@k-asm
Contributor

@k-asm k-asm commented Nov 14, 2025

Problem

The current SigV4a implementation has two critical bugs that cause SignatureDoesNotMatch errors when making requests to AWS services:

  1. Double hashing in signature calculation - The code pre-hashes StringToSign before passing it to crypto:sign/4, which internally hashes it again
  2. Missing hex-encoding in StringToSign - The CanonicalRequest hash in StringToSign is not hex-encoded, causing binary data to be included directly in the string

Root Cause

Issue 1: Double Hashing

% Before (incorrect - double hashing)
{ok, aws_signature_utils:base16(ecdsa_sign(PrivateKey, aws_sigv4_utils:sha256(StrToSign)))}

% After (correct - single hashing)
{ok, aws_signature_utils:base16(ecdsa_sign(PrivateKey, StrToSign))}

The code was pre-hashing StringToSign, then crypto:sign(ecdsa, sha256, ...) hashes it again internally, resulting in double hashing.

Issue 2: Missing Hex-Encoding

% Before (incorrect - raw binary hash)
, aws_sigv4_utils:sha256(CanonicalRequest)

% After (correct - hex-encoded hash)
, aws_signature_utils:base16(aws_sigv4_utils:sha256(CanonicalRequest))

The Go reference implementation uses hex.EncodeToString() to convert the hash to a hex string, but this was missed during the Erlang port.

Reference

@onno-vos-dev
Member

Will tag and release in about 1 hour when I'm back at my desk 👍

Thank you! 🙏

@mikpe
Collaborator

mikpe commented Nov 14, 2025

Thanks, we had difficult-to-debug issues with SigV4A here that forced us to use plain SigV4 until now.

@onno-vos-dev onno-vos-dev merged commit a3c20ca into aws-beam:main Nov 14, 2025
3 checks passed
@onno-vos-dev
Member

Released as 0.4.2

@onno-vos-dev
Member

Also updated aws_beam_core to 1.1.0 and aws_erlang to 1.2.0 so you should be all set!
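
A self-contained reproduction of the two bugs described in the pull request description, added here as an example; it is not code from the pull request or from aws-beam. The module name, the sample timestamp, scope and canonical request, the randomly generated P-256 key and the local `service_verify/3` stand-in for the receiving side are assumptions. Of the three combinations `run/0` tries, only single hashing with a hex-encoded digest verifies.

```erlang
-module(sigv4a_demo).
-export([run/0, string_to_sign/2, sign/3, service_verify/3]).

%% Constructed sample values (assumptions, not taken from the pull request).
-define(ALGORITHM, <<"AWS4-ECDSA-P256-SHA256">>).
-define(TIMESTAMP, <<"20250101T000000Z">>).
-define(SCOPE, <<"20250101/s3/aws4_request">>).

%% Lowercase hex encoding of a binary.
hex(Bin) ->
    iolist_to_binary([io_lib:format("~2.16.0b", [B]) || <<B>> <= Bin]).

%% Build StringToSign. `hex` is the fixed form; `raw` reproduces the bug where
%% the 32 raw digest bytes were placed directly in the string.
string_to_sign(Encoding, CanonicalRequest) ->
    Digest = crypto:hash(sha256, CanonicalRequest),
    Last = case Encoding of
               hex -> hex(Digest);
               raw -> Digest
           end,
    iolist_to_binary(lists:join(<<"\n">>, [?ALGORITHM, ?TIMESTAMP, ?SCOPE, Last])).

%% crypto:sign/4 hashes its message argument with the given digest type, so
%% `double` (pre-hashing) ends up signing sha256(sha256(StringToSign)).
sign(single, Priv, StrToSign) ->
    crypto:sign(ecdsa, sha256, StrToSign, [Priv, secp256r1]);
sign(double, Priv, StrToSign) ->
    crypto:sign(ecdsa, sha256, crypto:hash(sha256, StrToSign), [Priv, secp256r1]).

%% Local stand-in for the receiving service: rebuild StringToSign from the
%% request with a hex digest and verify the signature, hashing once.
service_verify(Pub, CanonicalRequest, Signature) ->
    Expected = string_to_sign(hex, CanonicalRequest),
    crypto:verify(ecdsa, sha256, Expected, Signature, [Pub, secp256r1]).

%% Sign one constructed request three ways and report which signatures verify.
%% A random key is used here in place of the key a real signer would hold.
run() ->
    {Pub, Priv} = crypto:generate_key(ecdh, secp256r1),
    Request = <<"GET\n/\n\nhost:example.amazonaws.com\n\nhost\nUNSIGNED-PAYLOAD">>,
    Cases = [{fixed, single, hex}, {double_hash, double, hex}, {raw_digest, single, raw}],
    [{Label, service_verify(Pub, Request, sign(Hashing, Priv, string_to_sign(Enc, Request)))}
     || {Label, Hashing, Enc} <- Cases].
```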
