Fixes a bug that could cause the SigV4 payload hash to be incorrectly encoded, leading to signing errors. (#1684)

skmcgrail · web-flow · commit 48159ac1171f · 2022-04-26T15:06:19.000-07:00
diff --git a/.changelog/96bcadc5352b4729806e07feee9091d0.json b/.changelog/96bcadc5352b4729806e07feee9091d0.json
@@ -0,0 +1,8 @@
+{
+    "id": "96bcadc5-352b-4729-806e-07feee9091d0",
+    "type": "bugfix",
+    "description": "Fixes a bug that could cause the SigV4 payload hash to be incorrectly encoded, leading to signing errors.",
+    "modules": [
+        "service/internal/checksum"
+    ]
+}
diff --git a/service/internal/checksum/middleware_compute_input_checksum.go b/service/internal/checksum/middleware_compute_input_checksum.go
@@ -422,7 +422,7 @@ func computeStreamChecksum(algorithm Algorithm, stream io.Reader, computePayload
 		if algorithm != AlgorithmSHA256 {
 			sha256Checksum = string(hexEncodeHashSum(sha256Hasher))
 		} else {
-			sha256Checksum = checksum
+			sha256Checksum = string(hexEncodeHashSum(hasher))
 		}
 	}
 
diff --git a/service/internal/checksum/middleware_compute_input_checksum_test.go b/service/internal/checksum/middleware_compute_input_checksum_test.go
@@ -369,6 +369,29 @@ func TestComputeInputPayloadChecksum(t *testing.T) {
 					"CRC32": "DUoRhQ==",
 				},
 			},
+			"http seekable checksum matches payload hash": {
+				initContext: func(ctx context.Context) context.Context {
+					return setContextInputAlgorithm(ctx, string(AlgorithmSHA256))
+				},
+				buildInput: middleware.BuildInput{
+					Request: func() *smithyhttp.Request {
+						r := smithyhttp.NewStackRequest().(*smithyhttp.Request)
+						r.URL, _ = url.Parse("http://example.aws")
+						r.ContentLength = 11
+						r = requestMust(r.SetStream(bytes.NewReader([]byte("hello world"))))
+						return r
+					}(),
+				},
+				expectHeader: http.Header{
+					"X-Amz-Checksum-Sha256": []string{"uU0nuZNNPgilLlLX2n2r+sSE7+N6U4DukIj3rOLvzek="},
+				},
+				expectContentLength: 11,
+				expectPayload:       []byte("hello world"),
+				expectPayloadHash:   "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
+				expectChecksumMetadata: map[string]string{
+					"SHA256": "uU0nuZNNPgilLlLX2n2r+sSE7+N6U4DukIj3rOLvzek=",
+				},
+			},
 			"http payload hash disabled": {
 				initContext: func(ctx context.Context) context.Context {
 					return setContextInputAlgorithm(ctx, string(AlgorithmCRC32))

Original file line number	Diff line number	Diff line change
`@@ -422,7 +422,7 @@ func computeStreamChecksum(algorithm Algorithm, stream io.Reader, computePayload`
`422`	`422`	`if algorithm != AlgorithmSHA256 {`
`423`	`423`	`sha256Checksum = string(hexEncodeHashSum(sha256Hasher))`
`424`	`424`	`} else {`
`425`		`- sha256Checksum = checksum`
	`425`	`+ sha256Checksum = string(hexEncodeHashSum(hasher))`
`426`	`426`	`}`
`427`	`427`	`}`
`428`	`428`