[FEATURE REQUEST] Support keys in PKCS1 PEM format

[ngortheone]

Hey @aaschmid

I have my key formatted in PKCS1 PEM format and it works perfectly fine with taskwarrior client and server .In fact the key was generated by taskd scripts that way, I never bothered to check what kind of key I had until I tried using it with this client. Hence the following feature request:

What

minimal

Support private key formatted in PKCS1 PEM

desired

Automatically detect key file format and use any valid format

Rationale

The rationale of this feature request is that it would be nice from user friendliness to support keys that are generated when user follows taskserver docs so that user does not have to manually convert they key

stacktrace I try to use my key with this library

Exception in thread "main" de.aaschmid.taskwarrior.ssl.TaskwarriorKeyStoreException: Could not generate private key for '/Users/ihorantonov/.task/client.key.pem': java.security.InvalidKeyException: invalid key format
	at de.aaschmid.taskwarrior.ssl.KeyStoreBuilder.createPrivateKeyFor(KeyStoreBuilder.java:143)
	at de.aaschmid.taskwarrior.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:100)
	at de.aaschmid.taskwarrior.TaskwarriorClient.<init>(TaskwarriorClient.java:46)
	at de.aaschmid.taskwarrior.TaskwarriorClientTest.main(TaskwarriorClientTest.java:24)
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format

	at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
	at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
	at de.aaschmid.taskwarrior.ssl.KeyStoreBuilder.createPrivateKeyFor(KeyStoreBuilder.java:138)
	... 3 more
Caused by: java.security.InvalidKeyException: invalid key format
Caused by: java.security.InvalidKeyException: invalid key format

	at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:331)
	at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356)
	at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91)
	at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
	at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
	at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
	... 5 more

Execution failed for task ':TaskwarriorClientTest.main()'.

I have to convert my key with

# convert PKCS1 to PKCS8
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in client.key.pem -out  client.pkcs8.key.pem   

# convert PEM to DER  
openssl pkcs8 -topk8 -nocrypt -in client.pkcs8.key.pem -inform PEM -out client.pkcs8.key.der -outform DER

It is likely that above is also doable in a single invocation, but this is how I got it to work.

---

more about key formats:
https://stackoverflow.com/a/48960291/3177479

[aaschmid]

This is a very good and useful one, thanks @ngortheone.
IIRC I really tried quite a long to get it working this way but hadn't managed to. Therefore, I haven't implemented yet. I think Java at least 8 and below does not support this out of the box. There are some third party libraries providing this feature, though.

Maybe also the Java environment improved which I need to check. Maybe you also wanna try yourself ;-)

[ngortheone]

I will probably start by adding some information to readme. (expect a PR)

Maybe you also wanna try yourself ;-)

I can definitely try. My experience in this area is a bit low, so at least some hand-holding in form of design discussion and/or what issues you had before would definitely help.

Additionally, I want this to be compatible with Android (starting API 22) so that is additional challenge for me.

Separately, the whole user experience on mobile with adding a bunch of certificate files is far from smooth. Only advanced users can do that now and I wonder is there a way to simplify/improve initial setup process. Any thoughts/ideas on this regard?

[aaschmid]

I will probably start by adding some information to readme. (expect a PR)

sounds great.

I can definitely try. My experience in this area is a bit low, so at least some hand-holding in form of design discussion and/or what issues you had before would definitely help.

Of course, I will help as much as I can.

Additionally, I want this to be compatible with Android (starting API 22) so that is additional challenge for me.

Android 5.1 sounds a bit old for me ;-) but here is an already working Java7 version which still might be required for API 22: https://github.com/aaschmid/taskwarrior-java-client/tree/java7

Separately, the whole user experience on mobile with adding a bunch of certificate files is far from smooth. Only advanced users can do that now and I wonder is there a way to simplify/improve initial setup process. Any thoughts/ideas on this regard?

Good point, I actually integrated over these three certificates while working on "tasks" App mentioned above. This was a good enough starting point because you will need the certificates eventually. At least I currently have no better solution but besides reading https://taskwarrior.org/docs/taskserver/taskwarrior.html I haven't looked deeply into the taskwarrior encryption process.
So the only solution - I can currently think of - is transferring the certificates more smoothly to the android device...

[bgregos]

Hello! I really appreciate you open-sourcing this library. I ended up building an app around this (bgregos/foreground) and ran into the same issue when trying to sync with inthe.am. I just opened up a pull request #6 that adds support for this. The main drawback is that it pulls in BouncyCastle as a dependency.

[aaschmid]

I will have a look during the next days or would it be more urgent?

I think there is a lot to do with the project as it is a bit old already. And there are some things missing like tests, making it available in Maven Central etc.

[bgregos]

No, it's not urgent at all. I've been using the library with this tweak for a while, I just thought I'd open a PR in case anyone else wanted/needed it.

[aaschmid]

Finally I managed to bring the library up-to-date again. Now I am starting to deal with PKCS1 keys.