aws-sigv4 1.9.1 → 1.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/VERSION +1 -1
- data/lib/aws-sigv4/asymmetric_credentials.rb +11 -3
- data/lib/aws-sigv4/request.rb +3 -3
- data/lib/aws-sigv4/signer.rb +5 -145
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fc29b65cc675de5b6f636497edd82f69292ea54f4b850f21583cc96535afca06
|
|
4
|
+
data.tar.gz: 21be8ec44bf2a733afdd03a72254c08463bc32fc7f85d3a22af42871a353ff0f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e360d1a9f0887f3717dd9f5ac5c523033b032f6e04870efab27c00d1d219921a9dd1ff30569ed2296ba122222c4c9913aa35a160d5bf3ba821b31c7d88a02446
|
|
7
|
+
data.tar.gz: 4c302c160726869e1c8d255137afcc65de10fa527436b86fce91e1e874735ffa67767505dfccc7aebdc56898958effbf28c05f853f287cc4ea7385076667af5c
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,21 @@
|
|
|
1
1
|
Unreleased Changes
|
|
2
2
|
------------------
|
|
3
3
|
|
|
4
|
+
1.11.0 (2025-01-10)
|
|
5
|
+
------------------
|
|
6
|
+
|
|
7
|
+
* Feature - Add RBS signature files to support static type checking
|
|
8
|
+
|
|
9
|
+
1.10.1 (2024-10-21)
|
|
10
|
+
------------------
|
|
11
|
+
|
|
12
|
+
* Issue - Fix sigv4a signing issue with derive_asymmetric_key for certain credentials.
|
|
13
|
+
|
|
14
|
+
1.10.0 (2024-09-17)
|
|
15
|
+
------------------
|
|
16
|
+
|
|
17
|
+
* Feature - Remove CRT `sigv4a` signing capability.
|
|
18
|
+
|
|
4
19
|
1.9.1 (2024-07-29)
|
|
5
20
|
------------------
|
|
6
21
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.11.0
|
|
@@ -11,8 +11,6 @@ module Aws
|
|
|
11
11
|
|
|
12
12
|
N_MINUS_2 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 - 2
|
|
13
13
|
|
|
14
|
-
# @param [String] :access_key_id
|
|
15
|
-
# @param [String] :secret_access_key
|
|
16
14
|
# @return [OpenSSL::PKey::EC, Hash]
|
|
17
15
|
def self.derive_asymmetric_key(access_key_id, secret_access_key)
|
|
18
16
|
check_openssl_support!
|
|
@@ -60,6 +58,16 @@ module Aws
|
|
|
60
58
|
x
|
|
61
59
|
end
|
|
62
60
|
|
|
61
|
+
# @return [Array] value of the BigNumber as a big-endian unsigned byte array.
|
|
62
|
+
def self.bn_to_be_bytes(bn)
|
|
63
|
+
bytes = []
|
|
64
|
+
while bn > 0
|
|
65
|
+
bytes << (bn & 0xff)
|
|
66
|
+
bn = bn >> 8
|
|
67
|
+
end
|
|
68
|
+
bytes.reverse
|
|
69
|
+
end
|
|
70
|
+
|
|
63
71
|
# Prior to openssl3 we could directly set public and private key on EC
|
|
64
72
|
# However, openssl3 deprecated those methods and we must now construct
|
|
65
73
|
# a der with the keys and load the EC from it.
|
|
@@ -67,7 +75,7 @@ module Aws
|
|
|
67
75
|
# format reversed from: OpenSSL::ASN1.decode_all(OpenSSL::PKey::EC.new.to_der)
|
|
68
76
|
asn1 = OpenSSL::ASN1::Sequence([
|
|
69
77
|
OpenSSL::ASN1::Integer(OpenSSL::BN.new(1)),
|
|
70
|
-
OpenSSL::ASN1::OctetString(
|
|
78
|
+
OpenSSL::ASN1::OctetString(bn_to_be_bytes(d).pack('C*')),
|
|
71
79
|
OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::ObjectId("prime256v1")], 0, :CONTEXT_SPECIFIC),
|
|
72
80
|
OpenSSL::ASN1::ASN1Data.new(
|
|
73
81
|
[OpenSSL::ASN1::BitString(public_key.to_octet_string(:uncompressed))],
|
data/lib/aws-sigv4/request.rb
CHANGED
|
@@ -7,7 +7,7 @@ module Aws
|
|
|
7
7
|
class Request
|
|
8
8
|
|
|
9
9
|
# @option options [required, String] :http_method
|
|
10
|
-
# @option options [required,
|
|
10
|
+
# @option options [required, String, URI::HTTP, URI::HTTPS] :endpoint
|
|
11
11
|
# @option options [Hash<String,String>] :headers ({})
|
|
12
12
|
# @option options [String, IO] :body ('')
|
|
13
13
|
def initialize(options = {})
|
|
@@ -30,12 +30,12 @@ module Aws
|
|
|
30
30
|
@http_method
|
|
31
31
|
end
|
|
32
32
|
|
|
33
|
-
# @param [String, HTTP
|
|
33
|
+
# @param [String, URI::HTTP, URI::HTTPS] endpoint
|
|
34
34
|
def endpoint=(endpoint)
|
|
35
35
|
@endpoint = URI.parse(endpoint.to_s)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
-
# @return [HTTP
|
|
38
|
+
# @return [URI::HTTP, URI::HTTPS]
|
|
39
39
|
def endpoint
|
|
40
40
|
@endpoint
|
|
41
41
|
end
|
data/lib/aws-sigv4/signer.rb
CHANGED
|
@@ -74,15 +74,6 @@ module Aws
|
|
|
74
74
|
# and `#session_token`.
|
|
75
75
|
#
|
|
76
76
|
class Signer
|
|
77
|
-
|
|
78
|
-
@@use_crt =
|
|
79
|
-
begin
|
|
80
|
-
require 'aws-crt'
|
|
81
|
-
true
|
|
82
|
-
rescue LoadError
|
|
83
|
-
false
|
|
84
|
-
end
|
|
85
|
-
|
|
86
77
|
# @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
|
|
87
78
|
# @param [String] :service The service signing name, e.g. 's3'.
|
|
88
79
|
# @param [String] :region The region name, e.g. 'us-east-1'. When signing
|
|
@@ -154,13 +145,6 @@ module Aws
|
|
|
154
145
|
@signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
|
|
155
146
|
@normalize_path = options.fetch(:normalize_path, true)
|
|
156
147
|
@omit_session_token = options.fetch(:omit_session_token, false)
|
|
157
|
-
|
|
158
|
-
if @signing_algorithm == 'sigv4-s3express'.to_sym &&
|
|
159
|
-
Signer.use_crt? && Aws::Crt::GEM_VERSION <= '0.1.9'
|
|
160
|
-
raise ArgumentError,
|
|
161
|
-
'This version of aws-crt does not support S3 Express. Please
|
|
162
|
-
update this gem to at least version 0.2.0.'
|
|
163
|
-
end
|
|
164
148
|
end
|
|
165
149
|
|
|
166
150
|
# @return [String]
|
|
@@ -221,7 +205,7 @@ module Aws
|
|
|
221
205
|
# @option request [required, String] :http_method One of
|
|
222
206
|
# 'GET', 'HEAD', 'PUT', 'POST', 'PATCH', or 'DELETE'
|
|
223
207
|
#
|
|
224
|
-
# @option request [required, String, URI::
|
|
208
|
+
# @option request [required, String, URI::HTTP, URI::HTTPS] :url
|
|
225
209
|
# The request URI. Must be a valid HTTP or HTTPS URI.
|
|
226
210
|
#
|
|
227
211
|
# @option request [optional, Hash] :headers ({}) A hash of headers
|
|
@@ -236,9 +220,6 @@ module Aws
|
|
|
236
220
|
# a `#headers` method. The headers must be applied to your request.
|
|
237
221
|
#
|
|
238
222
|
def sign_request(request)
|
|
239
|
-
|
|
240
|
-
return crt_sign_request(request) if Signer.use_crt?
|
|
241
|
-
|
|
242
223
|
creds, _ = fetch_credentials
|
|
243
224
|
|
|
244
225
|
http_method = extract_http_method(request)
|
|
@@ -344,7 +325,6 @@ module Aws
|
|
|
344
325
|
# signature value (a binary string) used at ':chunk-signature' needs to converted to
|
|
345
326
|
# hex-encoded string using #unpack
|
|
346
327
|
def sign_event(prior_signature, payload, encoder)
|
|
347
|
-
# Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
|
|
348
328
|
creds, _ = fetch_credentials
|
|
349
329
|
time = Time.now
|
|
350
330
|
headers = {}
|
|
@@ -403,7 +383,7 @@ module Aws
|
|
|
403
383
|
# @option options [required, String] :http_method The HTTP request method,
|
|
404
384
|
# e.g. 'GET', 'HEAD', 'PUT', 'POST', 'PATCH', or 'DELETE'.
|
|
405
385
|
#
|
|
406
|
-
# @option options [required, String,
|
|
386
|
+
# @option options [required, String, URI::HTTP, URI::HTTPS] :url
|
|
407
387
|
# The URI to sign.
|
|
408
388
|
#
|
|
409
389
|
# @option options [Hash] :headers ({}) Headers that should
|
|
@@ -431,9 +411,6 @@ module Aws
|
|
|
431
411
|
# @return [HTTPS::URI, HTTP::URI]
|
|
432
412
|
#
|
|
433
413
|
def presign_url(options)
|
|
434
|
-
|
|
435
|
-
return crt_presign_url(options) if Signer.use_crt?
|
|
436
|
-
|
|
437
414
|
creds, expiration = fetch_credentials
|
|
438
415
|
|
|
439
416
|
http_method = extract_http_method(options)
|
|
@@ -801,129 +778,12 @@ module Aws
|
|
|
801
778
|
end
|
|
802
779
|
end
|
|
803
780
|
|
|
804
|
-
### CRT Code
|
|
805
|
-
|
|
806
|
-
# the credentials used by CRT must be a
|
|
807
|
-
# CRT StaticCredentialsProvider object
|
|
808
|
-
def crt_fetch_credentials
|
|
809
|
-
creds, expiration = fetch_credentials
|
|
810
|
-
crt_creds = Aws::Crt::Auth::StaticCredentialsProvider.new(
|
|
811
|
-
creds.access_key_id,
|
|
812
|
-
creds.secret_access_key,
|
|
813
|
-
creds.session_token
|
|
814
|
-
)
|
|
815
|
-
[crt_creds, expiration]
|
|
816
|
-
end
|
|
817
|
-
|
|
818
|
-
def crt_sign_request(request)
|
|
819
|
-
creds, _ = crt_fetch_credentials
|
|
820
|
-
http_method = extract_http_method(request)
|
|
821
|
-
url = extract_url(request)
|
|
822
|
-
headers = downcase_headers(request[:headers])
|
|
823
|
-
|
|
824
|
-
datetime =
|
|
825
|
-
if headers.include? 'x-amz-date'
|
|
826
|
-
Time.parse(headers.delete('x-amz-date'))
|
|
827
|
-
end
|
|
828
|
-
|
|
829
|
-
content_sha256 = headers.delete('x-amz-content-sha256')
|
|
830
|
-
content_sha256 ||= sha256_hexdigest(request[:body] || '')
|
|
831
|
-
|
|
832
|
-
sigv4_headers = {}
|
|
833
|
-
sigv4_headers['host'] = headers['host'] || host(url)
|
|
834
|
-
|
|
835
|
-
# Modify the user-agent to add usage of crt-signer
|
|
836
|
-
# This should be temporary during developer preview only
|
|
837
|
-
if headers.include? 'user-agent'
|
|
838
|
-
headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
|
|
839
|
-
sigv4_headers['user-agent'] = headers['user-agent']
|
|
840
|
-
end
|
|
841
|
-
|
|
842
|
-
headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
|
|
843
|
-
|
|
844
|
-
config = Aws::Crt::Auth::SigningConfig.new(
|
|
845
|
-
algorithm: @signing_algorithm,
|
|
846
|
-
signature_type: :http_request_headers,
|
|
847
|
-
region: @region,
|
|
848
|
-
service: @service,
|
|
849
|
-
date: datetime,
|
|
850
|
-
signed_body_value: content_sha256,
|
|
851
|
-
signed_body_header_type: @apply_checksum_header ?
|
|
852
|
-
:sbht_content_sha256 : :sbht_none,
|
|
853
|
-
credentials: creds,
|
|
854
|
-
unsigned_headers: @unsigned_headers,
|
|
855
|
-
use_double_uri_encode: @uri_escape_path,
|
|
856
|
-
should_normalize_uri_path: @normalize_path,
|
|
857
|
-
omit_session_token: @omit_session_token
|
|
858
|
-
)
|
|
859
|
-
http_request = Aws::Crt::Http::Message.new(
|
|
860
|
-
http_method, url.to_s, headers
|
|
861
|
-
)
|
|
862
|
-
signable = Aws::Crt::Auth::Signable.new(http_request)
|
|
863
|
-
|
|
864
|
-
signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
|
|
865
|
-
|
|
866
|
-
Signature.new(
|
|
867
|
-
headers: sigv4_headers.merge(
|
|
868
|
-
downcase_headers(signing_result[:headers])
|
|
869
|
-
),
|
|
870
|
-
string_to_sign: 'CRT_INTERNAL',
|
|
871
|
-
canonical_request: 'CRT_INTERNAL',
|
|
872
|
-
content_sha256: content_sha256,
|
|
873
|
-
extra: {config: config, signable: signable}
|
|
874
|
-
)
|
|
875
|
-
end
|
|
876
|
-
|
|
877
|
-
def crt_presign_url(options)
|
|
878
|
-
creds, expiration = crt_fetch_credentials
|
|
879
|
-
|
|
880
|
-
http_method = extract_http_method(options)
|
|
881
|
-
url = extract_url(options)
|
|
882
|
-
headers = downcase_headers(options[:headers])
|
|
883
|
-
headers['host'] ||= host(url)
|
|
884
|
-
|
|
885
|
-
datetime = Time.strptime(headers.delete('x-amz-date'), "%Y%m%dT%H%M%S%Z") if headers['x-amz-date']
|
|
886
|
-
datetime ||= (options[:time] || Time.now)
|
|
887
|
-
|
|
888
|
-
content_sha256 = headers.delete('x-amz-content-sha256')
|
|
889
|
-
content_sha256 ||= options[:body_digest]
|
|
890
|
-
content_sha256 ||= sha256_hexdigest(options[:body] || '')
|
|
891
|
-
|
|
892
|
-
config = Aws::Crt::Auth::SigningConfig.new(
|
|
893
|
-
algorithm: @signing_algorithm,
|
|
894
|
-
signature_type: :http_request_query_params,
|
|
895
|
-
region: @region,
|
|
896
|
-
service: @service,
|
|
897
|
-
date: datetime,
|
|
898
|
-
signed_body_value: content_sha256,
|
|
899
|
-
signed_body_header_type: @apply_checksum_header ?
|
|
900
|
-
:sbht_content_sha256 : :sbht_none,
|
|
901
|
-
credentials: creds,
|
|
902
|
-
unsigned_headers: @unsigned_headers,
|
|
903
|
-
use_double_uri_encode: @uri_escape_path,
|
|
904
|
-
should_normalize_uri_path: @normalize_path,
|
|
905
|
-
omit_session_token: @omit_session_token,
|
|
906
|
-
expiration_in_seconds: presigned_url_expiration(options, expiration, datetime)
|
|
907
|
-
)
|
|
908
|
-
http_request = Aws::Crt::Http::Message.new(
|
|
909
|
-
http_method, url.to_s, headers
|
|
910
|
-
)
|
|
911
|
-
signable = Aws::Crt::Auth::Signable.new(http_request)
|
|
912
|
-
|
|
913
|
-
signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
|
|
914
|
-
url = URI.parse(signing_result[:path])
|
|
915
|
-
|
|
916
|
-
if options[:extra] && options[:extra].is_a?(Hash)
|
|
917
|
-
options[:extra][:config] = config
|
|
918
|
-
options[:extra][:signable] = signable
|
|
919
|
-
end
|
|
920
|
-
url
|
|
921
|
-
end
|
|
922
|
-
|
|
923
781
|
class << self
|
|
924
782
|
|
|
783
|
+
# Kept for backwards compatability
|
|
784
|
+
# Always return false since we are not using crt signing functionality
|
|
925
785
|
def use_crt?
|
|
926
|
-
|
|
786
|
+
false
|
|
927
787
|
end
|
|
928
788
|
|
|
929
789
|
# @api private
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sigv4
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.11.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2025-01-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-eventstream
|