Add support for specifying MinimumKeyBits for RSA signatures
This commit is contained in:
Scott Kitterman
@@ -1,5 +1,6 @@
|
|||||||
1.2.0 UNRELEASED
|
1.2.0 UNRELEASED
|
||||||
- Add support for SigningTable, KeyTable, and KeyTableEd25519 (LP: #1797397)
|
- Add support for SigningTable, KeyTable, and KeyTableEd25519 (LP: #1797397)
|
||||||
|
- Add support for specifying MinimumKeyBits for RSA signatures
|
||||||
- Add support for SignHeaders feature, thanks to Ralph Seichter for the patch
|
- Add support for SignHeaders feature, thanks to Ralph Seichter for the patch
|
||||||
- Add information on message content conversion to README
|
- Add information on message content conversion to README
|
||||||
- Add new expand option to setup.py so various file system locations can be
|
- Add new expand option to setup.py so various file system locations can be
|
||||||
|
|||||||
@@ -53,7 +53,7 @@ Test suite implemented verified
|
|||||||
DNSTimeout (requires dkimpy change)
|
DNSTimeout (requires dkimpy change)
|
||||||
KeyTable implemented verified
|
KeyTable implemented verified
|
||||||
KeytableEd25519 implemented verified
|
KeytableEd25519 implemented verified
|
||||||
MinimumKeyBits
|
MinimumKeyBits implemented verified
|
||||||
SignHeaders implemented
|
SignHeaders implemented
|
||||||
SigningTable implemented verified
|
SigningTable implemented verified
|
||||||
TemporaryDirectory
|
TemporaryDirectory
|
||||||
|
|||||||
@@ -359,7 +359,7 @@ class dkimMilter(Milter.Base):
|
|||||||
res = False
|
res = False
|
||||||
self.header_a = None
|
self.header_a = None
|
||||||
for y in range(self.has_dkim): # Verify _ALL_ the signatures
|
for y in range(self.has_dkim): # Verify _ALL_ the signatures
|
||||||
d = dkim.DKIM(txt)
|
d = dkim.DKIM(txt, minkey=self.conf.get('MinimumKeyBits'))
|
||||||
try:
|
try:
|
||||||
dnsoverride = self.conf.get('DNSOverride')
|
dnsoverride = self.conf.get('DNSOverride')
|
||||||
if isinstance(dnsoverride, str):
|
if isinstance(dnsoverride, str):
|
||||||
|
|||||||
@@ -39,6 +39,7 @@ defaultConfigData = {
|
|||||||
'SyslogFacility': 'mail',
|
'SyslogFacility': 'mail',
|
||||||
'UMask': 0o07,
|
'UMask': 0o07,
|
||||||
'Mode': 'sv',
|
'Mode': 'sv',
|
||||||
|
'MinimumKeyBits': 1024,
|
||||||
'Socket': None,
|
'Socket': None,
|
||||||
'PidFile': None,
|
'PidFile': None,
|
||||||
'UserID': 'dkimpy-milter',
|
'UserID': 'dkimpy-milter',
|
||||||
@@ -336,6 +337,7 @@ def _readConfigFile(path, configData=None, configGlobal={}):
|
|||||||
'SyslogSuccess': 'bool',
|
'SyslogSuccess': 'bool',
|
||||||
'UMask': 'int',
|
'UMask': 'int',
|
||||||
'Mode': 'str',
|
'Mode': 'str',
|
||||||
|
'MinimumKeyBits': 'int',
|
||||||
'Socket': 'str',
|
'Socket': 'str',
|
||||||
'PidFile': 'str',
|
'PidFile': 'str',
|
||||||
'UserID': 'str',
|
'UserID': 'str',
|
||||||
@@ -421,6 +423,10 @@ def _readConfigFile(path, configData=None, configGlobal={}):
|
|||||||
else:
|
else:
|
||||||
configData[name] = str(value)
|
configData[name] = str(value)
|
||||||
elif conversion == 'int':
|
elif conversion == 'int':
|
||||||
|
if name == 'MinimumKeyBits':
|
||||||
|
if int(value) == 0:
|
||||||
|
# Odd inheritence from OpenDKIM where value of 0 means use default.
|
||||||
|
value = configData.get(name)
|
||||||
configData[name] = int(value)
|
configData[name] = int(value)
|
||||||
elif conversion == 'dataset':
|
elif conversion == 'dataset':
|
||||||
configData[name] = _dataset_to_list(value)
|
configData[name] = _dataset_to_list(value)
|
||||||
|
|||||||
@@ -325,6 +325,13 @@ be set:
|
|||||||
(a) Domain, KeyFile, Selector, no KeyTable, no SigningTable;
|
(a) Domain, KeyFile, Selector, no KeyTable, no SigningTable;
|
||||||
(b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
|
(b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
|
||||||
|
|
||||||
|
TP
|
||||||
|
.I MinimumKeyBits (integer)
|
||||||
|
Establishes a minimum key size for acceptable RSA signatures. Signatures with
|
||||||
|
smaller key sizes, even if they otherwise pass DKIM validation, will me marked
|
||||||
|
as invalid. The default is 1024, which accepts all signatures. A value of
|
||||||
|
0 causes the default to be used. Not Applicable to ed25519 signatures.
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.I OmitHeaders (dataset)
|
.I OmitHeaders (dataset)
|
||||||
Specifies a set of header fields that should be omitted when generating
|
Specifies a set of header fields that should be omitted when generating
|
||||||
|
|||||||
@@ -325,6 +325,13 @@ be set:
|
|||||||
(a) Domain, KeyFile, Selector, no KeyTable, no SigningTable;
|
(a) Domain, KeyFile, Selector, no KeyTable, no SigningTable;
|
||||||
(b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
|
(b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
|
||||||
|
|
||||||
|
TP
|
||||||
|
.I MinimumKeyBits (integer)
|
||||||
|
Establishes a minimum key size for acceptable RSA signatures. Signatures with
|
||||||
|
smaller key sizes, even if they otherwise pass DKIM validation, will me marked
|
||||||
|
as invalid. The default is 1024, which accepts all signatures. A value of
|
||||||
|
0 causes the default to be used. Not Applicable to ed25519 signatures.
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.I OmitHeaders (dataset)
|
.I OmitHeaders (dataset)
|
||||||
Specifies a set of header fields that should be omitted when generating
|
Specifies a set of header fields that should be omitted when generating
|
||||||
|
|||||||
@@ -43,6 +43,7 @@ Socket unix:$keytype.verify.sock
|
|||||||
PidFile $keytype.verify.pid
|
PidFile $keytype.verify.pid
|
||||||
Mode v
|
Mode v
|
||||||
DNSOverride $(cat testkey.$keytype.dns)
|
DNSOverride $(cat testkey.$keytype.dns)
|
||||||
|
MinimumKeyBits 2048
|
||||||
UserID $(id --name --user):$(id --name --group)
|
UserID $(id --name --user):$(id --name --group)
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user