tags:

views:

555

answers:

2

I'll admit I'm not very adept at key verification. What I have is a script that downloads messages from a POP3 server, and I'm attempting to verify the DKIM signatures in PHP. I've already figured out the body hash (bh) validation check, but I can't figure out the header validation.

http://www.dkim.org/specs/rfc4871-dkimbase.html#rfc.section.6.1.3

Below is an example of my message headers. I've been able to use the Mail::DKIM package to validate the signature in Perl, so I know it's good. I just can't seem to figure out the instructions in the RFC and translate them into PHP code.

 DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
  s=angrychimp-1.bh; d=angrychimp.net;
  h=From:X-Outgoing;
  b=RVkenibHQ7GwO5Y3tun2CNn5wSnooBSXPHA1Kmxsw6miJDnVp4XKmA9cUELwftf9
  nGiRCd3rLc6eswAcVyNhQ6mRSsF55OkGJgDNHiwte/pP5Z47Lo/fd6m7rfCnYxq3
 DKIM-Signature: v=1; a=rsa-sha1; d=angrychimp.net; s=angrychimp-1.bh; c=relaxed/simple;
  q=dns/txt; [email protected]; t=1268436255;
  h=From:Subject:X-Outgoing:Date;
  bh=gqhC2GEWbg1t7T3IfGMUKzt1NCc=;
  b=ZmeavryIfp5jNDIwbpifsy1UcavMnMwRL6Fy6axocQFDOBd2KjnjXpCkHxs6yBZn
  Wu+UCFeAP+1xwN80JW+4yOdAiK5+6IS8fiVa7TxdkFDKa0AhmJ1DTHXIlPjGE4n5;
 To: [email protected]
 Message-ID: <EF.CC.24859.F1DCA9B4>
 From: DKIM Tester <[email protected]>
 Reply-To: [email protected]
 Subject: Automated DKIM Testing (angrychimp.net)
 X-Outgoing: dhaka
 Date: Fri, 12 Mar 2010 15:24:15 -0800
 Content-Type: text/plain; charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: inline
 MIME-Version: 1.0
 Return-Path: [email protected]
 X-OriginalArrivalTime: 12 Mar 2010 23:25:50.0326 (UTC) FILETIME=[5A0ED160:01CAC23B]

I can extract the public key from my DNS just fine, and I believe I'm canonicalizing the headers correctly, but I just can't get the signature validated. I don't think I'm preparing my key or computing the signature validation correctly.

Is this something that's possible (do I need pear extensions or something?) or is manually validating a DKIM signature in PHP just not feasible?

A: 

Try interoperate with external tool or another language.

You can consider to adapt external tool to do that or use C library which has better support to work with DKIM. You can also try to integrate through Perl or Python.

Vladimir
I've actually done this for the time being, passing my full message content to a Perl script that verifies the signature using the Mail::DKIM package.I'm still pursuing a native PHP solution, so I'll update this question if/when I'm able to compose a class or extension. Thanks for everyone's help.
angrychimp
+1  A: 

The Mail::DKIM has the following dependencies on other libraries:

  • Crypt::OpenSSL::RSA
  • Digest::SHA
  • Mail::Address (part of the MailTools package)
  • MIME::Base64
  • Net::DNS

All these should be available in PHP also. So manually check the validatity in PHP is controllable. Mail::DKIM is verifiying the signature "manually" with those libs. Maybe you have a peak into source of Mail::DKIM?

Additionaly "OpenDKIM Library (libopendkim)" is available. You can build a PHP-module around this library like other people have integrated OpenSSL, cURL, etc into PHP.

Maybe you can provide the code of your verify-function with some test data, so everyone can have a look at it?

HTH & Best regards

Michael

Michael Konietzka