sigv4

package
v0.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 10, 2026 License: Apache-2.0, MIT Imports: 19 Imported by: 0

Documentation

Overview

Package sigv4 verifies AWS S3 request signatures for the two schemes the Forge S3 gateway uses: AWS4-HMAC-SHA256 (SigV4) and AWS4-ECDSA-P256-SHA256 (SigV4a). It is built on the Go standard library only.

Access keys are ed25519 keys; the client's secretAccessKey is the multibase base64url encoding of the multiformat-tagged private key. SigV4 feeds that string into the standard HMAC signing-key chain; SigV4a derives an ECDSA P-256 key from the access key id + secret using AWS's deterministic KDF.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DeriveKey

func DeriveKey(req *SignedRequest, secretAccessKey string) ([]byte, error)

DeriveKey returns the derived signing key for the request, that can be used to verify subsequent requests with the same signature scheme. See VerifyWithKey.

For SigV4 it returns the 32-byte HMAC signing key derived for the request's date/region/service scope (symmetric — used to recompute and compare the HMAC). For SigV4a it returns the 33-byte compressed SEC1 P-256 public key.

func ValidateTimeBounds

func ValidateTimeBounds(req *SignedRequest, now time.Time) error

ValidateTimeBounds checks that the request is still valid at now, bounding signature replay. For presigned requests it enforces the [signedAt, signedAt + X-Amz-Expires] window (and a 7-day cap on X-Amz-Expires). For header-authenticated requests (no X-Amz-Expires) it enforces an X-Amz-Date clock-skew window of ±maxClockSkew.

func Verify

func Verify(req *SignedRequest, secretAccessKey string) error

Verify recomputes the request signature from secretAccessKey (the client's multibase base64url secret) and compares it to the one on the request. It returns nil when the signature is valid.

func VerifyWithKey

func VerifyWithKey(req *SignedRequest, key []byte) error

VerifyWithKey verifies the request signature using a derived key previously produced by DeriveKey.

For SigV4 key is the 32-byte HMAC signing key; for SigV4a it is the 33-byte compressed SEC1 P-256 public key. It returns nil when the signature is valid. It checks only the signature; time bounds, region, and permissions are the caller's responsibility (as with Verify).

Types

type Request

type Request struct {
	Method  string
	Headers map[string]string
	URL     string
}

Request is the subset of an HTTP request that sigv4 needs to verify (or produce) a signature. Callers adapt their own request representation to it.

func Presign

func Presign(req Request, accessKeyID, secretAccessKey, region string, scheme Scheme, signedAt time.Time, expires time.Duration) (Request, error)

Presign returns a copy of req signed as a presigned URL (auth in the query string) for the given scheme, valid for expires from signedAt. It mirrors Verify's canonicalization and is primarily used by tests and any client-side signing; Hilt itself only verifies. host is the only signed header.

type Scheme

type Scheme string

Scheme identifies an AWS signature algorithm.

const (
	SchemeV4  Scheme = "AWS4-HMAC-SHA256"
	SchemeV4a Scheme = "AWS4-ECDSA-P256-SHA256"
)

type SignedRequest

type SignedRequest struct {
	Scheme      Scheme
	AccessKeyID string   // bare did:key identifier
	Regions     []string // credential-scope region (V4) or X-Amz-Region-Set (V4a)
	// contains filtered or unexported fields
}

SignedRequest is the parsed authentication state of an S3 request: the public identity fields plus the components needed to recompute the signature.

func Parse

func Parse(req Request) (*SignedRequest, error)

Parse extracts the signature fields from an S3 request — from the Authorization header or, for presigned URLs, the X-Amz-* query parameters. It does not verify the signature; call Verify for that.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL