Generating private keys with openssl

Keys are the basis of public key algorithms and PKI. Keys come in pairs, with one half being the public key and the other half the private key. With OpenSSL the private key file also contains the public key material, so the public key does not need to be generated separately; it can be extracted from the private key at any time.

Public keys come in several flavours, using different cryptographic algorithms. The most popular ones associated with certificates are RSA and DSA, and this article shows how to generate each of them.

Generating an RSA key

An RSA key can be used both for encryption and for signing. Generating one is quite easy; all you have to do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

That generates a private key protected by a passphrase (openssl prompts for it during generation). The -des3 option picks Triple DES as the cipher for the key file; any current OpenSSL also accepts -aes256, which is the better choice today. If you don’t want it passphrase protected (usual for server-side use, where nobody is there to type the passphrase at start-up) leave the -des3 parameter out, i.e.:

  openssl genrsa -out privkey.pem 2048

The number 2048 is the size of the key, in bits. Today 2048 or higher is recommended for RSA keys; 1024 bits and below are considered insecure. An unencrypted key is only as safe as the file permissions on it, so generate it with a restrictive umask (umask 077) and keep it readable by its owner alone.

Generating a DSA key

A DSA key can be used for signing only, not for encryption. This is important to keep in mind when deciding what a certificate request made with a DSA key can actually be used for.

Generating a key for the DSA algorithm is a two-step process: first generate the domain parameters (p, q and g), then generate the key itself from them.

  openssl dsaparam -out dsaparam.pem 2048
  openssl gendsa -des3 -out privkey.pem dsaparam.pem

As with RSA, 2048 is the size of the key in bits, and anything smaller is insecure by today’s standards. Note that DSA is rarely chosen for new deployments any more; most TLS and SSH software now prefers RSA or elliptic-curve keys, so unless something specifically requires DSA, generate an RSA key instead.

As with RSA, the -des3 parameter causes a passphrase prompt; for server use leave it out:

  openssl dsaparam -out dsaparam.pem 2048
  openssl gendsa -out privkey.pem dsaparam.pem
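The RSA and DSA procedures above, wrapped in a script that also checks what each command produced. This is an added example, not code from the original post; it assumes a POSIX sh and an openssl binary (1.1.x or 3.x), and the file names, passphrase and message are example values. Save it as keygen_demo.sh and run it to see the checks; the functions can also be sourced on their own. It verifies the key size, that the encrypted key refuses a wrong passphrase, that the public key can be pulled out of the private key, that both key types sign and verify, and that only the RSA key can encrypt.

```shell
#!/bin/sh
# Added example, not code from the original post: the RSA and DSA commands
# from the text wrapped in functions that check what they produced.
# Assumes a POSIX sh and an openssl binary (1.1.x or 3.x); file names,
# the passphrase and the message below are example values.
set -eu
umask 077                      # key files are created owner-readable only
KEYDIR=$(mktemp -d)            # scratch directory for the generated files
trap 'rm -rf "$KEYDIR"' EXIT

# Print the bit length of the private key in PEM file $1 (RSA or DSA);
# $2, if given, is the passphrase of an encrypted key.
key_bits() {
    if [ -n "${2:-}" ]; then
        openssl pkey -in "$1" -passin "pass:$2" -noout -text
    else
        openssl pkey -in "$1" -noout -text
    fi | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Unencrypted RSA key of $2 bits in $1 (the server-side form from the text).
gen_rsa_key() {
    openssl genrsa -out "$1" "$2" 2>/dev/null
    key_bits "$1"
}

# Passphrase-protected RSA key. The post uses -des3; -aes256 is the
# stronger cipher for the key file on any current openssl. The passphrase
# is taken from $3 so this can be scripted without a prompt.
gen_rsa_key_encrypted() {
    openssl genrsa -aes256 -passout "pass:$3" -out "$1" "$2" 2>/dev/null
    grep -q ENCRYPTED "$1"     # the PEM header must say it is encrypted
    key_bits "$1" "$3"
}

# Succeeds only if encrypted key $1 cannot be opened with passphrase $2.
encrypted_key_rejects() {
    ! openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# DSA is two steps: domain parameters first, then a key from them.
# $2 is the prime size in bits; 2048 takes a while to generate.
gen_dsa_key() {
    openssl dsaparam -out "$1.params" "$2" 2>/dev/null
    openssl gendsa -out "$1" "$1.params" 2>/dev/null
    key_bits "$1"
}

# The private key carries the public half; write it out separately to $2
# and print the number of "BEGIN PUBLIC KEY" lines found (should be 1).
extract_pubkey() {
    openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
    grep -c 'BEGIN PUBLIC KEY' "$2"
}

# Sign file $2 with private key $1, verify with public key $3; prints
# "Verified OK" when the signature checks out. Works for RSA and DSA.
sign_and_verify() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
    openssl dgst -sha256 -verify "$3" -signature "$2.sig" "$2"
}

# Succeeds if public key $1 can encrypt: true for RSA, false for DSA,
# which is a signature-only algorithm.
can_encrypt() {
    printf 'constructed test message' |
        openssl pkeyutl -encrypt -pubin -inkey "$1" -out /dev/null 2>/dev/null
}

main() {
    printf 'constructed test message\n' > "$KEYDIR/msg.txt"
    echo "RSA key bits:           $(gen_rsa_key "$KEYDIR/rsa.pem" 2048)"
    echo "Encrypted RSA key bits: $(gen_rsa_key_encrypted "$KEYDIR/rsa-enc.pem" 2048 'example passphrase')"
    encrypted_key_rejects "$KEYDIR/rsa-enc.pem" 'wrong passphrase' && echo "wrong passphrase rejected"
    extract_pubkey "$KEYDIR/rsa.pem" "$KEYDIR/rsa.pub" >/dev/null
    echo "RSA signature:          $(sign_and_verify "$KEYDIR/rsa.pem" "$KEYDIR/msg.txt" "$KEYDIR/rsa.pub")"
    can_encrypt "$KEYDIR/rsa.pub" && echo "RSA can encrypt"
    echo "DSA key bits:           $(gen_dsa_key "$KEYDIR/dsa.pem" 2048)"
    extract_pubkey "$KEYDIR/dsa.pem" "$KEYDIR/dsa.pub" >/dev/null
    echo "DSA signature:          $(sign_and_verify "$KEYDIR/dsa.pem" "$KEYDIR/msg.txt" "$KEYDIR/dsa.pub")"
    can_encrypt "$KEYDIR/dsa.pub" || echo "DSA cannot encrypt (signing only)"
}

# Run the demonstration when saved and executed as keygen_demo.sh.
case "$0" in *keygen_demo.sh) main ;; esac
```

The passphrase is passed with -passout only so the example runs unattended; on a real system prefer the interactive prompt (or a file readable only by the owner) so the passphrase does not end up in shell history or the process list.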

How to flush the DNS Cache on OSX

I keep forgetting this one, hence writing it up. Every so often you need to flush the local DNS cache, usually because you’ve made a change in some DNS zone and want to test it immediately.

dscacheutil -flushcache

It’s that simple, so simple it’s an easy one to forget 😦

This is the command for 10.5 and 10.6; later releases changed it (10.7 through 10.9 use sudo killall -HUP mDNSResponder, and from 10.10.4 on you run sudo dscacheutil -flushcache followed by sudo killall -HUP mDNSResponder), so check which version you are on.

How to add a static route on OSX

I’ve just had this one with a PPTP VPN: one network was accessible over it but another behind it wasn’t, so I had to add a static route.

First you need to know the addresses of the VPN’s point-to-point link:

sabrina:table peter$ ifconfig ppp0
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
 inet 192.168.1.3 --> 192.168.1.1 netmask 0xffffff00

ifconfig prints the local end of the link first and the remote end after the arrow. The address we want is the local one, 192.168.1.3: naming the local end of a point-to-point link as the gateway tells the kernel to send the traffic out of ppp0, which is what route add -net 192.168.2.0/24 -interface ppp0 expresses more explicitly.

Now to create the route

sabrina:table peter$ sudo route add -net 192.168.2.0/24 192.168.1.3
Password:
add net 192.168.2.0: gateway 192.168.1.3

That’s it. The route works as long as the VPN connection stays up; when you disconnect it is removed along with ppp0 and you’ll have to add it again next time.
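One way to stop re-adding the route by hand, as an added example that is not part of the original post: pppd runs /etc/ppp/ip-up (if present and executable) every time a link comes up, passing the interface name, tty, speed, local IP and remote IP as arguments, so the route can be added there. The script validates its inputs before touching the routing table, and the 192.168.2.0/24 target, the ROUTE_NET variable and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: an /etc/ppp/ip-up hook that
# re-adds the static route each time the PPP (here PPTP) link comes up,
# so it does not have to be typed again after every reconnect. pppd runs
# /etc/ppp/ip-up, if it exists and is executable, with these arguments:
#   $1 interface   $2 tty   $3 speed   $4 local IP   $5 remote IP   $6 ipparam
# The 192.168.2.0/24 target is the network from the post; ROUTE_NET is an
# assumed knob for changing it.
set -eu

ROUTE_NET="${ROUTE_NET:-192.168.2.0/24}"

# Succeeds if $1 is a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds if $1 is an IPv4 network in CIDR notation (a.b.c.d/0-32).
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

# Print the route command for network $1 via $2, the local address of the
# point-to-point link (equivalent to "-interface pppN"); fails on bad input
# so that a garbled pppd argument never becomes a bogus route.
build_route_cmd() {
    is_cidr "$1" || { echo "bad network: $1" >&2; return 1; }
    is_ipv4 "$2" || { echo "bad gateway: $2" >&2; return 1; }
    printf 'route add -net %s %s\n' "$1" "$2"
}

# Entry point with pppd's arguments. Only ppp interfaces are handled.
# With DRY_RUN=1 the command is printed instead of executed.
ipup_main() {
    case "$1" in ppp*) ;; *) return 0 ;; esac
    local_ip="$4"
    build_route_cmd "$ROUTE_NET" "$local_ip" >/dev/null   # validate first
    if [ "${DRY_RUN:-0}" = 1 ]; then
        build_route_cmd "$ROUTE_NET" "$local_ip"
    else
        route add -net "$ROUTE_NET" "$local_ip"
    fi
}

# pppd invokes the script as /etc/ppp/ip-up; run only in that case so the
# functions can also be sourced and tested elsewhere.
case "$0" in */ip-up) ipup_main "$@" ;; esac
```

Install it with sudo install -m 755 ip-up /etc/ppp/ip-up. Because pppd runs the hook as root, keep the file owned by root and not writable by anyone else, and do not let unvalidated arguments reach the route command.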

Compiling Java 7.0 on OS X

Since Apple’s announcement last week about deprecating Java on OS X, a few people have wanted to know how to compile OpenJDK on the Mac.

Although I’ve not done this for JDK 6, this article covers how to compile and use the current development version of JDK 7.0 on OS X.

First a few notes:

  1. This only enables Java 7 within an X environment; native UIs, one of the main parts of the Apple JVM, are not supported
  2. When I tested this by running NetBeans 7.0 M2 within X the menus were a bit screwy; try it and you’ll see what I mean
  3. These instructions are for 10.5.8 but should work for 10.6.x
  4. This is for Intel processors only

So, as a word of warning: don’t expect this to work, or to work well, and don’t use it in production; JDK 7 isn’t due out for another 12 months or so…

OK, first we need a bootstrap JDK 6 environment. This is needed for some of the initial Java compilation during the build. The Apple JVM can’t be used for this, so download and install the i386 SoyLatte binary JDK (get the i386 build, not the amd64 one). It is a third-party binary that you are about to run, so fetch it from the project’s own site and check any published checksum before installing it.

Once downloaded, copy it to /usr/local/soylatte16-i386-1.0.3 and test it:

sabrina:~ peter$ /usr/local/soylatte16-i386-1.0.3/bin/java -version
java version "1.6.0_03-p3"
Java(TM) SE Runtime Environment (build 1.6.0_03-p3-landonf_19_aug_2008_14_55-b00)
Java HotSpot(TM) Server VM (build 1.6.0_03-p3-landonf_19_aug_2008_14_55-b00, mixed mode)

Next create a blank directory under which we will build everything. I’m using ~/dev/ojdk but you could use any directory. Under this we need to create a couple of directories and some symlinks:

sabrina:~ peter$ mkdir -p dev/ojdk
sabrina:~ peter$ cd dev/ojdk
sabrina:~ peter$ mkdir -p bin ALT_COMPILER_PATH
sabrina:~ peter$ cd ALT_COMPILER_PATH
sabrina:~ peter$ ln -s /usr/bin .SOURCE
sabrina:~ peter$ ln -s .SOURCE/g++-4.0 g++
sabrina:~ peter$ ln -s .SOURCE/gcc-4.0 gcc
sabrina:~ peter$ cd ../bin

Now in the bin directory you need to create two scripts, update.sh and update-usr-local.sh. Fortunately these are readily available from http://gist.github.com/617451. Copy them into the bin directory, read through them (they run with your privileges, and the second one writes to /usr/local) and make them executable.

Now open update.sh in your favourite editor and find the line with ALT_COMPILER_PATH in it. Change it to hold the full path to the ALT_COMPILER_PATH directory defined above. In my case this looks like:

ALT_COMPILER_PATH=/Users/peter/dev/ojdk/ALT_COMPILER_PATH/ \

Next we need to checkout a copy of the source:

sabrina:~ peter$ cd ~/dev/ojdk
sabrina:~ peter$ hg fclone http://hg.openjdk.java.net/bsd-port/bsd-port bsd

(fclone is provided by the Mercurial Forest extension, which has to be enabled in your ~/.hgrc; the bsd-port repository is a forest of sub-repositories, which is why a plain hg clone is not enough.)

We should now be set up. The last step is to run a build, which can be done at any time: the script checks for updates, cleans down and then runs a full build:

sabrina:~ peter$ cd ~/dev/ojdk/bsd
sabrina:~ peter$ source ../bin/update.sh

If all goes well, after about 20 minutes you should see something like the following at the end of the build:

testing build: ./build/bsd-amd64/j2sdk-image/bin/java -version

openjdk version "1.7.0-internal"
OpenJDK Runtime Environment (build 1.7.0-internal-peter_2010_10_25_11_19-b00)
OpenJDK 64-Bit Server VM (build 19.0-b05, mixed mode)

If the build succeeds, the last step is to install it under /usr/local/java-1.7.0:

sabrina:~ peter$ cd ~/dev/ojdk/bsd
sabrina:~ peter$ source ../bin/update-usr-local.sh

To use Java 7 you simply point the application at the installed JDK, usually by setting JAVA_HOME=/usr/local/java-1.7.0 and running $JAVA_HOME/bin/java…

sabrina:bin peter$ /usr/local/java-1.7.0/bin/java -version
openjdk version "1.7.0-internal"
OpenJDK Runtime Environment (build 1.7.0-internal-peter_2010_10_25_11_19-b00)
OpenJDK 64-Bit Server VM (build 19.0-b05, mixed mode)

Turn your Mac into a Wifi Base Station

Some people, like myself, use mobile broadband for their internet connection, either because it’s the only option where they live or because, like me, they have had enough of BT (in the UK you usually still need BT for the physical line regardless of the ISP).

Now the various dongles work fine on the local machine, and for the local wired network it’s usually as simple as turning on Internet Sharing (for the 3 network you have to do things differently because they use a special profile). The problem comes when you want to share the connection via WiFi but don’t have a WiFi router.

On Linux boxes some WiFi chipsets support base station (access point) mode, but things get complicated because you have to configure the card, the firmware and so on. What about on a Mac? All recent Macs have AirPort cards, so can a Mac act as a base station?

To put it simply, yes, and it’s supported as standard (I’m using OS X 10.5.7). Not only that, it can be enabled with a couple of extra clicks.

First open System Preferences and select Sharing:

Next, select (not check) Internet Sharing and make sure AirPort is turned on (I also have Ethernet enabled):

At this point, when you turn sharing on, the WiFi network will be open to anyone, so turn on encryption under AirPort Options before starting it. Be aware that on 10.5 the only encryption offered there is WEP, which can be recovered in minutes with freely available tools: it keeps casual passers-by off, but anyone who wants in can get in, and they then sit on your local network rather than just borrowing your internet connection.

That’s all there is to it. You simply turn it on by ticking Internet Sharing and pressing Start.

ssh-askpass on OSX 10.5

I’ve been playing with NetBeans 6.7M3 and the latest Mercurial plugin and found that I couldn’t push to a remote repository via ssh. All NetBeans would return was:

Mercurial Push
--------------
INFO Pushing To: ssh://pmount@lego.office.gameaccount.com/hg/ga4Partner ...
ERROR Command failed:
Command: [/usr/local/bin/hg, outgoing, -v, --template=rev:{rev}\nauth:{author}\ndesc:{desc}\ndate:{date|hgdate}\nid:{node|short}\n\nendCS:\n, --repository, /Users/peter/dev/gameaccount/maven/ga4Partner, ssh://pmount@lego.office.gameaccount.com/hg/ga4Partner]
Output: [running ssh pmount@lego.office.gameaccount.com “hg -R hg/ga4Partner serve --stdio”, remote: ssh_askpass: exec(/usr/libexec/ssh-askpass): No such file or directory, remote: Host key verification failed., abort: no suitable response from remote hg!]
INFO: End of Mercurial Push

The ssh_askpass line is the clue. NetBeans runs hg, and hg runs the local ssh client, without a terminal attached. When ssh needs to ask the user something under those conditions it looks for the program named in SSH_ASKPASS, or failing that /usr/libexec/ssh-askpass, and OS X 10.5 does not ship one, so the question cannot be asked and the connection fails. Here the question was the host-key confirmation for a host not yet in ~/.ssh/known_hosts (hence "Host key verification failed"); a password prompt fails the same way. Note that hg prefixes everything the ssh client writes to stderr with "remote:", so it looks as if the server were prompting, but it is the local ssh.

Whatever dialog you install, treat the host-key question with care: compare the fingerprint it shows against one obtained out of band before answering yes, because accepting a wrong key is exactly what a man-in-the-middle needs. Connecting to the host once from a terminal, so its key lands in ~/.ssh/known_hosts, and authenticating with a key loaded into ssh-agent avoids most of these prompts in the first place.

After some searching on the net (OK, Google, who else) I found Mercurial Push from IntelliJ, where someone had a similar problem with IntelliJ. By creating the following script, Mercurial in NB 6.7M3 works flawlessly:

sabrina:~ peter$ sudo vi /usr/libexec/ssh-askpass
#! /bin/sh

#
# An SSH_ASKPASS command for MacOS X
#
# Author: Joseph Mocker, Sun Microsystems
#
# ssh runs this with the prompt text as its argument when it has no
# terminal to ask on, and reads the answer from standard output.
#
# To use this script from a shell session:
#     setenv SSH_ASKPASS "macos-askpass"
#     setenv DISPLAY ":0"
#

TITLE=${MACOS_ASKPASS_TITLE:-"SSH"}

# The prompt is spliced into AppleScript source, so escape backslashes
# and double quotes in it; a host name or key fingerprint must not be
# able to break out of the string.
PROMPT=$(printf '%s' "$*" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')

DIALOG="display dialog \"$PROMPT\" default answer \"\" with title \"$TITLE\""
DIALOG="$DIALOG with icon caution with hidden answer"

result=`osascript -e 'tell application "Finder"' -e "activate" -e "$DIALOG" -e 'end tell'`

# Cancel (or an empty answer) gives no result; exit non-zero so ssh treats
# the prompt as refused rather than receiving an empty answer.
if [ "$result" = "" ]; then
    exit 1
else
    echo "$result" | sed -e 's/^text returned://' -e 's/, button returned:.*$//'
    exit 0
fi

sabrina:~ peter$ sudo chmod +x /usr/libexec/ssh-askpass

Nikkai A88JB FreeView PVR

Maplin currently have some special offers on, and one of them is the Nikkai A88JB USB PVR Digital TV Receiver for £39.99. Now I wasn’t really in the market for a new receiver, but what caught my eye was that, unlike other standalone Freeview boxes with a card slot or USB port, this one supposedly records onto an external hard drive connected to the USB port, so I thought I’d give it a try.

First the manual: what crap. It looks like a photocopy of some original, written in the usual pidgin English you’d expect of something mass-produced in China.

As for the unit, it doesn’t look that well built, with three buttons on the front (Power, Channel Up and Down) and a display showing the time when in standby or the channel number otherwise. On the right-hand side there’s a cover which, when opened, reveals the SD/MMC slot and the USB port.

View of the unit sitting on top of my old PS2.

The white cable is plugged in to the USB port and connects an old USB Harddrive to the unit.

Once plugged in it runs relatively well. Scanning for channels is quick, and in use it’s a lot more responsive than my existing Freeview box (the one built into the TV). The user interface is not the best I’ve seen (I’ve seen better on units far cheaper than this one), but at least it works. Apparently it has teletext support, but I can’t get that to work, and you cannot record radio (no big deal there). The main thing, though, is the recording of programmes.

Recording live TV is simple: just press REC and it records. To stop, you’d have thought you would press the stop button next to it, but no, it’s press REC again then confirm by pressing Left and Enter. Three button presses when there’s a stop button right next to it!

Playback from the unit appears fine as well, but the timer is sheer crap. You can only program up to 8 timers, each with a date, time and channel and whether it occurs once, every day, week or year (why?). It takes me back to programming VHS recorders twenty years ago.

So, now the question: can the recordings be played back on the Mac?

Well, the files are stored on the hard drive as .mpg files and they are readable. However QuickTime doesn’t recognise them (this is with Perian installed). Not looking good so far. I then tried Media Player 10, which I have installed inside VMware, and again no go: Media Player plays the audio but could not find a video codec.

Not wanting to give up on 40 quid I then turned to good old Open Source.

So I fired up VideoLAN (VLC) and tried playing the recorded programme; presto, it works.

A test recording being played with VLC on Mac OSX10.5

Now if VideoLAN works on the Mac, will it work on Linux? Yep, even on Linux it will play a recording 🙂

A test recording being played with VLC running on Ubuntu 8.10

So all in all it seems it might be a decent unit. The timers could do with some work, and it looks ugly with the USB cable showing at the front (no rear USB port), but it might be a good buy; we’ll see.

I’m going to set it up to record some shows during the next week (ones on whilst I’m at work) and see how it performs, so expect an update next week.