fix(dkim-verify): Show the length of the source body in DKIM results

postalsys · Jan 24, 2024 · d28663b · d28663b
1 parent ab1c7ff
commit d28663b
Show file tree

Hide file tree

Showing 10 changed files with 3,308 additions and 185 deletions.
diff --git a/.ncurc.json b/.ncurc.json
@@ -1,4 +1,4 @@
 {
     "upgrade": true,
-    "reject": ["marked", "marked-man"]
+    "reject": ["marked", "marked-man", "chai"]
 }
diff --git a/examples/rfc8463/signed.eml b/examples/rfc8463/signed.eml
@@ -0,0 +1,26 @@
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+ d=football.example.com; [email protected];
+ q=dns/txt; s=brisbane; t=1528637909; h=from : to :
+ subject : date : message-id : from : subject : date;
+ bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
+ b=/gCrinpcQOoIfuHNQIbq4pgh9kyIK3AQUdt9OdqQehSwhEIug4D11Bus
+ Fa3bT3FY5OsU7ZbnKELq+eXdp1Q1Dw==
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=football.example.com; [email protected];
+ q=dns/txt; s=test; t=1528637909; h=from : to : subject :
+ date : message-id : from : subject : date;
+ bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
+ b=F45dVWDfMbQDGHJFlXUNB2HKfbCeLRyhDXgFpEL8GwpsRe0IeIixNTe3
+ DhCVlUrSjV4BwcVcOF6+FF3Zo9Rpo1tFOeS9mPYQTnGdaSGsgeefOsk2Jz
+ dA+L10TeYt9BgDfQNZtKdN1WO//KgIqXP7OdEFE4LjFYNcUxZQ4FADY+8=
+From: Joe SixPack <[email protected]>
+To: Suzie Q <[email protected]>
+Subject: Is dinner ready?
+Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
+Message-ID: <[email protected]>
+
+Hi.
+
+We lost the game.  Are you hungry yet?
+
+Joe.
diff --git a/examples/rfc8463/verify.js b/examples/rfc8463/verify.js
@@ -0,0 +1,35 @@
+'use strict';
+
+const fs = require('fs');
+const crypto = require('crypto');
+const subtle = crypto.subtle;
+
+const data = Buffer.from(
+    fs
+        .readFileSync(__dirname + '/canon-header.bin', 'binary')
+        .replace(/[ \t]/g, ' ')
+        .replace(/\r?\n/g, '\r\n')
+        .replace(/\s*$/, ''),
+    'binary'
+);
+
+const secretKeyBuf = Buffer.from(fs.readFileSync(__dirname + '/ed.key', 'ascii'), 'base64');
+const pubKeyBuf = Buffer.from('11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo=', 'base64');
+const signature = Buffer.from('/gCrinpcQOoIfuHNQIbq4pgh9kyIK3AQUdt9OdqQehSwhEIug4D11BusFa3bT3FY5OsU7ZbnKELq+eXdp1Q1Dw==', 'base64');
+
+//let verifier = crypto.createVerify('ed25519');
+//verifier.update(data);
+
+console.log(data.toString());
+console.log(data.toString('base64'));
+
+let main = async () => {
+    const pubkey = await subtle.importKey('raw', pubKeyBuf, 'Ed25519', false, ['verify']);
+
+    console.log(pubkey);
+
+    let res = await subtle.verify('Ed25519', pubkey, signature, data);
+    console.log(res);
+};
+
+main().catch(err => console.error(err));
diff --git a/lib/dkim/body/relaxed.js b/lib/dkim/body/relaxed.js
@@ -26,9 +26,14 @@ class RelaxedHash {
         this.bodyHash = crypto.createHash(algorithm);
 
         this.remainder = false;
-        this.byteLength = 0;
 
+        // total body size
+        this.byteLength = 0;
+        // total canonicalized body size
+        this.canonicalizedLength = 0;
+        // hashed canonicalized body size (after l= tag)
         this.bodyHashedBytes = 0;
+
         this.maxBodyLength = maxBodyLength;
 
         this.maxSizeReached = maxBodyLength === 0;
@@ -37,6 +42,8 @@ class RelaxedHash {
     }
 
     _updateBodyHash(chunk) {
+        this.canonicalizedLength += chunk.length;
+
         if (this.maxSizeReached) {
             return;
         }

diff --git a/lib/dkim/body/simple.js b/lib/dkim/body/simple.js
@@ -18,8 +18,12 @@ class SimpleHash {
         this.bodyHash = crypto.createHash(algorithm);
 
         this.remainder = [];
-        this.byteLength = 0;
 
+        // total body size
+        this.byteLength = 0;
+        // total canonicalized body size
+        this.canonicalizedLength = 0;
+        // hashed canonicalized body size (after l= tag)
         this.bodyHashedBytes = 0;
 
         this.maxBodyLength = maxBodyLength;
@@ -29,6 +33,8 @@ class SimpleHash {
     }
 
     _updateBodyHash(chunk) {
+        this.canonicalizedLength += chunk.length;
+
         if (this.maxSizeReached) {
             return;
         }

diff --git a/lib/dkim/dkim-signer.js b/lib/dkim/dkim-signer.js
@@ -259,7 +259,9 @@ class DkimSigner extends MessageParser {
                     // value for the l= tag (if needed)
                     typeof signatureData.maxBodyLength === 'number'
                         ? {
-                              bodyHashedBytes: this.bodyHashes.get(hashKey).hasher.bodyHashedBytes
+                              bodyHashedBytes: this.bodyHashes.get(hashKey).hasher.bodyHashedBytes,
+                              canonicalizedLength: this.bodyHashes.get(hashKey).hasher.canonicalizedLength,
+                              sourceBodyLength: this.bodyHashes.get(hashKey).hasher.byteLength
                           }
                         : {}
                 )

diff --git a/lib/dkim/dkim-verifier.js b/lib/dkim/dkim-verifier.js
@@ -296,6 +296,8 @@ class DkimVerifier extends MessageParser {
                 }
 
                 signatureHeader.bodyHashedBytes = this.bodyHashes.get(signatureHeader.bodyHashKey)?.bodyHashedBytes;
+                signatureHeader.canonicalizedLength = this.bodyHashes.get(signatureHeader.bodyHashKey)?.canonicalizedLength;
+                signatureHeader.sourceBodyLength = this.bodyHashes.get(signatureHeader.bodyHashKey)?.byteLength;
 
                 if (typeof signatureHeader.maxBodyLength === 'number' && signatureHeader.maxBodyLength !== signatureHeader.bodyHashedBytes) {
                     status.result = 'fail';
@@ -314,12 +316,23 @@ class DkimVerifier extends MessageParser {
                     status
                 };
 
+                if (typeof signatureHeader.sourceBodyLength === 'number') {
+                    result.sourceBodyLength = signatureHeader.sourceBodyLength;
+                }
+
                 if (typeof signatureHeader.bodyHashedBytes === 'number') {
                     result.canonBodyLength = signatureHeader.bodyHashedBytes;
                 }
 
+                if (typeof signatureHeader.canonicalizedLength === 'number') {
+                    result.canonBodyLengthTotal = signatureHeader.canonicalizedLength;
+                }
+
                 if (typeof signatureHeader.maxBodyLength === 'number') {
-                    result.bodyLengthCount = signatureHeader.maxBodyLength;
+                    result.canonBodyLengthLimited = true;
+                    result.canonBodyLengthLimit = signatureHeader.maxBodyLength;
+                } else {
+                    result.canonBodyLengthLimited = false;
                 }
 
                 if (publicKey) {