This repository has been archived by the owner on Aug 14, 2018. It is now read-only.

Sign2 succeeds, but Sign4 403 forbidden #2

Closed
mikev opened this issue Jan 25, 2014 · 9 comments

mikev commented Jan 25, 2014

The following test for an SQS resource succeeds with Sign2, but fails when Sign4 is substituted; otherwise the code is identical. The error code returned is 403 Forbidden.

```go
package main

import (
    "fmt"
    "awsauth"
    "log"
    "net/http"
    "net/http/httputil"
)

const kAccessKeyID = "ACCESSKEY"
const kSecretAccessKey = "SECRETKEY"
const kAWSAccountID = "###########"
const kQueueName = "testqueue"

func main() {
    awsauth.Keys = &awsauth.Credentials{kAccessKeyID, kSecretAccessKey}

    // SendMessage request built as a query string; note the parameter order.
    url := "https://sqs.us-east-1.amazonaws.com/" + kAWSAccountID +
        "/" + kQueueName +
        "?Action=SendMessage&Version=2012-11-05&MessageBody=YesHelloWorldmessage"

    client := &http.Client{}

    req, err := http.NewRequest("GET", url, nil)
    if err != nil {
        log.Fatal(err)
    }
    // Dump the unsigned request for comparison.
    out, _ := httputil.DumpRequestOut(req, true)
    fmt.Printf("%s\n", string(out))

    //awsauth.Sign4(req)   // This fails
    awsauth.Sign2(req)   // This succeeds
    // Dump the signed request to see what the signer added.
    out2, _ := httputil.DumpRequestOut(req, true)
    fmt.Printf("%s\n", string(out2))

    resp, err := client.Do(req)
    if err != nil {
        log.Fatal(err)
    }
    defer resp.Body.Close()

    fmt.Println(resp.StatusCode)
    fmt.Println(resp.Status)
}
```

mholt commented Jan 25, 2014

Does it work if you just use the Sign() method?


mikev commented Jan 25, 2014

Hi Matt,

No, that doesn't work either. However, I did figure out the issue.

This works:
"?Action=SendMessage&MessageBody=YesHelloWorldmessage&Version=2012-11-05"

This fails:
"?Action=SendMessage&Version=2012-11-05&MessageBody=YesHelloWorldmessage"

Amazon requires the parameter keys in canonical order (i.e. alphabetical).
Not being an expert on AWS signing, this was not initially obvious to me.
At first I thought I had an issue with either the auth keys or the user's
permissions or I suspected my key was missing padding for the hmac call.

Thanks,
Michael
p.s.
Well written library overall!

On Sat, Jan 25, 2014 at 10:18 AM, Matt notifications@github.com wrote:

Does it work if you just use the Sign() function (without specifying a
version)?


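To see why the parameter order mattered, here is an added Go example (not code from the awsauth library or from this thread) that canonicalizes a query string the way Signature Version 4 requires and hashes a minimal canonical request, so the two URLs compared above produce the same digest regardless of how the caller ordered them. The host, path and account id in main are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// CanonicalQuery rebuilds a raw query string in SigV4 canonical form: every
// key and value percent-encoded (space as %20, not '+'), pairs sorted by key
// and, for repeated keys, by value. The order the caller wrote is discarded,
// which is what the failing request in this issue was missing.
func CanonicalQuery(rawQuery string) string {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return ""
	}
	for _, vs := range values {
		sort.Strings(vs) // url.Values.Encode sorts keys but not their values
	}
	return strings.ReplaceAll(values.Encode(), "+", "%20")
}

// HashedCanonicalRequest is the hex SHA-256 of a minimal SigV4 canonical
// request: method, path, canonical query, canonical headers (host only here),
// signed-header list and payload hash, each on its own line.
func HashedCanonicalRequest(method, path, rawQuery, host, payloadHash string) string {
	canonical := strings.Join([]string{
		method, path, CanonicalQuery(rawQuery),
		"host:" + strings.ToLower(host) + "\n", "host", payloadHash,
	}, "\n")
	sum := sha256.Sum256([]byte(canonical))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed inputs: the two query strings compared in this issue, plus a
	// placeholder account id in the path.
	ordered := "Action=SendMessage&MessageBody=YesHelloWorldmessage&Version=2012-11-05"
	unordered := "Action=SendMessage&Version=2012-11-05&MessageBody=YesHelloWorldmessage"
	empty := sha256.Sum256(nil) // GET has no body; SigV4 still hashes the empty payload
	payload := hex.EncodeToString(empty[:])
	host, path := "sqs.us-east-1.amazonaws.com", "/123456789012/testqueue"
	fmt.Println(CanonicalQuery(unordered) == ordered)
	fmt.Println(HashedCanonicalRequest("GET", path, ordered, host, payload) ==
		HashedCanonicalRequest("GET", path, unordered, host, payload))
}
```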


mholt commented Jan 25, 2014

Thanks, and yes, the canonical ordering does seem right. Hm, I wonder how the tests are passing, then. It's been a while since I've looked at this code, but when I get a chance, I'll dive in and try to figure out why the request's parameters aren't being ordered properly.


mholt commented Jan 26, 2014

@mikev I'm able to reproduce this -- looks like the tests just got lucky. I'll work on a fix.

Update: Well, that was quite easy. Silly me. Thanks for the report!

@ghost ghost assigned mholt Jan 26, 2014
@mholt mholt closed this as completed in e1004e5 Jan 26, 2014

mikev commented Jan 27, 2014

Cool. Thanks!



mikev commented Jan 30, 2014

Hi Matt,

Any chance to add Sign3 (Signature version 3)? It is used by AWS Route53
which is a rather important API for production services.

Best,
Michael



mholt commented Jan 30, 2014

Oh. Version 3?? I've never heard of it. Googling Route53 authentication, though, I see this documentation. I'm not sure that it's called Version 3, but it definitely appears to be its own authentication scheme.

I can look into adding support for it. For a quicker turnaround, you're welcome to take a stab at it. A good starting point would be s3.go and s3_test.go, which has a similar procedure. I hope to get to this soon, as I agree, it's an important addition.


mikev commented Jan 31, 2014

OK, draft working code enclosed. I tested against route53 and the
authentication works, but it is missing a GUID generator. The source code
for the .Net AWS SDK, which is authored by Amazon, was a good reference.
https://github.com/aws/aws-sdk-net/blob/10fef6f83449b416044573b0cf39ea3c6621edd7/AWSSDK_DotNet35/Amazon.Runtime/Internal/Auth/AWS3Signer.cs

Cheers,
Michael

On Thu, Jan 30, 2014 at 6:07 AM, Matt notifications@github.com wrote:

Oh. Version 3?? I've never heard of it. Googling Route53 authentication,
though, I see this documentation: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/RESTAuthentication.html.
I'm not sure that it's called Version 3, but it definitely appears to be
its own authentication scheme.

I can look into adding support for it. For a quicker turnaround, you're
welcome to take a stab at it. A good starting point would be s3.go and
s3_test.go, which has a similar procedure. I hope to get to this soon, as I
agree, it's an important addition.



mholt commented Jan 31, 2014

@mikev Hm, if you attached something, it didn't come through.

What about a pull request? Or you could email me directly with the attachment. Thanks for the link, by the way -- I'll take a look soon.

Update: Got your email. Cheers. I'm going to put this into a new issue; I'm starting on this on Saturday!

2 participants