Drop in function to sign Amazon requests

Amazon is implementing a signing requirement for Product Advertising API requests in August 2009. Signing is required on calls to Amazon to retrieve API data, it is not required on the display URLs on your website. This function is designed to be a drop in for existing API code. It accepts an unsigned URL, adds a timestamp, calculates and adds a signature and returns the result. The function follows the guidelines posted on Amazon's Example REST Requests page. At the time of this writing, the Amazon page does not indicate in step 9 that slashes(/) must also be urlencoded.

Do not pass the function a URL with a timestamp, it will add the timestamp for you. You must change the secret access line to your Secret Access Key from your Amazon account management screen.

function sign_url($url){
  $secret = '<YOUR SECRET ACCESS KEY HERE>';  
  $host = parse_url($url,PHP_URL_HOST);
  $timestamp = gmstrftime("%Y-%m-%dT%H:%M:%S.000Z");
  $url = $url . "&Timestamp=" . $timestamp;
  // echo $url . "<BR>"; // display overridden url for testing

  $paramstart = strpos($url,"?");
  $workurl = substr($url,$paramstart+1);
  $workurl = str_replace(",","%2C",$workurl);
  $workurl = str_replace(":","%3A",$workurl);
  
  $params = explode("&",$workurl);
  sort($params);

  $signstr = "GET\n" . $host . "\n/onca/xml\n" . implode("&",$params);
  $signstr = base64_encode(hash_hmac('sha256', $signstr, $secret, true));
  $signstr = urlencode($signstr);
  $signedurl = $url . "&Signature=" . $signstr;
  // echo $signedurl . "<BR>";  // display the signed URL for testing
  return $signedurl;
}

// call the function as follows:
echo sign_url($url) . "<BR>";
// - or -
$signedurl = sign_url($unsignedurl);

At present, there doesn't seem to be any simple signed URL validator avaialable from Amazon. You can validate by comparing your URLs to Amazon generated ones, by following these steps:

Uncomment the two testing lines above. This will cause the function to display your URL with a timestamp added. This is necessary because the Amazon Signed Requests Helper has to have the same timestamp as this function to give a matching signature.
Call this function passing it your existing unsigned URL.
The function will display a timestamped version of your URL.
Go to the Amazon Signed Requests Helper page
Paste the timestamped URL into the Unsigned URL box.
Paste your AWS Access Key ID into the box at the top.
Paste your AWS Secret Access Key into the box at the top. The secret key should be the same as the one you used in the code above.
Scroll to the bottom of the helper page and click "Display Signed URL".
Scroll to the bottom of the helper page. The Signed URL value should match the URL returned by this function.

Updated: 2 June 2009 - time set to GMT
Updated: 3 June 2009 - dropped optional 3rd param on substr()

Article ID: amzsigning

Terms of use: Use of this site is at your own risk and all information is provided without guarantee or warranty of suitability for a specific application. All code and comments presented here are for example purposes only. You may freely use the code presented here with or without modification for your own needs, but you may not publish or redistribute the code. Please link to this site instead of copying code.

Examples should not be considered a recommendation or legal advice. The articles and software provided herein reflect my own opinions and do not represent the opinions of my employers, clients or third parties whose products, services and sites are mentioned herein. For current policies and terms associated with third party products, always refer to the third parties' website and documentation. This site does not collect any personal information.

Web hosting for this site was donated by Tech World Some code examples used by permission of Tech World, Inc.