arcsign.cpp

   1 #include "Mailbox.hpp"
   2 #include "OpenARC.hpp"
   3 #include "OpenDKIM.hpp"
   4 #include "OpenDMARC.hpp"
   5 #include "esc.hpp"
   6 #include "fs.hpp"
   7 #include "iequal.hpp"
   8 #include "imemstream.hpp"
   9 #include "message.hpp"
  10 #include "osutil.hpp"
  11
  12 #include <cstring>
  13 #include <map>
  14
  15 #include <fmt/format.h>
  16 #include <fmt/ostream.h>
  17
  18 #include <boost/algorithm/string.hpp>
  19 #include <boost/iostreams/device/mapped_file.hpp>
  20
  21 using namespace std::string_literals;
  22
  23 DEFINE_string(signer, "digilicious.com", "signing domain");
  24 DEFINE_string(selector, "ghsmtp", "DKIM selector");
  25
  26 bool arc_sign(message::parsed& msg,
  27               char const*      sender,
  28               char const*      selector,
  29               fs::path         key_file,
  30               char const*      server_id)
  31 {
  32   CHECK(!msg.headers.empty());
  33
  34   // ARC
  35
  36   OpenARC::verify arv;
  37   for (auto const& header : msg.headers) {
  38     arv.header(header.as_view());
  39   }
  40   arv.eoh();
  41   arv.body(msg.body);
  42   arv.eom();
  43
  44   LOG(INFO) << "ARC status  == " << arv.chain_status_str();
  45   LOG(INFO) << "ARC custody == " << arv.chain_custody_str();
  46
  47   auto const arc_status = arv.chain_status_str();
  48
  49   // Run our message through ARC::sign
  50
  51   OpenARC::sign ars;
  52
  53   if (iequal(arc_status, "none")) {
  54     ars.set_cv_none();
  55   }
  56   else if (iequal(arc_status, "fail")) {
  57     ars.set_cv_fail();
  58   }
  59   else if (iequal(arc_status, "pass")) {
  60     ars.set_cv_pass();
  61   }
  62   else {
  63     ars.set_cv_unkn();
  64   }
  65
  66   for (auto const& header : msg.headers) {
  67     ars.header(header.as_view());
  68   }
  69   ars.eoh();
  70   ars.body(msg.body);
  71   ars.eom();
  72
  73   boost::iostreams::mapped_file_source priv;
  74   priv.open(key_file);
  75
  76   std::string ar_results = "None";
  77   for (auto hdr : msg.headers) {
  78     if (hdr == message::Authentication_Results) {
  79       std::string authservid;
  80       if (message::authentication_results_parse(hdr.as_view(), authservid,
  81                                                 ar_results)) {
  82         if (Domain::match(authservid, sender))
  83           break;
  84         LOG(INFO) << "ignoring AR: " << hdr.as_string();
  85       }
  86       LOG(WARNING) << "failed to parse «"
  87                    << esc(hdr.as_string(), esc_line_option::multi) << "»";
  88       ar_results = "None";
  89     }
  90   }
  91
  92   if (ars.seal(sender, selector, sender, priv.data(), priv.size(),
  93                ar_results.c_str())) {
  94     msg.arc_hdrs = ars.whole_seal();
  95     for (auto const& hdr : msg.arc_hdrs) {
  96       CHECK(msg.parse_hdr(hdr));
  97     }
  98   }
  99   else {
 100     LOG(INFO) << "failed to generate seal";
 101   }
 102
 103   OpenARC::verify arv2;
 104   for (auto const& header : msg.headers) {
 105     arv2.header(header.as_view());
 106   }
 107   arv2.eoh();
 108   arv2.body(msg.body);
 109   arv2.eom();
 110
 111   LOG(INFO) << "check ARC status  == " << arv2.chain_status_str();
 112   LOG(INFO) << "check ARC custody == " << arv2.chain_custody_str();
 113
 114   return "fail"s != arv2.chain_status_str();
 115 }
 116
 117 int main(int argc, char* argv[])
 118 {
 119   google::ParseCommandLineFlags(&argc, &argv, true);
 120
 121   auto const server_identity = [] {
 122     auto const id_from_env{getenv("GHSMTP_SERVER_ID")};
 123     if (id_from_env)
 124       return std::string{id_from_env};
 125
 126     auto const hostname{osutil::get_hostname()};
 127     if (hostname.find('.') != std::string::npos)
 128       return hostname;
 129
 130     LOG(FATAL) << "can't determine my server ID, set GHSMTP_SERVER_ID maybe";
 131     return "(none)"s;
 132   }();
 133
 134   auto const config_path = osutil::get_config_dir();
 135
 136   auto const selector = FLAGS_selector.c_str();
 137
 138   auto const key_file = (config_path / selector).replace_extension("private");
 139   CHECK(fs::exists(key_file)) << "can't find key file " << key_file;
 140
 141   auto const dom_signer{Domain(FLAGS_signer)};
 142
 143   for (int a = 1; a < argc; ++a) {
 144     if (!fs::exists(argv[a]))
 145       LOG(FATAL) << "can't find mail file " << argv[a];
 146     boost::iostreams::mapped_file_source file;
 147     file.open(argv[a]);
 148     message::parsed msg;
 149     CHECK(msg.parse(std::string_view(file.data(), file.size())));
 150     CHECK(arc_sign(msg, dom_signer.ascii().c_str(), selector, key_file,
 151                    server_identity.c_str()));
 152     std::cout << msg.as_string();
 153   }
 154 }