Signature Mechanism

Last Updated: May 27, 2016

The DNS service authenticates every access request. Therefore, whether a request is sent via HTTP or HTTPS, it must carry signature information. The DNS service uses the 'Access Key ID' and 'Access Key Secret' as a symmetric (shared) key to verify the identity of the request sender.

The Access Key ID and Access Key Secret are officially issued to visitors by Alibaba Cloud (visitors can apply for and manage them on Alibaba Cloud's official website). The Access Key ID identifies the visitor. The Access Key Secret is the secret key used to compute and verify the signature over the signature string on the server side. It must be kept strictly confidential and should be known only to Alibaba Cloud and the user.

When a user calls a server, the following method is used to sign the request:

  1. The Canonicalized Query String is constructed using the request parameters
    a) The request parameters are ordered alphabetically by parameter names (this includes the "public request parameters" and user-defined parameters for the given request interfaces described herein, but not the Signature parameter mentioned in "Public Request Parameters").
    Note: This sorting method is strictly case sensitive.
    Note: When a request is submitted using the GET method, these parameters are the parameter section of the request URI (i.e., the section in the URI following "?" and connected by "&").
    b) The name and value of each request parameter are encoded. The names and values must be URL encoded using the 'UTF-8 character set'. The URL encoding rules are as follows:

    i. The characters A-Z, a-z, 0-9, and "-", "_", ".", "~" are not encoded;
    ii. Other characters are encoded in "%XY" format, with XY representing the character's ASCII code in hexadecimal notation. For example, the English double quote (") is encoded as %22.
    iii. Extended UTF-8 characters are encoded in "%XY%ZA…" format.
    iv. It must be noted that the English space ( ) is encoded as %20, rather than the plus sign (+).

    Note: Libraries that support URL encoding (e.g., Java's java.net.URLEncoder) generally encode according to the rules for the "application/x-www-form-urlencoded" MIME type, which differ from the rules above. To obtain a string that matches the rules above, post-process such a library's output: replace the plus sign (+) with %20, the asterisk (*) with %2A, and %7E with the tilde (~).
    c) Connect the encoded parameter names and values with the English equal sign (=).
    d) Then, order the parameter name and value pairs connected by equal signs in alphabetical order and connect them with the & symbol to produce the Canonicalized Query String.
  2. Follow the rules below to construct the string used for signature calculation by using the Canonicalized Query String constructed in the previous step:

    StringToSign = HTTPMethod + "&" + percentEncode("/") + "&" + percentEncode(CanonicalizedQueryString)

    Here, HTTPMethod is used for request submission, e.g., 'GET'.
    percentEncode("/") is the coded value for the character "/" according to the URL encoding rules described in 1.b, namely, "%2F".
    percentEncode(CanonicalizedQueryString) is the encoded string of the Canonicalized Query String constructed in Step 1, produced by following the URL encoding rules described in 1.b.
  3. As defined in RFC2104, compute the HMAC value of the above signature string, using SHA1 as the hash function. Note: The key used for calculating the signature is the Access Key Secret held by the user with the "&" character (ASCII 38) appended to it.
  4. According to Base64 encoding rules, encode the above HMAC value into a string. This gives you the signature value.
  5. Add the obtained signature value to the request parameters as the 'Signature' parameter to sign the request.
  6. Note: When the obtained signature value is submitted to the DNS server as the final request parameter value, it must be URL encoded like every other parameter, according to the RFC3986 rules.

Take DescribeDomainRecords as an example. The request URL prior to signing is as follows:

http://dns.aliyuncs.com/?TimeStamp=2014-08-15T11%3A10%3A07Z&Format=xml&AccessKeyId=testid&Action=DescribeDomainRecords&SignatureMethod=HMAC-SHA1&DomainName=example.com&SignatureNonce=1324fd0e-e2bb-4bb1-917c-bd6e437f1710&SignatureVersion=1.0&Version=2015-01-09

Thus, the StringToSign is:

GET&%2F&AccessKeyId%3Dtestid%26Action%3DDescribeDomainRecords%26Format%3Dxml%26DomainName%3Dexample.com%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3D1324fd0e-e2bb-4bb1-917c-bd6e437f1710%26SignatureVersion%3D1.0%26TimeStamp%3D2014-08-15T11%253A10%253A07Z%26Version%3D2015-01-09

Assuming that the "Access Key ID" is "testid", the "Access Key Secret" is "testsecret", and the Key used for HMAC calculation is "testsecret&", the calculated signature value will be:

SmhZuLUnXmqxSEZ/GqyiwGqmf+M=

The signed request URL is (note the added Signature parameter):

http://dns.aliyuncs.com/?TimeStamp=2014-08-15T11%3A10%3A07Z&Format=xml&AccessKeyId=testid&Action=DescribeDomainRecords&SignatureMethod=HMAC-SHA1&DomainName=example.com&SignatureNonce=1324fd0e-e2bb-4bb1-917c-bd6e437f1710&SignatureVersion=1.0&Version=2015-01-09&Signature=SmhZuLUnXmqxSEZ%2FGqyiwGqmf%2BM%3D
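The following is an added example that walks through steps 1 to 6 above in code, using the DescribeDomainRecords parameters from the worked example. It is not Alibaba Cloud's own SDK code; the helper names (percent_encode, canonicalized_query_string, string_to_sign, compute_signature, signed_url, verify_request) are assumptions chosen for illustration. The canonicalization sorts strictly by parameter name as step 1.a requires, and verify_request shows the server-side counterpart: recompute the signature from the received parameters (excluding Signature) and compare it in constant time.

```python
"""Added example: Alibaba Cloud DNS-style HMAC-SHA1 request signing.

Illustrative code, not the project's SDK. Helper names are assumptions.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample input: the request parameters from the page's example.
EXAMPLE_PARAMS = {
    "TimeStamp": "2014-08-15T11:10:07Z",
    "Format": "xml",
    "AccessKeyId": "testid",
    "Action": "DescribeDomainRecords",
    "SignatureMethod": "HMAC-SHA1",
    "DomainName": "example.com",
    "SignatureNonce": "1324fd0e-e2bb-4bb1-917c-bd6e437f1710",
    "SignatureVersion": "1.0",
    "Version": "2015-01-09",
}


def percent_encode(value: str) -> str:
    """Step 1.b: leave A-Z a-z 0-9 - _ . ~ unencoded; everything else as %XY
    (UTF-8 bytes), space as %20 (never '+'), '*' as %2A, '/' as %2F."""
    return quote(value.encode("utf-8"), safe="-_.~")


def canonicalized_query_string(params: dict) -> str:
    """Step 1: sort by parameter name (case-sensitive byte order), encode
    names and values, join as name=value pairs with '&'. Signature is excluded."""
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in items)


def string_to_sign(http_method: str, params: dict) -> str:
    """Step 2: HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)."""
    return (f"{http_method}&{percent_encode('/')}&"
            f"{percent_encode(canonicalized_query_string(params))}")


def hmac_sha1_base64(key: str, message: str) -> str:
    """Steps 3-4: RFC 2104 HMAC with SHA-1, then Base64-encode the raw digest."""
    digest = hmac.new(key.encode("utf-8"), message.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def compute_signature(http_method: str, params: dict, access_key_secret: str) -> str:
    """Step 3 detail: the HMAC key is the Access Key Secret with '&' appended."""
    return hmac_sha1_base64(access_key_secret + "&", string_to_sign(http_method, params))


def signed_url(endpoint: str, params: dict, access_key_secret: str,
               http_method: str = "GET") -> str:
    """Steps 5-6: append Signature as a parameter, URL-encoded like the others
    (so '/' -> %2F, '+' -> %2B, '=' -> %3D in the Base64 value)."""
    signature = compute_signature(http_method, params, access_key_secret)
    pairs = list(params.items()) + [("Signature", signature)]
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)
    return f"{endpoint}?{query}"


def verify_request(http_method: str, url: str, access_key_secret: str) -> bool:
    """Server-side check (illustrative): decode the query, remove Signature,
    recompute it over the remaining parameters and compare in constant time."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = params.pop("Signature", None)
    if presented is None:
        return False
    expected = compute_signature(http_method, params, access_key_secret)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    print(string_to_sign("GET", EXAMPLE_PARAMS))
    url = signed_url("http://dns.aliyuncs.com/", EXAMPLE_PARAMS, "testsecret")
    print(url)
    print("verified:", verify_request("GET", url, "testsecret"))
```

Two details matter most for interoperability: the StringToSign applies percent-encoding twice to the query values (so the ':' in TimeStamp becomes %253A, as the worked example shows), and the key is the secret plus a trailing '&', not the bare secret. On the verifying side, hmac.compare_digest avoids the early-exit timing difference of an ordinary string comparison; a real server would also check the freshness of TimeStamp and the uniqueness of SignatureNonce, which this snippet does not cover.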

For details regarding request signing and submission, please refer to the appendix: How to Call Interfaces.
