dknewkey & OpenSSL 3 generated RSA key doesn't work

Bug #1978835 reported by Mika Tiainen
This bug affects 4 people
Affects: dkimpy
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (blank)

Bug Description

Hi,

I'm setting up dkimpy-milter on Ubuntu 22.04. RSA keys generated with dknewkey are not parseable by dkimpy:

XXX:~/test$ dknewkey test
generating test.key
extracting test.key
writing RSA key
writing test.dns
XXX:~/test$ dkimsign s1 example.com test.key < ~/test.mail
Unparsable private key: Unexpected tag (got 30, expecting 02)

This is because of OpenSSL 3 default PKCS#8 format, man openssl-rsa:
       -traditional
           When writing a private key, use the traditional PKCS#1 format instead of the PKCS#8 format.

After converting the key it works:

XXX:~/test$ openssl rsa -in test.key -traditional -out test.key.trad
writing RSA key
XXX:~/test$ dkimsign s1 example.com test.key.trad < ~/test.mail
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
 <email address hidden>; q=dns/txt; s=s1; t=1655303489; h=from : to : subject :
 from; bh=cuaAHru3/DpWEtwuuTIF4xJkcFZjeKd1iDLPF1BWMXA=;
 b=WdnSt2BM3EzT6Wd9FFUjxnR1nwS8IIQWyZ17aFkBhoSXU8GKC6r5hRLu1F5XcdxOa4nbh
 T5lFakKyMBYFKw805AHZu/GlTr3PD4e1t9oot9lOm54QiuOJP+PseJT+AVI4LkxwECgXZT3
 skTl/Oj93YpqoWWKblMlTslngGMmrw8IaRoGcBFxL6R5Gb2mI0ecXRDvuCelYTB8Uf26R4J
 Z1gX0MBGL2MNDNrDXMCDwjaPuD2gP5Vo0NLjhZG7SR2BoLyu0QkBE6Cte3+rlisfhU4KIIS
 Yc3Li5gM/fsHfVHDO+mul+ic5oh00jTxCDJIMxi7TRHysr9pOPrqRGZzNA8w==

Also, finding the issue took quite a while as dkimpy-milter with KeyTable/SignTable didn't log any errors. Only when testing with Domain/Keyfile/Selector I got the error:

dkimpy-milter[22326]: DKIM: Unparsable private key: Unexpected tag (got 30, expecting 02)
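
The tag mismatch in the error above follows from the two ASN.1 layouts: in a PKCS#1 RSAPrivateKey the field after the version is an INTEGER (tag 02), while in a PKCS#8 PrivateKeyInfo it is the AlgorithmIdentifier SEQUENCE (tag 30). The sketch below is an added example, not dkimpy's code and not the merged fix; it tells the two formats apart and unwraps PKCS#8 to the inner PKCS#1 bytes. The helper names and the toy key values are constructed for illustration.

```python
# Added example: helper names are hypothetical, toy DER values are constructed.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def to_pkcs1(der_bytes):
    """Return (format, PKCS#1 RSAPrivateKey DER), unwrapping PKCS#8 if needed."""
    tag, body, _ = read_tlv(der_bytes)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, _version, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("first field is not INTEGER version")
    tag, field2, pos = read_tlv(body, pos)
    if tag == 0x02:                        # INTEGER modulus: already PKCS#1
        return "PKCS#1", der_bytes
    if tag != 0x30:                        # PKCS#8 carries AlgorithmIdentifier here
        raise ValueError("unexpected tag %02x" % tag)
    oid_tag, oid, _ = read_tlv(field2)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("PKCS#8 key is not rsaEncryption")
    tag, inner, _ = read_tlv(body, pos)    # OCTET STRING wrapping the RSAPrivateKey
    if tag != 0x04:
        raise ValueError("missing privateKey OCTET STRING")
    return "PKCS#8", inner

def der(tag, value):                       # short-form length only; enough for the toy values
    return bytes([tag, len(value)]) + value

def der_int(v):                            # minimal non-negative DER INTEGER
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

# Constructed toy values (textbook n=3233): structurally valid, not a usable key.
TOY_PKCS1 = der(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PKCS8 = der(0x30, der_int(0) + der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x04, TOY_PKCS1))

if __name__ == "__main__":
    for name, blob in (("traditional", TOY_PKCS1), ("OpenSSL 3 default", TOY_PKCS8)):
        fmt, pkcs1 = to_pkcs1(blob)
        print(name, "->", fmt, pkcs1.hex())
```

For a real key file, the DER input is the base64-decoded body of the PEM block; the PEM label (`BEGIN RSA PRIVATE KEY` for PKCS#1, `BEGIN PRIVATE KEY` for PKCS#8) gives the same answer without parsing.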

Alberto Bertogli (albertito) wrote:

FWIW I ran into this same issue on Debian testing (python3-dkim 1.0.5-2).

Scott Kitterman (kitterman) wrote:

Thanks. Gotta love non-backward compatible changes. Appreciate the troubleshooting.

Changed in dkimpy:
status: New → Confirmed
Adrien (spitap) wrote:

I've just proposed a merge to fix the "Unparsable private key: Unexpected tag (got 30, expecting 02)".
As for key generation, adding "-traditional" seems the best option, or do we want to test the OpenSSL version? I can add it to the branch if needed :)

Scott Kitterman (kitterman) wrote:

Fix merged for the next release. Thanks.

Changed in dkimpy:
importance: Undecided → Medium
milestone: none → 1.1.0
status: Confirmed → Fix Committed
Changed in dkimpy:
status: Fix Committed → Fix Released