aws-sigv4 1.9.1 → 1.10.1

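--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: d6c968ea3d1cff2c3e6ff056a38658ce9af6f2f9b3d5fce948003a063c1f785e
- data.tar.gz: '008ac56a37950824779768b8e3e942a711a0cae225231e9f9897e0426a18d121'
+ metadata.gz: 05aa41853460311d09022d38c02afd09077ca66517160c73022f650168a6efbc
+ data.tar.gz: b9e7a93a0007cb185b93fc4939d254e1ac263a442ff470ec1ba9bd8d2975e0aa
  SHA512:
- metadata.gz: 49dfbb860585de3ca7f1f84e3ff2fa059025098fe3a0baf4ab4c4fd1ff6bdb4dab85b17b040ebc7fa5db743d1f5da9a4b0975187d2bf60aabfc29e9674b22ee3
- data.tar.gz: 315d89e1c67bfc3938f267dcf50e47842f7cac514b07df07cc642be2bc99fbc55dd7256f564868c6f3e61ee125aa71d26a98af01c734a924aaa0ae5ac8e084e4
+ metadata.gz: b12f9e162a36d33d405ab66ccb2c8bdb1d3c0f7d66ec4c4460a59a95b78a178dbc6e270a524901a3e689b496dbed4b1422e6fa5f27786159e46cd2e13e26a2c0
+ data.tar.gz: f18c1d784aeec37245654255f4abb14ba0183f8a1bb33836c2167df66c3005bb0d7d7c190c8d8cff7dedc0a2d8c8f4debf631fc6716b6d8a2db24eadf9926a47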
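--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,16 @@
  Unreleased Changes
  ------------------
 
+ 1.10.1 (2024-10-21)
+ ------------------
+
+ * Issue - Fix sigv4a signing issue with derive_asymmetric_key for certain credentials.
+
+ 1.10.0 (2024-09-17)
+ ------------------
+
+ * Feature - Remove CRT `sigv4a` signing capability.
+
  1.9.1 (2024-07-29)
  ------------------
 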
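--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 1.9.1
+ 1.10.1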
@@ -60,6 +60,16 @@ module Aws
60
60
  x
61
61
  end
62
62
 
63
+ # @return [Array] value of the BigNumber as a big-endian unsigned byte array.
64
+ def self.bn_to_be_bytes(bn)
65
+ bytes = []
66
+ while bn > 0
67
+ bytes << (bn & 0xff)
68
+ bn = bn >> 8
69
+ end
70
+ bytes.reverse
71
+ end
72
+
63
73
  # Prior to openssl3 we could directly set public and private key on EC
64
74
  # However, openssl3 deprecated those methods and we must now construct
65
75
  # a der with the keys and load the EC from it.
@@ -67,7 +77,7 @@ module Aws
67
77
  # format reversed from: OpenSSL::ASN1.decode_all(OpenSSL::PKey::EC.new.to_der)
68
78
  asn1 = OpenSSL::ASN1::Sequence([
69
79
  OpenSSL::ASN1::Integer(OpenSSL::BN.new(1)),
70
- OpenSSL::ASN1::OctetString([d.to_s(16)].pack('H*')),
80
+ OpenSSL::ASN1::OctetString(bn_to_be_bytes(d).pack('C*')),
71
81
  OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::ObjectId("prime256v1")], 0, :CONTEXT_SPECIFIC),
72
82
  OpenSSL::ASN1::ASN1Data.new(
73
83
  [OpenSSL::ASN1::BitString(public_key.to_octet_string(:uncompressed))],
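Review bot: `bn_to_be_bytes(d).pack('C*')` in the second hunk emits the shortest encoding of `d`, so a private scalar whose most significant byte is zero produces an OctetString shorter than 32 bytes, while RFC 5915 defines privateKey as a fixed-length field (32 bytes for prime256v1). OpenSSL is likely to accept the short form, but that is inferred rather than shown on this page; left-padding removes the dependency: `OpenSSL::ASN1::OctetString(bn_to_be_bytes(d).pack('C*').rjust(32, "\x00"))`. The `@return` comment on `bn_to_be_bytes` could also state that an input of zero yields an empty array, since the loop body never runs. A regression test with one credential whose derived `d` has an odd-length hex form and one with a leading zero byte would pin both encodings. Both enclosing definitions start or end outside the hunks.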
@@ -74,15 +74,6 @@ module Aws
74
74
  # and `#session_token`.
75
75
  #
76
76
  class Signer
77
-
78
- @@use_crt =
79
- begin
80
- require 'aws-crt'
81
- true
82
- rescue LoadError
83
- false
84
- end
85
-
86
77
  # @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
87
78
  # @param [String] :service The service signing name, e.g. 's3'.
88
79
  # @param [String] :region The region name, e.g. 'us-east-1'. When signing
@@ -154,13 +145,6 @@ module Aws
154
145
  @signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
155
146
  @normalize_path = options.fetch(:normalize_path, true)
156
147
  @omit_session_token = options.fetch(:omit_session_token, false)
157
-
158
- if @signing_algorithm == 'sigv4-s3express'.to_sym &&
159
- Signer.use_crt? && Aws::Crt::GEM_VERSION <= '0.1.9'
160
- raise ArgumentError,
161
- 'This version of aws-crt does not support S3 Express. Please
162
- update this gem to at least version 0.2.0.'
163
- end
164
148
  end
165
149
 
166
150
  # @return [String]
@@ -236,9 +220,6 @@ module Aws
236
220
  # a `#headers` method. The headers must be applied to your request.
237
221
  #
238
222
  def sign_request(request)
239
-
240
- return crt_sign_request(request) if Signer.use_crt?
241
-
242
223
  creds, _ = fetch_credentials
243
224
 
244
225
  http_method = extract_http_method(request)
@@ -344,7 +325,6 @@ module Aws
344
325
  # signature value (a binary string) used at ':chunk-signature' needs to converted to
345
326
  # hex-encoded string using #unpack
346
327
  def sign_event(prior_signature, payload, encoder)
347
- # Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
348
328
  creds, _ = fetch_credentials
349
329
  time = Time.now
350
330
  headers = {}
@@ -431,9 +411,6 @@ module Aws
431
411
  # @return [HTTPS::URI, HTTP::URI]
432
412
  #
433
413
  def presign_url(options)
434
-
435
- return crt_presign_url(options) if Signer.use_crt?
436
-
437
414
  creds, expiration = fetch_credentials
438
415
 
439
416
  http_method = extract_http_method(options)
@@ -801,129 +778,12 @@ module Aws
801
778
  end
802
779
  end
803
780
 
804
- ### CRT Code
805
-
806
- # the credentials used by CRT must be a
807
- # CRT StaticCredentialsProvider object
808
- def crt_fetch_credentials
809
- creds, expiration = fetch_credentials
810
- crt_creds = Aws::Crt::Auth::StaticCredentialsProvider.new(
811
- creds.access_key_id,
812
- creds.secret_access_key,
813
- creds.session_token
814
- )
815
- [crt_creds, expiration]
816
- end
817
-
818
- def crt_sign_request(request)
819
- creds, _ = crt_fetch_credentials
820
- http_method = extract_http_method(request)
821
- url = extract_url(request)
822
- headers = downcase_headers(request[:headers])
823
-
824
- datetime =
825
- if headers.include? 'x-amz-date'
826
- Time.parse(headers.delete('x-amz-date'))
827
- end
828
-
829
- content_sha256 = headers.delete('x-amz-content-sha256')
830
- content_sha256 ||= sha256_hexdigest(request[:body] || '')
831
-
832
- sigv4_headers = {}
833
- sigv4_headers['host'] = headers['host'] || host(url)
834
-
835
- # Modify the user-agent to add usage of crt-signer
836
- # This should be temporary during developer preview only
837
- if headers.include? 'user-agent'
838
- headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
839
- sigv4_headers['user-agent'] = headers['user-agent']
840
- end
841
-
842
- headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
843
-
844
- config = Aws::Crt::Auth::SigningConfig.new(
845
- algorithm: @signing_algorithm,
846
- signature_type: :http_request_headers,
847
- region: @region,
848
- service: @service,
849
- date: datetime,
850
- signed_body_value: content_sha256,
851
- signed_body_header_type: @apply_checksum_header ?
852
- :sbht_content_sha256 : :sbht_none,
853
- credentials: creds,
854
- unsigned_headers: @unsigned_headers,
855
- use_double_uri_encode: @uri_escape_path,
856
- should_normalize_uri_path: @normalize_path,
857
- omit_session_token: @omit_session_token
858
- )
859
- http_request = Aws::Crt::Http::Message.new(
860
- http_method, url.to_s, headers
861
- )
862
- signable = Aws::Crt::Auth::Signable.new(http_request)
863
-
864
- signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
865
-
866
- Signature.new(
867
- headers: sigv4_headers.merge(
868
- downcase_headers(signing_result[:headers])
869
- ),
870
- string_to_sign: 'CRT_INTERNAL',
871
- canonical_request: 'CRT_INTERNAL',
872
- content_sha256: content_sha256,
873
- extra: {config: config, signable: signable}
874
- )
875
- end
876
-
877
- def crt_presign_url(options)
878
- creds, expiration = crt_fetch_credentials
879
-
880
- http_method = extract_http_method(options)
881
- url = extract_url(options)
882
- headers = downcase_headers(options[:headers])
883
- headers['host'] ||= host(url)
884
-
885
- datetime = Time.strptime(headers.delete('x-amz-date'), "%Y%m%dT%H%M%S%Z") if headers['x-amz-date']
886
- datetime ||= (options[:time] || Time.now)
887
-
888
- content_sha256 = headers.delete('x-amz-content-sha256')
889
- content_sha256 ||= options[:body_digest]
890
- content_sha256 ||= sha256_hexdigest(options[:body] || '')
891
-
892
- config = Aws::Crt::Auth::SigningConfig.new(
893
- algorithm: @signing_algorithm,
894
- signature_type: :http_request_query_params,
895
- region: @region,
896
- service: @service,
897
- date: datetime,
898
- signed_body_value: content_sha256,
899
- signed_body_header_type: @apply_checksum_header ?
900
- :sbht_content_sha256 : :sbht_none,
901
- credentials: creds,
902
- unsigned_headers: @unsigned_headers,
903
- use_double_uri_encode: @uri_escape_path,
904
- should_normalize_uri_path: @normalize_path,
905
- omit_session_token: @omit_session_token,
906
- expiration_in_seconds: presigned_url_expiration(options, expiration, datetime)
907
- )
908
- http_request = Aws::Crt::Http::Message.new(
909
- http_method, url.to_s, headers
910
- )
911
- signable = Aws::Crt::Auth::Signable.new(http_request)
912
-
913
- signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
914
- url = URI.parse(signing_result[:path])
915
-
916
- if options[:extra] && options[:extra].is_a?(Hash)
917
- options[:extra][:config] = config
918
- options[:extra][:signable] = signable
919
- end
920
- url
921
- end
922
-
923
781
  class << self
924
782
 
783
+ # Kept for backwards compatability
784
+ # Always return false since we are not using crt signing functionality
925
785
  def use_crt?
926
- @@use_crt
786
+ false
927
787
  end
928
788
 
929
789
  # @api private
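Review bot: `use_crt?` in the last hunk is kept only for compatibility and now returns a constant, but nothing marks it as obsolete for callers or generated docs; a YARD tag such as `# @deprecated CRT signing was removed in 1.10.0; always returns false.` above the method would do that. Callers that branched on `Signer.use_crt?` take the pure-Ruby signing path after upgrading without any signal, so the changelog entry could mention the method's new constant result as well. The `class << self` block continues outside the hunk.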
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sigv4
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.9.1
4
+ version: 1.10.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-07-29 00:00:00.000000000 Z
11
+ date: 2024-10-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-eventstream