aws_signing_helper

package
v1.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 5, 2026 License: Apache-2.0 Imports: 60 Imported by: 8

Documentation

Index

Constants

View Source 
const AwsSharedCredentialsFileEnvVarName = "AWS_SHARED_CREDENTIALS_FILE"
View Source 
const BufferSize = 49152
View Source 
const DEFAULT_TOKEN_TTL_SECONDS = "21600"
View Source 
const DefaultHopLimit = 64
View Source 
const DefaultPort = 9911
View Source 
const EC2_METADATA_TOKEN_HEADER = "x-aws-ec2-metadata-token"
View Source 
const EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
View Source 
const LocalHostAddress = "127.0.0.1"
View Source 
const MAX_TOKENS = 256
View Source 
const REFRESHABLE_CRED_CODE = "Success"
View Source 
const REFRESHABLE_CRED_TYPE = "AWS-HMAC"
View Source 
const SECURITY_CREDENTIALS_RESOURCE_PATH = "/latest/meta-data/iam/security-credentials"
View Source 
const SECURITY_CREDENTIALS_RESOURCE_PATH_WITH_TRAILING_SLASH = SECURITY_CREDENTIALS_RESOURCE_PATH + "/"
View Source 
const TOKEN_RESOURCE_PATH = "/latest/api/token"
View Source 
const TOKEN_RESOURCE_PATH_WITH_TRAILING_SLASH = TOKEN_RESOURCE_PATH + "/"
View Source 
const UpdateRefreshTime = time.Minute * time.Duration(5)
View Source 
const X_FORWARDED_FOR_HEADER = "X-Forwarded-For"

Variables

View Source 
var (
	// ErrUnsupportedHash is returned by Signer.Sign() when the provided hash
	// algorithm isn't supported.
	ErrUnsupportedHash = errors.New("unsupported hash algorithm")

	// Predefined system store names.
	// See: https://learn.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations
	SystemStoreNames = []string{
		"MY",
		"Root",
		"Trust",
		"CA",
	}

	// Signing name for the IAM Roles Anywhere service
	ROLESANYWHERE_SIGNING_NAME = "rolesanywhere"
)
View Source 
var Debug bool = false
View Source 
var MAX_OBJECT_LIMIT int = 1000
View Source 
var PKCS11_TEST_VERSION int16 = 1
View Source 
var RefreshTime = time.Minute * time.Duration(5)
View Source 
var TPM_RC_AUTH_FAIL = "0x22"

Functions

func AllIssuesHandlers added in v1.0.3 

func AllIssuesHandlers(cred *RefreshableCred, roleName string, opts *CredentialsOpts, signer Signer, signatureAlgorithm string) (http.HandlerFunc, http.HandlerFunc, http.HandlerFunc)

func BuildAuthorizationHeader 

func BuildAuthorizationHeader(request *http.Request, signedHeadersString string, signature string, certificate *x509.Certificate, signerParams SignerParams) string

Builds the complete authorization header

func CheckValidToken added in v1.0.3 

func CheckValidToken(w http.ResponseWriter, r *http.Request) error

Helper function that checks to see whether the token provided in the request is valid

func CreateRequestSignFinalizeFunction added in v1.5.0 

func CreateRequestSignFinalizeFunction(signer crypto.Signer, signingRegion string, signingAlgorithm string, certificate *x509.Certificate, certificateChain []*x509.Certificate) func(context.Context, middleware.FinalizeInput, middleware.FinalizeHandler) (middleware.FinalizeOutput, middleware.Metadata, error)

func CreateStringToSign 

func CreateStringToSign(canonicalRequest string, signerParams SignerParams) string

Create the string to sign.

func DefaultCertContainerToString added in v1.5.0 

func DefaultCertContainerToString(certContainer CertificateContainer) string

Default function to showcase certificate information

func FindTokenTTLSeconds added in v1.0.4 

func FindTokenTTLSeconds(r *http.Request) (string, error)

Helper function that finds a token's TTL in seconds

func GenerateToken added in v1.0.3 

func GenerateToken(length int) (string, error)

Generates a random string with the specified length

func GetCertChain added in v1.2.0 

func GetCertChain(certificateBundleId string) ([]*x509.Certificate, error)

GetCertChain reads a certificate bundle and returns a chain of all the certificates it contains

func GetCredentialsFileContents added in v1.0.3 

func GetCredentialsFileContents() ([]string, error)

Assume that the credentials file is located in the default path: `~/.aws/credentials`

func GetNewCredentialsFileContents added in v1.0.5 

func GetNewCredentialsFileContents(profileName string, readLines []string, cred *TemporaryCredential) []string

Function that will get the new conents of the credentials file after a refresh has been done

func GetPassword added in v1.1.0 

func GetPassword(ttyReadFile *os.File, ttyWriteFile *os.File, prompt string, parseErrMsg string) (string, error)

Prompts the user for their password

func GetWriteOnlyCredentialsFile added in v1.0.3 

func GetWriteOnlyCredentialsFile() (*os.File, error)

Assume that the credentials file exists already and open it for write operations that will overwrite the existing contents of the file

func InsertToken added in v1.0.3 

func InsertToken(token string, expirationTime time.Time) error

Removes the token that expires the earliest

func IsMLDSACertificate added in v1.8.0 

func IsMLDSACertificate(cert *x509.Certificate) (bool, string, error)

IsMLDSACertificate checks if a certificate uses ML-DSA by examining its public key algorithm OID

func NewListenerWithTTL added in v1.2.0 

func NewListenerWithTTL(l net.Listener, ttl int) net.Listener

NewListenerWithTTL wraps a net.Listener and sets the TTL on outgoing packets to the specififed value

func PasswordPrompt added in v1.3.0 

func PasswordPrompt(passwordPromptInput PasswordPromptProps) (string, interface{}, error)

func ReadCertificateBundleData 

func ReadCertificateBundleData(certificateBundleId string) ([]*x509.Certificate, error)

Reads certificate bundle data from a file, whose path is provided

func ReadPKCS12Data added in v1.1.0 

func ReadPKCS12Data(certificateId string) (certChain []*x509.Certificate, privateKey crypto.PrivateKey, err error)

Reads and parses a PKCS#12 file (which should contain an end-entity certificate (optional), certificate chain (optional), and the key associated with the end-entity certificate). The end-entity certificate will be the first certificate in the returned chain. This method assumes that there is exactly one certificate that doesn't issue any others within the container and treats that as the end-entity certificate. Also, the order of the other certificates in the chain aren't guaranteed. It's also not guaranteed that those certificates form a chain with the end-entity certificate either.

func ReadPrivateKeyData 

func ReadPrivateKeyData(privateKeyId string, pkcs8Password ...string) (crypto.PrivateKey, error)

Load the private key referenced by `privateKeyId`. If `pkcs8Password` is provided, attempt to load an encrypted PKCS#8 key.

func ReadPrivateKeyDataFromPEMBlock added in v1.1.0 

func ReadPrivateKeyDataFromPEMBlock(block *pem.Block) (key crypto.PrivateKey, err error)

Reads private key data from a *pem.Block.

func RunNegativeSignTestWithTestTable added in v1.3.0 

func RunNegativeSignTestWithTestTable(t *testing.T, testTable []CredentialsOpts)

func RunSignTestWithTestTable added in v1.3.0 

func RunSignTestWithTestTable(t *testing.T, testTable []CredentialsOpts)

func Serve added in v1.0.3 

func Serve(port int, credentialsOptions CredentialsOpts)

func Update added in v1.0.3 

func Update(credentialsOptions CredentialsOpts, profile string, once bool)

Updates credentials in the credentials file for the specified profile

func Verify added in v1.3.0 

func Verify(payload []byte, publicKey crypto.PublicKey, digest crypto.Hash, sig []byte) (bool, error)

Verify that the provided payload was signed correctly with the provided options. This function is specifically used for unit testing.

func WriteTo added in v1.0.3 

func WriteTo(profileName string, readLines []string, cred *TemporaryCredential) error

Function to write existing credentials and newly-created credentials to a destination file

Types

type AlgorithmIdentifier added in v1.8.0 

type AlgorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.RawValue `asn1:"optional"`
}

AlgorithmIdentifier represents the ASN.1 structure for algorithm identification

type CertIdentifier added in v1.0.5 

type CertIdentifier struct {
	Subject         string
	Issuer          string
	SerialNumber    *big.Int
	SystemStoreName string // Only relevant in the case of Windows
}

type CertObjInfo added in v1.1.0 

type CertObjInfo struct {
	// contains filtered or unexported fields
}

In our list of certs, we want to remember the CKA_ID/CKA_LABEL too.

type Certificate added in v1.8.0 

type Certificate struct {
	TBSCertificate     asn1.RawValue
	SignatureAlgorithm AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

Certificate represents the top-level ASN.1 structure of an X.509 certificate

type CertificateContainer added in v1.0.5 

type CertificateContainer struct {
	// Index (can be useful in sorting)
	Index int
	// Certificate data
	Cert *x509.Certificate
	// Certificate URI (only populated in the case that the certificate is a PKCS#11 object)
	Uri string
}

func GetMatchingCerts added in v1.0.5 

func GetMatchingCerts(certIdentifier CertIdentifier) ([]CertificateContainer, error)

func GetMatchingPKCSCerts added in v1.1.0 

func GetMatchingPKCSCerts(uriStr string, lib string) (matchingCerts []CertificateContainer, err error)

Used to implement a cut-down version of `p11tool --list-certificates`.

type CertificateContainerList added in v1.5.0 

type CertificateContainerList []CertificateContainer

CertificateContainerList implements the sort.Interface interface

func (CertificateContainerList) Len added in v1.5.0 

func (certificateContainerList CertificateContainerList) Len() int

func (CertificateContainerList) Less added in v1.5.0 

func (certificateContainerList CertificateContainerList) Less(i, j int) bool

func (CertificateContainerList) Swap added in v1.5.0 

func (certificateContainerList CertificateContainerList) Swap(i, j int)

type CertificateData 

type CertificateData struct {
	// Type for the key contained in the certificate.
	// Passed back to the `sign-string` command
	KeyType string `json:"keyType"`
	// Certificate, as base64-encoded DER; used in the `x-amz-x509`
	// header in the API request.
	CertificateData string `json:"certificateData"`
	// Serial number of the certificate. Used in the credential
	// field of the Authorization header
	SerialNumber string `json:"serialNumber"`
	// Supported signing algorithms based on the KeyType
	Algorithms []string `json:"supportedAlgorithms"`
}

Container for certificate data returned to the SDK as JSON.

func ReadCertificateData 

func ReadCertificateData(certificateId string) (CertificateData, *x509.Certificate, error)

ReadCertificateData loads the certificate referenced by `certificateId` and extracts details required by the SDK to construct the StringToSign.

type CredentialProcessOutput 

type CredentialProcessOutput struct {
	// This field should be hard-coded to 1 for now.
	Version int `json:"Version"`
	// AWS Access Key ID
	AccessKeyId string `json:"AccessKeyId"`
	// AWS Secret Access Key
	SecretAccessKey string `json:"SecretAccessKey"`
	// AWS Session Token for temporary credentials
	SessionToken string `json:"SessionToken"`
	// ISO8601 timestamp for when the credentials expire
	Expiration string `json:"Expiration"`
}

Container that adheres to the format of credential_process output as specified by AWS.

func GenerateCredentials 

func GenerateCredentials(opts *CredentialsOpts, signer Signer, signatureAlgorithm string) (CredentialProcessOutput, error)

Function to create session and generate credentials

type CredentialsOpts 

type CredentialsOpts struct {
	PrivateKeyId                 string
	CertificateId                string
	CertificateBundleId          string
	CertIdentifier               CertIdentifier
	UseLatestExpiringCertificate bool
	RoleArn                      string
	ProfileArnStr                string
	TrustAnchorArnStr            string
	SessionDuration              int
	Region                       string
	Endpoint                     string
	NoVerifySSL                  bool
	WithProxy                    bool
	Debug                        bool
	Version                      string
	LibPkcs11                    string
	ReusePin                     bool
	TpmKeyPassword               string
	NoTpmKeyPassword             bool
	ServerTTL                    int
	RoleSessionName              string
	Pkcs8Password                string
}

type EncryptedPrivateKeyInfo added in v1.6.0 

type EncryptedPrivateKeyInfo struct {
	EncryptionAlgorithm pkix.AlgorithmIdentifier
	EncryptedData       []byte
}

as defined in https://datatracker.ietf.org/doc/html/rfc5958#section-3

type Endpoint added in v1.0.3 

type Endpoint struct {
	PortNum int
	Server  *http.Server
	TmpCred RefreshableCred
}

type FileSystemSigner added in v1.0.5 

type FileSystemSigner struct {
	// contains filtered or unexported fields
}

func (*FileSystemSigner) Certificate added in v1.0.5 

func (fileSystemSigner *FileSystemSigner) Certificate() (*x509.Certificate, error)

func (*FileSystemSigner) CertificateChain added in v1.0.5 

func (fileSystemSigner *FileSystemSigner) CertificateChain() ([]*x509.Certificate, error)

func (*FileSystemSigner) Close added in v1.0.5 

func (fileSystemSigner *FileSystemSigner) Close()

func (*FileSystemSigner) Public added in v1.0.5 

func (fileSystemSigner *FileSystemSigner) Public() crypto.PublicKey

func (*FileSystemSigner) Sign added in v1.0.5 

func (fileSystemSigner *FileSystemSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

type GetTPMv2SignerOpts added in v1.3.0 

type GetTPMv2SignerOpts struct {
	// contains filtered or unexported fields
}

type KeyObjInfo added in v1.1.0 

type KeyObjInfo struct {
	// contains filtered or unexported fields
}

In our list of keys, we want to remember the CKA_ID/CKA_LABEL too.

type MLDSA44PrivateKey added in v1.8.0 

type MLDSA44PrivateKey struct {
	// contains filtered or unexported fields
}

Concrete implementations for each MLDSA variant

func (*MLDSA44PrivateKey) Public added in v1.8.0 

func (k *MLDSA44PrivateKey) Public() crypto.PublicKey

func (*MLDSA44PrivateKey) Scheme added in v1.8.0 

func (k *MLDSA44PrivateKey) Scheme() string

func (*MLDSA44PrivateKey) Sign added in v1.8.0 

func (k *MLDSA44PrivateKey) Sign(msg []byte, ctx []byte) []byte

type MLDSA65PrivateKey added in v1.8.0 

type MLDSA65PrivateKey struct {
	// contains filtered or unexported fields
}

func (*MLDSA65PrivateKey) Public added in v1.8.0 

func (k *MLDSA65PrivateKey) Public() crypto.PublicKey

func (*MLDSA65PrivateKey) Scheme added in v1.8.0 

func (k *MLDSA65PrivateKey) Scheme() string

func (*MLDSA65PrivateKey) Sign added in v1.8.0 

func (k *MLDSA65PrivateKey) Sign(msg []byte, ctx []byte) []byte

type MLDSA87PrivateKey added in v1.8.0 

type MLDSA87PrivateKey struct {
	// contains filtered or unexported fields
}

func (*MLDSA87PrivateKey) Public added in v1.8.0 

func (k *MLDSA87PrivateKey) Public() crypto.PublicKey

func (*MLDSA87PrivateKey) Scheme added in v1.8.0 

func (k *MLDSA87PrivateKey) Scheme() string

func (*MLDSA87PrivateKey) Sign added in v1.8.0 

func (k *MLDSA87PrivateKey) Sign(msg []byte, ctx []byte) []byte

type MLDSAPrivateKey added in v1.8.0 

type MLDSAPrivateKey interface {
	Public() crypto.PublicKey
	Sign(msg []byte, ctx []byte) []byte
	Scheme() string
}

MLDSAPrivateKey wraps MLDSA private keys from the circl library

func ParseMLDSAFromPKCS8 added in v1.8.0 

func ParseMLDSAFromPKCS8(pkcs8Data []byte) (MLDSAPrivateKey, error)

ParseMLDSAFromPKCS8 attempts to parse MLDSA private key from decrypted PKCS#8 data

type PBES2Params added in v1.6.0 

type PBES2Params struct {
	KeyDerivationFunc pkix.AlgorithmIdentifier
	EncryptionScheme  pkix.AlgorithmIdentifier
}

as defined in https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.4

type PBKDF2Params added in v1.6.0 

type PBKDF2Params struct {
	Salt      []byte
	Iteration int
	PRF       PBKDF2RPFParams `asn1:"optional"`
}

as defined in https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.2 and https://datatracker.ietf.org/doc/html/rfc8018#section-5.2

type PBKDF2RPFParams added in v1.6.0 

type PBKDF2RPFParams struct {
	Algorithm asn1.ObjectIdentifier
	Params    asn1.RawValue `asn1:"optional"`
}

as defined in https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.2

type PKCS11Signer added in v1.1.0 

type PKCS11Signer struct {
	// contains filtered or unexported fields
}

func (*PKCS11Signer) Certificate added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) Certificate() (cert *x509.Certificate, err error)

Gets the *x509.Certificate associated with this PKCS11Signer.

func (*PKCS11Signer) CertificateChain added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) CertificateChain() (certChain []*x509.Certificate, err error)

Gets the certificate chain associated with this PKCS11Signer.

func (*PKCS11Signer) Close added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) Close()

Closes this PKCS11Signer.

func (*PKCS11Signer) Public added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) Public() crypto.PublicKey

Returns the public key associated with this PKCS11Signer.

func (*PKCS11Signer) Sign added in v1.1.0 

func (pkcs11Signer *PKCS11Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

Implements the crypto.Signer interface and signs the passed in digest

type PasswordPromptProps added in v1.3.0 

type PasswordPromptProps struct {
	InitialPassword                    string
	NoPassword                         bool
	CheckPassword                      func(string) (interface{}, error)
	IncorrectPasswordMsg               string
	Prompt                             string
	Reprompt                           string
	ParseErrMsg                        string
	CheckPasswordAuthorizationErrorMsg string
}

type RefreshableCred added in v1.0.3 

type RefreshableCred struct {
	AccessKeyId     string
	SecretAccessKey string
	Token           string
	Code            string
	Type            string
	Expiration      time.Time
	LastUpdated     time.Time
}

type ScryptParams added in v1.6.0 

type ScryptParams struct {
	Salt                  []byte
	CostFactor            int
	BlockSizeFactor       int
	ParallelizationFactor int
}

type SessionToken added in v1.0.3 

type SessionToken struct {
	Expiration time.Time
}

type Signer 

type Signer interface {
	Public() crypto.PublicKey
	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
	Certificate() (certificate *x509.Certificate, err error)
	CertificateChain() (certificateChain []*x509.Certificate, err error)
	Close()
}

Interface that all signers will have to implement (as a result, they will also implement crypto.Signer)

func GetCertStoreSigner added in v1.0.5 

func GetCertStoreSigner(certIdentifier CertIdentifier, useLatestExpiringCert bool) (signer Signer, signingAlgorithm string, err error)

func GetFileSystemSigner added in v1.0.5 

func GetFileSystemSigner(privateKeyPath string, certPath string, bundlePath string, isPkcs12 bool, pkcs8Password string) (signer Signer, signingAlgorithm string, err error)

GetFileSystemSigner returns a FileSystemSigner, that signs a payload using the private key passed in

func GetPKCS11Signer added in v1.1.0 

func GetPKCS11Signer(libPkcs11 string, cert *x509.Certificate, certChain []*x509.Certificate, privateKeyId string, certificateId string, reusePin bool) (signer Signer, signingAlgorithm string, err error)

Given an optional certificate either as *x509.Certificate (because it was already found in a file) or as a PKCS#11 URI, and an optional private key PKCS#11 URI, return a PKCS11Signer that can be used to sign a payload through a PKCS#11-compatible cryptographic device.

func GetSigner added in v1.0.5 

func GetSigner(opts *CredentialsOpts) (signer Signer, signatureAlgorithm string, err error)

GetSigner gets the Signer based on the flags passed in by the user (from which the CredentialsOpts structure is derived)

func GetTPMv2Signer added in v1.3.0 

func GetTPMv2Signer(opts GetTPMv2SignerOpts) (signer Signer, signingAlgorithm string, err error)

Returns a TPMv2Signer, that can be used to sign a payload through a TPMv2-compatible cryptographic device

type SignerParams 

type SignerParams struct {
	OverriddenDate   time.Time
	RegionName       string
	ServiceName      string
	SigningAlgorithm string
}

func (*SignerParams) GetFormattedShortSigningDateTime 

func (signerParams *SignerParams) GetFormattedShortSigningDateTime() string

Obtain the short date-time, formatted as specified by SigV4

func (*SignerParams) GetFormattedSigningDateTime 

func (signerParams *SignerParams) GetFormattedSigningDateTime() string

Obtain the date-time, formatted as specified by SigV4

func (*SignerParams) GetScope 

func (signerParams *SignerParams) GetScope() string

Obtain the scope as part of the SigV4-X509 signature

type SlotIdInfo added in v1.1.0 

type SlotIdInfo struct {
	// contains filtered or unexported fields
}

Used to enumerate slots with all token/slot info for matching.

type SubjectPublicKeyInfo added in v1.8.0 

type SubjectPublicKeyInfo struct {
	Algorithm        AlgorithmIdentifier
	SubjectPublicKey asn1.BitString
}

SubjectPublicKeyInfo represents the ASN.1 structure for public key information

type TBSCertificate added in v1.8.0 

type TBSCertificate struct {
	Version            int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber       *big.Int
	SignatureAlgorithm AlgorithmIdentifier
}

TBSCertificate represents the "To Be Signed" portion of an X.509 certificate We only parse the fields we need to extract the signature algorithm

type TPMv2Signer added in v1.3.0 

type TPMv2Signer struct {
	// contains filtered or unexported fields
}

func (*TPMv2Signer) Certificate added in v1.3.0 

func (tpmv2Signer *TPMv2Signer) Certificate() (*x509.Certificate, error)

Gets the x509.Certificate associated with this TPMv2Signer

func (*TPMv2Signer) CertificateChain added in v1.3.0 

func (tpmv2Signer *TPMv2Signer) CertificateChain() (chain []*x509.Certificate, err error)

Gets the certificate chain associated with this TPMv2Signer

func (*TPMv2Signer) Close added in v1.3.0 

func (tpmv2Signer *TPMv2Signer) Close()

Closes this TPMv2Signer

func (*TPMv2Signer) Public added in v1.3.0 

func (tpmv2Signer *TPMv2Signer) Public() crypto.PublicKey

Returns the public key associated with this TPMv2Signer

func (*TPMv2Signer) Sign added in v1.3.0 

func (tpmv2Signer *TPMv2Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

Implements the crypto.Signer interface and signs the passed in digest

type TemporaryCredential added in v1.0.3 

type TemporaryCredential struct {
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
}

Structure to contain a temporary credential

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.