dkim 0.1.0 → 1.1.0

data/lib/dkim/signed_mail.rb

@@ -3,70 +3,50 @@ require 'openssl'
 require 'dkim/body'
 require 'dkim/dkim_header'
 require 'dkim/header'
-require 'dkim/header_list'
+require 'dkim/options'
+require 'dkim/canonicalized_headers'
 
 module Dkim
   class SignedMail
+    include Options
+
+    # A new instance of SignedMail
+    #
+    # @param [String,#to_s] message mail message to be signed
+    # @param [Hash] options hash of options for signing. Defaults are taken from {Dkim}. See {Options} for details.
     def initialize message, options={}
       message = message.to_s.gsub(/\r?\n/, "\r\n")
       headers, body = message.split(/\r?\n\r?\n/, 2)
-      @headers = HeaderList.new headers
+      @original_message = message
+      @headers = Header.parse headers
       @body    = Body.new body
 
-      @signable_headers  = options[:signable_headers]
-      @domain            = options[:domain]
-      @selector          = options[:selector]
-      @time              = options[:time]
-      @signing_algorithm = options[:signing_algorithm]
-      @private_key       = options[:private_key]
-      @header_canonicalization = options[:header_canonicalization]
-      @body_canonicalization   = options[:body_canonicalization]
+      # default options from Dkim.options
+      @options = Dkim.options.merge(options)
     end
 
-    # options for signatures
-    attr_writer :signing_algorithm, :signable_headers, :domain, :selector, :time, :header_canonicalization, :body_canonicalization
-
-    def private_key= key
-      key = OpenSSL::PKey::RSA.new(key) if key.is_a?(String)
-      @private_key = key
-    end
-    def private_key
-      @private_key || Dkim::private_key
-    end
-    def signing_algorithm
-      @signing_algorithm || Dkim::signing_algorithm
-    end
-    def signable_headers
-      @signable_headers || Dkim::signable_headers
-    end
-    def domain
-      @domain || Dkim::domain
-    end
-    def selector
-      @selector || Dkim::selector
-    end
-    def time
-      @time
-    end
-    def header_canonicalization
-      @header_canonicalization || Dkim::header_canonicalization
-    end
-    def body_canonicalization
-      @body_canonicalization || Dkim::body_canonicalization
+    def canonicalized_headers
+      CanonicalizedHeaders.new(@headers, signed_headers)
     end
 
+    # @return [Array<String>] lowercased names of headers in the order they are signed
     def signed_headers
-      (@headers.map(&:relaxed_key) & signable_headers.map(&:downcase)).sort
+      @headers.map(&:relaxed_key).select do |key|
+        signable_headers.map(&:downcase).include?(key)
+      end
     end
+
+    # @return [String] Signed headers of message in their canonical forms
     def canonical_header
-      headers = signed_headers.map do |key|
-        @headers[key].to_s(header_canonicalization) + "\r\n"
-      end.join
+      canonicalized_headers.to_s(header_canonicalization)
     end
+
+    # @return [String] Body of message in its canonical form
     def canonical_body
       @body.to_s(body_canonicalization)
     end
 
+    # @return [DkimHeader] Constructed signature for the mail message
     def dkim_header
       dkim_header = DkimHeader.new
 
@@ -79,41 +59,36 @@ module Dkim
       dkim_header['a'] = signing_algorithm
       dkim_header['c'] = "#{header_canonicalization}/#{body_canonicalization}"
       dkim_header['d'] = domain
+      dkim_header['i'] = identity if identity
       dkim_header['q'] = 'dns/txt'
       dkim_header['s'] = selector
       dkim_header['t'] = (time || Time.now).to_i
+      dkim_header['x'] = expire.to_i if expire
 
       # Add body hash and blank signature
-      dkim_header['bh']= base64_encode digest_alg.digest(canonical_body)
+      dkim_header['bh']= digest_alg.digest(canonical_body)
       dkim_header['h'] = signed_headers.join(':')
       dkim_header['b'] = ''
 
       # Calculate signature based on intermediate signature header
       headers = canonical_header
       headers << dkim_header.to_s(header_canonicalization)
-      signature = base64_encode private_key.sign(digest_alg, headers)
-      dkim_header['b'] = signature
+      dkim_header['b'] = private_key.sign(digest_alg, headers)
 
       dkim_header
     end
 
+    # @return [String] Message combined with calculated dkim header signature
     def to_s
-      # Return the original message with the calculated header
-      headers = @headers.to_a + [dkim_header]
-      headers.map(&:to_s).join("\r\n") +
-        "\r\n\r\n" +
-        @body.to_s
+      dkim_header.to_s + "\r\n" + @original_message
     end
 
     private
-    def base64_encode data
-      [data].pack('m0*').gsub("\n",'')
-    end
     def digest_alg
       case signing_algorithm
       when 'rsa-sha1'
         OpenSSL::Digest::SHA1.new
-      when 'rsa-sha256' 
+      when 'rsa-sha256'
         OpenSSL::Digest::SHA256.new
       else
         raise "Unknown digest algorithm: '#{signing_algorithm}'"

data/lib/dkim/tag_value_list.rb

@@ -0,0 +1,28 @@
+module Dkim
+  class TagValueList
+    def initialize values={}
+      @keys = values.keys
+      @values = values.dup
+    end
+    def to_s
+      @keys.map do |k|
+        "#{k}=#{@values[k]}"
+      end.join('; ')
+    end
+    def [] k
+      @values[k]
+    end
+    def []= k, v
+      @keys << k unless self[k]
+      @values[k] = v
+    end
+    def self.parse string
+      list = new
+      string.split(';').each do |keyval|
+        key, value = keyval.split('=', 2)
+        list[key.strip] = value.strip
+      end
+      list
+    end
+  end
+end

data/lib/dkim/version.rb

@@ -1,3 +1,3 @@
 module Dkim
-  VERSION = "0.1.0"
+  VERSION = "1.1.0"
 end

data/lib/dkim.rb

@@ -1,5 +1,6 @@
 
 require 'dkim/signed_mail'
+require 'dkim/options'
 require 'dkim/interceptor'
 
 module Dkim
@@ -14,13 +15,7 @@ module Dkim
     List-Post List-Owner List-Archive}
 
   class << self
-    attr_accessor :signing_algorithm, :signable_headers, :domain, :selector, :header_canonicalization, :body_canonicalization
-
-    attr_reader :private_key
-    def private_key= key
-      key = OpenSSL::PKey::RSA.new(key) if key.is_a?(String)
-      @private_key = key
-    end
+    include Dkim::Options
 
     def sign message, options={}
       SignedMail.new(message, options).to_s
@@ -28,8 +23,9 @@ module Dkim
   end
 end
 
-Dkim::signable_headers        = Dkim::DefaultHeaders
+Dkim::signable_headers        = Dkim::DefaultHeaders.dup
 Dkim::domain                  = nil
+Dkim::identity                = nil
 Dkim::selector                = nil
 Dkim::signing_algorithm       = 'rsa-sha256'
 Dkim::private_key             = nil

data/lib/mail/dkim_field.rb

@@ -9,17 +9,17 @@ module Mail
 
     def initialize(value = nil, charset = 'utf-8')
       self.charset = charset
-      super(CAPITALIZED_FIELD, strip_field(FIELD_NAME, value), charset)
+      value = strip_field(FIELD_NAME, value) if respond_to?(:strip_field)
+      super(CAPITALIZED_FIELD, value, charset)
       self
     end
 
     def encoded
-      "#{name}:#{value}\n"
+      "#{name}:#{value}\r\n"
     end
 
     def decoded
-      "#{name}:#{value}\n"
+      "#{name}:#{value}\r\n"
     end
   end
 end
-

data/test/dkim/canonicalization_test.rb

@@ -0,0 +1,80 @@
+
+require 'test_helper'
+
+module Dkim
+  class CanonicalizationTest < Minitest::Test
+    # from section 3.4.6 of RFC 6376
+    def setup
+      @input = <<-eos.rfc_format
+      A: <SP> X <CRLF>
+      B <SP> : <SP> Y <HTAB><CRLF>
+      <HTAB> Z <SP><SP><CRLF>
+      <CRLF>
+      <SP> C <SP><CRLF>
+      D <SP><HTAB><SP> E <CRLF>
+      <CRLF>
+      <CRLF>
+      eos
+      @mail = SignedMail.new(@input)
+      @mail.signable_headers = ['A', 'B']
+    end
+    def test_relaxed_header
+      @mail.header_canonicalization = 'relaxed'
+      expected_header = <<-eos.rfc_format
+      a:X <CRLF>
+      b:Y <SP> Z <CRLF>
+      eos
+      assert_equal expected_header, @mail.canonical_header
+    end
+    def test_relaxed_body
+      @mail.body_canonicalization = 'relaxed'
+      expected_body = <<-eos.rfc_format
+      <SP> C <CRLF>
+      D <SP> E <CRLF>
+      eos
+      assert_equal expected_body, @mail.canonical_body
+    end
+
+    def test_simple_header
+      @mail.header_canonicalization = 'simple'
+      expected_header = <<-eos.rfc_format
+      A: <SP> X <CRLF>
+      B <SP> : <SP> Y <HTAB><CRLF>
+      <HTAB> Z <SP><SP><CRLF>
+      eos
+      assert_equal expected_header, @mail.canonical_header
+    end
+    def test_simple_body
+      @mail.body_canonicalization = 'simple'
+      expected_body = <<-eos.rfc_format
+      <SP> C <SP><CRLF>
+      D <SP><HTAB><SP> E <CRLF>
+      eos
+      assert_equal expected_body, @mail.canonical_body
+    end
+
+    # from errata: empty bodies
+    def test_simple_empty_body
+      @mail = SignedMail.new("test: test\r\n\r\n")
+      @mail.body_canonicalization = 'simple'
+
+      assert_equal "\r\n", @mail.canonical_body
+    end
+
+    def test_relaxed_empty_body
+      @mail = SignedMail.new("test: test\r\n\r\n")
+      @mail.body_canonicalization = 'relaxed'
+
+      assert_equal "", @mail.canonical_body
+    end
+
+    def test_relaxed_errata_1384
+      body = "testing<crlf><sp><sp><cr><lf><cr><lf>".rfc_format
+      @mail = SignedMail.new("test: test\r\n\r\n#{body}")
+      @mail.body_canonicalization = 'relaxed'
+
+      assert_equal "testing\r\n", @mail.canonical_body
+    end
+  end
+end
+

data/test/dkim/canonicalized_headers_test.rb

@@ -0,0 +1,51 @@
+
+require 'test_helper'
+
+module Dkim
+  class CanonicalizedHeadersTest < Minitest::Test
+    def test_maintains_order
+      headers = "ABCD".chars.map {|c| Header.new(c, c) }
+      header_keys = headers.map &:relaxed_key
+      header_keys.permutation.each do |signed_headers|
+        ch = CanonicalizedHeaders.new(headers, signed_headers)
+        assert_equal signed_headers, ch.map(&:relaxed_key)
+      end
+    end
+
+    def test_repeated_headers
+      headers = [
+        Header.new('A', '1'),
+        Header.new('B', '2'),
+        Header.new('C', '3'),
+        Header.new('A', '4'),
+        Header.new('D', '5')
+      ]
+      ch = CanonicalizedHeaders.new(headers, %w{A A B C D})
+      assert_equal %w{4 1 2 3 5}, ch.map(&:value)
+      assert_equal <<-eos.rfc_format, ch.to_s('simple')
+      A:4<CRLF>
+      A:1<CRLF>
+      B:2<CRLF>
+      C:3<CRLF>
+      D:5<CRLF>
+      eos
+    end
+
+    # missing headers should be ignored
+    def test_missing_headers
+      headers = [
+        Header.new('A', '1'),
+        Header.new('B', '2'),
+        Header.new('C', '3'),
+      ]
+      ch = CanonicalizedHeaders.new(headers, %w{A A B C})
+      assert_equal %w{a b c}, ch.map(&:relaxed_key)
+      assert_equal <<-eos.rfc_format, ch.to_s('simple')
+      A:1<CRLF>
+      B:2<CRLF>
+      C:3<CRLF>
+      eos
+    end
+  end
+end
+

data/test/dkim/dkim_header_test.rb

@@ -0,0 +1,43 @@
+
+require 'test_helper'
+require 'base64'
+
+module Dkim
+  class DkimHeaderTest < Minitest::Test
+    def setup
+      @header = DkimHeader.new
+
+      # from Appendix A of RFC 6376
+      @header['v'] = '1'
+      @header['a'] = 'rsa-sha256'
+      @header['s'] = 'brisbane'
+      @header['d'] = 'example.com'
+      @header['c'] = 'simple/simple'
+      @header['q'] = 'dns/txt'
+      @header['i'] = 'joe@football.example.com'
+      @header['h'] = 'Received : From : To : Subject : Date : Message-ID'
+      @header['bh']= Base64.decode64 '2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8='
+      @header['b'] = Base64.decode64 'AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk4yAUoqOB4nujc7YopdG5dWLSdNg6xNAZpOPr+kHxt1IrE+NahM6L/LbvaHutKVdkLLkpVaVVQPzeRDI009SO2Il5Lu7rDNH6mZckBdrIx0orEtZV4bmp/YzhwvcubU4='
+    end
+
+    def test_correct_format
+      header = @header.to_s
+
+      # result from RFC 6376 minus trailing ';'
+      expected = %{
+   DKIM-Signature: v=1; a=rsa-sha256; s=brisbane; d=example.com;
+         c=simple/simple; q=dns/txt; i=joe@football.example.com;
+         h=Received : From : To : Subject : Date : Message-ID;
+         bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
+         b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk4yAUoqOB
+           4nujc7YopdG5dWLSdNg6xNAZpOPr+kHxt1IrE+NahM6L/LbvaHut
+           KVdkLLkpVaVVQPzeRDI009SO2Il5Lu7rDNH6mZckBdrIx0orEtZV
+           4bmp/YzhwvcubU4=
+      }
+
+      # compare removing whitespace
+      assert_equal expected.gsub(/\s/,''), header.gsub(/\s/,'')
+    end
+  end
+end
+

data/test/dkim/encodings_test.rb

@@ -0,0 +1,24 @@
+module Dkim
+  class EncodingsTest < Minitest::Test
+    def test_plain_text
+      @encoder = Encodings::PlainText.new
+      assert_equal 'testing123', @encoder.encode('testing123')
+      assert_equal 'testing123', @encoder.decode('testing123')
+    end
+    def test_base64
+      @encoder = Encodings::Base64.new
+      assert_equal 'dGVzdGluZzEyMw==', @encoder.encode('testing123')
+      assert_equal 'testing123',       @encoder.decode('dGVzdGluZzEyMw==')
+    end
+    def test_quoted_printable
+      @encoder = Encodings::DkimQuotedPrintable.new
+      assert_equal 'testing123', @encoder.encode('testing123')
+      assert_equal 'testing123', @encoder.decode('testing123')
+
+      encoded = 'From:foo@eng.example.net|To:joe@example.com|Subject:demo=20run|Date:July=205,=202005=203:44:08=20PM=20-0700'
+      decoded = 'From:foo@eng.example.net|To:joe@example.com|Subject:demo run|Date:July 5, 2005 3:44:08 PM -0700'
+      assert_equal encoded, @encoder.encode(decoded)
+      assert_equal decoded, @encoder.decode(encoded)
+    end
+  end
+end

data/test/dkim/interceptor_test.rb

@@ -0,0 +1,129 @@
+require 'test_helper'
+
+require 'mail'
+
+module Dkim
+  SIGNEDMAIL = <<-eos
+DKIM-Signature: v=1; a=rsa-sha256; s=brisbane; d=example.com;
+      c=simple/simple; q=dns/txt; i=joe@football.example.com;
+      h=Received : From : To : Subject : Date : Message-ID;
+      bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
+      b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk4yAUoqOB
+        4nujc7YopdG5dWLSdNg6xNAZpOPr+kHxt1IrE+NahM6L/LbvaHut
+        KVdkLLkpVaVVQPzeRDI009SO2Il5Lu7rDNH6mZckBdrIx0orEtZV
+        4bmp/YzhwvcubU4=;
+Received: from client1.football.example.com  [192.0.2.1]
+      by submitserver.example.com with SUBMISSION;
+      Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
+From: Joe SixPack <joe@football.example.com>
+To: Suzie Q <suzie@shopping.example.net>
+Subject: Is dinner ready?
+Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
+Message-ID: <20030712040037.46341.5F8J@football.example.com>
+DKIM-Signature: v=1; a=rsa-sha256; s=brisbane; d=example.com;
+      c=simple/simple; q=dns/txt; i=joe@football.example.com;
+      h=Received : From : To : Subject : Date : Message-ID;
+      bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
+      b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk4yAUoqOB
+        4nujc7YopdG5dWLSdNg6xNAZpOPr+kHxt1IrE+NahM6L/LbvaHut
+        KVdkLLkpVaVVQPzeRDI009SO2Il5Lu7rDNH6mZckBdrIx0orEtZV
+        4bmp/YzhwvcubU4=;
+
+Hi.
+
+We lost the game. Are you hungry yet?
+
+Joe.
+  eos
+
+  class InterceptorTest < Minitest::Test
+    def setup
+      @original_options = Dkim.options.dup
+
+      # ensure time does not change
+      Dkim.time = Time.now
+
+      mail = EXAMPLEEMAIL.dup
+
+      @mail = Mail.new(mail)
+    end
+
+    def teardown
+      Dkim.options = @original_options
+    end
+
+    def test_header_with_relaxed
+      Dkim.header_canonicalization = 'relaxed'
+      Dkim.body_canonicalization = 'relaxed'
+      Dkim.signing_algorithm = 'rsa-sha256'
+      Dkim.identity = '@example.com'
+      Interceptor.delivering_email(@mail)
+      dkim_header = @mail['DKIM-Signature']
+
+      assert dkim_header
+      assert_includes dkim_header.to_s, 'rsa-sha256'
+      assert_includes dkim_header.to_s, 's=brisbane'
+      assert_includes dkim_header.to_s, 'd=example.com'
+      assert_includes dkim_header.to_s, 'i=@example.com'
+      assert_includes dkim_header.to_s, 'c=relaxed/relaxed'
+      assert_includes dkim_header.to_s, 'q=dns/txt'
+      assert_includes dkim_header.to_s, 'bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8='
+
+      # TODO: double check signing of 'b' header
+    end
+
+    def test_header_with_simple
+      Dkim.header_canonicalization = 'simple'
+      Dkim.body_canonicalization = 'simple'
+      Dkim.signing_algorithm = 'rsa-sha256'
+      Dkim.identity = '@example.com'
+      Interceptor.delivering_email(@mail)
+      dkim_header = @mail['DKIM-Signature']
+      assert dkim_header
+      assert_includes dkim_header.to_s, 'rsa-sha256'
+      assert_includes dkim_header.to_s, 's=brisbane'
+      assert_includes dkim_header.to_s, 'd=example.com'
+      assert_includes dkim_header.to_s, 'i=@example.com'
+      assert_includes dkim_header.to_s, 'c=simple/simple'
+      assert_includes dkim_header.to_s, 'q=dns/txt'
+      assert_includes dkim_header.to_s, 'bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8='
+
+      # TODO: double check signing of 'b' header
+    end
+
+    def test_strips_exsting_headers
+      warnings = ""
+      klass = Class.new(Interceptor)
+      klass.class.send(:define_method, :warn) do |message|
+        warnings << message << "\n"
+      end
+      @mail = Mail.new(SIGNEDMAIL)
+
+      assert_equal 2, @mail.header.fields.count { |field| field.name =~ /^DKIM-Signature$/i }
+      assert_equal 2, @mail.encoded.scan('DKIM-Signature').count
+
+      klass.delivering_email(@mail)
+
+      # should give a warning
+      assert_includes warnings, 'Interceptor'
+
+      assert_equal 1, @mail.header.fields.count { |field| field.name =~ /^DKIM-Signature$/i }
+      assert_equal 1, @mail.encoded.scan('DKIM-Signature').count
+    end
+
+    def test_same_output_as_direct_usage
+      dkim_header = @mail['DKIM-Signature']
+
+      # Most necessary under simple
+      Dkim.header_canonicalization = 'simple'
+      Dkim.body_canonicalization = 'simple'
+
+      expected = Dkim.sign @mail.to_s
+
+      Interceptor.delivering_email(@mail)
+
+      assert_equal expected, @mail.to_s
+    end
+  end
+end
+

data/test/dkim/options_test.rb

@@ -0,0 +1,40 @@
+require 'test_helper'
+
+module Dkim
+  class OptionsTest < Minitest::Test
+    def setup
+      klass = Class.new
+      klass.send :include, Options
+      @options = klass.new
+    end
+    def test_defaults_empty
+      assert_equal({}, @options.options)
+    end
+
+    def test_all_options
+      @options.signing_algorithm = 'abc123'
+      assert_equal({:signing_algorithm => 'abc123'}, @options.options)
+
+      desired_options = {
+        :signing_algorithm => 'abc123',
+        :signable_headers => [],
+        :domain => 'example.net',
+        :identity => '@example.net',
+        :selector => 'selector',
+        :time => 'time',
+        :header_canonicalization => 'simple',
+        :body_canonicalization => 'simple'
+      }
+
+      desired_options.each do |key, value|
+        @options.send("#{key}=", value)
+      end
+
+      assert_equal(desired_options, @options.options)
+
+      desired_options.each do |key, value|
+        assert_equal value, @options.send("#{key}")
+      end
+    end
+  end
+end