S3 presigned_url returns "There were headers present in the request which were not signed" for SSE-C objects

[vdaubry]

Using aws-sdk 3.1.0 I have an issue generating a S3 presigned_url for an object encrypted using SSE-C :

When I try to download though a presigned url request I get the following error : "There were headers present in the request which were not signed"

The header not signed is "x-amz-server-side-encryption-customer-algorithm"

Note : Uploading the object and downloading the object with the SDK works fine.

Here is how I set the SSE headers for the presigned_url :

url = obj.presigned_url(:get,
  sse_customer_algorithm: 'AES256',
  sse_customer_key: cpk)

I get this URL :

"https://testvdaencrypt.s3.eu-west-3.amazonaws.com/sample.mp4?x-amz-server-side-encryption-customer-algorithm=AES256&x-amz-server-side-encryption-customer-key=WKcacyenyoag56XM1mUhpqV6UjWzlTB5xiazyByPqvQ%3D&x-amz-server-side-encryption-customer-key-md5=s3sSGdG2Jj0ISf%2B39oibkA%3D%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA27OSIUJ4LSMJULFQ%2F20230101%2Feu-west-3%2Fs3%2Faws4_request&X-Amz-Date=20230101T202746Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=e781292a4a9081370f9cb582a2551e7945b364601f8a0a9d851159467cd2955d"

Here is how I set the headers for the HTTP request :

request = Net::HTTP::Get.new(uri.request_uri, {
  "x-amz-server-side-encryption-customer-algorithm" => 'AES256',
  "x-amz-server-side-encryption-customer-key" => Base64.encode64(cpk),
  "x-amz-server-side-encryption-customer-key-MD5" => Base64.encode64(OpenSSL::Digest::MD5.digest(cpk))
})
resp = http.request(request)
puts resp.body

The full error is :

<Error>
    <Code>AccessDenied</Code>
    <Message>There were headers present in the request which were not signed</Message>
    <HeadersNotSigned>x-amz-server-side-encryption-customer-algorithm</HeadersNotSigned>
    <RequestId>5NJX8JCYJSVGNQS8</RequestId>
    <HostId>Sr1neBYRKssY+mMApAqs73VMTwxF6p8XWCv+ct9tI/pxHvXusz43xnT6ZMM2A8gSnkHvH/DB3XE=</HostId>
</Error>

I read the doc about header formating but I dont understand what I'm doing wrong... https://docs.amazonaws.cn/en_us/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html

Can anybody help ?

Here is the full script to reproduce the issue :

require 'aws-sdk'
require 'openssl'

bucket_name = 'testvdaencrypt'
object_key = 'mytestkey'
region = 'eu-west-3'

Aws.config.update(
  {
    credentials: Aws::Credentials.new(
      ENV["AWS_ACCESS_KEY_ID"],
      ENV["AWS_SECRET_ACCESS_KEY"]
    ),
    region: region
  }
)

# customer provided key
cpk = OpenSSL::Cipher::AES.new(256, :CBC).random_key

# upload an object with SSE-C
obj = Aws::S3::Object.new(bucket_name, object_key)
obj.put(
  body: 'Hello World!',
  sse_customer_algorithm: 'AES256',
  sse_customer_key: cpk)

# download the object
obj.get(sse_customer_algorithm: 'AES256', sse_customer_key: cpk).body.read
#=> 'Hello World!'

# generate a presigned url
url = obj.presigned_url(:get,
  sse_customer_algorithm: 'AES256',
  sse_customer_key: cpk)

# GET the encrypted object via Net::HTTP
uri = URI.parse(url)
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
request = Net::HTTP::Get.new(uri.request_uri, {
  "x-amz-server-side-encryption-customer-algorithm" => 'AES256',
  "x-amz-server-side-encryption-customer-key" => Base64.encode64(cpk),
  "x-amz-server-side-encryption-customer-key-MD5" => Base64.encode64(OpenSSL::Digest::MD5.digest(cpk))
})
resp = http.request(request)
puts resp.body

=> <Error><Code>AccessDenied</Code><Message>There were headers present in the request which were not signed</Message><HeadersNotSigned>x-amz-server-side-encryption-customer-algorithm</HeadersNotSigned><RequestId>5NJX8JCYJSVGNQS8</RequestId><HostId>Sr1neBYRKssY+mMApAqs73VMTwxF6p8XWCv+ct9tI/pxHvXusz43xnT6ZMM2A8gSnkHvH/DB3XE=</HostId></Error>

[mullermp]

Thanks for opening up a discussion. I think for your request, you do not need to send the x-amz-server-side-encryption-customer-* headers because they are already hoisted onto the URL (they are query parameters). They are not in the X-Amz-SignedHeaders query param. Can you try your request without those headers? You can also try the presigned_request method instead - it returns a tuple of the URL and the headers to send with it. The URL from this method would have those headers signed but not hoisted.

[vdaubry]

It works if I remove x-amz-server-side-encryption-customer-algorithm !

For info :

• it fails if I remove x-amz-server-side-encryption-customer-key
• it works with, and without, x-amz-server-side-encryption-customer-key-MD5

Thanks a lot for your help!

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.