Add managed SigV4a signer. #3923

Open
wants to merge 13 commits into
base: development

teo-tsirpanis
Contributor

Description

This PR adds a managed implementation of the AWS SigV4a algorithm, contained in the newly added Amazon.Runtime.Internal.Auth.AWS4aSigner class. All uses of the old signer that forward to the CRT were replaced. The CRT signer and related APIs were deprecated, but were left otherwise untouched.

Motivation and Context

Fixes #3881.

Testing

  • Added a small unit test for the signing key derivation process, ported from the existing tests of the CRT signer in extensions.
    • There were several more tests that were not moved over at the moment, because of a perceived low value, considering that: they would necessitate writing a managed SigV4a verifier as well, equivalent tests for SigV4 do not exist, and that the code paths that use the SigV4 and SigV4a signers have become more similar, which reduces the room for error.
  • Tested by performing a request and generating a pre-signed URL, on an S3 multi-region access point.
  • There are already several existing integration tests (which I did not run), that use SigV4a signing.

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • My code follows the code style of this project
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
  • I have read the README document
  • I have added tests to cover my changes
  • All new and existing tests passed

License

  • I confirm that this pull request can be released under the Apache 2 license

@dscpinheiro changed the base branch from main to development July 19, 2025 21:11
Comment on lines +389 to +406
#if NET7_0_OR_GREATER
return key.SignData(data, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence);
#else
return ConvertToRfc3279DerSequence(key.SignData(data, HashAlgorithmName.SHA256));
#endif
}

#if !NET7_0_OR_GREATER
private static byte[] ConvertToRfc3279DerSequence(byte[] signature)
{
var writer = new AsnWriter(AsnEncodingRules.DER);
writer.PushSequence();
writer.WriteIntegerUnsigned(signature.AsSpan(0, signature.Length / 2)); // R value
writer.WriteIntegerUnsigned(signature.AsSpan(signature.Length / 2)); // S value
writer.PopSequence();
return writer.Encode();
}
#endif
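
Review bot: ConvertToRfc3279DerSequence splits the input at signature.Length / 2 and passes each fixed-width half straight to WriteIntegerUnsigned, with no check that the length is even and no handling of a half that starts with zero bytes. DER INTEGERs must be minimally encoded, so please confirm how the writer treats leading zeros (trim them before the call if it rejects or preserves them) and add a test with a signature whose R or S begins with 0x00. A short doc comment stating that the input is the fixed-width R || S concatenation would also help, since the NET7 branch hides that detail behind DSASignatureFormat.Rfc3279DerSequence.
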
Contributor Author

The fact that we format the signature in ASN.1 is not documented anywhere, and stumped me for some days. I sent feedback to update the documentation.
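
The encoding this comment refers to, as an added example that is not part of the PR or the SDK: an ECDSA signature is either the fixed-width concatenation r || s (IEEE P1363) or a DER SEQUENCE of two INTEGERs, and the conversion has two edge cases, leading zero bytes and a set high bit. The class and method names are hypothetical and the sample bytes are constructed.

```csharp
using System;
using System.Collections.Generic;

// Added example: hand-rolled IEEE P1363 (r || s) to DER conversion,
// written out so the byte layout and both edge cases are visible.
public static class P1363ToDerExample
{
    public static byte[] ToDer(ReadOnlySpan<byte> p1363)
    {
        if (p1363.IsEmpty || p1363.Length % 2 != 0)
            throw new ArgumentException("Expected fixed-width r || s.", nameof(p1363));
        int half = p1363.Length / 2;
        var body = new List<byte>();
        WriteInteger(body, p1363.Slice(0, half)); // r
        WriteInteger(body, p1363.Slice(half));    // s
        var der = new List<byte> { 0x30 };        // SEQUENCE tag
        WriteLength(der, body.Count);
        der.AddRange(body);
        return der.ToArray();
    }

    private static void WriteInteger(List<byte> output, ReadOnlySpan<byte> value)
    {
        // DER wants the minimal encoding: drop leading zero bytes, keep at least one byte.
        int start = 0;
        while (start < value.Length - 1 && value[start] == 0) start++;
        value = value.Slice(start);
        bool pad = value[0] >= 0x80; // a set high bit would otherwise read as negative
        output.Add(0x02);            // INTEGER tag
        WriteLength(output, value.Length + (pad ? 1 : 0));
        if (pad) output.Add(0x00);
        output.AddRange(value.ToArray());
    }

    private static void WriteLength(List<byte> output, int length)
    {
        if (length > 0xFF) throw new ArgumentException("Input too large for this example.");
        if (length >= 0x80) output.Add(0x81); // long form with one length byte
        output.Add((byte)length);
    }

    public static void Main()
    {
        // Constructed 4-byte-wide sample: r starts with 0x00, s has its high bit set.
        byte[] sample = { 0x00, 0x12, 0x34, 0x56, 0x80, 0x00, 0x00, 0x01 };
        Console.WriteLine(BitConverter.ToString(ToDer(sample)));
    }
}
```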

@@ -99,6 +120,7 @@ public string RegionSet
/// <summary>
/// Returns the full presigned Uri
/// </summary>
[Obsolete("This property is always empty in objects returned by AWS4aSigner. Use the ForQueryParameters property instead, to get the query parameters for a presigned URL.")]
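
Review bot: The <summary> above the new [Obsolete] attribute still reads "Returns the full presigned Uri", which contradicts the attribute message saying the property is always empty in objects returned by AWS4aSigner. Update the summary to match, and say in it whether any other producer still sets the value, so callers know when the property can be non-empty.
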
Contributor Author

There is a difference in how the SigV4 and SigV4a signing result types return presigned URLs. I think that obsoleting this SigV4a-only property and unifying with SigV4 is the better choice; for reference, there are zero usages of this property outside of the S3 library, which will need the Core bump from the replacement of AWS4aSignerCRTWrapper either way.

/// <summary>
/// AWS4a protocol signer for Amazon S3 presigned urls.
/// </summary>
public static class AWS4aPreSignedUrlSigner
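
Review bot: The summary on AWS4aPreSignedUrlSigner scopes the class to Amazon S3 presigned URLs, but the type name carries no S3 marker. If the class is S3-only, state that in a <remarks> element or reflect it in the name; if it is not, drop "Amazon S3" from the summary. "urls" in the summary should also be "URLs".
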
Contributor Author

I had the idea of making this a static class, unlike the SigV4 counterpart, which mostly has static members and an overridden method that always throws.

Contributor Author

This might need to be updated to account for the fact that the S3 library needs a newer Core version. How to write this?

The logic is moved to a separate function, and we guard from temporary resource leaks if multiple threads try to populate the cache.