mail_crypt_global_private_key: Couldn't parse private key: Unknown/invalid PEM key type

Antti Antinoja reader at fennosys.fi
Sat Feb 20 14:39:56 EET 2021


https://github.com/dovecot/core/blob/master/src/plugins/mail-crypt/test-mail-global-key.c <- This test code has an encrypted private key included.

After decoding this I learned that it looks different from the one we used.

Dovecot test code key:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAip6qJckQDOqwICCAAw
HQYJYIZIAWUDBAEqBBAW7OhPTeSLR8LKpf0f6GkvBIGQfNkaJhvs6UeVKdd7cstS
1DR5rXMkN7OEmScM9cFY6P5k37gcUIPVnu4+91XeA5156rpiPJrpGdfzkr8O5Qjd
l1drrdzgHjdq8OefmDu0A324YwnRKxFDLTr9G2LU2HhbezkLcWQp1RHH6l5tQqKp
6bwNb2w79xBoMXJ3z1VjpINfOpFrz3ynqYjQxly2+B86
-----END ENCRYPTED PRIVATE KEY-----

Our key:

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CTR,F7C4B1E7041D0A455B1F9E08046DA401

Pta8OAtA3ujv0vSMctiHiTd2j0GSSdzV57QGmUwCMMQp7QoqBHt/dDMEPbPF5lG1
j0PDu5/FVuTtUlRZS16+NSWiorgkvVHTh3+47tx/uviQwQP/43tEaFpf77SAZlDw
xB2SjM4Zv1hdSpjxWDGGJFBDv/2/dj9UpTxwkAwuX+QQhRlVzSyr0BAXG9yOq/GT
ws8Q5GevzvHGh1YyPgpL9jtbizGIa4US0f7hEfGGHfJ/3RIdz0xeihv8Ga0huj48
dS/QScE7Bv+Ymzzcg2dlvY96G5xRIOwB8ADwR/lwbw==
-----END EC PRIVATE KEY-----

Compared these two keys to the examples at:

* https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations

... and learned that mine was in encrypted 'EC specific' format whereas the test key was in encrypted 'PKCS8' format.

The solution was to convert our private key to pkcs8 format:

    cat private_key_encrypted.pem  | base64 -d | \
    openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 | \
    base64 -w0 > private_key_encrypted_pkcs8.pem

Do you think these parameters are safe?

Cheers,
Antti

On Sat, 20 Feb 2021 12:38:00 +0200
Aki Tuomi <aki.tuomi at open-xchange.com> wrote:

> Can you tell us what you did differently?
> 
> Aki
> 
> On 20 February 2021 11.33.15 EET, Antti Antinoja <reader at fennosys.fi> wrote:
> >Got it! My private test key was in wrong format.
> >
> >Cheers,
> >Antti
> >
> >On Sat, 20 Feb 2021 14:15:07 +0800
> >Antti Antinoja <reader at fennosys.fi> wrote:
> >
> >> Version: Dovecot 2.3.13 (89f716dc2)
> >> 
> >> Issue: Dovecot states it can't parse the private key
> >> 
> >> = Background =
> >> 
> >> == Creating private EC key ==
> >> 
> >> * Curve: secp521r1
> >> * Encryption: aes-256-ctr
> >> * Format: pkey
> >> * Encapsulation: Base64
> >> 
> >>   # openssl ecparam -name secp521r1 -genkey | openssl pkey |\
> >>     openssl ec -aes-256-ctr | base64 -w0 > test_keys_remove/private_key_encrypted.pem
> >> 
> >> == Extract public key ==
> >> 
> >>   # cat test_keys_remove/private_key_encrypted.pem | base64 -d |\
> >>     openssl ec -pubout | base64 -w0 > test_keys_remove/public_key.pem
> >> 
> >> == Checking keys ==
> >> 
> >> * 592 Feb 20 07:27 private_key_encrypted.pem:
> >>
> >LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
> >> 
> >> * 360 Feb 20 07:28 public_key.pem:
> >>
> >LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
> >> 
> >> == Notes ==
> >> 
> >> * The keys are then saved in database and fetched to userdb by
> >Dovecot via passdb lookup (Details in the logs)
> >> * mail-crypt settings:
> >> 
> >>     mail_plugins = $mail_plugins mail_crypt
> >>     plugin {
> >>         mail_crypt_curve = secp521r1
> >>         mail_crypt_save_version = 0
> >>     }
> >> 
> >> * Note: User record on database has mail_crypt_save_version = 2 as
> >can be seen from the log extract below.
> >> 
> >> = Dovecot log on client IMAP message retrieval =
> >> 
> >> Feb 20 07:45:01 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing passdb lookup
> >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished passdb lookup
> >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: auth(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Auth request finished
> >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: client passdb out: OK  1       user=test1 at g1.fi
> >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing userdb lookup
> >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished userdb lookup
> >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: master userdb out: USER        1609957377      test1 at g1.fi    mail_crypt_global_private_password=key_pass_we_know_this_is_correct mail_crypt_global_private_key=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== mail_crypt_save_version=2       quota_rule=*:bytes=0   home=/var/vmail/g1.fi/test1     uid=10000       gid=10000      auth_mech=PLAIN auth_token=66d2d0f66bcce2758235fb53dbfe821804c6e79c
> >> Feb 20 07:45:02 pf1 dovecot[19612]: imap-login: Login: user=<test1 at g1.fi>, method=PLAIN, rip=x.x.x.x, lip=y.y,y,y, mpid=19618, TLS, session=<wFzVEb67CMQKZgkb>
> >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
> >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/mail_crypt_global_private_password=<hidden>
> >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
> >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/=2
> >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/quota_rule=*:bytes=0
> >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Error: mail_crypt_plugin: mail_crypt_global_private_key: Couldn't parse private key: Unknown/invalid PEM key type
> >> 
> >> == Question ==
> >> 
> >> Any idea why Dovecot can't parse the private key?
> >> 
> >> I tested this with several keys. Even with some without encryption ->
> >Always same error.
> >> 
> >> According to the debug messages the private key is correctly loaded
> >(and indeed matches the one created on command line).
> >> 
> >> Thank you for your time.
> >> 
> >> Cheers,
> >> Antti
> >> 
> >> -- 
> >> Antti Antinoja <reader at fennosys.fi>
> >
> >
> >-- 
> >Antti Antinoja <reader at fennosys.fi>
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.


-- 
Antti Antinoja <reader at fennosys.fi>
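To see what actually ended up inside a converted key, and to answer the "are these parameters safe?" question with data instead of guesswork, here is an added Python inspector. It is an example written for this page; it is not part of the thread, of Dovecot or of OpenSSL. It parses both kinds of PEM shown above (the legacy "Proc-Type: 4,ENCRYPTED" EC key and a PKCS#8 EncryptedPrivateKeyInfo), extracts KDF, PRF, iteration count, salt, cipher and IV, and flags the weak spots. The inputs are the two PEM blocks quoted in the thread, copied verbatim; the 100000-iteration threshold and the small OID table are this example's own choices.

```python
import base64
import re

# Constructed inputs: the two PEM blocks quoted in this thread, copied verbatim.
DOVECOT_TEST_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAip6qJckQDOqwICCAAw
HQYJYIZIAWUDBAEqBBAW7OhPTeSLR8LKpf0f6GkvBIGQfNkaJhvs6UeVKdd7cstS
1DR5rXMkN7OEmScM9cFY6P5k37gcUIPVnu4+91XeA5156rpiPJrpGdfzkr8O5Qjd
l1drrdzgHjdq8OefmDu0A324YwnRKxFDLTr9G2LU2HhbezkLcWQp1RHH6l5tQqKp
6bwNb2w79xBoMXJ3z1VjpINfOpFrz3ynqYjQxly2+B86
-----END ENCRYPTED PRIVATE KEY-----
"""
LEGACY_EC_KEY = """-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CTR,F7C4B1E7041D0A455B1F9E08046DA401

Pta8OAtA3ujv0vSMctiHiTd2j0GSSdzV57QGmUwCMMQp7QoqBHt/dDMEPbPF5lG1
j0PDu5/FVuTtUlRZS16+NSWiorgkvVHTh3+47tx/uviQwQP/43tEaFpf77SAZlDw
xB2SjM4Zv1hdSpjxWDGGJFBDv/2/dj9UpTxwkAwuX+QQhRlVzSyr0BAXG9yOq/GT
ws8Q5GevzvHGh1YyPgpL9jtbizGIa4US0f7hEfGGHfJ/3RIdz0xeihv8Ga0huj48
dS/QScE7Bv+Ymzzcg2dlvY96G5xRIOwB8ADwR/lwbw==
-----END EC PRIVATE KEY-----
"""
# Only the OIDs this example needs (assumption); anything else is reported as None.
OIDS = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
        "1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256",
        "2.16.840.1.101.3.4.1.42": "aes256-CBC", "2.16.840.1.101.3.4.1.2": "aes128-CBC"}

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the payload of a constructed TLV into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Render a DER-encoded OBJECT IDENTIFIER payload as dotted decimal."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_pem(text):
    """Return (label, RFC 1421 headers, DER bytes) for the first PEM block in text."""
    m = re.search(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    lines, headers = m.group(2).strip().splitlines(), {}
    while lines and ":" in lines[0]:  # Proc-Type:/DEK-Info: lines of legacy encryption
        key, val = lines.pop(0).split(":", 1)
        headers[key.strip()] = val.strip()
    return m.group(1), headers, base64.b64decode("".join(l.strip() for l in lines))

def inspect_private_key(pem):
    """Classify a PEM private key and extract its password-protection parameters."""
    label, headers, der = parse_pem(pem)
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, iv = headers["DEK-Info"].split(",")
        # Legacy PEM encryption derives the key with EVP_BytesToKey: one MD5 pass over
        # passphrase + 8-byte salt taken from the IV, with no iteration count at all.
        return {"format": "legacy-pem", "type": label, "cipher": cipher, "iv": iv,
                "kdf": "EVP_BytesToKey(MD5)", "iterations": 1, "prf": None}
    if label != "ENCRYPTED PRIVATE KEY":
        return {"format": "unencrypted", "type": label, "cipher": None, "prf": None}
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData }
    (_, alg), _ = der_children(der_tlv(der)[1])
    (_, alg_oid), (_, params) = der_children(alg)
    info = {"format": "pkcs8", "type": label, "scheme": OIDS.get(decode_oid(alg_oid))}
    if info["scheme"] != "PBES2":
        return info
    (_, kdf), (_, enc) = der_children(params)
    (_, kdf_oid), (_, kdf_params) = der_children(kdf)
    fields = der_children(kdf_params)  # salt, iterationCount, [keyLength], [prf]
    info.update(kdf=OIDS.get(decode_oid(kdf_oid)), salt=fields[0][1].hex(),
                iterations=int.from_bytes(fields[1][1], "big"), prf="hmacWithSHA1")
    for tag, val in fields[2:]:
        if tag == 0x30:  # explicit prf AlgorithmIdentifier overrides the PKCS#5 default
            info["prf"] = OIDS.get(decode_oid(der_children(val)[0][1]))
    (_, enc_oid), (_, iv) = der_children(enc)
    info.update(cipher=OIDS.get(decode_oid(enc_oid)), iv=iv.hex())
    return info

def weaknesses(info, min_iterations=100_000):
    """Policy check; the iteration threshold is this example's assumption, not Dovecot's."""
    found = []
    if info["format"] == "legacy-pem":
        found.append("legacy PEM encryption: one MD5 pass, no iteration count")
    if info.get("prf") == "hmacWithSHA1":
        found.append("PBKDF2 PRF is hmacWithSHA1 (PKCS#5 default); use -v2prf hmacWithSHA256")
    if info["format"] == "pkcs8" and info.get("iterations", min_iterations) < min_iterations:
        found.append(f"only {info['iterations']} PBKDF2 iterations; raise with -iter")
    return found
```

Run `inspect_private_key(DOVECOT_TEST_KEY)` and it reports PBES2 with PBKDF2, 2048 iterations, the hmacWithSHA1 default PRF and aes256-CBC. 2048 is also the default iteration count of `openssl pkcs8`, so a conversion like the one earlier in this message produces the same count unless `-iter` is passed (OpenSSL 1.1.0 and later), while `-v2prf hmacWithSHA256` does show up as an explicit prf field that the loop above picks up. The legacy "EC PRIVATE KEY" block is flagged because "Proc-Type: 4,ENCRYPTED" PEM derives its key from the passphrase with a single MD5 pass, which is a reason to prefer PKCS#8 PBES2 regardless of which format Dovecot's parser accepts.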

