bradyt / taskw-dart

Taskwarrior-inspired mobile todo app

FormatException on certs #11

Closed mekanix closed 3 years ago

mekanix commented 3 years ago

I have the server and CLI app working together, so I know my cert is valid, but for some reason I get an exception. For example, I generated a cert for user "nobody" and nobody.cert.pem is:


What am I doing wrong?

bradyt commented 3 years ago

What are you seeing that tells you the format exception is for the cert?

Can you provide more of the info during the FormatException? More of the trace may be visible if you try the sync button on the task list view, versus the statistics button in the configure screen. (That discrepancy is probably just a buggy inconsistency in my implementation.)

When the code throws an exception, and the exception is displayed to the user, I believe I made that text so that you could select it and copy it. Maybe I should put a copy button in the top right of the text rectangle, with text flowing around it.

bradyt commented 3 years ago

I also don't know ~if this is Android or iOS, or~ what version of the app. The app version might appear ~in the App Store in iOS, or~ by long pressing an app in Android.

I don't know if I need that information, but right now I think I have too little information to understand, let alone to reproduce. I just tested to make sure the new fingerprint feature wasn't an issue, with its first and second implementation.

v0.0.13 was the first implementation of displaying the fingerprint of certs, but I checked that with your cert and I didn't see an exception.

bradyt commented 3 years ago

Oh, are you seeing in the UI, something like the following?

taskd.cert = nobody.cert.pem
FormatException

Maybe the fingerprint display failed somehow. That wouldn't necessarily stop you from using the cert.

mekanix commented 3 years ago

Ah, yes, I did provide scarce info. It is an Android mobile device with Android version 8.0.0. Taskw-dart version is 0.0.13 from F-Droid. On the server is FreeBSD 13 with TaskWarrior version 2.5.3. Can I somehow provide more info?

Please ignore "wrong" port in the screenshots, I had to move it to 5358 on the server for reasons unrelated to this issue.

[Screenshots: Screenshot_20210912-215603, Screenshot_20210912-215645]

bradyt commented 3 years ago

I just tried the Play Store version of the app, and while I see FormatException before I add nobody.cert.pem, after I select the file, it shows SHA-1: 9B242AFFD26537C760BD93902255F41BA618321B.

The next version, Version 0.1.1 (12), should be on F-Droid in a few days. It won't display FormatException when there is no file selected. It is showing in the current build status at https://monitor.f-droid.org/builds/running, so it might be available on their store in a day or two.

As for the error code 430, that suggests to me that your PEM files are actually working. But in order to improve the organization of issue threads, I have opened issue #12 for the 430 error response code. I think this potentially will be a very common issue for users. I would like to reply to this aspect of your issue there.

bradyt commented 3 years ago

I don't have a way to be notified when the app is on F-Droid. I am closing now, as I assume this is fixed. Let me know if you still see the FormatException on Version 0.1.1 (12).

mekanix commented 3 years ago

CA and cert show SHA-1, but key does not. I still get the same error on sync, of course. I even tried to strip the .key.pem file of all except the data between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY with no results. The version I have now is 0.1.2. So definitely progress!

[Screenshot: Screenshot_20210922-151238]

bradyt commented 3 years ago

Hello @mekanix.

Regarding the private key fingerprint, here's a hint in the changelog, https://github.com/bradyt/taskw-dart/blob/main/task/CHANGELOG.md#010.

- Do not show misleading/invented fingerprint for private key

Regarding the 430 Access denied error, I had already replied above. If you have the 430 error, I think you have the PEM files set up correctly. I don't believe you should edit your PEM files in an effort to fix the 430 error. If I understand correctly, the PEM files are providing you access to a taskd process at the address and port you indicated. Please consider going to the new issue I created, to address the 430 error, considering your credentials, credentials key, org, etc.

bradyt commented 2 years ago

In version 0.2.0, I've changed the UI a bit so that it's more clear before any files are even added, that taskd.key won't have a SHA1 fingerprint. So now all the certificate fields will show SHA1: null before a file is added.

Computing a SHA1 for a private key may be a difficult, low-priority issue. If anyone prefers to have an issue to track on that, you're welcome to file such.

In the release after 0.2.0, I expect to add a special case for that 430; Access denied message so the app will propose there may be an issue with taskd.credentials value.

The order of possible errors is basically as follows:

  1. taskd.server
  2. taskd.ca (this is optional, but we're basically checking $TASKDDATA/server.cert.pem)
  3. taskd.certificate and taskd.key
  4. taskd.credentials

If you see an issue with one of the later values, it suggests the earlier values are configured correctly.

In other words, the above is a way to summarize that your 430; Access denied was about taskd.credentials, and therefore your PEM files were likely configured correctly.
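
The fingerprint behaviour discussed in this thread, as an added Python example that is not taskw-dart's own code: by the usual convention a certificate's SHA-1 fingerprint is the hash of its DER bytes, and the function returns None instead of raising when no file is selected, when the PEM holds a private key, or when the base64 is damaged. The function name, the helper and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL
)


def cert_sha1_fingerprint(pem_text):
    """Return the SHA-1 fingerprint of the first CERTIFICATE block, or None.

    None covers the cases the thread describes: no file selected yet, or a
    PEM that holds a private key rather than a certificate.
    """
    if not pem_text:
        return None
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            continue  # e.g. RSA PRIVATE KEY: nothing public to fingerprint
        try:
            # validate=True rejects stray characters instead of skipping them
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return None  # damaged base64: report "no fingerprint", do not throw
        return hashlib.sha1(der).hexdigest().upper()
    return None


def make_pem(label, der):
    """Wrap raw bytes in PEM armor (helper for the constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


# Constructed sample bytes, not a real certificate or key.
SAMPLE_DER = bytes(range(200))
SAMPLE_CERT_PEM = make_pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_KEY_PEM = make_pem("RSA PRIVATE KEY", b"constructed-key-bytes")

if __name__ == "__main__":
    for name, text in [("taskd.certificate", SAMPLE_CERT_PEM),
                       ("taskd.key", SAMPLE_KEY_PEM),
                       ("taskd.ca (no file)", "")]:
        print("%s SHA-1: %s" % (name, cert_sha1_fingerprint(text)))
```

For a real certificate file, the result can be compared against `openssl x509 -noout -fingerprint -sha1 -in nobody.cert.pem`, which prints the same digest with colon separators.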