- Refactored dknewkey so that it correctly writes out text instead of bytes
This commit is contained in:
Scott Kitterman
@@ -1,6 +1,8 @@
|
|||||||
UNRELEASED Version 0.9.1
|
UNRELEASED Version 0.9.1
|
||||||
- Fixed ARC verification to fail if h= tag is present in Arc-Seal and
|
- Fixed ARC verification to fail if h= tag is present in Arc-Seal and
|
||||||
added tests
|
added tests
|
||||||
|
- Refactored dknewkey so that it correctly writes out text instead of
|
||||||
|
bytes
|
||||||
|
|
||||||
2018-10-30 Version 0.9.0
|
2018-10-30 Version 0.9.0
|
||||||
- Update oversigned (frozen) header field list to reduce signature
|
- Update oversigned (frozen) header field list to reduce signature
|
||||||
|
|||||||
+26
-32
@@ -25,6 +25,7 @@
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
from __future__ import print_function
|
||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
@@ -39,61 +40,60 @@ BITS_REQUIRED = 2048
|
|||||||
# what openssl binary do we use to do key manipulation?
|
# what openssl binary do we use to do key manipulation?
|
||||||
OPENSSL_BINARY = '/usr/bin/openssl'
|
OPENSSL_BINARY = '/usr/bin/openssl'
|
||||||
|
|
||||||
|
def eprint(*args, **kwargs):
|
||||||
|
print(*args, file=sys.stderr, **kwargs)
|
||||||
|
|
||||||
def GenRSAKeys(private_key_file):
|
def GenRSAKeys(private_key_file):
|
||||||
""" Generates a suitable private key. Output is unprotected.
|
""" Generates a suitable private key. Output is unprotected.
|
||||||
You should encrypt your keys.
|
You should encrypt your keys.
|
||||||
"""
|
"""
|
||||||
print >> sys.stderr, 'generating ' + private_key_file
|
eprint('generating ' + private_key_file)
|
||||||
subprocess.check_call([OPENSSL_BINARY, 'genrsa', '-out', private_key_file,
|
subprocess.check_call([OPENSSL_BINARY, 'genrsa', '-out', private_key_file,
|
||||||
str(BITS_REQUIRED)])
|
str(BITS_REQUIRED)])
|
||||||
|
|
||||||
|
|
||||||
def GenEd25519Keys(private_key_file):
|
def GenEd25519Keys(private_key_file):
|
||||||
"""Generates a base64 encoded private key for ed25519 DKIM signing.
|
"""Generates a base64 encoded private key for ed25519 DKIM signing.
|
||||||
Output is unprotected. You should encrypt your keys.
|
Output is unprotected. You should protect your keys.
|
||||||
"""
|
"""
|
||||||
import nacl.signing # Yes, pep-8, but let's not make everyone install nacl
|
import nacl.signing # Yes, pep-8, but let's not make everyone install nacl
|
||||||
import nacl.encoding
|
import nacl.encoding
|
||||||
import os
|
import os
|
||||||
skg = nacl.signing.SigningKey(seed=os.urandom(32))
|
skg = nacl.signing.SigningKey(seed=os.urandom(32))
|
||||||
|
eprint('generating ' + private_key_file)
|
||||||
priv_key = skg.generate()
|
priv_key = skg.generate()
|
||||||
print >> sys.stderr, 'generating ' + private_key_file
|
with open(private_key_file, 'w') as pkf:
|
||||||
pkf = open(private_key_file, "w+")
|
pkf.write(priv_key.encode(encoder=nacl.encoding.Base64Encoder).decode("utf-8"))
|
||||||
print >> pkf, priv_key.encode(encoder=nacl.encoding.Base64Encoder)
|
|
||||||
pkf.close()
|
|
||||||
return(priv_key)
|
return(priv_key)
|
||||||
|
|
||||||
|
|
||||||
def ExtractRSADnsPublicKey(private_key_file, dns_file):
|
def ExtractRSADnsPublicKey(private_key_file, dns_file):
|
||||||
""" Given a key, extract the bit we should place in DNS.
|
""" Given a key, extract the bit we should place in DNS.
|
||||||
"""
|
"""
|
||||||
print >> sys.stderr, 'extracting ' + private_key_file
|
eprint('extracting ' + private_key_file)
|
||||||
working_file = tempfile.NamedTemporaryFile(delete=False).name
|
working_file = tempfile.NamedTemporaryFile(delete=False).name
|
||||||
subprocess.check_call([OPENSSL_BINARY, 'rsa', '-in', private_key_file,
|
subprocess.check_call([OPENSSL_BINARY, 'rsa', '-in', private_key_file,
|
||||||
'-out', working_file, '-pubout', '-outform', 'PEM'])
|
'-out', working_file, '-pubout', '-outform', 'PEM'])
|
||||||
cmd = 'grep -v ^-- %s | tr -d \'\\n\'' % working_file
|
|
||||||
try:
|
try:
|
||||||
output = subprocess.check_output(cmd, shell=True)
|
with open(working_file) as wf:
|
||||||
|
y = ''
|
||||||
|
for line in wf.readlines():
|
||||||
|
if not line.startswith('---'):
|
||||||
|
y+= line
|
||||||
|
output = ''.join(y.split())
|
||||||
finally:
|
finally:
|
||||||
os.unlink(working_file)
|
os.unlink(working_file)
|
||||||
dns_fp = open(dns_file, "w+")
|
with open(dns_file, 'w') as dns_fp:
|
||||||
print >> sys.stderr, 'writing ' + dns_file
|
eprint('writing ' + dns_file)
|
||||||
print >> dns_fp, "k=rsa; h=sha256; p={0}".format(output)
|
dns_fp.write("v=DKIM1; k=rsa; h=sha256; p={0}".format(output))
|
||||||
dns_fp.close()
|
|
||||||
|
|
||||||
|
def ExtractEd25519PublicKey(dns_file, priv_key):
|
||||||
def ExtractEd25519PublicKey(private_key_file, dns_file, priv_key):
|
|
||||||
""" Given a ed25519 key, extract the bit we should place in DNS.
|
""" Given a ed25519 key, extract the bit we should place in DNS.
|
||||||
"""
|
"""
|
||||||
import nacl.encoding # Yes, pep-8, but let's not make everyone install nacl
|
import nacl.encoding # Yes, pep-8, but let's not make everyone install nacl
|
||||||
pubkey = priv_key.verify_key
|
pubkey = priv_key.verify_key
|
||||||
output = pubkey.encode(encoder=nacl.encoding.Base64Encoder)
|
output = pubkey.encode(encoder=nacl.encoding.Base64Encoder).decode("utf-8")
|
||||||
dns_fp = open(dns_file, "w+")
|
with open(dns_file, 'w') as dns_fp:
|
||||||
print >> sys.stderr, 'writing ' + dns_file
|
eprint('writing ' + dns_file)
|
||||||
print >> dns_fp, "k=ed25519; p={0}".format(output)
|
dns_fp.write("v=DKIM1; k=ed25519; p={0}".format(output))
|
||||||
dns_fp.close()
|
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
parser = argparse.ArgumentParser(
|
parser = argparse.ArgumentParser(
|
||||||
@@ -103,12 +103,6 @@ def main():
|
|||||||
default='rsa',
|
default='rsa',
|
||||||
help='DKIM key type: Default is rsa')
|
help='DKIM key type: Default is rsa')
|
||||||
args=parser.parse_args()
|
args=parser.parse_args()
|
||||||
if sys.version_info[0] >= 3:
|
|
||||||
args.key_name = bytes(args.key_name, encoding='UTF-8')
|
|
||||||
args.ktype = bytes(args.ktype, encoding='UTF-8')
|
|
||||||
# Make sys.stdin and stdout binary streams.
|
|
||||||
sys.stdin = sys.stdin.detach()
|
|
||||||
sys.stdout = sys.stdout.detach()
|
|
||||||
|
|
||||||
key_name = args.key_name
|
key_name = args.key_name
|
||||||
key_type = args.ktype
|
key_type = args.ktype
|
||||||
@@ -120,9 +114,9 @@ def main():
|
|||||||
ExtractRSADnsPublicKey(private_key_file, dns_file)
|
ExtractRSADnsPublicKey(private_key_file, dns_file)
|
||||||
elif key_type == 'ed25519':
|
elif key_type == 'ed25519':
|
||||||
priv_key = GenEd25519Keys(private_key_file)
|
priv_key = GenEd25519Keys(private_key_file)
|
||||||
ExtractEd25519PublicKey(private_key_file, dns_file, priv_key)
|
ExtractEd25519PublicKey(dns_file, priv_key)
|
||||||
else:
|
else:
|
||||||
print >> sys.stderr, "Unknown key type - no key generated."
|
eprint("Unknown key type - no key generated.")
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
|
|||||||
Reference in New Issue
Block a user