pkg_signature.c revision 1.1.1.3
1 /* $NetBSD: pkg_signature.c,v 1.1.1.3 2009/03/02 22:31:17 joerg Exp $ */ 2 3 #if HAVE_CONFIG_H 4 #include "config.h" 5 #endif 6 #include <nbcompat.h> 7 #if HAVE_SYS_CDEFS_H 8 #include <sys/cdefs.h> 9 #endif 10 __RCSID("$NetBSD: pkg_signature.c,v 1.1.1.3 2009/03/02 22:31:17 joerg Exp $"); 11 12 /*- 13 * Copyright (c) 2008 Joerg Sonnenberger <joerg (at) NetBSD.org>. 14 * All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in 24 * the documentation and/or other materials provided with the 25 * distribution. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 28 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 29 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 30 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 31 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 32 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 33 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 34 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 35 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 36 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 37 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 */ 40 41 #if HAVE_SYS_WAIT_H 42 #include <sys/wait.h> 43 #endif 44 #include <ctype.h> 45 #if HAVE_ERR_H 46 #include <err.h> 47 #endif 48 #include <errno.h> 49 #include <fcntl.h> 50 #include <stdlib.h> 51 #ifndef NETBSD 52 #include <nbcompat/sha2.h> 53 #else 54 #include <sha2.h> 55 #endif 56 #include <signal.h> 57 #ifdef NETBSD 58 #include <unistd.h> 59 #else 60 #include <nbcompat/unistd.h> 61 #endif 62 63 #include <archive.h> 64 #include <archive_entry.h> 65 66 #include "lib.h" 67 68 #define HASH_FNAME "+PKG_HASH" 69 #define SIGNATURE_FNAME "+PKG_SIGNATURE" 70 #define GPG_SIGNATURE_FNAME "+PKG_GPG_SIGNATURE" 71 72 struct signature_archive { 73 struct archive *archive; 74 off_t pkg_size; 75 size_t sign_block_len, sign_block_number, sign_cur_block; 76 char **sign_blocks; 77 unsigned char *sign_buf; 78 }; 79 80 static void 81 hash_block(unsigned char *buf, size_t buf_len, 82 char hash[SHA512_DIGEST_STRING_LENGTH]) 83 { 84 unsigned char digest[SHA512_DIGEST_LENGTH]; 85 SHA512_CTX hash_ctx; 86 int i; 87 88 SHA512_Init(&hash_ctx); 89 SHA512_Update(&hash_ctx, buf, buf_len); 90 SHA512_Final(digest, &hash_ctx); 91 for (i = 0; i < SHA512_DIGEST_LENGTH; ++i) { 92 unsigned char c; 93 94 c = digest[i] / 16; 95 if (c < 10) 96 hash[2 * i] = '0' + c; 97 else 98 hash[2 * i] = 'a' - 10 + c; 99 100 c = digest[i] % 16; 101 if (c < 10) 102 hash[2 * i + 1] = '0' + c; 103 else 104 hash[2 * i + 1] = 'a' - 10 + c; 105 } 106 hash[2 * i] = '\0'; 107 } 108 109 static ssize_t 110 verify_signature_read_cb(struct archive *archive, void *cookie, const void **buf) 111 { 112 struct signature_archive *state = cookie; 113 char hash[SHA512_DIGEST_STRING_LENGTH]; 114 ssize_t len, expected; 115 116 if (state->sign_cur_block >= state->sign_block_number) 117 return 0; 118 119 /* The following works for sign_block_len > 1 */ 120 if (state->sign_cur_block + 1 == state->sign_block_number) 121 expected = state->pkg_size % state->sign_block_len; 122 else 123 expected = state->sign_block_len; 124 125 len = archive_read_data(state->archive, state->sign_buf, expected); 126 if (len != expected) { 127 warnx("Short read from package"); 128 return -1; 129 } 130 131 hash_block(state->sign_buf, len, hash); 132 133 if (strcmp(hash, state->sign_blocks[state->sign_cur_block]) != 0) { 134 warnx("Invalid signature of block %llu", 135 (unsigned long long)state->sign_cur_block); 136 return -1; 137 } 138 ++state->sign_cur_block; 139 *buf = state->sign_buf; 140 return len; 141 } 142 143 static void 144 free_signature_int(struct signature_archive *state) 145 { 146 size_t i; 147 148 if (state->sign_blocks != NULL) { 149 for (i = 0; i < state->sign_block_number; ++i) 150 free(state->sign_blocks[i]); 151 } 152 free(state->sign_blocks); 153 free(state->sign_buf); 154 free(state); 155 } 156 157 void 158 pkg_free_signature(void *cookie) 159 { 160 struct signature_archive *state = cookie; 161 162 if (state == NULL) 163 return; 164 165 archive_read_finish(state->archive); 166 free_signature_int(state); 167 } 168 169 static int 170 read_file_from_archive(struct archive *archive, struct archive_entry **entry, 171 const char *fname, char **content, size_t *len) 172 { 173 int r; 174 175 *content = NULL; 176 *len = 0; 177 178 retry: 179 if (*entry == NULL && 180 (r = archive_read_next_header(archive, entry)) != ARCHIVE_OK) { 181 if (r == ARCHIVE_FATAL) { 182 warnx("Cannot read from archive: %s", 183 archive_error_string(archive)); 184 return -1; 185 } 186 return 1; 187 } 188 if (strcmp(archive_entry_pathname(*entry), "//") == 0) { 189 archive_read_data_skip(archive); 190 *entry = NULL; 191 goto retry; 192 } 193 194 if (strcmp(fname, archive_entry_pathname(*entry)) != 0) 195 return 1; 196 197 if (archive_entry_size(*entry) > SSIZE_MAX - 1) { 198 warnx("signature too large to process"); 199 return 1; 200 } 201 *len = archive_entry_size(*entry); 202 *content = xmalloc(*len + 1); 203 204 if (archive_read_data(archive, *content, *len) != *len) { 205 warnx("cannot read complete %s from archive", fname); 206 free(*content); 207 *len = 0; 208 *content = NULL; 209 return 1; 210 } 211 (*content)[*len] = '\0'; 212 *entry = NULL; 213 214 return 0; 215 } 216 217 static int 218 parse_hash_file(const char *hash_file, char **pkgname, 219 struct signature_archive *state) 220 { 221 static const char block1[] = "pkgsrc signature\n\nversion: 1\npkgname: "; 222 static const char block2[] = "algorithm: SHA512\nblock size: "; 223 static const char block3[] = "file size: "; 224 static const char block4[] = "end pkgsrc signature\n"; 225 char *next; 226 size_t i, len; 227 228 *pkgname = NULL; 229 230 if (strncmp(hash_file, block1, strlen(block1)) != 0) 231 goto cleanup; 232 hash_file += strlen(block1); 233 234 len = strcspn(hash_file, "\n"); 235 *pkgname = xmalloc(len + 1); 236 memcpy(*pkgname, hash_file, len); 237 (*pkgname)[len] = '\0'; 238 for (i = 0; i < len; ++i) { 239 if (!isgraph((unsigned char)(*pkgname)[i])) 240 goto cleanup; 241 } 242 hash_file += len + 1; 243 244 if (strncmp(hash_file, block2, strlen(block2)) != 0) 245 goto cleanup; 246 hash_file += strlen(block2); 247 248 errno = 0; 249 if (!isdigit((unsigned char)*hash_file)) 250 goto cleanup; 251 state->sign_block_len = strtoul(hash_file, &next, 10); 252 hash_file = next; 253 254 /* Assert sane minimum block size of 1KB */ 255 if (*hash_file++ != '\n' || errno == ERANGE || state->sign_block_len < 1024) 256 goto cleanup; 257 258 if (strncmp(hash_file, block3, strlen(block3)) != 0) 259 goto cleanup; 260 hash_file += strlen(block3); 261 262 errno = 0; 263 if (!isdigit((unsigned char)*hash_file)) 264 goto cleanup; 265 if (sizeof(off_t) >= sizeof(long long)) 266 state->pkg_size = strtoll(hash_file, &next, 10); 267 else 268 state->pkg_size = strtol(hash_file, &next, 10); 269 hash_file = next; 270 if (*hash_file++ != '\n' || errno == ERANGE || state->pkg_size < 1) 271 goto cleanup; 272 273 if (*hash_file++ != '\n') 274 goto cleanup; 275 276 if (state->pkg_size / state->sign_block_len > SSIZE_MAX) 277 goto cleanup; 278 state->sign_block_number = (state->pkg_size + 279 state->sign_block_len - 1) / state->sign_block_len; 280 281 state->sign_buf = xmalloc(state->sign_block_len); 282 state->sign_blocks = xcalloc(state->sign_block_number, sizeof(char *)); 283 284 for (i = 0; i < state->sign_block_number; ++i) { 285 len = strspn(hash_file, "01234567889abcdef"); 286 if (len != SHA512_DIGEST_LENGTH * 2 || hash_file[len] != '\n') 287 goto cleanup_hashes; 288 state->sign_blocks[i] = xmalloc(len + 1); 289 memcpy(state->sign_blocks[i], hash_file, len); 290 state->sign_blocks[i][len] = '\0'; 291 hash_file += len + 1; 292 } 293 294 if (strcmp(hash_file, block4) != 0) 295 goto cleanup_hashes; 296 297 return 0; 298 299 cleanup_hashes: 300 for (i = 0; i < state->sign_block_number; ++i) 301 free(state->sign_blocks[i]); 302 free(state->sign_blocks); 303 state->sign_blocks = NULL; 304 305 cleanup: 306 warnx("Unknown format of hash file"); 307 free(*pkgname); 308 *pkgname = NULL; 309 return -1; 310 } 311 312 int 313 pkg_verify_signature(struct archive **archive, struct archive_entry **entry, 314 char **pkgname, void **cookie) 315 { 316 struct signature_archive *state; 317 struct archive_entry *my_entry; 318 struct archive *a; 319 char *hash_file, *signature_file; 320 size_t hash_len, signature_len; 321 int r, has_sig; 322 323 *pkgname = NULL; 324 *cookie = NULL; 325 326 state = xmalloc(sizeof(*state)); 327 state->sign_blocks = NULL; 328 state->sign_buf = NULL; 329 state->archive = NULL; 330 331 r = read_file_from_archive(*archive, entry, HASH_FNAME, 332 &hash_file, &hash_len); 333 if (r == -1) { 334 archive_read_finish(*archive); 335 *archive = NULL; 336 free(state); 337 goto no_valid_signature; 338 } else if (r == 1) { 339 free(state); 340 goto no_valid_signature; 341 } 342 343 if (parse_hash_file(hash_file, pkgname, state)) 344 goto no_valid_signature; 345 346 r = read_file_from_archive(*archive, entry, SIGNATURE_FNAME, 347 &signature_file, &signature_len); 348 if (r == -1) { 349 archive_read_finish(*archive); 350 *archive = NULL; 351 free(state); 352 free(hash_file); 353 goto no_valid_signature; 354 } else if (r != 0) { 355 if (*entry != NULL) 356 r = read_file_from_archive(*archive, entry, 357 GPG_SIGNATURE_FNAME, 358 &signature_file, &signature_len); 359 if (r == -1) { 360 archive_read_finish(*archive); 361 *archive = NULL; 362 free(state); 363 free(hash_file); 364 goto no_valid_signature; 365 } else if (r != 0) { 366 free(hash_file); 367 free(state); 368 goto no_valid_signature; 369 } 370 has_sig = !detached_gpg_verify(hash_file, hash_len, 371 signature_file, signature_len, gpg_keyring_verify); 372 373 free(signature_file); 374 } else { 375 #ifdef HAVE_SSL 376 has_sig = !easy_pkcs7_verify(hash_file, hash_len, signature_file, 377 signature_len, certs_packages, 1); 378 379 free(signature_file); 380 #else 381 warnx("No OpenSSL support compiled in, skipping signature"); 382 has_sig = 0; 383 free(signature_file); 384 #endif 385 } 386 387 r = archive_read_next_header(*archive, &my_entry); 388 if (r != ARCHIVE_OK) { 389 warnx("Cannot read inner package: %s", 390 archive_error_string(*archive)); 391 free_signature_int(state); 392 goto no_valid_signature; 393 } 394 395 if (archive_entry_size(my_entry) != state->pkg_size) { 396 warnx("Package size doesn't match signature"); 397 free_signature_int(state); 398 goto no_valid_signature; 399 } 400 401 state->archive = *archive; 402 403 a = archive_read_new(); 404 archive_read_support_compression_all(a); 405 archive_read_support_format_all(a); 406 if (archive_read_open(a, state, NULL, verify_signature_read_cb, NULL)) { 407 warnx("Can't open signed package file"); 408 archive_read_finish(a); 409 free_signature_int(state); 410 goto no_valid_signature; 411 } 412 *archive = a; 413 *entry = NULL; 414 *cookie = state; 415 416 return has_sig ? 0 : -1; 417 418 no_valid_signature: 419 return -1; 420 } 421 422 int 423 pkg_full_signature_check(struct archive **archive) 424 { 425 struct archive_entry *entry = NULL; 426 char *pkgname; 427 void *cookie; 428 int r; 429 430 if (pkg_verify_signature(archive, &entry, &pkgname, &cookie)) 431 return -1; 432 if (pkgname == NULL) 433 return 0; 434 435 /* XXX read PLIST and compare pkgname */ 436 while ((r = archive_read_next_header(*archive, &entry)) == ARCHIVE_OK) 437 archive_read_data_skip(*archive); 438 439 pkg_free_signature(cookie); 440 free(pkgname); 441 return r == ARCHIVE_EOF ? 0 : -1; 442 } 443 444 static char * 445 extract_pkgname(int fd) 446 { 447 package_t plist; 448 plist_t *p; 449 struct archive *a; 450 struct archive_entry *entry; 451 char *buf; 452 ssize_t len; 453 int r; 454 455 a = archive_read_new(); 456 archive_read_support_compression_all(a); 457 archive_read_support_format_all(a); 458 if (archive_read_open_fd(a, fd, 1024)) { 459 warnx("Cannot open binary package: %s", 460 archive_error_string(a)); 461 archive_read_finish(a); 462 return NULL; 463 } 464 465 r = archive_read_next_header(a, &entry); 466 if (r != ARCHIVE_OK) { 467 warnx("Cannot extract package name: %s", 468 r == ARCHIVE_EOF ? "EOF" : archive_error_string(a)); 469 archive_read_finish(a); 470 return NULL; 471 } 472 if (strcmp(archive_entry_pathname(entry), "+CONTENTS") != 0) { 473 warnx("Invalid binary package, doesn't start with +CONTENTS"); 474 archive_read_finish(a); 475 return NULL; 476 } 477 if (archive_entry_size(entry) > SSIZE_MAX - 1) { 478 warnx("+CONTENTS too large to process"); 479 archive_read_finish(a); 480 return NULL; 481 } 482 483 len = archive_entry_size(entry); 484 buf = xmalloc(len + 1); 485 486 if (archive_read_data(a, buf, len) != len) { 487 warnx("Short read when extracing +CONTENTS"); 488 free(buf); 489 archive_read_finish(a); 490 return NULL; 491 } 492 buf[len] = '\0'; 493 494 archive_read_finish(a); 495 496 parse_plist(&plist, buf); 497 free(buf); 498 p = find_plist(&plist, PLIST_NAME); 499 if (p != NULL) { 500 buf = xstrdup(p->name); 501 } else { 502 warnx("Invalid PLIST: missing @name"); 503 buf = NULL; 504 } 505 free_plist(&plist); 506 507 if (lseek(fd, 0, SEEK_SET) != 0) { 508 warn("Cannot seek in archive"); 509 free(buf); 510 return NULL; 511 } 512 513 return buf; 514 } 515 516 static const char hash_template[] = 517 "pkgsrc signature\n" 518 "\n" 519 "version: 1\n" 520 "pkgname: %s\n" 521 "algorithm: SHA512\n" 522 "block size: 65536\n" 523 "file size: %lld\n" 524 "\n"; 525 526 static const char hash_trailer[] = "end pkgsrc signature\n"; 527 528 #ifdef HAVE_SSL 529 void 530 pkg_sign_x509(const char *name, const char *output, const char *key_file, const char *cert_file) 531 { 532 struct archive *pkg; 533 struct archive_entry *entry, *hash_entry, *sign_entry; 534 int fd; 535 struct stat sb; 536 char *hash_file, *signature_file, *tmp, *pkgname, hash[SHA512_DIGEST_STRING_LENGTH]; 537 unsigned char block[65536]; 538 off_t i, size; 539 size_t block_len, signature_len; 540 541 if ((fd = open(name, O_RDONLY)) == -1) 542 err(EXIT_FAILURE, "Cannot open binary package %s", name); 543 if (fstat(fd, &sb) == -1) 544 err(EXIT_FAILURE, "Cannot stat %s", name); 545 546 entry = archive_entry_new(); 547 archive_entry_copy_stat(entry, &sb); 548 549 pkgname = extract_pkgname(fd); 550 hash_file = xasprintf(hash_template, pkgname, 551 (long long)archive_entry_size(entry)); 552 free(pkgname); 553 554 for (i = 0; i < archive_entry_size(entry); i += block_len) { 555 if (i + sizeof(block) < archive_entry_size(entry)) 556 block_len = sizeof(block); 557 else 558 block_len = archive_entry_size(entry) % sizeof(block); 559 if (read(fd, block, block_len) != block_len) 560 err(2, "short read"); 561 hash_block(block, block_len, hash); 562 tmp = xasprintf("%s%s\n", hash_file, hash); 563 free(hash_file); 564 hash_file = tmp; 565 } 566 tmp = xasprintf("%s%s", hash_file, hash_trailer); 567 free(hash_file); 568 hash_file = tmp; 569 570 if (easy_pkcs7_sign(hash_file, strlen(hash_file), &signature_file, 571 &signature_len, key_file, cert_file)) 572 err(EXIT_FAILURE, "Cannot sign hash file"); 573 574 lseek(fd, 0, SEEK_SET); 575 576 sign_entry = archive_entry_clone(entry); 577 hash_entry = archive_entry_clone(entry); 578 pkgname = strrchr(name, '/'); 579 archive_entry_set_pathname(entry, pkgname != NULL ? pkgname + 1 : name); 580 archive_entry_set_pathname(hash_entry, HASH_FNAME); 581 archive_entry_set_pathname(sign_entry, SIGNATURE_FNAME); 582 archive_entry_set_size(hash_entry, strlen(hash_file)); 583 archive_entry_set_size(sign_entry, signature_len); 584 585 pkg = archive_write_new(); 586 archive_write_set_compression_none(pkg); 587 archive_write_set_format_ar_bsd(pkg); 588 archive_write_open_filename(pkg, output); 589 590 archive_write_header(pkg, hash_entry); 591 archive_write_data(pkg, hash_file, strlen(hash_file)); 592 archive_write_finish_entry(pkg); 593 archive_entry_free(hash_entry); 594 595 archive_write_header(pkg, sign_entry); 596 archive_write_data(pkg, signature_file, signature_len); 597 archive_write_finish_entry(pkg); 598 archive_entry_free(sign_entry); 599 600 size = archive_entry_size(entry); 601 archive_write_header(pkg, entry); 602 603 for (i = 0; i < size; i += block_len) { 604 if (i + sizeof(block) < size) 605 block_len = sizeof(block); 606 else 607 block_len = size % sizeof(block); 608 if (read(fd, block, block_len) != block_len) 609 err(2, "short read"); 610 archive_write_data(pkg, block, block_len); 611 } 612 archive_write_finish_entry(pkg); 613 archive_entry_free(entry); 614 615 archive_write_finish(pkg); 616 617 close(fd); 618 619 exit(0); 620 } 621 #endif 622 623 void 624 pkg_sign_gpg(const char *name, const char *output) 625 { 626 struct archive *pkg; 627 struct archive_entry *entry, *hash_entry, *sign_entry; 628 int fd; 629 struct stat sb; 630 char *hash_file, *signature_file, *tmp, *pkgname, hash[SHA512_DIGEST_STRING_LENGTH]; 631 unsigned char block[65536]; 632 off_t i, size; 633 size_t block_len, signature_len; 634 635 if ((fd = open(name, O_RDONLY)) == -1) 636 err(EXIT_FAILURE, "Cannot open binary package %s", name); 637 if (fstat(fd, &sb) == -1) 638 err(EXIT_FAILURE, "Cannot stat %s", name); 639 640 entry = archive_entry_new(); 641 archive_entry_copy_stat(entry, &sb); 642 643 pkgname = extract_pkgname(fd); 644 hash_file = xasprintf(hash_template, pkgname, 645 (long long)archive_entry_size(entry)); 646 free(pkgname); 647 648 for (i = 0; i < archive_entry_size(entry); i += block_len) { 649 if (i + sizeof(block) < archive_entry_size(entry)) 650 block_len = sizeof(block); 651 else 652 block_len = archive_entry_size(entry) % sizeof(block); 653 if (read(fd, block, block_len) != block_len) 654 err(2, "short read"); 655 hash_block(block, block_len, hash); 656 tmp = xasprintf("%s%s\n", hash_file, hash); 657 free(hash_file); 658 hash_file = tmp; 659 } 660 tmp = xasprintf("%s%s", hash_file, hash_trailer); 661 free(hash_file); 662 hash_file = tmp; 663 664 if (detached_gpg_sign(hash_file, strlen(hash_file), &signature_file, 665 &signature_len, gpg_keyring_sign, gpg_sign_as)) 666 err(EXIT_FAILURE, "Cannot sign hash file"); 667 668 lseek(fd, 0, SEEK_SET); 669 670 sign_entry = archive_entry_clone(entry); 671 hash_entry = archive_entry_clone(entry); 672 pkgname = strrchr(name, '/'); 673 archive_entry_set_pathname(entry, pkgname != NULL ? pkgname + 1 : name); 674 archive_entry_set_pathname(hash_entry, HASH_FNAME); 675 archive_entry_set_pathname(sign_entry, GPG_SIGNATURE_FNAME); 676 archive_entry_set_size(hash_entry, strlen(hash_file)); 677 archive_entry_set_size(sign_entry, signature_len); 678 679 pkg = archive_write_new(); 680 archive_write_set_compression_none(pkg); 681 archive_write_set_format_ar_bsd(pkg); 682 archive_write_open_filename(pkg, output); 683 684 archive_write_header(pkg, hash_entry); 685 archive_write_data(pkg, hash_file, strlen(hash_file)); 686 archive_write_finish_entry(pkg); 687 archive_entry_free(hash_entry); 688 689 archive_write_header(pkg, sign_entry); 690 archive_write_data(pkg, signature_file, signature_len); 691 archive_write_finish_entry(pkg); 692 archive_entry_free(sign_entry); 693 694 size = archive_entry_size(entry); 695 archive_write_header(pkg, entry); 696 697 for (i = 0; i < size; i += block_len) { 698 if (i + sizeof(block) < size) 699 block_len = sizeof(block); 700 else 701 block_len = size % sizeof(block); 702 if (read(fd, block, block_len) != block_len) 703 err(2, "short read"); 704 archive_write_data(pkg, block, block_len); 705 } 706 archive_write_finish_entry(pkg); 707 archive_entry_free(entry); 708 709 archive_write_finish(pkg); 710 711 close(fd); 712 713 exit(0); 714 } 715
Indexes created Mon Apr 27 00:23:16 UTC 2026