Hi, I'm currently developing a proxy that catches the requests coming from the aws-cli. The cli configuration is the same as the proxy (creds), only the endpoint is different. The process is:
Here is the following code that calculates and compares the signature from the request:

```go
package proxy

import (
	"crypto/hmac"
	"log/slog"
	"net/http"
	"time"

	"github.com/aws/aws-sdk-go-v2/aws"
	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
)

// Client holds the proxy's aws.Config (same credentials as the CLI, different endpoint).
// The struct definition is assumed; only the method below was posted.
type Client struct {
	Config aws.Config
}

// ValidateRequestSignature re-signs the incoming request with the proxy's own
// credentials and compares the result with the signature the client sent.
func (c *Client) ValidateRequestSignature(r *http.Request) (bool, error) {
	// Read the client's signature before SignHTTP overwrites the Authorization header.
	got, err := v4.GetSignedRequestSignature(r)
	if err != nil {
		slog.Error("failed to retrieve request signature", "error", err.Error())
		return false, err
	}
	credentials, err := c.Config.Credentials.Retrieve(r.Context())
	if err != nil {
		slog.Error("failed to retrieve S3 credentials", "error", err.Error())
		return false, err
	}
	// Sign with the client's own timestamp. A malformed X-Amz-Date can never
	// verify, so it is reported as an error instead of falling back to time.Now().
	t, err := time.Parse("20060102T150405Z", r.Header.Get("X-Amz-Date"))
	if err != nil {
		slog.Error("invalid X-Amz-Date header", "error", err.Error())
		return false, err
	}
	// SignHTTP signs every header present on r except the signer's built-in ignore
	// list, so Accept-Encoding (sent by the CLI but not signed by it) is added to
	// SignedHeaders and the recomputed signature differs from the client's.
	if err := v4.NewSigner().SignHTTP(r.Context(), credentials, r, r.Header.Get("X-Amz-Content-Sha256"), "s3", c.Config.Region, t); err != nil {
		slog.Error("failed to sign request", "error", err.Error())
		return false, err
	}
	want, err := v4.GetSignedRequestSignature(r)
	if err != nil {
		slog.Error("failed to retrieve new request signature", "error", err.Error())
		return false, err
	}
	// Constant-time comparison of the two signatures.
	return hmac.Equal(got, want), nil
}
```

The headers coming from the client:

```json
{
  "Accept-Encoding": [
    "identity"
  ],
  "Authorization": [
    "AWS4-HMAC-SHA256 Credential=b9112b64d9044ab5bc7461e777e3a86e/20240522/rbx/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=6afffb27b82896d4ba701e988c1963c54050591db895fba8b90e82362e22b5c4"
  ],
  "User-Agent": [
    "aws-cli/2.15.55 md/awscrt#0.19.19 ua/2.0 os/linux#5.15.152-ovh-vps-grsec-zfs-classid md/arch#x86_64 lang/python#3.11.8 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#debian.12 md/prompt#off md/command#s3.ls"
  ],
  "X-Amz-Content-Sha256": [
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
  ],
  "X-Amz-Date": [
    "20240522T102451Z"
  ]
}
```

The headers after re-signing:

```json
{
  "Accept-Encoding": [
    "identity"
  ],
  "Authorization": [
    "AWS4-HMAC-SHA256 Credential=b9112b64d9044ab5bc7461e777e3a86e/20240522/rbx/s3/aws4_request, SignedHeaders=accept-encoding;host;x-amz-content-sha256;x-amz-date, Signature=be83021bf3dde5bd3073fcf1bee1ea53bf6cd7b59369b2025b33d2988f16446d"
  ],
  "User-Agent": [
    "aws-cli/2.15.55 md/awscrt#0.19.19 ua/2.0 os/linux#5.15.152-ovh-vps-grsec-zfs-classid md/arch#x86_64 lang/python#3.11.8 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#debian.12 md/prompt#off md/command#s3.ls"
  ],
  "X-Amz-Content-Sha256": [
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
  ],
  "X-Amz-Date": [
    "20240522T102451Z"
  ]
}
```

You can see in the headers that the signatures don't match: a header has been added to the signed headers list in the re-signed version.

CLI version: 2.15.55

SDK modules:
github.com/aws/aws-sdk-go-v2 v1.27.0
github.com/aws/aws-sdk-go-v2/config v1.27.15
github.com/aws/aws-sdk-go-v2/credentials v1.17.15
github.com/aws/aws-sdk-go-v2/service/s3 v1.54.2

Go version: 1.22.2
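The following is an added example, not code from the discussion above or from aws-sdk-go-v2. It implements the relevant part of SigV4 with the standard library only, so that the cause of the mismatch can be reproduced offline: the client's Authorization header already declares which headers were signed, and a validating proxy has to recompute the signature over exactly that set rather than over every header present on the request (which is what pulls `accept-encoding` into the re-signed version). The access key, secret key and host name are constructed; the region, service, `X-Amz-Date`, payload hash and signed-header set are the ones from the post. `naiveMatches` reproduces the original validator's behaviour of signing all headers; `ValidateSignature` is the corrected check. Query-string canonicalisation and URI escaping are left out because the `s3 ls` request needs neither.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Constructed credentials for the example; region, service and payload hash are the post's.
const (
	accessKey        = "EXAMPLEACCESSKEY"
	secretKey        = "EXAMPLESECRETKEY"
	region           = "rbx"
	service          = "s3"
	emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" // SHA-256("")
)

func hmacSHA256(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}
// sigV4Signature signs r over exactly the lower-case header names in signedHeaders (no query or path escaping).
func sigV4Signature(r *http.Request, signedHeaders []string, payloadHash, amzDate string) string {
	sort.Strings(signedHeaders)
	var canonicalHeaders strings.Builder
	for _, name := range signedHeaders {
		val := r.Header.Get(name)
		if name == "host" { // a client-side request keeps Host in r.Host, not in r.Header
			val = r.Host
		}
		canonicalHeaders.WriteString(name + ":" + strings.TrimSpace(val) + "\n")
	}
	canonicalRequest := strings.Join([]string{r.Method, r.URL.Path, r.URL.RawQuery,
		canonicalHeaders.String(), strings.Join(signedHeaders, ";"), payloadHash}, "\n")
	crHash := sha256.Sum256([]byte(canonicalRequest))
	dateStamp := strings.SplitN(amzDate, "T", 2)[0] // "20240522T102451Z" -> "20240522"
	scope := dateStamp + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(crHash[:])}, "\n")
	k := hmacSHA256([]byte("AWS4"+secretKey), dateStamp) // kDate -> kRegion -> kService -> kSigning
	for _, step := range []string{region, service, "aws4_request"} {
		k = hmacSHA256(k, step)
	}
	return hex.EncodeToString(hmacSHA256(k, stringToSign))
}

// parseAuthorization extracts SignedHeaders and Signature from an AWS4-HMAC-SHA256 header value.
func parseAuthorization(authz string) (signedHeaders []string, signature string, err error) {
	fields := map[string]string{}
	for _, part := range strings.Split(strings.TrimPrefix(authz, "AWS4-HMAC-SHA256 "), ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=")
		fields[k] = v
	}
	if fields["SignedHeaders"] == "" || fields["Signature"] == "" {
		return nil, "", fmt.Errorf("not a usable AWS4-HMAC-SHA256 Authorization header")
	}
	return strings.Split(fields["SignedHeaders"], ";"), fields["Signature"], nil
}

// ValidateSignature recomputes the signature over the header set the client declared, so an
// unsigned header such as Accept-Encoding cannot cause a mismatch, and compares in constant time.
func ValidateSignature(r *http.Request) (bool, error) {
	signedHeaders, got, err := parseAuthorization(r.Header.Get("Authorization"))
	if err != nil {
		return false, err
	}
	want := sigV4Signature(r, signedHeaders, r.Header.Get("X-Amz-Content-Sha256"), r.Header.Get("X-Amz-Date"))
	return hmac.Equal([]byte(want), []byte(got)), nil
}
// naiveMatches is what the original validator did: re-sign every header present (accept-encoding included).
func naiveMatches(r *http.Request) bool {
	_, got, _ := parseAuthorization(r.Header.Get("Authorization"))
	want := sigV4Signature(r, []string{"accept-encoding", "host", "x-amz-content-sha256", "x-amz-date"},
		r.Header.Get("X-Amz-Content-Sha256"), r.Header.Get("X-Amz-Date"))
	return hmac.Equal([]byte(want), []byte(got))
}

// clientRequest rebuilds the `aws s3 ls` request from the post (host constructed): Accept-Encoding
// is sent, but only host, x-amz-content-sha256 and x-amz-date are signed, as the CLI did.
func clientRequest() *http.Request {
	r, _ := http.NewRequest("GET", "https://s3.rbx.example.test/", nil)
	r.Header.Set("Accept-Encoding", "identity")
	r.Header.Set("X-Amz-Content-Sha256", emptyPayloadHash)
	r.Header.Set("X-Amz-Date", "20240522T102451Z")
	sig := sigV4Signature(r, []string{"host", "x-amz-content-sha256", "x-amz-date"}, emptyPayloadHash, "20240522T102451Z")
	r.Header.Set("Authorization", fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/20240522/%s/%s/aws4_request, "+
		"SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=%s", accessKey, region, service, sig))
	return r
}

func main() {
	r := clientRequest()
	ok, err := ValidateSignature(r)
	fmt.Println("over the client's SignedHeaders:", ok, err, "| over every header:", naiveMatches(r))
}
```

With the SDK signer the same idea applies: hand `SignHTTP` a copy of the request that carries only the headers named in the client's `SignedHeaders` (plus `Host`), since the signer decides the signed set from the headers it sees and offers no option to name them directly. The comparison stays constant-time in both versions, and a header the client did not sign is free to change without affecting the verdict, which is the expected SigV4 behaviour rather than a weakness.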
Replies: 2 comments
I've recrafted the way the signature is calculated to match my needs.
Hello! Reopening this discussion to make it searchable.