Older blog entries for Chicago (starting at number 123)

.Net Interop

This post should really be titled "Please write 1000 times, Vista is Not XP". Yesterday, I had the pleasure of having to look at how to write .Net wrappers around a Windows dll - to be precise, the Smart Card interface - WinSCard.dll. We've previously written code in C, but really the time is to move on and use C#. The problem's been addressed before, and it dosn't take a genius to find Google has references to Smart Cards in .NET. In particular, this is the second part of a three part essay. The first part discusses using a COM object to wrap around the dll functions, but this is the simpler way of doing it.

Apart from the required usinglines, the code to do this, is relativly simple:

public class MyClass{
  [DllImport("WinScard.dll")]
  public static extern int SCardEstablishContext(
    uint dwScope,
    int nNotUsed1,
    int nNotUsed2,
    ref int phContext);
}

This is a fully functioning class which provides the interface to one of the functions in the DLL. Now, whats the problem?

Well, in this instance, its a security violation. Some of the dll functions can be called and run without any problems at all, but some of them cause AccessViolationException. The helpful hint that comes with it suggests that this is because memory is corrupt (and after lots of uhming and ahhing we decide its not). No, the problem is because the memory is protected. In Vista that is. The same code running on XP provides no problems whatsoever.

Now heres my problem - my Google skills, usually pretty nifty, are failing me - I am struggling to search the great intertubes for a solution I am still scratching my head. The combinations of keywords I'm using still only come back with results are either:

1) Useless 2) People suffering the problem who havn't solved it. 3) Results about something similar in XP which has the same exception which is fixed by a MS .Net hotfix (which is irrelevant). 4) People who have a solution along the lines of "run your code as root".

So I need to spend more time looking at that soon.

Build Tools

Ok I'm pretty on top of the world at the moment, mostly because I've spent two days in "the Zone", and in that time I've managed to write some very handy new tools for the new project, mainly: The new improved build procedure is now in place, and its using a streamlined batch file to build it. It basically uses a program that I've written (CompilerWriter) that is called both Before and After the compilation - using arguments Pre and Post.

It also uses Cloc as an alternative to Sloccount (Cloc is much faster in a Windows Environment, not to mention running nativly without having to mess around with Cygwin).

  1. Call Pre-compiler to make entries into Database and generate the unique id for the build. Write the assembly info.cs file and return the id of the database entry.
  2. Call the compiler and capture the return code. Send all errors, warnings and notices to a file.
  3. Call the code line counter and put its output into a file (CSV)
  4. Call the post-compiler giving it the return information from the compiler, along with the error file, and the code line counter. It then moves the build to the test folder, corrects the databse entry line for its counts of error and file size, and also moves it into the historic build folder along with copies of all the reports

All together, its working very nicely - it generates a HTML report of the build and opens it in a tab in Firefox. Now, I could combine these tools in an ANT or a MSBuild file, but instead I just made a batch file to do it all.

MSSQL

Oh that wonderful height of confusing riddles. Some interesting things that I've noted (and mentioned before no doubt) that in the connection string, the use of Localhost actually causes a network / tcp connection. It seems that the way to force a local area connection (Shared Memory or Named Pipe) is to use (Local) or .. However, if you're connecting to an SQL Express install (and what ms "indie" developer isn't) then you need to use something along the lines of data source=.\SQLEXPRESS in your connection string.

Also note that some confusing errors might occur if you don't - "Failure to connect" is the main essence, but the message goes on (unhelpfully) to explain that this might be caused by a lack of allowance for a) named pipes or b) remote connections. How many hours have people spent scratching their heads going "But I've turned those on!".

In fact, you don't need to turn either on, just adding the \SQLEXPRESS should be all that you need to do.

Jmon / AngryBot

So, with Log4net now logging to the MS-SQL database, the framework for Jmon is now being built for the second time. My original framework (which the project name still is AngryBot) was quite good apart from it had too many hacks in it where I taught it how to play Poker (it required some not very nice hacks to listen to the poker bot and work out what hand it had. It also didn't have a very good idea of some of the specific differences in hands).

I know I haven't released the source code yet - I'm trying to tidy it all up, and the main reason is that I'm slightly embarrassed about a bit of it, and that bit is this - the main core, which I never got round to writing properly.

The IRC side uses SmartIrc4Net by Meebey, which deals with everything IRC related. I hook into the message received event, and deal with it basically like this:

if (e.Data.Message.StartsWith("!")) {
    string classname = "AngryBot.Commands." + tag.Substring(1).ToUpper();
    ObjectHandle handle = Activator.CreateInstance(null, classname);
    BaseCommand command = (BaseCommand)handle.Unwrap();
    command.Run(irc, e);
}

But what if the command dosn't exist I hear you say - what if someone goes !Bang and the class AngryBot.Commands.BANG does not exist? What if it does exist, but isn't a BaseCommand? What happens when someone sends "!"? Well, around that is a try-catch which gets everything that breaks, and just ignores it.

I know. Eww. And that's why you haven't got the code released yet, because its just not worth it.

In fact, my previous-to-previous post also contains more issues which I had not really looked into, partially because of unreliable information that sites had told me, and also partially because I forget that when you read Blog posts (even blog posts from the company who are producing the software), anything that speculates about the future is doing just that - speculating.

Windows 2008, being launched officially in some 26 days according to Microsoft is the reason that people don't have a migration path from Windows 2003 to Vista-servers. Blatantly because they will be migrating to Windows 2008.

Starting a project right now is really bad timing. We basically have no choice but to write it for Windows 2003 & IIS 6, because our deployment date will be before 2008 has passed our stringent "hmm well it hasn't fallen over *yet*" style credence plans. If only 2008 had been released in 2007...

surely it doesn't matter but it does. We don't make "websites". We're doing funky things with managed code and talking to hardware modules. We have a vision of what we want to write, we know how it breaks down in the project, and now, we have the leisure of being able to select our tools. And this selection process is killing my mind.

My previous post about Modules is actually slightly wrong - it seems that you *can* have modules in IIS6, although the documentation for this is pretty sparse from Googles point of view. I'm also struggling to find concrete information on the IIS6 Pipeline, which is essential when writing Modules to make sure they go "off" at the right time.

31 Jan 2008 (updated 31 Jan 2008 at 12:29 UTC) »
Windows Vista & IIS 7

Ok, Mvolo has a fantastic article and a really good guide on how to write Modules and Handlers for IIS7.

http://mvolo.com/blogs/serverside/archive/2007/08/15/Developing-IIS7-web-server-features-with-the-.NET-framework.aspx

Now, one of the biggest problems I had with the old system was that ISAPI (Internet Server API) Filters had to be written in C as a wrapper around .NET code - bearing in mind that we where trying to have a single language company, this was a pain in the ass, as it meant that the number of developers who understood the ISAPI Filter code - we solved it by using a mod-rewrite and using a single ASPX page which called our .NET dll.

The new IIS7 system still has ISAPI filters, but it also has very funky Modules. Modules are, in short, very easy to write. Once you understand the IIS execution pipeline, you can register a module to go off at any point in that pipeline where you want to be able to control the data. And, whats great for me, is that they're written *in* .NET, which means that all our code remains in one language.

Now for the bad news: There is a social problem with IIS7 & Vista - companies are often unwilling to start Vista Servers - Why not? I mean It's only been available as a product for a year-ish and beta slightly longer then that. The main difference between Vista and 2003 is that the migration from 2000 to 2003 was relatively painless - 2003 and 2000 are basically the same operating system, the terms, the interfaces and everything are the same (you *can* effectively use your training manuals for 2000 to run 2003 software).

Also remember that IIS is packaged WITH the operating system. This does actually make a lot of sense, but IIS7 is a fully modular system. People installing IIS7 without finding out about how it works will usually complain that .NET code doesn't work, because everything (including .NET) is installed in modules, and, possibly more surprising then this, .NET extensions aren't installed as a standard module. The downside of this is that IIS7 will never actually run as an application on Windows 2003, which is pretty much the only Windows Server we can rent.

Microsoft Visual Studio 2008 & Other IDE's in Vista

I'm having continued problems with Vista's security when developing applications. The problems seem to come from two main areas:

1) The programs I write use ports to communicate with each other, and I change what ports I'm using when I write mini-test programs. The creation of ACL rules to allow these take too long when the program is only going to run for a couple of hours and never again.

2) I often use debuggers to inspect the memory of the current running program. Various IDE's have problems with this, because the operating system prevents different programs from reading each others memories.

Both these problems I have solved by running the IDE's in Administrator mode. Its not elegant - my development workstation is now technically vulnerable to any flaws in the IDE's, and it also means that when I'm debugging, my application is running as administrator (Which it doesn't do on the live system). However, this is a minor inconvenience considering that I am writing code in Windows Vista for Windows Server 2003.

So, The future

Do companies running Windows 2003 as servers have a plan on moving over to Windows Vista? With a lot of Business-ware applications not yet working on Vista (maybe because they where designed for NT and never re-written), do companies have a long term plan on how they are going to migrate? Is there a time-scale to these plans?

Windows Vista & Carbide. To install Carbide on Vista, download the setup, then run it as administrator (*) and also with Windows 2000 compatibility. This allows the installer to install correctly without hanging half way through.

* I suppose you don't have to run as administrator and install it to your user area and then get NetBeans / whatever to link to that user area.

One of our projects was to deal with communication through the NXP chip from an external card to the internal secure element of the Nokia 6131. Unfortunately, we have just discovered that [in a Java Midlet] you are unable to talk to both devices at the same time. We're yet to confirm if this is a Java limitation, an O/S limitation or a Hardware limitation.

Sometimes I think that developers and controllers of areas of technology are criminal in their invention of wording and descriptions of the technology in such a way that actually obscures whats going on.

Partially this is salesmanship (look, what we are doing here is actually uber difficult you wouldn't ever do it), but thats not the criminal part. Whats getting me worked up at the moment is the overuse of the same couple of words which have multiple meanings.

We're working on some payment implementations on Java card, and applets on the cards have several "states" they might be in, one of which is Personalized, which is to do with the keys being set in the applet. The payment implementation we're working with also has some states, of which there is pre-personalized and personalized. Its only just clicked, that when the implementation is in its "prepersonalized" state, this is the same as the Java-card-applet-state of personalized.

The other problem we are hitting is that the "cards" we are working on are actually Nokia 6131-NFC phones, and these have some interesting properties in that they don't seem to allow us to authenticate to them in plain-text. We can do (the equivilent of JCOP Shell):

 set-key 42.... (keyset 42)
 init-update 42
 ext-auth enc

but any other kind of ext-auth (such as ext-auth plain) fails. Unfortunately, all our working example code for normal cards used normal plain text mode, so we've had to do a fair bit of work writing libraries to allow us to do cmac and encryption on the APDU's being sent back and forth.

Stranger things have happened at sea

But theres a major difference between the JCOP Shell commands "send" and "/send"... observe on the sample card (edited to remove irrelevent stuff

cm>  set-key 255...
cm>  init-update 255
cm>  ext-auth enc
cm>  /send 80010000#(|test)
 => 80 01 00 00 04 74 65 73 74  
cm>  send 80010000#(|test)
 => 84 01 00 00 10 D8 E6 3B 3D 79 D6 BC B4 1F 28 4F

The first (/send) keeps the data exactly as it was. The second (send) converts the data into cmac+encryption mode (i.e. class changes from 80 to 84 and the data is padded and encrypted). This *is* documented in the help of send and /send (them having completely different help files, being completely different commands, not aliases for each other)

All in all, I'm hoping to crack the personalization states of this applet today, mainly by moving the commands from /send to send.

JavaCard / Openplatform / Globalplatform whatever you want to call it platform SUCCESS AT LAST!!!

Success finally achieved. Unlike what I was expecting, the application runs not from when you power the card to dispower it, it runs from when you install it to when you delete/block/whatever it.

This way, when you define a variable as a global for that class (is that the right way to say that?), its actually permanent storage across power-cycles. I would at this point paste proof that it works, but the minimal demonstration I can make is approximately 12 lines of preformatted hex strings long, and with comments thats incredibly boring reading.

Code for applet is here

114 older entries...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!