, error) {
-			if conn.User() == "testuser" && string(pass) == clientPassword {
-				return nil, nil
-			}
-			return nil, errors.New("password auth failed")
-		},
-		PublicKeyCallback: certChecker.Authenticate,
-		KeyboardInteractiveCallback: func(conn ConnMetadata, challenge KeyboardInteractiveChallenge) (*Permissions, error) {
-			ans, err := challenge("user",
-				"instruction",
-				[]string{"question1", "question2"},
-				[]bool{true, true})
-			if err != nil {
-				return nil, err
-			}
-			ok := conn.User() == "testuser" && ans[0] == "answer1" && ans[1] == "answer2"
-			if ok {
-				challenge("user", "motd", nil, nil)
-				return nil, nil
-			}
-			return nil, errors.New("keyboard-interactive failed")
-		},
-	}
-	serverConfig.AddHostKey(testSigners["rsa"])
-
-	go newServer(c1, serverConfig)
-	_, _, _, err = NewClientConn(c2, "", config)
-	return err
-}
-
-func TestClientAuthPublicKey(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["rsa"]),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-func TestAuthMethodPassword(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			Password(clientPassword),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-func TestAuthMethodFallback(t *testing.T) {
-	var passwordCalled bool
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["rsa"]),
-			PasswordCallback(
-				func() (string, error) {
-					passwordCalled = true
-					return "WRONG", nil
-				}),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-
-	if passwordCalled {
-		t.Errorf("password auth tried before public-key auth.")
-	}
-}
-
-func TestAuthMethodWrongPassword(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			Password("wrong"),
-			PublicKeys(testSigners["rsa"]),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-func TestAuthMethodKeyboardInteractive(t *testing.T) {
-	answers := keyboardInteractive(map[string]string{
-		"question1": "answer1",
-		"question2": "answer2",
-	})
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			KeyboardInteractive(answers.Challenge),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-func TestAuthMethodWrongKeyboardInteractive(t *testing.T) {
-	answers := keyboardInteractive(map[string]string{
-		"question1": "answer1",
-		"question2": "WRONG",
-	})
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			KeyboardInteractive(answers.Challenge),
-		},
-	}
-
-	if err := tryAuth(t, config); err == nil {
-		t.Fatalf("wrong answers should not have authenticated with KeyboardInteractive")
-	}
-}
-
-// the mock server will only authenticate ssh-rsa keys
-func TestAuthMethodInvalidPublicKey(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["dsa"]),
-		},
-	}
-
-	if err := tryAuth(t, config); err == nil {
-		t.Fatalf("dsa private key should not have authenticated with rsa public key")
-	}
-}
-
-// the client should authenticate with the second key
-func TestAuthMethodRSAandDSA(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["dsa"], testSigners["rsa"]),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("client could not authenticate with rsa key: %v", err)
-	}
-}
-
-func TestClientHMAC(t *testing.T) {
-	for _, mac := range supportedMACs {
-		config := &ClientConfig{
-			User: "testuser",
-			Auth: []AuthMethod{
-				PublicKeys(testSigners["rsa"]),
-			},
-			Config: Config{
-				MACs: []string{mac},
-			},
-			HostKeyCallback: InsecureIgnoreHostKey(),
-		}
-		if err := tryAuth(t, config); err != nil {
-			t.Fatalf("client could not authenticate with mac algo %s: %v", mac, err)
-		}
-	}
-}
-
-// issue 4285.
-func TestClientUnsupportedCipher(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(),
-		},
-		Config: Config{
-			Ciphers: []string{"aes128-cbc"}, // not currently supported
-		},
-	}
-	if err := tryAuth(t, config); err == nil {
-		t.Errorf("expected no ciphers in common")
-	}
-}
-
-func TestClientUnsupportedKex(t *testing.T) {
-	if os.Getenv("GO_BUILDER_NAME") != "" {
-		t.Skip("skipping known-flaky test on the Go build dashboard; see golang.org/issue/15198")
-	}
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(),
-		},
-		Config: Config{
-			KeyExchanges: []string{"diffie-hellman-group-exchange-sha256"}, // not currently supported
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	if err := tryAuth(t, config); err == nil || !strings.Contains(err.Error(), "common algorithm") {
-		t.Errorf("got %v, expected 'common algorithm'", err)
-	}
-}
-
-func TestClientLoginCert(t *testing.T) {
-	cert := &Certificate{
-		Key:         testPublicKeys["rsa"],
-		ValidBefore: CertTimeInfinity,
-		CertType:    UserCert,
-	}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	certSigner, err := NewCertSigner(cert, testSigners["rsa"])
-	if err != nil {
-		t.Fatalf("NewCertSigner: %v", err)
-	}
-
-	clientConfig := &ClientConfig{
-		User:            "user",
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	clientConfig.Auth = append(clientConfig.Auth, PublicKeys(certSigner))
-
-	// should succeed
-	if err := tryAuth(t, clientConfig); err != nil {
-		t.Errorf("cert login failed: %v", err)
-	}
-
-	// corrupted signature
-	cert.Signature.Blob[0]++
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with corrupted sig")
-	}
-
-	// revoked
-	cert.Serial = 666
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("revoked cert login succeeded")
-	}
-	cert.Serial = 1
-
-	// sign with wrong key
-	cert.SignCert(rand.Reader, testSigners["dsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with non-authoritative key")
-	}
-
-	// host cert
-	cert.CertType = HostCert
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with wrong type")
-	}
-	cert.CertType = UserCert
-
-	// principal specified
-	cert.ValidPrincipals = []string{"user"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err != nil {
-		t.Errorf("cert login failed: %v", err)
-	}
-
-	// wrong principal specified
-	cert.ValidPrincipals = []string{"fred"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with wrong principal")
-	}
-	cert.ValidPrincipals = nil
-
-	// added critical option
-	cert.CriticalOptions = map[string]string{"root-access": "yes"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with unrecognized critical option")
-	}
-
-	// allowed source address
-	cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42/24,::42/120"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err != nil {
-		t.Errorf("cert login with source-address failed: %v", err)
-	}
-
-	// disallowed source address
-	cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42,::42"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login with source-address succeeded")
-	}
-}
-
-func testPermissionsPassing(withPermissions bool, t *testing.T) {
-	serverConfig := &ServerConfig{
-		PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
-			if conn.User() == "nopermissions" {
-				return nil, nil
-			}
-			return &Permissions{}, nil
-		},
-	}
-	serverConfig.AddHostKey(testSigners["rsa"])
-
-	clientConfig := &ClientConfig{
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["rsa"]),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	if withPermissions {
-		clientConfig.User = "permissions"
-	} else {
-		clientConfig.User = "nopermissions"
-	}
-
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	go NewClientConn(c2, "", clientConfig)
-	serverConn, err := newServer(c1, serverConfig)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if p := serverConn.Permissions; (p != nil) != withPermissions {
-		t.Fatalf("withPermissions is %t, but Permissions object is %#v", withPermissions, p)
-	}
-}
-
-func TestPermissionsPassing(t *testing.T) {
-	testPermissionsPassing(true, t)
-}
-
-func TestNoPermissionsPassing(t *testing.T) {
-	testPermissionsPassing(false, t)
-}
-
-func TestRetryableAuth(t *testing.T) {
-	n := 0
-	passwords := []string{"WRONG1", "WRONG2"}
-
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			RetryableAuthMethod(PasswordCallback(func() (string, error) {
-				p := passwords[n]
-				n++
-				return p, nil
-			}), 2),
-			PublicKeys(testSigners["rsa"]),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-	if n != 2 {
-		t.Fatalf("Did not try all passwords")
-	}
-}
-
-func ExampleRetryableAuthMethod(t *testing.T) {
-	user := "testuser"
-	NumberOfPrompts := 3
-
-	// Normally this would be a callback that prompts the user to answer the
-	// provided questions
-	Cb := func(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
-		return []string{"answer1", "answer2"}, nil
-	}
-
-	config := &ClientConfig{
-		HostKeyCallback: InsecureIgnoreHostKey(),
-		User:            user,
-		Auth: []AuthMethod{
-			RetryableAuthMethod(KeyboardInteractiveChallenge(Cb), NumberOfPrompts),
-		},
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-// Test if username is received on server side when NoClientAuth is used
-func TestClientAuthNone(t *testing.T) {
-	user := "testuser"
-	serverConfig := &ServerConfig{
-		NoClientAuth: true,
-	}
-	serverConfig.AddHostKey(testSigners["rsa"])
-
-	clientConfig := &ClientConfig{
-		User:            user,
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	go NewClientConn(c2, "", clientConfig)
-	serverConn, err := newServer(c1, serverConfig)
-	if err != nil {
-		t.Fatalf("newServer: %v", err)
-	}
-	if serverConn.User() != user {
-		t.Fatalf("server: got %q, want %q", serverConn.User(), user)
-	}
-}
-
-// Test if authentication attempts are limited on server when MaxAuthTries is set
-func TestClientAuthMaxAuthTries(t *testing.T) {
-	user := "testuser"
-
-	serverConfig := &ServerConfig{
-		MaxAuthTries: 2,
-		PasswordCallback: func(conn ConnMetadata, pass []byte) (*Permissions, error) {
-			if conn.User() == "testuser" && string(pass) == "right" {
-				return nil, nil
-			}
-			return nil, errors.New("password auth failed")
-		},
-	}
-	serverConfig.AddHostKey(testSigners["rsa"])
-
-	expectedErr := fmt.Errorf("ssh: handshake failed: %v", &disconnectMsg{
-		Reason:  2,
-		Message: "too many authentication failures",
-	})
-
-	for tries := 2; tries < 4; tries++ {
-		n := tries
-		clientConfig := &ClientConfig{
-			User: user,
-			Auth: []AuthMethod{
-				RetryableAuthMethod(PasswordCallback(func() (string, error) {
-					n--
-					if n == 0 {
-						return "right", nil
-					}
-					return "wrong", nil
-				}), tries),
-			},
-			HostKeyCallback: InsecureIgnoreHostKey(),
-		}
-
-		c1, c2, err := netPipe()
-		if err != nil {
-			t.Fatalf("netPipe: %v", err)
-		}
-		defer c1.Close()
-		defer c2.Close()
-
-		go newServer(c1, serverConfig)
-		_, _, _, err = NewClientConn(c2, "", clientConfig)
-		if tries > 2 {
-			if err == nil {
-				t.Fatalf("client: got no error, want %s", expectedErr)
-			} else if err.Error() != expectedErr.Error() {
-				t.Fatalf("client: got %s, want %s", err, expectedErr)
-			}
-		} else {
-			if err != nil {
-				t.Fatalf("client: got %s, want no error", err)
-			}
-		}
-	}
-}
-
-// Test if authentication attempts are correctly limited on server
-// when more public keys are provided then MaxAuthTries
-func TestClientAuthMaxAuthTriesPublicKey(t *testing.T) {
-	signers := []Signer{}
-	for i := 0; i < 6; i++ {
-		signers = append(signers, testSigners["dsa"])
-	}
-
-	validConfig := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(append([]Signer{testSigners["rsa"]}, signers...)...),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	if err := tryAuth(t, validConfig); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-
-	expectedErr := fmt.Errorf("ssh: handshake failed: %v", &disconnectMsg{
-		Reason:  2,
-		Message: "too many authentication failures",
-	})
-	invalidConfig := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(append(signers, testSigners["rsa"])...),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	if err := tryAuth(t, invalidConfig); err == nil {
-		t.Fatalf("client: got no error, want %s", expectedErr)
-	} else if err.Error() != expectedErr.Error() {
-		t.Fatalf("client: got %s, want %s", err, expectedErr)
-	}
-}
-
-// Test whether authentication errors are being properly logged if all
-// authentication methods have been exhausted
-func TestClientAuthErrorList(t *testing.T) {
-	publicKeyErr := errors.New("This is an error from PublicKeyCallback")
-
-	clientConfig := &ClientConfig{
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["rsa"]),
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	serverConfig := &ServerConfig{
-		PublicKeyCallback: func(_ ConnMetadata, _ PublicKey) (*Permissions, error) {
-			return nil, publicKeyErr
-		},
-	}
-	serverConfig.AddHostKey(testSigners["rsa"])
-
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	go NewClientConn(c2, "", clientConfig)
-	_, err = newServer(c1, serverConfig)
-	if err == nil {
-		t.Fatal("newServer: got nil, expected errors")
-	}
-
-	authErrs, ok := err.(*ServerAuthError)
-	if !ok {
-		t.Fatalf("errors: got %T, want *ssh.ServerAuthError", err)
-	}
-	for i, e := range authErrs.Errors {
-		switch i {
-		case 0:
-			if e.Error() != "no auth passed yet" {
-				t.Fatalf("errors: got %v, want no auth passed yet", e.Error())
-			}
-		case 1:
-			if e != publicKeyErr {
-				t.Fatalf("errors: got %v, want %v", e, publicKeyErr)
-			}
-		default:
-			t.Fatalf("errors: got %v, expected 2 errors", authErrs.Errors)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/client_test.go b/vendor/golang.org/x/crypto/ssh/client_test.go
deleted file mode 100644
index 81f9599e..00000000
--- a/vendor/golang.org/x/crypto/ssh/client_test.go
+++ /dev/null
@@ -1,166 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"strings"
-	"testing"
-)
-
-func TestClientVersion(t *testing.T) {
-	for _, tt := range []struct {
-		name      string
-		version   string
-		multiLine string
-		wantErr   bool
-	}{
-		{
-			name:    "default version",
-			version: packageVersion,
-		},
-		{
-			name:    "custom version",
-			version: "SSH-2.0-CustomClientVersionString",
-		},
-		{
-			name:      "good multi line version",
-			version:   packageVersion,
-			multiLine: strings.Repeat("ignored\r\n", 20),
-		},
-		{
-			name:      "bad multi line version",
-			version:   packageVersion,
-			multiLine: "bad multi line version",
-			wantErr:   true,
-		},
-		{
-			name:      "long multi line version",
-			version:   packageVersion,
-			multiLine: strings.Repeat("long multi line version\r\n", 50)[:256],
-			wantErr:   true,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			c1, c2, err := netPipe()
-			if err != nil {
-				t.Fatalf("netPipe: %v", err)
-			}
-			defer c1.Close()
-			defer c2.Close()
-			go func() {
-				if tt.multiLine != "" {
-					c1.Write([]byte(tt.multiLine))
-				}
-				NewClientConn(c1, "", &ClientConfig{
-					ClientVersion:   tt.version,
-					HostKeyCallback: InsecureIgnoreHostKey(),
-				})
-				c1.Close()
-			}()
-			conf := &ServerConfig{NoClientAuth: true}
-			conf.AddHostKey(testSigners["rsa"])
-			conn, _, _, err := NewServerConn(c2, conf)
-			if err == nil == tt.wantErr {
-				t.Fatalf("got err %v; wantErr %t", err, tt.wantErr)
-			}
-			if tt.wantErr {
-				// Don't verify the version on an expected error.
-				return
-			}
-			if got := string(conn.ClientVersion()); got != tt.version {
-				t.Fatalf("got %q; want %q", got, tt.version)
-			}
-		})
-	}
-}
-
-func TestHostKeyCheck(t *testing.T) {
-	for _, tt := range []struct {
-		name      string
-		wantError string
-		key       PublicKey
-	}{
-		{"no callback", "must specify HostKeyCallback", nil},
-		{"correct key", "", testSigners["rsa"].PublicKey()},
-		{"mismatch", "mismatch", testSigners["ecdsa"].PublicKey()},
-	} {
-		c1, c2, err := netPipe()
-		if err != nil {
-			t.Fatalf("netPipe: %v", err)
-		}
-		defer c1.Close()
-		defer c2.Close()
-		serverConf := &ServerConfig{
-			NoClientAuth: true,
-		}
-		serverConf.AddHostKey(testSigners["rsa"])
-
-		go NewServerConn(c1, serverConf)
-		clientConf := ClientConfig{
-			User: "user",
-		}
-		if tt.key != nil {
-			clientConf.HostKeyCallback = FixedHostKey(tt.key)
-		}
-
-		_, _, _, err = NewClientConn(c2, "", &clientConf)
-		if err != nil {
-			if tt.wantError == "" || !strings.Contains(err.Error(), tt.wantError) {
-				t.Errorf("%s: got error %q, missing %q", tt.name, err.Error(), tt.wantError)
-			}
-		} else if tt.wantError != "" {
-			t.Errorf("%s: succeeded, but want error string %q", tt.name, tt.wantError)
-		}
-	}
-}
-
-func TestBannerCallback(t *testing.T) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	serverConf := &ServerConfig{
-		PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
-			return &Permissions{}, nil
-		},
-		BannerCallback: func(conn ConnMetadata) string {
-			return "Hello World"
-		},
-	}
-	serverConf.AddHostKey(testSigners["rsa"])
-	go NewServerConn(c1, serverConf)
-
-	var receivedBanner string
-	var bannerCount int
-	clientConf := ClientConfig{
-		Auth: []AuthMethod{
-			Password("123"),
-		},
-		User:            "user",
-		HostKeyCallback: InsecureIgnoreHostKey(),
-		BannerCallback: func(message string) error {
-			bannerCount++
-			receivedBanner = message
-			return nil
-		},
-	}
-
-	_, _, _, err = NewClientConn(c2, "", &clientConf)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if bannerCount != 1 {
-		t.Errorf("got %d banners; want 1", bannerCount)
-	}
-
-	expected := "Hello World"
-	if receivedBanner != expected {
-		t.Fatalf("got %s; want %s", receivedBanner, expected)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/common.go b/vendor/golang.org/x/crypto/ssh/common.go
deleted file mode 100644
index 04f3620b..00000000
--- a/vendor/golang.org/x/crypto/ssh/common.go
+++ /dev/null
@@ -1,383 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"crypto"
-	"crypto/rand"
-	"fmt"
-	"io"
-	"math"
-	"sync"
-
-	_ "crypto/sha1"
-	_ "crypto/sha256"
-	_ "crypto/sha512"
-)
-
-// These are string constants in the SSH protocol.
-const (
-	compressionNone = "none"
-	serviceUserAuth = "ssh-userauth"
-	serviceSSH      = "ssh-connection"
-)
-
-// supportedCiphers lists ciphers we support but might not recommend.
-var supportedCiphers = []string{
-	"aes128-ctr", "aes192-ctr", "aes256-ctr",
-	"aes128-gcm@openssh.com",
-	chacha20Poly1305ID,
-	"arcfour256", "arcfour128", "arcfour",
-	aes128cbcID,
-	tripledescbcID,
-}
-
-// preferredCiphers specifies the default preference for ciphers.
-var preferredCiphers = []string{
-	"aes128-gcm@openssh.com",
-	chacha20Poly1305ID,
-	"aes128-ctr", "aes192-ctr", "aes256-ctr",
-}
-
-// supportedKexAlgos specifies the supported key-exchange algorithms in
-// preference order.
-var supportedKexAlgos = []string{
-	kexAlgoCurve25519SHA256,
-	// P384 and P521 are not constant-time yet, but since we don't
-	// reuse ephemeral keys, using them for ECDH should be OK.
-	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-	kexAlgoDH14SHA1, kexAlgoDH1SHA1,
-}
-
-// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
-// of authenticating servers) in preference order.
-var supportedHostKeyAlgos = []string{
-	CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
-	CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
-
-	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
-	KeyAlgoRSA, KeyAlgoDSA,
-
-	KeyAlgoED25519,
-}
-
-// supportedMACs specifies a default set of MAC algorithms in preference order.
-// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
-// because they have reached the end of their useful life.
-var supportedMACs = []string{
-	"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
-}
-
-var supportedCompressions = []string{compressionNone}
-
-// hashFuncs keeps the mapping of supported algorithms to their respective
-// hashes needed for signature verification.
-var hashFuncs = map[string]crypto.Hash{
-	KeyAlgoRSA:          crypto.SHA1,
-	KeyAlgoDSA:          crypto.SHA1,
-	KeyAlgoECDSA256:     crypto.SHA256,
-	KeyAlgoECDSA384:     crypto.SHA384,
-	KeyAlgoECDSA521:     crypto.SHA512,
-	CertAlgoRSAv01:      crypto.SHA1,
-	CertAlgoDSAv01:      crypto.SHA1,
-	CertAlgoECDSA256v01: crypto.SHA256,
-	CertAlgoECDSA384v01: crypto.SHA384,
-	CertAlgoECDSA521v01: crypto.SHA512,
-}
-
-// unexpectedMessageError results when the SSH message that we received didn't
-// match what we wanted.
-func unexpectedMessageError(expected, got uint8) error {
-	return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)
-}
-
-// parseError results from a malformed SSH message.
-func parseError(tag uint8) error {
-	return fmt.Errorf("ssh: parse error in message type %d", tag)
-}
-
-func findCommon(what string, client []string, server []string) (common string, err error) {
-	for _, c := range client {
-		for _, s := range server {
-			if c == s {
-				return c, nil
-			}
-		}
-	}
-	return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
-}
-
-type directionAlgorithms struct {
-	Cipher      string
-	MAC         string
-	Compression string
-}
-
-// rekeyBytes returns a rekeying intervals in bytes.
-func (a *directionAlgorithms) rekeyBytes() int64 {
-	// According to RFC4344 block ciphers should rekey after
-	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
-	// 128.
-	switch a.Cipher {
-	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
-		return 16 * (1 << 32)
-
-	}
-
-	// For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
-	return 1 << 30
-}
-
-type algorithms struct {
-	kex     string
-	hostKey string
-	w       directionAlgorithms
-	r       directionAlgorithms
-}
-
-func findAgreedAlgorithms(clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
-	result := &algorithms{}
-
-	result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
-	if err != nil {
-		return
-	}
-
-	result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
-	if err != nil {
-		return
-	}
-
-	result.w.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
-	if err != nil {
-		return
-	}
-
-	result.r.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
-	if err != nil {
-		return
-	}
-
-	result.w.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
-	if err != nil {
-		return
-	}
-
-	result.r.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
-	if err != nil {
-		return
-	}
-
-	result.w.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
-	if err != nil {
-		return
-	}
-
-	result.r.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
-	if err != nil {
-		return
-	}
-
-	return result, nil
-}
-
-// If rekeythreshold is too small, we can't make any progress sending
-// stuff.
-const minRekeyThreshold uint64 = 256
-
-// Config contains configuration data common to both ServerConfig and
-// ClientConfig.
-type Config struct {
-	// Rand provides the source of entropy for cryptographic
-	// primitives. If Rand is nil, the cryptographic random reader
-	// in package crypto/rand will be used.
-	Rand io.Reader
-
-	// The maximum number of bytes sent or received after which a
-	// new key is negotiated. It must be at least 256. If
-	// unspecified, a size suitable for the chosen cipher is used.
-	RekeyThreshold uint64
-
-	// The allowed key exchanges algorithms. If unspecified then a
-	// default set of algorithms is used.
-	KeyExchanges []string
-
-	// The allowed cipher algorithms. If unspecified then a sensible
-	// default is used.
-	Ciphers []string
-
-	// The allowed MAC algorithms. If unspecified then a sensible default
-	// is used.
-	MACs []string
-}
-
-// SetDefaults sets sensible values for unset fields in config. This is
-// exported for testing: Configs passed to SSH functions are copied and have
-// default values set automatically.
-func (c *Config) SetDefaults() {
-	if c.Rand == nil {
-		c.Rand = rand.Reader
-	}
-	if c.Ciphers == nil {
-		c.Ciphers = preferredCiphers
-	}
-	var ciphers []string
-	for _, c := range c.Ciphers {
-		if cipherModes[c] != nil {
-			// reject the cipher if we have no cipherModes definition
-			ciphers = append(ciphers, c)
-		}
-	}
-	c.Ciphers = ciphers
-
-	if c.KeyExchanges == nil {
-		c.KeyExchanges = supportedKexAlgos
-	}
-
-	if c.MACs == nil {
-		c.MACs = supportedMACs
-	}
-
-	if c.RekeyThreshold == 0 {
-		// cipher specific default
-	} else if c.RekeyThreshold < minRekeyThreshold {
-		c.RekeyThreshold = minRekeyThreshold
-	} else if c.RekeyThreshold >= math.MaxInt64 {
-		// Avoid weirdness if somebody uses -1 as a threshold.
-		c.RekeyThreshold = math.MaxInt64
-	}
-}
-
-// buildDataSignedForAuth returns the data that is signed in order to prove
-// possession of a private key. See RFC 4252, section 7.
-func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
-	data := struct {
-		Session []byte
-		Type    byte
-		User    string
-		Service string
-		Method  string
-		Sign    bool
-		Algo    []byte
-		PubKey  []byte
-	}{
-		sessionID,
-		msgUserAuthRequest,
-		req.User,
-		req.Service,
-		req.Method,
-		true,
-		algo,
-		pubKey,
-	}
-	return Marshal(data)
-}
-
-func appendU16(buf []byte, n uint16) []byte {
-	return append(buf, byte(n>>8), byte(n))
-}
-
-func appendU32(buf []byte, n uint32) []byte {
-	return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
-}
-
-func appendU64(buf []byte, n uint64) []byte {
-	return append(buf,
-		byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),
-		byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
-}
-
-func appendInt(buf []byte, n int) []byte {
-	return appendU32(buf, uint32(n))
-}
-
-func appendString(buf []byte, s string) []byte {
-	buf = appendU32(buf, uint32(len(s)))
-	buf = append(buf, s...)
-	return buf
-}
-
-func appendBool(buf []byte, b bool) []byte {
-	if b {
-		return append(buf, 1)
-	}
-	return append(buf, 0)
-}
-
-// newCond is a helper to hide the fact that there is no usable zero
-// value for sync.Cond.
-func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }
-
-// window represents the buffer available to clients
-// wishing to write to a channel.
-type window struct {
-	*sync.Cond
-	win          uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
-	writeWaiters int
-	closed       bool
-}
-
-// add adds win to the amount of window available
-// for consumers.
-func (w *window) add(win uint32) bool {
-	// a zero sized window adjust is a noop.
-	if win == 0 {
-		return true
-	}
-	w.L.Lock()
-	if w.win+win < win {
-		w.L.Unlock()
-		return false
-	}
-	w.win += win
-	// It is unusual that multiple goroutines would be attempting to reserve
-	// window space, but not guaranteed. Use broadcast to notify all waiters
-	// that additional window is available.
-	w.Broadcast()
-	w.L.Unlock()
-	return true
-}
-
-// close sets the window to closed, so all reservations fail
-// immediately.
-func (w *window) close() {
-	w.L.Lock()
-	w.closed = true
-	w.Broadcast()
-	w.L.Unlock()
-}
-
-// reserve reserves win from the available window capacity.
-// If no capacity remains, reserve will block. reserve may
-// return less than requested.
-func (w *window) reserve(win uint32) (uint32, error) {
-	var err error
-	w.L.Lock()
-	w.writeWaiters++
-	w.Broadcast()
-	for w.win == 0 && !w.closed {
-		w.Wait()
-	}
-	w.writeWaiters--
-	if w.win < win {
-		win = w.win
-	}
-	w.win -= win
-	if w.closed {
-		err = io.EOF
-	}
-	w.L.Unlock()
-	return win, err
-}
-
-// waitWriterBlocked waits until some goroutine is blocked for further
-// writes. It is used in tests only.
-func (w *window) waitWriterBlocked() {
-	w.Cond.L.Lock()
-	for w.writeWaiters == 0 {
-		w.Cond.Wait()
-	}
-	w.Cond.L.Unlock()
-}
diff --git a/vendor/golang.org/x/crypto/ssh/connection.go b/vendor/golang.org/x/crypto/ssh/connection.go
deleted file mode 100644
index fd6b0681..00000000
--- a/vendor/golang.org/x/crypto/ssh/connection.go
+++ /dev/null
@@ -1,143 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"fmt"
-	"net"
-)
-
-// OpenChannelError is returned if the other side rejects an
-// OpenChannel request.
-type OpenChannelError struct {
-	Reason  RejectionReason
-	Message string
-}
-
-func (e *OpenChannelError) Error() string {
-	return fmt.Sprintf("ssh: rejected: %s (%s)", e.Reason, e.Message)
-}
-
-// ConnMetadata holds metadata for the connection.
-type ConnMetadata interface {
-	// User returns the user ID for this connection.
-	User() string
-
-	// SessionID returns the session hash, also denoted by H.
-	SessionID() []byte
-
-	// ClientVersion returns the client's version string as hashed
-	// into the session ID.
-	ClientVersion() []byte
-
-	// ServerVersion returns the server's version string as hashed
-	// into the session ID.
-	ServerVersion() []byte
-
-	// RemoteAddr returns the remote address for this connection.
-	RemoteAddr() net.Addr
-
-	// LocalAddr returns the local address for this connection.
-	LocalAddr() net.Addr
-}
-
-// Conn represents an SSH connection for both server and client roles.
-// Conn is the basis for implementing an application layer, such
-// as ClientConn, which implements the traditional shell access for
-// clients.
-type Conn interface {
-	ConnMetadata
-
-	// SendRequest sends a global request, and returns the
-	// reply. If wantReply is true, it returns the response status
-	// and payload. See also RFC4254, section 4.
-	SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error)
-
-	// OpenChannel tries to open an channel. If the request is
-	// rejected, it returns *OpenChannelError. On success it returns
-	// the SSH Channel and a Go channel for incoming, out-of-band
-	// requests. The Go channel must be serviced, or the
-	// connection will hang.
-	OpenChannel(name string, data []byte) (Channel, <-chan *Request, error)
-
-	// Close closes the underlying network connection
-	Close() error
-
-	// Wait blocks until the connection has shut down, and returns the
-	// error causing the shutdown.
-	Wait() error
-
-	// TODO(hanwen): consider exposing:
-	//   RequestKeyChange
-	//   Disconnect
-}
-
-// DiscardRequests consumes and rejects all requests from the
-// passed-in channel.
-func DiscardRequests(in <-chan *Request) {
-	for req := range in {
-		if req.WantReply {
-			req.Reply(false, nil)
-		}
-	}
-}
-
-// A connection represents an incoming connection.
-type connection struct {
-	transport *handshakeTransport
-	sshConn
-
-	// The connection protocol.
-	*mux
-}
-
-func (c *connection) Close() error {
-	return c.sshConn.conn.Close()
-}
-
-// sshconn provides net.Conn metadata, but disallows direct reads and
-// writes.
-type sshConn struct {
-	conn net.Conn
-
-	user          string
-	sessionID     []byte
-	clientVersion []byte
-	serverVersion []byte
-}
-
-func dup(src []byte) []byte {
-	dst := make([]byte, len(src))
-	copy(dst, src)
-	return dst
-}
-
-func (c *sshConn) User() string {
-	return c.user
-}
-
-func (c *sshConn) RemoteAddr() net.Addr {
-	return c.conn.RemoteAddr()
-}
-
-func (c *sshConn) Close() error {
-	return c.conn.Close()
-}
-
-func (c *sshConn) LocalAddr() net.Addr {
-	return c.conn.LocalAddr()
-}
-
-func (c *sshConn) SessionID() []byte {
-	return dup(c.sessionID)
-}
-
-func (c *sshConn) ClientVersion() []byte {
-	return dup(c.clientVersion)
-}
-
-func (c *sshConn) ServerVersion() []byte {
-	return dup(c.serverVersion)
-}
diff --git a/vendor/golang.org/x/crypto/ssh/doc.go b/vendor/golang.org/x/crypto/ssh/doc.go
deleted file mode 100644
index 67b7322c..00000000
--- a/vendor/golang.org/x/crypto/ssh/doc.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package ssh implements an SSH client and server.
-
-SSH is a transport security protocol, an authentication protocol and a
-family of application protocols. The most typical application level
-protocol is a remote shell and this is specifically implemented.  However,
-the multiplexed nature of SSH is exposed to users that wish to support
-others.
-
-References:
-  [PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
-  [SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
-
-This package does not fall under the stability promise of the Go language itself,
-so its API may be changed when pressing needs arise.
-*/
-package ssh // import "golang.org/x/crypto/ssh"
diff --git a/vendor/golang.org/x/crypto/ssh/example_test.go b/vendor/golang.org/x/crypto/ssh/example_test.go
deleted file mode 100644
index b910c7bf..00000000
--- a/vendor/golang.org/x/crypto/ssh/example_test.go
+++ /dev/null
@@ -1,320 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh_test
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/terminal"
-)
-
-func ExampleNewServerConn() {
-	// Public key authentication is done by comparing
-	// the public key of a received connection
-	// with the entries in the authorized_keys file.
-	authorizedKeysBytes, err := ioutil.ReadFile("authorized_keys")
-	if err != nil {
-		log.Fatalf("Failed to load authorized_keys, err: %v", err)
-	}
-
-	authorizedKeysMap := map[string]bool{}
-	for len(authorizedKeysBytes) > 0 {
-		pubKey, _, _, rest, err := ssh.ParseAuthorizedKey(authorizedKeysBytes)
-		if err != nil {
-			log.Fatal(err)
-		}
-
-		authorizedKeysMap[string(pubKey.Marshal())] = true
-		authorizedKeysBytes = rest
-	}
-
-	// An SSH server is represented by a ServerConfig, which holds
-	// certificate details and handles authentication of ServerConns.
-	config := &ssh.ServerConfig{
-		// Remove to disable password auth.
-		PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
-			// Should use constant-time compare (or better, salt+hash) in
-			// a production setting.
-			if c.User() == "testuser" && string(pass) == "tiger" {
-				return nil, nil
-			}
-			return nil, fmt.Errorf("password rejected for %q", c.User())
-		},
-
-		// Remove to disable public key auth.
-		PublicKeyCallback: func(c ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
-			if authorizedKeysMap[string(pubKey.Marshal())] {
-				return &ssh.Permissions{
-					// Record the public key used for authentication.
-					Extensions: map[string]string{
-						"pubkey-fp": ssh.FingerprintSHA256(pubKey),
-					},
-				}, nil
-			}
-			return nil, fmt.Errorf("unknown public key for %q", c.User())
-		},
-	}
-
-	privateBytes, err := ioutil.ReadFile("id_rsa")
-	if err != nil {
-		log.Fatal("Failed to load private key: ", err)
-	}
-
-	private, err := ssh.ParsePrivateKey(privateBytes)
-	if err != nil {
-		log.Fatal("Failed to parse private key: ", err)
-	}
-
-	config.AddHostKey(private)
-
-	// Once a ServerConfig has been configured, connections can be
-	// accepted.
-	listener, err := net.Listen("tcp", "0.0.0.0:2022")
-	if err != nil {
-		log.Fatal("failed to listen for connection: ", err)
-	}
-	nConn, err := listener.Accept()
-	if err != nil {
-		log.Fatal("failed to accept incoming connection: ", err)
-	}
-
-	// Before use, a handshake must be performed on the incoming
-	// net.Conn.
-	conn, chans, reqs, err := ssh.NewServerConn(nConn, config)
-	if err != nil {
-		log.Fatal("failed to handshake: ", err)
-	}
-	log.Printf("logged in with key %s", conn.Permissions.Extensions["pubkey-fp"])
-
-	// The incoming Request channel must be serviced.
-	go ssh.DiscardRequests(reqs)
-
-	// Service the incoming Channel channel.
-	for newChannel := range chans {
-		// Channels have a type, depending on the application level
-		// protocol intended. In the case of a shell, the type is
-		// "session" and ServerShell may be used to present a simple
-		// terminal interface.
-		if newChannel.ChannelType() != "session" {
-			newChannel.Reject(ssh.UnknownChannelType, "unknown channel type")
-			continue
-		}
-		channel, requests, err := newChannel.Accept()
-		if err != nil {
-			log.Fatalf("Could not accept channel: %v", err)
-		}
-
-		// Sessions have out-of-band requests such as "shell",
-		// "pty-req" and "env".  Here we handle only the
-		// "shell" request.
-		go func(in <-chan *ssh.Request) {
-			for req := range in {
-				req.Reply(req.Type == "shell", nil)
-			}
-		}(requests)
-
-		term := terminal.NewTerminal(channel, "> ")
-
-		go func() {
-			defer channel.Close()
-			for {
-				line, err := term.ReadLine()
-				if err != nil {
-					break
-				}
-				fmt.Println(line)
-			}
-		}()
-	}
-}
-
-func ExampleHostKeyCheck() {
-	// Every client must provide a host key check.  Here is a
-	// simple-minded parse of OpenSSH's known_hosts file
-	host := "hostname"
-	file, err := os.Open(filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts"))
-	if err != nil {
-		log.Fatal(err)
-	}
-	defer file.Close()
-
-	scanner := bufio.NewScanner(file)
-	var hostKey ssh.PublicKey
-	for scanner.Scan() {
-		fields := strings.Split(scanner.Text(), " ")
-		if len(fields) != 3 {
-			continue
-		}
-		if strings.Contains(fields[0], host) {
-			var err error
-			hostKey, _, _, _, err = ssh.ParseAuthorizedKey(scanner.Bytes())
-			if err != nil {
-				log.Fatalf("error parsing %q: %v", fields[2], err)
-			}
-			break
-		}
-	}
-
-	if hostKey == nil {
-		log.Fatalf("no hostkey for %s", host)
-	}
-
-	config := ssh.ClientConfig{
-		User:            os.Getenv("USER"),
-		HostKeyCallback: ssh.FixedHostKey(hostKey),
-	}
-
-	_, err = ssh.Dial("tcp", host+":22", &config)
-	log.Println(err)
-}
-
-func ExampleDial() {
-	var hostKey ssh.PublicKey
-	// An SSH client is represented with a ClientConn.
-	//
-	// To authenticate with the remote server you must pass at least one
-	// implementation of AuthMethod via the Auth field in ClientConfig,
-	// and provide a HostKeyCallback.
-	config := &ssh.ClientConfig{
-		User: "username",
-		Auth: []ssh.AuthMethod{
-			ssh.Password("yourpassword"),
-		},
-		HostKeyCallback: ssh.FixedHostKey(hostKey),
-	}
-	client, err := ssh.Dial("tcp", "yourserver.com:22", config)
-	if err != nil {
-		log.Fatal("Failed to dial: ", err)
-	}
-
-	// Each ClientConn can support multiple interactive sessions,
-	// represented by a Session.
-	session, err := client.NewSession()
-	if err != nil {
-		log.Fatal("Failed to create session: ", err)
-	}
-	defer session.Close()
-
-	// Once a Session is created, you can execute a single command on
-	// the remote side using the Run method.
-	var b bytes.Buffer
-	session.Stdout = &b
-	if err := session.Run("/usr/bin/whoami"); err != nil {
-		log.Fatal("Failed to run: " + err.Error())
-	}
-	fmt.Println(b.String())
-}
-
-func ExamplePublicKeys() {
-	var hostKey ssh.PublicKey
-	// A public key may be used to authenticate against the remote
-	// server by using an unencrypted PEM-encoded private key file.
-	//
-	// If you have an encrypted private key, the crypto/x509 package
-	// can be used to decrypt it.
-	key, err := ioutil.ReadFile("/home/user/.ssh/id_rsa")
-	if err != nil {
-		log.Fatalf("unable to read private key: %v", err)
-	}
-
-	// Create the Signer for this private key.
-	signer, err := ssh.ParsePrivateKey(key)
-	if err != nil {
-		log.Fatalf("unable to parse private key: %v", err)
-	}
-
-	config := &ssh.ClientConfig{
-		User: "user",
-		Auth: []ssh.AuthMethod{
-			// Use the PublicKeys method for remote authentication.
-			ssh.PublicKeys(signer),
-		},
-		HostKeyCallback: ssh.FixedHostKey(hostKey),
-	}
-
-	// Connect to the remote server and perform the SSH handshake.
-	client, err := ssh.Dial("tcp", "host.com:22", config)
-	if err != nil {
-		log.Fatalf("unable to connect: %v", err)
-	}
-	defer client.Close()
-}
-
-func ExampleClient_Listen() {
-	var hostKey ssh.PublicKey
-	config := &ssh.ClientConfig{
-		User: "username",
-		Auth: []ssh.AuthMethod{
-			ssh.Password("password"),
-		},
-		HostKeyCallback: ssh.FixedHostKey(hostKey),
-	}
-	// Dial your ssh server.
-	conn, err := ssh.Dial("tcp", "localhost:22", config)
-	if err != nil {
-		log.Fatal("unable to connect: ", err)
-	}
-	defer conn.Close()
-
-	// Request the remote side to open port 8080 on all interfaces.
-	l, err := conn.Listen("tcp", "0.0.0.0:8080")
-	if err != nil {
-		log.Fatal("unable to register tcp forward: ", err)
-	}
-	defer l.Close()
-
-	// Serve HTTP with your SSH server acting as a reverse proxy.
-	http.Serve(l, http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-		fmt.Fprintf(resp, "Hello world!\n")
-	}))
-}
-
-func ExampleSession_RequestPty() {
-	var hostKey ssh.PublicKey
-	// Create client config
-	config := &ssh.ClientConfig{
-		User: "username",
-		Auth: []ssh.AuthMethod{
-			ssh.Password("password"),
-		},
-		HostKeyCallback: ssh.FixedHostKey(hostKey),
-	}
-	// Connect to ssh server
-	conn, err := ssh.Dial("tcp", "localhost:22", config)
-	if err != nil {
-		log.Fatal("unable to connect: ", err)
-	}
-	defer conn.Close()
-	// Create a session
-	session, err := conn.NewSession()
-	if err != nil {
-		log.Fatal("unable to create session: ", err)
-	}
-	defer session.Close()
-	// Set up terminal modes
-	modes := ssh.TerminalModes{
-		ssh.ECHO:          0,     // disable echoing
-		ssh.TTY_OP_ISPEED: 14400, // input speed = 14.4kbaud
-		ssh.TTY_OP_OSPEED: 14400, // output speed = 14.4kbaud
-	}
-	// Request pseudo terminal
-	if err := session.RequestPty("xterm", 40, 80, modes); err != nil {
-		log.Fatal("request for pseudo terminal failed: ", err)
-	}
-	// Start remote shell
-	if err := session.Shell(); err != nil {
-		log.Fatal("failed to start shell: ", err)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
deleted file mode 100644
index 4f7912ec..00000000
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ /dev/null
@@ -1,646 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"crypto/rand"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"net"
-	"sync"
-)
-
-// debugHandshake, if set, prints messages sent and received.  Key
-// exchange messages are printed as if DH were used, so the debug
-// messages are wrong when using ECDH.
-const debugHandshake = false
-
-// chanSize sets the amount of buffering SSH connections. This is
-// primarily for testing: setting chanSize=0 uncovers deadlocks more
-// quickly.
-const chanSize = 16
-
-// keyingTransport is a packet based transport that supports key
-// changes. It need not be thread-safe. It should pass through
-// msgNewKeys in both directions.
-type keyingTransport interface {
-	packetConn
-
-	// prepareKeyChange sets up a key change. The key change for a
-	// direction will be effected if a msgNewKeys message is sent
-	// or received.
-	prepareKeyChange(*algorithms, *kexResult) error
-}
-
-// handshakeTransport implements rekeying on top of a keyingTransport
-// and offers a thread-safe writePacket() interface.
-type handshakeTransport struct {
-	conn   keyingTransport
-	config *Config
-
-	serverVersion []byte
-	clientVersion []byte
-
-	// hostKeys is non-empty if we are the server. In that case,
-	// it contains all host keys that can be used to sign the
-	// connection.
-	hostKeys []Signer
-
-	// hostKeyAlgorithms is non-empty if we are the client. In that case,
-	// we accept these key types from the server as host key.
-	hostKeyAlgorithms []string
-
-	// On read error, incoming is closed, and readError is set.
-	incoming  chan []byte
-	readError error
-
-	mu             sync.Mutex
-	writeError     error
-	sentInitPacket []byte
-	sentInitMsg    *kexInitMsg
-	pendingPackets [][]byte // Used when a key exchange is in progress.
-
-	// If the read loop wants to schedule a kex, it pings this
-	// channel, and the write loop will send out a kex
-	// message.
-	requestKex chan struct{}
-
-	// If the other side requests or confirms a kex, its kexInit
-	// packet is sent here for the write loop to find it.
-	startKex chan *pendingKex
-
-	// data for host key checking
-	hostKeyCallback HostKeyCallback
-	dialAddress     string
-	remoteAddr      net.Addr
-
-	// bannerCallback is non-empty if we are the client and it has been set in
-	// ClientConfig. In that case it is called during the user authentication
-	// dance to handle a custom server's message.
-	bannerCallback BannerCallback
-
-	// Algorithms agreed in the last key exchange.
-	algorithms *algorithms
-
-	readPacketsLeft uint32
-	readBytesLeft   int64
-
-	writePacketsLeft uint32
-	writeBytesLeft   int64
-
-	// The session ID or nil if first kex did not complete yet.
-	sessionID []byte
-}
-
-type pendingKex struct {
-	otherInit []byte
-	done      chan error
-}
-
-func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion []byte) *handshakeTransport {
-	t := &handshakeTransport{
-		conn:          conn,
-		serverVersion: serverVersion,
-		clientVersion: clientVersion,
-		incoming:      make(chan []byte, chanSize),
-		requestKex:    make(chan struct{}, 1),
-		startKex:      make(chan *pendingKex, 1),
-
-		config: config,
-	}
-	t.resetReadThresholds()
-	t.resetWriteThresholds()
-
-	// We always start with a mandatory key exchange.
-	t.requestKex <- struct{}{}
-	return t
-}
-
-func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ClientConfig, dialAddr string, addr net.Addr) *handshakeTransport {
-	t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
-	t.dialAddress = dialAddr
-	t.remoteAddr = addr
-	t.hostKeyCallback = config.HostKeyCallback
-	t.bannerCallback = config.BannerCallback
-	if config.HostKeyAlgorithms != nil {
-		t.hostKeyAlgorithms = config.HostKeyAlgorithms
-	} else {
-		t.hostKeyAlgorithms = supportedHostKeyAlgos
-	}
-	go t.readLoop()
-	go t.kexLoop()
-	return t
-}
-
-func newServerTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ServerConfig) *handshakeTransport {
-	t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
-	t.hostKeys = config.hostKeys
-	go t.readLoop()
-	go t.kexLoop()
-	return t
-}
-
-func (t *handshakeTransport) getSessionID() []byte {
-	return t.sessionID
-}
-
-// waitSession waits for the session to be established. This should be
-// the first thing to call after instantiating handshakeTransport.
-func (t *handshakeTransport) waitSession() error {
-	p, err := t.readPacket()
-	if err != nil {
-		return err
-	}
-	if p[0] != msgNewKeys {
-		return fmt.Errorf("ssh: first packet should be msgNewKeys")
-	}
-
-	return nil
-}
-
-func (t *handshakeTransport) id() string {
-	if len(t.hostKeys) > 0 {
-		return "server"
-	}
-	return "client"
-}
-
-func (t *handshakeTransport) printPacket(p []byte, write bool) {
-	action := "got"
-	if write {
-		action = "sent"
-	}
-
-	if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
-		log.Printf("%s %s data (packet %d bytes)", t.id(), action, len(p))
-	} else {
-		msg, err := decode(p)
-		log.Printf("%s %s %T %v (%v)", t.id(), action, msg, msg, err)
-	}
-}
-
-func (t *handshakeTransport) readPacket() ([]byte, error) {
-	p, ok := <-t.incoming
-	if !ok {
-		return nil, t.readError
-	}
-	return p, nil
-}
-
-func (t *handshakeTransport) readLoop() {
-	first := true
-	for {
-		p, err := t.readOnePacket(first)
-		first = false
-		if err != nil {
-			t.readError = err
-			close(t.incoming)
-			break
-		}
-		if p[0] == msgIgnore || p[0] == msgDebug {
-			continue
-		}
-		t.incoming <- p
-	}
-
-	// Stop writers too.
-	t.recordWriteError(t.readError)
-
-	// Unblock the writer should it wait for this.
-	close(t.startKex)
-
-	// Don't close t.requestKex; it's also written to from writePacket.
-}
-
-func (t *handshakeTransport) pushPacket(p []byte) error {
-	if debugHandshake {
-		t.printPacket(p, true)
-	}
-	return t.conn.writePacket(p)
-}
-
-func (t *handshakeTransport) getWriteError() error {
-	t.mu.Lock()
-	defer t.mu.Unlock()
-	return t.writeError
-}
-
-func (t *handshakeTransport) recordWriteError(err error) {
-	t.mu.Lock()
-	defer t.mu.Unlock()
-	if t.writeError == nil && err != nil {
-		t.writeError = err
-	}
-}
-
-func (t *handshakeTransport) requestKeyExchange() {
-	select {
-	case t.requestKex <- struct{}{}:
-	default:
-		// something already requested a kex, so do nothing.
-	}
-}
-
-func (t *handshakeTransport) resetWriteThresholds() {
-	t.writePacketsLeft = packetRekeyThreshold
-	if t.config.RekeyThreshold > 0 {
-		t.writeBytesLeft = int64(t.config.RekeyThreshold)
-	} else if t.algorithms != nil {
-		t.writeBytesLeft = t.algorithms.w.rekeyBytes()
-	} else {
-		t.writeBytesLeft = 1 << 30
-	}
-}
-
-func (t *handshakeTransport) kexLoop() {
-
-write:
-	for t.getWriteError() == nil {
-		var request *pendingKex
-		var sent bool
-
-		for request == nil || !sent {
-			var ok bool
-			select {
-			case request, ok = <-t.startKex:
-				if !ok {
-					break write
-				}
-			case <-t.requestKex:
-				break
-			}
-
-			if !sent {
-				if err := t.sendKexInit(); err != nil {
-					t.recordWriteError(err)
-					break
-				}
-				sent = true
-			}
-		}
-
-		if err := t.getWriteError(); err != nil {
-			if request != nil {
-				request.done <- err
-			}
-			break
-		}
-
-		// We're not servicing t.requestKex, but that is OK:
-		// we never block on sending to t.requestKex.
-
-		// We're not servicing t.startKex, but the remote end
-		// has just sent us a kexInitMsg, so it can't send
-		// another key change request, until we close the done
-		// channel on the pendingKex request.
-
-		err := t.enterKeyExchange(request.otherInit)
-
-		t.mu.Lock()
-		t.writeError = err
-		t.sentInitPacket = nil
-		t.sentInitMsg = nil
-
-		t.resetWriteThresholds()
-
-		// we have completed the key exchange. Since the
-		// reader is still blocked, it is safe to clear out
-		// the requestKex channel. This avoids the situation
-		// where: 1) we consumed our own request for the
-		// initial kex, and 2) the kex from the remote side
-		// caused another send on the requestKex channel,
-	clear:
-		for {
-			select {
-			case <-t.requestKex:
-				//
-			default:
-				break clear
-			}
-		}
-
-		request.done <- t.writeError
-
-		// kex finished. Push packets that we received while
-		// the kex was in progress. Don't look at t.startKex
-		// and don't increment writtenSinceKex: if we trigger
-		// another kex while we are still busy with the last
-		// one, things will become very confusing.
-		for _, p := range t.pendingPackets {
-			t.writeError = t.pushPacket(p)
-			if t.writeError != nil {
-				break
-			}
-		}
-		t.pendingPackets = t.pendingPackets[:0]
-		t.mu.Unlock()
-	}
-
-	// drain startKex channel. We don't service t.requestKex
-	// because nobody does blocking sends there.
-	go func() {
-		for init := range t.startKex {
-			init.done <- t.writeError
-		}
-	}()
-
-	// Unblock reader.
-	t.conn.Close()
-}
-
-// The protocol uses uint32 for packet counters, so we can't let them
-// reach 1<<32.  We will actually read and write more packets than
-// this, though: the other side may send more packets, and after we
-// hit this limit on writing we will send a few more packets for the
-// key exchange itself.
-const packetRekeyThreshold = (1 << 31)
-
-func (t *handshakeTransport) resetReadThresholds() {
-	t.readPacketsLeft = packetRekeyThreshold
-	if t.config.RekeyThreshold > 0 {
-		t.readBytesLeft = int64(t.config.RekeyThreshold)
-	} else if t.algorithms != nil {
-		t.readBytesLeft = t.algorithms.r.rekeyBytes()
-	} else {
-		t.readBytesLeft = 1 << 30
-	}
-}
-
-func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
-	p, err := t.conn.readPacket()
-	if err != nil {
-		return nil, err
-	}
-
-	if t.readPacketsLeft > 0 {
-		t.readPacketsLeft--
-	} else {
-		t.requestKeyExchange()
-	}
-
-	if t.readBytesLeft > 0 {
-		t.readBytesLeft -= int64(len(p))
-	} else {
-		t.requestKeyExchange()
-	}
-
-	if debugHandshake {
-		t.printPacket(p, false)
-	}
-
-	if first && p[0] != msgKexInit {
-		return nil, fmt.Errorf("ssh: first packet should be msgKexInit")
-	}
-
-	if p[0] != msgKexInit {
-		return p, nil
-	}
-
-	firstKex := t.sessionID == nil
-
-	kex := pendingKex{
-		done:      make(chan error, 1),
-		otherInit: p,
-	}
-	t.startKex <- &kex
-	err = <-kex.done
-
-	if debugHandshake {
-		log.Printf("%s exited key exchange (first %v), err %v", t.id(), firstKex, err)
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	t.resetReadThresholds()
-
-	// By default, a key exchange is hidden from higher layers by
-	// translating it into msgIgnore.
-	successPacket := []byte{msgIgnore}
-	if firstKex {
-		// sendKexInit() for the first kex waits for
-		// msgNewKeys so the authentication process is
-		// guaranteed to happen over an encrypted transport.
-		successPacket = []byte{msgNewKeys}
-	}
-
-	return successPacket, nil
-}
-
-// sendKexInit sends a key change message.
-func (t *handshakeTransport) sendKexInit() error {
-	t.mu.Lock()
-	defer t.mu.Unlock()
-	if t.sentInitMsg != nil {
-		// kexInits may be sent either in response to the other side,
-		// or because our side wants to initiate a key change, so we
-		// may have already sent a kexInit. In that case, don't send a
-		// second kexInit.
-		return nil
-	}
-
-	msg := &kexInitMsg{
-		KexAlgos:                t.config.KeyExchanges,
-		CiphersClientServer:     t.config.Ciphers,
-		CiphersServerClient:     t.config.Ciphers,
-		MACsClientServer:        t.config.MACs,
-		MACsServerClient:        t.config.MACs,
-		CompressionClientServer: supportedCompressions,
-		CompressionServerClient: supportedCompressions,
-	}
-	io.ReadFull(rand.Reader, msg.Cookie[:])
-
-	if len(t.hostKeys) > 0 {
-		for _, k := range t.hostKeys {
-			msg.ServerHostKeyAlgos = append(
-				msg.ServerHostKeyAlgos, k.PublicKey().Type())
-		}
-	} else {
-		msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
-	}
-	packet := Marshal(msg)
-
-	// writePacket destroys the contents, so save a copy.
-	packetCopy := make([]byte, len(packet))
-	copy(packetCopy, packet)
-
-	if err := t.pushPacket(packetCopy); err != nil {
-		return err
-	}
-
-	t.sentInitMsg = msg
-	t.sentInitPacket = packet
-
-	return nil
-}
-
-func (t *handshakeTransport) writePacket(p []byte) error {
-	switch p[0] {
-	case msgKexInit:
-		return errors.New("ssh: only handshakeTransport can send kexInit")
-	case msgNewKeys:
-		return errors.New("ssh: only handshakeTransport can send newKeys")
-	}
-
-	t.mu.Lock()
-	defer t.mu.Unlock()
-	if t.writeError != nil {
-		return t.writeError
-	}
-
-	if t.sentInitMsg != nil {
-		// Copy the packet so the writer can reuse the buffer.
-		cp := make([]byte, len(p))
-		copy(cp, p)
-		t.pendingPackets = append(t.pendingPackets, cp)
-		return nil
-	}
-
-	if t.writeBytesLeft > 0 {
-		t.writeBytesLeft -= int64(len(p))
-	} else {
-		t.requestKeyExchange()
-	}
-
-	if t.writePacketsLeft > 0 {
-		t.writePacketsLeft--
-	} else {
-		t.requestKeyExchange()
-	}
-
-	if err := t.pushPacket(p); err != nil {
-		t.writeError = err
-	}
-
-	return nil
-}
-
-func (t *handshakeTransport) Close() error {
-	return t.conn.Close()
-}
-
-func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
-	if debugHandshake {
-		log.Printf("%s entered key exchange", t.id())
-	}
-
-	otherInit := &kexInitMsg{}
-	if err := Unmarshal(otherInitPacket, otherInit); err != nil {
-		return err
-	}
-
-	magics := handshakeMagics{
-		clientVersion: t.clientVersion,
-		serverVersion: t.serverVersion,
-		clientKexInit: otherInitPacket,
-		serverKexInit: t.sentInitPacket,
-	}
-
-	clientInit := otherInit
-	serverInit := t.sentInitMsg
-	if len(t.hostKeys) == 0 {
-		clientInit, serverInit = serverInit, clientInit
-
-		magics.clientKexInit = t.sentInitPacket
-		magics.serverKexInit = otherInitPacket
-	}
-
-	var err error
-	t.algorithms, err = findAgreedAlgorithms(clientInit, serverInit)
-	if err != nil {
-		return err
-	}
-
-	// We don't send FirstKexFollows, but we handle receiving it.
-	//
-	// RFC 4253 section 7 defines the kex and the agreement method for
-	// first_kex_packet_follows. It states that the guessed packet
-	// should be ignored if the "kex algorithm and/or the host
-	// key algorithm is guessed wrong (server and client have
-	// different preferred algorithm), or if any of the other
-	// algorithms cannot be agreed upon". The other algorithms have
-	// already been checked above so the kex algorithm and host key
-	// algorithm are checked here.
-	if otherInit.FirstKexFollows && (clientInit.KexAlgos[0] != serverInit.KexAlgos[0] || clientInit.ServerHostKeyAlgos[0] != serverInit.ServerHostKeyAlgos[0]) {
-		// other side sent a kex message for the wrong algorithm,
-		// which we have to ignore.
-		if _, err := t.conn.readPacket(); err != nil {
-			return err
-		}
-	}
-
-	kex, ok := kexAlgoMap[t.algorithms.kex]
-	if !ok {
-		return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex)
-	}
-
-	var result *kexResult
-	if len(t.hostKeys) > 0 {
-		result, err = t.server(kex, t.algorithms, &magics)
-	} else {
-		result, err = t.client(kex, t.algorithms, &magics)
-	}
-
-	if err != nil {
-		return err
-	}
-
-	if t.sessionID == nil {
-		t.sessionID = result.H
-	}
-	result.SessionID = t.sessionID
-
-	if err := t.conn.prepareKeyChange(t.algorithms, result); err != nil {
-		return err
-	}
-	if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
-		return err
-	}
-	if packet, err := t.conn.readPacket(); err != nil {
-		return err
-	} else if packet[0] != msgNewKeys {
-		return unexpectedMessageError(msgNewKeys, packet[0])
-	}
-
-	return nil
-}
-
-func (t *handshakeTransport) server(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
-	var hostKey Signer
-	for _, k := range t.hostKeys {
-		if algs.hostKey == k.PublicKey().Type() {
-			hostKey = k
-		}
-	}
-
-	r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey)
-	return r, err
-}
-
-func (t *handshakeTransport) client(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
-	result, err := kex.Client(t.conn, t.config.Rand, magics)
-	if err != nil {
-		return nil, err
-	}
-
-	hostKey, err := ParsePublicKey(result.HostKey)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := verifyHostKeySignature(hostKey, result); err != nil {
-		return nil, err
-	}
-
-	err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey)
-	if err != nil {
-		return nil, err
-	}
-
-	return result, nil
-}
diff --git a/vendor/golang.org/x/crypto/ssh/handshake_test.go b/vendor/golang.org/x/crypto/ssh/handshake_test.go
deleted file mode 100644
index 91d49356..00000000
--- a/vendor/golang.org/x/crypto/ssh/handshake_test.go
+++ /dev/null
@@ -1,559 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/rand"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"reflect"
-	"runtime"
-	"strings"
-	"sync"
-	"testing"
-)
-
-type testChecker struct {
-	calls []string
-}
-
-func (t *testChecker) Check(dialAddr string, addr net.Addr, key PublicKey) error {
-	if dialAddr == "bad" {
-		return fmt.Errorf("dialAddr is bad")
-	}
-
-	if tcpAddr, ok := addr.(*net.TCPAddr); !ok || tcpAddr == nil {
-		return fmt.Errorf("testChecker: got %T want *net.TCPAddr", addr)
-	}
-
-	t.calls = append(t.calls, fmt.Sprintf("%s %v %s %x", dialAddr, addr, key.Type(), key.Marshal()))
-
-	return nil
-}
-
-// netPipe is analogous to net.Pipe, but it uses a real net.Conn, and
-// therefore is buffered (net.Pipe deadlocks if both sides start with
-// a write.)
-func netPipe() (net.Conn, net.Conn, error) {
-	listener, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		listener, err = net.Listen("tcp", "[::1]:0")
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-	defer listener.Close()
-	c1, err := net.Dial("tcp", listener.Addr().String())
-	if err != nil {
-		return nil, nil, err
-	}
-
-	c2, err := listener.Accept()
-	if err != nil {
-		c1.Close()
-		return nil, nil, err
-	}
-
-	return c1, c2, nil
-}
-
-// noiseTransport inserts ignore messages to check that the read loop
-// and the key exchange filters out these messages.
-type noiseTransport struct {
-	keyingTransport
-}
-
-func (t *noiseTransport) writePacket(p []byte) error {
-	ignore := []byte{msgIgnore}
-	if err := t.keyingTransport.writePacket(ignore); err != nil {
-		return err
-	}
-	debug := []byte{msgDebug, 1, 2, 3}
-	if err := t.keyingTransport.writePacket(debug); err != nil {
-		return err
-	}
-
-	return t.keyingTransport.writePacket(p)
-}
-
-func addNoiseTransport(t keyingTransport) keyingTransport {
-	return &noiseTransport{t}
-}
-
-// handshakePair creates two handshakeTransports connected with each
-// other. If the noise argument is true, both transports will try to
-// confuse the other side by sending ignore and debug messages.
-func handshakePair(clientConf *ClientConfig, addr string, noise bool) (client *handshakeTransport, server *handshakeTransport, err error) {
-	a, b, err := netPipe()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	var trC, trS keyingTransport
-
-	trC = newTransport(a, rand.Reader, true)
-	trS = newTransport(b, rand.Reader, false)
-	if noise {
-		trC = addNoiseTransport(trC)
-		trS = addNoiseTransport(trS)
-	}
-	clientConf.SetDefaults()
-
-	v := []byte("version")
-	client = newClientTransport(trC, v, v, clientConf, addr, a.RemoteAddr())
-
-	serverConf := &ServerConfig{}
-	serverConf.AddHostKey(testSigners["ecdsa"])
-	serverConf.AddHostKey(testSigners["rsa"])
-	serverConf.SetDefaults()
-	server = newServerTransport(trS, v, v, serverConf)
-
-	if err := server.waitSession(); err != nil {
-		return nil, nil, fmt.Errorf("server.waitSession: %v", err)
-	}
-	if err := client.waitSession(); err != nil {
-		return nil, nil, fmt.Errorf("client.waitSession: %v", err)
-	}
-
-	return client, server, nil
-}
-
-func TestHandshakeBasic(t *testing.T) {
-	if runtime.GOOS == "plan9" {
-		t.Skip("see golang.org/issue/7237")
-	}
-
-	checker := &syncChecker{
-		waitCall: make(chan int, 10),
-		called:   make(chan int, 10),
-	}
-
-	checker.waitCall <- 1
-	trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr", false)
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-
-	defer trC.Close()
-	defer trS.Close()
-
-	// Let first kex complete normally.
-	<-checker.called
-
-	clientDone := make(chan int, 0)
-	gotHalf := make(chan int, 0)
-	const N = 20
-
-	go func() {
-		defer close(clientDone)
-		// Client writes a bunch of stuff, and does a key
-		// change in the middle. This should not confuse the
-		// handshake in progress. We do this twice, so we test
-		// that the packet buffer is reset correctly.
-		for i := 0; i < N; i++ {
-			p := []byte{msgRequestSuccess, byte(i)}
-			if err := trC.writePacket(p); err != nil {
-				t.Fatalf("sendPacket: %v", err)
-			}
-			if (i % 10) == 5 {
-				<-gotHalf
-				// halfway through, we request a key change.
-				trC.requestKeyExchange()
-
-				// Wait until we can be sure the key
-				// change has really started before we
-				// write more.
-				<-checker.called
-			}
-			if (i % 10) == 7 {
-				// write some packets until the kex
-				// completes, to test buffering of
-				// packets.
-				checker.waitCall <- 1
-			}
-		}
-	}()
-
-	// Server checks that client messages come in cleanly
-	i := 0
-	err = nil
-	for ; i < N; i++ {
-		var p []byte
-		p, err = trS.readPacket()
-		if err != nil {
-			break
-		}
-		if (i % 10) == 5 {
-			gotHalf <- 1
-		}
-
-		want := []byte{msgRequestSuccess, byte(i)}
-		if bytes.Compare(p, want) != 0 {
-			t.Errorf("message %d: got %v, want %v", i, p, want)
-		}
-	}
-	<-clientDone
-	if err != nil && err != io.EOF {
-		t.Fatalf("server error: %v", err)
-	}
-	if i != N {
-		t.Errorf("received %d messages, want 10.", i)
-	}
-
-	close(checker.called)
-	if _, ok := <-checker.called; ok {
-		// If all went well, we registered exactly 2 key changes: one
-		// that establishes the session, and one that we requested
-		// additionally.
-		t.Fatalf("got another host key checks after 2 handshakes")
-	}
-}
-
-func TestForceFirstKex(t *testing.T) {
-	// like handshakePair, but must access the keyingTransport.
-	checker := &testChecker{}
-	clientConf := &ClientConfig{HostKeyCallback: checker.Check}
-	a, b, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-
-	var trC, trS keyingTransport
-
-	trC = newTransport(a, rand.Reader, true)
-
-	// This is the disallowed packet:
-	trC.writePacket(Marshal(&serviceRequestMsg{serviceUserAuth}))
-
-	// Rest of the setup.
-	trS = newTransport(b, rand.Reader, false)
-	clientConf.SetDefaults()
-
-	v := []byte("version")
-	client := newClientTransport(trC, v, v, clientConf, "addr", a.RemoteAddr())
-
-	serverConf := &ServerConfig{}
-	serverConf.AddHostKey(testSigners["ecdsa"])
-	serverConf.AddHostKey(testSigners["rsa"])
-	serverConf.SetDefaults()
-	server := newServerTransport(trS, v, v, serverConf)
-
-	defer client.Close()
-	defer server.Close()
-
-	// We setup the initial key exchange, but the remote side
-	// tries to send serviceRequestMsg in cleartext, which is
-	// disallowed.
-
-	if err := server.waitSession(); err == nil {
-		t.Errorf("server first kex init should reject unexpected packet")
-	}
-}
-
-func TestHandshakeAutoRekeyWrite(t *testing.T) {
-	checker := &syncChecker{
-		called:   make(chan int, 10),
-		waitCall: nil,
-	}
-	clientConf := &ClientConfig{HostKeyCallback: checker.Check}
-	clientConf.RekeyThreshold = 500
-	trC, trS, err := handshakePair(clientConf, "addr", false)
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-	defer trC.Close()
-	defer trS.Close()
-
-	input := make([]byte, 251)
-	input[0] = msgRequestSuccess
-
-	done := make(chan int, 1)
-	const numPacket = 5
-	go func() {
-		defer close(done)
-		j := 0
-		for ; j < numPacket; j++ {
-			if p, err := trS.readPacket(); err != nil {
-				break
-			} else if !bytes.Equal(input, p) {
-				t.Errorf("got packet type %d, want %d", p[0], input[0])
-			}
-		}
-
-		if j != numPacket {
-			t.Errorf("got %d, want 5 messages", j)
-		}
-	}()
-
-	<-checker.called
-
-	for i := 0; i < numPacket; i++ {
-		p := make([]byte, len(input))
-		copy(p, input)
-		if err := trC.writePacket(p); err != nil {
-			t.Errorf("writePacket: %v", err)
-		}
-		if i == 2 {
-			// Make sure the kex is in progress.
-			<-checker.called
-		}
-
-	}
-	<-done
-}
-
-type syncChecker struct {
-	waitCall chan int
-	called   chan int
-}
-
-func (c *syncChecker) Check(dialAddr string, addr net.Addr, key PublicKey) error {
-	c.called <- 1
-	if c.waitCall != nil {
-		<-c.waitCall
-	}
-	return nil
-}
-
-func TestHandshakeAutoRekeyRead(t *testing.T) {
-	sync := &syncChecker{
-		called:   make(chan int, 2),
-		waitCall: nil,
-	}
-	clientConf := &ClientConfig{
-		HostKeyCallback: sync.Check,
-	}
-	clientConf.RekeyThreshold = 500
-
-	trC, trS, err := handshakePair(clientConf, "addr", false)
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-	defer trC.Close()
-	defer trS.Close()
-
-	packet := make([]byte, 501)
-	packet[0] = msgRequestSuccess
-	if err := trS.writePacket(packet); err != nil {
-		t.Fatalf("writePacket: %v", err)
-	}
-
-	// While we read out the packet, a key change will be
-	// initiated.
-	done := make(chan int, 1)
-	go func() {
-		defer close(done)
-		if _, err := trC.readPacket(); err != nil {
-			t.Fatalf("readPacket(client): %v", err)
-		}
-
-	}()
-
-	<-done
-	<-sync.called
-}
-
-// errorKeyingTransport generates errors after a given number of
-// read/write operations.
-type errorKeyingTransport struct {
-	packetConn
-	readLeft, writeLeft int
-}
-
-func (n *errorKeyingTransport) prepareKeyChange(*algorithms, *kexResult) error {
-	return nil
-}
-
-func (n *errorKeyingTransport) getSessionID() []byte {
-	return nil
-}
-
-func (n *errorKeyingTransport) writePacket(packet []byte) error {
-	if n.writeLeft == 0 {
-		n.Close()
-		return errors.New("barf")
-	}
-
-	n.writeLeft--
-	return n.packetConn.writePacket(packet)
-}
-
-func (n *errorKeyingTransport) readPacket() ([]byte, error) {
-	if n.readLeft == 0 {
-		n.Close()
-		return nil, errors.New("barf")
-	}
-
-	n.readLeft--
-	return n.packetConn.readPacket()
-}
-
-func TestHandshakeErrorHandlingRead(t *testing.T) {
-	for i := 0; i < 20; i++ {
-		testHandshakeErrorHandlingN(t, i, -1, false)
-	}
-}
-
-func TestHandshakeErrorHandlingWrite(t *testing.T) {
-	for i := 0; i < 20; i++ {
-		testHandshakeErrorHandlingN(t, -1, i, false)
-	}
-}
-
-func TestHandshakeErrorHandlingReadCoupled(t *testing.T) {
-	for i := 0; i < 20; i++ {
-		testHandshakeErrorHandlingN(t, i, -1, true)
-	}
-}
-
-func TestHandshakeErrorHandlingWriteCoupled(t *testing.T) {
-	for i := 0; i < 20; i++ {
-		testHandshakeErrorHandlingN(t, -1, i, true)
-	}
-}
-
-// testHandshakeErrorHandlingN runs handshakes, injecting errors. If
-// handshakeTransport deadlocks, the go runtime will detect it and
-// panic.
-func testHandshakeErrorHandlingN(t *testing.T, readLimit, writeLimit int, coupled bool) {
-	msg := Marshal(&serviceRequestMsg{strings.Repeat("x", int(minRekeyThreshold)/4)})
-
-	a, b := memPipe()
-	defer a.Close()
-	defer b.Close()
-
-	key := testSigners["ecdsa"]
-	serverConf := Config{RekeyThreshold: minRekeyThreshold}
-	serverConf.SetDefaults()
-	serverConn := newHandshakeTransport(&errorKeyingTransport{a, readLimit, writeLimit}, &serverConf, []byte{'a'}, []byte{'b'})
-	serverConn.hostKeys = []Signer{key}
-	go serverConn.readLoop()
-	go serverConn.kexLoop()
-
-	clientConf := Config{RekeyThreshold: 10 * minRekeyThreshold}
-	clientConf.SetDefaults()
-	clientConn := newHandshakeTransport(&errorKeyingTransport{b, -1, -1}, &clientConf, []byte{'a'}, []byte{'b'})
-	clientConn.hostKeyAlgorithms = []string{key.PublicKey().Type()}
-	clientConn.hostKeyCallback = InsecureIgnoreHostKey()
-	go clientConn.readLoop()
-	go clientConn.kexLoop()
-
-	var wg sync.WaitGroup
-
-	for _, hs := range []packetConn{serverConn, clientConn} {
-		if !coupled {
-			wg.Add(2)
-			go func(c packetConn) {
-				for i := 0; ; i++ {
-					str := fmt.Sprintf("%08x", i) + strings.Repeat("x", int(minRekeyThreshold)/4-8)
-					err := c.writePacket(Marshal(&serviceRequestMsg{str}))
-					if err != nil {
-						break
-					}
-				}
-				wg.Done()
-				c.Close()
-			}(hs)
-			go func(c packetConn) {
-				for {
-					_, err := c.readPacket()
-					if err != nil {
-						break
-					}
-				}
-				wg.Done()
-			}(hs)
-		} else {
-			wg.Add(1)
-			go func(c packetConn) {
-				for {
-					_, err := c.readPacket()
-					if err != nil {
-						break
-					}
-					if err := c.writePacket(msg); err != nil {
-						break
-					}
-
-				}
-				wg.Done()
-			}(hs)
-		}
-	}
-	wg.Wait()
-}
-
-func TestDisconnect(t *testing.T) {
-	if runtime.GOOS == "plan9" {
-		t.Skip("see golang.org/issue/7237")
-	}
-	checker := &testChecker{}
-	trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr", false)
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-
-	defer trC.Close()
-	defer trS.Close()
-
-	trC.writePacket([]byte{msgRequestSuccess, 0, 0})
-	errMsg := &disconnectMsg{
-		Reason:  42,
-		Message: "such is life",
-	}
-	trC.writePacket(Marshal(errMsg))
-	trC.writePacket([]byte{msgRequestSuccess, 0, 0})
-
-	packet, err := trS.readPacket()
-	if err != nil {
-		t.Fatalf("readPacket 1: %v", err)
-	}
-	if packet[0] != msgRequestSuccess {
-		t.Errorf("got packet %v, want packet type %d", packet, msgRequestSuccess)
-	}
-
-	_, err = trS.readPacket()
-	if err == nil {
-		t.Errorf("readPacket 2 succeeded")
-	} else if !reflect.DeepEqual(err, errMsg) {
-		t.Errorf("got error %#v, want %#v", err, errMsg)
-	}
-
-	_, err = trS.readPacket()
-	if err == nil {
-		t.Errorf("readPacket 3 succeeded")
-	}
-}
-
-func TestHandshakeRekeyDefault(t *testing.T) {
-	clientConf := &ClientConfig{
-		Config: Config{
-			Ciphers: []string{"aes128-ctr"},
-		},
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	trC, trS, err := handshakePair(clientConf, "addr", false)
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-	defer trC.Close()
-	defer trS.Close()
-
-	trC.writePacket([]byte{msgRequestSuccess, 0, 0})
-	trC.Close()
-
-	rgb := (1024 + trC.readBytesLeft) >> 30
-	wgb := (1024 + trC.writeBytesLeft) >> 30
-
-	if rgb != 64 {
-		t.Errorf("got rekey after %dG read, want 64G", rgb)
-	}
-	if wgb != 64 {
-		t.Errorf("got rekey after %dG write, want 64G", wgb)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/kex.go b/vendor/golang.org/x/crypto/ssh/kex.go
deleted file mode 100644
index f34bcc01..00000000
--- a/vendor/golang.org/x/crypto/ssh/kex.go
+++ /dev/null
@@ -1,540 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/subtle"
-	"errors"
-	"io"
-	"math/big"
-
-	"golang.org/x/crypto/curve25519"
-)
-
-const (
-	kexAlgoDH1SHA1          = "diffie-hellman-group1-sha1"
-	kexAlgoDH14SHA1         = "diffie-hellman-group14-sha1"
-	kexAlgoECDH256          = "ecdh-sha2-nistp256"
-	kexAlgoECDH384          = "ecdh-sha2-nistp384"
-	kexAlgoECDH521          = "ecdh-sha2-nistp521"
-	kexAlgoCurve25519SHA256 = "curve25519-sha256@libssh.org"
-)
-
-// kexResult captures the outcome of a key exchange.
-type kexResult struct {
-	// Session hash. See also RFC 4253, section 8.
-	H []byte
-
-	// Shared secret. See also RFC 4253, section 8.
-	K []byte
-
-	// Host key as hashed into H.
-	HostKey []byte
-
-	// Signature of H.
-	Signature []byte
-
-	// A cryptographic hash function that matches the security
-	// level of the key exchange algorithm. It is used for
-	// calculating H, and for deriving keys from H and K.
-	Hash crypto.Hash
-
-	// The session ID, which is the first H computed. This is used
-	// to derive key material inside the transport.
-	SessionID []byte
-}
-
-// handshakeMagics contains data that is always included in the
-// session hash.
-type handshakeMagics struct {
-	clientVersion, serverVersion []byte
-	clientKexInit, serverKexInit []byte
-}
-
-func (m *handshakeMagics) write(w io.Writer) {
-	writeString(w, m.clientVersion)
-	writeString(w, m.serverVersion)
-	writeString(w, m.clientKexInit)
-	writeString(w, m.serverKexInit)
-}
-
-// kexAlgorithm abstracts different key exchange algorithms.
-type kexAlgorithm interface {
-	// Server runs server-side key agreement, signing the result
-	// with a hostkey.
-	Server(p packetConn, rand io.Reader, magics *handshakeMagics, s Signer) (*kexResult, error)
-
-	// Client runs the client-side key agreement. Caller is
-	// responsible for verifying the host key signature.
-	Client(p packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error)
-}
-
-// dhGroup is a multiplicative group suitable for implementing Diffie-Hellman key agreement.
-type dhGroup struct {
-	g, p, pMinus1 *big.Int
-}
-
-func (group *dhGroup) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int, error) {
-	if theirPublic.Cmp(bigOne) <= 0 || theirPublic.Cmp(group.pMinus1) >= 0 {
-		return nil, errors.New("ssh: DH parameter out of bounds")
-	}
-	return new(big.Int).Exp(theirPublic, myPrivate, group.p), nil
-}
-
-func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
-	hashFunc := crypto.SHA1
-
-	var x *big.Int
-	for {
-		var err error
-		if x, err = rand.Int(randSource, group.pMinus1); err != nil {
-			return nil, err
-		}
-		if x.Sign() > 0 {
-			break
-		}
-	}
-
-	X := new(big.Int).Exp(group.g, x, group.p)
-	kexDHInit := kexDHInitMsg{
-		X: X,
-	}
-	if err := c.writePacket(Marshal(&kexDHInit)); err != nil {
-		return nil, err
-	}
-
-	packet, err := c.readPacket()
-	if err != nil {
-		return nil, err
-	}
-
-	var kexDHReply kexDHReplyMsg
-	if err = Unmarshal(packet, &kexDHReply); err != nil {
-		return nil, err
-	}
-
-	ki, err := group.diffieHellman(kexDHReply.Y, x)
-	if err != nil {
-		return nil, err
-	}
-
-	h := hashFunc.New()
-	magics.write(h)
-	writeString(h, kexDHReply.HostKey)
-	writeInt(h, X)
-	writeInt(h, kexDHReply.Y)
-	K := make([]byte, intLength(ki))
-	marshalInt(K, ki)
-	h.Write(K)
-
-	return &kexResult{
-		H:         h.Sum(nil),
-		K:         K,
-		HostKey:   kexDHReply.HostKey,
-		Signature: kexDHReply.Signature,
-		Hash:      crypto.SHA1,
-	}, nil
-}
-
-func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
-	hashFunc := crypto.SHA1
-	packet, err := c.readPacket()
-	if err != nil {
-		return
-	}
-	var kexDHInit kexDHInitMsg
-	if err = Unmarshal(packet, &kexDHInit); err != nil {
-		return
-	}
-
-	var y *big.Int
-	for {
-		if y, err = rand.Int(randSource, group.pMinus1); err != nil {
-			return
-		}
-		if y.Sign() > 0 {
-			break
-		}
-	}
-
-	Y := new(big.Int).Exp(group.g, y, group.p)
-	ki, err := group.diffieHellman(kexDHInit.X, y)
-	if err != nil {
-		return nil, err
-	}
-
-	hostKeyBytes := priv.PublicKey().Marshal()
-
-	h := hashFunc.New()
-	magics.write(h)
-	writeString(h, hostKeyBytes)
-	writeInt(h, kexDHInit.X)
-	writeInt(h, Y)
-
-	K := make([]byte, intLength(ki))
-	marshalInt(K, ki)
-	h.Write(K)
-
-	H := h.Sum(nil)
-
-	// H is already a hash, but the hostkey signing will apply its
-	// own key-specific hash algorithm.
-	sig, err := signAndMarshal(priv, randSource, H)
-	if err != nil {
-		return nil, err
-	}
-
-	kexDHReply := kexDHReplyMsg{
-		HostKey:   hostKeyBytes,
-		Y:         Y,
-		Signature: sig,
-	}
-	packet = Marshal(&kexDHReply)
-
-	err = c.writePacket(packet)
-	return &kexResult{
-		H:         H,
-		K:         K,
-		HostKey:   hostKeyBytes,
-		Signature: sig,
-		Hash:      crypto.SHA1,
-	}, nil
-}
-
-// ecdh performs Elliptic Curve Diffie-Hellman key exchange as
-// described in RFC 5656, section 4.
-type ecdh struct {
-	curve elliptic.Curve
-}
-
-func (kex *ecdh) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
-	ephKey, err := ecdsa.GenerateKey(kex.curve, rand)
-	if err != nil {
-		return nil, err
-	}
-
-	kexInit := kexECDHInitMsg{
-		ClientPubKey: elliptic.Marshal(kex.curve, ephKey.PublicKey.X, ephKey.PublicKey.Y),
-	}
-
-	serialized := Marshal(&kexInit)
-	if err := c.writePacket(serialized); err != nil {
-		return nil, err
-	}
-
-	packet, err := c.readPacket()
-	if err != nil {
-		return nil, err
-	}
-
-	var reply kexECDHReplyMsg
-	if err = Unmarshal(packet, &reply); err != nil {
-		return nil, err
-	}
-
-	x, y, err := unmarshalECKey(kex.curve, reply.EphemeralPubKey)
-	if err != nil {
-		return nil, err
-	}
-
-	// generate shared secret
-	secret, _ := kex.curve.ScalarMult(x, y, ephKey.D.Bytes())
-
-	h := ecHash(kex.curve).New()
-	magics.write(h)
-	writeString(h, reply.HostKey)
-	writeString(h, kexInit.ClientPubKey)
-	writeString(h, reply.EphemeralPubKey)
-	K := make([]byte, intLength(secret))
-	marshalInt(K, secret)
-	h.Write(K)
-
-	return &kexResult{
-		H:         h.Sum(nil),
-		K:         K,
-		HostKey:   reply.HostKey,
-		Signature: reply.Signature,
-		Hash:      ecHash(kex.curve),
-	}, nil
-}
-
-// unmarshalECKey parses and checks an EC key.
-func unmarshalECKey(curve elliptic.Curve, pubkey []byte) (x, y *big.Int, err error) {
-	x, y = elliptic.Unmarshal(curve, pubkey)
-	if x == nil {
-		return nil, nil, errors.New("ssh: elliptic.Unmarshal failure")
-	}
-	if !validateECPublicKey(curve, x, y) {
-		return nil, nil, errors.New("ssh: public key not on curve")
-	}
-	return x, y, nil
-}
-
-// validateECPublicKey checks that the point is a valid public key for
-// the given curve. See [SEC1], 3.2.2
-func validateECPublicKey(curve elliptic.Curve, x, y *big.Int) bool {
-	if x.Sign() == 0 && y.Sign() == 0 {
-		return false
-	}
-
-	if x.Cmp(curve.Params().P) >= 0 {
-		return false
-	}
-
-	if y.Cmp(curve.Params().P) >= 0 {
-		return false
-	}
-
-	if !curve.IsOnCurve(x, y) {
-		return false
-	}
-
-	// We don't check if N * PubKey == 0, since
-	//
-	// - the NIST curves have cofactor = 1, so this is implicit.
-	// (We don't foresee an implementation that supports non NIST
-	// curves)
-	//
-	// - for ephemeral keys, we don't need to worry about small
-	// subgroup attacks.
-	return true
-}
-
-func (kex *ecdh) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
-	packet, err := c.readPacket()
-	if err != nil {
-		return nil, err
-	}
-
-	var kexECDHInit kexECDHInitMsg
-	if err = Unmarshal(packet, &kexECDHInit); err != nil {
-		return nil, err
-	}
-
-	clientX, clientY, err := unmarshalECKey(kex.curve, kexECDHInit.ClientPubKey)
-	if err != nil {
-		return nil, err
-	}
-
-	// We could cache this key across multiple users/multiple
-	// connection attempts, but the benefit is small. OpenSSH
-	// generates a new key for each incoming connection.
-	ephKey, err := ecdsa.GenerateKey(kex.curve, rand)
-	if err != nil {
-		return nil, err
-	}
-
-	hostKeyBytes := priv.PublicKey().Marshal()
-
-	serializedEphKey := elliptic.Marshal(kex.curve, ephKey.PublicKey.X, ephKey.PublicKey.Y)
-
-	// generate shared secret
-	secret, _ := kex.curve.ScalarMult(clientX, clientY, ephKey.D.Bytes())
-
-	h := ecHash(kex.curve).New()
-	magics.write(h)
-	writeString(h, hostKeyBytes)
-	writeString(h, kexECDHInit.ClientPubKey)
-	writeString(h, serializedEphKey)
-
-	K := make([]byte, intLength(secret))
-	marshalInt(K, secret)
-	h.Write(K)
-
-	H := h.Sum(nil)
-
-	// H is already a hash, but the hostkey signing will apply its
-	// own key-specific hash algorithm.
-	sig, err := signAndMarshal(priv, rand, H)
-	if err != nil {
-		return nil, err
-	}
-
-	reply := kexECDHReplyMsg{
-		EphemeralPubKey: serializedEphKey,
-		HostKey:         hostKeyBytes,
-		Signature:       sig,
-	}
-
-	serialized := Marshal(&reply)
-	if err := c.writePacket(serialized); err != nil {
-		return nil, err
-	}
-
-	return &kexResult{
-		H:         H,
-		K:         K,
-		HostKey:   reply.HostKey,
-		Signature: sig,
-		Hash:      ecHash(kex.curve),
-	}, nil
-}
-
-var kexAlgoMap = map[string]kexAlgorithm{}
-
-func init() {
-	// This is the group called diffie-hellman-group1-sha1 in RFC
-	// 4253 and Oakley Group 2 in RFC 2409.
-	p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
-	kexAlgoMap[kexAlgoDH1SHA1] = &dhGroup{
-		g:       new(big.Int).SetInt64(2),
-		p:       p,
-		pMinus1: new(big.Int).Sub(p, bigOne),
-	}
-
-	// This is the group called diffie-hellman-group14-sha1 in RFC
-	// 4253 and Oakley Group 14 in RFC 3526.
-	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
-
-	kexAlgoMap[kexAlgoDH14SHA1] = &dhGroup{
-		g:       new(big.Int).SetInt64(2),
-		p:       p,
-		pMinus1: new(big.Int).Sub(p, bigOne),
-	}
-
-	kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
-	kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
-	kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}
-	kexAlgoMap[kexAlgoCurve25519SHA256] = &curve25519sha256{}
-}
-
-// curve25519sha256 implements the curve25519-sha256@libssh.org key
-// agreement protocol, as described in
-// https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt
-type curve25519sha256 struct{}
-
-type curve25519KeyPair struct {
-	priv [32]byte
-	pub  [32]byte
-}
-
-func (kp *curve25519KeyPair) generate(rand io.Reader) error {
-	if _, err := io.ReadFull(rand, kp.priv[:]); err != nil {
-		return err
-	}
-	curve25519.ScalarBaseMult(&kp.pub, &kp.priv)
-	return nil
-}
-
-// curve25519Zeros is just an array of 32 zero bytes so that we have something
-// convenient to compare against in order to reject curve25519 points with the
-// wrong order.
-var curve25519Zeros [32]byte
-
-func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
-	var kp curve25519KeyPair
-	if err := kp.generate(rand); err != nil {
-		return nil, err
-	}
-	if err := c.writePacket(Marshal(&kexECDHInitMsg{kp.pub[:]})); err != nil {
-		return nil, err
-	}
-
-	packet, err := c.readPacket()
-	if err != nil {
-		return nil, err
-	}
-
-	var reply kexECDHReplyMsg
-	if err = Unmarshal(packet, &reply); err != nil {
-		return nil, err
-	}
-	if len(reply.EphemeralPubKey) != 32 {
-		return nil, errors.New("ssh: peer's curve25519 public value has wrong length")
-	}
-
-	var servPub, secret [32]byte
-	copy(servPub[:], reply.EphemeralPubKey)
-	curve25519.ScalarMult(&secret, &kp.priv, &servPub)
-	if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
-		return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
-	}
-
-	h := crypto.SHA256.New()
-	magics.write(h)
-	writeString(h, reply.HostKey)
-	writeString(h, kp.pub[:])
-	writeString(h, reply.EphemeralPubKey)
-
-	ki := new(big.Int).SetBytes(secret[:])
-	K := make([]byte, intLength(ki))
-	marshalInt(K, ki)
-	h.Write(K)
-
-	return &kexResult{
-		H:         h.Sum(nil),
-		K:         K,
-		HostKey:   reply.HostKey,
-		Signature: reply.Signature,
-		Hash:      crypto.SHA256,
-	}, nil
-}
-
-func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
-	packet, err := c.readPacket()
-	if err != nil {
-		return
-	}
-	var kexInit kexECDHInitMsg
-	if err = Unmarshal(packet, &kexInit); err != nil {
-		return
-	}
-
-	if len(kexInit.ClientPubKey) != 32 {
-		return nil, errors.New("ssh: peer's curve25519 public value has wrong length")
-	}
-
-	var kp curve25519KeyPair
-	if err := kp.generate(rand); err != nil {
-		return nil, err
-	}
-
-	var clientPub, secret [32]byte
-	copy(clientPub[:], kexInit.ClientPubKey)
-	curve25519.ScalarMult(&secret, &kp.priv, &clientPub)
-	if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
-		return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
-	}
-
-	hostKeyBytes := priv.PublicKey().Marshal()
-
-	h := crypto.SHA256.New()
-	magics.write(h)
-	writeString(h, hostKeyBytes)
-	writeString(h, kexInit.ClientPubKey)
-	writeString(h, kp.pub[:])
-
-	ki := new(big.Int).SetBytes(secret[:])
-	K := make([]byte, intLength(ki))
-	marshalInt(K, ki)
-	h.Write(K)
-
-	H := h.Sum(nil)
-
-	sig, err := signAndMarshal(priv, rand, H)
-	if err != nil {
-		return nil, err
-	}
-
-	reply := kexECDHReplyMsg{
-		EphemeralPubKey: kp.pub[:],
-		HostKey:         hostKeyBytes,
-		Signature:       sig,
-	}
-	if err := c.writePacket(Marshal(&reply)); err != nil {
-		return nil, err
-	}
-	return &kexResult{
-		H:         H,
-		K:         K,
-		HostKey:   hostKeyBytes,
-		Signature: sig,
-		Hash:      crypto.SHA256,
-	}, nil
-}
diff --git a/vendor/golang.org/x/crypto/ssh/kex_test.go b/vendor/golang.org/x/crypto/ssh/kex_test.go
deleted file mode 100644
index 12ca0acd..00000000
--- a/vendor/golang.org/x/crypto/ssh/kex_test.go
+++ /dev/null
@@ -1,50 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-// Key exchange tests.
-
-import (
-	"crypto/rand"
-	"reflect"
-	"testing"
-)
-
-func TestKexes(t *testing.T) {
-	type kexResultErr struct {
-		result *kexResult
-		err    error
-	}
-
-	for name, kex := range kexAlgoMap {
-		a, b := memPipe()
-
-		s := make(chan kexResultErr, 1)
-		c := make(chan kexResultErr, 1)
-		var magics handshakeMagics
-		go func() {
-			r, e := kex.Client(a, rand.Reader, &magics)
-			a.Close()
-			c <- kexResultErr{r, e}
-		}()
-		go func() {
-			r, e := kex.Server(b, rand.Reader, &magics, testSigners["ecdsa"])
-			b.Close()
-			s <- kexResultErr{r, e}
-		}()
-
-		clientRes := <-c
-		serverRes := <-s
-		if clientRes.err != nil {
-			t.Errorf("client: %v", clientRes.err)
-		}
-		if serverRes.err != nil {
-			t.Errorf("server: %v", serverRes.err)
-		}
-		if !reflect.DeepEqual(clientRes.result, serverRes.result) {
-			t.Errorf("kex %q: mismatch %#v, %#v", name, clientRes.result, serverRes.result)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/keys.go b/vendor/golang.org/x/crypto/ssh/keys.go
deleted file mode 100644
index dadf41ab..00000000
--- a/vendor/golang.org/x/crypto/ssh/keys.go
+++ /dev/null
@@ -1,1031 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/md5"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/asn1"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	"math/big"
-	"strings"
-
-	"golang.org/x/crypto/ed25519"
-)
-
-// These constants represent the algorithm names for key types supported by this
-// package.
-const (
-	KeyAlgoRSA      = "ssh-rsa"
-	KeyAlgoDSA      = "ssh-dss"
-	KeyAlgoECDSA256 = "ecdsa-sha2-nistp256"
-	KeyAlgoECDSA384 = "ecdsa-sha2-nistp384"
-	KeyAlgoECDSA521 = "ecdsa-sha2-nistp521"
-	KeyAlgoED25519  = "ssh-ed25519"
-)
-
-// parsePubKey parses a public key of the given algorithm.
-// Use ParsePublicKey for keys with prepended algorithm.
-func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err error) {
-	switch algo {
-	case KeyAlgoRSA:
-		return parseRSA(in)
-	case KeyAlgoDSA:
-		return parseDSA(in)
-	case KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521:
-		return parseECDSA(in)
-	case KeyAlgoED25519:
-		return parseED25519(in)
-	case CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01:
-		cert, err := parseCert(in, certToPrivAlgo(algo))
-		if err != nil {
-			return nil, nil, err
-		}
-		return cert, nil, nil
-	}
-	return nil, nil, fmt.Errorf("ssh: unknown key algorithm: %v", algo)
-}
-
-// parseAuthorizedKey parses a public key in OpenSSH authorized_keys format
-// (see sshd(8) manual page) once the options and key type fields have been
-// removed.
-func parseAuthorizedKey(in []byte) (out PublicKey, comment string, err error) {
-	in = bytes.TrimSpace(in)
-
-	i := bytes.IndexAny(in, " \t")
-	if i == -1 {
-		i = len(in)
-	}
-	base64Key := in[:i]
-
-	key := make([]byte, base64.StdEncoding.DecodedLen(len(base64Key)))
-	n, err := base64.StdEncoding.Decode(key, base64Key)
-	if err != nil {
-		return nil, "", err
-	}
-	key = key[:n]
-	out, err = ParsePublicKey(key)
-	if err != nil {
-		return nil, "", err
-	}
-	comment = string(bytes.TrimSpace(in[i:]))
-	return out, comment, nil
-}
-
-// ParseKnownHosts parses an entry in the format of the known_hosts file.
-//
-// The known_hosts format is documented in the sshd(8) manual page. This
-// function will parse a single entry from in. On successful return, marker
-// will contain the optional marker value (i.e. "cert-authority" or "revoked")
-// or else be empty, hosts will contain the hosts that this entry matches,
-// pubKey will contain the public key and comment will contain any trailing
-// comment at the end of the line. See the sshd(8) manual page for the various
-// forms that a host string can take.
-//
-// The unparsed remainder of the input will be returned in rest. This function
-// can be called repeatedly to parse multiple entries.
-//
-// If no entries were found in the input then err will be io.EOF. Otherwise a
-// non-nil err value indicates a parse error.
-func ParseKnownHosts(in []byte) (marker string, hosts []string, pubKey PublicKey, comment string, rest []byte, err error) {
-	for len(in) > 0 {
-		end := bytes.IndexByte(in, '\n')
-		if end != -1 {
-			rest = in[end+1:]
-			in = in[:end]
-		} else {
-			rest = nil
-		}
-
-		end = bytes.IndexByte(in, '\r')
-		if end != -1 {
-			in = in[:end]
-		}
-
-		in = bytes.TrimSpace(in)
-		if len(in) == 0 || in[0] == '#' {
-			in = rest
-			continue
-		}
-
-		i := bytes.IndexAny(in, " \t")
-		if i == -1 {
-			in = rest
-			continue
-		}
-
-		// Strip out the beginning of the known_host key.
-		// This is either an optional marker or a (set of) hostname(s).
-		keyFields := bytes.Fields(in)
-		if len(keyFields) < 3 || len(keyFields) > 5 {
-			return "", nil, nil, "", nil, errors.New("ssh: invalid entry in known_hosts data")
-		}
-
-		// keyFields[0] is either "@cert-authority", "@revoked" or a comma separated
-		// list of hosts
-		marker := ""
-		if keyFields[0][0] == '@' {
-			marker = string(keyFields[0][1:])
-			keyFields = keyFields[1:]
-		}
-
-		hosts := string(keyFields[0])
-		// keyFields[1] contains the key type (e.g. “ssh-rsa”).
-		// However, that information is duplicated inside the
-		// base64-encoded key and so is ignored here.
-
-		key := bytes.Join(keyFields[2:], []byte(" "))
-		if pubKey, comment, err = parseAuthorizedKey(key); err != nil {
-			return "", nil, nil, "", nil, err
-		}
-
-		return marker, strings.Split(hosts, ","), pubKey, comment, rest, nil
-	}
-
-	return "", nil, nil, "", nil, io.EOF
-}
-
-// ParseAuthorizedKeys parses a public key from an authorized_keys
-// file used in OpenSSH according to the sshd(8) manual page.
-func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error) {
-	for len(in) > 0 {
-		end := bytes.IndexByte(in, '\n')
-		if end != -1 {
-			rest = in[end+1:]
-			in = in[:end]
-		} else {
-			rest = nil
-		}
-
-		end = bytes.IndexByte(in, '\r')
-		if end != -1 {
-			in = in[:end]
-		}
-
-		in = bytes.TrimSpace(in)
-		if len(in) == 0 || in[0] == '#' {
-			in = rest
-			continue
-		}
-
-		i := bytes.IndexAny(in, " \t")
-		if i == -1 {
-			in = rest
-			continue
-		}
-
-		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
-			return out, comment, options, rest, nil
-		}
-
-		// No key type recognised. Maybe there's an options field at
-		// the beginning.
-		var b byte
-		inQuote := false
-		var candidateOptions []string
-		optionStart := 0
-		for i, b = range in {
-			isEnd := !inQuote && (b == ' ' || b == '\t')
-			if (b == ',' && !inQuote) || isEnd {
-				if i-optionStart > 0 {
-					candidateOptions = append(candidateOptions, string(in[optionStart:i]))
-				}
-				optionStart = i + 1
-			}
-			if isEnd {
-				break
-			}
-			if b == '"' && (i == 0 || (i > 0 && in[i-1] != '\\')) {
-				inQuote = !inQuote
-			}
-		}
-		for i < len(in) && (in[i] == ' ' || in[i] == '\t') {
-			i++
-		}
-		if i == len(in) {
-			// Invalid line: unmatched quote
-			in = rest
-			continue
-		}
-
-		in = in[i:]
-		i = bytes.IndexAny(in, " \t")
-		if i == -1 {
-			in = rest
-			continue
-		}
-
-		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
-			options = candidateOptions
-			return out, comment, options, rest, nil
-		}
-
-		in = rest
-		continue
-	}
-
-	return nil, "", nil, nil, errors.New("ssh: no key found")
-}
-
-// ParsePublicKey parses an SSH public key formatted for use in
-// the SSH wire protocol according to RFC 4253, section 6.6.
-func ParsePublicKey(in []byte) (out PublicKey, err error) {
-	algo, in, ok := parseString(in)
-	if !ok {
-		return nil, errShortRead
-	}
-	var rest []byte
-	out, rest, err = parsePubKey(in, string(algo))
-	if len(rest) > 0 {
-		return nil, errors.New("ssh: trailing junk in public key")
-	}
-
-	return out, err
-}
-
-// MarshalAuthorizedKey serializes key for inclusion in an OpenSSH
-// authorized_keys file. The return value ends with newline.
-func MarshalAuthorizedKey(key PublicKey) []byte {
-	b := &bytes.Buffer{}
-	b.WriteString(key.Type())
-	b.WriteByte(' ')
-	e := base64.NewEncoder(base64.StdEncoding, b)
-	e.Write(key.Marshal())
-	e.Close()
-	b.WriteByte('\n')
-	return b.Bytes()
-}
-
-// PublicKey is an abstraction of different types of public keys.
-type PublicKey interface {
-	// Type returns the key's type, e.g. "ssh-rsa".
-	Type() string
-
-	// Marshal returns the serialized key data in SSH wire format,
-	// with the name prefix.
-	Marshal() []byte
-
-	// Verify that sig is a signature on the given data using this
-	// key. This function will hash the data appropriately first.
-	Verify(data []byte, sig *Signature) error
-}
-
-// CryptoPublicKey, if implemented by a PublicKey,
-// returns the underlying crypto.PublicKey form of the key.
-type CryptoPublicKey interface {
-	CryptoPublicKey() crypto.PublicKey
-}
-
-// A Signer can create signatures that verify against a public key.
-type Signer interface {
-	// PublicKey returns an associated PublicKey instance.
-	PublicKey() PublicKey
-
-	// Sign returns raw signature for the given data. This method
-	// will apply the hash specified for the keytype to the data.
-	Sign(rand io.Reader, data []byte) (*Signature, error)
-}
-
-type rsaPublicKey rsa.PublicKey
-
-func (r *rsaPublicKey) Type() string {
-	return "ssh-rsa"
-}
-
-// parseRSA parses an RSA key according to RFC 4253, section 6.6.
-func parseRSA(in []byte) (out PublicKey, rest []byte, err error) {
-	var w struct {
-		E    *big.Int
-		N    *big.Int
-		Rest []byte `ssh:"rest"`
-	}
-	if err := Unmarshal(in, &w); err != nil {
-		return nil, nil, err
-	}
-
-	if w.E.BitLen() > 24 {
-		return nil, nil, errors.New("ssh: exponent too large")
-	}
-	e := w.E.Int64()
-	if e < 3 || e&1 == 0 {
-		return nil, nil, errors.New("ssh: incorrect exponent")
-	}
-
-	var key rsa.PublicKey
-	key.E = int(e)
-	key.N = w.N
-	return (*rsaPublicKey)(&key), w.Rest, nil
-}
-
-func (r *rsaPublicKey) Marshal() []byte {
-	e := new(big.Int).SetInt64(int64(r.E))
-	// RSA publickey struct layout should match the struct used by
-	// parseRSACert in the x/crypto/ssh/agent package.
-	wirekey := struct {
-		Name string
-		E    *big.Int
-		N    *big.Int
-	}{
-		KeyAlgoRSA,
-		e,
-		r.N,
-	}
-	return Marshal(&wirekey)
-}
-
-func (r *rsaPublicKey) Verify(data []byte, sig *Signature) error {
-	if sig.Format != r.Type() {
-		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, r.Type())
-	}
-	h := crypto.SHA1.New()
-	h.Write(data)
-	digest := h.Sum(nil)
-	return rsa.VerifyPKCS1v15((*rsa.PublicKey)(r), crypto.SHA1, digest, sig.Blob)
-}
-
-func (r *rsaPublicKey) CryptoPublicKey() crypto.PublicKey {
-	return (*rsa.PublicKey)(r)
-}
-
-type dsaPublicKey dsa.PublicKey
-
-func (k *dsaPublicKey) Type() string {
-	return "ssh-dss"
-}
-
-func checkDSAParams(param *dsa.Parameters) error {
-	// SSH specifies FIPS 186-2, which only provided a single size
-	// (1024 bits) DSA key. FIPS 186-3 allows for larger key
-	// sizes, which would confuse SSH.
-	if l := param.P.BitLen(); l != 1024 {
-		return fmt.Errorf("ssh: unsupported DSA key size %d", l)
-	}
-
-	return nil
-}
-
-// parseDSA parses an DSA key according to RFC 4253, section 6.6.
-func parseDSA(in []byte) (out PublicKey, rest []byte, err error) {
-	var w struct {
-		P, Q, G, Y *big.Int
-		Rest       []byte `ssh:"rest"`
-	}
-	if err := Unmarshal(in, &w); err != nil {
-		return nil, nil, err
-	}
-
-	param := dsa.Parameters{
-		P: w.P,
-		Q: w.Q,
-		G: w.G,
-	}
-	if err := checkDSAParams(&param); err != nil {
-		return nil, nil, err
-	}
-
-	key := &dsaPublicKey{
-		Parameters: param,
-		Y:          w.Y,
-	}
-	return key, w.Rest, nil
-}
-
-func (k *dsaPublicKey) Marshal() []byte {
-	// DSA publickey struct layout should match the struct used by
-	// parseDSACert in the x/crypto/ssh/agent package.
-	w := struct {
-		Name       string
-		P, Q, G, Y *big.Int
-	}{
-		k.Type(),
-		k.P,
-		k.Q,
-		k.G,
-		k.Y,
-	}
-
-	return Marshal(&w)
-}
-
-func (k *dsaPublicKey) Verify(data []byte, sig *Signature) error {
-	if sig.Format != k.Type() {
-		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
-	}
-	h := crypto.SHA1.New()
-	h.Write(data)
-	digest := h.Sum(nil)
-
-	// Per RFC 4253, section 6.6,
-	// The value for 'dss_signature_blob' is encoded as a string containing
-	// r, followed by s (which are 160-bit integers, without lengths or
-	// padding, unsigned, and in network byte order).
-	// For DSS purposes, sig.Blob should be exactly 40 bytes in length.
-	if len(sig.Blob) != 40 {
-		return errors.New("ssh: DSA signature parse error")
-	}
-	r := new(big.Int).SetBytes(sig.Blob[:20])
-	s := new(big.Int).SetBytes(sig.Blob[20:])
-	if dsa.Verify((*dsa.PublicKey)(k), digest, r, s) {
-		return nil
-	}
-	return errors.New("ssh: signature did not verify")
-}
-
-func (k *dsaPublicKey) CryptoPublicKey() crypto.PublicKey {
-	return (*dsa.PublicKey)(k)
-}
-
-type dsaPrivateKey struct {
-	*dsa.PrivateKey
-}
-
-func (k *dsaPrivateKey) PublicKey() PublicKey {
-	return (*dsaPublicKey)(&k.PrivateKey.PublicKey)
-}
-
-func (k *dsaPrivateKey) Sign(rand io.Reader, data []byte) (*Signature, error) {
-	h := crypto.SHA1.New()
-	h.Write(data)
-	digest := h.Sum(nil)
-	r, s, err := dsa.Sign(rand, k.PrivateKey, digest)
-	if err != nil {
-		return nil, err
-	}
-
-	sig := make([]byte, 40)
-	rb := r.Bytes()
-	sb := s.Bytes()
-
-	copy(sig[20-len(rb):20], rb)
-	copy(sig[40-len(sb):], sb)
-
-	return &Signature{
-		Format: k.PublicKey().Type(),
-		Blob:   sig,
-	}, nil
-}
-
-type ecdsaPublicKey ecdsa.PublicKey
-
-func (k *ecdsaPublicKey) Type() string {
-	return "ecdsa-sha2-" + k.nistID()
-}
-
-func (k *ecdsaPublicKey) nistID() string {
-	switch k.Params().BitSize {
-	case 256:
-		return "nistp256"
-	case 384:
-		return "nistp384"
-	case 521:
-		return "nistp521"
-	}
-	panic("ssh: unsupported ecdsa key size")
-}
-
-type ed25519PublicKey ed25519.PublicKey
-
-func (k ed25519PublicKey) Type() string {
-	return KeyAlgoED25519
-}
-
-func parseED25519(in []byte) (out PublicKey, rest []byte, err error) {
-	var w struct {
-		KeyBytes []byte
-		Rest     []byte `ssh:"rest"`
-	}
-
-	if err := Unmarshal(in, &w); err != nil {
-		return nil, nil, err
-	}
-
-	key := ed25519.PublicKey(w.KeyBytes)
-
-	return (ed25519PublicKey)(key), w.Rest, nil
-}
-
-func (k ed25519PublicKey) Marshal() []byte {
-	w := struct {
-		Name     string
-		KeyBytes []byte
-	}{
-		KeyAlgoED25519,
-		[]byte(k),
-	}
-	return Marshal(&w)
-}
-
-func (k ed25519PublicKey) Verify(b []byte, sig *Signature) error {
-	if sig.Format != k.Type() {
-		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
-	}
-
-	edKey := (ed25519.PublicKey)(k)
-	if ok := ed25519.Verify(edKey, b, sig.Blob); !ok {
-		return errors.New("ssh: signature did not verify")
-	}
-
-	return nil
-}
-
-func (k ed25519PublicKey) CryptoPublicKey() crypto.PublicKey {
-	return ed25519.PublicKey(k)
-}
-
-func supportedEllipticCurve(curve elliptic.Curve) bool {
-	return curve == elliptic.P256() || curve == elliptic.P384() || curve == elliptic.P521()
-}
-
-// ecHash returns the hash to match the given elliptic curve, see RFC
-// 5656, section 6.2.1
-func ecHash(curve elliptic.Curve) crypto.Hash {
-	bitSize := curve.Params().BitSize
-	switch {
-	case bitSize <= 256:
-		return crypto.SHA256
-	case bitSize <= 384:
-		return crypto.SHA384
-	}
-	return crypto.SHA512
-}
-
-// parseECDSA parses an ECDSA key according to RFC 5656, section 3.1.
-func parseECDSA(in []byte) (out PublicKey, rest []byte, err error) {
-	var w struct {
-		Curve    string
-		KeyBytes []byte
-		Rest     []byte `ssh:"rest"`
-	}
-
-	if err := Unmarshal(in, &w); err != nil {
-		return nil, nil, err
-	}
-
-	key := new(ecdsa.PublicKey)
-
-	switch w.Curve {
-	case "nistp256":
-		key.Curve = elliptic.P256()
-	case "nistp384":
-		key.Curve = elliptic.P384()
-	case "nistp521":
-		key.Curve = elliptic.P521()
-	default:
-		return nil, nil, errors.New("ssh: unsupported curve")
-	}
-
-	key.X, key.Y = elliptic.Unmarshal(key.Curve, w.KeyBytes)
-	if key.X == nil || key.Y == nil {
-		return nil, nil, errors.New("ssh: invalid curve point")
-	}
-	return (*ecdsaPublicKey)(key), w.Rest, nil
-}
-
-func (k *ecdsaPublicKey) Marshal() []byte {
-	// See RFC 5656, section 3.1.
-	keyBytes := elliptic.Marshal(k.Curve, k.X, k.Y)
-	// ECDSA publickey struct layout should match the struct used by
-	// parseECDSACert in the x/crypto/ssh/agent package.
-	w := struct {
-		Name string
-		ID   string
-		Key  []byte
-	}{
-		k.Type(),
-		k.nistID(),
-		keyBytes,
-	}
-
-	return Marshal(&w)
-}
-
-func (k *ecdsaPublicKey) Verify(data []byte, sig *Signature) error {
-	if sig.Format != k.Type() {
-		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
-	}
-
-	h := ecHash(k.Curve).New()
-	h.Write(data)
-	digest := h.Sum(nil)
-
-	// Per RFC 5656, section 3.1.2,
-	// The ecdsa_signature_blob value has the following specific encoding:
-	//    mpint    r
-	//    mpint    s
-	var ecSig struct {
-		R *big.Int
-		S *big.Int
-	}
-
-	if err := Unmarshal(sig.Blob, &ecSig); err != nil {
-		return err
-	}
-
-	if ecdsa.Verify((*ecdsa.PublicKey)(k), digest, ecSig.R, ecSig.S) {
-		return nil
-	}
-	return errors.New("ssh: signature did not verify")
-}
-
-func (k *ecdsaPublicKey) CryptoPublicKey() crypto.PublicKey {
-	return (*ecdsa.PublicKey)(k)
-}
-
-// NewSignerFromKey takes an *rsa.PrivateKey, *dsa.PrivateKey,
-// *ecdsa.PrivateKey or any other crypto.Signer and returns a
-// corresponding Signer instance. ECDSA keys must use P-256, P-384 or
-// P-521. DSA keys must use parameter size L1024N160.
-func NewSignerFromKey(key interface{}) (Signer, error) {
-	switch key := key.(type) {
-	case crypto.Signer:
-		return NewSignerFromSigner(key)
-	case *dsa.PrivateKey:
-		return newDSAPrivateKey(key)
-	default:
-		return nil, fmt.Errorf("ssh: unsupported key type %T", key)
-	}
-}
-
-func newDSAPrivateKey(key *dsa.PrivateKey) (Signer, error) {
-	if err := checkDSAParams(&key.PublicKey.Parameters); err != nil {
-		return nil, err
-	}
-
-	return &dsaPrivateKey{key}, nil
-}
-
-type wrappedSigner struct {
-	signer crypto.Signer
-	pubKey PublicKey
-}
-
-// NewSignerFromSigner takes any crypto.Signer implementation and
-// returns a corresponding Signer interface. This can be used, for
-// example, with keys kept in hardware modules.
-func NewSignerFromSigner(signer crypto.Signer) (Signer, error) {
-	pubKey, err := NewPublicKey(signer.Public())
-	if err != nil {
-		return nil, err
-	}
-
-	return &wrappedSigner{signer, pubKey}, nil
-}
-
-func (s *wrappedSigner) PublicKey() PublicKey {
-	return s.pubKey
-}
-
-func (s *wrappedSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
-	var hashFunc crypto.Hash
-
-	switch key := s.pubKey.(type) {
-	case *rsaPublicKey, *dsaPublicKey:
-		hashFunc = crypto.SHA1
-	case *ecdsaPublicKey:
-		hashFunc = ecHash(key.Curve)
-	case ed25519PublicKey:
-	default:
-		return nil, fmt.Errorf("ssh: unsupported key type %T", key)
-	}
-
-	var digest []byte
-	if hashFunc != 0 {
-		h := hashFunc.New()
-		h.Write(data)
-		digest = h.Sum(nil)
-	} else {
-		digest = data
-	}
-
-	signature, err := s.signer.Sign(rand, digest, hashFunc)
-	if err != nil {
-		return nil, err
-	}
-
-	// crypto.Signer.Sign is expected to return an ASN.1-encoded signature
-	// for ECDSA and DSA, but that's not the encoding expected by SSH, so
-	// re-encode.
-	switch s.pubKey.(type) {
-	case *ecdsaPublicKey, *dsaPublicKey:
-		type asn1Signature struct {
-			R, S *big.Int
-		}
-		asn1Sig := new(asn1Signature)
-		_, err := asn1.Unmarshal(signature, asn1Sig)
-		if err != nil {
-			return nil, err
-		}
-
-		switch s.pubKey.(type) {
-		case *ecdsaPublicKey:
-			signature = Marshal(asn1Sig)
-
-		case *dsaPublicKey:
-			signature = make([]byte, 40)
-			r := asn1Sig.R.Bytes()
-			s := asn1Sig.S.Bytes()
-			copy(signature[20-len(r):20], r)
-			copy(signature[40-len(s):40], s)
-		}
-	}
-
-	return &Signature{
-		Format: s.pubKey.Type(),
-		Blob:   signature,
-	}, nil
-}
-
-// NewPublicKey takes an *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey,
-// or ed25519.PublicKey returns a corresponding PublicKey instance.
-// ECDSA keys must use P-256, P-384 or P-521.
-func NewPublicKey(key interface{}) (PublicKey, error) {
-	switch key := key.(type) {
-	case *rsa.PublicKey:
-		return (*rsaPublicKey)(key), nil
-	case *ecdsa.PublicKey:
-		if !supportedEllipticCurve(key.Curve) {
-			return nil, errors.New("ssh: only P-256, P-384 and P-521 EC keys are supported")
-		}
-		return (*ecdsaPublicKey)(key), nil
-	case *dsa.PublicKey:
-		return (*dsaPublicKey)(key), nil
-	case ed25519.PublicKey:
-		return (ed25519PublicKey)(key), nil
-	default:
-		return nil, fmt.Errorf("ssh: unsupported key type %T", key)
-	}
-}
-
-// ParsePrivateKey returns a Signer from a PEM encoded private key. It supports
-// the same keys as ParseRawPrivateKey.
-func ParsePrivateKey(pemBytes []byte) (Signer, error) {
-	key, err := ParseRawPrivateKey(pemBytes)
-	if err != nil {
-		return nil, err
-	}
-
-	return NewSignerFromKey(key)
-}
-
-// ParsePrivateKeyWithPassphrase returns a Signer from a PEM encoded private
-// key and passphrase. It supports the same keys as
-// ParseRawPrivateKeyWithPassphrase.
-func ParsePrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (Signer, error) {
-	key, err := ParseRawPrivateKeyWithPassphrase(pemBytes, passPhrase)
-	if err != nil {
-		return nil, err
-	}
-
-	return NewSignerFromKey(key)
-}
-
-// encryptedBlock tells whether a private key is
-// encrypted by examining its Proc-Type header
-// for a mention of ENCRYPTED
-// according to RFC 1421 Section 4.6.1.1.
-func encryptedBlock(block *pem.Block) bool {
-	return strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")
-}
-
-// ParseRawPrivateKey returns a private key from a PEM encoded private key. It
-// supports RSA (PKCS#1), DSA (OpenSSL), and ECDSA private keys.
-func ParseRawPrivateKey(pemBytes []byte) (interface{}, error) {
-	block, _ := pem.Decode(pemBytes)
-	if block == nil {
-		return nil, errors.New("ssh: no key found")
-	}
-
-	if encryptedBlock(block) {
-		return nil, errors.New("ssh: cannot decode encrypted private keys")
-	}
-
-	switch block.Type {
-	case "RSA PRIVATE KEY":
-		return x509.ParsePKCS1PrivateKey(block.Bytes)
-	case "EC PRIVATE KEY":
-		return x509.ParseECPrivateKey(block.Bytes)
-	case "DSA PRIVATE KEY":
-		return ParseDSAPrivateKey(block.Bytes)
-	case "OPENSSH PRIVATE KEY":
-		return parseOpenSSHPrivateKey(block.Bytes)
-	default:
-		return nil, fmt.Errorf("ssh: unsupported key type %q", block.Type)
-	}
-}
-
-// ParseRawPrivateKeyWithPassphrase returns a private key decrypted with
-// passphrase from a PEM encoded private key. If wrong passphrase, return
-// x509.IncorrectPasswordError.
-func ParseRawPrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (interface{}, error) {
-	block, _ := pem.Decode(pemBytes)
-	if block == nil {
-		return nil, errors.New("ssh: no key found")
-	}
-	buf := block.Bytes
-
-	if encryptedBlock(block) {
-		if x509.IsEncryptedPEMBlock(block) {
-			var err error
-			buf, err = x509.DecryptPEMBlock(block, passPhrase)
-			if err != nil {
-				if err == x509.IncorrectPasswordError {
-					return nil, err
-				}
-				return nil, fmt.Errorf("ssh: cannot decode encrypted private keys: %v", err)
-			}
-		}
-	}
-
-	switch block.Type {
-	case "RSA PRIVATE KEY":
-		return x509.ParsePKCS1PrivateKey(buf)
-	case "EC PRIVATE KEY":
-		return x509.ParseECPrivateKey(buf)
-	case "DSA PRIVATE KEY":
-		return ParseDSAPrivateKey(buf)
-	case "OPENSSH PRIVATE KEY":
-		return parseOpenSSHPrivateKey(buf)
-	default:
-		return nil, fmt.Errorf("ssh: unsupported key type %q", block.Type)
-	}
-}
-
-// ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as
-// specified by the OpenSSL DSA man page.
-func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) {
-	var k struct {
-		Version int
-		P       *big.Int
-		Q       *big.Int
-		G       *big.Int
-		Pub     *big.Int
-		Priv    *big.Int
-	}
-	rest, err := asn1.Unmarshal(der, &k)
-	if err != nil {
-		return nil, errors.New("ssh: failed to parse DSA key: " + err.Error())
-	}
-	if len(rest) > 0 {
-		return nil, errors.New("ssh: garbage after DSA key")
-	}
-
-	return &dsa.PrivateKey{
-		PublicKey: dsa.PublicKey{
-			Parameters: dsa.Parameters{
-				P: k.P,
-				Q: k.Q,
-				G: k.G,
-			},
-			Y: k.Pub,
-		},
-		X: k.Priv,
-	}, nil
-}
-
-// Implemented based on the documentation at
-// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
-func parseOpenSSHPrivateKey(key []byte) (crypto.PrivateKey, error) {
-	magic := append([]byte("openssh-key-v1"), 0)
-	if !bytes.Equal(magic, key[0:len(magic)]) {
-		return nil, errors.New("ssh: invalid openssh private key format")
-	}
-	remaining := key[len(magic):]
-
-	var w struct {
-		CipherName   string
-		KdfName      string
-		KdfOpts      string
-		NumKeys      uint32
-		PubKey       []byte
-		PrivKeyBlock []byte
-	}
-
-	if err := Unmarshal(remaining, &w); err != nil {
-		return nil, err
-	}
-
-	if w.KdfName != "none" || w.CipherName != "none" {
-		return nil, errors.New("ssh: cannot decode encrypted private keys")
-	}
-
-	pk1 := struct {
-		Check1  uint32
-		Check2  uint32
-		Keytype string
-		Rest    []byte `ssh:"rest"`
-	}{}
-
-	if err := Unmarshal(w.PrivKeyBlock, &pk1); err != nil {
-		return nil, err
-	}
-
-	if pk1.Check1 != pk1.Check2 {
-		return nil, errors.New("ssh: checkint mismatch")
-	}
-
-	// we only handle ed25519 and rsa keys currently
-	switch pk1.Keytype {
-	case KeyAlgoRSA:
-		// https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L2760-L2773
-		key := struct {
-			N       *big.Int
-			E       *big.Int
-			D       *big.Int
-			Iqmp    *big.Int
-			P       *big.Int
-			Q       *big.Int
-			Comment string
-			Pad     []byte `ssh:"rest"`
-		}{}
-
-		if err := Unmarshal(pk1.Rest, &key); err != nil {
-			return nil, err
-		}
-
-		for i, b := range key.Pad {
-			if int(b) != i+1 {
-				return nil, errors.New("ssh: padding not as expected")
-			}
-		}
-
-		pk := &rsa.PrivateKey{
-			PublicKey: rsa.PublicKey{
-				N: key.N,
-				E: int(key.E.Int64()),
-			},
-			D:      key.D,
-			Primes: []*big.Int{key.P, key.Q},
-		}
-
-		if err := pk.Validate(); err != nil {
-			return nil, err
-		}
-
-		pk.Precompute()
-
-		return pk, nil
-	case KeyAlgoED25519:
-		key := struct {
-			Pub     []byte
-			Priv    []byte
-			Comment string
-			Pad     []byte `ssh:"rest"`
-		}{}
-
-		if err := Unmarshal(pk1.Rest, &key); err != nil {
-			return nil, err
-		}
-
-		if len(key.Priv) != ed25519.PrivateKeySize {
-			return nil, errors.New("ssh: private key unexpected length")
-		}
-
-		for i, b := range key.Pad {
-			if int(b) != i+1 {
-				return nil, errors.New("ssh: padding not as expected")
-			}
-		}
-
-		pk := ed25519.PrivateKey(make([]byte, ed25519.PrivateKeySize))
-		copy(pk, key.Priv)
-		return &pk, nil
-	default:
-		return nil, errors.New("ssh: unhandled key type")
-	}
-}
-
-// FingerprintLegacyMD5 returns the user presentation of the key's
-// fingerprint as described by RFC 4716 section 4.
-func FingerprintLegacyMD5(pubKey PublicKey) string {
-	md5sum := md5.Sum(pubKey.Marshal())
-	hexarray := make([]string, len(md5sum))
-	for i, c := range md5sum {
-		hexarray[i] = hex.EncodeToString([]byte{c})
-	}
-	return strings.Join(hexarray, ":")
-}
-
-// FingerprintSHA256 returns the user presentation of the key's
-// fingerprint as unpadded base64 encoded sha256 hash.
-// This format was introduced from OpenSSH 6.8.
-// https://www.openssh.com/txt/release-6.8
-// https://tools.ietf.org/html/rfc4648#section-3.2 (unpadded base64 encoding)
-func FingerprintSHA256(pubKey PublicKey) string {
-	sha256sum := sha256.Sum256(pubKey.Marshal())
-	hash := base64.RawStdEncoding.EncodeToString(sha256sum[:])
-	return "SHA256:" + hash
-}
diff --git a/vendor/golang.org/x/crypto/ssh/keys_test.go b/vendor/golang.org/x/crypto/ssh/keys_test.go
deleted file mode 100644
index 20ab954e..00000000
--- a/vendor/golang.org/x/crypto/ssh/keys_test.go
+++ /dev/null
@@ -1,500 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/base64"
-	"fmt"
-	"reflect"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/ed25519"
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-func rawKey(pub PublicKey) interface{} {
-	switch k := pub.(type) {
-	case *rsaPublicKey:
-		return (*rsa.PublicKey)(k)
-	case *dsaPublicKey:
-		return (*dsa.PublicKey)(k)
-	case *ecdsaPublicKey:
-		return (*ecdsa.PublicKey)(k)
-	case ed25519PublicKey:
-		return (ed25519.PublicKey)(k)
-	case *Certificate:
-		return k
-	}
-	panic("unknown key type")
-}
-
-func TestKeyMarshalParse(t *testing.T) {
-	for _, priv := range testSigners {
-		pub := priv.PublicKey()
-		roundtrip, err := ParsePublicKey(pub.Marshal())
-		if err != nil {
-			t.Errorf("ParsePublicKey(%T): %v", pub, err)
-		}
-
-		k1 := rawKey(pub)
-		k2 := rawKey(roundtrip)
-
-		if !reflect.DeepEqual(k1, k2) {
-			t.Errorf("got %#v in roundtrip, want %#v", k2, k1)
-		}
-	}
-}
-
-func TestUnsupportedCurves(t *testing.T) {
-	raw, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
-	if err != nil {
-		t.Fatalf("GenerateKey: %v", err)
-	}
-
-	if _, err = NewSignerFromKey(raw); err == nil || !strings.Contains(err.Error(), "only P-256") {
-		t.Fatalf("NewPrivateKey should not succeed with P-224, got: %v", err)
-	}
-
-	if _, err = NewPublicKey(&raw.PublicKey); err == nil || !strings.Contains(err.Error(), "only P-256") {
-		t.Fatalf("NewPublicKey should not succeed with P-224, got: %v", err)
-	}
-}
-
-func TestNewPublicKey(t *testing.T) {
-	for _, k := range testSigners {
-		raw := rawKey(k.PublicKey())
-		// Skip certificates, as NewPublicKey does not support them.
-		if _, ok := raw.(*Certificate); ok {
-			continue
-		}
-		pub, err := NewPublicKey(raw)
-		if err != nil {
-			t.Errorf("NewPublicKey(%#v): %v", raw, err)
-		}
-		if !reflect.DeepEqual(k.PublicKey(), pub) {
-			t.Errorf("NewPublicKey(%#v) = %#v, want %#v", raw, pub, k.PublicKey())
-		}
-	}
-}
-
-func TestKeySignVerify(t *testing.T) {
-	for _, priv := range testSigners {
-		pub := priv.PublicKey()
-
-		data := []byte("sign me")
-		sig, err := priv.Sign(rand.Reader, data)
-		if err != nil {
-			t.Fatalf("Sign(%T): %v", priv, err)
-		}
-
-		if err := pub.Verify(data, sig); err != nil {
-			t.Errorf("publicKey.Verify(%T): %v", priv, err)
-		}
-		sig.Blob[5]++
-		if err := pub.Verify(data, sig); err == nil {
-			t.Errorf("publicKey.Verify on broken sig did not fail")
-		}
-	}
-}
-
-func TestParseRSAPrivateKey(t *testing.T) {
-	key := testPrivateKeys["rsa"]
-
-	rsa, ok := key.(*rsa.PrivateKey)
-	if !ok {
-		t.Fatalf("got %T, want *rsa.PrivateKey", rsa)
-	}
-
-	if err := rsa.Validate(); err != nil {
-		t.Errorf("Validate: %v", err)
-	}
-}
-
-func TestParseECPrivateKey(t *testing.T) {
-	key := testPrivateKeys["ecdsa"]
-
-	ecKey, ok := key.(*ecdsa.PrivateKey)
-	if !ok {
-		t.Fatalf("got %T, want *ecdsa.PrivateKey", ecKey)
-	}
-
-	if !validateECPublicKey(ecKey.Curve, ecKey.X, ecKey.Y) {
-		t.Fatalf("public key does not validate.")
-	}
-}
-
-// See Issue https://github.com/golang/go/issues/6650.
-func TestParseEncryptedPrivateKeysFails(t *testing.T) {
-	const wantSubstring = "encrypted"
-	for i, tt := range testdata.PEMEncryptedKeys {
-		_, err := ParsePrivateKey(tt.PEMBytes)
-		if err == nil {
-			t.Errorf("#%d key %s: ParsePrivateKey successfully parsed, expected an error", i, tt.Name)
-			continue
-		}
-
-		if !strings.Contains(err.Error(), wantSubstring) {
-			t.Errorf("#%d key %s: got error %q, want substring %q", i, tt.Name, err, wantSubstring)
-		}
-	}
-}
-
-// Parse encrypted private keys with passphrase
-func TestParseEncryptedPrivateKeysWithPassphrase(t *testing.T) {
-	data := []byte("sign me")
-	for _, tt := range testdata.PEMEncryptedKeys {
-		s, err := ParsePrivateKeyWithPassphrase(tt.PEMBytes, []byte(tt.EncryptionKey))
-		if err != nil {
-			t.Fatalf("ParsePrivateKeyWithPassphrase returned error: %s", err)
-			continue
-		}
-		sig, err := s.Sign(rand.Reader, data)
-		if err != nil {
-			t.Fatalf("dsa.Sign: %v", err)
-		}
-		if err := s.PublicKey().Verify(data, sig); err != nil {
-			t.Errorf("Verify failed: %v", err)
-		}
-	}
-
-	tt := testdata.PEMEncryptedKeys[0]
-	_, err := ParsePrivateKeyWithPassphrase(tt.PEMBytes, []byte("incorrect"))
-	if err != x509.IncorrectPasswordError {
-		t.Fatalf("got %v want IncorrectPasswordError", err)
-	}
-}
-
-func TestParseDSA(t *testing.T) {
-	// We actually exercise the ParsePrivateKey codepath here, as opposed to
-	// using the ParseRawPrivateKey+NewSignerFromKey path that testdata_test.go
-	// uses.
-	s, err := ParsePrivateKey(testdata.PEMBytes["dsa"])
-	if err != nil {
-		t.Fatalf("ParsePrivateKey returned error: %s", err)
-	}
-
-	data := []byte("sign me")
-	sig, err := s.Sign(rand.Reader, data)
-	if err != nil {
-		t.Fatalf("dsa.Sign: %v", err)
-	}
-
-	if err := s.PublicKey().Verify(data, sig); err != nil {
-		t.Errorf("Verify failed: %v", err)
-	}
-}
-
-// Tests for authorized_keys parsing.
-
-// getTestKey returns a public key, and its base64 encoding.
-func getTestKey() (PublicKey, string) {
-	k := testPublicKeys["rsa"]
-
-	b := &bytes.Buffer{}
-	e := base64.NewEncoder(base64.StdEncoding, b)
-	e.Write(k.Marshal())
-	e.Close()
-
-	return k, b.String()
-}
-
-func TestMarshalParsePublicKey(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	line := fmt.Sprintf("%s %s user@host", pub.Type(), pubSerialized)
-
-	authKeys := MarshalAuthorizedKey(pub)
-	actualFields := strings.Fields(string(authKeys))
-	if len(actualFields) == 0 {
-		t.Fatalf("failed authKeys: %v", authKeys)
-	}
-
-	// drop the comment
-	expectedFields := strings.Fields(line)[0:2]
-
-	if !reflect.DeepEqual(actualFields, expectedFields) {
-		t.Errorf("got %v, expected %v", actualFields, expectedFields)
-	}
-
-	actPub, _, _, _, err := ParseAuthorizedKey([]byte(line))
-	if err != nil {
-		t.Fatalf("cannot parse %v: %v", line, err)
-	}
-	if !reflect.DeepEqual(actPub, pub) {
-		t.Errorf("got %v, expected %v", actPub, pub)
-	}
-}
-
-type authResult struct {
-	pubKey   PublicKey
-	options  []string
-	comments string
-	rest     string
-	ok       bool
-}
-
-func testAuthorizedKeys(t *testing.T, authKeys []byte, expected []authResult) {
-	rest := authKeys
-	var values []authResult
-	for len(rest) > 0 {
-		var r authResult
-		var err error
-		r.pubKey, r.comments, r.options, rest, err = ParseAuthorizedKey(rest)
-		r.ok = (err == nil)
-		t.Log(err)
-		r.rest = string(rest)
-		values = append(values, r)
-	}
-
-	if !reflect.DeepEqual(values, expected) {
-		t.Errorf("got %#v, expected %#v", values, expected)
-	}
-}
-
-func TestAuthorizedKeyBasic(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	line := "ssh-rsa " + pubSerialized + " user@host"
-	testAuthorizedKeys(t, []byte(line),
-		[]authResult{
-			{pub, nil, "user@host", "", true},
-		})
-}
-
-func TestAuth(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithOptions := []string{
-		`# comments to ignore before any keys...`,
-		``,
-		`env="HOME=/home/root",no-port-forwarding ssh-rsa ` + pubSerialized + ` user@host`,
-		`# comments to ignore, along with a blank line`,
-		``,
-		`env="HOME=/home/root2" ssh-rsa ` + pubSerialized + ` user2@host2`,
-		``,
-		`# more comments, plus a invalid entry`,
-		`ssh-rsa data-that-will-not-parse user@host3`,
-	}
-	for _, eol := range []string{"\n", "\r\n"} {
-		authOptions := strings.Join(authWithOptions, eol)
-		rest2 := strings.Join(authWithOptions[3:], eol)
-		rest3 := strings.Join(authWithOptions[6:], eol)
-		testAuthorizedKeys(t, []byte(authOptions), []authResult{
-			{pub, []string{`env="HOME=/home/root"`, "no-port-forwarding"}, "user@host", rest2, true},
-			{pub, []string{`env="HOME=/home/root2"`}, "user2@host2", rest3, true},
-			{nil, nil, "", "", false},
-		})
-	}
-}
-
-func TestAuthWithQuotedSpaceInEnv(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithQuotedSpaceInEnv := []byte(`env="HOME=/home/root dir",no-port-forwarding ssh-rsa ` + pubSerialized + ` user@host`)
-	testAuthorizedKeys(t, []byte(authWithQuotedSpaceInEnv), []authResult{
-		{pub, []string{`env="HOME=/home/root dir"`, "no-port-forwarding"}, "user@host", "", true},
-	})
-}
-
-func TestAuthWithQuotedCommaInEnv(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithQuotedCommaInEnv := []byte(`env="HOME=/home/root,dir",no-port-forwarding ssh-rsa ` + pubSerialized + `   user@host`)
-	testAuthorizedKeys(t, []byte(authWithQuotedCommaInEnv), []authResult{
-		{pub, []string{`env="HOME=/home/root,dir"`, "no-port-forwarding"}, "user@host", "", true},
-	})
-}
-
-func TestAuthWithQuotedQuoteInEnv(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithQuotedQuoteInEnv := []byte(`env="HOME=/home/\"root dir",no-port-forwarding` + "\t" + `ssh-rsa` + "\t" + pubSerialized + `   user@host`)
-	authWithDoubleQuotedQuote := []byte(`no-port-forwarding,env="HOME=/home/ \"root dir\"" ssh-rsa ` + pubSerialized + "\t" + `user@host`)
-	testAuthorizedKeys(t, []byte(authWithQuotedQuoteInEnv), []authResult{
-		{pub, []string{`env="HOME=/home/\"root dir"`, "no-port-forwarding"}, "user@host", "", true},
-	})
-
-	testAuthorizedKeys(t, []byte(authWithDoubleQuotedQuote), []authResult{
-		{pub, []string{"no-port-forwarding", `env="HOME=/home/ \"root dir\""`}, "user@host", "", true},
-	})
-}
-
-func TestAuthWithInvalidSpace(t *testing.T) {
-	_, pubSerialized := getTestKey()
-	authWithInvalidSpace := []byte(`env="HOME=/home/root dir", no-port-forwarding ssh-rsa ` + pubSerialized + ` user@host
-#more to follow but still no valid keys`)
-	testAuthorizedKeys(t, []byte(authWithInvalidSpace), []authResult{
-		{nil, nil, "", "", false},
-	})
-}
-
-func TestAuthWithMissingQuote(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithMissingQuote := []byte(`env="HOME=/home/root,no-port-forwarding ssh-rsa ` + pubSerialized + ` user@host
-env="HOME=/home/root",shared-control ssh-rsa ` + pubSerialized + ` user@host`)
-
-	testAuthorizedKeys(t, []byte(authWithMissingQuote), []authResult{
-		{pub, []string{`env="HOME=/home/root"`, `shared-control`}, "user@host", "", true},
-	})
-}
-
-func TestInvalidEntry(t *testing.T) {
-	authInvalid := []byte(`ssh-rsa`)
-	_, _, _, _, err := ParseAuthorizedKey(authInvalid)
-	if err == nil {
-		t.Errorf("got valid entry for %q", authInvalid)
-	}
-}
-
-var knownHostsParseTests = []struct {
-	input string
-	err   string
-
-	marker  string
-	comment string
-	hosts   []string
-	rest    string
-}{
-	{
-		"",
-		"EOF",
-
-		"", "", nil, "",
-	},
-	{
-		"# Just a comment",
-		"EOF",
-
-		"", "", nil, "",
-	},
-	{
-		"   \t   ",
-		"EOF",
-
-		"", "", nil, "",
-	},
-	{
-		"localhost ssh-rsa {RSAPUB}",
-		"",
-
-		"", "", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}",
-		"",
-
-		"", "", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}\tcomment comment",
-		"",
-
-		"", "comment comment", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}\tcomment comment\n",
-		"",
-
-		"", "comment comment", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}\tcomment comment\r\n",
-		"",
-
-		"", "comment comment", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}\tcomment comment\r\nnext line",
-		"",
-
-		"", "comment comment", []string{"localhost"}, "next line",
-	},
-	{
-		"localhost,[host2:123]\tssh-rsa {RSAPUB}\tcomment comment",
-		"",
-
-		"", "comment comment", []string{"localhost", "[host2:123]"}, "",
-	},
-	{
-		"@marker \tlocalhost,[host2:123]\tssh-rsa {RSAPUB}",
-		"",
-
-		"marker", "", []string{"localhost", "[host2:123]"}, "",
-	},
-	{
-		"@marker \tlocalhost,[host2:123]\tssh-rsa aabbccdd",
-		"short read",
-
-		"", "", nil, "",
-	},
-}
-
-func TestKnownHostsParsing(t *testing.T) {
-	rsaPub, rsaPubSerialized := getTestKey()
-
-	for i, test := range knownHostsParseTests {
-		var expectedKey PublicKey
-		const rsaKeyToken = "{RSAPUB}"
-
-		input := test.input
-		if strings.Contains(input, rsaKeyToken) {
-			expectedKey = rsaPub
-			input = strings.Replace(test.input, rsaKeyToken, rsaPubSerialized, -1)
-		}
-
-		marker, hosts, pubKey, comment, rest, err := ParseKnownHosts([]byte(input))
-		if err != nil {
-			if len(test.err) == 0 {
-				t.Errorf("#%d: unexpectedly failed with %q", i, err)
-			} else if !strings.Contains(err.Error(), test.err) {
-				t.Errorf("#%d: expected error containing %q, but got %q", i, test.err, err)
-			}
-			continue
-		} else if len(test.err) != 0 {
-			t.Errorf("#%d: succeeded but expected error including %q", i, test.err)
-			continue
-		}
-
-		if !reflect.DeepEqual(expectedKey, pubKey) {
-			t.Errorf("#%d: expected key %#v, but got %#v", i, expectedKey, pubKey)
-		}
-
-		if marker != test.marker {
-			t.Errorf("#%d: expected marker %q, but got %q", i, test.marker, marker)
-		}
-
-		if comment != test.comment {
-			t.Errorf("#%d: expected comment %q, but got %q", i, test.comment, comment)
-		}
-
-		if !reflect.DeepEqual(test.hosts, hosts) {
-			t.Errorf("#%d: expected hosts %#v, but got %#v", i, test.hosts, hosts)
-		}
-
-		if rest := string(rest); rest != test.rest {
-			t.Errorf("#%d: expected remaining input to be %q, but got %q", i, test.rest, rest)
-		}
-	}
-}
-
-func TestFingerprintLegacyMD5(t *testing.T) {
-	pub, _ := getTestKey()
-	fingerprint := FingerprintLegacyMD5(pub)
-	want := "fb:61:6d:1a:e3:f0:95:45:3c:a0:79:be:4a:93:63:66" // ssh-keygen -lf -E md5 rsa
-	if fingerprint != want {
-		t.Errorf("got fingerprint %q want %q", fingerprint, want)
-	}
-}
-
-func TestFingerprintSHA256(t *testing.T) {
-	pub, _ := getTestKey()
-	fingerprint := FingerprintSHA256(pub)
-	want := "SHA256:Anr3LjZK8YVpjrxu79myrW9Hrb/wpcMNpVvTq/RcBm8" // ssh-keygen -lf rsa
-	if fingerprint != want {
-		t.Errorf("got fingerprint %q want %q", fingerprint, want)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
deleted file mode 100644
index 448fc07f..00000000
--- a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
+++ /dev/null
@@ -1,546 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package knownhosts implements a parser for the OpenSSH
-// known_hosts host key database.
-package knownhosts
-
-import (
-	"bufio"
-	"bytes"
-	"crypto/hmac"
-	"crypto/rand"
-	"crypto/sha1"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"os"
-	"strings"
-
-	"golang.org/x/crypto/ssh"
-)
-
-// See the sshd manpage
-// (http://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT) for
-// background.
-
-type addr struct{ host, port string }
-
-func (a *addr) String() string {
-	h := a.host
-	if strings.Contains(h, ":") {
-		h = "[" + h + "]"
-	}
-	return h + ":" + a.port
-}
-
-type matcher interface {
-	match([]addr) bool
-}
-
-type hostPattern struct {
-	negate bool
-	addr   addr
-}
-
-func (p *hostPattern) String() string {
-	n := ""
-	if p.negate {
-		n = "!"
-	}
-
-	return n + p.addr.String()
-}
-
-type hostPatterns []hostPattern
-
-func (ps hostPatterns) match(addrs []addr) bool {
-	matched := false
-	for _, p := range ps {
-		for _, a := range addrs {
-			m := p.match(a)
-			if !m {
-				continue
-			}
-			if p.negate {
-				return false
-			}
-			matched = true
-		}
-	}
-	return matched
-}
-
-// See
-// https://android.googlesource.com/platform/external/openssh/+/ab28f5495c85297e7a597c1ba62e996416da7c7e/addrmatch.c
-// The matching of * has no regard for separators, unlike filesystem globs
-func wildcardMatch(pat []byte, str []byte) bool {
-	for {
-		if len(pat) == 0 {
-			return len(str) == 0
-		}
-		if len(str) == 0 {
-			return false
-		}
-
-		if pat[0] == '*' {
-			if len(pat) == 1 {
-				return true
-			}
-
-			for j := range str {
-				if wildcardMatch(pat[1:], str[j:]) {
-					return true
-				}
-			}
-			return false
-		}
-
-		if pat[0] == '?' || pat[0] == str[0] {
-			pat = pat[1:]
-			str = str[1:]
-		} else {
-			return false
-		}
-	}
-}
-
-func (p *hostPattern) match(a addr) bool {
-	return wildcardMatch([]byte(p.addr.host), []byte(a.host)) && p.addr.port == a.port
-}
-
-type keyDBLine struct {
-	cert     bool
-	matcher  matcher
-	knownKey KnownKey
-}
-
-func serialize(k ssh.PublicKey) string {
-	return k.Type() + " " + base64.StdEncoding.EncodeToString(k.Marshal())
-}
-
-func (l *keyDBLine) match(addrs []addr) bool {
-	return l.matcher.match(addrs)
-}
-
-type hostKeyDB struct {
-	// Serialized version of revoked keys
-	revoked map[string]*KnownKey
-	lines   []keyDBLine
-}
-
-func newHostKeyDB() *hostKeyDB {
-	db := &hostKeyDB{
-		revoked: make(map[string]*KnownKey),
-	}
-
-	return db
-}
-
-func keyEq(a, b ssh.PublicKey) bool {
-	return bytes.Equal(a.Marshal(), b.Marshal())
-}
-
-// IsAuthorityForHost can be used as a callback in ssh.CertChecker
-func (db *hostKeyDB) IsHostAuthority(remote ssh.PublicKey, address string) bool {
-	h, p, err := net.SplitHostPort(address)
-	if err != nil {
-		return false
-	}
-	a := addr{host: h, port: p}
-
-	for _, l := range db.lines {
-		if l.cert && keyEq(l.knownKey.Key, remote) && l.match([]addr{a}) {
-			return true
-		}
-	}
-	return false
-}
-
-// IsRevoked can be used as a callback in ssh.CertChecker
-func (db *hostKeyDB) IsRevoked(key *ssh.Certificate) bool {
-	_, ok := db.revoked[string(key.Marshal())]
-	return ok
-}
-
-const markerCert = "@cert-authority"
-const markerRevoked = "@revoked"
-
-func nextWord(line []byte) (string, []byte) {
-	i := bytes.IndexAny(line, "\t ")
-	if i == -1 {
-		return string(line), nil
-	}
-
-	return string(line[:i]), bytes.TrimSpace(line[i:])
-}
-
-func parseLine(line []byte) (marker, host string, key ssh.PublicKey, err error) {
-	if w, next := nextWord(line); w == markerCert || w == markerRevoked {
-		marker = w
-		line = next
-	}
-
-	host, line = nextWord(line)
-	if len(line) == 0 {
-		return "", "", nil, errors.New("knownhosts: missing host pattern")
-	}
-
-	// ignore the keytype as it's in the key blob anyway.
-	_, line = nextWord(line)
-	if len(line) == 0 {
-		return "", "", nil, errors.New("knownhosts: missing key type pattern")
-	}
-
-	keyBlob, _ := nextWord(line)
-
-	keyBytes, err := base64.StdEncoding.DecodeString(keyBlob)
-	if err != nil {
-		return "", "", nil, err
-	}
-	key, err = ssh.ParsePublicKey(keyBytes)
-	if err != nil {
-		return "", "", nil, err
-	}
-
-	return marker, host, key, nil
-}
-
-func (db *hostKeyDB) parseLine(line []byte, filename string, linenum int) error {
-	marker, pattern, key, err := parseLine(line)
-	if err != nil {
-		return err
-	}
-
-	if marker == markerRevoked {
-		db.revoked[string(key.Marshal())] = &KnownKey{
-			Key:      key,
-			Filename: filename,
-			Line:     linenum,
-		}
-
-		return nil
-	}
-
-	entry := keyDBLine{
-		cert: marker == markerCert,
-		knownKey: KnownKey{
-			Filename: filename,
-			Line:     linenum,
-			Key:      key,
-		},
-	}
-
-	if pattern[0] == '|' {
-		entry.matcher, err = newHashedHost(pattern)
-	} else {
-		entry.matcher, err = newHostnameMatcher(pattern)
-	}
-
-	if err != nil {
-		return err
-	}
-
-	db.lines = append(db.lines, entry)
-	return nil
-}
-
-func newHostnameMatcher(pattern string) (matcher, error) {
-	var hps hostPatterns
-	for _, p := range strings.Split(pattern, ",") {
-		if len(p) == 0 {
-			continue
-		}
-
-		var a addr
-		var negate bool
-		if p[0] == '!' {
-			negate = true
-			p = p[1:]
-		}
-
-		if len(p) == 0 {
-			return nil, errors.New("knownhosts: negation without following hostname")
-		}
-
-		var err error
-		if p[0] == '[' {
-			a.host, a.port, err = net.SplitHostPort(p)
-			if err != nil {
-				return nil, err
-			}
-		} else {
-			a.host, a.port, err = net.SplitHostPort(p)
-			if err != nil {
-				a.host = p
-				a.port = "22"
-			}
-		}
-		hps = append(hps, hostPattern{
-			negate: negate,
-			addr:   a,
-		})
-	}
-	return hps, nil
-}
-
-// KnownKey represents a key declared in a known_hosts file.
-type KnownKey struct {
-	Key      ssh.PublicKey
-	Filename string
-	Line     int
-}
-
-func (k *KnownKey) String() string {
-	return fmt.Sprintf("%s:%d: %s", k.Filename, k.Line, serialize(k.Key))
-}
-
-// KeyError is returned if we did not find the key in the host key
-// database, or there was a mismatch.  Typically, in batch
-// applications, this should be interpreted as failure. Interactive
-// applications can offer an interactive prompt to the user.
-type KeyError struct {
-	// Want holds the accepted host keys. For each key algorithm,
-	// there can be one hostkey.  If Want is empty, the host is
-	// unknown. If Want is non-empty, there was a mismatch, which
-	// can signify a MITM attack.
-	Want []KnownKey
-}
-
-func (u *KeyError) Error() string {
-	if len(u.Want) == 0 {
-		return "knownhosts: key is unknown"
-	}
-	return "knownhosts: key mismatch"
-}
-
-// RevokedError is returned if we found a key that was revoked.
-type RevokedError struct {
-	Revoked KnownKey
-}
-
-func (r *RevokedError) Error() string {
-	return "knownhosts: key is revoked"
-}
-
-// check checks a key against the host database. This should not be
-// used for verifying certificates.
-func (db *hostKeyDB) check(address string, remote net.Addr, remoteKey ssh.PublicKey) error {
-	if revoked := db.revoked[string(remoteKey.Marshal())]; revoked != nil {
-		return &RevokedError{Revoked: *revoked}
-	}
-
-	host, port, err := net.SplitHostPort(remote.String())
-	if err != nil {
-		return fmt.Errorf("knownhosts: SplitHostPort(%s): %v", remote, err)
-	}
-
-	addrs := []addr{
-		{host, port},
-	}
-
-	if address != "" {
-		host, port, err := net.SplitHostPort(address)
-		if err != nil {
-			return fmt.Errorf("knownhosts: SplitHostPort(%s): %v", address, err)
-		}
-
-		addrs = append(addrs, addr{host, port})
-	}
-
-	return db.checkAddrs(addrs, remoteKey)
-}
-
-// checkAddrs checks if we can find the given public key for any of
-// the given addresses.  If we only find an entry for the IP address,
-// or only the hostname, then this still succeeds.
-func (db *hostKeyDB) checkAddrs(addrs []addr, remoteKey ssh.PublicKey) error {
-	// TODO(hanwen): are these the right semantics? What if there
-	// is just a key for the IP address, but not for the
-	// hostname?
-
-	// Algorithm => key.
-	knownKeys := map[string]KnownKey{}
-	for _, l := range db.lines {
-		if l.match(addrs) {
-			typ := l.knownKey.Key.Type()
-			if _, ok := knownKeys[typ]; !ok {
-				knownKeys[typ] = l.knownKey
-			}
-		}
-	}
-
-	keyErr := &KeyError{}
-	for _, v := range knownKeys {
-		keyErr.Want = append(keyErr.Want, v)
-	}
-
-	// Unknown remote host.
-	if len(knownKeys) == 0 {
-		return keyErr
-	}
-
-	// If the remote host starts using a different, unknown key type, we
-	// also interpret that as a mismatch.
-	if known, ok := knownKeys[remoteKey.Type()]; !ok || !keyEq(known.Key, remoteKey) {
-		return keyErr
-	}
-
-	return nil
-}
-
-// The Read function parses file contents.
-func (db *hostKeyDB) Read(r io.Reader, filename string) error {
-	scanner := bufio.NewScanner(r)
-
-	lineNum := 0
-	for scanner.Scan() {
-		lineNum++
-		line := scanner.Bytes()
-		line = bytes.TrimSpace(line)
-		if len(line) == 0 || line[0] == '#' {
-			continue
-		}
-
-		if err := db.parseLine(line, filename, lineNum); err != nil {
-			return fmt.Errorf("knownhosts: %s:%d: %v", filename, lineNum, err)
-		}
-	}
-	return scanner.Err()
-}
-
-// New creates a host key callback from the given OpenSSH host key
-// files. The returned callback is for use in
-// ssh.ClientConfig.HostKeyCallback. Hashed hostnames are not supported.
-func New(files ...string) (ssh.HostKeyCallback, error) {
-	db := newHostKeyDB()
-	for _, fn := range files {
-		f, err := os.Open(fn)
-		if err != nil {
-			return nil, err
-		}
-		defer f.Close()
-		if err := db.Read(f, fn); err != nil {
-			return nil, err
-		}
-	}
-
-	var certChecker ssh.CertChecker
-	certChecker.IsHostAuthority = db.IsHostAuthority
-	certChecker.IsRevoked = db.IsRevoked
-	certChecker.HostKeyFallback = db.check
-
-	return certChecker.CheckHostKey, nil
-}
-
-// Normalize normalizes an address into the form used in known_hosts
-func Normalize(address string) string {
-	host, port, err := net.SplitHostPort(address)
-	if err != nil {
-		host = address
-		port = "22"
-	}
-	entry := host
-	if port != "22" {
-		entry = "[" + entry + "]:" + port
-	} else if strings.Contains(host, ":") && !strings.HasPrefix(host, "[") {
-		entry = "[" + entry + "]"
-	}
-	return entry
-}
-
-// Line returns a line to add append to the known_hosts files.
-func Line(addresses []string, key ssh.PublicKey) string {
-	var trimmed []string
-	for _, a := range addresses {
-		trimmed = append(trimmed, Normalize(a))
-	}
-
-	return strings.Join(trimmed, ",") + " " + serialize(key)
-}
-
-// HashHostname hashes the given hostname. The hostname is not
-// normalized before hashing.
-func HashHostname(hostname string) string {
-	// TODO(hanwen): check if we can safely normalize this always.
-	salt := make([]byte, sha1.Size)
-
-	_, err := rand.Read(salt)
-	if err != nil {
-		panic(fmt.Sprintf("crypto/rand failure %v", err))
-	}
-
-	hash := hashHost(hostname, salt)
-	return encodeHash(sha1HashType, salt, hash)
-}
-
-func decodeHash(encoded string) (hashType string, salt, hash []byte, err error) {
-	if len(encoded) == 0 || encoded[0] != '|' {
-		err = errors.New("knownhosts: hashed host must start with '|'")
-		return
-	}
-	components := strings.Split(encoded, "|")
-	if len(components) != 4 {
-		err = fmt.Errorf("knownhosts: got %d components, want 3", len(components))
-		return
-	}
-
-	hashType = components[1]
-	if salt, err = base64.StdEncoding.DecodeString(components[2]); err != nil {
-		return
-	}
-	if hash, err = base64.StdEncoding.DecodeString(components[3]); err != nil {
-		return
-	}
-	return
-}
-
-func encodeHash(typ string, salt []byte, hash []byte) string {
-	return strings.Join([]string{"",
-		typ,
-		base64.StdEncoding.EncodeToString(salt),
-		base64.StdEncoding.EncodeToString(hash),
-	}, "|")
-}
-
-// See https://android.googlesource.com/platform/external/openssh/+/ab28f5495c85297e7a597c1ba62e996416da7c7e/hostfile.c#120
-func hashHost(hostname string, salt []byte) []byte {
-	mac := hmac.New(sha1.New, salt)
-	mac.Write([]byte(hostname))
-	return mac.Sum(nil)
-}
-
-type hashedHost struct {
-	salt []byte
-	hash []byte
-}
-
-const sha1HashType = "1"
-
-func newHashedHost(encoded string) (*hashedHost, error) {
-	typ, salt, hash, err := decodeHash(encoded)
-	if err != nil {
-		return nil, err
-	}
-
-	// The type field seems for future algorithm agility, but it's
-	// actually hardcoded in openssh currently, see
-	// https://android.googlesource.com/platform/external/openssh/+/ab28f5495c85297e7a597c1ba62e996416da7c7e/hostfile.c#120
-	if typ != sha1HashType {
-		return nil, fmt.Errorf("knownhosts: got hash type %s, must be '1'", typ)
-	}
-
-	return &hashedHost{salt: salt, hash: hash}, nil
-}
-
-func (h *hashedHost) match(addrs []addr) bool {
-	for _, a := range addrs {
-		if bytes.Equal(hashHost(Normalize(a.String()), h.salt), h.hash) {
-			return true
-		}
-	}
-	return false
-}
diff --git a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go
deleted file mode 100644
index be7cc0e8..00000000
--- a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go
+++ /dev/null
@@ -1,329 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package knownhosts
-
-import (
-	"bytes"
-	"fmt"
-	"net"
-	"reflect"
-	"testing"
-
-	"golang.org/x/crypto/ssh"
-)
-
-const edKeyStr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBAarftlLeoyf+v+nVchEZII/vna2PCV8FaX4vsF5BX"
-const alternateEdKeyStr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXffBYeYL+WVzVru8npl5JHt2cjlr4ornFTWzoij9sx"
-const ecKeyStr = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLCu01+wpXe3xB5olXCN4SqU2rQu0qjSRKJO4Bg+JRCPU+ENcgdA5srTU8xYDz/GEa4dzK5ldPw4J/gZgSXCMs="
-
-var ecKey, alternateEdKey, edKey ssh.PublicKey
-var testAddr = &net.TCPAddr{
-	IP:   net.IP{198, 41, 30, 196},
-	Port: 22,
-}
-
-var testAddr6 = &net.TCPAddr{
-	IP: net.IP{198, 41, 30, 196,
-		1, 2, 3, 4,
-		1, 2, 3, 4,
-		1, 2, 3, 4,
-	},
-	Port: 22,
-}
-
-func init() {
-	var err error
-	ecKey, _, _, _, err = ssh.ParseAuthorizedKey([]byte(ecKeyStr))
-	if err != nil {
-		panic(err)
-	}
-	edKey, _, _, _, err = ssh.ParseAuthorizedKey([]byte(edKeyStr))
-	if err != nil {
-		panic(err)
-	}
-	alternateEdKey, _, _, _, err = ssh.ParseAuthorizedKey([]byte(alternateEdKeyStr))
-	if err != nil {
-		panic(err)
-	}
-}
-
-func testDB(t *testing.T, s string) *hostKeyDB {
-	db := newHostKeyDB()
-	if err := db.Read(bytes.NewBufferString(s), "testdb"); err != nil {
-		t.Fatalf("Read: %v", err)
-	}
-
-	return db
-}
-
-func TestRevoked(t *testing.T) {
-	db := testDB(t, "\n\n@revoked * "+edKeyStr+"\n")
-	want := &RevokedError{
-		Revoked: KnownKey{
-			Key:      edKey,
-			Filename: "testdb",
-			Line:     3,
-		},
-	}
-	if err := db.check("", &net.TCPAddr{
-		Port: 42,
-	}, edKey); err == nil {
-		t.Fatal("no error for revoked key")
-	} else if !reflect.DeepEqual(want, err) {
-		t.Fatalf("got %#v, want %#v", want, err)
-	}
-}
-
-func TestHostAuthority(t *testing.T) {
-	for _, m := range []struct {
-		authorityFor string
-		address      string
-
-		good bool
-	}{
-		{authorityFor: "localhost", address: "localhost:22", good: true},
-		{authorityFor: "localhost", address: "localhost", good: false},
-		{authorityFor: "localhost", address: "localhost:1234", good: false},
-		{authorityFor: "[localhost]:1234", address: "localhost:1234", good: true},
-		{authorityFor: "[localhost]:1234", address: "localhost:22", good: false},
-		{authorityFor: "[localhost]:1234", address: "localhost", good: false},
-	} {
-		db := testDB(t, `@cert-authority `+m.authorityFor+` `+edKeyStr)
-		if ok := db.IsHostAuthority(db.lines[0].knownKey.Key, m.address); ok != m.good {
-			t.Errorf("IsHostAuthority: authority %s, address %s, wanted good = %v, got good = %v",
-				m.authorityFor, m.address, m.good, ok)
-		}
-	}
-}
-
-func TestBracket(t *testing.T) {
-	db := testDB(t, `[git.eclipse.org]:29418,[198.41.30.196]:29418 `+edKeyStr)
-
-	if err := db.check("git.eclipse.org:29418", &net.TCPAddr{
-		IP:   net.IP{198, 41, 30, 196},
-		Port: 29418,
-	}, edKey); err != nil {
-		t.Errorf("got error %v, want none", err)
-	}
-
-	if err := db.check("git.eclipse.org:29419", &net.TCPAddr{
-		Port: 42,
-	}, edKey); err == nil {
-		t.Fatalf("no error for unknown address")
-	} else if ke, ok := err.(*KeyError); !ok {
-		t.Fatalf("got type %T, want *KeyError", err)
-	} else if len(ke.Want) > 0 {
-		t.Fatalf("got Want %v, want []", ke.Want)
-	}
-}
-
-func TestNewKeyType(t *testing.T) {
-	str := fmt.Sprintf("%s %s", testAddr, edKeyStr)
-	db := testDB(t, str)
-	if err := db.check("", testAddr, ecKey); err == nil {
-		t.Fatalf("no error for unknown address")
-	} else if ke, ok := err.(*KeyError); !ok {
-		t.Fatalf("got type %T, want *KeyError", err)
-	} else if len(ke.Want) == 0 {
-		t.Fatalf("got empty KeyError.Want")
-	}
-}
-
-func TestSameKeyType(t *testing.T) {
-	str := fmt.Sprintf("%s %s", testAddr, edKeyStr)
-	db := testDB(t, str)
-	if err := db.check("", testAddr, alternateEdKey); err == nil {
-		t.Fatalf("no error for unknown address")
-	} else if ke, ok := err.(*KeyError); !ok {
-		t.Fatalf("got type %T, want *KeyError", err)
-	} else if len(ke.Want) == 0 {
-		t.Fatalf("got empty KeyError.Want")
-	} else if got, want := ke.Want[0].Key.Marshal(), edKey.Marshal(); !bytes.Equal(got, want) {
-		t.Fatalf("got key %q, want %q", got, want)
-	}
-}
-
-func TestIPAddress(t *testing.T) {
-	str := fmt.Sprintf("%s %s", testAddr, edKeyStr)
-	db := testDB(t, str)
-	if err := db.check("", testAddr, edKey); err != nil {
-		t.Errorf("got error %q, want none", err)
-	}
-}
-
-func TestIPv6Address(t *testing.T) {
-	str := fmt.Sprintf("%s %s", testAddr6, edKeyStr)
-	db := testDB(t, str)
-
-	if err := db.check("", testAddr6, edKey); err != nil {
-		t.Errorf("got error %q, want none", err)
-	}
-}
-
-func TestBasic(t *testing.T) {
-	str := fmt.Sprintf("#comment\n\nserver.org,%s %s\notherhost %s", testAddr, edKeyStr, ecKeyStr)
-	db := testDB(t, str)
-	if err := db.check("server.org:22", testAddr, edKey); err != nil {
-		t.Errorf("got error %q, want none", err)
-	}
-
-	want := KnownKey{
-		Key:      edKey,
-		Filename: "testdb",
-		Line:     3,
-	}
-	if err := db.check("server.org:22", testAddr, ecKey); err == nil {
-		t.Errorf("succeeded, want KeyError")
-	} else if ke, ok := err.(*KeyError); !ok {
-		t.Errorf("got %T, want *KeyError", err)
-	} else if len(ke.Want) != 1 {
-		t.Errorf("got %v, want 1 entry", ke)
-	} else if !reflect.DeepEqual(ke.Want[0], want) {
-		t.Errorf("got %v, want %v", ke.Want[0], want)
-	}
-}
-
-func TestNegate(t *testing.T) {
-	str := fmt.Sprintf("%s,!server.org %s", testAddr, edKeyStr)
-	db := testDB(t, str)
-	if err := db.check("server.org:22", testAddr, ecKey); err == nil {
-		t.Errorf("succeeded")
-	} else if ke, ok := err.(*KeyError); !ok {
-		t.Errorf("got error type %T, want *KeyError", err)
-	} else if len(ke.Want) != 0 {
-		t.Errorf("got expected keys %d (first of type %s), want []", len(ke.Want), ke.Want[0].Key.Type())
-	}
-}
-
-func TestWildcard(t *testing.T) {
-	str := fmt.Sprintf("server*.domain %s", edKeyStr)
-	db := testDB(t, str)
-
-	want := &KeyError{
-		Want: []KnownKey{{
-			Filename: "testdb",
-			Line:     1,
-			Key:      edKey,
-		}},
-	}
-
-	got := db.check("server.domain:22", &net.TCPAddr{}, ecKey)
-	if !reflect.DeepEqual(got, want) {
-		t.Errorf("got %s, want %s", got, want)
-	}
-}
-
-func TestLine(t *testing.T) {
-	for in, want := range map[string]string{
-		"server.org":                             "server.org " + edKeyStr,
-		"server.org:22":                          "server.org " + edKeyStr,
-		"server.org:23":                          "[server.org]:23 " + edKeyStr,
-		"[c629:1ec4:102:304:102:304:102:304]:22": "[c629:1ec4:102:304:102:304:102:304] " + edKeyStr,
-		"[c629:1ec4:102:304:102:304:102:304]:23": "[c629:1ec4:102:304:102:304:102:304]:23 " + edKeyStr,
-	} {
-		if got := Line([]string{in}, edKey); got != want {
-			t.Errorf("Line(%q) = %q, want %q", in, got, want)
-		}
-	}
-}
-
-func TestWildcardMatch(t *testing.T) {
-	for _, c := range []struct {
-		pat, str string
-		want     bool
-	}{
-		{"a?b", "abb", true},
-		{"ab", "abc", false},
-		{"abc", "ab", false},
-		{"a*b", "axxxb", true},
-		{"a*b", "axbxb", true},
-		{"a*b", "axbxbc", false},
-		{"a*?", "axbxc", true},
-		{"a*b*", "axxbxxxxxx", true},
-		{"a*b*c", "axxbxxxxxxc", true},
-		{"a*b*?", "axxbxxxxxxc", true},
-		{"a*b*z", "axxbxxbxxxz", true},
-		{"a*b*z", "axxbxxzxxxz", true},
-		{"a*b*z", "axxbxxzxxx", false},
-	} {
-		got := wildcardMatch([]byte(c.pat), []byte(c.str))
-		if got != c.want {
-			t.Errorf("wildcardMatch(%q, %q) = %v, want %v", c.pat, c.str, got, c.want)
-		}
-
-	}
-}
-
-// TODO(hanwen): test coverage for certificates.
-
-const testHostname = "hostname"
-
-// generated with keygen -H -f
-const encodedTestHostnameHash = "|1|IHXZvQMvTcZTUU29+2vXFgx8Frs=|UGccIWfRVDwilMBnA3WJoRAC75Y="
-
-func TestHostHash(t *testing.T) {
-	testHostHash(t, testHostname, encodedTestHostnameHash)
-}
-
-func TestHashList(t *testing.T) {
-	encoded := HashHostname(testHostname)
-	testHostHash(t, testHostname, encoded)
-}
-
-func testHostHash(t *testing.T, hostname, encoded string) {
-	typ, salt, hash, err := decodeHash(encoded)
-	if err != nil {
-		t.Fatalf("decodeHash: %v", err)
-	}
-
-	if got := encodeHash(typ, salt, hash); got != encoded {
-		t.Errorf("got encoding %s want %s", got, encoded)
-	}
-
-	if typ != sha1HashType {
-		t.Fatalf("got hash type %q, want %q", typ, sha1HashType)
-	}
-
-	got := hashHost(hostname, salt)
-	if !bytes.Equal(got, hash) {
-		t.Errorf("got hash %x want %x", got, hash)
-	}
-}
-
-func TestNormalize(t *testing.T) {
-	for in, want := range map[string]string{
-		"127.0.0.1:22":             "127.0.0.1",
-		"[127.0.0.1]:22":           "127.0.0.1",
-		"[127.0.0.1]:23":           "[127.0.0.1]:23",
-		"127.0.0.1:23":             "[127.0.0.1]:23",
-		"[a.b.c]:22":               "a.b.c",
-		"[abcd:abcd:abcd:abcd]":    "[abcd:abcd:abcd:abcd]",
-		"[abcd:abcd:abcd:abcd]:22": "[abcd:abcd:abcd:abcd]",
-		"[abcd:abcd:abcd:abcd]:23": "[abcd:abcd:abcd:abcd]:23",
-	} {
-		got := Normalize(in)
-		if got != want {
-			t.Errorf("Normalize(%q) = %q, want %q", in, got, want)
-		}
-	}
-}
-
-func TestHashedHostkeyCheck(t *testing.T) {
-	str := fmt.Sprintf("%s %s", HashHostname(testHostname), edKeyStr)
-	db := testDB(t, str)
-	if err := db.check(testHostname+":22", testAddr, edKey); err != nil {
-		t.Errorf("check(%s): %v", testHostname, err)
-	}
-	want := &KeyError{
-		Want: []KnownKey{{
-			Filename: "testdb",
-			Line:     1,
-			Key:      edKey,
-		}},
-	}
-	if got := db.check(testHostname+":22", testAddr, alternateEdKey); !reflect.DeepEqual(got, want) {
-		t.Errorf("got error %v, want %v", got, want)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/mac.go b/vendor/golang.org/x/crypto/ssh/mac.go
deleted file mode 100644
index c07a0628..00000000
--- a/vendor/golang.org/x/crypto/ssh/mac.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-// Message authentication support
-
-import (
-	"crypto/hmac"
-	"crypto/sha1"
-	"crypto/sha256"
-	"hash"
-)
-
-type macMode struct {
-	keySize int
-	etm     bool
-	new     func(key []byte) hash.Hash
-}
-
-// truncatingMAC wraps around a hash.Hash and truncates the output digest to
-// a given size.
-type truncatingMAC struct {
-	length int
-	hmac   hash.Hash
-}
-
-func (t truncatingMAC) Write(data []byte) (int, error) {
-	return t.hmac.Write(data)
-}
-
-func (t truncatingMAC) Sum(in []byte) []byte {
-	out := t.hmac.Sum(in)
-	return out[:len(in)+t.length]
-}
-
-func (t truncatingMAC) Reset() {
-	t.hmac.Reset()
-}
-
-func (t truncatingMAC) Size() int {
-	return t.length
-}
-
-func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
-
-var macModes = map[string]*macMode{
-	"hmac-sha2-256-etm@openssh.com": {32, true, func(key []byte) hash.Hash {
-		return hmac.New(sha256.New, key)
-	}},
-	"hmac-sha2-256": {32, false, func(key []byte) hash.Hash {
-		return hmac.New(sha256.New, key)
-	}},
-	"hmac-sha1": {20, false, func(key []byte) hash.Hash {
-		return hmac.New(sha1.New, key)
-	}},
-	"hmac-sha1-96": {20, false, func(key []byte) hash.Hash {
-		return truncatingMAC{12, hmac.New(sha1.New, key)}
-	}},
-}
diff --git a/vendor/golang.org/x/crypto/ssh/mempipe_test.go b/vendor/golang.org/x/crypto/ssh/mempipe_test.go
deleted file mode 100644
index 8697cd61..00000000
--- a/vendor/golang.org/x/crypto/ssh/mempipe_test.go
+++ /dev/null
@@ -1,110 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"io"
-	"sync"
-	"testing"
-)
-
-// An in-memory packetConn. It is safe to call Close and writePacket
-// from different goroutines.
-type memTransport struct {
-	eof     bool
-	pending [][]byte
-	write   *memTransport
-	sync.Mutex
-	*sync.Cond
-}
-
-func (t *memTransport) readPacket() ([]byte, error) {
-	t.Lock()
-	defer t.Unlock()
-	for {
-		if len(t.pending) > 0 {
-			r := t.pending[0]
-			t.pending = t.pending[1:]
-			return r, nil
-		}
-		if t.eof {
-			return nil, io.EOF
-		}
-		t.Cond.Wait()
-	}
-}
-
-func (t *memTransport) closeSelf() error {
-	t.Lock()
-	defer t.Unlock()
-	if t.eof {
-		return io.EOF
-	}
-	t.eof = true
-	t.Cond.Broadcast()
-	return nil
-}
-
-func (t *memTransport) Close() error {
-	err := t.write.closeSelf()
-	t.closeSelf()
-	return err
-}
-
-func (t *memTransport) writePacket(p []byte) error {
-	t.write.Lock()
-	defer t.write.Unlock()
-	if t.write.eof {
-		return io.EOF
-	}
-	c := make([]byte, len(p))
-	copy(c, p)
-	t.write.pending = append(t.write.pending, c)
-	t.write.Cond.Signal()
-	return nil
-}
-
-func memPipe() (a, b packetConn) {
-	t1 := memTransport{}
-	t2 := memTransport{}
-	t1.write = &t2
-	t2.write = &t1
-	t1.Cond = sync.NewCond(&t1.Mutex)
-	t2.Cond = sync.NewCond(&t2.Mutex)
-	return &t1, &t2
-}
-
-func TestMemPipe(t *testing.T) {
-	a, b := memPipe()
-	if err := a.writePacket([]byte{42}); err != nil {
-		t.Fatalf("writePacket: %v", err)
-	}
-	if err := a.Close(); err != nil {
-		t.Fatal("Close: ", err)
-	}
-	p, err := b.readPacket()
-	if err != nil {
-		t.Fatal("readPacket: ", err)
-	}
-	if len(p) != 1 || p[0] != 42 {
-		t.Fatalf("got %v, want {42}", p)
-	}
-	p, err = b.readPacket()
-	if err != io.EOF {
-		t.Fatalf("got %v, %v, want EOF", p, err)
-	}
-}
-
-func TestDoubleClose(t *testing.T) {
-	a, _ := memPipe()
-	err := a.Close()
-	if err != nil {
-		t.Errorf("Close: %v", err)
-	}
-	err = a.Close()
-	if err != io.EOF {
-		t.Errorf("expect EOF on double close.")
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/messages.go b/vendor/golang.org/x/crypto/ssh/messages.go
deleted file mode 100644
index 08d28117..00000000
--- a/vendor/golang.org/x/crypto/ssh/messages.go
+++ /dev/null
@@ -1,766 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"io"
-	"math/big"
-	"reflect"
-	"strconv"
-	"strings"
-)
-
-// These are SSH message type numbers. They are scattered around several
-// documents but many were taken from [SSH-PARAMETERS].
-const (
-	msgIgnore        = 2
-	msgUnimplemented = 3
-	msgDebug         = 4
-	msgNewKeys       = 21
-)
-
-// SSH messages:
-//
-// These structures mirror the wire format of the corresponding SSH messages.
-// They are marshaled using reflection with the marshal and unmarshal functions
-// in this file. The only wrinkle is that a final member of type []byte with a
-// ssh tag of "rest" receives the remainder of a packet when unmarshaling.
-
-// See RFC 4253, section 11.1.
-const msgDisconnect = 1
-
-// disconnectMsg is the message that signals a disconnect. It is also
-// the error type returned from mux.Wait()
-type disconnectMsg struct {
-	Reason   uint32 `sshtype:"1"`
-	Message  string
-	Language string
-}
-
-func (d *disconnectMsg) Error() string {
-	return fmt.Sprintf("ssh: disconnect, reason %d: %s", d.Reason, d.Message)
-}
-
-// See RFC 4253, section 7.1.
-const msgKexInit = 20
-
-type kexInitMsg struct {
-	Cookie                  [16]byte `sshtype:"20"`
-	KexAlgos                []string
-	ServerHostKeyAlgos      []string
-	CiphersClientServer     []string
-	CiphersServerClient     []string
-	MACsClientServer        []string
-	MACsServerClient        []string
-	CompressionClientServer []string
-	CompressionServerClient []string
-	LanguagesClientServer   []string
-	LanguagesServerClient   []string
-	FirstKexFollows         bool
-	Reserved                uint32
-}
-
-// See RFC 4253, section 8.
-
-// Diffie-Helman
-const msgKexDHInit = 30
-
-type kexDHInitMsg struct {
-	X *big.Int `sshtype:"30"`
-}
-
-const msgKexECDHInit = 30
-
-type kexECDHInitMsg struct {
-	ClientPubKey []byte `sshtype:"30"`
-}
-
-const msgKexECDHReply = 31
-
-type kexECDHReplyMsg struct {
-	HostKey         []byte `sshtype:"31"`
-	EphemeralPubKey []byte
-	Signature       []byte
-}
-
-const msgKexDHReply = 31
-
-type kexDHReplyMsg struct {
-	HostKey   []byte `sshtype:"31"`
-	Y         *big.Int
-	Signature []byte
-}
-
-// See RFC 4253, section 10.
-const msgServiceRequest = 5
-
-type serviceRequestMsg struct {
-	Service string `sshtype:"5"`
-}
-
-// See RFC 4253, section 10.
-const msgServiceAccept = 6
-
-type serviceAcceptMsg struct {
-	Service string `sshtype:"6"`
-}
-
-// See RFC 4252, section 5.
-const msgUserAuthRequest = 50
-
-type userAuthRequestMsg struct {
-	User    string `sshtype:"50"`
-	Service string
-	Method  string
-	Payload []byte `ssh:"rest"`
-}
-
-// Used for debug printouts of packets.
-type userAuthSuccessMsg struct {
-}
-
-// See RFC 4252, section 5.1
-const msgUserAuthFailure = 51
-
-type userAuthFailureMsg struct {
-	Methods        []string `sshtype:"51"`
-	PartialSuccess bool
-}
-
-// See RFC 4252, section 5.1
-const msgUserAuthSuccess = 52
-
-// See RFC 4252, section 5.4
-const msgUserAuthBanner = 53
-
-type userAuthBannerMsg struct {
-	Message string `sshtype:"53"`
-	// unused, but required to allow message parsing
-	Language string
-}
-
-// See RFC 4256, section 3.2
-const msgUserAuthInfoRequest = 60
-const msgUserAuthInfoResponse = 61
-
-type userAuthInfoRequestMsg struct {
-	User               string `sshtype:"60"`
-	Instruction        string
-	DeprecatedLanguage string
-	NumPrompts         uint32
-	Prompts            []byte `ssh:"rest"`
-}
-
-// See RFC 4254, section 5.1.
-const msgChannelOpen = 90
-
-type channelOpenMsg struct {
-	ChanType         string `sshtype:"90"`
-	PeersID          uint32
-	PeersWindow      uint32
-	MaxPacketSize    uint32
-	TypeSpecificData []byte `ssh:"rest"`
-}
-
-const msgChannelExtendedData = 95
-const msgChannelData = 94
-
-// Used for debug print outs of packets.
-type channelDataMsg struct {
-	PeersID uint32 `sshtype:"94"`
-	Length  uint32
-	Rest    []byte `ssh:"rest"`
-}
-
-// See RFC 4254, section 5.1.
-const msgChannelOpenConfirm = 91
-
-type channelOpenConfirmMsg struct {
-	PeersID          uint32 `sshtype:"91"`
-	MyID             uint32
-	MyWindow         uint32
-	MaxPacketSize    uint32
-	TypeSpecificData []byte `ssh:"rest"`
-}
-
-// See RFC 4254, section 5.1.
-const msgChannelOpenFailure = 92
-
-type channelOpenFailureMsg struct {
-	PeersID  uint32 `sshtype:"92"`
-	Reason   RejectionReason
-	Message  string
-	Language string
-}
-
-const msgChannelRequest = 98
-
-type channelRequestMsg struct {
-	PeersID             uint32 `sshtype:"98"`
-	Request             string
-	WantReply           bool
-	RequestSpecificData []byte `ssh:"rest"`
-}
-
-// See RFC 4254, section 5.4.
-const msgChannelSuccess = 99
-
-type channelRequestSuccessMsg struct {
-	PeersID uint32 `sshtype:"99"`
-}
-
-// See RFC 4254, section 5.4.
-const msgChannelFailure = 100
-
-type channelRequestFailureMsg struct {
-	PeersID uint32 `sshtype:"100"`
-}
-
-// See RFC 4254, section 5.3
-const msgChannelClose = 97
-
-type channelCloseMsg struct {
-	PeersID uint32 `sshtype:"97"`
-}
-
-// See RFC 4254, section 5.3
-const msgChannelEOF = 96
-
-type channelEOFMsg struct {
-	PeersID uint32 `sshtype:"96"`
-}
-
-// See RFC 4254, section 4
-const msgGlobalRequest = 80
-
-type globalRequestMsg struct {
-	Type      string `sshtype:"80"`
-	WantReply bool
-	Data      []byte `ssh:"rest"`
-}
-
-// See RFC 4254, section 4
-const msgRequestSuccess = 81
-
-type globalRequestSuccessMsg struct {
-	Data []byte `ssh:"rest" sshtype:"81"`
-}
-
-// See RFC 4254, section 4
-const msgRequestFailure = 82
-
-type globalRequestFailureMsg struct {
-	Data []byte `ssh:"rest" sshtype:"82"`
-}
-
-// See RFC 4254, section 5.2
-const msgChannelWindowAdjust = 93
-
-type windowAdjustMsg struct {
-	PeersID         uint32 `sshtype:"93"`
-	AdditionalBytes uint32
-}
-
-// See RFC 4252, section 7
-const msgUserAuthPubKeyOk = 60
-
-type userAuthPubKeyOkMsg struct {
-	Algo   string `sshtype:"60"`
-	PubKey []byte
-}
-
-// typeTags returns the possible type bytes for the given reflect.Type, which
-// should be a struct. The possible values are separated by a '|' character.
-func typeTags(structType reflect.Type) (tags []byte) {
-	tagStr := structType.Field(0).Tag.Get("sshtype")
-
-	for _, tag := range strings.Split(tagStr, "|") {
-		i, err := strconv.Atoi(tag)
-		if err == nil {
-			tags = append(tags, byte(i))
-		}
-	}
-
-	return tags
-}
-
-func fieldError(t reflect.Type, field int, problem string) error {
-	if problem != "" {
-		problem = ": " + problem
-	}
-	return fmt.Errorf("ssh: unmarshal error for field %s of type %s%s", t.Field(field).Name, t.Name(), problem)
-}
-
-var errShortRead = errors.New("ssh: short read")
-
-// Unmarshal parses data in SSH wire format into a structure. The out
-// argument should be a pointer to struct. If the first member of the
-// struct has the "sshtype" tag set to a '|'-separated set of numbers
-// in decimal, the packet must start with one of those numbers. In
-// case of error, Unmarshal returns a ParseError or
-// UnexpectedMessageError.
-func Unmarshal(data []byte, out interface{}) error {
-	v := reflect.ValueOf(out).Elem()
-	structType := v.Type()
-	expectedTypes := typeTags(structType)
-
-	var expectedType byte
-	if len(expectedTypes) > 0 {
-		expectedType = expectedTypes[0]
-	}
-
-	if len(data) == 0 {
-		return parseError(expectedType)
-	}
-
-	if len(expectedTypes) > 0 {
-		goodType := false
-		for _, e := range expectedTypes {
-			if e > 0 && data[0] == e {
-				goodType = true
-				break
-			}
-		}
-		if !goodType {
-			return fmt.Errorf("ssh: unexpected message type %d (expected one of %v)", data[0], expectedTypes)
-		}
-		data = data[1:]
-	}
-
-	var ok bool
-	for i := 0; i < v.NumField(); i++ {
-		field := v.Field(i)
-		t := field.Type()
-		switch t.Kind() {
-		case reflect.Bool:
-			if len(data) < 1 {
-				return errShortRead
-			}
-			field.SetBool(data[0] != 0)
-			data = data[1:]
-		case reflect.Array:
-			if t.Elem().Kind() != reflect.Uint8 {
-				return fieldError(structType, i, "array of unsupported type")
-			}
-			if len(data) < t.Len() {
-				return errShortRead
-			}
-			for j, n := 0, t.Len(); j < n; j++ {
-				field.Index(j).Set(reflect.ValueOf(data[j]))
-			}
-			data = data[t.Len():]
-		case reflect.Uint64:
-			var u64 uint64
-			if u64, data, ok = parseUint64(data); !ok {
-				return errShortRead
-			}
-			field.SetUint(u64)
-		case reflect.Uint32:
-			var u32 uint32
-			if u32, data, ok = parseUint32(data); !ok {
-				return errShortRead
-			}
-			field.SetUint(uint64(u32))
-		case reflect.Uint8:
-			if len(data) < 1 {
-				return errShortRead
-			}
-			field.SetUint(uint64(data[0]))
-			data = data[1:]
-		case reflect.String:
-			var s []byte
-			if s, data, ok = parseString(data); !ok {
-				return fieldError(structType, i, "")
-			}
-			field.SetString(string(s))
-		case reflect.Slice:
-			switch t.Elem().Kind() {
-			case reflect.Uint8:
-				if structType.Field(i).Tag.Get("ssh") == "rest" {
-					field.Set(reflect.ValueOf(data))
-					data = nil
-				} else {
-					var s []byte
-					if s, data, ok = parseString(data); !ok {
-						return errShortRead
-					}
-					field.Set(reflect.ValueOf(s))
-				}
-			case reflect.String:
-				var nl []string
-				if nl, data, ok = parseNameList(data); !ok {
-					return errShortRead
-				}
-				field.Set(reflect.ValueOf(nl))
-			default:
-				return fieldError(structType, i, "slice of unsupported type")
-			}
-		case reflect.Ptr:
-			if t == bigIntType {
-				var n *big.Int
-				if n, data, ok = parseInt(data); !ok {
-					return errShortRead
-				}
-				field.Set(reflect.ValueOf(n))
-			} else {
-				return fieldError(structType, i, "pointer to unsupported type")
-			}
-		default:
-			return fieldError(structType, i, fmt.Sprintf("unsupported type: %v", t))
-		}
-	}
-
-	if len(data) != 0 {
-		return parseError(expectedType)
-	}
-
-	return nil
-}
-
-// Marshal serializes the message in msg to SSH wire format.  The msg
-// argument should be a struct or pointer to struct. If the first
-// member has the "sshtype" tag set to a number in decimal, that
-// number is prepended to the result. If the last of member has the
-// "ssh" tag set to "rest", its contents are appended to the output.
-func Marshal(msg interface{}) []byte {
-	out := make([]byte, 0, 64)
-	return marshalStruct(out, msg)
-}
-
-func marshalStruct(out []byte, msg interface{}) []byte {
-	v := reflect.Indirect(reflect.ValueOf(msg))
-	msgTypes := typeTags(v.Type())
-	if len(msgTypes) > 0 {
-		out = append(out, msgTypes[0])
-	}
-
-	for i, n := 0, v.NumField(); i < n; i++ {
-		field := v.Field(i)
-		switch t := field.Type(); t.Kind() {
-		case reflect.Bool:
-			var v uint8
-			if field.Bool() {
-				v = 1
-			}
-			out = append(out, v)
-		case reflect.Array:
-			if t.Elem().Kind() != reflect.Uint8 {
-				panic(fmt.Sprintf("array of non-uint8 in field %d: %T", i, field.Interface()))
-			}
-			for j, l := 0, t.Len(); j < l; j++ {
-				out = append(out, uint8(field.Index(j).Uint()))
-			}
-		case reflect.Uint32:
-			out = appendU32(out, uint32(field.Uint()))
-		case reflect.Uint64:
-			out = appendU64(out, uint64(field.Uint()))
-		case reflect.Uint8:
-			out = append(out, uint8(field.Uint()))
-		case reflect.String:
-			s := field.String()
-			out = appendInt(out, len(s))
-			out = append(out, s...)
-		case reflect.Slice:
-			switch t.Elem().Kind() {
-			case reflect.Uint8:
-				if v.Type().Field(i).Tag.Get("ssh") != "rest" {
-					out = appendInt(out, field.Len())
-				}
-				out = append(out, field.Bytes()...)
-			case reflect.String:
-				offset := len(out)
-				out = appendU32(out, 0)
-				if n := field.Len(); n > 0 {
-					for j := 0; j < n; j++ {
-						f := field.Index(j)
-						if j != 0 {
-							out = append(out, ',')
-						}
-						out = append(out, f.String()...)
-					}
-					// overwrite length value
-					binary.BigEndian.PutUint32(out[offset:], uint32(len(out)-offset-4))
-				}
-			default:
-				panic(fmt.Sprintf("slice of unknown type in field %d: %T", i, field.Interface()))
-			}
-		case reflect.Ptr:
-			if t == bigIntType {
-				var n *big.Int
-				nValue := reflect.ValueOf(&n)
-				nValue.Elem().Set(field)
-				needed := intLength(n)
-				oldLength := len(out)
-
-				if cap(out)-len(out) < needed {
-					newOut := make([]byte, len(out), 2*(len(out)+needed))
-					copy(newOut, out)
-					out = newOut
-				}
-				out = out[:oldLength+needed]
-				marshalInt(out[oldLength:], n)
-			} else {
-				panic(fmt.Sprintf("pointer to unknown type in field %d: %T", i, field.Interface()))
-			}
-		}
-	}
-
-	return out
-}
-
-var bigOne = big.NewInt(1)
-
-func parseString(in []byte) (out, rest []byte, ok bool) {
-	if len(in) < 4 {
-		return
-	}
-	length := binary.BigEndian.Uint32(in)
-	in = in[4:]
-	if uint32(len(in)) < length {
-		return
-	}
-	out = in[:length]
-	rest = in[length:]
-	ok = true
-	return
-}
-
-var (
-	comma         = []byte{','}
-	emptyNameList = []string{}
-)
-
-func parseNameList(in []byte) (out []string, rest []byte, ok bool) {
-	contents, rest, ok := parseString(in)
-	if !ok {
-		return
-	}
-	if len(contents) == 0 {
-		out = emptyNameList
-		return
-	}
-	parts := bytes.Split(contents, comma)
-	out = make([]string, len(parts))
-	for i, part := range parts {
-		out[i] = string(part)
-	}
-	return
-}
-
-func parseInt(in []byte) (out *big.Int, rest []byte, ok bool) {
-	contents, rest, ok := parseString(in)
-	if !ok {
-		return
-	}
-	out = new(big.Int)
-
-	if len(contents) > 0 && contents[0]&0x80 == 0x80 {
-		// This is a negative number
-		notBytes := make([]byte, len(contents))
-		for i := range notBytes {
-			notBytes[i] = ^contents[i]
-		}
-		out.SetBytes(notBytes)
-		out.Add(out, bigOne)
-		out.Neg(out)
-	} else {
-		// Positive number
-		out.SetBytes(contents)
-	}
-	ok = true
-	return
-}
-
-func parseUint32(in []byte) (uint32, []byte, bool) {
-	if len(in) < 4 {
-		return 0, nil, false
-	}
-	return binary.BigEndian.Uint32(in), in[4:], true
-}
-
-func parseUint64(in []byte) (uint64, []byte, bool) {
-	if len(in) < 8 {
-		return 0, nil, false
-	}
-	return binary.BigEndian.Uint64(in), in[8:], true
-}
-
-func intLength(n *big.Int) int {
-	length := 4 /* length bytes */
-	if n.Sign() < 0 {
-		nMinus1 := new(big.Int).Neg(n)
-		nMinus1.Sub(nMinus1, bigOne)
-		bitLen := nMinus1.BitLen()
-		if bitLen%8 == 0 {
-			// The number will need 0xff padding
-			length++
-		}
-		length += (bitLen + 7) / 8
-	} else if n.Sign() == 0 {
-		// A zero is the zero length string
-	} else {
-		bitLen := n.BitLen()
-		if bitLen%8 == 0 {
-			// The number will need 0x00 padding
-			length++
-		}
-		length += (bitLen + 7) / 8
-	}
-
-	return length
-}
-
-func marshalUint32(to []byte, n uint32) []byte {
-	binary.BigEndian.PutUint32(to, n)
-	return to[4:]
-}
-
-func marshalUint64(to []byte, n uint64) []byte {
-	binary.BigEndian.PutUint64(to, n)
-	return to[8:]
-}
-
-func marshalInt(to []byte, n *big.Int) []byte {
-	lengthBytes := to
-	to = to[4:]
-	length := 0
-
-	if n.Sign() < 0 {
-		// A negative number has to be converted to two's-complement
-		// form. So we'll subtract 1 and invert. If the
-		// most-significant-bit isn't set then we'll need to pad the
-		// beginning with 0xff in order to keep the number negative.
-		nMinus1 := new(big.Int).Neg(n)
-		nMinus1.Sub(nMinus1, bigOne)
-		bytes := nMinus1.Bytes()
-		for i := range bytes {
-			bytes[i] ^= 0xff
-		}
-		if len(bytes) == 0 || bytes[0]&0x80 == 0 {
-			to[0] = 0xff
-			to = to[1:]
-			length++
-		}
-		nBytes := copy(to, bytes)
-		to = to[nBytes:]
-		length += nBytes
-	} else if n.Sign() == 0 {
-		// A zero is the zero length string
-	} else {
-		bytes := n.Bytes()
-		if len(bytes) > 0 && bytes[0]&0x80 != 0 {
-			// We'll have to pad this with a 0x00 in order to
-			// stop it looking like a negative number.
-			to[0] = 0
-			to = to[1:]
-			length++
-		}
-		nBytes := copy(to, bytes)
-		to = to[nBytes:]
-		length += nBytes
-	}
-
-	lengthBytes[0] = byte(length >> 24)
-	lengthBytes[1] = byte(length >> 16)
-	lengthBytes[2] = byte(length >> 8)
-	lengthBytes[3] = byte(length)
-	return to
-}
-
-func writeInt(w io.Writer, n *big.Int) {
-	length := intLength(n)
-	buf := make([]byte, length)
-	marshalInt(buf, n)
-	w.Write(buf)
-}
-
-func writeString(w io.Writer, s []byte) {
-	var lengthBytes [4]byte
-	lengthBytes[0] = byte(len(s) >> 24)
-	lengthBytes[1] = byte(len(s) >> 16)
-	lengthBytes[2] = byte(len(s) >> 8)
-	lengthBytes[3] = byte(len(s))
-	w.Write(lengthBytes[:])
-	w.Write(s)
-}
-
-func stringLength(n int) int {
-	return 4 + n
-}
-
-func marshalString(to []byte, s []byte) []byte {
-	to[0] = byte(len(s) >> 24)
-	to[1] = byte(len(s) >> 16)
-	to[2] = byte(len(s) >> 8)
-	to[3] = byte(len(s))
-	to = to[4:]
-	copy(to, s)
-	return to[len(s):]
-}
-
-var bigIntType = reflect.TypeOf((*big.Int)(nil))
-
-// Decode a packet into its corresponding message.
-func decode(packet []byte) (interface{}, error) {
-	var msg interface{}
-	switch packet[0] {
-	case msgDisconnect:
-		msg = new(disconnectMsg)
-	case msgServiceRequest:
-		msg = new(serviceRequestMsg)
-	case msgServiceAccept:
-		msg = new(serviceAcceptMsg)
-	case msgKexInit:
-		msg = new(kexInitMsg)
-	case msgKexDHInit:
-		msg = new(kexDHInitMsg)
-	case msgKexDHReply:
-		msg = new(kexDHReplyMsg)
-	case msgUserAuthRequest:
-		msg = new(userAuthRequestMsg)
-	case msgUserAuthSuccess:
-		return new(userAuthSuccessMsg), nil
-	case msgUserAuthFailure:
-		msg = new(userAuthFailureMsg)
-	case msgUserAuthPubKeyOk:
-		msg = new(userAuthPubKeyOkMsg)
-	case msgGlobalRequest:
-		msg = new(globalRequestMsg)
-	case msgRequestSuccess:
-		msg = new(globalRequestSuccessMsg)
-	case msgRequestFailure:
-		msg = new(globalRequestFailureMsg)
-	case msgChannelOpen:
-		msg = new(channelOpenMsg)
-	case msgChannelData:
-		msg = new(channelDataMsg)
-	case msgChannelOpenConfirm:
-		msg = new(channelOpenConfirmMsg)
-	case msgChannelOpenFailure:
-		msg = new(channelOpenFailureMsg)
-	case msgChannelWindowAdjust:
-		msg = new(windowAdjustMsg)
-	case msgChannelEOF:
-		msg = new(channelEOFMsg)
-	case msgChannelClose:
-		msg = new(channelCloseMsg)
-	case msgChannelRequest:
-		msg = new(channelRequestMsg)
-	case msgChannelSuccess:
-		msg = new(channelRequestSuccessMsg)
-	case msgChannelFailure:
-		msg = new(channelRequestFailureMsg)
-	default:
-		return nil, unexpectedMessageError(0, packet[0])
-	}
-	if err := Unmarshal(packet, msg); err != nil {
-		return nil, err
-	}
-	return msg, nil
-}
diff --git a/vendor/golang.org/x/crypto/ssh/messages_test.go b/vendor/golang.org/x/crypto/ssh/messages_test.go
deleted file mode 100644
index e7907641..00000000
--- a/vendor/golang.org/x/crypto/ssh/messages_test.go
+++ /dev/null
@@ -1,288 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"math/big"
-	"math/rand"
-	"reflect"
-	"testing"
-	"testing/quick"
-)
-
-var intLengthTests = []struct {
-	val, length int
-}{
-	{0, 4 + 0},
-	{1, 4 + 1},
-	{127, 4 + 1},
-	{128, 4 + 2},
-	{-1, 4 + 1},
-}
-
-func TestIntLength(t *testing.T) {
-	for _, test := range intLengthTests {
-		v := new(big.Int).SetInt64(int64(test.val))
-		length := intLength(v)
-		if length != test.length {
-			t.Errorf("For %d, got length %d but expected %d", test.val, length, test.length)
-		}
-	}
-}
-
-type msgAllTypes struct {
-	Bool    bool `sshtype:"21"`
-	Array   [16]byte
-	Uint64  uint64
-	Uint32  uint32
-	Uint8   uint8
-	String  string
-	Strings []string
-	Bytes   []byte
-	Int     *big.Int
-	Rest    []byte `ssh:"rest"`
-}
-
-func (t *msgAllTypes) Generate(rand *rand.Rand, size int) reflect.Value {
-	m := &msgAllTypes{}
-	m.Bool = rand.Intn(2) == 1
-	randomBytes(m.Array[:], rand)
-	m.Uint64 = uint64(rand.Int63n(1<<63 - 1))
-	m.Uint32 = uint32(rand.Intn((1 << 31) - 1))
-	m.Uint8 = uint8(rand.Intn(1 << 8))
-	m.String = string(m.Array[:])
-	m.Strings = randomNameList(rand)
-	m.Bytes = m.Array[:]
-	m.Int = randomInt(rand)
-	m.Rest = m.Array[:]
-	return reflect.ValueOf(m)
-}
-
-func TestMarshalUnmarshal(t *testing.T) {
-	rand := rand.New(rand.NewSource(0))
-	iface := &msgAllTypes{}
-	ty := reflect.ValueOf(iface).Type()
-
-	n := 100
-	if testing.Short() {
-		n = 5
-	}
-	for j := 0; j < n; j++ {
-		v, ok := quick.Value(ty, rand)
-		if !ok {
-			t.Errorf("failed to create value")
-			break
-		}
-
-		m1 := v.Elem().Interface()
-		m2 := iface
-
-		marshaled := Marshal(m1)
-		if err := Unmarshal(marshaled, m2); err != nil {
-			t.Errorf("Unmarshal %#v: %s", m1, err)
-			break
-		}
-
-		if !reflect.DeepEqual(v.Interface(), m2) {
-			t.Errorf("got: %#v\nwant:%#v\n%x", m2, m1, marshaled)
-			break
-		}
-	}
-}
-
-func TestUnmarshalEmptyPacket(t *testing.T) {
-	var b []byte
-	var m channelRequestSuccessMsg
-	if err := Unmarshal(b, &m); err == nil {
-		t.Fatalf("unmarshal of empty slice succeeded")
-	}
-}
-
-func TestUnmarshalUnexpectedPacket(t *testing.T) {
-	type S struct {
-		I uint32 `sshtype:"43"`
-		S string
-		B bool
-	}
-
-	s := S{11, "hello", true}
-	packet := Marshal(s)
-	packet[0] = 42
-	roundtrip := S{}
-	err := Unmarshal(packet, &roundtrip)
-	if err == nil {
-		t.Fatal("expected error, not nil")
-	}
-}
-
-func TestMarshalPtr(t *testing.T) {
-	s := struct {
-		S string
-	}{"hello"}
-
-	m1 := Marshal(s)
-	m2 := Marshal(&s)
-	if !bytes.Equal(m1, m2) {
-		t.Errorf("got %q, want %q for marshaled pointer", m2, m1)
-	}
-}
-
-func TestBareMarshalUnmarshal(t *testing.T) {
-	type S struct {
-		I uint32
-		S string
-		B bool
-	}
-
-	s := S{42, "hello", true}
-	packet := Marshal(s)
-	roundtrip := S{}
-	Unmarshal(packet, &roundtrip)
-
-	if !reflect.DeepEqual(s, roundtrip) {
-		t.Errorf("got %#v, want %#v", roundtrip, s)
-	}
-}
-
-func TestBareMarshal(t *testing.T) {
-	type S2 struct {
-		I uint32
-	}
-	s := S2{42}
-	packet := Marshal(s)
-	i, rest, ok := parseUint32(packet)
-	if len(rest) > 0 || !ok {
-		t.Errorf("parseInt(%q): parse error", packet)
-	}
-	if i != s.I {
-		t.Errorf("got %d, want %d", i, s.I)
-	}
-}
-
-func TestUnmarshalShortKexInitPacket(t *testing.T) {
-	// This used to panic.
-	// Issue 11348
-	packet := []byte{0x14, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0xff, 0xff, 0xff, 0xff}
-	kim := &kexInitMsg{}
-	if err := Unmarshal(packet, kim); err == nil {
-		t.Error("truncated packet unmarshaled without error")
-	}
-}
-
-func TestMarshalMultiTag(t *testing.T) {
-	var res struct {
-		A uint32 `sshtype:"1|2"`
-	}
-
-	good1 := struct {
-		A uint32 `sshtype:"1"`
-	}{
-		1,
-	}
-	good2 := struct {
-		A uint32 `sshtype:"2"`
-	}{
-		1,
-	}
-
-	if e := Unmarshal(Marshal(good1), &res); e != nil {
-		t.Errorf("error unmarshaling multipart tag: %v", e)
-	}
-
-	if e := Unmarshal(Marshal(good2), &res); e != nil {
-		t.Errorf("error unmarshaling multipart tag: %v", e)
-	}
-
-	bad1 := struct {
-		A uint32 `sshtype:"3"`
-	}{
-		1,
-	}
-	if e := Unmarshal(Marshal(bad1), &res); e == nil {
-		t.Errorf("bad struct unmarshaled without error")
-	}
-}
-
-func randomBytes(out []byte, rand *rand.Rand) {
-	for i := 0; i < len(out); i++ {
-		out[i] = byte(rand.Int31())
-	}
-}
-
-func randomNameList(rand *rand.Rand) []string {
-	ret := make([]string, rand.Int31()&15)
-	for i := range ret {
-		s := make([]byte, 1+(rand.Int31()&15))
-		for j := range s {
-			s[j] = 'a' + uint8(rand.Int31()&15)
-		}
-		ret[i] = string(s)
-	}
-	return ret
-}
-
-func randomInt(rand *rand.Rand) *big.Int {
-	return new(big.Int).SetInt64(int64(int32(rand.Uint32())))
-}
-
-func (*kexInitMsg) Generate(rand *rand.Rand, size int) reflect.Value {
-	ki := &kexInitMsg{}
-	randomBytes(ki.Cookie[:], rand)
-	ki.KexAlgos = randomNameList(rand)
-	ki.ServerHostKeyAlgos = randomNameList(rand)
-	ki.CiphersClientServer = randomNameList(rand)
-	ki.CiphersServerClient = randomNameList(rand)
-	ki.MACsClientServer = randomNameList(rand)
-	ki.MACsServerClient = randomNameList(rand)
-	ki.CompressionClientServer = randomNameList(rand)
-	ki.CompressionServerClient = randomNameList(rand)
-	ki.LanguagesClientServer = randomNameList(rand)
-	ki.LanguagesServerClient = randomNameList(rand)
-	if rand.Int31()&1 == 1 {
-		ki.FirstKexFollows = true
-	}
-	return reflect.ValueOf(ki)
-}
-
-func (*kexDHInitMsg) Generate(rand *rand.Rand, size int) reflect.Value {
-	dhi := &kexDHInitMsg{}
-	dhi.X = randomInt(rand)
-	return reflect.ValueOf(dhi)
-}
-
-var (
-	_kexInitMsg   = new(kexInitMsg).Generate(rand.New(rand.NewSource(0)), 10).Elem().Interface()
-	_kexDHInitMsg = new(kexDHInitMsg).Generate(rand.New(rand.NewSource(0)), 10).Elem().Interface()
-
-	_kexInit   = Marshal(_kexInitMsg)
-	_kexDHInit = Marshal(_kexDHInitMsg)
-)
-
-func BenchmarkMarshalKexInitMsg(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		Marshal(_kexInitMsg)
-	}
-}
-
-func BenchmarkUnmarshalKexInitMsg(b *testing.B) {
-	m := new(kexInitMsg)
-	for i := 0; i < b.N; i++ {
-		Unmarshal(_kexInit, m)
-	}
-}
-
-func BenchmarkMarshalKexDHInitMsg(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		Marshal(_kexDHInitMsg)
-	}
-}
-
-func BenchmarkUnmarshalKexDHInitMsg(b *testing.B) {
-	m := new(kexDHInitMsg)
-	for i := 0; i < b.N; i++ {
-		Unmarshal(_kexDHInit, m)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/mux.go b/vendor/golang.org/x/crypto/ssh/mux.go
deleted file mode 100644
index f1901627..00000000
--- a/vendor/golang.org/x/crypto/ssh/mux.go
+++ /dev/null
@@ -1,330 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"encoding/binary"
-	"fmt"
-	"io"
-	"log"
-	"sync"
-	"sync/atomic"
-)
-
-// debugMux, if set, causes messages in the connection protocol to be
-// logged.
-const debugMux = false
-
-// chanList is a thread safe channel list.
-type chanList struct {
-	// protects concurrent access to chans
-	sync.Mutex
-
-	// chans are indexed by the local id of the channel, which the
-	// other side should send in the PeersId field.
-	chans []*channel
-
-	// This is a debugging aid: it offsets all IDs by this
-	// amount. This helps distinguish otherwise identical
-	// server/client muxes
-	offset uint32
-}
-
-// Assigns a channel ID to the given channel.
-func (c *chanList) add(ch *channel) uint32 {
-	c.Lock()
-	defer c.Unlock()
-	for i := range c.chans {
-		if c.chans[i] == nil {
-			c.chans[i] = ch
-			return uint32(i) + c.offset
-		}
-	}
-	c.chans = append(c.chans, ch)
-	return uint32(len(c.chans)-1) + c.offset
-}
-
-// getChan returns the channel for the given ID.
-func (c *chanList) getChan(id uint32) *channel {
-	id -= c.offset
-
-	c.Lock()
-	defer c.Unlock()
-	if id < uint32(len(c.chans)) {
-		return c.chans[id]
-	}
-	return nil
-}
-
-func (c *chanList) remove(id uint32) {
-	id -= c.offset
-	c.Lock()
-	if id < uint32(len(c.chans)) {
-		c.chans[id] = nil
-	}
-	c.Unlock()
-}
-
-// dropAll forgets all channels it knows, returning them in a slice.
-func (c *chanList) dropAll() []*channel {
-	c.Lock()
-	defer c.Unlock()
-	var r []*channel
-
-	for _, ch := range c.chans {
-		if ch == nil {
-			continue
-		}
-		r = append(r, ch)
-	}
-	c.chans = nil
-	return r
-}
-
-// mux represents the state for the SSH connection protocol, which
-// multiplexes many channels onto a single packet transport.
-type mux struct {
-	conn     packetConn
-	chanList chanList
-
-	incomingChannels chan NewChannel
-
-	globalSentMu     sync.Mutex
-	globalResponses  chan interface{}
-	incomingRequests chan *Request
-
-	errCond *sync.Cond
-	err     error
-}
-
-// When debugging, each new chanList instantiation has a different
-// offset.
-var globalOff uint32
-
-func (m *mux) Wait() error {
-	m.errCond.L.Lock()
-	defer m.errCond.L.Unlock()
-	for m.err == nil {
-		m.errCond.Wait()
-	}
-	return m.err
-}
-
-// newMux returns a mux that runs over the given connection.
-func newMux(p packetConn) *mux {
-	m := &mux{
-		conn:             p,
-		incomingChannels: make(chan NewChannel, chanSize),
-		globalResponses:  make(chan interface{}, 1),
-		incomingRequests: make(chan *Request, chanSize),
-		errCond:          newCond(),
-	}
-	if debugMux {
-		m.chanList.offset = atomic.AddUint32(&globalOff, 1)
-	}
-
-	go m.loop()
-	return m
-}
-
-func (m *mux) sendMessage(msg interface{}) error {
-	p := Marshal(msg)
-	if debugMux {
-		log.Printf("send global(%d): %#v", m.chanList.offset, msg)
-	}
-	return m.conn.writePacket(p)
-}
-
-func (m *mux) SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error) {
-	if wantReply {
-		m.globalSentMu.Lock()
-		defer m.globalSentMu.Unlock()
-	}
-
-	if err := m.sendMessage(globalRequestMsg{
-		Type:      name,
-		WantReply: wantReply,
-		Data:      payload,
-	}); err != nil {
-		return false, nil, err
-	}
-
-	if !wantReply {
-		return false, nil, nil
-	}
-
-	msg, ok := <-m.globalResponses
-	if !ok {
-		return false, nil, io.EOF
-	}
-	switch msg := msg.(type) {
-	case *globalRequestFailureMsg:
-		return false, msg.Data, nil
-	case *globalRequestSuccessMsg:
-		return true, msg.Data, nil
-	default:
-		return false, nil, fmt.Errorf("ssh: unexpected response to request: %#v", msg)
-	}
-}
-
-// ackRequest must be called after processing a global request that
-// has WantReply set.
-func (m *mux) ackRequest(ok bool, data []byte) error {
-	if ok {
-		return m.sendMessage(globalRequestSuccessMsg{Data: data})
-	}
-	return m.sendMessage(globalRequestFailureMsg{Data: data})
-}
-
-func (m *mux) Close() error {
-	return m.conn.Close()
-}
-
-// loop runs the connection machine. It will process packets until an
-// error is encountered. To synchronize on loop exit, use mux.Wait.
-func (m *mux) loop() {
-	var err error
-	for err == nil {
-		err = m.onePacket()
-	}
-
-	for _, ch := range m.chanList.dropAll() {
-		ch.close()
-	}
-
-	close(m.incomingChannels)
-	close(m.incomingRequests)
-	close(m.globalResponses)
-
-	m.conn.Close()
-
-	m.errCond.L.Lock()
-	m.err = err
-	m.errCond.Broadcast()
-	m.errCond.L.Unlock()
-
-	if debugMux {
-		log.Println("loop exit", err)
-	}
-}
-
-// onePacket reads and processes one packet.
-func (m *mux) onePacket() error {
-	packet, err := m.conn.readPacket()
-	if err != nil {
-		return err
-	}
-
-	if debugMux {
-		if packet[0] == msgChannelData || packet[0] == msgChannelExtendedData {
-			log.Printf("decoding(%d): data packet - %d bytes", m.chanList.offset, len(packet))
-		} else {
-			p, _ := decode(packet)
-			log.Printf("decoding(%d): %d %#v - %d bytes", m.chanList.offset, packet[0], p, len(packet))
-		}
-	}
-
-	switch packet[0] {
-	case msgChannelOpen:
-		return m.handleChannelOpen(packet)
-	case msgGlobalRequest, msgRequestSuccess, msgRequestFailure:
-		return m.handleGlobalPacket(packet)
-	}
-
-	// assume a channel packet.
-	if len(packet) < 5 {
-		return parseError(packet[0])
-	}
-	id := binary.BigEndian.Uint32(packet[1:])
-	ch := m.chanList.getChan(id)
-	if ch == nil {
-		return fmt.Errorf("ssh: invalid channel %d", id)
-	}
-
-	return ch.handlePacket(packet)
-}
-
-func (m *mux) handleGlobalPacket(packet []byte) error {
-	msg, err := decode(packet)
-	if err != nil {
-		return err
-	}
-
-	switch msg := msg.(type) {
-	case *globalRequestMsg:
-		m.incomingRequests <- &Request{
-			Type:      msg.Type,
-			WantReply: msg.WantReply,
-			Payload:   msg.Data,
-			mux:       m,
-		}
-	case *globalRequestSuccessMsg, *globalRequestFailureMsg:
-		m.globalResponses <- msg
-	default:
-		panic(fmt.Sprintf("not a global message %#v", msg))
-	}
-
-	return nil
-}
-
-// handleChannelOpen schedules a channel to be Accept()ed.
-func (m *mux) handleChannelOpen(packet []byte) error {
-	var msg channelOpenMsg
-	if err := Unmarshal(packet, &msg); err != nil {
-		return err
-	}
-
-	if msg.MaxPacketSize < minPacketLength || msg.MaxPacketSize > 1<<31 {
-		failMsg := channelOpenFailureMsg{
-			PeersID:  msg.PeersID,
-			Reason:   ConnectionFailed,
-			Message:  "invalid request",
-			Language: "en_US.UTF-8",
-		}
-		return m.sendMessage(failMsg)
-	}
-
-	c := m.newChannel(msg.ChanType, channelInbound, msg.TypeSpecificData)
-	c.remoteId = msg.PeersID
-	c.maxRemotePayload = msg.MaxPacketSize
-	c.remoteWin.add(msg.PeersWindow)
-	m.incomingChannels <- c
-	return nil
-}
-
-func (m *mux) OpenChannel(chanType string, extra []byte) (Channel, <-chan *Request, error) {
-	ch, err := m.openChannel(chanType, extra)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return ch, ch.incomingRequests, nil
-}
-
-func (m *mux) openChannel(chanType string, extra []byte) (*channel, error) {
-	ch := m.newChannel(chanType, channelOutbound, extra)
-
-	ch.maxIncomingPayload = channelMaxPacket
-
-	open := channelOpenMsg{
-		ChanType:         chanType,
-		PeersWindow:      ch.myWindow,
-		MaxPacketSize:    ch.maxIncomingPayload,
-		TypeSpecificData: extra,
-		PeersID:          ch.localId,
-	}
-	if err := m.sendMessage(open); err != nil {
-		return nil, err
-	}
-
-	switch msg := (<-ch.msg).(type) {
-	case *channelOpenConfirmMsg:
-		return ch, nil
-	case *channelOpenFailureMsg:
-		return nil, &OpenChannelError{msg.Reason, msg.Message}
-	default:
-		return nil, fmt.Errorf("ssh: unexpected packet in response to channel open: %T", msg)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/mux_test.go b/vendor/golang.org/x/crypto/ssh/mux_test.go
deleted file mode 100644
index 25d2181d..00000000
--- a/vendor/golang.org/x/crypto/ssh/mux_test.go
+++ /dev/null
@@ -1,505 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"io"
-	"io/ioutil"
-	"sync"
-	"testing"
-)
-
-func muxPair() (*mux, *mux) {
-	a, b := memPipe()
-
-	s := newMux(a)
-	c := newMux(b)
-
-	return s, c
-}
-
-// Returns both ends of a channel, and the mux for the the 2nd
-// channel.
-func channelPair(t *testing.T) (*channel, *channel, *mux) {
-	c, s := muxPair()
-
-	res := make(chan *channel, 1)
-	go func() {
-		newCh, ok := <-s.incomingChannels
-		if !ok {
-			t.Fatalf("No incoming channel")
-		}
-		if newCh.ChannelType() != "chan" {
-			t.Fatalf("got type %q want chan", newCh.ChannelType())
-		}
-		ch, _, err := newCh.Accept()
-		if err != nil {
-			t.Fatalf("Accept %v", err)
-		}
-		res <- ch.(*channel)
-	}()
-
-	ch, err := c.openChannel("chan", nil)
-	if err != nil {
-		t.Fatalf("OpenChannel: %v", err)
-	}
-
-	return <-res, ch, c
-}
-
-// Test that stderr and stdout can be addressed from different
-// goroutines. This is intended for use with the race detector.
-func TestMuxChannelExtendedThreadSafety(t *testing.T) {
-	writer, reader, mux := channelPair(t)
-	defer writer.Close()
-	defer reader.Close()
-	defer mux.Close()
-
-	var wr, rd sync.WaitGroup
-	magic := "hello world"
-
-	wr.Add(2)
-	go func() {
-		io.WriteString(writer, magic)
-		wr.Done()
-	}()
-	go func() {
-		io.WriteString(writer.Stderr(), magic)
-		wr.Done()
-	}()
-
-	rd.Add(2)
-	go func() {
-		c, err := ioutil.ReadAll(reader)
-		if string(c) != magic {
-			t.Fatalf("stdout read got %q, want %q (error %s)", c, magic, err)
-		}
-		rd.Done()
-	}()
-	go func() {
-		c, err := ioutil.ReadAll(reader.Stderr())
-		if string(c) != magic {
-			t.Fatalf("stderr read got %q, want %q (error %s)", c, magic, err)
-		}
-		rd.Done()
-	}()
-
-	wr.Wait()
-	writer.CloseWrite()
-	rd.Wait()
-}
-
-func TestMuxReadWrite(t *testing.T) {
-	s, c, mux := channelPair(t)
-	defer s.Close()
-	defer c.Close()
-	defer mux.Close()
-
-	magic := "hello world"
-	magicExt := "hello stderr"
-	go func() {
-		_, err := s.Write([]byte(magic))
-		if err != nil {
-			t.Fatalf("Write: %v", err)
-		}
-		_, err = s.Extended(1).Write([]byte(magicExt))
-		if err != nil {
-			t.Fatalf("Write: %v", err)
-		}
-		err = s.Close()
-		if err != nil {
-			t.Fatalf("Close: %v", err)
-		}
-	}()
-
-	var buf [1024]byte
-	n, err := c.Read(buf[:])
-	if err != nil {
-		t.Fatalf("server Read: %v", err)
-	}
-	got := string(buf[:n])
-	if got != magic {
-		t.Fatalf("server: got %q want %q", got, magic)
-	}
-
-	n, err = c.Extended(1).Read(buf[:])
-	if err != nil {
-		t.Fatalf("server Read: %v", err)
-	}
-
-	got = string(buf[:n])
-	if got != magicExt {
-		t.Fatalf("server: got %q want %q", got, magic)
-	}
-}
-
-func TestMuxChannelOverflow(t *testing.T) {
-	reader, writer, mux := channelPair(t)
-	defer reader.Close()
-	defer writer.Close()
-	defer mux.Close()
-
-	wDone := make(chan int, 1)
-	go func() {
-		if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
-			t.Errorf("could not fill window: %v", err)
-		}
-		writer.Write(make([]byte, 1))
-		wDone <- 1
-	}()
-	writer.remoteWin.waitWriterBlocked()
-
-	// Send 1 byte.
-	packet := make([]byte, 1+4+4+1)
-	packet[0] = msgChannelData
-	marshalUint32(packet[1:], writer.remoteId)
-	marshalUint32(packet[5:], uint32(1))
-	packet[9] = 42
-
-	if err := writer.mux.conn.writePacket(packet); err != nil {
-		t.Errorf("could not send packet")
-	}
-	if _, err := reader.SendRequest("hello", true, nil); err == nil {
-		t.Errorf("SendRequest succeeded.")
-	}
-	<-wDone
-}
-
-func TestMuxChannelCloseWriteUnblock(t *testing.T) {
-	reader, writer, mux := channelPair(t)
-	defer reader.Close()
-	defer writer.Close()
-	defer mux.Close()
-
-	wDone := make(chan int, 1)
-	go func() {
-		if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
-			t.Errorf("could not fill window: %v", err)
-		}
-		if _, err := writer.Write(make([]byte, 1)); err != io.EOF {
-			t.Errorf("got %v, want EOF for unblock write", err)
-		}
-		wDone <- 1
-	}()
-
-	writer.remoteWin.waitWriterBlocked()
-	reader.Close()
-	<-wDone
-}
-
-func TestMuxConnectionCloseWriteUnblock(t *testing.T) {
-	reader, writer, mux := channelPair(t)
-	defer reader.Close()
-	defer writer.Close()
-	defer mux.Close()
-
-	wDone := make(chan int, 1)
-	go func() {
-		if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
-			t.Errorf("could not fill window: %v", err)
-		}
-		if _, err := writer.Write(make([]byte, 1)); err != io.EOF {
-			t.Errorf("got %v, want EOF for unblock write", err)
-		}
-		wDone <- 1
-	}()
-
-	writer.remoteWin.waitWriterBlocked()
-	mux.Close()
-	<-wDone
-}
-
-func TestMuxReject(t *testing.T) {
-	client, server := muxPair()
-	defer server.Close()
-	defer client.Close()
-
-	go func() {
-		ch, ok := <-server.incomingChannels
-		if !ok {
-			t.Fatalf("Accept")
-		}
-		if ch.ChannelType() != "ch" || string(ch.ExtraData()) != "extra" {
-			t.Fatalf("unexpected channel: %q, %q", ch.ChannelType(), ch.ExtraData())
-		}
-		ch.Reject(RejectionReason(42), "message")
-	}()
-
-	ch, err := client.openChannel("ch", []byte("extra"))
-	if ch != nil {
-		t.Fatal("openChannel not rejected")
-	}
-
-	ocf, ok := err.(*OpenChannelError)
-	if !ok {
-		t.Errorf("got %#v want *OpenChannelError", err)
-	} else if ocf.Reason != 42 || ocf.Message != "message" {
-		t.Errorf("got %#v, want {Reason: 42, Message: %q}", ocf, "message")
-	}
-
-	want := "ssh: rejected: unknown reason 42 (message)"
-	if err.Error() != want {
-		t.Errorf("got %q, want %q", err.Error(), want)
-	}
-}
-
-func TestMuxChannelRequest(t *testing.T) {
-	client, server, mux := channelPair(t)
-	defer server.Close()
-	defer client.Close()
-	defer mux.Close()
-
-	var received int
-	var wg sync.WaitGroup
-	wg.Add(1)
-	go func() {
-		for r := range server.incomingRequests {
-			received++
-			r.Reply(r.Type == "yes", nil)
-		}
-		wg.Done()
-	}()
-	_, err := client.SendRequest("yes", false, nil)
-	if err != nil {
-		t.Fatalf("SendRequest: %v", err)
-	}
-	ok, err := client.SendRequest("yes", true, nil)
-	if err != nil {
-		t.Fatalf("SendRequest: %v", err)
-	}
-
-	if !ok {
-		t.Errorf("SendRequest(yes): %v", ok)
-
-	}
-
-	ok, err = client.SendRequest("no", true, nil)
-	if err != nil {
-		t.Fatalf("SendRequest: %v", err)
-	}
-	if ok {
-		t.Errorf("SendRequest(no): %v", ok)
-
-	}
-
-	client.Close()
-	wg.Wait()
-
-	if received != 3 {
-		t.Errorf("got %d requests, want %d", received, 3)
-	}
-}
-
-func TestMuxGlobalRequest(t *testing.T) {
-	clientMux, serverMux := muxPair()
-	defer serverMux.Close()
-	defer clientMux.Close()
-
-	var seen bool
-	go func() {
-		for r := range serverMux.incomingRequests {
-			seen = seen || r.Type == "peek"
-			if r.WantReply {
-				err := r.Reply(r.Type == "yes",
-					append([]byte(r.Type), r.Payload...))
-				if err != nil {
-					t.Errorf("AckRequest: %v", err)
-				}
-			}
-		}
-	}()
-
-	_, _, err := clientMux.SendRequest("peek", false, nil)
-	if err != nil {
-		t.Errorf("SendRequest: %v", err)
-	}
-
-	ok, data, err := clientMux.SendRequest("yes", true, []byte("a"))
-	if !ok || string(data) != "yesa" || err != nil {
-		t.Errorf("SendRequest(\"yes\", true, \"a\"): %v %v %v",
-			ok, data, err)
-	}
-	if ok, data, err := clientMux.SendRequest("yes", true, []byte("a")); !ok || string(data) != "yesa" || err != nil {
-		t.Errorf("SendRequest(\"yes\", true, \"a\"): %v %v %v",
-			ok, data, err)
-	}
-
-	if ok, data, err := clientMux.SendRequest("no", true, []byte("a")); ok || string(data) != "noa" || err != nil {
-		t.Errorf("SendRequest(\"no\", true, \"a\"): %v %v %v",
-			ok, data, err)
-	}
-
-	if !seen {
-		t.Errorf("never saw 'peek' request")
-	}
-}
-
-func TestMuxGlobalRequestUnblock(t *testing.T) {
-	clientMux, serverMux := muxPair()
-	defer serverMux.Close()
-	defer clientMux.Close()
-
-	result := make(chan error, 1)
-	go func() {
-		_, _, err := clientMux.SendRequest("hello", true, nil)
-		result <- err
-	}()
-
-	<-serverMux.incomingRequests
-	serverMux.conn.Close()
-	err := <-result
-
-	if err != io.EOF {
-		t.Errorf("want EOF, got %v", io.EOF)
-	}
-}
-
-func TestMuxChannelRequestUnblock(t *testing.T) {
-	a, b, connB := channelPair(t)
-	defer a.Close()
-	defer b.Close()
-	defer connB.Close()
-
-	result := make(chan error, 1)
-	go func() {
-		_, err := a.SendRequest("hello", true, nil)
-		result <- err
-	}()
-
-	<-b.incomingRequests
-	connB.conn.Close()
-	err := <-result
-
-	if err != io.EOF {
-		t.Errorf("want EOF, got %v", err)
-	}
-}
-
-func TestMuxCloseChannel(t *testing.T) {
-	r, w, mux := channelPair(t)
-	defer mux.Close()
-	defer r.Close()
-	defer w.Close()
-
-	result := make(chan error, 1)
-	go func() {
-		var b [1024]byte
-		_, err := r.Read(b[:])
-		result <- err
-	}()
-	if err := w.Close(); err != nil {
-		t.Errorf("w.Close: %v", err)
-	}
-
-	if _, err := w.Write([]byte("hello")); err != io.EOF {
-		t.Errorf("got err %v, want io.EOF after Close", err)
-	}
-
-	if err := <-result; err != io.EOF {
-		t.Errorf("got %v (%T), want io.EOF", err, err)
-	}
-}
-
-func TestMuxCloseWriteChannel(t *testing.T) {
-	r, w, mux := channelPair(t)
-	defer mux.Close()
-
-	result := make(chan error, 1)
-	go func() {
-		var b [1024]byte
-		_, err := r.Read(b[:])
-		result <- err
-	}()
-	if err := w.CloseWrite(); err != nil {
-		t.Errorf("w.CloseWrite: %v", err)
-	}
-
-	if _, err := w.Write([]byte("hello")); err != io.EOF {
-		t.Errorf("got err %v, want io.EOF after CloseWrite", err)
-	}
-
-	if err := <-result; err != io.EOF {
-		t.Errorf("got %v (%T), want io.EOF", err, err)
-	}
-}
-
-func TestMuxInvalidRecord(t *testing.T) {
-	a, b := muxPair()
-	defer a.Close()
-	defer b.Close()
-
-	packet := make([]byte, 1+4+4+1)
-	packet[0] = msgChannelData
-	marshalUint32(packet[1:], 29348723 /* invalid channel id */)
-	marshalUint32(packet[5:], 1)
-	packet[9] = 42
-
-	a.conn.writePacket(packet)
-	go a.SendRequest("hello", false, nil)
-	// 'a' wrote an invalid packet, so 'b' has exited.
-	req, ok := <-b.incomingRequests
-	if ok {
-		t.Errorf("got request %#v after receiving invalid packet", req)
-	}
-}
-
-func TestZeroWindowAdjust(t *testing.T) {
-	a, b, mux := channelPair(t)
-	defer a.Close()
-	defer b.Close()
-	defer mux.Close()
-
-	go func() {
-		io.WriteString(a, "hello")
-		// bogus adjust.
-		a.sendMessage(windowAdjustMsg{})
-		io.WriteString(a, "world")
-		a.Close()
-	}()
-
-	want := "helloworld"
-	c, _ := ioutil.ReadAll(b)
-	if string(c) != want {
-		t.Errorf("got %q want %q", c, want)
-	}
-}
-
-func TestMuxMaxPacketSize(t *testing.T) {
-	a, b, mux := channelPair(t)
-	defer a.Close()
-	defer b.Close()
-	defer mux.Close()
-
-	large := make([]byte, a.maxRemotePayload+1)
-	packet := make([]byte, 1+4+4+1+len(large))
-	packet[0] = msgChannelData
-	marshalUint32(packet[1:], a.remoteId)
-	marshalUint32(packet[5:], uint32(len(large)))
-	packet[9] = 42
-
-	if err := a.mux.conn.writePacket(packet); err != nil {
-		t.Errorf("could not send packet")
-	}
-
-	go a.SendRequest("hello", false, nil)
-
-	_, ok := <-b.incomingRequests
-	if ok {
-		t.Errorf("connection still alive after receiving large packet.")
-	}
-}
-
-// Don't ship code with debug=true.
-func TestDebug(t *testing.T) {
-	if debugMux {
-		t.Error("mux debug switched on")
-	}
-	if debugHandshake {
-		t.Error("handshake debug switched on")
-	}
-	if debugTransport {
-		t.Error("transport debug switched on")
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
deleted file mode 100644
index b83d4738..00000000
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ /dev/null
@@ -1,582 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"strings"
-)
-
-// The Permissions type holds fine-grained permissions that are
-// specific to a user or a specific authentication method for a user.
-// The Permissions value for a successful authentication attempt is
-// available in ServerConn, so it can be used to pass information from
-// the user-authentication phase to the application layer.
-type Permissions struct {
-	// CriticalOptions indicate restrictions to the default
-	// permissions, and are typically used in conjunction with
-	// user certificates. The standard for SSH certificates
-	// defines "force-command" (only allow the given command to
-	// execute) and "source-address" (only allow connections from
-	// the given address). The SSH package currently only enforces
-	// the "source-address" critical option. It is up to server
-	// implementations to enforce other critical options, such as
-	// "force-command", by checking them after the SSH handshake
-	// is successful. In general, SSH servers should reject
-	// connections that specify critical options that are unknown
-	// or not supported.
-	CriticalOptions map[string]string
-
-	// Extensions are extra functionality that the server may
-	// offer on authenticated connections. Lack of support for an
-	// extension does not preclude authenticating a user. Common
-	// extensions are "permit-agent-forwarding",
-	// "permit-X11-forwarding". The Go SSH library currently does
-	// not act on any extension, and it is up to server
-	// implementations to honor them. Extensions can be used to
-	// pass data from the authentication callbacks to the server
-	// application layer.
-	Extensions map[string]string
-}
-
-// ServerConfig holds server specific configuration data.
-type ServerConfig struct {
-	// Config contains configuration shared between client and server.
-	Config
-
-	hostKeys []Signer
-
-	// NoClientAuth is true if clients are allowed to connect without
-	// authenticating.
-	NoClientAuth bool
-
-	// MaxAuthTries specifies the maximum number of authentication attempts
-	// permitted per connection. If set to a negative number, the number of
-	// attempts are unlimited. If set to zero, the number of attempts are limited
-	// to 6.
-	MaxAuthTries int
-
-	// PasswordCallback, if non-nil, is called when a user
-	// attempts to authenticate using a password.
-	PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
-
-	// PublicKeyCallback, if non-nil, is called when a client
-	// offers a public key for authentication. It must return a nil error
-	// if the given public key can be used to authenticate the
-	// given user. For example, see CertChecker.Authenticate. A
-	// call to this function does not guarantee that the key
-	// offered is in fact used to authenticate. To record any data
-	// depending on the public key, store it inside a
-	// Permissions.Extensions entry.
-	PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
-
-	// KeyboardInteractiveCallback, if non-nil, is called when
-	// keyboard-interactive authentication is selected (RFC
-	// 4256). The client object's Challenge function should be
-	// used to query the user. The callback may offer multiple
-	// Challenge rounds. To avoid information leaks, the client
-	// should be presented a challenge even if the user is
-	// unknown.
-	KeyboardInteractiveCallback func(conn ConnMetadata, client KeyboardInteractiveChallenge) (*Permissions, error)
-
-	// AuthLogCallback, if non-nil, is called to log all authentication
-	// attempts.
-	AuthLogCallback func(conn ConnMetadata, method string, err error)
-
-	// ServerVersion is the version identification string to announce in
-	// the public handshake.
-	// If empty, a reasonable default is used.
-	// Note that RFC 4253 section 4.2 requires that this string start with
-	// "SSH-2.0-".
-	ServerVersion string
-
-	// BannerCallback, if present, is called and the return string is sent to
-	// the client after key exchange completed but before authentication.
-	BannerCallback func(conn ConnMetadata) string
-}
-
-// AddHostKey adds a private key as a host key. If an existing host
-// key exists with the same algorithm, it is overwritten. Each server
-// config must have at least one host key.
-func (s *ServerConfig) AddHostKey(key Signer) {
-	for i, k := range s.hostKeys {
-		if k.PublicKey().Type() == key.PublicKey().Type() {
-			s.hostKeys[i] = key
-			return
-		}
-	}
-
-	s.hostKeys = append(s.hostKeys, key)
-}
-
-// cachedPubKey contains the results of querying whether a public key is
-// acceptable for a user.
-type cachedPubKey struct {
-	user       string
-	pubKeyData []byte
-	result     error
-	perms      *Permissions
-}
-
-const maxCachedPubKeys = 16
-
-// pubKeyCache caches tests for public keys.  Since SSH clients
-// will query whether a public key is acceptable before attempting to
-// authenticate with it, we end up with duplicate queries for public
-// key validity.  The cache only applies to a single ServerConn.
-type pubKeyCache struct {
-	keys []cachedPubKey
-}
-
-// get returns the result for a given user/algo/key tuple.
-func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
-	for _, k := range c.keys {
-		if k.user == user && bytes.Equal(k.pubKeyData, pubKeyData) {
-			return k, true
-		}
-	}
-	return cachedPubKey{}, false
-}
-
-// add adds the given tuple to the cache.
-func (c *pubKeyCache) add(candidate cachedPubKey) {
-	if len(c.keys) < maxCachedPubKeys {
-		c.keys = append(c.keys, candidate)
-	}
-}
-
-// ServerConn is an authenticated SSH connection, as seen from the
-// server
-type ServerConn struct {
-	Conn
-
-	// If the succeeding authentication callback returned a
-	// non-nil Permissions pointer, it is stored here.
-	Permissions *Permissions
-}
-
-// NewServerConn starts a new SSH server with c as the underlying
-// transport.  It starts with a handshake and, if the handshake is
-// unsuccessful, it closes the connection and returns an error.  The
-// Request and NewChannel channels must be serviced, or the connection
-// will hang.
-func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error) {
-	fullConf := *config
-	fullConf.SetDefaults()
-	if fullConf.MaxAuthTries == 0 {
-		fullConf.MaxAuthTries = 6
-	}
-
-	s := &connection{
-		sshConn: sshConn{conn: c},
-	}
-	perms, err := s.serverHandshake(&fullConf)
-	if err != nil {
-		c.Close()
-		return nil, nil, nil, err
-	}
-	return &ServerConn{s, perms}, s.mux.incomingChannels, s.mux.incomingRequests, nil
-}
-
-// signAndMarshal signs the data with the appropriate algorithm,
-// and serializes the result in SSH wire format.
-func signAndMarshal(k Signer, rand io.Reader, data []byte) ([]byte, error) {
-	sig, err := k.Sign(rand, data)
-	if err != nil {
-		return nil, err
-	}
-
-	return Marshal(sig), nil
-}
-
-// handshake performs key exchange and user authentication.
-func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error) {
-	if len(config.hostKeys) == 0 {
-		return nil, errors.New("ssh: server has no host keys")
-	}
-
-	if !config.NoClientAuth && config.PasswordCallback == nil && config.PublicKeyCallback == nil && config.KeyboardInteractiveCallback == nil {
-		return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
-	}
-
-	if config.ServerVersion != "" {
-		s.serverVersion = []byte(config.ServerVersion)
-	} else {
-		s.serverVersion = []byte(packageVersion)
-	}
-	var err error
-	s.clientVersion, err = exchangeVersions(s.sshConn.conn, s.serverVersion)
-	if err != nil {
-		return nil, err
-	}
-
-	tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
-	s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
-
-	if err := s.transport.waitSession(); err != nil {
-		return nil, err
-	}
-
-	// We just did the key change, so the session ID is established.
-	s.sessionID = s.transport.getSessionID()
-
-	var packet []byte
-	if packet, err = s.transport.readPacket(); err != nil {
-		return nil, err
-	}
-
-	var serviceRequest serviceRequestMsg
-	if err = Unmarshal(packet, &serviceRequest); err != nil {
-		return nil, err
-	}
-	if serviceRequest.Service != serviceUserAuth {
-		return nil, errors.New("ssh: requested service '" + serviceRequest.Service + "' before authenticating")
-	}
-	serviceAccept := serviceAcceptMsg{
-		Service: serviceUserAuth,
-	}
-	if err := s.transport.writePacket(Marshal(&serviceAccept)); err != nil {
-		return nil, err
-	}
-
-	perms, err := s.serverAuthenticate(config)
-	if err != nil {
-		return nil, err
-	}
-	s.mux = newMux(s.transport)
-	return perms, err
-}
-
-func isAcceptableAlgo(algo string) bool {
-	switch algo {
-	case KeyAlgoRSA, KeyAlgoDSA, KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, KeyAlgoED25519,
-		CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01:
-		return true
-	}
-	return false
-}
-
-func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
-	if addr == nil {
-		return errors.New("ssh: no address known for client, but source-address match required")
-	}
-
-	tcpAddr, ok := addr.(*net.TCPAddr)
-	if !ok {
-		return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
-	}
-
-	for _, sourceAddr := range strings.Split(sourceAddrs, ",") {
-		if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
-			if allowedIP.Equal(tcpAddr.IP) {
-				return nil
-			}
-		} else {
-			_, ipNet, err := net.ParseCIDR(sourceAddr)
-			if err != nil {
-				return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
-			}
-
-			if ipNet.Contains(tcpAddr.IP) {
-				return nil
-			}
-		}
-	}
-
-	return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
-}
-
-// ServerAuthError implements the error interface. It appends any authentication
-// errors that may occur, and is returned if all of the authentication methods
-// provided by the user failed to authenticate.
-type ServerAuthError struct {
-	// Errors contains authentication errors returned by the authentication
-	// callback methods.
-	Errors []error
-}
-
-func (l ServerAuthError) Error() string {
-	var errs []string
-	for _, err := range l.Errors {
-		errs = append(errs, err.Error())
-	}
-	return "[" + strings.Join(errs, ", ") + "]"
-}
-
-func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
-	sessionID := s.transport.getSessionID()
-	var cache pubKeyCache
-	var perms *Permissions
-
-	authFailures := 0
-	var authErrs []error
-	var displayedBanner bool
-
-userAuthLoop:
-	for {
-		if authFailures >= config.MaxAuthTries && config.MaxAuthTries > 0 {
-			discMsg := &disconnectMsg{
-				Reason:  2,
-				Message: "too many authentication failures",
-			}
-
-			if err := s.transport.writePacket(Marshal(discMsg)); err != nil {
-				return nil, err
-			}
-
-			return nil, discMsg
-		}
-
-		var userAuthReq userAuthRequestMsg
-		if packet, err := s.transport.readPacket(); err != nil {
-			if err == io.EOF {
-				return nil, &ServerAuthError{Errors: authErrs}
-			}
-			return nil, err
-		} else if err = Unmarshal(packet, &userAuthReq); err != nil {
-			return nil, err
-		}
-
-		if userAuthReq.Service != serviceSSH {
-			return nil, errors.New("ssh: client attempted to negotiate for unknown service: " + userAuthReq.Service)
-		}
-
-		s.user = userAuthReq.User
-
-		if !displayedBanner && config.BannerCallback != nil {
-			displayedBanner = true
-			msg := config.BannerCallback(s)
-			if msg != "" {
-				bannerMsg := &userAuthBannerMsg{
-					Message: msg,
-				}
-				if err := s.transport.writePacket(Marshal(bannerMsg)); err != nil {
-					return nil, err
-				}
-			}
-		}
-
-		perms = nil
-		authErr := errors.New("no auth passed yet")
-
-		switch userAuthReq.Method {
-		case "none":
-			if config.NoClientAuth {
-				authErr = nil
-			}
-
-			// allow initial attempt of 'none' without penalty
-			if authFailures == 0 {
-				authFailures--
-			}
-		case "password":
-			if config.PasswordCallback == nil {
-				authErr = errors.New("ssh: password auth not configured")
-				break
-			}
-			payload := userAuthReq.Payload
-			if len(payload) < 1 || payload[0] != 0 {
-				return nil, parseError(msgUserAuthRequest)
-			}
-			payload = payload[1:]
-			password, payload, ok := parseString(payload)
-			if !ok || len(payload) > 0 {
-				return nil, parseError(msgUserAuthRequest)
-			}
-
-			perms, authErr = config.PasswordCallback(s, password)
-		case "keyboard-interactive":
-			if config.KeyboardInteractiveCallback == nil {
-				authErr = errors.New("ssh: keyboard-interactive auth not configubred")
-				break
-			}
-
-			prompter := &sshClientKeyboardInteractive{s}
-			perms, authErr = config.KeyboardInteractiveCallback(s, prompter.Challenge)
-		case "publickey":
-			if config.PublicKeyCallback == nil {
-				authErr = errors.New("ssh: publickey auth not configured")
-				break
-			}
-			payload := userAuthReq.Payload
-			if len(payload) < 1 {
-				return nil, parseError(msgUserAuthRequest)
-			}
-			isQuery := payload[0] == 0
-			payload = payload[1:]
-			algoBytes, payload, ok := parseString(payload)
-			if !ok {
-				return nil, parseError(msgUserAuthRequest)
-			}
-			algo := string(algoBytes)
-			if !isAcceptableAlgo(algo) {
-				authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
-				break
-			}
-
-			pubKeyData, payload, ok := parseString(payload)
-			if !ok {
-				return nil, parseError(msgUserAuthRequest)
-			}
-
-			pubKey, err := ParsePublicKey(pubKeyData)
-			if err != nil {
-				return nil, err
-			}
-
-			candidate, ok := cache.get(s.user, pubKeyData)
-			if !ok {
-				candidate.user = s.user
-				candidate.pubKeyData = pubKeyData
-				candidate.perms, candidate.result = config.PublicKeyCallback(s, pubKey)
-				if candidate.result == nil && candidate.perms != nil && candidate.perms.CriticalOptions != nil && candidate.perms.CriticalOptions[sourceAddressCriticalOption] != "" {
-					candidate.result = checkSourceAddress(
-						s.RemoteAddr(),
-						candidate.perms.CriticalOptions[sourceAddressCriticalOption])
-				}
-				cache.add(candidate)
-			}
-
-			if isQuery {
-				// The client can query if the given public key
-				// would be okay.
-
-				if len(payload) > 0 {
-					return nil, parseError(msgUserAuthRequest)
-				}
-
-				if candidate.result == nil {
-					okMsg := userAuthPubKeyOkMsg{
-						Algo:   algo,
-						PubKey: pubKeyData,
-					}
-					if err = s.transport.writePacket(Marshal(&okMsg)); err != nil {
-						return nil, err
-					}
-					continue userAuthLoop
-				}
-				authErr = candidate.result
-			} else {
-				sig, payload, ok := parseSignature(payload)
-				if !ok || len(payload) > 0 {
-					return nil, parseError(msgUserAuthRequest)
-				}
-				// Ensure the public key algo and signature algo
-				// are supported.  Compare the private key
-				// algorithm name that corresponds to algo with
-				// sig.Format.  This is usually the same, but
-				// for certs, the names differ.
-				if !isAcceptableAlgo(sig.Format) {
-					break
-				}
-				signedData := buildDataSignedForAuth(sessionID, userAuthReq, algoBytes, pubKeyData)
-
-				if err := pubKey.Verify(signedData, sig); err != nil {
-					return nil, err
-				}
-
-				authErr = candidate.result
-				perms = candidate.perms
-			}
-		default:
-			authErr = fmt.Errorf("ssh: unknown method %q", userAuthReq.Method)
-		}
-
-		authErrs = append(authErrs, authErr)
-
-		if config.AuthLogCallback != nil {
-			config.AuthLogCallback(s, userAuthReq.Method, authErr)
-		}
-
-		if authErr == nil {
-			break userAuthLoop
-		}
-
-		authFailures++
-
-		var failureMsg userAuthFailureMsg
-		if config.PasswordCallback != nil {
-			failureMsg.Methods = append(failureMsg.Methods, "password")
-		}
-		if config.PublicKeyCallback != nil {
-			failureMsg.Methods = append(failureMsg.Methods, "publickey")
-		}
-		if config.KeyboardInteractiveCallback != nil {
-			failureMsg.Methods = append(failureMsg.Methods, "keyboard-interactive")
-		}
-
-		if len(failureMsg.Methods) == 0 {
-			return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
-		}
-
-		if err := s.transport.writePacket(Marshal(&failureMsg)); err != nil {
-			return nil, err
-		}
-	}
-
-	if err := s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
-		return nil, err
-	}
-	return perms, nil
-}
-
-// sshClientKeyboardInteractive implements a ClientKeyboardInteractive by
-// asking the client on the other side of a ServerConn.
-type sshClientKeyboardInteractive struct {
-	*connection
-}
-
-func (c *sshClientKeyboardInteractive) Challenge(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
-	if len(questions) != len(echos) {
-		return nil, errors.New("ssh: echos and questions must have equal length")
-	}
-
-	var prompts []byte
-	for i := range questions {
-		prompts = appendString(prompts, questions[i])
-		prompts = appendBool(prompts, echos[i])
-	}
-
-	if err := c.transport.writePacket(Marshal(&userAuthInfoRequestMsg{
-		Instruction: instruction,
-		NumPrompts:  uint32(len(questions)),
-		Prompts:     prompts,
-	})); err != nil {
-		return nil, err
-	}
-
-	packet, err := c.transport.readPacket()
-	if err != nil {
-		return nil, err
-	}
-	if packet[0] != msgUserAuthInfoResponse {
-		return nil, unexpectedMessageError(msgUserAuthInfoResponse, packet[0])
-	}
-	packet = packet[1:]
-
-	n, packet, ok := parseUint32(packet)
-	if !ok || int(n) != len(questions) {
-		return nil, parseError(msgUserAuthInfoResponse)
-	}
-
-	for i := uint32(0); i < n; i++ {
-		ans, rest, ok := parseString(packet)
-		if !ok {
-			return nil, parseError(msgUserAuthInfoResponse)
-		}
-
-		answers = append(answers, string(ans))
-		packet = rest
-	}
-	if len(packet) != 0 {
-		return nil, errors.New("ssh: junk at end of message")
-	}
-
-	return answers, nil
-}
diff --git a/vendor/golang.org/x/crypto/ssh/session.go b/vendor/golang.org/x/crypto/ssh/session.go
deleted file mode 100644
index d3321f6b..00000000
--- a/vendor/golang.org/x/crypto/ssh/session.go
+++ /dev/null
@@ -1,647 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-// Session implements an interactive session described in
-// "RFC 4254, section 6".
-
-import (
-	"bytes"
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"sync"
-)
-
-type Signal string
-
-// POSIX signals as listed in RFC 4254 Section 6.10.
-const (
-	SIGABRT Signal = "ABRT"
-	SIGALRM Signal = "ALRM"
-	SIGFPE  Signal = "FPE"
-	SIGHUP  Signal = "HUP"
-	SIGILL  Signal = "ILL"
-	SIGINT  Signal = "INT"
-	SIGKILL Signal = "KILL"
-	SIGPIPE Signal = "PIPE"
-	SIGQUIT Signal = "QUIT"
-	SIGSEGV Signal = "SEGV"
-	SIGTERM Signal = "TERM"
-	SIGUSR1 Signal = "USR1"
-	SIGUSR2 Signal = "USR2"
-)
-
-var signals = map[Signal]int{
-	SIGABRT: 6,
-	SIGALRM: 14,
-	SIGFPE:  8,
-	SIGHUP:  1,
-	SIGILL:  4,
-	SIGINT:  2,
-	SIGKILL: 9,
-	SIGPIPE: 13,
-	SIGQUIT: 3,
-	SIGSEGV: 11,
-	SIGTERM: 15,
-}
-
-type TerminalModes map[uint8]uint32
-
-// POSIX terminal mode flags as listed in RFC 4254 Section 8.
-const (
-	tty_OP_END    = 0
-	VINTR         = 1
-	VQUIT         = 2
-	VERASE        = 3
-	VKILL         = 4
-	VEOF          = 5
-	VEOL          = 6
-	VEOL2         = 7
-	VSTART        = 8
-	VSTOP         = 9
-	VSUSP         = 10
-	VDSUSP        = 11
-	VREPRINT      = 12
-	VWERASE       = 13
-	VLNEXT        = 14
-	VFLUSH        = 15
-	VSWTCH        = 16
-	VSTATUS       = 17
-	VDISCARD      = 18
-	IGNPAR        = 30
-	PARMRK        = 31
-	INPCK         = 32
-	ISTRIP        = 33
-	INLCR         = 34
-	IGNCR         = 35
-	ICRNL         = 36
-	IUCLC         = 37
-	IXON          = 38
-	IXANY         = 39
-	IXOFF         = 40
-	IMAXBEL       = 41
-	ISIG          = 50
-	ICANON        = 51
-	XCASE         = 52
-	ECHO          = 53
-	ECHOE         = 54
-	ECHOK         = 55
-	ECHONL        = 56
-	NOFLSH        = 57
-	TOSTOP        = 58
-	IEXTEN        = 59
-	ECHOCTL       = 60
-	ECHOKE        = 61
-	PENDIN        = 62
-	OPOST         = 70
-	OLCUC         = 71
-	ONLCR         = 72
-	OCRNL         = 73
-	ONOCR         = 74
-	ONLRET        = 75
-	CS7           = 90
-	CS8           = 91
-	PARENB        = 92
-	PARODD        = 93
-	TTY_OP_ISPEED = 128
-	TTY_OP_OSPEED = 129
-)
-
-// A Session represents a connection to a remote command or shell.
-type Session struct {
-	// Stdin specifies the remote process's standard input.
-	// If Stdin is nil, the remote process reads from an empty
-	// bytes.Buffer.
-	Stdin io.Reader
-
-	// Stdout and Stderr specify the remote process's standard
-	// output and error.
-	//
-	// If either is nil, Run connects the corresponding file
-	// descriptor to an instance of ioutil.Discard. There is a
-	// fixed amount of buffering that is shared for the two streams.
-	// If either blocks it may eventually cause the remote
-	// command to block.
-	Stdout io.Writer
-	Stderr io.Writer
-
-	ch        Channel // the channel backing this session
-	started   bool    // true once Start, Run or Shell is invoked.
-	copyFuncs []func() error
-	errors    chan error // one send per copyFunc
-
-	// true if pipe method is active
-	stdinpipe, stdoutpipe, stderrpipe bool
-
-	// stdinPipeWriter is non-nil if StdinPipe has not been called
-	// and Stdin was specified by the user; it is the write end of
-	// a pipe connecting Session.Stdin to the stdin channel.
-	stdinPipeWriter io.WriteCloser
-
-	exitStatus chan error
-}
-
-// SendRequest sends an out-of-band channel request on the SSH channel
-// underlying the session.
-func (s *Session) SendRequest(name string, wantReply bool, payload []byte) (bool, error) {
-	return s.ch.SendRequest(name, wantReply, payload)
-}
-
-func (s *Session) Close() error {
-	return s.ch.Close()
-}
-
-// RFC 4254 Section 6.4.
-type setenvRequest struct {
-	Name  string
-	Value string
-}
-
-// Setenv sets an environment variable that will be applied to any
-// command executed by Shell or Run.
-func (s *Session) Setenv(name, value string) error {
-	msg := setenvRequest{
-		Name:  name,
-		Value: value,
-	}
-	ok, err := s.ch.SendRequest("env", true, Marshal(&msg))
-	if err == nil && !ok {
-		err = errors.New("ssh: setenv failed")
-	}
-	return err
-}
-
-// RFC 4254 Section 6.2.
-type ptyRequestMsg struct {
-	Term     string
-	Columns  uint32
-	Rows     uint32
-	Width    uint32
-	Height   uint32
-	Modelist string
-}
-
-// RequestPty requests the association of a pty with the session on the remote host.
-func (s *Session) RequestPty(term string, h, w int, termmodes TerminalModes) error {
-	var tm []byte
-	for k, v := range termmodes {
-		kv := struct {
-			Key byte
-			Val uint32
-		}{k, v}
-
-		tm = append(tm, Marshal(&kv)...)
-	}
-	tm = append(tm, tty_OP_END)
-	req := ptyRequestMsg{
-		Term:     term,
-		Columns:  uint32(w),
-		Rows:     uint32(h),
-		Width:    uint32(w * 8),
-		Height:   uint32(h * 8),
-		Modelist: string(tm),
-	}
-	ok, err := s.ch.SendRequest("pty-req", true, Marshal(&req))
-	if err == nil && !ok {
-		err = errors.New("ssh: pty-req failed")
-	}
-	return err
-}
-
-// RFC 4254 Section 6.5.
-type subsystemRequestMsg struct {
-	Subsystem string
-}
-
-// RequestSubsystem requests the association of a subsystem with the session on the remote host.
-// A subsystem is a predefined command that runs in the background when the ssh session is initiated
-func (s *Session) RequestSubsystem(subsystem string) error {
-	msg := subsystemRequestMsg{
-		Subsystem: subsystem,
-	}
-	ok, err := s.ch.SendRequest("subsystem", true, Marshal(&msg))
-	if err == nil && !ok {
-		err = errors.New("ssh: subsystem request failed")
-	}
-	return err
-}
-
-// RFC 4254 Section 6.7.
-type ptyWindowChangeMsg struct {
-	Columns uint32
-	Rows    uint32
-	Width   uint32
-	Height  uint32
-}
-
-// WindowChange informs the remote host about a terminal window dimension change to h rows and w columns.
-func (s *Session) WindowChange(h, w int) error {
-	req := ptyWindowChangeMsg{
-		Columns: uint32(w),
-		Rows:    uint32(h),
-		Width:   uint32(w * 8),
-		Height:  uint32(h * 8),
-	}
-	_, err := s.ch.SendRequest("window-change", false, Marshal(&req))
-	return err
-}
-
-// RFC 4254 Section 6.9.
-type signalMsg struct {
-	Signal string
-}
-
-// Signal sends the given signal to the remote process.
-// sig is one of the SIG* constants.
-func (s *Session) Signal(sig Signal) error {
-	msg := signalMsg{
-		Signal: string(sig),
-	}
-
-	_, err := s.ch.SendRequest("signal", false, Marshal(&msg))
-	return err
-}
-
-// RFC 4254 Section 6.5.
-type execMsg struct {
-	Command string
-}
-
-// Start runs cmd on the remote host. Typically, the remote
-// server passes cmd to the shell for interpretation.
-// A Session only accepts one call to Run, Start or Shell.
-func (s *Session) Start(cmd string) error {
-	if s.started {
-		return errors.New("ssh: session already started")
-	}
-	req := execMsg{
-		Command: cmd,
-	}
-
-	ok, err := s.ch.SendRequest("exec", true, Marshal(&req))
-	if err == nil && !ok {
-		err = fmt.Errorf("ssh: command %v failed", cmd)
-	}
-	if err != nil {
-		return err
-	}
-	return s.start()
-}
-
-// Run runs cmd on the remote host. Typically, the remote
-// server passes cmd to the shell for interpretation.
-// A Session only accepts one call to Run, Start, Shell, Output,
-// or CombinedOutput.
-//
-// The returned error is nil if the command runs, has no problems
-// copying stdin, stdout, and stderr, and exits with a zero exit
-// status.
-//
-// If the remote server does not send an exit status, an error of type
-// *ExitMissingError is returned. If the command completes
-// unsuccessfully or is interrupted by a signal, the error is of type
-// *ExitError. Other error types may be returned for I/O problems.
-func (s *Session) Run(cmd string) error {
-	err := s.Start(cmd)
-	if err != nil {
-		return err
-	}
-	return s.Wait()
-}
-
-// Output runs cmd on the remote host and returns its standard output.
-func (s *Session) Output(cmd string) ([]byte, error) {
-	if s.Stdout != nil {
-		return nil, errors.New("ssh: Stdout already set")
-	}
-	var b bytes.Buffer
-	s.Stdout = &b
-	err := s.Run(cmd)
-	return b.Bytes(), err
-}
-
-type singleWriter struct {
-	b  bytes.Buffer
-	mu sync.Mutex
-}
-
-func (w *singleWriter) Write(p []byte) (int, error) {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	return w.b.Write(p)
-}
-
-// CombinedOutput runs cmd on the remote host and returns its combined
-// standard output and standard error.
-func (s *Session) CombinedOutput(cmd string) ([]byte, error) {
-	if s.Stdout != nil {
-		return nil, errors.New("ssh: Stdout already set")
-	}
-	if s.Stderr != nil {
-		return nil, errors.New("ssh: Stderr already set")
-	}
-	var b singleWriter
-	s.Stdout = &b
-	s.Stderr = &b
-	err := s.Run(cmd)
-	return b.b.Bytes(), err
-}
-
-// Shell starts a login shell on the remote host. A Session only
-// accepts one call to Run, Start, Shell, Output, or CombinedOutput.
-func (s *Session) Shell() error {
-	if s.started {
-		return errors.New("ssh: session already started")
-	}
-
-	ok, err := s.ch.SendRequest("shell", true, nil)
-	if err == nil && !ok {
-		return errors.New("ssh: could not start shell")
-	}
-	if err != nil {
-		return err
-	}
-	return s.start()
-}
-
-func (s *Session) start() error {
-	s.started = true
-
-	type F func(*Session)
-	for _, setupFd := range []F{(*Session).stdin, (*Session).stdout, (*Session).stderr} {
-		setupFd(s)
-	}
-
-	s.errors = make(chan error, len(s.copyFuncs))
-	for _, fn := range s.copyFuncs {
-		go func(fn func() error) {
-			s.errors <- fn()
-		}(fn)
-	}
-	return nil
-}
-
-// Wait waits for the remote command to exit.
-//
-// The returned error is nil if the command runs, has no problems
-// copying stdin, stdout, and stderr, and exits with a zero exit
-// status.
-//
-// If the remote server does not send an exit status, an error of type
-// *ExitMissingError is returned. If the command completes
-// unsuccessfully or is interrupted by a signal, the error is of type
-// *ExitError. Other error types may be returned for I/O problems.
-func (s *Session) Wait() error {
-	if !s.started {
-		return errors.New("ssh: session not started")
-	}
-	waitErr := <-s.exitStatus
-
-	if s.stdinPipeWriter != nil {
-		s.stdinPipeWriter.Close()
-	}
-	var copyError error
-	for range s.copyFuncs {
-		if err := <-s.errors; err != nil && copyError == nil {
-			copyError = err
-		}
-	}
-	if waitErr != nil {
-		return waitErr
-	}
-	return copyError
-}
-
-func (s *Session) wait(reqs <-chan *Request) error {
-	wm := Waitmsg{status: -1}
-	// Wait for msg channel to be closed before returning.
-	for msg := range reqs {
-		switch msg.Type {
-		case "exit-status":
-			wm.status = int(binary.BigEndian.Uint32(msg.Payload))
-		case "exit-signal":
-			var sigval struct {
-				Signal     string
-				CoreDumped bool
-				Error      string
-				Lang       string
-			}
-			if err := Unmarshal(msg.Payload, &sigval); err != nil {
-				return err
-			}
-
-			// Must sanitize strings?
-			wm.signal = sigval.Signal
-			wm.msg = sigval.Error
-			wm.lang = sigval.Lang
-		default:
-			// This handles keepalives and matches
-			// OpenSSH's behaviour.
-			if msg.WantReply {
-				msg.Reply(false, nil)
-			}
-		}
-	}
-	if wm.status == 0 {
-		return nil
-	}
-	if wm.status == -1 {
-		// exit-status was never sent from server
-		if wm.signal == "" {
-			// signal was not sent either.  RFC 4254
-			// section 6.10 recommends against this
-			// behavior, but it is allowed, so we let
-			// clients handle it.
-			return &ExitMissingError{}
-		}
-		wm.status = 128
-		if _, ok := signals[Signal(wm.signal)]; ok {
-			wm.status += signals[Signal(wm.signal)]
-		}
-	}
-
-	return &ExitError{wm}
-}
-
-// ExitMissingError is returned if a session is torn down cleanly, but
-// the server sends no confirmation of the exit status.
-type ExitMissingError struct{}
-
-func (e *ExitMissingError) Error() string {
-	return "wait: remote command exited without exit status or exit signal"
-}
-
-func (s *Session) stdin() {
-	if s.stdinpipe {
-		return
-	}
-	var stdin io.Reader
-	if s.Stdin == nil {
-		stdin = new(bytes.Buffer)
-	} else {
-		r, w := io.Pipe()
-		go func() {
-			_, err := io.Copy(w, s.Stdin)
-			w.CloseWithError(err)
-		}()
-		stdin, s.stdinPipeWriter = r, w
-	}
-	s.copyFuncs = append(s.copyFuncs, func() error {
-		_, err := io.Copy(s.ch, stdin)
-		if err1 := s.ch.CloseWrite(); err == nil && err1 != io.EOF {
-			err = err1
-		}
-		return err
-	})
-}
-
-func (s *Session) stdout() {
-	if s.stdoutpipe {
-		return
-	}
-	if s.Stdout == nil {
-		s.Stdout = ioutil.Discard
-	}
-	s.copyFuncs = append(s.copyFuncs, func() error {
-		_, err := io.Copy(s.Stdout, s.ch)
-		return err
-	})
-}
-
-func (s *Session) stderr() {
-	if s.stderrpipe {
-		return
-	}
-	if s.Stderr == nil {
-		s.Stderr = ioutil.Discard
-	}
-	s.copyFuncs = append(s.copyFuncs, func() error {
-		_, err := io.Copy(s.Stderr, s.ch.Stderr())
-		return err
-	})
-}
-
-// sessionStdin reroutes Close to CloseWrite.
-type sessionStdin struct {
-	io.Writer
-	ch Channel
-}
-
-func (s *sessionStdin) Close() error {
-	return s.ch.CloseWrite()
-}
-
-// StdinPipe returns a pipe that will be connected to the
-// remote command's standard input when the command starts.
-func (s *Session) StdinPipe() (io.WriteCloser, error) {
-	if s.Stdin != nil {
-		return nil, errors.New("ssh: Stdin already set")
-	}
-	if s.started {
-		return nil, errors.New("ssh: StdinPipe after process started")
-	}
-	s.stdinpipe = true
-	return &sessionStdin{s.ch, s.ch}, nil
-}
-
-// StdoutPipe returns a pipe that will be connected to the
-// remote command's standard output when the command starts.
-// There is a fixed amount of buffering that is shared between
-// stdout and stderr streams. If the StdoutPipe reader is
-// not serviced fast enough it may eventually cause the
-// remote command to block.
-func (s *Session) StdoutPipe() (io.Reader, error) {
-	if s.Stdout != nil {
-		return nil, errors.New("ssh: Stdout already set")
-	}
-	if s.started {
-		return nil, errors.New("ssh: StdoutPipe after process started")
-	}
-	s.stdoutpipe = true
-	return s.ch, nil
-}
-
-// StderrPipe returns a pipe that will be connected to the
-// remote command's standard error when the command starts.
-// There is a fixed amount of buffering that is shared between
-// stdout and stderr streams. If the StderrPipe reader is
-// not serviced fast enough it may eventually cause the
-// remote command to block.
-func (s *Session) StderrPipe() (io.Reader, error) {
-	if s.Stderr != nil {
-		return nil, errors.New("ssh: Stderr already set")
-	}
-	if s.started {
-		return nil, errors.New("ssh: StderrPipe after process started")
-	}
-	s.stderrpipe = true
-	return s.ch.Stderr(), nil
-}
-
-// newSession returns a new interactive session on the remote host.
-func newSession(ch Channel, reqs <-chan *Request) (*Session, error) {
-	s := &Session{
-		ch: ch,
-	}
-	s.exitStatus = make(chan error, 1)
-	go func() {
-		s.exitStatus <- s.wait(reqs)
-	}()
-
-	return s, nil
-}
-
-// An ExitError reports unsuccessful completion of a remote command.
-type ExitError struct {
-	Waitmsg
-}
-
-func (e *ExitError) Error() string {
-	return e.Waitmsg.String()
-}
-
-// Waitmsg stores the information about an exited remote command
-// as reported by Wait.
-type Waitmsg struct {
-	status int
-	signal string
-	msg    string
-	lang   string
-}
-
-// ExitStatus returns the exit status of the remote command.
-func (w Waitmsg) ExitStatus() int {
-	return w.status
-}
-
-// Signal returns the exit signal of the remote command if
-// it was terminated violently.
-func (w Waitmsg) Signal() string {
-	return w.signal
-}
-
-// Msg returns the exit message given by the remote command
-func (w Waitmsg) Msg() string {
-	return w.msg
-}
-
-// Lang returns the language tag. See RFC 3066
-func (w Waitmsg) Lang() string {
-	return w.lang
-}
-
-func (w Waitmsg) String() string {
-	str := fmt.Sprintf("Process exited with status %v", w.status)
-	if w.signal != "" {
-		str += fmt.Sprintf(" from signal %v", w.signal)
-	}
-	if w.msg != "" {
-		str += fmt.Sprintf(". Reason was: %v", w.msg)
-	}
-	return str
-}
diff --git a/vendor/golang.org/x/crypto/ssh/session_test.go b/vendor/golang.org/x/crypto/ssh/session_test.go
deleted file mode 100644
index 7dce6dd6..00000000
--- a/vendor/golang.org/x/crypto/ssh/session_test.go
+++ /dev/null
@@ -1,774 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-// Session tests.
-
-import (
-	"bytes"
-	crypto_rand "crypto/rand"
-	"errors"
-	"io"
-	"io/ioutil"
-	"math/rand"
-	"net"
-	"testing"
-
-	"golang.org/x/crypto/ssh/terminal"
-)
-
-type serverType func(Channel, <-chan *Request, *testing.T)
-
-// dial constructs a new test server and returns a *ClientConn.
-func dial(handler serverType, t *testing.T) *Client {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-
-	go func() {
-		defer c1.Close()
-		conf := ServerConfig{
-			NoClientAuth: true,
-		}
-		conf.AddHostKey(testSigners["rsa"])
-
-		_, chans, reqs, err := NewServerConn(c1, &conf)
-		if err != nil {
-			t.Fatalf("Unable to handshake: %v", err)
-		}
-		go DiscardRequests(reqs)
-
-		for newCh := range chans {
-			if newCh.ChannelType() != "session" {
-				newCh.Reject(UnknownChannelType, "unknown channel type")
-				continue
-			}
-
-			ch, inReqs, err := newCh.Accept()
-			if err != nil {
-				t.Errorf("Accept: %v", err)
-				continue
-			}
-			go func() {
-				handler(ch, inReqs, t)
-			}()
-		}
-	}()
-
-	config := &ClientConfig{
-		User:            "testuser",
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-
-	conn, chans, reqs, err := NewClientConn(c2, "", config)
-	if err != nil {
-		t.Fatalf("unable to dial remote side: %v", err)
-	}
-
-	return NewClient(conn, chans, reqs)
-}
-
-// Test a simple string is returned to session.Stdout.
-func TestSessionShell(t *testing.T) {
-	conn := dial(shellHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	stdout := new(bytes.Buffer)
-	session.Stdout = stdout
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %s", err)
-	}
-	if err := session.Wait(); err != nil {
-		t.Fatalf("Remote command did not exit cleanly: %v", err)
-	}
-	actual := stdout.String()
-	if actual != "golang" {
-		t.Fatalf("Remote shell did not return expected string: expected=golang, actual=%s", actual)
-	}
-}
-
-// TODO(dfc) add support for Std{in,err}Pipe when the Server supports it.
-
-// Test a simple string is returned via StdoutPipe.
-func TestSessionStdoutPipe(t *testing.T) {
-	conn := dial(shellHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	stdout, err := session.StdoutPipe()
-	if err != nil {
-		t.Fatalf("Unable to request StdoutPipe(): %v", err)
-	}
-	var buf bytes.Buffer
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	done := make(chan bool, 1)
-	go func() {
-		if _, err := io.Copy(&buf, stdout); err != nil {
-			t.Errorf("Copy of stdout failed: %v", err)
-		}
-		done <- true
-	}()
-	if err := session.Wait(); err != nil {
-		t.Fatalf("Remote command did not exit cleanly: %v", err)
-	}
-	<-done
-	actual := buf.String()
-	if actual != "golang" {
-		t.Fatalf("Remote shell did not return expected string: expected=golang, actual=%s", actual)
-	}
-}
-
-// Test that a simple string is returned via the Output helper,
-// and that stderr is discarded.
-func TestSessionOutput(t *testing.T) {
-	conn := dial(fixedOutputHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-
-	buf, err := session.Output("") // cmd is ignored by fixedOutputHandler
-	if err != nil {
-		t.Error("Remote command did not exit cleanly:", err)
-	}
-	w := "this-is-stdout."
-	g := string(buf)
-	if g != w {
-		t.Error("Remote command did not return expected string:")
-		t.Logf("want %q", w)
-		t.Logf("got  %q", g)
-	}
-}
-
-// Test that both stdout and stderr are returned
-// via the CombinedOutput helper.
-func TestSessionCombinedOutput(t *testing.T) {
-	conn := dial(fixedOutputHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-
-	buf, err := session.CombinedOutput("") // cmd is ignored by fixedOutputHandler
-	if err != nil {
-		t.Error("Remote command did not exit cleanly:", err)
-	}
-	const stdout = "this-is-stdout."
-	const stderr = "this-is-stderr."
-	g := string(buf)
-	if g != stdout+stderr && g != stderr+stdout {
-		t.Error("Remote command did not return expected string:")
-		t.Logf("want %q, or %q", stdout+stderr, stderr+stdout)
-		t.Logf("got  %q", g)
-	}
-}
-
-// Test non-0 exit status is returned correctly.
-func TestExitStatusNonZero(t *testing.T) {
-	conn := dial(exitStatusNonZeroHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	e, ok := err.(*ExitError)
-	if !ok {
-		t.Fatalf("expected *ExitError but got %T", err)
-	}
-	if e.ExitStatus() != 15 {
-		t.Fatalf("expected command to exit with 15 but got %v", e.ExitStatus())
-	}
-}
-
-// Test 0 exit status is returned correctly.
-func TestExitStatusZero(t *testing.T) {
-	conn := dial(exitStatusZeroHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err != nil {
-		t.Fatalf("expected nil but got %v", err)
-	}
-}
-
-// Test exit signal and status are both returned correctly.
-func TestExitSignalAndStatus(t *testing.T) {
-	conn := dial(exitSignalAndStatusHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	e, ok := err.(*ExitError)
-	if !ok {
-		t.Fatalf("expected *ExitError but got %T", err)
-	}
-	if e.Signal() != "TERM" || e.ExitStatus() != 15 {
-		t.Fatalf("expected command to exit with signal TERM and status 15 but got signal %s and status %v", e.Signal(), e.ExitStatus())
-	}
-}
-
-// Test exit signal and status are both returned correctly.
-func TestKnownExitSignalOnly(t *testing.T) {
-	conn := dial(exitSignalHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	e, ok := err.(*ExitError)
-	if !ok {
-		t.Fatalf("expected *ExitError but got %T", err)
-	}
-	if e.Signal() != "TERM" || e.ExitStatus() != 143 {
-		t.Fatalf("expected command to exit with signal TERM and status 143 but got signal %s and status %v", e.Signal(), e.ExitStatus())
-	}
-}
-
-// Test exit signal and status are both returned correctly.
-func TestUnknownExitSignal(t *testing.T) {
-	conn := dial(exitSignalUnknownHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	e, ok := err.(*ExitError)
-	if !ok {
-		t.Fatalf("expected *ExitError but got %T", err)
-	}
-	if e.Signal() != "SYS" || e.ExitStatus() != 128 {
-		t.Fatalf("expected command to exit with signal SYS and status 128 but got signal %s and status %v", e.Signal(), e.ExitStatus())
-	}
-}
-
-func TestExitWithoutStatusOrSignal(t *testing.T) {
-	conn := dial(exitWithoutSignalOrStatus, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	if _, ok := err.(*ExitMissingError); !ok {
-		t.Fatalf("got %T want *ExitMissingError", err)
-	}
-}
-
-// windowTestBytes is the number of bytes that we'll send to the SSH server.
-const windowTestBytes = 16000 * 200
-
-// TestServerWindow writes random data to the server. The server is expected to echo
-// the same data back, which is compared against the original.
-func TestServerWindow(t *testing.T) {
-	origBuf := bytes.NewBuffer(make([]byte, 0, windowTestBytes))
-	io.CopyN(origBuf, crypto_rand.Reader, windowTestBytes)
-	origBytes := origBuf.Bytes()
-
-	conn := dial(echoHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer session.Close()
-	result := make(chan []byte)
-
-	go func() {
-		defer close(result)
-		echoedBuf := bytes.NewBuffer(make([]byte, 0, windowTestBytes))
-		serverStdout, err := session.StdoutPipe()
-		if err != nil {
-			t.Errorf("StdoutPipe failed: %v", err)
-			return
-		}
-		n, err := copyNRandomly("stdout", echoedBuf, serverStdout, windowTestBytes)
-		if err != nil && err != io.EOF {
-			t.Errorf("Read only %d bytes from server, expected %d: %v", n, windowTestBytes, err)
-		}
-		result <- echoedBuf.Bytes()
-	}()
-
-	serverStdin, err := session.StdinPipe()
-	if err != nil {
-		t.Fatalf("StdinPipe failed: %v", err)
-	}
-	written, err := copyNRandomly("stdin", serverStdin, origBuf, windowTestBytes)
-	if err != nil {
-		t.Fatalf("failed to copy origBuf to serverStdin: %v", err)
-	}
-	if written != windowTestBytes {
-		t.Fatalf("Wrote only %d of %d bytes to server", written, windowTestBytes)
-	}
-
-	echoedBytes := <-result
-
-	if !bytes.Equal(origBytes, echoedBytes) {
-		t.Fatalf("Echoed buffer differed from original, orig %d, echoed %d", len(origBytes), len(echoedBytes))
-	}
-}
-
-// Verify the client can handle a keepalive packet from the server.
-func TestClientHandlesKeepalives(t *testing.T) {
-	conn := dial(channelKeepaliveSender, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err != nil {
-		t.Fatalf("expected nil but got: %v", err)
-	}
-}
-
-type exitStatusMsg struct {
-	Status uint32
-}
-
-type exitSignalMsg struct {
-	Signal     string
-	CoreDumped bool
-	Errmsg     string
-	Lang       string
-}
-
-func handleTerminalRequests(in <-chan *Request) {
-	for req := range in {
-		ok := false
-		switch req.Type {
-		case "shell":
-			ok = true
-			if len(req.Payload) > 0 {
-				// We don't accept any commands, only the default shell.
-				ok = false
-			}
-		case "env":
-			ok = true
-		}
-		req.Reply(ok, nil)
-	}
-}
-
-func newServerShell(ch Channel, in <-chan *Request, prompt string) *terminal.Terminal {
-	term := terminal.NewTerminal(ch, prompt)
-	go handleTerminalRequests(in)
-	return term
-}
-
-func exitStatusZeroHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	// this string is returned to stdout
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendStatus(0, ch, t)
-}
-
-func exitStatusNonZeroHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendStatus(15, ch, t)
-}
-
-func exitSignalAndStatusHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendStatus(15, ch, t)
-	sendSignal("TERM", ch, t)
-}
-
-func exitSignalHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendSignal("TERM", ch, t)
-}
-
-func exitSignalUnknownHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendSignal("SYS", ch, t)
-}
-
-func exitWithoutSignalOrStatus(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-}
-
-func shellHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	// this string is returned to stdout
-	shell := newServerShell(ch, in, "golang")
-	readLine(shell, t)
-	sendStatus(0, ch, t)
-}
-
-// Ignores the command, writes fixed strings to stderr and stdout.
-// Strings are "this-is-stdout." and "this-is-stderr.".
-func fixedOutputHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	_, err := ch.Read(nil)
-
-	req, ok := <-in
-	if !ok {
-		t.Fatalf("error: expected channel request, got: %#v", err)
-		return
-	}
-
-	// ignore request, always send some text
-	req.Reply(true, nil)
-
-	_, err = io.WriteString(ch, "this-is-stdout.")
-	if err != nil {
-		t.Fatalf("error writing on server: %v", err)
-	}
-	_, err = io.WriteString(ch.Stderr(), "this-is-stderr.")
-	if err != nil {
-		t.Fatalf("error writing on server: %v", err)
-	}
-	sendStatus(0, ch, t)
-}
-
-func readLine(shell *terminal.Terminal, t *testing.T) {
-	if _, err := shell.ReadLine(); err != nil && err != io.EOF {
-		t.Errorf("unable to read line: %v", err)
-	}
-}
-
-func sendStatus(status uint32, ch Channel, t *testing.T) {
-	msg := exitStatusMsg{
-		Status: status,
-	}
-	if _, err := ch.SendRequest("exit-status", false, Marshal(&msg)); err != nil {
-		t.Errorf("unable to send status: %v", err)
-	}
-}
-
-func sendSignal(signal string, ch Channel, t *testing.T) {
-	sig := exitSignalMsg{
-		Signal:     signal,
-		CoreDumped: false,
-		Errmsg:     "Process terminated",
-		Lang:       "en-GB-oed",
-	}
-	if _, err := ch.SendRequest("exit-signal", false, Marshal(&sig)); err != nil {
-		t.Errorf("unable to send signal: %v", err)
-	}
-}
-
-func discardHandler(ch Channel, t *testing.T) {
-	defer ch.Close()
-	io.Copy(ioutil.Discard, ch)
-}
-
-func echoHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	if n, err := copyNRandomly("echohandler", ch, ch, windowTestBytes); err != nil {
-		t.Errorf("short write, wrote %d, expected %d: %v ", n, windowTestBytes, err)
-	}
-}
-
-// copyNRandomly copies n bytes from src to dst. It uses a variable, and random,
-// buffer size to exercise more code paths.
-func copyNRandomly(title string, dst io.Writer, src io.Reader, n int) (int, error) {
-	var (
-		buf       = make([]byte, 32*1024)
-		written   int
-		remaining = n
-	)
-	for remaining > 0 {
-		l := rand.Intn(1 << 15)
-		if remaining < l {
-			l = remaining
-		}
-		nr, er := src.Read(buf[:l])
-		nw, ew := dst.Write(buf[:nr])
-		remaining -= nw
-		written += nw
-		if ew != nil {
-			return written, ew
-		}
-		if nr != nw {
-			return written, io.ErrShortWrite
-		}
-		if er != nil && er != io.EOF {
-			return written, er
-		}
-	}
-	return written, nil
-}
-
-func channelKeepaliveSender(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	if _, err := ch.SendRequest("keepalive@openssh.com", true, nil); err != nil {
-		t.Errorf("unable to send channel keepalive request: %v", err)
-	}
-	sendStatus(0, ch, t)
-}
-
-func TestClientWriteEOF(t *testing.T) {
-	conn := dial(simpleEchoHandler, t)
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer session.Close()
-	stdin, err := session.StdinPipe()
-	if err != nil {
-		t.Fatalf("StdinPipe failed: %v", err)
-	}
-	stdout, err := session.StdoutPipe()
-	if err != nil {
-		t.Fatalf("StdoutPipe failed: %v", err)
-	}
-
-	data := []byte(`0000`)
-	_, err = stdin.Write(data)
-	if err != nil {
-		t.Fatalf("Write failed: %v", err)
-	}
-	stdin.Close()
-
-	res, err := ioutil.ReadAll(stdout)
-	if err != nil {
-		t.Fatalf("Read failed: %v", err)
-	}
-
-	if !bytes.Equal(data, res) {
-		t.Fatalf("Read differed from write, wrote: %v, read: %v", data, res)
-	}
-}
-
-func simpleEchoHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	data, err := ioutil.ReadAll(ch)
-	if err != nil {
-		t.Errorf("handler read error: %v", err)
-	}
-	_, err = ch.Write(data)
-	if err != nil {
-		t.Errorf("handler write error: %v", err)
-	}
-}
-
-func TestSessionID(t *testing.T) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	serverID := make(chan []byte, 1)
-	clientID := make(chan []byte, 1)
-
-	serverConf := &ServerConfig{
-		NoClientAuth: true,
-	}
-	serverConf.AddHostKey(testSigners["ecdsa"])
-	clientConf := &ClientConfig{
-		HostKeyCallback: InsecureIgnoreHostKey(),
-		User:            "user",
-	}
-
-	go func() {
-		conn, chans, reqs, err := NewServerConn(c1, serverConf)
-		if err != nil {
-			t.Fatalf("server handshake: %v", err)
-		}
-		serverID <- conn.SessionID()
-		go DiscardRequests(reqs)
-		for ch := range chans {
-			ch.Reject(Prohibited, "")
-		}
-	}()
-
-	go func() {
-		conn, chans, reqs, err := NewClientConn(c2, "", clientConf)
-		if err != nil {
-			t.Fatalf("client handshake: %v", err)
-		}
-		clientID <- conn.SessionID()
-		go DiscardRequests(reqs)
-		for ch := range chans {
-			ch.Reject(Prohibited, "")
-		}
-	}()
-
-	s := <-serverID
-	c := <-clientID
-	if bytes.Compare(s, c) != 0 {
-		t.Errorf("server session ID (%x) != client session ID (%x)", s, c)
-	} else if len(s) == 0 {
-		t.Errorf("client and server SessionID were empty.")
-	}
-}
-
-type noReadConn struct {
-	readSeen bool
-	net.Conn
-}
-
-func (c *noReadConn) Close() error {
-	return nil
-}
-
-func (c *noReadConn) Read(b []byte) (int, error) {
-	c.readSeen = true
-	return 0, errors.New("noReadConn error")
-}
-
-func TestInvalidServerConfiguration(t *testing.T) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	serveConn := noReadConn{Conn: c1}
-	serverConf := &ServerConfig{}
-
-	NewServerConn(&serveConn, serverConf)
-	if serveConn.readSeen {
-		t.Fatalf("NewServerConn attempted to Read() from Conn while configuration is missing host key")
-	}
-
-	serverConf.AddHostKey(testSigners["ecdsa"])
-
-	NewServerConn(&serveConn, serverConf)
-	if serveConn.readSeen {
-		t.Fatalf("NewServerConn attempted to Read() from Conn while configuration is missing authentication method")
-	}
-}
-
-func TestHostKeyAlgorithms(t *testing.T) {
-	serverConf := &ServerConfig{
-		NoClientAuth: true,
-	}
-	serverConf.AddHostKey(testSigners["rsa"])
-	serverConf.AddHostKey(testSigners["ecdsa"])
-
-	connect := func(clientConf *ClientConfig, want string) {
-		var alg string
-		clientConf.HostKeyCallback = func(h string, a net.Addr, key PublicKey) error {
-			alg = key.Type()
-			return nil
-		}
-		c1, c2, err := netPipe()
-		if err != nil {
-			t.Fatalf("netPipe: %v", err)
-		}
-		defer c1.Close()
-		defer c2.Close()
-
-		go NewServerConn(c1, serverConf)
-		_, _, _, err = NewClientConn(c2, "", clientConf)
-		if err != nil {
-			t.Fatalf("NewClientConn: %v", err)
-		}
-		if alg != want {
-			t.Errorf("selected key algorithm %s, want %s", alg, want)
-		}
-	}
-
-	// By default, we get the preferred algorithm, which is ECDSA 256.
-
-	clientConf := &ClientConfig{
-		HostKeyCallback: InsecureIgnoreHostKey(),
-	}
-	connect(clientConf, KeyAlgoECDSA256)
-
-	// Client asks for RSA explicitly.
-	clientConf.HostKeyAlgorithms = []string{KeyAlgoRSA}
-	connect(clientConf, KeyAlgoRSA)
-
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	go NewServerConn(c1, serverConf)
-	clientConf.HostKeyAlgorithms = []string{"nonexistent-hostkey-algo"}
-	_, _, _, err = NewClientConn(c2, "", clientConf)
-	if err == nil {
-		t.Fatal("succeeded connecting with unknown hostkey algorithm")
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/streamlocal.go b/vendor/golang.org/x/crypto/ssh/streamlocal.go
deleted file mode 100644
index a2dccc64..00000000
--- a/vendor/golang.org/x/crypto/ssh/streamlocal.go
+++ /dev/null
@@ -1,115 +0,0 @@
-package ssh
-
-import (
-	"errors"
-	"io"
-	"net"
-)
-
-// streamLocalChannelOpenDirectMsg is a struct used for SSH_MSG_CHANNEL_OPEN message
-// with "direct-streamlocal@openssh.com" string.
-//
-// See openssh-portable/PROTOCOL, section 2.4. connection: Unix domain socket forwarding
-// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL#L235
-type streamLocalChannelOpenDirectMsg struct {
-	socketPath string
-	reserved0  string
-	reserved1  uint32
-}
-
-// forwardedStreamLocalPayload is a struct used for SSH_MSG_CHANNEL_OPEN message
-// with "forwarded-streamlocal@openssh.com" string.
-type forwardedStreamLocalPayload struct {
-	SocketPath string
-	Reserved0  string
-}
-
-// streamLocalChannelForwardMsg is a struct used for SSH2_MSG_GLOBAL_REQUEST message
-// with "streamlocal-forward@openssh.com"/"cancel-streamlocal-forward@openssh.com" string.
-type streamLocalChannelForwardMsg struct {
-	socketPath string
-}
-
-// ListenUnix is similar to ListenTCP but uses a Unix domain socket.
-func (c *Client) ListenUnix(socketPath string) (net.Listener, error) {
-	m := streamLocalChannelForwardMsg{
-		socketPath,
-	}
-	// send message
-	ok, _, err := c.SendRequest("streamlocal-forward@openssh.com", true, Marshal(&m))
-	if err != nil {
-		return nil, err
-	}
-	if !ok {
-		return nil, errors.New("ssh: streamlocal-forward@openssh.com request denied by peer")
-	}
-	ch := c.forwards.add(&net.UnixAddr{Name: socketPath, Net: "unix"})
-
-	return &unixListener{socketPath, c, ch}, nil
-}
-
-func (c *Client) dialStreamLocal(socketPath string) (Channel, error) {
-	msg := streamLocalChannelOpenDirectMsg{
-		socketPath: socketPath,
-	}
-	ch, in, err := c.OpenChannel("direct-streamlocal@openssh.com", Marshal(&msg))
-	if err != nil {
-		return nil, err
-	}
-	go DiscardRequests(in)
-	return ch, err
-}
-
-type unixListener struct {
-	socketPath string
-
-	conn *Client
-	in   <-chan forward
-}
-
-// Accept waits for and returns the next connection to the listener.
-func (l *unixListener) Accept() (net.Conn, error) {
-	s, ok := <-l.in
-	if !ok {
-		return nil, io.EOF
-	}
-	ch, incoming, err := s.newCh.Accept()
-	if err != nil {
-		return nil, err
-	}
-	go DiscardRequests(incoming)
-
-	return &chanConn{
-		Channel: ch,
-		laddr: &net.UnixAddr{
-			Name: l.socketPath,
-			Net:  "unix",
-		},
-		raddr: &net.UnixAddr{
-			Name: "@",
-			Net:  "unix",
-		},
-	}, nil
-}
-
-// Close closes the listener.
-func (l *unixListener) Close() error {
-	// this also closes the listener.
-	l.conn.forwards.remove(&net.UnixAddr{Name: l.socketPath, Net: "unix"})
-	m := streamLocalChannelForwardMsg{
-		l.socketPath,
-	}
-	ok, _, err := l.conn.SendRequest("cancel-streamlocal-forward@openssh.com", true, Marshal(&m))
-	if err == nil && !ok {
-		err = errors.New("ssh: cancel-streamlocal-forward@openssh.com failed")
-	}
-	return err
-}
-
-// Addr returns the listener's network address.
-func (l *unixListener) Addr() net.Addr {
-	return &net.UnixAddr{
-		Name: l.socketPath,
-		Net:  "unix",
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/tcpip.go b/vendor/golang.org/x/crypto/ssh/tcpip.go
deleted file mode 100644
index acf17175..00000000
--- a/vendor/golang.org/x/crypto/ssh/tcpip.go
+++ /dev/null
@@ -1,465 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"math/rand"
-	"net"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-)
-
-// Listen requests the remote peer open a listening socket on
-// addr. Incoming connections will be available by calling Accept on
-// the returned net.Listener. The listener must be serviced, or the
-// SSH connection may hang.
-// N must be "tcp", "tcp4", "tcp6", or "unix".
-func (c *Client) Listen(n, addr string) (net.Listener, error) {
-	switch n {
-	case "tcp", "tcp4", "tcp6":
-		laddr, err := net.ResolveTCPAddr(n, addr)
-		if err != nil {
-			return nil, err
-		}
-		return c.ListenTCP(laddr)
-	case "unix":
-		return c.ListenUnix(addr)
-	default:
-		return nil, fmt.Errorf("ssh: unsupported protocol: %s", n)
-	}
-}
-
-// Automatic port allocation is broken with OpenSSH before 6.0. See
-// also https://bugzilla.mindrot.org/show_bug.cgi?id=2017.  In
-// particular, OpenSSH 5.9 sends a channelOpenMsg with port number 0,
-// rather than the actual port number. This means you can never open
-// two different listeners with auto allocated ports. We work around
-// this by trying explicit ports until we succeed.
-
-const openSSHPrefix = "OpenSSH_"
-
-var portRandomizer = rand.New(rand.NewSource(time.Now().UnixNano()))
-
-// isBrokenOpenSSHVersion returns true if the given version string
-// specifies a version of OpenSSH that is known to have a bug in port
-// forwarding.
-func isBrokenOpenSSHVersion(versionStr string) bool {
-	i := strings.Index(versionStr, openSSHPrefix)
-	if i < 0 {
-		return false
-	}
-	i += len(openSSHPrefix)
-	j := i
-	for ; j < len(versionStr); j++ {
-		if versionStr[j] < '0' || versionStr[j] > '9' {
-			break
-		}
-	}
-	version, _ := strconv.Atoi(versionStr[i:j])
-	return version < 6
-}
-
-// autoPortListenWorkaround simulates automatic port allocation by
-// trying random ports repeatedly.
-func (c *Client) autoPortListenWorkaround(laddr *net.TCPAddr) (net.Listener, error) {
-	var sshListener net.Listener
-	var err error
-	const tries = 10
-	for i := 0; i < tries; i++ {
-		addr := *laddr
-		addr.Port = 1024 + portRandomizer.Intn(60000)
-		sshListener, err = c.ListenTCP(&addr)
-		if err == nil {
-			laddr.Port = addr.Port
-			return sshListener, err
-		}
-	}
-	return nil, fmt.Errorf("ssh: listen on random port failed after %d tries: %v", tries, err)
-}
-
-// RFC 4254 7.1
-type channelForwardMsg struct {
-	addr  string
-	rport uint32
-}
-
-// ListenTCP requests the remote peer open a listening socket
-// on laddr. Incoming connections will be available by calling
-// Accept on the returned net.Listener.
-func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
-	if laddr.Port == 0 && isBrokenOpenSSHVersion(string(c.ServerVersion())) {
-		return c.autoPortListenWorkaround(laddr)
-	}
-
-	m := channelForwardMsg{
-		laddr.IP.String(),
-		uint32(laddr.Port),
-	}
-	// send message
-	ok, resp, err := c.SendRequest("tcpip-forward", true, Marshal(&m))
-	if err != nil {
-		return nil, err
-	}
-	if !ok {
-		return nil, errors.New("ssh: tcpip-forward request denied by peer")
-	}
-
-	// If the original port was 0, then the remote side will
-	// supply a real port number in the response.
-	if laddr.Port == 0 {
-		var p struct {
-			Port uint32
-		}
-		if err := Unmarshal(resp, &p); err != nil {
-			return nil, err
-		}
-		laddr.Port = int(p.Port)
-	}
-
-	// Register this forward, using the port number we obtained.
-	ch := c.forwards.add(laddr)
-
-	return &tcpListener{laddr, c, ch}, nil
-}
-
-// forwardList stores a mapping between remote
-// forward requests and the tcpListeners.
-type forwardList struct {
-	sync.Mutex
-	entries []forwardEntry
-}
-
-// forwardEntry represents an established mapping of a laddr on a
-// remote ssh server to a channel connected to a tcpListener.
-type forwardEntry struct {
-	laddr net.Addr
-	c     chan forward
-}
-
-// forward represents an incoming forwarded tcpip connection. The
-// arguments to add/remove/lookup should be address as specified in
-// the original forward-request.
-type forward struct {
-	newCh NewChannel // the ssh client channel underlying this forward
-	raddr net.Addr   // the raddr of the incoming connection
-}
-
-func (l *forwardList) add(addr net.Addr) chan forward {
-	l.Lock()
-	defer l.Unlock()
-	f := forwardEntry{
-		laddr: addr,
-		c:     make(chan forward, 1),
-	}
-	l.entries = append(l.entries, f)
-	return f.c
-}
-
-// See RFC 4254, section 7.2
-type forwardedTCPPayload struct {
-	Addr       string
-	Port       uint32
-	OriginAddr string
-	OriginPort uint32
-}
-
-// parseTCPAddr parses the originating address from the remote into a *net.TCPAddr.
-func parseTCPAddr(addr string, port uint32) (*net.TCPAddr, error) {
-	if port == 0 || port > 65535 {
-		return nil, fmt.Errorf("ssh: port number out of range: %d", port)
-	}
-	ip := net.ParseIP(string(addr))
-	if ip == nil {
-		return nil, fmt.Errorf("ssh: cannot parse IP address %q", addr)
-	}
-	return &net.TCPAddr{IP: ip, Port: int(port)}, nil
-}
-
-func (l *forwardList) handleChannels(in <-chan NewChannel) {
-	for ch := range in {
-		var (
-			laddr net.Addr
-			raddr net.Addr
-			err   error
-		)
-		switch channelType := ch.ChannelType(); channelType {
-		case "forwarded-tcpip":
-			var payload forwardedTCPPayload
-			if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
-				ch.Reject(ConnectionFailed, "could not parse forwarded-tcpip payload: "+err.Error())
-				continue
-			}
-
-			// RFC 4254 section 7.2 specifies that incoming
-			// addresses should list the address, in string
-			// format. It is implied that this should be an IP
-			// address, as it would be impossible to connect to it
-			// otherwise.
-			laddr, err = parseTCPAddr(payload.Addr, payload.Port)
-			if err != nil {
-				ch.Reject(ConnectionFailed, err.Error())
-				continue
-			}
-			raddr, err = parseTCPAddr(payload.OriginAddr, payload.OriginPort)
-			if err != nil {
-				ch.Reject(ConnectionFailed, err.Error())
-				continue
-			}
-
-		case "forwarded-streamlocal@openssh.com":
-			var payload forwardedStreamLocalPayload
-			if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
-				ch.Reject(ConnectionFailed, "could not parse forwarded-streamlocal@openssh.com payload: "+err.Error())
-				continue
-			}
-			laddr = &net.UnixAddr{
-				Name: payload.SocketPath,
-				Net:  "unix",
-			}
-			raddr = &net.UnixAddr{
-				Name: "@",
-				Net:  "unix",
-			}
-		default:
-			panic(fmt.Errorf("ssh: unknown channel type %s", channelType))
-		}
-		if ok := l.forward(laddr, raddr, ch); !ok {
-			// Section 7.2, implementations MUST reject spurious incoming
-			// connections.
-			ch.Reject(Prohibited, "no forward for address")
-			continue
-		}
-
-	}
-}
-
-// remove removes the forward entry, and the channel feeding its
-// listener.
-func (l *forwardList) remove(addr net.Addr) {
-	l.Lock()
-	defer l.Unlock()
-	for i, f := range l.entries {
-		if addr.Network() == f.laddr.Network() && addr.String() == f.laddr.String() {
-			l.entries = append(l.entries[:i], l.entries[i+1:]...)
-			close(f.c)
-			return
-		}
-	}
-}
-
-// closeAll closes and clears all forwards.
-func (l *forwardList) closeAll() {
-	l.Lock()
-	defer l.Unlock()
-	for _, f := range l.entries {
-		close(f.c)
-	}
-	l.entries = nil
-}
-
-func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
-	l.Lock()
-	defer l.Unlock()
-	for _, f := range l.entries {
-		if laddr.Network() == f.laddr.Network() && laddr.String() == f.laddr.String() {
-			f.c <- forward{newCh: ch, raddr: raddr}
-			return true
-		}
-	}
-	return false
-}
-
-type tcpListener struct {
-	laddr *net.TCPAddr
-
-	conn *Client
-	in   <-chan forward
-}
-
-// Accept waits for and returns the next connection to the listener.
-func (l *tcpListener) Accept() (net.Conn, error) {
-	s, ok := <-l.in
-	if !ok {
-		return nil, io.EOF
-	}
-	ch, incoming, err := s.newCh.Accept()
-	if err != nil {
-		return nil, err
-	}
-	go DiscardRequests(incoming)
-
-	return &chanConn{
-		Channel: ch,
-		laddr:   l.laddr,
-		raddr:   s.raddr,
-	}, nil
-}
-
-// Close closes the listener.
-func (l *tcpListener) Close() error {
-	m := channelForwardMsg{
-		l.laddr.IP.String(),
-		uint32(l.laddr.Port),
-	}
-
-	// this also closes the listener.
-	l.conn.forwards.remove(l.laddr)
-	ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
-	if err == nil && !ok {
-		err = errors.New("ssh: cancel-tcpip-forward failed")
-	}
-	return err
-}
-
-// Addr returns the listener's network address.
-func (l *tcpListener) Addr() net.Addr {
-	return l.laddr
-}
-
-// Dial initiates a connection to the addr from the remote host.
-// The resulting connection has a zero LocalAddr() and RemoteAddr().
-func (c *Client) Dial(n, addr string) (net.Conn, error) {
-	var ch Channel
-	switch n {
-	case "tcp", "tcp4", "tcp6":
-		// Parse the address into host and numeric port.
-		host, portString, err := net.SplitHostPort(addr)
-		if err != nil {
-			return nil, err
-		}
-		port, err := strconv.ParseUint(portString, 10, 16)
-		if err != nil {
-			return nil, err
-		}
-		ch, err = c.dial(net.IPv4zero.String(), 0, host, int(port))
-		if err != nil {
-			return nil, err
-		}
-		// Use a zero address for local and remote address.
-		zeroAddr := &net.TCPAddr{
-			IP:   net.IPv4zero,
-			Port: 0,
-		}
-		return &chanConn{
-			Channel: ch,
-			laddr:   zeroAddr,
-			raddr:   zeroAddr,
-		}, nil
-	case "unix":
-		var err error
-		ch, err = c.dialStreamLocal(addr)
-		if err != nil {
-			return nil, err
-		}
-		return &chanConn{
-			Channel: ch,
-			laddr: &net.UnixAddr{
-				Name: "@",
-				Net:  "unix",
-			},
-			raddr: &net.UnixAddr{
-				Name: addr,
-				Net:  "unix",
-			},
-		}, nil
-	default:
-		return nil, fmt.Errorf("ssh: unsupported protocol: %s", n)
-	}
-}
-
-// DialTCP connects to the remote address raddr on the network net,
-// which must be "tcp", "tcp4", or "tcp6".  If laddr is not nil, it is used
-// as the local address for the connection.
-func (c *Client) DialTCP(n string, laddr, raddr *net.TCPAddr) (net.Conn, error) {
-	if laddr == nil {
-		laddr = &net.TCPAddr{
-			IP:   net.IPv4zero,
-			Port: 0,
-		}
-	}
-	ch, err := c.dial(laddr.IP.String(), laddr.Port, raddr.IP.String(), raddr.Port)
-	if err != nil {
-		return nil, err
-	}
-	return &chanConn{
-		Channel: ch,
-		laddr:   laddr,
-		raddr:   raddr,
-	}, nil
-}
-
-// RFC 4254 7.2
-type channelOpenDirectMsg struct {
-	raddr string
-	rport uint32
-	laddr string
-	lport uint32
-}
-
-func (c *Client) dial(laddr string, lport int, raddr string, rport int) (Channel, error) {
-	msg := channelOpenDirectMsg{
-		raddr: raddr,
-		rport: uint32(rport),
-		laddr: laddr,
-		lport: uint32(lport),
-	}
-	ch, in, err := c.OpenChannel("direct-tcpip", Marshal(&msg))
-	if err != nil {
-		return nil, err
-	}
-	go DiscardRequests(in)
-	return ch, err
-}
-
-type tcpChan struct {
-	Channel // the backing channel
-}
-
-// chanConn fulfills the net.Conn interface without
-// the tcpChan having to hold laddr or raddr directly.
-type chanConn struct {
-	Channel
-	laddr, raddr net.Addr
-}
-
-// LocalAddr returns the local network address.
-func (t *chanConn) LocalAddr() net.Addr {
-	return t.laddr
-}
-
-// RemoteAddr returns the remote network address.
-func (t *chanConn) RemoteAddr() net.Addr {
-	return t.raddr
-}
-
-// SetDeadline sets the read and write deadlines associated
-// with the connection.
-func (t *chanConn) SetDeadline(deadline time.Time) error {
-	if err := t.SetReadDeadline(deadline); err != nil {
-		return err
-	}
-	return t.SetWriteDeadline(deadline)
-}
-
-// SetReadDeadline sets the read deadline.
-// A zero value for t means Read will not time out.
-// After the deadline, the error from Read will implement net.Error
-// with Timeout() == true.
-func (t *chanConn) SetReadDeadline(deadline time.Time) error {
-	// for compatibility with previous version,
-	// the error message contains "tcpChan"
-	return errors.New("ssh: tcpChan: deadline not supported")
-}
-
-// SetWriteDeadline exists to satisfy the net.Conn interface
-// but is not implemented by this type.  It always returns an error.
-func (t *chanConn) SetWriteDeadline(deadline time.Time) error {
-	return errors.New("ssh: tcpChan: deadline not supported")
-}
diff --git a/vendor/golang.org/x/crypto/ssh/tcpip_test.go b/vendor/golang.org/x/crypto/ssh/tcpip_test.go
deleted file mode 100644
index f1265cb4..00000000
--- a/vendor/golang.org/x/crypto/ssh/tcpip_test.go
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"testing"
-)
-
-func TestAutoPortListenBroken(t *testing.T) {
-	broken := "SSH-2.0-OpenSSH_5.9hh11"
-	works := "SSH-2.0-OpenSSH_6.1"
-	if !isBrokenOpenSSHVersion(broken) {
-		t.Errorf("version %q not marked as broken", broken)
-	}
-	if isBrokenOpenSSHVersion(works) {
-		t.Errorf("version %q marked as broken", works)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/terminal.go b/vendor/golang.org/x/crypto/ssh/terminal/terminal.go
deleted file mode 100644
index 9a887598..00000000
--- a/vendor/golang.org/x/crypto/ssh/terminal/terminal.go
+++ /dev/null
@@ -1,951 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package terminal
-
-import (
-	"bytes"
-	"io"
-	"sync"
-	"unicode/utf8"
-)
-
-// EscapeCodes contains escape sequences that can be written to the terminal in
-// order to achieve different styles of text.
-type EscapeCodes struct {
-	// Foreground colors
-	Black, Red, Green, Yellow, Blue, Magenta, Cyan, White []byte
-
-	// Reset all attributes
-	Reset []byte
-}
-
-var vt100EscapeCodes = EscapeCodes{
-	Black:   []byte{keyEscape, '[', '3', '0', 'm'},
-	Red:     []byte{keyEscape, '[', '3', '1', 'm'},
-	Green:   []byte{keyEscape, '[', '3', '2', 'm'},
-	Yellow:  []byte{keyEscape, '[', '3', '3', 'm'},
-	Blue:    []byte{keyEscape, '[', '3', '4', 'm'},
-	Magenta: []byte{keyEscape, '[', '3', '5', 'm'},
-	Cyan:    []byte{keyEscape, '[', '3', '6', 'm'},
-	White:   []byte{keyEscape, '[', '3', '7', 'm'},
-
-	Reset: []byte{keyEscape, '[', '0', 'm'},
-}
-
-// Terminal contains the state for running a VT100 terminal that is capable of
-// reading lines of input.
-type Terminal struct {
-	// AutoCompleteCallback, if non-null, is called for each keypress with
-	// the full input line and the current position of the cursor (in
-	// bytes, as an index into |line|). If it returns ok=false, the key
-	// press is processed normally. Otherwise it returns a replacement line
-	// and the new cursor position.
-	AutoCompleteCallback func(line string, pos int, key rune) (newLine string, newPos int, ok bool)
-
-	// Escape contains a pointer to the escape codes for this terminal.
-	// It's always a valid pointer, although the escape codes themselves
-	// may be empty if the terminal doesn't support them.
-	Escape *EscapeCodes
-
-	// lock protects the terminal and the state in this object from
-	// concurrent processing of a key press and a Write() call.
-	lock sync.Mutex
-
-	c      io.ReadWriter
-	prompt []rune
-
-	// line is the current line being entered.
-	line []rune
-	// pos is the logical position of the cursor in line
-	pos int
-	// echo is true if local echo is enabled
-	echo bool
-	// pasteActive is true iff there is a bracketed paste operation in
-	// progress.
-	pasteActive bool
-
-	// cursorX contains the current X value of the cursor where the left
-	// edge is 0. cursorY contains the row number where the first row of
-	// the current line is 0.
-	cursorX, cursorY int
-	// maxLine is the greatest value of cursorY so far.
-	maxLine int
-
-	termWidth, termHeight int
-
-	// outBuf contains the terminal data to be sent.
-	outBuf []byte
-	// remainder contains the remainder of any partial key sequences after
-	// a read. It aliases into inBuf.
-	remainder []byte
-	inBuf     [256]byte
-
-	// history contains previously entered commands so that they can be
-	// accessed with the up and down keys.
-	history stRingBuffer
-	// historyIndex stores the currently accessed history entry, where zero
-	// means the immediately previous entry.
-	historyIndex int
-	// When navigating up and down the history it's possible to return to
-	// the incomplete, initial line. That value is stored in
-	// historyPending.
-	historyPending string
-}
-
-// NewTerminal runs a VT100 terminal on the given ReadWriter. If the ReadWriter is
-// a local terminal, that terminal must first have been put into raw mode.
-// prompt is a string that is written at the start of each input line (i.e.
-// "> ").
-func NewTerminal(c io.ReadWriter, prompt string) *Terminal {
-	return &Terminal{
-		Escape:       &vt100EscapeCodes,
-		c:            c,
-		prompt:       []rune(prompt),
-		termWidth:    80,
-		termHeight:   24,
-		echo:         true,
-		historyIndex: -1,
-	}
-}
-
-const (
-	keyCtrlD     = 4
-	keyCtrlU     = 21
-	keyEnter     = '\r'
-	keyEscape    = 27
-	keyBackspace = 127
-	keyUnknown   = 0xd800 /* UTF-16 surrogate area */ + iota
-	keyUp
-	keyDown
-	keyLeft
-	keyRight
-	keyAltLeft
-	keyAltRight
-	keyHome
-	keyEnd
-	keyDeleteWord
-	keyDeleteLine
-	keyClearScreen
-	keyPasteStart
-	keyPasteEnd
-)
-
-var (
-	crlf       = []byte{'\r', '\n'}
-	pasteStart = []byte{keyEscape, '[', '2', '0', '0', '~'}
-	pasteEnd   = []byte{keyEscape, '[', '2', '0', '1', '~'}
-)
-
-// bytesToKey tries to parse a key sequence from b. If successful, it returns
-// the key and the remainder of the input. Otherwise it returns utf8.RuneError.
-func bytesToKey(b []byte, pasteActive bool) (rune, []byte) {
-	if len(b) == 0 {
-		return utf8.RuneError, nil
-	}
-
-	if !pasteActive {
-		switch b[0] {
-		case 1: // ^A
-			return keyHome, b[1:]
-		case 5: // ^E
-			return keyEnd, b[1:]
-		case 8: // ^H
-			return keyBackspace, b[1:]
-		case 11: // ^K
-			return keyDeleteLine, b[1:]
-		case 12: // ^L
-			return keyClearScreen, b[1:]
-		case 23: // ^W
-			return keyDeleteWord, b[1:]
-		}
-	}
-
-	if b[0] != keyEscape {
-		if !utf8.FullRune(b) {
-			return utf8.RuneError, b
-		}
-		r, l := utf8.DecodeRune(b)
-		return r, b[l:]
-	}
-
-	if !pasteActive && len(b) >= 3 && b[0] == keyEscape && b[1] == '[' {
-		switch b[2] {
-		case 'A':
-			return keyUp, b[3:]
-		case 'B':
-			return keyDown, b[3:]
-		case 'C':
-			return keyRight, b[3:]
-		case 'D':
-			return keyLeft, b[3:]
-		case 'H':
-			return keyHome, b[3:]
-		case 'F':
-			return keyEnd, b[3:]
-		}
-	}
-
-	if !pasteActive && len(b) >= 6 && b[0] == keyEscape && b[1] == '[' && b[2] == '1' && b[3] == ';' && b[4] == '3' {
-		switch b[5] {
-		case 'C':
-			return keyAltRight, b[6:]
-		case 'D':
-			return keyAltLeft, b[6:]
-		}
-	}
-
-	if !pasteActive && len(b) >= 6 && bytes.Equal(b[:6], pasteStart) {
-		return keyPasteStart, b[6:]
-	}
-
-	if pasteActive && len(b) >= 6 && bytes.Equal(b[:6], pasteEnd) {
-		return keyPasteEnd, b[6:]
-	}
-
-	// If we get here then we have a key that we don't recognise, or a
-	// partial sequence. It's not clear how one should find the end of a
-	// sequence without knowing them all, but it seems that [a-zA-Z~] only
-	// appears at the end of a sequence.
-	for i, c := range b[0:] {
-		if c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c == '~' {
-			return keyUnknown, b[i+1:]
-		}
-	}
-
-	return utf8.RuneError, b
-}
-
-// queue appends data to the end of t.outBuf
-func (t *Terminal) queue(data []rune) {
-	t.outBuf = append(t.outBuf, []byte(string(data))...)
-}
-
-var eraseUnderCursor = []rune{' ', keyEscape, '[', 'D'}
-var space = []rune{' '}
-
-func isPrintable(key rune) bool {
-	isInSurrogateArea := key >= 0xd800 && key <= 0xdbff
-	return key >= 32 && !isInSurrogateArea
-}
-
-// moveCursorToPos appends data to t.outBuf which will move the cursor to the
-// given, logical position in the text.
-func (t *Terminal) moveCursorToPos(pos int) {
-	if !t.echo {
-		return
-	}
-
-	x := visualLength(t.prompt) + pos
-	y := x / t.termWidth
-	x = x % t.termWidth
-
-	up := 0
-	if y < t.cursorY {
-		up = t.cursorY - y
-	}
-
-	down := 0
-	if y > t.cursorY {
-		down = y - t.cursorY
-	}
-
-	left := 0
-	if x < t.cursorX {
-		left = t.cursorX - x
-	}
-
-	right := 0
-	if x > t.cursorX {
-		right = x - t.cursorX
-	}
-
-	t.cursorX = x
-	t.cursorY = y
-	t.move(up, down, left, right)
-}
-
-func (t *Terminal) move(up, down, left, right int) {
-	movement := make([]rune, 3*(up+down+left+right))
-	m := movement
-	for i := 0; i < up; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'A'
-		m = m[3:]
-	}
-	for i := 0; i < down; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'B'
-		m = m[3:]
-	}
-	for i := 0; i < left; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'D'
-		m = m[3:]
-	}
-	for i := 0; i < right; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'C'
-		m = m[3:]
-	}
-
-	t.queue(movement)
-}
-
-func (t *Terminal) clearLineToRight() {
-	op := []rune{keyEscape, '[', 'K'}
-	t.queue(op)
-}
-
-const maxLineLength = 4096
-
-func (t *Terminal) setLine(newLine []rune, newPos int) {
-	if t.echo {
-		t.moveCursorToPos(0)
-		t.writeLine(newLine)
-		for i := len(newLine); i < len(t.line); i++ {
-			t.writeLine(space)
-		}
-		t.moveCursorToPos(newPos)
-	}
-	t.line = newLine
-	t.pos = newPos
-}
-
-func (t *Terminal) advanceCursor(places int) {
-	t.cursorX += places
-	t.cursorY += t.cursorX / t.termWidth
-	if t.cursorY > t.maxLine {
-		t.maxLine = t.cursorY
-	}
-	t.cursorX = t.cursorX % t.termWidth
-
-	if places > 0 && t.cursorX == 0 {
-		// Normally terminals will advance the current position
-		// when writing a character. But that doesn't happen
-		// for the last character in a line. However, when
-		// writing a character (except a new line) that causes
-		// a line wrap, the position will be advanced two
-		// places.
-		//
-		// So, if we are stopping at the end of a line, we
-		// need to write a newline so that our cursor can be
-		// advanced to the next line.
-		t.outBuf = append(t.outBuf, '\r', '\n')
-	}
-}
-
-func (t *Terminal) eraseNPreviousChars(n int) {
-	if n == 0 {
-		return
-	}
-
-	if t.pos < n {
-		n = t.pos
-	}
-	t.pos -= n
-	t.moveCursorToPos(t.pos)
-
-	copy(t.line[t.pos:], t.line[n+t.pos:])
-	t.line = t.line[:len(t.line)-n]
-	if t.echo {
-		t.writeLine(t.line[t.pos:])
-		for i := 0; i < n; i++ {
-			t.queue(space)
-		}
-		t.advanceCursor(n)
-		t.moveCursorToPos(t.pos)
-	}
-}
-
-// countToLeftWord returns then number of characters from the cursor to the
-// start of the previous word.
-func (t *Terminal) countToLeftWord() int {
-	if t.pos == 0 {
-		return 0
-	}
-
-	pos := t.pos - 1
-	for pos > 0 {
-		if t.line[pos] != ' ' {
-			break
-		}
-		pos--
-	}
-	for pos > 0 {
-		if t.line[pos] == ' ' {
-			pos++
-			break
-		}
-		pos--
-	}
-
-	return t.pos - pos
-}
-
-// countToRightWord returns then number of characters from the cursor to the
-// start of the next word.
-func (t *Terminal) countToRightWord() int {
-	pos := t.pos
-	for pos < len(t.line) {
-		if t.line[pos] == ' ' {
-			break
-		}
-		pos++
-	}
-	for pos < len(t.line) {
-		if t.line[pos] != ' ' {
-			break
-		}
-		pos++
-	}
-	return pos - t.pos
-}
-
-// visualLength returns the number of visible glyphs in s.
-func visualLength(runes []rune) int {
-	inEscapeSeq := false
-	length := 0
-
-	for _, r := range runes {
-		switch {
-		case inEscapeSeq:
-			if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') {
-				inEscapeSeq = false
-			}
-		case r == '\x1b':
-			inEscapeSeq = true
-		default:
-			length++
-		}
-	}
-
-	return length
-}
-
-// handleKey processes the given key and, optionally, returns a line of text
-// that the user has entered.
-func (t *Terminal) handleKey(key rune) (line string, ok bool) {
-	if t.pasteActive && key != keyEnter {
-		t.addKeyToLine(key)
-		return
-	}
-
-	switch key {
-	case keyBackspace:
-		if t.pos == 0 {
-			return
-		}
-		t.eraseNPreviousChars(1)
-	case keyAltLeft:
-		// move left by a word.
-		t.pos -= t.countToLeftWord()
-		t.moveCursorToPos(t.pos)
-	case keyAltRight:
-		// move right by a word.
-		t.pos += t.countToRightWord()
-		t.moveCursorToPos(t.pos)
-	case keyLeft:
-		if t.pos == 0 {
-			return
-		}
-		t.pos--
-		t.moveCursorToPos(t.pos)
-	case keyRight:
-		if t.pos == len(t.line) {
-			return
-		}
-		t.pos++
-		t.moveCursorToPos(t.pos)
-	case keyHome:
-		if t.pos == 0 {
-			return
-		}
-		t.pos = 0
-		t.moveCursorToPos(t.pos)
-	case keyEnd:
-		if t.pos == len(t.line) {
-			return
-		}
-		t.pos = len(t.line)
-		t.moveCursorToPos(t.pos)
-	case keyUp:
-		entry, ok := t.history.NthPreviousEntry(t.historyIndex + 1)
-		if !ok {
-			return "", false
-		}
-		if t.historyIndex == -1 {
-			t.historyPending = string(t.line)
-		}
-		t.historyIndex++
-		runes := []rune(entry)
-		t.setLine(runes, len(runes))
-	case keyDown:
-		switch t.historyIndex {
-		case -1:
-			return
-		case 0:
-			runes := []rune(t.historyPending)
-			t.setLine(runes, len(runes))
-			t.historyIndex--
-		default:
-			entry, ok := t.history.NthPreviousEntry(t.historyIndex - 1)
-			if ok {
-				t.historyIndex--
-				runes := []rune(entry)
-				t.setLine(runes, len(runes))
-			}
-		}
-	case keyEnter:
-		t.moveCursorToPos(len(t.line))
-		t.queue([]rune("\r\n"))
-		line = string(t.line)
-		ok = true
-		t.line = t.line[:0]
-		t.pos = 0
-		t.cursorX = 0
-		t.cursorY = 0
-		t.maxLine = 0
-	case keyDeleteWord:
-		// Delete zero or more spaces and then one or more characters.
-		t.eraseNPreviousChars(t.countToLeftWord())
-	case keyDeleteLine:
-		// Delete everything from the current cursor position to the
-		// end of line.
-		for i := t.pos; i < len(t.line); i++ {
-			t.queue(space)
-			t.advanceCursor(1)
-		}
-		t.line = t.line[:t.pos]
-		t.moveCursorToPos(t.pos)
-	case keyCtrlD:
-		// Erase the character under the current position.
-		// The EOF case when the line is empty is handled in
-		// readLine().
-		if t.pos < len(t.line) {
-			t.pos++
-			t.eraseNPreviousChars(1)
-		}
-	case keyCtrlU:
-		t.eraseNPreviousChars(t.pos)
-	case keyClearScreen:
-		// Erases the screen and moves the cursor to the home position.
-		t.queue([]rune("\x1b[2J\x1b[H"))
-		t.queue(t.prompt)
-		t.cursorX, t.cursorY = 0, 0
-		t.advanceCursor(visualLength(t.prompt))
-		t.setLine(t.line, t.pos)
-	default:
-		if t.AutoCompleteCallback != nil {
-			prefix := string(t.line[:t.pos])
-			suffix := string(t.line[t.pos:])
-
-			t.lock.Unlock()
-			newLine, newPos, completeOk := t.AutoCompleteCallback(prefix+suffix, len(prefix), key)
-			t.lock.Lock()
-
-			if completeOk {
-				t.setLine([]rune(newLine), utf8.RuneCount([]byte(newLine)[:newPos]))
-				return
-			}
-		}
-		if !isPrintable(key) {
-			return
-		}
-		if len(t.line) == maxLineLength {
-			return
-		}
-		t.addKeyToLine(key)
-	}
-	return
-}
-
-// addKeyToLine inserts the given key at the current position in the current
-// line.
-func (t *Terminal) addKeyToLine(key rune) {
-	if len(t.line) == cap(t.line) {
-		newLine := make([]rune, len(t.line), 2*(1+len(t.line)))
-		copy(newLine, t.line)
-		t.line = newLine
-	}
-	t.line = t.line[:len(t.line)+1]
-	copy(t.line[t.pos+1:], t.line[t.pos:])
-	t.line[t.pos] = key
-	if t.echo {
-		t.writeLine(t.line[t.pos:])
-	}
-	t.pos++
-	t.moveCursorToPos(t.pos)
-}
-
-func (t *Terminal) writeLine(line []rune) {
-	for len(line) != 0 {
-		remainingOnLine := t.termWidth - t.cursorX
-		todo := len(line)
-		if todo > remainingOnLine {
-			todo = remainingOnLine
-		}
-		t.queue(line[:todo])
-		t.advanceCursor(visualLength(line[:todo]))
-		line = line[todo:]
-	}
-}
-
-// writeWithCRLF writes buf to w but replaces all occurrences of \n with \r\n.
-func writeWithCRLF(w io.Writer, buf []byte) (n int, err error) {
-	for len(buf) > 0 {
-		i := bytes.IndexByte(buf, '\n')
-		todo := len(buf)
-		if i >= 0 {
-			todo = i
-		}
-
-		var nn int
-		nn, err = w.Write(buf[:todo])
-		n += nn
-		if err != nil {
-			return n, err
-		}
-		buf = buf[todo:]
-
-		if i >= 0 {
-			if _, err = w.Write(crlf); err != nil {
-				return n, err
-			}
-			n++
-			buf = buf[1:]
-		}
-	}
-
-	return n, nil
-}
-
-func (t *Terminal) Write(buf []byte) (n int, err error) {
-	t.lock.Lock()
-	defer t.lock.Unlock()
-
-	if t.cursorX == 0 && t.cursorY == 0 {
-		// This is the easy case: there's nothing on the screen that we
-		// have to move out of the way.
-		return writeWithCRLF(t.c, buf)
-	}
-
-	// We have a prompt and possibly user input on the screen. We
-	// have to clear it first.
-	t.move(0 /* up */, 0 /* down */, t.cursorX /* left */, 0 /* right */)
-	t.cursorX = 0
-	t.clearLineToRight()
-
-	for t.cursorY > 0 {
-		t.move(1 /* up */, 0, 0, 0)
-		t.cursorY--
-		t.clearLineToRight()
-	}
-
-	if _, err = t.c.Write(t.outBuf); err != nil {
-		return
-	}
-	t.outBuf = t.outBuf[:0]
-
-	if n, err = writeWithCRLF(t.c, buf); err != nil {
-		return
-	}
-
-	t.writeLine(t.prompt)
-	if t.echo {
-		t.writeLine(t.line)
-	}
-
-	t.moveCursorToPos(t.pos)
-
-	if _, err = t.c.Write(t.outBuf); err != nil {
-		return
-	}
-	t.outBuf = t.outBuf[:0]
-	return
-}
-
-// ReadPassword temporarily changes the prompt and reads a password, without
-// echo, from the terminal.
-func (t *Terminal) ReadPassword(prompt string) (line string, err error) {
-	t.lock.Lock()
-	defer t.lock.Unlock()
-
-	oldPrompt := t.prompt
-	t.prompt = []rune(prompt)
-	t.echo = false
-
-	line, err = t.readLine()
-
-	t.prompt = oldPrompt
-	t.echo = true
-
-	return
-}
-
-// ReadLine returns a line of input from the terminal.
-func (t *Terminal) ReadLine() (line string, err error) {
-	t.lock.Lock()
-	defer t.lock.Unlock()
-
-	return t.readLine()
-}
-
-func (t *Terminal) readLine() (line string, err error) {
-	// t.lock must be held at this point
-
-	if t.cursorX == 0 && t.cursorY == 0 {
-		t.writeLine(t.prompt)
-		t.c.Write(t.outBuf)
-		t.outBuf = t.outBuf[:0]
-	}
-
-	lineIsPasted := t.pasteActive
-
-	for {
-		rest := t.remainder
-		lineOk := false
-		for !lineOk {
-			var key rune
-			key, rest = bytesToKey(rest, t.pasteActive)
-			if key == utf8.RuneError {
-				break
-			}
-			if !t.pasteActive {
-				if key == keyCtrlD {
-					if len(t.line) == 0 {
-						return "", io.EOF
-					}
-				}
-				if key == keyPasteStart {
-					t.pasteActive = true
-					if len(t.line) == 0 {
-						lineIsPasted = true
-					}
-					continue
-				}
-			} else if key == keyPasteEnd {
-				t.pasteActive = false
-				continue
-			}
-			if !t.pasteActive {
-				lineIsPasted = false
-			}
-			line, lineOk = t.handleKey(key)
-		}
-		if len(rest) > 0 {
-			n := copy(t.inBuf[:], rest)
-			t.remainder = t.inBuf[:n]
-		} else {
-			t.remainder = nil
-		}
-		t.c.Write(t.outBuf)
-		t.outBuf = t.outBuf[:0]
-		if lineOk {
-			if t.echo {
-				t.historyIndex = -1
-				t.history.Add(line)
-			}
-			if lineIsPasted {
-				err = ErrPasteIndicator
-			}
-			return
-		}
-
-		// t.remainder is a slice at the beginning of t.inBuf
-		// containing a partial key sequence
-		readBuf := t.inBuf[len(t.remainder):]
-		var n int
-
-		t.lock.Unlock()
-		n, err = t.c.Read(readBuf)
-		t.lock.Lock()
-
-		if err != nil {
-			return
-		}
-
-		t.remainder = t.inBuf[:n+len(t.remainder)]
-	}
-}
-
-// SetPrompt sets the prompt to be used when reading subsequent lines.
-func (t *Terminal) SetPrompt(prompt string) {
-	t.lock.Lock()
-	defer t.lock.Unlock()
-
-	t.prompt = []rune(prompt)
-}
-
-func (t *Terminal) clearAndRepaintLinePlusNPrevious(numPrevLines int) {
-	// Move cursor to column zero at the start of the line.
-	t.move(t.cursorY, 0, t.cursorX, 0)
-	t.cursorX, t.cursorY = 0, 0
-	t.clearLineToRight()
-	for t.cursorY < numPrevLines {
-		// Move down a line
-		t.move(0, 1, 0, 0)
-		t.cursorY++
-		t.clearLineToRight()
-	}
-	// Move back to beginning.
-	t.move(t.cursorY, 0, 0, 0)
-	t.cursorX, t.cursorY = 0, 0
-
-	t.queue(t.prompt)
-	t.advanceCursor(visualLength(t.prompt))
-	t.writeLine(t.line)
-	t.moveCursorToPos(t.pos)
-}
-
-func (t *Terminal) SetSize(width, height int) error {
-	t.lock.Lock()
-	defer t.lock.Unlock()
-
-	if width == 0 {
-		width = 1
-	}
-
-	oldWidth := t.termWidth
-	t.termWidth, t.termHeight = width, height
-
-	switch {
-	case width == oldWidth:
-		// If the width didn't change then nothing else needs to be
-		// done.
-		return nil
-	case len(t.line) == 0 && t.cursorX == 0 && t.cursorY == 0:
-		// If there is nothing on current line and no prompt printed,
-		// just do nothing
-		return nil
-	case width < oldWidth:
-		// Some terminals (e.g. xterm) will truncate lines that were
-		// too long when shinking. Others, (e.g. gnome-terminal) will
-		// attempt to wrap them. For the former, repainting t.maxLine
-		// works great, but that behaviour goes badly wrong in the case
-		// of the latter because they have doubled every full line.
-
-		// We assume that we are working on a terminal that wraps lines
-		// and adjust the cursor position based on every previous line
-		// wrapping and turning into two. This causes the prompt on
-		// xterms to move upwards, which isn't great, but it avoids a
-		// huge mess with gnome-terminal.
-		if t.cursorX >= t.termWidth {
-			t.cursorX = t.termWidth - 1
-		}
-		t.cursorY *= 2
-		t.clearAndRepaintLinePlusNPrevious(t.maxLine * 2)
-	case width > oldWidth:
-		// If the terminal expands then our position calculations will
-		// be wrong in the future because we think the cursor is
-		// |t.pos| chars into the string, but there will be a gap at
-		// the end of any wrapped line.
-		//
-		// But the position will actually be correct until we move, so
-		// we can move back to the beginning and repaint everything.
-		t.clearAndRepaintLinePlusNPrevious(t.maxLine)
-	}
-
-	_, err := t.c.Write(t.outBuf)
-	t.outBuf = t.outBuf[:0]
-	return err
-}
-
-type pasteIndicatorError struct{}
-
-func (pasteIndicatorError) Error() string {
-	return "terminal: ErrPasteIndicator not correctly handled"
-}
-
-// ErrPasteIndicator may be returned from ReadLine as the error, in addition
-// to valid line data. It indicates that bracketed paste mode is enabled and
-// that the returned line consists only of pasted data. Programs may wish to
-// interpret pasted data more literally than typed data.
-var ErrPasteIndicator = pasteIndicatorError{}
-
-// SetBracketedPasteMode requests that the terminal bracket paste operations
-// with markers. Not all terminals support this but, if it is supported, then
-// enabling this mode will stop any autocomplete callback from running due to
-// pastes. Additionally, any lines that are completely pasted will be returned
-// from ReadLine with the error set to ErrPasteIndicator.
-func (t *Terminal) SetBracketedPasteMode(on bool) {
-	if on {
-		io.WriteString(t.c, "\x1b[?2004h")
-	} else {
-		io.WriteString(t.c, "\x1b[?2004l")
-	}
-}
-
-// stRingBuffer is a ring buffer of strings.
-type stRingBuffer struct {
-	// entries contains max elements.
-	entries []string
-	max     int
-	// head contains the index of the element most recently added to the ring.
-	head int
-	// size contains the number of elements in the ring.
-	size int
-}
-
-func (s *stRingBuffer) Add(a string) {
-	if s.entries == nil {
-		const defaultNumEntries = 100
-		s.entries = make([]string, defaultNumEntries)
-		s.max = defaultNumEntries
-	}
-
-	s.head = (s.head + 1) % s.max
-	s.entries[s.head] = a
-	if s.size < s.max {
-		s.size++
-	}
-}
-
-// NthPreviousEntry returns the value passed to the nth previous call to Add.
-// If n is zero then the immediately prior value is returned, if one, then the
-// next most recent, and so on. If such an element doesn't exist then ok is
-// false.
-func (s *stRingBuffer) NthPreviousEntry(n int) (value string, ok bool) {
-	if n >= s.size {
-		return "", false
-	}
-	index := s.head - n
-	if index < 0 {
-		index += s.max
-	}
-	return s.entries[index], true
-}
-
-// readPasswordLine reads from reader until it finds \n or io.EOF.
-// The slice returned does not include the \n.
-// readPasswordLine also ignores any \r it finds.
-func readPasswordLine(reader io.Reader) ([]byte, error) {
-	var buf [1]byte
-	var ret []byte
-
-	for {
-		n, err := reader.Read(buf[:])
-		if n > 0 {
-			switch buf[0] {
-			case '\n':
-				return ret, nil
-			case '\r':
-				// remove \r from passwords on Windows
-			default:
-				ret = append(ret, buf[0])
-			}
-			continue
-		}
-		if err != nil {
-			if err == io.EOF && len(ret) > 0 {
-				return ret, nil
-			}
-			return ret, err
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/terminal_test.go b/vendor/golang.org/x/crypto/ssh/terminal/terminal_test.go
deleted file mode 100644
index 901c72ab..00000000
--- a/vendor/golang.org/x/crypto/ssh/terminal/terminal_test.go
+++ /dev/null
@@ -1,350 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package terminal
-
-import (
-	"bytes"
-	"io"
-	"os"
-	"testing"
-)
-
-type MockTerminal struct {
-	toSend       []byte
-	bytesPerRead int
-	received     []byte
-}
-
-func (c *MockTerminal) Read(data []byte) (n int, err error) {
-	n = len(data)
-	if n == 0 {
-		return
-	}
-	if n > len(c.toSend) {
-		n = len(c.toSend)
-	}
-	if n == 0 {
-		return 0, io.EOF
-	}
-	if c.bytesPerRead > 0 && n > c.bytesPerRead {
-		n = c.bytesPerRead
-	}
-	copy(data, c.toSend[:n])
-	c.toSend = c.toSend[n:]
-	return
-}
-
-func (c *MockTerminal) Write(data []byte) (n int, err error) {
-	c.received = append(c.received, data...)
-	return len(data), nil
-}
-
-func TestClose(t *testing.T) {
-	c := &MockTerminal{}
-	ss := NewTerminal(c, "> ")
-	line, err := ss.ReadLine()
-	if line != "" {
-		t.Errorf("Expected empty line but got: %s", line)
-	}
-	if err != io.EOF {
-		t.Errorf("Error should have been EOF but got: %s", err)
-	}
-}
-
-var keyPressTests = []struct {
-	in             string
-	line           string
-	err            error
-	throwAwayLines int
-}{
-	{
-		err: io.EOF,
-	},
-	{
-		in:   "\r",
-		line: "",
-	},
-	{
-		in:   "foo\r",
-		line: "foo",
-	},
-	{
-		in:   "a\x1b[Cb\r", // right
-		line: "ab",
-	},
-	{
-		in:   "a\x1b[Db\r", // left
-		line: "ba",
-	},
-	{
-		in:   "a\177b\r", // backspace
-		line: "b",
-	},
-	{
-		in: "\x1b[A\r", // up
-	},
-	{
-		in: "\x1b[B\r", // down
-	},
-	{
-		in:   "line\x1b[A\x1b[B\r", // up then down
-		line: "line",
-	},
-	{
-		in:             "line1\rline2\x1b[A\r", // recall previous line.
-		line:           "line1",
-		throwAwayLines: 1,
-	},
-	{
-		// recall two previous lines and append.
-		in:             "line1\rline2\rline3\x1b[A\x1b[Axxx\r",
-		line:           "line1xxx",
-		throwAwayLines: 2,
-	},
-	{
-		// Ctrl-A to move to beginning of line followed by ^K to kill
-		// line.
-		in:   "a b \001\013\r",
-		line: "",
-	},
-	{
-		// Ctrl-A to move to beginning of line, Ctrl-E to move to end,
-		// finally ^K to kill nothing.
-		in:   "a b \001\005\013\r",
-		line: "a b ",
-	},
-	{
-		in:   "\027\r",
-		line: "",
-	},
-	{
-		in:   "a\027\r",
-		line: "",
-	},
-	{
-		in:   "a \027\r",
-		line: "",
-	},
-	{
-		in:   "a b\027\r",
-		line: "a ",
-	},
-	{
-		in:   "a b \027\r",
-		line: "a ",
-	},
-	{
-		in:   "one two thr\x1b[D\027\r",
-		line: "one two r",
-	},
-	{
-		in:   "\013\r",
-		line: "",
-	},
-	{
-		in:   "a\013\r",
-		line: "a",
-	},
-	{
-		in:   "ab\x1b[D\013\r",
-		line: "a",
-	},
-	{
-		in:   "Ξεσκεπάζω\r",
-		line: "Ξεσκεπάζω",
-	},
-	{
-		in:             "£\r\x1b[A\177\r", // non-ASCII char, enter, up, backspace.
-		line:           "",
-		throwAwayLines: 1,
-	},
-	{
-		in:             "£\r££\x1b[A\x1b[B\177\r", // non-ASCII char, enter, 2x non-ASCII, up, down, backspace, enter.
-		line:           "£",
-		throwAwayLines: 1,
-	},
-	{
-		// Ctrl-D at the end of the line should be ignored.
-		in:   "a\004\r",
-		line: "a",
-	},
-	{
-		// a, b, left, Ctrl-D should erase the b.
-		in:   "ab\x1b[D\004\r",
-		line: "a",
-	},
-	{
-		// a, b, c, d, left, left, ^U should erase to the beginning of
-		// the line.
-		in:   "abcd\x1b[D\x1b[D\025\r",
-		line: "cd",
-	},
-	{
-		// Bracketed paste mode: control sequences should be returned
-		// verbatim in paste mode.
-		in:   "abc\x1b[200~de\177f\x1b[201~\177\r",
-		line: "abcde\177",
-	},
-	{
-		// Enter in bracketed paste mode should still work.
-		in:             "abc\x1b[200~d\refg\x1b[201~h\r",
-		line:           "efgh",
-		throwAwayLines: 1,
-	},
-	{
-		// Lines consisting entirely of pasted data should be indicated as such.
-		in:   "\x1b[200~a\r",
-		line: "a",
-		err:  ErrPasteIndicator,
-	},
-}
-
-func TestKeyPresses(t *testing.T) {
-	for i, test := range keyPressTests {
-		for j := 1; j < len(test.in); j++ {
-			c := &MockTerminal{
-				toSend:       []byte(test.in),
-				bytesPerRead: j,
-			}
-			ss := NewTerminal(c, "> ")
-			for k := 0; k < test.throwAwayLines; k++ {
-				_, err := ss.ReadLine()
-				if err != nil {
-					t.Errorf("Throwaway line %d from test %d resulted in error: %s", k, i, err)
-				}
-			}
-			line, err := ss.ReadLine()
-			if line != test.line {
-				t.Errorf("Line resulting from test %d (%d bytes per read) was '%s', expected '%s'", i, j, line, test.line)
-				break
-			}
-			if err != test.err {
-				t.Errorf("Error resulting from test %d (%d bytes per read) was '%v', expected '%v'", i, j, err, test.err)
-				break
-			}
-		}
-	}
-}
-
-func TestPasswordNotSaved(t *testing.T) {
-	c := &MockTerminal{
-		toSend:       []byte("password\r\x1b[A\r"),
-		bytesPerRead: 1,
-	}
-	ss := NewTerminal(c, "> ")
-	pw, _ := ss.ReadPassword("> ")
-	if pw != "password" {
-		t.Fatalf("failed to read password, got %s", pw)
-	}
-	line, _ := ss.ReadLine()
-	if len(line) > 0 {
-		t.Fatalf("password was saved in history")
-	}
-}
-
-var setSizeTests = []struct {
-	width, height int
-}{
-	{40, 13},
-	{80, 24},
-	{132, 43},
-}
-
-func TestTerminalSetSize(t *testing.T) {
-	for _, setSize := range setSizeTests {
-		c := &MockTerminal{
-			toSend:       []byte("password\r\x1b[A\r"),
-			bytesPerRead: 1,
-		}
-		ss := NewTerminal(c, "> ")
-		ss.SetSize(setSize.width, setSize.height)
-		pw, _ := ss.ReadPassword("Password: ")
-		if pw != "password" {
-			t.Fatalf("failed to read password, got %s", pw)
-		}
-		if string(c.received) != "Password: \r\n" {
-			t.Errorf("failed to set the temporary prompt expected %q, got %q", "Password: ", c.received)
-		}
-	}
-}
-
-func TestReadPasswordLineEnd(t *testing.T) {
-	var tests = []struct {
-		input string
-		want  string
-	}{
-		{"\n", ""},
-		{"\r\n", ""},
-		{"test\r\n", "test"},
-		{"testtesttesttes\n", "testtesttesttes"},
-		{"testtesttesttes\r\n", "testtesttesttes"},
-		{"testtesttesttesttest\n", "testtesttesttesttest"},
-		{"testtesttesttesttest\r\n", "testtesttesttesttest"},
-	}
-	for _, test := range tests {
-		buf := new(bytes.Buffer)
-		if _, err := buf.WriteString(test.input); err != nil {
-			t.Fatal(err)
-		}
-
-		have, err := readPasswordLine(buf)
-		if err != nil {
-			t.Errorf("readPasswordLine(%q) failed: %v", test.input, err)
-			continue
-		}
-		if string(have) != test.want {
-			t.Errorf("readPasswordLine(%q) returns %q, but %q is expected", test.input, string(have), test.want)
-			continue
-		}
-
-		if _, err = buf.WriteString(test.input); err != nil {
-			t.Fatal(err)
-		}
-		have, err = readPasswordLine(buf)
-		if err != nil {
-			t.Errorf("readPasswordLine(%q) failed: %v", test.input, err)
-			continue
-		}
-		if string(have) != test.want {
-			t.Errorf("readPasswordLine(%q) returns %q, but %q is expected", test.input, string(have), test.want)
-			continue
-		}
-	}
-}
-
-func TestMakeRawState(t *testing.T) {
-	fd := int(os.Stdout.Fd())
-	if !IsTerminal(fd) {
-		t.Skip("stdout is not a terminal; skipping test")
-	}
-
-	st, err := GetState(fd)
-	if err != nil {
-		t.Fatalf("failed to get terminal state from GetState: %s", err)
-	}
-	defer Restore(fd, st)
-	raw, err := MakeRaw(fd)
-	if err != nil {
-		t.Fatalf("failed to get terminal state from MakeRaw: %s", err)
-	}
-
-	if *st != *raw {
-		t.Errorf("states do not match; was %v, expected %v", raw, st)
-	}
-}
-
-func TestOutputNewlines(t *testing.T) {
-	// \n should be changed to \r\n in terminal output.
-	buf := new(bytes.Buffer)
-	term := NewTerminal(buf, ">")
-
-	term.Write([]byte("1\n2\n"))
-	output := string(buf.Bytes())
-	const expected = "1\r\n2\r\n"
-
-	if output != expected {
-		t.Errorf("incorrect output: was %q, expected %q", output, expected)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/util.go b/vendor/golang.org/x/crypto/ssh/terminal/util.go
deleted file mode 100644
index 02dad484..00000000
--- a/vendor/golang.org/x/crypto/ssh/terminal/util.go
+++ /dev/null
@@ -1,116 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux,!appengine netbsd openbsd
-
-// Package terminal provides support functions for dealing with terminals, as
-// commonly found on UNIX systems.
-//
-// Putting a terminal into raw mode is the most common requirement:
-//
-// 	oldState, err := terminal.MakeRaw(0)
-// 	if err != nil {
-// 	        panic(err)
-// 	}
-// 	defer terminal.Restore(0, oldState)
-package terminal // import "golang.org/x/crypto/ssh/terminal"
-
-import (
-	"golang.org/x/sys/unix"
-)
-
-// State contains the state of a terminal.
-type State struct {
-	termios unix.Termios
-}
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal(fd int) bool {
-	_, err := unix.IoctlGetTermios(fd, ioctlReadTermios)
-	return err == nil
-}
-
-// MakeRaw put the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-func MakeRaw(fd int) (*State, error) {
-	termios, err := unix.IoctlGetTermios(fd, ioctlReadTermios)
-	if err != nil {
-		return nil, err
-	}
-
-	oldState := State{termios: *termios}
-
-	// This attempts to replicate the behaviour documented for cfmakeraw in
-	// the termios(3) manpage.
-	termios.Iflag &^= unix.IGNBRK | unix.BRKINT | unix.PARMRK | unix.ISTRIP | unix.INLCR | unix.IGNCR | unix.ICRNL | unix.IXON
-	termios.Oflag &^= unix.OPOST
-	termios.Lflag &^= unix.ECHO | unix.ECHONL | unix.ICANON | unix.ISIG | unix.IEXTEN
-	termios.Cflag &^= unix.CSIZE | unix.PARENB
-	termios.Cflag |= unix.CS8
-	termios.Cc[unix.VMIN] = 1
-	termios.Cc[unix.VTIME] = 0
-	if err := unix.IoctlSetTermios(fd, ioctlWriteTermios, termios); err != nil {
-		return nil, err
-	}
-
-	return &oldState, nil
-}
-
-// GetState returns the current state of a terminal which may be useful to
-// restore the terminal after a signal.
-func GetState(fd int) (*State, error) {
-	termios, err := unix.IoctlGetTermios(fd, ioctlReadTermios)
-	if err != nil {
-		return nil, err
-	}
-
-	return &State{termios: *termios}, nil
-}
-
-// Restore restores the terminal connected to the given file descriptor to a
-// previous state.
-func Restore(fd int, state *State) error {
-	return unix.IoctlSetTermios(fd, ioctlWriteTermios, &state.termios)
-}
-
-// GetSize returns the dimensions of the given terminal.
-func GetSize(fd int) (width, height int, err error) {
-	ws, err := unix.IoctlGetWinsize(fd, unix.TIOCGWINSZ)
-	if err != nil {
-		return -1, -1, err
-	}
-	return int(ws.Col), int(ws.Row), nil
-}
-
-// passwordReader is an io.Reader that reads from a specific file descriptor.
-type passwordReader int
-
-func (r passwordReader) Read(buf []byte) (int, error) {
-	return unix.Read(int(r), buf)
-}
-
-// ReadPassword reads a line of input from a terminal without local echo.  This
-// is commonly used for inputting passwords and other sensitive data. The slice
-// returned does not include the \n.
-func ReadPassword(fd int) ([]byte, error) {
-	termios, err := unix.IoctlGetTermios(fd, ioctlReadTermios)
-	if err != nil {
-		return nil, err
-	}
-
-	newState := *termios
-	newState.Lflag &^= unix.ECHO
-	newState.Lflag |= unix.ICANON | unix.ISIG
-	newState.Iflag |= unix.ICRNL
-	if err := unix.IoctlSetTermios(fd, ioctlWriteTermios, &newState); err != nil {
-		return nil, err
-	}
-
-	defer func() {
-		unix.IoctlSetTermios(fd, ioctlWriteTermios, termios)
-	}()
-
-	return readPasswordLine(passwordReader(fd))
-}
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/util_bsd.go b/vendor/golang.org/x/crypto/ssh/terminal/util_bsd.go
deleted file mode 100644
index cb23a590..00000000
--- a/vendor/golang.org/x/crypto/ssh/terminal/util_bsd.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd netbsd openbsd
-
-package terminal
-
-import "golang.org/x/sys/unix"
-
-const ioctlReadTermios = unix.TIOCGETA
-const ioctlWriteTermios = unix.TIOCSETA
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/util_linux.go b/vendor/golang.org/x/crypto/ssh/terminal/util_linux.go
deleted file mode 100644
index 5fadfe8a..00000000
--- a/vendor/golang.org/x/crypto/ssh/terminal/util_linux.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package terminal
-
-import "golang.org/x/sys/unix"
-
-const ioctlReadTermios = unix.TCGETS
-const ioctlWriteTermios = unix.TCSETS
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/util_plan9.go b/vendor/golang.org/x/crypto/ssh/terminal/util_plan9.go
deleted file mode 100644
index 799f049f..00000000
--- a/vendor/golang.org/x/crypto/ssh/terminal/util_plan9.go
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package terminal provides support functions for dealing with terminals, as
-// commonly found on UNIX systems.
-//
-// Putting a terminal into raw mode is the most common requirement:
-//
-// 	oldState, err := terminal.MakeRaw(0)
-// 	if err != nil {
-// 	        panic(err)
-// 	}
-// 	defer terminal.Restore(0, oldState)
-package terminal
-
-import (
-	"fmt"
-	"runtime"
-)
-
-type State struct{}
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal(fd int) bool {
-	return false
-}
-
-// MakeRaw put the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-func MakeRaw(fd int) (*State, error) {
-	return nil, fmt.Errorf("terminal: MakeRaw not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
-}
-
-// GetState returns the current state of a terminal which may be useful to
-// restore the terminal after a signal.
-func GetState(fd int) (*State, error) {
-	return nil, fmt.Errorf("terminal: GetState not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
-}
-
-// Restore restores the terminal connected to the given file descriptor to a
-// previous state.
-func Restore(fd int, state *State) error {
-	return fmt.Errorf("terminal: Restore not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
-}
-
-// GetSize returns the dimensions of the given terminal.
-func GetSize(fd int) (width, height int, err error) {
-	return 0, 0, fmt.Errorf("terminal: GetSize not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
-}
-
-// ReadPassword reads a line of input from a terminal without local echo.  This
-// is commonly used for inputting passwords and other sensitive data. The slice
-// returned does not include the \n.
-func ReadPassword(fd int) ([]byte, error) {
-	return nil, fmt.Errorf("terminal: ReadPassword not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
-}
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/util_solaris.go b/vendor/golang.org/x/crypto/ssh/terminal/util_solaris.go
deleted file mode 100644
index a2e1b57d..00000000
--- a/vendor/golang.org/x/crypto/ssh/terminal/util_solaris.go
+++ /dev/null
@@ -1,128 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build solaris
-
-package terminal // import "golang.org/x/crypto/ssh/terminal"
-
-import (
-	"golang.org/x/sys/unix"
-	"io"
-	"syscall"
-)
-
-// State contains the state of a terminal.
-type State struct {
-	state *unix.Termios
-}
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal(fd int) bool {
-	_, err := unix.IoctlGetTermio(fd, unix.TCGETA)
-	return err == nil
-}
-
-// ReadPassword reads a line of input from a terminal without local echo.  This
-// is commonly used for inputting passwords and other sensitive data. The slice
-// returned does not include the \n.
-func ReadPassword(fd int) ([]byte, error) {
-	// see also: http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libast/common/uwin/getpass.c
-	val, err := unix.IoctlGetTermios(fd, unix.TCGETS)
-	if err != nil {
-		return nil, err
-	}
-	oldState := *val
-
-	newState := oldState
-	newState.Lflag &^= syscall.ECHO
-	newState.Lflag |= syscall.ICANON | syscall.ISIG
-	newState.Iflag |= syscall.ICRNL
-	err = unix.IoctlSetTermios(fd, unix.TCSETS, &newState)
-	if err != nil {
-		return nil, err
-	}
-
-	defer unix.IoctlSetTermios(fd, unix.TCSETS, &oldState)
-
-	var buf [16]byte
-	var ret []byte
-	for {
-		n, err := syscall.Read(fd, buf[:])
-		if err != nil {
-			return nil, err
-		}
-		if n == 0 {
-			if len(ret) == 0 {
-				return nil, io.EOF
-			}
-			break
-		}
-		if buf[n-1] == '\n' {
-			n--
-		}
-		ret = append(ret, buf[:n]...)
-		if n < len(buf) {
-			break
-		}
-	}
-
-	return ret, nil
-}
-
-// MakeRaw puts the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-// see http://cr.illumos.org/~webrev/andy_js/1060/
-func MakeRaw(fd int) (*State, error) {
-	oldTermiosPtr, err := unix.IoctlGetTermios(fd, unix.TCGETS)
-	if err != nil {
-		return nil, err
-	}
-	oldTermios := *oldTermiosPtr
-
-	newTermios := oldTermios
-	newTermios.Iflag &^= syscall.IGNBRK | syscall.BRKINT | syscall.PARMRK | syscall.ISTRIP | syscall.INLCR | syscall.IGNCR | syscall.ICRNL | syscall.IXON
-	newTermios.Oflag &^= syscall.OPOST
-	newTermios.Lflag &^= syscall.ECHO | syscall.ECHONL | syscall.ICANON | syscall.ISIG | syscall.IEXTEN
-	newTermios.Cflag &^= syscall.CSIZE | syscall.PARENB
-	newTermios.Cflag |= syscall.CS8
-	newTermios.Cc[unix.VMIN] = 1
-	newTermios.Cc[unix.VTIME] = 0
-
-	if err := unix.IoctlSetTermios(fd, unix.TCSETS, &newTermios); err != nil {
-		return nil, err
-	}
-
-	return &State{
-		state: oldTermiosPtr,
-	}, nil
-}
-
-// Restore restores the terminal connected to the given file descriptor to a
-// previous state.
-func Restore(fd int, oldState *State) error {
-	return unix.IoctlSetTermios(fd, unix.TCSETS, oldState.state)
-}
-
-// GetState returns the current state of a terminal which may be useful to
-// restore the terminal after a signal.
-func GetState(fd int) (*State, error) {
-	oldTermiosPtr, err := unix.IoctlGetTermios(fd, unix.TCGETS)
-	if err != nil {
-		return nil, err
-	}
-
-	return &State{
-		state: oldTermiosPtr,
-	}, nil
-}
-
-// GetSize returns the dimensions of the given terminal.
-func GetSize(fd int) (width, height int, err error) {
-	ws, err := unix.IoctlGetWinsize(fd, unix.TIOCGWINSZ)
-	if err != nil {
-		return 0, 0, err
-	}
-	return int(ws.Col), int(ws.Row), nil
-}
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go b/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go
deleted file mode 100644
index 92944f3b..00000000
--- a/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go
+++ /dev/null
@@ -1,97 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build windows
-
-// Package terminal provides support functions for dealing with terminals, as
-// commonly found on UNIX systems.
-//
-// Putting a terminal into raw mode is the most common requirement:
-//
-// 	oldState, err := terminal.MakeRaw(0)
-// 	if err != nil {
-// 	        panic(err)
-// 	}
-// 	defer terminal.Restore(0, oldState)
-package terminal
-
-import (
-	"os"
-
-	"golang.org/x/sys/windows"
-)
-
-type State struct {
-	mode uint32
-}
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal(fd int) bool {
-	var st uint32
-	err := windows.GetConsoleMode(windows.Handle(fd), &st)
-	return err == nil
-}
-
-// MakeRaw put the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-func MakeRaw(fd int) (*State, error) {
-	var st uint32
-	if err := windows.GetConsoleMode(windows.Handle(fd), &st); err != nil {
-		return nil, err
-	}
-	raw := st &^ (windows.ENABLE_ECHO_INPUT | windows.ENABLE_PROCESSED_INPUT | windows.ENABLE_LINE_INPUT | windows.ENABLE_PROCESSED_OUTPUT)
-	if err := windows.SetConsoleMode(windows.Handle(fd), raw); err != nil {
-		return nil, err
-	}
-	return &State{st}, nil
-}
-
-// GetState returns the current state of a terminal which may be useful to
-// restore the terminal after a signal.
-func GetState(fd int) (*State, error) {
-	var st uint32
-	if err := windows.GetConsoleMode(windows.Handle(fd), &st); err != nil {
-		return nil, err
-	}
-	return &State{st}, nil
-}
-
-// Restore restores the terminal connected to the given file descriptor to a
-// previous state.
-func Restore(fd int, state *State) error {
-	return windows.SetConsoleMode(windows.Handle(fd), state.mode)
-}
-
-// GetSize returns the dimensions of the given terminal.
-func GetSize(fd int) (width, height int, err error) {
-	var info windows.ConsoleScreenBufferInfo
-	if err := windows.GetConsoleScreenBufferInfo(windows.Handle(fd), &info); err != nil {
-		return 0, 0, err
-	}
-	return int(info.Size.X), int(info.Size.Y), nil
-}
-
-// ReadPassword reads a line of input from a terminal without local echo.  This
-// is commonly used for inputting passwords and other sensitive data. The slice
-// returned does not include the \n.
-func ReadPassword(fd int) ([]byte, error) {
-	var st uint32
-	if err := windows.GetConsoleMode(windows.Handle(fd), &st); err != nil {
-		return nil, err
-	}
-	old := st
-
-	st &^= (windows.ENABLE_ECHO_INPUT)
-	st |= (windows.ENABLE_PROCESSED_INPUT | windows.ENABLE_LINE_INPUT | windows.ENABLE_PROCESSED_OUTPUT)
-	if err := windows.SetConsoleMode(windows.Handle(fd), st); err != nil {
-		return nil, err
-	}
-
-	defer func() {
-		windows.SetConsoleMode(windows.Handle(fd), old)
-	}()
-
-	return readPasswordLine(os.NewFile(uintptr(fd), "stdin"))
-}
diff --git a/vendor/golang.org/x/crypto/ssh/test/agent_unix_test.go b/vendor/golang.org/x/crypto/ssh/test/agent_unix_test.go
deleted file mode 100644
index f481253c..00000000
--- a/vendor/golang.org/x/crypto/ssh/test/agent_unix_test.go
+++ /dev/null
@@ -1,59 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux netbsd openbsd
-
-package test
-
-import (
-	"bytes"
-	"testing"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/agent"
-)
-
-func TestAgentForward(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	keyring := agent.NewKeyring()
-	if err := keyring.Add(agent.AddedKey{PrivateKey: testPrivateKeys["dsa"]}); err != nil {
-		t.Fatalf("Error adding key: %s", err)
-	}
-	if err := keyring.Add(agent.AddedKey{
-		PrivateKey:       testPrivateKeys["dsa"],
-		ConfirmBeforeUse: true,
-		LifetimeSecs:     3600,
-	}); err != nil {
-		t.Fatalf("Error adding key with constraints: %s", err)
-	}
-	pub := testPublicKeys["dsa"]
-
-	sess, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("NewSession: %v", err)
-	}
-	if err := agent.RequestAgentForwarding(sess); err != nil {
-		t.Fatalf("RequestAgentForwarding: %v", err)
-	}
-
-	if err := agent.ForwardToAgent(conn, keyring); err != nil {
-		t.Fatalf("SetupForwardKeyring: %v", err)
-	}
-	out, err := sess.CombinedOutput("ssh-add -L")
-	if err != nil {
-		t.Fatalf("running ssh-add: %v, out %s", err, out)
-	}
-	key, _, _, _, err := ssh.ParseAuthorizedKey(out)
-	if err != nil {
-		t.Fatalf("ParseAuthorizedKey(%q): %v", out, err)
-	}
-
-	if !bytes.Equal(key.Marshal(), pub.Marshal()) {
-		t.Fatalf("got key %s, want %s", ssh.MarshalAuthorizedKey(key), ssh.MarshalAuthorizedKey(pub))
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/test/banner_test.go b/vendor/golang.org/x/crypto/ssh/test/banner_test.go
deleted file mode 100644
index d3b21ac7..00000000
--- a/vendor/golang.org/x/crypto/ssh/test/banner_test.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux netbsd openbsd
-
-package test
-
-import (
-	"testing"
-)
-
-func TestBannerCallbackAgainstOpenSSH(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-
-	clientConf := clientConfig()
-
-	var receivedBanner string
-	clientConf.BannerCallback = func(message string) error {
-		receivedBanner = message
-		return nil
-	}
-
-	conn := server.Dial(clientConf)
-	defer conn.Close()
-
-	expected := "Server Banner"
-	if receivedBanner != expected {
-		t.Fatalf("got %v; want %v", receivedBanner, expected)
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/test/cert_test.go b/vendor/golang.org/x/crypto/ssh/test/cert_test.go
deleted file mode 100644
index b231dd80..00000000
--- a/vendor/golang.org/x/crypto/ssh/test/cert_test.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux netbsd openbsd
-
-package test
-
-import (
-	"bytes"
-	"crypto/rand"
-	"testing"
-
-	"golang.org/x/crypto/ssh"
-)
-
-// Test both logging in with a cert, and also that the certificate presented by an OpenSSH host can be validated correctly
-func TestCertLogin(t *testing.T) {
-	s := newServer(t)
-	defer s.Shutdown()
-
-	// Use a key different from the default.
-	clientKey := testSigners["dsa"]
-	caAuthKey := testSigners["ecdsa"]
-	cert := &ssh.Certificate{
-		Key:             clientKey.PublicKey(),
-		ValidPrincipals: []string{username()},
-		CertType:        ssh.UserCert,
-		ValidBefore:     ssh.CertTimeInfinity,
-	}
-	if err := cert.SignCert(rand.Reader, caAuthKey); err != nil {
-		t.Fatalf("SetSignature: %v", err)
-	}
-
-	certSigner, err := ssh.NewCertSigner(cert, clientKey)
-	if err != nil {
-		t.Fatalf("NewCertSigner: %v", err)
-	}
-
-	conf := &ssh.ClientConfig{
-		User: username(),
-		HostKeyCallback: (&ssh.CertChecker{
-			IsHostAuthority: func(pk ssh.PublicKey, addr string) bool {
-				return bytes.Equal(pk.Marshal(), testPublicKeys["ca"].Marshal())
-			},
-		}).CheckHostKey,
-	}
-	conf.Auth = append(conf.Auth, ssh.PublicKeys(certSigner))
-
-	for _, test := range []struct {
-		addr    string
-		succeed bool
-	}{
-		{addr: "host.example.com:22", succeed: true},
-		{addr: "host.example.com:10000", succeed: true}, // non-standard port must be OK
-		{addr: "host.example.com", succeed: false},      // port must be specified
-		{addr: "host.ex4mple.com:22", succeed: false},   // wrong host
-	} {
-		client, err := s.TryDialWithAddr(conf, test.addr)
-
-		// Always close client if opened successfully
-		if err == nil {
-			client.Close()
-		}
-
-		// Now evaluate whether the test failed or passed
-		if test.succeed {
-			if err != nil {
-				t.Fatalf("TryDialWithAddr: %v", err)
-			}
-		} else {
-			if err == nil {
-				t.Fatalf("TryDialWithAddr, unexpected success")
-			}
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/test/dial_unix_test.go b/vendor/golang.org/x/crypto/ssh/test/dial_unix_test.go
deleted file mode 100644
index 091e48cc..00000000
--- a/vendor/golang.org/x/crypto/ssh/test/dial_unix_test.go
+++ /dev/null
@@ -1,128 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !windows
-
-package test
-
-// direct-tcpip and direct-streamlocal functional tests
-
-import (
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net"
-	"strings"
-	"testing"
-)
-
-type dialTester interface {
-	TestServerConn(t *testing.T, c net.Conn)
-	TestClientConn(t *testing.T, c net.Conn)
-}
-
-func testDial(t *testing.T, n, listenAddr string, x dialTester) {
-	server := newServer(t)
-	defer server.Shutdown()
-	sshConn := server.Dial(clientConfig())
-	defer sshConn.Close()
-
-	l, err := net.Listen(n, listenAddr)
-	if err != nil {
-		t.Fatalf("Listen: %v", err)
-	}
-	defer l.Close()
-
-	testData := fmt.Sprintf("hello from %s, %s", n, listenAddr)
-	go func() {
-		for {
-			c, err := l.Accept()
-			if err != nil {
-				break
-			}
-			x.TestServerConn(t, c)
-
-			io.WriteString(c, testData)
-			c.Close()
-		}
-	}()
-
-	conn, err := sshConn.Dial(n, l.Addr().String())
-	if err != nil {
-		t.Fatalf("Dial: %v", err)
-	}
-	x.TestClientConn(t, conn)
-	defer conn.Close()
-	b, err := ioutil.ReadAll(conn)
-	if err != nil {
-		t.Fatalf("ReadAll: %v", err)
-	}
-	t.Logf("got %q", string(b))
-	if string(b) != testData {
-		t.Fatalf("expected %q, got %q", testData, string(b))
-	}
-}
-
-type tcpDialTester struct {
-	listenAddr string
-}
-
-func (x *tcpDialTester) TestServerConn(t *testing.T, c net.Conn) {
-	host := strings.Split(x.listenAddr, ":")[0]
-	prefix := host + ":"
-	if !strings.HasPrefix(c.LocalAddr().String(), prefix) {
-		t.Fatalf("expected to start with %q, got %q", prefix, c.LocalAddr().String())
-	}
-	if !strings.HasPrefix(c.RemoteAddr().String(), prefix) {
-		t.Fatalf("expected to start with %q, got %q", prefix, c.RemoteAddr().String())
-	}
-}
-
-func (x *tcpDialTester) TestClientConn(t *testing.T, c net.Conn) {
-	// we use zero addresses. see *Client.Dial.
-	if c.LocalAddr().String() != "0.0.0.0:0" {
-		t.Fatalf("expected \"0.0.0.0:0\", got %q", c.LocalAddr().String())
-	}
-	if c.RemoteAddr().String() != "0.0.0.0:0" {
-		t.Fatalf("expected \"0.0.0.0:0\", got %q", c.RemoteAddr().String())
-	}
-}
-
-func TestDialTCP(t *testing.T) {
-	x := &tcpDialTester{
-		listenAddr: "127.0.0.1:0",
-	}
-	testDial(t, "tcp", x.listenAddr, x)
-}
-
-type unixDialTester struct {
-	listenAddr string
-}
-
-func (x *unixDialTester) TestServerConn(t *testing.T, c net.Conn) {
-	if c.LocalAddr().String() != x.listenAddr {
-		t.Fatalf("expected %q, got %q", x.listenAddr, c.LocalAddr().String())
-	}
-	if c.RemoteAddr().String() != "@" {
-		t.Fatalf("expected \"@\", got %q", c.RemoteAddr().String())
-	}
-}
-
-func (x *unixDialTester) TestClientConn(t *testing.T, c net.Conn) {
-	if c.RemoteAddr().String() != x.listenAddr {
-		t.Fatalf("expected %q, got %q", x.listenAddr, c.RemoteAddr().String())
-	}
-	if c.LocalAddr().String() != "@" {
-		t.Fatalf("expected \"@\", got %q", c.LocalAddr().String())
-	}
-}
-
-func TestDialUnix(t *testing.T) {
-	addr, cleanup := newTempSocket(t)
-	defer cleanup()
-	x := &unixDialTester{
-		listenAddr: addr,
-	}
-	testDial(t, "unix", x.listenAddr, x)
-}
diff --git a/vendor/golang.org/x/crypto/ssh/test/doc.go b/vendor/golang.org/x/crypto/ssh/test/doc.go
deleted file mode 100644
index 198f0ca1..00000000
--- a/vendor/golang.org/x/crypto/ssh/test/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package test contains integration tests for the
-// golang.org/x/crypto/ssh package.
-package test // import "golang.org/x/crypto/ssh/test"
diff --git a/vendor/golang.org/x/crypto/ssh/test/forward_unix_test.go b/vendor/golang.org/x/crypto/ssh/test/forward_unix_test.go
deleted file mode 100644
index ea819378..00000000
--- a/vendor/golang.org/x/crypto/ssh/test/forward_unix_test.go
+++ /dev/null
@@ -1,194 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux netbsd openbsd
-
-package test
-
-import (
-	"bytes"
-	"io"
-	"io/ioutil"
-	"math/rand"
-	"net"
-	"testing"
-	"time"
-)
-
-type closeWriter interface {
-	CloseWrite() error
-}
-
-func testPortForward(t *testing.T, n, listenAddr string) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	sshListener, err := conn.Listen(n, listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	go func() {
-		sshConn, err := sshListener.Accept()
-		if err != nil {
-			t.Fatalf("listen.Accept failed: %v", err)
-		}
-
-		_, err = io.Copy(sshConn, sshConn)
-		if err != nil && err != io.EOF {
-			t.Fatalf("ssh client copy: %v", err)
-		}
-		sshConn.Close()
-	}()
-
-	forwardedAddr := sshListener.Addr().String()
-	netConn, err := net.Dial(n, forwardedAddr)
-	if err != nil {
-		t.Fatalf("net dial failed: %v", err)
-	}
-
-	readChan := make(chan []byte)
-	go func() {
-		data, _ := ioutil.ReadAll(netConn)
-		readChan <- data
-	}()
-
-	// Invent some data.
-	data := make([]byte, 100*1000)
-	for i := range data {
-		data[i] = byte(i % 255)
-	}
-
-	var sent []byte
-	for len(sent) < 1000*1000 {
-		// Send random sized chunks
-		m := rand.Intn(len(data))
-		n, err := netConn.Write(data[:m])
-		if err != nil {
-			break
-		}
-		sent = append(sent, data[:n]...)
-	}
-	if err := netConn.(closeWriter).CloseWrite(); err != nil {
-		t.Errorf("netConn.CloseWrite: %v", err)
-	}
-
-	read := <-readChan
-
-	if len(sent) != len(read) {
-		t.Fatalf("got %d bytes, want %d", len(read), len(sent))
-	}
-	if bytes.Compare(sent, read) != 0 {
-		t.Fatalf("read back data does not match")
-	}
-
-	if err := sshListener.Close(); err != nil {
-		t.Fatalf("sshListener.Close: %v", err)
-	}
-
-	// Check that the forward disappeared.
-	netConn, err = net.Dial(n, forwardedAddr)
-	if err == nil {
-		netConn.Close()
-		t.Errorf("still listening to %s after closing", forwardedAddr)
-	}
-}
-
-func TestPortForwardTCP(t *testing.T) {
-	testPortForward(t, "tcp", "localhost:0")
-}
-
-func TestPortForwardUnix(t *testing.T) {
-	addr, cleanup := newTempSocket(t)
-	defer cleanup()
-	testPortForward(t, "unix", addr)
-}
-
-func testAcceptClose(t *testing.T, n, listenAddr string) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-
-	sshListener, err := conn.Listen(n, listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	quit := make(chan error, 1)
-	go func() {
-		for {
-			c, err := sshListener.Accept()
-			if err != nil {
-				quit <- err
-				break
-			}
-			c.Close()
-		}
-	}()
-	sshListener.Close()
-
-	select {
-	case <-time.After(1 * time.Second):
-		t.Errorf("timeout: listener did not close.")
-	case err := <-quit:
-		t.Logf("quit as expected (error %v)", err)
-	}
-}
-
-func TestAcceptCloseTCP(t *testing.T) {
-	testAcceptClose(t, "tcp", "localhost:0")
-}
-
-func TestAcceptCloseUnix(t *testing.T) {
-	addr, cleanup := newTempSocket(t)
-	defer cleanup()
-	testAcceptClose(t, "unix", addr)
-}
-
-// Check that listeners exit if the underlying client transport dies.
-func testPortForwardConnectionClose(t *testing.T, n, listenAddr string) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-
-	sshListener, err := conn.Listen(n, listenAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	quit := make(chan error, 1)
-	go func() {
-		for {
-			c, err := sshListener.Accept()
-			if err != nil {
-				quit <- err
-				break
-			}
-			c.Close()
-		}
-	}()
-
-	// It would be even nicer if we closed the server side, but it
-	// is more involved as the fd for that side is dup()ed.
-	server.clientConn.Close()
-
-	select {
-	case <-time.After(1 * time.Second):
-		t.Errorf("timeout: listener did not close.")
-	case err := <-quit:
-		t.Logf("quit as expected (error %v)", err)
-	}
-}
-
-func TestPortForwardConnectionCloseTCP(t *testing.T) {
-	testPortForwardConnectionClose(t, "tcp", "localhost:0")
-}
-
-func TestPortForwardConnectionCloseUnix(t *testing.T) {
-	addr, cleanup := newTempSocket(t)
-	defer cleanup()
-	testPortForwardConnectionClose(t, "unix", addr)
-}
diff --git a/vendor/golang.org/x/crypto/ssh/test/session_test.go b/vendor/golang.org/x/crypto/ssh/test/session_test.go
deleted file mode 100644
index 4eb7afde..00000000
--- a/vendor/golang.org/x/crypto/ssh/test/session_test.go
+++ /dev/null
@@ -1,443 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !windows
-
-package test
-
-// Session functional tests.
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/ssh"
-)
-
-func TestRunCommandSuccess(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-	err = session.Run("true")
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-}
-
-func TestHostKeyCheck(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-
-	conf := clientConfig()
-	hostDB := hostKeyDB()
-	conf.HostKeyCallback = hostDB.Check
-
-	// change the keys.
-	hostDB.keys[ssh.KeyAlgoRSA][25]++
-	hostDB.keys[ssh.KeyAlgoDSA][25]++
-	hostDB.keys[ssh.KeyAlgoECDSA256][25]++
-
-	conn, err := server.TryDial(conf)
-	if err == nil {
-		conn.Close()
-		t.Fatalf("dial should have failed.")
-	} else if !strings.Contains(err.Error(), "host key mismatch") {
-		t.Fatalf("'host key mismatch' not found in %v", err)
-	}
-}
-
-func TestRunCommandStdin(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-
-	r, w := io.Pipe()
-	defer r.Close()
-	defer w.Close()
-	session.Stdin = r
-
-	err = session.Run("true")
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-}
-
-func TestRunCommandStdinError(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-
-	r, w := io.Pipe()
-	defer r.Close()
-	session.Stdin = r
-	pipeErr := errors.New("closing write end of pipe")
-	w.CloseWithError(pipeErr)
-
-	err = session.Run("true")
-	if err != pipeErr {
-		t.Fatalf("expected %v, found %v", pipeErr, err)
-	}
-}
-
-func TestRunCommandFailed(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-	err = session.Run(`bash -c "kill -9 $$"`)
-	if err == nil {
-		t.Fatalf("session succeeded: %v", err)
-	}
-}
-
-func TestRunCommandWeClosed(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	err = session.Shell()
-	if err != nil {
-		t.Fatalf("shell failed: %v", err)
-	}
-	err = session.Close()
-	if err != nil {
-		t.Fatalf("shell failed: %v", err)
-	}
-}
-
-func TestFuncLargeRead(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("unable to create new session: %s", err)
-	}
-
-	stdout, err := session.StdoutPipe()
-	if err != nil {
-		t.Fatalf("unable to acquire stdout pipe: %s", err)
-	}
-
-	err = session.Start("dd if=/dev/urandom bs=2048 count=1024")
-	if err != nil {
-		t.Fatalf("unable to execute remote command: %s", err)
-	}
-
-	buf := new(bytes.Buffer)
-	n, err := io.Copy(buf, stdout)
-	if err != nil {
-		t.Fatalf("error reading from remote stdout: %s", err)
-	}
-
-	if n != 2048*1024 {
-		t.Fatalf("Expected %d bytes but read only %d from remote command", 2048, n)
-	}
-}
-
-func TestKeyChange(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conf := clientConfig()
-	hostDB := hostKeyDB()
-	conf.HostKeyCallback = hostDB.Check
-	conf.RekeyThreshold = 1024
-	conn := server.Dial(conf)
-	defer conn.Close()
-
-	for i := 0; i < 4; i++ {
-		session, err := conn.NewSession()
-		if err != nil {
-			t.Fatalf("unable to create new session: %s", err)
-		}
-
-		stdout, err := session.StdoutPipe()
-		if err != nil {
-			t.Fatalf("unable to acquire stdout pipe: %s", err)
-		}
-
-		err = session.Start("dd if=/dev/urandom bs=1024 count=1")
-		if err != nil {
-			t.Fatalf("unable to execute remote command: %s", err)
-		}
-		buf := new(bytes.Buffer)
-		n, err := io.Copy(buf, stdout)
-		if err != nil {
-			t.Fatalf("error reading from remote stdout: %s", err)
-		}
-
-		want := int64(1024)
-		if n != want {
-			t.Fatalf("Expected %d bytes but read only %d from remote command", want, n)
-		}
-	}
-
-	if changes := hostDB.checkCount; changes < 4 {
-		t.Errorf("got %d key changes, want 4", changes)
-	}
-}
-
-func TestInvalidTerminalMode(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-
-	if err = session.RequestPty("vt100", 80, 40, ssh.TerminalModes{255: 1984}); err == nil {
-		t.Fatalf("req-pty failed: successful request with invalid mode")
-	}
-}
-
-func TestValidTerminalMode(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-
-	stdout, err := session.StdoutPipe()
-	if err != nil {
-		t.Fatalf("unable to acquire stdout pipe: %s", err)
-	}
-
-	stdin, err := session.StdinPipe()
-	if err != nil {
-		t.Fatalf("unable to acquire stdin pipe: %s", err)
-	}
-
-	tm := ssh.TerminalModes{ssh.ECHO: 0}
-	if err = session.RequestPty("xterm", 80, 40, tm); err != nil {
-		t.Fatalf("req-pty failed: %s", err)
-	}
-
-	err = session.Shell()
-	if err != nil {
-		t.Fatalf("session failed: %s", err)
-	}
-
-	stdin.Write([]byte("stty -a && exit\n"))
-
-	var buf bytes.Buffer
-	if _, err := io.Copy(&buf, stdout); err != nil {
-		t.Fatalf("reading failed: %s", err)
-	}
-
-	if sttyOutput := buf.String(); !strings.Contains(sttyOutput, "-echo ") {
-		t.Fatalf("terminal mode failure: expected -echo in stty output, got %s", sttyOutput)
-	}
-}
-
-func TestWindowChange(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-
-	stdout, err := session.StdoutPipe()
-	if err != nil {
-		t.Fatalf("unable to acquire stdout pipe: %s", err)
-	}
-
-	stdin, err := session.StdinPipe()
-	if err != nil {
-		t.Fatalf("unable to acquire stdin pipe: %s", err)
-	}
-
-	tm := ssh.TerminalModes{ssh.ECHO: 0}
-	if err = session.RequestPty("xterm", 80, 40, tm); err != nil {
-		t.Fatalf("req-pty failed: %s", err)
-	}
-
-	if err := session.WindowChange(100, 100); err != nil {
-		t.Fatalf("window-change failed: %s", err)
-	}
-
-	err = session.Shell()
-	if err != nil {
-		t.Fatalf("session failed: %s", err)
-	}
-
-	stdin.Write([]byte("stty size && exit\n"))
-
-	var buf bytes.Buffer
-	if _, err := io.Copy(&buf, stdout); err != nil {
-		t.Fatalf("reading failed: %s", err)
-	}
-
-	if sttyOutput := buf.String(); !strings.Contains(sttyOutput, "100 100") {
-		t.Fatalf("terminal WindowChange failure: expected \"100 100\" stty output, got %s", sttyOutput)
-	}
-}
-
-func testOneCipher(t *testing.T, cipher string, cipherOrder []string) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conf := clientConfig()
-	conf.Ciphers = []string{cipher}
-	// Don't fail if sshd doesn't have the cipher.
-	conf.Ciphers = append(conf.Ciphers, cipherOrder...)
-	conn, err := server.TryDial(conf)
-	if err != nil {
-		t.Fatalf("TryDial: %v", err)
-	}
-	defer conn.Close()
-
-	numBytes := 4096
-
-	// Exercise sending data to the server
-	if _, _, err := conn.Conn.SendRequest("drop-me", false, make([]byte, numBytes)); err != nil {
-		t.Fatalf("SendRequest: %v", err)
-	}
-
-	// Exercise receiving data from the server
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("NewSession: %v", err)
-	}
-
-	out, err := session.Output(fmt.Sprintf("dd if=/dev/zero of=/dev/stdout bs=%d count=1", numBytes))
-	if err != nil {
-		t.Fatalf("Output: %v", err)
-	}
-
-	if len(out) != numBytes {
-		t.Fatalf("got %d bytes, want %d bytes", len(out), numBytes)
-	}
-}
-
-var deprecatedCiphers = []string{
-	"aes128-cbc", "3des-cbc",
-	"arcfour128", "arcfour256",
-}
-
-func TestCiphers(t *testing.T) {
-	var config ssh.Config
-	config.SetDefaults()
-	cipherOrder := append(config.Ciphers, deprecatedCiphers...)
-
-	for _, ciph := range cipherOrder {
-		t.Run(ciph, func(t *testing.T) {
-			testOneCipher(t, ciph, cipherOrder)
-		})
-	}
-}
-
-func TestMACs(t *testing.T) {
-	var config ssh.Config
-	config.SetDefaults()
-	macOrder := config.MACs
-
-	for _, mac := range macOrder {
-		server := newServer(t)
-		defer server.Shutdown()
-		conf := clientConfig()
-		conf.MACs = []string{mac}
-		// Don't fail if sshd doesn't have the MAC.
-		conf.MACs = append(conf.MACs, macOrder...)
-		if conn, err := server.TryDial(conf); err == nil {
-			conn.Close()
-		} else {
-			t.Fatalf("failed for MAC %q", mac)
-		}
-	}
-}
-
-func TestKeyExchanges(t *testing.T) {
-	var config ssh.Config
-	config.SetDefaults()
-	kexOrder := config.KeyExchanges
-	for _, kex := range kexOrder {
-		server := newServer(t)
-		defer server.Shutdown()
-		conf := clientConfig()
-		// Don't fail if sshd doesn't have the kex.
-		conf.KeyExchanges = append([]string{kex}, kexOrder...)
-		conn, err := server.TryDial(conf)
-		if err == nil {
-			conn.Close()
-		} else {
-			t.Errorf("failed for kex %q", kex)
-		}
-	}
-}
-
-func TestClientAuthAlgorithms(t *testing.T) {
-	for _, key := range []string{
-		"rsa",
-		"dsa",
-		"ecdsa",
-		"ed25519",
-	} {
-		server := newServer(t)
-		conf := clientConfig()
-		conf.SetDefaults()
-		conf.Auth = []ssh.AuthMethod{
-			ssh.PublicKeys(testSigners[key]),
-		}
-
-		conn, err := server.TryDial(conf)
-		if err == nil {
-			conn.Close()
-		} else {
-			t.Errorf("failed for key %q", key)
-		}
-
-		server.Shutdown()
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/test/test_unix_test.go b/vendor/golang.org/x/crypto/ssh/test/test_unix_test.go
deleted file mode 100644
index 15b879d3..00000000
--- a/vendor/golang.org/x/crypto/ssh/test/test_unix_test.go
+++ /dev/null
@@ -1,298 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux netbsd openbsd plan9
-
-package test
-
-// functional test harness for unix.
-
-import (
-	"bytes"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net"
-	"os"
-	"os/exec"
-	"os/user"
-	"path/filepath"
-	"testing"
-	"text/template"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-const sshdConfig = `
-Protocol 2
-Banner {{.Dir}}/banner
-HostKey {{.Dir}}/id_rsa
-HostKey {{.Dir}}/id_dsa
-HostKey {{.Dir}}/id_ecdsa
-HostCertificate {{.Dir}}/id_rsa-cert.pub
-Pidfile {{.Dir}}/sshd.pid
-#UsePrivilegeSeparation no
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-SyslogFacility AUTH
-LogLevel DEBUG2
-LoginGraceTime 120
-PermitRootLogin no
-StrictModes no
-RSAAuthentication yes
-PubkeyAuthentication yes
-AuthorizedKeysFile	{{.Dir}}/authorized_keys
-TrustedUserCAKeys {{.Dir}}/id_ecdsa.pub
-IgnoreRhosts yes
-RhostsRSAAuthentication no
-HostbasedAuthentication no
-PubkeyAcceptedKeyTypes=*
-`
-
-var configTmpl = template.Must(template.New("").Parse(sshdConfig))
-
-type server struct {
-	t          *testing.T
-	cleanup    func() // executed during Shutdown
-	configfile string
-	cmd        *exec.Cmd
-	output     bytes.Buffer // holds stderr from sshd process
-
-	// Client half of the network connection.
-	clientConn net.Conn
-}
-
-func username() string {
-	var username string
-	if user, err := user.Current(); err == nil {
-		username = user.Username
-	} else {
-		// user.Current() currently requires cgo. If an error is
-		// returned attempt to get the username from the environment.
-		log.Printf("user.Current: %v; falling back on $USER", err)
-		username = os.Getenv("USER")
-	}
-	if username == "" {
-		panic("Unable to get username")
-	}
-	return username
-}
-
-type storedHostKey struct {
-	// keys map from an algorithm string to binary key data.
-	keys map[string][]byte
-
-	// checkCount counts the Check calls. Used for testing
-	// rekeying.
-	checkCount int
-}
-
-func (k *storedHostKey) Add(key ssh.PublicKey) {
-	if k.keys == nil {
-		k.keys = map[string][]byte{}
-	}
-	k.keys[key.Type()] = key.Marshal()
-}
-
-func (k *storedHostKey) Check(addr string, remote net.Addr, key ssh.PublicKey) error {
-	k.checkCount++
-	algo := key.Type()
-
-	if k.keys == nil || bytes.Compare(key.Marshal(), k.keys[algo]) != 0 {
-		return fmt.Errorf("host key mismatch. Got %q, want %q", key, k.keys[algo])
-	}
-	return nil
-}
-
-func hostKeyDB() *storedHostKey {
-	keyChecker := &storedHostKey{}
-	keyChecker.Add(testPublicKeys["ecdsa"])
-	keyChecker.Add(testPublicKeys["rsa"])
-	keyChecker.Add(testPublicKeys["dsa"])
-	return keyChecker
-}
-
-func clientConfig() *ssh.ClientConfig {
-	config := &ssh.ClientConfig{
-		User: username(),
-		Auth: []ssh.AuthMethod{
-			ssh.PublicKeys(testSigners["user"]),
-		},
-		HostKeyCallback: hostKeyDB().Check,
-		HostKeyAlgorithms: []string{ // by default, don't allow certs as this affects the hostKeyDB checker
-			ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521,
-			ssh.KeyAlgoRSA, ssh.KeyAlgoDSA,
-			ssh.KeyAlgoED25519,
-		},
-	}
-	return config
-}
-
-// unixConnection creates two halves of a connected net.UnixConn.  It
-// is used for connecting the Go SSH client with sshd without opening
-// ports.
-func unixConnection() (*net.UnixConn, *net.UnixConn, error) {
-	dir, err := ioutil.TempDir("", "unixConnection")
-	if err != nil {
-		return nil, nil, err
-	}
-	defer os.Remove(dir)
-
-	addr := filepath.Join(dir, "ssh")
-	listener, err := net.Listen("unix", addr)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer listener.Close()
-	c1, err := net.Dial("unix", addr)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	c2, err := listener.Accept()
-	if err != nil {
-		c1.Close()
-		return nil, nil, err
-	}
-
-	return c1.(*net.UnixConn), c2.(*net.UnixConn), nil
-}
-
-func (s *server) TryDial(config *ssh.ClientConfig) (*ssh.Client, error) {
-	return s.TryDialWithAddr(config, "")
-}
-
-// addr is the user specified host:port. While we don't actually dial it,
-// we need to know this for host key matching
-func (s *server) TryDialWithAddr(config *ssh.ClientConfig, addr string) (*ssh.Client, error) {
-	sshd, err := exec.LookPath("sshd")
-	if err != nil {
-		s.t.Skipf("skipping test: %v", err)
-	}
-
-	c1, c2, err := unixConnection()
-	if err != nil {
-		s.t.Fatalf("unixConnection: %v", err)
-	}
-
-	s.cmd = exec.Command(sshd, "-f", s.configfile, "-i", "-e")
-	f, err := c2.File()
-	if err != nil {
-		s.t.Fatalf("UnixConn.File: %v", err)
-	}
-	defer f.Close()
-	s.cmd.Stdin = f
-	s.cmd.Stdout = f
-	s.cmd.Stderr = &s.output
-	if err := s.cmd.Start(); err != nil {
-		s.t.Fail()
-		s.Shutdown()
-		s.t.Fatalf("s.cmd.Start: %v", err)
-	}
-	s.clientConn = c1
-	conn, chans, reqs, err := ssh.NewClientConn(c1, addr, config)
-	if err != nil {
-		return nil, err
-	}
-	return ssh.NewClient(conn, chans, reqs), nil
-}
-
-func (s *server) Dial(config *ssh.ClientConfig) *ssh.Client {
-	conn, err := s.TryDial(config)
-	if err != nil {
-		s.t.Fail()
-		s.Shutdown()
-		s.t.Fatalf("ssh.Client: %v", err)
-	}
-	return conn
-}
-
-func (s *server) Shutdown() {
-	if s.cmd != nil && s.cmd.Process != nil {
-		// Don't check for errors; if it fails it's most
-		// likely "os: process already finished", and we don't
-		// care about that. Use os.Interrupt, so child
-		// processes are killed too.
-		s.cmd.Process.Signal(os.Interrupt)
-		s.cmd.Wait()
-	}
-	if s.t.Failed() {
-		// log any output from sshd process
-		s.t.Logf("sshd: %s", s.output.String())
-	}
-	s.cleanup()
-}
-
-func writeFile(path string, contents []byte) {
-	f, err := os.OpenFile(path, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0600)
-	if err != nil {
-		panic(err)
-	}
-	defer f.Close()
-	if _, err := f.Write(contents); err != nil {
-		panic(err)
-	}
-}
-
-// newServer returns a new mock ssh server.
-func newServer(t *testing.T) *server {
-	if testing.Short() {
-		t.Skip("skipping test due to -short")
-	}
-	dir, err := ioutil.TempDir("", "sshtest")
-	if err != nil {
-		t.Fatal(err)
-	}
-	f, err := os.Create(filepath.Join(dir, "sshd_config"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = configTmpl.Execute(f, map[string]string{
-		"Dir": dir,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	f.Close()
-
-	writeFile(filepath.Join(dir, "banner"), []byte("Server Banner"))
-
-	for k, v := range testdata.PEMBytes {
-		filename := "id_" + k
-		writeFile(filepath.Join(dir, filename), v)
-		writeFile(filepath.Join(dir, filename+".pub"), ssh.MarshalAuthorizedKey(testPublicKeys[k]))
-	}
-
-	for k, v := range testdata.SSHCertificates {
-		filename := "id_" + k + "-cert.pub"
-		writeFile(filepath.Join(dir, filename), v)
-	}
-
-	var authkeys bytes.Buffer
-	for k := range testdata.PEMBytes {
-		authkeys.Write(ssh.MarshalAuthorizedKey(testPublicKeys[k]))
-	}
-	writeFile(filepath.Join(dir, "authorized_keys"), authkeys.Bytes())
-
-	return &server{
-		t:          t,
-		configfile: f.Name(),
-		cleanup: func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Error(err)
-			}
-		},
-	}
-}
-
-func newTempSocket(t *testing.T) (string, func()) {
-	dir, err := ioutil.TempDir("", "socket")
-	if err != nil {
-		t.Fatal(err)
-	}
-	deferFunc := func() { os.RemoveAll(dir) }
-	addr := filepath.Join(dir, "sock")
-	return addr, deferFunc
-}
diff --git a/vendor/golang.org/x/crypto/ssh/test/testdata_test.go b/vendor/golang.org/x/crypto/ssh/test/testdata_test.go
deleted file mode 100644
index a053f67e..00000000
--- a/vendor/golang.org/x/crypto/ssh/test/testdata_test.go
+++ /dev/null
@@ -1,64 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// IMPLEMENTATION NOTE: To avoid a package loop, this file is in three places:
-// ssh/, ssh/agent, and ssh/test/. It should be kept in sync across all three
-// instances.
-
-package test
-
-import (
-	"crypto/rand"
-	"fmt"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-var (
-	testPrivateKeys map[string]interface{}
-	testSigners     map[string]ssh.Signer
-	testPublicKeys  map[string]ssh.PublicKey
-)
-
-func init() {
-	var err error
-
-	n := len(testdata.PEMBytes)
-	testPrivateKeys = make(map[string]interface{}, n)
-	testSigners = make(map[string]ssh.Signer, n)
-	testPublicKeys = make(map[string]ssh.PublicKey, n)
-	for t, k := range testdata.PEMBytes {
-		testPrivateKeys[t], err = ssh.ParseRawPrivateKey(k)
-		if err != nil {
-			panic(fmt.Sprintf("Unable to parse test key %s: %v", t, err))
-		}
-		testSigners[t], err = ssh.NewSignerFromKey(testPrivateKeys[t])
-		if err != nil {
-			panic(fmt.Sprintf("Unable to create signer for test key %s: %v", t, err))
-		}
-		testPublicKeys[t] = testSigners[t].PublicKey()
-	}
-
-	// Create a cert and sign it for use in tests.
-	testCert := &ssh.Certificate{
-		Nonce:           []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		ValidPrincipals: []string{"gopher1", "gopher2"}, // increases test coverage
-		ValidAfter:      0,                              // unix epoch
-		ValidBefore:     ssh.CertTimeInfinity,           // The end of currently representable time.
-		Reserved:        []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		Key:             testPublicKeys["ecdsa"],
-		SignatureKey:    testPublicKeys["rsa"],
-		Permissions: ssh.Permissions{
-			CriticalOptions: map[string]string{},
-			Extensions:      map[string]string{},
-		},
-	}
-	testCert.SignCert(rand.Reader, testSigners["rsa"])
-	testPrivateKeys["cert"] = testPrivateKeys["ecdsa"]
-	testSigners["cert"], err = ssh.NewCertSigner(testCert, testSigners["ecdsa"])
-	if err != nil {
-		panic(fmt.Sprintf("Unable to create certificate signer: %v", err))
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/testdata/doc.go b/vendor/golang.org/x/crypto/ssh/testdata/doc.go
deleted file mode 100644
index fcae47ca..00000000
--- a/vendor/golang.org/x/crypto/ssh/testdata/doc.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This package contains test data shared between the various subpackages of
-// the golang.org/x/crypto/ssh package. Under no circumstance should
-// this data be used for production code.
-package testdata // import "golang.org/x/crypto/ssh/testdata"
diff --git a/vendor/golang.org/x/crypto/ssh/testdata/keys.go b/vendor/golang.org/x/crypto/ssh/testdata/keys.go
deleted file mode 100644
index 521b6be9..00000000
--- a/vendor/golang.org/x/crypto/ssh/testdata/keys.go
+++ /dev/null
@@ -1,198 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package testdata
-
-var PEMBytes = map[string][]byte{
-	"dsa": []byte(`-----BEGIN DSA PRIVATE KEY-----
-MIIBuwIBAAKBgQD6PDSEyXiI9jfNs97WuM46MSDCYlOqWw80ajN16AohtBncs1YB
-lHk//dQOvCYOsYaE+gNix2jtoRjwXhDsc25/IqQbU1ahb7mB8/rsaILRGIbA5WH3
-EgFtJmXFovDz3if6F6TzvhFpHgJRmLYVR8cqsezL3hEZOvvs2iH7MorkxwIVAJHD
-nD82+lxh2fb4PMsIiaXudAsBAoGAQRf7Q/iaPRn43ZquUhd6WwvirqUj+tkIu6eV
-2nZWYmXLlqFQKEy4Tejl7Wkyzr2OSYvbXLzo7TNxLKoWor6ips0phYPPMyXld14r
-juhT24CrhOzuLMhDduMDi032wDIZG4Y+K7ElU8Oufn8Sj5Wge8r6ANmmVgmFfynr
-FhdYCngCgYEA3ucGJ93/Mx4q4eKRDxcWD3QzWyqpbRVRRV1Vmih9Ha/qC994nJFz
-DQIdjxDIT2Rk2AGzMqFEB68Zc3O+Wcsmz5eWWzEwFxaTwOGWTyDqsDRLm3fD+QYj
-nOwuxb0Kce+gWI8voWcqC9cyRm09jGzu2Ab3Bhtpg8JJ8L7gS3MRZK4CFEx4UAfY
-Fmsr0W6fHB9nhS4/UXM8
------END DSA PRIVATE KEY-----
-`),
-	"ecdsa": []byte(`-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEINGWx0zo6fhJ/0EAfrPzVFyFC9s18lBt3cRoEDhS3ARooAoGCCqGSM49
-AwEHoUQDQgAEi9Hdw6KvZcWxfg2IDhA7UkpDtzzt6ZqJXSsFdLd+Kx4S3Sx4cVO+
-6/ZOXRnPmNAlLUqjShUsUBBngG0u2fqEqA==
------END EC PRIVATE KEY-----
-`),
-	"ecdsap256": []byte(`-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIAPCE25zK0PQSnsgVcEbM1mbKTASH4pqb5QJajplDwDZoAoGCCqGSM49
-AwEHoUQDQgAEWy8TxGcIHRh5XGpO4dFVfDjeNY+VkgubQrf/eyFJZHxAn1SKraXU
-qJUjTKj1z622OxYtJ5P7s9CfAEVsTzLCzg==
------END EC PRIVATE KEY-----
-`),
-	"ecdsap384": []byte(`-----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDBWfSnMuNKq8J9rQLzzEkx3KAoEohSXqhE/4CdjEYtoU2i22HW80DDS
-qQhYNHRAduygBwYFK4EEACKhZANiAAQWaDMAd0HUd8ZiXCX7mYDDnC54gwH/nG43
-VhCUEYmF7HMZm/B9Yn3GjFk3qYEDEvuF/52+NvUKBKKaLbh32AWxMv0ibcoba4cz
-hL9+hWYhUD9XIUlzMWiZ2y6eBE9PdRI=
------END EC PRIVATE KEY-----
-`),
-	"ecdsap521": []byte(`-----BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrkYpQcy8KTVHNiAkjlFZwee90224Bu6wz94R4OBo+Ts0eoAQG7SF
-iaygEDMUbx6kTgXTBcKZ0jrWPKakayNZ/kigBwYFK4EEACOhgYkDgYYABADFuvLV
-UoaCDGHcw5uNfdRIsvaLKuWSpLsl48eWGZAwdNG432GDVKduO+pceuE+8XzcyJb+
-uMv+D2b11Q/LQUcHJwE6fqbm8m3EtDKPsoKs0u/XUJb0JsH4J8lkZzbUTjvGYamn
-FFlRjzoB3Oxu8UQgb+MWPedtH9XYBbg9biz4jJLkXQ==
------END EC PRIVATE KEY-----
-`),
-	"rsa": []byte(`-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2
-a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8
-Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQIDAQAB
-AoGAJMCk5vqfSRzyXOTXLGIYCuR4Kj6pdsbNSeuuRGfYBeR1F2c/XdFAg7D/8s5R
-38p/Ih52/Ty5S8BfJtwtvgVY9ecf/JlU/rl/QzhG8/8KC0NG7KsyXklbQ7gJT8UT
-Ojmw5QpMk+rKv17ipDVkQQmPaj+gJXYNAHqImke5mm/K/h0CQQDciPmviQ+DOhOq
-2ZBqUfH8oXHgFmp7/6pXw80DpMIxgV3CwkxxIVx6a8lVH9bT/AFySJ6vXq4zTuV9
-6QmZcZzDAkEA2j/UXJPIs1fQ8z/6sONOkU/BjtoePFIWJlRxdN35cZjXnBraX5UR
-fFHkePv4YwqmXNqrBOvSu+w2WdSDci+IKwJAcsPRc/jWmsrJW1q3Ha0hSf/WG/Bu
-X7MPuXaKpP/DkzGoUmb8ks7yqj6XWnYkPNLjCc8izU5vRwIiyWBRf4mxMwJBAILa
-NDvRS0rjwt6lJGv7zPZoqDc65VfrK2aNyHx2PgFyzwrEOtuF57bu7pnvEIxpLTeM
-z26i6XVMeYXAWZMTloMCQBbpGgEERQpeUknLBqUHhg/wXF6+lFA+vEGnkY+Dwab2
-KCXFGd+SQ5GdUcEMe9isUH6DYj/6/yCDoFrXXmpQb+M=
------END RSA PRIVATE KEY-----
-`),
-	"ed25519": []byte(`-----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACA+3f7hS7g5UWwXOGVTrMfhmxyrjqz7Sxxbx7I1j8DvvwAAAJhAFfkOQBX5
-DgAAAAtzc2gtZWQyNTUxOQAAACA+3f7hS7g5UWwXOGVTrMfhmxyrjqz7Sxxbx7I1j8Dvvw
-AAAEAaYmXltfW6nhRo3iWGglRB48lYq0z0Q3I3KyrdutEr6j7d/uFLuDlRbBc4ZVOsx+Gb
-HKuOrPtLHFvHsjWPwO+/AAAAE2dhcnRvbm1AZ2FydG9ubS14cHMBAg==
------END OPENSSH PRIVATE KEY-----
-`),
-	"rsa-openssh-format": []byte(`-----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcn
-NhAAAAAwEAAQAAAIEAwa48yfWFi3uIdqzuf9X7C2Zxfea/Iaaw0zIwHudpF8U92WVIiC5l
-oEuW1+OaVi3UWfIEjWMV1tHGysrHOwtwc34BPCJqJknUQO/KtDTBTJ4Pryhw1bWPC999Lz
-a+yrCTdNQYBzoROXKExZgPFh9pTMi5wqpHDuOQ2qZFIEI3lT0AAAIQWL0H31i9B98AAAAH
-c3NoLXJzYQAAAIEAwa48yfWFi3uIdqzuf9X7C2Zxfea/Iaaw0zIwHudpF8U92WVIiC5loE
-uW1+OaVi3UWfIEjWMV1tHGysrHOwtwc34BPCJqJknUQO/KtDTBTJ4Pryhw1bWPC999Lza+
-yrCTdNQYBzoROXKExZgPFh9pTMi5wqpHDuOQ2qZFIEI3lT0AAAADAQABAAAAgCThyTGsT4
-IARDxVMhWl6eiB2ZrgFgWSeJm/NOqtppWgOebsIqPMMg4UVuVFsl422/lE3RkPhVkjGXgE
-pWvZAdCnmLmApK8wK12vF334lZhZT7t3Z9EzJps88PWEHo7kguf285HcnUM7FlFeissJdk
-kXly34y7/3X/a6Tclm+iABAAAAQE0xR/KxZ39slwfMv64Rz7WKk1PPskaryI29aHE3mKHk
-pY2QA+P3QlrKxT/VWUMjHUbNNdYfJm48xu0SGNMRdKMAAABBAORh2NP/06JUV3J9W/2Hju
-X1ViJuqqcQnJPVzpgSL826EC2xwOECTqoY8uvFpUdD7CtpksIxNVqRIhuNOlz0lqEAAABB
-ANkaHTTaPojClO0dKJ/Zjs7pWOCGliebBYprQ/Y4r9QLBkC/XaWMS26gFIrjgC7D2Rv+rZ
-wSD0v0RcmkITP1ZR0AAAAYcHF1ZXJuYUBMdWNreUh5ZHJvLmxvY2FsAQID
------END OPENSSH PRIVATE KEY-----`),
-	"user": []byte(`-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEILYCAeq8f7V4vSSypRw7pxy8yz3V5W4qg8kSC3zJhqpQoAoGCCqGSM49
-AwEHoUQDQgAEYcO2xNKiRUYOLEHM7VYAp57HNyKbOdYtHD83Z4hzNPVC4tM5mdGD
-PLL8IEwvYu2wq+lpXfGQnNMbzYf9gspG0w==
------END EC PRIVATE KEY-----
-`),
-	"ca": []byte(`-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAvg9dQ9IRG59lYJb+GESfKWTch4yBpr7Ydw1jkK6vvtrx9jLo
-5hkA8X6+ElRPRqTAZSlN5cBm6YCAcQIOsmXDUn6Oj1lVPQAoOjTBTvsjM3NjGhvv
-52kHTY0nsMsBeY9q5DTtlzmlYkVUq2a6Htgf2mNi01dIw5fJ7uTTo8EbNf7O0i3u
-c9a8P19HaZl5NKiWN4EIZkfB2WdXYRJCVBsGgQj3dE/GrEmH9QINq1A+GkNvK96u
-vZm8H1jjmuqzHplWa7lFeXcx8FTVTbVb/iJrZ2Lc/JvIPitKZWhqbR59yrGjpwEp
-Id7bo4WhO5L3OB0fSIJYvfu+o4WYnt4f3UzecwIDAQABAoIBABRD9yHgKErVuC2Q
-bA+SYZY8VvdtF/X7q4EmQFORDNRA7EPgMc03JU6awRGbQ8i4kHs46EFzPoXvWcKz
-AXYsO6N0Myc900Tp22A5d9NAHATEbPC/wdje7hRq1KyZONMJY9BphFv3nZbY5apR
-Dc90JBFZP5RhXjTc3n9GjvqLAKfFEKVmPRCvqxCOZunw6XR+SgIQLJo36nsIsbhW
-QUXIVaCI6cXMN8bRPm8EITdBNZu06Fpu4ZHm6VaxlXN9smERCDkgBSNXNWHKxmmA
-c3Glo2DByUr2/JFBOrLEe9fkYgr24KNCQkHVcSaFxEcZvTggr7StjKISVHlCNEaB
-7Q+kPoECgYEA3zE9FmvFGoQCU4g4Nl3dpQHs6kaAW8vJlrmq3xsireIuaJoa2HMe
-wYdIvgCnK9DIjyxd5OWnE4jXtAEYPsyGD32B5rSLQrRO96lgb3f4bESCLUb3Bsn/
-sdgeE3p1xZMA0B59htqCrvVgN9k8WxyevBxYl3/gSBm/p8OVH1RTW/ECgYEA2f9Z
-95OLj0KQHQtxQXf+I3VjhCw3LkLW39QZOXVI0QrCJfqqP7uxsJXH9NYX0l0GFTcR
-kRrlyoaSU1EGQosZh+n1MvplGBTkTSV47/bPsTzFpgK2NfEZuFm9RoWgltS+nYeH
-Y2k4mnAN3PhReCMwuprmJz8GRLsO3Cs2s2YylKMCgYEA2UX+uO/q7jgqZ5UJW+ue
-1H5+W0aMuFA3i7JtZEnvRaUVFqFGlwXin/WJ2+WY1++k/rPrJ+Rk9IBXtBUIvEGw
-FC5TIfsKQsJyyWgqx/jbbtJ2g4s8+W/1qfTAuqeRNOg5d2DnRDs90wJuS4//0JaY
-9HkHyVwkQyxFxhSA/AHEMJECgYA2MvyFR1O9bIk0D3I7GsA+xKLXa77Ua53MzIjw
-9i4CezBGDQpjCiFli/fI8am+jY5DnAtsDknvjoG24UAzLy5L0mk6IXMdB6SzYYut
-7ak5oahqW+Y9hxIj+XvLmtGQbphtxhJtLu35x75KoBpxSh6FZpmuTEccs31AVCYn
-eFM/DQKBgQDOPUwbLKqVi6ddFGgrV9MrWw+SWsDa43bPuyvYppMM3oqesvyaX1Dt
-qDvN7owaNxNM4OnfKcZr91z8YPVCFo4RbBif3DXRzjNNBlxEjHBtuMOikwvsmucN
-vIrbeEpjTiUMTEAr6PoTiVHjsfS8WAM6MDlF5M+2PNswDsBpa2yLgA==
------END RSA PRIVATE KEY-----
-`),
-}
-
-var SSHCertificates = map[string][]byte{
-	// The following are corresponding certificates for the private keys above, signed by the CA key
-	// Generated by the following commands:
-	//
-	// 1. Assumes "rsa" key above in file named "rsa", write out the public key to "rsa.pub":
-	//    ssh-keygen -y -f rsa > rsa.pu
-	//
-	// 2. Assumes "ca" key above in file named "ca", sign a cert for "rsa.pub":
-	//    ssh-keygen -s ca -h -n host.example.com -V +500w -I host.example.com-key rsa.pub
-	"rsa": []byte(`ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLjYqmmuTSEmjVhSfLQphBSTJMLwIZhRgmpn8FHKLiEIAAAADAQABAAAAgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQAAAAAAAAAAAAAAAgAAABRob3N0LmV4YW1wbGUuY29tLWtleQAAABQAAAAQaG9zdC5leGFtcGxlLmNvbQAAAABZHN8UAAAAAGsjIYUAAAAAAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC+D11D0hEbn2Vglv4YRJ8pZNyHjIGmvth3DWOQrq++2vH2MujmGQDxfr4SVE9GpMBlKU3lwGbpgIBxAg6yZcNSfo6PWVU9ACg6NMFO+yMzc2MaG+/naQdNjSewywF5j2rkNO2XOaViRVSrZroe2B/aY2LTV0jDl8nu5NOjwRs1/s7SLe5z1rw/X0dpmXk0qJY3gQhmR8HZZ1dhEkJUGwaBCPd0T8asSYf1Ag2rUD4aQ28r3q69mbwfWOOa6rMemVZruUV5dzHwVNVNtVv+ImtnYtz8m8g+K0plaGptHn3KsaOnASkh3tujhaE7kvc4HR9Igli9+76jhZie3h/dTN5zAAABDwAAAAdzc2gtcnNhAAABALeDea+60H6xJGhktAyosHaSY7AYzLocaqd8hJQjEIDifBwzoTlnBmcK9CxGhKuaoJFThdCLdaevCeOSuquh8HTkf+2ebZZc/G5T+2thPvPqmcuEcmMosWo+SIjYhbP3S6KD49aLC1X0kz8IBQeauFvURhkZ5ZjhA1L4aQYt9NjL73nqOl8PplRui+Ov5w8b4ldul4zOvYAFrzfcP6wnnXk3c1Zzwwf5wynD5jakO8GpYKBuhM7Z4crzkKSQjU3hla7xqgfomC5Gz4XbR2TNjcQiRrJQ0UlKtX3X3ObRCEhuvG0Kzjklhv+Ddw6txrhKjMjiSi/Yyius/AE8TmC1p4U= host.example.com
-`),
-}
-
-var PEMEncryptedKeys = []struct {
-	Name          string
-	EncryptionKey string
-	PEMBytes      []byte
-}{
-	0: {
-		Name:          "rsa-encrypted",
-		EncryptionKey: "r54-G0pher_t3st$",
-		PEMBytes: []byte(`-----BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,3E1714DE130BC5E81327F36564B05462
-
-MqW88sud4fnWk/Jk3fkjh7ydu51ZkHLN5qlQgA4SkAXORPPMj2XvqZOv1v2LOgUV
-dUevUn8PZK7a9zbZg4QShUSzwE5k6wdB7XKPyBgI39mJ79GBd2U4W3h6KT6jIdWA
-goQpluxkrzr2/X602IaxLEre97FT9mpKC6zxKCLvyFWVIP9n3OSFS47cTTXyFr+l
-7PdRhe60nn6jSBgUNk/Q1lAvEQ9fufdPwDYY93F1wyJ6lOr0F1+mzRrMbH67NyKs
-rG8J1Fa7cIIre7ueKIAXTIne7OAWqpU9UDgQatDtZTbvA7ciqGsSFgiwwW13N+Rr
-hN8MkODKs9cjtONxSKi05s206A3NDU6STtZ3KuPDjFE1gMJODotOuqSM+cxKfyFq
-wxpk/CHYCDdMAVBSwxb/vraOHamylL4uCHpJdBHypzf2HABt+lS8Su23uAmL87DR
-yvyCS/lmpuNTndef6qHPRkoW2EV3xqD3ovosGf7kgwGJUk2ZpCLVteqmYehKlZDK
-r/Jy+J26ooI2jIg9bjvD1PZq+Mv+2dQ1RlDrPG3PB+rEixw6vBaL9x3jatCd4ej7
-XG7lb3qO9xFpLsx89tkEcvpGR+broSpUJ6Mu5LBCVmrvqHjvnDhrZVz1brMiQtU9
-iMZbgXqDLXHd6ERWygk7OTU03u+l1gs+KGMfmS0h0ZYw6KGVLgMnsoxqd6cFSKNB
-8Ohk9ZTZGCiovlXBUepyu8wKat1k8YlHSfIHoRUJRhhcd7DrmojC+bcbMIZBU22T
-Pl2ftVRGtcQY23lYd0NNKfebF7ncjuLWQGy+vZW+7cgfI6wPIbfYfP6g7QAutk6W
-KQx0AoX5woZ6cNxtpIrymaVjSMRRBkKQrJKmRp3pC/lul5E5P2cueMs1fj4OHTbJ
-lAUv88ywr+R+mRgYQlFW/XQ653f6DT4t6+njfO9oBcPrQDASZel3LjXLpjjYG/N5
-+BWnVexuJX9ika8HJiFl55oqaKb+WknfNhk5cPY+x7SDV9ywQeMiDZpr0ffeYAEP
-LlwwiWRDYpO+uwXHSFF3+JjWwjhs8m8g99iFb7U93yKgBB12dCEPPa2ZeH9wUHMJ
-sreYhNuq6f4iWWSXpzN45inQqtTi8jrJhuNLTT543ErW7DtntBO2rWMhff3aiXbn
-Uy3qzZM1nPbuCGuBmP9L2dJ3Z5ifDWB4JmOyWY4swTZGt9AVmUxMIKdZpRONx8vz
-I9u9nbVPGZBcou50Pa0qTLbkWsSL94MNXrARBxzhHC9Zs6XNEtwN7mOuii7uMkVc
-adrxgknBH1J1N+NX/eTKzUwJuPvDtA+Z5ILWNN9wpZT/7ed8zEnKHPNUexyeT5g3
-uw9z9jH7ffGxFYlx87oiVPHGOrCXYZYW5uoZE31SCBkbtNuffNRJRKIFeipmpJ3P
-7bpAG+kGHMelQH6b+5K1Qgsv4tpuSyKeTKpPFH9Av5nN4P1ZBm9N80tzbNWqjSJm
-S7rYdHnuNEVnUGnRmEUMmVuYZnNBEVN/fP2m2SEwXcP3Uh7TiYlcWw10ygaGmOr7
-MvMLGkYgQ4Utwnd98mtqa0jr0hK2TcOSFir3AqVvXN3XJj4cVULkrXe4Im1laWgp
------END RSA PRIVATE KEY-----
-`),
-	},
-
-	1: {
-		Name:          "dsa-encrypted",
-		EncryptionKey: "qG0pher-dsa_t3st$",
-		PEMBytes: []byte(`-----BEGIN DSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7CE7A6E4A647DC01AF860210B15ADE3E
-
-hvnBpI99Hceq/55pYRdOzBLntIEis02JFNXuLEydWL+RJBFDn7tA+vXec0ERJd6J
-G8JXlSOAhmC2H4uK3q2xR8/Y3yL95n6OIcjvCBiLsV+o3jj1MYJmErxP6zRtq4w3
-JjIjGHWmaYFSxPKQ6e8fs74HEqaeMV9ONUoTtB+aISmgaBL15Fcoayg245dkBvVl
-h5Kqspe7yvOBmzA3zjRuxmSCqKJmasXM7mqs3vIrMxZE3XPo1/fWKcPuExgpVQoT
-HkJZEoIEIIPnPMwT2uYbFJSGgPJVMDT84xz7yvjCdhLmqrsXgs5Qw7Pw0i0c0BUJ
-b7fDJ2UhdiwSckWGmIhTLlJZzr8K+JpjCDlP+REYBI5meB7kosBnlvCEHdw2EJkH
-0QDc/2F4xlVrHOLbPRFyu1Oi2Gvbeoo9EsM/DThpd1hKAlb0sF5Y0y0d+owv0PnE
-R/4X3HWfIdOHsDUvJ8xVWZ4BZk9Zk9qol045DcFCehpr/3hslCrKSZHakLt9GI58
-vVQJ4L0aYp5nloLfzhViZtKJXRLkySMKdzYkIlNmW1oVGl7tce5UCNI8Nok4j6yn
-IiHM7GBn+0nJoKTXsOGMIBe3ulKlKVxLjEuk9yivh/8=
------END DSA PRIVATE KEY-----
-`),
-	},
-}
diff --git a/vendor/golang.org/x/crypto/ssh/testdata_test.go b/vendor/golang.org/x/crypto/ssh/testdata_test.go
deleted file mode 100644
index 2da8c79d..00000000
--- a/vendor/golang.org/x/crypto/ssh/testdata_test.go
+++ /dev/null
@@ -1,63 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// IMPLEMENTATION NOTE: To avoid a package loop, this file is in three places:
-// ssh/, ssh/agent, and ssh/test/. It should be kept in sync across all three
-// instances.
-
-package ssh
-
-import (
-	"crypto/rand"
-	"fmt"
-
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-var (
-	testPrivateKeys map[string]interface{}
-	testSigners     map[string]Signer
-	testPublicKeys  map[string]PublicKey
-)
-
-func init() {
-	var err error
-
-	n := len(testdata.PEMBytes)
-	testPrivateKeys = make(map[string]interface{}, n)
-	testSigners = make(map[string]Signer, n)
-	testPublicKeys = make(map[string]PublicKey, n)
-	for t, k := range testdata.PEMBytes {
-		testPrivateKeys[t], err = ParseRawPrivateKey(k)
-		if err != nil {
-			panic(fmt.Sprintf("Unable to parse test key %s: %v", t, err))
-		}
-		testSigners[t], err = NewSignerFromKey(testPrivateKeys[t])
-		if err != nil {
-			panic(fmt.Sprintf("Unable to create signer for test key %s: %v", t, err))
-		}
-		testPublicKeys[t] = testSigners[t].PublicKey()
-	}
-
-	// Create a cert and sign it for use in tests.
-	testCert := &Certificate{
-		Nonce:           []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		ValidPrincipals: []string{"gopher1", "gopher2"}, // increases test coverage
-		ValidAfter:      0,                              // unix epoch
-		ValidBefore:     CertTimeInfinity,               // The end of currently representable time.
-		Reserved:        []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		Key:             testPublicKeys["ecdsa"],
-		SignatureKey:    testPublicKeys["rsa"],
-		Permissions: Permissions{
-			CriticalOptions: map[string]string{},
-			Extensions:      map[string]string{},
-		},
-	}
-	testCert.SignCert(rand.Reader, testSigners["rsa"])
-	testPrivateKeys["cert"] = testPrivateKeys["ecdsa"]
-	testSigners["cert"], err = NewCertSigner(testCert, testSigners["ecdsa"])
-	if err != nil {
-		panic(fmt.Sprintf("Unable to create certificate signer: %v", err))
-	}
-}
diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
deleted file mode 100644
index f6fae1db..00000000
--- a/vendor/golang.org/x/crypto/ssh/transport.go
+++ /dev/null
@@ -1,353 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bufio"
-	"bytes"
-	"errors"
-	"io"
-	"log"
-)
-
-// debugTransport if set, will print packet types as they go over the
-// wire. No message decoding is done, to minimize the impact on timing.
-const debugTransport = false
-
-const (
-	gcmCipherID    = "aes128-gcm@openssh.com"
-	aes128cbcID    = "aes128-cbc"
-	tripledescbcID = "3des-cbc"
-)
-
-// packetConn represents a transport that implements packet based
-// operations.
-type packetConn interface {
-	// Encrypt and send a packet of data to the remote peer.
-	writePacket(packet []byte) error
-
-	// Read a packet from the connection. The read is blocking,
-	// i.e. if error is nil, then the returned byte slice is
-	// always non-empty.
-	readPacket() ([]byte, error)
-
-	// Close closes the write-side of the connection.
-	Close() error
-}
-
-// transport is the keyingTransport that implements the SSH packet
-// protocol.
-type transport struct {
-	reader connectionState
-	writer connectionState
-
-	bufReader *bufio.Reader
-	bufWriter *bufio.Writer
-	rand      io.Reader
-	isClient  bool
-	io.Closer
-}
-
-// packetCipher represents a combination of SSH encryption/MAC
-// protocol.  A single instance should be used for one direction only.
-type packetCipher interface {
-	// writePacket encrypts the packet and writes it to w. The
-	// contents of the packet are generally scrambled.
-	writePacket(seqnum uint32, w io.Writer, rand io.Reader, packet []byte) error
-
-	// readPacket reads and decrypts a packet of data. The
-	// returned packet may be overwritten by future calls of
-	// readPacket.
-	readPacket(seqnum uint32, r io.Reader) ([]byte, error)
-}
-
-// connectionState represents one side (read or write) of the
-// connection. This is necessary because each direction has its own
-// keys, and can even have its own algorithms
-type connectionState struct {
-	packetCipher
-	seqNum           uint32
-	dir              direction
-	pendingKeyChange chan packetCipher
-}
-
-// prepareKeyChange sets up key material for a keychange. The key changes in
-// both directions are triggered by reading and writing a msgNewKey packet
-// respectively.
-func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) error {
-	ciph, err := newPacketCipher(t.reader.dir, algs.r, kexResult)
-	if err != nil {
-		return err
-	}
-	t.reader.pendingKeyChange <- ciph
-
-	ciph, err = newPacketCipher(t.writer.dir, algs.w, kexResult)
-	if err != nil {
-		return err
-	}
-	t.writer.pendingKeyChange <- ciph
-
-	return nil
-}
-
-func (t *transport) printPacket(p []byte, write bool) {
-	if len(p) == 0 {
-		return
-	}
-	who := "server"
-	if t.isClient {
-		who = "client"
-	}
-	what := "read"
-	if write {
-		what = "write"
-	}
-
-	log.Println(what, who, p[0])
-}
-
-// Read and decrypt next packet.
-func (t *transport) readPacket() (p []byte, err error) {
-	for {
-		p, err = t.reader.readPacket(t.bufReader)
-		if err != nil {
-			break
-		}
-		if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) {
-			break
-		}
-	}
-	if debugTransport {
-		t.printPacket(p, false)
-	}
-
-	return p, err
-}
-
-func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
-	packet, err := s.packetCipher.readPacket(s.seqNum, r)
-	s.seqNum++
-	if err == nil && len(packet) == 0 {
-		err = errors.New("ssh: zero length packet")
-	}
-
-	if len(packet) > 0 {
-		switch packet[0] {
-		case msgNewKeys:
-			select {
-			case cipher := <-s.pendingKeyChange:
-				s.packetCipher = cipher
-			default:
-				return nil, errors.New("ssh: got bogus newkeys message")
-			}
-
-		case msgDisconnect:
-			// Transform a disconnect message into an
-			// error. Since this is lowest level at which
-			// we interpret message types, doing it here
-			// ensures that we don't have to handle it
-			// elsewhere.
-			var msg disconnectMsg
-			if err := Unmarshal(packet, &msg); err != nil {
-				return nil, err
-			}
-			return nil, &msg
-		}
-	}
-
-	// The packet may point to an internal buffer, so copy the
-	// packet out here.
-	fresh := make([]byte, len(packet))
-	copy(fresh, packet)
-
-	return fresh, err
-}
-
-func (t *transport) writePacket(packet []byte) error {
-	if debugTransport {
-		t.printPacket(packet, true)
-	}
-	return t.writer.writePacket(t.bufWriter, t.rand, packet)
-}
-
-func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error {
-	changeKeys := len(packet) > 0 && packet[0] == msgNewKeys
-
-	err := s.packetCipher.writePacket(s.seqNum, w, rand, packet)
-	if err != nil {
-		return err
-	}
-	if err = w.Flush(); err != nil {
-		return err
-	}
-	s.seqNum++
-	if changeKeys {
-		select {
-		case cipher := <-s.pendingKeyChange:
-			s.packetCipher = cipher
-		default:
-			panic("ssh: no key material for msgNewKeys")
-		}
-	}
-	return err
-}
-
-func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transport {
-	t := &transport{
-		bufReader: bufio.NewReader(rwc),
-		bufWriter: bufio.NewWriter(rwc),
-		rand:      rand,
-		reader: connectionState{
-			packetCipher:     &streamPacketCipher{cipher: noneCipher{}},
-			pendingKeyChange: make(chan packetCipher, 1),
-		},
-		writer: connectionState{
-			packetCipher:     &streamPacketCipher{cipher: noneCipher{}},
-			pendingKeyChange: make(chan packetCipher, 1),
-		},
-		Closer: rwc,
-	}
-	t.isClient = isClient
-
-	if isClient {
-		t.reader.dir = serverKeys
-		t.writer.dir = clientKeys
-	} else {
-		t.reader.dir = clientKeys
-		t.writer.dir = serverKeys
-	}
-
-	return t
-}
-
-type direction struct {
-	ivTag     []byte
-	keyTag    []byte
-	macKeyTag []byte
-}
-
-var (
-	serverKeys = direction{[]byte{'B'}, []byte{'D'}, []byte{'F'}}
-	clientKeys = direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}}
-)
-
-// setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as
-// described in RFC 4253, section 6.4. direction should either be serverKeys
-// (to setup server->client keys) or clientKeys (for client->server keys).
-func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
-	cipherMode := cipherModes[algs.Cipher]
-	macMode := macModes[algs.MAC]
-
-	iv := make([]byte, cipherMode.ivSize)
-	key := make([]byte, cipherMode.keySize)
-	macKey := make([]byte, macMode.keySize)
-
-	generateKeyMaterial(iv, d.ivTag, kex)
-	generateKeyMaterial(key, d.keyTag, kex)
-	generateKeyMaterial(macKey, d.macKeyTag, kex)
-
-	return cipherModes[algs.Cipher].create(key, iv, macKey, algs)
-}
-
-// generateKeyMaterial fills out with key material generated from tag, K, H
-// and sessionId, as specified in RFC 4253, section 7.2.
-func generateKeyMaterial(out, tag []byte, r *kexResult) {
-	var digestsSoFar []byte
-
-	h := r.Hash.New()
-	for len(out) > 0 {
-		h.Reset()
-		h.Write(r.K)
-		h.Write(r.H)
-
-		if len(digestsSoFar) == 0 {
-			h.Write(tag)
-			h.Write(r.SessionID)
-		} else {
-			h.Write(digestsSoFar)
-		}
-
-		digest := h.Sum(nil)
-		n := copy(out, digest)
-		out = out[n:]
-		if len(out) > 0 {
-			digestsSoFar = append(digestsSoFar, digest...)
-		}
-	}
-}
-
-const packageVersion = "SSH-2.0-Go"
-
-// Sends and receives a version line.  The versionLine string should
-// be US ASCII, start with "SSH-2.0-", and should not include a
-// newline. exchangeVersions returns the other side's version line.
-func exchangeVersions(rw io.ReadWriter, versionLine []byte) (them []byte, err error) {
-	// Contrary to the RFC, we do not ignore lines that don't
-	// start with "SSH-2.0-" to make the library usable with
-	// nonconforming servers.
-	for _, c := range versionLine {
-		// The spec disallows non US-ASCII chars, and
-		// specifically forbids null chars.
-		if c < 32 {
-			return nil, errors.New("ssh: junk character in version line")
-		}
-	}
-	if _, err = rw.Write(append(versionLine, '\r', '\n')); err != nil {
-		return
-	}
-
-	them, err = readVersion(rw)
-	return them, err
-}
-
-// maxVersionStringBytes is the maximum number of bytes that we'll
-// accept as a version string. RFC 4253 section 4.2 limits this at 255
-// chars
-const maxVersionStringBytes = 255
-
-// Read version string as specified by RFC 4253, section 4.2.
-func readVersion(r io.Reader) ([]byte, error) {
-	versionString := make([]byte, 0, 64)
-	var ok bool
-	var buf [1]byte
-
-	for length := 0; length < maxVersionStringBytes; length++ {
-		_, err := io.ReadFull(r, buf[:])
-		if err != nil {
-			return nil, err
-		}
-		// The RFC says that the version should be terminated with \r\n
-		// but several SSH servers actually only send a \n.
-		if buf[0] == '\n' {
-			if !bytes.HasPrefix(versionString, []byte("SSH-")) {
-				// RFC 4253 says we need to ignore all version string lines
-				// except the one containing the SSH version (provided that
-				// all the lines do not exceed 255 bytes in total).
-				versionString = versionString[:0]
-				continue
-			}
-			ok = true
-			break
-		}
-
-		// non ASCII chars are disallowed, but we are lenient,
-		// since Go doesn't use null-terminated strings.
-
-		// The RFC allows a comment after a space, however,
-		// all of it (version and comments) goes into the
-		// session hash.
-		versionString = append(versionString, buf[0])
-	}
-
-	if !ok {
-		return nil, errors.New("ssh: overflow reading version string")
-	}
-
-	// There might be a '\r' on the end which we should remove.
-	if len(versionString) > 0 && versionString[len(versionString)-1] == '\r' {
-		versionString = versionString[:len(versionString)-1]
-	}
-	return versionString, nil
-}
diff --git a/vendor/golang.org/x/crypto/ssh/transport_test.go b/vendor/golang.org/x/crypto/ssh/transport_test.go
deleted file mode 100644
index 8445e1e5..00000000
--- a/vendor/golang.org/x/crypto/ssh/transport_test.go
+++ /dev/null
@@ -1,113 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/rand"
-	"encoding/binary"
-	"strings"
-	"testing"
-)
-
-func TestReadVersion(t *testing.T) {
-	longVersion := strings.Repeat("SSH-2.0-bla", 50)[:253]
-	multiLineVersion := strings.Repeat("ignored\r\n", 20) + "SSH-2.0-bla\r\n"
-	cases := map[string]string{
-		"SSH-2.0-bla\r\n":    "SSH-2.0-bla",
-		"SSH-2.0-bla\n":      "SSH-2.0-bla",
-		multiLineVersion:     "SSH-2.0-bla",
-		longVersion + "\r\n": longVersion,
-	}
-
-	for in, want := range cases {
-		result, err := readVersion(bytes.NewBufferString(in))
-		if err != nil {
-			t.Errorf("readVersion(%q): %s", in, err)
-		}
-		got := string(result)
-		if got != want {
-			t.Errorf("got %q, want %q", got, want)
-		}
-	}
-}
-
-func TestReadVersionError(t *testing.T) {
-	longVersion := strings.Repeat("SSH-2.0-bla", 50)[:253]
-	multiLineVersion := strings.Repeat("ignored\r\n", 50) + "SSH-2.0-bla\r\n"
-	cases := []string{
-		longVersion + "too-long\r\n",
-		multiLineVersion,
-	}
-	for _, in := range cases {
-		if _, err := readVersion(bytes.NewBufferString(in)); err == nil {
-			t.Errorf("readVersion(%q) should have failed", in)
-		}
-	}
-}
-
-func TestExchangeVersionsBasic(t *testing.T) {
-	v := "SSH-2.0-bla"
-	buf := bytes.NewBufferString(v + "\r\n")
-	them, err := exchangeVersions(buf, []byte("xyz"))
-	if err != nil {
-		t.Errorf("exchangeVersions: %v", err)
-	}
-
-	if want := "SSH-2.0-bla"; string(them) != want {
-		t.Errorf("got %q want %q for our version", them, want)
-	}
-}
-
-func TestExchangeVersions(t *testing.T) {
-	cases := []string{
-		"not\x000allowed",
-		"not allowed\x01\r\n",
-	}
-	for _, c := range cases {
-		buf := bytes.NewBufferString("SSH-2.0-bla\r\n")
-		if _, err := exchangeVersions(buf, []byte(c)); err == nil {
-			t.Errorf("exchangeVersions(%q): should have failed", c)
-		}
-	}
-}
-
-type closerBuffer struct {
-	bytes.Buffer
-}
-
-func (b *closerBuffer) Close() error {
-	return nil
-}
-
-func TestTransportMaxPacketWrite(t *testing.T) {
-	buf := &closerBuffer{}
-	tr := newTransport(buf, rand.Reader, true)
-	huge := make([]byte, maxPacket+1)
-	err := tr.writePacket(huge)
-	if err == nil {
-		t.Errorf("transport accepted write for a huge packet.")
-	}
-}
-
-func TestTransportMaxPacketReader(t *testing.T) {
-	var header [5]byte
-	huge := make([]byte, maxPacket+128)
-	binary.BigEndian.PutUint32(header[0:], uint32(len(huge)))
-	// padding.
-	header[4] = 0
-
-	buf := &closerBuffer{}
-	buf.Write(header[:])
-	buf.Write(huge)
-
-	tr := newTransport(buf, rand.Reader, true)
-	_, err := tr.readPacket()
-	if err == nil {
-		t.Errorf("transport succeeded reading huge packet.")
-	} else if !strings.Contains(err.Error(), "large") {
-		t.Errorf("got %q, should mention %q", err.Error(), "large")
-	}
-}
diff --git a/vendor/golang.org/x/crypto/tea/cipher.go b/vendor/golang.org/x/crypto/tea/cipher.go
deleted file mode 100644
index ce223b2c..00000000
--- a/vendor/golang.org/x/crypto/tea/cipher.go
+++ /dev/null
@@ -1,108 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package tea implements the TEA algorithm, as defined in Needham and
-// Wheeler's 1994 technical report, “TEA, a Tiny Encryption Algorithm”. See
-// http://www.cix.co.uk/~klockstone/tea.pdf for details.
-package tea
-
-import (
-	"crypto/cipher"
-	"encoding/binary"
-	"errors"
-)
-
-const (
-	// BlockSize is the size of a TEA block, in bytes.
-	BlockSize = 8
-
-	// KeySize is the size of a TEA key, in bytes.
-	KeySize = 16
-
-	// delta is the TEA key schedule constant.
-	delta = 0x9e3779b9
-
-	// numRounds is the standard number of rounds in TEA.
-	numRounds = 64
-)
-
-// tea is an instance of the TEA cipher with a particular key.
-type tea struct {
-	key    [16]byte
-	rounds int
-}
-
-// NewCipher returns an instance of the TEA cipher with the standard number of
-// rounds. The key argument must be 16 bytes long.
-func NewCipher(key []byte) (cipher.Block, error) {
-	return NewCipherWithRounds(key, numRounds)
-}
-
-// NewCipherWithRounds returns an instance of the TEA cipher with a given
-// number of rounds, which must be even. The key argument must be 16 bytes
-// long.
-func NewCipherWithRounds(key []byte, rounds int) (cipher.Block, error) {
-	if len(key) != 16 {
-		return nil, errors.New("tea: incorrect key size")
-	}
-
-	if rounds&1 != 0 {
-		return nil, errors.New("tea: odd number of rounds specified")
-	}
-
-	c := &tea{
-		rounds: rounds,
-	}
-	copy(c.key[:], key)
-
-	return c, nil
-}
-
-// BlockSize returns the TEA block size, which is eight bytes. It is necessary
-// to satisfy the Block interface in the package "crypto/cipher".
-func (*tea) BlockSize() int {
-	return BlockSize
-}
-
-// Encrypt encrypts the 8 byte buffer src using the key in t and stores the
-// result in dst. Note that for amounts of data larger than a block, it is not
-// safe to just call Encrypt on successive blocks; instead, use an encryption
-// mode like CBC (see crypto/cipher/cbc.go).
-func (t *tea) Encrypt(dst, src []byte) {
-	e := binary.BigEndian
-	v0, v1 := e.Uint32(src), e.Uint32(src[4:])
-	k0, k1, k2, k3 := e.Uint32(t.key[0:]), e.Uint32(t.key[4:]), e.Uint32(t.key[8:]), e.Uint32(t.key[12:])
-
-	sum := uint32(0)
-	delta := uint32(delta)
-
-	for i := 0; i < t.rounds/2; i++ {
-		sum += delta
-		v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1)
-		v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3)
-	}
-
-	e.PutUint32(dst, v0)
-	e.PutUint32(dst[4:], v1)
-}
-
-// Decrypt decrypts the 8 byte buffer src using the key in t and stores the
-// result in dst.
-func (t *tea) Decrypt(dst, src []byte) {
-	e := binary.BigEndian
-	v0, v1 := e.Uint32(src), e.Uint32(src[4:])
-	k0, k1, k2, k3 := e.Uint32(t.key[0:]), e.Uint32(t.key[4:]), e.Uint32(t.key[8:]), e.Uint32(t.key[12:])
-
-	delta := uint32(delta)
-	sum := delta * uint32(t.rounds/2) // in general, sum = delta * n
-
-	for i := 0; i < t.rounds/2; i++ {
-		v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3)
-		v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1)
-		sum -= delta
-	}
-
-	e.PutUint32(dst, v0)
-	e.PutUint32(dst[4:], v1)
-}
diff --git a/vendor/golang.org/x/crypto/tea/tea_test.go b/vendor/golang.org/x/crypto/tea/tea_test.go
deleted file mode 100644
index eb98d1e0..00000000
--- a/vendor/golang.org/x/crypto/tea/tea_test.go
+++ /dev/null
@@ -1,93 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tea
-
-import (
-	"bytes"
-	"testing"
-)
-
-// A sample test key for when we just want to initialize a cipher
-var testKey = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}
-
-// Test that the block size for tea is correct
-func TestBlocksize(t *testing.T) {
-	c, err := NewCipher(testKey)
-	if err != nil {
-		t.Fatalf("NewCipher returned error: %s", err)
-	}
-
-	if result := c.BlockSize(); result != BlockSize {
-		t.Errorf("cipher.BlockSize returned %d, but expected %d", result, BlockSize)
-	}
-}
-
-// Test that invalid key sizes return an error
-func TestInvalidKeySize(t *testing.T) {
-	var key [KeySize + 1]byte
-
-	if _, err := NewCipher(key[:]); err == nil {
-		t.Errorf("invalid key size %d didn't result in an error.", len(key))
-	}
-
-	if _, err := NewCipher(key[:KeySize-1]); err == nil {
-		t.Errorf("invalid key size %d didn't result in an error.", KeySize-1)
-	}
-}
-
-// Test Vectors
-type teaTest struct {
-	rounds     int
-	key        []byte
-	plaintext  []byte
-	ciphertext []byte
-}
-
-var teaTests = []teaTest{
-	// These were sourced from https://github.com/froydnj/ironclad/blob/master/testing/test-vectors/tea.testvec
-	{
-		numRounds,
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x41, 0xea, 0x3a, 0x0a, 0x94, 0xba, 0xa9, 0x40},
-	},
-	{
-		numRounds,
-		[]byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
-		[]byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
-		[]byte{0x31, 0x9b, 0xbe, 0xfb, 0x01, 0x6a, 0xbd, 0xb2},
-	},
-	{
-		16,
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0xed, 0x28, 0x5d, 0xa1, 0x45, 0x5b, 0x33, 0xc1},
-	},
-}
-
-// Test encryption
-func TestCipherEncrypt(t *testing.T) {
-	// Test encryption with standard 64 rounds
-	for i, test := range teaTests {
-		c, err := NewCipherWithRounds(test.key, test.rounds)
-		if err != nil {
-			t.Fatalf("#%d: NewCipher returned error: %s", i, err)
-		}
-
-		var ciphertext [BlockSize]byte
-		c.Encrypt(ciphertext[:], test.plaintext)
-
-		if !bytes.Equal(ciphertext[:], test.ciphertext) {
-			t.Errorf("#%d: incorrect ciphertext. Got %x, wanted %x", i, ciphertext, test.ciphertext)
-		}
-
-		var plaintext2 [BlockSize]byte
-		c.Decrypt(plaintext2[:], ciphertext[:])
-
-		if !bytes.Equal(plaintext2[:], test.plaintext) {
-			t.Errorf("#%d: incorrect plaintext. Got %x, wanted %x", i, plaintext2, test.plaintext)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/twofish/twofish.go b/vendor/golang.org/x/crypto/twofish/twofish.go
deleted file mode 100644
index 6db01fcf..00000000
--- a/vendor/golang.org/x/crypto/twofish/twofish.go
+++ /dev/null
@@ -1,342 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package twofish implements Bruce Schneier's Twofish encryption algorithm.
-package twofish // import "golang.org/x/crypto/twofish"
-
-// Twofish is defined in https://www.schneier.com/paper-twofish-paper.pdf [TWOFISH]
-
-// This code is a port of the LibTom C implementation.
-// See http://libtom.org/?page=features&newsitems=5&whatfile=crypt.
-// LibTomCrypt is free for all purposes under the public domain.
-// It was heavily inspired by the go blowfish package.
-
-import "strconv"
-
-// BlockSize is the constant block size of Twofish.
-const BlockSize = 16
-
-const mdsPolynomial = 0x169 // x^8 + x^6 + x^5 + x^3 + 1, see [TWOFISH] 4.2
-const rsPolynomial = 0x14d  // x^8 + x^6 + x^3 + x^2 + 1, see [TWOFISH] 4.3
-
-// A Cipher is an instance of Twofish encryption using a particular key.
-type Cipher struct {
-	s [4][256]uint32
-	k [40]uint32
-}
-
-type KeySizeError int
-
-func (k KeySizeError) Error() string {
-	return "crypto/twofish: invalid key size " + strconv.Itoa(int(k))
-}
-
-// NewCipher creates and returns a Cipher.
-// The key argument should be the Twofish key, 16, 24 or 32 bytes.
-func NewCipher(key []byte) (*Cipher, error) {
-	keylen := len(key)
-
-	if keylen != 16 && keylen != 24 && keylen != 32 {
-		return nil, KeySizeError(keylen)
-	}
-
-	// k is the number of 64 bit words in key
-	k := keylen / 8
-
-	// Create the S[..] words
-	var S [4 * 4]byte
-	for i := 0; i < k; i++ {
-		// Computes [y0 y1 y2 y3] = rs . [x0 x1 x2 x3 x4 x5 x6 x7]
-		for j, rsRow := range rs {
-			for k, rsVal := range rsRow {
-				S[4*i+j] ^= gfMult(key[8*i+k], rsVal, rsPolynomial)
-			}
-		}
-	}
-
-	// Calculate subkeys
-	c := new(Cipher)
-	var tmp [4]byte
-	for i := byte(0); i < 20; i++ {
-		// A = h(p * 2x, Me)
-		for j := range tmp {
-			tmp[j] = 2 * i
-		}
-		A := h(tmp[:], key, 0)
-
-		// B = rolc(h(p * (2x + 1), Mo), 8)
-		for j := range tmp {
-			tmp[j] = 2*i + 1
-		}
-		B := h(tmp[:], key, 1)
-		B = rol(B, 8)
-
-		c.k[2*i] = A + B
-
-		// K[2i+1] = (A + 2B) <<< 9
-		c.k[2*i+1] = rol(2*B+A, 9)
-	}
-
-	// Calculate sboxes
-	switch k {
-	case 2:
-		for i := range c.s[0] {
-			c.s[0][i] = mdsColumnMult(sbox[1][sbox[0][sbox[0][byte(i)]^S[0]]^S[4]], 0)
-			c.s[1][i] = mdsColumnMult(sbox[0][sbox[0][sbox[1][byte(i)]^S[1]]^S[5]], 1)
-			c.s[2][i] = mdsColumnMult(sbox[1][sbox[1][sbox[0][byte(i)]^S[2]]^S[6]], 2)
-			c.s[3][i] = mdsColumnMult(sbox[0][sbox[1][sbox[1][byte(i)]^S[3]]^S[7]], 3)
-		}
-	case 3:
-		for i := range c.s[0] {
-			c.s[0][i] = mdsColumnMult(sbox[1][sbox[0][sbox[0][sbox[1][byte(i)]^S[0]]^S[4]]^S[8]], 0)
-			c.s[1][i] = mdsColumnMult(sbox[0][sbox[0][sbox[1][sbox[1][byte(i)]^S[1]]^S[5]]^S[9]], 1)
-			c.s[2][i] = mdsColumnMult(sbox[1][sbox[1][sbox[0][sbox[0][byte(i)]^S[2]]^S[6]]^S[10]], 2)
-			c.s[3][i] = mdsColumnMult(sbox[0][sbox[1][sbox[1][sbox[0][byte(i)]^S[3]]^S[7]]^S[11]], 3)
-		}
-	default:
-		for i := range c.s[0] {
-			c.s[0][i] = mdsColumnMult(sbox[1][sbox[0][sbox[0][sbox[1][sbox[1][byte(i)]^S[0]]^S[4]]^S[8]]^S[12]], 0)
-			c.s[1][i] = mdsColumnMult(sbox[0][sbox[0][sbox[1][sbox[1][sbox[0][byte(i)]^S[1]]^S[5]]^S[9]]^S[13]], 1)
-			c.s[2][i] = mdsColumnMult(sbox[1][sbox[1][sbox[0][sbox[0][sbox[0][byte(i)]^S[2]]^S[6]]^S[10]]^S[14]], 2)
-			c.s[3][i] = mdsColumnMult(sbox[0][sbox[1][sbox[1][sbox[0][sbox[1][byte(i)]^S[3]]^S[7]]^S[11]]^S[15]], 3)
-		}
-	}
-
-	return c, nil
-}
-
-// BlockSize returns the Twofish block size, 16 bytes.
-func (c *Cipher) BlockSize() int { return BlockSize }
-
-// store32l stores src in dst in little-endian form.
-func store32l(dst []byte, src uint32) {
-	dst[0] = byte(src)
-	dst[1] = byte(src >> 8)
-	dst[2] = byte(src >> 16)
-	dst[3] = byte(src >> 24)
-	return
-}
-
-// load32l reads a little-endian uint32 from src.
-func load32l(src []byte) uint32 {
-	return uint32(src[0]) | uint32(src[1])<<8 | uint32(src[2])<<16 | uint32(src[3])<<24
-}
-
-// rol returns x after a left circular rotation of y bits.
-func rol(x, y uint32) uint32 {
-	return (x << (y & 31)) | (x >> (32 - (y & 31)))
-}
-
-// ror returns x after a right circular rotation of y bits.
-func ror(x, y uint32) uint32 {
-	return (x >> (y & 31)) | (x << (32 - (y & 31)))
-}
-
-// The RS matrix. See [TWOFISH] 4.3
-var rs = [4][8]byte{
-	{0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E},
-	{0xA4, 0x56, 0x82, 0xF3, 0x1E, 0xC6, 0x68, 0xE5},
-	{0x02, 0xA1, 0xFC, 0xC1, 0x47, 0xAE, 0x3D, 0x19},
-	{0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E, 0x03},
-}
-
-// sbox tables
-var sbox = [2][256]byte{
-	{
-		0xa9, 0x67, 0xb3, 0xe8, 0x04, 0xfd, 0xa3, 0x76, 0x9a, 0x92, 0x80, 0x78, 0xe4, 0xdd, 0xd1, 0x38,
-		0x0d, 0xc6, 0x35, 0x98, 0x18, 0xf7, 0xec, 0x6c, 0x43, 0x75, 0x37, 0x26, 0xfa, 0x13, 0x94, 0x48,
-		0xf2, 0xd0, 0x8b, 0x30, 0x84, 0x54, 0xdf, 0x23, 0x19, 0x5b, 0x3d, 0x59, 0xf3, 0xae, 0xa2, 0x82,
-		0x63, 0x01, 0x83, 0x2e, 0xd9, 0x51, 0x9b, 0x7c, 0xa6, 0xeb, 0xa5, 0xbe, 0x16, 0x0c, 0xe3, 0x61,
-		0xc0, 0x8c, 0x3a, 0xf5, 0x73, 0x2c, 0x25, 0x0b, 0xbb, 0x4e, 0x89, 0x6b, 0x53, 0x6a, 0xb4, 0xf1,
-		0xe1, 0xe6, 0xbd, 0x45, 0xe2, 0xf4, 0xb6, 0x66, 0xcc, 0x95, 0x03, 0x56, 0xd4, 0x1c, 0x1e, 0xd7,
-		0xfb, 0xc3, 0x8e, 0xb5, 0xe9, 0xcf, 0xbf, 0xba, 0xea, 0x77, 0x39, 0xaf, 0x33, 0xc9, 0x62, 0x71,
-		0x81, 0x79, 0x09, 0xad, 0x24, 0xcd, 0xf9, 0xd8, 0xe5, 0xc5, 0xb9, 0x4d, 0x44, 0x08, 0x86, 0xe7,
-		0xa1, 0x1d, 0xaa, 0xed, 0x06, 0x70, 0xb2, 0xd2, 0x41, 0x7b, 0xa0, 0x11, 0x31, 0xc2, 0x27, 0x90,
-		0x20, 0xf6, 0x60, 0xff, 0x96, 0x5c, 0xb1, 0xab, 0x9e, 0x9c, 0x52, 0x1b, 0x5f, 0x93, 0x0a, 0xef,
-		0x91, 0x85, 0x49, 0xee, 0x2d, 0x4f, 0x8f, 0x3b, 0x47, 0x87, 0x6d, 0x46, 0xd6, 0x3e, 0x69, 0x64,
-		0x2a, 0xce, 0xcb, 0x2f, 0xfc, 0x97, 0x05, 0x7a, 0xac, 0x7f, 0xd5, 0x1a, 0x4b, 0x0e, 0xa7, 0x5a,
-		0x28, 0x14, 0x3f, 0x29, 0x88, 0x3c, 0x4c, 0x02, 0xb8, 0xda, 0xb0, 0x17, 0x55, 0x1f, 0x8a, 0x7d,
-		0x57, 0xc7, 0x8d, 0x74, 0xb7, 0xc4, 0x9f, 0x72, 0x7e, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34,
-		0x6e, 0x50, 0xde, 0x68, 0x65, 0xbc, 0xdb, 0xf8, 0xc8, 0xa8, 0x2b, 0x40, 0xdc, 0xfe, 0x32, 0xa4,
-		0xca, 0x10, 0x21, 0xf0, 0xd3, 0x5d, 0x0f, 0x00, 0x6f, 0x9d, 0x36, 0x42, 0x4a, 0x5e, 0xc1, 0xe0,
-	},
-	{
-		0x75, 0xf3, 0xc6, 0xf4, 0xdb, 0x7b, 0xfb, 0xc8, 0x4a, 0xd3, 0xe6, 0x6b, 0x45, 0x7d, 0xe8, 0x4b,
-		0xd6, 0x32, 0xd8, 0xfd, 0x37, 0x71, 0xf1, 0xe1, 0x30, 0x0f, 0xf8, 0x1b, 0x87, 0xfa, 0x06, 0x3f,
-		0x5e, 0xba, 0xae, 0x5b, 0x8a, 0x00, 0xbc, 0x9d, 0x6d, 0xc1, 0xb1, 0x0e, 0x80, 0x5d, 0xd2, 0xd5,
-		0xa0, 0x84, 0x07, 0x14, 0xb5, 0x90, 0x2c, 0xa3, 0xb2, 0x73, 0x4c, 0x54, 0x92, 0x74, 0x36, 0x51,
-		0x38, 0xb0, 0xbd, 0x5a, 0xfc, 0x60, 0x62, 0x96, 0x6c, 0x42, 0xf7, 0x10, 0x7c, 0x28, 0x27, 0x8c,
-		0x13, 0x95, 0x9c, 0xc7, 0x24, 0x46, 0x3b, 0x70, 0xca, 0xe3, 0x85, 0xcb, 0x11, 0xd0, 0x93, 0xb8,
-		0xa6, 0x83, 0x20, 0xff, 0x9f, 0x77, 0xc3, 0xcc, 0x03, 0x6f, 0x08, 0xbf, 0x40, 0xe7, 0x2b, 0xe2,
-		0x79, 0x0c, 0xaa, 0x82, 0x41, 0x3a, 0xea, 0xb9, 0xe4, 0x9a, 0xa4, 0x97, 0x7e, 0xda, 0x7a, 0x17,
-		0x66, 0x94, 0xa1, 0x1d, 0x3d, 0xf0, 0xde, 0xb3, 0x0b, 0x72, 0xa7, 0x1c, 0xef, 0xd1, 0x53, 0x3e,
-		0x8f, 0x33, 0x26, 0x5f, 0xec, 0x76, 0x2a, 0x49, 0x81, 0x88, 0xee, 0x21, 0xc4, 0x1a, 0xeb, 0xd9,
-		0xc5, 0x39, 0x99, 0xcd, 0xad, 0x31, 0x8b, 0x01, 0x18, 0x23, 0xdd, 0x1f, 0x4e, 0x2d, 0xf9, 0x48,
-		0x4f, 0xf2, 0x65, 0x8e, 0x78, 0x5c, 0x58, 0x19, 0x8d, 0xe5, 0x98, 0x57, 0x67, 0x7f, 0x05, 0x64,
-		0xaf, 0x63, 0xb6, 0xfe, 0xf5, 0xb7, 0x3c, 0xa5, 0xce, 0xe9, 0x68, 0x44, 0xe0, 0x4d, 0x43, 0x69,
-		0x29, 0x2e, 0xac, 0x15, 0x59, 0xa8, 0x0a, 0x9e, 0x6e, 0x47, 0xdf, 0x34, 0x35, 0x6a, 0xcf, 0xdc,
-		0x22, 0xc9, 0xc0, 0x9b, 0x89, 0xd4, 0xed, 0xab, 0x12, 0xa2, 0x0d, 0x52, 0xbb, 0x02, 0x2f, 0xa9,
-		0xd7, 0x61, 0x1e, 0xb4, 0x50, 0x04, 0xf6, 0xc2, 0x16, 0x25, 0x86, 0x56, 0x55, 0x09, 0xbe, 0x91,
-	},
-}
-
-// gfMult returns a·b in GF(2^8)/p
-func gfMult(a, b byte, p uint32) byte {
-	B := [2]uint32{0, uint32(b)}
-	P := [2]uint32{0, p}
-	var result uint32
-
-	// branchless GF multiplier
-	for i := 0; i < 7; i++ {
-		result ^= B[a&1]
-		a >>= 1
-		B[1] = P[B[1]>>7] ^ (B[1] << 1)
-	}
-	result ^= B[a&1]
-	return byte(result)
-}
-
-// mdsColumnMult calculates y{col} where [y0 y1 y2 y3] = MDS · [x0]
-func mdsColumnMult(in byte, col int) uint32 {
-	mul01 := in
-	mul5B := gfMult(in, 0x5B, mdsPolynomial)
-	mulEF := gfMult(in, 0xEF, mdsPolynomial)
-
-	switch col {
-	case 0:
-		return uint32(mul01) | uint32(mul5B)<<8 | uint32(mulEF)<<16 | uint32(mulEF)<<24
-	case 1:
-		return uint32(mulEF) | uint32(mulEF)<<8 | uint32(mul5B)<<16 | uint32(mul01)<<24
-	case 2:
-		return uint32(mul5B) | uint32(mulEF)<<8 | uint32(mul01)<<16 | uint32(mulEF)<<24
-	case 3:
-		return uint32(mul5B) | uint32(mul01)<<8 | uint32(mulEF)<<16 | uint32(mul5B)<<24
-	}
-
-	panic("unreachable")
-}
-
-// h implements the S-box generation function. See [TWOFISH] 4.3.5
-func h(in, key []byte, offset int) uint32 {
-	var y [4]byte
-	for x := range y {
-		y[x] = in[x]
-	}
-	switch len(key) / 8 {
-	case 4:
-		y[0] = sbox[1][y[0]] ^ key[4*(6+offset)+0]
-		y[1] = sbox[0][y[1]] ^ key[4*(6+offset)+1]
-		y[2] = sbox[0][y[2]] ^ key[4*(6+offset)+2]
-		y[3] = sbox[1][y[3]] ^ key[4*(6+offset)+3]
-		fallthrough
-	case 3:
-		y[0] = sbox[1][y[0]] ^ key[4*(4+offset)+0]
-		y[1] = sbox[1][y[1]] ^ key[4*(4+offset)+1]
-		y[2] = sbox[0][y[2]] ^ key[4*(4+offset)+2]
-		y[3] = sbox[0][y[3]] ^ key[4*(4+offset)+3]
-		fallthrough
-	case 2:
-		y[0] = sbox[1][sbox[0][sbox[0][y[0]]^key[4*(2+offset)+0]]^key[4*(0+offset)+0]]
-		y[1] = sbox[0][sbox[0][sbox[1][y[1]]^key[4*(2+offset)+1]]^key[4*(0+offset)+1]]
-		y[2] = sbox[1][sbox[1][sbox[0][y[2]]^key[4*(2+offset)+2]]^key[4*(0+offset)+2]]
-		y[3] = sbox[0][sbox[1][sbox[1][y[3]]^key[4*(2+offset)+3]]^key[4*(0+offset)+3]]
-	}
-	// [y0 y1 y2 y3] = MDS . [x0 x1 x2 x3]
-	var mdsMult uint32
-	for i := range y {
-		mdsMult ^= mdsColumnMult(y[i], i)
-	}
-	return mdsMult
-}
-
-// Encrypt encrypts a 16-byte block from src to dst, which may overlap.
-// Note that for amounts of data larger than a block,
-// it is not safe to just call Encrypt on successive blocks;
-// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
-func (c *Cipher) Encrypt(dst, src []byte) {
-	S1 := c.s[0]
-	S2 := c.s[1]
-	S3 := c.s[2]
-	S4 := c.s[3]
-
-	// Load input
-	ia := load32l(src[0:4])
-	ib := load32l(src[4:8])
-	ic := load32l(src[8:12])
-	id := load32l(src[12:16])
-
-	// Pre-whitening
-	ia ^= c.k[0]
-	ib ^= c.k[1]
-	ic ^= c.k[2]
-	id ^= c.k[3]
-
-	for i := 0; i < 8; i++ {
-		k := c.k[8+i*4 : 12+i*4]
-		t2 := S2[byte(ib)] ^ S3[byte(ib>>8)] ^ S4[byte(ib>>16)] ^ S1[byte(ib>>24)]
-		t1 := S1[byte(ia)] ^ S2[byte(ia>>8)] ^ S3[byte(ia>>16)] ^ S4[byte(ia>>24)] + t2
-		ic = ror(ic^(t1+k[0]), 1)
-		id = rol(id, 1) ^ (t2 + t1 + k[1])
-
-		t2 = S2[byte(id)] ^ S3[byte(id>>8)] ^ S4[byte(id>>16)] ^ S1[byte(id>>24)]
-		t1 = S1[byte(ic)] ^ S2[byte(ic>>8)] ^ S3[byte(ic>>16)] ^ S4[byte(ic>>24)] + t2
-		ia = ror(ia^(t1+k[2]), 1)
-		ib = rol(ib, 1) ^ (t2 + t1 + k[3])
-	}
-
-	// Output with "undo last swap"
-	ta := ic ^ c.k[4]
-	tb := id ^ c.k[5]
-	tc := ia ^ c.k[6]
-	td := ib ^ c.k[7]
-
-	store32l(dst[0:4], ta)
-	store32l(dst[4:8], tb)
-	store32l(dst[8:12], tc)
-	store32l(dst[12:16], td)
-}
-
-// Decrypt decrypts a 16-byte block from src to dst, which may overlap.
-func (c *Cipher) Decrypt(dst, src []byte) {
-	S1 := c.s[0]
-	S2 := c.s[1]
-	S3 := c.s[2]
-	S4 := c.s[3]
-
-	// Load input
-	ta := load32l(src[0:4])
-	tb := load32l(src[4:8])
-	tc := load32l(src[8:12])
-	td := load32l(src[12:16])
-
-	// Undo undo final swap
-	ia := tc ^ c.k[6]
-	ib := td ^ c.k[7]
-	ic := ta ^ c.k[4]
-	id := tb ^ c.k[5]
-
-	for i := 8; i > 0; i-- {
-		k := c.k[4+i*4 : 8+i*4]
-		t2 := S2[byte(id)] ^ S3[byte(id>>8)] ^ S4[byte(id>>16)] ^ S1[byte(id>>24)]
-		t1 := S1[byte(ic)] ^ S2[byte(ic>>8)] ^ S3[byte(ic>>16)] ^ S4[byte(ic>>24)] + t2
-		ia = rol(ia, 1) ^ (t1 + k[2])
-		ib = ror(ib^(t2+t1+k[3]), 1)
-
-		t2 = S2[byte(ib)] ^ S3[byte(ib>>8)] ^ S4[byte(ib>>16)] ^ S1[byte(ib>>24)]
-		t1 = S1[byte(ia)] ^ S2[byte(ia>>8)] ^ S3[byte(ia>>16)] ^ S4[byte(ia>>24)] + t2
-		ic = rol(ic, 1) ^ (t1 + k[0])
-		id = ror(id^(t2+t1+k[1]), 1)
-	}
-
-	// Undo pre-whitening
-	ia ^= c.k[0]
-	ib ^= c.k[1]
-	ic ^= c.k[2]
-	id ^= c.k[3]
-
-	store32l(dst[0:4], ia)
-	store32l(dst[4:8], ib)
-	store32l(dst[8:12], ic)
-	store32l(dst[12:16], id)
-}
diff --git a/vendor/golang.org/x/crypto/twofish/twofish_test.go b/vendor/golang.org/x/crypto/twofish/twofish_test.go
deleted file mode 100644
index ed6a1a8f..00000000
--- a/vendor/golang.org/x/crypto/twofish/twofish_test.go
+++ /dev/null
@@ -1,129 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package twofish
-
-import (
-	"bytes"
-	"testing"
-)
-
-var qbox = [2][4][16]byte{
-	{
-		{0x8, 0x1, 0x7, 0xD, 0x6, 0xF, 0x3, 0x2, 0x0, 0xB, 0x5, 0x9, 0xE, 0xC, 0xA, 0x4},
-		{0xE, 0xC, 0xB, 0x8, 0x1, 0x2, 0x3, 0x5, 0xF, 0x4, 0xA, 0x6, 0x7, 0x0, 0x9, 0xD},
-		{0xB, 0xA, 0x5, 0xE, 0x6, 0xD, 0x9, 0x0, 0xC, 0x8, 0xF, 0x3, 0x2, 0x4, 0x7, 0x1},
-		{0xD, 0x7, 0xF, 0x4, 0x1, 0x2, 0x6, 0xE, 0x9, 0xB, 0x3, 0x0, 0x8, 0x5, 0xC, 0xA},
-	},
-	{
-		{0x2, 0x8, 0xB, 0xD, 0xF, 0x7, 0x6, 0xE, 0x3, 0x1, 0x9, 0x4, 0x0, 0xA, 0xC, 0x5},
-		{0x1, 0xE, 0x2, 0xB, 0x4, 0xC, 0x3, 0x7, 0x6, 0xD, 0xA, 0x5, 0xF, 0x9, 0x0, 0x8},
-		{0x4, 0xC, 0x7, 0x5, 0x1, 0x6, 0x9, 0xA, 0x0, 0xE, 0xD, 0x8, 0x2, 0xB, 0x3, 0xF},
-		{0xB, 0x9, 0x5, 0x1, 0xC, 0x3, 0xD, 0xE, 0x6, 0x4, 0x7, 0xF, 0x2, 0x0, 0x8, 0xA},
-	},
-}
-
-// genSbox generates the variable sbox
-func genSbox(qi int, x byte) byte {
-	a0, b0 := x/16, x%16
-	for i := 0; i < 2; i++ {
-		a1 := a0 ^ b0
-		b1 := (a0 ^ ((b0 << 3) | (b0 >> 1)) ^ (a0 << 3)) & 15
-		a0 = qbox[qi][2*i][a1]
-		b0 = qbox[qi][2*i+1][b1]
-	}
-	return (b0 << 4) + a0
-}
-
-func TestSbox(t *testing.T) {
-	for n := range sbox {
-		for m := range sbox[n] {
-			if genSbox(n, byte(m)) != sbox[n][m] {
-				t.Errorf("#%d|%d: sbox value = %d want %d", n, m, sbox[n][m], genSbox(n, byte(m)))
-			}
-		}
-	}
-}
-
-var testVectors = []struct {
-	key []byte
-	dec []byte
-	enc []byte
-}{
-	// These tests are extracted from LibTom
-	{
-		[]byte{0x9F, 0x58, 0x9F, 0x5C, 0xF6, 0x12, 0x2C, 0x32, 0xB6, 0xBF, 0xEC, 0x2F, 0x2A, 0xE8, 0xC3, 0x5A},
-		[]byte{0xD4, 0x91, 0xDB, 0x16, 0xE7, 0xB1, 0xC3, 0x9E, 0x86, 0xCB, 0x08, 0x6B, 0x78, 0x9F, 0x54, 0x19},
-		[]byte{0x01, 0x9F, 0x98, 0x09, 0xDE, 0x17, 0x11, 0x85, 0x8F, 0xAA, 0xC3, 0xA3, 0xBA, 0x20, 0xFB, 0xC3},
-	},
-	{
-		[]byte{0x88, 0xB2, 0xB2, 0x70, 0x6B, 0x10, 0x5E, 0x36, 0xB4, 0x46, 0xBB, 0x6D, 0x73, 0x1A, 0x1E, 0x88,
-			0xEF, 0xA7, 0x1F, 0x78, 0x89, 0x65, 0xBD, 0x44},
-		[]byte{0x39, 0xDA, 0x69, 0xD6, 0xBA, 0x49, 0x97, 0xD5, 0x85, 0xB6, 0xDC, 0x07, 0x3C, 0xA3, 0x41, 0xB2},
-		[]byte{0x18, 0x2B, 0x02, 0xD8, 0x14, 0x97, 0xEA, 0x45, 0xF9, 0xDA, 0xAC, 0xDC, 0x29, 0x19, 0x3A, 0x65},
-	},
-	{
-		[]byte{0xD4, 0x3B, 0xB7, 0x55, 0x6E, 0xA3, 0x2E, 0x46, 0xF2, 0xA2, 0x82, 0xB7, 0xD4, 0x5B, 0x4E, 0x0D,
-			0x57, 0xFF, 0x73, 0x9D, 0x4D, 0xC9, 0x2C, 0x1B, 0xD7, 0xFC, 0x01, 0x70, 0x0C, 0xC8, 0x21, 0x6F},
-		[]byte{0x90, 0xAF, 0xE9, 0x1B, 0xB2, 0x88, 0x54, 0x4F, 0x2C, 0x32, 0xDC, 0x23, 0x9B, 0x26, 0x35, 0xE6},
-		[]byte{0x6C, 0xB4, 0x56, 0x1C, 0x40, 0xBF, 0x0A, 0x97, 0x05, 0x93, 0x1C, 0xB6, 0xD4, 0x08, 0xE7, 0xFA},
-	},
-	// These tests are derived from https://www.schneier.com/code/ecb_ival.txt
-	{
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x9F, 0x58, 0x9F, 0x5C, 0xF6, 0x12, 0x2C, 0x32, 0xB6, 0xBF, 0xEC, 0x2F, 0x2A, 0xE8, 0xC3, 0x5A},
-	},
-	{
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
-			0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
-		},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0xCF, 0xD1, 0xD2, 0xE5, 0xA9, 0xBE, 0x9C, 0xDF, 0x50, 0x1F, 0x13, 0xB8, 0x92, 0xBD, 0x22, 0x48},
-	},
-	{
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
-			0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
-		},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x37, 0x52, 0x7B, 0xE0, 0x05, 0x23, 0x34, 0xB8, 0x9F, 0x0C, 0xFC, 0xCA, 0xE8, 0x7C, 0xFA, 0x20},
-	},
-}
-
-func TestCipher(t *testing.T) {
-	for n, tt := range testVectors {
-		// Test if the plaintext (dec) is encrypts to the given
-		// ciphertext (enc) using the given key. Test also if enc can
-		// be decrypted again into dec.
-		c, err := NewCipher(tt.key)
-		if err != nil {
-			t.Errorf("#%d: NewCipher: %v", n, err)
-			return
-		}
-
-		buf := make([]byte, 16)
-		c.Encrypt(buf, tt.dec)
-		if !bytes.Equal(buf, tt.enc) {
-			t.Errorf("#%d: encrypt = %x want %x", n, buf, tt.enc)
-		}
-		c.Decrypt(buf, tt.enc)
-		if !bytes.Equal(buf, tt.dec) {
-			t.Errorf("#%d: decrypt = %x want %x", n, buf, tt.dec)
-		}
-
-		// Test that 16 zero bytes, encrypted 1000 times then decrypted
-		// 1000 times results in zero bytes again.
-		zero := make([]byte, 16)
-		buf = make([]byte, 16)
-		for i := 0; i < 1000; i++ {
-			c.Encrypt(buf, buf)
-		}
-		for i := 0; i < 1000; i++ {
-			c.Decrypt(buf, buf)
-		}
-		if !bytes.Equal(buf, zero) {
-			t.Errorf("#%d: encrypt/decrypt 1000: have %x want %x", n, buf, zero)
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/xtea/block.go b/vendor/golang.org/x/crypto/xtea/block.go
deleted file mode 100644
index bf5d2459..00000000
--- a/vendor/golang.org/x/crypto/xtea/block.go
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-	Implementation adapted from Needham and Wheeler's paper:
-	http://www.cix.co.uk/~klockstone/xtea.pdf
-
-	A precalculated look up table is used during encryption/decryption for values that are based purely on the key.
-*/
-
-package xtea
-
-// XTEA is based on 64 rounds.
-const numRounds = 64
-
-// blockToUint32 reads an 8 byte slice into two uint32s.
-// The block is treated as big endian.
-func blockToUint32(src []byte) (uint32, uint32) {
-	r0 := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
-	r1 := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
-	return r0, r1
-}
-
-// uint32ToBlock writes two uint32s into an 8 byte data block.
-// Values are written as big endian.
-func uint32ToBlock(v0, v1 uint32, dst []byte) {
-	dst[0] = byte(v0 >> 24)
-	dst[1] = byte(v0 >> 16)
-	dst[2] = byte(v0 >> 8)
-	dst[3] = byte(v0)
-	dst[4] = byte(v1 >> 24)
-	dst[5] = byte(v1 >> 16)
-	dst[6] = byte(v1 >> 8)
-	dst[7] = byte(v1 >> 0)
-}
-
-// encryptBlock encrypts a single 8 byte block using XTEA.
-func encryptBlock(c *Cipher, dst, src []byte) {
-	v0, v1 := blockToUint32(src)
-
-	// Two rounds of XTEA applied per loop
-	for i := 0; i < numRounds; {
-		v0 += ((v1<<4 ^ v1>>5) + v1) ^ c.table[i]
-		i++
-		v1 += ((v0<<4 ^ v0>>5) + v0) ^ c.table[i]
-		i++
-	}
-
-	uint32ToBlock(v0, v1, dst)
-}
-
-// decryptBlock decrypt a single 8 byte block using XTEA.
-func decryptBlock(c *Cipher, dst, src []byte) {
-	v0, v1 := blockToUint32(src)
-
-	// Two rounds of XTEA applied per loop
-	for i := numRounds; i > 0; {
-		i--
-		v1 -= ((v0<<4 ^ v0>>5) + v0) ^ c.table[i]
-		i--
-		v0 -= ((v1<<4 ^ v1>>5) + v1) ^ c.table[i]
-	}
-
-	uint32ToBlock(v0, v1, dst)
-}
diff --git a/vendor/golang.org/x/crypto/xtea/cipher.go b/vendor/golang.org/x/crypto/xtea/cipher.go
deleted file mode 100644
index 66ea0df1..00000000
--- a/vendor/golang.org/x/crypto/xtea/cipher.go
+++ /dev/null
@@ -1,82 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package xtea implements XTEA encryption, as defined in Needham and Wheeler's
-// 1997 technical report, "Tea extensions."
-package xtea // import "golang.org/x/crypto/xtea"
-
-// For details, see http://www.cix.co.uk/~klockstone/xtea.pdf
-
-import "strconv"
-
-// The XTEA block size in bytes.
-const BlockSize = 8
-
-// A Cipher is an instance of an XTEA cipher using a particular key.
-// table contains a series of precalculated values that are used each round.
-type Cipher struct {
-	table [64]uint32
-}
-
-type KeySizeError int
-
-func (k KeySizeError) Error() string {
-	return "crypto/xtea: invalid key size " + strconv.Itoa(int(k))
-}
-
-// NewCipher creates and returns a new Cipher.
-// The key argument should be the XTEA key.
-// XTEA only supports 128 bit (16 byte) keys.
-func NewCipher(key []byte) (*Cipher, error) {
-	k := len(key)
-	switch k {
-	default:
-		return nil, KeySizeError(k)
-	case 16:
-		break
-	}
-
-	c := new(Cipher)
-	initCipher(c, key)
-
-	return c, nil
-}
-
-// BlockSize returns the XTEA block size, 8 bytes.
-// It is necessary to satisfy the Block interface in the
-// package "crypto/cipher".
-func (c *Cipher) BlockSize() int { return BlockSize }
-
-// Encrypt encrypts the 8 byte buffer src using the key and stores the result in dst.
-// Note that for amounts of data larger than a block,
-// it is not safe to just call Encrypt on successive blocks;
-// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
-func (c *Cipher) Encrypt(dst, src []byte) { encryptBlock(c, dst, src) }
-
-// Decrypt decrypts the 8 byte buffer src using the key k and stores the result in dst.
-func (c *Cipher) Decrypt(dst, src []byte) { decryptBlock(c, dst, src) }
-
-// initCipher initializes the cipher context by creating a look up table
-// of precalculated values that are based on the key.
-func initCipher(c *Cipher, key []byte) {
-	// Load the key into four uint32s
-	var k [4]uint32
-	for i := 0; i < len(k); i++ {
-		j := i << 2 // Multiply by 4
-		k[i] = uint32(key[j+0])<<24 | uint32(key[j+1])<<16 | uint32(key[j+2])<<8 | uint32(key[j+3])
-	}
-
-	// Precalculate the table
-	const delta = 0x9E3779B9
-	var sum uint32
-
-	// Two rounds of XTEA applied per loop
-	for i := 0; i < numRounds; {
-		c.table[i] = sum + k[sum&3]
-		i++
-		sum += delta
-		c.table[i] = sum + k[(sum>>11)&3]
-		i++
-	}
-}
diff --git a/vendor/golang.org/x/crypto/xtea/xtea_test.go b/vendor/golang.org/x/crypto/xtea/xtea_test.go
deleted file mode 100644
index be711bf5..00000000
--- a/vendor/golang.org/x/crypto/xtea/xtea_test.go
+++ /dev/null
@@ -1,229 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package xtea
-
-import (
-	"testing"
-)
-
-// A sample test key for when we just want to initialize a cipher
-var testKey = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}
-
-// Test that the block size for XTEA is correct
-func TestBlocksize(t *testing.T) {
-	if BlockSize != 8 {
-		t.Errorf("BlockSize constant - expected 8, got %d", BlockSize)
-		return
-	}
-
-	c, err := NewCipher(testKey)
-	if err != nil {
-		t.Errorf("NewCipher(%d bytes) = %s", len(testKey), err)
-		return
-	}
-
-	result := c.BlockSize()
-	if result != 8 {
-		t.Errorf("BlockSize function - expected 8, got %d", result)
-		return
-	}
-}
-
-// A series of test values to confirm that the Cipher.table array was initialized correctly
-var testTable = []uint32{
-	0x00112233, 0x6B1568B8, 0xE28CE030, 0xC5089E2D, 0xC5089E2D, 0x1EFBD3A2, 0xA7845C2A, 0x78EF0917,
-	0x78EF0917, 0x172682D0, 0x5B6AC714, 0x822AC955, 0x3DE68511, 0xDC1DFECA, 0x2062430E, 0x3611343F,
-	0xF1CCEFFB, 0x900469B4, 0xD448ADF8, 0x2E3BE36D, 0xB6C46BF5, 0x994029F2, 0x994029F2, 0xF3335F67,
-	0x6AAAD6DF, 0x4D2694DC, 0x4D2694DC, 0xEB5E0E95, 0x2FA252D9, 0x4551440A, 0x121E10D6, 0xB0558A8F,
-	0xE388BDC3, 0x0A48C004, 0xC6047BC0, 0x643BF579, 0xA88039BD, 0x02736F32, 0x8AFBF7BA, 0x5C66A4A7,
-	0x5C66A4A7, 0xC76AEB2C, 0x3EE262A4, 0x215E20A1, 0x215E20A1, 0x7B515616, 0x03D9DE9E, 0x1988CFCF,
-	0xD5448B8B, 0x737C0544, 0xB7C04988, 0xDE804BC9, 0x9A3C0785, 0x3873813E, 0x7CB7C582, 0xD6AAFAF7,
-	0x4E22726F, 0x309E306C, 0x309E306C, 0x8A9165E1, 0x1319EE69, 0xF595AC66, 0xF595AC66, 0x4F88E1DB,
-}
-
-// Test that the cipher context is initialized correctly
-func TestCipherInit(t *testing.T) {
-	c, err := NewCipher(testKey)
-	if err != nil {
-		t.Errorf("NewCipher(%d bytes) = %s", len(testKey), err)
-		return
-	}
-
-	for i := 0; i < len(c.table); i++ {
-		if c.table[i] != testTable[i] {
-			t.Errorf("NewCipher() failed to initialize Cipher.table[%d] correctly. Expected %08X, got %08X", i, testTable[i], c.table[i])
-			break
-		}
-	}
-}
-
-// Test that invalid key sizes return an error
-func TestInvalidKeySize(t *testing.T) {
-	// Test a long key
-	key := []byte{
-		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
-		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
-	}
-
-	_, err := NewCipher(key)
-	if err == nil {
-		t.Errorf("Invalid key size %d didn't result in an error.", len(key))
-	}
-
-	// Test a short key
-	key = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}
-
-	_, err = NewCipher(key)
-	if err == nil {
-		t.Errorf("Invalid key size %d didn't result in an error.", len(key))
-	}
-}
-
-// Test that we can correctly decode some bytes we have encoded
-func TestEncodeDecode(t *testing.T) {
-	original := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
-	input := original
-	output := make([]byte, BlockSize)
-
-	c, err := NewCipher(testKey)
-	if err != nil {
-		t.Errorf("NewCipher(%d bytes) = %s", len(testKey), err)
-		return
-	}
-
-	// Encrypt the input block
-	c.Encrypt(output, input)
-
-	// Check that the output does not match the input
-	differs := false
-	for i := 0; i < len(input); i++ {
-		if output[i] != input[i] {
-			differs = true
-			break
-		}
-	}
-	if differs == false {
-		t.Error("Cipher.Encrypt: Failed to encrypt the input block.")
-		return
-	}
-
-	// Decrypt the block we just encrypted
-	input = output
-	output = make([]byte, BlockSize)
-	c.Decrypt(output, input)
-
-	// Check that the output from decrypt matches our initial input
-	for i := 0; i < len(input); i++ {
-		if output[i] != original[i] {
-			t.Errorf("Decrypted byte %d differed. Expected %02X, got %02X\n", i, original[i], output[i])
-			return
-		}
-	}
-}
-
-// Test Vectors
-type CryptTest struct {
-	key        []byte
-	plainText  []byte
-	cipherText []byte
-}
-
-var CryptTests = []CryptTest{
-	// These were sourced from http://www.freemedialibrary.com/index.php/XTEA_test_vectors
-	{
-		[]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f},
-		[]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48},
-		[]byte{0x49, 0x7d, 0xf3, 0xd0, 0x72, 0x61, 0x2c, 0xb5},
-	},
-	{
-		[]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f},
-		[]byte{0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41},
-		[]byte{0xe7, 0x8f, 0x2d, 0x13, 0x74, 0x43, 0x41, 0xd8},
-	},
-	{
-		[]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f},
-		[]byte{0x5a, 0x5b, 0x6e, 0x27, 0x89, 0x48, 0xd7, 0x7f},
-		[]byte{0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41},
-	},
-	{
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48},
-		[]byte{0xa0, 0x39, 0x05, 0x89, 0xf8, 0xb8, 0xef, 0xa5},
-	},
-	{
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41},
-		[]byte{0xed, 0x23, 0x37, 0x5a, 0x82, 0x1a, 0x8c, 0x2d},
-	},
-	{
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x70, 0xe1, 0x22, 0x5d, 0x6e, 0x4e, 0x76, 0x55},
-		[]byte{0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41},
-	},
-
-	// These vectors are from http://wiki.secondlife.com/wiki/XTEA_Strong_Encryption_Implementation#Bouncy_Castle_C.23_API
-	{
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0xDE, 0xE9, 0xD4, 0xD8, 0xF7, 0x13, 0x1E, 0xD9},
-	},
-	{
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08},
-		[]byte{0x06, 0x5C, 0x1B, 0x89, 0x75, 0xC6, 0xA8, 0x16},
-	},
-	{
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x12, 0x34, 0x56, 0x78, 0x23, 0x45, 0x67, 0x89, 0x34, 0x56, 0x78, 0x9A},
-		[]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		[]byte{0x1F, 0xF9, 0xA0, 0x26, 0x1A, 0xC6, 0x42, 0x64},
-	},
-	{
-		[]byte{0x01, 0x23, 0x45, 0x67, 0x12, 0x34, 0x56, 0x78, 0x23, 0x45, 0x67, 0x89, 0x34, 0x56, 0x78, 0x9A},
-		[]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08},
-		[]byte{0x8C, 0x67, 0x15, 0x5B, 0x2E, 0xF9, 0x1E, 0xAD},
-	},
-}
-
-// Test encryption
-func TestCipherEncrypt(t *testing.T) {
-	for i, tt := range CryptTests {
-		c, err := NewCipher(tt.key)
-		if err != nil {
-			t.Errorf("NewCipher(%d bytes), vector %d = %s", len(tt.key), i, err)
-			continue
-		}
-
-		out := make([]byte, len(tt.plainText))
-		c.Encrypt(out, tt.plainText)
-
-		for j := 0; j < len(out); j++ {
-			if out[j] != tt.cipherText[j] {
-				t.Errorf("Cipher.Encrypt %d: out[%d] = %02X, expected %02X", i, j, out[j], tt.cipherText[j])
-				break
-			}
-		}
-	}
-}
-
-// Test decryption
-func TestCipherDecrypt(t *testing.T) {
-	for i, tt := range CryptTests {
-		c, err := NewCipher(tt.key)
-		if err != nil {
-			t.Errorf("NewCipher(%d bytes), vector %d = %s", len(tt.key), i, err)
-			continue
-		}
-
-		out := make([]byte, len(tt.cipherText))
-		c.Decrypt(out, tt.cipherText)
-
-		for j := 0; j < len(out); j++ {
-			if out[j] != tt.plainText[j] {
-				t.Errorf("Cipher.Decrypt %d: out[%d] = %02X, expected %02X", i, j, out[j], tt.plainText[j])
-				break
-			}
-		}
-	}
-}
diff --git a/vendor/golang.org/x/crypto/xts/xts.go b/vendor/golang.org/x/crypto/xts/xts.go
deleted file mode 100644
index 92cbce99..00000000
--- a/vendor/golang.org/x/crypto/xts/xts.go
+++ /dev/null
@@ -1,137 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package xts implements the XTS cipher mode as specified in IEEE P1619/D16.
-//
-// XTS mode is typically used for disk encryption, which presents a number of
-// novel problems that make more common modes inapplicable. The disk is
-// conceptually an array of sectors and we must be able to encrypt and decrypt
-// a sector in isolation. However, an attacker must not be able to transpose
-// two sectors of plaintext by transposing their ciphertext.
-//
-// XTS wraps a block cipher with Rogaway's XEX mode in order to build a
-// tweakable block cipher. This allows each sector to have a unique tweak and
-// effectively create a unique key for each sector.
-//
-// XTS does not provide any authentication. An attacker can manipulate the
-// ciphertext and randomise a block (16 bytes) of the plaintext.
-//
-// (Note: this package does not implement ciphertext-stealing so sectors must
-// be a multiple of 16 bytes.)
-package xts // import "golang.org/x/crypto/xts"
-
-import (
-	"crypto/cipher"
-	"encoding/binary"
-	"errors"
-)
-
-// Cipher contains an expanded key structure. It doesn't contain mutable state
-// and therefore can be used concurrently.
-type Cipher struct {
-	k1, k2 cipher.Block
-}
-
-// blockSize is the block size that the underlying cipher must have. XTS is
-// only defined for 16-byte ciphers.
-const blockSize = 16
-
-// NewCipher creates a Cipher given a function for creating the underlying
-// block cipher (which must have a block size of 16 bytes). The key must be
-// twice the length of the underlying cipher's key.
-func NewCipher(cipherFunc func([]byte) (cipher.Block, error), key []byte) (c *Cipher, err error) {
-	c = new(Cipher)
-	if c.k1, err = cipherFunc(key[:len(key)/2]); err != nil {
-		return
-	}
-	c.k2, err = cipherFunc(key[len(key)/2:])
-
-	if c.k1.BlockSize() != blockSize {
-		err = errors.New("xts: cipher does not have a block size of 16")
-	}
-
-	return
-}
-
-// Encrypt encrypts a sector of plaintext and puts the result into ciphertext.
-// Plaintext and ciphertext must overlap entirely or not at all.
-// Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
-func (c *Cipher) Encrypt(ciphertext, plaintext []byte, sectorNum uint64) {
-	if len(ciphertext) < len(plaintext) {
-		panic("xts: ciphertext is smaller than plaintext")
-	}
-	if len(plaintext)%blockSize != 0 {
-		panic("xts: plaintext is not a multiple of the block size")
-	}
-
-	var tweak [blockSize]byte
-	binary.LittleEndian.PutUint64(tweak[:8], sectorNum)
-
-	c.k2.Encrypt(tweak[:], tweak[:])
-
-	for len(plaintext) > 0 {
-		for j := range tweak {
-			ciphertext[j] = plaintext[j] ^ tweak[j]
-		}
-		c.k1.Encrypt(ciphertext, ciphertext)
-		for j := range tweak {
-			ciphertext[j] ^= tweak[j]
-		}
-		plaintext = plaintext[blockSize:]
-		ciphertext = ciphertext[blockSize:]
-
-		mul2(&tweak)
-	}
-}
-
-// Decrypt decrypts a sector of ciphertext and puts the result into plaintext.
-// Plaintext and ciphertext must overlap entirely or not at all.
-// Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
-func (c *Cipher) Decrypt(plaintext, ciphertext []byte, sectorNum uint64) {
-	if len(plaintext) < len(ciphertext) {
-		panic("xts: plaintext is smaller than ciphertext")
-	}
-	if len(ciphertext)%blockSize != 0 {
-		panic("xts: ciphertext is not a multiple of the block size")
-	}
-
-	var tweak [blockSize]byte
-	binary.LittleEndian.PutUint64(tweak[:8], sectorNum)
-
-	c.k2.Encrypt(tweak[:], tweak[:])
-
-	for len(ciphertext) > 0 {
-		for j := range tweak {
-			plaintext[j] = ciphertext[j] ^ tweak[j]
-		}
-		c.k1.Decrypt(plaintext, plaintext)
-		for j := range tweak {
-			plaintext[j] ^= tweak[j]
-		}
-		plaintext = plaintext[blockSize:]
-		ciphertext = ciphertext[blockSize:]
-
-		mul2(&tweak)
-	}
-}
-
-// mul2 multiplies tweak by 2 in GF(2¹²⁸) with an irreducible polynomial of
-// x¹²⁸ + x⁷ + x² + x + 1.
-func mul2(tweak *[blockSize]byte) {
-	var carryIn byte
-	for j := range tweak {
-		carryOut := tweak[j] >> 7
-		tweak[j] = (tweak[j] << 1) + carryIn
-		carryIn = carryOut
-	}
-	if carryIn != 0 {
-		// If we have a carry bit then we need to subtract a multiple
-		// of the irreducible polynomial (x¹²⁸ + x⁷ + x² + x + 1).
-		// By dropping the carry bit, we're subtracting the x^128 term
-		// so all that remains is to subtract x⁷ + x² + x + 1.
-		// Subtraction (and addition) in this representation is just
-		// XOR.
-		tweak[0] ^= 1<<7 | 1<<2 | 1<<1 | 1
-	}
-}
diff --git a/vendor/golang.org/x/crypto/xts/xts_test.go b/vendor/golang.org/x/crypto/xts/xts_test.go
deleted file mode 100644
index 96d3b6cb..00000000
--- a/vendor/golang.org/x/crypto/xts/xts_test.go
+++ /dev/null
@@ -1,105 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package xts
-
-import (
-	"bytes"
-	"crypto/aes"
-	"encoding/hex"
-	"testing"
-)
-
-// These test vectors have been taken from IEEE P1619/D16, Annex B.
-var xtsTestVectors = []struct {
-	key        string
-	sector     uint64
-	plaintext  string
-	ciphertext string
-}{
-	{
-		"0000000000000000000000000000000000000000000000000000000000000000",
-		0,
-		"0000000000000000000000000000000000000000000000000000000000000000",
-		"917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e",
-	}, {
-		"1111111111111111111111111111111122222222222222222222222222222222",
-		0x3333333333,
-		"4444444444444444444444444444444444444444444444444444444444444444",
-		"c454185e6a16936e39334038acef838bfb186fff7480adc4289382ecd6d394f0",
-	}, {
-		"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f022222222222222222222222222222222",
-		0x3333333333,
-		"4444444444444444444444444444444444444444444444444444444444444444",
-		"af85336b597afc1a900b2eb21ec949d292df4c047e0b21532186a5971a227a89",
-	}, {
-		"2718281828459045235360287471352631415926535897932384626433832795",
-		0,
-		"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
-		"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568",
-	}, {
-		"2718281828459045235360287471352631415926535897932384626433832795",
-		1,
-		"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568",
-		"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd",
-	}, {
-		"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592",
-		0xff,
-		"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
-		"1c3b3a102f770386e4836c99e370cf9bea00803f5e482357a4ae12d414a3e63b5d31e276f8fe4a8d66b317f9ac683f44680a86ac35adfc3345befecb4bb188fd5776926c49a3095eb108fd1098baec70aaa66999a72a82f27d848b21d4a741b0c5cd4d5fff9dac89aeba122961d03a757123e9870f8acf1000020887891429ca2a3e7a7d7df7b10355165c8b9a6d0a7de8b062c4500dc4cd120c0f7418dae3d0b5781c34803fa75421c790dfe1de1834f280d7667b327f6c8cd7557e12ac3a0f93ec05c52e0493ef31a12d3d9260f79a289d6a379bc70c50841473d1a8cc81ec583e9645e07b8d9670655ba5bbcfecc6dc3966380ad8fecb17b6ba02469a020a84e18e8f84252070c13e9f1f289be54fbc481457778f616015e1327a02b140f1505eb309326d68378f8374595c849d84f4c333ec4423885143cb47bd71c5edae9be69a2ffeceb1bec9de244fbe15992b11b77c040f12bd8f6a975a44a0f90c29a9abc3d4d893927284c58754cce294529f8614dcd2aba991925fedc4ae74ffac6e333b93eb4aff0479da9a410e4450e0dd7ae4c6e2910900575da401fc07059f645e8b7e9bfdef33943054ff84011493c27b3429eaedb4ed5376441a77ed43851ad77f16f541dfd269d50d6a5f14fb0aab1cbb4c1550be97f7ab4066193c4caa773dad38014bd2092fa755c824bb5e54c4f36ffda9fcea70b9c6e693e148c151",
-	},
-}
-
-func fromHex(s string) []byte {
-	ret, err := hex.DecodeString(s)
-	if err != nil {
-		panic("xts: invalid hex in test")
-	}
-	return ret
-}
-
-func TestXTS(t *testing.T) {
-	for i, test := range xtsTestVectors {
-		c, err := NewCipher(aes.NewCipher, fromHex(test.key))
-		if err != nil {
-			t.Errorf("#%d: failed to create cipher: %s", i, err)
-			continue
-		}
-		plaintext := fromHex(test.plaintext)
-		ciphertext := make([]byte, len(plaintext))
-		c.Encrypt(ciphertext, plaintext, test.sector)
-
-		expectedCiphertext := fromHex(test.ciphertext)
-		if !bytes.Equal(ciphertext, expectedCiphertext) {
-			t.Errorf("#%d: encrypted failed, got: %x, want: %x", i, ciphertext, expectedCiphertext)
-			continue
-		}
-
-		decrypted := make([]byte, len(ciphertext))
-		c.Decrypt(decrypted, ciphertext, test.sector)
-		if !bytes.Equal(decrypted, plaintext) {
-			t.Errorf("#%d: decryption failed, got: %x, want: %x", i, decrypted, plaintext)
-		}
-	}
-}
-
-func TestShorterCiphertext(t *testing.T) {
-	// Decrypt used to panic if the input was shorter than the output. See
-	// https://go-review.googlesource.com/c/39954/
-	c, err := NewCipher(aes.NewCipher, make([]byte, 32))
-	if err != nil {
-		t.Fatalf("NewCipher failed: %s", err)
-	}
-
-	plaintext := make([]byte, 32)
-	encrypted := make([]byte, 48)
-	decrypted := make([]byte, 48)
-
-	c.Encrypt(encrypted, plaintext, 0)
-	c.Decrypt(decrypted, encrypted[:len(plaintext)], 0)
-
-	if !bytes.Equal(plaintext, decrypted[:len(plaintext)]) {
-		t.Errorf("En/Decryption is not inverse")
-	}
-}
diff --git a/vendor/gopkg.in/check.v1/.gitignore b/vendor/gopkg.in/check.v1/.gitignore
deleted file mode 100644
index 191a5360..00000000
--- a/vendor/gopkg.in/check.v1/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-_*
-*.swp
-*.[568]
-[568].out
diff --git a/vendor/gopkg.in/check.v1/.travis.yml b/vendor/gopkg.in/check.v1/.travis.yml
deleted file mode 100644
index ead6735f..00000000
--- a/vendor/gopkg.in/check.v1/.travis.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-language: go
-
-go_import_path: gopkg.in/check.v1
diff --git a/vendor/gopkg.in/check.v1/LICENSE b/vendor/gopkg.in/check.v1/LICENSE
deleted file mode 100644
index 545cf2d3..00000000
--- a/vendor/gopkg.in/check.v1/LICENSE
+++ /dev/null
@@ -1,25 +0,0 @@
-Gocheck - A rich testing framework for Go
- 
-Copyright (c) 2010-2013 Gustavo Niemeyer <gustavo@niemeyer.net>
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met: 
-
-1. Redistributions of source code must retain the above copyright notice, this
-   list of conditions and the following disclaimer. 
-2. Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation
-   and/or other materials provided with the distribution. 
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/gopkg.in/check.v1/README.md b/vendor/gopkg.in/check.v1/README.md
deleted file mode 100644
index 0ca9e572..00000000
--- a/vendor/gopkg.in/check.v1/README.md
+++ /dev/null
@@ -1,20 +0,0 @@
-Instructions
-============
-
-Install the package with:
-
-    go get gopkg.in/check.v1
-    
-Import it with:
-
-    import "gopkg.in/check.v1"
-
-and use _check_ as the package name inside the code.
-
-For more details, visit the project page:
-
-* http://labix.org/gocheck
-
-and the API documentation:
-
-* https://gopkg.in/check.v1
diff --git a/vendor/gopkg.in/check.v1/TODO b/vendor/gopkg.in/check.v1/TODO
deleted file mode 100644
index 33498270..00000000
--- a/vendor/gopkg.in/check.v1/TODO
+++ /dev/null
@@ -1,2 +0,0 @@
-- Assert(slice, Contains, item)
-- Parallel test support
diff --git a/vendor/gopkg.in/check.v1/benchmark.go b/vendor/gopkg.in/check.v1/benchmark.go
deleted file mode 100644
index 46ea9dc6..00000000
--- a/vendor/gopkg.in/check.v1/benchmark.go
+++ /dev/null
@@ -1,187 +0,0 @@
-// Copyright (c) 2012 The Go Authors. All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-// 
-//    * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-//    * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-//    * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package check
-
-import (
-	"fmt"
-	"runtime"
-	"time"
-)
-
-var memStats runtime.MemStats
-
-// testingB is a type passed to Benchmark functions to manage benchmark
-// timing and to specify the number of iterations to run.
-type timer struct {
-	start     time.Time // Time test or benchmark started
-	duration  time.Duration
-	N         int
-	bytes     int64
-	timerOn   bool
-	benchTime time.Duration
-	// The initial states of memStats.Mallocs and memStats.TotalAlloc.
-	startAllocs uint64
-	startBytes  uint64
-	// The net total of this test after being run.
-	netAllocs uint64
-	netBytes  uint64
-}
-
-// StartTimer starts timing a test. This function is called automatically
-// before a benchmark starts, but it can also used to resume timing after
-// a call to StopTimer.
-func (c *C) StartTimer() {
-	if !c.timerOn {
-		c.start = time.Now()
-		c.timerOn = true
-
-		runtime.ReadMemStats(&memStats)
-		c.startAllocs = memStats.Mallocs
-		c.startBytes = memStats.TotalAlloc
-	}
-}
-
-// StopTimer stops timing a test. This can be used to pause the timer
-// while performing complex initialization that you don't
-// want to measure.
-func (c *C) StopTimer() {
-	if c.timerOn {
-		c.duration += time.Now().Sub(c.start)
-		c.timerOn = false
-		runtime.ReadMemStats(&memStats)
-		c.netAllocs += memStats.Mallocs - c.startAllocs
-		c.netBytes += memStats.TotalAlloc - c.startBytes
-	}
-}
-
-// ResetTimer sets the elapsed benchmark time to zero.
-// It does not affect whether the timer is running.
-func (c *C) ResetTimer() {
-	if c.timerOn {
-		c.start = time.Now()
-		runtime.ReadMemStats(&memStats)
-		c.startAllocs = memStats.Mallocs
-		c.startBytes = memStats.TotalAlloc
-	}
-	c.duration = 0
-	c.netAllocs = 0
-	c.netBytes = 0
-}
-
-// SetBytes informs the number of bytes that the benchmark processes
-// on each iteration. If this is called in a benchmark it will also
-// report MB/s.
-func (c *C) SetBytes(n int64) {
-	c.bytes = n
-}
-
-func (c *C) nsPerOp() int64 {
-	if c.N <= 0 {
-		return 0
-	}
-	return c.duration.Nanoseconds() / int64(c.N)
-}
-
-func (c *C) mbPerSec() float64 {
-	if c.bytes <= 0 || c.duration <= 0 || c.N <= 0 {
-		return 0
-	}
-	return (float64(c.bytes) * float64(c.N) / 1e6) / c.duration.Seconds()
-}
-
-func (c *C) timerString() string {
-	if c.N <= 0 {
-		return fmt.Sprintf("%3.3fs", float64(c.duration.Nanoseconds())/1e9)
-	}
-	mbs := c.mbPerSec()
-	mb := ""
-	if mbs != 0 {
-		mb = fmt.Sprintf("\t%7.2f MB/s", mbs)
-	}
-	nsop := c.nsPerOp()
-	ns := fmt.Sprintf("%10d ns/op", nsop)
-	if c.N > 0 && nsop < 100 {
-		// The format specifiers here make sure that
-		// the ones digits line up for all three possible formats.
-		if nsop < 10 {
-			ns = fmt.Sprintf("%13.2f ns/op", float64(c.duration.Nanoseconds())/float64(c.N))
-		} else {
-			ns = fmt.Sprintf("%12.1f ns/op", float64(c.duration.Nanoseconds())/float64(c.N))
-		}
-	}
-	memStats := ""
-	if c.benchMem {
-		allocedBytes := fmt.Sprintf("%8d B/op", int64(c.netBytes)/int64(c.N))
-		allocs := fmt.Sprintf("%8d allocs/op", int64(c.netAllocs)/int64(c.N))
-		memStats = fmt.Sprintf("\t%s\t%s", allocedBytes, allocs)
-	}
-	return fmt.Sprintf("%8d\t%s%s%s", c.N, ns, mb, memStats)
-}
-
-func min(x, y int) int {
-	if x > y {
-		return y
-	}
-	return x
-}
-
-func max(x, y int) int {
-	if x < y {
-		return y
-	}
-	return x
-}
-
-// roundDown10 rounds a number down to the nearest power of 10.
-func roundDown10(n int) int {
-	var tens = 0
-	// tens = floor(log_10(n))
-	for n > 10 {
-		n = n / 10
-		tens++
-	}
-	// result = 10^tens
-	result := 1
-	for i := 0; i < tens; i++ {
-		result *= 10
-	}
-	return result
-}
-
-// roundUp rounds x up to a number of the form [1eX, 2eX, 5eX].
-func roundUp(n int) int {
-	base := roundDown10(n)
-	if n < (2 * base) {
-		return 2 * base
-	}
-	if n < (5 * base) {
-		return 5 * base
-	}
-	return 10 * base
-}
diff --git a/vendor/gopkg.in/check.v1/benchmark_test.go b/vendor/gopkg.in/check.v1/benchmark_test.go
deleted file mode 100644
index 8b6a8a64..00000000
--- a/vendor/gopkg.in/check.v1/benchmark_test.go
+++ /dev/null
@@ -1,91 +0,0 @@
-// These tests verify the test running logic.
-
-package check_test
-
-import (
-	"time"
-	. "gopkg.in/check.v1"
-)
-
-var benchmarkS = Suite(&BenchmarkS{})
-
-type BenchmarkS struct{}
-
-func (s *BenchmarkS) TestCountSuite(c *C) {
-	suitesRun += 1
-}
-
-func (s *BenchmarkS) TestBasicTestTiming(c *C) {
-	helper := FixtureHelper{sleepOn: "Test1", sleep: 1000000 * time.Nanosecond}
-	output := String{}
-	runConf := RunConf{Output: &output, Verbose: true}
-	Run(&helper, &runConf)
-
-	expected := "PASS: check_test\\.go:[0-9]+: FixtureHelper\\.Test1\t0\\.0[0-9]+s\n" +
-		"PASS: check_test\\.go:[0-9]+: FixtureHelper\\.Test2\t0\\.0[0-9]+s\n"
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *BenchmarkS) TestStreamTestTiming(c *C) {
-	helper := FixtureHelper{sleepOn: "SetUpSuite", sleep: 1000000 * time.Nanosecond}
-	output := String{}
-	runConf := RunConf{Output: &output, Stream: true}
-	Run(&helper, &runConf)
-
-	expected := "(?s).*\nPASS: check_test\\.go:[0-9]+: FixtureHelper\\.SetUpSuite\t[0-9]+\\.[0-9]+s\n.*"
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *BenchmarkS) TestBenchmark(c *C) {
-	helper := FixtureHelper{sleep: 100000}
-	output := String{}
-	runConf := RunConf{
-		Output:        &output,
-		Benchmark:     true,
-		BenchmarkTime: 10000000,
-		Filter:        "Benchmark1",
-	}
-	Run(&helper, &runConf)
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "Benchmark1")
-	c.Check(helper.calls[3], Equals, "TearDownTest")
-	c.Check(helper.calls[4], Equals, "SetUpTest")
-	c.Check(helper.calls[5], Equals, "Benchmark1")
-	c.Check(helper.calls[6], Equals, "TearDownTest")
-	// ... and more.
-
-	expected := "PASS: check_test\\.go:[0-9]+: FixtureHelper\\.Benchmark1\t\\s+[0-9]+\t\\s+[0-9]+ ns/op\n"
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *BenchmarkS) TestBenchmarkBytes(c *C) {
-	helper := FixtureHelper{sleep: 100000}
-	output := String{}
-	runConf := RunConf{
-		Output:        &output,
-		Benchmark:     true,
-		BenchmarkTime: 10000000,
-		Filter:        "Benchmark2",
-	}
-	Run(&helper, &runConf)
-
-	expected := "PASS: check_test\\.go:[0-9]+: FixtureHelper\\.Benchmark2\t\\s+[0-9]+\t\\s+[0-9]+ ns/op\t\\s+ *[1-9]\\.[0-9]{2} MB/s\n"
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *BenchmarkS) TestBenchmarkMem(c *C) {
-	helper := FixtureHelper{sleep: 100000}
-	output := String{}
-	runConf := RunConf{
-		Output:        &output,
-		Benchmark:     true,
-		BenchmarkMem:  true,
-		BenchmarkTime: 10000000,
-		Filter:        "Benchmark3",
-	}
-	Run(&helper, &runConf)
-
-	expected := "PASS: check_test\\.go:[0-9]+: FixtureHelper\\.Benchmark3\t\\s+ [0-9]+\t\\s+ *[0-9]+ ns/op\t\\s+ [0-9]+ B/op\t\\s+ [1-9]+ allocs/op\n"
-	c.Assert(output.value, Matches, expected)
-}
diff --git a/vendor/gopkg.in/check.v1/bootstrap_test.go b/vendor/gopkg.in/check.v1/bootstrap_test.go
deleted file mode 100644
index e55f327c..00000000
--- a/vendor/gopkg.in/check.v1/bootstrap_test.go
+++ /dev/null
@@ -1,82 +0,0 @@
-// These initial tests are for bootstrapping.  They verify that we can
-// basically use the testing infrastructure itself to check if the test
-// system is working.
-//
-// These tests use will break down the test runner badly in case of
-// errors because if they simply fail, we can't be sure the developer
-// will ever see anything (because failing means the failing system
-// somehow isn't working! :-)
-//
-// Do not assume *any* internal functionality works as expected besides
-// what's actually tested here.
-
-package check_test
-
-import (
-	"fmt"
-	"gopkg.in/check.v1"
-	"strings"
-)
-
-type BootstrapS struct{}
-
-var boostrapS = check.Suite(&BootstrapS{})
-
-func (s *BootstrapS) TestCountSuite(c *check.C) {
-	suitesRun += 1
-}
-
-func (s *BootstrapS) TestFailedAndFail(c *check.C) {
-	if c.Failed() {
-		critical("c.Failed() must be false first!")
-	}
-	c.Fail()
-	if !c.Failed() {
-		critical("c.Fail() didn't put the test in a failed state!")
-	}
-	c.Succeed()
-}
-
-func (s *BootstrapS) TestFailedAndSucceed(c *check.C) {
-	c.Fail()
-	c.Succeed()
-	if c.Failed() {
-		critical("c.Succeed() didn't put the test back in a non-failed state")
-	}
-}
-
-func (s *BootstrapS) TestLogAndGetTestLog(c *check.C) {
-	c.Log("Hello there!")
-	log := c.GetTestLog()
-	if log != "Hello there!\n" {
-		critical(fmt.Sprintf("Log() or GetTestLog() is not working! Got: %#v", log))
-	}
-}
-
-func (s *BootstrapS) TestLogfAndGetTestLog(c *check.C) {
-	c.Logf("Hello %v", "there!")
-	log := c.GetTestLog()
-	if log != "Hello there!\n" {
-		critical(fmt.Sprintf("Logf() or GetTestLog() is not working! Got: %#v", log))
-	}
-}
-
-func (s *BootstrapS) TestRunShowsErrors(c *check.C) {
-	output := String{}
-	check.Run(&FailHelper{}, &check.RunConf{Output: &output})
-	if strings.Index(output.value, "Expected failure!") == -1 {
-		critical(fmt.Sprintf("RunWithWriter() output did not contain the "+
-			"expected failure! Got: %#v",
-			output.value))
-	}
-}
-
-func (s *BootstrapS) TestRunDoesntShowSuccesses(c *check.C) {
-	output := String{}
-	check.Run(&SuccessHelper{}, &check.RunConf{Output: &output})
-	if strings.Index(output.value, "Expected success!") != -1 {
-		critical(fmt.Sprintf("RunWithWriter() output contained a successful "+
-			"test! Got: %#v",
-			output.value))
-	}
-}
diff --git a/vendor/gopkg.in/check.v1/check.go b/vendor/gopkg.in/check.v1/check.go
deleted file mode 100644
index 137a2749..00000000
--- a/vendor/gopkg.in/check.v1/check.go
+++ /dev/null
@@ -1,873 +0,0 @@
-// Package check is a rich testing extension for Go's testing package.
-//
-// For details about the project, see:
-//
-//     http://labix.org/gocheck
-//
-package check
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"math/rand"
-	"os"
-	"path"
-	"path/filepath"
-	"reflect"
-	"regexp"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
-)
-
-// -----------------------------------------------------------------------
-// Internal type which deals with suite method calling.
-
-const (
-	fixtureKd = iota
-	testKd
-)
-
-type funcKind int
-
-const (
-	succeededSt = iota
-	failedSt
-	skippedSt
-	panickedSt
-	fixturePanickedSt
-	missedSt
-)
-
-type funcStatus uint32
-
-// A method value can't reach its own Method structure.
-type methodType struct {
-	reflect.Value
-	Info reflect.Method
-}
-
-func newMethod(receiver reflect.Value, i int) *methodType {
-	return &methodType{receiver.Method(i), receiver.Type().Method(i)}
-}
-
-func (method *methodType) PC() uintptr {
-	return method.Info.Func.Pointer()
-}
-
-func (method *methodType) suiteName() string {
-	t := method.Info.Type.In(0)
-	if t.Kind() == reflect.Ptr {
-		t = t.Elem()
-	}
-	return t.Name()
-}
-
-func (method *methodType) String() string {
-	return method.suiteName() + "." + method.Info.Name
-}
-
-func (method *methodType) matches(re *regexp.Regexp) bool {
-	return (re.MatchString(method.Info.Name) ||
-		re.MatchString(method.suiteName()) ||
-		re.MatchString(method.String()))
-}
-
-type C struct {
-	method    *methodType
-	kind      funcKind
-	testName  string
-	_status   funcStatus
-	logb      *logger
-	logw      io.Writer
-	done      chan *C
-	reason    string
-	mustFail  bool
-	tempDir   *tempDir
-	benchMem  bool
-	startTime time.Time
-	timer
-}
-
-func (c *C) status() funcStatus {
-	return funcStatus(atomic.LoadUint32((*uint32)(&c._status)))
-}
-
-func (c *C) setStatus(s funcStatus) {
-	atomic.StoreUint32((*uint32)(&c._status), uint32(s))
-}
-
-func (c *C) stopNow() {
-	runtime.Goexit()
-}
-
-// logger is a concurrency safe byte.Buffer
-type logger struct {
-	sync.Mutex
-	writer bytes.Buffer
-}
-
-func (l *logger) Write(buf []byte) (int, error) {
-	l.Lock()
-	defer l.Unlock()
-	return l.writer.Write(buf)
-}
-
-func (l *logger) WriteTo(w io.Writer) (int64, error) {
-	l.Lock()
-	defer l.Unlock()
-	return l.writer.WriteTo(w)
-}
-
-func (l *logger) String() string {
-	l.Lock()
-	defer l.Unlock()
-	return l.writer.String()
-}
-
-// -----------------------------------------------------------------------
-// Handling of temporary files and directories.
-
-type tempDir struct {
-	sync.Mutex
-	path    string
-	counter int
-}
-
-func (td *tempDir) newPath() string {
-	td.Lock()
-	defer td.Unlock()
-	if td.path == "" {
-		var err error
-		for i := 0; i != 100; i++ {
-			path := fmt.Sprintf("%s%ccheck-%d", os.TempDir(), os.PathSeparator, rand.Int())
-			if err = os.Mkdir(path, 0700); err == nil {
-				td.path = path
-				break
-			}
-		}
-		if td.path == "" {
-			panic("Couldn't create temporary directory: " + err.Error())
-		}
-	}
-	result := filepath.Join(td.path, strconv.Itoa(td.counter))
-	td.counter++
-	return result
-}
-
-func (td *tempDir) removeAll() {
-	td.Lock()
-	defer td.Unlock()
-	if td.path != "" {
-		err := os.RemoveAll(td.path)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "WARNING: Error cleaning up temporaries: "+err.Error())
-		}
-	}
-}
-
-// Create a new temporary directory which is automatically removed after
-// the suite finishes running.
-func (c *C) MkDir() string {
-	path := c.tempDir.newPath()
-	if err := os.Mkdir(path, 0700); err != nil {
-		panic(fmt.Sprintf("Couldn't create temporary directory %s: %s", path, err.Error()))
-	}
-	return path
-}
-
-// -----------------------------------------------------------------------
-// Low-level logging functions.
-
-func (c *C) log(args ...interface{}) {
-	c.writeLog([]byte(fmt.Sprint(args...) + "\n"))
-}
-
-func (c *C) logf(format string, args ...interface{}) {
-	c.writeLog([]byte(fmt.Sprintf(format+"\n", args...)))
-}
-
-func (c *C) logNewLine() {
-	c.writeLog([]byte{'\n'})
-}
-
-func (c *C) writeLog(buf []byte) {
-	c.logb.Write(buf)
-	if c.logw != nil {
-		c.logw.Write(buf)
-	}
-}
-
-func hasStringOrError(x interface{}) (ok bool) {
-	_, ok = x.(fmt.Stringer)
-	if ok {
-		return
-	}
-	_, ok = x.(error)
-	return
-}
-
-func (c *C) logValue(label string, value interface{}) {
-	if label == "" {
-		if hasStringOrError(value) {
-			c.logf("... %#v (%q)", value, value)
-		} else {
-			c.logf("... %#v", value)
-		}
-	} else if value == nil {
-		c.logf("... %s = nil", label)
-	} else {
-		if hasStringOrError(value) {
-			fv := fmt.Sprintf("%#v", value)
-			qv := fmt.Sprintf("%q", value)
-			if fv != qv {
-				c.logf("... %s %s = %s (%s)", label, reflect.TypeOf(value), fv, qv)
-				return
-			}
-		}
-		if s, ok := value.(string); ok && isMultiLine(s) {
-			c.logf(`... %s %s = "" +`, label, reflect.TypeOf(value))
-			c.logMultiLine(s)
-		} else {
-			c.logf("... %s %s = %#v", label, reflect.TypeOf(value), value)
-		}
-	}
-}
-
-func (c *C) logMultiLine(s string) {
-	b := make([]byte, 0, len(s)*2)
-	i := 0
-	n := len(s)
-	for i < n {
-		j := i + 1
-		for j < n && s[j-1] != '\n' {
-			j++
-		}
-		b = append(b, "...     "...)
-		b = strconv.AppendQuote(b, s[i:j])
-		if j < n {
-			b = append(b, " +"...)
-		}
-		b = append(b, '\n')
-		i = j
-	}
-	c.writeLog(b)
-}
-
-func isMultiLine(s string) bool {
-	for i := 0; i+1 < len(s); i++ {
-		if s[i] == '\n' {
-			return true
-		}
-	}
-	return false
-}
-
-func (c *C) logString(issue string) {
-	c.log("... ", issue)
-}
-
-func (c *C) logCaller(skip int) {
-	// This is a bit heavier than it ought to be.
-	skip++ // Our own frame.
-	pc, callerFile, callerLine, ok := runtime.Caller(skip)
-	if !ok {
-		return
-	}
-	var testFile string
-	var testLine int
-	testFunc := runtime.FuncForPC(c.method.PC())
-	if runtime.FuncForPC(pc) != testFunc {
-		for {
-			skip++
-			if pc, file, line, ok := runtime.Caller(skip); ok {
-				// Note that the test line may be different on
-				// distinct calls for the same test.  Showing
-				// the "internal" line is helpful when debugging.
-				if runtime.FuncForPC(pc) == testFunc {
-					testFile, testLine = file, line
-					break
-				}
-			} else {
-				break
-			}
-		}
-	}
-	if testFile != "" && (testFile != callerFile || testLine != callerLine) {
-		c.logCode(testFile, testLine)
-	}
-	c.logCode(callerFile, callerLine)
-}
-
-func (c *C) logCode(path string, line int) {
-	c.logf("%s:%d:", nicePath(path), line)
-	code, err := printLine(path, line)
-	if code == "" {
-		code = "..." // XXX Open the file and take the raw line.
-		if err != nil {
-			code += err.Error()
-		}
-	}
-	c.log(indent(code, "    "))
-}
-
-var valueGo = filepath.Join("reflect", "value.go")
-var asmGo = filepath.Join("runtime", "asm_")
-
-func (c *C) logPanic(skip int, value interface{}) {
-	skip++ // Our own frame.
-	initialSkip := skip
-	for ; ; skip++ {
-		if pc, file, line, ok := runtime.Caller(skip); ok {
-			if skip == initialSkip {
-				c.logf("... Panic: %s (PC=0x%X)\n", value, pc)
-			}
-			name := niceFuncName(pc)
-			path := nicePath(file)
-			if strings.Contains(path, "/gopkg.in/check.v") {
-				continue
-			}
-			if name == "Value.call" && strings.HasSuffix(path, valueGo) {
-				continue
-			}
-			if (name == "call16" || name == "call32") && strings.Contains(path, asmGo) {
-				continue
-			}
-			c.logf("%s:%d\n  in %s", nicePath(file), line, name)
-		} else {
-			break
-		}
-	}
-}
-
-func (c *C) logSoftPanic(issue string) {
-	c.log("... Panic: ", issue)
-}
-
-func (c *C) logArgPanic(method *methodType, expectedType string) {
-	c.logf("... Panic: %s argument should be %s",
-		niceFuncName(method.PC()), expectedType)
-}
-
-// -----------------------------------------------------------------------
-// Some simple formatting helpers.
-
-var initWD, initWDErr = os.Getwd()
-
-func init() {
-	if initWDErr == nil {
-		initWD = strings.Replace(initWD, "\\", "/", -1) + "/"
-	}
-}
-
-func nicePath(path string) string {
-	if initWDErr == nil {
-		if strings.HasPrefix(path, initWD) {
-			return path[len(initWD):]
-		}
-	}
-	return path
-}
-
-func niceFuncPath(pc uintptr) string {
-	function := runtime.FuncForPC(pc)
-	if function != nil {
-		filename, line := function.FileLine(pc)
-		return fmt.Sprintf("%s:%d", nicePath(filename), line)
-	}
-	return "<unknown path>"
-}
-
-func niceFuncName(pc uintptr) string {
-	function := runtime.FuncForPC(pc)
-	if function != nil {
-		name := path.Base(function.Name())
-		if i := strings.Index(name, "."); i > 0 {
-			name = name[i+1:]
-		}
-		if strings.HasPrefix(name, "(*") {
-			if i := strings.Index(name, ")"); i > 0 {
-				name = name[2:i] + name[i+1:]
-			}
-		}
-		if i := strings.LastIndex(name, ".*"); i != -1 {
-			name = name[:i] + "." + name[i+2:]
-		}
-		if i := strings.LastIndex(name, "·"); i != -1 {
-			name = name[:i] + "." + name[i+2:]
-		}
-		return name
-	}
-	return "<unknown function>"
-}
-
-// -----------------------------------------------------------------------
-// Result tracker to aggregate call results.
-
-type Result struct {
-	Succeeded        int
-	Failed           int
-	Skipped          int
-	Panicked         int
-	FixturePanicked  int
-	ExpectedFailures int
-	Missed           int    // Not even tried to run, related to a panic in the fixture.
-	RunError         error  // Houston, we've got a problem.
-	WorkDir          string // If KeepWorkDir is true
-}
-
-type resultTracker struct {
-	result          Result
-	_lastWasProblem bool
-	_waiting        int
-	_missed         int
-	_expectChan     chan *C
-	_doneChan       chan *C
-	_stopChan       chan bool
-}
-
-func newResultTracker() *resultTracker {
-	return &resultTracker{_expectChan: make(chan *C), // Synchronous
-		_doneChan: make(chan *C, 32), // Asynchronous
-		_stopChan: make(chan bool)}   // Synchronous
-}
-
-func (tracker *resultTracker) start() {
-	go tracker._loopRoutine()
-}
-
-func (tracker *resultTracker) waitAndStop() {
-	<-tracker._stopChan
-}
-
-func (tracker *resultTracker) expectCall(c *C) {
-	tracker._expectChan <- c
-}
-
-func (tracker *resultTracker) callDone(c *C) {
-	tracker._doneChan <- c
-}
-
-func (tracker *resultTracker) _loopRoutine() {
-	for {
-		var c *C
-		if tracker._waiting > 0 {
-			// Calls still running. Can't stop.
-			select {
-			// XXX Reindent this (not now to make diff clear)
-			case <-tracker._expectChan:
-				tracker._waiting++
-			case c = <-tracker._doneChan:
-				tracker._waiting--
-				switch c.status() {
-				case succeededSt:
-					if c.kind == testKd {
-						if c.mustFail {
-							tracker.result.ExpectedFailures++
-						} else {
-							tracker.result.Succeeded++
-						}
-					}
-				case failedSt:
-					tracker.result.Failed++
-				case panickedSt:
-					if c.kind == fixtureKd {
-						tracker.result.FixturePanicked++
-					} else {
-						tracker.result.Panicked++
-					}
-				case fixturePanickedSt:
-					// Track it as missed, since the panic
-					// was on the fixture, not on the test.
-					tracker.result.Missed++
-				case missedSt:
-					tracker.result.Missed++
-				case skippedSt:
-					if c.kind == testKd {
-						tracker.result.Skipped++
-					}
-				}
-			}
-		} else {
-			// No calls.  Can stop, but no done calls here.
-			select {
-			case tracker._stopChan <- true:
-				return
-			case <-tracker._expectChan:
-				tracker._waiting++
-			case <-tracker._doneChan:
-				panic("Tracker got an unexpected done call.")
-			}
-		}
-	}
-}
-
-// -----------------------------------------------------------------------
-// The underlying suite runner.
-
-type suiteRunner struct {
-	suite                     interface{}
-	setUpSuite, tearDownSuite *methodType
-	setUpTest, tearDownTest   *methodType
-	tests                     []*methodType
-	tracker                   *resultTracker
-	tempDir                   *tempDir
-	keepDir                   bool
-	output                    *outputWriter
-	reportedProblemLast       bool
-	benchTime                 time.Duration
-	benchMem                  bool
-}
-
-type RunConf struct {
-	Output        io.Writer
-	Stream        bool
-	Verbose       bool
-	Filter        string
-	Benchmark     bool
-	BenchmarkTime time.Duration // Defaults to 1 second
-	BenchmarkMem  bool
-	KeepWorkDir   bool
-}
-
-// Create a new suiteRunner able to run all methods in the given suite.
-func newSuiteRunner(suite interface{}, runConf *RunConf) *suiteRunner {
-	var conf RunConf
-	if runConf != nil {
-		conf = *runConf
-	}
-	if conf.Output == nil {
-		conf.Output = os.Stdout
-	}
-	if conf.Benchmark {
-		conf.Verbose = true
-	}
-
-	suiteType := reflect.TypeOf(suite)
-	suiteNumMethods := suiteType.NumMethod()
-	suiteValue := reflect.ValueOf(suite)
-
-	runner := &suiteRunner{
-		suite:     suite,
-		output:    newOutputWriter(conf.Output, conf.Stream, conf.Verbose),
-		tracker:   newResultTracker(),
-		benchTime: conf.BenchmarkTime,
-		benchMem:  conf.BenchmarkMem,
-		tempDir:   &tempDir{},
-		keepDir:   conf.KeepWorkDir,
-		tests:     make([]*methodType, 0, suiteNumMethods),
-	}
-	if runner.benchTime == 0 {
-		runner.benchTime = 1 * time.Second
-	}
-
-	var filterRegexp *regexp.Regexp
-	if conf.Filter != "" {
-		regexp, err := regexp.Compile(conf.Filter)
-		if err != nil {
-			msg := "Bad filter expression: " + err.Error()
-			runner.tracker.result.RunError = errors.New(msg)
-			return runner
-		}
-		filterRegexp = regexp
-	}
-
-	for i := 0; i != suiteNumMethods; i++ {
-		method := newMethod(suiteValue, i)
-		switch method.Info.Name {
-		case "SetUpSuite":
-			runner.setUpSuite = method
-		case "TearDownSuite":
-			runner.tearDownSuite = method
-		case "SetUpTest":
-			runner.setUpTest = method
-		case "TearDownTest":
-			runner.tearDownTest = method
-		default:
-			prefix := "Test"
-			if conf.Benchmark {
-				prefix = "Benchmark"
-			}
-			if !strings.HasPrefix(method.Info.Name, prefix) {
-				continue
-			}
-			if filterRegexp == nil || method.matches(filterRegexp) {
-				runner.tests = append(runner.tests, method)
-			}
-		}
-	}
-	return runner
-}
-
-// Run all methods in the given suite.
-func (runner *suiteRunner) run() *Result {
-	if runner.tracker.result.RunError == nil && len(runner.tests) > 0 {
-		runner.tracker.start()
-		if runner.checkFixtureArgs() {
-			c := runner.runFixture(runner.setUpSuite, "", nil)
-			if c == nil || c.status() == succeededSt {
-				for i := 0; i != len(runner.tests); i++ {
-					c := runner.runTest(runner.tests[i])
-					if c.status() == fixturePanickedSt {
-						runner.skipTests(missedSt, runner.tests[i+1:])
-						break
-					}
-				}
-			} else if c != nil && c.status() == skippedSt {
-				runner.skipTests(skippedSt, runner.tests)
-			} else {
-				runner.skipTests(missedSt, runner.tests)
-			}
-			runner.runFixture(runner.tearDownSuite, "", nil)
-		} else {
-			runner.skipTests(missedSt, runner.tests)
-		}
-		runner.tracker.waitAndStop()
-		if runner.keepDir {
-			runner.tracker.result.WorkDir = runner.tempDir.path
-		} else {
-			runner.tempDir.removeAll()
-		}
-	}
-	return &runner.tracker.result
-}
-
-// Create a call object with the given suite method, and fork a
-// goroutine with the provided dispatcher for running it.
-func (runner *suiteRunner) forkCall(method *methodType, kind funcKind, testName string, logb *logger, dispatcher func(c *C)) *C {
-	var logw io.Writer
-	if runner.output.Stream {
-		logw = runner.output
-	}
-	if logb == nil {
-		logb = new(logger)
-	}
-	c := &C{
-		method:    method,
-		kind:      kind,
-		testName:  testName,
-		logb:      logb,
-		logw:      logw,
-		tempDir:   runner.tempDir,
-		done:      make(chan *C, 1),
-		timer:     timer{benchTime: runner.benchTime},
-		startTime: time.Now(),
-		benchMem:  runner.benchMem,
-	}
-	runner.tracker.expectCall(c)
-	go (func() {
-		runner.reportCallStarted(c)
-		defer runner.callDone(c)
-		dispatcher(c)
-	})()
-	return c
-}
-
-// Same as forkCall(), but wait for call to finish before returning.
-func (runner *suiteRunner) runFunc(method *methodType, kind funcKind, testName string, logb *logger, dispatcher func(c *C)) *C {
-	c := runner.forkCall(method, kind, testName, logb, dispatcher)
-	<-c.done
-	return c
-}
-
-// Handle a finished call.  If there were any panics, update the call status
-// accordingly.  Then, mark the call as done and report to the tracker.
-func (runner *suiteRunner) callDone(c *C) {
-	value := recover()
-	if value != nil {
-		switch v := value.(type) {
-		case *fixturePanic:
-			if v.status == skippedSt {
-				c.setStatus(skippedSt)
-			} else {
-				c.logSoftPanic("Fixture has panicked (see related PANIC)")
-				c.setStatus(fixturePanickedSt)
-			}
-		default:
-			c.logPanic(1, value)
-			c.setStatus(panickedSt)
-		}
-	}
-	if c.mustFail {
-		switch c.status() {
-		case failedSt:
-			c.setStatus(succeededSt)
-		case succeededSt:
-			c.setStatus(failedSt)
-			c.logString("Error: Test succeeded, but was expected to fail")
-			c.logString("Reason: " + c.reason)
-		}
-	}
-
-	runner.reportCallDone(c)
-	c.done <- c
-}
-
-// Runs a fixture call synchronously.  The fixture will still be run in a
-// goroutine like all suite methods, but this method will not return
-// while the fixture goroutine is not done, because the fixture must be
-// run in a desired order.
-func (runner *suiteRunner) runFixture(method *methodType, testName string, logb *logger) *C {
-	if method != nil {
-		c := runner.runFunc(method, fixtureKd, testName, logb, func(c *C) {
-			c.ResetTimer()
-			c.StartTimer()
-			defer c.StopTimer()
-			c.method.Call([]reflect.Value{reflect.ValueOf(c)})
-		})
-		return c
-	}
-	return nil
-}
-
-// Run the fixture method with runFixture(), but panic with a fixturePanic{}
-// in case the fixture method panics.  This makes it easier to track the
-// fixture panic together with other call panics within forkTest().
-func (runner *suiteRunner) runFixtureWithPanic(method *methodType, testName string, logb *logger, skipped *bool) *C {
-	if skipped != nil && *skipped {
-		return nil
-	}
-	c := runner.runFixture(method, testName, logb)
-	if c != nil && c.status() != succeededSt {
-		if skipped != nil {
-			*skipped = c.status() == skippedSt
-		}
-		panic(&fixturePanic{c.status(), method})
-	}
-	return c
-}
-
-type fixturePanic struct {
-	status funcStatus
-	method *methodType
-}
-
-// Run the suite test method, together with the test-specific fixture,
-// asynchronously.
-func (runner *suiteRunner) forkTest(method *methodType) *C {
-	testName := method.String()
-	return runner.forkCall(method, testKd, testName, nil, func(c *C) {
-		var skipped bool
-		defer runner.runFixtureWithPanic(runner.tearDownTest, testName, nil, &skipped)
-		defer c.StopTimer()
-		benchN := 1
-		for {
-			runner.runFixtureWithPanic(runner.setUpTest, testName, c.logb, &skipped)
-			mt := c.method.Type()
-			if mt.NumIn() != 1 || mt.In(0) != reflect.TypeOf(c) {
-				// Rather than a plain panic, provide a more helpful message when
-				// the argument type is incorrect.
-				c.setStatus(panickedSt)
-				c.logArgPanic(c.method, "*check.C")
-				return
-			}
-			if strings.HasPrefix(c.method.Info.Name, "Test") {
-				c.ResetTimer()
-				c.StartTimer()
-				c.method.Call([]reflect.Value{reflect.ValueOf(c)})
-				return
-			}
-			if !strings.HasPrefix(c.method.Info.Name, "Benchmark") {
-				panic("unexpected method prefix: " + c.method.Info.Name)
-			}
-
-			runtime.GC()
-			c.N = benchN
-			c.ResetTimer()
-			c.StartTimer()
-			c.method.Call([]reflect.Value{reflect.ValueOf(c)})
-			c.StopTimer()
-			if c.status() != succeededSt || c.duration >= c.benchTime || benchN >= 1e9 {
-				return
-			}
-			perOpN := int(1e9)
-			if c.nsPerOp() != 0 {
-				perOpN = int(c.benchTime.Nanoseconds() / c.nsPerOp())
-			}
-
-			// Logic taken from the stock testing package:
-			// - Run more iterations than we think we'll need for a second (1.5x).
-			// - Don't grow too fast in case we had timing errors previously.
-			// - Be sure to run at least one more than last time.
-			benchN = max(min(perOpN+perOpN/2, 100*benchN), benchN+1)
-			benchN = roundUp(benchN)
-
-			skipped = true // Don't run the deferred one if this panics.
-			runner.runFixtureWithPanic(runner.tearDownTest, testName, nil, nil)
-			skipped = false
-		}
-	})
-}
-
-// Same as forkTest(), but wait for the test to finish before returning.
-func (runner *suiteRunner) runTest(method *methodType) *C {
-	c := runner.forkTest(method)
-	<-c.done
-	return c
-}
-
-// Helper to mark tests as skipped or missed.  A bit heavy for what
-// it does, but it enables homogeneous handling of tracking, including
-// nice verbose output.
-func (runner *suiteRunner) skipTests(status funcStatus, methods []*methodType) {
-	for _, method := range methods {
-		runner.runFunc(method, testKd, "", nil, func(c *C) {
-			c.setStatus(status)
-		})
-	}
-}
-
-// Verify if the fixture arguments are *check.C.  In case of errors,
-// log the error as a panic in the fixture method call, and return false.
-func (runner *suiteRunner) checkFixtureArgs() bool {
-	succeeded := true
-	argType := reflect.TypeOf(&C{})
-	for _, method := range []*methodType{runner.setUpSuite, runner.tearDownSuite, runner.setUpTest, runner.tearDownTest} {
-		if method != nil {
-			mt := method.Type()
-			if mt.NumIn() != 1 || mt.In(0) != argType {
-				succeeded = false
-				runner.runFunc(method, fixtureKd, "", nil, func(c *C) {
-					c.logArgPanic(method, "*check.C")
-					c.setStatus(panickedSt)
-				})
-			}
-		}
-	}
-	return succeeded
-}
-
-func (runner *suiteRunner) reportCallStarted(c *C) {
-	runner.output.WriteCallStarted("START", c)
-}
-
-func (runner *suiteRunner) reportCallDone(c *C) {
-	runner.tracker.callDone(c)
-	switch c.status() {
-	case succeededSt:
-		if c.mustFail {
-			runner.output.WriteCallSuccess("FAIL EXPECTED", c)
-		} else {
-			runner.output.WriteCallSuccess("PASS", c)
-		}
-	case skippedSt:
-		runner.output.WriteCallSuccess("SKIP", c)
-	case failedSt:
-		runner.output.WriteCallProblem("FAIL", c)
-	case panickedSt:
-		runner.output.WriteCallProblem("PANIC", c)
-	case fixturePanickedSt:
-		// That's a testKd call reporting that its fixture
-		// has panicked. The fixture call which caused the
-		// panic itself was tracked above. We'll report to
-		// aid debugging.
-		runner.output.WriteCallProblem("PANIC", c)
-	case missedSt:
-		runner.output.WriteCallSuccess("MISS", c)
-	}
-}
diff --git a/vendor/gopkg.in/check.v1/check_test.go b/vendor/gopkg.in/check.v1/check_test.go
deleted file mode 100644
index 871b3252..00000000
--- a/vendor/gopkg.in/check.v1/check_test.go
+++ /dev/null
@@ -1,207 +0,0 @@
-// This file contains just a few generic helpers which are used by the
-// other test files.
-
-package check_test
-
-import (
-	"flag"
-	"fmt"
-	"os"
-	"regexp"
-	"runtime"
-	"testing"
-	"time"
-
-	"gopkg.in/check.v1"
-)
-
-// We count the number of suites run at least to get a vague hint that the
-// test suite is behaving as it should.  Otherwise a bug introduced at the
-// very core of the system could go unperceived.
-const suitesRunExpected = 8
-
-var suitesRun int = 0
-
-func Test(t *testing.T) {
-	check.TestingT(t)
-	if suitesRun != suitesRunExpected && flag.Lookup("check.f").Value.String() == "" {
-		critical(fmt.Sprintf("Expected %d suites to run rather than %d",
-			suitesRunExpected, suitesRun))
-	}
-}
-
-// -----------------------------------------------------------------------
-// Helper functions.
-
-// Break down badly.  This is used in test cases which can't yet assume
-// that the fundamental bits are working.
-func critical(error string) {
-	fmt.Fprintln(os.Stderr, "CRITICAL: "+error)
-	os.Exit(1)
-}
-
-// Return the file line where it's called.
-func getMyLine() int {
-	if _, _, line, ok := runtime.Caller(1); ok {
-		return line
-	}
-	return -1
-}
-
-// -----------------------------------------------------------------------
-// Helper type implementing a basic io.Writer for testing output.
-
-// Type implementing the io.Writer interface for analyzing output.
-type String struct {
-	value string
-}
-
-// The only function required by the io.Writer interface.  Will append
-// written data to the String.value string.
-func (s *String) Write(p []byte) (n int, err error) {
-	s.value += string(p)
-	return len(p), nil
-}
-
-// Trivial wrapper to test errors happening on a different file
-// than the test itself.
-func checkEqualWrapper(c *check.C, obtained, expected interface{}) (result bool, line int) {
-	return c.Check(obtained, check.Equals, expected), getMyLine()
-}
-
-// -----------------------------------------------------------------------
-// Helper suite for testing basic fail behavior.
-
-type FailHelper struct {
-	testLine int
-}
-
-func (s *FailHelper) TestLogAndFail(c *check.C) {
-	s.testLine = getMyLine() - 1
-	c.Log("Expected failure!")
-	c.Fail()
-}
-
-// -----------------------------------------------------------------------
-// Helper suite for testing basic success behavior.
-
-type SuccessHelper struct{}
-
-func (s *SuccessHelper) TestLogAndSucceed(c *check.C) {
-	c.Log("Expected success!")
-}
-
-// -----------------------------------------------------------------------
-// Helper suite for testing ordering and behavior of fixture.
-
-type FixtureHelper struct {
-	calls   []string
-	panicOn string
-	skip    bool
-	skipOnN int
-	sleepOn string
-	sleep   time.Duration
-	bytes   int64
-}
-
-func (s *FixtureHelper) trace(name string, c *check.C) {
-	s.calls = append(s.calls, name)
-	if name == s.panicOn {
-		panic(name)
-	}
-	if s.sleep > 0 && s.sleepOn == name {
-		time.Sleep(s.sleep)
-	}
-	if s.skip && s.skipOnN == len(s.calls)-1 {
-		c.Skip("skipOnN == n")
-	}
-}
-
-func (s *FixtureHelper) SetUpSuite(c *check.C) {
-	s.trace("SetUpSuite", c)
-}
-
-func (s *FixtureHelper) TearDownSuite(c *check.C) {
-	s.trace("TearDownSuite", c)
-}
-
-func (s *FixtureHelper) SetUpTest(c *check.C) {
-	s.trace("SetUpTest", c)
-}
-
-func (s *FixtureHelper) TearDownTest(c *check.C) {
-	s.trace("TearDownTest", c)
-}
-
-func (s *FixtureHelper) Test1(c *check.C) {
-	s.trace("Test1", c)
-}
-
-func (s *FixtureHelper) Test2(c *check.C) {
-	s.trace("Test2", c)
-}
-
-func (s *FixtureHelper) Benchmark1(c *check.C) {
-	s.trace("Benchmark1", c)
-	for i := 0; i < c.N; i++ {
-		time.Sleep(s.sleep)
-	}
-}
-
-func (s *FixtureHelper) Benchmark2(c *check.C) {
-	s.trace("Benchmark2", c)
-	c.SetBytes(1024)
-	for i := 0; i < c.N; i++ {
-		time.Sleep(s.sleep)
-	}
-}
-
-func (s *FixtureHelper) Benchmark3(c *check.C) {
-	var x []int64
-	s.trace("Benchmark3", c)
-	for i := 0; i < c.N; i++ {
-		time.Sleep(s.sleep)
-		x = make([]int64, 5)
-		_ = x
-	}
-}
-
-// -----------------------------------------------------------------------
-// Helper which checks the state of the test and ensures that it matches
-// the given expectations.  Depends on c.Errorf() working, so shouldn't
-// be used to test this one function.
-
-type expectedState struct {
-	name   string
-	result interface{}
-	failed bool
-	log    string
-}
-
-// Verify the state of the test.  Note that since this also verifies if
-// the test is supposed to be in a failed state, no other checks should
-// be done in addition to what is being tested.
-func checkState(c *check.C, result interface{}, expected *expectedState) {
-	failed := c.Failed()
-	c.Succeed()
-	log := c.GetTestLog()
-	matched, matchError := regexp.MatchString("^"+expected.log+"$", log)
-	if matchError != nil {
-		c.Errorf("Error in matching expression used in testing %s",
-			expected.name)
-	} else if !matched {
-		c.Errorf("%s logged:\n----------\n%s----------\n\nExpected:\n----------\n%s\n----------",
-			expected.name, log, expected.log)
-	}
-	if result != expected.result {
-		c.Errorf("%s returned %#v rather than %#v",
-			expected.name, result, expected.result)
-	}
-	if failed != expected.failed {
-		if failed {
-			c.Errorf("%s has failed when it shouldn't", expected.name)
-		} else {
-			c.Errorf("%s has not failed when it should", expected.name)
-		}
-	}
-}
diff --git a/vendor/gopkg.in/check.v1/checkers.go b/vendor/gopkg.in/check.v1/checkers.go
deleted file mode 100644
index 37495458..00000000
--- a/vendor/gopkg.in/check.v1/checkers.go
+++ /dev/null
@@ -1,458 +0,0 @@
-package check
-
-import (
-	"fmt"
-	"reflect"
-	"regexp"
-)
-
-// -----------------------------------------------------------------------
-// CommentInterface and Commentf helper, to attach extra information to checks.
-
-type comment struct {
-	format string
-	args   []interface{}
-}
-
-// Commentf returns an infomational value to use with Assert or Check calls.
-// If the checker test fails, the provided arguments will be passed to
-// fmt.Sprintf, and will be presented next to the logged failure.
-//
-// For example:
-//
-//     c.Assert(v, Equals, 42, Commentf("Iteration #%d failed.", i))
-//
-// Note that if the comment is constant, a better option is to
-// simply use a normal comment right above or next to the line, as
-// it will also get printed with any errors:
-//
-//     c.Assert(l, Equals, 8192) // Ensure buffer size is correct (bug #123)
-//
-func Commentf(format string, args ...interface{}) CommentInterface {
-	return &comment{format, args}
-}
-
-// CommentInterface must be implemented by types that attach extra
-// information to failed checks. See the Commentf function for details.
-type CommentInterface interface {
-	CheckCommentString() string
-}
-
-func (c *comment) CheckCommentString() string {
-	return fmt.Sprintf(c.format, c.args...)
-}
-
-// -----------------------------------------------------------------------
-// The Checker interface.
-
-// The Checker interface must be provided by checkers used with
-// the Assert and Check verification methods.
-type Checker interface {
-	Info() *CheckerInfo
-	Check(params []interface{}, names []string) (result bool, error string)
-}
-
-// See the Checker interface.
-type CheckerInfo struct {
-	Name   string
-	Params []string
-}
-
-func (info *CheckerInfo) Info() *CheckerInfo {
-	return info
-}
-
-// -----------------------------------------------------------------------
-// Not checker logic inverter.
-
-// The Not checker inverts the logic of the provided checker.  The
-// resulting checker will succeed where the original one failed, and
-// vice-versa.
-//
-// For example:
-//
-//     c.Assert(a, Not(Equals), b)
-//
-func Not(checker Checker) Checker {
-	return &notChecker{checker}
-}
-
-type notChecker struct {
-	sub Checker
-}
-
-func (checker *notChecker) Info() *CheckerInfo {
-	info := *checker.sub.Info()
-	info.Name = "Not(" + info.Name + ")"
-	return &info
-}
-
-func (checker *notChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	result, error = checker.sub.Check(params, names)
-	result = !result
-	return
-}
-
-// -----------------------------------------------------------------------
-// IsNil checker.
-
-type isNilChecker struct {
-	*CheckerInfo
-}
-
-// The IsNil checker tests whether the obtained value is nil.
-//
-// For example:
-//
-//    c.Assert(err, IsNil)
-//
-var IsNil Checker = &isNilChecker{
-	&CheckerInfo{Name: "IsNil", Params: []string{"value"}},
-}
-
-func (checker *isNilChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	return isNil(params[0]), ""
-}
-
-func isNil(obtained interface{}) (result bool) {
-	if obtained == nil {
-		result = true
-	} else {
-		switch v := reflect.ValueOf(obtained); v.Kind() {
-		case reflect.Chan, reflect.Func, reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice:
-			return v.IsNil()
-		}
-	}
-	return
-}
-
-// -----------------------------------------------------------------------
-// NotNil checker. Alias for Not(IsNil), since it's so common.
-
-type notNilChecker struct {
-	*CheckerInfo
-}
-
-// The NotNil checker verifies that the obtained value is not nil.
-//
-// For example:
-//
-//     c.Assert(iface, NotNil)
-//
-// This is an alias for Not(IsNil), made available since it's a
-// fairly common check.
-//
-var NotNil Checker = &notNilChecker{
-	&CheckerInfo{Name: "NotNil", Params: []string{"value"}},
-}
-
-func (checker *notNilChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	return !isNil(params[0]), ""
-}
-
-// -----------------------------------------------------------------------
-// Equals checker.
-
-type equalsChecker struct {
-	*CheckerInfo
-}
-
-// The Equals checker verifies that the obtained value is equal to
-// the expected value, according to usual Go semantics for ==.
-//
-// For example:
-//
-//     c.Assert(value, Equals, 42)
-//
-var Equals Checker = &equalsChecker{
-	&CheckerInfo{Name: "Equals", Params: []string{"obtained", "expected"}},
-}
-
-func (checker *equalsChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	defer func() {
-		if v := recover(); v != nil {
-			result = false
-			error = fmt.Sprint(v)
-		}
-	}()
-	return params[0] == params[1], ""
-}
-
-// -----------------------------------------------------------------------
-// DeepEquals checker.
-
-type deepEqualsChecker struct {
-	*CheckerInfo
-}
-
-// The DeepEquals checker verifies that the obtained value is deep-equal to
-// the expected value.  The check will work correctly even when facing
-// slices, interfaces, and values of different types (which always fail
-// the test).
-//
-// For example:
-//
-//     c.Assert(value, DeepEquals, 42)
-//     c.Assert(array, DeepEquals, []string{"hi", "there"})
-//
-var DeepEquals Checker = &deepEqualsChecker{
-	&CheckerInfo{Name: "DeepEquals", Params: []string{"obtained", "expected"}},
-}
-
-func (checker *deepEqualsChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	return reflect.DeepEqual(params[0], params[1]), ""
-}
-
-// -----------------------------------------------------------------------
-// HasLen checker.
-
-type hasLenChecker struct {
-	*CheckerInfo
-}
-
-// The HasLen checker verifies that the obtained value has the
-// provided length. In many cases this is superior to using Equals
-// in conjunction with the len function because in case the check
-// fails the value itself will be printed, instead of its length,
-// providing more details for figuring the problem.
-//
-// For example:
-//
-//     c.Assert(list, HasLen, 5)
-//
-var HasLen Checker = &hasLenChecker{
-	&CheckerInfo{Name: "HasLen", Params: []string{"obtained", "n"}},
-}
-
-func (checker *hasLenChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	n, ok := params[1].(int)
-	if !ok {
-		return false, "n must be an int"
-	}
-	value := reflect.ValueOf(params[0])
-	switch value.Kind() {
-	case reflect.Map, reflect.Array, reflect.Slice, reflect.Chan, reflect.String:
-	default:
-		return false, "obtained value type has no length"
-	}
-	return value.Len() == n, ""
-}
-
-// -----------------------------------------------------------------------
-// ErrorMatches checker.
-
-type errorMatchesChecker struct {
-	*CheckerInfo
-}
-
-// The ErrorMatches checker verifies that the error value
-// is non nil and matches the regular expression provided.
-//
-// For example:
-//
-//     c.Assert(err, ErrorMatches, "perm.*denied")
-//
-var ErrorMatches Checker = errorMatchesChecker{
-	&CheckerInfo{Name: "ErrorMatches", Params: []string{"value", "regex"}},
-}
-
-func (checker errorMatchesChecker) Check(params []interface{}, names []string) (result bool, errStr string) {
-	if params[0] == nil {
-		return false, "Error value is nil"
-	}
-	err, ok := params[0].(error)
-	if !ok {
-		return false, "Value is not an error"
-	}
-	params[0] = err.Error()
-	names[0] = "error"
-	return matches(params[0], params[1])
-}
-
-// -----------------------------------------------------------------------
-// Matches checker.
-
-type matchesChecker struct {
-	*CheckerInfo
-}
-
-// The Matches checker verifies that the string provided as the obtained
-// value (or the string resulting from obtained.String()) matches the
-// regular expression provided.
-//
-// For example:
-//
-//     c.Assert(err, Matches, "perm.*denied")
-//
-var Matches Checker = &matchesChecker{
-	&CheckerInfo{Name: "Matches", Params: []string{"value", "regex"}},
-}
-
-func (checker *matchesChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	return matches(params[0], params[1])
-}
-
-func matches(value, regex interface{}) (result bool, error string) {
-	reStr, ok := regex.(string)
-	if !ok {
-		return false, "Regex must be a string"
-	}
-	valueStr, valueIsStr := value.(string)
-	if !valueIsStr {
-		if valueWithStr, valueHasStr := value.(fmt.Stringer); valueHasStr {
-			valueStr, valueIsStr = valueWithStr.String(), true
-		}
-	}
-	if valueIsStr {
-		matches, err := regexp.MatchString("^"+reStr+"$", valueStr)
-		if err != nil {
-			return false, "Can't compile regex: " + err.Error()
-		}
-		return matches, ""
-	}
-	return false, "Obtained value is not a string and has no .String()"
-}
-
-// -----------------------------------------------------------------------
-// Panics checker.
-
-type panicsChecker struct {
-	*CheckerInfo
-}
-
-// The Panics checker verifies that calling the provided zero-argument
-// function will cause a panic which is deep-equal to the provided value.
-//
-// For example:
-//
-//     c.Assert(func() { f(1, 2) }, Panics, &SomeErrorType{"BOOM"}).
-//
-//
-var Panics Checker = &panicsChecker{
-	&CheckerInfo{Name: "Panics", Params: []string{"function", "expected"}},
-}
-
-func (checker *panicsChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	f := reflect.ValueOf(params[0])
-	if f.Kind() != reflect.Func || f.Type().NumIn() != 0 {
-		return false, "Function must take zero arguments"
-	}
-	defer func() {
-		// If the function has not panicked, then don't do the check.
-		if error != "" {
-			return
-		}
-		params[0] = recover()
-		names[0] = "panic"
-		result = reflect.DeepEqual(params[0], params[1])
-	}()
-	f.Call(nil)
-	return false, "Function has not panicked"
-}
-
-type panicMatchesChecker struct {
-	*CheckerInfo
-}
-
-// The PanicMatches checker verifies that calling the provided zero-argument
-// function will cause a panic with an error value matching
-// the regular expression provided.
-//
-// For example:
-//
-//     c.Assert(func() { f(1, 2) }, PanicMatches, `open.*: no such file or directory`).
-//
-//
-var PanicMatches Checker = &panicMatchesChecker{
-	&CheckerInfo{Name: "PanicMatches", Params: []string{"function", "expected"}},
-}
-
-func (checker *panicMatchesChecker) Check(params []interface{}, names []string) (result bool, errmsg string) {
-	f := reflect.ValueOf(params[0])
-	if f.Kind() != reflect.Func || f.Type().NumIn() != 0 {
-		return false, "Function must take zero arguments"
-	}
-	defer func() {
-		// If the function has not panicked, then don't do the check.
-		if errmsg != "" {
-			return
-		}
-		obtained := recover()
-		names[0] = "panic"
-		if e, ok := obtained.(error); ok {
-			params[0] = e.Error()
-		} else if _, ok := obtained.(string); ok {
-			params[0] = obtained
-		} else {
-			errmsg = "Panic value is not a string or an error"
-			return
-		}
-		result, errmsg = matches(params[0], params[1])
-	}()
-	f.Call(nil)
-	return false, "Function has not panicked"
-}
-
-// -----------------------------------------------------------------------
-// FitsTypeOf checker.
-
-type fitsTypeChecker struct {
-	*CheckerInfo
-}
-
-// The FitsTypeOf checker verifies that the obtained value is
-// assignable to a variable with the same type as the provided
-// sample value.
-//
-// For example:
-//
-//     c.Assert(value, FitsTypeOf, int64(0))
-//     c.Assert(value, FitsTypeOf, os.Error(nil))
-//
-var FitsTypeOf Checker = &fitsTypeChecker{
-	&CheckerInfo{Name: "FitsTypeOf", Params: []string{"obtained", "sample"}},
-}
-
-func (checker *fitsTypeChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	obtained := reflect.ValueOf(params[0])
-	sample := reflect.ValueOf(params[1])
-	if !obtained.IsValid() {
-		return false, ""
-	}
-	if !sample.IsValid() {
-		return false, "Invalid sample value"
-	}
-	return obtained.Type().AssignableTo(sample.Type()), ""
-}
-
-// -----------------------------------------------------------------------
-// Implements checker.
-
-type implementsChecker struct {
-	*CheckerInfo
-}
-
-// The Implements checker verifies that the obtained value
-// implements the interface specified via a pointer to an interface
-// variable.
-//
-// For example:
-//
-//     var e os.Error
-//     c.Assert(err, Implements, &e)
-//
-var Implements Checker = &implementsChecker{
-	&CheckerInfo{Name: "Implements", Params: []string{"obtained", "ifaceptr"}},
-}
-
-func (checker *implementsChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	obtained := reflect.ValueOf(params[0])
-	ifaceptr := reflect.ValueOf(params[1])
-	if !obtained.IsValid() {
-		return false, ""
-	}
-	if !ifaceptr.IsValid() || ifaceptr.Kind() != reflect.Ptr || ifaceptr.Elem().Kind() != reflect.Interface {
-		return false, "ifaceptr should be a pointer to an interface variable"
-	}
-	return obtained.Type().Implements(ifaceptr.Elem().Type()), ""
-}
diff --git a/vendor/gopkg.in/check.v1/checkers_test.go b/vendor/gopkg.in/check.v1/checkers_test.go
deleted file mode 100644
index 5c697474..00000000
--- a/vendor/gopkg.in/check.v1/checkers_test.go
+++ /dev/null
@@ -1,272 +0,0 @@
-package check_test
-
-import (
-	"errors"
-	"gopkg.in/check.v1"
-	"reflect"
-	"runtime"
-)
-
-type CheckersS struct{}
-
-var _ = check.Suite(&CheckersS{})
-
-func testInfo(c *check.C, checker check.Checker, name string, paramNames []string) {
-	info := checker.Info()
-	if info.Name != name {
-		c.Fatalf("Got name %s, expected %s", info.Name, name)
-	}
-	if !reflect.DeepEqual(info.Params, paramNames) {
-		c.Fatalf("Got param names %#v, expected %#v", info.Params, paramNames)
-	}
-}
-
-func testCheck(c *check.C, checker check.Checker, result bool, error string, params ...interface{}) ([]interface{}, []string) {
-	info := checker.Info()
-	if len(params) != len(info.Params) {
-		c.Fatalf("unexpected param count in test; expected %d got %d", len(info.Params), len(params))
-	}
-	names := append([]string{}, info.Params...)
-	result_, error_ := checker.Check(params, names)
-	if result_ != result || error_ != error {
-		c.Fatalf("%s.Check(%#v) returned (%#v, %#v) rather than (%#v, %#v)",
-			info.Name, params, result_, error_, result, error)
-	}
-	return params, names
-}
-
-func (s *CheckersS) TestComment(c *check.C) {
-	bug := check.Commentf("a %d bc", 42)
-	comment := bug.CheckCommentString()
-	if comment != "a 42 bc" {
-		c.Fatalf("Commentf returned %#v", comment)
-	}
-}
-
-func (s *CheckersS) TestIsNil(c *check.C) {
-	testInfo(c, check.IsNil, "IsNil", []string{"value"})
-
-	testCheck(c, check.IsNil, true, "", nil)
-	testCheck(c, check.IsNil, false, "", "a")
-
-	testCheck(c, check.IsNil, true, "", (chan int)(nil))
-	testCheck(c, check.IsNil, false, "", make(chan int))
-	testCheck(c, check.IsNil, true, "", (error)(nil))
-	testCheck(c, check.IsNil, false, "", errors.New(""))
-	testCheck(c, check.IsNil, true, "", ([]int)(nil))
-	testCheck(c, check.IsNil, false, "", make([]int, 1))
-	testCheck(c, check.IsNil, false, "", int(0))
-}
-
-func (s *CheckersS) TestNotNil(c *check.C) {
-	testInfo(c, check.NotNil, "NotNil", []string{"value"})
-
-	testCheck(c, check.NotNil, false, "", nil)
-	testCheck(c, check.NotNil, true, "", "a")
-
-	testCheck(c, check.NotNil, false, "", (chan int)(nil))
-	testCheck(c, check.NotNil, true, "", make(chan int))
-	testCheck(c, check.NotNil, false, "", (error)(nil))
-	testCheck(c, check.NotNil, true, "", errors.New(""))
-	testCheck(c, check.NotNil, false, "", ([]int)(nil))
-	testCheck(c, check.NotNil, true, "", make([]int, 1))
-}
-
-func (s *CheckersS) TestNot(c *check.C) {
-	testInfo(c, check.Not(check.IsNil), "Not(IsNil)", []string{"value"})
-
-	testCheck(c, check.Not(check.IsNil), false, "", nil)
-	testCheck(c, check.Not(check.IsNil), true, "", "a")
-}
-
-type simpleStruct struct {
-	i int
-}
-
-func (s *CheckersS) TestEquals(c *check.C) {
-	testInfo(c, check.Equals, "Equals", []string{"obtained", "expected"})
-
-	// The simplest.
-	testCheck(c, check.Equals, true, "", 42, 42)
-	testCheck(c, check.Equals, false, "", 42, 43)
-
-	// Different native types.
-	testCheck(c, check.Equals, false, "", int32(42), int64(42))
-
-	// With nil.
-	testCheck(c, check.Equals, false, "", 42, nil)
-
-	// Slices
-	testCheck(c, check.Equals, false, "runtime error: comparing uncomparable type []uint8", []byte{1, 2}, []byte{1, 2})
-
-	// Struct values
-	testCheck(c, check.Equals, true, "", simpleStruct{1}, simpleStruct{1})
-	testCheck(c, check.Equals, false, "", simpleStruct{1}, simpleStruct{2})
-
-	// Struct pointers
-	testCheck(c, check.Equals, false, "", &simpleStruct{1}, &simpleStruct{1})
-	testCheck(c, check.Equals, false, "", &simpleStruct{1}, &simpleStruct{2})
-}
-
-func (s *CheckersS) TestDeepEquals(c *check.C) {
-	testInfo(c, check.DeepEquals, "DeepEquals", []string{"obtained", "expected"})
-
-	// The simplest.
-	testCheck(c, check.DeepEquals, true, "", 42, 42)
-	testCheck(c, check.DeepEquals, false, "", 42, 43)
-
-	// Different native types.
-	testCheck(c, check.DeepEquals, false, "", int32(42), int64(42))
-
-	// With nil.
-	testCheck(c, check.DeepEquals, false, "", 42, nil)
-
-	// Slices
-	testCheck(c, check.DeepEquals, true, "", []byte{1, 2}, []byte{1, 2})
-	testCheck(c, check.DeepEquals, false, "", []byte{1, 2}, []byte{1, 3})
-
-	// Struct values
-	testCheck(c, check.DeepEquals, true, "", simpleStruct{1}, simpleStruct{1})
-	testCheck(c, check.DeepEquals, false, "", simpleStruct{1}, simpleStruct{2})
-
-	// Struct pointers
-	testCheck(c, check.DeepEquals, true, "", &simpleStruct{1}, &simpleStruct{1})
-	testCheck(c, check.DeepEquals, false, "", &simpleStruct{1}, &simpleStruct{2})
-}
-
-func (s *CheckersS) TestHasLen(c *check.C) {
-	testInfo(c, check.HasLen, "HasLen", []string{"obtained", "n"})
-
-	testCheck(c, check.HasLen, true, "", "abcd", 4)
-	testCheck(c, check.HasLen, true, "", []int{1, 2}, 2)
-	testCheck(c, check.HasLen, false, "", []int{1, 2}, 3)
-
-	testCheck(c, check.HasLen, false, "n must be an int", []int{1, 2}, "2")
-	testCheck(c, check.HasLen, false, "obtained value type has no length", nil, 2)
-}
-
-func (s *CheckersS) TestErrorMatches(c *check.C) {
-	testInfo(c, check.ErrorMatches, "ErrorMatches", []string{"value", "regex"})
-
-	testCheck(c, check.ErrorMatches, false, "Error value is nil", nil, "some error")
-	testCheck(c, check.ErrorMatches, false, "Value is not an error", 1, "some error")
-	testCheck(c, check.ErrorMatches, true, "", errors.New("some error"), "some error")
-	testCheck(c, check.ErrorMatches, true, "", errors.New("some error"), "so.*or")
-
-	// Verify params mutation
-	params, names := testCheck(c, check.ErrorMatches, false, "", errors.New("some error"), "other error")
-	c.Assert(params[0], check.Equals, "some error")
-	c.Assert(names[0], check.Equals, "error")
-}
-
-func (s *CheckersS) TestMatches(c *check.C) {
-	testInfo(c, check.Matches, "Matches", []string{"value", "regex"})
-
-	// Simple matching
-	testCheck(c, check.Matches, true, "", "abc", "abc")
-	testCheck(c, check.Matches, true, "", "abc", "a.c")
-
-	// Must match fully
-	testCheck(c, check.Matches, false, "", "abc", "ab")
-	testCheck(c, check.Matches, false, "", "abc", "bc")
-
-	// String()-enabled values accepted
-	testCheck(c, check.Matches, true, "", reflect.ValueOf("abc"), "a.c")
-	testCheck(c, check.Matches, false, "", reflect.ValueOf("abc"), "a.d")
-
-	// Some error conditions.
-	testCheck(c, check.Matches, false, "Obtained value is not a string and has no .String()", 1, "a.c")
-	testCheck(c, check.Matches, false, "Can't compile regex: error parsing regexp: missing closing ]: `[c$`", "abc", "a[c")
-}
-
-func (s *CheckersS) TestPanics(c *check.C) {
-	testInfo(c, check.Panics, "Panics", []string{"function", "expected"})
-
-	// Some errors.
-	testCheck(c, check.Panics, false, "Function has not panicked", func() bool { return false }, "BOOM")
-	testCheck(c, check.Panics, false, "Function must take zero arguments", 1, "BOOM")
-
-	// Plain strings.
-	testCheck(c, check.Panics, true, "", func() { panic("BOOM") }, "BOOM")
-	testCheck(c, check.Panics, false, "", func() { panic("KABOOM") }, "BOOM")
-	testCheck(c, check.Panics, true, "", func() bool { panic("BOOM") }, "BOOM")
-
-	// Error values.
-	testCheck(c, check.Panics, true, "", func() { panic(errors.New("BOOM")) }, errors.New("BOOM"))
-	testCheck(c, check.Panics, false, "", func() { panic(errors.New("KABOOM")) }, errors.New("BOOM"))
-
-	type deep struct{ i int }
-	// Deep value
-	testCheck(c, check.Panics, true, "", func() { panic(&deep{99}) }, &deep{99})
-
-	// Verify params/names mutation
-	params, names := testCheck(c, check.Panics, false, "", func() { panic(errors.New("KABOOM")) }, errors.New("BOOM"))
-	c.Assert(params[0], check.ErrorMatches, "KABOOM")
-	c.Assert(names[0], check.Equals, "panic")
-
-	// Verify a nil panic
-	testCheck(c, check.Panics, true, "", func() { panic(nil) }, nil)
-	testCheck(c, check.Panics, false, "", func() { panic(nil) }, "NOPE")
-}
-
-func (s *CheckersS) TestPanicMatches(c *check.C) {
-	testInfo(c, check.PanicMatches, "PanicMatches", []string{"function", "expected"})
-
-	// Error matching.
-	testCheck(c, check.PanicMatches, true, "", func() { panic(errors.New("BOOM")) }, "BO.M")
-	testCheck(c, check.PanicMatches, false, "", func() { panic(errors.New("KABOOM")) }, "BO.M")
-
-	// Some errors.
-	testCheck(c, check.PanicMatches, false, "Function has not panicked", func() bool { return false }, "BOOM")
-	testCheck(c, check.PanicMatches, false, "Function must take zero arguments", 1, "BOOM")
-
-	// Plain strings.
-	testCheck(c, check.PanicMatches, true, "", func() { panic("BOOM") }, "BO.M")
-	testCheck(c, check.PanicMatches, false, "", func() { panic("KABOOM") }, "BOOM")
-	testCheck(c, check.PanicMatches, true, "", func() bool { panic("BOOM") }, "BO.M")
-
-	// Verify params/names mutation
-	params, names := testCheck(c, check.PanicMatches, false, "", func() { panic(errors.New("KABOOM")) }, "BOOM")
-	c.Assert(params[0], check.Equals, "KABOOM")
-	c.Assert(names[0], check.Equals, "panic")
-
-	// Verify a nil panic
-	testCheck(c, check.PanicMatches, false, "Panic value is not a string or an error", func() { panic(nil) }, "")
-}
-
-func (s *CheckersS) TestFitsTypeOf(c *check.C) {
-	testInfo(c, check.FitsTypeOf, "FitsTypeOf", []string{"obtained", "sample"})
-
-	// Basic types
-	testCheck(c, check.FitsTypeOf, true, "", 1, 0)
-	testCheck(c, check.FitsTypeOf, false, "", 1, int64(0))
-
-	// Aliases
-	testCheck(c, check.FitsTypeOf, false, "", 1, errors.New(""))
-	testCheck(c, check.FitsTypeOf, false, "", "error", errors.New(""))
-	testCheck(c, check.FitsTypeOf, true, "", errors.New("error"), errors.New(""))
-
-	// Structures
-	testCheck(c, check.FitsTypeOf, false, "", 1, simpleStruct{})
-	testCheck(c, check.FitsTypeOf, false, "", simpleStruct{42}, &simpleStruct{})
-	testCheck(c, check.FitsTypeOf, true, "", simpleStruct{42}, simpleStruct{})
-	testCheck(c, check.FitsTypeOf, true, "", &simpleStruct{42}, &simpleStruct{})
-
-	// Some bad values
-	testCheck(c, check.FitsTypeOf, false, "Invalid sample value", 1, interface{}(nil))
-	testCheck(c, check.FitsTypeOf, false, "", interface{}(nil), 0)
-}
-
-func (s *CheckersS) TestImplements(c *check.C) {
-	testInfo(c, check.Implements, "Implements", []string{"obtained", "ifaceptr"})
-
-	var e error
-	var re runtime.Error
-	testCheck(c, check.Implements, true, "", errors.New(""), &e)
-	testCheck(c, check.Implements, false, "", errors.New(""), &re)
-
-	// Some bad values
-	testCheck(c, check.Implements, false, "ifaceptr should be a pointer to an interface variable", 0, errors.New(""))
-	testCheck(c, check.Implements, false, "ifaceptr should be a pointer to an interface variable", 0, interface{}(nil))
-	testCheck(c, check.Implements, false, "", interface{}(nil), &e)
-}
diff --git a/vendor/gopkg.in/check.v1/export_test.go b/vendor/gopkg.in/check.v1/export_test.go
deleted file mode 100644
index abb89a2d..00000000
--- a/vendor/gopkg.in/check.v1/export_test.go
+++ /dev/null
@@ -1,19 +0,0 @@
-package check
-
-import "io"
-
-func PrintLine(filename string, line int) (string, error) {
-	return printLine(filename, line)
-}
-
-func Indent(s, with string) string {
-	return indent(s, with)
-}
-
-func NewOutputWriter(writer io.Writer, stream, verbose bool) *outputWriter {
-	return newOutputWriter(writer, stream, verbose)
-}
-
-func (c *C) FakeSkip(reason string) {
-	c.reason = reason
-}
diff --git a/vendor/gopkg.in/check.v1/fixture_test.go b/vendor/gopkg.in/check.v1/fixture_test.go
deleted file mode 100644
index 2bff9e16..00000000
--- a/vendor/gopkg.in/check.v1/fixture_test.go
+++ /dev/null
@@ -1,484 +0,0 @@
-// Tests for the behavior of the test fixture system.
-
-package check_test
-
-import (
-	. "gopkg.in/check.v1"
-)
-
-// -----------------------------------------------------------------------
-// Fixture test suite.
-
-type FixtureS struct{}
-
-var fixtureS = Suite(&FixtureS{})
-
-func (s *FixtureS) TestCountSuite(c *C) {
-	suitesRun += 1
-}
-
-// -----------------------------------------------------------------------
-// Basic fixture ordering verification.
-
-func (s *FixtureS) TestOrder(c *C) {
-	helper := FixtureHelper{}
-	Run(&helper, nil)
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "Test1")
-	c.Check(helper.calls[3], Equals, "TearDownTest")
-	c.Check(helper.calls[4], Equals, "SetUpTest")
-	c.Check(helper.calls[5], Equals, "Test2")
-	c.Check(helper.calls[6], Equals, "TearDownTest")
-	c.Check(helper.calls[7], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 8)
-}
-
-// -----------------------------------------------------------------------
-// Check the behavior when panics occur within tests and fixtures.
-
-func (s *FixtureS) TestPanicOnTest(c *C) {
-	helper := FixtureHelper{panicOn: "Test1"}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "Test1")
-	c.Check(helper.calls[3], Equals, "TearDownTest")
-	c.Check(helper.calls[4], Equals, "SetUpTest")
-	c.Check(helper.calls[5], Equals, "Test2")
-	c.Check(helper.calls[6], Equals, "TearDownTest")
-	c.Check(helper.calls[7], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 8)
-
-	expected := "^\n-+\n" +
-		"PANIC: check_test\\.go:[0-9]+: FixtureHelper.Test1\n\n" +
-		"\\.\\.\\. Panic: Test1 \\(PC=[xA-F0-9]+\\)\n\n" +
-		".+:[0-9]+\n" +
-		"  in (go)?panic\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.trace\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.Test1\n" +
-		"(.|\n)*$"
-
-	c.Check(output.value, Matches, expected)
-}
-
-func (s *FixtureS) TestPanicOnSetUpTest(c *C) {
-	helper := FixtureHelper{panicOn: "SetUpTest"}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "TearDownTest")
-	c.Check(helper.calls[3], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 4)
-
-	expected := "^\n-+\n" +
-		"PANIC: check_test\\.go:[0-9]+: " +
-		"FixtureHelper\\.SetUpTest\n\n" +
-		"\\.\\.\\. Panic: SetUpTest \\(PC=[xA-F0-9]+\\)\n\n" +
-		".+:[0-9]+\n" +
-		"  in (go)?panic\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.trace\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.SetUpTest\n" +
-		"(.|\n)*" +
-		"\n-+\n" +
-		"PANIC: check_test\\.go:[0-9]+: " +
-		"FixtureHelper\\.Test1\n\n" +
-		"\\.\\.\\. Panic: Fixture has panicked " +
-		"\\(see related PANIC\\)\n$"
-
-	c.Check(output.value, Matches, expected)
-}
-
-func (s *FixtureS) TestPanicOnTearDownTest(c *C) {
-	helper := FixtureHelper{panicOn: "TearDownTest"}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "Test1")
-	c.Check(helper.calls[3], Equals, "TearDownTest")
-	c.Check(helper.calls[4], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 5)
-
-	expected := "^\n-+\n" +
-		"PANIC: check_test\\.go:[0-9]+: " +
-		"FixtureHelper.TearDownTest\n\n" +
-		"\\.\\.\\. Panic: TearDownTest \\(PC=[xA-F0-9]+\\)\n\n" +
-		".+:[0-9]+\n" +
-		"  in (go)?panic\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.trace\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.TearDownTest\n" +
-		"(.|\n)*" +
-		"\n-+\n" +
-		"PANIC: check_test\\.go:[0-9]+: " +
-		"FixtureHelper\\.Test1\n\n" +
-		"\\.\\.\\. Panic: Fixture has panicked " +
-		"\\(see related PANIC\\)\n$"
-
-	c.Check(output.value, Matches, expected)
-}
-
-func (s *FixtureS) TestPanicOnSetUpSuite(c *C) {
-	helper := FixtureHelper{panicOn: "SetUpSuite"}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 2)
-
-	expected := "^\n-+\n" +
-		"PANIC: check_test\\.go:[0-9]+: " +
-		"FixtureHelper.SetUpSuite\n\n" +
-		"\\.\\.\\. Panic: SetUpSuite \\(PC=[xA-F0-9]+\\)\n\n" +
-		".+:[0-9]+\n" +
-		"  in (go)?panic\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.trace\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.SetUpSuite\n" +
-		"(.|\n)*$"
-
-	c.Check(output.value, Matches, expected)
-}
-
-func (s *FixtureS) TestPanicOnTearDownSuite(c *C) {
-	helper := FixtureHelper{panicOn: "TearDownSuite"}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "Test1")
-	c.Check(helper.calls[3], Equals, "TearDownTest")
-	c.Check(helper.calls[4], Equals, "SetUpTest")
-	c.Check(helper.calls[5], Equals, "Test2")
-	c.Check(helper.calls[6], Equals, "TearDownTest")
-	c.Check(helper.calls[7], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 8)
-
-	expected := "^\n-+\n" +
-		"PANIC: check_test\\.go:[0-9]+: " +
-		"FixtureHelper.TearDownSuite\n\n" +
-		"\\.\\.\\. Panic: TearDownSuite \\(PC=[xA-F0-9]+\\)\n\n" +
-		".+:[0-9]+\n" +
-		"  in (go)?panic\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.trace\n" +
-		".*check_test.go:[0-9]+\n" +
-		"  in FixtureHelper.TearDownSuite\n" +
-		"(.|\n)*$"
-
-	c.Check(output.value, Matches, expected)
-}
-
-// -----------------------------------------------------------------------
-// A wrong argument on a test or fixture will produce a nice error.
-
-func (s *FixtureS) TestPanicOnWrongTestArg(c *C) {
-	helper := WrongTestArgHelper{}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "TearDownTest")
-	c.Check(helper.calls[3], Equals, "SetUpTest")
-	c.Check(helper.calls[4], Equals, "Test2")
-	c.Check(helper.calls[5], Equals, "TearDownTest")
-	c.Check(helper.calls[6], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 7)
-
-	expected := "^\n-+\n" +
-		"PANIC: fixture_test\\.go:[0-9]+: " +
-		"WrongTestArgHelper\\.Test1\n\n" +
-		"\\.\\.\\. Panic: WrongTestArgHelper\\.Test1 argument " +
-		"should be \\*check\\.C\n"
-
-	c.Check(output.value, Matches, expected)
-}
-
-func (s *FixtureS) TestPanicOnWrongSetUpTestArg(c *C) {
-	helper := WrongSetUpTestArgHelper{}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(len(helper.calls), Equals, 0)
-
-	expected :=
-		"^\n-+\n" +
-			"PANIC: fixture_test\\.go:[0-9]+: " +
-			"WrongSetUpTestArgHelper\\.SetUpTest\n\n" +
-			"\\.\\.\\. Panic: WrongSetUpTestArgHelper\\.SetUpTest argument " +
-			"should be \\*check\\.C\n"
-
-	c.Check(output.value, Matches, expected)
-}
-
-func (s *FixtureS) TestPanicOnWrongSetUpSuiteArg(c *C) {
-	helper := WrongSetUpSuiteArgHelper{}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(len(helper.calls), Equals, 0)
-
-	expected :=
-		"^\n-+\n" +
-			"PANIC: fixture_test\\.go:[0-9]+: " +
-			"WrongSetUpSuiteArgHelper\\.SetUpSuite\n\n" +
-			"\\.\\.\\. Panic: WrongSetUpSuiteArgHelper\\.SetUpSuite argument " +
-			"should be \\*check\\.C\n"
-
-	c.Check(output.value, Matches, expected)
-}
-
-// -----------------------------------------------------------------------
-// Nice errors also when tests or fixture have wrong arg count.
-
-func (s *FixtureS) TestPanicOnWrongTestArgCount(c *C) {
-	helper := WrongTestArgCountHelper{}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "TearDownTest")
-	c.Check(helper.calls[3], Equals, "SetUpTest")
-	c.Check(helper.calls[4], Equals, "Test2")
-	c.Check(helper.calls[5], Equals, "TearDownTest")
-	c.Check(helper.calls[6], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 7)
-
-	expected := "^\n-+\n" +
-		"PANIC: fixture_test\\.go:[0-9]+: " +
-		"WrongTestArgCountHelper\\.Test1\n\n" +
-		"\\.\\.\\. Panic: WrongTestArgCountHelper\\.Test1 argument " +
-		"should be \\*check\\.C\n"
-
-	c.Check(output.value, Matches, expected)
-}
-
-func (s *FixtureS) TestPanicOnWrongSetUpTestArgCount(c *C) {
-	helper := WrongSetUpTestArgCountHelper{}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(len(helper.calls), Equals, 0)
-
-	expected :=
-		"^\n-+\n" +
-			"PANIC: fixture_test\\.go:[0-9]+: " +
-			"WrongSetUpTestArgCountHelper\\.SetUpTest\n\n" +
-			"\\.\\.\\. Panic: WrongSetUpTestArgCountHelper\\.SetUpTest argument " +
-			"should be \\*check\\.C\n"
-
-	c.Check(output.value, Matches, expected)
-}
-
-func (s *FixtureS) TestPanicOnWrongSetUpSuiteArgCount(c *C) {
-	helper := WrongSetUpSuiteArgCountHelper{}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(len(helper.calls), Equals, 0)
-
-	expected :=
-		"^\n-+\n" +
-			"PANIC: fixture_test\\.go:[0-9]+: " +
-			"WrongSetUpSuiteArgCountHelper\\.SetUpSuite\n\n" +
-			"\\.\\.\\. Panic: WrongSetUpSuiteArgCountHelper" +
-			"\\.SetUpSuite argument should be \\*check\\.C\n"
-
-	c.Check(output.value, Matches, expected)
-}
-
-// -----------------------------------------------------------------------
-// Helper test suites with wrong function arguments.
-
-type WrongTestArgHelper struct {
-	FixtureHelper
-}
-
-func (s *WrongTestArgHelper) Test1(t int) {
-}
-
-type WrongSetUpTestArgHelper struct {
-	FixtureHelper
-}
-
-func (s *WrongSetUpTestArgHelper) SetUpTest(t int) {
-}
-
-type WrongSetUpSuiteArgHelper struct {
-	FixtureHelper
-}
-
-func (s *WrongSetUpSuiteArgHelper) SetUpSuite(t int) {
-}
-
-type WrongTestArgCountHelper struct {
-	FixtureHelper
-}
-
-func (s *WrongTestArgCountHelper) Test1(c *C, i int) {
-}
-
-type WrongSetUpTestArgCountHelper struct {
-	FixtureHelper
-}
-
-func (s *WrongSetUpTestArgCountHelper) SetUpTest(c *C, i int) {
-}
-
-type WrongSetUpSuiteArgCountHelper struct {
-	FixtureHelper
-}
-
-func (s *WrongSetUpSuiteArgCountHelper) SetUpSuite(c *C, i int) {
-}
-
-// -----------------------------------------------------------------------
-// Ensure fixture doesn't run without tests.
-
-type NoTestsHelper struct {
-	hasRun bool
-}
-
-func (s *NoTestsHelper) SetUpSuite(c *C) {
-	s.hasRun = true
-}
-
-func (s *NoTestsHelper) TearDownSuite(c *C) {
-	s.hasRun = true
-}
-
-func (s *FixtureS) TestFixtureDoesntRunWithoutTests(c *C) {
-	helper := NoTestsHelper{}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Check(helper.hasRun, Equals, false)
-}
-
-// -----------------------------------------------------------------------
-// Verify that checks and assertions work correctly inside the fixture.
-
-type FixtureCheckHelper struct {
-	fail      string
-	completed bool
-}
-
-func (s *FixtureCheckHelper) SetUpSuite(c *C) {
-	switch s.fail {
-	case "SetUpSuiteAssert":
-		c.Assert(false, Equals, true)
-	case "SetUpSuiteCheck":
-		c.Check(false, Equals, true)
-	}
-	s.completed = true
-}
-
-func (s *FixtureCheckHelper) SetUpTest(c *C) {
-	switch s.fail {
-	case "SetUpTestAssert":
-		c.Assert(false, Equals, true)
-	case "SetUpTestCheck":
-		c.Check(false, Equals, true)
-	}
-	s.completed = true
-}
-
-func (s *FixtureCheckHelper) Test(c *C) {
-	// Do nothing.
-}
-
-func (s *FixtureS) TestSetUpSuiteCheck(c *C) {
-	helper := FixtureCheckHelper{fail: "SetUpSuiteCheck"}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Assert(output.value, Matches,
-		"\n---+\n"+
-			"FAIL: fixture_test\\.go:[0-9]+: "+
-			"FixtureCheckHelper\\.SetUpSuite\n\n"+
-			"fixture_test\\.go:[0-9]+:\n"+
-			"    c\\.Check\\(false, Equals, true\\)\n"+
-			"\\.+ obtained bool = false\n"+
-			"\\.+ expected bool = true\n\n")
-	c.Assert(helper.completed, Equals, true)
-}
-
-func (s *FixtureS) TestSetUpSuiteAssert(c *C) {
-	helper := FixtureCheckHelper{fail: "SetUpSuiteAssert"}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Assert(output.value, Matches,
-		"\n---+\n"+
-			"FAIL: fixture_test\\.go:[0-9]+: "+
-			"FixtureCheckHelper\\.SetUpSuite\n\n"+
-			"fixture_test\\.go:[0-9]+:\n"+
-			"    c\\.Assert\\(false, Equals, true\\)\n"+
-			"\\.+ obtained bool = false\n"+
-			"\\.+ expected bool = true\n\n")
-	c.Assert(helper.completed, Equals, false)
-}
-
-// -----------------------------------------------------------------------
-// Verify that logging within SetUpTest() persists within the test log itself.
-
-type FixtureLogHelper struct {
-	c *C
-}
-
-func (s *FixtureLogHelper) SetUpTest(c *C) {
-	s.c = c
-	c.Log("1")
-}
-
-func (s *FixtureLogHelper) Test(c *C) {
-	c.Log("2")
-	s.c.Log("3")
-	c.Log("4")
-	c.Fail()
-}
-
-func (s *FixtureLogHelper) TearDownTest(c *C) {
-	s.c.Log("5")
-}
-
-func (s *FixtureS) TestFixtureLogging(c *C) {
-	helper := FixtureLogHelper{}
-	output := String{}
-	Run(&helper, &RunConf{Output: &output})
-	c.Assert(output.value, Matches,
-		"\n---+\n"+
-			"FAIL: fixture_test\\.go:[0-9]+: "+
-			"FixtureLogHelper\\.Test\n\n"+
-			"1\n2\n3\n4\n5\n")
-}
-
-// -----------------------------------------------------------------------
-// Skip() within fixture methods.
-
-func (s *FixtureS) TestSkipSuite(c *C) {
-	helper := FixtureHelper{skip: true, skipOnN: 0}
-	output := String{}
-	result := Run(&helper, &RunConf{Output: &output})
-	c.Assert(output.value, Equals, "")
-	c.Assert(helper.calls[0], Equals, "SetUpSuite")
-	c.Assert(helper.calls[1], Equals, "TearDownSuite")
-	c.Assert(len(helper.calls), Equals, 2)
-	c.Assert(result.Skipped, Equals, 2)
-}
-
-func (s *FixtureS) TestSkipTest(c *C) {
-	helper := FixtureHelper{skip: true, skipOnN: 1}
-	output := String{}
-	result := Run(&helper, &RunConf{Output: &output})
-	c.Assert(helper.calls[0], Equals, "SetUpSuite")
-	c.Assert(helper.calls[1], Equals, "SetUpTest")
-	c.Assert(helper.calls[2], Equals, "SetUpTest")
-	c.Assert(helper.calls[3], Equals, "Test2")
-	c.Assert(helper.calls[4], Equals, "TearDownTest")
-	c.Assert(helper.calls[5], Equals, "TearDownSuite")
-	c.Assert(len(helper.calls), Equals, 6)
-	c.Assert(result.Skipped, Equals, 1)
-}
diff --git a/vendor/gopkg.in/check.v1/foundation_test.go b/vendor/gopkg.in/check.v1/foundation_test.go
deleted file mode 100644
index 8ecf7915..00000000
--- a/vendor/gopkg.in/check.v1/foundation_test.go
+++ /dev/null
@@ -1,335 +0,0 @@
-// These tests check that the foundations of gocheck are working properly.
-// They already assume that fundamental failing is working already, though,
-// since this was tested in bootstrap_test.go. Even then, some care may
-// still have to be taken when using external functions, since they should
-// of course not rely on functionality tested here.
-
-package check_test
-
-import (
-	"fmt"
-	"gopkg.in/check.v1"
-	"log"
-	"os"
-	"regexp"
-	"strings"
-)
-
-// -----------------------------------------------------------------------
-// Foundation test suite.
-
-type FoundationS struct{}
-
-var foundationS = check.Suite(&FoundationS{})
-
-func (s *FoundationS) TestCountSuite(c *check.C) {
-	suitesRun += 1
-}
-
-func (s *FoundationS) TestErrorf(c *check.C) {
-	// Do not use checkState() here.  It depends on Errorf() working.
-	expectedLog := fmt.Sprintf("foundation_test.go:%d:\n"+
-		"    c.Errorf(\"Error %%v!\", \"message\")\n"+
-		"... Error: Error message!\n\n",
-		getMyLine()+1)
-	c.Errorf("Error %v!", "message")
-	failed := c.Failed()
-	c.Succeed()
-	if log := c.GetTestLog(); log != expectedLog {
-		c.Logf("Errorf() logged %#v rather than %#v", log, expectedLog)
-		c.Fail()
-	}
-	if !failed {
-		c.Logf("Errorf() didn't put the test in a failed state")
-		c.Fail()
-	}
-}
-
-func (s *FoundationS) TestError(c *check.C) {
-	expectedLog := fmt.Sprintf("foundation_test.go:%d:\n"+
-		"    c\\.Error\\(\"Error \", \"message!\"\\)\n"+
-		"\\.\\.\\. Error: Error message!\n\n",
-		getMyLine()+1)
-	c.Error("Error ", "message!")
-	checkState(c, nil,
-		&expectedState{
-			name:   "Error(`Error `, `message!`)",
-			failed: true,
-			log:    expectedLog,
-		})
-}
-
-func (s *FoundationS) TestFailNow(c *check.C) {
-	defer (func() {
-		if !c.Failed() {
-			c.Error("FailNow() didn't fail the test")
-		} else {
-			c.Succeed()
-			if c.GetTestLog() != "" {
-				c.Error("Something got logged:\n" + c.GetTestLog())
-			}
-		}
-	})()
-
-	c.FailNow()
-	c.Log("FailNow() didn't stop the test")
-}
-
-func (s *FoundationS) TestSucceedNow(c *check.C) {
-	defer (func() {
-		if c.Failed() {
-			c.Error("SucceedNow() didn't succeed the test")
-		}
-		if c.GetTestLog() != "" {
-			c.Error("Something got logged:\n" + c.GetTestLog())
-		}
-	})()
-
-	c.Fail()
-	c.SucceedNow()
-	c.Log("SucceedNow() didn't stop the test")
-}
-
-func (s *FoundationS) TestFailureHeader(c *check.C) {
-	output := String{}
-	failHelper := FailHelper{}
-	check.Run(&failHelper, &check.RunConf{Output: &output})
-	header := fmt.Sprintf(""+
-		"\n-----------------------------------"+
-		"-----------------------------------\n"+
-		"FAIL: check_test.go:%d: FailHelper.TestLogAndFail\n",
-		failHelper.testLine)
-	if strings.Index(output.value, header) == -1 {
-		c.Errorf(""+
-			"Failure didn't print a proper header.\n"+
-			"... Got:\n%s... Expected something with:\n%s",
-			output.value, header)
-	}
-}
-
-func (s *FoundationS) TestFatal(c *check.C) {
-	var line int
-	defer (func() {
-		if !c.Failed() {
-			c.Error("Fatal() didn't fail the test")
-		} else {
-			c.Succeed()
-			expected := fmt.Sprintf("foundation_test.go:%d:\n"+
-				"    c.Fatal(\"Die \", \"now!\")\n"+
-				"... Error: Die now!\n\n",
-				line)
-			if c.GetTestLog() != expected {
-				c.Error("Incorrect log:", c.GetTestLog())
-			}
-		}
-	})()
-
-	line = getMyLine() + 1
-	c.Fatal("Die ", "now!")
-	c.Log("Fatal() didn't stop the test")
-}
-
-func (s *FoundationS) TestFatalf(c *check.C) {
-	var line int
-	defer (func() {
-		if !c.Failed() {
-			c.Error("Fatalf() didn't fail the test")
-		} else {
-			c.Succeed()
-			expected := fmt.Sprintf("foundation_test.go:%d:\n"+
-				"    c.Fatalf(\"Die %%s!\", \"now\")\n"+
-				"... Error: Die now!\n\n",
-				line)
-			if c.GetTestLog() != expected {
-				c.Error("Incorrect log:", c.GetTestLog())
-			}
-		}
-	})()
-
-	line = getMyLine() + 1
-	c.Fatalf("Die %s!", "now")
-	c.Log("Fatalf() didn't stop the test")
-}
-
-func (s *FoundationS) TestCallerLoggingInsideTest(c *check.C) {
-	log := fmt.Sprintf(""+
-		"foundation_test.go:%d:\n"+
-		"    result := c.Check\\(10, check.Equals, 20\\)\n"+
-		"\\.\\.\\. obtained int = 10\n"+
-		"\\.\\.\\. expected int = 20\n\n",
-		getMyLine()+1)
-	result := c.Check(10, check.Equals, 20)
-	checkState(c, result,
-		&expectedState{
-			name:   "Check(10, Equals, 20)",
-			result: false,
-			failed: true,
-			log:    log,
-		})
-}
-
-func (s *FoundationS) TestCallerLoggingInDifferentFile(c *check.C) {
-	result, line := checkEqualWrapper(c, 10, 20)
-	testLine := getMyLine() - 1
-	log := fmt.Sprintf(""+
-		"foundation_test.go:%d:\n"+
-		"    result, line := checkEqualWrapper\\(c, 10, 20\\)\n"+
-		"check_test.go:%d:\n"+
-		"    return c.Check\\(obtained, check.Equals, expected\\), getMyLine\\(\\)\n"+
-		"\\.\\.\\. obtained int = 10\n"+
-		"\\.\\.\\. expected int = 20\n\n",
-		testLine, line)
-	checkState(c, result,
-		&expectedState{
-			name:   "Check(10, Equals, 20)",
-			result: false,
-			failed: true,
-			log:    log,
-		})
-}
-
-// -----------------------------------------------------------------------
-// ExpectFailure() inverts the logic of failure.
-
-type ExpectFailureSucceedHelper struct{}
-
-func (s *ExpectFailureSucceedHelper) TestSucceed(c *check.C) {
-	c.ExpectFailure("It booms!")
-	c.Error("Boom!")
-}
-
-type ExpectFailureFailHelper struct{}
-
-func (s *ExpectFailureFailHelper) TestFail(c *check.C) {
-	c.ExpectFailure("Bug #XYZ")
-}
-
-func (s *FoundationS) TestExpectFailureFail(c *check.C) {
-	helper := ExpectFailureFailHelper{}
-	output := String{}
-	result := check.Run(&helper, &check.RunConf{Output: &output})
-
-	expected := "" +
-		"^\n-+\n" +
-		"FAIL: foundation_test\\.go:[0-9]+:" +
-		" ExpectFailureFailHelper\\.TestFail\n\n" +
-		"\\.\\.\\. Error: Test succeeded, but was expected to fail\n" +
-		"\\.\\.\\. Reason: Bug #XYZ\n$"
-
-	matched, err := regexp.MatchString(expected, output.value)
-	if err != nil {
-		c.Error("Bad expression: ", expected)
-	} else if !matched {
-		c.Error("ExpectFailure() didn't log properly:\n", output.value)
-	}
-
-	c.Assert(result.ExpectedFailures, check.Equals, 0)
-}
-
-func (s *FoundationS) TestExpectFailureSucceed(c *check.C) {
-	helper := ExpectFailureSucceedHelper{}
-	output := String{}
-	result := check.Run(&helper, &check.RunConf{Output: &output})
-
-	c.Assert(output.value, check.Equals, "")
-	c.Assert(result.ExpectedFailures, check.Equals, 1)
-}
-
-func (s *FoundationS) TestExpectFailureSucceedVerbose(c *check.C) {
-	helper := ExpectFailureSucceedHelper{}
-	output := String{}
-	result := check.Run(&helper, &check.RunConf{Output: &output, Verbose: true})
-
-	expected := "" +
-		"FAIL EXPECTED: foundation_test\\.go:[0-9]+:" +
-		" ExpectFailureSucceedHelper\\.TestSucceed \\(It booms!\\)\t *[.0-9]+s\n"
-
-	matched, err := regexp.MatchString(expected, output.value)
-	if err != nil {
-		c.Error("Bad expression: ", expected)
-	} else if !matched {
-		c.Error("ExpectFailure() didn't log properly:\n", output.value)
-	}
-
-	c.Assert(result.ExpectedFailures, check.Equals, 1)
-}
-
-// -----------------------------------------------------------------------
-// Skip() allows stopping a test without positive/negative results.
-
-type SkipTestHelper struct{}
-
-func (s *SkipTestHelper) TestFail(c *check.C) {
-	c.Skip("Wrong platform or whatever")
-	c.Error("Boom!")
-}
-
-func (s *FoundationS) TestSkip(c *check.C) {
-	helper := SkipTestHelper{}
-	output := String{}
-	check.Run(&helper, &check.RunConf{Output: &output})
-
-	if output.value != "" {
-		c.Error("Skip() logged something:\n", output.value)
-	}
-}
-
-func (s *FoundationS) TestSkipVerbose(c *check.C) {
-	helper := SkipTestHelper{}
-	output := String{}
-	check.Run(&helper, &check.RunConf{Output: &output, Verbose: true})
-
-	expected := "SKIP: foundation_test\\.go:[0-9]+: SkipTestHelper\\.TestFail" +
-		" \\(Wrong platform or whatever\\)"
-	matched, err := regexp.MatchString(expected, output.value)
-	if err != nil {
-		c.Error("Bad expression: ", expected)
-	} else if !matched {
-		c.Error("Skip() didn't log properly:\n", output.value)
-	}
-}
-
-// -----------------------------------------------------------------------
-// Check minimum *log.Logger interface provided by *check.C.
-
-type minLogger interface {
-	Output(calldepth int, s string) error
-}
-
-func (s *BootstrapS) TestMinLogger(c *check.C) {
-	var logger minLogger
-	logger = log.New(os.Stderr, "", 0)
-	logger = c
-	logger.Output(0, "Hello there")
-	expected := `\[LOG\] [0-9]+:[0-9][0-9]\.[0-9][0-9][0-9] +Hello there\n`
-	output := c.GetTestLog()
-	c.Assert(output, check.Matches, expected)
-}
-
-// -----------------------------------------------------------------------
-// Ensure that suites with embedded types are working fine, including the
-// the workaround for issue 906.
-
-type EmbeddedInternalS struct {
-	called bool
-}
-
-type EmbeddedS struct {
-	EmbeddedInternalS
-}
-
-var embeddedS = check.Suite(&EmbeddedS{})
-
-func (s *EmbeddedS) TestCountSuite(c *check.C) {
-	suitesRun += 1
-}
-
-func (s *EmbeddedInternalS) TestMethod(c *check.C) {
-	c.Error("TestMethod() of the embedded type was called!?")
-}
-
-func (s *EmbeddedS) TestMethod(c *check.C) {
-	// http://code.google.com/p/go/issues/detail?id=906
-	c.Check(s.called, check.Equals, false) // Go issue 906 is affecting the runner?
-	s.called = true
-}
diff --git a/vendor/gopkg.in/check.v1/helpers.go b/vendor/gopkg.in/check.v1/helpers.go
deleted file mode 100644
index 58a733b5..00000000
--- a/vendor/gopkg.in/check.v1/helpers.go
+++ /dev/null
@@ -1,231 +0,0 @@
-package check
-
-import (
-	"fmt"
-	"strings"
-	"time"
-)
-
-// TestName returns the current test name in the form "SuiteName.TestName"
-func (c *C) TestName() string {
-	return c.testName
-}
-
-// -----------------------------------------------------------------------
-// Basic succeeding/failing logic.
-
-// Failed returns whether the currently running test has already failed.
-func (c *C) Failed() bool {
-	return c.status() == failedSt
-}
-
-// Fail marks the currently running test as failed.
-//
-// Something ought to have been previously logged so the developer can tell
-// what went wrong. The higher level helper functions will fail the test
-// and do the logging properly.
-func (c *C) Fail() {
-	c.setStatus(failedSt)
-}
-
-// FailNow marks the currently running test as failed and stops running it.
-// Something ought to have been previously logged so the developer can tell
-// what went wrong. The higher level helper functions will fail the test
-// and do the logging properly.
-func (c *C) FailNow() {
-	c.Fail()
-	c.stopNow()
-}
-
-// Succeed marks the currently running test as succeeded, undoing any
-// previous failures.
-func (c *C) Succeed() {
-	c.setStatus(succeededSt)
-}
-
-// SucceedNow marks the currently running test as succeeded, undoing any
-// previous failures, and stops running the test.
-func (c *C) SucceedNow() {
-	c.Succeed()
-	c.stopNow()
-}
-
-// ExpectFailure informs that the running test is knowingly broken for
-// the provided reason. If the test does not fail, an error will be reported
-// to raise attention to this fact. This method is useful to temporarily
-// disable tests which cover well known problems until a better time to
-// fix the problem is found, without forgetting about the fact that a
-// failure still exists.
-func (c *C) ExpectFailure(reason string) {
-	if reason == "" {
-		panic("Missing reason why the test is expected to fail")
-	}
-	c.mustFail = true
-	c.reason = reason
-}
-
-// Skip skips the running test for the provided reason. If run from within
-// SetUpTest, the individual test being set up will be skipped, and if run
-// from within SetUpSuite, the whole suite is skipped.
-func (c *C) Skip(reason string) {
-	if reason == "" {
-		panic("Missing reason why the test is being skipped")
-	}
-	c.reason = reason
-	c.setStatus(skippedSt)
-	c.stopNow()
-}
-
-// -----------------------------------------------------------------------
-// Basic logging.
-
-// GetTestLog returns the current test error output.
-func (c *C) GetTestLog() string {
-	return c.logb.String()
-}
-
-// Log logs some information into the test error output.
-// The provided arguments are assembled together into a string with fmt.Sprint.
-func (c *C) Log(args ...interface{}) {
-	c.log(args...)
-}
-
-// Log logs some information into the test error output.
-// The provided arguments are assembled together into a string with fmt.Sprintf.
-func (c *C) Logf(format string, args ...interface{}) {
-	c.logf(format, args...)
-}
-
-// Output enables *C to be used as a logger in functions that require only
-// the minimum interface of *log.Logger.
-func (c *C) Output(calldepth int, s string) error {
-	d := time.Now().Sub(c.startTime)
-	msec := d / time.Millisecond
-	sec := d / time.Second
-	min := d / time.Minute
-
-	c.Logf("[LOG] %d:%02d.%03d %s", min, sec%60, msec%1000, s)
-	return nil
-}
-
-// Error logs an error into the test error output and marks the test as failed.
-// The provided arguments are assembled together into a string with fmt.Sprint.
-func (c *C) Error(args ...interface{}) {
-	c.logCaller(1)
-	c.logString(fmt.Sprint("Error: ", fmt.Sprint(args...)))
-	c.logNewLine()
-	c.Fail()
-}
-
-// Errorf logs an error into the test error output and marks the test as failed.
-// The provided arguments are assembled together into a string with fmt.Sprintf.
-func (c *C) Errorf(format string, args ...interface{}) {
-	c.logCaller(1)
-	c.logString(fmt.Sprintf("Error: "+format, args...))
-	c.logNewLine()
-	c.Fail()
-}
-
-// Fatal logs an error into the test error output, marks the test as failed, and
-// stops the test execution. The provided arguments are assembled together into
-// a string with fmt.Sprint.
-func (c *C) Fatal(args ...interface{}) {
-	c.logCaller(1)
-	c.logString(fmt.Sprint("Error: ", fmt.Sprint(args...)))
-	c.logNewLine()
-	c.FailNow()
-}
-
-// Fatlaf logs an error into the test error output, marks the test as failed, and
-// stops the test execution. The provided arguments are assembled together into
-// a string with fmt.Sprintf.
-func (c *C) Fatalf(format string, args ...interface{}) {
-	c.logCaller(1)
-	c.logString(fmt.Sprint("Error: ", fmt.Sprintf(format, args...)))
-	c.logNewLine()
-	c.FailNow()
-}
-
-// -----------------------------------------------------------------------
-// Generic checks and assertions based on checkers.
-
-// Check verifies if the first value matches the expected value according
-// to the provided checker. If they do not match, an error is logged, the
-// test is marked as failed, and the test execution continues.
-//
-// Some checkers may not need the expected argument (e.g. IsNil).
-//
-// Extra arguments provided to the function are logged next to the reported
-// problem when the matching fails.
-func (c *C) Check(obtained interface{}, checker Checker, args ...interface{}) bool {
-	return c.internalCheck("Check", obtained, checker, args...)
-}
-
-// Assert ensures that the first value matches the expected value according
-// to the provided checker. If they do not match, an error is logged, the
-// test is marked as failed, and the test execution stops.
-//
-// Some checkers may not need the expected argument (e.g. IsNil).
-//
-// Extra arguments provided to the function are logged next to the reported
-// problem when the matching fails.
-func (c *C) Assert(obtained interface{}, checker Checker, args ...interface{}) {
-	if !c.internalCheck("Assert", obtained, checker, args...) {
-		c.stopNow()
-	}
-}
-
-func (c *C) internalCheck(funcName string, obtained interface{}, checker Checker, args ...interface{}) bool {
-	if checker == nil {
-		c.logCaller(2)
-		c.logString(fmt.Sprintf("%s(obtained, nil!?, ...):", funcName))
-		c.logString("Oops.. you've provided a nil checker!")
-		c.logNewLine()
-		c.Fail()
-		return false
-	}
-
-	// If the last argument is a bug info, extract it out.
-	var comment CommentInterface
-	if len(args) > 0 {
-		if c, ok := args[len(args)-1].(CommentInterface); ok {
-			comment = c
-			args = args[:len(args)-1]
-		}
-	}
-
-	params := append([]interface{}{obtained}, args...)
-	info := checker.Info()
-
-	if len(params) != len(info.Params) {
-		names := append([]string{info.Params[0], info.Name}, info.Params[1:]...)
-		c.logCaller(2)
-		c.logString(fmt.Sprintf("%s(%s):", funcName, strings.Join(names, ", ")))
-		c.logString(fmt.Sprintf("Wrong number of parameters for %s: want %d, got %d", info.Name, len(names), len(params)+1))
-		c.logNewLine()
-		c.Fail()
-		return false
-	}
-
-	// Copy since it may be mutated by Check.
-	names := append([]string{}, info.Params...)
-
-	// Do the actual check.
-	result, error := checker.Check(params, names)
-	if !result || error != "" {
-		c.logCaller(2)
-		for i := 0; i != len(params); i++ {
-			c.logValue(names[i], params[i])
-		}
-		if comment != nil {
-			c.logString(comment.CheckCommentString())
-		}
-		if error != "" {
-			c.logString(error)
-		}
-		c.logNewLine()
-		c.Fail()
-		return false
-	}
-	return true
-}
diff --git a/vendor/gopkg.in/check.v1/helpers_test.go b/vendor/gopkg.in/check.v1/helpers_test.go
deleted file mode 100644
index 4baa656b..00000000
--- a/vendor/gopkg.in/check.v1/helpers_test.go
+++ /dev/null
@@ -1,519 +0,0 @@
-// These tests verify the inner workings of the helper methods associated
-// with check.T.
-
-package check_test
-
-import (
-	"gopkg.in/check.v1"
-	"os"
-	"reflect"
-	"runtime"
-	"sync"
-)
-
-var helpersS = check.Suite(&HelpersS{})
-
-type HelpersS struct{}
-
-func (s *HelpersS) TestCountSuite(c *check.C) {
-	suitesRun += 1
-}
-
-// -----------------------------------------------------------------------
-// Fake checker and bug info to verify the behavior of Assert() and Check().
-
-type MyChecker struct {
-	info   *check.CheckerInfo
-	params []interface{}
-	names  []string
-	result bool
-	error  string
-}
-
-func (checker *MyChecker) Info() *check.CheckerInfo {
-	if checker.info == nil {
-		return &check.CheckerInfo{Name: "MyChecker", Params: []string{"myobtained", "myexpected"}}
-	}
-	return checker.info
-}
-
-func (checker *MyChecker) Check(params []interface{}, names []string) (bool, string) {
-	rparams := checker.params
-	rnames := checker.names
-	checker.params = append([]interface{}{}, params...)
-	checker.names = append([]string{}, names...)
-	if rparams != nil {
-		copy(params, rparams)
-	}
-	if rnames != nil {
-		copy(names, rnames)
-	}
-	return checker.result, checker.error
-}
-
-type myCommentType string
-
-func (c myCommentType) CheckCommentString() string {
-	return string(c)
-}
-
-func myComment(s string) myCommentType {
-	return myCommentType(s)
-}
-
-// -----------------------------------------------------------------------
-// Ensure a real checker actually works fine.
-
-func (s *HelpersS) TestCheckerInterface(c *check.C) {
-	testHelperSuccess(c, "Check(1, Equals, 1)", true, func() interface{} {
-		return c.Check(1, check.Equals, 1)
-	})
-}
-
-// -----------------------------------------------------------------------
-// Tests for Check(), mostly the same as for Assert() following these.
-
-func (s *HelpersS) TestCheckSucceedWithExpected(c *check.C) {
-	checker := &MyChecker{result: true}
-	testHelperSuccess(c, "Check(1, checker, 2)", true, func() interface{} {
-		return c.Check(1, checker, 2)
-	})
-	if !reflect.DeepEqual(checker.params, []interface{}{1, 2}) {
-		c.Fatalf("Bad params for check: %#v", checker.params)
-	}
-}
-
-func (s *HelpersS) TestCheckSucceedWithoutExpected(c *check.C) {
-	checker := &MyChecker{result: true, info: &check.CheckerInfo{Params: []string{"myvalue"}}}
-	testHelperSuccess(c, "Check(1, checker)", true, func() interface{} {
-		return c.Check(1, checker)
-	})
-	if !reflect.DeepEqual(checker.params, []interface{}{1}) {
-		c.Fatalf("Bad params for check: %#v", checker.params)
-	}
-}
-
-func (s *HelpersS) TestCheckFailWithExpected(c *check.C) {
-	checker := &MyChecker{result: false}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    return c\\.Check\\(1, checker, 2\\)\n" +
-		"\\.+ myobtained int = 1\n" +
-		"\\.+ myexpected int = 2\n\n"
-	testHelperFailure(c, "Check(1, checker, 2)", false, false, log,
-		func() interface{} {
-			return c.Check(1, checker, 2)
-		})
-}
-
-func (s *HelpersS) TestCheckFailWithExpectedAndComment(c *check.C) {
-	checker := &MyChecker{result: false}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    return c\\.Check\\(1, checker, 2, myComment\\(\"Hello world!\"\\)\\)\n" +
-		"\\.+ myobtained int = 1\n" +
-		"\\.+ myexpected int = 2\n" +
-		"\\.+ Hello world!\n\n"
-	testHelperFailure(c, "Check(1, checker, 2, msg)", false, false, log,
-		func() interface{} {
-			return c.Check(1, checker, 2, myComment("Hello world!"))
-		})
-}
-
-func (s *HelpersS) TestCheckFailWithExpectedAndStaticComment(c *check.C) {
-	checker := &MyChecker{result: false}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    // Nice leading comment\\.\n" +
-		"    return c\\.Check\\(1, checker, 2\\) // Hello there\n" +
-		"\\.+ myobtained int = 1\n" +
-		"\\.+ myexpected int = 2\n\n"
-	testHelperFailure(c, "Check(1, checker, 2, msg)", false, false, log,
-		func() interface{} {
-			// Nice leading comment.
-			return c.Check(1, checker, 2) // Hello there
-		})
-}
-
-func (s *HelpersS) TestCheckFailWithoutExpected(c *check.C) {
-	checker := &MyChecker{result: false, info: &check.CheckerInfo{Params: []string{"myvalue"}}}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    return c\\.Check\\(1, checker\\)\n" +
-		"\\.+ myvalue int = 1\n\n"
-	testHelperFailure(c, "Check(1, checker)", false, false, log,
-		func() interface{} {
-			return c.Check(1, checker)
-		})
-}
-
-func (s *HelpersS) TestCheckFailWithoutExpectedAndMessage(c *check.C) {
-	checker := &MyChecker{result: false, info: &check.CheckerInfo{Params: []string{"myvalue"}}}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    return c\\.Check\\(1, checker, myComment\\(\"Hello world!\"\\)\\)\n" +
-		"\\.+ myvalue int = 1\n" +
-		"\\.+ Hello world!\n\n"
-	testHelperFailure(c, "Check(1, checker, msg)", false, false, log,
-		func() interface{} {
-			return c.Check(1, checker, myComment("Hello world!"))
-		})
-}
-
-func (s *HelpersS) TestCheckWithMissingExpected(c *check.C) {
-	checker := &MyChecker{result: true}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    return c\\.Check\\(1, checker\\)\n" +
-		"\\.+ Check\\(myobtained, MyChecker, myexpected\\):\n" +
-		"\\.+ Wrong number of parameters for MyChecker: " +
-		"want 3, got 2\n\n"
-	testHelperFailure(c, "Check(1, checker, !?)", false, false, log,
-		func() interface{} {
-			return c.Check(1, checker)
-		})
-}
-
-func (s *HelpersS) TestCheckWithTooManyExpected(c *check.C) {
-	checker := &MyChecker{result: true}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    return c\\.Check\\(1, checker, 2, 3\\)\n" +
-		"\\.+ Check\\(myobtained, MyChecker, myexpected\\):\n" +
-		"\\.+ Wrong number of parameters for MyChecker: " +
-		"want 3, got 4\n\n"
-	testHelperFailure(c, "Check(1, checker, 2, 3)", false, false, log,
-		func() interface{} {
-			return c.Check(1, checker, 2, 3)
-		})
-}
-
-func (s *HelpersS) TestCheckWithError(c *check.C) {
-	checker := &MyChecker{result: false, error: "Some not so cool data provided!"}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    return c\\.Check\\(1, checker, 2\\)\n" +
-		"\\.+ myobtained int = 1\n" +
-		"\\.+ myexpected int = 2\n" +
-		"\\.+ Some not so cool data provided!\n\n"
-	testHelperFailure(c, "Check(1, checker, 2)", false, false, log,
-		func() interface{} {
-			return c.Check(1, checker, 2)
-		})
-}
-
-func (s *HelpersS) TestCheckWithNilChecker(c *check.C) {
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    return c\\.Check\\(1, nil\\)\n" +
-		"\\.+ Check\\(obtained, nil!\\?, \\.\\.\\.\\):\n" +
-		"\\.+ Oops\\.\\. you've provided a nil checker!\n\n"
-	testHelperFailure(c, "Check(obtained, nil)", false, false, log,
-		func() interface{} {
-			return c.Check(1, nil)
-		})
-}
-
-func (s *HelpersS) TestCheckWithParamsAndNamesMutation(c *check.C) {
-	checker := &MyChecker{result: false, params: []interface{}{3, 4}, names: []string{"newobtained", "newexpected"}}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    return c\\.Check\\(1, checker, 2\\)\n" +
-		"\\.+ newobtained int = 3\n" +
-		"\\.+ newexpected int = 4\n\n"
-	testHelperFailure(c, "Check(1, checker, 2) with mutation", false, false, log,
-		func() interface{} {
-			return c.Check(1, checker, 2)
-		})
-}
-
-// -----------------------------------------------------------------------
-// Tests for Assert(), mostly the same as for Check() above.
-
-func (s *HelpersS) TestAssertSucceedWithExpected(c *check.C) {
-	checker := &MyChecker{result: true}
-	testHelperSuccess(c, "Assert(1, checker, 2)", nil, func() interface{} {
-		c.Assert(1, checker, 2)
-		return nil
-	})
-	if !reflect.DeepEqual(checker.params, []interface{}{1, 2}) {
-		c.Fatalf("Bad params for check: %#v", checker.params)
-	}
-}
-
-func (s *HelpersS) TestAssertSucceedWithoutExpected(c *check.C) {
-	checker := &MyChecker{result: true, info: &check.CheckerInfo{Params: []string{"myvalue"}}}
-	testHelperSuccess(c, "Assert(1, checker)", nil, func() interface{} {
-		c.Assert(1, checker)
-		return nil
-	})
-	if !reflect.DeepEqual(checker.params, []interface{}{1}) {
-		c.Fatalf("Bad params for check: %#v", checker.params)
-	}
-}
-
-func (s *HelpersS) TestAssertFailWithExpected(c *check.C) {
-	checker := &MyChecker{result: false}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    c\\.Assert\\(1, checker, 2\\)\n" +
-		"\\.+ myobtained int = 1\n" +
-		"\\.+ myexpected int = 2\n\n"
-	testHelperFailure(c, "Assert(1, checker, 2)", nil, true, log,
-		func() interface{} {
-			c.Assert(1, checker, 2)
-			return nil
-		})
-}
-
-func (s *HelpersS) TestAssertFailWithExpectedAndMessage(c *check.C) {
-	checker := &MyChecker{result: false}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    c\\.Assert\\(1, checker, 2, myComment\\(\"Hello world!\"\\)\\)\n" +
-		"\\.+ myobtained int = 1\n" +
-		"\\.+ myexpected int = 2\n" +
-		"\\.+ Hello world!\n\n"
-	testHelperFailure(c, "Assert(1, checker, 2, msg)", nil, true, log,
-		func() interface{} {
-			c.Assert(1, checker, 2, myComment("Hello world!"))
-			return nil
-		})
-}
-
-func (s *HelpersS) TestAssertFailWithoutExpected(c *check.C) {
-	checker := &MyChecker{result: false, info: &check.CheckerInfo{Params: []string{"myvalue"}}}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    c\\.Assert\\(1, checker\\)\n" +
-		"\\.+ myvalue int = 1\n\n"
-	testHelperFailure(c, "Assert(1, checker)", nil, true, log,
-		func() interface{} {
-			c.Assert(1, checker)
-			return nil
-		})
-}
-
-func (s *HelpersS) TestAssertFailWithoutExpectedAndMessage(c *check.C) {
-	checker := &MyChecker{result: false, info: &check.CheckerInfo{Params: []string{"myvalue"}}}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    c\\.Assert\\(1, checker, myComment\\(\"Hello world!\"\\)\\)\n" +
-		"\\.+ myvalue int = 1\n" +
-		"\\.+ Hello world!\n\n"
-	testHelperFailure(c, "Assert(1, checker, msg)", nil, true, log,
-		func() interface{} {
-			c.Assert(1, checker, myComment("Hello world!"))
-			return nil
-		})
-}
-
-func (s *HelpersS) TestAssertWithMissingExpected(c *check.C) {
-	checker := &MyChecker{result: true}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    c\\.Assert\\(1, checker\\)\n" +
-		"\\.+ Assert\\(myobtained, MyChecker, myexpected\\):\n" +
-		"\\.+ Wrong number of parameters for MyChecker: " +
-		"want 3, got 2\n\n"
-	testHelperFailure(c, "Assert(1, checker, !?)", nil, true, log,
-		func() interface{} {
-			c.Assert(1, checker)
-			return nil
-		})
-}
-
-func (s *HelpersS) TestAssertWithError(c *check.C) {
-	checker := &MyChecker{result: false, error: "Some not so cool data provided!"}
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    c\\.Assert\\(1, checker, 2\\)\n" +
-		"\\.+ myobtained int = 1\n" +
-		"\\.+ myexpected int = 2\n" +
-		"\\.+ Some not so cool data provided!\n\n"
-	testHelperFailure(c, "Assert(1, checker, 2)", nil, true, log,
-		func() interface{} {
-			c.Assert(1, checker, 2)
-			return nil
-		})
-}
-
-func (s *HelpersS) TestAssertWithNilChecker(c *check.C) {
-	log := "(?s)helpers_test\\.go:[0-9]+:.*\nhelpers_test\\.go:[0-9]+:\n" +
-		"    c\\.Assert\\(1, nil\\)\n" +
-		"\\.+ Assert\\(obtained, nil!\\?, \\.\\.\\.\\):\n" +
-		"\\.+ Oops\\.\\. you've provided a nil checker!\n\n"
-	testHelperFailure(c, "Assert(obtained, nil)", nil, true, log,
-		func() interface{} {
-			c.Assert(1, nil)
-			return nil
-		})
-}
-
-// -----------------------------------------------------------------------
-// Ensure that values logged work properly in some interesting cases.
-
-func (s *HelpersS) TestValueLoggingWithArrays(c *check.C) {
-	checker := &MyChecker{result: false}
-	log := "(?s)helpers_test.go:[0-9]+:.*\nhelpers_test.go:[0-9]+:\n" +
-		"    return c\\.Check\\(\\[\\]byte{1, 2}, checker, \\[\\]byte{1, 3}\\)\n" +
-		"\\.+ myobtained \\[\\]uint8 = \\[\\]byte{0x1, 0x2}\n" +
-		"\\.+ myexpected \\[\\]uint8 = \\[\\]byte{0x1, 0x3}\n\n"
-	testHelperFailure(c, "Check([]byte{1}, chk, []byte{3})", false, false, log,
-		func() interface{} {
-			return c.Check([]byte{1, 2}, checker, []byte{1, 3})
-		})
-}
-
-func (s *HelpersS) TestValueLoggingWithMultiLine(c *check.C) {
-	checker := &MyChecker{result: false}
-	log := "(?s)helpers_test.go:[0-9]+:.*\nhelpers_test.go:[0-9]+:\n" +
-		"    return c\\.Check\\(\"a\\\\nb\\\\n\", checker, \"a\\\\nb\\\\nc\"\\)\n" +
-		"\\.+ myobtained string = \"\" \\+\n" +
-		"\\.+     \"a\\\\n\" \\+\n" +
-		"\\.+     \"b\\\\n\"\n" +
-		"\\.+ myexpected string = \"\" \\+\n" +
-		"\\.+     \"a\\\\n\" \\+\n" +
-		"\\.+     \"b\\\\n\" \\+\n" +
-		"\\.+     \"c\"\n\n"
-	testHelperFailure(c, `Check("a\nb\n", chk, "a\nb\nc")`, false, false, log,
-		func() interface{} {
-			return c.Check("a\nb\n", checker, "a\nb\nc")
-		})
-}
-
-func (s *HelpersS) TestValueLoggingWithMultiLineException(c *check.C) {
-	// If the newline is at the end of the string, don't log as multi-line.
-	checker := &MyChecker{result: false}
-	log := "(?s)helpers_test.go:[0-9]+:.*\nhelpers_test.go:[0-9]+:\n" +
-		"    return c\\.Check\\(\"a b\\\\n\", checker, \"a\\\\nb\"\\)\n" +
-		"\\.+ myobtained string = \"a b\\\\n\"\n" +
-		"\\.+ myexpected string = \"\" \\+\n" +
-		"\\.+     \"a\\\\n\" \\+\n" +
-		"\\.+     \"b\"\n\n"
-	testHelperFailure(c, `Check("a b\n", chk, "a\nb")`, false, false, log,
-		func() interface{} {
-			return c.Check("a b\n", checker, "a\nb")
-		})
-}
-
-// -----------------------------------------------------------------------
-// MakeDir() tests.
-
-type MkDirHelper struct {
-	path1  string
-	path2  string
-	isDir1 bool
-	isDir2 bool
-	isDir3 bool
-	isDir4 bool
-}
-
-func (s *MkDirHelper) SetUpSuite(c *check.C) {
-	s.path1 = c.MkDir()
-	s.isDir1 = isDir(s.path1)
-}
-
-func (s *MkDirHelper) Test(c *check.C) {
-	s.path2 = c.MkDir()
-	s.isDir2 = isDir(s.path2)
-}
-
-func (s *MkDirHelper) TearDownSuite(c *check.C) {
-	s.isDir3 = isDir(s.path1)
-	s.isDir4 = isDir(s.path2)
-}
-
-func (s *HelpersS) TestMkDir(c *check.C) {
-	helper := MkDirHelper{}
-	output := String{}
-	check.Run(&helper, &check.RunConf{Output: &output})
-	c.Assert(output.value, check.Equals, "")
-	c.Check(helper.isDir1, check.Equals, true)
-	c.Check(helper.isDir2, check.Equals, true)
-	c.Check(helper.isDir3, check.Equals, true)
-	c.Check(helper.isDir4, check.Equals, true)
-	c.Check(helper.path1, check.Not(check.Equals),
-		helper.path2)
-	c.Check(isDir(helper.path1), check.Equals, false)
-	c.Check(isDir(helper.path2), check.Equals, false)
-}
-
-func isDir(path string) bool {
-	if stat, err := os.Stat(path); err == nil {
-		return stat.IsDir()
-	}
-	return false
-}
-
-// Concurrent logging should not corrupt the underling buffer.
-// Use go test -race to detect the race in this test.
-func (s *HelpersS) TestConcurrentLogging(c *check.C) {
-	defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(runtime.NumCPU()))
-	var start, stop sync.WaitGroup
-	start.Add(1)
-	for i, n := 0, runtime.NumCPU()*2; i < n; i++ {
-		stop.Add(1)
-		go func(i int) {
-			start.Wait()
-			for j := 0; j < 30; j++ {
-				c.Logf("Worker %d: line %d", i, j)
-			}
-			stop.Done()
-		}(i)
-	}
-	start.Done()
-	stop.Wait()
-}
-
-// -----------------------------------------------------------------------
-// Test the TestName function
-
-type TestNameHelper struct {
-	name1 string
-	name2 string
-	name3 string
-	name4 string
-	name5 string
-}
-
-func (s *TestNameHelper) SetUpSuite(c *check.C)    { s.name1 = c.TestName() }
-func (s *TestNameHelper) SetUpTest(c *check.C)     { s.name2 = c.TestName() }
-func (s *TestNameHelper) Test(c *check.C)          { s.name3 = c.TestName() }
-func (s *TestNameHelper) TearDownTest(c *check.C)  { s.name4 = c.TestName() }
-func (s *TestNameHelper) TearDownSuite(c *check.C) { s.name5 = c.TestName() }
-
-func (s *HelpersS) TestTestName(c *check.C) {
-	helper := TestNameHelper{}
-	output := String{}
-	check.Run(&helper, &check.RunConf{Output: &output})
-	c.Check(helper.name1, check.Equals, "")
-	c.Check(helper.name2, check.Equals, "TestNameHelper.Test")
-	c.Check(helper.name3, check.Equals, "TestNameHelper.Test")
-	c.Check(helper.name4, check.Equals, "TestNameHelper.Test")
-	c.Check(helper.name5, check.Equals, "")
-}
-
-// -----------------------------------------------------------------------
-// A couple of helper functions to test helper functions. :-)
-
-func testHelperSuccess(c *check.C, name string, expectedResult interface{}, closure func() interface{}) {
-	var result interface{}
-	defer (func() {
-		if err := recover(); err != nil {
-			panic(err)
-		}
-		checkState(c, result,
-			&expectedState{
-				name:   name,
-				result: expectedResult,
-				failed: false,
-				log:    "",
-			})
-	})()
-	result = closure()
-}
-
-func testHelperFailure(c *check.C, name string, expectedResult interface{}, shouldStop bool, log string, closure func() interface{}) {
-	var result interface{}
-	defer (func() {
-		if err := recover(); err != nil {
-			panic(err)
-		}
-		checkState(c, result,
-			&expectedState{
-				name:   name,
-				result: expectedResult,
-				failed: true,
-				log:    log,
-			})
-	})()
-	result = closure()
-	if shouldStop {
-		c.Logf("%s didn't stop when it should", name)
-	}
-}
diff --git a/vendor/gopkg.in/check.v1/printer.go b/vendor/gopkg.in/check.v1/printer.go
deleted file mode 100644
index e0f7557b..00000000
--- a/vendor/gopkg.in/check.v1/printer.go
+++ /dev/null
@@ -1,168 +0,0 @@
-package check
-
-import (
-	"bytes"
-	"go/ast"
-	"go/parser"
-	"go/printer"
-	"go/token"
-	"os"
-)
-
-func indent(s, with string) (r string) {
-	eol := true
-	for i := 0; i != len(s); i++ {
-		c := s[i]
-		switch {
-		case eol && c == '\n' || c == '\r':
-		case c == '\n' || c == '\r':
-			eol = true
-		case eol:
-			eol = false
-			s = s[:i] + with + s[i:]
-			i += len(with)
-		}
-	}
-	return s
-}
-
-func printLine(filename string, line int) (string, error) {
-	fset := token.NewFileSet()
-	file, err := os.Open(filename)
-	if err != nil {
-		return "", err
-	}
-	fnode, err := parser.ParseFile(fset, filename, file, parser.ParseComments)
-	if err != nil {
-		return "", err
-	}
-	config := &printer.Config{Mode: printer.UseSpaces, Tabwidth: 4}
-	lp := &linePrinter{fset: fset, fnode: fnode, line: line, config: config}
-	ast.Walk(lp, fnode)
-	result := lp.output.Bytes()
-	// Comments leave \n at the end.
-	n := len(result)
-	for n > 0 && result[n-1] == '\n' {
-		n--
-	}
-	return string(result[:n]), nil
-}
-
-type linePrinter struct {
-	config *printer.Config
-	fset   *token.FileSet
-	fnode  *ast.File
-	line   int
-	output bytes.Buffer
-	stmt   ast.Stmt
-}
-
-func (lp *linePrinter) emit() bool {
-	if lp.stmt != nil {
-		lp.trim(lp.stmt)
-		lp.printWithComments(lp.stmt)
-		lp.stmt = nil
-		return true
-	}
-	return false
-}
-
-func (lp *linePrinter) printWithComments(n ast.Node) {
-	nfirst := lp.fset.Position(n.Pos()).Line
-	nlast := lp.fset.Position(n.End()).Line
-	for _, g := range lp.fnode.Comments {
-		cfirst := lp.fset.Position(g.Pos()).Line
-		clast := lp.fset.Position(g.End()).Line
-		if clast == nfirst-1 && lp.fset.Position(n.Pos()).Column == lp.fset.Position(g.Pos()).Column {
-			for _, c := range g.List {
-				lp.output.WriteString(c.Text)
-				lp.output.WriteByte('\n')
-			}
-		}
-		if cfirst >= nfirst && cfirst <= nlast && n.End() <= g.List[0].Slash {
-			// The printer will not include the comment if it starts past
-			// the node itself. Trick it into printing by overlapping the
-			// slash with the end of the statement.
-			g.List[0].Slash = n.End() - 1
-		}
-	}
-	node := &printer.CommentedNode{n, lp.fnode.Comments}
-	lp.config.Fprint(&lp.output, lp.fset, node)
-}
-
-func (lp *linePrinter) Visit(n ast.Node) (w ast.Visitor) {
-	if n == nil {
-		if lp.output.Len() == 0 {
-			lp.emit()
-		}
-		return nil
-	}
-	first := lp.fset.Position(n.Pos()).Line
-	last := lp.fset.Position(n.End()).Line
-	if first <= lp.line && last >= lp.line {
-		// Print the innermost statement containing the line.
-		if stmt, ok := n.(ast.Stmt); ok {
-			if _, ok := n.(*ast.BlockStmt); !ok {
-				lp.stmt = stmt
-			}
-		}
-		if first == lp.line && lp.emit() {
-			return nil
-		}
-		return lp
-	}
-	return nil
-}
-
-func (lp *linePrinter) trim(n ast.Node) bool {
-	stmt, ok := n.(ast.Stmt)
-	if !ok {
-		return true
-	}
-	line := lp.fset.Position(n.Pos()).Line
-	if line != lp.line {
-		return false
-	}
-	switch stmt := stmt.(type) {
-	case *ast.IfStmt:
-		stmt.Body = lp.trimBlock(stmt.Body)
-	case *ast.SwitchStmt:
-		stmt.Body = lp.trimBlock(stmt.Body)
-	case *ast.TypeSwitchStmt:
-		stmt.Body = lp.trimBlock(stmt.Body)
-	case *ast.CaseClause:
-		stmt.Body = lp.trimList(stmt.Body)
-	case *ast.CommClause:
-		stmt.Body = lp.trimList(stmt.Body)
-	case *ast.BlockStmt:
-		stmt.List = lp.trimList(stmt.List)
-	}
-	return true
-}
-
-func (lp *linePrinter) trimBlock(stmt *ast.BlockStmt) *ast.BlockStmt {
-	if !lp.trim(stmt) {
-		return lp.emptyBlock(stmt)
-	}
-	stmt.Rbrace = stmt.Lbrace
-	return stmt
-}
-
-func (lp *linePrinter) trimList(stmts []ast.Stmt) []ast.Stmt {
-	for i := 0; i != len(stmts); i++ {
-		if !lp.trim(stmts[i]) {
-			stmts[i] = lp.emptyStmt(stmts[i])
-			break
-		}
-	}
-	return stmts
-}
-
-func (lp *linePrinter) emptyStmt(n ast.Node) *ast.ExprStmt {
-	return &ast.ExprStmt{&ast.Ellipsis{n.Pos(), nil}}
-}
-
-func (lp *linePrinter) emptyBlock(n ast.Node) *ast.BlockStmt {
-	p := n.Pos()
-	return &ast.BlockStmt{p, []ast.Stmt{lp.emptyStmt(n)}, p}
-}
diff --git a/vendor/gopkg.in/check.v1/printer_test.go b/vendor/gopkg.in/check.v1/printer_test.go
deleted file mode 100644
index 538b2d52..00000000
--- a/vendor/gopkg.in/check.v1/printer_test.go
+++ /dev/null
@@ -1,104 +0,0 @@
-package check_test
-
-import (
-    .   "gopkg.in/check.v1"
-)
-
-var _ = Suite(&PrinterS{})
-
-type PrinterS struct{}
-
-func (s *PrinterS) TestCountSuite(c *C) {
-    suitesRun += 1
-}
-
-var printTestFuncLine int
-
-func init() {
-    printTestFuncLine = getMyLine() + 3
-}
-
-func printTestFunc() {
-    println(1)           // Comment1
-    if 2 == 2 {          // Comment2
-        println(3)       // Comment3
-    }
-    switch 5 {
-    case 6: println(6)   // Comment6
-        println(7)
-    }
-    switch interface{}(9).(type) {// Comment9
-    case int: println(10)
-        println(11)
-    }
-    select {
-    case <-(chan bool)(nil): println(14)
-        println(15)
-    default: println(16)
-        println(17)
-    }
-    println(19,
-        20)
-    _ = func() { println(21)
-        println(22)
-    }
-    println(24, func() {
-        println(25)
-    })
-    // Leading comment
-    // with multiple lines.
-    println(29)  // Comment29
-}
-
-var printLineTests = []struct {
-    line   int
-    output string
-}{
-    {1, "println(1) // Comment1"},
-    {2, "if 2 == 2 { // Comment2\n    ...\n}"},
-    {3, "println(3) // Comment3"},
-    {5, "switch 5 {\n...\n}"},
-    {6, "case 6:\n    println(6) // Comment6\n    ..."},
-    {7, "println(7)"},
-    {9, "switch interface{}(9).(type) { // Comment9\n...\n}"},
-    {10, "case int:\n    println(10)\n    ..."},
-    {14, "case <-(chan bool)(nil):\n    println(14)\n    ..."},
-    {15, "println(15)"},
-    {16, "default:\n    println(16)\n    ..."},
-    {17, "println(17)"},
-    {19, "println(19,\n    20)"},
-    {20, "println(19,\n    20)"},
-    {21, "_ = func() {\n    println(21)\n    println(22)\n}"},
-    {22, "println(22)"},
-    {24, "println(24, func() {\n    println(25)\n})"},
-    {25, "println(25)"},
-    {26, "println(24, func() {\n    println(25)\n})"},
-    {29, "// Leading comment\n// with multiple lines.\nprintln(29) // Comment29"},
-}
-
-func (s *PrinterS) TestPrintLine(c *C) {
-    for _, test := range printLineTests {
-        output, err := PrintLine("printer_test.go", printTestFuncLine+test.line)
-        c.Assert(err, IsNil)
-        c.Assert(output, Equals, test.output)
-    }
-}
-
-var indentTests = []struct {
-    in, out string
-}{
-    {"", ""},
-    {"\n", "\n"},
-    {"a", ">>>a"},
-    {"a\n", ">>>a\n"},
-    {"a\nb", ">>>a\n>>>b"},
-    {" ", ">>> "},
-}
-
-func (s *PrinterS) TestIndent(c *C) {
-    for _, test := range indentTests {
-        out := Indent(test.in, ">>>")
-        c.Assert(out, Equals, test.out)
-    }
-
-}
diff --git a/vendor/gopkg.in/check.v1/reporter.go b/vendor/gopkg.in/check.v1/reporter.go
deleted file mode 100644
index fb04f76f..00000000
--- a/vendor/gopkg.in/check.v1/reporter.go
+++ /dev/null
@@ -1,88 +0,0 @@
-package check
-
-import (
-	"fmt"
-	"io"
-	"sync"
-)
-
-// -----------------------------------------------------------------------
-// Output writer manages atomic output writing according to settings.
-
-type outputWriter struct {
-	m                    sync.Mutex
-	writer               io.Writer
-	wroteCallProblemLast bool
-	Stream               bool
-	Verbose              bool
-}
-
-func newOutputWriter(writer io.Writer, stream, verbose bool) *outputWriter {
-	return &outputWriter{writer: writer, Stream: stream, Verbose: verbose}
-}
-
-func (ow *outputWriter) Write(content []byte) (n int, err error) {
-	ow.m.Lock()
-	n, err = ow.writer.Write(content)
-	ow.m.Unlock()
-	return
-}
-
-func (ow *outputWriter) WriteCallStarted(label string, c *C) {
-	if ow.Stream {
-		header := renderCallHeader(label, c, "", "\n")
-		ow.m.Lock()
-		ow.writer.Write([]byte(header))
-		ow.m.Unlock()
-	}
-}
-
-func (ow *outputWriter) WriteCallProblem(label string, c *C) {
-	var prefix string
-	if !ow.Stream {
-		prefix = "\n-----------------------------------" +
-			"-----------------------------------\n"
-	}
-	header := renderCallHeader(label, c, prefix, "\n\n")
-	ow.m.Lock()
-	ow.wroteCallProblemLast = true
-	ow.writer.Write([]byte(header))
-	if !ow.Stream {
-		c.logb.WriteTo(ow.writer)
-	}
-	ow.m.Unlock()
-}
-
-func (ow *outputWriter) WriteCallSuccess(label string, c *C) {
-	if ow.Stream || (ow.Verbose && c.kind == testKd) {
-		// TODO Use a buffer here.
-		var suffix string
-		if c.reason != "" {
-			suffix = " (" + c.reason + ")"
-		}
-		if c.status() == succeededSt {
-			suffix += "\t" + c.timerString()
-		}
-		suffix += "\n"
-		if ow.Stream {
-			suffix += "\n"
-		}
-		header := renderCallHeader(label, c, "", suffix)
-		ow.m.Lock()
-		// Resist temptation of using line as prefix above due to race.
-		if !ow.Stream && ow.wroteCallProblemLast {
-			header = "\n-----------------------------------" +
-				"-----------------------------------\n" +
-				header
-		}
-		ow.wroteCallProblemLast = false
-		ow.writer.Write([]byte(header))
-		ow.m.Unlock()
-	}
-}
-
-func renderCallHeader(label string, c *C, prefix, suffix string) string {
-	pc := c.method.PC()
-	return fmt.Sprintf("%s%s: %s: %s%s", prefix, label, niceFuncPath(pc),
-		niceFuncName(pc), suffix)
-}
diff --git a/vendor/gopkg.in/check.v1/reporter_test.go b/vendor/gopkg.in/check.v1/reporter_test.go
deleted file mode 100644
index 0b7ed762..00000000
--- a/vendor/gopkg.in/check.v1/reporter_test.go
+++ /dev/null
@@ -1,159 +0,0 @@
-package check_test
-
-import (
-	"fmt"
-	"path/filepath"
-	"runtime"
-
-	. "gopkg.in/check.v1"
-)
-
-var _ = Suite(&reporterS{})
-
-type reporterS struct {
-	testFile string
-}
-
-func (s *reporterS) SetUpSuite(c *C) {
-	_, fileName, _, ok := runtime.Caller(0)
-	c.Assert(ok, Equals, true)
-	s.testFile = filepath.Base(fileName)
-}
-
-func (s *reporterS) TestWrite(c *C) {
-	testString := "test string"
-	output := String{}
-
-	dummyStream := true
-	dummyVerbose := true
-	o := NewOutputWriter(&output, dummyStream, dummyVerbose)
-
-	o.Write([]byte(testString))
-	c.Assert(output.value, Equals, testString)
-}
-
-func (s *reporterS) TestWriteCallStartedWithStreamFlag(c *C) {
-	testLabel := "test started label"
-	stream := true
-	output := String{}
-
-	dummyVerbose := true
-	o := NewOutputWriter(&output, stream, dummyVerbose)
-
-	o.WriteCallStarted(testLabel, c)
-	expected := fmt.Sprintf("%s: %s:\\d+: %s\n", testLabel, s.testFile, c.TestName())
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *reporterS) TestWriteCallStartedWithoutStreamFlag(c *C) {
-	stream := false
-	output := String{}
-
-	dummyLabel := "dummy"
-	dummyVerbose := true
-	o := NewOutputWriter(&output, stream, dummyVerbose)
-
-	o.WriteCallStarted(dummyLabel, c)
-	c.Assert(output.value, Equals, "")
-}
-
-func (s *reporterS) TestWriteCallProblemWithStreamFlag(c *C) {
-	testLabel := "test problem label"
-	stream := true
-	output := String{}
-
-	dummyVerbose := true
-	o := NewOutputWriter(&output, stream, dummyVerbose)
-
-	o.WriteCallProblem(testLabel, c)
-	expected := fmt.Sprintf("%s: %s:\\d+: %s\n\n", testLabel, s.testFile, c.TestName())
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *reporterS) TestWriteCallProblemWithoutStreamFlag(c *C) {
-	testLabel := "test problem label"
-	stream := false
-	output := String{}
-
-	dummyVerbose := true
-	o := NewOutputWriter(&output, stream, dummyVerbose)
-
-	o.WriteCallProblem(testLabel, c)
-	expected := fmt.Sprintf(""+
-		"\n"+
-		"----------------------------------------------------------------------\n"+
-		"%s: %s:\\d+: %s\n\n", testLabel, s.testFile, c.TestName())
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *reporterS) TestWriteCallProblemWithoutStreamFlagWithLog(c *C) {
-	testLabel := "test problem label"
-	testLog := "test log"
-	stream := false
-	output := String{}
-
-	dummyVerbose := true
-	o := NewOutputWriter(&output, stream, dummyVerbose)
-
-	c.Log(testLog)
-	o.WriteCallProblem(testLabel, c)
-	expected := fmt.Sprintf(""+
-		"\n"+
-		"----------------------------------------------------------------------\n"+
-		"%s: %s:\\d+: %s\n\n%s\n", testLabel, s.testFile, c.TestName(), testLog)
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *reporterS) TestWriteCallSuccessWithStreamFlag(c *C) {
-	testLabel := "test success label"
-	stream := true
-	output := String{}
-
-	dummyVerbose := true
-	o := NewOutputWriter(&output, stream, dummyVerbose)
-
-	o.WriteCallSuccess(testLabel, c)
-	expected := fmt.Sprintf("%s: %s:\\d+: %s\t\\d\\.\\d+s\n\n", testLabel, s.testFile, c.TestName())
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *reporterS) TestWriteCallSuccessWithStreamFlagAndReason(c *C) {
-	testLabel := "test success label"
-	testReason := "test skip reason"
-	stream := true
-	output := String{}
-
-	dummyVerbose := true
-	o := NewOutputWriter(&output, stream, dummyVerbose)
-	c.FakeSkip(testReason)
-
-	o.WriteCallSuccess(testLabel, c)
-	expected := fmt.Sprintf("%s: %s:\\d+: %s \\(%s\\)\t\\d\\.\\d+s\n\n",
-		testLabel, s.testFile, c.TestName(), testReason)
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *reporterS) TestWriteCallSuccessWithoutStreamFlagWithVerboseFlag(c *C) {
-	testLabel := "test success label"
-	stream := false
-	verbose := true
-	output := String{}
-
-	o := NewOutputWriter(&output, stream, verbose)
-
-	o.WriteCallSuccess(testLabel, c)
-	expected := fmt.Sprintf("%s: %s:\\d+: %s\t\\d\\.\\d+s\n", testLabel, s.testFile, c.TestName())
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *reporterS) TestWriteCallSuccessWithoutStreamFlagWithoutVerboseFlag(c *C) {
-	testLabel := "test success label"
-	stream := false
-	verbose := false
-	output := String{}
-
-	o := NewOutputWriter(&output, stream, verbose)
-
-	o.WriteCallSuccess(testLabel, c)
-	c.Assert(output.value, Equals, "")
-}
diff --git a/vendor/gopkg.in/check.v1/run.go b/vendor/gopkg.in/check.v1/run.go
deleted file mode 100644
index da8fd798..00000000
--- a/vendor/gopkg.in/check.v1/run.go
+++ /dev/null
@@ -1,175 +0,0 @@
-package check
-
-import (
-	"bufio"
-	"flag"
-	"fmt"
-	"os"
-	"testing"
-	"time"
-)
-
-// -----------------------------------------------------------------------
-// Test suite registry.
-
-var allSuites []interface{}
-
-// Suite registers the given value as a test suite to be run. Any methods
-// starting with the Test prefix in the given value will be considered as
-// a test method.
-func Suite(suite interface{}) interface{} {
-	allSuites = append(allSuites, suite)
-	return suite
-}
-
-// -----------------------------------------------------------------------
-// Public running interface.
-
-var (
-	oldFilterFlag  = flag.String("gocheck.f", "", "Regular expression selecting which tests and/or suites to run")
-	oldVerboseFlag = flag.Bool("gocheck.v", false, "Verbose mode")
-	oldStreamFlag  = flag.Bool("gocheck.vv", false, "Super verbose mode (disables output caching)")
-	oldBenchFlag   = flag.Bool("gocheck.b", false, "Run benchmarks")
-	oldBenchTime   = flag.Duration("gocheck.btime", 1*time.Second, "approximate run time for each benchmark")
-	oldListFlag    = flag.Bool("gocheck.list", false, "List the names of all tests that will be run")
-	oldWorkFlag    = flag.Bool("gocheck.work", false, "Display and do not remove the test working directory")
-
-	newFilterFlag  = flag.String("check.f", "", "Regular expression selecting which tests and/or suites to run")
-	newVerboseFlag = flag.Bool("check.v", false, "Verbose mode")
-	newStreamFlag  = flag.Bool("check.vv", false, "Super verbose mode (disables output caching)")
-	newBenchFlag   = flag.Bool("check.b", false, "Run benchmarks")
-	newBenchTime   = flag.Duration("check.btime", 1*time.Second, "approximate run time for each benchmark")
-	newBenchMem    = flag.Bool("check.bmem", false, "Report memory benchmarks")
-	newListFlag    = flag.Bool("check.list", false, "List the names of all tests that will be run")
-	newWorkFlag    = flag.Bool("check.work", false, "Display and do not remove the test working directory")
-)
-
-// TestingT runs all test suites registered with the Suite function,
-// printing results to stdout, and reporting any failures back to
-// the "testing" package.
-func TestingT(testingT *testing.T) {
-	benchTime := *newBenchTime
-	if benchTime == 1*time.Second {
-		benchTime = *oldBenchTime
-	}
-	conf := &RunConf{
-		Filter:        *oldFilterFlag + *newFilterFlag,
-		Verbose:       *oldVerboseFlag || *newVerboseFlag,
-		Stream:        *oldStreamFlag || *newStreamFlag,
-		Benchmark:     *oldBenchFlag || *newBenchFlag,
-		BenchmarkTime: benchTime,
-		BenchmarkMem:  *newBenchMem,
-		KeepWorkDir:   *oldWorkFlag || *newWorkFlag,
-	}
-	if *oldListFlag || *newListFlag {
-		w := bufio.NewWriter(os.Stdout)
-		for _, name := range ListAll(conf) {
-			fmt.Fprintln(w, name)
-		}
-		w.Flush()
-		return
-	}
-	result := RunAll(conf)
-	println(result.String())
-	if !result.Passed() {
-		testingT.Fail()
-	}
-}
-
-// RunAll runs all test suites registered with the Suite function, using the
-// provided run configuration.
-func RunAll(runConf *RunConf) *Result {
-	result := Result{}
-	for _, suite := range allSuites {
-		result.Add(Run(suite, runConf))
-	}
-	return &result
-}
-
-// Run runs the provided test suite using the provided run configuration.
-func Run(suite interface{}, runConf *RunConf) *Result {
-	runner := newSuiteRunner(suite, runConf)
-	return runner.run()
-}
-
-// ListAll returns the names of all the test functions registered with the
-// Suite function that will be run with the provided run configuration.
-func ListAll(runConf *RunConf) []string {
-	var names []string
-	for _, suite := range allSuites {
-		names = append(names, List(suite, runConf)...)
-	}
-	return names
-}
-
-// List returns the names of the test functions in the given
-// suite that will be run with the provided run configuration.
-func List(suite interface{}, runConf *RunConf) []string {
-	var names []string
-	runner := newSuiteRunner(suite, runConf)
-	for _, t := range runner.tests {
-		names = append(names, t.String())
-	}
-	return names
-}
-
-// -----------------------------------------------------------------------
-// Result methods.
-
-func (r *Result) Add(other *Result) {
-	r.Succeeded += other.Succeeded
-	r.Skipped += other.Skipped
-	r.Failed += other.Failed
-	r.Panicked += other.Panicked
-	r.FixturePanicked += other.FixturePanicked
-	r.ExpectedFailures += other.ExpectedFailures
-	r.Missed += other.Missed
-	if r.WorkDir != "" && other.WorkDir != "" {
-		r.WorkDir += ":" + other.WorkDir
-	} else if other.WorkDir != "" {
-		r.WorkDir = other.WorkDir
-	}
-}
-
-func (r *Result) Passed() bool {
-	return (r.Failed == 0 && r.Panicked == 0 &&
-		r.FixturePanicked == 0 && r.Missed == 0 &&
-		r.RunError == nil)
-}
-
-func (r *Result) String() string {
-	if r.RunError != nil {
-		return "ERROR: " + r.RunError.Error()
-	}
-
-	var value string
-	if r.Failed == 0 && r.Panicked == 0 && r.FixturePanicked == 0 &&
-		r.Missed == 0 {
-		value = "OK: "
-	} else {
-		value = "OOPS: "
-	}
-	value += fmt.Sprintf("%d passed", r.Succeeded)
-	if r.Skipped != 0 {
-		value += fmt.Sprintf(", %d skipped", r.Skipped)
-	}
-	if r.ExpectedFailures != 0 {
-		value += fmt.Sprintf(", %d expected failures", r.ExpectedFailures)
-	}
-	if r.Failed != 0 {
-		value += fmt.Sprintf(", %d FAILED", r.Failed)
-	}
-	if r.Panicked != 0 {
-		value += fmt.Sprintf(", %d PANICKED", r.Panicked)
-	}
-	if r.FixturePanicked != 0 {
-		value += fmt.Sprintf(", %d FIXTURE-PANICKED", r.FixturePanicked)
-	}
-	if r.Missed != 0 {
-		value += fmt.Sprintf(", %d MISSED", r.Missed)
-	}
-	if r.WorkDir != "" {
-		value += "\nWORK=" + r.WorkDir
-	}
-	return value
-}
diff --git a/vendor/gopkg.in/check.v1/run_test.go b/vendor/gopkg.in/check.v1/run_test.go
deleted file mode 100644
index f41fffc3..00000000
--- a/vendor/gopkg.in/check.v1/run_test.go
+++ /dev/null
@@ -1,419 +0,0 @@
-// These tests verify the test running logic.
-
-package check_test
-
-import (
-	"errors"
-	. "gopkg.in/check.v1"
-	"os"
-	"sync"
-)
-
-var runnerS = Suite(&RunS{})
-
-type RunS struct{}
-
-func (s *RunS) TestCountSuite(c *C) {
-	suitesRun += 1
-}
-
-// -----------------------------------------------------------------------
-// Tests ensuring result counting works properly.
-
-func (s *RunS) TestSuccess(c *C) {
-	output := String{}
-	result := Run(&SuccessHelper{}, &RunConf{Output: &output})
-	c.Check(result.Succeeded, Equals, 1)
-	c.Check(result.Failed, Equals, 0)
-	c.Check(result.Skipped, Equals, 0)
-	c.Check(result.Panicked, Equals, 0)
-	c.Check(result.FixturePanicked, Equals, 0)
-	c.Check(result.Missed, Equals, 0)
-	c.Check(result.RunError, IsNil)
-}
-
-func (s *RunS) TestFailure(c *C) {
-	output := String{}
-	result := Run(&FailHelper{}, &RunConf{Output: &output})
-	c.Check(result.Succeeded, Equals, 0)
-	c.Check(result.Failed, Equals, 1)
-	c.Check(result.Skipped, Equals, 0)
-	c.Check(result.Panicked, Equals, 0)
-	c.Check(result.FixturePanicked, Equals, 0)
-	c.Check(result.Missed, Equals, 0)
-	c.Check(result.RunError, IsNil)
-}
-
-func (s *RunS) TestFixture(c *C) {
-	output := String{}
-	result := Run(&FixtureHelper{}, &RunConf{Output: &output})
-	c.Check(result.Succeeded, Equals, 2)
-	c.Check(result.Failed, Equals, 0)
-	c.Check(result.Skipped, Equals, 0)
-	c.Check(result.Panicked, Equals, 0)
-	c.Check(result.FixturePanicked, Equals, 0)
-	c.Check(result.Missed, Equals, 0)
-	c.Check(result.RunError, IsNil)
-}
-
-func (s *RunS) TestPanicOnTest(c *C) {
-	output := String{}
-	helper := &FixtureHelper{panicOn: "Test1"}
-	result := Run(helper, &RunConf{Output: &output})
-	c.Check(result.Succeeded, Equals, 1)
-	c.Check(result.Failed, Equals, 0)
-	c.Check(result.Skipped, Equals, 0)
-	c.Check(result.Panicked, Equals, 1)
-	c.Check(result.FixturePanicked, Equals, 0)
-	c.Check(result.Missed, Equals, 0)
-	c.Check(result.RunError, IsNil)
-}
-
-func (s *RunS) TestPanicOnSetUpTest(c *C) {
-	output := String{}
-	helper := &FixtureHelper{panicOn: "SetUpTest"}
-	result := Run(helper, &RunConf{Output: &output})
-	c.Check(result.Succeeded, Equals, 0)
-	c.Check(result.Failed, Equals, 0)
-	c.Check(result.Skipped, Equals, 0)
-	c.Check(result.Panicked, Equals, 0)
-	c.Check(result.FixturePanicked, Equals, 1)
-	c.Check(result.Missed, Equals, 2)
-	c.Check(result.RunError, IsNil)
-}
-
-func (s *RunS) TestPanicOnSetUpSuite(c *C) {
-	output := String{}
-	helper := &FixtureHelper{panicOn: "SetUpSuite"}
-	result := Run(helper, &RunConf{Output: &output})
-	c.Check(result.Succeeded, Equals, 0)
-	c.Check(result.Failed, Equals, 0)
-	c.Check(result.Skipped, Equals, 0)
-	c.Check(result.Panicked, Equals, 0)
-	c.Check(result.FixturePanicked, Equals, 1)
-	c.Check(result.Missed, Equals, 2)
-	c.Check(result.RunError, IsNil)
-}
-
-// -----------------------------------------------------------------------
-// Check result aggregation.
-
-func (s *RunS) TestAdd(c *C) {
-	result := &Result{
-		Succeeded:        1,
-		Skipped:          2,
-		Failed:           3,
-		Panicked:         4,
-		FixturePanicked:  5,
-		Missed:           6,
-		ExpectedFailures: 7,
-	}
-	result.Add(&Result{
-		Succeeded:        10,
-		Skipped:          20,
-		Failed:           30,
-		Panicked:         40,
-		FixturePanicked:  50,
-		Missed:           60,
-		ExpectedFailures: 70,
-	})
-	c.Check(result.Succeeded, Equals, 11)
-	c.Check(result.Skipped, Equals, 22)
-	c.Check(result.Failed, Equals, 33)
-	c.Check(result.Panicked, Equals, 44)
-	c.Check(result.FixturePanicked, Equals, 55)
-	c.Check(result.Missed, Equals, 66)
-	c.Check(result.ExpectedFailures, Equals, 77)
-	c.Check(result.RunError, IsNil)
-}
-
-// -----------------------------------------------------------------------
-// Check the Passed() method.
-
-func (s *RunS) TestPassed(c *C) {
-	c.Assert((&Result{}).Passed(), Equals, true)
-	c.Assert((&Result{Succeeded: 1}).Passed(), Equals, true)
-	c.Assert((&Result{Skipped: 1}).Passed(), Equals, true)
-	c.Assert((&Result{Failed: 1}).Passed(), Equals, false)
-	c.Assert((&Result{Panicked: 1}).Passed(), Equals, false)
-	c.Assert((&Result{FixturePanicked: 1}).Passed(), Equals, false)
-	c.Assert((&Result{Missed: 1}).Passed(), Equals, false)
-	c.Assert((&Result{RunError: errors.New("!")}).Passed(), Equals, false)
-}
-
-// -----------------------------------------------------------------------
-// Check that result printing is working correctly.
-
-func (s *RunS) TestPrintSuccess(c *C) {
-	result := &Result{Succeeded: 5}
-	c.Check(result.String(), Equals, "OK: 5 passed")
-}
-
-func (s *RunS) TestPrintFailure(c *C) {
-	result := &Result{Failed: 5}
-	c.Check(result.String(), Equals, "OOPS: 0 passed, 5 FAILED")
-}
-
-func (s *RunS) TestPrintSkipped(c *C) {
-	result := &Result{Skipped: 5}
-	c.Check(result.String(), Equals, "OK: 0 passed, 5 skipped")
-}
-
-func (s *RunS) TestPrintExpectedFailures(c *C) {
-	result := &Result{ExpectedFailures: 5}
-	c.Check(result.String(), Equals, "OK: 0 passed, 5 expected failures")
-}
-
-func (s *RunS) TestPrintPanicked(c *C) {
-	result := &Result{Panicked: 5}
-	c.Check(result.String(), Equals, "OOPS: 0 passed, 5 PANICKED")
-}
-
-func (s *RunS) TestPrintFixturePanicked(c *C) {
-	result := &Result{FixturePanicked: 5}
-	c.Check(result.String(), Equals, "OOPS: 0 passed, 5 FIXTURE-PANICKED")
-}
-
-func (s *RunS) TestPrintMissed(c *C) {
-	result := &Result{Missed: 5}
-	c.Check(result.String(), Equals, "OOPS: 0 passed, 5 MISSED")
-}
-
-func (s *RunS) TestPrintAll(c *C) {
-	result := &Result{Succeeded: 1, Skipped: 2, ExpectedFailures: 3,
-		Panicked: 4, FixturePanicked: 5, Missed: 6}
-	c.Check(result.String(), Equals,
-		"OOPS: 1 passed, 2 skipped, 3 expected failures, 4 PANICKED, "+
-			"5 FIXTURE-PANICKED, 6 MISSED")
-}
-
-func (s *RunS) TestPrintRunError(c *C) {
-	result := &Result{Succeeded: 1, Failed: 1,
-		RunError: errors.New("Kaboom!")}
-	c.Check(result.String(), Equals, "ERROR: Kaboom!")
-}
-
-// -----------------------------------------------------------------------
-// Verify that the method pattern flag works correctly.
-
-func (s *RunS) TestFilterTestName(c *C) {
-	helper := FixtureHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Filter: "Test[91]"}
-	Run(&helper, &runConf)
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "Test1")
-	c.Check(helper.calls[3], Equals, "TearDownTest")
-	c.Check(helper.calls[4], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 5)
-}
-
-func (s *RunS) TestFilterTestNameWithAll(c *C) {
-	helper := FixtureHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Filter: ".*"}
-	Run(&helper, &runConf)
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "Test1")
-	c.Check(helper.calls[3], Equals, "TearDownTest")
-	c.Check(helper.calls[4], Equals, "SetUpTest")
-	c.Check(helper.calls[5], Equals, "Test2")
-	c.Check(helper.calls[6], Equals, "TearDownTest")
-	c.Check(helper.calls[7], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 8)
-}
-
-func (s *RunS) TestFilterSuiteName(c *C) {
-	helper := FixtureHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Filter: "FixtureHelper"}
-	Run(&helper, &runConf)
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "Test1")
-	c.Check(helper.calls[3], Equals, "TearDownTest")
-	c.Check(helper.calls[4], Equals, "SetUpTest")
-	c.Check(helper.calls[5], Equals, "Test2")
-	c.Check(helper.calls[6], Equals, "TearDownTest")
-	c.Check(helper.calls[7], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 8)
-}
-
-func (s *RunS) TestFilterSuiteNameAndTestName(c *C) {
-	helper := FixtureHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Filter: "FixtureHelper\\.Test2"}
-	Run(&helper, &runConf)
-	c.Check(helper.calls[0], Equals, "SetUpSuite")
-	c.Check(helper.calls[1], Equals, "SetUpTest")
-	c.Check(helper.calls[2], Equals, "Test2")
-	c.Check(helper.calls[3], Equals, "TearDownTest")
-	c.Check(helper.calls[4], Equals, "TearDownSuite")
-	c.Check(len(helper.calls), Equals, 5)
-}
-
-func (s *RunS) TestFilterAllOut(c *C) {
-	helper := FixtureHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Filter: "NotFound"}
-	Run(&helper, &runConf)
-	c.Check(len(helper.calls), Equals, 0)
-}
-
-func (s *RunS) TestRequirePartialMatch(c *C) {
-	helper := FixtureHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Filter: "est"}
-	Run(&helper, &runConf)
-	c.Check(len(helper.calls), Equals, 8)
-}
-
-func (s *RunS) TestFilterError(c *C) {
-	helper := FixtureHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Filter: "]["}
-	result := Run(&helper, &runConf)
-	c.Check(result.String(), Equals,
-		"ERROR: Bad filter expression: error parsing regexp: missing closing ]: `[`")
-	c.Check(len(helper.calls), Equals, 0)
-}
-
-// -----------------------------------------------------------------------
-// Verify that List works correctly.
-
-func (s *RunS) TestListFiltered(c *C) {
-	names := List(&FixtureHelper{}, &RunConf{Filter: "1"})
-	c.Assert(names, DeepEquals, []string{
-		"FixtureHelper.Test1",
-	})
-}
-
-func (s *RunS) TestList(c *C) {
-	names := List(&FixtureHelper{}, &RunConf{})
-	c.Assert(names, DeepEquals, []string{
-		"FixtureHelper.Test1",
-		"FixtureHelper.Test2",
-	})
-}
-
-// -----------------------------------------------------------------------
-// Verify that verbose mode prints tests which pass as well.
-
-func (s *RunS) TestVerboseMode(c *C) {
-	helper := FixtureHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Verbose: true}
-	Run(&helper, &runConf)
-
-	expected := "PASS: check_test\\.go:[0-9]+: FixtureHelper\\.Test1\t *[.0-9]+s\n" +
-		"PASS: check_test\\.go:[0-9]+: FixtureHelper\\.Test2\t *[.0-9]+s\n"
-
-	c.Assert(output.value, Matches, expected)
-}
-
-func (s *RunS) TestVerboseModeWithFailBeforePass(c *C) {
-	helper := FixtureHelper{panicOn: "Test1"}
-	output := String{}
-	runConf := RunConf{Output: &output, Verbose: true}
-	Run(&helper, &runConf)
-
-	expected := "(?s).*PANIC.*\n-+\n" + // Should have an extra line.
-		"PASS: check_test\\.go:[0-9]+: FixtureHelper\\.Test2\t *[.0-9]+s\n"
-
-	c.Assert(output.value, Matches, expected)
-}
-
-// -----------------------------------------------------------------------
-// Verify the stream output mode.  In this mode there's no output caching.
-
-type StreamHelper struct {
-	l2 sync.Mutex
-	l3 sync.Mutex
-}
-
-func (s *StreamHelper) SetUpSuite(c *C) {
-	c.Log("0")
-}
-
-func (s *StreamHelper) Test1(c *C) {
-	c.Log("1")
-	s.l2.Lock()
-	s.l3.Lock()
-	go func() {
-		s.l2.Lock() // Wait for "2".
-		c.Log("3")
-		s.l3.Unlock()
-	}()
-}
-
-func (s *StreamHelper) Test2(c *C) {
-	c.Log("2")
-	s.l2.Unlock()
-	s.l3.Lock() // Wait for "3".
-	c.Fail()
-	c.Log("4")
-}
-
-func (s *RunS) TestStreamMode(c *C) {
-	helper := &StreamHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Stream: true}
-	Run(helper, &runConf)
-
-	expected := "START: run_test\\.go:[0-9]+: StreamHelper\\.SetUpSuite\n0\n" +
-		"PASS: run_test\\.go:[0-9]+: StreamHelper\\.SetUpSuite\t *[.0-9]+s\n\n" +
-		"START: run_test\\.go:[0-9]+: StreamHelper\\.Test1\n1\n" +
-		"PASS: run_test\\.go:[0-9]+: StreamHelper\\.Test1\t *[.0-9]+s\n\n" +
-		"START: run_test\\.go:[0-9]+: StreamHelper\\.Test2\n2\n3\n4\n" +
-		"FAIL: run_test\\.go:[0-9]+: StreamHelper\\.Test2\n\n"
-
-	c.Assert(output.value, Matches, expected)
-}
-
-type StreamMissHelper struct{}
-
-func (s *StreamMissHelper) SetUpSuite(c *C) {
-	c.Log("0")
-	c.Fail()
-}
-
-func (s *StreamMissHelper) Test1(c *C) {
-	c.Log("1")
-}
-
-func (s *RunS) TestStreamModeWithMiss(c *C) {
-	helper := &StreamMissHelper{}
-	output := String{}
-	runConf := RunConf{Output: &output, Stream: true}
-	Run(helper, &runConf)
-
-	expected := "START: run_test\\.go:[0-9]+: StreamMissHelper\\.SetUpSuite\n0\n" +
-		"FAIL: run_test\\.go:[0-9]+: StreamMissHelper\\.SetUpSuite\n\n" +
-		"START: run_test\\.go:[0-9]+: StreamMissHelper\\.Test1\n" +
-		"MISS: run_test\\.go:[0-9]+: StreamMissHelper\\.Test1\n\n"
-
-	c.Assert(output.value, Matches, expected)
-}
-
-// -----------------------------------------------------------------------
-// Verify that that the keep work dir request indeed does so.
-
-type WorkDirSuite struct {}
-
-func (s *WorkDirSuite) Test(c *C) {
-	c.MkDir()
-}
-
-func (s *RunS) TestKeepWorkDir(c *C) {
-	output := String{}
-	runConf := RunConf{Output: &output, Verbose: true, KeepWorkDir: true}
-	result := Run(&WorkDirSuite{}, &runConf)
-
-	c.Assert(result.String(), Matches, ".*\nWORK=" + result.WorkDir)
-
-	stat, err := os.Stat(result.WorkDir)
-	c.Assert(err, IsNil)
-	c.Assert(stat.IsDir(), Equals, true)
-}
diff --git a/xmlenc/cbc.go b/xmlenc/cbc.go
index 11ee210d..bf6a14f7 100644
--- a/xmlenc/cbc.go
+++ b/xmlenc/cbc.go
@@ -1,9 +1,10 @@
 package xmlenc
 
+// nolint: gas
 import (
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/des" // nolint: gas
+	"crypto/des"
 	"encoding/base64"
 	"errors"
 	"fmt"
diff --git a/xmlenc/decrypt.go b/xmlenc/decrypt.go
index f7d72023..f9859c06 100644
--- a/xmlenc/decrypt.go
+++ b/xmlenc/decrypt.go
@@ -9,7 +9,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-
 	"strings"
 
 	"github.com/beevik/etree"
@@ -79,7 +78,7 @@ func getCiphertext(encryptedKey *etree.Element) ([]byte, error) {
 	return ciphertext, nil
 }
 
-func validateRSAKey(key interface{}, encryptedKey *etree.Element) (*rsa.PrivateKey, error) {
+func validateRSAKeyIfPresent(key interface{}, encryptedKey *etree.Element) (*rsa.PrivateKey, error) {
 	rsaKey, ok := key.(*rsa.PrivateKey)
 	if !ok {
 		return nil, errors.New("expected key to be a *rsa.PrivateKey")
@@ -110,8 +109,6 @@ func validateRSAKey(key interface{}, encryptedKey *etree.Element) (*rsa.PrivateK
 		}
 	} else if el = encryptedKey.FindElement("./KeyInfo/X509Data/X509IssuerSerial"); el != nil {
 		// TODO: determine how to validate the issuer serial information
-	} else {
-		return nil, ErrCannotFindRequiredElement("X509Certificate or X509IssuerSerial")
 	}
 	return rsaKey, nil
 }
diff --git a/xmlenc/decrypt_test.go b/xmlenc/decrypt_test.go
index aca92cf0..ecf46dda 100644
--- a/xmlenc/decrypt_test.go
+++ b/xmlenc/decrypt_test.go
@@ -3,90 +3,57 @@ package xmlenc
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"fmt"
 	"testing"
 
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+
 	"github.com/beevik/etree"
-	. "gopkg.in/check.v1"
 )
 
-// Hook up gocheck into the "go test" runner.
-func Test(t *testing.T) { TestingT(t) }
-
-var input = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" Destination=\"https://15661444.ngrok.io/saml2/acs\" ID=\"_e9b3332eeaf348da6786aed16300aca9\" InResponseTo=\"id-9e61753d64e928af5a7a341a97f420c9\" IssueInstant=\"2015-12-01T01:56:21.375Z\" Version=\"2.0\"><saml2:Issuer xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\"><xenc:EncryptedData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"_dab0b1dbbc0595ab06473034e3bb798c\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"/><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><xenc:EncryptedKey Id=\"_dd9264352cef16103cdb21fae97fa951\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE\nCAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX\nDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x\nEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308\nkWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv\nSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf\nnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv\nTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+\ncvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>i/wh2ubXbhTH5W3hwc5VEf4DH1xifeTuxoe64ULopGJ0M0XxBKgDEIfTg59JUMmDYB4L8UStTFfqJk9BRGcMeYWVfckn5gCwLptD9cz26irw+7Ud7MIorA7z68v8rEyzwagKjz8VKvX1afgec0wobVTNN3M1Bn+SOyMhAu+Z4tE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><xenc:CipherValue>a6PZohc8i16b2HG5irLqbzAt8zMI6OAjBprhcDb+w6zvjU2Pi9KgGRBAESLKmVfBR0Nf6C/cjozCGyelfVMtx9toIV1C3jtanoI45hq2EZZVprKMKGdCsAbXbhwYrd06QyGYvLjTn9iqako6+ifxtoFHJOkhMQShDMv8l3p5n36iFrJ4kUT3pSOIl4a479INcayp2B4u9MVJybvN7iqp/5dMEG5ZLRCmtczfo6NsUmu+bmT7O/Xs0XeDmqICrfI3TTLzKSOb8r0iZOaii5qjfTALDQ10hlqxV4fgd51FFGG7eHr+HHD+FT6Q9vhNjKd+4UVT2LZlaEiMw888vyBKtfl6gTsuJbln0fHRPmOGYeoJlAdfpukhxqTbgdzOke2NY5VLw72ieUWREAEdVXBolrzbSaafumQGuW7c8cjLCDPOlaYIvWsQzQOp5uL5mw4y4S7yNPtTAa5czcf+xgw4MGatcWeDFv0gMTlnBAGIT+QNLK/+idRSpnYwjPO407UNNa2HSX3QpZsutbxyskqvuMgp08DcI2+7+NrTXtQjR5knhCwRNkGTOqVxEBD6uExSjbLBbFmd4jgKn73SqHStk0wCkKatxbZMD8YosTu9mrU2wuWacZ1GFRMlk28oaeXl9qUDnqBwZ5EoxT/jDjWIMWw9b40InvZK6kKzn+v3BSGKqzq2Ecj9yxE7u5/51NC+tFyZiN2J9Lu9yehvW46xRrqFWqCyioFza5bw1yd3bzkuMMpd6UvsZPHKvWwap3+O6ngc8bMBBCLltJVOaTn/cBGsUvoARY6Rfftsx7BamrfGURd8vqq+AI6Z1OC8N3bcRCymIzw0nXdbUSqhKWwbw6P2szvAB6kCdu4+C3Bo01CEQyerCCbpfn/cZ+rPsBVlGdBOLl5eCW8oJOODruYgSRshrTnDffLQprxCddj7vSnFbVHirU8a0KwpCVCdAAL9nKppTHs0Mq2YaiMDo8mFvx+3kan/IBnJSOVL19vdLfHDbZqVh7UVFtiuWv3T15BoiefDdF/aR5joN0zRWf8l6IYcjBOskk/xgxOZhZzbJl8DcgTawD8giJ31SJ1NoOqgrSD4wBHGON4mInHkO0X5+vw1jVNPGF3BwHw0kxoCT3ZKdSsi8O4tlf1y227cf794AGnyQe13O032jYgOmM5qNkET6PyfkyD/h0ufgQq2vJvxSOiRv76Kdg0SeRuNPW9MyjO/5APHl7tBlDBEVq+LWDHl4g9h/bw+Fsi0WN4pLN1Yv9RANWpIsXWyvxTWIZHTuZEjNbHqFKpsefx/oY1b9cSzKR5fQ9vc32e17WykL0O7pwpzV6TrFN874GdmW5lG5zfqnRHUQh1aV2WwBJ74mB4tv/y5rmRjTe5h/rN90kN+eQGeR3eG7XUHLhK/yCV+xq8KKPxNZexcdHGA905rvYokbtmr/jIN5kAMBdlOU8akPAZdSMMh+g/RZo5MO50/gdg6MTpB4onU2FBd54FNDp2fuBUxBsnTqpZXkDcAPEfSBr+z2l8jTRmxMricWyeC55ILgxM4er68n0xYjwb2jyQum3IQq7TSYYU/qjNiH1fQBtdRmBkzXJYYk+9q7C6OZJUdR96ERnTIi93NaYmtpSEvZU9vS6MV1VBOnEf8UzUUT9ibMpP9XDSINX7dN24rKIufSY+3+70orQB07XOWp6++SWKgA+WThaoPhp8sWWMeSZuda/wq6jdVTAB8FOPiP3lNl0BqxagQEPmNxDWXwTplSFSR3SP0e4sHMSjLvysibV9Z87LZa1FG0cWU2hrhiyOLsIWMnd4vdTLaWjhXuGlrDShxSAiI39wsl5RB59E+DXVSTBQAoAkHCKGK69YiMKU9K8K/LeodApgw46oPL08EWvleKPCbdTyjKUADtxfAujR84GMEUz9Aml4Q497MfvABQOW6Hwg54Z3UbwLczDCOZyK1wIwZTyS9w3eTH/6EBeyzhtt4G2e/60jkywHOKn17wQgww2ZsDcukdsCMfo4FV0NzfhSER8BdL+hdLJS3R1F/Vf4aRBEuOuycv2AqB1ZqHhcjZh7yDv0RpBvn3+2rzfzmYIBlqL16d1aBnvL4C03I0J59AtXN9WlfJ8SlJhrduW/PF4pSCAQEyHGprP9hVhaXCOUuXCbjA2FI57NkxALQ2HpCVpXKGw0qO0rYxRYIRlKTl43VFcrSGJdVYOFUk0ZV3b+k+KoxLVSgBjIUWxio/tvVgUYDZsO3M3x0I+0r9xlWZSFFmhwdOFouD+Xy1NPTmgwlUXqZ4peyIE1oVntpcrTJuev2jNScXbU9PG8b589GM4Z09KS/fAyytTFKmUpBuTme969qu0eA7/kBSHAkKvbfj0hsrbkkF9y/rXi8xgcMXNgYayW8MHEhm506AyPIvJAreZL637/BENO1ABdWS1Enj/uGaLM1ED8UY94boh/lMhqa9jALgEOHHxspavexi3HIFwJ55s4ocQnjb4p6op4CRPUdPCfli5st9m3NtQoH9kT1FTRZa9sG8Ybhey5wP17YgPIg9ZZtvlvpSTwCwZxHZ348wXJWhbtId9DyOcIzsyK5HaJcRsp8SQVR5nbRW0pUyC/bFAtX1KOGJmtro/QfmnLG9ksuaZvxP6+bH1K+CibEFIRDllAUFFPiuT+2b3Yp3Tu1VvXokMAgmcB5iFDgTAglw5meJYJ99uIBmj0EVZm8snMhRrHjMPTAYD5kwPK/YDShPFFV3XEIFzLD3iYrzb7sub/Z4gTTELWzzS3bCpYPAh4KWeTih+p7Xj0Xf04nSONHZXsQnNenc+PNae+Zj5iCfJ/PpqhMn61n/YBP7gipYYEtOZYzDtvMz+mytYRUOaZTq3W4Wp64f+XVekn49CLarLm6qPyiz5kJwaT8lJ+VEZDPpS/ChLM4eq90GogJBvK0jxmQ1AGvnKpV2lw9XCudf3PXbaTb+r2QPcihKnmqcEgPgYlN8VLclicNW1WyjBJ+HvDTQPbs1r1/KnBK4O5HTT6ehuHpJsYlBN9vzjsD+ov6SRkBqiGPUg9CoKKmWS6dirxwOXi3OUFzkWFVDyDezfkJAzqkmG0nlEGb9mTHdVDfX010bPJ4ZQzQSyHp7Ht2mATyQwOEem2AMB/RpNwlOKXWIdsQ5p3dHF+kmsJHI8xjEv2GeUa/aXX3MF3fPfUA7La8J8fbnaDLbnEqMCLMfdfc9+kY7EKyqPiE5KFpF0EhQBrHl8SiPuFQCoxvlH2u+ujncW7Z5JiBmMKUWOXUHhIe4NckP1awRsEcfhEs664DqOp9CbLwTXk71hHVBtINylFcf7uBZwjxNW+hCfZEoVEjjs/V4J9QeXCxpTu5TcXxBxwN5zBdkCodNFPLUg+3UicaykaH0+wrGoTu/ugjF9rz7OezMMs3pep+bzLp+yZbFAL/z/yATY3UG+lpk6Rw4SkjbnAxBSedaEdqbotddkGzVQubHvHqCiKpkAw58rAa2v15hc+UmkrRFslS8SYxTIPXs2sTNhnCCrUn8nlKufeoAm65vgYtEQ4NzmG9tqKtTeBfZAvSToYaiQq+kPii1ssuu1OULAVuSx8x/CYO6orgX7h5wI0R/Ug1nux7cb2/+pFLbNyGvwKf1TLym2NvFMJpvFlTsOJJ4DxXM/v2JkC9umm93quXLsojx7KTEOFDQLsnMKsVo6ZzRQidEwK5gQPyZL1yjGirJcEuGMAEf6LA2AsKIIZhsMEPlLpzMiVo5Y0LoL6NFsXigceLaaJMEMuYNJJdh+uxyfW57+PoQ7V8KkzSHFsKan14GnpWeOV7r13uopwCPeIsEKUVG77ypd+ILQkbKxH2lQdsFyjpofqkbgEVM5XAnVbdhfwyebNHn5OJtadVkOMcJc/WMWJef1idcSfvP5ENkwp3pKg9Ljoi+hU2Chp1vTmksO2HJt0of4QnQ8jGlcqnOrAMiWUCd2W/8AmhRBjevt3UqxnqELVvg+HJPlyqFyuUlDxx25mXEdW0COpA3s9OlSgcMjvQbIJ42NUhGFZLoK1pvPLZo711w2Ex3Lm5qqcr/7I4+vTntd/Id5aJiP18LQpslTy614Wd4eD8+RfjEtmDAPXhgvfekVkS/rDnI/9H0k3AdHc78fJCJRPNwJrDTozzjxTvmVv9r4MtpoDELmnMxb3o7ZibUMxgptCTyDF+Q5m6T3GeD9G5ehgB3Tqsx3gcUGuDtP6KIqMGbj8YCFt8tjihDctYFAXj4AwPnIjMiI4T7skXwfrBLWCKfN1j5XrIn2paQgKln9hvaiRUpNpD3IXVyFl1WNrb21IcRinfkuCtrP2tTHqct6eSEh8sOzRkvZEArBQYD5paYyuNBcbVtsnl6PNE+DIcSIGvCVnzpMw1BeUExvQZoNdpHwhTQ3FSd1XN1nt0EWx6lve0Azl/zJBhj5hTdCd2RHdJWDtCZdOwWy/G+4dx3hEed0x6SoopOYdt5bq3lW+Ol0mbRzr1QJnuvt8FYjIfL8cIBqidkTpDjyh6V88yg1DNHDOBBqUz8IqOJ//vY0bmQMJp9gb+05UDW7u/Oe4gGIODQlswv534KF2DcaXW9OB7JQyl6f5+O8W6+zBYZ6DAL+J2vtf3CWKSZFomTwu65vrVaLRmTXIIBjQmZEUxWVeC4xN+4Cj5ORvO8GwzoePGDvqwKzrKoupSjqkL5eKqMpCLouOn8n/x5UWtHQS1NlKgMDFhRObzKMqQhS1S4mz84F3L492GFAlie0xRhywnF+FvAkm+ZIRO0UqM4IwvUXdlqTajjmUz2T0+eXKTKTR5UoNRgP51gdUMT5A4ggT5wU9WkRx7CR9KdWJwwcWzv2YrchoHIXBidQSk+f1ZSzqR7krKSOwFTVJUvEenU17qVaHoAf2he0dMgURJ8PM9JxnSr7p2pZeNPu/O5oPmLuOCmEPVRPSahJL7yj9PK5z3q57e5POIp/wXqFoniFdxRmtmpfZBxoKVlADkwRy34h8k6ZmgtqPTQfUUk/+yH2CAoQu+HyOtUnQof8vc1k4zs8nCTrCSjqvFPjU8mHtVHy1RY0qmK9t99ugXyAKaGON3PlseetIC8WCTt84nM5XGD3VQpbv139yhSPhp2Oiz0IiOsr+L9idVKSvfNSkdNq9aUC7963uAQNud8c4GuDmbENvZYvGNIMxxZhYA86n1RMNtGDZJs6/4hZTL18Kz1yCY9zbbSXTxWTmkaHJziHtgrEPoYpUeb85J229PDEX08yHOkj2HXVdnKKmEaHw3VkB4eM3PhGGdrw2CSUejSaqPQFLdhabcB2zdB4lj/AUnZvNaJc23nHHIauHnhhVrxh/KQ1H4YaYKT9ji/69BIfrTgvoGaPZC10pQKinBHEPMXoFrCd1RX1vutnXXcyT2KTBP4GG+Or0j6Sqxtp5WhxR0aJqIKM6LqMHtTooI0QhWbmSqDEBX/wRS70csVeJSrZ4dqRKit+hz8OalHA7At9e+7gSWTfHAwjl5JhtrltyAab/FII4yKQeZWG8j1fSFGHN+EbOrum2uWuVhxkUPy4coMu+yKY4GxlXfvP+yEVK5GrMECRmFBlySetJK3JOoQXiuLirlHUq+0u88QFMdAJ9+fIdU4+FxneqgW7qM7CHRE8jV4pPSWGFbGzxVZ9CWRWaYIw26VsC1qQJe1WmU7Mrp26IxmWHGwHvZ50uB0mjAHFCiln5QAvqTm2/fsY+Puk+Irt3LQbMwGVWPnb4eona2dSha+eMLOiAQkBvbaitsRqqrAVnndP7gHmO+nYZEKNx/740zTRrFBpOelrGdOa0/eV2mPhUQfozGooxoRADmT8fAcDXo0SsXCHzg9tBnmVMvInQ7+8nXfhcF/fEBjvW3gIWOmp2EWutHQ/sl73MieJWnP/n3DMk2HHcatoIZOMUzo4S4uztODHoSiOJDA1hVj7qADvKB37/OX0opnbii9o6W8naFkWG5Ie7+EWQZdo+xeVYpwGOzcNwDRrxbZpV3fTvWyWKToovncZq+TQj7c4Yhz6XDF0ffljN5hTm4ONwYViFNB4gTJlFxFX00wcWfwWah4uJs2Oa8dHPVT+7viagZiPrSDk/gythdY8glGm+F0DWlzQpWbgSI3ZbdiUQ+ox4GtLUtYgGIQFUvRYbuHqH6CXQ3SM6vkbhV/nAn6UDEWKXdJsO0u5q6UpXci7MlWDNLxoQ9dfGjSc28mX+q+4hkyho4u1XSMy9B6IdH304J7fuAQ88tTorT67AiqvqR6qnZ0icV+MMLh95moxFbrvch6sGAmMEixqeujmiZzBqBmNbzZVORiv9qcbe3CQ6X2i+9D8hMpaWj5jI0u+0wk3bRFK4uDn8T1mnD6l4TrJayf3cZI+duhKcabNj71i5w76S8RZSC6RX4ks0x+XIDc5v3223NmGvceYklbuOJtJa0/MBTOcSDKCM2kUXqPV2BlA9Za8WEO2UrdcyP+AXgM20af3thjlZvA494zdZ0mqjrsKp+VS2MVrBBtj+puSuSHJYf6bnA5/yjqQtbGvAp8hfXQURC53J5oD8rb9F7vQRqdfqpe6xd7DVd+wWZS86mWjyZYKXw312t8nM/gxo0pdvZ8F0x9y3xb9UBM2pZtdYvk3hPz6swhuE1N5j2u7nwtXuEDNcGCSfr+IempeFHFRqO8n8ikASEdKcq2XHGJwfc3lVXOQ5K4JlewcC7yQL1uNtL6iNKCtJmjJiH2PMmXrtpmCeTspFNZlwmiICyPWV9B5ce9H/qP1xjndBzFz0rn75SGDnWUhNZI/aYKNVyzkOleS5VSNxBx1hoiFuG8r+6ctYwF7XL94b95tXQ/+0V5dt0H1xVaOZ7QluoDtMSzuUjV4yUoQESa3zCfZwnW+b5SKndX5nx0GYrVxydMkUdfimZpX/fezcMiaAGwG/jgWF0zS+EL4T7gR8I5R3qUNTifKFJKJL1+AL8CgL+SRB1lgHDp2wQ7cqgqcmskAsT60qisL/UZGgmnlgZ8FkNhv0vAMkzIsz7o6cuLo15hZnrsZveIo+mZKY2cMJjJb4ZlJLcE+YcnpiM84OYjypa9lA7kv4XJaDX9oirhsl9IO/ImbFgYpR73y+xSolXYdDKfZjf/8NR7vE8fu+LYXGoZHO/hxousED6y3sCo/ItECYHWYIui+V5SmAoEvVV8FY8fFMYIc+Llc2CoX5HQISfUAtLu+fGNNV0muidXnBdtnJo25UEqxwvoENdI1lGPhlrXY6/h4kIT5djmsxxSG/EgG/4fPnrThgF9/fbG8n/3LweXvQOGjX0F1Ngt5wuMIWRQk5vtLdvv2M+BNwthHZ7xzIU7zqSVvngVPwgcsTr2d5pTVOxauT1K6ffiBF04jVZEcna+NXhJM5EcRHNuT/iOb0ncn1yuKU8JJnztEzMDjO1qCmaBTyWBR7nQS6K+nfstd/AnBWyGeC5Yi3wlvZAVMpc0m7I7McXb+rXiHM0mHoq0Z/2HOki5LP2cBuIkk84tJ3SRZwWnocrz4aTEIOmwftqMATy5Ur0KRxoUSFNMJYyc1iOfjk3H2JjgecWlQdYHcIEjxGDGeo4S9EKTRokMGNUN2nTj3SO2nHoWbx9WhGe6uB3OgDENGL9aNoPnYKXs4WcobctMxQjjBWa/zpCFwP8nr78xIFfy/64ZtsFBrxSrEHxeXiPa2Kpv456aQ9kDQjJt9XrWKe+JBawtpPUYHmWkUb3Gznp3tC2LbowvJlEe/17srb5yi+sUHEF1z/8Uk4eVYcUUXzyq3YEuqumIBIYqO8J3K5Us7tEXyzhHH8TMLNSQxmDi/w5oYccIwNFMM1+xRTsyjHHtB/rHYJjPW/50Xxb0CZF84NqotCcgIMrR4nUiPnAPd8ZvHeB/235gS1NtzBWtfcDmP8khibSQpY3JW+fdY/9W6iGlPyPIwOgH06fJayaT44sPFIm+QGIkPKSAJOFDeJNG8oc6SAqrYSfCffYfOAx3IsjSdnxQy9JAcS0HxjWnEO3rgSh7bNEecO3f4hb3TRNlczdzhfrwgxUZ0rURI3LfMCpGntF+8NrhtB7RT8sEOaa4NM13T7LWjykRQJFYKNZY0siPBP2WJxjBqL0KynlTPhAcfFyiLZbAhe7YC0XmYo8iJQqdzJQwBK9iOoDkg1XuGy7+Kfe0scamvHN2Z85umcPSiPEQRP3zAWcP5kRNDath7DKrBfQtvOJvEHiihE+qiASrCZep+m7jTD261U9vQGAnR4xBY08ChSh8XItWHvDHARN+GP08h9u6nlJ3rpOoVn9y22NNgx7bOe6QIYe9f6iYbbAzLR1/7AP1A4CQwFi39eZI9BZteze5eas+6JR2s1LqH9tncOmWAhXjE8p3hOtplh/tMbrx+pySNX4BKfZva54zccIa+e59NUifTRsq27AwAtcxg2Bk1Tu7B+LT9Yw2K8tRH6XTcGlvqDM4sYjNBqzh3yAga5iro706tg/Qaa50eln8rjISularEHlfaggogjvd+wNLg44Rj8pMr25+xxS0e9KoEGon5SutuhJ/HBGnEj3+4qNxHu27nkAmZIADiF+Jh53osDuA1fsUnRXf2lJABa30KDkG8E/eci+TkESrdfsPMo6yhWoyjtjYdJbGkjtsQCMW5DOSNYDH0FqDiiVU0nBLJ4+A4ep6aWTrv6w/ozuO4educ7x9IBpGmEY30rsXWwiGJbLGyIo+6qz6J5JBKdjNBsDO7RRweDNMp8ospaGNQSa4NKAHTG8BsGqJSP8oebpVqYpgPS1TiBWnYZKQSRJ5NFs+ULpdICekxevVXAH8uh+De9GT7KsJJzg0CFjALDbC0YrbmCigspJAh2455I6/xyWbPXCYMXwBzbioMgWcNhQBJJ6oIoQ7shwf2TP0Z+X/3NoMpWHmGpoV/JZind8lb9lcxoI44uf37+xc03O1R1bNucf0F5ljrgj2sZlGz/591EJen5GZhrT6qSTIcMu+xIyxyA/zzhy0jjkVfkDKfQ8mE9AmVtbbzHAQNy2PhDIeu7ngoFN635tSOJLR2c6pC/m6n50slFbo0oeHbbiGHyxDk7q3zXHWoHzeF1k4iVdHumYg/nwZOuRzms6rvkmwkJv59Z1p05jxA+Y0yHvDeq1WR8PfS/esm3RHfP3fM+zTlj9ZBJfzvn4OL+IIHRQ5l8pGKAeRL58OjeaU5QU98lAKHydOPDGBalsEHyIKD6iy3RZ65qIm956zQd98htZ1Vgkd7LVC7LSnLb9jRbqS1vHN7lR6bQMmXtQBYSA/+ZW2RQqSo7sToVh+Pxl3EVmsgyO8dXPL4biz7XM8eVz7CqHkrQUinnr79HJWC6Uk19cBurOD6PeOqNYy08Og/A0hbHOgN3dKmVRAPf7itK6x0eb5F70T2zVqG12GHVZieXwIcp/vahuFvriHLJtuM04laiRWNXSiL2MPHQ8e9rr8NIlWDm9uev55FI9zZxwFUPBSewawPe5vkqRLfwZCYd5mZoxtBhNBWvY3ZOVD/21dIUlQanG1n6RygbmAwCHnIB4c7EH2CBYEMDToRQuAuIssviIfdaJglwDgHbLWKNUVDOdqeclBNZjfQfVXbVukPk8DfWLqj9pD4xAOzDeVQcdmg2aLvNKgpZsWs4d+6GlKrpS7qEGvoBkIFh/cVY7DMYrt/JXYuF6DpwB+HbfnuDFc2p47SPNhnmt/ez6/DACBPQ+tgpyWYXUsiviGSp72JNTzd8uFJJZNeKUJZw1c0UTjxdwigh5tL/hWhPl48DY937zymSr1xVqC3RV6wSIpuplH+hss/rsRPAp1/TfxvhJuFsoPbW0586y9YzqEHT4FUu6WSRy0gMJLP2sLqiiZXZ6kPicXsW7M55mV3ugbGQjB7YS7EVqsQzvJTiQbOlcPqwoKK7DTqaeCOXd8kH1tNoe7hjx/UNNdLQQ7IhrJIzxqTTgwcXYMCxhoezDsIHReTIymsHPkCurfteTQcbfwoKN5E9zC2hINOPmhAxLvONzaLXQGMqofuTbFshkB4eUj8U4vBCNp+60iCLnibt4rPuyoWKEHWBYa6FfIykxVKuXkfcb64dCdGCWjv7x1XqkbpHxQB80qhipoSo244pyhIsN91ASu1Q7L75LxGXibY3jb0Y4KZ5zIWsH4kVlvPhangohDO1J9gmL9inGr9hy5BHTQiMcktGoUgOIbFJ72381vYpPxn3ngBbp48mVZd0w6xV8RBaqR3l7CxI9vvMAPYPoXBB18ERoZypza8mAlzv2QxIkNGuRzFENh1SXegBfN7eiazZnwnhbyeMghJpnXzfvHACyjkdH3shRYcJ+oMiOSpInGxm/hxFQxHJZA0Ft/lza</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>"
-var expectedPlaintext = "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" ID=\"_543eb64ea4ce19647a1f2aef5b91245d\" IssueInstant=\"2015-12-01T01:56:21.375Z\" Version=\"2.0\"><saml2:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"></ds:SignatureMethod><ds:Reference URI=\"#_543eb64ea4ce19647a1f2aef5b91245d\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"></ds:Transform><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"><ec:InclusiveNamespaces xmlns:ec=\"http://www.w3.org/2001/10/xml-exc-c14n#\" PrefixList=\"xs\"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></ds:DigestMethod><ds:DigestValue>cX9v4gtpluvP0P1TjYf+NJpli/PO5Abp/8bNxHFENGo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PmgDQrPcsntL0XsPnQXAXcdrjvD90hiTYWbj5+Bsn9WgI3HEDZh8RJAgei3LbFWDGOU6mBwYQU1PCxcAcXWkjamH4L0QDExA/5iHrhRXGQgwgEigKqLZH3h2EPVV1HYK5VLRs4ZI6uAgiY4wObHORxZevuM9NdgYRjKVUl0tSIXc6IfJqTNfCGfSQ9UIFNn8GI9GNaYBaHDhXyGJL1MnbHISQEJP7ingyHFKpc7UO0o8EGlgGJ4iVIe1ONBeSKs/d+dHwRKE1gUd4Ls3N7h8tBiCxr0ICSNANvLdAzGoefLCQe9UEh9QB3ZIQK1+sv9MzEFT+7bQY9GrZVszucBf4w==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEVMBMGA1UECBMM\n" +
-	"UGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYDVQQKEwhUZXN0U2hpYjEZMBcG\n" +
-	"A1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcx\n" +
-	"CzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gx\n" +
-	"ETAPBgNVBAoTCFRlc3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG\n" +
-	"9w0BAQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7CyVTDClcp\n" +
-	"u93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe3OQ01Ow3yT4I+Wdg1tsT\n" +
-	"pSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aTNPFmDixzUjoYzbGDrtAyCqA8f9CN2txI\n" +
-	"fJnpHE6q6CmKcoLADS4UrNPlhHSzd614kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB\n" +
-	"5/9nb0yh/ojRuJGmgMWHgWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HE\n" +
-	"MIHBMB0GA1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ869nh8\n" +
-	"3KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTET\n" +
-	"MBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNoaWIxGTAXBgNVBAMTEGlkcC50ZXN0\n" +
-	"c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5M\n" +
-	"FfSVk98t3CT9jHZoYxd8QMRLI4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpk\n" +
-	"OAvZZUosVkUo93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4\n" +
-	"/SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAjGeka8nz8Jjwx\n" +
-	"pUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr8K/qhmFT2nIQi538n6rVYLeW\n" +
-	"j8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" NameQualifier=\"https://idp.testshib.org/idp/shibboleth\" SPNameQualifier=\"https://15661444.ngrok.io/saml2/metadata\">_41bd295976dadd70e1480f318e772841</saml2:NameID><saml2:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><saml2:SubjectConfirmationData Address=\"75.144.86.91\" InResponseTo=\"id-9e61753d64e928af5a7a341a97f420c9\" NotOnOrAfter=\"2015-12-01T02:01:21.375Z\" Recipient=\"https://15661444.ngrok.io/saml2/acs\"></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore=\"2015-12-01T01:56:21.375Z\" NotOnOrAfter=\"2015-12-01T02:01:21.375Z\"><saml2:AudienceRestriction><saml2:Audience>https://15661444.ngrok.io/saml2/metadata</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant=\"2015-12-01T01:56:21.091Z\" SessionIndex=\"_6149230ee8fb88d3635c238509d9a35a\"><saml2:SubjectLocality Address=\"75.144.86.91\"></saml2:SubjectLocality><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName=\"uid\" Name=\"urn:oid:0.9.2342.19200300.100.1.1\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">myself</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName=\"eduPersonAffiliation\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.1\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">Member</saml2:AttributeValue><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">Staff</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName=\"eduPersonPrincipalName\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.6\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">myself@testshib.org</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName=\"sn\" Name=\"urn:oid:2.5.4.4\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">And I</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName=\"eduPersonScopedAffiliation\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.9\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">Member@testshib.org</saml2:AttributeValue><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">Staff@testshib.org</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName=\"givenName\" Name=\"urn:oid:2.5.4.42\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">Me Myself</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName=\"eduPersonEntitlement\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName=\"cn\" Name=\"urn:oid:2.5.4.3\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">Me Myself And I</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName=\"eduPersonTargetedID\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.10\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue><saml2:NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\" NameQualifier=\"https://idp.testshib.org/idp/shibboleth\" SPNameQualifier=\"https://15661444.ngrok.io/saml2/metadata\">8F+M9ovyaYNwCId0pVkVsnZYRDo=</saml2:NameID></saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName=\"telephoneNumber\" Name=\"urn:oid:2.5.4.20\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml2:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">555-5555</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>"
-
-type DecryptTest struct {
-}
-
-var _ = Suite(&DecryptTest{})
-
-func (test *DecryptTest) TestCanDecrypt(c *C) {
+func TestCanDecrypt(t *testing.T) {
 	doc := etree.NewDocument()
-	err := doc.ReadFromString(input)
-	c.Assert(err, IsNil)
-
-	//s, _ := doc.WriteToString()
-	//fmt.Println(s)
+	err := doc.ReadFromBytes(golden.Get(t, "input.xml"))
+	assert.Check(t, err)
 
 	keyPEM := "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi\n3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E\nPsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB\nAoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ\nCT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS\nJEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU\nN3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/\nfbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU\n4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM\nRq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA\nyfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr\nvBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6\nhU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==\n-----END RSA PRIVATE KEY-----\n"
 	b, _ := pem.Decode([]byte(keyPEM))
 	key, err := x509.ParsePKCS1PrivateKey(b.Bytes)
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	el := doc.Root().FindElement("//EncryptedKey")
 	buf, err := Decrypt(key, el)
-	c.Assert(err, IsNil)
-	c.Assert(buf, DeepEquals, []byte{0xc, 0x70, 0xa2, 0xc8, 0x15, 0x74, 0x89, 0x3f, 0x36, 0xd2, 0x7c, 0x14, 0x2a, 0x9b, 0xaa, 0xd9})
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual([]byte{0xc, 0x70, 0xa2, 0xc8, 0x15, 0x74, 0x89, 0x3f, 0x36, 0xd2, 0x7c, 0x14, 0x2a, 0x9b, 0xaa, 0xd9},
+		buf))
 
 	el = doc.Root().FindElement("//EncryptedData")
 	buf, err = Decrypt(key, el)
-	c.Assert(err, IsNil)
-	c.Assert(string(buf), DeepEquals, expectedPlaintext)
+	assert.Check(t, err)
+	golden.Assert(t, string(buf), "plaintext.xml")
 }
 
-// TODO(ross): remove 'Failing' from the function name when PR #80 lands
-func (test *DecryptTest) FailingTestCanDecryptWithoutCertificate(c *C) {
+func TestCanDecryptWithoutCertificate(t *testing.T) {
 	doc := etree.NewDocument()
-	err := doc.ReadFromString(input)
-	c.Assert(err, IsNil)
+	err := doc.ReadFromBytes(golden.Get(t, "input.xml"))
+	assert.Check(t, err)
 
 	el := doc.FindElement("//ds:X509Certificate")
 	el.Parent().RemoveChild(el)
 
-	s, _ := doc.WriteToString()
-	fmt.Println(s)
-
-	keyPEM := "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi\n3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E\nPsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB\nAoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ\nCT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS\nJEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU\nN3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/\nfbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU\n4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM\nRq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA\nyfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr\nvBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6\nhU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==\n-----END RSA PRIVATE KEY-----\n"
-	b, _ := pem.Decode([]byte(keyPEM))
+	keyPEM := golden.Get(t, "key.pem")
+	b, _ := pem.Decode(keyPEM)
 	key, err := x509.ParsePKCS1PrivateKey(b.Bytes)
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	el = doc.Root().FindElement("//EncryptedKey")
 	buf, err := Decrypt(key, el)
-	c.Assert(err, IsNil)
-	c.Assert(buf, DeepEquals, []byte{0xc, 0x70, 0xa2, 0xc8, 0x15, 0x74, 0x89, 0x3f, 0x36, 0xd2, 0x7c, 0x14, 0x2a, 0x9b, 0xaa, 0xd9})
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual([]byte{0xc, 0x70, 0xa2, 0xc8, 0x15, 0x74, 0x89, 0x3f, 0x36, 0xd2, 0x7c, 0x14, 0x2a, 0x9b, 0xaa, 0xd9}, buf))
 
 	el = doc.Root().FindElement("//EncryptedData")
 	buf, err = Decrypt(key, el)
-	c.Assert(err, IsNil)
-	c.Assert(string(buf), DeepEquals, expectedPlaintext)
+	assert.Check(t, err)
+	golden.Assert(t, string(buf), "plaintext.xml")
 }
diff --git a/xmlenc/digest.go b/xmlenc/digest.go
index 89f10226..801347f2 100644
--- a/xmlenc/digest.go
+++ b/xmlenc/digest.go
@@ -1,7 +1,7 @@
 package xmlenc
 
 import (
-	"crypto/sha1"
+	"crypto/sha1" //nolint:gosec // required for protocol support
 	"crypto/sha256"
 	"crypto/sha512"
 	"hash"
diff --git a/xmlenc/encrypt_test.go b/xmlenc/encrypt_test.go
index a4215d72..cca38604 100644
--- a/xmlenc/encrypt_test.go
+++ b/xmlenc/encrypt_test.go
@@ -1,76 +1,35 @@
 package xmlenc
 
 import (
+	"crypto/x509"
 	"encoding/pem"
-	"fmt"
 	"math/rand"
-	"strings"
+	"testing"
 
-	"crypto/x509"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
 
 	"github.com/beevik/etree"
-	"github.com/kr/pretty"
-	. "gopkg.in/check.v1"
 )
 
-type EncryptTest struct {
-}
+func TestCanEncryptOAEP(t *testing.T) {
+	RandReader = rand.New(rand.NewSource(0)) //nolint:gosec // deterministic random numbers for tests
 
-var _ = Suite(&EncryptTest{})
-
-const (
-	testCertificate    = "-----BEGIN CERTIFICATE-----\nMIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV\nUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0\nMB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx\nCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB\nnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9\nibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH\nO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv\nRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk\nakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT\nQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn\nOwJlNCASPZRH/JmF8tX0hoHuAQ==\n-----END CERTIFICATE-----\n"
-	expectedCiphertext = `<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_e285ece1511455780875d64ee2d3d0d0">
-	<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
-	<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-		<xenc:EncryptedKey Id="_6e4ff95ff662a5eee82abdf44a2d0b75" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
-			<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
-				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
-			</xenc:EncryptionMethod>
-			<ds:KeyInfo>
-				<ds:X509Data>
-					<ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate>
-				</ds:X509Data>
-			</ds:KeyInfo>
-			<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
-				<xenc:CipherValue>R9aHQv2U2ZZSuvRaL4/X8TXpm2/1so2IiOz/+NsAzEKoLAg8Sj87Nj5oMrYY2HF5DPQm/N/3+v6wOU9dX62spTzoSWocVzQU+GdTG2DiIIiAAvQwZo1FyUDKS1Fs5voWzgKvs8G43nj68147T96sXY9SyeUBBdhQtXRsEsmKiAs=</xenc:CipherValue>
-			</xenc:CipherData>
-		</xenc:EncryptedKey>
-	</ds:KeyInfo>
-	<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
-		<xenc:CipherValue>3mv4+bRM6F/wRMax+DuOiPPgKyrbyIdtVKYfbHe1qsBdqg7puXwsg01FOxCIRNGC5214Z+vEqMlG3d/bmCd4WBUBSgg1cU6PsFBaX7qu1SU++Sa0y8Ur5jWrQPFZMt2uSHPj5hL/ZnkEDiSqSB97sDTurSiJX8xOwqjif0NVheXrgk+HTCpZngyiKVeWY7f7nNcp4uL3Pbj3CrITykiH8R+nf++q0Ip8JU2ixQyUdZnYMbf9X9a0GTov6SKV4+gCDLcGMMTiXLEAdZajE5aIdZIO1Faqo2O/oYKYOl6VsUI258cW5ACr+nRCze7RMBpRTR+V6zLcLm2N5OM9LSHiDB3STysDKgrNV5tXub3uDs1peJkeMxpn2pzxbWpdwbUwGNDf6J4y7ILRMfiqoD6/enJvj/nzS8mgiHpmZ7vYxTd3mEYRr1hzLDoEbD35uq5pJj06KbdxM12Xl1wHB7p+ftLXf51QMjePrVTs1Kxzgqd3GvhDXc1Bgwwv2B2yLsWdfdGcCAgBE4uAXJiX9Lb1CMJs1E5w6RR11WD/ZOb8ontY0mpOcUk7sjxxVHYZo8cQi0Hy495yKDxRB0KxLq1uOmi3l1pLbEL9TqER9lHAXGz6MUGV4kbmnXbi1+9JNP2ovt9aPeMBcSabpyiaUU4/W3I4F4P8TUyBH52PZRISS+/R4qcmLRGslC3WzBVcBhLvvFLk0sa/ee5dJh4Xr1jHpZ+6hjTA3IRtn0axKKbDOwuNgJtNf4JwohRlqIoxcJM7sLFW6UpdTDflLEodNdnVJQ18yItPyoeLBfVocZEvmaiXFMayOfjXEcw+mTlX8GL2EQ9i1aJ8BZ+Ao5Uf7o9RK5BZzywo32Q92XJVpoQfO+88hAz+7i7Kx2KimTkHD6htQTNuOjWgWTb6/sxvqy9vOXE2CJk0nWmnzbSymszadI6dZ5vrP+ajUJfQiWDJ5cUcNv3xqNchDIZHebiAfFBSclukbPLDcqjQe/jSQdZxY6ILhgeTmnS7o+YpIWDNO3GG3/EkS9AMX7DiNkKeGxqHwvdDLzJXLhBU6QXNfnath6JARO1M6KotFHCH+S7Q6IZELG80ujETKGaoIGaBBZR+rJgBH6lN7LI4nlarPzHGAsJjff778185dJtbchXQxiZVDHOCoC2xnwOMY6qEJRq90iFTVt0RiyO1kBgeY3CWsjpHwrWZ1O09cdK6+tm4HtXvY0lmD8/7dw58htJw6PGvuZgmhRYdUAIi3STMUAZEJ9PSEpzt/qvrkn1Btd1OFryLd4RDXOUH+MgrV4OV7hdE2IiTKHQiOqbYQMoWcGar1OJ0pmTqk9d6idut+qu6lExuOI+wQToqgkmBlp62yUfOMaC9JfdF/4LZBo+ZpIlwcMS5LXrYrm4v5kEOw62jNXaCnuHL+kE1u2D+zMkNqc3DHJhm2zkjfu+dRB1H0RXJ23mzE4uzmRJvfFROJDBqgA1KfQ+62nx2RDmNZxJ9OZS8F4Cv1ZezthZij2+LHjkq+7cOquzQr8/qwndsNW0QB7vEnK/V050urdM4AWJjnMsw17dTiX9O4qbu+OAmVFyBdk/LL2ZrcVfE9ARTgB6v1xn3NhI1Il9CV7FyMansUY5cOHL9+PYyu0wp4+Se7xbZuKxEtparw48beTmgUL3rRzSWYXLVqfTDo0XtH8yRPNaPU29b7xMJsxJAVMaay6lC+AhSRwAJ+kqLV3J5Y59Itk4cFgErWlZW2IM6kd6csicDaAek5w500jy40Sgo7k0PeW1LVDLOBq3LlZo97+7eWXPNC6LpShL8LyFp38naMbAbmcPvZN83L8xQnGhcgGGGZtoyX4MfIOEyu4cxklT5WSMrriRO1+A2kvBf5vCQGq8oB7J03n6xWY7zW1zbEgnDEeNKApyLy33rEdnVW3CH3cS2LQk6sYZNEJ4Irha+RJWw7rGRDKr6s5fXTtCb/isfIpwLpu1/KTB06+Q9aqDq7yKW7Cg1nkigeC6R36UJfCVZGVhSvDIEz7STqM3S0uGraQ/Zy21rfFW4nniVW1EROUAGeSoLqPGVHf7Ki3un2ZPKyjC7rZ5iX71L2tvtM/xXnKbneTCwmvfblzDIgCNs6JQZNUbLygGf/8uqHCyE83+6WgD9hFNibMYh2MQuFsr5BJOIahEZg9PUbtzrfwCRUyw77eVTChxVYIi5PrGbyl7Z/fukIoKCyadJ4EDbwgCTUTqNO8/9xJ1OhNxG62ohqSebAx+iz1IIlPe20iFKQq2pWOlwz2bu8I2bzqa6FwEzTWxeVUjypRahxKzVDss7+eCHMycRFRJrY0XiWtaLY7u74q1Fo/AaE61ZIwlOk8j9sYqvNvYywhta4uNEEPWsqBWzK7kYPJuHfc/wV2p8H2xc8vFVEQ1EHWyjb9yqEbBxics1ZY5ocY4ENyfUPrNJCKG7TF7i7+WyC+/ogz3/rU/zse0tExMHYU9ozdS+Yi3x46sfrSLlKBXAqAJCnbgILpaCysohzeJNhPVH2ugMypa3fPZNrBUbTnYk8FD3/Xl4O7Bk7gKI02PxiIFABCes/FDbrZSrcGOpuwK6J7Kve/8RM8Qx2b8/Ky3/XoxhnWLNy9Cix8Y5vKQQTcgBVMgAFRLPO5C8fST4JUaLok9dphn8a/NEILL/3s6jJjPCO5geU2z4fUSjaJ6I/VH52oHfHdv8ArCYqsItzWlhOaSO4iEE9ilvSU4P5cfMjU8IxS+vwqHvfTpEzKZYV/TH3kRcyPILzUK/IgiPUrCUEGYXCVDpXY1DYWFoO+raOGDnLKCS99XxLG1L3lBSSBRTpbtn1HSGbNfLk+sim5mGb1J6f58kSsrdNI8WEDu3eDoP8MwWj3i8s0aSduJzA+LIzhVHXts7jLgxlQ9JKXlHEInAxG2Cr4u9SGI5HsbeAyF+XxXcR+OdZRlm75rt8dfQEZbpPs3P/cciTSA33J/TfRN+SHBf1wrnIcUDhoo7tmnwDUZJog3qir33lQeEoEDlYV4fT4kCjsjeJamuiohpEbMtAkE27x1u+ViBBjL9xpuXsCc0sdLgRZ0m2cGXRm35ipx2ZV6Mjo2moLotrRSEl+gRt+nCtV67n7B6oE+w1YQLqE0SRUSKpR8lgqrWFR+wR0hUFyx+2ZV65Co2xbm7opfr2HUKVno1kHk4Ul6SQe0Ci29cV1FPS4BqxDB3hgBw2/HCk3cX4is1R5CZ71QZbuu2pyAOwRFYRkdYdLBC3ztC+luaKfnWoUgCMyO0Jc1Pjq8nw7BkzA7cQCPGnIJ0Vor10FX31VRgpGKLcV5iylFuR9y1XKfC/SUXSSf8IHeS9CkkWof5AS7uO/aOfRouoV0XucWM/olyqLwAWc7zLjcARk/GfeaYCASGC4NPMKiepWGrJXPp17rwyPZz9bMYMbCAibwqZskkV4CyGv9tLUfuczSCmJ8lKTxbe5QLf5qFPKnXrTdlXWYrkNILHBcWMf4MIvg13Ie5VI+5shmaBf129JpnRm54dNoHtWJFP0ep06Mqay6Z6573rGNT39xKo1zLNvAC6JHGyDwINGzN7busUmdNVq4S7BO6C5HhrV6vALFA0ufKMtGyZqlsbe3Y3RgXrS8ueW7yJxLAKwWKmkgl7n/Gv6T7nllfUTzVfenkOIVyD3QdzwZKc3RciTNPxscDiS+kZ6xPiPD8B4GHeKWIRQF5n9vnotO1UM6b9vNS+zCNTab59u64ilb95FBTZd/VgjX4Hbiz5JXp8vB8b16sNhdgFg5uq90X/ZaZSq1l2SO5HlANiJcBM44XFO8HgVph3i1qAOEOKdRkAiWF3B2fhkQosT0TObQZ0McTgA+vkV1kjRQu1MslugFq1L2hpY2iiZRglePMsDz8brtOiIE/PrAyA4X1ti1sDnzBxoT/8N1Dd1WRnf29Bm/apPdjMaH1Cw9uYrtqmdATtQklvLI7g3aHZq57JWRyC+vmxwQHGQVls00Gu9jTj5DCr+nK0qAsvFYaqJjlstm2w4iw727vjLSmvfIdcoEDOJd5mMJpHbiVQ6nsAa0dcAzzDlD13XhpT9jeYW7gh7+4Rs/ioAs3dzT3ax0lKHN61CzuzJT+31vT06JNz0hEEQVR5xz8XlFYCOG0cvvM8/H9FrCC1hHE+vuWxDZNvuAC91ZfrKRdAVU3ISrnXiia9bQ4gZTW8QZJI/rYV2LiCLY2AgC7fwjjsSlWhxQkZIxpBHZkgcDlGqchFedqQoujnEbUglZKyGdoba/oGHOimPHuQJZYDCVBFQZLn/jZGTuBvgxXPzYehG3AzSbOrZy+jWt2sYUwd1KWBnJ3BDr6zWI0S3ckLUzSBZFclYTp9VmCXgtx+OpaVamKSLPcxTU283Yr75AaSkg8G0tUvHSdIC5op3Qz0HLm5gV/zlIV+gn96n0iPAZeTqDcHdr1ePBXyA9sV0/ZHfv6XV41j2LRqnkLEy9vlCI2KPMGDmPFspxefkHDBYyN0KI76Fp+fynngudL5OYAhyDhCflQkS+DG/Hcq2lwGtn0QJq3XCq8pgAux1TLD9nHK0EQMvcvzSFxB8aXMJ49dCft+OzondzI6PLQ681ydqC75idyNlEvWmPe+elTJjd5jT+XZrzqbuGw8xicNkerA6uYm2xaoyCd9oJumadfLEV5TUjCAiUC/tXm00cNH1YolEhpGc7cH96Ge4231+oSsOAleYZtPkRASSrZJM/LWJ08aYK1KrYiURuIgK8/gxk+2J1i+YQrK8ghvk6Ahzv4CF8DMJT65ghjkciG6brlWeQlGo/hcqQ8QkA1d6p1uruy9hgZAtLXwAt/heg9wG6SYeI3brh5OkOradChXdoHGyeZVmwdkaWvUACCQx2H880FBaa9U+hsVAABcsCVL7jTi9Lvbd6G+6aB254A9yFGd6GGCOC0N6T7dSbJCG4PPLJRpxZd+TvePVQD2DTbaDf/JQhZjAEEQz5/xMTpxx9y3G3ZKhXeRfs0YK+XgLrwb5MRJaWN78GKKeRAl4cS0TdnaI5OLL6JF+icr9S6Me1E5aBy8Sj+BybNW32o+Gw0TkgitTQNI4nAuAqU9TxjzjQpqyFrRfIKjrGwmso/f0utMjeb2DpCQ7zcfNHI5aCB7qudCvE93DrZFQC/5iT8xTwPoCW0q3xvUOTPdZxbKzVH1rIn3aCuFg4e7gtW0pnMUCGGFftvdv/NhNEOSgX8EHUBpk/sHY71KqQbPCWvj8xKgStQ+SYHWfPWZHhEM1ptmjwd92h9aK4MzMzOimeRDVzCZmDH87hAjpkryYA0vhuWanqVlulq2TU10qN/DqE8YBCDoRI47spxCIjq3Y0u5c+31A9bNgfVTnv18l48odhfnBxub8a4MVyLYunz/gW2d4Y2CLgcEj4DCFgBxPDQV5DfdQ2daYvAK1GqWzDbnui4jGkcWurpQ3NYQ7RGOV1K0UTrfcyfVXqaVznh40+r2kvQI4fxwNtpf0IC5xAwWYAk3O7ohOPGPqJf43IjwWWZmOF1IJ2mXn080R5c1pyB6kthKhm7HRF+UAQ2FT/Atf5J5uVXb5+Ggf6fN8UX/7hbf66IcAvtubwLlBLxUFe12MfXWap4jBhDW2mEXnnCXcMAD4eQ8AVL9p/Td8Kycnz9k75XBnLgUtvos5CKAXgO046gv/c4sLTqXfQ+F5xfizd7OWcDspTJCeTiBQjCG035qyEJoSMuhKQF8NifGqCrMgEdFygJStS9I8iOWcIVwlLGlIekaG3lZ5+9BJSRlcVwG/5bWiX90fmaFSYXuXAXKwfmCRYf2D4NlOaAXFMKAb9lpUZuphDwQ424aPz3G2eUtT4XF6qLQYVS7tZHU449ifmSOQvvOOwSsraWSiwDbdsOtBabzEy1nGtawoBKysNAVbx0H3T8rSeSV5oaeIm4WZdIEngrozoGqqHh8/WMhZzGshVPTmBPgG/qRDnR7Bf55hFd3QKsVjh8k1lLmw4wFnLDsibAdSdkEfQe+4N+C6v4m6hSpmzniwpZYb8CI6EmWYUwV4DKfPvQ5VwAcpVxcMz49ud6jFRknFESERWoB/AVh9NHW5JPBhONgnk3r+0wuVCbhOVmiGqxko3/nSshJx94vwAOr6hjkLGpQcT4iD9TrCcMlZFUJH7FdZMtvKZBM+yyqgrvw0Km3HQyP/8tSLHiiW2EjGyD7rRhZr642LJJ4EVeRuN2FYaERYfsV7n8buyyW6Id1x9yowmKyrtM0WpnUZpJTMJhALsSLYZCkyENxqe4BwDlMf4YIZ6qquqcDxyEimSOOhn1mCOXe7AMG3P+N+wwaOyIkIOcFH2Z0U9lfUu13z9hvvBE80/AxaLe7Vxqda/9/ZCE/qKcuJ6geyPjV6Bgqa6VF8Z8exIx76p3HTQhQ7kgRB4ZVT73KHOWGKHzvko9kN4FCJUnBADwdGUifG4McUkFS2bQ3bhWoD4rsqT4jUTMg29unj1FIQx6pvMo9JwfYmR9SD0JvFsYMM1/2RGvsIvjH4/d3UQwdj4yGqQuRDcuLN6W9kgHYKm7Lxj2h4IUhAYrBz8rNTQ2cn1tavKKkbuYjOHT0APs9yGjij32Swze1cr6QF6aIzRFo8OUW/Fjo5rpeyhMnLioHzLJ/qj9Lyh2doYz92oLmbz42uLObNe3qQ0ONsQaXUlFkwZYzmPH0JcnU3fiL7uiwzDA9JJS7ZyppF4NHvWufbsSCOIBysxaPA+5S89EQ/5ETn6foFUZQRevFh/WWXEoDg/LhyRuY8MGsqbfte2RmXDC3JAWc6VmGZohutJOvMuAiydhyidbm35b8EBWt51a0tMkUfm0FDLpz5iUcIpB7VJLr2fuzeIfVLO/qVKF04w7iaEHaNNXPnU/oxHJFF+KWxkBkDz88M9QcOQd8OetMpBKny+qDIuxoAXYlPQW4zpRtLfTkLr/29j72cvi9l2XhlsRPuF2X5C4y0muk5/n5vUQ0Q/+HSczmTFS94xoVGHmR67XQnn0g5x9H4/DfclSffOjrKIzqaep7crjcnNqpxHS+T5lcVDCPg2wkp4BhuwtVYD0//4B1oM8PVb9H11q9PyxBdnWm7xFg2Xc6NIpRmWy+KtY99xiv7sSHhRGeL7gIn/Uu6HULaxspO244bxh7IzsdRKlkstaLio2V4/4MOA1vN9yE5udmA8DFdfDqVXlgBUEPjdijlp42DEVSG0UWRsvhZjhnn8JKuXw8TizkOUwgZkjaJOwtG1d/QN46+YuAIfTWqr5MG1vTKOnjZ0FRQtSfXikK0ak9hdQppkZpa0IyAcr+j9zK3cBks9yKn0GhL5UXi6yGeo/cQT8rQ2SW03cLl1NWsxmbai3MUxo6Ggr1csgquARyJIE9sV6sgDfRWYXn1T7wYOqtHZ8ZD3gIiUi+BenIzWZDkPRDOcHJHTikiVIYPRYL1nSuJEmkLYETe5WUKP/cqbnO3cgUJHqptI7YVqsFpvtVmObYPKeC5rzMfvghCfhdKF0yv2fhvmzPs4upngUMp+mH3xUDJ7aNYvL1Mk6fzu3XEkyLK9iHlkFziv5sigUSbodzhK8OSOpnFYKhpjnfNd8I9R850Pxi8SDzQeIV/Qb2pmXcmPQoOj0Kqu4QfRdjtjPe7ejBqs8CQVA6+m0WNmSTQamhMSCm9zKQWaF0HM8TfRKwW7eg26sfufjxF/sA5i5SSCRV7SrseflshAw7T/t4dS/EpZtxF5djGJiUaESC57OfC4bdOjnHiojYNupvGeZXL0FFuK2eKAUChbxMw5YNK2N+fWyBlbfnuu9qDfuyBaFYiPfPMlySYO336FWKyWpuC9ywqtIJo27HgOBhNA3zpAdfGKWnBtIAWnsp5UVIEYX/57eld1ELjqSFdA/AXBDnT2G0ic9zHbNCSvhzSAFIcQWWRIuC5pYOV2q1NU736j6lm8Rxzyp5uStWW0G/rdCsl8HhmVBfqQwf0oSnGenQ7tFnAICFL23lJKPFhuINHQTXji0YJWhC448lIJAxbm6bwi3IdTCjU+L0K9LENX5VN/qZtPwwArfs34L9Liy8o/TLax+QuBVpiy0wOyEkcLvAK5mt2atRzgAL1l1tJZeh4REwuFsTktllkL5yZAsmEcuuq0CSrx83CsaAYBwEOPudc6AERvR3d6qtzSIcQ/QIOiNhKxr2y6F8BEuOkhul+ZwF5QJ9RI2DnZDW6mx//aFHk5TZWpcTYL0xHC3tZxHdtwAR+dWWJxJ7VvwjgxAoMJ9EkujoBtJ6FFSerZDclQHbqkswcsGotW4aIZvP8jz2ELLhWrVcF+BXLQ38CQ9WpLRLaRUe+FBSaxI9GQINkwFaXbVULpkmGVrko9xxISucg1TTvGje7PuORc7dtP6q33rLcSSY5bsXRXob0rPuEl+Bid6V/FayLnDiXzwS4XJ/JfKoYB1gjoZoyLPeazRF3FZx4Ufg+o3V/+1uDI6iVEq3d3S1HAO1rg4fRpyyD2YRApoElNXIjzIZhO+LY7NvWhAvFlqT4WTvCwuWyAuMheO13ePa9EgfVKVFrWAwlSlHmYJHFFMpnr6Q3yZnbc6HmZ/j3tHpnaDPyeYNhIJhLH8DR4Bb0+E55mpqYiwMt3zH2+NVFL+z5S0ZMYbvkmQxsv1XXReQeMNntHXa4y3ndmSsRdmkcRQQYweIWc9n98smGqXabTpTuZmeZ7w6ZSbVmlJTCwYzwCNwieYPnxofeYMoyec1DeyRDZZ9oDMxkofjEfvRixvBIDdFacg5yVlvyayHgNkwRnF/HiF5S9s3Hm+6cH8M2oUEiWtCags9462tzgCW2zmegQoSaJaVOD2cn93zGPHlHRML4MPGOcCafGV2eHU/U6SFoCkHf2+RQ3gyAR6rKTvZiwQuq3wnvQv/lO/LPUYG7lP/oPSFSQR1g9El9LDuRM6RL5B8/TH2u/TaCwE1ICsZFjHA8GgOrB5z5eapeYefnPE3GWvlSaD7cwfwZILU2eYSkrqax5rjcY61y12zK0zbqYGrEuU62POLbpbMO8MO1nk57HZTSmHAEv7B9q0j8kQp3RaPy8Hde7NMytr1c5Mr5S6XzzAiXdlFS9auERgI4X6aNbapvJy0IgVjM+Apfj5TUQXfVubwpBtyP4N81nh7/wAHz55Z3j3pi6zBSeS9nrdRP1kikVHm6Pfs+NPUPIOMdvQceFMfPjXYkrWe5AXjHBBAC8jfZZ5zeQ5lWpdEGnSuR+UksczVwBsU/PBHn4ZLuiDQtX+vpRDvjrLZEHIREExy32RwFj/EeNhnioqnlNsxARpw1GCpzqMBWB5wYuasFvKN0FKg7s3CFuCqNAzJtcue81K3/dODfHi2yg2XoalUQGfporjhu5XFkKMiptnPDtrzjypz8VXC7ClvMWc2JSjeh4KlcGW3pd1Be+WQu4fp+O9ieMH5YfG9C1PsFBc1hXi68vywvU8+ImrBnYE2PdgshpjgfBgO59V+E/3iAcqedyZR+P7GG50iDBTWpFcbRa4h2T+XM7FFET1VkQdQOs2Ykfx077iY8q1RBoOvMdU/nkadS2CK4DDpna2n9kemkMPg2VyfnszFiuFZKWSZZ6ZW29VuaK/S/jxWPqEji67uYKQrC66ToGZshALYhVFihnsk+pFXh06CivzUYjTu8O0xcRs5Uqzvp1IP7W35Mo8teIsSjW/SR6B3UIdTUaIDzOtR824THvtg7Y7SW6lNV6AHbV9qiO2TMh6wCIvIFc88FPVnlah+GzXnYDVfSRgQZgL1acBSa+z83Tzkoc8OIzFTJKwwfox+H9s+DkQ5mU+qKLsVdpWs5Y9WyKEIcJyiM1b00ENoAfERrXlwY2IKyllce1gqHUcW8w+yQ7Pp7fR/O7RYRPNkGYwidUzOa10ZN5I0UMOiUhqmAbEY/fOUWZRVE1jv00742njrBJiBF0bDfvFnVKcbV/uoQnfDZsG9/6EMaIzGdHcRnBw2duVhaVvfEnI7rLtRAIKdkY8Oxt3EFKuvXwIjSaNb+YoJuC/Df6EptZxwLbJqw2byW9QH6eG8aaz+i33GZjVLPyXr4lljcowC+hR0cv7m+8BDE9vmZ66NvKzdp2a97p2p24MA4HQELDpU+jJrlio6VM2RrS9GZOyS03ihkbIzXjUPBWpV5eBo2bFBV4tDw4CvaziSaatFVHKdq+VwfcWiByoq1LaEJGgYSbVj9vZS71QDONjzER8yw0UeqKpf8OhD+chhN8b3luUBDTKE2ux9U+Z+xedxb580aILwHBRsRenHF8yAot1eyK46hZDWO0HLsBupSMDi97GwPgXmjlfDnRfq5C6yxSmwWnjqDmbxpsAgu4DxU1B8aHxGk/I</xenc:CipherValue>
-	</xenc:CipherData>
-</xenc:EncryptedData>
-`
-)
-
-func (test *EncryptTest) SetUpTest(c *C) {
-	RandReader = rand.New(rand.NewSource(0)) // deterministic random numbers for tests
-}
-
-func (test *EncryptTest) TestCanEncryptOAEP(c *C) {
-	pemBlock, _ := pem.Decode([]byte(testCertificate))
+	pemBlock, _ := pem.Decode(golden.Get(t, "cert.pem"))
 	certificate, err := x509.ParseCertificate(pemBlock.Bytes)
-	c.Assert(err, IsNil)
+	assert.Check(t, err)
 
 	e := OAEP()
 	e.BlockCipher = AES128CBC
 	e.DigestMethod = &SHA1
 
-	el, err := e.Encrypt(certificate, []byte(expectedPlaintext))
-	c.Assert(err, IsNil)
+	el, err := e.Encrypt(certificate, golden.Get(t, "plaintext.xml"))
+	assert.Check(t, err)
 
 	doc := etree.NewDocument()
 	doc.SetRoot(el)
 	doc.IndentTabs()
 	ciphertext, _ := doc.WriteToString()
 
-	//f, _ := os.Create("ciphertext.actual")
-	//f.Write([]byte(ciphertext))
-
-	diff := pretty.Diff(strings.Split(ciphertext, "\n"), strings.Split(expectedCiphertext, "\n"))
-	for _, l := range diff {
-		fmt.Println(l)
-	}
-	c.Assert(ciphertext, Equals, expectedCiphertext)
+	golden.Assert(t, ciphertext, "ciphertext.xml")
 }
diff --git a/xmlenc/fuzz_test.go b/xmlenc/fuzz_test.go
index 07a40443..5a68b2bc 100644
--- a/xmlenc/fuzz_test.go
+++ b/xmlenc/fuzz_test.go
@@ -1,16 +1,16 @@
+//go:build gofuzz
 // +build gofuzz
 
 package xmlenc
 
 import (
-	"io/ioutil"
-	"testing"
-
+	"io"
 	"strings"
+	"testing"
 )
 
 func TestPastFuzzingFailures(t *testing.T) {
-	entries, err := ioutil.ReadDir("crashers")
+	entries, err := io.ReadDir("crashers")
 	if err != nil {
 		t.Errorf("%s", err)
 		return
@@ -23,7 +23,7 @@ func TestPastFuzzingFailures(t *testing.T) {
 			continue
 		}
 		t.Logf("%s", entry.Name())
-		data, err := ioutil.ReadFile("crashers/" + entry.Name())
+		data, err := io.ReadFile("crashers/" + entry.Name())
 		if err != nil {
 			t.Errorf("%s: %s", entry.Name(), err)
 			return
diff --git a/xmlenc/pubkey.go b/xmlenc/pubkey.go
index 7ccdd6c6..72286863 100644
--- a/xmlenc/pubkey.go
+++ b/xmlenc/pubkey.go
@@ -94,7 +94,7 @@ func (e RSA) Encrypt(certificate interface{}, plaintext []byte) (*etree.Element,
 
 // Decrypt implements Decryptor. `key` must be an *rsa.PrivateKey.
 func (e RSA) Decrypt(key interface{}, ciphertextEl *etree.Element) ([]byte, error) {
-	rsaKey, err := validateRSAKey(key, ciphertextEl)
+	rsaKey, err := validateRSAKeyIfPresent(key, ciphertextEl)
 	if err != nil {
 		return nil, err
 	}
@@ -107,14 +107,15 @@ func (e RSA) Decrypt(key interface{}, ciphertextEl *etree.Element) ([]byte, erro
 	{
 		digestMethodEl := ciphertextEl.FindElement("./EncryptionMethod/DigestMethod")
 		if digestMethodEl == nil {
-			return nil, fmt.Errorf("cannot find required DigestMethod element")
+			e.DigestMethod = SHA1
+		} else {
+			hashAlgorithmStr := digestMethodEl.SelectAttrValue("Algorithm", "")
+			digestMethod, ok := digestMethods[hashAlgorithmStr]
+			if !ok {
+				return nil, ErrAlgorithmNotImplemented(hashAlgorithmStr)
+			}
+			e.DigestMethod = digestMethod
 		}
-		hashAlgorithmStr := digestMethodEl.SelectAttrValue("Algorithm", "")
-		digestMethod, ok := digestMethods[hashAlgorithmStr]
-		if !ok {
-			return nil, ErrAlgorithmNotImplemented(hashAlgorithmStr)
-		}
-		e.DigestMethod = digestMethod
 	}
 
 	return e.keyDecrypter(e, rsaKey, ciphertext)
diff --git a/xmlenc/test_data/plaintext.xml b/xmlenc/test_data/plaintext.xml
deleted file mode 100644
index 26907987..00000000
--- a/xmlenc/test_data/plaintext.xml
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<PurchaseOrder xmlns="urn:example:po">
-  <Items>
-    <Item Code="001-001-001" Quantity="1">
-      spade
-    </Item>
-    <Item Code="001-001-002" Quantity="1">
-      shovel
-    </Item>
-  </Items>
-  <ShippingAddress>
-    Dig PLC, 1 First Ave, Dublin 1, Ireland
-  </ShippingAddress>
-  <PaymentInfo>
-    <BillingAddress>
-      Dig PLC, 1 First Ave, Dublin 1, Ireland
-    </BillingAddress>
-    <CreditCard Type="Amex">
-      <Name>Foo B Baz</Name>
-      <Number>1234 567890 12345</Number>
-      <Expires Month="1" Year="2005" />
-    </CreditCard>
-  </PaymentInfo>
-</PurchaseOrder>
diff --git a/xmlenc/testdata/cert.pem b/xmlenc/testdata/cert.pem
new file mode 100644
index 00000000..cba15632
--- /dev/null
+++ b/xmlenc/testdata/cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0
+MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9
+ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmH
+O8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKv
+Rsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgk
+akpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeT
+QLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvn
+OwJlNCASPZRH/JmF8tX0hoHuAQ==
+-----END CERTIFICATE-----
diff --git a/xmlenc/testdata/ciphertext.xml b/xmlenc/testdata/ciphertext.xml
new file mode 100644
index 00000000..40d56c49
--- /dev/null
+++ b/xmlenc/testdata/ciphertext.xml
@@ -0,0 +1,21 @@
+<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_e285ece1511455780875d64ee2d3d0d0">
+	<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
+	<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+		<xenc:EncryptedKey Id="_6e4ff95ff662a5eee82abdf44a2d0b75" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
+			<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
+				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
+			</xenc:EncryptionMethod>
+			<ds:KeyInfo>
+				<ds:X509Data>
+					<ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate>
+				</ds:X509Data>
+			</ds:KeyInfo>
+			<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
+				<xenc:CipherValue>R9aHQv2U2ZZSuvRaL4/X8TXpm2/1so2IiOz/+NsAzEKoLAg8Sj87Nj5oMrYY2HF5DPQm/N/3+v6wOU9dX62spTzoSWocVzQU+GdTG2DiIIiAAvQwZo1FyUDKS1Fs5voWzgKvs8G43nj68147T96sXY9SyeUBBdhQtXRsEsmKiAs=</xenc:CipherValue>
+			</xenc:CipherData>
+		</xenc:EncryptedKey>
+	</ds:KeyInfo>
+	<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
+		<xenc:CipherValue>3mv4+bRM6F/wRMax+DuOiPPgKyrbyIdtVKYfbHe1qsBdqg7puXwsg01FOxCIRNGC5214Z+vEqMlG3d/bmCd4WBUBSgg1cU6PsFBaX7qu1SU++Sa0y8Ur5jWrQPFZMt2uSHPj5hL/ZnkEDiSqSB97sDTurSiJX8xOwqjif0NVheXrgk+HTCpZngyiKVeWY7f7nNcp4uL3Pbj3CrITykiH8R+nf++q0Ip8JU2ixQyUdZnYMbf9X9a0GTov6SKV4+gCDLcGMMTiXLEAdZajE5aIdZIO1Faqo2O/oYKYOl6VsUI258cW5ACr+nRCze7RMBpRTR+V6zLcLm2N5OM9LSHiDB3STysDKgrNV5tXub3uDs1peJkeMxpn2pzxbWpdwbUwGNDf6J4y7ILRMfiqoD6/enJvj/nzS8mgiHpmZ7vYxTd3mEYRr1hzLDoEbD35uq5pJj06KbdxM12Xl1wHB7p+ftLXf51QMjePrVTs1Kxzgqd3GvhDXc1Bgwwv2B2yLsWdfdGcCAgBE4uAXJiX9Lb1CMJs1E5w6RR11WD/ZOb8ontY0mpOcUk7sjxxVHYZo8cQi0Hy495yKDxRB0KxLq1uOmi3l1pLbEL9TqER9lHAXGz6MUGV4kbmnXbi1+9JNP2ovt9aPeMBcSabpyiaUU4/W3I4F4P8TUyBH52PZRISS+/R4qcmLRGslC3WzBVcBhLvvFLk0sa/ee5dJh4Xr1jHpZ+6hjTA3IRtn0axKKbDOwuNgJtNf4JwohRlqIoxcJM7sLFW6UpdTDflLEodNdnVJQ18yItPyoeLBfVocZEvmaiXFMayOfjXEcw+mTlX8GL2EQ9i1aJ8BZ+Ao5Uf7o9RK5BZzywo32Q92XJVpoQfO+88hAz+7i7Kx2KimTkHD6htQTNuOjWgWTb6/sxvqy9vOXE2CJk0nWmnzbSymszadI6dZ5vrP+ajUJfQiWDJ5cUcNv3xqNchDIZHebiAfFBSclukbPLDcqjQe/jSQdZxY6ILhgeTmnS7o+YpIWDNO3GG3/EkS9AMX7DiNkKeGxqHwvdDLzJXLhBU6QXNfnath6JARO1M6KotFHCH+S7Q6IZELG80ujETKGaoIGaBBZR+rJgBH6lN7LI4nlarPzHGAsJjff778185dJtbchXQxiZVDHOCoC2xnwOMY6qEJRq90iFTVt0RiyO1kBgeY3CWsjpHwrWZ1O09cdK6+tm4HtXvY0lmD8/7dw58htJw6PGvuZgmhRYdUAIi3STMUAZEJ9PSEpzt/qvrkn1Btd1OFryLd4RDXOUH+MgrV4OV7hdE2IiTKHQiOqbYQMoWcGar1OJ0pmTqk9d6idut+qu6lExuOI+wQToqgkmBlp62yUfOMaC9JfdF/4LZBo+ZpIlwcMS5LXrYrm4v5kEOw62jNXaCnuHL+kE1u2D+zMkNqc3DHJhm2zkjfu+dRB1H0RXJ23mzE4uzmRJvfFROJDBqgA1KfQ+62nx2RDmNZxJ9OZS8F4Cv1ZezthZij2+LHjkq+7cOquzQr8/qwndsNW0QB7vEnK/V050urdM4AWJjnMsw17dTiX9O4qbu+OAmVFyBdk/LL2ZrcVfE9ARTgB6v1xn3NhI1Il9CV7FyMansUY5cOHL9+PYyu0wp4+Se7xbZuKxEtparw48beTmgUL3rRzSWYXLVqfTDo0XtH8yRPNaPU29b7xMJsxJAVMaay6lC+AhSRwAJ+kqLV3J5Y59Itk4cFgErWlZW2IM6kd6csicDaAek5w500jy40Sgo7k0PeW1LVDLOBq3LlZo97+7eWXPNC6LpShL8LyFp38naMbAbmcPvZN83L8xQnGhcgGGGZtoyX4MfIOEyu4cxklT5WSMrriRO1+A2kvBf5vCQGq8oB7J03n6xWY7zW1zbEgnDEeNKApyLy33rEdnVW3CH3cS2LQk6sYZNEJ4Irha+RJWw7rGRDKr6s5fXTtCb/isfIpwLpu1/KTB06+Q9aqDq7yKW7Cg1nkigeC6R36UJfCVZGVhSvDIEz7STqM3S0uGraQ/Zy21rfFW4nniVW1EROUAGeSoLqPGVHf7Ki3un2ZPKyjC7rZ5iX71L2tvtM/xXnKbneTCwmvfblzDIgCNs6JQZNUbLygGf/8uqHCyE83+6WgD9hFNibMYh2MQuFsr5BJOIahEZg9PUbtzrfwCRUyw77eVTChxVYIi5PrGbyl7Z/fukIoKCyadJ4EDbwgCTUTqNO8/9xJ1OhNxG62ohqSebAx+iz1IIlPe20iFKQq2pWOlwz2bu8I2bzqa6FwEzTWxeVUjypRahxKzVDss7+eCHMycRFRJrY0XiWtaLY7u74q1Fo/AaE61ZIwlOk8j9sYqvNvYywhta4uNEEPWsqBWzK7kYPJuHfc/wV2p8H2xc8vFVEQ1EHWyjb9yqEbBxics1ZY5ocY4ENyfUPrNJCKG7TF7i7+WyC+/ogz3/rU/zse0tExMHYU9ozdS+Yi3x46sfrSLlKBXAqAJCnbgILpaCysohzeJNhPVH2ugMypa3fPZNrBUbTnYk8FD3/Xl4O7Bk7gKI02PxiIFABCes/FDbrZSrcGOpuwK6J7Kve/8RM8Qx2b8/Ky3/XoxhnWLNy9Cix8Y5vKQQTcgBVMgAFRLPO5C8fST4JUaLok9dphn8a/NEILL/3s6jJjPCO5geU2z4fUSjaJ6I/VH52oHfHdv8ArCYqsItzWlhOaSO4iEE9ilvSU4P5cfMjU8IxS+vwqHvfTpEzKZYV/TH3kRcyPILzUK/IgiPUrCUEGYXCVDpXY1DYWFoO+raOGDnLKCS99XxLG1L3lBSSBRTpbtn1HSGbNfLk+sim5mGb1J6f58kSsrdNI8WEDu3eDoP8MwWj3i8s0aSduJzA+LIzhVHXts7jLgxlQ9JKXlHEInAxG2Cr4u9SGI5HsbeAyF+XxXcR+OdZRlm75rt8dfQEZbpPs3P/cciTSA33J/TfRN+SHBf1wrnIcUDhoo7tmnwDUZJog3qir33lQeEoEDlYV4fT4kCjsjeJamuiohpEbMtAkE27x1u+ViBBjL9xpuXsCc0sdLgRZ0m2cGXRm35ipx2ZV6Mjo2moLotrRSEl+gRt+nCtV67n7B6oE+w1YQLqE0SRUSKpR8lgqrWFR+wR0hUFyx+2ZV65Co2xbm7opfr2HUKVno1kHk4Ul6SQe0Ci29cV1FPS4BqxDB3hgBw2/HCk3cX4is1R5CZ71QZbuu2pyAOwRFYRkdYdLBC3ztC+luaKfnWoUgCMyO0Jc1Pjq8nw7BkzA7cQCPGnIJ0Vor10FX31VRgpGKLcV5iylFuR9y1XKfC/SUXSSf8IHeS9CkkWof5AS7uO/aOfRouoV0XucWM/olyqLwAWc7zLjcARk/GfeaYCASGC4NPMKiepWGrJXPp17rwyPZz9bMYMbCAibwqZskkV4CyGv9tLUfuczSCmJ8lKTxbe5QLf5qFPKnXrTdlXWYrkNILHBcWMf4MIvg13Ie5VI+5shmaBf129JpnRm54dNoHtWJFP0ep06Mqay6Z6573rGNT39xKo1zLNvAC6JHGyDwINGzN7busUmdNVq4S7BO6C5HhrV6vALFA0ufKMtGyZqlsbe3Y3RgXrS8ueW7yJxLAKwWKmkgl7n/Gv6T7nllfUTzVfenkOIVyD3QdzwZKc3RciTNPxscDiS+kZ6xPiPD8B4GHeKWIRQF5n9vnotO1UM6b9vNS+zCNTab59u64ilb95FBTZd/VgjX4Hbiz5JXp8vB8b16sNhdgFg5uq90X/ZaZSq1l2SO5HlANiJcBM44XFO8HgVph3i1qAOEOKdRkAiWF3B2fhkQosT0TObQZ0McTgA+vkV1kjRQu1MslugFq1L2hpY2iiZRglePMsDz8brtOiIE/PrAyA4X1ti1sDnzBxoT/8N1Dd1WRnf29Bm/apPdjMaH1Cw9uYrtqmdATtQklvLI7g3aHZq57JWRyC+vmxwQHGQVls00Gu9jTj5DCr+nK0qAsvFYaqJjlstm2w4iw727vjLSmvfIdcoEDOJd5mMJpHbiVQ6nsAa0dcAzzDlD13XhpT9jeYW7gh7+4Rs/ioAs3dzT3ax0lKHN61CzuzJT+31vT06JNz0hEEQVR5xz8XlFYCOG0cvvM8/H9FrCC1hHE+vuWxDZNvuAC91ZfrKRdAVU3ISrnXiia9bQ4gZTW8QZJI/rYV2LiCLY2AgC7fwjjsSlWhxQkZIxpBHZkgcDlGqchFedqQoujnEbUglZKyGdoba/oGHOimPHuQJZYDCVBFQZLn/jZGTuBvgxXPzYehG3AzSbOrZy+jWt2sYUwd1KWBnJ3BDr6zWI0S3ckLUzSBZFclYTp9VmCXgtx+OpaVamKSLPcxTU283Yr75AaSkg8G0tUvHSdIC5op3Qz0HLm5gV/zlIV+gn96n0iPAZeTqDcHdr1ePBXyA9sV0/ZHfv6XV41j2LRqnkLEy9vlCI2KPMGDmPFspxefkHDBYyN0KI76Fp+fynngudL5OYAhyDhCflQkS+DG/Hcq2lwGtn0QJq3XCq8pgAux1TLD9nHK0EQMvcvzSFxB8aXMJ49dCft+OzondzI6PLQ681ydqC75idyNlEvWmPe+elTJjd5jT+XZrzqbuGw8xicNkerA6uYm2xaoyCd9oJumadfLEV5TUjCAiUC/tXm00cNH1YolEhpGc7cH96Ge4231+oSsOAleYZtPkRASSrZJM/LWJ08aYK1KrYiURuIgK8/gxk+2J1i+YQrK8ghvk6Ahzv4CF8DMJT65ghjkciG6brlWeQlGo/hcqQ8QkA1d6p1uruy9hgZAtLXwAt/heg9wG6SYeI3brh5OkOradChXdoHGyeZVmwdkaWvUACCQx2H880FBaa9U+hsVAABcsCVL7jTi9Lvbd6G+6aB254A9yFGd6GGCOC0N6T7dSbJCG4PPLJRpxZd+TvePVQD2DTbaDf/JQhZjAEEQz5/xMTpxx9y3G3ZKhXeRfs0YK+XgLrwb5MRJaWN78GKKeRAl4cS0TdnaI5OLL6JF+icr9S6Me1E5aBy8Sj+BybNW32o+Gw0TkgitTQNI4nAuAqU9TxjzjQpqyFrRfIKjrGwmso/f0utMjeb2DpCQ7zcfNHI5aCB7qudCvE93DrZFQC/5iT8xTwPoCW0q3xvUOTPdZxbKzVH1rIn3aCuFg4e7gtW0pnMUCGGFftvdv/NhNEOSgX8EHUBpk/sHY71KqQbPCWvj8xKgStQ+SYHWfPWZHhEM1ptmjwd92h9aK4MzMzOimeRDVzCZmDH87hAjpkryYA0vhuWanqVlulq2TU10qN/DqE8YBCDoRI47spxCIjq3Y0u5c+31A9bNgfVTnv18l48odhfnBxub8a4MVyLYunz/gW2d4Y2CLgcEj4DCFgBxPDQV5DfdQ2daYvAK1GqWzDbnui4jGkcWurpQ3NYQ7RGOV1K0UTrfcyfVXqaVznh40+r2kvQI4fxwNtpf0IC5xAwWYAk3O7ohOPGPqJf43IjwWWZmOF1IJ2mXn080R5c1pyB6kthKhm7HRF+UAQ2FT/Atf5J5uVXb5+Ggf6fN8UX/7hbf66IcAvtubwLlBLxUFe12MfXWap4jBhDW2mEXnnCXcMAD4eQ8AVL9p/Td8Kycnz9k75XBnLgUtvos5CKAXgO046gv/c4sLTqXfQ+F5xfizd7OWcDspTJCeTiBQjCG035qyEJoSMuhKQF8NifGqCrMgEdFygJStS9I8iOWcIVwlLGlIekaG3lZ5+9BJSRlcVwG/5bWiX90fmaFSYXuXAXKwfmCRYf2D4NlOaAXFMKAb9lpUZuphDwQ424aPz3G2eUtT4XF6qLQYVS7tZHU449ifmSOQvvOOwSsraWSiwDbdsOtBabzEy1nGtawoBKysNAVbx0H3T8rSeSV5oaeIm4WZdIEngrozoGqqHh8/WMhZzGshVPTmBPgG/qRDnR7Bf55hFd3QKsVjh8k1lLmw4wFnLDsibAdSdkEfQe+4N+C6v4m6hSpmzniwpZYb8CI6EmWYUwV4DKfPvQ5VwAcpVxcMz49ud6jFRknFESERWoB/AVh9NHW5JPBhONgnk3r+0wuVCbhOVmiGqxko3/nSshJx94vwAOr6hjkLGpQcT4iD9TrCcMlZFUJH7FdZMtvKZBM+yyqgrvw0Km3HQyP/8tSLHiiW2EjGyD7rRhZr642LJJ4EVeRuN2FYaERYfsV7n8buyyW6Id1x9yowmKyrtM0WpnUZpJTMJhALsSLYZCkyENxqe4BwDlMf4YIZ6qquqcDxyEimSOOhn1mCOXe7AMG3P+N+wwaOyIkIOcFH2Z0U9lfUu13z9hvvBE80/AxaLe7Vxqda/9/ZCE/qKcuJ6geyPjV6Bgqa6VF8Z8exIx76p3HTQhQ7kgRB4ZVT73KHOWGKHzvko9kN4FCJUnBADwdGUifG4McUkFS2bQ3bhWoD4rsqT4jUTMg29unj1FIQx6pvMo9JwfYmR9SD0JvFsYMM1/2RGvsIvjH4/d3UQwdj4yGqQuRDcuLN6W9kgHYKm7Lxj2h4IUhAYrBz8rNTQ2cn1tavKKkbuYjOHT0APs9yGjij32Swze1cr6QF6aIzRFo8OUW/Fjo5rpeyhMnLioHzLJ/qj9Lyh2doYz92oLmbz42uLObNe3qQ0ONsQaXUlFkwZYzmPH0JcnU3fiL7uiwzDA9JJS7ZyppF4NHvWufbsSCOIBysxaPA+5S89EQ/5ETn6foFUZQRevFh/WWXEoDg/LhyRuY8MGsqbfte2RmXDC3JAWc6VmGZohutJOvMuAiydhyidbm35b8EBWt51a0tMkUfm0FDLpz5iUcIpB7VJLr2fuzeIfVLO/qVKF04w7iaEHaNNXPnU/oxHJFF+KWxkBkDz88M9QcOQd8OetMpBKny+qDIuxoAXYlPQW4zpRtLfTkLr/29j72cvi9l2XhlsRPuF2X5C4y0muk5/n5vUQ0Q/+HSczmTFS94xoVGHmR67XQnn0g5x9H4/DfclSffOjrKIzqaep7crjcnNqpxHS+T5lcVDCPg2wkp4BhuwtVYD0//4B1oM8PVb9H11q9PyxBdnWm7xFg2Xc6NIpRmWy+KtY99xiv7sSHhRGeL7gIn/Uu6HULaxspO244bxh7IzsdRKlkstaLio2V4/4MOA1vN9yE5udmA8DFdfDqVXlgBUEPjdijlp42DEVSG0UWRsvhZjhnn8JKuXw8TizkOUwgZkjaJOwtG1d/QN46+YuAIfTWqr5MG1vTKOnjZ0FRQtSfXikK0ak9hdQppkZpa0IyAcr+j9zK3cBks9yKn0GhL5UXi6yGeo/cQT8rQ2SW03cLl1NWsxmbai3MUxo6Ggr1csgquARyJIE9sV6sgDfRWYXn1T7wYOqtHZ8ZD3gIiUi+BenIzWZDkPRDOcHJHTikiVIYPRYL1nSuJEmkLYETe5WUKP/cqbnO3cgUJHqptI7YVqsFpvtVmObYPKeC5rzMfvghCfhdKF0yv2fhvmzPs4upngUMp+mH3xUDJ7aNYvL1Mk6fzu3XEkyLK9iHlkFziv5sigUSbodzhK8OSOpnFYKhpjnfNd8I9R850Pxi8SDzQeIV/Qb2pmXcmPQoOj0Kqu4QfRdjtjPe7ejBqs8CQVA6+m0WNmSTQamhMSCm9zKQWaF0HM8TfRKwW7eg26sfufjxF/sA5i5SSCRV7SrseflshAw7T/t4dS/EpZtxF5djGJiUaESC57OfC4bdOjnHiojYNupvGeZXL0FFuK2eKAUChbxMw5YNK2N+fWyBlbfnuu9qDfuyBaFYiPfPMlySYO336FWKyWpuC9ywqtIJo27HgOBhNA3zpAdfGKWnBtIAWnsp5UVIEYX/57eld1ELjqSFdA/AXBDnT2G0ic9zHbNCSvhzSAFIcQWWRIuC5pYOV2q1NU736j6lm8Rxzyp5uStWW0G/rdCsl8HhmVBfqQwf0oSnGenQ7tFnAICFL23lJKPFhuINHQTXji0YJWhC448lIJAxbm6bwi3IdTCjU+L0K9LENX5VN/qZtPwwArfs34L9Liy8o/TLax+QuBVpiy0wOyEkcLvAK5mt2atRzgAL1l1tJZeh4REwuFsTktllkL5yZAsmEcuuq0CSrx83CsaAYBwEOPudc6AERvR3d6qtzSIcQ/QIOiNhKxr2y6F8BEuOkhul+ZwF5QJ9RI2DnZDW6mx//aFHk5TZWpcTYL0xHC3tZxHdtwAR+dWWJxJ7VvwjgxAoMJ9EkujoBtJ6FFSerZDclQHbqkswcsGotW4aIZvP8jz2ELLhWrVcF+BXLQ38CQ9WpLRLaRUe+FBSaxI9GQINkwFaXbVULpkmGVrko9xxISucg1TTvGje7PuORc7dtP6q33rLcSSY5bsXRXob0rPuEl+Bid6V/FayLnDiXzwS4XJ/JfKoYB1gjoZoyLPeazRF3FZx4Ufg+o3V/+1uDI6iVEq3d3S1HAO1rg4fRpyyD2YRApoElNXIjzIZhO+LY7NvWhAvFlqT4WTvCwuWyAuMheO13ePa9EgfVKVFrWAwlSlHmYJHFFMpnr6Q3yZnbc6HmZ/j3tHpnaDPyeYNhIJhLH8DR4Bb0+E55mpqYiwMt3zH2+NVFL+z5S0ZMYbvkmQxsv1XXReQeMNntHXa4y3ndmSsRdmkcRQQYweIWc9n98smGqXabTpTuZmeZ7w6ZSbVmlJTCwYzwCNwieYPnxofeYMoyec1DeyRDZZ9oDMxkofjEfvRixvBIDdFacg5yVlvyayHgNkwRnF/HiF5S9s3Hm+6cH8M2oUEiWtCags9462tzgCW2zmegQoSaJaVOD2cn93zGPHlHRML4MPGOcCafGV2eHU/U6SFoCkHf2+RQ3gyAR6rKTvZiwQuq3wnvQv/lO/LPUYG7lP/oPSFSQR1g9El9LDuRM6RL5B8/TH2u/TaCwE1ICsZFjHA8GgOrB5z5eapeYefnPE3GWvlSaD7cwfwZILU2eYSkrqax5rjcY61y12zK0zbqYGrEuU62POLbpbMO8MO1nk57HZTSmHAEv7B9q0j8kQp3RaPy8Hde7NMytr1c5Mr5S6XzzAiXdlFS9auERgI4X6aNbapvJy0IgVjM+Apfj5TUQXfVubwpBtyP4N81nh7/wAHz55Z3j3pi6zBSeS9nrdRP1kikVHm6Pfs+NPUPIOMdvQceFMfPjXYkrWe5AXjHBBAC8jfZZ5zeQ5lWpdEGnSuR+UksczVwBsU/PBHn4ZLuiDQtX+vpRDvjrLZEHIREExy32RwFj/EeNhnioqnlNsxARpw1GCpzqMBWB5wYuasFvKN0FKg7s3CFuCqNAzJtcue81K3/dODfHi2yg2XoalUQGfporjhu5XFkKMiptnPDtrzjypz8VXC7ClvMWc2JSjeh4KlcGW3pd1Be+WQu4fp+O9ieMH5YfG9C1PsFBc1hXi68vywvU8+ImrBnYE2PdgshpjgfBgO59V+E/3iAcqedyZR+P7GG50iDBTWpFcbRa4h2T+XM7FFET1VkQdQOs2Ykfx077iY8q1RBoOvMdU/nkadS2CK4DDpna2n9kemkMPg2VyfnszFiuFZKWSZZ6ZW29VuaK/S/jxWPqEji67uYKQrC66ToGZshALYhVFihnsk+pFXh06CivzUYjTu8O0xcRs5Uqzvp1IP7W35Mo8teIsSjW/SR6B3UIdTUaIDzOtR824THvtg7Y7SW6lNV6AHbV9qiO2TMh6wCIvIFc88FPVnlah+GzXnYDVfSRgQZgL1acBSa+z83Tzkoc8OIzFTJKwwfox+H9s+DkQ5mU+qKLsVdpWs5Y9WyKEIcJyiM1b00ENoAfERrXlwY2IKyllce1gqHUcW8w+yQ7Pp7fR/O7RYRPNkGYwidUzOa10ZN5I0UMOiUhqmAbEY/fOUWZRVE1jv00742njrBJiBF0bDfvFnVKcbV/uoQnfDZsG9/6EMaIzGdHcRnBw2duVhaVvfEnI7rLtRAIKdkY8Oxt3EFKuvXwIjSaNb+YoJuC/Df6EptZxwLbJqw2byW9QH6eG8aaz+i33GZjVLPyXr4lljcowC+hR0cv7m+8BDE9vmZ66NvKzdp2a97p2p24MA4HQELDpU+jJrlio6VM2RrS9GZOyS03ihkbIzXjUPBWpV5eBo2bFBV4tDw4CvaziSaatFVHKdq+VwfcWiByoq1LaEJGgYSbVj9vZS71QDONjzER8yw0UeqKpf8OhD+chhN8b3luUBDTKE2ux9U+Z+xedxb580aILwHBRsRenHF8yAot1eyK46hZDWO0HLsBupSMDi97GwPgXmjlfDnRfq5C6yxSmwWnjqDmbxpsAgu4DxU1B8aHxGk/I</xenc:CipherValue>
+	</xenc:CipherData>
+</xenc:EncryptedData>
diff --git a/xmlenc/test_data/encrypt-data-aes128-cbc.data b/xmlenc/testdata/encrypt-data-aes128-cbc.data
similarity index 100%
rename from xmlenc/test_data/encrypt-data-aes128-cbc.data
rename to xmlenc/testdata/encrypt-data-aes128-cbc.data
diff --git a/xmlenc/test_data/encrypt-data-aes128-cbc.xml b/xmlenc/testdata/encrypt-data-aes128-cbc.xml
similarity index 100%
rename from xmlenc/test_data/encrypt-data-aes128-cbc.xml
rename to xmlenc/testdata/encrypt-data-aes128-cbc.xml
diff --git a/xmlenc/testdata/input.xml b/xmlenc/testdata/input.xml
new file mode 100644
index 00000000..d5bb6a14
--- /dev/null
+++ b/xmlenc/testdata/input.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://15661444.ngrok.io/saml2/acs" ID="_e9b3332eeaf348da6786aed16300aca9" InResponseTo="id-9e61753d64e928af5a7a341a97f420c9" IssueInstant="2015-12-01T01:56:21.375Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_dab0b1dbbc0595ab06473034e3bb798c" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_dd9264352cef16103cdb21fae97fa951" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoX
+DTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28x
+EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308
+kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTv
+SPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gf
+nqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90Dv
+TLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+
+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>i/wh2ubXbhTH5W3hwc5VEf4DH1xifeTuxoe64ULopGJ0M0XxBKgDEIfTg59JUMmDYB4L8UStTFfqJk9BRGcMeYWVfckn5gCwLptD9cz26irw+7Ud7MIorA7z68v8rEyzwagKjz8VKvX1afgec0wobVTNN3M1Bn+SOyMhAu+Z4tE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>a6PZohc8i16b2HG5irLqbzAt8zMI6OAjBprhcDb+w6zvjU2Pi9KgGRBAESLKmVfBR0Nf6C/cjozCGyelfVMtx9toIV1C3jtanoI45hq2EZZVprKMKGdCsAbXbhwYrd06QyGYvLjTn9iqako6+ifxtoFHJOkhMQShDMv8l3p5n36iFrJ4kUT3pSOIl4a479INcayp2B4u9MVJybvN7iqp/5dMEG5ZLRCmtczfo6NsUmu+bmT7O/Xs0XeDmqICrfI3TTLzKSOb8r0iZOaii5qjfTALDQ10hlqxV4fgd51FFGG7eHr+HHD+FT6Q9vhNjKd+4UVT2LZlaEiMw888vyBKtfl6gTsuJbln0fHRPmOGYeoJlAdfpukhxqTbgdzOke2NY5VLw72ieUWREAEdVXBolrzbSaafumQGuW7c8cjLCDPOlaYIvWsQzQOp5uL5mw4y4S7yNPtTAa5czcf+xgw4MGatcWeDFv0gMTlnBAGIT+QNLK/+idRSpnYwjPO407UNNa2HSX3QpZsutbxyskqvuMgp08DcI2+7+NrTXtQjR5knhCwRNkGTOqVxEBD6uExSjbLBbFmd4jgKn73SqHStk0wCkKatxbZMD8YosTu9mrU2wuWacZ1GFRMlk28oaeXl9qUDnqBwZ5EoxT/jDjWIMWw9b40InvZK6kKzn+v3BSGKqzq2Ecj9yxE7u5/51NC+tFyZiN2J9Lu9yehvW46xRrqFWqCyioFza5bw1yd3bzkuMMpd6UvsZPHKvWwap3+O6ngc8bMBBCLltJVOaTn/cBGsUvoARY6Rfftsx7BamrfGURd8vqq+AI6Z1OC8N3bcRCymIzw0nXdbUSqhKWwbw6P2szvAB6kCdu4+C3Bo01CEQyerCCbpfn/cZ+rPsBVlGdBOLl5eCW8oJOODruYgSRshrTnDffLQprxCddj7vSnFbVHirU8a0KwpCVCdAAL9nKppTHs0Mq2YaiMDo8mFvx+3kan/IBnJSOVL19vdLfHDbZqVh7UVFtiuWv3T15BoiefDdF/aR5joN0zRWf8l6IYcjBOskk/xgxOZhZzbJl8DcgTawD8giJ31SJ1NoOqgrSD4wBHGON4mInHkO0X5+vw1jVNPGF3BwHw0kxoCT3ZKdSsi8O4tlf1y227cf794AGnyQe13O032jYgOmM5qNkET6PyfkyD/h0ufgQq2vJvxSOiRv76Kdg0SeRuNPW9MyjO/5APHl7tBlDBEVq+LWDHl4g9h/bw+Fsi0WN4pLN1Yv9RANWpIsXWyvxTWIZHTuZEjNbHqFKpsefx/oY1b9cSzKR5fQ9vc32e17WykL0O7pwpzV6TrFN874GdmW5lG5zfqnRHUQh1aV2WwBJ74mB4tv/y5rmRjTe5h/rN90kN+eQGeR3eG7XUHLhK/yCV+xq8KKPxNZexcdHGA905rvYokbtmr/jIN5kAMBdlOU8akPAZdSMMh+g/RZo5MO50/gdg6MTpB4onU2FBd54FNDp2fuBUxBsnTqpZXkDcAPEfSBr+z2l8jTRmxMricWyeC55ILgxM4er68n0xYjwb2jyQum3IQq7TSYYU/qjNiH1fQBtdRmBkzXJYYk+9q7C6OZJUdR96ERnTIi93NaYmtpSEvZU9vS6MV1VBOnEf8UzUUT9ibMpP9XDSINX7dN24rKIufSY+3+70orQB07XOWp6++SWKgA+WThaoPhp8sWWMeSZuda/wq6jdVTAB8FOPiP3lNl0BqxagQEPmNxDWXwTplSFSR3SP0e4sHMSjLvysibV9Z87LZa1FG0cWU2hrhiyOLsIWMnd4vdTLaWjhXuGlrDShxSAiI39wsl5RB59E+DXVSTBQAoAkHCKGK69YiMKU9K8K/LeodApgw46oPL08EWvleKPCbdTyjKUADtxfAujR84GMEUz9Aml4Q497MfvABQOW6Hwg54Z3UbwLczDCOZyK1wIwZTyS9w3eTH/6EBeyzhtt4G2e/60jkywHOKn17wQgww2ZsDcukdsCMfo4FV0NzfhSER8BdL+hdLJS3R1F/Vf4aRBEuOuycv2AqB1ZqHhcjZh7yDv0RpBvn3+2rzfzmYIBlqL16d1aBnvL4C03I0J59AtXN9WlfJ8SlJhrduW/PF4pSCAQEyHGprP9hVhaXCOUuXCbjA2FI57NkxALQ2HpCVpXKGw0qO0rYxRYIRlKTl43VFcrSGJdVYOFUk0ZV3b+k+KoxLVSgBjIUWxio/tvVgUYDZsO3M3x0I+0r9xlWZSFFmhwdOFouD+Xy1NPTmgwlUXqZ4peyIE1oVntpcrTJuev2jNScXbU9PG8b589GM4Z09KS/fAyytTFKmUpBuTme969qu0eA7/kBSHAkKvbfj0hsrbkkF9y/rXi8xgcMXNgYayW8MHEhm506AyPIvJAreZL637/BENO1ABdWS1Enj/uGaLM1ED8UY94boh/lMhqa9jALgEOHHxspavexi3HIFwJ55s4ocQnjb4p6op4CRPUdPCfli5st9m3NtQoH9kT1FTRZa9sG8Ybhey5wP17YgPIg9ZZtvlvpSTwCwZxHZ348wXJWhbtId9DyOcIzsyK5HaJcRsp8SQVR5nbRW0pUyC/bFAtX1KOGJmtro/QfmnLG9ksuaZvxP6+bH1K+CibEFIRDllAUFFPiuT+2b3Yp3Tu1VvXokMAgmcB5iFDgTAglw5meJYJ99uIBmj0EVZm8snMhRrHjMPTAYD5kwPK/YDShPFFV3XEIFzLD3iYrzb7sub/Z4gTTELWzzS3bCpYPAh4KWeTih+p7Xj0Xf04nSONHZXsQnNenc+PNae+Zj5iCfJ/PpqhMn61n/YBP7gipYYEtOZYzDtvMz+mytYRUOaZTq3W4Wp64f+XVekn49CLarLm6qPyiz5kJwaT8lJ+VEZDPpS/ChLM4eq90GogJBvK0jxmQ1AGvnKpV2lw9XCudf3PXbaTb+r2QPcihKnmqcEgPgYlN8VLclicNW1WyjBJ+HvDTQPbs1r1/KnBK4O5HTT6ehuHpJsYlBN9vzjsD+ov6SRkBqiGPUg9CoKKmWS6dirxwOXi3OUFzkWFVDyDezfkJAzqkmG0nlEGb9mTHdVDfX010bPJ4ZQzQSyHp7Ht2mATyQwOEem2AMB/RpNwlOKXWIdsQ5p3dHF+kmsJHI8xjEv2GeUa/aXX3MF3fPfUA7La8J8fbnaDLbnEqMCLMfdfc9+kY7EKyqPiE5KFpF0EhQBrHl8SiPuFQCoxvlH2u+ujncW7Z5JiBmMKUWOXUHhIe4NckP1awRsEcfhEs664DqOp9CbLwTXk71hHVBtINylFcf7uBZwjxNW+hCfZEoVEjjs/V4J9QeXCxpTu5TcXxBxwN5zBdkCodNFPLUg+3UicaykaH0+wrGoTu/ugjF9rz7OezMMs3pep+bzLp+yZbFAL/z/yATY3UG+lpk6Rw4SkjbnAxBSedaEdqbotddkGzVQubHvHqCiKpkAw58rAa2v15hc+UmkrRFslS8SYxTIPXs2sTNhnCCrUn8nlKufeoAm65vgYtEQ4NzmG9tqKtTeBfZAvSToYaiQq+kPii1ssuu1OULAVuSx8x/CYO6orgX7h5wI0R/Ug1nux7cb2/+pFLbNyGvwKf1TLym2NvFMJpvFlTsOJJ4DxXM/v2JkC9umm93quXLsojx7KTEOFDQLsnMKsVo6ZzRQidEwK5gQPyZL1yjGirJcEuGMAEf6LA2AsKIIZhsMEPlLpzMiVo5Y0LoL6NFsXigceLaaJMEMuYNJJdh+uxyfW57+PoQ7V8KkzSHFsKan14GnpWeOV7r13uopwCPeIsEKUVG77ypd+ILQkbKxH2lQdsFyjpofqkbgEVM5XAnVbdhfwyebNHn5OJtadVkOMcJc/WMWJef1idcSfvP5ENkwp3pKg9Ljoi+hU2Chp1vTmksO2HJt0of4QnQ8jGlcqnOrAMiWUCd2W/8AmhRBjevt3UqxnqELVvg+HJPlyqFyuUlDxx25mXEdW0COpA3s9OlSgcMjvQbIJ42NUhGFZLoK1pvPLZo711w2Ex3Lm5qqcr/7I4+vTntd/Id5aJiP18LQpslTy614Wd4eD8+RfjEtmDAPXhgvfekVkS/rDnI/9H0k3AdHc78fJCJRPNwJrDTozzjxTvmVv9r4MtpoDELmnMxb3o7ZibUMxgptCTyDF+Q5m6T3GeD9G5ehgB3Tqsx3gcUGuDtP6KIqMGbj8YCFt8tjihDctYFAXj4AwPnIjMiI4T7skXwfrBLWCKfN1j5XrIn2paQgKln9hvaiRUpNpD3IXVyFl1WNrb21IcRinfkuCtrP2tTHqct6eSEh8sOzRkvZEArBQYD5paYyuNBcbVtsnl6PNE+DIcSIGvCVnzpMw1BeUExvQZoNdpHwhTQ3FSd1XN1nt0EWx6lve0Azl/zJBhj5hTdCd2RHdJWDtCZdOwWy/G+4dx3hEed0x6SoopOYdt5bq3lW+Ol0mbRzr1QJnuvt8FYjIfL8cIBqidkTpDjyh6V88yg1DNHDOBBqUz8IqOJ//vY0bmQMJp9gb+05UDW7u/Oe4gGIODQlswv534KF2DcaXW9OB7JQyl6f5+O8W6+zBYZ6DAL+J2vtf3CWKSZFomTwu65vrVaLRmTXIIBjQmZEUxWVeC4xN+4Cj5ORvO8GwzoePGDvqwKzrKoupSjqkL5eKqMpCLouOn8n/x5UWtHQS1NlKgMDFhRObzKMqQhS1S4mz84F3L492GFAlie0xRhywnF+FvAkm+ZIRO0UqM4IwvUXdlqTajjmUz2T0+eXKTKTR5UoNRgP51gdUMT5A4ggT5wU9WkRx7CR9KdWJwwcWzv2YrchoHIXBidQSk+f1ZSzqR7krKSOwFTVJUvEenU17qVaHoAf2he0dMgURJ8PM9JxnSr7p2pZeNPu/O5oPmLuOCmEPVRPSahJL7yj9PK5z3q57e5POIp/wXqFoniFdxRmtmpfZBxoKVlADkwRy34h8k6ZmgtqPTQfUUk/+yH2CAoQu+HyOtUnQof8vc1k4zs8nCTrCSjqvFPjU8mHtVHy1RY0qmK9t99ugXyAKaGON3PlseetIC8WCTt84nM5XGD3VQpbv139yhSPhp2Oiz0IiOsr+L9idVKSvfNSkdNq9aUC7963uAQNud8c4GuDmbENvZYvGNIMxxZhYA86n1RMNtGDZJs6/4hZTL18Kz1yCY9zbbSXTxWTmkaHJziHtgrEPoYpUeb85J229PDEX08yHOkj2HXVdnKKmEaHw3VkB4eM3PhGGdrw2CSUejSaqPQFLdhabcB2zdB4lj/AUnZvNaJc23nHHIauHnhhVrxh/KQ1H4YaYKT9ji/69BIfrTgvoGaPZC10pQKinBHEPMXoFrCd1RX1vutnXXcyT2KTBP4GG+Or0j6Sqxtp5WhxR0aJqIKM6LqMHtTooI0QhWbmSqDEBX/wRS70csVeJSrZ4dqRKit+hz8OalHA7At9e+7gSWTfHAwjl5JhtrltyAab/FII4yKQeZWG8j1fSFGHN+EbOrum2uWuVhxkUPy4coMu+yKY4GxlXfvP+yEVK5GrMECRmFBlySetJK3JOoQXiuLirlHUq+0u88QFMdAJ9+fIdU4+FxneqgW7qM7CHRE8jV4pPSWGFbGzxVZ9CWRWaYIw26VsC1qQJe1WmU7Mrp26IxmWHGwHvZ50uB0mjAHFCiln5QAvqTm2/fsY+Puk+Irt3LQbMwGVWPnb4eona2dSha+eMLOiAQkBvbaitsRqqrAVnndP7gHmO+nYZEKNx/740zTRrFBpOelrGdOa0/eV2mPhUQfozGooxoRADmT8fAcDXo0SsXCHzg9tBnmVMvInQ7+8nXfhcF/fEBjvW3gIWOmp2EWutHQ/sl73MieJWnP/n3DMk2HHcatoIZOMUzo4S4uztODHoSiOJDA1hVj7qADvKB37/OX0opnbii9o6W8naFkWG5Ie7+EWQZdo+xeVYpwGOzcNwDRrxbZpV3fTvWyWKToovncZq+TQj7c4Yhz6XDF0ffljN5hTm4ONwYViFNB4gTJlFxFX00wcWfwWah4uJs2Oa8dHPVT+7viagZiPrSDk/gythdY8glGm+F0DWlzQpWbgSI3ZbdiUQ+ox4GtLUtYgGIQFUvRYbuHqH6CXQ3SM6vkbhV/nAn6UDEWKXdJsO0u5q6UpXci7MlWDNLxoQ9dfGjSc28mX+q+4hkyho4u1XSMy9B6IdH304J7fuAQ88tTorT67AiqvqR6qnZ0icV+MMLh95moxFbrvch6sGAmMEixqeujmiZzBqBmNbzZVORiv9qcbe3CQ6X2i+9D8hMpaWj5jI0u+0wk3bRFK4uDn8T1mnD6l4TrJayf3cZI+duhKcabNj71i5w76S8RZSC6RX4ks0x+XIDc5v3223NmGvceYklbuOJtJa0/MBTOcSDKCM2kUXqPV2BlA9Za8WEO2UrdcyP+AXgM20af3thjlZvA494zdZ0mqjrsKp+VS2MVrBBtj+puSuSHJYf6bnA5/yjqQtbGvAp8hfXQURC53J5oD8rb9F7vQRqdfqpe6xd7DVd+wWZS86mWjyZYKXw312t8nM/gxo0pdvZ8F0x9y3xb9UBM2pZtdYvk3hPz6swhuE1N5j2u7nwtXuEDNcGCSfr+IempeFHFRqO8n8ikASEdKcq2XHGJwfc3lVXOQ5K4JlewcC7yQL1uNtL6iNKCtJmjJiH2PMmXrtpmCeTspFNZlwmiICyPWV9B5ce9H/qP1xjndBzFz0rn75SGDnWUhNZI/aYKNVyzkOleS5VSNxBx1hoiFuG8r+6ctYwF7XL94b95tXQ/+0V5dt0H1xVaOZ7QluoDtMSzuUjV4yUoQESa3zCfZwnW+b5SKndX5nx0GYrVxydMkUdfimZpX/fezcMiaAGwG/jgWF0zS+EL4T7gR8I5R3qUNTifKFJKJL1+AL8CgL+SRB1lgHDp2wQ7cqgqcmskAsT60qisL/UZGgmnlgZ8FkNhv0vAMkzIsz7o6cuLo15hZnrsZveIo+mZKY2cMJjJb4ZlJLcE+YcnpiM84OYjypa9lA7kv4XJaDX9oirhsl9IO/ImbFgYpR73y+xSolXYdDKfZjf/8NR7vE8fu+LYXGoZHO/hxousED6y3sCo/ItECYHWYIui+V5SmAoEvVV8FY8fFMYIc+Llc2CoX5HQISfUAtLu+fGNNV0muidXnBdtnJo25UEqxwvoENdI1lGPhlrXY6/h4kIT5djmsxxSG/EgG/4fPnrThgF9/fbG8n/3LweXvQOGjX0F1Ngt5wuMIWRQk5vtLdvv2M+BNwthHZ7xzIU7zqSVvngVPwgcsTr2d5pTVOxauT1K6ffiBF04jVZEcna+NXhJM5EcRHNuT/iOb0ncn1yuKU8JJnztEzMDjO1qCmaBTyWBR7nQS6K+nfstd/AnBWyGeC5Yi3wlvZAVMpc0m7I7McXb+rXiHM0mHoq0Z/2HOki5LP2cBuIkk84tJ3SRZwWnocrz4aTEIOmwftqMATy5Ur0KRxoUSFNMJYyc1iOfjk3H2JjgecWlQdYHcIEjxGDGeo4S9EKTRokMGNUN2nTj3SO2nHoWbx9WhGe6uB3OgDENGL9aNoPnYKXs4WcobctMxQjjBWa/zpCFwP8nr78xIFfy/64ZtsFBrxSrEHxeXiPa2Kpv456aQ9kDQjJt9XrWKe+JBawtpPUYHmWkUb3Gznp3tC2LbowvJlEe/17srb5yi+sUHEF1z/8Uk4eVYcUUXzyq3YEuqumIBIYqO8J3K5Us7tEXyzhHH8TMLNSQxmDi/w5oYccIwNFMM1+xRTsyjHHtB/rHYJjPW/50Xxb0CZF84NqotCcgIMrR4nUiPnAPd8ZvHeB/235gS1NtzBWtfcDmP8khibSQpY3JW+fdY/9W6iGlPyPIwOgH06fJayaT44sPFIm+QGIkPKSAJOFDeJNG8oc6SAqrYSfCffYfOAx3IsjSdnxQy9JAcS0HxjWnEO3rgSh7bNEecO3f4hb3TRNlczdzhfrwgxUZ0rURI3LfMCpGntF+8NrhtB7RT8sEOaa4NM13T7LWjykRQJFYKNZY0siPBP2WJxjBqL0KynlTPhAcfFyiLZbAhe7YC0XmYo8iJQqdzJQwBK9iOoDkg1XuGy7+Kfe0scamvHN2Z85umcPSiPEQRP3zAWcP5kRNDath7DKrBfQtvOJvEHiihE+qiASrCZep+m7jTD261U9vQGAnR4xBY08ChSh8XItWHvDHARN+GP08h9u6nlJ3rpOoVn9y22NNgx7bOe6QIYe9f6iYbbAzLR1/7AP1A4CQwFi39eZI9BZteze5eas+6JR2s1LqH9tncOmWAhXjE8p3hOtplh/tMbrx+pySNX4BKfZva54zccIa+e59NUifTRsq27AwAtcxg2Bk1Tu7B+LT9Yw2K8tRH6XTcGlvqDM4sYjNBqzh3yAga5iro706tg/Qaa50eln8rjISularEHlfaggogjvd+wNLg44Rj8pMr25+xxS0e9KoEGon5SutuhJ/HBGnEj3+4qNxHu27nkAmZIADiF+Jh53osDuA1fsUnRXf2lJABa30KDkG8E/eci+TkESrdfsPMo6yhWoyjtjYdJbGkjtsQCMW5DOSNYDH0FqDiiVU0nBLJ4+A4ep6aWTrv6w/ozuO4educ7x9IBpGmEY30rsXWwiGJbLGyIo+6qz6J5JBKdjNBsDO7RRweDNMp8ospaGNQSa4NKAHTG8BsGqJSP8oebpVqYpgPS1TiBWnYZKQSRJ5NFs+ULpdICekxevVXAH8uh+De9GT7KsJJzg0CFjALDbC0YrbmCigspJAh2455I6/xyWbPXCYMXwBzbioMgWcNhQBJJ6oIoQ7shwf2TP0Z+X/3NoMpWHmGpoV/JZind8lb9lcxoI44uf37+xc03O1R1bNucf0F5ljrgj2sZlGz/591EJen5GZhrT6qSTIcMu+xIyxyA/zzhy0jjkVfkDKfQ8mE9AmVtbbzHAQNy2PhDIeu7ngoFN635tSOJLR2c6pC/m6n50slFbo0oeHbbiGHyxDk7q3zXHWoHzeF1k4iVdHumYg/nwZOuRzms6rvkmwkJv59Z1p05jxA+Y0yHvDeq1WR8PfS/esm3RHfP3fM+zTlj9ZBJfzvn4OL+IIHRQ5l8pGKAeRL58OjeaU5QU98lAKHydOPDGBalsEHyIKD6iy3RZ65qIm956zQd98htZ1Vgkd7LVC7LSnLb9jRbqS1vHN7lR6bQMmXtQBYSA/+ZW2RQqSo7sToVh+Pxl3EVmsgyO8dXPL4biz7XM8eVz7CqHkrQUinnr79HJWC6Uk19cBurOD6PeOqNYy08Og/A0hbHOgN3dKmVRAPf7itK6x0eb5F70T2zVqG12GHVZieXwIcp/vahuFvriHLJtuM04laiRWNXSiL2MPHQ8e9rr8NIlWDm9uev55FI9zZxwFUPBSewawPe5vkqRLfwZCYd5mZoxtBhNBWvY3ZOVD/21dIUlQanG1n6RygbmAwCHnIB4c7EH2CBYEMDToRQuAuIssviIfdaJglwDgHbLWKNUVDOdqeclBNZjfQfVXbVukPk8DfWLqj9pD4xAOzDeVQcdmg2aLvNKgpZsWs4d+6GlKrpS7qEGvoBkIFh/cVY7DMYrt/JXYuF6DpwB+HbfnuDFc2p47SPNhnmt/ez6/DACBPQ+tgpyWYXUsiviGSp72JNTzd8uFJJZNeKUJZw1c0UTjxdwigh5tL/hWhPl48DY937zymSr1xVqC3RV6wSIpuplH+hss/rsRPAp1/TfxvhJuFsoPbW0586y9YzqEHT4FUu6WSRy0gMJLP2sLqiiZXZ6kPicXsW7M55mV3ugbGQjB7YS7EVqsQzvJTiQbOlcPqwoKK7DTqaeCOXd8kH1tNoe7hjx/UNNdLQQ7IhrJIzxqTTgwcXYMCxhoezDsIHReTIymsHPkCurfteTQcbfwoKN5E9zC2hINOPmhAxLvONzaLXQGMqofuTbFshkB4eUj8U4vBCNp+60iCLnibt4rPuyoWKEHWBYa6FfIykxVKuXkfcb64dCdGCWjv7x1XqkbpHxQB80qhipoSo244pyhIsN91ASu1Q7L75LxGXibY3jb0Y4KZ5zIWsH4kVlvPhangohDO1J9gmL9inGr9hy5BHTQiMcktGoUgOIbFJ72381vYpPxn3ngBbp48mVZd0w6xV8RBaqR3l7CxI9vvMAPYPoXBB18ERoZypza8mAlzv2QxIkNGuRzFENh1SXegBfN7eiazZnwnhbyeMghJpnXzfvHACyjkdH3shRYcJ+oMiOSpInGxm/hxFQxHJZA0Ft/lza</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>
\ No newline at end of file
diff --git a/xmlenc/testdata/key.pem b/xmlenc/testdata/key.pem
new file mode 100644
index 00000000..c4530a84
--- /dev/null
+++ b/xmlenc/testdata/key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi
+3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E
+PsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB
+AoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ
+CT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS
+JEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU
+N3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/
+fbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU
+4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM
+Rq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA
+yfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr
+vBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6
+hU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==
+-----END RSA PRIVATE KEY-----
diff --git a/xmlenc/testdata/plaintext.xml b/xmlenc/testdata/plaintext.xml
new file mode 100644
index 00000000..3b4aeeb3
--- /dev/null
+++ b/xmlenc/testdata/plaintext.xml
@@ -0,0 +1,19 @@
+<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_543eb64ea4ce19647a1f2aef5b91245d" IssueInstant="2015-12-01T01:56:21.375Z" Version="2.0"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_543eb64ea4ce19647a1f2aef5b91245d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>cX9v4gtpluvP0P1TjYf+NJpli/PO5Abp/8bNxHFENGo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PmgDQrPcsntL0XsPnQXAXcdrjvD90hiTYWbj5+Bsn9WgI3HEDZh8RJAgei3LbFWDGOU6mBwYQU1PCxcAcXWkjamH4L0QDExA/5iHrhRXGQgwgEigKqLZH3h2EPVV1HYK5VLRs4ZI6uAgiY4wObHORxZevuM9NdgYRjKVUl0tSIXc6IfJqTNfCGfSQ9UIFNn8GI9GNaYBaHDhXyGJL1MnbHISQEJP7ingyHFKpc7UO0o8EGlgGJ4iVIe1ONBeSKs/d+dHwRKE1gUd4Ls3N7h8tBiCxr0ICSNANvLdAzGoefLCQe9UEh9QB3ZIQK1+sv9MzEFT+7bQY9GrZVszucBf4w==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEVMBMGA1UECBMM
+UGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYDVQQKEwhUZXN0U2hpYjEZMBcG
+A1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcx
+CzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gx
+ETAPBgNVBAoTCFRlc3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7CyVTDClcp
+u93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe3OQ01Ow3yT4I+Wdg1tsT
+pSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aTNPFmDixzUjoYzbGDrtAyCqA8f9CN2txI
+fJnpHE6q6CmKcoLADS4UrNPlhHSzd614kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB
+5/9nb0yh/ojRuJGmgMWHgWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HE
+MIHBMB0GA1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ869nh8
+3KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTET
+MBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNoaWIxGTAXBgNVBAMTEGlkcC50ZXN0
+c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5M
+FfSVk98t3CT9jHZoYxd8QMRLI4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpk
+OAvZZUosVkUo93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
+/SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAjGeka8nz8Jjwx
+pUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr8K/qhmFT2nIQi538n6rVYLeW
+j8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="https://15661444.ngrok.io/saml2/metadata">_41bd295976dadd70e1480f318e772841</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Address="75.144.86.91" InResponseTo="id-9e61753d64e928af5a7a341a97f420c9" NotOnOrAfter="2015-12-01T02:01:21.375Z" Recipient="https://15661444.ngrok.io/saml2/acs"></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2015-12-01T01:56:21.375Z" NotOnOrAfter="2015-12-01T02:01:21.375Z"><saml2:AudienceRestriction><saml2:Audience>https://15661444.ngrok.io/saml2/metadata</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2015-12-01T01:56:21.091Z" SessionIndex="_6149230ee8fb88d3635c238509d9a35a"><saml2:SubjectLocality Address="75.144.86.91"></saml2:SubjectLocality><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myself</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Member</saml2:AttributeValue><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Staff</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myself@testshib.org</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">And I</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Member@testshib.org</saml2:AttributeValue><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Staff@testshib.org</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Me Myself</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Me Myself And I</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="https://15661444.ngrok.io/saml2/metadata">8F+M9ovyaYNwCId0pVkVsnZYRDo=</saml2:NameID></saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="telephoneNumber" Name="urn:oid:2.5.4.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">555-5555</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
\ No newline at end of file
diff --git a/xmlenc/test_data/rsapriv.pem b/xmlenc/testdata/rsapriv.pem
similarity index 100%
rename from xmlenc/test_data/rsapriv.pem
rename to xmlenc/testdata/rsapriv.pem
diff --git a/xmlenc/test_data/rsapub.pem b/xmlenc/testdata/rsapub.pem
similarity index 100%
rename from xmlenc/test_data/rsapub.pem
rename to xmlenc/testdata/rsapub.pem
diff --git a/xmlenc/xmlenc.go b/xmlenc/xmlenc.go
index f7f94924..b0ed5bf1 100644
--- a/xmlenc/xmlenc.go
+++ b/xmlenc/xmlenc.go
@@ -6,14 +6,13 @@ package xmlenc
 import (
 	"crypto/rand"
 	"hash"
-	"io"
 
 	"github.com/beevik/etree"
 )
 
 // RandReader is a thunk that allows test to replace the source of randomness used by
 // this package. By default it is Reader from crypto/rand.
-var RandReader io.Reader = rand.Reader
+var RandReader = rand.Reader
 
 // Encrypter is an interface that encrypts things. Given a plaintext it returns an
 // XML EncryptedData or EncryptedKey element. The required type of `key` varies
diff --git a/xmlenc/xmlenc_test.go b/xmlenc/xmlenc_test.go
index d35f0c33..65683dfe 100644
--- a/xmlenc/xmlenc_test.go
+++ b/xmlenc/xmlenc_test.go
@@ -1,71 +1,66 @@
 package xmlenc
 
 import (
-	"io/ioutil"
 	"math/rand"
+	"os"
+	"testing"
 
 	"github.com/beevik/etree"
-	. "gopkg.in/check.v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
-type TestFoo struct {
-}
-
-var _ = Suite(&TestFoo{})
-
-func (test *TestFoo) SetUpTest(c *C) {
-	RandReader = rand.New(rand.NewSource(0)) // deterministic random numbers for tests
-}
-
-func (test *TestFoo) TestDataAES128CBC(c *C) {
-	plaintext, err := ioutil.ReadFile("test_data/encrypt-data-aes128-cbc.data")
-	c.Assert(err, IsNil)
+func TestDataAES128CBC(t *testing.T) {
+	RandReader = rand.New(rand.NewSource(0)) //nolint:gosec  // deterministic random numbers for tests
+	plaintext, err := os.ReadFile("testdata/encrypt-data-aes128-cbc.data")
+	assert.Check(t, err)
 
 	var ciphertext string
 	{
 		encrypter := AES128CBC
-		cipherEl, encErr := encrypter.Encrypt([]byte("abcdefghijklmnop"), []byte(plaintext))
-		c.Assert(encErr, IsNil)
+		cipherEl, encErr := encrypter.Encrypt([]byte("abcdefghijklmnop"), plaintext)
+		assert.Check(t, encErr)
 
 		doc := etree.NewDocument()
 		doc.SetRoot(cipherEl)
 		doc.IndentTabs()
 		ciphertext, err = doc.WriteToString()
-		c.Assert(err, IsNil)
+		assert.Check(t, err)
 	}
 
 	{
 		decrypter := AES128CBC
 		doc := etree.NewDocument()
 		err = doc.ReadFromString(ciphertext)
-		c.Assert(err, IsNil)
+		assert.Check(t, err)
 
 		actualPlaintext, err := decrypter.Decrypt(
 			[]byte("abcdefghijklmnop"), doc.Root())
-		c.Assert(err, IsNil)
-		c.Assert(actualPlaintext, DeepEquals, plaintext)
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(plaintext, actualPlaintext))
 	}
 
 	{
 		decrypter := AES128CBC
 		doc := etree.NewDocument()
-		err := doc.ReadFromFile("test_data/encrypt-data-aes128-cbc.xml")
-		c.Assert(err, IsNil)
+		err := doc.ReadFromFile("testdata/encrypt-data-aes128-cbc.xml")
+		assert.Check(t, err)
 
 		actualPlaintext, err := decrypter.Decrypt([]byte("abcdefghijklmnop"), doc.Root())
-		c.Assert(err, IsNil)
-		c.Assert(actualPlaintext, DeepEquals, plaintext)
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(plaintext, actualPlaintext))
 	}
 }
 
 /*
-func (test *TestFoo) TestAES256CBC(c *C) {
+func TestAES256CBC(t *testing.T) {
+	RandReader = rand.New(rand.NewSource(0)) // deterministic random numbers for tests
 	doc := etree.NewDocument()
-	err := doc.ReadFromFile("test_data/plaintext.xml")
-	c.Assert(err, IsNil)
+	err := doc.ReadFromFile("testdata/plaintext.xml")
+	assert.NoError(t, err)
 
 	el := doc.FindElement("//PaymentInfo")
-	c.Assert(el, Not(IsNil))
+	assert.NotNil(t, el)
 
 	tmpDoc := etree.NewDocument()
 	tmpDoc.SetRoot(el.Copy())
@@ -74,7 +69,7 @@ func (test *TestFoo) TestAES256CBC(c *C) {
 	encrypter := AES256CBC
 	cipherEl, err := encrypter.Encrypt(
 		[]byte("abcdefghijklmnopqrstuvwxyz012345"), []byte(tmpBuf))
-	c.Assert(err, IsNil)
+	assert.NoError(t, err)
 
 	el.Child = nil
 	el.AddChild(cipherEl)