DandelionNStuff/dkimpy-smtputf8
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: DandelionNStuff/dkimpy-smtputf8:74fe4dc02e2a9dce3a29bbb9b71ff2f8c4b1aae8
Branches Tags
DandelionNStuff/dkimpy-smtputf8:master
..
compare: DandelionNStuff/dkimpy-smtputf8:master
Branches Tags
DandelionNStuff/dkimpy-smtputf8:master

11 Commits
74fe4dc02e .. master

Author SHA1 Message Date
diskette 2f2a9e17d4 Update README.md 2025-10-16 07:45:35 +00:00
diskette 015d4bacfa Update README.md 2025-10-15 21:02:50 +00:00
Diskette Guy 9503fd60b0 Final commit, I've learned my lesson 2025-10-16 04:01:34 +07:00
Diskette Guy 003a405242 Cheatsheet update: filled in the files of the dkim directory 2025-10-14 23:31:18 +07:00
Diskette Guy f5ae75cd9a Update README.md 2025-10-14 18:37:27 +07:00
Diskette Guy a4fdd73ecb I figured out what canonicalization is 2025-10-14 06:07:54 +07:00
Diskette Guy bb1d5699af Add: canonicalization... whatever that is... 2025-10-14 06:03:32 +07:00
Diskette Guy 1f8aea2173 cheatsheet for loser (me) 2025-10-14 05:58:46 +07:00
Diskette Guy 369cab0047 more test files 2025-10-12 23:47:03 +07:00
Diskette Guy 5b9aaba817 dkim files 2025-10-09 01:49:59 +07:00
Diskette Guy 7aedfbe7c8 change those twos 2025-10-09 01:49:33 +07:00
11 changed files with 427 additions and 562 deletions
Expand all files Collapse all files
Cheatsheet.txt
+85
View File
@@ -0,0 +1,85 @@
Welcome to this plaintext file.
This file is strictly licensed as CC0, public domain - only this file though.
I'm Uea-angkun "Diskette" Khunpradith (diskette@unix.in.th), the author of this file.
This file exists because I'm a self-taught ametuer programmer and I wanted to keep notes of the things that this software does. And I do not want to use generative AI, as it does not help or teach me in anyway. It's just a cheatsheet of doing something.
This is what Stallman would've wanted... a free software for education....
Flags:
[IDK] : Will return later and figure out how it works
[NSURE]: Not sure, under the assumption of guessing how it works
[IK] : The author seemed to have an understanding of this
[$TITLE] : the title of the file
[WONDR] : Wonder if I can improve this...
# Personal notes:
Python's __main__ and __init__
As far as I know, __init__ is the initialization script, just like Unix and alike's /etc/init.rc script. It's required to make it so that it's a package.
The double underscores is for signifying that it's a global variable.
b before string, for example b'relaxed' is a way to say that it's a binary string
-----START DKIM DIRECTORY-----
[__init__]
__init__ in this case, import the libraries required for dkim magic. And tests authres, the dkim magic library, and nacl (sodium) library for ed25519 signing.
dkim.canonicalization is quite literally, ../dkim/canonicalization/
[IDK]
There's a variable named "sig" in which I don't know
[arcsign.py]
This is for ARC... we don't use that YET
[arcverify.py]
Same goes for that too
[asn1.py]
cryptography interface language stuff
[asyncsupport.py]
asynchronous support. quite literally again..
[canonicalization.py]
Canonicalization, in computer science is a process for converting data that has more than one possible representation into a standard "canonical" form --- thanks wikipedia, CC BY-SA 4.0
imports regular expression module
unused (potential future code) exception
lots of regular expression codes..
[WONDR]
I wonder if I can fit my U-label convertor here...
[crypto.py]
quite literally cryptography stuff with private key and public key
[dkimsign.py]
this does dkim signing stuff
[dkimverify.py]
this does dkim verifying stuff
[dknewkey.py]
this generates a diffie-hellman private and public keys
[dnsplug.py]
this gets the DNS record
[util.py]
I'm not sure what this does yet. From the looks of it, it's just a logger and praser for tag value
-----START TEST DIRECTORY-----
-----START ROOT DIRECTORY-----
LICENSE
-4
View File
@@ -17,7 +17,3 @@ freely, subject to the following restrictions:
Copyright (c) 2008 Greg Hewgill http://hewgill.com
See individual files for information about modification to these files and
additional copyright information.
Copyright (c) 2025 Uea-angkun Khunpradith https://dailitation.xyz
See individual files for information about modification to these files and
additional copyright information.
README.md
+12
View File
@@ -1,3 +1,15 @@
dkimpy-smtputf8 an RFC 8616-compliant fork of dkimpy.
This fork adds support for internationalized email address (U-labels converter) and a cheatsheet note for learning
NOTE: For SMTPUTF8 support, make sure you use A-label (punycoded) domain name instead. Otherwise it will not work, per RFC 8616
**Another note: The actual repository that's responsible for UTF-8 converter is at** https://gitskette.dailitation.xyz/DandelionNStuff/dkimpy-milter-smtputf8
As this python module do not actually have the convertor, rather, it's the backend of the milter.
# Original README
dkimpy - DKIM (DomainKeys Identified Mail)
https://launchpad.net/dkimpy/
dkim/__init__.py
+5
View File
@@ -30,6 +30,9 @@
# Copyright (c) 2017 Valimail Inc
# Contact: Gene Shuman <gene@valimail.com>
#
# This has been modified from the original software.
# Copyright (c) 2025 dailitation.xyz
# Contact: Uea-angkun Khunpradith <diskette@dailitation.xyz>
import base64
@@ -298,6 +301,7 @@ def validate_signature_fields(sig, mandatory_fields=[b'v', b'a', b'b', b'bh', b'
if b'cv' in sig and sig[b'cv'] not in (CV_Pass, CV_Fail, CV_None):
raise ValidationError("cv= value is not valid (%s)" % sig[b'cv'])
# Somehow convert it to UTF8 before going to this?
# Limit domain validation to ASCII domains because too hard
try:
str(sig[b'd'], 'ascii')
@@ -308,6 +312,7 @@ def validate_signature_fields(sig, mandatory_fields=[b'v', b'a', b'b', b'bh', b'
# Not an ASCII domain
pass
# Nasty hack to support both str and bytes... check for both the
# character and integer values.
if not arc and b'i' in sig and (
dkim/__main__.py
+1 -1
View File
@@ -1,7 +1,7 @@
import unittest
import doctest
import dkim
from tests import test_suite
from dkim.tests import test_suite
doctest.testmod(dkim)
unittest.TextTestRunner().run(test_suite())
dkim/tests/__init__.py
+2
View File
@@ -36,6 +36,7 @@ def test_suite():
test_arc,
test_dnsplug,
test_dkim_generate,
test_dkim_utf8,
)
modules = [
test_canonicalization,
@@ -48,6 +49,7 @@ def test_suite():
test_arc,
test_dnsplug,
test_dkim_generate,
test_dkim_utf8,
]
suites = [x.test_suite() for x in modules]
return unittest.TestSuite(suites)
dkim/tests/data/utf8test.key
+1
View File
@@ -0,0 +1 @@
fL+5V9EquCZAovKik3pA6Lk9zwCzoEtjIuIqK9ZXHHA=
dkim/tests/data/utf8test.msg
+9
View File
@@ -0,0 +1,9 @@
Authentication-Results: lists.example.org; arc=none; spf=pass smtp.mfrom=jqd@d1.example; dkim=pass (1024-bit key) header.i=@d1.example; dmarc=pass
Received: from localhost
Message-ID: <example@example.com>
Date: Mon, 01 Jan 2011 01:02:03 +0400
From: Test User <test@example.com>
To: somebody@example.com
Subject: Testing
This is a test message.
dkim/tests/data/utf8test2.msg
+14
View File
@@ -0,0 +1,14 @@
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=test.ex
; s=sed; h=From:To:Subject; bh=/Ab0giHZitYQbDhFszoqQRUkgqueaX9zatJttIU/plc=;
b=5fhyD3EILDrnL4DnkD4hDaeis7+GSzL9GMHrhIDZJjuJ00WD5iI8SQ1q9rDfzFL/Kdw0VIyB4R
Dq0a4H6HI+Bw==;
Received: from jgh by myhost.test.ex with local (Exim x.yz)
envelope-from <jgh@myhost.test.ex>)
1dtXln-0000YP-Hb
a@test.ex; Sun, 17 Sep 2017 12:29:51 +0100
From: nobody@example.com
Message-Id: <E1dtXln-0000YP-Hb@myhost.test.ex>
Sender: CALLER_NAME <jgh@myhost.test.ex>
Date: Sun, 17 Sep 2017 12:29:51 +0100
content
dkim/tests/test_dkim_utf8.py
+298
View File
@@ -0,0 +1,298 @@
# This software is provided 'as-is', without any express or implied
# warranty. In no event will the author be held liable for any damages
# arising from the use of this software.
#
# Permission is granted to anyone to use this software for any purpose,
# including commercial applications, and to alter it and redistribute it
# freely, subject to the following restrictions:
#
# 1. The origin of this software must not be misrepresented; you must not
# claim that you wrote the original software. If you use this software
# in a product, an acknowledgment in the product documentation would be
# appreciated but is not required.
# 2. Altered source versions must be plainly marked as such, and must not be
# misrepresented as being the original software.
# 3. This notice may not be removed or altered from any source distribution.
#
# Copyright (c) 2011 William Grant <me@williamgrant.id.au>
# Copyright (c) 2018 Scott Kitterman <scott@kitterman.com>
import email
import os.path
import unittest
import time
import dkim
def read_test_data(filename):
"""Get the content of the given test data file.
The files live in dkim/tests/data.
"""
path = os.path.join(os.path.dirname(__file__), 'data', filename)
with open(path, 'rb') as f:
return f.read()
class TestFold(unittest.TestCase):
def test_short_line(self):
self.assertEqual(
b"foo", dkim.fold(b"foo"))
def test_long_line(self):
# The function is terribly broken, not passing even this simple
# test.
self.assertEqual(
b"foo" * 24 + b"\r\n foo", dkim.fold(b"foo" * 25))
class TestSignAndVerify(unittest.TestCase):
"""End-to-end signature and verification tests."""
def setUp(self):
self.message = read_test_data("utf8test.msg")
self.message2 = read_test_data("utf8test2.msg")
self.message3 = read_test_data("rfc6376.msg")
self.message4 = read_test_data("rfc6376.signed.msg")
self.key = read_test_data("utf8.key")
self.rfckey = read_test_data("rfc8032_7_1.key")
def dnsfunc(self, domain, timeout=5):
sample_dns = """\
k=ed25519; \
p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.net.': """v=DKIM1; k=ed25519; \
p=yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=""",
'sed._domainkey.test.ex.': read_test_data("eximtest.dns"),
'brisbane._domainkey.football.example.com.': """v=DKIM1; k=ed25519; \
p=11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo="""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def test_verifies(self):
# A message verifies after being signed.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.net", self.key,
canonicalize=(header_algo, body_algo), signature_algorithm=b'ed25519-sha256')
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_rfc8032_verifies(self):
# A message using RFC 8032 sample keys verifies after being signed.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message3, b"brisbane", b"football.example.com", self.rfckey,
canonicalize=(header_algo, body_algo), signature_algorithm=b'ed25519-sha256')
res = dkim.verify(sig + self.message3, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_rfc8032_previous_verifies(self):
# A message previously signed using RFC 8032 sample keys verifies after being signed.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message3, b"brisbane", b"football.example.com", self.rfckey,
canonicalize=(header_algo, body_algo), signature_algorithm=b'ed25519-sha256')
d = dkim.DKIM(self.message4)
res = d.verify(dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_simple_signature(self):
# A message verifies after being signed with SHOULD headers
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.net", self.key,
canonicalize=(header_algo, body_algo),
include_headers=(b'from',) + dkim.DKIM.SHOULD,
signature_algorithm=b'ed25519-sha256')
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_verify_third_party(self):
# Message signed by prototype Exim implementation
res = dkim.verify(self.message2, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_add_body_length(self):
sig = dkim.sign(
self.message, b"test", b"example.net", self.key, length=True,
signature_algorithm=b'ed25519-sha256')
msg = email.message_from_string(self.message.decode('utf-8'))
self.assertIn('; l=%s' % len(msg.get_payload() + '\n'), sig.decode('utf-8'))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_altered_body_fails(self):
# An altered body fails verification.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.net", self.key,
signature_algorithm=b'ed25519-sha256')
res = dkim.verify(
sig + self.message + b"foo", dnsfunc=self.dnsfunc)
self.assertFalse(res)
def test_badly_encoded_domain_fails(self):
# Domains should be ASCII. Bad ASCII causes verification to fail.
sig = dkim.sign(self.message, b"test", b"example.net\xe9", self.key,
signature_algorithm=b'ed25519-sha256')
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertFalse(res)
def test_dkim_signature_canonicalization(self):
# <https://bugs.launchpad.net/ubuntu/+source/pydkim/+bug/587783>
# Relaxed-mode header signing is wrong
# <https://bugs.launchpad.net/dkimpy/+bug/939128>
# Simple-mode signature header verification is wrong
# (should ignore FWS anywhere in signature tag: b=)
sample_msg = b"""\
From: mbp@canonical.com
To: scottk@example.net
Subject: this is my
test message
""".replace(b'\n', b'\r\n')
sample_privkey = b"""\
fL+5V9EquCZAovKik3pA6Lk9zwCzoEtjIuIqK9ZXHHA=\
"""
sample_pubkey = """\
yi50DjK5O9pqbFpNHklsv9lqaS0ArSYu02qp1S0DW1Y=\
"""
for header_mode in [dkim.Relaxed, dkim.Simple]:
dkim_header = dkim.sign(sample_msg, b'example', b'canonical.com',
sample_privkey, canonicalize=(header_mode, dkim.Relaxed),
signature_algorithm=b'ed25519-sha256')
# Folding dkim_header affects b= tag only, since dkim.sign folds
# sig_value with empty b= before hashing, and then appends the
# signature. So folding dkim_header again adds FWS to
# the b= tag only. This should be ignored even with
# simple canonicalization.
# http://tools.ietf.org/html/rfc4871#section-3.5
signed = dkim.fold(dkim_header) + sample_msg
result = dkim.verify(signed,dnsfunc=self.dnsfunc)
self.assertTrue(result)
dkim_header = dkim.fold(dkim_header)
# use a tab for last fold to test tab in FWS bug
pos = dkim_header.rindex(b'\r\n ')
dkim_header = dkim_header[:pos]+b'\r\n\t'+dkim_header[pos+3:]
result = dkim.verify(dkim_header + sample_msg,
dnsfunc=self.dnsfunc)
self.assertTrue(result)
def test_extra_headers(self):
# <https://bugs.launchpad.net/dkimpy/+bug/737311>
# extra headers above From caused failure
#message = read_test_data("test_extra.message")
message = read_test_data("message.mbox")
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
d = dkim.DKIM(message)
# bug requires a repeated header to manifest
d.should_not_sign.remove(b'received')
sig = d.sign(b"test", b"example.net", self.key,
signature_algorithm=b'ed25519-sha256',
include_headers=d.all_sign_headers(),
canonicalize=(header_algo, body_algo))
dv = dkim.DKIM(sig + message)
res = dv.verify(dnsfunc=self.dnsfunc)
self.assertEqual(d.include_headers,dv.include_headers)
s = dkim.select_headers(d.headers,d.include_headers)
sv = dkim.select_headers(dv.headers,dv.include_headers)
self.assertEqual(s,sv)
self.assertTrue(res)
def test_multiple_from_fails(self):
# <https://bugs.launchpad.net/dkimpy/+bug/644046>
# additional From header fields should cause verify failure
hfrom = b'From: "Resident Evil" <sales@spammer.com>\r\n'
h,b = self.message.split(b'\n\n',1)
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.net", self.key,
signature_algorithm=b'ed25519-sha256')
# adding an unknown header still verifies
h1 = h+b'\r\n'+b'X-Foo: bar'
message = b'\n\n'.join((h1,b))
res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
# adding extra from at end should not verify
h1 = h+b'\r\n'+hfrom.strip()
message = b'\n\n'.join((h1,b))
res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
self.assertFalse(res)
# add extra from in front should not verify either
h1 = hfrom+h
message = b'\n\n'.join((h1,b))
res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
self.assertFalse(res)
def test_no_from_fails(self):
# Body From is mandatory to be in the message and mandatory to sign
sigerror = False
sig = ''
message = read_test_data('test_nofrom.message')
selector = 'test'
domain = 'example.net'
identity = None
try:
sig = dkim.sign(message, selector, domain,
read_test_data('ed25519test.key'), identity = identity,
signature_algorithm=b'ed25519-sha256')
except dkim.ParameterError as x:
sigerror = True
self.assertTrue(sigerror)
def test_validate_signature_fields(self):
sig = {b'v': b'1',
b'a': b'ed25519-sha256',
b'b': b'K/UUOt8lCtgjp3kSTogqBm9lY1Yax/NwZ+bKm39/WKzo5KYe3L/6RoIA/0oiDX4kO\n \t Qut49HCV6ZUe6dY9V5qWBwLanRs1sCnObaOGMpFfs8tU4TWpDSVXaNZAqn15XVW0WH\n \t EzOzUfVuatpa1kF4voIgSbmZHR1vN3WpRtcTBe/I=',
b'bh': b'n0HUwGCP28PkesXBPH82Kboy8LhNFWU9zUISIpAez7M=',
b'c': b'simple/simple',
b'd': b'kitterman.com',
b'i': b'scott@Kitterman.com',
b'h': b'From:To:Subject:Date:Cc:MIME-Version:Content-Type:\n \t Content-Transfer-Encoding:Message-Id',
b's': b'2007-00',
b't': b'1299525798'}
dkim.validate_signature_fields(sig)
# try new version
sigVer = sig.copy()
sigVer[b'v'] = 2
self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigVer)
# try with x
sigX = sig.copy()
sigX[b'x'] = b'1399525798'
dkim.validate_signature_fields(sig)
# try with late t
sigX[b't'] = b'1400000000'
self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigX)
# try without t
now = int(time.time())
sigX[b'x'] = str(now+400000).encode('ascii')
dkim.validate_signature_fields(sigX)
# try when expired a day ago
sigX[b'x'] = str(now - 24*3600).encode('ascii')
self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigX)
def test_suite():
from unittest import TestLoader
return TestLoader().loadTestsFromName(__name__)
dkim/tests/test_dkimutf8.py
-557
View File
@@ -1,557 +0,0 @@
# This software is provided 'as-is', without any express or implied
# warranty. In no event will the author be held liable for any damages
# arising from the use of this software.
#
# Permission is granted to anyone to use this software for any purpose,
# including commercial applications, and to alter it and redistribute it
# freely, subject to the following restrictions:
#
# 1. The origin of this software must not be misrepresented; you must not
# claim that you wrote the original software. If you use this software
# in a product, an acknowledgment in the product documentation would be
# appreciated but is not required.
# 2. Altered source versions must be plainly marked as such, and must not be
# misrepresented as being the original software.
# 3. This notice may not be removed or altered from any source distribution.
#
# Copyright (c) 2011 William Grant <me@williamgrant.id.au>
import email
import os.path
import unittest
import time
import dkim
def read_test_data(filename):
"""Get the content of the given test data file.
The files live in dkim/tests/data.
"""
path = os.path.join(os.path.dirname(__file__), 'data', filename)
with open(path, 'rb') as f:
return f.read()
class TestFold(unittest.TestCase):
def test_short_line(self):
self.assertEqual(
b"foo", dkim.fold(b"foo"))
def test_long_line(self):
# The function is terribly broken, not passing even this simple
# test.
self.assertEqual(
b"foo" * 24 + b"\r\n foo", dkim.fold(b"foo" * 25))
def test_linesep(self):
self.assertEqual(
b"foo" * 24 + b"\n foo", dkim.fold(b"foo" * 25, linesep=b"\n"))
class TestSignAndVerify(unittest.TestCase):
"""End-to-end signature and verification tests."""
def setUp(self):
self.message = read_test_data("test.message")
self.message3 = read_test_data("rfc6376.msg")
self.message4 = read_test_data("rfc6376.signed.msg")
self.message5 = read_test_data("rfc6376.signed.rsa.msg")
self.message6 = read_test_data("test.message.baddomain")
self.message7 = read_test_data("rfc6376.w1258.msg")
self.message8 = read_test_data("rfc6376.signed.no_t.msg")
self.key = read_test_data("test.private")
self.rfckey = read_test_data("rfc8032_7_1.key")
def dnsfunc(self, domain, timeout=5):
sample_dns = """\
k=rsa; s=email;\
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.com.': read_test_data("test.txt"),
'20120113._domainkey.gmail.com.': """k=rsa; \
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh\
+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQ\
s8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD07y2+07wlNWwIt8svnxgdxGkVbb\
hzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5Oct\
MEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598H\
Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc2(self, domain, timeout=5):
sample_dns = """\
k=rsa; \
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.com.': read_test_data("test2.txt"),
'20120113._domainkey.gmail.com.': """\
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh\
+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQ\
s8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD07y2+07wlNWwIt8svnxgdxGkVbb\
hzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5Oct\
MEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598H\
Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc3(self, domain, timeout=5):
sample_dns = """\
k=rsa; \
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.com.': read_test_data("badversion.txt"),
'20120113._domainkey.gmail.com.': """\
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh\
+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQ\
s8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD07y2+07wlNWwIt8svnxgdxGkVbb\
hzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5Oct\
MEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598H\
Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc4(self, domain, timeout=5):
sample_dns = """\
k=rsa; \
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.example.com.': read_test_data("badk.txt"),
'20120113._domainkey.gmail.com.': """\
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh\
+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQ\
s8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD07y2+07wlNWwIt8svnxgdxGkVbb\
hzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5Oct\
MEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598H\
Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc5(self, domain, timeout=5):
sample_dns = """\
k=rsa; \
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'example._domainkey.canonical.com.': sample_dns,
'test._domainkey.football.example.com.': read_test_data("test.txt"),
'brisbane._domainkey.football.example.com.': """v=DKIM1; k=ed25519; \
p=11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo="""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc6(self, domain, timeout=5):
sample_dns = """\
k=rsa; \
p=MFwwDQYJKoZIhvNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'test._domainkey.football.example.com.': sample_dns,
'brisbane._domainkey.football.example.com.': """v=DKIM1; k=ed25519; \
p=11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo="""
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def dnsfunc7(self, domain, timeout=5):
sample_dns = """\
k=rsa; s=email;\
p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""
_dns_responses = {
'test._domainkey.legitimate.com(.attacker.com.': read_test_data("test.txt"),
}
try:
domain = domain.decode('ascii')
except UnicodeDecodeError:
return None
self.assertTrue(domain in _dns_responses,domain)
return _dns_responses[domain]
def test_verifies(self):
# A message verifies after being signed.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_verifies_nosig(self):
# A message without signature does not verify.
res = dkim.verify(self.message, dnsfunc=self.dnsfunc)
self.assertFalse(res)
def test_double_verifies(self):
# A message also containing a ed25519 signature verifies after being signed with rsa.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message3, b"test", b"football.example.com", self.key,
canonicalize=(header_algo, body_algo), signature_algorithm=b'rsa-sha256')
res = dkim.verify(sig + self.message3, dnsfunc=self.dnsfunc5)
self.assertTrue(res)
def test_double_previous_verifies(self):
# A message previously signed using both rsa and ed25519 verifies after being signed.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message3, b"test", b"football.example.com", self.key,
canonicalize=(header_algo, body_algo), signature_algorithm=b'rsa-sha256')
d = dkim.DKIM(self.message4)
res = d.verify(dnsfunc=self.dnsfunc5)
self.assertTrue(res)
def test_non_utf8(self):
# A message with Windows-1258 encoding is signed and verifies.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message7, b"test", b"football.example.com", self.key,
canonicalize=(header_algo, body_algo), signature_algorithm=b'rsa-sha256')
d = dkim.DKIM(self.message7)
res = d.verify(dnsfunc=self.dnsfunc5)
# As of 1.1.0 this won't verify, but at least we don't crash. FIXME
self.assertFalse(res)
def test_no_t(self):
# Signature Timestamp is optional, so don't crash if it's missing.
d = dkim.DKIM(self.message8)
res = d.verify(dnsfunc=self.dnsfunc5)
# Signature won't verify, but that's not what we are testing.
self.assertFalse(res)
def test_catch_bad_key(self):
# Raise correct error for defective public key.
d = dkim.DKIM(self.message5)
res = d.verify(dnsfunc=self.dnsfunc6)
self.assertFalse(res)
def test_verifies_lflinesep(self):
# A message verifies after being signed.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo), linesep=b"\n")
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertFalse(b'\r\n' in sig)
self.assertTrue(res)
def test_implicit_k(self):
# A message verifies after being signed when k= tag is not provided.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc2)
self.assertTrue(res)
def test_bad_version(self):
# A error is detected if a bad version is used.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc3)
self.assertFalse(res)
def test_unknown_k(self):
# A error is detected if an unknown algorithm is in the k= tag.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc4)
self.assertFalse(res)
def test_invalid_domain_sign(self):
# RFC6376 says domain can be Alpha, Num, - only.
sig = dkim.sign(
self.message, b"test", b"legitimate.com(.attacker.com", self.key)
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc7)
self.assertFalse(res)
def test_invalid_domain_verify(self):
# RFC6376 says domain can be Alpha, Num, - only.
res = dkim.verify(self.message6, dnsfunc=self.dnsfunc7)
self.assertFalse(res)
def test_simple_signature(self):
# A message verifies after being signed with SHOULD headers
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo),
include_headers=(b'from',) + dkim.DKIM.SHOULD)
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_string_include(self):
# A message can be signed when the include_headers is string
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo),
include_headers=('from',) )
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_add_body_length(self):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key, length=True)
msg = email.message_from_string(self.message.decode('utf-8'))
self.assertIn('; l=%s' % len(msg.get_payload() + '\n'), sig.decode('utf-8'))
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_altered_body_fails(self):
# An altered body fails verification.
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key)
res = dkim.verify(
sig + self.message + b"foo", dnsfunc=self.dnsfunc)
self.assertFalse(res)
def test_l_verify(self):
# Sign with l=, add text, should verify
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key,
canonicalize=(header_algo, body_algo), length=True)
self.message += b'added more text\n'
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_present(self):
# Test DKIM.present().
d = dkim.DKIM(self.message,signature_algorithm=b'rsa-sha256')
present = d.present()
self.assertFalse(present)
sig = d.sign(b"test", b"example.com", self.key)
signed = sig + self.message
d2 = dkim.DKIM(signed)
present = d2.present()
self.assertTrue(present)
def test_badly_encoded_domain_fails(self):
# Domains should be ASCII. Bad ASCII causes verification to fail.
sig = dkim.sign(self.message, b"test", b"example.com\xe9", self.key)
res = dkim.verify(sig + self.message, dnsfunc=self.dnsfunc)
self.assertFalse(res)
def test_dkim_signature_canonicalization(self):
# <https://bugs.launchpad.net/ubuntu/+source/pydkim/+bug/587783>
# Relaxed-mode header signing is wrong
# <https://bugs.launchpad.net/dkimpy/+bug/939128>
# Simple-mode signature header verification is wrong
# (should ignore FWS anywhere in signature tag: b=)
sample_msg = b"""\
From: mbp@canonical.com
To: scottk@example.com
Subject: this is my
test message
""".replace(b'\n', b'\r\n')
sample_privkey = b"""\
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBANmBe10IgY+u7h3enWTukkqtUD5PR52Tb/mPfjC0QJTocVBq6Za/
PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQJAYFUKsD+uMlcFu1D3YNaR
EGYGXjJ6w32jYGJ/P072M3yWOq2S1dvDthI3nRT8MFjZ1wHDAYHrSpfDNJ3v2fvZ
cQIhAPgRPmVYn+TGd59asiqG1SZqh+p+CRYHW7B8BsicG5t3AiEA4HYNOohlgWan
8tKgqLJgUdPFbaHZO1nDyBgvV8hvWZUCIQDDdCq6hYKuKeYUy8w3j7cgJq3ih922
2qNWwdJCfCWQbwIgTY0cBvQnNe0067WQIpj2pG7pkHZR6qqZ9SE+AjNTHX0CIQCI
Mgq55Y9MCq5wqzy141rnxrJxTwK9ABo3IAFMWEov3g==
-----END RSA PRIVATE KEY-----
"""
sample_pubkey = """\
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T
b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ==
-----END PUBLIC KEY-----
"""
for header_mode in [dkim.Relaxed, dkim.Simple]:
dkim_header = dkim.sign(sample_msg, b'example', b'canonical.com',
sample_privkey, canonicalize=(header_mode, dkim.Relaxed))
# Folding dkim_header affects b= tag only, since dkim.sign folds
# sig_value with empty b= before hashing, and then appends the
# signature. So folding dkim_header again adds FWS to
# the b= tag only. This should be ignored even with
# simple canonicalization.
# http://tools.ietf.org/html/rfc4871#section-3.5
signed = dkim.fold(dkim_header) + sample_msg
result = dkim.verify(signed,dnsfunc=self.dnsfunc,
minkey=512)
self.assertTrue(result)
dkim_header = dkim.fold(dkim_header)
# use a tab for last fold to test tab in FWS bug
pos = dkim_header.rindex(b'\r\n ')
dkim_header = dkim_header[:pos]+b'\r\n\t'+dkim_header[pos+3:]
result = dkim.verify(dkim_header + sample_msg,
dnsfunc=self.dnsfunc, minkey=512)
self.assertTrue(result)
def test_degenerate_folding(self):
# <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711751>
# degenerate folding is ugly but legal
message = read_test_data("test2.message")
dv = dkim.DKIM(message)
res = dv.verify(dnsfunc=self.dnsfunc)
self.assertTrue(res)
def test_extra_headers(self):
# <https://bugs.launchpad.net/dkimpy/+bug/737311>
# extra headers above From caused failure
#message = read_test_data("test_extra.message")
message = read_test_data("message.mbox")
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
d = dkim.DKIM(message)
# bug requires a repeated header to manifest
d.should_not_sign.remove(b'received')
sig = d.sign(b"test", b"example.com", self.key,
include_headers=d.all_sign_headers(),
canonicalize=(header_algo, body_algo))
dv = dkim.DKIM(sig + message)
res = dv.verify(dnsfunc=self.dnsfunc)
self.assertEqual(d.include_headers,dv.include_headers)
s = dkim.select_headers(d.headers,d.include_headers)
sv = dkim.select_headers(dv.headers,dv.include_headers)
self.assertEqual(s,sv)
self.assertTrue(res)
def test_multiple_from_fails(self):
# <https://bugs.launchpad.net/dkimpy/+bug/644046>
# additional From header fields should cause verify failure
hfrom = b'From: "Resident Evil" <sales@spammer.com>\r\n'
h,b = self.message.split(b'\n\n',1)
for header_algo in (b"simple", b"relaxed"):
for body_algo in (b"simple", b"relaxed"):
sig = dkim.sign(
self.message, b"test", b"example.com", self.key)
# adding an unknown header still verifies
h1 = h+b'\r\n'+b'X-Foo: bar'
message = b'\n\n'.join((h1,b))
res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
self.assertTrue(res)
# adding extra from at end should not verify
h1 = h+b'\r\n'+hfrom.strip()
message = b'\n\n'.join((h1,b))
res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
self.assertFalse(res)
# add extra from in front should not verify either
h1 = hfrom+h
message = b'\n\n'.join((h1,b))
res = dkim.verify(sig+message, dnsfunc=self.dnsfunc)
self.assertFalse(res)
def test_no_from_fails(self):
# Body From is mandatory to be in the message and mandatory to sign
sigerror = False
sig = ''
message = read_test_data('test_nofrom.message')
selector = 'test'
domain = 'example.com'
identity = None
try:
sig = dkim.sign(message, selector, domain, read_test_data('test.private'), identity = identity)
except dkim.ParameterError as x:
sigerror = True
self.assertTrue(sigerror)
def test_validate_signature_fields(self):
sig = {b'v': b'1',
b'a': b'rsa-sha256',
b'b': b'K/UUOt8lCtgjp3kSTogqBm9lY1Yax/NwZ+bKm39/WKzo5KYe3L/6RoIA/0oiDX4kO\n \t Qut49HCV6ZUe6dY9V5qWBwLanRs1sCnObaOGMpFfs8tU4TWpDSVXaNZAqn15XVW0WH\n \t EzOzUfVuatpa1kF4voIgSbmZHR1vN3WpRtcTBe/I=',
b'bh': b'n0HUwGCP28PkesXBPH82Kboy8LhNFWU9zUISIpAez7M=',
b'c': b'simple/simple',
b'd': b'kitterman.com',
b'i': b'scott@Kitterman.com',
b'h': b'From:To:Subject:Date:Cc:MIME-Version:Content-Type:\n \t Content-Transfer-Encoding:Message-Id',
b's': b'2007-00',
b't': b'1299525798'}
dkim.validate_signature_fields(sig)
# try new version
sigVer = sig.copy()
sigVer[b'v'] = 2
self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigVer)
# try with x
sigX = sig.copy()
sigX[b'x'] = b'1399525798'
dkim.validate_signature_fields(sig)
# try with late t
sigX[b't'] = b'1400000000'
self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigX)
# try without t
now = int(time.time())
sigX[b'x'] = str(now+400000).encode('ascii')
dkim.validate_signature_fields(sigX)
# try when expired a day ago
sigX[b'x'] = str(now - 24*3600).encode('ascii')
self.assertRaises(dkim.ValidationError, dkim.validate_signature_fields, sigX)
def test_suite():
from unittest import TestLoader
return TestLoader().loadTestsFromName(__name__)