From cd0ebc1ecbfd73a888a22c08d8639326d78a2fb8 Mon Sep 17 00:00:00 2001
From: Scott Kitterman <scott@kitterman.com>
Date: Tue, 30 Oct 2018 08:13:06 -0400
Subject: [PATCH]     - Updates for experimental ARC support:       - Limit to
 rsa-sha256, rsa-sha1 not used by ARC and multi-signature         design TBD

---
 ChangeLog        | 3 +++
 dkim/__init__.py | 9 +++++++--
 dkim/crypto.py   | 5 +++++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4ca8318..c2f58b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
 UNRELEASED Version 0.8.2
+    - Updates for experimental ARC support:
+      - Limit to rsa-sha256, rsa-sha1 not used by ARC and multi-signature
+        design TBD
     - Fix DNS lookups to be compatible with EAI addresses in domains and
       selectors (John Levine)
     - Add type Hinting for sign and verify functions (LP: #1782596)
diff --git a/dkim/__init__.py b/dkim/__init__.py
index b7e5ca1..9ea29cb 100644
--- a/dkim/__init__.py
+++ b/dkim/__init__.py
@@ -60,6 +60,7 @@ from dkim.canonicalization import Relaxed as RelaxedCanonicalization
 from dkim.crypto import (
     DigestTooLargeError,
     HASH_ALGORITHMS,
+    ARC_HASH_ALGORITHMS,
     parse_pem_private_key,
     parse_public_key,
     RSASSA_PKCS1_v1_5_sign,
@@ -251,11 +252,15 @@ def validate_signature_fields(sig, mandatory_fields=[b'v', b'a', b'b', b'bh', b'
     @param mandatory_fields: A list of non-optional fields
     @param arc: flag to differentiate between dkim & arc
     """
+    if arc:
+        hashes = ARC_HASH_ALGORITHMS
+    else:
+        hashes = HASH_ALGORITHMS
     for field in mandatory_fields:
         if field not in sig:
             raise ValidationError("missing %s=" % field)
 
-    if b'a' in sig and not sig[b'a'] in HASH_ALGORITHMS:
+    if b'a' in sig and not sig[b'a'] in hashes:
         raise ValidationError("unknown signature algorithm: %s" % sig[b'a'])
 
     if b'b' in sig:
@@ -1242,7 +1247,7 @@ def arc_sign(message, selector, domain, privkey,
     @raise DKIMException: when the message, include_headers, or key are badly formed.
     """
 
-    a = ARC(message,logger=logger,signature_algorithm=signature_algorithm)
+    a = ARC(message,logger=logger,signature_algorithm=b'rsa-sha256')
     if not include_headers:
         include_headers = a.default_sign_headers()
     return a.sign(selector, domain, privkey, srv_id, include_headers=include_headers,
diff --git a/dkim/crypto.py b/dkim/crypto.py
index 39d89fe..144bbde 100644
--- a/dkim/crypto.py
+++ b/dkim/crypto.py
@@ -23,6 +23,7 @@
 __all__ = [
     'DigestTooLargeError',
     'HASH_ALGORITHMS',
+    'ARC_HASH_ALGORITHMS',
     'parse_pem_private_key',
     'parse_private_key',
     'parse_public_key',
@@ -85,6 +86,10 @@ HASH_ALGORITHMS = {
     b'ed25519-sha256': hashlib.sha256
     }
 
+ARC_HASH_ALGORITHMS = {
+    b'rsa-sha256': hashlib.sha256,
+    }
+
 # These values come from RFC 8017, section 9.2 Notes, page 46.
 HASH_ID_MAP = {
     'sha1': b"\x2b\x0e\x03\x02\x1a",