Improve documentation and add semgrep configuration

Author: 13ajay

.github/workflows/semgrep.yml

@@ -0,0 +1,31 @@
+# Name of this GitHub Actions workflow.
+name: Semgrep
+
+on:
+  # Option 1: Scan changed files in PRs, only report new findings (existing
+  # findings in the repository are ignored).
+  # To run on specific types of PR states (opened, reopened, etc) or particular
+  # paths or branches, see the following GitHub documentation:
+  # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
+  pull_request: {}
+jobs:
+  semgrep:
+    # User definable name of this GitHub Actions job.
+    name: Scan
+    # Only change the if you are self-hosting. See also:
+    # https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job#choosing-self-hosted-runners
+    runs-on: ubuntu-latest
+    container:
+      # A Docker image with Semgrep installed. Don't change this.
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@v3
+
+      # Run the "semgrep ci" command on the command line of the docker image.
+      - run: semgrep ci
+        env:
+          # Option 2: Set hard-coded rulesets, viewable in logs.
+          SEMGREP_RULES: p/default # more at semgrep.dev/explore

.semgrepignore

@@ -0,0 +1,2 @@
+# Invalid RSA key for testing
+tst/certs/invalid-rsa-key.pem

README.md

@@ -4,19 +4,41 @@ rolesanywhere-credential-helper implements the [signing process](https://docs.aw
 
 ## Building
 
-In order to build the source code, you will need to install a C compiler, along with make and golang. On Debian-based systems, you can do so using `sudo apt-get install build-essential golang-go`. After obtaining these tools, you can build the package (assuming you are currently at the package root):
+### Dependencies
+
+In order to build the source code, you will need to install git, a C compiler, make, and golang. 
+
+#### Linux
+
+On Debian-based systems, you can do so using `sudo apt-get install git build-essential golang-go`. For other Linux distributions, replace `apt-get` with the package manager on your system.
+
+#### Darwin
+
+You can download Apple clang through the [following link](https://developer.apple.com/download/) if you don't already have it installed on your system. You can install git, make, and golang through Homebrew through `brew install git`, `brew install make` and `brew install go`, respectively.
+
+#### Windows
+
+In order to get a C compile on Windows, one option is to use [MinGW-w64](https://www.mingw-w64.org/downloads/). After obtaining a C compiler, you can install golang through the [installer](https://go.dev/doc/install). Lastly, you can install git and make through `Chocolatey` with `choco install git` and `choco install make`, respectively. 
+
+### Build
+
+After obtaining these tools, and making sure they are on your `PATH`, you can build the package (assuming you are currently at the package root):
 
 ```
 make release
 ```
 
 After building, you should see the `aws_signing_helper` binary built for your system at `build/bin/aws_signing_helper`. Usage is discussed briefly in the next section.
 
+### Scripts
+
+The project also comes with two bash scripts at its root, called `generate-certs.sh` and `generate-credential-process-data.sh`. The former script is used strictly for unit testing, and it generates certificate and private key data with different parameters that are supported by IAM Roles Anywhere. You can run the bash script using `/bin/bash generate-certs.sh`, and you will see the generated certificates and keys under the `tst/certs` directory. The latter script is used both for unit testing and can also be used for testing the `credential-process` command after having built the binary. It will create a CA certificate/private key as well as a leaf certificate/private key. When testing IAM Roles Anywhere, you will have to upload the CA certificate a trust anchor and create a profile within Roles Anywhere before using the binary along with the leaf certificate/private key to call `credential-process` (more instructions can be found in the next section). You can run the bash script using `/bin/bash generate-credential-process-data.sh`, and you will see the generated certificate hierarchy (and corresponding keys) under the `credential-process-data` directory. Note that the unit tests that require these fixtures to exist will run the bash script themselves, before executing those tests that depend on the fixtures existing. Please note that these scripts currently only work on Unix-based systems and require `openssl` to be installed.
+
 ## Usage
 
 There are three commands that are currently implemented within the source code. Two of these commands, `sign-string` and `read-certificate-data` are given as diagnostic tools. The former command allows one to sign a string that comes from standard input. The command requires one to pass in the path of a private key on disk to perform the signing (`--private-key`), as well as two optional arguments for the digest (`--digest`) and output format (`--format`). The digest has to be one of `SHA256`, `SHA384`, and `SHA512` if specified. The default value will be `SHA256` if it isn't specified. The output format has to be one of `text`, `json`, and `bin` if specified. The default value will be `text` if it isn't specified. The latter command allows one to read a certificate that is on disk. The path to the certificate (`--certificate`) is required. 
 
-The last command is `credential-process`, which returns temporary credentials in a JSON format that is compatible with the `credential_process` feature available across language SDKs. Documentation on usage, along with examples can be found [here](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html). A script called `generate-credential-process-data.sh` can be found at the root of the project, which will generate RSA private keys and their corresponding certificates, that you can use to obtain temporary credentials from IAM Roles Anywhere. You can run the script using `/bin/bash generate-credential-process-data.sh`. Afterwards, you should see the generated private keys and certificates under the `credential-process-data` directory. The following example showcases how to use the data to obtain temporary credentials:
+The last command is `credential-process`, which returns temporary credentials in a JSON format that is compatible with the `credential_process` feature available across language SDKs. Documentation on usage, along with examples can be found [here](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html). A script called `generate-credential-process-data.sh` can be found at the root of the project, which will generate RSA private keys and their corresponding certificates, that you can use to obtain temporary credentials from IAM Roles Anywhere. You can run the script using `/bin/bash generate-credential-process-data.sh`. Afterwards, you should see the generated private keys and certificates under the `credential-process-data` directory. The following example showcases how to use the data to obtain temporary credentials (assuming you are on a unix-based system):
 
 ```
 TA_ARN=$(aws rolesanywhere create-trust-anchor \

aws_signing_helper/credentials.go

@@ -90,12 +90,12 @@ func GenerateCredentials(opts *CredentialsOpts) (CredentialProcessOutput, error)
 	var tr *http.Transport
 	if opts.WithProxy {
 		tr = &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: opts.NoVerifySSL},
+			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13, InsecureSkipVerify: opts.NoVerifySSL},
 			Proxy:           http.ProxyFromEnvironment,
 		}
 	} else {
 		tr = &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: opts.NoVerifySSL},
+			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13, InsecureSkipVerify: opts.NoVerifySSL},
 		}
 	}
 	client := &http.Client{Transport: tr}

aws_signing_helper/signer_test.go

@@ -32,11 +32,7 @@ func setup() error {
 
 	generateCredentialProcessDataScript := exec.Command("/bin/bash", "../generate-credential-process-data.sh")
 	_, err = generateCredentialProcessDataScript.Output()
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return err
 }
 
 func TestMain(m *testing.M) {

tst/certs/cert-bundle.pem

@@ -1,3 +1,5 @@
+Note: This is a certificate that can't be parsed.
+
 -----BEGIN CERTIFICATE-----
 MIID2DCCAsCgAwIBAgIRAKsybXibFSiZYcGp+Q6O804wDQYJKoZIhvcNAQELBQAw
 XzELMAkGA1UEBhMCVVMxHDAaBgNVBAoME1NlY3VyaXR5IElubm92YXRpb24xEDAO

tst/certs/invalid-rsa-cert.pem

@@ -1,3 +1,5 @@
+Note: this is a RSA private key that can't be parsed.
+
 -----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEA1UtA1UjG/fhjhGEsQ3dAwacylFxlnbF+Q1Se0KhxZiuI8z2r
 MFEpv5/16fe38hNI/lQFYLime2+89ZnmDXj0bcrLyeUSaXBXHKhTSqx9akllU6r7