1// Package dkim (DomainKeys Identified Mail signatures, RFC 6376) signs and

2// verifies DKIM signatures.

3//

4// Signatures are added to email messages in DKIM-Signature headers. By signing a

5// message, a domain takes responsibility for the message. A message can have

6// signatures for multiple domains, and the domain does not necessarily have to

7// match a domain in a From header. Receiving mail servers can build a spaminess

8// reputation based on domains that signed the message, along with other

9// mechanisms.

10package dkim

12import (

13 "bufio"

14 "bytes"

15 "context"

16 "crypto"

17 "crypto/ed25519"

18 cryptorand "crypto/rand"

19 "crypto/rsa"

20 "errors"

21 "fmt"

22 "hash"

23 "io"

24 "strings"

25 "time"

27 "github.com/prometheus/client_golang/prometheus"

28 "github.com/prometheus/client_golang/prometheus/promauto"

30 "github.com/mjl-/mox/config"

31 "github.com/mjl-/mox/dns"

32 "github.com/mjl-/mox/mlog"

33 "github.com/mjl-/mox/moxio"

34 "github.com/mjl-/mox/publicsuffix"

35 "github.com/mjl-/mox/smtp"

36)

38var xlog = mlog.New("dkim")

40var (

41 metricDKIMSign = promauto.NewCounterVec(

42 prometheus.CounterOpts{

43 Name: "mox_dkim_sign_total",

44 Help: "DKIM messages signings, label key is the type of key, rsa or ed25519.",

45 },

46 []string{

47 "key",

48 },

49 )

50 metricDKIMVerify = promauto.NewHistogramVec(

51 prometheus.HistogramOpts{

52 Name: "mox_dkim_verify_duration_seconds",

53 Help: "DKIM verify, including lookup, duration and result.",

54 Buckets: []float64{0.001, 0.005, 0.01, 0.05, 0.100, 0.5, 1, 5, 10, 20},

55 },

56 []string{

57 "algorithm",

58 "status",

59 },

60 )

61)

63var timeNow = time.Now // Replaced during tests.

65// Status is the result of verifying a DKIM-Signature as described by RFC 8601,

66// "Message Header Field for Indicating Message Authentication Status".

67type Status string

69// ../rfc/8601:959 ../rfc/6376:1770 ../rfc/6376:2459

71const (

72 StatusNone Status = "none" // Message was not signed.

73 StatusPass Status = "pass" // Message was signed and signature was verified.

74 StatusFail Status = "fail" // Message was signed, but signature was invalid.

75 StatusPolicy Status = "policy" // Message was signed, but signature is not accepted by policy.

76 StatusNeutral Status = "neutral" // Message was signed, but the signature contains an error or could not be processed. This status is also used for errors not covered by other statuses.

77 StatusTemperror Status = "temperror" // Message could not be verified. E.g. because of DNS resolve error. A later attempt may succeed. A missing DNS record is treated as temporary error, a new key may not have propagated through DNS shortly after it was taken into use.

78 StatusPermerror Status = "permerror" // Message cannot be verified. E.g. when a required header field is absent or for invalid (combination of) parameters. Typically set if a DNS record does not allow the signature, e.g. due to algorithm mismatch or expiry.

79)

81// Lookup errors.

82var (

83 ErrNoRecord = errors.New("dkim: no dkim dns record for selector and domain")

84 ErrMultipleRecords = errors.New("dkim: multiple dkim dns record for selector and domain")

85 ErrDNS = errors.New("dkim: lookup of dkim dns record")

86 ErrSyntax = errors.New("dkim: syntax error in dkim dns record")

87)

89// Signature verification errors.

90var (

91 ErrSigAlgMismatch = errors.New("dkim: signature algorithm mismatch with dns record")

92 ErrHashAlgNotAllowed = errors.New("dkim: hash algorithm not allowed by dns record")

93 ErrKeyNotForEmail = errors.New("dkim: dns record not allowed for use with email")

94 ErrDomainIdentityMismatch = errors.New("dkim: dns record disallows mismatch of domain (d=) and identity (i=)")

95 ErrSigExpired = errors.New("dkim: signature has expired")

96 ErrHashAlgorithmUnknown = errors.New("dkim: unknown hash algorithm")

97 ErrBodyhashMismatch = errors.New("dkim: body hash does not match")

98 ErrSigVerify = errors.New("dkim: signature verification failed")

99 ErrSigAlgorithmUnknown = errors.New("dkim: unknown signature algorithm")

100 ErrCanonicalizationUnknown = errors.New("dkim: unknown canonicalization")

101 ErrHeaderMalformed = errors.New("dkim: mail message header is malformed")

102 ErrFrom = errors.New("dkim: bad from headers")

103 ErrQueryMethod = errors.New("dkim: no recognized query method")

104 ErrKeyRevoked = errors.New("dkim: key has been revoked")

105 ErrTLD = errors.New("dkim: signed domain is top-level domain, above organizational domain")

106 ErrPolicy = errors.New("dkim: signature rejected by policy")

107 ErrWeakKey = errors.New("dkim: key is too weak, need at least 1024 bits for rsa")

108)

109

110// Result is the conclusion of verifying one DKIM-Signature header. An email can

111// have multiple signatures, each with different parameters.

112//

113// To decide what to do with a message, both the signature parameters and the DNS

114// TXT record have to be consulted.

115type Result struct {

116 Status Status

117 Sig *Sig // Parsed form of DKIM-Signature header. Can be nil for invalid DKIM-Signature header.

118 Record *Record // Parsed form of DKIM DNS record for selector and domain in Sig. Optional.

119 Err error // If Status is not StatusPass, this error holds the details and can be checked using errors.Is.

120}

121

122// todo: use some io.Writer to hash the body and the header.

123

124// Sign returns line(s) with DKIM-Signature headers, generated according to the configuration.

125func Sign(ctx context.Context, localpart smtp.Localpart, domain dns.Domain, c config.DKIM, smtputf8 bool, msg io.ReaderAt) (headers string, rerr error) {

126 log := xlog.WithContext(ctx)

127 start := timeNow()

128 defer func() {

129 log.Debugx("dkim sign result", rerr, mlog.Field("localpart", localpart), mlog.Field("domain", domain), mlog.Field("smtputf8", smtputf8), mlog.Field("duration", time.Since(start)))

130 }()

131

132 hdrs, bodyOffset, err := parseHeaders(bufio.NewReader(&moxio.AtReader{R: msg}))

133 if err != nil {

134 return "", fmt.Errorf("%w: %s", ErrHeaderMalformed, err)

135 }

136 nfrom := 0

137 for _, h := range hdrs {

138 if h.lkey == "from" {

139 nfrom++

140 }

141 }

142 if nfrom != 1 {

143 return "", fmt.Errorf("%w: message has %d from headers, need exactly 1", ErrFrom, nfrom)

144 }

145

146 type hashKey struct {

147 simple bool // Canonicalization.

148 hash string // lower-case hash.

149 }

150

151 var bodyHashes = map[hashKey][]byte{}

152

153 for _, sign := range c.Sign {

154 sel := c.Selectors[sign]

155 sig := newSigWithDefaults()

156 sig.Version = 1

157 switch sel.Key.(type) {

158 case *rsa.PrivateKey:

159 sig.AlgorithmSign = "rsa"

160 metricDKIMSign.WithLabelValues("rsa").Inc()

161 case ed25519.PrivateKey:

162 sig.AlgorithmSign = "ed25519"

163 metricDKIMSign.WithLabelValues("ed25519").Inc()

164 default:

165 return "", fmt.Errorf("internal error, unknown pivate key %T", sel.Key)

166 }

167 sig.AlgorithmHash = sel.HashEffective

168 sig.Domain = domain

169 sig.Selector = sel.Domain

170 sig.Identity = &Identity{&localpart, domain}

171 sig.SignedHeaders = append([]string{}, sel.HeadersEffective...)

172 if !sel.DontSealHeaders {

173 // ../rfc/6376:2156

174 // Each time a header name is added to the signature, the next unused value is

175 // signed (in reverse order as they occur in the message). So we can add each

176 // header name as often as it occurs. But now we'll add the header names one

177 // additional time, preventing someone from adding one more header later on.

178 counts := map[string]int{}

179 for _, h := range hdrs {

180 counts[h.lkey]++

181 }

182 for _, h := range sel.HeadersEffective {

183 for j := counts[strings.ToLower(h)]; j > 0; j-- {

184 sig.SignedHeaders = append(sig.SignedHeaders, h)

185 }

186 }

187 }

188 sig.SignTime = timeNow().Unix()

189 if sel.ExpirationSeconds > 0 {

190 sig.ExpireTime = sig.SignTime + int64(sel.ExpirationSeconds)

191 }

192

193 sig.Canonicalization = "simple"

194 if sel.Canonicalization.HeaderRelaxed {

195 sig.Canonicalization = "relaxed"

196 }

197 sig.Canonicalization += "/"

198 if sel.Canonicalization.BodyRelaxed {

199 sig.Canonicalization += "relaxed"

200 } else {

201 sig.Canonicalization += "simple"

202 }

203

204 h, hok := algHash(sig.AlgorithmHash)

205 if !hok {

206 return "", fmt.Errorf("unrecognized hash algorithm %q", sig.AlgorithmHash)

207 }

208

209 // We must now first calculate the hash over the body. Then include that hash in a

210 // new DKIM-Signature header. Then hash that and the signed headers into a data

211 // hash. Then that hash is finally signed and the signature included in the new

212 // DKIM-Signature header.

213 // ../rfc/6376:1700

214

215 hk := hashKey{!sel.Canonicalization.BodyRelaxed, strings.ToLower(sig.AlgorithmHash)}

216 if bh, ok := bodyHashes[hk]; ok {

217 sig.BodyHash = bh

218 } else {

219 br := bufio.NewReader(&moxio.AtReader{R: msg, Offset: int64(bodyOffset)})

220 bh, err = bodyHash(h.New(), !sel.Canonicalization.BodyRelaxed, br)

221 if err != nil {

222 return "", err

223 }

224 sig.BodyHash = bh

225 bodyHashes[hk] = bh

226 }

227

228 sigh, err := sig.Header()

229 if err != nil {

230 return "", err

231 }

232 verifySig := []byte(strings.TrimSuffix(sigh, "\r\n"))

233

234 dh, err := dataHash(h.New(), !sel.Canonicalization.HeaderRelaxed, sig, hdrs, verifySig)

235 if err != nil {

236 return "", err

237 }

238

239 switch key := sel.Key.(type) {

240 case *rsa.PrivateKey:

241 sig.Signature, err = key.Sign(cryptorand.Reader, dh, h)

242 if err != nil {

243 return "", fmt.Errorf("signing data: %v", err)

244 }

245 case ed25519.PrivateKey:

246 // crypto.Hash(0) indicates data isn't prehashed (ed25519ph). We are using

247 // PureEdDSA to sign the sha256 hash. ../rfc/8463:123 ../rfc/8032:427

248 sig.Signature, err = key.Sign(cryptorand.Reader, dh, crypto.Hash(0))

249 if err != nil {

250 return "", fmt.Errorf("signing data: %v", err)

251 }

252 default:

253 return "", fmt.Errorf("unsupported private key type: %s", err)

254 }

255

256 sigh, err = sig.Header()

257 if err != nil {

258 return "", err

259 }

260 headers += sigh

261 }

262

263 return headers, nil

264}

265

266// Lookup looks up the DKIM TXT record and parses it.

267//

268// A requested record is <selector>._domainkey.<domain>. Exactly one valid DKIM

269// record should be present.

270func Lookup(ctx context.Context, resolver dns.Resolver, selector, domain dns.Domain) (rstatus Status, rrecord *Record, rtxt string, rerr error) {

271 log := xlog.WithContext(ctx)

272 start := timeNow()

273 defer func() {

274 log.Debugx("dkim lookup result", rerr, mlog.Field("selector", selector), mlog.Field("domain", domain), mlog.Field("status", rstatus), mlog.Field("record", rrecord), mlog.Field("duration", time.Since(start)))

275 }()

276

277 name := selector.ASCII + "._domainkey." + domain.ASCII + "."

278 records, err := dns.WithPackage(resolver, "dkim").LookupTXT(ctx, name)

279 if dns.IsNotFound(err) {

280 // ../rfc/6376:2608

281 // We must return StatusPermerror. We may want to return StatusTemperror because in

282 // practice someone will start using a new key before DNS changes have propagated.

283 return StatusPermerror, nil, "", fmt.Errorf("%w: dns name %q", ErrNoRecord, name)

284 } else if err != nil {

285 return StatusTemperror, nil, "", fmt.Errorf("%w: dns name %q: %s", ErrDNS, name, err)

286 }

287

288 // ../rfc/6376:2612

289 var status = StatusTemperror

290 var record *Record

291 var txt string

292 err = nil

293 for _, s := range records {

294 // We interpret ../rfc/6376:2621 to mean that a record that claims to be v=DKIM1,

295 // but isn't actually valid, results in a StatusPermFail. But a record that isn't

296 // claiming to be DKIM1 is ignored.

297 var r *Record

298 var isdkim bool

299 r, isdkim, err = ParseRecord(s)

300 if err != nil && isdkim {

301 return StatusPermerror, nil, txt, fmt.Errorf("%w: %s", ErrSyntax, err)

302 } else if err != nil {

303 // Hopefully the remote MTA admin discovers the configuration error and fix it for

304 // an upcoming delivery attempt, in case we rejected with temporary status.

305 status = StatusTemperror

306 err = fmt.Errorf("%w: not a dkim record: %s", ErrSyntax, err)

307 continue

308 }

309 // If there are multiple valid records, return a temporary error. Perhaps the error is fixed soon.

310 // ../rfc/6376:1609

311 // ../rfc/6376:2584

312 if record != nil {

313 return StatusTemperror, nil, "", fmt.Errorf("%w: dns name %q", ErrMultipleRecords, name)

314 }

315 record = r

316 txt = s

317 err = nil

318 }

319

320 if record == nil {

321 return status, nil, "", err

322 }

323 return StatusNeutral, record, txt, nil

324}

325

326// Verify parses the DKIM-Signature headers in a message and verifies each of them.

327//

328// If the headers of the message cannot be found, an error is returned.

329// Otherwise, each DKIM-Signature header is reflected in the returned results.

330//

331// NOTE: Verify does not check if the domain (d=) that signed the message is

332// the domain of the sender. The caller, e.g. through DMARC, should do this.

333//

334// If ignoreTestMode is true and the DKIM record is in test mode (t=y), a

335// verification failure is treated as actual failure. With ignoreTestMode

336// false, such verification failures are treated as if there is no signature by

337// returning StatusNone.

338func Verify(ctx context.Context, resolver dns.Resolver, smtputf8 bool, policy func(*Sig) error, r io.ReaderAt, ignoreTestMode bool) (results []Result, rerr error) {

339 log := xlog.WithContext(ctx)

340 start := timeNow()

341 defer func() {

342 duration := float64(time.Since(start)) / float64(time.Second)

343 for _, r := range results {

344 var alg string

345 if r.Sig != nil {

346 alg = r.Sig.Algorithm()

347 }

348 status := string(r.Status)

349 metricDKIMVerify.WithLabelValues(alg, status).Observe(duration)

350 }

351

352 if len(results) == 0 {

353 log.Debugx("dkim verify result", rerr, mlog.Field("smtputf8", smtputf8), mlog.Field("duration", time.Since(start)))

354 }

355 for _, result := range results {

356 log.Debugx("dkim verify result", result.Err, mlog.Field("smtputf8", smtputf8), mlog.Field("status", result.Status), mlog.Field("sig", result.Sig), mlog.Field("record", result.Record), mlog.Field("duration", time.Since(start)))

357 }

358 }()

359

360 hdrs, bodyOffset, err := parseHeaders(bufio.NewReader(&moxio.AtReader{R: r}))

361 if err != nil {

362 return nil, fmt.Errorf("%w: %s", ErrHeaderMalformed, err)

363 }

364

365 // todo: reuse body hashes and possibly verify signatures in parallel. and start the dns lookup immediately. ../rfc/6376:2697

366

367 for _, h := range hdrs {

368 if h.lkey != "dkim-signature" {

369 continue

370 }

371

372 sig, verifySig, err := parseSignature(h.raw, smtputf8)

373 if err != nil {

374 // ../rfc/6376:2503

375 err := fmt.Errorf("parsing DKIM-Signature header: %w", err)

376 results = append(results, Result{StatusPermerror, nil, nil, err})

377 continue

378 }

379

380 h, canonHeaderSimple, canonDataSimple, err := checkSignatureParams(ctx, sig)

381 if err != nil {

382 results = append(results, Result{StatusPermerror, nil, nil, err})

383 continue

384 }

385

386 // ../rfc/6376:2560

387 if err := policy(sig); err != nil {

388 err := fmt.Errorf("%w: %s", ErrPolicy, err)

389 results = append(results, Result{StatusPolicy, nil, nil, err})

390 continue

391 }

392

393 br := bufio.NewReader(&moxio.AtReader{R: r, Offset: int64(bodyOffset)})

394 status, txt, err := verifySignature(ctx, resolver, sig, h, canonHeaderSimple, canonDataSimple, hdrs, verifySig, br, ignoreTestMode)

395 results = append(results, Result{status, sig, txt, err})

396 }

397 return results, nil

398}

399

400// check if signature is acceptable.

401// Only looks at the signature parameters, not at the DNS record.

402func checkSignatureParams(ctx context.Context, sig *Sig) (hash crypto.Hash, canonHeaderSimple, canonBodySimple bool, rerr error) {

403 // "From" header is required, ../rfc/6376:2122 ../rfc/6376:2546

404 var from bool

405 for _, h := range sig.SignedHeaders {

406 if strings.EqualFold(h, "from") {

407 from = true

408 break

409 }

410 }

411 if !from {

412 return 0, false, false, fmt.Errorf(`%w: required "from" header not signed`, ErrFrom)

413 }

414

415 // ../rfc/6376:2550

416 if sig.ExpireTime >= 0 && sig.ExpireTime < timeNow().Unix() {

417 return 0, false, false, fmt.Errorf("%w: expiration time %q", ErrSigExpired, time.Unix(sig.ExpireTime, 0).Format(time.RFC3339))

418 }

419

420 // ../rfc/6376:2554

421 // ../rfc/6376:3284

422 // Refuse signatures that reach beyond declared scope. We use the existing

423 // publicsuffix.Lookup to lookup a fake subdomain of the signing domain. If this

424 // supposed subdomain is actually an organizational domain, the signing domain

425 // shouldn't be signing for its organizational domain.

426 subdom := sig.Domain

427 subdom.ASCII = "x." + subdom.ASCII

428 if subdom.Unicode != "" {

429 subdom.Unicode = "x." + subdom.Unicode

430 }

431 if orgDom := publicsuffix.Lookup(ctx, subdom); subdom.ASCII == orgDom.ASCII {

432 return 0, false, false, fmt.Errorf("%w: %s", ErrTLD, sig.Domain)

433 }

434

435 h, hok := algHash(sig.AlgorithmHash)

436 if !hok {

437 return 0, false, false, fmt.Errorf("%w: %q", ErrHashAlgorithmUnknown, sig.AlgorithmHash)

438 }

439

440 t := strings.SplitN(sig.Canonicalization, "/", 2)

441

442 switch strings.ToLower(t[0]) {

443 case "simple":

444 canonHeaderSimple = true

445 case "relaxed":

446 default:

447 return 0, false, false, fmt.Errorf("%w: header canonicalization %q", ErrCanonicalizationUnknown, sig.Canonicalization)

448 }

449

450 canon := "simple"

451 if len(t) == 2 {

452 canon = t[1]

453 }

454 switch strings.ToLower(canon) {

455 case "simple":

456 canonBodySimple = true

457 case "relaxed":

458 default:

459 return 0, false, false, fmt.Errorf("%w: body canonicalization %q", ErrCanonicalizationUnknown, sig.Canonicalization)

460 }

461

462 // We only recognize query method dns/txt, which is the default. ../rfc/6376:1268

463 if len(sig.QueryMethods) > 0 {

464 var dnstxt bool

465 for _, m := range sig.QueryMethods {

466 if strings.EqualFold(m, "dns/txt") {

467 dnstxt = true

468 break

469 }

470 }

471 if !dnstxt {

472 return 0, false, false, fmt.Errorf("%w: need dns/txt", ErrQueryMethod)

473 }

474 }

475

476 return h, canonHeaderSimple, canonBodySimple, nil

477}

478

479// lookup the public key in the DNS and verify the signature.

480func verifySignature(ctx context.Context, resolver dns.Resolver, sig *Sig, hash crypto.Hash, canonHeaderSimple, canonDataSimple bool, hdrs []header, verifySig []byte, body *bufio.Reader, ignoreTestMode bool) (Status, *Record, error) {

481 // ../rfc/6376:2604

482 status, record, _, err := Lookup(ctx, resolver, sig.Selector, sig.Domain)

483 if err != nil {

484 // todo: for temporary errors, we could pass on information so caller returns a 4.7.5 ecode, ../rfc/6376:2777

485 return status, nil, err

486 }

487 status, err = verifySignatureRecord(record, sig, hash, canonHeaderSimple, canonDataSimple, hdrs, verifySig, body, ignoreTestMode)

488 return status, record, err

489}

490

491// verify a DKIM signature given the record from dns and signature from the email message.

492func verifySignatureRecord(r *Record, sig *Sig, hash crypto.Hash, canonHeaderSimple, canonDataSimple bool, hdrs []header, verifySig []byte, body *bufio.Reader, ignoreTestMode bool) (rstatus Status, rerr error) {

493 if !ignoreTestMode {

494 // ../rfc/6376:1558

495 y := false

496 for _, f := range r.Flags {

497 if strings.EqualFold(f, "y") {

498 y = true

499 break

500 }

501 }

502 if y {

503 defer func() {

504 if rstatus != StatusPass {

505 rstatus = StatusNone

506 }

507 }()

508 }

509 }

510

511 // ../rfc/6376:2639

512 if len(r.Hashes) > 0 {

513 ok := false

514 for _, h := range r.Hashes {

515 if strings.EqualFold(h, sig.AlgorithmHash) {

516 ok = true

517 break

518 }

519 }

520 if !ok {

521 return StatusPermerror, fmt.Errorf("%w: dkim dns record expects one of %q, message uses %q", ErrHashAlgNotAllowed, strings.Join(r.Hashes, ","), sig.AlgorithmHash)

522 }

523 }

524

525 // ../rfc/6376:2651

526 if !strings.EqualFold(r.Key, sig.AlgorithmSign) {

527 return StatusPermerror, fmt.Errorf("%w: dkim dns record requires algorithm %q, message has %q", ErrSigAlgMismatch, r.Key, sig.AlgorithmSign)

528 }

529

530 // ../rfc/6376:2645

531 if r.PublicKey == nil {

532 return StatusPermerror, ErrKeyRevoked

533 } else if rsaKey, ok := r.PublicKey.(*rsa.PublicKey); ok && rsaKey.N.BitLen() < 1024 {

534 // todo: find a reference that supports this.

535 return StatusPermerror, ErrWeakKey

536 }

537

538 // ../rfc/6376:1541

539 if !r.ServiceAllowed("email") {

540 return StatusPermerror, ErrKeyNotForEmail

541 }

542 for _, t := range r.Flags {

543 // ../rfc/6376:1575

544 // ../rfc/6376:1805

545 if strings.EqualFold(t, "s") && sig.Identity != nil {

546 if sig.Identity.Domain.ASCII != sig.Domain.ASCII {

547 return StatusPermerror, fmt.Errorf("%w: i= identity domain %q must match d= domain %q", ErrDomainIdentityMismatch, sig.Domain.ASCII, sig.Identity.Domain.ASCII)

548 }

549 }

550 }

551

552 if sig.Length >= 0 {

553 // todo future: implement l= parameter in signatures. we don't currently allow this through policy check.

554 return StatusPermerror, fmt.Errorf("l= (length) parameter in signature not yet implemented")

555 }

556

557 // We first check the signature is with the claimed body hash is valid. Then we

558 // verify the body hash. In case of invalid signatures, we won't read the entire

559 // body.

560 // ../rfc/6376:1700

561 // ../rfc/6376:2656

562

563 dh, err := dataHash(hash.New(), canonHeaderSimple, sig, hdrs, verifySig)

564 if err != nil {

565 // Any error is likely an invalid header field in the message, hence permanent error.

566 return StatusPermerror, fmt.Errorf("calculating data hash: %w", err)

567 }

568

569 switch k := r.PublicKey.(type) {

570 case *rsa.PublicKey:

571 if err := rsa.VerifyPKCS1v15(k, hash, dh, sig.Signature); err != nil {

572 return StatusFail, fmt.Errorf("%w: rsa verification: %s", ErrSigVerify, err)

573 }

574 case ed25519.PublicKey:

575 if ok := ed25519.Verify(k, dh, sig.Signature); !ok {

576 return StatusFail, fmt.Errorf("%w: ed25519 verification", ErrSigVerify)

577 }

578 default:

579 return StatusPermerror, fmt.Errorf("%w: unrecognized signature algorithm %q", ErrSigAlgorithmUnknown, r.Key)

580 }

581

582 bh, err := bodyHash(hash.New(), canonDataSimple, body)

583 if err != nil {

584 // Any error is likely some internal error, hence temporary error.

585 return StatusTemperror, fmt.Errorf("calculating body hash: %w", err)

586 }

587 if !bytes.Equal(sig.BodyHash, bh) {

588 return StatusFail, fmt.Errorf("%w: signature bodyhash %x != calculated bodyhash %x", ErrBodyhashMismatch, sig.BodyHash, bh)

589 }

590

591 return StatusPass, nil

592}

593

594func algHash(s string) (crypto.Hash, bool) {

595 if strings.EqualFold(s, "sha1") {

596 return crypto.SHA1, true

597 } else if strings.EqualFold(s, "sha256") {

598 return crypto.SHA256, true

599 }

600 return 0, false

601}

602

603// bodyHash calculates the hash over the body.

604func bodyHash(h hash.Hash, canonSimple bool, body *bufio.Reader) ([]byte, error) {

605 // todo: take l= into account. we don't currently allow it for policy reasons.

606

607 var crlf = []byte("\r\n")

608

609 if canonSimple {

610 // ../rfc/6376:864, ensure body ends with exactly one trailing crlf.

611 ncrlf := 0

612 for {

613 buf, err := body.ReadBytes('\n')

614 if len(buf) == 0 && err == io.EOF {

615 break

616 }

617 if err != nil && err != io.EOF {

618 return nil, err

619 }

620 hascrlf := bytes.HasSuffix(buf, crlf)

621 if hascrlf {

622 buf = buf[:len(buf)-2]

623 }

624 if len(buf) > 0 {

625 for ; ncrlf > 0; ncrlf-- {

626 h.Write(crlf)

627 }

628 h.Write(buf)

629 }

630 if hascrlf {

631 ncrlf++

632 }

633 }

634 h.Write(crlf)

635 } else {

636 hb := bufio.NewWriter(h)

637

638 // We go through the body line by line, replacing WSP with a single space and removing whitespace at the end of lines.

639 // We stash "empty" lines. If they turn out to be at the end of the file, we must drop them.

640 stash := &bytes.Buffer{}

641 var line bool // Whether buffer read is for continuation of line.

642 var prev byte // Previous byte read for line.

643 linesEmpty := true // Whether stash contains only empty lines and may need to be dropped.

644 var bodynonempty bool // Whether body is non-empty, for adding missing crlf.

645 var hascrlf bool // Whether current/last line ends with crlf, for adding missing crlf.

646 for {

647 // todo: should not read line at a time, count empty lines. reduces max memory usage. a message with lots of empty lines can cause high memory use.

648 buf, err := body.ReadBytes('\n')

649 if len(buf) == 0 && err == io.EOF {

650 break

651 }

652 if err != nil && err != io.EOF {

653 return nil, err

654 }

655 bodynonempty = true

656

657 hascrlf = bytes.HasSuffix(buf, crlf)

658 if hascrlf {

659 buf = buf[:len(buf)-2]

660

661 // ../rfc/6376:893, "ignore all whitespace at the end of lines".

662 // todo: what is "whitespace"? it isn't WSP (space and tab), the next line mentions WSP explicitly for another rule. should we drop trailing \r, \n, \v, more?

663 buf = bytes.TrimRight(buf, " \t")

664 }

665

666 // Replace one or more WSP to a single SP.

667 for i, c := range buf {

668 wsp := c == ' ' || c == '\t'

669 if (i >= 0 || line) && wsp {

670 if prev == ' ' {

671 continue

672 }

673 prev = ' '

674 c = ' '