aws · teo-tsirpanis · Jun 8, 2025 · Jun 21, 2025 · Jun 21, 2025 · Jul 19, 2025
diff --git a/README.md b/README.md
@@ -71,11 +71,9 @@ You can find the archive for _**legacy**_ Unity support at https://github.com/aw
 
 This SDK has optional functionality that requires the [AWS Common Runtime (CRT)](https://docs.aws.amazon.com/sdkref/latest/guide/common-runtime.html)
 bindings to be included as a dependency with your application. This functionality includes:
-* [Amazon S3 Multi-Region Access Points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPoints.html)
 * [Amazon S3 Object Integrity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html)
-* Amazon EventBridge Global Endpoints
 
-If the required AWS Common Runtime components are not installed you will receive an error like `Attempting to make a request that requires an implementation of AWS Signature V4a. Add a reference to the AWSSDK.Extensions.CrtIntegration NuGet package to your project to include the AWS Signature V4a signer.`,
+If the required AWS Common Runtime components are not installed you will receive an error like `Attempting to handle a request that requires additional checksums. Add a reference to the AWSSDK.Extensions.CrtIntegration NuGet package to your project to include the AWS Common Runtime checksum implementation.`,
 indicating that the required dependency is missing to use the associated functionality. To install this dependency follow
 the provided [instructions](#installing-the-aws-common-runtime-crt-dependency).
 

diff --git a/extensions/src/AWSSDK.Extensions.CrtIntegration/CrtAWS4aSigner.cs b/extensions/src/AWSSDK.Extensions.CrtIntegration/CrtAWS4aSigner.cs
@@ -24,6 +24,7 @@
 using AWSSDK.Extensions.CrtIntegration;
 using System;
 using System.Collections.Generic;
+using System.ComponentModel;
 using System.Globalization;
 using System.IO;
 using System.Linq;
@@ -34,6 +35,7 @@ namespace Amazon.Extensions.CrtIntegration
     /// <summary>
     /// Asymmetric Sigv4 (SigV4a) protocol signer using the implementation provided by Aws.Crt.Auth
     /// </summary>
+    [Obsolete("Use Amazon.Runtime.Internal.Auth.AWS4aSigner instead."), EditorBrowsable(EditorBrowsableState.Never)]
     public class CrtAWS4aSigner : IAWSSigV4aProvider
     {
         /// <summary>

diff --git a/generator/.DevConfigs/b495f893-31aa-4e17-866c-af78e4da6e8b.json b/generator/.DevConfigs/b495f893-31aa-4e17-866c-af78e4da6e8b.json
@@ -0,0 +1,10 @@
+{
+  "core": {
+    "updateMinimum": false,
+    "type": "patch",
+    "changeLogMessages": [
+      "Added AWS4aSigner class that implements SigV4a signing in managed code. AWS CRT is no longer used by the SDK for this purpose, and the related APIs were deprecated.",
+      "The AWS4aSigningResult.PresignedUri property was deprecated and will always be empty in objects returned by AWS4aSigner. Use the ForQueryParameters property instead, to get the query parameters for a presigned URL."
+    ]
+  }
+}
diff --git a/sdk/src/Core/AWSSDK.Core.NetFramework.csproj b/sdk/src/Core/AWSSDK.Core.NetFramework.csproj
@@ -70,6 +70,7 @@
 
   <ItemGroup>
     <PackageReference Include="System.Buffers" Version="4.5.1" />
+    <PackageReference Include="System.Formats.Asn1" Version="6.0.1" />
     <PackageReference Include="System.Memory" Version="4.5.5" />
       <!-- Powershell (pwsh) will have a preloaded version of System.Text.Json that is older than
       the version we will ship in core nuget packages and dlls, so we compile with an  older version of STJ

diff --git a/sdk/src/Core/AWSSDK.Core.NetStandard.csproj b/sdk/src/Core/AWSSDK.Core.NetStandard.csproj
@@ -88,6 +88,11 @@
       an older version of System.Text.Json.  -->
     <PackageReference Include="System.Text.Json" Version="6.0.11" />
   </ItemGroup>
-    <Import Project="overrides.targets"/>
+  <ItemGroup Condition="'$(TargetFramework)' != 'net8.0'">
+    <!-- Version 8.x emits a warning about being unsupported on .NET Core 3.1, so we use 6.x.
+    Also, 6.0.0 has a vulnerability. -->
+    <PackageReference Include="System.Formats.Asn1" Version="6.0.1" />
+  </ItemGroup>
+  <Import Project="overrides.targets" />
 
 </Project>
diff --git a/sdk/src/Core/Amazon.Runtime/Credentials/ImmutableCredentials.cs b/sdk/src/Core/Amazon.Runtime/Credentials/ImmutableCredentials.cs
@@ -15,6 +15,7 @@
 using Amazon.Runtime.Internal.Util;
 using Amazon.Util;
 using System;
+using System.Security.Cryptography;
 
 namespace Amazon.Runtime
 {
@@ -55,6 +56,14 @@ public class ImmutableCredentials
         /// Account-based endpoints take the form https://accountid.ddb.region.amazonaws.com
         /// </summary>
         public string AccountId { get; private set; }
+
+        /// <summary>
+        /// Gets a cached AWS4a signing key for the current credentials.
+        /// </summary>
+        /// <remarks>
+        /// The key must not be disposed, and must not be returned to the user.
+        /// </remarks>
+        internal ECDsa AWS4aSigningKey { get; set; }
         #endregion
 
 

diff --git a/sdk/src/Core/Amazon.Runtime/Credentials/Internal/AwsV4aAuthScheme.cs b/sdk/src/Core/Amazon.Runtime/Credentials/Internal/AwsV4aAuthScheme.cs
@@ -13,7 +13,6 @@
 * permissions and limitations under the License.
 */
 
-using System.Threading;
 using Amazon.Runtime.Identity;
 using Amazon.Runtime.Internal.Auth;
 
@@ -25,7 +24,7 @@ namespace Amazon.Runtime.Credentials.Internal
     /// </summary>
     public class AwsV4aAuthScheme : IAuthScheme<AWSCredentials>
     {
-        private static ISigner _signer;
+        private static readonly ISigner _signer = new AWS4aSigner();
 
         /// <inheritdoc/>
         public string SchemeId => AuthSchemeOption.SigV4A;
@@ -35,14 +34,6 @@ public IIdentityResolver GetIdentityResolver(IIdentityResolverConfiguration conf
             => configuration.GetIdentityResolver<AWSCredentials>();
 
         /// <inheritdoc/>
-        public ISigner Signer()
-        {
-            if (_signer == null)
-            {
-                Interlocked.Exchange(ref _signer, new AWS4aSignerCRTWrapper());
-            }
-
-            return _signer;
-        }
+        public ISigner Signer() => _signer;
     }
 }
diff --git a/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4Signer.cs b/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4Signer.cs
@@ -1,4 +1,4 @@
-/*
+/*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * 
  * Licensed under the Apache License, Version 2.0 (the "License").
@@ -31,7 +31,6 @@ namespace Amazon.Runtime.Internal.Auth
     /// </summary>
     public class AWS4Signer : AbstractAWSSigner
     {
-
         public const string Scheme = "AWS4";
         public const string Algorithm = "HMAC-SHA256";
         public const string Sigv4aAlgorithm = "ECDSA-P256-SHA256";
@@ -299,7 +298,7 @@ private static void CleanHeaders(IDictionary<string, string> headers)
             }
         }
 
-        private static void ValidateRequest(IRequest request)
+        internal static void ValidateRequest(IRequest request)
         {
             Uri url = request.Endpoint;
 
@@ -630,7 +629,7 @@ public static byte[] ComputeHash(byte[] data)
         #endregion
 
         #region Private Signing Helpers
-        static string SetPayloadSignatureHeader(IRequest request, string payloadHash)
+        internal static string SetPayloadSignatureHeader(IRequest request, string payloadHash)
         {
             if (request.Headers.ContainsKey(HeaderKeys.XAmzContentSha256Header))
                 request.Headers[HeaderKeys.XAmzContentSha256Header] = payloadHash;
@@ -704,7 +703,7 @@ public static string DetermineService(IClientConfig clientConfig, IRequest reque
         /// will look for the hash as a header on the request.
         /// </param>
         /// <returns>Canonicalised request as a string</returns>
-        protected static string CanonicalizeRequest(Uri endpoint,
+        protected internal static string CanonicalizeRequest(Uri endpoint,
                                                     string resourcePath,
                                                     string httpMethod,
                                                     IDictionary<string, string> sortedHeaders,
@@ -728,7 +727,7 @@ protected static string CanonicalizeRequest(Uri endpoint,
         /// will look for the hash as a header on the request.
         /// </param>
         /// <returns>Canonicalised request as a string</returns>
-        protected static string CanonicalizeRequest(Uri endpoint,
+        protected internal static string CanonicalizeRequest(Uri endpoint,
                                                     string resourcePath,
                                                     string httpMethod,
                                                     IDictionary<string, string> sortedHeaders,
@@ -761,7 +760,7 @@ protected static string CanonicalizeRequest(Uri endpoint,
         /// </param>
         /// <param name="doubleEncode">Encode "/" when canonicalize resource path</param>
         /// <returns>Canonicalised request as a string</returns>
-        protected static string CanonicalizeRequest(Uri endpoint,
+        protected internal static string CanonicalizeRequest(Uri endpoint,
                                                     string resourcePath,
                                                     string httpMethod,
                                                     IDictionary<string, string> sortedHeaders,
@@ -866,7 +865,7 @@ protected internal static string CanonicalizeHeaders(IEnumerable<KeyValuePair<st
         /// </summary>
         /// <param name="sortedHeaders">The headers included in the signature</param>
         /// <returns>Formatted string of header names</returns>
-        protected static string CanonicalizeHeaderNames(IEnumerable<KeyValuePair<string, string>> sortedHeaders)
+        protected internal static string CanonicalizeHeaderNames(IEnumerable<KeyValuePair<string, string>> sortedHeaders)
         {
             var builder = new ValueStringBuilder(512);
 
@@ -886,7 +885,7 @@ protected static string CanonicalizeHeaderNames(IEnumerable<KeyValuePair<string,
         /// </summary>
         /// <param name="request">The in-flight request being signed</param>
         /// <returns>The fused set of parameters</returns>
-        protected static List<KeyValuePair<string, string>> GetParametersToCanonicalize(IRequest request)
+        protected internal static List<KeyValuePair<string, string>> GetParametersToCanonicalize(IRequest request)
         {
             var parametersToCanonicalize = new List<KeyValuePair<string, string>>();
 
@@ -968,7 +967,7 @@ protected static string CanonicalizeQueryParameters(string queryString, bool uri
             return CanonicalizeQueryParameters(queryParams, uriEncodeParameters: uriEncodeParameters);
         }
 
-        protected static string CanonicalizeQueryParameters(IEnumerable<KeyValuePair<string, string>> parameters)
+        protected internal static string CanonicalizeQueryParameters(IEnumerable<KeyValuePair<string, string>> parameters)
         {
             return CanonicalizeQueryParameters(parameters, true);
         }