The ROA-style API signature is computed over two parts: the public request headers (HTTP header parameters and Alibaba Cloud protocol header parameters) and CanonicalizedResource. The message body itself is not included in the signature; only its Content-MD5 header value is.
| Header | Description |
|---|---|
| Authorization | Authentication information used to verify request validity, in the format acs AccessKeyId:signature. |
| Content-Length | HTTP request content length as defined in RFC 2616. |
| Content-Type | HTTP request content type as defined in RFC 2616. |
| Content-MD5 | Base64-encoded 128-bit MD5 hash of the HTTP message body. It is recommended that Content-MD5 be added to all requests to prevent tampering with the body. |
| Date | Request time in GMT format, for example, Wed, 26 Aug 2015 17:01:00 GMT. |
| Accept | Return-value type required by the client: application/json or application/xml. |
| Host | Address of the accessed host, for example, ros.aliyuncs.com. |
| x-acs-signature-nonce | Unique random number used to prevent network replay attacks. A different random number must be used for every request. |
| x-acs-signature-method | Signature method; only HMAC-SHA1 is supported at present. |
| x-acs-signature-version | Signature version, currently 1.0. |
ROA-style API requests are signed using the standard Authorization header. The request format is as follows:
Authorization: acs AccessKeyId:Signature
The signature calculation must include the values (not the names) of the following headers, in this order: Accept, Content-MD5, Content-Type and Date. Content-Length is not included in the signature. A header that has no value contributes an empty line, that is, only its "\n" terminator.
Alibaba Cloud protocol headers (CanonicalizedHeaders)
CanonicalizedHeaders are the non-standard HTTP headers of Alibaba Cloud, that is, the request headers whose names are prefixed with "x-acs-".
CanonicalizedHeaders are constructed as follows:
1. Convert the names of all HTTP request headers prefixed with "x-acs-" to lowercase. For example, 'X-acs-OSS-Meta-Name: TaoBao' becomes 'x-acs-oss-meta-name: TaoBao'. Header names are case-insensitive according to Alibaba Cloud's specification, but it is recommended that they be written in lowercase only.
2. If the value of a public request header is too long, replace the "\t", "\n", "\r" and "\f" separators inside it with spaces.
3. Sort all headers obtained from the preceding steps that comply with Alibaba Cloud's specification in lexicographically ascending order of their names.
4. Remove any spaces on either side of the ':' separator between a header name and its value. For example, convert 'x-acs-oss-meta-name: TaoBao,Alipay' into 'x-acs-oss-meta-name:TaoBao,Alipay'.
5. Separate the resulting header lines with the '\n' separator to form the final CanonicalizedHeaders.
CanonicalizedResource is the standard description of the resource to be accessed. Sort the sub-resources together with the query parameters (everything after the question mark "?") in lexicographically ascending order and join them with the '&' separator to form the sub-resource string. For example:
The sorting result is:
Authorization = acs AccessKeyId + ":" + Signature
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of( StringToSign ) ) )
StringToSign =
    HTTP-Verb + "\n" +
    Accept + "\n" +
    Content-MD5 + "\n" +
    Content-Type + "\n" +
    Date + "\n" +
    CanonicalizedHeaders +      (Alibaba Cloud protocol headers, see above)
    CanonicalizedResource       (path and queryString, see above)
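The whole procedure above, from the CanonicalizedHeaders steps and CanonicalizedResource through StringToSign to the HMAC-SHA1 Authorization value, as an added Python example; this is not Alibaba Cloud's SDK code. It assumes that each CanonicalizedHeaders line is terminated by "\n" (so that CanonicalizedHeaders + CanonicalizedResource concatenate directly), that query keys and values are passed already URL-encoded, and that the AccessKeyId and secret shown are placeholders. The `verify` function is an added server-side counterpart showing the check a receiving service performs, including re-deriving Content-MD5 from the body it actually received.

```python
import base64
import hashlib
import hmac

# Headers whose values go into StringToSign, in this fixed order (names are not included).
SIGNED_HEADERS = ("accept", "content-md5", "content-type", "date")

# Step 2 of the CanonicalizedHeaders rules: line separators inside a value become spaces.
_SEPARATORS = str.maketrans({"\t": " ", "\n": " ", "\r": " ", "\f": " "})


def content_md5(body: bytes) -> str:
    """Base64 of the 128-bit MD5 digest of the message body (the Content-MD5 header value)."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def canonicalized_headers(headers: dict) -> str:
    """Build CanonicalizedHeaders from all x-acs-* request headers.

    Assumption: every header line is terminated by "\\n" so that
    CanonicalizedHeaders + CanonicalizedResource concatenates cleanly.
    """
    acs = {}
    for name, value in headers.items():
        lname = name.strip().lower()                    # step 1: lowercase names
        if lname.startswith("x-acs-"):
            value = str(value).translate(_SEPARATORS)   # step 2: fold separators to spaces
            acs[lname] = value.strip()                  # step 4: no spaces around ":"
    # step 3: lexicographic order; step 5: one "name:value\n" line per header
    return "".join(f"{name}:{acs[name]}\n" for name in sorted(acs))


def canonicalized_resource(path: str, query=None) -> str:
    """Path plus sub-resources/query parameters sorted ascending and joined with "&".

    Assumption: keys and values are already URL-encoded; a parameter whose
    value is None is emitted as a bare sub-resource name.
    """
    if not query:
        return path
    parts = [key if query[key] is None else f"{key}={query[key]}" for key in sorted(query)]
    return f"{path}?{'&'.join(parts)}"


def string_to_sign(method: str, headers: dict, path: str, query=None) -> str:
    """HTTP-Verb, the four signed header values, CanonicalizedHeaders, CanonicalizedResource."""
    lower = {k.lower(): str(v) for k, v in headers.items()}
    lines = [method.upper()]
    for name in SIGNED_HEADERS:
        lines.append(lower.get(name, ""))   # absent header -> empty line, "\n" still emitted
    return ("\n".join(lines) + "\n"
            + canonicalized_headers(headers)
            + canonicalized_resource(path, query))


def sign(access_key_id: str, access_key_secret: str, method: str, headers: dict,
         path: str, query=None) -> str:
    """Return the Authorization value: acs AccessKeyId:Base64(HMAC-SHA1(secret, StringToSign))."""
    sts = string_to_sign(method, headers, path, query).encode("utf-8")
    digest = hmac.new(access_key_secret.encode("utf-8"), sts, hashlib.sha1).digest()
    return f"acs {access_key_id}:{base64.b64encode(digest).decode('ascii')}"


def verify(authorization: str, secret_lookup, method: str, headers: dict,
           path: str, query=None, body: bytes = b"") -> bool:
    """Server-side check (added here): recompute the signature and compare in constant time.

    Rejects a malformed header, an unknown AccessKeyId, a Content-MD5 that does not
    match the body actually received, and a signature that does not match.
    """
    try:
        scheme, credential = authorization.split(" ", 1)
        key_id, presented = credential.split(":", 1)
    except ValueError:
        return False
    if scheme != "acs":
        return False
    secret = secret_lookup(key_id)
    if secret is None:
        return False
    lower = {k.lower(): str(v) for k, v in headers.items()}
    if "content-md5" in lower and lower["content-md5"] != content_md5(body):
        return False   # body was altered after the client hashed it
    expected = sign(key_id, secret, method, headers, path, query).split(":", 1)[1]
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample request; "AKID-EXAMPLE" and "secret-EXAMPLE" are placeholders.
    hdrs = {"Accept": "application/json", "Date": "Wed, 26 Aug 2015 17:01:00 GMT",
            "x-acs-signature-method": "HMAC-SHA1", "X-Acs-Signature-Nonce": " nonce-123 ",
            "x-acs-signature-version": "1.0"}
    qry = {"PageSize": "10", "PageNumber": "1"}
    print(string_to_sign("GET", hdrs, "/stacks", qry))
    print(sign("AKID-EXAMPLE", "secret-EXAMPLE", "GET", hdrs, "/stacks", qry))
```

Note that `verify` covers only what the formula defines. A receiving service also needs to bound the clock skew of the Date header and remember recently seen x-acs-signature-nonce values, since it is the nonce, not the signature alone, that stops a captured request from being replayed.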