Erik Lotspeich wrote:
> I am wondering about dkim_getsiglist(). Can a message contain multiple
> valid signatures? How does this function differ from dkim_getsignature()?
> When should I use each one?

It depends on how much control you want over signature processing.

dkim_getsignature() is used late in the process (i.e. after end-of-message) to return the first signature that validated or, if none did, the first syntactically valid signature. This is useful for an application with very simple policies.

dkim_getsiglist() returns all signatures that were minimally syntactically valid, and this information is available much earlier in message processing (i.e. at end-of-headers). You can use the signature array you get back to inspect each one and mark specific ones to be ignored by the library. You can request the signature list late in the process too if you want to inspect all valid signatures to see which one(s) you want to report.

Yes, a message can contain multiple valid signatures, if for example two different agents (maybe the sender and his/her ISP) signed it. This is why dkim_getsiglist() was added to the API.

> I also have a question about dkim_sig_getbh(). The comments refer to a
> "bh" test state. What is the "bh" test state?

The "bh" tag on a signature is a cryptographic hash of the message body. The "bh" flag inside a signature handle is an indication of whether or not the body hash in the DKIM signature matched the message body the library was given.

This is an important step of DKIM verification. The actual cryptography in a DKIM signature only covers the headers and the signature itself (which in turn includes the body hash), meaning signature validation only proves the headers and signature were unchanged in transit. You have to take the extra step of checking that the body hash in the signature also matched the body you got, otherwise someone could send an altered body and you'd still approve it.
_______________________________________________
dkim-milter-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
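
The body-hash check described in the reply above, as an added example that is not part of the original message or of the dkim-milter code: it recomputes `bh` using the RFC 6376 body canonicalizations and compares it with the tag in a constructed DKIM-Signature value. The function names, sample body and signature value are assumptions made for illustration, and the `b=` signature over the headers is not verified here.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    # RFC 6376 3.4.3: ignore trailing empty lines, always end with one CRLF.
    return re.sub(rb"(?:\r\n)*\Z", b"", body, count=1) + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    # RFC 6376 3.4.4: collapse runs of WSP, strip WSP at line ends,
    # ignore trailing empty lines; an empty body stays empty.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and not lines[-1]:
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def parse_tags(sig_value: str) -> dict:
    # Split the "tag=value; tag=value" list; drop folding whitespace in values.
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(sig_value: str, body: bytes) -> bool:
    """True if the bh= tag equals the hash of the body actually received."""
    tags = parse_tags(sig_value)
    algo = hashlib.sha256 if tags["a"].endswith("sha256") else hashlib.sha1
    # c= is "header/body"; a missing body part defaults to "simple".
    body_canon = tags.get("c", "simple/simple").partition("/")[2]
    canon = canon_relaxed(body) if body_canon == "relaxed" else canon_simple(body)
    if "l" in tags:  # optional body length limit
        canon = canon[: int(tags["l"])]
    computed = base64.b64encode(algo(canon).digest()).decode()
    return computed == tags["bh"]

# Constructed sample data (not from a real message).
BODY = b"Invoice total: 100 USD\r\n\r\n"

def sample_signature(body: bytes) -> str:
    bh = base64.b64encode(hashlib.sha256(canon_relaxed(body)).digest()).decode()
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;"
            f" h=from:subject; bh={bh}; b=PLACEHOLDER")

if __name__ == "__main__":
    sig = sample_signature(BODY)
    print("original body:", body_hash_matches(sig, BODY))
    print("altered body: ", body_hash_matches(sig, BODY.replace(b"100", b"900")))
```

A verifier has to require both results: the header signature validating and the body hash matching.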
