SLightS3 - Signing Your Policy

NOTE: Policy signing was changed for version 1.2.0.  If you have not yet downloaded 1.2.0 or higher, please do so prior to using this example.

SLightS3 authenticates requests to the Amazon S3 service through the use of a signed policy document.  SLightS3 automatically generates this policy document prior to upload.  The policy document contains information about the request to be sent to the S3 server, so it is important that you sign the policy document only after all of the properties are set and just prior to initiating the upload to the S3 Service.

Signing your policy requires your Amazon AWS Secret Key.  For this reason we do not recommend signing your policy document within your Silverlight application.  We recommend that you create a secure service, accessible to your Silverlight application, that you can use to sign your policy.  It is certainly possible to sign your policy within your Silverlight application, but doing so potentially exposes your secret key to your end users, and you do so at your own risk.

The signed policy document is the Base64-encoded HMAC-SHA1 hash of the unsigned policy, computed with your AWS Secret Key as the key.  We've provided a sample class below that can be used to generate your signed policy.  Please refer to the SLightS3 Code Samples page to see how this signed policy is used.

Example (VB .NET)
Imports System
Imports System.Security.Cryptography

Namespace SLightS3
    Public Class SignedPolicyGenerator
        ''' <summary>
        ''' This method signs the supplied policy document with the supplied AWS Secret Key.
        ''' </summary>
        ''' <param name="UnsignedPolicy">String representing the policy document to be signed.</param>
        ''' <param name="AWSSecretKey">String representing the AWS Secret Key used to create the digital signature.</param>
        ''' <returns>The signed policy document as a Base64 encoded string.</returns>
        Public Shared Function GetSignedPolicy(ByVal UnsignedPolicy As String, ByVal AWSSecretKey As String) As String
            ' HMAC-SHA1 keyed with the secret key; the instance is disposed once the signature is computed.
            Using sigHash As New HMACSHA1(System.Text.Encoding.UTF8.GetBytes(AWSSecretKey))
                Dim bytPolicy() As Byte = System.Text.Encoding.UTF8.GetBytes(UnsignedPolicy)
                Dim bytSignature() As Byte = sigHash.ComputeHash(bytPolicy)
                Return Convert.ToBase64String(bytSignature)
            End Using
        End Function
    End Class
End Namespace

Example (C#)
using System;
using System.Security.Cryptography;

namespace SLightS3
{
    public class SignedPolicyGenerator
    {
        /// <summary>
        /// This method signs the supplied policy document with the supplied AWS Secret Key.
        /// </summary>
        /// <param name="UnsignedPolicy">String representing the policy document to be signed.</param>
        /// <param name="AWSSecretKey">String representing the AWS Secret Key used to create the digital signature.</param>
        /// <returns>The signed policy document as a Base64 encoded string.</returns>
        public static string GetSignedPolicy(string UnsignedPolicy, string AWSSecretKey)
        {
            // HMAC-SHA1 keyed with the secret key; the instance is disposed once the signature is computed.
            using (HMACSHA1 sigHash = new HMACSHA1(System.Text.Encoding.UTF8.GetBytes(AWSSecretKey)))
            {
                byte[] bytPolicy = System.Text.Encoding.UTF8.GetBytes(UnsignedPolicy);
                byte[] bytSignature = sigHash.ComputeHash(bytPolicy);
                return Convert.ToBase64String(bytSignature);
            }
        }
    }
}
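
The secure signing service recommended above should not sign whatever the client sends, or it hands out the same authority as the secret key itself. The following is an added example, not part of SLightS3 or its samples, showing a server-side check that runs before the HMAC is computed. It assumes the unsigned policy is a Base64-encoded S3 POST policy in JSON and a modern .NET server with System.Text.Json; the class name, bucket, key prefix and lifetime limit are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
// Added example, not SLightS3 code. Assumes the unsigned policy is a Base64-encoded
// S3 POST policy (JSON). Class name, bucket, prefix and lifetime are hypothetical.
public static class PolicySigningService
{
    const string AllowedBucket = "example-upload-bucket";
    const string AllowedKeyPrefix = "uploads/";
    static readonly TimeSpan MaxLifetime = TimeSpan.FromMinutes(15);
    // Returns the Base64 signature, or throws without signing. Malformed input
    // surfaces as FormatException or JsonException before anything is signed.
    public static string SignIfAllowed(string unsignedPolicy, string awsSecretKey, DateTimeOffset now)
    {
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(unsignedPolicy));
        using (JsonDocument doc = JsonDocument.Parse(json))
        {
            if (!IsAllowed(doc.RootElement, now))
                throw new UnauthorizedAccessException("Policy rejected.");
        }
        // Same computation as GetSignedPolicy, reached only after validation.
        using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(awsSecretKey)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(unsignedPolicy)));
    }
    static bool IsAllowed(JsonElement policy, DateTimeOffset now)
    {
        // A short expiration bounds how long a leaked signature stays useful.
        if (policy.ValueKind != JsonValueKind.Object
            || !policy.TryGetProperty("expiration", out JsonElement exp)
            || exp.ValueKind != JsonValueKind.String
            || !exp.TryGetDateTimeOffset(out DateTimeOffset expires)
            || expires <= now || expires > now + MaxLifetime) return false;
        if (!policy.TryGetProperty("conditions", out JsonElement conds)
            || conds.ValueKind != JsonValueKind.Array) return false;
        // Require the exact bucket and a key confined to the upload prefix.
        bool bucketOk = conds.EnumerateArray().Any(c =>
            c.ValueKind == JsonValueKind.Object
            && c.TryGetProperty("bucket", out JsonElement b)
            && b.ValueKind == JsonValueKind.String && b.GetString() == AllowedBucket);
        bool keyOk = conds.EnumerateArray().Any(c =>
            c.ValueKind == JsonValueKind.Array && c.GetArrayLength() == 3
            && c.EnumerateArray().All(e => e.ValueKind == JsonValueKind.String)
            && c[0].GetString() == "starts-with" && c[1].GetString() == "$key"
            && c[2].GetString().StartsWith(AllowedKeyPrefix, StringComparison.Ordinal));
        return bucketOk && keyOk;
    }
}
```

The service should also authenticate the caller before reaching this check, and load the secret key from server-side configuration rather than accepting it from the request.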