Bens IT-Comments Posts

Apache Shiro: implementing new password hashing algorithms

As an Apache Shiro PMC member, I occasionally come into contact with cryptographic functions. For example, Shiro 1.x allows hashed passwords in your shiro.ini configuration.

Now, everyone should know by now that just hashing (and salting) a password is not a good protection against brute force attacks. Even with hundreds or thousands of iterations, such a password can be prone to brute force attacks nowadays. Thus it is not a surprise that Les Hazlewood (the original creator of Apache Shiro) had the idea to add a bcrypt implementation.

Maven JLink Plugin Version 3.1.0 released

The Apache Maven team is pleased to announce the release of the Apache Maven JLink Plugin, version 3.1.0.

This plugin is used to create a JLink distribution using Maven. It is as easy as creating a jar file, but will instead create a zip file containing a reduced Java Runtime along with a launcher script, as well as the actual application of course. A JLink zip file is therefore platform dependent.

Use SnakeYAML in a modular jlink distribution

Whenever you pull in SnakeYAML (either directly or via Jackson), you will break your modular builds. The reason: SnakeYAML is a named automatic module. But then, automatic modules cannot be used in jlink images.

But this can be healed. You can rescue your builds using the moditect-maven-plugin. It is a little hard to use, as the documentation is very technical. It also has few examples, and the documentation does not explain when to use which goal, and how to proceed. So, if you want to see a simple example, read on! 🙂

Fixing old SHA1-infested OpenPGP keys

I recently created a new OpenPGP key for my Apache (ASF) account. Of course I wanted to sign it with my existing GnuPG key, which I have had since 2007. To my surprise, it failed with these error messages:

gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: signing failed: Invalid digest algorithm
gpg: signing failed: Invalid digest algorithm

It took me a few hours to figure out what’s wrong. Obviously something with SHA1, but GnuPG doesn’t tell you WHAT is wrong and HOW to fix it.