Request signature V2

When the user requests KS3, they can use accessKey and secretkey to sign the request. When KS3 receives the request with signature information, it will use the same algorithm to verify the signature. If the signature is inconsistent, KS3 will return 403 to the user. If the signature of KS3 verification is consistent, and the user corresponding to accessKey has permission to operate the requested resource, the request succeeds, otherwise, KS3 returns 403.

If the user requests KS3 without signature information in the request, KS3 considers the request anonymous. When KS3 receives the anonymous request, if it finds that the resource requested by the user does not allow anonymous request, it will return 403.

KS3 provides Visual signature tool,it is convenient for customers to debug signature errors and locate problems quickly.

1. Send signature through HTTP request Header

Method: add a Header named Authorization to the request, and the value is the signature value. As follows:

Authorization: KSS P3UPCMORAFON76Q6RTNQ:vU9XqPLcXd3nWdlfLWIhruZrLAM=

Authorization calculation method：

Authorization = “KSS YourAccessKey:Signature”

Signature = Base64(HMAC-SHA1(YourSecretKey, UTF-8-Encoding-Of( StringToSign ) ) );

StringToSign = HTTP-Verb + "\n" +
Content-MD5 + "\n" +
Content-Type + "\n" +
Date + "\n" +
CanonicalizedKssHeaders+
CanonicalizedResource;

Content-MD5, Content-Type, CanonicalizedKssHeaders can be null,if it is null,the empty string ('') is used instead, HTTP-Verb、Date and CanonicalizedResource can't be null.

• HTTP-Verb represents the action of request, such as GET\PUT\POST\DELETE, etc.
• Content-MD5 A represents the MD5 value of the requested content data, encoded with Base64. When the header of the request contains Content-MD5, it needs to be included in StringToSign, otherwise ("") is used instead. Note: the Content-MD5 algorithm first summarizes the data, and then encodes the MD5 summary in Base64. In this process, there is no need to do HEX encoding. Because in some languages or toolkits, the MD5 summary is HEX encoded by default, so when the MD5 summary is HEX encoded,it needs to be HEX decoded first, and then Base64 encoded. Detailed explanationRFC2616
• Content-Type Represents the type of request content and takes Content-Type from HTTP header.

• Date represents the time of this operation and must be in GMT format supported in HTTP 1.1. Take the date in the HTTP header. If the time differs by more than 15 minutes from the KS3 server time, KS3 will return 403. For example: wed, 17 Feb 2012 15:31:56 GMT

  Note: Some clients do not support sending Date request Headers. In this case, when calculating the signature, you need to keep the Date field and add x-kss-date in the CanonicalizedKssHeaders, with the same format as the date. When sending a request, you need to add an x-kss-date request header.Example

• CanonicalizedKssHeaders represents the header combination starting with x-kss in HTTP request, see CanonicalizedKssHeaders calculation method for example.
• CanonicalizedResource represents the resource accessed by the user，see CanonicalizedResource calculation method for example.

CanonicalizedKssHeaders calculation method

The calculation method is as follows ：

1. First select all HTTP request headers starting with x-kss -, and turn all header names into lowercase. Such as: X-KSS-Meta-Myname: Jack change header name to lowercase and then to 'x-kss-meta-myname: Jack`
2. Arrange the headers in ascending order according to the dictionary order of the header name
3. Remove any spaces that appear between the separator between the request header and the content. For example, 'x-kss-meta-myname: Jack' is converted to: 'x-kss-meta-myname: Jack'`
4. Use the '"\ n"' separator to connect these header name and header value pairs together.

Note: If CanonicalizedKssHeaders is null, no need to add the last ` \ n ';
If there is only one,you need to add \ n 'at the end,for example:' x-kss-meta-yourname: Lee \ n; If there are more than one, use the '\ n' separator to join them together and add '\ n' at the end, for example: 'x-kss-meta-myname: Jack \ nx-kss-meta-yourname: Lee \ n`; If the client does not support sending the date request header, the x-kss-date request header must be added when calculating the CanonicalizedKssHeaders.Example.

Calculation method of CanonicalizedResource

CanonicalizedResource represents the requested target resource, structured as follows:

/[BucketName/[ObjectKey[?SubResource]]]

• BucketName: Bucket name requested by the user.

• ObjectKey: The name of the object requested by the user,it needs to be URL encoded.

• SubResource:The child resource requested by the user.In the URL parameter, "acl","lifecycle","location","logging","notification","partNumber","policy","requestPayment","torrent","uploadId","uploads","versionId","versioning","versions","website","delete","thumbnail","cors","queryadp","adp","asyntask","querytask","domain","response-content-type","response-content-language","response-expires","response-cache-control","response-content-disposition","response-content-encoding"are filtered out, and these query strings and their request values (request values without URL encoding) are arranged in dictionary order from small to large, with the & as the separator to get the SubResource.

The calculation method is as follows:

1. CanonicalizedResource="/"

2. If BucketName is not null,then CanonicalizedResource = CanonicalizedResource + BucketName + "/"

3. If ObjectKey is not null,then CanonicalizedResource = CanonicalizedResource + ObjectKey

4. Replace the double slash ("/ /") in canonicalizedresource with "/% 2F"

5. If SubResource is not null,then CanonicalizedResource = CanonicalizedResource + "?" + SubResource

1. Example of calculating signature:

The ObjectKey in the example is a URL encoded ObjectKey

PUT /{BucketName}/{ObjectKey} HTTP/1.0
Content-Md5: 1B2M2Y8AsgTpgAmY7PhCfg==
Content-Type: text/html
Content-Length: 1024
Date: Wed, 17 Feb 2012 15:31:56 GMT
Host: ks3-cn-beijing.ksyuncs.com

Assuming that the SecretKey is：Ik90eHJ6eElzZnBGakE3U3dQeklMd3k,its signature algorithm is:

import base64
import hmac
from hashlib import sha1
h = hmac.new("Ik90eHJ6eElzZnBGakE3U3dQeklMd3k", "PUT\n1B2M2Y8AsgTpgAmY7PhCfg==\ntext/html\nWed, 17 Feb 2012 15:31:56 GMT\n/{BucketName}/{ObjectKey}", sha1)
Signature = base64.encodestring(h.digest()).strip()

2. Example of "client does not support sending date request header"

When calculating the signature, you need to keep the Date field and add x-kss-date to the CanonicalizedKssHeaders. The format is the same as the Date. When sending a request, you need to add an x-kss-date request header. The ObjectKe in the example is a URL encoded ObjectKe.

PUT /{BucketName}/{ObjectKey} HTTP/1.0
Content-Md5: 1B2M2Y8AsgTpgAmY7PhCfg==
Content-Type: text/html
Content-Length: 1024
Date: Wed, 17 Feb 2012 15:31:56 GMT
Host: ks3-cn-beijing.ksyuncs.com
x-kss-date: Wed, 17 Feb 2012 15:31:56 GMT

Assuming that the SecretKey is：Ik90eHJ6eElzZnBGakE3U3dQeklMd3k,its signature algorithm is:

import base64
import hmac
from hashlib import sha1
h = hmac.new("Ik90eHJ6eElzZnBGakE3U3dQeklMd3k", "PUT\n1B2M2Y8AsgTpgAmY7PhCfg==\ntext/html\nWed, 17 Feb 2012 15:31:56 GMT\nx-kss-date:Wed, 17 Feb 2012 15:31:56 GMT\n/{BucketName}/{ObjectKey}", sha1)
Signature = base64.encodestring(h.digest()).strip()

3. Sending signature through URL QueryString

Example URL with signature:

https://{BucketName}.ks3-cn-beijing.ksyuncs.com/{ObjectKey}?KSSAccessKeyId=VSDNT6SHFNDWBXYZRS3A&Expires=1435550417&Signature=a2JnaLMuN%2FWmcKL%2FW4aibMCa4BY%3D

KSSAccessKeyId is the user's AccessKey.

Expires is the expiration time of the link, which is represented by Unix_Time. The calculation method of Signature is the same as above, only the Date is replaced with the Expires value.