AwsSignatureV3Private Class Reference

Private implementation for AwsSignatureV3. More...

Inheritance diagram for AwsSignatureV3Private:

Collaboration diagram for AwsSignatureV3Private:

Public Member Functions
	AwsSignatureV3Private (const QCryptographicHash::Algorithm hashAlgorithm, AwsSignatureV3 *const q)
	Constructs a new AwsSignatureV3Private object. More...
void	setAuthorizationHeader (const AwsAbstractCredentials &credentials, const QNetworkAccessManager::Operation operation, QNetworkRequest &request, const QByteArray &payload) const
	Set authorization header on a network request. More...
void	setDateHeader (QNetworkRequest &request, const QDateTime &dateTime=QDateTime::currentDateTimeUtc()) const
	Set the AWS custom date header. More...
Public Member Functions inherited from AwsAbstractSignaturePrivate
virtual	~AwsAbstractSignaturePrivate ()
	AwsAbstractSignaturePrivate destructor. More...
	AwsAbstractSignaturePrivate (AwsAbstractSignature *const q)
	Constructs a new AwsAbstractSignaturePrivate object. More...
QString	canonicalPath (const QUrl &url) const
	Create an AWS Signature canonical path. More...
QByteArray	canonicalQuery (const QUrlQuery &query) const
	Create an AWS Signature canonical query. More...
QString	httpMethod (const QNetworkAccessManager::Operation operation) const
	Create an AWS Signature request method string. More...
bool	setQueryItem (QUrlQuery &query, const QString &key, const QString &value, const bool warnOnNonIdenticalDuplicate=true) const
	Set a query item, checking for existing values first. More...

Protected Member Functions
QByteArray	algorithmDesignation (const QCryptographicHash::Algorithm algorithm) const
	Create an AWS V3 Signature algorithm designation. More...
QByteArray	authorizationHeaderValue (const AwsAbstractCredentials &credentials, const QNetworkAccessManager::Operation operation, QNetworkRequest &request, const QByteArray &payload) const
	Create an AWS V3 Signature authorization header value. More...
QByteArray	canonicalHeader (const QByteArray &headerName, const QByteArray &headerValue) const
	Create an AWS V3 Signature canonical header string. More...
QByteArray	canonicalHeaders (const QNetworkRequest &request, QByteArray *const signedHeaders) const
	Create an AWS V3 Signature canonical headers string. More...
QByteArray	canonicalRequest (const QNetworkAccessManager::Operation operation, const QNetworkRequest &request, const QByteArray &payload, QByteArray *const signedHeaders) const
	Create an AWS V3 Signature canonical request. More...

Static Protected Member Functions
static bool	isHttps (const QNetworkRequest &request)
	Does a request use the HTTPS scheme? More...

Protected Attributes
const QCryptographicHash::Algorithm	hashAlgorithm
	Hash algorithm to use when signing.
Protected Attributes inherited from AwsAbstractSignaturePrivate
AwsAbstractSignature *const	q_ptr
	Internal q-pointer.

Friends
class	TestAwsSignatureV3

Detailed Description

Private implementation for AwsSignatureV3.

See also

http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html

Definition at line 36 of file awssignaturev3_p.h.

Constructor & Destructor Documentation

AwsSignatureV3Private::AwsSignatureV3Private	(	const QCryptographicHash::Algorithm	hashAlgorithm,
		AwsSignatureV3 *const	q
	)

Constructs a new AwsSignatureV3Private object.

Parameters

hashAlgorithm	The algorithm to use during various stages of signing.
q	Pointer to this object's public AwsSignatureV3 instance.

Definition at line 98 of file awssignaturev3.cpp.

    : AwsAbstractSignaturePrivate(q), hashAlgorithm(hashAlgorithm)
{

}

Member Function Documentation

QByteArray AwsSignatureV3Private::algorithmDesignation ( const QCryptographicHash::Algorithm  algorithm ) const

protected

Create an AWS V3 Signature algorithm designation.

This function returns an algorithm designation, as defined by Amazon, for use with V3 signatures.

For example, if the algorith is QCryptographicHash::Sha256, this function will return HmacSHA256.

Parameters

algorithm

The hash algorithm to get the canonical designation for.

Returns

An AWS V3 Signature algorithm designation.

See also

http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/RESTAuthentication.html

Definition at line 120 of file awssignaturev3.cpp.

Referenced by authorizationHeaderValue().

{
    switch (algorithm) {
        case QCryptographicHash::Sha1:     return "HmacSHA1";
        case QCryptographicHash::Sha256:   return "HmacSHA256";
        default:
            Q_ASSERT_X(false, Q_FUNC_INFO, "invalid algorithm");
            return "invalid-algorithm";
    }
}

QByteArray AwsSignatureV3Private::authorizationHeaderValue ( const AwsAbstractCredentials &  credentials, const QNetworkAccessManager::Operation  operation, QNetworkRequest &  request, const QByteArray &  payload  ) const

protected

Create an AWS V3 Signature authorization header value.

This function builds a V3 signature, and returns it to the caller. The returned header value is then suitable for adding as an Authorization header in the HTTP request, to be accepted by Amazon.

Parameters

credentials	The AWS credentials to use to sign the request.
operation	The HTTP method being used for the request.
request	The network request to generate a signature for.
payload	Optional data being submitted in the request (eg for PUT and POST operations).

Returns

An AWS V3 Signature authorization header value.

See also

http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/RESTAuthentication.html

setAuthorizationHeader

Definition at line 148 of file awssignaturev3.cpp.

References AwsAbstractCredentials::accessKeyId(), algorithmDesignation(), canonicalRequest(), hashAlgorithm, isHttps(), and AwsAbstractCredentials::secretKey().

Referenced by setAuthorizationHeader().

{
    // Calculate the signature.
    QByteArray signedHeaders;
    QByteArray stringToSign = canonicalRequest(operation, request, payload, &signedHeaders);
    if (!isHttps(request)) {
        stringToSign = QCryptographicHash::hash(stringToSign, hashAlgorithm);
    }
    const QByteArray signature = QMessageAuthenticationCode::hash(
                stringToSign, credentials.secretKey().toUtf8(), hashAlgorithm);

    // Build and return the authorization header value.
    return
        QByteArray((isHttps(request)) ? "AWS3-HTTPS " : "AWS3 ") +
        "AWSAccessKeyId=" + credentials.accessKeyId().toUtf8() + ","
        "Algorithm=" + algorithmDesignation(hashAlgorithm) + "," +
        ((!isHttps(request)) ? "SignedHeaders=" + signedHeaders + ',' : "") +
        "Signature=" + signature.toBase64();
}

QByteArray AwsSignatureV3Private::canonicalHeader ( const QByteArray &  headerName, const QByteArray &  headerValue  ) const

protected

Create an AWS V3 Signature canonical header string.

Note

Amazon documentation does not specify how to handle whitespace within quotes for V3 signatures, so here we use the same approach as V3 signatures. That is:

In canonical form, header name and value are combined with a single semi-colon separator, with all whitespace removed from both, except for whitespace within double-quotes.

Note

This function is only applicable to the AWS3 format, not AWS3-HTTPS.

Parameters

headerName	Name of the HTTP header to convert to canonical form.
headerValue	Value of the HTTP header to convert to canonical form.

Returns

An AWS V3 Signature canonical header string.

See also

http://docs.aws.amazon.com/amazonswf/latest/developerguide/HMACAuth-swf.html

http://docs.aws.amazon.com/general/latest/gr/sigV4-create-canonical-request.html

canonicalHeaders

Definition at line 192 of file awssignaturev3.cpp.

Referenced by canonicalHeaders().

{
    QByteArray header = headerName.toLower() + ':';
    const QByteArray trimmedHeaderValue = headerValue.trimmed();
    bool isInQuotes = false;
    char previousChar = '\0';
    for (int index = 0; index < trimmedHeaderValue.size(); ++index) {
        char thisChar = trimmedHeaderValue.at(index);
        header += thisChar;
        if (isInQuotes) {
            if ((thisChar == '"') && (previousChar != '\\'))
                isInQuotes = false;
        } else {
            if ((thisChar == '"') && (previousChar != '\\')) {
                isInQuotes = true;
            } else if (isspace(thisChar)) {
                while ((index < trimmedHeaderValue.size()-1) &&
                       (isspace(trimmedHeaderValue.at(index+1))))
                    ++index;
            }
        }
        previousChar = thisChar;
    }
    return header;
}

QByteArray AwsSignatureV3Private::canonicalHeaders ( const QNetworkRequest &  request, QByteArray *const  signedHeaders  ) const

protected

Create an AWS V3 Signature canonical headers string.

This function constructs a canonical string containing all of the headers in the given request.

Note

request will typically not include a Host header at this stage, however Qt will add an appropriate Host header when the request is performed. So, if request does not include a Host header yet, this function will include a derived Host header in the canonical headers to allow for it.

This function is only applicable to the AWS3 format, not AWS3-HTTPS.

Parameters

[in]	request	The network request to fetch the canonical headers from.
[out]	signedHeaders	A semi-colon separated list of the names of all headers included in the result.

Returns

An AWS V3 Signature canonical headers string.

See also

http://docs.aws.amazon.com/general/latest/gr/sigV3-create-canonical-request.html

canonicalHeader

Definition at line 241 of file awssignaturev3.cpp.

References canonicalHeader().

Referenced by canonicalRequest().

{
    Q_CHECK_PTR(signedHeaders);
    signedHeaders->clear();

    /* Note, Amazon says we should combine duplicate headers with comma separators...
     * conveniently for us, QNetworkRequest requires that to have been done already.
     * See note in QNetworkRequest::setRawHeader.
     */

    // Convert the raw headers list to a map to sort on (lowercased) header names only.
    QMap<QByteArray,QByteArray> headers;
    foreach (const QByteArray &rawHeader, request.rawHeaderList()) {
        headers.insert(rawHeader.toLower(), request.rawHeader(rawHeader));
    }
    // The "host" header is not included in QNetworkRequest::rawHeaderList, but will be sent by Qt.
    headers.insert("host", request.url().host().toUtf8());

    // Convert the headers map to a canonical string, keeping track of which headers we've included too.
    QByteArray canonicalHeaders;
    for (QMap<QByteArray,QByteArray>::const_iterator iter = headers.constBegin(); iter != headers.constEnd(); ++iter) {
        // Only include "host" and "x-amz-*" headers. Note, Amazon documentation states that latter as
        // "x-amz-" (ie with the trailing '-'), yet the official Amazon Java SDK tests for a "x-amz"
        // prefix. Thus the Java SDK would include headers with keys like "x-amzfoo", but here we do not
        // since that would disagree with the official documentation.
        if ((iter.key() == "host") || (iter.key().startsWith("x-amz-"))) {
            canonicalHeaders += canonicalHeader(iter.key(), iter.value()) + '\n';
            if (!signedHeaders->isEmpty()) *signedHeaders += ';';
            *signedHeaders += iter.key();
        }
    }
    return canonicalHeaders;
}

QByteArray AwsSignatureV3Private::canonicalRequest ( const QNetworkAccessManager::Operation  operation, const QNetworkRequest &  request, const QByteArray &  payload, QByteArray *const  signedHeaders  ) const

protected

Create an AWS V3 Signature canonical request.

Note, this function implments both AWS3 and AWS3-HTTPS variants of the AWS Signature version 3 - which are quite different.

Parameters

[in]	operation	The HTTP method being used for the request.
[in]	request	The network request to generate a canonical request for.
[in]	payload	Optional data being submitted in the request (eg for PUT and POST operations).
[out]	signedHeaders	A semi-colon separated list of the names of all headers included in the result.

Returns

An AWS V3 Signature canonical request.

See also

http://docs.aws.amazon.com/amazonswf/latest/developerguide/HMACAuth-swf.html (AWS3)

http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/RESTAuthentication.html (AWS3-HTTPS)

Definition at line 292 of file awssignaturev3.cpp.

References canonicalHeaders(), AwsAbstractSignaturePrivate::canonicalPath(), AwsAbstractSignaturePrivate::canonicalQuery(), AwsAbstractSignaturePrivate::httpMethod(), and isHttps().

Referenced by authorizationHeaderValue().

{
    // AWS3-HTTPS
    if (isHttps(request)) {
        Q_ASSERT((request.hasRawHeader("x-amz-date")) || (request.hasRawHeader("Date")));
        QByteArray canonicalRequest = request.rawHeader(request.hasRawHeader("x-amz-date") ? "x-amz-date" : "Date");
        if (request.hasRawHeader("x-amz-nonce")) {
            canonicalRequest += request.rawHeader("x-amz-nonce");
        }
        return canonicalRequest;
    }

    // AWS3
    return httpMethod(operation).toUtf8() + '\n' +
           canonicalPath(request.url()).toUtf8() + '\n' +
           canonicalQuery(QUrlQuery(request.url()))  + '\n' +
           canonicalHeaders(request, signedHeaders) + '\n' +
           payload;
}

bool AwsSignatureV3Private::isHttps ( const QNetworkRequest &  request )

inlinestaticprotected

Does a request use the HTTPS scheme?

Parameters

request

The network request to evaluate.

Returns

true if request uses the HTTPS scheme, false otherwise.

Definition at line 321 of file awssignaturev3.cpp.

Referenced by authorizationHeaderValue(), and canonicalRequest().

{
    return (request.url().scheme() == QLatin1String("https"));
}

void AwsSignatureV3Private::setAuthorizationHeader	(	const AwsAbstractCredentials &	credentials,
		const QNetworkAccessManager::Operation	operation,
		QNetworkRequest &	request,
		const QByteArray &	payload
	)		const

Set authorization header on a network request.

This function will calculate the authorization header value and set it as the Authorization HTTP header on request.

Parameters

[in]	credentials	The AWS credentials to use to sign the request.
[in]	operation	The HTTP method being used for the request.
[in,out]	request	The network request to add the authorization header to.
[in]	payload	Optional data being submitted in the request (eg for PUT and POST operations).

See also

http://docs.aws.amazon.com/general/latest/gr/sigV3-signed-request-examples.html

authorizationHeaderValue

Definition at line 340 of file awssignaturev3.cpp.

References authorizationHeaderValue().

{
    Q_ASSERT(!request.hasRawHeader("Authorization"));
    request.setRawHeader("Authorization", authorizationHeaderValue(credentials, operation, request, payload));
}

void AwsSignatureV3Private::setDateHeader	(	QNetworkRequest &	request,
		const QDateTime &	dateTime = QDateTime::currentDateTimeUtc()
	)		const

Set the AWS custom date header.

If request does not already contain an x-amz-date header, then this function will set a custom x-amz-date header to the value of dateTime formatted like "Fri, 09 Sep 2011 23:36:00 GMT".

Parameters

request	The network request to add the date header to.
dateTime	The timestamp (in UTC) to set the date header's value to.

Definition at line 358 of file awssignaturev3.cpp.

{
    Q_ASSERT(dateTime.timeSpec() == Qt::UTC);
    if (!request.hasRawHeader("x-amz-date")) {
        request.setRawHeader("x-amz-date", dateTime.toString(QLatin1String("ddd, dd MMM yyyy hh:mm:ss 'GMT'")).toUtf8());
    }
}

---

The documentation for this class was generated from the following files:

• core/awssignaturev3_p.h
• core/awssignaturev3.cpp