diff --git a/CHANGES b/CHANGES
index 8cb7fcf..80bae87 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,6 @@
 1.2.0 UNRELEASED
 - Add support for SigningTable, KeyTable, and KeyTableEd25519 (LP: #1797397)
+ - Add support for specifying MinimumKeyBits for RSA signatures
 - Add support for SignHeaders feature, thanks to Ralph Seichter for the patch
 - Add information on message content conversion to README
 - Add new expand option to setup.py so various file system locations can be
diff --git a/TODO b/TODO
index 5b9d83f..7af0af8 100644
--- a/TODO
+++ b/TODO
@@ -53,7 +53,7 @@ Test suite implemented verified
 DNSTimeout (requires dkimpy change)
 KeyTable implemented verified
 KeytableEd25519 implemented verified
-MinimumKeyBits
+MinimumKeyBits implemented verified
 SignHeaders implemented
 SigningTable implemented verified
 TemporaryDirectory
diff --git a/dkimpy_milter/__init__.py b/dkimpy_milter/__init__.py
index d25f611..73a94f0 100644
--- a/dkimpy_milter/__init__.py
+++ b/dkimpy_milter/__init__.py
@@ -359,7 +359,7 @@ class dkimMilter(Milter.Base):
 res = False
 self.header_a = None
 for y in range(self.has_dkim): # Verify _ALL_ the signatures
- d = dkim.DKIM(txt)
+ d = dkim.DKIM(txt, minkey=self.conf.get('MinimumKeyBits'))
 try:
 dnsoverride = self.conf.get('DNSOverride')
 if isinstance(dnsoverride, str):
diff --git a/dkimpy_milter/config.py b/dkimpy_milter/config.py
index b880815..de62947 100644
--- a/dkimpy_milter/config.py
+++ b/dkimpy_milter/config.py
@@ -39,6 +39,7 @@ defaultConfigData = {
 'SyslogFacility': 'mail',
 'UMask': 0o07,
 'Mode': 'sv',
+ 'MinimumKeyBits': 1024,
 'Socket': None,
 'PidFile': None,
 'UserID': 'dkimpy-milter',
@@ -336,6 +337,7 @@ def _readConfigFile(path, configData=None, configGlobal={}):
 'SyslogSuccess': 'bool',
 'UMask': 'int',
 'Mode': 'str',
+ 'MinimumKeyBits': 'int',
 'Socket': 'str',
 'PidFile': 'str',
 'UserID': 'str', 
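Review bot: `d = dkim.DKIM(txt, minkey=self.conf.get('MinimumKeyBits'))` forwards whatever the config lookup returns, so a configuration dictionary that lacks the key would pass `minkey=None` and override dkimpy's own built-in floor instead of falling back to it; the `'MinimumKeyBits': 1024` entry added to defaultConfigData in this same diff covers the normal path, but `minkey=self.conf.get('MinimumKeyBits', 1024)` would keep the RFC 8301 minimum even when the defaults are bypassed. The keyword also presumably requires a dkimpy release whose DKIM constructor accepts `minkey`; unless the package metadata already pins such a version, every verification on an older install would fail with a TypeError rather than a signature failure. The `for` loop and the enclosing method begin and end outside the hunk.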
@@ -421,6 +423,10 @@ def _readConfigFile(path, configData=None, configGlobal={}):
 else:
 configData[name] = str(value)
 elif conversion == 'int':
+ if name == 'MinimumKeyBits':
+ if int(value) == 0:
+ # Odd inheritence from OpenDKIM where value of 0 means use default.
+ value = configData.get(name)
 configData[name] = int(value)
 elif conversion == 'dataset':
 configData[name] = _dataset_to_list(value)
diff --git a/man/dkimpy-milter.conf.5 b/man/dkimpy-milter.conf.5
index bf9f978..28e10a2 100644
--- a/man/dkimpy-milter.conf.5
+++ b/man/dkimpy-milter.conf.5
@@ -325,6 +325,13 @@ be set:
 (a) Domain, KeyFile, Selector, no KeyTable, no SigningTable;
 (b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
+TP
+.I MinimumKeyBits (integer)
+Establishes a minimum key size for acceptable RSA signatures. Signatures with
+smaller key sizes, even if they otherwise pass DKIM validation, will me marked
+as invalid. The default is 1024, which accepts all signatures. A value of
+0 causes the default to be used. Not Applicable to ed25519 signatures.
+
 .TP
 .I OmitHeaders (dataset)
 Specifies a set of header fields that should be omitted when generating
diff --git a/man/dkimpy-milter.conf.5.in b/man/dkimpy-milter.conf.5.in
index 2f80a40..f1f40f1 100644
--- a/man/dkimpy-milter.conf.5.in
+++ b/man/dkimpy-milter.conf.5.in
@@ -325,6 +325,13 @@ be set:
 (a) Domain, KeyFile, Selector, no KeyTable, no SigningTable;
 (b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
+TP
+.I MinimumKeyBits (integer)
+Establishes a minimum key size for acceptable RSA signatures. Signatures with
+smaller key sizes, even if they otherwise pass DKIM validation, will me marked
+as invalid. The default is 1024, which accepts all signatures. A value of
+0 causes the default to be used. Not Applicable to ed25519 signatures.
+
 .TP
 .I OmitHeaders (dataset)
 Specifies a set of header fields that should be omitted when generating
diff --git a/tests/runtests b/tests/runtests
index cb922ad..c3d063a 100755 
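Review bot: The zero-means-default fallback `value = configData.get(name)` only works when configData already carries a MinimumKeyBits entry; if `_readConfigFile` is called with a configData that was not seeded from defaultConfigData, `.get` returns None and the `configData[name] = int(value)` that follows raises TypeError instead of applying the default. Reading the default from the dictionary defined in this same file, `value = configData.get(name, defaultConfigData['MinimumKeyBits'])`, preserves the OpenDKIM-compatible meaning of 0 without depending on the caller. Negative values also pass through unchecked and would presumably disable the minimum entirely, so a `< 0` guard next to the `== 0` test is worth considering, and the comment should read `inheritance`. The enclosing function continues outside the hunk.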
--- a/tests/runtests
+++ b/tests/runtests
@@ -43,6 +43,7 @@ Socket unix:$keytype.verify.sock
 PidFile $keytype.verify.pid
 Mode v
 DNSOverride $(cat testkey.$keytype.dns)
+MinimumKeyBits 2048
 UserID $(id --name --user):$(id --name --group)
 EOF
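Review bot: `MinimumKeyBits 2048` is added to the verify-mode config the heredoc generates for every `$keytype`, so the new option is only exercised on the accept path, and only if the RSA test key is at least 2048 bits; nothing here checks that a signature made with a key below the floor is actually rejected. A second verify config (or a second run with a smaller test key) asserting the reject outcome would cover the behaviour the option exists for, and it would also document that the value is ignored for the ed25519 key type. The heredoc and the shell logic that drives it begin outside the hunk.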