OpenDKIM

add alternative direct parsing of RSAPublicKey format

Open sp-andwei opened this issue 6 years ago • 4 comments

RFC 6376 quite clearly states that keys published in DNS should be in base64-encoded RSAPublicKey format; examples and the whole world use SubjectPublicKeyInfo, but as long as errata https://www.rfc-editor.org/errata/eid3017 is not implemented using a "MUST be contained in a SubjectPublicKeyInfo" (instead of MAY), libopendkim should be able to read an RSAPublicKey from DNS

sp-andwei avatar Nov 08 '19 20:11 sp-andwei
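To make the two encodings the issue is about concrete, here is an added example (not OpenDKIM code and not the issue author's patch) that decodes the p= value of a DKIM TXT record and accepts either form. It tells them apart by the first element inside the outer SEQUENCE: an AlgorithmIdentifier SEQUENCE means SubjectPublicKeyInfo, a bare INTEGER means the RSAPublicKey modulus. It uses only the Python standard library, and the key material is constructed and far too small for real use; a libopendkim fix would take the same two-branch shape with OpenSSL's d2i_PUBKEY() and d2i_RSAPublicKey().

```python
"""Decode the p= value of a DKIM TXT record into an RSA (n, e) pair, accepting
both the SubjectPublicKeyInfo encoding the examples use and the bare
RSAPublicKey encoding RFC 6376 names. Standard library only; the DER reader is
deliberately minimal (no indefinite lengths, no constructed strings) because
DKIM keys never need them."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# Constructed test key material: a 256-bit "modulus" and e = 65537. Far too
# small to be a real DKIM key; it only exercises the two encodings.
TEST_N = 0xD3A1F5C6B7E8294A5B6C7D8E9FA0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A9
TEST_E = 65537


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_rsa_public_key(der):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    tag, body, _ = _read_tlv(der, 0)
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, _ = _read_tlv(body, pos)
    if (tag, tag_n, tag_e) != (0x30, 0x02, 0x02):
        raise ValueError("not an RSAPublicKey structure")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_dkim_public_key(der):
    """Return (format_name, (n, e)). The outer SEQUENCE's first element tells
    the formats apart: a SEQUENCE is the AlgorithmIdentifier of a
    SubjectPublicKeyInfo, an INTEGER is the modulus of a bare RSAPublicKey."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("key does not start with a SEQUENCE")
    first_tag, first, pos = _read_tlv(body, 0)
    if first_tag == 0x30:
        oid_tag, oid, _ = _read_tlv(first, 0)
        if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
            raise ValueError("SubjectPublicKeyInfo algorithm is not rsaEncryption")
        bs_tag, bitstring, _ = _read_tlv(body, pos)
        if bs_tag != 0x03 or bitstring[:1] != b"\x00":
            raise ValueError("malformed subjectPublicKey BIT STRING")
        return "SubjectPublicKeyInfo", _parse_rsa_public_key(bitstring[1:])
    if first_tag == 0x02:
        return "RSAPublicKey", _parse_rsa_public_key(der)
    raise ValueError("unrecognised key structure")


def parse_dkim_txt_record(txt):
    """Split a tag=value record, strip the whitespace RFC 6376 allows inside p=,
    and hand the decoded DER to parse_dkim_public_key."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = value
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        raise ValueError("empty p= means the key is revoked")
    return parse_dkim_public_key(base64.b64decode(p))


# --- Encoders used only to build the constructed test records below. ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v):
    # (bit_length + 8) // 8 reserves a leading 0x00 byte when the top bit is set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def rsa_public_key_der(n, e):
    return _der(0x30, _der_int(n) + _der_int(e))


def spki_der(n, e):
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # rsaEncryption, NULL
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_public_key_der(n, e)))


def make_record(der):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()


if __name__ == "__main__":
    for der in (spki_der(TEST_N, TEST_E), rsa_public_key_der(TEST_N, TEST_E)):
        fmt, (n, e) = parse_dkim_txt_record(make_record(der))
        print(fmt, hex(n)[:18] + "...", e)
```

Run stand-alone it prints the detected format and (n, e) for both encodings of the same constructed key. A verifier that only knows SubjectPublicKeyInfo would reach the `first_tag == 0x02` branch and fail, which is exactly the symptom the issue describes for a record published in RSAPublicKey form.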

Sending on to Murray for review.

martinbogo avatar Oct 16 '20 16:10 martinbogo

I should probably have mentioned that this only implements the fix for OpenSSL. A corresponding addition for GnuTLS would be needed as well. If there is willingness to make the change, I could try to provide that as well.

sp-andwei avatar Oct 26 '20 13:10 sp-andwei

I'm wondering why we're doing this now if we concede that virtually the entire installed base doesn't need it. Are we sure this is a good idea?

I'd also like to see the format of this change to conform to the rest of the code so that the package as a whole looks like it's consistently managed; in particular:

  • no empty "if"/"else" blocks
  • if (foo() == NULL), not if (NULL == foo())
  • block comments here look like block comments elsewhere

mskucherawy avatar Oct 29 '20 03:10 mskucherawy

Well I'd argue that this is more about acting according to the RFC. It's about correctly interpreting whatever someone who has nothing to do with libopendkim has configured into his or her DNS servers. Of course you could argue that probably 95% of people will not actually decide about which key format is stored in the DNS because they use some third party service to set it up.

But the remaining 5% are in for some digging and confusion if they just stick to the RFC and find (slowly) out that their public key is not accepted, although they configured everything correctly (this is basically exactly what happened to me because I stuck to the RFC and not just copy/pasted the example at the bottom, idiot that I am).

I can adapt the patch according to your suggestions, no problem at all. Please let me know if you'd accept it.

sp-andwei avatar Oct 29 '20 13:10 sp-andwei