问题描述
从https://github.com/bji/libs3下载C版libs3库源码,编译安装(参见libs3-c:编译安装和基础命令操作)后,put和get命令都能正确使用,执行gqs命令生成对象URL,浏览器访问该URL时报“SignatureDoesNotMatch”错误,如下:
SignatureDoesNotMatch
分析思路
从提示看是url的签名有误导致服务端拒绝,大致思路为
1、分析源代码,梳理gqs命令的执行流程;
2、从亚马逊官网找到S3的
Authenticating Requests: Using Query Parameters (AWS Signature Version 4)章节,分析URL生成标准流程和参考example;
3、查找当前gqs流程与标准流程的差异点,解决差异并试验。
S3官网中该文档有几处重点:
1、提供了一个标准的预签名URL,方便对照差异;
2、提示换行符只是方便阅读实际字符串是连续的,“/”也是方便阅读实际是%2F;
3、对URL中每项都进行了详细解释;
4、给出了计算签名(Calculating Signature)的流程和详细示例。
试验流程
打开Signature调试开关,重新编译安装,并运行gqs指令
/* Macro in request.c */
#define SIGNATURE_DEBUG
$ sudo make uninstall && make clean && make && sudo make install
$ s3 gqs -u nvrbucket/dog.jpeg
详细输出(host域名做了替换)
--
Canonical Request:
GET
/nvrbucket/dog.jpeg
host:xxxx.xxxx.xxxx.cn
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:20191031T034215Z
host;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD
--
String to Sign:
AWS4-HMAC-SHA256
20191031T034215Z
20191031/us-east-1/s3/aws4_request
49fd66dead2dfc009233c802aafdfd188bc8871a053531c452d0cd58845b77ed
--
Authorization Header:
Authorization: AWS4-HMAC-SHA256 Credential=cKc863uvDSWJZZkRijts/20191031/us-east-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=669b2ae3a0897f1ce5074564a255a2b8a9ca3652daf35a1574752866acf97f56
--
AMZ Headers:
x-amz-date: 20191031T034215Z
x-amz-content-sha256: UNSIGNED-PAYLOAD
http://xxxx.xxxx.xxxx.cn/nvrbucket/dog.jpeg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=cKc863uvDSWJZZkRijts/20191031/us-east-1/s3/aws4_request&X-Amz-Date=20191031T034215Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host;x-amz-content-sha256;x-amz-date&X-Amz-Signature=669b2ae3a0897f1ce5074564a255a2b8a9ca3652daf35a1574752866acf97f56
标准流程
Calculating Signature
正确示例
/* 基础环境配置 */
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE,
AWSSecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,
bucket=examplebucket,
object=test.txt,
expires=86400,
region=us-east-1,
/* 正确参考示例 */
--
Canonical Request:
GET
/test.txt
X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20130524T000000Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host
host:examplebucket.s3.amazonaws.com
host
UNSIGNED-PAYLOAD
--
String to Sign:
AWS4-HMAC-SHA256
20130524T000000Z
20130524/us-east-1/s3/aws4_request
3bfa292879f6447bbcda7001decf97f4a54dc650c8942174ae0a9121cf58ad04
--
SigningKey:
signing key = HMAC-SHA256(HMAC-SHA256(HMAC-SHA256(HMAC-SHA256("AWS4" + "<YourSecretAccessKey>","20130524"),"us-east-1"),"s3"),"aws4_request")
--
URL:
https://examplebucket.s3.amazonaws.com/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20130524T000000Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature=aeeed9bbccd4d02ee5c0109b86d86835f995330da4c265957d157751f604d404
修改代码,确保输出与example一致
1、compose_auth_header( )中values->canonicalQueryString为NULL,与示例不符需要赋值,在setup_request()中添加代码
/* request.c && setup_request() */
// Compute the canonicalized resource
canonicalize_resource(¶ms->bucketContext, computed->urlEncodedKey,
computed->canonicalURI,
sizeof(computed->canonicalURI));
snprintf(computed->authCredential, sizeof(computed->authCredential),
"%s%%2F%.8s%%2F%s%%2Fs3%%2Faws4_request", params->bucketContext.accessKeyId,
computed->requestDateISO8601, S3_DEFAULT_REGION);
// compose params
char queryParams[sizeof("X-Amz-Algorithm=AWS4-HMAC-SHA256") +
sizeof("&X-Amz-Credential=") +
sizeof(computed->authCredential) +
sizeof("&X-Amz-Date=") +
sizeof(computed->requestDateISO8601) +
sizeof("&X-Amz-Expires=") + 64 +
sizeof("&X-Amz-SignedHeaders=") +
sizeof(computed->signedHeaders) + 1] = { 0 };
snprintf(queryParams, sizeof(queryParams),
"X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=%s"
"&X-Amz-Date=%s&X-Amz-Expires=%d"
"&X-Amz-SignedHeaders=%s",
computed->authCredential, computed->requestDateISO8601, expires,
computed->signedHeaders);
canonicalize_query_string(queryParams, params->subResource,
computed->canonicalQueryString,
sizeof(computed->canonicalQueryString));
2、去掉对compose_auth_header()中的values->authCredential的重复赋值,上面添加代码时,已经赋值完成,且用%2F替换了‘/’
/* request.c && compose_auth_header() */
len = 0;
values->requestSignatureHex[0] = '\0';
for (i = 0; i < S3_SHA256_DIGEST_LENGTH; i++) {
buf_append(values->requestSignatureHex, "%02x", finalSignature[i]);
}
#if 0
snprintf(values->authCredential, sizeof(values->authCredential),
"%s/%.8s/%s/s3/aws4_request", params->bucketContext.accessKeyId,
values->requestDateISO8601, awsRegion);
#endif
snprintf(values->authorizationHeader,
sizeof(values->authorizationHeader),
"Authorization: AWS4-HMAC-SHA256 Credential=%s,SignedHeaders=%s,Signature=%s",
values->authCredential, values->signedHeaders,
values->requestSignatureHex);
3、去掉canonicalize_signature_headers()中对amzHeader的多余添加
/* request.c && canonicalize_signature_headers() */
// Make a copy of the headers that will be sorted
const char *sortedHeaders[S3_MAX_METADATA_COUNT + 3];
#if 0
memcpy(sortedHeaders, values->amzHeaders,
(values->amzHeadersCount * sizeof(sortedHeaders[0])));
// add the content-type header and host header
int headerCount = values->amzHeadersCount;
#else
int headerCount = 0;
#endif
if (values->contentTypeHeader[0]) {
sortedHeaders[headerCount++] = values->contentTypeHeader;
}
完成上述环境配置和代码修改,即可实现gqs命令的正确URL输出,协议对比符合预期且URL可以访问,不过在重新进行put,list等其他命令时发生“SignatureDoesNotMatch”错误,为了保持对原命令的兼容性,该部分修改需为gqs命令单独执行。
总结
以上是几个关键点的修改,完成修改优化并通过测试的libs3库,已放入地址https://github.com/Doawen/protocol-libs3-c.git可参考。
