Request signatures

Last Updated: Mar 20, 2025

Alibaba Cloud BSS OpenAPI requires identity authentication for each API request. Therefore, you must include the signature information in every HTTP or HTTPS request.

This service uses symmetric-key signing with an AccessKey pair to verify the identity of the API caller. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID and AccessKey secret are issued to you by Alibaba Cloud. You can apply for and manage them on the Alibaba Cloud official website. The AccessKey ID is used to verify your identity, whereas the AccessKey secret is the key used to compute and verify the signature string (an HMAC, as described in Step 3). You must keep your AccessKey secret strictly confidential.

Perform the following steps to sign a request:

  1. Use the request parameters to construct a canonicalized query string.

    1. Arrange the request parameters, including all common request parameters and operation-specific parameters except Signature, in alphabetical order.

      Note

      If you use the GET method to submit a request, the request parameters are included as a part of the uniform resource identifier (URI). The request parameters in the URI are placed after the question mark (?) and are connected by ampersands (&).

    2. Encode the name and value of each request parameter in UTF-8 based on the following URL encoding rules: Letters, digits, hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded. Other characters must be percent-encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22. Extended UTF-8 characters are encoded in the %XY%ZA... format. Spaces must be encoded as %20. Do not encode spaces as plus signs (+).

      Note

      In most cases, the libraries that support URL encoding, such as java.net.URLEncoder, provide an encoding method based on the rules for the Multipurpose Internet Mail Extensions (MIME) type of application/x-www-form-urlencoded. To use this encoding method, replace plus signs (+) with %20, asterisks (*) with %2A, and %7E with tildes (~) in the encoded strings.

    3. Connect the encoded name and value of each request parameter with an equal sign (=).

    4. Sort the key-value pairs connected by equal signs (=) in alphabetical order by parameter name, and connect them with ampersands (&) to obtain the canonicalized query string.

  2. Create a string-to-sign from the encoded canonicalized query string based on the following rules:

    StringToSign=
    percentEncode(HTTPMethod) + "&" +
    percentEncode("/") + "&" +
    percentEncode(CanonicalizedQueryString)

    The HTTPMethod parameter specifies the HTTP method used in the request. The percentEncode("/") string is the encoded value for a forward slash (/) based on the URL encoding rules described in Step 1.b. In this example, the value is %2F. The percentEncode(CanonicalizedQueryString) string is the canonicalized query string generated in Step 1, encoded again based on the URL encoding rules that are described in Step 1.b, so the equal signs (=), ampersands (&), and percent signs (%) that it already contains are themselves encoded as %3D, %26, and %25.

  3. Calculate the hash-based message authentication code (HMAC) value of the string-to-sign based on the HMAC algorithm that is described in RFC 2104. The key that is used for signature calculation is the combination of your AccessKey secret and an ampersand (&), which is ASCII 38. The hash algorithm Secure Hash Algorithm 1 (SHA1) is used.

  4. Encode the HMAC value in Base64 to obtain the signature string.

  5. Add the signature string to the request as the Signature parameter. This way, the API request is signed.

Note

When the signature string is submitted to the account server as the value of a request parameter, the string must be URL-encoded in the same way as other parameters by following RFC 3986 rules.
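
The five steps and the closing note above, as an added Python example (not Alibaba Cloud SDK code and not part of the original page). The parameter names, values and secret in `SAMPLE_PARAMS` and `SAMPLE_SECRET` are constructed, "alphabetical order" is assumed to mean case-sensitive code-point order, and `verify()` is a hypothetical helper showing how a receiver recomputes the signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def percent_encode(value):
    # Step 1.b: UTF-8 bytes, everything except A-Z a-z 0-9 - _ . ~ becomes %XY;
    # a space is %20 (never +) and * is %2A.
    return quote(str(value), safe="~", encoding="utf-8")

def canonicalized_query_string(params):
    # Step 1: drop Signature, order by parameter name, encode, join with = and &.
    # Assumption: "alphabetical" is taken as case-sensitive code-point order.
    names = sorted(k for k in params if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(params[k])}" for k in names)

def string_to_sign(method, params):
    # Step 2: method, "/" and the canonicalized query string, each percent-encoded.
    return "&".join(percent_encode(p) for p in
                    (method, "/", canonicalized_query_string(params)))

def sign(method, params, access_key_secret):
    # Steps 3-4: HMAC-SHA1 keyed with "<AccessKey secret>&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_query(method, params, access_key_secret):
    # Step 5 and the final note: Signature is percent-encoded like any other value.
    sig = sign(method, params, access_key_secret)
    return canonicalized_query_string(params) + "&Signature=" + percent_encode(sig)

def verify(method, params, access_key_secret):
    # Receiving side: recompute over all parameters but Signature, constant-time compare.
    expected = sign(method, params, access_key_secret).encode("ascii")
    return hmac.compare_digest(expected, str(params.get("Signature", "")).encode("utf-8"))

# Constructed sample input: parameter names, values and the secret are illustrative.
SAMPLE_PARAMS = {
    "Timestamp": "2025-03-20T08:00:00Z",
    "Action": "DescribeExample",
    "AccessKeyId": "testid",
    "Remark": 'a b*c~d+"\u00e9"',
}
SAMPLE_SECRET = "testsecret"

if __name__ == "__main__":
    print(signed_query("GET", SAMPLE_PARAMS, SAMPLE_SECRET))
```

A signature mismatch against the service most often comes from Step 1.b (a `+` for a space, an unencoded `*`, or an encoded `~`) or from forgetting the trailing `&` on the HMAC key.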