Switch to setuptools/entrypoints from distutils/scripts

dkim/arcsign.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env python
+
+# This software is provided 'as-is', without any express or implied
+# warranty.  In no event will the author be held liable for any damages
+# arising from the use of this software.
+#
+# Permission is granted to anyone to use this software for any purpose,
+# including commercial applications, and to alter it and redistribute it
+# freely, subject to the following restrictions:
+#
+# 1. The origin of this software must not be misrepresented; you must not
+#    claim that you wrote the original software. If you use this software
+#    in a product, an acknowledgment in the product documentation would be
+#    appreciated but is not required.
+# 2. Altered source versions must be plainly marked as such, and must not be
+#    misrepresented as being the original software.
+# 3. This notice may not be removed or altered from any source distribution.
+#
+# Copyright (c) 2008 Greg Hewgill http://hewgill.com
+#
+# This has been modified from the original software.
+# Copyright (c) 2011 William Grant <me@williamgrant.id.au>
+#
+# This has been modified from the original software.
+# Copyright (c) 2016 Google, Inc.
+# Contact: Brandon Long <blong@google.com>
+
+from __future__ import print_function
+
+import logging
+import re
+import sys
+
+import dkim
+
+logging.basicConfig(level=10)
+
+if len(sys.argv) != 4:
+    print("Usage: arcsign.py selector domain privatekeyfile", file=sys.stderr)
+    sys.exit(1)
+
+if sys.version_info[0] >= 3:
+    # Make sys.stdin and stdout binary streams.
+    sys.stdin = sys.stdin.detach()
+    sys.stdout = sys.stdout.detach()
+
+selector = sys.argv[1].encode('ascii')
+domain = sys.argv[2].encode('ascii')
+privatekeyfile = sys.argv[3]
+
+message = sys.stdin.read()
+
+# Pick a cv status
+cv = dkim.CV_None
+if re.search('arc-seal', message, re.IGNORECASE):
+  cv = dkim.CV_Pass
+
+#try:
+sig = dkim.arc_sign(message, selector, domain, open(privatekeyfile, "rb").read(),
+               domain + ": none", cv)
+for line in sig:
+  sys.stdout.write(line)
+sys.stdout.write(message)
+#except Exception as e:
+#    print(e, file=sys.stderr)
+    #sys.stdout.write(message)

dkim/arcverify.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+# This software is provided 'as-is', without any express or implied
+# warranty.  In no event will the author be held liable for any damages
+# arising from the use of this software.
+#
+# Permission is granted to anyone to use this software for any purpose,
+# including commercial applications, and to alter it and redistribute it
+# freely, subject to the following restrictions:
+#
+# 1. The origin of this software must not be misrepresented; you must not
+#    claim that you wrote the original software. If you use this software
+#    in a product, an acknowledgment in the product documentation would be
+#    appreciated but is not required.
+# 2. Altered source versions must be plainly marked as such, and must not be
+#    misrepresented as being the original software.
+# 3. This notice may not be removed or altered from any source distribution.
+#
+# Copyright (c) 2008 Greg Hewgill http://hewgill.com
+#
+# This has been modified from the original software.
+# Copyright (c) 2011 William Grant <me@williamgrant.id.au>
+#
+# This has been modified from the original software.
+# Copyright (c) 2016 Google, Inc.
+# Contact: Brandon Long <blong@google.com>
+
+from __future__ import print_function
+
+import logging
+import sys
+
+import dkim
+
+if sys.version_info[0] >= 3:
+    # Make sys.stdin a binary stream.
+    sys.stdin = sys.stdin.detach()
+
+message = sys.stdin.read()
+verbose = '-v' in sys.argv
+if verbose:
+  logging.basicConfig(level=10)
+  a = dkim.ARC(message)
+  cv, results, comment = a.verify()
+else:
+  cv, results, comment = dkim.arc_verify(message)
+
+print("arc verification: cv=%s %s" % (cv, comment))
+if verbose:
+  print(repr(results))

dkim/dkimsign.py

@@ -0,0 +1,81 @@
+#!/usr/bin/env python
+
+# This software is provided 'as-is', without any express or implied
+# warranty.  In no event will the author be held liable for any damages
+# arising from the use of this software.
+#
+# Permission is granted to anyone to use this software for any purpose,
+# including commercial applications, and to alter it and redistribute it
+# freely, subject to the following restrictions:
+#
+# 1. The origin of this software must not be misrepresented; you must not
+#    claim that you wrote the original software. If you use this software
+#    in a product, an acknowledgment in the product documentation would be
+#    appreciated but is not required.
+# 2. Altered source versions must be plainly marked as such, and must not be
+#    misrepresented as being the original software.
+# 3. This notice may not be removed or altered from any source distribution.
+#
+# Copyright (c) 2008 Greg Hewgill http://hewgill.com
+#
+# This has been modified from the original software.
+# Copyright (c) 2011 William Grant <me@williamgrant.id.au>
+# Copyright (c) 2017 Scott Kitterman <scott@kitterman.com>
+
+from __future__ import print_function
+
+import sys
+import argparse
+
+import dkim
+
+# Backward compatibility hack because argparse doesn't support optional
+# positional arguments
+arguments=['--'+arg if arg[:8] == 'identity' else arg for arg in sys.argv[1:]]
+parser = argparse.ArgumentParser(
+    description='Produce DKIM signature for email messages.',
+    epilog="message to be signed follows commands on stdin")
+parser.add_argument('selector', action="store")
+parser.add_argument('domain', action="store")
+parser.add_argument('privatekeyfile', action="store")
+parser.add_argument('--hcanon', choices=['simple', 'relaxed'],
+    default='relaxed',
+    help='Header canonicalization algorithm: default=relaxed')
+parser.add_argument('--bcanon', choices=['simple', 'relaxed'],
+    default='simple',
+    help='Body canonicalization algorithm: default=simple')
+parser.add_argument('--signalg', choices=['rsa-sha256', 'ed25519-sha256', 'rsa-sha1'],
+    default='rsa-sha256',
+    help='Signature algorithm: default=rsa-sha256')
+parser.add_argument('--identity', help='Optional value for i= tag.')
+args=parser.parse_args(arguments)
+include_headers = None
+length = None
+logger = None
+
+if sys.version_info[0] >= 3:
+    args.selector = bytes(args.selector, encoding='UTF-8')
+    args.domain = bytes(args.domain, encoding='UTF-8')
+    if args.identity is not None:
+        args.identity = bytes(args.identity, encoding='UTF-8')
+    args.hcanon = bytes(args.hcanon, encoding='UTF-8')
+    args.bcanon = bytes(args.bcanon, encoding='UTF-8')
+    args.signalg = bytes(args.signalg, encoding='UTF-8')
+    # Make sys.stdin and stdout binary streams.
+    sys.stdin = sys.stdin.detach()
+    sys.stdout = sys.stdout.detach()
+canonicalize = (args.hcanon, args.bcanon)
+
+message = sys.stdin.read()
+try:
+    d = dkim.DKIM(message,logger=logger,
+                  signature_algorithm=args.signalg)
+    sig = d.sign(args.selector, args.domain, open(
+                 args.privatekeyfile, "rb").read(), identity = args.identity,
+                 canonicalize=canonicalize, include_headers=include_headers,
+                 length=length)
+    sys.stdout.write(sig)
+    sys.stdout.write(message)
+except Exception as e:
+    print(e, file=sys.stderr)
+    sys.stdout.write(message)

dkim/dkimverify.py

@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+# This software is provided 'as-is', without any express or implied
+# warranty.  In no event will the author be held liable for any damages
+# arising from the use of this software.
+#
+# Permission is granted to anyone to use this software for any purpose,
+# including commercial applications, and to alter it and redistribute it
+# freely, subject to the following restrictions:
+#
+# 1. The origin of this software must not be misrepresented; you must not
+#    claim that you wrote the original software. If you use this software
+#    in a product, an acknowledgment in the product documentation would be
+#    appreciated but is not required.
+# 2. Altered source versions must be plainly marked as such, and must not be
+#    misrepresented as being the original software.
+# 3. This notice may not be removed or altered from any source distribution.
+#
+# Copyright (c) 2008 Greg Hewgill http://hewgill.com
+#
+# This has been modified from the original software.
+# Copyright (c) 2011 William Grant <me@williamgrant.id.au>
+
+from __future__ import print_function
+
+import sys
+
+import dkim
+
+if sys.version_info[0] >= 3:
+    # Make sys.stdin a binary stream.
+    sys.stdin = sys.stdin.detach()
+
+message = sys.stdin.read()
+verbose = '-v' in sys.argv
+if verbose:
+  import logging
+  d = dkim.DKIM(message, logger=logging)
+  res = d.verify()
+else:
+  res = dkim.verify(message)
+if not res:
+    print("signature verification failed")
+    sys.exit(1)
+print("signature ok")

dkim/dknewkey.py

@@ -0,0 +1,124 @@
+#!/usr/bin/python
+# This software is provided 'as-is', without any express or implied
+# warranty.  In no event will the author be held liable for any damages
+# arising from the use of this software.
+#
+# Permission is granted to anyone to use this software for any purpose,
+# including commercial applications, and to alter it and redistribute it
+# freely, subject to the following restrictions:
+#
+# 1. The origin of this software must not be misrepresented; you must not
+#    claim that you wrote the original software. If you use this software
+#    in a product, an acknowledgment in the product documentation would be
+#    appreciated but is not required.
+# 2. Altered source versions must be plainly marked as such, and must not be
+#    misrepresented as being the original software.
+# 3. This notice may not be removed or altered from any source distribution.
+#
+# Copyright (c) 2016 Google, Inc.
+# Contact: Brandon Long <blong@google.com>
+# Modified by Scott Kitterman <scott@kitterman.com>
+# Copyright (c) 2017,2018 Scott Kitterman
+
+"""Generates new domainkeys pairs.
+
+"""
+
+
+import os
+import subprocess
+import sys
+import tempfile
+import argparse
+import hashlib
+import base64
+
+# how strong are our keys?
+BITS_REQUIRED = 2048
+
+# what openssl binary do we use to do key manipulation?
+OPENSSL_BINARY = '/usr/bin/openssl'
+
+def GenRSAKeys(private_key_file):
+  """ Generates a suitable private key.  Output is unprotected.
+  You should encrypt your keys.
+  """
+  print >> sys.stderr, 'generating ' + private_key_file
+  subprocess.check_call([OPENSSL_BINARY, 'genrsa', '-out', private_key_file,
+                         str(BITS_REQUIRED)])
+
+def GenEd25519Keys(private_key_file):
+    """Generates a base64 encoded private key for ed25519 DKIM signing.
+    Output is unprotected.  You should encrypt your keys.
+    """
+    import nacl.signing # Yes, pep-8, but let's not make everyone install nacl
+    import nacl.encoding
+    import os
+    skg = nacl.signing.SigningKey(seed=os.urandom(32))
+    priv_key = skg.generate()
+    print >> sys.stderr, 'generating ' + private_key_file
+    pkf = open(private_key_file, "w+")
+    print >> pkf, priv_key.encode(encoder=nacl.encoding.Base64Encoder)
+    pkf.close()
+    return(priv_key)
+
+def ExtractRSADnsPublicKey(private_key_file, dns_file):
+  """ Given a key, extract the bit we should place in DNS.
+  """
+  print >> sys.stderr, 'extracting ' + private_key_file
+  working_file = tempfile.NamedTemporaryFile(delete=False).name
+  subprocess.check_call([OPENSSL_BINARY, 'rsa', '-in', private_key_file,
+                         '-out', working_file, '-pubout', '-outform', 'PEM'])
+  cmd = 'grep -v ^-- %s | tr -d \'\\n\'' % working_file
+  try:
+    output = subprocess.check_output(cmd, shell=True)
+  finally:
+    os.unlink(working_file)
+  dns_fp = open(dns_file, "w+")
+  print >> sys.stderr, 'writing ' + dns_file
+  print >> dns_fp, "k=rsa; h=sha256; p={0}".format(output)
+  dns_fp.close()
+
+def ExtractEd25519PublicKey(private_key_file, dns_file, priv_key):
+    """ Given a ed25519 key, extract the bit we should place in DNS.
+    """
+    import nacl.encoding # Yes, pep-8, but let's not make everyone install nacl
+    pubkey = priv_key.verify_key
+    output = pubkey.encode(encoder=nacl.encoding.Base64Encoder)
+    dns_fp = open(dns_file, "w+")
+    print >> sys.stderr, 'writing ' + dns_file
+    print >> dns_fp, "k=ed25519; p={0}".format(output)
+    dns_fp.close()
+
+def main(argv):
+  parser = argparse.ArgumentParser(
+    description='Produce DKIM keys.',)
+  parser.add_argument('key_name', action="store")
+  parser.add_argument('--ktype', choices=['rsa', 'ed25519'],
+    default='rsa',
+    help='DKIM key type: Default is rsa')
+  args=parser.parse_args()
+  if sys.version_info[0] >= 3:
+    args.key_name = bytes(args.key_name, encoding='UTF-8')
+    args.ktype = bytes(args.ktype, encoding='UTF-8')
+    # Make sys.stdin and stdout binary streams.
+    sys.stdin = sys.stdin.detach()
+    sys.stdout = sys.stdout.detach()
+
+  key_name = args.key_name
+  key_type = args.ktype
+  private_key_file = key_name + '.key'
+  dns_file = key_name + '.dns'
+
+  if key_type == 'rsa':
+      GenRSAKeys(private_key_file)
+      ExtractRSADnsPublicKey(private_key_file, dns_file)
+  elif key_type == 'ed25519':
+      priv_key = GenEd25519Keys(private_key_file)
+      ExtractEd25519PublicKey(private_key_file, dns_file, priv_key)
+  else:
+      print >> sys.stderr, "Unknown key type - no key generated."
+
+
+if __name__ == '__main__':
+  main(sys.argv)