232809 2021-11-08 00:31:33 -0800 REGRESSION (Safari 15): Safari keeps asking for client certificate, and polluting Keychain 2022-01-12 08:09:12 -0800 1 1 1 Unclassified WebKit Page Loading Safari 15 Mac (Intel) macOS 11 RESOLVED MOVED https://bugs.webkit.org/show_bug.cgi?id=234314 InRadar P2 Major --- 1 Seppo.Laaksonen achristensen achristensen beidson cdumez webkit-bug-importer oldest_to_newest 1812547 0 Seppo.Laaksonen 2021-11-08 00:31:33 -0800 When accessing a site that requires a client certificate, Safari 15.0/15.1 keeps asking for the certificate over and over again and creates an entry for each URL to Keychain. The previous Safari versions cached the certificate and asked the vertificate only once when you had https://server.domain.com/ identity preference in the Keychain. The continuous asking for the certificate and the numerous entries in Keychain makes Safari 15.0/15.1 unusable for sites that require a client certificate. How to produce the behavior: - Set up a web server that requires client certificate. Apache config: SSLEngine on SSLVerifyClient require SSLVerifyDepth 1 SSLCertificateFile /etc/ssl/private/internal_server.crt SSLCertificateKeyFile /etc/ssl/private/internal_server.key SSLCACertificateFile /etc/ssl/private/internal_ca.crt SSLCertificateChainFile /etc/ssl/private/internal_ca.crt - Access different URL's in the server 1812674 1 webkit-bug-importer 2021-11-08 10:12:34 -0800 <rdar://problem/85161182> 1812676 2 achristensen 2021-11-08 10:15:16 -0800 Are you seeing this issue on iOS or macOS or both? Are the URLs all from https://server.domain.com/something or are there other hosts involved? 1812737 3 Seppo.Laaksonen 2021-11-08 11:47:53 -0800 This happens just on macOS. iOS devices work as expected. No change on the server. The issue came up when Safari was updated to 15.0. Safari 15.1 has the same issue. 1813518 4 Seppo.Laaksonen 2021-11-10 02:47:50 -0800 Tested with multiple servers and multiple macOS machines. Safari 14.1.2 works as expected, but when you run the updater to get 15.0 (or 15.1), the Safari keeps asking for the for the certificate. 1814690 5 ap 2021-11-12 16:54:53 -0800 <rdar://83736480> 1828659 6 448508 achristensen 2022-01-06 10:29:21 -0800 Created attachment 448508 Patch 1828663 7 achristensen 2022-01-06 10:34:37 -0800 I'm unable to reproduce this issue with the description provided. Perhaps there is something special about your certificate or keychain setup that was not described. Perhaps there's something special about your website. Any additional details would be much appreciated, ideally with a site and cert that reproduce the issue reliably. 1828845 8 Seppo.Laaksonen 2022-01-07 01:16:04 -0800 A live setup to showcase the problem ==================================== 1. Download the client certificate from https://mydbr.com/fileserve.php?get=safariuser.p12 2. Install it into your login keychain and trust the certificate 3. Access https://safaritest.mydbr.com and log into the application 4. Access the reports (browse through different URLs) in the application. Safari will pop up the question about the client certificate every now and then 5. Notice Safari populating certificate preferences into the keychain with entries for each URL. This used not to be the case when you had one ending with a slash in earlier versions of Safari (https://safaritest.mydbr.com/). How to create the setup ======================= Server running Apache 2.4.29. (Ubuntu in this case) Safari Version 15.2 (16612.3.6.1.8, 16612) Create self-signed certificate and a client certificate: Certificate Authority (CA) -------------------------- openssl genrsa -out safaritest_ca.key 2048 openssl req -new -sha256 -key safaritest_ca.key -out safaritest_ca.csr openssl x509 -req -days 365 -sha256 -in safaritest_ca.csr -signkey safaritest_ca.key -out safaritest_ca.crt Web Server Certificate ---------------------- openssl genrsa -out safaritest_server.key 2048 openssl req -new -sha256 -key safaritest_server.key -out safaritest_server.csr openssl x509 -req -days 365 -sha256 -in safaritest_server.csr -signkey safaritest_server.key -out safaritest_server.crt Create a Client Certificate --------------------------- openssl req -newkey rsa:2048 -days 365 -nodes -keyout safariuser-key.pem > safariuser-req.pem openssl x509 -req -in safariuser-req.pem -days 365 -CA safaritest_ca.crt -CAkey safaritest_ca.key -set_serial 01 > safariuser-cert1.pem openssl pkcs12 -export -in safariuser-cert1.pem -inkey safariuser-key.pem -out safariuser.p12 The Apache config for the site ------------------------------ <VirtualHost *:443> ServerName safaritest.mydbr.com ServerAdmin support@mydbr.com SSLEngine on SSLVerifyClient require SSLVerifyDepth 1 SSLCertificateFile /etc/ssl/private/safaritest_server.crt SSLCertificateKeyFile /etc/ssl/private/safaritest_server.key SSLCACertificateFile /etc/ssl/private/safaritest_ca.crt DocumentRoot /var/www/safaritest <Directory /> Options FollowSymLinks AllowOverride All </Directory> <Directory /var/www/internal> Options Indexes FollowSymLinks MultiViews AllowOverride All Require all granted </Directory> ErrorLog /var/log/apache2/safaritest_error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/safaritest_access.log combined <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> </VirtualHost> The problem looks like to be related (just a guess) to the fact that Safari seems to forget the certificate and asks it again at random times. This happens when you access different URLs in the site. 1829823 9 cdumez 2022-01-11 09:19:55 -0800 (In reply to Seppo Laaksonen from comment #8) > A live setup to showcase the problem > ==================================== > 1. Download the client certificate from > https://mydbr.com/fileserve.php?get=safariuser.p12 > 2. Install it into your login keychain and trust the certificate > 3. Access https://safaritest.mydbr.com and log into the application > 4. Access the reports (browse through different URLs) in the application. > Safari will pop up the question about the client certificate every now and > then > 5. Notice Safari populating certificate preferences into the keychain with > entries for each URL. This used not to be the case when you had one ending > with a slash in earlier versions of Safari (https://safaritest.mydbr.com/). > > > How to create the setup > ======================= > Server running Apache 2.4.29. (Ubuntu in this case) > > Safari Version 15.2 (16612.3.6.1.8, 16612) > > Create self-signed certificate and a client certificate: > > Certificate Authority (CA) > -------------------------- > openssl genrsa -out safaritest_ca.key 2048 > openssl req -new -sha256 -key safaritest_ca.key -out safaritest_ca.csr > openssl x509 -req -days 365 -sha256 -in safaritest_ca.csr -signkey > safaritest_ca.key -out safaritest_ca.crt > > > Web Server Certificate > ---------------------- > openssl genrsa -out safaritest_server.key 2048 > openssl req -new -sha256 -key safaritest_server.key -out > safaritest_server.csr > openssl x509 -req -days 365 -sha256 -in safaritest_server.csr -signkey > safaritest_server.key -out safaritest_server.crt > > Create a Client Certificate > --------------------------- > openssl req -newkey rsa:2048 -days 365 -nodes -keyout safariuser-key.pem > > safariuser-req.pem > openssl x509 -req -in safariuser-req.pem -days 365 -CA safaritest_ca.crt > -CAkey safaritest_ca.key -set_serial 01 > safariuser-cert1.pem > openssl pkcs12 -export -in safariuser-cert1.pem -inkey safariuser-key.pem > -out safariuser.p12 > > > The Apache config for the site > ------------------------------ > > <VirtualHost *:443> > ServerName safaritest.mydbr.com > ServerAdmin support@mydbr.com > > SSLEngine on > SSLVerifyClient require > SSLVerifyDepth 1 > > SSLCertificateFile /etc/ssl/private/safaritest_server.crt > SSLCertificateKeyFile /etc/ssl/private/safaritest_server.key > SSLCACertificateFile /etc/ssl/private/safaritest_ca.crt > > DocumentRoot /var/www/safaritest > <Directory /> > Options FollowSymLinks > AllowOverride All > </Directory> > <Directory /var/www/internal> > Options Indexes FollowSymLinks MultiViews > AllowOverride All > Require all granted > </Directory> > > ErrorLog /var/log/apache2/safaritest_error.log > > # Possible values include: debug, info, notice, warn, error, crit, > # alert, emerg. > LogLevel warn > > CustomLog /var/log/apache2/safaritest_access.log combined > > <FilesMatch "\.(cgi|shtml|phtml|php)$"> > SSLOptions +StdEnvVars > </FilesMatch> > </VirtualHost> > > > The problem looks like to be related (just a guess) to the fact that Safari > seems to forget the certificate and asks it again at random times. This > happens when you access different URLs in the site. It asks for a password when I try to install the certificate at https://mydbr.com/fileserve.php?get=safariuser.p12 I do know know what the password is. 1829826 10 cdumez 2022-01-11 09:22:03 -0800 It might be the same as Bug 234314 which I fixed recently (hasn't shipped yet) but I haven't been able to confirm since I haven't been able to reproduce yet. 1829827 11 Seppo.Laaksonen 2022-01-11 09:24:24 -0800 Ah, sorry about that. The password is 'pass'. 1829829 12 cdumez 2022-01-11 09:37:02 -0800 (In reply to Seppo Laaksonen from comment #11) > Ah, sorry about that. The password is 'pass'. It looks like I can now reproduce with my System Safari. I am investigating. Thanks for the test server. 1829835 13 cdumez 2022-01-11 10:04:45 -0800 (In reply to Chris Dumez from comment #12) > (In reply to Seppo Laaksonen from comment #11) > > Ah, sorry about that. The password is 'pass'. > > It looks like I can now reproduce with my System Safari. I am investigating. > Thanks for the test server. I can still reproduce with a local WebKit trunk build so this is definitely not fixed yet. 1830128 14 cdumez 2022-01-12 08:09:12 -0800 This is a Safari bug and the issue was fixed on the Safari side. Thank you for the bug report and the reproduction case. 448508 2022-01-06 10:29:21 -0800 2022-01-06 19:48:09 -0800 Patch bug-232809-20220106102920.patch text/plain 5144 achristensen U3VidmVyc2lvbiBSZXZpc2lvbjogMjg3NjUzCmRpZmYgLS1naXQgYS9Ub29scy9DaGFuZ2VMb2cg Yi9Ub29scy9DaGFuZ2VMb2cKaW5kZXggNDIwMGNjY2Y1ZDIwODEyZmNlOWMxMTlhNzJlYmYwODQ1 M2JiZGQxYS4uZjFmOTc0YmMzYmNlNmExNjUxNzI3YzE5NmM4MDkwYWZmMjQzOGNlOSAxMDA2NDQK LS0tIGEvVG9vbHMvQ2hhbmdlTG9nCisrKyBiL1Rvb2xzL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3 IEBACisyMDIyLTAxLTA2ICBBbGV4IENocmlzdGVuc2VuICA8YWNocmlzdGVuc2VuQHdlYmtpdC5v cmc+CisKKyAgICAgICAgUkVHUkVTU0lPTiAoU2FmYXJpIDE1KTogU2FmYXJpIGtlZXBzIGFza2lu ZyBmb3IgY2xpZW50IGNlcnRpZmljYXRlLCBhbmQgcG9sbHV0aW5nIEtleWNoYWluCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMzI4MDkKKworICAgICAg ICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIFRlc3RXZWJLaXRBUEkv VGVzdHMvV2ViS2l0Q29jb2EvSFNUUy5tbToKKyAgICAgICAgKFRlc3RXZWJLaXRBUEk6OnNlcnZl ckxvb3ApOgorICAgICAgICAqIFRlc3RXZWJLaXRBUEkvY29jb2EvSFRUUFNlcnZlci5oOgorICAg ICAgICAqIFRlc3RXZWJLaXRBUEkvY29jb2EvSFRUUFNlcnZlci5tbToKKyAgICAgICAgKFRlc3RX ZWJLaXRBUEk6OkhUVFBTZXJ2ZXI6OkhUVFBTZXJ2ZXIpOgorICAgICAgICAoVGVzdFdlYktpdEFQ STo6bV9saXN0ZW5lcik6CisKIDIwMjItMDEtMDUgIEpvbmF0aGFuIEJlZGFyZCAgPGpiZWRhcmRA YXBwbGUuY29tPgogCiAgICAgICAgIFJ1bm5pbmcgbGF5b3V0IHRlc3RzIHNvbWV0aW1lcyB0aHJv d3MgYW4gQXNzZXJ0aW9uRXJyb3IgaW4gcHl0aG9uMi43L211bHRpcHJvY2Vzc2luZwpkaWZmIC0t Z2l0IGEvVG9vbHMvVGVzdFdlYktpdEFQSS9UZXN0cy9XZWJLaXRDb2NvYS9IU1RTLm1tIGIvVG9v bHMvVGVzdFdlYktpdEFQSS9UZXN0cy9XZWJLaXRDb2NvYS9IU1RTLm1tCmluZGV4IGIzM2Q3NjY5 NmFjYzRhMmIwMDkzZjIwY2I2OTZiNTE0NDQxY2Q3NWUuLmRiYTcxODhlMWEyNzllM2QzZjQyNTY1 MTJhNjQ0NDJkNjEyMWE1M2MgMTAwNjQ0Ci0tLSBhL1Rvb2xzL1Rlc3RXZWJLaXRBUEkvVGVzdHMv V2ViS2l0Q29jb2EvSFNUUy5tbQorKysgYi9Ub29scy9UZXN0V2ViS2l0QVBJL1Rlc3RzL1dlYktp dENvY29hL0hTVFMubW0KQEAgLTkxLDYgKzkxLDU1IEBAIFRFU1QoSFNUUywgQmFzaWMpCiAgICAg RVhQRUNUX1dLX1NUUkVRKHdlYlZpZXcuZ2V0KCkuVVJMLmFic29sdXRlU3RyaW5nLCAiaHR0cHM6 Ly9leGFtcGxlLmNvbS8iKTsKIH0KIAorc3RhdGljIHZvaWQgc2VydmVyTG9vcChjb25zdCBDb25u ZWN0aW9uJiBjb25uZWN0aW9uKQoreworICAgIGNvbm5lY3Rpb24ucmVjZWl2ZUhUVFBSZXF1ZXN0 KFs9XSAoVmVjdG9yPGNoYXI+JiYgcmVxdWVzdCkgeworICAgICAgICBhdXRvIHBhdGggPSBIVFRQ U2VydmVyOjpwYXJzZVBhdGgocmVxdWVzdCk7CisgICAgICAgIGlmIChwYXRoID09ICIvIikgewor ICAgICAgICAgICAgY29uc3QgY2hhciogaHRtbCA9IFIiSFRNTCgKKyAgICAgICAgICAgICAgICA8 c2NyaXB0PgorICAgICAgICAgICAgICAgIGZ1bmN0aW9uIGFkZEltYWdlcygpIHsKKyAgICAgICAg ICAgICAgICAgICAgZm9yICh2YXIgaSA9IDA7IGkgPCAxMDsgaSsrKSB7CisgICAgICAgICAgICAg ICAgICAgICAgICBzZXRUaW1lb3V0KCgpID0+IHsgYWRkSW1hZ2UoaSkgfSwgaSAqIDEwMCk7Cisg ICAgICAgICAgICAgICAgICAgIH0KKyAgICAgICAgICAgICAgICB9CisgICAgICAgICAgICAgICAg ZnVuY3Rpb24gYWRkSW1hZ2UoaSkgeworICAgICAgICAgICAgICAgICAgICB2YXIgaW1nID0gZG9j dW1lbnQuY3JlYXRlRWxlbWVudCgnaW1nJyk7CisgICAgICAgICAgICAgICAgICAgIGltZy5zcmMg PSBpICsgJy5wbmcnOworICAgICAgICAgICAgICAgICAgICBkb2N1bWVudC5nZXRFbGVtZW50QnlJ ZCgncGFyYWdyYXBoJykuYXBwZW5kQ2hpbGQoaW1nKTsKKyAgICAgICAgICAgICAgICB9CisgICAg ICAgICAgICAgICAgPC9zY3JpcHQ+CisgICAgICAgICAgICAgICAgPGJvZHkgb25sb2FkPSJhZGRJ bWFnZXMoKSI+PHAgaWQ9J3BhcmFncmFwaCcvPjwvYm9keT4KKyAgICAgICAgICAgIClIVE1MIjsK KyAgICAgICAgICAgIGNvbm5lY3Rpb24uc2VuZChIVFRQUmVzcG9uc2Uoe3sgIkNvbnRlbnQtVHlw ZSIsICJ0ZXh0L2h0bWwiIH19LCBodG1sKS5zZXJpYWxpemUoKSwgWz1dIHsKKyAgICAgICAgICAg ICAgICBzZXJ2ZXJMb29wKGNvbm5lY3Rpb24pOworICAgICAgICAgICAgfSk7CisgICAgICAgICAg ICByZXR1cm47CisgICAgICAgIH0KKyAgICAgICAgZGlzcGF0Y2hfYWZ0ZXIoZGlzcGF0Y2hfdGlt ZShESVNQQVRDSF9USU1FX05PVywgMC41ICogTlNFQ19QRVJfU0VDKSwgZGlzcGF0Y2hfZ2V0X21h aW5fcXVldWUoKSwgXnsKKyAgICAgICAgICAgIGNvbm5lY3Rpb24uc2VuZChIVFRQUmVzcG9uc2Uo ImhpIikuc2VyaWFsaXplKCksIFs9XSB7CisgICAgICAgICAgICAgICAgc2VydmVyTG9vcChjb25u ZWN0aW9uKTsKKyAgICAgICAgICAgIH0pOworICAgICAgICB9KTsKKyAgICB9KTsKK30KKworVEVT VChDbGllbnRDZXJ0LCBUZXN0KQoreworICAgIEhUVFBTZXJ2ZXIgc2VydmVyKFtdIChjb25zdCBD b25uZWN0aW9uJiBjb25uZWN0aW9uKSB7CisgICAgICAgIFdURkxvZ0Fsd2F5cygiTmV3IGNvbm5l Y3Rpb24gcmVjZWl2ZWQiKTsKKyAgICAgICAgc2VydmVyTG9vcChjb25uZWN0aW9uKTsKKyAgICB9 LCBIVFRQU2VydmVyOjpQcm90b2NvbDo6SHR0cHMsIFtdIChzZWNfcHJvdG9jb2xfbWV0YWRhdGFf dCwgc2VjX3RydXN0X3QsIHNlY19wcm90b2NvbF92ZXJpZnlfY29tcGxldGVfdCBjb21wbGV0aW9u SGFuZGxlcikgeworICAgICAgICBXVEZMb2dBbHdheXMoInZlcmlmaWVyIGNhbGxlZCIpOworICAg ICAgICBjb21wbGV0aW9uSGFuZGxlcih0cnVlKTsKKyAgICB9KTsKKyAgICBXVEZMb2dBbHdheXMo IiVAIiwgc2VydmVyLnJlcXVlc3QoKS5VUkwpOworICAgIHdoaWxlKDEpIHsKKyAgICAgICAgdXNs ZWVwKDEwMCk7CisgICAgICAgIFV0aWw6OnNwaW5SdW5Mb29wKCk7CisgICAgfQorfQorCiBURVNU KEhTVFMsIFRoaXJkUGFydHkpCiB7CiAgICAgYXV0byBodHRwc1NlcnZlciA9IGhzdHNTZXJ2ZXIo KTsKZGlmZiAtLWdpdCBhL1Rvb2xzL1Rlc3RXZWJLaXRBUEkvY29jb2EvSFRUUFNlcnZlci5oIGIv VG9vbHMvVGVzdFdlYktpdEFQSS9jb2NvYS9IVFRQU2VydmVyLmgKaW5kZXggNzVkMjgyZWE5ZTQw ZDIxMTVhZjE5NDhhZDNmOGViOGZjNjM3Y2NkNC4uZDE2NTFmZTVhOGRhMjdjMmViMzkzMzg4NWI5 NDFmMGMwZDI4YzZhZCAxMDA2NDQKLS0tIGEvVG9vbHMvVGVzdFdlYktpdEFQSS9jb2NvYS9IVFRQ U2VydmVyLmgKKysrIGIvVG9vbHMvVGVzdFdlYktpdEFQSS9jb2NvYS9IVFRQU2VydmVyLmgKQEAg LTQ3LDcgKzQ3LDcgQEAgcHVibGljOgogICAgIHVzaW5nIENlcnRpZmljYXRlVmVyaWZpZXIgPSBG dW5jdGlvbjx2b2lkKHNlY19wcm90b2NvbF9tZXRhZGF0YV90LCBzZWNfdHJ1c3RfdCwgc2VjX3By b3RvY29sX3ZlcmlmeV9jb21wbGV0ZV90KT47CiAKICAgICBIVFRQU2VydmVyKHN0ZDo6aW5pdGlh bGl6ZXJfbGlzdDxzdGQ6OnBhaXI8U3RyaW5nLCBIVFRQUmVzcG9uc2U+PiwgUHJvdG9jb2wgPSBQ cm90b2NvbDo6SHR0cCwgQ2VydGlmaWNhdGVWZXJpZmllciYmID0gbnVsbHB0ciwgUmV0YWluUHRy PFNlY0lkZW50aXR5UmVmPiYmID0gbnVsbHB0ciwgc3RkOjpvcHRpb25hbDx1aW50MTZfdD4gcG9y dCA9IHsgfSk7Ci0gICAgSFRUUFNlcnZlcihGdW5jdGlvbjx2b2lkKENvbm5lY3Rpb24pPiYmLCBQ cm90b2NvbCA9IFByb3RvY29sOjpIdHRwKTsKKyAgICBIVFRQU2VydmVyKEZ1bmN0aW9uPHZvaWQo Q29ubmVjdGlvbik+JiYsIFByb3RvY29sID0gUHJvdG9jb2w6Okh0dHAsIENlcnRpZmljYXRlVmVy aWZpZXImJiA9IG51bGxwdHIpOwogICAgIH5IVFRQU2VydmVyKCk7CiAgICAgdWludDE2X3QgcG9y dCgpIGNvbnN0OwogICAgIE5TVVJMUmVxdWVzdCAqcmVxdWVzdChjb25zdCBTdHJpbmcmIHBhdGgg PSAiLyJfc3RyKSBjb25zdDsKZGlmZiAtLWdpdCBhL1Rvb2xzL1Rlc3RXZWJLaXRBUEkvY29jb2Ev SFRUUFNlcnZlci5tbSBiL1Rvb2xzL1Rlc3RXZWJLaXRBUEkvY29jb2EvSFRUUFNlcnZlci5tbQpp bmRleCA4OGQ4NmJmMWQwYzE5ZjBjY2YzMDVmZDA4NWRhYTRkNzg3MzRkNDkwLi4yNmMzMTk4MDdm NWQ4ODNhNzQ5M2U4MTdiZjE1NWViMmQ2MTIyYzM5IDEwMDY0NAotLS0gYS9Ub29scy9UZXN0V2Vi S2l0QVBJL2NvY29hL0hUVFBTZXJ2ZXIubW0KKysrIGIvVG9vbHMvVGVzdFdlYktpdEFQSS9jb2Nv YS9IVFRQU2VydmVyLm1tCkBAIC0xOTksOSArMTk5LDkgQEAgSFRUUFNlcnZlcjo6SFRUUFNlcnZl cihzdGQ6OmluaXRpYWxpemVyX2xpc3Q8c3RkOjpwYWlyPFN0cmluZywgSFRUUFJlc3BvbnNlPj4g cmUKICAgICBzdGFydExpc3RlbmluZyhtX2xpc3RlbmVyLmdldCgpKTsKIH0KIAotSFRUUFNlcnZl cjo6SFRUUFNlcnZlcihGdW5jdGlvbjx2b2lkKENvbm5lY3Rpb24pPiYmIGNvbm5lY3Rpb25IYW5k bGVyLCBQcm90b2NvbCBwcm90b2NvbCkKK0hUVFBTZXJ2ZXI6OkhUVFBTZXJ2ZXIoRnVuY3Rpb248 dm9pZChDb25uZWN0aW9uKT4mJiBjb25uZWN0aW9uSGFuZGxlciwgUHJvdG9jb2wgcHJvdG9jb2ws IENlcnRpZmljYXRlVmVyaWZpZXImJiB2ZXJpZmllcikKICAgICA6IG1fcmVxdWVzdERhdGEoYWRv cHRSZWYoKm5ldyBSZXF1ZXN0RGF0YSh7IH0pKSkKLSAgICAsIG1fbGlzdGVuZXIoYWRvcHROUyhu d19saXN0ZW5lcl9jcmVhdGUobGlzdGVuZXJQYXJhbWV0ZXJzKHByb3RvY29sLCBudWxscHRyLCBu dWxscHRyLCB7IH0pLmdldCgpKSkpCisgICAgLCBtX2xpc3RlbmVyKGFkb3B0TlMobndfbGlzdGVu ZXJfY3JlYXRlKGxpc3RlbmVyUGFyYW1ldGVycyhwcm90b2NvbCwgV1RGTW92ZSh2ZXJpZmllciks IG51bGxwdHIsIHsgfSkuZ2V0KCkpKSkKICAgICAsIG1fcHJvdG9jb2wocHJvdG9jb2wpCiB7CiAg ICAgbndfbGlzdGVuZXJfc2V0X3F1ZXVlKG1fbGlzdGVuZXIuZ2V0KCksIGRpc3BhdGNoX2dldF9t YWluX3F1ZXVlKCkpOwo=