Spent a couple hours last night writing the core of a stripped down, PHP4 compatible API library for Amazon SimpleDB (in the style of my flickr simple library. Just not a fan of abstraction for its own sake). In the process I discovered that Amazon had revved the version on their “Signature Method”. Which is good news as SignatureVersion 1 contains a classic crypto-blunder in its design, namely it encourages collisions. (more details, also why you care about collisions) To date the solution was use SSL, and wait patiently, very patiently. So yay for Amazon fixing this! And in fairness, first couple of drafts of the OAuth spec contained a similar issue, though it got ironed out quickly. Yay for many eyes and the open web.

“OAuth-compatible” signing

Great things are more secure, good news and all, but that isn’t what caught my eye. This block of text did:

Here is what’s different about forming the string to sign for signature version 2:

• You include additional components of the request in the string to sign
• You include the query string control parameters (the equals signs and ampersands) in the string to sign
• You sort the query string parameters using byte ordering
• You URL encode the query string parameters and their values before signing the request

You really have to be an OAuth-dork to find anything special with that paragraph, but if you were, you’d notice that those 4 bullets are an incredibly succinct description of generating an OAuth signature. (in fact a more succinct description then appears anywhere in the OAuth documentation

Which meant that my SimpleDB library can reuse most of the logic from my OAuth library to do the trickiest part of the API call, namely the signing. (Additionally it means that security reviews of both protocols support each other)

So my AWS signing method is a approximately a dozen characters different then my OAuth method and as straightforward as:

    .....

    $signature = aws_request_signature(AWS_SECRET_KEY, $http_method, AWS_SIMPLEDB_SERVICEURL, $parameters);
    $parameters['Signature'] = $signature;

    $encoded_params = array();

    foreach ($parameters as $k => $v){
        $encoded_params[] = oauth_urlencodeRFC3986($k).'='.oauth_urlencodeRFC3986($v);
    }

    $request_url = AWS_SIMPLEDB_SERVICEURL . '?' . implode('&', $encoded_params);

    .....

    function aws_request_signature($key, $http_method, $service_url, $parameters) {
        $base_string = aws_base_string($http_method, $service_url, $parameters);
        return base64_encode(hash_hmac('sha1', $base_string, $key, true));
    }

    function aws_base_string($http_method, $service_url, $parameters) {
        $parsed = parse_url($service_url);

        $host = strtolower($parsed['host']);
        $path = $parsed['path'] ? $parsed['path'] : '/';
        $data = array(
            strtoupper($http_method),
            $host,
            $path,
            oauth_normalized_request_params($parameters)
        );

        $base_string = join("\n", $data);
        return $base_string;
    }

(this uses my personal OAuth library, but your library should have similar methods)

Sure made my jobs of implementing a library easier. If you’re going to invent a new crypto protocol, please consider doing like Amazon, and re-using the basic building blocks. (which also happen to be best practices)

http://developer.amazonwebservices.com/connect/message.jspa?messageID=79978#79978

http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1148

http://www.amazon.com/gp/browse.html?node=342335011

• Amazon EC2 Getting Started Guide – very approachable walk through on get EC2 up and running
• How I Set Up My EC2 Instance for Rails & Litespeed – bit more specific instructions, not entirely accurate
• Fedora Core 6 Lite Base Image – simple, actively used AMI. The Debian images came with too many caveats.
• Changing your mysql data directory – /mnt is the new /var
• Dead Simple Deployment (with Mongrel and Rails) – basic Mongrel cluster instructions.
• Time For A Grown-Up Server: Rails, Mongrel, Apache, Capistrano and You – never had much luck with Pen and co — Apache2′s proxying modules rawk!
• Fedora memcache + drupal walkthrough – memcached on Fedora
• Howto: rpmbuild – sudo yum install fedora-rpmdevtools
• My Rails Toolbox

Also some yum’ed packages:

yum install sudo gcc ruby ruby-libs ruby-mode ruby-rdoc ruby-irb ruby-ri ruby-docs ruby-devel rsync ruby-mysql.i386 mysql mysql-devel mysql-server mysql-admin httpd-devel apr apr-devel apr-util-devel subversion libevent

Nik over at TechCrunch however ran the numbers, and its looking more like what I get from John Companies, and less like the great mapreduce grid in the sky I was hoping for.