This topic describes the signature algorithm that EventBridge uses to push events to HTTP or HTTPS event targets.

Background information

In the basic model of EventBridge, events are delivered from event sources to event buses, filtered and transformed based on event rules, and then delivered to various event targets for processing. Therefore, HTTP or HTTPS event targets usually need to expose their public endpoints to receive events that EventBridge pushes. To ensure data security, HTTP or HTTPS event targets must check whether received requests are sent by EventBridge.

Generate a signature in EventBridge

  1. EventBridge generates a temporary secret.
  2. EventBridge uses a private key to encrypt the temporary secret and specifies the encrypted secret in the x-eventbridge-signature-secret header.
  3. EventBridge generates a string-to-sign.
    For more information about the format of a string-to-sign, see the Format of a string-to-sign section of this topic.
  4. By default, EventBridge encrypts the string-to-sign by using the Hash-based Message Authentication Code Secure Hash Algorithm 1 (HMAC-SHA1) algorithm and the temporary secret to generate an encrypted value, and specifies the signature algorithm in the x-eventbridge-signature-method header.
  5. EventBridge specifies the current timestamp in the x-eventbridge-signature-timestamp header.
  6. EventBridge encodes the encrypted value in Base64 and specifies the Base64-encoded value in the x-eventbridge-signature header.
    The following formula is used to generate the signature:
    Signature = Base64( HMAC-SHA1(Temporary secret, UTF-8-Encoding-Of(
StringToSign)) )

Verify the signature in an event target

  1. The event target obtains the timestamp when the server sent the request based on the x-eventbridge-signature-timestamp header.
    • If the interval between the time when the request was sent and the time when the request was received exceeds 60s, the event target considers the request invalid to prevent replay attacks.
    • If the interval between the time when the request was sent and the time when the request was received does not exceed 60s, the event target continues the verification.
  2. The event target determines whether the URL specified by the x-eventbridge-signature-url header has a valid certificate of EventBridge. To do so, the event target checks whether the URL is in the format of https://[RegionId]-eventbridge.oss-accelerate.aliyuncs.com.
    • If the URL has a valid certificate of EventBridge, the event target obtains the public key from EventBridge based on the URL specified by the x-eventbridge-signature-url header.
    • If the URL has no valid certificate of EventBridge, the event target considers that the request was not sent from EventBridge and denies the event.
  3. The event target uses the public key that is obtained in Step 2 to decrypt the x-eventbridge-signature-secret header to obtain the temporary secret.
  4. The event target generates a string-to-sign.
    For more information about the format of a string-to-sign, see the Format of a string-to-sign section of this topic.
  5. By default, the event target encrypts the string-to-sign by using the HMAC-SHA1 algorithm and the signature algorithm specified by the x-eventbridge-signature-method header to generate an encrypted value.
  6. The event target encodes the encrypted value in Base64 to generate a signature.
  7. The event target compares the value of the x-eventbridge-signature header generated in the Generate a signature in EventBridge section with the signature generated in Step 6.
    • If the two signatures are the same, the request was sent from EventBridge, and the event target receives and processes the event.
    • If the two signatures are different, the request was not sent from EventBridge, and the event target denies the event.

Format of a string-to-sign

StringToSign = schema + "://" + Destination URL + "path" + "?" + "queryParam" + "\n" + Headers defined in EventBridge + "\n" + body

A request sent by the server contains the following headers defined in EventBridge:

  • x-eventbridge-signature-timestamp: the timestamp when the request was sent. If the interval between the time when the request was sent and the time when the request was received exceeds 60s, the event target considers the timestamp invalid and does not continue the verification to prevent replay attacks.
  • x-eventbridge-signature-method: the signature algorithm. By default, the HMAC-SHA1 algorithm is used.
  • x-eventbridge-signature-version: the version of the signature. Default value: 1.0.
  • x-eventbridge-signature-url: the URL of the signing certificate.
  • x-eventbridge-signature-token: optional. The token that is used to generate a custom signature. If you specify this header, you must specify the token when a client generates the signature. For more information, see Route events to HTTP endpoints.
Notice You must specify the headers defined in EventBridge in the preceding order and connect them with \n. Example: "x-eventbridge-signature-timestamp: <Your timestamp>" + "\n" + "x-eventbridge-signature-method: HMAC-SHA1" + "\n" + "x-eventbridge-signature-version: 1.0" + "\n" + "x-eventbridge-signature-url: <Your URL>".