Merge pull request #3656 from aws/zoewang/fixSigV4aChecksum

Updated the SDK to calculate checksums for checksum required sigv4a operations

Author: zoewangg

.changes/2.30.19.json

@@ -49,6 +49,12 @@
             "category": "OpenSearch Service Serverless",
             "contributor": "",
             "description": "Custom OpenSearchServerless Entity ID for SAML Config."
+        },
+        {
+            "type": "bugfix",
+            "category": "Amazon S3",
+            "contributor": "",
+            "description": "Fixed an issue in the S3 client where it skipped checksum calculation for operations that use SigV4a signing and require checksums. See [#5878](https://github.com/aws/aws-sdk-java-v2/issues/5878)."
         }
     ]
 }

CHANGELOG.md

@@ -32,6 +32,10 @@
   - ### Features
     - Custom OpenSearchServerless Entity ID for SAML Config.
 
+## __Amazon S3__
+- ### Bugfixes
+    - Fixed an issue in the S3 client where it skipped checksum calculation for operations that use SigV4a signing and require checksums. See [#5878](https://github.com/aws/aws-sdk-java-v2/issues/5878).
+
 # __2.30.18__ __2025-02-11__
 ## __AWS AppSync__
   - ### Features

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/crt/internal/signer/DefaultAwsCrtV4aHttpSigner.java

@@ -25,6 +25,7 @@
 import static software.amazon.awssdk.http.auth.aws.crt.internal.util.CrtHttpRequestConverter.toRequest;
 import static software.amazon.awssdk.http.auth.aws.crt.internal.util.CrtUtils.sanitizeRequest;
 import static software.amazon.awssdk.http.auth.aws.crt.internal.util.CrtUtils.toCredentials;
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.checksummer;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.hasChecksumHeader;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.isPayloadSigning;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.useChunkEncoding;
@@ -44,6 +45,7 @@
 import software.amazon.awssdk.crt.http.HttpRequest;
 import software.amazon.awssdk.http.ContentStreamProvider;
 import software.amazon.awssdk.http.SdkHttpRequest;
+import software.amazon.awssdk.http.auth.aws.internal.signer.Checksummer;
 import software.amazon.awssdk.http.auth.aws.internal.signer.CredentialScope;
 import software.amazon.awssdk.http.auth.aws.signer.AwsV4aHttpSigner;
 import software.amazon.awssdk.http.auth.aws.signer.RegionSet;
@@ -68,10 +70,11 @@ public final class DefaultAwsCrtV4aHttpSigner implements AwsV4aHttpSigner {
 
     @Override
     public SignedRequest sign(SignRequest<? extends AwsCredentialsIdentity> request) {
+        Checksummer checksummer = checksummer(request, null);
         V4aProperties v4aProperties = v4aProperties(request);
         AwsSigningConfig signingConfig = signingConfig(request, v4aProperties);
         V4aPayloadSigner payloadSigner = v4aPayloadSigner(request, v4aProperties);
-        return doSign(request, signingConfig, payloadSigner);
+        return doSign(request, checksummer, signingConfig, payloadSigner);
     }
 
     @Override
@@ -205,18 +208,21 @@ private static void configurePayloadSigning(AwsSigningConfig signingConfig, bool
     }
 
     private static SignedRequest doSign(SignRequest<? extends AwsCredentialsIdentity> request,
+                                        Checksummer checksummer,
                                         AwsSigningConfig signingConfig,
                                         V4aPayloadSigner payloadSigner) {
+
+        SdkHttpRequest.Builder requestBuilder = request.request().toBuilder();
         ContentStreamProvider contentStreamProvider = request.payload().orElse(null);
+
         if (isAnonymous(request.identity())) {
             return SignedRequest.builder()
                                 .request(request.request())
                                 .payload(contentStreamProvider)
                                 .build();
         }
 
-        SdkHttpRequest.Builder requestBuilder = request.request().toBuilder();
-
+        checksummer.checksum(contentStreamProvider, requestBuilder);
         payloadSigner.beforeSigning(requestBuilder, contentStreamProvider, signingConfig.getSignedBodyValue());
 
         SdkHttpRequest sdkHttpRequest = requestBuilder.build();

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/DefaultAwsV4HttpSigner.java

@@ -15,17 +15,14 @@
 
 package software.amazon.awssdk.http.auth.aws.internal.signer;
 
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.checksummer;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.hasChecksumHeader;
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.isEventStreaming;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.isPayloadSigning;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.useChunkEncoding;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.CredentialUtils.sanitizeCredentials;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.OptionalDependencyLoaderUtil.getEventStreamV4PayloadSigner;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.PRESIGN_URL_MAX_EXPIRATION_DURATION;
-import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_EVENTS_PAYLOAD;
-import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_SIGNED_PAYLOAD;
-import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_SIGNED_PAYLOAD_TRAILER;
-import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_UNSIGNED_PAYLOAD_TRAILER;
-import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.UNSIGNED_PAYLOAD;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.X_AMZ_TRAILER;
 
 import java.time.Clock;
@@ -35,7 +32,6 @@
 import java.util.function.Function;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.http.ContentStreamProvider;
-import software.amazon.awssdk.http.Header;
 import software.amazon.awssdk.http.SdkHttpRequest;
 import software.amazon.awssdk.http.auth.aws.internal.signer.util.CredentialUtils;
 import software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner;
@@ -129,51 +125,6 @@ private static V4RequestSigner v4RequestSigner(
         return requestSigner.apply(v4Properties);
     }
 
-    private static Checksummer checksummer(BaseSignRequest<?, ? extends AwsCredentialsIdentity> request,
-                                           Boolean isPayloadSigningOverride) {
-        boolean isPayloadSigning = isPayloadSigningOverride != null ? isPayloadSigningOverride : isPayloadSigning(request);
-        boolean isEventStreaming = isEventStreaming(request.request());
-        boolean hasChecksumHeader = hasChecksumHeader(request);
-        boolean isChunkEncoding = request.requireProperty(CHUNK_ENCODING_ENABLED, false);
-        boolean isTrailing = request.request().firstMatchingHeader(X_AMZ_TRAILER).isPresent();
-        boolean isFlexible = request.hasProperty(CHECKSUM_ALGORITHM) && !hasChecksumHeader;
-        boolean isAnonymous = CredentialUtils.isAnonymous(request.identity());
-
-        if (isEventStreaming) {
-            return Checksummer.forPrecomputed256Checksum(STREAMING_EVENTS_PAYLOAD);
-        }
-
-        if (isPayloadSigning) {
-            if (isChunkEncoding) {
-                if (isFlexible || isTrailing) {
-                    return Checksummer.forPrecomputed256Checksum(STREAMING_SIGNED_PAYLOAD_TRAILER);
-                }
-                return Checksummer.forPrecomputed256Checksum(STREAMING_SIGNED_PAYLOAD);
-            }
-
-            if (isFlexible) {
-                return Checksummer.forFlexibleChecksum(request.property(CHECKSUM_ALGORITHM));
-            }
-            return Checksummer.create();
-        }
-
-        if (isFlexible || isTrailing) {
-            if (isChunkEncoding) {
-                return Checksummer.forPrecomputed256Checksum(STREAMING_UNSIGNED_PAYLOAD_TRAILER);
-            }
-        }
-
-        if (isFlexible) {
-            return Checksummer.forFlexibleChecksum(UNSIGNED_PAYLOAD, request.property(CHECKSUM_ALGORITHM));
-        }
-
-        if (isAnonymous) {
-            return Checksummer.forNoOp();
-        }
-
-        return Checksummer.forPrecomputed256Checksum(UNSIGNED_PAYLOAD);
-    }
-
     /**
      * This is needed because of the pre-existing gap (pre-SRA) in behavior where we don't treat async + streaming + http +
      * unsigned-payload as signed-payload (fallback). We have to do some finagling of the payload-signing options before
@@ -310,8 +261,4 @@ private static Duration validateExpirationDuration(Duration expirationDuration)
     private static boolean isBetweenInclusive(Duration start, Duration x, Duration end) {
         return start.compareTo(x) <= 0 && x.compareTo(end) <= 0;
     }
-
-    private static boolean isEventStreaming(SdkHttpRequest request) {
-        return "application/vnd.amazon.eventstream".equals(request.firstMatchingHeader(Header.CONTENT_TYPE).orElse(""));
-    }
 }

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/util/ChecksumUtil.java

@@ -15,7 +15,14 @@
 
 package software.amazon.awssdk.http.auth.aws.internal.signer.util;
 
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_EVENTS_PAYLOAD;
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_SIGNED_PAYLOAD;
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_SIGNED_PAYLOAD_TRAILER;
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_UNSIGNED_PAYLOAD_TRAILER;
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.UNSIGNED_PAYLOAD;
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.X_AMZ_TRAILER;
 import static software.amazon.awssdk.http.auth.aws.signer.AwsV4FamilyHttpSigner.CHECKSUM_ALGORITHM;
+import static software.amazon.awssdk.http.auth.aws.signer.AwsV4FamilyHttpSigner.CHUNK_ENCODING_ENABLED;
 import static software.amazon.awssdk.http.auth.aws.signer.AwsV4FamilyHttpSigner.PAYLOAD_SIGNING_ENABLED;
 
 import java.io.InputStream;
@@ -24,6 +31,9 @@
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.checksums.SdkChecksum;
 import software.amazon.awssdk.checksums.spi.ChecksumAlgorithm;
+import software.amazon.awssdk.http.Header;
+import software.amazon.awssdk.http.SdkHttpRequest;
+import software.amazon.awssdk.http.auth.aws.internal.signer.Checksummer;
 import software.amazon.awssdk.http.auth.aws.internal.signer.checksums.ConstantChecksum;
 import software.amazon.awssdk.http.auth.spi.signer.BaseSignRequest;
 import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
@@ -141,4 +151,53 @@ public static boolean isPayloadSigning(BaseSignRequest<?, ? extends AwsCredentia
 
         return isPayloadSigningEnabled;
     }
+
+    public static boolean isEventStreaming(SdkHttpRequest request) {
+        return "application/vnd.amazon.eventstream".equals(request.firstMatchingHeader(Header.CONTENT_TYPE).orElse(""));
+    }
+
+    public static Checksummer checksummer(BaseSignRequest<?, ? extends AwsCredentialsIdentity> request,
+                                          Boolean isPayloadSigningOverride) {
+        boolean isPayloadSigning = isPayloadSigningOverride != null ? isPayloadSigningOverride : isPayloadSigning(request);
+        boolean isEventStreaming = isEventStreaming(request.request());
+        boolean hasChecksumHeader = hasChecksumHeader(request);
+        boolean isChunkEncoding = request.requireProperty(CHUNK_ENCODING_ENABLED, false);
+        boolean isTrailing = request.request().firstMatchingHeader(X_AMZ_TRAILER).isPresent();
+        boolean isFlexible = request.hasProperty(CHECKSUM_ALGORITHM) && !hasChecksumHeader;
+        boolean isAnonymous = CredentialUtils.isAnonymous(request.identity());
+
+        if (isEventStreaming) {
+            return Checksummer.forPrecomputed256Checksum(STREAMING_EVENTS_PAYLOAD);
+        }
+
+        if (isPayloadSigning) {
+            if (isChunkEncoding) {
+                if (isFlexible || isTrailing) {
+                    return Checksummer.forPrecomputed256Checksum(STREAMING_SIGNED_PAYLOAD_TRAILER);
+                }
+                return Checksummer.forPrecomputed256Checksum(STREAMING_SIGNED_PAYLOAD);
+            }
+
+            if (isFlexible) {
+                return Checksummer.forFlexibleChecksum(request.property(CHECKSUM_ALGORITHM));
+            }
+            return Checksummer.create();
+        }
+
+        if (isFlexible || isTrailing) {
+            if (isChunkEncoding) {
+                return Checksummer.forPrecomputed256Checksum(STREAMING_UNSIGNED_PAYLOAD_TRAILER);
+            }
+        }
+
+        if (isFlexible) {
+            return Checksummer.forFlexibleChecksum(UNSIGNED_PAYLOAD, request.property(CHECKSUM_ALGORITHM));
+        }
+
+        if (isAnonymous) {
+            return Checksummer.forNoOp();
+        }
+
+        return Checksummer.forPrecomputed256Checksum(UNSIGNED_PAYLOAD);
+    }
 }

core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/crt/TestUtils.java

@@ -60,7 +60,7 @@ public static <T extends AwsCredentialsIdentity> SignRequest<T> generateBasicReq
                                                      .uri(URI.create("https://demo.us-east-1.amazonaws.com"))
                                                      .build()
                                                      .copy(requestOverrides))
-                          .payload(() -> new ByteArrayInputStream("{\"TableName\": \"foo\"}".getBytes()))
+                          .payload(() -> new ByteArrayInputStream("Hello world".getBytes()))
                           .putProperty(REGION_SET, RegionSet.create("aws-global"))
                           .putProperty(SERVICE_SIGNING_NAME, "demo")
                           .putProperty(SIGNING_CLOCK, new TickingClock(Instant.ofEpochMilli(1596476903000L)))

core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/crt/internal/signer/DefaultAwsCrtV4aHttpSignerTest.java

@@ -19,6 +19,10 @@
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static software.amazon.awssdk.checksums.DefaultChecksumAlgorithm.CRC32;
+import static software.amazon.awssdk.checksums.DefaultChecksumAlgorithm.CRC32C;
+import static software.amazon.awssdk.checksums.DefaultChecksumAlgorithm.CRC64NVME;
+import static software.amazon.awssdk.checksums.DefaultChecksumAlgorithm.SHA1;
+import static software.amazon.awssdk.checksums.DefaultChecksumAlgorithm.SHA256;
 import static software.amazon.awssdk.crt.auth.signing.AwsSigningConfig.AwsSignatureType.HTTP_REQUEST_VIA_HEADERS;
 import static software.amazon.awssdk.crt.auth.signing.AwsSigningConfig.AwsSignatureType.HTTP_REQUEST_VIA_QUERY_PARAMS;
 import static software.amazon.awssdk.crt.auth.signing.AwsSigningConfig.AwsSignedBodyValue.STREAMING_AWS4_ECDSA_P256_SHA256_PAYLOAD;
@@ -45,8 +49,15 @@
 import java.time.Duration;
 import java.time.Instant;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.stream.Stream;
+import org.assertj.core.api.AssertionsForClassTypes;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+import software.amazon.awssdk.checksums.spi.ChecksumAlgorithm;
 import software.amazon.awssdk.crt.auth.signing.AwsSigningConfig;
 import software.amazon.awssdk.http.Header;
 import software.amazon.awssdk.http.SdkHttpMethod;
@@ -57,6 +68,7 @@
 import software.amazon.awssdk.http.auth.spi.signer.SignRequest;
 import software.amazon.awssdk.http.auth.spi.signer.SignedRequest;
 import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
+import software.amazon.awssdk.utils.ImmutableMap;
 
 
 /**
@@ -66,6 +78,19 @@ public class DefaultAwsCrtV4aHttpSignerTest {
 
     DefaultAwsCrtV4aHttpSigner signer = new DefaultAwsCrtV4aHttpSigner();
 
+    private static final Map<ChecksumAlgorithm, String> ALGORITHM_TO_VALUE = ImmutableMap.<ChecksumAlgorithm, String>builder()
+                                                                              .put(CRC32, "i9aeUg==")
+                                                                              .put(CRC32C, "crUfeA==")
+                                                                              .put(SHA1, "e1AsOh9IyGCa4hLN+2Od7jlnP14=")
+                                                                              .put(SHA256,
+                                                                                   "ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuyjfzw=")
+                                                                              .put(CRC64NVME, "OOJZ0D8xKts=")
+                                                                              .build();
+
+    public static Stream<Map.Entry<ChecksumAlgorithm, String>> checksumAlgorithmToValueParams() {
+        return ALGORITHM_TO_VALUE.entrySet().stream();
+    }
+
     @Test
     public void sign_withBasicRequest_shouldSignWithHeaders() {
         AwsCredentialsIdentity credentials =
@@ -356,4 +381,35 @@ public void sign_WithPayloadSigningFalseAndChunkEncodingTrueWithoutTrailer_Deleg
         assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue("UNSIGNED-PAYLOAD");
         assertThat(signedRequest.request().firstMatchingHeader("x-amz-decoded-content-length")).isNotPresent();
     }
+
+    @ParameterizedTest
+    @MethodSource("checksumAlgorithmToValueParams")
+    public void sign_checksumAlgorithmPresent_shouldAddChecksumHeader(Map.Entry<ChecksumAlgorithm, String> checksumToValue) {
+        ChecksumAlgorithm checksumAlgorithm = checksumToValue.getKey();
+        SignRequest<? extends AwsCredentialsIdentity> request = generateBasicRequest(
+            AwsCredentialsIdentity.create("access", "secret"),
+            httpRequest -> {
+            },
+            signRequest -> signRequest.putProperty(CHECKSUM_ALGORITHM, checksumAlgorithm)
+        );
+
+        SignedRequest signedRequest = signer.sign(request);
+       assertThat(signedRequest.request().firstMatchingHeader("x-amz-checksum-" + checksumAlgorithm.algorithmId()
+                                                                                                   .toLowerCase(Locale.US)))
+           .contains(checksumToValue.getValue());
+    }
+
+    @Test
+    public void sign_checksumValueProvided_shouldNotOverrideChecksumHeader() {
+        SignRequest<? extends AwsCredentialsIdentity> request = generateBasicRequest(
+            AwsCredentialsIdentity.create("access", "secret"),
+                httpRequest -> httpRequest
+                    .putHeader("x-amz-checksum-crc32", "some value"),
+            signRequest -> signRequest.putProperty(CHECKSUM_ALGORITHM, CRC32)
+        );
+
+        SignedRequest signedRequest = signer.sign(request);
+        assertThat(signedRequest.request().firstMatchingHeader("x-amz-checksum-crc32"))
+            .contains("some value");
+    }
 }