Re: GnuTLS and Ed25519

From: Alice Wonder <alice_at_librelamp.com>
Date: Wed, 19 Dec 2018 11:34:02 -0800

I'm doing it the same way Exim is.

Interesting, if I add an extra newline before and after the key -
OpenDKIM no longer crashes but it still won't sign, could be coincidence
- I'll have to test - but now I'm getting this:

0EF125EA6: SSL ASN1 parser: Error in DER parsing.
0EF125EA6: dkim_eom(): resource unavailable:
gnutls_x509_privkey_import() failed

If there really is a difference depending upon whether or not there are
excess blank lines above and below the cert, then I'm guessing there
might be a bug in how it is being read before being passed to GnuTLS.

On 12/19/18 10:37 AM, Scott Kitterman wrote:
> The Exim implementation of DKIM/Ed25519 uses GnuTLS. You can probably look at their code to see how they handled it.
>
> This was also discussed during the IETF DCRUP (DKIM Crypto UPdate) working group. The WG mailing list archive will have information on this.
>
> The Ed25519 public keys that go in DNS are definitely not ASN.1. I don't recall about private keys and GnuTLS. For libsodium, they aren't ASN.1. For my dkimpy-milter, I use Base64 encoded binary for the private keys.
>
> Scott K
>
> On December 19, 2018 6:00:59 PM UTC, Alice Wonder <alice_at_librelamp.com> wrote:
>> Hi -
>>
>> OpenDKIM 2.11.0 Beta2 w/ patch from
>> https://github.com/trusteddomainproject/OpenDKIM/issues/33
>>
>> Built against GnuTLS 3.6.5 / Nettle 3.4.1
>>
>> It works beautifully with rsa-sha256
>>
>> If I try ed25519-sha256 I get an error:
>>
>> opendkim.service: main process exited, code=killed, status=6/ABRT
>>
>> This is what the private key looks like (yes I'm aware this one is now no
>> longer usable):
>>
>> -----BEGIN PRIVATE KEY-----
>> MC4CAQAwBQYDK2VwBCIEINRFq9VHSh4sso/vsSITQzBWWpdVzIOk6oTmHs26rzAp
>> -----END PRIVATE KEY-----
>>
>> I can use certtool from GnuTLS to generate a self-signed cert from the
>> private key so I know GnuTLS is able to work with it.
>>
>> My question of course is, does OpenDKIM expect Ed25519 private keys to
>> be in a different format than base64 encoded ASN.1 DER?
>>
>> Or is it an issue with the build? Or support just not finished yet?
>>
>> Playing around I tried a private key file with just a base64 encoding of
>> the raw bytes, and in that case OpenDKIM doesn't crash but I do get an
>> obvious error from GnuTLS function stating it can't import it.
>>
>> Any suggestions appreciated. Mainly I'm just looking to be able to test
>> validation, but I have to be able to sign to have something to test
>> validation with ;)
>
>
Received on Wed Dec 19 2018 - 19:34:20 PST
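The thread turns on which of two private-key encodings a signer is handed: the PKCS#8 DER structure for Ed25519 (RFC 8410: SEQUENCE of version INTEGER 0, AlgorithmIdentifier with OID 1.3.101.112, and an OCTET STRING that itself wraps the 32-byte seed as an OCTET STRING) inside PEM armor, versus a bare base64 encoding of the 32 raw seed bytes as dkimpy-milter uses. The following is an added example, not code from OpenDKIM, Exim or dkimpy-milter: it builds a PKCS#8 PEM from a constructed (non-secret, throwaway) seed, parses it back with a strict DER walker that reports where the structure breaks instead of a generic "Error in DER parsing", tolerates extra blank lines around the armor, and classifies a key file as one format or the other before it reaches a signer. The seed value and all function names are assumptions of this example.

```python
import base64
import re

# Constructed 32-byte seed for the example only; it is NOT a real key.
EXAMPLE_SEED = bytes(range(32))

# AlgorithmIdentifier contents for id-Ed25519: OBJECT IDENTIFIER 1.3.101.112 (RFC 8410).
ED25519_OID_DER = bytes.fromhex("06032b6570")


def build_pkcs8_ed25519_pem(seed: bytes, extra_blank_lines: int = 0) -> str:
    """Wrap a 32-byte Ed25519 seed in PKCS#8 DER (RFC 8410 layout) and PEM armor.

    extra_blank_lines adds newlines before and after the armor, mirroring the
    experiment in the thread of padding the key file with blank lines.
    """
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    curve_private_key = b"\x04\x20" + seed          # CurvePrivateKey ::= OCTET STRING (32 bytes)
    private_key = b"\x04\x22" + curve_private_key   # privateKey OCTET STRING wrapping it
    algorithm = b"\x30\x05" + ED25519_OID_DER        # AlgorithmIdentifier SEQUENCE
    version = b"\x02\x01\x00"                        # version INTEGER 0
    body = version + algorithm + private_key
    der = b"\x30" + bytes([len(body)]) + body        # OneAsymmetricKey SEQUENCE (46 bytes)
    b64 = base64.b64encode(der).decode()
    pad = "\n" * extra_blank_lines
    return pad + "-----BEGIN PRIVATE KEY-----\n" + b64 + "\n-----END PRIVATE KEY-----\n" + pad


def _read_tlv(buf: bytes, pos: int, expected_tag: int):
    """Read one DER tag-length-value (short-form length); return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    if tag != expected_tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (expected_tag, pos, tag))
    if length >= 0x80:
        raise ValueError("long-form length at offset %d; not expected in an Ed25519 PKCS#8 key" % pos)
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("DER length at offset %d runs past end of data" % pos)
    return buf[pos + 2:end], end


def pem_body(text: str, label: str = "PRIVATE KEY") -> bytes:
    """Extract and base64-decode one PEM block; whitespace and blank lines anywhere are ignored."""
    pattern = r"-----BEGIN %s-----(.*?)-----END %s-----" % (re.escape(label), re.escape(label))
    m = re.search(pattern, text, re.S)
    if not m:
        raise ValueError("no PEM block with label %r" % label)
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)


def parse_pkcs8_ed25519(pem_text: str) -> bytes:
    """Return the 32-byte seed from a PEM-armored PKCS#8 Ed25519 key, checking every layer."""
    der = pem_body(pem_text)
    outer, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after the PKCS#8 SEQUENCE")
    version, pos = _read_tlv(outer, 0, 0x02)
    if version != b"\x00":
        raise ValueError("unsupported PKCS#8 version %r" % version)
    alg, pos = _read_tlv(outer, pos, 0x30)
    if alg != ED25519_OID_DER:
        raise ValueError("AlgorithmIdentifier is not id-Ed25519")
    priv, _ = _read_tlv(outer, pos, 0x04)
    seed, inner_end = _read_tlv(priv, 0, 0x04)
    if inner_end != len(priv) or len(seed) != 32:
        raise ValueError("CurvePrivateKey is not a single 32-byte OCTET STRING")
    return seed


def classify_key_file(text: str) -> str:
    """Distinguish the two encodings discussed in the thread.

    Returns "pkcs8-pem" for a PEM-armored PKCS#8 key (what GnuTLS imports) or
    "raw-base64" for bare base64 of the 32 seed bytes; anything else raises.
    """
    if "-----BEGIN" in text:
        parse_pkcs8_ed25519(text)
        return "pkcs8-pem"
    raw = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
    if len(raw) == 32:
        return "raw-base64"
    raise ValueError("neither PKCS#8 PEM nor 32 raw bytes (%d bytes decoded)" % len(raw))


if __name__ == "__main__":
    pem = build_pkcs8_ed25519_pem(EXAMPLE_SEED, extra_blank_lines=2)
    print(classify_key_file(pem), parse_pkcs8_ed25519(pem).hex())
    print(classify_key_file(base64.b64encode(EXAMPLE_SEED).decode()))
```

Because the seed is the only variable part of the structure, every PKCS#8 Ed25519 key's base64 begins with the same prefix as the key quoted in the thread (`MC4CAQAwBQYDK2VwBCIEI`); a file that lacks that prefix, or that decodes to exactly 32 bytes, is in the raw format rather than the one GnuTLS's `gnutls_x509_privkey_import()` expects.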

This archive was generated by hypermail 2.3.0 : Thu Dec 20 2018 - 06:00:00 PST