From a176ae2ba9bd5129ba6de3b000dab8b4eda36d2b Mon Sep 17 00:00:00 2001
From: MegaWattSec
Date: Thu, 13 Jun 2024 19:48:36 -0400
Subject: [PATCH 1/2] Add support for Unsigned-Payload type of SigV4 signatures.
---
 .../signing/DelegatingAwsRequestSigner.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/main/java/com/netspi/awssigner/signing/DelegatingAwsRequestSigner.java b/src/main/java/com/netspi/awssigner/signing/DelegatingAwsRequestSigner.java
index a1f1690..2edb44e 100644
--- a/src/main/java/com/netspi/awssigner/signing/DelegatingAwsRequestSigner.java
+++ b/src/main/java/com/netspi/awssigner/signing/DelegatingAwsRequestSigner.java
@@ -26,6 +26,7 @@ import java.util.stream.Collectors;
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
 import software.amazon.awssdk.auth.signer.Aws4Signer;
+import software.amazon.awssdk.auth.signer.Aws4UnsignedPayloadSigner;
 import software.amazon.awssdk.auth.signer.AwsS3V4Signer;
 import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
 import software.amazon.awssdk.auth.signer.S3SignerExecutionAttribute;
@@ -102,6 +103,14 @@ public byte[] sign(IHttpRequestResponse messageInfo, IRequestInfo request, Parse
 }
 LogWriter.logDebug("signedHeaderMap: " + signedHeaderMap);
+ //Check header for UNSIGNED-PAYLOAD, indicating auth type v4-unsigned-body is used. There may be other possible indicators.
+ boolean unsignedBodyType = false;
+ for(List value: signedHeaderMap.values()){
+ if (value.contains("UNSIGNED-PAYLOAD")){
+ unsignedBodyType = true;
+ }
+ }
+
 //Build request object for signing
 URI uri;
 try {
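Review bot: The added loop sets `unsignedBodyType` when any signed header has a value equal to `UNSIGNED-PAYLOAD`, rather than when the content-hash header does, so an unrelated signed header carrying that string switches the re-signed request to a signer that leaves the body out of the signature. Reading the flag from the header that declares it would tie the decision to the right field, for example `List<String> hash = signedHeaderMap.get("x-amz-content-sha256");` followed by `boolean unsignedBodyType = hash != null && hash.contains("UNSIGNED-PAYLOAD");`, provided the map keys are stored in that lowercase form, which is not visible here. `List value` reads as a raw type, although the type argument may simply have been lost when the page was rendered. sign() begins before and continues after this hunk.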
@@ -228,6 +237,9 @@ public byte[] sign(IHttpRequestResponse messageInfo, IRequestInfo request, Parse
 if (authHeader.getAlgorithm() == SigningAlgorithm.SIGV4A) {
 LogWriter.logDebug("Handling non-S3 SigV4a signature.");
 signer = AwsCrtV4aSigner.create();
+ } else if (unsignedBodyType) {
+ LogWriter.logDebug("Handling unsigned payload SigV4 signature.");
+ signer = Aws4UnsignedPayloadSigner.create();
 } else {
 LogWriter.logDebug("Handling non-S3 SigV4 signature.");
 signer = Aws4Signer.create();
From 6dc766a569a95e6cd03380a4bade2230eec564ad Mon Sep 17 00:00:00 2001
From: MegaWattSec
Date: Thu, 13 Jun 2024 19:50:43 -0400
Subject: [PATCH 2/2] Fix issue with extra spaces in calculated headers. Some servers return errors from this.
---
 .../netspi/awssigner/signing/DelegatingAwsRequestSigner.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/netspi/awssigner/signing/DelegatingAwsRequestSigner.java b/src/main/java/com/netspi/awssigner/signing/DelegatingAwsRequestSigner.java
index 2edb44e..23ec9b0 100644
--- a/src/main/java/com/netspi/awssigner/signing/DelegatingAwsRequestSigner.java
+++ b/src/main/java/com/netspi/awssigner/signing/DelegatingAwsRequestSigner.java
@@ -96,7 +96,7 @@ public byte[] sign(IHttpRequestResponse messageInfo, IRequestInfo request, Parse
 }).map(header -> {
 //Only keep the header's value.
 //We know from the filter that there is a colon character, so this is safe.
- return header.split(":", 2)[1];
+ return header.split(":", 2)[1].trim();
 }).collect(Collectors.toList());
 LogWriter.logDebug("For header \"" + signedHeader + "\" found the following values: " + headerValues);
 signedHeaderMap.put(signedHeader, headerValues);
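Review bot: In the -228 hunk the new `else if (unsignedBodyType)` branch sits behind the SIGV4A test, so a SigV4a request that declared an unsigned payload is still re-signed by `AwsCrtV4aSigner` with that signer's own payload handling, and the S3 branch, which is outside the hunk, presumably does not consult the flag either. If that is deliberate, a comment on the branch would record it: `// UNSIGNED-PAYLOAD is honoured for non-S3 SigV4 only; SigV4a and S3 signers keep their own payload handling`. As far as I recall from the SDK documentation, Aws4UnsignedPayloadSigner leaves the payload unsigned only over HTTPS, so for plain-HTTP targets the debug line "Handling unsigned payload SigV4 signature." may not describe what was actually signed. The enclosing if/else chain starts and ends outside the hunk.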
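Review bot: The trim added in the -96 hunk is what lets the exact-match `value.contains("UNSIGNED-PAYLOAD")` test from patch 1/2 succeed for a conventionally written `name: value` header, since without it the stored value keeps its leading space; neither the commit message nor the code says so. A comment above the lambda such as `// values are stored trimmed; later exact-match checks on signedHeaderMap rely on this` would keep that dependency visible. The same `header.split(":", 2)[1].trim()` lambda is repeated in the -194 hunk, and a small private helper, e.g. `private static String headerValue(String header) { return header.split(":", 2)[1].trim(); }`, would keep the two copies identical. Both lambdas sit inside sign(), which extends beyond the hunks.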
@@ -194,7 +194,7 @@ public byte[] sign(IHttpRequestResponse messageInfo, IRequestInfo request, Parse
 .map(header -> {
 //Only keep the header's value.
 //We know from the filter that there is a colon character, so this is safe.
- return header.split(":", 2)[1];
+ return header.split(":", 2)[1].trim();
 }).findFirst();
 //We want to find the right region for our request