DandelionNStuff/dkimpy-smtputf8
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for RFC 8460 tlsrpt DKIM signature processing (LP: #1847020)

Browse Source
This commit is contained in:
Scott Kitterman
2019-10-31 20:53:06 -04:00
parent 69049feda1
commit ebe8fc7c77
5 changed files with 324 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ChangeLog
+1
View File
@@ -1,4 +1,5 @@
Version 1.0.0 Version 1.0.0
- Add support for RFC 8460 tlsrpt DKIM signature processing (LP: #1847020)
- Add new timeout parameter to enable DNS lookup timeouts to be adjusted - Add new timeout parameter to enable DNS lookup timeouts to be adjusted
- Drop usage of pymilter Milter.dns in dnsplug since it doesn't support - Drop usage of pymilter Milter.dns in dnsplug since it doesn't support
havine a timeout passed to it havine a timeout passed to it
dkim/__init__.py
+38 -9
View File
@@ -453,17 +453,20 @@ def load_pk_from_dns(name, dnsfunc=get_txt, timeout=5):
ktag = b'rsa' ktag = b'rsa'
if pub[b'k'] != b'rsa' and pub[b'k'] != b'ed25519': if pub[b'k'] != b'rsa' and pub[b'k'] != b'ed25519':
raise KeyFormatError('unknown algorithm in k= tag: {0}'.format(pub[b'k'])) raise KeyFormatError('unknown algorithm in k= tag: {0}'.format(pub[b'k']))
seqtlsrpt = False
try: try:
# Ignore unknown service types, RFC 6376 3.6.1 # Ignore unknown service types, RFC 6376 3.6.1
if pub[b's'] != b'*' and pub[b's'] != b'email': if pub[b's'] != b'*' and pub[b's'] != b'email' and pub[b's'] != b'tlsrpt':
pk = None pk = None
keysize = None keysize = None
ktag = None ktag = None
raise KeyFormatError('unknown service type in s= tag: {0}'.format(pub[b's'])) raise KeyFormatError('unknown service type in s= tag: {0}'.format(pub[b's']))
elif pub[b's'] == b'tlsrpt':
seqtlsrpt = True
except: except:
# Default is '*' - all service types, so no error if missing from key record # Default is '*' - all service types, so no error if missing from key record
pass pass
return pk, keysize, ktag return pk, keysize, ktag, seqtlsrpt
#: Abstract base class for holding messages and options during DKIM/ARC signing and verification. #: Abstract base class for holding messages and options during DKIM/ARC signing and verification.
@@ -478,8 +481,11 @@ class DomainSigner(object):
#: @param debug_content: log headers and body after canonicalization (default False) #: @param debug_content: log headers and body after canonicalization (default False)
#: @param linesep: use this line seperator for folding the headers #: @param linesep: use this line seperator for folding the headers
#: @param timeout: number of seconds for DNS lookup timeout (default = 5) #: @param timeout: number of seconds for DNS lookup timeout (default = 5)
#: @param tlsrpt: message is an RFC 8460 TLS report (default False)
#: False: Not a tlsrpt, True: Is a tlsrpt, 'strict': tlsrpt, invalid if
#: service type is missing. For signing, if True, length is never used.
def __init__(self,message=None,logger=None,signature_algorithm=b'rsa-sha256', def __init__(self,message=None,logger=None,signature_algorithm=b'rsa-sha256',
minkey=1024, linesep=b'\r\n', debug_content=False, timeout=5): minkey=1024, linesep=b'\r\n', debug_content=False, timeout=5, tlsrpt=False):
self.set_message(message) self.set_message(message)
if logger is None: if logger is None:
logger = get_default_logger() logger = get_default_logger()
@@ -504,6 +510,9 @@ class DomainSigner(object):
# use this line seperator for output # use this line seperator for output
self.linesep = linesep self.linesep = linesep
self.timeout = timeout self.timeout = timeout
self.tlsrpt = tlsrpt
# Service type in DKIM record is s=tlsrpt
self.seqtlsrpt = False
#: Header fields to protect from additions by default. #: Header fields to protect from additions by default.
@@ -673,11 +682,19 @@ class DomainSigner(object):
def verify_sig(self, sig, include_headers, sig_header, dnsfunc): def verify_sig(self, sig, include_headers, sig_header, dnsfunc):
name = sig[b's'] + b"._domainkey." + sig[b'd'] + b"." name = sig[b's'] + b"._domainkey." + sig[b'd'] + b"."
try: try:
pk, self.keysize, ktag = load_pk_from_dns(name, dnsfunc, timeout=self.timeout) pk, self.keysize, ktag, self.seqtlsrpt = load_pk_from_dns(name, dnsfunc, timeout=self.timeout)
except KeyFormatError as e: except KeyFormatError as e:
self.logger.error("%s" % e) self.logger.error("%s" % e)
return False return False
# RFC 8460 MAY ignore signatures without tlsrpt Service Type
if self.tlsrpt == 'strict' and not self.seqtlsrpt:
raise ValidationError("Message is tlsrpt and Service Type is not tlsrpt")
# Inferred requirement from both RFC 8460 and RFC 6376
if not self.tlsrpt and self.seqtlsrpt:
raise ValidationError("Message is not tlsrpt and Service Type is tlsrpt")
try: try:
canon_policy = CanonicalizationPolicy.from_c_value(sig.get(b'c', b'simple/simple')) canon_policy = CanonicalizationPolicy.from_c_value(sig.get(b'c', b'simple/simple'))
except InvalidCanonicalizationPolicyError as e: except InvalidCanonicalizationPolicyError as e:
@@ -690,7 +707,7 @@ class DomainSigner(object):
h = HashThrough(hasher(), self.debug_content) h = HashThrough(hasher(), self.debug_content)
body = canon_policy.canonicalize_body(self.body) body = canon_policy.canonicalize_body(self.body)
if b'l' in sig: if b'l' in sig and not self.tlsrpt:
body = body[:int(sig[b'l'])] body = body[:int(sig[b'l'])]
h.update(body) h.update(body)
if self.debug_content: if self.debug_content:
@@ -808,6 +825,10 @@ class DKIM(DomainSigner):
# record what verify should extract # record what verify should extract
self.include_headers = include_headers self.include_headers = include_headers
if self.tlsrpt:
# RFC 8460 MUST NOT
length = False
# rfc4871 says FROM is required # rfc4871 says FROM is required
if b'from' not in include_headers: if b'from' not in include_headers:
raise ParameterError("The From header field MUST be signed") raise ParameterError("The From header field MUST be signed")
@@ -1250,7 +1271,7 @@ def sign(message, selector, domain, privkey, identity=None,
canonicalize=(b'relaxed', b'simple'), canonicalize=(b'relaxed', b'simple'),
signature_algorithm=b'rsa-sha256', signature_algorithm=b'rsa-sha256',
include_headers=None, length=False, logger=None, include_headers=None, length=False, logger=None,
linesep=b'\r\n'): linesep=b'\r\n', tlsrpt=False):
# type: (bytes, bytes, bytes, bytes, bytes, tuple, bytes, list, bool, any) -> bytes # type: (bytes, bytes, bytes, bytes, bytes, tuple, bytes, list, bool, any) -> bytes
"""Sign an RFC822 message and return the DKIM-Signature header line. """Sign an RFC822 message and return the DKIM-Signature header line.
@param message: an RFC822 formatted message (with either \\n or \\r\\n line endings) @param message: an RFC822 formatted message (with either \\n or \\r\\n line endings)
@@ -1264,22 +1285,29 @@ def sign(message, selector, domain, privkey, identity=None,
@param length: true if the l= tag should be included to indicate body length (default False) @param length: true if the l= tag should be included to indicate body length (default False)
@param logger: a logger to which debug info will be written (default None) @param logger: a logger to which debug info will be written (default None)
@param linesep: use this line seperator for folding the headers @param linesep: use this line seperator for folding the headers
@param tlsrpt: message is an RFC 8460 TLS report (default False)
False: Not a tlsrpt, True: Is a tlsrpt, 'strict': tlsrpt, invalid if
service type is missing. For signing, if True, length is never used.
@return: DKIM-Signature header field terminated by \\r\\n @return: DKIM-Signature header field terminated by \\r\\n
@raise DKIMException: when the message, include_headers, or key are badly formed. @raise DKIMException: when the message, include_headers, or key are badly formed.
""" """
d = DKIM(message,logger=logger,signature_algorithm=signature_algorithm,linesep=linesep) d = DKIM(message,logger=logger,signature_algorithm=signature_algorithm,linesep=linesep,tlsrpt=tlsrpt)
return d.sign(selector, domain, privkey, identity=identity, canonicalize=canonicalize, include_headers=include_headers, length=length) return d.sign(selector, domain, privkey, identity=identity, canonicalize=canonicalize, include_headers=include_headers, length=length)
def verify(message, logger=None, dnsfunc=get_txt, minkey=1024, timeout=5): def verify(message, logger=None, dnsfunc=get_txt, minkey=1024, timeout=5, tlsrpt=False):
"""Verify the first (topmost) DKIM signature on an RFC822 formatted message. """Verify the first (topmost) DKIM signature on an RFC822 formatted message.
@param message: an RFC822 formatted message (with either \\n or \\r\\n line endings) @param message: an RFC822 formatted message (with either \\n or \\r\\n line endings)
@param logger: a logger to which debug info will be written (default None) @param logger: a logger to which debug info will be written (default None)
@param timeout: number of seconds for DNS lookup timeout (default = 5)
@param tlsrpt: message is an RFC 8460 TLS report (default False)
False: Not a tlsrpt, True: Is a tlsrpt, 'strict': tlsrpt, invalid if
service type is missing. For signing, if True, length is never used.
@return: True if signature verifies or False otherwise @return: True if signature verifies or False otherwise
""" """
# type: (bytes, any, function, int) -> bool # type: (bytes, any, function, int) -> bool
d = DKIM(message,logger=logger,minkey=minkey,timeout=timeout) d = DKIM(message,logger=logger,minkey=minkey,timeout=timeout,tlsrpt=tlsrpt)
try: try:
return d.verify(dnsfunc=dnsfunc) return d.verify(dnsfunc=dnsfunc)
except DKIMException as x: except DKIMException as x:
@@ -1326,6 +1354,7 @@ def arc_verify(message, logger=None, dnsfunc=get_txt, minkey=1024, timeout=5):
@param logger: a logger to which debug info will be written (default None) @param logger: a logger to which debug info will be written (default None)
@param dnsfunc: an optional function to lookup TXT resource records @param dnsfunc: an optional function to lookup TXT resource records
@param minkey: the minimum key size to accept @param minkey: the minimum key size to accept
@param timeout: number of seconds for DNS lookup timeout (default = 5)
@return: three-tuple of (CV Result (CV_Pass, CV_Fail or CV_None), list of @return: three-tuple of (CV Result (CV_Pass, CV_Fail or CV_None), list of
result dictionaries, result reason) result dictionaries, result reason)
""" """
dkim/tests/__init__.py
+2
View File
@@ -30,6 +30,7 @@ def test_suite():
test_crypto, test_crypto,
test_dkim, test_dkim,
test_dkim_ed25519, test_dkim_ed25519,
test_dkim_tlsrpt,
test_util, test_util,
test_arc, test_arc,
test_dnsplug, test_dnsplug,
@@ -39,6 +40,7 @@ def test_suite():
test_crypto, test_crypto,
test_dkim, test_dkim,
test_dkim_ed25519, test_dkim_ed25519,
test_dkim_tlsrpt,
test_util, test_util,
test_arc, test_arc,
test_dnsplug, test_dnsplug,
dkim/tests/data/test_tlsrpt.txt
+1
View File
@@ -0,0 +1 @@
v=DKIM1; g=*; k=rsa; s=tlsrpt; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkHlOQoBTzWRiGs5V6NpP3idY6Wk08a5qhdR6wy5bdOKb2jLQiY/J16JYi0Qvx/byYzCNb3W91y3FutACDfzwQ/BC/e/8uBsCR+yz1Lxj+PL6lHvqMKrM3rG4hstT5QjvHO9PzoxZyVYLzBfO2EeC3Ip3G+2kryOTIKT+l/K4w3QIDAQAB
dkim/tests/test_dkim_tlsrpt.py
+282
View File
@@ -0,0 +1,282 @@
# This software is provided 'as-is', without any express or implied
# warranty. In no event will the author be held liable for any damages
# arising from the use of this software.
#
# Permission is granted to anyone to use this software for any purpose,
# including commercial applications, and to alter it and redistribute it
# freely, subject to the following restrictions:
#
# 1. The origin of this software must not be misrepresented; you must not
# claim that you wrote the original software. If you use this software
# in a product, an acknowledgment in the product documentation would be
# appreciated but is not required.
# 2. Altered source versions must be plainly marked as such, and must not be
# misrepresented as being the original software.
# 3. This notice may not be removed or altered from any source distribution.
#
# Copyright (c) 2011 William Grant <me@williamgrant.id.au>
import email
import os.path
import unittest
import time
import dkim
def read_test_data(filename):
"""Get the content of the given test data file.
The files live in dkim/tests/data.
"""
path = os.path.join(os.path.dirname(__file__), 'data', filename)
with open(path, 'rb') as f:
return f.read()
class TestFold(unittest.TestCase):
def test_short_line(self):
self.assertEqual(
b"foo", dkim.fold(b"foo"))
def test_long_line(self):
# The function is terribly broken, not passing even this simple
# test.
self.assertEqual(
b"foo" * 24 + b"\r\n foo", dkim.fold(b"foo" * 25))
def test_linesep(self):
self.assertEqual(
b"foo" * 24 + b"\n foo", dkim.fold(b"foo" * 25, linesep=b"\n"))
class TestSignAndVerify(unittest.TestCase):
"""End-to-end signature and verification tests."""
def setUp(self):
self.message = read_test_data("test.message")
self.message3 = read_test_data("rfc6376.msg")
self.message4 = read_test_data("rfc6376.signed.msg")
self.key = read_test_data("test.private")
self.rfckey = read_test_data("rfc8032_7_1.key")
def dnsfunc(self, domain, timeout=5):
sample_dns = """\
k=rsa; s=email;\
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.com.': read_test_data("test.txt"),
'20120113._domainkey.gmail.com.': """k=rsa; \
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh\
+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQ\
s8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD07y2+07wlNWwIt8svnxgdxGkVbb\
hzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5Oct\
MEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598H\
Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc2(self, domain, timeout=5):
sample_dns = """\
k=rsa; \
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.com.': read_test_data("test2.txt"),
'20120113._domainkey.gmail.com.': """\
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh\
+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQ\
s8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD07y2+07wlNWwIt8svnxgdxGkVbb\
hzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5Oct\
MEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598H\
Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc3(self, domain, timeout=5):
sample_dns = """\
k=rsa; \
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.com.': read_test_data("badversion.txt"),
'20120113._domainkey.gmail.com.': """\
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh\
+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQ\
s8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD07y2+07wlNWwIt8svnxgdxGkVbb\
hzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5Oct\
MEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598H\
Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc4(self, domain, timeout=5):
sample_dns = """\
k=rsa; \
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.com.': read_test_data("badk.txt"),
'20120113._domainkey.gmail.com.': """\
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh\
+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQ\
s8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD07y2+07wlNWwIt8svnxgdxGkVbb\
hzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5Oct\
MEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598H\
Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc5(self, domain, timeout=5):
sample_dns = """\
k=rsa; \
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.football.example.com.': read_test_data("test.txt"),
'brisbane._domainkey.football.example.com.': """v=DKIM1; k=ed25519; \
p=11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo="""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc6(self, domain, timeout=5):
sample_dns = """\
k=rsa; s=email;\
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.com.': read_test_data("test_tlsrpt.txt"),
'20120113._domainkey.gmail.com.': """k=rsa; \
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh\
+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQ\
s8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD07y2+07wlNWwIt8svnxgdxGkVbb\
hzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5Oct\
MEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598H\
Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def test_ignores_tlsrptsvc(self):
# A non-tlsrpt signed with a key record with s=tlsrpt shouldn't verify.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc6)
self.assertFalse(res)
def test_tlsrpt_with_strict_tlsrptsvc(self):
# A tlsrpt signed with a key record with s=tlsrpt should verify with tlsrpt='strict'.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc6, tlsrpt='strict')
self.assertTrue(res)
def test_tlsrpt_with_tlsrptsvc(self):
# A tlsrpt signed with a key record with s=tlsrpt should verify.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc6, tlsrpt=True)
self.assertTrue(res)
def test_tlsrpt_with_strict_no_tlsrptsvc(self):
# A tlsrpt signed with a key record without s=tlsrpt not tlsrpt='strict' should not verify.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc, tlsrpt='strict')
self.assertFalse(res)
def test_tlsrpt_with_no_tlsrptsvc(self):
# A tlsrpt signed with a key record without s=tlsrpt and tlsrpt=True should verify.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc, tlsrpt=True)
self.assertTrue(res)
def test_tlsrpt_ignore_l_verify(self):
# For a tlsrpt, ignore l= on verify
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo), length=True)
self.message += b'added more text'
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc, tlsrpt=True)
self.assertFalse(res)
def test_tlsrpt_ignore_l_sign(self):
# For a tlsrpt, don't add l= when signing tlsrpt
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo), length=True, tlsrpt=True)
self.message += b'added more text'
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertFalse(res)
def test_suite():
from unittest import TestLoader
return TestLoader().loadTestsFromName(__name__)