Support loading .pem private keys as issued by Github (#26)

* Construct JwtTokenIssuer through a factory method

This makes it easier to use from unit tests, and also avoids
throwing exceptions from the constructor.

* Implement loading PKCS#1 PEM files as issued by Github

* Extract PEM key handling into a utility class

* Update README to use .pem private keys

Author: mbruggmann

README.md

@@ -8,7 +8,7 @@
 
 A small Java library for talking to Github/Github Enterprise and interacting with projects.
 
-It supports authentication via simple access tokens, JWT endpoints and Github Apps (via DER private key).
+It supports authentication via simple access tokens, JWT endpoints and Github Apps (via private key).
 
 It is also very light on GitHub, doing as few requests as necessary.
 
@@ -51,7 +51,7 @@ To authenticate as a Github App, you must provide a private key and the App ID,
 final GitHubClient github =
   GitHubClient.create(
     URI.create("https://github.com/api/v3/"),
-    new File("/path-to-the/private-key.der"),
+    new File("/path-to-the/private-key.pem"),
     APP_ID);
 ```
 
@@ -69,14 +69,6 @@ It is also possible to provide the installation to the root client.
 
 Refer to [Github App Authentication Guide](https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/) for more information.
 
-#### Making the private key readable for Java
-
-Java does not natively support the PEM private keys that GitHub provides, without a third-party library. To convert it to the DER, java-friendly format, run:
-
-```bash
-openssl pkcs8 -topk8 -inform PEM -outform DER -in <path-to-private-key.pem> -out <path-to-private_key.der> -nocrypt
-```
-
 ## Usage
 
 This library attempts to mirror the structure of GitHub API endpoints. As an example, to get details of a Commit, there is 

checkstyle.xml

@@ -178,8 +178,13 @@
         <module name="TodoComment"/>
         <module name="UpperEll"/>
 
+        <!-- Enable suppressing warnings using the @SuppressWarning annotation -->
+        <module name="SuppressWarningsHolder" />
     </module>
 
+    <!-- Enable suppressing warnings using the @SuppressWarning annotation -->
+    <module name="SuppressWarningsFilter" />
+
     <!-- Allow turning checks off in the code -->
     <!-- See http://checkstyle.sourceforge.net/config.html#SuppressionCommentFilter -->
     <!--  <module name="SuppressionCommentFilter"/>-->

src/main/java/com/spotify/github/v3/clients/GitHubClient.java

@@ -525,7 +525,7 @@ private String getAuthorizationHeader(final String path) {
     } else if (getPrivateKey().isPresent()) {
       final String jwtToken;
       try {
-        jwtToken = new JwtTokenIssuer(privateKey).getToken(appId);
+        jwtToken = JwtTokenIssuer.fromFile(privateKey).getToken(appId);
       } catch (Exception e) {
         throw new RuntimeException("There was an error generating JWT token", e);
       }

src/main/java/com/spotify/github/v3/clients/JwtTokenIssuer.java

@@ -28,6 +28,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Date;
 import org.apache.commons.io.FileUtils;
@@ -36,9 +37,13 @@
 public class JwtTokenIssuer {
 
   private static final SignatureAlgorithm SIGNATURE_ALGORITHM = SignatureAlgorithm.RS256;
+  private static final long TOKEN_TTL = 600000;
 
   private final PrivateKey signingKey;
-  private static final long TOKEN_TTL = 600000;
+
+  private JwtTokenIssuer(final PrivateKey signingKey) {
+    this.signingKey = signingKey;
+  }
 
   /**
    * Instantiates a new Jwt token issuer.
@@ -48,12 +53,28 @@ public class JwtTokenIssuer {
    * @throws InvalidKeySpecException the invalid key spec exception
    * @throws IOException the io exception
    */
-  public JwtTokenIssuer(final File privateKeyFile)
+  public static JwtTokenIssuer fromFile(final File privateKeyFile)
       throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
     byte[] apiKeySecretBytes = FileUtils.readFileToByteArray(privateKeyFile);
-    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(apiKeySecretBytes);
+    return fromPrivateKey(apiKeySecretBytes);
+  }
+
+  /**
+   * Instantiates a new Jwt token issuer.
+   *
+   * @param privateKey the private key to use
+   * @throws NoSuchAlgorithmException the no such algorithm exception
+   * @throws InvalidKeySpecException the invalid key spec exception
+   */
+  public static JwtTokenIssuer fromPrivateKey(final byte[] privateKey)
+      throws NoSuchAlgorithmException, InvalidKeySpecException {
+
+    KeySpec keySpec = PKCS1PEMKey.loadKeySpec(privateKey)
+        .orElseGet(() -> new PKCS8EncodedKeySpec(privateKey));
+
     KeyFactory kf = KeyFactory.getInstance("RSA");
-    signingKey = kf.generatePrivate(spec);
+    PrivateKey signingKey = kf.generatePrivate(keySpec);
+    return new JwtTokenIssuer(signingKey);
   }
 
   /**

src/main/java/com/spotify/github/v3/clients/PKCS1PEMKey.java

@@ -0,0 +1,82 @@
+/*-
+ * -\-\-
+ * github-api
+ * --
+ * Copyright (C) 2016 - 2020 Spotify AB
+ * --
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * -/-/-
+ */
+
+package com.spotify.github.v3.clients;
+
+import java.security.spec.KeySpec;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Loads PEM key files as issued by the Github apps page.
+ */
+final class PKCS1PEMKey {
+
+  private static final Pattern PKCS1_PEM_KEY_PATTERN =
+      Pattern.compile("(?m)(?s)^---*BEGIN RSA PRIVATE KEY.*---*$(.*)^---*END.*---*$.*");
+
+  private PKCS1PEMKey() {}
+
+  /**
+   * Try to interpret the supplied key as a PKCS#1 PEM file.
+   *
+   * @param privateKey the private key to use
+   */
+  public static Optional<KeySpec> loadKeySpec(final byte[] privateKey) {
+    final Matcher isPEM = PKCS1_PEM_KEY_PATTERN.matcher(new String(privateKey));
+    if (!isPEM.matches()) {
+      return Optional.empty();
+    }
+
+    byte[] pkcs1Key = Base64.getMimeDecoder().decode(isPEM.group(1));
+    byte[] pkcs8Key = toPkcs8(pkcs1Key);
+    final PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(pkcs8Key);
+    return Optional.of(keySpec);
+  }
+
+  /**
+   * Convert a PKCS#1 key to a PKCS#8 key.
+   *
+   * <p>The Github app key comes in PKCS#1 format, while the Java security utilities only natively
+   * understand PKCS#8. Fortunately, we can convert between the two by adding the PKCS#8 headers
+   * manually.
+   *
+   * <p>Adapted from code in https://github.com/Mastercard/client-encryption-java
+   */
+  @SuppressWarnings("checkstyle:magicnumber")
+  private static byte[] toPkcs8(final byte[] pkcs1Bytes) {
+    final int pkcs1Length = pkcs1Bytes.length;
+    final int totalLength = pkcs1Length + 22;
+    byte[] pkcs8Header = new byte[] {
+        0x30, (byte) 0x82, (byte) ((totalLength >> 8) & 0xff), (byte) (totalLength & 0xff), // Sequence + total length
+        0x2, 0x1, 0x0, // Integer (0)
+        0x30, 0xD, 0x6, 0x9, 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0xD, 0x1, 0x1, 0x1, 0x5, 0x0, // Sequence: 1.2.840.113549.1.1.1, NULL
+        0x4, (byte) 0x82, (byte) ((pkcs1Length >> 8) & 0xff), (byte) (pkcs1Length & 0xff) // Octet string + length
+    };
+
+    byte[] pkcs8bytes = new byte[pkcs8Header.length + pkcs1Bytes.length];
+    System.arraycopy(pkcs8Header, 0, pkcs8bytes, 0, pkcs8Header.length);
+    System.arraycopy(pkcs1Bytes, 0, pkcs8bytes, pkcs8Header.length, pkcs1Bytes.length);
+    return pkcs8bytes;
+  }
+}

src/test/java/com/spotify/github/v3/clients/JwtTokenIssuerTest.java

@@ -0,0 +1,58 @@
+/*-
+ * -\-\-
+ * github-api
+ * --
+ * Copyright (C) 2020 Spotify AB
+ * --
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * -/-/-
+ */
+
+package com.spotify.github.v3.clients;
+
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.CoreMatchers.nullValue;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+import com.google.common.io.Resources;
+import java.net.URL;
+import org.junit.Test;
+
+public class JwtTokenIssuerTest {
+
+  private static final URL DER_KEY_RESOURCE =
+      Resources.getResource("com/spotify/github/v3/github-private-key");
+
+  // generated using this command: "openssl genrsa -out fake-github-app-key.pem 2048"
+  private static final URL PEM_KEY_RESOURCE =
+      Resources.getResource("com/spotify/github/v3/fake-github-app-key.pem");
+
+  @Test
+  public void loadsDERFileWithPKCS8Key() throws Exception {
+    final byte[] key = Resources.toByteArray(DER_KEY_RESOURCE);
+    final JwtTokenIssuer tokenIssuer = JwtTokenIssuer.fromPrivateKey(key);
+
+    final String token = tokenIssuer.getToken(42);
+    assertThat(token, not(nullValue()));
+  }
+
+  @Test
+  public void loadsPEMFile() throws Exception {
+    final byte[] key = Resources.toByteArray(PEM_KEY_RESOURCE);
+    final JwtTokenIssuer tokenIssuer = JwtTokenIssuer.fromPrivateKey(key);
+
+    final String token = tokenIssuer.getToken(42);
+    assertThat(token, not(nullValue()));
+  }
+
+}

src/test/resources/com/spotify/github/v3/fake-github-app-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAoNgYPu88oscyUIZbyRNOxsYBH0qtLshUnUScoOYWVkvt/6Gn
+8Eh6orxZs+G3LhMSd4l108X2UyQGe7DAQk2qr7+wxY/ZrWI3M4AYt154qagj2Z68
+OVQohZIqPUxMPx2R2AsL3L2WDoeILniNqkntQFn8RZ6LH+34PvtQQ055vgA66uWL
+bWBgR+sg7RPbhbYLf5n5UluApd6uXqRPU10NCzWww7U71ubjahmJVT7vcyEFmOmF
+u1Bf2K6f+raXIVkOFDPzxTq07vGmnkJHvc1BGFAwBnpLdqq34ZdFfv9F+kJ0tCyH
+eKuAx6gctPkDbHxxTp/0DG8NnOo+coBz2m09FQIDAQABAoIBAFIQr548tjVfaR6I
+zv/y5/inQh9THLWH5RQw07GMc80oBJCvTF5evKOXcjVDbxEFDiELc6DPmnSlJuGp
+Nw8dTX9KUMkcMjYyrHOMYg/9FZeKgHAie2rMs7gi8YZBDY4OakFOsYi4+n0DTcpY
+G//MpE53Gy3yTI3H/yczVqpgueDksgMNlOJhl+AvXN005vC+/uL9mNoOaAwTjYC8
+DrzKixQ5/uj9Eu+P8ctMzDAETzIasiQkPo9XP27CAADkqVbJFmg0INP4LAa1+xWs
+MbqyydCi3SD/L2PaztrDQQa4Nd6W1N0NEenqKuImYIYNSXagNcTZCzpendnMr5f1
+3I262SkCgYEA0Org/OrrysauyEzBl8svfLfM3ax3/ZXOCnYdyWS8gWCnychrP8tu
+4TzpUdqffIV9bafPB8fkwvD6fHd0EuJNAb6ZPwWcpz2tJyhCab1h9iZOMOD5G2Yi
+ZqTBNbYWgmGbDZLBa56fEciVF9UtS3k+1KPnHc61piHJ4txNFulu/b8CgYEAxRe1
+XSjYrRJSbuqCZ3Q6pOAskE/q/6rfH+7Cw6nOONaRXo9mvayqe0TbJcmZEeS6c8yc
+utWQR28UqMP6bSEnqWjU/ZoUiYNgsE8BaxQuzoZrydyxrXn/3gyiJ+a6Nhe8zDxt
+24i93KxZgo0Y+I1ECjsbce/s8UUOT0VfiLS64isCgYEAlZ2AHuDGmGONTFjb069p
+hLHEf4RCMlMUSZ2pW09PSIBF6VYkqH0yHRAYL8yXpv+agetJctMO2yTk3jpV4Cg8
+6eDrspx8QbEDziUg2sUL4NIx8QNMoviT7lpTG/oZSKpJ9oCBEGd6l6vESlsaoxBj
+lLkEjO46XI2aHWOTubLXD9UCgYAJkog1eRlk9oHYbz1cJvH+NgEUFT2Vo0fo9iCx
+fhrM+ebfj9luludEy2hVYoAztUc0/pgSHvM99PAs7i/Igxa5DKVjl8stjprwlTW9
+bKKFV1P+3uAmS8mYkEaD55ndrLN3u+ueAPsvr5M9Wvr+f2XxlUNU+lEourDiOr1U
+F2sINwKBgEM+72eQ82UOGCz/5UGcVR9vKLn6y0jbEZ8f04O/54uSZSxJ+ddPkGj7
+cWAQItbRV+Cjo+LzFy+sUPk0XJQny5aC5Iy//Qn1chYpek4IUELtz7UOYitL/xXU
++ERPV2A7uNg9rKhmWKqz76wgp8SyucUdQERL2CeQEtoTT3gKXmWF
+-----END RSA PRIVATE KEY-----