为签名版本4派生AWS签名密钥

Question

我正试图根据AWS的文档这里为iOS应用程序生成一个AWS签名密钥。但是，文档非常好，它没有提供一个使用Swift的示例。苹果公司提供的CryptoKit应该是正确的框架，但我一直无法理解。

Ruby示例

def getSignatureKey key, dateStamp, regionName, serviceName
    kDate = OpenSSL::HMAC.digest('sha256', "AWS4" + key, dateStamp)
    kRegion = OpenSSL::HMAC.digest('sha256', kDate, regionName)
    kService = OpenSSL::HMAC.digest('sha256', kRegion, serviceName)
    kSigning = OpenSSL::HMAC.digest('sha256', kService, "aws4_request")

    kSigning
end

来自AWS文档的示例输入

key = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
dateStamp = '20120215'
regionName = 'us-east-1'
serviceName = 'iam'

应输出

kSecret  = '41575334774a616c725855746e46454d492f4b374d44454e472b62507852666943594558414d504c454b4559'
kDate    = '969fbb94feb542b71ede6f87fe4d5fa29c789342b0f407474670f0c2489e0a0d'
kRegion  = '69daa0209cd9c5ff5c8ced464a696fd4252e981430b10e3d3fd8e2f197d7a70c'
kService = 'f72cfd46f26bc4643f06a11eabb6c0ba18780c19a8da0c31ace671265e3c87fa'
kSigning = 'f4780e2d9f65fa895f9c67b32ce1baf0b0d8a43505a000a1a9e090d414db404d'

我的尝试(注意，您必须根据文档将AWS附加到密钥中)

import Foundation
import CryptoKit

let key = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
let dateStamp = "20120215"
let regionName = "us-east-1"
let serviceName = "iam"

let keyData = Data("AWS\(key)".utf8)
let symmetricKey = SymmetricKey(data: keyData)

let dateStampData = Data(dateStamp.utf8)
let signature = HMAC<SHA256>.authenticationCode(for: dateStampData, using: symmetricKey)

let skeyString = keyData.map { String(format: "%02hhx", $0) }.joined()
print("kSecret \t= \(skeyString)")

let kDateString = Data(signature).map { String(format: "%02hhx", $0) }.joined()
print("kDate \t\t= \(kDateString)")

第一个是正确的，所以我的初始键似乎是正确的，但是当尝试将它应用到dateStamp时，它不匹配。

输出

kSecret     = 415753774a616c725855746e46454d492f4b374d44454e472b62507852666943594558414d504c454b4559
kDate       = 2226579f8b317a03ec325a8c8b3d27cf465ce52787455e1880039824b4ba0e25

Answer 1

当然，在我发布问题的那一刻，我发现了这个问题。最初的问题是，我是在附加AWS而不是AWS4，该字符串对于kSecret似乎是正确的，因为我查看的是第一组和最后一组数字。以下是任何想要这样做的人的解决方案。

import Foundation
import CryptoKit

let key = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
let dateStamp = "20120215"
let regionName = "us-east-1"
let serviceName = "iam"

let keyData = Data("AWS4\(key)".utf8)
let dateStampData = Data(dateStamp.utf8)
let regionNameData = Data(regionName.utf8)
let serviceNameData = Data(serviceName.utf8)
let signingData = Data("aws4_request".utf8)

var symmetricKey = SymmetricKey(data: keyData)
let dateSHA256 = HMAC<SHA256>.authenticationCode(for: dateStampData, using: symmetricKey)

symmetricKey = SymmetricKey(data: Data(dateSHA256))
let regionSHA256 = HMAC<SHA256>.authenticationCode(for: regionNameData, using: symmetricKey)

symmetricKey = SymmetricKey(data: Data(regionSHA256))
let serviceNameSHA256 = HMAC<SHA256>.authenticationCode(for: serviceNameData, using: symmetricKey)

symmetricKey = SymmetricKey(data: Data(serviceNameSHA256))
let signingSHA256 = HMAC<SHA256>.authenticationCode(for: signingData, using: symmetricKey)

let skeyString = keyData.map { String(format: "%02hhx", $0) }.joined()
print("kSecret \t= \(skeyString)")

let kDateString = Data(dateSHA256).map { String(format: "%02hhx", $0) }.joined()
print("kDate \t\t= \(kDateString)")

let kRegionString = Data(regionSHA256).map { String(format: "%02hhx", $0) }.joined()
print("kRegion \t= \(kRegionString)")

let kServiceString = Data(serviceNameSHA256).map { String(format: "%02hhx", $0) }.joined()
print("kService \t= \(kServiceString)")

let kSigningString = Data(signingSHA256).map { String(format: "%02hhx", $0) }.joined()
print("kSigning \t= \(kSigningString)")

输出

kSecret     = 41575334774a616c725855746e46454d492f4b374d44454e472b62507852666943594558414d504c454b4559
kDate       = 969fbb94feb542b71ede6f87fe4d5fa29c789342b0f407474670f0c2489e0a0d
kRegion     = 69daa0209cd9c5ff5c8ced464a696fd4252e981430b10e3d3fd8e2f197d7a70c
kService    = f72cfd46f26bc4643f06a11eabb6c0ba18780c19a8da0c31ace671265e3c87fa
kSigning    = f4780e2d9f65fa895f9c67b32ce1baf0b0d8a43505a000a1a9e090d414db404d