
I'm trying to GET an object from AWS S3 using VBScript, but I keep getting the error "SignatureDoesNotMatch".

I built the code using VBScript and JavaScript for the hash function.

Here is my code:

```asp
<script type="text/javascript" language="javascript" runat="server" src="js/crypto-js/core.js"></script>
<script type="text/javascript" language="javascript" runat="server" src="js/crypto-js/enc-base64.js"></script>
<script type="text/javascript" language="javascript" runat="server" src="js/crypto-js/sha256.js"></script>
<script type="text/javascript" language="javascript" runat="server" src="js/crypto-js/hmac.js"></script>

<script type="text/javascript" language="javascript" runat="server">
    var CryptoJS; // Must be declared so that it is in scope for VBScript
</script>
<script language="vbscript" runat="server">
    Class Encrypt_Cfg
        public iv
        public mode
        public padding
        Function hasOwnProperty(name)
            hasOwnProperty = (name="iv" or name="mode" or name="padding")
        End Function
    End Class
</script>

<%
Function mac256(key, ent)
    Dim encWA
    Set encWA = ConvertUtf8StrToWordArray(ent)
    Dim keyWA
    Set keyWA = ConvertUtf8StrToWordArray(key)
    Dim resWA
    Set resWA = CryptoJS.HmacSHA256(encWA, key)
    Set mac256 = resWA
End Function

Function ConvertUtf8StrToWordArray(data)
    If (typename(data) = "String") Then
        Set ConvertUtf8StrToWordArray = CryptoJS.enc.Utf8.parse(data)
    Elseif (typename(data) = "JScriptTypeInfo") Then
        On error resume next
        'Set ConvertUtf8StrToWordArray = CryptoJS.enc.Utf8.parse(data.toString(CryptoJS.enc.Utf8))
        Set ConvertUtf8StrToWordArray = CryptoJS.lib.WordArray.create().concat(data) 'Just assert that data is WordArray
        If Err.number>0 Then
            Set ConvertUtf8StrToWordArray = Nothing
        End if
        On error goto 0
    Else
        Set ConvertUtf8StrToWordArray = Nothing
    End if
End Function

Function ToIsoDateTime(datetime)
     ToIsoDateTime = ToIsoDate(datetime) & "T" & ToIsoTime(datetime) & CurrentTimezone
End Function

Public Function ToIsoDate(datetime)
     ToIsoDate = CStr(Year(datetime)) & "-" & StrN2(Month(datetime)) & "-" & StrN2(Day(datetime))
End Function

Public Function ToIsoTime(datetime)
     ToIsoTime = StrN2(Hour(datetime)) & ":" & StrN2(Minute(datetime)) & ":" & StrN2(Second(datetime))
End Function

Private Function StrN2(n)
     If Len(CStr(n)) < 2 Then StrN2 = "0" & n Else StrN2 = n
End Function

Function formatNumber(value, digits)
    if digits > len(value) then
        formatNumber = String(digits-len(value),"0") & value
    else
        formatNumber = value
    end if
End Function


'adjust time to GMT'
gettime = DateAdd("h",-8,now())
gettime = DateAdd("s",3,gettime)
isotimestamp = ToIsoDateTime(gettime)&"Z"
isotimestamp2 = replace(isotimestamp,"-","")
isotimestamp2 = replace(isotimestamp2,":","")

Const access_key = "AKIAIOSFODNN7EXAMPLE"
Const secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

datestamp = Year(date) & formatNumber(Month(date),2) & formatNumber(Day(date),2)
service = "s3"
host = "mubucketname.amazonaws.com"
region = "us-east-2"
endpoint = "http://mubucketname.s3.amazonaws.com"
request_parameters = ""
method = "GET"
request_parameters = ""
canonical_uri = "/mubucketname/test.txt"
canonical_querystring = request_parameters

canonical_headers = "host:" & host & vbLf & "x-amz-content-sha256:UNSIGNED-PAYLOAD" & vbLf & "x-amz-date:" & isotimestamp2 & vbLf
signed_headers = "host;x-amz-content-sha256;x-amz-date"
payload_hash = "UNSIGNED-PAYLOAD"
canonical_request = method & vbLf & Server.URLEncode(canonical_uri) & vbLf & canonical_querystring & vbLf & canonical_headers & vbLf & signed_headers & vbLf & payload_hash
algorithm = "AWS4-HMAC-SHA256"
credential_scope = datestamp & "/" & region & "/" & service & "/" & "aws4_request"
string_to_sign = algorithm & vbLf &  isotimestamp2 & vbLf &  credential_scope & vbLf &  sha256(canonical_request)

kDate = mac256("AWS4"&access_key, datestamp)
kRegion = mac256(kDate, region)
kService = mac256(kRegion, service)
kSigning = mac256(kService, "aws4_request")
signing_key = kSigning

signature = mac256(signing_key, string_to_sign)
authorization_header = algorithm & " " & "Credential=" & access_key & "/" &  credential_scope & ", " &  "SignedHeaders=" & signed_headers & ", " & "Signature=" & signature
'headers = {"x-amz-date":amzdate, "x-amz-content-sha256": "UNSIGNED-PAYLOAD", "Authorization":authorization_header}
request_url = endpoint & canonical_uri


response.write "<b>Credential_Scope</b><br>"
response.write credential_scope
response.write "<br><br>"

response.write "<b>Canonical_Request</b><br>"
response.write canonical_request
response.write "<br><br>"

response.write "<b>StringToSign</b><br>"
response.write string_to_sign
response.write "<br><br>"

response.write "<b>SigningKey</b><br>"
response.write signing_key
response.write "<br><br>"

response.write "<b>Signature</b><br>"
response.write signature
response.write "<br><br>"

response.write "<b>Authorization Header</b><br>"
response.write authorization_header
response.write "<br><br>"


Dim strSignature: strSignature = Signature
Dim strAuthorization: strAuthorization = "AWS " & strAccessKeyID & ":" & strSignature
'-- Upload: --'
Dim xhttp: Set xhttp = Server.CreateObject("MSXML2.ServerXMLHTTP")
xhttp.open "GET", request_url, False
xhttp.setRequestHeader "Content-Type", "text/plain"
xhttp.setRequestHeader "Host", awsbucket & ".s3.amazonaws.com/"
xhttp.setRequestHeader "x-amz-date", isotimestamp2
xhttp.setRequestHeader "x-amz-content-sha256", "UNSIGNED-PAYLOAD"
xhttp.setRequestHeader "Authorization", authorization_header
xhttp.send

If xhttp.status = "200" Then
  s3_Upload = "1"
Else
  s3_Upload = "0:" & xhttp.responseText
End If

response.write s3_Upload

Set xhttp = Nothing
%>
```

No matter what I have tried, I keep getting an error that my signature does not match:

"The request signature we calculated does not match the signature you provided. Check your key and signing method"

I'm pretty sure I have followed each step.

Here is the AWS S3 documentation: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

Any idea how I can solve it?

  • The access key & secret key are not real.
beautyfit
  • Think the answer is pretty obvious, the **Signature Doesn’t Match**. You should check the AWS S3 spec for how to correctly hash the signature. – user692942 Nov 28 '18 at 19:54
  • Likelihood is the `mac256()` function isn't creating a SHA-256 HMAC as AWS is expecting, it is [very easy for encoding / byte issues to creep into Classic ASP code](https://stackoverflow.com/q/32029595/692942), I would try a different approach to the CryptoJS method. – user692942 Nov 28 '18 at 22:31
  • [Prime example](https://stackoverflow.com/q/40601928/692942) with your codebase giving different result. Suggest looking at the [.Net COM approach](https://stackoverflow.com/a/40608248/692942) as it's more consistent. – user692942 Nov 28 '18 at 22:36
  • Note that you can verify if your HMAC SHA256 function returns the correct results by executing it against some [example data with a known response](https://en.wikipedia.org/wiki/HMAC#Examples). – Erik A Nov 29 '18 at 08:39
  • I gave up. Nothing helped, but thanks to all of you for trying to assist. I'll just use a separate PHP script with the AWS SDK. – beautyfit Nov 29 '18 at 11:30
  • @beautyfit really nothing helped? Even though the duplicate question quite clearly shows that the hash CryptoJS produces isn't equivalent, did you even try the .Net approach in that question? – user692942 Nov 29 '18 at 22:04
  • @Lankymart I tried all approaches but I'm still receiving different results than what the AWS documentation shows and, of course, I'm receiving the "SignatureDoesNotMatch" error. – beautyfit Nov 30 '18 at 06:47
  • The `request_parameters` is blank, that might screw up the hash if you do pass request parameters in the request. – user692942 Nov 30 '18 at 08:25
  • @Lankymart it should be blank if there are no parameters to pass on, but still keep it as a new line. I think it is something with the MAC-SHA256 function, as it gives different results from what the AWS documentation shows. – beautyfit Dec 02 '18 at 05:26
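
For comparison with the intermediate values the question prints (canonical request, string to sign, signature), here is a reference SigV4 header-signing computation in Node.js; it is an added example, not code from the post or from AWS. It begins with the HMAC known-answer check suggested in the comments and shows how keying each derivation step with hex text instead of raw bytes changes the signature. The bucket host and timestamp are constructed, and the keys are the placeholder ones from the question.

```javascript
// Added example (not the asker's code): SigV4 header signing for an S3 GET.
const crypto = require('crypto');

const sha256Hex = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
// Returns raw bytes (Buffer) unless enc is given; use 'hex' only for the final signature.
const hmac = (key, msg, enc) => crypto.createHmac('sha256', key).update(msg, 'utf8').digest(enc);

// Known-answer check using the HMAC example data linked in the comments.
function hmacSelfTest() {
  return hmac('key', 'The quick brown fox jumps over the lazy dog', 'hex') ===
    'f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8';
}

// hexChain=true reproduces an encoding slip: each step is keyed with the
// hex *text* of the previous MAC instead of its 32 raw bytes.
function signingKey(secretKey, dateStamp, region, service, hexChain = false) {
  const step = (key, msg) => hmac(key, msg, hexChain ? 'hex' : undefined);
  let k = step('AWS4' + secretKey, dateStamp);
  for (const part of [region, service, 'aws4_request']) k = step(k, part);
  return hexChain ? Buffer.from(k, 'hex') : k;
}

// Percent-encode every path segment (including !'()*), keeping the '/' separators.
const uriEncodePath = (p) => p.split('/').map((seg) => encodeURIComponent(seg)
  .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase())).join('/');

function signGet({ accessKey, secretKey, region, host, path, amzDate, payloadHash }, hexChain = false) {
  const dateStamp = amzDate.slice(0, 8);
  const headers = { host, 'x-amz-content-sha256': payloadHash, 'x-amz-date': amzDate };
  const names = Object.keys(headers).sort();
  const signedHeaders = names.join(';');
  const canonicalRequest = ['GET', uriEncodePath(path), '', // empty query string keeps its line
    names.map((n) => `${n}:${headers[n].trim()}\n`).join(''), signedHeaders, payloadHash].join('\n');
  const scope = `${dateStamp}/${region}/s3/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');
  const signature = hmac(signingKey(secretKey, dateStamp, region, 's3', hexChain), stringToSign, 'hex');
  return { canonicalRequest, stringToSign, signature, authorization:
    `AWS4-HMAC-SHA256 Credential=${accessKey}/${scope}, SignedHeaders=${signedHeaders}, Signature=${signature}` };
}

// Constructed request: placeholder keys from the question, hypothetical bucket host, fixed timestamp.
const sample = { accessKey: 'AKIAIOSFODNN7EXAMPLE', secretKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  region: 'us-east-2', host: 'examplebucket.s3.us-east-2.amazonaws.com', path: '/test.txt',
  amzDate: '20181128T195400Z', payloadHash: 'UNSIGNED-PAYLOAD' };
const good = signGet(sample);
const bad = signGet(sample, true);
console.log(good.canonicalRequest + '\n---\n' + good.stringToSign + '\n---\n' + good.authorization);
console.log('HMAC self-test:', hmacSelfTest(), '| hex-chained signature differs:', good.signature !== bad.signature);
```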
