Signature calculation error, signature we calculated does not match. Sending request with cURL #16378

Closed
Mert18 opened this issue Jan 8, 2023 · 1 comment

Mert18 commented Jan 8, 2023

Expected Behavior

Expecting to get the content of the MinIO file after sending the curl request (in the script below).

Current Behavior

I am generating the signature using the following guide:
https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
But unfortunately I cannot send a curl request. It gives the error in the title.

Steps to Reproduce

You must have Access key id, secret key, and a session token.

1. Send request with Postman, using the credentials. It works.
2. Create a .sh file, add the content below, specify bucket and file name:

#!/bin/bash

s3Key="x"
s3Secret="y"
s3Session="z"

file="a/b/c.txt"
bucket="b"
host="host"
port="port"
resource="${bucket}/${file}"
dateValue="`date +'%Y%m%d'`"
X_amz_date="`date --utc +'%Y%m%dT%H%M%SZ'`"
X_amz_algorithm="AWS4-HMAC-SHA256"
awsRegion="us-east-1"
awsService="s3"
X_amz_credential="$s3Key%2F$dateValue%2F$awsRegion%2F$awsService%2Faws4_request"
X_amz_credential_auth="$s3Key/$dateValue/$awsRegion/$awsService/aws4_request"

signedHeaders="host;x-amz-content-sha256;x-amz-date;x-amz-security-token"

contentHash="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

HMAC_SHA256_asckey () {
        var=`/bin/echo -en $2 | openssl sha256 -hmac $1 -binary | xxd -p -c256`
        echo $var
}
HMAC_SHA256 () {
        var=`/bin/echo -en $2 | openssl dgst -sha256 -mac HMAC -macopt hexkey:$1 -binary | xxd -p -c256`
        echo $var
}

canonicalRequest="GET\n$resource\n\n"\
"host:$host\n"\
"x-amz-content-sha256:$contentHash""\n"\
"x-amz-date:$X_amz_date""\n\n"\
"x-amz-security-token:$s3Session""\n"\
"$signedHeaders\n"\
"$contentHash"

echo "canonical req"
echo $canonicalRequest

canonicalHash=`/bin/echo -en "$canonicalRequest" | openssl sha256 -binary | xxd -p -c256`
stringToSign="$X_amz_algorithm\n$X_amz_date\n$dateValue/$awsRegion/s3/aws4_request\n$canonicalHash"
echo "--------------->"
echo "string to sign"
echo $stringToSign

# ✓ acquiring signing key ✓
s1=`HMAC_SHA256_asckey "AWS4""$s3Secret" $dateValue`
s2=`HMAC_SHA256 "$s1" "$awsRegion"`
s3=`HMAC_SHA256 "$s2" "$awsService"`
signingKey=`HMAC_SHA256 "$s3" "aws4_request"`

signature=`/bin/echo -en $stringToSign | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey -binary | xxd -p -c256`
echo "------------------------>"
echo "signature"
echo $signature

authorization="$X_amz_algorithm Credential=$X_amz_credential_auth,SignedHeaders=$signedHeaders,Signature=$signature"

echo "<-------------- CURL --------------->"

curl -v -L "http://$host:$port/$bucket/$file" \
-H "X-Amz-Date:$X_amz_date" \
-H "X-Amz-Security-Token:$s3Session" \
-H "X-Amz-Content-Sha256:$contentHash" \
-H "Authorization:$authorization"


3. Run the script ./name.sh
4. It gives the error.

Context

I was trying to send a curl request with credentials.

Your Environment

Linux hachiko 5.15.0-57-generic #63-Ubuntu SMP Thu Nov 24 13:43:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

@harshavardhana
Member

Fixed a bunch of bugs in your implementation, now works fine.

--- /tmp/curl.sh.orig   2023-01-08 00:10:39.821827258 -0800
+++ /tmp/curl.sh.mod    2023-01-08 00:13:32.085044498 -0800
@@ -8,7 +8,7 @@ file="a/b/c.txt"
 bucket="b"
 host="host"
 port="port"
-resource="${bucket}/${file}"
+resource="/${bucket}/${file}"
 dateValue="`date +'%Y%m%d'`"
 X_amz_date="`date --utc +'%Y%m%dT%H%M%SZ'`"
 X_amz_algorithm="AWS4-HMAC-SHA256"
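Review bot: The dateValue context line directly below the changed resource line still runs date without --utc, while X_amz_date on the following line uses --utc. On a host whose local zone is not UTC, the credential scope date and the day in X-Amz-Date can disagree for part of each day, which would bring the signature mismatch back. Suggest computing dateValue with date --utc +'%Y%m%d', or deriving it from the first eight characters of X_amz_date so both come from one clock read.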
@@ -30,11 +30,20 @@ HMAC_SHA256 () {
         echo $var
 }
 
+# No port needed only when port is 80 or 443 for the S3 service.
+# canonicalRequest="GET\n$resource\n\n"\
+# "host:$host\n"\
+# "x-amz-content-sha256:$contentHash""\n"\
+# "x-amz-date:$X_amz_date""\n"\
+# "x-amz-security-token:$s3Session""\n\n"\
+# "$signedHeaders\n"\
+# "$contentHash"
+
 canonicalRequest="GET\n$resource\n\n"\
-"host:$host\n"\
+"host:$host:$port\n"\
 "x-amz-content-sha256:$contentHash""\n"\
-"x-amz-date:$X_amz_date""\n\n"\
-"x-amz-security-token:$s3Session""\n"\
+"x-amz-date:$X_amz_date""\n"\
+"x-amz-security-token:$s3Session""\n\n"\
 "$signedHeaders\n"\
 "$contentHash"
 
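Review bot: The new signed line "host:$host:$port\n" always appends the port, but the comment added at the top of this hunk says the port is not needed when it is 80 or 443, so on those ports the patched script still signs a host value that differs from the one described as correct. Suggest building a single host-header variable that appends ":$port" only when the port is neither 80 nor 443 and using it in canonicalRequest, rather than keeping a commented-out second copy of the whole block. The wording "No port needed only when" is also ambiguous and would read better as "Omit the port when it is 80 or 443".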

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 9, 2024
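The canonical-request layout that the patch above corrects (leading "/" on the path, host with the port, exactly one blank line after the last header), as an added example that is not the issue author's or MinIO's code. The keys "y" and "z", the host "host:9000" and the timestamp are constructed placeholders, and it assumes openssl, od and awk are installed.

```shell
#!/usr/bin/env bash
# Added example, not the issue author's or MinIO's code. Needs openssl, od, awk.
EMPTY_SHA256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SIGNED_HEADERS="host;x-amz-content-sha256;x-amz-date;x-amz-security-token"

hex()        { od -An -v -tx1 | tr -d ' \n'; }              # stdin bytes -> hex
sha256_hex() { openssl dgst -sha256 | awk '{print $NF}'; }  # stdin -> hex digest
hmac_hex()   {                                              # $1 = hex key, stdin = message
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
}

# canonical_request HOST_HEADER PATH AMZ_DATE SESSION_TOKEN
# printf writes real newlines, so nothing relies on echo -e interpreting \n.
canonical_request() {
  printf 'GET\n%s\n\n' "$2"          # method, absolute path, empty query string
  printf 'host:%s\n' "$1"            # must equal the Host header actually sent
  printf 'x-amz-content-sha256:%s\n' "$EMPTY_SHA256"
  printf 'x-amz-date:%s\n' "$3"
  printf 'x-amz-security-token:%s\n' "$4"
  printf '\n%s\n%s' "$SIGNED_HEADERS" "$EMPTY_SHA256"  # one blank line ends the headers
}

# signing_key SECRET YYYYMMDD REGION SERVICE -> hex key
signing_key() {
  local k
  k=$(printf '%s' "$2" | hmac_hex "$(printf 'AWS4%s' "$1" | hex)")
  k=$(printf '%s' "$3" | hmac_hex "$k")
  k=$(printf '%s' "$4" | hmac_hex "$k")
  printf 'aws4_request' | hmac_hex "$k"
}

# sign SECRET REGION HOST_HEADER PATH AMZ_DATE SESSION_TOKEN -> hex signature
sign() {
  local day="${5%%T*}" creq_hash     # scope date taken from the same UTC timestamp
  creq_hash=$(canonical_request "$3" "$4" "$5" "$6" | sha256_hex)
  printf 'AWS4-HMAC-SHA256\n%s\n%s/%s/s3/aws4_request\n%s' "$5" "$day" "$2" "$creq_hash" |
    hmac_hex "$(signing_key "$1" "$day" "$2" s3)"
}

# Constructed placeholder inputs (assumptions, not values from a real deployment).
good=$(sign "y" us-east-1 "host:9000" "/b/a/b/c.txt" 20230108T081332Z "z")
no_slash=$(sign "y" us-east-1 "host:9000" "b/a/b/c.txt" 20230108T081332Z "z")
no_port=$(sign "y" us-east-1 "host" "/b/a/b/c.txt" 20230108T081332Z "z")
echo "signature:          $good"
echo "path without '/':   $no_slash"
echo "host without port:  $no_port"
```

The three printed signatures differ, which is what the server reports as a mismatch when the client signs a path without the leading slash or a host without the port it actually sends.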