Sunday, February 13, 2011

How to Calculate an RFC 2104-compliant HMAC for AWS signature version 3 using pure Bash and OpenSSL

With AWS Signature V3, you just need to sign the value of the "Date:" header (an HMAC-SHA256 keyed with your secret key, Base64-encoded) and provide the result in the "X-Amzn-Authorization:" header of the AWS REST request you make to Amazon.

Here is a simple way to sign your request according to the AWS V3 signature specs, with pure Bash and OpenSSL (no Java, Perl, Ruby or anything else you do not necessarily have at hand or understand deeply).

  • Don't forget to substitute your own AWS credentials and options

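# String to sign: the RFC 2822 date that will also be sent as the "Date:" header
xStringToSign=$(date -R -d '+5 sec')

# HMAC-SHA256 of that string, keyed with the AWS secret key, then Base64-encoded
xSignedString=$(printf '%s' "$xStringToSign" | openssl dgst -sha256 -hmac AWSsecretKey -binary | openssl enc -base64)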

Let's try it with AWS SES (Amazon Simple Email Service):

  • Action : SendEmail
  • Parameter : EmailAddress
  • Parameter : Source
  • Parameter : Destination.ToAddresses.member.1
  • Parameter : Message.Subject.Data
  • Parameter : Message.Body.Text.Data

# The REST Request should look like this before URLEncoding :

https://email.us-east-1.amazonaws.com
?Action=SendEmail
&Source=XavMe@me.com
&Destination.ToAddresses.member.1=XavMe@me.com
&Message.Subject.Data=This is a First Test
&Message.Body.Text.Data=This is My First Test

# Don't forget to URLEncode all of this

# Create the Signature V3 :

xStringToSign=$(date -R -d '+5 sec')

xSignedString=$(printf '%s' "$xStringToSign" | openssl dgst -sha256 -hmac AWSsecretKey -binary | openssl enc -base64)

curl -sS \
-H "Date: $xStringToSign" \
-H "X-Amzn-Authorization: AWS3-HTTPS AWSAccessKeyId=AWSaccessKey,Algorithm=HmacSHA256,Signature=$xSignedString" \
"https://email.us-east-1.amazonaws.com?Action=SendEmail&Source=XavMe@me.com&Destination.ToAddresses.member.1=XavMe@me.com&Message.Subject.Data=This%20is%20a%20First%20Test&Message.Body.Text.Data=This%20is%20My%20First%20Test"

# If everything goes fine, you should get an HTTP 200 along with a MessageId and RequestId
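
The same flow as a reusable script, with the URL-encoding step done in the shell instead of by hand. This is an added example, not code from the original post: the function names (urlencode, build_query, sign_v3, auth_header), the example.com addresses and the EXAMPLE-* credentials are constructed placeholders, and it only prints the headers and URL rather than calling SES.

```bash
# Added example: builds the AWS3-HTTPS request pieces offline (nothing is sent).

# Percent-encode everything outside the RFC 3986 unreserved set (ASCII input assumed).
urlencode() (
  LC_ALL=C; s=$1; out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest   # peel off the first character
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Join name/value argument pairs into an encoded query string.
build_query() (
  q=
  while [ "$#" -ge 2 ]; do
    q="$q${q:+&}$(urlencode "$1")=$(urlencode "$2")"
    shift 2
  done
  printf '%s' "$q"
)

# $1 = secret key, $2 = exact "Date:" header value.
# Caveat: -hmac puts the key in openssl's argument list, so it is visible
# in the process list while openssl runs.
sign_v3() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" -binary | openssl enc -base64
}

# $1 = access key id, $2 = signature returned by sign_v3.
auth_header() {
  printf 'X-Amzn-Authorization: AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=HmacSHA256,Signature=%s' "$1" "$2"
}

# Constructed placeholder credentials and addresses, not real ones.
date_hdr=$(date -R)
sig=$(sign_v3 'EXAMPLE-SECRET-KEY' "$date_hdr")
printf 'Date: %s\n%s\n' "$date_hdr" "$(auth_header 'EXAMPLE-ACCESS-KEY-ID' "$sig")"
printf 'https://email.us-east-1.amazonaws.com?%s\n' "$(build_query \
  Action SendEmail Source 'sender@example.com' \
  Destination.ToAddresses.member.1 'rcpt@example.com' \
  Message.Subject.Data 'This is a First Test' \
  Message.Body.Text.Data 'Body: 100% plain & simple')"
```

The signed string must be byte-for-byte the value sent in the "Date:" header, which is why both come from the same variable.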

Even easier than V2, isn't it?

I didn't try Signature V3 with the EC2 API: it shouldn't work, as the specs and User Guide only talk about V2 (V1 being deprecated).
For V2, see my previous post.

Hope this helps.
