I am not sure if you are aware of DigitalOcean's new Spaces, which is a K/V object storage much like S3. In fact, they've even made it compatible with the S3 API - except for one major issue. They only allow V2 Signatures at the minute.

Following this: https://developers.digitalocean.com/documentation/spaces/?utm_medium=email&utm_source=local&utm_campaign=ObjectStorageEA#authentication

I have come up with what I thought would work, but it doesn't.

Could anybody please point me in the right direction? There seems to be absolutely nobody that has come forward anywhere to say they know how to use the V2 signatures.

Thank you!

    function generateSignature($a) {

        $awsKeyId = 'KEY_ID';
        $awsSecret = 'SECRET_KEY';
        $expires = time() + (5*60);
        $httpVerb = "GET";
        $contentMD5 = "";
        $contentType = "";
        $amzHeaders = "";
        $amzResource = "/" . $a;

        $str = "AWS2-HMAC-SHA1"."\n" .
                date(DateTime::ISO8601) . "\n" .
                date('Ymd') . "/nyc3.digitaloceanspaces.com/s3/aws2_request" . "\n" .
                base64_encode(sha1(''));

        $dateKey = hash_hmac("sha1",$awsSecret,date("Ymd"));

        $dateRegionKey = sha1($dateKey,"nyc3.digitaloceanspaces.com");
        $dateRegionServiceKey = sha1($dateRegionKey,"s3");
        $signingKey = sha1($dateRegionServiceKey."aws2_request");
        $signature = base64_encode(hash_hmac('sha1',$str,$signingKey));

        $url = "https://repo-name.nyc3.digitaloceanspaces.com%s?AWSAccessKeyId=%s&Expires=%s&Signature=%s";
        $presignedUrl = sprintf( $url , $amzResource , $awsKeyId , $expires , $signature );

        return $presignedUrl;

    }

2 Answers

0

Beginning with this line...

$str = "AWS2-HMAC-SHA1"."\n"

...everything you have there and following is actually just Signature Version 4 with a few changes. None of that is what you need.

Signature Version 2 is much different. There are no cascaded date/region/service/signing keys. You just take the canonical request and HMAC-sign it with the secret key, then base64 the result. Then you url-escape the signature, to get the correct percent-encoded equivalents for + / =. (Spoiler alert: skipping this last step will give you about a 50/50 mix of working and non-working signed URLs).

Start with the V2 docs at http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth and then work your way back up the page for anything not mentioned in the last section.

Michael - sqlbot
  • 169,571
  • 25
  • 353
  • 427
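A worked Signature Version 2 query-string presigner along the lines this answer describes, added here as an example; it is not code from the question, the answer, or DigitalOcean. The endpoint layout follows the URL in the question, the bucket, key and credential values are placeholders, and the `SPACES_KEY`/`SPACES_SECRET` environment variable names are an assumption:

```php
<?php
// Added example: Signature Version 2 query-string authentication as laid out in
// the AWS RESTAuthentication docs linked above. Bucket, key, endpoint and
// credentials are placeholders, not values from the question or answer.

// StringToSign for query-string auth. Kept as its own function so it can be
// compared, byte for byte, with the StringToSign that S3-compatible services
// echo back in a SignatureDoesNotMatch error response.
function sigv2StringToSign(string $verb, int $expires, string $bucket, string $encodedKey): string
{
    // The bucket is always part of CanonicalizedResource, even for a
    // virtual-hosted request where the bucket only appears in the Host header.
    $canonicalResource = '/' . $bucket . '/' . $encodedKey;

    return $verb . "\n"
        . "\n"                 // Content-MD5: empty for a GET
        . "\n"                 // Content-Type: empty for a GET
        . $expires . "\n"      // Expires takes the place of the Date line
                               // CanonicalizedAmzHeaders: none for a presigned GET
        . $canonicalResource;
}

function sigv2PresignedUrl(
    string $accessKey,
    string $secretKey,
    string $bucket,
    string $objectKey,
    string $endpoint = 'nyc3.digitaloceanspaces.com', // assumption: the Space's region host
    int $ttlSeconds = 300
): string {
    $expires = time() + $ttlSeconds;

    // Percent-encode each path segment but keep the '/' separators. The same
    // encoded form goes into both the URL path and the CanonicalizedResource.
    $encodedKey = implode('/', array_map('rawurlencode', explode('/', $objectKey)));

    $stringToSign = sigv2StringToSign('GET', $expires, $bucket, $encodedKey);

    // V2: one HMAC-SHA1 keyed with the raw secret, then base64. No derived keys.
    $signature = base64_encode(hash_hmac('sha1', $stringToSign, $secretKey, true));

    // PHP_QUERY_RFC3986 percent-encodes '+', '/' and '=' in the signature
    // (%2B, %2F, %3D). Skipping this is the "50/50" failure the answer mentions:
    // a '+' is read back as a space and '=' breaks query-string parsing, so only
    // signatures that happen to contain none of those characters would verify.
    $query = http_build_query([
        'AWSAccessKeyId' => $accessKey,
        'Expires'        => $expires,
        'Signature'      => $signature,
    ], '', '&', PHP_QUERY_RFC3986);

    return sprintf('https://%s.%s/%s?%s', $bucket, $endpoint, $encodedKey, $query);
}

// Usage with placeholder values (constructed for this example):
echo sigv2PresignedUrl(
    getenv('SPACES_KEY') ?: 'KEY_ID',
    getenv('SPACES_SECRET') ?: 'SECRET_KEY',
    'repo-name',
    'docs/my file.pdf'
), PHP_EOL;
```

If a URL produced this way is rejected, print `sigv2StringToSign(...)` for the same inputs and compare it with the StringToSign in the service's error body; any difference in the resource path, the Expires value, or a stray newline shows up there directly.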
0

They only allow V2 Signatures at the minute.

This is not the case. I'm using v4 signatures with Spaces just fine.

Rather than re-inventing all this, you should use the AWS SDK. http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#endpoint

Brad
  • 159,648
  • 54
  • 349
  • 530
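An added example of the SDK route this answer recommends, using the endpoint configuration page it links; this is not code from the answer or from DigitalOcean. The `us-east-1` signing region paired with a Spaces endpoint, the bucket and key names, and the `SPACES_KEY`/`SPACES_SECRET` environment variable names are assumptions:

```php
<?php
// Added example: presigning a GET against Spaces with the AWS SDK for PHP v3 and
// a custom endpoint. Region, endpoint, bucket, key and environment variable
// names are assumptions, not values from the question or the answers.
require 'vendor/autoload.php';

use Aws\S3\S3Client;

function spacesClient(string $spacesRegion, string $key, string $secret): S3Client
{
    return new S3Client([
        'version'     => 'latest',
        // 'region' is only the SigV4 signing-scope label; 'endpoint' is where the
        // request is actually sent. Assumption: Spaces accepts 'us-east-1' here.
        'region'      => 'us-east-1',
        'endpoint'    => sprintf('https://%s.digitaloceanspaces.com', $spacesRegion),
        'credentials' => ['key' => $key, 'secret' => $secret],
    ]);
}

function spacesPresignedGet(S3Client $client, string $bucket, string $objectKey, string $ttl = '+5 minutes'): string
{
    $command = $client->getCommand('GetObject', ['Bucket' => $bucket, 'Key' => $objectKey]);
    // The SDK signs with SigV4 and handles canonicalization and percent-encoding,
    // which removes the hand-rolled signing code from the question entirely.
    $request = $client->createPresignedRequest($command, $ttl);

    return (string) $request->getUri();
}

// Usage with placeholder values (constructed for this example):
$client = spacesClient(
    'nyc3',
    getenv('SPACES_KEY') ?: 'KEY_ID',
    getenv('SPACES_SECRET') ?: 'SECRET_KEY'
);
echo spacesPresignedGet($client, 'repo-name', 'docs/my file.pdf'), PHP_EOL;
```

Keeping the credentials in environment variables rather than in the source, as above, also keeps the secret out of version control, which matters more once presigned URLs are generated from the same key on a server.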