signature-v4: stringToSign and signingKey should use Scope's date. (#3688)

fixes #3676
2025-11-07 12:52:58 -05:00 · 2017-02-06 13:09:09 -08:00
parent 93fd269329
commit 45d9cfa0c5
6 changed files with 25 additions and 27 deletions
--- a/cmd/signature-v4.go
+++ b/cmd/signature-v4.go
@@ -124,9 +124,9 @@ func getScope(t time.Time, region string) string {
 }

 // getStringToSign a string based on selected query values.
-func getStringToSign(canonicalRequest string, t time.Time, region string) string {
+func getStringToSign(canonicalRequest string, t time.Time, scope string) string {
 	stringToSign := signV4Algorithm + "\n" + t.Format(iso8601Format) + "\n"
-	stringToSign = stringToSign + getScope(t, region) + "\n"
+	stringToSign = stringToSign + scope + "\n"
 	canonicalRequestBytes := sha256.Sum256([]byte(canonicalRequest))
 	stringToSign = stringToSign + hex.EncodeToString(canonicalRequestBytes[:])
 	return stringToSign
@@ -182,14 +182,8 @@ func doesPolicySignatureV4Match(formValues map[string]string) APIErrorCode {
 		return ErrInvalidRegion
 	}

-	// Parse date string.
-	t, e := time.Parse(iso8601Format, formValues["X-Amz-Date"])
-	if e != nil {
-		return ErrMalformedDate
-	}
-
 	// Get signing key.
-	signingKey := getSigningKey(cred.SecretKey, t, region)
+	signingKey := getSigningKey(cred.SecretKey, credHeader.scope.date, region)

 	// Get signature.
 	newSignature := getSignature(signingKey, formValues["Policy"])
@@ -311,10 +305,10 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
 	presignedCanonicalReq := getCanonicalRequest(extractedSignedHeaders, hashedPayload, encodedQuery, req.URL.Path, req.Method, req.Host)

 	// Get string to sign from canonical request.
-	presignedStringToSign := getStringToSign(presignedCanonicalReq, t, region)
+	presignedStringToSign := getStringToSign(presignedCanonicalReq, t, pSignValues.Credential.getScope())

 	// Get hmac presigned signing key.
-	presignedSigningKey := getSigningKey(cred.SecretKey, t, region)
+	presignedSigningKey := getSigningKey(cred.SecretKey, pSignValues.Credential.scope.date, region)

 	// Get new signature.
 	newSignature := getSignature(presignedSigningKey, presignedStringToSign)
@@ -408,10 +402,10 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, region string) AP
 	canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method, req.Host)

 	// Get string to sign from canonical request.
-	stringToSign := getStringToSign(canonicalRequest, t, region)
+	stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope())

 	// Get hmac signing key.
-	signingKey := getSigningKey(cred.SecretKey, t, region)
+	signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date, region)

 	// Calculate signature.
 	newSignature := getSignature(signingKey, stringToSign)