Monday, 14 May 2007

Signing Jars with pvk

I had a little fun signing Jar files recently. I was using Comodo for my code signing certificate, which generates the CSR and private key using MSIE and xenroll - which suits me (I once briefly ran a CA before, based on ssleay and xenroll). I exported the private key as a pvk file during the generation process.

The difficulty was getting the Java keytool to import a private key. The other difficulty was getting the secret proprietary Microsoft .pvk format into a form that anything else knew about.

I got it working using pvktool to convert from pvk to pem format:

wine pvk.exe -in mykey.pvk -nocrypt -out mykey.pem 

I then used openssl to combine the key pem file with the cer file I had exported from MSIE to make a pkcs12 file:

openssl pkcs12 -export -chain -name FRIENDLYNAME -inkey mykey.pem -in mycert.cer -out all.pkcs12


The final clue was to give up using keytool to import the pkcs12 into the java keystore, but just use the pkcs12 file directly:

jarsigner -storetype pkcs12 -keystore all.pkcs12 JARFILE.JAR "FRIENDLYNAME"

For completeness I note that a pfx export from MS Windows is close enough to a PKCS12 file, as is an export from Mozilla Firefox; however I wasn’t able to import the openssl-generated pkcs12 file into MS IE, unless I imported it and exported it through Firefox first. It may be something else I had done wrong at the same time that stopped it working otherwise.

And I’m not sure where the certificate chain came from; openssl’s root CAs, no doubt.
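The two checks worth making before handing a bundle like all.pkcs12 to jarsigner are that the private key really belongs to the certificate, and that the chain packed into the bundle is the one you meant to include rather than whatever openssl’s default CA store happened to supply. The script below is an added example, not the commands from this post: it generates a throwaway CA and signer (constructed stand-ins for mykey.pem and mycert.cer), names the chain explicitly with -certfile instead of -chain, and verifies both points. It assumes openssl on PATH; the password, FRIENDLYNAME and file names are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own commands): assemble a PKCS#12 bundle from a
# PEM private key and certificate, and check what is worth checking before
# handing it to jarsigner: that the key matches the certificate, and that the
# chain in the bundle is the one you supplied rather than whatever openssl's
# default CA store contributed.
set -eu

WORK=${WORK:-$(mktemp -d)}
P12_PASS=${P12_PASS:-changeit}   # placeholder password for the demo bundle

# Constructed throwaway CA and signer, standing in for mykey.pem (the pvk
# converted to PEM) and mycert.cer (the certificate exported from the browser).
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Code Signer" \
      -keyout "$WORK/mykey.pem" -out "$WORK/signer.csr" >/dev/null 2>&1 &&
  openssl x509 -req -days 1 -in "$WORK/signer.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/mycert.cer" >/dev/null 2>&1
}

# True only if the public key in the certificate equals the public half of the
# private key; a mismatch here is a classic reason a jar signature fails to verify.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Bundle key + certificate + chain under a friendly name. The post used -chain,
# which pulls the chain from the CA store; -certfile names it explicitly.
build_pkcs12() {
  openssl pkcs12 -export -name "$5" -inkey "$1" -in "$2" -certfile "$3" \
      -passout "pass:$P12_PASS" -out "$4"
}

# Number of certificates in the bundle (signer plus chain).
count_certs_in_pkcs12() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Returns 0 when every check passes, 1 on a failed check, 77 if openssl is missing.
demo() {
  command -v openssl >/dev/null 2>&1 || return 77
  make_test_material || return 1
  key_matches_cert "$WORK/mykey.pem" "$WORK/mycert.cer" || return 1
  # Negative control: the CA's key must not match the signer certificate.
  if key_matches_cert "$WORK/ca.key" "$WORK/mycert.cer"; then return 1; fi
  build_pkcs12 "$WORK/mykey.pem" "$WORK/mycert.cer" "$WORK/ca.pem" \
      "$WORK/all.pkcs12" FRIENDLYNAME || return 1
  [ "$(count_certs_in_pkcs12 "$WORK/all.pkcs12")" -eq 2 ] || return 1
  echo "ok: sign with: jarsigner -storetype pkcs12 -keystore $WORK/all.pkcs12 JARFILE.JAR FRIENDLYNAME"
}

# Only run the demonstration when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "run" ]; then
  demo
fi
```

Run it as sh build-p12.sh run. To use it for real, drop make_test_material and point build_pkcs12 at your own mykey.pem, mycert.cer and a PEM file holding the issuing CA’s intermediate and root certificates; the friendly name passed to -name is the alias jarsigner expects at the end of its command line.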

Sunday, 1 April 2007

BYU-TV on linux

This weekend I was watching the General Conference of the Church of Jesus Christ of Latter-day Saints (the Mormons).

The church itself no longer provides windows media streams of the video during the event, but audio only. This allows them to use their resources to provide audio streams to a wider range of users and in more languages.

Users wanting video are instead directed to www.byu.tv. Alas, whereas before I was able to use my Linux video player of favour (totem or mplayer) to watch video, BYU TV streams video using a proprietary video format and requires a proprietary video player which seems to require the purchase and licensed use of certain proprietary operating systems (Windows or MacOS). I may have mentioned that I’m using Ubuntu Linux.

Fortunately, as I have an x86 platform, I was able to watch all of conference on Linux by using Windows Firefox running under WINE with the Move Networks plugin. It was a simple matter of making sure I had WINE installed, then installing Firefox for Windows, and then browsing to www.byu.tv where I was prompted to load the Move Networks plugin.

Sadly the Move Networks plugin thought it was running in 256 colour mode, and so rendered the 24 bit colour into 8 bit hatching. (I took a screen-grab I can send to demonstrate this if you like.) This required the combined processing power of two 3GHz CPUs to show video at full screen.

Fortunately the Move Networks plugin WOULD play even when it thought it was in 256 colour mode, and fortunately I did have two 3GHz CPUs so I COULD watch in full screen.

Implications are that Move Networks could do an x86 Linux plugin without too much hard work, if they would link with winelib.

It would still be a horrible proprietary video format and player, but at least I would be able to choose my operating system.

Thursday, 22 March 2007

Friday, 9 March 2007

The SPAM solution - Demand Good Manners

About a year ago I recognized the SPAM problem for what it really is, how it really works, and what it really does. There is nothing new about SPAM: it pre-dates the printing press, it pre-dates common literacy; SPAM as we know it is just a special form of an old problem.

What problem?

Bad Manners

It’s rude to talk to someone you’ve not been introduced to. In Pride and Prejudice, Mr Collins tries to introduce himself to Mr Darcy by way of knowing his relative, but is scorned and ignored.

Why don’t well-mannered cultured people speak with those to whom they are not introduced? Simply because they would be mistaken for bad-mannered hangers-on, butters-in or favour-grabbers.

Why do we have a problem with spam? Because we authorize our mail servers to accept mail from any ne’er-do-well without the slightest introduction.

Don’t talk to strangers

In the human world (body snatchers and Manchurian candidates aside) the human’s body and social knowledge are a good substitute for the person’s own identity, and thus it is possible to recognize respectability (as we deem it) and trust (as we value it) in whatever circumstance we find ourselves.

In the electronic world of the internet the email From: address is a poor substitute identity, and often spoofed. SYN-spoofing was solved with SYN-cookies; but what is the email equivalent? SYN-cookies don’t avoid depleting resources when the claimed sending node really is the sending node. A higher level email equivalent would merely prove that there was such a valid email identity for the moment.

SPF is an attempt to filter out messages sent from a bogus location. If I know my mother is in Brighton, and I receive a letter asking me to remit 100 pounds to her sister, but the sender’s postmark is Liverpool, I could guess that the letter was a forgery. SPF is a way for domain administrators to allow mail spoofed from their domain to be recognized. As a consequence most SPAM spoofers will not spoof From: addresses using domains that have SPF records.

However my problem is how to stop hangers-on and cold-callers offering me the latest in pills or potions, or job offers in Belle Vue, California (instead of Belle Vue, Wakefield), from troubling me with their wares. I want them to obtain an introduction, I want to assess how I trust them, and not be troubled by the quantity of callers jostling for attention.

The solution is to resurrect the habit of requiring introductions as we again live in a world inhabited by those who are anxious to push their message upon us as if it were the only thing we longed to hear.

Trusted Identity

If your friends get themselves an SSL certificate for email, or use PGP and establish a web-of-trust, it will be easily possible to recognize email from those friends as such, howsoever sent. If the said friends can competently manage this electronic identity and associated cryptographic keys, you will be able to trust their identity, and their mail need never go astray, wrongly filtered as spam.

Those without such SSL or PGP signatures will be strangers, albeit recognizable strangers if they use SPF records.

Have an Identity, be trusted

What’s the solution? Have an identity, use it, be trusted.

Sadly some jurisdictions recognize such signed emails as legally binding; use of signing keys is not recommended to the incompetent in such jurisdictions.

Get your signing keys certified by http://www.thawte.com/

Why haven’t I done this? Because it’s too complicated, I’m too busy, and I don’t trust my computer with my keys (!!), so I’ll have to get a smart-card from FSFE-UK.

Wednesday, 7 March 2007

Collapsing on clusters

I’ve seen use of preceding-sibling to collapse on unique attributes, but how about collapsing clusters on unique attributes? For example:
a,a,a,b,a,b,b,c should collapse to a,b,a,b,c

Here’s some XSLT I came up with to detect which position a node is in within its cluster, and what cluster number it is in. NODE represents the nodes being collapsed, and VALUE/@value a child node/attribute that is being collapsed upon.

Here we look for the number of nodes (the current node included) that are not preceded by a node having the same value; each such node starts a cluster, so this count is the current node’s cluster number.


<xsl:variable name="cluster-no" select="count(preceding-sibling::NODE[
  not(VALUE/@value = preceding-sibling::NODE[1]/VALUE/@value) ]
 |current()[not(VALUE/@value = preceding-sibling::NODE[1]/VALUE/@value)]
)"/>


Here we count the number of nodes that precede the current node and have the same value, with no intervening node having a different value; this will be the position in the current cluster (zero for the first node of a cluster).


<xsl:variable name="position-in-cluster" select="count(preceding-sibling::NODE[
  VALUE/@value = current()/VALUE/@value
  and not( VALUE/@value != following-sibling::NODE[
    count(following-sibling::NODE[ generate-id()=generate-id(current()) ]) &gt; 0
  ]/VALUE/@value )
])"/>
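To see both expressions at work end to end, here is an added example (not part of the original post) that wraps them in a complete XSLT 1.0 stylesheet, writes a constructed input encoding a,a,a,b,a,b,b,c, and runs it through xsltproc. The report prints each node’s value, cluster number and zero-based position in its cluster, and the final line collapses the list by keeping only the first node of each cluster, which for this input is a,b,a,b,c. The list element name and the use of xsltproc are assumptions; the XPath is the post’s own.

```shell
#!/bin/sh
# Added example, not from the original post: the two XPath expressions from the
# post in a complete XSLT 1.0 stylesheet, run with xsltproc over a constructed
# input that encodes the sequence a,a,a,b,a,b,b,c.
set -eu

WORK=${WORK:-$(mktemp -d)}

write_input() {
  # Constructed input: one NODE per value, in the post's order. <list> is assumed.
  cat > "$WORK/input.xml" <<'EOF'
<list>
  <NODE><VALUE value="a"/></NODE>
  <NODE><VALUE value="a"/></NODE>
  <NODE><VALUE value="a"/></NODE>
  <NODE><VALUE value="b"/></NODE>
  <NODE><VALUE value="a"/></NODE>
  <NODE><VALUE value="b"/></NODE>
  <NODE><VALUE value="b"/></NODE>
  <NODE><VALUE value="c"/></NODE>
</list>
EOF
}

write_stylesheet() {
  cat > "$WORK/collapse.xsl" <<'EOF'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/list">
    <!-- One line per NODE: value, cluster number, zero-based position in cluster -->
    <xsl:for-each select="NODE">
      <xsl:variable name="cluster-no" select="count(preceding-sibling::NODE[
          not(VALUE/@value = preceding-sibling::NODE[1]/VALUE/@value)]
        | current()[not(VALUE/@value = preceding-sibling::NODE[1]/VALUE/@value)])"/>
      <xsl:variable name="position-in-cluster" select="count(preceding-sibling::NODE[
          VALUE/@value = current()/VALUE/@value
          and not(VALUE/@value != following-sibling::NODE[
            count(following-sibling::NODE[generate-id() = generate-id(current())]) &gt; 0
          ]/VALUE/@value)])"/>
      <xsl:value-of select="VALUE/@value"/>
      <xsl:text> cluster=</xsl:text>
      <xsl:value-of select="$cluster-no"/>
      <xsl:text> pos=</xsl:text>
      <xsl:value-of select="$position-in-cluster"/>
      <xsl:text>&#10;</xsl:text>
    </xsl:for-each>
    <!-- The collapsed list: only the first NODE of each cluster survives -->
    <xsl:text>collapsed: </xsl:text>
    <xsl:for-each select="NODE[not(VALUE/@value = preceding-sibling::NODE[1]/VALUE/@value)]">
      <xsl:if test="position() &gt; 1">,</xsl:if>
      <xsl:value-of select="VALUE/@value"/>
    </xsl:for-each>
    <xsl:text>&#10;</xsl:text>
  </xsl:template>
</xsl:stylesheet>
EOF
}

# Prints the whole report. Returns 77 if xsltproc is not installed.
run_transform() {
  command -v xsltproc >/dev/null 2>&1 || return 77
  write_input && write_stylesheet || return 1
  xsltproc "$WORK/collapse.xsl" "$WORK/input.xml"
}

# Just the collapsed sequence, e.g. a,b,a,b,c
collapse_clusters() {
  report=$(run_transform) || return $?
  printf '%s\n' "$report" | sed -n 's/^collapsed: //p'
}

# Report line for the n-th NODE, e.g. "b cluster=4 pos=1" for n=7
cluster_report_line() {
  report=$(run_transform) || return $?
  printf '%s\n' "$report" | sed -n "${1}p"
}

# Only run the transform when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "run" ]; then
  run_transform
fi
```

Run it as sh collapse.sh run. Note that position-in-cluster is zero-based, so add 1 if you want it to line up with XPath’s one-based position(); the collapsed-list expression at the end is simply the predicate from the cluster-no expression applied directly to the node set.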

Tuesday, 27 February 2007

Abortion is Legal, Pictures are Not

Interesting story in The Register: Veronica Connelly’s guilty conviction was upheld. It appears that she had sent pictures of aborted foetuses to pharmacists that sell the morning-after pill (which technically induces an immediate abortion).

Without discussing whether or not Veronica was intending to be malicious, or how closely the action of the morning-after pill resembles that of a surgical abortion we have an interesting case:

Jewish Holocaust pictures from Nazi Germany (begone, Godwin!) were not considered more offensive than the actions they documented, although they are acknowledged to be "disturbing." Does this mean that it is or would be illegal to send these pictures or show these pictures to the perpetrators, knowing that it would - and in order to - cause offense? How else should one convict the perpetrators with a sense of their own guilt?

Now consider Veronica’s intentions; was it merely to distress or cause anxiety to the recipient, or to convict them of their "guilt"? - which indirectly but very connectedly leads to distress!

How will Oxfam stimulate my guilt over my greed without decidedly distressing me with imagery of poverty and despair? Will their mailshots be replaced with advertising billboards instead, thus becoming legal?

I see animal-rights display stands in the streets at times, showing disturbing pictures of the results of shocking treatment of animals. Are the animal-rights activists forbidden from sending these pictures to the perpetrators but permitted to display them in public?

Will I be unable to dissuade jihadists under criminal law because my arguments distress them? Or will I have to send only open letters generally published?

I guess the law is to save us from personally communicated harassment when others who are offended by some aspect of our legal activity try and convey that offense to us.

At the moment some forms of abortion are legal, but some ways of talking about it are not, and this puzzles my morals; perhaps Veronica was harassing those who were not directly involved in abortions - though this was not relevant to the judgement; BUT it seems it would still have been illegal for Veronica to have sent those pictures to anyone who had been practicing illegal abortion, even if they were photos of the very same aborted foetuses. Would this lead to "Yes, I broke the law, but now I’m offended by pictures of it"?

I can see this as a good defense for speeding camera tickets.

Friday, 9 February 2007

Don’t confuse the message

Design should not obscure the message.

Here’s a web page whose purpose is to help parents and carers in Yorkshire know if their children’s school has been closed due to bad weather.

How many parents or carers do you think will suppose that the school is closed?

In fact the "closed" message is just fancy artwork and conveys no particular information about any school. There are no schools closed at all.

The actual URL was: http://www.ridingsfm.co.uk/pages/home.asp?pageid=275&servername=www.ridingsfm.co.uk

You have to wonder why servername is part of the url… maybe it is to support vhosting for no-cookie http 0.9 clients?