Problem with new public Key

Hello,
We changed our PGP key a while ago. Some partners now send us mails the gateway cannot decrypt.
We created a new key with ed25519 and imported this key into the gateway. When I test sending a mail with this key, I can send it via Thunderbird from a private address to the mailbox behind the gateway. But our partner sees on his gateway that the message was encrypted, yet the CipherMail gateway did not decrypt the message. I just receive an .asc file.
So to verify, we also created an RSA 4096 key, also with no success.
When the partner changed back to 2048, everything is fine.
Is it possible to modify the log settings so I can see which header the CipherMail gateway is looking for, or is there some other way to check where the problem is located?

Regards
Robert

To make sure I understand the issue: you can send an email encrypted with ed25519 from your Thunderbird to the gateway and this email is then decrypted, but not when your partner sends the email?

Correct. The email from Thunderbird is working.
The partner gateway is “Julia Mailoffice” and their log says it was encrypted correctly. I can decrypt the received .asc file locally via gpg, so the key is the correct one.

Maybe some useful headers from two different senders where the message isn’t decrypted when it comes with ed25519:

Content-Type: multipart/encrypted; boundary=--mime6428d0b64adc0a4ee6cd2e1cd7b42916; protocol="application/pgp-encrypted"

----mime6428d0b64adc0a4ee6cd2e1cd7b42916
Content-Type: application/pgp-encrypted

Version: 1.0

----mime6428d0b64adc0a4ee6cd2e1cd7b42916
Content-Type: application/octet-stream; name=encrypted.asc

and the other

Content-Type: multipart/encrypted;
boundary=NoSpamProxy_efaed941-2aae-4e6b-a260-2c1430f86bf6; 
protocol="application/pgp-encrypted"
Content-Language: de-DE

This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)

--NoSpamProxy_efaed941-2aae-4e6b-a260-2c1430f86bf6
Content-Type: application/pgp-encrypted;
Content-Disposition: inline;

Version: 1
--NoSpamProxy_efaed941-2aae-4e6b-a260-2c1430f86bf6
Content-Type: application/octet-stream; charset=us-ascii; name=encrypted.asc
Content-Disposition: attachment; filename=encrypted.asc

Do you see any error message in the MPA log? Or some warning?

I found an error, but this is strange. From the partner I get this error:

03 Apr 2025 11:00:45 | ERROR Unhandled RuntimeException. (mitm.application.djigzo.james.mailets.PGPHandler) [Spool Thread #0]
java.lang.IllegalArgumentException: Invalid Curve25519 public key
at org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyDataDecryptorFactoryBuilder.decryptSessionData(Unknown Source) ~[bcpg.jar:1.71.00.0]
at org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyDataDecryptorFactoryBuilder.access$400(Unknown Source) ~[bcpg.jar:1.71.00.0]
at org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyDataDecryptorFactoryBuilder$2.recoverSessionData(Unknown Source) ~[bcpg.jar:1.71.00.0]
at org.bouncycastle.openpgp.PGPPublicKeyEncryptedData.getSessionKey(Unknown Source) ~[bcpg.jar:1.71.00.0]
at org.bouncycastle.openpgp.PGPPublicKeyEncryptedData.getDataStream(Unknown Source) ~[bcpg.jar:1.71.00.0]
at mitm.common.security.openpgp.PGPHandler.handleEncryptedDataList(PGPHandler.java:272) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPHandler.handle(PGPHandler.java:180) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPHandler.handle(PGPHandler.java:141) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPMIMEHandler.handlePGPMIMEEncrypted(PGPMIMEHandler.java:706) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPMIMEHandler.handleMessage(PGPMIMEHandler.java:270) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPRecursiveValidatingMIMEHandler.handleMessage(PGPRecursiveValidatingMIMEHandler.java:1125) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPRecursiveValidatingMIMEHandler.handleMessage(PGPRecursiveValidatingMIMEHandler.java:1102) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.application.djigzo.james.mailets.PGPHandler.serviceMailTransacted(PGPHandler.java:498) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.application.djigzo.james.mailets.AbstractTransactedMailet$1.doAction(AbstractTransactedMailet.java:137) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.hibernate.DatabaseActionExecutorImpl$1.doAction(DatabaseActionExecutorImpl.java:164) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.hibernate.DatabaseActionExecutorImpl.executeTransaction(DatabaseActionExecutorImpl.java:81) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.hibernate.DatabaseActionExecutorImpl.executeTransaction(DatabaseActionExecutorImpl.java:158) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.application.djigzo.james.mailets.AbstractTransactedMailet.serviceMail(AbstractTransactedMailet.java:122) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.application.djigzo.james.mailets.AbstractDjigzoMailet.service(AbstractDjigzoMailet.java:281) [ciphermail-core.jar:5.5.3.0g99d2faca]
at org.apache.james.transport.LinearProcessor.service(LinearProcessor.java:424) [james-2.3.1.jar:?]
at org.apache.james.transport.JamesSpoolManager.process(JamesSpoolManager.java:405) [james-2.3.1.jar:?]
at org.apache.james.transport.JamesSpoolManager.run(JamesSpoolManager.java:309) [james-2.3.1.jar:?]
at java.lang.Thread.run(Thread.java:750) [?:1.8.0_372]

The same key from Thunderbird just shows:

INFO Message has been PGP decrypted;

and here is the log entry from the other partner, a bit different:

02 Apr 2025 15:35:56 | ERROR Database error servicing email. (mitm.application.djigzo.james.mailets.PGPHandler) [Spool Thread #3]
mitm.common.hibernate.DatabaseException: javax.mail.MessagingException: Error handling message;
nested exception is:
java.io.IOException: unknown packet type encountered: 20
at mitm.application.djigzo.james.mailets.AbstractTransactedMailet$1.doAction(AbstractTransactedMailet.java:140) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.hibernate.DatabaseActionExecutorImpl$1.doAction(DatabaseActionExecutorImpl.java:164) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.hibernate.DatabaseActionExecutorImpl.executeTransaction(DatabaseActionExecutorImpl.java:81) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.hibernate.DatabaseActionExecutorImpl.executeTransaction(DatabaseActionExecutorImpl.java:158) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.application.djigzo.james.mailets.AbstractTransactedMailet.serviceMail(AbstractTransactedMailet.java:122) [ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.application.djigzo.james.mailets.AbstractDjigzoMailet.service(AbstractDjigzoMailet.java:281) [ciphermail-core.jar:5.5.3.0g99d2faca]
at org.apache.james.transport.LinearProcessor.service(LinearProcessor.java:424) [james-2.3.1.jar:?]
at org.apache.james.transport.JamesSpoolManager.process(JamesSpoolManager.java:405) [james-2.3.1.jar:?]
at org.apache.james.transport.JamesSpoolManager.run(JamesSpoolManager.java:309) [james-2.3.1.jar:?]
at java.lang.Thread.run(Thread.java:750) [?:1.8.0_372]
Caused by: javax.mail.MessagingException: Error handling message
at mitm.application.djigzo.james.mailets.PGPHandler.serviceMailTransacted(PGPHandler.java:501) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.application.djigzo.james.mailets.AbstractTransactedMailet$1.doAction(AbstractTransactedMailet.java:137) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
... 9 more
Caused by: java.io.IOException: unknown packet type encountered: 20
at org.bouncycastle.bcpg.BCPGInputStream.readPacket(Unknown Source) ~[bcpg.jar:1.71.00.0]
at org.bouncycastle.openpgp.PGPEncryptedDataList.<init>(Unknown Source) ~[bcpg.jar:1.71.00.0]
at org.bouncycastle.openpgp.PGPObjectFactory.nextObject(Unknown Source) ~[bcpg.jar:1.71.00.0]
at mitm.common.security.openpgp.PGPHandler.handle(PGPHandler.java:163) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPHandler.handle(PGPHandler.java:141) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPMIMEHandler.handlePGPMIMEEncrypted(PGPMIMEHandler.java:706) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPMIMEHandler.handleMessage(PGPMIMEHandler.java:270) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPRecursiveValidatingMIMEHandler.handleMessage(PGPRecursiveValidatingMIMEHandler.java:1125) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.common.security.openpgp.PGPRecursiveValidatingMIMEHandler.handleMessage(PGPRecursiveValidatingMIMEHandler.java:1102) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.application.djigzo.james.mailets.PGPHandler.serviceMailTransacted(PGPHandler.java:498) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
at mitm.application.djigzo.james.mailets.AbstractTransactedMailet$1.doAction(AbstractTransactedMailet.java:137) ~[ciphermail-core.jar:5.5.3.0g99d2faca]
... 9 more

Dear Martijn,

I found the solution. The ed25519 key I had generated with gpg2 had the following attributes:
Enc.: AES256, AES192, AES, 3DES
AEAD: OCB
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, not comp
Attributes: MDC, AEAD, Keyserver no-modify

The problem seems to be the AEAD. After I removed the attribute, no one can use it (without manual modification), so I cannot get a message with the following info if I use gpg2 externally:
AES256.OCB

That seems to be the problem. This attribute is, for example, also added in Outlook and the gpg add-on, if the generated key supports it.

So maybe an update is possible where the AEAD attribute is supported, because anyone could add this attribute if he modifies the key, or the gateway on the other hand could use it.

Regards
Robert
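
As an added diagnostic example (not code from CipherMail, GnuPG or BouncyCastle), the script below walks the packets of a de-armored encrypted.asc and names each packet tag, so a gateway operator can see at a glance whether a sender produced the AEAD Encrypted Data packet (tag 20, from the RFC 4880bis drafts / LibrePGP, which GnuPG emits as AES256.OCB for keys carrying the AEAD feature flag) instead of the RFC 4880 SEIPD packet (tag 18). The sample packet bytes are constructed, not taken from the thread.

```python
# Added example, not CipherMail, GnuPG or BouncyCastle code. Walks a binary
# OpenPGP packet stream and reports each tag; tag 20 is the AEAD Encrypted Data
# packet (RFC 4880bis drafts / LibrePGP) that an RFC 4880-only decryptor rejects
# with an "unknown packet type encountered: 20" error as seen in this thread.
import struct

SYM_ALGS = {7: "AES128", 8: "AES192", 9: "AES256"}
AEAD_ALGS = {1: "EAX", 2: "OCB"}
RFC4880_TAGS = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 17, 18, 19}


def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers, no partial lengths."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = (2, 3, 5)[ltype]
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def describe(data: bytes):
    """One line per packet; for tag 20 the cipher/AEAD mode (e.g. AES256.OCB) is decoded."""
    out = []
    for tag, body in iter_packets(data):
        if tag == 20 and len(body) >= 3:    # body: version, sym alg, AEAD alg, chunk size, ...
            mode = "%s.%s" % (SYM_ALGS.get(body[1], body[1]), AEAD_ALGS.get(body[2], body[2]))
            out.append("tag 20 AEAD Encrypted Data (%s): not in RFC 4880, needs AEAD support" % mode)
        elif tag == 18:
            out.append("tag 18 SEIPD (MDC): decryptable by any RFC 4880 implementation")
        else:
            out.append("tag %d: %s" % (tag, "RFC 4880" if tag in RFC4880_TAGS else "unknown"))
    return out


# Constructed sample: old-format PKESK (tag 1, all-zero key id, ECDH) followed by a
# new-format tag 20 packet announcing AES256 with OCB, as an AEAD-enabled key would get.
PKESK = bytes([0x84, 12, 3]) + bytes(8) + bytes([18, 0, 0])
AEAD_PKT = bytes([0xD4, 6, 1, 9, 2, 6, 0xAA, 0xBB])
SAMPLE = PKESK + AEAD_PKT
```

Feed it the output of `gpg --dearmor` on a stuck encrypted.asc; a tag 20 line confirms the sender's key or client negotiated AEAD, which the 5.5.3 gateway's BouncyCastle 1.71 does not parse.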