Blog posts tagged "aws"

New Amazon AWS Signature Version 2 is “OAuth-compatible”

December 30th, 2008


Spent a couple of hours last night writing the core of a stripped down, PHP4 compatible API library for Amazon SimpleDB (in the style of my flickr simple library; just not a fan of abstraction for its own sake). In the process I discovered that Amazon had revved the version on their “Signature Method”, which is good news, as SignatureVersion 1 contains a classic crypto blunder in its design: it encourages collisions. (more details, also why you care about collisions) To date the solution was to use SSL, and wait patiently, very patiently. So yay for Amazon fixing this! And in fairness, the first couple of drafts of the OAuth spec contained a similar issue, though it got ironed out quickly. Yay for many eyes and the open web.

“OAuth-compatible” signing

Great, things are more secure, good news and all, but that isn’t what caught my eye. This block of text did:

Here is what’s different about forming the string to sign for signature version 2:

  • You include additional components of the request in the string to sign
  • You include the query string control parameters (the equals signs and ampersands) in the string to sign
  • You sort the query string parameters using byte ordering
  • You URL encode the query string parameters and their values before signing the request

You really have to be an OAuth dork to find anything special in that paragraph, but if you were, you’d notice that those 4 bullets are an incredibly succinct description of generating an OAuth signature (in fact a more succinct description than appears anywhere in the OAuth documentation).

Which meant that my SimpleDB library can reuse most of the logic from my OAuth library to do the trickiest part of the API call, namely the signing. (Additionally it means that security reviews of both protocols support each other)

So my AWS signing method is approximately a dozen characters different from my OAuth method, and as straightforward as:


    // AWS_SECRET_KEY, AWS_SIMPLEDB_SERVICEURL, $http_method and $parameters (the
    // request's query parameters, without 'Signature') are set up by the caller.
    $signature = aws_request_signature(AWS_SECRET_KEY, $http_method, AWS_SIMPLEDB_SERVICEURL, $parameters);
    $parameters['Signature'] = $signature;

    $encoded_params = array();

    foreach ($parameters as $k => $v) {
        $encoded_params[] = oauth_urlencodeRFC3986($k) . '=' . oauth_urlencodeRFC3986($v);
    }

    $request_url = AWS_SIMPLEDB_SERVICEURL . '?' . implode('&', $encoded_params);


    // Base64 of an HMAC-SHA1 over the string to sign, keyed with the secret key.
    function aws_request_signature($key, $http_method, $service_url, $parameters) {
        $base_string = aws_base_string($http_method, $service_url, $parameters);
        return base64_encode(hash_hmac('sha1', $base_string, $key, true));
    }

    // The string to sign, one component per line: HTTP method, lowercased host,
    // path (or '/'), then the byte-ordered, RFC 3986 encoded query string with its
    // '=' and '&' kept, which is exactly the four bullets above.
    function aws_base_string($http_method, $service_url, $parameters) {
        $parsed = parse_url($service_url);

        $host = strtolower($parsed['host']);
        $path = (isset($parsed['path']) && $parsed['path'] !== '') ? $parsed['path'] : '/';

        ksort($parameters, SORT_STRING);   // byte ordering of the parameter names
        $pairs = array();
        foreach ($parameters as $k => $v) {
            $pairs[] = oauth_urlencodeRFC3986($k) . '=' . oauth_urlencodeRFC3986($v);
        }
        $data = array($http_method, $host, $path, implode('&', $pairs));

        $base_string = join("\n", $data);
        return $base_string;
    }

    // Stand-in for the OAuth library's encoder, used only if your library lacks one:
    // RFC 3986 unreserved characters stay as-is, everything else is percent-encoded.
    if (!function_exists('oauth_urlencodeRFC3986')) {
        function oauth_urlencodeRFC3986($s) {
            return str_replace('%7E', '~', rawurlencode($s));
        }
    }

(this uses my personal OAuth library, but your library should have similar methods)

Sure made my job of implementing a library easier. If you’re going to invent a new crypto protocol, please consider doing as Amazon did and reusing the basic building blocks (which also happen to be best practices).
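The four bullets above, as an added example that is not the post's code: a Python rendering of both strings to sign, side by side, plus the check the receiving end would run. SignatureVersion 1 concatenated the case-insensitively sorted parameter names and values with no separators, which is the collision the post refers to; the service URL, secret and parameter sets below are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def sigv1_string_to_sign(params):
    # SignatureVersion 1: sort names case-insensitively, then concatenate each
    # name and value with no separator and no encoding. That missing delimiter
    # is what lets two different parameter sets produce the same string.
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "".join(k + v for k, v in ordered)

def sigv2_string_to_sign(method, service_url, params):
    # SignatureVersion 2, per the four bullets: method, lowercased host and path
    # as extra components; '=' and '&' kept; names in byte order; RFC 3986 encoding.
    parts = urlsplit(service_url)
    host = parts.netloc.lower()
    path = parts.path or "/"
    canonical = "&".join(
        quote(k, safe="-_.~") + "=" + quote(v, safe="-_.~")
        for k, v in sorted(params.items())  # code-point order is byte order for ASCII names
    )
    return "\n".join([method, host, path, canonical])

def sigv2_sign(secret, method, service_url, params):
    # Base64 of HMAC-SHA1 over the version 2 string to sign, as the PHP above does.
    msg = sigv2_string_to_sign(method, service_url, params).encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha1).digest()).decode()

def sigv2_verify(secret, method, service_url, params):
    # Receiving side: drop the presented Signature, recompute, compare in constant time.
    presented = params.get("Signature")
    if presented is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    return hmac.compare_digest(presented, sigv2_sign(secret, method, service_url, unsigned))

# Constructed sample: two different requests whose version 1 strings coincide.
SERVICE_URL = "https://sdb.amazonaws.com/"
SECRET = "constructed-secret-not-a-real-key"
REQUEST_A = {"Item": "Name1"}
REQUEST_B = {"ItemName": "1"}

if __name__ == "__main__":
    print(sigv1_string_to_sign(REQUEST_A) == sigv1_string_to_sign(REQUEST_B))  # True
    print(sigv2_string_to_sign("GET", SERVICE_URL, REQUEST_A) ==
          sigv2_string_to_sign("GET", SERVICE_URL, REQUEST_B))  # False
```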

Some EC2, Fedora, Rails, Mongrel, Memcached Links

April 12th, 2007

I had done some futzing around with EC2, but ExpoCal is the first web app I’ve brought up and run on it. Also my first outing with Fedora. Some links:

Also some yum’ed packages:

yum install sudo gcc ruby ruby-libs ruby-mode ruby-rdoc ruby-irb ruby-ri ruby-docs ruby-devel rsync ruby-mysql.i386 mysql mysql-devel mysql-server mysql-admin httpd-devel apr apr-devel apr-util-devel subversion libevent

Amazon EC2: Still working on the “elastic” part?

August 24th, 2006

I’ve been waiting for an Amazon compute cluster ever since S3 came out, and like Les I tried, and failed, to sign up for EC2 beta as soon as I got the email. What all you freaks were doing up around 5am signing up for webservices I’ll never know.

Nik over at TechCrunch, however, ran the numbers, and it’s looking more like what I get from John Companies, and less like the great mapreduce grid in the sky I was hoping for.
