/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Globalization;
using Amazon.Internal;
using Amazon.Util;
using Amazon.Runtime.Internal.Util;
namespace Amazon.Runtime.Internal.Auth
{
/// <summary>
/// AWS4 protocol signer for service calls that transmit authorization in the header field "Authorization".
/// </summary>
public class AWS4Signer : AbstractAWSSigner
{
/// <summary>Signature-version prefix. Also prefixed to the secret key when the signing key is derived (see ComposeSigningKey).</summary>
public const string Scheme = "AWS4";
/// <summary>Algorithm name for the symmetric (HMAC) SigV4 signature produced by this signer.</summary>
public const string Algorithm = "HMAC-SHA256";
/// <summary>Algorithm name for the asymmetric SigV4a variant; only the sentinel strings below use it in this file.</summary>
public const string Sigv4aAlgorithm = "ECDSA-P256-SHA256";
/// <summary>Full SigV4 algorithm tag ("AWS4-HMAC-SHA256"); this is the first line of the string-to-sign built in ComputeSignature.</summary>
public const string AWS4AlgorithmTag = Scheme + "-" + Algorithm;
/// <summary>Full SigV4a algorithm tag ("AWS4-ECDSA-P256-SHA256").</summary>
public const string AWS4aAlgorithmTag = Scheme + "-" + Sigv4aAlgorithm;
/// <summary>Final component of the credential scope and the last step of the key-derivation chain.</summary>
public const string Terminator = "aws4_request";
/// <summary>UTF-8 bytes of <see cref="Terminator"/>, used as HMAC data in ComposeSigningKey.</summary>
public static readonly byte[] TerminatorBytes = Encoding.UTF8.GetBytes(Terminator);
/// <summary>Authorization-header component names.</summary>
public const string Credential = "Credential";
public const string SignedHeaders = "SignedHeaders";
public const string Signature = "Signature";
/// <summary>Hex SHA-256 of a zero-length payload.</summary>
public const string EmptyBodySha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
/// <summary>
/// x-amz-content-sha256 sentinels for chunk-signed (aws-chunked) bodies, with and without trailing headers.
/// When one of these is used the seed signature covers the sentinel rather than the body; each chunk is signed separately.
/// </summary>
public const string StreamingBodySha256 = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD";
public const string StreamingBodySha256WithTrailer = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER";
public const string V4aStreamingBodySha256 = "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD";
public const string V4aStreamingBodySha256WithTrailer = "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER";
/// <summary>Content-Encoding token appended by SetContentEncodingHeader for chunked bodies.</summary>
public const string AWSChunkedEncoding = "aws-chunked";
/// <summary>
/// x-amz-content-sha256 sentinels declaring that the body is NOT covered by the signature.
/// Because an unsigned body can be altered in transit, ValidateRequest rejects DisablePayloadSigning over plain HTTP.
/// </summary>
public const string UnsignedPayload = "UNSIGNED-PAYLOAD";
public const string UnsignedPayloadWithTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER";
/// <summary>HMAC algorithm used for every keyed hash in this signer.</summary>
const SigningAlgorithm SignerAlgorithm = SigningAlgorithm.HmacSHA256;
// Header names that are never included in the signed-headers set (compared case-insensitively).
// NOTE(review): the consumer of this set (presumably SortAndPruneHeaders) is outside this view.
private static IEnumerable<string> _headersToIgnoreWhenSigning = new HashSet<string>(StringComparer.OrdinalIgnoreCase) {
HeaderKeys.XAmznTraceIdHeader,
HeaderKeys.TransferEncodingHeader,
HeaderKeys.AmzSdkInvocationId,
HeaderKeys.AmzSdkRequest
};
/// <summary>
/// Creates a signer that includes the request body in the signature (SignPayload = true).
/// </summary>
public AWS4Signer() : this(true)
{
}
/// <summary>
/// Creates a signer with an explicit payload-signing policy.
/// </summary>
/// <param name="signPayload">
/// When false, requests are signed with the UNSIGNED-PAYLOAD sentinel unless the request itself
/// sets DisablePayloadSigning, which takes precedence (see SetRequestBodyHash).
/// </param>
public AWS4Signer(bool signPayload) => SignPayload = signPayload;
/// <summary>
/// Default payload-signing policy for this signer instance. A per-request
/// DisablePayloadSigning value overrides it.
/// </summary>
public bool SignPayload { get; private set; }
/// <summary>The client protocol this signer applies to (REST).</summary>
public override ClientProtocol Protocol => ClientProtocol.RestProtocol;
/// <summary>
/// Signs the request with the AWS4 (SigV4) protocol and writes the result into the
/// 'Authorization' header. Query-string and Parameters-collection values must not already be
/// URI-encoded; callers that hold pre-encoded values should call SignRequest directly.
/// </summary>
/// <param name="request">
/// Request to sign. The 'host' and 'x-amz-date' headers are added (and any stale
/// Authorization / x-amz-content-sha256 headers removed) before signing.
/// </param>
/// <param name="clientConfig">Client configuration (authentication region, endpoint, service name).</param>
/// <param name="metrics">Optional request metrics; receives the canonical request and string-to-sign.</param>
/// <param name="awsAccessKeyId">Access key id placed in the credential scope.</param>
/// <param name="awsSecretAccessKey">Clear-text secret key from which the signing key is derived.</param>
/// <exception cref="Amazon.Runtime.SignatureException">If any problems are encountered while signing the request.</exception>
public override void Sign(IRequest request,
IClientConfig clientConfig,
RequestMetrics metrics,
string awsAccessKeyId,
string awsSecretAccessKey)
{
    var signed = SignRequest(request, clientConfig, metrics, awsAccessKeyId, awsSecretAccessKey);
    // The result object renders the full "AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=..." value.
    request.Headers[HeaderKeys.AuthorizationHeader] = signed.ForAuthorizationHeader;
}
/// <summary>
/// Convenience overload of <see cref="Sign(IRequest, IClientConfig, RequestMetrics, string, string)"/>
/// that unpacks the access key and secret key from an <see cref="ImmutableCredentials"/> instance.
/// Any session token carried by the credentials is not read here; it is expected to already be
/// present on the request as a header (not verified in this file).
/// </summary>
/// <param name="request">Request to sign; 'host' and 'x-amz-date' are added before signing.</param>
/// <param name="clientConfig">Client configuration (authentication region, endpoint, service name).</param>
/// <param name="metrics">Optional request metrics.</param>
/// <param name="credentials">Credentials supplying the access key id and secret key.</param>
/// <exception cref="Amazon.Runtime.SignatureException">If any problems are encountered while signing the request.</exception>
public override void Sign(IRequest request,
IClientConfig clientConfig,
RequestMetrics metrics,
ImmutableCredentials credentials)
    => Sign(request, clientConfig, metrics, credentials.AccessKey, credentials.SecretKey);
/// <summary>
/// Calculates and signs the specified request using the AWS4 signing protocol by using the
/// AWS account credentials given in the method parameters. The request is mutated in place:
/// stale signature headers are removed, 'host', 'x-amz-date', 'x-amz-content-sha256' (and, for
/// trailing headers, 'x-amz-trailer' / 'x-amz-decoded-content-length') are set, and
/// DeterminedSigningRegion is recorded on the request.
/// </summary>
/// <param name="request">
/// The request to compute the signature for. Additional headers mandated by the AWS4 protocol
/// ('host' and 'x-amz-date') will be added to the request before signing.
/// </param>
/// <param name="clientConfig">
/// Client configuration data encompassing the service call (notably authentication
/// region, endpoint and service name).
/// </param>
/// <param name="metrics">
/// Metrics for the request. When non-null, the full canonical request is stored in it.
/// </param>
/// <param name="awsAccessKeyId">
/// The AWS public key for the account making the service call.
/// </param>
/// <param name="awsSecretAccessKey">
/// The AWS secret key for the account making the call, in clear text.
/// </param>
/// <returns>
/// The signing result, which also carries the derived signing key (needed later for per-chunk
/// signatures) — treat the result as sensitive.
/// </returns>
/// <exception cref="Amazon.Runtime.SignatureException">
/// If any problems are encountered while signing the request.
/// </exception>
/// <exception cref="AmazonClientException">
/// If DisablePayloadSigning is set and the endpoint is not HTTPS (see ValidateRequest).
/// </exception>
/// <remarks>
/// Parameters passed as part of the resource path should be uri-encoded prior to
/// entry to the signer. Parameters passed in the request.Parameters collection should
/// be not be encoded; encoding will be done for these parameters as part of the
/// construction of the canonical request.
/// The steps below are order-sensitive: every header-mutating call must run before
/// SortAndPruneHeaders snapshots the set of signed headers.
/// </remarks>
public AWS4SigningResult SignRequest(IRequest request,
IClientConfig clientConfig,
RequestMetrics metrics,
string awsAccessKeyId,
string awsSecretAccessKey)
{
// Refuse unsigned payloads over plain HTTP before touching anything.
ValidateRequest(request);
// Removes any prior Authorization / x-amz-content-sha256 and sets host + x-amz-date;
// the returned time is the single timestamp used for scope, string-to-sign and the header.
var signedAt = InitializeHeaders(request.Headers, request.Endpoint);
var serviceSigningName = !string.IsNullOrEmpty(request.OverrideSigningServiceName) ? request.OverrideSigningServiceName : DetermineService(clientConfig);
// NOTE(review): this is a case-sensitive comparison; an override of "S3" would not hit this branch — confirm intended.
if (serviceSigningName == "s3")
{
// Older versions of the S3 package can be used with newer versions of Core, this guarantees no double encoding will be used.
// The new behavior uses endpoint resolution rules, which are not present prior to 3.7.100
request.UseDoubleEncoding = false;
}
request.DeterminedSigningRegion = DetermineSigningRegion(clientConfig, clientConfig.RegionEndpointServiceName, request.AlternateEndpoint, request);
// x-amz-trailer must be set before the headers are snapshotted so that it is itself signed.
SetXAmzTrailerHeader(request.Headers, request.TrailingHeaders);
var parametersToCanonicalize = GetParametersToCanonicalize(request);
var canonicalParameters = CanonicalizeQueryParameters(parametersToCanonicalize);
// If the request should use a fixed x-amz-content-sha256 header value, determine the appropriate one
var bodySha = request.TrailingHeaders?.Count > 0
? StreamingBodySha256WithTrailer
: StreamingBodySha256;
// Sets x-amz-content-sha256 (real hash, streaming sentinel, or UNSIGNED-PAYLOAD) and may rewrite
// Content-Length / Content-Encoding for chunked bodies.
var bodyHash = SetRequestBodyHash(request, SignPayload, bodySha, ChunkedUploadWrapperStream.V4_SIGNATURE_LENGTH);
var sortedHeaders = SortAndPruneHeaders(request.Headers);
var canonicalRequest = CanonicalizeRequest(request.Endpoint,
request.ResourcePath,
request.HttpMethod,
sortedHeaders,
canonicalParameters,
bodyHash,
request.PathResources,
request.UseDoubleEncoding);
// NOTE(review): the canonical request embeds the values of every signed header; if metrics are
// ever logged, check that no sensitive header value leaks through this property.
if (metrics != null)
metrics.AddProperty(Metric.CanonicalRequest, canonicalRequest);
return ComputeSignature(awsAccessKeyId,
awsSecretAccessKey,
request.DeterminedSigningRegion,
signedAt,
serviceSigningName,
CanonicalizeHeaderNames(sortedHeaders),
canonicalRequest,
metrics);
}
#region Public Signing Helpers
/// <summary>
/// Sets the AWS4 mandated 'host' and 'x-amz-date' headers using the clock-skew-corrected
/// current UTC time for the endpoint, and returns that time so every other element of the
/// signature (credential scope, string-to-sign) uses the same instant.
/// </summary>
/// <param name="headers">The current set of headers; mutated in place.</param>
/// <param name="requestEndpoint">Endpoint used for the host header and for the clock-skew lookup.</param>
/// <returns>Date and time used for x-amz-date, in UTC</returns>
public static DateTime InitializeHeaders(IDictionary<string, string> headers, Uri requestEndpoint)
{
    // Clock skew is tracked per endpoint, so the correction is looked up by endpoint string.
    var correctedNow = CorrectClockSkew.GetCorrectedUtcNowForEndpoint(requestEndpoint.ToString());
    return InitializeHeaders(headers, requestEndpoint, correctedNow);
}
/// <summary>
/// Sets the AWS4 mandated 'host' and 'x-amz-date' headers using the supplied date/time, and
/// returns that date/time unchanged so callers thread the same instant through signing.
/// </summary>
/// <param name="headers">The current set of headers; stale signature headers are removed first.</param>
/// <param name="requestEndpoint">Endpoint whose host (and non-default port) form the host header.</param>
/// <param name="requestDateTime">
/// Signing time. It is converted with ToUniversalTime() for the header, so a value whose Kind is
/// Unspecified is interpreted as local time.
/// </param>
/// <returns>The value of <paramref name="requestDateTime"/>, as passed in.</returns>
public static DateTime InitializeHeaders(IDictionary<string, string> headers, Uri requestEndpoint, DateTime requestDateTime)
{
    // When re-signing, the previous Authorization / content hash must not become part of the new signature.
    CleanHeaders(headers);
    if (!headers.ContainsKey(HeaderKeys.HostHeader))
    {
        // The host header is always signed; include the port only when it is non-default.
        var hostValue = requestEndpoint.IsDefaultPort
            ? requestEndpoint.Host
            : requestEndpoint.Host + ":" + requestEndpoint.Port;
        headers.Add(HeaderKeys.HostHeader, hostValue);
    }
    headers[HeaderKeys.XAmzDateHeader] = FormatDateTime(requestDateTime, AWSSDKUtils.ISO8601BasicDateTimeFormat);
    return requestDateTime;
}
/// <summary>
/// Sets the x-amz-trailer header for the given set of trailing headers. The header is
/// itself signed, and its value must list the trailer names in the order they are later
/// written on the wire.
/// </summary>
/// <param name="headers">request's headers; untouched when there are no trailing headers</param>
/// <param name="trailingHeaders">request's trailing headers (may be null or empty)</param>
public static void SetXAmzTrailerHeader(IDictionary<string, string> headers, IDictionary<string, string> trailingHeaders)
{
    if (trailingHeaders == null)
        return;
    if (trailingHeaders.Count == 0)
        return;
    // Names are ordered with the default string comparer. NOTE(review): that comparer is
    // culture-sensitive; the component that writes the trailers (outside this file) must
    // order them identically or the trailer signature will not verify — confirm.
    var orderedNames = trailingHeaders.Keys.OrderBy(name => name);
    headers[HeaderKeys.XAmzTrailerHeader] = string.Join(",", orderedNames.ToArray());
}
/// <summary>
/// Removes the artefacts of a previous signing pass so a request can be re-signed:
/// the Authorization and x-amz-content-sha256 headers are dropped, and if a chunked
/// signing pass replaced Content-Length with the inflated wire length, the original
/// length is restored from x-amz-decoded-content-length.
/// </summary>
/// <param name="headers">Headers to clean, mutated in place.</param>
private static void CleanHeaders(IDictionary<string, string> headers)
{
    headers.Remove(HeaderKeys.AuthorizationHeader);
    headers.Remove(HeaderKeys.XAmzContentSha256Header);
    string decodedLength;
    if (!headers.TryGetValue(HeaderKeys.XAmzDecodedContentLengthHeader, out decodedLength))
        return;
    // Put back the true body length; SetRequestBodyHash will recompute the chunked length if needed.
    headers[HeaderKeys.ContentLengthHeader] = decodedLength;
    headers.Remove(HeaderKeys.XAmzDecodedContentLengthHeader);
}
/// <summary>
/// Pre-signing sanity check. An unsigned payload (DisablePayloadSigning = true) is not
/// integrity-protected by the signature, so it is only allowed over HTTPS where TLS
/// protects the body in transit.
/// </summary>
/// <param name="request">Request about to be signed.</param>
/// <exception cref="AmazonClientException">
/// When DisablePayloadSigning is true and the endpoint scheme is not "https".
/// </exception>
private static void ValidateRequest(IRequest request)
{
    // Only an explicit per-request opt-out is checked here; the signer-level SignPayload=false
    // path is not validated by this method.
    var payloadSigningDisabled = request.DisablePayloadSigning ?? false;
    if (!payloadSigningDisabled)
        return;
    // System.Uri normalises the scheme to lower case, so an ordinal comparison is sufficient.
    if (request.Endpoint.Scheme != "https")
        throw new AmazonClientException("When DisablePayloadSigning is true, the request must be sent over HTTPS.");
}
/// <summary>
/// Computes an AWS4 signature for an already-canonicalized request, taking the access key
/// and secret key from an <see cref="ImmutableCredentials"/> instance. No metrics are recorded.
/// </summary>
/// <param name="credentials">Credentials supplying the access key id and secret key.</param>
/// <param name="region">Signing region used in the credential scope.</param>
/// <param name="signedAt">Signing time (used for both the date stamp and the timestamp).</param>
/// <param name="service">Signing service name used in the credential scope.</param>
/// <param name="signedHeaders">Semicolon-joined canonical header names.</param>
/// <param name="canonicalRequest">Canonical request text whose SHA-256 is signed.</param>
/// <returns>The signing result, including the derived signing key.</returns>
public static AWS4SigningResult ComputeSignature(ImmutableCredentials credentials,
string region,
DateTime signedAt,
string service,
string signedHeaders,
string canonicalRequest)
    => ComputeSignature(credentials.AccessKey,
                        credentials.SecretKey,
                        region,
                        signedAt,
                        service,
                        signedHeaders,
                        canonicalRequest);
/// <summary>
/// Computes an AWS4 signature for an already-canonicalized request without recording metrics.
/// </summary>
/// <param name="awsAccessKey">Access key id placed in the credential scope.</param>
/// <param name="awsSecretAccessKey">Clear-text secret key from which the signing key is derived.</param>
/// <param name="region">Signing region used in the credential scope.</param>
/// <param name="signedAt">Signing time (used for both the date stamp and the timestamp).</param>
/// <param name="service">Signing service name used in the credential scope.</param>
/// <param name="signedHeaders">Semicolon-joined canonical header names.</param>
/// <param name="canonicalRequest">Canonical request text whose SHA-256 is signed.</param>
/// <returns>The signing result, including the derived signing key.</returns>
public static AWS4SigningResult ComputeSignature(string awsAccessKey,
string awsSecretAccessKey,
string region,
DateTime signedAt,
string service,
string signedHeaders,
string canonicalRequest)
    => ComputeSignature(awsAccessKey, awsSecretAccessKey, region, signedAt, service, signedHeaders, canonicalRequest, metrics: null);
/// <summary>
/// Computes an AWS4 signature for an already-canonicalized request.
/// Builds the credential scope ("date/region/service/aws4_request") and the string-to-sign
/// ("AWS4-HMAC-SHA256", timestamp, scope, hex SHA-256 of the canonical request), derives the
/// signing key, and HMACs the string-to-sign with it.
/// </summary>
/// <param name="awsAccessKey">Access key id placed in the credential scope.</param>
/// <param name="awsSecretAccessKey">Clear-text secret key from which the signing key is derived.</param>
/// <param name="region">Signing region used in the credential scope and key derivation.</param>
/// <param name="signedAt">Signing time; formatted as UTC for both date stamp and timestamp.</param>
/// <param name="service">Signing service name used in the credential scope and key derivation.</param>
/// <param name="signedHeaders">Semicolon-joined canonical header names.</param>
/// <param name="canonicalRequest">Canonical request text whose SHA-256 is signed.</param>
/// <param name="metrics">Optional metrics; receives the string-to-sign when non-null.</param>
/// <returns>The signing result, which also carries the derived signing key (sensitive).</returns>
public static AWS4SigningResult ComputeSignature(string awsAccessKey,
string awsSecretAccessKey,
string region,
DateTime signedAt,
string service,
string signedHeaders,
string canonicalRequest,
RequestMetrics metrics)
{
    var dateStamp = FormatDateTime(signedAt, AWSSDKUtils.ISO8601BasicDateFormat);
    var timeStamp = FormatDateTime(signedAt, AWSSDKUtils.ISO8601BasicDateTimeFormat);
    var scope = $"{dateStamp}/{region}/{service}/{Terminator}";
    // Lower-case hex, as required for the final line of the string-to-sign.
    var canonicalRequestHashHex = AWSSDKUtils.ToHex(ComputeHash(canonicalRequest), true);
    var stringToSignBuilder = new StringBuilder()
        .Append(Scheme).Append('-').Append(Algorithm).Append('\n')
        .Append(timeStamp).Append('\n')
        .Append(scope).Append('\n')
        .Append(canonicalRequestHashHex);
    // The string-to-sign contains no secret material (only a hash of the canonical request).
    metrics?.AddProperty(Metric.StringToSign, stringToSignBuilder);
    var signingKey = ComposeSigningKey(awsSecretAccessKey, region, dateStamp, service);
    var signature = ComputeKeyedHash(SignerAlgorithm, signingKey, stringToSignBuilder.ToString());
    return new AWS4SigningResult(awsAccessKey, signedAt, signedHeaders, scope, signingKey, signature);
}
/// <summary>
/// Formats a date/time for use in AWS4 signing. The value is first converted to UTC
/// (a DateTime whose Kind is Unspecified is treated as local time by ToUniversalTime),
/// then rendered with the invariant culture so the output is locale-independent.
/// </summary>
/// <param name="dt">Date/time to format.</param>
/// <param name="formatString">Custom .NET date/time format string.</param>
/// <returns>The UTC date/time in the requested format</returns>
public static string FormatDateTime(DateTime dt, string formatString)
{
    var utc = dt.ToUniversalTime();
    return utc.ToString(formatString, CultureInfo.InvariantCulture);
}
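/// <summary>
/// Compute and return the multi-stage signing key for the request:
/// kSecret = "AWS4" + secret; kDate = HMAC(kSecret, date); kRegion = HMAC(kDate, region);
/// kService = HMAC(kRegion, service); kSigning = HMAC(kService, "aws4_request").
/// </summary>
/// <param name="awsSecretAccessKey">The clear-text AWS secret key</param>
/// <param name="region">The region in which the service request will be processed</param>
/// <param name="date">Date of the request, in yyyyMMdd format</param>
/// <param name="service">The name of the service being called by the request</param>
/// <returns>
/// Computed signing key. This is itself secret material (it can sign any request in the
/// same date/region/service scope); callers hold it only as long as needed.
/// </returns>
/// <remarks>
/// Every intermediate buffer derived from the secret (the UTF-8 bytes of kSecret and the
/// kDate/kRegion/kService HMAC outputs) is zeroed before returning, on success or failure.
/// The concatenated "AWS4" + secret string is an immutable .NET string and cannot be cleared;
/// the secret therefore still lives on the managed heap until collected.
/// </remarks>
public static byte[] ComposeSigningKey(string awsSecretAccessKey, string region, string date, string service)
{
    char[] ksecret = null;
    byte[] ksecretBytes = null;
    byte[] hashDate = null;
    byte[] hashRegion = null;
    byte[] hashService = null;
    try
    {
        ksecret = (Scheme + awsSecretAccessKey).ToCharArray();
        // Previously only the char[] was cleared; the UTF-8 copy handed to the HMAC lingered on the heap.
        ksecretBytes = Encoding.UTF8.GetBytes(ksecret);
        hashDate = ComputeKeyedHash(SignerAlgorithm, ksecretBytes, Encoding.UTF8.GetBytes(date));
        hashRegion = ComputeKeyedHash(SignerAlgorithm, hashDate, Encoding.UTF8.GetBytes(region));
        hashService = ComputeKeyedHash(SignerAlgorithm, hashRegion, Encoding.UTF8.GetBytes(service));
        // The final HMAC output is a fresh array, so clearing the intermediates below does not touch it.
        return ComputeKeyedHash(SignerAlgorithm, hashService, TerminatorBytes);
    }
    finally
    {
        // Clean up all secret-derived buffers, regardless of which step failed.
        if (ksecret != null)
            Array.Clear(ksecret, 0, ksecret.Length);
        if (ksecretBytes != null)
            Array.Clear(ksecretBytes, 0, ksecretBytes.Length);
        if (hashDate != null)
            Array.Clear(hashDate, 0, hashDate.Length);
        if (hashRegion != null)
            Array.Clear(hashRegion, 0, hashRegion.Length);
        if (hashService != null)
            Array.Clear(hashService, 0, hashService.Length);
    }
}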
/// <summary>
/// Payload-signing variant of <see cref="SetRequestBodyHash(IRequest, bool, string, int)"/>:
/// equivalent to calling it with signPayload = true. A per-request DisablePayloadSigning
/// value still overrides that default inside the four-argument overload.
/// </summary>
/// <param name="request">Request to sign</param>
/// <param name="chunkedBodyHash">The fixed value to set for the x-amz-content-sha256 header for chunked requests</param>
/// <param name="signatureLength">Length of the signature for each chunk in a chunked request, in bytes</param>
/// <returns>
/// The computed hash, whether already set in headers or computed here. Null
/// if we were not able to compute a hash.
/// </returns>
public static string SetRequestBodyHash(IRequest request, string chunkedBodyHash, int signatureLength)
    => SetRequestBodyHash(request, signPayload: true, chunkedBodyHash: chunkedBodyHash, signatureLength: signatureLength);
/// <summary>
/// Decides what x-amz-content-sha256 value the request is signed with, sets that header, and
/// returns the value for use in the canonical request.
/// If the payload is to be left unsigned (request.DisablePayloadSigning when set, otherwise
/// !signPayload), the UNSIGNED-PAYLOAD / STREAMING-UNSIGNED-PAYLOAD-TRAILER sentinel is used.
/// Otherwise, if the caller has already set the x-amz-content-sha256 header with a pre-computed
/// content hash, or it is present as ContentStreamHash on the request instance, return
/// the value to be used in request canonicalization.
/// If not set as a header or in the request, attempt to compute a hash based on
/// inspection of the style of the request content.
/// For chunked (aws-chunked) bodies Content-Length is rewritten to the wire length and the
/// original length preserved in x-amz-decoded-content-length.
/// </summary>
/// <param name="request">Request to sign; headers are mutated in place</param>
/// <param name="signPayload">Default payload-signing policy; overridden by request.DisablePayloadSigning when that is non-null</param>
/// <param name="chunkedBodyHash">The fixed value to set for the x-amz-content-sha256 header for chunked requests</param>
/// <param name="signatureLength">Length of the signature for each chunk in a chunked request, in bytes</param>
/// <returns>
/// The value written to x-amz-content-sha256: a hex SHA-256, a streaming sentinel, or an
/// unsigned-payload sentinel. Never null — see the final fallback below.
/// </returns>
public static string SetRequestBodyHash(IRequest request, bool signPayload, string chunkedBodyHash, int signatureLength)
{
// If unsigned payload, set the appropriate magic string in the header and return it.
// An explicit per-request DisablePayloadSigning wins over the signer-level default.
if (request.DisablePayloadSigning != null ? request.DisablePayloadSigning.Value : !signPayload)
{
if (request.TrailingHeaders?.Count > 0)
{
// Set X-Amz-Decoded-Content-Length with the true size of the data
// NOTE(review): unlike the chunked branch further down, this indexes Content-Length without
// checking it is present; a missing header surfaces as KeyNotFoundException here.
request.Headers[HeaderKeys.XAmzDecodedContentLengthHeader] = request.Headers[HeaderKeys.ContentLengthHeader];
// Substitute the originally declared content length with the inflated length due to trailing headers
var originalContentLength = long.Parse(request.Headers[HeaderKeys.ContentLengthHeader], CultureInfo.InvariantCulture);
request.Headers[HeaderKeys.ContentLengthHeader]
= TrailingHeadersWrapperStream.CalculateLength(request.TrailingHeaders, request.SelectedChecksum, originalContentLength).ToString(CultureInfo.InvariantCulture);
SetContentEncodingHeader(request);
return SetPayloadSignatureHeader(request, UnsignedPayloadWithTrailer);
}
else // request does not have trailing headers (and is still unsigned payload)
{
return SetPayloadSignatureHeader(request, UnsignedPayload);
}
}
// if the body hash has been precomputed and already placed in the header, just extract and return it.
// The caller-supplied value is trusted as-is; a wrong hash is only detected by the service.
string computedContentHash;
var shaHeaderPresent = request.Headers.TryGetValue(HeaderKeys.XAmzContentSha256Header, out computedContentHash);
if (shaHeaderPresent && !request.UseChunkEncoding)
return computedContentHash;
// otherwise continue to calculate the hash and set it in the headers before returning
if (request.UseChunkEncoding)
{
// Chunked bodies are signed per chunk; the seed signature covers only the streaming sentinel.
computedContentHash = chunkedBodyHash;
if (request.Headers.ContainsKey(HeaderKeys.ContentLengthHeader))
{
// Set X-Amz-Decoded-Content-Length with the true size of the data
request.Headers[HeaderKeys.XAmzDecodedContentLengthHeader] = request.Headers[HeaderKeys.ContentLengthHeader];
// Substitute the originally declared content length with the inflated length due to chunking metadata and/or trailing headers
var originalContentLength = long.Parse(request.Headers[HeaderKeys.ContentLengthHeader], CultureInfo.InvariantCulture);
request.Headers[HeaderKeys.ContentLengthHeader]
= ChunkedUploadWrapperStream.ComputeChunkedContentLength(originalContentLength, signatureLength, request.TrailingHeaders, request.SelectedChecksum).ToString(CultureInfo.InvariantCulture);
}
SetContentEncodingHeader(request);
}
else
{
// Hash the body itself: from the content stream when there is one, otherwise from the
// serialized parameters/body bytes.
if (request.ContentStream != null)
computedContentHash = request.ComputeContentStreamHash();
else
{
byte[] payloadBytes = AWSSDKUtils.GetRequestPayloadBytes(request, request.UseQueryString);
byte[] payloadHashBytes = CryptoUtilFactory.CryptoInstance.ComputeSHA256Hash(payloadBytes);
computedContentHash = AWSSDKUtils.ToHex(payloadHashBytes, true);
}
}
// set the header if needed and return it.
// NOTE(review): if ComputeContentStreamHash returns null the request silently degrades to
// UNSIGNED-PAYLOAD even though signing was requested, and this path is not covered by the
// HTTPS check in ValidateRequest (which only looks at DisablePayloadSigning) — confirm intended.
return SetPayloadSignatureHeader(request, computedContentHash ?? UnsignedPayload);
}
/// <summary>
/// Appends "aws-chunked" to the Content-Encoding header. Nothing is done when the request
/// has no Content-Encoding header at all, or when the header already mentions aws-chunked.
/// </summary>
/// <param name="request">Request to modify</param>
private static void SetContentEncodingHeader(IRequest request)
{
    string currentEncoding;
    if (!request.Headers.TryGetValue(HeaderKeys.ContentEncodingHeader, out currentEncoding))
        return;
    // Ordinal substring check: avoid doubling the token on a re-sign.
    if (currentEncoding.Contains(AWSChunkedEncoding))
        return;
    request.Headers[HeaderKeys.ContentEncodingHeader] = currentEncoding + ", " + AWSChunkedEncoding;
}
/// <summary>
/// Returns the HMAC-SHA256 of a string (encoded as UTF-8) under the specified key.
/// </summary>
/// <param name="key">HMAC key, e.g. a signing key from ComposeSigningKey.</param>
/// <param name="data">Text to authenticate; encoded as UTF-8 before hashing.</param>
/// <returns>Raw HMAC bytes.</returns>
public static byte[] SignBlob(byte[] key, string data)
    => SignBlob(key, Encoding.UTF8.GetBytes(data));
/// <summary>
/// Returns the HMAC-SHA256 of an arbitrary byte blob under the specified key.
/// </summary>
/// <param name="key">HMAC key.</param>
/// <param name="data">Bytes to authenticate.</param>
/// <returns>Raw HMAC bytes.</returns>
public static byte[] SignBlob(byte[] key, byte[] data)
    => CryptoUtilFactory.CryptoInstance.HMACSignBinary(data, key, SignerAlgorithm);
/// <summary>
/// Computes the keyed hash (HMAC) of a string, encoded as UTF-8, with the given algorithm.
/// </summary>
/// <param name="algorithm">Algorithm to use for hashing</param>
/// <param name="key">Hash key</param>
/// <param name="data">Text to hash; encoded as UTF-8 first</param>
/// <returns>Hash of the data</returns>
public static byte[] ComputeKeyedHash(SigningAlgorithm algorithm, byte[] key, string data)
    => ComputeKeyedHash(algorithm, key, Encoding.UTF8.GetBytes(data));
/// <summary>
/// Computes the keyed hash (HMAC) of a byte blob with the given algorithm, delegating to
/// the platform crypto provider.
/// </summary>
/// <param name="algorithm">Algorithm to use for hashing</param>
/// <param name="key">Hash key</param>
/// <param name="data">Data blob</param>
/// <returns>Hash of the data</returns>
public static byte[] ComputeKeyedHash(SigningAlgorithm algorithm, byte[] key, byte[] data)
    => CryptoUtilFactory.CryptoInstance.HMACSignBinary(data, key, algorithm);
/// <summary>
/// Computes the SHA-256 (non-keyed) hash of a string, encoded as UTF-8.
/// </summary>
/// <param name="data">Text to hash</param>
/// <returns>Raw SHA-256 digest bytes</returns>
public static byte[] ComputeHash(string data)
    => ComputeHash(Encoding.UTF8.GetBytes(data));
/// <summary>
/// Computes the SHA-256 (non-keyed) hash of a byte blob via the platform crypto provider.
/// </summary>
/// <param name="data">Bytes to hash</param>
/// <returns>Raw SHA-256 digest bytes</returns>
public static byte[] ComputeHash(byte[] data)
    => CryptoUtilFactory.CryptoInstance.ComputeSHA256Hash(data);
#endregion
#region Private Signing Helpers
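/// <summary>
/// Writes the payload hash (or sentinel) into the x-amz-content-sha256 header, replacing any
/// existing value, and returns it so the caller can use the same value in the canonical request.
/// </summary>
/// <param name="request">Request whose headers are updated.</param>
/// <param name="payloadHash">Hex SHA-256 of the body, or one of the streaming / unsigned sentinels.</param>
/// <returns>The value that was written.</returns>
static string SetPayloadSignatureHeader(IRequest request, string payloadHash)
{
    // IDictionary's indexer setter adds the key when absent and overwrites it when present,
    // so the previous ContainsKey/Add split did two lookups for the same effect.
    request.Headers[HeaderKeys.XAmzContentSha256Header] = payloadHash;
    return payloadHash;
}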
/// <summary>
/// Resolves the region used in the credential scope, in this precedence order:
/// (1) request.AlternateEndpoint; (2) request.AuthenticationRegion, else
/// clientConfig.AuthenticationRegion; (3) a region parsed from clientConfig.ServiceURL;
/// (4) clientConfig.RegionEndpoint (its service-specific auth region, an endpoints.json
/// override, or its system name). Returns an empty string when nothing applies.
/// Sources (2) and (3) are lower-cased; (1) and (4) are returned as provided.
/// </summary>
/// <param name="clientConfig">Client configuration consulted for region settings.</param>
/// <param name="serviceName">Service name used to look up service-specific endpoint data.</param>
/// <param name="alternateEndpoint">Per-request endpoint override, or null.</param>
/// <param name="request">The request, or null; supplies AuthenticationRegion when set.</param>
/// <returns>The signing region, or string.Empty.</returns>
public static string DetermineSigningRegion(IClientConfig clientConfig,
string serviceName,
RegionEndpoint alternateEndpoint,
IRequest request)
{
    // (1) A per-request alternate endpoint wins over everything in the client config.
    if (alternateEndpoint != null)
    {
        var alternateServiceEndpoint = alternateEndpoint.GetEndpointForService(serviceName, clientConfig.ToGetEndpointForServiceOptions());
        return alternateServiceEndpoint.AuthRegion ?? alternateEndpoint.SystemName;
    }
    // (2) request.AuthenticationRegion is normally populated by endpoint resolution (or by an
    // explicit clientConfig.AuthenticationRegion, which users typically only set for non-AWS services).
    var authenticationRegion = request?.AuthenticationRegion ?? clientConfig.AuthenticationRegion;
    if (!string.IsNullOrEmpty(authenticationRegion))
        return authenticationRegion.ToLowerInvariant();
    // (3) Fall back to a region embedded in an explicit service URL.
    if (!string.IsNullOrEmpty(clientConfig.ServiceURL))
    {
        var regionFromUrl = AWSSDKUtils.DetermineRegion(clientConfig.ServiceURL);
        if (!string.IsNullOrEmpty(regionFromUrl))
            return regionFromUrl.ToLowerInvariant();
    }
    // (4) Finally use the configured region endpoint.
    var configuredEndpoint = clientConfig.RegionEndpoint;
    if (configuredEndpoint == null)
        return string.Empty;
    var configuredServiceEndpoint = configuredEndpoint.GetEndpointForService(serviceName, clientConfig.ToGetEndpointForServiceOptions());
    if (!string.IsNullOrEmpty(configuredServiceEndpoint.AuthRegion))
        return configuredServiceEndpoint.AuthRegion;
    // endpoints.json may redirect signing for this region to another one.
    var overrideRegion = RegionEndpoint.GetRegionEndpointOverride(configuredEndpoint);
    return overrideRegion != null ? overrideRegion.SystemName : configuredEndpoint.SystemName;
}
/// <summary>
/// Resolves the service name used in the credential scope: an explicit
/// clientConfig.AuthenticationServiceName if set, otherwise the name derived
/// from the client's resolved service URL.
/// </summary>
/// <param name="clientConfig">Client configuration.</param>
/// <returns>The signing service name.</returns>
public static string DetermineService(IClientConfig clientConfig)
{
    var explicitServiceName = clientConfig.AuthenticationServiceName;
    if (!string.IsNullOrEmpty(explicitServiceName))
        return explicitServiceName;
    return AWSSDKUtils.DetermineService(clientConfig.DetermineServiceURL());
}
/// <summary>
/// Computes and returns the canonical request, with no path-resource substitution
/// (pathResources = null) and double encoding of the resource path enabled.
/// </summary>
/// <param name="endpoint">The endpoint URL</param>
/// <param name="resourcePath">the path of the resource being operated on</param>
/// <param name="httpMethod">The http method used for the request</param>
/// <param name="sortedHeaders">The full request headers, sorted into canonical order</param>
/// <param name="canonicalQueryString">The query parameters for the request</param>
/// <param name="precomputedBodyHash">
/// The hash of the binary request body if present. If not supplied, the routine
/// will look for the hash as a header on the request.
/// </param>
/// <returns>Canonicalised request as a string</returns>
protected static string CanonicalizeRequest(Uri endpoint,
string resourcePath,
string httpMethod,
IDictionary<string, string> sortedHeaders,
string canonicalQueryString,
string precomputedBodyHash)
    => CanonicalizeRequest(endpoint, resourcePath, httpMethod, sortedHeaders, canonicalQueryString, precomputedBodyHash, pathResources: null);
/// <summary>
/// Computes and returns the canonical request, with double encoding of the resource path
/// enabled. Delegates to CanonicalizeRequestHelper.
/// </summary>
/// <param name="endpoint">The endpoint URL</param>
/// <param name="resourcePath">the path of the resource being operated on</param>
/// <param name="httpMethod">The http method used for the request</param>
/// <param name="sortedHeaders">The full request headers, sorted into canonical order</param>
/// <param name="canonicalQueryString">The query parameters for the request</param>
/// <param name="precomputedBodyHash">
/// The hash of the binary request body if present. If not supplied, the routine
/// will look for the hash as a header on the request.
/// </param>
/// <param name="pathResources">The path resource values lookup to use to replace the keys within resourcePath</param>
/// <returns>Canonicalised request as a string</returns>
protected static string CanonicalizeRequest(Uri endpoint,
string resourcePath,
string httpMethod,
IDictionary<string, string> sortedHeaders,
string canonicalQueryString,
string precomputedBodyHash,
IDictionary<string, string> pathResources)
{
    const bool doubleEncode = true;
    return CanonicalizeRequestHelper(endpoint,
                                     resourcePath,
                                     httpMethod,
                                     sortedHeaders,
                                     canonicalQueryString,
                                     precomputedBodyHash,
                                     pathResources,
                                     doubleEncode);
}
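/// <summary>
/// Computes and returns the canonical request, substituting the supplied path
/// resource values into <paramref name="resourcePath"/> and letting the caller
/// decide how the resource path is encoded.
/// </summary>
/// <param name="endpoint">The endpoint URL</param>
/// <param name="resourcePath">The path of the resource being operated on</param>
/// <param name="httpMethod">The HTTP method used for the request</param>
/// <param name="sortedHeaders">The full request headers, sorted into canonical order</param>
/// <param name="canonicalQueryString">The canonicalized query parameters for the request</param>
/// <param name="precomputedBodyHash">
/// The hash of the binary request body if present. If not supplied, the routine
/// will look for the hash as a header on the request.
/// </param>
/// <param name="pathResources">The path resource values lookup to use to replace the keys within resourcePath</param>
/// <param name="doubleEncode">
/// Whether to encode "/" when canonicalizing the resource path; passed through to
/// <see cref="AWSSDKUtils.CanonicalizeResourcePathV2"/>.
/// </param>
/// <returns>Canonicalized request as a string</returns>
protected static string CanonicalizeRequest(Uri endpoint,
                                            string resourcePath,
                                            string httpMethod,
                                            IDictionary<string, string> sortedHeaders,
                                            string canonicalQueryString,
                                            string precomputedBodyHash,
                                            IDictionary<string, string> pathResources,
                                            bool doubleEncode)
{
    // Fixed: the <param name="pathResources"> element was previously nested inside the
    // precomputedBodyHash element, producing malformed XML documentation.
    return CanonicalizeRequestHelper(endpoint,
                                     resourcePath,
                                     httpMethod,
                                     sortedHeaders,
                                     canonicalQueryString,
                                     precomputedBodyHash,
                                     pathResources,
                                     doubleEncode);
}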
/// <summary>
/// Builds the SigV4 canonical request: HTTP method, canonical URI, canonical
/// query string, canonical headers, signed header names (each line terminated by
/// "\n"), followed by the hex payload hash.
/// </summary>
/// <param name="endpoint">The endpoint URL</param>
/// <param name="resourcePath">The path of the resource being operated on</param>
/// <param name="httpMethod">The HTTP method used for the request</param>
/// <param name="sortedHeaders">The full request headers, sorted into canonical order</param>
/// <param name="canonicalQueryString">The canonicalized query parameters for the request</param>
/// <param name="precomputedBodyHash">
/// The payload hash to sign. When <c>null</c>, the value of the
/// x-amz-content-sha256 header in <paramref name="sortedHeaders"/> is used; when
/// that is also absent, the canonical request ends with an empty payload-hash line.
/// </param>
/// <param name="pathResources">The path resource values lookup to use to replace the keys within resourcePath</param>
/// <param name="doubleEncode">Whether to encode "/" when canonicalizing the resource path</param>
/// <returns>Canonicalized request as a string</returns>
private static string CanonicalizeRequestHelper(Uri endpoint,
                                                string resourcePath,
                                                string httpMethod,
                                                IDictionary<string, string> sortedHeaders,
                                                string canonicalQueryString,
                                                string precomputedBodyHash,
                                                IDictionary<string, string> pathResources,
                                                bool doubleEncode)
{
    var canonicalUri = AWSSDKUtils.CanonicalizeResourcePathV2(endpoint, resourcePath, doubleEncode, pathResources);

    var request = new StringBuilder()
        .Append(httpMethod).Append('\n')
        .Append(canonicalUri).Append('\n')
        .Append(canonicalQueryString).Append('\n')
        .Append(CanonicalizeHeaders(sortedHeaders)).Append('\n')
        .Append(CanonicalizeHeaderNames(sortedHeaders)).Append('\n');

    // Prefer the hash the caller already computed; otherwise fall back to the
    // hash carried in the request headers. If neither exists nothing is appended.
    var payloadHash = precomputedBodyHash;
    if (payloadHash == null)
        sortedHeaders.TryGetValue(HeaderKeys.XAmzContentSha256Header, out payloadHash);
    request.Append(payloadHash);

    return request.ToString();
}
/// <summary>
/// Lower-cases the request header names, drops the headers that must not be
/// signed, and orders the result by ordinal character code as the SigV4
/// canonical-request rules require.
/// </summary>
/// <param name="requestHeaders">The set of proposed headers for the request</param>
/// <returns>Headers that must be included in the signature, keyed by lower-case name in ordinal order</returns>
/// <remarks>
/// For AWS4 signing, all headers are considered viable for inclusion. The ignore check
/// is performed on the original (not lower-cased) name, so whether it is case-insensitive
/// depends on the comparer of <c>_headersToIgnoreWhenSigning</c>. Two input headers that
/// differ only by case collapse to the same key and make <c>Add</c> throw an
/// <see cref="ArgumentException"/> rather than silently dropping one from the signature.
/// </remarks>
protected internal static IDictionary<string, string> SortAndPruneHeaders(IEnumerable<KeyValuePair<string, string>> requestHeaders)
{
    // https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html, step #4:
    // sort the lower-cased header names by character code. StringComparer.OrdinalIgnoreCase
    // must not be used here because it places '_' after lowercase characters.
    var signedHeaders = new SortedDictionary<string, string>(StringComparer.Ordinal);

    var headersToSign = requestHeaders.Where(header => !_headersToIgnoreWhenSigning.Contains(header.Key));
    foreach (var header in headersToSign)
    {
        signedHeaders.Add(header.Key.ToLowerInvariant(), header.Value);
    }

    return signedHeaders;
}
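/// <summary>
/// Computes the canonical headers block for the request: one
/// <c>name:value\n</c> line per header, with the name lower-cased and the value
/// trimmed and its runs of spaces collapsed. Only headers included in the
/// signature should be passed in; this routine does not sort, so the caller is
/// responsible for canonical ordering (see <see cref="SortAndPruneHeaders"/>).
/// </summary>
/// <param name="sortedHeaders">All request headers to sign, sorted into canonical order</param>
/// <returns>Canonicalized string of headers, with the header names in lower case; empty when no headers are supplied</returns>
protected internal static string CanonicalizeHeaders(IEnumerable<KeyValuePair<string, string>> sortedHeaders)
{
    // Any() stops at the first element instead of walking the whole sequence as Count() does.
    if (sortedHeaders == null || !sortedHeaders.Any())
        return string.Empty;

    var builder = new StringBuilder();
    foreach (var entry in sortedHeaders)
    {
        // https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html, step #4:
        // "convert all header names to lowercase and remove leading spaces and trailing spaces.
        // Convert sequential spaces in the header value to a single space."
        builder.Append(entry.Key.ToLowerInvariant());
        builder.Append(':');
        builder.Append(AWSSDKUtils.CompressSpaces(entry.Value)?.Trim());
        builder.Append('\n');
    }
    return builder.ToString();
}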
/// <summary>
/// Returns the signed-headers list: the lower-cased names of the supplied
/// headers joined with ";" in the order they are supplied.
/// </summary>
/// <param name="sortedHeaders">The headers included in the signature, already in canonical order</param>
/// <returns>Formatted string of header names; empty when no headers are supplied</returns>
protected static string CanonicalizeHeaderNames(IEnumerable<KeyValuePair<string, string>> sortedHeaders)
{
    var names = new StringBuilder();
    foreach (var header in sortedHeaders)
    {
        var lowerName = header.Key.ToLowerInvariant();
        // A separator is only emitted once something has already been written.
        names.Append(names.Length == 0 ? lowerName : ";" + lowerName);
    }
    return names.ToString();
}
/// <summary>
/// Collects the sub-resources and, when the request sends its parameters on the
/// query string, the sorted query parameters with non-null values into one list
/// ready for canonicalization.
/// </summary>
/// <param name="request">The in-flight request being signed</param>
/// <returns>The fused set of parameters: sub-resources first, then query parameters</returns>
protected static List<KeyValuePair<string, string>> GetParametersToCanonicalize(IRequest request)
{
    var fused = new List<KeyValuePair<string, string>>();

    var subResources = request.SubResources;
    if (subResources != null && subResources.Count > 0)
    {
        foreach (var subResource in subResources)
            fused.Add(new KeyValuePair<string, string>(subResource.Key, subResource.Value));
    }

    // Parameters only travel on the query string (and so only get signed here) when
    // UseQueryString is set; parameters with a null value are left out entirely.
    if (request.UseQueryString && request.Parameters != null && request.Parameters.Count > 0)
    {
        var queryParameters = request.ParameterCollection.GetSortedParametersList()
            .Where(parameter => parameter.Value != null)
            .Select(parameter => new KeyValuePair<string, string>(parameter.Key, parameter.Value));
        fused.AddRange(queryParameters);
    }

    return fused;
}
/// <summary>
/// Canonicalizes a raw query string, URI-encoding the parameters (the supplied
/// data is expected to be unencoded).
/// </summary>
/// <param name="queryString">The set of parameters being passed on the uri</param>
/// <returns>The uri encoded query string parameters in canonical ordering</returns>
protected static string CanonicalizeQueryParameters(string queryString)
    => CanonicalizeQueryParameters(queryString, uriEncodeParameters: true);
/// <summary>
/// Computes and returns the canonicalized query string, if query parameters have been supplied.
/// Parameters with no value will be canonicalized as 'param='. The expectation is that parameters
/// have not already been url encoded prior to canonicalization.
/// </summary>
/// <param name="queryString">
/// The set of parameters being passed on the uri. Anything up to and including the first '?'
/// is ignored; parameters are split on '&amp;' or ';'.
/// </param>
/// <param name="uriEncodeParameters">
/// Parameters must be uri encoded into the canonical request and by default the signer expects
/// that the supplied collection contains non-encoded data. Set this to false if the encoding was
/// done prior to signer entry.
/// </param>
/// <returns>The uri encoded query string parameters in canonical ordering</returns>
/// <remarks>
/// Parameters are gathered into a dictionary keyed case-insensitively, so a repeated parameter
/// name (or two names differing only by case) makes <c>Add</c> throw an <see cref="ArgumentException"/>
/// instead of producing a canonical string with both values.
/// </remarks>
protected static string CanonicalizeQueryParameters(string queryString, bool uriEncodeParameters)
{
if (string.IsNullOrEmpty(queryString))
return string.Empty;
var queryParams = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
// IndexOf returns -1 when there is no '?', so the pre-increment yields 0 and the whole
// string is treated as the query portion; otherwise everything after the '?' is used.
var queryParamsStart = queryString.IndexOf('?');
var qs = queryString.Substring(++queryParamsStart);
var subStringPos = 0;
var index = qs.IndexOfAny(new char[] { '&', ';' }, 0);
// No separator at all: treat the remainder as a single, final token. An empty
// query portion leaves index at -1 and skips the loop entirely.
if (index == -1 && subStringPos < qs.Length)
index = qs.Length;
while (index != -1)
{
var token = qs.Substring(subStringPos, index - subStringPos);
// If the next character is a space then this isn't the end of query string value
// Content Disposition is an example of this. In that case subStringPos is left
// unchanged so the separator becomes part of the current value.
if (!(index + 1 < qs.Length && qs[index + 1] == ' '))
{
var equalPos = token.IndexOf('=');
// A token without '=' is recorded with a null value (later rendered as 'param=').
if (equalPos == -1)
queryParams.Add(token, null);
else
queryParams.Add(token.Substring(0, equalPos), token.Substring(equalPos + 1));
subStringPos = index + 1;
}
if (qs.Length <= index + 1)
break;
index = qs.IndexOfAny(new char[] { '&', ';' }, index + 1);
// Same end-of-string handling as before the loop: the trailing text is the last token.
if (index == -1 && subStringPos < qs.Length)
index = qs.Length;
}
return CanonicalizeQueryParameters(queryParams, uriEncodeParameters: uriEncodeParameters);
}
/// <summary>
/// Canonicalizes a collection of query parameters, URI-encoding them (the
/// supplied data is expected to be unencoded).
/// </summary>
/// <param name="parameters">The set of parameters to be encoded in the query string</param>
/// <returns>The uri encoded query string parameters in canonical ordering</returns>
protected static string CanonicalizeQueryParameters(IEnumerable<KeyValuePair<string, string>> parameters)
    => CanonicalizeQueryParameters(parameters, uriEncodeParameters: true);
/// <summary>
/// Computes and returns the canonicalized query string, if query parameters have been supplied.
/// Parameters with no value will be canonicalized as 'param='. The expectation is that parameters
/// have not already been url encoded prior to canonicalization.
/// </summary>
/// <param name="parameters">The set of parameters to be encoded in the query string</param>
/// <param name="uriEncodeParameters">
/// Parameters must be uri encoded into the canonical request and by default the signer expects
/// that the supplied collection contains non-encoded data. Set this to false if the encoding was
/// done prior to signer entry.
/// </param>
/// <returns>The uri encoded query string parameters in canonical ordering</returns>
protected static string CanonicalizeQueryParameters(
IEnumerable<KeyValuePair<string, string>> parameters,