On Wed, Oct 13, 2021 at 9:44 PM Vsevolod Stakhov via mailop <
mailop@mailop.org> wrote:

> On 13/10/2021 13:35, Odhiambo Washington via mailop wrote:
> >
> >
> > On Tue, Oct 12, 2021 at 10:16 PM Slavko via mailop <mailop@mailop.org> wrote:
> >
> >     Hi,
> >
> >     On Tue, 12 Oct 2021 19:52:38 +0100 Vsevolod Stakhov via mailop
> >     <mailop@mailop.org> wrote:
> >
> >     > You can do it with Rspamd as well:
> >     >
> >     > > rspamadm dkim_keygen -d example.com -s dkim -t ed25519
> >     >
> >     > vYJfhPrDPls0CBf4Y5H1usrJu6OxDaYubEAldoyza9X4PwjpomnSnMJyf0tNLfDj5KvVAVGMI+DF3sPSDj3USA==
> >     > dkim._domainkey IN TXT ( "v=DKIM1; k=ed25519; "
> >     >       "p=+D8I6aJp0pzCcn9LTS3w4+Sr1QFRjCPgxd7D0g491Eg=" ) ;
> >
> >     And is it usable in Exim? (I cannot test it right now)
> >     AFAIK it expects:
> >
> >     -----BEGIN PRIVATE KEY-----
> >     key-base64
> >     -----END PRIVATE KEY-----
> >
> >     regards
> >
> >     --
> >     Slavko
> >     http://slavino.sk
> >
> >
> > I am also curious.
> >
> > Is the 1st line the private key in this case?
> >
>
> Yes, it is the *expanded* ed25519 private key encoded with base64.
>
> The problem with ed25519 keys is that they exist in two formats:
> expanded and compact. Naturally, the private key is a random big integer
> of size 32 bytes (256 bits with some bits unused/predefined). However, it
> is required to have *both* private and public keys for signing. The public
> key can be derived from a private one, but it requires quite an
> expensive scalarmult operation on curve25519. Hence, it is usually
> convenient to encode the secret key as a concatenation of both private and
> public keys: like sk || pk.
>
> Rspamd and many other crypto libraries (actually, Rspamd uses libsodium
> under the hood) use expanded private keys that are 64 bytes in size -
> 32 for the private part and 32 for the public part. But I'm aware that there
> is software that uses truncated 32-byte keys as private keys for ed25519
> (presumably expanding them on load). Unfortunately, I don't know what
> type of secret key is expected in Exim (well, and I don't understand why
> use DKIM signing in Exim whilst it works just perfectly within Rspamd).
>

In Exim, maybe I do not want to DKIM-sign some domain's emails while I want
to sign others.
I think this is also possible in rspamd, but I have never checked since I
was already signing within Exim when I switched from
spamassassin to rspamd.
Let me go and look at how this is done in rspamd. But I'd love to see an
example of how this is done.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' :-)
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
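
An added example, not part of the thread and not code from Rspamd or Exim: it splits the 64-byte key quoted above into its private and public halves, checks the public half against the `p=` value of the DNS record, and wraps the private half in the RFC 8410 PKCS#8 "PRIVATE KEY" PEM envelope Slavko describes. It assumes the first 32 bytes are the Ed25519 seed (libsodium's layout); the function names are illustrative, and whether Exim accepts the result is not confirmed in the thread.

```python
import base64
import textwrap

# Values quoted in the thread above (output of `rspamadm dkim_keygen -t ed25519`).
RSPAMD_KEY_B64 = "vYJfhPrDPls0CBf4Y5H1usrJu6OxDaYubEAldoyza9X4PwjpomnSnMJyf0tNLfDj5KvVAVGMI+DF3sPSDj3USA=="
DNS_P_VALUE = "+D8I6aJp0pzCcn9LTS3w4+Sr1QFRjCPgxd7D0g491Eg="

# RFC 8410 PKCS#8 header for Ed25519: PrivateKeyInfo{version 0, OID 1.3.101.112,
# OCTET STRING{OCTET STRING(32)}}. The 32-byte private part follows it.
PKCS8_ED25519_PREFIX = bytes.fromhex("302e020100300506032b657004220420")


def split_expanded_key(key_b64: str) -> tuple[bytes, bytes]:
    """Split a 64-byte sk || pk key into (private part, public part)."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 64:
        raise ValueError(f"expected 64 bytes (sk || pk), got {len(raw)}")
    return raw[:32], raw[32:]


def public_half_matches_dns(key_b64: str, p_value: str) -> bool:
    """Check that the trailing 32 bytes equal the p= tag of the DKIM record."""
    _, pk = split_expanded_key(key_b64)
    return pk == base64.b64decode(p_value, validate=True)


def to_pkcs8_pem(key_b64: str) -> str:
    """Wrap the 32-byte private part in a PKCS#8 'PRIVATE KEY' PEM block.

    Assumption: the first 32 bytes are the Ed25519 seed, as in libsodium's
    secret-key layout.
    """
    sk, _ = split_expanded_key(key_b64)
    body = base64.b64encode(PKCS8_ED25519_PREFIX + sk).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return "\n".join(["-----BEGIN PRIVATE KEY-----", *lines,
                      "-----END PRIVATE KEY-----"]) + "\n"


if __name__ == "__main__":
    print("public half matches DNS p=:",
          public_half_matches_dns(RSPAMD_KEY_B64, DNS_P_VALUE))
    print(to_pkcs8_pem(RSPAMD_KEY_B64), end="")
```

The key in the thread was posted publicly as a demonstration; run the conversion on a real key only where the private key file is already allowed to live.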