[dkim-dev] verification failed problems
Eric Allman
eric at sendmail.com
Wed Jun 13 15:37:34 PDT 2007
Bleah. Murray (who implemented our code) points out to me that I was
incorrect, since the DKIM-Signature field is handled specially. I've
asked him to look at this problem (he's also on the dkim-dev list).
eric
--On June 13, 2007 2:27:03 PM -0700 Eric Allman <eric at sendmail.com>
wrote:
> Ah. I think the problem is that you need to append the \r\n on b=
> before you sign. You're adding it after signing.
>
> Just as a check, I get 0b1efa6aea8bd4161554942d1a35b5d1b68ed53a for
> your SHA1 body hash.
>
> eric
>
>
> --On June 13, 2007 2:47:41 PM -0400 Bill Volz <bill at quiksoft.com>
> wrote:
>
>> Sorry I did not make this clear but I do have those fields. I just
>> replaced that part of the header with the ellipses to try to slim down
>> the email. Also I am trying to get sha1 working first then move on
>> to sha256. This is because I know my sha1 works since my older
>> DomainKeys code works with it.
>>
>>
>> From: bill at atwill.com\r\n
>> To: sa-test at sendmail.net\r\n
>> \r\n
>> One line Body\r\n
>>
>>
>>
>> bh = Hash("One line Body\r\n")
>> dkhead = "DKIM-Signature: v=DKIM1; a=rsa-sha1; d=atwill.com;
>> s=testkey;\r\n\tc=simple; q=dns/txt;
>> t=1181750120;\r\n\th=from:to;\r\n bh=" + bh + ";\r\n\tb="
>> cHeader = "From:bob at atwill.com\r\nTo:bob at atwill.com\r\n" +
>> dkhead; b = Sign (cHeader);
>> dkhead += b + "\r\n";
>>
>>
>>
>> AddNewHeaderToMsg(dkhead);
>>
>> Bill Volz
>>
>> -----Original Message-----
>> From: Eric Allman [mailto:eric at sendmail.com]
>> Sent: Wednesday, June 13, 2007 12:13 PM
>> To: Bill Volz
>> Cc: dkim-dev at mipassoc.org
>> Subject: Re: [dkim-dev] verification failed problems
>>
>> There are several things wrong with your DKIM-Signature header
>> field. You MUST have a v=, you MUST have an s=, you MUST have a=,
>> you MUST have d=, and you MUST have h=. See section 3.5 of RFC
>> 4871 for details.
>>
>> eric
>>
>>
>>
>> --On June 13, 2007 11:28:27 AM -0400 Bill Volz <bill at atwill.com>
>>
>>>>
>>>
>>>
>>> One thing in the RFC I wasn't sure of was in section 3.7 Computing
>>> the Message Hashes this line.
>>>
>>> The DKIM-Signature header field that exists (verifying) or will be
>>> inserted (signing) in the message, with the value of the "b=" tag
>>> deleted (i.e., treated as the empty string), canonicalized using
>>> the header canonicalization algorithm specified in the "c=" tag,
>>> and without a trailing CRLF.
>>>
>>>
>>>
>>> Does the "without a trailing CRLF" mean no crlf for the dkim
>>> header or the dkim header should have a crlf but there should be
>>> no header ending crlf or both in which case there is no crlf.
>>>
>>
>>
>>
>>
>
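The rule from section 3.7 of RFC 4871 quoted in this thread, worked through for c=simple as an added example (not code from the original messages or from the sendmail implementation). It shows that the signer and the verifier hash the same bytes when the DKIM-Signature field is taken with an empty b= value and no trailing CRLF. The function names, addresses, selector and signature value are assumptions constructed for illustration, and the RSA step is left out.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"

def body_hash_sha1(body: bytes) -> bytes:
    """bh= value for c=simple: drop trailing empty lines, end with one CRLF."""
    while body.endswith(CRLF):
        body = body[:-2]
    return base64.b64encode(hashlib.sha1(body + CRLF).digest())

def empty_b_tag(sig_field: bytes) -> bytes:
    """DKIM-Signature field with the b= value deleted and no trailing CRLF."""
    name, colon, tags = sig_field.partition(b":")
    # Match the b= tag only (not bh=) and delete everything up to the next ';'.
    tags = re.sub(rb"((?:^|;)\s*b\s*=)[^;]*", rb"\1", tags, count=1)
    field = name + colon + tags
    return field[:-2] if field.endswith(CRLF) else field

def header_hash_input(signed_fields, sig_field: bytes) -> bytes:
    """Bytes hashed for the signature: h= fields as-is, then DKIM-Signature."""
    if not all(f.endswith(CRLF) for f in signed_fields):
        raise ValueError("each signed header field keeps its own CRLF")
    return b"".join(signed_fields) + empty_b_tag(sig_field)

# Constructed sample data: addresses, selector and signature value are made up.
FIELDS = [b"From: alice@example.com\r\n", b"To: bob@example.net\r\n"]
TEMPLATE = (b"DKIM-Signature: v=1; a=rsa-sha1; d=example.com; s=testkey;\r\n"
            b"\tc=simple; q=dns/txt; t=1181750120;\r\n\th=from:to;\r\n"
            b"\tbh=" + body_hash_sha1(b"One line Body\r\n") + b";\r\n\tb=")
FAKE_SIG = b"c2lnbmF0dXJl"  # placeholder, not a real RSA signature

def signing_input() -> bytes:
    return header_hash_input(FIELDS, TEMPLATE)

def verifying_input() -> bytes:
    # The field as it travels in the message: b= filled in, CRLF appended.
    return header_hash_input(FIELDS, TEMPLATE + FAKE_SIG + CRLF)

if __name__ == "__main__":
    assert signing_input() == verifying_input()
    print(hashlib.sha1(signing_input()).hexdigest())
    # Hashing a trailing CRLF as well yields a different digest.
    print(hashlib.sha1(signing_input() + CRLF).hexdigest())
```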