Merge ~mirespace/ubuntu/+source/libmail-dkim-perl:reverting-upstream-debian-ed25519-noble-proposed into ubuntu/+source/libmail-dkim-perl:ubuntu/devel
Status: | Rejected |
---|---|
Rejected by: | Andreas Hasenack |
Proposed branch: | ~mirespace/ubuntu/+source/libmail-dkim-perl:reverting-upstream-debian-ed25519-noble-proposed |
Merge into: | ubuntu/+source/libmail-dkim-perl:ubuntu/devel |
Diff against target: | 1764 lines (+1689/-3), 9 files modified: |
- debian/changelog (+9/-0)
- debian/control (+2/-3)
- debian/patches/0001-Revert-Ed25519-Add-test-for-missing-public-key.patch (+94/-0)
- debian/patches/0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch (+496/-0)
- debian/patches/0003-Revert-set-rsa-ed25519-type.patch (+84/-0)
- debian/patches/0004-Revert-added-ed25519-signing-support.patch (+327/-0)
- debian/patches/0005-Revert-added-support-for-verifying-Ed25519-signature.patch (+578/-0)
- debian/patches/0006-Revert-Debian-support-for-ed25519.patch (+93/-0)
- debian/patches/series (+6/-0)
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | Disapprove | ||
Ubuntu Sponsors | Pending | ||
Canonical Server Reporter | Pending | ||
Review via email: mp+460681@code.launchpad.net |
Commit message
Description of the change
Hi team,
I'm dropping libcryptx-perl support (dependencies and related upstream commits) to avoid a component mismatch situation temporarily while packaging New libcrypt-
The patches correspond to this PR in upstream:
https:/
but, looking into the complete history, you can find these commits were added to a branch created by the maintainer and called "ed25519" which includes two more commits:
https:/
The 0006-Revert-*.patch is for undoing the changes related to ed25519 (only those) added by Debian when upgrading the package to version 1.20230630 (commit message "New upstream version 1.20230630"):
The changes in the code are only adding the use of ed25519, not affecting the use from other third packages of the existing rsa-sha256 algorithm, making a distinction between 'rsa' or 'ed25519' for selecting the correct algorithm.
PPA for this is:
ppa:mirespace/
https:/
Test passed locally:
autopkgtest [13:55:19]: @@@@@@@
autodep8-
autodep8-perl PASS (superficial)
autodep8-
Also, they ran in the infra with good results (i386 not passing is known):
✅ libmail-dkim-perl on noble for amd64 @ 19.02.24 08:59:17
• Log: https:/
✅ libmail-dkim-perl on noble for arm64 @ 19.02.24 09:35:18
• Log: https:/
✅ libmail-dkim-perl on noble for armhf @ 19.02.24 09:04:19
• Log: https:/
✅ libmail-dkim-perl on noble for ppc64el @ 19.02.24 09:01:02
• Log: https:/
✅ libmail-dkim-perl on noble for s390x @ 19.02.24 09:19:56
• Log: https:/
And all building tests passed:
All tests successful.
Files=19, Tests=455, 2 wallclock secs ( 0.08 usr 0.05 sys + 1.43 cusr 0.40 csys = 1.96 CPU)
Result: PASS
Checking spamassassin's tests against this libmail-dkim-perl was also OK:
$ autopkgtest -U -s --add-apt-
[...]
autopkgtest [16:51:09]: @@@@@@@
spamassassin.nospam PASS
spamassassin.spam PASS
daemon PASS
And looking into the building tests of spamassassin, the dkim test is disabled because it could be flaky due to network issues. But, I manually disabled the net verification (commenting line 19 in t/dkim.t) and I launched the test with the libmail-dkim-perl package proposed here:
All tests successful.
Files=1, Tests=258, 16 wallclock secs ( 0.03 usr 0.02 sys + 3.82 cusr 0.15 csys = 4.02 CPU)
Result: PASS
Complete log at https:/
Package installed :
root@Nspamassas
ii libmail-dkim-perl 1.20240124-
without libcryptx-perl:
root@Nspamassas
libcryptx-perl:
Installed: (none)
Candidate: 0.080-2build1
Version table:
0.080-2build1 500
500 http://
Please, review and sponsor if LGTY. Thanks in advance (also, for your time reviewing this)!
[1] https:/
Andreas Hasenack (ahasenack) wrote (last edit ): | # |
Miriam España Acebal (mirespace) wrote : | # |
Hi Andreas!
> I still have to go over this in more detail, but my first question (and sorry
> if I missed the answer somewhere)
Nothing to be sorry about... Maybe I missed this question in the standup :$.
> What about sympa and amavisd-new, do they indirectly rely on libcryptx-perl,
> or specifically, on the ed25519 code? Did you also rebuild these reverse
> dependencies, and their tests?
Good point (as ever)! I'm on it with the tests and checking the code of those reverse dependencies to look for Mail::Dkim inclusions and calls to any removed code in this MP.
I'll go back to you with the conclusions... thanks Andreas!
Miriam España Acebal (mirespace) wrote (last edit ): | # |
TL;DR: Checking that amavisd-new or sympa still work ok when dropping this change: OK
All tested against the package in the ppa.
A. Code Insights: None of the packages calls, directly or indirectly, the added (and removed here) code.
In both cases, an 'ack ed25519' search doesn't return anything.
Files modified by this MP are:
lib/Mail/
lib/Mail/
-- > Modified functions
lib/Mail/
lib/Mail/
A.1. Sympa:
sympa
-------------
❯ ack Mail::DKIM:
❯ ack Mail::DKIM:
❯ ack Mail::DKIM:
cpanfile
182:recommends 'Mail::
272:feature 'Mail::
273: requires 'Mail::
src/lib/
648: eval 'use Mail::DKIM:
655: return unless $Mail::
668: unless ($dkim = Mail::DKIM:
669: $log->syslog('err', 'Could not create Mail::DKIM:
Checking Algorithm used is rsa:
❯ ack -C2 Algorithm
src/lib/
502- # create a signer object
503- my $dkim = Mail::DKIM:
504: Algorithm => "rsa-sha256",
505- Method => "relaxed",
506- Domain => $dkim_d,
--
600- # create a signer object
601- my $arc = Mail::DKIM:
602: Algorithm => "rsa-sha256",
603- Chain => $arc_cv,
604- SrvId => $arc_srvid,
A.2. amavisd-new:
amavisd-new
-------------------
❯ ack Mail::DKIM:
lib/Amavis/Tools.pm
116: $dkim->
lib/Amavis/DKIM.pm
27:use Mail::DKIM:
336:# returning them as a list of Mail::DKIM:
694: $dkim->
838: # map a Mail::DKIM:
❯ ack Mail::DKIM:
❯ ack Mail::DKIM:
lib/Amavis.pm
900: Net::Patricia Net::LDAP Mail::SpamAssassin Mail::DKIM:
6221: if (!defined $dns_resolver && Mail::DKIM:
6223: # of Mail::DKIM:
6254: $dkim_verifier = Mail::DKIM:
lib/Amavis/
123: push(@modules, qw(Mail::DKIM Mail::DKIM:
lib/Amavis/Tools.pm
139: my $dkim_verifier = Mail::DKIM:
140: $dkim_verifier or die "Could not create a Mail::DKIM:
lib/Amavis/DKIM.pm
24:use Mail::DKIM:
Checking Algorithm used is rsa:
❯ ack -C2 Algorithm
lib/Amavis/Tools.pm
116- $dkim->
117- Selector => $selector_ace, Domain => $domain_ace,
118: Method => 'simple/simple', Algorithm => 'rsa-sha256',
119- Timestamp => int($now), Expiration => int($now)+24*3600, Key => $key,
120- )); under;
lib/Amavis/DKIM.pm
299-
300-# a CustomSigner callback routine passed to Mail::DKIM in place of a key;
301:# the ro...
Andreas Hasenack (ahasenack) wrote : | # |
So I'm looking at this, and here are my concerns:
a) complex delta
These patches look like they will be hard to carry forward. Even though we are unlikely to see big changes in noble SRUs, and there they should be more maintainable, this is delta that will be hard to maintain post-noble.
b) we are making a big change to a package
Ed25519 was announced by upstream as part of the 1.20230630 release. Except, in Ubuntu, it's not. configure-like and other version checks might be assuming that after this version, Ed25519 support is there for granted. But not in Ubuntu. In other words, we are deviating quite harshly from upstream and removing a feature they added more than a year ago. Granted, most good such checks will look for the actual feature being present, and not just a version number, but still.
c) there is no guarantee that we will benefit from this work
For this to be complete, we still need the MIR LP: #2023971 to be complete. It's currently in the security review queue, and it might come out from there as a +1 or a -1.
We currently have these versions in noble:
libmail-dkim-perl | 1.20230212-1 | noble | source
libmail-dkim-perl | 1.20240124-1 | noble-proposed | source
The upstream change that added Ed25519 support is in 1.20230630, which means it's *NOT* in noble release at the moment, only noble-proposed.
I propose that we kick out 1.20240124-1 from noble-proposed, and keep the one in noble-release. We can either add this package to the sync-blocklist[1], or upload a no-change rebuild with an ubuntu suffix to block it from syncing that way. I seem to remember there was a discussion on a suitable suffix for such changes, something like adding "maysync" or similar. We can find that, I think it was used recently in an MP in the server team even, for dns root data?
Yes:
dns-root-data | 2023112702~
But maybe for now, just before FF, we should add a block to it, just to be safe. Although, if we do nothing, it will just stay in proposed without migrating...
Now, if there is something in newer libmail-dkim-perl that we want, maybe the plan above doesn't work so well. Or we could cherry-pick what we want that is in newer versions only.
So, what do you think?
1. https:/
Miriam España Acebal (mirespace) wrote : | # |
Thanks Andreas!
It makes perfect sense for a user to trust that a new package version will come with all the features announced upstream.... thanks for bringing up this point.
I checked spamassassin versions and we are in 4.0.0 since Mantic, so new features that can come in -proposed libmail-dkim-perl version are not in use yet:
spamassassin | 3.4.6-1ubuntu0.
spamassassin | 4.0.0-7ubuntu1 | mantic | source, all
spamassassin | 4.0.0-8ubuntu1 | noble | source, all
For libmail-dmarc-perl it is the same case:
libmail-dmarc-perl | 1.20230215-1 | mantic/universe | source, all
libmail-dmarc-perl | 1.20230215-1 | noble/universe | source, all
Just for the record, the changes that come with the dkim -proposed version are:
1.20240124 2024-01-24 UTC
* ARC: Return fail for any ARC set with an instance number greater than 50.
This brings ARC verification in line with DKIM verification limits.
1.20230911 2023-09-11 UTC
* Option to add custom tags to generated ARC signatures and seals
1.20230630 2023-06-30 UTC
* Add support for Ed25519 signature types
Thanks to Matthäus Wander @mwander
* Option to add custom tags to generated signatures
So I'm okay with adding libmail-dkim-perl to the sync-blocklist.
Andreas Hasenack (ahasenack) wrote : | # |
Ok, the "maysync" or "willsync" ideas don't apply here, because the version in noble is way lower than Debian unstable:
1.20230212-1 vs 1.20240124-1
Also, the sync blocklist is meant for more permanent blocks, and I don't think we will want to block this package forever.
So my suggestion is, if we all agree on this plan, to:
- remove libmail-dkim-perl 1.20240124-1 from noble-proposed
- prepare and upload libmail-dkim-perl 1.20230212-1ubuntu1 with no changes. The "ubuntu1" suffix will block it from syncing
Miriam España Acebal (mirespace) wrote : | # |
MP for blocking is here: https:/
(I didn't say anything in #ubuntu-release yet; I am waiting for comments from Christian)
Christian Ehrhardt (paelzer) wrote : | # |
Thanks Andreas, this really is a much more maintainable approach to this.
The current version as it is not too old but would get the rest of the stack resolved.
I'd be ok on either sync-blocklist or delta to avoid a sync.
I'm already +0.99 on this, but let me ask one crucial question though...
The intent originally was to add back Ed25519 once we managed to create a wrapper we'd trust.
But if we now hold back 1.20240124-1, we'd have a much bigger change to "later add Ed25519".
As we'd then need to go to "at least 1.20230630" for the general infrastructure and then adopt it to use the alternative library for that encryption.
So we'd buy an easier current time, for a more complex future.
Yet OTOH the success, acceptance and all that of the to be created wrapper isn't entirely certain.
We are not taking away anything, it is already without Ed25519, no loss on upgrade. We'd just have that feature later.
And while intention is well meant - there still is the chance we need to decide later, "yeah Ed25519 will only be added in 24.10 but not backported".
With that in mind I'm adding another +0.01 for not spending effort now which might end up being totally different than we thought.
Objections after I forced that thought to be present in your mind?
Miriam España Acebal (mirespace) wrote : | # |
Hi Andreas, Christian:
Adding here the third scenario (blocking by suffix):
As the sync-blocklist MP.
Both are in WIP, but ready. If I'm OOO after the decision on this is taken, feel free to mark Needs Review and Approve/Reject depending on the taken decision.
About the complexity in the long-term: how feasible would it be to upgrade to a new version of this package with new features in noble as LTS? It sounds like we would need a SRU exception for only once... Oh, I forgot Robie's comment (https:/
1- This MP, removing all the patches and restoring the dependency in d/control as SRU?
2- removing the package from sync-blocklist, and doing a "sync-SRU"?
3- removing the suffix as SRU-change, and sync automatically in MM and "SRU-sync" to noble?
I don't know if a sync to a GA LTS can be done, hence my questions.
Andreas Hasenack (ahasenack) wrote : | # |
> About the complexity in the long-term: how feasible would it be to upgrade to a new version of this
> package with new features
We don't have to upgrade, we can patch the ed25519 support in. Basically the revert of your patches here.
It's still a new feature, of course, and one could argue it's a delta as complicated as the one here dropping the patches. So updating the version might be less risky. Both scenarios, however, will require an FFe for noble. Personally, I would prefer upgrading to 1.20240124-1 when the time comes.
So let's think about the scenarios:
a) Proceed as planned with this MP, which means:
- remove Ed25519 support from src:libmail-
- that will make src:libmail-
- feature freeze happens without Ed25519 support
Then:
- fingers crossed that security ACKs MIR LP: #2023971 for src:libmail-
- the Ed25519 perl+openssl wrapper happens, passes NEW review, goes into noble
- we restore Ed25519 support in src:libmail-
- change src:spamassassin to again recommend (instead of suggest) bin:libmail-
b) Revert to src:libmail-
- remove src:libmail-
- upload src:libmail-
- feature freeze happens without Ed25519 support
Then:
- fingers crossed that security ACKs MIR LP: #2023971 for src:libmail-
- the Ed25519 perl+openssl wrapper happens, passes NEW review, goes into noble
- we restore Ed25519 support in src:libmail-
- change src:spamassassin to again recommend (instead of suggest) bin:libmail-
So.
If all goes to plan, in *both* cases we will need a FFe for src:libmail-
If something fails along the way (MIR is not granted for src:libmail-
In the failed (a) case, we will have in noble a src:libmail-
In the failed (b) case, we will have in noble a normal src:libmail-
If we...
Andreas Hasenack (ahasenack) wrote : | # |
Let's take a look at the patches, while we are at it (inline).
Andreas Hasenack (ahasenack) wrote : | # |
Oh, and after looking more closely at the reverts, and I think I haven't mentioned this before: there is risk in us missing something in these reverts, or later, miss something if we decide to patch ed25519 back in (instead of bumping the version).
Miriam España Acebal (mirespace) wrote : | # |
I understand completely that the patches way could be more risky and are ugly/tedious/
(ofi) I did the patches 1-5 with git format-patch -5 HEAD from marcbrashaw/ed25519 (upstream/ed25519) branch, I didn't do it manually
Andreas Hasenack (ahasenack) wrote : | # |
We decided to go with (b) and drop[1] libmail-dkim-perl 1.20240124-1 from noble-proposed.
1. https:/
Andreas Hasenack (ahasenack) : | # |
Unmerged commits
- 4844d33... by Miriam España Acebal
-
changelog
- e23ee2c... by Miriam España Acebal
-
update-maintainer
- 9b1b276... by Miriam España Acebal
-
d/control: Dropping libcryptc-perl dependency.
- f5552de... by Miriam España Acebal
-
d/p/0006-
Revert- *.patch: Reverting changes applied by debian to support ed25519
- 959e0c1... by Miriam España Acebal
-
d/patches/
*-Revert- *.patch: Dropping ed25519 support while replacing
using of libcryptx-perl as dependency. Reverting upstream changes.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 4a792c5..edafb42 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,12 @@ |
6 | +libmail-dkim-perl (1.20240124-1ubuntu1) noble; urgency=medium |
7 | + |
8 | + * d/patches/*-Revert-*.patch: Drop ed25519 support while replacing |
9 | + the use of libcryptx-perl as dependency. Revert upstream and debian |
10 | + changes due to that (LP: #2046154). |
11 | + * d/control: Drop libcryptx-perl dependency. |
12 | + |
13 | + -- Miriam España Acebal <miriam.espana@canonical.com> Fri, 16 Feb 2024 13:20:59 +0100 |
14 | + |
15 | libmail-dkim-perl (1.20240124-1) unstable; urgency=medium |
16 | |
17 | * Team upload. |
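Review bot: The first changelog bullet identifies the delta only by the glob d/patches/*-Revert-*.patch, so someone merging a later Debian version cannot tell from the changelog which patches undo upstream commits and which one undoes the Debian packaging change. List the six files individually, marking 0001 to 0005 as reverts of upstream commits and 0006 as the revert of the Debian change, so each can be dropped on its own terms later.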
18 | diff --git a/debian/control b/debian/control |
19 | index 9c1240c..9bf4a65 100644 |
20 | --- a/debian/control |
21 | +++ b/debian/control |
22 | @@ -1,12 +1,12 @@ |
23 | Source: libmail-dkim-perl |
24 | -Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> |
25 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
26 | +XSBC-Original-Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> |
27 | Uploaders: Magnus Holmgren <holmgren@debian.org> |
28 | Section: perl |
29 | Testsuite: autopkgtest-pkg-perl |
30 | Priority: optional |
31 | Build-Depends: debhelper-compat (= 13) |
32 | Build-Depends-Indep: libcrypt-openssl-rsa-perl <!nocheck>, |
33 | - libcryptx-perl <!nocheck>, |
34 | libdigest-sha-perl <!nocheck>, |
35 | liberror-perl <!nocheck>, |
36 | libmail-authenticationresults-perl <!nocheck>, |
37 | @@ -27,7 +27,6 @@ Architecture: all |
38 | Depends: ${misc:Depends}, |
39 | ${perl:Depends}, |
40 | libcrypt-openssl-rsa-perl, |
41 | - libcryptx-perl, |
42 | libdigest-sha-perl, |
43 | liberror-perl, |
44 | libgetopt-long-descriptive-perl, |
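Review bot: With `libcryptx-perl` removed from Depends here (and from Build-Depends-Indep in the previous hunk), any `use Crypt::PK::Ed25519;` left in an installed module fails at compile time, which breaks rsa-sha256 callers as well as Ed25519 ones. Patch 0002 in this series puts that statement back inside `convert` in PrivateKey.pm and PublicKey.pm, and a `use` inside an if/elsif is still loaded unconditionally, so confirm on the tree with the full series applied that nothing under lib/ references Crypt::PK::Ed25519 any more, and consider adding that check as a build-time test.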
45 | diff --git a/debian/patches/0001-Revert-Ed25519-Add-test-for-missing-public-key.patch b/debian/patches/0001-Revert-Ed25519-Add-test-for-missing-public-key.patch |
46 | new file mode 100644 |
47 | index 0000000..71b97c9 |
48 | --- /dev/null |
49 | +++ b/debian/patches/0001-Revert-Ed25519-Add-test-for-missing-public-key.patch |
50 | @@ -0,0 +1,94 @@ |
51 | +From d7cd937e612f44d8862999f4a8894384ac8eb8c1 Mon Sep 17 00:00:00 2001 |
52 | +From: Miriam Espana Acebal <miriam.espana@canonical.com> |
53 | +Date: Fri, 16 Feb 2024 13:11:48 +0100 |
54 | +Subject: [PATCH 1/5] Revert "Ed25519: Add test for missing public key" |
55 | + |
56 | +This reverts commit 1d37a260ec2090aaccb3bbe6bb668d7ca1569836. |
57 | +--- |
58 | + t/FAKE_DNS.dat | 1 - |
59 | + t/corpus/badkey4_ed25519.txt | 16 ---------------- |
60 | + t/corpus/badkey5_ed25519.txt | 16 ---------------- |
61 | + t/verifier.t | 4 +--- |
62 | + 4 files changed, 1 insertion(+), 36 deletions(-) |
63 | + delete mode 100644 t/corpus/badkey4_ed25519.txt |
64 | + delete mode 100644 t/corpus/badkey5_ed25519.txt |
65 | + |
66 | +diff --git a/t/FAKE_DNS.dat b/t/FAKE_DNS.dat |
67 | +index 602c13b..22e24da 100644 |
68 | +--- a/t/FAKE_DNS.dat |
69 | ++++ b/t/FAKE_DNS.dat |
70 | +@@ -25,5 +25,4 @@ nonexistent._domainkey.messiah.edu NXDOMAIN |
71 | + test3._domainkey.blackhole.messiah.edu ~~Query timed out~~ |
72 | + test3._domainkey.blackhole2.messiah.edu ~~SERVFAIL~~ |
73 | + 2023-05-ed25519._domainkey.wander.science v=DKIM1; k=ed25519; p=pP+YUyRjAvKha4Oc49KAY703oLUS1NLMEuGD3IHMKww= |
74 | +-2023-05-ed25519-empty._domainkey.wander.science "" |
75 | + invalid._domainkey.wander.science v=DKIM1; k=ed25519; p=MCowBQYDK2VwAyEA3SUqa9UbfciWkk7tlcJ9P1VD5pXAasg0JUn/OgjVbKE= |
76 | +diff --git a/t/corpus/badkey4_ed25519.txt b/t/corpus/badkey4_ed25519.txt |
77 | +deleted file mode 100644 |
78 | +index 4693bc2..0000000 |
79 | +--- a/t/corpus/badkey4_ed25519.txt |
80 | ++++ /dev/null |
81 | +@@ -1,16 +0,0 @@ |
82 | +-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; |
83 | +- d=wander.science; s=2023-05-ed25519-does-not-exist; h=Subject:Content-Transfer-Encoding: |
84 | +- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References: |
85 | +- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s |
86 | +- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg |
87 | +- ==; |
88 | +-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science> |
89 | +-Date: Wed, 10 May 2023 21:54:21 +0200 |
90 | +-MIME-Version: 1.0 |
91 | +-To: echo@mail.town |
92 | +-From: mail@wander.science |
93 | +-Content-Type: text/plain; charset=UTF-8; format=flowed |
94 | +-Content-Transfer-Encoding: 7bit |
95 | +-Subject: Test ed25519 |
96 | +- |
97 | +-This is an elliptic test, with a missing key. |
98 | +diff --git a/t/corpus/badkey5_ed25519.txt b/t/corpus/badkey5_ed25519.txt |
99 | +deleted file mode 100644 |
100 | +index f60f504..0000000 |
101 | +--- a/t/corpus/badkey5_ed25519.txt |
102 | ++++ /dev/null |
103 | +@@ -1,16 +0,0 @@ |
104 | +-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; |
105 | +- d=wander.science; s=2023-05-ed25519-empty; h=Subject:Content-Transfer-Encoding: |
106 | +- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References: |
107 | +- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s |
108 | +- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg |
109 | +- ==; |
110 | +-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science> |
111 | +-Date: Wed, 10 May 2023 21:54:21 +0200 |
112 | +-MIME-Version: 1.0 |
113 | +-To: echo@mail.town |
114 | +-From: mail@wander.science |
115 | +-Content-Type: text/plain; charset=UTF-8; format=flowed |
116 | +-Content-Transfer-Encoding: 7bit |
117 | +-Subject: Test ed25519 |
118 | +- |
119 | +-This is an elliptic test, with a missing key. |
120 | +diff --git a/t/verifier.t b/t/verifier.t |
121 | +index 3f802c9..90320d4 100755 |
122 | +--- a/t/verifier.t |
123 | ++++ b/t/verifier.t |
124 | +@@ -2,7 +2,7 @@ |
125 | + |
126 | + use strict; |
127 | + use warnings; |
128 | +-use Test::More tests => 111; |
129 | ++use Test::More tests => 109; |
130 | + |
131 | + use Mail::DKIM::Verifier; |
132 | + |
133 | +@@ -167,8 +167,6 @@ test_email( "goodkey_ed25519.txt", "pass" ); |
134 | + test_email( "badkey1_ed25519.txt", "invalid" ); # key has invalid length |
135 | + test_email( "badkey2_ed25519.txt", "fail" ); # header modified |
136 | + test_email( "badkey3_ed25519.txt", "fail" ); # body modified |
137 | +-test_email( "badkey4_ed25519.txt", "invalid" ); # missing key |
138 | +-test_email( "badkey5_ed25519.txt", "invalid" ); # empty key |
139 | + |
140 | + sub read_file { |
141 | + my $srcfile = shift; |
142 | +-- |
143 | +2.40.1 |
144 | + |
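Review bot: The patch header carries only the git format-patch fields and "This reverts commit 1d37a260ec2090aaccb3bbe6bb668d7ca1569836", without saying which repository that commit belongs to or why Ubuntu carries the revert. Add DEP-3 fields below the description, at least Origin, Forwarded (this delta is Ubuntu-only) and a Bug-Ubuntu reference to LP: #2046154 from the changelog, so the delta can be audited and dropped cleanly when Ed25519 support is restored.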
145 | diff --git a/debian/patches/0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch b/debian/patches/0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch |
146 | new file mode 100644 |
147 | index 0000000..10aeb9d |
148 | --- /dev/null |
149 | +++ b/debian/patches/0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch |
150 | @@ -0,0 +1,496 @@ |
151 | +From 3d65013b6cc172343354bfa33e59330b9b44ee57 Mon Sep 17 00:00:00 2001 |
152 | +From: Miriam Espana Acebal <miriam.espana@canonical.com> |
153 | +Date: Fri, 16 Feb 2024 13:15:07 +0100 |
154 | +Subject: [PATCH 2/5] Revert "Refactor and cleanup some ed25519 code" |
155 | + |
156 | +This reverts commit 86f65f4e6d7b99e759de2ea23c56e16b5e76ab15. |
157 | +--- |
158 | + Changes | 2 - |
159 | + lib/Mail/DKIM/Algorithm/ed25519_sha256.pm | 4 +- |
160 | + lib/Mail/DKIM/PrivateKey.pm | 161 ++++++++++---------- |
161 | + lib/Mail/DKIM/PublicKey.pm | 175 ++++++++++------------ |
162 | + 4 files changed, 163 insertions(+), 179 deletions(-) |
163 | + |
164 | +diff --git a/Changes b/Changes |
165 | +index f898dc5..39b645a 100644 |
166 | +--- a/Changes |
167 | ++++ b/Changes |
168 | +@@ -8,8 +8,6 @@ This file summarizes what's changed between releases of Mail-DKIM. |
169 | + * Option to add custom tags to generated ARC signatures and seals |
170 | + |
171 | + 1.20230630 2023-06-30 UTC |
172 | +- * Add support for Ed25519 signature types |
173 | +- Thanks to Matthäus Wander @mwander |
174 | + * Option to add custom tags to generated signatures |
175 | + |
176 | + 1.20230212 2023-02-12 UTC |
177 | +diff --git a/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm b/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm |
178 | +index 9a4a2f3..d97deeb 100644 |
179 | +--- a/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm |
180 | ++++ b/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm |
181 | +@@ -1,8 +1,8 @@ |
182 | + package Mail::DKIM::Algorithm::ed25519_sha256; |
183 | + use strict; |
184 | + use warnings; |
185 | +-our $VERSION = '1.20240124'; # VERSION |
186 | +-# ABSTRACT: ed25519 sha256 algorithm class |
187 | ++# VERSION |
188 | ++# ABSTRACT: edd2519 sha256 algorithm class |
189 | + |
190 | + # Copyright 2005-2006 Messiah College. All rights reserved. |
191 | + # Jason Long <jlong@messiah.edu> |
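Review bot: In ed25519_sha256.pm this hunk replaces `our $VERSION = '1.20240124'; # VERSION` with the bare `# VERSION` placeholder, leaving the module without a version while PrivateKey.pm and PublicKey.pm keep theirs (visible in their hunk headers), and it brings back the "edd2519" typo in the ABSTRACT line. If a later patch in the series deletes this file the change is harmless; otherwise drop this file from the revert.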
192 | +diff --git a/lib/Mail/DKIM/PrivateKey.pm b/lib/Mail/DKIM/PrivateKey.pm |
193 | +index af08573..1a9526d 100644 |
194 | +--- a/lib/Mail/DKIM/PrivateKey.pm |
195 | ++++ b/lib/Mail/DKIM/PrivateKey.pm |
196 | +@@ -15,8 +15,6 @@ our $VERSION = '1.20240124'; # VERSION |
197 | + use base 'Mail::DKIM::Key'; |
198 | + use Carp; |
199 | + *calculate_EM = \&Mail::DKIM::Key::calculate_EM; |
200 | +-use Crypt::OpenSSL::RSA; |
201 | +-use Crypt::PK::Ed25519; |
202 | + |
203 | + |
204 | + sub load { |
205 | +@@ -53,86 +51,88 @@ sub load { |
206 | + } |
207 | + |
208 | + |
209 | +-sub _convert_rsa { |
210 | ++sub convert { |
211 | + my $self = shift; |
212 | + |
213 | +- # have to PKCS1ify the privkey because openssl is too finicky... |
214 | +- my $pkcs = "-----BEGIN RSA PRIVATE KEY-----\n"; |
215 | +- |
216 | +- for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) { |
217 | +- $pkcs .= substr $self->data, $i, 64; |
218 | +- $pkcs .= "\n"; |
219 | ++ # Use different libs subject to key type. |
220 | ++ if ( $self->{'TYPE'} eq 'rsa' ) { |
221 | ++ use Crypt::OpenSSL::RSA; |
222 | ++ } |
223 | ++ elsif ( $self->{'TYPE'} eq 'ed25519' ) { |
224 | ++ use Crypt::PK::Ed25519; |
225 | + } |
226 | + |
227 | +- $pkcs .= "-----END RSA PRIVATE KEY-----\n"; |
228 | ++ $self->data |
229 | ++ or return; |
230 | ++ |
231 | ++ if ( $self->{'TYPE'} eq 'rsa' ) { |
232 | ++ |
233 | ++ # have to PKCS1ify the privkey because openssl is too finicky... |
234 | ++ my $pkcs = "-----BEGIN RSA PRIVATE KEY-----\n"; |
235 | ++ |
236 | ++ for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) { |
237 | ++ $pkcs .= substr $self->data, $i, 64; |
238 | ++ $pkcs .= "\n"; |
239 | ++ } |
240 | ++ |
241 | ++ $pkcs .= "-----END RSA PRIVATE KEY-----\n"; |
242 | + |
243 | +- my $cork; |
244 | ++ my $cork; |
245 | + |
246 | +- eval { |
247 | +- local $SIG{__DIE__}; |
248 | +- $cork = new_private_key Crypt::OpenSSL::RSA($pkcs); |
249 | +- 1 |
250 | +- } || do { |
251 | ++ eval { |
252 | ++ local $SIG{__DIE__}; |
253 | ++ $cork = new_private_key Crypt::OpenSSL::RSA($pkcs); |
254 | ++ 1 |
255 | ++ } || do { |
256 | + $self->errorstr($@); |
257 | + return; |
258 | +- }; |
259 | ++ }; |
260 | + |
261 | +- $cork |
262 | +- or return; |
263 | ++ $cork |
264 | ++ or return; |
265 | + |
266 | +- # segfaults on my machine |
267 | +- # $cork->check_key or |
268 | +- # return; |
269 | ++ # segfaults on my machine |
270 | ++ # $cork->check_key or |
271 | ++ # return; |
272 | + |
273 | +- $self->cork($cork); |
274 | +- return 1; |
275 | +-} |
276 | ++ $self->cork($cork); |
277 | + |
278 | +-sub _convert_ed25519 { |
279 | +- my $self = shift; |
280 | +- my $cork; |
281 | ++ } |
282 | ++ elsif ( $self->{'TYPE'} eq 'ed25519' ) { |
283 | ++ my $cork; |
284 | + |
285 | +- eval { |
286 | +- local $SIG{__DIE__}; |
287 | +- $cork = new Crypt::PK::Ed25519; |
288 | ++ eval { |
289 | ++ local $SIG{__DIE__}; |
290 | ++ $cork = new Crypt::PK::Ed25519; |
291 | + |
292 | +- # Prepend/append with PEM boilerplate |
293 | +- my $pem = "-----BEGIN ED25519 PRIVATE KEY-----\n"; |
294 | +- $pem .= $self->data; |
295 | +- $pem .= "\n"; |
296 | +- $pem .= "-----END ED25519 PRIVATE KEY-----\n"; |
297 | ++ # Prepend/append with PEM boilerplate |
298 | ++ my $pem = "-----BEGIN ED25519 PRIVATE KEY-----\n"; |
299 | ++ $pem .= $self->data; |
300 | ++ $pem .= "\n"; |
301 | ++ $pem .= "-----END ED25519 PRIVATE KEY-----\n"; |
302 | + |
303 | +- # Pass PEM text buffer |
304 | +- $cork->import_key(\$pem) |
305 | +- or die 'failed to load Ed25519 private key'; |
306 | ++ # Pass PEM text buffer |
307 | ++ $cork->import_key(\$pem) |
308 | ++ or die 'failed to load Ed25519 private key'; |
309 | + |
310 | +- # Alternatively, import_raw_key() could be used, |
311 | +- # but requires the 32-byte key, which must be extracted |
312 | +- # from the ASN.1 structure first. |
313 | ++ # Alternatively, import_raw_key() could be used, |
314 | ++ # but requires the 32-byte key, which must be extracted |
315 | ++ # from the ASN.1 structure first. |
316 | + |
317 | +- 1 |
318 | +- } || do { |
319 | +- $self->errorstr($@); |
320 | +- return; |
321 | +- }; |
322 | ++ 1 |
323 | ++ } || do { |
324 | ++ $self->errorstr($@); |
325 | ++ return; |
326 | ++ }; |
327 | + |
328 | +- $cork |
329 | +- or return; |
330 | ++ $cork |
331 | ++ or return; |
332 | + |
333 | +- $self->cork($cork); |
334 | +- return 1; |
335 | +-} |
336 | ++ $self->cork($cork); |
337 | + |
338 | +-sub convert { |
339 | +- my $self = shift; |
340 | +- |
341 | +- $self->data |
342 | +- or return; |
343 | ++ } |
344 | + |
345 | +- return $self->_convert_rsa if $self->{TYPE} eq 'rsa'; |
346 | +- return $self->_convert_ed25519 if $self->{TYPE} eq 'ed25519'; |
347 | +- self->errorstr('unsupported key type'); |
348 | +- return; |
349 | ++ return 1; |
350 | + } |
351 | + |
352 | + #deprecated |
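Review bot: The restored `convert` in PrivateKey.pm ends with an unconditional `return 1;`, so a key whose TYPE is neither 'rsa' nor 'ed25519' is reported as converted although no cork was set, whereas the code being removed had an explicit 'unsupported key type' branch for that case. Keep an explicit failing branch instead of the fall-through, written as `$self->errorstr('unsupported key type'); return;` (the removed line reads `self->errorstr`, without the sigil).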
353 | +@@ -151,36 +151,31 @@ sub sign_sha1_digest { |
354 | + } |
355 | + |
356 | + |
357 | +-sub _sign_digest_rsa { |
358 | ++sub sign_digest { |
359 | + my $self = shift; |
360 | + my ( $digest_algorithm, $digest ) = @_; |
361 | + |
362 | +- my $rsa_priv = $self->cork; |
363 | +- $rsa_priv->use_no_padding; |
364 | +- my $k = $rsa_priv->size; |
365 | +- my $EM = calculate_EM( $digest_algorithm, $digest, $k ); |
366 | +- return $rsa_priv->decrypt($EM); |
367 | +-} |
368 | ++ if ( $self->{'TYPE'} eq 'rsa') { |
369 | + |
370 | +-sub _sign_digest_ed25519 { |
371 | +- my $self = shift; |
372 | +- my ( $digest_algorithm, $digest ) = @_; |
373 | ++ my $rsa_priv = $self->cork; |
374 | ++ $rsa_priv->use_no_padding; |
375 | ++ |
376 | ++ my $k = $rsa_priv->size; |
377 | ++ my $EM = calculate_EM( $digest_algorithm, $digest, $k ); |
378 | ++ return $rsa_priv->decrypt($EM); |
379 | + |
380 | +- my $ed = $self->cork; |
381 | +- if ( !$ed ) { |
382 | +- $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem'; |
383 | +- die; |
384 | + } |
385 | +- return $ed->sign_message($digest); |
386 | +-} |
387 | ++ elsif ( $self->{'TYPE'} eq 'ed25519' ) { |
388 | + |
389 | +-sub sign_digest { |
390 | +- my $self = shift; |
391 | +- my ( $digest_algorithm, $digest ) = @_; |
392 | ++ my $ed = $self->cork; |
393 | ++ if ( !$ed ) { |
394 | ++ $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem'; |
395 | ++ die; |
396 | ++ } |
397 | + |
398 | +- return $self->_sign_digest_rsa($digest_algorithm, $digest) if $self->{TYPE} eq 'rsa'; |
399 | +- return $self->_sign_digest_ed25519($digest_algorithm, $digest) if $self->{TYPE} eq 'ed25519'; |
400 | +- die 'unsupported key type'; |
401 | ++ return $ed->sign_message($digest); |
402 | ++ |
403 | ++ } |
404 | + } |
405 | + |
406 | + __END__ |
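Review bot: The restored `sign_digest` has no final branch: for a TYPE other than 'rsa' or 'ed25519' it falls off the end of the if/elsif and hands back a false value instead of raising, whereas the code being removed ended with `die 'unsupported key type';`. Keep that `die` as the last statement so the caller gets an exception rather than an unusable signature value.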
407 | +diff --git a/lib/Mail/DKIM/PublicKey.pm b/lib/Mail/DKIM/PublicKey.pm |
408 | +index bbae0e7..bd45aeb 100644 |
409 | +--- a/lib/Mail/DKIM/PublicKey.pm |
410 | ++++ b/lib/Mail/DKIM/PublicKey.pm |
411 | +@@ -14,9 +14,6 @@ our $VERSION = '1.20240124'; # VERSION |
412 | + use base ( 'Mail::DKIM::KeyValueList', 'Mail::DKIM::Key' ); |
413 | + *calculate_EM = \&Mail::DKIM::Key::calculate_EM; |
414 | + |
415 | +-use Crypt::OpenSSL::RSA; |
416 | +-use Crypt::PK::Ed25519; |
417 | +-use MIME::Base64; |
418 | + use Mail::DKIM::DNS; |
419 | + |
420 | + sub new { |
421 | +@@ -102,7 +99,7 @@ sub fetch_async { |
422 | + my $self = $class->parse($strn); |
423 | + $self->{Selector} = $prms{'Selector'}; |
424 | + $self->{Domain} = $prms{'Domain'}; |
425 | +- $self->{TYPE} = $self->get_tag('k') || 'rsa'; |
426 | ++ $self->{TYPE} = ( $self->get_tag('k') or 'rsa' ); |
427 | + $self->check; |
428 | + |
429 | + return $on_success->($self); |
430 | +@@ -284,54 +281,57 @@ sub check_hash_algorithm { |
431 | + # Create an OpenSSL public key object from the Base64-encoded data |
432 | + # found in this public key's DNS record. The OpenSSL object is saved |
433 | + # in the "cork" property. |
434 | +-sub _convert_rsa { |
435 | ++sub convert { |
436 | + my $self = shift; |
437 | +- # have to PKCS1ify the pubkey because openssl is too finicky... |
438 | +- my $cert = "-----BEGIN PUBLIC KEY-----\n"; |
439 | + |
440 | +- for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) { |
441 | +- $cert .= substr $self->data, $i, 64; |
442 | +- $cert .= "\n"; |
443 | ++ # Use different libs subject to k= tag. |
444 | ++ # Without k= tag, default to RSA to maintain prior behavior |
445 | ++ my $k = ( $self->get_tag('k') or 'rsa' ); |
446 | ++ if ( $k eq 'rsa' ) { |
447 | ++ use Crypt::OpenSSL::RSA; |
448 | ++ } |
449 | ++ elsif ( $k eq 'ed25519' ) { |
450 | ++ use Crypt::PK::Ed25519; |
451 | ++ use MIME::Base64; |
452 | + } |
453 | + |
454 | +- $cert .= "-----END PUBLIC KEY-----\n"; |
455 | ++ $self->data |
456 | ++ or return; |
457 | + |
458 | +- my $cork = Crypt::OpenSSL::RSA->new_public_key($cert) |
459 | +- or die 'unable to generate public key object'; |
460 | ++ if ( $k eq 'rsa' ) { |
461 | ++ # have to PKCS1ify the pubkey because openssl is too finicky... |
462 | ++ my $cert = "-----BEGIN PUBLIC KEY-----\n"; |
463 | + |
464 | +- # segfaults on my machine |
465 | +- # $cork->check_key or |
466 | +- # return; |
467 | ++ for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) { |
468 | ++ $cert .= substr $self->data, $i, 64; |
469 | ++ $cert .= "\n"; |
470 | ++ } |
471 | + |
472 | +- $self->cork($cork); |
473 | +- return 1; |
474 | +-} |
475 | ++ $cert .= "-----END PUBLIC KEY-----\n"; |
476 | + |
477 | +-sub _convert_ed25519 { |
478 | +- my $self = shift; |
479 | +- my $cork = Crypt::PK::Ed25519->new |
480 | +- or die 'unable to generate Ed25519 public key object'; |
481 | ++ my $cork = Crypt::OpenSSL::RSA->new_public_key($cert) |
482 | ++ or die 'unable to generate public key object'; |
483 | + |
484 | +- my $keybin = decode_base64($self->data); |
485 | +- $cork->import_key_raw($keybin, 'public') |
486 | +- or die 'failed to load Ed25519 public key'; |
487 | ++ # segfaults on my machine |
488 | ++ # $cork->check_key or |
489 | ++ # return; |
490 | + |
491 | +- $self->cork($cork); |
492 | +- return 1; |
493 | +-} |
494 | ++ $self->cork($cork); |
495 | + |
496 | +-sub convert { |
497 | +- my $self = shift; |
498 | ++ } |
499 | ++ elsif ( $k eq 'ed25519' ) { |
500 | ++ my $cork = Crypt::PK::Ed25519->new |
501 | ++ or die 'unable to generate Ed25519 public key object'; |
502 | + |
503 | +- my $k_tag = $self->get_tag('k'); |
504 | +- $k_tag = 'rsa' unless defined $k_tag; |
505 | ++ my $keybin = decode_base64($self->data); |
506 | ++ $cork->import_key_raw($keybin, 'public') |
507 | ++ or die 'failed to load Ed25519 public key'; |
508 | + |
509 | +- $self->data |
510 | +- or return; |
511 | ++ $self->cork($cork); |
512 | ++ |
513 | ++ } |
514 | + |
515 | +- return $self->_convert_rsa if $k_tag eq 'rsa'; |
516 | +- return $self->_convert_ed25519 if $k_tag eq 'ed25519'; |
517 | +- die 'unsupported key type'; |
518 | ++ return 1; |
519 | + } |
520 | + |
521 | + sub verify { |
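Review bot: In the restored `convert`, a `k=` value that is neither `rsa` nor `ed25519` skips both branches and still reaches `return 1;` with no cork set, whereas the version being removed ended in `die 'unsupported key type';`. Add an `else { die 'unsupported key type'; }` after the `elsif` so an unknown key type cannot be reported as successfully converted.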
522 | +@@ -436,76 +436,67 @@ sub verify_sha1_digest { |
523 | + return $self->verify_digest( 'SHA-1', $digest, $signature ); |
524 | + } |
525 | + |
526 | +-sub _verify_digest_rsa { |
527 | ++# verify_digest() - returns true if the digest verifies, false otherwise |
528 | ++# |
529 | ++# if false, $@ is set to a description of the problem |
530 | ++# |
531 | ++sub verify_digest { |
532 | + my $self = shift; |
533 | + my ( $digest_algorithm, $digest, $signature ) = @_; |
534 | + |
535 | +- my $rsa_pub = $self->cork; |
536 | +- if ( !$rsa_pub ) { |
537 | +- $@ = $@ ne '' ? "RSA failed: $@" : 'RSA unknown problem'; |
538 | +- $@ .= ", s=$self->{Selector} d=$self->{Domain}"; |
539 | +- return; |
540 | +- } |
541 | +- |
542 | +- $rsa_pub->use_no_padding; |
543 | +- my $verify_result = $rsa_pub->encrypt($signature); |
544 | ++ my $k_tag = $self->get_tag('k') || 'rsa'; |
545 | + |
546 | +- my $k = $rsa_pub->size; |
547 | +- my $expected = calculate_EM( $digest_algorithm, $digest, $k ); |
548 | +- return 1 if ( $verify_result eq $expected ); |
549 | ++ if ($k_tag eq 'rsa') { |
550 | ++ my $rsa_pub = $self->cork; |
551 | ++ if ( !$rsa_pub ) { |
552 | ++ $@ = $@ ne '' ? "RSA failed: $@" : 'RSA unknown problem'; |
553 | ++ $@ .= ", s=$self->{Selector} d=$self->{Domain}"; |
554 | ++ return; |
555 | ++ } |
556 | + |
557 | +- # well, the RSA verification failed; I wonder if the RSA signing |
558 | +- # was performed on a different digest value? I think we can check... |
559 | ++ $rsa_pub->use_no_padding; |
560 | ++ my $verify_result = $rsa_pub->encrypt($signature); |
561 | + |
562 | +- # basically, if the $verify_result has the same prefix as $expected, |
563 | +- # then only the digest was different |
564 | ++ my $k = $rsa_pub->size; |
565 | ++ my $expected = calculate_EM( $digest_algorithm, $digest, $k ); |
566 | ++ return 1 if ( $verify_result eq $expected ); |
567 | + |
568 | +- my $digest_len = length $digest; |
569 | +- my $prefix_len = length($expected) - $digest_len; |
570 | +- if ( |
571 | +- substr( $verify_result, 0, $prefix_len ) eq |
572 | +- substr( $expected, 0, $prefix_len ) ) |
573 | +- { |
574 | +- $@ = 'message has been altered'; |
575 | +- return; |
576 | +- } |
577 | ++ # well, the RSA verification failed; I wonder if the RSA signing |
578 | ++ # was performed on a different digest value? I think we can check... |
579 | + |
580 | +- $@ = 'bad RSA signature'; |
581 | +- return; |
582 | +-} |
583 | ++ # basically, if the $verify_result has the same prefix as $expected, |
584 | ++ # then only the digest was different |
585 | + |
586 | +-sub _verify_digest_ed25519 { |
587 | +- my $self = shift; |
588 | +- my ( $digest_algorithm, $digest, $signature ) = @_; |
589 | ++ my $digest_len = length $digest; |
590 | ++ my $prefix_len = length($expected) - $digest_len; |
591 | ++ if ( |
592 | ++ substr( $verify_result, 0, $prefix_len ) eq |
593 | ++ substr( $expected, 0, $prefix_len ) ) |
594 | ++ { |
595 | ++ $@ = 'message has been altered'; |
596 | ++ return; |
597 | ++ } |
598 | + |
599 | +- my $ed = $self->cork; |
600 | +- if ( !$ed ) { |
601 | +- $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem'; |
602 | +- $@ .= ", s=$self->{Selector} d=$self->{Domain}"; |
603 | ++ $@ = 'bad RSA signature'; |
604 | + return; |
605 | +- } |
606 | + |
607 | +- my $verify_result = $ed->verify_message($signature, $digest); |
608 | +- return $verify_result if ($verify_result == 1); |
609 | ++ } elsif ($k_tag eq 'ed25519') { |
610 | + |
611 | +- $@ = 'bad Ed25519 signature'; |
612 | +- return; |
613 | +-} |
614 | ++ my $ed = $self->cork; |
615 | ++ if ( !$ed ) { |
616 | ++ $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem'; |
617 | ++ $@ .= ", s=$self->{Selector} d=$self->{Domain}"; |
618 | ++ return; |
619 | ++ } |
620 | + |
621 | +-# verify_digest() - returns true if the digest verifies, false otherwise |
622 | +-# |
623 | +-# if false, $@ is set to a description of the problem |
624 | +-# |
625 | +-sub verify_digest { |
626 | +- my $self = shift; |
627 | +- my ( $digest_algorithm, $digest, $signature ) = @_; |
628 | ++ my $verify_result = $ed->verify_message($signature, $digest); |
629 | ++ return $verify_result if ($verify_result == 1); |
630 | + |
631 | +- my $k_tag = $self->get_tag('k') || 'rsa'; |
632 | ++ $@ = 'bad Ed25519 signature'; |
633 | ++ return; |
634 | ++ |
635 | ++ } |
636 | + |
637 | +- return $self->_verify_digest_rsa($digest_algorithm, $digest, $signature) if $k_tag eq 'rsa'; |
638 | +- return $self->_verify_digest_ed25519($digest_algorithm, $digest, $signature) if $k_tag eq 'ed25519'; |
639 | +- $@ = 'unsupported key type'; |
640 | +- return; |
641 | + } |
642 | + |
643 | + 1; |
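Review bot: `verify_digest` now ends without an `else`, so for an unrecognised `k=` tag it returns false without assigning `$@`, although the comment restored directly above the sub says `$@` is set to a description of the problem on failure. The removed dispatcher set `$@ = 'unsupported key type';` before returning; keeping that assignment after the `elsif` block stops a caller from reporting a stale `$@` left over from an earlier failure.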
644 | +-- |
645 | +2.40.1 |
646 | + |
647 | diff --git a/debian/patches/0003-Revert-set-rsa-ed25519-type.patch b/debian/patches/0003-Revert-set-rsa-ed25519-type.patch |
648 | new file mode 100644 |
649 | index 0000000..8e8ded8 |
650 | --- /dev/null |
651 | +++ b/debian/patches/0003-Revert-set-rsa-ed25519-type.patch |
652 | @@ -0,0 +1,84 @@ |
653 | +From 7f8a91d1c8643967907843e45ee75ca0ae5a2157 Mon Sep 17 00:00:00 2001 |
654 | +From: Miriam Espana Acebal <miriam.espana@canonical.com> |
655 | +Date: Fri, 16 Feb 2024 13:15:15 +0100 |
656 | +Subject: [PATCH 3/5] Revert "set rsa/ed25519 type" |
657 | + |
658 | +This reverts commit d146356d5f0ec41f796cc40f0db76ba400efe12a. |
659 | +--- |
660 | + lib/Mail/DKIM/PrivateKey.pm | 2 +- |
661 | + lib/Mail/DKIM/PublicKey.pm | 6 ++---- |
662 | + lib/Mail/DKIM/Signer.pm | 6 +----- |
663 | + 3 files changed, 4 insertions(+), 10 deletions(-) |
664 | + |
665 | +diff --git a/lib/Mail/DKIM/PrivateKey.pm b/lib/Mail/DKIM/PrivateKey.pm |
666 | +index 1a9526d..ad98dd2 100644 |
667 | +--- a/lib/Mail/DKIM/PrivateKey.pm |
668 | ++++ b/lib/Mail/DKIM/PrivateKey.pm |
669 | +@@ -165,7 +165,7 @@ sub sign_digest { |
670 | + return $rsa_priv->decrypt($EM); |
671 | + |
672 | + } |
673 | +- elsif ( $self->{'TYPE'} eq 'ed25519' ) { |
674 | ++ elsif ( $self->{'TYPE'} eq 'ed25519') { |
675 | + |
676 | + my $ed = $self->cork; |
677 | + if ( !$ed ) { |
678 | +diff --git a/lib/Mail/DKIM/PublicKey.pm b/lib/Mail/DKIM/PublicKey.pm |
679 | +index bd45aeb..dce1736 100644 |
680 | +--- a/lib/Mail/DKIM/PublicKey.pm |
681 | ++++ b/lib/Mail/DKIM/PublicKey.pm |
682 | +@@ -25,7 +25,7 @@ sub new { |
683 | + $self->{'GRAN'} = $prms{'Granularity'}; |
684 | + $self->{'NOTE'} = $prms{'Note'}; |
685 | + $self->{'TEST'} = $prms{'Testing'}; |
686 | +- $self->{'TYPE'} = ( $prms{'Type'} or 'rsa' ); |
687 | ++ #$self->{'TYPE'} = ( $prms{'Type'} or 'rsa' ); # unused |
688 | + $self->{'DATA'} = $prms{'Data'}; |
689 | + |
690 | + bless $self, $type; |
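Review bot: The `TYPE` assignment in `new` is left behind as commented-out code with a trailing `# unused`. Deleting the line is cleaner than commenting it out. If it is kept only because patch 5/5 restores the same line and needs it as context, say so in the patch header.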
691 | +@@ -99,9 +99,7 @@ sub fetch_async { |
692 | + my $self = $class->parse($strn); |
693 | + $self->{Selector} = $prms{'Selector'}; |
694 | + $self->{Domain} = $prms{'Domain'}; |
695 | +- $self->{TYPE} = ( $self->get_tag('k') or 'rsa' ); |
696 | + $self->check; |
697 | +- |
698 | + return $on_success->($self); |
699 | + }; |
700 | + |
701 | +@@ -286,7 +284,7 @@ sub convert { |
702 | + |
703 | + # Use different libs subject to k= tag. |
704 | + # Without k= tag, default to RSA to maintain prior behavior |
705 | +- my $k = ( $self->get_tag('k') or 'rsa' ); |
706 | ++ my $k = $self->get_tag('k') || 'rsa'; |
707 | + if ( $k eq 'rsa' ) { |
708 | + use Crypt::OpenSSL::RSA; |
709 | + } |
710 | +diff --git a/lib/Mail/DKIM/Signer.pm b/lib/Mail/DKIM/Signer.pm |
711 | +index 7aebced..24b5285 100644 |
712 | +--- a/lib/Mail/DKIM/Signer.pm |
713 | ++++ b/lib/Mail/DKIM/Signer.pm |
714 | +@@ -185,9 +185,6 @@ sub finish_body { |
715 | + # finished canonicalizing |
716 | + $algorithm->finish_body; |
717 | + |
718 | +- my $type = 'rsa'; # default |
719 | +- $type = 'ed25519' if ( $self->{'Algorithm'} =~ /^ed25519/ ); |
720 | +- |
721 | + # load the private key file if necessary |
722 | + my $signature = $algorithm->signature; |
723 | + my $key = |
724 | +@@ -196,8 +193,7 @@ sub finish_body { |
725 | + || $self->{Key} |
726 | + || $self->{KeyFile}; |
727 | + if ( defined($key) && !ref($key) ) { |
728 | +- $key = Mail::DKIM::PrivateKey->load( File => $key, |
729 | +- Type => $type ); |
730 | ++ $key = Mail::DKIM::PrivateKey->load( File => $key ); |
731 | + } |
732 | + $key |
733 | + or die "no key available to sign with\n"; |
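Review bot: `finish_body` now calls `Mail::DKIM::PrivateKey->load( File => $key )` without `Type`, but at this point in the series `sign_digest` in PrivateKey.pm (first hunk of this patch) still dispatches on `$self->{'TYPE'}`. Please confirm that `load` gives `TYPE` a default; otherwise both `eq` comparisons run against an undefined value and signing returns nothing until patch 4/5 is applied. If the series is only ever applied as a whole, one line in the description saying the intermediate states are not expected to work is enough.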
734 | +-- |
735 | +2.40.1 |
736 | + |
737 | diff --git a/debian/patches/0004-Revert-added-ed25519-signing-support.patch b/debian/patches/0004-Revert-added-ed25519-signing-support.patch |
738 | new file mode 100644 |
739 | index 0000000..7966790 |
740 | --- /dev/null |
741 | +++ b/debian/patches/0004-Revert-added-ed25519-signing-support.patch |
742 | @@ -0,0 +1,327 @@ |
743 | +From 74064a137e63c028a815eb24dcd8b52c616a08bc Mon Sep 17 00:00:00 2001 |
744 | +From: Miriam Espana Acebal <miriam.espana@canonical.com> |
745 | +Date: Fri, 16 Feb 2024 13:15:23 +0100 |
746 | +Subject: [PATCH 4/5] Revert "added ed25519 signing support." |
747 | + |
748 | +This reverts commit edd9897ee9208f41035f311d5b8443a5513a6037. |
749 | +--- |
750 | + lib/Mail/DKIM/PrivateKey.pm | 114 +++++++++--------------------------- |
751 | + lib/Mail/DKIM/PublicKey.pm | 12 ++-- |
752 | + lib/Mail/DKIM/Signer.pm | 16 ++--- |
753 | + t/signer.t | 54 +---------------- |
754 | + t/test.ed.key | 3 - |
755 | + 5 files changed, 38 insertions(+), 161 deletions(-) |
756 | + delete mode 100644 t/test.ed.key |
757 | + |
758 | +diff --git a/lib/Mail/DKIM/PrivateKey.pm b/lib/Mail/DKIM/PrivateKey.pm |
759 | +index ad98dd2..261f866 100644 |
760 | +--- a/lib/Mail/DKIM/PrivateKey.pm |
761 | ++++ b/lib/Mail/DKIM/PrivateKey.pm |
762 | +@@ -52,85 +52,42 @@ sub load { |
763 | + |
764 | + |
765 | + sub convert { |
766 | +- my $self = shift; |
767 | ++ use Crypt::OpenSSL::RSA; |
768 | + |
769 | +- # Use different libs subject to key type. |
770 | +- if ( $self->{'TYPE'} eq 'rsa' ) { |
771 | +- use Crypt::OpenSSL::RSA; |
772 | +- } |
773 | +- elsif ( $self->{'TYPE'} eq 'ed25519' ) { |
774 | +- use Crypt::PK::Ed25519; |
775 | +- } |
776 | ++ my $self = shift; |
777 | + |
778 | + $self->data |
779 | + or return; |
780 | + |
781 | +- if ( $self->{'TYPE'} eq 'rsa' ) { |
782 | +- |
783 | +- # have to PKCS1ify the privkey because openssl is too finicky... |
784 | +- my $pkcs = "-----BEGIN RSA PRIVATE KEY-----\n"; |
785 | +- |
786 | +- for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) { |
787 | +- $pkcs .= substr $self->data, $i, 64; |
788 | +- $pkcs .= "\n"; |
789 | +- } |
790 | +- |
791 | +- $pkcs .= "-----END RSA PRIVATE KEY-----\n"; |
792 | +- |
793 | +- my $cork; |
794 | +- |
795 | +- eval { |
796 | +- local $SIG{__DIE__}; |
797 | +- $cork = new_private_key Crypt::OpenSSL::RSA($pkcs); |
798 | +- 1 |
799 | +- } || do { |
800 | +- $self->errorstr($@); |
801 | +- return; |
802 | +- }; |
803 | +- |
804 | +- $cork |
805 | +- or return; |
806 | +- |
807 | +- # segfaults on my machine |
808 | +- # $cork->check_key or |
809 | +- # return; |
810 | +- |
811 | +- $self->cork($cork); |
812 | ++ # have to PKCS1ify the privkey because openssl is too finicky... |
813 | ++ my $pkcs = "-----BEGIN RSA PRIVATE KEY-----\n"; |
814 | + |
815 | ++ for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) { |
816 | ++ $pkcs .= substr $self->data, $i, 64; |
817 | ++ $pkcs .= "\n"; |
818 | + } |
819 | +- elsif ( $self->{'TYPE'} eq 'ed25519' ) { |
820 | +- my $cork; |
821 | + |
822 | +- eval { |
823 | +- local $SIG{__DIE__}; |
824 | +- $cork = new Crypt::PK::Ed25519; |
825 | ++ $pkcs .= "-----END RSA PRIVATE KEY-----\n"; |
826 | + |
827 | +- # Prepend/append with PEM boilerplate |
828 | +- my $pem = "-----BEGIN ED25519 PRIVATE KEY-----\n"; |
829 | +- $pem .= $self->data; |
830 | +- $pem .= "\n"; |
831 | +- $pem .= "-----END ED25519 PRIVATE KEY-----\n"; |
832 | ++ my $cork; |
833 | + |
834 | +- # Pass PEM text buffer |
835 | +- $cork->import_key(\$pem) |
836 | +- or die 'failed to load Ed25519 private key'; |
837 | ++ eval { |
838 | ++ local $SIG{__DIE__}; |
839 | ++ $cork = new_private_key Crypt::OpenSSL::RSA($pkcs); |
840 | ++ 1 |
841 | ++ } || do { |
842 | ++ $self->errorstr($@); |
843 | ++ return; |
844 | ++ }; |
845 | + |
846 | +- # Alternatively, import_raw_key() could be used, |
847 | +- # but requires the 32-byte key, which must be extracted |
848 | +- # from the ASN.1 structure first. |
849 | +- |
850 | +- 1 |
851 | +- } || do { |
852 | +- $self->errorstr($@); |
853 | +- return; |
854 | +- }; |
855 | +- |
856 | +- $cork |
857 | +- or return; |
858 | ++ $cork |
859 | ++ or return; |
860 | + |
861 | +- $self->cork($cork); |
862 | ++ # segfaults on my machine |
863 | ++ # $cork->check_key or |
864 | ++ # return; |
865 | + |
866 | +- } |
867 | ++ $self->cork($cork); |
868 | + |
869 | + return 1; |
870 | + } |
871 | +@@ -155,27 +112,12 @@ sub sign_digest { |
872 | + my $self = shift; |
873 | + my ( $digest_algorithm, $digest ) = @_; |
874 | + |
875 | +- if ( $self->{'TYPE'} eq 'rsa') { |
876 | +- |
877 | +- my $rsa_priv = $self->cork; |
878 | +- $rsa_priv->use_no_padding; |
879 | +- |
880 | +- my $k = $rsa_priv->size; |
881 | +- my $EM = calculate_EM( $digest_algorithm, $digest, $k ); |
882 | +- return $rsa_priv->decrypt($EM); |
883 | ++ my $rsa_priv = $self->cork; |
884 | ++ $rsa_priv->use_no_padding; |
885 | + |
886 | +- } |
887 | +- elsif ( $self->{'TYPE'} eq 'ed25519') { |
888 | +- |
889 | +- my $ed = $self->cork; |
890 | +- if ( !$ed ) { |
891 | +- $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem'; |
892 | +- die; |
893 | +- } |
894 | +- |
895 | +- return $ed->sign_message($digest); |
896 | +- |
897 | +- } |
898 | ++ my $k = $rsa_priv->size; |
899 | ++ my $EM = calculate_EM( $digest_algorithm, $digest, $k ); |
900 | ++ return $rsa_priv->decrypt($EM); |
901 | + } |
902 | + |
903 | + __END__ |
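Review bot: The RSA-only `sign_digest` calls `$rsa_priv->use_no_padding` on whatever `$self->cork` returns without checking that a key object exists, while the Ed25519 branch being removed tested `if ( !$ed )` first. With this patch `convert` wraps every key file in `BEGIN RSA PRIVATE KEY` armour and returns early after `errorstr` when loading fails, so an Ed25519 key file left in a configuration is a likely way to get here with no cork. A guard such as `$rsa_priv or die ...` that reports `errorstr` would give a clear message instead of a method call on an undefined value.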
904 | +diff --git a/lib/Mail/DKIM/PublicKey.pm b/lib/Mail/DKIM/PublicKey.pm |
905 | +index dce1736..b7b2a49 100644 |
906 | +--- a/lib/Mail/DKIM/PublicKey.pm |
907 | ++++ b/lib/Mail/DKIM/PublicKey.pm |
908 | +@@ -285,10 +285,9 @@ sub convert { |
909 | + # Use different libs subject to k= tag. |
910 | + # Without k= tag, default to RSA to maintain prior behavior |
911 | + my $k = $self->get_tag('k') || 'rsa'; |
912 | +- if ( $k eq 'rsa' ) { |
913 | ++ if ($k eq 'rsa') { |
914 | + use Crypt::OpenSSL::RSA; |
915 | +- } |
916 | +- elsif ( $k eq 'ed25519' ) { |
917 | ++ } elsif ($k eq 'ed25519') { |
918 | + use Crypt::PK::Ed25519; |
919 | + use MIME::Base64; |
920 | + } |
921 | +@@ -296,7 +295,7 @@ sub convert { |
922 | + $self->data |
923 | + or return; |
924 | + |
925 | +- if ( $k eq 'rsa' ) { |
926 | ++ if ($k eq 'rsa') { |
927 | + # have to PKCS1ify the pubkey because openssl is too finicky... |
928 | + my $cert = "-----BEGIN PUBLIC KEY-----\n"; |
929 | + |
930 | +@@ -316,8 +315,7 @@ sub convert { |
931 | + |
932 | + $self->cork($cork); |
933 | + |
934 | +- } |
935 | +- elsif ( $k eq 'ed25519' ) { |
936 | ++ } elsif ($k eq 'ed25519') { |
937 | + my $cork = Crypt::PK::Ed25519->new |
938 | + or die 'unable to generate Ed25519 public key object'; |
939 | + |
940 | +@@ -492,9 +490,7 @@ sub verify_digest { |
941 | + |
942 | + $@ = 'bad Ed25519 signature'; |
943 | + return; |
944 | +- |
945 | + } |
946 | +- |
947 | + } |
948 | + |
949 | + 1; |
950 | +diff --git a/lib/Mail/DKIM/Signer.pm b/lib/Mail/DKIM/Signer.pm |
951 | +index 24b5285..b1d751a 100644 |
952 | +--- a/lib/Mail/DKIM/Signer.pm |
953 | ++++ b/lib/Mail/DKIM/Signer.pm |
954 | +@@ -61,21 +61,16 @@ sub init { |
955 | + my $self = shift; |
956 | + $self->SUPER::init; |
957 | + |
958 | ++ if ( defined $self->{KeyFile} ) { |
959 | ++ $self->{Key} ||= |
960 | ++ Mail::DKIM::PrivateKey->load( File => $self->{KeyFile} ); |
961 | ++ } |
962 | ++ |
963 | + unless ( $self->{'Algorithm'} ) { |
964 | + |
965 | + # use default algorithm |
966 | + $self->{'Algorithm'} = 'rsa-sha1'; |
967 | + } |
968 | +- |
969 | +- my $type = 'rsa'; # default |
970 | +- $type = 'ed25519' if ( $self->{'Algorithm'} =~ /^ed25519/ ); |
971 | +- |
972 | +- if ( defined $self->{KeyFile} ) { |
973 | +- $self->{Key} ||= |
974 | +- Mail::DKIM::PrivateKey->load( File => $self->{KeyFile}, |
975 | +- Type => $type ); |
976 | +- } |
977 | +- |
978 | + unless ( $self->{'Method'} ) { |
979 | + |
980 | + # use default canonicalization method |
981 | +@@ -91,7 +86,6 @@ sub init { |
982 | + # use default selector |
983 | + $self->{'Selector'} = 'unknown'; |
984 | + } |
985 | +- |
986 | + } |
987 | + |
988 | + sub finish_header { |
989 | +diff --git a/t/signer.t b/t/signer.t |
990 | +index 7cc4738..203a671 100755 |
991 | +--- a/t/signer.t |
992 | ++++ b/t/signer.t |
993 | +@@ -2,7 +2,7 @@ |
994 | + |
995 | + use strict; |
996 | + use warnings; |
997 | +-use Test::Simple tests => 35; |
998 | ++use Test::Simple tests => 31; |
999 | + |
1000 | + use Mail::DKIM::Signer; |
1001 | + |
1002 | +@@ -238,55 +238,3 @@ END_OF_SAMPLE |
1003 | + ok( $sigstr =~ /subject/i, "subject was signed" ); |
1004 | + ok( $sigstr =~ /from/i, "from was signed" ); |
1005 | + } |
1006 | +- |
1007 | +-{ |
1008 | +- my $EXPECTED_RE = qr/4goHxydMueA3ev5toKlGLc7sUrwPG/; |
1009 | +- |
1010 | +- my $tdir = -f "t/test.ed.key" ? "t" : "."; |
1011 | +- my $keyfile = "$tdir/test.ed.key"; |
1012 | +- my $dkim = Mail::DKIM::Signer->new( |
1013 | +- Algorithm => "ed25519-sha256", |
1014 | +- Method => "relaxed", |
1015 | +- Domain => "example.org", |
1016 | +- Selector => "test", |
1017 | +- KeyFile => $keyfile |
1018 | +- ); |
1019 | +- ok( $dkim, "new() works" ); |
1020 | +- |
1021 | +- my $sample_email = <<END_OF_SAMPLE; |
1022 | +-From: alice <alice\@example.org> |
1023 | +-Date: Wed, 12 May 2023 14:00:00 +0200 |
1024 | +-Subject: ed25519 |
1025 | +- |
1026 | +-this is an elliptic test. |
1027 | +-END_OF_SAMPLE |
1028 | +- $sample_email =~ s/\n/\015\012/gs; |
1029 | +- |
1030 | +- $dkim->PRINT($sample_email); |
1031 | +- $dkim->CLOSE; |
1032 | +- |
1033 | +- my $signature = $dkim->signature; |
1034 | +- ok( $signature, "signature() works" ); |
1035 | +- |
1036 | +- print "# signature=" . $signature->as_string . "\n"; |
1037 | +- ok( $signature->as_string =~ /$EXPECTED_RE/, "got expected signature value" ); |
1038 | +- |
1039 | +- # Modify sample email and sign again |
1040 | +- |
1041 | +- $sample_email =~ s/Wed, 12/Tue, 11/; |
1042 | +- $dkim = Mail::DKIM::Signer->new( |
1043 | +- Algorithm => "ed25519-sha256", |
1044 | +- Method => "relaxed", |
1045 | +- Domain => "example.org", |
1046 | +- Selector => "test", |
1047 | +- KeyFile => $keyfile |
1048 | +- ); |
1049 | +- $dkim->PRINT($sample_email); |
1050 | +- $dkim->CLOSE; |
1051 | +- |
1052 | +- $signature = $dkim->signature; |
1053 | +- |
1054 | +- print "# signature=" . $signature->as_string . "\n"; |
1055 | +- ok( $signature->as_string !~ /$EXPECTED_RE/, "got expected signature mismatch" ); |
1056 | +- |
1057 | +-} |
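Review bot: No negative test replaces the Ed25519 block removed from t/signer.t, so nothing checks what happens when a caller still asks for `Algorithm => "ed25519-sha256"`. The plan change from 35 to 31 matches the four `ok()` calls deleted, which is fine. A short case that builds a signer with that algorithm and asserts it fails with a clear error would document the behaviour users get while the algorithm is disabled in this package.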
1058 | +diff --git a/t/test.ed.key b/t/test.ed.key |
1059 | +deleted file mode 100644 |
1060 | +index 8e3a9d3..0000000 |
1061 | +--- a/t/test.ed.key |
1062 | ++++ /dev/null |
1063 | +@@ -1,3 +0,0 @@ |
1064 | +------BEGIN PRIVATE KEY----- |
1065 | +-MC4CAQAwBQYDK2VwBCIEIBNq8eB74GQ0uhob9AKDiQFK2vPZy3Rpqw6ec66p3A+m |
1066 | +------END PRIVATE KEY----- |
1067 | +-- |
1068 | +2.40.1 |
1069 | + |
1070 | diff --git a/debian/patches/0005-Revert-added-support-for-verifying-Ed25519-signature.patch b/debian/patches/0005-Revert-added-support-for-verifying-Ed25519-signature.patch |
1071 | new file mode 100644 |
1072 | index 0000000..5f2b978 |
1073 | --- /dev/null |
1074 | +++ b/debian/patches/0005-Revert-added-support-for-verifying-Ed25519-signature.patch |
1075 | @@ -0,0 +1,578 @@ |
1076 | +From 007bf781b0efd2f9f41cd6c259ad02fb488337c6 Mon Sep 17 00:00:00 2001 |
1077 | +From: Miriam Espana Acebal <miriam.espana@canonical.com> |
1078 | +Date: Fri, 16 Feb 2024 13:17:00 +0100 |
1079 | +Subject: [PATCH 5/5] Revert "added support for *verifying* Ed25519 signatures |
1080 | + (depends on Crypt::PK::Ed25519)." |
1081 | + |
1082 | +This reverts commit 3aa592be9bff03672e229a7e70abef0a5b302ce7. |
1083 | +--- |
1084 | + HACKING.DKIM | 9 +- |
1085 | + README.md | 1 - |
1086 | + lib/Mail/DKIM/Algorithm/ed25519_sha256.pm | 121 --------------------- |
1087 | + lib/Mail/DKIM/PublicKey.pm | 127 +++++++--------------- |
1088 | + lib/Mail/DKIM/Signature.pm | 11 +- |
1089 | + lib/Mail/DKIM/Verifier.pm | 17 +-- |
1090 | + t/FAKE_DNS.dat | 2 - |
1091 | + t/corpus/badkey1_ed25519.txt | 16 --- |
1092 | + t/corpus/badkey2_ed25519.txt | 16 --- |
1093 | + t/corpus/badkey3_ed25519.txt | 16 --- |
1094 | + t/corpus/goodkey_ed25519.txt | 16 --- |
1095 | + t/verifier.t | 8 +- |
1096 | + 12 files changed, 57 insertions(+), 303 deletions(-) |
1097 | + delete mode 100644 lib/Mail/DKIM/Algorithm/ed25519_sha256.pm |
1098 | + delete mode 100644 t/corpus/badkey1_ed25519.txt |
1099 | + delete mode 100644 t/corpus/badkey2_ed25519.txt |
1100 | + delete mode 100644 t/corpus/badkey3_ed25519.txt |
1101 | + delete mode 100644 t/corpus/goodkey_ed25519.txt |
1102 | + |
1103 | +diff --git a/HACKING.DKIM b/HACKING.DKIM |
1104 | +index 9d8354a..e21ab49 100644 |
1105 | +--- a/HACKING.DKIM |
1106 | ++++ b/HACKING.DKIM |
1107 | +@@ -30,18 +30,11 @@ New version - update version numbers in these files: |
1108 | + New algorithm: |
1109 | + create new algorithm class by copying and editing |
1110 | + lib/Mail/DKIM/Algorithm/rsa_sha1.pm |
1111 | +- edit lib/Mail/DKIM/Signature.pm: |
1112 | ++ edit lib/Mail/DKIM/Common.pm: |
1113 | + get_algorithm_class() - add a check for your new algorithm and return |
1114 | + the name of your new algorithm class |
1115 | + add a "use" line at the top of this file so that your algorithm class |
1116 | + gets imported |
1117 | +- if the new algorithm uses a different key type (k=), also edit |
1118 | +- lib/Mail/DKIM/PublicKey.pm: |
1119 | +- check() |
1120 | +- convert() |
1121 | +- verify_digest() |
1122 | +- lib/Mail/DKIM/Verifier.pm: |
1123 | +- _check_and_verify_signature() |
1124 | + |
1125 | + -- |
1126 | + |
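Review bot: The "New algorithm" instructions in HACKING.DKIM go back to naming lib/Mail/DKIM/Common.pm as the file to edit for `get_algorithm_class()`, while this patch's own diffstat modifies lib/Mail/DKIM/Signature.pm. Please check where `get_algorithm_class()` lives in the packaged version. If it is in Signature.pm, keep that one line of the newer text and revert only the paragraph about the `k=` key type.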
1127 | +diff --git a/README.md b/README.md |
1128 | +index 5b937a9..cf1dd52 100644 |
1129 | +--- a/README.md |
1130 | ++++ b/README.md |
1131 | +@@ -30,7 +30,6 @@ DEPENDENCIES |
1132 | + This module requires these other modules and libraries: |
1133 | + |
1134 | + Crypt::OpenSSL::RSA |
1135 | +- Crypt::PK::Ed25519 |
1136 | + Digest::SHA |
1137 | + Mail::Address (part of the MailTools package) |
1138 | + MIME::Base64 |
1139 | +diff --git a/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm b/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm |
1140 | +deleted file mode 100644 |
1141 | +index d97deeb..0000000 |
1142 | +--- a/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm |
1143 | ++++ /dev/null |
1144 | +@@ -1,121 +0,0 @@ |
1145 | +-package Mail::DKIM::Algorithm::ed25519_sha256; |
1146 | +-use strict; |
1147 | +-use warnings; |
1148 | +-# VERSION |
1149 | +-# ABSTRACT: edd2519 sha256 algorithm class |
1150 | +- |
1151 | +-# Copyright 2005-2006 Messiah College. All rights reserved. |
1152 | +-# Jason Long <jlong@messiah.edu> |
1153 | +- |
1154 | +-# Copyright (c) 2004 Anthony D. Urso. All rights reserved. |
1155 | +-# This program is free software; you can redistribute it and/or |
1156 | +-# modify it under the same terms as Perl itself. |
1157 | +- |
1158 | +-use base 'Mail::DKIM::Algorithm::Base'; |
1159 | +-use Carp; |
1160 | +-use MIME::Base64; |
1161 | +-use Digest::SHA; |
1162 | +- |
1163 | +-sub init_digests { |
1164 | +- my $self = shift; |
1165 | +- |
1166 | +- # initialize a SHA-256 Digest |
1167 | +- $self->{header_digest} = new Digest::SHA(256); |
1168 | +- $self->{body_digest} = new Digest::SHA(256); |
1169 | +-} |
1170 | +- |
1171 | +-sub sign { |
1172 | +- my $self = shift; |
1173 | +- croak 'wrong number of arguments' unless ( @_ == 1 ); |
1174 | +- my ($private_key) = @_; |
1175 | +- |
1176 | +- my $digest = $self->{header_digest}->digest; |
1177 | +- my $signature = $private_key->sign_digest( 'SHA-256', $digest ); |
1178 | +- |
1179 | +- return encode_base64( $signature, '' ); |
1180 | +-} |
1181 | +- |
1182 | +-sub verify { |
1183 | +- my $self = shift; |
1184 | +- croak 'wrong number of arguments' unless ( @_ == 0 ); |
1185 | +- |
1186 | +- my $base64 = $self->signature->data; |
1187 | +- my $public_key = $self->signature->get_public_key; |
1188 | +- |
1189 | +- my $digest = $self->{header_digest}->digest; |
1190 | +- my $sig = decode_base64($base64); |
1191 | +- |
1192 | +- return unless $public_key->verify_digest( 'SHA-256', $digest, $sig ); |
1193 | +- return $self->check_body_hash; |
1194 | +-} |
1195 | +- |
1196 | +-sub wants_pre_signature_headers { |
1197 | +- return 1; |
1198 | +-} |
1199 | +- |
1200 | +-1; |
1201 | +- |
1202 | +-__END__ |
1203 | +- |
1204 | +-=pod |
1205 | +- |
1206 | +-=encoding UTF-8 |
1207 | +- |
1208 | +-=head1 NAME |
1209 | +- |
1210 | +-Mail::DKIM::Algorithm::ed25519_sha256 - ed25519 sha256 algorithm class |
1211 | +- |
1212 | +-=head1 VERSION |
1213 | +- |
1214 | +-version 1.20240124 |
1215 | +- |
1216 | +-=head1 AUTHORS |
1217 | +- |
1218 | +-=over 4 |
1219 | +- |
1220 | +-=item * |
1221 | +- |
1222 | +-Jason Long <jason@long.name> |
1223 | +- |
1224 | +-=item * |
1225 | +- |
1226 | +-Marc Bradshaw <marc@marcbradshaw.net> |
1227 | +- |
1228 | +-=item * |
1229 | +- |
1230 | +-Bron Gondwana <brong@fastmailteam.com> (ARC) |
1231 | +- |
1232 | +-=back |
1233 | +- |
1234 | +-=head1 THANKS |
1235 | +- |
1236 | +-Work on ensuring that this module passes the ARC test suite was |
1237 | +-generously sponsored by Valimail (https://www.valimail.com/) |
1238 | +- |
1239 | +-=head1 COPYRIGHT AND LICENSE |
1240 | +- |
1241 | +-=over 4 |
1242 | +- |
1243 | +-=item * |
1244 | +- |
1245 | +-Copyright (C) 2013 by Messiah College |
1246 | +- |
1247 | +-=item * |
1248 | +- |
1249 | +-Copyright (C) 2010 by Jason Long |
1250 | +- |
1251 | +-=item * |
1252 | +- |
1253 | +-Copyright (C) 2017 by Standcore LLC |
1254 | +- |
1255 | +-=item * |
1256 | +- |
1257 | +-Copyright (C) 2020 by FastMail Pty Ltd |
1258 | +- |
1259 | +-=back |
1260 | +- |
1261 | +-This library is free software; you can redistribute it and/or modify |
1262 | +-it under the same terms as Perl itself, either Perl version 5.8.6 or, |
1263 | +-at your option, any later version of Perl 5 you may have available. |
1264 | +- |
1265 | +-=cut |
1266 | +diff --git a/lib/Mail/DKIM/PublicKey.pm b/lib/Mail/DKIM/PublicKey.pm |
1267 | +index b7b2a49..0080c67 100644 |
1268 | +--- a/lib/Mail/DKIM/PublicKey.pm |
1269 | ++++ b/lib/Mail/DKIM/PublicKey.pm |
1270 | +@@ -25,7 +25,7 @@ sub new { |
1271 | + $self->{'GRAN'} = $prms{'Granularity'}; |
1272 | + $self->{'NOTE'} = $prms{'Note'}; |
1273 | + $self->{'TEST'} = $prms{'Testing'}; |
1274 | +- #$self->{'TYPE'} = ( $prms{'Type'} or 'rsa' ); # unused |
1275 | ++ $self->{'TYPE'} = ( $prms{'Type'} or 'rsa' ); |
1276 | + $self->{'DATA'} = $prms{'Data'}; |
1277 | + |
1278 | + bless $self, $type; |
1279 | +@@ -130,7 +130,7 @@ sub check { |
1280 | + |
1281 | + # check key type |
1282 | + if ( my $k = $self->get_tag('k') ) { |
1283 | +- unless ( $k eq 'rsa' || $k eq 'ed25519' ) { |
1284 | ++ unless ( $k eq 'rsa' ) { |
1285 | + die "unsupported key type\n"; |
1286 | + } |
1287 | + } |
1288 | +@@ -162,9 +162,6 @@ sub check { |
1289 | + elsif ( $E =~ /^(panic:.*?) at / ) { |
1290 | + $E = "OpenSSL $1"; |
1291 | + } |
1292 | +- elsif ( $E =~ /^FATAL: (.*) at / ) { |
1293 | +- $E = "Ed25519 $1"; |
1294 | +- } |
1295 | + die "$E\n"; |
1296 | + }; |
1297 | + |
1298 | +@@ -280,52 +277,31 @@ sub check_hash_algorithm { |
1299 | + # found in this public key's DNS record. The OpenSSL object is saved |
1300 | + # in the "cork" property. |
1301 | + sub convert { |
1302 | +- my $self = shift; |
1303 | ++ use Crypt::OpenSSL::RSA; |
1304 | + |
1305 | +- # Use different libs subject to k= tag. |
1306 | +- # Without k= tag, default to RSA to maintain prior behavior |
1307 | +- my $k = $self->get_tag('k') || 'rsa'; |
1308 | +- if ($k eq 'rsa') { |
1309 | +- use Crypt::OpenSSL::RSA; |
1310 | +- } elsif ($k eq 'ed25519') { |
1311 | +- use Crypt::PK::Ed25519; |
1312 | +- use MIME::Base64; |
1313 | +- } |
1314 | ++ my $self = shift; |
1315 | + |
1316 | + $self->data |
1317 | + or return; |
1318 | + |
1319 | +- if ($k eq 'rsa') { |
1320 | +- # have to PKCS1ify the pubkey because openssl is too finicky... |
1321 | +- my $cert = "-----BEGIN PUBLIC KEY-----\n"; |
1322 | +- |
1323 | +- for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) { |
1324 | +- $cert .= substr $self->data, $i, 64; |
1325 | +- $cert .= "\n"; |
1326 | +- } |
1327 | +- |
1328 | +- $cert .= "-----END PUBLIC KEY-----\n"; |
1329 | +- |
1330 | +- my $cork = Crypt::OpenSSL::RSA->new_public_key($cert) |
1331 | +- or die 'unable to generate public key object'; |
1332 | ++ # have to PKCS1ify the pubkey because openssl is too finicky... |
1333 | ++ my $cert = "-----BEGIN PUBLIC KEY-----\n"; |
1334 | + |
1335 | +- # segfaults on my machine |
1336 | +- # $cork->check_key or |
1337 | +- # return; |
1338 | +- |
1339 | +- $self->cork($cork); |
1340 | ++ for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) { |
1341 | ++ $cert .= substr $self->data, $i, 64; |
1342 | ++ $cert .= "\n"; |
1343 | ++ } |
1344 | + |
1345 | +- } elsif ($k eq 'ed25519') { |
1346 | +- my $cork = Crypt::PK::Ed25519->new |
1347 | +- or die 'unable to generate Ed25519 public key object'; |
1348 | ++ $cert .= "-----END PUBLIC KEY-----\n"; |
1349 | + |
1350 | +- my $keybin = decode_base64($self->data); |
1351 | +- $cork->import_key_raw($keybin, 'public') |
1352 | +- or die 'failed to load Ed25519 public key'; |
1353 | ++ my $cork = Crypt::OpenSSL::RSA->new_public_key($cert) |
1354 | ++ or die 'unable to generate public key object'; |
1355 | + |
1356 | +- $self->cork($cork); |
1357 | ++ # segfaults on my machine |
1358 | ++ # $cork->check_key or |
1359 | ++ # return; |
1360 | + |
1361 | +- } |
1362 | ++ $self->cork($cork); |
1363 | + |
1364 | + return 1; |
1365 | + } |
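Review bot: the restored convert() wraps the record data in a PEM block and calls `Crypt::OpenSSL::RSA->new_public_key($cert)` for every key without looking at `k=`, so it relies on the key-type test in check() having rejected non-RSA records first. Please confirm no caller reaches convert() without going through check(). On the need for the revert itself: the removed `use Crypt::PK::Ed25519;` sat inside an `elsif`, but `use` is resolved at compile time, so the module was loaded for RSA-only mail as well, and dropping the package dependency without this code change would break loading PublicKey.pm.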
1366 | +@@ -440,57 +416,38 @@ sub verify_digest { |
1367 | + my $self = shift; |
1368 | + my ( $digest_algorithm, $digest, $signature ) = @_; |
1369 | + |
1370 | +- my $k_tag = $self->get_tag('k') || 'rsa'; |
1371 | +- |
1372 | +- if ($k_tag eq 'rsa') { |
1373 | +- my $rsa_pub = $self->cork; |
1374 | +- if ( !$rsa_pub ) { |
1375 | +- $@ = $@ ne '' ? "RSA failed: $@" : 'RSA unknown problem'; |
1376 | +- $@ .= ", s=$self->{Selector} d=$self->{Domain}"; |
1377 | +- return; |
1378 | +- } |
1379 | +- |
1380 | +- $rsa_pub->use_no_padding; |
1381 | +- my $verify_result = $rsa_pub->encrypt($signature); |
1382 | +- |
1383 | +- my $k = $rsa_pub->size; |
1384 | +- my $expected = calculate_EM( $digest_algorithm, $digest, $k ); |
1385 | +- return 1 if ( $verify_result eq $expected ); |
1386 | +- |
1387 | +- # well, the RSA verification failed; I wonder if the RSA signing |
1388 | +- # was performed on a different digest value? I think we can check... |
1389 | +- |
1390 | +- # basically, if the $verify_result has the same prefix as $expected, |
1391 | +- # then only the digest was different |
1392 | +- |
1393 | +- my $digest_len = length $digest; |
1394 | +- my $prefix_len = length($expected) - $digest_len; |
1395 | +- if ( |
1396 | +- substr( $verify_result, 0, $prefix_len ) eq |
1397 | +- substr( $expected, 0, $prefix_len ) ) |
1398 | +- { |
1399 | +- $@ = 'message has been altered'; |
1400 | +- return; |
1401 | +- } |
1402 | +- |
1403 | +- $@ = 'bad RSA signature'; |
1404 | ++ my $rsa_pub = $self->cork; |
1405 | ++ if ( !$rsa_pub ) { |
1406 | ++ $@ = $@ ne '' ? "RSA failed: $@" : 'RSA unknown problem'; |
1407 | ++ $@ .= ", s=$self->{Selector} d=$self->{Domain}"; |
1408 | + return; |
1409 | ++ } |
1410 | + |
1411 | +- } elsif ($k_tag eq 'ed25519') { |
1412 | ++ $rsa_pub->use_no_padding; |
1413 | ++ my $verify_result = $rsa_pub->encrypt($signature); |
1414 | + |
1415 | +- my $ed = $self->cork; |
1416 | +- if ( !$ed ) { |
1417 | +- $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem'; |
1418 | +- $@ .= ", s=$self->{Selector} d=$self->{Domain}"; |
1419 | +- return; |
1420 | +- } |
1421 | ++ my $k = $rsa_pub->size; |
1422 | ++ my $expected = calculate_EM( $digest_algorithm, $digest, $k ); |
1423 | ++ return 1 if ( $verify_result eq $expected ); |
1424 | + |
1425 | +- my $verify_result = $ed->verify_message($signature, $digest); |
1426 | +- return $verify_result if ($verify_result == 1); |
1427 | ++ # well, the RSA verification failed; I wonder if the RSA signing |
1428 | ++ # was performed on a different digest value? I think we can check... |
1429 | + |
1430 | +- $@ = 'bad Ed25519 signature'; |
1431 | ++ # basically, if the $verify_result has the same prefix as $expected, |
1432 | ++ # then only the digest was different |
1433 | ++ |
1434 | ++ my $digest_len = length $digest; |
1435 | ++ my $prefix_len = length($expected) - $digest_len; |
1436 | ++ if ( |
1437 | ++ substr( $verify_result, 0, $prefix_len ) eq |
1438 | ++ substr( $expected, 0, $prefix_len ) ) |
1439 | ++ { |
1440 | ++ $@ = 'message has been altered'; |
1441 | + return; |
1442 | + } |
1443 | ++ |
1444 | ++ $@ = 'bad RSA signature'; |
1445 | ++ return; |
1446 | + } |
1447 | + |
1448 | + 1; |
1449 | +diff --git a/lib/Mail/DKIM/Signature.pm b/lib/Mail/DKIM/Signature.pm |
1450 | +index 7beb5e9..0504329 100644 |
1451 | +--- a/lib/Mail/DKIM/Signature.pm |
1452 | ++++ b/lib/Mail/DKIM/Signature.pm |
1453 | +@@ -14,7 +14,6 @@ our $VERSION = '1.20240124'; # VERSION |
1454 | + use Mail::DKIM::PublicKey; |
1455 | + use Mail::DKIM::Algorithm::rsa_sha1; |
1456 | + use Mail::DKIM::Algorithm::rsa_sha256; |
1457 | +-use Mail::DKIM::Algorithm::ed25519_sha256; |
1458 | + |
1459 | + use base 'Mail::DKIM::KeyValueList'; |
1460 | + use Carp; |
1461 | +@@ -83,6 +82,14 @@ sub wantheader { |
1462 | + return; |
1463 | + } |
1464 | + |
1465 | ++=head2 algorithm() - get or set the algorithm (a=) field |
1466 | ++ |
1467 | ++The algorithm used to generate the signature. Should be either "rsa-sha1", |
1468 | ++an RSA-signed SHA-1 digest, or "rsa-sha256", an RSA-signed SHA-256 digest. |
1469 | ++ |
1470 | ++See also hash_algorithm(). |
1471 | ++ |
1472 | ++=cut |
1473 | + |
1474 | + sub algorithm { |
1475 | + my $self = shift; |
1476 | +@@ -343,7 +350,6 @@ sub get_algorithm_class { |
1477 | + my $class = |
1478 | + $algorithm eq 'rsa-sha1' ? 'Mail::DKIM::Algorithm::rsa_sha1' |
1479 | + : $algorithm eq 'rsa-sha256' ? 'Mail::DKIM::Algorithm::rsa_sha256' |
1480 | +- : $algorithm eq 'ed25519-sha256' ? 'Mail::DKIM::Algorithm::ed25519_sha256' |
1481 | + : undef; |
1482 | + return $class; |
1483 | + } |
1484 | +@@ -426,7 +432,6 @@ sub hash_algorithm { |
1485 | + return |
1486 | + $algorithm eq 'rsa-sha1' ? 'sha1' |
1487 | + : $algorithm eq 'rsa-sha256' ? 'sha256' |
1488 | +- : $algorithm eq 'ed25519-sha256' ? 'sha256' |
1489 | + : undef; |
1490 | + } |
1491 | + |
1492 | +diff --git a/lib/Mail/DKIM/Verifier.pm b/lib/Mail/DKIM/Verifier.pm |
1493 | +index 8dfa65b..c1ca743 100644 |
1494 | +--- a/lib/Mail/DKIM/Verifier.pm |
1495 | ++++ b/lib/Mail/DKIM/Verifier.pm |
1496 | +@@ -348,15 +348,11 @@ sub _check_and_verify_signature { |
1497 | + return ( 'invalid', $self->{signature_reject_reason} ); |
1498 | + } |
1499 | + |
1500 | +- # special handling for RSA signatures |
1501 | +- my $k = $pkey->get_tag('k') || 'rsa'; |
1502 | +- if ($k eq 'rsa') { |
1503 | +- # make sure key is big enough |
1504 | +- my $keysize = $pkey->cork->size * 8; # in bits |
1505 | +- if ( $keysize < 1024 && $self->{Strict} ) { |
1506 | +- $self->{signature_reject_reason} = "Key length $keysize too short"; |
1507 | +- return ( 'fail', $self->{signature_reject_reason} ); |
1508 | +- } |
1509 | ++ # make sure key is big enough |
1510 | ++ my $keysize = $pkey->cork->size * 8; # in bits |
1511 | ++ if ( $keysize < 1024 && $self->{Strict} ) { |
1512 | ++ $self->{signature_reject_reason} = "Key length $keysize too short"; |
1513 | ++ return ( 'fail', $self->{signature_reject_reason} ); |
1514 | + } |
1515 | + |
1516 | + # verify signature |
1517 | +@@ -377,9 +373,6 @@ sub _check_and_verify_signature { |
1518 | + elsif ( $E =~ /^(panic:.*?) at / ) { |
1519 | + $E = "OpenSSL $1"; |
1520 | + } |
1521 | +- elsif ( $E =~ /^FATAL: (.*) at / ) { |
1522 | +- $E = "Ed25519 $1"; |
1523 | +- } |
1524 | + $result = 'fail'; |
1525 | + $details = $E; |
1526 | + }; |
1527 | +diff --git a/t/FAKE_DNS.dat b/t/FAKE_DNS.dat |
1528 | +index 22e24da..e1683da 100644 |
1529 | +--- a/t/FAKE_DNS.dat |
1530 | ++++ b/t/FAKE_DNS.dat |
1531 | +@@ -24,5 +24,3 @@ foo._domainkey.vmt2.cis.att.net v=DKIM1; k=rsa; n=send%20comments%20to%20tony%4 |
1532 | + nonexistent._domainkey.messiah.edu NXDOMAIN |
1533 | + test3._domainkey.blackhole.messiah.edu ~~Query timed out~~ |
1534 | + test3._domainkey.blackhole2.messiah.edu ~~SERVFAIL~~ |
1535 | +-2023-05-ed25519._domainkey.wander.science v=DKIM1; k=ed25519; p=pP+YUyRjAvKha4Oc49KAY703oLUS1NLMEuGD3IHMKww= |
1536 | +-invalid._domainkey.wander.science v=DKIM1; k=ed25519; p=MCowBQYDK2VwAyEA3SUqa9UbfciWkk7tlcJ9P1VD5pXAasg0JUn/OgjVbKE= |
1537 | +diff --git a/t/corpus/badkey1_ed25519.txt b/t/corpus/badkey1_ed25519.txt |
1538 | +deleted file mode 100644 |
1539 | +index 48dca6c..0000000 |
1540 | +--- a/t/corpus/badkey1_ed25519.txt |
1541 | ++++ /dev/null |
1542 | +@@ -1,16 +0,0 @@ |
1543 | +-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; |
1544 | +- d=wander.science; s=invalid; h=Subject:Content-Transfer-Encoding: |
1545 | +- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References: |
1546 | +- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s |
1547 | +- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg |
1548 | +- ==; |
1549 | +-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science> |
1550 | +-Date: Wed, 10 May 2023 21:54:21 +0200 |
1551 | +-MIME-Version: 1.0 |
1552 | +-To: echo@mail.town |
1553 | +-From: mail@wander.science |
1554 | +-Content-Type: text/plain; charset=UTF-8; format=flowed |
1555 | +-Content-Transfer-Encoding: 7bit |
1556 | +-Subject: Test ed25519 |
1557 | +- |
1558 | +-The public key is invalid (wrong key length). |
1559 | +diff --git a/t/corpus/badkey2_ed25519.txt b/t/corpus/badkey2_ed25519.txt |
1560 | +deleted file mode 100644 |
1561 | +index bbb0d6b..0000000 |
1562 | +--- a/t/corpus/badkey2_ed25519.txt |
1563 | ++++ /dev/null |
1564 | +@@ -1,16 +0,0 @@ |
1565 | +-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; |
1566 | +- d=wander.science; s=2023-05-ed25519; h=Subject:Content-Transfer-Encoding: |
1567 | +- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References: |
1568 | +- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s |
1569 | +- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg |
1570 | +- ==; |
1571 | +-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science> |
1572 | +-Date: Wed, 10 May 2023 21:54:21 +0200 |
1573 | +-MIME-Version: 1.0 |
1574 | +-To: echo@mail.town |
1575 | +-From: mail@wander.science |
1576 | +-Content-Type: text/plain; charset=UTF-8; format=flowed |
1577 | +-Content-Transfer-Encoding: 7bit |
1578 | +-Subject: Test ed25519 wrong signature - subject modified |
1579 | +- |
1580 | +-This is an elliptic test. |
1581 | +diff --git a/t/corpus/badkey3_ed25519.txt b/t/corpus/badkey3_ed25519.txt |
1582 | +deleted file mode 100644 |
1583 | +index 02ea252..0000000 |
1584 | +--- a/t/corpus/badkey3_ed25519.txt |
1585 | ++++ /dev/null |
1586 | +@@ -1,16 +0,0 @@ |
1587 | +-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; |
1588 | +- d=wander.science; s=2023-05-ed25519; h=Subject:Content-Transfer-Encoding: |
1589 | +- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References: |
1590 | +- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s |
1591 | +- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg |
1592 | +- ==; |
1593 | +-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science> |
1594 | +-Date: Wed, 10 May 2023 21:54:21 +0200 |
1595 | +-MIME-Version: 1.0 |
1596 | +-To: echo@mail.town |
1597 | +-From: mail@wander.science |
1598 | +-Content-Type: text/plain; charset=UTF-8; format=flowed |
1599 | +-Content-Transfer-Encoding: 7bit |
1600 | +-Subject: Test ed25519 |
1601 | +- |
1602 | +-Signature invalid - body modified. |
1603 | +diff --git a/t/corpus/goodkey_ed25519.txt b/t/corpus/goodkey_ed25519.txt |
1604 | +deleted file mode 100644 |
1605 | +index 42c2eb3..0000000 |
1606 | +--- a/t/corpus/goodkey_ed25519.txt |
1607 | ++++ /dev/null |
1608 | +@@ -1,16 +0,0 @@ |
1609 | +-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; |
1610 | +- d=wander.science; s=2023-05-ed25519; h=Subject:Content-Transfer-Encoding: |
1611 | +- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References: |
1612 | +- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s |
1613 | +- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg |
1614 | +- ==; |
1615 | +-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science> |
1616 | +-Date: Wed, 10 May 2023 21:54:21 +0200 |
1617 | +-MIME-Version: 1.0 |
1618 | +-To: echo@mail.town |
1619 | +-From: mail@wander.science |
1620 | +-Content-Type: text/plain; charset=UTF-8; format=flowed |
1621 | +-Content-Transfer-Encoding: 7bit |
1622 | +-Subject: Test ed25519 |
1623 | +- |
1624 | +-This is an elliptic test. |
1625 | +diff --git a/t/verifier.t b/t/verifier.t |
1626 | +index 90320d4..b1b1e28 100755 |
1627 | +--- a/t/verifier.t |
1628 | ++++ b/t/verifier.t |
1629 | +@@ -2,7 +2,7 @@ |
1630 | + |
1631 | + use strict; |
1632 | + use warnings; |
1633 | +-use Test::More tests => 109; |
1634 | ++use Test::More tests => 105; |
1635 | + |
1636 | + use Mail::DKIM::Verifier; |
1637 | + |
1638 | +@@ -162,12 +162,6 @@ test_email( "badkey_15.txt", "invalid" ); # dns error (SERVFAIL) |
1639 | + ok( $dkim->result_detail =~ /public key/, "detail mentions public key" ); |
1640 | + ok( $dkim->result_detail =~ /dns.*SERVFAIL/i, "type of dns failure" ); |
1641 | + |
1642 | +-# test ed25519 |
1643 | +-test_email( "goodkey_ed25519.txt", "pass" ); |
1644 | +-test_email( "badkey1_ed25519.txt", "invalid" ); # key has invalid length |
1645 | +-test_email( "badkey2_ed25519.txt", "fail" ); # header modified |
1646 | +-test_email( "badkey3_ed25519.txt", "fail" ); # body modified |
1647 | +- |
1648 | + sub read_file { |
1649 | + my $srcfile = shift; |
1650 | + open my $fh, "<", $srcfile |
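Review bot: the four removed `test_email( "..._ed25519.txt", ... )` calls match the plan change from 109 to 105, but nothing replaces them, so the suite no longer feeds an `a=ed25519-sha256` message to the verifier at all. Keeping one of the corpus messages together with its FAKE_DNS.dat record, and asserting the result the RSA-only verifier is expected to return for it, would pin down how unsupported signatures are reported and catch an unexpected die in that path.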
1651 | +-- |
1652 | +2.40.1 |
1653 | + |
1654 | diff --git a/debian/patches/0006-Revert-Debian-support-for-ed25519.patch b/debian/patches/0006-Revert-Debian-support-for-ed25519.patch |
1655 | new file mode 100644 |
1656 | index 0000000..1ae3d6d |
1657 | --- /dev/null |
1658 | +++ b/debian/patches/0006-Revert-Debian-support-for-ed25519.patch |
1659 | @@ -0,0 +1,93 @@ |
1660 | +From 2ff36de8102d340f4b2f25fc538891049af1692b Mon Sep 17 00:00:00 2001 |
1661 | +From: Miriam Espana Acebal <miriam.espana@canonical.com> |
1662 | +Date: Thu, 15 Feb 2024 16:50:10 +0100 |
1663 | +Subject: [PATCH] Revert-Debian-support-for-ed25519 |
1664 | + |
1665 | +Reverting partially commit b0358e44077951cabd3f27ad99473ef3bd778e67 from Debian, |
1666 | +just removing perl dependencies and files related to ed25519 in 1.20230630-1. |
1667 | +--- |
1668 | + MANIFEST | 7 ------- |
1669 | + META.json | 1 - |
1670 | + META.yml | 1 - |
1671 | + Makefile.PL | 2 -- |
1672 | + 4 files changed, 11 deletions(-) |
1673 | + |
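Review bot: the header of this new patch carries From, Date, Subject and a two-line description but none of the DEP-3 fields (Origin, Forwarded, Last-Update, a bug reference). Since it partially reverts Debian commit b0358e44077951cabd3f27ad99473ef3bd778e67 rather than an upstream change, please add at least `Forwarded: not-needed` and the tracking bug so the delta can be identified and dropped later. The Subject would also read better with spaces instead of hyphens.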
1674 | +diff --git a/MANIFEST b/MANIFEST |
1675 | +index edf3b5f..067c052 100644 |
1676 | +--- a/MANIFEST |
1677 | ++++ b/MANIFEST |
1678 | +@@ -23,7 +23,6 @@ lib/Mail/DKIM/ARC/Signer.pm |
1679 | + lib/Mail/DKIM/ARC/Verifier.pm |
1680 | + lib/Mail/DKIM/Algorithm/Base.pm |
1681 | + lib/Mail/DKIM/Algorithm/dk_rsa_sha1.pm |
1682 | +-lib/Mail/DKIM/Algorithm/ed25519_sha256.pm |
1683 | + lib/Mail/DKIM/Algorithm/rsa_sha1.pm |
1684 | + lib/Mail/DKIM/Algorithm/rsa_sha256.pm |
1685 | + lib/Mail/DKIM/AuthorDomainPolicy.pm |
1686 | +@@ -83,11 +82,6 @@ t/corpus/bad_dk_5.txt |
1687 | + t/corpus/bad_ietf01_1.txt |
1688 | + t/corpus/bad_ietf01_2.txt |
1689 | + t/corpus/bad_ietf01_3.txt |
1690 | +-t/corpus/badkey1_ed25519.txt |
1691 | +-t/corpus/badkey2_ed25519.txt |
1692 | +-t/corpus/badkey3_ed25519.txt |
1693 | +-t/corpus/badkey4_ed25519.txt |
1694 | +-t/corpus/badkey5_ed25519.txt |
1695 | + t/corpus/badkey_1.txt |
1696 | + t/corpus/badkey_10.txt |
1697 | + t/corpus/badkey_11.txt |
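Review bot: this hunk drops five `t/corpus/badkey*_ed25519.txt` entries from MANIFEST, while the file deletions in patch 0005 cover only badkey1, badkey2 and badkey3. Please confirm that badkey4_ed25519.txt and badkey5_ed25519.txt are deleted by one of the earlier patches in the series; otherwise they remain in the tree unlisted.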
1698 | +@@ -133,7 +127,6 @@ t/corpus/goodkey_1.txt |
1699 | + t/corpus/goodkey_2.txt |
1700 | + t/corpus/goodkey_3.txt |
1701 | + t/corpus/goodkey_4.txt |
1702 | +-t/corpus/goodkey_ed25519.txt |
1703 | + t/corpus/ignore_1.txt |
1704 | + t/corpus/ignore_2.txt |
1705 | + t/corpus/ignore_3.txt |
1706 | +diff --git a/META.json b/META.json |
1707 | +index 0491f11..557b36e 100644 |
1708 | +--- a/META.json |
1709 | ++++ b/META.json |
1710 | +@@ -31,7 +31,6 @@ |
1711 | + "requires" : { |
1712 | + "Carp" : "0", |
1713 | + "Crypt::OpenSSL::RSA" : "0", |
1714 | +- "Crypt::PK::Ed25519" : "0", |
1715 | + "Digest::SHA" : "0", |
1716 | + "MIME::Base64" : "0", |
1717 | + "Mail::Address" : "0", |
1718 | +diff --git a/META.yml b/META.yml |
1719 | +index 9a226c5..240ba76 100644 |
1720 | +--- a/META.yml |
1721 | ++++ b/META.yml |
1722 | +@@ -24,7 +24,6 @@ name: Mail-DKIM |
1723 | + requires: |
1724 | + Carp: '0' |
1725 | + Crypt::OpenSSL::RSA: '0' |
1726 | +- Crypt::PK::Ed25519: '0' |
1727 | + Digest::SHA: '0' |
1728 | + MIME::Base64: '0' |
1729 | + Mail::Address: '0' |
1730 | +diff --git a/Makefile.PL b/Makefile.PL |
1731 | +index d36be4e..43ab54e 100644 |
1732 | +--- a/Makefile.PL |
1733 | ++++ b/Makefile.PL |
1734 | +@@ -19,7 +19,6 @@ my %WriteMakefileArgs = ( |
1735 | + "PREREQ_PM" => { |
1736 | + "Carp" => 0, |
1737 | + "Crypt::OpenSSL::RSA" => 0, |
1738 | +- "Crypt::PK::Ed25519" => 0, |
1739 | + "Digest::SHA" => 0, |
1740 | + "MIME::Base64" => 0, |
1741 | + "Mail::Address" => 0, |
1742 | +@@ -50,7 +49,6 @@ my %WriteMakefileArgs = ( |
1743 | + my %FallbackPrereqs = ( |
1744 | + "Carp" => 0, |
1745 | + "Crypt::OpenSSL::RSA" => 0, |
1746 | +- "Crypt::PK::Ed25519" => 0, |
1747 | + "Data::Dumper" => 0, |
1748 | + "Digest::SHA" => 0, |
1749 | + "MIME::Base64" => 0, |
1750 | +-- |
1751 | +2.40.1 |
1752 | + |
1753 | diff --git a/debian/patches/series b/debian/patches/series |
1754 | new file mode 100644 |
1755 | index 0000000..6e5e0f9 |
1756 | --- /dev/null |
1757 | +++ b/debian/patches/series |
1758 | @@ -0,0 +1,6 @@ |
1759 | +0001-Revert-Ed25519-Add-test-for-missing-public-key.patch |
1760 | +0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch |
1761 | +0003-Revert-set-rsa-ed25519-type.patch |
1762 | +0004-Revert-added-ed25519-signing-support.patch |
1763 | +0005-Revert-added-support-for-verifying-Ed25519-signature.patch |
1764 | +0006-Revert-Debian-support-for-ed25519.patch |
I still have to go over this in more detail, but my first question (and sorry if I missed the answer somewhere) is about the reverse dependencies of libmail-dkim-perl:
$ apt-cache rdepends libmail-dkim-perl
libmail-dkim-perl
Reverse Depends:
sympa
amavisd-new
libmail-dmarc-perl
spamassassin
What about sympa and amavisd-new, do they indirectly rely on libcryptx-perl, or specifically, on the ed25519 code? Did you also rebuild these reverse dependencies, and their tests?