[ https://issues.apache.org/jira/browse/HDDS-12935?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17949193#comment-17949193 ]
Wei-Chiu Chuang commented on HDDS-12935:
----------------------------------------

Other than using http endpoint, is there any other workaround?

> Fix S3G signature mismatch for STREAMING-UNSIGNED-PAYLOAD-TRAILER
> -----------------------------------------------------------------
>
>                 Key: HDDS-12935
>                 URL: https://issues.apache.org/jira/browse/HDDS-12935
>             Project: Apache Ozone
>          Issue Type: Sub-task
>            Reporter: Ivan Andika
>            Assignee: Ivan Andika
>            Priority: Major
>              Labels: pull-request-available
>
> HDDS-12488 fixes the issue where the AWS checksum trailer data is silently
> appended to the final payload. This works for the http endpoint, which will by
> default provide a signed payload (i.e. x-amz-content-sha256 is set to the
> payload signature).
> When the request is sent against the https endpoint, the x-amz-content-sha256 is
> set to STREAMING-UNSIGNED-PAYLOAD-TRAILER. HDDS-12488 handled it by using the
> string "UNSIGNED-PAYLOAD" when building the canonical request
> (StringToSignProducer#buildCanonicalRequest) as specified in
> https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html.
> However, this causes a mismatch between the AWS SDK canonical request and
> the calculated canonical request, which results in a signature mismatch and all
> PutObject requests for the newer AWS SDK version to fail.
> Did manual testing
> AWS CLI canonical request
> {code}
> PUT
> /ivan-bucket/test4.txt
> content-encoding:aws-chunked
> host:<redacted>
> x-amz-content-sha256:STREAMING-UNSIGNED-PAYLOAD-TRAILER
> x-amz-date:20250430T071131Z
> x-amz-decoded-content-length:5
> x-amz-sdk-checksum-algorithm:CRC64NVME
> x-amz-trailer:x-amz-checksum-crc64nvme
> content-encoding;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-sdk-checksum-algorithm;x-amz-trailer
> STREAMING-UNSIGNED-PAYLOAD-TRAILER
> {code}
> Ozone canonical request
> {code}
> PUT
> /ivan-bucket/test4.txt
> content-encoding:aws-chunked
> host:<redacted>
> x-amz-content-sha256:STREAMING-UNSIGNED-PAYLOAD-TRAILER
> x-amz-date:20250430T071131Z
> x-amz-decoded-content-length:5
> x-amz-sdk-checksum-algorithm:CRC64NVME
> x-amz-trailer:x-amz-checksum-crc64nvme
> content-encoding;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-sdk-checksum-algorithm;x-amz-trailer
> UNSIGNED-PAYLOAD
> {code}
> AWS CLI StrToSign
> {code}
> AWS4-HMAC-SHA256
> 20250430T065600Z
> 20250430/us-east-1/s3/aws4_request
> a3b489c10cf8e4878c7d7b870d3eda15c9c17f52541bd4742361a538c2b458fe
> {code}
> Ozone StrToSign
> {code}
> AWS4-HMAC-SHA256
> 20250430T065600Z
> 20250430/us-east-1/s3/aws4_request
> cb995d592067f026dc30bb4416340afa7e9d38abee57e8e8a44a5604380a22ab
> {code}
> The correct behavior seems to be to use the "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
> instead of "UNSIGNED-PAYLOAD" when building the canonical request.
> Ref:
> https://github.com/aws/aws-sdk-java-v2/blob/f6adeaa5b24a4c203106d122647537f83a5ecfbc/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAwsS3V4Signer.java#L206
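The mismatch described in the issue, as an added example that is not part of the original message or of Ozone's code: a minimal SigV4 header-signing computation in which the server recomputes the signature with either the x-amz-content-sha256 header value or "UNSIGNED-PAYLOAD" as the last canonical-request line. The host, secret key and helper names are constructed placeholders, so the digests will not match the ones quoted in the issue.

```python
import hashlib
import hmac

# Constructed request modelled on the canonical requests quoted in the issue.
# Host and secret key are placeholders; helper names are this example's own.
HEADERS = {
    "content-encoding": "aws-chunked",
    "host": "s3g.example.test",
    "x-amz-content-sha256": "STREAMING-UNSIGNED-PAYLOAD-TRAILER",
    "x-amz-date": "20250430T071131Z",
    "x-amz-decoded-content-length": "5",
    "x-amz-sdk-checksum-algorithm": "CRC64NVME",
    "x-amz-trailer": "x-amz-checksum-crc64nvme",
}
SECRET = "constructed-secret-key"
SCOPE = "20250430/us-east-1/s3/aws4_request"

def canonical_request(method, uri, headers, payload_hash, query=""):
    # SigV4 layout: method, URI, query, headers block, signed-header list, payload hash.
    names = sorted(headers)
    block = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    return "\n".join([method, uri, query, block, ";".join(names), payload_hash])

def string_to_sign(amz_date, scope, canon):
    digest = hashlib.sha256(canon.encode()).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])

def signature(secret, scope, sts):
    # Derive the signing key by chaining HMAC over date, region, service, terminator.
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def sign(payload_hash):
    canon = canonical_request("PUT", "/ivan-bucket/test4.txt", HEADERS, payload_hash)
    return signature(SECRET, SCOPE, string_to_sign(HEADERS["x-amz-date"], SCOPE, canon))

def server_accepts(client_sig, payload_hash):
    # Server side: recompute with its own choice of last line, compare in constant time.
    return hmac.compare_digest(client_sig, sign(payload_hash))

# Client signs with the x-amz-content-sha256 header value as the last line.
CLIENT_SIG = sign(HEADERS["x-amz-content-sha256"])

if __name__ == "__main__":
    print("header value used verbatim:", server_accepts(CLIENT_SIG, HEADERS["x-amz-content-sha256"]))
    print("UNSIGNED-PAYLOAD substituted:", server_accepts(CLIENT_SIG, "UNSIGNED-PAYLOAD"))
```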