Documentation
¶
Overview ¶
Package sigv4 verifies AWS S3 request signatures for the two schemes the Forge S3 gateway uses: AWS4-HMAC-SHA256 (SigV4) and AWS4-ECDSA-P256-SHA256 (SigV4a). It is built on the Go standard library only.
Access keys are ed25519 keys; the client's secretAccessKey is the multibase base64url encoding of the multiformat-tagged private key. SigV4 feeds that string into the standard HMAC signing-key chain; SigV4a derives an ECDSA P-256 key from the access key id + secret using AWS's deterministic KDF.
Index ¶
- func DeriveKey(req *SignedRequest, secretAccessKey string) ([]byte, error)
- func ValidateTimeBounds(req *SignedRequest, now time.Time) error
- func Verify(req *SignedRequest, secretAccessKey string) error
- func VerifyWithKey(req *SignedRequest, key []byte) error
- type Request
- type Scheme
- type SignedRequest
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DeriveKey ¶
func DeriveKey(req *SignedRequest, secretAccessKey string) ([]byte, error)
DeriveKey returns the derived signing key for the request, that can be used to verify subsequent requests with the same signature scheme. See VerifyWithKey.
For SigV4 it returns the 32-byte HMAC signing key derived for the request's date/region/service scope (symmetric — used to recompute and compare the HMAC). For SigV4a it returns the 33-byte compressed SEC1 P-256 public key.
func ValidateTimeBounds ¶
func ValidateTimeBounds(req *SignedRequest, now time.Time) error
ValidateTimeBounds checks that the request is still valid at now, bounding signature replay. For presigned requests it enforces the [signedAt, signedAt + X-Amz-Expires] window (and a 7-day cap on X-Amz-Expires). For header-authenticated requests (no X-Amz-Expires) it enforces an X-Amz-Date clock-skew window of ±maxClockSkew.
func Verify ¶
func Verify(req *SignedRequest, secretAccessKey string) error
Verify recomputes the request signature from secretAccessKey (the client's multibase base64url secret) and compares it to the one on the request. It returns nil when the signature is valid.
func VerifyWithKey ¶
func VerifyWithKey(req *SignedRequest, key []byte) error
VerifyWithKey verifies the request signature using a derived key previously produced by DeriveKey.
For SigV4 key is the 32-byte HMAC signing key; for SigV4a it is the 33-byte compressed SEC1 P-256 public key. It returns nil when the signature is valid. It checks only the signature; time bounds, region, and permissions are the caller's responsibility (as with Verify).
Types ¶
type Request ¶
Request is the subset of an HTTP request that sigv4 needs to verify (or produce) a signature. Callers adapt their own request representation to it.
func Presign ¶
func Presign(req Request, accessKeyID, secretAccessKey, region string, scheme Scheme, signedAt time.Time, expires time.Duration) (Request, error)
Presign returns a copy of req signed as a presigned URL (auth in the query string) for the given scheme, valid for expires from signedAt. It mirrors Verify's canonicalization and is primarily used by tests and any client-side signing; Hilt itself only verifies. host is the only signed header.
type SignedRequest ¶
type SignedRequest struct {
Scheme Scheme
AccessKeyID string // bare did:key identifier
Regions []string // credential-scope region (V4) or X-Amz-Region-Set (V4a)
// contains filtered or unexported fields
}
SignedRequest is the parsed authentication state of an S3 request: the public identity fields plus the components needed to recompute the signature.