Encode ECDSA signature based on RFC 3279.

teo-tsirpanis · teo-tsirpanis · commit c54ed3024fb4 · 2025-07-19T22:15:36.000+03:00
diff --git a/sdk/src/Core/AWSSDK.Core.NetFramework.csproj b/sdk/src/Core/AWSSDK.Core.NetFramework.csproj
@@ -70,6 +70,7 @@
 
   <ItemGroup>
     <PackageReference Include="System.Buffers" Version="4.5.1" />
+    <PackageReference Include="System.Formats.Asn1" Version="6.0.1" />
     <PackageReference Include="System.Memory" Version="4.5.5" />
       <!-- Powershell (pwsh) will have a preloaded version of System.Text.Json that is older than
       the version we will ship in core nuget packages and dlls, so we compile with an  older version of STJ
diff --git a/sdk/src/Core/AWSSDK.Core.NetStandard.csproj b/sdk/src/Core/AWSSDK.Core.NetStandard.csproj
@@ -88,6 +88,11 @@
       an older version of System.Text.Json.  -->
     <PackageReference Include="System.Text.Json" Version="6.0.11" />
   </ItemGroup>
-    <Import Project="overrides.targets"/>
+  <ItemGroup Condition="'$(TargetFramework)' != 'net8.0'">
+	<!-- Version 8.x emits a warning about being unsupported on .NET Core 3.1, so we use 6.x.
+	Also, 6.0.0 has a vulnerability. -->
+    <PackageReference Include="System.Formats.Asn1" Version="6.0.1" />
+  </ItemGroup>
+  <Import Project="overrides.targets" />
 
 </Project>
diff --git a/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4aSigner.cs b/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4aSigner.cs
@@ -18,11 +18,15 @@
 using System.Linq;
 using System.Text;
 using System.Globalization;
+using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
 using Amazon.Util;
 using Amazon.Runtime.Internal.Util;
 using Amazon.Runtime.Identity;
-using System.Security.Cryptography;
-using System.Runtime.CompilerServices;
+
+#if !NET7_0_OR_GREATER
+using System.Formats.Asn1;
+#endif
 
 using static Amazon.Runtime.Internal.Auth.AWS4Signer;
 
@@ -382,8 +386,24 @@ public static byte[] SignBlob(ImmutableCredentials credentials, string data)
         public static byte[] SignBlob(ImmutableCredentials credentials, byte[] data)
         {
             var key = credentials.AWS4aSigningKey ??= ComputeSigningKey(credentials.AccessKey, credentials.SecretKey);
-            return key.SignData(data, HashAlgorithmName.SHA256);
+#if NET7_0_OR_GREATER
+            return key.SignData(data, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence);
+#else
+            return ConvertToRfc3279DerSequence(key.SignData(data, HashAlgorithmName.SHA256));
+#endif
+        }
+
+#if !NET7_0_OR_GREATER
+        private static byte[] ConvertToRfc3279DerSequence(byte[] signature)
+        {
+            var writer = new AsnWriter(AsnEncodingRules.DER);
+            writer.PushSequence();
+            writer.WriteIntegerUnsigned(signature.AsSpan(0, signature.Length / 2)); // R value
+            writer.WriteIntegerUnsigned(signature.AsSpan(signature.Length / 2)); // S value
+            writer.PopSequence();
+            return writer.Encode();
         }
+#endif
         #endregion
     }
 
