Commit latest changes

Author: lauzadis

runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/DefaultAwsSigner.kt

@@ -29,30 +29,29 @@ public class DefaultAwsSignerBuilder {
     )
 }
 
+private val AwsSigningAlgorithm.signatureCalculator
+    get() = when (this) {
+        AwsSigningAlgorithm.SIGV4 -> SignatureCalculator.SigV4
+        AwsSigningAlgorithm.SIGV4_ASYMMETRIC -> SignatureCalculator.SigV4a
+    }
+
 @OptIn(ExperimentalApi::class)
 internal class DefaultAwsSignerImpl(
     private val canonicalizer: Canonicalizer = Canonicalizer.Default,
-    private val signatureCalculator: SignatureCalculator = SignatureCalculator.SigV4,
     private val requestMutator: RequestMutator = RequestMutator.Default,
     private val telemetryProvider: TelemetryProvider? = null,
 ) : AwsSigner {
     override suspend fun sign(request: HttpRequest, config: AwsSigningConfig): AwsSigningResult<HttpRequest> {
         val logger = telemetryProvider?.loggerProvider?.getOrCreateLogger("DefaultAwsSigner")
             ?: coroutineContext.logger<DefaultAwsSignerImpl>()
 
-        // TODO: implement SigV4a
-        if (config.algorithm != AwsSigningAlgorithm.SIGV4) {
-            throw UnsupportedSigningAlgorithmException(
-                "${config.algorithm} support is not yet implemented for the default signer.",
-                config.algorithm,
-            )
-        }
-
         val canonical = canonicalizer.canonicalRequest(request, config)
         if (config.logRequest) {
             logger.trace { "Canonical request:\n${canonical.requestString}" }
         }
 
+        val signatureCalculator = config.algorithm.signatureCalculator
+
         val stringToSign = signatureCalculator.stringToSign(canonical.requestString, config)
         logger.trace { "String to sign:\n$stringToSign" }
 
@@ -74,6 +73,8 @@ internal class DefaultAwsSignerImpl(
         val logger = telemetryProvider?.loggerProvider?.getOrCreateLogger("DefaultAwsSigner")
             ?: coroutineContext.logger<DefaultAwsSignerImpl>()
 
+        val signatureCalculator = config.algorithm.signatureCalculator
+
         val stringToSign = signatureCalculator.chunkStringToSign(chunkBody, prevSignature, config)
         logger.trace { "Chunk string to sign:\n$stringToSign" }
 
@@ -93,6 +94,8 @@ internal class DefaultAwsSignerImpl(
         val logger = telemetryProvider?.loggerProvider?.getOrCreateLogger("DefaultAwsSigner")
             ?: coroutineContext.logger<DefaultAwsSignerImpl>()
 
+        val signatureCalculator = config.algorithm.signatureCalculator
+
         // FIXME - can we share canonicalization code more than we are..., also this reduce is inefficient.
         // canonicalize the headers
         val trailingHeadersBytes = trailingHeaders.entries().sortedBy { e -> e.key.lowercase() }

runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/SignatureCalculator.kt

@@ -4,7 +4,9 @@
  */
 package aws.smithy.kotlin.runtime.auth.awssigning
 
+import aws.smithy.kotlin.runtime.content.BigInteger
 import aws.smithy.kotlin.runtime.hashing.*
+import aws.smithy.kotlin.runtime.text.encoding.decodeHexBytes
 import aws.smithy.kotlin.runtime.text.encoding.encodeToHex
 import aws.smithy.kotlin.runtime.time.Instant
 import aws.smithy.kotlin.runtime.time.TimestampFormat
@@ -16,9 +18,14 @@ import aws.smithy.kotlin.runtime.time.epochMilliseconds
 internal interface SignatureCalculator {
     companion object {
         /**
-         * The default implementation of [SignatureCalculator].
+         * The SigV4 implementation of [SignatureCalculator].
          */
-        val Default = DefaultSignatureCalculator()
+        val SigV4 = SigV4SignatureCalculator()
+
+        /**
+         * The SigV4a implementation of [SignatureCalculator].
+         */
+        val SigV4a = SigV4aSignatureCalculator()
     }
 
     /**
@@ -63,7 +70,7 @@ internal interface SignatureCalculator {
     fun chunkTrailerStringToSign(trailingHeaders: ByteArray, prevSignature: ByteArray, config: AwsSigningConfig): String
 }
 
-internal class DefaultSignatureCalculator(private val sha256Provider: HashSupplier = ::Sha256) : SignatureCalculator {
+internal class SigV4SignatureCalculator(private val sha256Provider: HashSupplier = ::Sha256) : SignatureCalculator {
     override fun calculate(signingKey: ByteArray, stringToSign: String): String =
         hmac(signingKey, stringToSign.encodeToByteArray(), sha256Provider).encodeToHex()
 
@@ -111,13 +118,12 @@ internal class DefaultSignatureCalculator(private val sha256Provider: HashSuppli
         }
 }
 
-// FIXME Copied a lot of functions from SigV4SignatureCalculator, refactor to share
+// FIXME Copied a few functions from SigV4SignatureCalculator, refactor to share
 internal class SigV4aSignatureCalculator(
     val sha256Provider: HashSupplier = ::Sha256
 ): SignatureCalculator {
-    override fun calculate(signingKey: ByteArray, stringToSign: String): String {
-        ecdsasecp256r1(signingKey, stringToSign.encodeToByteArray(), sha256Provider).encodeToHex()
-    }
+    override fun calculate(signingKey: ByteArray, stringToSign: String): String =
+        ecdsasecp256r1(signingKey, stringToSign.encodeToByteArray()).encodeToHex()
 
     override fun stringToSign(
         canonicalRequest: String,
@@ -129,9 +135,37 @@ internal class SigV4aSignatureCalculator(
         append(canonicalRequest.encodeToByteArray().hash(sha256Provider).encodeToHex())
     }
 
-    // FIXME SigV4a doesn't need a signingKey
     override fun signingKey(config: AwsSigningConfig): ByteArray {
-        return byteArrayOf()
+        // 1.1: Compute fixed input string
+        val label = "AWS4-ECDSA-P256-SHA256".encodeToByteArray()
+        var counter: Byte = 0x01
+        var privateKey: ByteArray
+
+        do {
+            val context = config.credentials.accessKeyId.encodeToByteArray() + byteArrayOf(counter)
+            val length = byteArrayOf(0x01, 0x00) // "256"
+            val fixedInputString: ByteArray = label + byteArrayOf(0x00) + context + length
+
+            // 1.2: Compute K0
+            val inputKey = ("AWS4A" + config.credentials.secretAccessKey).encodeToByteArray()
+            val k0 = hmac(inputKey, byteArrayOf(0x01) + fixedInputString, sha256Provider)
+
+            // 2: Compute the ECC key pair
+            val c = BigInteger(k0)
+
+            val nBytes = "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551".decodeHexBytes()
+            val n = BigInteger(nBytes)
+
+            privateKey = (n + BigInteger("1")).toByteArray()
+
+            if (counter == Byte.MAX_VALUE && c <= n - BigInteger("2")) {
+                throw IllegalStateException("Counter exceeded maximum length")
+            }
+
+            counter = (counter + 0x01).toByte()
+        } while (c <= n - BigInteger("2"))
+
+        return privateKey
     }
 
     override fun chunkStringToSign(

runtime/runtime-core/api/runtime-core.api

@@ -693,6 +693,10 @@ public final class aws/smithy/kotlin/runtime/hashing/Crc32cKt {
 	public static final fun crc32c ([B)I
 }
 
+public final class aws/smithy/kotlin/runtime/hashing/EcdsaJVMKt {
+	public static final fun ecdsasecp256r1 ([B[B)[B
+}
+
 public abstract interface class aws/smithy/kotlin/runtime/hashing/HashFunction {
 	public abstract fun digest ()[B
 	public abstract fun getBlockSizeBytes ()I

runtime/runtime-core/common/src/aws/smithy/kotlin/runtime/hashing/Ecdsa.kt

@@ -0,0 +1,10 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.smithy.kotlin.runtime.hashing
+
+/**
+ * ECDSA on the SECP256R1 curve.
+ */
+public expect fun ecdsasecp256r1(key: ByteArray, message: ByteArray): ByteArray

runtime/runtime-core/jvm/src/aws/smithy/kotlin/runtime/hashing/EcdsaJVM.kt

@@ -0,0 +1,95 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.smithy.kotlin.runtime.hashing
+
+import aws.smithy.kotlin.runtime.content.BigInteger
+import java.security.*
+import java.security.spec.*
+import java.security.interfaces.*
+
+/**
+ * ECDSA on the SECP256R1 curve.
+ */
+public actual fun ecdsasecp256r1(key: ByteArray, message: ByteArray): ByteArray {
+    // Convert byte array to BigInteger for private key
+    val d = BigInteger(key)
+
+    // Get EC parameters for SECP256R1
+    val spec = ECGenParameterSpec("secp256r1")
+
+    // Create key pair generator to get curve parameters
+    val keyGen = KeyPairGenerator.getInstance("EC")
+    keyGen.initialize(spec)
+    val params = (keyGen.generateKeyPair().private as ECPrivateKey).params
+
+    // Create private key directly from the provided key bytes
+    val privateKeySpec = ECPrivateKeySpec(d.toJvm(), params)
+    val keyFactory = KeyFactory.getInstance("EC")
+    val privateKey = keyFactory.generatePrivate(privateKeySpec)
+
+    // Sign the message
+    return Signature.getInstance("SHA256withECDSA").apply {
+        initSign(privateKey)
+        update(message)
+    }.sign()
+}
+
+//public actual fun ecdsasecp256r1(key: ByteArray, message: ByteArray): ByteArray {
+//    val d = BigInteger(key)
+//
+//    // Get EC curve parameters for SECP256R1
+//    val spec = ECGenParameterSpec("secp256r1")
+//    val keyFactory = KeyFactory.getInstance("EC")
+//
+//    // Generate ECPrivateKeySpec
+//    val keyPairGenerator = KeyPairGenerator.getInstance("EC")
+//    keyPairGenerator.initialize(spec)
+//    val keyPair = keyPairGenerator.generateKeyPair()
+//    val ecParams = (keyPair.private as ECPrivateKey).params
+//
+//    // Compute the public key point P = d * G
+//    val G = ecParams.generator
+//    val publicPoint = ecParams.curve.multiply(G, d)
+//
+//    // Create EC public key
+//    val pubKeySpec = ECPublicKeySpec(publicPoint, ecParams)
+//    val publicKey = keyFactory.generatePublic(pubKeySpec) as ECPublicKey
+//
+//    // Create EC private key
+//    val privateKeySpec = ECPrivateKeySpec(d, ecParams)
+//    val privateKey = keyFactory.generatePrivate(privateKeySpec) as ECPrivateKey
+//
+//    // Sign the message
+//    return Signature.getInstance("SHA256withECDSA").apply {
+//        initSign(privateKey)
+//        update(message)
+//    }.sign()
+//}
+
+///**
+// * ECDSA on the SECP256R1 curve.
+// */
+//public actual fun ecdsasecp256r1(key: ByteArray, message: ByteArray): ByteArray {
+//    val d = BigInteger(key)
+//
+//    // Get SECP256R1 parameters from Java's built-in provider
+//    val params = AlgorithmParameters.getInstance("EC").apply {
+//        init(ECGenParameterSpec("secp256r1"))
+//    }
+//    val ecSpec = params.getParameterSpec(ECParameterSpec::class.java)
+//
+//    // Create private key spec and generate key
+//    val keySpec = ECPrivateKeySpec(d.toJvm(), ecSpec)
+//    val kf = KeyFactory.getInstance("EC")
+//    val privateKey = kf.generatePrivate(keySpec)
+//
+//    // Sign the message
+//    return Signature.getInstance("SHA256withECDSA").apply {
+//        initSign(privateKey)
+//        update(message)
+//    }.sign()
+//}
+
+private fun BigInteger.toJvm(): java.math.BigInteger = java.math.BigInteger(1, toByteArray())

runtime/runtime-core/jvm/test/aws/smithy/kotlin/runtime/hashing/EcdsaJVMTest.kt

@@ -0,0 +1,98 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.smithy.kotlin.runtime.hashing
+
+import org.junit.jupiter.api.Assertions.assertFalse
+import org.junit.jupiter.api.Assertions.assertTrue
+import java.security.*
+import java.security.spec.*
+import java.security.interfaces.*
+import kotlin.test.Test
+import kotlin.test.assertNotNull
+
+class EcdsaJVMTest {
+    // Helper function to generate valid test key
+    private fun generateValidPrivateKey(): ByteArray {
+        val keyGen = KeyPairGenerator.getInstance("EC")
+        keyGen.initialize(ECGenParameterSpec("secp256r1"))
+        val keyPair = keyGen.generateKeyPair()
+        val privateKey = keyPair.private as ECPrivateKey
+        return privateKey.s.toByteArray()
+    }
+
+    @Test
+    fun testValidSignature() {
+        val privateKey = generateValidPrivateKey()
+        val message = "Hello, World!".toByteArray()
+
+        val signature = ecdsasecp256r1(privateKey, message)
+
+        assertNotNull(signature)
+        assertTrue(signature.size >= 64) // ECDSA signatures are typically 70-72 bytes in DER format
+    }
+
+    @Test
+    fun testSignatureDeterminism() {
+        val privateKey = generateValidPrivateKey()
+        val message = "Hello, World!".toByteArray()
+
+        val signature1 = ecdsasecp256r1(privateKey, message)
+        val signature2 = ecdsasecp256r1(privateKey, message)
+
+        // Note: ECDSA is not deterministic by default, so signatures will be different
+        assertNotNull(signature1)
+        assertNotNull(signature2)
+    }
+
+    @Test
+    fun testDifferentMessages() {
+        val privateKey = generateValidPrivateKey()
+        val message1 = "Hello, World!".toByteArray()
+        val message2 = "Different message".toByteArray()
+
+        val signature1 = ecdsasecp256r1(privateKey, message1)
+        val signature2 = ecdsasecp256r1(privateKey, message2)
+
+        assertNotNull(signature1)
+        assertNotNull(signature2)
+        assertFalse(signature1.contentEquals(signature2))
+    }
+
+    @Test
+    fun testEmptyMessage() {
+        val privateKey = generateValidPrivateKey()
+        val message = ByteArray(0)
+
+        val signature = ecdsasecp256r1(privateKey, message)
+        assertNotNull(signature)
+    }
+
+    @Test
+    fun testLargeMessage() {
+        val privateKey = generateValidPrivateKey()
+        val largeMessage = ByteArray(1000000) { it.toByte() }
+
+        val signature = ecdsasecp256r1(privateKey, largeMessage)
+        assertNotNull(signature)
+    }
+
+    @Test
+    fun testVerifySignature() {
+        val keyGen = KeyPairGenerator.getInstance("EC")
+        keyGen.initialize(ECGenParameterSpec("secp256r1"))
+        val keyPair = keyGen.generateKeyPair()
+        val privateKey = (keyPair.private as ECPrivateKey).s.toByteArray()
+        val publicKey = keyPair.public
+
+        val message = "Hello, World!".toByteArray()
+        val signature = ecdsasecp256r1(privateKey, message)
+
+        val verifier = Signature.getInstance("SHA256withECDSA")
+        verifier.initVerify(publicKey)
+        verifier.update(message)
+
+        assertTrue(verifier.verify(signature))
+    }
+}

runtime/runtime-core/native/src/aws/smithy/kotlin/runtime/hashing/EcdsaNative.kt

@@ -0,0 +1,16 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.smithy.kotlin.runtime.hashing
+
+/**
+ * ECDSA on the SECP256R1 curve.
+ */
+// FIXME Implement using aws-c-cal: https://github.com/awslabs/aws-c-cal/blob/main/include/aws/cal/ecc.h
+/**
+ * Will need to be implemented and exposed in aws-crt-kotlin.
+ * Or maybe we can _only_ offer the CRT signer on Native?
+ * Will require updating DefaultAwsSigner to be expect/actual and set to CrtSigner on Native.
+ */
+public actual fun ecdsasecp256r1(key: ByteArray, message: ByteArray): ByteArray = TODO("Not yet implemented")