SigV4a request working!

Author: lauzadis

runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/Canonicalizer.kt

@@ -124,12 +124,13 @@ internal class DefaultCanonicalizer(private val sha256Supplier: HashSupplier = :
         }
 
         param("Host", builder.url.hostAndPort, !signViaQueryParams, overwrite = false)
-        param("X-Amz-Algorithm", ALGORITHM_NAME, signViaQueryParams)
+        param("X-Amz-Algorithm", config.algorithm.authorizationName , signViaQueryParams)
         param("X-Amz-Credential", credentialValue(config), signViaQueryParams)
         param("X-Amz-Content-Sha256", hash, addHashHeader)
         param("X-Amz-Date", config.signingDate.format(TimestampFormat.ISO_8601_CONDENSED))
         param("X-Amz-Expires", config.expiresAfter?.inWholeSeconds?.toString(), signViaQueryParams)
         param("X-Amz-Security-Token", sessionToken, !config.omitSessionToken) // Add pre-sig if omitSessionToken=false
+        param("X-Amz-Region-Set", config.region, config.algorithm == AwsSigningAlgorithm.SIGV4_ASYMMETRIC) // FIXME Route through sigV4aSigningRegionSet to this config?
 
         val headers = builder
             .headers

runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/DefaultAwsSigner.kt

@@ -120,16 +120,17 @@ internal class DefaultAwsSignerImpl(
     }
 }
 
-/** The name of the SigV4 algorithm. */
-internal const val ALGORITHM_NAME = "AWS4-HMAC-SHA256"
 
 /**
- * Formats a credential scope consisting of a signing date, region, service, and a signature type
+ * Formats a credential scope consisting of a signing date, region (SigV4 only), service, and a signature type
  */
 internal val AwsSigningConfig.credentialScope: String
-    get() {
+    get() = run {
         val signingDate = signingDate.format(TimestampFormat.ISO_8601_CONDENSED_DATE)
-        return "$signingDate/$region/$service/aws4_request"
+        return when (algorithm) {
+            AwsSigningAlgorithm.SIGV4 -> "$signingDate/$region/$service/aws4_request"
+            AwsSigningAlgorithm.SIGV4_ASYMMETRIC -> "$signingDate/$service/aws4_request"
+        }
     }
 
 /**

runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/RequestMutator.kt

@@ -43,7 +43,7 @@ internal class DefaultRequestMutator : RequestMutator {
                 val credential = "Credential=${credentialValue(config)}"
                 val signedHeaders = "SignedHeaders=${canonical.signedHeaders}"
                 val signature = "Signature=$signatureHex"
-                canonical.request.headers["Authorization"] = "$ALGORITHM_NAME $credential, $signedHeaders, $signature"
+                canonical.request.headers["Authorization"] = "${config.algorithm.authorizationName} $credential, $signedHeaders, $signature"
             }
 
             AwsSignatureType.HTTP_REQUEST_VIA_QUERY_PARAMS ->
@@ -55,3 +55,9 @@ internal class DefaultRequestMutator : RequestMutator {
         return canonical.request.build()
     }
 }
+
+internal val AwsSigningAlgorithm.authorizationName: String
+    get() = when (this) {
+        AwsSigningAlgorithm.SIGV4 -> "AWS4-HMAC-SHA256"
+        AwsSigningAlgorithm.SIGV4_ASYMMETRIC -> "AWS4-ECDSA-P256-SHA256"
+    }

runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/SignatureCalculator.kt

@@ -137,33 +137,49 @@ internal class SigV4aSignatureCalculator(
 
     override fun signingKey(config: AwsSigningConfig): ByteArray {
         // 1.1: Compute fixed input string
-        val label = "AWS4-ECDSA-P256-SHA256".encodeToByteArray()
-        var counter: Byte = 0x01
+        var counter: UByte = 1u
         var privateKey: ByteArray
 
+        // N value from NIST P-256 curve
+        // FIXME optimization: n is never used by itself, only n-2. Subtract two from the const.
+        val nBytes = "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551".decodeHexBytes()
+        val n = BigInteger(nBytes)
+
+        // FIXME Public docs say secret access key needs to be Base64 encoded, that's not right.
+        val inputKey = ("AWS4A" + config.credentials.secretAccessKey).encodeToByteArray()
+
         do {
-            val context = config.credentials.accessKeyId.encodeToByteArray() + byteArrayOf(counter)
-            val length = byteArrayOf(0x01, 0x00) // "256"
-            val fixedInputString: ByteArray = label + byteArrayOf(0x00) + context + length
+            // See https://github.com/awslabs/aws-c-auth/blob/e8360a65e0f3337d4ac827945e00c3b55a641a5f/source/key_derivation.c#L70 for
+            // more details of derivation process
+
+            // FIXME CRT implementation (4 bytes) and internal docs (1 byte) conflict.
+            val headerBytes = byteArrayOf(0x00, 0x00, 0x00, 0x01)
+
+            // 256 big endian
+            // FIXME CRT implementation (4 bytes) and internal docs (2 bytes) conflict.
+            val lengthBytes = byteArrayOf(0x00, 0x00, 0x01, 0x00)
+
+            val fixedInputString: ByteArray = headerBytes +
+                "AWS4-ECDSA-P256-SHA256".encodeToByteArray() +
+                byteArrayOf(0x00) +
+                config.credentials.accessKeyId.encodeToByteArray() +
+                counter.toByte() +
+                lengthBytes
 
             // 1.2: Compute K0
-            val inputKey = ("AWS4A" + config.credentials.secretAccessKey).encodeToByteArray()
-            val k0 = hmac(inputKey, byteArrayOf(0x01) + fixedInputString, sha256Provider)
+            val k0 = hmac(inputKey, fixedInputString, sha256Provider)
 
             // 2: Compute the ECC key pair
             val c = BigInteger(k0)
 
-            val nBytes = "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551".decodeHexBytes()
-            val n = BigInteger(nBytes)
-
-            privateKey = (n + BigInteger("1")).toByteArray()
+            privateKey = (c + BigInteger("1")).toByteArray()
 
-            if (counter == Byte.MAX_VALUE && c <= n - BigInteger("2")) {
+            if (counter.toByte() == 254.toByte() && c > n - BigInteger("2")) {
                 throw IllegalStateException("Counter exceeded maximum length")
+            } else {
+                counter++
             }
-
-            counter = (counter + 0x01).toByte()
-        } while (c <= n - BigInteger("2"))
+        } while (c > n - BigInteger("2"))
 
         return privateKey
     }

runtime/runtime-core/jvm/src/aws/smithy/kotlin/runtime/hashing/EcdsaJVM.kt

@@ -13,15 +13,13 @@ import java.security.interfaces.*
  * ECDSA on the SECP256R1 curve.
  */
 public actual fun ecdsasecp256r1(key: ByteArray, message: ByteArray): ByteArray {
-    // Convert byte array to BigInteger for private key
+    // Convert private key to BigInteger
     val d = BigInteger(key)
 
-    // Get EC parameters for SECP256R1
-    val spec = ECGenParameterSpec("secp256r1")
-
     // Create key pair generator to get curve parameters
-    val keyGen = KeyPairGenerator.getInstance("EC")
-    keyGen.initialize(spec)
+    val keyGen = KeyPairGenerator.getInstance("EC").apply {
+        initialize(ECGenParameterSpec("secp256r1"))
+    }
     val params = (keyGen.generateKeyPair().private as ECPrivateKey).params
 
     // Create private key directly from the provided key bytes
@@ -36,60 +34,4 @@ public actual fun ecdsasecp256r1(key: ByteArray, message: ByteArray): ByteArray
     }.sign()
 }
 
-//public actual fun ecdsasecp256r1(key: ByteArray, message: ByteArray): ByteArray {
-//    val d = BigInteger(key)
-//
-//    // Get EC curve parameters for SECP256R1
-//    val spec = ECGenParameterSpec("secp256r1")
-//    val keyFactory = KeyFactory.getInstance("EC")
-//
-//    // Generate ECPrivateKeySpec
-//    val keyPairGenerator = KeyPairGenerator.getInstance("EC")
-//    keyPairGenerator.initialize(spec)
-//    val keyPair = keyPairGenerator.generateKeyPair()
-//    val ecParams = (keyPair.private as ECPrivateKey).params
-//
-//    // Compute the public key point P = d * G
-//    val G = ecParams.generator
-//    val publicPoint = ecParams.curve.multiply(G, d)
-//
-//    // Create EC public key
-//    val pubKeySpec = ECPublicKeySpec(publicPoint, ecParams)
-//    val publicKey = keyFactory.generatePublic(pubKeySpec) as ECPublicKey
-//
-//    // Create EC private key
-//    val privateKeySpec = ECPrivateKeySpec(d, ecParams)
-//    val privateKey = keyFactory.generatePrivate(privateKeySpec) as ECPrivateKey
-//
-//    // Sign the message
-//    return Signature.getInstance("SHA256withECDSA").apply {
-//        initSign(privateKey)
-//        update(message)
-//    }.sign()
-//}
-
-///**
-// * ECDSA on the SECP256R1 curve.
-// */
-//public actual fun ecdsasecp256r1(key: ByteArray, message: ByteArray): ByteArray {
-//    val d = BigInteger(key)
-//
-//    // Get SECP256R1 parameters from Java's built-in provider
-//    val params = AlgorithmParameters.getInstance("EC").apply {
-//        init(ECGenParameterSpec("secp256r1"))
-//    }
-//    val ecSpec = params.getParameterSpec(ECParameterSpec::class.java)
-//
-//    // Create private key spec and generate key
-//    val keySpec = ECPrivateKeySpec(d.toJvm(), ecSpec)
-//    val kf = KeyFactory.getInstance("EC")
-//    val privateKey = kf.generatePrivate(keySpec)
-//
-//    // Sign the message
-//    return Signature.getInstance("SHA256withECDSA").apply {
-//        initSign(privateKey)
-//        update(message)
-//    }.sign()
-//}
-
 private fun BigInteger.toJvm(): java.math.BigInteger = java.math.BigInteger(1, toByteArray())