npm - @vizamodo/aws-sts-core - Versions diffs - 0.1.23 → 0.1.30 - Mend

@vizamodo/aws-sts-core 0.1.23 → 0.1.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/sts/issue.js CHANGED Viewed

@@ -42,49 +42,39 @@ function resolveSessionTtlByProfile(profile) {
  */
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, } = input;
-    if (!roleArn || !profileArn || !trustAnchorArn || !region) {
-        throw new InternalError("missing_aws_configuration");
-    }
-    const sessionTtl = resolveSessionTtlByProfile(profile);
-    const signingMaterial = await getSigningMaterial({
-        certBase64,
-        privateKeyPkcs8Base64,
-    });
-    const signingKey = signingMaterial.signingKey;
-    const method = "POST";
-    const service = "rolesanywhere";
+    // 1. Kiểm tra đầu vào & Fix TTL an toàn
+    // AWS mặc định chỉ cho phép 3600s, hãy fix cứng 1h để loại trừ lỗi IAM
+    const sessionTtl = Math.min(resolveSessionTtlByProfile(profile), 3600);
+    const { signingKey } = await getSigningMaterial({ certBase64, privateKeyPkcs8Base64 });
+    // 2. Setup constants
     const host = `rolesanywhere.${region}.amazonaws.com`;
     const path = "/sessions";
     const now = new Date();
-    const amzDate = now
-        .toISOString()
-        .replace(/\.\d{3}Z$/, "Z")
-        .replace(/[:-]/g, "");
+    const amzDate = now.toISOString().replace(/\.\d{3}Z$/, "Z").replace(/[:-]/g, "");
     const dateStamp = amzDate.slice(0, 8);
-    const body = JSON.stringify({
-        trustAnchorArn,
-        profileArn,
-        roleArn,
-        durationSeconds: sessionTtl,
-    });
+    const service = "rolesanywhere";
+    // 3. Chuẩn bị Body & Cert (base64-encoded DER, không marker, không xuống dòng)
+    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
     const payloadHash = await sha256Hex(body);
-    const pemCert = toPemCertificate(certBase64);
+    // AWS Roles Anywhere requires base64-encoded DER (NO PEM markers, NO newlines)
+    const normalizedCert = certBase64.replace(/\s+/g, "");
+    // 4. Tính toán Signature (CẦN Host trong Canonical Request)
     const baseHeaders = {
-        host,
         "content-type": "application/json",
+        "host": host,
         "x-amz-date": amzDate,
-        "x-amz-x509-chain": pemCert,
+        "x-amz-x509-chain": normalizedCert,
     };
     const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
+    const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
     const canonicalRequest = buildCanonicalRequest({
-        method,
+        method: "POST",
         canonicalUri: path,
         query: "",
         canonicalHeaders,
         signedHeaders,
         payloadHash,
     });
-    const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
     const stringToSign = buildStringToSign({
         algorithm: "AWS4-X509-ECDSA-SHA256",
         amzDate,
@@ -92,56 +82,46 @@ export async function issueAwsCredentials(input) {
         canonicalRequestHash: await sha256Hex(canonicalRequest),
     });
     const signatureHex = await signStringToSign(stringToSign, signingKey);
-    const authorization = `AWS4-X509-ECDSA-SHA256 ` +
-        `Credential=${roleArn}/${credentialScope}, ` +
-        `SignedHeaders=${signedHeaders}, ` +
-        `Signature=${signatureHex}`;
-    const headers = {
-        ...baseHeaders,
-        Authorization: authorization,
-    };
-    let res;
+    // 5. Build Headers gửi đi (KHÔNG gửi Host header thủ công trong fetch)
+    const finalHeaders = new Headers({
+        "Content-Type": "application/json",
+        "X-Amz-Date": amzDate,
+        "X-Amz-X509-Chain": normalizedCert,
+        "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${roleArn}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
+    });
+    // 6. Execution (fetch)
     try {
-        res = await fetch(`https://${host}${path}`, {
-            method,
-            headers,
+        const res = await fetch(`https://${host}${path}`, {
+            method: "POST",
+            headers: finalHeaders,
             body,
         });
+        if (!res.ok) {
+            const errorBody = await res.text();
+            // Log cực kỳ chi tiết để soi Signature của AWS vs của mình
+            console.error("[aws-rejected]", {
+                status: res.status,
+                awsResponse: errorBody,
+                myCanonicalRequest: canonicalRequest, // Copy cái này ra so với AWS
+            });
+            throw new InternalError("aws_rejected");
+        }
+        const json = await res.json();
+        const creds = json?.credentialSet?.[0]?.credentials;
+        return {
+            accessKeyId: creds.accessKeyId,
+            secretAccessKey: creds.secretAccessKey,
+            sessionToken: creds.sessionToken,
+            expiration: creds.expiration,
+        };
     }
-    catch {
+    catch (e) {
+        if (e instanceof InternalError)
+            throw e;
         throw new InternalError("aws_unreachable");
     }
-    if (!res.ok) {
-        throw new InternalError("aws_rejected");
-    }
-    let json;
-    try {
-        json = await res.json();
-    }
-    catch {
-        throw new InternalError("invalid_aws_response");
-    }
-    const creds = json?.credentialSet?.[0]?.credentials;
-    if (!creds?.accessKeyId ||
-        !creds?.secretAccessKey ||
-        !creds?.sessionToken ||
-        !creds?.expiration) {
-        throw new InternalError("malformed_aws_credentials");
-    }
-    return {
-        accessKeyId: creds.accessKeyId,
-        secretAccessKey: creds.secretAccessKey,
-        sessionToken: creds.sessionToken,
-        expiration: creds.expiration,
-    };
 }
 // ---- helpers ----
-function toPemCertificate(base64) {
-    // Loại bỏ mọi khoảng trắng/xuống dòng trong base64
-    const normalized = base64.replace(/\s+/g, "");
-    // AWS Roles Anywhere Header: Không được dùng xuống dòng \n
-    return `-----BEGIN CERTIFICATE-----${normalized}-----END CERTIFICATE-----`;
-}
 async function sha256Hex(input) {
     const data = new TextEncoder().encode(input);
     const hash = await crypto.subtle.digest("SHA-256", data);

package/dist/sts/signer.js CHANGED Viewed

@@ -10,54 +10,55 @@ import { InternalError } from "./errors";
 export async function signStringToSign(stringToSign, signingKey) {
     try {
         const data = new TextEncoder().encode(stringToSign);
-        const signatureRaw = await crypto.subtle.sign({
+        const signature = await crypto.subtle.sign({
             name: "ECDSA",
             hash: "SHA-256",
         }, signingKey, data);
-        // WebCrypto trả về 64 bytes (R và S)
-        // Cần convert sang DER format cho AWS
-        const derSignature = rawToDer(new Uint8Array(signatureRaw));
+        const derSignature = rawEcdsaToDer(new Uint8Array(signature));
         return uint8ArrayToHex(derSignature);
     }
-    catch (e) {
-        console.error("[SIGNING_DEBUG]", e);
+    catch {
         throw new InternalError("signing_failed");
     }
 }
 /**
- * Convert IEEE P1363 (Raw) ECDSA signature to ASN.1 DER
+ * Convert WebCrypto ECDSA signature (IEEE P1363 raw format: r||s)
+ * to DER-encoded ASN.1 sequence required by AWS (SigV4 X.509 ECDSA).
  */
-function rawToDer(raw) {
-    const r = raw.slice(0, 32);
-    const s = raw.slice(32);
-    const toAsn1Int = (bytes) => {
-        // Loại bỏ các byte 0 ở đầu
-        let start = 0;
-        while (start < bytes.length - 1 && bytes[start] === 0)
-            start++;
-        let payload = bytes.slice(start);
-        // Nếu bit cao nhất là 1, phải thêm 0x00 để không bị hiểu lầm là số âm
-        if (payload[0] > 0x7f) {
-            const padded = new Uint8Array(payload.length + 1);
-            padded.set(payload, 1);
-            return padded;
+function rawEcdsaToDer(raw) {
+    if (raw.length % 2 !== 0) {
+        throw new InternalError("invalid_raw_signature_length");
+    }
+    const len = raw.length / 2;
+    const r = raw.slice(0, len);
+    const s = raw.slice(len);
+    const encodeInt = (bytes) => {
+        // Remove leading zeros
+        let i = 0;
+        while (i < bytes.length - 1 && bytes[i] === 0)
+            i++;
+        let v = bytes.slice(i);
+        // If high bit is set, prepend 0x00 to indicate positive integer
+        if (v[0] & 0x80) {
+            const extended = new Uint8Array(v.length + 1);
+            extended[0] = 0;
+            extended.set(v, 1);
+            v = extended;
         }
-        return payload;
+        const result = new Uint8Array(2 + v.length);
+        result[0] = 0x02; // INTEGER tag
+        result[1] = v.length;
+        result.set(v, 2);
+        return result;
     };
-    const rAsn1 = toAsn1Int(r);
-    const sAsn1 = toAsn1Int(s);
-    const length = rAsn1.length + sAsn1.length + 4;
-    const der = new Uint8Array(length + 2);
-    der[0] = 0x30; // Sequence
-    der[1] = length;
-    let offset = 2;
-    der[offset++] = 0x02; // Integer tag
-    der[offset++] = rAsn1.length;
-    der.set(rAsn1, offset);
-    offset += rAsn1.length;
-    der[offset++] = 0x02; // Integer tag
-    der[offset++] = sAsn1.length;
-    der.set(sAsn1, offset);
+    const rDer = encodeInt(r);
+    const sDer = encodeInt(s);
+    const sequenceLen = rDer.length + sDer.length;
+    const der = new Uint8Array(2 + sequenceLen);
+    der[0] = 0x30; // SEQUENCE tag
+    der[1] = sequenceLen;
+    der.set(rDer, 2);
+    der.set(sDer, 2 + rDer.length);
     return der;
 }
 /**

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.1.23",
+  "version": "0.1.30",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",