1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
#ifndef AWS_AUTH_SIGNER_H
#define AWS_AUTH_SIGNER_H
/**
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0.
*/
#include <aws/auth/auth.h>
#include <aws/auth/signing_config.h>
AWS_PUSH_SANE_WARNING_LEVEL
struct aws_ecc_key_pair;
struct aws_signable;
struct aws_signing_result;
/**
* Gets called by the signing function when the signing is complete.
*
* Note that result will be destroyed after this function returns, so either copy it,
* or do all necessary adjustments inside the callback.
*
* When performing event or chunk signing, you will need to copy out the signature value in order
* to correctly configure the signable that wraps the event or chunk you want signed next. The signature is
* found in the "signature" property on the signing result. This value must be added as the
* "previous-signature" property on the next signable.
*/
typedef void(aws_signing_complete_fn)(struct aws_signing_result *result, int error_code, void *userdata);
AWS_EXTERN_C_BEGIN
/*
* Takes a signable object and a configuration struct and computes the changes to the signable necessary
* for compliance with the signer's signing algorithm.
*
* This signing function currently supports only the sigv4 algorithm.
*
* When using this signing function to sign AWS http requests:
*
* (1) Do not add the following headers to requests before signing:
* x-amz-content-sha256,
* X-Amz-Date,
* Authorization
*
* (2) Do not add the following query params to requests before signing:
* X-Amz-Signature,
* X-Amz-Date,
* X-Amz-Credential,
* X-Amz-Algorithm,
* X-Amz-SignedHeaders
*
* The signing result will tell exactly what header and/or query params to add to the request
* to become a fully-signed AWS http request.
*
*
* When using this signing function to sign chunks:
*
* (1) Use aws_signable_new_chunk() to create the signable object representing the chunk
*
* The signing result will include the chunk's signature as the "signature" property.
*
*
*/
/**
* (Asynchronous) entry point to sign something (a request, a chunk, an event) with an AWS signing process.
* Depending on the configuration, the signing process may or may not complete synchronously.
*
* @param allocator memory allocator to use throughout the signing process
* @param signable the thing to be signed. See signable.h for common constructors for signables that
* wrap different types.
* @param base_config pointer to a signing configuration, currently this must be of type aws_signing_config_aws
* @param on_complete completion callback to be invoked when signing has finished
* @param user_data opaque user data that will be passed to the completion callback
*
* @return AWS_OP_SUCCESS if the signing attempt was *initiated* successfully, AWS_OP_ERR otherwise
*/
AWS_AUTH_API
int aws_sign_request_aws(
struct aws_allocator *allocator,
const struct aws_signable *signable,
const struct aws_signing_config_base *base_config,
aws_signing_complete_fn *on_complete,
void *userdata);
/**
* Test-only API used for cross-library signing verification tests
*
* Verifies:
* (1) The canonical request generated during sigv4a signing of the request matches what is passed in
* (2) The signature passed in is a valid ECDSA signature of the hashed string-to-sign derived from the
* canonical request
*
* @param allocator memory allocator to use throughout the signing verification process
* @param signable the thing to be signed. See signable.h for common constructors for signables that
* wrap different types.
* @param base_config pointer to a signing configuration, currently this must be of type aws_signing_config_aws
* @param expected_canonical_request_cursor expected result when building the canonical request
* @param signature_cursor the actual signature computed from a previous signing of the signable
* @param ecc_key_pub_x the x coordinate of the public part of the ecc key to verify the signature
* @param ecc_key_pub_y the y coordinate of the public part of the ecc key to verify the signature
*
* @return AWS_OP_SUCCESS if the signing attempt was *initiated* successfully, AWS_OP_ERR otherwise
*/
AWS_AUTH_API
int aws_verify_sigv4a_signing(
struct aws_allocator *allocator,
const struct aws_signable *signable,
const struct aws_signing_config_base *base_config,
struct aws_byte_cursor expected_canonical_request_cursor,
struct aws_byte_cursor signature_cursor,
struct aws_byte_cursor ecc_key_pub_x,
struct aws_byte_cursor ecc_key_pub_y);
/**
* Another helper function to check a computed sigv4a signature.
*/
AWS_AUTH_API
int aws_validate_v4a_authorization_value(
struct aws_allocator *allocator,
struct aws_ecc_key_pair *ecc_key,
struct aws_byte_cursor string_to_sign_cursor,
struct aws_byte_cursor signature_value_cursor);
/**
* Removes any padding added to the end of a sigv4a signature. Signature must be hex-encoded.
* @param signature signature to remove padding from
* @return cursor that ranges over only the valid hex encoding of the sigv4a signature
*/
AWS_AUTH_API
struct aws_byte_cursor aws_trim_padded_sigv4a_signature(struct aws_byte_cursor signature);
AWS_EXTERN_C_END
AWS_POP_SANE_WARNING_LEVEL
#endif /* AWS_AUTH_SIGNER_H */
|
