How to calculate 'b' parameter in DKIM SIGNATURE

Problem description

I'm trying to sign a message sent with SMTP commands (using telnet) with the DKIM protocol. I applied all the steps from the official DKIM website; it remains how I can calculate the 'b' parameter. Should I validate it with the private key, or use another method? Thank you

Solution

It's all explained in this document: https://www.ietf.org/rfc/rfc6376.txt

First, you must canonicalize the header fields that you wish to sign including the DKIM-Signature header that you are about to generate and then you sign it using the signature algorithm you've chosen.

The "simple" Header Canonicalization Algorithm

The "simple" header canonicalization algorithm does not change header fields in any way. Header fields MUST be presented to the signing or verification algorithm exactly as they are in the message being signed or verified. In particular, header field names MUST NOT be case folded and whitespace MUST NOT be changed.

The "relaxed" Header Canonicalization Algorithm

The "relaxed" header canonicalization algorithm MUST apply the following steps in order:

  • Convert all header field names (not the header field values) to lowercase. For example, convert "SUBJect: AbC" to "subject: AbC".

  • Unfold all header field continuation lines as described in RFC5322; in particular, lines with terminators embedded in continued header field values (that is, CRLF sequences followed by WSP) MUST be interpreted without the CRLF. Implementations MUST NOT remove the CRLF at the end of the header field value.

  • Convert all sequences of one or more WSP characters to a single SP character. WSP characters here include those before and after a line folding boundary.

  • Delete all WSP characters at the end of each unfolded header field value.

  • Delete any WSP characters remaining before and after the colon separating the header field name from the header field value. The colon separator MUST be retained.

Canonicalizing the DKIM-Signature header

Once you've canonicalized all of the other headers that you wish to sign, you then need to apply the same canonicalization to the DKIM-Signature that you are in the process of generating.

Obviously, at this point you will not have the b= value yet because the result of signing the canonicalized headers is the value for the b= tag.

What you need to do is to construct the header but leave the b= tag empty.

For example:

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
  c=simple; q=dns/txt; i=@eng.example.net;
  t=1117574938; x=1118006938;
  h=from:to:subject:date;
  bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
  b=

Signing the canonicalized headers

Once you've canonicalized all of the headers you want to sign (plus the portion of the DKIM-Signature header that you are generating), you need to sign the result using the algorithm and the private key (not public key!!) and then base64 encode the result and append it to the DKIM-Signature header you've generated.

In the above example, you would use the RSA-SHA256 algorithm.

Update:

If the original message headers that you want to sign look like this:

Subject: ddddd
From: btt@domain.com
To: email@gmail.com

And if the DKIM-Signature header that PowerMTA generates looks like this:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com; h=Subject:From:To; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=j/jYKloUFEbmzj5JdwmR7MCBB+UtuJq5V0wImYElaY/xob8CnRY39Z0TfPonp4y2qtIE/wpqwnT0
 YrHcNM8BY3uQ3ovm3pq7lTmwvM6XqA4rgnlhcyZnQO9uoUSGebsbR8KBhwZSpolF7UEcr8TSQdfO
 OG+fDZIHeq6G7DAg5cQ=

Then the text you should be signing would look like this (assuming you want your b= value to match the b= value that PowerMTA generates):

subject:ddddd
from:btt@domain.com
to:email@gmail.com
dkim-signature:v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com; h=Subject:From:To; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=
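
The steps in the answer above, worked end to end as an added example (not part of the original answer and not PowerMTA's code): relaxed header canonicalization, emptying the b= tag, then RSA PKCS#1 v1.5 signing and base64 encoding to obtain b=. The function names, the placeholder b= value and the toy key are assumptions made for illustration; the RSA step is written with plain integers so the example has no dependencies, where a real signer would load the domain's private key through a crypto library.

```python
import base64, hashlib, re

def relaxed_header(name, value):
    """RFC 6376 'relaxed' canonicalization of a single header field."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # WSP runs -> one SP, trim ends
    return name.strip().lower() + ":" + value + "\r\n"

def signing_input(signed_headers, dkim_sig_value):
    """Bytes that get signed: the h= headers in order, then DKIM-Signature with b= emptied."""
    empty_b = re.sub(r"(^|;)(\s*b\s*=)[^;]*", r"\1\2", dkim_sig_value)
    lines = [relaxed_header(n, v) for n, v in signed_headers]
    lines.append(relaxed_header("DKIM-Signature", empty_b)[:-2])  # last line: no CRLF
    return "".join(lines).encode("ascii")

# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2)
DIGEST_INFO = {"sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
               "sha256": bytes.fromhex("3031300d060960864801650304020105000420")}

def emsa_encode(data, hash_name, k):
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def compute_b(data, n, d, hash_name):
    """Sign with the PRIVATE exponent d, then base64: this string is the b= value."""
    k = (n.bit_length() + 7) // 8
    return base64.b64encode(pow(emsa_encode(data, hash_name, k), d, n).to_bytes(k, "big")).decode()

def verify_b(data, b_value, n, e, hash_name):
    """What a receiver does with the public key (n, e) published in DNS."""
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(base64.b64decode(b_value), "big")
    return pow(sig, e, n) == emsa_encode(data, hash_name, k)

# Constructed sample input: headers from the update above; b= is a placeholder.
HEADERS = [("Subject", " ddddd"), ("From", " btt@domain.com"), ("To", " email@gmail.com")]
SIG = (" v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com;\r\n"
       " h=Subject:From:To; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=;\r\n"
       " b=PLACEHOLDER/old\r\n value=")
# Toy key from two Mersenne primes, constructed for this demo only (not secure).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

if __name__ == "__main__":
    data = signing_input(HEADERS, SIG)
    b = compute_b(data, N, D, "sha1")
    print(data.decode(), "\nb=" + b, "\nverifies:", verify_b(data, b, N, E, "sha1"))
```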
