From 93da678cb66ae36fa5c417c084676a48ef534e35 Mon Sep 17 00:00:00 2001
From: Emmanuel Bourg
Date: Mon, 15 Jan 2024 09:28:34 +0100
Subject: [PATCH] Support dynamic credentials with AWS (Fixes #187)
---
 README.md | 1 +
 .../net/jsign/jca/AmazonSigningService.java | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 9f571478..5f48c8b6 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,7 @@ See https://ebourg.github.io/jsign for more information.
 * `Signable.computeDigest(MessageDigest)` has been replaced by `Signable.computeDigest(DigestAlgorithm)`
 * The value of the `http.agent` system property is now appended to the user agent string set when calling REST services
 * `AuthenticodeSigner` sets the security provider automatically if the keystore used is backed by a PKCS#11 token or a cloud service
+ * `AmazonSigningService` now supports dynamic credentials
 * Upgraded BouncyCastle to 1.77
 
 #### Version 5.0 (2023-06-06)
diff --git a/jsign-core/src/main/java/net/jsign/jca/AmazonSigningService.java b/jsign-core/src/main/java/net/jsign/jca/AmazonSigningService.java
index 026bdb29..da76f298 100644
--- a/jsign-core/src/main/java/net/jsign/jca/AmazonSigningService.java
+++ b/jsign-core/src/main/java/net/jsign/jca/AmazonSigningService.java
@@ -37,6 +37,7 @@
 import java.util.TimeZone;
 import java.util.TreeMap;
 import java.util.function.Function;
+import java.util.function.Supplier;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
@@ -81,6 +82,19 @@ public class AmazonSigningService implements SigningService {
 algorithmMapping.put("SHA512withRSA/PSS", "RSASSA_PSS_SHA_512");
 }
 
+ /**
+ * Creates a new AWS signing service.
+ *
+ * @param region the AWS region holding the keys (for example eu-west-3)
+ * @param credentials the AWS credentials provider
+ * @param certificateStore provides the certificate chain for the keys
+ * @since 5.1
+ */
+ public AmazonSigningService(String region, Supplier credentials, Function certificateStore) {
+ this.certificateStore = certificateStore;
+ this.client = new RESTClient("https://kms." + region + ".amazonaws.com", (conn, data) -> sign(conn, credentials.get(), data, null));
+ }
+
 /**
 * Creates a new AWS signing service.
 *
@@ -89,8 +103,7 @@ public class AmazonSigningService implements SigningService {
 * @param certificateStore provides the certificate chain for the keys
 */
 public AmazonSigningService(String region, AmazonCredentials credentials, Function certificateStore) {
- this.certificateStore = certificateStore;
- this.client = new RESTClient("https://kms." + region + ".amazonaws.com", (conn, data) -> sign(conn, credentials, data, null));
+ this(region, () -> credentials, certificateStore);
 }
 
 /**
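Review bot: The new `Supplier`-taking constructor captures `credentials` inside the request-signing lambda without validating it, so a null supplier only fails later, inside `credentials.get()` when the callback first runs, instead of at construction; a fail-fast `Objects.requireNonNull(credentials, "credentials");` as the constructor's first statement (adding the `java.util.Objects` import if the file does not already have it) would make the failure attributable to the caller. The Javadoc's `@param credentials the AWS credentials provider` also leaves out the property that motivates this constructor: because `credentials.get()` is evaluated inside the lambda rather than once, the supplier is consulted every time the signing callback runs, so it may hand back refreshed short-lived credentials — something like `@param credentials supplier of the AWS credentials, invoked each time a request is signed so rotated credentials are picked up; presumably must not return null` says this. Whether the callback can be invoked concurrently is not visible in this hunk, so if it can, the supplier's thread-safety expectation belongs in that Javadoc too. The `Supplier` and `Function` parameters show no type arguments in this rendering; if that is the actual source rather than stripped angle brackets, `credentials.get()` yields `Object` and the `sign(...)` call would not compile, so presumably the generics were lost in rendering.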