Debug "no AR headers found, chain terminated" when not the case?

Bug #1748146 reported by Cyril N. on 2018-02-08
This bug affects 1 person
Affects: dkimpy
Importance: High
Assigned to: Scott Kitterman

Bug Description

Hi!

Using `dkimpy` v0.7, I stumbled across an odd behaviour.
Maybe I'm wrong and I missed a specification from the ARC RFC, but I saved a GMail basic message, containing headers like:

ARC-Seal
ARC-Message-Signature
ARC-Authentication-Results

And tried to sign this email with my domain, using the following command:

arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221', 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com: none", dkim.CV_Pass)

The result is an empty string, with this message in the log:

> no AR headers found, chain terminated

Checking the code at this location, I found that you are searching for `Authentication-Results` headers.

Shouldn't it be `ARC-Authentication-Results` instead? Maybe that's what is causing the issue?

By the way, when the data is (considered) invalid, the `sign` function returns an empty string, but when successful, it returns a list.

Shouldn't it be better to stay consistent with the return value? Say, when there is an error, instead of returning an empty string, returning an empty list? This wouldn't break the code and/or force us to make tests on the results. (just a thought).

Thanks :)


Hello,

In dkimpy 0.7 the ARC signing API has changed. Instead of passing

"improvmx.com: none", dkim.CV_Pass

as the final arguments to the call, you simply would pass "improvmx.com",
which is the domain in the Authentication Results header, and the code will
parse the ARC validation value out of this header.

Regards,
=Gene

On Thu, Feb 8, 2018 at 2:01 AM, Cyril N. <email address hidden> wrote:

> Public bug reported:
>
> Hi!
>
> Using `dkimpy` v0.7, I stumbled across an odd behaviour.
> Maybe I'm wrong and I missed a specification from the ARC RFC, but I saved
> a GMail basic message, containing headers like:
>
> ARC-Seal
> ARC-Message-Signature
> ARC-Authentication-Results
>
> And tried to sign this email with my domain, using the following
> command:
>
> arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221',
> 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com: none",
> dkim.CV_Pass)
>
> The result is an empty string, with this message in the log:
>
> > no AR headers found, chain terminated
>
> Checking the code at this location, I found that you are searching for
> `Authentication-Results` headers.
>
> Shouldn't it be `ARC-Authentication-Results` instead? Maybe that's what
> is causing the issue?
>
> By the way, when the data is (considered) invalid, the `sign` function
> returns an empty string, but when successful, it returns a list.
>
> Shouldn't it be better to stay consistent with the return value? Say,
> when there is an error, instead of returning an empty string, returning
> an empty list? This wouldn't break the code and/or force us to make
> tests on the results. (just a thought).
>
> Thanks :)
>
> ** Affects: dkimpy
> Importance: Undecided
> Status: New

Scott Kitterman (kitterman) wrote :

From an external review:

The other part of his report about the error return, it does look
like there are two early returns which return b'' instead of [], they
should probably be changed to return []

Changed in dkimpy:
assignee: nobody → Scott Kitterman (kitterman)
importance: Undecided → High
status: New → Triaged
milestone: none → 0.4.2
milestone: 0.4.2 → 0.7.1

Scott Kitterman (kitterman) wrote :

modified ChangeLog
modified dkim/__init__.py
Committed revision 186.

Changed in dkimpy:
status: Triaged → Fix Committed

Scott Kitterman (kitterman) wrote :

2018-02-17 Version 0.7.1
    - Update ed25519 tests, including using sample keys from RFC 8032 Section
      7.1 and the sample message from RFC 6376
    - Return an empty list (as expected) when no AR headers are found or no AR
      arc stamps are found and the chain terminated (LP: #1748146)
    - Use correct h= tag in dknewnkey.py generated DKIM records for RSA

Changed in dkimpy:
status: Fix Committed → Fix Released

Cyril N. (cnicodeme) wrote :

Hi! I'm re-opening it because I can't make it work!

I changed the sign call like you said:

From:
`arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221', 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com: none", dkim.CV_Pass)`

To:
`arc_seal = dkim.ARC(data, logger=log).sign('arc-20171221', 'improvmx.com', open('certs/id_rsa', "rb").read(), "improvmx.com")`

But it doesn't work, still having the same issue.

In order for the

> no AR headers found, chain terminated

to not be displayed, I need to set the last parameter to the sending server value (in this case, "mx.google.com", coming from: `ARC-Authentication-Results: i=1; mx.google.com;`)

I don't know why it behaves this way. I only want to sign that email, not verify a previously set ARC seal?

What am I missing?
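
A pre-flight check for the condition discussed in this thread, added here as an example (it is not part of the report and not dkimpy code). It assumes, as the thread describes, that the signer only looks at plain `Authentication-Results` headers whose authserv-id equals the last argument to `sign`; the helper names, the sample message and the local header are constructed.

```python
import re
from email import message_from_bytes

# Constructed sample modelled on the report: a saved message that already has
# one ARC set and one Authentication-Results header, both from mx.google.com.
SAMPLE = (
    b"ARC-Authentication-Results: i=1; mx.google.com;\r\n"
    b"\tspf=pass smtp.mailfrom=sender@example.org\r\n"
    b"Authentication-Results: mx.google.com;\r\n"
    b"\tspf=pass smtp.mailfrom=sender@example.org\r\n"
    b"From: sender@example.org\r\n"
    b"Subject: constructed test message\r\n"
    b"\r\n"
    b"body\r\n"
)
# Constructed header a local MTA might stamp (authserv-id is an assumption).
LOCAL_AR = b"Authentication-Results: improvmx.com; arc=pass; spf=pass\r\n"


def authserv_id(value):
    """First token of an Authentication-Results value (simplified RFC 8601 parse)."""
    value = re.sub(r"\([^()]*\)", " ", str(value))  # drop non-nested comments
    head = value.split(";", 1)[0].split()           # also unfolds CRLF + WSP
    return head[0].lower() if head else ""


def preflight(raw, srv_id):
    """Report whether a signer keyed on srv_id would find a usable AR header."""
    msg = message_from_bytes(raw)
    ids = [authserv_id(v) for v in msg.get_all("Authentication-Results", [])]
    arc_sets = len(msg.get_all("ARC-Authentication-Results", []))
    would_sign = srv_id.lower() in ids
    if would_sign:
        reason = "Authentication-Results header with matching authserv-id found"
    elif ids:
        reason = "Authentication-Results present, but only for: " + ", ".join(ids)
    elif arc_sets:
        reason = "only ARC-Authentication-Results present; those are not searched"
    else:
        reason = "no Authentication-Results header at all"
    return {"authserv_ids": ids, "arc_sets": arc_sets,
            "would_sign": would_sign, "reason": reason}


if __name__ == "__main__":
    for srv in ("improvmx.com", "mx.google.com"):
        print(srv, preflight(SAMPLE, srv))
    print("improvmx.com", preflight(LOCAL_AR + SAMPLE, "improvmx.com"))
```

For the sample only `mx.google.com` matches, which mirrors what the last comment observed. An intermediary normally seals the `Authentication-Results` header stamped by its own MTA, so the check passing for an upstream authserv-id means the seal would be built from someone else's results.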
