Invalid S3 signature error when using server-side encryption and ASIHTTPRequest from an iPhone app

Question

I have an iPhone application I've been using for some time that uses ASIHTTPRequest to upload videos to a bucket on Amazon S3. It has been functioning well without any problems. Recently, we decided to make use of the new "server-side encryption" that Amazon has implemented. This allows you to tell Amazon's server to encrypt files that have been posted to a bucket automatically by including an additional HTTP request header.

I have added a single line of code to my application to implement this, but now my Amazon uploads are failing. The specific error message that is appearing is:

"The request signature we calculated does not match the signature you provided. Check your key and signing method."

The name of the bucket I am using conforms to Amazon's naming standards, so I am confident that is not the issue. I am also confident that the secret and public keys I am using are correct.

It would appear that adding this header is somehow breaking the signature calculation, I am assuming because it is being included in the calculation on one side of the transmission but not the other.

Am I doing this incorrectly? Or is this a bug in ASIHTTPRequest ?

Here is my code for reference:

[ASIS3Request setSharedSecretAccessKey:@"mysecretkey"];
[ASIS3Request setSharedAccessKey:@"myaccesskey"];

NSString *bucketPath = [NSString stringWithFormat:@"mypath/filename"];

ASIS3ObjectRequest *request = [ASIS3ObjectRequest PUTRequestForFile:filepath withBucket:@"my-bucket" key:bucketPath];

// If the following line is commented, the upload completes successfully
[request addRequestHeader:@"x-amz-server-side-encryption" value:@"AES256"];
////

request.requestScheme = ASIS3RequestSchemeHTTPS;
[request setShouldContinueWhenAppEntersBackground:YES];
[request startSynchronous];

if ([request error])
{
  // The error messag is being displayed here
  NSLog(@"xmit error: [%@]",[[request error] localizedDescription]);
}

Answer 1

You're doing everything right, the issue is that constructing the Authorization header (ie "the request signature") involves signing a string which includes all of the x-amz- headers; you've added one such header ( x-amz-server-side-encryption ), but you've not caused it to be factored into the signature.

I just created a branch of ASIHTTPRequest with support for SSE . If you use that branch, you should just be able to say [request setUseServerSideEncryption:YES]; . Alternately, if you're more interested in the technique, here are the details of making it work .

Answer 2

I'm having the same issue, however I'm not using encryption. But what I found so far is that upper case letters get the wrong signature.

In my case I'm setting the storage class with ASIS3StorageClassReducedRedundancy that has a value of @"REDUCED_REDUNDANCY" which is in uppercase. If I don't set this option the request goes successful.

So maybe your problem is with the value AES256 that has uppercase letters.