aws-sigv4 1.5.2 → 1.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 33cb09610570a5aefa4e83ab34277756201d8f1e50197bfe343fc49cce668672
-  data.tar.gz: 4d070f7cf41c0a77b69e7ca6cc80c2fb7a8111eb3640819fb01ee6602027b5d9
+  metadata.gz: d6c968ea3d1cff2c3e6ff056a38658ce9af6f2f9b3d5fce948003a063c1f785e
+  data.tar.gz: '008ac56a37950824779768b8e3e942a711a0cae225231e9f9897e0426a18d121'
 SHA512:
-  metadata.gz: ddb8c5fc04288a396501afb0cd74907232ac78a2ca5e3bbb4c0879c27c15d72c19e30b9ddcaf5b8fe536e8b04d4ccc3c98eee74f27f92b594058a54b29edf704
-  data.tar.gz: 283afcb61ae4b06a68b5a644a529b560864b82f0e69c107a8c059c04b9b6448421ac93015c483aae1bdf77bed41cb3088942c1e18dc26fc4b569aa7fde65f563
+  metadata.gz: 49dfbb860585de3ca7f1f84e3ff2fa059025098fe3a0baf4ab4c4fd1ff6bdb4dab85b17b040ebc7fa5db743d1f5da9a4b0975187d2bf60aabfc29e9674b22ee3
+  data.tar.gz: 315d89e1c67bfc3938f267dcf50e47842f7cac514b07df07cc642be2bc99fbc55dd7256f564868c6f3e61ee125aa71d26a98af01c734a924aaa0ae5ac8e084e4

data/CHANGELOG.md

@@ -1,6 +1,36 @@
 Unreleased Changes
 ------------------
 
+1.9.1 (2024-07-29)
+------------------
+
+* Issue - Add missing require of `pathname` to `Signer`.
+
+1.9.0 (2024-07-23)
+------------------
+
+* Feature - Support `sigv4a` signing algorithm without `aws-crt`.
+
+1.8.0 (2023-11-28)
+------------------
+
+* Feature - Support `sigv4-s3express` signing algorithm.
+
+1.7.0 (2023-11-22)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
+
+1.6.1 (2023-10-25)
+------------------
+
+* Issue - (Static Stability) use provided `expires_in` in presigned url when credentials are expired.
+
+1.6.0 (2023-06-28)
+------------------
+
+* Feature - Select the minimum expiration time for presigned urls between the expiration time option and the credential expiration time.
+
 1.5.2 (2022-09-30)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.5.2
+1.9.1

data/lib/aws-sigv4/asymmetric_credentials.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Aws
+  module Sigv4
+    # To make it easier to support mixed mode, we have created an asymmetric
+    # key derivation mechanism. This module derives
+    # asymmetric keys from the current secret for use with
+    # Asymmetric signatures.
+    # @api private
+    module AsymmetricCredentials
+
+      N_MINUS_2 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 - 2
+
+      # @param [String] :access_key_id
+      # @param [String] :secret_access_key
+      # @return [OpenSSL::PKey::EC, Hash]
+      def self.derive_asymmetric_key(access_key_id, secret_access_key)
+        check_openssl_support!
+        label = 'AWS4-ECDSA-P256-SHA256'
+        bit_len = 256
+        counter = 0x1
+        input_key = "AWS4A#{secret_access_key}"
+        d = 0 # d will end up being the private key
+        while true do
+
+          kdf_context = access_key_id.unpack('C*') + [counter].pack('C').unpack('C') #1 byte for counter
+          input = label.unpack('C*') + [0x00] + kdf_context + [bit_len].pack('L>').unpack('CCCC') # 4 bytes (change endianess)
+          k0 = OpenSSL::HMAC.digest("SHA256", input_key, ([0, 0, 0, 0x01] + input).pack('C*'))
+          c = be_bytes_to_num( k0.unpack('C*') )
+          if c <= N_MINUS_2
+            d = c + 1
+            break
+          elsif counter > 0xFF
+            raise 'Counter exceeded 1 byte - unable to get asym creds'
+          else
+            counter += 1
+          end
+        end
+
+        # compute the public key
+        group = OpenSSL::PKey::EC::Group.new('prime256v1')
+        public_key = group.generator.mul(d)
+
+        ec = generate_ec(public_key, d)
+
+        # pk_x and pk_y are not needed for signature, but useful in verification/testing
+        pk_b = public_key.to_octet_string(:uncompressed).unpack('C*') # 0x04 byte followed by 2 32-byte integers
+        pk_x = be_bytes_to_num(pk_b[1,32])
+        pk_y = be_bytes_to_num(pk_b[33,32])
+        [ec, {ec: ec, public_key: public_key, pk_x: pk_x, pk_y: pk_y, d: d}]
+      end
+
+      private
+
+      # @return [Number] The value of the bytes interpreted as a big-endian
+      # unsigned integer.
+      def self.be_bytes_to_num(bytes)
+        x = 0
+        bytes.each { |b| x = (x*256) + b }
+        x
+      end
+
+      # Prior to openssl3 we could directly set public and private key on EC
+      # However, openssl3 deprecated those methods and we must now construct
+      # a der with the keys and load the EC from it.
+      def self.generate_ec(public_key, d)
+        # format reversed from: OpenSSL::ASN1.decode_all(OpenSSL::PKey::EC.new.to_der)
+        asn1 = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(OpenSSL::BN.new(1)),
+          OpenSSL::ASN1::OctetString([d.to_s(16)].pack('H*')),
+          OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::ObjectId("prime256v1")], 0, :CONTEXT_SPECIFIC),
+          OpenSSL::ASN1::ASN1Data.new(
+            [OpenSSL::ASN1::BitString(public_key.to_octet_string(:uncompressed))],
+            1, :CONTEXT_SPECIFIC
+          )
+        ])
+        OpenSSL::PKey::EC.new(asn1.to_der)
+      end
+
+      def self.check_openssl_support!
+        return true unless defined?(JRUBY_VERSION)
+
+        # See: https://github.com/jruby/jruby-openssl/issues/306
+        # JRuby-openssl < 0.15 does not support OpenSSL::PKey::EC::Point#mul
+        return true if OpenSSL::PKey::EC::Point.instance_methods.include?(:mul)
+
+        raise 'Sigv4a Asymmetric Credential derivation requires jruby-openssl >= 0.15'
+      end
+    end
+  end
+end

data/lib/aws-sigv4/signature.rb

@@ -32,6 +32,9 @@ module Aws
       # @return [String] For debugging purposes.
       attr_accessor :content_sha256
 
+      # @return [String] For debugging purposes.
+      attr_accessor :signature
+
       # @return [Hash] Internal data for debugging purposes.
       attr_accessor :extra
     end

data/lib/aws-sigv4/signer.rb

@@ -6,6 +6,7 @@ require 'time'
 require 'uri'
 require 'set'
 require 'cgi'
+require 'pathname'
 require 'aws-eventstream'
 
 module Aws
@@ -84,14 +85,16 @@ module Aws
 
       # @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
-      #   @param [String] :region The region name, e.g. 'us-east-1'.
+      #   @param [String] :region The region name, e.g. 'us-east-1'. When signing
+      #    with sigv4a, this should be a comma separated list of regions.
       #   @param [String] :access_key_id
       #   @param [String] :secret_access_key
       #   @param [String] :session_token (nil)
       #
       # @overload initialize(service:, region:, credentials:, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
-      #   @param [String] :region The region name, e.g. 'us-east-1'.
+      #   @param [String] :region The region name, e.g. 'us-east-1'. When signing
+      #    with sigv4a, this should be a comma separated list of regions.
       #   @param [Credentials] :credentials Any object that responds to the following
       #     methods:
       #
@@ -102,7 +105,8 @@ module Aws
       #
       # @overload initialize(service:, region:, credentials_provider:, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
-      #   @param [String] :region The region name, e.g. 'us-east-1'.
+      #   @param [String] :region The region name, e.g. 'us-east-1'. When signing
+      #    with sigv4a, this should be a comma separated list of regions.
       #   @param [#credentials] :credentials_provider An object that responds
       #     to `#credentials`, returning an object that responds to the following
       #     methods:
@@ -127,8 +131,7 @@ module Aws
       #   every other AWS service as of late 2016.
       #
       # @option options [Symbol] :signing_algorithm (:sigv4) The
-      #   algorithm to use for signing.  :sigv4a is only supported when
-      #   `aws-crt` is available.
+      #   algorithm to use for signing.
       #
       # @option options [Boolean] :omit_session_token (false)
       #   (Supported only when `aws-crt` is available) If `true`,
@@ -136,8 +139,8 @@ module Aws
       #   but is treated as "unsigned" and does not contribute
       #   to the authorization signature.
       #
-      # @option options [Boolean] :normalize_path (true) (Supported only when `aws-crt` is available)
-      #   When `true`, the uri paths will be normalized when building the canonical request
+      # @option options [Boolean] :normalize_path (true) When `true`, the
+      #   uri paths will be normalized when building the canonical request.
       def initialize(options = {})
         @service = extract_service(options)
         @region = extract_region(options)
@@ -152,10 +155,11 @@ module Aws
         @normalize_path = options.fetch(:normalize_path, true)
         @omit_session_token = options.fetch(:omit_session_token, false)
 
-        if @signing_algorithm == :sigv4a && !Signer.use_crt?
-          raise ArgumentError, 'You are attempting to sign a' \
-' request with sigv4a which requires the `aws-crt` gem.'\
-' Please install the gem or add it to your gemfile.'
+        if @signing_algorithm == 'sigv4-s3express'.to_sym &&
+           Signer.use_crt? && Aws::Crt::GEM_VERSION <= '0.1.9'
+          raise ArgumentError,
+                'This version of aws-crt does not support S3 Express. Please
+                 update this gem to at least version 0.2.0.'
         end
       end
 
@@ -235,10 +239,11 @@ module Aws
 
         return crt_sign_request(request) if Signer.use_crt?
 
-        creds = fetch_credentials
+        creds, _ = fetch_credentials
 
         http_method = extract_http_method(request)
         url = extract_url(request)
+        Signer.normalize_path(url) if @normalize_path
         headers = downcase_headers(request[:headers])
 
         datetime = headers['x-amz-date']
@@ -251,29 +256,55 @@ module Aws
         sigv4_headers = {}
         sigv4_headers['host'] = headers['host'] || host(url)
         sigv4_headers['x-amz-date'] = datetime
-        sigv4_headers['x-amz-security-token'] = creds.session_token if creds.session_token
+        if creds.session_token && !@omit_session_token
+          if @signing_algorithm == 'sigv4-s3express'.to_sym
+            sigv4_headers['x-amz-s3session-token'] = creds.session_token
+          else
+            sigv4_headers['x-amz-security-token'] = creds.session_token
+          end
+        end
+
         sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
 
+        if @signing_algorithm == :sigv4a && @region && !@region.empty?
+          sigv4_headers['x-amz-region-set'] = @region
+        end
         headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
 
+        algorithm = sts_algorithm
+
         # compute signature parts
         creq = canonical_request(http_method, url, headers, content_sha256)
-        sts = string_to_sign(datetime, creq)
-        sig = signature(creds.secret_access_key, date, sts)
+        sts = string_to_sign(datetime, creq, algorithm)
+
+        sig =
+          if @signing_algorithm == :sigv4a
+            asymmetric_signature(creds, sts)
+          else
+            signature(creds.secret_access_key, date, sts)
+          end
+
+        algorithm = sts_algorithm
 
         # apply signature
         sigv4_headers['authorization'] = [
-          "AWS4-HMAC-SHA256 Credential=#{credential(creds, date)}",
+          "#{algorithm} Credential=#{credential(creds, date)}",
           "SignedHeaders=#{signed_headers(headers)}",
           "Signature=#{sig}",
         ].join(', ')
 
+        # skip signing the session token, but include it in the headers
+        if creds.session_token && @omit_session_token
+          sigv4_headers['x-amz-security-token'] = creds.session_token
+        end
+
         # Returning the signature components.
         Signature.new(
           headers: sigv4_headers,
           string_to_sign: sts,
           canonical_request: creq,
-          content_sha256: content_sha256
+          content_sha256: content_sha256,
+          signature: sig
         )
       end
 
@@ -314,7 +345,7 @@ module Aws
       #   hex-encoded string using #unpack
       def sign_event(prior_signature, payload, encoder)
         # Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
-        creds = fetch_credentials
+        creds, _ = fetch_credentials
         time = Time.now
         headers = {}
 
@@ -403,10 +434,11 @@ module Aws
 
         return crt_presign_url(options) if Signer.use_crt?
 
-        creds = fetch_credentials
+        creds, expiration = fetch_credentials
 
         http_method = extract_http_method(options)
         url = extract_url(options)
+        Signer.normalize_path(url) if @normalize_path
 
         headers = downcase_headers(options[:headers])
         headers['host'] ||= host(url)
@@ -419,14 +451,26 @@ module Aws
         content_sha256 ||= options[:body_digest]
         content_sha256 ||= sha256_hexdigest(options[:body] || '')
 
+        algorithm = sts_algorithm
+
         params = {}
-        params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
+        params['X-Amz-Algorithm'] = algorithm
         params['X-Amz-Credential'] = credential(creds, date)
         params['X-Amz-Date'] = datetime
-        params['X-Amz-Expires'] = extract_expires_in(options)
-        params['X-Amz-Security-Token'] = creds.session_token if creds.session_token
+        params['X-Amz-Expires'] = presigned_url_expiration(options, expiration, Time.strptime(datetime, "%Y%m%dT%H%M%S%Z")).to_s
+        if creds.session_token
+          if @signing_algorithm == 'sigv4-s3express'.to_sym
+            params['X-Amz-S3session-Token'] = creds.session_token
+          else
+            params['X-Amz-Security-Token'] = creds.session_token
+          end
+        end
         params['X-Amz-SignedHeaders'] = signed_headers(headers)
 
+        if @signing_algorithm == :sigv4a && @region
+          params['X-Amz-Region-Set'] = @region
+        end
+
         params = params.map do |key, value|
           "#{uri_escape(key)}=#{uri_escape(value)}"
         end.join('&')
@@ -438,13 +482,23 @@ module Aws
         end
 
         creq = canonical_request(http_method, url, headers, content_sha256)
-        sts = string_to_sign(datetime, creq)
-        url.query += '&X-Amz-Signature=' + signature(creds.secret_access_key, date, sts)
+        sts = string_to_sign(datetime, creq, algorithm)
+        signature =
+          if @signing_algorithm == :sigv4a
+            asymmetric_signature(creds, sts)
+          else
+            signature(creds.secret_access_key, date, sts)
+          end
+        url.query += '&X-Amz-Signature=' + signature
         url
       end
 
       private
 
+      def sts_algorithm
+        @signing_algorithm == :sigv4a ? 'AWS4-ECDSA-P256-SHA256' : 'AWS4-HMAC-SHA256'
+      end
+
       def canonical_request(http_method, url, headers, content_sha256)
         [
           http_method,
@@ -456,9 +510,9 @@ module Aws
         ].join("\n")
       end
 
-      def string_to_sign(datetime, canonical_request)
+      def string_to_sign(datetime, canonical_request, algorithm)
         [
-          'AWS4-HMAC-SHA256',
+          algorithm,
           datetime,
           credential_scope(datetime[0,8]),
           sha256_hexdigest(canonical_request),
@@ -491,10 +545,10 @@ module Aws
       def credential_scope(date)
         [
           date,
-          @region,
+          (@region unless @signing_algorithm == :sigv4a),
           @service,
-          'aws4_request',
-        ].join('/')
+          'aws4_request'
+        ].compact.join('/')
       end
 
       def credential(credentials, date)
@@ -509,6 +563,16 @@ module Aws
         hexhmac(k_credentials, string_to_sign)
       end
 
+      def asymmetric_signature(creds, string_to_sign)
+        ec, _ = Aws::Sigv4::AsymmetricCredentials.derive_asymmetric_key(
+          creds.access_key_id, creds.secret_access_key
+        )
+        sts_digest = OpenSSL::Digest::SHA256.digest(string_to_sign)
+        s = ec.dsa_sign_asn1(sts_digest)
+
+        Digest.hexencode(s)
+      end
+
       # Comparing to original signature v4 algorithm,
       # returned signature is a binary string instread of
       # hex-encoded string. (Since ':chunk-signature' requires
@@ -526,7 +590,6 @@ module Aws
         hmac(k_credentials, string_to_sign)
       end
 
-
       def path(url)
         path = url.path
         path = '/' if path == ''
@@ -682,8 +745,8 @@ module Aws
 
       def extract_expires_in(options)
         case options[:expires_in]
-        when nil then 900.to_s
-        when Integer then options[:expires_in].to_s
+        when nil then 900
+        when Integer then options[:expires_in]
         else
           msg = "expected :expires_in to be a number of seconds"
           raise ArgumentError, msg
@@ -698,11 +761,14 @@ module Aws
         self.class.uri_escape_path(string)
       end
 
-
       def fetch_credentials
         credentials = @credentials_provider.credentials
         if credentials_set?(credentials)
-          credentials
+          expiration = nil
+          if @credentials_provider.respond_to?(:expiration)
+            expiration = @credentials_provider.expiration
+          end
+          [credentials, expiration]
         else
           raise Errors::MissingCredentialsError,
           'unable to sign request without credentials set'
@@ -720,21 +786,37 @@ module Aws
           !credentials.secret_access_key.empty?
       end
 
+      def presigned_url_expiration(options, expiration, datetime)
+        expires_in = extract_expires_in(options)
+        return expires_in unless expiration
+
+        expiration_seconds = (expiration - datetime).to_i
+        # In the static stability case, credentials may expire in the past
+        # but still be valid.  For those cases, use the user configured
+        # expires_in and ingore expiration.
+        if expiration_seconds <= 0
+          expires_in
+        else
+          [expires_in, expiration_seconds].min
+        end
+      end
+
       ### CRT Code
 
       # the credentials used by CRT must be a
       # CRT StaticCredentialsProvider object
       def crt_fetch_credentials
-        creds = fetch_credentials
-        Aws::Crt::Auth::StaticCredentialsProvider.new(
+        creds, expiration = fetch_credentials
+        crt_creds = Aws::Crt::Auth::StaticCredentialsProvider.new(
           creds.access_key_id,
           creds.secret_access_key,
           creds.session_token
         )
+        [crt_creds, expiration]
       end
 
       def crt_sign_request(request)
-        creds = crt_fetch_credentials
+        creds, _ = crt_fetch_credentials
         http_method = extract_http_method(request)
         url = extract_url(request)
         headers = downcase_headers(request[:headers])
@@ -793,14 +875,14 @@ module Aws
       end
 
       def crt_presign_url(options)
-        creds = crt_fetch_credentials
+        creds, expiration = crt_fetch_credentials
 
         http_method = extract_http_method(options)
         url = extract_url(options)
         headers = downcase_headers(options[:headers])
         headers['host'] ||= host(url)
 
-        datetime = headers.delete('x-amz-date')
+        datetime = Time.strptime(headers.delete('x-amz-date'), "%Y%m%dT%H%M%S%Z") if headers['x-amz-date']
         datetime ||= (options[:time] || Time.now)
 
         content_sha256 = headers.delete('x-amz-content-sha256')
@@ -821,7 +903,7 @@ module Aws
           use_double_uri_encode: @uri_escape_path,
           should_normalize_uri_path: @normalize_path,
           omit_session_token: @omit_session_token,
-          expiration_in_seconds: options.fetch(:expires_in, 900)
+          expiration_in_seconds: presigned_url_expiration(options, expiration, datetime)
         )
         http_request = Aws::Crt::Http::Message.new(
           http_method, url.to_s, headers
@@ -858,6 +940,18 @@ module Aws
           end
         end
 
+        # @api private
+        def normalize_path(uri)
+          normalized_path = Pathname.new(uri.path).cleanpath.to_s
+          # Pathname is probably not correct to use. Empty paths will
+          # resolve to "." and should be disregarded
+          normalized_path = '' if normalized_path == '.'
+          # Ensure trailing slashes are correctly preserved
+          if uri.path.end_with?('/') && !normalized_path.end_with?('/')
+            normalized_path << '/'
+          end
+          uri.path = normalized_path
+        end
       end
     end
   end

data/lib/aws-sigv4.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'aws-sigv4/asymmetric_credentials'
 require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.5.2
+  version: 1.9.1
 platform: ruby
 authors:
 - Amazon Web Services
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-30 00:00:00.000000000 Z
+date: 2024-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-eventstream
@@ -32,7 +32,7 @@ dependencies:
         version: 1.0.2
 description: Amazon Web Services Signature Version 4 signing library. Generates sigv4
   signature for HTTP requests.
-email: 
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -41,6 +41,7 @@ files:
 - LICENSE.txt
 - VERSION
 - lib/aws-sigv4.rb
+- lib/aws-sigv4/asymmetric_credentials.rb
 - lib/aws-sigv4/credentials.rb
 - lib/aws-sigv4/errors.rb
 - lib/aws-sigv4/request.rb
@@ -52,7 +53,7 @@ licenses:
 metadata:
   source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4
   changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -60,15 +61,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: AWS Signature Version 4 library.
 test_files: []