
AWS - What a canonical request is really?


I'm trying to work directly with the REST API for the S3 service from Amazon and I don't get to understand what a canonical request is.

What I understand is:

  • You need an Authorization header or query string parameters (I will use the header)
  • This Authorization header contains a hashed HTTP request (the canonical request)
  • This HTTP request needs a hashed payload and then is concatenated to a longer string.
  • This string is hashed several times.
  • The result is the Authentication header.

Authentication header creation line

Then, the questions are:

  • The canonical request is the same as the real request?
  • A canonical request string is made only once and then used on the next requests?
MikeVelazco asked Jun 06 '16 18:06


1 Answer

A canonical request is just a vocabulary thing.

The canonical request is the same as the real request?

It is a representation of the real request; per your screenshot, it is defined as

CanonicalRequest =
  HTTPRequestMethod + '\n' +
  CanonicalURI + '\n' +
  CanonicalQueryString + '\n' +
  CanonicalHeaders + '\n' +
  SignedHeaders + '\n' +
  HexEncode(Hash(RequestPayload))

Of course, if you pass that string into your browser, it will not be understood and it will not be executed, so it will be transformed (make encoding nice, etc.).

So, for example, you will get a canonical representation of your request defined as

CanonicalRequest =
  "GET" + '\n' +
  "/examplebucket" + '\n' +
  URI-encode("marker")+"="+URI-encode("someMarker")+"&"+URI-encode("max-keys")+"="+URI-encode("20")+"&"+URI-encode("prefix")+"="+URI-encode("somePrefix") + '\n' +
  Lowercase("host")+":"+Trim("s3.amazonaws.com")+"\n"+Lowercase("x-amz-<something>")+":"+Trim("<the_value>")+"\n" + '\n' +
  "host;x-amz-<something (same as above)>" + '\n' +
  HexEncode(Hash(RequestPayload))

Then, from this definition, the system will create the "real" request, meaning the one that will be executed against the server.

Frederic Henri answered Oct 05 '22 11:10
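The construction from the answer above, as an added example (not part of the original answer and not AWS's own code): it builds the canonical request for one concrete S3 request and derives the Signature Version 4 `Authorization` header from it. The function names, the `x-amz-content-sha256` header, the timestamp and the placeholder credentials are assumptions; because the timestamp and every signed component feed the hash, the string is rebuilt for each request.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_request(method, url, headers, payload=b""):
    """Return (canonical request, signed-header list) for one concrete request."""
    parts = urlsplit(url)
    # CanonicalURI is the path only, URI-encoded once (input path assumed unencoded).
    uri = quote(parts.path or "/", safe="/-_.~")
    # CanonicalQueryString: encode each name and value, then sort by name.
    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                   for k, v in parse_qsl(parts.query, keep_blank_values=True))
    query = "&".join(f"{k}={v}" for k, v in pairs)
    # CanonicalHeaders: lowercase names, trimmed values, sorted, each ending in "\n".
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canon_headers = "".join(f"{k}:{v}\n" for k, v in hdrs)
    signed = ";".join(k for k, _ in hdrs)
    lines = [method, uri, query, canon_headers, signed, sha256_hex(payload)]
    return "\n".join(lines), signed

def authorization_header(access_key, secret, region, method, url, headers, payload=b""):
    """Hash the canonical request into the string to sign, then HMAC-chain the key."""
    canon, signed = canonical_request(method, url, headers, payload)
    amz_date = headers["x-amz-date"]  # assumes this exact lowercase key is present
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canon.encode())])
    key = ("AWS4" + secret).encode()
    # Each HMAC output keys the next: date, region, service, terminator, string to sign.
    for msg in (amz_date[:8], region, "s3", "aws4_request", to_sign):
        key = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={key.hex()}")

# Constructed sample mirroring the answer's example; the credentials are placeholders.
SAMPLE_URL = ("http://s3.amazonaws.com/examplebucket"
              "?prefix=somePrefix&max-keys=20&marker=someMarker")

def sample_headers(amz_date):
    return {"Host": "s3.amazonaws.com", "x-amz-date": amz_date,
            "x-amz-content-sha256": sha256_hex(b"")}

if __name__ == "__main__":
    h = sample_headers("20160606T180000Z")
    print(canonical_request("GET", SAMPLE_URL, h)[0])
    print(authorization_header("AKIDPLACEHOLDER", "SECRETPLACEHOLDER", "us-east-1",
                               "GET", SAMPLE_URL, h))
```

The blank line in the printed canonical request, between the last header and the signed-header list, is part of the format: each canonical header ends in a newline and the fields are then joined by another.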