Hello,
Now that OpenDKIM 2.7 can be used for protocols other than SMTP, namely
HTTP, I have run across one other issue that seems like it should be
low-hanging fruit.
The iSchedule profile of DKIM includes an xtag of the form:
http=<http-method> ':' <request-url>
which gets hashed along with all of the other tags in the DKIM-Signature
header (other than b=) to prevent a replay attack from using a different
HTTP method or URL.
There is always a possibility that this DKIM-signed HTTP request could
result in a 3xx response, meaning that its being redirected to a
different host and/or URL.
In the iSchedule case, its usually just a different URL on the same
host, but we can't just use the same sig header for the new request,
because the http tag won't match the new URL. My current code runs
through the entire process of creating a DKIM handle, adding the http
tag, processing the message, and generating the sig header for the new
request. This seems like a waste, as none of the headers (other than
the sig header), the body, or the body hash change.
Is there a way that I can just change the http tag and reuse the same
signing handle to generate the updates sig header?
I found dkim_resign() but that appears to only be used for turning
around a verify handle.
Can dkim_resign() be massaged so that it can handle a signing handle as
the "old" handle?
Can the original signing handle be "reset" so that the same parameters,
header cache, and body hash can be reused?
dkim_add_xtag() could be massaged so that rather than throwing an error
when a duplicate xtag is seen, that it just overwrites the content for
the xtag.
Thoughts?
--
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University
Received on Wed Sep 26 2012 - 15:19:53 PST