add content-sha256 header for presign when the signed_body_value is s…

…et to UNSIGNED-PAYLOAD (#248)

.github/workflows/ci.yml

@@ -6,7 +6,7 @@ on:
       - 'main'
 
 env:
-  BUILDER_VERSION: v0.9.62
+  BUILDER_VERSION: v0.9.64
   BUILDER_SOURCE: releases
   BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net
   PACKAGE_NAME: aws-c-auth

source/aws_signing.c

@@ -1336,10 +1336,17 @@ static int s_build_canonical_stable_header_list(
             }
         }
 
-        /*
-         * x-amz-content-sha256 (optional)
-         */
-        if (state->config.signed_body_header == AWS_SBHT_X_AMZ_CONTENT_SHA256) {
+        /* NOTE: Update MAX_AUTHORIZATION_HEADER_COUNT if more headers added */
+    }
+
+    /*
+     * x-amz-content-sha256 (optional)
+     */
+    if (state->config.signed_body_header == AWS_SBHT_X_AMZ_CONTENT_SHA256) {
+        if (state->config.signature_type == AWS_ST_HTTP_REQUEST_HEADERS ||
+            (state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS &&
+             aws_byte_cursor_eq(&state->config.signed_body_value, &g_aws_signed_body_value_unsigned_payload))) {
+            /* Add the x-amz-content-sha256 header for UNSIGNED-PAYLOAD when signing via query params as well. */
             if (s_add_authorization_header(
                     state,
                     stable_header_list,
@@ -1349,8 +1356,6 @@ static int s_build_canonical_stable_header_list(
                 return AWS_OP_ERR;
             }
         }
-
-        /* NOTE: Update MAX_AUTHORIZATION_HEADER_COUNT if more headers added */
     }
 
     *out_required_capacity += aws_array_list_length(stable_header_list) * 2; /*  ':' + '\n' per header */

tests/CMakeLists.txt

@@ -236,6 +236,7 @@ add_test_case(sigv4a_post_header_value_case_test)
 add_test_case(sigv4a_post_vanilla_test)
 add_test_case(sigv4a_post_vanilla_empty_query_value_test)
 add_test_case(sigv4a_post_vanilla_query_test)
+add_test_case(sigv4a_post_unsigned_payload_test)
 add_test_case(sigv4a_post_x_www_form_urlencoded_test)
 add_test_case(sigv4a_post_x_www_form_urlencoded_parameters_test)
 add_test_case(sigv4a_post_sts_header_after_test)
@@ -274,6 +275,7 @@ add_test_case(sigv4_post_header_key_sort_test)
 add_test_case(sigv4_post_header_value_case_test)
 add_test_case(sigv4_post_vanilla_test)
 add_test_case(sigv4_post_vanilla_empty_query_value_test)
+add_test_case(sigv4_post_unsigned_payload_test)
 add_test_case(sigv4_post_vanilla_query_test)
 add_test_case(sigv4_post_x_www_form_urlencoded_test)
 add_test_case(sigv4_post_x_www_form_urlencoded_parameters_test)

tests/aws-signing-test-suite/v4/post-unsigned-payload/context.json

@@ -0,0 +1,13 @@
+{
+    "credentials": {
+        "access_key_id": "AKIDEXAMPLE",
+        "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
+    },
+    "expiration_in_seconds": 3600,
+    "normalize": true,
+    "region": "us-east-1",
+    "service": "service",
+    "sign_body": true,
+    "signed_body_value": "UNSIGNED-PAYLOAD",
+    "timestamp": "2015-08-30T12:36:00Z"
+}

tests/aws-signing-test-suite/v4/post-unsigned-payload/header-canonical-request.txt

@@ -0,0 +1,10 @@
+POST
+/
+
+content-length:13
+host:example.amazonaws.com
+x-amz-content-sha256:UNSIGNED-PAYLOAD
+x-amz-date:20150830T123600Z
+
+content-length;host;x-amz-content-sha256;x-amz-date
+UNSIGNED-PAYLOAD

tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signature.txt

@@ -0,0 +1 @@
+9fb60e8938d2178a7d63b49e055d1e65d8f6226f38846e8e0293bf43ce29050c

tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signed-request.txt

@@ -0,0 +1,8 @@
+POST / HTTP/1.1
+Host:example.amazonaws.com
+Content-Length:13
+X-Amz-Date:20150830T123600Z
+x-amz-content-sha256:UNSIGNED-PAYLOAD
+Authorization:AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=9fb60e8938d2178a7d63b49e055d1e65d8f6226f38846e8e0293bf43ce29050c
+
+Param1=value1

tests/aws-signing-test-suite/v4/post-unsigned-payload/header-string-to-sign.txt

@@ -0,0 +1,4 @@
+AWS4-HMAC-SHA256
+20150830T123600Z
+20150830/us-east-1/service/aws4_request
+9dd145dbd195542d88539477304a02796be6488c02842b4fc1b907203adc8663

tests/aws-signing-test-suite/v4/post-unsigned-payload/query-canonical-request.txt

@@ -0,0 +1,9 @@
+POST
+/
+X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fservice%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=content-length%3Bhost%3Bx-amz-content-sha256
+content-length:13
+host:example.amazonaws.com
+x-amz-content-sha256:UNSIGNED-PAYLOAD
+
+content-length;host;x-amz-content-sha256
+UNSIGNED-PAYLOAD

tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signature.txt

@@ -0,0 +1 @@
+d5b951b200c7f96f239466b3e1978083ccd08678d4aea2b0bebaa6b2cf3d8c13

tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signed-request.txt

@@ -0,0 +1,6 @@
+POST /?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fservice%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-SignedHeaders=content-length%3Bhost%3Bx-amz-content-sha256&X-Amz-Expires=3600&X-Amz-Signature=d5b951b200c7f96f239466b3e1978083ccd08678d4aea2b0bebaa6b2cf3d8c13 HTTP/1.1
+Host:example.amazonaws.com
+Content-Length:13
+x-amz-content-sha256:UNSIGNED-PAYLOAD
+
+Param1=value1

tests/aws-signing-test-suite/v4/post-unsigned-payload/query-string-to-sign.txt

@@ -0,0 +1,4 @@
+AWS4-HMAC-SHA256
+20150830T123600Z
+20150830/us-east-1/service/aws4_request
+24b3d8a2ee4f76884e0b2bedfaeb8f4feca93e09d9e53b7d13bc040efd106329

tests/aws-signing-test-suite/v4/post-unsigned-payload/request.txt

@@ -0,0 +1,5 @@
+POST / HTTP/1.1
+Host:example.amazonaws.com
+Content-Length:13
+
+Param1=value1

tests/aws-signing-test-suite/v4/post-vanilla/context.json

@@ -9,4 +9,4 @@
     "service": "service",
     "sign_body": false,
     "timestamp": "2015-08-30T12:36:00Z"
-}
+}

tests/aws-signing-test-suite/v4/post-x-www-form-urlencoded/context.json

@@ -9,4 +9,4 @@
     "service": "service",
     "sign_body": true,
     "timestamp": "2015-08-30T12:36:00Z"
-}
+}

tests/aws-signing-test-suite/v4a/post-unsigned-payload/context.json

@@ -0,0 +1,13 @@
+{
+    "credentials": {
+        "access_key_id": "AKIDEXAMPLE",
+        "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
+    },
+    "expiration_in_seconds": 3600,
+    "normalize": true,
+    "region": "us-east-1",
+    "service": "service",
+    "sign_body": true,
+    "signed_body_value": "UNSIGNED-PAYLOAD",
+    "timestamp": "2015-08-30T12:36:00Z"
+}

tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-canonical-request.txt

@@ -0,0 +1,11 @@
+POST
+/
+
+content-length:13
+host:example.amazonaws.com
+x-amz-content-sha256:UNSIGNED-PAYLOAD
+x-amz-date:20150830T123600Z
+x-amz-region-set:us-east-1
+
+content-length;host;x-amz-content-sha256;x-amz-date;x-amz-region-set
+UNSIGNED-PAYLOAD

tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signature.txt

@@ -0,0 +1 @@
+3046022100aa754cb9eca1113d88f54d83dc8635b6dd9b0f362e5e6c79c82da930521feb70022100c7f572b03542548c0c66eae6ff77202a175c923219fa413d7619d298618016c3

tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signed-request.txt

@@ -0,0 +1,9 @@
+POST / HTTP/1.1
+Host:example.amazonaws.com
+Content-Length:13
+X-Amz-Date:20150830T123600Z
+X-Amz-Region-Set:us-east-1
+x-amz-content-sha256:UNSIGNED-PAYLOAD
+Authorization:AWS4-ECDSA-P256-SHA256 Credential=AKIDEXAMPLE/20150830/service/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date;x-amz-region-set, Signature=3044022076c0a0e1ec8d3e40dd3d3f9c395c30e9ba7552096b4d8c34596646df2b665c6c0220615a2b2132265e969088895332db7f9b6c9daa957b42a9047d94e392f521d6fb
+
+Param1=value1

tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-string-to-sign.txt

@@ -0,0 +1,4 @@
+AWS4-ECDSA-P256-SHA256
+20150830T123600Z
+20150830/service/aws4_request
+1aa2f34080974173be96cdbddf2e5df2e48a425c6c3ab6cd770c254aaf4898df

tests/aws-signing-test-suite/v4a/post-unsigned-payload/public-key.json

@@ -0,0 +1,4 @@
+{
+  "X":"b6618f6a65740a99e650b33b6b4b5bd0d43b176d721a3edfea7e7d2d56d936b1",
+  "Y":"865ed22a7eadc9c5cb9d2cbaca1b3699139fedc5043dc6661864218330c8e518"
+}

tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-canonical-request.txt

@@ -0,0 +1,9 @@
+POST
+/
+X-Amz-Algorithm=AWS4-ECDSA-P256-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fservice%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-Expires=3600&X-Amz-Region-Set=us-east-1&X-Amz-SignedHeaders=content-length%3Bhost%3Bx-amz-content-sha256
+content-length:13
+host:example.amazonaws.com
+x-amz-content-sha256:UNSIGNED-PAYLOAD
+
+content-length;host;x-amz-content-sha256
+UNSIGNED-PAYLOAD

tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signature.txt

@@ -0,0 +1 @@
+304402203e661f9bc2dc93d9c858e08018d79ad36055eaae449d81321773df4df92d367202204064dfbaec5b2e2860d36b6d11d4eda90b18ff62c8ac14f90e288ef37bcfe15e

tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signed-request.txt

@@ -0,0 +1,6 @@
+POST /?X-Amz-Algorithm=AWS4-ECDSA-P256-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fservice%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-SignedHeaders=content-length%3Bhost%3Bx-amz-content-sha256&X-Amz-Expires=3600&X-Amz-Region-Set=us-east-1&X-Amz-Signature=3045022100b32d20d894fb447713b4ba31a7983b04a7c7551b597dbd0b5478af0cc98ee33802201b4d03ad196f18baa962102b166eec484819c34be71a56e10b494146ebe043cc HTTP/1.1
+Host:example.amazonaws.com
+Content-Length:13
+x-amz-content-sha256:UNSIGNED-PAYLOAD
+
+Param1=value1

tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-string-to-sign.txt

@@ -0,0 +1,4 @@
+AWS4-ECDSA-P256-SHA256
+20150830T123600Z
+20150830/service/aws4_request
+41fc1ad3ae67d78001e68d2e0e3149bd0f6f45f44ae68b3e615c2ee4183aa2d1

tests/aws-signing-test-suite/v4a/post-unsigned-payload/request.txt

@@ -0,0 +1,5 @@
+POST / HTTP/1.1
+Host:example.amazonaws.com
+Content-Length:13
+
+Param1=value1

tests/sigv4_signing_tests.c

@@ -209,6 +209,7 @@ struct v4_test_context {
     struct aws_credentials *credentials;
     bool should_normalize;
     bool should_sign_body;
+    struct aws_string *signed_body_value;
     uint64_t expiration_in_seconds;
     struct aws_input_stream *payload_stream;
     struct aws_ecc_key_pair *signing_key;
@@ -242,6 +243,7 @@ static void s_v4_test_context_clean_up(struct v4_test_context *context) {
     aws_string_destroy(context->region_config);
     aws_string_destroy(context->service);
     aws_string_destroy(context->timestamp);
+    aws_string_destroy(context->signed_body_value);
     aws_credentials_release(context->credentials);
 
     aws_mutex_clean_up(&context->lock);
@@ -265,6 +267,7 @@ AWS_STATIC_STRING_FROM_LITERAL(s_service_name, "service");
 AWS_STATIC_STRING_FROM_LITERAL(s_timestamp_name, "timestamp");
 AWS_STATIC_STRING_FROM_LITERAL(s_normalize_name, "normalize");
 AWS_STATIC_STRING_FROM_LITERAL(s_body_name, "sign_body");
+AWS_STATIC_STRING_FROM_LITERAL(s_signed_body_value_name, "signed_body_value");
 AWS_STATIC_STRING_FROM_LITERAL(s_expiration_name, "expiration_in_seconds");
 AWS_STATIC_STRING_FROM_LITERAL(s_omit_token_name, "omit_session_token");
 
@@ -385,6 +388,20 @@ static int s_v4_test_context_parse_context_file(struct v4_test_context *context)
 
     aws_json_value_get_boolean(body_node, &context->should_sign_body);
 
+    struct aws_json_value *signed_body_value_node =
+        aws_json_value_get_from_object(document_root, aws_byte_cursor_from_string(s_signed_body_value_name));
+    if (signed_body_value_node != NULL && aws_json_value_is_string(signed_body_value_node)) {
+        struct aws_byte_cursor signed_body_value_cursor;
+        /* Optional field. If not set, ignore it. */
+        if (aws_json_value_get_string(signed_body_value_node, &signed_body_value_cursor) == AWS_OP_ERR) {
+            goto done;
+        }
+        context->signed_body_value = aws_string_new_from_cursor(context->allocator, &signed_body_value_cursor);
+        if (context->signed_body_value == NULL) {
+            goto done;
+        }
+    }
+
     struct aws_json_value *expiration_node =
         aws_json_value_get_from_object(document_root, aws_byte_cursor_from_string(s_expiration_name));
     if (expiration_node == NULL || !aws_json_value_is_number(expiration_node)) {
@@ -587,6 +604,10 @@ static int s_v4_test_context_init_signing_config(
     } else {
         context->config->signed_body_value = g_aws_signed_body_value_empty_sha256;
     }
+    if (context->signed_body_value) {
+        /* Override the signed body value */
+        context->config->signed_body_value = aws_byte_cursor_from_string(context->signed_body_value);
+    }
 
     context->config->credentials = context->credentials;
     context->config->expiration_in_seconds = context->expiration_in_seconds;
@@ -1407,6 +1428,7 @@ DECLARE_SIGV4A_TEST_SUITE_CASE(post_header_value_case, "post-header-value-case")
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_vanilla, "post-vanilla");
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_vanilla_empty_query_value, "post-vanilla-empty-query-value");
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_vanilla_query, "post-vanilla-query");
+DECLARE_SIGV4A_TEST_SUITE_CASE(post_unsigned_payload, "post-unsigned-payload");
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_x_www_form_urlencoded, "post-x-www-form-urlencoded");
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_x_www_form_urlencoded_parameters, "post-x-www-form-urlencoded-parameters");
 DECLARE_SIGV4A_TEST_SUITE_CASE(get_vanilla_with_session_token, "get-vanilla-with-session-token");
@@ -1470,6 +1492,7 @@ DECLARE_SIGV4_TEST_SUITE_CASE(post_header_value_case, "post-header-value-case");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_vanilla, "post-vanilla");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_vanilla_empty_query_value, "post-vanilla-empty-query-value");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_vanilla_query, "post-vanilla-query");
+DECLARE_SIGV4_TEST_SUITE_CASE(post_unsigned_payload, "post-unsigned-payload");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_x_www_form_urlencoded, "post-x-www-form-urlencoded");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_x_www_form_urlencoded_parameters, "post-x-www-form-urlencoded-parameters");
 DECLARE_SIGV4_TEST_SUITE_CASE(get_vanilla_with_session_token, "get-vanilla-with-session-token");