Signature Calculations for the Authorization Header: Transferring Payload in a Single Chunk (AWS Signature Version 4)

When you use the Authorization header to authenticate requests, the header value includes, among other things, a signature. The signature calculation varies depending on how you choose to transfer the payload (see Overview). This section explains signature calculations when you choose to transfer the payload in a single chunk. The examples section (see Examples: Signature Calculations) shows signature calculations and the resulting Authorization headers that you can use as a test suite to verify your code.

Important

When transferring the payload in a single chunk, you can optionally include the payload hash in the signature calculation, referred to as a signed payload (if you don't include it, the payload is considered unsigned). The signing procedure discussed in the following sections applies to both, but note the following differences:

  • Signed payload option – You include the payload hash when constructing the canonical request (it then becomes part of the StringToSign, as explained in the signature calculation section). You also specify the same value as the x-amz-content-sha256 header value when sending the request to Amazon S3.
  • Unsigned payload option – You include the literal string UNSIGNED-PAYLOAD when constructing the canonical request, and set the same value as the x-amz-content-sha256 header value when sending the request to Amazon S3.

When you send your request to Amazon S3, the x-amz-content-sha256 header value tells Amazon S3 whether the payload is signed. Amazon S3 then computes the signature accordingly for verification. Note that with an unsigned payload the signature still covers the request line and the signed headers but not the body, so the body can be altered in transit without invalidating the signature; prefer a signed payload unless the transport (TLS) already gives you the integrity you need.

Calculating a Signature

To calculate a signature, you first need a string to sign. You then calculate an HMAC-SHA256 of the string to sign using a signing key. The following sections describe this process, including the components of the string that you create for signing.
When Amazon S3 receives an authenticated request, it computes the signature and then compares it with the signature that you provided in the request. For that reason, you must compute the signature using the same method that Amazon S3 uses. The process of putting a request in an agreed-upon form for signing is called canonicalization.

The following table describes the functions used in these calculations. You need to implement code for these functions.

Function         Description
Lowercase()      Convert the string to lowercase.
Hex()            Lowercase base 16 encoding.
SHA256Hash()     Secure Hash Algorithm (SHA) cryptographic hash function.
HMAC-SHA256()    Computes HMAC by using the SHA256 algorithm with the signing key provided. This is the final signature.
Trim()           Remove any leading or trailing whitespace.
UriEncode()      URI encode every byte. UriEncode() must enforce the following rules:

  • URI encode every byte except the unreserved characters: 'A'-'Z', 'a'-'z', '0'-'9', '-', '.', '_', and '~'. For non-ASCII characters, each byte of the UTF-8 encoding is encoded separately.
  • The space character is a reserved character and must be encoded as "%20" (and not as "+").
  • Each URI encoded byte is formed by a '%' and the two-digit hexadecimal value of the byte.
  • Letters in the hexadecimal value must be uppercase, for example "%1A".
  • Encode the forward slash character, '/', everywhere except in the object key name. For example, if the object key name is photos/Jan/sample.jpg, the forward slash in the key name is not encoded.

Important

The standard UriEncode functions provided by your development platform may not work because of differences in implementation and related ambiguity in the underlying RFCs (for example, some encode a space as "+", some emit lowercase hex digits, and some leave characters such as '$' or '+' untouched). We recommend that you write your own custom UriEncode function to ensure that your encoding will work. To see an example of a UriEncode function in Java, see Java Utilities on the GitHub website.

Task 1: Create a Canonical Request

This section provides an overview of creating a canonical request.
The following is the canonical request format that Amazon S3 uses to calculate a signature. For signatures to match, you must create a canonical request in this format:

<HTTPMethod>\n
<CanonicalURI>\n
<CanonicalQueryString>\n
<CanonicalHeaders>\n
<SignedHeaders>\n
<HashedPayload>

Where :

  • HTTPMethod is one of the HTTP methods, for example GET, PUT, HEAD, and DELETE.
  • CanonicalURI is the URI-encoded version of the absolute path component of the URI: everything starting with the "/" that follows the domain name and up to the end of the string or to the question mark character ('?') if you have query string parameters. The URI in the following example, /examplebucket/myphoto.jpg, is the absolute path and you don't encode the "/" in the absolute path:

    http://s3.amazonaws.com/examplebucket/myphoto.jpg

    Note

    You do not normalize URI paths for requests to Amazon S3. For example, you may have a bucket with an object named "my-object//example//photo.user". Normalizing the path changes the object name in the request to "my-object/example/photo.user". This is an incorrect path for that object.

  • CanonicalQueryString specifies the URI-encoded query string parameters. You URI-encode names and values individually. You must also sort the parameters in the canonical query string alphabetically by key name. The sorting occurs after encoding. The query string in the following URI example is prefix=somePrefix&marker=someMarker&max-keys=20:

    http://s3.amazonaws.com/examplebucket?prefix=somePrefix&marker=someMarker&max-keys=20

    The canonical query string is as follows (line breaks are added to this example for readability):

    UriEncode("marker")+"="+UriEncode("someMarker")+"&"+
    UriEncode("max-keys")+"="+UriEncode("20") + "&" +
    UriEncode("prefix")+"="+UriEncode("somePrefix")

    When a request targets a subresource, the corresponding query parameter value will be an empty string (""). For example, the following URI identifies the ACL subresource on the examplebucket bucket:

    http://s3.amazonaws.com/examplebucket?acl 

    The CanonicalQueryString in this case is as follows :

    UriEncode("acl") + "=" + ""

    If the URI does not include a '?', there is no query string in the request, and you set the canonical query string to an empty string (""). You will still need to include the "\n".

  • CanonicalHeaders is a list of request headers with their values. Individual header name and value pairs are separated by the newline character ("\n"). Header names must be in lowercase. You must sort the header names alphabetically to construct the string, as shown in the following example:

    Lowercase(<HeaderName1>)+":"+Trim(<value>)+"\n"
    Lowercase(<HeaderName2>)+":"+Trim(<value>)+"\n"
    ...
    Lowercase(<HeaderNameN>)+":"+Trim(<value>)+"\n"

    The Lowercase() and Trim() functions used in this example are described in the preceding section.
    The CanonicalHeaders list must include the following:

    • HTTP host header.
    • If the Content-Type header is present in the request, you must add it to the CanonicalHeaders list.
    • Any x-amz-* headers that you plan to include in your request must also be added. For example, if you are using temporary security credentials, you need to include x-amz-security-token in your request. You must add this header to the list of CanonicalHeaders.

    Note

    The x-amz-content-sha256 header is required for all AWS Signature Version 4 requests. It provides a hash of the request payload. If there is no payload, you must provide the hash of an empty string. The following is an example CanonicalHeaders string. The header names are in lowercase and sorted.

    host:s3.amazonaws.com
    x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    x-amz-date:20130708T220855Z

    Note

    For the purpose of calculating an authorization signature, only the host and any x-amz-* headers are required; however, in order to prevent data tampering, you should consider including all the headers in the signature calculation. Any header you leave out of the signed set can be changed between you and Amazon S3 without invalidating the signature.

  • SignedHeaders is an alphabetically sorted, semicolon-separated list of lowercase request header names. The request headers in the list are the same headers that you included in the CanonicalHeaders string. For example, for the previous example, the value of SignedHeaders would be as follows:

    host;x-amz-content-sha256;x-amz-date
  • HashedPayload is the hexadecimal value of the SHA256 hash of the request payload.

    Hex(SHA256Hash(<payload>))

    If there is no payload in the request, you compute a hash of the empty string as follows:

    Hex(SHA256Hash(""))

    The hash returns the following value:

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    For example, when you upload an object by using a PUT request, you provide object data in the body. When you retrieve an object by using a GET request, you compute the empty string hash.

Task 2: Create a String to Sign

This section provides an overview of creating a string to sign. For step-by-step instructions, see Task 2: Create a String to Sign in the AWS General Reference.
The string to sign is a concatenation of the following strings:

"AWS4-HMAC-SHA256" + "\n" +
timeStampISO8601Format + "\n" +
<Scope> + "\n" +
Hex(SHA256Hash(<CanonicalRequest>))

The constant string AWS4-HMAC-SHA256 specifies the hash algorithm that you are using, HMAC-SHA256. The timeStamp is the current UTC time in ISO 8601 format (for example, 20130524T000000Z).
Scope binds the resulting signature to a specific date, an AWS Region, and a service. Thus, your resulting signature will work only in the specific Region and for a specific service. The signature is valid for seven days after the specified date.

date.Format(<YYYYMMDD>) + "/" + <aws-region> + "/" + <aws-service> + "/aws4_request"

For Amazon S3, the service string is s3. For a list of Region strings, see Regions and Endpoints in the AWS General Reference. The Region column in that table provides the list of valid Region strings.
The following scope restricts the resulting signature to the us-east-1 Region and Amazon S3.

20130606/us-east-1/s3/aws4_request

Note

Scope must use the same date that you use to compute the signing key, as discussed in the following section.

Task 3: Calculate Signature

In AWS Signature Version 4, instead of using your AWS access keys to sign a request directly, you first create a signing key that is scoped to a specific Region and service. For more information about signing keys, see Introduction to Signing Requests.

DateKey              = HMAC-SHA256("AWS4"+"<SecretAccessKey>", "<yyyymmdd>")
DateRegionKey        = HMAC-SHA256(<DateKey>, "<aws-region>")
DateRegionServiceKey = HMAC-SHA256(<DateRegionKey>, "<aws-service>")
SigningKey           = HMAC-SHA256(<DateRegionServiceKey>, "aws4_request")

Note

Some use cases can use signing keys for up to 7 days. For more information, see Share an Object with Others. For a list of Region strings, see Regions and Endpoints in the AWS General Reference.
Using a signing key enables you to keep your AWS credentials in one safe place. For example, if you have multiple servers that communicate with Amazon S3, you share the signing key with those servers; you don't have to keep a copy of your secret access key on each server. A signing key is valid for up to seven days, so each time you calculate a new signing key you will need to share it with your servers. Treat the derived key as a secret in its own right: anyone holding it can sign arbitrary Amazon S3 requests in that Region until it expires, although, because HMAC is one-way, they cannot recover your secret access key from it. For more information, see Authenticating Requests (AWS Signature Version 4).
The final signature is the HMAC-SHA256 of the string to sign, using the signing key as the key.

HMAC-SHA256(SigningKey, StringToSign)

For step-by-step instructions on creating a signature, see Task 3: Create a Signature in the AWS General Reference.

Examples: Signature Calculations

You can use the examples in this section as a reference to check signature calculations in your code. For additional references, see Signature Version 4 Test Suite in the AWS General Reference. The calculations shown in the examples use the following data:

  • Example access keys.

    Parameter             Value
    AWSAccessKeyId        AKIAIOSFODNN7EXAMPLE
    AWSSecretAccessKey    wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  • Request timestamp of 20130524T000000Z (Fri, 24 May 2013 00:00:00 GMT).

  • Bucket name examplebucket.
  • The bucket is assumed to be in the US East (N. Virginia) Region. The credential Scope and the Signing Key calculations use us-east-1 as the Region specifier. For information about other Regions, see Regions and Endpoints in the AWS General Reference.
  • You can use either path-style or virtual hosted–style requests. The following examples show how to sign a virtual hosted–style request, for example:

    https://examplebucket.s3.amazonaws.com/photos/photo1.jpg

    For more information, see Virtual Hosting of Buckets in the Amazon Simple Storage Service User Guide.

Example: GET Object

The following example gets the first 10 bytes of an object (test.txt) from examplebucket. For more information about the API action, see GetObject.

GET /test.txt HTTP/1.1
Host: examplebucket.s3.amazonaws.com
Authorization: SignatureToBeCalculated
Range: bytes=0-9 
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20130524T000000Z 

Because this GET request does not provide any body content, the x-amz-content-sha256 value is the hash of the empty request body. The following steps show the signature calculations and the structure of the Authorization header.

  1. StringToSign

    1. CanonicalRequest

      GET
      /test.txt
      
      host:examplebucket.s3.amazonaws.com
      range:bytes=0-9
      x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
      x-amz-date:20130524T000000Z
      
      host;range;x-amz-content-sha256;x-amz-date
      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  

      In the canonical request string, the last line is the hash of the empty request body. The third line is empty because there are no query parameters in the request. Note that the trailing space in the Range header value has been removed by Trim().

    2. StringToSign

      AWS4-HMAC-SHA256
      20130524T000000Z
      20130524/us-east-1/s3/aws4_request
      7344ae5b7ee6c3e7e6b0fe0640412a37625d1fbfff95c48bbb2dc43964946972
  2. SigningKey

    signing key = HMAC-SHA256(HMAC-SHA256(HMAC-SHA256(HMAC-SHA256("AWS4" + "<YourSecretAccessKey>","20130524"),"us-east-1"),"s3"),"aws4_request")
  3. Signature

    f0e8bdb87c964420e857bd35b5d6ed310bd44f0170aba48dd91039c6036bdb41
  4. Authorization header
    The resulting Authorization header is as follows :

    AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=host;range;x-amz-content-sha256;x-amz-date,Signature=f0e8bdb87c964420e857bd35b5d6ed310bd44f0170aba48dd91039c6036bdb41
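The whole procedure above, the UriEncode rules, Tasks 1 through 3, and the GET Object worked example, as one runnable signer. This is an added example, not code from the AWS documentation or from the AWS SDKs; it uses only the Python standard library, and the function names (uri_encode, canonical_query_string, canonical_headers, signing_key, sign_request, verify_signature, get_object_example) are this example's own. It signs with the page's example credentials and reproduces the canonical request hash and signature shown above, it also handles the unsigned payload option from the Important note at the top, and it shows the receiver-side comparison done in constant time.

```python
"""AWS Signature Version 4 for S3, single-chunk transfer (added example,
standard library only). Reproduces the page's "GET Object" example with the
page's example credentials; the rules implemented are the ones described above."""
import hashlib
import hmac

UNRESERVED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def uri_encode(value, encode_slash=True):
    """UriEncode() per the rules above: work on the UTF-8 bytes, keep only the
    unreserved characters, space -> %20 (never '+'), uppercase hex digits.
    Object keys are encoded with encode_slash=False so that '/' survives."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in UNRESERVED or (byte == 0x2F and not encode_slash):
            out.append(chr(byte))
        else:
            out.append("%%%02X" % byte)
    return "".join(out)


def canonical_query_string(params):
    """Encode names and values separately, then sort by the encoded name.
    A value-less subresource such as ?acl is passed as {"acl": ""} -> 'acl='."""
    pairs = sorted((uri_encode(k), uri_encode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def canonical_headers(headers):
    """Return (CanonicalHeaders, SignedHeaders): names lowercased, values
    trimmed, sorted by name. CanonicalHeaders ends with a newline."""
    norm = sorted((k.lower(), v.strip()) for k, v in headers.items())
    return ("".join(f"{k}:{v}\n" for k, v in norm),
            ";".join(k for k, _ in norm))


def signing_key(secret, date, region, service):
    """Task 3: derive the key scoped to date/region/service. Only this
    derived key, not the secret access key, needs to reach the signing hosts."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def sign_request(access_key, secret, region, method, key_path, params,
                 headers, payload=b"", unsigned_payload=False):
    """Tasks 1-3 for one S3 request. key_path is the raw, unencoded absolute
    path; headers must include Host and x-amz-date (YYYYMMDDTHHMMSSZ)."""
    payload_hash = ("UNSIGNED-PAYLOAD" if unsigned_payload
                    else hashlib.sha256(payload).hexdigest())
    headers = dict(headers, **{"x-amz-content-sha256": payload_hash})
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    canon_hdrs, signed_hdrs = canonical_headers(headers)
    canonical_request = "\n".join([
        method,
        uri_encode(key_path, encode_slash=False),  # keep '/', never normalize
        canonical_query_string(params),
        canon_hdrs,            # its trailing '\n' produces the blank line
        signed_hdrs,
        payload_hash,
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, "s3")
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "canonical_request": canonical_request,
        "string_to_sign": string_to_sign,
        "signature": signature,
        "authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope},"
                          f"SignedHeaders={signed_hdrs},Signature={signature}"),
        "headers": headers,  # the headers to actually send
    }


def verify_signature(presented, **request):
    """Receiver side, as S3 does it: recompute with the same method and
    compare in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(sign_request(**request)["signature"], presented)


EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GET_OBJECT_HEADERS = {"Host": "examplebucket.s3.amazonaws.com",
                      "Range": "bytes=0-9 ",  # trailing space removed by Trim()
                      "x-amz-date": "20130524T000000Z"}


def get_object_example():
    """The page's GET Object example: first 10 bytes of test.txt, empty body."""
    return sign_request(EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, "us-east-1",
                        "GET", "/test.txt", {}, GET_OBJECT_HEADERS)


if __name__ == "__main__":
    r = get_object_example()
    print(r["canonical_request"], r["string_to_sign"], r["authorization"], sep="\n\n")
```

Running the file prints the canonical request, the string to sign and the Authorization header for the GET example above. The object key is passed unencoded and uri_encode() is applied inside sign_request(), so a key such as test$file.text comes out as /test%24file.text while its slashes are kept; the Authorization header itself is never part of the signed headers.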

Example: PUT Object

This example PUT request creates an object (test$file.text) in examplebucket. The example assumes the following:

  • You are requesting REDUCED_REDUNDANCY as the storage class by adding the x-amz-storage-class request header. For information about storage classes, see Storage Classes in the Amazon Simple Storage Service User Guide.
  • The content of the uploaded file is the string "Welcome to Amazon S3." The value of x-amz-content-sha256 in the request is based on this string.

For information about the API legal action, see PutObject .

PUT test$file.text HTTP/1.1
Host: examplebucket.s3.amazonaws.com
Date: Fri, 24 May 2013 00:00:00 GMT
Authorization: SignatureToBeCalculated
x-amz-date: 20130524T000000Z 
x-amz-storage-class: REDUCED_REDUNDANCY
x-amz-content-sha256: 44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072

The following steps show the signature calculations.

  1. StringToSign

    1. CanonicalRequest

      PUT
      /test%24file.text
      
      date:Fri, 24 May 2013 00:00:00 GMT
      host:examplebucket.s3.amazonaws.com
      x-amz-content-sha256:44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072
      x-amz-date:20130524T000000Z
      x-amz-storage-class:REDUCED_REDUNDANCY
      
      date;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class
      44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072

      In the canonical request, the third line is empty because there are no query parameters in the request. The last line is the hash of the body, which must be the same as the x-amz-content-sha256 header value. Note that the '$' in the object key is encoded as %24 in the CanonicalURI, and that the Date header, because it was sent, is included in the signed headers.

    2. StringToSign

      AWS4-HMAC-SHA256
      20130524T000000Z
      20130524/us-east-1/s3/aws4_request
      9e0e90d9c76de8fa5b200d8c849cd5b8dc7a3be3951ddb7f6a76b4158342019d
  2. SigningKey

    signing key = HMAC-SHA256(HMAC-SHA256(HMAC-SHA256(HMAC-SHA256("AWS4" + "<YourSecretAccessKey>","20130524"),"us-east-1"),"s3"),"aws4_request")
  3. Signature

    98ad721746da40c64f1a55b78f14c238d841ea1380cd77a1b5971af0ece108bd
  4. Authorization header
    The resulting Authorization header is as follows :

    AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=date;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class,Signature=98ad721746da40c64f1a55b78f14c238d841ea1380cd77a1b5971af0ece108bd

Example: GET Bucket Lifecycle

The following GET request retrieves the lifecycle configuration of examplebucket. For information about the API action, see GetBucketLifecycleConfiguration.

GET ?lifecycle HTTP/1.1
Host: examplebucket.s3.amazonaws.com
Authorization: SignatureToBeCalculated
x-amz-date: 20130524T000000Z 
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Because the request does not provide any body content, the x-amz-content-sha256 header value is the hash of the empty request body. The following steps show the signature calculations.

  1. StringToSign

    1. CanonicalRequest

      GET
      /
      lifecycle=
      host:examplebucket.s3.amazonaws.com
      x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
      x-amz-date:20130524T000000Z
      
      host;x-amz-content-sha256;x-amz-date
      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      In the canonical request, the last line is the hash of the empty request body. Because ?lifecycle is a subresource with no value, the canonical query string is lifecycle= (the encoded name, '=', and an empty value), and the CanonicalURI is just "/".

    2. StringToSign

      AWS4-HMAC-SHA256
      20130524T000000Z
      20130524/us-east-1/s3/aws4_request
      9766c798316ff2757b517bc739a67f6213b4ab36dd5da2f94eaebf79c77395ca
  2. SigningKey

    signing key = HMAC-SHA256(HMAC-SHA256(HMAC-SHA256(HMAC-SHA256("AWS4" + "<YourSecretAccessKey>","20130524"),"us-east-1"),"s3"),"aws4_request")
  3. Signature

    fea454ca298b7da1c68078a5d1bdbfbbe0d65c699e0f91ac7a200a0136783543
  4. Authorization header
    The resulting Authorization header is as follows :

    AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=fea454ca298b7da1c68078a5d1bdbfbbe0d65c699e0f91ac7a200a0136783543

Example: Get Bucket (List Objects)

The following example retrieves a list of objects from the examplebucket bucket. For information about the API action, see ListObjects.

GET ?max-keys=2&prefix=J HTTP/1.1
Host: examplebucket.s3.amazonaws.com
Authorization: SignatureToBeCalculated
x-amz-date: 20130524T000000Z 
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Because the request does not provide a body, the value of x-amz-content-sha256 is the hash of the empty request body. The following steps show the signature calculations.

  1. StringToSign

    1. CanonicalRequest

      GET
      /
      max-keys=2&prefix=J
      host:examplebucket.s3.amazonaws.com
      x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
      x-amz-date:20130524T000000Z
      
      host;x-amz-content-sha256;x-amz-date
      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      In the canonical request, the last line is the hash of the empty request body. The query parameters max-keys and prefix already appear in sorted order, so the canonical query string is identical to the query string in the request.

    2. StringToSign

      AWS4-HMAC-SHA256
      20130524T000000Z
      20130524/us-east-1/s3/aws4_request
      df57d21db20da04d7fa30298dd4488ba3a2b47ca3a489c74750e0f1e7df1b9b7
  2. SigningKey

    signing key = HMAC-SHA256(HMAC-SHA256(HMAC-SHA256(HMAC-SHA256("AWS4" + "<YourSecretAccessKey>","20130524"),"us-east-1"),"s3"),"aws4_request")
  3. Signature

    34b48302e7b5fa45bde8084f4b7868a86f0a534bc59db6670ed5711ef69dc6f7
  4. Authorization header
    The resulting Authorization header is as follows :

    AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=34b48302e7b5fa45bde8084f4b7868a86f0a534bc59db6670ed5711ef69dc6f7