AWS S3 direct upload returns invalid signature (version 4 signature)

Question

I'm sick of seeing this response:

The request signature we calculated does not match the signature you provided. Check your key and signing method.

I know a version this question has been answered here:

SO - AWS S3 browser upload using HTTP POST gives invalid signature

And I have followed every detail of it with no luck, and I'm probably missing something simple. I'm using C# to generate a policy and v4 Aws signature. Here is the policy code:

var policyBuilder = new StringBuilder();

policyBuilder.AppendFormat("{{ \"expiration\": \"{0}\",\r\n", "2017-12-30T12:00:00.000Z");
policyBuilder.Append("  \"conditions\": [\r\n");
policyBuilder.Append("    [\"starts-with\", \"$key\", \"\"],\r\n");
policyBuilder.AppendFormat("    {{\"x-amz-credential\": \"{1}\"}},\r\n",  <MyAccessKey>/20170214/us-east-2/s3/aws4_request));
policyBuilder.Append("    {\"x-amz-algorithm\": \"AWS4-HMAC-SHA256\"},\r\n");
policyBuilder.Append("    {\"x-amz-date\": \"20170214T000000Z\" }\r\n");
policyBuilder.Append("  ]\r\n}");

var policyString = policyBuilder.ToString();
var policyStringBytes = Encoding.UTF8.GetBytes(policyString);
return Convert.ToBase64String(policyStringBytes);

This is the code used to generate the signature:

static byte[] HmacSHA256(String data, byte[] key)
{
    String algorithm = "HmacSHA256";
    KeyedHashAlgorithm kha = KeyedHashAlgorithm.Create(algorithm);
    kha.Key = key;

    return kha.ComputeHash(Encoding.UTF8.GetBytes(data));
}

static byte[] GetSignatureKey(String key, String dateStamp, String regionName, String serviceName)
{
    byte[] kSecret = Encoding.UTF8.GetBytes(("AWS4" + key).ToCharArray());
    byte[] kDate = HmacSHA256(dateStamp, kSecret);
    byte[] kRegion = HmacSHA256(regionName, kDate);
    byte[] kService = HmacSHA256(serviceName, kRegion);
    byte[] kSigning = HmacSHA256("aws4_request", kService);

    return kSigning;
}

public static string ToHexString(byte[] data, bool lowercase)
{
    var sb = new StringBuilder();
    for (var i = 0; i < data.Length; i++)
    {
        sb.Append(data[i].ToString(lowercase ? "x2" : "X2"));
    }
    return sb.ToString();
}

The method that brings it all together:

public string GetS3PolicySignatureV4(string policy)
{
    byte[] signingKey = GetSignatureKey(<MySecretKey>, "20170214T000000Z", "us-east-2", "s3");
    byte[] signature = HmacSHA256(policy, signingKey);
    return AWS4SignerBase.ToHexString(signature, true);
}

Here is the html form:

<form action="http://<BucketName>.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
    <input type="hidden" name="key" value="<FileKey>" />
    <input type="hidden" name="x-amz-credential" value="<MyAccessKey>/20170214/us-east-2/s3/aws4_request"/>
    <input type="hidden" name="x-amz-algorithm" value="AWS4-HMAC-SHA256" />
    <input type="hidden" name="x-amz-date" value="20170214T000000Z" />
    <input type="hidden" name="policy" value='<Base64PolicyResult>' />
    <input type="hidden" name="x-amz-signature" value="<GenerateSignature>" />
    File:
    <input type="file" name="file" /> <br />
    <input type="submit" name="submit" value="Upload to Amazon S3" />
</form>

I have verified that the example policy result in this example:

AWS - Examples: Browser-Based Upload using HTTP POST (Using AWS Signature Version 4)

as well as the resulting signature matched the example using the provided parameters and keys. But when I try to POST to S3, I always get that dreaded response.

Answer 1

The issue was that the date passed into the GetSignatureKey method was incorrectly formatted. Should have just been "20170214" and the hidden form field x-amz-date is the ISO8601 format of "20170214T000000Z". I was passing in the same value into the GetSignatureKey method.