This article mainly introduces the request signature required to create a COS interface using PHP. It is compared with the examples given in the official documents to verify the correctness of the algorithm. Friends in need can refer to it
What is COS and request signature
COS is the abbreviation and abbreviation of Tencent Cloud Object Storage. The request signature is created by a specific algorithm and needs to be provided by a third party on demand when calling COS related interfaces. A set of string information that will uniquely identify the current third-party identity and provide identification of both communicating parties. Only valid signed COS will provide services
Goal
Use PHP to create the request signature required for the COS interface, compare it with the example given in the official document, and verify the correctness of the algorithm
Understand the request signature
Come first Look at the request signature given in an official document
q-sign-algorithm=sha1&q-ak=[SecretID]&q-sign-time=[SignTime]&q-key-time=[KeyTime ]&q-header-list=[SignedHeaderList]&q-url-param-list=[SignedParameterList]&q-signature=[Signature]
Request signature feature summary
-
is a key-value pair format of a string
key=value, the key is a fixed value
There are 7 pairs of keys in total =value
sha1 is also a parameter, but as of the official release, only sha1 is supported, so you can directly assign values to
SignedHeaderList, SignedParameterList, and Signature. value needs to be generated through an algorithm
For detailed description of key-value pairs, please refer to the official documentation.
Breakdown one by one
Requesting a signature requires a total of 7 values. Let’s explain one by one below and break each one
q-sign-algorithm
Signature algorithm, official Currently only sha1 is supported, so just give the value directly
q-ak
The account ID, which is the user's SecretId, can be obtained on the console Cloud API Key page
q-sign-time
The valid start and end time of the current signature, Unix timestamp format, English half-width semicolon; separated, format such as 1480932292;1481012298
q-key-time
Same as q-sign-time value
q-header-list
Personal understanding, it consists of HTTP request headers, take all or part of the request headers, and change the request in the form of key:value The key part of the item is taken out, converted to lowercase, multiple keys are sorted according to the dictionary, and connected with the characters ; to finally form a string
For example, the original request header has two:
Host: bucket1-1254000000.cos.ap-beijing.myqcloud.com
Content-Type:image/jpeg
key is Host and Content-Type. After operation, content-type;host# is output.
##q-url-param-list
Personal understanding, it consists of HTTP request parameters, take all or part of the request parameters, take out the key part of the request parameter in the form of key=value, and convert it to lowercase. Multiple keys are sorted by dictionary, connected by characters ;, and finally formed into a string
For example, the original HTTP request is:
GET /?prefix=abc&max-keys=20
key is prefix and max-keys. After operation, max-keys;prefix is output. If the request has no parameters such as put and post, it will be empty.
q-signature
Calculate the signature based on the HTTP content. The algorithm is provided by COS. Just give the value as required
Official examples and reference results
Before starting to write logic, take a look at the official examples. The reference value, as well as the calculated result, in order to compare the result with the logic developed by yourself
HTTP original request can also be understood as the HTTP request before calculating the signature or when no signature is required:
PUT /testfile2 HTTP/1.1Host: bucket1-1254000000.cos.ap-beijing.myqcloud.com
x-cos-content-sha1: 7b502c3a1f48c8609ae212cdfb639dee39673f5e
x-cos-storage -class: standard
Hello world
The HTTP request you should get after calculating the signature:
PUT /testfile2 HTTP/1.1
Host: bucket1-1254000000.cos.ap-beijing.myqcloud.com
x-cos-content-sha1: 7b502c3a1f48c8609ae212cdfb639dee39673f5e
x-cos-storage -class: standard
Authorization: q-sign-algorithm=sha1&q-ak=AKIDQjz3ltompVjBni5LitkWHFlFpwkn9U5q&> q-sign-time=1417773892;1417853898&q-key-time=1417773892;1417853898&q-header-list =host;x-cos-content -sha1;x-cos-storage-class&q-url-param-list=&q-signature=14e6ebd7955b0c6da532151bf97045e2c5a64e10
Hello world
Conclusion: If the algorithm can get the one after Authorization The string string is correct
Preparation work
Let’s take a look at the (officially provided) user information and HTTP information:
- ##SecretId: AKIDQjz3ltompVjBni5LitkWHFlFpwkn9U5q
- SecretKey: BQYIM75p8x0iWVFSIgqEKwFprpRSVHlz
- Signature valid start time: 1417773892
- Signature valid stop time: 1417853898
- HTTP original request header: According to the example in the previous section, it is not difficult to get that the HTTP original request has three contents: Host, x-cos-content-sha1 and x-cos-storage-class
- HTTP request parameters: Is it a PUT request, no? Parameters
Calculate signature
Put all parameters in preparation Bringing in the request signature rules, it is not difficult to get the results, as shown in the following table:
Key (key) | Value(value) | Remark |
##q-sign-algorithm
sha1 |
Currently only supported sha1 signature algorithm |
|
q-ak
AKIDQjz3ltompVjBni5LitkWHFlFpwkn9U5q |
SecretId field |
|
q-sign-time
1417773892;1417853898 |
2014/12/5 18:04:52 to 2014/12/6 16:18:18 |
|
q- key-time
1417773892;1417853898 |
2014/12/5 18:04:52 to 2014/12/6 16:18:18 |
|
q-header-list
host;x-cos-content-sha1;x-cos-storage-class |
lexicographically sorted list of HTTP header keys |
|
q-url-param-list
|
HTTP parameter list is empty |
|
q-signature
14e6ebd7955b0c6da532151bf97045e2c5a64e10 |
Calculated by code |
|
But where did q-signature come from?
As mentioned just now, q-signature also needs to be calculated by a specific algorithm. The following explains how to calculate it
Calculate the request signature
Look at the code first :
/**
* 计算签名
* secretId、secretKey 为必需参数,qSignStart、qSignEnd为调试需要,测试通过后应取消,改为方法内自动创建
*/
function get_authorization( $secretId, $secretKey, $qSignStart, $qSignEnd, $fileUri, $headers ){
/*
* 计算COS签名
* 2018-05-17
* author:cinlap <cash216@163>
* ref:https://cloud.tencent.com/document/product/436/7778
*/
$qSignTime = "$qSignStart;$qSignEnd"; //unix_timestamp;unix_timestamp
$qKeyTime = $qSignTime;
$header_list = get_q_header_list($headers);
//如果 Uri 中带有 ?的请求参数,该处应为数组排序后的字符串组合
$url_param_list = '';
//compute signature
$httpMethod = 'put';
$httpUri = $fileUri;
//与 q-url-param-list 相同
$httpParameters = $url_param_list;
//将自定义请求头分解为 & 连接的字符串
$headerString = get_http_header_string( $headers );
// 计算签名中的 signature 部分
$signTime = $qSignTime;
$signKey = hash_hmac('sha1', $signTime, $secretKey);
$httpString = "$httpMethod\n$httpUri\n$httpParameters\n$headerString\n";
$sha1edHttpString = sha1($httpString);
$stringToSign = "sha1\n$signTime\n$sha1edHttpString\n";
$signature = hash_hmac('sha1', $stringToSign, $signKey);
//组合结果
$authorization = "q-sign-algorithm=sha1&q-ak=$secretId&q-sign-time=$qSignTime&q-key-time=$qKeyTime&q-header-list=$header_list&q-url-param-list=$url_param_list&q-signature=$signature";
return $authorization;
}
Copy after login
For testing, this method should have more parameters than needed. The first six parameters have been given and come from the user, so directly Assign a value to get the following string:
$authorization = "q-sign-algorithm=sha1&q-ak=$secretId&q-sign-time=$qSignTime&q-key-time=$qKeyTime...
$header_list This value must comply with the q-header-list
rules and therefore needs to be calculated. The logic is as described above, which is to extract keys from the established request items to form an orderly String, the code is as follows:
/**
* 按COS要求对header_list内容进行转换
* 提取所有key
* 字典排序
* key转换为小写
* 多对key=value之间用连接符连接
*
*/
function get_q_header_list($headers){
if(!is_array($headers)){
return false;
}
try{
$tmpArray = array();
foreach( $headers as $key=>$value){
array_push($tmpArray, strtolower($key));
}
sort($tmpArray);
return implode(';', $tmpArray);
}
catch(Exception $error){
return false;
}
}
Copy after login
$url-param-list As mentioned above, this value is an HTTP request parameter. There is no ? parameter for the PUT method, naturally. The value is empty, so the code is "lazy" and directly gives the empty string.
Signature calculation and things to be careful about
The official has given a complete Algorithm, PHP and even written code, I should be very happy (but! I was dizzy after reading the official document, so I will explain it later), first take a look at the "format" of signature:
SignKey = HMAC-SHA1(SecretKey,"[q-key-time]")
HttpString = [HttpMethod]\n[HttpURI]\n[HttpParameters]\n[HttpHeaders]\n
StringToSign = [q-sign-algorithm]\n[q-sign-time]\nSHA1-HASH(HttpString)\n
Signature = HMAC-SHA1(SignKey,StringToSign)
again Take a look at the complete algorithm of Signature:
$signTime = $qSignTime;
$signKey = hash_hmac('sha1', $signTime, $secretKey);
$httpString = "$httpMethod \n$httpUri\n$httpParameters\n$headerString\n";
$sha1edHttpString = sha1($httpString);
$stringToSign = "sha1\n$signTime\n$sha1edHttpString\n";
$signature = hash_hmac('sha1', $stringToSign, $signKey);
$signTime: very simple, a string consisting of start and end time, just use it from above
$ signKey: HMAC-SHA1 algorithm can be calculated directly
$httpString: The four parts need to be said separately
1, $httpMethod: HTTP request method, lowercase, such as put, get
2. $httpUri: The URI part of the HTTP request, starting from the "/" virtual root, such as /testfile means creating a file called testfile in the root directory of the bucket, /image/face1.jpg means creating a file called testfile in the root directory/image directory. Create a file called face1.jpg. As for whether it is an image file or not, it doesn’t matter
3, $httpParameters: This is the first place to be careful. It consists of HTTP original request parameters, that is, the part after ? in the request URI. This example calls the PUT Object interface, so it is empty. If it is not empty, you need to convert the key and value of each item of the request parameter to lowercase. Multiple pairs of key=value are sorted by dictionary and connected with &
4. $headerString: This is the second place to be careful. , consisting of HTTP original request headers. According to the request headers, select all or part of the request headers, convert the keys of each item to lowercase, convert the values to URLEncode, change the format of each item to key=value, and then proceed according to the key. Dictionary sorting, and finally use the connector & to form a string. This is the logic I compiled. The code is as follows:
/**
* 按COS要求从数组中获取 Signature 中 [HttpString] 内容
* 标准格式 key=value&key=value&...
* 数组元素按键字典排序 *
* key转换为小写
* value进行UrlEncode转换
* 转换为key=value格式
* 多对key=value之间用连接符连接
*
*/
function get_http_header_string($headers){
if(!is_array($headers)){
return false;
}
try{
$tmpArray = array();
foreach($headers as $key => $value){
$tmpKey = strtolower($key);
$tmpArray[$tmpKey] = urlencode($value);
}
ksort($tmpArray);
$headerArray = array();
foreach( $tmpArray as $key => $value){
array_push($headerArray, "$key=$value");
}
return implode('&', $headerArray);
}
catch(Exception $error){
return false;
}
}
Copy after login
Why should you be careful?
HTTP original request headers and request parameters are used in four places, namely q-header-list in the request signature and HttpHeaders in the Signature - both use the HTTP original request header; request signature q-url-param-list in Signature and HttpParameters in Signature - both use HTTP request parameters. Be sure to ensure that the number of HTTP request headers and request parameters selected is consistent with the object
: the number and members of the HTTP request headers generated by q-header-list must be the same as those used to generate HttpHeaders. The number and members of the HTTP request parameters generated by q-url-param-list must be the same as those generated by HttpParameters.
is different: q-header-list and q-url-param-list only take In the key part, HttpHeaders and HttpParameters take the key and value parts
Output results and verification
At this point, there are 7 values in the request signature Some of them come from user information, and some need to be calculated. All the calculation methods and personal understanding of why they are calculated are also given above. Finally, you only need to output according to the official requirements. take a look
The above is the detailed content of PHP generates the relevant content of the request signature required by Tencent Cloud COS interface. For more information, please follow other related articles on the PHP Chinese website!