Aws::String AWSAuthV4Signer::GenerateSignature(const AWSCredentials& credentials, const Aws::String& stringToSign, const Aws::String& simpleDate, const Aws::String& regionName) const
{
AWS_LOGSTREAM_DEBUG(v4LogTag, "Final String to sign: " << stringToSign);
Aws::StringStream ss;
//now we do the complicated part of deriving a signing key.
Aws::String signingKey(SIGNING_KEY);
signingKey.append(credentials.GetAWSSecretKey());
//we use digest only for the derivation process.
auto hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)simpleDate.c_str(), simpleDate.length()),
ByteBuffer((unsigned char*)signingKey.c_str(), signingKey.length()));
if (!hashResult.IsSuccess())
{
AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hmac (sha256) date string \"" << simpleDate << "\"");
return "";
}
auto kDate = hashResult.GetResult();
hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)regionName.c_str(), regionName.length()), kDate);
if (!hashResult.IsSuccess())
{
AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hmac (sha256) region string \"" << regionName << "\"");
return "";
}
auto kRegion = hashResult.GetResult();
hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)m_serviceName.c_str(), m_serviceName.length()), kRegion);
if (!hashResult.IsSuccess())
{
AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hmac (sha256) service string \"" << m_serviceName << "\"");
return "";
}
auto kService = hashResult.GetResult();
hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)AWS4_REQUEST, strlen(AWS4_REQUEST)), kService);
if (!hashResult.IsSuccess())
{
AWS_LOGSTREAM_ERROR(v4LogTag, "Unable to hmac (sha256) request string \"" << AWS4_REQUEST << "\"");
return "";
}
auto kSigning = hashResult.GetResult();
hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)stringToSign.c_str(), stringToSign.length()), kSigning);
if (!hashResult.IsSuccess())
{
AWS_LOGSTREAM_ERROR(v4LogTag, "Unable to hmac (sha256) final string \"" << stringToSign << "\"");
return "";
}
//now we finally sign our request string with our hex encoded derived hash.
auto finalSigningDigest = hashResult.GetResult();
auto finalSigningHash = HashingUtils::HexEncode(finalSigningDigest);
AWS_LOGSTREAM_DEBUG(v4LogTag, "Final computed signing hash: " << finalSigningHash);
return finalSigningHash;
}
Aws::String AWSAuthV4Signer::GenerateSignature(const AWSCredentials& credentials, const Aws::String& stringToSign, const Aws::String& simpleDate) const
{
AWS_LOGSTREAM_DEBUG(v4LogTag, "Final String to sign: " << stringToSign);
Aws::StringStream ss;
auto& partialSignature = ComputeLongLivedHash(credentials.GetAWSSecretKey(), simpleDate);
auto hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)stringToSign.c_str(), stringToSign.length()), partialSignature);
if (!hashResult.IsSuccess())
{
AWS_LOGSTREAM_ERROR(v4LogTag, "Unable to hmac (sha256) final string \"" << stringToSign << "\"");
return "";
}
//now we finally sign our request string with our hex encoded derived hash.
auto finalSigningDigest = hashResult.GetResult();
auto finalSigningHash = HashingUtils::HexEncode(finalSigningDigest);
AWS_LOGSTREAM_DEBUG(v4LogTag, "Final computed signing hash: " << finalSigningHash);
return finalSigningHash;
}
bool AWSAuthV4Signer::PresignRequest(Aws::Http::HttpRequest& request, const char* region, const char* serviceName, long long expirationTimeInSeconds) const
{
AWSCredentials credentials = m_credentialsProvider->GetAWSCredentials();
//don't sign anonymous requests
if (credentials.GetAWSAccessKeyId().empty() || credentials.GetAWSSecretKey().empty())
{
return true;
}
Aws::StringStream intConversionStream;
intConversionStream << expirationTimeInSeconds;
request.AddQueryStringParameter(Http::X_AMZ_EXPIRES_HEADER, intConversionStream.str());
if (!credentials.GetSessionToken().empty())
{
request.AddQueryStringParameter(Http::AWS_SECURITY_TOKEN, credentials.GetSessionToken());
}
//calculate date header to use in internal signature (this also goes into date header).
DateTime now = GetSigningTimestamp();
Aws::String dateQueryValue = now.ToGmtString(LONG_DATE_FORMAT_STR);
request.AddQueryStringParameter(Http::AWS_DATE_HEADER, dateQueryValue);
Aws::StringStream ss;
ss << Http::HOST_HEADER << ":" << request.GetHeaderValue(Http::HOST_HEADER) << NEWLINE;
Aws::String canonicalHeadersString(ss.str());
ss.str("");
AWS_LOGSTREAM_DEBUG(v4LogTag, "Canonical Header String: " << canonicalHeadersString);
//calculate signed headers parameter
Aws::String signedHeadersValue(Http::HOST_HEADER);
request.AddQueryStringParameter(X_AMZ_SIGNED_HEADERS, signedHeadersValue);
AWS_LOGSTREAM_DEBUG(v4LogTag, "Signed Headers value: " << signedHeadersValue);
Aws::String simpleDate = now.ToGmtString(SIMPLE_DATE_FORMAT_STR);
ss << credentials.GetAWSAccessKeyId() << "/" << simpleDate
<< "/" << region << "/" << serviceName << "/" << AWS4_REQUEST;
request.AddQueryStringParameter(X_AMZ_ALGORITHM, AWS_HMAC_SHA256);
request.AddQueryStringParameter(X_AMZ_CREDENTIAL, ss.str());
ss.str("");
//generate generalized canonicalized request string.
Aws::String canonicalRequestString = CanonicalizeRequestSigningString(request, m_urlEscapePath);
//append v4 stuff to the canonical request string.
canonicalRequestString.append(canonicalHeadersString);
canonicalRequestString.append(NEWLINE);
canonicalRequestString.append(signedHeadersValue);
canonicalRequestString.append(NEWLINE);
canonicalRequestString.append(UNSIGNED_PAYLOAD);
AWS_LOGSTREAM_DEBUG(v4LogTag, "Canonical Request String: " << canonicalRequestString);
//now compute sha256 on that request string
auto hashResult = m_hash->Calculate(canonicalRequestString);
if (!hashResult.IsSuccess())
{
AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hash (sha256) request string \"" << canonicalRequestString << "\"");
return false;
}
auto sha256Digest = hashResult.GetResult();
auto cannonicalRequestHash = HashingUtils::HexEncode(sha256Digest);
auto stringToSign = GenerateStringToSign(dateQueryValue, simpleDate, cannonicalRequestHash);
auto finalSigningHash = GenerateSignature(credentials, stringToSign, simpleDate);
if (finalSigningHash.empty())
{
return false;
}
//add that the signature to the query string
request.AddQueryStringParameter(X_AMZ_SIGNATURE, finalSigningHash);
return true;
}
bool AWSAuthV4Signer::SignRequest(Aws::Http::HttpRequest& request, bool signBody) const
{
AWSCredentials credentials = m_credentialsProvider->GetAWSCredentials();
//don't sign anonymous requests
if (credentials.GetAWSAccessKeyId().empty() || credentials.GetAWSSecretKey().empty())
{
return true;
}
if (!credentials.GetSessionToken().empty())
{
request.SetAwsSessionToken(credentials.GetSessionToken());
}
Aws::String payloadHash(UNSIGNED_PAYLOAD);
if(signBody || request.GetUri().GetScheme() != Http::Scheme::HTTPS)
{
payloadHash.assign(ComputePayloadHash(request));
if (payloadHash.empty())
{
return false;
}
}
else
{
AWS_LOGSTREAM_DEBUG(v4LogTag, "Note: Http payloads are not being signed. signPayloads=" << m_signPayloads
<< " http scheme=" << Http::SchemeMapper::ToString(request.GetUri().GetScheme()));
}
if(m_includeSha256HashHeader)
{
request.SetHeaderValue("x-amz-content-sha256", payloadHash);
}
//calculate date header to use in internal signature (this also goes into date header).
DateTime now = GetSigningTimestamp();
Aws::String dateHeaderValue = now.ToGmtString(LONG_DATE_FORMAT_STR);
request.SetHeaderValue(AWS_DATE_HEADER, dateHeaderValue);
Aws::StringStream headersStream;
Aws::StringStream signedHeadersStream;
for (const auto& header : CanonicalizeHeaders(request.GetHeaders()))
{
if(ShouldSignHeader(header.first))
{
headersStream << header.first.c_str() << ":" << header.second.c_str() << NEWLINE;
signedHeadersStream << header.first.c_str() << ";";
}
}
Aws::String canonicalHeadersString = headersStream.str();
AWS_LOGSTREAM_DEBUG(v4LogTag, "Canonical Header String: " << canonicalHeadersString);
//calculate signed headers parameter
Aws::String signedHeadersValue = signedHeadersStream.str();
//remove that last semi-colon
signedHeadersValue.erase(signedHeadersValue.length() - 1);
AWS_LOGSTREAM_DEBUG(v4LogTag, "Signed Headers value:" << signedHeadersValue);
//generate generalized canonicalized request string.
Aws::String canonicalRequestString = CanonicalizeRequestSigningString(request, m_urlEscapePath);
//append v4 stuff to the canonical request string.
canonicalRequestString.append(canonicalHeadersString);
canonicalRequestString.append(NEWLINE);
canonicalRequestString.append(signedHeadersValue);
canonicalRequestString.append(NEWLINE);
canonicalRequestString.append(payloadHash);
AWS_LOGSTREAM_DEBUG(v4LogTag, "Canonical Request String: " << canonicalRequestString);
//now compute sha256 on that request string
auto hashResult = m_hash->Calculate(canonicalRequestString);
if (!hashResult.IsSuccess())
{
AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hash (sha256) request string \"" << canonicalRequestString << "\"");
return false;
}
auto sha256Digest = hashResult.GetResult();
Aws::String cannonicalRequestHash = HashingUtils::HexEncode(sha256Digest);
Aws::String simpleDate = now.ToGmtString(SIMPLE_DATE_FORMAT_STR);
Aws::String stringToSign = GenerateStringToSign(dateHeaderValue, simpleDate, cannonicalRequestHash);
auto finalSignature = GenerateSignature(credentials, stringToSign, simpleDate);
Aws::StringStream ss;
ss << AWS_HMAC_SHA256 << " " << CREDENTIAL << EQ << credentials.GetAWSAccessKeyId() << "/" << simpleDate
<< "/" << m_region << "/" << m_serviceName << "/" << AWS4_REQUEST << ", " << SIGNED_HEADERS << EQ
<< signedHeadersValue << ", " << SIGNATURE << EQ << finalSignature;
auto awsAuthString = ss.str();
AWS_LOGSTREAM_DEBUG(v4LogTag, "Signing request with: " << awsAuthString);
request.SetAwsAuthorization(awsAuthString);
return true;
}
