Monday, December 28, 2009

Web Hosting Experience

I have recently changed by web hosting from HostMonster to Awardspace. HostMonster served me well these two years until when it was about to renew a month ago. I got notified that my my account got suspended because of "spam/phishing". After checking with the customer service, the reason was some "suspicious" files were found in my web site content.

The suspicious files are actually the executables of my personal projects: the JavaScript obfuscator (JSO) and the solution to convert base64 images in data URI to MIME (Base64Html).

As the projects contributes quite a lot of traffic to the website, I immediately asked for the reason of suspension. They explained that there are viruses found in the executables, blah, blah, blah... After I explained the purpose of my files and verified the MD5 were the same as in my computer, they re-activated the websites.

Everything sounds OK but it already took two days! I believe there are better ways to handle my case:
1. Why did they suspend all my websites? The files are only in one website.
2. Why the whole web sites were get suspended at all? The suspicious files can be redirected to some other safe URL.
3. Why spam/phishing turned out to be a possible virus notification? Why I had to ask to know the real reason of getting suspended? If they cannot distinguish the difference between phishing and virus, it is very unprofessional.
4. There was one statement in the last email I received made me very angry: "The report that we received was from a reputable web security company, so we did take action based on their report." Why couldn't they send me the report to let me take action before suspending my account (thus, suspending all websites)? The action taken is not customer friendly. Suspending account should be the last measure, not the first.

After this incident, I took some time to shop around. I used Awardspace free hosting before so it sounds OK for me. The price is reasonable and it supports ASP.NET. Not sure if it is a good choice since the websites have just migrated for a few days. I did have some trouble on transferring the domain but the customer service responded quickly and nicely.

I might have part 2 of this post to share the experience of website migrations.

P.S.: HostMonster does have a tracked record of over sensitive scam alert (use "oversensitive scam alert" as the keyword to search in Google). So, if you are not living in US (like me), you might get into the same trouble.

Saturday, October 10, 2009

Accessing Private Key from PFX (PKCS#12) in .Net Framework

You may know that .Net Framework has X509Certificate2 class to read X.509 certificate and obtain the public key from the certificate:

var cert = new X509Certificate2("my.cer");
var key = cert.PublicKey.Key as RSACryptoServiceProvider;
var cipher = key.Encrypt(Encoding.UTF8.GetBytes(txtClear.Text), false);
txtCipher.Text = Convert.ToBase64String(cipher);

However, you may not know that X509Certificate2 class can also read the first private key from a PFX file without CryptoAPI:

var cert = new X509Certificate2("my.pfx", "password");
var key = cert.PrivateKey as RSACryptoServiceProvider;
var clear = Convert.FromBase64String(txtCipher.Text);
txtClear.Text = Encoding.UTF8.GetString(key.Decrypt(clear, false));

To read all private keys from PFX, use PKCS12.Read() method below. It uses CryptoAPI and it will return an array of X509Certificate2. You can get the private key to decrypt the cipher as shown above. The full sample code can be download at Shane's Shelf.

using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Collections.Generic;

namespace X509Cert
{
public class PKCS12
{
public static X509Certificate2[] Read(string filename, string password)
{

FileStream stream = new FileStream(filename, FileMode.Open);
byte[] buffer = new byte[stream.Length];
stream.Read(buffer, 0, buffer.Length);
stream.Close();


WIN32.CRYPT_DATA_BLOB cryptdata = new WIN32.CRYPT_DATA_BLOB();
cryptdata.cbData = buffer.Length;
cryptdata.pbData = Marshal.AllocHGlobal(cryptdata.cbData);
Marshal.Copy(buffer, 0, cryptdata.pbData, buffer.Length);
IntPtr hMemStore = WIN32.PFXImportCertStore(ref cryptdata, password, WIN32.CRYPT_USER_KEYSET);
Marshal.FreeHGlobal(cryptdata.pbData);

uint provinfosize = 0;

List<X509Certificate2> certs = new List<X509Certificate2>();

IntPtr certHandle = IntPtr.Zero;
while ((certHandle = WIN32.CertEnumCertificatesInStore(hMemStore, certHandle)) != IntPtr.Zero)
{

if (WIN32.CertGetCertificateContextProperty(certHandle, WIN32.CERT_KEY_PROV_INFO_PROP_ID, IntPtr.Zero, ref provinfosize))
{

IntPtr info = Marshal.AllocHGlobal((int)provinfosize);

if (WIN32.CertGetCertificateContextProperty(certHandle, WIN32.CERT_KEY_PROV_INFO_PROP_ID, info, ref provinfosize))
{
var certData = new X509Certificate2(certHandle).Export(X509ContentType.SerializedCert);
certs.Add(new X509Certificate2(certData));
}
Marshal.FreeHGlobal(info);

}
}

Marshal.FreeHGlobal(hMemStore);
return certs.ToArray();

}
}

public class WIN32
{
public const uint CRYPT_USER_KEYSET = 0x00001000;
public const uint CERT_KEY_PROV_INFO_PROP_ID = 0x00000002;

[DllImport("crypt32.dll", SetLastError = true)]
public static extern IntPtr PFXImportCertStore(ref CRYPT_DATA_BLOB pPfx, [MarshalAs(UnmanagedType.LPWStr)] String szPassword, uint dwFlags);

[DllImport("CRYPT32.DLL", EntryPoint = "CertEnumCertificatesInStore", CharSet = CharSet.Auto, SetLastError = true)]
public static extern IntPtr CertEnumCertificatesInStore(IntPtr storeProvider, IntPtr prevCertContext);

[DllImport("CRYPT32.DLL", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool CertGetCertificateContextProperty(IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);

[DllImport("advapi32.dll", EntryPoint = "CryptAcquireContext", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool CryptAcquireContext(ref IntPtr phProv, string szContainer, string szProvider, uint dwProvType, uint dwFlags);

[StructLayout(LayoutKind.Sequential)]
public struct CRYPT_DATA_BLOB
{
public int cbData;
public IntPtr pbData;
}

public WIN32()
{

}
}
}

The above code is altered base on http://www.cnblogs.com/rainlake/archive/2005/09/15/237997.html

Thursday, May 21, 2009

MXHR

Digg is creating a multipart capable XHR library. Good try but not very useful. Here is why:
  1. MXHR response is not compressed by default.
    This is illustrated very well in their text only demo. MXHR stream is always slower than normal mode. I opened up the packet sniffer. The normal stream is compressed while the MXHR is not.
  2. Data URI scheme is broken.
    The web is broken by IE for a long time. IE6 and IE7 will be still around for a few years. Image data cannot be served in cross-browser manner. The same performance can be achieved by spriting: putting the tiny-images into one image (overhead is small if the image is large enough), preload the combined imaged, and use background-position to get the coordination.
  3. Multipart is not streaming
    Well, it is under DUI.Stream namespace. However, it is not streaming. The server is packing up the data into one response. The library is processing the data on-the-fly but the received data is accumulating.
    1. If the size of the response is not large (i.e. can be stream in a couple seconds), enveloping the message in JSON or XML could be easier.
    2. If the size of the response is large (i.e. comet style), the responseText is going to become very large. We call it memory leak.
HTTP is broken because it is not intended to serve for Web 2.0. That's why there are so many facilities in CSS and JavaScript to patch the protocol. MXHR is definitely not the answer.

Monday, May 04, 2009

E4X Alternative - JSOM

I have been expecting the popularity of E4X for a long time. However, as long as Internet Explorer is the most popular browser, "new" standards will never get popular (Microsoft is suffered from Windows XP legacy, too). Instead of waiting for E4X, some developers use XPath to query the DOM nodes while the other traverse the DOM node by node. However, it would be good if we could access XML content in JavaScript Object Model (JSOM):

xml='<invoice date="01-20-2000" number="123">' +
' <address country="US">' +
' <name>John Smith</name>' +
' <street>123 George St.</street>' +
' <city>Mountain View</city>' +
' <state>CA</state>' +
' <zip>94041</zip>' +
' </address>' +
'</invoice>';
invoice = JSOM(xml);
alert(invoice.$number);
alert(invoice.address.name);

There is a project, IEE4X, in SourceForge for the same purpose but it does not work quite well for a few cases. So, I grabbed the idea and implement the JSOM library myself. The code can be download at Shane's Shelf.

Wednesday, April 22, 2009

XML vs. JSON - Size Comparison

I was wondering how compact is JSON comparing to XML. I grabbed an arbitrary XML from the web and convert it to an equivalent JSON format. It turns out that JSON is around two-third of the XML size.

XML: 596 bytes

JSON: 402 bytes

<?xml version="1.0"?>
<message>
<header>
<to>companyReceiver</to>
<from>companySender</from>
<type>saveInvoice</type>
</header>
<info>
<saveInvoice>
<invoice date="01-20-2000" number="123">
<address country="US">
<name>John Smith</name>
<street>123 George St.</street>
<city>Mountain View</city>
<state>CA</state>
<zip>94041</zip>
</address>
<billTo country="US">
<name>Company A</name>
<street>100 Main St.</street>
<city>Washington</city>
<state>DC</state>
<zip>20015</zip>
</billTo>
<items>
<item number="1">
<name>IBM A20 Laptop</name>
<quantity>1</quantity>
<USPrice>2000.00</USPrice>
</item>
</items>
</invoice>
</saveInvoice>
</info>
</message>
 
{
header:{
to:"companyReceiver",
from:"companySender",
type:"saveInvoice”
},
info:{
saveInvoice:{
invoice:{date:"01-20-2000,number:"123",
address:{country:"US",
name:"John Smith",
street:"123 George St.",
city:"Mountain View",
state:"CA",
zip:"94041"
},
billTo:{country="US",
name:"Company A",
street:"100 Main St.",
city:"Washington",
state:"DC",
zip:"20015"
},
items:[
{
name:"IBM A20 Laptop",
quantity:1,
USPrice:2000.00
}
]
}
}
}
}

Saturday, March 14, 2009

Secure WCF Services with Authentication Service

We can use WCF Authentication Service to authenticate users with ASP.NET membership provider. However, other WCF services are not protected by the authentication service out-of-the-box. That is, WCF services is not using ASP.NET forms authentication.

Fortunately, it is not hard to enable it. The magic point is set the HttpContext.Current.User in Global.asax
public class Global : System.Web.HttpApplication
{
// other methods snipped...
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
HttpCookie ticketCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
if (null == ticketCookie)
{
return;
}

FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(ticketCookie.Value);
if (null != ticket)
{
HttpContext.Current.User = new GenericPrincipal(new FormsIdentity(ticket), null);
}
}
}
In the service you want to protect, set the requirement mode to allowed or required.
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class PrimeService : IPrimeService
Then, throw in the following checking at the beginning of the method.
            if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
throw new FaultException<SecurityAccessDeniedException>(new SecurityAccessDeniedException());
}
That would be good enough for Silverlight client. For .Net WCF client, you need to handle the HTTP cookies by yourself (Authentication Service is using the authentication ticket in cookies). Detail discussion can be found in the article in Shane's Shelf.

Tuesday, March 03, 2009

Silverlight Multi-part File Upload Form Post

Silverlight not actually very web friendly. It lacks of built-in support for the current HTML form post protocol. So, we have to write it our own. I have written an extension class and two serializer classes, one for normal form post (DataContractQueryStringSerializer) while the other for multipart upload form post (DataContractMultiPartSerializer).

If you only want to have the working code, just copy the code below. Detail explanation is available at Multi-Part Form Post in Shane's Shelf

  public static class Extensions
  {
      public static void PostFormAsync(this HttpWebRequest request, object parameters, AsyncCallback callback)
      {
          request.Method = "POST";
          request.ContentType = "application/x-www-form-urlencoded";
          request.BeginGetRequestStream(new AsyncCallback(asyncResult =>
          {
              Stream stream = request.EndGetRequestStream(asyncResult);
              DataContractQueryStringSerializer ser = new DataContractQueryStringSerializer();
              ser.WriteObject(stream, parameters);
              stream.Close();
              request.BeginGetResponse(callback, request);
          }), request);
      }

      public static void PostMultiPartAsync(this HttpWebRequest request, object parameters, AsyncCallback callback)
      {
          request.Method = "POST";
          string boundary = "---------------" + DateTime.Now.Ticks.ToString();
          request.ContentType = "multipart/form-data; boundary=" + boundary;
          request.BeginGetRequestStream(new AsyncCallback(asyncResult =>
          {
              Stream stream = request.EndGetRequestStream(asyncResult);

              DataContractMultiPartSerializer ser = new DataContractMultiPartSerializer(boundary);
              ser.WriteObject(stream, parameters);
              stream.Close();
              request.BeginGetResponse(callback, request);
          }), request);
      }
  }

  public class DataContractQueryStringSerializer
  {
      public void WriteObject(Stream stream, object data)
      {
          StreamWriter writer = new StreamWriter(stream);
          if (data != null)
          {
              if (data is Dictionary<string, string>)
              {
                  foreach (var entry in data as Dictionary<string, string>)
                  {
                      writer.Write("{0}={1}&", entry.Key, entry.Value);
                  }
              }
              else
              {
                  foreach (var prop in data.GetType().GetFields())
                  {
                      foreach (var attribute in prop.GetCustomAttributes(true))
                      {
                          if (attribute is DataMemberAttribute)
                          {
                              DataMemberAttribute member = attribute as DataMemberAttribute;
                              writer.Write("{0}={1}&", member.Name ?? prop.Name, prop.GetValue(data));
                          }
                      }
                  }
                  foreach (var prop in data.GetType().GetProperties())
                  {
                      if (prop.CanRead)
                      {
                          foreach (var attribute in prop.GetCustomAttributes(true))
                          {
                              if (attribute is DataMemberAttribute)
                              {
                                  DataMemberAttribute member = attribute as DataMemberAttribute;
                                  writer.Write("{0}={1}&", member.Name ?? prop.Name, prop.GetValue(data, null));
                              }
                          }
                      }
                  }
              }
              writer.Flush();
          }
      }
  }

  public class DataContractMultiPartSerializer
  {
      private string boundary;
      public DataContractMultiPartSerializer(string boundary)
      {
          this.boundary = boundary;
      }

      private void WriteEntry(StreamWriter writer, string key, object value)
      {
          if (value != null)
          {
              writer.Write("--");
              writer.WriteLine(boundary);
              if (value is FileInfo)
              {
                
                  FileInfo f = value as FileInfo;
                  writer.WriteLine(@"Content-Disposition: form-data; name=""{0}""; filename=""{1}""", key, f.Name);
                  writer.WriteLine("Content-Type: application/octet-stream");
                  writer.WriteLine("Content-Length: " + f.Length);
                  writer.WriteLine();
                  writer.Flush();
                  Stream output = writer.BaseStream;
                  Stream input = f.OpenRead();
                  byte[] buffer = new byte[4096];
                  for (int size = input.Read(buffer, 0, buffer.Length); size > 0; size = input.Read(buffer, 0, buffer.Length))
                  {
                      output.Write(buffer, 0, size);
                  }
                  output.Flush();
                  writer.WriteLine();
              }
              else
              {
                  writer.WriteLine(@"Content-Disposition: form-data; name=""{0}""", key);
                  writer.WriteLine();
                  writer.WriteLine(value.ToString());
              }
          }
      }

      public void WriteObject(Stream stream, object data)
      {
          StreamWriter writer = new StreamWriter(stream);
          if (data != null)
          {
              if (data is Dictionary<string, object>)
              {
                  foreach (var entry in data as Dictionary<string, object>)
                  {
                      WriteEntry(writer, entry.Key, entry.Value);
                  }
              }
              else
              {
                  foreach (var prop in data.GetType().GetFields())
                  {
                      foreach (var attribute in prop.GetCustomAttributes(true))
                      {
                          if (attribute is DataMemberAttribute)
                          {
                              DataMemberAttribute member = attribute as DataMemberAttribute;
                              WriteEntry(writer, member.Name ?? prop.Name, prop.GetValue(data));
                          }
                      }
                  }
                  foreach (var prop in data.GetType().GetProperties())
                  {
                      if (prop.CanRead)
                      {
                          foreach (var attribute in prop.GetCustomAttributes(true))
                          {
                              if (attribute is DataMemberAttribute)
                              {
                                  DataMemberAttribute member = attribute as DataMemberAttribute;
                                  WriteEntry(writer, member.Name ?? prop.Name, prop.GetValue(data, null));
                              }
                          }
                      }
                  }
              }
          }
          writer.Write("--");
          writer.Write(boundary);
          writer.WriteLine("--");
          writer.Flush();
      }
  }
The usage is as follows:
First a PHP file
<?php
print_r($_REQUEST);
$src = $_FILES['y']['tmp_name'];
$dest = "C:\\Windows\\Temp\\".$_FILES['y']['name'];
echo $src;
echo "\r\n";
echo $dest;
echo @copy($src, $dest);
?>
Then the Page control
    public partial class Page : UserControl
  {
      public Page()
      {
          InitializeComponent();
          // Create a request object
          HttpWebRequest request = (HttpWebRequest)WebRequest.Create(new Uri("http://localhost/rms/test.php"));
          OpenFileDialog dlg = new OpenFileDialog();
          if (dlg.ShowDialog().Value)
          {
              request.PostMultiPartAsync(new Dictionary<string, object> { { "x", "1" }, { "y", dlg.File } }, new AsyncCallback(asyncResult =>
              {
                  HttpWebResponse response = (HttpWebResponse)request.EndGetResponse(asyncResult);

                  Stream responseStream = response.GetResponseStream();
                  StreamReader reader = new StreamReader(responseStream);
                  this.Dispatcher.BeginInvoke(delegate
                  {
                      // output is a TextBlock
                      output.Text = reader.ReadToEnd();
                      response.Close();
                  });
              }));
          }
      }
  }
Since it is able to serialize data contract, you could actually replace
new Dictionary<string, object> { { "x", "1" }, { "y", dlg.File } }

with
new Point(){X=1, Y=2}

given the point class is like this:
    [DataContract]
  public class Point
  {
      [DataMember]
      public int X { get; set; }
      [DataMember(Name="y")]
      public int Y { get; set; }
  }