--aws-sigv4 doesn't sort query string parameters before signing

[cristidiaconu]

SigV4 specification says that the query string parameters must be sorted before signing:

To construct the canonical query string, complete the following steps:

Sort the parameter names by character code point in ascending order. [...]

But curl doesn't do that.

I've run the following command and got a signature-related error:

> curl --aws-sigv4 "aws:amz:us-east-1:es" --user "<AccessKeyId>:<SecretAccessKey>" --header "X-Amz-Security-Token:<SessionToken>" \
-X POST 'https://<endpoint>/<index>/_search?sort=_doc&size=50' \
-H "Content-Type: application/json"  --data-raw $'<query>'

{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}

However if I manually write the query string parameters in alphabetical order it works:

> curl --aws-sigv4 "aws:amz:us-east-1:es" --user "<AccessKeyId>:<SecretAccessKey>" --header "X-Amz-Security-Token:<SessionToken>" \
-X POST 'https://<endpoint>/<index>/_search?size=50&sort=_doc' \
-H "Content-Type: application/json"  --data-raw $'<query>'

{...successful response...}

curl/libcurl version

> curl -V output
curl 7.76.1 (x86_64-koji-linux-gnu) libcurl/7.76.1 OpenSSL/1.0.2k-fips zlib/1.2.7 libidn2/2.3.0 libssh2/1.4.3 nghttp2/1.41.0

operating system

MacOS Monterey 12.6

[bagder]

We have fixed numerous details in the sigv4 support since then, most recently in #7966 (to be included in the pending 7.86.0 release).

[cristidiaconu]

We have fixed numerous details in the sigv4 support since then, most recently in #7966 (to be included in the pending 7.86.0 release).

Thanks for the quick response.

I see a fix about sorting headers but couldn't find anything about sorting the query string parameters though.

[bagder]

@outscale-mgo is this a remaining issue?

[pratik-mahamuni]

@bagder I feel it is. I am trying to do the same thing with 4 query parameters and the error persists.

curl --user "<access_key>:<secret_key>" --aws-sigv4 "aws:amz:us-east-1:sts" --request GET "https://sts.amazonaws.com/?Action=AssumeRole&DurationSeconds=3600&RoleArn=<role_arn>&RoleSessionName=Test&Version=2011-06-15"

This gives the error:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
  </Error>
  ...
</ErrorResponse>

Curl version information:

curl 7.85.0 (x86_64-pc-linux-gnu) libcurl/7.85.0 OpenSSL/3.0.5 zlib/1.2.11 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.3 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.10.0 nghttp2/1.50.0 librtmp/2.3

[outscale-mgo]

Yes #7966 didn't fix the issue,
This issue should be fix in #7600, This PR still require work though as, url encoding doesn't seems to be the same depending if used on S3, or other AWS API.
(I also did prioritise #7966, as the very easy workaround for this issue is to manually encode the URI, which is a lot easier than to reimplement the whole signature)

[libcthorne]

I've just encountered the same issue when using unordered parameters, would love to see a fix for this!