}
/*
- * calculate the AWS signature version 4
+ * calculate the SigningKey of AWS auth version 4
*/
-std::string get_v4_signature(CephContext* const cct,
- const std::string& credential_scope,
- const std::string& string_to_sign,
- const std::string& access_key_secret,
- char (&signing_key)[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE])
+std::array<unsigned char, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE>
+get_v4_signing_key(CephContext* const cct,
+ const std::string& credential_scope,
+ const std::string& access_key_secret)
{
std::string secret_key = "AWS4" + access_key_secret;
char secret_k[secret_key.size() * MAX_UTF8_SZ];
ldout(cct, 10) << "service_k = " << string(aux) << dendl;
/* aws4_request */
+ std::array<unsigned char, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE> signing_key = \
+ calc_hmac_sha256(service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE,
+ "aws4_request", 12);
- calc_hmac_sha256(service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, "aws4_request", 12, signing_key);
-
- buf_to_hex((unsigned char *) signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
+ buf_to_hex(signing_key.data(), CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
ldout(cct, 10) << "signing_k = " << string(aux) << dendl;
+ return signing_key;
+}
+
+/*
+ * calculate the AWS signature version 4
+
+ * http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
+ */
+std::string get_v4_signature(CephContext* const cct,
+ const std::array<unsigned char, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE>& signing_key,
+ const std::string& string_to_sign)
+{
+
/* new signature */
char signature_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE];
- calc_hmac_sha256(signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE,
+ /* FIXME(rzarzynski): eradicate the reinterpret_cast. */
+ calc_hmac_sha256(reinterpret_cast<const char*>(signing_key.data()), CEPH_CRYPTO_HMACSHA256_DIGESTSIZE,
string_to_sign.c_str(), string_to_sign.size(),
signature_k);
+ char aux[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE * 2 + 1];
buf_to_hex((unsigned char *) signature_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
ldout(cct, 10) << "signature_k = " << string(aux) << dendl;
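Review bot: The derived signing key is still hex-dumped into the level-10 log on L27, and the new `buf_to_hex(signing_key.data(), ...)` on L26 exists only to feed that dump (L18 does the same for `service_k`); a SigV4 signing key is a credential valid for the whole credential scope, so a debug log containing it is as sensitive as the secret itself. Suggest dropping L26-L27 (and the L18 dump) or reducing them to a fixed `ldout(cct, 10) << "signing key derived for " << credential_scope << dendl;`. The intermediate key material left in the stack buffers `secret_k`/`service_k` is not cleared before return either; not new, but worth a `/* TODO: scrub key material before return */` if a secure-zero helper is available. Minor style: the backslash on L20 is a line continuation outside a macro and can go. The body of `get_v4_signature` on L41-L50 continues past the hunk.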
#ifndef CEPH_RGW_AUTH_S3_H
#define CEPH_RGW_AUTH_S3_H
+#include <array>
#include <string>
#include <tuple>
const std::string& credential_scope,
const std::string& hashed_qr);
-/* TODO(rzarzynski): split the SigningKey calculation into a separated func. */
+std::array<unsigned char, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE>
+get_v4_signing_key(CephContext* const cct,
+ const std::string& credential_scope,
+ const std::string& access_key_secret);
+
std::string get_v4_signature(CephContext* cct,
- const std::string& credential_scope,
- const std::string& string_to_sign,
- const std::string& access_key_secret,
- /* This is a makeshift-only parameter. It'll be killed soon. */
- char (&signing_key)[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]);
+ const std::array<unsigned char, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE>& signing_key,
+ const std::string& string_to_sign);
} /* namespace s3 */
} /* namespace auth */
} /* namespace rgw */
string signature;
string new_signature;
string seed_signature;
- char signing_key[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE];
+ std::array<unsigned char,
+ CEPH_CRYPTO_HMACSHA256_DIGESTSIZE> signing_key;
bufferlist bl;
};
string_to_sign.append(hash_chunk_data);
/* new chunk signature */
-
- char signature_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE];
- calc_hmac_sha256(s->aws4_auth->signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE,
- string_to_sign.c_str(), string_to_sign.size(), signature_k);
-
- char aux[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE * 2 + 1];
- buf_to_hex((unsigned char *) signature_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
-
- string new_chunk_signature = string(aux);
-
- /* FIXME(rzarzynski): clean this up! */
- buf_to_hex((unsigned char *) s->aws4_auth->signing_key,
- CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
- std::string signing_key(aux);
+ const auto sighex = buf_to_hex(calc_hmac_sha256(s->aws4_auth->signing_key,
+ string_to_sign.c_str(),
+ string_to_sign.size()));
+ /* FIXME(rzarzynski): std::string here is really unnecessary. */
+ std::string new_chunk_signature = std::string(sighex.data(), sighex.size());
ldout(s->cct, 20) << "--------------- aws4 chunk validation" << dendl;
ldout(s->cct, 20) << "chunk_signature = " << chunk_signature << dendl;
ldout(s->cct, 20) << "new_chunk_signature = " << new_chunk_signature << dendl;
- ldout(s->cct, 20) << "aws4 chunk signing_key = " << signing_key << dendl;
+ ldout(s->cct, 20) << "aws4 chunk signing_key = "
+ << buf_to_hex(s->aws4_auth->signing_key).data()
+ << dendl;
ldout(s->cct, 20) << "aws4 chunk string_to_sign = "
<< rgw::crypt_sanitize::log_content{string_to_sign.c_str()}
<< dendl;
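Review bot: `std::string(sighex.data(), sighex.size())` on L103 copies every element of the array returned by `buf_to_hex`; if that array is sized to include a terminating NUL (the bare `.data()` use on L109 suggests it is NUL-terminated), `new_chunk_signature` ends in '\0' and will never compare equal to the client-supplied `chunk_signature`. Confirm the return type and, if so, use `std::string new_chunk_signature(sighex.data(), sighex.size() - 1);` or simply `std::string new_chunk_signature(sighex.data());`. Separately, L108-L110 write the hex of the derived signing key to the level-20 log; that value is a scope-bound credential, so the dump turns the log file into key material — drop it or log only that the key is present. The enclosing function starts and ends outside the hunk.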
return -ENOMEM;
}
+ /* FIXME(rzarzynski): clean this up! */
std::string encoded_policy_str(s->auth.s3_postobj_creds.encoded_policy.c_str(),
s->auth.s3_postobj_creds.encoded_policy.length());
+
+ s->aws4_auth->signing_key = \
+ rgw::auth::s3::get_v4_signing_key(s->cct, cs_aux, s3_secret_key);
+
std::string new_signature_str = \
rgw::auth::s3::get_v4_signature(s->cct,
- cs_aux,
- encoded_policy_str,
- s3_secret_key,
- s->aws4_auth->signing_key);
+ s->aws4_auth->signing_key,
+ encoded_policy_str);
ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl;
ldout(s->cct, 10) << "Signature = " << received_signature_str << dendl;
}
const RGWAccessKey& k = iter->second;
+ s->aws4_auth->signing_key = \
+ rgw::auth::s3::get_v4_signing_key(s->cct,
+ s->aws4_auth->credential_scope, k.key);
s->aws4_auth->new_signature = \
- rgw::auth::s3::get_v4_signature(s->cct,
- s->aws4_auth->credential_scope,
- string_to_sign,
- k.key /* in */, s->aws4_auth->signing_key /* out */);
+ rgw::auth::s3::get_v4_signature(s->cct, s->aws4_auth->signing_key,
+ string_to_sign);
ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl;