<p class="shortdesc"></p> <p class="p">Ping An Cloud can only verify your identity when a signature is sent with your HTTP request. </p> <p class="p">In terms of verification, the API mainly verifies whether the URL you request has been tampered with during transmission. </p> <ul class="ul" id="SignatureMechanism__ul_jwp_j23_mlb"> <li class="li">If the signature verification is passed, it is considered that the request has not been tampered with. The request is then forwarded to specific back-end services. </li> <li class="li">If the signature verification fails, it is considered that the request is insecure due to some reasons. For example, the URL requested by the user has been tampered with, or the request has expired. In such cases, back-end services are unavailable. </li> </ul> <p class="p">After you register a master account or create a sub-account, Ping An Cloud generates a pair of AccessKeys for you. A pair of AccessKeys consist of an AccessKeyId and an AccessKeySecret. </p> <ul class="ul" id="SignatureMechanism__ul_kwp_j23_mlb"> <li class="li">The AccessKeyId corresponds to the details of only one user in the backend. </li> <li class="li">The AccessKeySecret is used to sign requests. Make sure you keep the AccessKeySecret secret in a strict manner to prevent it from being stolen and used to impersonate you to sign requests. </li> </ul> <section class="section" id="SignatureMechanism__section_f51_k23_mlb"><h2 class="doc-tairway">Signature Steps </h2> <p class="p">Constructing a canonical query string. </p> <p class="p">1. Sort the parameter names in ascending alphabetical order. </p> <p class="p">The sorting parameters include action parameters, public parameters, and business request parameters required to call the API. URL encode the name and value of each request parameter using the UTF-8 character set. In the encoded string, replace ‘+’ with ‘% 20’, ‘*’ with ‘% 2A’, ‘% 7E’ with ‘~’, and ‘:’ with ‘% 3A’. The corresponding java code is: </p> <pre class="pre codeblock"><code>String encodedParamValue = URLEncoder.encode(paramValue, "UTF-8") .replace("+", "%20") .replace("*", "%2A") .replace("%7E", "~") .replace(":", "%3A"); </code></pre> <p class="p">2. Convert the parameter names (paramName) to lowercase. Convert the encoded parameter values (encodedParamValue) to lowercase. Sort the lowercase parameter names (paramName) in ascending order of characters. Concatenate these strings to generate the string to sign (stringToSign). </p> <p class="p">3. Calculate the HMAC signature using the string to sign (stringToSign). Note: The key used to calculate the signature is the AccessKeySecret. The hash algorithm used is SHA1, i.e. HmacSHA1 (stringToSign). Then encode the above HMAC value into a Base64 string to get the signature. Add the signature value to the request parameters as the signature parameter to finish the signing of the request. </p> <p class="p">4. Append all request parameters including the signature parameter to get a canonical query string. Submit the string to the server-side KMS for the API request. </p> <p class="p">Example (take Enablekey as an example): </p> <p class="p">If the value of the paramsString is: </p> <pre class="pre codeblock"><code>accessKeyId=testId&action=EnableKey&keyId=keyId &signatureMethod=HMAC-SHA1&signatureNonce=1542333462075&signatureVersion=1.0 &timestamp=1542333462075&version=2017-01-01 </code></pre> <p class="p">Then the value of the stringToSign is: </p> <pre class="pre codeblock"><code>accesskeyid=testid&action=enablekey&keyid=keyid &signaturemethod=hmac-sha1&signaturenonce=1542333462075&signatureversion=1.0 &timestamp=1542333462075&version=2017-01-01 </code></pre> <p class="p">If the AccessKeySecret paired with the AccessKeyId you use is testsecret, the calculated signature value is: caPjvsMXfd6oglEkahdq4Jo0yVA = </p> <p class="p">The request URL after signing is (note that the signature parameter is added): </p> <pre class="pre codeblock"><code>https://kms-cn-shanghai.yun.pingan.com/?action=EnableKey &keyId=<keyid> &timestamp=<timestamp> &signatureMethod=HMAC-SHA1 &signatureNonce=<signaturenonce> &accessKeyId=<accesskeyid> &signatureVersion=1.0 &signature=<signature value> &version=2017-01-01 </code></pre> </section>