lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

Verification failed of emails signed by MailEnable 8 #21

Closed mlocati closed 10 years ago

mlocati commented 10 years ago

I'm using DKIM Verifier 1.0.4 and it seems to have some problems verifying messages signed with MailEnable Professional 8.

Here's a sample email header:

dkim-signature:v=1; c=relaxed/relaxed; h=message-id:date:from:mime-version:to:subject:content-type;
 d=progesoft.com; s=mail; a=rsa-sha256;
 bh=NL3Ygc+tb+Rpo+N0UfDOJxzDTOX8XCX5d+ShqvRTOdc=;
 b=UtLf/Wb2na2PQM0mRxVBW5CkECtBZHTf2rGFeJW48lx7b0vTLa1ENROZUxM7Ccvmx
 lCzcSqgJAhDwyW47oac7zfEABFrYYcr4XVMDH356HJJpHJf37Gf/yZO6VLLgNvYjG6L
 IxXHw+Oua7YCafodbMMrm2YniBg5NqjQUmTCdmQ=;

And here's the content of the TXT DNS record that I created with opendkim-genkey -r -h rsa-sha256 -s mail:

v=DKIM1; h=rsa-sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk12TXXVW+zf0w0kiC8kFr0m6mK2e/c3PIgaVW5K9RWMEKtfWOzQTpiIk8H1zbfe+KUfOBnV/Sxm30f+MOapYo8CT/0f7GXNfrlUfJ3KncOCQ1c8eqU0I0SJEbU5Qw/5g1kTIrIwbjMx3lZGHDerRwAH88nnsW3Fs40jSQQ1ZIEQIDAQAB

Here's the Thunderbird log:

DKIM_Verifier.Verifier  DEBUG   Parsed DKIM-Signature: ({v:"1", a_sig:"rsa", a_hash:"sha256", b:"UtLf/Wb2na2PQM0mRxVBW5CkECtBZHTf2rGFeJW48lx7b0vTLa1ENROZUxM7CcvmxlCzcSqgJAhDwyW47oac7zfEABFrYYcr4XVMDH356HJJpHJf37Gf/yZO6VLLgNvYjG6LIxXHw+Oua7YCafodbMMrm2YniBg5NqjQUmTCdmQ=", b_folded:"UtLf/Wb2na2PQM0mRxVBW5CkECtBZHTf2rGFeJW48lx7b0vTLa1ENROZUxM7Ccvmx\r\n lCzcSqgJAhDwyW47oac7zfEABFrYYcr4XVMDH356HJJpHJf37Gf/yZO6VLLgNvYjG6L\r\n IxXHw+Oua7YCafodbMMrm2YniBg5NqjQUmTCdmQ=", bh:"NL3Ygc+tb+Rpo+N0UfDOJxzDTOX8XCX5d+ShqvRTOdc=", c_header:"relaxed", c_body:"relaxed", d:"progesoft.com", h:"message-id:date:from:mime-version:to:subject:content-type", h_array:["message-id", "date", "from", "mime-version", "to", "subject", "content-type"], i:"@progesoft.com", i_domain:"progesoft.com", l:null, q:"dns/txt", s:"mail", t:null, x:null, z:null})
DKIM_Verifier.Verifier  DEBUG   computed body hash: NL3Ygc+tb+Rpo+N0UfDOJxzDTOX8XCX5d+ShqvRTOdc=
DKIM_Verifier.JSDNS INFO    Resolving mail._domainkey.progesoft.com TXT by querying 192.168.1.10
DKIM_Verifier.JSDNS DEBUG   mail._domainkey.progesoft.com/TXT: Answer: v=DKIM1; h=rsa-sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLnLhmzjg4fTCQTDq7JZOGFHNPcUVQlppRWpB1QSckvXzABTuju5BrQovV/OXJYEyeUPfVRtq6wTgAeSSOJ1eyg4Flsn4c9FA8vyGPO0jM7UAFDTRut9I8JO/25Xp6W+xxAa8UM+vSglipU1NAnQWLbIX9a2hWp5AaUj2EhMaF8QIDAQAB
DKIM_Verifier.Verifier  DEBUG   Parsed DKIM-Key: ({v:"DKIM1", h:"rsa-sha256", h_array:["rsa-sha256"], k:"rsa", n:null, p:"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLnLhmzjg4fTCQTDq7JZOGFHNPcUVQlppRWpB1QSckvXzABTuju5BrQovV/OXJYEyeUPfVRtq6wTgAeSSOJ1eyg4Flsn4c9FA8vyGPO0jM7UAFDTRut9I8JO/25Xp6W+xxAa8UM+vSglipU1NAnQWLbIX9a2hWp5AaUj2EhMaF8QIDAQAB", s:"*", t:"", t_array:[]})
DKIM_Verifier.Verifier  WARN    DKIM_SIGERROR_KEY_HASHNOTINCLUDED: Wrong hash algorithm in DKIM key record JS Stack trace: verifySignaturePart2@dkimVerifier.jsm:1157 < verifySignaturePart1/promise<@dkimVerifier.jsm:1102

In dkimVerifier.jsm@1102 I can read

if (msg.DKIMKey.h_array &&
    msg.DKIMKey.h_array.indexOf(msg.DKIMSignature.a_hash) === -1) {
    throw new DKIM_SigError("DKIM_SIGERROR_KEY_HASHNOTINCLUDED");
}

It seems there are some problems in matching msg.DKIMKey.h_array and msg.DKIMSignature.a_hash...

PS: GMail says that everything is ok.

lieser commented 10 years ago

Thanks for reporting. But in this case, I think there is no problem in the add-on.

If you take a look at the RFC, you see the following for the h tag in the DKIM key:

key-h-tag       = %x68 [FWS] "=" [FWS] key-h-tag-alg
                  *( [FWS] ":" [FWS] key-h-tag-alg )
key-h-tag-alg   = "sha1" / "sha256" / x-key-h-tag-alg
x-key-h-tag-alg = hyphenated-word   ; for future extension

So your DKIM key should be v=DKIM1; h=sha256; k=rsa; p=....
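
Added example, not part of the original thread or the add-on's code: a small JavaScript check of a key record's h= tag against the signature's a= tag, following the ABNF quoted above, plus a lint for the misconfiguration seen in this issue. The function names, the KEY_TYPE_MISMATCH result and the p=PLACEHOLDER records are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not from dkimVerifier.jsm.

// Parse a DKIM key record (tag=value pairs separated by ";") into a Map.
function parseKeyRecord(txt) {
  const tags = new Map();
  for (const part of txt.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // empty segment after a trailing ";"
    const name = part.slice(0, eq).trim();
    if (tags.has(name)) throw new Error("duplicate tag: " + name);
    tags.set(name, part.slice(eq + 1).trim()); // p= may itself contain "="
  }
  return tags;
}

// h= is a colon-separated list of hash names; whitespace around ":" is allowed.
function keyHashList(tags) {
  if (!tags.has("h")) return null; // absent h= means any hash is acceptable
  return tags.get("h").split(":").map((s) => s.trim());
}

// Compare the key record with the signature's a= value (e.g. "rsa-sha256").
function checkKeyHash(keyTxt, sigAlgorithm) {
  const dash = sigAlgorithm.indexOf("-");
  if (dash === -1) throw new Error("malformed a= value");
  const sigKeyType = sigAlgorithm.slice(0, dash);
  const sigHash = sigAlgorithm.slice(dash + 1);
  const tags = parseKeyRecord(keyTxt);
  // k= defaults to "rsa" when absent; the result name below is hypothetical.
  if ((tags.get("k") || "rsa") !== sigKeyType) return "KEY_TYPE_MISMATCH";
  const allowed = keyHashList(tags);
  if (allowed && !allowed.includes(sigHash)) {
    return "DKIM_SIGERROR_KEY_HASHNOTINCLUDED"; // error name from the log above
  }
  return "ok";
}

// Flag h= entries that are a full signature algorithm rather than a hash name.
function lintKeyHash(keyTxt) {
  const allowed = keyHashList(parseKeyRecord(keyTxt)) || [];
  return allowed
    .filter((h) => /^rsa-/.test(h))
    .map((h) => `h=${h} looks like an a= value; use ${h.replace(/^rsa-/, "")}`);
}

// Constructed records: same tags as in the thread, p= replaced by a placeholder.
const badRecord = "v=DKIM1; h=rsa-sha256; k=rsa; p=PLACEHOLDER";
const goodRecord = "v=DKIM1; h=sha256; k=rsa; p=PLACEHOLDER";
console.log(checkKeyHash(badRecord, "rsa-sha256"), lintKeyHash(badRecord));
console.log(checkKeyHash(goodRecord, "rsa-sha256"), lintKeyHash(goodRecord));
```

Tag values are compared exactly as written, without case folding.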

mlocati commented 10 years ago

My bad: I called opendkim-genkey with the wrong arguments.

Thank you and compliments for your great add-on!