
Amazon S3 Customer Provided Encryption with PHP SDK

I am attempting to upload an object to S3 using the customer provided encryption key. http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html

My code looks like:

$this->s3->putObject(array(
  'Bucket' => $this->bucket,
  'Key' => "$filename",
  'Body' => $resource,
  'ACL' => 'private',
  'SSECustomerAlgorithm' => 'AES256',
  'SSECustomerKey' => base64_encode('48wk86271sDb23pY23zT5rZJ7q55R7eE'),
  'SSECustomerKeyMD5'=> base64_encode(md5('48wk86271sDb23pY23zT5rZJ7q55R7eE'))
));

The error I am getting says:

AWS Error Message: The calculated MD5 hash of the key did not match the hash that was provided

What am I doing wrong? My key 48wk86271sDb23pY23zT5rZJ7q55R7eE is 256 bits. I've also tried using base64_encode(md5(key, true)).

The REST API documentation specifies that both the customer key and customer key MD5 be sent base-64 encoded...

x-amz-server-side-encryption-customer-key

Use this header to provide the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.

x-amz-server-side-encryption-customer-key-MD5

Use this header to provide the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.

...however, the PHP SDK handles both encoding steps for you, so the arguments should be passed without any encoding.

'SSECustomerAlgorithm' => 'AES256',
'SSECustomerKey'       => 'key_=_string_of_exactly_32_bytes',
'SSECustomerKeyMD5'    => md5('key_=_string_of_exactly_32_bytes',true),

Of course, you'd probably want that 32 byte key string in a variable rather than copypasting the same literal string in the code twice. The second argument "true" to md5() specifies that the binary md5 hash is to be returned, as expected by the SDK, instead of the hex-encoded variant that would be returned by default.

Remember that when using customer-provided encryption keys, if you lose the key, you lose the data. S3 does not store the key, and without the key, fetching the stored object is not possible.
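A worked example of the same point, added here and not part of the original question or answer: it builds the SSE-C parameters for the AWS SDK for PHP from a raw 32-byte key, shows the header values the SDK will produce (so a double-encoded value can be compared against it), and reads the object back with the same key. It assumes SDK v3 installed through Composer, PHP 7 or later for random_bytes(), and a placeholder bucket name and region; those, and the helper names, are assumptions rather than anything the page states.

```php
<?php
// Added example, not the code of the original poster or of the AWS SDK itself.
// Assumes: AWS SDK for PHP v3 via Composer, PHP >= 7.0, credentials in the
// environment, and the placeholder bucket/region below.
require 'vendor/autoload.php';

use Aws\S3\S3Client;

/**
 * SSE-C parameters in the form the PHP SDK expects: the RAW 32-byte key and the
 * RAW 16-byte MD5 digest. The SDK base64-encodes both before sending them, so
 * pre-encoding either one here produces the "calculated MD5 hash of the key did
 * not match" error from the question.
 */
function sseCustomerParams(string $key): array
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('SSE-C key must be exactly 32 bytes (256 bits)');
    }
    return [
        'SSECustomerAlgorithm' => 'AES256',
        'SSECustomerKey'       => $key,
        'SSECustomerKeyMD5'    => md5($key, true), // binary digest, not the hex string
    ];
}

/**
 * What actually goes on the wire, matching the REST documentation quoted above:
 * base64 of the key and base64 of the 16-byte MD5 digest (RFC 1321). Handy when
 * debugging a hand-built request or checking what the SDK is sending.
 */
function sseCustomerHeaders(string $key): array
{
    $params = sseCustomerParams($key); // reuses the length check
    return [
        'x-amz-server-side-encryption-customer-algorithm' => $params['SSECustomerAlgorithm'],
        'x-amz-server-side-encryption-customer-key'       => base64_encode($params['SSECustomerKey']),
        'x-amz-server-side-encryption-customer-key-MD5'   => base64_encode($params['SSECustomerKeyMD5']),
    ];
}

// A fresh random 256-bit key. Do not derive it from a short ASCII password; and
// because S3 never stores it, keep it in a secrets manager or KMS, not in code.
$key = random_bytes(32);

$bucket = 'example-bucket';                                   // placeholder
$s3     = new S3Client(['region' => 'us-east-1', 'version' => 'latest']); // assumed region

$params = sseCustomerParams($key);

$s3->putObject([
    'Bucket' => $bucket,
    'Key'    => 'secret.bin',
    'Body'   => 'hello',
    'ACL'    => 'private',
] + $params);

// Every read must present the same key (and MD5); without it S3 rejects the request.
$result = $s3->getObject([
    'Bucket' => $bucket,
    'Key'    => 'secret.bin',
] + $params);

echo (string) $result['Body'], PHP_EOL;

// For comparison with a curl or proxy capture:
print_r(sseCustomerHeaders($key));
```

Keep the key and its MD5 together in one array so the put and every subsequent get use identical values; storing only the object key and not the encryption key, or rotating the key without re-uploading, leaves the object unreadable.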
