Cloud Storage Gateway (CSG) authenticates each access request. Therefore, a request must contain signature information regardless of whether it is sent over HTTP or HTTPS. CSG uses symmetric-key authentication with an AccessKey pair to verify the identity of the request sender. The AccessKey ID and AccessKey secret are officially issued by Alibaba Cloud to users. You can request and manage the AccessKey pair on the Alibaba Cloud official website. The AccessKey ID indicates the identity of a user. The AccessKey secret is the key used to compute the signature string and to verify the signature string on the server. The AccessKey secret must be kept strictly confidential.

To sign a request, perform the following steps:

  1. Create a canonicalized query string by arranging the request parameters.
    1. Arrange the request parameters, including all common request parameters and operation-specific parameters except Signature, in alphabetical order.
      Note: When you use the GET method to submit a request, the request parameters are included as a part of the URL. They follow the question mark (?) and are separated by ampersands (&).
    2. Encode the name and value of each request parameter. Parameter names and values must be URL-encoded based on the UTF-8 character set. For more information about encoding rules, see the following table.
      | Character | Encoding rule |
      | --- | --- |
      | A to Z, a to z, 0 to 9, hyphens (-), underscores (_), periods (.), and tildes (~) | These characters do not need to be encoded. |
      | Other characters | These characters must be percent encoded in the %XY format. XY specifies the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22. |
      | Extended UTF-8 characters | These characters must be percent encoded in the %XY%ZA… format. |
      | Spaces | Spaces must be encoded as %20. Do not encode spaces as plus signs (+). |

      This encoding rule differs from the rule used to encode data in the common Multipurpose Internet Mail Extensions (MIME) format application/x-www-form-urlencoded, which is the format that java.net.URLEncoder in the standard Java library produces. However, you can apply the MIME encoding algorithm and then replace each plus sign (+) in the encoded string with %20, each asterisk (*) with %2A, and each %7E with a tilde (~).

    3. Connect the encoded name and value of each parameter with an equal sign (=).
    4. Arrange the encoded parameters in alphabetical order based on the first letter of the name of each parameter and connect the parameters with ampersands (&) to create a canonicalized query string.
  2. Create a string-to-sign from the encoded canonicalized query string based on the following rules:
    StringToSign=
      HTTPMethod + "&" +
      percentEncode("/") + "&" +
      percentEncode(CanonicalizedQueryString)

    Parameters

    • HTTPMethod: the HTTP method used to submit a request, such as GET.
    • percentEncode("/"): encodes the forward slashes (/) based on the URL encoding rules described in Step 1.ii. The encoded value of a forward slash (/) is %2F.
    • percentEncode(CanonicalizedQueryString): encodes the canonicalized query string that is created in Step 1 based on the URL encoding rules described in Step 1.ii.
  3. Calculate the HMAC value of the string-to-sign as defined in RFC 2104.
    Note: Use the SHA1 algorithm to calculate the HMAC value of the string-to-sign. Your AccessKey secret followed by an ampersand (&) (ASCII code 38) is used as the key for HMAC calculation.
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the Signature parameter. The result is the signed API request.
    Note: When you add the signature string to the request as the Signature parameter, the parameter must be URL encoded like other parameters based on rules defined in RFC 3986.

    Taking DescribeRegions as an example, the request URL before the signature is added is:

    http://sgw.cn-shanghai.aliyuncs.com/?Timestamp=2020-02-23T12:46:24Z&Format=XML&AccessKeyId=testid&Action=DescribeRegions&SignatureMethod=HMAC-SHA1&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&Version=2018-05-11&SignatureVersion=1.0

    The following string is the string-to-sign:

    GET&%2F&AccessKeyId%3Dtestid%26Action%3DDescribeRegions%26Format%3DXML%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3D3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf%26SignatureVersion%3D1.0%26Timestamp%3D2020-02-23T12:46:24Z%26Version%3D2018-05-11

    Assume that the AccessKey ID is testid and the AccessKey secret is testsecret. The key used to calculate the HMAC value of the signature is then testsecret&. The calculated signature string is VaeN6G9xWXirTsh7mlSM55Ws+0s=.

    The following URL is the signed request URL after the Signature parameter is added:

    http://sgw.cn-shanghai.aliyuncs.com/?SignatureVersion=1.0&Action=DescribeRegions&Format=XML&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&Version=2018-05-11&AccessKeyId=testid&Signature=VaeN6G9xWXirTsh7mlSM55Ws+0s=&SignatureMethod=HMAC-SHA1&Timestamp=2020-02-23T12:46:24Z