Signature calculation fails for an S3 bucket upload using curl.

Time: 2018-09-28 15:09:15

Tags: amazon-web-services curl amazon-s3

I am uploading an object to an S3 bucket using curl and openssl (I must use them, as required). Please find below my script for uploading the file.

#!/bin/bash -e

# Upload a file to AWS S3.
AWS_ACCESS_KEY_ID="abc"
AWS_SECRET_ACCESS_KEY="xyzxyz"
file="test.txt"
bucket="teamfelgen"
prefix="test"
region="us-east-1"
timestamp=$(date -u "+%Y-%m-%d %H:%M:%S")
signed_headers="date;host;x-amz-acl;x-amz-content-sha256;x-amz-date"

# The same instant rendered in the three formats SigV4 needs.
iso_timestamp=$(date -ud "${timestamp}" "+%Y%m%dT%H%M%SZ")
date_scope=$(date -ud "${timestamp}" "+%Y%m%d")
date_header=$(date -ud "${timestamp}" "+%a, %d %h %Y %T %Z")

# Hex SHA-256 of the file being uploaded.
payload_hash() {
  local output=$(shasum -ba 256 "$file")
  echo "${output%% *}"
}

# Canonical request: method, URI, query (empty), canonical headers,
# blank line, signed header list, payload hash (no trailing newline).
canonical_request() {
  echo "PUT"
  echo "/${prefix}/${file}"
  echo ""
  echo "date:${date_header}"
  echo "host:s3.company-rook.com"
  echo "x-amz-acl:public-read"
  echo "x-amz-content-sha256:$(payload_hash)"
  echo "x-amz-date:${iso_timestamp}"
  echo ""
  echo "${signed_headers}"
  printf "$(payload_hash)"
}

canonical_request_hash() {
  local output=$(canonical_request | shasum -a 256)
  echo "${output%% *}"
}

# String to sign: algorithm, timestamp, credential scope, hash of the canonical request.
string_to_sign() {
  echo "AWS4-HMAC-SHA256"
  echo "${iso_timestamp}"
  echo "${date_scope}/${region}/s3/aws4_request"
  printf "$(canonical_request_hash)"
}

# Four-step HMAC chain that derives the signing key from the secret key.
signature_key() {
  local secret=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | hex_key)
  local date_key=$(printf ${date_scope} | hmac_sha256 "${secret}" | hex_key)
  local region_key=$(printf ${region} | hmac_sha256 "${date_key}" | hex_key)
  local service_key=$(printf "s3" | hmac_sha256 "${region_key}" | hex_key)
  printf "aws4_request" | hmac_sha256 "${service_key}" | hex_key
}

# Binary -> hex on one line.
hex_key() {
  xxd -p -c 256
}

# HMAC-SHA256 of stdin with a hex-encoded key, binary output.
hmac_sha256() {
  local hexkey=$1
  openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:${hexkey}
}

signature() {
  string_to_sign | hmac_sha256 $(signature_key) | hex_key | sed "s/^.* //"
}

curl -vk \
  -T "${file}" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID?}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(signature)" \
  -H "Date: ${date_header}" \
  -H "x-amz-acl: public-read" \
  -H "x-amz-content-sha256: $(payload_hash)" \
  -H "x-amz-date: ${iso_timestamp}" \
  "https://s3.company-rook.com/${bucket}/${prefix}/${file}"

The problem here is computing the authorization signature. Even when I compute the hash given in the AWS v4 test suite, it is incorrect.

Please find below how I compute the hash. The canonical request is copied from the Amazon example and stored in the file get-vanilla-query-order-key-case.creq.

GET
/
Param1=value1&Param2=value2
host:example.amazonaws.com
x-amz-date:20150830T123600Z

host;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Now, if I compute the hash, it differs from the hash Amazon computes. Please find below the two computations.

C:\project\script>openssl dgst -sha256 get-vanilla-query-order-key-case.creq
SHA256(get-vanilla-query-order-key-case.creq)= 9e487d40177520aed8763d24c77c7179f67622debbd2b8188d93138ba6748ade

$ shasum -a 256 get-vanilla-query-order-key-case.creq
9e487d40177520aed8763d24c77c7179f67622debbd2b8188d93138ba6748ade *get-vanilla-query-order-key-case.creq

I need your advice on what is going wrong here.

Note: if I run the awscli command in debug mode and use its signature, then the curl command works.
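A way to cross-check a hand-rolled SigV4 signer like the script above is to reproduce the same steps with a reference implementation and compare the intermediate strings, not just the final signature. The following Python example is added here and is not part of the question or of any AWS tool; it uses only the standard library's hashlib and hmac (the Python equivalents of the script's shasum and openssl pipeline). It rebuilds the test-suite canonical request quoted in the question from its parts, derives the signing key with the same four-step HMAC chain as signature_key(), and shows two things a practitioner would check first: that hashing the .creq text with one extra trailing newline (which many editors add when saving a file) gives a different digest than hashing the text as quoted, and that a path-style S3 PUT's canonical URI has to be the full path curl actually sends (/bucket/prefix/file). The secret key is the placeholder from AWS's own documentation examples, the payload is a constructed byte string, and the date header and host value are taken from the script's own settings.

```python
import hashlib
import hmac

# SHA-256 of an empty payload; this is the last line of the test-suite canonical
# request quoted in the question (e3b0c442...b855).
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# The get-vanilla-query-order-key-case canonical request exactly as quoted in the
# question. Note that it ends with the payload hash and has NO trailing newline.
TEST_SUITE_CREQ = (
    "GET\n"
    "/\n"
    "Param1=value1&Param2=value2\n"
    "host:example.amazonaws.com\n"
    "x-amz-date:20150830T123600Z\n"
    "\n"
    "host;x-amz-date\n"
    + EMPTY_SHA256
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    """Raw HMAC-SHA256, the equivalent of `openssl dgst -binary -sha256 -mac HMAC`."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, path: str, query: str, headers: dict, payload_hash: str) -> str:
    """Assemble a SigV4 canonical request.

    Header names are lowercased and sorted, runs of spaces inside values are
    collapsed, and every canonical header line ends in a newline. Joining the
    parts with "\\n" then yields the blank line before the signed-headers list.
    """
    canon = {name.lower().strip(): " ".join(value.split()) for name, value in headers.items()}
    names = sorted(canon)
    canonical_headers = "".join(f"{name}:{canon[name]}\n" for name in names)
    signed_headers = ";".join(names)
    return "\n".join([method, path, query, canonical_headers, signed_headers, payload_hash])


def string_to_sign(iso_timestamp: str, scope: str, creq: str) -> str:
    return "\n".join(["AWS4-HMAC-SHA256", iso_timestamp, scope, sha256_hex(creq.encode("utf-8"))])


def signing_key(secret: str, date_scope: str, region: str, service: str) -> bytes:
    """Same four-step HMAC chain as signature_key() in the script, kept as raw bytes."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_scope)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign(secret: str, date_scope: str, region: str, service: str, iso_timestamp: str, creq: str) -> str:
    """Hex signature of the string to sign under the derived signing key."""
    scope = f"{date_scope}/{region}/{service}/aws4_request"
    sts = string_to_sign(iso_timestamp, scope, creq)
    key = signing_key(secret, date_scope, region, service)
    return hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def creq_hashes(creq: str) -> tuple:
    """(digest of creq, digest of creq plus one trailing newline).

    A .creq saved by an editor that appends a final newline contains different
    bytes than the text the test suite hashed, so the two digests differ."""
    return sha256_hex(creq.encode("utf-8")), sha256_hex((creq + "\n").encode("utf-8"))


def s3_put_canonical_request(bucket, prefix, filename, host, date_header, iso_timestamp, payload: bytes) -> str:
    """Canonical request for a path-style S3 PUT, built from the same values that
    go on the wire. The canonical URI is the full request path, /bucket/prefix/file."""
    payload_hash = sha256_hex(payload)
    headers = {
        "date": date_header,
        "host": host,
        "x-amz-acl": "public-read",
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": iso_timestamp,
    }
    return canonical_request("PUT", f"/{bucket}/{prefix}/{filename}", "", headers, payload_hash)


if __name__ == "__main__":
    # Placeholder secret from AWS's documentation examples, not a real key.
    secret = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
    print(creq_hashes(TEST_SUITE_CREQ))
    print(sign(secret, "20150830", "us-east-1", "service", "20150830T123600Z", TEST_SUITE_CREQ))
    # Constructed payload b"hello\n"; host and bucket/prefix/file as in the script.
    print(s3_put_canonical_request("teamfelgen", "test", "test.txt", "s3.company-rook.com",
                                   "Fri, 28 Sep 2018 15:09:15 UTC", "20180928T150915Z", b"hello\n"))
```

Comparing the string produced by canonical_request() with the one the shell function emits (for example by diffing the two outputs) pinpoints which of the three inputs, canonical request, string to sign or signing key, diverges, which is far quicker than comparing final signatures.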

0 answers:

No answers