Re: [gs-discussion] Signed Urls

297 views
Skip to first unread message

Navneet Joneja

unread,
May 25, 2012, 7:07:07 PM5/25/12
to gs-dis...@googlegroups.com
Hi,

You need to create a new Client ID of the type 'Service Account,' which will get you the key you need to sign the URLs. 


Thanks,
Navneet

On Fri, May 25, 2012 at 11:04 AM, Javier González González-Zabaleta <jgon...@gmail.com> wrote:
Hi, I wanna use the Signed Urls, but I can't obtain my Api Key. When I go to the console, and click in API Access, I don't have the option "Generate New Key". How can I sign the string?   

Thanks

--
You received this message because you are subscribed to the Google Groups "Google Cloud Storage" group.
To view this discussion on the web visit https://groups.google.com/d/msg/gs-discussion/-/YMOvIq6p5tMJ.
To post to this group, send email to gs-dis...@googlegroups.com.
To unsubscribe from this group, send email to gs-discussio...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/gs-discussion?hl=en.

Javier González González-Zabaleta

unread,
May 28, 2012, 8:55:34 AM5/28/12
to gs-dis...@googlegroups.com
Hi, thanks Navneet, I found it and deleted the post. But I have other problem now. Is there anyone who signed the url in python? I'm using:

from M2Crypto import RSA
key = RSA.load_key("my.pem") # from openssl pkcs12 -in path/to/key.p12 -nodes -nocerts > path/to/key.pem
base64_sig = key.sign(StringToSign, 'sha256').encode('base64').replace('+','%2B').replace('/','%2F')

but I cant obtain the same signature than with "openssl dgst -sign path/to/key.pem -sha256 path/to/data_to_sign | base64 -w0", and of course, It doen't work to obtain the file.

Thanks,
Javier

Javier González González-Zabaleta

unread,
May 28, 2012, 10:20:39 AM5/28/12
to gs-dis...@googlegroups.com
Anyway, using the signature from:

# Convert the key from pkcs12 to pkcs1 (PEM)
$  openssl pkcs12
-in path/to/key.p12 -nodes -nocerts > path/to/key.pem
Enter Import Password:
$ openssl dgst
-sign path/to/key.pem -sha256 path/to/data_to_sign | base64 -w0
It doen't work. :S

My code (my_bucket is not real):

Expiration = int(time.time()+300)
CanonicalizedResource = '/my_bucket/' + 'aeiou.png'
StringToSign = "GET" + "\n" + str(Expiration) + "\n" + CanonicalizedResource

sgn = {sign with openssl}

signedUrl = 'https://my_bucket.commondatastorage.googleapis.com/' + 'aeiou.png' + "?GoogleAccessId=" + MyEmailClientID + "&Expires=" + str(Expiration) + "&Signature=" + sgn.replace('+','%2B').replace('/','%2F')

Result:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>
The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.
</Message>
<StringToSign>GET 1338214375 /my_bucket/aeiou.png</StringToSign>
</Error>

Any Idea. 

Thank you very much.

Javier

Google Storage Team

unread,
May 28, 2012, 12:35:38 PM5/28/12
to gs-dis...@googlegroups.com
Hi Javier,

A few observations:

- Your string to sign is missing a newline between the method (GET) and the expiration time. If you select your browser's "view source" option on the XML error message you'll see the exact formatting of the string to sign, based on your request, as expected by Google Cloud Storage.

- One common pitfall: the string to sign must not end with a newline, however, most text editors will insert a trailing newline automatically. You can check for that condition with "od -c string_to_sign" and eliminate it, if found.

- I think it's a good idea to verify that the signature generated by your python code matches the signature generated by the openssl command. Let me know if they still don't match after checking the items above.

- Rather than selectively replacing two chars (+ and /), I'd suggest using urllib.quote() to quote everything necessary in your signature string.

Marc
Google Cloud Storage Team

--
You received this message because you are subscribed to the Google Groups "Google Cloud Storage" group.
To view this discussion on the web visit https://groups.google.com/d/msg/gs-discussion/-/ku-6oXHvt0EJ.

Javier González González-Zabaleta

unread,
May 28, 2012, 1:16:31 PM5/28/12
to gs-dis...@googlegroups.com
Thanks, thanks, thanks Marc, 

:S 

I extended the (optional) tag to the "\n" too. I works now. I'm using a shell call (openssl) in python and write and read to a file to sign. I think it's horrible, but it works. I hope to find a Python method with the same results in the future.

Thanks again.

Javier.

Shrek

unread,
Jun 21, 2012, 4:19:28 PM6/21/12
to gs-dis...@googlegroups.com

Folks (especially Java folks)

It took me sometime to figure out the correct way to sign urls. Here is the code (see attachment) that you will need when you start. I have added comments inline to explain common pitfalls and corresponding solutions. 

Google, would you please consider, replacing your sample main method here https://developers.google.com/storage/docs/accesscontrol#Signed-URLs, with the one I'm attaching. It will make everyone's life so much easier.

Thank you
GcsSigner.java

Ville Aikas

unread,
Dec 27, 2012, 7:42:46 PM12/27/12
to gs-dis...@googlegroups.com
Hi Jeff,

The Signed URL documentation
(https://developers.google.com/storage/docs/accesscontrol#Signed-URLs)
specifies the Expiration as "the number of seconds since the Unix
Epoch of 00:00:00 UTC on January 1, 1970."

However, Shrek's sample code uses calendar.getTimeInMillis(), which
calculates the expiration in terms of milliseconds since 1970. Using
this code, if you set an expiration of January 1st, 00:00:00, 1972,
the actual token expiration would be (approximately) January 1st,
00:00:00, 3970.

Did you already correct this issue prior to your testing?


On Sun, Dec 23, 2012 at 11:06 AM, Jeff <innovativ...@gmail.com> wrote:
> Shrek,
>
> Thank you for the Java Code. The implementation of signing urls for Google
> Cloud storage is not straight forward. I was finally able (with your Java
> code example) to actually get the Cloud Storage to recognize that my
> signature was valid and it does in fact return me my asset.
>
> I then started playing around with the expiration date. Problem is that
> once you create a signed URL, regardless of the expiration, Google Cloud
> Storage gives you the asset. I've subtracted years from the current
> date/time and the Cloud Service still gives me my assets back.
>
> Have you been successful in getting the expiration to work with Cloud
> Storage? If so, how?
>
> -Jeff
> --
>
>
Reply all
Reply to author
Forward
0 new messages