More sigv4 optimizations

Author: mtdowling

aws/aws-sigv4/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/sigv4/SigV4Signer.java

@@ -7,13 +7,13 @@
 
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
+import java.security.DigestException;
 import java.security.InvalidKeyException;
 import java.time.Clock;
 import java.time.Instant;
 import java.time.LocalDateTime;
 import java.time.ZoneOffset;
 import java.util.HexFormat;
-import java.util.List;
 import javax.crypto.spec.SecretKeySpec;
 import software.amazon.smithy.java.auth.api.SignResult;
 import software.amazon.smithy.java.auth.api.Signer;
@@ -35,18 +35,12 @@
 final class SigV4Signer implements Signer<HttpRequest, AwsCredentialsIdentity> {
 
     private static final InternalLogger LOGGER = InternalLogger.getLogger(SigV4Signer.class);
-    private static final List<String> HEADERS_TO_IGNORE_IN_LOWER_CASE = List.of(
-            HeaderName.CONNECTION.name(),
-            HeaderName.CONTENT_LENGTH.name(),
-            HeaderName.X_AMZN_TRACE_ID.name(),
-            HeaderName.USER_AGENT.name(),
-            HeaderName.EXPECT.name());
-
     private static final String ALGORITHM = "AWS4-HMAC-SHA256";
     private static final String TERMINATOR = "aws4_request";
     private static final String HMAC_SHA_256 = "HmacSHA256";
     private static final SigningCache SIGNER_CACHE = new SigningCache(300);
     private static final String EMPTY_BODY_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
+    private static final byte[] HEX_DIGITS = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
 
     private final SigningResources signingResources;
 
@@ -189,8 +183,7 @@ private String signInPlace(
                 canonicalLen,
                 scope,
                 requestTime,
-                signingKey,
-                sb);
+                signingKey);
         var authorizationHeader = getAuthHeader(accessKeyId, scope, signedHeaders, signature, sb);
 
         // Now mutate the actual request. setHeader is a single-key operation per header; no wholesale map replacement.
@@ -218,7 +211,7 @@ private static String buildSignedHeadersString(SigningResources r, StringBuilder
 
         for (int i = 0; i < r.headerCount; i++) {
             String name = r.headers[i * 2];
-            if (name.equals(previous) || HEADERS_TO_IGNORE_IN_LOWER_CASE.contains(name)) {
+            if (name.equals(previous) || isIgnoredHeader(name)) {
                 continue;
             }
             if (!sb.isEmpty()) {
@@ -276,7 +269,7 @@ private static void addCanonicalizedHeaderString(SigningResources r, StringBuild
             while (next < r.headerCount && name.equals(r.headers[next * 2])) {
                 next++;
             }
-            if (HEADERS_TO_IGNORE_IN_LOWER_CASE.contains(name)) {
+            if (isIgnoredHeader(name)) {
                 i = next;
                 continue;
             }
@@ -396,6 +389,14 @@ private static void addCanonicalizedQueryString(SmithyUri uri, SigningResources
 
         boolean canonical = isAlreadyCanonical(query);
         int len = query.length();
+        if (canonical) {
+            int amp = query.indexOf('&');
+            if (amp == -1) {
+                appendSingleCanonicalQueryPair(query, builder);
+                return;
+            }
+        }
+
         int start = 0;
         while (start <= len) {
             int amp = query.indexOf('&', start);
@@ -439,6 +440,18 @@ private static void addCanonicalizedQueryString(SmithyUri uri, SigningResources
         }
     }
 
+    private static void appendSingleCanonicalQueryPair(String query, StringBuilder builder) {
+        int eq = query.indexOf('=');
+        if (eq == 0) {
+            return;
+        }
+
+        builder.append(query);
+        if (eq == -1) {
+            builder.append('=');
+        }
+    }
+
     // Returns true if every character in the query string is either an RFC 3986 unreserved
     // char or part of an already-uppercase {@code %XX} escape
     private static boolean isAlreadyCanonical(String s) {
@@ -514,6 +527,13 @@ private static boolean isWhiteSpace(char ch) {
         return ch == ' ' || (ch >= '\t' && ch <= '\f');
     }
 
+    private static boolean isIgnoredHeader(String name) {
+        return switch (name) {
+            case "connection", "content-length", "x-amzn-trace-id", "user-agent", "expect" -> true;
+            default -> false;
+        };
+    }
+
     /**
      * AWS4 uses a series of derived keys, formed by hashing different pieces of data
      */
@@ -553,20 +573,24 @@ private String computeSignature(
             int canonicalRequestLength,
             String scope,
             String requestTime,
-            byte[] signingKey,
-            StringBuilder sb
+            byte[] signingKey
     ) {
-        sb.setLength(0);
-        sb.append(ALGORITHM)
-                .append('\n')
-                .append(requestTime)
-                .append('\n')
-                .append(scope)
-                .append('\n')
-                .append(HexFormat.of().formatHex(hash(canonicalRequest, 0, canonicalRequestLength)));
-        var toSign = sb.toString();
-        var signatureBytes = sign(toSign, signingKey);
-        return HexFormat.of().formatHex(signatureBytes);
+        byte[] canonicalRequestHash = hash(canonicalRequest, 0, canonicalRequestLength, signingResources.hashBytes);
+        int stringToSignLength = ALGORITHM.length() + requestTime.length() + scope.length() + 67;
+        byte[] stringToSign = signingResources.ensureStringToSignCapacity(stringToSignLength);
+
+        int pos = writeAscii(ALGORITHM, stringToSign, 0);
+        stringToSign[pos++] = '\n';
+        pos = writeAscii(requestTime, stringToSign, pos);
+        stringToSign[pos++] = '\n';
+        pos = writeAscii(scope, stringToSign, pos);
+        stringToSign[pos++] = '\n';
+        pos = writeHex(canonicalRequestHash, stringToSign, pos);
+
+        byte[] signatureBytes = sign(stringToSign, 0, pos, signingKey, signingResources.signatureBytes);
+        byte[] signatureHex = signingResources.signatureHexBytes;
+        writeHex(signatureBytes, signatureHex, 0);
+        return new String(signatureHex, 0, signatureHex.length, StandardCharsets.US_ASCII);
     }
 
     private byte[] sign(String data, byte[] key) {
@@ -580,6 +604,36 @@ private byte[] sign(String data, byte[] key) {
         }
     }
 
+    private byte[] sign(byte[] data, int offset, int length, byte[] key, byte[] output) {
+        try {
+            var sha256Mac = signingResources.sha256Mac;
+            sha256Mac.reset();
+            sha256Mac.init(new SecretKeySpec(key, HMAC_SHA_256));
+            sha256Mac.update(data, offset, length);
+            sha256Mac.doFinal(output, 0);
+            return output;
+        } catch (InvalidKeyException e) {
+            throw new RuntimeException(e);
+        } catch (javax.crypto.ShortBufferException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static int writeAscii(String value, byte[] dst, int offset) {
+        for (int i = 0; i < value.length(); i++) {
+            dst[offset++] = (byte) value.charAt(i);
+        }
+        return offset;
+    }
+
+    private static int writeHex(byte[] bytes, byte[] dst, int offset) {
+        for (byte b : bytes) {
+            dst[offset++] = HEX_DIGITS[(b >>> 4) & 0x0F];
+            dst[offset++] = HEX_DIGITS[b & 0x0F];
+        }
+        return offset;
+    }
+
     private byte[] hash(ByteBuffer data) {
         var sha256Digest = signingResources.sha256Digest;
         sha256Digest.reset();
@@ -593,4 +647,16 @@ private byte[] hash(byte[] data, int offset, int length) {
         sha256Digest.update(data, offset, length);
         return sha256Digest.digest();
     }
+
+    private byte[] hash(byte[] data, int offset, int length, byte[] output) {
+        try {
+            var sha256Digest = signingResources.sha256Digest;
+            sha256Digest.reset();
+            sha256Digest.update(data, offset, length);
+            sha256Digest.digest(output, 0, output.length);
+            return output;
+        } catch (DigestException e) {
+            throw new RuntimeException(e);
+        }
+    }
 }

aws/aws-sigv4/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/sigv4/SigningResources.java

@@ -46,6 +46,10 @@ final class SigningResources {
      * StringBuilder chars directly as bytes without going through {@code String.getBytes}.
      */
     byte[] canonicalRequestBytes;
+    byte[] stringToSignBytes;
+    final byte[] hashBytes;
+    final byte[] signatureBytes;
+    final byte[] signatureHexBytes;
 
     /**
      * Ensure {@link #canonicalRequestBytes} has at least {@code minLength} bytes of capacity,
@@ -59,11 +63,27 @@ byte[] ensureCanonicalRequestCapacity(int minLength) {
         return canonicalRequestBytes;
     }
 
+    /**
+     * Ensure {@link #stringToSignBytes} has at least {@code minLength} bytes of capacity,
+     * growing to the next power of two if not.
+     */
+    byte[] ensureStringToSignCapacity(int minLength) {
+        if (stringToSignBytes.length < minLength) {
+            int newLen = Integer.highestOneBit(minLength - 1) << 1;
+            stringToSignBytes = new byte[newLen];
+        }
+        return stringToSignBytes;
+    }
+
     SigningResources() {
         this.sb = new StringBuilder(BUFFER_SIZE);
         this.headers = new String[INITIAL_HEADER_CAPACITY * 2];
         this.queryPairs = new String[INITIAL_HEADER_CAPACITY * 2];
         this.canonicalRequestBytes = new byte[BUFFER_SIZE];
+        this.stringToSignBytes = new byte[BUFFER_SIZE];
+        this.hashBytes = new byte[32];
+        this.signatureBytes = new byte[32];
+        this.signatureHexBytes = new byte[64];
 
         try {
             this.sha256Digest = MessageDigest.getInstance("SHA-256");
@@ -93,6 +113,9 @@ void shrink() {
             // Reallocate in case the header array grew too large
             headers = new String[INITIAL_HEADER_CAPACITY * 2];
         }
+        if (stringToSignBytes.length > BUFFER_SIZE) {
+            stringToSignBytes = new byte[BUFFER_SIZE];
+        }
     }
 
     private void clearHeaderRefs() {