Class AwsSigV4Signer

java.lang.Object
org.mockserver.llm.client.AwsSigV4Signer

public final class AwsSigV4Signer extends Object
Stateless, deterministic implementation of AWS Signature Version 4 (header-based signing via the Authorization header) using only JDK crypto primitives: MessageDigest (SHA-256) and Mac / SecretKeySpec (HmacSHA256). No third-party dependencies.

The implementation follows the canonical algorithm documented at AWS Signature Version 4 Signing Process and is verifiable offline against AWS's published SigV4 test suite vectors.
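
The signing steps referred to above, as an added example that is not MockServer's own code: it uses the same JDK primitives and checks the result against the get-vanilla case from AWS's published SigV4 test suite. The class name SigV4Walkthrough and its helper methods are hypothetical, and only host and x-amz-date are signed, as in that test case.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical walkthrough class; not part of org.mockserver.
public class SigV4Walkthrough {
    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static String sha256Hex(byte[] data) throws Exception {
        return hex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    // Hex signature for a request whose signed headers are host and x-amz-date.
    static String signature(String method, String host, String uri, String query, byte[] payload,
                            String region, String service, String secret, String amzDate) throws Exception {
        String date = amzDate.substring(0, 8);
        // 1. Canonical request: method, path, query, headers, signed-header list, payload hash.
        String canonicalRequest = method + "\n" + uri + "\n" + query + "\n"
                + "host:" + host + "\n" + "x-amz-date:" + amzDate + "\n\n"
                + "host;x-amz-date\n" + sha256Hex(payload);
        // 2. String to sign binds the request hash to the credential scope.
        String scope = date + "/" + region + "/" + service + "/aws4_request";
        String stringToSign = "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n"
                + sha256Hex(canonicalRequest.getBytes(StandardCharsets.UTF_8));
        // 3. Signing key: HMAC chain over date, region, service and the fixed terminator.
        byte[] kDate = hmac(("AWS4" + secret).getBytes(StandardCharsets.UTF_8), date);
        byte[] kSigning = hmac(hmac(hmac(kDate, region), service), "aws4_request");
        return hex(hmac(kSigning, stringToSign));
    }

    public static void main(String[] args) throws Exception {
        // Inputs and expected signature of AWS's "get-vanilla" test vector (example key, not a real secret).
        String sig = signature("GET", "example.amazonaws.com", "/", "", new byte[0],
                "us-east-1", "service", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "20150830T123600Z");
        String expected = "5fa00fa31553b73ebf1942676e86291e8372ff2a2260956d9b8aae1d763fbf31";
        System.out.println(sig + (sig.equals(expected) ? " matches" : " differs from") + " the published vector");
    }
}
```

Because the signing key is scoped to one date, region and service, a signature computed for one scope does not validate in another.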

  • Method Details

    • sign

      public static Map<String,String> sign(String method, String host, String canonicalUri, String canonicalQueryString, byte[] payload, String region, String service, String accessKeyId, String secretAccessKey, String sessionToken, Instant timestamp, Map<String,String> extraHeadersToSign)
      Compute the AWS SigV4 headers for a request. Returns a map of headers to ADD to the request: Authorization, X-Amz-Date, X-Amz-Content-Sha256, and (when sessionToken is non-null) X-Amz-Security-Token.
      Parameters:
      method - HTTP method (e.g. "POST")
      host - host header value (e.g. "bedrock-runtime.us-east-1.amazonaws.com")
      canonicalUri - the URI path, with each segment percent-encoded per SigV4 rules
      canonicalQueryString - the query string (already sorted; empty string if none)
      payload - the request body bytes (the real body, not UNSIGNED-PAYLOAD)
      region - AWS region (e.g. "us-east-1")
      service - AWS service (e.g. "bedrock")
      accessKeyId - AWS access key ID
      secretAccessKey - AWS secret access key
      sessionToken - AWS session token (nullable; from STS assume-role)
      timestamp - the signing timestamp (deterministic input for testability)
      extraHeadersToSign - additional headers to include in the signature (e.g. content-type); nullable. Values must match what will be sent on the wire.
      Returns:
      unmodifiable map of headers to add to the request