dkim signature fails to verify

Asked by Stephen Nightingale on 2012-06-19

We are implementing a High Assurance Domain project at NIST, which entails deploying SPF, DKIM and DMARC. I tried Greg Hewgill's original dkim.py, it failed to verify and I noticed that the dkimpy update has been created. I'm using that.

I'm extending PpyMilter and connecting it to Sendmail, to do the signing and the verification.
Applying the dkimpy sign at the Sender end and the dkimpy verify at the Receiver end, I get 'DKIM Signature fails to verify'.
The Sender and Receiver body hashes are the same, so I figure it's in the header hashing.
So I tried tossing out one header at a time from 'include_headers'. When I get down to 'From' and 'Date', it still generates different signatures and fails to verify.
If I throw out all but 'From', Python raises an exception saying 'FROM has to be signed'.
It's only a short From line, so I can't see that folding makes a difference.

Are there any other known bugs or asymmetries in dkim signing and/or verifying?

Cheers,

Stephen Nightingale, NIST.

Question information

Language: English
Status: Answered
For: dkimpy
Assignee: No assignee
Last query: 2012-06-19
Last reply: 2012-06-19
Martin Pool (mbp) said: #1

If you're using the current tip, I don't believe there are any bugs
like that open. There have been similar bugs in the past, and it's
possible there are still some left.

Can you provide a small python program that demonstrates the problem?

If the body hashes in the DKIM-Signature header field are the same, then it is not a header hashing issue. The bh= includes both header and body hash. You didn't provide any details, e.g. the DKIM-Signature header field in question, or the exception. Note that calling the class method lets you get an informative exception, and not just a boolean result.

I suspect that there is something wrong with the DNS record you published.

There are many tests of sign/verify symmetry in the unit tests. If it turns out you have an actual failure, we'll add it to the suite.

You can see a simple sign and verify DKIM milter using pymilter here:
http://pymilter.cvs.sourceforge.net/viewvc/pymilter/milter/dkim-milter.py?revision=1.6&view=markup

The API is probably somewhat different from ppymilter, you can view here:
http://spidey2.bmsi.com/pymilter/
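The question reports identical body hashes at both ends but a failing verification, and the reply asks for a small program that reproduces it. The following is an added example, not code from the original post and not dkimpy's own code: a stdlib-only sketch of the RFC 6376 data flow that keeps the two halves of a DKIM signature visibly separate. Per RFC 6376, the bh= tag is the SHA-256 of the canonicalized body alone, while b= is computed over the header fields named in h= (selected bottom-up from the message) followed by the DKIM-Signature field itself with its b= value emptied; so a matching bh= with a failing b= points at header selection or header canonicalization, never at the body. HMAC-SHA256 under a constructed shared key (`TOY_KEY`) stands in for RSA-SHA256 and the DNS key lookup so the code runs offline; the message, domain, selector, header list and function names are all constructed for this example. It reproduces the symptom from the question: under simple header canonicalization a refolded From field leaves bh= intact and breaks b=, whereas relaxed canonicalization absorbs the refold.

```python
import base64
import hashlib
import hmac
import re

TOY_KEY = b"constructed-shared-secret"  # stand-in for the RSA key pair and the DNS TXT record

def parse_message(raw):
    """Split a CRLF message into raw header fields (folds kept attached) and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\r\n" + line  # folded continuation line
        else:
            fields.append(line)
    return fields, body

def canon_header(field, mode):
    """RFC 6376 3.4.1 simple / 3.4.2 relaxed header canonicalization, without trailing CRLF."""
    if mode == b"simple":
        return field
    name, _, value = field.partition(b":")
    value = re.sub(rb"[ \t]+", b" ", value.replace(b"\r\n", b""))  # unfold, squeeze WSP
    return name.strip().lower() + b":" + value.strip()

def canon_body(body, mode):
    """RFC 6376 3.4.3 simple / 3.4.4 relaxed body canonicalization."""
    if mode == b"relaxed":
        body = re.sub(rb"[ \t]+(?=\r\n|\Z)", b"", body)  # drop trailing WSP on each line
        body = re.sub(rb"[ \t]+", b" ", body)  # squeeze inner WSP runs
    body = re.sub(rb"(\r\n)*\Z", b"", body)  # drop trailing empty lines
    return body + b"\r\n" if body or mode == b"simple" else b""

def select_headers(fields, names):
    """RFC 6376 5.4.2: for each h= name take the last not-yet-used instance, scanning bottom-up."""
    used, chosen = set(), []
    for name in names:
        for i in range(len(fields) - 1, -1, -1):
            if i not in used and fields[i].split(b":", 1)[0].strip().lower() == name.lower():
                used.add(i)
                chosen.append(fields[i])
                break
    return chosen

def signed_data(fields, names, sig_field, mode):
    """Selected headers (each + CRLF), then the DKIM-Signature field with b= emptied and no CRLF."""
    data = b"".join(canon_header(f, mode) + b"\r\n" for f in select_headers(fields, names))
    return data + re.sub(rb"(?<=[; \t])b=[^;]*", b"b=", canon_header(sig_field, mode))

def sign(raw, domain, selector, include_headers, canon=(b"relaxed", b"simple")):
    """Prepend a DKIM-Signature field; like dkimpy, refuse to sign when From is not in h=."""
    if b"from" not in [n.lower() for n in include_headers]:
        raise ValueError("From field must be signed")
    fields, body = parse_message(raw)
    bh = base64.b64encode(hashlib.sha256(canon_body(body, canon[1])).digest())  # body only
    sig = (b"DKIM-Signature: v=1; a=hmac-sha256; c=" + b"/".join(canon) + b"; d=" + domain
           + b"; s=" + selector + b"; h=" + b":".join(include_headers) + b"; bh=" + bh + b"; b=")
    mac = hmac.new(TOY_KEY, signed_data(fields, include_headers, sig, canon[0]), hashlib.sha256)
    return sig + base64.b64encode(mac.digest()) + b"\r\n" + raw

def verify(raw):
    """Return (ok, reason); the reason separates a body-hash failure from a header-signature one."""
    fields, body = parse_message(raw)
    sigs = [f for f in fields if f.lower().startswith(b"dkim-signature:")]
    if not sigs:
        return False, "no DKIM-Signature field"
    tags = {}
    for item in sigs[0].split(b":", 1)[1].split(b";"):
        k, _, v = item.partition(b"=")
        k = k.strip()
        tags[k] = re.sub(rb"\s", b"", v) if k in (b"b", b"bh") else v.strip()  # FWS allowed in b=/bh=
    names = [n.strip() for n in tags.get(b"h", b"").split(b":") if n.strip()]
    if b"from" not in [n.lower() for n in names]:
        return False, "From field must be signed"
    hc, _, bc = tags.get(b"c", b"simple/simple").partition(b"/")
    if base64.b64encode(hashlib.sha256(canon_body(body, bc or b"simple")).digest()) != tags.get(b"bh"):
        return False, "body hash mismatch"
    others = [f for f in fields if f is not sigs[0]]
    mac = hmac.new(TOY_KEY, signed_data(others, names, sigs[0], hc), hashlib.sha256)
    if not hmac.compare_digest(base64.b64encode(mac.digest()), tags.get(b"b", b"")):
        return False, "header signature mismatch (bh= matched: check header canonicalization/selection)"
    return True, "ok"

# Constructed sample message with CRLF line endings (not from the original post).
MESSAGE = (b"From: Alice <alice@example.com>\r\nTo: Bob <bob@example.org>\r\n"
           b"Date: Tue, 19 Jun 2012 10:00:00 -0400\r\nSubject: HAD test\r\n\r\n"
           b"Body line one\r\nBody line two\r\n\r\n")
FROM_LINE = b"From: Alice <alice@example.com>\r\n"
REFOLDED_FROM = b"From:  Alice\r\n\t<alice@example.com>\r\n"  # what a downstream MTA might emit

def demo():
    """The cases behind the question; returns {case: (ok, reason)}."""
    relaxed = sign(MESSAGE, b"example.com", b"sel1", [b"From", b"Date"])
    strict = sign(MESSAGE, b"example.com", b"sel1", [b"From", b"Date"], (b"simple", b"simple"))
    results = {
        "unchanged": verify(relaxed),
        "refolded_relaxed": verify(relaxed.replace(FROM_LINE, REFOLDED_FROM)),  # relaxed absorbs the refold
        "refolded_simple": verify(strict.replace(FROM_LINE, REFOLDED_FROM)),  # bh= still ok, b= fails
        "subject_changed": verify(relaxed.replace(b"Subject: HAD test", b"Subject: edited")),  # not in h=
        "body_changed": verify(relaxed.replace(b"line two", b"line 2")),
    }
    try:
        sign(MESSAGE, b"example.com", b"sel1", [b"Date"])
        results["no_from"] = (True, "signed without From")
    except ValueError as exc:
        results["no_from"] = (False, str(exc))
    return results
```

Two design points carry over to real deployments. The verifier selects headers by the signature's own h= tag, so the sending side's `include_headers` list only matters through what lands in h=; removing headers from that list changes b= but can never change bh=, which is why dropping headers one at a time, as the question describes, cannot move a body-hash mismatch. And `verify` here returns a reason string rather than a bare boolean for the same reason the reply recommends calling the dkimpy class method: a boolean cannot tell a body-hash failure, a missing From in h=, and a header-signature failure apart, and those three point at different parts of the pipeline.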
