From 8365b52ac85787060d2962649a576722faa6f876 Mon Sep 17 00:00:00 2001
From: Scott Kitterman
Date: Fri, 9 Aug 2019 09:21:26 -0400
Subject: [PATCH] =?UTF-8?q?=20=20=20=20-=20Fix=20default=20canonicalizatio?=
 =?UTF-8?q?n=20for=20DKIM=20signature=20verification=20to=20be=20=20=20=20?=
 =?UTF-8?q?=20=20=20simple/simple=20per=20RFC=206376=20(LP:=20#1839299)=20?=
 =?UTF-8?q?(Thanks=20to=20Cyril=20Nicod=C3=A8me=20for=20=20=20=20=20=20=20?=
 =?UTF-8?q?the=20report=20and=20a=20suggested=20fix)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ChangeLog | 3 +++
 dkim/__init__.py | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 2c0238e..fc8d164 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 UNRELEASED Version 0.9.3
   - Fix linesep setting in arcsign script (LP: #1838262) (Thanks to Gowtham
     Gopalakrishnan for the report and the patch)
+  - Fix default canonicalization for DKIM signature verification to be
+    simple/simple per RFC 6376 (LP: #1839299) (Thanks to Cyril Nicodème for
+    the report and a suggested fix)
 
 2019-04-14 Version 0.9.2
   - Fix the arcsign script so it works with the current API (Note: the new
diff --git a/dkim/__init__.py b/dkim/__init__.py
index 32ce8ba..dc11dfe 100644
--- a/dkim/__init__.py
+++ b/dkim/__init__.py
@@ -667,7 +667,7 @@ class DomainSigner(object):
       return False
 
     try:
-      canon_policy = CanonicalizationPolicy.from_c_value(sig.get(b'c', b'relaxed/relaxed'))
+      canon_policy = CanonicalizationPolicy.from_c_value(sig.get(b'c', b'simple/simple'))
     except InvalidCanonicalizationPolicyError as e:
       raise MessageFormatError("invalid c= value: %s" % e.args[0])
 
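Review bot: The new `simple/simple` default on the `canon_policy` line carries no comment saying where it comes from, and because `verify_sig` is also the routine the ARC path calls, a reader of this line alone cannot see that DKIM and ARC now treat an absent c= tag differently. Add above the `try:` a line such as `# RFC 6376 section 3.5: an absent c= tag means simple/simple; the ARC verification path fills in its own c= before calling`. The enclosing `verify_sig` body starts and ends outside the hunk, so it is not visible whether the default is documented in its docstring.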
@@ -1189,6 +1189,9 @@ class ARC(DomainSigner):
     # and this can use simple canonicalization
     raw_ams_header = [(x, y) for (x, y) in self.headers if x.lower() ==
                       b'arc-message-signature'][0]
+    # Only relaxed canonicalization used by ARC
+    if b'c' not in sig:
+      sig[b'c'] = b'relaxed/relaxed'
     try:
       ams_valid = self.verify_sig(sig, include_headers, raw_ams_header, dnsfunc)
     except DKIMException as e:
@@ -1217,6 +1220,9 @@ class ARC(DomainSigner):
     as_include_headers = [x[0].lower() for x in arc_headers]
     as_include_headers.reverse()
     as_header = (b'ARC-Seal', b' ' + as_value)
+    # Only relaxed canonicalization used by ARC
+    if b'c' not in sig:
+      sig[b'c'] = b'relaxed/relaxed'
     try:
       as_valid = self.verify_sig(sig, as_include_headers[:-1], as_header, dnsfunc)
     except DKIMException as e:
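Review bot: The added `if b'c' not in sig: sig[b'c'] = b'relaxed/relaxed'` writes the default into the caller's parsed signature dict rather than applying it locally, so after this hunk (and the identical block in the ARC-Seal hunk below) `sig` no longer matches what was parsed from the header, and if `sig` is reused afterwards the injected tag persists. The same two-line default is now duplicated in both ARC hunks while the `simple/simple` default lives in `DomainSigner`, which is the kind of split that drifts apart silently. A single place would be cleaner: give `verify_sig` a keyword argument such as `default_c=b'simple/simple'` and use `sig.get(b'c', default_c)` there, with both ARC call sites passing `default_c=b'relaxed/relaxed'` and leaving `sig` untouched. If the comment's claim that ARC uses only relaxed canonicalization rests on RFC 8617, name the section in the comment so the next reader does not have to re-derive it. Both enclosing methods start and end outside their hunks.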