[MGPG-117] Improve passphrase handling

src/main/java/org/apache/maven/plugins/gpg/BcSigner.java

@@ -129,7 +129,7 @@ public final class GpgConfLoader implements Loader {
          *
          * @see <a href="https://wiki.gnupg.org/LargeKeys">Large Keys</a>
          */
-        private static final long MAX_SIZE = 64 * 1024 + 1L;
+        private static final long MAX_SIZE = 64 * 1000 + 1L;
 
         @Override
         public byte[] loadKeyRingMaterial(RepositorySystemSession session) throws IOException {
@@ -143,7 +143,7 @@ public byte[] loadKeyRingMaterial(RepositorySystemSession session) throws IOExce
                 if (Files.size(keyPath) < MAX_SIZE) {
                     return Files.readAllBytes(keyPath);
                 } else {
-                    throw new IOException("Refusing to load file " + keyPath + "; is larger than 64KB");
+                    throw new IOException("Refusing to load file " + keyPath + "; is larger than 64 kB");
                 }
             }
             return null;
@@ -180,18 +180,15 @@ public char[] loadPassword(RepositorySystemSession session, byte[] fingerprint)
                                 .resolve(socketLocationPath)
                                 .toAbsolutePath();
                     }
-                    String pw = load(fingerprint, socketLocationPath);
-                    if (pw != null) {
-                        return pw.toCharArray();
-                    }
+                    return load(fingerprint, socketLocationPath);
                 } catch (SocketException e) {
                     // try next location
                 }
             }
             return null;
         }
 
-        private String load(byte[] fingerprint, Path socketPath) throws IOException {
+        private char[] load(byte[] fingerprint, Path socketPath) throws IOException {
             try (AFUNIXSocket sock = AFUNIXSocket.newInstance()) {
                 sock.connect(AFUNIXSocketAddress.of(socketPath));
                 try (BufferedReader in = new BufferedReader(new InputStreamReader(sock.getInputStream()));
@@ -224,11 +221,7 @@ private String load(byte[] fingerprint, Path socketPath) throws IOException {
                             + "+to+use+it+for+signing+Maven+Artifacts\n";
                     os.write((instruction).getBytes());
                     os.flush();
-                    String pw = mayExpectOK(in);
-                    if (pw != null) {
-                        return new String(Hex.decode(pw.trim()));
-                    }
-                    return null;
+                    return mayExpectOK(in);
                 }
             }
         }
@@ -240,14 +233,16 @@ private void expectOK(BufferedReader in) throws IOException {
             }
         }
 
-        private String mayExpectOK(BufferedReader in) throws IOException {
+        private char[] mayExpectOK(BufferedReader in) throws IOException {
             String response = in.readLine();
             if (response.startsWith("ERR")) {
                 return null;
             } else if (!response.startsWith("OK")) {
                 throw new IOException("Expected OK/ERR but got this instead: " + response);
             }
-            return response.substring(Math.min(response.length(), 3));
+            return new String(Hex.decode(
+                            response.substring(Math.min(response.length(), 3)).trim()))
+                    .toCharArray();
         }
     }
 
@@ -359,6 +354,9 @@ public void prepare() throws MojoFailureException {
             this.secretKey = secretKey;
             this.privateKey = secretKey.extractPrivateKey(
                     new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider()).build(keyPassword));
+            if (keyPassword != null) {
+                Arrays.fill(keyPassword, ' ');
+            }
             PGPSignatureSubpacketGenerator subPacketGenerator = new PGPSignatureSubpacketGenerator();
             subPacketGenerator.setIssuerFingerprint(false, secretKey);
             this.hashSubPackets = subPacketGenerator.generate();