Getting signed url from s3 to decrypt uploaded object using SSE-C


Question

I was successfully able to encrypt and upload an image file using the following snippet:

var ssecKey = '12345678901234567890123456789012'

var data = {
    Key: 'testfolder/abc.png', 
    Body: buffer,
    ContentEncoding: 'base64',
    ContentType: 'image/png',
    SSECustomerAlgorithm: 'AES256',
    SSECustomerKey: ssecKey
};

s3.putObject(data, (err) => {
    if (err) return console.error(err.stack)

    s3.getSignedUrl('getObject', {
        Key: 'testfolder/abc.png', 
        Expires: 160,
        SSECustomerAlgorithm: 'AES256',
        SSECustomerKey: ssecKey
    }, (err, data) => {
        if (err) return console.error(err.stack)

        console.log(data);
    });
});

In order to get the decrypted object back, I used the getSignedUrl method. The console outputs a signed URL, but it is not decrypting the image, hence showing the following error in the browser:

What could I probably be doing wrong here?

Recommended answer

According to

Note:

Not all operation parameters are supported when using pre-signed URLs. Certain parameters, such as SSECustomerKey, ACL, Expires, ContentLength, or Tagging must be provided as headers when sending a request. If you are using pre-signed URLs to upload from a browser and need to use these fields, see createPresignedPost().

You will need the following code:

On the backend:

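const AWS = require('aws-sdk') // AWS SDK for JavaScript v2

AWS.config.update({
  accessKeyId: process.env.AWS_ACCESS_KEY_ID,
  secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
  region: process.env.AWS_REGION,
  signatureVersion: 'v4' // NB! this seems needed to avoid some bugs
})
// Create the client after the config update so it picks up signatureVersion.
const s3 = new AWS.S3()

// The SSE-C key itself is not passed here; the client sends it as a request header.
const url = s3.getSignedUrl('getObject', {
  Bucket: process.env.S3_BUCKET_NAME,
  Key: key, // object key of the encrypted upload, supplied by the caller
  SSECustomerAlgorithm: 'AES256', // NB! this must be added
})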

In the browser:

//encryption key can be generated in nodejs:
//var password = "some easy to remember password";
//var encryption_key = crypto.createHash('sha256').update(password, 'utf8').digest('base64');
//var encryption_key_md5 = crypto.createHash('md5').update(encryption_key, 'base64').digest('base64');

// ENCRYPTION_KEY is the base64-encoded key, defined elsewhere (see the commented snippet above).
function presigned_get(url) {
  console.log("presigned_get", url);
  var xhr = new XMLHttpRequest();
  xhr.responseType = 'blob';
  xhr.open("get", url);
  // The SSE-C parameters travel as request headers, not in the presigned URL.
  xhr.setRequestHeader("x-amz-server-side-encryption-customer-algorithm", "AES256");
  xhr.setRequestHeader("x-amz-server-side-encryption-customer-key", ENCRYPTION_KEY);
  //xhr.setRequestHeader("x-amz-server-side-encryption-customer-key-MD5", ENCRYPTION_KEY_MD5);
  // Register the handler before sending the request.
  xhr.onload = function() {
    if (xhr.status == 200) {
      console.log(`Downloaded ${url}`);
      // Derive the file name from the URL path, without the query string.
      var filename = url.substring(0, url.indexOf('?'));
      filename = filename.substring(filename.lastIndexOf('/')+1);
      // saveAs is not built into browsers; it comes from a helper such as FileSaver.js.
      window.saveAs(xhr.response, filename);
    } else {
      // The error body arrives as a Blob; read it as text to log it.
      var reader = new FileReader();
      reader.addEventListener('loadend', () => {
        console.error(`Downloading ${url} failed:`, xhr.statusText, reader.result);
      });
      reader.readAsText(xhr.response);
    }
  };
  xhr.send();
}
