emersion / go-msgauth

🔏 A Go library and tools for DKIM, DMARC and Authentication-Results
MIT License

RSA Public Key Format Inconsistency #43

Closed AGWA closed 3 years ago

AGWA commented 3 years ago

RFC 6376 Section 3.6.1 states that RSA public keys are encoded in the TXT record as "an ASN.1 DER-encoded [ITU-X660-1997] RSAPublicKey". This is the encoding produced by the dkim-keygen command.

Unfortunately, RFC 6376 contradicts itself in Appendix C, where it shows a public key in SubjectPublicKeyInfo format instead. Although Appendix C is only informative, it seems that other implementations have adopted it. opendkim's key generation tool uses SubjectPublicKeyInfo, as do the DKIM records for Gmail and Fastmail. Erratum 3017 has been filed against RFC 6376 proposing that both RSAPublicKey and SubjectPublicKeyInfo be allowed in the TXT record.

Currently, go-msgauth's DKIM verifier expects RSA public keys to use SubjectPublicKeyInfo format. If you try to verify a signature from a domain which uses RSAPublicKey format instead, you get this error:

dkim: key syntax error: x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)

I propose the following fix:

  1. go-msgauth's verifier should accept both formats (i.e. it should try parsing the key with both x509.ParsePKIXPublicKey and x509.ParsePKCS1PublicKey) in accordance with Erratum 3017.
  2. dkim-keygen should produce SubjectPublicKeyInfo format. Given the use of SubjectPublicKeyInfo with providers like Gmail and Fastmail, there are probably more DKIM implementations that only accept SubjectPublicKeyInfo than implementations that only accept RSAPublicKey.

I'm happy to submit a PR for this.
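The two-step parse proposed in item 1 (try SubjectPublicKeyInfo, then fall back to the bare RSAPublicKey structure) and the SubjectPublicKeyInfo output proposed for dkim-keygen in item 2, as an added stand-alone example. This is not go-msgauth's code: the function names `parseDKIMRSAKey`, `encodeDKIMKey` and `dkimTXTRecord` are made up for illustration, and the key is generated in-process rather than fetched from DNS. Only the `crypto/x509` calls named in the issue are relied on.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// parseDKIMRSAKey takes the base64 "p=" value of a DKIM TXT record and
// returns the RSA public key plus the encoding it was found in. It accepts
// both encodings named in RFC 6376 Erratum 3017: SubjectPublicKeyInfo
// (tried first, since that is what most published records use) and the
// bare PKCS#1 RSAPublicKey structure the body of RFC 6376 specifies.
// Hypothetical helper; not go-msgauth's API.
func parseDKIMRSAKey(p string) (*rsa.PublicKey, string, error) {
	// RFC 6376 allows folding whitespace inside the base64 of p=; drop it.
	clean := strings.Map(func(r rune) rune {
		if r == ' ' || r == '\t' || r == '\r' || r == '\n' {
			return -1
		}
		return r
	}, p)
	der, err := base64.StdEncoding.DecodeString(clean)
	if err != nil {
		return nil, "", fmt.Errorf("dkim: key syntax error: %w", err)
	}

	// Attempt 1: SubjectPublicKeyInfo (X.509 / PKIX).
	if pub, err := x509.ParsePKIXPublicKey(der); err == nil {
		rsaPub, ok := pub.(*rsa.PublicKey)
		if !ok {
			return nil, "", errors.New("dkim: SubjectPublicKeyInfo does not hold an RSA key")
		}
		return rsaPub, "SubjectPublicKeyInfo", nil
	}

	// Attempt 2: bare RSAPublicKey (PKCS#1). The two DER structures cannot be
	// confused: SPKI opens with a nested SEQUENCE (the AlgorithmIdentifier),
	// RSAPublicKey opens with an INTEGER (the modulus), so trying both is safe.
	if rsaPub, err := x509.ParsePKCS1PublicKey(der); err == nil {
		return rsaPub, "RSAPublicKey", nil
	}
	return nil, "", errors.New("dkim: key syntax error: neither SubjectPublicKeyInfo nor RSAPublicKey")
}

// encodeDKIMKey produces the base64 p= value in the requested encoding.
// A key generator following the proposal above would use "SubjectPublicKeyInfo".
// Hypothetical helper; not dkim-keygen's code.
func encodeDKIMKey(pub *rsa.PublicKey, format string) (string, error) {
	var der []byte
	switch format {
	case "SubjectPublicKeyInfo":
		var err error
		der, err = x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			return "", err
		}
	case "RSAPublicKey":
		der = x509.MarshalPKCS1PublicKey(pub)
	default:
		return "", fmt.Errorf("unknown key format %q", format)
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// dkimTXTRecord assembles the TXT record text around a p= value.
func dkimTXTRecord(p string) string {
	return "v=DKIM1; k=rsa; p=" + p
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	for _, format := range []string{"SubjectPublicKeyInfo", "RSAPublicKey"} {
		p, err := encodeDKIMKey(&priv.PublicKey, format)
		if err != nil {
			panic(err)
		}
		pub, detected, err := parseDKIMRSAKey(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("published as %-20s -> parsed as %-20s modulus matches: %v\n",
			format, detected, pub.N.Cmp(priv.PublicKey.N) == 0)
		fmt.Println(dkimTXTRecord(p)[:40] + "...")
	}
	// Valid base64 that is not DER of either structure (constructed input).
	_, _, err = parseDKIMRSAKey(base64.StdEncoding.EncodeToString([]byte("not a key")))
	fmt.Println("garbage:", err)
}
```

Trying SubjectPublicKeyInfo first is only an optimisation for the common case; because each parser rejects the other structure at the first DER tag, the order does not change which keys are accepted.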

emersion commented 3 years ago

Thanks for the detailed explanation. Looks like a good plan to me!

emersion commented 3 years ago

Though I've never hit this "failed to parse public key" error I think, even when verifying Gmail/Fastmail emails. I wonder why?

AGWA commented 3 years ago

> Though I've never hit this "failed to parse public key" error I think, even when verifying Gmail/Fastmail emails. I wonder why?

Gmail and Fastmail use SubjectPublicKeyInfo, which is what go-msgauth currently expects.

I'll work on a PR.

emersion commented 3 years ago

Oh, I see, makes sense.