julian at mehnle
Aug 13, 2006, 3:24 PM
Post #4 of 11
-----BEGIN PGP SIGNED MESSAGE-----
Tom Lahti wrote:
> > Jean-Pierre Schwickerath wrote:
> > > I wondered if it is possible to exclude certain characters from
> > > being used where doing an SRS Hash with the Mail::SRS perl module?
> > > On my first try the module generated a hash that contained a slash
> > > (/). Unfortunately this character is not allowed in the local part
> > > with Postfix as MTA, so the bounce did not come back.
> > I'd suggest that you write a sub-class of Mail::SRS that overrides the
> > hash_create() and hash_verify() methods (which use Digest::HMAC_SHA1::
> > b64digest() for the Base64 conversions) and substitutes any "/"s in the
> > hash with another character, say ".". hash_verify() would have to do
> > the reverse to the passed hash (i.e. undo the substitution before the
> > hash is verified), of course.
> Probably not. You'll want to change to a Digest subclass that
> doesn't create "/", or make up your own hash altogether. Doing
> simple character substitution screws up the math when verifying
> it. When you reverse the substitution to verify the hash, you'll
> reverse all "." into "/", which won't work if HMAC_SHA1 normally
> outputs ".". Substitution will only work if HMAC_SHA1 doesn't output
> the character you substitute with.
I was fully aware of that. Digest::HMAC_SHA1::b64digest() outputs Base64.
- From `perldoc Digest::SHA1` (Digest::SHA1 is what Digest::HMAC_SHA1 uses):
| Same as $sha1->digest, but will return the digest as a base64 encoded
| string. The length of the returned string will be 27 and it will only
| contain characters from this set: 'A'..'Z', 'a'..'z', '0'..'9', '+'
| and '/'.
Conforming to the usual definition of Base64, that doesn't include ".".
I seriously doubt it would be a good idea to define a Digest sub-class
whose b64digest() method no longer produces canonical Base64. For private
needs it might be acceptable, but I still think a Mail::SRS sub-class is a
After all, it's the SRS implementation's responsibility to encode the hash,
and since the hash only has meaning on the sending system, nobody else
should care about _how_ exactly the hash is encoded.
> Or... isn't Postfix highly configurable? Simply change the config to
> allow "/" in local parts.
That may be the best solution of all.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
-----END PGP SIGNATURE-----
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2