- Updates for experimental ARC support:

- Limit to rsa-sha256, rsa-sha1 not used by ARC and multi-signature design TBD
2018-10-30 08:13:06 -04:00
parent 3aaa7e2ab5
commit cd0ebc1ecb
3 changed files with 15 additions and 2 deletions
@@ -1,4 +1,7 @@
 UNRELEASED Version 0.8.2
+    - Updates for experimental ARC support:
+      - Limit to rsa-sha256, rsa-sha1 not used by ARC and multi-signature
+        design TBD
    - Fix DNS lookups to be compatible with EAI addresses in domains and
      selectors (John Levine)
    - Add type Hinting for sign and verify functions (LP: #1782596)
@@ -60,6 +60,7 @@ from dkim.canonicalization import Relaxed as RelaxedCanonicalization
 from dkim.crypto import (
    DigestTooLargeError,
    HASH_ALGORITHMS,
+    ARC_HASH_ALGORITHMS,
    parse_pem_private_key,
    parse_public_key,
    RSASSA_PKCS1_v1_5_sign,
@@ -251,11 +252,15 @@ def validate_signature_fields(sig, mandatory_fields=[b'v', b'a', b'b', b'bh', b'
    @param mandatory_fields: A list of non-optional fields
    @param arc: flag to differentiate between dkim & arc
    """
+    if arc:
+        hashes = ARC_HASH_ALGORITHMS
+    else:
+        hashes = HASH_ALGORITHMS
    for field in mandatory_fields:
        if field not in sig:
            raise ValidationError("missing %s=" % field)

-    if b'a' in sig and not sig[b'a'] in HASH_ALGORITHMS:
+    if b'a' in sig and not sig[b'a'] in hashes:
        raise ValidationError("unknown signature algorithm: %s" % sig[b'a'])

    if b'b' in sig:
@@ -1242,7 +1247,7 @@ def arc_sign(message, selector, domain, privkey,
    @raise DKIMException: when the message, include_headers, or key are badly formed.
    """

-    a = ARC(message,logger=logger,signature_algorithm=signature_algorithm)
+    a = ARC(message,logger=logger,signature_algorithm=b'rsa-sha256')
    if not include_headers:
        include_headers = a.default_sign_headers()
    return a.sign(selector, domain, privkey, srv_id, include_headers=include_headers,
@@ -23,6 +23,7 @@
 __all__ = [
    'DigestTooLargeError',
    'HASH_ALGORITHMS',
+    'ARC_HASH_ALGORITHMS',
    'parse_pem_private_key',
    'parse_private_key',
    'parse_public_key',
@@ -85,6 +86,10 @@ HASH_ALGORITHMS = {
    b'ed25519-sha256': hashlib.sha256
    }

+ARC_HASH_ALGORITHMS = {
+    b'rsa-sha256': hashlib.sha256,
+    }
+
 # These values come from RFC 8017, section 9.2 Notes, page 46.
 HASH_ID_MAP = {
    'sha1': b"\x2b\x0e\x03\x02\x1a",