aws-sigv4 1.4.1.crt → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f4ebc6670c011eafdb6f2ca33ee5894dd723f10f1ad23ea296837bb41355a77
-  data.tar.gz: 6e69783f73330b8559390d56718e0fe48cb117f4fc07ae8c808a2d6ebea6263f
+  metadata.gz: 709cebb0799ad1e75e1f1e69413798d4da1d523332abc0ac59899e9686aa2e07
+  data.tar.gz: a4751a6a7c2356bf76b2ac550f8320e3f8b24951415eaddf1328271c1835f2d3
 SHA512:
-  metadata.gz: 2ba3f4da7f88b55f0529e9d23a4cc6a039abb6e1af7d939a9fe2679232c28ba80f7b2791758d39f67940cfa180c631f92ec424753a38f346b290132a95263ba6
-  data.tar.gz: 9fdee7aeff9a4764bb7a2395628ba5a9e52b8fe1e21adf165b48ed6241e3a2b71b7cff2d7597dba2696e49009963589244410e276898a3807945cb659865a0b6
+  metadata.gz: 07ebb364959ed8bf62c39192707a30caef1127fcf0ab078dab30ecaf695b2a9e22caa017a773987dac297615dfc824eeb8cc04a60a604837024ee850f6812dd2
+  data.tar.gz: f9e93932e59b1d43b92aa2c74d33d7553490ecf84ff61b491321c0b031896f30b5375c8a5f2c81d8514691917096e7c3dd5cc298c3a3fa5e6876cabb1f458c8e

data/CHANGELOG.md

@@ -1,11 +1,20 @@
 Unreleased Changes
 ------------------
 
+1.5.0 (2022-04-20)
+------------------
+
+* Feature - Use CRT based signers if `aws-crt` is available - provides support for `sigv4a`.
+
+1.4.0 (2021-09-02)
+------------------
+
+* Feature - add `signing_algorithm` option with `sigv4` default.
 
-1.3.0.crt (2021-08-04)
+1.3.0 (2021-09-01)
 ------------------
 
-* Feature - Preview release of `aws-sigv4` version 1.3.0.crt gem - uses the Common Runtime (CRT) for signing and support for sigv4a.
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 1.9, 2.0, 2.1, and 2.2.
 
 1.2.4 (2021-07-08)
 ------------------

data/VERSION

@@ -1 +1 @@
-1.4.1.crt
+1.5.0

data/lib/aws-sigv4/credentials.rb

@@ -11,10 +11,7 @@ module Aws
       # @option options [required, String] :secret_access_key
       # @option options [String, nil] :session_token (nil)
       def initialize(options = {})
-        if options[:access_key_id] && options[:secret_access_key] &&
-          !options[:access_key_id].empty? &&
-          !options[:secret_access_key].empty?
-
+        if options[:access_key_id] && options[:secret_access_key]
           @access_key_id = options[:access_key_id]
           @secret_access_key = options[:secret_access_key]
           @session_token = options[:session_token]
@@ -54,8 +51,8 @@ module Aws
       # @option options [String] :session_token (nil)
       def initialize(options = {})
         @credentials = options[:credentials] ?
-                         options[:credentials] :
-                         Credentials.new(options)
+          options[:credentials] :
+          Credentials.new(options)
       end
 
       # @return [Credentials]
@@ -66,5 +63,6 @@ module Aws
         !!credentials && credentials.set?
       end
     end
+
   end
 end

data/lib/aws-sigv4/request.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'uri'
+
+module Aws
+  module Sigv4
+    class Request
+
+      # @option options [required, String] :http_method
+      # @option options [required, HTTP::URI, HTTPS::URI, String] :endpoint
+      # @option options [Hash<String,String>] :headers ({})
+      # @option options [String, IO] :body ('')
+      def initialize(options = {})
+        @http_method = nil
+        @endpoint = nil
+        @headers = {}
+        @body = ''
+        options.each_pair do |attr_name, attr_value|
+          send("#{attr_name}=", attr_value)
+        end
+      end
+
+      # @param [String] http_method One of 'GET', 'PUT', 'POST', 'DELETE', 'HEAD', or 'PATCH'
+      def http_method=(http_method)
+        @http_method = http_method
+      end
+
+      # @return [String] One of 'GET', 'PUT', 'POST', 'DELETE', 'HEAD', or 'PATCH'
+      def http_method
+        @http_method
+      end
+
+      # @param [String, HTTP::URI, HTTPS::URI] endpoint
+      def endpoint=(endpoint)
+        @endpoint = URI.parse(endpoint.to_s)
+      end
+
+      # @return [HTTP::URI, HTTPS::URI]
+      def endpoint
+        @endpoint
+      end
+
+      # @param [Hash] headers
+      def headers=(headers)
+        @headers = headers
+      end
+
+      # @return [Hash<String,String>]
+      def headers
+        @headers
+      end
+
+      # @param [String, IO] body
+      def body=(body)
+        @body = body
+      end
+
+      # @return [String, IO]
+      def body
+        @body
+      end
+
+    end
+  end
+end

data/lib/aws-sigv4/signature.rb

@@ -32,8 +32,8 @@ module Aws
       # @return [String] For debugging purposes.
       attr_accessor :content_sha256
 
+      # @return [Hash] Internal data for debugging purposes.
       attr_accessor :extra
-
     end
   end
 end

data/lib/aws-sigv4/signer.rb

@@ -1,16 +1,79 @@
 # frozen_string_literal: true
 
 require 'openssl'
-require 'time'
 require 'tempfile'
+require 'time'
 require 'uri'
 require 'set'
+require 'cgi'
 require 'aws-eventstream'
 
 module Aws
   module Sigv4
-    # Utility class for creating AWS signature version 4 signature.
+
+    # Utility class for creating AWS signature version 4 signature. This class
+    # provides two methods for generating signatures:
+    #
+    # * {#sign_request} - Computes a signature of the given request, returning
+    #   the hash of headers that should be applied to the request.
+    #
+    # * {#presign_url} - Computes a presigned request with an expiration.
+    #   By default, the body of this request is not signed and the request
+    #   expires in 15 minutes.
+    #
+    # ## Configuration
+    #
+    # To use the signer, you need to specify the service, region, and credentials.
+    # The service name is normally the endpoint prefix to an AWS service. For
+    # example:
+    #
+    #     ec2.us-west-1.amazonaws.com => ec2
+    #
+    # The region is normally the second portion of the endpoint, following
+    # the service name.
+    #
+    #     ec2.us-west-1.amazonaws.com => us-west-1
+    #
+    # It is important to have the correct service and region name, or the
+    # signature will be invalid.
+    #
+    # ## Credentials
+    #
+    # The signer requires credentials. You can configure the signer
+    # with static credentials:
+    #
+    #     signer = Aws::Sigv4::Signer.new(
+    #       service: 's3',
+    #       region: 'us-east-1',
+    #       # static credentials
+    #       access_key_id: 'akid',
+    #       secret_access_key: 'secret'
+    #     )
+    #
+    # You can also provide refreshing credentials via the `:credentials_provider`.
+    # If you are using the AWS SDK for Ruby, you can use any of the credential
+    # classes:
+    #
+    #     signer = Aws::Sigv4::Signer.new(
+    #       service: 's3',
+    #       region: 'us-east-1',
+    #       credentials_provider: Aws::InstanceProfileCredentials.new
+    #     )
+    #
+    # Other AWS SDK for Ruby classes that can be provided via `:credentials_provider`:
+    #
+    # * `Aws::Credentials`
+    # * `Aws::SharedCredentials`
+    # * `Aws::InstanceProfileCredentials`
+    # * `Aws::AssumeRoleCredentials`
+    # * `Aws::ECSCredentials`
+    #
+    # A credential provider is any object that responds to `#credentials`
+    # returning another object that responds to `#access_key_id`, `#secret_access_key`,
+    # and `#session_token`.
+    #
     class Signer
+
       # @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
       #   @param [String] :region The region name, e.g. 'us-east-1'.
@@ -55,19 +118,23 @@ module Aws
       #   headers. This is required for AWS Glacier, and optional for
       #   every other AWS service as of late 2016.
       #
-      # @option options [Boolean] :omit_session_token (false) If `true`,
+      # @option options [Symbol] :signing_algorithm (:sigv4) The
+      #   algorithm to use for signing.  :sigv4a is only supported when
+      #   `aws-crt` is available.
+      #
+      # @option options [Boolean] :omit_session_token (false)
+      #   (Supported only when `aws-crt` is available) If `true`,
       #   then security token is added to the final signing result,
       #   but is treated as "unsigned" and does not contribute
       #   to the authorization signature.
       #
-      # @option options [Boolean] :normalize_path (true) When `true`,
-      #   the uri paths will be normalized when building the canonical request
+      # @option options [Boolean] :normalize_path (true) (Supported only when `aws-crt` is available)
+      #   When `true`, the uri paths will be normalized when building the canonical request
       def initialize(options = {})
         @service = extract_service(options)
         @region = extract_region(options)
         @credentials_provider = extract_credentials_provider(options)
-        @unsigned_headers = Set.new((options.fetch(:unsigned_headers, []))
-                                    .map(&:downcase))
+        @unsigned_headers = Set.new((options.fetch(:unsigned_headers, [])).map(&:downcase))
         @unsigned_headers << 'authorization'
         @unsigned_headers << 'x-amzn-trace-id'
         @unsigned_headers << 'expect'
@@ -76,6 +143,12 @@ module Aws
         @signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
         @normalize_path = options.fetch(:normalize_path, true)
         @omit_session_token = options.fetch(:omit_session_token, false)
+
+        if @signing_algorithm == :sigv4a && !Signer.use_crt?
+          raise ArgumentError, 'You are attempting to sign a' \
+' request with sigv4a which requires the `aws-crt` gem.'\
+' Please install the gem or add it to your gemfile.'
+        end
       end
 
       # @return [String]
@@ -151,65 +224,105 @@ module Aws
       #   a `#headers` method. The headers must be applied to your request.
       #
       def sign_request(request)
+
+        return crt_sign_request(request) if Signer.use_crt?
+
         creds = fetch_credentials
 
         http_method = extract_http_method(request)
         url = extract_url(request)
         headers = downcase_headers(request[:headers])
 
-        datetime =
-          if headers.include? 'x-amz-date'
-            Time.parse(headers.delete('x-amz-date'))
-          end
+        datetime = headers['x-amz-date']
+        datetime ||= Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
+        date = datetime[0,8]
 
-        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 = headers['x-amz-content-sha256']
         content_sha256 ||= sha256_hexdigest(request[:body] || '')
 
         sigv4_headers = {}
         sigv4_headers['host'] = headers['host'] || host(url)
-
-        # Modify the user-agent to add usage of crt-signer
-        # This should be temporary during developer preview only
-        if headers.include? 'user-agent'
-          headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
-          sigv4_headers['user-agent'] = headers['user-agent']
-        end
+        sigv4_headers['x-amz-date'] = datetime
+        sigv4_headers['x-amz-security-token'] = creds.session_token if creds.session_token
+        sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
 
         headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
 
-        config = Aws::Crt::Auth::SigningConfig.new(
-          algorithm: @signing_algorithm,
-          signature_type: :http_request_headers,
-          region: @region,
-          service: @service,
-          date: datetime,
-          signed_body_value: content_sha256,
-          signed_body_header_type: @apply_checksum_header ?
-            :sbht_content_sha256 : :sbht_none,
-          credentials: creds,
-          unsigned_headers: @unsigned_headers,
-          use_double_uri_encode: @uri_escape_path,
-          should_normalize_uri_path: @normalize_path,
-          omit_session_token: @omit_session_token
-        )
-        http_request = Aws::Crt::Http::Message.new(
-          http_method, url.to_s, headers
-        )
-        signable = Aws::Crt::Auth::Signable.new(http_request)
+        # compute signature parts
+        creq = canonical_request(http_method, url, headers, content_sha256)
+        sts = string_to_sign(datetime, creq)
+        sig = signature(creds.secret_access_key, date, sts)
 
-        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
+        # apply signature
+        sigv4_headers['authorization'] = [
+          "AWS4-HMAC-SHA256 Credential=#{credential(creds, date)}",
+          "SignedHeaders=#{signed_headers(headers)}",
+          "Signature=#{sig}",
+        ].join(', ')
 
+        # Returning the signature components.
         Signature.new(
-          headers: sigv4_headers.merge(
-            downcase_headers(signing_result[:headers])
-          ),
-          string_to_sign: 'CRT_INTERNAL',
-          canonical_request: 'CRT_INTERNAL',
-          content_sha256: content_sha256,
-          extra: {config: config, signable: signable}
+          headers: sigv4_headers,
+          string_to_sign: sts,
+          canonical_request: creq,
+          content_sha256: content_sha256
         )
       end
 
+      # Signs a event and returns signature headers and prior signature
+      # used for next event signing.
+      #
+      # Headers of a sigv4 signed event message only contains 2 headers
+      #   * ':chunk-signature'
+      #     * computed signature of the event, binary string, 'bytes' type
+      #   * ':date'
+      #     * millisecond since epoch, 'timestamp' type
+      #
+      # Payload of the sigv4 signed event message contains eventstream encoded message
+      # which is serialized based on input and protocol
+      #
+      # To sign events
+      #
+      #     headers_0, signature_0 = signer.sign_event(
+      #       prior_signature, # hex-encoded string
+      #       payload_0, # binary string (eventstream encoded event 0)
+      #       encoder, # Aws::EventStreamEncoder
+      #     )
+      #
+      #     headers_1, signature_1 = signer.sign_event(
+      #       signature_0,
+      #       payload_1, # binary string (eventstream encoded event 1)
+      #       encoder
+      #     )
+      #
+      # The initial prior_signature should be using the signature computed at initial request
+      #
+      # Note:
+      #
+      #   Since ':chunk-signature' header value has bytes type, the signature value provided
+      #   needs to be a binary string instead of a hex-encoded string (like original signature
+      #   V4 algorithm). Thus, when returning signature value used for next event siging, the
+      #   signature value (a binary string) used at ':chunk-signature' needs to converted to
+      #   hex-encoded string using #unpack
+      def sign_event(prior_signature, payload, encoder)
+        # Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
+        creds = fetch_credentials
+        time = Time.now
+        headers = {}
+
+        datetime = time.utc.strftime("%Y%m%dT%H%M%SZ")
+        date = datetime[0,8]
+        headers[':date'] = Aws::EventStream::HeaderValue.new(value: time.to_i * 1000, type: 'timestamp')
+
+        sts = event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        sig = event_signature(creds.secret_access_key, date, sts)
+
+        headers[':chunk-signature'] = Aws::EventStream::HeaderValue.new(value: sig, type: 'bytes')
+
+        # Returning signed headers and signature value in hex-encoded string
+        [headers, sig.unpack('H*').first]
+      end
+
       # Signs a URL with query authentication. Using query parameters
       # to authenticate requests is useful when you want to express a
       # request entirely in a URL. This method is also referred as
@@ -279,120 +392,249 @@ module Aws
       # @return [HTTPS::URI, HTTP::URI]
       #
       def presign_url(options)
+
+        return crt_presign_url(options) if Signer.use_crt?
+
         creds = fetch_credentials
 
         http_method = extract_http_method(options)
         url = extract_url(options)
+
         headers = downcase_headers(options[:headers])
         headers['host'] ||= host(url)
 
-        datetime = headers.delete('x-amz-date')
-        datetime ||= (options[:time] || Time.now)
+        datetime = headers['x-amz-date']
+        datetime ||= (options[:time] || Time.now).utc.strftime("%Y%m%dT%H%M%SZ")
+        date = datetime[0,8]
 
-        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 = headers['x-amz-content-sha256']
         content_sha256 ||= options[:body_digest]
         content_sha256 ||= sha256_hexdigest(options[:body] || '')
 
-        config = Aws::Crt::Auth::SigningConfig.new(
-          algorithm: @signing_algorithm,
-          signature_type: :http_request_query_params,
-          region: @region,
-          service: @service,
-          date: datetime,
-          signed_body_value: content_sha256,
-          signed_body_header_type: @apply_checksum_header ?
-            :sbht_content_sha256 : :sbht_none,
-          credentials: creds,
-          unsigned_headers: @unsigned_headers,
-          use_double_uri_encode: @uri_escape_path,
-          should_normalize_uri_path: @normalize_path,
-          omit_session_token: @omit_session_token,
-          expiration_in_seconds: options.fetch(:expires_in, 900)
-        )
-        http_request = Aws::Crt::Http::Message.new(
-          http_method, url.to_s, headers
-        )
-        signable = Aws::Crt::Auth::Signable.new(http_request)
+        params = {}
+        params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
+        params['X-Amz-Credential'] = credential(creds, date)
+        params['X-Amz-Date'] = datetime
+        params['X-Amz-Expires'] = extract_expires_in(options)
+        params['X-Amz-Security-Token'] = creds.session_token if creds.session_token
+        params['X-Amz-SignedHeaders'] = signed_headers(headers)
 
-        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
-        url = URI.parse(signing_result[:path])
+        params = params.map do |key, value|
+          "#{uri_escape(key)}=#{uri_escape(value)}"
+        end.join('&')
 
-        if options[:extra] && options[:extra].is_a?(Hash)
-          options[:extra][:config] = config
-          options[:extra][:signable] = signable
+        if url.query
+          url.query += '&' + params
+        else
+          url.query = params
         end
+
+        creq = canonical_request(http_method, url, headers, content_sha256)
+        sts = string_to_sign(datetime, creq)
+        url.query += '&X-Amz-Signature=' + signature(creds.secret_access_key, date, sts)
         url
       end
 
+      private
 
-      # Signs a event and returns signature headers and prior signature
-      # used for next event signing.
-      #
-      # Headers of a sigv4 signed event message only contains 2 headers
-      #   * ':chunk-signature'
-      #     * computed signature of the event, binary string, 'bytes' type
-      #   * ':date'
-      #     * millisecond since epoch, 'timestamp' type
-      #
-      # Payload of the sigv4 signed event message contains eventstream encoded message
-      # which is serialized based on input and protocol
-      #
-      # To sign events
-      #
-      #     headers_0, signature_0 = signer.sign_event(
-      #       prior_signature, # hex-encoded string
-      #       payload_0, # binary string (eventstream encoded event 0)
-      #       encoder, # Aws::EventStreamEncoder
-      #     )
-      #
-      #     headers_1, signature_1 = signer.sign_event(
-      #       signature_0,
-      #       payload_1, # binary string (eventstream encoded event 1)
-      #       encoder
-      #     )
-      #
-      # The initial prior_signature should be using the signature computed at initial request
+      def canonical_request(http_method, url, headers, content_sha256)
+        [
+          http_method,
+          path(url),
+          normalized_querystring(url.query || ''),
+          canonical_headers(headers) + "\n",
+          signed_headers(headers),
+          content_sha256,
+        ].join("\n")
+      end
+
+      def string_to_sign(datetime, canonical_request)
+        [
+          'AWS4-HMAC-SHA256',
+          datetime,
+          credential_scope(datetime[0,8]),
+          sha256_hexdigest(canonical_request),
+        ].join("\n")
+      end
+
+      # Compared to original #string_to_sign at signature v4 algorithm
+      # there is no canonical_request concept for an eventstream event,
+      # instead, an event contains headers and payload two parts, and
+      # they will be used for computing digest in #event_string_to_sign
       #
       # Note:
+      #   While headers need to be encoded under eventstream format,
+      #   payload used is already eventstream encoded (event without signature),
+      #   thus no extra encoding is needed.
+      def event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        encoded_headers = encoder.encode_headers(
+          Aws::EventStream::Message.new(headers: headers, payload: payload)
+        )
+        [
+          "AWS4-HMAC-SHA256-PAYLOAD",
+          datetime,
+          credential_scope(datetime[0,8]),
+          prior_signature,
+          sha256_hexdigest(encoded_headers),
+          sha256_hexdigest(payload)
+        ].join("\n")
+      end
+
+      def credential_scope(date)
+        [
+          date,
+          @region,
+          @service,
+          'aws4_request',
+        ].join('/')
+      end
+
+      def credential(credentials, date)
+        "#{credentials.access_key_id}/#{credential_scope(date)}"
+      end
+
+      def signature(secret_access_key, date, string_to_sign)
+        k_date = hmac("AWS4" + secret_access_key, date)
+        k_region = hmac(k_date, @region)
+        k_service = hmac(k_region, @service)
+        k_credentials = hmac(k_service, 'aws4_request')
+        hexhmac(k_credentials, string_to_sign)
+      end
+
+      # Comparing to original signature v4 algorithm,
+      # returned signature is a binary string instread of
+      # hex-encoded string. (Since ':chunk-signature' requires
+      # 'bytes' type)
       #
-      #   Since ':chunk-signature' header value has bytes type, the signature value provided
-      #   needs to be a binary string instead of a hex-encoded string (like original signature
-      #   V4 algorithm). Thus, when returning signature value used for next event siging, the
-      #   signature value (a binary string) used at ':chunk-signature' needs to converted to
-      #   hex-encoded string using #unpack
-      def sign_event(prior_signature, payload, encoder)
-        # CRT does not currently provide event stream signing
-        # use the Ruby implementation
-        creds = @credentials_provider.credentials
-        time = Time.now
-        headers = {}
+      # Note:
+      #   converting signature from binary string to hex-encoded
+      #   string is handled at #sign_event instead. (Will be used
+      #   as next prior signature for event signing)
+      def event_signature(secret_access_key, date, string_to_sign)
+        k_date = hmac("AWS4" + secret_access_key, date)
+        k_region = hmac(k_date, @region)
+        k_service = hmac(k_region, @service)
+        k_credentials = hmac(k_service, 'aws4_request')
+        hmac(k_credentials, string_to_sign)
+      end
 
-        datetime = time.utc.strftime("%Y%m%dT%H%M%SZ")
-        date = datetime[0,8]
-        headers[':date'] = Aws::EventStream::HeaderValue.new(value: time.to_i * 1000, type: 'timestamp')
 
-        sts = event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
-        sig = event_signature(creds.secret_access_key, date, sts)
+      def path(url)
+        path = url.path
+        path = '/' if path == ''
+        if @uri_escape_path
+          uri_escape_path(path)
+        else
+          path
+        end
+      end
 
-        headers[':chunk-signature'] = Aws::EventStream::HeaderValue.new(value: sig, type: 'bytes')
+      def normalized_querystring(querystring)
+        params = querystring.split('&')
+        params = params.map { |p| p.match(/=/) ? p : p + '=' }
+        # From: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+        # Sort the parameter names by character code point in ascending order.
+        # Parameters with duplicate names should be sorted by value.
+        #
+        # Default sort <=> in JRuby will swap members
+        # occasionally when <=> is 0 (considered still sorted), but this
+        # causes our normalized query string to not match the sent querystring.
+        # When names match, we then sort by their values.  When values also
+        # match then we sort by their original order
+        params.each.with_index.sort do |a, b|
+          a, a_offset = a
+          b, b_offset = b
+          a_name, a_value = a.split('=')
+          b_name, b_value = b.split('=')
+          if a_name == b_name
+            if a_value == b_value
+              a_offset <=> b_offset
+            else
+              a_value <=> b_value
+            end
+          else
+            a_name <=> b_name
+          end
+        end.map(&:first).join('&')
+      end
 
-        # Returning signed headers and signature value in hex-encoded string
-        [headers, sig.unpack('H*').first]
+      def signed_headers(headers)
+        headers.inject([]) do |signed_headers, (header, _)|
+          if @unsigned_headers.include?(header)
+            signed_headers
+          else
+            signed_headers << header
+          end
+        end.sort.join(';')
       end
 
-      private
+      def canonical_headers(headers)
+        headers = headers.inject([]) do |hdrs, (k,v)|
+          if @unsigned_headers.include?(k)
+            hdrs
+          else
+            hdrs << [k,v]
+          end
+        end
+        headers = headers.sort_by(&:first)
+        headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n")
+      end
+
+      def canonical_header_value(value)
+        value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip
+      end
+
+      def host(uri)
+        # Handles known and unknown URI schemes; default_port nil when unknown.
+        if uri.default_port == uri.port
+          uri.host
+        else
+          "#{uri.host}:#{uri.port}"
+        end
+      end
+
+      # @param [File, Tempfile, IO#read, String] value
+      # @return [String<SHA256 Hexdigest>]
+      def sha256_hexdigest(value)
+        if (File === value || Tempfile === value) && !value.path.nil? && File.exist?(value.path)
+          OpenSSL::Digest::SHA256.file(value).hexdigest
+        elsif value.respond_to?(:read)
+          sha256 = OpenSSL::Digest::SHA256.new
+          loop do
+            chunk = value.read(1024 * 1024) # 1MB
+            break unless chunk
+            sha256.update(chunk)
+          end
+          value.rewind
+          sha256.hexdigest
+        else
+          OpenSSL::Digest::SHA256.hexdigest(value)
+        end
+      end
+
+      def hmac(key, value)
+        OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value)
+      end
+
+      def hexhmac(key, value)
+        OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value)
+      end
 
       def extract_service(options)
         if options[:service]
           options[:service]
         else
-          msg = 'missing required option :service'
+          msg = "missing required option :service"
           raise ArgumentError, msg
         end
       end
 
       def extract_region(options)
-        options[:region] || raise(Errors::MissingRegionError)
+        if options[:region]
+          options[:region]
+        else
+          raise Errors::MissingRegionError
+        end
       end
 
       def extract_credentials_provider(options)
@@ -405,22 +647,11 @@ module Aws
         end
       end
 
-      # the credentials used by CRT must be a
-      # CRT StaticCredentialsProvider object
-      def fetch_credentials
-        credentials = @credentials_provider.credentials
-        Aws::Crt::Auth::StaticCredentialsProvider.new(
-          credentials.access_key_id,
-          credentials.secret_access_key,
-          credentials.session_token
-        )
-      end
-
       def extract_http_method(request)
         if request[:http_method]
           request[:http_method].upcase
         else
-          msg = 'missing required option :http_method'
+          msg = "missing required option :http_method"
           raise ArgumentError, msg
         end
       end
@@ -429,101 +660,187 @@ module Aws
         if request[:url]
           URI.parse(request[:url].to_s)
         else
-          msg = 'missing required option :url'
+          msg = "missing required option :url"
           raise ArgumentError, msg
         end
       end
 
       def downcase_headers(headers)
-        (headers || {}).to_hash.transform_keys(&:downcase)
+        (headers || {}).to_hash.inject({}) do |hash, (key, value)|
+          hash[key.downcase] = value
+          hash
+        end
       end
 
-      # @param [File, Tempfile, IO#read, String] value
-      # @return [String<SHA256 Hexdigest>]
-      def sha256_hexdigest(value)
-        if (value.is_a?(File) || value.is_a?(Tempfile)) && !value.path.nil? && File.exist?(value.path)
-          OpenSSL::Digest::SHA256.file(value).hexdigest
-        elsif value.respond_to?(:read)
-          sha256 = OpenSSL::Digest.new('SHA256')
-          loop do
-            chunk = value.read(1024 * 1024) # 1MB
-            break unless chunk
-
-            sha256.update(chunk)
-          end
-          value.rewind
-          sha256.hexdigest
+      def extract_expires_in(options)
+        case options[:expires_in]
+        when nil then 900.to_s
+        when Integer then options[:expires_in].to_s
         else
-          OpenSSL::Digest::SHA256.hexdigest(value)
+          msg = "expected :expires_in to be a number of seconds"
+          raise ArgumentError, msg
         end
       end
 
-      def host(uri)
-        # Handles known and unknown URI schemes; default_port nil when unknown.
-        if uri.default_port == uri.port
-          uri.host
+      def uri_escape(string)
+        self.class.uri_escape(string)
+      end
+
+      def uri_escape_path(string)
+        self.class.uri_escape_path(string)
+      end
+
+
+      def fetch_credentials
+        credentials = @credentials_provider.credentials
+        if credentials_set?(credentials)
+          credentials
         else
-          "#{uri.host}:#{uri.port}"
+          raise Errors::MissingCredentialsError,
+          'unable to sign request without credentials set'
         end
       end
 
-      # Used only for event signing
-      def credential_scope(date)
-        [
-          date,
-          @region,
-          @service,
-          'aws4_request',
-        ].join('/')
+      # Returns true if credentials are set (not nil or empty)
+      # Credentials may not implement the Credentials interface
+      # and may just be credential like Client response objects
+      # (eg those returned by sts#assume_role)
+      def credentials_set?(credentials)
+        !credentials.access_key_id.nil? &&
+          !credentials.access_key_id.empty? &&
+          !credentials.secret_access_key.nil? &&
+          !credentials.secret_access_key.empty?
       end
 
-      # Used only for event signing
-      def hmac(key, value)
-        OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value)
+      ### CRT Code
+
+      # the credentials used by CRT must be a
+      # CRT StaticCredentialsProvider object
+      def crt_fetch_credentials
+        creds = fetch_credentials
+        Aws::Crt::Auth::StaticCredentialsProvider.new(
+          creds.access_key_id,
+          creds.secret_access_key,
+          creds.session_token
+        )
       end
 
-      # Compared to original #string_to_sign at signature v4 algorithm
-      # there is no canonical_request concept for an eventstream event,
-      # instead, an event contains headers and payload two parts, and
-      # they will be used for computing digest in #event_string_to_sign
-      #
-      # Note:
-      #   While headers need to be encoded under eventstream format,
-      #   payload used is already eventstream encoded (event without signature),
-      #   thus no extra encoding is needed.
-      def event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
-        encoded_headers = encoder.encode_headers(
-          Aws::EventStream::Message.new(headers: headers, payload: payload)
+      def crt_sign_request(request)
+        creds = crt_fetch_credentials
+        http_method = extract_http_method(request)
+        url = extract_url(request)
+        headers = downcase_headers(request[:headers])
+
+        datetime =
+          if headers.include? 'x-amz-date'
+            Time.parse(headers.delete('x-amz-date'))
+          end
+
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= sha256_hexdigest(request[:body] || '')
+
+        sigv4_headers = {}
+        sigv4_headers['host'] = headers['host'] || host(url)
+
+        # Modify the user-agent to add usage of crt-signer
+        # This should be temporary during developer preview only
+        if headers.include? 'user-agent'
+          headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
+          sigv4_headers['user-agent'] = headers['user-agent']
+        end
+
+        headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
+
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_headers,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
+
+        Signature.new(
+          headers: sigv4_headers.merge(
+            downcase_headers(signing_result[:headers])
+          ),
+          string_to_sign: 'CRT_INTERNAL',
+          canonical_request: 'CRT_INTERNAL',
+          content_sha256: content_sha256,
+          extra: {config: config, signable: signable}
         )
-        [
-          "AWS4-HMAC-SHA256-PAYLOAD",
-          datetime,
-          credential_scope(datetime[0,8]),
-          prior_signature,
-          sha256_hexdigest(encoded_headers),
-          sha256_hexdigest(payload)
-        ].join("\n")
       end
 
-      # Comparing to original signature v4 algorithm,
-      # returned signature is a binary string instread of
-      # hex-encoded string. (Since ':chunk-signature' requires
-      # 'bytes' type)
-      #
-      # Note:
-      #   converting signature from binary string to hex-encoded
-      #   string is handled at #sign_event instead. (Will be used
-      #   as next prior signature for event signing)
-      def event_signature(secret_access_key, date, string_to_sign)
-        k_date = hmac("AWS4" + secret_access_key, date)
-        k_region = hmac(k_date, @region)
-        k_service = hmac(k_region, @service)
-        k_credentials = hmac(k_service, 'aws4_request')
-        hmac(k_credentials, string_to_sign)
+      def crt_presign_url(options)
+        creds = crt_fetch_credentials
+
+        http_method = extract_http_method(options)
+        url = extract_url(options)
+        headers = downcase_headers(options[:headers])
+        headers['host'] ||= host(url)
+
+        datetime = headers.delete('x-amz-date')
+        datetime ||= (options[:time] || Time.now)
+
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= options[:body_digest]
+        content_sha256 ||= sha256_hexdigest(options[:body] || '')
+
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_query_params,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token,
+          expiration_in_seconds: options.fetch(:expires_in, 900)
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
+        url = URI.parse(signing_result[:path])
+
+        if options[:extra] && options[:extra].is_a?(Hash)
+          options[:extra][:config] = config
+          options[:extra][:signable] = signable
+        end
+        url
       end
 
       class << self
 
+        def use_crt?
+          begin
+            require 'aws-crt'
+            return true
+          rescue LoadError
+            return false
+          end
+        end
+
         # @api private
         def uri_escape_path(path)
           path.gsub(/[^\/]+/) { |part| uri_escape(part) }
@@ -537,8 +854,8 @@ module Aws
             CGI.escape(string.encode('UTF-8')).gsub('+', '%20').gsub('%7E', '~')
           end
         end
+
       end
     end
   end
 end
-

data/lib/aws-sigv4.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'aws-crt'
 require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'

metadata

@@ -1,29 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.4.1.crt
+  version: 1.5.0
 platform: ruby
 authors:
 - Amazon Web Services
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-09-02 00:00:00.000000000 Z
+date: 2022-04-20 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: aws-crt
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: aws-eventstream
   requirement: !ruby/object:Gem::Requirement
@@ -44,22 +30,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.2
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-description: Amazon Web Services signing library. Generates signatures for HTTP requests
-email:
+description: Amazon Web Services Signature Version 4 signing library. Generates sigv4
+  signature for HTTP requests.
+email: 
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -70,13 +43,16 @@ files:
 - lib/aws-sigv4.rb
 - lib/aws-sigv4/credentials.rb
 - lib/aws-sigv4/errors.rb
+- lib/aws-sigv4/request.rb
 - lib/aws-sigv4/signature.rb
 - lib/aws-sigv4/signer.rb
-homepage: https://github.com/awslabs/aws-crt-ruby
+homepage: https://github.com/aws/aws-sdk-ruby
 licenses:
 - Apache-2.0
-metadata: {}
-post_install_message:
+metadata:
+  source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4
+  changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4/CHANGELOG.md
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -84,15 +60,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.5'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.2.7
-signing_key:
+rubygems_version: 3.1.6
+signing_key: 
 specification_version: 4
-summary: AWS SDK for Ruby - Common Runtime (CRT) based Signer
+summary: AWS Signature Version 4 library.
 test_files: []