aboutsummaryrefslogtreecommitdiff
path: root/lib/reqsign.c
diff options
context:
space:
mode:
authorSergey Poznyakoff <gray@gnu.org.ua>2014-07-09 13:01:57 +0300
committerSergey Poznyakoff <gray@gnu.org.ua>2014-07-09 23:20:17 +0300
commit131b6ab56cbec838346fd493f3fe96438e3b58e7 (patch)
tree1a30a33f6447fcbeba9810542121dc7003d3129a /lib/reqsign.c
parent7f40bb8674983f8e4fc11fbebe56f88daa812c1a (diff)
downloadeclat-131b6ab56cbec838346fd493f3fe96438e3b58e7.tar.gz
eclat-131b6ab56cbec838346fd493f3fe96438e3b58e7.tar.bz2
Implement signature version 4 signing process
* lib/libeclat.h (ec2_param) <encoded>: New member. (ec2_query) <signature>: Remove. <headers,region,access_key>: New members (eclat_query_create): Take two more arguments. All uses changed. (eclat_query_add_param_encoded) (eclat_query_add_header): New functions. * lib/q2url.c (eclat_query_to_url): Don't create Signature param: it is already in the param list (for v2 process). * lib/qaddparm.c (eclat_query_add_param_encoded): New function. (eclat_query_add_header): New function. * lib/qcreat.c (eclat_query_create): Take region and access key as additional parameters. * lib/qencode.c (encode_param): Skip parameters that have encoded set to true. * lib/reqsign.c (querysign2): Store access key in AWSAccessKeyId and the generated signature in the Signature parameters. (eclat_hex_encode): New function. (querysign4): Implement signature version 4 signing process. * src/ec2map.c: Update call to eclat_query_create. * src/eclat.c: Likewise. * src/util.c (eclat_send_query): Sign the query and add requested headers prior to sending. * doc/eclat.conf.5: Document signature-version. * NEWS: Likewise.
Diffstat (limited to 'lib/reqsign.c')
-rw-r--r--lib/reqsign.c230
1 files changed, 222 insertions, 8 deletions
diff --git a/lib/reqsign.c b/lib/reqsign.c
index d09b938..774f69b 100644
--- a/lib/reqsign.c
+++ b/lib/reqsign.c
@@ -52,6 +52,7 @@ querysign2(struct ec2_query *req, char *secret)
struct pname pn;
char *str;
char digest[SHA256_DIGEST_SIZE];
+ char *signature;
size_t siglen;
const char *verb;
char tsbuf[22];
@@ -60,6 +61,7 @@ querysign2(struct ec2_query *req, char *secret)
acc = grecs_txtacc_create();
/* Add default parameters */
+ eclat_query_add_param(req, "AWSAccessKeyId", req->access_key);
eclat_query_add_param(req, "SignatureMethod", "HmacSHA256");
eclat_query_add_param(req, "SignatureVersion", "2");
@@ -78,11 +80,11 @@ querysign2(struct ec2_query *req, char *secret)
qsort(pnames, n, sizeof(pnames[0]), compnames);
verb = (req->flags & EC2_QF_POST) ? "POST" : "GET";
- grecs_txtacc_grow(acc, verb, strlen(verb));
+ grecs_txtacc_grow_string(acc, verb);
grecs_txtacc_grow_char(acc, '\n');
- grecs_txtacc_grow(acc, req->endpoint, strlen(req->endpoint));
+ grecs_txtacc_grow_string(acc, req->endpoint);
grecs_txtacc_grow_char(acc, '\n');
- grecs_txtacc_grow(acc, req->uri, strlen(req->uri));
+ grecs_txtacc_grow_string(acc, req->uri);
grecs_txtacc_grow_char(acc, '\n');
/* Append a canonicalized query string */
@@ -95,10 +97,10 @@ querysign2(struct ec2_query *req, char *secret)
abort();
if (i != 0)
grecs_txtacc_grow_char(acc, '&');
- grecs_txtacc_grow(acc, p->name, strlen(p->name));
+ grecs_txtacc_grow_string(acc, p->name);
if (p->value) {
grecs_txtacc_grow_char(acc, '=');
- grecs_txtacc_grow(acc, p->value, strlen(p->value));
+ grecs_txtacc_grow_string(acc, p->value);
}
}
grecs_txtacc_grow_char(acc, 0);
@@ -107,8 +109,10 @@ querysign2(struct ec2_query *req, char *secret)
hmac_sha256(str, strlen(str), secret, strlen(secret), digest);
eclat_base64_encode((unsigned char *)digest, sizeof(digest),
- (unsigned char**) &req->signature, &siglen);
-
+ (unsigned char**) &signature, &siglen);
+ eclat_query_add_param_encoded(req, "Signature", signature);
+ free(signature);
+
grecs_txtacc_free(acc);
free(pnames);
@@ -119,10 +123,220 @@ querysign2(struct ec2_query *req, char *secret)
*/
}
+void
+eclat_hex_encode(unsigned char *input, size_t inlen,
+ char **poutput, size_t *poutlen)
+{
+ size_t l = inlen * 2;
+ char *p = grecs_malloc(l + 1);
+
+ *poutput = p;
+ *poutlen = l;
+
+ while (inlen--) {
+ static char xdig[] = "0123456789abcdef";
+ unsigned c = *input++;
+
+ *p++ = xdig[c >> 4];
+ *p++ = xdig[c & 0xf];
+ }
+}
+
+/* Ref. http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+ */
static void
querysign4(struct ec2_query *req, char *secret)
{
- abort();
+ char **pnames;
+ struct pname pn;
+ size_t i, n;
+ struct grecs_txtacc *acc;
+ char digest[SHA256_DIGEST_SIZE];
+ size_t siglen;
+ const char *verb;
+ char tsbuf[22];
+ time_t t;
+ char const *p;
+ char const *payload;
+ unsigned char *plhash = NULL;
+ size_t plsize = 0;
+ char *string_to_sign;
+ static char algostr[] = "AWS4-HMAC-SHA256";
+ static char termstr[] = "aws4_request";
+ char *canonical_req;
+ char *signed_headers;
+ char *credential;
+ char *signature;
+ struct sha256_ctx ctx;
+ char *service;
+ size_t service_len;
+
+ service = req->endpoint;
+ service_len = strcspn(service, ".");
+
+ /* Create text accumulator */
+ acc = grecs_txtacc_create();
+
+ /* Timestamp */
+ time(&t);
+ strftime(tsbuf, sizeof(tsbuf), "%Y%m%dT%H%M%SZ", gmtime(&t));
+
+ /* Build credential */
+ grecs_txtacc_grow_string(acc, req->access_key);
+ grecs_txtacc_grow_char(acc, '/');
+ grecs_txtacc_grow(acc, tsbuf, 8); /* %Y%m%d part only */
+ grecs_txtacc_grow_char(acc, '/');
+ grecs_txtacc_grow_string(acc, req->region);
+ grecs_txtacc_grow_char(acc, '/');
+ grecs_txtacc_grow(acc, service, service_len);
+ grecs_txtacc_grow_char(acc, '/');
+ grecs_txtacc_grow_string(acc, termstr);
+ grecs_txtacc_grow_char(acc, 0);
+ credential = grecs_txtacc_finish(acc, 0);
+
+ /* Signed headers */
+ grecs_txtacc_grow_string(acc, "host");
+ grecs_txtacc_grow_char(acc, 0);
+ signed_headers = grecs_txtacc_finish(acc, 0);
+
+ eclat_query_add_header(req, "Host", req->endpoint);
+ if (!(req->flags & EC2_QF_POST)) {
+ eclat_query_add_param(req, "X-Amz-Algorithm", algostr);
+ eclat_query_add_param(req, "X-Amz-Date", tsbuf);
+ eclat_query_add_param(req, "X-Amz-SignedHeaders",
+ signed_headers);
+ eclat_query_add_param(req, "X-Amz-Credential", credential);
+ }
+
+ /* Encode the query */
+ eclat_query_encode(req);
+
+ /* Collect and sort parameter names */
+ n = grecs_symtab_count_entries(req->params);
+ pnames = grecs_calloc(n, sizeof(pnames[0]));
+ pn.i = 0;
+ pn.a = pnames;
+ grecs_symtab_enumerate(req->params, get_param_name, &pn);
+ qsort(pnames, n, sizeof(pnames[0]), compnames);
+
+ /* Create a canonical request */
+ verb = (req->flags & EC2_QF_POST) ? "POST" : "GET";
+ grecs_txtacc_grow_string(acc, verb);
+ grecs_txtacc_grow_char(acc, '\n');
+ grecs_txtacc_grow_string(acc, req->uri);
+ grecs_txtacc_grow_char(acc, '\n');
+ /* Append a canonicalized query string */
+ for (i = 0; i < n; i++) {
+ struct ec2_param *p, key;
+
+ key.name = pnames[i];
+ p = grecs_symtab_lookup_or_install(req->params, &key, NULL);
+ if (!p)
+ abort();
+ if (i != 0)
+ grecs_txtacc_grow_char(acc, '&');
+ grecs_txtacc_grow_string(acc, p->name);
+ if (p->value) {
+ grecs_txtacc_grow_char(acc, '=');
+ grecs_txtacc_grow_string(acc, p->value);
+ }
+ }
+ grecs_txtacc_grow_char(acc, '\n');
+
+ /* CanonicalHeaders */
+ grecs_txtacc_grow_string(acc, "host:");
+ grecs_txtacc_grow_string(acc, req->endpoint);
+ grecs_txtacc_grow_char(acc, '\n');
+ /* end of headers */
+ grecs_txtacc_grow_char(acc, '\n');
+ /* Signed Headers */
+ grecs_txtacc_grow_string(acc, signed_headers);
+ grecs_txtacc_grow_char(acc, '\n');
+ /* Payload hash */
+ if (req->flags & EC2_QF_POST)
+ /* FIXME: payload = req->query */;
+ else
+ payload = "";
+
+ sha256_init_ctx(&ctx);
+ sha256_process_bytes(payload, strlen(payload), &ctx);
+ sha256_finish_ctx(&ctx, digest);
+
+ eclat_hex_encode((unsigned char *)digest, sizeof(digest),
+ &plhash, &plsize);
+ grecs_txtacc_grow(acc, plhash, plsize);
+ free(plhash);
+
+ grecs_txtacc_grow_char(acc, 0);
+ canonical_req = grecs_txtacc_finish(acc, 0);
+
+ sha256_init_ctx(&ctx);
+ sha256_process_bytes(canonical_req, strlen(canonical_req), &ctx);
+ sha256_finish_ctx(&ctx, digest);
+ eclat_hex_encode((unsigned char *)digest, sizeof(digest),
+ &canonical_req, &plsize);
+
+ /* Create a string to sign */
+ grecs_txtacc_grow_string(acc, algostr);
+ grecs_txtacc_grow_char(acc, '\n');
+ grecs_txtacc_grow_string(acc, tsbuf);
+ grecs_txtacc_grow_char(acc, '\n');
+ /* credential scope: */
+ grecs_txtacc_grow(acc, tsbuf, 8); /* %Y%m%d part only */
+ grecs_txtacc_grow_char(acc, '/');
+ grecs_txtacc_grow_string(acc, req->region);
+ grecs_txtacc_grow_char(acc, '/');
+ grecs_txtacc_grow(acc, service, service_len);
+ grecs_txtacc_grow_char(acc, '/');
+ grecs_txtacc_grow_string(acc, termstr);
+ grecs_txtacc_grow_char(acc, '\n');
+
+ /* hashed request */
+ grecs_txtacc_grow_string(acc, canonical_req);
+
+ grecs_txtacc_grow_char(acc, 0);
+ string_to_sign = grecs_txtacc_finish(acc, 0);
+
+ /* Derive a signing key */
+ grecs_txtacc_grow_string(acc, "AWS4");
+ grecs_txtacc_grow_string(acc, secret);
+ grecs_txtacc_grow_char(acc, 0);
+ p = grecs_txtacc_finish(acc, 0);
+
+ hmac_sha256(tsbuf, 8, p, strlen(p), digest);
+ hmac_sha256(req->region, strlen(req->region), digest, sizeof(digest),
+ digest);
+ hmac_sha256(service, service_len, digest, sizeof(digest),
+ digest);
+ hmac_sha256(termstr, strlen(termstr), digest, sizeof(digest),
+ digest);
+
+ /* Calculate the signature */
+ hmac_sha256(string_to_sign, strlen(string_to_sign),
+ digest, sizeof(digest),
+ digest);
+ eclat_hex_encode((unsigned char *)digest, sizeof(digest),
+ &signature, &plsize);
+
+ if (req->flags & EC2_QF_POST) {
+ /* Build authorization header */
+ grecs_txtacc_grow_string(acc, algostr);
+ grecs_txtacc_grow_string(acc, " Credential=");
+ grecs_txtacc_grow_string(acc, credential);
+ grecs_txtacc_grow_string(acc, ", SignedHeaders=");
+ grecs_txtacc_grow_string(acc, signed_headers);
+ grecs_txtacc_grow_string(acc, ", Signature=");
+ grecs_txtacc_grow_string(acc, signature);
+ grecs_txtacc_grow_char(acc, 0);
+ p = grecs_txtacc_finish(acc, 0);
+ eclat_query_add_header(req, "Authorization", p);
+ } else {
+ eclat_query_add_param(req, "X-Amz-Signature", signature);
+ }
+ free(signature);
+ grecs_txtacc_free(acc);
+ /* Encode the query */
+ eclat_query_encode(req);
}

Return to:

Send suggestions and report system problems to the System administrator.