Amazon Simple Pay
Advanced User Guide (API Version 2010-08-28)
AWS Documentation » Amazon Simple Pay » Advanced Guide » Signature Version 2 FAQ
Print this pageEmail this pageGo to the ForumsView the PDFShare this page on TwitterShare this page on FacebookBookmark this page on DeliciousSubmit this page to RedditSubmit this page to DiggDid this page help you?  Yes  No   Tell us about it...

Signature Version 2 FAQ

General Questions

  1. Why did Amazon Payments upgrade from signature version 1 to 2?

    Signature version 2 enhances the security for inbound API requests and outbound notifications. Amazon Web Services has released signature version 2 for many other services, including Amazon EC2, Amazon Simple DB, and Amazon SQS. Where signature 2 has been released, signature version 1 has been deprecated. Additional information on signature version 2 can be found at http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1928.

  2. Is there a timeframe to deprecate signature version 1 for FPS and Simple Pay?

    Yes. Signature version 2 was released on November 3rd, 2009. Signature version 1 expired on 10 February, 2011. You must now use signature version 2 for signing your requests and verifying responses.

  3. What do I need to do to migrate to signature version 2?

    • You need to migrate all your inbound requests (FPS API requests, CBUI/Simple Pay requests) to use signature version 2.

    • You need to start verifying signatures in outbound notifications (CBUI/Simple Pay return URLs and IPNs) using signature version 2.

    The exact steps to migrate from version 1 to 2 are documented in all of our FPS Quick Start guides and the Amazon Simple Pay Advanced User Guide. You can also download migration samples that can assist you in the language of your choice: Java | C# | PHP | Ruby | Perl.

  4. What changes can we expect going forward?

    • None, now that signature version 1 has been replaced by signature version 2. (Though some Amazon Web Services are using a newer signature version 3, there are no plans to support it in Amazon Payments, the Cobranded User Interface, Amazon Flexible Payments, or Amazon Simple Pay).

Differences between Signature Version 1 and Signature Version 2

  1. How is the signature version 2 algorithm different from the previous one for inbound API requests?

    If you're familiar with signature version 1, these are the main differences with signature version 2:

    • The string to sign is formed in a different way.

    • HMAC-SHA256 can be used when the request is signed (we prefer HMAC-SHA256, but we still support HMAC-SHA1).

    • The SignatureVersion request parameter should be set to 2.

    • The SignatureMethod request parameter should be set to either HmacSHA256 or HmacSHA1 to indicate which signing method you want.

  2. How is the signature version 2 algorithm different from the previous one for outbound notifications (CBUI\Amazon Simple Pay return URLs and IPNs)?

    If you're familiar with validating signature using version 1, these are the main differences with validating signature using version 2:

    • The string to sign is formed in a different way.

    • The signature computed is based on asymmetric keys (PKI and RSA-SHA1 encryption) instead of symmetric (using the developer’s AWS Access Key ID and AWS Secret Key).

    • Signature validation is simpler, due to the VerifySignature API that validates the signature returned in IPNs and Return URLs.

  3. What is different about forming the string to sign for signature version 2 (inbound and outbound)?

    • Additional components of the request are included in the string to sign (HTTP method – GET\POST, Server URL endpoint).

    • The query string control parameters (the equal sign and ampersand) are included in the string to sign.

    • The query string parameters are sorted using byte ordering.

    • The query string parameters and their values are URL encoded before signing the request.

  4. Why does Amazon Web Services use asymmetric instead of symmetric keys to compute the signature for outbound notifications?

    Signature computation for outbound notifications on the AWS end and signature validation on your end using symmetric keys becomes cumbersome and indeterministic by the introduction of AWS access key rotation (refer to https://aws-portal.amazon.com/gp/aws/developer/account/index.html?ie=UTF8&action=access-key for more details). Asymmetric key based signing will become an AWS wide standard for outbound notifications.

Options to validate the signature in outbound notifications (CBUI\Simple Pay return URLs and IPNs)

  1. What are the options available to validate the signature?

    The signature version 2 security enables you to verify the signature of the responses from Amazon Payments Server-side signature verification using the VerifySignature API.

    [Important]Important

    The original implementation of signature version 2 supported client-side signature validation using PKI. Client-side signature validation was deprecated on November 3rd, 2009, and as of 10 February, 2011 it is no longer supported. If you have been using client-side signature validation, you must switch to server-side validation using the FPS action VerifySignature.

    You can also download migration samples that can assist you in the language of your choice: Java | C# | PHP | Ruby | Perl.

About Verify Signature API

  1. How does the VerifySignature API work?

    The VerifySignature API is pretty straightforward to use. Send the entire URL with the HTTP parameters received to the VerifySignature API and it returns a Boolean expression that indicates whether the signature was validated or not.

  2. How do I access the VerifySignature API?

    The API is hosted on the FPS endpoint along with all the other APIs:

Questions/Support

  1. Now that signature version 1 is no longer supported, what will happen if I try to use it?

    It depends on where you try to use it.

    • If you try to use signature version 1 for inbound requests for Amazon Simple Pay or the CBUI, your browser will display the following error message from Amazon Payments, and your request will not succeed.

      For Amazon Simple Pay, the error is Input parameter signatureVersion = 1 is invalid. This signature version is no longer supported. Please use version 2 to sign requests.

      For the CBUI, the error is Caller Input Exception. The following input(s) are not well formed:[signatureVersion = 1. This signature version is no longer supported. Please use signature version 2 to sign requests].

    • If you try to use signature version 1 for inbound requests for Amazon FPS, your return value will contain the following error message block, and your request will not succeed. 

      <Response>
  <Errors>
    <Code>InvalidParameterValue</Code>
    <Message>Value (1) for parameter SignatureVersion is invalid. This signature version is no longer supported. Please use signature version 2 to sign requests.</Message>
  </Errors>
</Response>

    • As of 10 February, 2011, Amazon Payments will use signature version 2 only for outbound requests. You will not be able to successfully validate your signatures using signature version 1.

  2. I am an existing customer using signature 1. How can I get help with migration?

    The exact steps to migrate from version 1 to 2 are documented in all of our FPS Quick Start guides and the Amazon Simple Pay Advanced User Guide. You can also download migration samples that can assist you in the language of your choice: Java | C# | PHP | Ruby | Perl.

    If you face any problems, please feel free to contact-us on the Amazon FPS Developer Forum.

  3. I have concerns about migrating to signature version 2. What do I do?

    Please go to http://aws.amazon.com/contact-us to file a Contact-Us request. We will address your concerns in the best possible way.

Document Conventions
Terms of Use		Did this page help you?  Yes  No   Tell us about it...