[CalendarServer-changes] [9888] CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/ scheduling/ischedule
source_changes at macosforge.org
source_changes at macosforge.org
Wed Oct 3 02:44:57 PDT 2012
Revision: 9888
http://trac.calendarserver.org//changeset/9888
Author: cdaboo at apple.com
Date: 2012-10-03 02:44:57 -0700 (Wed, 03 Oct 2012)
Log Message:
-----------
Don't sign Cache-Control. Implement _domainkey SRV lookup.
Modified Paths:
--------------
CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/dkim.py
CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/test/data/db.example.com
CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/test/test_dkim.py
Modified: CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/dkim.py
===================================================================
--- CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/dkim.py 2012-10-03 09:41:56 UTC (rev 9887)
+++ CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/dkim.py 2012-10-03 09:44:57 UTC (rev 9888)
@@ -25,7 +25,8 @@
from twistedcaldav.client.geturl import getURL
from twistedcaldav.config import ConfigurationError
from twistedcaldav.simpleresource import SimpleResource, SimpleDataResource
-from twistedcaldav.scheduling.ischedule.utils import lookupDataViaTXT
+from twistedcaldav.scheduling.ischedule.utils import lookupDataViaTXT, \
+ lookupServerViaSRV
from Crypto.Hash import SHA, SHA256
from Crypto.PublicKey import RSA
@@ -395,7 +396,6 @@
# Need Cache-Control
self.headers.setRawHeaders("Cache-Control", ("no-cache", "no-transform",))
- self.sign_headers += ("Cache-Control",)
# Figure out all the existing headers to sign
headers = []
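Review bot: With the `sign_headers` addition removed, the surviving `# Need Cache-Control` comment no longer says why this header is still set but deliberately excluded from the signature, and the log message gives no rationale either. A one-line comment on the `setRawHeaders` line would keep a later maintainer from re-adding it, e.g. `# Set but intentionally not signed: caches/proxies may rewrite Cache-Control in transit` — if that is indeed the reason, which is not visible here. The enclosing method starts and ends outside the hunk.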
@@ -820,25 +820,52 @@
@inlineCallbacks
+ def _getURI(self):
+ """
+ Determine the well-known URI for the public key service.
+ """
+
+ # First we do an SRV lookup for _domainkey to get the public key server host/port
+ result = (yield lookupServerViaSRV(self.dkim_tags["d"], service="_domainkey"))
+ if result is None:
+ log.debug("DKIM: SRV _domainkey failed on: %s trying domain directly" % (self.dkim_tags["d"],))
+ host = self.dkim_tags["d"]
+ port = ""
+ scheme = "https"
+ else:
+ host, port = result
+ scheme = "http" if port in (80, 8008, 8080,) else "https"
+ if port == 80 and scheme == "http" or port == 443 and scheme == "https":
+ port = ""
+ else:
+ port = ":%s" % (port,)
+
+ returnValue("%s://%s%s/.well-known/domainkey/%s/%s" % (scheme, host, port, self.dkim_tags["d"], self.dkim_tags["s"],))
+
+
+ @inlineCallbacks
def _lookupKeys(self):
"""
Do the key lookup using the actual lookup method.
"""
- log.debug("DKIM: HTTP/.well-known lookup: %s" % (self._getSelectorKey(),))
- response = (yield getURL(self._getSelectorKey()))
+ # First we do an SRV lookup for _domainkey to get the public key server URI
+ uri = (yield self._getURI())
+
+ log.debug("DKIM: HTTP/.well-known lookup: %s" % (uri,))
+ response = (yield getURL(uri))
if response is None or response.code / 100 != 2:
- log.debug("DKIM: Failed http/well-known lookup: %s %s" % (self._getSelectorKey(), response,))
+ log.debug("DKIM: Failed http/well-known lookup: %s %s" % (uri, response,))
returnValue(())
ct = response.headers.getRawHeaders("content-type", ("bogus/type",))[0]
ct = ct.split(";", 1)
ct = ct[0].strip()
if ct not in ("text/plain",):
- log.debug("DKIM: Failed http/well-known lookup: wrong content-type returned %s %s" % (self._getSelectorKey(), ct,))
+ log.debug("DKIM: Failed http/well-known lookup: wrong content-type returned %s %s" % (uri, ct,))
returnValue(())
- log.debug("DKIM: HTTP/.well-known lookup results: %s\n%s" % (self._getSelectorKey(), response.data,))
+ log.debug("DKIM: HTTP/.well-known lookup results: %s\n%s" % (uri, response.data,))
returnValue(tuple([DKIMUtils.extractTags(line) for line in response.data.splitlines()]))
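Review bot: `_getURI` interpolates `self.dkim_tags["d"]` and `self.dkim_tags["s"]` straight into the URL path, and those tags come from the DKIM-Signature header of the incoming request, so a value containing `/`, `?` or `..` changes which resource is fetched from the key server instead of producing a failed lookup. Both should be validated against the DKIM grammar (domain and selector are dot-separated labels of `[A-Za-z0-9-]`) before being formatted, with `_lookupKeys` returning `()` when either fails; the same unchecked `d` value is also the SRV query name. The inference `scheme = "http" if port in (80, 8008, 8080,) else "https"` also lets an SRV answer — unauthenticated as far as this hunk shows — decide whether the public key is retrieved over plaintext HTTP, so consider defaulting to https unless configuration explicitly permits otherwise and documenting why those three ports are special. `host, port = result` assumes `lookupServerViaSRV` returns a 2-tuple, which cannot be confirmed from here.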
Modified: CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/test/data/db.example.com
===================================================================
--- CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/test/data/db.example.com 2012-10-03 09:41:56 UTC (rev 9887)
+++ CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/test/data/db.example.com 2012-10-03 09:44:57 UTC (rev 9888)
@@ -11,5 +11,9 @@
_caldavs._tcp.example.com. 10800 IN SRV 0 0 8443 example.com.
_ischedules._tcp.example.com. 10800 IN SRV 0 0 8443 example.com.
+
_ischedule._domainkey.example.com. 10800 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjUfDqd8ICAL0dyq2KdjKN6LS8O/Y4yMxOxgATqtSIMi7baKXEs1w5Wj9efOC2nU+aqyhP2/J6AzfFJfSB+GV5gcIT+LAC4btJKPGjPUyXcQFJV4a73y0jIgCTBzWxdaP6qD9P9rzYlvMPcdrrKiKoAOtI3JZqAAdZudOmGlc4QQIDAQAB"
_revoked._domainkey.example.com. 10800 IN TXT "v=DKIM1; p="
+
+_domainkey._tcp.example.com. 10800 IN SRV 0 0 8443 key.example.com.
+_domainkey._tcp.www.example.com. 10800 IN SRV 0 0 80 key.example.com.
Modified: CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/test/test_dkim.py
===================================================================
--- CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/test/test_dkim.py 2012-10-03 09:41:56 UTC (rev 9887)
+++ CalendarServer/branches/users/cdaboo/ischedule-dkim/twistedcaldav/scheduling/ischedule/test/test_dkim.py 2012-10-03 09:44:57 UTC (rev 9888)
@@ -149,8 +149,7 @@
recipient:mailto:user02 at example.com
content-type:%s
ischedule-version:1.0
-dkim-signature:v=1; d=example.com; s=dkim; t=%s; x=%s; a=%s; q=dns/txt:http/well-known; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient; bh=%s; b=
-""".replace("\n", "\r\n") % (headers.getRawHeaders("Content-Type")[0], str(int(time.time())), str(int(time.time() + 3600)), algorithm, bodyhash)
+dkim-signature:v=1; d=example.com; s=dkim; t=%s; x=%s; a=%s; q=dns/txt:http/well-known; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient; bh=%s; b=""".replace("\n", "\r\n") % (headers.getRawHeaders("Content-Type")[0], str(int(time.time())), str(int(time.time() + 3600)), algorithm, bodyhash)
result = request.generateSignature(sign_this)
@@ -184,10 +183,7 @@
content-type:%s
ischedule-version:1.0
ischedule-message-id:%s
-cache-control:no-cache
-cache-control:no-transform
-dkim-signature:v=1; d=example.com; s=dkim; t=%s; x=%s; a=%s; q=dns/txt:http/well-known:private-exchange; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient:Content-Type:iSchedule-Version:iSchedule-Message-ID:Cache-Control:Cache-Control; bh=%s; b=
-""".replace("\n", "\r\n") % (headers.getRawHeaders("Content-Type")[0], request.message_id, request.time, request.expire, algorithm, bodyhash)
+dkim-signature:v=1; d=example.com; s=dkim; t=%s; x=%s; a=%s; q=private-exchange:http/well-known:dns/txt; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient:Content-Type:iSchedule-Version:iSchedule-Message-ID; bh=%s; b=""".replace("\n", "\r\n") % (headers.getRawHeaders("Content-Type")[0], request.message_id, request.time, request.expire, algorithm, bodyhash)
self.assertEqual(result, sign_this)
@@ -215,17 +211,14 @@
content-type:%s
ischedule-version:1.0
ischedule-message-id:%s
-cache-control:no-cache
-cache-control:no-transform
-dkim-signature:v=1; d=example.com; s=dkim; t=%s; x=%s; a=%s; q=dns/txt:http/well-known:private-exchange; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient:Content-Type:iSchedule-Version:iSchedule-Message-ID:Cache-Control:Cache-Control; bh=%s; b=
-""".replace("\n", "\r\n") % (headers.getRawHeaders("Content-Type")[0], request.message_id, request.time, request.expire, algorithm, bodyhash)
+dkim-signature:v=1; d=example.com; s=dkim; t=%s; x=%s; a=%s; q=private-exchange:http/well-known:dns/txt; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient:Content-Type:iSchedule-Version:iSchedule-Message-ID; bh=%s; b=""".replace("\n", "\r\n") % (headers.getRawHeaders("Content-Type")[0], request.message_id, request.time, request.expire, algorithm, bodyhash)
key = RSA.importKey(open(self.private_keyfile).read())
signature = DKIMUtils.sign(sign_this, key, DKIMUtils.hash_func(algorithm))
self.assertEqual(result, signature)
# Make sure header is updated in the request
- updated_header = "v=1; d=example.com; s=dkim; t=%s; x=%s; a=%s; q=dns/txt:http/well-known:private-exchange; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient:Content-Type:iSchedule-Version:iSchedule-Message-ID:Cache-Control:Cache-Control; bh=%s; b=%s" % (request.time, request.expire, algorithm, bodyhash, signature,)
+ updated_header = "v=1; d=example.com; s=dkim; t=%s; x=%s; a=%s; q=private-exchange:http/well-known:dns/txt; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient:Content-Type:iSchedule-Version:iSchedule-Message-ID; bh=%s; b=%s" % (request.time, request.expire, algorithm, bodyhash, signature,)
self.assertEqual(request.headers.getRawHeaders("DKIM-Signature")[0], updated_header)
# Try to verify result using public key
@@ -303,12 +296,12 @@
(
"DKIM-Signature",
" v=1;\t\t d=example.com; s = dkim; t\t=\t1234; a=rsa-sha1; \t\tq=dns/txt:http/well-known\t\t; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b=def",
- "dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b=\r\n",
+ "dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Originator:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b=",
),
(
"DKIM-Signature",
" v=1;\t\t d=example.com; s = dkim; t\t=\t1234; a=rsa-sha1; \t\tq=dns/txt:http/well-known\t\t; b= def ; http=\tUE9TVDov ; c=relaxed/simple; h=Originator:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc",
- "dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; b= ; http= UE9TVDov ; c=relaxed/simple; h=Originator:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc\r\n",
+ "dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; b= ; http= UE9TVDov ; c=relaxed/simple; h=Originator:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc",
),
)
@@ -341,8 +334,7 @@
originator:mailto:user01 at example.com
recipient:mailto:user02 at example.com , mailto:user03 at example.com
ischedule-version:1.0
-dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Content-Type:Originator:Recipient:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b=
-"""
+dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Content-Type:Originator:Recipient:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b="""
),
# Exact count on Recipient
("""Host:example.com
@@ -357,11 +349,10 @@
""",
"""content-type:text/calendar ; charset = "utf-8"
originator:mailto:user01 at example.com
+recipient:mailto:user04 at example.com
recipient:mailto:user02 at example.com , mailto:user03 at example.com
-recipient:mailto:user04 at example.com
ischedule-version:1.0
-dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Content-Type:Originator:Recipient:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b=
-"""
+dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Content-Type:Originator:Recipient:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b="""
),
# Under count on Recipient
("""Host:example.com
@@ -377,11 +368,10 @@
""",
"""content-type:text/calendar ; charset = "utf-8"
originator:mailto:user01 at example.com
-recipient:mailto:user02 at example.com , mailto:user03 at example.com
+recipient:mailto:user05 at example.com
recipient:mailto:user04 at example.com
ischedule-version:1.0
-dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Content-Type:Originator:Recipient:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b=
-"""
+dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Content-Type:Originator:Recipient:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b="""
),
# Re-ordered Content-Type
("""Host:example.com
@@ -397,8 +387,7 @@
originator:mailto:user01 at example.com
recipient:mailto:user02 at example.com , mailto:user03 at example.com
ischedule-version:1.0
-dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Content-Type:Originator:Recipient:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b=
-"""
+dkim-signature:v=1; d=example.com; s = dkim; t = 1234; a=rsa-sha1; q=dns/txt:http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Content-Type:Originator:Recipient:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b="""
),
)
@@ -599,7 +588,7 @@
""",
[DKIMUtils.extractTags("v=DKIM1; p=%s" % (self.public_key_data,))],
True,
- manipulate_request=lambda request: request.headers.addRawHeader("Recipient", ("mailto:user04 at example.com",))
+ manipulate_request=lambda request: request.headers.getRawHeaders("Recipient").insert(0, "mailto:user04 at example.com"),
)
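Review bot: The new `manipulate_request` lambda mutates the list returned by `request.headers.getRawHeaders("Recipient")` in place, which only alters the request if the Headers implementation hands back its internal list rather than a copy — not visible here. Since the expected outcome two lines above is `True`, a no-op manipulation would still pass and the extra-Recipient case would go unexercised. Rebuilding the list through the API makes the intent explicit and independent of that detail: `request.headers.setRawHeaders("Recipient", ["mailto:user04 at example.com"] + request.headers.getRawHeaders("Recipient"))`. The enclosing test method starts outside the hunk.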
# Valid - over sign header
@@ -808,6 +797,28 @@
@inlineCallbacks
+ def test_HTTP_URI_key(self):
+
+ # Need to setup a fake resolver
+ module = getModule(__name__)
+ dataPath = module.filePath.sibling("data")
+ bindPath = dataPath.child("db.example.com")
+ self.patch(config.Scheduling.iSchedule, "DNSDebug", bindPath.path)
+ utils.DebugResolver = None
+ utils._initResolver()
+
+ for d, s, result in (
+ ("example.com", "_ischedule", "https://key.example.com:8443/.well-known/domainkey/example.com/_ischedule"),
+ ("www.example.com", "_ischedule", "http://key.example.com/.well-known/domainkey/www.example.com/_ischedule"),
+ ("example.org", "_ischedule", "https://example.org/.well-known/domainkey/example.org/_ischedule"),
+ ):
+ dkim = "v=1; d=%s; s = %s; t = 1234; a=rsa-sha1; q=http/well-known ; http=UE9TVDov; c=relaxed/simple; h=Content-Type:Originator:Recipient:Recipient:iSchedule-Version:iSchedule-Message-ID; bh=abc; b=" % (d, s,)
+ tester = PublicKeyLookup_HTTP_WellKnown(DKIMUtils.extractTags(dkim))
+ uri = (yield tester._getURI())
+ self.assertEqual(uri, result)
+
+
+ @inlineCallbacks
def test_private_exchange(self):
keydir = self.mktemp()
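Review bot: `utils.DebugResolver = None` on the line after the `self.patch(...)` call replaces module state directly, so unlike the config patch it is not undone at test teardown and the resolver initialised from the test zone file appears to leak into later tests; `self.patch(utils, "DebugResolver", None)` keeps the cleanup symmetrical with the line above it. The three cases cover the 8443, port-80 and no-SRV paths of `_getURI`, but none exercises the 8008/8080 http ports or the 443 port-suppression branch, so a change to that tuple would pass unnoticed. `test_private_exchange` continues outside the hunk.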