Accepting Invalid SSL Certificates in .NET WCF Clients

There are times when SSL certificates are used to verify identity and to provide TLS, and there are cases when only the wire encryption matters.  In the latter case, I sometimes need to be able to handle server certificates that are not valid by SSL’s standard rules.  This could be because the cert is not signed by a trusted certificate authority or is expired, etc.  When I encounter this problem and am for various reasons unable to deal with the root cause, there is a simple technique that allows you to plug in your own strategy to determine certificate validity.

Basically you do the following:

  • In a seam of bootstrapping code, you’ll want to add a ServerCertificateValidationCallback to the WCF ServicePointManager

Here’s a working example that accepts any SSL Certificate as valid:

ServicePointManager.ServerCertificateValidationCallback =
     (object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors) 
          => true;

With this patched strategy in place, your WCF client will now accept any SSL certificate it’s given, so the channel is still encrypted but the server’s identity is no longer checked. Note that, in the lambda body, you can put in your own logic to interrogate the parameters for what you consider to be acceptable:

X509Certificate cert

X509Chain chain

SslPolicyErrors errors

The logic applied can be more or less rigorous than the default certificate validation strategy.  The beauty of this approach is in the power of its simple implementation.
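
A stricter callback than the accept-all lambda, as an added example that is not code from the original post: it keeps the default verdict when there are no policy errors and otherwise accepts only a certificate whose SHA-256 hash is pinned for the requested host. The class name, host name and pin value are placeholders, and treating the sender as an HttpWebRequest is an assumption (the .NET Framework behaviour for HTTP requests); the callback is static, so it applies to every request in the process.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertificateValidation
{
    // Hypothetical pin list: host -> SHA-256 of the expected certificate (hex).
    // Both the host name and the hash below are placeholders.
    private static readonly Dictionary<string, string> Pins =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "legacy-service.example", "<SHA256-HEX-OF-EXPECTED-CERTIFICATE>" }
        };

    // Call once from the bootstrapping code.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass the default rules are accepted unchanged.
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null || chain == null) return false;

        // Tolerate chain problems only; a missing certificate or a name mismatch still fails.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;

        // Within the chain, tolerate only an untrusted or incomplete chain,
        // not expiry, revocation or a bad signature.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.UntrustedRoot &&
                status.Status != X509ChainStatusFlags.PartialChain)
                return false;
        }

        // Assumption: for HTTP(S) requests on .NET Framework the sender is the HttpWebRequest.
        var request = sender as HttpWebRequest;
        string expected;
        if (request == null || !Pins.TryGetValue(request.Address.Host, out expected))
            return false;

        return string.Equals(Sha256Hex(cert), expected, StringComparison.OrdinalIgnoreCase);
    }

    // SHA-256 over the DER-encoded certificate, as upper-case hex without separators.
    public static string Sha256Hex(X509Certificate cert)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
        }
    }
}
```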

Enjoy..

XML Interoperability of Serialized Entities in Java and .NET

Abstract:

In order to exchange structured data directly between the platforms, we must be able to easily take the marshalled or serialized definition of the object and turn it into an object in memory.  There are standard ways of marshalling of objects to XML in both Java and .NET.  I have found it a little frustrating in the past when I’ve had to adopt large frameworks or external machinery in order to easily move structured data between the JVM and CLR.   It seems that we should be able to bring these worlds together in a simple set of OOTB idioms, while providing a convenient way (one liner) to move back and forth between object and stringified forms.   For this I have created a minimal helper class for both languages that does the following:

  • Provides a common API between languages for moving between XML string and Objects (entities)
  • Provides adaptation capabilities between canonical XML representations for both Java’s JAXB and .NET’s XmlSerializer
  • Provides a façade to the underlying language and framework mechanics for going between representations
  • Implementation of SerializationHelper.java
  • Implementation of SerializationHelper.cs

The Need for Interoperable Xml Representation of Entities in Java and .NET

Both the Java and .NET ecosystems provide many ways to work with XML, JSON, Binary, YAML, etc. serialization.  In this article I’m focused on the base case between the standard platform-level mechanisms for moving between XML and Object graphs in memory.  The Web Services stacks in both platforms are of course built on top of their respective XML binding or serialization standards.  The standards, however, differ in some slight but important ways.  Here I do not seek to build a bulletproof general-purpose adapter between languages.  I’ll leave that to the WS-* people.  However, I think there is a common and often overlooked ability to do marshalling with XML with little to no additional framework or specialized stack.  Here are some scenarios that make sense with this kind of capability.

  • Intersystem Messaging
  • Transforming and Adapting Data Structures
  • Database stored and shared XML
  • Queue-based storage and shared XML
  • File-based storage and shared XML
  • Web Request/Response shared XML

The Specifications:

Java:

JAXB (Java XML Binding)

JSR: 222

.NET

XmlSerializer

Version >= .NET 2.0

First, we need to understand the default differences between the XML output by JAXB and XmlSerializer. To start we’ll create the same entity in both Java and C#. Then we can compare them.

The entity: DataObject

.NET Entity Class:

[Serializable]
public class DataObject
{
   public string Id { get; set; }
   public string Name { get; set; }
   public bool Processed { get; set; }
}

Java Entity Class:

public class DataObject implements Serializable {

	private String id;
	private String name;
	private boolean processed = false;

	public String getId() {
		return id;
	}

	public void setId(String id) {
		this.id = id;
	}

	public String getName() {
		return name;
	}

	public void setName(String name) {
		this.name = name;
	}

	public boolean isProcessed() {
		return processed;
	}

	public void setProcessed(boolean processed) {
		this.processed = processed;
	}
}

Java Entity XML:

<DataObject>
  <id>ea9b96a6-1f8a-4563-9a15-b1ec0ea1bc34</id>
  <name>blah</name>
  <processed>false</processed>
</DataObject>

.NET Entity XML:

<DataObject xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Id>b3766011-a1ab-41bf-9ce2-8566fca5736f</Id>
  <Name>blah</Name>
  <Processed>false</Processed>
</DataObject>

The notable differences in the XML are these:

  • xsi and xsd namespaces are put in by .NET and not by Java
  • The casing of the element names is different.  In fact, they follow the style convention used to create the entity.  The property naming styles between the languages are as follows:
    • Java: camelCase
    • .NET: PascalCase

Let’s have a look at how we can use a class called SerializationHelper to round-trip objects to XML and back to objects. We want it to easily dehydrate (stringify) and rehydrate (objectify) data objects.

The implementation of this class in both Java and C# provides the following api:

String serialize(Object object)
Object deserialize(String str, Class klass)

This is useful for quickly reversing objects to XML and vice versa.

I’ll walk you through how to use it with some tests.

Round Tripping (Java Usage):

@Test
public void can_round_trip_a_pojo_to_xml() throws Exception
{
	SerializationHelper helper = new SerializationHelper();
	DataObject obj = buildDataObject();

	String strObj = helper.serialize(obj);

	DataObject obj2 = (DataObject) helper.deserialize(strObj, DataObject.class);

	Assert.isTrue(obj.getId().equals(obj2.getId()));
	Assert.isTrue(obj.getName().equals(obj2.getName()));

}

Round Tripping (C# Usage):

[TestMethod]
public void can_round_trip_a_poco_to_xml()
{
    SerializationHelper helper = new SerializationHelper();
    DataObject obj = BuildDataObject();

    string strObj = helper.serialize(obj);

    DataObject obj2 = (DataObject)helper.deserialize(strObj, typeof(DataObject));

    Assert.IsTrue(obj.Id.Equals(obj2.Id));
    Assert.IsTrue(obj.Name.Equals(obj2.Name));
}

No problem. A simple single-line expression reverses the representation. Now let’s see if we can move the stringified representations between runtimes to become objects.

Adapting .NET XML to Java (Java Usage):

@Test
public void can_materialize_an_object_in_java_from_net_xml() throws Exception
{
	SerializationHelper helper = new SerializationHelper();

	String netStrObj = Files.toString(new File("DOTNET_SERIALIZED_DATAOBJECT.XML"), Charsets.UTF_8);

	DataObject obj2 = (DataObject) helper.deserialize(netStrObj, DataObject.class);

	Assert.isTrue(obj2.getName().equals("blah"));
}

Behind the scenes, there is a StreamReaderDelegate in the SerializationHelper that intercepts the inbound XML and camel-cases the names before it attempts to bind them onto the DataObject instance directly.

SerializationHelper.java:

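import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.StringWriter;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.Marshaller;
import javax.xml.bind.Unmarshaller;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
import javax.xml.stream.util.StreamReaderDelegate;
import javax.xml.transform.stream.StreamResult;

public class SerializationHelper {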

	public String serialize(Object object) throws Exception{
		StringWriter resultWriter = new StringWriter();
		StreamResult result = new StreamResult( resultWriter );
		XMLStreamWriter xmlStreamWriter =
		           XMLOutputFactory.newInstance().createXMLStreamWriter(result);

		JAXBContext context = JAXBContext.newInstance(object.getClass());
		Marshaller marshaller = context.createMarshaller();
		marshaller.marshal(new JAXBElement(new QName(object.getClass().getSimpleName()), object.getClass(), object), xmlStreamWriter);

		String res = resultWriter.toString();
	    return res;
	}

	public Object deserialize(String str, Class klass) throws Exception{

        InputStream is = new ByteArrayInputStream(str.getBytes("UTF-8"));
        XMLStreamReader reader = XMLInputFactory.newInstance().createXMLStreamReader(is);
        reader = new CamelCaseTransfomingReaderDelegate(reader, klass);

		JAXBContext context = JAXBContext.newInstance(klass);
		Unmarshaller unmarshaller = context.createUnmarshaller();

		JAXBElement elem = unmarshaller.unmarshal(reader, klass);
		Object object = elem.getValue();

		return object;
	}

	//adapts to Java property naming style
	private static class CamelCaseTransfomingReaderDelegate extends StreamReaderDelegate {

		Class klass = null;

        public CamelCaseTransfomingReaderDelegate(XMLStreamReader xsr, Class klass) {
        	super(xsr);
        	this.klass = klass;
        }

        @Override
        public String getLocalName() {
            String nodeName = super.getLocalName();
            if (!nodeName.equals(klass.getSimpleName()))
            {
            	nodeName = nodeName.substring(0, 1).toLowerCase() +
            			   nodeName.substring(1, nodeName.length());
            }
            return nodeName.intern(); //NOTE: intern very important!..
        }
    }
}

Note that the deserialize method is able to do just-in-time fixup of the property name XML nodes to ensure they meet the expectation (a camelCased field name) of the default JAXB unmarshalling behavior.

Now to go from XML produced by the default JAXB serializer to .NET objects with the same api. To do this I’ll switch back to C# now.

Adapting Java XML to .NET (C# Usage):

[TestMethod]
public void can_materialize_an_object_in_net_from_java_xml()
{
    string javaStrObj = File.ReadAllText("JAVA_SERIALIZED_DATAOBJECT.XML");

    SerializationHelper helper = new SerializationHelper();

    DataObject obj2 = (DataObject)helper.deserialize(javaStrObj, typeof(DataObject));

    Assert.IsTrue(obj2.Name.Equals("blah"));
}

In this case, I’m using a custom XmlReader that adapts the XML from Java style property names to .NET style. The pattern in Java and .NET is roughly the same for adapting the XML into a consumable form. This is the convenience and power that using an intermediary stream reader gives you. It basically applies changes to the node names it needs to bind them to the correct property names. The nice thing is that this happens just-in-time, as the XML is being deserialized into a local Object.

Here is the C# implementation of the same SerializationHelper api in .NET.

SerializationHelper.cs:

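using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Serialization;

public class SerializationHelper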
{

    public string serialize(object obj)
    {
        using (MemoryStream stream = new MemoryStream())
        {
            XmlSerializer xs = new XmlSerializer(obj.GetType());
            xs.Serialize(stream, obj);
            return Encoding.UTF8.GetString(stream.ToArray());
        }
    }

    public object deserialize(string serialized, Type type)
    {
        using (MemoryStream stream = new MemoryStream(Encoding.UTF8.GetBytes(serialized)))
        {
            using (var reader = new PascalCaseTransfomingReader(stream))
            {
                XmlSerializer xs = new XmlSerializer(type);
                return xs.Deserialize(reader);
            }
        }
    }

    private class PascalCaseTransfomingReader : XmlTextReader
    {
        public PascalCaseTransfomingReader(Stream input) : base(input) { }

        public override string this[string name]
        {
            get { return this[name, String.Empty]; }
        }

        public override string LocalName
        {
            get
            {
                // Capitalize first letter of elements and attributes.
                if (base.NodeType == XmlNodeType.Element ||
                    base.NodeType == XmlNodeType.EndElement ||
                    base.NodeType == XmlNodeType.Attribute)
                {
                    return base.NamespaceURI == "http://www.w3.org/2000/xmlns/" ?
                           base.LocalName : MakeFirstUpper(base.LocalName);
                }
                return base.LocalName;
            }
        }

        public override string Name
        {
            get
            {
                if (base.NamespaceURI == "http://www.w3.org/2000/xmlns/")
                    return base.Name;
                if (base.Name.IndexOf(":") == -1)
                    return MakeFirstUpper(base.Name);
                else
                {
                    // Turn local name into upper, not the prefix.
                    string name = base.Name.Substring(0, base.Name.IndexOf(":") + 1);
                    name += MakeFirstUpper(base.Name.Substring(base.Name.IndexOf(":") + 1));
                    return NameTable.Add(name);
                }
            }
        }

        private string MakeFirstUpper(string name)
        {
            if (name.Length == 0) return name;
            if (Char.IsUpper(name[0])) return name;
            if (name.Length == 1) return name.ToUpper();
            Char[] letters = name.ToCharArray();
            letters[0] = Char.ToUpper(letters[0]);
            return NameTable.Add(new string(letters));
        }

    }
}

I think it’s important to have a thorough understanding and good control of the basics of serialization. In some cases, we’re just consuming a serialized object from a message queue, a file, or a database. The ability to move entities between process and stack boundaries should be easy.

It should take only 1 line of code.
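
For XML that arrives from a queue, a file or a web request, as in the scenarios above, the reader should refuse DTDs, which XmlTextReader accepts unless told otherwise. The following is an added example, not part of the original helper: HardenedDeserializer and its inputs are constructed for illustration, and the same two property assignments can go in the constructor of a reader subclass such as PascalCaseTransfomingReader.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Serialization;

// Same entity as the page's .NET DataObject.
public class DataObject
{
    public string Id { get; set; }
    public string Name { get; set; }
    public bool Processed { get; set; }
}

public static class HardenedDeserializer
{
    // Same reader type as the page's helper (XmlTextReader), with DTDs refused.
    public static object Deserialize(string serialized, Type type)
    {
        using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(serialized)))
        using (var reader = new XmlTextReader(stream))
        {
            reader.DtdProcessing = DtdProcessing.Prohibit; // XmlException on any <!DOCTYPE>
            reader.XmlResolver = null;                     // never resolve external resources
            return new XmlSerializer(type).Deserialize(reader);
        }
    }

    // Returns false instead of throwing when the input is rejected by the reader.
    public static bool TryDeserialize(string serialized, Type type, out object result)
    {
        result = null;
        try
        {
            result = Deserialize(serialized, type);
            return true;
        }
        catch (XmlException)
        {
            return false;
        }
        catch (InvalidOperationException ex) when (ex.InnerException is XmlException)
        {
            // XmlSerializer wraps reader failures in InvalidOperationException.
            return false;
        }
    }

    public static void Main()
    {
        // Constructed inputs: the second one declares an internal entity in a DTD.
        const string plain =
            "<DataObject><Id>1</Id><Name>blah</Name><Processed>false</Processed></DataObject>";
        const string withDtd =
            "<!DOCTYPE DataObject [<!ENTITY n \"blah\">]>" +
            "<DataObject><Id>1</Id><Name>&n;</Name><Processed>false</Processed></DataObject>";

        object obj;
        Console.WriteLine(TryDeserialize(plain, typeof(DataObject), out obj));
        Console.WriteLine(TryDeserialize(withDtd, typeof(DataObject), out obj));
    }
}
```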

Hacking C#’s Lambda Expressions Into Hash Rockets

As I move between C# and Ruby, I have found my brain’s internal syntax parser always needing to switch gears and repurpose its understanding of Fat Arrow, =>. In Ruby, it provides a visually salient means of expressing key => value pairing within a Hash. C# on the other hand uses it to indicate the opening of a lambda expression’s body block, x => x + y. It’s notable that in other languages, such as CoffeeScript, it has a similar meaning. In any case, the lines sometimes blur as I’m dreaming up new ways to make C# look and behave more like my favorite dynamic language.

In this post, I’m going to show you how to repurpose C#’s lambda expression syntax for creating key,value pairs.  My goal is to be able to create nestable enumerable graph structures with a syntax like this:

var rockets = __.Rocketize(
                               foo => "asdf",
                               bar => 42,
                               biz => new Business{ Name = "AMD" },
                               now => DateTime.Now,
                               fun => new Func<Awesome>(() => new Awesome(source: "Joel Holder")),
                               sub => __.Rocketize(a => 'b',
                                                   c => 'd',
                                                   e => 'f'),
                               xml => File.ReadAllText(@"data.xml"),
                               web => new Uri("https://uberpwn.wordpress.com/"),
                               ___ => typeof(__),
                               tru => (2*2+3*3)/(5*5) == 1,
                               etc => "..."
                          );

First we need a few functions that leverage the Expression API to provide a means of taking in a series of lambda expressions. Internally, we will convert each expression’s AST into a named key and value of Func<> that  returns an optional state object.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Text;
using System.Threading;

namespace HashRocket
{
    public class __
    {
        public static IEnumerable<KeyValuePair<object, Func<object, object>>> Rocketize(params Expression<Func<object, object>>[] exprs)
        {
            return exprs.Select(expr =>
            {
                var key = expr.Parameters.FirstOrDefault() != null
                            ? expr.Parameters.FirstOrDefault().Name
                            : DateTime.Now.Ticks.ToString();
                return Rocketize(key, expr).First();
            });
        }
        public static IEnumerable<KeyValuePair<object, Func<object, object>>> Rocketize(object key, params Expression<Func<object, object>>[] exprs)
        {
            return exprs.Select(expr =>
            {
                var fn = expr.Compile();
                return new KeyValuePair<object, Func<object, object>>(key, fn);
            });
        }
    }
}

Now that we have this in place, we can run a few tests to show off the behavior. Note that I’ve opted for IEnumerables of KeyValuePair instead of a Dictionary or Hashtable. This is just a personal preference, in that I wanted to support multiple objects with the same key within the data structure.

using System;
using System.Linq;
using Microsoft.VisualStudio.TestTools.UnitTesting;

namespace HashRocket.Tests
{
    [TestClass]
    public class Tests
    {
        [TestMethod]
        public void Can_Convert_Lambda_Into_Kvp()
        {
            //arrange
            var testInput = "asdf";

            //act
            var rocket = __.Rocketize(input => input).First();

            //assert
            Assert.IsTrue(rocket.Key.Equals("input"));
            Assert.IsTrue(rocket.Value(testInput).Equals("asdf"));
        }

        [TestMethod]
        public void Can_Convert_Multiple_Lambdas_Into_Multiple_Kvps()
        {
            //arrange
            var testInputs = new object[] {"asdf","zxcv",2};

            //act
            var rockets = __.Rocketize(foo => foo + "qwer0",
                                       bar => bar + "qwer1",
                                       biz => biz + "qwer2").ToList();

            //assert
            for (var i = 0; i < rockets.Count; i++)
            {
                Assert.IsTrue(rockets[i].Value(testInputs[i]).Equals(testInputs[i] + "qwer" + i));
            }
        }
    }
}

What’s surprisingly cool about this approach is that it becomes very easy to create configuration objects with lambda syntax that can be passed directly into objects for initialization. If you’re familiar with this pattern in Ruby or JavaScript, you’ll appreciate the power and elegance it also affords to C#. To better understand the benefits and potential tradeoffs to using this trick, see Jeremy Skinner’s article on the topic.

Namaste..

C# Deserves A Better Message Passing API

The structured programming model of C# is decisive and straightforward. There is generally one or only a handful of idiomatically correct ways to facilitate a particular design need. In the case of API design, the language’s conception of access modifiers is fundamental. Exposures of behaviors to client code are controlled by applying public, private, or protected modifiers to individual methods. While this basic security mechanism does allow us to build cleaner APIs, it does not strictly limit our ability to reach inside objects and work with their internal private methods. We can both interrogate and mutate the internal state of objects with no public API whatsoever.

In this post I’m going to show you how to use reflection to add a feature to C# that mimics the simple message passing API that I like in Ruby. With this in place, we’ll be able to run any private method on any instance object with a more straightforward syntax.

First, we’ll give System.Object the ability to receive messages via an Extension Method called send.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

namespace MessagePassingExtensions
{
    public static class Extensions
    {
        //PUBLIC API
        public static bool respond_to(this object o, string responder, params object[] paramSoak)
        {
            return respond_by(o, responder, paramSoak) != null;
        }
 
        public static object send(this object o, string responder, params object[] paramSoak)
        {
            if (!o.respond_to(responder, paramSoak))
            {
                var reason = string.Format("This object does not respond to messages sent to: {0} with parameters: {1}",
                                           responder,
                                           string.Join(", ", paramSoak));
                throw new MissingMethodException(reason);
            }
            var result = o.respond_by(responder, paramSoak).InvokeMember(responder, send_flags, null, o, paramSoak);
            return result;
        }
 
        //PRIVATE HELPERS
        private const BindingFlags send_flags = BindingFlags.InvokeMethod | BindingFlags.Instance |
                                                BindingFlags.Public | BindingFlags.NonPublic;
 
        private static Type respond_by(this object o, string responder, params object[] paramSoak)
        {
            var class_lookup_path = o.GetType().GetBaseTypes().Reverse().Concat(new[] { o.GetType() }).Reverse().ToList();
            return class_lookup_path.FirstOrDefault(t => t.GetMethods(send_flags)
                                                          .Any(m => m.Name == responder &&
                                                                    m.GetParameters().Count() == paramSoak.Count() &&
                                                                    // the parameter type must be able to hold the argument's runtime type
                                                                    m.GetParameters().All(p => p.ParameterType.IsAssignableFrom(paramSoak[p.Position].GetType()))));
        }
 
        private static IEnumerable<Type> GetBaseTypes(this Type type)
        {
            if (type.BaseType == null) return type.GetInterfaces();
            return Enumerable.Repeat(type.BaseType, 1)
                             .Concat(type.GetInterfaces())
                             .Concat(type.GetInterfaces().SelectMany<Type, Type>(GetBaseTypes))
                             .Concat(type.BaseType.GetBaseTypes())
                             .Distinct();
        }
    }
}

This gives the API we need. Note that there are only 2 public methods added to the builtin object type:

respond_to() – allows you to ask an instance if it can respond to a particular message.

send() – allows you to send an instance a message.

Now let’s create a class that we can use as our test subject. We’ll use the domain of the animal kingdom. First we need a base Animal:

public class Animal
{
    private bool Eat()
    {
        return true;
    }
}

Note that there is only a private method in here, an Eat() behavior. This symbol will not be visible to subclasses nor will it be available via the public API. Next, let’s derive a specific animal by inheriting from this base class. Say in this case, a Duck:

public class Duck: Animal
{
    private string Quack(int times)
    {
        var noises = new List<string>();
        for (var i = 0; i < times; i++)
        {
            noises.Add(MethodBase.GetCurrentMethod().Name);
        }
        return string.Join(" ", noises);
    }
 
    private string Quack()
    {
        return Quack(1);
    }
}

Note that Duck is an Animal, and that it only has a few private methods. It cannot see Animal.Eat(). Now, let’s test it out. The following Test class exercises the implementation of Object.send() and demonstrates that we’re able to run all of the private methods that we just created.

[TestClass]
public class SendTests
{
    [TestMethod]
    public void can_resolve_correct_signature_with_params()
    {
        var duck = new Duck();
        var result = duck.send("Quack", 2);
        Assert.AreEqual(result, "Quack Quack");
    }
 
    [TestMethod]
    public void can_resolve_correct_signature_with_no_params()
    {
        var duck = new Duck();
        var result = duck.send("Quack");
        Assert.AreEqual(result, "Quack");
    }
 
    [TestMethod]
    public void can_respond_to_messages_from_a_base_class()
    {
        var duck = new Duck();
        var result = duck.send("Eat");
        Assert.AreEqual(result, true);
    }
 
    [TestMethod]
    [ExpectedException(typeof(MissingMethodException), "You sent a message that I could not respond to")]
    public void blows_up_if_sent_message_cannot_be_responded_to()
    {
        var duck = new Duck();
        var result = duck.send("Bark");
    }
}

All of these tests pass. They are self-explanatory. I think that the most interesting one is can_respond_to_messages_from_a_base_class(), which shows that we can also get and run a private method from the underlying Animal class. By sending a message to a symbol on an instance object, we’re able to program against it in a looser style. This opens up a number of interesting ways to work with an object. Suppose for example you wanted to build an XML-driven execution system. By simply reading in instructions from an external xml source, we can emit and drive code execution that was not known at design time. Here’s an example of a declarative approach to driving execution.

DuckDriver.xml:


<?xml version="1.0" encoding="UTF-8" ?>
<Obj type="DynamicSpikes.Tests.Duck">
  <Run method="Quack" times="3" />
</Obj>

Given the above XML File, I can process and verify it like this:

[TestClass]
[DeploymentItem(@".\Assets\DuckDriver.xml")]
public class XmlDeclarativeTests
{
    [TestMethod]
    public void can_create_and_run_from_xml()
    {
        var xml = XDocument.Load(@".\DuckDriver.xml");
 
        // Obj is the root element, so search from the document; Root.Descendants() would skip it
        var objects = xml.Descendants().Where(elem => elem.Name.LocalName == "Obj").ToList();
        objects.ForEach(objElem =>
            {
                var runs = objElem.Descendants().Where(elem => elem.Name.LocalName == "Run").ToList();
                runs.ForEach(runElem =>
                    {
                        var type = Type.GetType(objElem.Attribute("type").Value);
                        var method = runElem.Attributes().Where(attr => attr.Name == "method").FirstOrDefault().Value;
                        // attribute values are strings; convert them so they bind to Quack(int times)
                        var parameters = runElem.Attributes().Where(attr => attr.Name != "method").Select(attr => (object)int.Parse(attr.Value)).ToArray();
 
                        var obj = Activator.CreateInstance(type);
                        var result = obj.send(method, parameters);
                        Assert.AreEqual(result, "Quack Quack Quack"); //<Run method="Quack" times="3" />
                    });
            });
    }
}

The test reads in the XML File, finds the Obj elements, finds the Run elements, and grabs the method name and parameters from the attributes. With this information, we have all we need to create the object and send it the message. This test passes as expected.
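
Because the XML file decides which type is instantiated and which method runs, a dispatcher like this one should accept only names it already knows. The following is an added example, not code from the original post: AllowlistedXmlRunner, its allowlists and the stand-in Duck are constructed for illustration, and it resolves the method itself rather than calling send(), binding attributes to parameters by name and converting the string values to the declared parameter types.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Reflection;
using System.Xml.Linq;

// Constructed stand-in for the page's Duck.
public class Duck
{
    private string Quack(int times)
    {
        return string.Join(" ", Enumerable.Repeat("Quack", times));
    }
}

public static class AllowlistedXmlRunner
{
    // XML type name -> CLR type. Input never reaches Type.GetType().
    private static readonly Dictionary<string, Type> AllowedTypes =
        new Dictionary<string, Type> { { "DynamicSpikes.Tests.Duck", typeof(Duck) } };

    // "Type.Method" pairs that XML is allowed to invoke.
    private static readonly HashSet<string> AllowedMethods =
        new HashSet<string> { "Duck.Quack" };

    private const BindingFlags Flags = BindingFlags.Instance | BindingFlags.Public |
                                       BindingFlags.NonPublic | BindingFlags.DeclaredOnly;

    public static List<object> Run(XDocument xml)
    {
        var results = new List<object>();
        foreach (XElement objElem in xml.Descendants("Obj")) // includes the root element
        {
            var typeName = (string)objElem.Attribute("type");
            Type type;
            if (typeName == null || !AllowedTypes.TryGetValue(typeName, out type))
                throw new InvalidOperationException("Type is not allowlisted: " + typeName);

            foreach (XElement runElem in objElem.Elements("Run"))
            {
                var methodName = (string)runElem.Attribute("method");
                if (methodName == null || !AllowedMethods.Contains(type.Name + "." + methodName))
                    throw new InvalidOperationException("Method is not allowlisted: " + methodName);

                // Remaining attributes are arguments, bound to parameters by name.
                var args = runElem.Attributes()
                                  .Where(a => a.Name.LocalName != "method")
                                  .ToDictionary(a => a.Name.LocalName, a => a.Value);
                MethodInfo method = type.GetMethods(Flags).SingleOrDefault(m =>
                    m.Name == methodName &&
                    m.GetParameters().Length == args.Count &&
                    m.GetParameters().All(p => args.ContainsKey(p.Name)));
                if (method == null)
                    throw new MissingMethodException(type.Name, methodName);

                // Attribute values are strings; convert each to its declared parameter type.
                object[] values = method.GetParameters()
                    .Select(p => Convert.ChangeType(args[p.Name], p.ParameterType,
                                                    CultureInfo.InvariantCulture))
                    .ToArray();
                results.Add(method.Invoke(Activator.CreateInstance(type), values));
            }
        }
        return results;
    }

    public static void Main()
    {
        // Constructed input with the same shape as DuckDriver.xml.
        var ok = XDocument.Parse(
            "<Obj type=\"DynamicSpikes.Tests.Duck\"><Run method=\"Quack\" times=\"3\" /></Obj>");
        Console.WriteLine(Run(ok)[0]);

        // Constructed input naming a method that is not on the allowlist.
        var notListed = XDocument.Parse(
            "<Obj type=\"DynamicSpikes.Tests.Duck\"><Run method=\"Eat\" /></Obj>");
        try { Run(notListed); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```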

The ability to turn markup into runnable code is not new, but the ease with which it can be done with the nuts and bolts of the C# language is impressive. The fact that we can easily marshal declarative instructions into an unknown but completely runnable instruction set is more than just a little bit awesome.

Namaste…