mox!

2025-07-10 09:54:40 +03:00 · 2023-01-30 14:27:06 +01:00
commit cb229cb6cf
1256 changed files with 491723 additions and 0 deletions
--- a/dkim/sig.go
+++ b/dkim/sig.go
@ -0,0 +1,353 @@
+package dkim
+
+import (
+	"bytes"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/message"
+	"github.com/mjl-/mox/smtp"
+)
+
+// Sig is a DKIM-Signature header.
+//
+// String values must be compared case insensitively.
+type Sig struct {
+	// Required fields.
+	Version       int        // Version, 1. Field "v". Always the first field.
+	AlgorithmSign string     // "rsa" or "ed25519". Field "a".
+	AlgorithmHash string     // "sha256" or the deprecated "sha1" (deprecated). Field "a".
+	Signature     []byte     // Field "b".
+	BodyHash      []byte     // Field "bh".
+	Domain        dns.Domain // Field "d".
+	SignedHeaders []string   // Duplicates are meaningful. Field "h".
+	Selector      dns.Domain // Selector, for looking DNS TXT record at <s>._domainkey.<domain>. Field "s".
+
+	// Optional fields.
+	// Canonicalization is the transformation of header and/or body before hashing. The
+	// value is in original case, but must be compared case-insensitively. Normally two
+	// slash-separated values: header canonicalization and body canonicalization. But
+	// the "simple" means "simple/simple" and "relaxed" means "relaxed/simple". Field
+	// "c".
+	Canonicalization string
+	Length           int64     // Body length to verify, default -1 for whole body. Field "l".
+	Identity         *Identity // AUID (agent/user id). If nil and an identity is needed, should be treated as an Identity without localpart and Domain from d= field. Field "i".
+	QueryMethods     []string  // For public key, currently known value is "dns/txt" (should be compared case-insensitively). If empty, dns/txt must be assumed. Field "q".
+	SignTime         int64     // Unix epoch. -1 if unset. Field "t".
+	ExpireTime       int64     // Unix epoch. -1 if unset. Field "x".
+	CopiedHeaders    []string  // Copied header fields. Field "z".
+}
+
+// Identity is used for the optional i= field in a DKIM-Signature header. It uses
+// the syntax of an email address, but does not necessarily represent one.
+type Identity struct {
+	Localpart *smtp.Localpart // Optional.
+	Domain    dns.Domain
+}
+
+// String returns a value for use in the i= DKIM-Signature field.
+func (i Identity) String() string {
+	s := "@" + i.Domain.ASCII
+	// We need localpart as pointer to indicate it is missing because localparts can be
+	// "" which we store (decoded) as empty string and we need to differentiate.
+	if i.Localpart != nil {
+		s = i.Localpart.String() + s
+	}
+	return s
+}
+
+func newSigWithDefaults() *Sig {
+	return &Sig{
+		Canonicalization: "simple/simple",
+		Length:           -1,
+		SignTime:         -1,
+		ExpireTime:       -1,
+	}
+}
+
+// Algorithm returns an algorithm string for use in the "a" field. E.g.
+// "ed25519-sha256".
+func (s Sig) Algorithm() string {
+	return s.AlgorithmSign + "-" + s.AlgorithmHash
+}
+
+// Header returns the DKIM-Signature header in string form, to be prepended to a
+// message, including DKIM-Signature field name and trailing \r\n.
+func (s *Sig) Header() (string, error) {
+	// ../rfc/6376:1021
+	// todo: make a higher-level writer that accepts pairs, and only folds to next line when needed.
+	w := &message.HeaderWriter{}
+	w.Addf("", "DKIM-Signature: v=%d;", s.Version)
+	// Domain names must always be in ASCII. ../rfc/6376:1115 ../rfc/6376:1187 ../rfc/6376:1303
+	w.Addf(" ", "d=%s;", s.Domain.ASCII)
+	w.Addf(" ", "s=%s;", s.Selector.ASCII)
+	if s.Identity != nil {
+		w.Addf(" ", "i=%s;", s.Identity.String()) // todo: Is utf-8 ok here?
+	}
+	w.Addf(" ", "a=%s;", s.Algorithm())
+
+	if s.Canonicalization != "" && !strings.EqualFold(s.Canonicalization, "simple") && !strings.EqualFold(s.Canonicalization, "simple/simple") {
+		w.Addf(" ", "c=%s;", s.Canonicalization)
+	}
+	if s.Length >= 0 {
+		w.Addf(" ", "l=%d;", s.Length)
+	}
+	if len(s.QueryMethods) > 0 && !(len(s.QueryMethods) == 1 && strings.EqualFold(s.QueryMethods[0], "dns/txt")) {
+		w.Addf(" ", "q=%s;", strings.Join(s.QueryMethods, ":"))
+	}
+	if s.SignTime >= 0 {
+		w.Addf(" ", "t=%d;", s.SignTime)
+	}
+	if s.ExpireTime >= 0 {
+		w.Addf(" ", "x=%d;", s.ExpireTime)
+	}
+
+	if len(s.SignedHeaders) > 0 {
+		for i, v := range s.SignedHeaders {
+			sep := ""
+			if i == 0 {
+				v = "h=" + v
+				sep = " "
+			}
+			if i < len(s.SignedHeaders)-1 {
+				v += ":"
+			} else if i == len(s.SignedHeaders)-1 {
+				v += ";"
+			}
+			w.Addf(sep, v)
+		}
+	}
+	if len(s.CopiedHeaders) > 0 {
+		// todo: wrap long headers? we can at least add FWS before the :
+		for i, v := range s.CopiedHeaders {
+			t := strings.SplitN(v, ":", 2)
+			if len(t) == 2 {
+				v = t[0] + ":" + packQpHdrValue(t[1])
+			} else {
+				return "", fmt.Errorf("invalid header in copied headers (z=): %q", v)
+			}
+			sep := ""
+			if i == 0 {
+				v = "z=" + v
+				sep = " "
+			}
+			if i < len(s.CopiedHeaders)-1 {
+				v += "|"
+			} else if i == len(s.CopiedHeaders)-1 {
+				v += ";"
+			}
+			w.Addf(sep, v)
+		}
+	}
+
+	w.Addf(" ", "bh=%s;", base64.StdEncoding.EncodeToString(s.BodyHash))
+
+	w.Addf(" ", "b=")
+	if len(s.Signature) > 0 {
+		w.AddWrap([]byte(base64.StdEncoding.EncodeToString(s.Signature)))
+	}
+	w.Add("\r\n")
+	return w.String(), nil
+}
+
+// Like quoted printable, but with "|" encoded as well.
+// We also encode ":" because it is used as separator in DKIM headers which can
+// cause trouble for "q", even though it is listed in dkim-safe-char,
+// ../rfc/6376:497.
+func packQpHdrValue(s string) string {
+	// ../rfc/6376:474
+	const hex = "0123456789ABCDEF"
+	var r string
+	for _, b := range []byte(s) {
+		if b > ' ' && b < 0x7f && b != ';' && b != '=' && b != '|' && b != ':' {
+			r += string(b)
+		} else {
+			r += "=" + string(hex[b>>4]) + string(hex[(b>>0)&0xf])
+		}
+	}
+	return r
+}
+
+var (
+	errSigHeader         = errors.New("not DKIM-Signature header")
+	errSigDuplicateTag   = errors.New("duplicate tag")
+	errSigMissingCRLF    = errors.New("missing crlf at end")
+	errSigExpired        = errors.New("signature timestamp (t=) must be before signature expiration (x=)")
+	errSigIdentityDomain = errors.New("identity domain (i=) not under domain (d=)")
+	errSigMissingTag     = errors.New("missing required tag")
+	errSigUnknownVersion = errors.New("unknown version")
+	errSigBodyHash       = errors.New("bad body hash size given algorithm")
+)
+
+// parseSignatures returns the parsed form of a DKIM-Signature header.
+//
+// buf must end in crlf, as it should have occurred in the mail message.
+//
+// The dkim signature with signature left empty ("b=") and without trailing
+// crlf is returned, for use in verification.
+func parseSignature(buf []byte, smtputf8 bool) (sig *Sig, verifySig []byte, err error) {
+	defer func() {
+		if x := recover(); x == nil {
+			return
+		} else if xerr, ok := x.(error); ok {
+			sig = nil
+			verifySig = nil
+			err = xerr
+		} else {
+			panic(x)
+		}
+	}()
+
+	xerrorf := func(format string, args ...any) {
+		panic(fmt.Errorf(format, args...))
+	}
+
+	if !bytes.HasSuffix(buf, []byte("\r\n")) {
+		xerrorf("%w", errSigMissingCRLF)
+	}
+	buf = buf[:len(buf)-2]
+
+	ds := newSigWithDefaults()
+	seen := map[string]struct{}{}
+	p := parser{s: string(buf), smtputf8: smtputf8}
+	name := p.xhdrName()
+	if !strings.EqualFold(name, "DKIM-Signature") {
+		xerrorf("%w", errSigHeader)
+	}
+	p.wsp()
+	p.xtake(":")
+	p.wsp()
+	// ../rfc/6376:655
+	// ../rfc/6376:656 ../rfc/6376-eid5070
+	// ../rfc/6376:658 ../rfc/6376-eid5070
+	for {
+		p.fws()
+		k := p.xtagName()
+		p.fws()
+		p.xtake("=")
+		// Special case for "b", see below.
+		if k != "b" {
+			p.fws()
+		}
+		// Keys are case-sensitive: ../rfc/6376:679
+		if _, ok := seen[k]; ok {
+			// Duplicates not allowed: ../rfc/6376:683
+			xerrorf("%w: %q", errSigDuplicateTag, k)
+			break
+		}
+		seen[k] = struct{}{}
+
+		// ../rfc/6376:1021
+		switch k {
+		case "v":
+			// ../rfc/6376:1025
+			ds.Version = int(p.xnumber(10))
+			if ds.Version != 1 {
+				xerrorf("%w: version %d", errSigUnknownVersion, ds.Version)
+			}
+		case "a":
+			// ../rfc/6376:1038
+			ds.AlgorithmSign, ds.AlgorithmHash = p.xalgorithm()
+		case "b":
+			// ../rfc/6376:1054
+			// To calculate the hash, we have to feed the DKIM-Signature header to the hash
+			// function, but with the value for "b=" (the signature) left out. The parser
+			// tracks all data that is read, except when drop is true.
+			// ../rfc/6376:997
+			// Surrounding whitespace must be cleared as well. ../rfc/6376:1659
+			// Note: The RFC says "surrounding" whitespace, but whitespace is only allowed
+			// before the value as part of the ABNF production for "b". Presumably the
+			// intention is to ignore the trailing "[FWS]" for the tag-spec production,
+			// ../rfc/6376:656
+			// Another indication is the term "value portion", ../rfc/6376:1667. It appears to
+			// mean everything after the "b=" part, instead of the actual value (either encoded
+			// or decoded).
+			p.drop = true
+			p.fws()
+			ds.Signature = p.xbase64()
+			p.fws()
+			p.drop = false
+		case "bh":
+			// ../rfc/6376:1076
+			ds.BodyHash = p.xbase64()
+		case "c":
+			// ../rfc/6376:1088
+			ds.Canonicalization = p.xcanonical()
+			// ../rfc/6376:810
+		case "d":
+			// ../rfc/6376:1105
+			ds.Domain = p.xdomain()
+		case "h":
+			// ../rfc/6376:1134
+			ds.SignedHeaders = p.xsignedHeaderFields()
+		case "i":
+			// ../rfc/6376:1171
+			id := p.xauid()
+			ds.Identity = &id
+		case "l":
+			// ../rfc/6376:1244
+			ds.Length = p.xbodyLength()
+		case "q":
+			// ../rfc/6376:1268
+			ds.QueryMethods = p.xqueryMethods()
+		case "s":
+			// ../rfc/6376:1300
+			ds.Selector = p.xselector()
+		case "t":
+			// ../rfc/6376:1310
+			ds.SignTime = p.xtimestamp()
+		case "x":
+			// ../rfc/6376:1327
+			ds.ExpireTime = p.xtimestamp()
+		case "z":
+			// ../rfc/6376:1361
+			ds.CopiedHeaders = p.xcopiedHeaderFields()
+		default:
+			// We must ignore unknown fields. ../rfc/6376:692 ../rfc/6376:1022
+			p.xchar() // ../rfc/6376-eid5070
+			for !p.empty() && !p.hasPrefix(";") {
+				p.xchar()
+			}
+		}
+		p.fws()
+
+		if p.empty() {
+			break
+		}
+		p.xtake(";")
+		if p.empty() {
+			break
+		}
+	}
+
+	// ../rfc/6376:2532
+	required := []string{"v", "a", "b", "bh", "d", "h", "s"}
+	for _, req := range required {
+		if _, ok := seen[req]; !ok {
+			xerrorf("%w: %q", errSigMissingTag, req)
+		}
+	}
+
+	if strings.EqualFold(ds.AlgorithmHash, "sha1") && len(ds.BodyHash) != 20 {
+		xerrorf("%w: got %d bytes, must be 20 for sha1", errSigBodyHash, len(ds.BodyHash))
+	} else if strings.EqualFold(ds.AlgorithmHash, "sha256") && len(ds.BodyHash) != 32 {
+		xerrorf("%w: got %d bytes, must be 32 for sha256", errSigBodyHash, len(ds.BodyHash))
+	}
+
+	// ../rfc/6376:1337
+	if ds.SignTime >= 0 && ds.ExpireTime >= 0 && ds.SignTime >= ds.ExpireTime {
+		xerrorf("%w", errSigExpired)
+	}
+
+	// Default identity is "@" plus domain. We don't set this value because we want to
+	// keep the distinction between absent value.
+	// ../rfc/6376:1172 ../rfc/6376:2537 ../rfc/6376:2541
+	if ds.Identity != nil && ds.Identity.Domain.ASCII != ds.Domain.ASCII && !strings.HasSuffix(ds.Identity.Domain.ASCII, "."+ds.Domain.ASCII) {
+		xerrorf("%w: identity domain %q not under domain %q", errSigIdentityDomain, ds.Identity.Domain.ASCII, ds.Domain.ASCII)
+	}
+
+	return ds, []byte(p.tracked), nil
+}