dkimpy

Merge lp:~mbp/dkimpy/587783-relaxed into lp:dkimpy

  1. 587783-relaxed
  2. Merge into trunk
Proposed by Martin Pool
Status: Merged
Approved by: Scott Kitterman
Approved revision: 10
Merged at revision: 10
Proposed branch: lp:~mbp/dkimpy/587783-relaxed
Merge into: lp:dkimpy
Diff against target: 56 lines (+16/-6)
2 files modified
ChangeLog (+5/-0)
dkim/__init__.py (+11/-6)
To merge this branch: bzr merge lp:~mbp/dkimpy/587783-relaxed
Reviewer Review Type Date Requested Status
Scott Kitterman Approve
Review via email: mp+53373@code.launchpad.net

Commit message

* when verifying Relaxed mode signatures, the partial DKIM-Signature
   header must be canonicalized before hashing (Martin Pool)
   <https://launchpad.net/bugs/587783>

Description of the change

This is a forward-port and update of the fix originally done in <https://bugs.launchpad.net/pydkim/+bug/587783>:

When generating a signature dkim specifies that a placeholder DKIM-Signature should be hashed. Without this patch, pydkim doesn't apply the right canonicalization rules and therefore can't it can't verify Relaxed-mode signatures it generates itself.

To post a comment you must log in.
Revision history for this message
Scott Kitterman (kitterman) wrote :

Ship it.

review: Approve
lp:~mbp/dkimpy/587783-relaxed updated
11. By Martin Pool

ChangeLog correction

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'ChangeLog'
2--- ChangeLog 2011-03-08 04:25:49 +0000
3+++ ChangeLog 2011-03-15 05:46:12 +0000
4@@ -1,3 +1,8 @@
5+Not yet released
6+ - when producing Relaxed mode signatures, the partial DKIM-Signature
7+ header must be canonicalized before hashing (Martin Pool)
8+ <https://launchpad.net/bugs/587783>
9+
10 2008-06-25 Version 0.3
11
12 - length parameter to sign() is now a boolean
13
14=== modified file 'dkim/__init__.py'
15--- dkim/__init__.py 2011-03-15 04:10:03 +0000
16+++ dkim/__init__.py 2011-03-15 05:46:12 +0000
17@@ -313,18 +313,23 @@
18 ('bh', bodyhash),
19 ('b', ""),
20 ] if x]
21- sig = "DKIM-Signature: " + "; ".join("%s=%s" % x for x in sigfields)
22
23- sig = fold(sig)
24+ sig_value = fold("; ".join("%s=%s" % x for x in sigfields))
25+ dkim_header = canonicalize[0].canonicalize_headers([
26+ ['DKIM-Signature', ' ' + sig_value]])[0]
27+ # the dkim sig is hashed with no trailing crlf, even if the
28+ # canonicalization algorithm would add one.
29+ if dkim_header[1][-2:] == '\r\n':
30+ dkim_header = (dkim_header[0], dkim_header[1][:-2])
31+ sign_headers.append(dkim_header)
32
33 if debuglog is not None:
34- print >>debuglog, "sign headers:", sign_headers + [("DKIM-Signature", " "+"; ".join("%s=%s" % x for x in sigfields))]
35+ print >>debuglog, "sign headers:", sign_headers
36 h = hashlib.sha256()
37 for x in sign_headers:
38 h.update(x[0])
39 h.update(":")
40 h.update(x[1])
41- h.update(sig)
42 d = h.digest()
43 if debuglog is not None:
44 print >>debuglog, "sign digest:", " ".join("%02x" % ord(x) for x in d)
45@@ -334,9 +339,9 @@
46 d, HASHID_SHA256, pk['privateExponent'], pk['modulus'])
47 except DigestTooLargeError:
48 raise ParameterError("digest too large for modulus")
49- sig += base64.b64encode(sig2)
50+ sig_value += base64.b64encode(sig2)
51
52- return sig + "\r\n"
53+ return 'DKIM-Signature: ' + sig_value + "\r\n"
54
55 def verify(message, debuglog=None, dnsfunc=dnstxt):
56 """Verify a DKIM signature on an RFC822 formatted message.

Subscribers

People subscribed via source and target branches