Archive for the ‘Posts’ Category.

Validating names in SSL certificates using OpenSSL (0.9.8)

Recently I’ve battled with OpenSSL at work. One thing I needed to do was add name validation to a program that previously hadn’t had it. In an attempt to avoid obvious mistakes I went looking for existing examples of how to do it. I came across some code from Secure Programming.com; it can be found in the code from the book in “/spc-1.1/chapter10/8-unix.c”. Too bad only a part of the code actually works as advertised, and on top of that the working part uses old functions which remain in the API only for backwards compatibility.

In trying to fix up that code I wrote the following little example for extracting the CN and the DNS entries of subjectAltName. It prints the length OpenSSL reports next to each name on purpose: a name whose reported length differs from strlen() contains an embedded NUL and must be rejected rather than compared as a C string:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
 
#include <openssl/pem.h>
#include <openssl/x509v3.h>
 
void getCN( X509 * );
void getSubjectAltName( X509 * );
 
int
main( int argc, char **argv )
{
    FILE *fpem;
    X509 *cert;
 
    if( argc != 2 ) {
        fprintf( stderr, "Usage: %s <cert.pem>\n", argv[0] );
        return( EXIT_FAILURE );
    }
 
    if( !( fpem = fopen( argv[1], "r" ))) {
        fprintf( stderr, "Couldn't open the PEM file: %s\n", argv[1] );
        return( EXIT_FAILURE );
    }
 
    if( !( cert = PEM_read_X509( fpem, NULL, NULL, NULL ))) {
        fclose( fpem );
        fprintf( stderr, "Failed to read the PEM file: %s\n", argv[1] );
        return( EXIT_FAILURE );
    }
    fclose( fpem );
 
    getCN( cert );
    getSubjectAltName( cert );
 
    X509_free( cert );
    return( EXIT_SUCCESS );
}
 
void
getCN( X509 *cert )
{
    X509_NAME *subjName;
    X509_NAME_ENTRY *entry;
    ASN1_STRING *entryData;
    unsigned char *utf8;
    int idx = -1, length, found = 0;
 
    printf( "## %s\n", __PRETTY_FUNCTION__ );
 
    // internal pointer into cert, not ours to free
    if( !( subjName = X509_get_subject_name( cert ))) {
        fprintf( stderr, "X509_get_subject_name failed\n" );
        return;
    }
 
    // a subject may carry several CNs, or none at all, so walk all of
    // them instead of using the first index blindly (it may be -1)
    while(( idx = X509_NAME_get_index_by_NID( subjName, NID_commonName, idx )) >= 0 ) {
        ++found;
        entry = X509_NAME_get_entry( subjName, idx );
        entryData = X509_NAME_ENTRY_get_data( entry );
        if(( length = ASN1_STRING_to_UTF8( &utf8, entryData )) < 0 ) {
            fprintf( stderr, "ASN1_STRING_to_UTF8 failed\n" );
            continue;
        }
        printf( "CN value: %s\n", utf8 );
        printf( "CN length: %d\n", length );
        // "www.good.com\0evil.com" prints as the short name; the length
        // OpenSSL reports is the only way to notice the embedded NUL
        if( (size_t)length != strlen( (char *)utf8 ))
            fprintf( stderr, "CN contains an embedded NUL, must be rejected\n" );
        OPENSSL_free( utf8 );
    }
    if( !found )
        printf( "No CN in subject\n" );
 
    return;
}
 
void
getSubjectAltName( X509 *cert )
{
    GENERAL_NAMES *sANs;
    int i, numAN;
 
    printf( "## %s\n", __PRETTY_FUNCTION__ );
 
    // X509_get_ext_d2i allocates the decoded extension; it is ours to free
    if( !( sANs = X509_get_ext_d2i( cert, NID_subject_alt_name, NULL, NULL ))) {
        printf( "No subjectAltName extension\n" );
        return;
    }
 
    numAN = sk_GENERAL_NAME_num( sANs );
    printf( "subjectAltName entries: %d\n", numAN );
    for( i = 0; i < numAN; ++i ) {
        GENERAL_NAME *sAN = sk_GENERAL_NAME_value( sANs, i );
        unsigned char *dns;
        int length;
 
        // we only care about DNS entries
        if( GEN_DNS != sAN->type )
            continue;
        if(( length = ASN1_STRING_to_UTF8( &dns, sAN->d.dNSName )) < 0 ) {
            fprintf( stderr, "ASN1_STRING_to_UTF8 failed\n" );
            continue;
        }
        printf( "subjectAltName DNS: %s\n", dns );
        printf( "subjectAltName DNS length: %d\n", length );
        // same embedded-NUL check as for the CN
        if( (size_t)length != strlen( (char *)dns ))
            fprintf( stderr, "dNSName contains an embedded NUL, must be rejected\n" );
        OPENSSL_free( dns );
    }
 
    sk_GENERAL_NAME_pop_free( sANs, GENERAL_NAME_free );
    return;
}
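Extracting the names is only half of name validation; the comparison is the part that is easy to get wrong. The following is an added example, not code from the original post or from the patch it talks about, showing the matching step in plain C on name/length pairs of the kind the extraction code above produces. It applies RFC 2818’s identity selection (dNSName SANs are authoritative when present, the CN is only a fallback) with the stricter wildcard handling later adopted in RFC 6125 (a ‘*’ only as the whole leftmost label, matching exactly one label). The struct certname type, the functions name_matches and host_is_valid and the sample names are my own and assumed, not OpenSSL API:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* One name pulled out of the certificate: the UTF-8 bytes plus the length
 * that ASN1_STRING_to_UTF8 reported, so an embedded NUL can be detected. */
struct certname {
    const char *value;
    size_t      length;
};

/* Case-insensitive comparison of two byte ranges of equal length. */
static int label_eq( const char *a, const char *b, size_t n )
{
    size_t i;
    for( i = 0; i < n; ++i )
        if( tolower( (unsigned char)a[i] ) != tolower( (unsigned char)b[i] ))
            return 0;
    return 1;
}

/* "*.example.com" style names: the '*' must be the entire leftmost label,
 * must be followed by at least two labels, and matches exactly one
 * non-empty host label (never "example.com" or "a.b.example.com"). */
static int wildcard_matches( const struct certname *n, const char *host )
{
    const char *dot = strchr( host, '.' );
    size_t hlen = strlen( host ), hdot;

    if( strchr( n->value + 2, '*' ) || strchr( n->value + 2, '.' ) == NULL )
        return 0;
    if( dot == NULL || dot == host )
        return 0;
    hdot = (size_t)( dot - host );
    /* everything after the host's first label must equal the name after '*' */
    if( hlen - hdot != n->length - 1 )
        return 0;
    return label_eq( n->value + 1, host + hdot, n->length - 1 );
}

/* Match one certificate name against a hostname. */
int name_matches( const struct certname *n, const char *host )
{
    /* length disagreeing with strlen means "www.good.com\0evil.com": reject */
    if( n->length != strlen( n->value ))
        return 0;
    if( n->length >= 2 && n->value[0] == '*' && n->value[1] == '.' )
        return wildcard_matches( n, host );
    return n->length == strlen( host ) && label_eq( n->value, host, n->length );
}

/* Decide whether a certificate is valid for host. If any dNSName SANs are
 * present they are the identity and the CN is ignored (RFC 2818 section 3.1);
 * only a certificate without dNSName SANs falls back to the CN. */
int host_is_valid( const char *host,
                   const struct certname *sans, size_t nsans,
                   const struct certname *cn )
{
    size_t i;

    if( nsans > 0 ) {
        for( i = 0; i < nsans; ++i )
            if( name_matches( &sans[i], host ))
                return 1;
        return 0;
    }
    return cn != NULL && name_matches( cn, host );
}

/* Constructed sample names, shaped as the extraction code above reports
 * them; sample_nul carries an embedded NUL after "www.example.com". */
static const struct certname sample_cn  = { "www.example.com", 15 };
static const struct certname sample_nul = { "www.example.com\0.attacker.test", 30 };
static const struct certname sample_sans[2] = {
    { "*.example.com", 13 },
    { "example.net",   11 }
};

int
main( void )
{
    printf( "CN only, www.example.com:   %d\n",
            host_is_valid( "www.example.com", NULL, 0, &sample_cn ));
    printf( "CN with embedded NUL:       %d\n",
            host_is_valid( "www.example.com", NULL, 0, &sample_nul ));
    printf( "SAN wildcard, one label:    %d\n",
            host_is_valid( "mail.example.com", sample_sans, 2, NULL ));
    printf( "SAN wildcard, two labels:   %d\n",
            host_is_valid( "a.b.example.com", sample_sans, 2, NULL ));
    printf( "SAN present, CN ignored:    %d\n",
            host_is_valid( "www.example.com", sample_sans + 1, 1, &sample_cn ));
    return( 0 );
}
```

The NUL check comes first because a name that fails it is already an attack indicator, not just a mismatch; comparing as C strings before checking the length is exactly how "www.good.com\0evil.com" gets accepted. Internationalised names are compared byte-wise here; a real client would convert the hostname to its A-label form before calling host_is_valid.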

Based on this I should be able to finish the patch I’ve been working on.

My new browser setup at work

I am very keen on keeping my private and work information separate. E.g. I would never read my personal and work email in the same MUA, instead I read work email in Thunderbird and the few times I read private email during working hours I do that using the web interface to GMail. At home it’s the other way around, Thunderbird for personal email, and a web interface to read work email. I used to have a similar setup for my browsing to keep bookmarks and saved passwords for the different areas of my life separate. Firefox was my work browser and Epiphany was my personal browser.

With the recent move to WebKit I noticed that there are a few bits of Epiphany that really bug me though. Especially its inability to remember passwords; on my Eee it’s just a killer not to be able to do that. So, I decided to take a look at Firefox again, especially to see whether there are any add-ons that would help. And there are. These are the add-ons I found useful for this:

Profile Manager and Synchronizer

The most important piece of the setup is the add-on Profile Manager and Synchronizer. It makes it easy to have more than one instance of Firefox running at the same time, with a different profile active in each one.

At first I tried synchronising profiles via dropbox, but that resulted in a lot of updates each time so I quickly stopped. I can recommend using it once though, to get the profiles to all the computers in the first place.

The plugin author says there will be a version that works with 3.6 soon. In the meantime I can report that I’ve had no issues with manually modifying the version range just to get it to install.

Xmarks

Since I don’t synchronise my profiles I do need to synchronise my bookmarks, and for that I use Xmarks.

Diigo

Diigo is a social bookmarking site. There seems to be about 13 to a dozen of those, but there are a couple of things that make Diigo different.

With the plugin I can easily store away pages for reading at some later date. In the past I’ve had a bookmark folder, or slightly more recently a tag, that I used to mark up pages that I’d like to take a closer look at. I’ve stopped that completely, and now I just mark pages as unread in Diigo. Just another way of reducing the clutter among my bookmarks.

Probably the coolest feature is commenting on web pages. I mostly use that to add private comments to web pages, e.g. when I do some research into a topic (so far it’s mostly been for items I’m considering buying), but it’s also possible to make public comments. I’ve found it useful on more than one occasion to have a quick look through the public comments other people have put on pages.

Good online stores for yoga equipment

The condensed version: I’ve found both YogaStudio and Yoga United to be excellent online stores for yoga equipment.

Longer version

About a month ago I decided to finally invest in a yoga mat. After a bit of research I found the prAna Revolution, an extra wide, extra long mat made of natural rubber. I decided to order it from YogaStudio. It was completely uneventful and slightly quicker than I expected. So two big thumbs up for YogaStudio.

After receiving the mat I realised I really would need a bag for it. I found it very difficult to find a bag that would fit my slightly over-sized mat. Finally I stumbled on Yoga United, who had a good price on an extra long bag made out of cotton. They also delivered quicker than expected; unfortunately they didn’t ship the one I actually ordered. What I got was the smaller size bag, too small for my mat, but it fit my wife’s mat perfectly and she wanted to keep it. Instead of the hassle of sending it back I agreed with the lady at Yoga United that it would be simpler for them to just let me order another extra long bag and let me keep the one I had. The second bag arrived the next day. Again brilliant service.

Finally, I can really recommend the mat I bought. Yes, it’s pricy, but so far I’ve found it to be brilliant. The bag, you ask. Well, the mat doesn’t really want to stay rolled up, if I put it that way. Also, cotton isn’t a material that natural rubber slides easily on. It isn’t that hard to get the mat into the bag, but it helps to be patient :-)

Gnome: 2 questions that go unanswered

Since no one on the Gnome mailing list seems to be able to answer these questions I thought I’d try some other venues for getting them answered. The audience for my blog isn’t that big, but just maybe there’s someone out there who knows the answers to these questions related to Gnome configuration. Mail one and mail two.

1: Running GUI tool after NM has brought up network

I run dropbox on my laptop, but their software is crap at handling the case where the network comes up only after the dropbox service has started.[1]

I know of the possibility of dropping a file in /etc/NetworkManager/dispatcher.d/, but that doesn’t work in this case since I need the program to run “in my desktop”. Well, at least I haven’t managed to get the dropbox server to throw up an icon in my Gnome tool bar like it should, unless I run it from inside the desktop environment.

Any suggestions on how to solve this problem?

2: Changing background of the Gnome screensaver

I think Gnome comes with quite possibly the ugliest background for a screensaver I’ve ever seen. It’s a close-up on a green leaf or something. Absolutely hideous. I want to change it. To something nice, like a solid black. Actually just about anything else would do. But how?

GDM came with the same ugly background. Luckily I managed to find instructions on the Arch wiki to change GDM background. I’ve tried and failed to use a similar trick on the screensaver.

Please, help me escape the ugly background of the Gnome screensaver!

  1. I’ve noticed no problem when network goes away and then comes back, dropbox picks that up just fine. But if the network isn’t there to start with, that it can’t handle. I’m somehow at a loss how to write a program that handles the former but not the latter. :-) [back]

Bash is simply insane

What do you think the following script[1] will print?

foo() {
    true | while true; do
        false
        rc=$?
        if [ $rc -eq 1 ]; then
            return 1
        fi
    done
    echo $?
    return 0
}
 
foo || echo "Failed foo"

Run it and see. I suspect everyone but the script gurus out there will be surprised.

What about this script then?

bar () {
    local rc=0
    true | while true; do
        false
        rc=$?
        if [ $rc -eq 1 ]; then
            return 1
        fi
    done
    echo $?
    echo $rc
    return 0
}
 
bar

Surprised again?

I guess this means that scoping in bash is somewhat more complicated than I would have ever guessed.

  1. The script is somewhat artificial, who would ever use the construct true | while ...? I’ve used this just to show the point while keeping the examples short. Feel free to replace that part with something more useful, like cat myfile | while read ....[back]

Playing with sockets in Haskell

This is another one of those posts that I make mostly for myself, you know, for organising my thoughts and helping my memory :-)

There are, as far as I can see, three ways to deal with sockets in Haskell. There’s the type Socket which is used throughout Network.Socket. From that it’s possible to get to the underlying file descriptor, and it in turn can be converted to a Handle.

When coupled with fork+exec it’s crucial to make sure the child process can find the socket. Leaving it at a predictable file descriptor number seems to be the easiest way to do that, and as far as I can see that requires using dupTo from System.Posix.IO. So, on the child side it’s necessary to find a way to turn an integer (CInt) into something that can be treated as a socket (i.e. a Socket, a Handle, or a file descriptor).

A basic parent-child which obviously won’t work since the child’s socket is represented as a Socket:

import Control.Concurrent
import System.Posix.Process
import Network.Socket
 
childFunc s = send s "Ping from child" >> return ()
 
main = do
    (childSock, parentSock) <- socketPair AF_UNIX Stream defaultProtocol
    print (childSock, parentSock)
    child <- forkProcess $ childFunc childSock
    recv parentSock 10 >>= print

Let the child take a CInt and turn it into a filedescriptor:

import Control.Concurrent
import Control.Concurrent.MVar
import System.Posix.Process
import System.Posix.IO
import System.Posix.Types
import Network.Socket
 
childFunc sInt = do
    let fd = Fd sInt
    fdWrite fd "Ping from child" >> return ()
 
main = do
    (childSock, parentSock) <- socketPair AF_UNIX Stream defaultProtocol
    let childInt = fdSocket childSock
    print (childInt, parentSock)
    child <- forkProcess $ childFunc childInt
    recv parentSock 10 >>= print

Let the child take a CInt and turn it into a Handle:

import Control.Concurrent
import System.Posix.Process
import System.Posix.IO
import System.Posix.Types
import Network.Socket
import System.IO
 
childFunc sInt = do
    h <- fdToHandle $ Fd sInt
    hPutStr h "Ping from child"
    hFlush h
 
main = do
    (childSock, parentSock) <- socketPair AF_UNIX Stream defaultProtocol
    let childInt = fdSocket childSock
    print (childSock, parentSock)
    child <- forkProcess $ childFunc childInt
    recv parentSock 10 >>= print

Let the child take a CInt and turn it into a Socket[1]:

import Control.Concurrent
import Control.Concurrent.MVar
import System.Posix.Process
import System.Posix.IO
import System.Posix.Types
import Network.Socket
 
childFunc sInt = do
    s <- mkSocket sInt AF_UNIX Stream defaultProtocol Connected
    send s "Ping from child" >> return ()
 
main = do
    (childSock, parentSock) <- socketPair AF_UNIX Stream defaultProtocol
    let childInt = fdSocket childSock
    print (childInt, parentSock)
    child <- forkProcess $ childFunc childInt
    recv parentSock 10 >>= print
  1. It seems the socket is in the Connected state after socketPair succeeds.[back]

Dents for 2009-10-23

Epilicious is dead, say hello to BMS

With Python being dropped as a language for extensions in epiphany 2.28 I needed to replace epilicious. I tried writing it in JavaScript (seed was integrated in 2.28), but I gave up due to hitting too many hurdles on the way. Instead I decided to rewrite epilicious using Vala and a minimal layer of C.

It turned out to be very doable, despite epiphany’s extension API lacking Vala bindings (Cosimo Cecchi, I’m looking at you :-) ). Basically I did the following setup:

  1. Add the extension following the instructions in Writing Epiphany Extensions by Adam Hooper.
  2. Add a check for valac in configure.ac.
  3. Add a rule in the extension’s Makefile.am to generate a C header file for all the Vala code, for use from C.

Then I started writing the actual extension. I did the minimal amount of work in C, trying to escape as soon as possible into Vala. In the few places I needed to call from Vala into C I would declare a delegate in Vala, and pass a function from C.[1]

I call this new version BMS, for bookmark synchronisation. I have a patch for BMS that applies to epiphany 2.28.1. (The file also contains a PKGBUILD in order to delight Arch users :-) )

I should probably point out that while epilicious never could be called polished, BMS is even less so. I might find the time to make it multi-threaded, so that it’s possible to do some sort of progress dialogue, but don’t hold your breath. In the back of my mind is also the thought of rewriting it yet again, in JavaScript/seed.

  1. The format of .vapi files is unknown to me, and I haven’t managed to find much documentation. Using function pointers seemed like an easier way, especially given that I needed this in exactly 3 places.[back]

Dents for 2009-10-22

  • #identi.ca I’m confused, does Twitter config option “Import my Friends Timeline.” not mean what I think it does? AFAICT nothing’s imported. #
  • Dear CNNMoney.com, you need a meta tag for Content-Type on your printer-friendly pages to make sure the character set is set correctly. #
  • I hate shell scripting! #
  • @drewfitzsimmons I too want an N900, still slightly confused as to what sort of suitable PAYG/subscription different operators offer though. #

Powered by modified Twitter Tools.

Twitter Weekly Updates for 2009-10-18

  • Viv seemed to enjoy her first night in her new, non-cot, bed. #
  • Almost at a fully working vimoutliner now. #
  • Hmm, was that a "Programming Perl" on Chuck's bedside table? #
  • Ah! Gnome 2.28 has hit Arch. Joy! #
  • How to change peoples' behaviour: http://tinyurl.com/y8aa9us #
  • Some ups and downs with new Gnome 2.28, mostly ups, as expected. #
  • Back on xmonad at home again. What a relief! #
  • Epiphany bookmark sync slowly getting there, all that's left is dealing with removed bookmarks. #
  • Impressed with Thunderbird 3 so far, the real test will be tomorrow when I try it out at work. #
  • Implementation of algorithm for bookmark sync is done, now it's only the boring usability stuff left. #
  • There are some fields where ALL bugs should be fixed, and bugfixes issued and applied ASAP: http://tinyurl.com/yfhu3x6 #
  • Times Online now requires logging in to comment. No more commenting from me until they start using #OpenID. #
  • FLOSS weekly on Boycott Novell: the first episode I couldn't stand listening to in its entirety. #
  • Catching up on subscriptions, it seems there are quite a few CLUGgers on identi.ca :-) #
  • Ah, damn it! Stuck on a bug in a vapi file, and that format is almost completely undocumented. Well, off to relax with some telly instead. #
  • Playing with Gnome Keyring, in C, since the Vala binding has some bugs. #
  • How irritating. Can't find the drill. Has someone borrowed it? #
  • Drill reserved at Argos for tomorrow. Picking up at lunch unless the old one surfaces. #

Powered by Twitter Tools