author | Jason D. McCormick <jason@mfamily.org> | 2017-02-04 12:49:29 -0500 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2017-02-07 09:35:14 -0200 |
commit | 3d7921e89cd05a6913c5b0833e5cbdd371b34397 (patch) | |
tree | 98815ed43afb5fb5478df6b57f3d913b4aae86b5 /src/etc | |
parent | b6461e84e7133c5b6240e0253c13dd4012925777 (diff) | |
implement AWS API v4 signing
(cherry picked from commit ac5ee07ee1daef2f43e728895290ca6d11efe0f3)
Diffstat (limited to 'src/etc')
-rw-r--r-- | src/etc/inc/dyndns.class | 8 | ||||
-rw-r--r-- | src/etc/inc/r53.class | 38 |
2 files changed, 17 insertions, 29 deletions
diff --git a/src/etc/inc/dyndns.class b/src/etc/inc/dyndns.class
index fff3e9f..ddbea57 100644
--- a/src/etc/inc/dyndns.class
+++ b/src/etc/inc/dyndns.class
@@ -128,7 +128,7 @@
 * HE.net IPv6 - Last Tested: 7 July 2013
 * HE.net Tunnel - Last Tested: 28 June 2011
 * SelfHost - Last Tested: 26 December 2011
- * Amazon Route 53 - Last Tested: 30 August 2016
+ * Amazon Route 53 - Last Tested: 04 February 2017
 * DNS-O-Matic - Last Tested: 9 September 2010
 * CloudFlare - Last Tested: 05 September 2016
 * CloudFlare IPv6 - Last Tested: 17 July 2016
@@ -682,10 +682,10 @@
 case 'route53':
 require_once("r53.class");
 $r53 = new Route53($this->_dnsUser, $this->_dnsPass);
- $apiurl = $r53->getApiUrl($this->_dnsZoneID);
+ list($r53_regionId, $r53_zoneId) = split('/', $this->_dnsZoneID);
+ $apiurl = $r53->getApiUrl($r53_zoneId);
 $xmlreq = $r53->getRequestBody($this->_dnsHost, $this->_dnsIP, $this->_dnsTTL);
- $httphead = $r53->getHttpPostHeaders($this->_dnsZoneId, "us-east-1",
- hash("sha256",$xmlreq));
+ $httphead = $r53->getHttpPostHeaders($r53_zoneId, $r53_regionId, hash("sha256",$xmlreq));
 curl_setopt($ch, CURLOPT_HTTPHEADER, $httphead);
 if($this->_dnsVerboseLog){
 log_error(sprintf("Sending reuquest to: %s", $apiurl));
diff --git a/src/etc/inc/r53.class b/src/etc/inc/r53.class
index 21a4a61..4ec4cd9 100644
--- a/src/etc/inc/r53.class
+++ b/src/etc/inc/r53.class
@@ -83,7 +83,7 @@ class Route53
 * @return string XML document
 */
 public function getRequestBody($fqdn, $ip, $ttl){
- $xmlreq .= "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
+ $xmlreq = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
 $xmlreq .= "<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\">";
 $xmlreq .= "<ChangeBatch><Changes><Change>";
 $xmlreq .= "<Action>UPSERT</Action>";
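Review bot: `list($r53_regionId, $r53_zoneId) = split('/', $this->_dnsZoneID);` changes the meaning of the stored Zone ID field with no fallback: a configuration saved before this commit holds a bare hosted-zone ID, so the split yields one element, `$r53_zoneId` is set to null with only an undefined-offset notice, and the zone ID itself is passed to `getHttpPostHeaders()` as the region, so the request is presumably signed for a nonsense region and aimed at an empty zone. `split()` is also the deprecated POSIX-regex function (gone in PHP 7), so `explode()` is the right call regardless. I would parse the field with a count check and default the region to `us-east-1`, which is what the removed call hard-coded and which, as far as I know, is the region Route 53 requests are signed for. The enclosing `case 'route53':` block and its function start and end outside the hunk.
```php
$r53_parts = explode('/', $this->_dnsZoneID, 2);
if (count($r53_parts) == 2) {
	list($r53_regionId, $r53_zoneId) = $r53_parts;
} else {
	/* Configs written before region/zone syntax hold only the hosted zone ID;
	 * keep the region the previous code hard-coded so they keep working. */
	$r53_regionId = "us-east-1";
	$r53_zoneId = $r53_parts[0];
}
$apiurl = $r53->getApiUrl($r53_zoneId);
// … unchanged: request body, signed headers, curl options, verbose logging …
```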
@@ -123,45 +123,33 @@ class Route53
 $amz_date = sprintf("%sT%sZ", gmdate('Ymd'), gmdate('His'));
 $date_stamp = gmdate('Ymd');
- $canonical_headers = sprintf("content-type:%s\nhost:%s\n:x-amx-date:%s\n",
+ $canonical_headers = sprintf("content-type:%s\nhost:%s\nx-amz-date:%s\n",
 "text/xml", "route53.amazonaws.com", $amz_date);
 $signed_headers = "content-type;host;x-amz-date";
- $canonical_request = sprintf("%s\n%s\n/\n/%s\n%s\n%s\n ",
+ $canonical_request = sprintf("%s\n%s\n\n%s\n%s\n%s",
 "POST", $canonical_uri, $canonical_headers, $signed_headers, $requestBodySHA256);
- $algorithm = "AWS4-HMAC-SHA256";
- $credential_scope = sprintf("%s/%s/%s/%s", $date_stamp, $regionId, "route53domains", "aws4_request");
- $string_to_sign = sprintf("%s\n%s\n%s\n%s ",
+ $credential_scope = sprintf("%s/%s/%s/%s", $date_stamp, $regionId, "route53", "aws4_request");
+ $string_to_sign = sprintf("%s\n%s\n%s\n%s",
 $algorithm, $amz_date, $credential_scope, hash("sha256", $canonical_request));
- $signing_key = getAWS4SigningKey($this->__secretKey, $date_stamp, $regionId);
- $signature = hash_hmac("sha256", $string_to_sign, $signing_key);
+ $kSecret = sprintf("AWS4%s", $this->__secretKey);
+ $kDate = hash_hmac("sha256", $date_stamp, $kSecret, true);
+ $kRegion = hash_hmac("sha256", $regionId, $kDate, true);
+ $kService = hash_hmac("sha256", "route53", $kRegion, true);
+ $signing_key = hash_hmac("sha256","aws4_request", $kService, true);
+
+ $signature = bin2hex(hash_hmac("sha256", $string_to_sign, $signing_key, true));
- $authorization_header = sprintf("%s Credential=%s/%s, SignedHeader=%s Signature=%s",
+ $authorization_header = sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
 $algorithm, $this->__accessKey, $credential_scope, $signed_headers, $signature);
- $httphead[] = array();
 $httphead[] = "Content-Type: text/xml";
 $httphead[] = sprintf("X-Amz-Date: %s", $amz_date);
 $httphead[] = sprintf("Authorization: %s", $authorization_header);
 return $httphead;
 }
-
- /**
- * Return 
Signing key
- *
- * @param string secretKey The AWS key
- * @param string dateStamp The AWS signing date in the form YYYYMMDD
- * @param string regionName The AWS region name - e.g. us-east-1
- */
- public function getAWS4SigningKey($secretKey, $dateStamp, $regionName){
- $kSecret = sprintf("AWS4%s", $secretKey);
- $kDate = hash_hmac("sha256", $dateStamp, $kSecret);
- $kRegion = hash_hmac("sha256", $regionName, $kDate);
- $kService = hash_hmac("sha256", "route53domains", $kRegion);
- return hash_hmac("sha256", "aws4_request", $kService);
- }
 } |
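Review bot: `$amz_date` and `$date_stamp` are built from three separate `gmdate()` calls, so a request assembled across midnight UTC can carry an `X-Amz-Date` whose day differs from the `$date_stamp` that feeds both the credential scope and `$kDate`, and AWS then rejects the signature with a scope-mismatch error; take the clock once: `$now = time(); $amz_date = gmdate('Ymd\THis\Z', $now); $date_stamp = gmdate('Ymd', $now);`. With `$httphead[] = array();` removed there is no initialisation of `$httphead` left in the hunk, so the array is autovivified on the first push; an explicit `$httphead = array();` before `$httphead[] = "Content-Type: text/xml";` makes that deliberate rather than incidental. The `$algorithm` assignment shows up here only on a removed line although the new `$string_to_sign` and `$authorization_header` lines still use it; if that is an artefact of how this listing was rendered and the assignment survives as a context line, fine, otherwise the Authorization header would go out with an empty algorithm name and should be checked. The function's opening lines, including where `$canonical_uri` is set, lie outside the hunk.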