Invalid Authentication-Results header fields are ignored for ARC signing

(LP: #1884044)

ChangeLog

@@ -17,6 +17,8 @@ Version 1.1.0
       installed (LP: #1954331) - see README.md for details
     - Add new dkim.DnsTimeoutError class to report queried domain and selector
       along with timeout error from dnspython (LP: #1873449)
+    - Invalid Authentication-Results header fields are ignored for ARC signing
+      (LP: #1884044)
 
 2019-12-31 Version 1.0.2
     - dknewkey: On posix operating systems set file permissions to 600 for

README.md

@@ -176,6 +176,9 @@ https://tools.ietf.org/html/rfc8617
 In addition to arcsign and arcverify, the dkim module now provides
 arc_sign and arc_verify functions as well as an ARC class.
 
+If an invalid authentication results header field is included in the set for
+ARC, it is ignored and no error is raised.
+
 Both DKIM ed25519 and ARC are now considered stable (no longer experimantal).
 
 ## ASYNC SUPPORT

dkim/__init__.py

@@ -45,7 +45,7 @@ USE_ASYNC = True
 
 # only needed for arc
 try:
-    from authres import AuthenticationResultsHeader
+    import authres
 except ImportError:
     pass
 
@@ -1037,10 +1037,10 @@ class ARC(DomainSigner):
     self.add_should_not(('Authentication-Results',))
     # check if authres has been imported
     try:
-        AuthenticationResultsHeader
+        authres.AuthenticationResultsHeader
     except:
         self.logger.debug("authres package not installed")
-        raise AuthresNotFoundError
+        raise authres.AuthresNotFoundError
 
     try:
         pk = parse_pem_private_key(privkey)
@@ -1049,8 +1049,14 @@ class ARC(DomainSigner):
 
     # extract, parse, filter & group AR headers
     ar_headers = [res.strip() for [ar, res] in self.headers if ar == b'Authentication-Results']
-    grouped_headers = [(res, AuthenticationResultsHeader.parse('Authentication-Results: ' + res.decode('utf-8')))
-                       for res in ar_headers]
+
+    grouped_headers = []
+    for res in ar_headers:
+        try: # see LP: #1884044
+            grouped_headers.append((res, authres.AuthenticationResultsHeader.parse('Authentication-Results: ' + res.decode('utf-8'))))
+        except authres.core.SyntaxError:
+            # Skip over invalid AR header fields
+            pass
     auth_headers = [res for res in grouped_headers if res[1].authserv_id == srv_id.decode('utf-8')]
 
     if len(auth_headers) == 0:
@@ -1064,7 +1070,7 @@ class ARC(DomainSigner):
     auth_results = srv_id + b'; ' + (b';' + self.linesep + b'  ').join(results)
 
     # extract cv
-    parsed_auth_results = AuthenticationResultsHeader.parse('Authentication-Results: ' + auth_results.decode('utf-8'))
+    parsed_auth_results = authres.AuthenticationResultsHeader.parse('Authentication-Results: ' + auth_results.decode('utf-8'))
     arc_results = [res for res in parsed_auth_results.results if res.method == 'arc']
     if len(arc_results) == 0:
       chain_validation_status = CV_None