Mitch Dempsey

Apartment Doorbell Notifications

2013-03-01T00:00:00-08:00

My apartment complex currently has a phone-based doorbell system to let visitors enter the complex. Visitors find the resident’s name on a callbox, and then call the resident. The resident verifies friend of foe, and can press 9 to open the door.

I didn’t want my visitors to have to rely on me being able to answer the phone in order to enter. Especially if I have them “follow me in”, there is no reception in the parking garage, so they would be stuck in the garage for a few minutes. Or, if I did not hear my phone ring, I still want friends to be able to come directly to my apartment door. I also thought it would just be pretty cool and nerdy to have it automated.

After doing some reading online about various setups, I decided to go with Asterisk and combine it with a small Rails application that would send notifications using Growl and Prowl. My goal was that whenever a guest dialed my extension on the gate, all my computers (including my media center) would show a notification on screen alerting me of their entry. As a bonus, it also would send a notification to my iPhone so that even if I wasn’t at home, I would know if someone was over.

Setting up Asterisk

The first step with Asterisk was routing a phone number to the asterisk server. Since I did not have a landline in my apartment, I decided to get a SIP endpoint that I could connect to asterisk. After looking around online, I decided to go with sipgate. I was able to get a free number that would take inbound calls and could route them to asterisk. Perfect.

To connect with sipgate, you need to tell asterisk how it should connect to your VoIP provider. You need to edit (or create) a sip.conf folder that will let you configure any SIP settings. Below is the file from my server.

; sip.conf
;
; SipGate Info
; SIPGATE_USER - your sipgate username
; SIPGATE_PASS - your sipgate secret/password

[general]
tcpenable=no
srvlookup=yes
register=> SIPGATE_USER:SIPGATE_PASS@sipgate/SIPGATE_USER

[sipgate]
type=peer
secret=SIPGATE_PASS
insecure=invite
username=SIPGATE_USER
defaultuser=SIPGATE_USER
fromuser=SIPGATE_USER
context=sipgate_in
fromdomain=sipgate.com
host=sipgate.com
outboundproxy=proxy.live.sipgate.com
qualify=yes
disallow=all
allow=ulaw
dtmfmode=rfc2833

Next, I needed to setup a route for sipgate. I decided that I wanted to route all inbound calls from sipgate directly to the door program. You can add this configuration to the bottom of your extensions.conf file. In sip.conf I configured asterisk to use [sipgate_in] as the “context” for any calls from sipgate. (You can see above the context= setting).

The block below configures the actions that should be taken should a call be in the sipgate_in context. I decided that I wanted all calls to be routed directly to my extension called door-access. After opening the door, asterisk should immediately hang up the call.

[sipgate_in]
exten => SIPGATE_USER,1,Goto(door-access,s,1)
exten => SIPGATE_USER,n,Hangup

Next, you need to configure the door-access extension to perform the required actions to open the door. What I wanted the system to do was:

Answer the call
Say “Access Granted”
Send a growl notification
“Press” 9 to open the door

So I added the following script to my extensions.conf file:

[door-access]
exten => s,1,Answer(500)
exten => s,n,Playback(silence/1)
exten => s,n,Playback(access-granted)
exten => s,n,System(curl -s -d "callerid=${CALLERID(num)}" http://doorbell.mitchdempsey.net/asterisk >/dev/null)
exten => s,n,SendDTMF(99999)
exten => s,n,Hangup

A few things I added were the Playback(silence/1) line. This plays a second of silence, which allows the other system to enable the speakers or whatever. I found after testing that if I didn’t have that line, then the “Access Granted” phrase would be cut off in the beginning.

The System() line is what submits a POST request to the rails application. It also passes the caller’s phone number. I realized that each door at my apartment had a different telephone number, so I could easily tell exactly which door someone entered from just based on the phone number.

Rails Application

The Rails application side was relatively simple. I have a single page that accepts a POST request containing the callerid. It does a simple lookup to find out which door the specified number corresponds to. Once it has determined the location of the door, it fires off a Growl notification to all computers in the apartment, and then submits a notification to Prowl, which is then sent to my iPhone.

# POST /asterisk
def asterisk
  # the phone number of the door
  callerid = params[:callerid]
    
  # Search the gate code
  @gate_phone = GatePhone.find_or_create_by_phone_number(callerid)
  
  # Submit a request to Prowl
  Prowler.notify "Gate Entry", "Visitor entered from #{@gate_phone.location}"
  
  # Notify all the computers over Growl
  NotifyGrowlHost.where(:gate_entry => true).each do |growl_host|
    g = Growl.new growl_host.host, "mr-universe", ["gate-entry"], nil, growl_host.password
    g.notify "gate-entry", "Gate Entry Notification", "Visitor entered via #{@gate_phone.location}"  
  end
end

That’s about it! Not very complicated, but pretty useful.

Signing Java code with a real certificate

2013-02-28T00:00:00-08:00

This guide will walk you through signing your java code using a legitimate certificate (instead of a self-signed certificate).

Step 1: Generate a key pair

You will need to generate a key as well as a certificate signing request (CSR). You must keep your key private. The CSR will be sent to the certificate authority (such as DigiCert for them to sign.

First, we need to generate a key/certificate pair and store it in a java key store. Make sure you specify actual values for -storepass and -keypass, which are the passwords for the keystore, and the keypair, respectively.

$ keytool -genkey -alias acme -keyalg RSA -keysize 2048 \
    -keystore mykeystore.jks \
    -storepass "changeme123" \
    -keypass "password123" \
    -dname "CN=Acme Company, O=Acme Company, L=New York City, ST=New York, C=US"

This will create the file mykeystore.jks which will contain a single keypair under the alias of acme. Right now, you have a self-signed certificate. When a user tries to start your program, they will be shown an error saying that the code was signed by an untrusted source. This is what we want to prevent.

Step 2: Generate a certificate signing request

Next, you will need to generate the CSR that can be sent to the certificate authority. The following command will export a CSR corresponding with the keypair that was generated above. You will be prompted to enter the keystore password (-storepass) as well as the key password for “acme” (-keypass).

$ keytool -certreq -alias acme -file acme_csr.csr -keystore mykeystore.jks

You now have a file called acme_csr.csr. You will send this to the certificate authority of your choice and they will sign it. You may be offered the option of various formats for them to give you the signed certificate in. I find the easiest is a single .p7b file with the entire certificate chain added.

Step 3: Import certificate authority reply

Now that you have your .p7b file (we will call it acme_certs.p7b) from the certificate authority, you need to import it into your keystore. Currently in your keystore, you have a key and a certificate (that form a “keypair”). The key must remain, but we want to overwrite the self-signed certificate with the certificate from the certificate authority.

To inspect the response, and make sure we have the certificate we need, you can run the following command:

$ openssl pkcs7 -in acme_certs.p7b -print_certs

Scroll to the top, and you should see subject=CN=Acme Company/O=Acme Company/L=New York City/ST=New York/C=US. If you do not see this anywhere in the output, then you have the wrong certificate or something went horribly wrong.

Once we verified we have the correct certificate, we need to import the reply. To import the response, run the following command:

$ keytool -import -trustcacerts -alias acme -file acme_certs.p7b -keystore mykeystore.jks

Step 4: Convert Java keystore to PFX (optional)

This step is only needed if you want to sign executables for Windows. Microsoft code-signing uses a .pfx file which is a PKCS12 keystore. (A PKCS12 keystore is very similar to Java’s keystore except that it only stores a single keypair).

To convert from your JKS to PFX, do the following:

$ keytool -importkeystore \
    -srckeystore mykeystore.jks -srcstoretype JKS \
    -destkeystore mykeystore.pfx -deststoretype PKCS12

You now have an acceptable certificate that can be used to sign JAR files and executables.

Generating a DIRECT Domain Certificate

2013-02-27T00:00:00-08:00

This article will show you how to take an existing trust anchor key-pair and use it to generate domain certificates that can be used by the DIRECT Project. This assumes you have the openssl command-line utility (available on Linux/Mac).

Prerequisites: You must have the certificate and key associated with your trust anchor (trustanchor.pem, trustanchor.key) before performing these steps. If your trust anchor key has a passphrase, you will need to know that as well.

Lets say our domain is direct.mydomain.com and we need to generate a certificate for this domain.

The first step is to generate a certificate signing request (CSR) for the domain.

$ openssl req \
    -newkey rsa:2048 \
    -nodes \
    -days 3650 \
    -out direct.mydomain.com.csr \
    -keyout direct.mydomain.com.key \
    -subj '/C=US/ST=New York/L=New York City/O=Acme Corp/emailAddress=direct.mydomain.com/CN=direct.mydomain.com'

This will create two files. The first is the CSR, and the second is the private key for this domain.

Next, we need to sign the certificate using our Trust Anchor.

$ openssl x509 -req \
    -in direct.mydomain.com.csr \
    -CA trustanchor.pem \
    -CAkey trustanchor.key \
    -CAcreateserial \
    -out direct.mydomain.com.pem \
    -days 3650

This will use the trust anchor’s certificate and key to issue a domain certificate. The new certificate will be available in direct.mydomain.com.pem. Note: If your CA has a passphrase, you will be prompted to enter it here.

The DIRECT project requires all certificates be in DER format. To convert from PEM to DER format, do the following:

$ openssl x509 -outform der -in direct.mydomain.com.pem -out direct.mydomain.com.der

Finally, you need to create a PKCS12 key-pair. This will need to be uploaded to the DIRECT application so it can be served over DNS.

$ openssl pkcs12 -export \
    -in direct.mydomain.com.pem \
    -inkey direct.mydomain.com.key \
    -out direct.mydomain.com.p12 \
    -name 'direct_keypair'

Note: Many DIRECT applications require that the .p12 file have an empty passphrase. When you are prompted to enter a passphrase, be sure to just push Enter.

You have now successfully generated a domain certificate for direct.mydomain.com!

Just to be sure, you should inspect your new certificate to make sure it looks correct. To view the certificate, do the following:

$ openssl x509 -in direct.mydomain.com.pem -text

You should see a response with something similar to:

Certificate:
  Data:
    Version: 1 (0x0)
    Serial Number:
        f9:68:b1:ca:a9:b2:56:db
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Acme Corp Trust Authority
    Validity
        Not Before: Mar  1 21:05:07 2013 GMT
        Not After : Feb 27 21:05:07 2023 GMT
    Subject: C=US, ST=New York, L=New York City, O=Acme Corp/emailAddress=direct.mydomain.com, CN=direct.mydomain.com
    Subject Public Key Info:
    ...