File Coverage

blib/lib/Mail/DKIM/ARC/Signer.pm

Criterion	Covered	Total	%
statement	166	268	61.9
branch	65	118	55.0
condition	9	33	27.2
subroutine	16	25	64.0
pod	11	16	68.7
total	267	460	58.0

line	stmt	bran	cond	sub	pod	time	code
1							package Mail::DKIM::ARC::Signer;
2	3			3		62880	use strict;
	3					15
	3					85
3	3			3		17	use warnings;
	3					6
	3					119
4							our $VERSION = '1.20230212'; # VERSION
5							# ABSTRACT: generates a DKIM signature for a message
6
7							# Copyright 2017 FastMail Pty Ltd. All Rights Reserved.
8							# Bron Gondwana
9
10							# This program is free software; you can redistribute it and/or
11							# modify it under the same terms as Perl itself.
12
13	3			3		1256	use Mail::DKIM::PrivateKey;
	3					11
	3					88
14	3			3		1336	use Mail::DKIM::ARC::MessageSignature;
	3					21
	3					203
15	3			3		1390	use Mail::DKIM::ARC::Seal;
	3					9
	3					86
16	3			3		1492	use Mail::AuthenticationResults::Parser;
	3					105207
	3					107
17	3			3		27	use Mail::AuthenticationResults::Header::AuthServID;
	3					9
	3					63
18
19
20	3			3		17	use base 'Mail::DKIM::Common';
	3					9
	3					1404
21	3			3		22	use Carp;
	3					8
	3					8450
22
23							# PROPERTIES
24							#
25							# public:
26							#
27							# $signer->{Algorithm}
28							# identifies what algorithm to use when signing the message
29							# default is "rsa-sha256"
30							#
31							# $signer->{Domain}
32							# identifies what domain the message is signed for
33							#
34							# $signer->{SrvId}
35							# identifies what authserv-id is in the A-R headers
36							#
37							# $signer->{KeyFile}
38							# name of the file containing the private key used to sign
39							#
40							# $signer->{Policy}
41							# a signing policy (of type Mail::DKIM::SigningPolicy)
42							#
43							# $signer->{Selector}
44							# identifies name of the selector identifying the key
45							#
46							# $signer->{Key}
47							# the loaded private key
48							#
49							# private:
50							#
51							# $signer->{algorithms} = []
52							# an array of algorithm objects... an algorithm object is created for
53							# each signature being added to the message
54							#
55							# $signer->{result}
56							# result of the signing policy: "signed" or "skipped"
57							#
58							# $signer->{details}
59							# why we skipped this signature
60							#
61							# $signer->{signature}
62							# the created signature (of type Mail::DKIM::Signature)
63
64							sub init {
65	22			22	0	28	my $self = shift;
66	22					74	$self->SUPER::init;
67
68	22	100				60	if ( defined $self->{KeyFile} ) {
69							$self->{Key} \|\|=
70	5		33			45	Mail::DKIM::PrivateKey->load( File => $self->{KeyFile} );
71							}
72
73	22	50				66	unless ( $self->{'Algorithm'} ) {
74
75							# use default algorithm
76	0					0	$self->{'Algorithm'} = 'rsa-sha256';
77							}
78	22	100				51	unless ( $self->{'Domain'} ) {
79
80							# use default domain
81	17					33	$self->{'Domain'} = 'example.org';
82							}
83	22	100				49	unless ( $self->{'SrvId'} ) {
84
85							# use default domain
86	5					11	$self->{'SrvId'} = $self->{'Domain'};
87							}
88	22	50				45	unless ( $self->{'Selector'} ) {
89
90							# use default selector
91	0					0	$self->{'Selector'} = 'unknown';
92							}
93	22					40	$self->{result} = '?'; # better update this before we finish
94							die 'Invalid signing algorithm'
95	22	50				56	unless $self->{Algorithm} eq 'rsa-sha256'; # add ed25519 sometime
96							die 'Need a valid chain value'
97	22	50	33			167	unless $self->{Chain} and $self->{Chain} =~ m{^(pass\|fail\|none\|ar)$};
98							}
99
100							sub finish_header {
101	22			22	0	34	my $self = shift;
102
103							# add the AAR header
104	22					70	my @aar;
105							my @ams;
106	22					0	my @as;
107
108	22					0	my $ar;
109							HEADER:
110	22					36	foreach my $header ( @{ $self->{headers} } ) {
	22					52
111	197					734	$header =~ s/[\r\n]+$//;
112	197	100				450	if ( $header =~ m/^Authentication-Results:/ ) {
113	29					127	my ( $arval ) = $header =~ m/^Authentication-Results:[^;];[\t ](.*)/is;
114	29					46	my $parsed;
115							eval {
116	29					109	$parsed= Mail::AuthenticationResults::Parser->new
117							->parse( $header );
118	28					80530	1
119	29	100				51	} \|\| do {
120	1					1451	my $error = $@;
121	1					54	warn "Authentication-Results Header parse error: $error\n$header";
122	1					11	next HEADER;
123							};
124	28					91	my $ardom = $parsed->value->value;
125
126							next
127	28	100				576	unless "\L$ardom" eq $self->{SrvId}; # make sure it's our domain
128
129	25					450	$arval =~ s/;?\s*$//; # ignore trailing semicolon and whitespace
130							# preserve leading fold if there is one, otherwise set one leading space
131	25	100				128	$arval =~ s/^\s*/ / unless ($arval =~ m/^\015\012/);
132	25	100				66	if ($ar) {
133	5					11	$ar .= ";$arval";
134							}
135							else {
136	20					70	$ar = "$ardom;$arval";
137							}
138
139							# get chain value from A-R header
140							$self->{Chain} = $1
141	25	100	100			396	if $self->{Chain} eq 'ar' and $arval =~ m{\barc=(none\|pass\|fail)};
142
143							}
144							else {
145							# parse ARC headers to make sure we have completeness
146
147	168	100				337	if ( $header =~ m/^ARC-/ ) {
148	19	50				48	if ( !$ar ) {
149	0					0	$self->{result} = 'skipped';
150							$self->{details} =
151	0					0	'ARC header seen before Authentication-Results';
152	0					0	return;
153							}
154	19	100				50	if ( $self->{Chain} eq 'ar' ) {
155	1					3	$self->{result} = 'skipped';
156							$self->{details} =
157	1					3	'No ARC result found in Authentication-Results';
158	1					4	return;
159							}
160
161							}
162
163	167	100				467	if ( $header =~ m/^ARC-Seal:/ ) {
		100
		100
164	6					19	my $seal = Mail::DKIM::ARC::Seal->parse($header);
165	6					20	my $i = $seal->instance;
166	6	50				17	if ( $as[$i] ) {
167	0					0	$self->{result} = 'skipped';
168	0					0	$self->{details} = "Duplicate ARC-Seal $i";
169	0					0	return;
170							}
171	6					13	$as[$i] = $seal;
172							}
173							elsif ( $header =~ m/^ARC-Message-Signature:/ ) {
174	6					19	my $sig = Mail::DKIM::ARC::MessageSignature->parse($header);
175	6					25	my $i = $sig->instance;
176	6	50				116	if ( $ams[$i] ) {
177	0					0	$self->{result} = 'skipped';
178							$self->{details} =
179	0					0	"Duplicate ARC-Message-Signature $i";
180	0					0	return;
181							}
182	6					15	$ams[$i] = $sig;
183							}
184							elsif ( $header =~ m/^ARC-Authentication-Results:\s*i=(\d+)/ ) {
185	6					18	my $i = $1;
186	6	50				16	if ( $aar[$i] ) {
187	0					0	$self->{result} = 'skipped';
188							$self->{details} =
189	0					0	"Duplicate ARC-Authentication-Results $i";
190	0					0	return;
191							}
192
193	6					13	$aar[$i] = $header;
194							}
195							}
196							}
197
198	21	100				47	unless ($ar) {
199	2					4	$self->{result} = 'skipped';
200	2					15	$self->{details} = 'No authentication results seen';
201	2					7	return;
202							}
203
204	19	100				57	$self->{Chain} = 'none' if ($self->{Chain} eq 'ar');
205
206	19	50				49	if ( $#ams > $#as ) {
207	0					0	$self->{result} = 'skipped';
208	0					0	$self->{details} = 'More message signatures than seals';
209	0					0	return;
210							}
211	19	50				48	if ( $#aar > $#as ) {
212	0					0	$self->{result} = 'skipped';
213	0					0	$self->{details} = 'More authentication results than seals';
214	0					0	return;
215							}
216
217	19					57	foreach my $i ( 1 .. $#as ) {
218	6	50				78	unless ( $as[$i] ) {
219	0					0	$self->{result} = 'skipped';
220	0					0	$self->{details} = "Missing ARC-Seal $i";
221	0					0	return;
222							}
223	6	50				18	unless ( $ams[$i] ) {
224	0					0	$self->{result} = 'skipped';
225	0					0	$self->{details} = "Missing Arc-Message-Signature $i";
226	0					0	return;
227							}
228
229							# don't care about authentication results, they are compulsary
230							}
231
232	19		100			76	$self->{_Instance} = @as \|\| 1; # next instance value
233
234							# first add the AAR header
235	19					77	$self->{_AAR} = "ARC-Authentication-Results: i=$self->{_Instance}; $ar";
236	19					32	unshift @{ $self->{headers} }, $self->{_AAR};
	19					75
237
238							# set up the signer for AMS
239							$self->add_signature(
240							Mail::DKIM::ARC::MessageSignature->new(
241							Algorithm => $self->{Algorithm},
242							Headers => $self->headers,
243							Instance => $self->{_Instance},
244							Method => 'relaxed/relaxed',
245							Domain => $self->{Domain},
246							Selector => $self->{Selector},
247							Key => $self->{Key},
248							KeyFile => $self->{KeyFile},
249							( $self->{Timestamp} ? ( Timestamp => $self->{Timestamp} ) : () ),
250	19	100				79	( $self->{Expiration} ? ( Expiration => $self->{Expiration} ) : () ),
		50
251							)
252							);
253
254	19					41	foreach my $algorithm ( @{ $self->{algorithms} } ) {
	19					55
255
256							# output header as received so far into canonicalization
257	19					24	foreach my $header ( @{ $self->{headers} } ) {
	19					38
258	205					353	$algorithm->add_header($header);
259							}
260	19					68	$algorithm->finish_header( Headers => $self->{headers} );
261							}
262							}
263
264							sub finish_body {
265	22			22	0	39	my $self = shift;
266
267	22	100				55	if ( $self->{result} eq 'skipped' ) { # already failed
268	3					10	$self->{_AS} = undef;
269	3					7	return;
270							}
271
272	19					29	foreach my $algorithm ( @{ $self->{algorithms} } ) {
	19					43
273
274							# finished canonicalizing
275	19					61	$algorithm->finish_body;
276
277							# load the private key file if necessary
278	19					56	my $signature = $algorithm->signature;
279							my $key =
280							$signature->{Key}
281							\|\| $signature->{KeyFile}
282							\|\| $self->{Key}
283	19		0			53	\|\| $self->{KeyFile};
284	19	50	33			85	if ( defined($key) && !ref($key) ) {
285	0					0	$key = Mail::DKIM::PrivateKey->load( File => $key );
286							}
287							$key
288	19	50				41	or die "no key available to sign with\n";
289
290							# compute signature value
291	19					55	my $signb64 = $algorithm->sign($key);
292	19					88	$signature->data($signb64);
293
294							# insert linebreaks in signature data, if desired
295	19					58	$signature->prettify_safe();
296
297	19					63	$self->{_AMS} = $signature->as_string();
298	19					37	unshift @{ $self->{headers} }, $self->{_AMS};
	19					73
299							}
300
301							# reset the internal state
302	19					52	$self->{signatures} = [];
303	19					278	$self->{algorithms} = [];
304
305							$self->add_signature(
306							Mail::DKIM::ARC::Seal->new(
307							Algorithm => $self->{Algorithm},
308							Chain => $self->{Chain},
309							Headers => $self->headers,
310							Instance => $self->{_Instance},
311							Domain => $self->{Domain},
312							Selector => $self->{Selector},
313							Key => $self->{Key},
314							KeyFile => $self->{KeyFile},
315							( $self->{Timestamp} ? ( Timestamp => $self->{Timestamp} ) : () ),
316	19	100				69	( $self->{Expiration} ? ( Expiration => $self->{Expiration} ) : () ),
		50
317							)
318							);
319
320	19					37	foreach my $algorithm ( @{ $self->{algorithms} } ) {
	19					46
321
322							# output header as received so far into canonicalization
323	19					28	foreach my $header ( @{ $self->{headers} } ) {
	19					45
324	224					409	$algorithm->add_header($header);
325							}
326
327							# chain needed for seal canonicalization
328							$algorithm->finish_header(
329							Headers => $self->{headers},
330							Chain => $self->{Chain}
331	19					69	);
332
333							# no body is required for ARC-Seal
334							# finished canonicalizing
335	19					70	$algorithm->finish_body;
336
337							# load the private key file if necessary
338	19					47	my $signature = $algorithm->signature;
339							my $key =
340							$signature->{Key}
341							\|\| $signature->{KeyFile}
342							\|\| $self->{Key}
343	19		0			52	\|\| $self->{KeyFile};
344	19	50	33			90	if ( defined($key) && !ref($key) ) {
345	0					0	$key = Mail::DKIM::PrivateKey->load( File => $key );
346							}
347							$key
348	19	50				40	or die "no key available to sign ARC-Seal\n";
349
350							# compute signature value
351	19					51	my $signb64 = $algorithm->sign($key);
352	19					74	$signature->data($signb64);
353
354							# insert linebreaks in signature data, if desired
355	19					56	$signature->prettify_safe();
356
357	19					64	$self->{_AS} = $signature->as_string();
358							}
359
360	19					60	$self->{result} = 'sealed';
361							}
362
363
364							sub add_signature {
365	38			38	1	50	my $self = shift;
366	38					52	my $signature = shift;
367
368							# create a canonicalization filter and algorithm
369	38	50	0			88	my $algorithm_class =
370							$signature->get_algorithm_class( $signature->algorithm )
371							or die 'unsupported algorithm ' . ( $signature->algorithm \|\| '' ) . "\n";
372							my $algorithm = $algorithm_class->new(
373							Signature => $signature,
374							Debug_Canonicalization => $self->{Debug_Canonicalization},
375	38					214	);
376	38					90	push @{ $self->{algorithms} }, $algorithm;
	38					150
377	38					76	return;
378							}
379
380
381							sub algorithm {
382	0			0	1	0	my $self = shift;
383	0	0				0	if ( @_ == 1 ) {
384	0					0	$self->{Algorithm} = shift;
385							}
386	0					0	return $self->{Algorithm};
387							}
388
389
390							sub domain {
391	0			0	1	0	my $self = shift;
392	0	0				0	if ( @_ == 1 ) {
393	0					0	$self->{Domain} = shift;
394							}
395	0					0	return $self->{Domain};
396							}
397
398
399
400							# these are headers that "should" be included in the signature,
401							# according to the DKIM spec.
402							my @DEFAULT_HEADERS = qw(From Sender Reply-To Subject Date
403							Message-ID To Cc MIME-Version
404							Content-Type Content-Transfer-Encoding Content-ID Content-Description
405							Resent-Date Resent-From Resent-Sender Resent-To Resent-cc
406							Resent-Message-ID
407							In-Reply-To References
408							List-Id List-Help List-Unsubscribe List-Subscribe
409							List-Post List-Owner List-Archive);
410
411							sub process_headers_hash {
412	0			0	0	0	my $self = shift;
413	0					0	my @headers;
414
415							# these are the header fields we found in the message we're signing
416	0					0	my @found_headers = @{ $self->{header_field_names} };
	0					0
417
418							# Convert all keys to lower case
419	0					0	foreach my $header ( keys %{ $self->{'ExtendedHeaders'} } ) {
	0					0
420	0	0				0	next if $header eq lc $header;
421	0	0				0	if ( exists $self->{'ExtendedHeaders'}->{ lc $header } ) {
422
423							# Merge
424	0					0	my $first = $self->{'ExtendedHeaders'}->{ lc $header };
425	0					0	my $second = $self->{'ExtendedHeaders'}->{$header};
426	0	0	0			0	if ( $first eq '+' \|\| $second eq '+' ) {
		0	0
427	0					0	$self->{'ExtendedHeaders'}->{ lc $header } = '+';
428							}
429							elsif ( $first eq '' \|\| $second eq '' ) {
430	0					0	$self->{'ExtendedHeaders'}->{ lc $header } = '*';
431							}
432							else {
433	0					0	$self->{'ExtendedHeaders'}->{ lc $header } = $first + $second;
434							}
435							}
436							else {
437							# Rename
438							$self->{'ExtendedHeaders'}->{ lc $header } =
439	0					0	$self->{'ExtendedHeaders'}->{$header};
440							}
441	0					0	delete $self->{'ExtendedHeaders'}->{$header};
442							}
443
444							# Add the default headers
445	0	0				0	if ( !$self->{'NoDefaultHeaders'} ) {
446	0					0	foreach my $default (@DEFAULT_HEADERS) {
447	0	0				0	if ( !exists $self->{'ExtendedHeaders'}->{ lc $default } ) {
448	0					0	$self->{'ExtendedHeaders'}->{ lc $default } = '*';
449							}
450							}
451							}
452
453							# Build a count of found headers
454	0					0	my $header_counts = {};
455	0					0	foreach my $header (@found_headers) {
456	0	0				0	if ( !exists $header_counts->{ lc $header } ) {
457	0					0	$header_counts->{ lc $header } = 1;
458							}
459							else {
460	0					0	$header_counts->{ lc $header } = $header_counts->{ lc $header } + 1;
461							}
462							}
463
464	0					0	foreach my $header ( sort keys %{ $self->{'ExtendedHeaders'} } ) {
	0					0
465	0					0	my $want_count = $self->{'ExtendedHeaders'}->{$header};
466	0		0			0	my $have_count = $header_counts->{ lc $header } \|\| 0;
467	0					0	my $add_count = 0;
468	0	0				0	if ( $want_count eq '+' ) {
		0
469	0					0	$add_count = $have_count + 1;
470							}
471							elsif ( $want_count eq '*' ) {
472	0					0	$add_count = $have_count;
473							}
474							else {
475	0	0				0	if ( $want_count > $have_count ) {
476	0					0	$add_count = $have_count;
477							}
478							else {
479	0					0	$add_count = $want_count;
480							}
481							}
482	0					0	for ( 1 .. $add_count ) {
483	0					0	push @headers, $header;
484							}
485							}
486	0					0	return join( ':', @headers );
487							}
488
489							sub extended_headers {
490	0			0	1	0	my $self = shift;
491	0					0	$self->{'ExtendedHeaders'} = shift;
492	0					0	return;
493							}
494
495							sub headers {
496	38			38	1	68	my $self = shift;
497	38	50				83	croak 'unexpected argument' if @_;
498
499	38	50				83	if ( exists $self->{'ExtendedHeaders'} ) {
500	0					0	return $self->process_headers_hash();
501							}
502
503							# these are the header fields we found in the message we're signing
504	38					55	my @found_headers = @{ $self->{header_field_names} };
	38					163
505
506							# these are the headers we actually want to sign
507	38					59	my @wanted_headers;
508	38	100				84	if ( !$self->{'NoDefaultHeaders'} ) {
509	6					32	@wanted_headers = @DEFAULT_HEADERS;
510							}
511	38	100				79	if ( $self->{Headers} ) {
512	32					148	push @wanted_headers, split /:/, $self->{Headers};
513							}
514
515							my @headers =
516							grep {
517	38					86	my $a = $_;
	372					513
518	372					482	scalar grep { lc($a) eq lc($_) } @wanted_headers
	2412					4209
519							} @found_headers;
520	38					401	return join( ':', @headers );
521							}
522
523							# return nonzero if this is header we should sign
524							sub want_header {
525	0			0	0	0	my $self = shift;
526	0					0	my ($header_name) = @_;
527
528							#TODO- provide a way for user to specify which headers to sign
529	0					0	return scalar grep { lc($_) eq lc($header_name) } @DEFAULT_HEADERS;
	0					0
530							}
531
532
533							sub key {
534	0			0	1	0	my $self = shift;
535	0	0				0	if (@_) {
536	0					0	$self->{Key} = shift;
537	0					0	$self->{KeyFile} = undef;
538							}
539	0					0	return $self->{Key};
540							}
541
542
543							sub key_file {
544	0			0	1	0	my $self = shift;
545	0	0				0	if (@_) {
546	0					0	$self->{Key} = undef;
547	0					0	$self->{KeyFile} = shift;
548							}
549	0					0	return $self->{KeyFile};
550							}
551
552
553
554							sub selector {
555	0			0	1	0	my $self = shift;
556	0	0				0	if ( @_ == 1 ) {
557	0					0	$self->{Selector} = shift;
558							}
559	0					0	return $self->{Selector};
560							}
561
562
563							sub signatures {
564	0			0	1	0	my $self = shift;
565	0	0				0	croak 'no arguments allowed' if @_;
566	0					0	return map { $_->signature } @{ $self->{algorithms} };
	0					0
	0					0
567							}
568
569
570							sub as_string {
571	17			17	1	55	my $self = shift;
572	17	100				39	return '' unless $self->{_AS}; # skipped, no signature
573
574	16					66	return join( "\015\012", $self->{_AS}, $self->{_AMS}, $self->{_AAR}, '' );
575							}
576
577
578							sub as_strings {
579	3			3	1	7	my $self = shift;
580	3					14	return ( $self->{_AS}, $self->{_AMS}, $self->{_AAR} );
581							}
582
583							1;
584
585							__END__