RE: opendkim signed messages 'fail' spamassassin-based DKIM signature verification with 'OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE' ?

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Fri, 15 Apr 2011 10:20:38 -0700

> -----Original Message-----
> From: dchilton_at_bestmail.us [mailto:dchilton_at_bestmail.us]
> Sent: Friday, April 15, 2011 10:15 AM
> To: Murray S. Kucherawy; opendkim-users_at_lists.opendkim.org
> Subject: RE: opendkim signed messages 'fail' spamassassin-based DKIM signature verification with 'OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE' ?
>
> other than your reminder to (re)check with opendkim-testkey, nothing i'd
> seen in logs, various receivers' headers, or any verifiers, had
> suggested to me directly that there was a key-mismatch.

An unfortunate property of crypto work is that the best you get out of some things is a Boolean indicating success or failure, and it's impossible to know what went wrong past that. The only thing it can tell you is that the bits didn't line up, and you're left to play detective.

Indeed, the RSA_Verify() function in OpenSSL returns a 1 or a 0; it can't determine further whether there was a mismatch in the signature (meaning a change to the message) or if the public key was the wrong one (how could it tell?). The only thing that can help is that the earlier functions that load the key detect the error, but if the error is hidden by base64 encoding issues, that too might get missed.

The nice thing about opendkim-testkey is that it has an opportunity to see the whole picture; it takes your private key, generates the matching public key from it, and makes sure that's what you've published. If that passes, signature verification errors are either DNS transport related or are truly broken signatures.

Anyway, glad you got it working.

-MSK
Received on Fri Apr 15 2011 - 17:20:52 PST
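The consistency check Murray describes, as an added example that is not part of the thread and not opendkim-testkey's own code: it derives the public key from a private key with the openssl CLI, compares it with the p= tag of a DKIM TXT record, and contrasts that with a plain signature verification, which yields only pass/fail. The keys, file names, message and TXT records are all constructed locally (nothing is fetched from DNS) and are assumptions of this example, not values from the thread.

```sh
#!/bin/sh
# Added example, not opendkim code: reproduce the private/public key
# consistency check that opendkim-testkey performs, using only the openssl CLI.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# The DKIM p= value is the base64 of the SubjectPublicKeyInfo DER, which is
# exactly what "openssl rsa -pubout -outform DER" emits for a private key.
dkim_p_from_private() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Pull the p= tag out of a DKIM TXT record string (tags are ';'-separated).
dkim_p_from_record() {
    printf '%s' "$1" | tr -d ' "' | tr ';' '\n' | sed -n 's/^p=//p'
}

# 0 if the private key reproduces the record's public key, 1 otherwise.
# An empty p= (a revoked key) must not compare equal to a failed derivation.
check_key_matches_record() {
    have=$(dkim_p_from_private "$1")
    want=$(dkim_p_from_record "$2")
    [ -n "$want" ] && [ "$have" = "$want" ]
}

# Verify a detached signature against the key from a record. Like RSA_verify()
# this gives only pass/fail: a wrong key and a modified message look the same.
verify_with_record() {  # args: message signature record
    p=$(dkim_p_from_record "$3")
    {
        printf '%s\n' '-----BEGIN PUBLIC KEY-----'
        printf '%s\n' "$p" | fold -w 64
        printf '%s\n' '-----END PUBLIC KEY-----'
    } > "$workdir/pub.pem"
    openssl dgst -sha256 -verify "$workdir/pub.pem" \
        -signature "$2" "$1" >/dev/null 2>&1
}

# Constructed sample: the key the signer uses, and a second, smaller key that
# stands in for a stale key still published in DNS (the size mismatch is the
# kind of situation behind a "data too large for key size" style error).
openssl genrsa -out "$workdir/signing.key" 2048 2>/dev/null
openssl genrsa -out "$workdir/stale.key" 1024 2>/dev/null

good_record="v=DKIM1; k=rsa; p=$(dkim_p_from_private "$workdir/signing.key")"
stale_record="v=DKIM1; k=rsa; p=$(dkim_p_from_private "$workdir/stale.key")"

# Constructed message, signed with the signing key (stand-in for a DKIM signer).
printf 'From: sender@example.com\nSubject: constructed test\n\nhello\n' \
    > "$workdir/msg.txt"
openssl dgst -sha256 -sign "$workdir/signing.key" \
    -out "$workdir/msg.sig" "$workdir/msg.txt"

if check_key_matches_record "$workdir/signing.key" "$good_record"; then
    echo "published key matches private key"
else
    echo "published key does NOT match private key"
fi
if verify_with_record "$workdir/msg.txt" "$workdir/msg.sig" "$stale_record"; then
    echo "signature verifies against stale record"
else
    echo "signature fails against stale record (no further detail available)"
fi
```

The real opendkim-testkey additionally looks the record up in DNS for the given selector and domain, so a passing comparison here only rules out the key material itself; DNS transport problems are still possible, as the reply notes.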
