Typical example of why dynamic languages suck

A while back I ranted against using dynamic languages like Ruby, Python etc. Recently, I’ve been using Python as a way to test Resteasy’s SMIME integration. It was an extremely frustrating experience that would have been much better if Python was statically typed. Why? Well, take a look at this documentation for doing SMIME with Python and M2Crypto. The problem was that the examples are interacting with Python’s mail API. I needed to be able to send SMIME over HTTP. So, I needed to understand the M2Crypto API a little bit better. If you look at the example code, you have no idea which additional methods are available, and more frustratingly, what types of objects these methods return. The auto-generated javadoc-like docs for M2Crypto were even less helpful. What I had to end up doing was diving into the M2Crypto codebase to figure out exactly what was going on.

Moral of the story? Programming in dynamic languages can be a lot of fun. But when you run into APIs you’re not familiar with, you’re pretty much at the mercy of the documentor. If the documentation sucks, you’re pretty much up shit creek and forced to dive into the code to understand what is going on.

Is anybody doing HTTP message signing and encryption?

Over the past 6 months, off and on, I’ve been researching and prototyping various security-related features for Resteasy. One thing I’ve wondered is, is anybody really doing anything with HTTP message signing and encryption? Email seems pretty well rounded in this area with specifications like DOSETA/DKIM and SMIME. You could theoretically apply these specifications to HTTP, and I have, but I could find no examples of people doing so on the Web. Maybe it’s just that my Google searching skillz are poor.

Another thing I’ve noticed is that the crypto libraries (Bouncycastle and Python’s M2Crypto) pretty much center around email as the protocol, and you have to dive into the codebase a bit to figure out ways to transmit things over HTTP. Bouncycastle relies on the javax.mail multipart implementation, which is a bit limited and not very lenient on parsing (it didn’t like Python’s SMIME output).

Anyways, I hope to do a Resteasy 2.3 beta soon with SMIME support. With it I’ll have examples of Python clients posting to Resteasy services transmitting SMIME-formatted requests. I’ll post a few blogs on the subject so you can see how to transmit SMIME between M2Crypto and Bouncycastle (Python and Java).

In the meantime, does anybody have any experience in this area?

Resteasy 2.2.2 Released

This is just a maintenance release to fix a few minor and critical bugs found by the community.  You can download 2.2.2 here.  Release notes are here.

Hopefully we can now focus on getting a 2.3 beta out the door.  Currently I’m working on S/MIME integration as well as a decentralized auth protocol discussed in previous blogs.