Self consistent, but not externally verified ed25519 based on draft-ietf-dcrup-dkim-crypto-08

2018-02-05 03:53:03 -05:00
parent 10e12c60d8
commit 077bf4813c
18 changed files with 447 additions and 32 deletions
@@ -1,6 +1,6 @@
 UNRELEASED Version 0.7.0
-    - Initial ed25519 implementation assuming use of ed25519-sh512 and base64
+    - Initial ed25519 implementation based on draft-ietf-dcrup-dkim-crypto-08
-      encoded keys - experimental - IETF draft not updated yet
+      experimental - IETF draft, design not finalized
    - Port dkimsign.py to use argparse; now gives standard usage message and
      is more extensible
    - Add command line options to dkimsign.py to select header and body
@@ -44,6 +44,12 @@ try:
 except:
  pass
 # only needed for ed25519 signing/verification
 try:
    import nacl.signing
    import nacl.encoding
 except:
    pass
 from dkim.canonicalization import (
    CanonicalizationPolicy,
@@ -78,6 +84,8 @@ __all__ = [
    "MessageFormatError",
    "ParameterError",
    "ValidationError",
    "AuthresNotFoundError",
    "NaClNotFoundError",
    "CV_Pass",
    "CV_Fail",
    "CV_None",
@@ -152,6 +160,13 @@ class AuthresNotFoundError(DKIMException):
    """ Authres Package not installed, needed for ARC """
    pass
 class NaClNotFoundError(DKIMException):
    """ Nacl package not installed, needed for ed25119 signatures """
    pass
 class UnknownKeyTypeError(DKIMException):
    """ Key type (k tag) is not known (rsa/ed25519) """
 def select_headers(headers, include_headers):
    """Select message header fields to be signed/verified.
@@ -197,6 +212,20 @@ def hash_headers(hasher, canonicalize_headers, headers, include_headers,
        hasher.update(y)
    return sign_headers
 def hash_headers_ed25519(pk, canonicalize_headers, headers, include_headers,
                 sigheader, sig):
    """Update hash for signed message header fields."""
    hash_header = ''
    sign_headers = select_headers(headers,include_headers)
    # The call to _remove() assumes that the signature b= only appears
    # once in the signature header
    cheaders = canonicalize_headers.canonicalize_headers(
        [(sigheader[0], RE_BTAG.sub(b'\\1',sigheader[1]))])
    # the dkim sig is hashed with no trailing crlf, even if the
    # canonicalization algorithm would add one.
    for x,y in sign_headers + [(x, y.rstrip()) for x,y in cheaders]:
        hash_header += x + y
    return sign_headers, hash_header
 def validate_signature_fields(sig, mandatory_fields=[b'v', b'a', b'b', b'bh', b'd', b'h', b's'], arc=False):
    """Validate DKIM or ARC Signature fields.
@@ -356,13 +385,22 @@ def load_pk_from_dns(name, dnsfunc=get_txt):
  except InvalidTagValueList as e:
      raise KeyFormatError(e)
  try:
-      pk = parse_public_key(base64.b64decode(pub[b'p']))
+      if pub[b'k'] == b'ed25519':
-      keysize = bitsize(pk['modulus'])
+          pk = nacl.signing.VerifyKey(pub[b'p'], encoder=nacl.encoding.Base64Encoder)
          keysize = 256
          ktag = b'ed25519'
  except KeyError:
-      raise KeyFormatError("incomplete public key: %s" % s)
+      pub[b'k'] = b'rsa'
-  except (TypeError,UnparsableKeyError) as e:
+  if pub[b'k'] == b'rsa':
-      raise KeyFormatError("could not parse public key (%s): %s" % (pub[b'p'],e))
+      try:
-  return pk, keysize
+          pk = parse_public_key(base64.b64decode(pub[b'p']))
          keysize = bitsize(pk['modulus'])
      except KeyError:
          raise KeyFormatError("incomplete public key: %s" % s)
      except (TypeError,UnparsableKeyError) as e:
          raise KeyFormatError("could not parse public key (%s): %s" % (pub[b'p'],e))
      ktag = b'rsa'
  return pk, keysize, ktag
 #: Abstract base class for holding messages and options during DKIM/ARC signing and verification.
 class DomainSigner(object):
@@ -513,10 +551,14 @@ class DomainSigner(object):
        h, canon_policy, headers, include_headers, header, sig)
    self.logger.debug("sign %s headers: %r" % (header_name, h.hashed()))
-    try:
+    if self.signature_algorithm == b'rsa-sha256' or self.signature_algorithm == b'rsa-sha1':
-        sig2 = RSASSA_PKCS1_v1_5_sign(h, pk)
+        try:
-    except DigestTooLargeError:
+            sig2 = RSASSA_PKCS1_v1_5_sign(h, pk)
-        raise ParameterError("digest too large for modulus")
+        except DigestTooLargeError:
            raise ParameterError("digest too large for modulus")
    elif self.signature_algorithm == b'ed25519':
        sigobj = pk.sign(h.digest())
        sig2 = sigobj.signature
    # Folding b= is explicity allowed, but yahoo and live.com are broken
    #header_value += base64.b64encode(bytes(sig2))
    # Instead of leaving unfolded (which lets an MTA fold it later and still
@@ -539,7 +581,7 @@ class DomainSigner(object):
  def verify_sig(self, sig, include_headers, sig_header, dnsfunc):
    name = sig[b's'] + b"._domainkey." + sig[b'd'] + b"."
    try:
-      pk, self.keysize = load_pk_from_dns(name, dnsfunc)
+      pk, self.keysize, ktag = load_pk_from_dns(name, dnsfunc)
    except KeyFormatError as e:
      self.logger.error("%s" % e)
      return False
@@ -584,16 +626,25 @@ class DomainSigner(object):
    self.signed_headers = hash_headers(
        h, canon_policy, headers, include_headers, sig_header, sig)
    self.logger.debug("signed for %s: %r" % (sig_header[0], h.hashed()))
-
+    signature = base64.b64decode(re.sub(br"\s+", b"", sig[b'b']))
-    try:
+    if ktag == b'rsa':
-        signature = base64.b64decode(re.sub(br"\s+", b"", sig[b'b']))
+        try:
-        res = RSASSA_PKCS1_v1_5_verify(h, signature, pk)
+            res = RSASSA_PKCS1_v1_5_verify(h, signature, pk)
-        self.logger.debug("%s valid: %s" % (sig_header[0], res))
+            self.logger.debug("%s valid: %s" % (sig_header[0], res))
-        if res and self.keysize < self.minkey:
+            if res and self.keysize < self.minkey:
-          raise KeyFormatError("public key too small: %d" % self.keysize)
+                raise KeyFormatError("public key too small: %d" % self.keysize)
-        return res
+            return res
-    except (TypeError,DigestTooLargeError) as e:
+        except (TypeError,DigestTooLargeError) as e:
-        raise KeyFormatError("digest too large for modulus: %s"%e)
+            raise KeyFormatError("digest too large for modulus: %s"%e)
    elif ktag == b'ed25519':
        try:
            pk.verify(h.digest(), signature)
            self.logger.debug("%s valid" % (sig_header[0]))
            return True
        except (nacl.exceptions.BadSignatureError) as e:
            return False
    else:
        raise UnknownKeyTypeError(ktag)
 #: Hold messages and options during DKIM signing and verification.
 class DKIM(DomainSigner):
@@ -632,12 +683,17 @@ class DKIM(DomainSigner):
  #: @return: DKIM-Signature header field terminated by '\r\n'
  #: @raise DKIMException: when the message, include_headers, or key are badly
  #: formed.
-  def sign(self, selector, domain, privkey, identity=None,
+  def sign(self, selector, domain, privkey, signature_algorithm=None, identity=None,
        canonicalize=(b'relaxed',b'simple'), include_headers=None, length=False):
-    try:
+    if signature_algorithm:
-        pk = parse_pem_private_key(privkey)
+        self.signature_algorithm = signature_algorithm
-    except UnparsableKeyError as e:
+    if self.signature_algorithm == b'rsa-sha256' or self.signature_algorithm == b'rsa-sha1':
-        raise KeyFormatError(str(e))
+        try:
            pk = parse_pem_private_key(privkey)
        except UnparsableKeyError as e:
            raise KeyFormatError(str(e))
    elif self.signature_algorithm == b'ed25519':
        pk = nacl.signing.SigningKey(privkey, encoder=nacl.encoding.Base64Encoder)
    if identity is not None and not identity.endswith(domain):
        raise ParameterError("identity must end with domain")
@@ -81,6 +81,7 @@ ASN1_RSAPrivateKey = [
 HASH_ALGORITHMS = {
    b'rsa-sha1': hashlib.sha1,
    b'rsa-sha256': hashlib.sha256,
    b'ed25519': hashlib.sha256
    }
 # These values come from RFC 8017, section 9.2 Notes, page 46.
@@ -28,6 +28,7 @@ def test_suite():
        test_canonicalization,
        test_crypto,
        test_dkim,
        test_dkim_ed25519,
        test_util,
        test_arc,
        test_dnsplug,
@@ -36,6 +37,7 @@ def test_suite():
        test_canonicalization,
        test_crypto,
        test_dkim,
        test_dkim_ed25519,
        test_util,
        test_arc,
        test_dnsplug,
@@ -0,0 +1 @@
 k=ed25519; p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=
@@ -0,0 +1 @@
 fL+5V9EquCZAovKik3pA6Lk9zwCzoEtjIuIqK9ZXHHA=
@@ -0,0 +1,9 @@
 Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=jqd@d1.example; dkim=pass (1024-bit key) header.i=@d1.example; dmarc=pass
 Received: from localhost
 Message-ID: <example@example.com>
 Date: Mon, 01 Jan 2011 01:02:03 +0400
 From: Test User <test@example.com>
 To: somebody@example.com
 Subject: Testing
 This is a test message.
@@ -0,0 +1,16 @@
 DKIM-Signature: v=1; a=ed25519; c=relaxed/simple; d=example.com;
 i=@example.com; q=dns/txt; s=test; t=5; h=message-id :
 date : from : to : subject : date : from : subject;
 bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
 b=wt7P+9DoBwcln1RKE3LN7069ZEEiSyVE/NH1YXnqnJy4JcrSCZUbeIEh
 vXssPHelX4yNSXG9eTGTwwk5NxYqBw==
 Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=jqd@d1.example; dkim=pass (1024-bit key) header.i=@d1.example; dmarc=pass
 Received: from localhost
 Message-ID: <example@example.com>
 Date: Mon, 01 Jan 2011 01:02:03 +0400
 From: Test User <test@example.com>
 To: somebody@example.com
 Subject: Testing
 This is a test message.
@@ -0,0 +1,11 @@
 DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=test.ex
        ; s=sed; h=From:To:Subject; bh=/Ab0giHZitYQbDhFszoqQRUkgqueaX9zatJttIU/plc=;
         b=5fhyD3EILDrnL4DnkD4hDaeis7+GSzL9GMHrhIDZJjuJ00WD5iI8SQ1q9rDfzFL/Kdw0VIyB4R
        Dq0a4H6HI+Bw==;
 Received: from jgh by myhost.test.ex with local (Exim x.yz)
        envelope-from <jgh@myhost.test.ex>)
         1dtXln-0000YP-Hb
         a@test.ex; Sun, 17 Sep 2017 12:29:51 +0100
 From: nobody@example.com
 content
@@ -0,0 +1,16 @@
 DKIM-Signature: v=1; a=ed25519; c=relaxed/simple; d=kitterman.org;
 i=@kitterman.org; q=dns/txt; s=ed25519; t=1517819503;
 h=message-id : date : from : to : subject : date : from :
 subject; bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
 b=79R3A+GEIghZIWWOfAxXUEVI/NhyOCH0QWVhYV2+sN8MPVfPfYQAMRi0
 mlXux2AHLc7yihFV5SJWrsvqm62uCw==
 Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=example.com; dmarc=pass
 Received: from localhost
 Message-ID: <example@example.com>
 Date: Mon, 01 Jan 2011 01:02:03 +0400
 From: Test User <test@example.com>
 To: somebody@example.com
 Subject: Testing
 This is a test message.
@@ -0,0 +1,9 @@
 Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=example.com; dmarc=pass
 Received: from localhost
 Message-ID: <example@example.com>
 Date: Mon, 01 Jan 2011 01:02:03 +0400
 From: Test User <test@example.com>
 To: somebody@example.com
 Subject: Testing
 This is a test message.
@@ -0,0 +1 @@
 v=DKIM1; k=ed25519; p=sPs07Vu29FpHT/80UXUcYHFOHifD4o2ZlP2+XUh9g6E=
@@ -0,0 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIICXQIBAAKBgQDkHlOQoBTzWRiGs5V6NpP3idY6Wk08a5qhdR6wy5bdOKb2jLQi
 Y/J16JYi0Qvx/byYzCNb3W91y3FutACDfzwQ/BC/e/8uBsCR+yz1Lxj+PL6lHvqM
 KrM3rG4hstT5QjvHO9PzoxZyVYLzBfO2EeC3Ip3G+2kryOTIKT+l/K4w3QIDAQAB
 AoGAH0cxOhFZDgzXWhDhnAJDw5s4roOXN4OhjiXa8W7Y3rhX3FJqmJSPuC8N9vQm
 6SVbaLAE4SG5mLMueHlh4KXffEpuLEiNp9Ss3O4YfLiQpbRqE7Tm5SxKjvvQoZZe
 zHorimOaChRL2it47iuWxzxSiRMv4c+j70GiWdxXnxe4UoECQQDzJB/0U58W7RZy
 6enGVj2kWF732CoWFZWzi1FicudrBFoy63QwcowpoCazKtvZGMNlPWnC7x/6o8Gc
 uSe0ga2xAkEA8C7PipPm1/1fTRQvj1o/dDmZp243044ZNyxjg+/OPN0oWCbXIGxy
 WvmZbXriOWoSALJTjExEgraHEgnXssuk7QJBALl5ICsYMu6hMxO73gnfNayNgPxd
 WFV6Z7ULnKyV7HSVYF0hgYOHjeYe9gaMtiJYoo0zGN+L3AAtNP9huqkWlzECQE1a
 licIeVlo1e+qJ6Mgqr0Q7Aa7falZ448ccbSFYEPD6oFxiOl9Y9se9iYHZKKfIcst
 o7DUw1/hz2Ck4N5JrgUCQQCyKveNvjzkkd8HjYs0SwM0fPjK16//5qDZ2UiDGnOe
 uEzxBDAr518Z8VFbR41in3W4Y3yCDgQlLlcETrS+zYcL
 -----END RSA PRIVATE KEY-----
@@ -0,0 +1 @@
 v=DKIM1; g=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkHlOQoBTzWRiGs5V6NpP3idY6Wk08a5qhdR6wy5bdOKb2jLQiY/J16JYi0Qvx/byYzCNb3W91y3FutACDfzwQ/BC/e/8uBsCR+yz1Lxj+PL6lHvqMKrM3rG4hstT5QjvHO9PzoxZyVYLzBfO2EeC3Ip3G+2kryOTIKT+l/K4w3QIDAQAB
@@ -113,7 +113,7 @@ Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
                self.assertTrue(res)
    def test_implicit_k(self):
-        # A message verifies after being signed.
+        # A message verifies after being signed when k= tag is not provided.
        for header_algo in (b"simple", b"relaxed"):
            for body_algo in (b"simple", b"relaxed"):
                sig = dkim.sign(
@@ -0,0 +1,273 @@
 # This software is provided 'as-is', without any express or implied
 # warranty.  In no event will the author be held liable for any damages
 # arising from the use of this software.
 #
 # Permission is granted to anyone to use this software for any purpose,
 # including commercial applications, and to alter it and redistribute it
 # freely, subject to the following restrictions:
 #
 # 1. The origin of this software must not be misrepresented; you must not
 #    claim that you wrote the original software. If you use this software
 #    in a product, an acknowledgment in the product documentation would be
 #    appreciated but is not required.
 # 2. Altered source versions must be plainly marked as such, and must not be
 #    misrepresented as being the original software.
 # 3. This notice may not be removed or altered from any source distribution.
 #
 # Copyright (c) 2011 William Grant <me@williamgrant.id.au>
 # Copyright (c) 2017 Scott Kitterman <scott@kitterman.com>
 import email
 import os.path
 import unittest
 import time
 import dkim
 def read_test_data(filename):
    """Get the content of the given test data file.
    The files live in dkim/tests/data.
    """
    path = os.path.join(os.path.dirname(__file__), 'data', filename)
    with open(path, 'rb') as f:
        return f.read()
 class TestFold(unittest.TestCase):
    def test_short_line(self):
        self.assertEqual(
            b"foo", dkim.fold(b"foo"))
    def test_long_line(self):
        # The function is terribly broken, not passing even this simple
        # test.
        self.assertEqual(
            b"foo" * 24 + b"\r\n foo", dkim.fold(b"foo" * 25))
 class TestSignAndVerify(unittest.TestCase):
    """End-to-end signature and verification tests."""
    def setUp(self):
        self.message = read_test_data("ed25519test.msg")
        self.message2 = read_test_data("ed25519test2.msg")
        self.key = read_test_data("ed25519test.key")
    def dnsfunc(self, domain):
        sample_dns = """\
 k=ed25519; \
 p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y="""
        _dns_responses = {
          'example._domainkey.canonical.com.': sample_dns,
          'test._domainkey.example.com.': """v=DKIM1; k=ed25519; \
 p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=""",
          '20120113._domainkey.gmail.com.': """k=ed25519; \
 p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=""",
          'sed._domainkey.test.ex.': read_test_data("eximtest.dns")
        }
        try:
            domain = domain.decode('ascii')
        except UnicodeDecodeError:
            return None
        self.assertTrue(domain in _dns_responses,domain)
        return _dns_responses[domain]
    def test_verifies(self):
        # A message verifies after being signed.
        for header_algo in (b"simple", b"relaxed"):
            for body_algo in (b"simple", b"relaxed"):
                sig = dkim.sign(
                    self.message, b"test", b"example.com", self.key,
                    canonicalize=(header_algo, body_algo), signature_algorithm=b'ed25519')
                res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
                self.assertTrue(res)
    def test_simple_signature(self):
        # A message verifies after being signed with SHOULD headers
        for header_algo in (b"simple", b"relaxed"):
             for body_algo in (b"simple", b"relaxed"):
                sig = dkim.sign(
                    self.message, b"test", b"example.com", self.key,
                    canonicalize=(header_algo, body_algo),
                    include_headers=(b'from',) + dkim.DKIM.SHOULD,
                    signature_algorithm=b'ed25519')
                res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
                self.assertTrue(res)
    def test_verify_third_party(self):
        # Message signed by prototype Exim implementation
        res = dkim.verify(self.message2)
        self.assertTrue(res)
    def test_add_body_length(self):
        sig = dkim.sign(
            self.message, b"test", b"example.com", self.key, length=True,
                signature_algorithm=b'ed25519')
        msg = email.message_from_string(self.message.decode('utf-8'))
        self.assertIn('; l=%s' % len(msg.get_payload() + '\n'), sig.decode('utf-8'))
        res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
        self.assertTrue(res)
    def test_altered_body_fails(self):
        # An altered body fails verification.
        for header_algo in (b"simple", b"relaxed"):
            for body_algo in (b"simple", b"relaxed"):
                sig = dkim.sign(
                    self.message, b"test", b"example.com", self.key,
                    signature_algorithm=b'ed25519')
                res = dkim.verify(
                    sig + self.message + b"foo", dnsfunc=self.dnsfunc)
                self.assertFalse(res)
    def test_badly_encoded_domain_fails(self):
        # Domains should be ASCII. Bad ASCII causes verification to fail.
        sig = dkim.sign(self.message, b"test", b"example.com\xe9", self.key,
            signature_algorithm=b'ed25519')
        res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
        self.assertFalse(res)
    def test_dkim_signature_canonicalization(self):
      # <https://bugs.launchpad.net/ubuntu/+source/pydkim/+bug/587783>
      # Relaxed-mode header signing is wrong
      # <https://bugs.launchpad.net/dkimpy/+bug/939128>
      # Simple-mode signature header verification is wrong
      # (should ignore FWS anywhere in signature tag: b=)
      sample_msg = b"""\
 From: mbp@canonical.com
 To: scottk@example.com
 Subject: this is my
    test message
 """.replace(b'\n', b'\r\n')
      sample_privkey = b"""\
 fL+5V9EquCZAovKik3pA6Lk9zwCzoEtjIuIqK9ZXHHA=\
 """
      sample_pubkey = """\
 yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=\
 """
      for header_mode in [dkim.Relaxed, dkim.Simple]:
        dkim_header = dkim.sign(sample_msg, b'example', b'canonical.com',
            sample_privkey, canonicalize=(header_mode, dkim.Relaxed),
            signature_algorithm=b'ed25519')
        # Folding dkim_header affects b= tag only, since dkim.sign folds
        # sig_value with empty b= before hashing, and then appends the
        # signature.  So folding dkim_header again adds FWS to
        # the b= tag only.  This should be ignored even with
        # simple canonicalization.
        # http://tools.ietf.org/html/rfc4871#section-3.5
        signed = dkim.fold(dkim_header) + sample_msg
        result = dkim.verify(signed,dnsfunc=self.dnsfunc)
        self.assertTrue(result)
        dkim_header = dkim.fold(dkim_header)
        # use a tab for last fold to test tab in FWS bug
        pos = dkim_header.rindex(b'\r\n ')
        dkim_header = dkim_header[:pos]+b'\r\n\t'+dkim_header[pos+3:]
        result = dkim.verify(dkim_header + sample_msg,
                dnsfunc=self.dnsfunc)
        self.assertTrue(result)
    def test_extra_headers(self):
        # <https://bugs.launchpad.net/dkimpy/+bug/737311>
        # extra headers above From caused failure
        #message = read_test_data("test_extra.message")
        message = read_test_data("message.mbox")
        for header_algo in (b"simple", b"relaxed"):
            for body_algo in (b"simple", b"relaxed"):
                d = dkim.DKIM(message)
                # bug requires a repeated header to manifest
                d.should_not_sign.remove(b'received')
                sig = d.sign(b"test", b"example.com", self.key,
                    signature_algorithm=b'ed25519',
                    include_headers=d.all_sign_headers(),
                    canonicalize=(header_algo, body_algo))
                dv = dkim.DKIM(sig + message)
                res = dv.verify(dnsfunc=self.dnsfunc)
                self.assertEquals(d.include_headers,dv.include_headers)
                s = dkim.select_headers(d.headers,d.include_headers)
                sv = dkim.select_headers(dv.headers,dv.include_headers)
                self.assertEquals(s,sv)
                self.assertTrue(res)
    def test_multiple_from_fails(self):
        # <https://bugs.launchpad.net/dkimpy/+bug/644046>
        # additional From header fields should cause verify failure
        hfrom = b'From: "Resident Evil" <sales@spammer.com>\r\n'
        h,b = self.message.split(b'\n\n',1)
        for header_algo in (b"simple", b"relaxed"):
            for body_algo in (b"simple", b"relaxed"):
                sig = dkim.sign(
                    self.message, b"test", b"example.com", self.key,
                    signature_algorithm=b'ed25519')
                # adding an unknown header still verifies
                h1 = h+b'\r\n'+b'X-Foo: bar'
                message = b'\n\n'.join((h1,b))
                res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
                self.assertTrue(res)
                # adding extra from at end should not verify
                h1 = h+b'\r\n'+hfrom.strip()
                message = b'\n\n'.join((h1,b))
                res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
                self.assertFalse(res)
                # add extra from in front should not verify either
                h1 = hfrom+h
                message = b'\n\n'.join((h1,b))
                res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
                self.assertFalse(res)
    def test_no_from_fails(self):
        # Body From is mandatory to be in the message and mandatory to sign
        sigerror = False
        sig = ''
        message = read_test_data('test_nofrom.message')
        selector = 'test'
        domain = 'example.com'
        identity = None
        try:
            sig = dkim.sign(message, selector, domain,
                read_test_data('ed25519test.key'), identity = identity,
                signature_algorithm=b'ed25519')
        except dkim.ParameterError as x:
            sigerror = True
        self.assertTrue(sigerror)
    def test_validate_signature_fields(self):
      sig = {b'v': b'1',
      b'a': b'ed25519',
      b'b': b'K/UUOt8lCtgjp3kSTogqBm9lY1Yax/NwZ+bKm39/WKzo5KYe3L/6RoIA/0oiDX4kO\n \t Qut49HCV6ZUe6dY9V5qWBwLanRs1sCnObaOGMpFfs8tU4TWpDSVXaNZAqn15XVW0WH\n \t EzOzUfVuatpa1kF4voIgSbmZHR1vN3WpRtcTBe/I=',
      b'bh': b'n0HUwGCP28PkesXBPH82Kboy8LhNFWU9zUISIpAez7M=',
      b'c': b'simple/simple',
      b'd': b'kitterman.com',
      b'i': b'scott@Kitterman.com',
      b'h': b'From:To:Subject:Date:Cc:MIME-Version:Content-Type:\n \t Content-Transfer-Encoding:Message-Id',
      b's': b'2007-00',
      b't': b'1299525798'}
      dkim.validate_signature_fields(sig)
      # try new version
      sigVer = sig.copy()
      sigVer[b'v'] = 2
      self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigVer)
      # try with x
      sigX = sig.copy()
      sigX[b'x'] = b'1399525798'
      dkim.validate_signature_fields(sig)
      # try with late t
      sigX[b't'] = b'1400000000'
      self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigX)
      # try without t
      now = int(time.time())
      sigX[b'x'] = str(now+400000).encode('ascii')
      dkim.validate_signature_fields(sigX)
      # try when expired a day ago
      sigX[b'x'] = str(now - 24*3600).encode('ascii')
      self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigX)
 def test_suite():
    from unittest import TestLoader
    return TestLoader().loadTestsFromName(__name__)
@@ -44,7 +44,7 @@ parser.add_argument('--hcanon', choices=['simple', 'relaxed'],
 parser.add_argument('--bcanon', choices=['simple', 'relaxed'],
    default='simple',
    help='Body canonicalization algorithm: default=simple')
-parser.add_argument('--signalg', choices=['rsa-sha256', 'rsa-sha1'],
+parser.add_argument('--signalg', choices=['rsa-sha256', 'ed25519', 'rsa-sha1'],
    default='rsa-sha256',
    help='Signature algorithm: default=rsa-sha256')
 parser.add_argument('--identity', help='Optional value for i= tag.')
@@ -52,12 +52,13 @@ def GenEd25519Keys(private_key_file):
    Output is unprotected.  You should encrypt your keys.
    """
    import nacl.signing # Yes, pep-8, but let's not make everyone install nacl
    import nacl.encoding
    import os
    skg = nacl.signing.SigningKey(seed=os.urandom(32))
    priv_key = skg.generate()
    print >> sys.stderr, 'generating ' + private_key_file
    pkf = open(private_key_file, "w+")
-    print >> pkf, base64.b64encode(bytes(priv_key))
+    print >> pkf, priv_key.encode(encoder=nacl.encoding.Base64Encoder)
    pkf.close()
    return(priv_key)
@@ -81,7 +82,9 @@ def ExtractRSADnsPublicKey(private_key_file, dns_file):
 def ExtractEd25519PublicKey(private_key_file, dns_file, priv_key):
    """ Given a ed25519 key, extract the bit we should place in DNS.
    """
-    output = base64.b64encode(bytes(priv_key.verify_key))
+    import nacl.encoding # Yes, pep-8, but let's not make everyone install nacl
    pubkey = priv_key.verify_key
    output = pubkey.encode(encoder=nacl.encoding.Base64Encoder)
    dns_fp = open(dns_file, "w+")
    print >> sys.stderr, 'writing ' + dns_file
    print >> dns_fp, "k=ed25519; p={0}".format(output)
		`@@ -0,0 +1 @@`
							`k=ed25519; p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=`
		`@@ -0,0 +1 @@`
							`fL+5V9EquCZAovKik3pA6Lk9zwCzoEtjIuIqK9ZXHHA=`
		`@@ -0,0 +1 @@`
							`v=DKIM1; k=ed25519; p=sPs07Vu29FpHT/80UXUcYHFOHifD4o2ZlP2+XUh9g6E=`
		`@@ -0,0 +1 @@`
							`v=DKIM1; g=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkHlOQoBTzWRiGs5V6NpP3idY6Wk08a5qhdR6wy5bdOKb2jLQiY/J16JYi0Qvx/byYzCNb3W91y3FutACDfzwQ/BC/e/8uBsCR+yz1Lxj+PL6lHvqMKrM3rG4hstT5QjvHO9PzoxZyVYLzBfO2EeC3Ip3G+2kryOTIKT+l/K4w3QIDAQAB`