The easier way to get to this same result:
~$ openssl ecparam -genkey -name secp521r1 | openssl pkey -aes-256-cbc -passout pass:foobar
Deciding whether these parameters are safe is your job, I personally think secp521r1 is reasonably safe.
Aki
On 20/02/2021 14:39 Antti Antinoja reader@fennosys.fi wrote:
https://github.com/dovecot/core/blob/master/src/plugins/mail-crypt/test-mail... <- This test code has an encrypted private key included.
After decoding this I learned that it looks different than the one we used.
Dovecot test code key:
-----BEGIN ENCRYPTED PRIVATE KEY----- MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAip6qJckQDOqwICCAAw HQYJYIZIAWUDBAEqBBAW7OhPTeSLR8LKpf0f6GkvBIGQfNkaJhvs6UeVKdd7cstS 1DR5rXMkN7OEmScM9cFY6P5k37gcUIPVnu4+91XeA5156rpiPJrpGdfzkr8O5Qjd l1drrdzgHjdq8OefmDu0A324YwnRKxFDLTr9G2LU2HhbezkLcWQp1RHH6l5tQqKp 6bwNb2w79xBoMXJ3z1VjpINfOpFrz3ynqYjQxly2+B86 -----END ENCRYPTED PRIVATE KEY-----
Our key:
-----BEGIN EC PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CTR,F7C4B1E7041D0A455B1F9E08046DA401
Pta8OAtA3ujv0vSMctiHiTd2j0GSSdzV57QGmUwCMMQp7QoqBHt/dDMEPbPF5lG1 j0PDu5/FVuTtUlRZS16+NSWiorgkvVHTh3+47tx/uviQwQP/43tEaFpf77SAZlDw xB2SjM4Zv1hdSpjxWDGGJFBDv/2/dj9UpTxwkAwuX+QQhRlVzSyr0BAXG9yOq/GT ws8Q5GevzvHGh1YyPgpL9jtbizGIa4US0f7hEfGGHfJ/3RIdz0xeihv8Ga0huj48 dS/QScE7Bv+Ymzzcg2dlvY96G5xRIOwB8ADwR/lwbw== -----END EC PRIVATE KEY-----
Compared these two keys to the examples at:
... and learned that mine was in encrypted 'EC specific' format whereas the test key was in encrypted 'PKCS8' format.
The solution was to convert our private key to pkcs8 format:
cat private_key_encrypted.pem | base64 -d | \ openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 | \ base64 -w0 > private_key_encrypted_pkcs8.pemDo you think these parameters are safe?
Cheers, Antti
On Sat, 20 Feb 2021 12:38:00 +0200 Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you tell us what you did differently?
Aki
On 20 February 2021 11.33.15 EET, Antti Antinoja reader@fennosys.fi wrote:
Got it! My private test key was in wrong format.
Cheers, Antti
On Sat, 20 Feb 2021 14:15:07 +0800 Antti Antinoja reader@fennosys.fi wrote:
Version: Dovecot 2.3.13 (89f716dc2)
Issue: Dovecot states it can't parse the private key
= Background =
== Creating private EC key ==
Curve: secp521r1
Encryption: aes-256-ctr
Format: pkey
Enacapsulation: Base64
# openssl ecparam -name secp521r1 -genkey | openssl pkey |
openssl ec -aes-256-ctr | base64 -w0 > test_keys_remove/private_key_encrypted.pem== Extract public key ==
# cat test_keys_remove/private_key_encrypted.pem | base64 -d |
openssl ec -pubout | base64 -w0 > test_keys_remove/public_key.pem== Checking keys ==
- 592 Feb 20 07:27 private_key_encrypted.pem:
LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
- 360 Feb 20 07:28 public_key.pem:
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
== Notes ==
- The keys are then saved in database and fetched to userdb by
Dovecot via passdb lookup (Details in the logs)
mail-crypt settings:
mail_plugins = $mail_plugins mail_crypt plugin { mail_crypt_curve = secp521r1 mail_crypt_save_version = 0 }
Note: User record on database has mail_crypt_save_version = 2 as can be seen from the log extract below.
= Dovecot log on client IMAP message retrieval =
Feb 20 07:45:01 pf1 dovecot[19612]: auth: Debug: sql(test1@g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing passdb lookup Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1@g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished passdb lookup Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: auth(test1@g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Auth request finished Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: client passdb out: OK 1 user=test1@g1.fi
Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1@g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing userdb lookup Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1@g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished userdb lookup Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: master userdb out: USER 1609957377 test1@g1.fi
mail_crypt_global_private_password=key_pass_we_know_this_is_correct mail_crypt_global_private_key=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SEx UTFeb 20 07:45:02 pf1 dovecot[19612]: imap-login: Login: user=test1@g1.fi, method=PLAIN, rip=x.x.x.x, lip=y.y,y,y, mpid=19618, TLS, session=<wFzVEb67CMQKZgkb> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1@g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting:
Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1@g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/mail_crypt_global_private_password=<hidden> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1@g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting:
WFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== mail_crypt_save_version=2 quota_rule=*:bytes=0
home=/var/vmail/g1.fi/test1 uid=10000 gid=10000
auth_mech=PLAIN auth_token=66d2d0f66bcce2758235fb53dbfe821804c6e79c plugin/mail_crypt_global_private_key=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K plugin/mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1@g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/=2 Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1@g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/quota_rule=*:bytes=0 Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1@g1.fi)<19618><wFzVEb67CMQKZgkb>: Error: mail_crypt_plugin: mail_crypt_global_private_key: Couldn't parse private key: Unknown/invalid PEM key type
== Question ==
Any idea why Dovecot can't parse the private key?
I tested this with several keys. Even with some without encryption -> Always same error.
According to the debug messages the private key is correctly loaded (and indeed matches the one created on command line).
Thank you for your time.
Cheers, Antti
-- Antti Antinoja reader@fennosys.fi
-- Antti Antinoja reader@fennosys.fi
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
-- Antti Antinoja reader@fennosys.fi