fix: copyObject key rotation issue (#10085)

- copyObject in-place decryption failed due to incorrect verification of headers - do not decode ETag when object is encrypted with SSE-C, so that pre-conditions don't fail prematurely.
2025-11-20 18:06:10 -05:00 · 2020-07-18 17:36:32 -07:00
parent 44c8af66ad
commit d53e560ce0
4 changed files with 14 additions and 15 deletions
--- a/cmd/object-api-utils.go
+++ b/cmd/object-api-utils.go
@@ -612,7 +612,6 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, opts ObjectOptions, cl
 				}
 				return nil, err
 			}
-			oi.ETag = getDecryptedETag(h, oi, copySource) // Decrypt the ETag before top layer consumes this value.

 			if opts.CheckPrecondFn != nil && opts.CheckPrecondFn(oi) {
 				// Call the cleanup funcs
@@ -622,6 +621,8 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, opts ObjectOptions, cl
 				return nil, PreConditionFailed{}
 			}

+			oi.ETag = getDecryptedETag(h, oi, false)
+
 			// Apply the skipLen and limit on the
 			// decrypted stream
 			decReader = io.LimitReader(ioutil.NewSkipReader(decReader, skipLen), decRangeLength)