PHP generates the request signature required by Tencent Cloud COS interface

This article mainly introduces the request signature required to create a COS interface using PHP. It is compared with the examples given in the official documents to verify the correctness of the algorithm. Friends in need can refer to it

What is COS and request signature

COS is the abbreviation and abbreviation of Tencent Cloud Object Storage. The request signature is created by a specific algorithm and needs to be provided by a third party on demand when calling COS related interfaces. A set of string information that will uniquely identify the current third-party identity and provide identification of both communicating parties. Only valid signed COS will provide services

Goal

Use PHP to create the request signature required for the COS interface, compare it with the example given in the official document, and verify the correctness of the algorithm

Understand the request signature

Come first Look at the request signature given in an official document

q-sign-algorithm=sha1&q-ak=[SecretID]&q-sign-time=[SignTime]&q-key-time=[KeyTime]&q-header-list=[SignedHeaderList]&q-url-param-list=[SignedParameterList]&q-signature=[Signature]

Summary of the characteristics of the request signature

• is a string of characters

• key=value key-value pair format, key is a fixed value

• There are 7 pairs of key=value

• sha1 is also a parameter, but As of the official release, only sha1 is supported, so you can directly assign values

• SignedHeaderList, SignedParameterList, and Signature three values need to be generated through algorithms

key values For a detailed description, see the official documentation.

Breakdown one by one

Requesting a signature requires a total of 7 values. Let’s explain one by one below and break each one

q-sign-algorithm

Signature algorithm, official Currently only sha1 is supported, so just give the value directly

q-ak

The account ID, which is the user's SecretId, can be obtained on the console Cloud API Key page

q-sign-time

The valid start and end time of the current signature, Unix timestamp format, English half-width semicolon; separated, format such as 1480932292;1481012298

q-key-time

Same as q-sign-time value

q-header-list

Personal understanding, it consists of HTTP request headers, take all or part of the request headers, and change the request in the form of key:value The key part of the item is taken out, converted to lower case, multiple keys are sorted according to the dictionary, and connected with the characters ; to finally form a string

For example, the original request header has two:

Host:bucket1-1254000000.cos.ap-beijing.myqcloud.com Content-Type:image/jpeg

key is Host and Content-Type, output after calculation content-type;host

q-url-param-list

Personal understanding, it consists of HTTP request parameters, take all or part of the request parameters, and key The key part of the request parameter in the form of =value is taken out, converted to lowercase, multiple keys are sorted according to the dictionary, connected with the characters ;, and finally formed into a string

For example, the original HTTP request is:

GET /?prefix=abc&max-keys=20

key It is prefix and max-keys. After operation, max-keys; prefix is output. If the request has no parameters such as put and post, it will be empty.

q-signature

Calculated based on HTTP content Signature, algorithm is provided by COS, just give the value as required

Official example and reference result

Before starting to write the logic, first take a look at the reference value given by the official example, and the calculated The final result can be compared with the logic developed by yourself

The original HTTP request can also be understood as the HTTP request before calculating the signature or when no signature is required:

PUT /testfile2 HTTP/1.1 Host: bucket1-1254000000.cos.ap-beijing.myqcloud.com x-cos-content-sha1: 7b502c3a1f48c8609ae212cdfb639dee39673f5e x-cos-storage-class: standard Hello world

After calculating the signature The HTTP request that should be obtained:

PUT /testfile2 HTTP/1.1 Host: bucket1-1254000000.cos.ap-beijing.myqcloud.com x-cos-content-sha1: 7b502c3a1f48c8609ae212cdfb639dee39673f5e x-cos-storage-class: standard Authorization: q-sign-algorithm=sha1&q-ak=AKIDQjz3ltompVjBni5LitkWHFlFpwkn9U5q&> q-sign-time=1417773892;1417853898&q-key-time=1417773892;1417853898&q-header-list=host;x-cos-content-sha1;x-cos-storage-class&q-url-param-list=&q-signature=14e6ebd7955b0c6da532151bf97045e2c5a64e10 Hello world

Conclusion: The algorithm is correct if it can get the string after Authorization

Preparation work

Let’s take a look (officially provided ) user information and HTTP information:

• SecretId: AKIDQjz3ltompVjBni5LitkWHFlFpwkn9U5q

• SecretKey: BQYIM75p8x0iWVFSIgqEKwFprpRSVHlz

• Signature valid start time: 1417773892

• Signature valid stop time: 1417853898

• HTTP original request header: It is not difficult to obtain according to the example in the previous section The HTTP original request has three contents: Host, x-cos-content-sha1 and x-cos-storage-class

• HTTP request parameters: It is a PUT request, there is no ? parameter

Calculate signature

Put all the parameters in the preparation work into the request signature rules, and you can get the results easily, as shown in the following table:

但 q-signature 怎么来的？

刚才说到，q-signature 也需要特定算法计算得来，下面就说明如何计算

计算请求签名

先看代码：

/** * 计算签名 * secretId、secretKey 为必需参数，qSignStart、qSignEnd为调试需要，测试通过后应取消，改为方法内自动创建 */ function get_authorization( $secretId, $secretKey, $qSignStart, $qSignEnd, $fileUri, $headers ){ /* * 计算COS签名 * 2018-05-17 * author:cinlap  * ref:https://cloud.tencent.com/document/product/436/7778 */ $qSignTime = "$qSignStart;$qSignEnd"; //unix_timestamp;unix_timestamp $qKeyTime = $qSignTime; $header_list = get_q_header_list($headers); //如果 Uri 中带有 ?的请求参数，该处应为数组排序后的字符串组合 $url_param_list = ''; //compute signature $httpMethod = 'put'; $httpUri = $fileUri; //与 q-url-param-list 相同 $httpParameters = $url_param_list; //将自定义请求头分解为 & 连接的字符串 $headerString = get_http_header_string( $headers ); // 计算签名中的 signature 部分 $signTime = $qSignTime; $signKey = hash_hmac('sha1', $signTime, $secretKey); $httpString = "$httpMethod\n$httpUri\n$httpParameters\n$headerString\n"; $sha1edHttpString = sha1($httpString); $stringToSign = "sha1\n$signTime\n$sha1edHttpString\n"; $signature = hash_hmac('sha1', $stringToSign, $signKey); //组合结果 $authorization = "q-sign-algorithm=sha1&q-ak=$secretId&q-sign-time=$qSignTime&q-key-time=$qKeyTime&q-header-list=$header_list&q-url-param-list=$url_param_list&q-signature=$signature"; return $authorization; }

为了测试，该方法参数应该是多过需要了，前六个参数是已经给出的，是来自用户的，因此直接赋值即可得到下边字符串：

$authorization = "q-sign-algorithm=sha1&q-ak=$secretId&q-sign-time=$qSignTime&q-key-time=$qKeyTime...

$header_list 这个值要符合q-header-list规则因此需要计算，逻辑是上文已经描述，是从既定的请求项中抽出 key 组成有序字符串，代码如下：

/** * 按COS要求对header_list内容进行转换 * 提取所有key * 字典排序 * key转换为小写 * 多对key=value之间用连接符连接 * */ function get_q_header_list($headers){ if(!is_array($headers)){ return false; } try{ $tmpArray = array(); foreach( $headers as $key=>$value){ array_push($tmpArray, strtolower($key)); } sort($tmpArray); return implode(';', $tmpArray); } catch(Exception $error){ return false; } }

$url-param-list 上面讲过，这个值是HTTP请求参数，对于 PUT 方法没有 ? 参数，自然值为空，所以代码中“偷懒”直接给了空字符串。

Signature 的计算和需要小心的地方

官方已经给出了完整的算法，PHP 甚至还有写好的代码，应该是很幸福了（但！由于看官方文档看的头晕还是踩了坑，随后一起说明），先看一下 signature 的“格式”：

SignKey = HMAC-SHA1(SecretKey,"[q-key-time]") HttpString = [HttpMethod]\n[HttpURI]\n[HttpParameters]\n[HttpHeaders]\n StringToSign = [q-sign-algorithm]\n[q-sign-time]\nSHA1-HASH(HttpString)\n Signature = HMAC-SHA1(SignKey,StringToSign)

再看一下 Signature 的完整算法：

$signTime = $qSignTime; $signKey = hash_hmac('sha1', $signTime, $secretKey); $httpString = "$httpMethod\n$httpUri\n$httpParameters\n$headerString\n"; $sha1edHttpString = sha1($httpString); $stringToSign = "sha1\n$signTime\n$sha1edHttpString\n"; $signature = hash_hmac('sha1', $stringToSign, $signKey);

$signTime：很简单，起止时间组成的字符串，从上文拿来直接用
$signKey：HMAC-SHA1 算法直接计算即可
$httpString：四个部分组成需要分开说
1、$httpMethod：HTTP请求方法，小写，比如 put、get
2、$httpUri：HTTP请求的URI部分，从“/”虚拟根开始，如 /testfile 说明在存储桶根目录下创建一个叫 testfile 的文件，/image/face1.jpg 说明在根目录/image目录下建立一个叫 face1.jpg 的文件，至于是不是图片文件，不管
3、$httpParameters：这是第一个需要小心的地方。由HTTP原始请求参数组成，即请求 URI 中 ? 后面的部分，本例调用的是 PUT Object 接口，因此为空。如果不为空，需要把请求参数每一项的 key 和 value 均转换小写，多对 key=value 按字典排序并以 & 相连接
4、$headerString：这是第二个需要小心的地方，由 HTTP 原始请求头组成，根据请求头，选择全部或部分请求头，把每项的key都转换为小写，把value都进行URLEncode转换，每项格式都改为key=value，然后按照key进行字典排序，最后把它们用连接符 & 组成字符串。这是我整理的逻辑，代码如下：

/** * 按COS要求从数组中获取 Signature 中 [HttpString] 内容 * 标准格式 key=value&key=value&... * 数组元素按键字典排序 * * key转换为小写 * value进行UrlEncode转换 * 转换为key=value格式 * 多对key=value之间用连接符连接 * */ function get_http_header_string($headers){ if(!is_array($headers)){ return false; } try{ $tmpArray = array(); foreach($headers as $key => $value){ $tmpKey = strtolower($key); $tmpArray[$tmpKey] = urlencode($value); } ksort($tmpArray); $headerArray = array(); foreach( $tmpArray as $key => $value){ array_push($headerArray, "$key=$value"); } return implode('&', $headerArray); } catch(Exception $error){ return false; } }

为什么要小心？

HTTP原始请求头和请求参数用在了四个地方，分别是请求签名里的 q-header-list 和 Signature 里的 HttpHeaders——两者都用到了HTTP原始请求头；请求签名里的 q-url-param-list 和 Signature 里的 HttpParameters——两者都用到了HTTP请求参数。一定要保证HTTP请求头和请求参数所选用的数量和对象一致

• 相同：生成 q-header-list 的HTTP请求头数量和成员要和生成 HttpHeaders 的相同，生成 q-url-param-list 的HTTP请求参数数量和成员要和生成 HttpParameters 的相同

• 不同：q-header-list 和 q-url-param-list 只取 key 部分，HttpHeaders 和 HttpParameters 取 key 和 value 部分

输出结果和校验

至此，请求签名中7个值都有了，有的是来自用户信息，有的需要计算，需要计算的上面也给出了所有的计算方法和为什么如此计算的个人理解。最后只需要按照官方要求进行输出即可。看一下

The above is the detailed content of PHP generates the request signature required by Tencent Cloud COS interface. For more information, please follow other related articles on the PHP Chinese website!