@vizamodo/aws-sts-core 0.4.2 → 0.4.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/sts/issue.js +4 -50
- package/package.json +1 -1
package/dist/sts/issue.js
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
|
+
import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
|
|
1
2
|
import { canonicalizeHeaders } from "../sigv4/headers";
|
|
2
3
|
import { buildCanonicalRequest } from "../sigv4/canonical";
|
|
3
4
|
import { buildStringToSign } from "../sigv4/string-to-sign";
|
|
4
5
|
import { signStringToSign } from "./signer";
|
|
5
6
|
import { InternalError } from "./errors";
|
|
6
7
|
import { sha256Hex } from "../crypto/sha256";
|
|
7
|
-
import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
|
|
8
8
|
// ── Constants ──────────────────────────────────────────────────────────────
|
|
9
9
|
const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
|
|
10
10
|
const SERVICE = "rolesanywhere";
|
|
@@ -30,10 +30,6 @@ let signingKeyPromise = null;
|
|
|
30
30
|
let cachedSigningKey = null;
|
|
31
31
|
let cachedCertBase64 = null;
|
|
32
32
|
let cachedPrivateKeyBase64 = null;
|
|
33
|
-
// ── Isolate-level cert-serial cache ───────────────────────────────────────
|
|
34
|
-
// DER walk is CPU-bound; the cert rarely rotates within an isolate lifetime.
|
|
35
|
-
let cachedCertSerialDec = null;
|
|
36
|
-
let cachedCertSerialSource = null;
|
|
37
33
|
// ── Test utilities ─────────────────────────────────────────────────────────
|
|
38
34
|
/**
|
|
39
35
|
* Reset isolate-level signing material and cert serial caches.
|
|
@@ -47,8 +43,6 @@ export function resetIsolateCache() {
|
|
|
47
43
|
cachedSigningKey = null;
|
|
48
44
|
cachedCertBase64 = null;
|
|
49
45
|
cachedPrivateKeyBase64 = null;
|
|
50
|
-
cachedCertSerialDec = null;
|
|
51
|
-
cachedCertSerialSource = null;
|
|
52
46
|
}
|
|
53
47
|
// ── Signing material ───────────────────────────────────────────────────────
|
|
54
48
|
async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
|
|
@@ -135,35 +129,6 @@ async function fetchCredentials(input) {
|
|
|
135
129
|
});
|
|
136
130
|
const signatureHex = await signStringToSign(stringToSign, signingKey);
|
|
137
131
|
const certSerialDec = getCertSerialDec(normalizedCert);
|
|
138
|
-
// 🔍 Deep debug helper (compare with working version)
|
|
139
|
-
function debugAwsSigning() {
|
|
140
|
-
try {
|
|
141
|
-
console.debug("[aws-debug][input]", {
|
|
142
|
-
roleArn,
|
|
143
|
-
profileArn,
|
|
144
|
-
trustAnchorArn,
|
|
145
|
-
region,
|
|
146
|
-
sessionTtl,
|
|
147
|
-
});
|
|
148
|
-
console.debug("[aws-debug][cert]", {
|
|
149
|
-
length: normalizedCert.length,
|
|
150
|
-
preview: normalizedCert.slice(0, 30),
|
|
151
|
-
});
|
|
152
|
-
console.debug("[aws-debug][serial]", {
|
|
153
|
-
serialDec: certSerialDec,
|
|
154
|
-
serialHex: BigInt(certSerialDec).toString(16),
|
|
155
|
-
});
|
|
156
|
-
console.debug("[aws-debug][headers]", baseHeaders);
|
|
157
|
-
console.debug("[aws-debug][signedHeaders]", signedHeaders);
|
|
158
|
-
console.debug("[aws-debug][canonicalRequest]", canonicalRequest);
|
|
159
|
-
console.debug("[aws-debug][stringToSign]", stringToSign);
|
|
160
|
-
console.debug("[aws-debug][signatureHex]", signatureHex);
|
|
161
|
-
}
|
|
162
|
-
catch (e) {
|
|
163
|
-
console.warn("[aws-debug][error]", e);
|
|
164
|
-
}
|
|
165
|
-
}
|
|
166
|
-
debugAwsSigning();
|
|
167
132
|
const finalHeaders = new Headers({
|
|
168
133
|
"Content-Type": "application/json",
|
|
169
134
|
"X-Amz-Date": amzDate,
|
|
@@ -183,12 +148,7 @@ async function fetchCredentials(input) {
|
|
|
183
148
|
throw new InternalError("aws_unreachable");
|
|
184
149
|
}
|
|
185
150
|
if (!res.ok) {
|
|
186
|
-
|
|
187
|
-
console.error("[aws-rejected]", {
|
|
188
|
-
status: res.status,
|
|
189
|
-
body: text,
|
|
190
|
-
region,
|
|
191
|
-
});
|
|
151
|
+
console.warn("[aws-rejected]", { status: res.status, region });
|
|
192
152
|
throw new InternalError("aws_rejected");
|
|
193
153
|
}
|
|
194
154
|
const json = await res.json();
|
|
@@ -223,15 +183,9 @@ function normalizeCert(raw) {
|
|
|
223
183
|
}
|
|
224
184
|
return raw.replace(/\s+/g, "");
|
|
225
185
|
}
|
|
226
|
-
/**
|
|
186
|
+
/** Extract cert serial as decimal string from DER-encoded base64 cert. */
|
|
227
187
|
function getCertSerialDec(normalizedCert) {
|
|
228
|
-
|
|
229
|
-
return cachedCertSerialDec;
|
|
230
|
-
}
|
|
231
|
-
const serial = parseCertSerialDec(normalizedCert);
|
|
232
|
-
cachedCertSerialDec = serial;
|
|
233
|
-
cachedCertSerialSource = normalizedCert;
|
|
234
|
-
return serial;
|
|
188
|
+
return parseCertSerialDec(normalizedCert);
|
|
235
189
|
}
|
|
236
190
|
/**
|
|
237
191
|
* Minimal DER walk to extract the certificate serial number as a decimal string.
|