diff --git a/common/etc/nginx/include/awssig4.js b/common/etc/nginx/include/awssig4.js
index 2b1d2e0..318a5f3 100644
--- a/common/etc/nginx/include/awssig4.js
+++ b/common/etc/nginx/include/awssig4.js
@@ -28,7 +28,8 @@ const EMPTY_PAYLOAD_HASH = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495
 * Constant defining the headers being signed.
 * @type {string}
 */
-const DEFAULT_SIGNED_HEADERS = 'host;x-amz-content-sha256;x-amz-date';
+// const DEFAULT_SIGNED_HEADERS = 'host;x-amz-content-sha256;x-amz-date';
+const DEFAULT_SIGNED_HEADERS = 'host;x-amz-date';
 /**
@@ -84,7 +85,9 @@ function _buildCanonicalRequest(r,
 r.log(' - amzDatetime : ' + amzDatetime)
 r.log(' - request body: ' + r.variables.request_body)
 r.log(' - content_type: ' + r.variables.content_type)
- const payloadHash = awsHeaderPayloadHash(r);
+ r.log(' - lambda_payload_hash: ' + r.variables.lambda_payload_hash)
+ const payloadHash = r.variables.lambda_payload_hash; //awsHeaderPayloadHash(r);
+ // const payloadHash = awsHeaderPayloadHash(r);
 let canonicalHeaders = '';
 if (r.variables.content_type) {
 canonicalHeaders += 'content-type:' + r.variables.content_type + '\n'
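Review bot: `x-amz-content-sha256` is removed from DEFAULT_SIGNED_HEADERS while the header is still sent upstream (v4_headers.conf.template in this same change), so the CanonicalHeaders block assembled in _buildCanonicalRequest (outside this hunk) must omit that header as well, otherwise SignedHeaders and CanonicalHeaders disagree and the service rejects the signature. If leaving it unsigned is deliberate, say so in the doc comment instead of keeping the old value as a comment, e.g. `* Constant defining the headers being signed. x-amz-content-sha256 is intentionally not signed; the body is still bound to the signature through the payloadHash embedded in the canonical request.`, and delete the `// const DEFAULT_SIGNED_HEADERS = ...` line.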
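Review bot: `r.variables.lambda_payload_hash` is only defined by the `set` added to v4_headers.conf.template, so for any request that reaches _buildCanonicalRequest without having passed through that v4 include the value is undefined and, as far as the visible code goes, the canonical request is built from the text `undefined`, yielding a signature that fails in a hard-to-diagnose way. Keep the in-module hash as the fallback, `const payloadHash = r.variables.lambda_payload_hash || awsHeaderPayloadHash(r);`, and drop the trailing `//awsHeaderPayloadHash(r)` and the commented `// const payloadHash = awsHeaderPayloadHash(r);` line. _buildCanonicalRequest starts and ends outside this hunk.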
@@ -276,21 +279,50 @@ function _splitCachedValues(cached) {
 * @param r {Request} HTTP request object
 * @returns {string} payload hash
 */
+// async function awsHeaderPayloadHash2(r) {
+// r.log('start awsHeaderPayloadHash-2(): ');
+// r.log(' - request_id 2 : ' + r.variables.request_id);
+// const reqBodyStr = r.variables.request_body;
+// r.log(' - req body str2: ' + reqBodyStr)
+
+// const encoder = new TextEncoder();
+// const data = encoder.encode(reqBodyStr);
+// const hash = await crypto.subtle.digest("SHA-256", data);
+// const payloadHash = Buffer.from(hash).toString('hex');
+// r.log(' - payload Hash2: ' + payloadHash)
+// r.setReturnValue(payloadHash);
+// r.log('finish awsHeaderPayloadHash-2(): ');
+// }
+
+async function awsHeaderPayloadHash2(r) {
+ r.log('start awsHeaderPayloadHash-2(): ');
+ r.log(' - request_id 2 : ' + r.variables.request_id);
+ let hash = await crypto.subtle.digest('SHA-256', r.variables.request_body);
+ const payloadHash = Buffer.from(hash).toString('hex');
+ r.log(' - payload Hash2: ' + payloadHash)
+ r.setReturnValue(Buffer.from(hash).toString('hex'));
+ r.log('finish awsHeaderPayloadHash-2(): ');
+}
+
 function awsHeaderPayloadHash(r) {
 // Empty payload only works with this crypt library.
 // TODO: Need to either find the right library or implement the crypto lib.
 // const reqBodyStr = JSON.stringify(r.variables.request_body);
 const reqBodyStr = r.variables.request_body;
+ r.log('start awsHeaderPayloadHash(): ');
+ r.log(' - request_id : ' + r.variables.request_id);
 r.log(' - req body str: ' + reqBodyStr)
 const payloadHash = mod_hmac.createHash('sha256', 'utf8')
 .update(reqBodyStr)
 .digest('hex');
 r.log(' - payload Hash: ' + payloadHash)
+ r.log('finish awsHeaderPayloadHash(): ');
 return payloadHash;
 }
 export default {
 awsHeaderPayloadHash,
+ awsHeaderPayloadHash2,
 signatureV4,
 // These functions do not need to be exposed, but they are exposed so that
 // unit tests can run against them.
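Review bot: awsHeaderPayloadHash2 hands `r.variables.request_body`, a string, directly to `crypto.subtle.digest`, which takes a BufferSource; the commented-out draft above it ran the body through TextEncoder first, and that is the step that went missing (unless njs accepts strings here, which should be confirmed). The function is also `async` yet becomes the `js_set` handler for `$awsPayloadHash` in the v4_js_vars.conf.template hunk; unless the deployed njs version supports an asynchronous js_set handler delivering its result through `r.setReturnValue`, nginx reads the variable before the await settles and gets an empty value, so check the njs reference for the version in use. The fifteen-line commented copy of the function, the second `Buffer.from(hash).toString('hex')` on the setReturnValue line, the never-reassigned `let hash`, and the JSDoc for awsHeaderPayloadHash now sitting above awsHeaderPayloadHash2 should be cleaned up along the lines below (trace logging trimmed).
```javascript
/**
 * Computes the SHA-256 hex digest of the request body for use as the
 * x-amz-content-sha256 value. The result is handed back through
 * r.setReturnValue() because the WebCrypto digest is awaited.
 *
 * @param r {Request} HTTP request object
 */
async function awsHeaderPayloadHash2(r) {
    // digest() wants bytes; encode() of an undefined body is expected to give an empty buffer — confirm in njs
    const body = new TextEncoder().encode(r.variables.request_body);
    const digest = await crypto.subtle.digest('SHA-256', body);
    const payloadHash = Buffer.from(digest).toString('hex');
    r.log(' - payload Hash2: ' + payloadHash);
    r.setReturnValue(payloadHash);
}

/**
 * @param r {Request} HTTP request object
 * @returns {string} payload hash
 */
// … unchanged: awsHeaderPayloadHash body and the export block …
```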
diff --git a/common/etc/nginx/templates/default.conf.template b/common/etc/nginx/templates/default.conf.template
index b473d0c..65688ca 100644
--- a/common/etc/nginx/templates/default.conf.template
+++ b/common/etc/nginx/templates/default.conf.template
@@ -105,9 +105,6 @@ server {
 }
 location @lambda {
- # We include only the headers needed for the authentication signatures that
- # we plan to use.
- include /etc/nginx/conf.d/gateway/v${AWS_SIGS_VERSION}_headers.conf;
 # The CORS configuration needs to be imported in several places in order for
 # it to be applied within different contexts.
@@ -125,6 +122,10 @@ server {
 proxy_set_header Authorization $lambdaAuth;
 proxy_set_header X-Amz-Security-Token $awsSessionToken;
+ # We include only the headers needed for the authentication signatures that
+ # we plan to use.
+ include /etc/nginx/conf.d/gateway/v${AWS_SIGS_VERSION}_headers.conf;
+
 # We set the host as the bucket name to inform the S3 API of the bucket
 #proxy_set_header Host $s3_host_hdr;
diff --git a/common/etc/nginx/templates/gateway/v4_headers.conf.template b/common/etc/nginx/templates/gateway/v4_headers.conf.template
index c7d37bc..c25f707 100644
--- a/common/etc/nginx/templates/gateway/v4_headers.conf.template
+++ b/common/etc/nginx/templates/gateway/v4_headers.conf.template
@@ -1,4 +1,8 @@
 # This header is needed when doing v4 signature authentication. It
 # specifies the timestamp in which the signature was generated.
 proxy_set_header x-amz-date $awsDate;
-proxy_set_header x-amz-content-sha256 $awsPayloadHash;
+
+set $lambda_payload_hash $awsPayloadHash;
+proxy_set_header x-amz-content-sha256 $lambda_payload_hash;
+#proxy_set_header x-amz-content-sha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'; #$awsPayloadHash;
+#proxy_set_header x-amz-content-sha256 $awsPayloadHash;
diff --git a/common/etc/nginx/templates/gateway/v4_js_vars.conf.template b/common/etc/nginx/templates/gateway/v4_js_vars.conf.template
index 631876e..dfdebc6 100644
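Review bot: Moving the `include` of v${AWS_SIGS_VERSION}_headers.conf below `proxy_set_header Authorization $lambdaAuth;` changes nothing about evaluation order: `proxy_set_header` directives are order-independent within a block and the `set` the v4 include now carries runs in the rewrite phase wherever it is written, so `$lambda_payload_hash` is not made available to `$lambdaAuth` any earlier by this relocation (this covers both hunks of this file). If the move is purely for readability, make the retained comment say so, e.g. `# Included after the signature headers so the signing-related directives read top to bottom; position has no effect on evaluation.`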
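Review bot: `set $lambda_payload_hash $awsPayloadHash;` resolves the js_set variable in the rewrite phase, which as far as I can tell is before the proxy module has read the request body, so the hash is computed from an empty `$request_body` and can only ever equal the empty-payload digest; the replaced `proxy_set_header x-amz-content-sha256 $awsPayloadHash;` resolved the variable when the upstream headers were built, after the body was available. If the copy exists only so njs can read the value back as `r.variables.lambda_payload_hash`, it is simpler and less fragile to compute the hash once inside the signing code in awssig4.js and emit the header from the value already in hand there. The two commented `#proxy_set_header x-amz-content-sha256 ...` lines, one carrying a hard-coded empty-payload hash literal, should be deleted rather than kept as alternatives.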
--- a/common/etc/nginx/templates/gateway/v4_js_vars.conf.template
+++ b/common/etc/nginx/templates/gateway/v4_js_vars.conf.template
@@ -2,4 +2,4 @@
 # specifies the timestamp in which the signature was generated and is used with
 # the x-amz-date header.
 js_set $awsDate lambdagateway.awsHeaderDate;
-js_set $awsPayloadHash awssig4.awsHeaderPayloadHash;
+js_set $awsPayloadHash awssig4.awsHeaderPayloadHash2;
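Review bot: With both awsHeaderPayloadHash and awsHeaderPayloadHash2 still exported from awssig4.js and only this `js_set` distinguishing them, nothing states which one is the supported producer of `$awsPayloadHash` or why the synchronous one was superseded. Record that here so the next reader does not flip it back, e.g. `# Payload hash via the WebCrypto (async) implementation; the synchronous awsHeaderPayloadHash stays exported for unit tests only.` (adjusting the wording if the synchronous function is kept for another reason).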