
Signature mechanism

Last Updated: Mar 13, 2018

Alibaba Cloud performs identity authentication for every access request. Therefore, you must include the signature information in the request, whether you submit it over HTTP or HTTPS. The requester's identity is verified using a symmetric-key scheme based on the Access Key ID and Access Key Secret. The Access Key ID and Access Key Secret are officially issued to visitors by Alibaba Cloud (you can apply for and manage them on the Alibaba Cloud official website). Specifically:

  • The Access Key ID indicates the identity of the visitor.

  • The Access Key Secret is the secret key used to sign the string to sign and to verify the signature on the server. It must be kept strictly confidential and known only to Alibaba Cloud and the user.

    Note: Alibaba Cloud offers SDKs and third-party SDKs in different languages, which spare you from coding the signature algorithm yourself. For more information about the Alibaba Cloud SDKs, see Alibaba Cloud SDK.

Signature operation

When you visit a server, the following method is used to sign the request:

  1. The Canonicalized Query String is constructed using the request parameters.

    1. Sort parameters.

      All request parameters (including the public request parameters and the user-defined parameters of the given API, but excluding the Signature parameter listed among the public request parameters) are sorted alphabetically by parameter name.

      Note: When a request is submitted using the GET method, these parameters are the query section of the request URI (that is, the section following ? and joined by &).

    2. Encode parameters.

      The name and value of each request parameter are URL-encoded using UTF-8. The URL encoding rules are as follows:

      • The characters A-Z, a-z, 0-9, and -, _, ., ~ are not encoded.

      • Other characters are encoded in the %XY format, where XY is the character's ASCII code in hexadecimal notation. For example, the double quotation mark (") is encoded as %22.

      • Extended UTF-8 characters are encoded in the %XY%ZA… format, one %XY group per byte.

      • The space character ( ) is encoded as %20, not as a plus sign (+).

        This encoding is similar to, but not identical with, the commonly used application/x-www-form-urlencoded MIME encoding (for example, java.net.URLEncoder in the Java standard library). If you use such a standard-library encoder, encode first and then replace the plus signs (+) in the encoded string with %20 and the asterisks (*) with %2A, and change %7E back to the tilde (~), to obtain the encoding described by the rules above. This can be done with the following method:

        import java.io.UnsupportedEncodingException;
        import java.net.URLEncoder;

        private static final String ENCODING = "UTF-8";

        // RFC 3986 percent-encoding built on URLEncoder, with the "+", "*" and "%7E" differences fixed up.
        private static String percentEncode(String value) throws UnsupportedEncodingException {
            return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
        }
    3. Connect each encoded parameter name and its encoded value with the equals sign (=).

    4. Then sort the name=value pairs in alphabetical order and connect them with the & symbol to produce the Canonicalized Query String.

  2. Construct the string for signature calculation using the canonicalized query string in the previous step according to the following rules.

    StringToSign =
        HTTPMethod + "&" +
        percentEncode("/") + "&" +
        percentEncode(CanonicalizedQueryString)
    • HTTPMethod is the HTTP method used for request submission, for example, GET.

    • percentEncode("/") is the encoded value (%2F) of the character /, obtained according to the URL encoding rules described in 1.ii.

    • percentEncode(CanonicalizedQueryString) is the Canonicalized Query String constructed in Step 1, encoded as a whole according to the URL encoding rules described in 1.ii.

  3. Calculate the HMAC value of the StringToSign obtained above, as defined in RFC 2104.

    Note: The key used for the signature calculation is the Access Key Secret held by the user followed by the & character (ASCII 38), and SHA1 is used as the hashing algorithm.

  4. Encode the HMAC value as a string according to the Base64 encoding rules to obtain the signature value (Signature).

  5. Add the obtained signature value to the request parameters as the Signature parameter to sign the request.

Note: As with the other parameters, the obtained signature value must be URL-encoded according to RFC 3986 before it is submitted to the live server as the final value of the Signature request parameter.

Example

Taking DescribeLiveService as an example, the request URL before signing is as follows:

  http://live.aliyuncs.com/?SignatureVersion=1.0&Format=JSON&Timestamp=2015-08-06T02:19:46Z&AccessKeyId=testid&SignatureMethod=HMAC-SHA1&Version=2014-11-11&Action=DescribeLiveService&SignatureNonce=9b7a44b0-3be1-11e5-8c73-08002700c460

The StringToSign is:

  GET&%2F&AccessKeyId%3Dtestid&Action%3DDescribeLiveService&Format%3DJSON&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3D9b7a44b0-3be1-11e5-8c73-08002700c460&SignatureVersion%3D1.0&Timestamp%3D2015-08-06T02%253A19%253A46Z&Version%3D2014-11-11

Assume the Access Key ID is testid and the Access Key Secret is testsecret, so that the key used for the HMAC calculation is testsecret&. The calculated signature value is:

  L5m9NrptrrFq7weQ/YUHZinh8b8=

The signed request URL is (note the added Signature parameter):

  http://live.aliyuncs.com/?SignatureVersion=1.0&Format=JSON&Timestamp=2015-08-06T02%3A19%3A46Z&AccessKeyId=testid&SignatureMethod=HMAC-SHA1&Version=2014-11-11&Signature=L5m9NrptrrFq7weQ%2FYUHZinh8b8%3D&Action=DescribeLiveService&SignatureNonce=9b7a44b0-3be1-11e5-8c73-08002700c460
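As an added example (not code from the Alibaba Cloud documentation or SDKs), the following Python implements steps 1 to 5 for the DescribeLiveService request above, plus the server-side check that recomputes the signature over every parameter except Signature and compares it in constant time. Because rule 2 is applied to the whole Canonicalized Query String in step 2, its & separators appear as %26 inside StringToSign; the secret testsecret, the endpoint and all parameter values are taken from the document's example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # Rule 2 encoding: keep A-Z a-z 0-9 - _ . ~; space -> %20, '*' -> %2A, '/' -> %2F.
    return quote(str(value), safe="-_.~")


def canonicalized_query_string(params: dict) -> str:
    # Step 1: drop Signature, sort by name, encode names and values, join with = and &.
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)


def string_to_sign(method: str, params: dict) -> str:
    # Step 2: HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString).
    return "&".join([method, percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])


def sign(method: str, params: dict, access_key_secret: str) -> str:
    # Steps 3 and 4: HMAC-SHA1 keyed with AccessKeySecret + "&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def signed_url(endpoint: str, method: str, params: dict, access_key_secret: str) -> str:
    # Step 5: add Signature, then percent-encode every value, the signature included.
    signed = dict(params, Signature=sign(method, params, access_key_secret))
    return endpoint + "?" + "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                                    for k, v in signed.items())


def verify(method: str, params: dict, access_key_secret: str) -> bool:
    # Server side: recompute over all parameters except Signature; constant-time compare.
    presented = str(params.get("Signature", ""))
    return hmac.compare_digest(sign(method, params, access_key_secret), presented)


# Constructed from the document's DescribeLiveService example request.
EXAMPLE_PARAMS = {
    "SignatureVersion": "1.0", "Format": "JSON", "Timestamp": "2015-08-06T02:19:46Z",
    "AccessKeyId": "testid", "SignatureMethod": "HMAC-SHA1", "Version": "2014-11-11",
    "Action": "DescribeLiveService",
    "SignatureNonce": "9b7a44b0-3be1-11e5-8c73-08002700c460",
}

if __name__ == "__main__":
    print(string_to_sign("GET", EXAMPLE_PARAMS))
    print(signed_url("http://live.aliyuncs.com/", "GET", EXAMPLE_PARAMS, "testsecret"))
```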