Amazon S3 Customer Provided Encryption with PHP SDK


Problem description

I am attempting to upload an object to S3 using the customer provided encryption key. http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html

My code looks like:

$this->s3->putObject(array(
  'Bucket' => $this->bucket,
  'Key' => "$filename",
  'Body' => $resource,
  'ACL' => 'private',
  'SSECustomerAlgorithm' => 'AES256',
  'SSECustomerKey' => base64_encode('48wk86271sDb23pY23zT5rZJ7q55R7eE'),
  'SSECustomerKeyMD5'=> base64_encode(md5('48wk86271sDb23pY23zT5rZJ7q55R7eE'))
));

I get an error that says: AWS Error Message: The calculated MD5 hash of the key did not match the hash that was provided.

What am I doing wrong? My key 48wk86271sDb23pY23zT5rZJ7q55R7eE is 256 bits. I've also tried using base64_encode(md5(key, true)).

Thanks in advance.

Recommended answer

The REST API documentation specifies that both the customer key and customer key MD5 be sent base-64 encoded...

x-amz-server-side-encryption-customer-key

Use this header to provide the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.

x-amz-server-side-encryption-customer-key-MD5

Use this header to provide the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.

...however, the PHP SDK handles both encoding steps for you, so the arguments should be passed without any encoding.

'SSECustomerAlgorithm' => 'AES256',
'SSECustomerKey'       => 'key_=_string_of_exactly_32_bytes',
'SSECustomerKeyMD5'    => md5('key_=_string_of_exactly_32_bytes',true),

Of course, you'd probably want that 32 byte key string in a variable rather than copypasting the same literal string in the code twice. The second argument "true" to md5() specifies that the binary md5 hash is to be returned, as expected by the SDK, instead of the hex-encoded variant that would be returned by default.

Remember that when using customer-provided encryption keys, if you lose the key, you lose the data. S3 does not store the key, and without the key, fetching the stored object is not possible.
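
The encoding chain behind the mismatch, as an added example that is not part of the original answer. It assumes the SDK base64-encodes both arguments, as the answer states, and models the S3-side comparison with two hypothetical helpers, `sdkHeaders` and `md5HeaderMatches`, run on a constructed random key.

```php
<?php
// Added example, not from the original post. No AWS calls are made.

// Assumed model of the SDK step described in the answer: both arguments
// are base64-encoded before being sent as request headers.
function sdkHeaders(string $keyArg, string $md5Arg): array
{
    return [
        'x-amz-server-side-encryption-customer-key'     => base64_encode($keyArg),
        'x-amz-server-side-encryption-customer-key-MD5' => base64_encode($md5Arg),
    ];
}

// Assumed model of the S3-side integrity check: decode the key header,
// take its binary MD5, and compare it with the decoded MD5 header.
function md5HeaderMatches(array $headers): bool
{
    $key = base64_decode($headers['x-amz-server-side-encryption-customer-key'], true);
    $md5 = base64_decode($headers['x-amz-server-side-encryption-customer-key-MD5'], true);
    return $key !== false && $md5 !== false && hash_equals(md5($key, true), $md5);
}

$key = random_bytes(32); // constructed sample key: 32 bytes = 256 bits

$attempts = [
    // Raw key and raw binary digest, as the answer recommends.
    'raw key, md5(key, true)'             => [$key, md5($key, true)],
    // Form used in the question: key pre-encoded, hex digest pre-encoded.
    'base64(key), base64(md5(key))'       => [base64_encode($key), base64_encode(md5($key))],
    // Other digest form the question mentions, key argument unchanged.
    'base64(key), base64(md5(key, true))' => [base64_encode($key), base64_encode(md5($key, true))],
];

foreach ($attempts as $label => [$keyArg, $md5Arg]) {
    // Pre-encoded arguments get encoded a second time, so the receiver decodes
    // a 44-character base64 string instead of the 32 key bytes and hashes that.
    $ok = md5HeaderMatches(sdkHeaders($keyArg, $md5Arg));
    printf("%-38s %s\n", $label, $ok ? 'digest matches' : 'digest mismatch');
}
```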
