test/t-21-dkim: Add cross-tool check against driusan/dkimverify

This patch adds a cross-tool integration check that uses driusan/dkim's dkimverify to confirm it can verify our own DKIM signatures. It is optional, since the tool may not be present.
albertito · Mar 10, 2024 · 6970e54 · 6970e54
1 parent 11f0300
commit 6970e54
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 4 deletions.
diff --git a/cmd/chasquid-util/dkim.go b/cmd/chasquid-util/dkim.go
@@ -82,6 +82,13 @@ func dkimVerify() {
 			})
 	}
 
+	if txt, ok := args["--txt"]; ok {
+		ctx = dkim.WithLookupTXTFunc(ctx,
+			func(ctx context.Context, domain string) ([]string, error) {
+				return []string{txt}, nil
+			})
+	}
+
 	results, err := dkim.VerifyMessage(ctx, string(msg))
 	if err != nil {
 		Fatalf("Error verifying message: %v", err)

diff --git a/test/t-21-dkim/from_B_to_A.expected b/test/t-21-dkim/from_B_to_A.expected
@@ -2,12 +2,18 @@ From user-a@srv-a
 Authentication-Results: srv-a
 	;spf=none (no DNS record found)
 	;dkim=pass  header.b=*
-DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 	d=srv-b; s=sel77; *
 	h=from:subject:to:from:subject:date:to:cc:message-id;
 	bh=*
 	b=*
 	  *
+	  *
+	  *
+	  *
+	  *
+	  *
+	  *
 From: user-b@srv-b
 To: user-a@srv-a
 Subject: Feliz primavera!

diff --git a/test/t-21-dkim/run.sh b/test/t-21-dkim/run.sh
@@ -16,7 +16,7 @@ export GOTAGS="dnsoverride"
 # Use a fixed selector so we can be more thorough in from_B_to_A.expected.
 rm -f B/domains/srv-b/*.pem
 mkdir -p B/domains/srv-b/
-CONFDIR=B chasquid-util dkim-keygen srv-b sel77 --algo=ed25519 > /dev/null
+CONFDIR=B chasquid-util dkim-keygen srv-b sel77 > /dev/null
 
 cp zones .zones
 CONFDIR=B chasquid-util dkim-dns srv-b | sed 's/"//g' >> .zones
@@ -65,5 +65,24 @@ smtpc --addr=localhost:2465 \
 wait_for_file .mail/user-a@srv-a
 mail_diff from_B_to_A.expected .mail/user-a@srv-a
 
+# Run chasquid-util dkim-verify to double check these are valid.
+cat .zones | grep _domainkey.srv-b | sed 's/.*TXT//g' > .srv-b.dns.txt
+CONFDIR=A chasquid-util dkim-verify -v "--txt=$(cat ./.srv-b.dns.txt)" \
+	< .mail/user-a@srv-a > .chasquid-util-dkim-verify.out 2>&1
+if ! grep -q ";dkim=pass" .chasquid-util-dkim-verify.out; then
+	echo "chasquid-util dkim-verify output:"
+	cat .chasquid-util-dkim-verify.out
+	echo
+	fail "Failed chasquid-util dkim-verify"
+fi
+
+# If driusan/dkim's dkimverify is available, use it to check the generated
+# signature.
+if dkimverify --help 2>&1 > /dev/null | grep -q -- "-txt string"; then
+	# Verify B's signature only, because dkimverify only supports RSA.
+	dkimverify -txt .srv-b.dns.txt < .mail/user-a@srv-a
+else
+	echo "skipped driusan's dkimverify cross-check (binary not available)"
+fi
 
 success
diff --git a/test/util/minidns/minidns.go b/test/util/minidns/minidns.go
@@ -290,8 +290,17 @@ func (m *miniDNS) loadZones(f *os.File) {
 			}
 		case "txt":
 			qType = dnsmessage.TypeTXT
+
+			// Cut value in chunks of 255 bytes.
+			chunks := []string{}
+			v := value
+			for len(v) > 254 {
+				chunks = append(chunks, v[:254])
+				v = v[254:]
+			}
+			chunks = append(chunks, v)
 			body = &dnsmessage.TXTResource{
-				TXT: []string{value},
+				TXT: chunks,
 			}
 		default:
 			log.Fatalf("line %d: unknown type %q", lineno, t)

diff --git a/test/util/test-mda b/test/util/test-mda
@@ -5,7 +5,6 @@ set -e
 mkdir -p ${MDA_DIR}
 
 # TODO: use flock to lock the file, to prevent atomic writes.
-echo "From ${1}" >> ${MDA_DIR}/.tmp-${1}
 cat >> ${MDA_DIR}/.tmp-${1}
 X=$?
 if [ -e ${MDA_DIR}/.tmp-${1} ]; then