Skip to content

Instantly share code, notes, and snippets.

@Leigh-
Created May 1, 2016 18:17
Show Gist options
  • Save Leigh-/3e2107e6524605001c7d93f308dce243 to your computer and use it in GitHub Desktop.
Save Leigh-/3e2107e6524605001c7d93f308dce243 to your computer and use it in GitHub Desktop.
ColdFusion: AWS Task 3: Calculate the AWS Signature Version 4
<!---
CFML translation of Amazon Web Services Example - Task 3:
http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
--->
<h1>Task 3: Calculate the AWS Signature Version 4</h1>
<div>
<strong>Pseudocode for deriving a signing key</strong>
<pre>
kSecret = Your AWS Secret Access Key
kDate = HMAC("AWS4" + kSecret, Date)
kRegion = HMAC(kDate, Region)
kService = HMAC(kRegion, Service)
kSigning = HMAC(kService, "aws4_request")
</pre>
</div>
<div>
The example uses the same parameters from the request in Task 1 and Task 2 and shows the inputs
to derive a signing key and the resulting output, where:
<pre>
AWS secret key = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
date string = "20150830"
region name = "us-east-1"
service name = "iam"
string to sign = AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/iam/aws4_request
f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59
</pre>
</div>
<div>
<strong>Example signing key</strong>
<pre>
196 175 177 204 87 113 216 113 118 58 57 62 68 183 3 87 27 85 204 40 66 77 26 94 134 218 110 211 193 84 164 185
</pre>
(Encoded as hexadecimal)
<pre>
c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9
</pre>
</div>
<div>
<strong>Example signature</strong>
<pre>
5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
</pre>
<cfscript>
/*
STEP 1: Derive your signing key.
Signing key is derived by generating a series of HMAC-SHA256 codes.
The result of each call function becomes input for the next one.
*/
//Initialize with the same parameters we used for the request in Task 1 and Task 2
yourAWSSecretKey = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY";
regionName = "us-east-1";
serviceName = "iam";
// For the example, use the sample date and time instead of now() in UTC
sampleDateTime = createDateTime(2015,8,30,12,36,0);
dateString = dateFormat(sampleDateTime, "YYYYMMDD");
writeDump(dateString);
// a) Generate initial key by concatentating version and AWS secret key
kSecret = charsetDecode("AWS4" & yourAWSSecretKey, "UTF-8");
// b) Generate HMAC of date string, using initial key value
kDate = binaryDecode( HMAC( lcase(dateString), kSecret, "HMACSHA256", "UTF-8"), "hex" );
// c) Generate HMAC of region name, ie "us-east-1", using previous result as key
kRegion = binaryDecode( HMAC( lcase(regionName), kDate, "HMACSHA256", "UTF-8"), "hex" );
// d) Generate HMAC of service name,ie "iam", using previous result as key
kService = binaryDecode( HMAC( lcase(serviceName), kRegion, "HMACSHA256", "UTF-8"), "hex" );
// e) Finally, generate HMAC of termination string, ie "aws4_request"
kSigning = binaryDecode( HMAC("aws4_request", kService, "HMACSHA256", "UTF-8"), "hex" );
// Expected result: c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9
writeOutput("<br>kSigning:<code>"& lcase(binaryEncode( kSigning, "hex")) &"</code>");
/*
STEP 2: Calculate the signature.
*/
// Initialize with the string already generated in Task 2
stringToSign = "AWS4-HMAC-SHA256"& chr(10)
& "20150830T123600Z"& chr(10)
& "20150830/us-east-1/iam/aws4_request"& chr(10)
& "f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59";
// Use the signing key that you derived and the string to sign as inputs to the keyed hash function.
// After you calculate the signature as a digest, convert the binary value to a hexadecimal representation.
// ie signature = HexEncode(HMAC(derived-signing-key, string-to-sign))
signature = lcase( HMAC( stringToSign, kSigning, "HMACSHA256", "UTF-8" ) );
writeOutput("<br>signature: <code>"& signature &"</code>");
</cfscript>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment