
aws-v4-signer-java's People

Contributors

lucasweb78, yrodiere


aws-v4-signer-java's Issues

how to calculate sha256 for request payload

I am using Content-type as application/x-amz-json-1.1 in the header. May I know how I can calculate sha256 on JSON to match the signature? I tried canonicalizing the JSON, then converting the JSON object into a string and applying sha256 on the string, but unfortunately it didn't work.

URLEncoding fails

Hi,

I think I spotted a bug, but I'm a bit unsure. When I tried to connect with different clients, the signature verification failed. I started to wonder why and noticed that the URL to sign looked like this:

mc: <DEBUG> GET /bucketName/?delimiter=%2F&max-keys=1000&prefix= HTTP/1.1

As you can see, the delimiter is already URL-encoded here (originally it's just a slash). But then on the backend in your library you are encoding it again:

            builder.append(URLEncoding.encodeQueryComponent(name))
                    .append(QUERY_PARAMETER_VALUE_SEPARATOR)
                    .append(URLEncoding.encodeQueryComponent(value));

Which turns %2F to %225F or something like that. And, obviously, validation fails.

If I just skip the encoding part in your lib, then it works.

I noticed that you have a reference to docs about URL escaping:

        /*
         * See http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
         * for the list of characters that should not be escaped
         */

But if you go to this link, there's nothing mentioned there about the necessity to encode URL parts.

Is it possible that the protocol was changed a bit since you've implemented it? And is it possible to make the URL-encoding optional in your lib?

Add support for UNSIGNED-PAYLOAD

As per AWS docs:

Do not include payload checksum in signature calculation.
For step-by-step instructions to calculate signature and construct the Authorization header value, see Signature Calculations for the Authorization Header: Transferring Payload in a Single Chunk (AWS Signature Version 4).

Content SHA256

Hey there,

I am using your signer to create a signature to pass to a JavaScript multipart/chunk uploader, and I am wondering if it is possible not to set the content-sha256; otherwise I would need to calculate it on the client side for every chunk and pass it to the server.

thanks

Query parameters currently must be passed in alphabetical order

The AWS Canonical Request requires the query parameters to be sorted as per below:

Sort the parameter names by character code in ascending order (ASCII order)

Currently the signer does not do this and relies on them being passed in the correct order. The signer should be enhanced to handle query parameters in any order and to sort them correctly.
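The two canonical-query issues above (a value that arrives already percent-encoded, and parameter ordering) can be illustrated together. This is an added example, not code from aws-v4-signer-java; the class and method names are hypothetical, and it assumes the raw query is percent-encoded at most once and that `+` is a literal plus rather than a space.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

// Added illustration; class and method names are hypothetical, not the library's API.
public class CanonicalQueryExample {

    // SigV4 URI-encoding: keep A-Z a-z 0-9 - _ . ~ and percent-encode every other byte.
    static String uriEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xFF);
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.' || c == '~';
            out.append(unreserved ? String.valueOf(c) : String.format("%%%02X", b & 0xFF));
        }
        return out.toString();
    }

    // Undo the wire encoding once. Assumption: '+' is a literal plus, not a space.
    static String decodeOnce(String s) throws Exception {
        return URLDecoder.decode(s.replace("+", "%2B"), "UTF-8");
    }

    // Decode each name and value once, encode once, then sort by name and by value.
    static String canonicalQuery(String rawQuery) throws Exception {
        List<String[]> pairs = new ArrayList<>();
        for (String part : rawQuery.split("&")) {
            if (part.isEmpty()) continue;
            int eq = part.indexOf('=');
            String name = eq < 0 ? part : part.substring(0, eq);
            String value = eq < 0 ? "" : part.substring(eq + 1);
            pairs.add(new String[] { uriEncode(decodeOnce(name)), uriEncode(decodeOnce(value)) });
        }
        pairs.sort(Comparator.comparing((String[] p) -> p[0]).thenComparing(p -> p[1]));
        StringBuilder out = new StringBuilder();
        for (String[] p : pairs) out.append(out.length() == 0 ? "" : "&").append(p[0]).append('=').append(p[1]);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the parameters from the issue above, deliberately out of order.
        System.out.println(canonicalQuery("prefix=&max-keys=1000&delimiter=%2F"));
        // Encoding the wire form directly, without decoding first, escapes the '%' itself.
        System.out.println(uriEncode("%2F"));
    }
}
```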

Http Client Filters

Hi, I was looking at open sourcing a filter to handle auth with Spring Reactive Web Client that would use this library. I can add it as a separate GitHub project, or would you be interested in adding Maven sub-projects to this library to provide support? I would probably have to implement #7 for it to work correctly.

trying to generate signature to chime, returning InvalidSignatureException

Below is my code from the function I created.

    public String generateSignature(String currentDate) throws URISyntaxException {
        String contentSha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
        URI uri = new URI("https://service.chime.aws.amazon.com");
        HttpRequest request = new HttpRequest("GET", uri);
        String signature = Signer.builder()
                .awsCredentials(new AwsCredentials(ACCESS_KEY, SECRET_KEY))
                .header("Host", "service.chime.aws.amazon.com")
                .header("x-amz-date", currentDate)
                .header("x-amz-content-sha256", contentSha256)
                .build(request, "chime", contentSha256)
                .getSignature();

        return signature;
    }

Still returning

<InvalidSignatureException>
  <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
</InvalidSignatureException>

Can you help me out? This lib is the closest thing I got to solving this issue of connecting to the AWS/Chime REST API.

Could you provide a full S3 example

Hi,

I am trying to use your library to upload an object to S3 without the big fat aws-sdk-java jar.

However, I don't get how you obtain the

String contentSha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";

And I also don't get what x-amz-date is, which is not described in https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html

Can you help?

Here is how my code is looking (this is Kotlin without any dependency but your lib)

class S3FileStorage(val accessKey: String, val secretKey: String, val bucket: String) : FileStorage {
    override fun upload(base64: String, mimeType:String): String {
        val bytes = Base64.getDecoder().decode(base64)
        val ext = mimeType.substring(mimeType.indexOf('/') + 1)
        val name = UUID.randomUUID().toString() + "." + ext

        val urlStr = "https://${bucket}.s3.amazonaws.com/${name}"
        val httpMethod = "PUT"
        val contentSha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" //HOW TO GET THAT
        val request = HttpRequest(httpMethod, URI(urlStr))
        val signature = Signer.builder()
                .awsCredentials(AwsCredentials(accessKey, secretKey))
                .header("Host", "examplebucket.s3.amazonaws.com")
                .header("x-amz-date", "20130524T000000Z") //WHAT IS THIS ?
                .header("x-amz-content-sha256", contentSha256)
                .buildS3(request, contentSha256)
                .getSignature()

        val df = SimpleDateFormat("EEE', 'dd' 'MMM' 'yyyy' 'HH:mm:ss' 'Z", Locale.US)
        df.timeZone = TimeZone.getTimeZone("GMT")
        val formattedDate = df.format(Date())

        val url = URL(urlStr)
        val httpConn = url.openConnection() as HttpURLConnection
        httpConn.setDoOutput(true)
        httpConn.setRequestMethod(httpMethod)
        httpConn.setRequestProperty("Accept", "application/json")
        httpConn.setRequestProperty("Date", formattedDate)
        httpConn.setRequestProperty("Content-type", mimeType)
        httpConn.setRequestProperty("Authorization", signature)
        httpConn.getOutputStream().use { outputStream ->
            ByteArrayInputStream(bytes).use { byteArrayInputStream ->
                byteArrayInputStream.copyTo(outputStream)
            }
        }
        val res = httpConn.getResponseMessage()
        Logger.getLogger("BEASYNESS").info("UPLOAD TO S3 " + res)

        return urlStr
    }

}
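The constant in the snippets above is the SHA-256 of an empty body; for a request with content, the value is the hex SHA-256 of the exact bytes sent, and `x-amz-date` is the request time in UTC. An added example (not from the library or the posters; class and method names are hypothetical, and the sample JSON bodies are constructed):

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;

// Added illustration; class and method names are hypothetical, not the library's API.
public class PayloadHashExample {

    // Lowercase hex SHA-256 of the exact bytes that go on the wire as the request body.
    static String contentSha256(byte[] body) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(body);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) hex.append(String.format("%02x", b & 0xFF));
        return hex.toString();
    }

    // x-amz-date uses the ISO 8601 basic format in UTC (yyyyMMdd'T'HHmmss'Z').
    static String amzDate(Instant now) {
        return DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'")
                .withZone(ZoneOffset.UTC)
                .format(now);
    }

    public static void main(String[] args) throws Exception {
        // Empty body (for example a GET): this is where the constant in the snippets comes from.
        System.out.println(contentSha256(new byte[0]));

        // Constructed JSON bodies: the same object serialized two ways is two different
        // byte strings, so the hash must be taken over the bytes actually sent.
        byte[] sent = "{\"b\": 1, \"a\": 2}".getBytes(StandardCharsets.UTF_8);
        byte[] reserialized = "{\"a\":2,\"b\":1}".getBytes(StandardCharsets.UTF_8);
        System.out.println(contentSha256(sent));
        System.out.println(contentSha256(reserialized));

        // The timestamp used in the Kotlin snippet, produced from an Instant.
        System.out.println(amzDate(Instant.parse("2013-05-24T00:00:00Z")));
    }
}
```

The same string has to be used for the `x-amz-content-sha256` header and for the hash argument passed to the signer, and the `x-amz-date` value signed has to be the one sent with the request.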

Add support for STREAMING-AWS4-HMAC-SHA256-PAYLOAD

As per AWS docs

Transfer payload in multiple chunks (chunked upload) – In this case you transfer payload in chunks. You can transfer a payload in chunks regardless of the payload size.
You can break up your payload into chunks. These can be fixed or variable-size chunks. By uploading data in chunks, you avoid reading the entire payload to calculate the signature. Instead, for the first chunk, you calculate a seed signature that uses only the request headers. The second chunk contains the signature for the first chunk, and each subsequent chunk contains the signature for the chunk that precedes it. At the end of the upload, you send a final chunk with 0 bytes of data that contains the signature of the last chunk of the payload. For more information, see Signature Calculations for the Authorization Header: Transferring Payload in Multiple Chunks (Chunked Upload) (AWS Signature Version 4).
