email_auth/dkim/

sign.rs

use std::time::{SystemTime, UNIX_EPOCH};

use base64::engine::general_purpose::STANDARD as BASE64;
use base64::Engine;
use ring::rand::SystemRandom;
use ring::signature as ring_sig;
use ring::signature::KeyPair;

use super::canon::{
    canonicalize_body, canonicalize_header, normalize_line_endings, select_headers,
};
use super::types::{Algorithm, CanonicalizationMethod, HashAlgorithm};

/// Error returned by DkimSigner construction or signing.
#[derive(Debug)]
pub struct SigningError {
    pub detail: String,
}

impl std::fmt::Display for SigningError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.write_str(&self.detail)
    }
}

impl std::error::Error for SigningError {}

/// Private key holder — either RSA or Ed25519.
enum PrivateKey {
    Rsa(ring_sig::RsaKeyPair),
    Ed25519(ring_sig::Ed25519KeyPair),
}

/// DKIM message signer.
///
/// Construct via `DkimSigner::rsa_sha256()` or `DkimSigner::ed25519()`.
/// RSA-SHA1 signing is intentionally NOT supported (verify only).
pub struct DkimSigner {
    key: PrivateKey,
    algorithm: Algorithm,
    domain: String,
    selector: String,
    header_canon: CanonicalizationMethod,
    body_canon: CanonicalizationMethod,
    headers_to_sign: Vec<String>,
    over_sign: bool,
    expiration_seconds: Option<u64>,
}

impl DkimSigner {
    /// Create an RSA-SHA256 signer from PKCS8-encoded PEM private key.
    pub fn rsa_sha256(
        domain: impl Into<String>,
        selector: impl Into<String>,
        pkcs8_pem: &[u8],
    ) -> Result<Self, SigningError> {
        let der = decode_pem(pkcs8_pem)?;
        let key_pair = ring_sig::RsaKeyPair::from_pkcs8(&der)
            .map_err(|e| SigningError { detail: format!("invalid RSA PKCS8 key: {}", e) })?;

        Ok(Self {
            key: PrivateKey::Rsa(key_pair),
            algorithm: Algorithm::RsaSha256,
            domain: domain.into(),
            selector: selector.into(),
            header_canon: CanonicalizationMethod::Relaxed,
            body_canon: CanonicalizationMethod::Relaxed,
            headers_to_sign: default_headers(),
            over_sign: false,
            expiration_seconds: None,
        })
    }

    /// Create an Ed25519-SHA256 signer from PKCS8-encoded key bytes.
    ///
    /// IMPORTANT: ring 0.17 rejects OpenSSL-generated Ed25519 PKCS8 keys.
    /// Generate keys with `ring::signature::Ed25519KeyPair::generate_pkcs8()`.
    pub fn ed25519(
        domain: impl Into<String>,
        selector: impl Into<String>,
        pkcs8: &[u8],
    ) -> Result<Self, SigningError> {
        let key_pair = ring_sig::Ed25519KeyPair::from_pkcs8(pkcs8)
            .map_err(|e| SigningError { detail: format!("invalid Ed25519 PKCS8 key: {}", e) })?;

        Ok(Self {
            key: PrivateKey::Ed25519(key_pair),
            algorithm: Algorithm::Ed25519Sha256,
            domain: domain.into(),
            selector: selector.into(),
            header_canon: CanonicalizationMethod::Relaxed,
            body_canon: CanonicalizationMethod::Relaxed,
            headers_to_sign: default_headers(),
            over_sign: false,
            expiration_seconds: None,
        })
    }

    /// Set header canonicalization method.
    pub fn header_canonicalization(mut self, method: CanonicalizationMethod) -> Self {
        self.header_canon = method;
        self
    }

    /// Set body canonicalization method.
    pub fn body_canonicalization(mut self, method: CanonicalizationMethod) -> Self {
        self.body_canon = method;
        self
    }

    /// Set specific headers to sign (replaces defaults).
    pub fn headers(mut self, headers: Vec<String>) -> Self {
        self.headers_to_sign = headers;
        self
    }

    /// Enable over-signing: each header name appears twice in h= to prevent injection.
    pub fn over_sign(mut self, enabled: bool) -> Self {
        self.over_sign = enabled;
        self
    }

    /// Set signature expiration (seconds from signing time).
    pub fn expiration(mut self, seconds: u64) -> Self {
        self.expiration_seconds = Some(seconds);
        self
    }

    /// Sign a message and return the DKIM-Signature header value.
    ///
    /// `headers`: message headers as `(name, value)` pairs.
    /// `body`: raw message body bytes.
    ///
    /// Returns the complete header value (everything after "DKIM-Signature:").
    pub fn sign_message(
        &self,
        headers: &[(&str, &str)],
        body: &[u8],
    ) -> Result<String, SigningError> {
        // Validate From is in headers_to_sign
        if !self.headers_to_sign.iter().any(|h| h.eq_ignore_ascii_case("from")) {
            return Err(SigningError {
                detail: "h= headers must include 'from'".into(),
            });
        }

        // Step 1: Canonicalize body → hash → bh=
        let normalized_body = normalize_line_endings(body);
        let canon_body = canonicalize_body(self.body_canon, &normalized_body);
        let body_hash = compute_hash(self.algorithm, &canon_body);
        let bh_b64 = BASE64.encode(&body_hash);

        // Step 2: Build h= value (with over-signing if enabled)
        let h_value = self.build_h_value();

        // Step 3: Timestamps
        let now = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .map(|d| d.as_secs())
            .unwrap_or(0);

        // Step 4: Build DKIM-Signature template with b= empty
        let algo_str = match self.algorithm {
            Algorithm::RsaSha256 => "rsa-sha256",
            Algorithm::Ed25519Sha256 => "ed25519-sha256",
            Algorithm::RsaSha1 => unreachable!("RSA-SHA1 signing not supported"),
        };
        let canon_str = format!(
            "{}/{}",
            canon_method_str(self.header_canon),
            canon_method_str(self.body_canon),
        );

        let mut sig_template = format!(
            " v=1; a={}; c={}; d={}; s={}; t={}; h={}; bh={}; b=",
            algo_str, canon_str, self.domain, self.selector, now, h_value, bh_b64,
        );

        if let Some(exp_secs) = self.expiration_seconds {
            // Insert x= before h=
            let x_val = now + exp_secs;
            sig_template = format!(
                " v=1; a={}; c={}; d={}; s={}; t={}; x={}; h={}; bh={}; b=",
                algo_str, canon_str, self.domain, self.selector, now, x_val, h_value, bh_b64,
            );
        }

        // Step 5: Compute header hash input
        // Select headers using h= list (the actual header names, not over-signed duplicates)
        let h_names: Vec<String> = self.build_h_names();

        let selected = select_headers(self.header_canon, &h_names, headers);

        let mut hash_input = Vec::new();
        for header_line in &selected {
            hash_input.extend_from_slice(header_line.as_bytes());
        }

        // Append DKIM-Signature template with b= empty, canonicalized, NO trailing CRLF
        let canon_sig = if self.header_canon == CanonicalizationMethod::Simple {
            format!("DKIM-Signature:{}", sig_template)
        } else {
            canonicalize_header(self.header_canon, "dkim-signature", &sig_template)
        };
        hash_input.extend_from_slice(canon_sig.as_bytes());

        // Step 6: Sign the hash input
        let signature = self.sign_raw(&hash_input)?;
        let sig_b64 = BASE64.encode(&signature);

        // Step 7: Fill in b= value
        let full_sig = format!("{}{}", sig_template, sig_b64);

        Ok(full_sig)
    }

    /// Build the h= value string for the DKIM-Signature header.
    fn build_h_value(&self) -> String {
        let mut names = Vec::new();
        for h in &self.headers_to_sign {
            names.push(h.to_lowercase());
            if self.over_sign {
                names.push(h.to_lowercase());
            }
        }
        names.join(":")
    }

    /// Build the h= names list for header selection (including over-sign duplicates).
    fn build_h_names(&self) -> Vec<String> {
        let mut names = Vec::new();
        for h in &self.headers_to_sign {
            names.push(h.to_lowercase());
            if self.over_sign {
                names.push(h.to_lowercase());
            }
        }
        names
    }

    /// Sign raw data with the private key.
    fn sign_raw(&self, data: &[u8]) -> Result<Vec<u8>, SigningError> {
        match &self.key {
            PrivateKey::Rsa(key_pair) => {
                let rng = SystemRandom::new();
                let mut signature = vec![0u8; key_pair.public().modulus_len()];
                key_pair
                    .sign(&ring_sig::RSA_PKCS1_SHA256, &rng, data, &mut signature)
                    .map_err(|e| SigningError { detail: format!("RSA signing failed: {}", e) })?;
                Ok(signature)
            }
            PrivateKey::Ed25519(key_pair) => {
                let sig = key_pair.sign(data);
                Ok(sig.as_ref().to_vec())
            }
        }
    }

    /// Get the public key bytes for DNS record generation (test utility).
    /// For Ed25519: raw 32-byte public key.
    /// For RSA: SPKI DER encoded public key (wraps PKCS#1 from ring).
    pub fn public_key_bytes(&self) -> Vec<u8> {
        match &self.key {
            PrivateKey::Rsa(key_pair) => {
                // ring's public() returns PKCS#1 RSAPublicKey DER.
                // DKIM p= expects SPKI format. Wrap it.
                let pkcs1_der = key_pair.public().as_ref();
                wrap_pkcs1_in_spki(pkcs1_der)
            }
            PrivateKey::Ed25519(key_pair) => {
                key_pair.public_key().as_ref().to_vec()
            }
        }
    }
}

/// Wrap PKCS#1 RSAPublicKey DER in SubjectPublicKeyInfo (SPKI) DER.
/// SPKI = SEQUENCE { AlgorithmIdentifier, BIT STRING { PKCS#1 } }
/// AlgorithmIdentifier = SEQUENCE { OID(rsaEncryption), NULL }
fn wrap_pkcs1_in_spki(pkcs1_der: &[u8]) -> Vec<u8> {
    // RSA AlgorithmIdentifier: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
    let algo_id: &[u8] = &[
        0x30, 0x0d, // SEQUENCE, 13 bytes
        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, // OID
        0x05, 0x00, // NULL
    ];

    // BIT STRING wrapping: 0x03 + length + 0x00 (unused bits) + content
    let bit_string_content_len = 1 + pkcs1_der.len(); // 0x00 byte + PKCS#1
    let mut bit_string = vec![0x03];
    encode_asn1_length(&mut bit_string, bit_string_content_len);
    bit_string.push(0x00); // unused bits = 0
    bit_string.extend_from_slice(pkcs1_der);

    // Outer SEQUENCE
    let inner_len = algo_id.len() + bit_string.len();
    let mut spki = vec![0x30];
    encode_asn1_length(&mut spki, inner_len);
    spki.extend_from_slice(algo_id);
    spki.extend_from_slice(&bit_string);

    spki
}

/// Encode ASN.1 DER length.
fn encode_asn1_length(output: &mut Vec<u8>, len: usize) {
    if len < 0x80 {
        output.push(len as u8);
    } else if len < 0x100 {
        output.push(0x81);
        output.push(len as u8);
    } else {
        output.push(0x82);
        output.push((len >> 8) as u8);
        output.push((len & 0xff) as u8);
    }
}

/// Default headers to sign per RFC 6376 §5.4.
fn default_headers() -> Vec<String> {
    vec![
        "from".into(),
        "to".into(),
        "subject".into(),
        "date".into(),
        "mime-version".into(),
        "content-type".into(),
        "message-id".into(),
    ]
}

fn canon_method_str(m: CanonicalizationMethod) -> &'static str {
    match m {
        CanonicalizationMethod::Simple => "simple",
        CanonicalizationMethod::Relaxed => "relaxed",
    }
}

/// Compute hash using the algorithm's hash function.
fn compute_hash(algorithm: Algorithm, data: &[u8]) -> Vec<u8> {
    match algorithm.hash_algorithm() {
        HashAlgorithm::Sha256 => {
            let digest = ring::digest::digest(&ring::digest::SHA256, data);
            digest.as_ref().to_vec()
        }
        HashAlgorithm::Sha1 => {
            let digest = ring::digest::digest(&ring::digest::SHA1_FOR_LEGACY_USE_ONLY, data);
            digest.as_ref().to_vec()
        }
    }
}

/// Decode PEM to DER. Handles "BEGIN PRIVATE KEY" or "BEGIN RSA PRIVATE KEY".
fn decode_pem(pem: &[u8]) -> Result<Vec<u8>, SigningError> {
    let pem_str = std::str::from_utf8(pem)
        .map_err(|_| SigningError { detail: "PEM is not valid UTF-8".into() })?;

    // Find base64 content between BEGIN/END markers
    let lines: Vec<&str> = pem_str.lines().collect();
    let mut b64 = String::new();
    let mut in_block = false;

    for line in &lines {
        let trimmed = line.trim();
        if trimmed.starts_with("-----BEGIN") {
            in_block = true;
            continue;
        }
        if trimmed.starts_with("-----END") {
            break;
        }
        if in_block {
            b64.push_str(trimmed);
        }
    }

    if b64.is_empty() {
        return Err(SigningError { detail: "no PEM content found".into() });
    }

    BASE64.decode(&b64)
        .map_err(|e| SigningError { detail: format!("PEM base64 decode failed: {}", e) })
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::common::dns::mock::MockResolver;
    use crate::dkim::verify::DkimVerifier;
    use crate::dkim::DkimResult;

    fn setup_mock_key(resolver: &mut MockResolver, selector: &str, domain: &str, txt: &str) {
        let qname = format!("{}._domainkey.{}", selector, domain);
        resolver.add_txt(&qname, vec![txt.to_string()]);
    }

    // ─── CHK-424: Key loading ────────────────────────────────────────

    #[test]
    fn ed25519_key_loads_from_pkcs8() {
        let rng = SystemRandom::new();
        let pkcs8 = ring_sig::Ed25519KeyPair::generate_pkcs8(&rng).unwrap();
        let signer = DkimSigner::ed25519("example.com", "sel", pkcs8.as_ref());
        assert!(signer.is_ok());
    }

    #[test]
    fn rsa_key_loads_from_pem() {
        let pem = generate_rsa_pem();
        let signer = DkimSigner::rsa_sha256("example.com", "sel", &pem);
        assert!(signer.is_ok());
    }

    #[test]
    fn invalid_key_fails_fast() {
        let result = DkimSigner::ed25519("example.com", "sel", b"not-a-key");
        assert!(result.is_err());
    }

    #[test]
    fn invalid_pem_fails() {
        let result = DkimSigner::rsa_sha256("example.com", "sel", b"not-pem");
        assert!(result.is_err());
    }

    // ─── CHK-508: RSA-SHA1 signing prevention ────────────────────────

    #[test]
    fn rsa_sha1_signing_not_constructable() {
        // DkimSigner has no constructor for RSA-SHA1.
        // The only constructors are rsa_sha256() and ed25519().
        // This test verifies no code path can produce a=rsa-sha1 in a signature.
        let pem = generate_rsa_pem();
        let signer = DkimSigner::rsa_sha256("example.com", "sel", &pem).unwrap();
        assert!(matches!(signer.algorithm, Algorithm::RsaSha256));
        // Algorithm::RsaSha1 has no corresponding signer constructor
    }

    // ─── CHK-426: From header enforced ───────────────────────────────

    #[test]
    fn sign_without_from_fails() {
        let rng = SystemRandom::new();
        let pkcs8 = ring_sig::Ed25519KeyPair::generate_pkcs8(&rng).unwrap();
        let signer = DkimSigner::ed25519("example.com", "sel", pkcs8.as_ref())
            .unwrap()
            .headers(vec!["to".into(), "subject".into()]); // no "from"

        let headers = vec![
            ("From", " user@example.com"),
            ("To", " other@example.com"),
        ];
        let result = signer.sign_message(&headers, b"body\r\n");
        assert!(result.is_err());
        assert!(result.unwrap_err().detail.contains("from"));
    }

    // ─── CHK-502: Ed25519 sign-then-verify roundtrip ─────────────────

    #[tokio::test]
    async fn ed25519_sign_verify_roundtrip() {
        let rng = SystemRandom::new();
        let pkcs8 = ring_sig::Ed25519KeyPair::generate_pkcs8(&rng).unwrap();
        let signer = DkimSigner::ed25519("example.com", "ed", pkcs8.as_ref()).unwrap();

        let headers = vec![
            ("From", " user@example.com"),
            ("To", " other@example.com"),
            ("Subject", " Test message"),
        ];
        let body = b"Hello world\r\n";

        let sig_value = signer.sign_message(&headers, body).unwrap();

        // Set up verifier with mock DNS
        let pub_key = signer.public_key_bytes();
        let pub_b64 = BASE64.encode(&pub_key);

        let mut resolver = MockResolver::new();
        setup_mock_key(
            &mut resolver,
            "ed",
            "example.com",
            &format!("v=DKIM1; k=ed25519; p={}", pub_b64),
        );

        let verifier = DkimVerifier::new(resolver);
        let mut all_headers = headers.clone();
        all_headers.push(("DKIM-Signature", &sig_value));

        let results = verifier.verify_message(&all_headers, body).await;
        match &results[0] {
            DkimResult::Pass { domain, .. } => assert_eq!(domain, "example.com"),
            other => panic!("Ed25519 roundtrip: expected Pass, got {:?}", other),
        }
    }

    // ─── CHK-503: RSA-SHA256 sign-then-verify roundtrip ──────────────

    #[tokio::test]
    async fn rsa_sha256_sign_verify_roundtrip() {
        let pem = generate_rsa_pem();
        let signer = DkimSigner::rsa_sha256("example.com", "rsa", &pem).unwrap();

        let headers = vec![
            ("From", " sender@example.com"),
            ("To", " recipient@example.com"),
            ("Subject", " RSA roundtrip test"),
        ];
        let body = b"RSA signed body\r\n";

        let sig_value = signer.sign_message(&headers, body).unwrap();

        // Get SPKI public key for DNS
        let pub_key = signer.public_key_bytes();
        let pub_b64 = BASE64.encode(&pub_key);

        let mut resolver = MockResolver::new();
        setup_mock_key(
            &mut resolver,
            "rsa",
            "example.com",
            &format!("v=DKIM1; k=rsa; p={}", pub_b64),
        );

        let verifier = DkimVerifier::new(resolver);
        let mut all_headers = headers.clone();
        all_headers.push(("DKIM-Signature", &sig_value));

        let results = verifier.verify_message(&all_headers, body).await;
        match &results[0] {
            DkimResult::Pass { domain, .. } => assert_eq!(domain, "example.com"),
            other => panic!("RSA-SHA256 roundtrip: expected Pass, got {:?}", other),
        }
    }

    // ─── CHK-504: Different canonicalization modes ───────────────────

    #[tokio::test]
    async fn simple_simple_roundtrip() {
        let rng = SystemRandom::new();
        let pkcs8 = ring_sig::Ed25519KeyPair::generate_pkcs8(&rng).unwrap();
        let signer = DkimSigner::ed25519("example.com", "ed", pkcs8.as_ref())
            .unwrap()
            .header_canonicalization(CanonicalizationMethod::Simple)
            .body_canonicalization(CanonicalizationMethod::Simple);

        let headers = vec![
            ("From", " user@example.com"),
            ("Subject", " Simple test"),
        ];
        let body = b"Simple body\r\n";

        let sig_value = signer.sign_message(&headers, body).unwrap();
        assert!(sig_value.contains("c=simple/simple"));

        let pub_key = signer.public_key_bytes();
        let pub_b64 = BASE64.encode(&pub_key);

        let mut resolver = MockResolver::new();
        setup_mock_key(
            &mut resolver,
            "ed",
            "example.com",
            &format!("v=DKIM1; k=ed25519; p={}", pub_b64),
        );

        let verifier = DkimVerifier::new(resolver);
        let mut all_headers = headers.clone();
        all_headers.push(("DKIM-Signature", &sig_value));

        let results = verifier.verify_message(&all_headers, body).await;
        match &results[0] {
            DkimResult::Pass { .. } => {}
            other => panic!("simple/simple roundtrip: expected Pass, got {:?}", other),
        }
    }

    // ─── CHK-506: Timestamp and expiration ───────────────────────────

    #[tokio::test]
    async fn timestamp_and_expiration_set() {
        let rng = SystemRandom::new();
        let pkcs8 = ring_sig::Ed25519KeyPair::generate_pkcs8(&rng).unwrap();
        let signer = DkimSigner::ed25519("example.com", "ed", pkcs8.as_ref())
            .unwrap()
            .expiration(3600);

        let headers = vec![("From", " user@example.com")];
        let body = b"body\r\n";

        let sig_value = signer.sign_message(&headers, body).unwrap();
        assert!(sig_value.contains("t="));
        assert!(sig_value.contains("x="));

        // Verify the expiration is t + 3600
        let t_pos = sig_value.find("t=").unwrap() + 2;
        let t_end = sig_value[t_pos..].find(';').unwrap() + t_pos;
        let t: u64 = sig_value[t_pos..t_end].trim().parse().unwrap();

        let x_pos = sig_value.find("x=").unwrap() + 2;
        let x_end = sig_value[x_pos..].find(';').unwrap() + x_pos;
        let x: u64 = sig_value[x_pos..x_end].trim().parse().unwrap();

        assert_eq!(x, t + 3600);
    }

    // ─── CHK-507: PEM key loading ────────────────────────────────────

    #[test]
    fn pem_decode_rsa_key() {
        let pem = generate_rsa_pem();
        let result = decode_pem(&pem);
        assert!(result.is_ok());
    }

    #[test]
    fn pem_decode_invalid_base64() {
        let bad_pem = b"-----BEGIN PRIVATE KEY-----\n!!!invalid!!!\n-----END PRIVATE KEY-----\n";
        let result = decode_pem(bad_pem);
        assert!(result.is_err());
    }

    #[test]
    fn pem_decode_empty() {
        let result = decode_pem(b"no markers here");
        assert!(result.is_err());
    }

    // ─── CHK-509: Over-sign roundtrip ────────────────────────────────

    #[tokio::test]
    async fn over_sign_roundtrip() {
        let rng = SystemRandom::new();
        let pkcs8 = ring_sig::Ed25519KeyPair::generate_pkcs8(&rng).unwrap();
        let signer = DkimSigner::ed25519("example.com", "ed", pkcs8.as_ref())
            .unwrap()
            .over_sign(true);

        let headers = vec![
            ("From", " user@example.com"),
            ("To", " other@example.com"),
            ("Subject", " Over-sign test"),
        ];
        let body = b"Over-sign body\r\n";

        let sig_value = signer.sign_message(&headers, body).unwrap();
        // Each header name should appear twice in h=
        assert!(sig_value.contains("h=from:from:to:to:subject:subject"));

        let pub_key = signer.public_key_bytes();
        let pub_b64 = BASE64.encode(&pub_key);

        let mut resolver = MockResolver::new();
        setup_mock_key(
            &mut resolver,
            "ed",
            "example.com",
            &format!("v=DKIM1; k=ed25519; p={}", pub_b64),
        );

        let verifier = DkimVerifier::new(resolver);
        let mut all_headers = headers.clone();
        all_headers.push(("DKIM-Signature", &sig_value));

        let results = verifier.verify_message(&all_headers, body).await;
        match &results[0] {
            DkimResult::Pass { .. } => {}
            other => panic!("over-sign roundtrip: expected Pass, got {:?}", other),
        }
    }

    // ─── CHK-433: Ground-truth bypass test ───────────────────────────
    // Already covered by lane 7 verify.rs ground-truth tests that construct
    // signatures manually with ring primitives and verify through DkimVerifier.
    // This is the complementary direction: sign with DkimSigner and verify
    // the output matches expected format.

    #[test]
    fn signed_header_contains_required_tags() {
        let rng = SystemRandom::new();
        let pkcs8 = ring_sig::Ed25519KeyPair::generate_pkcs8(&rng).unwrap();
        let signer = DkimSigner::ed25519("example.com", "sel", pkcs8.as_ref()).unwrap();

        let headers = vec![("From", " user@example.com")];
        let sig = signer.sign_message(&headers, b"body\r\n").unwrap();

        assert!(sig.contains("v=1"));
        assert!(sig.contains("a=ed25519-sha256"));
        assert!(sig.contains("d=example.com"));
        assert!(sig.contains("s=sel"));
        assert!(sig.contains("h="));
        assert!(sig.contains("bh="));
        assert!(sig.contains("b="));
        assert!(sig.contains("t="));
    }

    // ─── CHK-427/428: Recommended + avoided headers ──────────────────

    #[test]
    fn default_headers_include_recommended() {
        let defaults = default_headers();
        assert!(defaults.contains(&"from".to_string()));
        assert!(defaults.contains(&"to".to_string()));
        assert!(defaults.contains(&"subject".to_string()));
        assert!(defaults.contains(&"date".to_string()));
        assert!(defaults.contains(&"message-id".to_string()));
        // Should NOT include transit headers
        assert!(!defaults.contains(&"received".to_string()));
        assert!(!defaults.contains(&"return-path".to_string()));
    }

    // ─── CHK-430: Timestamp set ──────────────────────────────────────

    #[test]
    fn signature_has_timestamp() {
        let rng = SystemRandom::new();
        let pkcs8 = ring_sig::Ed25519KeyPair::generate_pkcs8(&rng).unwrap();
        let signer = DkimSigner::ed25519("example.com", "sel", pkcs8.as_ref()).unwrap();

        let headers = vec![("From", " user@example.com")];
        let sig = signer.sign_message(&headers, b"body\r\n").unwrap();
        assert!(sig.contains("t="));

        // Parse timestamp, verify it's recent
        let t_pos = sig.find("t=").unwrap() + 2;
        let t_end = sig[t_pos..].find(';').unwrap() + t_pos;
        let t: u64 = sig[t_pos..t_end].trim().parse().unwrap();
        let now = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .unwrap()
            .as_secs();
        assert!(t <= now);
        assert!(t > now - 10); // within last 10 seconds
    }

    // ─── Helper: Generate RSA key for tests ──────────────────────────

    fn generate_rsa_pem() -> Vec<u8> {
        // Use openssl to generate a 2048-bit RSA PKCS8 PEM key
        // Since ring doesn't expose RSA key generation, we use a pre-generated key
        // or generate one with ring's internal methods.
        // Actually, ring DOES have RsaKeyPair but no key generation.
        // For tests, embed a test-only RSA key.
        include_bytes!("../../tests/fixtures/rsa2048.pem").to_vec()
    }
}