
REST debug info reported by versitygw after signature mismatch is incomplete

Open lrm25 opened this issue 5 months ago • 0 comments

Describe the bug

When sending REST messages directly to S3, and having a signature mismatch error, something like the following is returned:

<?xml version="1.0" encoding="UTF-8"?>
   <Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>{key id}</AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256
   20240901T134549Z
   20240901/us-east-1/s3/aws4_request
   3e29be8defcf83da93e425e7f75736406185e0952e00ad48270359e54b4367d1</StringToSign><SignatureProvided>6bcbe7dd2371ac0cd8a6611f041eb86ab49bbe4cd0713345a1424f3fc3f269c9</SignatureProvided><StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 34 30 39 30 31 54 31 33 34 35 34 39 5a 0a 32 30 32 34 30 39 30 31 2f 75 73 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 33 65 32 39 62 65 38 64 65 66 63 66 38 33 64 61 39 33 65 34 32 35 65 37 66 37 35 37 33 36 34 30 36 31 38 35 65 30 39 35 32 65 30 30 61 64 34 38 32 37 30 33 35 39 65 35 34 62 34 33 36 37 64 31</StringToSignBytes><CanonicalRequest>GET
   /
   
   host:s3.amazonaws.com
   x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
   x-amz-date:20240901T134549Z
   
   host;x-amz-content-sha256;x-amz-date
   e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest><CanonicalRequestBytes>47 45 54 0a 2f 0a 0a 68 6f 73 74 3a 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 32 34 30 39 30 31 54 31 33 34 35 34 39 5a 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35</CanonicalRequestBytes><RequestId>KKMDX969ZKGE8DWD</RequestId><HostId>iK9sc4292a4a02Rbir+SvlXi8sZ+brwRtPR8ERKb9XvwZYEmqQZ9TAu3mHgQ7EAqOoqlBfncNiI=</HostId></Error>

This debug info contains:

  • the canonical request string with the expected payload hash
  • the STS (security token) string with the expected hash calculated from the canonical request string

On the other hand, when sending REST commands to versitygw, only the following is returned:

<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><Resource></Resource><RequestId></RequestId><HostId></HostId></Error>

To Reproduce

  1. Start versitygw, e.g.: ROOT_ACCESS_KEY=<key> ROOT_SECRET_KEY=<key> ./versitygw --cert $PWD/cert.pem --key $PWD/versitygw.pem --iam-dir=$PWD/users --iam-dir=$PWD posix /tmp/gw
  2. Send a dummy curl command to the server, e.g.: curl -vk https://127.0.0.1:7070 -H "Authorization: AWS4-HMAC-SHA256 Credential=<access key>/<YYYYMMDD>/us-east-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=1234567890" -H "x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" -H "x-amz-date: <YYYYMMDDTHHMMSSZ>"

Expected behavior

As with direct to s3, server should provide more detailed error and debugging info.

Server Version

Version  : v1.0.5
Build    : c8ad871
BuildTime: 2024-09-01_02:48:04PM
Darwin Lukes-MacBook-Pro.local 23.4.0 Darwin Kernel Version 23.4.0: Fri Mar 15 00:12:25 PDT 2024; root:xnu-10063.101.17~1/RELEASE_ARM64_T6030 arm64

lrm25, Sep 01 '24 14:09
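How the StringToSign and CanonicalRequest fields in the S3 response above relate to each other, and what a mismatch report built from them looks like, as an added example (not part of the issue and not versitygw's code). The function names and the `EXAMPLE-SECRET` key are assumptions made for illustration; the request values are the ones shown in the issue.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Values copied from the S3 response in the issue: the empty-payload hash and the CanonicalRequest.
const emptyHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
const IssueCanonicalRequest = "GET\n/\n\nhost:s3.amazonaws.com\nx-amz-content-sha256:" + emptyHash +
	"\nx-amz-date:20240901T134549Z\n\nhost;x-amz-content-sha256;x-amz-date\n" + emptyHash

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// StringToSign joins algorithm, timestamp, credential scope and the canonical request's SHA-256.
func StringToSign(amzDate, region, canonical string) string {
	scope := amzDate[:8] + "/" + region + "/s3/aws4_request"
	return fmt.Sprintf("AWS4-HMAC-SHA256\n%s\n%s\n%x", amzDate, scope, sha256.Sum256([]byte(canonical)))
}

// Signature derives the SigV4 signing key from the secret and signs the string to sign.
func Signature(secret, amzDate, region, sts string) string {
	key := []byte("AWS4" + secret)
	for _, part := range []string{amzDate[:8], region, "s3", "aws4_request"} {
		key = hmacSHA256(key, part)
	}
	return fmt.Sprintf("%x", hmacSHA256(key, sts))
}

// MismatchReport returns "" when the provided signature verifies. Otherwise it returns the
// fields S3 echoes back: the signature the client sent, never the one the server calculated.
func MismatchReport(secret, amzDate, region, canonical, provided string) string {
	sts := StringToSign(amzDate, region, canonical)
	if hmac.Equal([]byte(Signature(secret, amzDate, region, sts)), []byte(provided)) {
		return ""
	}
	return fmt.Sprintf("StringToSign:\n%s\nSignatureProvided: %s\nCanonicalRequest:\n%s", sts, provided, canonical)
}

func main() {
	// "EXAMPLE-SECRET" is a constructed placeholder; "1234567890" is the issue's dummy signature.
	fmt.Println(MismatchReport("EXAMPLE-SECRET", "20240901T134549Z", "us-east-1",
		IssueCanonicalRequest, "1234567890"))
}
```

Comparing the last line of a returned StringToSign with the SHA-256 of the canonical request the client built locally shows whether the disagreement is in canonicalization or in the key.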