@vizamodo/aws-sts-core 0.1.43 → 0.1.45
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/sts/issue.js +24 -3
- package/package.json +1 -1
package/dist/sts/issue.js
CHANGED
|
@@ -58,6 +58,27 @@ export async function issueAwsCredentials(input) {
|
|
|
58
58
|
const payloadHash = await sha256Hex(body);
|
|
59
59
|
// AWS Roles Anywhere requires base64-encoded DER (NO PEM markers, NO newlines)
|
|
60
60
|
const normalizedCert = certBase64.replace(/\s+/g, "");
|
|
61
|
+
// Extract certificate serial number (hex, uppercase) for Credential field
|
|
62
|
+
const certDer = base64ToArrayBuffer(normalizedCert);
|
|
63
|
+
// Extract certificate serial number from DER (ASN.1)
|
|
64
|
+
const derBytes = new Uint8Array(certDer);
|
|
65
|
+
// Very small ASN.1 parser: find first INTEGER after TBSCertificate
|
|
66
|
+
// Assumes standard X.509 v3 structure (safe for our controlled certs)
|
|
67
|
+
let offset = 0;
|
|
68
|
+
if (derBytes[offset++] !== 0x30)
|
|
69
|
+
throw new InternalError("invalid_cert_der");
|
|
70
|
+
offset += derBytes[offset] & 0x80 ? (derBytes[offset] & 0x7f) + 1 : 1;
|
|
71
|
+
if (derBytes[offset++] !== 0x30)
|
|
72
|
+
throw new InternalError("invalid_cert_der");
|
|
73
|
+
offset += derBytes[offset] & 0x80 ? (derBytes[offset] & 0x7f) + 1 : 1;
|
|
74
|
+
if (derBytes[offset++] !== 0x02)
|
|
75
|
+
throw new InternalError("invalid_cert_der");
|
|
76
|
+
const serialLength = derBytes[offset++];
|
|
77
|
+
const serialBytes = derBytes.slice(offset, offset + serialLength);
|
|
78
|
+
const certSerialHex = Array.from(serialBytes)
|
|
79
|
+
.map((b) => b.toString(16).padStart(2, "0"))
|
|
80
|
+
.join("")
|
|
81
|
+
.toUpperCase();
|
|
61
82
|
// 4. Tính toán Signature (CẦN Host trong Canonical Request)
|
|
62
83
|
const baseHeaders = {
|
|
63
84
|
"content-type": "application/json",
|
|
@@ -87,7 +108,7 @@ export async function issueAwsCredentials(input) {
|
|
|
87
108
|
"Content-Type": "application/json",
|
|
88
109
|
"X-Amz-Date": amzDate,
|
|
89
110
|
"X-Amz-X509": normalizedCert,
|
|
90
|
-
"Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${
|
|
111
|
+
"Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialHex}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
|
|
91
112
|
});
|
|
92
113
|
// 6. Execution (fetch)
|
|
93
114
|
try {
|
|
@@ -104,7 +125,7 @@ export async function issueAwsCredentials(input) {
|
|
|
104
125
|
` -H "Content-Type: application/json" \\`,
|
|
105
126
|
` -H "X-Amz-Date: ${amzDate}" \\`,
|
|
106
127
|
` -H "X-Amz-X509: ${normalizedCert}" \\`,
|
|
107
|
-
` -H "Authorization: AWS4-X509-ECDSA-SHA256 Credential=${
|
|
128
|
+
` -H "Authorization: AWS4-X509-ECDSA-SHA256 Credential=${certSerialHex}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}" \\`,
|
|
108
129
|
` -d '${body}'`
|
|
109
130
|
].join("\n");
|
|
110
131
|
console.error("[aws-rejected][LOCAL-CURL-COMMAND]", localCurlCommand);
|
|
@@ -141,7 +162,7 @@ export async function issueAwsCredentials(input) {
|
|
|
141
162
|
"Content-Type": "application/json",
|
|
142
163
|
"X-Amz-Date": amzDate,
|
|
143
164
|
"X-Amz-X509": normalizedCert,
|
|
144
|
-
"Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${
|
|
165
|
+
"Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialHex}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
|
|
145
166
|
}
|
|
146
167
|
});
|
|
147
168
|
throw new InternalError("aws_rejected");
|