How to calculate 'b' parameter in DKIM SIG

I'am trying to sign a message sent with SMTP commands (using telnet) with DKIM protocole , i applied in the official dkim website all the steps , it remains how i can calculate the 'b' parameter , should i validate it with the private key ? Or using another method? Thank you

标签： smtp rsa dkim

5条回答

我欲成王，谁敢阻挡

2楼-- · 2019-08-16 16:36

Unfortunatly it doesn't match with signature generated by PowerMta.

'b' generated by my signature :

lNLa3tKsq6IEotwq6Go5vPUjj6zbzpIEqC7Mr90SZFrXPVBNZbHyO4igroLE5Ax77lAAAwEX9+cN
TCeIbzYE08K7kB7I4/k8McDe3T5V+T2jcZuR3ukWK12BkQBAmFZNogynId0tt1WPXK3zHDGdKpHC
oxu5gKfrEVNsHo7gyRc=

The header after a test with PowerMta :

    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com; h=Subject:From:To; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=j/jYKloUFEbmzj5JdwmR7MCBB+UtuJq5V0wImYElaY/xob8CnRY39Z0TfPonp4y2qtIE/wpqwnT0
   YrHcNM8BY3uQ3ovm3pq7lTmwvM6XqA4rgnlhcyZnQO9uoUSGebsbR8KBhwZSpolF7UEcr8TSQdfO
   OG+fDZIHeq6G7DAg5cQ=
Subject: ddddd
From: btt@domain.com
To: email@gmail.com

0人赞添加讨论(0) 举报

Root（大扎）

3楼-- · 2019-08-16 16:38

subject:ddddd
from:btt@domain.com
to:email@gmail.com
dkim-signature:v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com; h=subject:from:to; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=

0人赞添加讨论(0) 举报

\"骚年 ilove

4楼-- · 2019-08-16 16:46

It's all explained in this document: https://www.ietf.org/rfc/rfc6376.txt

First, you must canonicalize the header fields that you wish to sign including the DKIM-Signature header that you are about to generate and then you sign it using the signature algorithm you've chosen.

The "simple" Header Canonicalization Algorithm

The "simple" header canonicalization algorithm does not change header fields in any way. Header fields MUST be presented to the signing or verification algorithm exactly as they are in the message being signed or verified. In particular, header field names MUST NOT be case folded and whitespace MUST NOT be changed.

The "relaxed" Header Canonicalization Algorithm

The "relaxed" header canonicalization algorithm MUST apply the following steps in order:

Convert all header field names (not the header field values) to lowercase. For example, convert "SUBJect: AbC" to "subject: AbC".
Unfold all header field continuation lines as described in RFC5322; in particular, lines with terminators embedded in continued header field values (that is, CRLF sequences followed by WSP) MUST be interpreted without the CRLF. Implementations MUST NOT remove the CRLF at the end of the header field value.
Convert all sequences of one or more WSP characters to a single SP character. WSP characters here include those before and after a line folding boundary.
Delete all WSP characters at the end of each unfolded header field value.
Delete any WSP characters remaining before and after the colon separating the header field name from the header field value. The colon separator MUST be retained.

Canonicalizing the DKIM-Signature header

Once you've canonicalized all of the other headers that you wish to sign, you then need to apply the same canonicalization to the DKIM-Signature that you are in the process of generating.

Obviously, at this point you will not have the b= value yet because the result of signing the canonicalized headers is the value for the b= tag.

What you need to do is to construct the header but leave the b= tag empty.

For example:

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
  c=simple; q=dns/txt; i=@eng.example.net;
  t=1117574938; x=1118006938;
  h=from:to:subject:date;
  bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
  b=

Signing the canonicalized headers

Once you've canonicalized all of the headers you want to sign (plus the portion of the DKIM-Signature header that you are generating), you need to sign the result using the algorithm and the private key (not public key!!) and then base64 encode the result and append it to the DKIM-Signature header you've generated.

In the above example, you would use the RSA-SHA256 algorithm.

Update:

If the original message headers that you want to sign look like this:

Subject: ddddd
From: btt@domain.com
To: email@gmail.com

And if the DKIM-Signature header that PowerMTA generates looks like this:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com; h=Subject:From:To; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=j/jYKloUFEbmzj5JdwmR7MCBB+UtuJq5V0wImYElaY/xob8CnRY39Z0TfPonp4y2qtIE/wpqwnT0
 YrHcNM8BY3uQ3ovm3pq7lTmwvM6XqA4rgnlhcyZnQO9uoUSGebsbR8KBhwZSpolF7UEcr8TSQdfO
 OG+fDZIHeq6G7DAg5cQ=

Then the text you should be signing would look like this (assuming you want your b= value to match the b= value that PowerMTA generates):

subject:ddddd
from:btt@domain.com
to:email@gmail.com
dkim-signature:v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com; h=Subject:From:To; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=

0人赞添加讨论(0) 举报

贪生不怕死

5楼-- · 2019-08-16 16:47

Original Header :

Subject: ddddd
From: btt@domain.com
To: email@gmail.com

Canonicalized header with DKIM-SIGNATURE :

subject:ddddd
from:btt@domain.com
to:email@gmail.com
DKIM-Signature: v=1;
a=rsa-sha1;
c=relaxed/relaxed;
s=selector1;
d=domain.com;
h=subject:from:to;
i=btt@domain.com;
bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=;
b=

RSA command to sign the content (header+Dkimsignature)

openssl dgst -sha1 -sign privateKey.pem content.txt | base64

0人赞添加讨论(0) 举报

放我归山

6楼-- · 2019-08-16 16:49

This is the new content to Sign :

subject:ddddd
from:btt@domain.com
to:email@gmail.com
dkim-signature:v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com; h=subject:from:to; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=

0人赞添加讨论(0) 举报