Bug #62875: SignatureDoesNotMatch when extra headers start with 'x-amzn' - rgw - Ceph

Actions

Copy link

Bug #62875

closed

SignatureDoesNotMatch when extra headers start with 'x-amzn'

Added by Rui Ma 8 months ago. Updated 6 months ago.

Status:

Resolved

Priority:

Normal

Assignee:

Rui Ma

Target version:

Ceph - v19.0.0

% Done:

100%

Source:

Tags:

s3 backport_processed

Backport:

pacific quincy reef

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

ceph-qa-suite:

Pull request ID:

53525

Crash signature (v1):

Crash signature (v2):

Description

Here is my s3 put-object test

bucket="new-bucket-01" 
file=$1
objname="testfile" 
url="127.0.0.1:8000" 
s3Key="xxx" 
s3Secret="xxx" 
protocol=http

resource="/${bucket}/${objname}" 
contentType="application/octet-stream" 
LANG="en_US.UTF-8" 
dateValue=`date -u +'%a, %d %b %Y %H:%M:%S GMT'`
stringToSign="PUT\n\n${contentType}\n${dateValue}\n${resource}" 
signature=`echo -en ${stringToSign} | openssl sha1 -hmac ${s3Secret} -binary | base64`
curl -X PUT -T "${file}" \
  -H "Host: ${url}" \
  -H "Date: ${dateValue}" \
  -H "Content-Type: ${contentType}" \
  -H "Authorization: AWS ${s3Key}:${signature}" "$protocol://${url}/${bucket}/${objname}" \
  -H "x-amzn-trace-id:Root=1-127ce9f8-411f3b20b20ac1e707782051;Parent=abd438e5710e3d4a;Sampled=1" \
-i

add an extra header 'x-amzn-trace-id' after signing the request. Which results in SignatureDoesNotMatch.

AWS signature v2 or v4 should not happens.
Cause it only select all HTTP request headers that start with 'x-amz-' to construct the CanonicalizedAmzHeaders (or CanonicalHeaders).

https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html#RESTAuthenticationConstructingCanonicalizedAmzHeaders

https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html

Related issues 3 (0 open — 3 closed)