
s3-signer

☁️ Presigned S3 URLs for Haskell
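License: BSD-2-Clause License
Development language: Haskell
Category: Cloud computing
Software type: Open-source software
Region: Not specified
Submitted by: 姚雅珺
Operating system: Cross-platform
Open-source organization:
Intended audience: Unknown
Software overview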

s3-signer

s3-signer is intended to be an aid in building secure cloud-based services with AWS. This library generates cryptographically secure URLs that expire at a user-defined interval. These URLs can be used to offload the process of uploading and downloading large files, freeing your webserver to focus on other things.

Features

  • Minimal dependencies
  • Web framework agnostic
  • Reduces web server load
  • Simple API
  • Ideal for AJAX direct-to-s3 upload scenarios

Documentation

S3 Query String Request Authentication

Implementation

AWS Specification

Signature = URL-Encode( Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ) );

Haskell Implementation

module Network.S3.Sign  ( sign ) where

import           Crypto.Hash.SHA1       (hash)
import           Crypto.MAC.HMAC        (hmac)
import qualified Data.ByteString.Base64 as B64
import           Data.ByteString.UTF8   (ByteString)
import           Network.HTTP.Types.URI (urlEncode)

-- | HMAC-SHA1 signature (a MAC, not encryption), Base64-encoded and then URL-encoded
sign :: ByteString -> ByteString -> ByteString
sign secretKey url = urlEncode True . B64.encode $ hmac hash 64 secretKey url

Use Case

{-# LANGUAGE OverloadedStrings #-}

module Main where

import           Network.S3

main :: IO ()
main = print =<< generateS3URL credentials request
  where
     credentials = S3Keys "<public-key-goes-here>" "<secret-key-goes-here>"
     request     = S3Request S3GET "application/zip" "bucket-name" "file-name.extension" 3 -- 3 secs until expired

Result

S3URL {
      signedRequest =
         "https://bucket-name.s3.amazonaws.com/file-name.extension?AWSAccessKeyId=<public-key-goes-here>&Expires=1402346638&Signature=1XraY%2Bhp117I5CTKNKPc6%2BiihRA%3D"
     }
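The example below is added here and is not s3-signer's code; it is written in Python so the signature can be recomputed independently of the library. It builds the Signature Version 2 StringToSign that the formula above is applied to, then shows that an `x-amz-*` header sent by the client but missing from the signed string produces a different signature, one cause of a 403. The credentials, function names and the `header_mismatch` scenario are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def string_to_sign(verb, content_type, expires, bucket, key, amz_headers=None):
    """Signature Version 2 StringToSign for query-string auth (Expires replaces Date)."""
    # CanonicalizedAmzHeaders: lower-case x-amz-* names, sorted, "name:value\n" each.
    headers = sorted((k.lower(), v.strip()) for k, v in (amz_headers or {}).items())
    canonical_amz = "".join(f"{k}:{v}\n" for k, v in headers)
    content_md5 = ""  # not sent in this example, so its line stays empty
    resource = f"/{bucket}/{quote(key)}"
    return f"{verb}\n{content_md5}\n{content_type}\n{expires}\n{canonical_amz}{resource}"


def sign(secret_key, to_sign):
    """URL-Encode(Base64(HMAC-SHA1(secret, UTF-8(StringToSign))))."""
    mac = hmac.new(secret_key.encode("utf-8"), to_sign.encode("utf-8"), hashlib.sha1)
    return quote(base64.b64encode(mac.digest()).decode("ascii"), safe="")


def presign(access_key, secret_key, verb, content_type, expires, bucket, key, amz_headers=None):
    """Build a URL of the same shape as the Result above."""
    sig = sign(secret_key, string_to_sign(verb, content_type, expires, bucket, key, amz_headers))
    return (f"https://{bucket}.s3.amazonaws.com/{quote(key)}"
            f"?AWSAccessKeyId={quote(access_key, safe='')}&Expires={expires}&Signature={sig}")


# Constructed sample values: placeholder credentials, Expires taken from the Result above.
ACCESS_KEY, SECRET_KEY, EXPIRES = "AKIDEXAMPLE", "constructed-secret", 1402346638


def header_mismatch():
    """Signature over what the server signed vs. what the client actually sends."""
    signed = string_to_sign("PUT", "application/zip", EXPIRES, "bucket-name", "file-name.zip")
    sent = string_to_sign("PUT", "application/zip", EXPIRES, "bucket-name", "file-name.zip",
                          {"x-amz-acl": "public-read"})
    return sign(SECRET_KEY, signed), sign(SECRET_KEY, sent)


if __name__ == "__main__":
    print(presign(ACCESS_KEY, SECRET_KEY, "GET", "", EXPIRES, "bucket-name", "file-name.extension"))
    server_sig, s3_sig = header_mismatch()
    print("signatures match:", hmac.compare_digest(server_sig, s3_sig))  # False
```

The verb, Content-Type, expiry, `x-amz-*` headers and resource path are all covered by the MAC, so the request must carry exactly the values that were signed.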

Snap integration - Downloads

-- Quick and dirty example
type FileID = ByteString

makeS3URL :: FileID -> IO S3URL
makeS3URL fileId = generateS3URL credentials request
  where
    credentials = S3Keys "<public-key-goes-here>" "<secret-key-goes-here>"
    request     = S3Request S3GET "application/zip" "bucket-name" (fileId <> ".zip") 3 

downloadFile :: Handler App (AuthManager App) ()
downloadFile = method POST $ currentUserId >>= maybe the404 handleDownload
  where handleDownload uid = do
          Just fileId <- getParam "fileId"
          -- Ensure file being requested belongs to user else 403...
          S3URL url <- liftIO $ makeS3URL fileId
          redirect' url 302

Direct to S3 AJAX Uploads

  • Configure S3 Bucket CORS Policy settings
  • CORS Docs
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>https://my-url-goes-here.com</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
  • Retrieve PUT Request URL via AJAX
type FileID = ByteString

makeS3URL :: FileID -> IO S3URL
makeS3URL fileId = generateS3URL credentials request
  where
    credentials = S3Keys "<public-key-goes-here>" "<secret-key-goes-here>"
    request     = S3Request S3PUT "application/zip" "bucket-name" (fileId <> ".zip") 3 

getUploadURL :: Handler App (AuthManager App) ()
getUploadURL = method POST $ currentUserId >>= maybe the404 handleDownload
  where handleDownload _ = do
          Just fileId <- getParam "fileId"
          -- Unwrap the S3URL (as in downloadFile above) before decoding it to Text
          S3URL url <- liftIO $ makeS3URL fileId
          writeJSON $ Data.Text.Encoding.decodeUtf8 url
  • Embed FileReader blob data to request
  • Send upload request
var xhr = new XMLHttpRequest();
xhr.open('PUT', url /* S3-URL generated from server */);
xhr.setRequestHeader('Content-Type', 'application/zip'); /* whatever http-content-type makes sense */
xhr.setRequestHeader('x-amz-acl', 'public-read');

/* upload completion check */
xhr.onreadystatechange = function(e) {
    if (this.readyState === 4 && this.status === 200) 
          console.log('upload complete');
};

/* Amazon gives you progress information on AJAX Uploads */
xhr.upload.addEventListener("progress", function(evt) {
    if (evt.lengthComputable) {
        var v = (evt.loaded / evt.total) * 100,
            val = Math.round(v) + '%';
        console.log('Completed: ' + val);
    }
}, false);

/* error handling */
xhr.upload.addEventListener("error", function(evt) {
   console.log("There has been an error :(");
}, false);

/* Commence upload */
xhr.send(file); // file here is a blob from the file reader API

File Reader Info

How to read file data from the browser

Troubleshooting

  • Why do I keep getting 403 forbidden when I attempt to upload or download from a pre-signed URL?
    • Ask yourself the following:
      • Are my keys specified correctly?
      • Did I configure the CORS settings on my bucket properly?
      • Still trouble? Make an issue
  • Why are my URLs expiring faster than the specified time?

FAQ

  • Why didn't you use HMAC-SHA256?
    • It's 30% slower, and for all intents and purposes no more secure than HMAC-SHA1 (no known vulnerabilities exist for it, to my knowledge). Plain SHA1 is a different story. Collisions can be found, but there is no known way to apply those to HMAC-SHA1.
    • For the curious SHA-1 is broken
    • For the paranoid (Schneier quote from same article above)
    • Relevant SO Post

This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn't affect applications such as HMAC where collisions aren't important).
