Struct SigningKey

pub struct SigningKey {
    pub kind: SigningKeyKind,
    pub key: Vec<u8>,
}

An AWS SigV4 key for signing requests.

Signing keys are derived from a secret key and are used to sign requests made to AWS services. The raw secret key is hashed with other attributes in the request to derive the signing key.

In the list below, HMAC_SHA256(key, data) denotes the HMAC SHA-256 function with the given key and data.

The stages of derivation are:

  • KSecret: The raw secret key.
  • KDate: The secret key hashed with the request date in UTC formatted as “YYYYMMDD”. This is calculated as HMAC_SHA256("AWS4" + KSecret, request_date).
  • KRegion: The KDate key hashed with the region name. This is calculated as HMAC_SHA256(KDate, region).
  • KService: The KRegion key hashed with the service name. This is calculated as HMAC_SHA256(KRegion, service).
  • KSigning: The KService key hashed with the string "aws4_request". This is calculated as HMAC_SHA256(KService, "aws4_request").

The KSigning key is the most secure key type. If the key is leaked, an attacker can only sign requests for the given date, region, and service. Key store services should never vend anything other than the KSigning key to an application service.

It is not possible to derive an earlier key from a later key—e.g., you cannot derive a KRegion key from a KService key. However, you can derive a later key from an earlier key.
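The derivation stages above, written out with Python's standard hmac and hashlib modules as an added example (not code from this crate). The names derive, STAGES and scope_demo and the sample secret, date, regions and services are assumptions made for illustration; derivation to an earlier stage is rejected.

```python
import hashlib
import hmac
from datetime import date

STAGES = ["KSecret", "KDate", "KRegion", "KService", "KSigning"]  # derivation order


def _hmac_sha256(key: bytes, data: str) -> bytes:
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()


def derive(kind, key: bytes, target, req_date: date, region: str, service: str) -> bytes:
    """Derive the `target` stage from a key of stage `kind` (forward only)."""
    start, end = STAGES.index(kind), STAGES.index(target)
    if end < start:
        # HMAC is one-way: an earlier stage cannot be recovered from a later one.
        raise ValueError(f"cannot derive {target} from {kind}")
    steps = [
        lambda k: _hmac_sha256(b"AWS4" + k, req_date.strftime("%Y%m%d")),  # -> KDate
        lambda k: _hmac_sha256(k, region),                                 # -> KRegion
        lambda k: _hmac_sha256(k, service),                                # -> KService
        lambda k: _hmac_sha256(k, "aws4_request"),                         # -> KSigning
    ]
    for step in steps[start:end]:
        key = step(key)
    return key


def scope_demo() -> dict:
    """Check that a KSigning key is bound to one date, region and service."""
    secret = b"constructed-sample-secret"  # constructed, not a real credential
    day = date(2024, 1, 15)                # constructed sample date
    vended = derive("KSecret", secret, "KSigning", day, "us-east-1", "s3")
    # A holder of only KDate can finish the chain and reaches the same key.
    kdate = derive("KSecret", secret, "KDate", day, "", "")
    via_kdate = derive("KDate", kdate, "KSigning", day, "us-east-1", "s3")
    others = {
        "next day": derive("KSecret", secret, "KSigning", date(2024, 1, 16), "us-east-1", "s3"),
        "other region": derive("KSecret", secret, "KSigning", day, "eu-west-1", "s3"),
        "other service": derive("KSecret", secret, "KSigning", day, "us-east-1", "iam"),
    }
    return {
        "consistent": hmac.compare_digest(vended, via_kdate),
        "reusable_elsewhere": [name for name, k in others.items() if k == vended],
    }


if __name__ == "__main__":
    print(scope_demo())
```
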

Fields

kind: SigningKeyKind

The type of signing key.

key: Vec<u8>

The key itself.

Implementations

impl SigningKey

pub fn try_derive<R, S>(&self, derived_key_kind: SigningKeyKind, req_date: &NaiveDate, region: R, service: S) -> Result<Self, SignatureError>
where R: AsRef<str>, S: AsRef<str>,

Convert this key into the specified kind of key.

It is safe to call this function with the same kind of key as the existing key; this will return a copy of the existing key.

Errors

This function returns an error if the existing key is

pub fn try_to_kservice_key<R, S>(&self, req_date: &NaiveDate, region: R, service: S) -> Result<Self, SignatureError>
where R: AsRef<str>, S: AsRef<str>,

Return a KService key given a KService, KRegion, KDate, or KSecret key.

Errors

SignatureError::InvalidSigningKeyKind is returned if derivation to an earlier kind is attempted, e.g. KRegion into KDate.

pub fn try_to_kregion_key<R>(&self, req_date: &NaiveDate, region: R) -> Result<Self, SignatureError>
where R: AsRef<str>,

Return a KRegion key given a KRegion, KDate, or KSecret key.

Errors

SignatureError::InvalidSigningKeyKind is returned if this is given a KSigning key.

pub fn try_to_kdate_key(&self, req_date: &NaiveDate) -> Result<Self, SignatureError>

Return a KDate key given a KDate or KSecret key.

Errors

SignatureError::InvalidSigningKeyKind is returned if this is given a KRegion, KService, or KSigning key.

pub fn derive<R, S>(&self, derived_key_kind: SigningKeyKind, req_date: &NaiveDate, region: R, service: S) -> Self
where R: AsRef<str>, S: AsRef<str>,

Convert this key into the specified kind of key.

Panics

This function panics if the existing key cannot be derived into the derived key kind. Use try_derive for a non-panicking version.

pub fn to_ksigning_key<R, S>(&self, req_date: &NaiveDate, region: R, service: S) -> Self
where R: AsRef<str>, S: AsRef<str>,

Return a KSigning key given a KSigning, KService, KRegion, KDate, or KSecret key.

This function is infallible; an equivalent try_to_signing_key() method does not exist as a result.

pub fn to_kservice_key<R, S>(&self, req_date: &NaiveDate, region: R, service: S) -> Self
where R: AsRef<str>, S: AsRef<str>,

Return a KService key given a KService, KRegion, KDate, or KSecret key.

Panics

This function will panic if given a KSigning key. Use try_to_kservice_key for a non-panicking version.

pub fn to_kregion_key<R>(&self, req_date: &NaiveDate, region: R) -> Self
where R: AsRef<str>,

Return a KRegion key given a KRegion, KDate, or KSecret key.

Panics

This function will panic if given a KSigning or KService key. Use try_to_kregion_key for a non-panicking version.

pub fn to_kdate_key(&self, req_date: &NaiveDate) -> Self

Return a KDate key given a KDate or KSecret key.

Panics

This function will panic if given a KSigning, KService, or KRegion key. Use try_to_kdate_key for a non-panicking version.

Trait Implementations

impl Clone for SigningKey

fn clone(&self) -> SigningKey

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SigningKey

fn fmt(&self, f: &mut Formatter<'_>) -> FmtResult

Formats the value using the given formatter.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬 This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.