Skip to content

rspamd/bimi-helper

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

BIMI-agent

Build Status

This service is intended to assist in extraction of the BIMI VMC certificates, validate them using various rules and a set of trusted fingerprints or system CA roots, extract image (from LOGOTYPE X.509 extension) and store that image in Redis.

Usage

bimi-agent 0.2.0
BIMI agent to assist images verification end extraction

USAGE:
    bimi-agent [FLAGS] [OPTIONS]

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information
    -v, --verbose    Verbose level (repeat for more verbosity)

OPTIONS:
        --cert <cert>                              X509 certificate for HTTP server
        --chroot <chroot>                          Chroot to this directory
        --redis-expiry <expiry>                     [default: 259200]
    -F, --fingerprint <fingerprints>...            Trusted fingerprint
        --fingerprints-file <fingerprints-file>    Trusted fingerprints file
    -g, --group <group>                            Run as this group
    -t, --timeout <http-timeout>                   HTTP client timeout [default: 5.0]
    -U, --user-agent <http-ua>                     HTTP user agent [default: BIMI-Agent/0.1]
    -l, --listen <listen-addr>                     Listen address to bind to [default: 0.0.0.0:3030]
    -n, --max-threads <max-threads>                Number of threads to start [default: 2]
        --redis-prefix <prefix>                    Prefix for Redis keys (if not specified in a request)
        --privkey <privkey>                        Private key for SSL HTTP server
        --redis-timeout <timeout>                  Redis operations timeout [default: 5.0]
    -u, --user <user>                              Run as this user and their primary group

This will open an HTTP server available for requests.

For example, store an image in Redis:

 curl -X POST 'http://localhost:3030/v1/check/' \
  -H 'Content-Type: application/json' \
  -d '{"url": "https://amplify.valimail.com/bimi/valimail/dcvSV-hEXmW-valimail_inc_164268123.pem", "redis_server": "redis://127.0.0.1", "domain": "valimail.com"}'

Unfortunately, VMC root CA are not in the chains of trust so far, so this app allows specifying trusted fingerprints. In this mode, when BIMI-helper observes a CA certificate it tries to verify it's SHA256 digest against a set of trusted fingerprints.

For the example above, you might want to add DigiCert Verified Mark Root CA fingerprint to be able to validate pem from valimail.

Use in Docker

This app can be built and used via Docker.

docker build -t bimi-agent .
docker run -p 3030:3030 -d --rm --name bimi-agent bimi-agent

Valid VMC roots fingerprints

So far, there are two valid VMC roots:

  • Digicert VMC CA: 504386c9ee8932fecc95fade427f69c3e2534b7310489e300fee448e33c46b42
  • Entrust VMC (is not included in chains...)

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •