
[BUG] Can't read DKIM key file if key type is ed25519 #2974

Closed
sauladam opened this issue Jul 11, 2019 · 4 comments

Comments


sauladam commented Jul 11, 2019

Describe the bug
If the DKIM private key is of type 'ed25519' (instead of the default 'rsa') Rspamd fails to read the private key file for signing outgoing emails resulting in an invalid DKIM signature.

Steps to Reproduce

  1. Generate an ed25519 DKIM key pair:
    rspamadm dkim_keygen -b 4096 -t ed25519 -s myselector -k /var/lib/rspamd/dkim/domain.myselector.key

  2. Add the DKIM DNS record with the public key

  3. Point Rspamd to the private key file in the config:

path = "/var/lib/rspamd/dkim/domain.myselector.key";
selector = "myselector";

Expected behavior
Outgoing emails should have a valid DKIM signature.

Actual behavior: Emails do not have a valid signature and there is an error in Rspamd's log file stating that the private key could not be read:

#2003(rspamd_proxy) lua_rsa_privkey_load_file: cannot open private key from file: /var/lib/rspamd/dkim/domain.myselector.key, error:0909006C:PEM routines:get_name:no start line
#2003(rspamd_proxy) <301705>; lua; arc.lua:419: cannot load private key for signing

Versions

Rspamd 1.9.4
OS: Ubuntu Server 18.04.2

Additional Information

Everything works as expected with rsa keys. This is exclusively an issue with ed25519 keys.

(!) It might be important to point out that -t ed25519 creates a base64 encoded ed25519 key while the rsa keys are PEM. So while the rsa key looks like this:

-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC4vv7JWafu8tbX
M5Y0j2WZvdOXvFGz6Ouwz+QtYa+5rR8G+qlVr2SfkNkBaNAFHBv6nlei/enWtqqL
78RW6dluaA1y8TYZ8vT1X9gL7vXyL6bjF/nNTZSn9T7cHeLgW7jQi583wiB/wAFH
hKEv7NZLGC5NjvkK+JbL7Vj0ZE8fh0uM9OSQX58a+QRPcYcNdH0YMdkRy7LBBgHm
....

The ed25519 key is just:

YMCZE3gY6V2v3VjmCkXoDOWTmAwxm8roxczn5evAdxk0VMZnm+y6ueW+Z3mp51uFksITy43MVAO3fz03zReNXw==

And I'm explicitly talking about referencing the private key by file in the config. Putting the raw key directly into the config should probably work fine but I haven't tested it. My guess is that the key is being validated by checking if it starts with -----BEGIN or something and the validation fails because that's not the case with the ed25519 key.

@sauladam sauladam added the bug label Jul 11, 2019
@dejanstrbac

I actually use ed25519 files without issues. This looks to me like a problem with the files themselves. Make sure there are no empty lines or so in the file itself.

@sauladam (Author)

Hey @dejanstrbac, no there aren't any empty lines except for the obligatory newline at the bottom. The key was generated with rspamadm dkim_keygen so I don't think there should be an issue with the file itself.

Would you mind sharing what your key file looks like? Which version are you using? As mentioned above, my ed25519 keys just look like this:

YMCZE3gY6V2v3VjmCkXoDOWTmAwxm8roxczn5evAdxk0VMZnm+y6ueW+Z3mp51uFksITy43MVAO3fz03zReNXw==

Just for fun, I've also tried wrapping it in BEGIN... and END...:

-----BEGIN PRIVATE KEY-----
YMCZE3gY6V2v3VjmCkXoDOWTmAwxm8roxczn5evAdxk0VMZnm+y6ueW+Z3mp51uFksITy43MVAO3fz03zReNXw==
-----END PRIVATE KEY-----

But that just gave this error:

#1698(rspamd_proxy) <f33783>; proxy; dkim_module_load_key_format: cannot load dkim key /var/lib/rspamd/dkim/eltini.de.201907.key: cannot parse raw private key: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag


stale bot commented Sep 12, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.


kravietz commented Nov 1, 2021

It's caused by the extra DNS record data appended to the end of the private key by the dkim_keygen command. If you just write output from the command to the private key file, rspamd won't parse it:

# rspamadm dkim_keygen -s dkim -d example.com -t ed25519
zGcw+JV7jtYI6bf9aRCa18vfUu7tzjQeBquW9TKnrmBxBUtAd47/X4qQ5dhMAHXozSwwsQT1Ku9shrkBAOCuIQ==
dkim._domainkey IN TXT ( "v=DKIM1; k=ed25519; "
        "p=cQVLQHeO/1+KkOXYTAB16M0sMLEE9SrvbIa5AQDgriE=" ) ;

If you strip everything but the first line, it will work OK:

zGcw+JV7jtYI6bf9aRCa18vfUu7tzjQeBquW9TKnrmBxBUtAd47/X4qQ5dhMAHXozSwwsQT1Ku9shrkBAOCuIQ==

Interestingly, the same DNS data at the end of an RSA key doesn't break parsing, probably because it's wrapped in the BEGIN/END lines.
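The three failure modes in this thread (raw ed25519 key followed by the DNS record, a raw key wrapped in BEGIN/END lines, an RSA PEM block with trailing data) can all be told apart before Rspamd ever reads the file. The following checker is an added example, not Rspamd's own code; it uses the private key and TXT record quoted verbatim from the comment above as its sample input. It assumes the libsodium secret-key layout (32-byte seed followed by the 32-byte public key), which is why the DNS `p=` value can be cross-checked against the tail of the decoded private key; the first bytes of the two values above agree with that layout.

```python
import base64
import binascii
import re

# Sample input: the rspamadm dkim_keygen output quoted in the comment above
# (private key on line 1, then the DNS TXT record that breaks the raw-key parser).
KEYGEN_OUTPUT = """zGcw+JV7jtYI6bf9aRCa18vfUu7tzjQeBquW9TKnrmBxBUtAd47/X4qQ5dhMAHXozSwwsQT1Ku9shrkBAOCuIQ==
dkim._domainkey IN TXT ( "v=DKIM1; k=ed25519; "
        "p=cQVLQHeO/1+KkOXYTAB16M0sMLEE9SrvbIa5AQDgriE=" ) ;
"""

ED25519_SECRET_LEN = 64  # assumed libsodium layout: 32-byte seed || 32-byte public key
ED25519_PUBLIC_LEN = 32
ASN1_SEQUENCE_TAG = 0x30  # every PKCS#8 / PKCS#1 key starts with a SEQUENCE


def _nonblank(lines):
    return [l for l in lines if l.strip()]


def classify_key_file(text):
    """Return (kind, problems): kind is 'pem', 'ed25519-raw' or 'unknown'."""
    lines = [l.rstrip("\r") for l in text.split("\n")]
    while lines and not lines[-1].strip():   # the obligatory trailing newline is fine
        lines.pop()
    if not lines:
        return "unknown", ["file is empty"]
    problems = []
    first = lines[0].strip()

    if first.startswith("-----BEGIN"):
        end = next((i for i, l in enumerate(lines) if l.strip().startswith("-----END")), None)
        if end is None:
            return "pem", ["BEGIN line without a matching END line"]
        body = "".join(l.strip() for l in lines[1:end])
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append("PEM body is not valid base64")
        else:
            if not der or der[0] != ASN1_SEQUENCE_TAG:
                # This is the 'asn1_check_tlen:wrong tag' case: a raw ed25519 key
                # wrapped in BEGIN/END lines is still not DER.
                problems.append("PEM body does not start with an ASN.1 SEQUENCE; not a DER-encoded key")
        if _nonblank(lines[end + 1:]):
            problems.append("data after the END line (ignored by the PEM parser, but untidy)")
        return "pem", problems

    try:
        raw = base64.b64decode(first, validate=True)
    except binascii.Error:
        return "unknown", ["first line is neither PEM nor valid base64"]
    if len(raw) != ED25519_SECRET_LEN:
        problems.append(f"decoded key is {len(raw)} bytes, expected {ED25519_SECRET_LEN}")
    if _nonblank(lines[1:]):
        # This is the 'PEM routines:get_name:no start line' case from the report.
        problems.append("extra lines after the raw ed25519 key (e.g. the appended DNS record)")
    return "ed25519-raw", problems


def strip_to_private_key(text):
    """Return only the part of a keygen dump that belongs in the private key file."""
    lines = _nonblank(text.split("\n"))
    if lines and lines[0].strip().startswith("-----BEGIN"):
        end = next(i for i, l in enumerate(lines) if l.strip().startswith("-----END"))
        return "\n".join(lines[: end + 1]) + "\n"
    return lines[0].strip() + "\n"


def dns_public_key(text):
    """Pull the p= value out of the (possibly multi-string) TXT record in a keygen dump."""
    record = "".join(re.findall(r'"([^"]*)"', text))
    m = re.search(r"(?:^|;)\s*p=([A-Za-z0-9+/=]+)", record)
    return base64.b64decode(m.group(1)) if m else None


def key_matches_dns(text):
    """True when the published public key is the last 32 bytes of the private key."""
    sk = base64.b64decode(strip_to_private_key(text).strip())
    pk = dns_public_key(text)
    return pk is not None and len(pk) == ED25519_PUBLIC_LEN and sk[-ED25519_PUBLIC_LEN:] == pk


if __name__ == "__main__":
    print(classify_key_file(KEYGEN_OUTPUT))
    print(classify_key_file(strip_to_private_key(KEYGEN_OUTPUT)))
    print("DNS record matches private key:", key_matches_dns(KEYGEN_OUTPUT))
```

Running it against the pasted keygen output reports the appended DNS record as the problem; running it against the stripped first line reports a clean 64-byte raw key, and the `p=` value from the TXT record is confirmed to be the public half of that key, so the DNS record can be published as printed.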
