Cache SigV4a key in the ImmutableCredentials object.

Author: teo-tsirpanis

sdk/src/Core/Amazon.Runtime/Credentials/ImmutableCredentials.cs

@@ -15,6 +15,7 @@
 using Amazon.Runtime.Internal.Util;
 using Amazon.Util;
 using System;
+using System.Security.Cryptography;
 
 namespace Amazon.Runtime
 {
@@ -55,6 +56,14 @@ public class ImmutableCredentials
         /// Account-based endpoints take the form https://accountid.ddb.region.amazonaws.com
         /// </summary>
         public string AccountId { get; private set; }
+
+        /// <summary>
+        /// Gets a cached AWS4a signing key for the current credentials.
+        /// </summary>
+        /// <remarks>
+        /// The key must not be disposed, and must not be returned to the user.
+        /// </remarks>
+        internal ECDsa AWS4aSigningKey { get; set; }
         #endregion
 
 

sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4aSigner.cs

@@ -250,10 +250,8 @@ public static AWS4aSigningResult ComputeSignature(ImmutableCredentials credentia
 
             metrics?.AddProperty(Metric.StringToSign, stringToSignBuilder);
 
-            using var key = ComputeSigningKey(credentials);
-
             var stringToSign = stringToSignBuilder.ToString();
-            var signature = AWSSDKUtils.ToHex(SignBlob(key, stringToSign), true);
+            var signature = AWSSDKUtils.ToHex(SignBlob(credentials, stringToSign), true);
             return new AWS4aSigningResult(credentials.AccessKey, signedAt, signedHeaders, scope, regionSet, signature, service, "", credentials);
         }
 
@@ -309,9 +307,10 @@ private static int CompareConstantTime(byte[] lhs, byte[] rhs)
         /// <summary>
         /// Compute and return the signing key for the request.
         /// </summary>
-        /// <param name="credentials">The credentials.</param>
+        /// <param name="awsAccessKey">Access key credential.</param>
+        /// <param name="awsSecretAccessKey">Secret access key credential.</param>
         /// <returns>Computed signing key</returns>
-        public static ECDsa ComputeSigningKey(ImmutableCredentials credentials)
+        public static ECDsa ComputeSigningKey(string awsAccessKey, string awsSecretAccessKey)
         {
             byte[] kvalue = null;
             byte[] ksecret = null;
@@ -328,7 +327,7 @@ public static ECDsa ComputeSigningKey(ImmutableCredentials credentials)
                 idx += 4;
                 idx += Encoding.UTF8.GetBytes(AWS4aAlgorithmTag, 0, AWS4aAlgorithmTag.Length, kvalue, idx);
                 idx++;
-                idx += Encoding.UTF8.GetBytes(credentials.AccessKey, 0, credentials.AccessKey.Length, kvalue, idx);
+                idx += Encoding.UTF8.GetBytes(awsAccessKey, 0, awsAccessKey.Length, kvalue, idx);
                 ref byte counterValue = ref kvalue[idx++];
                 kvalue[idx + 2] = 1;
 
@@ -366,22 +365,23 @@ public static ECDsa ComputeSigningKey(ImmutableCredentials credentials)
         }
 
         /// <summary>
-        /// Returns the ECDSA signature for an arbitrary blob using the specified key
+        /// Returns the ECDSA signature for an arbitrary blob using the specified credentials.
         /// </summary>
-        /// <param name="key">The key to use.</param>
+        /// <param name="credentials">The credentials to use.</param>
         /// <param name="data">The data to sign.</param>
-        public static byte[] SignBlob(ECDsa key, string data)
+        public static byte[] SignBlob(ImmutableCredentials credentials, string data)
         {
-            return SignBlob(key, Encoding.UTF8.GetBytes(data));
+            return SignBlob(credentials, Encoding.UTF8.GetBytes(data));
         }
 
         /// <summary>
-        /// Returns the ECDSA signature for an arbitrary blob using the specified key
+        /// Returns the ECDSA signature for an arbitrary blob using the specified credentials.
         /// </summary>
-        /// <param name="key">The key to use.</param>
+        /// <param name="credentials">The credentials to use.</param>
         /// <param name="data">The data to sign.</param>
-        public static byte[] SignBlob(ECDsa key, byte[] data)
+        public static byte[] SignBlob(ImmutableCredentials credentials, byte[] data)
         {
+            var key = credentials.AWS4aSigningKey ??= ComputeSigningKey(credentials.AccessKey, credentials.SecretKey);
             return key.SignData(data, HashAlgorithmName.SHA256);
         }
         #endregion

sdk/src/Core/Amazon.Runtime/Internal/Util/ChunkedUploadWrapperStream.cs

@@ -318,8 +318,7 @@ private void ConstructOutputBufferChunk(int dataLen)
             string chunkSignature = "";
             if (HeaderSigningResult is AWS4aSigningResult v4aHeaderSigningResult)
             {
-                using var signingKey = AWS4aSigner.ComputeSigningKey(v4aHeaderSigningResult.Credentials);
-                chunkSignature = AWSSDKUtils.ToHex(AWS4aSigner.SignBlob(signingKey, chunkStringToSign), true);
+                chunkSignature = AWSSDKUtils.ToHex(AWS4aSigner.SignBlob(v4aHeaderSigningResult.Credentials, chunkStringToSign), true);
             }
             else if (HeaderSigningResult is AWS4SigningResult v4HeaderSingingResult) // SigV4
             {
@@ -404,14 +403,14 @@ private string ConstructSignedTrailersChunk()
                 AWSSDKUtils.ToHex(AWS4Signer.ComputeHash(canonicalizedTrailingHeaders), true);
 
             string chunkSignature;
-            if (HeaderSigningResult is AWS4SigningResult result)
+            if (HeaderSigningResult is AWS4SigningResult aws4Result)
             {
-                chunkSignature = AWSSDKUtils.ToHex(AWS4Signer.SignBlob(result.GetSigningKey(), chunkStringToSign), true);
+                chunkSignature = AWSSDKUtils.ToHex(AWS4Signer.SignBlob(aws4Result.GetSigningKey(), chunkStringToSign), true);
             }
             else // SigV4a
             {
-                using var signingKey = AWS4aSigner.ComputeSigningKey(((AWS4aSigningResult)HeaderSigningResult).Credentials);
-                chunkSignature = AWSSDKUtils.ToHex(AWS4aSigner.SignBlob(signingKey, chunkStringToSign), true).PadRight(V4A_SIGNATURE_LENGTH, '*');
+                var aws4aResult = (AWS4aSigningResult)HeaderSigningResult;
+                chunkSignature = AWSSDKUtils.ToHex(AWS4aSigner.SignBlob(aws4aResult.Credentials, chunkStringToSign), true).PadRight(V4A_SIGNATURE_LENGTH, '*');
             }
 
             var chunk = new StringBuilder();

sdk/src/Core/Amazon.Runtime/SharedInterfaces/IAWSSigV4aProvider.cs

@@ -1,4 +1,4 @@
-/*
+/*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").