I wanted to use a Logitech R400 that a friend loaned my in a presentation, but I wanted to tweak the mappings for the buttons a bit. My presentation is done using Reveal.js and uses both left/right and up/down. The R400 has four buttons but two of them are mapped to “go to black screen” and “slideshow mode” neither of which is useful to me. Here is how I fixed it in Fedora 20.
- Create the directory
/etc/udev/hwdb.d - Write the following out to
/etc/udev/hwdb.d/99-logitech-r400.hwdb# The lower left button actually emits two # different scancodes depending on the state of # the "presentation". # E.g. one code to start and one to stop. keyboard:usb:v046DpC538 KEYBOARD_KEY_70029=up KEYBOARD_KEY_7003E=up KEYBOARD_KEY_70037=down KEYBOARD_KEY_7004B=left KEYBOARD_KEY_7004E=rightThis maps the left and right buttons to left and right, the both states of the slideshow button to up, and the blank screen button to down. The
046Dis the Logitech vendor code and theC538is the model number. Those magic numbers after “KEYBOARD_KEY” are the scancodes associated with the button. Supposedlyshowkey --scancodeswill display them but I couldn’t get that to work and ended up taking them from another blog post. - Now we need to load this information.
# udevadm hwdb --update && udevadm trigger - We can test by running the command below and pushing the buttons
# xev | grep -A2 --line-buffered '^KeyRelease' | sed -n '/keycode /s/^.*keycode \([0-9]*\).* (.*, \(.*\)).*$/\1 \2/p' - Everything should work now, but if we unplug the USB receiver everything gets reset. That’s annoying so we will fix it
- Write the following to
/etc/udev/rules.d/99-logitech-r400.rulesSUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c538", IMPORT{builtin}="hwdb 'keyboard:usb:v046DpC538'", RUN{builtin}+="keyboard"That will import our custom mapping when the USB receiver is plugged in.
Thanks to the following who helped me figure all this out:
- Create the directory
In my experience, the best way to learn about how to package RPMs is to look at how other people package RPMs. That means looking at lots of spec files. Sure
fedpkgwill let you clone lots of package repos, but what if you only have the SRPM? You can get the spec file out of a SRPM, but it takes a little work withcpio, a tool with so many options that I can never remember the exact invocation. So I wrote a quick two-liner to save me some aggravation:#! /bin/sh spec=$(rpm -qlp $1 | grep -E '\.spec$') rpm2cpio $1 | cpio -i --to-stdout $specAnd how can you get the SRPM? Simple, install
yum-utilsthen run$ yumdownloader --source --downloadonly PACKAGE_NAMEI use mock frequently when I am building packages for Fedora. Koji is great, but mock really shines when you are rapidly iterating over spec file changes. The
--no-cleanoption keeps the chroot around so you don’t have to download packages repeatedly and you can actually look around inside the chroot to see where a build is going wrong if you need to.I also use repoquery a lot to see what a package requires or provides. Knowing what a package requires or provides is especially helpful when you’re doing builds. By default repoquery runs against the repos in
/etc/yum.repos.d. Wouldn’t it be nice if we could run repoquery against the repos set up in our mock configs?It turns out that you can. Repoquery takes a
--repofrompathargument that can be used to create an ad hoc repo to query. The only missing piece is reading the mock config, grabbing the repo URL, and formatting it.I wrote a little Zsh function to do just that.
#! /bin/zsh mock-repoquery() { local profile="$1" [ -f "$profile" ] || profile="/etc/mock/${1}.cfg" # Take all baseurls in a file and make them into an array # See Parameter Expansion Flags section of the zshexpn man page and # http://unix.stackexchange.com/a/29748 local repo_urls repo_urls=("${(@f)$(sed -n -r 's/.*baseurl=(.*)(\\n|$)/\1/p' $profile | cut -d'\' -f1)}") local repo_args repo_args=() for ((i=1; i <= ${#repo_urls}; i++)); do repo_args+="--repofrompath=r${i},$repo_urls[i]" repo_args+="--repoid=r${i}" done repoquery "${repo_args[@]}" "$@[2,-1]" } mock-repoquery "$@"Drop the above code into
~/.zfunc/mock-repoqueryand then add the following to~/.zshrcfpath=( ~/.zfunc "${fpath[@]}" ) autoload -Uz mock-repoqueryThen you can use
mock-repoqueryby passing a mock profile as the first argument. Any additional arguments will be forwarded to repoquery. For example:$ mock-repoquery /etc/mock/fedora-20-x86_64.cfg --requires tig git libc.so.6(GLIBC_2.15)(64bit) libncursesw.so.5()(64bit) libtinfo.so.5()(64bit) rtld(GNU_HASH)Note that
mock-repoquerywill only work in Zsh due to my usage of Zsh parameter expansion. Converting this function to work in Bash is possible, but I use Zsh so I didn’t bother. Patches will be accepted happily!Much of the data in the PKI world is stored in Abstract Syntax Notation One (ASN.1) so a basic understanding is necessary. ASN.1 is a way to describe data by starting from primitive types and building up to more complex types. Do you remember Backus-Naur Form? What about writing XML schemas in XSD? It’s the same concept.
Let’s say we have a Widget. Every Widget has a model name, a serial number, and some inspection information with the name of the inspector and the dates of the inspections. Our Widget then looks like this in ASN.1:
Widget ::= SEQUENCE { model IA5String, serialNumber INTEGER, inspections InspectionInfo } InspectionInfo ::= SEQUENCE { inspectorName IA5String, inspectionDates SEQUENCE OF DATE }Now let’s go over that. A SEQUENCE is one of the four ASN.1 structured types and it’s just an ordered collection of items. Inside that sequence we have an IA5String (International Alphabet 5 — basically ASCII), an INTEGER, and then an item of InspectionInfo type. We continue down and see InspectionInfo is also a SEQUENCE containing the inspector’s name and the inspection dates. The inspection dates are a SEQUENCE OF, another structured type that holds zero or more occurrences of a given type. In this case, the given type is DATE.
There is more to it that I don’t understand, but that is enough for the RFCs to make sense.
Now that we have our widget defined, we’ll use an ASN.1 library to build a data structure and then write it to DER. DER (Distinguished Encoding Rules) is just a way to encode an object in binary in a strict, unambiguous manner. Alternatively, we can define an ASN.1 structure and decode DER into it.
DER vs PEM
DER is the ASN.1 data encoded in binary, but DER isn’t so great if you need to email a public key to someone for example. The binary is apt to get screwed up in transit. So we just take the DER, encode it in Base64 and add on BEGIN and END markers. If you need something in DER, it’s as simple as striping off the markers, removing all the newlines, and then Base64 decoding. Do note, however, that OpenSSL can add “headers” to PEM files. For instance, if an RSA private key has been encrypted with DES3, you’ll see something like
Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,C0F5225DEC6ADA07before the actual Base64 encoded data. This is weird and from what I can tell non-standard. Here is how BouncyCastle reads PEM files.
PKCS Specifications
The PKCS specifications are just ways to specify the ASN.1 for different PKI needs. There is a good overview here. If you’re ever in doubt, use openssl’s asn1parse command and it will show you all the gory details.
Let’s look at an example. PKCS1 defines the format of public and private RSA keys. OpenSSL outputs the RSA keys it generates in PKCS1 (this example goes for unencrypted keys; encrypted keys are in the non-standard format I mentioned earlier). Now that we know ASN.1, we can decode them. Here is the ASN.1 for RSA private keys in PKCS1:
RSAPrivateKey ::= SEQUENCE { version Version, modulus INTEGER, -- n publicExponent INTEGER, -- e privateExponent INTEGER, -- d prime1 INTEGER, -- p prime2 INTEGER, -- q exponent1 INTEGER, -- d mod (p-1) exponent2 INTEGER, -- d mod (q-1) coefficient INTEGER, -- (inverse of q) mod p otherPrimeInfos OtherPrimeInfos OPTIONAL } Version ::= INTEGER { two-prime(0), multi(1) } (CONSTRAINED BY { -- version must be multi if otherPrimeInfos present -- }) OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo OtherPrimeInfo ::= SEQUENCE { prime INTEGER, -- ri exponent INTEGER, -- di coefficient INTEGER -- ti }That’s a lot of stuff, but the otherPrimeInfos bit is optional and it’s unlikely that we’ll care about the version. Here’s how we would parse this using JSS and turn it into a usable Java object:
private KeyPair readPrivateKey(byte[] der, String password) throws CertificateException { try { SEQUENCE.Template template = SEQUENCE.getTemplate(); // Create a template for the sequence matching the PKCS1 format for (int i = 0; i < 9; i++) { template.addElement(INTEGER.getTemplate()); } SEQUENCE seq = (SEQUENCE) template.decode(new ByteArrayInputStream(der)); //element 0 is the version which we don't need INTEGER mod = (INTEGER) seq.elementAt(1); INTEGER pubExp = (INTEGER) seq.elementAt(2); INTEGER privExp = (INTEGER) seq.elementAt(3); INTEGER p1 = (INTEGER) seq.elementAt(4); INTEGER p2 = (INTEGER) seq.elementAt(5); INTEGER exp1 = (INTEGER) seq.elementAt(6); INTEGER exp2 = (INTEGER) seq.elementAt(7); INTEGER crtCoef = (INTEGER) seq.elementAt(8); rsaKeyFactory = KeyFactory.getInstance("RSA"); RSAPublicKeySpec pubSpec = new RSAPublicKeySpec(mod, pubExp); RSAPrivateCrtKeySpec privSpec = new RSAPrivateCrtKeySpec( mod, pubExp, privExp, p1, p2, exp1, exp2, crtCoef); return new KeyPair( rsaKeyFactory.generatePublic(pubSpec), rsaKeyFactory.generatePrivate(privSpec)); } catch (Exception e) { throw new CertificateException("Could not read private key", e); } }What does that method do? First it defines a template that matches the PKCS1 ASN.1 (a SEQUENCE of 10 INTEGERs). Then we give the template a byte array and tell it to decode our DER data. Now we have the data in a SEQUENCE and we just pluck out the elements that we care about (in this case all the math stuff). We take the elements and define a KeySpec from them. We feed the KeySpec into a KeyFactory and build the KeyPair.
PKCS12 Keystores
The PKCS12 format is a little more complicated. It defines a way to store a bunch of X509 certs and key pairs all in one file and then have that file encrypted. Thus, these files are often called “keystores”. If you are dealing with keystores often (either PKCS12 or the Java alternative, JKS), I recommend a tool called Portecle. It’s a GUI that let’s you see everything in a keystore, import or export items, and generate CSRs or import signed certs.
Why do we need a keystore? A freshly installed Fedora machine is only going to have a small list of accepted certificate authorities (CAs). You can either get a certificate that has a chain stretching back to one of these root CAs (like Thawte or Verisign) or you can install an additional CA into the system’s list of acceptable CAs. If you opt for the chain of trust approach, then a keystore is a good way of keeping everything in one package.
(On a side note, if you want to install an additional CA into your Fedora machine, drop it in /etc/pki/ca-trust/source/anchors/ and run the
update-ca-trustcommand.)PKI File Extensions
There are a lot of file extensions for PKI objects: pem, der, csr, key, crt, p12, etc. Naming a file “.pem” is pretty pointless as that only tells you the format and not what the object in the file is. In my opinion, it’s best to use extensions that mean something like “.key” for a private key, “.csr” for a certificate signing request, or “.p12″ for a PKCS12 keystore.
Conclusion
Of course there is a lot more to learn about PKI, but hopefully this primer will give you a basic foundation.
For me, the holy grail of working with virtual machines is
$ ssh root@my-vmI am tired of manually updating /etc/hosts or looking at arp tables1. There’s got to be a better way. And there is! Here’s how. This works with Fedora 20. Your mileage may vary with other distros.
- Read this article. It will explain the basics, but follow the instructions below because there are a few differences in the process on Fedora.
Add the following line to
/etc/NetworkManager/NetworkManager.confunder the [main] block:dns=dnsmasqThis line tells NetworkManager to run a dnsmasq process.
- Download this script that will take care of writing out a
hostsstyle file that dnsmasq will use for name resolution.$ curl -o /usr/bin/virt-hosts https://raw.github.com/awood/virt-utils/master/virt-hosts && chmod 755 /usr/bin/virt-hosts $ echo "addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts" >> /etc/NetworkManager/dnsmasq.d/virt-hostsThis line tells NetworkManager to add the
default.addnhostsfile to the list of places that dnsmasq looks at for name resolution.$ yum install -y incron$ systemctl enable incrond.service && systemctl start incrond.serviceSet up incron to run
virt-hostsevery time we detect a change in the status of a virtual machine.$ echo "/var/lib/libvirt/dnsmasq/default.leases IN_MODIFY /usr/bin/virt-hosts -ur" > /etc/incron.d/virt-hostsAdd the following line to
/etc/sysconfig/network-scripts/ifcfg-em1DOMAIN="default.virt"$ systemctl restart NetworkManager$ ssh root@your-vm
Done!
1 The arp table solution seems really simple, but half the time my VMs vanish from the arp table and I can’t get their IP anymore.
h4ck teh world
tbielawa - Push
bitmath
February 25, 2015 - 3:59 pm UTC - Issues
RHInception/jsonstats
February 17, 2015 - 3:40 pm UTC - Issue Comment
RHInception/jsonstats
February 17, 2015 - 3:39 pm UTC - Push
RHInception/jsonstats
February 17, 2015 - 3:39 pm UTC - Pull Request
RHInception/jsonstats
February 17, 2015 - 3:39 pm UTC
- Push
Technitribe by Tim Bielawa is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.