Examples: Signature Calculations

For authenticated requests, unless you are using the SDKs, you have to write code to calculate signatures that provide authentication information in your requests. Signature calculation can be a complex undertaking, and we recommend that you use the SDKs whenever possible.
In this section, we take an example request to show how to calculate a signature. Assuming that you want to call API GetBucket and list the files with prefix “OS” in bucket test-authentication. The request is as follows:

Example Request

GET /?prefix=OS HTTP/1.1
Host: test-authentication.s3-cn-north-1.wcsapi.com
x-wos-date:20201103T104419Z
Authorization: <Authorization>

Using GET with an authorization header (Python)

import sys, os, base64, datetime, hashlib, hmac 
import requests

# ************* REQUEST VALUES *************
# The following code shows how to include authentication in header
# We take API GetBucket as an example
# GET /?prefix=OS
# Host: test-authentication.s3-cn-north-1.wcsapi.com
service = 'wos'
host = 'test-authentication.s3-cn-north-1.wcsapi.com'  
region = 'cn-north-1'
endpoint = 'http://test-authentication.s3-cn-north-1.wcsapi.com'
request_parameters = 'prefix=OS'

# Key derivation functions. 
def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()


# SigningKey derivation functions.
def getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = sign(('WOS' + key).encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'wos_request')
    return kSigning

# Accesss Key and Access Key Secret. You can also read key from env. variables or configuration file.
access_key = 'LqswcPGFYA06V0fQ2HtgVRR3Wi5fzpR******'
secret_key = 'B2UZV6uwULVnosYQxORTYSdbTTAJVptWvDoV0fLENgA3ERPc8UxYfvTigS******'


if access_key is None or secret_key is None:
    print('No access key is available.')
    sys.exit()

# Create a date for headers and the credential string
t = datetime.datetime.utcnow()
wosdate = t.strftime('%Y%m%dT%H%M%SZ')

print('wosdate is: ' + wosdate)
datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope


# ************* TASK 1: CREATE A CANONICAL REQUEST *************
# Step 1: Define the verb (GET, POST, etc.)
method = 'GET'
# Step 2: Create canonical URI--the part of the URI from domain to query 
# Request GetBucket requires no path , so using '/'
canonical_uri = '/' 

# Step 3: Create the canonical query string. In this example (a GET request),
# request parameters are in the query string. Query string values must
# be URL-encoded (space=%20). The parameters must be sorted by name.
# For this example, parameter is 'prefix=OS', which specifies the prefix of files to be listed.
canonical_querystring = request_parameters

# Step 4: Create the canonical headers and signed headers. Header names
# must be trimmed and lowercase, and sorted in code point order from
# low to high. Note that there is a trailing \n.
canonical_headers = 'host:' + host + '\n' + 'x-wos-date:' + wosdate + '\n'

# Step 5: Create the list of signed headers. This lists the headers
# in the canonical_headers list, delimited with ";" and in alpha order.
# Note: "Host" and "x-wos-date" are always required.
signed_headers = 'host;x-wos-date'

# Step 6: Create payload hash (hash of the request body content). For GET
# requests, the payload is an empty string ("").
payload_hash = hashlib.sha256(('').encode('utf-8')).hexdigest()

# Step 7: Combine elements to create canonical request
canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash


# ************* TASK 2: CREATE THE STRING TO SIGN*************
# Match the algorithm to the hashing algorithm you use, either SHA-1 or
# SHA-256 (recommended)
algorithm = 'WOS-HMAC-SHA256'
credential_scope = datestamp + '/' + region + '/' + service + '/' + 'wos_request'
string_to_sign = algorithm + '\n' +  wosdate + '\n' +  credential_scope + '\n' +  hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()


# ************* TASK 3: CALCULATE THE SIGNATURE *************
# Create the signing key using the function defined above.
signing_key = getSignatureKey(secret_key, datestamp, region, service)

# Sign the string_to_sign using the signing_key
signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()
print(signature)


# ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
# Create authorization header and add to request headers
authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' +  'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature
headers = {'x-wos-date':wosdate, 'Authorization':authorization_header}


# ************* SEND THE REQUEST *************
request_url = endpoint + '?' + canonical_querystring

print('\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++')
print('Request URL = ' + request_url)
r = requests.get(request_url, headers=headers)

print('\nRESPONSE++++++++++++++++++++++++++++++++++++')
print('Response code: %d\n' % r.status_code)
print(r.text)