http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
/***************************************************************************
|
|
|
|
* _ _ ____ _
|
|
|
|
* Project ___| | | | _ \| |
|
|
|
|
* / __| | | | |_) | |
|
|
|
|
* | (__| |_| | _ <| |___
|
|
|
|
* \___|\___/|_| \_\_____|
|
|
|
|
*
|
2023-01-02 20:51:48 +08:00
|
|
|
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
*
|
|
|
|
* This software is licensed as described in the file COPYING, which
|
|
|
|
* you should have received as part of this distribution. The terms
|
|
|
|
* are also available at https://curl.haxx.se/docs/copyright.html.
|
|
|
|
*
|
|
|
|
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
|
|
* copies of the Software, and permit persons to whom the Software is
|
|
|
|
* furnished to do so, under the terms of the COPYING file.
|
|
|
|
*
|
|
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
|
|
* KIND, either express or implied.
|
|
|
|
*
|
|
|
|
* SPDX-License-Identifier: curl
|
2022-05-17 17:16:50 +08:00
|
|
|
*
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
***************************************************************************/
|
|
|
|
|
|
|
|
#include "curl_setup.h"
|
|
|
|
|
|
|
|
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
|
|
|
|
|
|
|
|
#include "urldata.h"
|
|
|
|
#include "strcase.h"
|
2021-01-25 22:02:09 +08:00
|
|
|
#include "strdup.h"
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
#include "http_aws_sigv4.h"
|
|
|
|
#include "curl_sha256.h"
|
|
|
|
#include "transfer.h"
|
|
|
|
#include "parsedate.h"
|
|
|
|
#include "sendf.h"
|
|
|
|
|
|
|
|
#include <time.h>
|
|
|
|
|
|
|
|
/* The last 3 #include files should be in this order */
|
|
|
|
#include "curl_printf.h"
|
|
|
|
#include "curl_memory.h"
|
|
|
|
#include "memdebug.h"
|
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
#include "slist.h"
|
|
|
|
|
2021-01-25 22:02:09 +08:00
|
|
|
#define HMAC_SHA256(k, kl, d, dl, o) \
|
|
|
|
do { \
|
|
|
|
ret = Curl_hmacit(Curl_HMAC_SHA256, \
|
|
|
|
(unsigned char *)k, \
|
2023-02-02 19:56:01 +08:00
|
|
|
kl, \
|
2021-01-25 22:02:09 +08:00
|
|
|
(unsigned char *)d, \
|
2023-02-02 19:56:01 +08:00
|
|
|
dl, o); \
|
2022-01-13 22:53:52 +08:00
|
|
|
if(ret) { \
|
2021-01-25 22:02:09 +08:00
|
|
|
goto fail; \
|
|
|
|
} \
|
2020-12-26 22:43:25 +08:00
|
|
|
} while(0)
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
#define TIMESTAMP_SIZE 17
|
|
|
|
|
2023-02-15 23:47:04 +08:00
|
|
|
/* hex-encoded with trailing null */
|
|
|
|
#define SHA256_HEX_LENGTH (2 * SHA256_DIGEST_LENGTH + 1)
|
|
|
|
|
|
|
|
static void sha256_to_hex(char *dst, unsigned char *sha)
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2023-02-15 23:47:04 +08:00
|
|
|
for(i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
|
|
|
|
msnprintf(dst + (i * 2), SHA256_HEX_LENGTH - (i * 2), "%02x", sha[i]);
|
2022-01-13 22:53:52 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static char *find_date_hdr(struct Curl_easy *data, const char *sig_hdr)
|
|
|
|
{
|
|
|
|
char *tmp = Curl_checkheaders(data, sig_hdr, strlen(sig_hdr));
|
|
|
|
|
|
|
|
if(tmp)
|
|
|
|
return tmp;
|
|
|
|
return Curl_checkheaders(data, STRCONST("Date"));
|
|
|
|
}
|
|
|
|
|
|
|
|
/* remove whitespace, and lowercase all headers */
|
|
|
|
static void trim_headers(struct curl_slist *head)
|
|
|
|
{
|
|
|
|
struct curl_slist *l;
|
|
|
|
for(l = head; l; l = l->next) {
|
|
|
|
char *value; /* to read from */
|
|
|
|
char *store;
|
|
|
|
size_t colon = strcspn(l->data, ":");
|
|
|
|
Curl_strntolower(l->data, l->data, colon);
|
|
|
|
|
|
|
|
value = &l->data[colon];
|
|
|
|
if(!*value)
|
|
|
|
continue;
|
|
|
|
++value;
|
|
|
|
store = value;
|
|
|
|
|
|
|
|
/* skip leading whitespace */
|
|
|
|
while(*value && ISBLANK(*value))
|
|
|
|
value++;
|
|
|
|
|
|
|
|
while(*value) {
|
|
|
|
int space = 0;
|
|
|
|
while(*value && ISBLANK(*value)) {
|
|
|
|
value++;
|
|
|
|
space++;
|
|
|
|
}
|
|
|
|
if(space) {
|
|
|
|
/* replace any number of consecutive whitespace with a single space,
|
|
|
|
unless at the end of the string, then nothing */
|
|
|
|
if(*value)
|
|
|
|
*store++ = ' ';
|
|
|
|
}
|
|
|
|
else
|
|
|
|
*store++ = *value++;
|
|
|
|
}
|
|
|
|
*store = 0; /* null terminate */
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-11-30 22:59:52 +08:00
|
|
|
/* maximum length for the aws sivg4 parts */
|
2022-01-13 22:53:52 +08:00
|
|
|
#define MAX_SIGV4_LEN 64
|
|
|
|
#define MAX_SIGV4_LEN_TXT "64"
|
|
|
|
|
|
|
|
#define DATE_HDR_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Date"))
|
|
|
|
|
2022-10-13 05:03:26 +08:00
|
|
|
#define MAX_HOST_LEN 255
|
2022-01-13 22:53:52 +08:00
|
|
|
/* FQDN + host: */
|
2022-10-13 05:03:26 +08:00
|
|
|
#define FULL_HOST_LEN (MAX_HOST_LEN + sizeof("host:"))
|
2022-01-13 22:53:52 +08:00
|
|
|
|
|
|
|
/* string been x-PROVIDER-date:TIMESTAMP, I need +1 for ':' */
|
|
|
|
#define DATE_FULL_HDR_LEN (DATE_HDR_KEY_LEN + TIMESTAMP_SIZE + 1)
|
|
|
|
|
|
|
|
/* timestamp should point to a buffer of at last TIMESTAMP_SIZE bytes */
|
|
|
|
static CURLcode make_headers(struct Curl_easy *data,
|
|
|
|
const char *hostname,
|
|
|
|
char *timestamp,
|
|
|
|
char *provider1,
|
|
|
|
char **date_header,
|
2023-02-15 23:47:04 +08:00
|
|
|
char *content_sha256_header,
|
2022-01-13 22:53:52 +08:00
|
|
|
struct dynbuf *canonical_headers,
|
|
|
|
struct dynbuf *signed_headers)
|
|
|
|
{
|
|
|
|
char date_hdr_key[DATE_HDR_KEY_LEN];
|
|
|
|
char date_full_hdr[DATE_FULL_HDR_LEN];
|
|
|
|
struct curl_slist *head = NULL;
|
|
|
|
struct curl_slist *tmp_head = NULL;
|
|
|
|
CURLcode ret = CURLE_OUT_OF_MEMORY;
|
|
|
|
struct curl_slist *l;
|
|
|
|
int again = 1;
|
|
|
|
|
|
|
|
/* provider1 mid */
|
|
|
|
Curl_strntolower(provider1, provider1, strlen(provider1));
|
|
|
|
provider1[0] = Curl_raw_toupper(provider1[0]);
|
|
|
|
|
|
|
|
msnprintf(date_hdr_key, DATE_HDR_KEY_LEN, "X-%s-Date", provider1);
|
|
|
|
|
|
|
|
/* provider1 lowercase */
|
|
|
|
Curl_strntolower(provider1, provider1, 1); /* first byte only */
|
|
|
|
msnprintf(date_full_hdr, DATE_FULL_HDR_LEN,
|
|
|
|
"x-%s-date:%s", provider1, timestamp);
|
|
|
|
|
|
|
|
if(Curl_checkheaders(data, STRCONST("Host"))) {
|
|
|
|
head = NULL;
|
|
|
|
}
|
|
|
|
else {
|
2022-10-13 05:03:26 +08:00
|
|
|
char full_host[FULL_HOST_LEN + 1];
|
2022-01-13 22:53:52 +08:00
|
|
|
|
|
|
|
if(data->state.aptr.host) {
|
|
|
|
size_t pos;
|
|
|
|
|
|
|
|
if(strlen(data->state.aptr.host) > FULL_HOST_LEN) {
|
|
|
|
ret = CURLE_URL_MALFORMAT;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
strcpy(full_host, data->state.aptr.host);
|
|
|
|
/* remove /r/n as the separator for canonical request must be '\n' */
|
|
|
|
pos = strcspn(full_host, "\n\r");
|
|
|
|
full_host[pos] = 0;
|
|
|
|
}
|
|
|
|
else {
|
2022-10-13 05:03:26 +08:00
|
|
|
if(strlen(hostname) > MAX_HOST_LEN) {
|
2022-01-13 22:53:52 +08:00
|
|
|
ret = CURLE_URL_MALFORMAT;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
msnprintf(full_host, FULL_HOST_LEN, "host:%s", hostname);
|
|
|
|
}
|
|
|
|
|
|
|
|
head = curl_slist_append(NULL, full_host);
|
|
|
|
if(!head)
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2023-04-27 22:29:45 +08:00
|
|
|
if(*content_sha256_header) {
|
2023-02-15 23:47:04 +08:00
|
|
|
tmp_head = curl_slist_append(head, content_sha256_header);
|
|
|
|
if(!tmp_head)
|
|
|
|
goto fail;
|
|
|
|
head = tmp_head;
|
|
|
|
}
|
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
for(l = data->set.headers; l; l = l->next) {
|
|
|
|
tmp_head = curl_slist_append(head, l->data);
|
|
|
|
if(!tmp_head)
|
|
|
|
goto fail;
|
|
|
|
head = tmp_head;
|
|
|
|
}
|
|
|
|
|
|
|
|
trim_headers(head);
|
|
|
|
|
|
|
|
*date_header = find_date_hdr(data, date_hdr_key);
|
|
|
|
if(!*date_header) {
|
|
|
|
tmp_head = curl_slist_append(head, date_full_hdr);
|
|
|
|
if(!tmp_head)
|
|
|
|
goto fail;
|
|
|
|
head = tmp_head;
|
|
|
|
*date_header = curl_maprintf("%s: %s", date_hdr_key, timestamp);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
char *value;
|
|
|
|
|
|
|
|
*date_header = strdup(*date_header);
|
|
|
|
if(!*date_header)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
value = strchr(*date_header, ':');
|
|
|
|
if(!value)
|
|
|
|
goto fail;
|
|
|
|
++value;
|
|
|
|
while(ISBLANK(*value))
|
|
|
|
++value;
|
|
|
|
strncpy(timestamp, value, TIMESTAMP_SIZE - 1);
|
|
|
|
timestamp[TIMESTAMP_SIZE - 1] = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* alpha-sort in a case sensitive manner */
|
|
|
|
do {
|
|
|
|
again = 0;
|
|
|
|
for(l = head; l; l = l->next) {
|
|
|
|
struct curl_slist *next = l->next;
|
|
|
|
|
|
|
|
if(next && strcmp(l->data, next->data) > 0) {
|
|
|
|
char *tmp = l->data;
|
|
|
|
|
|
|
|
l->data = next->data;
|
|
|
|
next->data = tmp;
|
|
|
|
again = 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} while(again);
|
|
|
|
|
|
|
|
for(l = head; l; l = l->next) {
|
|
|
|
char *tmp;
|
|
|
|
|
|
|
|
if(Curl_dyn_add(canonical_headers, l->data))
|
|
|
|
goto fail;
|
|
|
|
if(Curl_dyn_add(canonical_headers, "\n"))
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
tmp = strchr(l->data, ':');
|
|
|
|
if(tmp)
|
|
|
|
*tmp = 0;
|
|
|
|
|
|
|
|
if(l != head) {
|
|
|
|
if(Curl_dyn_add(signed_headers, ";"))
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
if(Curl_dyn_add(signed_headers, l->data))
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = CURLE_OK;
|
|
|
|
fail:
|
|
|
|
curl_slist_free_all(head);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2022-10-26 06:46:58 +08:00
|
|
|
#define CONTENT_SHA256_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Content-Sha256"))
|
2023-02-15 23:47:04 +08:00
|
|
|
/* add 2 for ": " between header name and value */
|
|
|
|
#define CONTENT_SHA256_HDR_LEN (CONTENT_SHA256_KEY_LEN + 2 + \
|
|
|
|
SHA256_HEX_LENGTH)
|
2022-10-26 06:46:58 +08:00
|
|
|
|
|
|
|
/* try to parse a payload hash from the content-sha256 header */
|
|
|
|
static char *parse_content_sha_hdr(struct Curl_easy *data,
|
|
|
|
const char *provider1,
|
|
|
|
size_t *value_len)
|
|
|
|
{
|
|
|
|
char key[CONTENT_SHA256_KEY_LEN];
|
|
|
|
size_t key_len;
|
|
|
|
char *value;
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
key_len = msnprintf(key, sizeof(key), "x-%s-content-sha256", provider1);
|
|
|
|
|
|
|
|
value = Curl_checkheaders(data, key, key_len);
|
|
|
|
if(!value)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
value = strchr(value, ':');
|
|
|
|
if(!value)
|
|
|
|
return NULL;
|
|
|
|
++value;
|
|
|
|
|
|
|
|
while(*value && ISBLANK(*value))
|
|
|
|
++value;
|
|
|
|
|
|
|
|
len = strlen(value);
|
|
|
|
while(len > 0 && ISBLANK(value[len-1]))
|
|
|
|
--len;
|
|
|
|
|
|
|
|
*value_len = len;
|
|
|
|
return value;
|
|
|
|
}
|
|
|
|
|
2023-02-15 23:47:04 +08:00
|
|
|
static CURLcode calc_payload_hash(struct Curl_easy *data,
|
|
|
|
unsigned char *sha_hash, char *sha_hex)
|
|
|
|
{
|
|
|
|
const char *post_data = data->set.postfields;
|
|
|
|
size_t post_data_len = 0;
|
2023-03-15 07:14:31 +08:00
|
|
|
CURLcode result;
|
2023-02-15 23:47:04 +08:00
|
|
|
|
|
|
|
if(post_data) {
|
|
|
|
if(data->set.postfieldsize < 0)
|
|
|
|
post_data_len = strlen(post_data);
|
|
|
|
else
|
|
|
|
post_data_len = (size_t)data->set.postfieldsize;
|
|
|
|
}
|
2023-03-15 07:14:31 +08:00
|
|
|
result = Curl_sha256it(sha_hash, (const unsigned char *) post_data,
|
|
|
|
post_data_len);
|
|
|
|
if(!result)
|
|
|
|
sha256_to_hex(sha_hex, sha_hash);
|
|
|
|
return result;
|
2023-02-15 23:47:04 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
#define S3_UNSIGNED_PAYLOAD "UNSIGNED-PAYLOAD"
|
|
|
|
|
|
|
|
static CURLcode calc_s3_payload_hash(struct Curl_easy *data,
|
|
|
|
Curl_HttpReq httpreq, char *provider1,
|
|
|
|
unsigned char *sha_hash,
|
|
|
|
char *sha_hex, char *header)
|
|
|
|
{
|
|
|
|
bool empty_method = (httpreq == HTTPREQ_GET || httpreq == HTTPREQ_HEAD);
|
|
|
|
/* The request method or filesize indicate no request payload */
|
|
|
|
bool empty_payload = (empty_method || data->set.filesize == 0);
|
|
|
|
/* The POST payload is in memory */
|
|
|
|
bool post_payload = (httpreq == HTTPREQ_POST && data->set.postfields);
|
|
|
|
CURLcode ret = CURLE_OUT_OF_MEMORY;
|
|
|
|
|
|
|
|
if(empty_payload || post_payload) {
|
|
|
|
/* Calculate a real hash when we know the request payload */
|
|
|
|
ret = calc_payload_hash(data, sha_hash, sha_hex);
|
|
|
|
if(ret)
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
/* Fall back to s3's UNSIGNED-PAYLOAD */
|
|
|
|
size_t len = sizeof(S3_UNSIGNED_PAYLOAD) - 1;
|
|
|
|
DEBUGASSERT(len < SHA256_HEX_LENGTH); /* 16 < 65 */
|
|
|
|
memcpy(sha_hex, S3_UNSIGNED_PAYLOAD, len);
|
|
|
|
sha_hex[len] = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* format the required content-sha256 header */
|
|
|
|
msnprintf(header, CONTENT_SHA256_HDR_LEN,
|
|
|
|
"x-%s-content-sha256: %s", provider1, sha_hex);
|
|
|
|
|
|
|
|
ret = CURLE_OK;
|
|
|
|
fail:
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2021-01-21 07:38:52 +08:00
|
|
|
CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy)
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
{
|
2021-01-25 22:02:09 +08:00
|
|
|
CURLcode ret = CURLE_OUT_OF_MEMORY;
|
|
|
|
struct connectdata *conn = data->conn;
|
|
|
|
size_t len;
|
2022-01-13 22:53:52 +08:00
|
|
|
const char *arg;
|
|
|
|
char provider0[MAX_SIGV4_LEN + 1]="";
|
|
|
|
char provider1[MAX_SIGV4_LEN + 1]="";
|
|
|
|
char region[MAX_SIGV4_LEN + 1]="";
|
|
|
|
char service[MAX_SIGV4_LEN + 1]="";
|
2023-02-15 23:47:04 +08:00
|
|
|
bool sign_as_s3 = false;
|
2021-01-25 22:02:09 +08:00
|
|
|
const char *hostname = conn->host.name;
|
|
|
|
time_t clock;
|
|
|
|
struct tm tm;
|
2022-01-13 22:53:52 +08:00
|
|
|
char timestamp[TIMESTAMP_SIZE];
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
char date[9];
|
2022-01-13 22:53:52 +08:00
|
|
|
struct dynbuf canonical_headers;
|
|
|
|
struct dynbuf signed_headers;
|
|
|
|
char *date_header = NULL;
|
2023-02-15 23:47:04 +08:00
|
|
|
Curl_HttpReq httpreq;
|
|
|
|
const char *method = NULL;
|
2022-10-26 06:46:58 +08:00
|
|
|
char *payload_hash = NULL;
|
|
|
|
size_t payload_hash_len = 0;
|
2023-02-15 23:47:04 +08:00
|
|
|
unsigned char sha_hash[SHA256_DIGEST_LENGTH];
|
|
|
|
char sha_hex[SHA256_HEX_LENGTH];
|
|
|
|
char content_sha256_hdr[CONTENT_SHA256_HDR_LEN + 2] = ""; /* add \r\n */
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
char *canonical_request = NULL;
|
2021-01-25 22:02:09 +08:00
|
|
|
char *request_type = NULL;
|
|
|
|
char *credential_scope = NULL;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
char *str_to_sign = NULL;
|
2021-02-12 17:27:42 +08:00
|
|
|
const char *user = data->state.aptr.user ? data->state.aptr.user : "";
|
2021-01-25 22:02:09 +08:00
|
|
|
char *secret = NULL;
|
2023-02-15 23:47:04 +08:00
|
|
|
unsigned char sign0[SHA256_DIGEST_LENGTH] = {0};
|
|
|
|
unsigned char sign1[SHA256_DIGEST_LENGTH] = {0};
|
2021-01-25 22:02:09 +08:00
|
|
|
char *auth_headers = NULL;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
|
|
|
|
DEBUGASSERT(!proxy);
|
|
|
|
(void)proxy;
|
|
|
|
|
2022-02-09 07:57:00 +08:00
|
|
|
if(Curl_checkheaders(data, STRCONST("Authorization"))) {
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
/* Authorization already present, Bailing out */
|
|
|
|
return CURLE_OK;
|
|
|
|
}
|
|
|
|
|
2022-11-30 22:59:52 +08:00
|
|
|
/* we init those buffers here, so goto fail will free initialized dynbuf */
|
2022-01-13 22:53:52 +08:00
|
|
|
Curl_dyn_init(&canonical_headers, CURL_MAX_HTTP_HEADER);
|
|
|
|
Curl_dyn_init(&signed_headers, CURL_MAX_HTTP_HEADER);
|
|
|
|
|
2021-01-25 22:02:09 +08:00
|
|
|
/*
|
|
|
|
* Parameters parsing
|
|
|
|
* Google and Outscale use the same OSC or GOOG,
|
|
|
|
* but Amazon uses AWS and AMZ for header arguments.
|
|
|
|
* AWS is the default because most of non-amazon providers
|
|
|
|
* are still using aws:amz as a prefix.
|
|
|
|
*/
|
2022-01-13 22:53:52 +08:00
|
|
|
arg = data->set.str[STRING_AWS_SIGV4] ?
|
2021-01-25 22:02:09 +08:00
|
|
|
data->set.str[STRING_AWS_SIGV4] : "aws:amz";
|
2022-01-13 22:53:52 +08:00
|
|
|
|
|
|
|
/* provider1[:provider2[:region[:service]]]
|
|
|
|
|
|
|
|
No string can be longer than N bytes of non-whitespace
|
|
|
|
*/
|
|
|
|
(void)sscanf(arg, "%" MAX_SIGV4_LEN_TXT "[^:]"
|
|
|
|
":%" MAX_SIGV4_LEN_TXT "[^:]"
|
|
|
|
":%" MAX_SIGV4_LEN_TXT "[^:]"
|
|
|
|
":%" MAX_SIGV4_LEN_TXT "s",
|
|
|
|
provider0, provider1, region, service);
|
|
|
|
if(!provider0[0]) {
|
|
|
|
failf(data, "first provider can't be empty");
|
2021-01-25 22:02:09 +08:00
|
|
|
ret = CURLE_BAD_FUNCTION_ARGUMENT;
|
|
|
|
goto fail;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
}
|
2022-01-13 22:53:52 +08:00
|
|
|
else if(!provider1[0])
|
|
|
|
strcpy(provider1, provider0);
|
2021-01-25 22:02:09 +08:00
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
if(!service[0]) {
|
|
|
|
char *hostdot = strchr(hostname, '.');
|
|
|
|
if(!hostdot) {
|
|
|
|
failf(data, "service missing in parameters and hostname");
|
2021-01-25 22:02:09 +08:00
|
|
|
ret = CURLE_URL_MALFORMAT;
|
|
|
|
goto fail;
|
|
|
|
}
|
2022-01-13 22:53:52 +08:00
|
|
|
len = hostdot - hostname;
|
|
|
|
if(len > MAX_SIGV4_LEN) {
|
|
|
|
failf(data, "service too long in hostname");
|
|
|
|
ret = CURLE_URL_MALFORMAT;
|
2021-01-25 22:02:09 +08:00
|
|
|
goto fail;
|
|
|
|
}
|
2022-01-13 22:53:52 +08:00
|
|
|
strncpy(service, hostname, len);
|
2021-01-25 22:02:09 +08:00
|
|
|
service[len] = '\0';
|
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
if(!region[0]) {
|
|
|
|
const char *reg = hostdot + 1;
|
|
|
|
const char *hostreg = strchr(reg, '.');
|
|
|
|
if(!hostreg) {
|
|
|
|
failf(data, "region missing in parameters and hostname");
|
2021-01-25 22:02:09 +08:00
|
|
|
ret = CURLE_URL_MALFORMAT;
|
|
|
|
goto fail;
|
|
|
|
}
|
2022-01-13 22:53:52 +08:00
|
|
|
len = hostreg - reg;
|
|
|
|
if(len > MAX_SIGV4_LEN) {
|
|
|
|
failf(data, "region too long in hostname");
|
|
|
|
ret = CURLE_URL_MALFORMAT;
|
2021-01-25 22:02:09 +08:00
|
|
|
goto fail;
|
|
|
|
}
|
2022-01-13 22:53:52 +08:00
|
|
|
strncpy(region, reg, len);
|
2021-01-25 22:02:09 +08:00
|
|
|
region[len] = '\0';
|
|
|
|
}
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
}
|
|
|
|
|
2023-02-15 23:47:04 +08:00
|
|
|
Curl_http_method(data, conn, &method, &httpreq);
|
|
|
|
|
|
|
|
/* AWS S3 requires a x-amz-content-sha256 header, and supports special
|
|
|
|
* values like UNSIGNED-PAYLOAD */
|
|
|
|
sign_as_s3 = (strcasecompare(provider0, "aws") &&
|
|
|
|
strcasecompare(service, "s3"));
|
|
|
|
|
|
|
|
payload_hash = parse_content_sha_hdr(data, provider1, &payload_hash_len);
|
|
|
|
|
|
|
|
if(!payload_hash) {
|
|
|
|
if(sign_as_s3)
|
|
|
|
ret = calc_s3_payload_hash(data, httpreq, provider1, sha_hash,
|
|
|
|
sha_hex, content_sha256_hdr);
|
|
|
|
else
|
|
|
|
ret = calc_payload_hash(data, sha_hash, sha_hex);
|
|
|
|
if(ret)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
payload_hash = sha_hex;
|
|
|
|
/* may be shorter than SHA256_HEX_LENGTH, like S3_UNSIGNED_PAYLOAD */
|
|
|
|
payload_hash_len = strlen(sha_hex);
|
|
|
|
}
|
|
|
|
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
#ifdef DEBUGBUILD
|
2022-01-13 22:53:52 +08:00
|
|
|
{
|
|
|
|
char *force_timestamp = getenv("CURL_FORCETIME");
|
|
|
|
if(force_timestamp)
|
|
|
|
clock = 0;
|
|
|
|
else
|
|
|
|
time(&clock);
|
|
|
|
}
|
2021-01-25 22:02:09 +08:00
|
|
|
#else
|
|
|
|
time(&clock);
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
#endif
|
2021-01-25 22:02:09 +08:00
|
|
|
ret = Curl_gmtime(clock, &tm);
|
2022-01-13 22:53:52 +08:00
|
|
|
if(ret) {
|
2021-01-25 22:02:09 +08:00
|
|
|
goto fail;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
}
|
2021-01-25 22:02:09 +08:00
|
|
|
if(!strftime(timestamp, sizeof(timestamp), "%Y%m%dT%H%M%SZ", &tm)) {
|
2022-01-13 22:53:52 +08:00
|
|
|
ret = CURLE_OUT_OF_MEMORY;
|
2021-01-25 22:02:09 +08:00
|
|
|
goto fail;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
}
|
2022-01-13 22:53:52 +08:00
|
|
|
|
|
|
|
ret = make_headers(data, hostname, timestamp, provider1,
|
2023-02-15 23:47:04 +08:00
|
|
|
&date_header, content_sha256_hdr,
|
|
|
|
&canonical_headers, &signed_headers);
|
2022-01-13 22:53:52 +08:00
|
|
|
if(ret)
|
|
|
|
goto fail;
|
|
|
|
ret = CURLE_OUT_OF_MEMORY;
|
|
|
|
|
2023-02-15 23:47:04 +08:00
|
|
|
if(*content_sha256_hdr) {
|
|
|
|
/* make_headers() needed this without the \r\n for canonicalization */
|
|
|
|
size_t hdrlen = strlen(content_sha256_hdr);
|
|
|
|
DEBUGASSERT(hdrlen + 3 < sizeof(content_sha256_hdr));
|
|
|
|
memcpy(content_sha256_hdr + hdrlen, "\r\n", 3);
|
|
|
|
}
|
|
|
|
|
2021-01-25 22:02:09 +08:00
|
|
|
memcpy(date, timestamp, sizeof(date));
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
date[sizeof(date) - 1] = 0;
|
|
|
|
|
2023-02-15 23:47:04 +08:00
|
|
|
canonical_request =
|
|
|
|
curl_maprintf("%s\n" /* HTTPRequestMethod */
|
|
|
|
"%s\n" /* CanonicalURI */
|
|
|
|
"%s\n" /* CanonicalQueryString */
|
|
|
|
"%s\n" /* CanonicalHeaders */
|
|
|
|
"%s\n" /* SignedHeaders */
|
|
|
|
"%.*s", /* HashedRequestPayload in hex */
|
|
|
|
method,
|
|
|
|
data->state.up.path,
|
|
|
|
data->state.up.query ? data->state.up.query : "",
|
|
|
|
Curl_dyn_ptr(&canonical_headers),
|
|
|
|
Curl_dyn_ptr(&signed_headers),
|
|
|
|
(int)payload_hash_len, payload_hash);
|
|
|
|
if(!canonical_request)
|
|
|
|
goto fail;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
/* provider 0 lowercase */
|
|
|
|
Curl_strntolower(provider0, provider0, strlen(provider0));
|
|
|
|
request_type = curl_maprintf("%s4_request", provider0);
|
|
|
|
if(!request_type)
|
2021-01-25 22:02:09 +08:00
|
|
|
goto fail;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
|
2021-01-25 22:02:09 +08:00
|
|
|
credential_scope = curl_maprintf("%s/%s/%s/%s",
|
|
|
|
date, region, service, request_type);
|
2022-01-13 22:53:52 +08:00
|
|
|
if(!credential_scope)
|
2021-01-25 22:02:09 +08:00
|
|
|
goto fail;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
|
2021-12-10 21:33:39 +08:00
|
|
|
if(Curl_sha256it(sha_hash, (unsigned char *) canonical_request,
|
2022-01-13 22:53:52 +08:00
|
|
|
strlen(canonical_request)))
|
2021-12-10 21:33:39 +08:00
|
|
|
goto fail;
|
|
|
|
|
2023-02-15 23:47:04 +08:00
|
|
|
sha256_to_hex(sha_hex, sha_hash);
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
/* provider 0 uppercase */
|
|
|
|
Curl_strntoupper(provider0, provider0, strlen(provider0));
|
|
|
|
|
2021-01-25 22:02:09 +08:00
|
|
|
/*
|
2022-01-13 22:53:52 +08:00
|
|
|
* Google allows using RSA key instead of HMAC, so this code might change
|
2022-11-30 22:59:52 +08:00
|
|
|
* in the future. For now we only support HMAC.
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
*/
|
2021-01-25 22:02:09 +08:00
|
|
|
str_to_sign = curl_maprintf("%s4-HMAC-SHA256\n" /* Algorithm */
|
|
|
|
"%s\n" /* RequestDateTime */
|
|
|
|
"%s\n" /* CredentialScope */
|
|
|
|
"%s", /* HashedCanonicalRequest in hex */
|
2022-01-13 22:53:52 +08:00
|
|
|
provider0,
|
2021-01-25 22:02:09 +08:00
|
|
|
timestamp,
|
|
|
|
credential_scope,
|
|
|
|
sha_hex);
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
if(!str_to_sign) {
|
2021-01-25 22:02:09 +08:00
|
|
|
goto fail;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
}
|
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
/* provider 0 uppercase */
|
|
|
|
secret = curl_maprintf("%s4%s", provider0,
|
|
|
|
data->state.aptr.passwd ?
|
|
|
|
data->state.aptr.passwd : "");
|
|
|
|
if(!secret)
|
2021-01-25 22:02:09 +08:00
|
|
|
goto fail;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
HMAC_SHA256(secret, strlen(secret), date, strlen(date), sign0);
|
|
|
|
HMAC_SHA256(sign0, sizeof(sign0), region, strlen(region), sign1);
|
|
|
|
HMAC_SHA256(sign1, sizeof(sign1), service, strlen(service), sign0);
|
|
|
|
HMAC_SHA256(sign0, sizeof(sign0), request_type, strlen(request_type), sign1);
|
|
|
|
HMAC_SHA256(sign1, sizeof(sign1), str_to_sign, strlen(str_to_sign), sign0);
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
|
2023-02-15 23:47:04 +08:00
|
|
|
sha256_to_hex(sha_hex, sign0);
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
|
2022-01-13 22:53:52 +08:00
|
|
|
/* provider 0 uppercase */
|
2021-01-25 22:02:09 +08:00
|
|
|
auth_headers = curl_maprintf("Authorization: %s4-HMAC-SHA256 "
|
|
|
|
"Credential=%s/%s, "
|
|
|
|
"SignedHeaders=%s, "
|
|
|
|
"Signature=%s\r\n"
|
2023-02-15 23:47:04 +08:00
|
|
|
"%s\r\n"
|
|
|
|
"%s", /* optional sha256 header includes \r\n */
|
2022-01-13 22:53:52 +08:00
|
|
|
provider0,
|
2021-01-25 22:02:09 +08:00
|
|
|
user,
|
|
|
|
credential_scope,
|
2022-01-13 22:53:52 +08:00
|
|
|
Curl_dyn_ptr(&signed_headers),
|
2021-01-25 22:02:09 +08:00
|
|
|
sha_hex,
|
2023-02-15 23:47:04 +08:00
|
|
|
date_header,
|
|
|
|
content_sha256_hdr);
|
2021-01-25 22:02:09 +08:00
|
|
|
if(!auth_headers) {
|
|
|
|
goto fail;
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
}
|
|
|
|
|
2021-01-25 22:02:09 +08:00
|
|
|
Curl_safefree(data->state.aptr.userpwd);
|
|
|
|
data->state.aptr.userpwd = auth_headers;
|
|
|
|
data->state.authhost.done = TRUE;
|
|
|
|
ret = CURLE_OK;
|
|
|
|
|
|
|
|
fail:
|
2022-01-13 22:53:52 +08:00
|
|
|
Curl_dyn_free(&canonical_headers);
|
|
|
|
Curl_dyn_free(&signed_headers);
|
2021-01-25 22:02:09 +08:00
|
|
|
free(canonical_request);
|
|
|
|
free(request_type);
|
|
|
|
free(credential_scope);
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
free(str_to_sign);
|
2021-01-25 22:02:09 +08:00
|
|
|
free(secret);
|
2022-01-13 22:53:52 +08:00
|
|
|
free(date_header);
|
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.
It doesn't seems to be standard, but it is used by some cloud providers.
Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
most of the code is in lib/http_v4_signature.c
Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
2020-07-09 19:58:37 +08:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) */
|