All posts by Chris

Invited To Speak During That Conference On August 7th, 2017

Do you have plans this August? Come join me at That Conference on August 7th, 2017! I will be attending this casual and family friendly event for software developers.

I will be speaking about JSON web tokens and Auth0. I will explain what a JSON web token is and how to use them for projects of all sizes and complexity. I will also explain some of the things I have learned along the way as I deployed solutions and how I troubleshoot problems.

If you are attending That Conference, please stop by and see my presentation!

Secrets In ASP.NET Core!

I admit right now that I titled this article to be click bait. I am not going to be revealing any tabloid rumors or dark secrets about ASP.NET Core, but totally call me if you want to share a few. Instead, I am going to explain how to make use of the Secret Manager in ASP.NET Core.

The Secret Manager is a tool in ASP.NET Core that helps you, the developer, store sensitive data that your project needs but that you don’t want to commit to your GitHub repository for all the world to see (think SQL user credentials).

When you store your “secrets” with Secret Manager, your data is saved as key-value pairs inside a non-encrypted (plain text) JSON file. That file is saved inside your user profile directory if you are on a Windows operating system, or beneath a hidden directory called “.microsoft” created in your project’s root directory. Specifically, the location depends on which operating system you are using.

If you code your project on Linux or macOS, or think you might, you will likely want to add the “.microsoft” folder to your “.gitignore” file to ensure your “secrets” aren’t accidentally committed to your Git repository. It is a common practice within JavaScript developer circles to have a “secrets.json” file and to add “secrets.json” to your “.gitignore” file.

When you save your “secrets” using this feature, you can drop out to your favorite command prompt or terminal session and use this command:

For example, say you have a secret key called “MySecret” and the value you want to save is “mindyourownbusiness”. You can save this key-value pair in your secrets.json file by typing:

“dotnet user-secrets set MySecret mindyourownbusiness”

If you need to do this from a directory other than where your project’s “.csproj” file is, then you need to specify an additional parameter that specifies the path to your project. So, then you would type this instead:

“dotnet user-secrets set MySecret mindyourownbusiness --project c:\MyCode\MyProject\src\myproject”

Now that we understand what Secret Manager is and where our secrets are stored for our projects to reference, let’s examine how to set up Secret Manager inside an ASP.NET Core project and then see an example of how to use it.

Setting Up Secret Manager

First, we need to add the “Microsoft.Extensions.SecretManager.Tools” assembly to our ASP.NET Core project’s “.csproj” file. So right click on your project inside Visual Studio, click “Manage NuGet Packages” and then search and install this assembly.

Sadly, right now anyway, this results in this unexpected error message:

Context: Microsoft made Visual Studio 2017 generally available today and I have come up with a couple errors that seem to resolve by simply building and rebuilding again. I assume there will be updates sometime soon to fix some of these types of errors. So if this is your experience, just rebuild a second time and you should get the error message to clear and get a successful build.

Ok, so now type out a “dotnet restore” command from your project directory and then build and rebuild again (if you get the odd error I got) and make sure you get a successful build.

At this point, you should be able to test out the Secret Manager tool and make sure it is working for your project:

Also, notice the commands that are available for this feature. They make sense when you think about it, right?

Also, notice if you go back and look inside your “.csproj” file you’ll see Secret Manager made up a “UserSecretsId” for our project:

The “UserSecretsId” value is used in the path to our project’s “secrets.json” file so the tool can keep separate JSON files for each individual ASP.NET Core project.

Now that we have this set up in our project, we can use it in our code. Open up your “Startup.cs” file and notice you probably already have code like the following from when your project was created:

To use your secret now, all you need to do is something like this:

So this will nicely swap in my SQL credential’s password at run-time assuming that I edit my connection string to look like this:

See how I turned my password stored in my project’s “appsettings.json” file into a “token” my code can use to swap in my real, but secret password?
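An added example of the Startup.cs wiring described above (not the author's original code). It assumes an ASP.NET Core 1.x-style Startup class, a connection string named DefaultConnection, and a {MySecret} token in appsettings.json; those names are assumptions, and only the MySecret key comes from the article.

```csharp
using System;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumed token: appsettings.json holds e.g.
    // "DefaultConnection": "Server=localhost;Database=MyDb;User Id=appuser;Password={MySecret};"
    private const string PasswordToken = "{MySecret}";

    public IConfigurationRoot Configuration { get; }

    public Startup(IHostingEnvironment env)
    {
        var builder = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true);

        // secrets.json exists only on the developer's machine, so load it in Development only.
        if (env.IsDevelopment())
        {
            builder.AddUserSecrets<Startup>();
        }

        // Added last so a deployed environment can supply MySecret without secrets.json.
        builder.AddEnvironmentVariables();
        Configuration = builder.Build();
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Pass this to whatever data access your project registers; never log it.
        string connectionString = ResolveConnectionString();
    }

    // Swaps the token for the value stored with "dotnet user-secrets set MySecret ...".
    private string ResolveConnectionString()
    {
        string template = Configuration.GetConnectionString("DefaultConnection");
        string secret = Configuration["MySecret"];

        if (string.IsNullOrEmpty(template) || !template.Contains(PasswordToken))
            throw new InvalidOperationException("Connection string is missing or has no " + PasswordToken + " token.");
        if (string.IsNullOrEmpty(secret))
            throw new InvalidOperationException("MySecret is not set; run 'dotnet user-secrets set MySecret <value>'.");

        return template.Replace(PasswordToken, secret);
    }
}
```

Failing at startup when the secret is missing keeps the application from attempting a database login with the literal token as the password.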

Enjoy!

Validating Your DKIM Configuration

DomainKeys Identified Mail or DKIM, as it is called, is an email authentication method that essentially acts as something of an email driver’s license for an Internet domain. It is one popular method for an SMTP mail server to separate credible senders of email messages from spam. If you own your own internet domain name and operate your own SMTP mail server then you will want to make sure that your domain’s DKIM and SPF DNS records are valid and correctly published by DNS (domain name server). Otherwise, the email messages you send from your mail server will likely end up in your recipient’s spam folder or, worse, rejected for delivery altogether. In this article, I will focus on showing you how to validate your DKIM record.

 

How DKIM Works

When you send an email message to someone else, your message is transported over the internet traveling from mail server to mail server via SMTP. When your message finally arrives at your recipient’s mail server, the mail server will process your message and determine whether it is spam or not using one or more email authentication methods, like DKIM. To do this, your email message’s header will have a DKIM signature like the example one depicted below:

The highlighted parts of this signature show a “d” tag, which is the internet domain this email message was sent from (the domain name of your SMTP mail server), and an “s” tag (or “selector”, as it is called), which is the name of the published DKIM record from the domain we see in the “d” tag. Using this information, the receiver’s mail server queries DNS to get the published DKIM record that contains the published RSA public key, and then that public key is used to decrypt the hash value in the header field. It is also used to recalculate the hash (the “bh” tag), and the two are then compared. If they match, the message is valid. If they do not match, the message will be considered spam and treated accordingly (sent to the spam folder, rejected from being delivered, etc.).

Also, note that when the receiver’s mail server looks up the DKIM key in our example it also uses the “q” tag to look for a DKIM key with a name that matches the “s” tag and is a TXT DNS type record as the “q” tag specifies, which is “dns/txt”.

Now that we have a primer, let’s take a look at how to validate a real internet domain’s DKIM record!

 

Validating Your Internet Domain’s Published DKIM Record

So now drop out to your favorite terminal or command prompt and let’s use our “nslookup” console command:

Now, set the query type to DNS TXT records and then query for your domain name. In my example, I am using my internet domain name, “chrisgruber.com”.

This will produce only my published SPF record, which we are not interested in for this example. However, if you next type a query that follows this format:

“<selector>._domainkey.<domain.com>”

You will retrieve your DKIM record. So for my example, I will type “default._domainkey.chrisgruber.com” because “default” is the DKIM key name specified in the “s” tag (“selector” tag) and “chrisgruber.com” was the value specified in the “d” tag.

Success! To validate the DKIM record we can now see is published, we can use any one of many online DKIM validators. One that I use is available for free at:

Here I can specify the name of my DKIM key and the domain name it is published by:

And this will provide me with the following quick report that shows I have a well constructed and publicly available DKIM key in my DNS zone:
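The lookup name and the basic record checks described above can also be done locally. This is an added example, not code from the original article: it parses a constructed DKIM-Signature header (only the d=, s= and q= values come from the article), builds the <selector>._domainkey.<domain> query name, and checks a constructed TXT record whose p= value is placeholder base64 rather than a real key. The class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class DkimCheck
{
    // Both the DKIM-Signature header and the DNS TXT record are "tag=value;" lists.
    // Whitespace inside values (header folding) is dropped; a repeated tag throws.
    public static Dictionary<string, string> ParseTags(string tagList) =>
        tagList.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
               .Select(part => part.Split(new[] { '=' }, 2))
               .Where(kv => kv.Length == 2)
               .ToDictionary(kv => kv[0].Trim(),
                             kv => string.Concat(kv[1].Where(c => !char.IsWhiteSpace(c))));

    // DNS name the receiver queries: <selector>._domainkey.<domain>
    public static string QueryName(IDictionary<string, string> sig)
    {
        if (!sig.TryGetValue("s", out var selector) || !sig.TryGetValue("d", out var domain))
            throw new FormatException("DKIM-Signature needs both s= and d= tags");
        if (sig.TryGetValue("q", out var q) && q != "dns/txt")
            throw new FormatException("unsupported q= value: " + q);
        return $"{selector}._domainkey.{domain}";
    }

    // Returns the problems found in a published record; an empty list means well-formed.
    public static List<string> RecordProblems(string txtRecord)
    {
        var rec = ParseTags(txtRecord);
        var problems = new List<string>();
        if (rec.TryGetValue("v", out var v) && v != "DKIM1") problems.Add("v= must be DKIM1");
        if (rec.TryGetValue("k", out var k) && k != "rsa") problems.Add("this check only handles k=rsa, got " + k);
        if (!rec.TryGetValue("p", out var p)) problems.Add("missing p= (public key)");
        else if (p.Length == 0) problems.Add("empty p= means the key is revoked");
        else
            try { Convert.FromBase64String(p); }
            catch (FormatException) { problems.Add("p= is not valid base64"); }
        return problems;
    }

    public static void Main()
    {
        // Constructed sample header; d=, s= and q= use the values from the article.
        var header = "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=chrisgruber.com; s=default; h=from:to:subject";
        // Constructed record; the p= value is placeholder base64, not a real key.
        var record = "v=DKIM1; k=rsa; p=Q09OU1RSVUNURURfS0VZ";

        Console.WriteLine(QueryName(ParseTags(header)));
        Console.WriteLine(string.Join("; ", RecordProblems(record).DefaultIfEmpty("record is well-formed")));
        Console.WriteLine(string.Join("; ", RecordProblems("v=DKIM1; k=rsa; p=")));
    }
}
```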

Another resource I like to use is made available by a message systems company called port25. I am not associated with this company and I am not promoting them beyond simply using a tool they make available to the public that gives you really good information about how your email authentication is configured. Again, I will focus in on only DKIM email authentication:

So, assuming you don’t mind sending your email address to port25’s Authentication Checker service, compose an email addressed to their service’s email address that I circled in red in the above screenshot. After a few minutes, port25’s service will send a reply to your email message that will have a very detailed report of your mail server’s email authentication support.

Here is a snippet from the very good report they sent to me for my domain, chrisgruber.com:

Further down in the report is a section that is specific to my DKIM configuration they analyzed:

Thank you to port25 for making this very useful tool available!

I hope this article was helpful for you and now you understand what DKIM is and how it works. Please share your experiences in my comments section!