Skip to content

Commit

Permalink
fix: enable node-fips compatible body checksums for S3
Browse files Browse the repository at this point in the history
  • Loading branch information
mrgrain committed Oct 24, 2024
1 parent 8d06824 commit 340879e
Show file tree
Hide file tree
Showing 4 changed files with 23 additions and 33 deletions.
3 changes: 1 addition & 2 deletions packages/@aws-cdk/integ-runner/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -74,9 +74,8 @@
"@aws-cdk/cloud-assembly-schema": "^38.0.0",
"@aws-cdk/cloudformation-diff": "0.0.0",
"@aws-cdk/cx-api": "0.0.0",
"cdk-assets": "^2.154.0",
"cdk-assets": "^2.155.17",
"@aws-cdk/aws-service-spec": "^0.1.29",

"@aws-cdk/cdk-cli-wrapper": "0.0.0",
"aws-cdk": "0.0.0",
"chalk": "^4",
Expand Down
13 changes: 12 additions & 1 deletion packages/aws-cdk/lib/api/aws-auth/sdk.ts
Original file line number Diff line number Diff line change
Expand Up @@ -174,7 +174,18 @@ export class SDK implements ISDK {
}

public s3(): AWS.S3 {
return this.wrapServiceErrorHandling(new AWS.S3(this.config));
return this.wrapServiceErrorHandling(new AWS.S3({
// In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
// However by default the S3 client is using an MD5 checksum for content integrity checking.
// While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
// in practice it is just easier to use an allowed checksum mechanism.
// We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
// SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
// of the AWS SDKv3 and is a safe choice for all users.
s3DisableBodySigning: false,
computeChecksums: false,
...this.config,
}));
}

public route53(): AWS.Route53 {
Expand Down
2 changes: 1 addition & 1 deletion packages/aws-cdk/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@
"archiver": "^5.3.2",
"aws-sdk": "^2.1691.0",
"camelcase": "^6.3.0",
"cdk-assets": "^2.155.0",
"cdk-assets": "^2.155.17",
"cdk-from-cfn": "^0.162.0",
"chalk": "^4",
"chokidar": "^3.6.0",
Expand Down
38 changes: 9 additions & 29 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -67,17 +67,10 @@
jsonschema "^1.4.1"
semver "^7.6.3"

"@aws-cdk/cx-api@^2.158.0":
version "2.159.0"
resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.159.0.tgz#567c0ae0d7a6fc2f7cb9bda7e6cb23fac8d99094"
integrity sha512-HVkHCKQjVi3PCSOF22zLztZMEL+cJcyVvFctS3vXPetgl77L+e/onaGt1AUwRcNY44tvbqJm3oIVQt2HqM3q7w==
dependencies:
semver "^7.6.3"

"@aws-cdk/cx-api@^2.160.0":
version "2.160.0"
resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.160.0.tgz#08d4599690a39768bb944c411f1141166e313b59"
integrity sha512-ujXT/UoUDquCwxJ14jkRzIFeMabMyLATWP32Jv0WJjWpxrGJCa+Lua+CByOyikC1QeSVxq8pZcrx0jjYyG0qzw==
"@aws-cdk/cx-api@^2.163.1":
version "2.163.1"
resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.163.1.tgz#ef55da9f471c963d877b23d3201ca4560d656b2e"
integrity sha512-0bVL/pX0UcliCdXVcgtLVL3W5EHAp4RgW7JN3prz1dIOmLZzZ30DW0qWSc0D0EVE3rVG6RVgfIiuFBFK6WFZ+w==
dependencies:
semver "^7.6.3"

Expand Down Expand Up @@ -6794,26 +6787,13 @@ case@1.6.3, case@^1.6.3:
resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9"
integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==

cdk-assets@^2.154.0:
version "2.154.0"
resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.154.0.tgz#675d239c0156ca05c4a2809b30858c843f984ead"
integrity sha512-8M3zLHCx8nj5Fv5ubEps53jh22NN9G7ZLuq1AJwPdXZP7+nb4q5tdl2Ah2ZPMM/dob9u3KTwNeN34oLKHfDzbw==
dependencies:
"@aws-cdk/cloud-assembly-schema" "^38.0.0"
"@aws-cdk/cx-api" "^2.158.0"
archiver "^5.3.2"
aws-sdk "^2.1691.0"
glob "^7.2.3"
mime "^2.6.0"
yargs "^16.2.0"

cdk-assets@^2.155.0:
version "2.155.0"
resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.0.tgz#2e4f347f850c8850bcb2834807b457f41e62f1cf"
integrity sha512-wEztkIxJnQrIh93x6Qxu4MbRLROhl7NeWgasNZdCoOd6ykXsDSuL8JMi0wettbwGArnhhXMcll1m4+X4VQgzcA==
cdk-assets@^2.155.17:
version "2.155.17"
resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.17.tgz#d6c285d0279aec8226b45577a151e6dd32a12fa5"
integrity sha512-+hJlYYlsPHhPCeMC/V3pMyrjz5K8p9SQdC50qMg6a8/w/3w0WY1ZixyKGtpJfFB11C3Ubb04l2miieaAH00CIA==
dependencies:
"@aws-cdk/cloud-assembly-schema" "^38.0.1"
"@aws-cdk/cx-api" "^2.160.0"
"@aws-cdk/cx-api" "^2.163.1"
archiver "^5.3.2"
aws-sdk "^2.1691.0"
glob "^7.2.3"
Expand Down

0 comments on commit 340879e

Please sign in to comment.