test/t-21-dkim: Add cross-tool check against driusan/dkimverify

This patch adds a cross-tool integration check that uses driusan/dkim's dkimverify to confirm it can verify our own DKIM signatures. It is optional, since the tool may not be present.
2025-12-17 14:37:02 +00:00 · 2024-03-09 21:58:55 +00:00
parent 8abed11ede
commit 7a2e49c849
5 changed files with 44 additions and 4 deletions
--- a/test/t-21-dkim/from_B_to_A.expected
+++ b/test/t-21-dkim/from_B_to_A.expected
@@ -2,12 +2,18 @@ From user-a@srv-a
 Authentication-Results: srv-a
 	;spf=none (no DNS record found)
 	;dkim=pass  header.b=*
-DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 	d=srv-b; s=sel77; *
 	h=from:subject:to:from:subject:date:to:cc:message-id;
 	bh=*
 	b=*
 	  *
+	  *
+	  *
+	  *
+	  *
+	  *
+	  *
 From: user-b@srv-b
 To: user-a@srv-a
 Subject: Feliz primavera!
--- a/test/t-21-dkim/run.sh
+++ b/test/t-21-dkim/run.sh
@@ -16,7 +16,7 @@ export GOTAGS="dnsoverride"
 # Use a fixed selector so we can be more thorough in from_B_to_A.expected.
 rm -f B/domains/srv-b/*.pem
 mkdir -p B/domains/srv-b/
-CONFDIR=B chasquid-util dkim-keygen srv-b sel77 --algo=ed25519 > /dev/null
+CONFDIR=B chasquid-util dkim-keygen srv-b sel77 > /dev/null

 cp zones .zones
 CONFDIR=B chasquid-util dkim-dns srv-b | sed 's/"//g' >> .zones
@@ -65,5 +65,24 @@ smtpc --addr=localhost:2465 \
 wait_for_file .mail/user-a@srv-a
 mail_diff from_B_to_A.expected .mail/user-a@srv-a

+# Run chasquid-util dkim-verify to double check these are valid.
+cat .zones | grep _domainkey.srv-b | sed 's/.*TXT//g' > .srv-b.dns.txt
+CONFDIR=A chasquid-util dkim-verify -v "--txt=$(cat ./.srv-b.dns.txt)" \
+	< .mail/user-a@srv-a > .chasquid-util-dkim-verify.out 2>&1
+if ! grep -q ";dkim=pass" .chasquid-util-dkim-verify.out; then
+	echo "chasquid-util dkim-verify output:"
+	cat .chasquid-util-dkim-verify.out
+	echo
+	fail "Failed chasquid-util dkim-verify"
+fi
+
+# If driusan/dkim's dkimverify is available, use it to check the generated
+# signature.
+if dkimverify --help 2>&1 > /dev/null | grep -q -- "-txt string"; then
+	# Verify B's signature only, because dkimverify only supports RSA.
+	dkimverify -txt .srv-b.dns.txt < .mail/user-a@srv-a
+else
+	echo "skipped driusan's dkimverify cross-check (binary not available)"
+fi

 success