如何验证PHP中的DKIM签名？

Question

I'll admit I'm not very adept at key verification. What I have is a script that downloads messages from a POP3 server, and I'm attempting to verify the DKIM signatures in PHP. I've already figured out the body hash (bh) validation check, but I can't figure out the header validation.

http://www.dkim.org/specs/rfc4871-dkimbase.html#rfc.section.6.1.3

Below is an example of my message headers. I've been able to use the Mail::DKIM package to validate the signature in Perl, so I know it's good. I just can't seem to figure out the instructions in the RFC and translate them into PHP code.

 DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
  s=angrychimp-1.bh; d=angrychimp.net;
  h=From:X-Outgoing;
  b=RVkenibHQ7GwO5Y3tun2CNn5wSnooBSXPHA1Kmxsw6miJDnVp4XKmA9cUELwftf9
  nGiRCd3rLc6eswAcVyNhQ6mRSsF55OkGJgDNHiwte/pP5Z47Lo/fd6m7rfCnYxq3
 DKIM-Signature: v=1; a=rsa-sha1; d=angrychimp.net; s=angrychimp-1.bh; c=relaxed/simple;
  q=dns/txt; i=@angrychimp.net; t=1268436255;
  h=From:Subject:X-Outgoing:Date;
  bh=gqhC2GEWbg1t7T3IfGMUKzt1NCc=;
  b=ZmeavryIfp5jNDIwbpifsy1UcavMnMwRL6Fy6axocQFDOBd2KjnjXpCkHxs6yBZn
  Wu+UCFeAP+1xwN80JW+4yOdAiK5+6IS8fiVa7TxdkFDKa0AhmJ1DTHXIlPjGE4n5;
 To: iptest@example.com
 Message-ID: <EF.CC.24859.F1DCA9B4>
 From: DKIM Tester <noreply@angrychimp.net>
 Reply-To: noreply@angrychimp.net
 Subject: Automated DKIM Testing (angrychimp.net)
 X-Outgoing: dhaka
 Date: Fri, 12 Mar 2010 15:24:15 -0800
 Content-Type: text/plain; charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: inline
 MIME-Version: 1.0
 Return-Path: noreply@angrychimp.net
 X-OriginalArrivalTime: 12 Mar 2010 23:25:50.0326 (UTC) FILETIME=[5A0ED160:01CAC23B]

I can extract the public key from my DNS just fine, and I believe I'm canonicalizing the headers correctly, but I just can't get the signature validated. I don't think I'm preparing my key or computing the signature validation correctly.

Is this something that's possible (do I need pear extensions or something?) or is manually validating a DKIM signature in PHP just not feasible?

Answer 1

The Mail::DKIM has the following dependencies on other libraries:

• Crypt::OpenSSL::RSA
• Digest::SHA
• Mail::Address (part of the MailTools package)
• MIME::Base64
• Net::DNS

All these should be available in PHP also. So manually check the validatity in PHP is controllable. Mail::DKIM is verifiying the signature "manually" with those libs. Maybe you have a peak into source of Mail::DKIM?

Additionaly " OpenDKIM Library (libopendkim) " is available. You can build a PHP-module around this library like other people have integrated OpenSSL, cURL, etc into PHP.

Maybe you can provide the code of your verify-function with some test data, so everyone can have a look at it?

HTH & Best regards

Michael

Answer 2

Try interoperate with external tool or another language.

You can consider to adapt external tool to do that or use C library which has better support to work with DKIM. You can also try to integrate through Perl or Python.

Answer 3

I create new project in googlecode. the name was phpMailDomainSigner It support DKIM-Signature and DomainKey-Signature in Object Oriented Style.