sig

package
v1.78.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Feb 19, 2026 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Overview

Package sig implements helper functions to validate the Streaming AWS Signature Version '4' authorization header.

Index

Constants

// Header names, the SigV4 algorithm label and the presigned-URL lifetime cap.
const (
	// V4authHeaderName is the HTTP header that carries the signature material.
	V4authHeaderName   = "Authorization"
	// V4authHeaderPrefix is the algorithm label; it is the same literal that
	// V4AuthHeaderRegexp expects at the start of the header value.
	V4authHeaderPrefix = "AWS4-HMAC-SHA256"

	// AmzDecodedContentLength is a request header name.
	// NOTE(review): presumably it carries the payload length of a streaming
	// (chunk-signed) upload before chunk framing - confirm against the code
	// that reads it. Being a request header, its value is client-supplied and
	// should be bounds-checked before it sizes any buffer or limit.
	AmzDecodedContentLength = "X-Amz-Decoded-Content-Length"

	// AmzPresignMaxExpires is an upper bound on presigned-URL lifetime.
	// NOTE(review): the code that enforces this bound is not shown here; a
	// presigned URL is a bearer credential for as long as it is valid, so
	// confirm that requests asking for a longer expiry are rejected.
	AmzPresignMaxExpires = 7 * 24 * time.Hour // Maximum expiry duration for presigned URLs (7 days or 604800 seconds)

)
const (
	// AmzMaxClockSkew is the maximum allowed clock skew (15 minutes) for AWS S3 compatibility.
	// All signature methods (V2, JavaV2, V4) validate that request timestamps fall within
	// this window of the server's current time.
	//
	// The check bounds how long a captured, validly signed request stays usable; it does
	// not by itself stop a replay made inside the window.
	// NOTE(review): the check is only as good as the server clock - confirm hosts are
	// time-synchronised, otherwise valid requests fail or stale ones pass.
	AmzMaxClockSkew = 15 * time.Minute
)
const (
	// SlashSeparator is the literal "/" character.
	// NOTE(review): presumably the path / credential-scope separator; its
	// users are not visible in this listing.
	SlashSeparator = "/"
)

Streaming AWS Signature Version '4' constants.

Variables

// Sentinel errors for authorization parsing; compare with errors.Is.
var (
	// ErrHeaderMalformed reports a header that could not be parsed.
	ErrHeaderMalformed        = errors.New("header malformed")
	// ErrBadAuthorizationFormat reports that the request's authorization
	// format is not the one this authenticator handles.
	// NOTE(review): presumably this is what lets ChainedAuthenticator fall
	// through to the next scheme - confirm that only this error, and never a
	// failed signature check, causes a fall-through.
	ErrBadAuthorizationFormat = errors.New("authorization format not supported by this authenticator")
)
var (
	// V4AuthHeaderRegexp matches a SigV4 Authorization header value and
	// captures AccessKeyId, Date, Region, Service, SignatureHeaders and
	// Signature as named groups.
	//
	// NOTE(review): the pattern has no ^ or $ anchors, so on its own it
	// matches anywhere inside a longer string and ignores trailing data;
	// whether callers require a full match is not visible here - confirm.
	// NOTE(review): AccessKeyId is `.{3,20}`, i.e. any 3-20 characters except
	// newline (including "/" and ","), not a restricted key alphabet. Treat the
	// captured value as untrusted input when it is logged or used as a lookup key.
	// Signature is exactly 64 lowercase hex characters; uppercase hex does not
	// match, and because the pattern is unanchored a longer hex run still
	// matches with only its first 64 characters captured.
	V4AuthHeaderRegexp      = regexp.MustCompile(`AWS4-HMAC-SHA256 Credential=(?P<AccessKeyId>.{3,20})/(?P<Date>\d{8})/(?P<Region>[\w\-]+)/(?P<Service>[\w\-]+)/aws4_request,\s*SignedHeaders=(?P<SignatureHeaders>[\w\-\;]+),\s*Signature=(?P<Signature>[abcdef0123456789]{64})`)
	// V4CredentialScopeRegexp matches the credential scope on its own, with the
	// same AccessKeyId, Date, Region and Service groups as the Credential= part
	// of V4AuthHeaderRegexp. It is likewise unanchored and uses the same
	// permissive `.{3,20}` access-key group.
	V4CredentialScopeRegexp = regexp.MustCompile(`(?P<AccessKeyId>.{3,20})/(?P<Date>\d{8})/(?P<Region>[\w\-]+)/(?P<Service>[\w\-]+)/aws4_request`)
)
// Sentinel errors for chunk-length parsing and checksum validation; compare
// with errors.Is. The descriptions below restate the error messages; the
// conditions that raise them are not visible in this listing.
var (
	// ErrInvalidByte: a chunk length field contained an invalid byte.
	ErrInvalidByte          = errors.New("invalid byte in chunk length")
	// ErrChunkTooLarge: a declared chunk length exceeded the accepted size.
	// NOTE(review): the limit itself is not shown - confirm it is applied
	// before any allocation sized from the client-supplied length.
	ErrChunkTooLarge        = errors.New("http chunk length too large")
	// ErrUnsupportedChecksum: the requested checksum algorithm is not supported.
	ErrUnsupportedChecksum  = errors.New("unsupported checksum algorithm")
	// ErrChecksumMismatch: a checksum did not match.
	ErrChecksumMismatch     = errors.New("checksum mismatch")
	// ErrChecksumTypeMismatch: the checksum type did not match.
	ErrChecksumTypeMismatch = errors.New("checksum type mismatch")
)
var (
	// V2AuthHeaderRegexp matches a Signature Version 2 Authorization value of
	// the form "AWS <AccessKeyId>:<Signature>" and captures both parts as
	// named groups.
	//
	// NOTE(review): the pattern is unanchored, and AccessKeyId is `.{3,20}`
	// (any 3-20 characters except newline, ":" included), so the capture is
	// not limited to a key alphabet. Signature accepts any non-empty run of
	// base64 characters with no length check; whether the decoded length is
	// validated later is not visible here - confirm.
	V2AuthHeaderRegexp = regexp.MustCompile(`AWS (?P<AccessKeyId>.{3,20}):(?P<Signature>[A-Za-z0-9+/=]+)`)
)

Functions

func EncodePath

func EncodePath(pathName string) string

EncodePath encodes a string from its UTF-8 byte representation into HTML hex escape sequences. This is necessary because the regular url.Parse() and url.Encode() functions do not support non-English UTF-8 characters; such characters cannot be parsed because of the way url.Encode() is written. This function, on the other hand, is a direct replacement for the url.Encode() technique and supports pretty much every UTF-8 character.

func Equal

func Equal(sig1, sig2 []byte) bool

func GetChecksumWriter added in v1.56.0

func GetChecksumWriter(name string) (hash.Hash, error)

GetChecksumWriter returns the appropriate hash.Hash implementation for the given checksum algorithm

func GetChunkSignature added in v1.75.0

func GetChunkSignature(cred *model.Credential, seedSignature string, region string, service string, date time.Time, hashedChunk string) string

GetChunkSignature - get chunk signature. Exported for testing purposes.

func IsAWSSignedRequest added in v0.48.0

func IsAWSSignedRequest(req *http.Request) bool

func NewSha265Reader

func NewSha265Reader(src io.ReadCloser, sha256Hex string) (io.ReadCloser, error)

func V4Verify

func V4Verify(auth V4Auth, credentials *model.Credential, r *http.Request) error

func ValidateClockSkew added in v1.75.0

func ValidateClockSkew(now, requestTime time.Time) error

ValidateClockSkew ensures the request timestamp is within AmzMaxClockSkew (15 minutes) of the current time, which limits the window in which a captured request can be replayed. This validation is used by all AWS signature methods (V2, JavaV2, V4).

Types

type ChecksumAlgorithm added in v1.56.0

type ChecksumAlgorithm string

ChecksumAlgorithm represents the type of checksum algorithm used for trailers

// Supported trailer checksum algorithms. Each value is the lowercase
// "x-amz-checksum-*" name of the corresponding checksum field.
//
// The CRC variants detect accidental corruption only; they are not
// cryptographic and give no protection against deliberate modification.
// NOTE(review): SHA-1 is no longer collision-resistant - if a checksum is
// relied on for tamper evidence rather than transfer integrity, prefer SHA-256.
const (
	ChecksumAlgorithmCRC32     ChecksumAlgorithm = "x-amz-checksum-crc32"
	ChecksumAlgorithmCRC32C    ChecksumAlgorithm = "x-amz-checksum-crc32c"
	ChecksumAlgorithmCRC64NVME ChecksumAlgorithm = "x-amz-checksum-crc64nvme"
	ChecksumAlgorithmSHA256    ChecksumAlgorithm = "x-amz-checksum-sha256"
	ChecksumAlgorithmSHA1      ChecksumAlgorithm = "x-amz-checksum-sha1"
	// ChecksumAlgorithmInvalid is the empty string, which is also the zero
	// value of ChecksumAlgorithm, so an unset field compares equal to it.
	ChecksumAlgorithmInvalid   ChecksumAlgorithm = ""
)

type JavaV2Signer added in v1.19.0

type JavaV2Signer struct {
	// contains filtered or unexported fields
}

func NewJavaV2SigAuthenticator added in v1.19.0

func NewJavaV2SigAuthenticator(r *http.Request, bareDomain string) *JavaV2Signer

func (*JavaV2Signer) Parse added in v1.19.0

func (j *JavaV2Signer) Parse() (SigContext, error)

func (*JavaV2Signer) Verify added in v1.19.0

func (j *JavaV2Signer) Verify(creds *model.Credential) error

type JavaV2SignerContext added in v1.19.0

type JavaV2SignerContext struct {
	// contains filtered or unexported fields
}

func (*JavaV2SignerContext) GetAccessKeyID added in v1.19.0

func (j *JavaV2SignerContext) GetAccessKeyID() string

type Sha256Reader

type Sha256Reader struct {
	// contains filtered or unexported fields
}

func (*Sha256Reader) Close

func (r *Sha256Reader) Close() error

func (*Sha256Reader) Read

func (r *Sha256Reader) Read(p []byte) (int, error)

func (*Sha256Reader) Verify

func (r *Sha256Reader) Verify() error

type SigAuthenticator

// SigAuthenticator is the two-step contract shared by the signature schemes
// in this package: V2SigAuthenticator, JavaV2Signer and V4Authenticator all
// declare these two methods.
//
// NOTE(review): Parse takes no credential, so a nil error from Parse
// presumably means only that the request was well-formed. A request should be
// treated as authenticated only after Verify has returned nil - confirm that
// no caller acts on the SigContext alone.
type SigAuthenticator interface {
	// Parse returns a SigContext for the request, or an error.
	Parse() (SigContext, error)
	// Verify checks the request against the supplied credential and returns
	// nil on success. NOTE(review): presumably the credential is the one
	// looked up from SigContext.GetAccessKeyID - confirm.
	Verify(*model.Credential) error
}

func ChainedAuthenticator

func ChainedAuthenticator(methods ...SigAuthenticator) SigAuthenticator

type SigContext

// SigContext is the result of SigAuthenticator.Parse. It exposes only the
// access key ID named by the request.
// NOTE(review): the ID comes from the request and is unauthenticated at this
// point; use it to look up the credential, not as proof of identity.
type SigContext interface {
	// GetAccessKeyID returns the access key ID as a string.
	GetAccessKeyID() string
}

type V2SigAuthenticator

type V2SigAuthenticator struct {
	// contains filtered or unexported fields
}

func NewV2SigAuthenticator

func NewV2SigAuthenticator(r *http.Request, bareDomain string) *V2SigAuthenticator

func (*V2SigAuthenticator) Parse

func (a *V2SigAuthenticator) Parse() (SigContext, error)

func (*V2SigAuthenticator) String

func (a *V2SigAuthenticator) String() string

func (*V2SigAuthenticator) Verify

func (a *V2SigAuthenticator) Verify(creds *model.Credential) error

type V4Auth

// V4Auth holds the SigV4 parameters of a request; ParseV4AuthContext returns
// it from an *http.Request and V4Verify consumes it.
//
// NOTE(review): the fields appear to be taken from the request, so they are
// client-controlled until V4Verify succeeds - confirm against the parser.
type V4Auth struct {
	// AccessKeyID, Date, Region and Service mirror the named groups of
	// V4AuthHeaderRegexp / V4CredentialScopeRegexp.
	AccessKeyID         string
	// Date is kept as a string; the regexps capture it as eight digits.
	Date                string
	// NOTE(review): presumably the presigned-URL lifetime; the unit is not
	// visible here (the AmzPresignMaxExpires comment speaks of seconds) and it
	// is signed, so confirm negative values are rejected.
	Expires             int64
	Region              string
	Service             string
	// SignedHeaders and SignedHeadersString presumably hold the same header
	// list in split and raw form - confirm they cannot disagree.
	SignedHeaders       []string
	SignedHeadersString string
	// Signature is the signature claimed by the request, as a string.
	Signature           string
	// ChecksumAlgorithm is a plain string here, not the ChecksumAlgorithm type.
	ChecksumAlgorithm   string
	// IsPresigned presumably marks query-string (presigned URL) authentication
	// as opposed to the Authorization header - confirm.
	IsPresigned         bool
}

func ParseV4AuthContext

func ParseV4AuthContext(r *http.Request) (V4Auth, error)

func (V4Auth) GetAccessKeyID

func (a V4Auth) GetAccessKeyID() string

type V4Authenticator

type V4Authenticator struct {
	// contains filtered or unexported fields
}

func NewV4Authenticator

func NewV4Authenticator(r *http.Request) *V4Authenticator

func (*V4Authenticator) Parse

func (a *V4Authenticator) Parse() (SigContext, error)

func (*V4Authenticator) String

func (a *V4Authenticator) String() string

func (*V4Authenticator) Verify

func (a *V4Authenticator) Verify(creds *model.Credential) error

Directories

Path Synopsis
