I see two issues that both expose you to some kind of length extension attacks. @mdietz can tell you more :)

• No delimiter between the components that comprise the canonical string
• SHA256 instead of HMAC-SHA256

Lots of people get this wrong, but we should fix at some point.

I think a good example is AWS signature generation:

http://docs.amazonwebservices.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html#example-signature-calculation