mailauth 2.3.3 → 3.0.1

package/README.md

@@ -327,15 +327,6 @@ Some example authority evidence documents:
 -   [from default.\_bimi.cnn.com](https://amplify.valimail.com/bimi/time-warner/LysAFUdG-Hw-cnn_vmc.pem)
 -   [from default.\_bimi.entrustdatacard.com](https://www.entrustdatacard.com/-/media/certificate/Entrust%20VMC%20July%2014%202020.pem)
 
-You can parse logos from these certificate files using the `parseLogoFromX509` function.
-
-```js
-const { parseLogoFromX509 } = require('mailauth/lib/tools');
-let { altnNames, svg } = await parseLogoFromX509(fs.readFileSync('vmc.pem'));
-```
-
-> **NB!** `parseLogoFromX509` does not verify the validity of the VMC certificate. It could be self-signed or expired and still be processed.
-
 ## MTA-STS
 
 `mailauth` allows you to fetch MTA-STS information for a domain name.

package/bin/mailauth.js

@@ -6,10 +6,13 @@ const yargs = require('yargs/yargs');
 const { hideBin } = require('yargs/helpers');
 const os = require('os');
 const assert = require('assert');
+
 const commandReport = require('../lib/commands/report');
 const commandSign = require('../lib/commands/sign');
 const commandSeal = require('../lib/commands/seal');
 const commandSpf = require('../lib/commands/spf');
+const commandVmc = require('../lib/commands/vmc');
+
 const fs = require('fs');
 const pathlib = require('path');
 
@@ -287,6 +290,42 @@ const argv = yargs(hideBin(process.argv))
                 });
         }
     )
+    .command(
+        ['vmc'],
+        'Validate VMC logo',
+        yargs => {
+            yargs
+                .option('authorityPath', {
+                    alias: 'p',
+                    type: 'string',
+                    description: 'Path to a VMC file',
+                    demandOption: false
+                })
+                .option('authority', {
+                    alias: 'a',
+                    type: 'string',
+                    description: 'URL to a VMC file',
+                    demandOption: false
+                })
+                .option('domain', {
+                    alias: 'd',
+                    type: 'string',
+                    description: 'Sending domain to validate',
+                    demandOption: false
+                });
+        },
+        argv => {
+            commandVmc(argv)
+                .then(() => {
+                    process.exit();
+                })
+                .catch(err => {
+                    console.error('Failed to verify VMC file');
+                    console.error(err);
+                    process.exit(1);
+                });
+        }
+    )
     .command(
         ['license'],
         'Show license information',

package/cli.md

@@ -1,3 +1,7 @@
+![](https://github.com/postalsys/mailauth/raw/master/assets/mailauth.png)
+
+Command line utility and a [Node.js library](README.md) for email authentication.
+
 # CLI USAGE
 
 ## TOC
@@ -9,6 +13,7 @@
     -   [sign](#sign) - to sign an email with DKIM
     -   [seal](#seal) - to seal an email with ARC
     -   [spf](#spf) - to validate SPF for an IP address and an email address
+    -   [vmc](#vmc) - to validate BIMI VMC logo files
     -   [license](#license) - display licenses for `mailauth` and included modules
 -   [DNS cache file](#dns-cache-file)
 
@@ -208,6 +213,88 @@ DNS query for A mail.wildduck.email: ["217.146.76.20"]
   ...
 ```
 
+### vmc
+
+`vmc` command takes either the URL for a VMC file or a file path or both. It then verifies if the VMC resource is a valid file or not and exposes its contents.
+
+```
+$ mailauth vmc [options]
+```
+
+Where
+
+-   **options** are option flags and arguments
+
+**Options**
+
+-   `--authority <url>` or `-a <url>` is the URL for the VMC resource
+-   `--authorityPath <path>` or `-p <path>` is the cached file for the authority URL to avoid network requests
+-   `--domain <domain>` or `-d <domain>` is the sender domain to compare the certificate against
+
+**Example**
+
+```
+$ mailauth vmc -a https://amplify.valimail.com/bimi/time-warner/yV3KRIg4nJW-cnn.pem -d cnn.com
+{
+  "url": "https://amplify.valimail.com/bimi/time-warner/yV3KRIg4nJW-cnn.pem",
+  "success": true,
+  "domainVerified": true,
+  "vmc": {
+    "mediaType": "image/svg+xml",
+    "hashAlgo": "sha1",
+    "hashValue": "ea8c81da633c66a16262134a78576cdf067638e9",
+    "logoFile": "<2300B base64 encoded file>",
+    "validHash": true,
+    "certificate": {
+      "subjectAltName": [
+        "cnn.com"
+      ],
+      "subject": {
+        "businessCategory": "Private Organization",
+        "jurisdictionCountryName": "US",
+        "jurisdictionStateOrProvinceName": "Delaware",
+        "serialNumber": "2976730",
+        "countryName": "US",
+        "stateOrProvinceName": "Georgia",
+        "localityName": "Atlanta",
+        "street": "190 Marietta St NW",
+        "organizationName": "Cable News Network, Inc.",
+        "commonName": "Cable News Network, Inc.",
+        "trademarkCountryOrRegionName": "US",
+        "trademarkRegistration": "5817930"
+      },
+      "fingerprint": "17:B3:94:97:E6:6B:C8:6B:33:B8:0A:D2:F0:79:6B:08:A2:A6:84:BD",
+      "serialNumber": "0821B8FE0A9CBC3BAC10DA08C088EEF4",
+      "issuer": {
+        "countryName": "US",
+        "organizationName": "DigiCert, Inc.",
+        "commonName": "DigiCert Verified Mark RSA4096 SHA256 2021 CA1"
+      }
+    }
+  }
+}
+```
+
+If the certificate verification fails, then the contents are not returned.
+
+```
+$ mailauth vmc -p /path/to/random/cert-bundle.pem
+{
+  "success": false,
+  "error": {
+    "message": "Self signed certificate in certificate chain",
+    "details": {
+      "subject": "CN=postal.vmc.local\nO=Postal Systems OU.\nC=EE",
+      "fingerprint": "CC:49:83:ED:3F:6B:77:45:5B:A5:3B:9E:EC:99:0E:A1:EF:D7:FF:97",
+      "fingerprint235": "D4:36:6F:B4:EF:2B:4F:9E:84:23:3D:F2:3A:F7:13:21:C6:C3:CF:CB:03:5F:BB:54:5B:69:A4:AC:6A:43:61:7D",
+      "validFrom": "Jul  9 06:13:33 2022 GMT",
+      "validTo": "Jul  9 06:13:33 2023 GMT"
+    },
+    "code": "SELF_SIGNED_CERT_IN_CHAIN"
+  }
+}
+```
+
 ### license
 
 Display licenses for `mailauth` and included modules.

package/lib/bimi/index.js

@@ -1,12 +1,18 @@
 'use strict';
 
+const crypto = require('crypto');
 const dns = require('dns');
-const { formatAuthHeaderRow, parseDkimHeaders } = require('../tools');
+const { formatAuthHeaderRow, parseDkimHeaders, formatDomain, getAlignment } = require('../tools');
 const Joi = require('joi');
+const packageData = require('../../package.json');
 const httpsSchema = Joi.string().uri({
     scheme: ['https']
 });
 
+const https = require('https');
+const http = require('http');
+const { vmc } = require('@postalsys/vmc');
+
 const lookup = async data => {
     let { dmarc, headers, resolver } = data;
     let headerRows = (headers && headers.parsed) || [];
@@ -161,4 +167,223 @@ const lookup = async data => {
     return response;
 };
 
-module.exports = { bimi: lookup };
+const downloadPromise = (url, cachedFile) => {
+    if (cachedFile) {
+        return cachedFile;
+    }
+
+    if (!url) {
+        return false;
+    }
+
+    const parsedUrl = new URL(url);
+
+    const options = {
+        protocol: parsedUrl.protocol,
+        host: parsedUrl.host,
+        headers: {
+            host: parsedUrl.host,
+            'User-Agent': `mailauth/${packageData.version} (+${packageData.homepage}`
+        },
+        servername: parsedUrl.hostname,
+        port: 443,
+        path: parsedUrl.pathname,
+        method: 'GET',
+        rejectUnauthorized: true
+    };
+
+    return new Promise((resolve, reject) => {
+        let protoHandler;
+        switch (parsedUrl.protocol) {
+            case 'https:':
+                protoHandler = https;
+                break;
+            case 'http:':
+                protoHandler = http;
+                break;
+            default:
+                reject(new Error(`Unknown protocol ${parsedUrl.protocol}`));
+        }
+        const req = protoHandler.request(options, res => {
+            let chunks = [],
+                chunklen = 0;
+            res.on('readable', () => {
+                let chunk;
+                while ((chunk = res.read()) !== null) {
+                    chunks.push(chunk);
+                    chunklen += chunk.length;
+                }
+            });
+            res.on('end', () => {
+                let data = Buffer.concat(chunks, chunklen);
+                if (!res.statusCode || res.statusCode < 200 || res.statusCode >= 300) {
+                    let err = new Error(`Invalid response code ${res.statusCode || '-'}`);
+                    err.code = 'http_status_' + (res.statusCode || 'na');
+                    if (res.headers.location && res.statusCode >= 300 && res.statusCode < 400) {
+                        err.redirect = {
+                            code: res.statusCode,
+                            location: res.headers.location
+                        };
+                    }
+                    return reject(err);
+                }
+                resolve(data);
+            });
+            res.on('error', err => reject(err));
+        });
+
+        req.on('error', err => {
+            reject(err);
+        });
+        req.end();
+    });
+};
+
+const validateVMC = async bimiData => {
+    if (!bimiData) {
+        return false;
+    }
+
+    let selector = bimiData?.status?.header?.selector;
+    let d = bimiData?.status?.header?.d;
+
+    let promises = [];
+
+    promises.push(downloadPromise(bimiData.location, bimiData.locationPath));
+    promises.push(downloadPromise(bimiData.authority, bimiData.authorityPath));
+
+    if (!promises.length) {
+        return false;
+    }
+
+    let [{ reason: locationError, value: locationValue, status: locationStatus }, { reason: authorityError, value: authorityValue, status: authorityStatus }] =
+        await Promise.allSettled(promises);
+
+    let result = {};
+    if (locationValue || locationError) {
+        result.location = {
+            url: bimiData.location,
+            success: locationStatus === 'fulfilled'
+        };
+
+        if (locationError) {
+            let err = locationError;
+            result.location.error = { message: err.message };
+            if (err.redirect) {
+                result.location.error.redirect = err.redirect;
+            }
+            if (err.code) {
+                result.location.error.code = err.code;
+            }
+        }
+
+        if (result.location.success) {
+            result.location.logoFile = locationValue.toString('base64');
+        }
+    }
+
+    if (authorityValue || authorityError) {
+        result.authority = {
+            url: bimiData.authority,
+            success: authorityStatus === 'fulfilled'
+        };
+
+        if (authorityError) {
+            let err = authorityError;
+            result.authority.error = { message: err.message };
+            if (err.redirect) {
+                result.authority.error.redirect = err.redirect;
+            }
+            if (err.code) {
+                result.authority.error.code = err.code;
+            }
+        }
+
+        if (authorityValue) {
+            try {
+                let vmcData = await vmc(authorityValue);
+
+                if (vmcData?.mediaType?.toLowerCase() !== 'image/svg+xml') {
+                    let error = new Error('Invalid media type for the logo file');
+                    error.details = {
+                        mediaType: vmcData.mediaType
+                    };
+                    error.code = 'INVALID_MEDIATYPE';
+                    throw error;
+                }
+
+                if (d) {
+                    // validate domain
+                    let selectorSet = [];
+                    let domainSet = [];
+                    vmcData?.certificate?.subjectAltName?.map(formatDomain)?.forEach(domain => {
+                        if (/\b_bimi\./.test(domain)) {
+                            selectorSet.push(domain);
+                        } else {
+                            domainSet.push(domain);
+                        }
+                    });
+
+                    let domainVerified = false;
+
+                    if (selector && selectorSet.includes(formatDomain(`${selector}._bimi.${d}`))) {
+                        domainVerified = true;
+                    } else {
+                        let alignedDomain = getAlignment(d, domainSet, false);
+                        if (alignedDomain) {
+                            domainVerified = true;
+                        }
+                    }
+
+                    if (!domainVerified) {
+                        let error = new Error('Domain can not be verified');
+                        error.details = {
+                            subjectAltName: vmcData?.certificate?.subjectAltName,
+                            selector,
+                            d
+                        };
+                        error.code = 'VMC_DOMAIN_MISMATCH';
+                        throw error;
+                    } else {
+                        result.authority.domainVerified = true;
+                    }
+                }
+
+                result.authority.vmc = vmcData;
+            } catch (err) {
+                result.authority.success = false;
+                result.authority.error = { message: err.message };
+                if (err.details) {
+                    result.authority.error.details = err.details;
+                }
+                if (err.code) {
+                    result.authority.error.code = err.code;
+                }
+            }
+        }
+
+        if (result.location && result.location.success && result.authority.success) {
+            try {
+                if (result.location.success && result.authority.vmc.hashAlgo && result.authority.vmc.validHash) {
+                    let hash = crypto.createHash(result.authority.vmc.hashAlgo).update(locationValue).digest('hex');
+                    result.location.hashAlgo = result.authority.vmc.hashAlgo;
+                    result.location.hashValue = hash;
+                    result.authority.hashMatch = hash === result.authority.vmc.hashValue;
+                }
+            } catch (err) {
+                result.authority.success = false;
+                result.authority.error = { message: err.message };
+                if (err.details) {
+                    result.authority.error.details = err.details;
+                }
+                if (err.code) {
+                    result.authority.error.code = err.code;
+                }
+            }
+        }
+    }
+
+    return result;
+};
+
+module.exports = { bimi: lookup, validateVMC };

package/lib/commands/vmc.js

@@ -0,0 +1,25 @@
+'use strict';
+
+const { validateVMC } = require('../bimi');
+
+const fs = require('fs').promises;
+
+const cmd = async argv => {
+    let bimiData = {};
+    if (argv.authorityPath) {
+        bimiData.authorityPath = await fs.readFile(argv.authorityPath);
+    }
+
+    if (argv.authority) {
+        bimiData.authority = argv.authority;
+    }
+
+    if (argv.domain) {
+        bimiData.status = { header: { d: argv.domain } };
+    }
+
+    const result = await validateVMC(bimiData);
+    process.stdout.write(JSON.stringify(result.authority, false, 2) + '\n');
+};
+
+module.exports = cmd;

package/lib/dkim/body/relaxed.js

@@ -1,9 +1,14 @@
-'use strict';
+/* eslint no-control-regex: 0 */
 
-// Calculates relaxed body hash for a message body stream
+'use strict';
 
 const crypto = require('crypto');
 
+const CHAR_CR = 0x0d;
+const CHAR_LF = 0x0a;
+const CHAR_SPACE = 0x20;
+const CHAR_TAB = 0x09;
+
 /**
  * Class for calculating body hash of an email message body stream
  * using the "relaxed" canonicalization
@@ -16,139 +21,244 @@ class RelaxedHash {
      * @param {Number} [maxBodyLength] Allowed body length count, the value from the l= parameter
      */
     constructor(algorithm, maxBodyLength) {
-        algorithm = (algorithm || 'sha256').split('-').pop();
+        algorithm = (algorithm || 'sha256').split('-').pop().toLowerCase();
+
         this.bodyHash = crypto.createHash(algorithm);
 
-        this.remainder = '';
+        this.remainder = false;
         this.byteLength = 0;
 
         this.bodyHashedBytes = 0;
         this.maxBodyLength = maxBodyLength;
+
+        this.maxSizeReached = false;
+
+        this.emptyLinesQueue = [];
     }
 
     _updateBodyHash(chunk) {
-        // the following is needed for l= option
+        if (this.maxSizeReached) {
+            return;
+        }
+
+        // the following is needed for the l= option
         if (
             typeof this.maxBodyLength === 'number' &&
             !isNaN(this.maxBodyLength) &&
             this.maxBodyLength >= 0 &&
             this.bodyHashedBytes + chunk.length > this.maxBodyLength
         ) {
+            this.maxSizeReached = true;
             if (this.bodyHashedBytes >= this.maxBodyLength) {
                 // nothing to do here, skip entire chunk
                 return;
             }
+
             // only use allowed size of bytes
-            chunk = chunk.slice(0, this.maxBodyLength - this.bodyHashedBytes);
+            chunk = chunk.subarray(0, this.maxBodyLength - this.bodyHashedBytes);
         }
 
         this.bodyHashedBytes += chunk.length;
         this.bodyHash.update(chunk);
+
+        //process.stdout.write(chunk);
     }
 
-    update(chunk) {
-        this.byteLength += chunk.length;
+    _drainPendingEmptyLines() {
+        if (this.emptyLinesQueue.length) {
+            for (let emptyLine of this.emptyLinesQueue) {
+                this._updateBodyHash(emptyLine);
+            }
+            this.emptyLinesQueue = [];
+        }
+    }
 
-        let bodyStr;
+    _pushBodyHash(chunk) {
+        if (!chunk || !chunk.length) {
+            return;
+        }
 
-        // find next remainder
-        let nextRemainder = '';
+        // remove line endings
+        let foundNonLn = false;
 
-        // This crux finds and removes the spaces from the last line and the newline characters after the last non-empty line
-        // If we get another chunk that does not match this description then we can restore the previously processed data
-        let state = 'file';
+        // buffer line endings and empty lines
         for (let i = chunk.length - 1; i >= 0; i--) {
-            let c = chunk[i];
-
-            if (state === 'file' && (c === 0x0a || c === 0x0d)) {
-                // do nothing, found \n or \r at the end of chunk, stil end of file
-            } else if (state === 'file' && (c === 0x09 || c === 0x20)) {
-                // switch to line ending mode, this is the last non-empty line
-                state = 'line';
-            } else if (state === 'line' && (c === 0x09 || c === 0x20)) {
-                // do nothing, found ' ' or \t at the end of line, keep processing the last non-empty line
-            } else if (state === 'file' || state === 'line') {
-                // non line/file ending character found, switch to body mode
-                state = 'body';
-                if (i === chunk.length - 1) {
-                    // final char is not part of line end or file end, so do nothing
-                    break;
+            if (chunk[i] !== CHAR_LF && chunk[i] !== CHAR_CR) {
+                this._drainPendingEmptyLines();
+                if (i < chunk.length - 1) {
+                    this.emptyLinesQueue.push(chunk.subarray(i + 1));
+                    chunk = chunk.subarray(0, i + 1);
                 }
+                foundNonLn = true;
+                break;
             }
+        }
+
+        if (!foundNonLn) {
+            this.emptyLinesQueue.push(chunk);
+            return;
+        }
 
-            if (i === 0) {
-                // reached to the beginning of the chunk, check if it is still about the ending
-                // and if the remainder also matches
-                if (
-                    (state === 'file' && (!this.remainder || /[\r\n]$/.test(this.remainder))) ||
-                    (state === 'line' && (!this.remainder || /[ \t]$/.test(this.remainder)))
-                ) {
-                    // keep everything
-                    this.remainder += chunk.toString('binary');
-                    return;
-                } else if (state === 'line' || state === 'file') {
-                    // process existing remainder as normal line but store the current chunk
-                    nextRemainder = chunk.toString('binary');
-                    chunk = false;
-                    break;
+        this._updateBodyHash(chunk);
+    }
+
+    fixLineBuffer(line) {
+        let resultLine = [];
+
+        let nonWspFound = false;
+        let prevWsp = false;
+
+        for (let i = line.length - 1; i >= 0; i--) {
+            if (line[i] === CHAR_LF) {
+                resultLine.unshift(line[i]);
+                if (i === 0 || line[i - 1] !== CHAR_CR) {
+                    // add missing carriage return
+                    resultLine.unshift(CHAR_CR);
                 }
+                continue;
             }
 
-            if (state !== 'body') {
+            if (line[i] === CHAR_CR) {
+                resultLine.unshift(line[i]);
+                continue;
+            }
+
+            if (line[i] === CHAR_SPACE || line[i] === CHAR_TAB) {
+                if (nonWspFound) {
+                    prevWsp = true;
+                }
                 continue;
             }
 
-            // reached first non ending byte
-            nextRemainder = chunk.slice(i + 1).toString('binary');
-            chunk = chunk.slice(0, i + 1);
-            break;
+            if (prevWsp) {
+                resultLine.unshift(CHAR_SPACE);
+                prevWsp = false;
+            }
+
+            nonWspFound = true;
+            resultLine.unshift(line[i]);
+        }
+
+        if (prevWsp && nonWspFound) {
+            resultLine.unshift(CHAR_SPACE);
+        }
+
+        return Buffer.from(resultLine);
+    }
+
+    update(chunk, final) {
+        this.byteLength += (chunk && chunk.length) || 0;
+        if (this.maxSizeReached) {
+            return;
         }
 
-        let needsFixing = !!this.remainder;
-        if (chunk && !needsFixing) {
-            // check if we even need to change anything
-            for (let i = 0, len = chunk.length; i < len; i++) {
-                if (i && chunk[i] === 0x0a && chunk[i - 1] !== 0x0d) {
-                    // missing \r before \n
-                    needsFixing = true;
-                    break;
-                } else if (i && chunk[i] === 0x0d && chunk[i - 1] === 0x20) {
-                    // trailing WSP found
-                    needsFixing = true;
-                    break;
-                } else if (i && chunk[i] === 0x20 && chunk[i - 1] === 0x20) {
-                    // multiple spaces found, needs to be replaced with just one
-                    needsFixing = true;
-                    break;
-                } else if (chunk[i] === 0x09) {
-                    // TAB found, needs to be replaced with a space
-                    needsFixing = true;
-                    break;
+        // Canonicalize content by applying a and b in order:
+        // a.1. Ignore all whitespace at the end of lines.
+        // a.2. Reduce all sequences of WSP within a line to a single SP character.
+
+        // b.1. Ignore all empty lines at the end of the message body.
+        // b.2. If the body is non-empty but does not end with a CRLF, a CRLF is added.
+
+        let lineEndPos = -1;
+        let lineNeedsFixing = false;
+        let cursorPos = 0;
+
+        if (this.remainder && this.remainder.length) {
+            if (chunk) {
+                // concatting chunks might be bad for performance :S
+                chunk = Buffer.concat([this.remainder, chunk]);
+            } else {
+                chunk = this.remainder;
+            }
+            this.remainder = false;
+        }
+
+        if (chunk && chunk.length) {
+            for (let pos = 0; pos < chunk.length; pos++) {
+                switch (chunk[pos]) {
+                    case CHAR_LF:
+                        if (
+                            !lineNeedsFixing &&
+                            // previous character is not <CR>
+                            ((pos >= 1 && chunk[pos - 1] !== CHAR_CR) ||
+                                // LF is the first byte on the line
+                                pos === 0 ||
+                                // there's a space before line break
+                                (pos >= 2 && chunk[pos - 1] === CHAR_CR && chunk[pos - 2] === CHAR_SPACE))
+                        ) {
+                            lineNeedsFixing = true;
+                        }
+
+                        // line break
+                        if (lineNeedsFixing) {
+                            // emit pending bytes up to the last line break before current line
+                            if (lineEndPos >= 0 && lineEndPos >= cursorPos) {
+                                let chunkPart = chunk.subarray(cursorPos, lineEndPos + 1);
+                                this._pushBodyHash(chunkPart);
+                            }
+
+                            let line = chunk.subarray(lineEndPos + 1, pos + 1);
+                            this._pushBodyHash(this.fixLineBuffer(line));
+
+                            lineNeedsFixing = false;
+
+                            // move cursor to the start of next line
+                            cursorPos = pos + 1;
+                        }
+
+                        lineEndPos = pos;
+
+                        break;
+
+                    case CHAR_SPACE:
+                        if (!lineNeedsFixing && pos && chunk[pos - 1] === CHAR_SPACE) {
+                            lineNeedsFixing = true;
+                        }
+                        break;
+
+                    case CHAR_TAB:
+                        // non-space WSP always needs replacing
+                        lineNeedsFixing = true;
+                        break;
+
+                    default:
                 }
             }
         }
 
-        if (needsFixing) {
-            bodyStr = this.remainder + (chunk ? chunk.toString('binary') : '');
-            this.remainder = nextRemainder;
-            bodyStr = bodyStr
-                .replace(/\r?\n/g, '\n') // use js line endings
-                .replace(/[ \t]*$/gm, '') // remove line endings, rtrim
-                .replace(/[ \t]+/gm, ' ') // single spaces
-                .replace(/\n/g, '\r\n'); // restore rfc822 line endings
-            chunk = Buffer.from(bodyStr, 'binary');
-        } else if (nextRemainder) {
-            this.remainder = nextRemainder;
+        if (chunk && cursorPos < chunk.length && cursorPos !== lineEndPos) {
+            // emit data from chunk
+
+            let chunkPart = chunk.subarray(cursorPos, lineEndPos + 1);
+
+            if (chunkPart.length) {
+                this._pushBodyHash(lineNeedsFixing ? this.fixLineBuffer(chunkPart) : chunkPart);
+                lineNeedsFixing = false;
+            }
+
+            cursorPos = lineEndPos + 1;
         }
 
-        this._updateBodyHash(chunk);
+        if (chunk && !final && cursorPos < chunk.length) {
+            this.remainder = chunk.subarray(cursorPos);
+        }
+
+        if (final) {
+            let chunkPart = (cursorPos && chunk && chunk.subarray(cursorPos)) || chunk;
+            if (chunkPart && chunkPart.length) {
+                this._pushBodyHash(lineNeedsFixing ? this.fixLineBuffer(chunkPart) : chunkPart);
+                lineNeedsFixing = false;
+            }
+
+            if (this.bodyHashedBytes) {
+                // terminating line break for non-empty messages
+                this._updateBodyHash(Buffer.from([CHAR_CR, CHAR_LF]));
+            }
+        }
     }
 
     digest(encoding) {
-        if (/[\r\n]$/.test(this.remainder) && this.bodyHashedBytes > 0) {
-            // add terminating line end
-            this._updateBodyHash(Buffer.from('\r\n'));
-        }
+        this.update(null, true);
 
         // finalize
         return this.bodyHash.digest(encoding);
@@ -156,3 +266,27 @@ class RelaxedHash {
 }
 
 module.exports = { RelaxedHash };
+
+/*
+let fs = require('fs');
+
+const getBody = message => {
+    message = message.toString('binary');
+    let match = message.match(/\r?\n\r?\n/);
+    if (match) {
+        message = message.substr(match.index + match[0].length);
+    }
+    return Buffer.from(message, 'binary');
+};
+
+let s = fs.readFileSync(process.argv[2]);
+
+let k = new RelaxedHash('rsa-sha256', -1);
+
+for (let byte of getBody(s)) {
+    k.update(Buffer.from([byte]));
+}
+
+console.error(k.digest('base64'));
+console.error(k.byteLength, k.bodyHashedBytes);
+*/

package/lib/dkim/body/simple.js

@@ -22,6 +22,8 @@ class SimpleHash {
 
         this.bodyHashedBytes = 0;
         this.maxBodyLength = maxBodyLength;
+
+        this.lastNewline = false;
     }
 
     _updateBodyHash(chunk) {
@@ -42,6 +44,8 @@ class SimpleHash {
 
         this.bodyHashedBytes += chunk.length;
         this.bodyHash.update(chunk);
+
+        //process.stdout.write(chunk);
     }
 
     update(chunk) {
@@ -81,10 +85,11 @@ class SimpleHash {
         }
 
         this._updateBodyHash(chunk);
+        this.lastNewline = chunk[chunk.length - 1] === 0x0a;
     }
 
     digest(encoding) {
-        if (this.remainder.length || !this.bodyHashedBytes) {
+        if (!this.lastNewline || !this.bodyHashedBytes) {
             // emit empty line buffer to keep the stream flowing
             this._updateBodyHash(Buffer.from('\r\n'));
         }

package/lib/mailauth.js

@@ -4,7 +4,7 @@ const { dkimVerify } = require('./dkim/verify');
 const { spf } = require('./spf');
 const { dmarc } = require('./dmarc');
 const { arc, createSeal } = require('./arc');
-const { bimi } = require('./bimi');
+const { bimi, validateVMC: validateBimiVmc } = require('./bimi');
 const { parseReceived } = require('./parse-received');
 const { sealMessage } = require('./arc');
 const libmime = require('libmime');
@@ -180,4 +180,4 @@ const authenticate = async (input, opts) => {
     };
 };
 
-module.exports = { authenticate, sealMessage };
+module.exports = { authenticate, sealMessage, validateBimiVmc };

package/lib/tools.js

@@ -10,10 +10,6 @@ const https = require('https');
 const packageData = require('../package');
 const parseDkimHeaders = require('./parse-dkim-headers');
 const psl = require('psl');
-const { Certificate } = require('@fidm/x509');
-const zlib = require('zlib');
-const util = require('util');
-const gunzip = util.promisify(zlib.gunzip);
 const pki = require('node-forge').pki;
 const Joi = require('joi');
 const base64Schema = Joi.string().base64({ paddingRequired: false });
@@ -474,44 +470,6 @@ const validateAlgorithm = (algorithm, strict) => {
     }
 };
 
-/**
- * Function takes Verified Mark Certificate file and parses domain names and SVG file
- * NB! Certificate is not verified in any way. If there are altNames and SVG content
- * available then these are returned even if the certificate is self signed or expired.
- * @param {Buffer} pem VMC file
- * @returns {Object|Boolean} Either an object with {altNames[], svg} or false if required data was missing from the certificate
- */
-const parseLogoFromX509 = async pem => {
-    const cert = Certificate.fromPEM(pem);
-
-    const altNames = cert.extensions
-        .filter(e => e.oid === '2.5.29.17')
-        .flatMap(d => d?.altNames?.map(an => an?.dnsName?.trim()))
-        .filter(an => an);
-    if (!altNames.length) {
-        return false;
-    }
-
-    let logo = cert.extensions.find(e => e.oid === '1.3.6.1.5.5.7.1.12');
-    if (!logo?.value?.length) {
-        return false;
-    }
-
-    let str = logo.value.toString();
-    // No idea what is that binary stuff before the data uri block
-    let dataMatch = /\bdata:/.test(str) && str.match(/\bbase64,/);
-    if (dataMatch) {
-        let b64 = str.substr(dataMatch.index + dataMatch[0].length);
-        let svg = await gunzip(Buffer.from(b64, 'base64'));
-        return {
-            pem,
-            altNames,
-            svg: svg.toString()
-        };
-    }
-    return false;
-};
-
 module.exports = {
     writeToStream,
     parseHeaders,
@@ -533,6 +491,5 @@ module.exports = {
     getAlignment,
 
     formatRelaxedLine,
-
-    parseLogoFromX509
+    formatDomain
 };

package/licenses.txt

@@ -1,11 +1,12 @@
-name        license type               link                                              installed version  author
-----        ------------               ----                                              -----------------  ------
-@fidm/x509  MIT                        git+ssh://git@github.com/fidm/x509.git            1.2.1
-ipaddr.js   MIT                        git://github.com/whitequark/ipaddr.js.git         2.0.1              whitequark whitequark@whitequark.org
-joi         BSD-3-Clause               git://github.com/sideway/joi.git                  17.6.0
-libmime     MIT                        git://github.com/andris9/libmime.git              5.0.0              Andris Reinman andris@kreata.ee
-node-forge  (BSD-3-Clause OR GPL-2.0)  git+https://github.com/digitalbazaar/forge.git    1.3.1              Digital Bazaar, Inc. support@digitalbazaar.com http://digitalbazaar.com/
-nodemailer  MIT                        git+https://github.com/nodemailer/nodemailer.git  6.7.3              Andris Reinman
-psl         MIT                        git+ssh://git@github.com/lupomontero/psl.git      1.8.0              Lupo Montero lupomontero@gmail.com https://lupomontero.com/
-punycode    MIT                        git+https://github.com/bestiejs/punycode.js.git   2.1.1              Mathias Bynens https://mathiasbynens.be/
-yargs       MIT                        git+https://github.com/yargs/yargs.git            17.4.1
+name            license type               link                                                       installed version  author
+----            ------------               ----                                                       -----------------  ------
+@fidm/x509      MIT                        git+ssh://git@github.com/fidm/x509.git                     1.2.1
+@postalsys/vmc  MIT                        https://registry.npmjs.org/@postalsys/vmc/-/vmc-1.0.1.tgz  1.0.1              Postal Systems OÜ
+ipaddr.js       MIT                        git://github.com/whitequark/ipaddr.js.git                  2.0.1              whitequark whitequark@whitequark.org
+joi             BSD-3-Clause               git://github.com/sideway/joi.git                           17.6.0
+libmime         MIT                        git://github.com/andris9/libmime.git                       5.1.0              Andris Reinman andris@kreata.ee
+node-forge      (BSD-3-Clause OR GPL-2.0)  git+https://github.com/digitalbazaar/forge.git             1.3.1              Digital Bazaar, Inc. support@digitalbazaar.com http://digitalbazaar.com/
+nodemailer      MIT                        git+https://github.com/nodemailer/nodemailer.git           6.7.7              Andris Reinman
+psl             MIT                        git+ssh://git@github.com/lupomontero/psl.git               1.9.0              Lupo Montero lupomontero@gmail.com https://lupomontero.com/
+punycode        MIT                        git+https://github.com/bestiejs/punycode.js.git            2.1.1              Mathias Bynens https://mathiasbynens.be/
+yargs           MIT                        git+https://github.com/yargs/yargs.git                     17.5.1

package/man/mailauth.1

@@ -1,4 +1,4 @@
-.TH "MAILAUTH" "1" "May 2022" "v2.3.2" "Mailauth Help"
+.TH "MAILAUTH" "1" "July 2022" "v3.0.0" "Mailauth Help"
 .SH "NAME"
 \fBmailauth\fR
 .QP

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "mailauth",
-    "version": "2.3.3",
+    "version": "3.0.1",
     "description": "Email authentication library for Node.js",
     "main": "lib/mailauth.js",
     "scripts": {
@@ -33,7 +33,7 @@
     "homepage": "https://github.com/postalsys/mailauth",
     "devDependencies": {
         "chai": "4.3.6",
-        "eslint": "8.15.0",
+        "eslint": "8.19.0",
         "eslint-config-nodemailer": "1.2.0",
         "eslint-config-prettier": "8.5.0",
         "js-yaml": "4.1.0",
@@ -42,21 +42,21 @@
         "marked-man": "0.7.0",
         "mbox-reader": "1.1.5",
         "mocha": "10.0.0",
-        "pkg": "5.6.0"
+        "pkg": "5.7.0"
     },
     "dependencies": {
-        "@fidm/x509": "1.2.1",
+        "@postalsys/vmc": "1.0.3",
         "ipaddr.js": "2.0.1",
         "joi": "17.6.0",
         "libmime": "5.1.0",
         "node-forge": "1.3.1",
-        "nodemailer": "6.7.5",
-        "psl": "1.8.0",
+        "nodemailer": "6.7.7",
+        "psl": "1.9.0",
         "punycode": "2.1.1",
-        "yargs": "17.5.0"
+        "yargs": "17.5.1"
     },
     "engines": {
-        "node": ">=14.0.0"
+        "node": ">=16.0.0"
     },
     "bin": {
         "mailauth": "bin/mailauth.js"