DandelionNStuff/dkimpy-smtputf8
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed ARC verification to fail is h= tag is present in Arc-Seal, added test, bumped version to start 0.9.1

Browse Source
This commit is contained in:
Scott Kitterman
2018-11-09 19:58:11 -05:00
parent d659c496e5
commit c3eb342611
4 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ChangeLog
+4
View File
@@ -1,3 +1,7 @@
UNRELEASED Version 0.9.1
- Fixed ARC verification to fail if h= tag is present in Arc-Seal and
added tests
2018-10-30 Version 0.9.0 2018-10-30 Version 0.9.0
- Update oversigned (frozen) header field list to reduce signature - Update oversigned (frozen) header field list to reduce signature
fragility (removes 'date' and 'subject' fields from being oversigned by fragility (removes 'date' and 'subject' fields from being oversigned by
dkim/__init__.py
+5 -1
View File
@@ -1056,7 +1056,8 @@ class ARC(DomainSigner):
# reversing the order of the headers accomplishes this # reversing the order of the headers accomplishes this
if chain_validation_status == CV_Fail: if chain_validation_status == CV_Fail:
self.headers.reverse() self.headers.reverse()
if b'h' in as_fields:
raise ValidationError("h= tag not permitted in ARC-Seal header field")
res = self.gen_header(as_fields, as_include_headers, canon_policy, res = self.gen_header(as_fields, as_include_headers, canon_policy,
b"ARC-Seal", pk, standardize) b"ARC-Seal", pk, standardize)
@@ -1190,6 +1191,9 @@ class ARC(DomainSigner):
self.logger.debug("as sig[%d]: %r" % (instance, sig)) self.logger.debug("as sig[%d]: %r" % (instance, sig))
validate_signature_fields(sig, [b'i', b'a', b'b', b'cv', b'd', b's'], True) validate_signature_fields(sig, [b'i', b'a', b'b', b'cv', b'd', b's'], True)
if b'h' in sig:
raise ValidationError("h= tag not permitted in ARC-Seal header field")
output['as-domain'] = sig[b'd'] output['as-domain'] = sig[b'd']
output['as-selector'] = sig[b's'] output['as-selector'] = sig[b's']
output['cv'] = sig[b'cv'] output['cv'] = sig[b'cv']
dkim/tests/test_arc.py
+9
View File
@@ -81,6 +81,15 @@ Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
(cv, res, reason) = dkim.arc_verify(b''.join(sig_lines) + self.message, dnsfunc=self.dnsfunc) (cv, res, reason) = dkim.arc_verify(b''.join(sig_lines) + self.message, dnsfunc=self.dnsfunc)
self.assertEqual(cv, dkim.CV_Pass) self.assertEqual(cv, dkim.CV_Pass)
def test_fails_h_in_as(self):
# ARC 4.1.3, h= not allowed in AS
self.maxDiff = None
sig_lines = [b'ARC-Seal: i=1; cv=none; a=rsa-sha256; d=example.com; s=test; t=12345; \r\n h=message-id : date : from : to : subject : from; \r\n b=mIurIuLl0/wAxWhA4DBS1wsUE15IBnmJ7o3sH15hIuesdD4smz1cCLXVhRtxQE\r\n rVtVLv4OgNCgdFsB5zbSOUao2bSSYP6y0BGyCWvr+hU4tai5axIc1Kfwbtv/0Mqg\r\n waiGJPreOAAeZOJ4vPfdaAbSXlN5MI4PHW89U82FSIBKI=\r\n', b'ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; \r\n d=example.com; s=test; t=12345; h=message-id : \r\n date : from : to : subject : from; \r\n bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=; \r\n b=a0f6qc3k9eECTSR155A0TQS+LjqPFWfI/brQBA83EUz00SNxj\r\n 1wmWykvs1hhBVeM0r1kEQc6CKbzRYaBNSiFj4q8JBpRIujLz1qL\r\n yGmPuAI6ddu/Z/1hQxgpVcp/odmI1UMV2R+d+yQ7tUp3EQxF/GY\r\n Nt22rV4rNmDmANZVqJ90=\r\n', b'ARC-Authentication-Results: i=1; lists.example.org; arc=none;\r\n spf=pass smtp.mfrom=jqd@d1.example;\r\n dkim=pass (1024-bit key) header.i=@d1.example;\r\n dmarc=pass\r\n']
(cv, res, reason) = dkim.arc_verify(b''.join(sig_lines) + self.message, dnsfunc=self.dnsfunc)
self.assertEqual(cv, dkim.CV_Fail)
def test_suite(): def test_suite():
from unittest import TestLoader from unittest import TestLoader
setup.py
+1 -1
View File
@@ -25,7 +25,7 @@ from setuptools import setup
import os import os
import sys import sys
version = "0.9.0" version = "0.9.1"
kw = {} # Work-around for lack of 'or' requires in setuptools. kw = {} # Work-around for lack of 'or' requires in setuptools.
try: try: