Re: GnuTLS and Ed25519

From: Alice Wonder <alice_at_librelamp.com>
Date: Wed, 19 Dec 2018 12:00:59 -0800

I found a Fedora bug that caused import to fail under certain conditions
but still succeed with certtool. Different issue, but it gave me a clue
to look at. Trying a few things; I may have been over-zealous with what
I disabled during the gnutls compile.

On 12/19/18 11:34 AM, Alice Wonder wrote:
> I'm doing it the same way Exim is.
>
> Interesting, if I add an extra newline before and after the key -
> OpenDKIM no longer crashes but it still won't sign, could be coincidence
> - I'll have to test - but now I'm getting this:
>
> 0EF125EA6: SSL ASN1 parser: Error in DER parsing.
> 0EF125EA6: dkim_eom(): resource unavailable:
> gnutls_x509_privkey_import() failed
>
> If there really is a difference depending upon whether or not there are
> excess blank lines above and below the cert, then I'm guessing there
> might be a bug in how it is being read before being passed to GnuTLS.
>
> On 12/19/18 10:37 AM, Scott Kitterman wrote:
>> The Exim implementation of DKIM/Ed25519 uses GnuTLS.  You can probably
>> look at their code to see how they handled it.
>>
>> This was also discussed during the IETF DCRUP (DKIM Crypto UPdate)
>> working group. The WG mailing list archive will have information on this.
>>
>> The Ed25519 public keys that go in DNS are definitely not ASN.1.  I
>> don't recall about private keys and GnuTLS.  For libsodium, they
>> aren't ASN.1.  For my dkimpy-milter, I use Base64 encoded binary for
>> the private keys.
>>
>> Scott K
>>
>> On December 19, 2018 6:00:59 PM UTC, Alice Wonder
>> <alice_at_librelamp.com> wrote:
>>> Hi -
>>>
>>> OpenDKIM 2.11.0 Beta2 w/ patch from
>>> https://github.com/trusteddomainproject/OpenDKIM/issues/33
>>>
>>> Built against GnuTLS 3.6.5 / Nettle 3.4.1
>>>
>>> It works beautifully with rsa-sha256
>>>
>>> If I try ed25519-sha256 I get an error:
>>>
>>> opendkim.service: main process exited, code=killed, status=6/ABRT
>>>
>>> This is what private key looks like (yes I'm aware this one is now no
>>> longer usable):
>>>
>>> -----BEGIN PRIVATE KEY-----
>>> MC4CAQAwBQYDK2VwBCIEINRFq9VHSh4sso/vsSITQzBWWpdVzIOk6oTmHs26rzAp
>>> -----END PRIVATE KEY-----
>>>
>>> I can use certtool from GnuTLS to generate a self-signed cert from the
>>> private key so I know GnuTLS is able to work with it.
>>>
>>> My question of course is, does OpenDKIM expect Ed25519 private keys to
>>> be in a different format than base64-encoded ASN.1 DER?
>>>
>>> Or is it an issue with the build? Or support just not finished yet?
>>>
>>> Playing around I tried a private key file with just a base64 encoding
>>> of the raw bytes, and in that case OpenDKIM doesn't crash but I do get
>>> an obvious error from the GnuTLS function stating it can't import it.
>>>
>>> Any suggestions appreciated. Mainly I'm just looking to be able to test
>>> validation, but I have to be able to sign to have something to test
>>> validation with ;)
>>
>>
>
>
Received on Wed Dec 19 2018 - 20:01:17 PST

This archive was generated by hypermail 2.3.0 : Thu Dec 20 2018 - 06:00:00 PST
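The two key encodings discussed in the thread (the PEM "PRIVATE KEY" block Alice posted, and the "base64 of the raw bytes" form Scott uses in dkimpy-milter) differ only by a fixed 16-byte PKCS#8 header. The following is an added example, not code from OpenDKIM, GnuTLS, Exim or dkimpy-milter: it uses only the Python standard library to strip PEM armour (tolerating the extra blank lines Alice experimented with), walk the DER structure of the posted key, pull out the 32-byte Ed25519 seed, convert it to the raw-base64 form, and rebuild the exact PKCS#8 bytes from the seed. The sample key is the one posted in the thread, which its author says is no longer in use; the function names and the `looks_like_pkcs8` heuristic are my own.

```python
"""Convert between PKCS#8 (RFC 5958 / RFC 8410) and raw Ed25519 private keys.

Added example using only the standard library; not OpenDKIM or GnuTLS code.
"""
import base64

# Key text exactly as posted in the thread (its author says it is revoked).
POSTED_PEM = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEINRFq9VHSh4sso/vsSITQzBWWpdVzIOk6oTmHs26rzAp
-----END PRIVATE KEY-----"""

ED25519_OID = bytes.fromhex("2b6570")  # id-Ed25519 = 1.3.101.112 (RFC 8410)


def pem_to_der(text: str) -> bytes:
    """Strip PEM armour. Tolerates blank lines and CRLF around the block."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    if not body:
        raise ValueError("no PEM body found")
    return base64.b64decode("".join(body), validate=True)


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos).

    Only short-form lengths (< 128) are handled; an Ed25519 PKCS#8 key is
    48 bytes in total, so nothing longer can legitimately appear in it.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in an Ed25519 PKCS#8 key")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[start:end], end


def pkcs8_to_seed(der: bytes) -> bytes:
    """Parse OneAsymmetricKey for Ed25519 and return the 32-byte seed."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE malformed or trailing data")
    tag, version, p = _tlv(body, 0)
    if tag != 0x02 or version not in (b"\x00", b"\x01"):
        raise ValueError("bad PKCS#8 version")
    tag, algid, p = _tlv(body, p)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    otag, oid, _ = _tlv(algid, 0)
    if otag != 0x06 or oid != ED25519_OID:
        raise ValueError("not an Ed25519 key (OID mismatch)")
    tag, privkey, p = _tlv(body, p)
    if tag != 0x04:
        raise ValueError("expected privateKey OCTET STRING")
    # RFC 8410: the privateKey OCTET STRING wraps a second OCTET STRING
    # (CurvePrivateKey) holding the 32-byte seed.
    itag, seed, _ = _tlv(privkey, 0)
    if itag != 0x04 or len(seed) != 32:
        raise ValueError("expected 32-byte CurvePrivateKey")
    return seed


def seed_to_pkcs8(seed: bytes) -> bytes:
    """Inverse of pkcs8_to_seed: wrap a raw seed in the PKCS#8 v1 envelope."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    inner = b"\x04\x20" + seed                        # CurvePrivateKey
    algid = b"\x30\x05\x06\x03" + ED25519_OID         # AlgorithmIdentifier
    body = b"\x02\x01\x00" + algid + b"\x04" + bytes([len(inner)]) + inner
    return b"\x30" + bytes([len(body)]) + body


def seed_to_raw_base64(seed: bytes) -> str:
    """The 'base64 of the raw bytes' form Scott describes for dkimpy-milter."""
    return base64.b64encode(seed).decode("ascii")


def looks_like_pkcs8(data: bytes) -> bool:
    """Cheap discriminator (my heuristic): 48-byte DER SEQUENCE vs bare 32-byte seed."""
    return len(data) == 48 and data[:2] == b"\x30\x2e"


if __name__ == "__main__":
    der = pem_to_der(POSTED_PEM)
    seed = pkcs8_to_seed(der)
    print("PKCS#8 DER :", der.hex())
    print("raw seed   :", seed.hex())
    print("raw base64 :", seed_to_raw_base64(seed))
    print("round trip :", seed_to_pkcs8(seed) == der)
```

Running it shows that the posted key really is a well-formed PKCS#8 Ed25519 key, which matches Alice's observation that certtool accepts it; a loader that fails on this input is reading the file wrongly (for example, passing a buffer that still contains the PEM header, or a raw seed where a DER structure is expected) rather than receiving a malformed key. The `pem_to_der` helper also shows why surrounding blank lines should not matter to a correct reader: they are dropped before base64 decoding.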