okigan / awscurl

curl-like access to AWS resources with AWS Signature Version 4 request signing.
MIT License

Signature mismatch on non url-encoded uris #115

Closed jaedle closed 2 years ago

jaedle commented 3 years ago

Hey 👋

That's a great tool! I am using this tool to perform requests against APIs which are protected by IAM authentication. Those APIs contain query parameters which may require URL-encoding.

It looks like there is a problem with uris which are not url-encoded.

awscurl --service s3 https://awscurl-sample-bucket.s3.amazonaws.com/?query=para:meter

Results in an error:

<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>.../AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256
20210608T045117Z

It looks like the underlying implementation correctly escapes the URL (as curl does, for example) when performing the request, but the signature is calculated for the unescaped URI, and this results in a signature mismatch.

Running with escaped uri parameters works perfectly fine.

awscurl --service s3 https://awscurl-sample-bucket.s3.amazonaws.com/?query%3Dpara%3Ameter --region us-east-1

okigan commented 3 years ago

what happens when you put quotes around url in the original request (note the '):

awscurl --service s3 'https://awscurl-sample-bucket.s3.amazonaws.com/?query=para:meter'

jaedle commented 3 years ago

@okigan The problem still exists, same error as above.

okigan commented 3 years ago

Umm, it's taking me down memory lane. I think the issue is the tool does not know when to perform parameter quoting (and avoiding double quoting).

The RFC section https://datatracker.ietf.org/doc/html/rfc3986#section-2.4 was not helpful, but I am curious if there is a definitive behavior that has been documented for this already.

jaedle commented 3 years ago

My naive assumption as a user would be that the signature calculation would be done on the correctly url-encoded uri which is called and not on something which is not called :)

okigan commented 3 years ago

It's not clear if the URL was already percent-encoded (just applying it would break other users, I think).

Let me know if you see a robust way of implementing it.

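The mismatch described in the issue, and the "has it already been percent-encoded?" question from the last comment, come down to one rule in SigV4: the signature must be computed over the canonical query string (each name and value percent-decoded once, then re-encoded so that only RFC 3986 unreserved characters stay bare, then sorted), because that is the form the service reconstructs from the bytes it actually receives on the wire. The following is an added, self-contained Python illustration of that rule; it is not awscurl's code. It signs with constructed placeholder credentials and a fixed timestamp, includes only the `host` and `x-amz-date` headers, and uses a single-encoded path as S3 expects. Note that the thread's second command also encodes the `=`, which per RFC 3986 turns the whole thing into a parameter name with no value rather than a `query=...` pair, so the example keeps that form distinct from `?query=para%3Ameter`.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote, urlsplit

# Characters SigV4 leaves bare in query names and values (RFC 3986 unreserved set).
UNRESERVED = "-_.~"

# Constructed placeholder credentials and timestamp; not real AWS values.
FAKE_SECRET = "EXAMPLESECRETKEY0000000000000000000000000"
FAKE_AMZ_DATE = "20210608T045117Z"


def canonical_query_string(query: str) -> str:
    """Build the SigV4 canonical query string from the raw query part of a URL.

    Each name and value is percent-decoded once and re-encoded with the SigV4
    rules, so '?query=para:meter' and '?query=para%3Ameter' canonicalize to the
    same bytes and nothing is double-encoded. Caveat (the robustness gap raised
    in the thread): a literal '%' followed by two hex digits that was *not*
    meant as an escape will be decoded as one; such values must be pre-encoded.
    """
    pairs = []
    for part in query.split("&"):
        if part == "":
            continue
        name, _, value = part.partition("=")  # split before decoding: %3D is data, not a separator
        pairs.append((quote(unquote(name), safe=UNRESERVED),
                      quote(unquote(value), safe=UNRESERVED)))
    pairs.sort()  # canonical order: by encoded name, then encoded value
    return "&".join(f"{n}={v}" for n, v in pairs)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_signature(url: str, region: str, service: str, *, canonicalize: bool = True,
                    method: str = "GET", payload: bytes = b"") -> str:
    """Return the hex SigV4 signature for a GET with only host and x-amz-date signed.

    canonicalize=False reproduces the defect from the issue: the raw, unescaped
    query is signed while the HTTP layer escapes it on the wire.
    """
    parts = urlsplit(url)
    canonical_uri = quote(unquote(parts.path or "/"), safe="/" + UNRESERVED)
    query = canonical_query_string(parts.query) if canonicalize else parts.query
    canonical_headers = f"host:{parts.netloc}\nx-amz-date:{FAKE_AMZ_DATE}\n"
    signed_headers = "host;x-amz-date"
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_request = "\n".join(
        [method, canonical_uri, query, canonical_headers, signed_headers, payload_hash])

    date_stamp = FAKE_AMZ_DATE[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", FAKE_AMZ_DATE, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])

    # Signing key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac_sha256(("AWS4" + FAKE_SECRET).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    return hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()


def signatures_agree(url_a: str, url_b: str, region: str = "us-east-1", service: str = "s3") -> bool:
    """True when both URLs sign identically after canonicalization."""
    return sigv4_signature(url_a, region, service) == sigv4_signature(url_b, region, service)


if __name__ == "__main__":
    raw = "https://awscurl-sample-bucket.s3.amazonaws.com/?query=para:meter"
    escaped = "https://awscurl-sample-bucket.s3.amazonaws.com/?query=para%3Ameter"
    print("canonical:", canonical_query_string(urlsplit(raw).query))
    print("agree after canonicalization:", signatures_agree(raw, escaped))
    print("naive raw signing matches the wire form:",
          sigv4_signature(raw, "us-east-1", "s3", canonicalize=False)
          == sigv4_signature(escaped, "us-east-1", "s3"))
```

Running it shows the two spellings of the same request agreeing once canonicalized, while signing the raw `para:meter` text produces a different signature from the `para%3Ameter` the service receives, which is exactly the `SignatureDoesNotMatch` the issue reports. The decode-then-re-encode step is what keeps already-encoded input from being encoded twice; the one input it cannot disambiguate is a bare `%` that happens to look like an escape sequence.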