Fixes #1

Adds support for signing key caching

Author: dekobon

common/etc/nginx/include/s3gateway.js

@@ -203,7 +203,40 @@ function _buildSignatureV4(r, amzDatetime, eightDigitDate, bucket, secret, regio
         r.log('AWS v4 Auth Signing String: [' + stringToSign + ']');
     }
 
-    var kSigningHash = _buildSigningKeyHash(secret, eightDigitDate, service, region);
+    var kSigningHash;
+
+    /* If we have a keyval zone and key defined for caching the signing key hash,
+     * then signing key caching will be enabled. By caching signing keys we can
+     * accelerate the signing process because we will have four less HMAC
+     * operations that have to be performed per incoming request. The signing
+     * key expires every day, so our cache key can persist for 24 hours safely.
+     */
+    if ("variables" in r && r.variables.cache_signing_key_enabled == 1) {
+        // cached value is in the format: [eightDigitDate]:[signingKeyHash]
+        var cached = "signing_key_hash" in r.variables ? r.variables.signing_key_hash : "";
+        var fields = cached.split(":", 2);
+        var cachedEightDigitDate = fields[0];
+        var cacheIsValid = fields.length === 2 && eightDigitDate === cachedEightDigitDate;
+
+        // If true, use cached value
+        if (cacheIsValid) {
+            r.log("AWS v4 Using cached Signing Key Hash");
+            /* We are forced to JSON encode the string returned from the HMAC
+             * operation because it is in a very specific format that include
+             * binary data and in order to preserve that data when persisting
+             * we encode it as JSON. By doing so we can gracefully decode it
+             * when reading from the cache. */
+            kSigningHash = JSON.parse(fields[1]);
+        // Otherwise, generate a new signing key hash and store it in the cache
+        } else {
+            kSigningHash = _buildSigningKeyHash(secret, eightDigitDate, service, region);
+            r.log("Writing key: " + eightDigitDate + ':' + kSigningHash.toString('hex'));
+            r.variables.signing_key_hash = eightDigitDate + ':' + JSON.stringify(kSigningHash);
+        }
+    // Otherwise, don't use caching at all (like when we are using NGINX OSS)
+    } else {
+        kSigningHash = _buildSigningKeyHash(secret, eightDigitDate, service, region);
+    }
 
     if (debug) {
         r.log('AWS v4 Signing Key Hash: [' + kSigningHash.toString('hex') + ']');

common/etc/nginx/templates/default.conf.template

@@ -15,6 +15,8 @@ map $request_uri $uri_path {
 }
 
 server {
+    include /etc/nginx/conf.d/gateway/server_variables.conf;
+
     # Don't display the NGINX version number because we don't want to reveal
     # information that could be used to find an exploit.
     server_tokens off;

oss/etc/nginx/conf.d/gateway/server_variables.conf

@@ -0,0 +1,4 @@
+# Variable indicating to the s3gateway.js script that singing key
+# caching is turned off. This feature uses the keyval store, so it
+# is only enabled when using NGINX Plus.
+set $cache_signing_key_enabled 0;

plus/etc/nginx/conf.d/gateway/server_variables.conf

@@ -0,0 +1,4 @@
+# Variable indicating to the s3gateway.js script that singing key
+# caching is turned on. This feature uses the keyval store, so it
+# is only enabled when using NGINX Plus.
+set $cache_signing_key_enabled 1;

plus/etc/nginx/conf.d/v4_signing_key_cache.conf

@@ -0,0 +1,4 @@
+# This key value zone allows us to cache a portion of the cryptographic
+# signatures used by AWS v4 signatures.
+keyval_zone zone=aws_signing_cache:32k type=string timeout=24h;
+keyval 'aws_signing_key_hash' $signing_key_hash zone=aws_signing_cache;

test/unit/s3gateway_test.js

@@ -81,7 +81,7 @@ function testAmzDatetime() {
     }
 }
 
-function testBuildSigningKeyHash() {
+function testBuildSigningKeyHashWithReferenceInputs() {
     var kSecret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY';
     var date = '20150830';
     var service = 'iam';
@@ -96,6 +96,43 @@ function testBuildSigningKeyHash() {
     }
 }
 
+function testBuildSigningKeyHashWithTestSuiteInputs() {
+    var kSecret = 'pvgoBEA1z7zZKqN9RoKVksKh31AtNou+pspn+iyb';
+    var date = '20200811';
+    var service = 's3';
+    var region = 'us-west-2';
+    var expected = 'a48701bfe803103e89051f55af2297dd76783bbceb5eb416dab71e0eadcbc4f6';
+    var signingKeyHash = s3gateway._buildSigningKeyHash(kSecret, date, service, region).toString('hex');
+
+    if (signingKeyHash !== expected) {
+        throw 'Signing key hash was not created correctly.\n' +
+        'Actual:   [' + signingKeyHash + ']\n' +
+        'Expected: [' + expected + ']';
+    }
+}
+
+function _runSignatureV4(r) {
+    r.log = function(msg) {
+        console.log(msg);
+    }
+    var timestamp = new Date('2020-08-11T19:42:14Z');
+    var eightDigitDate = s3gateway._eightDigitDate(timestamp);
+    var amzDatetime = s3gateway._amzDatetime(timestamp, eightDigitDate);
+    var bucket = 'ez-test-bucket-1'
+    var secret = 'pvgoBEA1z7zZKqN9RoKVksKh31AtNou+pspn+iyb'
+    var region = 'us-west-2';
+    var server = 's3-us-west-2.amazonaws.com';
+
+    var expected = 'cf4dd9e1d28c74e2284f938011efc8230d0c20704f56f67e4a3bfc2212026bec';
+    var signature = s3gateway._buildSignatureV4(r, amzDatetime, eightDigitDate, bucket, secret, region, server);
+
+    if (signature !== expected) {
+        throw 'V4 signature hash was not created correctly.\n' +
+        'Actual:   [' + signature + ']\n' +
+        'Expected: [' + expected + ']';
+    }
+}
+
 function testSignatureV4() {
     // Note: since this is a read-only gateway, host, query parameters and all
     // client headers will be ignored.
@@ -122,33 +159,55 @@ function testSignatureV4() {
         "status" : 0
     };
 
-    r.log = function(msg) {
-        console.log(msg);
-    }
-    var timestamp = new Date('2020-08-11T19:42:14Z');
-    var eightDigitDate = s3gateway._eightDigitDate(timestamp);
-    var amzDatetime = s3gateway._amzDatetime(timestamp, eightDigitDate);
-    var bucket = 'ez-test-bucket-1'
-    var secret = 'pvgoBEA1z7zZKqN9RoKVksKh31AtNou+pspn+iyb'
-    var region = 'us-west-2';
-    var server = 's3-us-west-2.amazonaws.com';
+    _runSignatureV4(r);
+}
 
-    var expected = 'cf4dd9e1d28c74e2284f938011efc8230d0c20704f56f67e4a3bfc2212026bec';
-    var signature = s3gateway._buildSignatureV4(r, amzDatetime, eightDigitDate, bucket, secret, region, server);
+function testSignatureV4Cache() {
+    // Note: since this is a read-only gateway, host, query parameters and all
+    // client headers will be ignored.
+    var r = {
+        "remoteAddress" : "172.17.0.1",
+        "headersIn" : {
+            "Connection" : "keep-alive",
+            "Accept-Encoding" : "gzip, deflate",
+            "Accept-Language" : "en-US,en;q=0.7,ja;q=0.3",
+            "Host" : "localhost:8999",
+            "User-Agent" : "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
+            "DNT" : "1",
+            "Cache-Control" : "max-age=0",
+            "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+            "Upgrade-Insecure-Requests" : "1"
+        },
+        "uri" : "/a/c/ramen.jpg",
+        "method" : "GET",
+        "httpVersion" : "1.1",
+        "headersOut" : {},
+        "args" : {
+            "foo" : "bar"
+        },
+        "variables": {
+            "cache_signing_key_enabled": 1
+        },
+        "status" : 0
+    };
 
-    if (signature !== expected) {
-        throw 'V4 signature hash was not created correctly.\n' +
-        'Actual:   [' + signature + ']\n' +
-        'Expected: [' + expected + ']';
+    _runSignatureV4(r);
+
+    if (!"signing_key_hash" in r.variables) {
+        throw "Hash key not written to r.variables.signing_key_hash";
     }
+
+    _runSignatureV4(r);
 }
 
 function test() {
     testPad();
     testEightDigitDate();
     testAmzDatetime();
-    testBuildSigningKeyHash();
+    testBuildSigningKeyHashWithReferenceInputs();
+    testBuildSigningKeyHashWithTestSuiteInputs();
     testSignatureV4();
+    testSignatureV4Cache();
 }
 
 test();