Last active
March 5, 2024 20:37
-
-
Save yvanin/0bdf68c1139ad698519e to your computer and use it in GitHub Desktop.
This C# code calculates a request signature using Version 4 signing process. It was developed for and tested on Amazon SQS requests, so it does not cover every scenario for the other services, e.g. multipart uploads are not supported. Nevertheless, it's simple and independent single class that can be easily embedded into other projects. .NET Fra…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Collections.Specialized; | |
| using System.Globalization; | |
| using System.Linq; | |
| using System.Net.Http; | |
| using System.Security.Cryptography; | |
| using System.Text; | |
| namespace AwsV4SignatureCalculator | |
| { | |
| public class AwsV4SignatureCalculator | |
| { | |
| public const string Iso8601DateTimeFormat = "yyyyMMddTHHmmssZ"; | |
| public const string Iso8601DateFormat = "yyyyMMdd"; | |
| private readonly string _awsSecretKey; | |
| private readonly string _service; | |
| private readonly string _region; | |
| /// <param name="service">AWS service name, e.g. "sqs" or "ec2"</param> | |
| /// <param name="region">AWS region to send requests to</param> | |
| public AwsV4SignatureCalculator(string awsSecretKey, string service, string region = null) | |
| { | |
| _awsSecretKey = awsSecretKey; | |
| _service = service; | |
| _region = region ?? "us-east-1"; | |
| } | |
| /// <summary> | |
| /// Calculates request signature string using Signature Version 4. | |
| /// http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html | |
| /// </summary> | |
| /// <param name="request">Request</param> | |
| /// <param name="signedHeaders">Canonical headers that are a part of a signing process</param> | |
| /// <param name="requestDate">Date and time when request takes place</param> | |
| /// <returns>Signature</returns> | |
| public string CalculateSignature(HttpRequestMessage request, string[] signedHeaders, DateTime requestDate) | |
| { | |
| signedHeaders = signedHeaders.Select(x => x.Trim().ToLowerInvariant()).OrderBy(x => x).ToArray(); | |
| var canonicalRequest = GetCanonicalRequest(request, signedHeaders); | |
| var stringToSign = GetStringToSign(requestDate, canonicalRequest); | |
| return GetSignature(requestDate, stringToSign); | |
| } | |
| // http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html | |
| private static string GetCanonicalRequest(HttpRequestMessage request, string[] signedHeaders) | |
| { | |
| var canonicalRequest = new StringBuilder(); | |
| canonicalRequest.AppendFormat("{0}\n", request.Method.Method); | |
| canonicalRequest.AppendFormat("{0}\n", request.RequestUri.AbsolutePath); | |
| canonicalRequest.AppendFormat("{0}\n", GetCanonicalQueryParameters(request.RequestUri.ParseQueryString())); | |
| canonicalRequest.AppendFormat("{0}\n", GetCanonicalHeaders(request, signedHeaders)); | |
| canonicalRequest.AppendFormat("{0}\n", String.Join(";", signedHeaders)); | |
| canonicalRequest.Append(GetPayloadHash(request)); | |
| return canonicalRequest.ToString(); | |
| } | |
| private static string GetCanonicalQueryParameters(NameValueCollection queryParameters) | |
| { | |
| StringBuilder canonicalQueryParameters = new StringBuilder(); | |
| foreach (string key in queryParameters) | |
| { | |
| canonicalQueryParameters.AppendFormat("{0}={1}&", Utils.UrlEncode(key), | |
| Utils.UrlEncode(queryParameters[key])); | |
| } | |
| // remove trailing '&' | |
| if (canonicalQueryParameters.Length > 0) | |
| canonicalQueryParameters.Remove(canonicalQueryParameters.Length - 1, 1); | |
| return canonicalQueryParameters.ToString(); | |
| } | |
| private static string GetCanonicalHeaders(HttpRequestMessage request, IEnumerable<string> signedHeaders) | |
| { | |
| var headers = request.Headers.ToDictionary(x => x.Key.Trim().ToLowerInvariant(), | |
| x => String.Join(" ", x.Value).Trim()); | |
| if (request.Content != null) | |
| { | |
| var contentHeaders = request.Content.Headers.ToDictionary(x => x.Key.Trim().ToLowerInvariant(), | |
| x => String.Join(" ", x.Value).Trim()); | |
| foreach (var contentHeader in contentHeaders) | |
| { | |
| headers.Add(contentHeader.Key, contentHeader.Value); | |
| } | |
| } | |
| var sortedHeaders = new SortedDictionary<string, string>(headers); | |
| StringBuilder canonicalHeaders = new StringBuilder(); | |
| foreach (var header in sortedHeaders.Where(header => signedHeaders.Contains(header.Key))) | |
| { | |
| canonicalHeaders.AppendFormat("{0}:{1}\n", header.Key, header.Value); | |
| } | |
| return canonicalHeaders.ToString(); | |
| } | |
| private static string GetPayloadHash(HttpRequestMessage request) | |
| { | |
| var payload = request.Content != null ? request.Content.ReadAsStringAsync().Result : ""; | |
| return Utils.ToHex(Utils.Hash(payload)); | |
| } | |
| // http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html | |
| private string GetStringToSign(DateTime requestDate, string canonicalRequest) | |
| { | |
| var dateStamp = requestDate.ToString(Iso8601DateFormat, CultureInfo.InvariantCulture); | |
| var scope = string.Format("{0}/{1}/{2}/{3}", dateStamp, _region, _service, "aws4_request"); | |
| var stringToSign = new StringBuilder(); | |
| stringToSign.AppendFormat("AWS4-HMAC-SHA256\n{0}\n{1}\n", | |
| requestDate.ToString(Iso8601DateTimeFormat, CultureInfo.InvariantCulture), | |
| scope); | |
| stringToSign.Append(Utils.ToHex(Utils.Hash(canonicalRequest))); | |
| return stringToSign.ToString(); | |
| } | |
| // http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html | |
| private string GetSignature(DateTime requestDate, string stringToSign) | |
| { | |
| var kSigning = GetSigningKey(requestDate); | |
| return Utils.ToHex(Utils.GetKeyedHash(kSigning, stringToSign)); | |
| } | |
| private byte[] GetSigningKey(DateTime requestDate) | |
| { | |
| var dateStamp = requestDate.ToString(Iso8601DateFormat, CultureInfo.InvariantCulture); | |
| var kDate = Utils.GetKeyedHash("AWS4" + _awsSecretKey, dateStamp); | |
| var kRegion = Utils.GetKeyedHash(kDate, _region); | |
| var kService = Utils.GetKeyedHash(kRegion, _service); | |
| return Utils.GetKeyedHash(kService, "aws4_request"); | |
| } | |
| private static class Utils | |
| { | |
| private const string ValidUrlCharacters = | |
| "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~"; | |
| public static string UrlEncode(string data) | |
| { | |
| StringBuilder encoded = new StringBuilder(); | |
| foreach (char symbol in Encoding.UTF8.GetBytes(data)) | |
| { | |
| if (ValidUrlCharacters.IndexOf(symbol) != -1) | |
| { | |
| encoded.Append(symbol); | |
| } | |
| else | |
| { | |
| encoded.Append("%").Append(string.Format(CultureInfo.InvariantCulture, "{0:X2}", (int) symbol)); | |
| } | |
| } | |
| return encoded.ToString(); | |
| } | |
| public static byte[] Hash(string value) | |
| { | |
| return new SHA256CryptoServiceProvider().ComputeHash(Encoding.UTF8.GetBytes(value)); | |
| } | |
| public static byte[] GetKeyedHash(string key, string value) | |
| { | |
| return GetKeyedHash(Encoding.UTF8.GetBytes(key), value); | |
| } | |
| public static byte[] GetKeyedHash(byte[] key, string value) | |
| { | |
| KeyedHashAlgorithm mac = new HMACSHA256(key); | |
| mac.Initialize(); | |
| return mac.ComputeHash(Encoding.UTF8.GetBytes(value)); | |
| } | |
| public static string ToHex(byte[] data) | |
| { | |
| StringBuilder sb = new StringBuilder(); | |
| for (int i = 0; i < data.Length; i++) | |
| { | |
| sb.Append(data[i].ToString("x2", CultureInfo.InvariantCulture)); | |
| } | |
| return sb.ToString(); | |
| } | |
| } | |
| } | |
| } |
can anyone give me working example for aws post request content should be json
@myvanin thanks!
Thanks, above code helped me lot. I also need to add auth data to URL. Currently, in the above code its sent to Header. When I send that I am getting signature doesn't match error
UrlToSend = UrlToSend + "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=" + ApiAuthInfoAccessKey + "%2F" + amzShortDate + "%2F" + ApiAuthInfoAWSRegion + "%2F" + ApiAuthInfoAWSServiceName + "%2Faws4_request&X-Amz-Date=" + amzLongDate + "&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature=" + Signature + "";
This is the URL I am sending
Here is my code for AWS api with adding auth to URL
using ApiStrong.DAL.DataModel;
using ApiStrong.Library.HelperMethod;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using ApiStrong.DAL.Repository;
using System.Net.Http;
using System.IO;
using System.Security.Cryptography;
using System.Web;
using System.Net;
namespace APIStrongExecuteQueueUtility
{
class Program
{
//public static string url = "https://aws-url-host.com/v1/employees";
// With query string - as example
public static string url = "YOUR URL";
public static string accessKey = "YOURAWS-ACCESSKEY-INHERE";
public static string secretkey = "YOURAWS-SECRETKEY-INHERE";
public static string awsRegion = "us-east-1";
public static string awsServiceName = "execute-api";
public static string xApiKey = "APIKEY-TOCALLAWSFUNCTION-IFNEEDED";
static void Main(string[] args)
{
ExcuteAWSAPI();
}
public static void ExcuteAWSAPI()
{
// 0. Prepare request message.
// Get and save dates ready for further use.
DateTimeOffset utcNowSaved = DateTimeOffset.UtcNow;
string amzLongDate = utcNowSaved.ToString("yyyyMMddTHHmmssZ");
string amzShortDate = utcNowSaved.ToString("yyyyMMdd");
Uri uri = new Uri(url);
// **************************************************** SIGNING PORTION ****************************************************
// 1. Create Canonical Request
var canonicalRequest = new StringBuilder();
canonicalRequest.Append("POST" + "\n");
canonicalRequest.Append(string.Join("/", uri.AbsolutePath.Split('/').Select(Uri.EscapeDataString)) + "\n");
//canonicalRequest.Append("\n"); // Query params to do.
canonicalRequest.Append("X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=" + accessKey + "%2Fus-east-1%2F" + awsServiceName + "%2Faws4_request&X-Amz-Date=" + amzLongDate + "&X-Amz-Expires=86400&X-Amz-SignedHeaders=host");
canonicalRequest.Append("\n");
var headersToBeSigned = new List<string>();
canonicalRequest.Append("host");
canonicalRequest.Append(":");
canonicalRequest.Append(string.Join(",", uri.Host.Trim()));
canonicalRequest.Append("\n");
headersToBeSigned.Add("host");
canonicalRequest.Append("\n");
var signedHeaders = string.Join(";", headersToBeSigned);
canonicalRequest.Append(signedHeaders + "\n");
canonicalRequest.Append("UNSIGNED-PAYLOAD");
//canonicalRequest.Append("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"); // Signature for empty body.
// Hash(msg.Content.ReadAsByteArrayAsync().Result);
// 2. String to sign.
string stringToSign = "AWS4-HMAC-SHA256" + "\n" + amzLongDate + "\n" + amzShortDate + "/" + awsRegion + "/" + awsServiceName + "/aws4_request" + "\n" + Hash(Encoding.UTF8.GetBytes(canonicalRequest.ToString()));
// 3. Signature with compounded elements.
var dateKey = HmacSha256(Encoding.UTF8.GetBytes("AWS4" + secretkey), amzShortDate);
var dateRegionKey = HmacSha256(dateKey, awsRegion);
var dateRegionServiceKey = HmacSha256(dateRegionKey, awsServiceName);
var signingKey = HmacSha256(dateRegionServiceKey, "aws4_request");
var signature = ToHexString(HmacSha256(signingKey, stringToSign.ToString()));
// **************************************************** END SIGNING PORTION ****************************************************
// Invoke the request with HttpClient.
HttpClient client = new HttpClient();
url = url + "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=" + accessKey + "%2F" + amzShortDate + "%2F" + awsRegion + "%2F" + awsServiceName + "%2Faws4_request&X-Amz-Date=" + amzLongDate + "&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature=" + signature + "";
HttpRequestMessage msg = new HttpRequestMessage(HttpMethod.Post, url);
HttpResponseMessage result = client.SendAsync(msg).Result;
var dd = result.Content.ReadAsStringAsync().Result;
if (result.IsSuccessStatusCode)
{
// Inspect the result and payload returned.
Console.WriteLine(result.Headers);
Console.WriteLine(result.Content.ReadAsStringAsync().Result);
// Wait on user.
Console.ReadLine();
}
}
/// <summary>
/// Gets the query string parameters.
/// </summary>
/// <param name="request">(HttpRequestMessage) Request with Headers in.</param>
/// <returns>(string) Params in order.</returns>
private static string GetCanonicalQueryParams(HttpRequestMessage request)
{
var values = new SortedDictionary<string, string>();
var querystring = HttpUtility.ParseQueryString(request.RequestUri.Query);
foreach (var key in querystring.AllKeys)
{
if (key == null)//Handles keys without values
{
values.Add(Uri.EscapeDataString(querystring[key]), $"{Uri.EscapeDataString(querystring[key])}=");
}
else
{
// Escape to upper case. Required.
values.Add(Uri.EscapeDataString(key), $"{Uri.EscapeDataString(key)}={Uri.EscapeDataString(querystring[key])}");
}
}
// Put in order - this is important.
var queryParams = values.Select(a => a.Value);
return string.Join("&", queryParams);
}
/// <summary>
/// SHA 265.
/// </summary>
/// <param name="bytesToHash"></param>
/// <returns>(string) Hashed result.</returns>
public static string Hash(byte[] bytesToHash)
{
return ToHexString(SHA256.Create().ComputeHash(bytesToHash));
}
/// <summary>
/// To hex string.
/// </summary>
/// <param name="array"> Bytes to make hex.</param>
/// <returns>(string) As Hex.</returns>
private static string ToHexString(IReadOnlyCollection<byte> array)
{
var hex = new StringBuilder(array.Count * 2);
foreach (var b in array)
{
hex.AppendFormat("{0:x2}", b);
}
return hex.ToString();
}
/// <summary>
/// Encryption method for AWS.
/// </summary>
/// <param name="key">(Byte []) Key.</param>
/// <param name="data">(string) Data.</param>
/// <returns>(Byte []) Hmac result.</returns>
private static byte[] HmacSha256(byte[] key, string data)
{
return new HMACSHA256(key).ComputeHash(Encoding.UTF8.GetBytes(data));
}
}
}
@AndrewMaisey can u help?
Suspect there is something amiss in the signature line @priyankaj1910
Check the values you are wrapping up into the signature. Other than that I don't know.
Perhaps the docs might guide: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
Suspect there is something amiss in the signature line.
Check the values you are wrapping up into the signature. Other than that I don't know.
Perhaps the docs might guide: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
Yes referred to this one https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html ... getting signature not matched . DId all steps properly not sure what is wrong
Thanks @AndrewMaisey, worked great for me!
Thanks @AndrewMaisey, after some hours wasting time with another libraries your code works really good!
Thanks for posting this @yvanin - I put together a NuGet package which creates AWS V4 signatures and would love your feedback. Cheers, Joel
Do we have any nuget packager for .net Framework 2.1 application to sign AWS API request?
https://github.com/aws-samples/sigv4a-signing-examples/blob/main/dotnet/ seems to be for dotnet core only.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks for this code, it really helpme a lot, it got me confuse the documentation from amazon, thanks!!!