[dkim-dev] Having trouble with FWS in the DKIM header

[Alec H. Peterson]

Hi Jeffrey,

On Jun 22, 2008, at 10:43, Jeffrey Rice wrote:

> (I hope this won't get sent twice, I sent the first from an account  
> that
> wasn't subscribed to the list.)
>
>
> Hello,
> I am trying to work up a signing method for use with Greg Hewgill's
> pyDKIM.  The signature itself seems to work fine, but only if it is  
> all
> on the same header line.  If the signature is folded, it fails.
>
> I've tried folding by two methods: using python's add_header, or doing
> it myself. I can see perhaps why add_header fails, since it leaves the
> b= line as a run-on.  (since it can't know that WS is ignored within  
> the
> signature)  Why my own method is failing is more a mystery.  I've  
> looked
> at the signature sent to me from other systems and I can't see a
> difference between the folded headers I generate versus the ones  
> they do.
>
> I'm extremely confused!  I must be doing something quite simple.  If I
> take a message that is failing because of the wrapping and put the
> signature all on one line and use Greg's dkim_verify, it now  
> passes.  It
> did occur to me maybe that the little script he provided doesn't work
> with folder headers, but that doesn't explain why testing.dkim.org  
> also
> rejects it.  I'm at a loss...


When using the simple header canonicalization algorithm you can't re- 
fold the DKIM header, because FWS is part of the signature.  The  
header must be included in the message exactly as it was signed.  The  
one exception is within the 'b' tag because that's zero'ed out before  
validation, so you can fold that without requiring a WSP character to  
be present.

If you instead use the relaxed canonicalization algorithm, then you  
can fold the header on any WSP character, since the relaxed algorithm  
deals with that, again except for the 'b' tag as I mentioned above.

Alec

--
Alec H. Peterson - alec.peterson at messagesystems.com
+1 443 656 3322
Director of Technical Services
Message Systems, Inc.