mail_crypt_global_private_key: Couldn't parse private key: Unknown/invalid PEM key type

Aki Tuomi aki.tuomi at open-xchange.com
Sat Feb 20 15:44:00 EET 2021


The easier way to get to this same result:

~$ openssl ecparam -genkey -name secp521r1 | openssl pkey -aes-256-cbc -passout pass:foobar

Deciding whether these parameters are safe is your job, I personally think secp521r1 is reasonably safe.

Aki

> On 20/02/2021 14:39 Antti Antinoja <reader at fennosys.fi> wrote:
> 
>  
> https://github.com/dovecot/core/blob/master/src/plugins/mail-crypt/test-mail-global-key.c <- This test code has an encrypted private key included.
> 
> After decoding this I learned that it looks different than the one we used.
> 
> Dovecot test code key:
> 
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAip6qJckQDOqwICCAAw
> HQYJYIZIAWUDBAEqBBAW7OhPTeSLR8LKpf0f6GkvBIGQfNkaJhvs6UeVKdd7cstS
> 1DR5rXMkN7OEmScM9cFY6P5k37gcUIPVnu4+91XeA5156rpiPJrpGdfzkr8O5Qjd
> l1drrdzgHjdq8OefmDu0A324YwnRKxFDLTr9G2LU2HhbezkLcWQp1RHH6l5tQqKp
> 6bwNb2w79xBoMXJ3z1VjpINfOpFrz3ynqYjQxly2+B86
> -----END ENCRYPTED PRIVATE KEY-----
> 
> Our key:
> 
> -----BEGIN EC PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-256-CTR,F7C4B1E7041D0A455B1F9E08046DA401
> 
> Pta8OAtA3ujv0vSMctiHiTd2j0GSSdzV57QGmUwCMMQp7QoqBHt/dDMEPbPF5lG1
> j0PDu5/FVuTtUlRZS16+NSWiorgkvVHTh3+47tx/uviQwQP/43tEaFpf77SAZlDw
> xB2SjM4Zv1hdSpjxWDGGJFBDv/2/dj9UpTxwkAwuX+QQhRlVzSyr0BAXG9yOq/GT
> ws8Q5GevzvHGh1YyPgpL9jtbizGIa4US0f7hEfGGHfJ/3RIdz0xeihv8Ga0huj48
> dS/QScE7Bv+Ymzzcg2dlvY96G5xRIOwB8ADwR/lwbw==
> -----END EC PRIVATE KEY-----
> 
> Compared these two keys to the examples at:
> 
> * https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations
> 
> ... and learned that mine was in encrypted 'EC specific' format whereas the test key was in encrypted 'PKCS8' format.
> 
> The solution was to convert our private key to pkcs8 format:
> 
>     cat private_key_encrypted.pem  | base64 -d | \
>     openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 | \
>     base64 -w0 > private_key_encrypted_pkcs8.pem
> 
> Do you think these parameters are safe?
> 
> Cheers,
> Antti
> 
> On Sat, 20 Feb 2021 12:38:00 +0200
> Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> 
> > Can you tell us what you did differently?
> > 
> > Aki
> > 
> > On 20 February 2021 11.33.15 EET, Antti Antinoja <reader at fennosys.fi> wrote:
> > >Got it! My private test key was in wrong format.
> > >
> > >Cheers,
> > >Antti
> > >
> > >On Sat, 20 Feb 2021 14:15:07 +0800
> > >Antti Antinoja <reader at fennosys.fi> wrote:
> > >
> > >> Version: Dovecot 2.3.13 (89f716dc2)
> > >> 
> > >> Issue: Dovecot states it can't parse the private key
> > >> 
> > >> = Background =
> > >> 
> > >> == Creating private EC key ==
> > >> 
> > >> * Curve: secp521r1
> > >> * Encryption: aes-256-ctr
> > >> * Format: pkey
> > >> * Encapsulation: Base64
> > >> 
> > >>   # openssl ecparam -name secp521r1 -genkey | openssl pkey |\
> > >>     openssl ec -aes-256-ctr | base64 -w0 > test_keys_remove/private_key_encrypted.pem
> > >> 
> > >> == Extract public key ==
> > >> 
> > >>   # cat test_keys_remove/private_key_encrypted.pem | base64 -d |\
> > >>     openssl ec -pubout | base64 -w0 > test_keys_remove/public_key.pem
> > >> 
> > >> == Checking keys ==
> > >> 
> > >> * 592 Feb 20 07:27 private_key_encrypted.pem:
> > >> 
> > >> LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
> > >> 
> > >> * 360 Feb 20 07:28 public_key.pem:
> > >> 
> > >> LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
> > >> 
> > >> == Notes ==
> > >> 
> > >> * The keys are then saved in database and fetched to userdb by Dovecot via passdb lookup (Details in the logs)
> > >> * mail-crypt settings:
> > >> 
> > >>     mail_plugins = $mail_plugins mail_crypt
> > >>     plugin {
> > >>         mail_crypt_curve = secp521r1
> > >>         mail_crypt_save_version = 0
> > >>     }
> > >> 
> > >> * Note: User record on database has mail_crypt_save_version = 2 as can be seen from the log extract below.
> > >> 
> > >> = Dovecot log on client IMAP message retrieval =
> > >> 
> > >> Feb 20 07:45:01 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing passdb lookup
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished passdb lookup
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: auth(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Auth request finished
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: client passdb out: OK  1       user=test1 at g1.fi        
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing userdb lookup
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished userdb lookup
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: master userdb out: USER        1609957377      test1 at g1.fi    
> > >> mail_crypt_global_private_password=key_pass_we_know_this_is_correct
> > >> mail_crypt_global_private_key=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
> > >> mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
> > >> mail_crypt_save_version=2       quota_rule=*:bytes=0   
> > >> home=/var/vmail/g1.fi/test1     uid=10000       gid=10000      
> > >> auth_mech=PLAIN auth_token=66d2d0f66bcce2758235fb53dbfe821804c6e79c
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: imap-login: Login: user=<test1 at g1.fi>, method=PLAIN, rip=x.x.x.x, lip=y.y,y,y, mpid=19618, TLS, session=<wFzVEb67CMQKZgkb>
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting:
> > >> plugin/mail_crypt_global_private_key=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/mail_crypt_global_private_password=<hidden>
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting:
> > >> plugin/mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/=2
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/quota_rule=*:bytes=0
> > >> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Error: mail_crypt_plugin: mail_crypt_global_private_key: Couldn't parse private key: Unknown/invalid PEM key type
> > >> 
> > >> == Question ==
> > >> 
> > >> Any idea why Dovecot can't parse the private key?
> > >> 
> > >> I tested this with several keys. Even with some without encryption -> Always same error.
> > >> 
> > >> According to the debug messages the private key is correctly loaded (and indeed matches the one created on command line).
> > >> 
> > >> Thank you for your time.
> > >> 
> > >> Cheers,
> > >> Antti
> > >> 
> > >> -- 
> > >> Antti Antinoja <reader at fennosys.fi>
> > >
> > >
> > >-- 
> > >Antti Antinoja <reader at fennosys.fi>
> > 
> > -- 
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
> 
> -- 
> Antti Antinoja <reader at fennosys.fi>
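Added example (not code from this thread, from Dovecot or from OpenSSL): a small standard-library Python checker that does what Antti did by eye. It takes the base64-wrapped PEM exactly as Dovecot receives it from the userdb, reads the PEM label, and separates the legacy OpenSSL "EC PRIVATE KEY" block with Proc-Type/DEK-Info headers (the form the thread found mail-crypt rejects) from a PKCS#8 "ENCRYPTED PRIVATE KEY" block (the form that worked). For a PKCS#8 key it walks the EncryptedPrivateKeyInfo DER just far enough to report the PBES2 parameters: KDF, salt length, iteration count, PRF and cipher, which is the information you need to answer the "are these parameters safe" question rather than trusting the header line. The sample inputs are the two test keys quoted in the thread; the function and dictionary field names are my own, as is the small DER walker.

```python
import base64
import re

# Standard OIDs (RFC 8018 / NIST) this checker can name; anything else is shown dotted.
OID_NAMES = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.7": "hmacWithSHA1",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}
# Sample inputs copied from the thread: Dovecot's test-mail-global-key.c key and the
# legacy-format key that mail-crypt rejected. Both are throwaway test keys.
DOVECOT_TEST_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAip6qJckQDOqwICCAAw
HQYJYIZIAWUDBAEqBBAW7OhPTeSLR8LKpf0f6GkvBIGQfNkaJhvs6UeVKdd7cstS
1DR5rXMkN7OEmScM9cFY6P5k37gcUIPVnu4+91XeA5156rpiPJrpGdfzkr8O5Qjd
l1drrdzgHjdq8OefmDu0A324YwnRKxFDLTr9G2LU2HhbezkLcWQp1RHH6l5tQqKp
6bwNb2w79xBoMXJ3z1VjpINfOpFrz3ynqYjQxly2+B86
-----END ENCRYPTED PRIVATE KEY-----
"""
LEGACY_EC_KEY = """-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CTR,F7C4B1E7041D0A455B1F9E08046DA401

Pta8OAtA3ujv0vSMctiHiTd2j0GSSdzV57QGmUwCMMQp7QoqBHt/dDMEPbPF5lG1
j0PDu5/FVuTtUlRZS16+NSWiorgkvVHTh3+47tx/uviQwQP/43tEaFpf77SAZlDw
xB2SjM4Zv1hdSpjxWDGGJFBDv/2/dj9UpTxwkAwuX+QQhRlVzSyr0BAXG9yOq/GT
ws8Q5GevzvHGh1YyPgpL9jtbizGIa4US0f7hEfGGHfJ/3RIdz0xeihv8Ga0huj48
dS/QScE7Bv+Ymzzcg2dlvY96G5xRIOwB8ADwR/lwbw==
-----END EC PRIVATE KEY-----
"""
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def parse_pem(text):
    """Return (label, rfc1421_headers, der_bytes) for the first PEM block in text."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    label, lines, headers = m.group(1), m.group(2).strip().splitlines(), {}
    while lines and ":" in lines[0]:      # legacy OpenSSL Proc-Type / DEK-Info headers
        key, value = lines.pop(0).split(":", 1)
        headers[key.strip()] = value.strip()
    return label, headers, base64.b64decode("".join(line.strip() for line in lines))

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0                       # split SEQUENCE content into (tag, content) pairs
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out

def der_oid(content):
    arcs, n = [content[0] // 40, content[0] % 40], 0   # OBJECT IDENTIFIER to dotted form
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def describe_pkcs8_encryption(der):
    """Walk EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    alg, _encrypted = der_children(der_read(der, 0)[1])
    (_, scheme_oid), (_, params) = der_children(alg[1])
    info = {"scheme": der_oid(scheme_oid)}
    if info["scheme"] != "PBES2":          # PBES1 / PKCS#12 PBE: legacy, parameters not decoded
        return info
    (_, kdf), (_, cipher) = der_children(params)
    (_, kdf_oid), (_, kdf_params) = der_children(kdf)
    fields = der_children(kdf_params)      # PBKDF2-params: salt, iterationCount, [keyLength], [prf]
    info.update(kdf=der_oid(kdf_oid), salt_bytes=len(fields[0][1]),
                iterations=int.from_bytes(fields[1][1], "big"), prf="hmacWithSHA1")
    for tag, value in fields[2:]:          # prf is a SEQUENCE (0x30); keyLength an INTEGER
        if tag == 0x30:
            info["prf"] = der_oid(der_children(value)[0][1])
    info["cipher"] = der_oid(der_children(cipher)[0][1])
    return info

def check_mail_crypt_key(pem_text):
    """Classify by PEM label: the thread found mail-crypt parses PKCS#8, rejects legacy 'EC PRIVATE KEY'."""
    label, headers, der = parse_pem(pem_text)
    if label == "ENCRYPTED PRIVATE KEY":
        return {"format": "PKCS#8 encrypted", "pkcs8": True, **describe_pkcs8_encryption(der)}
    if label == "PRIVATE KEY":
        return {"format": "PKCS#8 unencrypted", "pkcs8": True}
    if label in ("EC PRIVATE KEY", "RSA PRIVATE KEY"):
        return {"format": "legacy OpenSSL " + label, "pkcs8": False,
                "encryption": headers.get("DEK-Info", "none")}
    return {"format": label, "pkcs8": False}

def to_userdb_value(pem_text):
    return base64.b64encode(pem_text.encode()).decode()   # the thread's `base64 -w0` wrapping

def check_userdb_value(value):
    return check_mail_crypt_key(base64.b64decode(value).decode())   # as Dovecot receives it
```

Run on the Dovecot test key this reports PBES2 with PBKDF2, an 8-byte salt, 2048 iterations, no explicit prf field (so hmacWithSHA1 by RFC 8018 default) and aes256-CBC; on the legacy key it reports the rejected format and the DEK-Info cipher line. The PRF default is why decoding the parameters is worth the effort: `-v2prf hmacWithSHA256`, as in Antti's conversion command, is only visible inside the DER, and `openssl pkcs8 -iter N` raises the count above the 2048 default.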


More information about the dovecot mailing list