From a67d204c6dcf803dd5ac2bd33604bf88e205bab1 Mon Sep 17 00:00:00 2001 From: Ajay Gupta Date: Thu, 27 Jul 2023 12:29:18 -0400 Subject: [PATCH] RolesAnywhere-4666: Make sign-string documentation more accurate --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8c6fa52..96e54af 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ rolesanywhere-credential-helper implements the [signing process](https://docs.aw ## Building ### Dependencies -In order to build the source code, you will need to install git, gcc, make, and golang. +In order to build the source code, you will need to install git, gcc, GNU make, and golang. #### Linux @@ -38,6 +38,8 @@ The project also comes with two bash scripts at its root, called `generate-certs Reads a certificate that is on disk. Either the path to the certificate on disk is provided with the `--certificate` parameter, or the `--cert-selector` flag is provided to select a certificate within an OS certificate store. Further details about the flag are provided below. +If there are multiple certificates that match a given `--cert-selector`, information about each of them is printed. + #### cert-selector flag If you use Windows or MacOS, the credential helper also supports leveraging private keys and certificates that are in their OS-specific secure stores. In Windows, both CNG and Cryptography are supported, while on MacOS, Keychain Access is supported. Through the `--cert-selector` flag, it is possible to specify which certificate (and associated private key) to use in calling `CreateSession`. The credential helper will then delegate signing operations to the keys within those secure stores, without those keys ever having to leave those stores. It is important to note that on Windows, only the user's "MY" certificate store will be searched by the credential helper, while for MacOS, Keychains on the search list will be searched. 
@@ -73,7 +75,7 @@ The example given here is quite simple (they each only contain a single RDN), so ### sign-string -Signs a string from standard input. Useful for validating your on-disk private key and digest. The path to the private key must be provided with the `--private-key` parameter. Other parameters that can be used are `--digest`, which must be one of `SHA256 (*default*) | SHA384 | SHA512`, and `--format`, which must be one of `text (*default*) | json | bin`. +Signs a fixed strings: `"AWS Roles Anywhere Credential Helper Signing Test" || SIGN_STRING_TEST_VERSION || SHA256("IAM RA" || PUBLIC_KEY_BYTE_ARRAY)`. Useful for validating your private key and digest. Either the path to the private key must be provided with the `--private-key` parameter, or a certificate selector must be provided through the `--cert-selector` parameter (if you want to use the OS certificate store integration). Other parameters that can be used are `--digest`, which must be one of `SHA256 (*default*) | SHA384 | SHA512`, and `--format`, which must be one of `text (*default*) | json | bin`. ### credential-process
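Review bot: The sentence added in the `@@ -38,6 +38,8 @@` hunk covers `read-certificate` only. The surrounding `cert-selector` text says the flag picks a single certificate and private key for `CreateSession`, so the README should also state what the signing subcommands do when several certificates match the selector (fail, or choose one and by what rule); otherwise a user who sees multiple entries printed by `read-certificate` cannot tell which key will actually sign. Suggest adding a second sentence such as: "Other subcommands require the selector to match exactly one certificate" (or whatever the current behaviour is).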
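Review bot: Typo in the new `sign-string` description in the `@@ -73,7 +75,7 @@` hunk: `Signs a fixed strings:` should read `Signs a fixed string:`. The `||` operator is used without being defined; say explicitly that it denotes byte concatenation so a reader can reproduce the exact signed input. Also, the fixed string embeds `SHA256("IAM RA" || PUBLIC_KEY_BYTE_ARRAY)` while the `--digest` parameter still accepts SHA384 and SHA512, so the text should state whether `--digest` affects only the signature digest or also that inner hash. Finally, the old text said the command signed standard input; since the commit message presents this as a documentation fix, it is worth confirming in the README that stdin is now ignored so users do not expect the previous behaviour.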