Class AWS4Signer
AWS4 protocol signer for service calls that transmit authorization in the header field "Authorization".
public class AWS4Signer : AbstractAWSSigner
Constructors
AWS4Signer()
public AWS4Signer()
AWS4Signer(bool)
public AWS4Signer(bool signPayload)
Parameters
signPayload
bool
Fields
AWS4AlgorithmTag
public const string AWS4AlgorithmTag = "AWS4-HMAC-SHA256"
Field Value
AWS4aAlgorithmTag
public const string AWS4aAlgorithmTag = "AWS4-ECDSA-P256-SHA256"
Field Value
AWSChunkedEncoding
public const string AWSChunkedEncoding = "aws-chunked"
Field Value
Algorithm
public const string Algorithm = "HMAC-SHA256"
Field Value
Credential
public const string Credential = "Credential"
Field Value
EmptyBodySha256
public const string EmptyBodySha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
Field Value
Scheme
public const string Scheme = "AWS4"
Field Value
Signature
public const string Signature = "Signature"
Field Value
SignedHeaders
public const string SignedHeaders = "SignedHeaders"
Field Value
Sigv4aAlgorithm
public const string Sigv4aAlgorithm = "ECDSA-P256-SHA256"
Field Value
StreamingBodySha256
public const string StreamingBodySha256 = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
Field Value
StreamingBodySha256WithTrailer
public const string StreamingBodySha256WithTrailer = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"
Field Value
Terminator
public const string Terminator = "aws4_request"
Field Value
TerminatorBytes
public static readonly byte[] TerminatorBytes
Field Value
- byte[]
UnsignedPayload
public const string UnsignedPayload = "UNSIGNED-PAYLOAD"
Field Value
UnsignedPayloadWithTrailer
public const string UnsignedPayloadWithTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
Field Value
V4aStreamingBodySha256
public const string V4aStreamingBodySha256 = "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD"
Field Value
V4aStreamingBodySha256WithTrailer
public const string V4aStreamingBodySha256WithTrailer = "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER"
Field Value
Properties
Protocol
public override ClientProtocol Protocol { get; }
Property Value
SignPayload
public bool SignPayload { get; }
Property Value
Methods
CanonicalizeHeaderNames(IEnumerable<KeyValuePair<string, string>>)
Returns the set of headers included in the signature as a flattened, ;-delimited string
protected static string CanonicalizeHeaderNames(IEnumerable<KeyValuePair<string, string>> sortedHeaders)
Parameters
sortedHeaders
IEnumerable<KeyValuePair<string, string>>
The headers included in the signature
Returns
- string
Formatted string of header names
CanonicalizeHeaders(IEnumerable<KeyValuePair<string, string>>)
Computes the canonical headers with values for the request. Only headers included in the signature are included in the canonicalization process.
protected static string CanonicalizeHeaders(IEnumerable<KeyValuePair<string, string>> sortedHeaders)
Parameters
sortedHeaders
IEnumerable<KeyValuePair<string, string>>
All request headers, sorted into canonical order
Returns
- string
Canonicalized string of headers, with the header names in lower case.
CanonicalizeQueryParameters(IEnumerable<KeyValuePair<string, string>>)
protected static string CanonicalizeQueryParameters(IEnumerable<KeyValuePair<string, string>> parameters)
Parameters
parameters
IEnumerable<KeyValuePair<string, string>>
Returns
CanonicalizeQueryParameters(IEnumerable<KeyValuePair<string, string>>, bool)
Computes and returns the canonicalized query string, if query parameters have been supplied. Parameters with no value will be canonicalized as 'param='. The expectation is that parameters have not already been url encoded prior to canonicalization.
protected static string CanonicalizeQueryParameters(IEnumerable<KeyValuePair<string, string>> parameters, bool uriEncodeParameters)
Parameters
parameters
IEnumerable<KeyValuePair<string, string>>
The set of parameters to be encoded in the query string
uriEncodeParameters
bool
Parameters must be uri encoded into the canonical request and by default the signer expects that the supplied collection contains non-encoded data. Set this to false if the encoding was done prior to signer entry.
Returns
- string
The uri encoded query string parameters in canonical ordering
CanonicalizeQueryParameters(string)
protected static string CanonicalizeQueryParameters(string queryString)
Parameters
queryString
string
Returns
CanonicalizeQueryParameters(string, bool)
Computes and returns the canonicalized query string, if query parameters have been supplied. Parameters with no value will be canonicalized as 'param='. The expectation is that parameters have not already been url encoded prior to canonicalization.
protected static string CanonicalizeQueryParameters(string queryString, bool uriEncodeParameters)
Parameters
queryString
string
The set of parameters being passed on the uri
uriEncodeParameters
bool
Parameters must be uri encoded into the canonical request and by default the signer expects that the supplied collection contains non-encoded data. Set this to false if the encoding was done prior to signer entry.
Returns
- string
The uri encoded query string parameters in canonical ordering
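The effect of the uriEncodeParameters flag, as an added example that is not the SDK's source code: a stand-alone canonicalizer that encodes with the RFC 3986 unreserved set, sorts by ordinal name, and emits 'param=' for a parameter with no value. The class, the KV helper and the sample parameters are constructed for illustration. The third call passes already-encoded data with encoding left on, so each '%' becomes '%25' and the canonical string (and therefore the signature) no longer matches what a verifier computes from the wire request.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Added example: illustrative re-implementation, not AWS4Signer's own code.
public static class CanonicalQueryDemo
{
    // Percent-encode every UTF-8 byte outside the RFC 3986 unreserved set.
    static string UriEncode(string s)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s ?? ""))
        {
            char c = (char)b;
            bool unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                              (c >= '0' && c <= '9') ||
                              c == '-' || c == '_' || c == '.' || c == '~';
            if (unreserved) sb.Append(c);
            else sb.Append('%').Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    public static string Canonicalize(
        IEnumerable<KeyValuePair<string, string>> parameters, bool uriEncodeParameters)
    {
        var pairs = parameters.Select(p => new KeyValuePair<string, string>(
            uriEncodeParameters ? UriEncode(p.Key) : p.Key,
            uriEncodeParameters ? UriEncode(p.Value) : (p.Value ?? "")));
        // Ordinal sort on the encoded name, then the encoded value.
        return string.Join("&", pairs
            .OrderBy(p => p.Key, StringComparer.Ordinal)
            .ThenBy(p => p.Value, StringComparer.Ordinal)
            .Select(p => p.Key + "=" + p.Value));
    }

    static KeyValuePair<string, string> KV(string k, string v) =>
        new KeyValuePair<string, string>(k, v);

    public static void Main()
    {
        // Constructed sample parameters: one with a space and slash, one with no value.
        var raw = new[] { KV("prefix", "logs/2024 q1"), KV("acl", null), KV("Marker", "a&b") };
        var preEncoded = new[] { KV("prefix", "logs%2F2024%20q1"), KV("acl", ""), KV("Marker", "a%26b") };

        Console.WriteLine(Canonicalize(raw, true));         // raw input, signer encodes
        Console.WriteLine(Canonicalize(preEncoded, false)); // caller encoded, signer must not
        Console.WriteLine(Canonicalize(preEncoded, true));  // mismatch: encoded twice
    }
}
```

The first two lines of output are identical; the third differs, which is the failure the flag exists to prevent.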
CanonicalizeRequest(Uri, string, string, IDictionary<string, string>, string, string)
Computes and returns the canonical request
protected static string CanonicalizeRequest(Uri endpoint, string resourcePath, string httpMethod, IDictionary<string, string> sortedHeaders, string canonicalQueryString, string precomputedBodyHash)
Parameters
endpoint
Uri
The endpoint URL
resourcePath
string
The path of the resource being operated on
httpMethod
string
The http method used for the request
sortedHeaders
IDictionary<string, string>
The full request headers, sorted into canonical order
canonicalQueryString
string
The query parameters for the request
precomputedBodyHash
string
The hash of the binary request body if present. If not supplied, the routine will look for the hash as a header on the request.
Returns
- string
Canonicalised request as a string
CanonicalizeRequest(Uri, string, string, IDictionary<string, string>, string, string, IDictionary<string, string>)
Computes and returns the canonical request
protected static string CanonicalizeRequest(Uri endpoint, string resourcePath, string httpMethod, IDictionary<string, string> sortedHeaders, string canonicalQueryString, string precomputedBodyHash, IDictionary<string, string> pathResources)
Parameters
endpoint
Uri
The endpoint URL
resourcePath
string
The path of the resource being operated on
httpMethod
string
The http method used for the request
sortedHeaders
IDictionary<string, string>
The full request headers, sorted into canonical order
canonicalQueryString
string
The query parameters for the request
precomputedBodyHash
string
The hash of the binary request body if present. If not supplied, the routine will look for the hash as a header on the request.
pathResources
IDictionary<string, string>
The path resource values lookup to use to replace the keys within resourcePath
Returns
- string
Canonicalised request as a string
CanonicalizeRequest(Uri, string, string, IDictionary<string, string>, string, string, IDictionary<string, string>, bool)
Computes and returns the canonical request
protected static string CanonicalizeRequest(Uri endpoint, string resourcePath, string httpMethod, IDictionary<string, string> sortedHeaders, string canonicalQueryString, string precomputedBodyHash, IDictionary<string, string> pathResources, bool doubleEncode)
Parameters
endpoint
Uri
The endpoint URL
resourcePath
string
The path of the resource being operated on
httpMethod
string
The http method used for the request
sortedHeaders
IDictionary<string, string>
The full request headers, sorted into canonical order
canonicalQueryString
string
The query parameters for the request
precomputedBodyHash
string
The hash of the binary request body if present. If not supplied, the routine will look for the hash as a header on the request.
pathResources
IDictionary<string, string>
The path resource values lookup to use to replace the keys within resourcePath
doubleEncode
bool
Encode "/" when canonicalizing the resource path
Returns
- string
Canonicalised request as a string
ComposeSigningKey(string, string, string, string)
Compute and return the multi-stage signing key for the request.
public static byte[] ComposeSigningKey(string awsSecretAccessKey, string region, string date, string service)
Parameters
awsSecretAccessKey
string
The clear-text AWS secret key, if not held in secureKey
region
string
The region in which the service request will be processed
date
string
Date of the request, in yyyyMMdd format
service
string
The name of the service being called by the request
Returns
- byte[]
Computed signing key
ComputeHash(byte[])
Computes the non-keyed hash of the supplied data
public static byte[] ComputeHash(byte[] data)
Parameters
data
byte[]
Returns
- byte[]
ComputeHash(string)
Computes the non-keyed hash of the supplied data
public static byte[] ComputeHash(string data)
Parameters
data
string
Returns
- byte[]
ComputeKeyedHash(SigningAlgorithm, byte[], byte[])
Compute and return the hash of a data blob using the specified key
public static byte[] ComputeKeyedHash(SigningAlgorithm algorithm, byte[] key, byte[] data)
Parameters
algorithm
SigningAlgorithm
Algorithm to use for hashing
key
byte[]
Hash key
data
byte[]
Data blob
Returns
- byte[]
Hash of the data
ComputeKeyedHash(SigningAlgorithm, byte[], string)
Compute and return the hash of a data blob using the specified key
public static byte[] ComputeKeyedHash(SigningAlgorithm algorithm, byte[] key, string data)
Parameters
algorithm
SigningAlgorithm
Algorithm to use for hashing
key
byte[]
Hash key
data
string
Data blob
Returns
- byte[]
Hash of the data
ComputeSignature(ImmutableCredentials, string, DateTime, string, string, string)
Computes and returns an AWS4 signature for the specified canonicalized request
public static AWS4SigningResult ComputeSignature(ImmutableCredentials credentials, string region, DateTime signedAt, string service, string signedHeaders, string canonicalRequest)
Parameters
credentials
ImmutableCredentials
region
string
signedAt
DateTime
service
string
signedHeaders
string
canonicalRequest
string
Returns
ComputeSignature(string, string, string, DateTime, string, string, string)
Computes and returns an AWS4 signature for the specified canonicalized request
public static AWS4SigningResult ComputeSignature(string awsAccessKey, string awsSecretAccessKey, string region, DateTime signedAt, string service, string signedHeaders, string canonicalRequest)
Parameters
awsAccessKey
string
awsSecretAccessKey
string
region
string
signedAt
DateTime
service
string
signedHeaders
string
canonicalRequest
string
Returns
ComputeSignature(string, string, string, DateTime, string, string, string, RequestMetrics)
Computes and returns an AWS4 signature for the specified canonicalized request
public static AWS4SigningResult ComputeSignature(string awsAccessKey, string awsSecretAccessKey, string region, DateTime signedAt, string service, string signedHeaders, string canonicalRequest, RequestMetrics metrics)
Parameters
awsAccessKey
string
awsSecretAccessKey
string
region
string
signedAt
DateTime
service
string
signedHeaders
string
canonicalRequest
string
metrics
RequestMetrics
Returns
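How the multi-stage key from ComposeSigningKey and the signature from ComputeSignature fit together, as an added example that is not the SDK's source code: a stand-alone derivation using the Scheme, Terminator and AWS4AlgorithmTag values listed above. It goes one step beyond the page by building the SigV4 string-to-sign; the class and method names, the secret, the host and the timestamp are constructed. Because region, date and service are mixed into the key, the two derived keys printed for different regions differ, which limits what a leaked derived key can sign.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: stand-alone SigV4 key derivation, not the SDK's source code.
public static class SigV4KeyDemo
{
    // Values of AWS4Signer.Scheme, Terminator and AWS4AlgorithmTag from this page.
    const string Scheme = "AWS4";
    const string Terminator = "aws4_request";
    const string AlgorithmTag = "AWS4-HMAC-SHA256";

    static byte[] Hmac(byte[] key, string data)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    static string Hex(byte[] bytes) =>
        string.Concat(bytes.Select(b => b.ToString("x2")));

    static string Sha256Hex(string data)
    {
        using (var sha = SHA256.Create())
            return Hex(sha.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    // Each HMAC output keys the next stage: date, region, service, terminator.
    public static byte[] DeriveSigningKey(string secret, string region, string date, string service)
    {
        byte[] kDate = Hmac(Encoding.UTF8.GetBytes(Scheme + secret), date);
        byte[] kRegion = Hmac(kDate, region);
        byte[] kService = Hmac(kRegion, service);
        return Hmac(kService, Terminator);
    }

    // Signature = hex(HMAC(signing key, string-to-sign)).
    public static string Sign(string secret, string region, DateTime utc,
                              string service, string canonicalRequest)
    {
        string date = utc.ToString("yyyyMMdd", CultureInfo.InvariantCulture);
        string stamp = utc.ToString("yyyyMMdd'T'HHmmss'Z'", CultureInfo.InvariantCulture);
        string scope = date + "/" + region + "/" + service + "/" + Terminator;
        string stringToSign = AlgorithmTag + "\n" + stamp + "\n" + scope + "\n" +
                              Sha256Hex(canonicalRequest);
        return Hex(Hmac(DeriveSigningKey(secret, region, date, service), stringToSign));
    }

    public static void Main()
    {
        const string secret = "CONSTRUCTED-EXAMPLE-SECRET"; // constructed, not a real credential
        var when = new DateTime(2024, 1, 15, 12, 0, 0, DateTimeKind.Utc); // constructed
        // Constructed canonical request: GET / with host and x-amz-date signed, empty body.
        string canonical = "GET\n/\n\nhost:example.amazonaws.com\n" +
                           "x-amz-date:20240115T120000Z\n\nhost;x-amz-date\n" + Sha256Hex("");
        Console.WriteLine("empty-body hash: " + Sha256Hex("")); // compare with EmptyBodySha256
        Console.WriteLine("key us-east-1  : " + Hex(DeriveSigningKey(secret, "us-east-1", "20240115", "sqs")));
        Console.WriteLine("key eu-west-1  : " + Hex(DeriveSigningKey(secret, "eu-west-1", "20240115", "sqs")));
        Console.WriteLine("signature      : " + Sign(secret, "us-east-1", when, "sqs", canonical));
    }
}
```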
DetermineService(IClientConfig)
public static string DetermineService(IClientConfig clientConfig)
Parameters
clientConfig
IClientConfig
Returns
DetermineSigningRegion(IClientConfig, string, RegionEndpoint, IRequest)
public static string DetermineSigningRegion(IClientConfig clientConfig, string serviceName, RegionEndpoint alternateEndpoint, IRequest request)
Parameters
clientConfig
IClientConfig
serviceName
string
alternateEndpoint
RegionEndpoint
request
IRequest
Returns
FormatDateTime(DateTime, string)
Formats the supplied date and time for use in AWS4 signing, where various formats are used.
public static string FormatDateTime(DateTime dt, string formatString)
Parameters
Returns
- string
The UTC date/time in the requested format
GetParametersToCanonicalize(IRequest)
Collects the subresource and query string parameters into one collection ready for canonicalization
protected static List<KeyValuePair<string, string>> GetParametersToCanonicalize(IRequest request)
Parameters
request
IRequest
The in-flight request being signed
Returns
- List<KeyValuePair<string, string>>
The fused set of parameters
InitializeHeaders(IDictionary<string, string>, Uri)
Sets the AWS4 mandated 'host' and 'x-amz-date' headers, returning the date/time that will be used throughout the signing process in various elements and formats.
public static DateTime InitializeHeaders(IDictionary<string, string> headers, Uri requestEndpoint)
Parameters
headers
IDictionary<string, string>
The current set of headers
requestEndpoint
Uri
Returns
- DateTime
Date and time used for x-amz-date, in UTC
InitializeHeaders(IDictionary<string, string>, Uri, DateTime)
Sets the AWS4 mandated 'host' and 'x-amz-date' headers, accepting and returning the date/time that will be used throughout the signing process in various elements and formats.
public static DateTime InitializeHeaders(IDictionary<string, string> headers, Uri requestEndpoint, DateTime requestDateTime)
Parameters
headers
IDictionary<string, string>
The current set of headers
requestEndpoint
Uri
requestDateTime
DateTime
Returns
- DateTime
Date and time used for x-amz-date, in UTC
SetRequestBodyHash(IRequest, bool, string, int)
If signPayload is false set the x-amz-content-sha256 header to the UNSIGNED-PAYLOAD magic string and return it. Otherwise, if the caller has already set the x-amz-content-sha256 header with a pre-computed content hash, or it is present as ContentStreamHash on the request instance, return the value to be used in request canonicalization. If not set as a header or in the request, attempt to compute a hash based on inspection of the style of the request content.
public static string SetRequestBodyHash(IRequest request, bool signPayload, string chunkedBodyHash, int signatureLength)
Parameters
request
IRequest
Request to sign
signPayload
bool
Whether to sign the payload
chunkedBodyHash
string
The fixed value to set for the x-amz-content-sha256 header for chunked requests
signatureLength
int
Length of the signature for each chunk in a chunked request, in bytes
Returns
- string
The computed hash, whether already set in headers or computed here. Null if we were not able to compute a hash.
SetRequestBodyHash(IRequest, string, int)
If the caller has already set the x-amz-content-sha256 header with a pre-computed content hash, or it is present as ContentStreamHash on the request instance, return the value to be used in request canonicalization. If not set as a header or in the request, attempt to compute a hash based on inspection of the style of the request content.
public static string SetRequestBodyHash(IRequest request, string chunkedBodyHash, int signatureLength)
Parameters
request
IRequest
Request to sign
chunkedBodyHash
string
The fixed value to set for the x-amz-content-sha256 header for chunked requests
signatureLength
int
Length of the signature for each chunk in a chunked request, in bytes
Returns
- string
The computed hash, whether already set in headers or computed here. Null if we were not able to compute a hash.
SetXAmzTrailerHeader(IDictionary<string, string>, IDictionary<string, string>)
Sets the x-amz-trailer header for the given set of trailing headers
public static void SetXAmzTrailerHeader(IDictionary<string, string> headers, IDictionary<string, string> trailingHeaders)
Parameters
headers
IDictionary<string, string>
The request's headers
trailingHeaders
IDictionary<string, string>
The request's trailing headers
Sign(IRequest, IClientConfig, RequestMetrics, ImmutableCredentials)
Calculates and signs the specified request using the AWS4 signing protocol by using the AWS account credentials given in the method parameters. The resulting signature is added to the request headers as 'Authorization'. Parameters supplied in the request, either in the resource path as a query string or in the Parameters collection must not have been uri encoded. If they have, use the SignRequest method to obtain a signature.
public override void Sign(IRequest request, IClientConfig clientConfig, RequestMetrics metrics, ImmutableCredentials credentials)
Parameters
request
IRequest
The request to compute the signature for. Additional headers mandated by the AWS4 protocol ('host' and 'x-amz-date') will be added to the request before signing.
clientConfig
IClientConfig
Client configuration data encompassing the service call (notably authentication region, endpoint and service name).
metrics
RequestMetrics
Metrics for the request
credentials
ImmutableCredentials
The AWS credentials for the account making the service call.
Exceptions
- SignatureException
If any problems are encountered while signing the request.
Sign(IRequest, IClientConfig, RequestMetrics, string, string)
Calculates and signs the specified request using the AWS4 signing protocol by using the AWS account credentials given in the method parameters. The resulting signature is added to the request headers as 'Authorization'. Parameters supplied in the request, either in the resource path as a query string or in the Parameters collection must not have been uri encoded. If they have, use the SignRequest method to obtain a signature.
public override void Sign(IRequest request, IClientConfig clientConfig, RequestMetrics metrics, string awsAccessKeyId, string awsSecretAccessKey)
Parameters
request
IRequest
The request to compute the signature for. Additional headers mandated by the AWS4 protocol ('host' and 'x-amz-date') will be added to the request before signing.
clientConfig
IClientConfig
Client configuration data encompassing the service call (notably authentication region, endpoint and service name).
metrics
RequestMetrics
Metrics for the request
awsAccessKeyId
string
The AWS public key for the account making the service call.
awsSecretAccessKey
string
The AWS secret key for the account making the call, in clear text.
Exceptions
- SignatureException
If any problems are encountered while signing the request.
SignBlob(byte[], byte[])
Returns the HMAC256 for an arbitrary blob using the specified key
public static byte[] SignBlob(byte[] key, byte[] data)
Parameters
Returns
- byte[]
SignBlob(byte[], string)
Returns the HMAC256 for an arbitrary blob using the specified key
public static byte[] SignBlob(byte[] key, string data)
Parameters
Returns
- byte[]
SignRequest(IRequest, IClientConfig, RequestMetrics, string, string)
Calculates and signs the specified request using the AWS4 signing protocol by using the AWS account credentials given in the method parameters.
public AWS4SigningResult SignRequest(IRequest request, IClientConfig clientConfig, RequestMetrics metrics, string awsAccessKeyId, string awsSecretAccessKey)
Parameters
request
IRequest
The request to compute the signature for. Additional headers mandated by the AWS4 protocol ('host' and 'x-amz-date') will be added to the request before signing.
clientConfig
IClientConfig
Client configuration data encompassing the service call (notably authentication region, endpoint and service name).
metrics
RequestMetrics
Metrics for the request.
awsAccessKeyId
string
The AWS public key for the account making the service call.
awsSecretAccessKey
string
The AWS secret key for the account making the call, in clear text.
Returns
Remarks
Parameters passed as part of the resource path should be uri-encoded prior to entry to the signer. Parameters passed in the request.Parameters collection should not be encoded; encoding will be done for these parameters as part of the construction of the canonical request.
Exceptions
- SignatureException
If any problems are encountered while signing the request.
SortAndPruneHeaders(IEnumerable<KeyValuePair<string, string>>)
Reorders the headers for the request for canonicalization.
protected static IDictionary<string, string> SortAndPruneHeaders(IEnumerable<KeyValuePair<string, string>> requestHeaders)
Parameters
requestHeaders
IEnumerable<KeyValuePair<string, string>>
The set of proposed headers for the request
Returns
- IDictionary<string, string>
List of headers that must be included in the signature
Remarks
For AWS4 signing, all headers are considered viable for inclusion