- If an SDK is used, there is no need to check the signature mechanism. Currently, Java, PHP, and C# SDKs are provided.
- Interfaces support GET and POST requests, but the StringToSigns of a GET request and a POST request are different.
The DirectMail service authenticates the sender of every access request. Therefore, whether a request is submitted over HTTP or HTTPS, it must contain the signature information. DirectMail authenticates the request sender with a symmetric-key HMAC signature based on the Access Key ID and Access Key Secret. The Access Key ID and Access Key Secret are officially issued to visitors by Alibaba Cloud (visitors can apply for and manage them on the Alibaba Cloud official website). The Access Key ID indicates the identity of the visitor. The Access Key Secret is the secret key used to compute the signature of the signature string and to verify that signature on the server. The Access Key Secret must be kept strictly confidential and be known only to Alibaba Cloud and the authenticated visitor.
The following method is used to sign the access request:
Construct Canonicalized Query String using the request parameters.
a) Order all the request parameters (including the public request parameters and custom parameters for the given request interfaces described in this document, but excluding the Signature parameter mentioned in public request parameters) alphabetically by parameter names.
Note: When a request is submitted using the GET method, these parameters constitute the parameter section of the request URI (that is, the section in the URI following “?” and connected by “&”).
b) The name and value of each request parameter are encoded. The names and values must adopt URL encoding in the UTF-8 character set. The URL encoding rules are as follows:
- The characters A-Z, a-z, 0-9, “-”, “_”, “.”, and “~” are not encoded;
- Other characters are encoded in the %XY format, with XY representing the character’s ASCII code in hexadecimal notation. For example, the English double quotes (“) are encoded as
- Extended UTF-8 characters are encoded in the
Note that the English space is encoded as %20, rather than the plus sign “+”.
Note: Generally, libraries that support URL encoding (such as java.net.URLEncoder in Java) encode according to the rules for the application/x-www-form-urlencoded MIME type. Such a library can be used directly during implementation, provided that you then replace the plus signs “+” in the encoded strings with %20, replace the asterisks “*” with %2A, and change %7E back to the tilde “~” to conform to the encoding rules described above.
c) Connect the encoded parameter names and values with the English equal sign “=”.
d) Connect the parameter name and value pairs connected by equal signs alphabetically by the parameter name with the ampersand “&” to produce the Canonicalized Query String.
Follow the rules below to construct the string for signature calculation using the Canonicalized Query String constructed in the previous step:
StringToSign =
HTTPMethod + "&" +
percentEncode("/") + "&" +
percentEncode(CanonicalizedQueryString)
Here, HTTPMethod is the HTTP method used for request submission, for example, GET or POST.
percentEncode(“/”) is the encoded value for the character “/” according to the URL encoding rules described in Section 1.b, namely
percentEncode (CanonicalizedQueryString) is the encoded string of the Canonicalized Query String constructed in Step 1, produced by following the URL encoding rules described in Section 1.b.
- Based on the RFC2104 definition, the above signature string is used to calculate the signature’s HMAC value.
Note: The Key used for signature calculation is your Access Key Secret with a “&” character (ASCII: 38) appended at the end, and the SHA1 hashing algorithm is used.
- Encode the above HMAC value into a string based on Base64 encoding rules, and you can get the signature value (Signature).
Add the obtained signature value to the request parameters as the Signature parameter and the request signing process is completed.
Note: As with the other parameters, the obtained signature value must be URL-encoded based on the RFC3986 rule before it is submitted to the DirectMail server as the final request parameter value.
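The signing steps above, sketched in Python as an added example (not code from the DirectMail SDKs or from the original page). The helper names are hypothetical, the sample parameters are constructed and are not the complete required set, and sorting by code point is assumed to match the alphabetical ordering described in step a).

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def percent_encode(value):
    # UTF-8 encode; only A-Z a-z 0-9 - _ . ~ stay unescaped.
    # Space becomes %20 (never "+"), "*" becomes %2A, "/" becomes %2F.
    return quote(str(value), safe="-_.~", encoding="utf-8")

def canonicalized_query_string(params):
    # Drop Signature, sort by parameter name, encode names and values,
    # join each pair with "=" and the pairs with "&".
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)

def string_to_sign(http_method, params):
    # HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)
    parts = [http_method.upper(), percent_encode("/"),
             percent_encode(canonicalized_query_string(params))]
    return "&".join(parts)

def sign(http_method, params, access_key_secret):
    # HMAC-SHA1 keyed with the Access Key Secret plus "&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    msg = string_to_sign(http_method, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")

def verify(http_method, params, access_key_secret):
    # Receiver-side check: recompute the signature, compare in constant time.
    expected = sign(http_method, params, access_key_secret).encode("ascii")
    supplied = str(params.get("Signature", "")).encode("utf-8")
    return hmac.compare_digest(expected, supplied)

# Constructed sample request; parameter values are illustrative only.
SAMPLE = {
    "Action": "SingleSendMail",
    "AccessKeyId": "testid",
    "ToAddress": "user@example.com",
    "Subject": 'Hi there* "~"',
}

if __name__ == "__main__":
    signed = dict(SAMPLE, Signature=sign("POST", SAMPLE, "testsecret"))
    print(string_to_sign("POST", SAMPLE))
    print(signed["Signature"], verify("POST", signed, "testsecret"))
```

The Signature value returned by sign() still has to be URL-encoded like any other parameter when the request is serialized.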
Take sending a POST request for calling the SingleSendMail interface over HTTPS as an example.
The request URL is: http://dm.aliyuncs.com/.
The parameters are:
Therefore, the StringToSign is:
Suppose the Access Key ID is testid, and the Access Key Secret is testsecret, and the Key used for HMAC calculation is testsecret&, then the calculated signature value is:
The BODY content of the signed POST request from https://dm.aliyuncs.com/ (Note: the Signature parameter is added, and the request header changes to Content-Type: application/x-www-form-urlencoded).