December 18, 2014

Install a minimal X on Linux

apt-get install xinit i3 rxvt

i3 is the lightweight window manager
rxvt is the terminal
xinit gives you X windows and the famous "startx" command

To make i3 use your full screen resolution, create the file ~/.xinitrc with the following contents:

xrandr --output Virtual1 --mode 1680x1050
exec i3

You may need to change the output name "Virtual1" to match your system. Use xrandr to list all known outputs and their modes (X must already be running for that).

December 9, 2014

p11tool, gnutls and PIV CAC card

p11tool --list-all-certs

p11tool --login --export "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=36889385781093f6;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=Certificate%20for%20Digital%20Signature;object-type=cert" > /tmp/02.cert

p11tool --list-all-privkeys --login

x509 certificate subject name and OID

In an X.509 certificate, there is always a subject name like the following:

$ openssl x509 -in user-cert.pem -text -noout
        Version: 3 (0x2)
        Serial Number: 1373122324 (0x51d82f14)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA
            Not Before: Jul  6 14:52:05 2013 GMT
            Not After : May 15 14:52:05 2023 GMT
        Subject: UID=test,CN=A user

Inside the subject line there can be multiple subparts, such as CN=xxx, DC=xxxx, UID=xxx, OU=xxx, C=xxx, ... Each subpart is represented in the certificate as an OID that is globally unique and registered with IETF. For example, the OID of CN is, and the OID of UID is 0.9.2342.19200300.100.1.1. How are we supposed to find out the OID? OpenSSL provides a command-line option for just that.

openssl x509 -in user-cert.pem -text -noout -nameopt RFC2253,oid

This command prints the certificate with each subject attribute shown as OID=xxx (for example 0.9.2342.19200300.100.1.1=test) instead of CN=xxx.
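As an added example (not from the original post), here is a small decoder that walks the DER of a Subject Name and recovers the OID of each attribute, reproducing the OID=value form described above. It uses only the standard library; the Name bytes are hand-constructed for the example and encode the post's subject, UID=test,CN=A user.

```python
"""Decode an X.509 Subject Name at the DER level and show each attribute as
OID=value, which is what `openssl x509 -nameopt RFC2253,oid` prints.
Added example (not from the original post), standard library only. The DER
below is hand-constructed for the example and is not from a real certificate."""
SHORT_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
               "0.9.2342.19200300.100.1.1": "UID", "0.9.2342.19200300.100.1.25": "DC"}

SAMPLE_SUBJECT_DER = bytes.fromhex(
    "3027"                                       # SEQUENCE (Name), 39 bytes
    "3114" "3012" "060a" "0992268993f22c640101"  # SET{SEQ{OID 0.9.2342.19200300.100.1.1,
    "0c04" "74657374"                            #         UTF8String "test"}}
    "310f" "300d" "0603" "550403"                # SET{SEQ{OID 2.5.4.3,
    "0c06" "412075736572")                       #         UTF8String "A user"}}

def read_tlv(buf, pos):
    """One DER TLV at pos (short-form length only) -> (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form lengths not handled in this example"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(body):
    """OID content bytes -> dotted string. Byte 0 packs arcs 0 and 1 as 40*a+b
    (fine for a in 0..2, b < 40); later arcs are base-128, high bit = 'more'."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """Walk Name -> RDN SET -> AttributeTypeAndValue; return [(oid, value), ...]."""
    _, seq, _ = read_tlv(der, 0)                  # outer SEQUENCE
    rdns, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)          # SET (single-valued RDN assumed)
        _, atv, _ = read_tlv(rdn, 0)              # SEQUENCE { type, value }
        _, oid_body, p = read_tlv(atv, 0)         # OBJECT IDENTIFIER
        _, value, _ = read_tlv(atv, p)            # UTF8String / PrintableString
        rdns.append((decode_oid(oid_body), value.decode()))
    return rdns

def format_name(rdns, use_oid=False):
    """RFC 2253 form: RDNs in reverse order, either OID=value or CN=value."""
    return ",".join((oid if use_oid else SHORT_NAMES.get(oid, oid)) + "=" + value
                    for oid, value in reversed(rdns))

if __name__ == "__main__":
    print(format_name(decode_name(SAMPLE_SUBJECT_DER), use_oid=True))
```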

December 8, 2014

cross compile openconnect

OpenConnect is a nice open source SSL VPN client for Cisco AnyConnect, and also for the open source SSL VPN server ocserv (hosted on the same website as OpenConnect). Below are some tips on how to cross compile OpenConnect for ARM with GnuTLS.

OpenConnect works with both OpenSSL and GnuTLS. However, to use a hardware token (smart card, etc.), you need GnuTLS.

OpenConnect depends on GnuTLS (3.3.9)
GnuTLS depends on libnettle and libhogweed 2.7.1 (both in the nettle package)
libnettle depends on GNU GMP (libgmp, version 6.0.0)

To use a hardware token, GnuTLS also depends on p11-kit (version 0.22.1), pcsc-lite (version 1.8.11) and opensc (0.14.0), which itself depends on pcsc-lite.

All of these packages use autoconf, so running "configure" generates the makefile(s). We pass --prefix=/opt/ncs-install so that every package installs into the same tree and later packages can find the earlier ones there. Below are the customized "configure" invocations for each package:

# p11-kit
CC=arm-none-linux-gnueabi-gcc CXX=arm-none-linux-gnueabi-g++ ./configure --host=arm-linux --prefix=/opt/ncs-install \
        --without-libffi --without-libtasn1

# GMP (no dependencies, so no extra include or library paths)
CC=arm-none-linux-gnueabi-gcc CXX=arm-none-linux-gnueabi-g++ ./configure --host=arm-linux --prefix=/opt/ncs-install

# nettle (needs the GMP headers and library already installed under the prefix)
CFLAGS=-I/opt/ncs-install/include LDFLAGS=-L/opt/ncs-install/lib CC=arm-none-linux-gnueabi-gcc CXX=arm-none-linux-gnueabi-g++ ./configure --host=arm-linux --prefix=/opt/ncs-install

# pcsc-lite (libusb backend instead of libudev)
CC=arm-none-linux-gnueabi-gcc ./configure --host=arm-linux --disable-libudev --enable-libusb \
        LIBUSB_CFLAGS="-I/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/include/libusb-1.0/ -L/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/lib"

# opensc (run as a bash script placed next to the pcsc-lite source tree; DIR is the script's own directory)
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
export LTLIB_LIBS="-L/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/lib/ -lltdl"
export PCSC_CFLAGS="-I$DIR/../pcsc-lite-1.8.11/src/PCSC"
export LIBTOOL_SYSROOT_PATH=/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/
export CFLAGS="-I/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/include -L/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/lib"
export LDFLAGS="-lcrypto"
export CC=arm-none-linux-gnueabi-gcc
./configure --host=arm-linux -v

# GnuTLS
CFLAGS=-I/opt/ncs-install/include LDFLAGS=-L/opt/ncs-install/lib \
ZLIB_CFLAGS=-I/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/include/ \
ZLIB_LIBS="-L/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/lib -lz" \
CC=arm-none-linux-gnueabi-gcc CXX=arm-none-linux-gnueabi-g++ ./configure --host=arm-linux --prefix=/opt/ncs-install \
 --with-nettle-mini --disable-crywrap \
 --with-p11-kit

# openconnect (GnuTLS backend, OpenSSL disabled)
LIBPCSCLITE_CFLAGS=-I/opt/ncs-install/include/PCSC/ \
LIBPCSCLITE_LIBS="-L/opt/ncs-install/lib -lpcsclite" \
LIBXML2_CFLAGS=-I/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/include/libxml2/ \
LIBXML2_LIBS="-L/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/lib -lxml2" \
CFLAGS=-I/opt/ncs-install/include \
LDFLAGS="-L/opt/ncs-install/lib -lp11-kit -lnettle -lhogweed -lgmp" \
ZLIB_CFLAGS=-I/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/include/ \
ZLIB_LIBS="-L/opt/ezsdk/linux-devkit/arm-none-linux-gnueabi/usr/lib -lz" \
CC=arm-none-linux-gnueabi-gcc ./configure --prefix=/opt/install --disable-nls --host=arm-linux --without-openssl --with-gnutls

December 4, 2014

how to verify certificate signed by intermediate CA

openssl verify -untrusted intermediate-ca.pem your-cert.pem

Put the intermediate CA certificates (PEM format, concatenated) in intermediate-ca.pem and pass that file with the "-untrusted" option. That name tricked me initially, but that's the one to use.

The command above verifies against the system CA list. If you have your own root CA, add the option "-CAfile your-ca.pem".
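An added example (not part of the original post) that builds a disposable root -> intermediate -> leaf chain with openssl and shows the failing and succeeding verify calls side by side. It assumes openssl (1.1.1 or later, for the options used) and mktemp are on the PATH; every name and file in it is made up for the example.

```sh
#!/bin/sh
# Added example, not part of the original post: build a throwaway
# root -> intermediate -> leaf chain in a temp dir and show why the
# intermediate has to be handed to "openssl verify" with -untrusted.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder, overridden by -subj
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

gen_chain() {
  # Root: self-signed; the only certificate we will trust via -CAfile.
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 2 -config req.cnf \
    -subj "/CN=Test Root CA" -extensions ca_ext -keyout root.key -out root.pem 2>/dev/null
  # Intermediate: CSR signed by the root, with CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "/CN=Test Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile req.cnf -extensions ca_ext -out inter.pem 2>/dev/null
  # Leaf: CSR signed by the intermediate (this plays "your-cert.pem").
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "/CN=A user" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -extfile req.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
}

# Root only: no path from the leaf to a trusted cert, so this fails with
# "unable to get local issuer certificate".
verify_without_untrusted() { openssl verify -CAfile root.pem leaf.pem; }
# Same trust anchor, intermediate offered as untrusted chain material: OK.
verify_with_untrusted() { openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem; }

gen_chain
verify_without_untrusted || echo "fails without -untrusted, as expected"
verify_with_untrusted
```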