我所用S3 PUT请求使用AWS签名版本4

Question

我使用下面的代码做一个简单的PUT请求AWS S3做错了使用版本4签名：以上

from collections import OrderedDict 
from dateutil import parser 
import datetime 
import hashlib 
import hmac 
import requests 

key_id = "REDACTED" 
secret = "REDACTED" 
bucket_name = "REDACTED" 

def hashb16(message): 
    return hashlib.sha256(message).hexdigest() 

def HMAC(key, message): 
    return hmac.new(key, message, hashlib.sha256) 

current_time = datetime.datetime.utcnow() 

url = "https://s3-eu-west-2.amazonaws.com/{}/sometest.txt".format(bucket_name) 
payload = "Welcome to Amazon S3." 
headers = { 
    'date': current_time.strftime("%a, %d %b %Y %H:%m:%S GMT"), 
    'host': "s3-eu-west-2.amazonaws.com", 
    'x-amz-content-sha256': hashb16(payload), 
    'x-amz-date': current_time.strftime('%Y%m%dT%H%M%SZ'), 
    'x-amz-storage-class': 'REDUCED_REDUNDANCY' 
} 
sorted_headers = sorted([k for k in headers]) 
region = "eu-west-2" 
service = "s3" 

# step 1 
HTTPRequestMethod = "PUT" 
CanonicalURI = "/sometest.txt" 
CanonicalQueryString = "" 
CanonicalHeaders = "" 
for key in sorted_headers: 
    CanonicalHeaders += "{}:{}\n".format(key.lower(), headers[key]) 
SignedHeaders = "{}".format(";".join(sorted_headers)) 
HexEncondeHashRequestPayload = hashb16(payload) 
CanonicalRequest = "{}\n{}\n{}\n{}{}\n{}".format(HTTPRequestMethod, CanonicalURI, CanonicalQueryString, CanonicalHeaders, SignedHeaders, HexEncondeHashRequestPayload) 

# step 2 
Algorithm = "AWS4-HMAC-SHA256" 
RequestDateTime = current_time.strftime('%Y%m%dT%H%M%SZ') 
CredentialScope = "{}/{}/{}/{}".format(current_time.strftime("%Y%m%d"), region, service, "aws4_request") 
HashedCanonicalRequest = hashb16(CanonicalRequest) 
StringToSign = "{}\n{}\n{}\n{}".format(Algorithm, RequestDateTime, CredentialScope, HashedCanonicalRequest) 

#step 3 
kDate = HMAC("AWS4" + secret,  current_time.strftime("%Y%m%d")).digest() 
kRegion = HMAC(kDate, region).digest() 
kService = HMAC(kRegion, service).digest() 
kSigning = HMAC(kService, "aws4_request").digest() 
signature = HMAC(kSigning, StringToSign).hexdigest() 

#step 4 
Authorization = "AWS4-HMAC-SHA256 Credential={}/{},SignedHeaders={},Signature={}".format(key_id, CredentialScope, ";".join(sorted_headers), signature) 
headers["Authorization"] = Authorization 

response = requests.request("PUT", url, headers=headers) 

print response.status_code 
print response.text 

的步骤是每AWS documentation。我使用this page中的示例测试了散列函数，他们结算。

不幸的是，当执行实际的请求时，我得到一个带有通常的无效签名消息的403状态码。我在上面的代码中错过了什么？

Answer 1

您的StringToSign不正确。特别是HashedCanonicalRequest是不正确的。

亚马逊错误响应将显示确切的StringToSign。这将帮助你弄清楚什么是错的。

[编辑 - 我修改你的代码工作。注意：我删除了有效负载计算并将其更改为UNSIGNED-PAYLOAD。有两个小问题：

1）在StringToSign桶名称未在指定的URL（后线CURRENT_TIME）

2）你是缺少一个CanonicalRequest \ n。

from collections import OrderedDict 
from dateutil import parser 
import datetime 
import hashlib 
import hmac 
import requests 

key_id = "" 
secret = "/N6VFTasQCJic3CqL9tj80UGB6Ba1B" 
region = "" 
bucket_name = "" 
service = "s3" 

def hashb16(message): 
    return hashlib.sha256(message).hexdigest() 

def HMAC(key, message): 
    return hmac.new(key, message, hashlib.sha256) 

current_time = datetime.datetime.utcnow() 

url = "https://s3-us-west-2.amazonaws.com/{}/sometest.txt".format(bucket_name) 
payload = "Welcome to Amazon S3." 
headers = { 
    'date': current_time.strftime("%a, %d %b %Y %H:%m:%S GMT"), 
    'host': "s3-us-west-2.amazonaws.com", 
    'x-amz-content-sha256': 'UNSIGNED-PAYLOAD', 
    'x-amz-date': current_time.strftime('%Y%m%dT%H%M%SZ'), 
    'x-amz-storage-class': 'REDUCED_REDUNDANCY' 
} 
sorted_headers = sorted([k for k in headers]) 

# step 1 
HTTPRequestMethod = "PUT" 
CanonicalURI = "/{}/sometest.txt".format(bucket_name) 
CanonicalQueryString = "" 
CanonicalHeaders = "" 
for key in sorted_headers: 
    CanonicalHeaders += "{}:{}\n".format(key.lower(), headers[key]) 
SignedHeaders = "{}".format(";".join(sorted_headers)) 
HexEncondeHashRequestPayload = hashb16(payload) 
CanonicalRequest = "{}\n{}\n{}\n{}\n{}\n{}".format(HTTPRequestMethod, CanonicalURI, CanonicalQueryString, CanonicalHeaders, SignedHeaders, 'UNSIGNED-PAYLOAD') 

# step 2 
Algorithm = "AWS4-HMAC-SHA256" 
RequestDateTime = current_time.strftime('%Y%m%dT%H%M%SZ') 
CredentialScope = "{}/{}/{}/{}".format(current_time.strftime("%Y%m%d"), region, service, "aws4_request") 
HashedCanonicalRequest = hashb16(CanonicalRequest) 
StringToSign = "{}\n{}\n{}\n{}".format(Algorithm, RequestDateTime, CredentialScope, HashedCanonicalRequest) 

#step 3 
kDate = HMAC("AWS4" + secret,  current_time.strftime("%Y%m%d")).digest() 
kRegion = HMAC(kDate, region).digest() 
kService = HMAC(kRegion, service).digest() 
kSigning = HMAC(kService, "aws4_request").digest() 
signature = HMAC(kSigning, StringToSign).hexdigest() 

#step 4 
Authorization = "AWS4-HMAC-SHA256 Credential={}/{},SignedHeaders={},Signature={}".format(key_id, CredentialScope, ";".join(sorted_headers), signature) 
headers["Authorization"] = Authorization 

response = requests.request("PUT", url, headers=headers) 

print response.status_code 
print response.text