2 // Copyright 2020 gRPC authors.
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
8 // http://www.apache.org/licenses/LICENSE-2.0
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
16 #include <grpc/support/port_platform.h>
18 #include "src/core/lib/security/credentials/external/aws_request_signer.h"
20 #include "absl/strings/ascii.h"
21 #include "absl/strings/escaping.h"
22 #include "absl/strings/str_format.h"
23 #include "absl/strings/str_join.h"
24 #include "absl/strings/str_split.h"
25 #include "absl/time/clock.h"
26 #include "absl/time/time.h"
28 #include <openssl/hmac.h>
29 #include <openssl/sha.h>
35 const char kAlgorithm[] = "AWS4-HMAC-SHA256";
36 const char kDateFormat[] = "%a, %d %b %E4Y %H:%M:%S %Z";
37 const char kXAmzDateFormat[] = "%Y%m%dT%H%M%SZ";
39 void SHA256(const std::string& str, unsigned char out[SHA256_DIGEST_LENGTH]) {
42 SHA256_Update(&sha256, str.c_str(), str.size());
43 SHA256_Final(out, &sha256);
46 std::string SHA256Hex(const std::string& str) {
47 unsigned char hash[SHA256_DIGEST_LENGTH];
49 std::string hash_str(reinterpret_cast<char const*>(hash),
50 SHA256_DIGEST_LENGTH);
51 return absl::BytesToHexString(hash_str);
54 std::string HMAC(const std::string& key, const std::string& msg) {
56 unsigned char digest[EVP_MAX_MD_SIZE];
57 HMAC(EVP_sha256(), key.c_str(), key.length(),
58 (const unsigned char*)msg.c_str(), msg.length(), digest, &len);
59 return std::string(digest, digest + len);
64 AwsRequestSigner::AwsRequestSigner(
65 std::string access_key_id, std::string secret_access_key, std::string token,
66 std::string method, std::string url, std::string region,
67 std::string request_payload,
68 std::map<std::string, std::string> additional_headers, grpc_error** error)
69 : access_key_id_(std::move(access_key_id)),
70 secret_access_key_(std::move(secret_access_key)),
71 token_(std::move(token)),
72 method_(std::move(method)),
73 region_(std::move(region)),
74 request_payload_(std::move(request_payload)),
75 additional_headers_(std::move(additional_headers)) {
76 auto amz_date_it = additional_headers_.find("x-amz-date");
77 auto date_it = additional_headers_.find("date");
78 if (amz_date_it != additional_headers_.end() &&
79 date_it != additional_headers_.end()) {
80 *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
81 "Only one of {date, x-amz-date} can be specified, not both.");
84 if (amz_date_it != additional_headers_.end()) {
85 static_request_date_ = amz_date_it->second;
86 } else if (date_it != additional_headers_.end()) {
87 absl::Time request_date;
89 if (!absl::ParseTime(kDateFormat, date_it->second, &request_date,
91 *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(err_str.c_str());
94 static_request_date_ =
95 absl::FormatTime(kXAmzDateFormat, request_date, absl::UTCTimeZone());
97 url_ = grpc_uri_parse(url, false);
98 if (url_ == nullptr) {
99 *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("Invalid Aws request url.");
104 AwsRequestSigner::~AwsRequestSigner() { grpc_uri_destroy(url_); }
106 std::map<std::string, std::string> AwsRequestSigner::GetSignedRequestHeaders() {
107 std::string request_date_full;
108 if (!static_request_date_.empty()) {
109 if (!request_headers_.empty()) {
110 return request_headers_;
112 request_date_full = static_request_date_;
114 absl::Time request_date = absl::Now();
116 absl::FormatTime(kXAmzDateFormat, request_date, absl::UTCTimeZone());
118 std::string request_date_short = request_date_full.substr(0, 8);
119 // TASK 1: Create a canonical request for Signature Version 4
120 // https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
121 std::vector<absl::string_view> canonical_request_vector;
122 // 1. HTTPRequestMethod
123 canonical_request_vector.emplace_back(method_);
124 canonical_request_vector.emplace_back("\n");
127 canonical_request_vector.emplace_back(*url_->path == '\0' ? "/" : url_->path);
128 canonical_request_vector.emplace_back("\n");
129 // 3. CanonicalQueryString
130 canonical_request_vector.emplace_back(url_->query);
131 canonical_request_vector.emplace_back("\n");
132 // 4. CanonicalHeaders
133 if (request_headers_.empty()) {
134 request_headers_.insert({"host", url_->authority});
135 if (!token_.empty()) {
136 request_headers_.insert({"x-amz-security-token", token_});
138 for (const auto& header : additional_headers_) {
139 request_headers_.insert(
140 {absl::AsciiStrToLower(header.first), header.second});
143 if (additional_headers_.find("date") == additional_headers_.end()) {
144 request_headers_["x-amz-date"] = request_date_full;
146 std::vector<absl::string_view> canonical_headers_vector;
147 for (const auto& header : request_headers_) {
148 canonical_headers_vector.emplace_back(header.first);
149 canonical_headers_vector.emplace_back(":");
150 canonical_headers_vector.emplace_back(header.second);
151 canonical_headers_vector.emplace_back("\n");
153 std::string canonical_headers = absl::StrJoin(canonical_headers_vector, "");
154 canonical_request_vector.emplace_back(canonical_headers);
155 canonical_request_vector.emplace_back("\n");
157 std::vector<absl::string_view> signed_headers_vector;
158 for (const auto& header : request_headers_) {
159 signed_headers_vector.emplace_back(header.first);
161 std::string signed_headers = absl::StrJoin(signed_headers_vector, ";");
162 canonical_request_vector.emplace_back(signed_headers);
163 canonical_request_vector.emplace_back("\n");
165 std::string hashed_request_payload = SHA256Hex(request_payload_);
166 canonical_request_vector.emplace_back(hashed_request_payload);
167 std::string canonical_request = absl::StrJoin(canonical_request_vector, "");
168 // TASK 2: Create a string to sign for Signature Version 4
169 // https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
170 std::vector<absl::string_view> string_to_sign_vector;
172 string_to_sign_vector.emplace_back("AWS4-HMAC-SHA256");
173 string_to_sign_vector.emplace_back("\n");
174 // 2. RequestDateTime
175 string_to_sign_vector.emplace_back(request_date_full);
176 string_to_sign_vector.emplace_back("\n");
177 // 3. CredentialScope
178 std::pair<absl::string_view, absl::string_view> host_parts =
179 absl::StrSplit(url_->authority, absl::MaxSplits('.', 1));
180 std::string service_name(host_parts.first);
181 std::string credential_scope = absl::StrFormat(
182 "%s/%s/%s/aws4_request", request_date_short, region_, service_name);
183 string_to_sign_vector.emplace_back(credential_scope);
184 string_to_sign_vector.emplace_back("\n");
185 // 4. HashedCanonicalRequest
186 std::string hashed_canonical_request = SHA256Hex(canonical_request);
187 string_to_sign_vector.emplace_back(hashed_canonical_request);
188 std::string string_to_sign = absl::StrJoin(string_to_sign_vector, "");
189 // TASK 3: Task 3: Calculate the signature for AWS Signature Version 4
190 // https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
191 // 1. Derive your signing key.
192 std::string date = HMAC("AWS4" + secret_access_key_, request_date_short);
193 std::string region = HMAC(date, region_);
194 std::string service = HMAC(region, service_name);
195 std::string signing = HMAC(service, "aws4_request");
196 // 2. Calculate the signature.
197 std::string signature_str = HMAC(signing, string_to_sign);
198 std::string signature = absl::BytesToHexString(signature_str);
199 // TASK 4: Add the signature to the HTTP request
200 // https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html
201 std::string authorization_header = absl::StrFormat(
202 "%s Credential=%s/%s, SignedHeaders=%s, Signature=%s", kAlgorithm,
203 access_key_id_, credential_scope, signed_headers, signature);
204 request_headers_["Authorization"] = authorization_header;
205 return request_headers_;
208 } // namespace grpc_core