Merge pull request #210 from jayden-sudo/main
Fixed a bug in retrieving the DKIM public key
Divide-By-0 authored Aug 28, 2024
2 parents f7bf840 + 11c846d commit 4d34ccd
Showing 2 changed files with 110 additions and 13 deletions.
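--- /dev/null
+++ b/packages/helpers/src/lib/mailauth/DoH.ts
@@ -0,0 +1,97 @@
+// DoH servers list
+export enum DoHServer {
+// Google Public DNS
+Google = "https://dns.google/resolve",
+// Cloudflare DNS
+Cloudflare = "https://cloudflare-dns.com/dns-query",
+}
+
+/**
+* DNS over HTTPS (DoH) resolver
+*
+* @export
+* @class DoH
+*/
+export class DoH {
+
+// DNS response codes
+static DoHStatusNoError = 0;
+// DNS RR types
+static DoHTypeTXT = 16;
+
+/**
+* Resolve DKIM public key from DNS
+*
+* @static
+* @param {string} name DKIM record name (e.g. 20230601._domainkey.gmail.com)
+* @param {string} DNSServer DNS over HTTPS API URL
+* @return {*} {(Promise<string | null>)} DKIM public key or null if not found
+* @memberof DoH
+*/
+public static async resolveDKIMPublicKey(name: string, DNSServer: string): Promise<string | null> {
+if (!DNSServer.startsWith('https://')) {
+DNSServer = 'https://' + DNSServer;
+}
+if (DNSServer.endsWith('/')) {
+DNSServer = DNSServer.slice(0, -1);
+}
+const resp = await fetch(
+DNSServer + "?" +
+new URLSearchParams({
+name: name,
+// DKIM public key record type is TXT
+type: DoH.DoHTypeTXT.toString(),
+}),
+{
+headers: {
+"accept": "application/dns-json",
+}
+}
+);
+if (resp.status === 200) {
+const out = await resp.json();
+if (typeof out === 'object' && out !== null && 'Status' in out && 'Answer' in out) {
+const resp = out as DoHResponse;
+if (resp.Status === DoH.DoHStatusNoError && resp.Answer.length > 0) {
+for (const ans of resp.Answer) {
+if (ans.type === DoH.DoHTypeTXT) {
+let DKIMRecord = ans.data;
+/*
+Remove all double quotes
+Some DNS providers wrap TXT records in double quotes,
+and others like Cloudflare may include them. According to
+TXT (potentially multi-line) and DKIM (Base64 data) standards,
+we can directly remove all double quotes from the DKIM public key.
+*/
+DKIMRecord = DKIMRecord.replace(/"/g, '');
+return DKIMRecord;
+}
+}
+}
+}
+}
+return null;
+}
+}
+
+interface DoHResponse {
+Status: number; // NOERROR - Standard DNS response code (32 bit integer).
+TC: boolean; // Whether the response is truncated
+AD: boolean; // Whether all response data was validated with DNSSEC
+CD: boolean; // Whether the client asked to disable DNSSEC
+Question: Question[];
+Answer: Answer[];
+Comment: string;
+}
+
+interface Question {
+name: string; // FQDN with trailing dot
+type: number; // A - Standard DNS RR type. 5:CNAME, 16:TXT
+}
+
+interface Answer {
+name: string; // Always matches name in the Question section
+type: number; // A - Standard DNS RR type. 5:CNAME, 16:TXT
+TTL: number; // Record's time-to-live in seconds
+data: string; // Record data
+}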
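Review bot: `resolveDKIMPublicKey` declares `AD` and `TC` on `DoHResponse` but never reads them, so a DNSSEC-validated answer and an unvalidated one come back as the same `string` and a truncated response is treated like a complete one; the TSDoc should at least say so, e.g. `* Note: the AD (DNSSEC-validated) and TC (truncated) flags of the DoH response are not checked; the key is returned as served by the resolver.` A non-200 HTTP status, a non-zero DNS `Status` (NXDOMAIN, SERVFAIL) and a NOERROR answer with no TXT record all collapse into `null`, which leaves the caller in tools.ts unable to tell "no record" from "resolver failed"; consider `if (resp.status !== 200) throw new Error(\`DoH request failed: ${resp.status}\`);` and reserving `null` for a NOERROR response without a TXT answer. As a point of style, the inner `const resp = out as DoHResponse;` shadows the outer `resp` (the fetch `Response`); naming it `dohResp` or `body` makes the two nested checks easier to read.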
26 changes: 13 additions & 13 deletions packages/helpers/src/lib/mailauth/tools.ts
Expand Up @@ -9,6 +9,7 @@ import crypto, { KeyObject } from "crypto";
import parseDkimHeaders from "./parse-dkim-headers";
import { DkimVerifier } from "./dkim-verifier";
import type { Parsed, SignatureType } from "./dkim-verifier";
import { DoH, DoHServer } from './DoH';

const IS_BROWSER = typeof window !== "undefined";

Expand Down Expand Up @@ -247,16 +248,17 @@ export const formatSignatureHeaderLine = (
};

async function resolveDNSHTTP(name: string, type: string) {
const resp = await fetch(
"https://dns.google/resolve?" +
new URLSearchParams({
name: name,
type: type,
})
);
const out = await resp.json();
// For some DNS, the Answer response here contains more than 1 element in the array. The last element is the one containing the public key
return [out.Answer[out.Answer.length - 1].data];
if (type !== "TXT") {
throw new Error("DKIM record type is not TXT");
}
const DKIMRecord = await DoH.resolveDKIMPublicKey(name, DoHServer.Google);
if (!DKIMRecord) {
throw new CustomError("No DKIM record found", "ENODATA");
}
if (DKIMRecord !== await DoH.resolveDKIMPublicKey(name, DoHServer.Cloudflare)) {
console.error("DKIM record mismatch!");
}
return [DKIMRecord];
}

// from https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String
Expand Down Expand Up @@ -301,9 +303,7 @@ export const getPublicKey = async (
resolver: (...args: [name: string, type: string]) => Promise<any>
) => {
minBitLength = minBitLength || 1024;
if (!IS_BROWSER) {
resolver = resolver || require("dns").promises.resolve;
} else {
if (!resolver) {
resolver = resolveDNSHTTP;
}

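Review bot: The Cloudflare cross-check in `resolveDNSHTTP` only writes to `console.error` on a mismatch and still returns the Google record, so the second lookup never changes the outcome and a verifier running unattended gets no signal beyond a log line; either fail closed by throwing a `CustomError` there, or state the intent with a comment such as `// Cross-check against a second resolver; a mismatch is only logged and does not affect the returned record.` The two behaviours are also asymmetric: a `null` from Cloudflare is logged as a mismatch, while a network error from the second `fetch` rejects the whole call even though the Google record was already obtained. The lookups are independent, so running them together with `const [DKIMRecord, cfRecord] = await Promise.all([DoH.resolveDKIMPublicKey(name, DoHServer.Google), DoH.resolveDKIMPublicKey(name, DoHServer.Cloudflare)]);` avoids the serial round trip. `CustomError` is presumably declared elsewhere in tools.ts; its accepted code strings are not visible in this hunk.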
