Merge branch 'pkcs1.native.#2'

aaschmid · aaschmid · commit 28996917026e · 2020-02-08T16:52:47.000+01:00
* pkcs1.native.#2: document the new key probabilities in README.md use newly introduced PKCS1 and PKCS8 support for pem files (#2) add PKCS1 and PKCS8 support for pem files (#2)
diff --git a/README.md b/README.md
@@ -89,7 +89,6 @@ class Taskwarrior {
 Used `taskwarrior.properties` can be created by copying and adjusting
 [`src/main/resources/taskwarrior.properties.template`](https://github.com/aaschmid/taskwarrior-java-client/tree/master/src/main/resources/taskwarrior.properties.template).
 
-
 Testing
 -------
 
@@ -99,18 +98,29 @@ To run tests manually you will need to build and run taskwarrior server containe
 Keys formats
 ------------
 
-Unfortunately Java only has an encoded key spec for a private key in [PKCS#8](https://en.wikipedia.org/wiki/PKCS_8)
-format. However, [taskd](https://taskwarrior.org/docs/taskserver/setup.html) generates the private key in
-[PKCS#1](https://en.wikipedia.org/wiki/PKCS_1) format if you follow the
-[documentation](https://taskwarrior.org/docs/taskserver/user.html). The transformation command below also converts the
-key from [PEM](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) to
-[DER](https://en.wikipedia.org/wiki/X.690#DER_encoding) format which does not need any further transformation as
-handling of the base64 encoded PEM keys.
+| Key specification | [PEM]() format¹ | [DER]() format |
+| ----------------- |:---------------:|:--------------:|
+| [PKCS#1]()        | yes             |                |
+| [PKCS#8]()        | yes             | yes            |
+
+¹: The kind of format is currently detected by file extentions.
+
+Note: Keys can be transformed using `openssl`, e.g. from [PKCS#8]() in [PEM]() format to [PKCS#1]() in [DER]() format:
 
 ```sh
 openssl pkcs8 -topk8 -nocrypt -in $TASKD_GENERATED_KEY.key.pem -inform PEM -out $KEY_NAME.key.pkcs8.der -outform DER
 ```
 
+**Word of warning**: Current key parsing algorithm for [PKCS#1]() [PEM](() key uses
+`sun.security.util.DerInputStream` and `sun.security.util.DerValue` which are not part of the public interface, see
+https://www.oracle.com/java/technologies/faq-sun-packages.html for further explainations.
+
+[PKCS#1]: https://en.wikipedia.org/wiki/PKCS_1
+[PKCS#8]: https://en.wikipedia.org/wiki/PKCS_8
+[PEM]: https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
+[DER]: https://en.wikipedia.org/wiki/X.690#DER_encoding
+
+
 Release notes
 -------------
 
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -53,7 +53,7 @@ dependencies {
 tasks {
     withType<JavaCompile> {
         options.encoding = "UTF-8"
-        options.compilerArgs.addAll(listOf("-Xlint:all", "-Werror", "-Xlint:-processing"))
+        options.compilerArgs.addAll(listOf("-Xlint:all", "-Werror", "-Xlint:-processing", "-XDenableSunApiLintControl"))
     }
 
     withType<Jar> {
diff --git a/src/main/java/de/aaschmid/taskwarrior/client/KeyStoreBuilder.java b/src/main/java/de/aaschmid/taskwarrior/client/KeyStoreBuilder.java
@@ -4,6 +4,8 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.security.KeyFactory;
 import java.security.KeyStore;
@@ -19,9 +21,13 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.KeySpec;
 import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.RSAPrivateCrtKeySpec;
 import java.util.ArrayList;
+import java.util.Base64;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import static java.util.Objects.requireNonNull;
 
@@ -30,6 +36,9 @@ class KeyStoreBuilder {
     private static final String TYPE_CERTIFICATE = "X.509";
     private static final String ALGORITHM_PRIVATE_KEY = "RSA";
 
+    private static final Pattern PATTERN_PKCS1_PEM = Pattern.compile("-----BEGIN RSA PRIVATE KEY-----(.*)-----END RSA PRIVATE KEY-----");
+    private static final Pattern PATTERN_PKCS8_PEM = Pattern.compile("-----BEGIN PRIVATE KEY-----(.*)-----END PRIVATE KEY-----");
+
     private ProtectionParameter keyStoreProtection;
     private File caCertFile;
     private File privateKeyCertFile;
@@ -62,17 +71,6 @@ KeyStoreBuilder withPrivateKeyCertFile(File privateKeyCertFile) {
         return this;
     }
 
-    /**
-     * Provide the private key file to use. It must be in {@code *.DER} format. If you have a *.PME private key, you can create it using
-     * {@code openssl}.
-     * <p>
-     * The required command looks like following:<br>
-     * <code>$ openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER</code>
-     * </p>
-     *
-     * @param privateKeyFile private key file in {@code *.DER} format (must not be {@code null}
-     * @return the {@link KeyStore} builder itself
-     */
     KeyStoreBuilder withPrivateKeyFile(File privateKeyFile) {
         requireNonNull(privateKeyFile, "'privateKeyFile' must not be null.");
         if (!privateKeyFile.exists()) {
@@ -129,12 +127,56 @@ private List<Certificate> createCertificatesFor(File certFile) {
     private PrivateKey createPrivateKeyFor(File privateKeyFile) {
         try {
             byte[] bytes = Files.readAllBytes(privateKeyFile.toPath());
+            if (privateKeyFile.getName().endsWith("pem")) {
+                String content = new String(bytes, StandardCharsets.UTF_8).replaceAll("\\n", "");
+
+                Matcher pkcs1Matcher = PATTERN_PKCS1_PEM.matcher(content);
+                if (pkcs1Matcher.find()) {
+                    return createPrivateKeyFromPemPkcs1(pkcs1Matcher.group(1));
+                }
+
+                Matcher pkcs8Matcher = PATTERN_PKCS8_PEM.matcher(content);
+                if (pkcs8Matcher.find()) {
+                    return createPrivateKeyFromPemPkcs8(pkcs8Matcher.group(1));
+                }
+
+                throw new TaskwarriorKeyStoreException("Could not detect key algorithm for '%s'.", privateKeyFile);
+            }
             return createPrivateKeyFromPkcs8Der(bytes);
         } catch (IOException e) {
             throw new TaskwarriorKeyStoreException(e, "Could not read private key of '%s' via input stream.", privateKeyFile);
         }
     }
 
+    @SuppressWarnings("sunapi")
+    private PrivateKey createPrivateKeyFromPemPkcs1(String privateKeyContent) throws IOException {
+        try {
+            byte[] bytes = Base64.getDecoder().decode(privateKeyContent);
+
+            sun.security.util.DerInputStream derReader = new sun.security.util.DerInputStream(bytes);
+            sun.security.util.DerValue[] seq = derReader.getSequence(0);
+            // skip version seq[0];
+            BigInteger modulus = seq[1].getBigInteger();
+            BigInteger publicExp = seq[2].getBigInteger();
+            BigInteger privateExp = seq[3].getBigInteger();
+            BigInteger prime1 = seq[4].getBigInteger();
+            BigInteger prime2 = seq[5].getBigInteger();
+            BigInteger exp1 = seq[6].getBigInteger();
+            BigInteger exp2 = seq[7].getBigInteger();
+            BigInteger crtCoef = seq[8].getBigInteger();
+
+            RSAPrivateCrtKeySpec keySpec = new RSAPrivateCrtKeySpec(modulus, publicExp, privateExp, prime1, prime2, exp1, exp2, crtCoef);
+            return createPrivateKey(privateKeyFile, keySpec);
+        } catch (Error | Exception e) {
+            throw new TaskwarriorKeyStoreException("Could not use required but proprietary 'sun.security.util' package on this platform.", e);
+        }
+    }
+
+    private PrivateKey createPrivateKeyFromPemPkcs8(String privateKeyContent) {
+        byte[] bytes = Base64.getDecoder().decode(privateKeyContent);
+        return createPrivateKey(privateKeyFile, new PKCS8EncodedKeySpec(bytes));
+    }
+
     private PrivateKey createPrivateKeyFromPkcs8Der(byte[] privateKeyBytes) {
         return createPrivateKey(privateKeyFile, new PKCS8EncodedKeySpec(privateKeyBytes));
     }
diff --git a/src/test/java/de/aaschmid/taskwarrior/TaskwarriorClientIntegrationTest.java b/src/test/java/de/aaschmid/taskwarrior/TaskwarriorClientIntegrationTest.java
@@ -7,7 +7,6 @@
 import de.aaschmid.taskwarrior.message.TaskwarriorMessage;
 import de.aaschmid.taskwarrior.message.TaskwarriorRequestHeader;
 import de.aaschmid.taskwarrior.test.IntegrationTest;
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
@@ -24,8 +23,7 @@ class TaskwarriorClientIntegrationTest {
     private static final String SYNC_KEY = "f92d5c8d-4cf9-4cf5-b72f-1f4a70cf9b20";
 
     static Stream<Arguments> configs() {
-        return Stream.of("pkcs8-der")
-//        return Stream.of("pkcs1", "pkcs8", "pkcs8-der") // TODO use to test all key type to be supported
+        return Stream.of("pkcs1", "pkcs8", "pkcs8-der")
                 .map(keyType -> format("/taskwarrior.%s.properties", keyType))
                 .map(TaskwarriorClientIntegrationTest.class::getResource)
                 .map(TaskwarriorConfiguration::taskwarriorPropertiesConfiguration)

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ dependencies {`
`53`	`53`	`tasks {`
`54`	`54`	`withType<JavaCompile> {`
`55`	`55`	`options.encoding = "UTF-8"`
`56`		`- options.compilerArgs.addAll(listOf("-Xlint:all", "-Werror", "-Xlint:-processing"))`
	`56`	`+ options.compilerArgs.addAll(listOf("-Xlint:all", "-Werror", "-Xlint:-processing", "-XDenableSunApiLintControl"))`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`withType<Jar> {`