Authentication of Signature in a URL
OBS allows users to construct a URL for a specific operation. The URL contains information such as the user's AK, signature, validity period, and resources. Any user who obtains the URL can perform the operation. After receiving the request, the OBS deems that the operation is performed by the user who issues the URL. For example, if the URL of an object download request carries signature information is constructed, the user who obtains the URL can download the object, but the URL is valid only within the expiration time specified by the parameter of Expires. The URL that carries the signature is used to allow others to use the pre-issued URL for identity authentication when the SK is not provided, and perform the predefined operation.
The format of the message where a signature is contained in the URL:
GET /ObjectKey?AccessKeyId=AccessKeyID&Expires=ExpiresValue&Signature=signature HTTP/1.1 Host: bucketname.obs.eu-west-101.myhuaweicloud.eu
The format of the message where a temporary AK/SK pair and a security token are used in the URL for downloading objects:
GET /ObjectKey?AccessKeyId=AccessKeyID&Expires=ExpiresValue&Signature=signature&x-obs-security-token=securitytoken HTTP/1.1 Host: bucketname.obs.eu-west-101.myhuaweicloud.eu
Table 1 describes the parameters.
Parameter |
Description |
Mandatory |
---|---|---|
AccessKeyId |
AK information of the issuer. OBS determines the identity of the issuer based on the AK and considers that the URL is accessed by the issuer. Type: string |
Yes |
Expires |
Indicates when the temporarily authorized URL expires, in seconds. The time must be in Coordinated Universal Time (UTC) format and later than 00:00:00 on January 1, 1970. Type: string |
Yes |
Signature |
The signature generated using the SK and the expiration time. Type: string |
Yes |
x-obs-security-token |
During temporary authentication, the temporary AK/SK and security token must be used at the same time and the x-obs-security-token field must be added to the request header. For details about how to obtain a temporary AK/SK pair and security token, see Obtaining a Temporary AK/SK Pair and Security Token. |
No |
The process of calculating a signature is as follows:
- Construct the StringToSign.
- Encode the result of 1 in UTF-8.
- Use the SK to calculate the HMAC-SHA1 signature on the result of 2.
- Encode the result of 3 in Base64.
- Encode the result of 4 in URL to obtain the signature.
The StringToSign is constructed according to the following rules. Table 2 describes the parameters.
StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Expires + "\n" + CanonicalizedHeaders + CanonicalizedResource;
Parameter |
Description |
---|---|
HTTP-Verb |
Indicates an HTTP request method supported by the OBS REST API. The value can be an HTTP verb such as PUT, GET, or DELETE. |
Content-MD5 |
Base64-encoded 128-bit MD5 digest of the message according to RFC 1864. This parameter can be empty. |
Content-Type |
Specifies the message type, for example, text/plain. If a request does not contain this header field, this parameter is deemed as an empty string. |
Expires |
Expiration time of the temporary authorization, that is, the value of parameter Expires in the request message: ExpiresValue. |
CanonicalizedHeaders |
OBS request header field in an HTTP request header, referring to header fields starting with x-obs-, such as, x-obs-date, x-obs-acl, and x-obs-meta-*.
|
CanonicalizedResource |
Indicates the OBS resource specified by an HTTP request. This parameter is constructed as follows: <Bucket name + Object name> + [Subresource 1] + [Subresource 2] + ...
NOTE:
|
The signature is generated as follows based on the StringToSign and SK. The hash-based message authentication code algorithm (HMAC algorithm) is used to generate the signature.
Signature = URL-Encode( Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ) )
The method for calculating the signature carried in the URL is different from that for calculating the authorization signature carried in a header.
- The signature in the URL must be encoded using the URL after Base64 encoding.
- Expires in StringToSign corresponds to Date in the Authorization header.
Generate a predefined URL instance for the browser by carrying the signature in the URL.
Request Header |
StringToSign |
---|---|
GET /objectkey?AccessKeyId=MFyfvK41ba2giqM7Uio6PznpdUKGpownRZlmVmHc&Expires=1532779451&Signature=0Akylf43Bm3mD1bh2rM3dmVp1Bo%3D HTTP/1.1 Host: examplebucket.obs.eu-west-101.myhuaweicloud.eu |
GET \n \n \n 1532779451\n /examplebucket/objectkey |
Request Header |
StringToSign |
---|---|
GET /objectkey?AccessKeyId=MFyfvK41ba2giqM7Uio6PznpdUKGpownRZlmVmHc&Expires=1532779451&Signature=0Akylf43Bm3mD1bh2rM3dmVp1Bo%3D&x-obs-security-token=YwkaRTbdY8g7q.... HTTP/1.1 Host: examplebucket.obs.eu-west-101.myhuaweicloud.eu |
GET \n \n \n 1532779451\n /examplebucket/objectkey?x-obs-security-token=YwkaRTbdY8g7q.... |
Calculation rule of the signature
Signature = URL-Encode( Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ) )
Calculate the signature and use the host as the prefix of the URL to generate a predefined URL:
http(s)://examplebucket.obs.region.myhuaweicloud.eu/objectkey?AccessKeyId=AccessKeyID&Expires=1532779451&Signature=0Akylf43Bm3mD1bh2rM3dmVp1Bo%3D
If you enter the address in the browser, then the object objectkey in the examplebucket bucket can be downloaded. The validity period of this link is 1532779451 (indicating Sat Jul 28 20:04:11 CST 2018).
In the Linux operating system, when running the curl command, you need to add a forward slash (\) to escape the character (&). The following command can download the objectkey object to the output file:
curl http(s)://examplebucket.obs.region.myhuaweicloud.eu/objectkey?AccessKeyId=AccessKeyID\&Expires=1532779451\&Signature=0Akylf43Bm3mD1bh2rM3dmVp1Bo%3D -X GET -o output
If you want to use the pre-defined URL generated by the signature carried in the URL in the browser, do not use Content-MD5, Content-Type, or CanonicalizedHeaders that can only be carried in the header to calculate the signature. Otherwise, the browser cannot carry these parameters. After the request is sent to the server, a message is displayed indicating that the signature is incorrect.
Signature Calculation in Java
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 |
import java.io.UnsupportedEncodingException; import java.net.URLEncoder; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Locale; import java.util.Map; import java.util.TreeMap; import java.util.regex.Pattern; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; public class SignDemo { private static final String SIGN_SEP = "\n"; private static final String OBS_PREFIX = "x-obs-"; private static final String DEFAULT_ENCODING = "UTF-8"; private static final List<String> SUB_RESOURCES = Collections.unmodifiableList(Arrays.asList( "CDNNotifyConfiguration", "acl", "append", "attname", "cors", "delete", "deletebucket", "directcoldaccess", "encryption", "inventory", "length", "lifecycle", "location", "logging", "metadata", "mirrorBackToSource", "modify", "name", "notification", "obscompresspolicy", "partNumber", "policy", "position", "quota","rename", "replication", "response-cache-control", "response-content-disposition","response-content-encoding", "response-content-language", "response-content-type", "response-expires","restore", "storageClass", "storagePolicy", "storageinfo", "tagging", "torrent", "truncate", "uploadId", "uploads", "versionId", "versioning", "versions", "website", "x-obs-security-token")); private String ak; private String sk; private boolean isBucketNameValid(String bucketName) { if (bucketName == null || bucketName.length() > 63 || bucketName.length() < 3) { return false; } if (!Pattern.matches("^[a-z0-9][a-z0-9.-]+$", bucketName)) { return false; } if (Pattern.matches("(\\d{1,3}\\.){3}\\d{1,3}", bucketName)) { return false; } String[] fragments = bucketName.split("\\."); for (int i = 0; i < fragments.length; i++) { if (Pattern.matches("^-.*", fragments[i]) || Pattern.matches(".*-$", fragments[i]) || Pattern.matches("^$", fragments[i])) { return false; } } return true; } public String encodeUrlString(String path) throws UnsupportedEncodingException { return URLEncoder.encode(path, DEFAULT_ENCODING) .replaceAll("\\+", "%20") .replaceAll("\\*", "%2A") .replaceAll("%7E", "~"); } public String encodeObjectName(String objectName) throws UnsupportedEncodingException { StringBuilder result = new StringBuilder(); String[] tokens = objectName.split("/"); for (int i = 0; i < tokens.length; i++) { result.append(this.encodeUrlString(tokens[i])); if (i < tokens.length - 1) { result.append("/"); } } return result.toString(); } private String join(List<?> items, String delimiter) { StringBuilder sb = new StringBuilder(); for (int i = 0; i < items.size(); i++) { String item = items.get(i).toString(); sb.append(item); if (i < items.size() - 1) { sb.append(delimiter); } } return sb.toString(); } private boolean isValid(String input) { return input != null && !input.equals(""); } public String hmacSha1(String input) throws NoSuchAlgorithmException, InvalidKeyException, UnsupportedEncodingException { SecretKeySpec signingKey = new SecretKeySpec(this.sk.getBytes(DEFAULT_ENCODING), "HmacSHA1"); Mac mac = Mac.getInstance("HmacSHA1"); mac.init(signingKey); return Base64.getEncoder().encodeToString(mac.doFinal(input.getBytes(DEFAULT_ENCODING))); } private String stringToSign(String httpMethod, Map<String, String[]> headers, Map<String, String> queries, String bucketName, String objectName, long expires) throws Exception { String contentMd5 = ""; String contentType = ""; TreeMap<String, String> canonicalizedHeaders = new TreeMap<String, String>(); String key; List<String> temp = new ArrayList<String>(); for (Map.Entry<String, String[]> entry : headers.entrySet()) { key = entry.getKey(); if (key == null || entry.getValue() == null || entry.getValue().length == 0) { continue; } key = key.trim().toLowerCase(Locale.ENGLISH); if (key.equals("content-md5")) { contentMd5 = entry.getValue()[0]; continue; } if (key.equals("content-type")) { contentType = entry.getValue()[0]; continue; } if (key.startsWith(OBS_PREFIX)) { for (String value : entry.getValue()) { if (value != null) { temp.add(value.trim()); } } canonicalizedHeaders.put(key, this.join(temp, ",")); temp.clear(); } } // handle method/content-md5/content-type StringBuilder stringToSign = new StringBuilder(); stringToSign.append(httpMethod).append(SIGN_SEP) .append(contentMd5).append(SIGN_SEP) .append(contentType).append(SIGN_SEP) .append(expires).append(SIGN_SEP); // handle canonicalizedHeaders for (Map.Entry<String, String> entry : canonicalizedHeaders.entrySet()) { stringToSign.append(entry.getKey()).append(":").append(entry.getValue()).append(SIGN_SEP); } // handle CanonicalizedResource stringToSign.append("/"); if (this.isValid(bucketName)) { stringToSign.append(bucketName).append("/"); if (this.isValid(objectName)) { stringToSign.append(this.encodeObjectName(objectName)); } } TreeMap<String, String> canonicalizedResource = new TreeMap<String, String>(); for (Map.Entry<String, String> entry : queries.entrySet()) { key = entry.getKey(); if (key == null) { continue; } if (SUB_RESOURCES.contains(key)) { canonicalizedResource.put(key, entry.getValue()); } } if (canonicalizedResource.size() > 0) { stringToSign.append("?"); for (Map.Entry<String, String> entry : canonicalizedResource.entrySet()) { stringToSign.append(entry.getKey()); if (this.isValid(entry.getValue())) { stringToSign.append("=").append(entry.getValue()); } stringToSign.append("&"); } stringToSign.deleteCharAt(stringToSign.length() - 1); } // System.out.println(String.format("StringToSign:%s%s", SIGN_SEP, stringToSign.toString())); return stringToSign.toString(); } public String querySignature(String httpMethod, Map<String, String[]> headers, Map<String, String> queries, String bucketName, String objectName, long expires) throws Exception { if (!isBucketNameValid(bucketName)) { throw new IllegalArgumentException("the bucketName is illegal"); } //1. stringToSign String stringToSign = this.stringToSign(httpMethod, headers, queries, bucketName, objectName, expires); //2. signature return this.encodeUrlString(this.hmacSha1(stringToSign)); } public String getURL(String endpoint, Map<String, String> queries, String bucketName, String objectName, String signature, long expires) throws UnsupportedEncodingException { StringBuilder URL = new StringBuilder(); URL.append("https://").append(bucketName).append(".").append(endpoint).append("/"). append(this.encodeObjectName(objectName)).append("?"); String key; for (Map.Entry<String, String> entry : queries.entrySet()) { key = entry.getKey(); if (key == null) { continue; } if (SUB_RESOURCES.contains(key)) { String value = entry.getValue(); URL.append(key); if (value != null) { URL.append("=").append(value).append("&"); } else { URL.append("&"); } } } URL.append("AccessKeyId=").append(this.ak).append("&Expires=").append(expires). append("&Signature=").append(signature); return URL.toString(); } public static void main(String[] args) throws Exception { SignDemo demo = new SignDemo(); /* Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK and store them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables for identity authentication. Before running the code in this example, configure environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK. */ demo.ak = System.getenv("HUAWEICLOUD_SDK_AK"); demo.sk = System.getenv("HUAWEICLOUD_SDK_SK"); String endpoint = "<your-endpoint>"; String bucketName = "bucket-test"; String objectName = "hello.jpg"; // A header cannot be included if you want to use a URL to access OBS with a browser. If a header is added to headers, the signature does not match. To use headers, it must be processed by the client. Map<String, String[]> headers = new HashMap<String, String[]>(); Map<String, String> queries = new HashMap<String, String>(); // Expiration time. Set it to expire in 24 hours. long expires = (System.currentTimeMillis() + 86400000L) / 1000; String signature = demo.querySignature("GET", headers, queries, bucketName, objectName, expires); System.out.println(signature); String URL = demo.getURL(endpoint, queries, bucketName, objectName, signature, expires); System.out.println(URL); } } |
Signature Mismatch Error Handling
During an OBS API call, if the following error is reported:
Status code: 403 Forbidden
Error code: SignatureDoesNotMatch
Error message: The request signature we calculated does not match the signature you provided. Check your key and signing method.
Handle the problem by referring to Why Don't the Signatures Match?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.