Add SHA-512 auto checksum calculation for S3 (#3422)

* Add SHA-512 to S3 supported checksums

* Add SHA-512 checksum calculation for S3

* add changelog

* Add regular s3 to the changelog

Author: Madrigal

.changelog/5a03c63707e44718aa1bd8f6ad18ac2b.json

@@ -0,0 +1,9 @@
+{
+    "id": "5a03c637-07e4-4718-aa1b-d8f6ad18ac2b",
+    "type": "feature",
+    "description": "Add SHA-512 support for s3 operations",
+    "modules": [
+        "feature/s3/transfermanager",
+        "service/s3"
+    ]
+}

feature/s3/transfermanager/api_op_UploadObject.go

@@ -205,6 +205,14 @@ type UploadObjectInput struct {
 	// [Checking object integrity]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
 	ChecksumSHA256 *string
 
+	// This header can be used as a data integrity check to verify that the data
+	// received is the same data that was originally sent. This header specifies the
+	// Base64 encoded, 512-bit SHA512 digest of the object. For more information, see [Checking object integrity]
+	// in the Amazon S3 User Guide.
+	//
+	// [Checking object integrity]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
+	ChecksumSHA512 *string
+
 	// Size of the body in bytes. This parameter is useful when the size of the body
 	// cannot be determined automatically. For more information, see [https://www.rfc-editor.org/rfc/rfc9110.html#name-content-length].
 	//
@@ -475,6 +483,7 @@ func (i UploadObjectInput) mapSingleUploadInput(body io.Reader, checksumAlgorith
 		ChecksumCRC64NVME:         i.ChecksumCRC64NVME,
 		ChecksumSHA1:              i.ChecksumSHA1,
 		ChecksumSHA256:            i.ChecksumSHA256,
+		ChecksumSHA512:            i.ChecksumSHA512,
 		ContentDisposition:        i.ContentDisposition,
 		ContentEncoding:           i.ContentEncoding,
 		ContentLanguage:           i.ContentLanguage,
@@ -561,6 +570,7 @@ func (i UploadObjectInput) mapCompleteMultipartUploadInput(uploadID *string, com
 		ChecksumCRC64NVME:    i.ChecksumCRC64NVME,
 		ChecksumSHA1:         i.ChecksumSHA1,
 		ChecksumSHA256:       i.ChecksumSHA256,
+		ChecksumSHA512:       i.ChecksumSHA512,
 		ExpectedBucketOwner:  i.ExpectedBucketOwner,
 		IfMatch:              i.IfMatch,
 		IfNoneMatch:          i.IfNoneMatch,
@@ -640,6 +650,9 @@ type UploadObjectOutput struct {
 	// The base64-encoded, 256-bit SHA-256 digest of the object.
 	ChecksumSHA256 *string
 
+	// The base64-encoded, 512-bit SHA-512 digest of the object.
+	ChecksumSHA512 *string
+
 	// This header specifies the checksum type of the object, which determines how
 	// part-level checksums are combined to create an object-level checksum for
 	// multipart objects. For PutObject uploads, the checksum type is always
@@ -735,6 +748,7 @@ func (o *UploadObjectOutput) mapFromPutObjectOutput(out *s3.PutObjectOutput, buc
 	o.ChecksumCRC64NVME = out.ChecksumCRC64NVME
 	o.ChecksumSHA1 = out.ChecksumSHA1
 	o.ChecksumSHA256 = out.ChecksumSHA256
+	o.ChecksumSHA512 = out.ChecksumSHA512
 	o.ChecksumType = types.ChecksumType(out.ChecksumType)
 	o.ContentLength = aws.Int64(contentLength)
 	o.ETag = out.ETag
@@ -761,6 +775,7 @@ func (o *UploadObjectOutput) mapFromCompleteMultipartUploadOutput(out *s3.Comple
 	o.ChecksumCRC64NVME = out.ChecksumCRC64NVME
 	o.ChecksumSHA1 = out.ChecksumSHA1
 	o.ChecksumSHA256 = out.ChecksumSHA256
+	o.ChecksumSHA512 = out.ChecksumSHA512
 	o.ChecksumType = types.ChecksumType(out.ChecksumType)
 	o.ContentLength = aws.Int64(contentLength)
 	o.ETag = out.ETag

feature/s3/transfermanager/mapping_reference_test.go

@@ -66,6 +66,7 @@ const mappingReferenceJSON = `
                 "ChecksumCRC64NVME",
                 "ChecksumSHA1",
                 "ChecksumSHA256",
+                "ChecksumSHA512",
                 "ContentDisposition",
                 "ContentEncoding",
                 "ContentLanguage",
@@ -104,6 +105,7 @@ const mappingReferenceJSON = `
                 "ChecksumCRC64NVME",
                 "ChecksumSHA1",
                 "ChecksumSHA256",
+                "ChecksumSHA512",
                 "ChecksumType",
                 "ETag",
                 "Expiration",
@@ -197,6 +199,7 @@ const mappingReferenceJSON = `
                 "ChecksumCRC64NVME",
                 "ChecksumSHA1",
                 "ChecksumSHA256",
+                "ChecksumSHA512",
                 "ContentDisposition",
                 "ContentEncoding",
                 "ContentLanguage",
@@ -274,6 +277,7 @@ const mappingReferenceJSON = `
                 "ChecksumCRC64NVME",
                 "ChecksumSHA1",
                 "ChecksumSHA256",
+                "ChecksumSHA512",
                 "ExpectedBucketOwner",
                 "IfMatch",
                 "IfNoneMatch",
@@ -299,6 +303,7 @@ const mappingReferenceJSON = `
                 "ChecksumCRC64NVME",
                 "ChecksumSHA1",
                 "ChecksumSHA256",
+                "ChecksumSHA512",
                 "ChecksumType",
                 "ETag",
                 "Expiration",
@@ -318,6 +323,7 @@ const mappingReferenceJSON = `
                 "ChecksumCRC64NVME",
                 "ChecksumSHA1",
                 "ChecksumSHA256",
+                "ChecksumSHA512",
                 "ChecksumType",
                 "ETag",
                 "Expiration",

feature/s3/transfermanager/types/types.go

@@ -144,6 +144,7 @@ const (
 	ChecksumAlgorithmCrc32c                   = "CRC32C"
 	ChecksumAlgorithmSha1                     = "SHA1"
 	ChecksumAlgorithmSha256                   = "SHA256"
+	ChecksumAlgorithmSha512                   = "SHA512"
 )
 
 // ObjectCannedACL defines the canned ACL to apply to the object, see [Canned ACL] in the
@@ -287,6 +288,17 @@ type CompletedPart struct {
 	// [Checking object integrity]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html#large-object-checksums
 	ChecksumSHA256 *string
 
+	// The base64-encoded, 512-bit SHA-512 digest of the object. This will only be
+	// present if it was uploaded with the object. When you use an API operation on an
+	// object that was uploaded using multipart uploads, this value may not be a direct
+	// checksum value of the full object. Instead, it's a calculation based on the
+	// checksum values of each individual part. For more information about how
+	// checksums are calculated with multipart uploads, see [Checking object integrity]in the Amazon S3 User
+	// Guide.
+	//
+	// [Checking object integrity]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html#large-object-checksums
+	ChecksumSHA512 *string
+
 	// Entity tag returned when the part was uploaded.
 	ETag *string
 
@@ -312,6 +324,7 @@ func (cp CompletedPart) MapCompletedPart() types.CompletedPart {
 		ChecksumCRC32C: cp.ChecksumCRC32C,
 		ChecksumSHA1:   cp.ChecksumSHA1,
 		ChecksumSHA256: cp.ChecksumSHA256,
+		ChecksumSHA512: cp.ChecksumSHA512,
 		ETag:           cp.ETag,
 		PartNumber:     cp.PartNumber,
 	}
@@ -323,6 +336,7 @@ func (cp *CompletedPart) MapFrom(resp *s3.UploadPartOutput, partNum *int32) {
 	cp.ChecksumCRC32C = resp.ChecksumCRC32C
 	cp.ChecksumSHA1 = resp.ChecksumSHA1
 	cp.ChecksumSHA256 = resp.ChecksumSHA256
+	cp.ChecksumSHA512 = resp.ChecksumSHA512
 	cp.ETag = resp.ETag
 	cp.PartNumber = partNum
 }

service/internal/checksum/algorithms.go

@@ -4,6 +4,7 @@ import (
 	"crypto/md5"
 	"crypto/sha1"
 	"crypto/sha256"
+	"crypto/sha512"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
@@ -34,6 +35,9 @@ const (
 
 	// AlgorithmCRC64NVME represents CRC64NVME hash algorithm
 	AlgorithmCRC64NVME Algorithm = "CRC64NVME"
+
+	// AlgorithmSHA512 represents SHA512 hash algorithm
+	AlgorithmSHA512 Algorithm = "SHA512"
 )
 
 // inverted NVME polynomial as required by crc64.MakeTable
@@ -45,6 +49,7 @@ var supportedAlgorithms = []Algorithm{
 	AlgorithmSHA1,
 	AlgorithmSHA256,
 	AlgorithmCRC64NVME,
+	AlgorithmSHA512,
 }
 
 func (a Algorithm) String() string { return string(a) }
@@ -99,6 +104,8 @@ func NewAlgorithmHash(v Algorithm) (hash.Hash, error) {
 		return crc32.New(crc32.MakeTable(crc32.Castagnoli)), nil
 	case AlgorithmCRC64NVME:
 		return crc64.New(crc64.MakeTable(crc64NVME)), nil
+	case AlgorithmSHA512:
+		return sha512.New(), nil
 	default:
 		return nil, fmt.Errorf("unknown checksum algorithm, %v", v)
 	}
@@ -118,6 +125,8 @@ func AlgorithmChecksumLength(v Algorithm) (int, error) {
 		return crc32.Size, nil
 	case AlgorithmCRC64NVME:
 		return crc64.Size, nil
+	case AlgorithmSHA512:
+		return sha512.Size, nil
 	default:
 		return 0, fmt.Errorf("unknown checksum algorithm, %v", v)
 	}

service/internal/checksum/algorithms_test.go

@@ -6,6 +6,7 @@ import (
 	"bytes"
 	"crypto/sha1"
 	"crypto/sha256"
+	"crypto/sha512"
 	"encoding/base64"
 	"fmt"
 	"hash/crc32"
@@ -75,6 +76,13 @@ func TestComputeChecksumReader(t *testing.T) {
 			ExpectRead:        "hello world",
 			ExpectChecksum:    "jSnVw/bqjr4=",
 		},
+		"sha512": {
+			Input:             strings.NewReader("hello world"),
+			Algorithm:         AlgorithmSHA512,
+			ExpectChecksumLen: base64.StdEncoding.EncodedLen(sha512.Size),
+			ExpectRead:        "hello world",
+			ExpectChecksum:    "MJ7MSJwS1utMxA9QyQLytNDtd+5RGnx6m808qG1M2G+YndNbxf9JlnDaNCVbRbDP2DDoH2Bdz33FVC6TrpzXbw==",
+		},
 	}
 
 	for name, c := range cases {
@@ -326,6 +334,14 @@ func TestParseAlgorithm(t *testing.T) {
 			Value:           "SHA256",
 			expectAlgorithm: AlgorithmSHA256,
 		},
+		"sha512": {
+			Value:           "sha512",
+			expectAlgorithm: AlgorithmSHA512,
+		},
+		"SHA512": {
+			Value:           "SHA512",
+			expectAlgorithm: AlgorithmSHA512,
+		},
 		"empty": {
 			Value:     "",
 			expectErr: "unknown checksum algorithm",
@@ -453,6 +469,10 @@ func TestAlgorithmChecksumLength(t *testing.T) {
 			algorithm:    AlgorithmCRC64NVME,
 			expectLength: crc64.Size,
 		},
+		"sha512": {
+			algorithm:    AlgorithmSHA512,
+			expectLength: sha512.Size,
+		},
 	}
 
 	for name, c := range cases {