Utilising SSEC with PreSignedRequests - PHP

Good morning,

I am in the process of evaluating Object Storage for use in a few projects I have going on, I'm interested in utilising SSEC for storing the objects, this appears to be working as expected.

I'm utilising aws-sdk-php v3.271.

Example call to putObject:

$result = $this->_client->putObject([
                'Bucket' => $this->_bucket,
                'Key' => $this->gen_name(),
                'SourceFile' => $this->_fullFilePath,
                'SSECustomerAlgorithm' =>$this->_customerAlgorithm,
                'SSECustomerKey' => $this->_customerKey

The trouble comes when trying to create a Presigned Request, if I provide the same SSECustomerAlgorithm and SSECustomerKey I get a signature mismatch error.

Example call:

$result = $this->_client->getCommand('getObject', [
                'Bucket' => $this->_bucket,
                'Key' => $object,
                'SSECustomerAlgorithm' =>$this->_customerAlgorithm,
                'SSECustomerKey' => $this->_customerKey

This call works fine for unencrypted files:

$result = $this->_client->getCommand('getObject', [
                'Bucket' => $this->_bucket,
                'Key' => $object                

Just looking to understand the signature mismatch when providing the encryption details.

Thank you,

3 Replies

Based on the S3 API documentation, in order to GET an object that you have uploaded using encryption, you need to include the following headers:

- x-amz-server-side-encryption-customer-algorithm
- x-amz-server-side-encryption-customer-key
- x-amz-server-side-encryption-customer-key-MD5

I think what this means is that you need to add SSECustomerKeyMD5 to your GET API call for it to work.

Thank you [@tlambert] (/community/user/tlambert) am I correct in thinking that the call would contain the key itself so should only be used for post requests?

Thank you,

@2ejames That's correct.

From the S3 API documentation:

To get an object from such a logical hierarchy, specify the full key name for the object in the GET operation.

Request Syntax:

GET /Key+?partNumber=PartNumber&response-cache-control=ResponseCacheControl&response-content-disposition=ResponseContentDisposition&response-content-encoding=ResponseContentEncoding&response-content-language=ResponseContentLanguage&response-content-type=ResponseContentType&response-expires=ResponseExpires&versionId=VersionId HTTP/1.1
Host: Bucket.s3.amazonaws.com
If-Match: IfMatch
If-Modified-Since: IfModifiedSince
If-None-Match: IfNoneMatch
If-Unmodified-Since: IfUnmodifiedSince
Range: Range
x-amz-server-side-encryption-customer-algorithm: SSECustomerAlgorithm
x-amz-server-side-encryption-customer-key: SSECustomerKey
x-amz-server-side-encryption-customer-key-MD5: SSECustomerKeyMD5
x-amz-request-payer: RequestPayer
x-amz-expected-bucket-owner: ExpectedBucketOwner
x-amz-checksum-mode: ChecksumMode



Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct