Projects

Passkey Credentials

April 27, 2025 permalink

(PHP) scripts to register and authenticate Passkey Credentials

https://github.com/arduent/passkey-credentials

I've noticed articles popping up about Passkeys. A Passkey authentication scheme is very simple. The server sends a random challenge, the client signs it with their Passkey thingy, then sends back the signed data and public key. When they want to log in, the server sends them all their public keys, and maybe some random ones too, and a new challenge. The client signs the challenge and sends the public key, key id, and signed data back. (It also has some other data, like the number of times the key was used, so you can update your data on the server.)

GitHub - arduent/passkey-credentials: minimal example using webauthn-framework to provide Passkey authentication to your web site

https://www.pcworld.com/article/2763275/so-long-passwords-5-easy-ways-to-use-passkeys.html

https://www.zdnet.com/article/if-we-want-a-passwordless-future-lets-get-our-passkey-story-straight/

lu-milter

April 16, 2025 permalink

(Rust) a milter that automatically adds a List-Unsubscribe header to outbound emails.

https://github.com/arduent/lu-milter

Here's a milter in Rust that adds List-Unsubscribe headers. It creates a URL that has encoded email-from, rcpt-to and an HMAC-SHA-256 verification hash using a shared secret key. That way the web server handling the POST request doesn't have to live on the same server as the milter/SMTP server.

What does this do? Essentially, it puts an unsubscribe link at the top of your email in clients like Gmail (other mail handlers may do the same), like the blue link at the top of the image here. It possibly improves deliverability of newsletter and transactional emails.

DKIM-Relay

April 8, 2025 permalink

(Rust) an SMTP server which creates a 'DKIM-Signature' header for incoming emails, then relays the email to another SMTP server. Includes the handy dkim-gen-keys app.

https://github.com/arduent/dkim-relay

This program runs as an SMTP server which creates a DKIM-Signature header for incoming emails, then relays the email to another SMTP server as configured. The user may use the included program dkim-gen-keys to create the RSA private key and BIND zone file entry for the corresponding public key. Keys are RSA (up to 2048 bits, though 1024-bit keys may be more practical on some systems due to DNS fragmentation issues).

SMTP Connection & Parsing

When a client connects and sends SMTP commands to deliver an email, the server parses the header and body into separate structures. The email is not altered except for the insertion of the DKIM-Signature header.

Canonicalization

The server uses relaxed/relaxed canonicalization. It compresses whitespace and converts header field names to lowercase. Blank or missing headers can be included to "lock in" their absence, which prevents a third party from later inserting unauthorized headers without breaking the signature.

Hashing and Signing

A 32-byte SHA-256 hash is computed on the canonicalized body. The canonicalized header data (which now includes a temporary DKIM-Signature header with an empty b= tag and a proper bh= value) is hashed. The header hash is then combined with a fixed DER prefix (19 bytes for SHA-256) to form a 51-byte DigestInfo. This DigestInfo is signed using the RSA private key with PKCS#1 v1.5 padding (using the OpenSSL crate to mimic the legacy RSA_sign/RSA_verify functions). The resulting signature is base64-encoded and inserted into the b= tag of the final DKIM-Signature header.
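The relaxed/relaxed canonicalization and DigestInfo steps described above, as an added example that is not dkim-relay's own code. The function names are hypothetical, only the Rust standard library is used, and the 32-byte header hash is assumed to come from a SHA-256 implementation elsewhere; the sample inputs in `main` are constructed.

```rust
// Added example: relaxed/relaxed canonicalization (RFC 6376 section 3.4) and
// SHA-256 DigestInfo assembly. Function names are hypothetical, not dkim-relay's.

/// DER prefix of a SHA-256 DigestInfo (19 bytes); the 32-byte hash follows it.
const SHA256_DER_PREFIX: [u8; 19] = [
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
];

fn is_wsp(c: char) -> bool { c == ' ' || c == '\t' }

/// Collapse every run of spaces and tabs into a single space.
fn squeeze_wsp(s: &str) -> String {
    let mut out = String::new();
    for c in s.chars() {
        if !is_wsp(c) { out.push(c); }
        else if !out.ends_with(' ') { out.push(' '); }
    }
    out
}

/// Relaxed header canonicalization of one (possibly folded) header field.
/// Returns None when the input has no colon and so is not a header field.
fn relaxed_header(raw: &str) -> Option<String> {
    let (name, value) = raw.split_once(':')?;
    let name = name.trim_end_matches(is_wsp).to_ascii_lowercase();
    let value = squeeze_wsp(&value.replace("\r\n", "")); // unfold, then squeeze
    Some(format!("{}:{}\r\n", name, value.trim_matches(' ')))
}

/// Relaxed body canonicalization: squeeze whitespace, strip it at line ends,
/// drop trailing empty lines, and end a non-empty body with exactly one CRLF.
fn relaxed_body(body: &str) -> String {
    let mut lines: Vec<String> = body.split("\r\n")
        .map(|l| squeeze_wsp(l).trim_end_matches(' ').to_string())
        .collect();
    while lines.last().map_or(false, |l| l.is_empty()) { lines.pop(); }
    lines.iter().map(|l| format!("{l}\r\n")).collect()
}

/// Prefix a 32-byte SHA-256 hash to form the 51-byte DigestInfo that gets signed.
fn digest_info(header_hash: &[u8; 32]) -> Vec<u8> {
    [&SHA256_DER_PREFIX[..], &header_hash[..]].concat()
}

fn main() {
    // Constructed sample: a folded header and a body with trailing blank lines.
    print!("{}", relaxed_header("Subject :  Hello\r\n\tworld \r\n").unwrap());
    print!("{}", relaxed_body("Hi  there \r\n\r\n\r\n"));
    println!("{} bytes", digest_info(&[0u8; 32]).len());
}
```

Under RFC 6376, the DKIM-Signature header itself is hashed last and without its trailing CRLF, so a signer drops the final CRLF from `relaxed_header` for that one field.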

DKIM-Signature Header Placement

The generated DKIM-Signature header (with the now-populated b= field) is added at the top of the header block. In cases where multiple DKIM-Signature headers exist, the topmost one is used for verification.

Quantificant LLC
Quantum Bits & Pieces

Copyright 2025 Quantificant LLC