Self consistent, but not externally verified ed25519 based on draft-ietf-dcrup-dkim-crypto-08

ChangeLog

@@ -1,6 +1,6 @@
 UNRELEASED Version 0.7.0
-    - Initial ed25519 implementation assuming use of ed25519-sh512 and base64
-      encoded keys - experimental - IETF draft not updated yet
+    - Initial ed25519 implementation based on draft-ietf-dcrup-dkim-crypto-08
+      experimental - IETF draft, design not finalized
     - Port dkimsign.py to use argparse; now gives standard usage message and
       is more extensible
     - Add command line options to dkimsign.py to select header and body

dkim/__init__.py

@@ -44,6 +44,12 @@ try:
 except:
   pass
 
+# only needed for ed25519 signing/verification
+try:
+    import nacl.signing
+    import nacl.encoding
+except:
+    pass
 
 from dkim.canonicalization import (
     CanonicalizationPolicy,
@@ -78,6 +84,8 @@ __all__ = [
     "MessageFormatError",
     "ParameterError",
     "ValidationError",
+    "AuthresNotFoundError",
+    "NaClNotFoundError",
     "CV_Pass",
     "CV_Fail",
     "CV_None",
@@ -152,6 +160,13 @@ class AuthresNotFoundError(DKIMException):
     """ Authres Package not installed, needed for ARC """
     pass
 
+class NaClNotFoundError(DKIMException):
+    """ Nacl package not installed, needed for ed25119 signatures """
+    pass
+
+class UnknownKeyTypeError(DKIMException):
+    """ Key type (k tag) is not known (rsa/ed25519) """
+
 def select_headers(headers, include_headers):
     """Select message header fields to be signed/verified.
 
@@ -197,6 +212,20 @@ def hash_headers(hasher, canonicalize_headers, headers, include_headers,
         hasher.update(y)
     return sign_headers
 
+def hash_headers_ed25519(pk, canonicalize_headers, headers, include_headers,
+                 sigheader, sig):
+    """Update hash for signed message header fields."""
+    hash_header = ''
+    sign_headers = select_headers(headers,include_headers)
+    # The call to _remove() assumes that the signature b= only appears
+    # once in the signature header
+    cheaders = canonicalize_headers.canonicalize_headers(
+        [(sigheader[0], RE_BTAG.sub(b'\\1',sigheader[1]))])
+    # the dkim sig is hashed with no trailing crlf, even if the
+    # canonicalization algorithm would add one.
+    for x,y in sign_headers + [(x, y.rstrip()) for x,y in cheaders]:
+        hash_header += x + y
+    return sign_headers, hash_header
 
 def validate_signature_fields(sig, mandatory_fields=[b'v', b'a', b'b', b'bh', b'd', b'h', b's'], arc=False):
     """Validate DKIM or ARC Signature fields.
@@ -355,6 +384,14 @@ def load_pk_from_dns(name, dnsfunc=get_txt):
       pub = parse_tag_value(s)
   except InvalidTagValueList as e:
       raise KeyFormatError(e)
+  try:
+      if pub[b'k'] == b'ed25519':
+          pk = nacl.signing.VerifyKey(pub[b'p'], encoder=nacl.encoding.Base64Encoder)
+          keysize = 256
+          ktag = b'ed25519'
+  except KeyError:
+      pub[b'k'] = b'rsa'
+  if pub[b'k'] == b'rsa':
       try:
           pk = parse_public_key(base64.b64decode(pub[b'p']))
           keysize = bitsize(pk['modulus'])
@@ -362,7 +399,8 @@ def load_pk_from_dns(name, dnsfunc=get_txt):
           raise KeyFormatError("incomplete public key: %s" % s)
       except (TypeError,UnparsableKeyError) as e:
           raise KeyFormatError("could not parse public key (%s): %s" % (pub[b'p'],e))
-  return pk, keysize
+      ktag = b'rsa'
+  return pk, keysize, ktag
 
 #: Abstract base class for holding messages and options during DKIM/ARC signing and verification.
 class DomainSigner(object):
@@ -513,10 +551,14 @@ class DomainSigner(object):
         h, canon_policy, headers, include_headers, header, sig)
     self.logger.debug("sign %s headers: %r" % (header_name, h.hashed()))
 
+    if self.signature_algorithm == b'rsa-sha256' or self.signature_algorithm == b'rsa-sha1':
         try:
             sig2 = RSASSA_PKCS1_v1_5_sign(h, pk)
         except DigestTooLargeError:
             raise ParameterError("digest too large for modulus")
+    elif self.signature_algorithm == b'ed25519':
+        sigobj = pk.sign(h.digest())
+        sig2 = sigobj.signature
     # Folding b= is explicity allowed, but yahoo and live.com are broken
     #header_value += base64.b64encode(bytes(sig2))
     # Instead of leaving unfolded (which lets an MTA fold it later and still
@@ -539,7 +581,7 @@ class DomainSigner(object):
   def verify_sig(self, sig, include_headers, sig_header, dnsfunc):
     name = sig[b's'] + b"._domainkey." + sig[b'd'] + b"."
     try:
-      pk, self.keysize = load_pk_from_dns(name, dnsfunc)
+      pk, self.keysize, ktag = load_pk_from_dns(name, dnsfunc)
     except KeyFormatError as e:
       self.logger.error("%s" % e)
       return False
@@ -584,9 +626,9 @@ class DomainSigner(object):
     self.signed_headers = hash_headers(
         h, canon_policy, headers, include_headers, sig_header, sig)
     self.logger.debug("signed for %s: %r" % (sig_header[0], h.hashed()))
-
-    try:
     signature = base64.b64decode(re.sub(br"\s+", b"", sig[b'b']))
+    if ktag == b'rsa':
+        try:
             res = RSASSA_PKCS1_v1_5_verify(h, signature, pk)
             self.logger.debug("%s valid: %s" % (sig_header[0], res))
             if res and self.keysize < self.minkey:
@@ -594,6 +636,15 @@ class DomainSigner(object):
             return res
         except (TypeError,DigestTooLargeError) as e:
             raise KeyFormatError("digest too large for modulus: %s"%e)
+    elif ktag == b'ed25519':
+        try:
+            pk.verify(h.digest(), signature)
+            self.logger.debug("%s valid" % (sig_header[0]))
+            return True
+        except (nacl.exceptions.BadSignatureError) as e:
+            return False
+    else:
+        raise UnknownKeyTypeError(ktag)
 
 #: Hold messages and options during DKIM signing and verification.
 class DKIM(DomainSigner):
@@ -632,12 +683,17 @@ class DKIM(DomainSigner):
   #: @return: DKIM-Signature header field terminated by '\r\n'
   #: @raise DKIMException: when the message, include_headers, or key are badly
   #: formed.
-  def sign(self, selector, domain, privkey, identity=None,
+  def sign(self, selector, domain, privkey, signature_algorithm=None, identity=None,
         canonicalize=(b'relaxed',b'simple'), include_headers=None, length=False):
+    if signature_algorithm:
+        self.signature_algorithm = signature_algorithm
+    if self.signature_algorithm == b'rsa-sha256' or self.signature_algorithm == b'rsa-sha1':
         try:
             pk = parse_pem_private_key(privkey)
         except UnparsableKeyError as e:
             raise KeyFormatError(str(e))
+    elif self.signature_algorithm == b'ed25519':
+        pk = nacl.signing.SigningKey(privkey, encoder=nacl.encoding.Base64Encoder)
 
     if identity is not None and not identity.endswith(domain):
         raise ParameterError("identity must end with domain")

dkim/crypto.py

@@ -81,6 +81,7 @@ ASN1_RSAPrivateKey = [
 HASH_ALGORITHMS = {
     b'rsa-sha1': hashlib.sha1,
     b'rsa-sha256': hashlib.sha256,
+    b'ed25519': hashlib.sha256
     }
 
 # These values come from RFC 8017, section 9.2 Notes, page 46.

dkim/tests/__init__.py

@@ -28,6 +28,7 @@ def test_suite():
         test_canonicalization,
         test_crypto,
         test_dkim,
+        test_dkim_ed25519,
         test_util,
         test_arc,
         test_dnsplug,
@@ -36,6 +37,7 @@ def test_suite():
         test_canonicalization,
         test_crypto,
         test_dkim,
+        test_dkim_ed25519,
         test_util,
         test_arc,
         test_dnsplug,

dkim/tests/data/ed25519test.dns

@@ -0,0 +1 @@
+k=ed25519; p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=

dkim/tests/data/ed25519test.key

@@ -0,0 +1 @@
+fL+5V9EquCZAovKik3pA6Lk9zwCzoEtjIuIqK9ZXHHA=

dkim/tests/data/ed25519test.msg

@@ -0,0 +1,9 @@
+Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=jqd@d1.example; dkim=pass (1024-bit key) header.i=@d1.example; dmarc=pass
+Received: from localhost
+Message-ID: <example@example.com>
+Date: Mon, 01 Jan 2011 01:02:03 +0400
+From: Test User <test@example.com>
+To: somebody@example.com
+Subject: Testing
+
+This is a test message.

dkim/tests/data/ed25519test.verify.msg

@@ -0,0 +1,16 @@
+DKIM-Signature: v=1; a=ed25519; c=relaxed/simple; d=example.com;
+ i=@example.com; q=dns/txt; s=test; t=5; h=message-id :
+ date : from : to : subject : date : from : subject;
+ bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
+ b=wt7P+9DoBwcln1RKE3LN7069ZEEiSyVE/NH1YXnqnJy4JcrSCZUbeIEh
+ vXssPHelX4yNSXG9eTGTwwk5NxYqBw==
+Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=jqd@d1.example; dkim=pass (1024-bit key) header.i=@d1.example; dmarc=pass
+Received: from localhost
+Message-ID: <example@example.com>
+Date: Mon, 01 Jan 2011 01:02:03 +0400
+From: Test User <test@example.com>
+To: somebody@example.com
+Subject: Testing
+
+This is a test message.
+

dkim/tests/data/ed25519test2.msg

@@ -0,0 +1,11 @@
+DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=test.ex
+        ; s=sed; h=From:To:Subject; bh=/Ab0giHZitYQbDhFszoqQRUkgqueaX9zatJttIU/plc=;
+         b=5fhyD3EILDrnL4DnkD4hDaeis7+GSzL9GMHrhIDZJjuJ00WD5iI8SQ1q9rDfzFL/Kdw0VIyB4R
+        Dq0a4H6HI+Bw==;
+Received: from jgh by myhost.test.ex with local (Exim x.yz)
+        envelope-from <jgh@myhost.test.ex>)
+         1dtXln-0000YP-Hb
+         a@test.ex; Sun, 17 Sep 2017 12:29:51 +0100
+From: nobody@example.com
+
+content

dkim/tests/data/ed25519test3.msg

@@ -0,0 +1,16 @@
+DKIM-Signature: v=1; a=ed25519; c=relaxed/simple; d=kitterman.org;
+ i=@kitterman.org; q=dns/txt; s=ed25519; t=1517819503;
+ h=message-id : date : from : to : subject : date : from :
+ subject; bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
+ b=79R3A+GEIghZIWWOfAxXUEVI/NhyOCH0QWVhYV2+sN8MPVfPfYQAMRi0
+ mlXux2AHLc7yihFV5SJWrsvqm62uCw==
+Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=example.com; dmarc=pass
+Received: from localhost
+Message-ID: <example@example.com>
+Date: Mon, 01 Jan 2011 01:02:03 +0400
+From: Test User <test@example.com>
+To: somebody@example.com
+Subject: Testing
+
+This is a test message.
+

dkim/tests/data/ed25519test3.unsigned.msg

@@ -0,0 +1,9 @@
+Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=example.com; dmarc=pass
+Received: from localhost
+Message-ID: <example@example.com>
+Date: Mon, 01 Jan 2011 01:02:03 +0400
+From: Test User <test@example.com>
+To: somebody@example.com
+Subject: Testing
+
+This is a test message.

dkim/tests/data/eximtest.dns

@@ -0,0 +1 @@
+v=DKIM1; k=ed25519; p=sPs07Vu29FpHT/80UXUcYHFOHifD4o2ZlP2+XUh9g6E=

dkim/tests/data/test2.private

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDkHlOQoBTzWRiGs5V6NpP3idY6Wk08a5qhdR6wy5bdOKb2jLQi
+Y/J16JYi0Qvx/byYzCNb3W91y3FutACDfzwQ/BC/e/8uBsCR+yz1Lxj+PL6lHvqM
+KrM3rG4hstT5QjvHO9PzoxZyVYLzBfO2EeC3Ip3G+2kryOTIKT+l/K4w3QIDAQAB
+AoGAH0cxOhFZDgzXWhDhnAJDw5s4roOXN4OhjiXa8W7Y3rhX3FJqmJSPuC8N9vQm
+6SVbaLAE4SG5mLMueHlh4KXffEpuLEiNp9Ss3O4YfLiQpbRqE7Tm5SxKjvvQoZZe
+zHorimOaChRL2it47iuWxzxSiRMv4c+j70GiWdxXnxe4UoECQQDzJB/0U58W7RZy
+6enGVj2kWF732CoWFZWzi1FicudrBFoy63QwcowpoCazKtvZGMNlPWnC7x/6o8Gc
+uSe0ga2xAkEA8C7PipPm1/1fTRQvj1o/dDmZp243044ZNyxjg+/OPN0oWCbXIGxy
+WvmZbXriOWoSALJTjExEgraHEgnXssuk7QJBALl5ICsYMu6hMxO73gnfNayNgPxd
+WFV6Z7ULnKyV7HSVYF0hgYOHjeYe9gaMtiJYoo0zGN+L3AAtNP9huqkWlzECQE1a
+licIeVlo1e+qJ6Mgqr0Q7Aa7falZ448ccbSFYEPD6oFxiOl9Y9se9iYHZKKfIcst
+o7DUw1/hz2Ck4N5JrgUCQQCyKveNvjzkkd8HjYs0SwM0fPjK16//5qDZ2UiDGnOe
+uEzxBDAr518Z8VFbR41in3W4Y3yCDgQlLlcETrS+zYcL
+-----END RSA PRIVATE KEY-----

dkim/tests/data/test2.txt

@@ -0,0 +1 @@
+v=DKIM1; g=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkHlOQoBTzWRiGs5V6NpP3idY6Wk08a5qhdR6wy5bdOKb2jLQiY/J16JYi0Qvx/byYzCNb3W91y3FutACDfzwQ/BC/e/8uBsCR+yz1Lxj+PL6lHvqMKrM3rG4hstT5QjvHO9PzoxZyVYLzBfO2EeC3Ip3G+2kryOTIKT+l/K4w3QIDAQAB

dkim/tests/test_dkim.py

@@ -113,7 +113,7 @@ Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
                 self.assertTrue(res)
 
     def test_implicit_k(self):
-        # A message verifies after being signed.
+        # A message verifies after being signed when k= tag is not provided.
         for header_algo in (b"simple", b"relaxed"):
             for body_algo in (b"simple", b"relaxed"):
                 sig = dkim.sign(

dkim/tests/test_dkim_ed25519.py

@@ -0,0 +1,273 @@
+# This software is provided 'as-is', without any express or implied
+# warranty.  In no event will the author be held liable for any damages
+# arising from the use of this software.
+#
+# Permission is granted to anyone to use this software for any purpose,
+# including commercial applications, and to alter it and redistribute it
+# freely, subject to the following restrictions:
+#
+# 1. The origin of this software must not be misrepresented; you must not
+#    claim that you wrote the original software. If you use this software
+#    in a product, an acknowledgment in the product documentation would be
+#    appreciated but is not required.
+# 2. Altered source versions must be plainly marked as such, and must not be
+#    misrepresented as being the original software.
+# 3. This notice may not be removed or altered from any source distribution.
+#
+# Copyright (c) 2011 William Grant <me@williamgrant.id.au>
+# Copyright (c) 2017 Scott Kitterman <scott@kitterman.com>
+
+import email
+import os.path
+import unittest
+import time
+
+import dkim
+
+
+def read_test_data(filename):
+    """Get the content of the given test data file.
+
+    The files live in dkim/tests/data.
+    """
+    path = os.path.join(os.path.dirname(__file__), 'data', filename)
+    with open(path, 'rb') as f:
+        return f.read()
+
+
+class TestFold(unittest.TestCase):
+
+    def test_short_line(self):
+        self.assertEqual(
+            b"foo", dkim.fold(b"foo"))
+
+    def test_long_line(self):
+        # The function is terribly broken, not passing even this simple
+        # test.
+        self.assertEqual(
+            b"foo" * 24 + b"\r\n foo", dkim.fold(b"foo" * 25))
+
+
+class TestSignAndVerify(unittest.TestCase):
+    """End-to-end signature and verification tests."""
+
+    def setUp(self):
+        self.message = read_test_data("ed25519test.msg")
+        self.message2 = read_test_data("ed25519test2.msg")
+        self.key = read_test_data("ed25519test.key")
+
+    def dnsfunc(self, domain):
+        sample_dns = """\
+k=ed25519; \
+p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y="""
+
+        _dns_responses = {
+          'example._domainkey.canonical.com.': sample_dns,
+          'test._domainkey.example.com.': """v=DKIM1; k=ed25519; \
+p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=""",
+          '20120113._domainkey.gmail.com.': """k=ed25519; \
+p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=""",
+          'sed._domainkey.test.ex.': read_test_data("eximtest.dns")
+        }
+        try:
+            domain = domain.decode('ascii')
+        except UnicodeDecodeError:
+            return None
+        self.assertTrue(domain in _dns_responses,domain)
+        return _dns_responses[domain]
+
+    def test_verifies(self):
+        # A message verifies after being signed.
+        for header_algo in (b"simple", b"relaxed"):
+            for body_algo in (b"simple", b"relaxed"):
+                sig = dkim.sign(
+                    self.message, b"test", b"example.com", self.key,
+                    canonicalize=(header_algo, body_algo), signature_algorithm=b'ed25519')
+                res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
+                self.assertTrue(res)
+
+    def test_simple_signature(self):
+        # A message verifies after being signed with SHOULD headers
+        for header_algo in (b"simple", b"relaxed"):
+             for body_algo in (b"simple", b"relaxed"):
+                sig = dkim.sign(
+                    self.message, b"test", b"example.com", self.key,
+                    canonicalize=(header_algo, body_algo),
+                    include_headers=(b'from',) + dkim.DKIM.SHOULD,
+                    signature_algorithm=b'ed25519')
+                res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
+                self.assertTrue(res)
+
+    def test_verify_third_party(self):
+        # Message signed by prototype Exim implementation
+        res = dkim.verify(self.message2)
+        self.assertTrue(res)
+
+    def test_add_body_length(self):
+        sig = dkim.sign(
+            self.message, b"test", b"example.com", self.key, length=True,
+                signature_algorithm=b'ed25519')
+        msg = email.message_from_string(self.message.decode('utf-8'))
+        self.assertIn('; l=%s' % len(msg.get_payload() + '\n'), sig.decode('utf-8'))
+        res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
+        self.assertTrue(res)
+
+    def test_altered_body_fails(self):
+        # An altered body fails verification.
+        for header_algo in (b"simple", b"relaxed"):
+            for body_algo in (b"simple", b"relaxed"):
+                sig = dkim.sign(
+                    self.message, b"test", b"example.com", self.key,
+                    signature_algorithm=b'ed25519')
+                res = dkim.verify(
+                    sig + self.message + b"foo", dnsfunc=self.dnsfunc)
+                self.assertFalse(res)
+
+    def test_badly_encoded_domain_fails(self):
+        # Domains should be ASCII. Bad ASCII causes verification to fail.
+        sig = dkim.sign(self.message, b"test", b"example.com\xe9", self.key,
+            signature_algorithm=b'ed25519')
+        res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
+        self.assertFalse(res)
+
+    def test_dkim_signature_canonicalization(self):
+      # <https://bugs.launchpad.net/ubuntu/+source/pydkim/+bug/587783>
+      # Relaxed-mode header signing is wrong
+      # <https://bugs.launchpad.net/dkimpy/+bug/939128>
+      # Simple-mode signature header verification is wrong
+      # (should ignore FWS anywhere in signature tag: b=)
+      sample_msg = b"""\
+From: mbp@canonical.com
+To: scottk@example.com
+Subject: this is my
+    test message
+""".replace(b'\n', b'\r\n')
+
+      sample_privkey = b"""\
+fL+5V9EquCZAovKik3pA6Lk9zwCzoEtjIuIqK9ZXHHA=\
+"""
+
+      sample_pubkey = """\
+yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=\
+"""
+
+      for header_mode in [dkim.Relaxed, dkim.Simple]:
+
+        dkim_header = dkim.sign(sample_msg, b'example', b'canonical.com',
+            sample_privkey, canonicalize=(header_mode, dkim.Relaxed),
+            signature_algorithm=b'ed25519')
+        # Folding dkim_header affects b= tag only, since dkim.sign folds
+        # sig_value with empty b= before hashing, and then appends the
+        # signature.  So folding dkim_header again adds FWS to
+        # the b= tag only.  This should be ignored even with
+        # simple canonicalization.
+        # http://tools.ietf.org/html/rfc4871#section-3.5
+        signed = dkim.fold(dkim_header) + sample_msg
+        result = dkim.verify(signed,dnsfunc=self.dnsfunc)
+        self.assertTrue(result)
+        dkim_header = dkim.fold(dkim_header)
+        # use a tab for last fold to test tab in FWS bug
+        pos = dkim_header.rindex(b'\r\n ')
+        dkim_header = dkim_header[:pos]+b'\r\n\t'+dkim_header[pos+3:]
+        result = dkim.verify(dkim_header + sample_msg,
+                dnsfunc=self.dnsfunc)
+        self.assertTrue(result)
+
+    def test_extra_headers(self):
+        # <https://bugs.launchpad.net/dkimpy/+bug/737311>
+        # extra headers above From caused failure
+        #message = read_test_data("test_extra.message")
+        message = read_test_data("message.mbox")
+        for header_algo in (b"simple", b"relaxed"):
+            for body_algo in (b"simple", b"relaxed"):
+                d = dkim.DKIM(message)
+                # bug requires a repeated header to manifest
+                d.should_not_sign.remove(b'received')
+                sig = d.sign(b"test", b"example.com", self.key,
+                    signature_algorithm=b'ed25519',
+                    include_headers=d.all_sign_headers(),
+                    canonicalize=(header_algo, body_algo))
+                dv = dkim.DKIM(sig + message)
+                res = dv.verify(dnsfunc=self.dnsfunc)
+                self.assertEquals(d.include_headers,dv.include_headers)
+                s = dkim.select_headers(d.headers,d.include_headers)
+                sv = dkim.select_headers(dv.headers,dv.include_headers)
+                self.assertEquals(s,sv)
+                self.assertTrue(res)
+
+    def test_multiple_from_fails(self):
+        # <https://bugs.launchpad.net/dkimpy/+bug/644046>
+        # additional From header fields should cause verify failure
+        hfrom = b'From: "Resident Evil" <sales@spammer.com>\r\n'
+        h,b = self.message.split(b'\n\n',1)
+        for header_algo in (b"simple", b"relaxed"):
+            for body_algo in (b"simple", b"relaxed"):
+                sig = dkim.sign(
+                    self.message, b"test", b"example.com", self.key,
+                    signature_algorithm=b'ed25519')
+                # adding an unknown header still verifies
+                h1 = h+b'\r\n'+b'X-Foo: bar'
+                message = b'\n\n'.join((h1,b))
+                res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
+                self.assertTrue(res)
+                # adding extra from at end should not verify
+                h1 = h+b'\r\n'+hfrom.strip()
+                message = b'\n\n'.join((h1,b))
+                res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
+                self.assertFalse(res)
+                # add extra from in front should not verify either
+                h1 = hfrom+h
+                message = b'\n\n'.join((h1,b))
+                res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
+                self.assertFalse(res)
+
+    def test_no_from_fails(self):
+        # Body From is mandatory to be in the message and mandatory to sign
+        sigerror = False
+        sig = ''
+        message = read_test_data('test_nofrom.message')
+        selector = 'test'
+        domain = 'example.com'
+        identity = None
+        try:
+            sig = dkim.sign(message, selector, domain,
+                read_test_data('ed25519test.key'), identity = identity,
+                signature_algorithm=b'ed25519')
+        except dkim.ParameterError as x:
+            sigerror = True
+        self.assertTrue(sigerror)
+
+    def test_validate_signature_fields(self):
+      sig = {b'v': b'1',
+      b'a': b'ed25519',
+      b'b': b'K/UUOt8lCtgjp3kSTogqBm9lY1Yax/NwZ+bKm39/WKzo5KYe3L/6RoIA/0oiDX4kO\n \t Qut49HCV6ZUe6dY9V5qWBwLanRs1sCnObaOGMpFfs8tU4TWpDSVXaNZAqn15XVW0WH\n \t EzOzUfVuatpa1kF4voIgSbmZHR1vN3WpRtcTBe/I=',
+      b'bh': b'n0HUwGCP28PkesXBPH82Kboy8LhNFWU9zUISIpAez7M=',
+      b'c': b'simple/simple',
+      b'd': b'kitterman.com',
+      b'i': b'scott@Kitterman.com',
+      b'h': b'From:To:Subject:Date:Cc:MIME-Version:Content-Type:\n \t Content-Transfer-Encoding:Message-Id',
+      b's': b'2007-00',
+      b't': b'1299525798'}
+      dkim.validate_signature_fields(sig)
+      # try new version
+      sigVer = sig.copy()
+      sigVer[b'v'] = 2
+      self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigVer)
+      # try with x
+      sigX = sig.copy()
+      sigX[b'x'] = b'1399525798'
+      dkim.validate_signature_fields(sig)
+      # try with late t
+      sigX[b't'] = b'1400000000'
+      self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigX)
+      # try without t
+      now = int(time.time())
+      sigX[b'x'] = str(now+400000).encode('ascii')
+      dkim.validate_signature_fields(sigX)
+      # try when expired a day ago
+      sigX[b'x'] = str(now - 24*3600).encode('ascii')
+      self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigX)
+
+def test_suite():
+    from unittest import TestLoader
+    return TestLoader().loadTestsFromName(__name__)

dkimsign.py

@@ -44,7 +44,7 @@ parser.add_argument('--hcanon', choices=['simple', 'relaxed'],
 parser.add_argument('--bcanon', choices=['simple', 'relaxed'],
     default='simple',
     help='Body canonicalization algorithm: default=simple')
-parser.add_argument('--signalg', choices=['rsa-sha256', 'rsa-sha1'],
+parser.add_argument('--signalg', choices=['rsa-sha256', 'ed25519', 'rsa-sha1'],
     default='rsa-sha256',
     help='Signature algorithm: default=rsa-sha256')
 parser.add_argument('--identity', help='Optional value for i= tag.')

dknewkey.py

@@ -52,12 +52,13 @@ def GenEd25519Keys(private_key_file):
     Output is unprotected.  You should encrypt your keys.
     """
     import nacl.signing # Yes, pep-8, but let's not make everyone install nacl
+    import nacl.encoding
     import os
     skg = nacl.signing.SigningKey(seed=os.urandom(32))
     priv_key = skg.generate()
     print >> sys.stderr, 'generating ' + private_key_file
     pkf = open(private_key_file, "w+")
-    print >> pkf, base64.b64encode(bytes(priv_key))
+    print >> pkf, priv_key.encode(encoder=nacl.encoding.Base64Encoder)
     pkf.close()
     return(priv_key)
 
@@ -81,7 +82,9 @@ def ExtractRSADnsPublicKey(private_key_file, dns_file):
 def ExtractEd25519PublicKey(private_key_file, dns_file, priv_key):
     """ Given a ed25519 key, extract the bit we should place in DNS.
     """
-    output = base64.b64encode(bytes(priv_key.verify_key))
+    import nacl.encoding # Yes, pep-8, but let's not make everyone install nacl
+    pubkey = priv_key.verify_key
+    output = pubkey.encode(encoder=nacl.encoding.Base64Encoder)
     dns_fp = open(dns_file, "w+")
     print >> sys.stderr, 'writing ' + dns_file
     print >> dns_fp, "k=ed25519; p={0}".format(output)