VMware Cloud Community
nikhilgonsalves
Contributor

VRO 7.3 - AWS REST API - Does VRO have the necessary crypto APIs to create the AWS REST API signature using HMAC SHA-256?

Hi all,

We have an interesting problem. We are planning to use VRA and VRO for automated provisioning of S3 buckets. To do this, we're planning to use the AWS REST APIs.

When calling these APIs, we need to pass over the secret key and access key by creating (what AWS calls) a signature. The algorithm of the signature is as below.

Refer to link - http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html



[Image: AWS SIgnature.png, the signature steps from the linked AWS page]

Per AWS, depending on the SDK/programming language/framework being used to call the AWS REST APIs, the class names and functions used to do these four steps would be different.

We have found these steps in Python, for example.

But the interesting thing is that we are not able to find these cryptography functions in native VRA/VRO API. Can anyone help us here?

Much appreciated.
3 Replies
jasnyder
Hot Shot

In order to do this, you'll need to access the Java crypto libraries.  In order to access those, you'll have to add a couple of things to the Rhino class shutter file.  This enables you to expose Java libraries natively to the vRO scripting environment.  To expose the Java libraries, do this:

  1. Log in to the control center
  2. Click System Properties
  3. Add a new property with the name com.vmware.scripting.rhino-class-shutter-file and the value = /var/lib/vco/app-server/conf/rhinofile
  4. SSH into the vRO appliance and create the /var/lib/vco/app-server/conf/rhinofile file, the contents should be 3 lines (or add these 3 if you have already created this file before)

    java.lang.*
    javax.crypto.*
    org.apache.commons.codec.binary.*

  5. Save the file
  6. Run chown vco:vco /var/lib/vco/app-server/conf/rhinofile

Restart the vRO server using the command service vco-server restart.

Now you can access those libraries from code.  Here is an example of a scriptable task that creates a hash for a given plainText message and secret.  The task takes 2 inputs (strings) - plaintext and secret - and produces one output (string) - hash:

// Wrap the inputs in java.lang.String objects so we can get UTF-8 byte arrays
// for the hashing functions (an explicit charset avoids depending on the JVM default)
var javaStrPlainText = new java.lang.String(plaintext);
var javaStrSecret = new java.lang.String(secret);

// HMAC-SHA256 keyed with the bytes of the secret
var sha256hmac = javax.crypto.Mac.getInstance("HmacSHA256");
var keySpec = new javax.crypto.spec.SecretKeySpec(javaStrSecret.getBytes("UTF-8"), "HmacSHA256");
sha256hmac.init(keySpec);

// Base64-encode the raw MAC bytes (commons-codec) into the task's 'hash' output attribute
hash = org.apache.commons.codec.binary.Base64.encodeBase64String(sha256hmac.doFinal(javaStrPlainText.getBytes("UTF-8")));
System.log(hash);

Sample run using inputs - plaintext = 'This is a message' ; secret = 'supersecretstring':

[2017-11-20 20:59:57.288] [I] P+GQtjagKxLCrnZ27gM22abua/WJl1vL740NSJshB+U=

Output = 'P+GQtjagKxLCrnZ27gM22abua/WJl1vL740NSJshB+U='

I didn't attempt to piece together the S3 REST calls using this, but it should work.  I may try it tomorrow if I have some time.

itviktor
Contributor

This looks very useful, but I cannot seem to get the same values that AWS says I should get at https://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html, where

key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY and a dateStamp = 20120215 should yield kDate = 969fbb94feb542b71ede6f7e4...  When I run code similar to your example I get lp+71P61Q...  See attached.  What am I missing?

Dan_Linsley
VMware Employee

The HMAC-SHA256 and Base64 Encode/Decode methods you're looking for are available with: GitHub - vmware/o11n-plugin-crypto: vRealize Orchestrator Encryption Plugin

An example of a v2 sig for S3 is available here:  Examples: REST Authentication Headers · vmware/o11n-plugin-crypto Wiki · GitHub
