awsapi/src/com/cloud/bridge/util/RestAuth.java - cloudstack - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 package com.cloud.bridge.util;

 import java.security.InvalidKeyException;
 import java.security.SignatureException;
 import java.util.*;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;

 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;

 import org.apache.commons.codec.binary.Base64;
 import org.apache.log4j.Logger;


 /**
  * This class expects that the caller pulls the required headers from the standard
  * HTTPServeletRequest structure.   This class is responsible for providing the
  * RFC2104 calculation to ensure that the signature is valid for the signing string.
  * The signing string is a representation of the request.
  * Notes are given below on what values are expected.
  * This class is used for the Authentication check for REST requests and Query String
  * Authentication requests.
  *
  */

 public class RestAuth {
     protected final static Logger logger = Logger.getLogger(RestAuth.class);

 	// TreeMap: used when constructing the CanonicalizedAmzHeaders Element of the StringToSign
 	protected TreeMap<String, String> AmazonHeaders = null;   // not always present
 	protected String                  bucketName    = null;   // not always present
 	protected String                  queryString   = null;   // for CanonicalizedResource - only interested in a string starting with particular values
 	protected String                  uriPath       = null;   // only interested in the resource path
 	protected String                  date          = null;   // only if x-amz-date is not set
 	protected String                  contentType   = null;   // not always present
 	protected String                  contentMD5    = null;   // not always present
 	protected boolean                 amzDateSet    = false;
 	protected boolean				  useSubDomain  = false;

 	protected Set<String> allowedQueryParams;

 	public RestAuth() {
 		// these must be lexicographically sorted
 		AmazonHeaders = new TreeMap<String, String>();
 		allowedQueryParams = new HashSet<String>() {{
 			add("acl");
 			add("lifecycle");
 			add("location");
 			add("logging");
 			add("notification");
 			add("partNumber");
 			add("policy");
 			add("requestPayment");
 			add("torrent");
 			add("uploadId");
 			add("uploads");
 			add("versionId");
 			add("versioning");
 			add("versions");
 			add("website");
 			add("delete");
 			}};
 	}

 	public RestAuth(boolean useSubDomain) {
 		//invoke the other constructor
 		this();
 		this.useSubDomain = useSubDomain;
 	}

 	public void setUseSubDomain(boolean value) {
 		useSubDomain = value;
 	}

 	public boolean getUseSubDomain() {
 		return useSubDomain;
 	}

 	/**
 	 * This header is used iff the "x-amz-date:" header is not defined.
 	 * Value is used in constructing the StringToSign for signature verification.
 	 *
 	 * @param date - the contents of the "Date:" header, skipping the 'Date:' preamble.
 	 *        OR pass in the value of the "Expires=" query string parameter passed in
 	 *        for "Query String Authentication".
 	 */
 	public void setDateHeader( String date ) {
 		if (this.amzDateSet) return;
 		if (null != date) date = date.trim();
 		this.date = date;
 	}

 	/**
 	 * Value is used in constructing the StringToSign for signature verification.
      *
 	 * @param type - the contents of the "Content-Type:" header, skipping the 'Content-Type:' preamble.
 	 */
 	public void setContentTypeHeader( String type ) {
 		if (null != type) type = type.trim();
 		this.contentType = type;
 	}


 	/**
 	 * Value is used in constructing the StringToSign for signature verification.
 	 * @param type - the contents of the "Content-MD5:" header, skipping the 'Content-MD5:' preamble.
 	 */
 	public void setContentMD5Header( String md5 ) {
 		if (null != md5) md5 = md5.trim();
 		this.contentMD5 = md5;
 	}


 	/**
 	 * The bucket name can be in the "Host:" header but it does not have to be.  It can
 	 * instead be in the uriPath as the first step in the path.
 	 *
 	 * Used as part of the CanonalizedResource element of the StringToSign.
 	 * If we get "Host: static.johnsmith.net:8080",  then the bucket name is "static.johnsmith.net"
 	 *
 	 * @param header - contents of the "Host:" header, skipping the 'Host:' preamble.
 	 */
 	public void setHostHeader( String header ) {
 		if (null == header) {
 			this.bucketName = null;
 			return;
 		}

 		// -> is there a port on the name?
 		header = header.trim();
         int offset = header.indexOf( ":" );
         if (-1 != offset) header = header.substring( 0, offset );
         this.bucketName = header;
 	}


 	/**
 	 * Used as part of the CanonalizedResource element of the StringToSign.
 	 * CanonicalizedResource = [ "/" + Bucket ] +
 	 * <HTTP-Request-URI, from the protocol name up to the query string> + [sub-resource]
 	 * The list of sub-resources that must be included when constructing the CanonicalizedResource Element are: acl, lifecycle, location,
 	 * logging, notification, partNumber, policy, requestPayment, torrent, uploadId, uploads, versionId, versioning, versions and website.
 	 * (http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html)
 	 * @param query - results from calling "HttpServletRequest req.getQueryString()"
 	 */
 	public void setQueryString( String query ) {
 		if (null == query) {
 			this.queryString = null;
 			return;
 		}

 		// Sub-resources (i.e.: query params) must be lex sorted
 		Set<String> subResources = new TreeSet<String>();

 		String [] queryParams = query.split("&");
 		StringBuffer builtQuery= new StringBuffer();
 		for (String queryParam:queryParams) {
 			// lookup parameter name
 			String paramName = queryParam.split("=")[0];
 			if (allowedQueryParams.contains(paramName)) {
 				subResources.add(queryParam);
 			}
 		}
 		for (String subResource:subResources) {
 			builtQuery.append(subResource + "&");
 		}
 		// If anything inside the string buffer, add a "?" at the beginning,
 		// and then remove the last '&'
 		if (builtQuery.length() > 0) {
 			builtQuery.insert(0, "?");
 			builtQuery.deleteCharAt(builtQuery.length()-1);
 		}
 		this.queryString = builtQuery.toString();
 	}


 	/**
 	 * Used as part of the CanonalizedResource element of the StringToSign.
 	 * Append the path part of the un-decoded HTTP Request-URI, up-to but not including the query string.
 	 *
 	 * @param path - - results from calling "HttpServletRequest req.getPathInfo()"
 	 */
 	public void addUriPath( String path ) {
 		if (null != path) path = path.trim();
         this.uriPath = path;
 	}


 	/**
 	 * Pass in each complete Amazon header found in the HTTP request one at a time.
 	 * Each Amazon header added will become part of the signature calculation.
 	 * We are using a TreeMap here because of the S3 definition:
 	 *      "Sort the collection of headers lexicographically by header name."
 	 *
 	 * @param headerAndValue - needs to be the complete amazon header (i.e., starts with "x-amz").
 	 */
 	public void addAmazonHeader( String headerAndValue ) {
 		if (null == headerAndValue) return;

 		String canonicalized = null;

 		// [A] First Canonicalize the header and its value
 		//  -> we use the header 'name' as the key since we have to sort on that
 		int    offset = headerAndValue.indexOf( ":" );
 		String header = headerAndValue.substring( 0, offset+1 ).toLowerCase();
 		String value  = headerAndValue.substring( offset+1 ).trim();

 		// -> RFC 2616, Section 4.2: unfold the header's value by replacing linear white space with a single space character
 		// -> does the HTTPServeletReq already do this for us?
 		value = value.replaceAll( "  ", " " );             // -> multiple spaces to one space
 		value = value.replaceAll( "(\r\n|\t|\n)", " " );   // -> CRLF, tab, and LF to one space


 		// [B] Does this header already exist?
 		if ( AmazonHeaders.containsKey( header )) {
 			 // -> combine header fields with the same name into one "header-name:comma-separated-value-list" pair as prescribed by RFC 2616, section 4.2, without any white-space between values.
 			 canonicalized = AmazonHeaders.get( header );
              canonicalized = new String( canonicalized + "," + value + "\n" );
              canonicalized = canonicalized.replaceAll( "\n,", "," );   // remove the '\n' from the first stored value
 	    }
 		else canonicalized = new String( header + value + "\n" );  // -> as per spec, no space between header and its value

 		AmazonHeaders.put( header, canonicalized );

 		// [C] "x-amz-date:" takes precedence over the "Date:" header
 		if (header.equals( "x-amz-date:" )) {
 			this.amzDateSet = true;
 			if (null != this.date) this.date = null;
 		}
 	}


 	/**
 	 * The request is authenticated if we can regenerate the same signature given
 	 * on the request.  Before calling this function make sure to set the header values
 	 * defined by the public values above.
 	 *
 	 * @param httpVerb  - the type of HTTP request (e.g., GET, PUT)
 	 * @param secretKey - value obtained from the AWSAccessKeyId
 	 * @param signature - the signature we are trying to recreate, note can be URL-encoded
 	 *
 	 * @throws SignatureException
 	 *
 	 * @return true if request has been authenticated, false otherwise
 	 * @throws UnsupportedEncodingException
 	 */

 	public boolean verifySignature( String httpVerb, String secretKey, String signature )
 	    throws SignatureException, UnsupportedEncodingException {

 		if (null == httpVerb || null == secretKey || null == signature) return false;

 		httpVerb  = httpVerb.trim();
 		secretKey = secretKey.trim();
 		signature = signature.trim();

 		// First calculate the StringToSign after the caller has initialized all the header values
 		String StringToSign = genStringToSign( httpVerb );
 		String calSig       = calculateRFC2104HMAC( StringToSign, secretKey );
 		// Was the passed in signature URL encoded? (it must be base64 encoded)
 		int offset = signature.indexOf( "%" );
 		if (-1 != offset) signature = URLDecoder.decode( signature, "UTF-8" );

         boolean match = signature.equals( calSig );
         if (!match)
         	logger.error( "Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]" );

         return match;
 	}


 	/**
 	 * This function generates the single string that will be used to sign with a users
 	 * secret key.
 	 *
 	 * StringToSign = HTTP-Verb + "\n" +
 	 * Content-MD5 + "\n" +
 	 * Content-Type + "\n" +
 	 * Date + "\n" +
 	 * CanonicalizedAmzHeaders +
 	 * CanonicalizedResource;
 	 *
 	 * @return The single StringToSign or null.
      */
 	private String genStringToSign( String httpVerb ) {
 		StringBuffer canonicalized = new StringBuffer();
 		String temp = null;
 		String canonicalizedResourceElement = genCanonicalizedResourceElement();
 		canonicalized.append( httpVerb ).append( "\n" );
 		if ( (null != this.contentMD5) )
 			canonicalized.append( this.contentMD5 );
 		canonicalized.append( "\n" );

 		if ( (null != this.contentType) )
 			canonicalized.append( this.contentType );
 		canonicalized.append( "\n" );

 		if (null != this.date)
 			canonicalized.append( this.date );

 		canonicalized.append( "\n" );

 		if (null != (temp = genCanonicalizedAmzHeadersElement())) canonicalized.append( temp );
 		if (null != canonicalizedResourceElement) canonicalized.append( canonicalizedResourceElement );

 		if ( 0 == canonicalized.length())
 			 return null;

 		return canonicalized.toString();
 	}


 	/**
 	 * CanonicalizedResource represents the Amazon S3 resource targeted by the request.
 	 * CanonicalizedResource = [ "/" + Bucket ] +
 	 *    <HTTP-Request-URI, from the protocol name up to the query string> +
 	 *    [ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"];
      *
 	 * @return A single string representing CanonicalizedResource or null.
 	 */
 	private String genCanonicalizedResourceElement() {
 		StringBuffer canonicalized = new StringBuffer();

 		if(this.useSubDomain && this.bucketName != null)
 			canonicalized.append( "/" ).append( this.bucketName );

 		if (null != this.uriPath    ) canonicalized.append( this.uriPath );
 		if (null != this.queryString) canonicalized.append( this.queryString );

 		if ( 0 == canonicalized.length())
 			 return null;

 		return canonicalized.toString();
 	}


 	/**
 	 * Construct the Canonicalized Amazon headers element of the StringToSign by
 	 * concatenating all headers in the TreeMap into a single string.
 	 *
 	 * @return A single string with all the Amazon headers glued together, or null
 	 *         if no Amazon headers appeared in the request.
 	 */
 	private String genCanonicalizedAmzHeadersElement() {
 		Collection<String> headers       = AmazonHeaders.values();
 		Iterator<String>   itr           = headers.iterator();
 		StringBuffer       canonicalized = new StringBuffer();

 		while( itr.hasNext())
 			canonicalized.append( itr.next());

 		if ( 0 == canonicalized.length())
 			 return null;

 		return canonicalized.toString();
 	}


     /**
      * Create a signature by the following method:
      *     new String( Base64( SHA1( key, byte array )))
      *
      * @param signIt    - the data to generate a keyed HMAC over
      * @param secretKey - the user's unique key for the HMAC operation
      * @return String   - the recalculated string
      * @throws SignatureException
      */
     private String calculateRFC2104HMAC( String signIt, String secretKey )
         throws SignatureException {
    	    String result = null;
    	    try {
    	    	SecretKeySpec key = new SecretKeySpec( secretKey.getBytes(), "HmacSHA1" );
    	        Mac hmacSha1 = Mac.getInstance( "HmacSHA1" );
     	    hmacSha1.init( key );
             byte [] rawHmac = hmacSha1.doFinal( signIt.getBytes());
             result = new String( Base64.encodeBase64( rawHmac ));
    	        }
    	    catch( InvalidKeyException e ) {
    		    throw new SignatureException( "Failed to generate keyed HMAC on REST request because key " + secretKey + " is invalid" + e.getMessage());
    	         }
    	    catch (Exception e) {
  		    throw new SignatureException( "Failed to generate keyed HMAC on REST request: " + e.getMessage());
    	         }
    	    return result.trim();
     }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.
	package com.cloud.bridge.util;

	import java.security.InvalidKeyException;
	import java.security.SignatureException;
	import java.util.*;
	import java.io.UnsupportedEncodingException;
	import java.net.URLDecoder;

	import javax.crypto.Mac;
	import javax.crypto.spec.SecretKeySpec;

	import org.apache.commons.codec.binary.Base64;
	import org.apache.log4j.Logger;


	/**
	* This class expects that the caller pulls the required headers from the standard
	* HTTPServeletRequest structure. This class is responsible for providing the
	* RFC2104 calculation to ensure that the signature is valid for the signing string.
	* The signing string is a representation of the request.
	* Notes are given below on what values are expected.
	* This class is used for the Authentication check for REST requests and Query String
	* Authentication requests.
	*
	*/

	public class RestAuth {
	protected final static Logger logger = Logger.getLogger(RestAuth.class);

	// TreeMap: used when constructing the CanonicalizedAmzHeaders Element of the StringToSign
	protected TreeMap<String, String> AmazonHeaders = null; // not always present
	protected String bucketName = null; // not always present
	protected String queryString = null; // for CanonicalizedResource - only interested in a string starting with particular values
	protected String uriPath = null; // only interested in the resource path
	protected String date = null; // only if x-amz-date is not set
	protected String contentType = null; // not always present
	protected String contentMD5 = null; // not always present
	protected boolean amzDateSet = false;
	protected boolean useSubDomain = false;

	protected Set<String> allowedQueryParams;

	public RestAuth() {
	// these must be lexicographically sorted
	AmazonHeaders = new TreeMap<String, String>();
	allowedQueryParams = new HashSet<String>() {{
	add("acl");
	add("lifecycle");
	add("location");
	add("logging");
	add("notification");
	add("partNumber");
	add("policy");
	add("requestPayment");
	add("torrent");
	add("uploadId");
	add("uploads");
	add("versionId");
	add("versioning");
	add("versions");
	add("website");
	add("delete");
	}};
	}

	public RestAuth(boolean useSubDomain) {
	//invoke the other constructor
	this();
	this.useSubDomain = useSubDomain;
	}

	public void setUseSubDomain(boolean value) {
	useSubDomain = value;
	}

	public boolean getUseSubDomain() {
	return useSubDomain;
	}

	/**
	* This header is used iff the "x-amz-date:" header is not defined.
	* Value is used in constructing the StringToSign for signature verification.
	*
	* @param date - the contents of the "Date:" header, skipping the 'Date:' preamble.
	* OR pass in the value of the "Expires=" query string parameter passed in
	* for "Query String Authentication".
	*/
	public void setDateHeader( String date ) {
	if (this.amzDateSet) return;
	if (null != date) date = date.trim();
	this.date = date;
	}

	/**
	* Value is used in constructing the StringToSign for signature verification.
	*
	* @param type - the contents of the "Content-Type:" header, skipping the 'Content-Type:' preamble.
	*/
	public void setContentTypeHeader( String type ) {
	if (null != type) type = type.trim();
	this.contentType = type;
	}


	/**
	* Value is used in constructing the StringToSign for signature verification.
	* @param type - the contents of the "Content-MD5:" header, skipping the 'Content-MD5:' preamble.
	*/
	public void setContentMD5Header( String md5 ) {
	if (null != md5) md5 = md5.trim();
	this.contentMD5 = md5;
	}


	/**
	* The bucket name can be in the "Host:" header but it does not have to be. It can
	* instead be in the uriPath as the first step in the path.
	*
	* Used as part of the CanonalizedResource element of the StringToSign.
	* If we get "Host: static.johnsmith.net:8080", then the bucket name is "static.johnsmith.net"
	*
	* @param header - contents of the "Host:" header, skipping the 'Host:' preamble.
	*/
	public void setHostHeader( String header ) {
	if (null == header) {
	this.bucketName = null;
	return;
	}

	// -> is there a port on the name?
	header = header.trim();
	int offset = header.indexOf( ":" );
	if (-1 != offset) header = header.substring( 0, offset );
	this.bucketName = header;
	}


	/**
	* Used as part of the CanonalizedResource element of the StringToSign.
	* CanonicalizedResource = [ "/" + Bucket ] +
	* <HTTP-Request-URI, from the protocol name up to the query string> + [sub-resource]
	* The list of sub-resources that must be included when constructing the CanonicalizedResource Element are: acl, lifecycle, location,
	* logging, notification, partNumber, policy, requestPayment, torrent, uploadId, uploads, versionId, versioning, versions and website.
	* (http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html)
	* @param query - results from calling "HttpServletRequest req.getQueryString()"
	*/
	public void setQueryString( String query ) {
	if (null == query) {
	this.queryString = null;
	return;
	}

	// Sub-resources (i.e.: query params) must be lex sorted
	Set<String> subResources = new TreeSet<String>();

	String [] queryParams = query.split("&");
	StringBuffer builtQuery= new StringBuffer();
	for (String queryParam:queryParams) {
	// lookup parameter name
	String paramName = queryParam.split("=")[0];
	if (allowedQueryParams.contains(paramName)) {
	subResources.add(queryParam);
	}
	}
	for (String subResource:subResources) {
	builtQuery.append(subResource + "&");
	}
	// If anything inside the string buffer, add a "?" at the beginning,
	// and then remove the last '&'
	if (builtQuery.length() > 0) {
	builtQuery.insert(0, "?");
	builtQuery.deleteCharAt(builtQuery.length()-1);
	}
	this.queryString = builtQuery.toString();
	}


	/**
	* Used as part of the CanonalizedResource element of the StringToSign.
	* Append the path part of the un-decoded HTTP Request-URI, up-to but not including the query string.
	*
	* @param path - - results from calling "HttpServletRequest req.getPathInfo()"
	*/
	public void addUriPath( String path ) {
	if (null != path) path = path.trim();
	this.uriPath = path;
	}


	/**
	* Pass in each complete Amazon header found in the HTTP request one at a time.
	* Each Amazon header added will become part of the signature calculation.
	* We are using a TreeMap here because of the S3 definition:
	* "Sort the collection of headers lexicographically by header name."
	*
	* @param headerAndValue - needs to be the complete amazon header (i.e., starts with "x-amz").
	*/
	public void addAmazonHeader( String headerAndValue ) {
	if (null == headerAndValue) return;

	String canonicalized = null;

	// [A] First Canonicalize the header and its value
	// -> we use the header 'name' as the key since we have to sort on that
	int offset = headerAndValue.indexOf( ":" );
	String header = headerAndValue.substring( 0, offset+1 ).toLowerCase();
	String value = headerAndValue.substring( offset+1 ).trim();

	// -> RFC 2616, Section 4.2: unfold the header's value by replacing linear white space with a single space character
	// -> does the HTTPServeletReq already do this for us?
	value = value.replaceAll( " ", " " ); // -> multiple spaces to one space
	value = value.replaceAll( "(\r\n\|\t\|\n)", " " ); // -> CRLF, tab, and LF to one space


	// [B] Does this header already exist?
	if ( AmazonHeaders.containsKey( header )) {
	// -> combine header fields with the same name into one "header-name:comma-separated-value-list" pair as prescribed by RFC 2616, section 4.2, without any white-space between values.
	canonicalized = AmazonHeaders.get( header );
	canonicalized = new String( canonicalized + "," + value + "\n" );
	canonicalized = canonicalized.replaceAll( "\n,", "," ); // remove the '\n' from the first stored value
	}
	else canonicalized = new String( header + value + "\n" ); // -> as per spec, no space between header and its value

	AmazonHeaders.put( header, canonicalized );

	// [C] "x-amz-date:" takes precedence over the "Date:" header
	if (header.equals( "x-amz-date:" )) {
	this.amzDateSet = true;
	if (null != this.date) this.date = null;
	}
	}


	/**
	* The request is authenticated if we can regenerate the same signature given
	* on the request. Before calling this function make sure to set the header values
	* defined by the public values above.
	*
	* @param httpVerb - the type of HTTP request (e.g., GET, PUT)
	* @param secretKey - value obtained from the AWSAccessKeyId
	* @param signature - the signature we are trying to recreate, note can be URL-encoded
	*
	* @throws SignatureException
	*
	* @return true if request has been authenticated, false otherwise
	* @throws UnsupportedEncodingException
	*/

	public boolean verifySignature( String httpVerb, String secretKey, String signature )
	throws SignatureException, UnsupportedEncodingException {

	if (null == httpVerb \|\| null == secretKey \|\| null == signature) return false;

	httpVerb = httpVerb.trim();
	secretKey = secretKey.trim();
	signature = signature.trim();

	// First calculate the StringToSign after the caller has initialized all the header values
	String StringToSign = genStringToSign( httpVerb );
	String calSig = calculateRFC2104HMAC( StringToSign, secretKey );
	// Was the passed in signature URL encoded? (it must be base64 encoded)
	int offset = signature.indexOf( "%" );
	if (-1 != offset) signature = URLDecoder.decode( signature, "UTF-8" );

	boolean match = signature.equals( calSig );
	if (!match)
	logger.error( "Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]" );

	return match;
	}


	/**
	* This function generates the single string that will be used to sign with a users
	* secret key.
	*
	* StringToSign = HTTP-Verb + "\n" +
	* Content-MD5 + "\n" +
	* Content-Type + "\n" +
	* Date + "\n" +
	* CanonicalizedAmzHeaders +
	* CanonicalizedResource;
	*
	* @return The single StringToSign or null.
	*/
	private String genStringToSign( String httpVerb ) {
	StringBuffer canonicalized = new StringBuffer();
	String temp = null;
	String canonicalizedResourceElement = genCanonicalizedResourceElement();
	canonicalized.append( httpVerb ).append( "\n" );
	if ( (null != this.contentMD5) )
	canonicalized.append( this.contentMD5 );
	canonicalized.append( "\n" );

	if ( (null != this.contentType) )
	canonicalized.append( this.contentType );
	canonicalized.append( "\n" );

	if (null != this.date)
	canonicalized.append( this.date );

	canonicalized.append( "\n" );

	if (null != (temp = genCanonicalizedAmzHeadersElement())) canonicalized.append( temp );
	if (null != canonicalizedResourceElement) canonicalized.append( canonicalizedResourceElement );

	if ( 0 == canonicalized.length())
	return null;

	return canonicalized.toString();
	}


	/**
	* CanonicalizedResource represents the Amazon S3 resource targeted by the request.
	* CanonicalizedResource = [ "/" + Bucket ] +
	* <HTTP-Request-URI, from the protocol name up to the query string> +
	* [ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"];
	*
	* @return A single string representing CanonicalizedResource or null.
	*/
	private String genCanonicalizedResourceElement() {
	StringBuffer canonicalized = new StringBuffer();

	if(this.useSubDomain && this.bucketName != null)
	canonicalized.append( "/" ).append( this.bucketName );

	if (null != this.uriPath ) canonicalized.append( this.uriPath );
	if (null != this.queryString) canonicalized.append( this.queryString );

	if ( 0 == canonicalized.length())
	return null;

	return canonicalized.toString();
	}


	/**
	* Construct the Canonicalized Amazon headers element of the StringToSign by
	* concatenating all headers in the TreeMap into a single string.
	*
	* @return A single string with all the Amazon headers glued together, or null
	* if no Amazon headers appeared in the request.
	*/
	private String genCanonicalizedAmzHeadersElement() {
	Collection<String> headers = AmazonHeaders.values();
	Iterator<String> itr = headers.iterator();
	StringBuffer canonicalized = new StringBuffer();

	while( itr.hasNext())
	canonicalized.append( itr.next());

	if ( 0 == canonicalized.length())
	return null;

	return canonicalized.toString();
	}


	/**
	* Create a signature by the following method:
	* new String( Base64( SHA1( key, byte array )))
	*
	* @param signIt - the data to generate a keyed HMAC over
	* @param secretKey - the user's unique key for the HMAC operation
	* @return String - the recalculated string
	* @throws SignatureException
	*/
	private String calculateRFC2104HMAC( String signIt, String secretKey )
	throws SignatureException {
	String result = null;
	try {
	SecretKeySpec key = new SecretKeySpec( secretKey.getBytes(), "HmacSHA1" );
	Mac hmacSha1 = Mac.getInstance( "HmacSHA1" );
	hmacSha1.init( key );
	byte [] rawHmac = hmacSha1.doFinal( signIt.getBytes());
	result = new String( Base64.encodeBase64( rawHmac ));
	}
	catch( InvalidKeyException e ) {
	throw new SignatureException( "Failed to generate keyed HMAC on REST request because key " + secretKey + " is invalid" + e.getMessage());
	}
	catch (Exception e) {
	throw new SignatureException( "Failed to generate keyed HMAC on REST request: " + e.getMessage());
	}
	return result.trim();
	}
	}