Reputation: 113
I have a successfully working algorithm that computes the V4 signature for Amazon S3 web services, but I need to implement a V2 signer too.
Is there a complete list of the differences between those two signatures?
I found this, but it is not everything that is needed: https://docs.aws.amazon.com/general/latest/gr/sigv4_changes.html
Upvotes: 0
Views: 3489
Reputation: 179374
It's really best not to think of the "changes" between Signature V2 and Signature V4.
Here is the full list of what is different between the two algorithms:
That is, the differences far outnumber the similarities.
Almost all parameter names are different and their values are calculated differently and the values are in different formats. V4 was a complete redesign of the signing algorithm. Almost nothing meaningful from V2 is found in V4.
So, based on experience, my suggestion is that you don't try to adapt or modify your V4 code to also do V2. Keep them separate. Implementing V2 from scratch will be far easier. Don't even think about V4 while working on V2. Just implement V2.
S3 has its own section on V2, at https://docs.aws.amazon.com/AmazonS3/latest/dev/auth-request-sig-v2.html
The IAM docs also discuss V2, at https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
The S3 implementation has some quirky attributes, so prefer the S3 documentation first.
Note that the `Signature` field in V2 absolutely requires that `+` be url-escaped (percent-encoded) after base64 encoding, but genuine S3 will quietly ignore the fact that you didn't encode `=` and possibly `/`, so an implementation that overlooks the url-escaping requirement will generate signatures that sometimes work and sometimes don't. If the 3rd party service you're using doesn't provide helpful `SignatureDoesNotMatch` requests the way S3 does, you'll want to test your implementation against a bucket in an older S3 region, since it does provide useful diagnostics that can help you troubleshoot your implementation, if you know how to read them.
Upvotes: 1
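The url-escaping point in the answer above, as an added example that is not part of the original answer: a narrowed V2 query-string signer for a plain S3 GET, showing that an unescaped signature only survives query decoding when the base64 output happens to contain no `+`. The credentials, bucket and object keys are constructed, and the receiver is modeled with standard form decoding, which is an assumption and not S3's actual parser.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Constructed values for illustration only; not real credentials.
ACCESS_KEY = "EXAMPLEACCESSKEYID"
SECRET_KEY = "constructed-secret-for-demo"
BUCKET = "example-bucket"
EXPIRES = 1700000000  # constructed epoch timestamp


def string_to_sign(verb, bucket, key, expires):
    # Query-string auth: Verb, Content-MD5, Content-Type, Expires, then the
    # canonicalized resource (no x-amz- headers in this narrowed case).
    resource = "/" + bucket + "/" + quote(key, safe="/")
    return f"{verb}\n\n\n{expires}\n{resource}"


def raw_signature(bucket, key, expires):
    sts = string_to_sign("GET", bucket, key, expires).encode("utf-8")
    digest = hmac.new(SECRET_KEY.encode("utf-8"), sts, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def presign(bucket, key, expires, escape=True):
    sig = raw_signature(bucket, key, expires)
    if escape:
        sig = quote(sig, safe="")  # '+' -> %2B, '/' -> %2F, '=' -> %3D
    return (f"https://{bucket}.s3.amazonaws.com/{quote(key, safe='/')}"
            f"?AWSAccessKeyId={ACCESS_KEY}&Expires={expires}&Signature={sig}")


def signature_after_query_decoding(url):
    # Standard form decoding, as a generic receiver would do: '+' becomes a space.
    return parse_qs(urlsplit(url).query)["Signature"][0]


def survives(key, escape):
    url = presign(BUCKET, key, EXPIRES, escape)
    return signature_after_query_decoding(url) == raw_signature(BUCKET, key, EXPIRES)


if __name__ == "__main__":
    for n in range(8):
        key = f"reports/file-{n}.txt"
        print(key, raw_signature(BUCKET, key, EXPIRES),
              "unescaped ok:", survives(key, False), "escaped ok:", survives(key, True))
```

Running it over a batch of object keys shows the intermittent failure pattern: the escaped form always round-trips, while the unescaped form fails exactly for the keys whose signature contains `+`.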