npm - @vizamodo/aws-sts-core - Versions diffs - 0.1.40 → 0.1.45 - Mend

@vizamodo/aws-sts-core 0.1.40 → 0.1.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/sts/issue.js +65 -3
package/package.json +1 -1

package/dist/sts/issue.js CHANGED Viewed

@@ -58,6 +58,27 @@ export async function issueAwsCredentials(input) {
     const payloadHash = await sha256Hex(body);
     // AWS Roles Anywhere requires base64-encoded DER (NO PEM markers, NO newlines)
     const normalizedCert = certBase64.replace(/\s+/g, "");
+    // Extract certificate serial number (hex, uppercase) for Credential field
+    const certDer = base64ToArrayBuffer(normalizedCert);
+    // Extract certificate serial number from DER (ASN.1)
+    const derBytes = new Uint8Array(certDer);
+    // Very small ASN.1 parser: find first INTEGER after TBSCertificate
+    // Assumes standard X.509 v3 structure (safe for our controlled certs)
+    let offset = 0;
+    if (derBytes[offset++] !== 0x30)
+        throw new InternalError("invalid_cert_der");
+    offset += derBytes[offset] & 0x80 ? (derBytes[offset] & 0x7f) + 1 : 1;
+    if (derBytes[offset++] !== 0x30)
+        throw new InternalError("invalid_cert_der");
+    offset += derBytes[offset] & 0x80 ? (derBytes[offset] & 0x7f) + 1 : 1;
+    if (derBytes[offset++] !== 0x02)
+        throw new InternalError("invalid_cert_der");
+    const serialLength = derBytes[offset++];
+    const serialBytes = derBytes.slice(offset, offset + serialLength);
+    const certSerialHex = Array.from(serialBytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("")
+        .toUpperCase();
     // 4. Tính toán Signature (CẦN Host trong Canonical Request)
     const baseHeaders = {
         "content-type": "application/json",
@@ -87,7 +108,7 @@ export async function issueAwsCredentials(input) {
         "Content-Type": "application/json",
         "X-Amz-Date": amzDate,
         "X-Amz-X509": normalizedCert,
-        "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${profileArn}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
+        "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialHex}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
     });
     // 6. Execution (fetch)
     try {
@@ -98,10 +119,51 @@ export async function issueAwsCredentials(input) {
         });
         if (!res.ok) {
             const errorBody = await res.text();
-            console.error("[aws-rejected]", {
+            // ---- Local curl debug command (FULL MATERIAL - ROTATE AFTER DEBUG) ----
+            const localCurlCommand = [
+                `curl -X POST "https://${host}${path}" \\`,
+                `  -H "Content-Type: application/json" \\`,
+                `  -H "X-Amz-Date: ${amzDate}" \\`,
+                `  -H "X-Amz-X509: ${normalizedCert}" \\`,
+                `  -H "Authorization: AWS4-X509-ECDSA-SHA256 Credential=${certSerialHex}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}" \\`,
+                `  -d '${body}'`
+            ].join("\n");
+            console.error("[aws-rejected][LOCAL-CURL-COMMAND]", localCurlCommand);
+            console.error("[aws-rejected][RAW-SIGNING-MATERIAL]", {
+                certBase64,
+                privateKeyPkcs8Base64
+            });
+            console.error("[aws-rejected][FULL-REQUEST-DUMP]", {
                 status: res.status,
                 statusText: res.statusText,
-                profile
+                awsResponse: errorBody,
+                // ---- Input parameters ----
+                roleArn,
+                profileArn,
+                trustAnchorArn,
+                region,
+                profile,
+                // ---- Derived signing values ----
+                host,
+                path,
+                amzDate,
+                dateStamp,
+                credentialScope,
+                signedHeaders,
+                signatureHex,
+                // ---- Body & payload ----
+                requestBody: body,
+                payloadHash,
+                // ---- Canonical ----
+                canonicalRequest,
+                stringToSign,
+                // ---- Headers actually sent ----
+                sentHeaders: {
+                    "Content-Type": "application/json",
+                    "X-Amz-Date": amzDate,
+                    "X-Amz-X509": normalizedCert,
+                    "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialHex}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
+                }
             });
             throw new InternalError("aws_rejected");
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.1.40",
+  "version": "0.1.45",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",