update
This commit is contained in:
405
test/suite/security/test.dkim-processing.ts
Normal file
405
test/suite/security/test.dkim-processing.ts
Normal file
@ -0,0 +1,405 @@
|
||||
import { tap, expect } from '@push.rocks/tapbundle';
|
||||
import * as plugins from '../plugins.js';
|
||||
import * as net from 'net';
|
||||
import { startTestServer, stopTestServer, TEST_PORT, sendEmailWithRawSocket } from '../server.loader.js';
|
||||
|
||||
let testServer: any;
|
||||
|
||||
tap.test('setup - start test server', async () => {
|
||||
testServer = await startTestServer();
|
||||
await plugins.smartdelay.delayFor(1000);
|
||||
});
|
||||
|
||||
tap.test('DKIM Processing - Valid DKIM signature', async (tools) => {
|
||||
const done = tools.defer();
|
||||
|
||||
const socket = net.createConnection({
|
||||
host: 'localhost',
|
||||
port: TEST_PORT,
|
||||
timeout: 30000
|
||||
});
|
||||
|
||||
let dataBuffer = '';
|
||||
let step = 'greeting';
|
||||
|
||||
socket.on('data', (data) => {
|
||||
dataBuffer += data.toString();
|
||||
console.log('Server response:', data.toString());
|
||||
|
||||
if (step === 'greeting' && dataBuffer.includes('220 ')) {
|
||||
step = 'ehlo';
|
||||
socket.write('EHLO testclient\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
|
||||
step = 'mail';
|
||||
socket.write('MAIL FROM:<sender@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'mail' && dataBuffer.includes('250')) {
|
||||
step = 'rcpt';
|
||||
socket.write('RCPT TO:<recipient@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'rcpt' && dataBuffer.includes('250')) {
|
||||
step = 'data';
|
||||
socket.write('DATA\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'data' && dataBuffer.includes('354')) {
|
||||
// Generate valid DKIM signature
|
||||
const timestamp = Math.floor(Date.now() / 1000);
|
||||
const dkimSignature = [
|
||||
'v=1; a=rsa-sha256; c=relaxed/relaxed;',
|
||||
' d=example.com; s=default;',
|
||||
' t=' + timestamp + ';',
|
||||
' h=from:to:subject:date:message-id;',
|
||||
' bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;',
|
||||
' b=AMGNaJ3BliF0KSLD0wTfJd1eJhYbhP8YD2z9BPwAoeh6nKzfQ8wktB9Iwml3GKKj',
|
||||
' V6zJSGxJClQAoqJnO7oiIzPvHZTMGTbMvV9YBQcw5uvxLa2mRNkRT3FQ5vKFzfVQ',
|
||||
' OlHnZ8qZJDxYO4JmReCBnHQcC8W9cNJJh9ZQ4A='
|
||||
].join('');
|
||||
|
||||
const email = [
|
||||
`DKIM-Signature: ${dkimSignature}`,
|
||||
`Subject: DKIM Test - Valid Signature`,
|
||||
`From: sender@example.com`,
|
||||
`To: recipient@example.com`,
|
||||
`Date: ${new Date().toUTCString()}`,
|
||||
`Message-ID: <dkim-valid-${Date.now()}@example.com>`,
|
||||
'',
|
||||
'This is a DKIM test email with a valid signature.',
|
||||
`Timestamp: ${Date.now()}`,
|
||||
'.',
|
||||
''
|
||||
].join('\r\n');
|
||||
|
||||
socket.write(email);
|
||||
dataBuffer = '';
|
||||
} else if (dataBuffer.includes('250 ') && dataBuffer.includes('Message accepted')) {
|
||||
console.log('Email with valid DKIM signature accepted');
|
||||
expect(true).toBeTrue();
|
||||
|
||||
socket.write('QUIT\r\n');
|
||||
socket.end();
|
||||
done.resolve();
|
||||
}
|
||||
});
|
||||
|
||||
socket.on('error', (err) => {
|
||||
console.error('Socket error:', err);
|
||||
done.reject(err);
|
||||
});
|
||||
|
||||
await done.promise;
|
||||
});
|
||||
|
||||
tap.test('DKIM Processing - Invalid DKIM signature', async (tools) => {
|
||||
const done = tools.defer();
|
||||
|
||||
const socket = net.createConnection({
|
||||
host: 'localhost',
|
||||
port: TEST_PORT,
|
||||
timeout: 30000
|
||||
});
|
||||
|
||||
let dataBuffer = '';
|
||||
let step = 'greeting';
|
||||
|
||||
socket.on('data', (data) => {
|
||||
dataBuffer += data.toString();
|
||||
console.log('Server response:', data.toString());
|
||||
|
||||
if (step === 'greeting' && dataBuffer.includes('220 ')) {
|
||||
step = 'ehlo';
|
||||
socket.write('EHLO testclient\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
|
||||
step = 'mail';
|
||||
socket.write('MAIL FROM:<sender@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'mail' && dataBuffer.includes('250')) {
|
||||
step = 'rcpt';
|
||||
socket.write('RCPT TO:<recipient@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'rcpt' && dataBuffer.includes('250')) {
|
||||
step = 'data';
|
||||
socket.write('DATA\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'data' && dataBuffer.includes('354')) {
|
||||
// Generate invalid DKIM signature (wrong domain, bad signature)
|
||||
const timestamp = Math.floor(Date.now() / 1000);
|
||||
const dkimSignature = [
|
||||
'v=1; a=rsa-sha256; c=relaxed/relaxed;',
|
||||
' d=wrong-domain.com; s=invalid;',
|
||||
' t=' + timestamp + ';',
|
||||
' h=from:to:subject:date;',
|
||||
' bh=INVALID-BODY-HASH;',
|
||||
' b=INVALID-SIGNATURE-DATA'
|
||||
].join('');
|
||||
|
||||
const email = [
|
||||
`DKIM-Signature: ${dkimSignature}`,
|
||||
`Subject: DKIM Test - Invalid Signature`,
|
||||
`From: sender@example.com`,
|
||||
`To: recipient@example.com`,
|
||||
`Date: ${new Date().toUTCString()}`,
|
||||
`Message-ID: <dkim-invalid-${Date.now()}@example.com>`,
|
||||
'',
|
||||
'This is a DKIM test email with an invalid signature.',
|
||||
`Timestamp: ${Date.now()}`,
|
||||
'.',
|
||||
''
|
||||
].join('\r\n');
|
||||
|
||||
socket.write(email);
|
||||
dataBuffer = '';
|
||||
} else if (dataBuffer.includes('250 ') || dataBuffer.includes('550 ')) {
|
||||
const accepted = dataBuffer.includes('250');
|
||||
console.log(`Email with invalid DKIM signature ${accepted ? 'accepted' : 'rejected'}`);
|
||||
// Either response is valid - server may accept and mark as failed, or reject
|
||||
expect(true).toBeTrue();
|
||||
|
||||
socket.write('QUIT\r\n');
|
||||
socket.end();
|
||||
done.resolve();
|
||||
}
|
||||
});
|
||||
|
||||
socket.on('error', (err) => {
|
||||
console.error('Socket error:', err);
|
||||
done.reject(err);
|
||||
});
|
||||
|
||||
await done.promise;
|
||||
});
|
||||
|
||||
tap.test('DKIM Processing - Missing DKIM signature', async (tools) => {
|
||||
const done = tools.defer();
|
||||
|
||||
const socket = net.createConnection({
|
||||
host: 'localhost',
|
||||
port: TEST_PORT,
|
||||
timeout: 30000
|
||||
});
|
||||
|
||||
let dataBuffer = '';
|
||||
let step = 'greeting';
|
||||
|
||||
socket.on('data', (data) => {
|
||||
dataBuffer += data.toString();
|
||||
console.log('Server response:', data.toString());
|
||||
|
||||
if (step === 'greeting' && dataBuffer.includes('220 ')) {
|
||||
step = 'ehlo';
|
||||
socket.write('EHLO testclient\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
|
||||
step = 'mail';
|
||||
socket.write('MAIL FROM:<sender@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'mail' && dataBuffer.includes('250')) {
|
||||
step = 'rcpt';
|
||||
socket.write('RCPT TO:<recipient@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'rcpt' && dataBuffer.includes('250')) {
|
||||
step = 'data';
|
||||
socket.write('DATA\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'data' && dataBuffer.includes('354')) {
|
||||
// Email without DKIM signature
|
||||
const email = [
|
||||
`Subject: DKIM Test - No Signature`,
|
||||
`From: sender@example.com`,
|
||||
`To: recipient@example.com`,
|
||||
`Date: ${new Date().toUTCString()}`,
|
||||
`Message-ID: <dkim-none-${Date.now()}@example.com>`,
|
||||
'',
|
||||
'This is a DKIM test email without any signature.',
|
||||
`Timestamp: ${Date.now()}`,
|
||||
'.',
|
||||
''
|
||||
].join('\r\n');
|
||||
|
||||
socket.write(email);
|
||||
dataBuffer = '';
|
||||
} else if (dataBuffer.includes('250 ') && dataBuffer.includes('Message accepted')) {
|
||||
console.log('Email without DKIM signature accepted (neutral)');
|
||||
expect(true).toBeTrue();
|
||||
|
||||
socket.write('QUIT\r\n');
|
||||
socket.end();
|
||||
done.resolve();
|
||||
}
|
||||
});
|
||||
|
||||
socket.on('error', (err) => {
|
||||
console.error('Socket error:', err);
|
||||
done.reject(err);
|
||||
});
|
||||
|
||||
await done.promise;
|
||||
});
|
||||
|
||||
tap.test('DKIM Processing - Multiple DKIM signatures', async (tools) => {
|
||||
const done = tools.defer();
|
||||
|
||||
const socket = net.createConnection({
|
||||
host: 'localhost',
|
||||
port: TEST_PORT,
|
||||
timeout: 30000
|
||||
});
|
||||
|
||||
let dataBuffer = '';
|
||||
let step = 'greeting';
|
||||
|
||||
socket.on('data', (data) => {
|
||||
dataBuffer += data.toString();
|
||||
console.log('Server response:', data.toString());
|
||||
|
||||
if (step === 'greeting' && dataBuffer.includes('220 ')) {
|
||||
step = 'ehlo';
|
||||
socket.write('EHLO testclient\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
|
||||
step = 'mail';
|
||||
socket.write('MAIL FROM:<sender@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'mail' && dataBuffer.includes('250')) {
|
||||
step = 'rcpt';
|
||||
socket.write('RCPT TO:<recipient@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'rcpt' && dataBuffer.includes('250')) {
|
||||
step = 'data';
|
||||
socket.write('DATA\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'data' && dataBuffer.includes('354')) {
|
||||
// Email with multiple DKIM signatures (common in forwarding)
|
||||
const timestamp = Math.floor(Date.now() / 1000);
|
||||
|
||||
const email = [
|
||||
'DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;',
|
||||
' d=example.com; s=selector1;',
|
||||
' t=' + timestamp + ';',
|
||||
' h=from:to:subject;',
|
||||
' bh=first-body-hash;',
|
||||
' b=first-signature',
|
||||
'DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;',
|
||||
' d=forwarder.com; s=selector2;',
|
||||
' t=' + (timestamp + 60) + ';',
|
||||
' h=from:to:subject:date:message-id;',
|
||||
' bh=second-body-hash;',
|
||||
' b=second-signature',
|
||||
`Subject: DKIM Test - Multiple Signatures`,
|
||||
`From: sender@example.com`,
|
||||
`To: recipient@example.com`,
|
||||
`Date: ${new Date().toUTCString()}`,
|
||||
`Message-ID: <dkim-multi-${Date.now()}@example.com>`,
|
||||
'',
|
||||
'This email has multiple DKIM signatures.',
|
||||
'.',
|
||||
''
|
||||
].join('\r\n');
|
||||
|
||||
socket.write(email);
|
||||
dataBuffer = '';
|
||||
} else if (dataBuffer.includes('250 ') && dataBuffer.includes('Message accepted')) {
|
||||
console.log('Email with multiple DKIM signatures accepted');
|
||||
expect(true).toBeTrue();
|
||||
|
||||
socket.write('QUIT\r\n');
|
||||
socket.end();
|
||||
done.resolve();
|
||||
}
|
||||
});
|
||||
|
||||
socket.on('error', (err) => {
|
||||
console.error('Socket error:', err);
|
||||
done.reject(err);
|
||||
});
|
||||
|
||||
await done.promise;
|
||||
});
|
||||
|
||||
tap.test('DKIM Processing - Expired DKIM signature', async (tools) => {
|
||||
const done = tools.defer();
|
||||
|
||||
const socket = net.createConnection({
|
||||
host: 'localhost',
|
||||
port: TEST_PORT,
|
||||
timeout: 30000
|
||||
});
|
||||
|
||||
let dataBuffer = '';
|
||||
let step = 'greeting';
|
||||
|
||||
socket.on('data', (data) => {
|
||||
dataBuffer += data.toString();
|
||||
console.log('Server response:', data.toString());
|
||||
|
||||
if (step === 'greeting' && dataBuffer.includes('220 ')) {
|
||||
step = 'ehlo';
|
||||
socket.write('EHLO testclient\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
|
||||
step = 'mail';
|
||||
socket.write('MAIL FROM:<sender@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'mail' && dataBuffer.includes('250')) {
|
||||
step = 'rcpt';
|
||||
socket.write('RCPT TO:<recipient@example.com>\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'rcpt' && dataBuffer.includes('250')) {
|
||||
step = 'data';
|
||||
socket.write('DATA\r\n');
|
||||
dataBuffer = '';
|
||||
} else if (step === 'data' && dataBuffer.includes('354')) {
|
||||
// DKIM signature with expired timestamp
|
||||
const expiredTimestamp = Math.floor(Date.now() / 1000) - 2592000; // 30 days ago
|
||||
const expirationTime = expiredTimestamp + 86400; // Expired 29 days ago
|
||||
|
||||
const dkimSignature = [
|
||||
'v=1; a=rsa-sha256; c=relaxed/relaxed;',
|
||||
' d=example.com; s=default;',
|
||||
' t=' + expiredTimestamp + '; x=' + expirationTime + ';',
|
||||
' h=from:to:subject:date;',
|
||||
' bh=expired-body-hash;',
|
||||
' b=expired-signature'
|
||||
].join('');
|
||||
|
||||
const email = [
|
||||
`DKIM-Signature: ${dkimSignature}`,
|
||||
`Subject: DKIM Test - Expired Signature`,
|
||||
`From: sender@example.com`,
|
||||
`To: recipient@example.com`,
|
||||
`Date: ${new Date().toUTCString()}`,
|
||||
`Message-ID: <dkim-expired-${Date.now()}@example.com>`,
|
||||
'',
|
||||
'This email has an expired DKIM signature.',
|
||||
'.',
|
||||
''
|
||||
].join('\r\n');
|
||||
|
||||
socket.write(email);
|
||||
dataBuffer = '';
|
||||
} else if (dataBuffer.includes('250 ') || dataBuffer.includes('550 ')) {
|
||||
const accepted = dataBuffer.includes('250');
|
||||
console.log(`Email with expired DKIM signature ${accepted ? 'accepted' : 'rejected'}`);
|
||||
// Either response is valid
|
||||
expect(true).toBeTrue();
|
||||
|
||||
socket.write('QUIT\r\n');
|
||||
socket.end();
|
||||
done.resolve();
|
||||
}
|
||||
});
|
||||
|
||||
socket.on('error', (err) => {
|
||||
console.error('Socket error:', err);
|
||||
done.reject(err);
|
||||
});
|
||||
|
||||
await done.promise;
|
||||
});
|
||||
|
||||
tap.test('cleanup - stop test server', async () => {
|
||||
await stopTestServer(testServer);
|
||||
});
|
||||
|
||||
tap.start();
|
||||
Reference in New Issue
Block a user