ietf-mailsig

Re: Better DKIM Verification Example Needed

2005-07-27 15:48:31

> Hector Santos wrote:
>
>> If we can extend the nowsp example, it would help:
>>
>> Given:
>>
>>   DKIM-Signature: a=rsa-sha1; d=example.net; s=brisbane;
>>      c=simple; q=dns; i=@eng.example.net;
>>      h=A:B;
>>      b=dzd.....YzR
>>   A: <SP> X <CRLF>
>>   B: <SP> Y <CRLF>
>>    <SP> Z <CRLF>
>>   <CRLF>
>>   C <CRLF>
>>   D <SP><TAB><SP> E <CRLF>
>>
>>      is canonicalized to:
>>
>> According to the specs (as I read it):
>>
>>   a:X<CRLF>b:YZ<CRLF><CRLF>CDE
>>   <CRLF>dkim-signature:a=rsa-sha1;d=example.net;
>>   s=brisbane;c=simple;q=dns;i=@eng.example.net;h=A:B;
>>
>> Does this look right?
>
> it looks like you're missing the final b=. that is, it should be
>
> a:[...];h=A:B;b=
>
> (assuming that b= was the last item; Arvel brought up a good point about its
> value if it's not).
>
> if you send a message to dkim-test@mtcc.com, it will show you my verify side's
> idea of the canonicalized bytes.
>
>       Mike

It might help during field testing if a "debug tag" or header is used for
providing maybe the final canonicalized length and SHA1 hash.   The l= tag
helps for the canonicalized body size, but we don't have a verification (for
testing across systems) for the remaining canonicalized buffer.

This will tremendously help reduce time (and money) in the wide dispense
area of development where engineers need to test all this.   If an incoming
message fails, we need to have some level of debugging information so that
we don't lose hair over it :-)

My suggestion is an optional debug header that will help in the
canonicalization area.

  DKIM-Signature-Debug:
        fl=#; hl=#; bl=#; hh=#; bh=#; fh=#;

where

  hl    = total header canonicalized length
  bl    = total body canonicalized length
  fl    = final canonicalized length
  hh    = accumulated header hash (b64)
  bh    = accumulated body hash (b64)
  fh    = accumulated final hash (b64)

In most cases, it would be a short term debug header only, once field
testing is completed.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
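Added example, not code from either poster or from any DKIM implementation: it applies nowsp canonicalization to the sample message from the thread, the way the thread reads the 2005 draft (lowercase field names, delete every whitespace byte including folding CRLFs, headers in h= order, blank line, body, CRLF, then the DKIM-Signature header with b= emptied), and then computes the six DKIM-Signature-Debug tags Hector proposes so that a signer and a verifier can see at which stage their canonicalized buffers diverge. Assumptions: b= is the last tag of the signature (the case Mike describes), no CRLF follows the appended signature header, the debug tags are plain lengths and base64 SHA-1 digests of the header, body and final buffers, and the i= address is written as @eng.example.net (the list archive munged it). This is the single-hash layout of the 2005 draft, not RFC 6376.

```python
"""nowsp canonicalization and the proposed DKIM-Signature-Debug tags (added
example; follows the thread's reading of the 2005 draft, not RFC 6376)."""
import base64
import hashlib
import re

# Constructed copy of the message posted in the thread: CRLF line endings,
# one folded header (B:) and a SP/TAB run in the body. The i= address is
# written plainly here; the list archive munged it as (_at_)/(_dot_).
SAMPLE = (
    b"DKIM-Signature: a=rsa-sha1; d=example.net; s=brisbane;\r\n"
    b"   c=simple; q=dns; i=@eng.example.net;\r\n"
    b"   h=A:B;\r\n"
    b"   b=dzd.....YzR\r\n"
    b"A: X\r\n"
    b"B: Y\r\n"
    b" Z\r\n"
    b"\r\n"
    b"C\r\n"
    b"D \t E\r\n"
)

WSP = re.compile(rb"[ \t\r\n]+")


def split_message(msg):
    """Return ([(name, raw_value), ...], body). Folded continuation lines
    (leading SP/TAB) are glued back onto the preceding field, CRLF included,
    so nowsp deletes them together with the rest of the whitespace."""
    head, _, body = msg.partition(b"\r\n\r\n")
    fields = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + b"\r\n" + line)
        else:
            name, _, value = line.partition(b":")
            fields.append((name, value))
    return fields, body


def nowsp_field(name, value):
    """nowsp for one header: lowercase the name, delete all whitespace in the
    value, terminate with CRLF. Gives b"b:YZ\r\n" for the folded B: header."""
    return name.lower() + b":" + WSP.sub(b"", value) + b"\r\n"


def blank_b_tag(sig_value):
    """Empty the b= tag so the signature bytes are not part of the signed
    data. Expects an already nowsp'd value, where tags are ';'-separated."""
    tags = sig_value.split(b";")
    return b";".join(b"b=" if t.startswith(b"b=") else t for t in tags)


def canonicalize(msg):
    """Build the signed buffer as the thread lays it out: signed headers in
    h= order, empty line, body, CRLF, then the DKIM-Signature header with b=
    emptied. Assumption: no CRLF after the appended signature header."""
    fields, body = split_message(msg)
    sig_raw = next(v for n, v in fields if n.lower() == b"dkim-signature")
    sig_nowsp = WSP.sub(b"", sig_raw)
    tag_map = dict(t.split(b"=", 1) for t in sig_nowsp.split(b";") if b"=" in t)
    hdr = b""
    for want in tag_map[b"h"].split(b":"):
        for n, v in fields:          # first occurrence of each listed header
            if n.lower() == want.lower():
                hdr += nowsp_field(n, v)
                break
    bod = WSP.sub(b"", body)
    sig = b"dkim-signature:" + blank_b_tag(sig_nowsp)
    return hdr, bod, hdr + b"\r\n" + bod + b"\r\n" + sig


def debug_tags(hdr, bod, full):
    """Hector's proposed tags: length and base64 SHA-1 of each stage."""
    def b64sha1(data):
        return base64.b64encode(hashlib.sha1(data).digest()).decode()
    return {"hl": len(hdr), "bl": len(bod), "fl": len(full),
            "hh": b64sha1(hdr), "bh": b64sha1(bod), "fh": b64sha1(full)}


def debug_header(tags):
    order = ("fl", "hl", "bl", "hh", "bh", "fh")
    return "DKIM-Signature-Debug: " + "; ".join(f"{k}={tags[k]}" for k in order)


def parse_debug_header(line):
    """Split each tag on its first '=' only: base64 digests end in '=' padding."""
    _, _, value = line.partition(":")
    out = {}
    for tag in value.split(";"):
        k, _, v = tag.strip().partition("=")
        if k:
            out[k] = v
    return out


def first_mismatch(remote, local):
    """Compare the signer's debug tags with the verifier's own. Returns the
    first stage that differs (header, body or final) and the tag that showed
    it, or None when both sides produced identical canonicalized bytes."""
    for stage, keys in (("header", ("hl", "hh")), ("body", ("bl", "bh")),
                        ("final", ("fl", "fh"))):
        for k in keys:
            if str(remote.get(k)) != str(local[k]):
                return stage, k
    return None


if __name__ == "__main__":
    hdr, bod, full = canonicalize(SAMPLE)
    print(full.decode())
    print(debug_header(debug_tags(hdr, bod, full)))
```

Checking hl/hh before bl/bh before fl/fh is what makes the header useful in practice: a verifier that gets a bad signature can tell from the first differing tag whether the two implementations disagree on header folding, on body whitespace, or only on how the pieces are assembled (for instance whether a CRLF follows the appended DKIM-Signature header).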

