Thursday, June 07, 2007

Our Contribution to Advanced Rails Recipes

We submitted a few recipes, answering the call for sharing what is happing in the rails community, and a half a dozen of them were accepted as entries to the upcoming book. If you enjoyed reading the blog, you would soon have a chance to see some of it on paper.

Monday, June 04, 2007

Revolution Health Traffic Doubles in 4 Weeks

Hitwise has recently publish traffic statistics on our growth over the past month.

This Wednesday AOL Founder Steve Case spoke at D5 about his new venture, Revolution Health. Revolution Health is setting out to be far more than just a health information source on the web, but it is already succeeding on that front. For the week ending May 26, 2007, Revolution Health was ranked #11 in the Health & Medical - Information category, and traffic increased by 113% since the week ending April 28, 2007, when it was ranked #23.

Sunday, June 03, 2007

Ruby vs. JRuby - The path to consistent behavior + OpenSSL

In Ola Bini's recent post There can be only one, a tale about Ruby, IronRuby, MS and whatnot, he stresses the importance of documenting Ruby's API so that other implementations can match MRI's behavior. I have to strongly agree. We've recently been bitten by this, which I'll outline using OpenSSL as an example.

Ruby's OpenSSL library does not strictly enforce a ciphers's initialization vector (IV) size specification. It simply truncates to the appropriate size.

Ola's JRuby OpenSSL library (which is awesome btw!) leverages the Bouncy Castle's JCE implementation which strictly enforces IV specifications.

Below is a simple example that works fine on MRI, and fails on JRuby.

require 'openssl'
text = "abc123"
cipher = OpenSSL::Cipher::Cipher.new("des-ecb")

#The DES Cipher specifies a length of 8 bytes, the below IV exceeds that
key, iv = "1234567890", "1234567890"

cipher.encrypt
cipher.key, cipher.iv = key, iv
encrypted = cipher.update(text) << cipher.final

cipher.reset
cipher.decrypt

#I double the length of the cipher here, just to prove that MRI truncates it.
cipher.key, cipher.iv = key*2, iv*2
decrypted = cipher.update(encrypted) << cipher.final
puts "#{text} == #{decrypted}"



> jruby test_openssl_iv.rb
java.security.InvalidKeyException: DES key too long - should be 8 bytes
at org.bouncycastle.jce.provider.JCEBlockCipher.engineInit(Unknown Source)
at org.bouncycastle.jce.provider.JCEBlockCipher.engineInit(Unknown Source)
at javax.crypto.Cipher.init(DashoA12275)
at javax.crypto.Cipher.init(DashoA12275)
at org.jruby.ext.openssl.Cipher.doInitialize(Cipher.java:416)
at org.jruby.ext.openssl.Cipher.update(Cipher.java:432)

> ruby test_openssl_iv.rb 
Result is: abc123 == abc123



Yes, this is obviously an edge case, and one could argue that the Java implementation is more correct than MRI's, but the goal is any piece of code should run the same on either platform.

Charles Nutter (Headius) has started a RubySpec Wiki where I've noted this issue there.

I've submitted a bug against JRuby to track the issue, but arguably its not a JRuby bug. Its a difference between BouncyCastle and SSLeay's implementation. I'd be interested in some community feedback on how to correctly implement this. For now, we've worked around this by simply truncating if the RUBY_PLATFORM =~ /java/, which I know if horrible, but it allows me to move on.