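I am trying to fetch bucket object versions using the getBucketObjectVersions operation with Signature v4. If I don't add any request parameters, as in the sample request below, I get the response successfully.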
GET /signv4testq23a1/?versions
Authorization: AWS4-HMAC-SHA256 Credential=AKXXXXXXXXXXXEA/20171220/us-east-2/s3/aws4_request,SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date,Signature=fe3d26c4sdasdasd7fa15324XXXXX563dsf148df58d131b4cede6
x-amz-content-sha256: UNSIGNED-PAYLOAD
x-amz-date: Wed, 20 Dec 2017 07:22:14 GMT
Content-Type: application/xml
Host: s3.us-east-2.amazonaws.com

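If I add any request parameter, as in the sample request below, I get a SignatureDoesNotMatch error. Note that the canonical request generated when calculating the signature is the same as the canonical request expected by the backend service. However, I get a different hashed canonical request value than the one expected in the StringToSign value from the backend service.
What could be the reason?
Sample request with a request parameter: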
GET /signv4testq23a1/?versions&delimiter=/
Authorization: AWS4-HMAC-SHA256 Credential=AKXXXXXXXXXXXEA/20171220/us-east-2/s3/aws4_request,SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date,Signature=192ce5f5e6b661bd5aXXXXXXXXXXXEAe5f50fbe8efda5a3e967d4f27972e
x-amz-date: Wed, 20 Dec 2017 08:53:17 GMT
Content-Type: application/xml
Host: s3.us-east-2.amazonaws.com

Canonical request:
GET
/signv4testq23a1/
delimiter=%2F&versions=
content-type:application/xml
host:s3.us-east-2.amazonaws.com
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:Wed, 20 Dec 2017 08:53:17 GMT
content-type;host;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD

Answer 0 (score: 1)
Here is a problem:
delimiter=%2F&versions=
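The keys and values should be url-escaped (encoded), but the & between the parameters should not be escaped as & ... it should just be &. You need to encode each key and value, not the entire string, then sort and assemble.
CanonicalQueryString specifies the URI-encoded query string parameters. You URI-encode the name and values individually.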
http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
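
The rule from this answer as an added Python example (not code from the question, the answer, or AWS): each name and value is URI-encoded on its own, the pairs are sorted, and they are joined with a literal `&`. The function names are assumptions; the header values are taken from the request in the question.

```python
import hashlib
from urllib.parse import quote, unquote

def uri_encode(s):
    # SigV4 URI-encoding: only A-Z a-z 0-9 - _ . ~ stay unescaped
    return quote(s, safe="-_.~")

def canonical_query_string(raw_query):
    """raw_query is the text after '?', e.g. 'versions&delimiter=/'."""
    pairs = []
    for part in raw_query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        # Decode first so already-escaped input is not double-encoded,
        # then encode name and value individually.
        pairs.append((uri_encode(unquote(name)), uri_encode(unquote(value))))
    pairs.sort()  # sort by encoded name, then by encoded value
    # The separator is a literal '&'; it is never escaped.
    return "&".join(f"{n}={v}" for n, v in pairs)

def canonical_request(method, path, raw_query, headers, payload_hash):
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(lowered)
    canon_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    return "\n".join([method, path, canonical_query_string(raw_query),
                      canon_headers, ";".join(names), payload_hash])

def hashed(canon):
    # This hex digest is the last line of StringToSign.
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

# Header values copied from the failing request in the question.
HEADERS = {
    "Content-Type": "application/xml",
    "Host": "s3.us-east-2.amazonaws.com",
    "x-amz-content-sha256": "UNSIGNED-PAYLOAD",
    "x-amz-date": "Wed, 20 Dec 2017 08:53:17 GMT",
}
GOOD = canonical_request("GET", "/signv4testq23a1/", "versions&delimiter=/",
                         HEADERS, "UNSIGNED-PAYLOAD")
# Constructed failure case: the separator was HTML-escaped before hashing.
BAD = GOOD.replace("%2F&versions=", "%2F&amp;versions=")

if __name__ == "__main__":
    print(canonical_query_string("versions&delimiter=/"))
    print(hashed(GOOD))
    print(hashed(BAD))
```

Two canonical requests that look identical once rendered can still hash differently, so compare the raw bytes that were hashed rather than the displayed text.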