github.com/minio/minio@v0.0.0-20240328213742-3f72439b8a27/cmd/signature-v2.go (about) 1 // Copyright (c) 2015-2021 MinIO, Inc. 2 // 3 // This file is part of MinIO Object Storage stack 4 // 5 // This program is free software: you can redistribute it and/or modify 6 // it under the terms of the GNU Affero General Public License as published by 7 // the Free Software Foundation, either version 3 of the License, or 8 // (at your option) any later version. 9 // 10 // This program is distributed in the hope that it will be useful 11 // but WITHOUT ANY WARRANTY; without even the implied warranty of 12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 // GNU Affero General Public License for more details. 14 // 15 // You should have received a copy of the GNU Affero General Public License 16 // along with this program. If not, see <http://www.gnu.org/licenses/>. 17 18 package cmd 19 20 import ( 21 "crypto/hmac" 22 "crypto/sha1" 23 "crypto/subtle" 24 "encoding/base64" 25 "fmt" 26 "net/http" 27 "net/url" 28 "sort" 29 "strconv" 30 "strings" 31 32 xhttp "github.com/minio/minio/internal/http" 33 34 "github.com/minio/minio/internal/auth" 35 ) 36 37 // Whitelist resource list that will be used in query string for signature-V2 calculation. 38 // 39 // This list should be kept alphabetically sorted, do not hastily edit. 40 var resourceList = []string{ 41 "acl", 42 "cors", 43 "delete", 44 "encryption", 45 "legal-hold", 46 "lifecycle", 47 "location", 48 "logging", 49 "notification", 50 "partNumber", 51 "policy", 52 "requestPayment", 53 "response-cache-control", 54 "response-content-disposition", 55 "response-content-encoding", 56 "response-content-language", 57 "response-content-type", 58 "response-expires", 59 "retention", 60 "select", 61 "select-type", 62 "tagging", 63 "torrent", 64 "uploadId", 65 "uploads", 66 "versionId", 67 "versioning", 68 "versions", 69 "website", 70 } 71 72 // Signature and API related constants. 73 const ( 74 signV2Algorithm = "AWS" 75 ) 76 77 // AWS S3 Signature V2 calculation rule is give here: 78 // http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationStringToSign 79 func doesPolicySignatureV2Match(formValues http.Header) (auth.Credentials, APIErrorCode) { 80 accessKey := formValues.Get(xhttp.AmzAccessKeyID) 81 82 r := &http.Request{Header: formValues} 83 cred, _, s3Err := checkKeyValid(r, accessKey) 84 if s3Err != ErrNone { 85 return cred, s3Err 86 } 87 policy := formValues.Get("Policy") 88 signature := formValues.Get(xhttp.AmzSignatureV2) 89 if !compareSignatureV2(signature, calculateSignatureV2(policy, cred.SecretKey)) { 90 return cred, ErrSignatureDoesNotMatch 91 } 92 return cred, ErrNone 93 } 94 95 // Escape encodedQuery string into unescaped list of query params, returns error 96 // if any while unescaping the values. 97 func unescapeQueries(encodedQuery string) (unescapedQueries []string, err error) { 98 for _, query := range strings.Split(encodedQuery, "&") { 99 var unescapedQuery string 100 unescapedQuery, err = url.QueryUnescape(query) 101 if err != nil { 102 return nil, err 103 } 104 unescapedQueries = append(unescapedQueries, unescapedQuery) 105 } 106 return unescapedQueries, nil 107 } 108 109 // doesPresignV2SignatureMatch - Verify query headers with presigned signature 110 // - http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth 111 // 112 // returns ErrNone if matches. S3 errors otherwise. 113 func doesPresignV2SignatureMatch(r *http.Request) APIErrorCode { 114 // r.RequestURI will have raw encoded URI as sent by the client. 115 tokens := strings.SplitN(r.RequestURI, "?", 2) 116 encodedResource := tokens[0] 117 encodedQuery := "" 118 if len(tokens) == 2 { 119 encodedQuery = tokens[1] 120 } 121 122 var ( 123 filteredQueries []string 124 gotSignature string 125 expires string 126 accessKey string 127 err error 128 ) 129 130 var unescapedQueries []string 131 unescapedQueries, err = unescapeQueries(encodedQuery) 132 if err != nil { 133 return ErrInvalidQueryParams 134 } 135 136 // Extract the necessary values from presigned query, construct a list of new filtered queries. 137 for _, query := range unescapedQueries { 138 keyval := strings.SplitN(query, "=", 2) 139 if len(keyval) != 2 { 140 return ErrInvalidQueryParams 141 } 142 switch keyval[0] { 143 case xhttp.AmzAccessKeyID: 144 accessKey = keyval[1] 145 case xhttp.AmzSignatureV2: 146 gotSignature = keyval[1] 147 case xhttp.Expires: 148 expires = keyval[1] 149 default: 150 filteredQueries = append(filteredQueries, query) 151 } 152 } 153 154 // Invalid values returns error. 155 if accessKey == "" || gotSignature == "" || expires == "" { 156 return ErrInvalidQueryParams 157 } 158 159 cred, _, s3Err := checkKeyValid(r, accessKey) 160 if s3Err != ErrNone { 161 return s3Err 162 } 163 164 // Make sure the request has not expired. 165 expiresInt, err := strconv.ParseInt(expires, 10, 64) 166 if err != nil { 167 return ErrMalformedExpires 168 } 169 170 // Check if the presigned URL has expired. 171 if expiresInt < UTCNow().Unix() { 172 return ErrExpiredPresignRequest 173 } 174 175 encodedResource, err = getResource(encodedResource, r.Host, globalDomainNames) 176 if err != nil { 177 return ErrInvalidRequest 178 } 179 180 expectedSignature := preSignatureV2(cred, r.Method, encodedResource, strings.Join(filteredQueries, "&"), r.Header, expires) 181 if !compareSignatureV2(gotSignature, expectedSignature) { 182 return ErrSignatureDoesNotMatch 183 } 184 185 r.Form.Del(xhttp.Expires) 186 187 return ErrNone 188 } 189 190 func getReqAccessKeyV2(r *http.Request) (auth.Credentials, bool, APIErrorCode) { 191 if accessKey := r.Form.Get(xhttp.AmzAccessKeyID); accessKey != "" { 192 return checkKeyValid(r, accessKey) 193 } 194 195 // below is V2 Signed Auth header format, splitting on `space` (after the `AWS` string). 196 // Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature 197 authFields := strings.Split(r.Header.Get(xhttp.Authorization), " ") 198 if len(authFields) != 2 { 199 return auth.Credentials{}, false, ErrMissingFields 200 } 201 202 // Then will be splitting on ":", this will separate `AWSAccessKeyId` and `Signature` string. 203 keySignFields := strings.Split(strings.TrimSpace(authFields[1]), ":") 204 if len(keySignFields) != 2 { 205 return auth.Credentials{}, false, ErrMissingFields 206 } 207 208 return checkKeyValid(r, keySignFields[0]) 209 } 210 211 // Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature; 212 // Signature = Base64( HMAC-SHA1( YourSecretKey, UTF-8-Encoding-Of( StringToSign ) ) ); 213 // 214 // StringToSign = HTTP-Verb + "\n" + 215 // Content-Md5 + "\n" + 216 // Content-Type + "\n" + 217 // Date + "\n" + 218 // CanonicalizedProtocolHeaders + 219 // CanonicalizedResource; 220 // 221 // CanonicalizedResource = [ SlashSeparator + Bucket ] + 222 // <HTTP-Request-URI, from the protocol name up to the query string> + 223 // [ subresource, if present. For example "?acl", "?location", "?logging", or "?torrent"]; 224 // 225 // CanonicalizedProtocolHeaders = <described below> 226 227 // doesSignV2Match - Verify authorization header with calculated header in accordance with 228 // - http://docs.aws.amazon.com/AmazonS3/latest/dev/auth-request-sig-v2.html 229 // returns true if matches, false otherwise. if error is not nil then it is always false 230 231 func validateV2AuthHeader(r *http.Request) (auth.Credentials, APIErrorCode) { 232 var cred auth.Credentials 233 v2Auth := r.Header.Get(xhttp.Authorization) 234 if v2Auth == "" { 235 return cred, ErrAuthHeaderEmpty 236 } 237 238 // Verify if the header algorithm is supported or not. 239 if !strings.HasPrefix(v2Auth, signV2Algorithm) { 240 return cred, ErrSignatureVersionNotSupported 241 } 242 243 cred, _, apiErr := getReqAccessKeyV2(r) 244 if apiErr != ErrNone { 245 return cred, apiErr 246 } 247 248 return cred, ErrNone 249 } 250 251 func doesSignV2Match(r *http.Request) APIErrorCode { 252 v2Auth := r.Header.Get(xhttp.Authorization) 253 cred, apiError := validateV2AuthHeader(r) 254 if apiError != ErrNone { 255 return apiError 256 } 257 258 // r.RequestURI will have raw encoded URI as sent by the client. 259 tokens := strings.SplitN(r.RequestURI, "?", 2) 260 encodedResource := tokens[0] 261 encodedQuery := "" 262 if len(tokens) == 2 { 263 encodedQuery = tokens[1] 264 } 265 266 unescapedQueries, err := unescapeQueries(encodedQuery) 267 if err != nil { 268 return ErrInvalidQueryParams 269 } 270 271 encodedResource, err = getResource(encodedResource, r.Host, globalDomainNames) 272 if err != nil { 273 return ErrInvalidRequest 274 } 275 276 prefix := fmt.Sprintf("%s %s:", signV2Algorithm, cred.AccessKey) 277 if !strings.HasPrefix(v2Auth, prefix) { 278 return ErrSignatureDoesNotMatch 279 } 280 v2Auth = v2Auth[len(prefix):] 281 expectedAuth := signatureV2(cred, r.Method, encodedResource, strings.Join(unescapedQueries, "&"), r.Header) 282 if !compareSignatureV2(v2Auth, expectedAuth) { 283 return ErrSignatureDoesNotMatch 284 } 285 return ErrNone 286 } 287 288 func calculateSignatureV2(stringToSign string, secret string) string { 289 hm := hmac.New(sha1.New, []byte(secret)) 290 hm.Write([]byte(stringToSign)) 291 return base64.StdEncoding.EncodeToString(hm.Sum(nil)) 292 } 293 294 // Return signature-v2 for the presigned request. 295 func preSignatureV2(cred auth.Credentials, method string, encodedResource string, encodedQuery string, headers http.Header, expires string) string { 296 stringToSign := getStringToSignV2(method, encodedResource, encodedQuery, headers, expires) 297 return calculateSignatureV2(stringToSign, cred.SecretKey) 298 } 299 300 // Return the signature v2 of a given request. 301 func signatureV2(cred auth.Credentials, method string, encodedResource string, encodedQuery string, headers http.Header) string { 302 stringToSign := getStringToSignV2(method, encodedResource, encodedQuery, headers, "") 303 signature := calculateSignatureV2(stringToSign, cred.SecretKey) 304 return signature 305 } 306 307 // compareSignatureV2 returns true if and only if both signatures 308 // are equal. The signatures are expected to be base64 encoded strings 309 // according to the AWS S3 signature V2 spec. 310 func compareSignatureV2(sig1, sig2 string) bool { 311 // Decode signature string to binary byte-sequence representation is required 312 // as Base64 encoding of a value is not unique: 313 // For example "aGVsbG8=" and "aGVsbG8=\r" will result in the same byte slice. 314 signature1, err := base64.StdEncoding.DecodeString(sig1) 315 if err != nil { 316 return false 317 } 318 signature2, err := base64.StdEncoding.DecodeString(sig2) 319 if err != nil { 320 return false 321 } 322 return subtle.ConstantTimeCompare(signature1, signature2) == 1 323 } 324 325 // Return canonical headers. 326 func canonicalizedAmzHeadersV2(headers http.Header) string { 327 var keys []string 328 keyval := make(map[string]string, len(headers)) 329 for key := range headers { 330 lkey := strings.ToLower(key) 331 if !strings.HasPrefix(lkey, "x-amz-") { 332 continue 333 } 334 keys = append(keys, lkey) 335 keyval[lkey] = strings.Join(headers[key], ",") 336 } 337 sort.Strings(keys) 338 var canonicalHeaders []string 339 for _, key := range keys { 340 canonicalHeaders = append(canonicalHeaders, key+":"+keyval[key]) 341 } 342 return strings.Join(canonicalHeaders, "\n") 343 } 344 345 // Return canonical resource string. 346 func canonicalizedResourceV2(encodedResource, encodedQuery string) string { 347 queries := strings.Split(encodedQuery, "&") 348 keyval := make(map[string]string) 349 for _, query := range queries { 350 key := query 351 val := "" 352 index := strings.Index(query, "=") 353 if index != -1 { 354 key = query[:index] 355 val = query[index+1:] 356 } 357 keyval[key] = val 358 } 359 360 var canonicalQueries []string 361 for _, key := range resourceList { 362 val, ok := keyval[key] 363 if !ok { 364 continue 365 } 366 if val == "" { 367 canonicalQueries = append(canonicalQueries, key) 368 continue 369 } 370 canonicalQueries = append(canonicalQueries, key+"="+val) 371 } 372 373 // The queries will be already sorted as resourceList is sorted, if canonicalQueries 374 // is empty strings.Join returns empty. 375 canonicalQuery := strings.Join(canonicalQueries, "&") 376 if canonicalQuery != "" { 377 return encodedResource + "?" + canonicalQuery 378 } 379 return encodedResource 380 } 381 382 // Return string to sign under two different conditions. 383 // - if expires string is set then string to sign includes date instead of the Date header. 384 // - if expires string is empty then string to sign includes date header instead. 385 func getStringToSignV2(method string, encodedResource, encodedQuery string, headers http.Header, expires string) string { 386 canonicalHeaders := canonicalizedAmzHeadersV2(headers) 387 if len(canonicalHeaders) > 0 { 388 canonicalHeaders += "\n" 389 } 390 391 date := expires // Date is set to expires date for presign operations. 392 if date == "" { 393 // If expires date is empty then request header Date is used. 394 date = headers.Get(xhttp.Date) 395 } 396 397 // From the Amazon docs: 398 // 399 // StringToSign = HTTP-Verb + "\n" + 400 // Content-Md5 + "\n" + 401 // Content-Type + "\n" + 402 // Date/Expires + "\n" + 403 // CanonicalizedProtocolHeaders + 404 // CanonicalizedResource; 405 stringToSign := strings.Join([]string{ 406 method, 407 headers.Get(xhttp.ContentMD5), 408 headers.Get(xhttp.ContentType), 409 date, 410 canonicalHeaders, 411 }, "\n") 412 413 return stringToSign + canonicalizedResourceV2(encodedResource, encodedQuery) 414 }