From 3f8033c03add257bdbb845f1c90361d04495ab92 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 22 Feb 2010 15:08:33 +0000
Subject: [PATCH] Include new version 1.2 of mdcheck that allows relative URLs
 to be used in checking rulesets, either for xsl:include, xsl:import or the
 document function.  Use this to refactor the rulesets into a common framework
 plus smaller rulesets for specific functional areas such as individual
 standards.

---
 build.xml                              |  11 +-
 build/check.xsl                        | 302 +------------------------
 build/check_framework.xsl              |  66 ++++++
 build/check_idpdisc.xsl                |  42 ++++
 build/check_imported.xsl               | 255 +--------------------
 build/check_misc.xsl                   | 168 ++++++++++++++
 build/check_shibboleth.xsl             | 140 ++++++++++++
 tools/mdcheck/lib/sdss-mdcheck-1.1.jar | Bin 6533 -> 0 bytes
 tools/mdcheck/lib/sdss-mdcheck-1.2.jar | Bin 0 -> 6782 bytes
 9 files changed, 434 insertions(+), 550 deletions(-)
 create mode 100644 build/check_framework.xsl
 create mode 100644 build/check_idpdisc.xsl
 create mode 100644 build/check_misc.xsl
 create mode 100644 build/check_shibboleth.xsl
 delete mode 100644 tools/mdcheck/lib/sdss-mdcheck-1.1.jar
 create mode 100644 tools/mdcheck/lib/sdss-mdcheck-1.2.jar

diff --git a/build.xml b/build.xml
index 5c7a8cb8..5090f0f5 100644
--- a/build.xml
+++ b/build.xml
@@ -742,8 +742,12 @@
 		Parameter 'i' is the file to be checked; no assumption is made
 		about its location so this must contain a full path.
 		
-		Parameter 's' is the checking stylesheet to use; assumed to be
+		Parameter 's' is the primary checking stylesheet to use; assumed to be
 		present in the build.dir.
+		
+		A fixed set of additional checking stylesheets are included in every run;
+		the one passed as a parameter should only contain rules specific to the
+		calling context.
 	-->
 	<macrodef name="CHECK">
 		<attribute name="i"/>
@@ -761,6 +765,11 @@
 				</classpath>
 				<jvmarg value="-Djava.endorsed.dirs=${tools.xalan}/endorsed"/>
 				<arg value="@{i}"/>
+				<!-- set of checking stylesheets applied in every case -->
+				<arg value="${build.dir}/check_shibboleth.xsl"/>
+                <arg value="${build.dir}/check_idpdisc.xsl"/>
+                <arg value="${build.dir}/check_misc.xsl"/>
+				<!-- single context-dependent ruleset -->
 				<arg value="${build.dir}/@{s}"/>
 			</java>
 		</sequential>
diff --git a/build/check.xsl b/build/check.xsl
index 755d18fd..7677c190 100644
--- a/build/check.xsl
+++ b/build/check.xsl
@@ -23,73 +23,18 @@
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
 	<!--
-		The stylesheet output will be a text file, which will probably be thrown
-		away in any case.  The real output from the check is sent using the
-		xsl:message element.
+		Common support functions.
 	-->
-	<xsl:output method="text"/>
-	
+	<xsl:import href="check_framework.xsl"/>
+
 	
 	<!--
 		Pick up the members.xml document, and create a Members class instance.
 	-->
-	<xsl:variable name="memberDocument" select="document('xml/members.xml')"/>
+	<xsl:variable name="memberDocument" select="document('../xml/members.xml')"/>
 	<xsl:variable name="members" select="ukfxMembers:new($memberDocument)"/>
 
 	
-	<!--
-		Checks across the whole of the document are defined here.
-		
-		Only bother with these when the document element is an EntitiesDescriptor.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<xsl:variable name="entities" select="//md:EntityDescriptor"/>
-		<xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-		
-		<!-- check for duplicate entityID values -->
-		<xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
-		<xsl:variable name="dup.entityIDs"
-			select="set:distinct(set:difference($entities/@entityID, $distinct.entityIDs))"/>
-		<xsl:for-each select="$dup.entityIDs">
-			<xsl:variable name="dup.entityID" select="."/>
-			<xsl:for-each select="$entities[@entityID = $dup.entityID]">
-				<xsl:call-template name="fatal">
-					<xsl:with-param name="m">duplicate entityID: <xsl:value-of select='$dup.entityID'/></xsl:with-param>
-				</xsl:call-template>
-			</xsl:for-each>
-		</xsl:for-each>
-		
-		<!-- check for duplicate OrganisationDisplayName values -->
-		<xsl:variable name="distinct.ODNs"
-			select="set:distinct($idps/md:Organization/md:OrganizationDisplayName)"/>
-		<xsl:variable name="dup.ODNs"
-			select="set:distinct(set:difference($idps/md:Organization/md:OrganizationDisplayName, $distinct.ODNs))"/>
-		<xsl:for-each select="$dup.ODNs">
-			<xsl:variable name="dup.ODN" select="."/>
-			<xsl:for-each select="$idps[md:Organization/md:OrganizationDisplayName = $dup.ODN]">
-				<xsl:call-template name="fatal">
-					<xsl:with-param name="m">duplicate OrganisationDisplayName: <xsl:value-of select='$dup.ODN'/></xsl:with-param>
-				</xsl:call-template>
-			</xsl:for-each>
-		</xsl:for-each>
-		
-		<!--
-			Perform checks on child elements.
-		-->
-		<xsl:apply-templates/>
-	</xsl:template>
-	
-	
-	<!--
-		Check for entities which do not have an OrganizationName at all.
-	-->
-	<xsl:template match="md:EntityDescriptor[not(md:Organization/md:OrganizationName)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">entity lacks OrganizationName</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
 	<!--
 		Check for entities with OrganizationName elements which don't correspond to
 		a canonical owner name.
@@ -102,196 +47,6 @@
 	</xsl:template>
 	
 	
-	<!--
-		OrganizationURL elements should contain actual URLs, or some software
-		will reject the metadata.  This is known to be true for at least the Shibboleth
-		1.3 IdP and the accompanying metadatatool application, because they pass the
-		string to the java.net.URL class.
-		
-		We perform a very cursory test for this by insisting that they start with
-		either "http://" or "https://".
-	-->
-	<xsl:template match="md:OrganizationURL[not(starts-with(., 'http://'))]
-		[not(starts-with(., 'https://'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">OrganizationURL '<xsl:value-of select="."/>' does not start with acceptable prefix</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
-		authentication request binding, the role descriptor's protocolSupportEnumeration
-		must include both of the following:
-		
-			urn:oasis:names:tc:SAML:1.1:protocol
-			urn:mace:shibboleth:1.0
-		
-		See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
-	-->
-	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
-		[not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
-		This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which
-		interprets this as "no use permitted" rather than "either signing or encryption use
-		permitted".
-		
-		Two checks are required, one for each of the IdP role descriptors.
-	-->
-	
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-
-	<!--
-		Check for role descriptors with missing KeyDescriptor elements.
-	-->
-	
-	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>	
-	</xsl:template>
-
-	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>	
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>	
-	</xsl:template>
-	
-	
-	<!--
-		Check for a construct which is known to cause the Shibboleth 1.3 SP to dump core.
-		
-			<md:KeyDescriptor use="signing">
-				<ds:KeyInfo>
-					<KeyName>blabla<KeyName>
-				</ds:KeyInfo>
-			</md:KeyDescriptor>
-		
-		The issue here is that the KeyName does not have the ds: namespace.
-	-->
-	<xsl:template match="ds:KeyInfo/*[namespace-uri() != 'http://www.w3.org/2000/09/xmldsig#']">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">ds:KeyInfo child element not in ds namespace</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for IDP role descriptors containing (at any level of nesting)
-		SAML 2.0 attribute elements that do not include a NameFormat XML attribute.
-		
-		This combination causes the Shibboleth 1.3 and related code (such as metadatatool)
-		to reject the metadata.
-		
-		See https://bugs.internet2.edu/jira/browse/SIDPO-34
-	-->
-	<xsl:template match="md:IDPSSODescriptor[descendant::saml:Attribute[not(@NameFormat)]]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">SIDPO-34: Attribute lacking NameFormat in IDPSSODescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Entity IDs should not contain space characters.
-	-->
-	<xsl:template match="md:EntityDescriptor[contains(@entityID, ' ')]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">entity ID contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Entity IDs should start with one of "http://", "https://" or "urn:mace:".
-	-->
-	<xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
-		[not(starts-with(@entityID, 'http://'))]
-		[not(starts-with(@entityID, 'https://'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		@Location attributes should not contain space characters.
-		
-		This may be a little strict, and might be better confined to md:* elements.
-		At present, however, this produces no false positives.
-	-->
-	<xsl:template match="*[contains(@Location, ' ')]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Checks on the DiscoveryResponse extension.
-	-->
-	
-	<xsl:template match="idpdisc:DiscoveryResponse[not(@Binding)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">missing Binding attribute on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="idpdisc:DiscoveryResponse[@Binding]
-		[@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">incorrect Binding value on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for Locations that don't start with https://
-		
-		This may be a little strict, and might be better confined to md:* elements.
-		In addition, we might at some point require more complex rules: whitelisting certain
-		entities, or permitting http:// to Locations associated with certain bindngs.
-		
-		At present, however, this simpler rule produces no false positives.
-	-->
-	<xsl:template match="*[@Location and not(starts-with(@Location,'https://'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
 	<!--
 		Check for badly formatted e-mail addresses.
 	-->
@@ -302,53 +57,4 @@
 	</xsl:template>
 	
 	
-	<!--
-		Check for Shibboleth Scope elements that don't include a regexp attribute.
-		This has a default in the schema so omitting it can cause signing brittleness.
-	-->
-	<xsl:template match="shibmd:Scope[not(@regexp)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for empty xml:lang elements, automatically generated by OIOSAML.
-		
-		This is not schema-valid so would be caught further down the line anyway,
-		but it's nice to have a clear error message earlier in the process.
-	-->
-	<xsl:template match="@xml:lang[.='']">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">empty xml:lang attribute</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-
-	<!--
-		Common template to call to report a fatal error on some element within an entity.
-	-->
-	<xsl:template name="fatal">
-		<xsl:param name="m"/>
-		<xsl:message terminate='no'>
-			<xsl:text>*** </xsl:text>
-			<xsl:value-of select="ancestor-or-self::md:EntityDescriptor/@ID"/>
-			<xsl:text>: </xsl:text>
-			<xsl:value-of select="$m"/>
-		</xsl:message>
-	</xsl:template>
-
-
-	<!-- Recurse down through all elements by default. -->
-	<xsl:template match="*">
-		<xsl:apply-templates select="node()|@*"/>
-	</xsl:template>
-	
-	<!-- Discard text blocks, comments and attributes by default. -->
-	<xsl:template match="text()|comment()|@*">
-		<!-- do nothing -->
-	</xsl:template>
-
 </xsl:stylesheet>
diff --git a/build/check_framework.xsl b/build/check_framework.xsl
new file mode 100644
index 00000000..b673682d
--- /dev/null
+++ b/build/check_framework.xsl
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_framework.xsl
+	
+	XSL stylesheet providing a framework for use by rule checking files.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+	<!--
+		The stylesheet output will be a text file, which will probably be thrown
+		away in any case.  The real output from the check is sent using the
+		xsl:message element.
+	-->
+	<xsl:output method="text"/>
+	
+
+	<!--
+		Common template to call to report a fatal error on some element within an entity.
+	-->
+	<xsl:template name="fatal">
+		<xsl:param name="m"/>
+		<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+		<xsl:message terminate='no'>
+			<xsl:text>*** </xsl:text>
+			<!--
+				If we're processing an aggregate, we need to indicate which
+				individual entity we're dealing with.
+			-->
+			<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+				<!--
+					Use an ID if available, otherwise the entityID.
+				-->
+				<xsl:choose>
+					<xsl:when test="$entity/@ID">
+						<xsl:value-of select="$entity/@ID"/>
+					</xsl:when>
+					<xsl:otherwise>
+						<xsl:value-of select="$entity/@entityID"/>
+					</xsl:otherwise>
+				</xsl:choose>
+				<xsl:text>: </xsl:text>
+			</xsl:if>
+			<xsl:value-of select="$m"/>
+		</xsl:message>
+	</xsl:template>
+
+
+	<!-- Recurse down through all elements by default. -->
+	<xsl:template match="*">
+		<xsl:apply-templates select="node()|@*"/>
+	</xsl:template>
+	
+
+	<!-- Discard text blocks, comments and attributes by default. -->
+	<xsl:template match="text()|comment()|@*">
+		<!-- do nothing -->
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/build/check_idpdisc.xsl b/build/check_idpdisc.xsl
new file mode 100644
index 00000000..a42ee1d9
--- /dev/null
+++ b/build/check_idpdisc.xsl
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_imported.xsl
+	
+	Checking ruleset containing rules associated with the SAML IdP Discovery Protocol.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	
+	<!--
+		Checks on the DiscoveryResponse extension.
+	-->
+	
+	<xsl:template match="idpdisc:DiscoveryResponse[not(@Binding)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">missing Binding attribute on DiscoveryResponse</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="idpdisc:DiscoveryResponse[@Binding]
+		[@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">incorrect Binding value on DiscoveryResponse</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	
+</xsl:stylesheet>
diff --git a/build/check_imported.xsl b/build/check_imported.xsl
index 9e18504a..6955e945 100644
--- a/build/check_imported.xsl
+++ b/build/check_imported.xsl
@@ -3,8 +3,7 @@
 
 	check_imported.xsl
 	
-	XSL stylesheet that takes an imported metadata document destined for
-	the UK federation and checks it against local conventions.
+	Checking ruleset containing rules associated with imported metadata.	
 	
 	Author: Ian A. Young <ian@iay.org.uk>
 
@@ -21,258 +20,12 @@
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
 	<!--
-		The stylesheet output will be a text file, which will probably be thrown
-		away in any case.  The real output from the check is sent using the
-		xsl:message element.
+		Common support functions.
 	-->
-	<xsl:output method="text"/>
-	
-	<!--
-		Check for entities which do not have an OrganizationName at all.
-	-->
-	<xsl:template match="md:EntityDescriptor[not(md:Organization/md:OrganizationName)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">entity lacks OrganizationName</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
+	<xsl:import href="check_framework.xsl"/>
 
 	<!--
-		OrganizationURL elements should contain actual URLs, or some software
-		will reject the metadata.  This is known to be true for at least the Shibboleth
-		1.3 IdP and the accompanying metadatatool application, because they pass the
-		string to the java.net.URL class.
-		
-		We perform a very cursory test for this by insisting that they start with
-		either "http://" or "https://".
-	-->
-	<xsl:template match="md:OrganizationURL[not(starts-with(., 'http://'))]
-		[not(starts-with(., 'https://'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">OrganizationURL '<xsl:value-of select="."/>' does not start with acceptable prefix</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
-		authentication request binding, the role descriptor's protocolSupportEnumeration
-		must include both of the following:
-		
-			urn:oasis:names:tc:SAML:1.1:protocol
-			urn:mace:shibboleth:1.0
-		
-		See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
-	-->
-	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
-		[not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
-		This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which
-		interprets this as "no use permitted" rather than "either signing or encryption use
-		permitted".
-		
-		Two checks are required, one for each of the IdP role descriptors.
-	-->
-	
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for role descriptors with missing KeyDescriptor elements.
-	-->
-	
-	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>	
-	</xsl:template>
-	
-	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>	
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>	
-	</xsl:template>
-	
-	
-	<!--
-		Check for a construct which is known to cause the Shibboleth 1.3 SP to dump core.
-		
-			<md:KeyDescriptor use="signing">
-				<ds:KeyInfo>
-					<KeyName>blabla<KeyName>
-				</ds:KeyInfo>
-			</md:KeyDescriptor>
-		
-		The issue here is that the KeyName does not have the ds: namespace.
-	-->
-	<xsl:template match="ds:KeyInfo/*[namespace-uri() != 'http://www.w3.org/2000/09/xmldsig#']">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">ds:KeyInfo child element not in ds namespace</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for IDP role descriptors containing (at any level of nesting)
-		SAML 2.0 attribute elements that do not include a NameFormat XML attribute.
-		
-		This combination causes the Shibboleth 1.3 and related code (such as metadatatool)
-		to reject the metadata.
-		
-		See https://bugs.internet2.edu/jira/browse/SIDPO-34
+		There aren't any rules that apply only in this context.
 	-->
-	<xsl:template match="md:IDPSSODescriptor[descendant::saml:Attribute[not(@NameFormat)]]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">SIDPO-34: Attribute lacking NameFormat in IDPSSODescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Entity IDs should not contain space characters.
-	-->
-	<xsl:template match="md:EntityDescriptor[contains(@entityID, ' ')]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">entity ID contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Entity IDs should start with one of "http://", "https://" or "urn:mace:".
-	-->
-	<xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
-		[not(starts-with(@entityID, 'http://'))]
-		[not(starts-with(@entityID, 'https://'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		@Location attributes should not contain space characters.
-		
-		This may be a little strict, and might be better confined to md:* elements.
-		At present, however, this produces no false positives.
-	-->
-	<xsl:template match="*[contains(@Location, ' ')]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Checks on the DiscoveryResponse extension.
-	-->
-	
-	<xsl:template match="idpdisc:DiscoveryResponse[not(@Binding)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">missing Binding attribute on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="idpdisc:DiscoveryResponse[@Binding]
-		[@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">incorrect Binding value on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for Locations that don't start with https://
-		
-		This may be a little strict, and might be better confined to md:* elements.
-		In addition, we might at some point require more complex rules: whitelisting certain
-		entities, or permitting http:// to Locations associated with certain bindngs.
-		
-		At present, however, this simpler rule produces no false positives.
-	-->
-	<xsl:template match="*[@Location and not(starts-with(@Location,'https://'))]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for Shibboleth Scope elements that don't include a regexp attribute.
-		This has a default in the schema so omitting it can cause signing brittleness.
-	-->
-	<xsl:template match="shibmd:Scope[not(@regexp)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Check for empty xml:lang elements, automatically generated by OIOSAML.
-		
-		This is not schema-valid so would be caught further down the line anyway,
-		but it's nice to have a clear error message earlier in the process.
-	-->
-	<xsl:template match="@xml:lang[.='']">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">empty xml:lang attribute</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	
-	<!--
-		Common template to call to report a fatal error on some element within an entity.
-	-->
-	<xsl:template name="fatal">
-		<xsl:param name="m"/>
-		<xsl:message terminate='no'>
-			<xsl:text>*** </xsl:text>
-			<xsl:value-of select="ancestor-or-self::md:EntityDescriptor/@entityID"/>
-			<xsl:text>: </xsl:text>
-			<xsl:value-of select="$m"/>
-		</xsl:message>
-	</xsl:template>
-
-
-	<!-- Recurse down through all elements by default. -->
-	<xsl:template match="*">
-		<xsl:apply-templates select="node()|@*"/>
-	</xsl:template>
-	
-	<!-- Discard text blocks, comments and attributes by default. -->
-	<xsl:template match="text()|comment()|@*">
-		<!-- do nothing -->
-	</xsl:template>
 
 </xsl:stylesheet>
diff --git a/build/check_misc.xsl b/build/check_misc.xsl
new file mode 100644
index 00000000..42f54668
--- /dev/null
+++ b/build/check_misc.xsl
@@ -0,0 +1,168 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_misc.xsl
+	
+	Checking ruleset containing generally applicable rules not falling into any
+	other category.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:set="http://exslt.org/sets"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	
+	<!--
+		Checks across the whole of the document are defined here.
+		
+		Only bother with these when the document element is an EntitiesDescriptor.
+	-->
+	<xsl:template match="/md:EntitiesDescriptor">
+		<xsl:variable name="entities" select="//md:EntityDescriptor"/>
+		<xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
+		
+		<!-- check for duplicate entityID values -->
+		<xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
+		<xsl:variable name="dup.entityIDs"
+			select="set:distinct(set:difference($entities/@entityID, $distinct.entityIDs))"/>
+		<xsl:for-each select="$dup.entityIDs">
+			<xsl:variable name="dup.entityID" select="."/>
+			<xsl:for-each select="$entities[@entityID = $dup.entityID]">
+				<xsl:call-template name="fatal">
+					<xsl:with-param name="m">duplicate entityID: <xsl:value-of select='$dup.entityID'/></xsl:with-param>
+				</xsl:call-template>
+			</xsl:for-each>
+		</xsl:for-each>
+		
+		<!-- check for duplicate OrganisationDisplayName values -->
+		<xsl:variable name="distinct.ODNs"
+			select="set:distinct($idps/md:Organization/md:OrganizationDisplayName)"/>
+		<xsl:variable name="dup.ODNs"
+			select="set:distinct(set:difference($idps/md:Organization/md:OrganizationDisplayName, $distinct.ODNs))"/>
+		<xsl:for-each select="$dup.ODNs">
+			<xsl:variable name="dup.ODN" select="."/>
+			<xsl:for-each select="$idps[md:Organization/md:OrganizationDisplayName = $dup.ODN]">
+				<xsl:call-template name="fatal">
+					<xsl:with-param name="m">duplicate OrganisationDisplayName: <xsl:value-of select='$dup.ODN'/></xsl:with-param>
+				</xsl:call-template>
+			</xsl:for-each>
+		</xsl:for-each>
+		
+		<!--
+			Perform checks on child elements.
+		-->
+		<xsl:apply-templates/>
+	</xsl:template>
+	
+	
+	<!--
+		Check for entities which do not have an OrganizationName at all.
+	-->
+	<xsl:template match="md:EntityDescriptor[not(md:Organization/md:OrganizationName)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">entity lacks OrganizationName</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
+	<!--
+		Check for role descriptors with missing KeyDescriptor elements.
+	-->
+	
+	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+		</xsl:call-template>	
+	</xsl:template>
+
+	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+		</xsl:call-template>	
+	</xsl:template>
+	
+	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
+		</xsl:call-template>	
+	</xsl:template>
+	
+	
+	<!--
+		Entity IDs should not contain space characters.
+	-->
+	<xsl:template match="md:EntityDescriptor[contains(@entityID, ' ')]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">entity ID contains space character</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
+	<!--
+		Entity IDs should start with one of "http://", "https://" or "urn:mace:".
+	-->
+	<xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
+		[not(starts-with(@entityID, 'http://'))]
+		[not(starts-with(@entityID, 'https://'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
+	<!--
+		@Location attributes should not contain space characters.
+		
+		This may be a little strict, and might be better confined to md:* elements.
+		At present, however, this produces no false positives.
+	-->
+	<xsl:template match="*[contains(@Location, ' ')]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location contains space character</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	
+	<!--
+		Check for Locations that don't start with https://
+		
+		This may be a little strict, and might be better confined to md:* elements.
+		In addition, we might at some point require more complex rules: whitelisting certain
+		entities, or permitting http:// to Locations associated with certain bindngs.
+		
+		At present, however, this simpler rule produces no false positives.
+	-->
+	<xsl:template match="*[@Location and not(starts-with(@Location,'https://'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	
+	<!--
+		Check for empty xml:lang elements, automatically generated by OIOSAML.
+		
+		This is not schema-valid so would be caught further down the line anyway,
+		but it's nice to have a clear error message earlier in the process.
+	-->
+	<xsl:template match="@xml:lang[.='']">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">empty xml:lang attribute</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/build/check_shibboleth.xsl b/build/check_shibboleth.xsl
new file mode 100644
index 00000000..c2e33385
--- /dev/null
+++ b/build/check_shibboleth.xsl
@@ -0,0 +1,140 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_shibboleth.xsl
+
+	Checking ruleset containing rules associated with:
+	
+	* the Shibboleth profile specifications
+	
+	* known problems with Shibboleth implementations
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	
+	<!--
+		OrganizationURL elements should contain actual URLs, or some software
+		will reject the metadata.  This is known to be true for at least the Shibboleth
+		1.3 IdP and the accompanying metadatatool application, because they pass the
+		string to the java.net.URL class.
+		
+		We perform a very cursory test for this by insisting that they start with
+		either "http://" or "https://".
+	-->
+	<xsl:template match="md:OrganizationURL[not(starts-with(., 'http://'))]
+		[not(starts-with(., 'https://'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">OrganizationURL '<xsl:value-of select="."/>' does not start with acceptable prefix</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	
+	<!--
+		If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
+		authentication request binding, the role descriptor's protocolSupportEnumeration
+		must include both of the following:
+		
+			urn:oasis:names:tc:SAML:1.1:protocol
+			urn:mace:shibboleth:1.0
+		
+		See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
+	-->
+	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+		[not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	
+	<!--
+		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
+		This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which
+		interprets this as "no use permitted" rather than "either signing or encryption use
+		permitted".
+		
+		Two checks are required, one for each of the IdP role descriptors.
+	-->
+	
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+
+	<!--
+		Check for a construct which is known to cause the Shibboleth 1.3 SP to dump core.
+		
+			<md:KeyDescriptor use="signing">
+				<ds:KeyInfo>
+					<KeyName>blabla<KeyName>
+				</ds:KeyInfo>
+			</md:KeyDescriptor>
+		
+		The issue here is that the KeyName does not have the ds: namespace.
+	-->
+	<xsl:template match="ds:KeyInfo/*[namespace-uri() != 'http://www.w3.org/2000/09/xmldsig#']">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">ds:KeyInfo child element not in ds namespace</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	
+	<!--
+		Check for IDP role descriptors containing (at any level of nesting)
+		SAML 2.0 attribute elements that do not include a NameFormat XML attribute.
+		
+		This combination causes the Shibboleth 1.3 and related code (such as metadatatool)
+		to reject the metadata.
+		
+		See https://bugs.internet2.edu/jira/browse/SIDPO-34
+	-->
+	<xsl:template match="md:IDPSSODescriptor[descendant::saml:Attribute[not(@NameFormat)]]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">SIDPO-34: Attribute lacking NameFormat in IDPSSODescriptor</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	
+	<!--
+		Check for Shibboleth Scope elements that don't include a regexp attribute.
+		This has a default in the schema so omitting it can cause signing brittleness.
+	-->
+	<xsl:template match="shibmd:Scope[not(@regexp)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
+</xsl:stylesheet>
diff --git a/tools/mdcheck/lib/sdss-mdcheck-1.1.jar b/tools/mdcheck/lib/sdss-mdcheck-1.1.jar
deleted file mode 100644
index 470ce9c60e5f3873c1b8f43498112c0a0bc908e6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6533
zcma)B2Q*yU_nt%-y+xN0ee^n*BzhQwVK91+-UlOu5M7WEHAF8Fy$gbf=q+0G7DVuv
zgdimT#7m^S_x``V*1h+vb@%t3eb3$J?0dee4#B|02b@@}ou<^c#@{Er<117iF3qE)
zs=%lIw;L`X=Gd(n!rg6geEZh%LGiO2R9aO@L0%Ki3sv|C?dev5@bC^2LU_3PdipCg
z_=kn&mRy0#eH}muj|?u(+idNJRNT#1P<1I08srcSO=K!p5e5APvREMvN+0rWjgQB7
zl!e@sn-`M8;z%6Bi*=MmJM4wPcTuu#M!ZJ6fbUTOzD0E$$PdFfZn@k22>VY5>{AC*
z^Z)R<@WaQ=!p-eJ9Laxmbg(eDwlqKM{dCZHdOoND&jSGYm;eCpKLenaNK*?_q^ax)
z{K~hpr7N$wy{Vg9D%{YCOqv2*p&q|5$~>aiRF?T7fS`)_s&z7l?Q2YZa+RSmQ<~N4
zgTZxRSO06dOmqv=T(sZ}4P8E|?2hGMsotBQ-M*yMFJBke!~k?}5OPFox9YMIl+TI&
zMdeJq>i~BcrjBpGSY>G3#;9YF=~RDDAMP1|!%Vy7n7lVQCm=gR0geU-kEo^)>>WU(
zcNgz#T2ps%<Rly1ntQ4oVcIApweVuGpoD_>0K3b$6TU6aHE}ENY1-a{G)Docf<C?@
zx9kZ<*=mMeo4KVZrp{E;H?f^`gBN;8&D1cxnbA96uOyBv3cLx1u@UrnP;_Q9;O1Om
zovJg3tELOzo^R`jZGXa~*cEJ-<(MT6oA=Uq($z}!WXt|*9a~^klZ|bpp5_D;TEC-K
zDO6lO5E&B2z7rIy(RA+7vngrD2qJv(mFAY1yB|>|S*v&MPU!Scq-2OYJfD<&Xw+4j
z8x6w8D1I60nf8|&+yWsm;@eZ>sV3hm$AST(3X2I_D2a4vAJq5bR|zbZ#Oi?WB)}ev
zEy0K5sj5Eu&Cads%O)`<LreJX#*D@^#Ke<xP*r8JVZ^x8P=&wU7&1~Eo%&2ovny2Y
zXil&^N@rZkAH4Ixm5P`8F|Y`_@HWtCUa)bCOkSH)4OMs_XL0p8)snPP@FyMTs>F5?
z0~{eRNLRt5<qPIoYqoSBrlIWnL#}2*sPf#SS`mz%K0vO|cwvo8n7zL%=rfjK;12os
zX>po&=Bo6y702_T1qT2S{a^A9>Lu^$>g1|o<A$_!{GNYtT7H`3Iuu|&Jp1y(0O``I
zqDZRAQWCK@#(F?K&Qa_0)+G3&@5{XcM=WB;r{O8SWKGgX4tas9sjE2eLf&sTKmq%M
zms3;M8#kYO_t$OC)bsfreOxgH<X&<|>@f$ye3D*>7>sSjMPcT~)@HmNv$bLid!#(0
z5$}YYdSy>G`#!Oi!SbtWyCDVAb{Cn_S{ZyG5e$Qu!~}a0UZADIQmr$ppqz2BbDb%M
z_#@GEUt%3b>`QFpWM_8@hLEnJIUmhtpE$Md+*Q9`h_@Z`$dNz(VlCXhvDCgDpG(?g
zgc}yB6_a6DChM(T6e>Ii$(z?%_Gy~G@V1<EGQLWyL^s39yG5b3L?2S0yuDIQKTa?m
zECzlKyr1X*zi|zL1cPP^N+5onMkVsPV)XUZ_6Nm!o{@NQG>woF=4Y97fv;n;MerGy
z?0bpMD}_8|XS?cw8-PQ4h2Oj1=#mj}L1D^ziWIA74dynu=6Wkeu~>)xTKo-fn*+xB
zW|>)MuviKyhlN`4_8>1~Ret#UC53L!Y+IhED8OPkKK~YpCC26=1|bBS(O+PNh-KQb
zt}1++(4Y-Jq)oV2<so^EAolb20)J1J$Lt*q$X00bOsf}$9fuvtehx><)SWteUJ*kL
z-P4TalkY#Z=1gGW{D3Dyd^$KsP)kmY0Ip8eaWp%FN3gNdRQlCGg8pqpyT}K1MD^Is
ziUKW~cngv@TG~7I9*4C~?~8z4B^@v;QgQn8EN#;jyst$p?o_VX-YG9I{o+x<+1NEx
z<5rrbs4_juFGV9N!R9}2jw@~httt@s@?bGNfjD<6==I%!Ppu|Fx4%S-8<8f(-jbuA
zbU~DsJvkKd?*<d>q5Nqodfv+{gx>oQMUD#5G1cp(bsDTp7VJu-H8Qcj0i_(fUFn?t
z?snKyW0DmNsT6D3hdr~T-jNM7vkL2CFJ~{6J-hoH=|@Lf6GO2IR~+M<ptf#JpS{v%
z@fl8+XKa4w(Oo|i>!q>K1D5A}*B9%rFMIPlGg+y>bO+8+QK9ejQ+o=f0-b4eFTH+c
zD%gJYA%Bb8%X~G#HN?Xm0?T{lvng*{l5Vqs%deUZy9P>3peJNE6nSMDWx&!l=!8vD
z_sINcZ-vzNq&u9jw4G3V-%n{C2cLu-@VZh!Ws%ZuI5t8pxk*m^4H9*CD;)0Gv(WIk
z)kAKl`8=$g+lg72U9u6UzmMO|J!>oP$oIfNSiS6qCJSZWSKYvE(A6*^=1|XzOe~*%
z)T`5Fpl6Ic6>?nD9Vh_+w*O%n_`B@rc=^z4F&y>Xj2&0W8x!SGr+o(Ic%+mJ)w{*Y
znwa|p+if_T6S~%7A*56@of=tDAq>MD3=e2KD8RRcv4ki;pl8)^<UmF2hV2%ijD22i
zde=`+XVZypFnyePB-XSm+0-<9(5rb=zj@`3o|H~FAu9IOJT{@zD}7}b7Do-VHes9i
zLTj&??;~QTi%heZjb@(A8=`6y%6CJvHb=IuHW;_!IKvx!)!RaZ3!6hk_FN)@_0go1
zOq7yLL#3GQ!c)P~Pxk_YbHtgAu5zkI_O#?VAJ9+vOSU;DgsVkt^oPz@$kfzp(eKVP
zmK~;qd*7zsG3^O)X+g=*U(J|zrH8qs1>ZOE;bsdmOS{<m<!TBXeMkH-otlxXwUvtz
zJrARd-ruSXXZI1$Sx}-><4l|tomv-n$rFij=9zS*c*i5UlAE7&1A&KSJLJplqwd48
zu{LcQJY6eP*lZ0pF>)XZ3N{-YNMF4IWG9_qBxW~{-*AK|WZsUC%`MX57c(Pfn`U^B
zKjQcbh~?`gP9d`4ub!|bw|<Un{|c!W2jVrYC$>z;Xo&1>G$Obt-9-o=(~ZKJVMukm
zJr!X+wyIT(G8VTy7pZ$cCI!hdc)v8!7*fxSQN7B>z*X%&u~JmjdH1pqz4A6ISq38Q
zExB!lK}A0jx|%RzvpFnwUrXs)O%_E~B?kwQq|3)kU`nZ>iImjkj8c(z3JV^$+Z?fG
za#2h>iL<n2MV~AR$6P&<8eyyDs5kfi5={+7sX1}UP^`3h?GJ7?GLz+fNidEJPx9Gt
z-&O4Jvy{GwOT24kwzj&aRa(F=fl}^%rwsa>z7*Q56p#Px?*2~KVz+L{4e?q;=DmEP
zG=(YwZ|rT+=wgmQsn?VsrAOxK;RJaqALO*TIl8405q2Op0p-uoAe3m^#@CMPG22KT
z$9s`7>~3Kq6(xMJeGwls{6F`_eZE;yWnuR+s+LeruIJuB0c*?cePS+BEQsZsKtVjN
zk&#+<9Ut1f2dMlU7SAR&VgrvZFNKQ6T%qg3z^*L(FMa&@=B=jO4-kf$npx>02<mpL
z2lS6KXa$CE<_wS8YdfQX+3-?PYeRH4d39iP(uC%7oeQkU^_Shq^|q^&#sg@1dUZ4_
zgYhdJiWD)!ZluiWjX40fK?D>repA>atla4009wl@vMYRK3|$%JG-pFOJB;RO&}*+j
zGcZgJ7B19FJP+A?y5}FoWR@1iy`^CWW~$BRlbFyDeYZ#I3$(bFwZJan8=fZc7)!`@
zA}4EcWiQC&1B9~aHQMfQIY{19FU(?i1g(Fls>nS7KQwA*+ES$SdyNKuEnMW=<K7G%
zzgZoXkS^a&)PPXr3r!_lc^C!sag1jp>0`x5<UK(mGb6fsMV*qw>I{n3eVh63HAlTN
zj4bkB?(2){E57dLt*PjFP`uo?yx|}J3Gh*F0Jr}uw0#y$d{d?RtFS~A2q=@jn6{Td
z{k3TE+8&?#nrb43wxLOQ#d%Wwhx>Q7vk+Q3I+`IeSE*j$RZ0uUVaoKUJ(1x+^o|w!
z`<I#zdVXq#gH<Q_tL|+%L-Nh3LZ0>)kCI&AEKhm?%1Xx?m)m#;HVN`_->cA1Rhm?t
zUWoW$Fk^oXJ89A}!7iAXjKb6ozp2=C8G0`$3iMcC+cURMJtNUtv8P44`!CH>(apwd
zvJ9kSFYhc>m*taUG?WEc#dK){AM33IvM5S9A#AQc%taMt;70CZ>%Zh71-_xRxFyx(
zz>xe2I{YSF*Zm?lJ{j6J-nd-eC$*NVnv!>6Jl-t#f*E@FYfh>|Y6HtyPqCdAe{}WA
zI(My<U;Cqi7dw;{*2=2-bw-GBXKn4}bJx2;)A{?7Axl^f+4sofB{!~FLVZJ2GGeA6
zLQIsyP3adu`a%pvV}=@@G~q1du}-&!Rp&GNIjvlCOBgSkRjJgMEw(4y6$IJu3yO?u
zSjtw0tc*6QFEV@h4Cyrr>s)pxk{&f<HyEPAdWB0R2m6#)U@K~q$ZFiN7v>=-(4jYq
z>Y(t`pP8EppFYf+Zf?@W;*-HU${Y{hQk&*0HUoV$iWjOU?PGKqkF7Q=mfR~<TX;s1
zTnpc~yf|x5fxe(_2nx>ho=cT;=@(Z%d{6Cz&E&_4<2xiCY1&7P+{9dFOpvP25$0<z
zqUV#vqAiX8ys_LDL!o29=}!I>{4PT!+Im<Ve_RrD(dDt#RD_rLVSRCCI+mvu$}Xl|
zdXFSd3WL+OfxhIv)XIF^TUC=mx{?=K*`jr8EF)CInoQB})LxfI#pEWsfh~Db0-LNh
zFsUN5><J>)8ZHj3vw{^Ucl+qt_swgsukU$tDe;HpAUlH05u(%9IF=2?W6kmmF&Zrp
zO=dy-(X8mpu(!&Xoh&+3pP!h~@U{Rx#m1^nKngA~8GT-DmTCu^7DI!&)#jM1m*Ut<
z4Ki4l3`z~XNVq2md<{FTv_{0Wqos~|aQ%`G?YP*TJ8>(u{elqa3RjAjl)3Qca9QT(
zaYN_1kp>a82EY{w+qiNs24qw#N4s6^(Jc*wyLt^ok7|ost18zdgcoiFY!Oy2@SD|M
zUW|3^v7|oeRBGkI7E++Iqqz?bWa_?W(3X?7Ub!iiiK84+97i9hZTW&c7BOhf&#T2=
zI(nD8LO{uXNdfo*3IYJTUuNDzlbIwDJ&;rA>s^JvF}s&Fkti4Xynsf&4knD>mUw-G
zgUVG;Ectw)C&5}|7pzb)@akh&VGmbDur3?_O3waA&H{p(IT`v^<tc288kRuGQX0=?
zj%Tb{@2K$NR>R}TZgx@#KdiH{M$)lIM4Mj4SZfkyXi~C&ClEdwX>R^>x7_kor#V91
z2Do^T+sbJ9cHfF-qnD*Nzt>oYRX}5Oc{W+k#^Eb=nS|=7uYL9#9#_Xqlt7J=6W(I+
zoFxCN{74}z_C1elEIu)zUI49>vH8od(-!ta!tN;|3RNF;X90Dh(d(S9w^HO+@sdAe
zBd=qCc&w(1Z+d;$3cTKWxwyJ}ghXe<RRqW|0zGVucLOn?2n}<ATckl_x#oy=UG=z*
zL<@*gnA}(weMkaH3Fq;t#Y#NIpoBd}v#u7l%$`mM?#XGKd5Rla|KY=^Cemhxu>lqp
zQU=u~B(`)iiAPynb_!TI`o1gsQ)wYS{v7+Ev^bc0SUUdrcKg$r_D^SbJ6=<B-rqEe
z-{l<k|HPeudH&QbQY|#4Fq#9ts2}SV2Uw@N#cz@R)cG$Y&Q1=zC<psUc&FneKMA<q
zSbEP9W}|UjFf+i|&I9Ld!rxL1T*(@Uzu_N|;CnkH+a6X;4rlLsBsRIIo-K5XHBq*{
z8un>&ySL6U$^{}OLs^-%4yBkF-W%)p_R)VR4}$jW_jR!xe@{|PKI%At$B*r;`l12;
zJgG{S3|cBG?6}e|rxZ{bH0~Ntk2peR%;ij~>uz%zcbQr3R|b$}j~EF11(w}!49CM|
zH1&tmZPZH|?Ym3sn$}feGL_Edz3SBIqEBoA*?}l5?E-`p=cI+~^dMR~+_t!kJ#$mr
zSS1m50b;uD^7<|@Vlpl5L6!<0(vRK`b}BpryVA<jX5QpX&A1t@H_wq5#jH1!&M)|!
zR9igaWwFo;y_N^?cdMr8`b*+!wBe{Bcw<3EWV*kxc>o6EA=zKt<!M+Vlm_o~0@@L_
z?ku#^Eha4uwCmPJq@CPKyCj|7mx#O+DL=!~tv0m4J%mPY@W-zQekOv=2V}4ZkS9~?
zPMXeQPYg(u0y34qMy|PQIJ}jxy5@WT=wU);B=*P<h-L(a8IYBVLR|`;>_B#@Og^2!
zYYQ?H#Ckh$_1yURl7<+^%KE|7BAb3{KF2Ez+8=WFT+1^C9cYBLK&F=^QZ>a;Q>r)H
zqsVPmE!_$!7?l_24d0yW91swv<?EPj+S@)nkg_7TDjUyUC2m1Zb}A(5;y=%pr|PS`
z6;~zJ&I&pT9hu=jM|>c3BepLgEGk*AR&KpNA<O`H+Yq!UKOmISFWJgeiGB2#oQJr>
zG|btLmE1X-$ya0_=ld)=-PBMnh2dEpC$`P;A@aW`_(^U$yE-{rx*}~X-84PadLcZ@
zKqV;bMge>a3WW47YItyW!JQ#c4gN|vzi_o+d8weNrt>Z#j9-vnc#i9DNmFE4=&dqe
z7az}-N*Pb@C`4tHTa}Y{SsBRHsRB{qJr^FZ_pFYyljce1xWTbldG0&~#=mQ=$Kf9v
z31CC|<oaWloxx5Y`FHL0#QDUs{ePL^KPj<i41da?Cpzh=opjuI-2A4Ro<({h_kMRd
zxt{2zr*;CEIc^>UzNx7Hjycg$PwfPA{@i!W-z(O?15b3-Ga&b`z_ZorJHhDy{jRfq
zr^xm<_-BIuP+iZ4?v(p?E$xhZ_;@5wN8;O4eGl$e?tfI)e(&S=jrv(1lgA3)|JTRq
zw*8Fr&jNB%ZBFgvZP=3jlxyE>&-VfS6MRyA&cF$Of`2Lp{}seZuAcGq|0mBcW#x<%
z7w}Kj={s$<KLyzzPxe!AzmWc2tA6G_$@|||mox6t<G&t1X6Wgt{TKJyTB8oZ`Zj}z
R07L++;~xRG$7&1!@PF>`nM42p

diff --git a/tools/mdcheck/lib/sdss-mdcheck-1.2.jar b/tools/mdcheck/lib/sdss-mdcheck-1.2.jar
new file mode 100644
index 0000000000000000000000000000000000000000..47001af660361c1c4f0120378ab5ae42d47575ab
GIT binary patch
literal 6782
zcmb7I1yod9+XiHi&Y`=zI|k_n85kN#DPe|gluikeMw+2Zx<gXBq@@u>ln?|I)DN!L
zi{9&Z|L@;xopbh@d7o#$XRkNTel%5YAfqE(4OTyGi9aTP-q0?e>hch2PGt=RZp}Z<
zP!U)z&AL?Chwong?Q?kne>PK>)=*ZE*M@MZD;%kh46CVfa!q2Xa<Yw$jMr-Myx?DZ
z<-(yd_MAhNQwH_s7F;)xh`o!!t2yJL7J;gkwp%7!1&{&*KY?G1(2rnP>*(?y6@FKh
zu8p+FBwScjrJjn=a|eD<u$Qc>36}{M!Vj+y{_yJ3k-x@`%bC0VUvB@?0Oh-Zx#hpu
zVEkp{de_zUUknL;HH6-^w6(IlUj5HaW8is0ed$;K<<eZg2dG=Qncp>cGnc)BGyHM4
za^bRcFn4v$)PZVGOW{74B1WQ>;?M*G5y2`L#<^@NczsA(wirQtA9&%p$cxAckVDg*
z=m2{DuL%B$n<j=iG-{JL%dPFp_dT-Tt$du@r@n<4ZLSj(giIWlt|XB>5gii2Y@D{X
zQ4&Ivb+`-<Ay<k@-H;q-RNDlswkPrg>(Ob^Sp$$8qVu?N1Z(pjK+?>sy{8h8$TG)c
z%TlJc@Jr{TN)62HE1{_X*j$4<)N^(UIfOs?j#)N7*{~6#g5s;ku$HaqH5mDrl(Ce5
zVcReyM$~)2yr7MEsHUZCTSrgbIi{^IXm9%kKH)STX$yxHjn%8c#bjPJkRBKG?TL|l
z0x|WFe!8Kt9yEA&rU&7+Mln?z4CB#sVaZZS-dhnd(mZ#2vf?nUw@jtbQMM&A#8XJw
zlFfMmohx+4t%0Mpm(4@NcZdhe)38epF1g<siCuwVduZ&<&Sol?zBG3XntQ6I*qagI
zjaRh;nGslaM(N)?jv;=_EY1iC4{*Ho03~Z}ZTcJLgIrH7fZqyv!$flzc#msSsKx5#
zKtMF^BH;LrZmzKD@B(^rG!Ja(jZ{(eP5nocp+<fwg}QUt{I`sN)eQ8(<<S($^5xIH
zf?<g9yEXVZ8P$d>FDC`{q=>V9O>$+EDo5LHK_3U4B%n_X3l`<uz)v7clhE)AFZ&_B
z#%P%Z-DXquF0-wd%R`fZCJT!TJT7ti6eHi=Ly29_j8pL={{-I|SzNaY&$1W9ueL0n
zv<$yt@SZ9y)fkVm*Xf#2<(|j#`G6#VBY;<jacJVpE=Z*bTydTXJ~-S73=oIMOtVca
zl6*n=MvG)>yWex?G1iJVK8WE}6wY4mYVGuz&L%S}eIx4tDhyZQ#+P1t0h8Xes%PL*
zksPqEk_pA@8|!Cwl#%_|6F^W95TtO_e}K1j<1D{=ecx7;=2#`IBHUIy;OwJ-a;hz&
zoq&0~5;wR8Gc5k&<FLW-fZGYNW{>>*BD@kWNMwM#1@RY(rEvX^`N$>MtMW|MWK7c0
zE}H1p5vKSY#`LN0EVC#SsVndofS-?cLicfgRD$oRX6YI;U4NNs^*0d^g#MRQQ}>p4
zadC7}vvYN`g8fLjBnVWSTnG37hF>#S!zlnP)v-4$4g<90cGPQC6P3sle8xvE(Y+&-
z@|1A_-ugsFaUdmo(tk~l5-roCpL#9M#cz*E%G)_2VKB>e9Q4|I4D|Zt`RT3kZ%907
zB|Y8ec9`qI0+nl}VL0v#JW1VxjJLGJr&;~Vx7@8h$qitQzz<4d4PHXF$K76bXK1{4
zrL^HGSjV8e!BTu1+|w4eM7D>T;nc3c-?pRss_jk!Qd+m{c{NlAT4j+Wv-*)u8>xLP
z-EFpD)nmuN{R<5c_Z0AWJ)Jyy3%~_T-%Wn6FD;5%ZYYZWG>Wfo*u!?bIH~)vK>KvK
zw!`!kz~q8AS6FXQW|-^f`|RFwl>vr$`mv2L<pSz*i?Cn|%cIni6y;StCy?lBd4-by
zGm{bp(K*W27TfbmL(gcmB+~YWx9M7f$U~+Q;DXx{LusXy$d9p8;?(`N5Rh@`l*~M`
z+ojrwAo`*UlHP`U4rp&$VS!<-##N6S7g^&Q%+INOyJSpVLBbhCsl$|}J3Sx?2QcA`
z>c_%;rJ4J>&eZ*kgl210Dkvrc<YYvcerWv}q7iQSJG#SD!cL^B8O+lHwP1~xLu6;@
z!zd<w23a(%>tXf+?P0Yjd-?En`x~okh-E!ASgT}b*sJ6s;lhHCd;zh69AmXsctu8y
zkiw`pfq{G~NT0qfi3fgdzi_OQNW{MR=>i-hft$SBuuy(aK1`kz*&|d3lt~VHtI(b(
zzk?=vj{_-O*6it1*I98lEK-{H>0~(>_w=V=0&u;RcJXs@pXV>^uzIx3+oAX*B0&KO
zvzldW)6^2^KF<C_lq?`r=q=3T`MGZqn*{NoO2yu4%5VUA+K4G$(|lh*+!(KAvH?hm
zBA&Lx390IUcBI%~lRO=)tw5^XgK>OXR<h9&P817l=XUx?zHxzg+HZ&}e{{Pyi_WpX
z5%>JYA+ZvNV?J|&gY>3u6kP&rS4<wGos;C4yoh8x!*+d3``D#+pY(IegSe*fPoSGI
zrpntoB*kmMStr8XrdYPUyfC~y>m`FVIu|K;O!wVb5Q|0h>j*Hl&1^NxuH6uc)fB~2
ze+h^QR3mATNS%va-|hiUNR80s2H(~+ym;LzcVF#AOeL7PRqjh*@hy)?bdz&WvHQMq
zMnNv~6iYJM%`wqwX450YB>GgV{X0Y`jgR=48*=u+*zuTWXm;}=k=dd|ow)DjQpkAP
zRButlfH|gK(DapblGC<_H|8G$4q@w@y<Y*p7J><fZ|WMCA2JSv2nbC7Lm~LH*Xnuu
z0cR+`jaerwU=qYK($K}f!WB+<geA-n5kvc8o<e|DDJMK(nU=%BdV0YCtsTb*`p~9~
zP~P575ahr<%V1_$7rwaIIxh<)B=n^|>9~0DV0CG9kBI}e7U#V$y#Hlo|Lf%i`r3Ij
z4pBcWMYS4ze@?_ts%NID5J=q{4)N2M<vlrfsz|LmTKB2;4nAuJ_o$ymDAdJ8<qO+4
z0jQ^)*s&v4mjpPv-jiW(U=w;qWyjgG4BR1;43uS)EHTHHEZBfyxmKHUtk7#<X*?@B
zOk+LckYo<?)$udo@R!Ck1=cJVZ9K&}#W+x9qdG8u9&S#pfE-M}aRA05w(N|$DHwvh
z9!x?Qbl(8e^l&{jD!g|+yzfAV*H67~?*3U=l%k&(q|Z{)PrI)XB2j5(xZA-r5Gl?%
z8DhVXoG<0rAS&EHBG;|LqDk&)unw}w7nrIY#B6o8$wtbzYV<A;#U*?5F!ZxJv$<&G
zM8B8Fg3ZDn<De~vg{a+2AAl9O_0|q7s=r*Qc3f*MC0v$wdJoIJMdQUD<Kx?O@nJy=
zoX$nUb)NDfz{pdp=jar|^in*E2y?ved&ioli5K}$Ue%n2YLjWE?XZq13zK1>#WWi&
zlD@B37v9l)`jMbvu94w1WW<RDPnkjHKAtl3i+j!1y>9AuDSdXkFC1w~9%mZI#>Y&R
z=ZL)P9R<}v4j@oh-E@?0-A?kDrH@HQgkI#EctgAujQ5P7gB?`E3l=B6@WBmp{)QR1
zyp3D!#i+U&Hm?d4TTfAMM=x-9vLqGN*3T^yGJXjKsMBz?@oyU4hATeH>z;h3ZK$C8
zVe*_)QAFc0WP)&nTaU^}V^O}ltB-GpWM;j(ScvI%!0h%UAe1i7OI~AYn<SB=hc!uJ
zvJZX8m9BiDo+5!)<w7vjR;d4d=Hv>)p<SghHF>DUHl4jS!(-*w2A}c*KO`%A*De^=
zNZwOi#)^)R<X5S%zUjGjt5}Y3Bnd{)&A<Y&>1i-N*%689mmPiIyj$<xZB?6byR2c(
z&4*Nw|0qJHbvj07!D(KFfoN`amdzH8D0Y)y342_sf+X3hnWOAZ*;<gYQ^{TEgxIDs
zvjZAAfBnGwIaFFVhyGo6hXHKD)!9SJce;mnC|7$<2{ZV?LvAuVN@l|B#<inQYex0E
z@U7apayD<C(S{OE#5oxc5QtQ642V4lYJ79X`k>H~J{=-avdJn@vGH2$K_I0VSI@4S
zM6iuc#>62-R?!o5rlF8lxd99j)-4}!AGiAjdZ+ct7KWbP^2uzXPH*69o0vs-l2X4h
zWoO^MTV0M$-@f|=qCe!2nUZ^bT<mL5=ZDx-2kYG?;Ha3;dcBxW*Svwd?#}b>*VfKR
z>&EZ^!LWk-8<{{@jrVZdV8K1Bxf@~T$U=e+cD85&?rwFSZYb%CWJ|4!4Fc{0P)vbF
zKq@nmqW-a?*w<Kp9?P1KMbDf^?sw~neU0>wTwfLY8vISGp)zE_eg@D_%8pwvpN69(
zj$T|?7{&*zsWuyv+9j5S$i2y!)<Fe4{PaYJ2iJpRacqy0dmt5ia~KszIDC=WxoLak
z9+o9-sE3$mR`TSrLtew_yN2#Iv5SR*SU9u@c9`bP<=BAmWdzzdE!g8r0yMX$Xdk<;
z_EeHcY}*TFu$&<#8~9mH+~VZa$V2YgRNLuSySEWdOg@~AN%AqgUF7UuY^4r;8>}J&
zl%nsvdsF}xkUo1Xxso>Fc@9{l*|S-i>CI12`~46Q*pi)j<_-r-L~ohF-ra|1F3vi}
zhD{MRMp12zj-|2SFvf&kFrivOq3A9;*VyW6A?s@!@eTm#v|Z?gT@UH5z_aC18+ZTh
zeS&Rb+^pQJr!Uc}9y5Nz;=@+e$`<T!b+DA>oKxiw2fpYmbwAoGsH9M~dwZrB<kbQf
z7oDWg+1@|6D5~UB^hk>ovhPZ&*zhQf;Pme=GA{LsU^;x~L!x5b+u<nFlTygmq+xy_
zxP&%WC!fX}1juJUuPe<`<FlT$nW)MuQ9G{96MQGw_hgv-rAc!V_mYm^G@BQe${H~i
z+Uo8DXWHSk#@dX91gDb-_UtAoKJ4`XEYgWpz`5SV2IHFp(D`O@37Nv=mxI{6CSPR6
z2ks=2!P%XOH%<jKdQ$l?mwl0~!Wl=o21kdT$p>JN8bYHe%K4$B1=i9g;~}OTXs=l?
z<Dy_}(5dy9d`1x&j@etD)%lsb0$(~Xq3TmjWRk}8b|_l&UN=@)>@@nGC}jr9+qaSG
z;Vx~J#_8{B#yvb6=VBb)W!eC`nkbv_CsPIblko4hz1CX&0LxFus8!(cC3zi@B)Y6a
zFX9PwwTnCo<8{nyn9IeSvy_B&p}%BdG)l|MjCWw9I}W9zU8jr-;dlpkuxi3>pO;sW
zG32fey6}2k1p2@?7m_8!SRoR1w2-7n+2;qisVN<>Jk+B<anH$<wo`tFUSHyDC{ns3
z?LxIQcCB05mh-C$qO*}`fLW|wsA3=O`g|!G6(Jv&JSW#9SIPpFoi+-wfhXWVqoxOs
zNE$6jLk(n`up1|*8uJl7c|PyKi9B<0!uf<savFS#>%%*YLr6}6S)Aq^^C52;fhis}
z(+x)vL@e)XiL`LFk}y=GEu<TzJ0aA4S~y(epBV@lJuR8`1|!=(L~{?VKW9lJA&<n&
zwx1S#Iz}QL!yAPQ)e#Rt&$mU5az-8w;|ZSrkPCtPgjaVLlXcU{KHntm?k?w1O*QGl
zz0*WG-J}(pFM>1h6c^`N7d`4axV+C&G^lbIwM8RrNKRUHoh}U>tAK-&>`s66hHR?B
zz-PU}FTzne%L<bp@XBF_CIaIk9;nl0(cTxPu1Sidey<pPeBaZIIewhe875(M{8)8c
z+OW(&H~>4Lj=F5nBQt}1&}5`y%21|x_zb5bR>di!`4stE7Cb!LqE{m3-q`Rb2E&*H
ziEo(nn+Cci32>Jn_qU>1AZ3;DTC#R29g{?qc`22nokn(p6bT91Jag{c7<@9C7fiYL
zr!?<)v9I(u2ch_hs~4)Bu2Xv1EQY&h0CXddl^enmpT99ov^>CXV~1Ye&LP1GZ+#C|
z+_)-}KcT%*5O%d|Jw-?9ZTGg@Wo;9H;;b+alsQF~lTo2`vsp(f>K-U~ef{fb_D_Wg
z=kkl}FNFze?qLP{Nn`oD97Xm|V|RNlb4#wjX)}MvG5;&>3e5RWy@vi$<f70Er2-=%
zAe;lf>otG#^ryvtA#rkqa(O`=VjzRCB_3SRfT{EuOv?bh4u!pL00G;OMm;_QDcu6N
zh|lVDI90X(D3No>BlvBv_mQ<PMU;m^6|$%8oY2sN%ntFnQ8c>+1(p%9{#C$iA=52?
ziAUnbYZmFLN0~{ACmyYROH0pNS)=SfTs-v(=}I1j*Tk}N6%vHdSitDpCNe}zX8aRn
zzgftcH8lHjnqaim&eVnA*Uco^KESY~^(7_H<m*N%5nA*-)!CU#b#`F4XB9PjHXfbe
z7%k2d>^iHfnOMa-ND+8*wA_GG=T2p6?%m6ur-|G8g%cfW-bU4LFgS(;RpBR-F94uJ
z%*^CFC(rGGb`fa>ZeeMld!d$uu9(&7fYA8En5W$a3?7+yvr*{Ep;^?#oji=*Q<}X`
z3g78qL6Na8(lzl9)>52I<G;|QvaZW?YV!4Km61=r!A8N@o-tEAiW(|Sbij$%!Re*l
zPm@{Y^_eu8>3O*pTJZ==uGkTmkc-48k0CcQzMk>~nuAqw1B0e;E4#^rc}Ahq^<?_y
zr`z7Fi?*7e%mgr%d=A56q#}w%Q;b^CNL_nrre>0+abW<(A~TKAT9V#WjE8Vbt>Amo
z&Au3TkIKr%_?b^#?j%%HKu64+RxDFn`0h&$>w#DTyB#anav+t;=K7s^#K8$(5i;)Q
ztDR@Z7v~Z-1UA(R@Ex3I?n{FTsRrmBaCxG!dY^=P;Q>a`Z^bh!PKY??1WE~GDUq>h
zhD~zs##17b^gp+_^*_w95y|#ckhI163Su^-denm-|5b%)P3hK!%Ln4?gUwZhXB(m5
z*jz@o-Q^|tzeo60a5}j-I$626*;%=2d)yvX<y7HNRtGDULJrh9R7W?pJlKaIPO9o!
zJarHrfqFin20j5jr&BC24<C=f8rz>*uHXy)4HfPoZq5U>YR=JFRkc}m4OXsg6%MvR
zHB~h(#HgUNmS)yL(vrai<4ctm5eazXzl+S5?q3dEg!j@{&%e^_8uok9`O5fezyp6t
z@t-8<YleU7zgGhB_i?pw`{ncxx%k@CE1mm?$<^~pF#bNS04tZ%OTZuU@qfo$3CQ2a
z6$T0M2j<U`_1}S4g7P(x{a4_1x%xrydx7}}1w7FB_XPhUH(zhv?-jLc?g8Xq-s*>Q
zzjFUpU;FzSe?P2WuQ7r8f3NZV=zh)l`*w4^sTTM@#oCYN^J7E*3BGDS*WkE+f`94<
z|K`M1tX}gB{438dedU@I72$X7=?5)55c4v6{>q~7Z}yXOzmWdftbXSHU3IzUF1Zv^
b{vX`ewMJ7F@J9w=BVZ!{E<?tW=!*0|JniiH

literal 0
HcmV?d00001