Basic Signing Procedure
(1) Construct a specification request. Assemble the request content according to the rules agreed with EOP, so that the content the client signs is identical to the content EOP authenticates.
(2) Create a string to be signed using the specification request and other information.
(3) Use HEADER, ctyun-eop-sk and ctyun-eop-ak to create the key for the HMAC algorithm.
(4) Use the key created in Step 3 and the string to be signed to calculate the signature with hmacsha256.
(5) Add the created signature information to the HTTP request as a request header.
Creating a String to be Signed
The construction rules of the string to be signed are as follows:
String to be signed = sorted list of the headers to be signed (key and value) + "\n" + sorted query + "\n" + toHex(sha256(original body)).
(1) The headers to be signed are concatenated one by one, each in the format header_name:header_value followed by \n. EOP requires the eop-date header to be present in the request, and it must be one of the headers to be signed. First, extract the headers that need to be signed and sort them alphabetically by header_name; then traverse the sorted list and assemble the headers to be signed. Assuming that you need to sign eop-date and host, the header to be signed is constructed as follows: eop-date:20210531T100101Z\nhost:1.1.1.1:9080\n. The same ordering applies if you add a ccad header that also needs to be signed; the header combination to be signed is then: ccda:123\neop-date:20210531T100101Z\nhost:1.1.1.1:9080\n.
(2) The query is handled in the same way as the headers and uses the same sorting rule, except that parameters are concatenated with "&" instead of "\n", and each key and value are joined with "=" instead of ":". All query parameters need to be signed.
(3) The specified body parameter is digested with sha256, and the digest is converted to hexadecimal.
(4) The sorted headers, the sorted query, and the hexadecimal sha256 digest of the original body obtained in the steps above are concatenated with \n to produce the string to be signed.
Constructing a Dynamic Key
When initiating a request, you need to construct an eop-date time. Its format is yyyymmddTHHMMSSZ: year, month, day, the letter T, hour, minute, second, and the letter Z.
(1) First, use the ctyun-eop-sk you applied for as the key and eop-date as the data to calculate the ktime. ktime = hmacsha256(sk, eop-date).
(2) Use the ktime as the key and the ctyun-eop-ak you applied for as the data to calculate the kAk. kAk = hmacsha256(ktime, ctyun-eop-ak).
(3) Use the kAk as the key and the year, month and day of the eop-date as the data to calculate the kdate.
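The string-to-sign rules and the key chain above, worked through in Python as an added example (not code from EOP or from this page). It assumes that each HMAC output is passed on as raw bytes, that kdate is the key used for the final signature, and that header names and query values are supplied exactly as they are sent; the page does not state how the signature is encoded, so `sign` returns raw bytes. Function names and credentials are hypothetical.

```python
import hashlib
import hmac


def hmac_sha256(key: bytes, data: str) -> bytes:
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()


def string_to_sign(headers: dict, query: dict, body: bytes) -> str:
    # eop-date is mandatory and must be among the signed headers.
    if "eop-date" not in headers:
        raise ValueError("eop-date must be one of the signed headers")
    # Signed headers: sorted by name, each rendered as "name:value\n".
    signed_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Query: same sort rule, "key=value" pairs joined with "&".
    sorted_query = "&".join(f"{k}={query[k]}" for k in sorted(query))
    # Body: hex-encoded SHA-256 digest of the original bytes.
    body_hash = hashlib.sha256(body).hexdigest()
    return signed_headers + "\n" + sorted_query + "\n" + body_hash


def derive_key(sk: str, ak: str, eop_date: str) -> bytes:
    ktime = hmac_sha256(sk.encode("utf-8"), eop_date)  # key = sk, data = eop-date
    kak = hmac_sha256(ktime, ak)                       # key = ktime, data = ak
    return hmac_sha256(kak, eop_date[:8])              # kdate: data = yyyymmdd


def sign(sk: str, ak: str, headers: dict, query: dict, body: bytes) -> bytes:
    # Assumption: kdate is the key for the final HMAC over the string to sign.
    key = derive_key(sk, ak, headers["eop-date"])
    return hmac_sha256(key, string_to_sign(headers, query, body))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    hdrs = {"host": "1.1.1.1:9080", "eop-date": "20210531T100101Z"}
    params = {"b": "2", "a": "1"}
    print(repr(string_to_sign(hdrs, params, b"")))
    print(sign("example-sk", "example-ak", hdrs, params, b"").hex())
```

Because the derived key depends on eop-date, a change to the timestamp, to any signed header, to the query, or to the body produces a different signature.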