api signing is broken? #48

Closed
pheaver opened this Issue Dec 11, 2012 · 20 comments

Projects

None yet

5 participants

@pheaver

We have been getting an HTTP 403 error back from AWS because the API signature does not match. We have discovered that the problem happens on ghc-7.6.1 but not on ghc-7.0.4, and that it happens for getObject when any of the GetObject Maybe fields (goVersionId, goResponseContentType, goResponseContentLanguage, goResponseExpires, goResponseCacheControl, goResponseContentDisposition, goResponseContentEncoding) are set to Just.

I'm not sure, but it seems like s3SignQuery is not taking into account all the parameters that the signing should be based on. I have no idea why this is working on ghc-7.0.4 and not ghc-7.6.1.

@ckw

I don't think GetObject works in 7.0.4 either if you populate any of the fields that end up in s3QQuery. The weird thing is that getObject (i.e. a GetObject with only the bucket and object) works for us 7.0.4 but not 7.6.1. PutObject also works for us in 7.0.4 but not 7.6.1.

@pheaver

@aristidb I know we haven't provided much information about the problem. The truth is we are clueless about how the signing function should be defined and why it would behave differently in different versions of ghc, but @ckw and I have both managed to reproduce the problem as described above.

@aristidb
Owner

Can you try creating a minimal testcase? That would be very helpful.

@ckw

Ok, I tried the GetObject example in the README. It works fine with GHC 7.0.4, but fails on GHC 7.6.1 with a 403: "The request signature we calculated does not match the signature you provided. Check your key and signing method."

Here's a list of most of the relevant package versions we're using:

attempt-0.4.0
base64-bytestring-1.0.0.0
blaze-builder-0.3.1.0
bytestring-lexing-0.4.0
bytestring-mmap-0.2.2
case-insensitive-0.4.0.3
cereal-0.3.5.2
conduit-0.5.4
crypto-api-0.10.2
cryptohash-0.7.5
failure-0.2.0.1
http-conduit-1.8.2
http-types-0.7.3.0.1
lifted-base-0.2
monad-control-0.3.1.4
mtl-2.1.2
resourcet-0.4.3
text-0.11.2.3
transformers-0.3.0.0
utf8-string-0.3.7
xml-conduit-1.0.3.2

@aristidb
Owner

@ckw OK that's helpful already, I'm installing GHC 7.6 now. Can you please change the loglevel to Debug and tell me where the "String to sign" differs from what Amazon expects? I'll try reproducing the problem myself as soon as GHC 7.6 is installed, but still this should be helpful information.

@aristidb
Owner

Wow, installing with binary packages is quick. ANYWAYS: I can reproduce the error now. A very weird error indeed.

@aristidb
Owner

The SimpleDB example similarly fails, and the "String to sign" seems to match in the GetObject example. I suspect the HMAC hashing is broken somehow.

@aristidb
Owner

Testcase (using my AWS credentials):

GHC 7.4 ("correct" behavior):

> signature cred HmacSHA256 "test"
"4fRePX63UZEoR/xwS/c9PANPpUbves8Ohbhh/NsZROQ="

GHC 7.6

> signature cred HmacSHA256 "test"
"Fv8g8WfI3U6lhTRgDfekfTP/6TeFaNLBKwXbDiVG59s="

I will boil this down to the relevant cryptohash calls, and consider filing a bug there.

@aristidb
Owner

Submitted bug where it belongs: vincenthz/hs-cryptohash#12

In the meantime, my suggestion is to stick to GHC 7.4.2, as that is the version shipped with the most recent Haskell Platform. It is usually the best idea to stick to those versions, as you can see some packages do not work very well under GHC 7.6 yet.

@aristidb
Owner

You also mentioned that there were some kind of problems using GHC 7.0.4 with some specific requests. Could you please create a new issue for that, @pheaver or @ckw? Please also include a testcase!

@ckw

Awesome! Glad it was easy to find the bug. I'll file a new issue soon.

@aristidb
Owner

OK, to reiterate here what we learned elsewhere: This is a bug in the bytestring library. http://hackage.haskell.org/trac/ghc/ticket/7270

I strongly recommend not using GHC 7.6.1 and waiting for GHC 7.6.2 instead for the migration to GHC 7.6-series.

@aristidb aristidb closed this Jan 24, 2013
@aristidb
Owner

Given that GHC 7.6.2 is out, could you please check if the bug is fixed?

@aristidb aristidb reopened this Jan 29, 2013
@ckw

Ah, yeah. I should be able to check that out soon.

@zmthy

Just ran into this. Can confirm that updating to GHC 7.6.3 fixes the issue.

@pheaver

I'm pretty sure we (I work with @ckw) checked ghc 7.6.2 and it was fixed in there also.

@ckw

Yes, it's fixed in 7.6.2.

@schell

Are there any other situations that could lead to this problem? I'm seeing this with ghc 7.6.3 though I'm not sure if I'm just setting my credentials wrong or...

@aristidb
Owner
@schell

I found it was just a typo in the bucket name.

@aristidb aristidb closed this Aug 31, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment