HMAC-SHA1 Signatures

HMAC-SHA1 Signatures

When accessing Amazon SQS using Query, SOAP (without using WS-Security), or REST, you must provide the following items so the request can be authenticated:

• AWSAccessKeyID—Your AWS account is identified by your Access Key ID, which AWS uses to look up your Secret Access Key.
• Signature—Each request must contain a valid request signature, or the request is rejected. A request signature is calculated using your Secret Access Key, which is a shared secret known only to you and AWS.
• Date—Each request must contain the time stamp of the request. Depending on the API you're using (Query, SOAP, or REST), you can provide an expiration date and time for the request instead of or in addition to the time stamp. See the authentication topic for the particular API for details of what is required and allowed for that API.

Below is the series of tasks required to authenticate requests to AWS. It is assumed you have already created an AWS account and received an Access Key ID and Secret Access Key.

You perform the first three tasks.

Process for Authentication: Tasks You Perform

	Construct a request to AWS.
	Calculate a keyed-hash message authentication code (HMAC-SHA1) signature using your Secret Access Key (seehttp://www./rfcs/rfc2104.html for information about HMAC)
	Include the signature and your Access Key ID in the request, and then send the request to AWS.

AWS performs the next three tasks.

Process for Authentication: Tasks AWS Performs

	AWS uses the Access Key ID to look up your Secret Access Key.
	AWS generates a signature from the request data and the Secret Access Key using the same algorithm you used to calculate the signature you sent in the request.
	If the signature generated by AWS matches the one you sent in the request, the request is considered authentic. If the comparison fails, the request is discarded, and AWS returns an error response.

About the String to Sign

Each AWS request you send must include an HMAC-SHA1 request signature calculated with your Secret Access Key (except for SOAP requests using WS-Security). The string you use to calculate the signature (the string to sign) varies depending on the API you're using (Query, SOAP, or REST). The details are covered in the following topics:

• Query Request Authentication

• SOAP without WS-Security

• REST Request Authentication

Tip

If you're using the Query API, you can use the Amazon SQS scratchpad to help you troubleshoot authentication issues. The scratchpad is a simple HTML and JavaScript application that allows you to explore the 2008-01-01 Amazon SQS API without writing any code. The tool constructs a Query request and shows the string to sign and the final signature (using signature version 1) that you would include in the request. To download the scratchpad, go tohttp://developer./connect/entry.jspa?externalID=1254&categoryID=30.

About the Time Stamp

The time stamp (or expiration time) you use in the request must be a dateTime object (http://www./TR/xmlschema-2/#dateTime). Although it is not required, we recommend you provide the time stamp in the Coordinated Universal Time (Greenwich Mean Time) time zone. For example: 2007-01-31T23:59:59.183Z.

If you specify a time stamp (instead of an expiration time), the request automatically expires 15 minutes after the time stamp (in other words, AWS does not process a request if the request time stamp is more than 15 minutes earlier than the current time on AWS servers). Make sure your server's time is set correctly.

	Important
	If you are using .NET you must not send overly specific time stamps, due to different interpretations of how extra time precision should be dropped. To avoid overly specific time stamps, manually construct dateTime objects with no more than millisecond precision.

Java Sample Code for Base64 Encoding

HMAC-SHA1 request signatures must be base64 encoded. The following Java sample code shows how to perform base64 encoding.

package amazon.webservices.common;
/**
* This class defines common routines for encoding * data in AWS Platform requests.
*/
public class Encoding {
/**
* Performs base64-encoding of input bytes.
*
* @param rawData * Array of bytes to be encoded.
* @return * The base64 encoded string representation of rawData.
*/
public static String EncodeBase64(byte[] rawData) {
return Base64.encodeBytes(rawData);
}
}

Java Sample Code for Calculating HMAC-SHA1 Signatures

The following Java code sample shows how to calculate an HMAC request signature.

package amazon.webservices.common;

import java.security.SignatureException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
* This class defines common routines for generating
* authentication signatures for AWS Platform requests.
*/
public class Signature {
private static final String HMAC_SHA1_ALGORITHM = "HmacSHA1";


/**
* Computes RFC 2104-compliant HMAC signature.
* * @param data
* The data to be signed.
* @param key
* The signing key.
* @return
* The Base64-encoded RFC 2104-compliant HMAC signature.
* @throws
* java.security.SignatureException when signature generation fails
*/
public static String calculateRFC2104HMAC(String data, String key)
throws java.security.SignatureException
{
String result;
try {

// get an hmac_sha1 key from the raw key bytes
SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), HMAC_SHA1_ALGORITHM);

// get an hmac_sha1 Mac instance and initialize with the signing key
Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM);
mac.init(signingKey);

// compute the hmac on input data bytes
byte[] rawHmac = mac.doFinal(data.getBytes());

// base64-encode the hmac
result = Encoding.EncodeBase64(rawHmac);

} catch (Exception e) {
throw new SignatureException("Failed to generate HMAC : " + e.getMessage());
}
return result;
}
}