
I am working on implementing the Amazon REST API in our application. The application is built with WinDev. In order to test my signature calculation I decided to try the test suite provided by Amazon: https://docs.aws.amazon.com/general/latest/gr/signature-v4-test-suite.html

This is how I derive the hex value of my canonical request:

sCanonicalRequestHash = :HashCanonicalRequest([
    GET
    /
    Param1=value1&Param2=value2
    host:example.amazonaws.com
    x-amz-date:20150830T123600Z

    host;x-amz-date
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
])

The method HashCanonicalRequest removes all the char 10 (this is done in order to hash the string correctly) and hashes the string into binary using WinDev's HashString function. This binary function is converted to a hex value, all the whitespace is removed and it is changed to lower case.

//Remove char 13 ,otherwise the hash fails( Windows enter )
sResult = Replace(sResult, Charact(13), "")
//Create hash
sResult = HashString(HA_SHA_256, sResult)
//Convert hash to lower case hex
sResult = Lower(BufferToHexa(sResult, 1, 32))
//Remove spaces
sResult = Replace(sResult," ", "")

This results in the following value: 816cd5b414d056048ba4f7c5386d6e0533120fb1fcfa93762cf0fc39e2cf19e0

This is the value expected by the test suite. So far so good.

Next up is the string to sign, which looks as follows:

AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/service/aws4_request
816cd5b414d056048ba4f7c5386d6e0533120fb1fcfa93762cf0fc39e2cf19e0

Now it's time to calculate the signing key. First up, some values given by the test suite:

sSecret is string = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
sDate   is string = "20150830"
sRegion is string = "us-east-1"

And now the calculation:

bufDateKey is Buffer = WL.HashString(HA_HMAC_SHA_256, sDate, "AWS4" + sSecret)
bufRegionKey is Buffer = WL.HashString(HA_HMAC_SHA_256, sRegion, bufDateKey)
bufServiceKey is Buffer = WL.HashString(HA_HMAC_SHA_256, "service", bufRegionKey)
bufSigningKey is Buffer = WL.HashString(HA_HMAC_SHA_256, "aws4_request", bufServiceKey)

Amazon provides a different test in order to check your calculations here, and this calculation is tested and returns the value expected.

Now for the part that doesn't do what the test suite expects. The signature calculation.

//Hashing the ss with psSigningKey as the key
bufSignature = WL.HashString(HA_HMAC_SHA_256, ss, bufSigningKey)
//Converting the hash to hex
bufSignature = BufferToHexa(bufSignature, 1, 32)
//Converting the hex value to lower case and remove any whitespace
bufSignature = Replace(Lower(bufSignature), " ", "") 

ss is the string value of the string to sign as shown in the third code snippet. bufSigningKey is the binary value of the result for the for last code snippet. This is converted to hex, all the white space is removed and the string is converted to lower case. This does not return the signature as shown by the test suite.

I hope someone can help.

T Jasinski
  • The string-to-sign has ASCII 10 (0x0a) at the end of each line except for the last line, which has nothing at end of line. Is this how you are building it? – Michael - sqlbot Oct 17 '18 at 22:53
  • Yes this is intended as documented by Amazon: `Append the hash of the canonical request that you created in Task 1: Create a Canonical Request for Signature Version 4. This value is not followed by a newline character. The hashed canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.` – T Jasinski Oct 18 '18 at 07:23

0 Answers
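
A reference computation for cross-checking each intermediate value from the question, added here as an example and not part of the original post or of Amazon's test suite. It is written in Python rather than WLanguage, uses only the inputs quoted in the question, and its function names are hypothetical; it also signs a CRLF-joined string to sign, to show how a leftover character 13 (the line-ending point raised in the comments) changes the result.

```python
import hashlib
import hmac

# Inputs copied from the question (AWS SigV4 test-suite values).
SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
DATE, REGION, SERVICE = "20150830", "us-east-1", "service"
AMZ_DATE = "20150830T123600Z"
CANONICAL_REQUEST = "\n".join([          # lines joined with char 10 only
    "GET",
    "/",
    "Param1=value1&Param2=value2",
    "host:example.amazonaws.com",
    "x-amz-date:20150830T123600Z",
    "",
    "host;x-amz-date",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
])

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request_hash(request: str = CANONICAL_REQUEST) -> str:
    return hashlib.sha256(request.encode("utf-8")).hexdigest()

def string_to_sign(newline: str = "\n") -> str:
    # No newline after the last line, as the quoted AWS documentation says.
    scope = f"{DATE}/{REGION}/{SERVICE}/aws4_request"
    return newline.join(["AWS4-HMAC-SHA256", AMZ_DATE, scope, canonical_request_hash()])

def signing_key() -> bytes:
    # Same chain as the question: each step keys HMAC with the raw previous digest.
    key = _hmac(("AWS4" + SECRET).encode("utf-8"), DATE)
    for part in (REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    return key

def signature(sts: str) -> str:
    return _hmac(signing_key(), sts).hex()

def byte_dump(sts: str) -> str:
    # Hex of the exact bytes fed to HMAC, for comparison with another implementation.
    return sts.encode("utf-8").hex()

if __name__ == "__main__":
    for label, newline in (("LF", "\n"), ("CRLF", "\r\n")):
        sts = string_to_sign(newline)
        print(label, len(sts.encode("utf-8")), "bytes", signature(sts))
        print("  ", byte_dump(sts))
```

Comparing `byte_dump` output with a hex dump of the other implementation's string to sign shows any differing byte (line ending, trailing newline, or character encoding) before the HMAC step.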