vendoredaws

package
v0.0.1-rc.6
Warning: This package is not in the latest version of its module.
Published: Dec 18, 2024 License: Apache-2.0 Imports: 29 Imported by: 0

README

The code within this package is a partial vendoring of https://github.com/aws/rolesanywhere-credential-helper/tree/main/aws_signing_helper

The original source is licensed under Apache 2.0; the license text can be found in LICENSE.

This code was vendored to break the dependency of aws_signing_package on https://github.com/miekg/pkcs11, which requires CGO to build.

An issue is open with the upstream repository to split the packages so that this dependency is avoided, at which point this vendoring will be obsolete: https://github.com/aws/rolesanywhere-credential-helper/issues/86

Documentation

Index

Constants

This section is empty.

Variables

var (
	// ErrUnsupportedHash is returned by Signer.Sign() when the provided hash
	// algorithm isn't supported.
	ErrUnsupportedHash = errors.New("unsupported hash algorithm")

	// Predefined system store names.
	// See: https://learn.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations
	SystemStoreNames = []string{
		"MY",
		"Root",
		"Trust",
		"CA",
	}
)
var Debug bool = false

Functions

func BuildAuthorizationHeader

func BuildAuthorizationHeader(request *http.Request, body io.ReadSeeker, signedHeadersString string, signature string, certificate *x509.Certificate, signerParams SignerParams) string

Builds the complete authorization header

func CreateRequestSignFunction

func CreateRequestSignFunction(signer crypto.Signer, signingAlgorithm string, certificate *x509.Certificate, certificateChain []*x509.Certificate) func(*request.Request)

func CreateStringToSign

func CreateStringToSign(canonicalRequest string, signerParams SignerParams) string

Create the string to sign.

func GetCertChain

func GetCertChain(certificateBundleId string) ([]*x509.Certificate, error)

GetCertChain reads a certificate bundle and returns a chain of all the certificates it contains

func ReadCertificateBundleData

func ReadCertificateBundleData(certificateBundleId string) ([]*x509.Certificate, error)

Reads certificate bundle data from the file whose path is given by certificateBundleId.

func ReadPKCS12Data

func ReadPKCS12Data(certificateId string) (certChain []*x509.Certificate, privateKey crypto.PrivateKey, err error)

Reads and parses a PKCS#12 file (which should contain an end-entity certificate, an optional certificate chain, and the key associated with the end-entity certificate). The end-entity certificate will be the first certificate in the returned chain. This method assumes that there is exactly one certificate within the container that doesn't issue any of the others, and treats that as the end-entity certificate. The order of the remaining certificates in the chain isn't guaranteed (nor is it guaranteed that those certificates form a chain with the end-entity certificate).

func ReadPrivateKeyData

func ReadPrivateKeyData(privateKeyId string) (crypto.PrivateKey, error)

Load the private key referenced by `privateKeyId`.

func ReadPrivateKeyDataFromPEMBlock

func ReadPrivateKeyDataFromPEMBlock(block *pem.Block) (key crypto.PrivateKey, err error)

Reads private key data from a *pem.Block.

Types

type CertIdentifier

type CertIdentifier struct {
	Subject         string
	Issuer          string
	SerialNumber    *big.Int
	SystemStoreName string // Only relevant in the case of Windows
}

type CertificateContainer

type CertificateContainer struct {
	// Certificate data
	Cert *x509.Certificate
	// Certificate URI (only populated in the case that the certificate is a PKCS#11 object)
	Uri string
}

type CertificateData

type CertificateData struct {
	// Type for the key contained in the certificate.
	// Passed back to the `sign-string` command
	KeyType string `json:"keyType"`
	// Certificate, as base64-encoded DER; used in the `x-amz-x509`
	// header in the API request.
	CertificateData string `json:"certificateData"`
	// Serial number of the certificate. Used in the credential
	// field of the Authorization header
	SerialNumber string `json:"serialNumber"`
	// Supported signing algorithms based on the KeyType
	Algorithms []string `json:"supportedAlgorithms"`
}

Container for certificate data returned to the SDK as JSON.

func ReadCertificateData

func ReadCertificateData(certificateId string) (CertificateData, *x509.Certificate, error)

ReadCertificateData loads the certificate referenced by `certificateId` and extracts details required by the SDK to construct the StringToSign.

type CredentialProcessOutput

type CredentialProcessOutput struct {
	// This field should be hard-coded to 1 for now.
	Version int `json:"Version"`
	// AWS Access Key ID
	AccessKeyId string `json:"AccessKeyId"`
	// AWS Secret Access Key
	SecretAccessKey string `json:"SecretAccessKey"`
	// AWS Session Token for temporary credentials
	SessionToken string `json:"SessionToken"`
	// ISO8601 timestamp for when the credentials expire
	Expiration string `json:"Expiration"`
}

Container that adheres to the format of credential_process output as specified by AWS.

func GenerateCredentials

func GenerateCredentials(opts *CredentialsOpts, signer Signer, signatureAlgorithm string) (CredentialProcessOutput, error)

Creates a session and generates credentials.

type CredentialsOpts

type CredentialsOpts struct {
	PrivateKeyId        string
	CertificateId       string
	CertificateBundleId string
	CertIdentifier      CertIdentifier
	RoleArn             string
	ProfileArnStr       string
	TrustAnchorArnStr   string
	SessionDuration     int
	Region              string
	Endpoint            string
	NoVerifySSL         bool
	WithProxy           bool
	Debug               bool
	Version             string
	LibPkcs11           string
	ReusePin            bool
	ServerTTL           int
	RoleSessionName     string
}

type Signer

type Signer interface {
	Public() crypto.PublicKey
	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
	Certificate() (certificate *x509.Certificate, err error)
	CertificateChain() (certificateChain []*x509.Certificate, err error)
	Close()
}

Interface that all signers will have to implement (as a result, they will also implement crypto.Signer)
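As an added example (not code from the vendoredaws package or the upstream credential helper), the following program implements the Signer interface above with a software ECDSA key held in process memory, so that the contract can be seen end to end: Sign rejects digests for any hash other than SHA-256 with ErrUnsupportedHash, Certificate returns a self-signed certificate generated at startup, and Close drops the key so later Sign calls fail. The type LocalSigner and the helpers NewLocalSigner and SignAndVerify are names chosen for this example; the Signer interface and ErrUnsupportedHash are copied from the page so the file compiles on its own.

```go
// Added example: a software-key implementation of the page's Signer interface.
// LocalSigner, NewLocalSigner and SignAndVerify are names assumed for this
// example and are not part of the vendoredaws package.
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Signer mirrors the interface documented on this page.
type Signer interface {
	Public() crypto.PublicKey
	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
	Certificate() (certificate *x509.Certificate, err error)
	CertificateChain() (certificateChain []*x509.Certificate, err error)
	Close()
}

// ErrUnsupportedHash mirrors the variable documented on this page.
var ErrUnsupportedHash = errors.New("unsupported hash algorithm")

// LocalSigner keeps a P-256 private key in memory together with its
// self-signed certificate. A hardware-backed signer would keep the same
// shape but delegate Sign to the token.
type LocalSigner struct {
	key   *ecdsa.PrivateKey
	cert  *x509.Certificate
	chain []*x509.Certificate // intermediates; empty for a self-signed leaf
}

// NewLocalSigner generates a fresh key and a short-lived self-signed
// certificate (constructed test material, not a real Roles Anywhere cert).
func NewLocalSigner() (*LocalSigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-host"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &LocalSigner{key: key, cert: cert}, nil
}

func (s *LocalSigner) Public() crypto.PublicKey {
	if s.key == nil {
		return nil
	}
	return &s.key.PublicKey
}

// Sign accepts only a SHA-256 digest; any other hash is reported with
// ErrUnsupportedHash, as the page documents for Signer.Sign().
func (s *LocalSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if s.key == nil {
		return nil, errors.New("signer is closed")
	}
	if opts == nil || opts.HashFunc() != crypto.SHA256 || len(digest) != sha256.Size {
		return nil, ErrUnsupportedHash
	}
	return ecdsa.SignASN1(r, s.key, digest)
}

func (s *LocalSigner) Certificate() (*x509.Certificate, error)        { return s.cert, nil }
func (s *LocalSigner) CertificateChain() ([]*x509.Certificate, error) { return s.chain, nil }

// Close discards the key reference so the signer cannot be used afterwards.
func (s *LocalSigner) Close() { s.key = nil }

// Compile-time checks: LocalSigner satisfies the page's Signer and, as the
// page notes, therefore also crypto.Signer.
var (
	_ Signer        = (*LocalSigner)(nil)
	_ crypto.Signer = (*LocalSigner)(nil)
)

// SignAndVerify signs msg through the interface and verifies the result
// against the public key carried in the signer's certificate.
func SignAndVerify(s Signer, msg []byte) (bool, error) {
	digest := sha256.Sum256(msg)
	sig, err := s.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return false, err
	}
	cert, err := s.Certificate()
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("certificate public key is not ECDSA")
	}
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

func main() {
	s, err := NewLocalSigner()
	if err != nil {
		panic(err)
	}
	defer s.Close()
	ok, err := SignAndVerify(s, []byte("constructed sample message"))
	fmt.Println("signature verifies:", ok, "err:", err)
}
```

Verifying against the certificate's own public key, rather than the key returned by Public(), is the check a caller of this interface actually cares about: the certificate is what gets sent in the `x-amz-x509` header, so a mismatch between it and the signing key would only surface server-side.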

type SignerParams

type SignerParams struct {
	OverriddenDate   time.Time
	RegionName       string
	ServiceName      string
	SigningAlgorithm string
}

func (*SignerParams) GetFormattedShortSigningDateTime

func (signerParams *SignerParams) GetFormattedShortSigningDateTime() string

Obtain the short date-time, formatted as specified by SigV4

func (*SignerParams) GetFormattedSigningDateTime

func (signerParams *SignerParams) GetFormattedSigningDateTime() string

Obtain the date-time, formatted as specified by SigV4

func (*SignerParams) GetScope

func (signerParams *SignerParams) GetScope() string

Obtain the scope as part of the SigV4-X509 signature
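The three SignerParams getters above are thin formatting helpers, so an added example (my own reimplementation, not the vendoredaws package's code) shows what they produce and how they feed the string to sign. It uses the standard SigV4 layouts: the short date `YYYYMMDD`, the full timestamp `YYYYMMDDTHHMMSSZ`, and the credential scope `date/region/service/aws4_request`; the string to sign is the signing algorithm, timestamp, scope and hex SHA-256 of the canonical request joined by newlines. Treating a zero OverriddenDate as "use the current UTC time" is an assumption of this example, as is the sample region, service name and algorithm string used in main.

```go
// Added example: a reimplementation of the SignerParams getters and of a
// CreateStringToSign-style helper using the SigV4 layouts. Falling back to
// time.Now() for a zero OverriddenDate is an assumption of this example.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// SignerParams mirrors the struct documented on this page.
type SignerParams struct {
	OverriddenDate   time.Time
	RegionName       string
	ServiceName      string
	SigningAlgorithm string
}

// signingTime pins the request to a fixed instant when one was supplied
// (useful for tests and replayable fixtures) and otherwise uses now, in UTC
// as SigV4 requires.
func (p *SignerParams) signingTime() time.Time {
	if p.OverriddenDate.IsZero() {
		return time.Now().UTC()
	}
	return p.OverriddenDate.UTC()
}

// GetFormattedShortSigningDateTime returns the YYYYMMDD date used in the scope.
func (p *SignerParams) GetFormattedShortSigningDateTime() string {
	return p.signingTime().Format("20060102")
}

// GetFormattedSigningDateTime returns the YYYYMMDDTHHMMSSZ timestamp used in
// the X-Amz-Date header and the string to sign.
func (p *SignerParams) GetFormattedSigningDateTime() string {
	return p.signingTime().Format("20060102T150405Z")
}

// GetScope returns the credential scope: date/region/service/aws4_request.
func (p *SignerParams) GetScope() string {
	return fmt.Sprintf("%s/%s/%s/aws4_request",
		p.GetFormattedShortSigningDateTime(), p.RegionName, p.ServiceName)
}

// CreateStringToSign joins algorithm, timestamp, scope and the hex SHA-256
// of the canonical request with newlines, the SigV4 string-to-sign layout.
func CreateStringToSign(canonicalRequest string, p SignerParams) string {
	sum := sha256.Sum256([]byte(canonicalRequest))
	return strings.Join([]string{
		p.SigningAlgorithm,
		p.GetFormattedSigningDateTime(),
		p.GetScope(),
		hex.EncodeToString(sum[:]),
	}, "\n")
}

func main() {
	// Constructed sample parameters; the region, service and algorithm
	// strings are placeholders for this example.
	p := SignerParams{
		OverriddenDate:   time.Date(2024, 12, 18, 15, 4, 5, 0, time.UTC),
		RegionName:       "us-east-1",
		ServiceName:      "rolesanywhere",
		SigningAlgorithm: "AWS4-X509-ECDSA-SHA256",
	}
	fmt.Println(CreateStringToSign("GET\n/\n\nhost:example.invalid\n\nhost\n", p))
}
```

Because the scope embeds the short date, a signature is only valid for the day it names; pinning OverriddenDate in tests makes the expected string deterministic, while production callers should leave it zero so the timestamp reflects the actual request time.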
