如何在 PHP 中验证 DKIM 签名?
我承认我不太擅长密钥验证。我有一个从 POP3 服务器下载消息的脚本,并且我正在尝试验证 PHP 中的 DKIM 签名。我已经弄清楚了主体哈希(bh)验证检查,但我无法弄清楚标头验证。
http://www.dkim.org/specs/rfc4871 -dkimbase.html#rfc.section.6.1.3
下面是我的消息标头的示例。我已经能够使用 Mail::DKIM 包来验证 Perl 中的签名,所以我知道它很好。我似乎无法弄清楚 RFC 中的说明并将其转换为 PHP 代码。
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
s=angrychimp-1.bh; d=angrychimp.net;
h=From:X-Outgoing;
b=RVkenibHQ7GwO5Y3tun2CNn5wSnooBSXPHA1Kmxsw6miJDnVp4XKmA9cUELwftf9
nGiRCd3rLc6eswAcVyNhQ6mRSsF55OkGJgDNHiwte/pP5Z47Lo/fd6m7rfCnYxq3
DKIM-Signature: v=1; a=rsa-sha1; d=angrychimp.net; s=angrychimp-1.bh; c=relaxed/simple;
q=dns/txt; [email protected]; t=1268436255;
h=From:Subject:X-Outgoing:Date;
bh=gqhC2GEWbg1t7T3IfGMUKzt1NCc=;
b=ZmeavryIfp5jNDIwbpifsy1UcavMnMwRL6Fy6axocQFDOBd2KjnjXpCkHxs6yBZn
Wu+UCFeAP+1xwN80JW+4yOdAiK5+6IS8fiVa7TxdkFDKa0AhmJ1DTHXIlPjGE4n5;
To: [email protected]
Message-ID: <EF.CC.24859.F1DCA9B4>
From: DKIM Tester <[email protected]>
Reply-To: [email protected]
Subject: Automated DKIM Testing (angrychimp.net)
X-Outgoing: dhaka
Date: Fri, 12 Mar 2010 15:24:15 -0800
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
MIME-Version: 1.0
Return-Path: [email protected]
X-OriginalArrivalTime: 12 Mar 2010 23:25:50.0326 (UTC) FILETIME=[5A0ED160:01CAC23B]
我可以很好地从 DNS 中提取公钥,并且我相信我正确规范了标头,但我就是无法验证签名。我认为我没有正确准备密钥或计算签名验证。
这是可能的(我需要 pear 扩展还是其他什么?),还是在 PHP 中手动验证 DKIM 签名不可行?
I'll admit I'm not very adept at key verification. What I have is a script that downloads messages from a POP3 server, and I'm attempting to verify the DKIM signatures in PHP. I've already figured out the body hash (bh) validation check, but I can't figure out the header validation.
http://www.dkim.org/specs/rfc4871-dkimbase.html#rfc.section.6.1.3
Below is an example of my message headers. I've been able to use the Mail::DKIM package to validate the signature in Perl, so I know it's good. I just can't seem to figure out the instructions in the RFC and translate them into PHP code.
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
s=angrychimp-1.bh; d=angrychimp.net;
h=From:X-Outgoing;
b=RVkenibHQ7GwO5Y3tun2CNn5wSnooBSXPHA1Kmxsw6miJDnVp4XKmA9cUELwftf9
nGiRCd3rLc6eswAcVyNhQ6mRSsF55OkGJgDNHiwte/pP5Z47Lo/fd6m7rfCnYxq3
DKIM-Signature: v=1; a=rsa-sha1; d=angrychimp.net; s=angrychimp-1.bh; c=relaxed/simple;
q=dns/txt; [email protected]; t=1268436255;
h=From:Subject:X-Outgoing:Date;
bh=gqhC2GEWbg1t7T3IfGMUKzt1NCc=;
b=ZmeavryIfp5jNDIwbpifsy1UcavMnMwRL6Fy6axocQFDOBd2KjnjXpCkHxs6yBZn
Wu+UCFeAP+1xwN80JW+4yOdAiK5+6IS8fiVa7TxdkFDKa0AhmJ1DTHXIlPjGE4n5;
To: [email protected]
Message-ID: <EF.CC.24859.F1DCA9B4>
From: DKIM Tester <[email protected]>
Reply-To: [email protected]
Subject: Automated DKIM Testing (angrychimp.net)
X-Outgoing: dhaka
Date: Fri, 12 Mar 2010 15:24:15 -0800
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
MIME-Version: 1.0
Return-Path: [email protected]
X-OriginalArrivalTime: 12 Mar 2010 23:25:50.0326 (UTC) FILETIME=[5A0ED160:01CAC23B]
I can extract the public key from my DNS just fine, and I believe I'm canonicalizing the headers correctly, but I just can't get the signature validated. I don't think I'm preparing my key or computing the signature validation correctly.
Is this something that's possible (do I need pear extensions or something?) or is manually validating a DKIM signature in PHP just not feasible?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
Mail::DKIM 对其他库有以下依赖项:
所有这些都应该在 PHP 中可用还。所以在PHP中手动检查有效性是可控的。 Mail::DKIM 正在使用这些库“手动”验证签名。也许您对 Mail::DKIM 的来源有深入了解?
另外“OpenDKIM 库 (libopendkim)”可用。您可以围绕这个库构建 PHP 模块,就像其他人将 OpenSSL、cURL 等集成到 PHP 中一样。
也许你可以提供一下你的验证函数的代码和一些测试数据,以便大家看一下?
HTH&最好的问候
迈克尔
The Mail::DKIM has the following dependencies on other libraries:
All these should be available in PHP also. So manually check the validatity in PHP is controllable. Mail::DKIM is verifiying the signature "manually" with those libs. Maybe you have a peak into source of Mail::DKIM?
Additionaly "OpenDKIM Library (libopendkim)" is available. You can build a PHP-module around this library like other people have integrated OpenSSL, cURL, etc into PHP.
Maybe you can provide the code of your verify-function with some test data, so everyone can have a look at it?
HTH & Best regards
Michael
我在谷歌代码中创建新项目。名称为 phpMailDomainSigner
它支持面向对象风格的 DKIM 签名和 DomainKey 签名。
I create new project in googlecode. the name was phpMailDomainSigner
It support DKIM-Signature and DomainKey-Signature in Object Oriented Style.
尝试与外部工具或其他语言进行互操作。
您可以考虑采用外部工具来执行此操作,或者使用 C 库,它对 DKIM 的使用有更好的支持。您还可以尝试通过 Perl 或 Python 进行集成。
Try interoperate with external tool or another language.
You can consider to adapt external tool to do that or use C library which has better support to work with DKIM. You can also try to integrate through Perl or Python.