kalihman · November 2, 2023 05:15 · kalihman · Nov 2, 2023
diff --git a/AWS4-Request-Signer.ps1 b/AWS4-Request-Signer.ps1
 # Define Helper Functions
 function Get-Sha256Hash ($StringToHash) {
    $hasher = [System.Security.Cryptography.SHA256]::Create()
    $Hash = ([BitConverter]::ToString($hasher.ComputeHash([Text.Encoding]::UTF8.GetBytes($StringToHash))) -replace '-','').ToLower()
    Write-Output $Hash
 }

 function ConvertTo-SortedDictionary($HashTable) {
    $SortedDictionary = New-Object 'System.Collections.Generic.SortedDictionary[string, string]'
    foreach ($Key in $HashTable.Keys) {
        $SortedDictionary[$Key]=$HashTable[$Key]
    }
    Write-Output $SortedDictionary
 }

 function Sign($Key, $Message) {
    $hmacsha = New-Object System.Security.Cryptography.HMACSHA256
    $hmacsha.Key = $Key
    $hmacsha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Message))
 }

 function Get-SignatureKey($Key, $Date, $Region, $Service) {
    $SignedDate = Sign ([Text.Encoding]::UTF8.GetBytes(('AWS4' + $Key).toCharArray())) $Date
    $SignedRegion = Sign $SignedDate $Region
    $SignedService = Sign $SignedRegion $Service
    Sign $SignedService "aws4_request"
 }

 # Define Credentials
 $Credentials = Invoke-RestMethod http://169.254.169.254/latest/meta-data/iam/security-credentials/BroservEc2InstanceRole
 $AccessKey = $Credentials.AccessKeyId
 $SecretAccessKey = $Credentials.SecretAccessKey
 $Token = $Credentials.Token

 # Define Keywords
 $Action = 'Action=GetCallerIdentity&Version=2011-06-15'
 $EndpointUrl = "sts.amazonaws.com"
 $HTTPRequestMethod = "POST"
 $CanonicalURI = "/"
 $CanonicalQueryString = ""
 $DateTime = [DateTime]::UtcNow.ToString("yyyyMMdd'T'HHmmss'Z'")
 $DateString = [DateTime]::UtcNow.ToString('yyyyMMdd')
 $RequestPayloadHash = Get-Sha256Hash($Action)
 $Region = "us-east-1"
 $Service = "sts"
 $Headers = @{}
 $ContentType = "application/x-www-form-urlencoded"

 # 1. Create a Canonical Request for Signature Version 4
 if (!$Headers["Host"]) { $Headers["Host"] = $EndpointUrl }
 if (!$Headers["X-Amz-Date"]) { $Headers["X-Amz-Date"] = $DateTime }
 if (!$Headers["Content-Type"] -and $ContentType) { $Headers["Content-Type"] = $ContentType }
 if (!$Headers["X-Amz-Security-Token"]) { $Headers["X-Amz-Security-Token"] = $Token }
 if (!$Headers["X-Amz-Content-Sha256"]) { $Headers["X-Amz-Content-Sha256"] = $RequestPayloadHash }
 $SortedHeaders = ConvertTo-SortedDictionary $Headers
 $CanonicalHeaders = (($SortedHeaders.GetEnumerator()  | ForEach-Object { "$($($_.Key).ToLower()):$($_.Value)" }) -join "`n") + "`n"
 $SignedHeaders = ($SortedHeaders.Keys -join ";").ToLower()
 $CanonicalRequest = "$HTTPRequestMethod`n$CanonicalURI`n$CanonicalQueryString`n$CanonicalHeaders`n$SignedHeaders`n$RequestPayloadHash"
 $hasher = [System.Security.Cryptography.SHA256]::Create()
 $CanonicalRequestHash = ([BitConverter]::ToString($hasher.ComputeHash([Text.Encoding]::UTF8.GetBytes($CanonicalRequest))) -replace '-','').ToLower()

 # 2. Create a String to Sign for Signature Version 4
 $AlgorithmDesignation = "AWS4-HMAC-SHA256"
 $CredentialScope = "$DateString/$Region/$Service/aws4_request"
 $StringToSign = "$AlgorithmDesignation`n$DateTime`n$CredentialScope`n$CanonicalRequestHash"

 # 3. Calculate the Signature for AWS Signature Version 4
 $SigningKey = Get-SignatureKey $SecretAccessKey $DateString $Region $Service
 $Signature = ([BitConverter]::ToString((sign $SigningKey $StringToSign)) -replace '-','').ToLower()

 # 4. Add the Signing Information to the Request
 $Headers["Authorization"]="AWS4-HMAC-SHA256 Credential=$AccessKey/$DateString/$Region/$Service/aws4_request, SignedHeaders=$SignedHeaders, Signature=$Signature"

 $Protocol = "https://"
 $Url = $Protocol + $EndpointUrl + $CanonicalURI

 # 5.Optional): Test Request by Sending to Service
 # $Res = Invoke-RestMethod -Method 'POST' -Uri $Url -Headers $Headers -Body $Action
 # Write-Output $res.OuterXml
	# Define Helper Functions
	function Get-Sha256Hash ($StringToHash) {
	$hasher = [System.Security.Cryptography.SHA256]::Create()
	$Hash = ([BitConverter]::ToString($hasher.ComputeHash([Text.Encoding]::UTF8.GetBytes($StringToHash))) -replace '-','').ToLower()
	Write-Output $Hash
	}

	function ConvertTo-SortedDictionary($HashTable) {
	$SortedDictionary = New-Object 'System.Collections.Generic.SortedDictionary[string, string]'
	foreach ($Key in $HashTable.Keys) {
	$SortedDictionary[$Key]=$HashTable[$Key]
	}
	Write-Output $SortedDictionary
	}

	function Sign($Key, $Message) {
	$hmacsha = New-Object System.Security.Cryptography.HMACSHA256
	$hmacsha.Key = $Key
	$hmacsha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Message))
	}

	function Get-SignatureKey($Key, $Date, $Region, $Service) {
	$SignedDate = Sign ([Text.Encoding]::UTF8.GetBytes(('AWS4' + $Key).toCharArray())) $Date
	$SignedRegion = Sign $SignedDate $Region
	$SignedService = Sign $SignedRegion $Service
	Sign $SignedService "aws4_request"
	}

	# Define Credentials
	$Credentials = Invoke-RestMethod http://169.254.169.254/latest/meta-data/iam/security-credentials/BroservEc2InstanceRole
	$AccessKey = $Credentials.AccessKeyId
	$SecretAccessKey = $Credentials.SecretAccessKey
	$Token = $Credentials.Token

	# Define Keywords
	$Action = 'Action=GetCallerIdentity&Version=2011-06-15'
	$EndpointUrl = "sts.amazonaws.com"
	$HTTPRequestMethod = "POST"
	$CanonicalURI = "/"
	$CanonicalQueryString = ""
	$DateTime = [DateTime]::UtcNow.ToString("yyyyMMdd'T'HHmmss'Z'")
	$DateString = [DateTime]::UtcNow.ToString('yyyyMMdd')
	$RequestPayloadHash = Get-Sha256Hash($Action)
	$Region = "us-east-1"
	$Service = "sts"
	$Headers = @{}
	$ContentType = "application/x-www-form-urlencoded"

	# 1. Create a Canonical Request for Signature Version 4
	if (!$Headers["Host"]) { $Headers["Host"] = $EndpointUrl }
	if (!$Headers["X-Amz-Date"]) { $Headers["X-Amz-Date"] = $DateTime }
	if (!$Headers["Content-Type"] -and $ContentType) { $Headers["Content-Type"] = $ContentType }
	if (!$Headers["X-Amz-Security-Token"]) { $Headers["X-Amz-Security-Token"] = $Token }
	if (!$Headers["X-Amz-Content-Sha256"]) { $Headers["X-Amz-Content-Sha256"] = $RequestPayloadHash }
	$SortedHeaders = ConvertTo-SortedDictionary $Headers
	$CanonicalHeaders = (($SortedHeaders.GetEnumerator() \| ForEach-Object { "$($($_.Key).ToLower()):$($_.Value)" }) -join "`n") + "`n"
	$SignedHeaders = ($SortedHeaders.Keys -join ";").ToLower()
	$CanonicalRequest = "$HTTPRequestMethod`n$CanonicalURI`n$CanonicalQueryString`n$CanonicalHeaders`n$SignedHeaders`n$RequestPayloadHash"
	$hasher = [System.Security.Cryptography.SHA256]::Create()
	$CanonicalRequestHash = ([BitConverter]::ToString($hasher.ComputeHash([Text.Encoding]::UTF8.GetBytes($CanonicalRequest))) -replace '-','').ToLower()

	# 2. Create a String to Sign for Signature Version 4
	$AlgorithmDesignation = "AWS4-HMAC-SHA256"
	$CredentialScope = "$DateString/$Region/$Service/aws4_request"
	$StringToSign = "$AlgorithmDesignation`n$DateTime`n$CredentialScope`n$CanonicalRequestHash"

	# 3. Calculate the Signature for AWS Signature Version 4
	$SigningKey = Get-SignatureKey $SecretAccessKey $DateString $Region $Service
	$Signature = ([BitConverter]::ToString((sign $SigningKey $StringToSign)) -replace '-','').ToLower()

	# 4. Add the Signing Information to the Request
	$Headers["Authorization"]="AWS4-HMAC-SHA256 Credential=$AccessKey/$DateString/$Region/$Service/aws4_request, SignedHeaders=$SignedHeaders, Signature=$Signature"

	$Protocol = "https://"
	$Url = $Protocol + $EndpointUrl + $CanonicalURI

	# 5.Optional): Test Request by Sending to Service
	# $Res = Invoke-RestMethod -Method 'POST' -Uri $Url -Headers $Headers -Body $Action
	# Write-Output $res.OuterXml