aws-sigv4 1.5.2 → 1.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 33cb09610570a5aefa4e83ab34277756201d8f1e50197bfe343fc49cce668672
-  data.tar.gz: 4d070f7cf41c0a77b69e7ca6cc80c2fb7a8111eb3640819fb01ee6602027b5d9
+  metadata.gz: 2f65828f524fd8437e342204ac5a7ae1deff92dfcfae2affbd636ceef0a1cb4d
+  data.tar.gz: 260bf03de93d779a544226ef512e958a3a6256bb189918be7a63c5c4bf58395f
 SHA512:
-  metadata.gz: ddb8c5fc04288a396501afb0cd74907232ac78a2ca5e3bbb4c0879c27c15d72c19e30b9ddcaf5b8fe536e8b04d4ccc3c98eee74f27f92b594058a54b29edf704
-  data.tar.gz: 283afcb61ae4b06a68b5a644a529b560864b82f0e69c107a8c059c04b9b6448421ac93015c483aae1bdf77bed41cb3088942c1e18dc26fc4b569aa7fde65f563
+  metadata.gz: 456725f9d6b39c36030e321854d1ef6361e504fb0af829fd95427cbf9762aba52be46f178f32db3ba332598b525ac9bbb287a19ade98b23892ff2d7613e3aca4
+  data.tar.gz: 80301bb28c264d5a73984e7b1ec3423b26daca0451996f47a21219d1d8dd615889c701678b9551cf3f724a6a6ab59c623fe71a89b62c9f54ff9dc38b849e058d

data/CHANGELOG.md

@@ -1,6 +1,56 @@
 Unreleased Changes
 ------------------
 
+1.12.0 (2025-06-02)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.5 and 2.6.
+
+1.11.0 (2025-01-10)
+------------------
+
+* Feature - Add RBS signature files to support static type checking
+
+1.10.1 (2024-10-21)
+------------------
+
+* Issue - Fix sigv4a signing issue with derive_asymmetric_key for certain credentials.
+
+1.10.0 (2024-09-17)
+------------------
+
+* Feature - Remove CRT `sigv4a` signing capability.
+
+1.9.1 (2024-07-29)
+------------------
+
+* Issue - Add missing require of `pathname` to `Signer`.
+
+1.9.0 (2024-07-23)
+------------------
+
+* Feature - Support `sigv4a` signing algorithm without `aws-crt`.
+
+1.8.0 (2023-11-28)
+------------------
+
+* Feature - Support `sigv4-s3express` signing algorithm.
+
+1.7.0 (2023-11-22)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
+
+1.6.1 (2023-10-25)
+------------------
+
+* Issue - (Static Stability) use provided `expires_in` in presigned url when credentials are expired.
+
+1.6.0 (2023-06-28)
+------------------
+
+* Feature - Select the minimum expiration time for presigned urls between the expiration time option and the credential expiration time.
+
 1.5.2 (2022-09-30)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.5.2
+1.12.0

data/lib/aws-sigv4/asymmetric_credentials.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module Aws
+  module Sigv4
+    # To make it easier to support mixed mode, we have created an asymmetric
+    # key derivation mechanism. This module derives
+    # asymmetric keys from the current secret for use with
+    # Asymmetric signatures.
+    # @api private
+    module AsymmetricCredentials
+
+      N_MINUS_2 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 - 2
+
+      # @return [OpenSSL::PKey::EC, Hash]
+      def self.derive_asymmetric_key(access_key_id, secret_access_key)
+        check_openssl_support!
+        label = 'AWS4-ECDSA-P256-SHA256'
+        bit_len = 256
+        counter = 0x1
+        input_key = "AWS4A#{secret_access_key}"
+        d = 0 # d will end up being the private key
+        while true do
+
+          kdf_context = access_key_id.unpack('C*') + [counter].pack('C').unpack('C') #1 byte for counter
+          input = label.unpack('C*') + [0x00] + kdf_context + [bit_len].pack('L>').unpack('CCCC') # 4 bytes (change endianess)
+          k0 = OpenSSL::HMAC.digest("SHA256", input_key, ([0, 0, 0, 0x01] + input).pack('C*'))
+          c = be_bytes_to_num( k0.unpack('C*') )
+          if c <= N_MINUS_2
+            d = c + 1
+            break
+          elsif counter > 0xFF
+            raise 'Counter exceeded 1 byte - unable to get asym creds'
+          else
+            counter += 1
+          end
+        end
+
+        # compute the public key
+        group = OpenSSL::PKey::EC::Group.new('prime256v1')
+        public_key = group.generator.mul(d)
+
+        ec = generate_ec(public_key, d)
+
+        # pk_x and pk_y are not needed for signature, but useful in verification/testing
+        pk_b = public_key.to_octet_string(:uncompressed).unpack('C*') # 0x04 byte followed by 2 32-byte integers
+        pk_x = be_bytes_to_num(pk_b[1,32])
+        pk_y = be_bytes_to_num(pk_b[33,32])
+        [ec, {ec: ec, public_key: public_key, pk_x: pk_x, pk_y: pk_y, d: d}]
+      end
+
+      private
+
+      # @return [Number] The value of the bytes interpreted as a big-endian
+      # unsigned integer.
+      def self.be_bytes_to_num(bytes)
+        x = 0
+        bytes.each { |b| x = (x*256) + b }
+        x
+      end
+
+      # @return [Array] value of the BigNumber as a big-endian unsigned byte array.
+      def self.bn_to_be_bytes(bn)
+        bytes = []
+        while bn > 0
+          bytes << (bn & 0xff)
+          bn = bn >> 8
+        end
+        bytes.reverse
+      end
+
+      # Prior to openssl3 we could directly set public and private key on EC
+      # However, openssl3 deprecated those methods and we must now construct
+      # a der with the keys and load the EC from it.
+      def self.generate_ec(public_key, d)
+        # format reversed from: OpenSSL::ASN1.decode_all(OpenSSL::PKey::EC.new.to_der)
+        asn1 = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(OpenSSL::BN.new(1)),
+          OpenSSL::ASN1::OctetString(bn_to_be_bytes(d).pack('C*')),
+          OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::ObjectId("prime256v1")], 0, :CONTEXT_SPECIFIC),
+          OpenSSL::ASN1::ASN1Data.new(
+            [OpenSSL::ASN1::BitString(public_key.to_octet_string(:uncompressed))],
+            1, :CONTEXT_SPECIFIC
+          )
+        ])
+        OpenSSL::PKey::EC.new(asn1.to_der)
+      end
+
+      def self.check_openssl_support!
+        return true unless defined?(JRUBY_VERSION)
+
+        # See: https://github.com/jruby/jruby-openssl/issues/306
+        # JRuby-openssl < 0.15 does not support OpenSSL::PKey::EC::Point#mul
+        return true if OpenSSL::PKey::EC::Point.instance_methods.include?(:mul)
+
+        raise 'Sigv4a Asymmetric Credential derivation requires jruby-openssl >= 0.15'
+      end
+    end
+  end
+end

data/lib/aws-sigv4/request.rb

@@ -7,7 +7,7 @@ module Aws
     class Request
 
       # @option options [required, String] :http_method
-      # @option options [required, HTTP::URI, HTTPS::URI, String] :endpoint
+      # @option options [required, String, URI::HTTP, URI::HTTPS] :endpoint
       # @option options [Hash<String,String>] :headers ({})
       # @option options [String, IO] :body ('')
       def initialize(options = {})
@@ -30,12 +30,12 @@ module Aws
         @http_method
       end
 
-      # @param [String, HTTP::URI, HTTPS::URI] endpoint
+      # @param [String, URI::HTTP, URI::HTTPS] endpoint
       def endpoint=(endpoint)
         @endpoint = URI.parse(endpoint.to_s)
       end
 
-      # @return [HTTP::URI, HTTPS::URI]
+      # @return [URI::HTTP, URI::HTTPS]
       def endpoint
         @endpoint
       end

data/lib/aws-sigv4/signature.rb

@@ -32,6 +32,9 @@ module Aws
       # @return [String] For debugging purposes.
       attr_accessor :content_sha256
 
+      # @return [String] For debugging purposes.
+      attr_accessor :signature
+
       # @return [Hash] Internal data for debugging purposes.
       attr_accessor :extra
     end

data/lib/aws-sigv4/signer.rb

@@ -6,6 +6,7 @@ require 'time'
 require 'uri'
 require 'set'
 require 'cgi'
+require 'pathname'
 require 'aws-eventstream'
 
 module Aws
@@ -73,25 +74,18 @@ module Aws
     # and `#session_token`.
     #
     class Signer
-
-      @@use_crt =
-        begin
-          require 'aws-crt'
-          true
-        rescue LoadError
-          false
-        end
-
       # @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
-      #   @param [String] :region The region name, e.g. 'us-east-1'.
+      #   @param [String] :region The region name, e.g. 'us-east-1'. When signing
+      #    with sigv4a, this should be a comma separated list of regions.
       #   @param [String] :access_key_id
       #   @param [String] :secret_access_key
       #   @param [String] :session_token (nil)
       #
       # @overload initialize(service:, region:, credentials:, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
-      #   @param [String] :region The region name, e.g. 'us-east-1'.
+      #   @param [String] :region The region name, e.g. 'us-east-1'. When signing
+      #    with sigv4a, this should be a comma separated list of regions.
       #   @param [Credentials] :credentials Any object that responds to the following
       #     methods:
       #
@@ -102,7 +96,8 @@ module Aws
       #
       # @overload initialize(service:, region:, credentials_provider:, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
-      #   @param [String] :region The region name, e.g. 'us-east-1'.
+      #   @param [String] :region The region name, e.g. 'us-east-1'. When signing
+      #    with sigv4a, this should be a comma separated list of regions.
       #   @param [#credentials] :credentials_provider An object that responds
       #     to `#credentials`, returning an object that responds to the following
       #     methods:
@@ -127,8 +122,7 @@ module Aws
       #   every other AWS service as of late 2016.
       #
       # @option options [Symbol] :signing_algorithm (:sigv4) The
-      #   algorithm to use for signing.  :sigv4a is only supported when
-      #   `aws-crt` is available.
+      #   algorithm to use for signing.
       #
       # @option options [Boolean] :omit_session_token (false)
       #   (Supported only when `aws-crt` is available) If `true`,
@@ -136,8 +130,8 @@ module Aws
       #   but is treated as "unsigned" and does not contribute
       #   to the authorization signature.
       #
-      # @option options [Boolean] :normalize_path (true) (Supported only when `aws-crt` is available)
-      #   When `true`, the uri paths will be normalized when building the canonical request
+      # @option options [Boolean] :normalize_path (true) When `true`, the
+      #   uri paths will be normalized when building the canonical request.
       def initialize(options = {})
         @service = extract_service(options)
         @region = extract_region(options)
@@ -151,12 +145,6 @@ module Aws
         @signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
         @normalize_path = options.fetch(:normalize_path, true)
         @omit_session_token = options.fetch(:omit_session_token, false)
-
-        if @signing_algorithm == :sigv4a && !Signer.use_crt?
-          raise ArgumentError, 'You are attempting to sign a' \
-' request with sigv4a which requires the `aws-crt` gem.'\
-' Please install the gem or add it to your gemfile.'
-        end
       end
 
       # @return [String]
@@ -217,7 +205,7 @@ module Aws
       # @option request [required, String] :http_method One of
       #   'GET', 'HEAD', 'PUT', 'POST', 'PATCH', or 'DELETE'
       #
-      # @option request [required, String, URI::HTTPS, URI::HTTP] :url
+      # @option request [required, String, URI::HTTP, URI::HTTPS] :url
       #   The request URI. Must be a valid HTTP or HTTPS URI.
       #
       # @option request [optional, Hash] :headers ({}) A hash of headers
@@ -232,13 +220,11 @@ module Aws
       #   a `#headers` method. The headers must be applied to your request.
       #
       def sign_request(request)
-
-        return crt_sign_request(request) if Signer.use_crt?
-
-        creds = fetch_credentials
+        creds, _ = fetch_credentials
 
         http_method = extract_http_method(request)
         url = extract_url(request)
+        Signer.normalize_path(url) if @normalize_path
         headers = downcase_headers(request[:headers])
 
         datetime = headers['x-amz-date']
@@ -251,29 +237,55 @@ module Aws
         sigv4_headers = {}
         sigv4_headers['host'] = headers['host'] || host(url)
         sigv4_headers['x-amz-date'] = datetime
-        sigv4_headers['x-amz-security-token'] = creds.session_token if creds.session_token
+        if creds.session_token && !@omit_session_token
+          if @signing_algorithm == 'sigv4-s3express'.to_sym
+            sigv4_headers['x-amz-s3session-token'] = creds.session_token
+          else
+            sigv4_headers['x-amz-security-token'] = creds.session_token
+          end
+        end
+
         sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
 
+        if @signing_algorithm == :sigv4a && @region && !@region.empty?
+          sigv4_headers['x-amz-region-set'] = @region
+        end
         headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
 
+        algorithm = sts_algorithm
+
         # compute signature parts
         creq = canonical_request(http_method, url, headers, content_sha256)
-        sts = string_to_sign(datetime, creq)
-        sig = signature(creds.secret_access_key, date, sts)
+        sts = string_to_sign(datetime, creq, algorithm)
+
+        sig =
+          if @signing_algorithm == :sigv4a
+            asymmetric_signature(creds, sts)
+          else
+            signature(creds.secret_access_key, date, sts)
+          end
+
+        algorithm = sts_algorithm
 
         # apply signature
         sigv4_headers['authorization'] = [
-          "AWS4-HMAC-SHA256 Credential=#{credential(creds, date)}",
+          "#{algorithm} Credential=#{credential(creds, date)}",
           "SignedHeaders=#{signed_headers(headers)}",
           "Signature=#{sig}",
         ].join(', ')
 
+        # skip signing the session token, but include it in the headers
+        if creds.session_token && @omit_session_token
+          sigv4_headers['x-amz-security-token'] = creds.session_token
+        end
+
         # Returning the signature components.
         Signature.new(
           headers: sigv4_headers,
           string_to_sign: sts,
           canonical_request: creq,
-          content_sha256: content_sha256
+          content_sha256: content_sha256,
+          signature: sig
         )
       end
 
@@ -313,8 +325,7 @@ module Aws
       #   signature value (a binary string) used at ':chunk-signature' needs to converted to
       #   hex-encoded string using #unpack
       def sign_event(prior_signature, payload, encoder)
-        # Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
-        creds = fetch_credentials
+        creds, _ = fetch_credentials
         time = Time.now
         headers = {}
 
@@ -372,7 +383,7 @@ module Aws
       # @option options [required, String] :http_method The HTTP request method,
       #   e.g. 'GET', 'HEAD', 'PUT', 'POST', 'PATCH', or 'DELETE'.
       #
-      # @option options [required, String, HTTPS::URI, HTTP::URI] :url
+      # @option options [required, String, URI::HTTP, URI::HTTPS] :url
       #   The URI to sign.
       #
       # @option options [Hash] :headers ({}) Headers that should
@@ -400,13 +411,11 @@ module Aws
       # @return [HTTPS::URI, HTTP::URI]
       #
       def presign_url(options)
-
-        return crt_presign_url(options) if Signer.use_crt?
-
-        creds = fetch_credentials
+        creds, expiration = fetch_credentials
 
         http_method = extract_http_method(options)
         url = extract_url(options)
+        Signer.normalize_path(url) if @normalize_path
 
         headers = downcase_headers(options[:headers])
         headers['host'] ||= host(url)
@@ -419,14 +428,26 @@ module Aws
         content_sha256 ||= options[:body_digest]
         content_sha256 ||= sha256_hexdigest(options[:body] || '')
 
+        algorithm = sts_algorithm
+
         params = {}
-        params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
+        params['X-Amz-Algorithm'] = algorithm
         params['X-Amz-Credential'] = credential(creds, date)
         params['X-Amz-Date'] = datetime
-        params['X-Amz-Expires'] = extract_expires_in(options)
-        params['X-Amz-Security-Token'] = creds.session_token if creds.session_token
+        params['X-Amz-Expires'] = presigned_url_expiration(options, expiration, Time.strptime(datetime, "%Y%m%dT%H%M%S%Z")).to_s
+        if creds.session_token
+          if @signing_algorithm == 'sigv4-s3express'.to_sym
+            params['X-Amz-S3session-Token'] = creds.session_token
+          else
+            params['X-Amz-Security-Token'] = creds.session_token
+          end
+        end
         params['X-Amz-SignedHeaders'] = signed_headers(headers)
 
+        if @signing_algorithm == :sigv4a && @region
+          params['X-Amz-Region-Set'] = @region
+        end
+
         params = params.map do |key, value|
           "#{uri_escape(key)}=#{uri_escape(value)}"
         end.join('&')
@@ -438,13 +459,23 @@ module Aws
         end
 
         creq = canonical_request(http_method, url, headers, content_sha256)
-        sts = string_to_sign(datetime, creq)
-        url.query += '&X-Amz-Signature=' + signature(creds.secret_access_key, date, sts)
+        sts = string_to_sign(datetime, creq, algorithm)
+        signature =
+          if @signing_algorithm == :sigv4a
+            asymmetric_signature(creds, sts)
+          else
+            signature(creds.secret_access_key, date, sts)
+          end
+        url.query += '&X-Amz-Signature=' + signature
         url
       end
 
       private
 
+      def sts_algorithm
+        @signing_algorithm == :sigv4a ? 'AWS4-ECDSA-P256-SHA256' : 'AWS4-HMAC-SHA256'
+      end
+
       def canonical_request(http_method, url, headers, content_sha256)
         [
           http_method,
@@ -456,9 +487,9 @@ module Aws
         ].join("\n")
       end
 
-      def string_to_sign(datetime, canonical_request)
+      def string_to_sign(datetime, canonical_request, algorithm)
         [
-          'AWS4-HMAC-SHA256',
+          algorithm,
           datetime,
           credential_scope(datetime[0,8]),
           sha256_hexdigest(canonical_request),
@@ -491,10 +522,10 @@ module Aws
       def credential_scope(date)
         [
           date,
-          @region,
+          (@region unless @signing_algorithm == :sigv4a),
           @service,
-          'aws4_request',
-        ].join('/')
+          'aws4_request'
+        ].compact.join('/')
       end
 
       def credential(credentials, date)
@@ -509,6 +540,16 @@ module Aws
         hexhmac(k_credentials, string_to_sign)
       end
 
+      def asymmetric_signature(creds, string_to_sign)
+        ec, _ = Aws::Sigv4::AsymmetricCredentials.derive_asymmetric_key(
+          creds.access_key_id, creds.secret_access_key
+        )
+        sts_digest = OpenSSL::Digest::SHA256.digest(string_to_sign)
+        s = ec.dsa_sign_asn1(sts_digest)
+
+        Digest.hexencode(s)
+      end
+
       # Comparing to original signature v4 algorithm,
       # returned signature is a binary string instread of
       # hex-encoded string. (Since ':chunk-signature' requires
@@ -526,7 +567,6 @@ module Aws
         hmac(k_credentials, string_to_sign)
       end
 
-
       def path(url)
         path = url.path
         path = '/' if path == ''
@@ -682,8 +722,8 @@ module Aws
 
       def extract_expires_in(options)
         case options[:expires_in]
-        when nil then 900.to_s
-        when Integer then options[:expires_in].to_s
+        when nil then 900
+        when Integer then options[:expires_in]
         else
           msg = "expected :expires_in to be a number of seconds"
           raise ArgumentError, msg
@@ -698,11 +738,14 @@ module Aws
         self.class.uri_escape_path(string)
       end
 
-
       def fetch_credentials
         credentials = @credentials_provider.credentials
         if credentials_set?(credentials)
-          credentials
+          expiration = nil
+          if @credentials_provider.respond_to?(:expiration)
+            expiration = @credentials_provider.expiration
+          end
+          [credentials, expiration]
         else
           raise Errors::MissingCredentialsError,
           'unable to sign request without credentials set'
@@ -720,128 +763,27 @@ module Aws
           !credentials.secret_access_key.empty?
       end
 
-      ### CRT Code
+      def presigned_url_expiration(options, expiration, datetime)
+        expires_in = extract_expires_in(options)
+        return expires_in unless expiration
 
-      # the credentials used by CRT must be a
-      # CRT StaticCredentialsProvider object
-      def crt_fetch_credentials
-        creds = fetch_credentials
-        Aws::Crt::Auth::StaticCredentialsProvider.new(
-          creds.access_key_id,
-          creds.secret_access_key,
-          creds.session_token
-        )
-      end
-
-      def crt_sign_request(request)
-        creds = crt_fetch_credentials
-        http_method = extract_http_method(request)
-        url = extract_url(request)
-        headers = downcase_headers(request[:headers])
-
-        datetime =
-          if headers.include? 'x-amz-date'
-            Time.parse(headers.delete('x-amz-date'))
-          end
-
-        content_sha256 = headers.delete('x-amz-content-sha256')
-        content_sha256 ||= sha256_hexdigest(request[:body] || '')
-
-        sigv4_headers = {}
-        sigv4_headers['host'] = headers['host'] || host(url)
-
-        # Modify the user-agent to add usage of crt-signer
-        # This should be temporary during developer preview only
-        if headers.include? 'user-agent'
-          headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
-          sigv4_headers['user-agent'] = headers['user-agent']
-        end
-
-        headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
-
-        config = Aws::Crt::Auth::SigningConfig.new(
-          algorithm: @signing_algorithm,
-          signature_type: :http_request_headers,
-          region: @region,
-          service: @service,
-          date: datetime,
-          signed_body_value: content_sha256,
-          signed_body_header_type: @apply_checksum_header ?
-                                     :sbht_content_sha256 : :sbht_none,
-          credentials: creds,
-          unsigned_headers: @unsigned_headers,
-          use_double_uri_encode: @uri_escape_path,
-          should_normalize_uri_path: @normalize_path,
-          omit_session_token: @omit_session_token
-        )
-        http_request = Aws::Crt::Http::Message.new(
-          http_method, url.to_s, headers
-        )
-        signable = Aws::Crt::Auth::Signable.new(http_request)
-
-        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
-
-        Signature.new(
-          headers: sigv4_headers.merge(
-            downcase_headers(signing_result[:headers])
-          ),
-          string_to_sign: 'CRT_INTERNAL',
-          canonical_request: 'CRT_INTERNAL',
-          content_sha256: content_sha256,
-          extra: {config: config, signable: signable}
-        )
-      end
-
-      def crt_presign_url(options)
-        creds = crt_fetch_credentials
-
-        http_method = extract_http_method(options)
-        url = extract_url(options)
-        headers = downcase_headers(options[:headers])
-        headers['host'] ||= host(url)
-
-        datetime = headers.delete('x-amz-date')
-        datetime ||= (options[:time] || Time.now)
-
-        content_sha256 = headers.delete('x-amz-content-sha256')
-        content_sha256 ||= options[:body_digest]
-        content_sha256 ||= sha256_hexdigest(options[:body] || '')
-
-        config = Aws::Crt::Auth::SigningConfig.new(
-          algorithm: @signing_algorithm,
-          signature_type: :http_request_query_params,
-          region: @region,
-          service: @service,
-          date: datetime,
-          signed_body_value: content_sha256,
-          signed_body_header_type: @apply_checksum_header ?
-                                     :sbht_content_sha256 : :sbht_none,
-          credentials: creds,
-          unsigned_headers: @unsigned_headers,
-          use_double_uri_encode: @uri_escape_path,
-          should_normalize_uri_path: @normalize_path,
-          omit_session_token: @omit_session_token,
-          expiration_in_seconds: options.fetch(:expires_in, 900)
-        )
-        http_request = Aws::Crt::Http::Message.new(
-          http_method, url.to_s, headers
-        )
-        signable = Aws::Crt::Auth::Signable.new(http_request)
-
-        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
-        url = URI.parse(signing_result[:path])
-
-        if options[:extra] && options[:extra].is_a?(Hash)
-          options[:extra][:config] = config
-          options[:extra][:signable] = signable
+        expiration_seconds = (expiration - datetime).to_i
+        # In the static stability case, credentials may expire in the past
+        # but still be valid.  For those cases, use the user configured
+        # expires_in and ingore expiration.
+        if expiration_seconds <= 0
+          expires_in
+        else
+          [expires_in, expiration_seconds].min
         end
-        url
       end
 
       class << self
 
+        # Kept for backwards compatability
+        # Always return false since we are not using crt signing functionality
         def use_crt?
-          @@use_crt
+          false
         end
 
         # @api private
@@ -858,6 +800,18 @@ module Aws
           end
         end
 
+        # @api private
+        def normalize_path(uri)
+          normalized_path = Pathname.new(uri.path).cleanpath.to_s
+          # Pathname is probably not correct to use. Empty paths will
+          # resolve to "." and should be disregarded
+          normalized_path = '' if normalized_path == '.'
+          # Ensure trailing slashes are correctly preserved
+          if uri.path.end_with?('/') && !normalized_path.end_with?('/')
+            normalized_path << '/'
+          end
+          uri.path = normalized_path
+        end
       end
     end
   end

data/lib/aws-sigv4.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'aws-sigv4/asymmetric_credentials'
 require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.5.2
+  version: 1.12.0
 platform: ruby
 authors:
 - Amazon Web Services
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-09-30 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-eventstream
@@ -32,7 +31,6 @@ dependencies:
         version: 1.0.2
 description: Amazon Web Services Signature Version 4 signing library. Generates sigv4
   signature for HTTP requests.
-email: 
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -41,6 +39,7 @@ files:
 - LICENSE.txt
 - VERSION
 - lib/aws-sigv4.rb
+- lib/aws-sigv4/asymmetric_credentials.rb
 - lib/aws-sigv4/credentials.rb
 - lib/aws-sigv4/errors.rb
 - lib/aws-sigv4/request.rb
@@ -52,7 +51,6 @@ licenses:
 metadata:
   source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4
   changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4/CHANGELOG.md
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -60,15 +58,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.6.7
 specification_version: 4
 summary: AWS Signature Version 4 library.
 test_files: []