Skip to content

Commit

Permalink
[MGPG-117] Improve passphrase handling (#86)
Browse files Browse the repository at this point in the history
Make sure is gone from heap once not needed. Other smaller improvements as well.

---

https://issues.apache.org/jira/browse/MGPG-117
  • Loading branch information
cstamas authored Mar 29, 2024
1 parent 0adc6b8 commit 582df74
Showing 1 changed file with 12 additions and 14 deletions.
26 changes: 12 additions & 14 deletions src/main/java/org/apache/maven/plugins/gpg/BcSigner.java
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,7 @@ public final class GpgConfLoader implements Loader {
*
* @see <a href="https://wiki.gnupg.org/LargeKeys">Large Keys</a>
*/
private static final long MAX_SIZE = 64 * 1024 + 1L;
private static final long MAX_SIZE = 64 * 1000 + 1L;

@Override
public byte[] loadKeyRingMaterial(RepositorySystemSession session) throws IOException {
Expand All @@ -143,7 +143,7 @@ public byte[] loadKeyRingMaterial(RepositorySystemSession session) throws IOExce
if (Files.size(keyPath) < MAX_SIZE) {
return Files.readAllBytes(keyPath);
} else {
throw new IOException("Refusing to load file " + keyPath + "; is larger than 64KB");
throw new IOException("Refusing to load file " + keyPath + "; is larger than 64 kB");
}
}
return null;
Expand Down Expand Up @@ -180,18 +180,15 @@ public char[] loadPassword(RepositorySystemSession session, byte[] fingerprint)
.resolve(socketLocationPath)
.toAbsolutePath();
}
String pw = load(fingerprint, socketLocationPath);
if (pw != null) {
return pw.toCharArray();
}
return load(fingerprint, socketLocationPath);
} catch (SocketException e) {
// try next location
}
}
return null;
}

private String load(byte[] fingerprint, Path socketPath) throws IOException {
private char[] load(byte[] fingerprint, Path socketPath) throws IOException {
try (AFUNIXSocket sock = AFUNIXSocket.newInstance()) {
sock.connect(AFUNIXSocketAddress.of(socketPath));
try (BufferedReader in = new BufferedReader(new InputStreamReader(sock.getInputStream()));
Expand Down Expand Up @@ -224,11 +221,7 @@ private String load(byte[] fingerprint, Path socketPath) throws IOException {
+ "+to+use+it+for+signing+Maven+Artifacts\n";
os.write((instruction).getBytes());
os.flush();
String pw = mayExpectOK(in);
if (pw != null) {
return new String(Hex.decode(pw.trim()));
}
return null;
return mayExpectOK(in);
}
}
}
Expand All @@ -240,14 +233,16 @@ private void expectOK(BufferedReader in) throws IOException {
}
}

private String mayExpectOK(BufferedReader in) throws IOException {
private char[] mayExpectOK(BufferedReader in) throws IOException {
String response = in.readLine();
if (response.startsWith("ERR")) {
return null;
} else if (!response.startsWith("OK")) {
throw new IOException("Expected OK/ERR but got this instead: " + response);
}
return response.substring(Math.min(response.length(), 3));
return new String(Hex.decode(
response.substring(Math.min(response.length(), 3)).trim()))
.toCharArray();
}
}

Expand Down Expand Up @@ -359,6 +354,9 @@ public void prepare() throws MojoFailureException {
this.secretKey = secretKey;
this.privateKey = secretKey.extractPrivateKey(
new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider()).build(keyPassword));
if (keyPassword != null) {
Arrays.fill(keyPassword, ' ');
}
PGPSignatureSubpacketGenerator subPacketGenerator = new PGPSignatureSubpacketGenerator();
subPacketGenerator.setIssuerFingerprint(false, secretKey);
this.hashSubPackets = subPacketGenerator.generate();
Expand Down

0 comments on commit 582df74

Please sign in to comment.