Last updated:2021-05-27 17:52:42
Signature Version 4 is used for API operations of Kingsoft Cloud Billing Center. For more information, see Signature Version 4 signing process. Signatures can be added to HTTP GET and POST requests.
1. Create a canonical request
Canonicalize a request so that the signing process is standardized. Pseudocode is as follows:
CanonicalRequest = HTTPRequestMethod + '\n' + CanonicalURI + '\n' + CanonicalQueryString + '\n' + CanonicalHeaders + '\n' + SignedHeaders + '\n' + HexEncode(Hash(RequestPayload))
Hash indicates the hash algorithm. Currently, the SHA-256 algorithm is used. HexEncode indicates a function that returns the hexadecimal encoding of the hash value in lowercase letters.
The procedure is as follows:
(1) Extract the HTTP request method, for example, GET, PUT, or POST, and add a newline character to the end.
(2) URI-encode the absolute path of the URI to obtain a canonical URI. If the absolute path is empty, use a forward slash (/). Add a newline character to the end.
(3) Construct a canonical query string and add a newline character to the end.
(4) Construct canonical headers and add a newline character to the end. Pseudocode is as follows:
CanonicalHeaders = CanonicalHeadersEntry0 + CanonicalHeadersEntry1 + ... + CanonicalHeadersEntryN
where:
CanonicalHeadersEntry = Lowercase(HeaderName) + ':' + Trimall(HeaderValue) + '\n'
Lowercase indicates a function that converts all header names to lowercase. The Trimall function removes spaces before and after a header value and converts consecutive spaces in the header value into a single space, without removing any spaces between double quotation marks (" "). The canonical headers are sorted by header name.
(5) Add signed headers and add a newline character to the end.
Signed headers are a list of headers that you included in the canonical headers. By adding signed headers, you specify which headers in the request are part of the signing process. This way, additional headers added by the proxy to the request are ignored. The host and x-amz-date headers must be included if they exist. Pseudocode is as follows:
SignedHeaders = Lowercase(HeaderName0) + ';' + Lowercase(HeaderName1) + ';' + ... + Lowercase(HeaderNameN)
(6) Perform a hash operation on the request body by using the SHA256 algorithm, and convert the obtained binary hash value into a lowercase hexadecimal string. Pseudocode is as follows:
HashedPayload = Lowercase(HexEncode(Hash(requestPayload)))
(7) Combine the results of steps (1) to (6) into a string, which is a canonical request.
(8) Perform a hash operation on the canonical request by using the SHA256 algorithm.
2. Create a string-to-sign
The string-to-sign contains metadata of the original request and the canonical request, including the signing algorithm, request date, credential scope, and hash value of the canonical request. Pseudocode is as follows:
StringToSign = Algorithm + '\n' + RequestDate + '\n' + CredentialScope + '\n' + HashedCanonicalRequest
The signing algorithm is AWS4-HMAC-SHA256. The request date is in the format of YYYYMMDD'T'HHMMSS'Z'. The credential scope is in the format of YYYYMMDD/region/service/aws4_request (containing the request date in the ISO 8601 basic format). The hash value of the canonical request is obtained in step (8) of Create a canonical request. Do not add a newline character to the end of the hash value.
3. Calculate a signature
Derive a signing key from the SecretAccessKey, and calculate a signature by using the signing key and the string-to-sign obtained in Create a string-to-sign. The procedure is as follows:
(1) Generate a signing key. Pseudocode is as follows:
kSecret = *Your KSC Secret Access Key*
kDate = HMAC("AWS4" + kSecret, Date)
kRegion = HMAC(kDate, Region)
kService = HMAC(kRegion, Service)
kSigning = HMAC(kService, "aws4_request")
Each step uses the HMAC-SHA256 algorithm. The key for the first HMAC operation is the string "AWS4" followed by the SecretAccessKey, and each later operation uses the result of the previous operation as its key. The data for the operations is, in order, the date, region name, service name, and end string in the credential scope. The result of each operation is a 256-bit (32-byte) binary hash value, which is passed on as is and is not converted into an octal or hexadecimal code.
(2) Calculate a signature. Pseudocode is as follows:
signature = HexEncode(HMAC(derived-signing-key, string-to-sign))
Compute an HMAC-SHA256 value with the signing key as the key and the string-to-sign as the data. The resulting binary hash value is converted into a hexadecimal code.
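The three stages above, carried through end to end in Python as an added example (not code from Kingsoft Cloud). The secret key, host, region, service, and query parameters are constructed placeholders, and the query-string rule (encode each pair, then sort) is assumed from the general Signature Version 4 process because this page does not spell it out.

```python
import hashlib, hmac, re
from urllib.parse import quote

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()          # HexEncode(Hash(...)), lowercase

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()  # raw 32 bytes

def trimall(value: str) -> str:
    # Collapse runs of spaces outside double-quoted segments, then trim the ends.
    parts = re.split(r'("[^"]*")', value)
    return "".join(p if i % 2 else re.sub(" +", " ", p)
                   for i, p in enumerate(parts)).strip()

def canonical_request(method, path, query, headers, signed, payload=b""):
    enc = lambda s: quote(s, safe="-_.~")
    uri = quote(path, safe="/-_.~") or "/"            # empty path becomes "/"
    # Assumption: pairs are encoded then sorted, the usual Signature Version 4 rule.
    qs = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in query))
    lower = {k.lower(): trimall(v) for k, v in headers.items()}
    names = sorted(n.lower() for n in signed)
    # Only signed headers are included; a missing one raises KeyError (fail closed).
    canon = "".join(f"{n}:{lower[n]}\n" for n in names)
    return "\n".join([method, uri, qs, canon, ";".join(names), sha256_hex(payload)])

def sign(secret, amz_date, region, service, creq):
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode())])
    key = ("AWS4" + secret).encode()                  # kSecret with the "AWS4" prefix
    for part in (date, region, service, "aws4_request"):
        key = hmac_sha256(key, part)                  # kDate, kRegion, kService, kSigning
    return hmac_sha256(key, sts).hex()

def verify(secret, amz_date, region, service, creq, presented):
    # Constant-time comparison on the verifying side.
    return hmac.compare_digest(sign(secret, amz_date, region, service, creq), presented)

# Constructed sample values: placeholders, not real endpoints, scopes or keys.
SECRET = "EXAMPLE-SECRET-ACCESS-KEY"
DATE, REGION, SERVICE = "20210527T175242Z", "example-region", "example-service"
HEADERS = {"Host": "api.example.invalid", "X-Amz-Date": DATE}
QUERY = [("Version", "2020-01-01"), ("Action", "DescribeExample")]

if __name__ == "__main__":
    creq = canonical_request("GET", "", QUERY, HEADERS, ["host", "x-amz-date"])
    sig = sign(SECRET, DATE, REGION, SERVICE, creq)
    print(creq, sig, verify(SECRET, DATE, REGION, SERVICE, creq, sig), sep="\n")
```

A header added in transit that is not listed in the signed headers leaves the canonical request, and therefore the signature, unchanged, while any change to a signed header, the query string, or the payload produces a different signature.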