Aws::S3::Model::PutObjectRequest::SetChecksumSHA256 not behaving as expected

[aphillips-opentext]

Describe the bug

I am trying to make use of additional checksums in S3 as described here:
https://aws.amazon.com/getting-started/hands-on/amazon-s3-with-additional-checksums/?ref=docs_gateway/amazons3/checking-object-integrity.html

The page mentions that I can supply a precomputed checksum and the server will check it on upload. I added the checksum type and value to the put request and uploaded it and everything seemed to work; the web UI correctly displayed the checksum I had supplied. However I noticed that if I supply the wrong checksum, or even a string that isn't a checksum, the call still succeeds and the website still displays the correct checksum. This would suggest the SDK is not using what I supplied and calculating its own. Is this a bug or am I misunderstanding something?

Expected Behavior

If I supply a bad checksum I expect the object upload to fail.

Current Behavior

The upload succeeds.

Reproduction Steps

void UploadFile(const std::string& access_key_id, const std::string& secret_key, const std::string bucket_name, const std::string key_name, std::shared_ptr<std::fstream> file_stream)
{
  Aws::S3::S3ClientConfiguration config;
  config.scheme = Aws::Http::Scheme::HTTPS;
  config.region = "us-east-2";

  Aws::S3::S3Client client(Aws::Auth::AWSCredentials(access_key_id, secret_key), config, Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::RequestDependent, false);
  
  Aws::S3::Model::PutObjectRequest put_object_request;
  put_object_request.SetBucket(bucket_name);
  put_object_request.SetKey(key_name);
  put_object_request.SetBody(file_stream);
  put_object_request.SetChecksumAlgorithm(Aws::S3::Model::ChecksumAlgorithm::SHA256);
  put_object_request.SetChecksumSHA256("not_a_hash");

  auto outcome(client.PutObject(put_object_request));

  std::cout << "Put " << (outcome.IsSuccess() ? "succeeded" : "failed") << std::endl;
}

Possible Solution

No response

Additional Information/Context

The SDK was built with curl and openssl.

AWS CPP SDK version used

1.11.63

Compiler and Version used

Visual Studio 2022

Operating System and version

Windows 10 Enterprise

[yasminetalby]

Hello @aphillips-opentext ,

Thank you very much for your submission.

I noticed that you were using Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::RequestDependent when creating the s3 client.

As you can read from our API documentation this has the following effect: Sign the request based on the value returned by AmazonWebServiceRequest::SignBody()

I have double checked the behavior of the SDK for both case scenario case scenario:

1. S3Client without Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::RequestDependent

Providing invalid checksum results to the following behavior:

Error: PutObject: Unable to parse ExceptionName: InvalidRequest Message: Value for x-amz-checksum-sha256 header is invalid.

Request fails.

2. S3Client withAws::Client::AWSAuthV4Signer::PayloadSigningPolicy::RequestDependent

Providing invalid checksum results to the following behavior:

Request successful

Best,

Yasmine

[aphillips-opentext]

So request signing and precomputed checksums are mutually exclusive? I hadn't seen that anywhere in the documentation but we can probably live without the former.

The issue I'm seeing now is when I use Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never and supply a correct checksum I'm getting the following error:
Unable to parse ExceptionName: InvalidRequest Message: Expecting a single x-amz-checksum- header

[grantlouisherman]

Would the fix for this also apply to SetContentMD5 as well? I opened another issue for the problem of it being not sent. #2818

[jmklix]

Fixed with this PR: #2826

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.