aws_signing_helper

package
v1.0.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 25, 2023 License: Apache-2.0 Imports: 36 Imported by: 7

Documentation

Index

Constants

View Source 
const (
	WIN_FALSE C.WINBOOL = 0

	// ERROR_SUCCESS — The call succeeded
	ERROR_SUCCESS = 0x00000000

	// NTE_BAD_ALGID — Invalid algorithm specified
	NTE_BAD_ALGID = 0x80090008

	// WIN_API_FLAG specifies the flags that should be passed to
	// CryptAcquireCertificatePrivateKey. This impacts whether the CryptoAPI or CNG
	// API will be used.
	//
	// Possible values are:
	//
	//	0x00000000 —                                      — Only use CryptoAPI.
	//	0x00010000 — CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG  — Prefer CryptoAPI.
	//	0x00020000 — CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG — Prefer CNG.
	//	0x00040000 — CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG   — Only use CNG.
	WIN_API_FLAG = windows.CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG
)
View Source 
const AwsSharedCredentialsFileEnvVarName = "AWS_SHARED_CREDENTIALS_FILE"
View Source 
const BufferSize = 49152
View Source 
const DEFAULT_TOKEN_TTL_SECONDS = "21600"
View Source 
const DefaultPort = 9911
View Source 
const EC2_METADATA_TOKEN_HEADER = "x-aws-ec2-metadata-token"
View Source 
const EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
View Source 
const LocalHostAddress = "127.0.0.1"
View Source 
const MAX_TOKENS = 256
View Source 
const REFRESHABLE_CRED_CODE = "Success"
View Source 
const REFRESHABLE_CRED_TYPE = "AWS-HMAC"
View Source 
const SECURITY_CREDENTIALS_RESOURCE_PATH = "/latest/meta-data/iam/security-credentials/"
View Source 
const TOKEN_RESOURCE_PATH = "/latest/api/token"
View Source 
const UpdateRefreshTime = time.Minute * time.Duration(5)
View Source 
const X_FORWARDED_FOR_HEADER = "X-Forwarded-For"

Variables

View Source 
var Debug bool = false
View Source 
var (
	// ErrUnsupportedHash is returned by Signer.Sign() when the provided hash
	// algorithm isn't supported.
	ErrUnsupportedHash = errors.New("unsupported hash algorithm")
)
View Source 
var RefreshTime = time.Minute * time.Duration(5)

Functions

func AllIssuesHandlers added in v1.0.3 

func AllIssuesHandlers(cred *RefreshableCred, roleName string, opts *CredentialsOpts, signer Signer, signatureAlgorithm string) (http.HandlerFunc, http.HandlerFunc, http.HandlerFunc)

func BuildAuthorizationHeader 

func BuildAuthorizationHeader(request *http.Request, body io.ReadSeeker, signedHeadersString string, signature string, certificate *x509.Certificate, signerParams SignerParams) string

Builds the complete authorization header

func CheckValidToken added in v1.0.3 

func CheckValidToken(w http.ResponseWriter, r *http.Request) error

Helper function that checks to see whether the token provided in the request is valid

func CreateRequestSignFunction added in v1.0.5 

func CreateRequestSignFunction(signer crypto.Signer, signingAlgorithm string, certificate *x509.Certificate, certificateChain []*x509.Certificate) func(*request.Request)

func CreateStringToSign 

func CreateStringToSign(canonicalRequest string, signerParams SignerParams) string

Create the string to sign.

func FindTokenTTLSeconds added in v1.0.4 

func FindTokenTTLSeconds(r *http.Request) (string, error)

Helper function that finds a token's TTL in seconds

func GenerateToken added in v1.0.3 

func GenerateToken(length int) (string, error)

Generates a random string with the specified length

func GetCredentialsFileContents added in v1.0.3 

func GetCredentialsFileContents() ([]string, error)

Assume that the credentials file is located in the default path: `~/.aws/credentials`

func GetNewCredentialsFileContents added in v1.0.5 

func GetNewCredentialsFileContents(profileName string, readLines []string, cred *TemporaryCredential) []string

Function that will get the new conents of the credentials file after a refresh has been done

func GetWriteOnlyCredentialsFile added in v1.0.3 

func GetWriteOnlyCredentialsFile() (*os.File, error)

Assume that the credentials file exists already and open it for write operations that will overwrite the existing contents of the file

func InsertToken added in v1.0.3 

func InsertToken(token string, expirationTime time.Time) error

Removes the token that expires the earliest

func ReadCertificateBundleData 

func ReadCertificateBundleData(certificateBundleId string) ([]*x509.Certificate, error)

Reads certificate bundle data from a file, whose path is provided

func ReadPrivateKeyData 

func ReadPrivateKeyData(privateKeyId string) (crypto.PrivateKey, error)

Load the private key referenced by `privateKeyId`.

func Serve added in v1.0.3 

func Serve(port int, credentialsOptions CredentialsOpts)

func Update added in v1.0.3 

func Update(credentialsOptions CredentialsOpts, profile string, once bool)

Updates credentials in the credentials file for the specified profile

func WriteTo added in v1.0.3 

func WriteTo(profileName string, readLines []string, cred *TemporaryCredential) error

Function to write existing credentials and newly-created credentials to a destination file

Types

type CertIdentifier added in v1.0.5 

type CertIdentifier struct {
	Subject      string
	Issuer       string
	SerialNumber *big.Int
}

type CertificateContainer added in v1.0.5 

type CertificateContainer struct {
	// Certificate data
	Cert *x509.Certificate
	// Certificate URI (only populated in the case that the certificate is a PKCS#11 object)
	Uri string
}

func GetMatchingCerts added in v1.0.5 

func GetMatchingCerts(certIdentifier CertIdentifier) ([]CertificateContainer, error)

Gets the certificates that match a CertIdentifier

func GetMatchingCertsAndChain added in v1.0.5 

func GetMatchingCertsAndChain(certIdentifier CertIdentifier) (store windows.Handle, certCtx *windows.CertContext, certChain []*x509.Certificate, certContainers []CertificateContainer, err error)

Gets the certificates that match the given CertIdentifier within the user's "MY" certificate store. If there is only a single matching certificate, then its chain will be returned too

type CertificateData 

type CertificateData struct {
	// Type for the key contained in the certificate.
	// Passed back to the `sign-string` command
	KeyType string `json:"keyType"`
	// Certificate, as base64-encoded DER; used in the `x-amz-x509`
	// header in the API request.
	CertificateData string `json:"certificateData"`
	// Serial number of the certificate. Used in the credential
	// field of the Authorization header
	SerialNumber string `json:"serialNumber"`
	// Supported signing algorithms based on the KeyType
	Algorithms []string `json:"supportedAlgorithms"`
}

Container for certificate data returned to the SDK as JSON.

func ReadCertificateData 

func ReadCertificateData(certificateId string) (CertificateData, error)

Load the certificate referenced by `certificateId` and extract details required by the SDK to construct the StringToSign.

type CredentialProcessOutput 

type CredentialProcessOutput struct {
	// This field should be hard-coded to 1 for now.
	Version int `json:"Version"`
	// AWS Access Key ID
	AccessKeyId string `json:"AccessKeyId"`
	// AWS Secret Access Key
	SecretAccessKey string `json:"SecretAccessKey"`
	// AWS Session Token for temporary credentials
	SessionToken string `json:"SessionToken"`
	// ISO8601 timestamp for when the credentials expire
	Expiration string `json:"Expiration"`
}

Container that adheres to the format of credential_process output as specified by AWS.

func GenerateCredentials 

func GenerateCredentials(opts *CredentialsOpts, signer Signer, signatureAlgorithm string) (CredentialProcessOutput, error)

Function to create session and generate credentials

type CredentialsOpts 

type CredentialsOpts struct {
	PrivateKeyId        string
	CertificateId       string
	CertificateBundleId string
	CertIdentifier      CertIdentifier
	RoleArn             string
	ProfileArnStr       string
	TrustAnchorArnStr   string
	SessionDuration     int
	Region              string
	Endpoint            string
	NoVerifySSL         bool
	WithProxy           bool
	Debug               bool
	Version             string
	LibPkcs11           string
}

type Endpoint added in v1.0.3 

type Endpoint struct {
	PortNum int
	Server  *http.Server
	TmpCred RefreshableCred
}

type FileSystemSigner added in v1.0.5 

type FileSystemSigner struct {
	PrivateKey crypto.PrivateKey
	// contains filtered or unexported fields
}

func (FileSystemSigner) Certificate added in v1.0.5 

func (fileSystemSigner FileSystemSigner) Certificate() (*x509.Certificate, error)

func (FileSystemSigner) CertificateChain added in v1.0.5 

func (fileSystemSigner FileSystemSigner) CertificateChain() ([]*x509.Certificate, error)

func (FileSystemSigner) Close added in v1.0.5 

func (fileSystemSigner FileSystemSigner) Close()

func (FileSystemSigner) Public added in v1.0.5 

func (fileSystemSigner FileSystemSigner) Public() crypto.PublicKey

func (FileSystemSigner) Sign added in v1.0.5 

func (fileSystemSigner FileSystemSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

type RefreshableCred added in v1.0.3 

type RefreshableCred struct {
	AccessKeyId     string
	SecretAccessKey string
	Token           string
	Code            string
	Type            string
	Expiration      time.Time
	LastUpdated     time.Time
}

type SessionToken added in v1.0.3 

type SessionToken struct {
	Expiration time.Time
}

type Signer 

type Signer interface {
	Public() crypto.PublicKey
	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
	Certificate() (certificate *x509.Certificate, err error)
	CertificateChain() (certificateChain []*x509.Certificate, err error)
	Close()
}

Interface that all signers will have to implement (as a result, they will also implement crypto.Signer)

func GetCertStoreSigner added in v1.0.5 

func GetCertStoreSigner(certIdentifier CertIdentifier) (signer Signer, signingAlgorithm string, err error)

Gets a WindowsCertStoreSigner based on the CertIdentifier

func GetFileSystemSigner added in v1.0.5 

func GetFileSystemSigner(privateKey crypto.PrivateKey, certificate *x509.Certificate, certificateChain []*x509.Certificate) (signer Signer, signingAlgorithm string, err error)

Returns a FileSystemSigner, that signs a payload using the private key passed in

func GetPKCS12Signer added in v1.0.5 

func GetPKCS12Signer(certificateId string) (signer Signer, signingAlgorithm string, err error)

func GetSigner added in v1.0.5 

func GetSigner(opts *CredentialsOpts) (signer Signer, signatureAlgorithm string, err error)

Gets the Signer based on the flags passed in by the user (from which the CredentialsOpts structure is derived)

type SignerParams 

type SignerParams struct {
	OverriddenDate   time.Time
	RegionName       string
	ServiceName      string
	SigningAlgorithm string
}

func (*SignerParams) GetFormattedShortSigningDateTime 

func (signerParams *SignerParams) GetFormattedShortSigningDateTime() string

Obtain the short date-time, formatted as specified by SigV4

func (*SignerParams) GetFormattedSigningDateTime 

func (signerParams *SignerParams) GetFormattedSigningDateTime() string

Obtain the date-time, formatted as specified by SigV4

func (*SignerParams) GetScope 

func (signerParams *SignerParams) GetScope() string

Obtain the scope as part of the SigV4-X509 signature

type TemporaryCredential added in v1.0.3 

type TemporaryCredential struct {
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
}

Structure to contain a temporary credential

type WindowsCertStoreSigner added in v1.0.5 

type WindowsCertStoreSigner struct {
	// contains filtered or unexported fields
}

func (*WindowsCertStoreSigner) Certificate added in v1.0.5 

func (signer *WindowsCertStoreSigner) Certificate() (cert *x509.Certificate, err error)

Certificate implements the aws_signing_helper.Signer interface and returns a pointer to the x509.Certificate associated with this signer

func (*WindowsCertStoreSigner) CertificateChain added in v1.0.5 

func (signer *WindowsCertStoreSigner) CertificateChain() ([]*x509.Certificate, error)

CertificateChain implements the aws_signing_helper.Signer interface and returns the certificate chain associated with this signer

func (*WindowsCertStoreSigner) Close added in v1.0.5 

func (signer *WindowsCertStoreSigner) Close()

Close implements the aws_signing_helper.Signer interface and closes the signer

func (*WindowsCertStoreSigner) Public added in v1.0.5 

func (signer *WindowsCertStoreSigner) Public() crypto.PublicKey

Public implements the crypto.Signer interface.

func (*WindowsCertStoreSigner) Sign added in v1.0.5 

func (signer *WindowsCertStoreSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)

Sign implements the crypto.Signer interface and signs the digest

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.