update SSLUtils to use default JVM trustStore for SSL connections as optional

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2019-02-04 08:58:10 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2019-02-04 08:58:10 +0100
commit: a917335ea69ab857f00bd17679e259fcc215cad9 (patch)
tree: 2aff94e138b0a88d68e10a057071a7cd289978f1
parent: 9ddeacf32976d14c3f2f70ec446262998eb8a68e (diff)
download: moa-id-spss-a917335ea69ab857f00bd17679e259fcc215cad9.tar.gz
moa-id-spss-a917335ea69ab857f00bd17679e259fcc215cad9.tar.bz2
moa-id-spss-a917335ea69ab857f00bd17679e259fcc215cad9.zip
12 files changed, 79 insertions, 24 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
index d249fa597..41a86cef2 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
@@ -633,6 +633,7 @@ public class ConfigurationProvider {
 				try {
 					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
 							"MOAMetaDataProvider",
+							true,
 							ConfigurationProvider.getInstance().getCertStoreDirectory(), 
 							ConfigurationProvider.getInstance().getTrustStoreDirectory(),
 							null,
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
index 8b41823e1..cbb7c88b2 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
@@ -129,6 +129,7 @@ public class OAPVP2ConfigValidation {
 								try {
 									MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
 											"MOAMetaDataProvider",
+											true,
 											ConfigurationProvider.getInstance().getCertStoreDirectory(), 
 											ConfigurationProvider.getInstance().getTrustStoreDirectory(),
 											null,
@@ -145,7 +146,7 @@ public class OAPVP2ConfigValidation {
 									log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
 								
 								} catch (ConfigurationException e) {
-									log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e);
+									log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.");
 								
 								} 
 
diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java
index 2d6f7c9a9..1e5762f04 100644
--- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java
+++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java
@@ -192,6 +192,7 @@ public class ServicesProtocolPVP2XTask extends AbstractTaskValidator implements
 							try {
 								MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
 										"MOAMetaDataProvider",
+										true,
 										MOAIDWebGUIConfiguration.getInstance().getCertStoreDirectory(), 
 										MOAIDWebGUIConfiguration.getInstance().getTrustStoreDirectory(),
 										null,
@@ -208,7 +209,7 @@ public class ServicesProtocolPVP2XTask extends AbstractTaskValidator implements
 								log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
 								
 							} catch (at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException e) {
-								log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e);
+								log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.");
 								
 							} 
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 1fa17c683..4fc37d88f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -145,7 +145,9 @@ public class MOAMetadataProvider extends AbstractChainingMetadataProvider {
 			try {
 				//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
 				MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
-						PVPConstants.SSLSOCKETFACTORYNAME, 
+						PVPConstants.SSLSOCKETFACTORYNAME,
+						moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+								AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
 						moaAuthConfig.getTrustedCACertificates(),
 						null,
 						AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
index d7ada1f36..bd908f894 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
@@ -75,7 +75,9 @@ public class MOASAMLSOAPClient {
 				//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
 				SecureProtocolSocketFactory sslprotocolsocketfactory = 
 						new MOAHttpProtocolSocketFactory(
-								PVPConstants.SSLSOCKETFACTORYNAME,  
+								PVPConstants.SSLSOCKETFACTORYNAME,
+								AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfigurationBoolean(
+										AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
 								AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
 								null,
 								AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(), 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index 611dff3b1..6bf44a527 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
@@ -61,6 +61,7 @@ import javax.net.ssl.SSLSocketFactory;
 import org.apache.regexp.RE;
 import org.apache.regexp.RESyntaxException;
 
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.ConfigurationProvider;
 import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
@@ -93,6 +94,10 @@ public class SSLUtils {
 		    ConfigurationProvider conf, String url )
 		    throws IOException, GeneralSecurityException, ConfigurationException, PKIException {
 		    
+	  			boolean useStandardJavaTrustStore = conf.getBasicMOAIDConfigurationBoolean(
+	  					AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, 
+	  					false);
+	  
 			    // else create new SSLSocketFactory
 			    String trustStoreURL = conf.getTrustedCACertificates();
 			    
@@ -107,6 +112,7 @@ public class SSLUtils {
 			    try {	    
 			    	SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
 			    					url,
+			    					useStandardJavaTrustStore,
 			    					null,
 			    					trustStoreURL, 
 			    					acceptedServerCertURL, 
@@ -148,6 +154,10 @@ public class SSLUtils {
     ConnectionParameterInterface connParam)
     throws IOException, GeneralSecurityException, ConfigurationException, PKIException {
     
+	  boolean useStandardJavaTrustStore = conf.getBasicMOAIDConfigurationBoolean(
+			  AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, 
+			  false);
+	  
 	    // else create new SSLSocketFactory
 	    String trustStoreURL = conf.getTrustedCACertificates();
 	    
@@ -162,6 +172,7 @@ public class SSLUtils {
 	    try {	    
 	    	SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
 	    					connParam.getUrl(),
+	    					useStandardJavaTrustStore,
 	    					null,
 	    					trustStoreURL, 
 	    					acceptedServerCertURL, 
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
index a787cea00..4dd0a857f 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
@@ -11,6 +11,7 @@ import iaik.pki.revocation.RevocationSourceTypes;
 
 public interface AuthConfiguration extends ConfigurationProvider{
 
+	public static final String PROP_KEY_SSL_USE_JVM_TRUSTSTORE = "configuration.ssl.useStandardJavaTrustStore";
 	public static final String PROP_KEY_SSL_HOSTNAME_VALIDATION = "configuration.ssl.validation.hostname";
 	public static final String PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION = "service.onlinemandates.ssl.validation.hostname";
 	public static final String PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER = "protocols.pvp2.metadata.entitycategories.active";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index bdadf681d..6c8c092ed 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -34,7 +34,6 @@ import java.util.Arrays;
 import java.util.List;
 
 import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
@@ -51,7 +50,6 @@ import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moaspss.logging.Logger;
 import iaik.pki.PKIException;
-import sun.security.ssl.ProtocolVersion;
 
 /**
  * @author tlenz
@@ -77,14 +75,15 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	 * @throws MOAHttpProtocolSocketFactoryException
 	 */
 	public MOAHttpProtocolSocketFactory (
-			String url, 
+			String url,
+			boolean useStandardJavaTrustStore,
 			String trustStoreURL,
 			String acceptedServerCertURL,
 			String chainingMode,
 			boolean checkRevocation,
 			String[] revocationMethodOrder,
 			boolean verifyHostName) throws MOAHttpProtocolSocketFactoryException {
-		internalInitialize(url, null, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
+		internalInitialize(url, useStandardJavaTrustStore, null, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
 		
 		this.verifyHostName = verifyHostName;
 		
@@ -103,26 +102,31 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	 * @param verifyHostName Enables / Disables hostName verfication
 	 * @throws MOAHttpProtocolSocketFactoryException
 	 */
-	public MOAHttpProtocolSocketFactory(String url, String certStoreDirectory, String trustStoreURL,
+	public MOAHttpProtocolSocketFactory(String url, boolean useStandardJavaTrustStore,
+			String certStoreDirectory, 
+			String trustStoreURL,
 			String acceptedServerCertURL,
 			String chainingMode,
 			boolean checkRevocation,
 			String[] revocationMethodOrder,
 			boolean verifyHostName) throws MOAHttpProtocolSocketFactoryException {
-		internalInitialize(url, certStoreDirectory, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
+		internalInitialize(url, useStandardJavaTrustStore, certStoreDirectory, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
 
 		this.verifyHostName = verifyHostName;
 		
 	}
 
-	private void internalInitialize(String url, String certStoreDirectory, String trustStoreURL,
+	private void internalInitialize(String url, boolean useStandardJavaTrustStore, 
+			String certStoreDirectory, 
+			String trustStoreURL,
 			String acceptedServerCertURL,
 			String chainingMode,
 			boolean checkRevocation,
 			String[] revocationMethodOrder) throws MOAHttpProtocolSocketFactoryException {
 		try {
 			this.sslfactory = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
-					url, 
+					url,
+					useStandardJavaTrustStore,
 					certStoreDirectory,
 					trustStoreURL, 
 					acceptedServerCertURL, 
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index e6efca4ea..a96daead3 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -108,8 +108,29 @@ public class SSLUtils {
 	  }	  
   }
   
+  /**
+   * Get SSLSocketFactory with TrustStore and KeyStore implementations
+   * 
+   * @param url URL of the Service that should be connected
+   * @param useStandardJavaTrustStore Flag to use standard JVM truststore
+   * @param certStoreRootDirParam Path to certStore, if own truststore is used
+   * @param trustStoreURL Path to truststore, if own truststore is used
+   * @param acceptedServerCertURL Path to whitelist with EE-Server certificats, if own truststore is used
+   * @param chainingMode PKIX-Mode or Onion-Model for certificate validation, if own truststore is used
+   * @param checkRevocation Flag to activate or deactivate revocation checks, if own truststore is used
+   * @param revocationMethodOrder Revocation check order (CLR, OCSP), if own truststore is used
+   * @param clientKeyStoreURL Path to KeyStore for SSL Client-Authentication, or null
+   * @param clientKeyStorePassword KeyStore password
+   * @param clientKeyStoreType KeyStore type
+   * @return
+   * @throws IOException
+   * @throws GeneralSecurityException
+   * @throws SSLConfigurationException
+   * @throws PKIException
+   */
   public static SSLSocketFactory getSSLSocketFactory(
-		  String url, 
+		  String url,
+		  boolean useStandardJavaTrustStore,
 		  String certStoreRootDirParam, 
 		  String trustStoreURL, 
 		  String acceptedServerCertURL,
@@ -130,14 +151,19 @@ public class SSLUtils {
     	return ssf;
     	
     }
-        
-    TrustManager[] tms = getTrustManagers(
-    		 certStoreRootDirParam,
-    		 chainingMode,    		 
-    		 trustStoreURL, 
-    		 acceptedServerCertURL,
-    		 checkRevocation,
-    		 revocationMethodOrder);
+
+    //initialize own trust-store implementation
+    TrustManager[] tms = null;
+    if (useStandardJavaTrustStore) {
+    	tms = getTrustManagers(
+    			certStoreRootDirParam,
+    			chainingMode,    		 
+    			trustStoreURL, 
+    			acceptedServerCertURL,
+    			checkRevocation,
+    			revocationMethodOrder);
+    	
+    }
     
     KeyManager[] kms = getKeyManagers(
       clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword);
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
index 5cee90658..cd3f1f788 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
@@ -322,7 +322,9 @@ public class EidasCentralAuthMetadataProvider extends SimpleMetadataProvider
 			try {
 				//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
 				MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
-						PVPConstants.SSLSOCKETFACTORYNAME, 
+						PVPConstants.SSLSOCKETFACTORYNAME,
+						moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+								AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
 						moaAuthConfig.getTrustedCACertificates(),
 						null,
 						AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index aca818532..feeff6f84 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -440,7 +440,9 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMetadataProvider imp
 					AuthConfiguration moaAuthConfig = (AuthConfiguration) basicConfig;
 					//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
 					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
-							PVPConstants.SSLSOCKETFACTORYNAME, 
+							PVPConstants.SSLSOCKETFACTORYNAME,
+							basicConfig.getBasicMOAIDConfigurationBoolean(
+									AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
 							moaAuthConfig.getTrustedCACertificates(),
 							null,
 							AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
index e8cfae10a..7bb98c719 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
@@ -322,7 +322,9 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMetadataProvider
 			try {
 				//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
 				MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
-						PVPConstants.SSLSOCKETFACTORYNAME, 
+						PVPConstants.SSLSOCKETFACTORYNAME,
+						moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+								AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
 						moaAuthConfig.getTrustedCACertificates(),
 						null,
 						AuthConfiguration.DEFAULT_X509_CHAININGMODE,
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2019-02-04 08:58:10 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2019-02-04 08:58:10 +0100
commit	a917335ea69ab857f00bd17679e259fcc215cad9 (patch)
tree	2aff94e138b0a88d68e10a057071a7cd289978f1
parent	9ddeacf32976d14c3f2f70ec446262998eb8a68e (diff)
download	moa-id-spss-a917335ea69ab857f00bd17679e259fcc215cad9.tar.gz moa-id-spss-a917335ea69ab857f00bd17679e259fcc215cad9.tar.bz2 moa-id-spss-a917335ea69ab857f00bd17679e259fcc215cad9.zip