aws-sigv4 1.9.1 → 1.12.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +25 -0
- data/VERSION +1 -1
- data/lib/aws-sigv4/asymmetric_credentials.rb +11 -3
- data/lib/aws-sigv4/request.rb +3 -3
- data/lib/aws-sigv4/signer.rb +7 -146
- metadata +4 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 58318b8045877e5842f7c0793c856e30b6bba8425988a4929bca3aaaf64fcc06
|
|
4
|
+
data.tar.gz: c9de352d0dee1c35637e86d1d4a3a8817d3ee6a4c3595f8e86436cf216d0a35d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b22918d3e6a784f4198b9b3583b6ce34e492819ec401862333d29f7c456402fe10718f7e9f30479d5097b89b19d8030400647572ee7204b8729093b16290f3f2
|
|
7
|
+
data.tar.gz: c15f22f66888fa2bbe1822bd833c2bc87c216b3c082ba1961682e0dcd2f5c0f427c2126ffb04354a3ba2b47c5a3fb375ad2381be543021b089687f589a4565fd
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,31 @@
|
|
|
1
1
|
Unreleased Changes
|
|
2
2
|
------------------
|
|
3
3
|
|
|
4
|
+
1.12.1 (2025-06-10)
|
|
5
|
+
------------------
|
|
6
|
+
|
|
7
|
+
* Issue - Only load required `cgi` modules for Ruby 3.5.
|
|
8
|
+
|
|
9
|
+
1.12.0 (2025-06-02)
|
|
10
|
+
------------------
|
|
11
|
+
|
|
12
|
+
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.5 and 2.6.
|
|
13
|
+
|
|
14
|
+
1.11.0 (2025-01-10)
|
|
15
|
+
------------------
|
|
16
|
+
|
|
17
|
+
* Feature - Add RBS signature files to support static type checking
|
|
18
|
+
|
|
19
|
+
1.10.1 (2024-10-21)
|
|
20
|
+
------------------
|
|
21
|
+
|
|
22
|
+
* Issue - Fix sigv4a signing issue with derive_asymmetric_key for certain credentials.
|
|
23
|
+
|
|
24
|
+
1.10.0 (2024-09-17)
|
|
25
|
+
------------------
|
|
26
|
+
|
|
27
|
+
* Feature - Remove CRT `sigv4a` signing capability.
|
|
28
|
+
|
|
4
29
|
1.9.1 (2024-07-29)
|
|
5
30
|
------------------
|
|
6
31
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.12.1
|
|
@@ -11,8 +11,6 @@ module Aws
|
|
|
11
11
|
|
|
12
12
|
N_MINUS_2 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 - 2
|
|
13
13
|
|
|
14
|
-
# @param [String] :access_key_id
|
|
15
|
-
# @param [String] :secret_access_key
|
|
16
14
|
# @return [OpenSSL::PKey::EC, Hash]
|
|
17
15
|
def self.derive_asymmetric_key(access_key_id, secret_access_key)
|
|
18
16
|
check_openssl_support!
|
|
@@ -60,6 +58,16 @@ module Aws
|
|
|
60
58
|
x
|
|
61
59
|
end
|
|
62
60
|
|
|
61
|
+
# @return [Array] value of the BigNumber as a big-endian unsigned byte array.
|
|
62
|
+
def self.bn_to_be_bytes(bn)
|
|
63
|
+
bytes = []
|
|
64
|
+
while bn > 0
|
|
65
|
+
bytes << (bn & 0xff)
|
|
66
|
+
bn = bn >> 8
|
|
67
|
+
end
|
|
68
|
+
bytes.reverse
|
|
69
|
+
end
|
|
70
|
+
|
|
63
71
|
# Prior to openssl3 we could directly set public and private key on EC
|
|
64
72
|
# However, openssl3 deprecated those methods and we must now construct
|
|
65
73
|
# a der with the keys and load the EC from it.
|
|
@@ -67,7 +75,7 @@ module Aws
|
|
|
67
75
|
# format reversed from: OpenSSL::ASN1.decode_all(OpenSSL::PKey::EC.new.to_der)
|
|
68
76
|
asn1 = OpenSSL::ASN1::Sequence([
|
|
69
77
|
OpenSSL::ASN1::Integer(OpenSSL::BN.new(1)),
|
|
70
|
-
OpenSSL::ASN1::OctetString(
|
|
78
|
+
OpenSSL::ASN1::OctetString(bn_to_be_bytes(d).pack('C*')),
|
|
71
79
|
OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::ObjectId("prime256v1")], 0, :CONTEXT_SPECIFIC),
|
|
72
80
|
OpenSSL::ASN1::ASN1Data.new(
|
|
73
81
|
[OpenSSL::ASN1::BitString(public_key.to_octet_string(:uncompressed))],
|
data/lib/aws-sigv4/request.rb
CHANGED
|
@@ -7,7 +7,7 @@ module Aws
|
|
|
7
7
|
class Request
|
|
8
8
|
|
|
9
9
|
# @option options [required, String] :http_method
|
|
10
|
-
# @option options [required,
|
|
10
|
+
# @option options [required, String, URI::HTTP, URI::HTTPS] :endpoint
|
|
11
11
|
# @option options [Hash<String,String>] :headers ({})
|
|
12
12
|
# @option options [String, IO] :body ('')
|
|
13
13
|
def initialize(options = {})
|
|
@@ -30,12 +30,12 @@ module Aws
|
|
|
30
30
|
@http_method
|
|
31
31
|
end
|
|
32
32
|
|
|
33
|
-
# @param [String, HTTP
|
|
33
|
+
# @param [String, URI::HTTP, URI::HTTPS] endpoint
|
|
34
34
|
def endpoint=(endpoint)
|
|
35
35
|
@endpoint = URI.parse(endpoint.to_s)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
-
# @return [HTTP
|
|
38
|
+
# @return [URI::HTTP, URI::HTTPS]
|
|
39
39
|
def endpoint
|
|
40
40
|
@endpoint
|
|
41
41
|
end
|
data/lib/aws-sigv4/signer.rb
CHANGED
|
@@ -5,7 +5,8 @@ require 'tempfile'
|
|
|
5
5
|
require 'time'
|
|
6
6
|
require 'uri'
|
|
7
7
|
require 'set'
|
|
8
|
-
require
|
|
8
|
+
require "cgi/escape"
|
|
9
|
+
require "cgi/util" if RUBY_VERSION < "3.5"
|
|
9
10
|
require 'pathname'
|
|
10
11
|
require 'aws-eventstream'
|
|
11
12
|
|
|
@@ -74,15 +75,6 @@ module Aws
|
|
|
74
75
|
# and `#session_token`.
|
|
75
76
|
#
|
|
76
77
|
class Signer
|
|
77
|
-
|
|
78
|
-
@@use_crt =
|
|
79
|
-
begin
|
|
80
|
-
require 'aws-crt'
|
|
81
|
-
true
|
|
82
|
-
rescue LoadError
|
|
83
|
-
false
|
|
84
|
-
end
|
|
85
|
-
|
|
86
78
|
# @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
|
|
87
79
|
# @param [String] :service The service signing name, e.g. 's3'.
|
|
88
80
|
# @param [String] :region The region name, e.g. 'us-east-1'. When signing
|
|
@@ -154,13 +146,6 @@ module Aws
|
|
|
154
146
|
@signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
|
|
155
147
|
@normalize_path = options.fetch(:normalize_path, true)
|
|
156
148
|
@omit_session_token = options.fetch(:omit_session_token, false)
|
|
157
|
-
|
|
158
|
-
if @signing_algorithm == 'sigv4-s3express'.to_sym &&
|
|
159
|
-
Signer.use_crt? && Aws::Crt::GEM_VERSION <= '0.1.9'
|
|
160
|
-
raise ArgumentError,
|
|
161
|
-
'This version of aws-crt does not support S3 Express. Please
|
|
162
|
-
update this gem to at least version 0.2.0.'
|
|
163
|
-
end
|
|
164
149
|
end
|
|
165
150
|
|
|
166
151
|
# @return [String]
|
|
@@ -221,7 +206,7 @@ module Aws
|
|
|
221
206
|
# @option request [required, String] :http_method One of
|
|
222
207
|
# 'GET', 'HEAD', 'PUT', 'POST', 'PATCH', or 'DELETE'
|
|
223
208
|
#
|
|
224
|
-
# @option request [required, String, URI::
|
|
209
|
+
# @option request [required, String, URI::HTTP, URI::HTTPS] :url
|
|
225
210
|
# The request URI. Must be a valid HTTP or HTTPS URI.
|
|
226
211
|
#
|
|
227
212
|
# @option request [optional, Hash] :headers ({}) A hash of headers
|
|
@@ -236,9 +221,6 @@ module Aws
|
|
|
236
221
|
# a `#headers` method. The headers must be applied to your request.
|
|
237
222
|
#
|
|
238
223
|
def sign_request(request)
|
|
239
|
-
|
|
240
|
-
return crt_sign_request(request) if Signer.use_crt?
|
|
241
|
-
|
|
242
224
|
creds, _ = fetch_credentials
|
|
243
225
|
|
|
244
226
|
http_method = extract_http_method(request)
|
|
@@ -344,7 +326,6 @@ module Aws
|
|
|
344
326
|
# signature value (a binary string) used at ':chunk-signature' needs to converted to
|
|
345
327
|
# hex-encoded string using #unpack
|
|
346
328
|
def sign_event(prior_signature, payload, encoder)
|
|
347
|
-
# Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
|
|
348
329
|
creds, _ = fetch_credentials
|
|
349
330
|
time = Time.now
|
|
350
331
|
headers = {}
|
|
@@ -403,7 +384,7 @@ module Aws
|
|
|
403
384
|
# @option options [required, String] :http_method The HTTP request method,
|
|
404
385
|
# e.g. 'GET', 'HEAD', 'PUT', 'POST', 'PATCH', or 'DELETE'.
|
|
405
386
|
#
|
|
406
|
-
# @option options [required, String,
|
|
387
|
+
# @option options [required, String, URI::HTTP, URI::HTTPS] :url
|
|
407
388
|
# The URI to sign.
|
|
408
389
|
#
|
|
409
390
|
# @option options [Hash] :headers ({}) Headers that should
|
|
@@ -431,9 +412,6 @@ module Aws
|
|
|
431
412
|
# @return [HTTPS::URI, HTTP::URI]
|
|
432
413
|
#
|
|
433
414
|
def presign_url(options)
|
|
434
|
-
|
|
435
|
-
return crt_presign_url(options) if Signer.use_crt?
|
|
436
|
-
|
|
437
415
|
creds, expiration = fetch_credentials
|
|
438
416
|
|
|
439
417
|
http_method = extract_http_method(options)
|
|
@@ -801,129 +779,12 @@ module Aws
|
|
|
801
779
|
end
|
|
802
780
|
end
|
|
803
781
|
|
|
804
|
-
### CRT Code
|
|
805
|
-
|
|
806
|
-
# the credentials used by CRT must be a
|
|
807
|
-
# CRT StaticCredentialsProvider object
|
|
808
|
-
def crt_fetch_credentials
|
|
809
|
-
creds, expiration = fetch_credentials
|
|
810
|
-
crt_creds = Aws::Crt::Auth::StaticCredentialsProvider.new(
|
|
811
|
-
creds.access_key_id,
|
|
812
|
-
creds.secret_access_key,
|
|
813
|
-
creds.session_token
|
|
814
|
-
)
|
|
815
|
-
[crt_creds, expiration]
|
|
816
|
-
end
|
|
817
|
-
|
|
818
|
-
def crt_sign_request(request)
|
|
819
|
-
creds, _ = crt_fetch_credentials
|
|
820
|
-
http_method = extract_http_method(request)
|
|
821
|
-
url = extract_url(request)
|
|
822
|
-
headers = downcase_headers(request[:headers])
|
|
823
|
-
|
|
824
|
-
datetime =
|
|
825
|
-
if headers.include? 'x-amz-date'
|
|
826
|
-
Time.parse(headers.delete('x-amz-date'))
|
|
827
|
-
end
|
|
828
|
-
|
|
829
|
-
content_sha256 = headers.delete('x-amz-content-sha256')
|
|
830
|
-
content_sha256 ||= sha256_hexdigest(request[:body] || '')
|
|
831
|
-
|
|
832
|
-
sigv4_headers = {}
|
|
833
|
-
sigv4_headers['host'] = headers['host'] || host(url)
|
|
834
|
-
|
|
835
|
-
# Modify the user-agent to add usage of crt-signer
|
|
836
|
-
# This should be temporary during developer preview only
|
|
837
|
-
if headers.include? 'user-agent'
|
|
838
|
-
headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
|
|
839
|
-
sigv4_headers['user-agent'] = headers['user-agent']
|
|
840
|
-
end
|
|
841
|
-
|
|
842
|
-
headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
|
|
843
|
-
|
|
844
|
-
config = Aws::Crt::Auth::SigningConfig.new(
|
|
845
|
-
algorithm: @signing_algorithm,
|
|
846
|
-
signature_type: :http_request_headers,
|
|
847
|
-
region: @region,
|
|
848
|
-
service: @service,
|
|
849
|
-
date: datetime,
|
|
850
|
-
signed_body_value: content_sha256,
|
|
851
|
-
signed_body_header_type: @apply_checksum_header ?
|
|
852
|
-
:sbht_content_sha256 : :sbht_none,
|
|
853
|
-
credentials: creds,
|
|
854
|
-
unsigned_headers: @unsigned_headers,
|
|
855
|
-
use_double_uri_encode: @uri_escape_path,
|
|
856
|
-
should_normalize_uri_path: @normalize_path,
|
|
857
|
-
omit_session_token: @omit_session_token
|
|
858
|
-
)
|
|
859
|
-
http_request = Aws::Crt::Http::Message.new(
|
|
860
|
-
http_method, url.to_s, headers
|
|
861
|
-
)
|
|
862
|
-
signable = Aws::Crt::Auth::Signable.new(http_request)
|
|
863
|
-
|
|
864
|
-
signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
|
|
865
|
-
|
|
866
|
-
Signature.new(
|
|
867
|
-
headers: sigv4_headers.merge(
|
|
868
|
-
downcase_headers(signing_result[:headers])
|
|
869
|
-
),
|
|
870
|
-
string_to_sign: 'CRT_INTERNAL',
|
|
871
|
-
canonical_request: 'CRT_INTERNAL',
|
|
872
|
-
content_sha256: content_sha256,
|
|
873
|
-
extra: {config: config, signable: signable}
|
|
874
|
-
)
|
|
875
|
-
end
|
|
876
|
-
|
|
877
|
-
def crt_presign_url(options)
|
|
878
|
-
creds, expiration = crt_fetch_credentials
|
|
879
|
-
|
|
880
|
-
http_method = extract_http_method(options)
|
|
881
|
-
url = extract_url(options)
|
|
882
|
-
headers = downcase_headers(options[:headers])
|
|
883
|
-
headers['host'] ||= host(url)
|
|
884
|
-
|
|
885
|
-
datetime = Time.strptime(headers.delete('x-amz-date'), "%Y%m%dT%H%M%S%Z") if headers['x-amz-date']
|
|
886
|
-
datetime ||= (options[:time] || Time.now)
|
|
887
|
-
|
|
888
|
-
content_sha256 = headers.delete('x-amz-content-sha256')
|
|
889
|
-
content_sha256 ||= options[:body_digest]
|
|
890
|
-
content_sha256 ||= sha256_hexdigest(options[:body] || '')
|
|
891
|
-
|
|
892
|
-
config = Aws::Crt::Auth::SigningConfig.new(
|
|
893
|
-
algorithm: @signing_algorithm,
|
|
894
|
-
signature_type: :http_request_query_params,
|
|
895
|
-
region: @region,
|
|
896
|
-
service: @service,
|
|
897
|
-
date: datetime,
|
|
898
|
-
signed_body_value: content_sha256,
|
|
899
|
-
signed_body_header_type: @apply_checksum_header ?
|
|
900
|
-
:sbht_content_sha256 : :sbht_none,
|
|
901
|
-
credentials: creds,
|
|
902
|
-
unsigned_headers: @unsigned_headers,
|
|
903
|
-
use_double_uri_encode: @uri_escape_path,
|
|
904
|
-
should_normalize_uri_path: @normalize_path,
|
|
905
|
-
omit_session_token: @omit_session_token,
|
|
906
|
-
expiration_in_seconds: presigned_url_expiration(options, expiration, datetime)
|
|
907
|
-
)
|
|
908
|
-
http_request = Aws::Crt::Http::Message.new(
|
|
909
|
-
http_method, url.to_s, headers
|
|
910
|
-
)
|
|
911
|
-
signable = Aws::Crt::Auth::Signable.new(http_request)
|
|
912
|
-
|
|
913
|
-
signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
|
|
914
|
-
url = URI.parse(signing_result[:path])
|
|
915
|
-
|
|
916
|
-
if options[:extra] && options[:extra].is_a?(Hash)
|
|
917
|
-
options[:extra][:config] = config
|
|
918
|
-
options[:extra][:signable] = signable
|
|
919
|
-
end
|
|
920
|
-
url
|
|
921
|
-
end
|
|
922
|
-
|
|
923
782
|
class << self
|
|
924
783
|
|
|
784
|
+
# Kept for backwards compatability
|
|
785
|
+
# Always return false since we are not using crt signing functionality
|
|
925
786
|
def use_crt?
|
|
926
|
-
|
|
787
|
+
false
|
|
927
788
|
end
|
|
928
789
|
|
|
929
790
|
# @api private
|
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sigv4
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.12.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: bin
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date:
|
|
10
|
+
date: 1980-01-02 00:00:00.000000000 Z
|
|
12
11
|
dependencies:
|
|
13
12
|
- !ruby/object:Gem::Dependency
|
|
14
13
|
name: aws-eventstream
|
|
@@ -32,7 +31,6 @@ dependencies:
|
|
|
32
31
|
version: 1.0.2
|
|
33
32
|
description: Amazon Web Services Signature Version 4 signing library. Generates sigv4
|
|
34
33
|
signature for HTTP requests.
|
|
35
|
-
email:
|
|
36
34
|
executables: []
|
|
37
35
|
extensions: []
|
|
38
36
|
extra_rdoc_files: []
|
|
@@ -53,7 +51,6 @@ licenses:
|
|
|
53
51
|
metadata:
|
|
54
52
|
source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4
|
|
55
53
|
changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4/CHANGELOG.md
|
|
56
|
-
post_install_message:
|
|
57
54
|
rdoc_options: []
|
|
58
55
|
require_paths:
|
|
59
56
|
- lib
|
|
@@ -61,15 +58,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
61
58
|
requirements:
|
|
62
59
|
- - ">="
|
|
63
60
|
- !ruby/object:Gem::Version
|
|
64
|
-
version: '2.
|
|
61
|
+
version: '2.7'
|
|
65
62
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
66
63
|
requirements:
|
|
67
64
|
- - ">="
|
|
68
65
|
- !ruby/object:Gem::Version
|
|
69
66
|
version: '0'
|
|
70
67
|
requirements: []
|
|
71
|
-
rubygems_version: 3.
|
|
72
|
-
signing_key:
|
|
68
|
+
rubygems_version: 3.6.7
|
|
73
69
|
specification_version: 4
|
|
74
70
|
summary: AWS Signature Version 4 library.
|
|
75
71
|
test_files: []
|