createPresignedRequest return 403 when using Server-Side Encryption with Customer Key

[zishanj]

I am trying to encrypt the file while uploading using server-side encryption with customer key. I am generating pre-signed url with createPresignedRequest and then using xhr in javascript to upload the file on my bucket.

Following are my sample code in PHP:

$command = $s3Client->getCommand( 'putObject', [
          'Bucket' => $bucket,
          'Key' => $filename,
          'ContentType' => $contentType,
          'Body' => '',
          'SSECustomerKey' => $datakey,
          'SSECustomerAlgorithm' => 'AES256'
        ] );
$request = $s3Client->createPresignedRequest( $command, '+5 minutes' );

I then return the uri along with header back to my ajax request in browser like this:

wp_send_json([
          'method' => $request->getMethod(),
          'url' => (string) $request->getUri(),
          'fields' => [],
          'headers' => [
            'x-amz-server-side-encryption-customer-key' => base64_encode( $datakey ), 
            'x-amz-server-side-encryption-customer-algorithm' => 'AES256',
          ],
        ]);

When I send the xhr request I can see the header information correctly sent to my S3 endpoint but I am still receiving 403 SignatureDoesNotMatch error. Am I missing something?

[zishanj]

any update?

[yenfryherrerafeliz]

Hi @zishanj , I hope you are doing well!

Could you please let me know if when creating the command you are passing the encryption key base64 encoded?, if so, please try it without encoding it. Also according with the documentation found here, you should include all the headers returned from the pre-signed request when sending the request. For example in the sample code provided I can see that one of the headers could be missing, which is x-amz-server-side-encryption-customer-key-MD5, so could you please also include this header in your request. You can check the headers returned from the pre-signed request by calling this method “$request->getHeaders()”.

Please if you have any questions just let me know.

Thank you!

[github-actions[bot]]

This issue has not recieved a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

[zishanj]

I have tried it today, removed base64_encode and added x-amz-server-side-encryption-customer-key-MD5 also but still receiving 403 error. In my browser console I am also receiving this error:
Access to XMLHttpRequest at ...... from origin ....... has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I have checked the CORS policy on my bucket but its allowed from all /.

[stobrien89]

Hi @zishanj,

Would you be able to share your CORS configuration? Please redact any sensitive information, if applicable.

[zishanj]

This is what I have:

<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><CORSRule><AllowedMethod>GET</AllowedMethod><AllowedMethod>PUT</AllowedMethod><AllowedMethod>DELETE</AllowedMethod><AllowedMethod>HEAD</AllowedMethod><AllowedMethod>POST</AllowedMethod><AllowedOrigin>*</AllowedOrigin><AllowedHeader>*</AllowedHeader></CORSRule></CORSConfiguration>

[zishanj]

Just to let you know that SSE works fine when I upload file directly with MultipartUploader and PutObject. Issue lies with createPresignedRequest when I send the xhr request back.

[yenfryherrerafeliz]

Hi @zishanj,

After a deeper look, I found that the reported issue tends to occur when some of the elements that are used to create the signature of the pre-signed request, are not present or do not contain the right values when executing the request.

In order to find a solution to your problem, could you please provide the following:

• PHP SDK version used.

The reproduction code that I used is:

try {
    $fileName = 'test-file.txt';
    $contentType = 'text/html';
    $bucketName = "your-bucket-name";
    $body = 'your-file-content';
    $encryptionKey = 'your-encryption-key-not-base64-encoded';
    $encryptionAlgorithm = 'your-encryption-algorithm';

    $params = [
        'Bucket' => $bucketName, // Here goes your bucket name
        'Key' => $fileName, // Here goes your files' name
        'ContentType' => $contentType, // Here goes the request content type
        'Body' => $body, // Here goes the content of your file
        /* 
           If for any reason your encryptionKey is base64 encoded so then
           As suggestion you could just replace the line below with this: 'SSECustomerKe => base64_decode($encryptionKey)'
        */
        'SSECustomerKey' => $encryptionKey, // Here goes your encryption key "NOT BASE64 ENCODED".
        'SSECustomerAlgorithm' => $encryptionAlgorithm // Here goes your encryption algorithms. Ex: AES256
    ];

    // Here the command is generated
    $command = $this->s3Client->getCommand('putObject', $params);

    // Here the pre-signed request is created
    $request = $this->s3Client->createPresignedRequest($command, '+5 minutes');

	// Values that are going to be used to perform the request 
    $uri = (string) $request->getUri();
    $method = (string) $request->getMethod();
    $headers = [];

    /*
        Here the headers are created.
        This should create something like this:
        $headers = [
            'Host' => "example-bucket.s3.us-east-2.amazonaws.com",
            'x-amz-server-side-encryption-customer-key' => "fGewaOPESA02tI+MpFnAPnRzIHQLHHli92kPnP102Pm=", // This is not a valid key since it is just a test.
            'x-amz-server-side-encryption-customer-algorithm' => "AES256",
            'x-amz-server-side-encryption-customer-key-MD5' => "5pGN0Fap4MlClR0KP5KtPG==" // This is not a valid key since it is just a test.
        ];
    */
    foreach ($request->getHeaders() as $headerKey => $headerValues){
        $headers[$headerKey] = $headerValues[0];
    }
	
    // And here you send your request
    wp_send_json([
        'method' => $method,
        'url' => $uri,
        'fields' => [],
        'headers' => $headers,
    ]);
    
} catch (AwsException $exception) {
    echo "Exception generated: ${exception}";
}

Thank you!

[zishanj]

I am using version 3.92 and all the fields which you have mentioned have been provided but I am receiving same errors. Can you check at your end with version 3.92 please?

[yenfryherrerafeliz]

Hi @zishanj, I hope you are doing well. I tested with the 3.92 version and I got no issues, so that probably the issue could be something else. Could you please try, if you have not yet, to send the http request in a different way?, like using guzzle. I can provide you with a sample code that you could use as reference:

// Remember to use the following namespaces:
// use GuzzleHttp\Client;
// use GuzzleHttp\Exception\GuzzleException;

$client = new Client(); // Guzzle client.
if ($method == 'PUT') {

    $response = $client->put($uri, array(
        'headers' => $headers
    ));

}

The whole sample code will look like this:

try {
    $fileName = 'test-file.txt';
    $contentType = 'text/html';
    $bucketName = "your-bucket-name";
    $body = 'your-file-content';
    $encryptionKey = 'your-encryption-key-not-base64-encoded';
    $encryptionAlgorithm = 'your-encryption-algorithm';
    $params = [
        'Bucket' => $bucketName, // Here goes your bucket name
        'Key' => $fileName, // Here goes your files' name
        'ContentType' => $contentType, // Here goes the request content type
        'Body' => $body, // Here goes the content of your file
        /*
           If for any reason your encryptionKey is base64 encoded so then
           please just replace the line below with this: 'SSECustomerKe => base64_decode($encryptionKey)'
        */
        'SSECustomerKey' => $encryptionKey, // Here goes your encryption key "NOT BASE64 ENCODED".
        'SSECustomerAlgorithm' => $encryptionAlgorithm // Here goes your encryption algorithms. Ex: AES256
    ];
    // Instance a S3 client
    $s3Client = new S3Client([ 
        'version' => 'latest',
        'region' => 'your-region',
        'credentials' => $credentials // In case they are not configured in your environment already
     ]);
    // Here is where the command is generated
    $command = $s3Client->getCommand('putObject', $params);
    // Here the pre-signed request is created
    $request = $s3Client->createPresignedRequest($command, '+5 minutes');
    // Values to be used for executing the request
    $uri = (string) $request->getUri();
    $method = $request->getMethod();
    $headers = [];
    /*
        Here is where the headers are generated, so you do not have to type then manually in your post-request.
        This should generate something like this:
        $headers = [
           'Host' => "example-bucket.s3.us-east-2.amazonaws.com",
            'x-amz-server-side-encryption-customer-key' => "############################################",
            'x-amz-server-side-encryption-customer-algorithm' => "AES256",
            'x-amz-server-side-encryption-customer-key-MD5' => "########################"
        ];
    */
    foreach ($request->getHeaders() as $headerKey => $headerValues) {
        $headers[$headerKey] = $headerValues[0];
    }
    
    // Here is where we execute the http request
    $client = new Client(); // Guzzle client.
    if ($method == 'PUT') {
        $response = $client->put($uri,
            array(
                'headers' => $headers
            )
        );
        printf("\nStatusCode: %d\nReasonPhrase:%s", $response->getStatusCode(), $response->getReasonPhrase());
    }

} catch (AwsException | GuzzleException $exception) {
    echo "Exception generated: ${exception}";
}

Thank you!

[zishanj]

Thanks for the reply. We are using the javascript fetch api on client side instead of PHP guzzle. This fetch api is used with Uppy.io getUploadParameters of AwsS3 lib.

[ajredniwja]

@zishanj thanks for providing all the information, I believe the problem is not on the SDK side rather seems to be an environment or a third-party library issue. Are you able to use @yenfryherrerafeliz code and get successful results?

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.