
How to generate an AWS4 signature


  • Admin

    Hello guys, so people don't seem to understand how to generate an AWS4 signature using blocks.

    This is the LoliScript code for the example given here https://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html

    SET VAR "KEY" "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
    SET VAR "DATE" "20120215"
    SET VAR "REGION" "us-east-1"
    SET VAR "SERVICE" "iam"
    
    UTILITY Conversion UTF8 BASE64 "AWS4<KEY>" -> VAR "KSECRET_B64" 
    UTILITY Conversion BASE64 HEX "<KSECRET_B64>" -> VAR "KSECRET_HEX" 
    FUNCTION HMAC SHA256 "<KSECRET_B64>" HmacBase64=TRUE KeyBase64=TRUE "<DATE>" -> VAR "KDATE_B64" 
    UTILITY Conversion BASE64 HEX "<KDATE_B64>" -> VAR "KDATE_HEX" 
    FUNCTION HMAC SHA256 "<KDATE_B64>" HmacBase64=TRUE KeyBase64=TRUE "<REGION>" -> VAR "KREGION_B64" 
    UTILITY Conversion BASE64 HEX "<KREGION_B64>" -> VAR "KREGION_HEX" 
    FUNCTION HMAC SHA256 "<KREGION_B64>" HmacBase64=TRUE KeyBase64=TRUE "<SERVICE>" -> VAR "KSERVICE_B64" 
    UTILITY Conversion BASE64 HEX "<KSERVICE_B64>" -> VAR "KSERVICE_HEX" 
    FUNCTION HMAC SHA256 "<KSERVICE_B64>" HmacBase64=TRUE KeyBase64=TRUE "aws4_request" -> VAR "KSIGNING_B64" 
    UTILITY Conversion BASE64 HEX "<KSIGNING_B64>" -> VAR "KSIGNING_HEX" 
    FUNCTION ToLowercase "<KSIGNING_HEX>" -> VAR "SIGNATURE" 
    

    Of course you will have to change the 4 variables declared at the beginning of the script according to your specific case.

    Note: The BASE64 to HEX conversions aren't actually useful for getting the signature (except for the last one), so you can skip them; they are just there to make sure every step matches the ones given in the AWS example documentation.

    Have a good one,

    Ruri



  • Thanks bro, really cool, but I don't understand how we can get the key?


  • Admin

    I guess it's given to you by AWS?



  • I got confused, this is only to generate the signing_key, right? And not the signature?



  • Admin

    Yeah that's right



  • My problem is the string to sign

    AWS4-HMAC-SHA256\n20150830T123600Z\n20150830/us-east-1/iam/aws4_request\nf536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59

    I put this sample as a constant and the output should be like:
    AWS4-HMAC-SHA256
    20150830T123600Z
    20150830/us-east-1/iam/aws4_request
    f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59

    But it's not doable on OB, any suggestion?


  • Admin

    If you want to send \n in the post data you have to write \\n otherwise it interprets it as a new line. If you want to actually have new lines, just write \n in the post data



  • Actually that is not from post data 😞
    I thought OB would interpret \n as a new line even in a FUNCTION constant.


  • Admin

    No, I only added it for the post data, sorry. Post a feature request on GitHub if you want that.





  • I'm despairing a little over the creation of the AWS signature and do not know where my mistake is.
    I've already followed your guide where you explained it.
    But I'm still getting this error:

    {"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    
    The Canonical String for this request should have been
    'GET
    

    It's a Response Method "GET" and I'm trying to regenerate the AWS Auth.
    This is how it must look when I debug it:

    Authorization: AWS4-HMAC-SHA256 Credential=ASIAVV37AJTTIG4UGCED/20201218/eu-west-1/execute-api/aws4_request, SignedHeaders=accept;host;x-amz-date;x-tracking-uuid, Signature=2849d67541f2165bf9c39a4b55ba1c6799aae236d1b55602eae7d74ea3c4061c
    

    The Credential values are obtained from their aws_sessions.json and it looks like:

    {"access_key_id":"ASIAVV37AJTTIG4UGCED","secret_access_key":"tjb1AKWgfku6TSpyBhEJXNLDLpVoDZ/E8yl1udLV","session_token":"NOTNEEDED","expiration":"2020-12-18T10:28:09.000Z","uuid":"23da3fad973e11bf2d5b88576aaa87b7","timestamp":"2020-12-18T10:10:09.123Z"}
    

    Now I tried to generate the Signature that needs to be used in the GET Method:

    SET VAR "KEY" "tjb1AKWgfku6TSpyBhEJXNLDLpVoDZ/E8yl1udLV"
    SET VAR "DATE" "20201218"
    SET VAR "REGION" "eu-west-1"
    SET VAR "SERVICE" "execute-api"
    
    UTILITY Conversion UTF8 BASE64 "AWS4<KEY>" -> VAR "KSECRET_B64"
    FUNCTION HMAC SHA256 "<KSECRET_B64>" HmacBase64=TRUE KeyBase64=TRUE "<DATE>" -> VAR "KDATE_B64"
    FUNCTION HMAC SHA256 "<KDATE_B64>" HmacBase64=TRUE KeyBase64=TRUE "<REGION>" -> VAR "KREGION_B64"
    FUNCTION HMAC SHA256 "<KREGION_B64>" HmacBase64=TRUE KeyBase64=TRUE "<SERVICE>" -> VAR "KSERVICE_B64"
    FUNCTION HMAC SHA256 "<KSERVICE_B64>" HmacBase64=TRUE KeyBase64=TRUE "aws4_request" -> VAR "KSIGNING_B64"
    UTILITY Conversion BASE64 HEX "<KSIGNING_B64>" -> VAR "KSIGNING_HEX"
    FUNCTION ToLowercase "<KSIGNING_HEX>" -> VAR "SIGNATURE"
    
    OUTPUT:
    a1433af07a3b2d53f23c0a622ece2e5f99bd5f02b76070d0714bf7d6c4d6f8a7
    

    As you might have noticed, the OUTPUT
    a1433af07a3b2d53f23c0a622ece2e5f99bd5f02b76070d0714bf7d6c4d6f8a7

    is different to the needed SIGNATURE
    2849d67541f2165bf9c39a4b55ba1c6799aae236d1b55602eae7d74ea3c4061c

    I hope for your help; feel free to ask further questions or DM me.



  • https://github.com/PurityWasHere/AWS4-Signing-API

    I actually made an API for this a while back because I couldn't get it working reliably in OB itself.



  • Signature expired: 20210305T000000Z is now earlier than 20210305T090919Z (20210305T091419Z - 5 min
    

    What might be the problem?

    The code:

    SET VAR "KEY" "iEJ7zQkJ3i0m77Udq89Wa5gxl8y1lcLIUwE9bGaS"
    SET VAR "DATE" "20210305"
    SET VAR "REGION" "eu-west-1"
    SET VAR "SERVICE" "execute-api"
    
    UTILITY Conversion UTF8 BASE64 "AWS4<KEY>" -> VAR "KSECRET_B64" 
    
    FUNCTION HMAC SHA256 "<KSECRET_B64>" HmacBase64=TRUE KeyBase64=TRUE "<DATE>" -> VAR "KDATE_B64" 
    
    FUNCTION HMAC SHA256 "<KDATE_B64>" HmacBase64=TRUE KeyBase64=TRUE "<REGION>" -> VAR "KREGION_B64" 
    
    FUNCTION HMAC SHA256 "<KREGION_B64>" HmacBase64=TRUE KeyBase64=TRUE "<SERVICE>" -> VAR "KSERVICE_B64" 
    
    FUNCTION HMAC SHA256 "<KSERVICE_B64>" HmacBase64=TRUE KeyBase64=TRUE "aws4_request" -> VAR "KSIGNING_B64" 
    
    UTILITY Conversion BASE64 HEX "<KSIGNING_B64>" -> VAR "KSIGNING_HEX" 
    
    FUNCTION ToLowercase "<KSIGNING_HEX>" -> VAR "SIGNATURE" 
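
Added example (not part of the original thread, and not code from any poster or from OpenBullet): the HMAC chain from the first post yields only the signing key; the signature is one more HMAC over the string to sign, whose four fields are joined by real newline characters, and the timestamp in it has to be the current UTC time rather than midnight, which is what the "Signature expired" message above reports. The function names and the 5-minute window (read off that error message) are assumptions; the key and hash are the AWS documentation sample values quoted in the thread.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Sample values quoted in the thread (AWS documentation examples, not live credentials).
SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
CANONICAL_REQUEST_HASH = "f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59"


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSigning: the same HMAC chain as the LoliScript. This is not the signature."""
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac_sha256(key, part)
    return key


def string_to_sign(amz_date: str, region: str, service: str, request_hash: str) -> str:
    """Four fields joined by real newline characters (0x0A), not a literal backslash-n."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, request_hash])


def signature(secret: str, amz_date: str, region: str, service: str, request_hash: str) -> str:
    """Final step: HMAC the string to sign with kSigning and hex-encode the result."""
    key = signing_key(secret, amz_date[:8], region, service)
    return hmac_sha256(key, string_to_sign(amz_date, region, service, request_hash)).hex()


def within_skew(amz_date: str, now: datetime, minutes: int = 5) -> bool:
    """True if the signed timestamp is within the allowed clock skew of `now` (UTC).
    The 5-minute default is an assumption taken from the error message in the thread."""
    signed = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return abs(now - signed) <= timedelta(minutes=minutes)


if __name__ == "__main__":
    print("signing key:", signing_key(SECRET, "20150830", "us-east-1", "iam").hex())
    print("signature:  ", signature(SECRET, "20150830T123600Z", "us-east-1", "iam",
                                    CANONICAL_REQUEST_HASH))
    server_now = datetime(2021, 3, 5, 9, 14, 19, tzinfo=timezone.utc)
    print("midnight stamp accepted:", within_skew("20210305T000000Z", server_now))
```

The hash passed as `request_hash` is the SHA-256 of the canonical request, so a mismatch in method, path, query, signed headers or payload hash changes the signature even when the signing key is correct.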
    
