I was trying to delete a file from an S3 bucket which is hosted in my client's in-house storage s3.fidapp.org. I used the command below but it didn't work. I'm getting the error below.

```
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your Secret Access Key and signing method.</Message>
```

Script to find signingKey

```
function hmac_sha256 {
    key="$1"
    data="$2"
    echo -n "$data" | openssl dgst -sha256 -hmac "$key" -binary | base64 | sed 's/^.* //'
}

secret="$1"
date="$2"
region="$3"
service="$4"
testaws4='AWS4'$secret

s1=$(echo -n $date | openssl sha256 -hmac AWS4$secret | sed 's/^.* //')
s2=$(echo -n $region | openssl dgst -sha256 -mac HMAC -macopt hexkey:$s1 | sed 's/^.* //')
s3=$(echo -n $service | openssl dgst -sha256 -mac HMAC -macopt hexkey:$s2 | sed 's/^.* //')
signingkey=$(echo -n aws4_request | openssl dgst -sha256 -mac HMAC -macopt hexkey:$s3 | sed 's/^.* //')
```

Delete Script

```
bucketName="test_bucket"
accessKey="test-key"
fileName="test.dat"
Region="us-east-1"
DateTime=`date -u +%Y%m%dT%H%M%SZ`
Date=`date -u +%Y%m%d`
SecretKey="**********************"
HashKey=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

CRequest="DELETE\n/test_bucket/\n\nhost:s3.fidapp.org\nx-amz-content-sha256:"$HashKey"\n\nx-amz-date:"$DateTime"\n\nhost;x-amz-content-sha256;x-amz-date\n"$HashKey"\n"
CRHkey=`echo -en $CRequest|openssl dgst -sha256| cut -d ' ' -f2`
StringToSign="AWS4-HMAC-SHA256\n"$DateTime"\n"$Date"/us-east-/s3/aws4_request\n"$CRHkey
SigningKey=`sh signing_key.sh $SecretKey $Date $Region s3`

echo -en $StringToSign | openssl dgst -sha256 -mac HMAC -macopt hexkey:$SigningKey | sed 's/^.* //' |cut -d ' ' -f2 > Signature.txt
cat Signature.txt

AuthorizationHeader="Authorization: AWS4-HMAC-SHA256 Credential="$accessKey"/"$Date"/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature="`cat Signature.txt`

curl -X DELETE https://s3.fidapp.org//${bucketName}/${fileName} \
-H "$AuthorizationHeader" \
-H "host: s3.fidapp.org" \
-H "X-Amz-Content-SHA256: "$HashKey \
-H "X-Amz-Date: "$DateTime
```

I used the same command to upload a file to the S3 bucket by replacing DELETE with PUT.

Please let me know if I'm missing anything or I have to change anything in the command.

Shanti
  • Do you have permission to delete file on your bucket? – dkb Dec 19 '18 at 10:22
  • Please be sure to quote the error message *exactly*. The `x-amz-content-sha256` would almost certainly need to be either the literal value `UNSIGNED-PAYLOAD` or the literal value `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` because a `DELETE` request has no payload and that value is the [sha256 of a zero-length string](https://crypto.stackexchange.com/a/26135/25027). – Michael - sqlbot Dec 20 '18 at 00:32
  • @Michael-sqlbot - Thanks for the comment. I've tried both ways and have now edited my script and added the error message. Still no luck. Could you suggest any other ways? – Shanti Dec 20 '18 at 09:15
  • @dkb - Yes I have permission to delete. – Shanti Dec 20 '18 at 09:17
  • This isn't a permissions error -- the signature is the problem. How are you actually generating that signature? – Michael - sqlbot Dec 20 '18 at 12:29
  • @Michael-sqlbot - Added the full script. Please take a look and let me know if anything is missed. – Shanti Dec 25 '18 at 10:32
  • There may be any number of issues here, but the first one that I see is `CRequest="DELETE\n/test_bucket/\n`. The literal string `/test_bucket/` does not belong here. – Michael - sqlbot Dec 25 '18 at 17:36
  • @Michael-sqlbot - that is the bucket name – Shanti Dec 26 '18 at 06:24
  • @Shanti the *literal string* does not belong there, no matter what its meaning. That is the place in the string to sign for the HTTP request path. – Michael - sqlbot Dec 27 '18 at 15:55
  • @Michael-sqlbot Can you please elaborate on your answer? – Shanti Jan 16 '19 at 07:40
  • It should be the same thing as the request path, something like `...DELETE\n/${bucketName}/${fileName}\n\nhost...` with variables, not a literal. – Michael - sqlbot Jan 16 '19 at 12:23
  • @Michael-sqlbot I've used the way which you mentioned and am getting the same error. – Shanti Jan 22 '19 at 09:38

1 Answer

Error code SignatureDoesNotMatch generally comes when the signature we calculate and provide in our curl does not match the corresponding signature prepared by the S3 or Minio server based upon the headers we provide. Please make sure the headers provided in the curl command match the content you have in your signature.

Also, in the URL which you have provided in your curl delete request, there seems to be an extra '/' after https://s3.fidapp.org/.
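
For reference, a Signature Version 4 calculation for a bodyless, path-style `DELETE` that signs the same three headers as the script in the question. This is an added example, not code from the question or the answer; the host `s3.example.test`, the credentials and the timestamp are constructed placeholders, and the object path is assumed to need no URI encoding.

```shell
#!/bin/sh
# Added example: SigV4 signature for an S3 DELETE with an empty body.
# All hosts, keys and timestamps used below are constructed placeholders.

# SHA-256 of a zero-length payload (a DELETE carries no body).
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

to_hex()     { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }
sha256_hex() { printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.* //'; }
# hmac_hex HEXKEY DATA -> HMAC-SHA256 as hex (key is always passed hex-encoded)
hmac_hex()   { printf '%s' "$2" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/^.* //'; }

# signing_key SECRET YYYYMMDD REGION SERVICE -> hex signing key
signing_key() (
    k=$(hmac_hex "$(to_hex "AWS4$1")" "$2")   # kDate
    k=$(hmac_hex "$k" "$3")                   # kRegion
    k=$(hmac_hex "$k" "$4")                   # kService
    hmac_hex "$k" "aws4_request"              # kSigning
)

# canonical_delete HOST PATH AMZDATE -> canonical request text
# PATH must be byte-for-byte the path that is sent in the request URL.
canonical_delete() {
    printf 'DELETE\n%s\n\n' "$2"              # method, path, empty query string
    printf 'host:%s\nx-amz-content-sha256:%s\nx-amz-date:%s\n\n' "$1" "$EMPTY_SHA256" "$3"
    printf 'host;x-amz-content-sha256;x-amz-date\n%s' "$EMPTY_SHA256"   # no trailing newline
}

# delete_signature SECRET REGION HOST PATH AMZDATE -> hex signature
delete_signature() (
    day=${5%%T*}                              # YYYYMMDD part of the timestamp
    creq_hash=$(sha256_hex "$(canonical_delete "$3" "$4" "$5")")
    sts=$(printf 'AWS4-HMAC-SHA256\n%s\n%s/%s/s3/aws4_request\n%s' "$5" "$day" "$2" "$creq_hash")
    hmac_hex "$(signing_key "$1" "$day" "$2" s3)" "$sts"
)

# Demo with constructed values (not real credentials).
sig=$(delete_signature 'EXAMPLE-SECRET' us-east-1 s3.example.test /test_bucket/test.dat 20181219T102200Z)
echo "Authorization: AWS4-HMAC-SHA256 Credential=EXAMPLE-ACCESS-KEY/20181219/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=$sig"
```

The same timestamp, host and payload hash that go into `canonical_delete` have to be sent as the `X-Amz-Date`, `Host` and `X-Amz-Content-SHA256` headers of the actual request.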