@@ -237,8 +237,6 @@ mod vault {
237237
238238#[ cfg( feature = "secret-aws" ) ]
239239mod aws {
240- use std:: fmt:: Write as _;
241-
242240 use chrono:: Utc ;
243241 use hmac:: { Hmac , Mac } ;
244242 use sha2:: { Digest , Sha256 } ;
@@ -269,28 +267,26 @@ mod aws {
269267 }
270268
271269 fn hex_encode ( bytes : & [ u8 ] ) -> String {
272- bytes. iter ( ) . fold ( String :: new ( ) , |mut s, b| {
273- write ! ( s, "{b:02x}" ) . expect ( "write to String cannot fail" ) ;
274- s
275- } )
270+ hex:: encode ( bytes)
276271 }
277272
278273 fn sha256_hex ( data : & [ u8 ] ) -> String {
279274 hex_encode ( & Sha256 :: digest ( data) )
280275 }
281276
282- fn hmac_sha256 ( key : & [ u8 ] , data : & [ u8 ] ) -> Vec < u8 > {
283- let mut mac = HmacSha256 :: new_from_slice ( key) . expect ( "HMAC accepts any key size" ) ;
277+ fn hmac_sha256 ( key : & [ u8 ] , data : & [ u8 ] ) -> KResult < Vec < u8 > > {
278+ let mut mac = HmacSha256 :: new_from_slice ( key)
279+ . map_err ( |e| KmsError :: ServerError ( format ! ( "HMAC key error: {e}" ) ) ) ?;
284280 mac. update ( data) ;
285- mac. finalize ( ) . into_bytes ( ) . to_vec ( )
281+ Ok ( mac. finalize ( ) . into_bytes ( ) . to_vec ( ) )
286282 }
287283
288- /// Build the SigV4 signing key:
284+ /// Build the ` SigV4` signing key:
289285 /// `HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")`
290- fn signing_key ( secret : & str , date : & str , region : & str , service : & str ) -> Vec < u8 > {
291- let k_date = hmac_sha256 ( format ! ( "AWS4{secret}" ) . as_bytes ( ) , date. as_bytes ( ) ) ;
292- let k_region = hmac_sha256 ( & k_date, region. as_bytes ( ) ) ;
293- let k_service = hmac_sha256 ( & k_region, service. as_bytes ( ) ) ;
286+ fn signing_key ( secret : & str , date : & str , region : & str , service : & str ) -> KResult < Vec < u8 > > {
287+ let k_date = hmac_sha256 ( format ! ( "AWS4{secret}" ) . as_bytes ( ) , date. as_bytes ( ) ) ? ;
288+ let k_region = hmac_sha256 ( & k_date, region. as_bytes ( ) ) ? ;
289+ let k_service = hmac_sha256 ( & k_region, service. as_bytes ( ) ) ? ;
294290 hmac_sha256 ( & k_service, b"aws4_request" )
295291 }
296292
@@ -314,12 +310,12 @@ mod aws {
314310 // Parameter name starts with '/', e.g. /kms/prod/db
315311 let param_name = rest[ slash..] . to_owned ( ) ;
316312
317- let access_key_id = std:: env:: var ( "AWS_ACCESS_KEY_ID" ) . map_err ( |_ | {
313+ let access_key_id = std:: env:: var ( "AWS_ACCESS_KEY_ID" ) . map_err ( |_e | {
318314 KmsError :: ServerError (
319315 "AWS_ACCESS_KEY_ID env var not set for secret-aws backend" . to_owned ( ) ,
320316 )
321317 } ) ?;
322- let secret_key = std:: env:: var ( "AWS_SECRET_ACCESS_KEY" ) . map_err ( |_ | {
318+ let secret_key = std:: env:: var ( "AWS_SECRET_ACCESS_KEY" ) . map_err ( |_e | {
323319 KmsError :: ServerError (
324320 "AWS_SECRET_ACCESS_KEY env var not set for secret-aws backend" . to_owned ( ) ,
325321 )
@@ -377,21 +373,24 @@ mod aws {
377373 // Canonical headers must be sorted alphabetically by name (lowercased).
378374 // Without session token: content-type, host, x-amz-date, x-amz-target.
379375 // With session token: insert x-amz-security-token between x-amz-date and x-amz-target.
380- let ( canonical_headers, signed_headers) = if let Some ( token) = session_token {
381- (
382- format ! (
383- "content-type:application/x-amz-json-1.1\n host:{host}\n x-amz-date:{datetime}\n x-amz-security-token:{token}\n x-amz-target:AmazonSSM.GetParameter\n "
384- ) ,
385- "content-type;host;x-amz-date;x-amz-security-token;x-amz-target" . to_owned ( ) ,
386- )
387- } else {
388- (
389- format ! (
390- "content-type:application/x-amz-json-1.1\n host:{host}\n x-amz-date:{datetime}\n x-amz-target:AmazonSSM.GetParameter\n "
391- ) ,
392- "content-type;host;x-amz-date;x-amz-target" . to_owned ( ) ,
393- )
394- } ;
376+ let ( canonical_headers, signed_headers) = session_token. map_or_else (
377+ || {
378+ (
379+ format ! (
380+ "content-type:application/x-amz-json-1.1\n host:{host}\n x-amz-date:{datetime}\n x-amz-target:AmazonSSM.GetParameter\n "
381+ ) ,
382+ "content-type;host;x-amz-date;x-amz-target" . to_owned ( ) ,
383+ )
384+ } ,
385+ |token| {
386+ (
387+ format ! (
388+ "content-type:application/x-amz-json-1.1\n host:{host}\n x-amz-date:{datetime}\n x-amz-security-token:{token}\n x-amz-target:AmazonSSM.GetParameter\n "
389+ ) ,
390+ "content-type;host;x-amz-date;x-amz-security-token;x-amz-target" . to_owned ( ) ,
391+ )
392+ } ,
393+ ) ;
395394
396395 let canonical_request =
397396 format ! ( "POST\n /\n \n {canonical_headers}\n {signed_headers}\n {payload_hash}" ) ;
@@ -401,8 +400,8 @@ mod aws {
401400 sha256_hex( canonical_request. as_bytes( ) )
402401 ) ;
403402
404- let key = signing_key ( secret_key, & date, region, service) ;
405- let signature = hex_encode ( & hmac_sha256 ( & key, string_to_sign. as_bytes ( ) ) ) ;
403+ let key = signing_key ( secret_key, & date, region, service) ? ;
404+ let signature = hex_encode ( & hmac_sha256 ( & key, string_to_sign. as_bytes ( ) ) ? ) ;
406405 let authorization = format ! (
407406 "AWS4-HMAC-SHA256 Credential={access_key_id}/{credential_scope}, SignedHeaders={signed_headers}, Signature={signature}"
408407 ) ;
0 commit comments