starred/dkim-exchange-Pro
1
0
Fork 0
mirror of https://github.com/Pro/dkim-exchange.git synced 2026-04-25 08:55:52 +03:00
Code Issues 4 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #120] Support private key files from OpenSSL #96

New issue
Closed
opened 2026-02-26 10:35:53 +03:00 by kerem · 13 comments
kerem commented 2026-02-26 10:35:53 +03:00
Owner
Copy link

Originally created by @matbech on GitHub (Jan 3, 2016).
Original GitHub issue: https://github.com/Pro/dkim-exchange/issues/120

Currently it seems that DKIM agent fails to read private key files (.pem) which contain line breaks at position 65. When creating private keys with openssl, it creates .pem with line breaks at position 65:
openssl genrsa -out private.pem
I believe the DKIM signer should support .pem key files with line breaks.

Originally created by @matbech on GitHub (Jan 3, 2016). Original GitHub issue: https://github.com/Pro/dkim-exchange/issues/120 Currently it seems that DKIM agent fails to read private key files (.pem) which contain line breaks at position 65. When creating private keys with openssl, it creates .pem with line breaks at position 65: openssl genrsa -out private.pem I believe the DKIM signer should support .pem key files with line breaks.
kerem 2026-02-26 10:35:53 +03:00
  • closed this issue
  • added the
    gui
    agent
         labels
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@Pro commented on GitHub (Jan 3, 2016):

I tested with a key from openssl genrsa -out private.pem and it works for me now.

<!-- gh-comment-id:168499243 --> @Pro commented on GitHub (Jan 3, 2016): I tested with a key from `openssl genrsa -out private.pem` and it works for me now.
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@matbech commented on GitHub (Jan 3, 2016):

Thank you. I get the following error now with my key:

Couldn't load private key for domain abcd.com from C:\Program Files\Exchange DkimSigner\keys\abcd.com.pem: Unable to cast object of type 'Org.BouncyCastle.Crypto.Parameters.RsaPrivateCrtKeyParameters' to type 'Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair'.

I think the AsymmetricKeyParameters you used before was correct:
github.com/Pro/dkim-exchange@d8fa12dee2 (diff-80fbe89954)

<!-- gh-comment-id:168499799 --> @matbech commented on GitHub (Jan 3, 2016): Thank you. I get the following error now with my key: Couldn't load private key for domain abcd.com from C:\Program Files\Exchange DkimSigner\keys\abcd.com.pem: Unable to cast object of type 'Org.BouncyCastle.Crypto.Parameters.RsaPrivateCrtKeyParameters' to type 'Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair'. I think the AsymmetricKeyParameters you used before was correct: https://github.com/Pro/dkim-exchange/commit/d8fa12dee2dc77636ba48ed6e035de803a9b1892#diff-80fbe899548913d9af44190d7c253f97L969
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@Pro commented on GitHub (Jan 3, 2016):

Unfortunately, the MimeKit DKIM signer expects the key to be of type AsymmetricCipherKeyPair thus I had it to change from AsymmetricKeyParameters.

If the key is of type AsymmetricKeyParameters it means that it is in the PKCS#8 format (and does only contain the private key, not the public key).

Which command did you use to generate your key? Because openssl genrsa -out private.pem generates a key pair.

<!-- gh-comment-id:168500102 --> @Pro commented on GitHub (Jan 3, 2016): Unfortunately, the MimeKit DKIM signer expects the key to be of type `AsymmetricCipherKeyPair` thus I had it to change from `AsymmetricKeyParameters`. If the key is of type `AsymmetricKeyParameters` it means that it is in the PKCS#8 format (and does only contain the private key, not the public key). Which command did you use to generate your key? Because `openssl genrsa -out private.pem` generates a key pair.
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@matbech commented on GitHub (Jan 3, 2016):

I have extracted the private key from PKCS12 .pfx using this command:
openssl pkcs12 -in abcd.com.pfx -nocerts -out abcd.com.pem -nodes

<!-- gh-comment-id:168500516 --> @matbech commented on GitHub (Jan 3, 2016): I have extracted the private key from PKCS12 .pfx using this command: openssl pkcs12 -in abcd.com.pfx -nocerts -out abcd.com.pem -nodes
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@Pro commented on GitHub (Jan 3, 2016):

What happens, if you take the PKCS12 abcd.com.pfx instead of the extracted key? Just to see what happens...

<!-- gh-comment-id:168500818 --> @Pro commented on GitHub (Jan 3, 2016): What happens, if you take the PKCS12 `abcd.com.pfx` instead of the extracted key? Just to see what happens...
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@matbech commented on GitHub (Jan 3, 2016):

I removed the password from the .pfx and verified the output. Then tried to select it in the configurator:
"The selected key is not a valid private key"

<!-- gh-comment-id:168501125 --> @matbech commented on GitHub (Jan 3, 2016): I removed the password from the .pfx and verified the output. Then tried to select it in the configurator: "The selected key is not a valid private key"
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@matbech commented on GitHub (Jan 3, 2016):

Maybe if you get a RSAPrivateCrtKeyParameters object you could build a AsymmetricCipherKeyPair as following:

RSAPrivateCrtKeyParameters rsaParameters;
var publicParameters = new RSAKeyParameters(rsaParameters.getModulus(), rsaParameters.getExponent());
var pair = new AsymmetricCipherKeyPair(rsaParameters, publicParameters);
// or new AsymmetricCipherKeyPair(rsaParameters, rsaParameters);?
<!-- gh-comment-id:168501784 --> @matbech commented on GitHub (Jan 3, 2016): Maybe if you get a RSAPrivateCrtKeyParameters object you could build a AsymmetricCipherKeyPair as following: ``` RSAPrivateCrtKeyParameters rsaParameters; var publicParameters = new RSAKeyParameters(rsaParameters.getModulus(), rsaParameters.getExponent()); var pair = new AsymmetricCipherKeyPair(rsaParameters, publicParameters); // or new AsymmetricCipherKeyPair(rsaParameters, rsaParameters);? ```
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@Pro commented on GitHub (Jan 3, 2016):

And another try. The configurator and signer now supports default RSA private keys and the ones exported from PKCS12 files.

@matbech please try the newly compiled .dll (and configurator) in https://github.com/Pro/dkim-exchange/tree/master/Src/Exchange.DkimSigner/bin

<!-- gh-comment-id:168517661 --> @Pro commented on GitHub (Jan 3, 2016): And another try. The configurator and signer now supports default RSA private keys and the ones exported from PKCS12 files. @matbech please try the newly compiled .dll (and configurator) in https://github.com/Pro/dkim-exchange/tree/master/Src/Exchange.DkimSigner/bin
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@matbech commented on GitHub (Jan 3, 2016):

The configurator is able to load the private key now. However I get this message from the agent:
"Could not initialize MimeKit DkimSigner for domain abcd.com: Private key not found."

Looking at the MimeKit source:

public DkimSigner(string fileName, string domain, string selector)
...
    using (FileStream stream = File.OpenRead(fileName))
    {
        using (StreamReader reader = new StreamReader(stream))
        {
            PemReader reader2 = new PemReader(reader);
            pair = reader2.ReadObject() as AsymmetricCipherKeyPair;
        }
    }
    if (pair == null)
    {
        throw new FormatException("Private key not found.");
    }

It tells me that you cannot use this constructor because it always expects a AsymmetricCipherKeyPair. Instead read the private key into an AsymmetricKeyParameter object, and use the DkimSigner ctor which takes the AsymmetricKeyParameter argument.

public DkimSigner(AsymmetricKeyParameter key, string domain, string selector)

Please also note the extra whitespace in front of the domain name in the error message. PR: https://github.com/Pro/dkim-exchange/pull/124

<!-- gh-comment-id:168518500 --> @matbech commented on GitHub (Jan 3, 2016): The configurator is able to load the private key now. However I get this message from the agent: "Could not initialize MimeKit DkimSigner for domain abcd.com: Private key not found." Looking at the MimeKit source: ``` public DkimSigner(string fileName, string domain, string selector) ... using (FileStream stream = File.OpenRead(fileName)) { using (StreamReader reader = new StreamReader(stream)) { PemReader reader2 = new PemReader(reader); pair = reader2.ReadObject() as AsymmetricCipherKeyPair; } } if (pair == null) { throw new FormatException("Private key not found."); } ``` It tells me that you cannot use this constructor because it always expects a AsymmetricCipherKeyPair. Instead read the private key into an AsymmetricKeyParameter object, and use the DkimSigner ctor which takes the AsymmetricKeyParameter argument. ``` public DkimSigner(AsymmetricKeyParameter key, string domain, string selector) ``` Please also note the extra whitespace in front of the domain name in the error message. PR: https://github.com/Pro/dkim-exchange/pull/124
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@matbech commented on GitHub (Jan 3, 2016):

In an earlier comment you mentioned that the DKIM signer requires a AsymmetricCipherKeyPair. However when I look at the documentation it says it expects a AsymmetricKeyParameter:
http://www.mimekit.net/docs/html/M_MimeKit_Cryptography_DkimSigner__ctor.htm

So I would rewrite the KeyHelper.ParseKeyPair
https://github.com/Pro/dkim-exchange/blob/master/Src/Exchange.DkimSigner/Helper/KeyHelper.cs#L19

 public static AsymmetricKeyParameter ParseKeyPair(string privateKeyFile)
        {
            object obj = ReadPem(privateKeyFile);
            if (obj == null)
                throw new FormatException("The key file has an invalid PEM format. " + privateKeyFile);

            if (obj is AsymmetricKeyParameter)
            {
                return obj as AsymmetricKeyParameter;
            }
            if (obj is AsymmetricCipherKeyPair)
            {
                var pair = obj as AsymmetricCipherKeyPair;
                return pair.Private;
            }

            throw new FormatException("The given key does not have the correct type. The keyfile must include the private and public key in PEM format. It is of type: " +
                                      obj.GetType());

        }

and something similar in the agent.

<!-- gh-comment-id:168521437 --> @matbech commented on GitHub (Jan 3, 2016): In an earlier comment you mentioned that the DKIM signer requires a AsymmetricCipherKeyPair. However when I look at the documentation it says it expects a AsymmetricKeyParameter: http://www.mimekit.net/docs/html/M_MimeKit_Cryptography_DkimSigner__ctor.htm So I would rewrite the KeyHelper.ParseKeyPair https://github.com/Pro/dkim-exchange/blob/master/Src/Exchange.DkimSigner/Helper/KeyHelper.cs#L19 ``` public static AsymmetricKeyParameter ParseKeyPair(string privateKeyFile) { object obj = ReadPem(privateKeyFile); if (obj == null) throw new FormatException("The key file has an invalid PEM format. " + privateKeyFile); if (obj is AsymmetricKeyParameter) { return obj as AsymmetricKeyParameter; } if (obj is AsymmetricCipherKeyPair) { var pair = obj as AsymmetricCipherKeyPair; return pair.Private; } throw new FormatException("The given key does not have the correct type. The keyfile must include the private and public key in PEM format. It is of type: " + obj.GetType()); } ``` and something similar in the agent.
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@matbech commented on GitHub (Jan 3, 2016):

MimeKit just merged a related patch I have submitted:
https://github.com/jstedfast/MimeKit/pull/216

It should simplify the required changes now.

<!-- gh-comment-id:168526909 --> @matbech commented on GitHub (Jan 3, 2016): MimeKit just merged a related patch I have submitted: https://github.com/jstedfast/MimeKit/pull/216 It should simplify the required changes now.
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@Pro commented on GitHub (Jan 3, 2016):

@matbech thanks again! Totally missed that constructor. Recompiled sources are in the repo. Lets see if this fixes it

<!-- gh-comment-id:168527163 --> @Pro commented on GitHub (Jan 3, 2016): @matbech thanks again! Totally missed that constructor. Recompiled sources are in the repo. Lets see if this fixes it
kerem commented 2026-02-26 10:35:54 +03:00
Author
Owner
Copy link

@matbech commented on GitHub (Jan 3, 2016):

Thank you. It is working now :-)

<!-- gh-comment-id:168527503 --> @matbech commented on GitHub (Jan 3, 2016): Thank you. It is working now :-)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/nuget/Src/Configuration.DkimSigner/MimeKit-4.7.1
Ed25519-SHA256
feature/dkim-verify
coverity_scan
v3.4.1.2
v3.4.2
v3.4.1.1
v3.4.1
v3.4.0
v3.3.4
v3.3.3
v3.3.2
v3.3.1
v3.2.9
v3.2.8
v3.2.7
3.2.6
v3.2.5
v3.2.4
v3.2.4-alpha
v3.2.3.1
v3.2.3
v3.2.2
v3.2.0
v3.1.0
v3.0.13
v3.0.12
v3.0.11
v3.0.10
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v3.0.0-beta.2
v3.0.0-beta
v2.1.8
v2.1.7
v2.1.6
v2.1.5
v2.1.5-beta.2
v2.1.5-beta
v2.1.4
v2.1.3
v.2.1.2
v2.1.1
v2.1.0
v2.0.3
v2.0.2
v2.0.1
v2.0.0-beta.4
v2.0.0-rc.1
v2.0.0-beta.3
v2.0.0-beta.2
v2.0.0-beta
v2.0.0-alpha.1
v2.0.0-alpha
v1.8.3
1.8.2
v1.8.1
v1.8.0
v1.7.0
v1.6.0
v1.5.2
Labels
Clear labels   
agent

   
agent

   
bug

   
bug

   
enhancement

   
gui

   
invalid

   
need-info

   
question

   
wontfix
No labels
agent
agent
bug
bug
enhancement
gui
invalid
need-info
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/dkim-exchange-Pro#96
No description provided.