Skip to content

V4a async payload signing #6475

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: feature/master/sra-async-chunked-encoding
Choose a base branch
from
Draft

V4a async payload signing #6475

wants to merge 1 commit into from

Conversation

dagnir
Copy link
Contributor

@dagnir dagnir commented Oct 14, 2025
edited
Loading

Motivation and Context

This PR adds support for async payload signing in the V4a signer. Note an important difference to the V4 implementation: This supports the fallback to signing the payload when the request is sent over http. This is because calling the signAsync() method previously always threw UnsupportedOperationException, so there is no risk of performance regression for existing users.

Modifications

Testing

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

@dagnir dagnir force-pushed the dongie/sra-chunk-encoding-pt2 branch 5 times, most recently from 966149f to ef5d53f Compare October 16, 2025 18:42
@dagnir dagnir changed the base branch from dongie/sra-chunk-encoding-pt1 to feature/master/sra-async-chunked-encoding October 16, 2025 18:59
@dagnir dagnir force-pushed the dongie/sra-chunk-encoding-pt2 branch from ef5d53f to d4f0f87 Compare October 16, 2025 19:03
@dagnir dagnir force-pushed the dongie/sra-chunk-encoding-pt2 branch from d4f0f87 to 5ac3968 Compare October 17, 2025 14:00
@dagnir dagnir changed the title [WIP] V4a async payload signing V4a async payload signing Oct 17, 2025
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
53 New issues
0 Accepted issues

Measures
0 Security Hotspots
93.1% Coverage on New Code
1.0% Duplication on New Code

See analysis details on SonarQube Cloud

zoewangg
zoewangg reviewed Oct 17, 2025
View reviewed changes
...ain/java/software/amazon/awssdk/http/auth/aws/crt/internal/signer/CrtRequestBodyAdapter.java
import software.amazon.awssdk.utils.async.ByteBufferStoringSubscriber.TransferResult;

@SdkInternalApi
public final class CrtRequestBodyAdapter implements HttpRequestBodyStream {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we move this existing class https://github.com/aws/aws-sdk-java-v2/blob/master/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/request/CrtRequestBodyAdapter.java to crt-core and use it directly? I understand this means we'd need to make it protected APIs, but the API surface area seems small enough...

...a/software/amazon/awssdk/services/s3/functionaltests/MultiRegionAccessPointChecksumTest.java

@ParameterizedTest(name = "{index} {3}")
@MethodSource("streamingInputChecksumCalculationParams")
public void asyncStreamingInput_checksumCalculation(RequestChecksumCalculation requestChecksumCalculation,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add an integ test as well?

...ava/software/amazon/awssdk/http/auth/aws/crt/internal/signer/AwsChunkedV4aPayloadSigner.java
SdkHttpRequest.Builder request, Publisher<ByteBuffer> payload, String checksum) {

return SignerUtils.moveContentLength(request, payload)
.thenApply(p -> {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: is there any difference between sigv4a and sigv4 for this logic here?

...ava/software/amazon/awssdk/http/auth/aws/crt/internal/signer/AwsChunkedV4aPayloadSigner.java

encodedContentLength += calculateExistingTrailersLength();

switch (checksum) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question here, can we reuse the logic somehow?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoewangg zoewangg zoewangg left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dagnir @zoewangg