in source/aws_signing.c [2437:2537]
int aws_verify_sigv4a_signing(
struct aws_allocator *allocator,
const struct aws_signable *signable,
const struct aws_signing_config_base *base_config,
struct aws_byte_cursor expected_canonical_request_cursor,
struct aws_byte_cursor signature_cursor,
struct aws_byte_cursor ecc_key_pub_x,
struct aws_byte_cursor ecc_key_pub_y) {
int result = AWS_OP_ERR;
if (base_config->config_type != AWS_SIGNING_CONFIG_AWS) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Signing config is not an AWS signing config");
return aws_raise_error(AWS_AUTH_SIGNING_MISMATCHED_CONFIGURATION);
}
if (aws_validate_aws_signing_config_aws((void *)base_config)) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Signing config failed validation");
return aws_raise_error(AWS_AUTH_SIGNING_INVALID_CONFIGURATION);
}
const struct aws_signing_config_aws *config = (void *)base_config;
if (config->algorithm != AWS_SIGNING_ALGORITHM_V4_ASYMMETRIC) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Signing algorithm is not V4_ASYMMETRIC");
return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);
}
if (config->credentials == NULL) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "AWS credentials were not provided/null");
return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);
}
struct aws_signing_state_aws *signing_state = aws_signing_state_new(allocator, config, signable, NULL, NULL);
if (!signing_state) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to create new signing state");
return AWS_OP_ERR;
}
AWS_LOGF_DEBUG(
AWS_LS_AUTH_SIGNING,
"(id=%p) Verifying v4a signature: \n" PRInSTR "\n\nagainst expected canonical request: \n" PRInSTR
"\n\nusing ecc key:\n X:" PRInSTR "\n Y:" PRInSTR "\n\n",
(void *)signable,
AWS_BYTE_CURSOR_PRI(signature_cursor),
AWS_BYTE_CURSOR_PRI(expected_canonical_request_cursor),
AWS_BYTE_CURSOR_PRI(ecc_key_pub_x),
AWS_BYTE_CURSOR_PRI(ecc_key_pub_y));
struct aws_ecc_key_pair *verification_key =
aws_ecc_key_new_from_hex_coordinates(allocator, AWS_CAL_ECDSA_P256, ecc_key_pub_x, ecc_key_pub_y);
if (verification_key == NULL) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to create an ECC key from provided coordinates");
goto done;
}
if (aws_credentials_get_ecc_key_pair(signing_state->config.credentials) == NULL) {
struct aws_credentials *ecc_credentials =
aws_credentials_new_ecc_from_aws_credentials(allocator, signing_state->config.credentials);
aws_credentials_release(signing_state->config.credentials);
signing_state->config.credentials = ecc_credentials;
if (signing_state->config.credentials == NULL) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to create ECC from provided credentials")
goto done;
}
}
if (aws_signing_build_canonical_request(signing_state)) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to canonicalize request for signing");
goto done;
}
struct aws_byte_cursor canonical_request_cursor = aws_byte_cursor_from_buf(&signing_state->canonical_request);
if (aws_byte_cursor_compare_lexical(&expected_canonical_request_cursor, &canonical_request_cursor) != 0) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Canonicalized request and expected canonical request do not match");
aws_raise_error(AWS_AUTH_CANONICAL_REQUEST_MISMATCH);
goto done;
}
if (aws_signing_build_string_to_sign(signing_state)) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to build string to sign from canonical request");
goto done;
}
if (aws_validate_v4a_authorization_value(
allocator, verification_key, aws_byte_cursor_from_buf(&signing_state->string_to_sign), signature_cursor)) {
AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Signature does not validate");
aws_raise_error(AWS_AUTH_SIGV4A_SIGNATURE_VALIDATION_FAILURE);
goto done;
}
result = AWS_OP_SUCCESS;
done:
if (verification_key) {
aws_ecc_key_pair_release(verification_key);
}
aws_signing_state_destroy(signing_state);
return result;
}