feat(train): add new command to interact with aws and train models

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/credentials.go

@@ -0,0 +1,141 @@
+package v4a
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"fmt"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/internal/sdk"
+)
+
+// Credentials is Context, ECDSA, and Optional Session Token that can be used
+// to sign requests using SigV4a
+type Credentials struct {
+	Context      string
+	PrivateKey   *ecdsa.PrivateKey
+	SessionToken string
+
+	// Time the credentials will expire.
+	CanExpire bool
+	Expires   time.Time
+}
+
+// Expired returns if the credentials have expired.
+func (v Credentials) Expired() bool {
+	if v.CanExpire {
+		return !v.Expires.After(sdk.NowTime())
+	}
+
+	return false
+}
+
+// HasKeys returns if the credentials keys are set.
+func (v Credentials) HasKeys() bool {
+	return len(v.Context) > 0 && v.PrivateKey != nil
+}
+
+// SymmetricCredentialAdaptor wraps a SigV4 AccessKey/SecretKey provider and adapts the credentials
+// to a ECDSA PrivateKey for signing with SiV4a
+type SymmetricCredentialAdaptor struct {
+	SymmetricProvider aws.CredentialsProvider
+
+	asymmetric atomic.Value
+	m          sync.Mutex
+}
+
+// Retrieve retrieves symmetric credentials from the underlying provider.
+func (s *SymmetricCredentialAdaptor) Retrieve(ctx context.Context) (aws.Credentials, error) {
+	symCreds, err := s.retrieveFromSymmetricProvider(ctx)
+	if err != nil {
+		return aws.Credentials{}, nil
+	}
+
+	if asymCreds := s.getCreds(); asymCreds == nil {
+		return symCreds, nil
+	}
+
+	s.m.Lock()
+	defer s.m.Unlock()
+
+	asymCreds := s.getCreds()
+	if asymCreds == nil {
+		return symCreds, nil
+	}
+
+	// if the context does not match the access key id clear it
+	if asymCreds.Context != symCreds.AccessKeyID {
+		s.asymmetric.Store((*Credentials)(nil))
+	}
+
+	return symCreds, nil
+}
+
+// RetrievePrivateKey returns credentials suitable for SigV4a signing
+func (s *SymmetricCredentialAdaptor) RetrievePrivateKey(ctx context.Context) (Credentials, error) {
+	if asymCreds := s.getCreds(); asymCreds != nil {
+		return *asymCreds, nil
+	}
+
+	s.m.Lock()
+	defer s.m.Unlock()
+
+	if asymCreds := s.getCreds(); asymCreds != nil {
+		return *asymCreds, nil
+	}
+
+	symmetricCreds, err := s.retrieveFromSymmetricProvider(ctx)
+	if err != nil {
+		return Credentials{}, fmt.Errorf("failed to retrieve symmetric credentials: %v", err)
+	}
+
+	privateKey, err := deriveKeyFromAccessKeyPair(symmetricCreds.AccessKeyID, symmetricCreds.SecretAccessKey)
+	if err != nil {
+		return Credentials{}, fmt.Errorf("failed to derive assymetric key from credentials")
+	}
+
+	creds := Credentials{
+		Context:      symmetricCreds.AccessKeyID,
+		PrivateKey:   privateKey,
+		SessionToken: symmetricCreds.SessionToken,
+		CanExpire:    symmetricCreds.CanExpire,
+		Expires:      symmetricCreds.Expires,
+	}
+
+	s.asymmetric.Store(&creds)
+
+	return creds, nil
+}
+
+func (s *SymmetricCredentialAdaptor) getCreds() *Credentials {
+	v := s.asymmetric.Load()
+
+	if v == nil {
+		return nil
+	}
+
+	c := v.(*Credentials)
+	if c != nil && c.HasKeys() && !c.Expired() {
+		return c
+	}
+
+	return nil
+}
+
+func (s *SymmetricCredentialAdaptor) retrieveFromSymmetricProvider(ctx context.Context) (aws.Credentials, error) {
+	credentials, err := s.SymmetricProvider.Retrieve(ctx)
+	if err != nil {
+		return aws.Credentials{}, err
+	}
+
+	return credentials, nil
+}
+
+// CredentialsProvider is the interface for a provider to retrieve credentials
+// to sign requests with.
+type CredentialsProvider interface {
+	RetrievePrivateKey(context.Context) (Credentials, error)
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/error.go

@@ -0,0 +1,17 @@
+package v4a
+
+import "fmt"
+
+// SigningError indicates an error condition occurred while performing SigV4a signing
+type SigningError struct {
+	Err error
+}
+
+func (e *SigningError) Error() string {
+	return fmt.Sprintf("failed to sign request: %v", e.Err)
+}
+
+// Unwrap returns the underlying error cause
+func (e *SigningError) Unwrap() error {
+	return e.Err
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/crypto/compare.go

@@ -0,0 +1,30 @@
+package crypto
+
+import "fmt"
+
+// ConstantTimeByteCompare is a constant-time byte comparison of x and y. This function performs an absolute comparison
+// if the two byte slices assuming they represent a big-endian number.
+//
+// 	 error if len(x) != len(y)
+//   -1 if x <  y
+//    0 if x == y
+//   +1 if x >  y
+func ConstantTimeByteCompare(x, y []byte) (int, error) {
+	if len(x) != len(y) {
+		return 0, fmt.Errorf("slice lengths do not match")
+	}
+
+	xLarger, yLarger := 0, 0
+
+	for i := 0; i < len(x); i++ {
+		xByte, yByte := int(x[i]), int(y[i])
+
+		x := ((yByte - xByte) >> 8) & 1
+		y := ((xByte - yByte) >> 8) & 1
+
+		xLarger |= x &^ yLarger
+		yLarger |= y &^ xLarger
+	}
+
+	return xLarger - yLarger, nil
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/crypto/ecc.go

@@ -0,0 +1,113 @@
+package crypto
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/hmac"
+	"encoding/asn1"
+	"encoding/binary"
+	"fmt"
+	"hash"
+	"math"
+	"math/big"
+)
+
+type ecdsaSignature struct {
+	R, S *big.Int
+}
+
+// ECDSAKey takes the given elliptic curve, and private key (d) byte slice
+// and returns the private ECDSA key.
+func ECDSAKey(curve elliptic.Curve, d []byte) *ecdsa.PrivateKey {
+	return ECDSAKeyFromPoint(curve, (&big.Int{}).SetBytes(d))
+}
+
+// ECDSAKeyFromPoint takes the given elliptic curve and point and returns the
+// private and public keypair
+func ECDSAKeyFromPoint(curve elliptic.Curve, d *big.Int) *ecdsa.PrivateKey {
+	pX, pY := curve.ScalarBaseMult(d.Bytes())
+
+	privKey := &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: curve,
+			X:     pX,
+			Y:     pY,
+		},
+		D: d,
+	}
+
+	return privKey
+}
+
+// ECDSAPublicKey takes the provide curve and (x, y) coordinates and returns
+// *ecdsa.PublicKey. Returns an error if the given points are not on the curve.
+func ECDSAPublicKey(curve elliptic.Curve, x, y []byte) (*ecdsa.PublicKey, error) {
+	xPoint := (&big.Int{}).SetBytes(x)
+	yPoint := (&big.Int{}).SetBytes(y)
+
+	if !curve.IsOnCurve(xPoint, yPoint) {
+		return nil, fmt.Errorf("point(%v, %v) is not on the given curve", xPoint.String(), yPoint.String())
+	}
+
+	return &ecdsa.PublicKey{
+		Curve: curve,
+		X:     xPoint,
+		Y:     yPoint,
+	}, nil
+}
+
+// VerifySignature takes the provided public key, hash, and asn1 encoded signature and returns
+// whether the given signature is valid.
+func VerifySignature(key *ecdsa.PublicKey, hash []byte, signature []byte) (bool, error) {
+	var ecdsaSignature ecdsaSignature
+
+	_, err := asn1.Unmarshal(signature, &ecdsaSignature)
+	if err != nil {
+		return false, err
+	}
+
+	return ecdsa.Verify(key, hash, ecdsaSignature.R, ecdsaSignature.S), nil
+}
+
+// HMACKeyDerivation provides an implementation of a NIST-800-108 of a KDF (Key Derivation Function) in Counter Mode.
+// For the purposes of this implantation HMAC is used as the PRF (Pseudorandom function), where the value of
+// `r` is defined as a 4 byte counter.
+func HMACKeyDerivation(hash func() hash.Hash, bitLen int, key []byte, label, context []byte) ([]byte, error) {
+	// verify that we won't overflow the counter
+	n := int64(math.Ceil((float64(bitLen) / 8) / float64(hash().Size())))
+	if n > 0x7FFFFFFF {
+		return nil, fmt.Errorf("unable to derive key of size %d using 32-bit counter", bitLen)
+	}
+
+	// verify the requested bit length is not larger then the length encoding size
+	if int64(bitLen) > 0x7FFFFFFF {
+		return nil, fmt.Errorf("bitLen is greater than 32-bits")
+	}
+
+	fixedInput := bytes.NewBuffer(nil)
+	fixedInput.Write(label)
+	fixedInput.WriteByte(0x00)
+	fixedInput.Write(context)
+	if err := binary.Write(fixedInput, binary.BigEndian, int32(bitLen)); err != nil {
+		return nil, fmt.Errorf("failed to write bit length to fixed input string: %v", err)
+	}
+
+	var output []byte
+
+	h := hmac.New(hash, key)
+
+	for i := int64(1); i <= n; i++ {
+		h.Reset()
+		if err := binary.Write(h, binary.BigEndian, int32(i)); err != nil {
+			return nil, err
+		}
+		_, err := h.Write(fixedInput.Bytes())
+		if err != nil {
+			return nil, err
+		}
+		output = append(output, h.Sum(nil)...)
+	}
+
+	return output[:bitLen/8], nil
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/v4/const.go

@@ -0,0 +1,36 @@
+package v4
+
+const (
+	// EmptyStringSHA256 is the hex encoded sha256 value of an empty string
+	EmptyStringSHA256 = `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
+
+	// UnsignedPayload indicates that the request payload body is unsigned
+	UnsignedPayload = "UNSIGNED-PAYLOAD"
+
+	// AmzAlgorithmKey indicates the signing algorithm
+	AmzAlgorithmKey = "X-Amz-Algorithm"
+
+	// AmzSecurityTokenKey indicates the security token to be used with temporary credentials
+	AmzSecurityTokenKey = "X-Amz-Security-Token"
+
+	// AmzDateKey is the UTC timestamp for the request in the format YYYYMMDD'T'HHMMSS'Z'
+	AmzDateKey = "X-Amz-Date"
+
+	// AmzCredentialKey is the access key ID and credential scope
+	AmzCredentialKey = "X-Amz-Credential"
+
+	// AmzSignedHeadersKey is the set of headers signed for the request
+	AmzSignedHeadersKey = "X-Amz-SignedHeaders"
+
+	// AmzSignatureKey is the query parameter to store the SigV4 signature
+	AmzSignatureKey = "X-Amz-Signature"
+
+	// TimeFormat is the time format to be used in the X-Amz-Date header or query parameter
+	TimeFormat = "20060102T150405Z"
+
+	// ShortTimeFormat is the shorten time format used in the credential scope
+	ShortTimeFormat = "20060102"
+
+	// ContentSHAKey is the SHA256 of request body
+	ContentSHAKey = "X-Amz-Content-Sha256"
+)

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/v4/header_rules.go

@@ -0,0 +1,82 @@
+package v4
+
+import (
+	sdkstrings "github.com/aws/aws-sdk-go-v2/internal/strings"
+)
+
+// Rules houses a set of Rule needed for validation of a
+// string value
+type Rules []Rule
+
+// Rule interface allows for more flexible rules and just simply
+// checks whether or not a value adheres to that Rule
+type Rule interface {
+	IsValid(value string) bool
+}
+
+// IsValid will iterate through all rules and see if any rules
+// apply to the value and supports nested rules
+func (r Rules) IsValid(value string) bool {
+	for _, rule := range r {
+		if rule.IsValid(value) {
+			return true
+		}
+	}
+	return false
+}
+
+// MapRule generic Rule for maps
+type MapRule map[string]struct{}
+
+// IsValid for the map Rule satisfies whether it exists in the map
+func (m MapRule) IsValid(value string) bool {
+	_, ok := m[value]
+	return ok
+}
+
+// AllowList is a generic Rule for whitelisting
+type AllowList struct {
+	Rule
+}
+
+// IsValid for AllowList checks if the value is within the AllowList
+func (w AllowList) IsValid(value string) bool {
+	return w.Rule.IsValid(value)
+}
+
+// DenyList is a generic Rule for blacklisting
+type DenyList struct {
+	Rule
+}
+
+// IsValid for AllowList checks if the value is within the AllowList
+func (b DenyList) IsValid(value string) bool {
+	return !b.Rule.IsValid(value)
+}
+
+// Patterns is a list of strings to match against
+type Patterns []string
+
+// IsValid for Patterns checks each pattern and returns if a match has
+// been found
+func (p Patterns) IsValid(value string) bool {
+	for _, pattern := range p {
+		if sdkstrings.HasPrefixFold(value, pattern) {
+			return true
+		}
+	}
+	return false
+}
+
+// InclusiveRules rules allow for rules to depend on one another
+type InclusiveRules []Rule
+
+// IsValid will return true if all rules are true
+func (r InclusiveRules) IsValid(value string) bool {
+	for _, rule := range r {
+		if !rule.IsValid(value) {
+			return false
+		}
+	}
+	return true
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/v4/headers.go

@@ -0,0 +1,67 @@
+package v4
+
+// IgnoredHeaders is a list of headers that are ignored during signing
+var IgnoredHeaders = Rules{
+	DenyList{
+		MapRule{
+			"Authorization":   struct{}{},
+			"User-Agent":      struct{}{},
+			"X-Amzn-Trace-Id": struct{}{},
+		},
+	},
+}
+
+// RequiredSignedHeaders is a whitelist for Build canonical headers.
+var RequiredSignedHeaders = Rules{
+	AllowList{
+		MapRule{
+			"Cache-Control":                         struct{}{},
+			"Content-Disposition":                   struct{}{},
+			"Content-Encoding":                      struct{}{},
+			"Content-Language":                      struct{}{},
+			"Content-Md5":                           struct{}{},
+			"Content-Type":                          struct{}{},
+			"Expires":                               struct{}{},
+			"If-Match":                              struct{}{},
+			"If-Modified-Since":                     struct{}{},
+			"If-None-Match":                         struct{}{},
+			"If-Unmodified-Since":                   struct{}{},
+			"Range":                                 struct{}{},
+			"X-Amz-Acl":                             struct{}{},
+			"X-Amz-Copy-Source":                     struct{}{},
+			"X-Amz-Copy-Source-If-Match":            struct{}{},
+			"X-Amz-Copy-Source-If-Modified-Since":   struct{}{},
+			"X-Amz-Copy-Source-If-None-Match":       struct{}{},
+			"X-Amz-Copy-Source-If-Unmodified-Since": struct{}{},
+			"X-Amz-Copy-Source-Range":               struct{}{},
+			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
+			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key":       struct{}{},
+			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5":   struct{}{},
+			"X-Amz-Grant-Full-control":                                    struct{}{},
+			"X-Amz-Grant-Read":                                            struct{}{},
+			"X-Amz-Grant-Read-Acp":                                        struct{}{},
+			"X-Amz-Grant-Write":                                           struct{}{},
+			"X-Amz-Grant-Write-Acp":                                       struct{}{},
+			"X-Amz-Metadata-Directive":                                    struct{}{},
+			"X-Amz-Mfa":                                                   struct{}{},
+			"X-Amz-Request-Payer":                                         struct{}{},
+			"X-Amz-Server-Side-Encryption":                                struct{}{},
+			"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id":                 struct{}{},
+			"X-Amz-Server-Side-Encryption-Customer-Algorithm":             struct{}{},
+			"X-Amz-Server-Side-Encryption-Customer-Key":                   struct{}{},
+			"X-Amz-Server-Side-Encryption-Customer-Key-Md5":               struct{}{},
+			"X-Amz-Storage-Class":                                         struct{}{},
+			"X-Amz-Website-Redirect-Location":                             struct{}{},
+			"X-Amz-Content-Sha256":                                        struct{}{},
+			"X-Amz-Tagging":                                               struct{}{},
+		},
+	},
+	Patterns{"X-Amz-Meta-"},
+}
+
+// AllowedQueryHoisting is a whitelist for Build query headers. The boolean value
+// represents whether or not it is a pattern.
+var AllowedQueryHoisting = InclusiveRules{
+	DenyList{RequiredSignedHeaders},
+	Patterns{"X-Amz-"},
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/v4/hmac.go

@@ -0,0 +1,13 @@
+package v4
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+)
+
+// HMACSHA256 computes a HMAC-SHA256 of data given the provided key.
+func HMACSHA256(key []byte, data []byte) []byte {
+	hash := hmac.New(sha256.New, key)
+	hash.Write(data)
+	return hash.Sum(nil)
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/v4/host.go

@@ -0,0 +1,75 @@
+package v4
+
+import (
+	"net/http"
+	"strings"
+)
+
+// SanitizeHostForHeader removes default port from host and updates request.Host
+func SanitizeHostForHeader(r *http.Request) {
+	host := getHost(r)
+	port := portOnly(host)
+	if port != "" && isDefaultPort(r.URL.Scheme, port) {
+		r.Host = stripPort(host)
+	}
+}
+
+// Returns host from request
+func getHost(r *http.Request) string {
+	if r.Host != "" {
+		return r.Host
+	}
+
+	return r.URL.Host
+}
+
+// Hostname returns u.Host, without any port number.
+//
+// If Host is an IPv6 literal with a port number, Hostname returns the
+// IPv6 literal without the square brackets. IPv6 literals may include
+// a zone identifier.
+//
+// Copied from the Go 1.8 standard library (net/url)
+func stripPort(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return hostport
+	}
+	if i := strings.IndexByte(hostport, ']'); i != -1 {
+		return strings.TrimPrefix(hostport[:i], "[")
+	}
+	return hostport[:colon]
+}
+
+// Port returns the port part of u.Host, without the leading colon.
+// If u.Host doesn't contain a port, Port returns an empty string.
+//
+// Copied from the Go 1.8 standard library (net/url)
+func portOnly(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return ""
+	}
+	if i := strings.Index(hostport, "]:"); i != -1 {
+		return hostport[i+len("]:"):]
+	}
+	if strings.Contains(hostport, "]") {
+		return ""
+	}
+	return hostport[colon+len(":"):]
+}
+
+// Returns true if the specified URI is using the standard port
+// (i.e. port 80 for HTTP URIs or 443 for HTTPS URIs)
+func isDefaultPort(scheme, port string) bool {
+	if port == "" {
+		return true
+	}
+
+	lowerCaseScheme := strings.ToLower(scheme)
+	if (lowerCaseScheme == "http" && port == "80") || (lowerCaseScheme == "https" && port == "443") {
+		return true
+	}
+
+	return false
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/v4/time.go

@@ -0,0 +1,36 @@
+package v4
+
+import "time"
+
+// SigningTime provides a wrapper around a time.Time which provides cached values for SigV4 signing.
+type SigningTime struct {
+	time.Time
+	timeFormat      string
+	shortTimeFormat string
+}
+
+// NewSigningTime creates a new SigningTime given a time.Time
+func NewSigningTime(t time.Time) SigningTime {
+	return SigningTime{
+		Time: t,
+	}
+}
+
+// TimeFormat provides a time formatted in the X-Amz-Date format.
+func (m *SigningTime) TimeFormat() string {
+	return m.format(&m.timeFormat, TimeFormat)
+}
+
+// ShortTimeFormat provides a time formatted of 20060102.
+func (m *SigningTime) ShortTimeFormat() string {
+	return m.format(&m.shortTimeFormat, ShortTimeFormat)
+}
+
+func (m *SigningTime) format(target *string, format string) string {
+	if len(*target) > 0 {
+		return *target
+	}
+	v := m.Time.Format(format)
+	*target = v
+	return v
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/v4/util.go

@@ -0,0 +1,64 @@
+package v4
+
+import (
+	"net/url"
+	"strings"
+)
+
+const doubleSpace = "  "
+
+// StripExcessSpaces will rewrite the passed in slice's string values to not
+// contain muliple side-by-side spaces.
+func StripExcessSpaces(str string) string {
+	var j, k, l, m, spaces int
+	// Trim trailing spaces
+	for j = len(str) - 1; j >= 0 && str[j] == ' '; j-- {
+	}
+
+	// Trim leading spaces
+	for k = 0; k < j && str[k] == ' '; k++ {
+	}
+	str = str[k : j+1]
+
+	// Strip multiple spaces.
+	j = strings.Index(str, doubleSpace)
+	if j < 0 {
+		return str
+	}
+
+	buf := []byte(str)
+	for k, m, l = j, j, len(buf); k < l; k++ {
+		if buf[k] == ' ' {
+			if spaces == 0 {
+				// First space.
+				buf[m] = buf[k]
+				m++
+			}
+			spaces++
+		} else {
+			// End of multiple spaces.
+			spaces = 0
+			buf[m] = buf[k]
+			m++
+		}
+	}
+
+	return string(buf[:m])
+}
+
+// GetURIPath returns the escaped URI component from the provided URL
+func GetURIPath(u *url.URL) string {
+	var uri string
+
+	if len(u.Opaque) > 0 {
+		uri = "/" + strings.Join(strings.Split(u.Opaque, "/")[3:], "/")
+	} else {
+		uri = u.EscapedPath()
+	}
+
+	if len(uri) == 0 {
+		uri = "/"
+	}
+
+	return uri
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/middleware.go

@@ -0,0 +1,105 @@
+package v4a
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
+	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	"github.com/aws/smithy-go/middleware"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
+)
+
+// HTTPSigner is SigV4a HTTP signer implementation
+type HTTPSigner interface {
+	SignHTTP(ctx context.Context, credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, optfns ...func(*SignerOptions)) error
+}
+
+// SignHTTPRequestMiddlewareOptions is the middleware options for constructing a SignHTTPRequestMiddleware.
+type SignHTTPRequestMiddlewareOptions struct {
+	Credentials CredentialsProvider
+	Signer      HTTPSigner
+	LogSigning  bool
+}
+
+// SignHTTPRequestMiddleware is a middleware for signing an HTTP request using SigV4a.
+type SignHTTPRequestMiddleware struct {
+	credentials CredentialsProvider
+	signer      HTTPSigner
+	logSigning  bool
+}
+
+// NewSignHTTPRequestMiddleware constructs a SignHTTPRequestMiddleware using the given SignHTTPRequestMiddlewareOptions.
+func NewSignHTTPRequestMiddleware(options SignHTTPRequestMiddlewareOptions) *SignHTTPRequestMiddleware {
+	return &SignHTTPRequestMiddleware{
+		credentials: options.Credentials,
+		signer:      options.Signer,
+		logSigning:  options.LogSigning,
+	}
+}
+
+// ID the middleware identifier.
+func (s *SignHTTPRequestMiddleware) ID() string {
+	return "Signing"
+}
+
+// HandleFinalize signs an HTTP request using SigV4a.
+func (s *SignHTTPRequestMiddleware) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
+) (
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
+) {
+	if !hasCredentialProvider(s.credentials) {
+		return next.HandleFinalize(ctx, in)
+	}
+
+	req, ok := in.Request.(*smithyhttp.Request)
+	if !ok {
+		return out, metadata, fmt.Errorf("unexpected request middleware type %T", in.Request)
+	}
+
+	signingName, signingRegion := awsmiddleware.GetSigningName(ctx), awsmiddleware.GetSigningRegion(ctx)
+	payloadHash := v4.GetPayloadHash(ctx)
+	if len(payloadHash) == 0 {
+		return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")}
+	}
+
+	credentials, err := s.credentials.RetrievePrivateKey(ctx)
+	if err != nil {
+		return out, metadata, &SigningError{Err: fmt.Errorf("failed to retrieve credentials: %w", err)}
+	}
+
+	err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, []string{signingRegion}, time.Now().UTC(), func(o *SignerOptions) {
+		o.Logger = middleware.GetLogger(ctx)
+		o.LogSigning = s.logSigning
+	})
+	if err != nil {
+		return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)}
+	}
+
+	return next.HandleFinalize(ctx, in)
+}
+
+func hasCredentialProvider(p CredentialsProvider) bool {
+	if p == nil {
+		return false
+	}
+
+	return true
+}
+
+// RegisterSigningMiddleware registers the SigV4a signing middleware to the stack. If a signing middleware is already
+// present, this provided middleware will be swapped. Otherwise the middleware will be added at the tail of the
+// finalize step.
+func RegisterSigningMiddleware(stack *middleware.Stack, signingMiddleware *SignHTTPRequestMiddleware) (err error) {
+	const signedID = "Signing"
+	_, present := stack.Finalize.Get(signedID)
+	if present {
+		_, err = stack.Finalize.Swap(signedID, signingMiddleware)
+	} else {
+		err = stack.Finalize.Add(signingMiddleware, middleware.After)
+	}
+	return err
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/presign_middleware.go

@@ -0,0 +1,117 @@
+package v4a
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
+	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	"github.com/aws/aws-sdk-go-v2/internal/sdk"
+	"github.com/aws/smithy-go/middleware"
+	smithyHTTP "github.com/aws/smithy-go/transport/http"
+)
+
+// HTTPPresigner is an interface to a SigV4a signer that can sign create a
+// presigned URL for a HTTP requests.
+type HTTPPresigner interface {
+	PresignHTTP(
+		ctx context.Context, credentials Credentials, r *http.Request,
+		payloadHash string, service string, regionSet []string, signingTime time.Time,
+		optFns ...func(*SignerOptions),
+	) (url string, signedHeader http.Header, err error)
+}
+
+// PresignHTTPRequestMiddlewareOptions is the options for the PresignHTTPRequestMiddleware middleware.
+type PresignHTTPRequestMiddlewareOptions struct {
+	CredentialsProvider CredentialsProvider
+	Presigner           HTTPPresigner
+	LogSigning          bool
+}
+
+// PresignHTTPRequestMiddleware provides the Finalize middleware for creating a
+// presigned URL for an HTTP request.
+//
+// Will short circuit the middleware stack and not forward onto the next
+// Finalize handler.
+type PresignHTTPRequestMiddleware struct {
+	credentialsProvider CredentialsProvider
+	presigner           HTTPPresigner
+	logSigning          bool
+}
+
+// NewPresignHTTPRequestMiddleware returns a new PresignHTTPRequestMiddleware
+// initialized with the presigner.
+func NewPresignHTTPRequestMiddleware(options PresignHTTPRequestMiddlewareOptions) *PresignHTTPRequestMiddleware {
+	return &PresignHTTPRequestMiddleware{
+		credentialsProvider: options.CredentialsProvider,
+		presigner:           options.Presigner,
+		logSigning:          options.LogSigning,
+	}
+}
+
+// ID provides the middleware ID.
+func (*PresignHTTPRequestMiddleware) ID() string { return "PresignHTTPRequest" }
+
+// HandleFinalize will take the provided input and create a presigned url for
+// the http request using the SigV4 presign authentication scheme.
+func (s *PresignHTTPRequestMiddleware) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
+) (
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
+) {
+	req, ok := in.Request.(*smithyHTTP.Request)
+	if !ok {
+		return out, metadata, &SigningError{
+			Err: fmt.Errorf("unexpected request middleware type %T", in.Request),
+		}
+	}
+
+	httpReq := req.Build(ctx)
+	if !hasCredentialProvider(s.credentialsProvider) {
+		out.Result = &v4.PresignedHTTPRequest{
+			URL:          httpReq.URL.String(),
+			Method:       httpReq.Method,
+			SignedHeader: http.Header{},
+		}
+
+		return out, metadata, nil
+	}
+
+	signingName := awsmiddleware.GetSigningName(ctx)
+	signingRegion := awsmiddleware.GetSigningRegion(ctx)
+	payloadHash := v4.GetPayloadHash(ctx)
+	if len(payloadHash) == 0 {
+		return out, metadata, &SigningError{
+			Err: fmt.Errorf("computed payload hash missing from context"),
+		}
+	}
+
+	credentials, err := s.credentialsProvider.RetrievePrivateKey(ctx)
+	if err != nil {
+		return out, metadata, &SigningError{
+			Err: fmt.Errorf("failed to retrieve credentials: %w", err),
+		}
+	}
+
+	u, h, err := s.presigner.PresignHTTP(ctx, credentials,
+		httpReq, payloadHash, signingName, []string{signingRegion}, sdk.NowTime(),
+		func(o *SignerOptions) {
+			o.Logger = middleware.GetLogger(ctx)
+			o.LogSigning = s.logSigning
+		})
+	if err != nil {
+		return out, metadata, &SigningError{
+			Err: fmt.Errorf("failed to sign http request, %w", err),
+		}
+	}
+
+	out.Result = &v4.PresignedHTTPRequest{
+		URL:          u,
+		Method:       httpReq.Method,
+		SignedHeader: h,
+	}
+
+	return out, metadata, nil
+}

vendor/github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/v4a.go

@@ -0,0 +1,514 @@
+// TODO(GOSDK-1220): This signer has removed the conceptual knowledge of UNSIGNED-PAYLOAD and X-Amz-Content-Sha256
+
+package v4a
+
+import (
+	"bytes"
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"hash"
+	"math/big"
+	"net/http"
+	"net/textproto"
+	"net/url"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	signerCrypto "github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/crypto"
+	v4Internal "github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/v4"
+	"github.com/aws/smithy-go/encoding/httpbinding"
+	"github.com/aws/smithy-go/logging"
+)
+
+const (
+	// AmzRegionSetKey represents the region set header used for sigv4a
+	AmzRegionSetKey     = "X-Amz-Region-Set"
+	amzAlgorithmKey     = v4Internal.AmzAlgorithmKey
+	amzSecurityTokenKey = v4Internal.AmzSecurityTokenKey
+	amzDateKey          = v4Internal.AmzDateKey
+	amzCredentialKey    = v4Internal.AmzCredentialKey
+	amzSignedHeadersKey = v4Internal.AmzSignedHeadersKey
+	authorizationHeader = "Authorization"
+
+	signingAlgorithm = "AWS4-ECDSA-P256-SHA256"
+
+	timeFormat      = "20060102T150405Z"
+	shortTimeFormat = "20060102"
+
+	// EmptyStringSHA256 is a hex encoded SHA-256 hash of an empty string
+	EmptyStringSHA256 = v4Internal.EmptyStringSHA256
+
+	// Version of signing v4a
+	Version = "SigV4A"
+)
+
+var (
+	p256          elliptic.Curve
+	nMinusTwoP256 *big.Int
+
+	one = new(big.Int).SetInt64(1)
+)
+
+func init() {
+	// Ensure the elliptic curve parameters are initialized on package import rather then on first usage
+	p256 = elliptic.P256()
+
+	nMinusTwoP256 = new(big.Int).SetBytes(p256.Params().N.Bytes())
+	nMinusTwoP256 = nMinusTwoP256.Sub(nMinusTwoP256, new(big.Int).SetInt64(2))
+}
+
+// SignerOptions is the SigV4a signing options for constructing a Signer.
+type SignerOptions struct {
+	Logger     logging.Logger
+	LogSigning bool
+
+	// Disables the Signer's moving HTTP header key/value pairs from the HTTP
+	// request header to the request's query string. This is most commonly used
+	// with pre-signed requests preventing headers from being added to the
+	// request's query string.
+	DisableHeaderHoisting bool
+
+	// Disables the automatic escaping of the URI path of the request for the
+	// siganture's canonical string's path. For services that do not need additional
+	// escaping then use this to disable the signer escaping the path.
+	//
+	// S3 is an example of a service that does not need additional escaping.
+	//
+	// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+	DisableURIPathEscaping bool
+}
+
+// Signer is a SigV4a HTTP signing implementation
+type Signer struct {
+	options SignerOptions
+}
+
+// NewSigner constructs a SigV4a Signer.
+func NewSigner(optFns ...func(*SignerOptions)) *Signer {
+	options := SignerOptions{}
+
+	for _, fn := range optFns {
+		fn(&options)
+	}
+
+	return &Signer{options: options}
+}
+
+// deriveKeyFromAccessKeyPair derives a NIST P-256 PrivateKey from the given
+// IAM AccessKey and SecretKey pair.
+//
+// Based on FIPS.186-4 Appendix B.4.2
+func deriveKeyFromAccessKeyPair(accessKey, secretKey string) (*ecdsa.PrivateKey, error) {
+	params := p256.Params()
+	bitLen := params.BitSize // Testing random candidates does not require an additional 64 bits
+	counter := 0x01
+
+	buffer := make([]byte, 1+len(accessKey)) // 1 byte counter + len(accessKey)
+	kdfContext := bytes.NewBuffer(buffer)
+
+	inputKey := append([]byte("AWS4A"), []byte(secretKey)...)
+
+	d := new(big.Int)
+	for {
+		kdfContext.Reset()
+		kdfContext.WriteString(accessKey)
+		kdfContext.WriteByte(byte(counter))
+
+		key, err := signerCrypto.HMACKeyDerivation(sha256.New, bitLen, inputKey, []byte(signingAlgorithm), kdfContext.Bytes())
+		if err != nil {
+			return nil, err
+		}
+
+		// Check key first before calling SetBytes if key key is in fact a valid candidate.
+		// This ensures the byte slice is the correct length (32-bytes) to compare in constant-time
+		cmp, err := signerCrypto.ConstantTimeByteCompare(key, nMinusTwoP256.Bytes())
+		if err != nil {
+			return nil, err
+		}
+		if cmp == -1 {
+			d.SetBytes(key)
+			break
+		}
+
+		counter++
+		if counter > 0xFF {
+			return nil, fmt.Errorf("exhausted single byte external counter")
+		}
+	}
+	d = d.Add(d, one)
+
+	priv := new(ecdsa.PrivateKey)
+	priv.PublicKey.Curve = p256
+	priv.D = d
+	priv.PublicKey.X, priv.PublicKey.Y = p256.ScalarBaseMult(d.Bytes())
+
+	return priv, nil
+}
+
+type httpSigner struct {
+	Request     *http.Request
+	ServiceName string
+	RegionSet   []string
+	Time        time.Time
+	Credentials Credentials
+	IsPreSign   bool
+
+	Logger logging.Logger
+	Debug  bool
+
+	// PayloadHash is the hex encoded SHA-256 hash of the request payload
+	// If len(PayloadHash) == 0 the signer will attempt to send the request
+	// as an unsigned payload. Note: Unsigned payloads only work for a subset of services.
+	PayloadHash string
+
+	DisableHeaderHoisting  bool
+	DisableURIPathEscaping bool
+}
+
+// SignHTTP takes the provided http.Request, payload hash, service, regionSet, and time and signs using SigV4a.
+// The passed in request will be modified in place.
+func (s *Signer) SignHTTP(ctx context.Context, credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, optFns ...func(*SignerOptions)) error {
+	options := s.options
+	for _, fn := range optFns {
+		fn(&options)
+	}
+
+	signer := &httpSigner{
+		Request:                r,
+		PayloadHash:            payloadHash,
+		ServiceName:            service,
+		RegionSet:              regionSet,
+		Credentials:            credentials,
+		Time:                   signingTime.UTC(),
+		DisableHeaderHoisting:  options.DisableHeaderHoisting,
+		DisableURIPathEscaping: options.DisableURIPathEscaping,
+	}
+
+	signedRequest, err := signer.Build()
+	if err != nil {
+		return err
+	}
+
+	logHTTPSigningInfo(ctx, options, signedRequest)
+
+	return nil
+}
+
+// PresignHTTP takes the provided http.Request, payload hash, service, regionSet, and time and presigns using SigV4a
+// Returns the presigned URL along with the headers that were signed with the request.
+//
+// PresignHTTP will not set the expires time of the presigned request
+// automatically. To specify the expire duration for a request add the
+// "X-Amz-Expires" query parameter on the request with the value as the
+// duration in seconds the presigned URL should be considered valid for. This
+// parameter is not used by all AWS services, and is most notable used by
+// Amazon S3 APIs.
+func (s *Signer) PresignHTTP(ctx context.Context, credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, optFns ...func(*SignerOptions)) (signedURI string, signedHeaders http.Header, err error) {
+	options := s.options
+	for _, fn := range optFns {
+		fn(&options)
+	}
+
+	signer := &httpSigner{
+		Request:                r,
+		PayloadHash:            payloadHash,
+		ServiceName:            service,
+		RegionSet:              regionSet,
+		Credentials:            credentials,
+		Time:                   signingTime.UTC(),
+		IsPreSign:              true,
+		DisableHeaderHoisting:  options.DisableHeaderHoisting,
+		DisableURIPathEscaping: options.DisableURIPathEscaping,
+	}
+
+	signedRequest, err := signer.Build()
+	if err != nil {
+		return "", nil, err
+	}
+
+	logHTTPSigningInfo(ctx, options, signedRequest)
+
+	signedHeaders = make(http.Header)
+
+	// For the signed headers we canonicalize the header keys in the returned map.
+	// This avoids situations where can standard library double headers like host header. For example the standard
+	// library will set the Host header, even if it is present in lower-case form.
+	for k, v := range signedRequest.SignedHeaders {
+		key := textproto.CanonicalMIMEHeaderKey(k)
+		signedHeaders[key] = append(signedHeaders[key], v...)
+	}
+
+	return signedRequest.Request.URL.String(), signedHeaders, nil
+}
+
+func (s *httpSigner) setRequiredSigningFields(headers http.Header, query url.Values) {
+	amzDate := s.Time.Format(timeFormat)
+
+	if s.IsPreSign {
+		query.Set(AmzRegionSetKey, strings.Join(s.RegionSet, ","))
+		query.Set(amzDateKey, amzDate)
+		query.Set(amzAlgorithmKey, signingAlgorithm)
+		if len(s.Credentials.SessionToken) > 0 {
+			query.Set(amzSecurityTokenKey, s.Credentials.SessionToken)
+		}
+		return
+	}
+
+	headers.Set(AmzRegionSetKey, strings.Join(s.RegionSet, ","))
+	headers.Set(amzDateKey, amzDate)
+	if len(s.Credentials.SessionToken) > 0 {
+		headers.Set(amzSecurityTokenKey, s.Credentials.SessionToken)
+	}
+}
+
+func (s *httpSigner) Build() (signedRequest, error) {
+	req := s.Request
+
+	query := req.URL.Query()
+	headers := req.Header
+
+	s.setRequiredSigningFields(headers, query)
+
+	// Sort Each Query Key's Values
+	for key := range query {
+		sort.Strings(query[key])
+	}
+
+	v4Internal.SanitizeHostForHeader(req)
+
+	credentialScope := s.buildCredentialScope()
+	credentialStr := s.Credentials.Context + "/" + credentialScope
+	if s.IsPreSign {
+		query.Set(amzCredentialKey, credentialStr)
+	}
+
+	unsignedHeaders := headers
+	if s.IsPreSign && !s.DisableHeaderHoisting {
+		urlValues := url.Values{}
+		urlValues, unsignedHeaders = buildQuery(v4Internal.AllowedQueryHoisting, unsignedHeaders)
+		for k := range urlValues {
+			query[k] = urlValues[k]
+		}
+	}
+
+	host := req.URL.Host
+	if len(req.Host) > 0 {
+		host = req.Host
+	}
+
+	signedHeaders, signedHeadersStr, canonicalHeaderStr := s.buildCanonicalHeaders(host, v4Internal.IgnoredHeaders, unsignedHeaders, s.Request.ContentLength)
+
+	if s.IsPreSign {
+		query.Set(amzSignedHeadersKey, signedHeadersStr)
+	}
+
+	rawQuery := strings.Replace(query.Encode(), "+", "%20", -1)
+
+	canonicalURI := v4Internal.GetURIPath(req.URL)
+	if !s.DisableURIPathEscaping {
+		canonicalURI = httpbinding.EscapePath(canonicalURI, false)
+	}
+
+	canonicalString := s.buildCanonicalString(
+		req.Method,
+		canonicalURI,
+		rawQuery,
+		signedHeadersStr,
+		canonicalHeaderStr,
+	)
+
+	strToSign := s.buildStringToSign(credentialScope, canonicalString)
+	signingSignature, err := s.buildSignature(strToSign)
+	if err != nil {
+		return signedRequest{}, err
+	}
+
+	if s.IsPreSign {
+		rawQuery += "&X-Amz-Signature=" + signingSignature
+	} else {
+		headers[authorizationHeader] = append(headers[authorizationHeader][:0], buildAuthorizationHeader(credentialStr, signedHeadersStr, signingSignature))
+	}
+
+	req.URL.RawQuery = rawQuery
+
+	return signedRequest{
+		Request:         req,
+		SignedHeaders:   signedHeaders,
+		CanonicalString: canonicalString,
+		StringToSign:    strToSign,
+		PreSigned:       s.IsPreSign,
+	}, nil
+}
+
+func buildAuthorizationHeader(credentialStr, signedHeadersStr, signingSignature string) string {
+	const credential = "Credential="
+	const signedHeaders = "SignedHeaders="
+	const signature = "Signature="
+	const commaSpace = ", "
+
+	var parts strings.Builder
+	parts.Grow(len(signingAlgorithm) + 1 +
+		len(credential) + len(credentialStr) + len(commaSpace) +
+		len(signedHeaders) + len(signedHeadersStr) + len(commaSpace) +
+		len(signature) + len(signingSignature),
+	)
+	parts.WriteString(signingAlgorithm)
+	parts.WriteRune(' ')
+	parts.WriteString(credential)
+	parts.WriteString(credentialStr)
+	parts.WriteString(commaSpace)
+	parts.WriteString(signedHeaders)
+	parts.WriteString(signedHeadersStr)
+	parts.WriteString(commaSpace)
+	parts.WriteString(signature)
+	parts.WriteString(signingSignature)
+	return parts.String()
+}
+
+func (s *httpSigner) buildCredentialScope() string {
+	return strings.Join([]string{
+		s.Time.Format(shortTimeFormat),
+		s.ServiceName,
+		"aws4_request",
+	}, "/")
+
+}
+
+func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header) {
+	query := url.Values{}
+	unsignedHeaders := http.Header{}
+	for k, h := range header {
+		if r.IsValid(k) {
+			query[k] = h
+		} else {
+			unsignedHeaders[k] = h
+		}
+	}
+
+	return query, unsignedHeaders
+}
+
+func (s *httpSigner) buildCanonicalHeaders(host string, rule v4Internal.Rule, header http.Header, length int64) (signed http.Header, signedHeaders, canonicalHeadersStr string) {
+	signed = make(http.Header)
+
+	var headers []string
+	const hostHeader = "host"
+	headers = append(headers, hostHeader)
+	signed[hostHeader] = append(signed[hostHeader], host)
+
+	if length > 0 {
+		const contentLengthHeader = "content-length"
+		headers = append(headers, contentLengthHeader)
+		signed[contentLengthHeader] = append(signed[contentLengthHeader], strconv.FormatInt(length, 10))
+	}
+
+	for k, v := range header {
+		if !rule.IsValid(k) {
+			continue // ignored header
+		}
+
+		lowerCaseKey := strings.ToLower(k)
+		if _, ok := signed[lowerCaseKey]; ok {
+			// include additional values
+			signed[lowerCaseKey] = append(signed[lowerCaseKey], v...)
+			continue
+		}
+
+		headers = append(headers, lowerCaseKey)
+		signed[lowerCaseKey] = v
+	}
+	sort.Strings(headers)
+
+	signedHeaders = strings.Join(headers, ";")
+
+	var canonicalHeaders strings.Builder
+	n := len(headers)
+	const colon = ':'
+	for i := 0; i < n; i++ {
+		if headers[i] == hostHeader {
+			canonicalHeaders.WriteString(hostHeader)
+			canonicalHeaders.WriteRune(colon)
+			canonicalHeaders.WriteString(v4Internal.StripExcessSpaces(host))
+		} else {
+			canonicalHeaders.WriteString(headers[i])
+			canonicalHeaders.WriteRune(colon)
+			canonicalHeaders.WriteString(strings.Join(signed[headers[i]], ","))
+		}
+		canonicalHeaders.WriteRune('\n')
+	}
+	canonicalHeadersStr = canonicalHeaders.String()
+
+	return signed, signedHeaders, canonicalHeadersStr
+}
+
+func (s *httpSigner) buildCanonicalString(method, uri, query, signedHeaders, canonicalHeaders string) string {
+	return strings.Join([]string{
+		method,
+		uri,
+		query,
+		canonicalHeaders,
+		signedHeaders,
+		s.PayloadHash,
+	}, "\n")
+}
+
+func (s *httpSigner) buildStringToSign(credentialScope, canonicalRequestString string) string {
+	return strings.Join([]string{
+		signingAlgorithm,
+		s.Time.Format(timeFormat),
+		credentialScope,
+		hex.EncodeToString(makeHash(sha256.New(), []byte(canonicalRequestString))),
+	}, "\n")
+}
+
+func makeHash(hash hash.Hash, b []byte) []byte {
+	hash.Reset()
+	hash.Write(b)
+	return hash.Sum(nil)
+}
+
+func (s *httpSigner) buildSignature(strToSign string) (string, error) {
+	sig, err := s.Credentials.PrivateKey.Sign(rand.Reader, makeHash(sha256.New(), []byte(strToSign)), crypto.SHA256)
+	if err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(sig), nil
+}
+
+const logSignInfoMsg = `Request Signature:
+---[ CANONICAL STRING  ]-----------------------------
+%s
+---[ STRING TO SIGN ]--------------------------------
+%s%s
+-----------------------------------------------------`
+const logSignedURLMsg = `
+---[ SIGNED URL ]------------------------------------
+%s`
+
+func logHTTPSigningInfo(ctx context.Context, options SignerOptions, r signedRequest) {
+	if !options.LogSigning {
+		return
+	}
+	signedURLMsg := ""
+	if r.PreSigned {
+		signedURLMsg = fmt.Sprintf(logSignedURLMsg, r.Request.URL.String())
+	}
+	logger := logging.WithContext(ctx, options.Logger)
+	logger.Logf(logging.Debug, logSignInfoMsg, r.CanonicalString, r.StringToSign, signedURLMsg)
+}
+
+type signedRequest struct {
+	Request         *http.Request
+	SignedHeaders   http.Header
+	CanonicalString string
+	StringToSign    string
+	PreSigned       bool
+}