dkimpy

Debug "no AR headers found, chain terminated" when not the case?

Bug #1748146 reported by Cyril N. on 2018-02-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	dkimpy	Fix Released	High	Scott Kitterman	dkimpy 0.7.1

Bug Description

Hi!

Using `dkimpy` v0.7, I stumble accross an odd behaviour.
Maybe I'm wrong and I missed a specification from the ARC RFC, but I saved a GMail basic message, containing headers like:

ARC-Seal
ARC-Message-Signature
ARC-Authentication-Results

And tried to sign this email with my domain, using the following command:

arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221', 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com: none", dkim.CV_Pass)

The result is an empty string, with this message in the log:

> no AR headers found, chain terminated

Checking the code at this location, I found that you are searching for `Authentication-Results` headers.

Shouldn't it be `ARC-Authentication-Results` instead? Maybe that's what is causing the issue?

By the way, when the data is (considered) invalid, the `sign` function returns an empty string, but when successful, it returns an list.

Shouldn't it be better to stay consistent with the return value? Say, when there is an error, instead of returning an empty string, returning an empty list? This wouldn't break the code and/or force us to make tests on the results. (just a thought).

Thanks :)

Revision history for this message

Gene Shuman (geneshuman) wrote on 2018-02-08: Re: [Bug 1748146] [NEW] Debug "no AR headers found, chain terminated" when not the case?

Download full text (3.4 KiB)

Hello,

In dkimpy 0.7 the ARC signing API has changed. Instead of passing

"improvmx.com: none", dkim.CV_Pass

as the final arguments to the call, you simply would pass" improvmx.com",
which is the domain in the Authentication Results header, and the code will
parse the ARC validation value out of this header.

Regards,
=Gene

On Thu, Feb 8, 2018 at 2:01 AM, Cyril N. <email address hidden> wrote:

> Public bug reported:
>
> Hi!
>
> Using `dkimpy` v0.7, I stumble accross an odd behaviour.
> Maybe I'm wrong and I missed a specification from the ARC RFC, but I saved
> a GMail basic message, containing headers like:
>
> ARC-Seal
> ARC-Message-Signature
> ARC-Authentication-Results
>
> And tried to sign this email with my domain, using the following
> command:
>
> arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221',
> 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com: none",
> dkim.CV_Pass)
>
> The result is an empty string, with this message in the log:
>
> > no AR headers found, chain terminated
>
> Checking the code at this location, I found that you are searching for
> `Authentication-Results` headers.
>
> Shouldn't it be `ARC-Authentication-Results` instead? Maybe that's what
> is causing the issue?
>
> By the way, when the data is (considered) invalid, the `sign` function
> returns an empty string, but when successful, it returns an list.
>
> Shouldn't it be better to stay consistent with the return value? Say,
> when there is an error, instead of returning an empty string, returning
> an empty list? This wouldn't break the code and/or force us to make
> tests on the results. (just a thought).
>
> Thanks :)
>
> ** Affects: dkimpy
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are a member of dkimpy
> developers, which is subscribed to dkimpy.
> https://bugs.launchpad.net/bugs/1748146
>
> Title:
> Debug "no AR headers found, chain terminated" when not the case?
>
> Status in dkimpy:
> New
>
> Bug description:
> Hi!
>
> Using `dkimpy` v0.7, I stumble accross an odd behaviour.
> Maybe I'm wrong and I missed a specification from the ARC RFC, but I
> saved a GMail basic message, containing headers like:
>
> ARC-Seal
> ARC-Message-Signature
> ARC-Authentication-Results
>
> And tried to sign this email with my domain, using the following
> command:
>
> arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221',
> 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com:
> none", dkim.CV_Pass)
>
> The result is an empty string, with this message in the log:
>
> > no AR headers found, chain terminated
>
> Checking the code at this location, I found that you are searching for
> `Authentication-Results` headers.
>
> Shouldn't it be `ARC-Authentication-Results` instead? Maybe that's
> what is causing the issue?
>
> By the way, when the data is (considered) invalid, the `sign` function
> returns an empty string, but when successful, it returns an list.
>
> Shouldn't it be better to stay consistent with the return value? Say,
> when there is an error, instead of returning an empty string,
> returning an empty list...

Hello,

In dkimpy 0.7 the ARC signing API has changed.  Instead of passing

"improvmx.com: none", dkim.CV_Pass

Regards,
=Gene

On Thu, Feb 8, 2018 at 2:01 AM, Cyril N. <1748146@bugs.launchpad.net> wrote:

> Public bug reported:
>
> Hi!
>
> Using `dkimpy` v0.7, I stumble accross an odd behaviour.
> Maybe I'm wrong and I missed a specification from the ARC RFC, but I saved
> a GMail basic message, containing headers like:
>
> ARC-Seal
> ARC-Message-Signature
> ARC-Authentication-Results
>
> And tried to sign this email with my domain, using the following
> command:
>
> arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221',
> 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com: none",
> dkim.CV_Pass)
>
> The result is an empty string, with this message in the log:
>
> > no AR headers found, chain terminated
>
> Checking the code at this location, I found that you are searching for
> `Authentication-Results` headers.
>
> Shouldn't it be `ARC-Authentication-Results` instead? Maybe that's what
> is causing the issue?
>
> By the way, when the data is (considered) invalid, the `sign` function
> returns an empty string, but when successful, it returns an list.
>
> Shouldn't it be better to stay consistent with the return value? Say,
> when there is an error, instead of returning an empty string, returning
> an empty list? This wouldn't break the code and/or force us to make
> tests on the results. (just a thought).
>
> Thanks :)
>
> ** Affects: dkimpy
>      Importance: Undecided
>          Status: New
>
> --
> You received this bug notification because you are a member of dkimpy
> developers, which is subscribed to dkimpy.
> https://bugs.launchpad.net/bugs/1748146
>
> Title:
>   Debug "no AR headers found, chain terminated" when not the case?
>
> Status in dkimpy:
>   New
>
> Bug description:
>   Hi!
>
>   Using `dkimpy` v0.7, I stumble accross an odd behaviour.
>   Maybe I'm wrong and I missed a specification from the ARC RFC, but I
> saved a GMail basic message, containing headers like:
>
>   ARC-Seal
>   ARC-Message-Signature
>   ARC-Authentication-Results
>
>   And tried to sign this email with my domain, using the following
>   command:
>
>   arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221',
>   'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com:
>   none", dkim.CV_Pass)
>
>   The result is an empty string, with this message in the log:
>
>   > no AR headers found, chain terminated
>
>   Checking the code at this location, I found that you are searching for
>   `Authentication-Results` headers.
>
>   Shouldn't it be `ARC-Authentication-Results` instead? Maybe that's
>   what is causing the issue?
>
>   By the way, when the data is (considered) invalid, the `sign` function
>   returns an empty string, but when successful, it returns an list.
>
>   Shouldn't it be better to stay consistent with the return value? Say,
>   when there is an error, instead of returning an empty string,
>   returning an empty list? This wouldn't break the code and/or force us
>   to make tests on the results. (just a thought).
>
>   Thanks :)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/dkimpy/+bug/1748146/+subscriptions
>

Revision history for this message

Scott Kitterman (kitterman) wrote on 2018-02-09:

From an external review:

The other part of his report about the error return, it does look
like there are two early returns which return b'' instead of [], they
should probably be
changed to return []

Changed in dkimpy:
assignee:	nobody → Scott Kitterman (kitterman)
importance:	Undecided → High
status:	New → Triaged
milestone:	none → 0.4.2
milestone:	0.4.2 → 0.7.1

Revision history for this message

Scott Kitterman (kitterman) wrote on 2018-02-12:

modified ChangeLog
modified dkim/__init__.py
Committed revision 186.

Changed in dkimpy:
status:	Triaged → Fix Committed

Revision history for this message

Scott Kitterman (kitterman) wrote on 2018-02-17:

2018-02-17 Version 0.7.1
    - Update ed25519 tests, including using sample keys from RFC 8032 Section
      7.1 and the sample message from RFC 6376
    - Return an empty list (as expected) when no AR headers are found or no AR
      arc stamps are found and the chain terminated (LP: #1748146)
    - Use correct h= tag in dknewnkey.py generated DKIM records for RSA

Changed in dkimpy:
status:	Fix Committed → Fix Released

Revision history for this message

Cyril N. (cnicodeme) wrote on 2018-07-11:

Hi! I'm re-opening it because I can't make it work!

I changed the sign call like you said :

From:
`arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221', 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com: none", dkim.CV_Pass)`

To:
`arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221', 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com")`

But it doesn't work, still having the same issue.

In order for the

> no AR headers found, chain terminated

To not be displayed, I need to set the last parameter to the sending server value (in this case, "mx.google.com", coming from: `ARC-Authentication-Results: i=1; mx.google.com;`)

I don't know why this behavior. I only want to sign that email, not verifying a previously set ARC seal?

What am I missing?

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.