Hi all,
We have an interesting problem. We are planning to use vRA and vRO for automated provisioning of S3 buckets. To do this, we're planning to use the AWS REST APIs.
When calling these APIs, we need to pass over the secret key and access key by creating (what AWS calls) a signature. The algorithm of the signature is as below.
Refer to link - http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
Per AWS, depending on the SDK/programming language/framework being used to call the AWS REST APIs, the class names and functions used to do these four steps would be different.
We have found these steps in Python, for example.
But the interesting thing is that we are not able to find these cryptography functions in native VRA/VRO API. Can anyone help us here?
Much appreciated.
In order to do this, you'll need to access the Java crypto libraries. In order to access those, you'll have to add a couple of things to the Rhino class shutter file. This enables you to expose Java libraries natively to the vRO scripting environment. To expose the Java libraries, do this:
Restart the vRO server using the command service vco-server restart.
Now you can access those libraries from code. Here is an example of a scriptable task that creates a hash for a given plaintext message and secret. The task takes 2 inputs (strings) - plaintext and secret - and produces one output (string) - hash:
// Wrap the vRO inputs in java.lang.String objects so we can get byte arrays for the JCE calls
var javaStrPlainText = new java.lang.String(plaintext);
var javaStrSecret = new java.lang.String(secret);
// HmacSHA256 is the MAC used by every step of the AWS Signature Version 4 key derivation
var sha256hmac = javax.crypto.Mac.getInstance("HmacSHA256");
// Ask for UTF-8 explicitly rather than the JVM default charset, so non-ASCII input hashes the same way AWS computes it
var keySpec = new javax.crypto.spec.SecretKeySpec(javaStrSecret.getBytes("UTF-8"), "HmacSHA256");
sha256hmac.init(keySpec);
// 'hash' is the task's output attribute. This is Base64; org.apache.commons.codec.binary.Hex.encodeHexString() gives the hex form the AWS docs print
hash = org.apache.commons.codec.binary.Base64.encodeBase64String(sha256hmac.doFinal(javaStrPlainText.getBytes("UTF-8")));
System.log(hash);
Sample run using inputs - plaintext = 'This is a message' ; secret = 'supersecretstring':
[2017-11-20 20:59:57.288] [I] P+GQtjagKxLCrnZ27gM22abua/WJl1vL740NSJshB+U=
Output = 'P+GQtjagKxLCrnZ27gM22abua/WJl1vL740NSJshB+U='
I didn't attempt to piece together the S3 REST calls using this, but it should work. I may try it tomorrow if I have some time.
This looks very useful, but I cannot seem to get the same values as AWS thinks I should get at https://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html, where
key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY and a dateStamp = 20120215 should yield kDate = 969fbb94feb542b71ede6f7e4... When I run code similar to your example I get lp+71P61Q... See attached. What am I missing?
The HMAC-SHA256 and Base64 Encode/Decode methods you're looking for are available with: GitHub - vmware/o11n-plugin-crypto: vRealize Orchestrator Encryption Plugin
An example of a v2 sig for S3 is available here: Examples: REST Authentication Headers · vmware/o11n-plugin-crypto Wiki · GitHub