From 9c191c61b648b6f0074023278159c5df392be048 Mon Sep 17 00:00:00 2001 From: Shawn Kim Date: Mon, 10 Apr 2023 17:25:09 -0700 Subject: [PATCH] feat: payload hash with crypto function --- common/etc/nginx/include/awssig4.js | 36 +++++++++++++++++-- .../etc/nginx/templates/default.conf.template | 7 ++-- .../gateway/v4_headers.conf.template | 6 +++- .../gateway/v4_js_vars.conf.template | 2 +- 4 files changed, 44 insertions(+), 7 deletions(-) diff --git a/common/etc/nginx/include/awssig4.js b/common/etc/nginx/include/awssig4.js index 2b1d2e0..318a5f3 100644 --- a/common/etc/nginx/include/awssig4.js +++ b/common/etc/nginx/include/awssig4.js @@ -28,7 +28,8 @@ const EMPTY_PAYLOAD_HASH = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495 * Constant defining the headers being signed. * @type {string} */ -const DEFAULT_SIGNED_HEADERS = 'host;x-amz-content-sha256;x-amz-date'; +// const DEFAULT_SIGNED_HEADERS = 'host;x-amz-content-sha256;x-amz-date'; +const DEFAULT_SIGNED_HEADERS = 'host;x-amz-date'; /** @@ -84,7 +85,9 @@ function _buildCanonicalRequest(r, r.log(' - amzDatetime : ' + amzDatetime) r.log(' - request body: ' + r.variables.request_body) r.log(' - content_type: ' + r.variables.content_type) - const payloadHash = awsHeaderPayloadHash(r); + r.log(' - lambda_payload_hash: ' + r.variables.lambda_payload_hash) + const payloadHash = r.variables.lambda_payload_hash; //awsHeaderPayloadHash(r); + // const payloadHash = awsHeaderPayloadHash(r); let canonicalHeaders = ''; if (r.variables.content_type) { canonicalHeaders += 'content-type:' + r.variables.content_type + '\n' 
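Review bot: Dropping `x-amz-content-sha256` from DEFAULT_SIGNED_HEADERS while v4_headers.conf.template still sends that header leaves the header value outside the Authorization signature; the body hash still enters the canonical request as the hashed payload, so this may be intentional, but it should be stated in a comment rather than left as the old definition commented out. I would replace the commented line with `// x-amz-content-sha256 is sent but not included in SignedHeaders; the payload hash is bound through the canonical request instead.` once that is confirmed, or restore the header to the signed list if the target service requires it to be signed. The same header handling appears in the v4_headers.conf.template hunk.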
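Review bot: `const payloadHash = r.variables.lambda_payload_hash;` makes _buildCanonicalRequest depend on an nginx variable that is only defined by the `set` in v4_headers.conf.template; if that include is missing in some location, r.variables.lambda_payload_hash is undefined and the canonical request is silently built with the text 'undefined', which surfaces only as a signature mismatch from AWS. A guard such as `if (!payloadHash) { throw new Error('lambda_payload_hash variable is not set'); }` after the assignment would make the misconfiguration explicit. The trailing `//awsHeaderPayloadHash(r);` and the following commented-out line should be deleted rather than kept as alternatives. _buildCanonicalRequest starts and ends outside the hunk.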
@@ -276,21 +279,50 @@ function _splitCachedValues(cached) {
 * @param r {Request} HTTP request object
 * @returns {string} payload hash
 */
+// async function awsHeaderPayloadHash2(r) {
+// r.log('start awsHeaderPayloadHash-2(): ');
+// r.log(' - request_id 2 : ' + r.variables.request_id);
+// const reqBodyStr = r.variables.request_body;
+// r.log(' - req body str2: ' + reqBodyStr)
+
+// const encoder = new TextEncoder();
+// const data = encoder.encode(reqBodyStr);
+// const hash = await crypto.subtle.digest("SHA-256", data);
+// const payloadHash = Buffer.from(hash).toString('hex');
+// r.log(' - payload Hash2: ' + payloadHash)
+// r.setReturnValue(payloadHash);
+// r.log('finish awsHeaderPayloadHash-2(): ');
+// }
+
+async function awsHeaderPayloadHash2(r) {
+ r.log('start awsHeaderPayloadHash-2(): ');
+ r.log(' - request_id 2 : ' + r.variables.request_id);
+ let hash = await crypto.subtle.digest('SHA-256', r.variables.request_body);
+ const payloadHash = Buffer.from(hash).toString('hex');
+ r.log(' - payload Hash2: ' + payloadHash)
+ r.setReturnValue(Buffer.from(hash).toString('hex'));
+ r.log('finish awsHeaderPayloadHash-2(): ');
+}
+
 function awsHeaderPayloadHash(r) {
 // Empty payload only works with this crypt library.
 // TODO: Need to either find the right library or implement the crypto lib.
 // const reqBodyStr = JSON.stringify(r.variables.request_body);
 const reqBodyStr = r.variables.request_body;
+ r.log('start awsHeaderPayloadHash(): ');
+ r.log(' - request_id : ' + r.variables.request_id);
 r.log(' - req body str: ' + reqBodyStr)
 const payloadHash = mod_hmac.createHash('sha256', 'utf8')
 .update(reqBodyStr)
 .digest('hex');
 r.log(' - payload Hash: ' + payloadHash)
+ r.log('finish awsHeaderPayloadHash(): ');
 return payloadHash;
 }

 export default {
 awsHeaderPayloadHash,
+ awsHeaderPayloadHash2,
 signatureV4,
 // These functions do not need to be exposed, but they are exposed so that
 // unit tests can run against them.
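Review bot: awsHeaderPayloadHash2 is declared `async` but is bound through `js_set` in v4_js_vars.conf.template, and njs evaluates variable handlers synchronously, so as far as I can tell the value passed to r.setReturnValue after the `await` arrives too late for the variable; this needs confirming with a request carrying a non-empty body before the old handler is dropped. Within the function `Buffer.from(hash).toString('hex')` is computed twice; the second call should be `r.setReturnValue(payloadHash);`. The fourteen commented-out lines of the earlier draft should be deleted, and the JSDoc block (`@param r`, `@returns {string} payload hash`) now documents that dead code instead of a function; move it onto the new function and state that the hash is delivered through r.setReturnValue. `crypto.subtle.digest('SHA-256', r.variables.request_body)` is also handed a string that can be undefined when no body was read, so the input types accepted by digest in this njs version should be checked.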
diff --git a/common/etc/nginx/templates/default.conf.template b/common/etc/nginx/templates/default.conf.template index b473d0c..65688ca 100644 --- a/common/etc/nginx/templates/default.conf.template +++ b/common/etc/nginx/templates/default.conf.template @@ -105,9 +105,6 @@ server { } location @lambda { - # We include only the headers needed for the authentication signatures that - # we plan to use. - include /etc/nginx/conf.d/gateway/v${AWS_SIGS_VERSION}_headers.conf; # The CORS configuration needs to be imported in several places in order for # it to be applied within different contexts. @@ -125,6 +122,10 @@ server { proxy_set_header Authorization $lambdaAuth; proxy_set_header X-Amz-Security-Token $awsSessionToken; + # We include only the headers needed for the authentication signatures that + # we plan to use. + include /etc/nginx/conf.d/gateway/v${AWS_SIGS_VERSION}_headers.conf; + # We set the host as the bucket name to inform the S3 API of the bucket #proxy_set_header Host $s3_host_hdr; diff --git a/common/etc/nginx/templates/gateway/v4_headers.conf.template b/common/etc/nginx/templates/gateway/v4_headers.conf.template index c7d37bc..c25f707 100644 --- a/common/etc/nginx/templates/gateway/v4_headers.conf.template +++ b/common/etc/nginx/templates/gateway/v4_headers.conf.template @@ -1,4 +1,8 @@ # This header is needed when doing v4 signature authentication. It # specifies the timestamp in which the signature was generated. proxy_set_header x-amz-date $awsDate; -proxy_set_header x-amz-content-sha256 $awsPayloadHash; + +set $lambda_payload_hash $awsPayloadHash; +proxy_set_header x-amz-content-sha256 $lambda_payload_hash; +#proxy_set_header x-amz-content-sha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'; #$awsPayloadHash; +#proxy_set_header x-amz-content-sha256 $awsPayloadHash; diff --git a/common/etc/nginx/templates/gateway/v4_js_vars.conf.template b/common/etc/nginx/templates/gateway/v4_js_vars.conf.template index 631876e..dfdebc6 100644 
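Review bot: The two commented-out `proxy_set_header x-amz-content-sha256` lines added to v4_headers.conf.template, one carrying the hard-coded empty-payload hash literal, are leftover experiments and should be removed; the live `proxy_set_header x-amz-content-sha256 $lambda_payload_hash;` line is the only one needed. `set $lambda_payload_hash $awsPayloadHash;` also changes when the hash is computed: `set` runs in the rewrite phase, before proxy_pass has read the request body, so the js handler presumably sees an empty r.variables.request_body for requests with a payload — verify with a POST before relying on it. Since the file now contains a `set` directive as well as headers, the comment above the include in default.conf.template (`# We include only the headers needed for the authentication signatures`) no longer fully describes it.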
--- a/common/etc/nginx/templates/gateway/v4_js_vars.conf.template
+++ b/common/etc/nginx/templates/gateway/v4_js_vars.conf.template
@@ -2,4 +2,4 @@
 # specifies the timestamp in which the signature was generated and is used with
 # the x-amz-date header.
 js_set $awsDate lambdagateway.awsHeaderDate;
-js_set $awsPayloadHash awssig4.awsHeaderPayloadHash;
+js_set $awsPayloadHash awssig4.awsHeaderPayloadHash2;
pFad - Phonifier reborn
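Review bot: Binding `$awsPayloadHash` to a handler named awsHeaderPayloadHash2 while awsHeaderPayloadHash stays exported, and no longer referenced by any js_set at least in this file, leaves two implementations of the same value with a scratch name in the configuration. Once the crypto.subtle version is confirmed, replace the original in awssig4.js and keep the binding stable, e.g. `js_set $awsPayloadHash awssig4.awsHeaderPayloadHash;`.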
