How to get aws sever-side encrypted object

问题

I am trying to store object at S3 and retrieve it for that I am doing following

$key = 'myverykey';
$hash = hash_hmac('sha256',$key,true);

$SSECustomerKey = substr($hash,0,32);

 $params = [
        'Bucket' => 'somebucketname',
        'Key' => 'abc.png',
        'Body' => "resource",
        'ACL' => 'private',
        'SSECustomerAlgorithm' => 'AES256',
        'SSECustomerKey' => $SSECustomerKey,
        'SSECustomerKeyMD5' => md5($SSECustomerKey, true),
    ];
     s3->putObject($params);

And then I am creating signed url like

echo el_s3_getTemporaryLink(id, 'mysecretkey', 'cloudfront-config', 'ab.png');


function el_crypto_hmacSHA1($key, $data, $blocksize = 64) {
    if (strlen($key) > $blocksize) $key = pack('H*', sha1($key));
    $key = str_pad($key, $blocksize, chr(0x00));
    $ipad = str_repeat(chr(0x36), $blocksize);
    $opad = str_repeat(chr(0x5c), $blocksize);
    $hmac = pack( 'H*', sha1(
        ($key ^ $opad) . pack( 'H*', sha1(
            ($key ^ $ipad) . $data
        ))
    ));
    return base64_encode($hmac);
}


function el_s3_getTemporaryLink($accessKey, $secretKey, $bucket, $path, $expires = 1) {
    $expires = time() + intval(floatval($expires) * 60);
    $path = str_replace('%2F', '/', rawurlencode($path = ltrim($path, '/')));
    $signpath = '/'. $bucket .'/'. $path;
    $signsz = implode("\n", $pieces = array('GET', null, null, $expires, $signpath));
    $signature = el_crypto_hmacSHA1($secretKey, $signsz);
    $url = sprintf('http://%s.s3.amazonaws.com/%s', $bucket, $path);
    $qs = http_build_query($pieces = array(
        'AWSAccessKeyId' => $accessKey,
        'Expires' => $expires,
        'Signature' => $signature,
    ));
    return $url.'?'.$qs;
}

it works perfectly fine I am getting url like

http://demobucketname.s3.amazonaws.com/ab.png?AWSAccessKeyId=AKIAJUZQHGRTYNOLEUXQ&Expires=1445855704&Signature=3y6eAq1fe5PVASma5DPFmjV7BB3dY%3D

I can access private object with that if I don't add

'SSECustomerAlgorithm' => 'AES256',
'SSECustomerKey' => $SSECustomerKey,
'SSECustomerKeyMD5' => md5($SSECustomerKey, true),

while putting object to bucket and now I am getting following error

<Error>
     <Code>InvalidRequest</Code>
     <Message>
          The object was stored using a form of Server Side Encryption. The correct parameters must be provided to retrieve the object.
     </Message>
     <RequestId>E19B53C0EE2A6E7C</RequestId>
     <HostId>
       WOwzj29NBh49uE5Lmtut96PFY8pf3UD8bBWGLXdAFHryNT94WD7qJbqMbu7fKCfROKEIWKwPPX4=
     </HostId>
</Error>

now how to create signed url which works in this case too?

回答1:

When using the presigned URL to upload a new object, retrieve an existing object, or retrieve only object metadata, you must provide all the encryption headers in your client application. (emphasis added)

http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html

Note "headers," not query string parameters.

SSE-C essentially doesn't support signed URLs for use in web browsers... which makes sense, since exposing pre-signed URL with the encryption key embedded would also expose the encryption key.

If you need user data encrypted server-side, and for users to access the data with pre-signed URLs, SSE-C isn't likely the correct choice.

来源：https://stackoverflow.com/questions/33343662/how-to-get-aws-sever-side-encrypted-object