CERN DomainKeys Library-A C# version implement

Because the original page is not available now, so make a backup here.

DomainKeys Library

Library Information

CERN DomainKeys Library is written in C#, for a Windows usage.

Common task is to integrate this library into Protocol Event Sinks,
implementing ISmtpInCommandSink interface, for incoming traffic verification
and outgoing traffic signing.

An ISmtpServerResponseSink Sink might also be used for signing outgoing
traffic.

It uses a certificate generated by OpenSSL, and imported in LocalMachine
certificate store. The public key is extracted using OpenSSL for DNS field.

Download

CERN DomainKeys Library.zip(v1.0) (updated on 08 Feb 2005, small canonicalizer bug corrected).

Usage

Create certificate and export public key:

  • If needed, create CA to Issue certificates:

    openssl req -x509 -out ca_cert.pem -newkey rsa:1024 -keyout ca_priv_key.pem

    -days 365
  • Request Certificate:

    openssl req -out DomainKeys_cert_req.pem -new -keyout DomainKeys_priv_key.pem
    -newkey rsa:768
  • As CA, Issue Certificate:

    openssl x509 -req -in DomainKeys_cert_req.pem -CA ca_cert.pem -CAkey
    ca_priv_key.pem -CAcreateserial -out DomainKeys_cert.pem -days 365

  • Export public key for DNS TXT field:

    openssl rsa -in DomainKeys_priv_key.pem -out DomainKeys_public_Key.pem -pubout
    -outform PEM
  • Finally, create a PKCS12 file from the PEM certificate:

    openssl pkcs12 -export -in DomainKeys_cert.pem -inkey DomainKeys_priv_key.pem
    -out DomainKeys_cert.p12 -name "DomainKeys certificate"

  • Import the .p12 certificate into Certificate Store, in LocalMachine / Personal.
    Verify that ‘Make private key as exportable’ is checked.

Configure library:

  • Edit Constants.cs according to your requirements (domain, headers, etc…).
  • Edit Logger.cs to set a logging method according to your preferences.

Sign outgoing mails:

MailSigner ms = new MailSigner();
if (ms.signMail(mail_to_sign)) 
{
	// Add new header at top on mail:
	string mail_signed = ms.signedHeader + mail_to_sign;
} 

Verify incoming mails:

MailAnalyser mDK = new MailAnalyser();
if (mDK.SignatureVerify(mail_to_verify) == true) 
{
	// Accept mail, does not mean verification is good.
	// Check mDK.checkStatusStr for status.
	// Add status to mail: mDK.checkStatusHeader contains header line with result.
}
else 
{
	// Reject mail: Verify failed, and sending domain says all mails should be signed.
}
Be Sociable, Share!

Leave a Reply