Add support for specifying MinimumKeyBits for RSA signatures

CHANGES

@@ -1,5 +1,6 @@
 1.2.0 UNRELEASED
  - Add support for SigningTable, KeyTable, and KeyTableEd25519 (LP: #1797397)
+ - Add support for specifying MinimumKeyBits for RSA signatures
  - Add support for SignHeaders feature, thanks to Ralph Seichter for the patch
  - Add information on message content conversion to README
  - Add new expand option to setup.py so various file system locations can be

TODO

@@ -53,7 +53,7 @@ Test suite	  implemented	verified
 DNSTimeout (requires dkimpy change)
 KeyTable            implemented  verified
 KeytableEd25519     implemented  verified
-MinimumKeyBits
+MinimumKeyBits      implemented  verified
 SignHeaders	    implemented
 SigningTable        implemented  verified
 TemporaryDirectory

dkimpy_milter/__init__.py

@@ -359,7 +359,7 @@ class dkimMilter(Milter.Base):
         res = False
         self.header_a = None
         for y in range(self.has_dkim):  # Verify _ALL_ the signatures
-            d = dkim.DKIM(txt)
+            d = dkim.DKIM(txt, minkey=self.conf.get('MinimumKeyBits'))
             try:
                 dnsoverride = self.conf.get('DNSOverride')
                 if isinstance(dnsoverride, str):

dkimpy_milter/config.py

@@ -39,6 +39,7 @@ defaultConfigData = {
     'SyslogFacility': 'mail',
     'UMask': 0o07,
     'Mode': 'sv',
+    'MinimumKeyBits': 1024,
     'Socket': None,
     'PidFile': None,
     'UserID': 'dkimpy-milter',
@@ -336,6 +337,7 @@ def _readConfigFile(path, configData=None, configGlobal={}):
         'SyslogSuccess': 'bool',
         'UMask': 'int',
         'Mode': 'str',
+        'MinimumKeyBits': 'int',
         'Socket': 'str',
         'PidFile': 'str',
         'UserID': 'str',
@@ -421,6 +423,10 @@ def _readConfigFile(path, configData=None, configGlobal={}):
             else:
                 configData[name] = str(value)
         elif conversion == 'int':
+            if name == 'MinimumKeyBits':
+                if int(value) == 0:
+                    # Odd inheritence from OpenDKIM where value of 0 means use default.
+                    value = configData.get(name)
             configData[name] = int(value)
         elif conversion == 'dataset':
             configData[name] = _dataset_to_list(value)

man/dkimpy-milter.conf.5

@@ -325,6 +325,13 @@ be set:
 (a) Domain, KeyFile, Selector, no KeyTable, no SigningTable;
 (b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
 
+TP
+.I MinimumKeyBits (integer)
+Establishes a minimum key size for acceptable RSA signatures.  Signatures with
+smaller key sizes, even if they otherwise pass DKIM validation, will me marked
+as invalid.  The default is 1024, which accepts all signatures.  A value of
+0 causes the default to be used. Not Applicable to ed25519 signatures.
+
 .TP
 .I OmitHeaders (dataset)
 Specifies a set of header fields that should be omitted when generating

man/dkimpy-milter.conf.5.in

@@ -325,6 +325,13 @@ be set:
 (a) Domain, KeyFile, Selector, no KeyTable, no SigningTable;
 (b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
 
+TP
+.I MinimumKeyBits (integer)
+Establishes a minimum key size for acceptable RSA signatures.  Signatures with
+smaller key sizes, even if they otherwise pass DKIM validation, will me marked
+as invalid.  The default is 1024, which accepts all signatures.  A value of
+0 causes the default to be used. Not Applicable to ed25519 signatures.
+
 .TP
 .I OmitHeaders (dataset)
 Specifies a set of header fields that should be omitted when generating

tests/runtests

@@ -43,6 +43,7 @@ Socket unix:$keytype.verify.sock
 PidFile $keytype.verify.pid
 Mode v
 DNSOverride $(cat testkey.$keytype.dns)
+MinimumKeyBits 2048
 UserID $(id --name --user):$(id --name --group)
 EOF