NSAuditor AI EE 0.5.3 Ships SES Auditor v3 — DKIM Public-Key Fingerprint Capture/Pin + In-Band DMARC Alignment Classifier; R-CRITICAL Closure on Silent Truncation of RSA-2048 Keys
EE 0.5.3 SES Auditor v3 adds DKIM key fingerprint capture/pin + DMARC alignment classifier. R-CRITICAL closure on silent truncation of RSA-2048 keys. 9th consecutive trio-publish.
What’s new: Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition 0.5.3 — a patch-level extension in the v0.5.x line and the ninth consecutive trio-publish across EE + paired CE 0.1.52 + agent-skill 0.1.19. EE 0.5.3 ships EE-RT.18 v3 — plugin 1190 SES Auditor adds two new evidence dimensions. EE plugin count remains 20.
Part A — DKIM public-key fingerprint capture/pin
New `_resolveDkimPublicKey` resolves TXT records at `<token>._domainkey.<identityDomain>` through the v2 CNAME chain, parses the RFC 6376 §3.6.1 tag-list, and SHA-256-fingerprints the base64-decoded public-key bytes. Distinct from v2 CNAME resolution: v2 verifies the DNS delegation chain; v3 verifies that the actual key bytes haven’t drifted. Two operator modes:
- Pin-store mode (`opts.dkimFingerprintPinStore`) — deterministic MISMATCH detection. Catches unauthorized rotation, supply-chain attacks, and DNS-layer key substitution that v2 alone would silently pass.
- Capture-baseline mode (no pin store) — surfaces fingerprints in `finding.details` so the operator can pin next cycle.
Part B — In-band DMARC alignment classifier
New _classifyDmarcAlignment is a pure synchronous classifier with no new DNS calls — it reuses v2 DMARC parsed output. Cross-references adkim/aspf alignment-mode tags against the actual SES identity configuration (DKIM SigningEnabled + custom MailFrom presence) and surfaces guaranteed-alignment-failure configurations as HIGH findings. Distinct from v2’s policy classifier — v2 reads p=/sp=/pct= (what receivers do on failure); v3 reads adkim=/aspf= (what counts as failure and projects whether the identity’s actual config can ever satisfy alignment).
R-CRITICAL closure — silent truncation of RSA-2048 DKIM keys
Pre-fold, `_stripControlChars` silently truncated its input at 256 chars. Real-world DKIM RSA-2048 keys produce TXT records of roughly 360-700 chars, so they were being silently truncated, producing the wrong SHA-256 fingerprint: false-CLEAN pin matches against truncated hashes, or false-MISMATCH when the operator pinned the full hash. Discovered via test, not by reviewer. The new `_stripControlCharsNoTruncate` helper bypasses the cap at the cryptographic-data surface only (the truncation defense is preserved on narrative and resource-id surfaces).
Three additional R-HIGH folds
- R-HIGH-1 — Empty/short-key false-CLEAN floor (≥128 bytes — smallest viable RSA-1024 DER). Catches `p=` (empty) and `p=Qg==` (1-byte) substitution attacks where a hostile DNS-layer actor injects trivially short keys.
- R-HIGH-2 — Multiple `v=DKIM1` records: pre-fold the code parsed only `dkimRecords[0]`. Post-fold emits `errorCode: "multiple-dkim-records: N"` and routes to LOW + evidenceGap with walkthroughRequired.
- R-HIGH-3 — DMARC alignment double-failure visibility: when BOTH `adkim=s` + DKIM disabled AND `aspf=s` + no MailFrom, the narrative explicitly mentions both failures via a `spfStrictAlsoImpossible: true` detail. Pre-fold the auditor saw only the DKIM finding and missed that SPF was also broken.
R-MEDIUM-1 — pin-store + failed-capture-on-pinned-token
Pre-fold the case where a token had a pin in the store but failed capture (DNS transient or malformed record) silently emitted PASS based on the captured subset alone. Post-fold downgrades to LOW + evidenceGap with cause: "pin-store-incomplete-verification" — auditor sees the stale-pin or hidden-mismatch class.
Stats
- Plugin count UNCHANGED at 20
- +61 new tests (45 v3 base + 16 reviewer-fold pin; plugin 1190 test count 248 → 309 across 49 → 60 suites)
- EE full regression: 4962/4962 across 778 suites (was 4901/4901 across 767 at 0.5.2)
- 49-session 100% green streak preserved
- 8 new aws-ses-auditor `soc2.json` mapping rules
- Memory closures: `conservative_classifier_principle` reinforced in 5 new fold sites; `emit_literal_set_drift` extended with 8 new named emission categories + 1 frozen `_DMARC_ALIGNMENT_VALID` Set + 1 new regex pin + 1 new helper for the cryptographic-data surface; `aws_string_case_normalization` reinforced via case-insensitive pin compare at the operator-pin comparison boundary
Coverage matrix unchanged at 10/4/33
Pure evidence-quality uplift on already-covered CC6.1 + Privacy controls.
Recommended install (0.5.3)
npm install -g nsauditor-ai@0.1.52 @nsasoft/nsauditor-ai-ee@0.5.3
nsauditor-ai scan --host aws --plugins all --compliance soc2 --out evidence.json
# AI-coding-agent users also pull the refreshed skill:
npm install nsauditor-ai-agent-skill@0.1.19