[MRESOLVER-516] Align GPG generator (apache#448)

Align with latest changes. 

Also, trivial fix to align doco generator, now "java.lang." prefix is stripped off to align all the doco.

---

https://issues.apache.org/jira/browse/MRESOLVER-516

Author: cstamas

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/GnupgConfigurationKeys.java

@@ -64,6 +64,17 @@ private GnupgConfigurationKeys() {}
 
     public static final String DEFAULT_KEY_FILE_PATH = "maven-signing-key.key";
 
+    /**
+     * Whether GnuPG agent should be used.
+     *
+     * @configurationSource {@link RepositorySystemSession#getConfigProperties()}
+     * @configurationType {@link java.lang.Boolean}
+     * @configurationDefaultValue {@link #DEFAULT_USE_AGENT}
+     */
+    public static final String CONFIG_PROP_USE_AGENT = CONFIG_PROPS_PREFIX + "useAgent";
+
+    public static final boolean DEFAULT_USE_AGENT = true;
+
     /**
      * The GnuPG agent socket(s) to try. Comma separated list of socket paths. If relative, will be resolved from
      * user home directory.

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/GnupgSignatureArtifactGenerator.java

@@ -32,33 +32,45 @@
 import org.bouncycastle.bcpg.ArmoredOutputStream;
 import org.bouncycastle.bcpg.BCPGOutputStream;
 import org.bouncycastle.bcpg.HashAlgorithmTags;
-import org.bouncycastle.openpgp.*;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
 import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder;
 import org.eclipse.aether.artifact.Artifact;
 import org.eclipse.aether.spi.artifact.generator.ArtifactGenerator;
 import org.eclipse.aether.util.artifact.SubArtifact;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 final class GnupgSignatureArtifactGenerator implements ArtifactGenerator {
     private static final String ARTIFACT_EXTENSION = ".asc";
+    private final Logger logger = LoggerFactory.getLogger(getClass());
     private final ArrayList<Artifact> artifacts;
     private final Predicate<Artifact> signableArtifactPredicate;
     private final PGPSecretKey secretKey;
     private final PGPPrivateKey privateKey;
     private final PGPSignatureSubpacketVector hashSubPackets;
+    private final String keyInfo;
     private final ArrayList<Path> signatureTempFiles;
 
     GnupgSignatureArtifactGenerator(
             Collection<Artifact> artifacts,
             Predicate<Artifact> signableArtifactPredicate,
             PGPSecretKey secretKey,
             PGPPrivateKey privateKey,
-            PGPSignatureSubpacketVector hashSubPackets) {
+            PGPSignatureSubpacketVector hashSubPackets,
+            String keyInfo) {
         this.artifacts = new ArrayList<>(artifacts);
         this.signableArtifactPredicate = signableArtifactPredicate;
         this.secretKey = secretKey;
         this.privateKey = privateKey;
         this.hashSubPackets = hashSubPackets;
+        this.keyInfo = keyInfo;
         this.signatureTempFiles = new ArrayList<>();
+        logger.debug("Created generator using key {}", keyInfo);
     }
 
     @Override
@@ -73,6 +85,7 @@ public Collection<? extends Artifact> generate(Collection<? extends Artifact> ge
 
             // back out if PGP signatures found among artifacts
             if (artifacts.stream().anyMatch(a -> a.getExtension().endsWith(ARTIFACT_EXTENSION))) {
+                logger.debug("GPG signatures are present among artifacts, bailing out");
                 return Collections.emptyList();
             }
 
@@ -93,6 +106,7 @@ public Collection<? extends Artifact> generate(Collection<? extends Artifact> ge
                             signatureTempFile.toFile()));
                 }
             }
+            logger.debug("Signed {} artifacts with key {}", result.size(), keyInfo);
             return result;
         } catch (IOException e) {
             throw new UncheckedIOException(e);

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/GnupgSignatureArtifactGeneratorFactory.java

@@ -29,16 +29,23 @@
 import java.time.ZoneId;
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.List;
+import java.util.Iterator;
 import java.util.Map;
 import java.util.function.Predicate;
 
 import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
-import org.bouncycastle.openpgp.*;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
+import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
+import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
 import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
 import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
-import org.eclipse.aether.ConfigurationProperties;
+import org.bouncycastle.util.encoders.Hex;
 import org.eclipse.aether.RepositorySystemSession;
 import org.eclipse.aether.artifact.Artifact;
 import org.eclipse.aether.deployment.DeployRequest;
@@ -53,11 +60,6 @@
 public final class GnupgSignatureArtifactGeneratorFactory implements ArtifactGeneratorFactory {
 
     public interface Loader {
-        /**
-         * Returns {@code true} if this loader requires user interactivity.
-         */
-        boolean isInteractive();
-
         /**
          * Returns the key ring material, or {@code null}.
          */
@@ -75,7 +77,7 @@ default byte[] loadKeyFingerprint(RepositorySystemSession session) throws IOExce
         /**
          * Returns the key password, or {@code null}.
          */
-        default char[] loadPassword(RepositorySystemSession session, long keyId) throws IOException {
+        default char[] loadPassword(RepositorySystemSession session, byte[] fingerprint) throws IOException {
             return null;
         }
     }
@@ -121,14 +123,9 @@ public float getPriority() {
     private GnupgSignatureArtifactGenerator doCreateArtifactGenerator(
             RepositorySystemSession session, Collection<Artifact> artifacts, Predicate<Artifact> artifactPredicate)
             throws IOException {
-        boolean interactive = ConfigUtils.getBoolean(
-                session, ConfigurationProperties.DEFAULT_INTERACTIVE, ConfigurationProperties.INTERACTIVE);
-        List<Loader> loaders = this.loaders.values().stream()
-                .filter(l -> interactive || !l.isInteractive())
-                .toList();
 
         byte[] keyRingMaterial = null;
-        for (Loader loader : loaders) {
+        for (Loader loader : loaders.values()) {
             keyRingMaterial = loader.loadKeyRingMaterial(session);
             if (keyRingMaterial != null) {
                 break;
@@ -139,7 +136,7 @@ private GnupgSignatureArtifactGenerator doCreateArtifactGenerator(
         }
 
         byte[] fingerprint = null;
-        for (Loader loader : loaders) {
+        for (Loader loader : loaders.values()) {
             fingerprint = loader.loadKeyFingerprint(session);
             if (fingerprint != null) {
                 break;
@@ -186,8 +183,8 @@ private GnupgSignatureArtifactGenerator doCreateArtifactGenerator(
             char[] keyPassword = null;
             final boolean keyPassNeeded = secretKey.getKeyEncryptionAlgorithm() != SymmetricKeyAlgorithmTags.NULL;
             if (keyPassNeeded) {
-                for (Loader loader : loaders) {
-                    keyPassword = loader.loadPassword(session, secretKey.getKeyID());
+                for (Loader loader : loaders.values()) {
+                    keyPassword = loader.loadPassword(session, secretKey.getFingerprint());
                     if (keyPassword != null) {
                         break;
                     }
@@ -199,14 +196,25 @@ private GnupgSignatureArtifactGenerator doCreateArtifactGenerator(
 
             PGPPrivateKey privateKey = secretKey.extractPrivateKey(
                     new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider()).build(keyPassword));
+            if (keyPassword != null) {
+                Arrays.fill(keyPassword, ' ');
+            }
             PGPSignatureSubpacketGenerator subPacketGenerator = new PGPSignatureSubpacketGenerator();
             subPacketGenerator.setIssuerFingerprint(false, secretKey);
             PGPSignatureSubpacketVector hashSubPackets = subPacketGenerator.generate();
 
             return new GnupgSignatureArtifactGenerator(
-                    artifacts, artifactPredicate, secretKey, privateKey, hashSubPackets);
+                    artifacts, artifactPredicate, secretKey, privateKey, hashSubPackets, getKeyInfo(secretKey));
         } catch (PGPException | IOException e) {
             throw new IllegalStateException(e);
         }
     }
+
+    private static String getKeyInfo(PGPSecretKey secretKey) {
+        Iterator<String> userIds = secretKey.getPublicKey().getUserIDs();
+        if (userIds.hasNext()) {
+            return userIds.next();
+        }
+        return Hex.toHexString(secretKey.getPublicKey().getFingerprint());
+    }
 }

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/loaders/GpgAgentPasswordLoader.java

@@ -34,9 +34,11 @@
 import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Locale;
 import java.util.stream.Collectors;
 
 import org.bouncycastle.util.encoders.Hex;
+import org.eclipse.aether.ConfigurationProperties;
 import org.eclipse.aether.RepositorySystemSession;
 import org.eclipse.aether.generator.gnupg.GnupgSignatureArtifactGeneratorFactory;
 import org.eclipse.aether.util.ConfigUtils;
@@ -45,7 +47,9 @@
 import org.slf4j.LoggerFactory;
 
 import static org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys.CONFIG_PROP_AGENT_SOCKET_LOCATIONS;
+import static org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys.CONFIG_PROP_USE_AGENT;
 import static org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys.DEFAULT_AGENT_SOCKET_LOCATIONS;
+import static org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys.DEFAULT_USE_AGENT;
 
 /**
  * Password loader that uses GnuPG Agent. Is interactive.
@@ -59,21 +63,26 @@ public final class GpgAgentPasswordLoader implements GnupgSignatureArtifactGener
     private final Logger logger = LoggerFactory.getLogger(getClass());
 
     @Override
-    public boolean isInteractive() {
-        return true;
-    }
-
-    @Override
-    public char[] loadPassword(RepositorySystemSession session, long keyId) throws IOException {
+    public char[] loadPassword(RepositorySystemSession session, byte[] fingerprint) throws IOException {
+        if (!ConfigUtils.getBoolean(session, DEFAULT_USE_AGENT, CONFIG_PROP_USE_AGENT)) {
+            return null;
+        }
         String socketLocationsStr =
                 ConfigUtils.getString(session, DEFAULT_AGENT_SOCKET_LOCATIONS, CONFIG_PROP_AGENT_SOCKET_LOCATIONS);
+        boolean interactive = ConfigUtils.getBoolean(
+                session, ConfigurationProperties.DEFAULT_INTERACTIVE, ConfigurationProperties.INTERACTIVE);
         List<String> socketLocations = Arrays.stream(socketLocationsStr.split(","))
                 .filter(s -> s != null && !s.isEmpty())
                 .collect(Collectors.toList());
         for (String socketLocation : socketLocations) {
             try {
-                return load(keyId, Paths.get(System.getProperty("user.home"), socketLocation))
-                        .toCharArray();
+                Path socketLocationPath = Paths.get(socketLocation);
+                if (!socketLocationPath.isAbsolute()) {
+                    socketLocationPath = Paths.get(System.getProperty("user.home"))
+                            .resolve(socketLocationPath)
+                            .toAbsolutePath();
+                }
+                return load(fingerprint, socketLocationPath, interactive);
             } catch (SocketException e) {
                 // try next location
                 logger.debug("Problem communicating with agent on socket: {}", socketLocation, e);
@@ -83,7 +92,7 @@ public char[] loadPassword(RepositorySystemSession session, long keyId) throws I
         return null;
     }
 
-    private String load(long keyId, Path socketPath) throws IOException {
+    private char[] load(byte[] fingerprint, Path socketPath, boolean interactive) throws IOException {
         try (SocketChannel sock = SocketChannel.open(StandardProtocolFamily.UNIX)) {
             sock.connect(UnixDomainSocketAddress.of(socketPath));
             try (BufferedReader in = new BufferedReader(new InputStreamReader(Channels.newInputStream(sock)));
@@ -102,23 +111,41 @@ private String load(long keyId, Path socketPath) throws IOException {
                     os.flush();
                     expectOK(in);
                 }
-                String hexKeyId = Long.toHexString(keyId & 0xFFFFFFFFL);
+                String hexKeyFingerprint = Hex.toHexString(fingerprint);
+                String displayFingerprint = hexKeyFingerprint.toUpperCase(Locale.ROOT);
                 // https://unix.stackexchange.com/questions/71135/how-can-i-find-out-what-keys-gpg-agent-has-cached-like-how-ssh-add-l-shows-yo
-                String instruction = "GET_PASSPHRASE " + hexKeyId + " " + "Passphrase+incorrect"
-                        + " GnuPG+Key+Passphrase Enter+passphrase+for+encrypted+GnuPG+key+" + hexKeyId
+                String instruction = "GET_PASSPHRASE "
+                        + (!interactive ? "--no-ask " : "")
+                        + hexKeyFingerprint
+                        + " "
+                        + "X "
+                        + "GnuPG+Passphrase "
+                        + "Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key+with+fingerprint:+"
+                        + displayFingerprint
                         + "+to+use+it+for+signing+Maven+Artifacts\n";
                 os.write((instruction).getBytes());
                 os.flush();
-                return new String(Hex.decode(expectOK(in).trim()));
+                return mayExpectOK(in);
             }
         }
     }
 
-    private String expectOK(BufferedReader in) throws IOException {
+    private void expectOK(BufferedReader in) throws IOException {
         String response = in.readLine();
         if (!response.startsWith("OK")) {
             throw new IOException("Expected OK but got this instead: " + response);
         }
-        return response.substring(Math.min(response.length(), 3));
+    }
+
+    private char[] mayExpectOK(BufferedReader in) throws IOException {
+        String response = in.readLine();
+        if (response.startsWith("ERR")) {
+            return null;
+        } else if (!response.startsWith("OK")) {
+            throw new IOException("Expected OK/ERR but got this instead: " + response);
+        }
+        return new String(Hex.decode(
+                        response.substring(Math.min(response.length(), 3)).trim()))
+                .toCharArray();
     }
 }

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/loaders/GpgConfLoader.java

@@ -50,14 +50,14 @@ public final class GpgConfLoader implements GnupgSignatureArtifactGeneratorFacto
     private final Logger logger = LoggerFactory.getLogger(getClass());
 
     /**
-     * Maximum key size, see <a href="https://wiki.gnupg.org/LargeKeys">Large Keys</a>.
+     * Maximum file size allowed to load (as we load it into heap).
+     * <p>
+     * This barrier exists to prevent us to load big/huge files, if this code is pointed at one
+     * (by mistake or by malicious intent).
+     *
+     * @see <a href="https://wiki.gnupg.org/LargeKeys">Large Keys</a>
      */
-    private static final long MAX_SIZE = 5 * 1024 + 1L;
-
-    @Override
-    public boolean isInteractive() {
-        return false;
-    }
+    private static final long MAX_SIZE = 64 * 1000 + 1L;
 
     @Override
     public byte[] loadKeyRingMaterial(RepositorySystemSession session) throws IOException {
@@ -66,13 +66,14 @@ public byte[] loadKeyRingMaterial(RepositorySystemSession session) throws IOExce
                 GnupgConfigurationKeys.DEFAULT_KEY_FILE_PATH,
                 GnupgConfigurationKeys.CONFIG_PROP_KEY_FILE_PATH));
         if (!keyPath.isAbsolute()) {
-            keyPath = session.getLocalRepository().getBasePath().resolve(keyPath);
+            keyPath =
+                    Paths.get(System.getProperty("user.home")).resolve(keyPath).toAbsolutePath();
         }
         if (Files.isRegularFile(keyPath)) {
             if (Files.size(keyPath) < MAX_SIZE) {
                 return Files.readAllBytes(keyPath);
             } else {
-                logger.warn("Refusing to load key {}; is larger than 5KB", keyPath);
+                logger.warn("Refusing to load file {}; is larger than 64 kB", keyPath);
             }
         }
         return null;

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/loaders/GpgEnvLoader.java

@@ -41,11 +41,6 @@
 public final class GpgEnvLoader implements GnupgSignatureArtifactGeneratorFactory.Loader {
     public static final String NAME = "env";
 
-    @Override
-    public boolean isInteractive() {
-        return false;
-    }
-
     @Override
     public byte[] loadKeyRingMaterial(RepositorySystemSession session) {
         String keyMaterial = ConfigUtils.getString(session, null, "env." + RESOLVER_GPG_KEY);
@@ -70,7 +65,7 @@ public byte[] loadKeyFingerprint(RepositorySystemSession session) {
     }
 
     @Override
-    public char[] loadPassword(RepositorySystemSession session, long keyId) {
+    public char[] loadPassword(RepositorySystemSession session, byte[] fingerprint) {
         String keyPassword = ConfigUtils.getString(session, null, "env." + RESOLVER_GPG_KEY_PASS);
         if (keyPassword != null) {
             return keyPassword.toCharArray();

maven-resolver-tools/src/main/java/org/eclipse/aether/tools/CollectConfiguration.java

@@ -205,8 +205,14 @@ private static boolean hasConfigurationSource(JavaDocCapable<?> javaDocCapable)
     private static String getConfigurationType(JavaDocCapable<?> javaDocCapable) {
         String type = getTag(javaDocCapable, "@configurationType");
         if (type != null) {
-            if (type.startsWith("{@link ") && type.endsWith("}")) {
-                type = type.substring(7, type.length() - 1);
+            String linkPrefix = "{@link ";
+            String linkSuffix = "}";
+            if (type.startsWith(linkPrefix) && type.endsWith(linkSuffix)) {
+                type = type.substring(linkPrefix.length(), type.length() - linkSuffix.length());
+            }
+            String javaLangPackage = "java.lang.";
+            if (type.startsWith(javaLangPackage)) {
+                type = type.substring(javaLangPackage.length());
             }
         }
         return nvl(type, "n/a");