Description
Describe the bug
When using AWS SDK, requests fail with a signature mismatch if one of the query parameters is an array with 10 or more elements.
Error message:
The request signature we calculated does not match the signature you provided.
Expected Behavior
Query parameters should be sorted after URL encoding so that the canonical query string matches the AWS signing requirements.
For indexed parameters, param[10] should appear after param[1], not between param[9] and param[2].
Correct sorting order should be:
param[0]
param[1]
param[10]
param[2]
...
param[9]
Current Behavior
Currently, the SDK applies ksort() before encoding parameters, which results in lexicographical misordering.
This causes incorrect canonical strings and signature mismatches when the request contains 10+ numeric indexes.
Example of incorrect behavior:
Request URL:
Current (incorrect) sorting result:
array(11) {
["param[0]"] => "1111"
["param[10]"] => "1111"
["param[1]"] => "1111"
["param[2]"] => "1111"
["param[3]"] => "1111"
["param[4]"] => "1111"
["param[5]"] => "1111"
["param[6]"] => "1111"
["param[7]"] => "1111"
["param[8]"] => "1111"
["param[9]"] => "1111"
}
Expected (correct) sorting result:
array(11) {
["param[0]"] => "1111"
["param[1]"] => "1111"
["param[10]"] => "1111"
["param[2]"] => "1111"
["param[3]"] => "1111"
["param[4]"] => "1111"
["param[5]"] => "1111"
["param[6]"] => "1111"
["param[7]"] => "1111"
["param[8]"] => "1111"
["param[9]"] => "1111"
}
Reproduction Steps
Create a signed request using Aws\Signature\SignatureV4 with query parameters containing numeric indexes (0–10).
Observe that the generated canonical string places param[10] before param[2].
Attempt to execute the request — AWS returns SignatureDoesNotMatch.
Possible Solution
#3201
Additional Information/Context
Related issue: #3132
Verified in PHP 8.2 and PHP 8.3 environments.
Reproducible both locally and in Lambda environments.
Issue confirmed in Aws\Signature\SignatureV4::createCanonicalQueryString().
SDK version used
3.359.0
Environment details (Version of PHP (php -v)? OS name and version, etc.)
8.3
Our fix in async aws: async-aws/aws#1938
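The two orderings described in this report, side by side, as an added example that is not part of the original issue or the SDK's code. The function names `sortThenEncode` and `encodeThenSort` are hypothetical, and the parameters are constructed sample input matching the report's `param[0]` to `param[10]` case.

```php
<?php
declare(strict_types=1);

// Constructed sample input: eleven indexed parameters, as in the report.
$query = [];
for ($i = 0; $i <= 10; $i++) {
    $query["param[$i]"] = '1111';
}

// Ordering the report describes as current: ksort() on raw keys, then encode.
function sortThenEncode(array $query): array
{
    ksort($query);
    $pairs = [];
    foreach ($query as $name => $value) {
        $pairs[] = rawurlencode((string) $name) . '=' . rawurlencode((string) $value);
    }
    return $pairs;
}

// Ordering the report expects: encode first, then sort the encoded names by
// byte value (strcmp), with the encoded value as tie-breaker.
function encodeThenSort(array $query): array
{
    $encoded = [];
    foreach ($query as $name => $value) {
        $encoded[] = [rawurlencode((string) $name), rawurlencode((string) $value)];
    }
    usort($encoded, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    return array_map(fn($p) => $p[0] . '=' . $p[1], $encoded);
}

$before = sortThenEncode($query);
$after  = encodeThenSort($query);

// Report the first position where the two canonical orders diverge. Any
// divergence means client and service hash different canonical strings.
foreach ($after as $i => $pair) {
    if ($before[$i] !== $pair) {
        printf("first difference at index %d: %s vs %s\n", $i, $before[$i], $pair);
        break;
    }
}
echo "sort-then-encode: ", implode('&', $before), "\n";
echo "encode-then-sort: ", implode('&', $after), "\n";
```

The orders differ because `]` sorts after `0` in the raw key, while its encoded form `%5D` begins with `%`, which sorts before `0`.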