sigv4_canonical

Canonical-request helpers shared by SigV4 and SigV4a.

Both algorithms compute the same canonical headers block, the same signed-headers line, the same canonical query string, and the same canonical URI (with RFC 3986 dot-segment removal when requested). The algorithm-specific differences live entirely in sigv4.gleam / sigv4a.gleam:

the algorithm string (AWS4-HMAC-SHA256 vs AWS4-ECDSA-P256-SHA256)
the credential scope (region-bound vs region-less)
the per-algorithm header set (X-Amz-Region-Set vs none)
the signing key derivation (HMAC chain vs HMAC-DRBG to an EC scalar)
the signature step (HMAC-SHA256 vs ECDSA P-256)

The functions in this module are pure — no IO, no clock — and take List(Header) / String arguments so callers can compose them with their own pre-/post-processing.

Values

build_canonical_uri

</>

pub fn build_canonical_uri(
  path: String,
  normalize: Bool,
) -> String

Compose RFC 3986 dot-segment removal (when requested) with percent encoding. S3 callers want normalize: False so object keys with . / .. survive; every other AWS service wants True.

canonical_headers

</>

pub fn canonical_headers(
  headers: List(http_request.Header),
) -> String

Build the canonical headers block: lowercase names, trim + collapse internal runs of ASCII whitespace in values, group duplicate header names with comma-joined values, sort by name, emit one name:value\n line each.

canonical_query_string

</>

pub fn canonical_query_string(query: String) -> String

Canonical query string: split on &, URI-encode names + values, sort first by name then by value. Empty input → empty output.

encode_path

</>

pub fn encode_path(path: String) -> String

Percent-encode each path segment — the URI representation used in the canonical request line.

signed_headers

</>

pub fn signed_headers(
  headers: List(http_request.Header),
) -> String

Semicolon-joined, sorted, lowercased header names — the SignedHeaders= value on the Authorization line.