Generating an AWS Signature v4 signature for uploading to s3

Okay, so I am trying to create an AWS v4 signature using this template from Amazon in JavaScript, with Node.js. I am using the template's credentials, region, date, and service in order to test my signing function.

I am using the following format to generate my signature: Link to image

My StringToSign is the base64 encoded POST policy from the template:


And my signing key is generated using the following code acquired from the Amazon Signature v4 key derivation template:

var cryptojs = require("crypto-js");

// Derive the SigV4 signing key. Each HMAC step is keyed with the previous
// step's result (crypto-js takes the message first, then the key).
function getSignatureKey(Crypto, key, dateStamp, regionName, serviceName) {
    var kDate = Crypto.HmacSHA256(dateStamp, "AWS4" + key);
    var kRegion = Crypto.HmacSHA256(regionName, kDate);
    var kService = Crypto.HmacSHA256(serviceName, kRegion);
    var kSigning = Crypto.HmacSHA256("aws4_request", kService);
    return kSigning;
}

My key is the SecretAccessKey from the template linked above (wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), my date is "20151229", my region is "us-east-1" and my service name is "s3".

And finally, to get the output I am using

var signature = cryptojs.HmacSHA256(stringToSign, signingKey).toString()

The expected output from the calculation is:

46503978d3596de22955b4b18d6dfb1d54e8c5958727d5bdcd02cc1119c60fc9

But the output I am getting is:

8afdbf4008c03f22c2cd3cdb72e4afbb1f6a588f3255ac628749a66d7f09699e

If you see where I went wrong, please let me know. I think I have followed Amazon's template, but it seems I have made an error somewhere.

Sena answered 14/7, 2017 at 18:51 Comment(6)
Why not just use something like github.com/mhart/aws4? - Seal
Or the AWS JavaScript SDK, of course, but I presume there's a good reason. Perhaps it's academic interest (which I encourage and promote). - Wolters
I entered in real data instead of test data and the upload just worked. I still don't know if I was reading something wrong, but I changed nothing in the code and the upload authenticates just fine. - Sena
I'm starting to believe that the 46503978d3596de22955b4b18d6dfb1d54e8c5958727d5bdcd02cc1119c60fc9 in their docs is simply wrong and the correct one is what you got, 8afdbf4008c03f22c2cd3cdb72e4afbb1f6a588f3255ac628749a66d7f09699e, which is what I'm getting also. - Sleepwalk
Possible duplicate of AWS Signature Version 4 S3 Upload using Node.js - Coridon
@AbdullahKhawer - The answer is actually given by Paulo Henrique's comment: The expected value 0x46...c9 is simply wrong and the value that the OP determines with their code 0x8a...9e is correct. The linked Amazon website also shows the correct value 0x8a...9e (this may not have been the case in 2017 and has since been corrected). - Caswell

At the time when this question was asked, the AWS documentation had the incorrect signature value. So there was nothing wrong with the approach. AWS fixed it later. You can see the following in the documentation now:

Using example credentials to create a signature, the signature value is as follows (in signature calculation, the date is same as the x-amz-date in the policy (20151229)):

8afdbf4008c03f22c2cd3cdb72e4afbb1f6a588f3255ac628749a66d7f09699e

And that is the correct value as well.

Reference to AWS Document: AWS Docs > Example: Browser-Based Upload using HTTP POST (Using AWS Signature Version 4) > Correct Signature Value

Bottomry answered 3/5, 2024 at 15:33 Comment(0)
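
An independent cross-check of the derivation discussed in this thread, as an added example (not code from the question, the answers or AWS): it recomputes the signature with Node's built-in crypto module, so a result can be compared against a crypto-js result before suspecting the reference value. The policy is constructed, so its signature differs from the values quoted above; `signPolicy`, `signPolicyHexChained` and `signaturesMatch` are hypothetical helper names.

```javascript
// Added example, not from the original post. Uses Node's built-in crypto module.
const crypto = require("node:crypto");

// HMAC-SHA256 returning the raw digest as a Buffer.
const hmac = (key, data) =>
  crypto.createHmac("sha256", key).update(data, "utf8").digest();

// SigV4 key derivation: every step is keyed with the previous step's raw bytes.
function deriveSigningKey(secretKey, dateStamp, region, service) {
  const kDate = hmac("AWS4" + secretKey, dateStamp);
  const kRegion = hmac(kDate, region);
  const kService = hmac(kRegion, service);
  return hmac(kService, "aws4_request");
}

// For a POST policy upload, the string to sign is the base64 policy itself.
function signPolicy(policyB64, secretKey, dateStamp, region, service) {
  const key = deriveSigningKey(secretKey, dateStamp, region, service);
  return hmac(key, policyB64).toString("hex");
}

// Faulty variant for comparison: hex-encodes each intermediate key, so the
// next HMAC is keyed with 64 ASCII characters instead of 32 raw bytes.
function signPolicyHexChained(policyB64, secretKey, dateStamp, region, service) {
  const hex = (key, data) => hmac(key, data).toString("hex");
  const kDate = hex("AWS4" + secretKey, dateStamp);
  const kRegion = hex(kDate, region);
  const kService = hex(kRegion, service);
  return hex(hex(kService, "aws4_request"), policyB64);
}

// Constant-time comparison of two hex-encoded signatures.
function signaturesMatch(a, b) {
  const x = Buffer.from(a, "hex");
  const y = Buffer.from(b, "hex");
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Example secret key, date, region and service as quoted in the question.
const SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
// Constructed policy (an assumption; not the one from the AWS documentation).
const SAMPLE_POLICY_B64 = Buffer.from(JSON.stringify({
  expiration: "2015-12-30T12:00:00.000Z",
  conditions: [{ bucket: "example-bucket" }, ["starts-with", "$key", "user/"]],
})).toString("base64");

const sig = signPolicy(SAMPLE_POLICY_B64, SECRET, "20151229", "us-east-1", "s3");
console.log(sig);
```

If two independent implementations agree with each other and disagree with a documented value, as happened in this thread, the documented value is the likelier error.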
