DKIM failures for gitlab mail

[Viktor Dukhovni]

On Mon, Jan 23, 2023 at 03:41:21PM +0100, Joachim Breitner wrote:
> Hi Ben,
> 
> gentle reminder about this issue? I’m worried I (and maybe others) are
> going to miss gitlab notifications.

A recent gitlab notice has:

    Received: by gitlab.haskell.org (Postfix, from userid 165)
            id AF9E627CA9; Mon, 16 Jan 2023 20:50:59 -0500 (EST)
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gitlab.haskell.org;
            s=mail; t=1673920259;
            bh=bezCH96kI1N9pklJv6GEpVDADij1+8Q/zwCT65Djz/4=;
            h=Date:From:Reply-To:To:Subject:List-Id;
            b=L7ikqNV+Hn0OZzM9AH+rLIvP5P9COe8/zuP7bmSsMJ50kFJ2a7gJy4cbxoX83bNqU
            oBQV78j6nIFV/SRgbaF9vQciNBzWu1GNACMGaqVMVjTBki93xw/hvMv8JDIhAdAYaV
            da96BBtxrTDoDUtFBtYlb5n361TqIDHXHkCqE5Dc=

The DKIM data in DNS is:

    $ dig +short +nosplit -t txt mail._domainkey.gitlab.haskell.org
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiTJ9J8+wWWFRzHjjr5CCbOx33rZaDH2PQsQtTLwOPVZDTSjz8pwUuyQ4s+Xxq6f6UEEAIo/8ZHySJqXG6HN3b6/Gq2SwnE2xLk307gcWzZgyF/9UM5SpcJ46VxYPu2spBQSWhDnRbp849ZouuY/orKT/HMb/9xow25KwWbAyh8wIDAQAB"

Putting it together:

    $ echo MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiTJ9J8+wWWFRzHjjr5CCbOx33rZaDH2PQsQtTLwOPVZDTSjz8pwUuyQ4s+Xxq6f6UEEAIo/8ZHySJqXG6HN3b6/Gq2SwnE2xLk307gcWzZgyF/9UM5SpcJ46VxYPu2spBQSWhDnRbp849ZouuY/orKT/HMb/9xow25KwWbAyh8wIDAQAB |
	openssl base64 -A -d |
	openssl pkey -pubin -inform DER -out /tmp/pkey.pem

    $ openssl base64 -d <<-\EOF > /tmp/sig.dat
	L7ikqNV+Hn0OZzM9AH+rLIvP5P9COe8/zuP7bmSsMJ50kFJ2a7gJy4cbxoX83bNq
	UoBQV78j6nIFV/SRgbaF9vQciNBzWu1GNACMGaqVMVjTBki93xw/hvMv8JDIhAdA
	YaVda96BBtxrTDoDUtFBtYlb5n361TqIDHXHkCqE5Dc=
	EOF

    $ openssl pkeyutl -pubin -inkey /tmp/pkey.pem \
	-encrypt -pkeyopt rsa_padding_mode:none \
	-in /tmp/sig.dat -hexdump

    0000 - 52 90 e5 01 80 fa 77 53-b3 19 97 16 33 70 1e 29   R.....wS....3p.)
    0010 - 7e 7b cf 5c a4 51 b2 eb-7c fa 88 dc ce 92 b2 ac   ~{.\.Q..|.......
    0020 - 4f 86 d4 f1 32 83 55 0a-0b c0 49 92 a3 4a 54 47   O...2.U...I..JTG
    0030 - dc 6b 5d bd 2c 1e 5d 85-cf f4 4f c8 3c c5 3f bd   .k].,.]...O.<.?.
    0040 - 9d 56 29 a2 b5 dc 94 13-50 c3 28 23 0c a0 64 0b   .V).....P.(#..d.
    0050 - 0e 99 96 4a 0f b4 36 1a-3a d6 ff 6f 50 00 1a 38   ...J..6.:..oP..8
    0060 - 09 34 75 a6 d5 29 da 80-7c c1 bd 77 c4 a3 01 32   .4u..)..|..w...2
    0070 - d1 16 b4 8f 6c 3d fd a4-25 8d 53 2b 64 9c d8 ed   ....l=..%.S+d...

We see that the RSA public key operation does not produce a valid PKCS#1
padded block, so most likely an outdated key is published in DNS, or the
wrong "selector" ("s=" value, currently "mail") was added to the DKIM
signature header (if the correct key is published under some other
selector).

-- 
    Viktor.