Antti Antinoja
2021-Feb-20 09:33 UTC
mail_crypt_global_private_key: Couldn't parse private key: Unknown/invalid PEM key type
Got it! My private test key was in wrong format.

Cheers,
Antti

On Sat, 20 Feb 2021 14:15:07 +0800 Antti Antinoja <reader at fennosys.fi> wrote:

> Version: Dovecot 2.3.13 (89f716dc2)
>
> Issue: Dovecot states it can't parse the private key
>
> = Background
>
> == Creating private EC key ==
>
> * Curve: secp521r1
> * Encryption: aes-256-ctr
> * Format: pkey
> * Encapsulation: Base64
>
> # openssl ecparam -name secp521r1 -genkey | openssl pkey |\
> openssl ec -aes-256-ctr | base64 -w0 > test_keys_remove/private_key_encrypted.pem
>
> == Extract public key ==
>
> # cat test_keys_remove/private_key_encrypted.pem | base64 -d |\
> openssl ec -pubout | base64 -w0 > test_keys_remove/public_key.pem
>
> == Checking keys ==
>
> * 592 Feb 20 07:27 private_key_encrypted.pem:
>
> * 360 Feb 20 07:28 public_key.pem:
> LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
>
> == Notes ==
>
> * The keys are then saved in database and fetched to userdb by Dovecot via passdb lookup (Details in the logs)
> * mail-crypt settings:
>
> mail_plugins = $mail_plugins mail_crypt
> plugin {
>   mail_crypt_curve = secp521r1
>   mail_crypt_save_version = 0
> }
>
> * Note: User record on database has mail_crypt_save_version = 2 as can be seen from the log extract below.
>
> = Dovecot log on client IMAP message retrieval
>
> Feb 20 07:45:01 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing passdb lookup
> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished passdb lookup
> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: auth(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Auth request finished
> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: client passdb out: OK 1 user=test1 at g1.fi
> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing userdb lookup
> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished userdb lookup
> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: master userdb out: USER 1609957377 test1 at g1.fi mail_crypt_global_private_password=key_pass_we_know_this_is_correct mail_crypt_global_private_key=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== mail_crypt_save_version=2 quota_rule=*:bytes=0 home=/var/vmail/g1.fi/test1 uid=10000 gid=10000 auth_mech=PLAIN auth_token=66d2d0f66bcce2758235fb53dbfe821804c6e79c
> Feb 20 07:45:02 pf1 dovecot[19612]: imap-login: Login: user=<test1 at g1.fi>, method=PLAIN, rip=x.x.x.x, lip=y.y,y,y, mpid=19618, TLS, session=<wFzVEb67CMQKZgkb>
> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/mail_crypt_global_private_key=
> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/mail_crypt_global_private_password=<hidden>
> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/=2
> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb setting: plugin/quota_rule=*:bytes=0
> Feb 20 07:45:02 pf1 dovecot[19612]: imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Error: mail_crypt_plugin: mail_crypt_global_private_key: Couldn't parse private key: Unknown/invalid PEM key type
>
> == Question ==
>
> Any idea why Dovecot can't parse the private key?
>
> I tested this with several keys. Even with some without encryption -> Always same error.
>
> According to the debug messages the private key is correctly loaded (and indeed matches the one created on command line).
>
> Thank you for your time.
>
> Cheers,
> Antti
>
> --
> Antti Antinoja <reader at fennosys.fi>

--
Antti Antinoja <reader at fennosys.fi>
Aki Tuomi
2021-Feb-20 10:38 UTC
mail_crypt_global_private_key: Couldn't parse private key: Unknown/invalid PEM key type
Can you tell us what you did differently?

Aki

On 20 February 2021 11.33.15 EET, Antti Antinoja <reader at fennosys.fi> wrote:
> Got it! My private test key was in wrong format.
>
> Cheers,
> Antti
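
A format check for a base64-wrapped key like the userdb values in this thread, as an added example that is not from either poster or from the Dovecot project. It decodes the value and reports the PEM label and any traditional encryption header; the accepted-label list is an assumption suggested by the error message, the function names are hypothetical, and the sample keys are constructed placeholders.

```sh
#!/bin/sh
# Added example. Sample inputs are constructed placeholders, not real keys.
# ASSUMPTION: only these PKCS#8/SPKI-style PEM labels are accepted by mail_crypt.
ACCEPTED_LABELS='PRIVATE KEY|ENCRYPTED PRIVATE KEY|PUBLIC KEY'

# Print the label of the first "-----BEGIN <label>-----" line in a base64 value.
pem_label() {
    printf '%s' "$1" | base64 -d 2>/dev/null |
        sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1
}

# Succeed if the PEM uses traditional (Proc-Type/DEK-Info) encryption headers.
uses_legacy_encryption() {
    printf '%s' "$1" | base64 -d 2>/dev/null | grep -q '^Proc-Type: 4,ENCRYPTED'
}

# Print a verdict. Returns 0 = accepted label, 1 = other PEM type, 2 = not PEM.
check_key() {
    label=$(pem_label "$1")
    [ -n "$label" ] || { echo "not-pem"; return 2; }
    if printf '%s\n' "$label" | grep -Eqx "$ACCEPTED_LABELS"; then
        echo "ok: $label"; return 0
    fi
    if uses_legacy_encryption "$1"; then
        echo "unsupported: $label, legacy PEM encryption"
    else
        echo "unsupported: $label"
    fi
    # `openssl ec` writes the traditional "EC PRIVATE KEY" form, while
    # `openssl pkey` writes PKCS#8 ("PRIVATE KEY") by default.
    return 1
}

# Build a constructed base64-wrapped PEM: LABEL, optional header line, dummy body.
make_sample() {
    { printf '%s\n' "-----BEGIN $1-----"
      if [ -n "${2:-}" ]; then printf '%s\n\n' "$2"; fi
      printf '%s\n' 'QUJDREVGR0g=' "-----END $1-----"; } | base64 -w0
}

check_key "$(make_sample 'EC PRIVATE KEY' 'Proc-Type: 4,ENCRYPTED')" || true
check_key "$(make_sample 'ENCRYPTED PRIVATE KEY')" || true
check_key "$(make_sample 'PUBLIC KEY')" || true
```

Running `check_key` on a value before it goes into the database catches a label mismatch without enabling auth debug logging, which prints the key and its password.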