Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Developer Guide: Document Support for Amazon S3 Object Integrity Features #1689

Closed
skmcgrail opened this issue Apr 29, 2022 · 2 comments
Closed

Comments

@skmcgrail
Copy link
Member

skmcgrail commented Apr 29, 2022

A little bit more nuanced, but I think this highlights that it is worth creating a developer guide documentation page to help clarify the behaviors when using the S3 client and checksums.

  • If a user specifies an explicit checksum value in either the ChecksumCRC32, ChecksumCRC32C, ChecksumSHA1, or ChecksumSHA256 fields then the SDK will send that value specified using a standard HTTP request header using the appropriate x-amz-checksum-* header for each. This is not affected by whether the HTTP or HTTPS scheme is used. The request will be signed with SigV4 or SigV4a regardless of the scheme, the only distinction is whether the payload body hash is computed or not for the x-amz-content-sha256 header. For HTTP schemes this will be the computed sha256 hash for the PutObject body, otherwise for HTTPS this will be UNSIGNED-PAYLOAD. If the payload body hash needs to be computed for sending to a non-HTTPS endpoint, then the body must be seekable so the SDK can compute the hash and reseek the body.
  • If ChecksumAlgorithm field, and an algorithm Checksum* member is not set, then the SDK will compute the corresponding checksum for the request and will send it in the appropriate x-amz-checksum-*. The only distinction is if the checksum is sent as a header or trailer based on the endpoint scheme
    • If the scheme is HTTPS the computed checksum will be sent in a trailer header block using aws-chunked encoding. It will also do so use an unsigned payload variant called STREAMING-UNSIGNED-PAYLOAD-TRAILER which does not require signing each aws-chunk. The Go SDK only supports this variant of aws-chunked, which is why computed checksums sent via a aws-chunked trailer requires an HTTPS endpoint in this SDK. For trailer streaming the content-length of the PutObject body must be known. So either the PutObject request specifies ContentLength field, the body implements interface{ Len() int }, or the body is seekable so SDK can figure out the length to be sent. The SDK may add support for the signed aws-chunked variants (e.g. STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER) in the future as to support sending of signed checksum trailers to non-HTTPS endpoints. That feature is supported in SDKs that had already supported signed aws-chunked payloads previously.
    • If the scheme is HTTP then the SDK will fallback to to a behavior similar to the provided checksum case, but instead the SDK will compute the value (thus the body must be seekable), and attach it as a header similar to the provided checksum case.

Originally posted by @skmcgrail in #1667 (comment)

@skmcgrail skmcgrail added the documentation This is a problem with documentation. label Apr 29, 2022
@skmcgrail skmcgrail changed the title documentation: Document SDK Support for Amazon S3 Object Integrity Features Developer Guide: Document SDK Support for Amazon S3 Object Integrity Features Apr 29, 2022
@skmcgrail skmcgrail changed the title Developer Guide: Document SDK Support for Amazon S3 Object Integrity Features Developer Guide: Document Support for Amazon S3 Object Integrity Features Apr 29, 2022
@petitout
Copy link

petitout commented Jun 29, 2022

@skmcgrail, with the golang sdk, It is currently not possible to use Amazon S3 Object Integrity Features with presigned URL because of this open bug : #1566

Copy link

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants