Skip to content

[Mime] Add DKIM support #37165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 10, 2020
Merged

[Mime] Add DKIM support #37165

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/Symfony/Component/Mime/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ CHANGELOG
5.2.0
-----

* Add support for DKIM
* Deprecated `Address::fromString()`, use `Address::create()` instead

4.4.0
Expand Down
97 changes: 97 additions & 0 deletions src/Symfony/Component/Mime/Crypto/DkimOptions.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Component\Mime\Crypto;

/**
* A helper providing autocompletion for available DkimSigner options.
*
* @author Fabien Potencier <fabien@symfony.com>
*/
final class DkimOptions
{
private $options = [];

public function toArray(): array
{
return $this->options;
}

/**
* @return $this
*/
public function algorithm(int $algo): self
{
$this->options['algorithm'] = $algo;

return $this;
}

/**
* @return $this
*/
public function signatureExpirationDelay(int $show): self
{
$this->options['signature_expiration_delay'] = $show;

return $this;
}

/**
* @return $this
*/
public function bodyMaxLength(int $max): self
{
$this->options['body_max_length'] = $max;

return $this;
}

/**
* @return $this
*/
public function bodyShowLength(bool $show): self
{
$this->options['body_show_length'] = $show;

return $this;
}

/**
* @return $this
*/
public function headerCanon(string $canon): self
{
$this->options['header_canon'] = $canon;

return $this;
}

/**
* @return $this
*/
public function bodyCanon(string $canon): self
{
$this->options['body_canon'] = $canon;

return $this;
}

/**
* @return $this
*/
public function headersToIgnore(array $headers): self
{
$this->options['headers_to_ignore'] = $headers;

return $this;
}
}
213 changes: 213 additions & 0 deletions src/Symfony/Component/Mime/Crypto/DkimSigner.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,213 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Component\Mime\Crypto;

use Symfony\Component\Mime\Exception\InvalidArgumentException;
use Symfony\Component\Mime\Exception\RuntimeException;
use Symfony\Component\Mime\Header\UnstructuredHeader;
use Symfony\Component\Mime\Message;
use Symfony\Component\Mime\Part\AbstractPart;

/**
* @author Fabien Potencier <fabien@symfony.com>
*
* RFC 6376 and 8301
*/
final class DkimSigner
{
public const CANON_SIMPLE = 'simple';
public const CANON_RELAXED = 'relaxed';

public const ALGO_SHA256 = 'rsa-sha256';
public const ALGO_ED25519 = 'ed25519-sha256'; // RFC 8463

private $key;
private $domainName;
private $selector;
private $defaultOptions;

/**
* @param string $pk The private key as a string or the path to the file containing the private key, should be prefixed with file:// (in PEM format)
* @param string $passphrase A passphrase of the private key (if any)
*/
public function __construct(string $pk, string $domainName, string $selector, array $defaultOptions = [], string $passphrase = '')
{
if (!\extension_loaded('openssl')) {
throw new \LogicException('PHP extension "openssl" is required to use DKIM.');
}
if (!$this->key = openssl_pkey_get_private($pk, $passphrase)) {
throw new InvalidArgumentException('Unable to load DKIM private key: '.openssl_error_string());
}

$this->domainName = $domainName;
$this->selector = $selector;
$this->defaultOptions = $defaultOptions + [
'algorithm' => self::ALGO_SHA256,
'signature_expiration_delay' => 0,
'body_max_length' => PHP_INT_MAX,
'body_show_length' => false,
'header_canon' => self::CANON_RELAXED,
'body_canon' => self::CANON_RELAXED,
'headers_to_ignore' => [],
];
}

public function sign(Message $message, array $options = []): Message
{
$options += $this->defaultOptions;
if (!\in_array($options['algorithm'], [self::ALGO_SHA256, self::ALGO_ED25519], true)) {
throw new InvalidArgumentException('Invalid DKIM signing algorithm "%s".', $options['algorithm']);
}
$headersToIgnore['return-path'] = true;
foreach ($options['headers_to_ignore'] as $name) {
$headersToIgnore[strtolower($name)] = true;
}
unset($headersToIgnore['from']);
$signedHeaderNames = [];
$headerCanonData = '';
$headers = $message->getPreparedHeaders();
foreach ($headers->getNames() as $name) {
foreach ($headers->all($name) as $header) {
if (isset($headersToIgnore[strtolower($header->getName())])) {
continue;
}

if ('' !== $header->getBodyAsString()) {
$headerCanonData .= $this->canonicalizeHeader($header->toString(), $options['header_canon']);
$signedHeaderNames[] = $header->getName();
}
}
}

[$bodyHash, $bodyLength] = $this->hashBody($message->getBody(), $options['body_canon'], $options['body_max_length']);

$params = [
'v' => '1',
'q' => 'dns/txt',
'a' => $options['algorithm'],
'bh' => base64_encode($bodyHash),
'd' => $this->domainName,
'h' => implode(': ', $signedHeaderNames),
'i' => '@'.$this->domainName,
's' => $this->selector,
't' => time(),
'c' => $options['header_canon'].'/'.$options['body_canon'],
];

if ($options['body_show_length']) {
$params['l'] = $bodyLength;
}
if ($options['signature_expiration_delay']) {
$params['x'] = $params['t'] + $options['signature_expiration_delay'];
}
$value = '';
foreach ($params as $k => $v) {
$value .= $k.'='.$v.'; ';
}
$value = trim($value);
$header = new UnstructuredHeader('DKIM-Signature', $value);
$headerCanonData .= rtrim($this->canonicalizeHeader($header->toString()."\r\n b=", $options['header_canon']));
if (self::ALGO_SHA256 === $options['algorithm']) {
if (!openssl_sign($headerCanonData, $signature, $this->key, OPENSSL_ALGO_SHA256)) {
throw new RuntimeException('Unable to sign DKIM hash: '.openssl_error_string());
}
} else {
throw new \RuntimeException(sprintf('The "%s" DKIM signing algorithm is not supported yet.', self::ALGO_ED25519));
}
$header->setValue($value.' b='.trim(chunk_split(base64_encode($signature), 73, ' ')));
$headers->add($header);

return new Message($headers, $message->getBody());
}

private function canonicalizeHeader(string $header, string $headerCanon): string
{
if (self::CANON_RELAXED !== $headerCanon) {
return $header."\r\n";
}

$exploded = explode(':', $header, 2);
$name = strtolower(trim($exploded[0]));
$value = str_replace("\r\n", '', $exploded[1]);
$value = trim(preg_replace("/[ \t][ \t]+/", ' ', $value));

return $name.':'.$value."\r\n";
}

private function hashBody(AbstractPart $body, string $bodyCanon, int $maxLength): array
{
$hash = hash_init('sha256');
$relaxed = self::CANON_RELAXED === $bodyCanon;
$currentLine = '';
$emptyCounter = 0;
$isSpaceSequence = false;
$length = 0;
foreach ($body->bodyToIterable() as $chunk) {
$canon = '';
for ($i = 0, $len = \strlen($chunk); $i < $len; ++$i) {
switch ($chunk[$i]) {
case "\r":
break;
case "\n":
// previous char is always \r
if ($relaxed) {
$isSpaceSequence = false;
}
if ('' === $currentLine) {
++$emptyCounter;
} else {
$currentLine = '';
$canon .= "\r\n";
}
break;
case ' ':
case "\t":
if ($relaxed) {
$isSpaceSequence = true;
break;
}
// no break
default:
if ($emptyCounter > 0) {
$canon .= str_repeat("\r\n", $emptyCounter);
$emptyCounter = 0;
}
if ($isSpaceSequence) {
$currentLine .= ' ';
$canon .= ' ';
$isSpaceSequence = false;
}
$currentLine .= $chunk[$i];
$canon .= $chunk[$i];
}
}

if ($length + \strlen($canon) >= $maxLength) {
$canon = substr($canon, 0, $maxLength - $length);
$length += \strlen($canon);
hash_update($hash, $canon);

break;
}

$length += \strlen($canon);
hash_update($hash, $canon);
}

if (0 === $length) {
hash_update($hash, "\r\n");
$length = 2;
}

return [hash_final($hash, true), $length];
}
}
4 changes: 3 additions & 1 deletion src/Symfony/Component/Mime/Message.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,9 @@ public function getPreparedHeaders(): Headers
$headers->addMailboxListHeader('From', [$headers->get('Sender')->getAddress()]);
}

$headers->addTextHeader('MIME-Version', '1.0');
if (!$headers->has('MIME-Version')) {
$headers->addTextHeader('MIME-Version', '1.0');
}

if (!$headers->has('Date')) {
$headers->addDateHeader('Date', new \DateTimeImmutable());
Expand Down
Loading