Based on this model: https://www.b4x.com/android/forum/threads/amazon-web-services-s3-v4-signature-calculator.81006/
Thanks, @JackKirk !
I have been trying for days to get the AWS API Gateway to work. I am apparently not constructing the request correctly, because I
get this response after the post (slightly edited for readability):
ResponseError. Reason: , Response: {"message":"The request signature we calculated does not match the signature you provided. Check
your AWS Secret Access Key and signing method. Consult the service documentation for details. The Canonical String for this request
should have been
POST\n
/Api_Deploy/\n
Action=list-tables&
Version=2019-11-21&
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=AKIAZTLRCN7MN6PEIOOL%2F20211116%2Fus-east-2%2Fexecute-api%2Faws4_request&
X-Amz-Date=20211116T164458Z&
X-Amz-Expires=86400&
X-Amz-SignedHeaders=content-type%3Bhost\n
content-type:application/x-amz-json-1.0\n
host:<API_Deploy Stage Invoke URL>.execute-api.us-east-2.amazonaws.com\n\n
content-type;host\n
517b909afa790bb465e29c8b48846024e69308655f2e7814e2ebb3fc7d527253
--------------------------------
The String-to-Sign should have been\n
AWS4-HMAC-SHA256\n
20211116T164458Z\n
20211116/us-east-2/execute-api/aws4_request\n
e0b0f518f79f6c10c3ebddefcc8f491f8a2ee395e4731516640b3f3eef72967e
--------------------------------
Let's focus on the String-To-Sign. AWS computes the one above that starts with e0b0. I compute a big hairy hash of the Canonical
Request that starts with dcba. To simplify debugging, I made a little snippet just for the purpose of comparing the hashes.
B4X:
Private Sub TestAWS
    'Dim xCRLF As String = "\n"
    Dim xCRLF As String = CRLF
    Dim tCanReq As String = "POST" & xCRLF & "/Api_Deploy/" & xCRLF & _
        "Action=list-tables&Version=2019-11-21&" & _
        "X-Amz-Algorithm=AWS4-HMAC-SHA256&" & _
        "X-Amz-Credential=AKIAZTLRCN7MN6PEIOOL%2F20211116%2Fus-east-2%2Fexecute-api%2Faws4_request&" & _
        "X-Amz-Date=20211116T031806Z&X-Amz-Expires=86400&" & _
        "X-Amz-SignedHeaders=content-type%3Bhost" & xCRLF & _
        "content-Type:Application/x-amz-JSON-1.0" & xCRLF & _
        "host:<crazyURL>.execute-api.us-east-2.amazonaws.com" & xCRLF & xCRLF & _
        "content-type;host" & xCRLF & _
        "f4baaea6929a1f0a352277780966537c16f0b4e4cec86fe1511274794a53882c "
    Log("tCanReq = " & tCanReq)
    Dim StringToSign As String = "AWS4-HMAC-SHA256" & xCRLF & "20211116T031806Z" & xCRLF & _
        "20211116/us-east-2/execute-api/aws4_request" & xCRLF & HexSHA256Hash(tCanReq.GetBytes("UTF8"))
    Log("StringToSign = " & " " & CRLF & StringToSign)
End Sub

Public Sub HexSHA256Hash(input() As Byte) As String
    '' Log("HexSHA256Hash")
    Private wrk_bc As ByteConverter
    Private wrk_md As MessageDigest
    Private wrk_hash() As Byte
    Private wrk_str As String
    'Get SHA256 hash of input byte array
    wrk_hash = wrk_md.GetMessageDigest(input, "SHA-256")
    'Get hex of SHA256 hash of input byte array
    wrk_str = wrk_bc.HexFromBytes(wrk_hash)
    'Return lowercase hex of SHA256 hash of input byte array
    Return wrk_str.ToLowerCase
End Sub
The blank line in the Canonical Request is puzzling. AWS error message says to include it. I am not sure. Have tried both ways.
I have been through this twenty times: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
I did make it past the original "forbidden" error. My AWS console setup passes the TEST in API Gateway > API_Db > Resources > POST.
I am at a loss. Maybe fresh eyes will see something. Help me, Obi-Wan Kenobi (aka @DonManfred)
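
An added example, not part of the original post and not B4X or AWS code: a Python sketch that assembles a SigV4 canonical request from its parts (showing where the blank line comes from) and reports the first line where a hand-built string differs from the expected one. The host, access key ID, request body and function names are constructed placeholders; only the path, query parameter names, date and scope follow the error message quoted above.

```python
import hashlib
from urllib.parse import quote

def _enc(s):
    # SigV4 URI-encoding: everything except unreserved characters A-Za-z0-9-_.~
    return quote(s, safe="-_.~")

def canonical_request(method, path, query, headers, payload_hash):
    """Assemble the six newline-joined parts of a SigV4 canonical request."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in query.items())
    query_string = "&".join(f"{k}={v}" for k, v in pairs)
    # Header names are lowercased; values are trimmed, inner spaces collapsed.
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    # Every header line ends with "\n"; the join below adds one more, which is
    # the blank line between the last header and the signed-headers list.
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in hdrs)
    signed_headers = ";".join(k for k, _ in hdrs)
    return "\n".join([method, path, query_string, canonical_headers,
                      signed_headers, payload_hash])

def string_to_sign(amz_date, scope, canon):
    digest = hashlib.sha256(canon.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])

def first_difference(mine, expected):
    """Return (line_no, repr(mine), repr(expected)) of the first mismatch, or None."""
    a, b = mine.split("\n"), expected.split("\n")
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x != y:
            return (i + 1, repr(x), repr(y))  # repr exposes stray whitespace
    return None

# Constructed sample values (not taken from a real account or request).
HOST = "abc123example.execute-api.us-east-2.amazonaws.com"
SCOPE = "20211116/us-east-2/execute-api/aws4_request"
BODY_HASH = hashlib.sha256(b"{}").hexdigest()
QUERY = {"Action": "list-tables", "Version": "2019-11-21",
         "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
         "X-Amz-Credential": "AKIDEXAMPLE/" + SCOPE,
         "X-Amz-Date": "20211116T164458Z", "X-Amz-Expires": "86400",
         "X-Amz-SignedHeaders": "content-type;host"}
HEADERS = {"Content-Type": "application/x-amz-json-1.0", "Host": HOST}
EXPECTED = canonical_request("POST", "/Api_Deploy/", QUERY, HEADERS, BODY_HASH)

# Hand-concatenated copy with two slips: mixed-case header line, trailing space.
HAND_BUILT = EXPECTED.replace("content-type:application/x-amz-json-1.0",
                              "content-Type:Application/x-amz-JSON-1.0") + " "
```

Calling `first_difference(HAND_BUILT, EXPECTED)` points at line 4 of the canonical request; any single differing byte changes the SHA-256 digest on the last line of the string-to-sign.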