[PATCH 0/3] Improve SSL certificate handling

[PATCH 0/3] Improve SSL certificate handling

[Otavio Salvador]

This patchset leverage the OpenSSL certificate handling so it works
aligned with Debian and other generic distributions regarding where
the certificates are stored and how they are installed.

This all started when debugging why SSL certificates were not working
properly for a customer which was using QtWebEngine. It turned out to
be the integration which was not complete so this patch addresses it.


Otavio Salvador (3):
  openssl: Add Shell-Script based c_rehash utility
  ca-certificates: Use c_rehash utility
  openssl: Ensure SSL certificates are stored on sysconfdir

 meta/recipes-connectivity/openssl/openssl.inc      |  26 ++-
 .../openssl/openssl/openssl-c_rehash.sh            | 210 +++++++++++++++++++++
 .../recipes-connectivity/openssl/openssl_1.0.2h.bb |   1 +
 ...01-update-ca-certificates-remove-c-rehash.patch |  46 -----
 .../ca-certificates/ca-certificates_20160104.bb    |   1 -
 5 files changed, 229 insertions(+), 55 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
 delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-remove-c-rehash.patch

-- 
2.8.2

[PATCH 1/3] openssl: Add Shell-Script based c_rehash utility

[Otavio Salvador]

The PLD Linux distribution has ported the c_rehash[1] utility from Perl
to Shell-Script, allowing it to be shipped by default.

1. https://git.pld-linux.org/?p=packages/openssl.git;a=blob;f=openssl-c_rehash.sh;h=0ea22637ee6dbce845a9e2caf62540aaaf5d0761

The OpenSSL upstream intends[2] to convert the utility for C however
did not yet finished the conversion.

2. https://rt.openssl.org/Ticket/Display.html?id=2324

This patch adds this script and thus removed the Perl requirement for
it.

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
---

 meta/recipes-connectivity/openssl/openssl.inc      |   9 +-
 .../openssl/openssl/openssl-c_rehash.sh            | 210 +++++++++++++++++++++
 .../recipes-connectivity/openssl/openssl_1.0.2h.bb |   1 +
 3 files changed, 215 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh

diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index a5ddf4d..668e34e 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -36,7 +36,7 @@ PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf"
 FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES_libssl = "${libdir}/libssl${SOLIBS}"
 FILES_${PN} =+ " ${libdir}/ssl/*"
-FILES_${PN}-misc = "${libdir}/ssl/misc ${bindir}/c_rehash"
+FILES_${PN}-misc = "${libdir}/ssl/misc"
 RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}"
 
 # Add the openssl.cnf file to the openssl-conf package.  Make the libcrypto
@@ -168,15 +168,14 @@ do_install () {
 	install -d ${D}${includedir}
 	cp --dereference -R include/openssl ${D}${includedir}
 
+	install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
+	sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
+
 	oe_multilib_header openssl/opensslconf.h
 	if [ "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then
-		install -m 0755 ${S}/tools/c_rehash ${D}${bindir}
-		sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${bindir}/c_rehash
 		sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl
 		sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/tsget
-		# The c_rehash utility isn't installed by the normal installation process.
 	else
-		rm -f ${D}${bindir}/c_rehash
 		rm -f ${D}${libdir}/ssl/misc/CA.pl ${D}${libdir}/ssl/misc/tsget
 	fi
 }
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
new file mode 100644
index 0000000..0ea2263
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
@@ -0,0 +1,210 @@
+#!/bin/sh
+#
+# Ben Secrest <blsecres@gmail.com>
+#
+# sh c_rehash script, scan all files in a directory
+# and add symbolic links to their hash values.
+#
+# based on the c_rehash perl script distributed with openssl
+#
+# LICENSE: See OpenSSL license
+# ^^acceptable?^^
+#
+
+# default certificate location
+DIR=/etc/openssl
+
+# for filetype bitfield
+IS_CERT=$(( 1 << 0 ))
+IS_CRL=$(( 1 << 1 ))
+
+
+# check to see if a file is a certificate file or a CRL file
+# arguments:
+#       1. the filename to be scanned
+# returns:
+#       bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
+#
+check_file()
+{
+    local IS_TYPE=0
+
+    # make IFS a newline so we can process grep output line by line
+    local OLDIFS=${IFS}
+    IFS=$( printf "\n" )
+
+    # XXX: could be more efficient to have two 'grep -m' but is -m portable?
+    for LINE in $( grep '^-----BEGIN .*-----' ${1} )
+    do
+	if echo ${LINE} \
+	    | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
+	then
+	    IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
+
+	    if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
+	    then
+	    	break
+	    fi
+	elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
+	then
+	    IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
+
+	    if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
+	    then
+	    	break
+	    fi
+	fi
+    done
+
+    # restore IFS
+    IFS=${OLDIFS}
+
+    return ${IS_TYPE}
+}
+
+
+#
+# use openssl to fingerprint a file
+#    arguments:
+#	1. the filename to fingerprint
+#	2. the method to use (x509, crl)
+#    returns:
+#	none
+#    assumptions:
+#	user will capture output from last stage of pipeline
+#
+fingerprint()
+{
+    ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
+}
+
+
+#
+# link_hash - create links to certificate files
+#    arguments:
+#       1. the filename to create a link for
+#	2. the type of certificate being linked (x509, crl)
+#    returns:
+#	0 on success, 1 otherwise
+#
+link_hash()
+{
+    local FINGERPRINT=$( fingerprint ${1} ${2} )
+    local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
+    local SUFFIX=0
+    local LINKFILE=''
+    local TAG=''
+
+    if [ ${2} = "crl" ]
+    then
+    	TAG='r'
+    fi
+
+    LINKFILE=${HASH}.${TAG}${SUFFIX}
+
+    while [ -f ${LINKFILE} ]
+    do
+	if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
+	then
+	    echo "WARNING: Skipping duplicate file ${1}" >&2
+	    return 1
+	fi	
+
+	SUFFIX=$(( ${SUFFIX} + 1 ))
+	LINKFILE=${HASH}.${TAG}${SUFFIX}
+    done
+
+    echo "${1} => ${LINKFILE}"
+
+    # assume any system with a POSIX shell will either support symlinks or
+    # do something to handle this gracefully
+    ln -s ${1} ${LINKFILE}
+
+    return 0
+}
+
+
+# hash_dir create hash links in a given directory
+hash_dir()
+{
+    echo "Doing ${1}"
+
+    cd ${1}
+
+    ls -1 * 2>/dev/null | while read FILE
+    do
+        if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
+	    	&& [ -h "${FILE}" ]
+        then
+            rm ${FILE}
+        fi
+    done
+
+    ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
+    do
+	check_file ${FILE}
+        local FILE_TYPE=${?}
+	local TYPE_STR=''
+
+        if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
+        then
+            TYPE_STR='x509'
+        elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
+        then
+            TYPE_STR='crl'
+        else
+            echo "WARNING: ${FILE} does not contain a certificate or CRL: skipping" >&2
+	    continue
+        fi
+
+	link_hash ${FILE} ${TYPE_STR}
+    done
+}
+
+
+# choose the name of an ssl application
+if [ -n "${OPENSSL}" ]
+then
+    SSL_CMD=$(which ${OPENSSL} 2>/dev/null)
+else
+    SSL_CMD=/usr/bin/openssl
+    OPENSSL=${SSL_CMD}
+    export OPENSSL
+fi
+
+# fix paths
+PATH=${PATH}:${DIR}/bin
+export PATH
+
+# confirm existance/executability of ssl command
+if ! [ -x ${SSL_CMD} ]
+then
+    echo "${0}: rehashing skipped ('openssl' program not available)" >&2
+    exit 0
+fi
+
+# determine which directories to process
+old_IFS=$IFS
+if [ ${#} -gt 0 ]
+then
+    IFS=':'
+    DIRLIST=${*}
+elif [ -n "${SSL_CERT_DIR}" ]
+then
+    DIRLIST=$SSL_CERT_DIR
+else
+    DIRLIST=${DIR}/certs
+fi
+
+IFS=':'
+
+# process directories
+for CERT_DIR in ${DIRLIST}
+do
+    if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
+    then
+        IFS=$old_IFS
+        hash_dir ${CERT_DIR}
+        IFS=':'
+    fi
+done
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
index ae65992..699fe62 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -13,6 +13,7 @@ export OE_LDFLAGS="${LDFLAGS}"
 
 SRC_URI += "file://find.pl;subdir=${BP}/util/ \
             file://run-ptest \
+            file://openssl-c_rehash.sh \
             file://configure-targets.patch \
             file://shared-libs.patch \
             file://oe-ldflags.patch \
-- 
2.8.2

[PATCH 2/3] ca-certificates: Use c_rehash utility

[Otavio Salvador]

As now the c_rehash utility is available, we can use it. This removes
the patch to disable its usage allowing for a standard SSL behaviour.

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
---

 ...01-update-ca-certificates-remove-c-rehash.patch | 46 ----------------------
 .../ca-certificates/ca-certificates_20160104.bb    |  1 -
 2 files changed, 47 deletions(-)
 delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-remove-c-rehash.patch

diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-remove-c-rehash.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-remove-c-rehash.patch
deleted file mode 100644
index bf02723..0000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-remove-c-rehash.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Upstream-Status: Pending
-
-From 111e905fe931da1a3800accfc675cc01c8ee080c Mon Sep 17 00:00:00 2001
-From: Ulf Samuelsson <ulf@emagii.com>
-Date: Tue, 28 Feb 2012 06:42:58 +0100
-Subject: [PATCH] update-ca-certificates: remove c rehash
-
-Updated earlier patch to apply clean on 2012-02-12
-Signed-off-by: Ulf Samuelsson <ulf@emagii.com>
----
- sbin/update-ca-certificates |   20 ++++++++++----------
- 1 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index 5375950..c567e3d 100755
---- a/sbin/update-ca-certificates
-+++ b/sbin/update-ca-certificates
-@@ -132,16 +132,16 @@ rm -f "$CERTBUNDLE"
- ADDED_CNT=$(wc -l < "$ADDED")
- REMOVED_CNT=$(wc -l < "$REMOVED")
-
--if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
--then
--  # only run if set of files has changed
--  if [ "$verbose" = 0 ]
--  then
--    c_rehash . > /dev/null
--  else
--    c_rehash .
--  fi
--fi
-+#if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
-+#then
-+#  # only run if set of files has changed
-+#  if [ "$verbose" = 0 ]
-+#  then
-+#    c_rehash . > /dev/null
-+#  else
-+#    c_rehash .
-+#  fi
-+#fi
-
- chmod 0644 "$TEMPBUNDLE"
- mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
---
-1.7.4.1
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20160104.bb b/meta/recipes-support/ca-certificates/ca-certificates_20160104.bb
index e0f1939..871bc2e 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20160104.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20160104.bb
@@ -14,7 +14,6 @@ DEPENDS_class-native = ""
 SRCREV = "f54715702c5c0581c9461f78fd84e2c8d2ec243c"
 
 SRC_URI = "git://anonscm.debian.org/collab-maint/ca-certificates.git \
-           file://0001-update-ca-certificates-remove-c-rehash.patch \
            file://0002-update-ca-certificates-use-SYSROOT.patch \
            file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
            file://update-ca-certificates-support-Toybox.patch \
-- 
2.8.2

[PATCH 3/3] openssl: Ensure SSL certificates are stored on sysconfdir

[Otavio Salvador]

Debian and other generic distributions has moved the certificates for
sysconfdir (/etc/ssl) and made the libdir content to link for it.

This provides several advantages specially for read-only
rootfs. Another benefit is that it ensures foreign implementations
(e.g: BoringSSL, from Chromium, when running with OpenSSL backend for
the certificates) to find the content correctly.

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
---

 meta/recipes-connectivity/openssl/openssl.inc | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index 668e34e..3412c66 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -43,8 +43,8 @@ RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '',
 # package RRECOMMENDS on this package.  This will enable the configuration
 # file to be installed for both the base openssl package and the libcrypto
 # package since the base openssl package depends on the libcrypto package.
-FILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
-CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
+FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 RRECOMMENDS_libcrypto += "openssl-conf"
 RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
 
@@ -178,6 +178,17 @@ do_install () {
 	else
 		rm -f ${D}${libdir}/ssl/misc/CA.pl ${D}${libdir}/ssl/misc/tsget
 	fi
+
+	# Create SSL structure
+	install -d ${D}${sysconfdir}/ssl/
+	mv ${D}${libdir}/ssl/openssl.cnf \
+	   ${D}${libdir}/ssl/certs \
+	   ${D}${libdir}/ssl/private \
+	   \
+	   ${D}${sysconfdir}/ssl/
+	ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl/certs
+	ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl/private
+	ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl/openssl.cnf
 }
 
 do_install_ptest () {
@@ -191,7 +202,7 @@ do_install_ptest () {
 	cp -r certs ${D}${PTEST_PATH}
 	mkdir -p ${D}${PTEST_PATH}/apps
 	ln -sf ${libdir}/ssl/misc/CA.sh  ${D}${PTEST_PATH}/apps
-	ln -sf ${libdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps
+	ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps
 	ln -sf ${bindir}/openssl         ${D}${PTEST_PATH}/apps
 	cp apps/server2.pem             ${D}${PTEST_PATH}/apps
 	mkdir -p ${D}${PTEST_PATH}/util
-- 
2.8.2

Re: [PATCH 0/3] Improve SSL certificate handling

[Richard Purdie]

On Mon, 2016-05-23 at 17:45 -0300, Otavio Salvador wrote:
> This patchset leverage the OpenSSL certificate handling so it works
> aligned with Debian and other generic distributions regarding where
> the certificates are stored and how they are installed.
> 
> This all started when debugging why SSL certificates were not working
> properly for a customer which was using QtWebEngine. It turned out to
> be the integration which was not complete so this patch addresses it.
> 
> 
> Otavio Salvador (3):
>   openssl: Add Shell-Script based c_rehash utility
>   ca-certificates: Use c_rehash utility
>   openssl: Ensure SSL certificates are stored on sysconfdir

Initial tests were ok but we've just seen:

https://autobuilder.yoctoproject.org/main/builders/nightly-oecore/build
s/792/steps/BuildImages/logs/stdio

I've not looked into it but it would seem to implicate these patches :/

Cheers,

Richard

Re: [PATCH 0/3] Improve SSL certificate handling

[Otavio Salvador]

On Thu, May 26, 2016 at 10:41 AM, Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
> On Mon, 2016-05-23 at 17:45 -0300, Otavio Salvador wrote:
>> This patchset leverage the OpenSSL certificate handling so it works
>> aligned with Debian and other generic distributions regarding where
>> the certificates are stored and how they are installed.
>>
>> This all started when debugging why SSL certificates were not working
>> properly for a customer which was using QtWebEngine. It turned out to
>> be the integration which was not complete so this patch addresses it.
>>
>>
>> Otavio Salvador (3):
>>   openssl: Add Shell-Script based c_rehash utility
>>   ca-certificates: Use c_rehash utility
>>   openssl: Ensure SSL certificates are stored on sysconfdir
>
> Initial tests were ok but we've just seen:
>
> https://autobuilder.yoctoproject.org/main/builders/nightly-oecore/build
> s/792/steps/BuildImages/logs/stdio
>
> I've not looked into it but it would seem to implicate these patches :/

It does seem to be caused by it. I sent a v2 fixing it.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750

Re: [PATCH 0/3] Improve SSL certificate handling

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 1332 bytes --]

On Fri, May 27, 2016 at 06:55:30AM -0300, Otavio Salvador wrote:
> On Thu, May 26, 2016 at 10:41 AM, Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> > On Mon, 2016-05-23 at 17:45 -0300, Otavio Salvador wrote:
> >> This patchset leverage the OpenSSL certificate handling so it works
> >> aligned with Debian and other generic distributions regarding where
> >> the certificates are stored and how they are installed.
> >>
> >> This all started when debugging why SSL certificates were not working
> >> properly for a customer which was using QtWebEngine. It turned out to
> >> be the integration which was not complete so this patch addresses it.
> >>
> >>
> >> Otavio Salvador (3):
> >>   openssl: Add Shell-Script based c_rehash utility
> >>   ca-certificates: Use c_rehash utility
> >>   openssl: Ensure SSL certificates are stored on sysconfdir
> >
> > Initial tests were ok but we've just seen:
> >
> > https://autobuilder.yoctoproject.org/main/builders/nightly-oecore/build
> > s/792/steps/BuildImages/logs/stdio
> >
> > I've not looked into it but it would seem to implicate these patches :/
> 
> It does seem to be caused by it. I sent a v2 fixing it.

v1 was already merged, so you might want to send just rebased fix

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]

Re: [PATCH 0/3] Improve SSL certificate handling

[Otavio Salvador]

On Fri, May 27, 2016 at 7:10 AM, Martin Jansa <martin.jansa@gmail.com> wrote:
> On Fri, May 27, 2016 at 06:55:30AM -0300, Otavio Salvador wrote:
>> On Thu, May 26, 2016 at 10:41 AM, Richard Purdie
>> <richard.purdie@linuxfoundation.org> wrote:
>> > On Mon, 2016-05-23 at 17:45 -0300, Otavio Salvador wrote:
>> >> This patchset leverage the OpenSSL certificate handling so it works
>> >> aligned with Debian and other generic distributions regarding where
>> >> the certificates are stored and how they are installed.
>> >>
>> >> This all started when debugging why SSL certificates were not working
>> >> properly for a customer which was using QtWebEngine. It turned out to
>> >> be the integration which was not complete so this patch addresses it.
>> >>
>> >>
>> >> Otavio Salvador (3):
>> >>   openssl: Add Shell-Script based c_rehash utility
>> >>   ca-certificates: Use c_rehash utility
>> >>   openssl: Ensure SSL certificates are stored on sysconfdir
>> >
>> > Initial tests were ok but we've just seen:
>> >
>> > https://autobuilder.yoctoproject.org/main/builders/nightly-oecore/build
>> > s/792/steps/BuildImages/logs/stdio
>> >
>> > I've not looked into it but it would seem to implicate these patches :/
>>
>> It does seem to be caused by it. I sent a v2 fixing it.
>
> v1 was already merged, so you might want to send just rebased fix

Thanks; I sent a new patch for it.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750