This topic describes the signature algorithm that EventBridge uses to push events to HTTP or HTTPS event targets.

Background information

In the basic model of EventBridge, events are delivered from event sources to event buses, filtered and transformed based on event rules, and then delivered to various event targets for processing. Therefore, HTTP or HTTPS event targets usually need to expose their public endpoints to receive events that EventBridge pushes. To ensure data security, HTTP or HTTPS event targets must check whether received requests are sent by EventBridge.

EventBridge generates a signature

  1. EventBridge generates a temporary secret.
  2. EventBridge uses a private key to encrypt the temporary secret and specifies the encrypted secret in header:x-eventbridge-signature-secret.
  3. EventBridge generates a string-to-sign.
    For more information about the format of a string-to-sign, see the Format of a string-to-sign section of this topic.
  4. By default, EventBridge encrypts the string-to-sign by using the Hash-based Message Authentication Code Secure Hash Algorithm 1 (HMAC-SHA1) algorithm and the temporary secret to generate an encrypted value, and specifies the signature algorithm in header:x-eventbridge-signature-method.
  5. EventBridge specifies the current timestamp in header:x-eventbridge-signature-timestamp.
  6. EventBridge encodes the encrypted value in Base64 and specifies the Base64-encoded value in header:x-eventbridge-signature.
    The following formula is used to generate the signature:
    Signature = Base64( HMAC-SHA1(Temporary secret, UTF-8-Encoding-Of(
    StringToSign)) )

An event target verifies the signature

  1. The event target obtains the timestamp when the server sent the request based on x-eventbridge-signature-timestamp.
    • If the interval between the time when the request was sent and the time when the request was received exceeds 60s, the event target considers the request invalid to prevent replay attacks.
    • If the interval between the time when the request was sent and the time when the request was received does not exceed 60s, the event target continues the verification.
  2. The event target determines whether the URL specified by x-eventbridge-signature-url has a valid certificate of EventBridge by determining whether the URL is in the format of https://[RegionId]-eventbridge.oss-accelerate.aliyuncs.com.
    • If the URL has a valid certificate of EventBridge, the event target obtains the public key from EventBridge based on the URL specified by x-eventbridge-signature-url.
    • If the URL has no valid certificate of EventBridge, the event target considers that the request was not sent from EventBridge and denies the event.
  3. The event target uses the public key that is obtained in Step 2 to decrypt x-eventbridge-signature-secret to obtain the temporary secret.
  4. The event target generates a string-to-sign.
    For more information about the format of a string-to-sign, see the Format of a string-to-sign section of this topic.
  5. By default, the event target encrypts the string-to-sign by using the HMAC-SHA1 algorithm and the signature algorithm specified by x-eventbridge-signature-method to generate an encrypted value.
  6. The event target encodes the encrypted value in Base64 to generate a signature.
  7. The event target compares header:x-eventbridge-signature generated in the EventBridge generates a signature section with the signature generated in Step 6.
    • If the two signatures are the same, the request was sent from EventBridge, and the event target receives and processes the event.
    • If the two signatures are different, the request was not sent from EventBridge, and the event target denies the event.

Format of a string-to-sign

StringToSign = schema+"://"+Destination URL+"path"+"?"+"queryParam" + "\n" + Headers defined in EventBridge + "\n" + body

The headers of a request sent by the server include the following headers defined in EventBridge:

  • x-eventbridge-signature-timestamp: the timestamp when the request was sent. If the interval between the time when the request was sent and the time when the request was received exceeds 60s, the event target considers the timestamp invalid and does not continue the verification to prevent replay attacks.
  • x-eventbridge-signature-method: the signature algorithm. By default, the HMAC-SHA1 algorithm is used.
  • x-eventbridge-signature-version: the version of the signature. Default value: 1.0.
  • x-eventbridge-signature-url: the URL of the signing certificate.
Notice You must specify the headers defined in EventBridge in the preceding order and separate them with \n. Example: "x-eventbridge-signature-timestamp: <your timestamp>" + "\n" +"x-eventbridge-signature-method: HMAC-SHA1"+ "\n" +"x-eventbridge-signature-version: 1.0" + "\n" +"x-eventbridge-signature-url: <your url>".