@smithy/signature-v4a 3.0.1

package/dist-es/SignatureV4a.js

@@ -0,0 +1,63 @@
+import { ALGORITHM_IDENTIFIER_V4A, AMZ_DATE_HEADER, AUTH_HEADER, SHA256_HEADER, TOKEN_HEADER, } from "@smithy/signature-v4";
+import { getCanonicalHeaders } from "@smithy/signature-v4";
+import { getPayloadHash } from "@smithy/signature-v4";
+import { hasHeader } from "@smithy/signature-v4";
+import { prepareRequest } from "@smithy/signature-v4";
+import { SignatureV4Base } from "@smithy/signature-v4";
+import { toHex } from "@smithy/util-hex-encoding";
+import { toUint8Array } from "@smithy/util-utf8";
+import { REGION_HEADER } from "./constants";
+import { createSigV4aScope, getSigV4aSigningKey } from "./credentialDerivation";
+import { Ec } from "./elliptic/Ec";
+export class SignatureV4a extends SignatureV4Base {
+    constructor({ applyChecksum, credentials, region, service, sha256, uriEscapePath = true, }) {
+        super({
+            applyChecksum,
+            credentials,
+            region,
+            service,
+            sha256,
+            uriEscapePath,
+        });
+    }
+    async sign(toSign, options) {
+        return this.signRequest(toSign, options);
+    }
+    async signRequest(requestToSign, { signingDate = new Date(), signableHeaders, unsignableHeaders, signingRegion, signingService, } = {}) {
+        const credentials = await this.credentialProvider();
+        this.validateResolvedCredentials(credentials);
+        const region = signingRegion ?? (await this.regionProvider());
+        const request = prepareRequest(requestToSign);
+        const { longDate, shortDate } = this.formatDate(signingDate);
+        const scope = createSigV4aScope(shortDate, signingService ?? this.service);
+        const pKey = await getSigV4aSigningKey(this.sha256, credentials.accessKeyId, credentials.secretAccessKey);
+        request.headers[AMZ_DATE_HEADER] = longDate;
+        if (credentials.sessionToken) {
+            request.headers[TOKEN_HEADER] = credentials.sessionToken;
+        }
+        request.headers[REGION_HEADER] = region;
+        const payloadHash = await getPayloadHash(request, this.sha256);
+        if (!hasHeader(SHA256_HEADER, request.headers) && this.applyChecksum) {
+            request.headers[SHA256_HEADER] = payloadHash;
+        }
+        const canonicalHeaders = getCanonicalHeaders(request, unsignableHeaders, signableHeaders);
+        const canonicalRequest = this.createCanonicalRequest(request, canonicalHeaders, payloadHash);
+        const stringToSign = await this.createStringToSign(longDate, scope, canonicalRequest, ALGORITHM_IDENTIFIER_V4A);
+        const signature = await this.getSignature(pKey, stringToSign);
+        request.headers[AUTH_HEADER] =
+            `${ALGORITHM_IDENTIFIER_V4A} ` +
+                `Credential=${credentials.accessKeyId}/${scope}, ` +
+                `SignedHeaders=${this.getCanonicalHeaderList(canonicalHeaders)}, ` +
+                `Signature=${signature}`;
+        return request;
+    }
+    async getSignature(privateKey, stringToSign) {
+        const ecdsa = new Ec("p256");
+        const key = ecdsa.keyFromPrivate(privateKey);
+        const hash = new this.sha256();
+        hash.update(toUint8Array(stringToSign));
+        const hashResult = await hash.digest();
+        const signature = key.sign(hashResult);
+        return toHex(new Uint8Array(signature.toDER()));
+    }
+}

package/dist-es/constants.js

@@ -0,0 +1,8 @@
+import { REGION_SET_PARAM } from "@smithy/signature-v4";
+export const REGION_HEADER = REGION_SET_PARAM.toLowerCase();
+export const ONE_AS_4_BYTES = [0x00, 0x00, 0x00, 0x01];
+export const TWOFIFTYSIX_AS_4_BYTES = [0x00, 0x00, 0x01, 0x00];
+export const N_MINUS_TWO = [
+    0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xbc, 0xe6, 0xfa,
+    0xad, 0xa7, 0x17, 0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x4f,
+];

package/dist-es/credentialDerivation.js

@@ -0,0 +1,81 @@
+import { ALGORITHM_IDENTIFIER_V4A, KEY_TYPE_IDENTIFIER } from "@smithy/signature-v4";
+import { toUint8Array } from "@smithy/util-utf8";
+import { N_MINUS_TWO, ONE_AS_4_BYTES, TWOFIFTYSIX_AS_4_BYTES } from "./constants";
+const signingKeyCache = {};
+const cacheQueue = [];
+export const createSigV4aScope = (shortDate, service) => `${shortDate}/${service}/${KEY_TYPE_IDENTIFIER}`;
+export const clearCredentialCache = () => {
+    cacheQueue.length = 0;
+    Object.keys(signingKeyCache).forEach((cacheKey) => {
+        delete signingKeyCache[cacheKey];
+    });
+};
+export const getSigV4aSigningKey = async (sha256, accessKey, secretKey) => {
+    let outputBufferWriter = "";
+    const maxTrials = 254;
+    const aws4ALength = 5;
+    const inputKeyLength = aws4ALength + secretKey.length;
+    const inputKeyBuf = inputKeyLength <= 64 ? new Uint8Array(64) : new Uint8Array(inputKeyLength);
+    const aws4aArray = "AWS4A".split("");
+    for (let index = 0; index < aws4aArray.length; index++) {
+        inputKeyBuf[index] = aws4aArray[index].charCodeAt(0);
+    }
+    const secretKeyArray = secretKey.split("");
+    for (let index = 0; index < secretKeyArray.length; index++) {
+        inputKeyBuf[aws4aArray.length + index] = secretKeyArray[index].charCodeAt(0);
+    }
+    let trial = 1;
+    while (trial < maxTrials) {
+        outputBufferWriter = buildFixedInputBuffer(outputBufferWriter, accessKey, trial);
+        const secretKey = inputKeyBuf.subarray(0, inputKeyLength);
+        const hash = new sha256(secretKey);
+        const hashVal = toUint8Array(outputBufferWriter);
+        hash.update(hashVal);
+        const hashedOutput = await hash.digest();
+        if (isBiggerThanNMinus2(hashedOutput)) {
+            trial++;
+            continue;
+        }
+        return addOneToArray(hashedOutput);
+    }
+    throw new Error("Cannot derive signing key: number of maximum trials exceeded.");
+};
+export const buildFixedInputBuffer = (bufferInput, accessKey, counter) => {
+    let outputBuffer = bufferInput;
+    outputBuffer += ONE_AS_4_BYTES.map((value) => String.fromCharCode(value)).join("");
+    outputBuffer += ALGORITHM_IDENTIFIER_V4A;
+    outputBuffer += String.fromCharCode(0x00);
+    outputBuffer += accessKey;
+    outputBuffer += String.fromCharCode(counter);
+    outputBuffer += TWOFIFTYSIX_AS_4_BYTES.map((value) => String.fromCharCode(value)).join("");
+    return outputBuffer;
+};
+export const isBiggerThanNMinus2 = (value) => {
+    for (let index = 0; index < value.length; index++) {
+        if (value[index] > N_MINUS_TWO[index]) {
+            return true;
+        }
+        else if (value[index] < N_MINUS_TWO[index]) {
+            return false;
+        }
+    }
+    return false;
+};
+export const addOneToArray = (value) => {
+    const output = new Uint8Array(32);
+    let carry = 1;
+    for (let index = value.length - 1; index >= 0; index--) {
+        const newValueAtIndex = (value[index] + carry) % 256;
+        if (newValueAtIndex < value[index]) {
+            carry = 1;
+        }
+        else {
+            carry = 0;
+        }
+        output[index] = newValueAtIndex;
+    }
+    if (carry !== 0) {
+        return new Uint8Array([carry, ...output]);
+    }
+    return output;
+};