aws-sigv4 1.8.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 482b4ffa8bd9e9e2d7dab0d61ab15553f0e8d05e1be2923b388157664a47a9fa
-  data.tar.gz: c5caa84527ca213826f8c802195430caacb25750530609f1b8d7267810808574
+  metadata.gz: 25c3ddf60803af303d37af469c7250ceba22d6a23e62bbfb7a9a82ae3d01b8e8
+  data.tar.gz: 36537ef12949c9d0a632060485c3dcf340176a8241c3e65828e47991581e7c89
 SHA512:
-  metadata.gz: c16c5df7f8c6ca10cf073c25984506ce938f26823f99d82813b5bde3fb283d23a3c480adec2945b98975946a7b32efe57a0058cd65bb383606c5ee5228711381
-  data.tar.gz: b72ea1894eb1c419179325f8e715fb454ab02ae2d1ac243b90ed2f4032c0fd966ba157287a12009587908d0a6a2f62261c78e319a230196792b6ec4206a20718
+  metadata.gz: aa33926ae5a1804fee36cce9b7cadead40d9d5806154e62840be377c663d94dbac07ea537601f4fa47c1d4861dccb3bdf7801b2b1edf256a0a452a73fdf2c9de
+  data.tar.gz: 8e1e705a6dfef2edd5af640de60f01321f1a811f41f407e906f08881d83d197ba9011c4ed3d2a218f6f17f94fcd602e0a6759abcf7c5e5e27f5d66465c3f3f3c

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.9.0 (2024-07-23)
+------------------
+
+* Feature - Support `sigv4a` signing algorithm without `aws-crt`.
+
 1.8.0 (2023-11-28)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.8.0
+1.9.0

data/lib/aws-sigv4/asymmetric_credentials.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Aws
+  module Sigv4
+    # To make it easier to support mixed mode, we have created an asymmetric
+    # key derivation mechanism. This module derives
+    # asymmetric keys from the current secret for use with
+    # Asymmetric signatures.
+    # @api private
+    module AsymmetricCredentials
+
+      N_MINUS_2 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 - 2
+
+      # @param [String] :access_key_id
+      # @param [String] :secret_access_key
+      # @return [OpenSSL::PKey::EC, Hash]
+      def self.derive_asymmetric_key(access_key_id, secret_access_key)
+        check_openssl_support!
+        label = 'AWS4-ECDSA-P256-SHA256'
+        bit_len = 256
+        counter = 0x1
+        input_key = "AWS4A#{secret_access_key}"
+        d = 0 # d will end up being the private key
+        while true do
+
+          kdf_context = access_key_id.unpack('C*') + [counter].pack('C').unpack('C') #1 byte for counter
+          input = label.unpack('C*') + [0x00] + kdf_context + [bit_len].pack('L>').unpack('CCCC') # 4 bytes (change endianess)
+          k0 = OpenSSL::HMAC.digest("SHA256", input_key, ([0, 0, 0, 0x01] + input).pack('C*'))
+          c = be_bytes_to_num( k0.unpack('C*') )
+          if c <= N_MINUS_2
+            d = c + 1
+            break
+          elsif counter > 0xFF
+            raise 'Counter exceeded 1 byte - unable to get asym creds'
+          else
+            counter += 1
+          end
+        end
+
+        # compute the public key
+        group = OpenSSL::PKey::EC::Group.new('prime256v1')
+        public_key = group.generator.mul(d)
+
+        ec = generate_ec(public_key, d)
+
+        # pk_x and pk_y are not needed for signature, but useful in verification/testing
+        pk_b = public_key.to_octet_string(:uncompressed).unpack('C*') # 0x04 byte followed by 2 32-byte integers
+        pk_x = be_bytes_to_num(pk_b[1,32])
+        pk_y = be_bytes_to_num(pk_b[33,32])
+        [ec, {ec: ec, public_key: public_key, pk_x: pk_x, pk_y: pk_y, d: d}]
+      end
+
+      private
+
+      # @return [Number] The value of the bytes interpreted as a big-endian
+      # unsigned integer.
+      def self.be_bytes_to_num(bytes)
+        x = 0
+        bytes.each { |b| x = (x*256) + b }
+        x
+      end
+
+      # Prior to openssl3 we could directly set public and private key on EC
+      # However, openssl3 deprecated those methods and we must now construct
+      # a der with the keys and load the EC from it.
+      def self.generate_ec(public_key, d)
+        # format reversed from: OpenSSL::ASN1.decode_all(OpenSSL::PKey::EC.new.to_der)
+        asn1 = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(OpenSSL::BN.new(1)),
+          OpenSSL::ASN1::OctetString([d.to_s(16)].pack('H*')),
+          OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::ObjectId("prime256v1")], 0, :CONTEXT_SPECIFIC),
+          OpenSSL::ASN1::ASN1Data.new(
+            [OpenSSL::ASN1::BitString(public_key.to_octet_string(:uncompressed))],
+            1, :CONTEXT_SPECIFIC
+          )
+        ])
+        OpenSSL::PKey::EC.new(asn1.to_der)
+      end
+
+      def self.check_openssl_support!
+        return true unless defined?(JRUBY_VERSION)
+
+        # See: https://github.com/jruby/jruby-openssl/issues/306
+        # JRuby-openssl < 0.15 does not support OpenSSL::PKey::EC::Point#mul
+        return true if OpenSSL::PKey::EC::Point.instance_methods.include?(:mul)
+
+        raise 'Sigv4a Asymmetric Credential derivation requires jruby-openssl >= 0.15'
+      end
+    end
+  end
+end

data/lib/aws-sigv4/signature.rb

@@ -32,6 +32,9 @@ module Aws
       # @return [String] For debugging purposes.
       attr_accessor :content_sha256
 
+      # @return [String] For debugging purposes.
+      attr_accessor :signature
+
       # @return [Hash] Internal data for debugging purposes.
       attr_accessor :extra
     end

data/lib/aws-sigv4/signer.rb

@@ -84,14 +84,16 @@ module Aws
 
       # @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
-      #   @param [String] :region The region name, e.g. 'us-east-1'.
+      #   @param [String] :region The region name, e.g. 'us-east-1'. When signing
+      #    with sigv4a, this should be a comma separated list of regions.
       #   @param [String] :access_key_id
       #   @param [String] :secret_access_key
       #   @param [String] :session_token (nil)
       #
       # @overload initialize(service:, region:, credentials:, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
-      #   @param [String] :region The region name, e.g. 'us-east-1'.
+      #   @param [String] :region The region name, e.g. 'us-east-1'. When signing
+      #    with sigv4a, this should be a comma separated list of regions.
       #   @param [Credentials] :credentials Any object that responds to the following
       #     methods:
       #
@@ -102,7 +104,8 @@ module Aws
       #
       # @overload initialize(service:, region:, credentials_provider:, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
-      #   @param [String] :region The region name, e.g. 'us-east-1'.
+      #   @param [String] :region The region name, e.g. 'us-east-1'. When signing
+      #    with sigv4a, this should be a comma separated list of regions.
       #   @param [#credentials] :credentials_provider An object that responds
       #     to `#credentials`, returning an object that responds to the following
       #     methods:
@@ -127,8 +130,7 @@ module Aws
       #   every other AWS service as of late 2016.
       #
       # @option options [Symbol] :signing_algorithm (:sigv4) The
-      #   algorithm to use for signing.  :sigv4a is only supported when
-      #   `aws-crt` is available.
+      #   algorithm to use for signing.
       #
       # @option options [Boolean] :omit_session_token (false)
       #   (Supported only when `aws-crt` is available) If `true`,
@@ -136,8 +138,8 @@ module Aws
       #   but is treated as "unsigned" and does not contribute
       #   to the authorization signature.
       #
-      # @option options [Boolean] :normalize_path (true) (Supported only when `aws-crt` is available)
-      #   When `true`, the uri paths will be normalized when building the canonical request
+      # @option options [Boolean] :normalize_path (true) When `true`, the
+      #   uri paths will be normalized when building the canonical request.
       def initialize(options = {})
         @service = extract_service(options)
         @region = extract_region(options)
@@ -152,12 +154,6 @@ module Aws
         @normalize_path = options.fetch(:normalize_path, true)
         @omit_session_token = options.fetch(:omit_session_token, false)
 
-        if @signing_algorithm == :sigv4a && !Signer.use_crt?
-          raise ArgumentError, 'You are attempting to sign a' \
-' request with sigv4a which requires the `aws-crt` gem.'\
-' Please install the gem or add it to your gemfile.'
-        end
-
         if @signing_algorithm == 'sigv4-s3express'.to_sym &&
            Signer.use_crt? && Aws::Crt::GEM_VERSION <= '0.1.9'
           raise ArgumentError,
@@ -246,6 +242,7 @@ module Aws
 
         http_method = extract_http_method(request)
         url = extract_url(request)
+        Signer.normalize_path(url) if @normalize_path
         headers = downcase_headers(request[:headers])
 
         datetime = headers['x-amz-date']
@@ -258,7 +255,7 @@ module Aws
         sigv4_headers = {}
         sigv4_headers['host'] = headers['host'] || host(url)
         sigv4_headers['x-amz-date'] = datetime
-        if creds.session_token
+        if creds.session_token && !@omit_session_token
           if @signing_algorithm == 'sigv4-s3express'.to_sym
             sigv4_headers['x-amz-s3session-token'] = creds.session_token
           else
@@ -268,26 +265,45 @@ module Aws
 
         sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
 
+        if @signing_algorithm == :sigv4a && @region && !@region.empty?
+          sigv4_headers['x-amz-region-set'] = @region
+        end
         headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
 
+        algorithm = sts_algorithm
+
         # compute signature parts
         creq = canonical_request(http_method, url, headers, content_sha256)
-        sts = string_to_sign(datetime, creq)
-        sig = signature(creds.secret_access_key, date, sts)
+        sts = string_to_sign(datetime, creq, algorithm)
+
+        sig =
+          if @signing_algorithm == :sigv4a
+            asymmetric_signature(creds, sts)
+          else
+            signature(creds.secret_access_key, date, sts)
+          end
+
+        algorithm = sts_algorithm
 
         # apply signature
         sigv4_headers['authorization'] = [
-          "AWS4-HMAC-SHA256 Credential=#{credential(creds, date)}",
+          "#{algorithm} Credential=#{credential(creds, date)}",
           "SignedHeaders=#{signed_headers(headers)}",
           "Signature=#{sig}",
         ].join(', ')
 
+        # skip signing the session token, but include it in the headers
+        if creds.session_token && @omit_session_token
+          sigv4_headers['x-amz-security-token'] = creds.session_token
+        end
+
         # Returning the signature components.
         Signature.new(
           headers: sigv4_headers,
           string_to_sign: sts,
           canonical_request: creq,
-          content_sha256: content_sha256
+          content_sha256: content_sha256,
+          signature: sig
         )
       end
 
@@ -421,6 +437,7 @@ module Aws
 
         http_method = extract_http_method(options)
         url = extract_url(options)
+        Signer.normalize_path(url) if @normalize_path
 
         headers = downcase_headers(options[:headers])
         headers['host'] ||= host(url)
@@ -433,8 +450,10 @@ module Aws
         content_sha256 ||= options[:body_digest]
         content_sha256 ||= sha256_hexdigest(options[:body] || '')
 
+        algorithm = sts_algorithm
+
         params = {}
-        params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
+        params['X-Amz-Algorithm'] = algorithm
         params['X-Amz-Credential'] = credential(creds, date)
         params['X-Amz-Date'] = datetime
         params['X-Amz-Expires'] = presigned_url_expiration(options, expiration, Time.strptime(datetime, "%Y%m%dT%H%M%S%Z")).to_s
@@ -447,6 +466,10 @@ module Aws
         end
         params['X-Amz-SignedHeaders'] = signed_headers(headers)
 
+        if @signing_algorithm == :sigv4a && @region
+          params['X-Amz-Region-Set'] = @region
+        end
+
         params = params.map do |key, value|
           "#{uri_escape(key)}=#{uri_escape(value)}"
         end.join('&')
@@ -458,13 +481,23 @@ module Aws
         end
 
         creq = canonical_request(http_method, url, headers, content_sha256)
-        sts = string_to_sign(datetime, creq)
-        url.query += '&X-Amz-Signature=' + signature(creds.secret_access_key, date, sts)
+        sts = string_to_sign(datetime, creq, algorithm)
+        signature =
+          if @signing_algorithm == :sigv4a
+            asymmetric_signature(creds, sts)
+          else
+            signature(creds.secret_access_key, date, sts)
+          end
+        url.query += '&X-Amz-Signature=' + signature
         url
       end
 
       private
 
+      def sts_algorithm
+        @signing_algorithm == :sigv4a ? 'AWS4-ECDSA-P256-SHA256' : 'AWS4-HMAC-SHA256'
+      end
+
       def canonical_request(http_method, url, headers, content_sha256)
         [
           http_method,
@@ -476,9 +509,9 @@ module Aws
         ].join("\n")
       end
 
-      def string_to_sign(datetime, canonical_request)
+      def string_to_sign(datetime, canonical_request, algorithm)
         [
-          'AWS4-HMAC-SHA256',
+          algorithm,
           datetime,
           credential_scope(datetime[0,8]),
           sha256_hexdigest(canonical_request),
@@ -511,10 +544,10 @@ module Aws
       def credential_scope(date)
         [
           date,
-          @region,
+          (@region unless @signing_algorithm == :sigv4a),
           @service,
-          'aws4_request',
-        ].join('/')
+          'aws4_request'
+        ].compact.join('/')
       end
 
       def credential(credentials, date)
@@ -529,6 +562,16 @@ module Aws
         hexhmac(k_credentials, string_to_sign)
       end
 
+      def asymmetric_signature(creds, string_to_sign)
+        ec, _ = Aws::Sigv4::AsymmetricCredentials.derive_asymmetric_key(
+          creds.access_key_id, creds.secret_access_key
+        )
+        sts_digest = OpenSSL::Digest::SHA256.digest(string_to_sign)
+        s = ec.dsa_sign_asn1(sts_digest)
+
+        Digest.hexencode(s)
+      end
+
       # Comparing to original signature v4 algorithm,
       # returned signature is a binary string instread of
       # hex-encoded string. (Since ':chunk-signature' requires
@@ -896,6 +939,18 @@ module Aws
           end
         end
 
+        # @api private
+        def normalize_path(uri)
+          normalized_path = Pathname.new(uri.path).cleanpath.to_s
+          # Pathname is probably not correct to use. Empty paths will
+          # resolve to "." and should be disregarded
+          normalized_path = '' if normalized_path == '.'
+          # Ensure trailing slashes are correctly preserved
+          if uri.path.end_with?('/') && !normalized_path.end_with?('/')
+            normalized_path << '/'
+          end
+          uri.path = normalized_path
+        end
       end
     end
   end

data/lib/aws-sigv4.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'aws-sigv4/asymmetric_credentials'
 require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.8.0
+  version: 1.9.0
 platform: ruby
 authors:
 - Amazon Web Services
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-28 00:00:00.000000000 Z
+date: 2024-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-eventstream
@@ -32,7 +32,7 @@ dependencies:
         version: 1.0.2
 description: Amazon Web Services Signature Version 4 signing library. Generates sigv4
   signature for HTTP requests.
-email: 
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -41,6 +41,7 @@ files:
 - LICENSE.txt
 - VERSION
 - lib/aws-sigv4.rb
+- lib/aws-sigv4/asymmetric_credentials.rb
 - lib/aws-sigv4/credentials.rb
 - lib/aws-sigv4/errors.rb
 - lib/aws-sigv4/request.rb
@@ -52,7 +53,7 @@ licenses:
 metadata:
   source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4
   changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -67,8 +68,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: AWS Signature Version 4 library.
 test_files: []