aws_signing_helper

package
v1.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 12, 2023 License: Apache-2.0 Imports: 41 Imported by: 6

Documentation

Index

Constants

View Source 
const AwsSharedCredentialsFileEnvVarName = "AWS_SHARED_CREDENTIALS_FILE"
View Source 
const BufferSize = 49152
View Source 
const DEFAULT_TOKEN_TTL_SECONDS = "21600"
View Source 
const DefaultPort = 9911
View Source 
const EC2_METADATA_TOKEN_HEADER = "x-aws-ec2-metadata-token"
View Source 
const EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
View Source 
const LocalHostAddress = "127.0.0.1"
View Source 
const MAX_TOKENS = 256
View Source 
const REFRESHABLE_CRED_CODE = "Success"
View Source 
const REFRESHABLE_CRED_TYPE = "AWS-HMAC"
View Source 
const SECURITY_CREDENTIALS_RESOURCE_PATH = "/latest/meta-data/iam/security-credentials/"
View Source 
const TOKEN_RESOURCE_PATH = "/latest/api/token"
View Source 
const UpdateRefreshTime = time.Minute * time.Duration(5)
View Source 
const X_FORWARDED_FOR_HEADER = "X-Forwarded-For"

Variables

View Source 
var (
	// ErrUnsupportedHash is returned by Signer.Sign() when the provided hash
	// algorithm isn't supported.
	ErrUnsupportedHash = errors.New("unsupported hash algorithm")

	// Predefined system store names.
	// See: https://learn.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations
	SystemStoreNames = []string{
		"MY",
		"Root",
		"Trust",
		"CA",
	}
)
View Source 
var Debug bool = false
View Source 
var MAX_OBJECT_LIMIT int = 1000
View Source 
var PKCS11_TEST_VERSION int16 = 1
View Source 
var RefreshTime = time.Minute * time.Duration(5)

Functions

func AllIssuesHandlers added in v1.0.3 

func AllIssuesHandlers(cred *RefreshableCred, roleName string, opts *CredentialsOpts, signer Signer, signatureAlgorithm string) (http.HandlerFunc, http.HandlerFunc, http.HandlerFunc)

func BuildAuthorizationHeader 

func BuildAuthorizationHeader(request *http.Request, body io.ReadSeeker, signedHeadersString string, signature string, certificate *x509.Certificate, signerParams SignerParams) string

Builds the complete authorization header

func CheckValidToken added in v1.0.3 

func CheckValidToken(w http.ResponseWriter, r *http.Request) error

Helper function that checks to see whether the token provided in the request is valid

func CreateRequestSignFunction added in v1.0.5 

func CreateRequestSignFunction(signer crypto.Signer, signingAlgorithm string, certificate *x509.Certificate, certificateChain []*x509.Certificate) func(*request.Request)

func CreateStringToSign 

func CreateStringToSign(canonicalRequest string, signerParams SignerParams) string

Create the string to sign.

func FindTokenTTLSeconds added in v1.0.4 

func FindTokenTTLSeconds(r *http.Request) (string, error)

Helper function that finds a token's TTL in seconds

func GenerateToken added in v1.0.3 

func GenerateToken(length int) (string, error)

Generates a random string with the specified length

func GetCredentialsFileContents added in v1.0.3 

func GetCredentialsFileContents() ([]string, error)

Assume that the credentials file is located in the default path: `~/.aws/credentials`

func GetNewCredentialsFileContents added in v1.0.5 

func GetNewCredentialsFileContents(profileName string, readLines []string, cred *TemporaryCredential) []string

Function that will get the new conents of the credentials file after a refresh has been done

func GetPassword added in v1.1.0 

func GetPassword(ttyReadFile *os.File, ttyWriteFile *os.File, prompt string, parseErrMsg string) (string, error)

Prompts the user for their password

func GetWriteOnlyCredentialsFile added in v1.0.3 

func GetWriteOnlyCredentialsFile() (*os.File, error)

Assume that the credentials file exists already and open it for write operations that will overwrite the existing contents of the file

func InsertToken added in v1.0.3 

func InsertToken(token string, expirationTime time.Time) error

Removes the token that expires the earliest

func ReadCertificateBundleData 

func ReadCertificateBundleData(certificateBundleId string) ([]*x509.Certificate, error)

Reads certificate bundle data from a file, whose path is provided

func ReadPKCS12Data added in v1.1.0 

func ReadPKCS12Data(certificateId string) (certChain []*x509.Certificate, privateKey crypto.PrivateKey, err error)

Reads and parses a PKCS#12 file (which should contain an end-entity certificate, (optional) certificate chain, and the key associated with the end-entity certificate). The end-entity certificate will be the first certificate in the returned chain. This method assumes that there is exactly one certificate that doesn't issue any others within the container and treats that as the end-entity certificate. Also, the order of the other certificates in the chain aren't guaranteed (it's also not guaranteed that those certificates form a chain with the end-entity certificat either).

func ReadPrivateKeyData 

func ReadPrivateKeyData(privateKeyId string) (crypto.PrivateKey, error)

Load the private key referenced by `privateKeyId`.

func ReadPrivateKeyDataFromPEMBlock added in v1.1.0 

func ReadPrivateKeyDataFromPEMBlock(block *pem.Block) (key crypto.PrivateKey, err error)

Reads private key data from a *pem.Block.

func Serve added in v1.0.3 

func Serve(port int, credentialsOptions CredentialsOpts)

func Update added in v1.0.3 

func Update(credentialsOptions CredentialsOpts, profile string, once bool)

Updates credentials in the credentials file for the specified profile

func WriteTo added in v1.0.3 

func WriteTo(profileName string, readLines []string, cred *TemporaryCredential) error

Function to write existing credentials and newly-created credentials to a destination file

Types

type CertIdentifier added in v1.0.5 

type CertIdentifier struct {
	Subject         string
	Issuer          string
	SerialNumber    *big.Int
	SystemStoreName string // Only relevant in the case of Windows
}

type CertObjInfo added in v1.1.0 

type CertObjInfo struct {
	// contains filtered or unexported fields
}

In our list of certs, we want to remember the CKA_ID/CKA_LABEL too.

type CertificateContainer added in v1.0.5 

type CertificateContainer struct {
	// Certificate data
	Cert *x509.Certificate
	// Certificate URI (only populated in the case that the certificate is a PKCS#11 object)
	Uri string
}

func GetMatchingCerts added in v1.0.5 

func GetMatchingCerts(certIdentifier CertIdentifier) ([]CertificateContainer, error)

func GetMatchingPKCSCerts added in v1.1.0 

func GetMatchingPKCSCerts(uriStr string, lib string) (matchingCerts []CertificateContainer, err error)

Used to implement a cut-down version of `p11tool --list-certificates`.

type CertificateData 

type CertificateData struct {
	// Type for the key contained in the certificate.
	// Passed back to the `sign-string` command
	KeyType string `json:"keyType"`
	// Certificate, as base64-encoded DER; used in the `x-amz-x509`
	// header in the API request.
	CertificateData string `json:"certificateData"`
	// Serial number of the certificate. Used in the credential
	// field of the Authorization header
	SerialNumber string `json:"serialNumber"`
	// Supported signing algorithms based on the KeyType
	Algorithms []string `json:"supportedAlgorithms"`
}

Container for certificate data returned to the SDK as JSON.

func ReadCertificateData 

func ReadCertificateData(certificateId string) (CertificateData, error)

Load the certificate referenced by `certificateId` and extract details required by the SDK to construct the StringToSign.

type CredentialProcessOutput 

type CredentialProcessOutput struct {
	// This field should be hard-coded to 1 for now.
	Version int `json:"Version"`
	// AWS Access Key ID
	AccessKeyId string `json:"AccessKeyId"`
	// AWS Secret Access Key
	SecretAccessKey string `json:"SecretAccessKey"`
	// AWS Session Token for temporary credentials
	SessionToken string `json:"SessionToken"`
	// ISO8601 timestamp for when the credentials expire
	Expiration string `json:"Expiration"`
}

Container that adheres to the format of credential_process output as specified by AWS.

func GenerateCredentials 

func GenerateCredentials(opts *CredentialsOpts, signer Signer, signatureAlgorithm string) (CredentialProcessOutput, error)

Function to create session and generate credentials

type CredentialsOpts 

type CredentialsOpts struct {
	PrivateKeyId        string
	CertificateId       string
	CertificateBundleId string
	CertIdentifier      CertIdentifier
	RoleArn             string
	ProfileArnStr       string
	TrustAnchorArnStr   string
	SessionDuration     int
	Region              string
	Endpoint            string
	NoVerifySSL         bool
	WithProxy           bool
	Debug               bool
	Version             string
	LibPkcs11           string
	ReusePin            bool
}

type Endpoint added in v1.0.3 

type Endpoint struct {
	PortNum int
	Server  *http.Server
	TmpCred RefreshableCred
}

type FileSystemSigner added in v1.0.5 

type FileSystemSigner struct {
	PrivateKey crypto.PrivateKey
	// contains filtered or unexported fields
}

func (FileSystemSigner) Certificate added in v1.0.5 

func (fileSystemSigner FileSystemSigner) Certificate() (*x509.Certificate, error)

func (FileSystemSigner) CertificateChain added in v1.0.5 

func (fileSystemSigner FileSystemSigner) CertificateChain() ([]*x509.Certificate, error)

func (FileSystemSigner) Close added in v1.0.5 

func (fileSystemSigner FileSystemSigner) Close()

func (FileSystemSigner) Public added in v1.0.5 

func (fileSystemSigner FileSystemSigner) Public() crypto.PublicKey

func (FileSystemSigner) Sign added in v1.0.5 

func (fileSystemSigner FileSystemSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

type KeyObjInfo added in v1.1.0 

type KeyObjInfo struct {
	// contains filtered or unexported fields
}

In our list of keys, we want to remember the CKA_ID/CKA_LABEL too.

type PKCS11Signer added in v1.1.0 

type PKCS11Signer struct {
	// contains filtered or unexported fields
}

func (*PKCS11Signer) Certificate added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) Certificate() (cert *x509.Certificate, err error)

Gets the *x509.Certificate associated with this PKCS11Signer.

func (*PKCS11Signer) CertificateChain added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) CertificateChain() (certChain []*x509.Certificate, err error)

Gets the certificate chain associated with this PKCS11Signer.

func (*PKCS11Signer) Close added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) Close()

Closes this PKCS11Signer.

func (*PKCS11Signer) Public added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) Public() crypto.PublicKey

Returns the public key associated with this PKCS11Signer.

func (*PKCS11Signer) Sign added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

Implements the crypto.Signer interface and signs the passed in digest

type RefreshableCred added in v1.0.3 

type RefreshableCred struct {
	AccessKeyId     string
	SecretAccessKey string
	Token           string
	Code            string
	Type            string
	Expiration      time.Time
	LastUpdated     time.Time
}

type SessionToken added in v1.0.3 

type SessionToken struct {
	Expiration time.Time
}

type Signer 

type Signer interface {
	Public() crypto.PublicKey
	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
	Certificate() (certificate *x509.Certificate, err error)
	CertificateChain() (certificateChain []*x509.Certificate, err error)
	Close()
}

Interface that all signers will have to implement (as a result, they will also implement crypto.Signer)

func GetCertStoreSigner added in v1.0.5 

func GetCertStoreSigner(certIdentifier CertIdentifier) (signer Signer, signingAlgorithm string, err error)

func GetFileSystemSigner added in v1.0.5 

func GetFileSystemSigner(privateKey crypto.PrivateKey, certificate *x509.Certificate, certificateChain []*x509.Certificate) (signer Signer, signingAlgorithm string, err error)

Returns a FileSystemSigner, that signs a payload using the private key passed in

func GetPKCS11Signer added in v1.1.0 

func GetPKCS11Signer(libPkcs11 string, cert *x509.Certificate, certChain []*x509.Certificate, privateKeyId string, certificateId string, reusePin bool) (signer Signer, signingAlgorithm string, err error)

Given an optional certificate either as *x509.Certificate (because it was already found in a file) or as a PKCS#11 URI, and an optional private key PKCS#11 URI, return a PKCS11Signer that can be used to sign a payload through a PKCS#11-compatible cryptographic device.

func GetSigner added in v1.0.5 

func GetSigner(opts *CredentialsOpts) (signer Signer, signatureAlgorithm string, err error)

Gets the Signer based on the flags passed in by the user (from which the CredentialsOpts structure is derived)

type SignerParams 

type SignerParams struct {
	OverriddenDate   time.Time
	RegionName       string
	ServiceName      string
	SigningAlgorithm string
}

func (*SignerParams) GetFormattedShortSigningDateTime 

func (signerParams *SignerParams) GetFormattedShortSigningDateTime() string

Obtain the short date-time, formatted as specified by SigV4

func (*SignerParams) GetFormattedSigningDateTime 

func (signerParams *SignerParams) GetFormattedSigningDateTime() string

Obtain the date-time, formatted as specified by SigV4

func (*SignerParams) GetScope 

func (signerParams *SignerParams) GetScope() string

Obtain the scope as part of the SigV4-X509 signature

type SlotIdInfo added in v1.1.0 

type SlotIdInfo struct {
	// contains filtered or unexported fields
}

Used to enumerate slots with all token/slot info for matching.

type TemporaryCredential added in v1.0.3 

type TemporaryCredential struct {
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
}

Structure to contain a temporary credential

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.