mailauth 4.4.2 → 4.5.1

package/bin/mailauth.js

@@ -12,6 +12,7 @@ const commandSign = require('../lib/commands/sign');
 const commandSeal = require('../lib/commands/seal');
 const commandSpf = require('../lib/commands/spf');
 const commandVmc = require('../lib/commands/vmc');
+const commandBodyhash = require('../lib/commands/bodyhash');
 
 const fs = require('fs');
 const pathlib = require('path');
@@ -100,6 +101,12 @@ const argv = yargs(hideBin(process.argv))
                     description: 'Key selector for signing  (s= tag)',
                     demandOption: true
                 })
+                .option('algo', {
+                    alias: 'a',
+                    type: 'string',
+                    description: 'Signing algorithm. Defaults either to rsa-sha256 or ed25519-sha256 depending on the private key format.',
+                    default: 'rsa-sha256'
+                })
                 .option('canonicalization', {
                     alias: 'c',
                     type: 'string',
@@ -344,6 +351,50 @@ const argv = yargs(hideBin(process.argv))
                 });
         }
     )
+    .command(
+        ['bodyhash [email]'],
+        'Generate a signature body hash for an email',
+        yargs => {
+            yargs
+
+                .option('algo', {
+                    alias: 'a',
+                    type: 'string',
+                    description: 'Hashing algorithm. Defaults to sha256.',
+                    default: 'sha256'
+                })
+
+                .option('canonicalization', {
+                    alias: 'c',
+                    type: 'string',
+                    description: 'Canonicalization algorithm  (c= tag)',
+                    default: 'relaxed'
+                })
+
+                .option('body-length', {
+                    alias: 'l',
+                    type: 'number',
+                    description: 'Maximum length of canonicalizated body to sign (l= tag)'
+                });
+
+            yargs.positional('email', {
+                describe: 'Path to the email message file in EML format. If not specified then content is read from stdin'
+            });
+        },
+        argv => {
+            commandBodyhash(argv)
+                .then(() => {
+                    process.exit();
+                })
+                .catch(err => {
+                    if (!err.suppress) {
+                        console.error('Failed to calculate body hash for the input message');
+                        console.error(err);
+                    }
+                    process.exit(1);
+                });
+        }
+    )
     .command(
         ['license'],
         'Show license information',

package/cli.md

@@ -14,6 +14,7 @@ Command line utility and a [Node.js library](README.md) for email authentication
     -   [seal](#seal) - to seal an email with ARC
     -   [spf](#spf) - to validate SPF for an IP address and an email address
     -   [vmc](#vmc) - to validate BIMI VMC logo files
+    -   [bodyhash](#bodyhash) - to generate the signature body hash value for an email
     -   [license](#license) - display licenses for `mailauth` and included modules
 -   [DNS cache file](#dns-cache-file)
 
@@ -320,6 +321,35 @@ $ mailauth vmc -p /path/to/vmc-with-invalid-svg.pem
 }
 ```
 
+### bodyhash
+
+`bodyhash` command takes an email message and calculates the body hash value for it
+
+```
+$ mailauth bodyhash [options] [email]
+```
+
+Where
+
+-   **options** are option flags and arguments
+-   **email** is the path to EML formatted email message file. If not provided then email message is read from standard input
+
+**Options**
+
+-   `--algo sha256` or `-a sha256` is the signing algorithm. Defaults to "sha256". Can also use the a= tag format ("rsa-sha256").
+-   `--canonicalization algo` or `-c algo` is the body canonicalization algorithm, defaults to "relaxed". Can also use the c= tag format ("relaxed/relaxed").
+-   `--body-length 12345` or `-l 12345` is the maximum length of canonicalizated body to sign (l= tag)
+
+**Example**
+
+```
+$ mailauth bodyhash /path/message.eml -a sha1 --verbose
+Hashing algorithm:               sha1
+Body canonicalization algorithm: relaxed
+--------
+j+dD7whKXS1yDmyoWtvClYSyYiQ=
+```
+
 ### license
 
 Display licenses for `mailauth` and included modules.

package/lib/bimi/index.js

@@ -4,18 +4,19 @@ const crypto = require('crypto');
 const dns = require('dns');
 const { formatAuthHeaderRow, parseDkimHeaders, formatDomain, getAlignment } = require('../tools');
 const Joi = require('joi');
-const packageData = require('../../package.json');
+//const packageData = require('../../package.json');
 const httpsSchema = Joi.string().uri({
     scheme: ['https']
 });
 
-const https = require('https');
-const http = require('http');
+const FETCH_TIMEOUT = 5 * 1000;
+
+const { fetch: fetchCmd, Agent } = require('undici');
+const fetchAgent = new Agent({ connect: { timeout: FETCH_TIMEOUT } });
+
 const { vmc } = require('@postalsys/vmc');
 const { validateSvg } = require('./validate-svg');
 
-const HTTP_REQUEST_TIMEOUT = 15 * 1000;
-
 const lookup = async data => {
     let { dmarc, headers, resolver, bimiWithAlignedDkim } = data;
     let headerRows = (headers && headers.parsed) || [];
@@ -177,7 +178,7 @@ const lookup = async data => {
     return response;
 };
 
-const downloadPromise = (url, cachedFile) => {
+const downloadPromise = async (url, cachedFile) => {
     if (cachedFile) {
         return cachedFile;
     }
@@ -186,76 +187,24 @@ const downloadPromise = (url, cachedFile) => {
         return false;
     }
 
-    const parsedUrl = new URL(url);
-
-    const options = {
-        protocol: parsedUrl.protocol,
-        host: parsedUrl.host,
+    let res = await fetchCmd(url, {
         headers: {
-            host: parsedUrl.host,
-            'User-Agent': `mailauth/${packageData.version} (+${packageData.homepage}`
+            // Comment: AKAMAI does some strange UA based filtering that messes up the request
+            // 'User-Agent': `mailauth/${packageData.version} (+${packageData.homepage}`
         },
-        servername: parsedUrl.hostname,
-        port: 443,
-        path: parsedUrl.pathname,
-        method: 'GET',
-        rejectUnauthorized: true,
-
-        timeout: HTTP_REQUEST_TIMEOUT
-    };
-
-    return new Promise((resolve, reject) => {
-        let protoHandler;
-        switch (parsedUrl.protocol) {
-            case 'https:':
-                protoHandler = https;
-                break;
-            case 'http:':
-                protoHandler = http;
-                break;
-            default:
-                reject(new Error(`Unknown protocol ${parsedUrl.protocol}`));
-        }
-        const req = protoHandler.request(options, res => {
-            let chunks = [],
-                chunklen = 0;
-            res.on('readable', () => {
-                let chunk;
-                while ((chunk = res.read()) !== null) {
-                    chunks.push(chunk);
-                    chunklen += chunk.length;
-                }
-            });
-            res.on('end', () => {
-                let data = Buffer.concat(chunks, chunklen);
-                if (!res.statusCode || res.statusCode < 200 || res.statusCode >= 300) {
-                    let err = new Error(`Invalid response code ${res.statusCode || '-'}`);
-                    err.code = 'http_status_' + (res.statusCode || 'na');
-                    if (res.headers.location && res.statusCode >= 300 && res.statusCode < 400) {
-                        err.redirect = {
-                            code: res.statusCode,
-                            location: res.headers.location
-                        };
-                    }
-                    return reject(err);
-                }
-                resolve(data);
-            });
-            res.on('error', err => reject(err));
-        });
-
-        req.on('timeout', () => {
-            req.destroy(); // cancel request
-            let error = new Error(`Request timeout for ${parsedUrl.href}`);
-            error.code = 'HTTP_SOCKET_TIMEOUT';
-            reject(error);
-        });
-
-        req.on('error', err => {
-            reject(err);
-        });
-        req.end();
+        dispatcher: fetchAgent
     });
+
+    if (!res.ok) {
+        let error = new Error(`Request failed with status ${res.status}`);
+        error.code = 'HTTP_REQUEST_FAILED';
+        throw error;
+    }
+
+    let ab = await res.arrayBuffer();
+    process.stdout.write(Buffer.from(ab));
+
+    return Buffer.from(ab);
 };
 
 const validateVMC = async (bimiData, opts) => {

package/lib/commands/bodyhash.js

@@ -0,0 +1,66 @@
+'use strict';
+
+const { DkimSigner } = require('../dkim/dkim-signer');
+const { writeToStream } = require('../tools');
+const fs = require('fs');
+
+const cmd = async argv => {
+    let source = argv.email;
+    let useStdin = false;
+    let stream;
+
+    if (!source) {
+        useStdin = true;
+        source = 'standard input';
+    }
+
+    if (argv.verbose) {
+        console.error(`Reading email message from ${source}`);
+    }
+
+    if (useStdin) {
+        stream = process.stdin;
+    } else {
+        stream = fs.createReadStream(source);
+    }
+
+    if (isNaN(argv.bodyLength) || argv.bodyLength < 0) {
+        argv.bodyLength = null;
+    }
+
+    let signatureOpts = {
+        type: 'DKIM',
+        privateKey: true, // force hash calculation
+        canonicalization: argv.canonicalization && (argv.canonicalization.includes('/') ? argv.canonicalization : `/${argv.canonicalization}`),
+        algorithm: argv.algo,
+        maxBodyLength: argv.bodyLength
+    };
+
+    let dkimSigner = new DkimSigner({ signatureData: [signatureOpts] });
+
+    let { hashAlgo } = dkimSigner.getAlgorithm(signatureOpts);
+    let { bodyCanon } = dkimSigner.getCanonicalization(signatureOpts);
+
+    if (argv.verbose) {
+        if (hashAlgo) {
+            console.error(`Hashing algorithm:               ${hashAlgo}`);
+        }
+        if (bodyCanon) {
+            console.error(`Body canonicalization algorithm: ${bodyCanon}`);
+        }
+        if (signatureOpts.maxBodyLength) {
+            console.error(`Maximum body length:             ${signatureOpts.maxBodyLength}`);
+        }
+        console.error('--------');
+    }
+
+    await writeToStream(dkimSigner, stream);
+
+    let hashKey = `${bodyCanon}:${hashAlgo}:${typeof argv.bodyLength === 'number' ? argv.bodyLength : ''}`;
+    const bodyHash = dkimSigner.bodyHashes.get(hashKey)?.hash;
+    if (bodyHash) {
+        process.stdout.write(bodyHash);
+    }
+};
+
+module.exports = cmd;

package/lib/commands/sign.js

@@ -48,12 +48,12 @@ const cmd = async argv => {
         if (signatureOpts.selector) {
             console.error(`Key selector:               ${signatureOpts.selector}`);
         }
-        if (signatureOpts.canonicalization) {
-            console.error(`Canonicalization algorithm: ${signatureOpts.canonicalization}`);
-        }
         if (signatureOpts.algorithm) {
             console.error(`Hashing algorithm:          ${signatureOpts.algorithm}`);
         }
+        if (signatureOpts.canonicalization) {
+            console.error(`Canonicalization algorithm: ${signatureOpts.canonicalization}`);
+        }
         if (signatureOpts.maxBodyLength) {
             console.error(`Maximum body length:        ${signatureOpts.maxBodyLength}`);
         }

package/lib/dkim/body/index.js

@@ -10,8 +10,11 @@ const dkimBody = (canonicalization, ...options) => {
             return new SimpleHash(...options);
         case 'relaxed':
             return new RelaxedHash(...options);
-        default:
-            throw new Error('Unknown body canonicalization');
+        default: {
+            let error = new Error('Unknown body canonicalization');
+            error.canonicalization = canonicalization;
+            throw error;
+        }
     }
 };
 

package/lib/dkim/dkim-signer.js

@@ -96,11 +96,15 @@ class DkimSigner extends MessageParser {
             let [header, body] = canonicalization.split('/');
 
             if (!['relaxed', 'simple'].includes(header)) {
-                throw new Error('Unknown header canonicalization: ' + header);
+                let error = new Error('Unknown header canonicalization');
+                error.canonicalization = header;
+                throw error;
             }
 
             if (!['relaxed', 'simple'].includes(body)) {
-                throw new Error('Unknown header canonicalization: ' + body);
+                let error = new Error('Unknown body canonicalization');
+                error.canonicalization = body;
+                throw error;
             }
         } catch (err) {
             err.code = 'EINVALIDCANON';

package/lib/dkim/header/index.js

@@ -11,8 +11,11 @@ const generateCanonicalizedHeader = (type, signingHeaderLines, options) => {
             return simpleHeaders(type, signingHeaderLines, options);
         case 'relaxed':
             return relaxedHeaders(type, signingHeaderLines, options);
-        default:
-            throw new Error('Unknown header canonicalization');
+        default: {
+            let error = new Error('Unknown header canonicalization');
+            error.canonicalization = canonicalization;
+            throw error;
+        }
     }
 };
 

package/lib/tools.js

@@ -450,11 +450,15 @@ const validateAlgorithm = (algorithm, strict) => {
         let [signAlgo, hashAlgo] = algorithm.toLowerCase().split('-');
 
         if (!['rsa', 'ed25519'].includes(signAlgo)) {
-            throw new Error('Unknown signing algorithm: ' + signAlgo);
+            let error = new Error('Unknown signing algorithm');
+            error.signAlgo = signAlgo;
+            throw error;
         }
 
         if (!['sha256'].concat(!strict ? 'sha1' : []).includes(hashAlgo)) {
-            throw new Error('Unknown hashing algorithm: ' + hashAlgo);
+            let error = new Error('Unknown hashing algorithm');
+            error.hashAlgo = hashAlgo;
+            throw error;
         }
     } catch (err) {
         err.code = 'EINVALIDALGO';

package/licenses.txt

@@ -1,11 +1,11 @@
 name             license type  link                                                            installed version  author
 ----             ------------  ----                                                            -----------------  ------
 @postalsys/vmc   MIT           https://registry.npmjs.org/@postalsys/vmc/-/vmc-1.0.6.tgz       1.0.6              Postal Systems OÜ
-fast-xml-parser  MIT           git+https://github.com/NaturalIntelligence/fast-xml-parser.git  4.2.4              Amit Gupta (https://amitkumargupta.work/)
+fast-xml-parser  MIT           git+https://github.com/NaturalIntelligence/fast-xml-parser.git  4.2.7              Amit Gupta (https://amitguptagwl.github.io)
 ipaddr.js        MIT           git://github.com/whitequark/ipaddr.js.git                       2.1.0              whitequark <whitequark@whitequark.org>
 joi              BSD-3-Clause  git://github.com/hapijs/joi.git                                 17.9.2             n/a
 libmime          MIT           git://github.com/andris9/libmime.git                            5.2.1              Andris Reinman <andris@kreata.ee>
-nodemailer       MIT-0         git+https://github.com/nodemailer/nodemailer.git                6.9.3              Andris Reinman
+nodemailer       MIT-0         git+https://github.com/nodemailer/nodemailer.git                6.9.4              Andris Reinman
 psl              MIT           git+ssh://git@github.com/lupomontero/psl.git                    1.9.0              Lupo Montero <lupomontero@gmail.com> (https://lupomontero.com/)
 punycode         MIT           git+https://github.com/mathiasbynens/punycode.js.git            2.3.0              Mathias Bynens https://mathiasbynens.be/
 yargs            MIT           git+https://github.com/yargs/yargs.git                          17.7.2             n/a

package/man/mailauth.1

@@ -1,4 +1,4 @@
-.TH "MAILAUTH" "1" "July 2023" "v4.4.1" "Mailauth Help"
+.TH "MAILAUTH" "1" "July 2023" "v4.5.0" "Mailauth Help"
 .SH "NAME"
 \fBmailauth\fR
 .QP

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "mailauth",
-    "version": "4.4.2",
+    "version": "4.5.1",
     "description": "Email authentication library for Node.js",
     "main": "lib/mailauth.js",
     "scripts": {
@@ -33,9 +33,9 @@
     "homepage": "https://github.com/postalsys/mailauth",
     "devDependencies": {
         "chai": "4.3.7",
-        "eslint": "8.45.0",
+        "eslint": "8.46.0",
         "eslint-config-nodemailer": "1.2.0",
-        "eslint-config-prettier": "8.9.0",
+        "eslint-config-prettier": "8.10.0",
         "js-yaml": "4.1.0",
         "license-report": "6.4.0",
         "marked": "0.7.0",
@@ -46,13 +46,14 @@
     },
     "dependencies": {
         "@postalsys/vmc": "1.0.6",
-        "fast-xml-parser": "4.2.6",
+        "fast-xml-parser": "4.2.7",
         "ipaddr.js": "2.1.0",
         "joi": "17.9.2",
         "libmime": "5.2.1",
         "nodemailer": "6.9.4",
         "psl": "1.9.0",
         "punycode": "2.3.0",
+        "undici": "5.23.0",
         "yargs": "17.7.2"
     },
     "engines": {
@@ -71,10 +72,10 @@
             "LICENSE.txt"
         ],
         "targets": [
-            "node16-linux-x64",
-            "node16-macos-x64",
+            "node18-linux-x64",
+            "node18-macos-x64",
             "node18-macos-arm64",
-            "node16-win-x64"
+            "node18-win-x64"
         ],
         "outputPath": "ee-dist"
     }