From d1360c8e25d0348948aadab045f1bce5ea99e146 Mon Sep 17 00:00:00 2001
From: Scott Kitterman <scott@kitterman.com>
Date: Tue, 21 Apr 2020 20:29:45 -0400
Subject: [PATCH] Add tests for invalid domains, probably not a security issue
 in the DKIM context, but we should raise errors here.

---
 dkim/tests/data/test.message.baddomain | 16 ++++++++++++++
 dkim/tests/test_dkim.py                | 30 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 dkim/tests/data/test.message.baddomain

diff --git a/dkim/tests/data/test.message.baddomain b/dkim/tests/data/test.message.baddomain
new file mode 100644
index 0000000..0428fbf
--- /dev/null
+++ b/dkim/tests/data/test.message.baddomain
@@ -0,0 +1,16 @@
+DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
+ d=legitimate.com(.attacker.com; i=@legitimate.com(.attacker.com;
+ q=dns/txt; s=test; t=1587514615; h=message-id : date : from : to :
+ subject : from; bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
+ b=LsTV4fcR29N8CuUyrGn92jsTb67oAHx88vVIefoaUDghWxF5TpCyqcWbk/94Nt4PyxwUZ
+ pgzF4UM/zF1rclCeNm/V4m0wMj3X2eeOIUUa8GRQ0g7DzixiQ5qHLUGpRT4BHfPmdHZHYj8
+ xv7+1O0/SJDK0YkaBjvhjDfkOoJhMmc=
+Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=jqd@d1.example; dkim=pass (1024-bit key) header.i=@d1.example; dmarc=pass
+Received: from localhost
+Message-ID: <example@example.com>
+Date: Mon, 01 Jan 2011 01:02:03 +0400
+From: Test User <test@example.com>
+To: somebody@example.com
+Subject: Testing
+
+This is a test message.
diff --git a/dkim/tests/test_dkim.py b/dkim/tests/test_dkim.py
index 83f4b7e..dc589d6 100644
--- a/dkim/tests/test_dkim.py
+++ b/dkim/tests/test_dkim.py
@@ -60,6 +60,7 @@ class TestSignAndVerify(unittest.TestCase):
         self.message3 = read_test_data("rfc6376.msg")
         self.message4 = read_test_data("rfc6376.signed.msg")
         self.message5 = read_test_data("rfc6376.signed.rsa.msg")
+        self.message6 = read_test_data("test.message.baddomain")
         self.key = read_test_data("test.private")
         self.rfckey = read_test_data("rfc8032_7_1.key")
 
@@ -196,6 +197,23 @@ p=11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo="""
         self.assertTrue(domain in _dns_responses,domain)
         return _dns_responses[domain]
 
+    def dnsfunc7(self, domain, timeout=5):
+        sample_dns = """\
+k=rsa; s=email;\
+p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
+b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
+
+        _dns_responses = {
+          'test._domainkey.legitimate.com(.attacker.com.': read_test_data("test.txt"),
+        }
+        try:
+            domain = domain.decode('ascii')
+        except UnicodeDecodeError:
+            return None
+        self.assertTrue(domain in _dns_responses,domain)
+        return _dns_responses[domain]
+
+
     def test_verifies(self):
         # A message verifies after being signed.
         for header_algo in (b"simple", b"relaxed"):
@@ -279,6 +297,18 @@ p=11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo="""
                 res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc4)
                 self.assertFalse(res)
 
+    def test_invalid_domain_sign(self):
+        # RFC6376 says domain can be Alpha, Num, - only.
+        sig = dkim.sign(
+            self.message, b"test", b"legitimate.com(.attacker.com", self.key)
+        res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc7)
+        self.assertFalse(res)
+
+    def test_invalid_domain_verify(self):
+        # RFC6376 says domain can be Alpha, Num, - only.
+        res = dkim.verify(self.message6, dnsfunc=self.dnsfunc7)
+        self.assertFalse(res)
+
     def test_simple_signature(self):
         # A message verifies after being signed with SHOULD headers
         for header_algo in (b"simple", b"relaxed"):