fix(sns-message-manager): Signature validation fails for messages with a whole-second timestamp (.000 ms)

[henricook]

Motivation and Context

Fixes #7010.

SignatureValidator builds the string-to-sign with Instant#toString(), which drops the fractional second when it is zero. SNS signs the literal wire value (...:ss.000Z), so any message whose timestamp lands on a whole second fails verification (~1 in 1000). This dropped ~0.1% of our SES events delivered over SNS and wasn't an issue present in the v1 message manager.

Modifications

Format the canonical timestamp with fixed millisecond precision (yyyy-MM-dd'T'HH:mm:ss.SSS'Z', Locale.ROOT) instead of Instant#toString(), in all three message types.

Testing

Added a regression test that signs a .000Z notification the way SNS does: it fails on the current code and passes with the fix.

Screenshots (if appropriate)

N/A

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

Checklist

• I have read the CONTRIBUTING document
• Local run of mvn install succeeds
• My code follows the code style of this project
• My change requires a change to the Javadoc documentation
• I have updated the Javadoc documentation accordingly
• I have added tests to cover my changes
• All new and existing tests passed
• I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
• My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

• I confirm that this pull request can be released under the Apache 2 license