AwsRequestSignerV4.java

  1. /*
  2.  * Copyright (C) 2022, Workday Inc.
  3.  *
  4.  * This program and the accompanying materials are made available under the
  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at
  6.  * https://www.eclipse.org/org/documents/edl-v10.php.
  7.  *
  8.  * SPDX-License-Identifier: BSD-3-Clause
  9.  */

  11. package org.eclipse.jgit.transport;

  13. import java.net.HttpURLConnection;
  14. import java.net.URL;
  15. import java.nio.charset.StandardCharsets;
  16. import java.security.MessageDigest;
  17. import java.time.Instant;
  18. import java.time.OffsetDateTime;
  19. import java.time.ZoneOffset;
  20. import java.time.format.DateTimeFormatter;
  21. import java.util.HashMap;
  22. import java.util.Map;
  23. import java.util.stream.Collectors;

  25. import javax.crypto.Mac;
  26. import javax.crypto.spec.SecretKeySpec;

  28. import org.eclipse.jgit.internal.JGitText;
  29. import org.eclipse.jgit.util.Hex;
  30. import org.eclipse.jgit.util.HttpSupport;

  32. /**
  33.  * Utility class for signing requests to AWS service endpoints using the V4
  34.  * signing protocol.
  35.  *
  36.  * Reference implementation: <a href=
  37.  * "https://docs.aws.amazon.com/AmazonS3/latest/API/samples/AWSS3SigV4JavaSamples.zip">AWSS3SigV4JavaSamples.zip</a>
  38.  *
  39.  * @see <a href=
  40.  *      "https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">AWS
  41.  *      Signature Version 4</a>
  42.  *
  43.  * @since 5.13.1
  44.  */
  45. public final class AwsRequestSignerV4 {

  47.     /** AWS version 4 signing algorithm (for authorization header). **/
  48.     private static final String ALGORITHM = "HMAC-SHA256"; //$NON-NLS-1$

  50.     /** Java Message Authentication Code (MAC) algorithm name. **/
  51.     private static final String MAC_ALGORITHM = "HmacSHA256"; //$NON-NLS-1$

  53.     /** AWS version 4 signing scheme. **/
  54.     private static final String SCHEME = "AWS4"; //$NON-NLS-1$

  56.     /** AWS version 4 terminator string. **/
  57.     private static final String TERMINATOR = "aws4_request"; //$NON-NLS-1$

  59.     /** SHA-256 hash of an empty request body. **/
  60.     private static final String EMPTY_BODY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"; //$NON-NLS-1$

  62.     /** Date format for the 'x-amz-date' header. **/
  63.     private static final DateTimeFormatter AMZ_DATE_FORMAT = DateTimeFormatter
  64.             .ofPattern("yyyyMMdd'T'HHmmss'Z'"); //$NON-NLS-1$

  66.     /** Date format for the string-to-sign's scope. **/
  67.     private static final DateTimeFormatter SCOPE_DATE_FORMAT = DateTimeFormatter
  68.             .ofPattern("yyyyMMdd"); //$NON-NLS-1$

  70.     private AwsRequestSignerV4() {
  71.         // Don't instantiate utility class
  72.     }

  74.     /**
  75.      * Sign the provided request with an AWS4 signature as the 'Authorization'
  76.      * header.
  77.      *
  78.      * @param httpURLConnection
  79.      *            The request to sign.
  80.      * @param queryParameters
  81.      *            The query parameters being sent in the request.
  82.      * @param contentLength
  83.      *            The content length of the data being sent in the request
  84.      * @param bodyHash
  85.      *            Hex-encoded SHA-256 hash of the data being sent in the request
  86.      * @param serviceName
  87.      *            The signing name of the AWS service (e.g. "s3").
  88.      * @param regionName
  89.      *            The name of the AWS region that will handle the request (e.g.
  90.      *            "us-east-1").
  91.      * @param awsAccessKey
  92.      *            The user's AWS Access Key.
  93.      * @param awsSecretKey
  94.      *            The user's AWS Secret Key.
  95.      */
  96.     public static void sign(HttpURLConnection httpURLConnection,
  97.             Map<String, String> queryParameters, long contentLength,
  98.             String bodyHash, String serviceName, String regionName,
  99.             String awsAccessKey, char[] awsSecretKey) {
  100.         // get request headers
  101.         Map<String, String> headers = new HashMap<>();
  102.         httpURLConnection.getRequestProperties()
  103.                 .forEach((headerName, headerValues) -> headers.put(headerName,
  104.                         String.join(",", headerValues))); //$NON-NLS-1$

  106.         // add required content headers
  107.         if (contentLength > 0) {
  108.             headers.put(HttpSupport.HDR_CONTENT_LENGTH,
  109.                     String.valueOf(contentLength));
  110.         } else {
  111.             bodyHash = EMPTY_BODY_SHA256;
  112.         }
  113.         headers.put("x-amz-content-sha256", bodyHash); //$NON-NLS-1$

  115.         // add the 'x-amz-date' header
  116.         OffsetDateTime now = Instant.now().atOffset(ZoneOffset.UTC);
  117.         String amzDate = now.format(AMZ_DATE_FORMAT);
  118.         headers.put("x-amz-date", amzDate); //$NON-NLS-1$

  120.         // add the 'host' header
  121.         URL endpointUrl = httpURLConnection.getURL();
  122.         int port = endpointUrl.getPort();
  123.         String hostHeader = (port > -1)
  124.                 ? endpointUrl.getHost().concat(":" + port) //$NON-NLS-1$
  125.                 : endpointUrl.getHost();
  126.         headers.put("Host", hostHeader); //$NON-NLS-1$

  128.         // construct the canonicalized request
  129.         String canonicalizedHeaderNames = getCanonicalizeHeaderNames(headers);
  130.         String canonicalizedHeaders = getCanonicalizedHeaderString(headers);
  131.         String canonicalizedQueryParameters = getCanonicalizedQueryString(
  132.                 queryParameters);
  133.         String httpMethod = httpURLConnection.getRequestMethod();
  134.         String canonicalRequest = httpMethod + '\n'
  135.                 + getCanonicalizedResourcePath(endpointUrl) + '\n'
  136.                 + canonicalizedQueryParameters + '\n' + canonicalizedHeaders
  137.                 + '\n' + canonicalizedHeaderNames + '\n' + bodyHash;

  139.         // construct the string-to-sign
  140.         String scopeDate = now.format(SCOPE_DATE_FORMAT);
  141.         String scope = scopeDate + '/' + regionName + '/' + serviceName + '/'
  142.                 + TERMINATOR;
  143.         String stringToSign = SCHEME + '-' + ALGORITHM + '\n' + amzDate + '\n'
  144.                 + scope + '\n' + Hex.toHexString(hash(
  145.                         canonicalRequest.getBytes(StandardCharsets.UTF_8)));

  147.         // compute the signing key
  148.         byte[] secretKey = (SCHEME + new String(awsSecretKey)).getBytes();
  149.         byte[] dateKey = signStringWithKey(scopeDate, secretKey);
  150.         byte[] regionKey = signStringWithKey(regionName, dateKey);
  151.         byte[] serviceKey = signStringWithKey(serviceName, regionKey);
  152.         byte[] signingKey = signStringWithKey(TERMINATOR, serviceKey);
  153.         byte[] signature = signStringWithKey(stringToSign, signingKey);

  155.         // construct the authorization header
  156.         String credentialsAuthorizationHeader = "Credential=" + awsAccessKey //$NON-NLS-1$
  157.                 + '/' + scope;
  158.         String signedHeadersAuthorizationHeader = "SignedHeaders=" //$NON-NLS-1$
  159.                 + canonicalizedHeaderNames;
  160.         String signatureAuthorizationHeader = "Signature=" //$NON-NLS-1$
  161.                 + Hex.toHexString(signature);
  162.         String authorizationHeader = SCHEME + '-' + ALGORITHM + ' '
  163.                 + credentialsAuthorizationHeader + ", " //$NON-NLS-1$
  164.                 + signedHeadersAuthorizationHeader + ", " //$NON-NLS-1$
  165.                 + signatureAuthorizationHeader;

  167.         // Copy back the updated request headers
  168.         headers.forEach(httpURLConnection::setRequestProperty);

  170.         // Add the 'authorization' header
  171.         httpURLConnection.setRequestProperty(HttpSupport.HDR_AUTHORIZATION,
  172.                 authorizationHeader);
  173.     }

  175.     /**
  176.      * Calculates the hex-encoded SHA-256 hash of the provided byte array.
  177.      *
  178.      * @param data
  179.      *            Byte array to hash
  180.      *
  181.      * @return Hex-encoded SHA-256 hash of the provided byte array.
  182.      */
  183.     public static String calculateBodyHash(final byte[] data) {
  184.         return (data == null || data.length < 1) ? EMPTY_BODY_SHA256
  185.                 : Hex.toHexString(hash(data));
  186.     }

  188.     /**
  189.      * Construct a string listing all request headers in sorted case-insensitive
  190.      * order, separated by a ';'.
  191.      *
  192.      * @param headers
  193.      *            Map containing all request headers.
  194.      *
  195.      * @return String that lists all request headers in sorted case-insensitive
  196.      *         order, separated by a ';'.
  197.      */
  198.     private static String getCanonicalizeHeaderNames(
  199.             Map<String, String> headers) {
  200.         return headers.keySet().stream().map(String::toLowerCase).sorted()
  201.                 .collect(Collectors.joining(";")); //$NON-NLS-1$
  202.     }

  204.     /**
  205.      * Constructs the canonical header string for a request.
  206.      *
  207.      * @param headers
  208.      *            Map containing all request headers.
  209.      *
  210.      * @return The canonical headers with values for the request.
  211.      */
  212.     private static String getCanonicalizedHeaderString(
  213.             Map<String, String> headers) {
  214.         if (headers == null || headers.isEmpty()) {
  215.             return ""; //$NON-NLS-1$
  216.         }
  217.         StringBuilder sb = new StringBuilder();
  218.         headers.keySet().stream().sorted(String.CASE_INSENSITIVE_ORDER)
  219.                 .forEach(key -> {
  220.                     String header = key.toLowerCase().replaceAll("\\s+", " "); //$NON-NLS-1$ //$NON-NLS-2$
  221.                     String value = headers.get(key).replaceAll("\\s+", " "); //$NON-NLS-1$ //$NON-NLS-2$
  222.                     sb.append(header).append(':').append(value).append('\n');
  223.                 });
  224.         return sb.toString();
  225.     }

  227.     /**
  228.      * Constructs the canonicalized resource path for an AWS service endpoint.
  229.      *
  230.      * @param url
  231.      *            The AWS service endpoint URL, including the path to any
  232.      *            resource.
  233.      *
  234.      * @return The canonicalized resource path for the AWS service endpoint.
  235.      */
  236.     private static String getCanonicalizedResourcePath(URL url) {
  237.         if (url == null) {
  238.             return "/"; //$NON-NLS-1$
  239.         }
  240.         String path = url.getPath();
  241.         if (path == null || path.isEmpty()) {
  242.             return "/"; //$NON-NLS-1$
  243.         }
  244.         String encodedPath = HttpSupport.urlEncode(path, true);
  245.         if (encodedPath.startsWith("/")) { //$NON-NLS-1$
  246.             return encodedPath;
  247.         }
  248.         return "/".concat(encodedPath); //$NON-NLS-1$
  249.     }

  251.     /**
  252.      * Constructs the canonicalized query string for a request.
  253.      *
  254.      * @param queryParameters
  255.      *            The query parameters in the request.
  256.      *
  257.      * @return The canonicalized query string for the request.
  258.      */
  259.     public static String getCanonicalizedQueryString(
  260.             Map<String, String> queryParameters) {
  261.         if (queryParameters == null || queryParameters.isEmpty()) {
  262.             return ""; //$NON-NLS-1$
  263.         }
  264.         return queryParameters
  265.                 .keySet().stream().sorted().map(
  266.                         key -> HttpSupport.urlEncode(key, false) + '='
  267.                                 + HttpSupport.urlEncode(
  268.                                         queryParameters.get(key), false))
  269.                 .collect(Collectors.joining("&")); //$NON-NLS-1$
  270.     }

  272.     /**
  273.      * Hashes the provided byte array using the SHA-256 algorithm.
  274.      *
  275.      * @param data
  276.      *            The byte array to hash.
  277.      *
  278.      * @return Hashed string contents of the provided byte array.
  279.      */
  280.     public static byte[] hash(byte[] data) {
  281.         try {
  282.             MessageDigest md = MessageDigest.getInstance("SHA-256"); //$NON-NLS-1$
  283.             md.update(data);
  284.             return md.digest();
  285.         } catch (Exception e) {
  286.             throw new RuntimeException(
  287.                     JGitText.get().couldNotHashByteArrayWithSha256, e);
  288.         }
  289.     }

  291.     /**
  292.      * Signs the provided string data using the specified key.
  293.      *
  294.      * @param stringToSign
  295.      *            The string data to sign.
  296.      * @param key
  297.      *            The key material of the secret key.
  298.      *
  299.      * @return Signed string data.
  300.      */
  301.     private static byte[] signStringWithKey(String stringToSign, byte[] key) {
  302.         try {
  303.             byte[] data = stringToSign.getBytes(StandardCharsets.UTF_8);
  304.             Mac mac = Mac.getInstance(MAC_ALGORITHM);
  305.             mac.init(new SecretKeySpec(key, MAC_ALGORITHM));
  306.             return mac.doFinal(data);
  307.         } catch (Exception e) {
  308.             throw new RuntimeException(JGitText.get().couldNotSignStringWithKey,
  309.                     e);
  310.         }
  311.     }

  313. }
Created with JaCoCo 0.8.7.202105040129