生活紀錄: 2017

2017年12月18日星期一

使用 Arduino Pro Micro 當成 Arduino ISP 燒錄程式到 Atmega328P-PU 之二

請參考上一篇和 From Arduino to a Microcontroller on a Breadboard

雖然他只有提供 breadboard-1-6-x.zip，並沒有 1.8.5 的版本，是可以用的

秘訣是 Arduino IDE 不要使用安裝檔，使用 Windows zip file for non admin install
解開後取出 boards.txt 的內容加入 arduino-1.8.5 的 boards.txt

之前使用安裝檔，一直失敗

C:\Arduino\arduino-1.8.5-windows\arduino-1.8.5\hardware\arduino\avr\boards.txt
##############################################################
atmega328bb.name=ATmega328 on a breadboard (8 MHz internal clock)

atmega328bb.upload.protocol=arduino
atmega328bb.upload.maximum_size=30720
atmega328bb.upload.speed=57600

atmega328bb.bootloader.low_fuses=0xE2
atmega328bb.bootloader.high_fuses=0xDA
atmega328bb.bootloader.extended_fuses=0x05

atmega328bb.bootloader.file=atmega/ATmegaBOOT_168_atmega328_pro_8MHz.hex
atmega328bb.bootloader.unlock_bits=0x3F
atmega328bb.bootloader.lock_bits=0x0F

atmega328bb.build.mcu=atmega328p
atmega328bb.build.f_cpu=8000000L
atmega328bb.build.core=arduino:arduino
atmega328bb.build.variant=arduino:standard

##############################################################

參考上一篇 ProMicro 到 Atmega328P 接線

先燒錄 Bootloader

Tools/Board:ATmega328 on a breadboard (8 MHz internal clock)

Tools/Port 選正確
Tools/Programmer/Arduino as ISP(Pro Micro)
Tools/Burn Bootloader

Bootloader 燒錄完成後，即可透過 RS-232 燒錄程式

USB轉RS-232(如 FT232RL)

FTDI -> Atmega328P

GND -> GND

CTS -> GND

VCC -> VCC

TXO -> 2(RXD)

RXI -> 3(TXD)

DTL -> 1(RESET)

DTL 接 RESET 請參考 Arduino Pro Mini 電路

中間串接 0.1uF, Atmega328P 端的 Reset 要 Pull Up 10K

Tools/Board:ATmega328 on a breadboard (8 MHz internal clock)

Tools/Port 選RS-232 的 Port

Sketch/Upload (不要 Using Programmer)

2017年12月12日星期二

使用 Arduino Pro Micro 當成 Arduino ISP 燒錄程式到 Atmega328P-PU

Arduino 1.8.5

File/Preferences/Additional Boards Manager URLs
https://raw.githubusercontent.com/sparkfun/Arduino_Boards/master/IDE_Board_Manager/package_sparkfun_index.json
Tools/Board/Boards Manager
安裝 SparkFun AVR Boards

修改 File/Examples/11.ArduinoISP/ArduinoISP
重新定義下列程式碼
#define RESET 10 // Use pin 10 to reset the target rather than SS
#define LED_HB 9
#define LED_ERR 8
#define LED_PMODE 7
#define PIN_SCK 15
#define PIN_MOSI 16
#define PIN_MISO 14

Tools/Board/SparkFun Pro Micro

Tools/Processor/Atmega32U4(5V,16MHz)

Tools/Port/(選正確 Com)

Sketch/Upload

主要接線

ProMicro -> Atmega328P-PU

VCC -> 7(VCC)

GND -> 8(GND)

VCC -> 20(AVCC)

15(SCK) -> 19(SCK)

14(MISO) -> 18(MISO)

16(MOSI) -> 17(MOSI)

10 -> 1(RESET)

以下不須使用了，可以直接參考使用 Arduino Pro Micro 當成 Arduino ISP 燒錄程式到 Atmega328P-PU 之二

File/Preferences/Additional Boards Manager URLs
https://github.com/Optiboot/optiboot/releases/download/v6.2/package_optiboot_optiboot-additional_index.json
Tools/Board/Boards Manager
安裝 Optiboot 6.2
若找不到, 並且有錯誤訊息
Error downloading https://github.com/Optiboot/optiboot/releases/download/v6.2/package_optiboot_optiboot-additional_index.json
下載並置於
C:\Arduino\arduino-1.8.5-windows\arduino-1.8.5\hardware/package_optiboot_optiboot-additional_index.json
更改 File/Preferences/Additional Boards Manager URLs 為

file://C:\Arduino\arduino-1.8.5-windows\arduino-1.8.5\hardware/package_optiboot_optiboot-additional_index.json

修改 C:\Arduino\arduino-1.8.5-windows\arduino-1.8.5\hardware\arduino\avr\programmers.txt

增加

arduinopromicro.name=Arduino as ISP(Pro Micro)

arduinopromicro.communication=serial

arduinopromicro.protocol=arduino

arduinopromicro.speed=19200

arduinopromicro.program.protocol=stk500v1

arduinopromicro.program.speed=19200

arduinopromicro.program.tool=avrdude

arduinopromicro.program.extra_params=-P{serial.port} -b{program.speed}

Tools/Programmer/Arduino as ISP(Pro Micro)

Tools/Processor/Atmega328p

Tools/Board/Optiboot on 28-pin cpus

Tools/CPU Speed/8MHz (int) (不使用外部震盪晶體)

Tools/Burn Bootloader ~~(好像可以不用，但是時脈會錯誤)~~

燒錄程式需使用 Sketch/Upload Using Programmer, 不能使用 Upload

2017年11月24日星期五

如何控制 DC-DC 輸出電壓

以下文章參考 Output voltage control of DC/DC converters

Vref 固定，且沒有電流
期望輸出電壓範圍 Vo1 ~ Vo2 (Vo1 < Vo2)
期望控制電壓範圍 Vc2 ~ Vc1(Vc1 < Vc2)
即是 Vc1 輸出 Vo1，Vc2 輸出 Vo2
以中間的節點來說 Ir1 + Ir2 + Ir3 = 0
Vref/R3 + (Vo1 - Vref)/R1 + (Vc1 - Vref)/R2 = 0
Vref/R3 + (Vo2 - Vref)/R1 + (Vc2 - Vref)/R2 = 0

因為 R3 固定，所以可以由聯立方程式解出 R1, R2

在上述範例中使用 LM2596(降壓)，我使用 TL431(升壓)

須注意上方的電阻值，至少要能提供 TL431 1mA，才能正常工作

原先是想用 LM317-ADJ(降壓)

Vout = 1.25(1 + R2/R1)

請注意此時的 Vref = Vout - Vadj = 1.25

Vref/R1 + [Vc1 - (Vo1 - Vref)]/R2 + (Vo1 - Vref)/R3 = 0

Vref/R1 + [Vc2 - (Vo2 - Vref)]/R2 + (Vo2 - Vref)/R3 = 0

以上沒有試過，請小心

沒猜錯 XL6003(升壓) 也可以

2017年9月15日星期五

Arduino pro mini

1. 製造 Arduino 燒錄器
接腳 FT232RL -> Arduino Pro Mini
DTR->DTR
RX->TXO
TX->RXI
VCC->VCC
CTX->GND
GND->GNC

選擇要當燒錄器的 Boards(Arduino Pro or Pro Mini) 和 Port
File/Examples/11.ArduinoISP/ArduinoISP
Sketch/Upload

2. 燒錄 bootloader
接腳 Arduino Pro Mini(Arduino 燒錄器)->Arduino Pro Mini
VCC->VCC
GND->GND
10->RST
11(MOSI)->11(MOSI)
12(MISO)->12(MISO)
13(SCK)->13(SCK)

File/Examples/01.Basics/Blank

選擇目標 Boards(Arduino Pro or Pro Mini)

Tools/Programmer/Arduino as ISP

Tools/Brun Bootloader

Sketch/Upload Using Programmer

2017年9月5日星期二

SSL, RaspberryPi Server, Android Client

請參考 Android 與 Raspberry 證書和 SSL 網路程式設計的 Server 端
在此提供 Android 的 Client

package com.example.mark.sslclient;

import android.content.Context;
import android.content.res.AssetManager;
import android.util.Log;

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** * Created by mark on 2017/9/1. */
public class SSLClient {
    static SSLContext ssl_ctx;

    public SSLClient(Context context) {
        try {
            Log.d("SSLClient", "SSLClient");

            //  Setup truststore            KeyStore trustStore = KeyStore.getInstance("BKS");
            InputStream trustStoreStream = context.getResources().openRawResource(R.raw.android);
            trustStore.load(trustStoreStream, "store1234".toCharArray());
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            Log.d("SSLClient", "Trust " + trustStore.size());
            Log.d("SSLClient", "trustManagerFactory " + trustManagerFactory.getTrustManagers().length);

            //  Setup keystore            KeyStore keyStore = KeyStore.getInstance("BKS");
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            InputStream keyStoreStream = context.getResources().openRawResource(R.raw.android);
            keyStore.load(keyStoreStream, "store1234".toCharArray());
            keyManagerFactory.init(keyStore, "key1234".toCharArray());
            Log.d("SSLClient", "Key " + keyStore.size());
            Log.d("SSLClient", "keyManagerFactory " + keyManagerFactory.getKeyManagers().length);

            // Setup the SSL context to use the truststore and keystore            ssl_ctx = SSLContext.getInstance("TLS");
            if (true) {
                ssl_ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
            } else {
                TrustManager tm = new X509TrustManager() {
                    public void checkClientTrusted(X509Certificate[] chain, String authTyhpe) throws CertificateException {
                    }
                    public void checkServerTrusted(X509Certificate[] chain, String authTyhpe) throws CertificateException {
                    }
                    public X509Certificate[] getAcceptedIssuers() {
                        return null;
                    }
                };
                ssl_ctx.init(null, new TrustManager[] { tm }, null);
            }
        } catch (KeyStoreException e) {
            Log.d("SSLClient", e.getMessage());
        } catch (NoSuchAlgorithmException e) {
            Log.d("SSLClient", e.getMessage());
        } catch (CertificateException e) {
            Log.d("SSLClient", e.getMessage());
        } catch (IOException e) {
            Log.d("SSLClient", e.getMessage());
        } catch (KeyManagementException e) {
            Log.d("SSLClient", e.getMessage());
        } catch (UnrecoverableKeyException e) {
            Log.d("SSLClient", e.getMessage());
        }
    }
}

package com.example.mark.sslclient;

import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.util.Log;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class MainActivity extends AppCompatActivity {
    private static final String TAG = "MainActivity";
    private SSLClient sslClient;

    private Runnable threadMain = new Runnable() {
        @Override        public void run() {
            SSLSocketFactory socketFactory = (SSLSocketFactory)sslClient.ssl_ctx.getSocketFactory();
            try {
                Log.d(TAG, "threadMain createSocket a");
                SSLSocket socket = (SSLSocket)socketFactory.createSocket("192.168.1.61", 8080);
                Log.d(TAG, "threadMain createSocket b");
                PrintWriter output = new PrintWriter(new OutputStreamWriter(socket.getOutputStream()));
                BufferedReader input = new BufferedReader((new InputStreamReader(socket.getInputStream())));
                output.println("\nthis is from client+++++++++++++++client send to server");
                output.flush();
                Log.d(TAG, "threadMain input.readLine() a");
                String line = input.readLine();
                while (line != null) {
                    Log.d(TAG, line);
                    line = input.readLine();
                }
                Log.d(TAG, "threadMain input.readLine() b");
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    };
    @Override    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Log.d(TAG, "onCreate a");
        setContentView(R.layout.activity_main);

        sslClient = new SSLClient(this);
        Thread thread = new Thread(threadMain);
        thread.start();
        Log.d(TAG, "onCreate b");
    }
}

2017年9月4日星期一

Huawei 在 Android Studio 沒有 logcat

撥打 *#*#2846579#*#*
Project Menu > Background Setting > Log setting
選擇 AP Log

Android 與 Raspberry 證書

請參考先前的 Raspberry OPENSSL 根證書伺服端客戶端
和 Java keytool and Android

// 產生 Android 要用的 key 和 keystore
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -validity 3650 -genkey -v -alias android -keyalg RSA -keystore android.jks -dname "CN=AndroidClient,OU=R&D,O=SDL,L=Taichung,ST=Taiwan,c=TW" -storepass store1234 -keypass key1234
針對 CN=AndroidClient, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW 產生有效期 3,650 天的 2,048 位元 RSA 金鑰組以及自我簽署憑證 (SHA256withRSA)

[儲存 android.jks]

D:\SVN_Repository3\pi\Key>
// 產生申請證書
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -certreq -keystore android.jks -alias android -file android.csr -storepass store1234 -keypass key1234

D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/09/04 11:15 <DIR> .
2017/09/04 11:15 <DIR> ..
2017/09/04 11:15 1,086 android.csr
2017/09/04 11:14 2,231 android.jks
2 個檔案 3,317 位元組
2 個目錄 678,150,483,968 位元組可用

D:\SVN_Repository3\pi\Key>

// 傳送 android.csr 到 RaspberryPi, 並簽署
pi@raspberrypi:~/OpenSSL/openssl $ openssl ca -in android/android.csr -out android/android.crt -days 3650 -cert ca/ca.crt -keyfile ca/ca.key -config openssl.cnf

Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (Taiwan) and the request (Taiwan)
pi@raspberrypi:~/OpenSSL/openssl $
// 原因為編碼錯誤, 下兩個命令可以查詢, 並比較
pi@raspberrypi:~/OpenSSL/openssl $ openssl asn1parse -in androiid/android.csr
pi@raspberrypi:~/OpenSSL/openssl $ openssl asn1parse -in ca/ca.crt

// 修改設定

pi@raspberrypi:~/OpenSSL/openssl $ vi openssl.cnf
#string_mask = utf8only
string_mask = pkix
# For the CA policy
[ policy_match ]
#countryName = match
#stateOrProvinceName = match
#organizationName = match
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

pi@raspberrypi:~/OpenSSL/openssl $ openssl ca -in android/android.csr -out android/android.crt -days 3650 -cert ca/ca.crt -keyfile ca/ca.key -config openssl.cnf
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Sep 4 05:46:35 2017 GMT
Not After : Sep 2 05:46:35 2027 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
organizationName = SDL
organizationalUnitName = R&D
commonName = AndroidClient
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
99:6F:21:B8:C1:2A:DB:03:7F:37:47:17:F5:C8:6C:10:18:B2:75:50
X509v3 Authority Key Identifier:
keyid:F4:6D:3E:3D:93:2A:4A:81:85:62:C3:D7:4B:70:F9:28:F6:E6:A4:F4

Certificate is to be certified until Sep 2 05:46:35 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
// 不明原因失敗，下列為解決方法
pi@raspberrypi:~/OpenSSL/openssl $ ls newcerts/
01.pem 02.pem 03.pem
pi@raspberrypi:~/OpenSSL/openssl $ openssl ca -revoke newcerts/03.pem -config op
enssl.cnf -cert ca/ca.crt -keyfile ca/ca.key
Using configuration from openssl.cnf
Revoking Certificate 03.
Data Base Updated
pi@raspberrypi:~/OpenSSL/openssl $
// 重新簽署
pi@raspberrypi:~/OpenSSL/openssl $ openssl ca -in android/android.csr -out android/android.crt -days 3650 -cert ca/ca.crt -keyfile ca/ca.key -config openssl.cnf
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Sep 4 05:51:48 2017 GMT
Not After : Sep 2 05:51:48 2027 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
organizationName = SDL
organizationalUnitName = R&D
commonName = AndroidClient
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
99:6F:21:B8:C1:2A:DB:03:7F:37:47:17:F5:C8:6C:10:18:B2:75:50
X509v3 Authority Key Identifier:
keyid:F4:6D:3E:3D:93:2A:4A:81:85:62:C3:D7:4B:70:F9:28:F6:E6:A4:F4

Certificate is to be certified until Sep 2 05:51:48 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
pi@raspberrypi:~/OpenSSL/openssl $

//將 ca.crt 和 android.crt 傳回 PC
// 安裝根證書
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -import -trustcacerts -v -alias ca -file ca.crt -keystore android.jks -storepass store1234
擁有者: CN=PiCA, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW
發出者: CN=PiCA, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW
序號: e595993377a61f60
有效期自: Tue Aug 29 09:40:37 CST 2017 到: Fri Aug 27 09:40:37 CST 2027
憑證指紋:
MD5: 8D:94:79:EB:E6:81:8C:33:4F:BE:7C:EF:16:D3:23:28
SHA1: 7B:DF:78:14:87:F1:C8:DA:27:91:9B:6C:B7:7C:B6:6C:3F:84:59:13
SHA256: 38:C6:7B:DC:DB:28:EA:CC:6A:A0:38:4B:DF:D2:D6:B2:44:70:CE:B5:86:F0:DE:9B:99:49:3C:75:D6:5C:89:EB
簽章演算法名稱: SHA256withRSA
版本: 3

擴充套件:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F4 6D 3E 3D 93 2A 4A 81 85 62 C3 D7 4B 70 F9 28 .m>=.*J..b..Kp.(
0010: F6 E6 A4 F4 ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F4 6D 3E 3D 93 2A 4A 81 85 62 C3 D7 4B 70 F9 28 .m>=.*J..b..Kp.(
0010: F6 E6 A4 F4 ....
]
]

信任這個憑證？ [否]: y
憑證已新增至金鑰儲存庫中
[儲存 android.jks]

D:\SVN_Repository3\pi\Key>
// 安裝證書
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -import -v -alias android -file android.crt -keystore android.jks -storepass store1234 -keypass key1234
憑證回覆已安裝在金鑰儲存庫中
[儲存 android.jks]

D:\SVN_Repository3\pi\Key>
// 產生 BKS 格式的 keystore

D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -importkeystore -srckeystore android.jks -srcstorepass store1234 -destkeystore android.bks -deststoretype BKS -deststorepass store1234 -provider org.bouncycastle.jce.provider.BouncyCastleProvider
已成功匯入別名 ca 的項目。
輸入 <android> 的金鑰密碼
已成功匯入別名 android 的項目。
已完成匯入命令: 成功匯入 2 個項目，0 個項目失敗或已取消

D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/09/04 14:39 <DIR> .
2017/09/04 14:39 <DIR> ..
2017/09/04 14:39 4,155 android.bks
2017/09/04 13:51 4,417 android.crt
2017/09/04 13:42 1,086 android.csr
2017/09/04 13:52 4,150 android.jks
2017/08/29 09:40 1,289 ca.crt
5 個檔案 15,097 位元組
2 個目錄 678,150,561,792 位元組可用

D:\SVN_Repository3\pi\Key>

Java keytool and Android

D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -validity 3650 -genkey -v -alias server -keyalg RSA -keystore server.keystore -dname "CN=AndroidServer,OU=R&D,O=SDL,L=Taichung,ST=Taiwan,c=TW" -storepass store1234 -keypass key1234
針對 CN=AndroidServer, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW 產生有效期 3,650 天的 2,048 位元 RSA 金鑰組以及自我簽署憑證 (SHA256withRSA)

[儲存 server.keystore]

D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/08/31 13:27 <DIR> .
2017/08/31 13:27 <DIR> ..
2017/08/31 13:27 2,228 server.keystore
1 個檔案 2,228 位元組
2 個目錄 679,286,407,168 位元組可用

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -validity 3650 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore client.p12 -dname "CN=AndroidClient,OU=R&D,O=SDL,L=Taichung,ST=Taiwan,c=TW" -storepass client1234
針對 CN=AndroidClient, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW 產生有效期 3,650 天的 2,048 位元 RSA 金鑰組以及自我簽署憑證 (SHA256withRSA)

[儲存 client.p12]

D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/08/31 13:32 <DIR> .
2017/08/31 13:32 <DIR> ..
2017/08/31 13:32 2,572 client.p12
2017/08/31 13:27 2,228 server.keystore
2 個檔案 4,800 位元組
2 個目錄 679,286,403,072 位元組可用

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -export -v -alias client -keystore client.p12 -storetype PKCS12 -storepass client1234 -rfc -file client.cer
憑證儲存在檔案 <client.cer>

D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/08/31 13:56 <DIR> .
2017/08/31 13:56 <DIR> ..
2017/08/31 13:57 1,260 client.cer
2017/08/31 13:55 2,572 client.p12
2017/08/31 13:54 2,230 server.keystore
3 個檔案 6,062 位元組
2 個目錄 679,286,390,784 位元組可用

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -export -v -alias server -keystore server.keystore -storepass store1234 -rfc -file server.cer
憑證儲存在檔案 <server.cer>

D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/08/31 13:58 <DIR> .
2017/08/31 13:58 <DIR> ..
2017/08/31 13:57 1,260 client.cer
2017/08/31 13:55 2,572 client.p12
2017/08/31 13:58 1,260 server.cer
2017/08/31 13:54 2,230 server.keystore
4 個檔案 7,322 位元組
2 個目錄 679,286,386,688 位元組可用

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -import -v -alias server -file server.cer -keystore client.truststore -storepass trust1234
擁有者: CN=AndroidServer, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW
發出者: CN=AndroidServer, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW
序號: 33fc9a74
有效期自: Thu Aug 31 13:54:47 CST 2017 到: Sun Aug 29 13:54:47 CST 2027
憑證指紋:
MD5: C7:7E:71:51:21:79:BF:BE:D9:42:E5:42:B7:0F:4D:19
SHA1: DD:3E:87:9E:92:67:6D:F4:18:70:E8:23:82:93:A6:A9:9D:0A:7A:F4
SHA256: 05:EE:F8:9F:DB:89:C2:D0:20:40:C5:77:DF:50:2D:3D:06:E4:FC:EE:15:4A:39:14:0E:F2:AF:29:23:65:A6:49
簽章演算法名稱: SHA256withRSA
版本: 3

擴充套件:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CB 69 A6 E6 E4 06 5F 7C EF 14 38 37 88 F8 30 A7 .i...._...87..0.
0010: 1A 7F 7F 3A ...:
]
]

信任這個憑證？ [否]: y
憑證已新增至金鑰儲存庫中
[儲存 client.truststore]

D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/08/31 14:02 <DIR> .
2017/08/31 14:02 <DIR> ..
2017/08/31 13:57 1,260 client.cer
2017/08/31 13:55 2,572 client.p12
2017/08/31 14:02 940 client.truststore
2017/08/31 13:58 1,260 server.cer
2017/08/31 13:54 2,230 server.keystore
5 個檔案 8,262 位元組
2 個目錄 679,286,382,592 位元組可用

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -import -v -alias client -file client.cer -keystore server.keystore -storepass store1234
擁有者: CN=AndroidClient, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW
發出者: CN=AndroidClient, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW
序號: 4a2adb9c
有效期自: Thu Aug 31 13:55:07 CST 2017 到: Sun Aug 29 13:55:07 CST 2027
憑證指紋:
MD5: A6:8C:FA:94:8C:F9:D5:09:54:DD:12:FE:75:51:19:86
SHA1: 10:7D:E3:DC:D8:42:43:FF:46:97:26:A2:8F:AA:B7:90:74:16:8D:24
SHA256: 3B:30:95:09:AE:1A:AC:AC:2D:3C:10:4B:7B:33:4B:E6:5B:51:AC:C7:C8:A0:99:EF:39:0F:64:DE:F5:56:6E:D8
簽章演算法名稱: SHA256withRSA
版本: 3

擴充套件:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 32 BA E6 02 8E A5 3D 02 77 01 21 29 B0 55 21 82 2.....=.w.!).U!.
0010: F6 8B 34 9B ..4.
]
]

信任這個憑證？ [否]: y
憑證已新增至金鑰儲存庫中
[儲存 server.keystore]

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/08/31 14:02 <DIR> .
2017/08/31 14:02 <DIR> ..
2017/08/31 13:57 1,260 client.cer
2017/08/31 13:55 2,572 client.p12
2017/08/31 14:02 940 client.truststore
2017/08/31 13:58 1,260 server.cer
2017/08/31 14:04 3,138 server.keystore
5 個檔案 9,170 位元組
2 個目錄 679,286,382,592 位元組可用

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -list -keystore server.keystore -storepass store1234

金鑰儲存庫類型: JKS
金鑰儲存庫提供者: SUN

您的金鑰儲存庫包含 2 項目

client, 2017/8/31, trustedCertEntry,
憑證指紋 (SHA1): 10:7D:E3:DC:D8:42:43:FF:46:97:26:A2:8F:AA:B7:90:74:16:8D:24
server, 2017/8/31, PrivateKeyEntry,
憑證指紋 (SHA1): DD:3E:87:9E:92:67:6D:F4:18:70:E8:23:82:93:A6:A9:9D:0A:7A:F4

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -list -keystore client.truststore -storepass trust1234

金鑰儲存庫類型: JKS
金鑰儲存庫提供者: SUN

您的金鑰儲存庫包含 1 項目

server, 2017/8/31, trustedCertEntry,
憑證指紋 (SHA1): DD:3E:87:9E:92:67:6D:F4:18:70:E8:23:82:93:A6:A9:9D:0A:7A:F4

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -import -v -alias server -file server.cer -keystore trust.bks -storepass trust1234 -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider
擁有者: CN=AndroidServer, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW
發出者: CN=AndroidServer, OU=R&D, O=SDL, L=Taichung, ST=Taiwan, C=TW
序號: 33fc9a74
有效期自: Thu Aug 31 13:54:47 CST 2017 到: Sun Aug 29 13:54:47 CST 2027
憑證指紋:
MD5: C7:7E:71:51:21:79:BF:BE:D9:42:E5:42:B7:0F:4D:19
SHA1: DD:3E:87:9E:92:67:6D:F4:18:70:E8:23:82:93:A6:A9:9D:0A:7A:F4
SHA256: 05:EE:F8:9F:DB:89:C2:D0:20:40:C5:77:DF:50:2D:3D:06:E4:FC:EE:15:4A:39:14:0E:F2:AF:29:23:65:A6:49
簽章演算法名稱: SHA256withRSA
版本: 3

擴充套件:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CB 69 A6 E6 E4 06 5F 7C EF 14 38 37 88 F8 30 A7 .i...._...87..0.
0010: 1A 7F 7F 3A ...:
]
]

信任這個憑證？ [否]: y
憑證已新增至金鑰儲存庫中
[儲存 trust.bks]

D:\SVN_Repository3\pi\Key>
D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/09/01 09:44 <DIR> .
2017/09/01 09:44 <DIR> ..
2017/08/31 13:57 1,260 client.cer
2017/08/31 13:55 2,572 client.p12
2017/08/31 14:02 940 client.truststore
2017/08/31 13:58 1,260 server.cer
2017/08/31 14:04 3,138 server.keystore
2017/09/01 09:44 962 trust.bks
6 個檔案 10,132 位元組
2 個目錄 679,233,712,128 位元組可用

D:\SVN_Repository3\pi\Key>

//下載 Bouncy Castle
// https://www.bouncycastle.org/latest_releases.html
// 拷貝 bcprov-ext-jdk15on-158.jar 到 C:\Program Files\Java\jdk1.7.0_67\jre\lib\ext
// 拷貝 bcprov-ext-jdk15on-158.jar 到 C:\Program Files\Java\jre7\lib\ext
// 將下一行加入 C:\Program Files\Java\jre7\lib\security\java.security 和 C:\Program Files\Java\jdk1.7.0_67\jre\lib\security\java.security
// security.provider.11=org.bouncycastle.jce.provider.BouncyCastleProvider
// 新增 CLASSPATH=C:\Program Files\Java\jdk1.7.0_67\jre\lib\ext\bcprov-ext-jdk15on-158.jar
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass client1234 -destkeystore client.bks -deststoretype BKS -deststorepass client1234 -provider org.bouncycastle.jce.provider.BouncyCastleProvider
匯入別名 client 的項目時出現問題: java.security.KeyStoreException: java.io.IOException: Error initialising store of key store: java.security.InvalidKeyException: Illegal key size。
未匯入別名 client 的項目。
Do you want to quit the import process? [no]: y
已完成匯入命令: 成功匯入 0 個項目，1 個項目失敗或已取消

D:\SVN_Repository3\pi\Key>
//下載 Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download
//http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
//解壓縮 UnlimitedJCEPolicyJDK7.zip
//到 C:\Program Files\Java\jdk1.7.0_67\jre\lib\security
//備份舊的 local_policy.jar, US_export_policy.jar
//拷貝新的 local_policy.jar, US_export_policy.jar
D:\SVN_Repository3\pi\Key>"C:\Program Files\Java\jdk1.7.0_67\bin\keytool.exe" -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass client1234 -destkeystore client.bks -deststoretype BKS -deststorepass client1234 -provider org.bouncycastle.jce.provider.BouncyCastleProvider
已成功匯入別名 client 的項目。
已完成匯入命令: 成功匯入 1 個項目，0 個項目失敗或已取消

D:\SVN_Repository3\pi\Key>dir
磁碟區 D 中的磁碟是新增磁碟區
磁碟區序號: 3AAA-91FF

D:\SVN_Repository3\pi\Key 的目錄

2017/09/01 10:26 <DIR> .
2017/09/01 10:26 <DIR> ..
2017/09/01 10:26 2,234 client.bks
2017/08/31 13:57 1,260 client.cer
2017/08/31 13:55 2,572 client.p12
2017/08/31 14:02 940 client.truststore
2017/08/31 13:58 1,260 server.cer
2017/08/31 14:04 3,138 server.keystore
2017/09/01 09:44 962 trust.bks
7 個檔案 12,366 位元組
2 個目錄 679,233,679,360 位元組可用

D:\SVN_Repository3\pi\Key>

2017年8月30日星期三

SSL 網路程式設計

請參考 Raspberry OPENSSL 根證書伺服端客戶端產生所有需要的檔案

sudo apt-get install libssl-dev

伺服器端程式
gcc server.c -o server -lcrypto -lssl
vi server.c

#include "openssl/bio.h"

#include "openssl/ssl.h"

#include "openssl/err.h"

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <unistd.h>

#define SERVER_PORT 8080

#define CA_CERT_FILE "../openssl/ca/ca.crt"

#define SERVER_CERT_FILE "../openssl/server/server.crt"

#define SERVER_KEY_FILE "../openssl/server/server.key"

typedef struct sockaddr SA;

int TcpInit()

{

int listener;

do{

listener = socket(AF_INET, SOCK_STREAM, 0);

if( listener == -1 )

return 0;

struct sockaddr_in sin;

sin.sin_family = AF_INET;

sin.sin_addr.s_addr = 0;

sin.sin_port = htons(SERVER_PORT);

if( bind(listener, (SA*)&sin, sizeof(sin)) < 0 )

break;

if( listen(listener, 5) < 0)

break;

return listener;

}while(0);

return -1;

}

void print_peer_certificate(SSL *ssl)

{

X509* cert= NULL;

X509_NAME *name=NULL;

char buf[8192]={0};

BIO *bio_cert = NULL;

cert = SSL_get_peer_certificate(ssl);

if (cert == NULL) {

printf("SSL_get_peer_certificate() == NULL\n");

return;

}

if (SSL_get_verify_result(ssl) == X509_V_OK) {

printf("SSL_get_verify_result(ssl) == X509_V_OK\n");

}

name = X509_get_subject_name(cert);

X509_NAME_oneline(name,buf,8191);

printf("ServerSubjectName:%s\n",buf);

memset(buf,0,sizeof(buf));

bio_cert = BIO_new(BIO_s_mem());

PEM_write_bio_X509(bio_cert, cert);

BIO_read( bio_cert, buf, 8191);

printf("SERVER CERT:\n%s\n",buf);

if(bio_cert)BIO_free(bio_cert);

if(cert)X509_free(cert);

}

static int verify_cb(int res, X509_STORE_CTX *xs)

{

printf("SSL VERIFY RESULT :%d\n",res);

switch (xs->error)

{

case X509_V_ERR_UNABLE_TO_GET_CRL:

printf(" NOT GET CRL!\n");

return 1;

default :

break;

}

return res;

}

int main(int argc, char **argv)

{

SSL_CTX *ctx;

SSL *ssl;

X509 *client_cert;

char szBuffer[1024];

int nLen;

struct sockaddr_in addr;

int nListenFd, nAcceptFd;

nListenFd = TcpInit();

SSLeay_add_ssl_algorithms();

OpenSSL_add_all_algorithms();

SSL_load_error_strings();

ERR_load_BIO_strings();

memset(&addr, 0, sizeof(addr));

int len = sizeof(addr);

nAcceptFd = accept(nListenFd, (struct sockaddr *)&addr, &len);

//int iMode = 1;

//int iret = ioctlsocket(nAcceptFd, FIONBIO, (u_long FAR*)&iMode);

ctx = SSL_CTX_new (SSLv23_method());

if( ctx == NULL)

{

printf("SSL_CTX_new error!\n");

return -1;

}

#define USE_CA_CERT

#ifdef USE_CA_CERT

// 使用 CA_CERT_FILE 檢查 Client 端的證書

printf("SSL_CTX_set_verify(SSL_VERIFY_PEER)\n");

SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);

if(!SSL_CTX_load_verify_locations(ctx, CA_CERT_FILE, NULL))

{

printf("SSL_CTX_load_verify_locations error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

#else

printf("SSL_CTX_set_verify(SSL_VERIFY_NONE)\n");

SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

#endif

if(SSL_CTX_use_certificate_file(ctx, SERVER_CERT_FILE, SSL_FILETYPE_PEM) <= 0)

{

printf("SSL_CTX_use_certificate_file error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

if(SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY_FILE, SSL_FILETYPE_PEM) <= 0)

{

printf("SSL_CTX_use_PrivateKey_file error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

if(!SSL_CTX_check_private_key(ctx))

{

printf("SSL_CTX_check_private_key error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

ssl = SSL_new (ctx);

if(!ssl)

{

printf("SSL_new error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

SSL_set_fd (ssl, nAcceptFd);

while(1){

if(SSL_accept (ssl) != 1)

{

int icode = -1;

ERR_print_errors_fp(stderr);

int iret = SSL_get_error(ssl, icode);

printf("SSL_accept error! code = %d, iret = %d\n", icode, iret);

break;

} else

break;

}

print_peer_certificate(ssl);

memset(szBuffer, 0, sizeof(szBuffer));

nLen = SSL_read(ssl,szBuffer, sizeof(szBuffer));

fprintf(stderr, "Get Len %d %s ok\n", nLen, szBuffer);

strcat(szBuffer, "\n this is from server========server resend to client");

SSL_write(ssl, szBuffer, strlen(szBuffer));

SSL_free (ssl);

SSL_CTX_free (ctx);

close(nAcceptFd);

}

客戶端程式
gcc client.c -o client -lcrypto -lssl

vi client.c

#include "openssl/bio.h"

#include "openssl/ssl.h"

#include "openssl/err.h"

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <unistd.h>

#define SERVER_PORT 8080

#define SERVER_IP "127.0.0.1"

#define CA_CERT_FILE "../openssl/ca/ca.crt"

#define CLIENT_CERT_FILE "../openssl/client/client.crt"

#define CLIENT_KEY_FILE "../openssl/client/client.key"

void print_client_cert(char* path)

{

X509 *cert =NULL;

FILE *fp = NULL;

fp = fopen(path,"rb");

cert = PEM_read_X509(fp, NULL, NULL, NULL);

X509_NAME *name=NULL;

char buf[8192]={0};

BIO *bio_cert = NULL;

name = X509_get_subject_name(cert);

X509_NAME_oneline(name,buf,8191);

printf("ClientSubjectName:%s\n",buf);

memset(buf,0,sizeof(buf));

bio_cert = BIO_new(BIO_s_mem());

PEM_write_bio_X509(bio_cert, cert);

BIO_read( bio_cert, buf, 8191);

printf("CLIENT CERT:\n%s\n",buf);

if(bio_cert)BIO_free(bio_cert);

fclose(fp);

if(cert) X509_free(cert);

}

void print_peer_certificate(SSL *ssl)

{

X509* cert= NULL;

X509_NAME *name=NULL;

char buf[8192]={0};

BIO *bio_cert = NULL;

cert = SSL_get_peer_certificate(ssl);

if (cert == NULL) {

printf("SSL_get_peer_certificate() == NULL\n");

return;

}

if (SSL_get_verify_result(ssl) == X509_V_OK) {

printf("SSL_get_verify_result(ssl) == X509_V_OK\n");

}

name = X509_get_subject_name(cert);

X509_NAME_oneline(name,buf,8191);

printf("ServerSubjectName:%s\n",buf);

memset(buf,0,sizeof(buf));

bio_cert = BIO_new(BIO_s_mem());

PEM_write_bio_X509(bio_cert, cert);

BIO_read( bio_cert, buf, 8191);

printf("SERVER CERT:\n%s\n",buf);

if(bio_cert)BIO_free(bio_cert);

if(cert)X509_free(cert);

}

static int verify_cb(int res, X509_STORE_CTX *xs)

{

printf("SSL VERIFY RESULT :%d\n",res);

switch (xs->error)

{

case X509_V_ERR_UNABLE_TO_GET_CRL:

printf(" NOT GET CRL!\n");

return 1;

default :

break;

}

return res;

}

int main(int argc, char **argv)

{

char *address = SERVER_IP;

if(argc > 1)

{

address = argv[1];

}

SSL_METHOD *meth;

SSL_CTX *ctx;

SSL *ssl;

int nFd;

int nLen;

char szBuffer[1024];

SSLeay_add_ssl_algorithms();

OpenSSL_add_all_algorithms();

SSL_load_error_strings();

ERR_load_BIO_strings();

print_client_cert(CLIENT_CERT_FILE);

// 使用SSL V3,V2

ctx = SSL_CTX_new (SSLv23_method());

if( ctx == NULL)

{

printf("SSL_CTX_new error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

#define USE_CA_CERT

#ifdef USE_CA_CERT

// 使用 CA_CERT_FILE 檢查 Server 端的證書

printf("SSL_CTX_set_verify(SSL_VERIFY_PEER)\n");

SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb);

if(!SSL_CTX_load_verify_locations(ctx, CA_CERT_FILE, NULL))

{

printf("SSL_CTX_load_verify_locations error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

#else

printf("SSL_CTX_set_verify(SSL_VERIFY_NONE)\n");

SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

#endif

#define USE_CERT

#ifdef USE_CERT

printf("SSL_CTX_use_certificate_file start!\n");

if(SSL_CTX_use_certificate_file(ctx, CLIENT_CERT_FILE, SSL_FILETYPE_PEM) <= 0)

{

printf("SSL_CTX_use_certificate_file error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

printf("SSL_CTX_use_PrivateKey_file start!\n");

if(SSL_CTX_use_PrivateKey_file(ctx, CLIENT_KEY_FILE, SSL_FILETYPE_PEM) <= 0)

{

printf("SSL_CTX_use_PrivateKey_file error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

if(!SSL_CTX_check_private_key(ctx))

{

printf("SSL_CTX_check_private_key error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

#endif

nFd = socket(AF_INET, SOCK_STREAM, 0);

struct sockaddr_in addr;

addr.sin_addr.s_addr = inet_addr(address);

addr.sin_family = AF_INET;

addr.sin_port = htons(SERVER_PORT);

if(connect(nFd, (struct sockaddr *)&addr, sizeof(addr)) < 0)

{

printf("connect\n");

ERR_print_errors_fp(stderr);

return -1;

}

ssl = SSL_new (ctx);

if( ssl == NULL)

{

printf("SSL_new error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

SSL_set_fd (ssl, nFd);

if( SSL_connect (ssl) != 1)

{

printf("SSL_new error!\n");

ERR_print_errors_fp(stderr);

return -1;

}

print_peer_certificate(ssl);

sprintf(szBuffer, "\nthis is from client+++++++++++++++client send to server");

SSL_write(ssl, szBuffer, strlen(szBuffer));

memset(szBuffer, 0, sizeof(szBuffer));

nLen = SSL_read(ssl,szBuffer, sizeof(szBuffer));

fprintf(stderr, "Get Len %d %s ok\n", nLen, szBuffer);

SSL_free (ssl);

SSL_CTX_free (ctx);

close(nFd);

}

2017年8月29日星期二

Raspberry OPENSSL 根證書伺服端客戶端

準備設定檔
pi@raspberrypi:~/OpenSSL/openssl $ cp /etc/ssl/openssl.cnf .
pi@raspberrypi:~/OpenSSL/openssl $ mkdir ca server client
pi@raspberrypi:~/OpenSSL/openssl $
產生根私鑰
pi@raspberrypi:~/OpenSSL/openssl $ openssl genrsa -out ca/ca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................+++
......+++
e is 65537 (0x10001)
產生根證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl req -new -x509 -key ca/ca.key -out ca
/ca.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SDL
Organizational Unit Name (eg, section) []:R&D
Common Name (e.g. server FQDN or YOUR name) []:PiCA
Email Address []:
pi@raspberrypi:~/OpenSSL/openssl $ ls ca
ca.crt ca.key
pi@raspberrypi:~/OpenSSL/openssl $
產生伺服端私鑰
pi@raspberrypi:~/OpenSSL/openssl $ openssl genrsa -out server/server.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
..............+++
e is 65537 (0x10001)
產生伺服端需求證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl req -new -key server/server.key -out server/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SDL
Organizational Unit Name (eg, section) []:R&D
Common Name (e.g. server FQDN or YOUR name) []:PiServer
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
pi@raspberrypi:~/OpenSSL/openssl $ ls server/
server.csr server.key
pi@raspberrypi:~/OpenSSL/openssl $
產生客戶端私鑰
pi@raspberrypi:~/OpenSSL/openssl $ openssl genrsa -out client/client.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
....................................+++
e is 65537 (0x10001)
產生客戶端需求證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl req -new -key client/client.key -out
client/client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SDL
Organizational Unit Name (eg, section) []:R&D
Common Name (e.g. server FQDN or YOUR name) []:PiClient
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
pi@raspberrypi:~/OpenSSL/openssl $ ls client/
client.csr client.key
pi@raspberrypi:~/OpenSSL/openssl $
修改 dir 目錄
pi@raspberrypi:~/OpenSSL/openssl $ vi openssl.cnf
[ CA_default ]

#dir = ./demoCA # Where everything is kept
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
pi@raspberrypi:~/OpenSSL/openssl $
簽署證書環境準備
pi@raspberrypi:~/OpenSSL/openssl $ touch index.txt
pi@raspberrypi:~/OpenSSL/openssl $ echo "01">serial
pi@raspberrypi:~/OpenSSL/openssl $ mkdir newcerts
簽署伺服端證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl ca -in server/server.csr -out server/server.crt -days 3650 -cert ca/ca.crt -keyfile ca/ca.key -config openssl.cnf
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 29 02:08:38 2017 GMT
Not After : Aug 27 02:08:38 2027 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
organizationName = SDL
organizationalUnitName = R&D
commonName = PiServer
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4D:26:A0:55:4D:37:58:EE:10:D3:A0:8E:B8:93:35:E9:E5:84:1F:BC
X509v3 Authority Key Identifier:
keyid:F4:6D:3E:3D:93:2A:4A:81:85:62:C3:D7:4B:70:F9:28:F6:E6:A4:F4

Certificate is to be certified until Aug 27 02:08:38 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
pi@raspberrypi:~/OpenSSL/openssl $ ls server/
server.crt server.csr server.key
pi@raspberrypi:~/OpenSSL/openssl $
簽署客戶端證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl ca -in client/client.csr -out client/
client.crt -days 3650 -cert ca/ca.crt -keyfile ca/ca.key -config openssl.cnf
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 29 02:12:26 2017 GMT
Not After : Aug 27 02:12:26 2027 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
organizationName = SDL
organizationalUnitName = R&D
commonName = PiClient
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
45:1F:CC:47:19:FF:37:04:7A:8D:40:B8:1E:CA:08:11:36:E0:E7:EF
X509v3 Authority Key Identifier:
keyid:F4:6D:3E:3D:93:2A:4A:81:85:62:C3:D7:4B:70:F9:28:F6:E6:A4:F4

Certificate is to be certified until Aug 27 02:12:26 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
pi@raspberrypi:~/OpenSSL/openssl $ ls client/
client.crt client.csr client.key
pi@raspberrypi:~/OpenSSL/openssl $
pi@raspberrypi:~/OpenSSL/openssl $ ls
ca index.txt index.txt.attr.old newcerts serial server
client index.txt.attr index.txt.old openssl.cnf serial.old
pi@raspberrypi:~/OpenSSL/openssl $

2017年8月23日星期三

HDMI 開關

關閉

sudo /opt/vc/bin/tvservice -o

開啟
sudo /opt/vc/bin/tvservice -p

約可省下 20-30mA

2017年8月2日星期三

Raspberry & DS3231 RTC

由安裝作業系統後開始
Localisation Options/I1 Chance Locale
zh_TW.UTF-8 UTF-8
Localisation Options/I2 Chance Timezone
Asia/Taipei
Interfacing Options/P5 I2C

測試 I2C 上的裝置
sudo i2cdetect -y 1

sudo vi /etc/modules
#rtc-ds3231

sudo vi /boot/config.txt
dtoverlay=i2c-rtc,ds3231

sudo apt-get update
sudo apt-get -y upgrade
sudo apt-get purge fake-hwclock
sudo apt-get -y remove fake-hwclock
sudo update-rc.d -f fake-hwclock remove
sudo systemctl stop fake-hwclock.service
sudo update-rc.d fake-hwclock disable S 6

hwclock
-r 讀取時間
-w 系統時間寫入 RTC
-s 以 RTC 更新系統時間
sudo hwclock -r;date '+%a %d %b %Y %02l:%M:%S %p'
ntptime

同步網路時間
sudo ntpd -s -d

開機產生的錯誤訊息
pi@raspberrypi:~ $ systemctl status systemd-modules-load.service
● systemd-modules-load.service - Load Kernel Modules
Loaded: loaded (/lib/systemd/system/systemd-modules-load.service; static)
Active: failed (Result: exit-code) since Thu 1970-01-01 08:00:03 CST; 47 years 6 months ago
Docs: man:systemd-modules-load.service(8)
man:modules-load.d(5)
Process: 113 ExecStart=/lib/systemd/systemd-modules-load (code=exited, status=1/FAILURE)
Main PID: 113 (code=exited, status=1/FAILURE)

alias gshutdown='gpio mode 7 out'

解決與 witty 電源控制模組衝突
vi /etc/init.d/witty
# sudo /home/pi/WittyPi/wittyPi/runScript.sh >> /home/pi/WittyPi/wittyPi/schedule.log &
# sudo /home/pi/WittyPi/wittyPi/syncTime.sh 5 &

vi wittyPi/utilities.sh
is_rtc_connected()
{
return 1
...
}

2017年6月15日星期四

Witty Pi 電源管理

Raspberry Pi 沒有電源管理，必須要 shutdown 完成後才能關機，以免傷害檔案系統
Witty Pi 可以提供相關的功能

Witty Pi 需要軟體配合
pi@raspberrypi:~ $ wget!http://www.uugear.com/repo/WittyPi/installWittyPi.sh
pi@raspberrypi:~ $ sudo!sh!installWittyPi.sh

GPIO-17: LED
GPIO-4: 開關按鈕，若拉此腳為 LOW, 開始關機程序
若要更改 GPIO, 也要修改 /home/pi/wittyPi/daemon.sh 的 halt_pin 和 led_pin
不是所有腳位可以當 helt_pin, 需要
1. 開機預設為輸入
2. 預設狀態為 HIGH
可執行下列命令，查詢可用腳位
pi@raspberrypi:~/wittyPi $ gpio readall
如 GPIO-8(wiringPi pin 10)

不要使用 sudo shutdown -h now, 使用 gpio mode 7 out

使用 pin 腳
(3)GPIO-2: SDA1
(5)GPIO-3: SCL1
(7)GPIO-4:
(11)GPIO-17:
(8)GPIO-14:TXD

GPIO-14 非常特別，不能更換，開機後預設為HIGH, 關機後為LOW
Witty Pi 使用它來偵測 Raspberry Pi 的狀態

Raspberry Pi 3 新增藍芽裝置，藍芽對應UART0, GPIO-14 和 GPIO-15 對應 UART1
預設 Raspberry Pi 2
pi@raspberrypi:~ $ ls -al /dev/serial*
lrwxrwxrwx 1 root root 7 Jun 15 11:40 /dev/serial1 -> ttyAMA0
修改 /boot/config.txt, 單純使用 console
enable_uart=1
pi@raspberrypi:~ $ ls -al /dev/serial*
lrwxrwxrwx 1 root root 5 Jun 15 12:06 /dev/serial0 -> ttyS0
lrwxrwxrwx 1 root root 7 Jun 15 12:06 /dev/serial1 -> ttyAMA0
修改 /boot/config.txt, 讓藍芽使用 mini-uart(/dev/ttyS0)
dtoverlay=pi3-miniuart-bt
pi@raspberrypi:~ $ ls -al /dev/serial*
lrwxrwxrwx 1 root root 7 Jun 15 11:40 /dev/serial0 -> ttyAMA0
lrwxrwxrwx 1 root root 5 Jun 15 11:40 /dev/serial1 -> ttyS0

Raspberry Pi 網路設定

/etc/network/interfaces
---------------------------------
iface eth0 inet manual
allow-hotplug wlan0
iface wlan0 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
---------------------------------

/etc/wpa_supplicant/wpa_supplicant.conf
---------------------------------
country=TW
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
ssid="SSID2"
psk="password"
key_mgmt=WPA-PSK
priority=2
id_str="id_SSID2"
}

network={
ssid="SSID1"
key_mgmt=NONE
priority=1
id_str="id_SSID1"
}
---------------------------------

/etc/dhcpcd.conf

---------------------------------

nohook lookup-hostname

interface eth0

static ip_address=192.168.1.61

netmask 255.255.255.0

static routers=192.168.1.1

static domain_name_servers=192.168.1.1

interface wlan0

SSID DigiChance

static ip_address=192.168.1.60

netmask 255.255.255.0

static routers=192.168.1.1

static domain_name_servers=192.168.1.1

---------------------------------

iwconfig wlan0 #查看目前無線網路設定

iwlist wlan0 scan #掃描無線網路

ifdown wlan0 #停用無線網路

ifup wlan0 #啟動無線網路

ssh 預設帳號

pi/raspberry

2017年5月24日星期三

Arduino Yun 網路

Arduino Yun 也可同時啟動 AP+STA 模式，但測試時花了很多時間
因為 Arduino Yun 真的比 Linkit 7688 慢很多

回復AP模式或出廠值
1. 使用 WLAN 按鈕
按5秒，wifi 回AP模式 SSID=Arduino-Yun-XXXXXXXXXXXX, IP=192.168.240.1
按30秒，linux 環境回復出廠值，清除板上的 Flash 記憶體
2. 登入作業系統，使用命令
wifi-reset-and-reboot
reset-to-factory-anyway

wifi-reset-and-reboot 中加入下一行，才能正確回復AP模式

$UCI "delete" "wireless.@wifi-iface[1]"

設定檔位於 /etc/config

dhcp, network, wireless, firewall

使用網頁 (Arduino Luci)設定，新增 Wi-Fi Station 網路

Network/Wifi/Scan
Join Network
取消勾選 An additional network will be created if you leave this unchecked.

沒有取消勾選，會導致 AP 網路被取消掉

uci set wireless.@wifi-iface[1].ssid='DigiChance'

uci set wireless.@wifi-iface[1].key='xxxxx'

uci set wireless.@wifi-iface[1].encryption='psk2'

uci set wireless.@wifi-iface[1].bssid='B8:55:10:56:05:20'

uci commit wireless

uci set network.wwan.proto='static'

uci set network.wwan.ipaddr='192.168.1.60'

uci set network.wwan.netmask='255.255.255.0'

uci set network.wwan.gateway='192.168.1.1'

uci set network.wwan.dns='192.168.1.1'

uci commit network

修改完執行

/etc/init.d/network restart

相關命令
wifi up
wifi down
wifi status
ifconfig
ifconfig eth1 up
ifconfig eth1 down
ifconfig eth1 192.168.1.61 netmask 255.255.255.0

ifup EWAN // 參考 /etc/config/network

ifdown EWAN // 參考 /etc/config/network

同時啟動 ap+sta 模式，網路不用密碼，使用 MAC filter，會出問題，一直找不到如何解決

1. 不用密碼命令

uci set wireless.@wifi-iface[1].encryption='none'

2. MAC filter 似乎會檢查 BSSID

uci set wireless.@wifi-iface[1].bssid='B8:55:10:56:05:20'

3. 切開不同的網段，似乎能解決問題，但不同網段

uci set network.wwan.ipaddr='192.168.3.60'

若開機時沒接上有線網路，會導致無線網路開不起來
停止網路
uci set network.EWAN.auto='0'

開機後(無線網路啟動後)再啟動有線網路

編輯 /etc/rc.local

加入

ifconfig eth1 192.168.1.61 netmask 255.255.255.0

或

ifup wan

ifup EWAN

uci delete wireless.@wifi-iface[1]
uci add wireless wifi-iface
uci set wireless.@wifi-iface[1].network='wwan'
uci set wireless.@wifi-iface[1].device='radio0'
uci set wireless.@wifi-iface[1].mode='sta'
uci set wireless.@wifi-iface[1].ssid='DigiChance'
uci set wireless.@wifi-iface[1].key='22463458'
uci set wireless.@wifi-iface[1].encryption='psk2'
uci set wireless.@wifi-iface[1].bssid='B8:55:10:56:05:20'
uci commit wireless

uci delete network.wwan
uci add network interface
uci rename network.@interface[-1]='wwan'
uci set network.wwan._orig_ifname='wlan0-1'
uci set network.wwan._orig_bridge='false'
uci set network.wwan.proto='static'
uci set network.wwan.ipaddr='192.168.1.60'
uci set network.wwan.netmask='255.255.255.0'
uci set network.wwan.gateway='192.168.1.1'
uci set network.wwan.dns='192.168.1.1'
uci commit network

uci delete network.ewan
uci add network interface
uci rename network.@interface[-1]='ewan'
uci set network.ewan.ifname='eth1'
uci set network.ewan._orig_ifname='eth1-1'
uci set network.ewan.proto='static'
uci set network.ewan.ipaddr='192.168.1.61'
uci set network.ewan.netmask='255.255.255.0'
uci set network.ewan.gateway='192.168.1.1'
uci set network.ewan.dns='192.168.1.1'
uci commit network

wifi-reset-and-reboot 中加入

$UCI "delete" "wireless.@wifi-iface[1]"

2017年5月17日星期三

Linkit 7688 網路-非 Bridge

以下設定透過有線和無線連接外網，並同時啟動 Wifi Ap mode
但是不可以同時連接同一路由器網段
如 192.168.1.60, 192.168.1.61
此時會有一個網路無法連接
故使用 192.168.1.60, 192.168.2.61
Wifi Ap 使用 192.168.100.1

新增對外有線網路
Network/Interfaces/Add new interface...
Name: EWAN
Protocol: Static address (192.168.2.61)
Interface: Ethernet Switch: "eth0"
Firewall Settings: wan

取消 Bridge
Network/Interfaces/LAN/Physical Settings
取消勾選 Bridge interfaces
選擇 Wireless Network: Master "LinkIt_Smark_7688_xxxxxx"
Static address(192.168.100.1)

此時網路(EWAN)生效

修改 Wifi 之 UplinkAp
Network/Wifi/radio0: Client "UplinkAp"
修改 ESSID: router

新增對外無線網路
Network/Interfaces/Add new interface...
Name: WWAN
Protocol: Static address (192.168.1.60)
Interface: Wireless Network: Client "router"
Firewall Settings: wan

使用終端機登入
root@mylinkit:~# wifi_mode apsta

Network/Interfaces/LAN
Protocol: static address (192.168.100.1)
取消 Disable DHCP for this interface

修改 WWAN 的 gateway 和 DNS

訂閱：文章 (Atom)

網頁

2017年12月18日 星期一

2017年12月12日 星期二

2017年11月24日 星期五

2017年9月15日 星期五

2017年9月5日 星期二

2017年9月4日 星期一

2017年8月30日 星期三

2017年8月29日 星期二

2017年8月23日 星期三

2017年8月2日 星期三

2017年6月15日 星期四

2017年5月24日 星期三

2017年5月17日 星期三

2017年12月18日星期一

2017年12月12日星期二

2017年11月24日星期五

2017年9月15日星期五

2017年9月5日星期二

2017年9月4日星期一

2017年8月30日星期三

2017年8月29日星期二

2017年8月23日星期三

2017年8月2日星期三

2017年6月15日星期四

2017年5月24日星期三

2017年5月17日星期三