aws: key derivation fix and test case (envoyproxy#34377)

Signed-off-by: Nigel Brittain <nbaws@amazon.com>
alyssawilk · Jun 10, 2024 · ccd1bf9 · ccd1bf9
1 parent 0a6b167
commit ccd1bf9
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 5 deletions.
diff --git a/source/extensions/common/aws/sigv4a_key_derivation.cc b/source/extensions/common/aws/sigv4a_key_derivation.cc
@@ -36,11 +36,11 @@ EC_KEY* SigV4AKeyDerivation::derivePrivateKey(absl::string_view access_key_id,
          (external_counter <= 254)) // MAX_KEY_DERIVATION_COUNTER_VALUE
   {
     fixed_input.clear();
-
     fixed_input.insert(fixed_input.begin(), {0x00, 0x00, 0x00, 0x01});
-    fixed_input.insert(fixed_input.end(), SigV4ASignatureConstants::SigV4AAlgorithm[0],
-                       SigV4ASignatureConstants::SigV4AAlgorithm[0] +
-                           sizeof(SigV4ASignatureConstants::SigV4AAlgorithm));
+    // Workaround for asan optimization issue described here
+    // https://github.com/envoyproxy/envoy/pull/34377
+    absl::string_view s(SigV4ASignatureConstants::SigV4AAlgorithm);
+    fixed_input.insert(fixed_input.end(), s.begin(), s.end());
     fixed_input.insert(fixed_input.end(), 0x00);
     fixed_input.insert(fixed_input.end(), access_key_id.begin(), access_key_id.end());
     fixed_input.insert(fixed_input.end(), external_counter);
@@ -67,7 +67,6 @@ EC_KEY* SigV4AKeyDerivation::derivePrivateKey(absl::string_view access_key_id,
       result = SigV4AKeyDerivationResult::AkdrSuccess;
       // PrivateKey d = c+1
       constantTimeAddOne(&k0);
-
       priv_key_num = BN_bin2bn(k0.data(), k0.size(), nullptr);
 
       // Create a new OpenSSL EC_KEY by curve nid for secp256r1 (NIST P-256)

diff --git a/test/extensions/common/aws/sigv4a_signer_impl_test.cc b/test/extensions/common/aws/sigv4a_signer_impl_test.cc
@@ -501,6 +501,48 @@ TEST_F(SigV4ASignerImplTest, QueryStringDefault5s) {
   EXPECT_TRUE(absl::StrContains(headers.getPathValue(), "X-Amz-Expires=5&"));
 }
 
+// Verify specific key derivations, using values generated from the AWS SDK implementation
+TEST(SigV4AKeyDerivationTest, TestKeyDerivations) {
+  auto ec_key =
+      SigV4AKeyDerivation::derivePrivateKey(absl::string_view("akid"), absl::string_view("secret"));
+
+  auto ec_private_key = EC_KEY_get0_private_key(ec_key);
+  auto hexkey = BN_bn2hex(ec_private_key);
+  EXPECT_STREQ(hexkey, "0a56b8224b63e587ab069a15a730a103add19b45a644a197d24415ff89b993dc");
+  OPENSSL_free(hexkey);
+  EC_KEY_free(ec_key);
+  ec_key = SigV4AKeyDerivation::derivePrivateKey(absl::string_view("akid"),
+                                                 absl::string_view("testkey2"));
+
+  ec_private_key = EC_KEY_get0_private_key(ec_key);
+  hexkey = BN_bn2hex(ec_private_key);
+
+  EXPECT_STREQ(hexkey, "7b6c4f9d70561838cd1160e5e8674bf3a40e8bb3865ccfee37b3c423035a5c43");
+  OPENSSL_free(hexkey);
+  EC_KEY_free(ec_key);
+
+  ec_key = SigV4AKeyDerivation::derivePrivateKey(absl::string_view("akid"),
+                                                 absl::string_view("abcdefghi"));
+
+  ec_private_key = EC_KEY_get0_private_key(ec_key);
+  hexkey = BN_bn2hex(ec_private_key);
+  EXPECT_STREQ(hexkey, "31ce325f5a7e167ce0659aa8fec550c005b892833bcb5627fba6b5c55023f1cc");
+  OPENSSL_free(hexkey);
+  EC_KEY_free(ec_key);
+
+  // This access key secret key combination will push our key derivation into two cycles, for more
+  // code coverage
+  ec_key =
+      SigV4AKeyDerivation::derivePrivateKey(absl::string_view("eb63466a7cf7ee3cd4880df6dc4aaed"),
+                                            absl::string_view("d7e7f9c8f2344a12bc51f3d05a2fb8"));
+
+  ec_private_key = EC_KEY_get0_private_key(ec_key);
+  hexkey = BN_bn2hex(ec_private_key);
+  EXPECT_STREQ(hexkey, "d0fdb7810916566bd91ec0b3d45dcfc01de8f3ffe783754cf7ce4c6dd86f584b");
+  OPENSSL_free(hexkey);
+  EC_KEY_free(ec_key);
+}
+
 } // namespace
 } // namespace Aws
 } // namespace Common