The latest articles on DEV Community by chiefbiiko (@chiefbiiko). https://dev.to/chiefbiiko https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F273982%2Fe8aa5294-45ed-4d5e-85bf-a736b895a5b0.jpeg https://dev.to/chiefbiiko en chiefbiiko Sat, 02 Oct 2021 06:37:51 +0000 https://dev.to/chiefbiiko/falcon-cli-4-post-quantum-file-sigs-57oi https://dev.to/chiefbiiko/falcon-cli-4-post-quantum-file-sigs-57oi <p>Post-quantum cryptography is being developed, benchmarked, tested, discussed, and elaborated... Let me join in on that with a little practical software piece. <a href="https://github.com/chiefbiiko/falcon-cli"><code>falcon-cli</code></a> is a CLI tool to sign and verify files with the post-quantum signature scheme <a href="https://falcon-sign.info/">FALCON</a>, a round 3 finalist for digital signature algorithms in NIST's post-quantum cryptography standardization competition.</p> <p>The tool supports keygen, file sign and verify ops, as such it is complete and ready for common file signature use cases. Imagine - now you can sign your Github Releases with (probably) post-quantum safe signatures and chill (4ever)...</p> <p>Usage should be straightforward when glimpsin' over the <a href="https://github.com/chiefbiiko/falcon-cli/blob/main/README.md">README</a>. The default key location shouldn't be surprisin' as well: <code>~/.falcon-cli/(public|secret).key</code>. Also, if explicit input or output files are omitted, the tool falls back to <code>stdin</code> and <code>stdout</code> for IO.</p> <p>In case of any issues get at me on <a href="https://github.com/chiefbiiko/falcon-cli/issues">GitHub</a>.</p> cybersecurity tooling opensource security chiefbiiko Mon, 21 Dec 2020 08:02:48 +0000 https://dev.to/chiefbiiko/cors-with-apigw-4eip https://dev.to/chiefbiiko/cors-with-apigw-4eip <h1> cors with apigw </h1> <p>🌐🔗🌒🐙</p> <p>lets assume a freshly mounted apigw with a resource <code>/pitbulls</code> having two endpoints serving and accepting json:</p> <p><code>GET /pitbulls</code></p> <p><code>POST /pitbulls</code></p> <p>once you start hitting these from a browser they need to have cors enabled..</p> <h2> determining cors request types </h2> <p>there are two types of cors requests: simple and non-simple - refer to these <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html">AWS docs</a> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests">MDN docs</a> 4 specifics.</p> <p>a simple requests has the following characteristics:</p> <ul> <li><p><code>GET</code>, <code>HEAD</code>, or <code>POST</code></p></li> <li><p>if <code>POST</code> the request must include an origin header</p></li> <li><p>request payload content type is <code>text/plain</code>, <code>multipart/form-data</code>, or <code>application/x-www-form-urlencoded</code></p></li> <li><p>no custom headers</p></li> </ul> <h2> steps 2 enable cors </h2> <h3> 4 simple requests </h3> <p>scenario: <code>GET /pitbulls</code></p> <p>the backend response must include an <code>Access-Control-Allow-Origin</code> header granting access to the request's origin domain. Note that one should specify protocol, domain, and port when defining the origin.</p> <p><strong>backend response to a simple cors request</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">access-control-allow-origin</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://your.domain:443</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">content-type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="dl">'</span><span class="s1">[{"name":"dogo"}]</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <h3> 4 non-simple requests </h3> <p>scenario: <code>POST /pitbulls</code> with request payload <code>content-type: application/json</code></p> <p>our <code>pitbulls</code> resource needs to expose an <code>OPTIONS</code> method that responds to cors preflight requests with the following cors headers: <code>Access-Control-Allow-Methods</code> <code>Access-Control-Allow-Headers</code> <code>Access-Control-Allow-Origin</code></p> <p><strong>cors options method snippet in cloudformation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">CorsMethod</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ApiGateway::Method</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AuthorizationType</span><span class="pi">:</span> <span class="s">NONE</span> <span class="na">RestApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestApi</span> <span class="na">ResourceId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PitbullsResource</span> <span class="na">HttpMethod</span><span class="pi">:</span> <span class="s">OPTIONS</span> <span class="na">Integration</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">MOCK</span> <span class="na">IntegrationResponses</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">StatusCode</span><span class="pi">:</span> <span class="m">200</span> <span class="na">ResponseParameters</span><span class="pi">:</span> <span class="na">method.response.header.Access-Control-Allow-Headers</span><span class="pi">:</span> <span class="s2">"</span><span class="s">'content-type'"</span> <span class="na">method.response.header.Access-Control-Allow-Methods</span><span class="pi">:</span> <span class="s2">"</span><span class="s">'OPTIONS,GET,POST'"</span> <span class="na">method.response.header.Access-Control-Allow-Origin</span><span class="pi">:</span> <span class="kt">!If</span> <span class="pi">-</span> <span class="s">IsProd</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">'https://your.domain:443'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">'*'"</span> <span class="na">ResponseTemplates</span><span class="pi">:</span> <span class="na">application/json</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">PassthroughBehavior</span><span class="pi">:</span> <span class="s">WHEN_NO_MATCH</span> <span class="na">RequestTemplates</span><span class="pi">:</span> <span class="s1">'</span><span class="s">application/json'</span><span class="err">:</span> <span class="s1">'</span><span class="s">{"statusCode":200}'</span> <span class="na">MethodResponses</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">StatusCode</span><span class="pi">:</span> <span class="m">200</span> <span class="na">ResponseModels</span><span class="pi">:</span> <span class="na">application/json</span><span class="pi">:</span> <span class="s">Empty</span> <span class="na">ResponseParameters</span><span class="pi">:</span> <span class="na">method.response.header.Access-Control-Allow-Headers</span><span class="pi">:</span> <span class="s">False</span> <span class="na">method.response.header.Access-Control-Allow-Methods</span><span class="pi">:</span> <span class="s">False</span> <span class="na">method.response.header.Access-Control-Allow-Origin</span><span class="pi">:</span> <span class="s">False</span> </code></pre> </div> <p>Additionally, the backend, lambdas, ec2s or whatever, need to also respond with the three cors headers listed above.</p> <p><strong>backend responding to a non-simple cors request with mandated headers</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">201</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">access-control-allow-headers</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">content-type</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">access-control-allow-methods</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OPTIONS,POST</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">access-control-allow-origin</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://your.domain:443</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p>🐙🌐🔗🌒 ~ AWS API Gateway CORS</p> aws apigateway cors cloudformation chiefbiiko Mon, 18 Nov 2019 05:55:16 +0000 https://dev.to/chiefbiiko/lambda-wasmtime-running-webassembly-on-aws-lambda-51gi https://dev.to/chiefbiiko/lambda-wasmtime-running-webassembly-on-aws-lambda-51gi <p>With <a href="https://github.com/chiefbiiko/lambda-wasmtime"><code>lambda-wasmtime</code></a> we have a <a href="https://wasmtime.dev/"><code>wasmtime</code></a>-powered custom AWS Lambda runtime for running WebAssembly, including futuristic stuff like <a href="https://wasi.dev/">WASI (WebAssembly System Interface)</a> and <a href="https://github.com/WebAssembly/interface-types/blob/master/proposals/interface-types/Explainer.md">WAIT (WebAssembly Interface Types)</a>.</p> <p>To run in the AWS Lambda execution environment we need to build a WebAssembly module that exports a function capable of accepting and returning <code>JSON</code> strings. The remainder of this post demonstrates just that.</p> <h2> Building a WebAssembly Lambda </h2> <p><strong>Make</strong> sure to have <a href="https://github.com/bytecodealliance/cargo-wasi"><code>cargo-wasi</code></a> installed: <code>cargo install cargo-wasi</code></p> <p><strong>Setup</strong> a new project: <code>cargo new &lt;project_name&gt; --lib</code></p> <p><strong>Craft</strong> <code>Cargo.toml</code>:</p> <ul> <li><p>specify the crate type as <code>cdylib</code> to make this a <code>C</code>-ish shared library</p></li> <li><p>include a recent <code>wasm-bindgen</code> (tested with <code>0.2.54</code>)<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[lib]</span> <span class="py">crate-type</span> <span class="p">=</span> <span class="nn">["cdylib"]</span> <span class="nn">[dependencies]</span> <span class="py">wasm-bindgen</span> <span class="p">=</span> <span class="s">"0.2.54"</span> </code></pre> </div> <p><strong>Define</strong> a handler in <code>src/lib.rs</code> and <code>#[wasm_bindgen]</code> it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">wasm_bindgen</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="n">wasm_bindgen</span><span class="p">;</span> <span class="nd">#[wasm_bindgen]</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="n">context</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">String</span> <span class="p">{</span> <span class="c">// lambda-wasmtime passes the event and context as JSON</span> <span class="c">// context looks like: { function_arn, deadline_ms, request_id, trace_id }</span> <span class="n">event</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p>Note that you can name your handler whatever you want. The <code>lambda-wasmtime</code> runtime determines the actual handler name from the environment variable <code>_HANDLER</code> which is user-defined in AWS Lambda.</p> <p><strong>Build</strong> the <code>.wasm</code> binary: <code>cargo wasi build --release</code></p> <blockquote> <p>For now, when using wasm-bindgen <code>--release</code> mode is required to build binaries with interface types ~strings</p> </blockquote> <p><strong>Zipup</strong> a lambda bundle: <code>zip -j &lt;project&gt;/lambda.zip &lt;project&gt;/target/wasm32-wasi/release/&lt;project_name&gt;.wasm</code></p> <p><strong>Deploy</strong> the lambda bundle on AWS with the <code>lambda-wasmtime</code> runtime layer - get its latest release from <a href="https://github.com/chiefbiiko/lambda-wasmtime/releases/latest">here</a></p> <p>If your handler performs non-trivial computations you probably need to provision the lambda with extra memory. Also note that currently all of this is in MVP state and experimental.</p> aws lambda webassembly runtime