Merge pull request #7 from dchenbec/bugfix-signature-mismatch-jdk11

Fix SigV4 timestamp formatting to match SigV4 Spec

Author: dchenbec

CHANGELOG.md

@@ -1,5 +1,11 @@
 # CHANGELOG
 
+## [4.0.2] - 2020-03-31
+
+Changed the plugin to use a `DateTimeFormatter` to ensure precisely 3 digits of millisecond precision for the SigV4
+timestamp. A change between JDK8 and JDK11 caused the output of `java.time.Instant.toString()` to change from 3 to 6
+digits, which results in a signature mismatch.
+
 ## [4.0.1] - 2020-03-31
 
 No changes to code, but we are re-publishing the 4.0.0 release compiled with Java 8 to fix [Issue

pom.xml

@@ -3,7 +3,7 @@
  <modelVersion>4.0.0</modelVersion>
  <groupId>software.aws.mcs</groupId>
  <artifactId>aws-sigv4-auth-cassandra-java-driver-plugin</artifactId>
- <version>4.0.1</version>
+ <version>4.0.2</version>
  <name>AWS SigV4 Auth Java Driver 4.x Plugin</name>
  <description>A Plugin to allow SigV4 authentication for Java Cassandra drivers with Amazon MCS</description>
  <url>https://github.com/aws/aws-sigv4-auth-cassandra-java-driver-plugin</url>

src/main/java/software/aws/mcs/auth/SigV4AuthProvider.java

@@ -46,6 +46,8 @@
 import java.security.NoSuchAlgorithmException;
 import java.time.Instant;
 import java.time.ZoneId;
+import java.time.format.DateTimeFormatter;
+import java.time.format.DateTimeFormatterBuilder;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
@@ -76,6 +78,11 @@ public class SigV4AuthProvider implements AuthProvider {
  SIGV4_INITIAL_RESPONSE = initialResponse.asReadOnlyBuffer();
  }
 
+ private static final int AWS_FRACTIONAL_TIMESTAMP_DIGITS = 3; // SigV4 expects three digits of nanoseconds for timestamps
+ private static final DateTimeFormatter timestampFormatter =
+ (new DateTimeFormatterBuilder()).appendInstant(AWS_FRACTIONAL_TIMESTAMP_DIGITS).toFormatter();
+
+
  private static final byte[] NONCE_KEY = "nonce=".getBytes(StandardCharsets.UTF_8);
  private static final int EXPECTED_NONCE_LENGTH = 32;
 
@@ -206,7 +213,7 @@ public CompletionStage<ByteBuffer> evaluateChallenge(ByteBuffer challenge) {
  String.format("signature=%s,access_key=%s,amzdate=%s",
  signature,
  credentials.getAWSAccessKeyId(),
- requestTimestamp);
+ timestampFormatter.format(requestTimestamp));
 
  if (credentials instanceof AWSSessionCredentials) {
  response = response + ",session_token=" + ((AWSSessionCredentials)credentials).getSessionToken();
@@ -270,7 +277,7 @@ private String generateSignature(byte[] nonce, Instant requestTimestamp, AWSCred
 
  String stringToSign = String.format("%s%n%s%n%s%n%s",
  SignerConstants.AWS4_SIGNING_ALGORITHM,
- requestTimestamp,
+ timestampFormatter.format(requestTimestamp),
  signingScope,
  sha256Digest(canonicalRequest));
 
@@ -297,7 +304,7 @@ private static String canonicalizeRequest(String accessKey,
  String.format("X-Amz-Credential=%s%%2F%s",
  accessKey,
  URLEncoder.encode(signingScope, StandardCharsets.UTF_8.name())),
- "X-Amz-Date=" + URLEncoder.encode(requestTimestamp.toString(), StandardCharsets.UTF_8.name()),
+ "X-Amz-Date=" + URLEncoder.encode(timestampFormatter.format(requestTimestamp), StandardCharsets.UTF_8.name()),
  AMZ_EXPIRES_HEADER
  );