Different error code/message when downloading an object with an incorrect encryption key using the Amazon S3 client


Hello, I am trying to replicate an issue while downloading an object from Linode S3 storage using the com.amazonaws.services.s3.AmazonS3 client.

I am trying two scenarios:

1: getting the metadata of the blob

Code to download metadata with an invalid encryption key:

    // HEAD request for the object's metadata, deliberately sent with the wrong SSE-C key.
    private static void downloadMetaDataFileWithInvalidEncryptionKey(AmazonS3 s3Client, String bucketName, String objectKey) throws Exception {
        System.out.println("called downloadFile metadata----");

        // Base64 of a 32-byte key that is NOT the key the object was encrypted with.
        String base64EncodedKeyWrong = "ZjExMmJmMGZjZmQyMjAxZDNmMjU1MjRhNTNlY2E0OGM=";
        SSECustomerKey sseKeyWrong = new SSECustomerKey(Base64.getDecoder().decode(base64EncodedKeyWrong));

        GetObjectMetadataRequest getObjectMetadataRequest = new GetObjectMetadataRequest(bucketName, objectKey)
                .withSSECustomerKey(sseKeyWrong);

        // Throws AmazonS3Exception when the service rejects the key.
        ObjectMetadata in = s3Client.getObjectMetadata(getObjectMetadataRequest);
        System.out.println("content length: " + in.getContentLength());
    }

Exception:

com.amazonaws.services.s3.model.AmazonS3Exception: Bad Request (Service: Amazon S3; Status Code: 400; Error Code: 400 Bad Request; Request ID: tx000000874ead5c5f76c89-0067287617-845c4b44-default; S3 Extended Request ID: null; Proxy: null), S3 Extended Request ID: null
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)

2: getting the actual data of the blob

Code to download the file with an invalid encryption key:

    // GET request for the object's content, deliberately sent with the wrong SSE-C key.
    private static void downloadFileWithInvalidEncryptionKey(AmazonS3 s3Client, String bucketName, String objectKey) throws Exception {
        System.out.println("called downloadFile file----");

        // Same wrong 32-byte key as in the metadata scenario.
        String base64EncodedKeyWrong = "ZjExMmJmMGZjZmQyMjAxZDNmMjU1MjRhNTNlY2E0OGM=";
        SSECustomerKey sseKeyWrong = new SSECustomerKey(Base64.getDecoder().decode(base64EncodedKeyWrong));

        GetObjectRequest getObjectRequest = new GetObjectRequest(bucketName, objectKey)
                .withSSECustomerKey(sseKeyWrong);

        // Throws AmazonS3Exception when the service rejects the key; close the stream if it does succeed.
        try (InputStream inputStream = s3Client.getObject(getObjectRequest).getObjectContent()) {
            System.out.println("first byte: " + inputStream.read());
        }
    }

Exception:

com.amazonaws.services.s3.model.AmazonS3Exception: Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key. (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: tx00000b3594a0388b1f4aa-0067287617-83ea7113-default; S3 Extended Request ID: 83ea7113-default-default; Proxy: null), S3 Extended Request ID: 83ea7113-default-default
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)

Driver code:

    public static void main(String[] args) throws Exception {
        String accessKey = "accesskeyoflinodebucket";
        String secretKey = "secretKeyoflinodebucket";

        String endpoint = "https://us-ord-1.linodeobjects.com";
        String region = "us-ord-1";
        String bucketName = "linode-bucket-name";

        String objectKey = "ekart_table_08_test3-encrypt.csv";

        BasicAWSCredentials awsCredentials = new BasicAWSCredentials(accessKey, secretKey);

        // Point the AWS SDK v1 client at the Linode Object Storage endpoint.
        AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, region))
                .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                .build();

        // Scenario 2: GET the object content with the wrong key.
        try {
            downloadFileWithInvalidEncryptionKey(s3Client, bucketName, objectKey);
        } catch (Exception e) {
            System.out.println("failed downloadFileWithInvalidEncryptionKey");
            e.printStackTrace();
        }
        // Scenario 1: HEAD the object metadata with the wrong key.
        try {
            downloadMetaDataFileWithInvalidEncryptionKey(s3Client, bucketName, objectKey);
        } catch (Exception e) {
            System.out.println("failed downloadMetaDataFileWithInvalidEncryptionKey");
            e.printStackTrace();
        }
    }

While both requests appear similar, the first exception's message is less specific. I'm curious whether this first exception is accurate and informative, or if there's a more detailed explanation for the 'Bad Request' error, because as you can see the second exception has more details about the reason for the failure. I am asking here because I asked the same question to the Linode team as well, and they said it might be an S3 client issue.

asked 3 months ago, 75 views
1 Answer

The difference in error messages you're observing is indeed related to how the Amazon S3 client handles different types of requests when using server-side encryption with customer-provided keys (SSE-C).

For the first scenario, where you're trying to get object metadata: The error message is less specific because the S3 client is making a HEAD request to retrieve metadata. When the encryption key is incorrect, S3 returns a generic 400 Bad Request error without exposing details about the encryption key mismatch. This is a security measure to prevent potential attackers from gathering information about the encryption process.

For the second scenario, where you're trying to download the actual object: The error message is more detailed because it's a GET request to retrieve the object's content. In this case, S3 provides more specific information about the encryption key issue, as it's necessary for the client to understand why the decryption failed.

This behavior is consistent with Amazon S3's approach to security and error handling for SSE-C operations. The difference in error messages is not a client issue per se, but rather reflects how S3 responds to different types of requests involving encrypted objects.

To get more consistent error handling, you could implement your own error checking logic that attempts to interpret the generic "Bad Request" errors when working with SSE-C objects. However, it's important to note that the less detailed error for metadata requests is intentional for security reasons.

When working with SSE-C, always ensure that you're using the correct encryption key and that it's properly formatted. The error messages, while different, both indicate issues with the provided encryption key, which is the root cause of the failures in your scenarios.
Sources:
- Using server-side encryption with customer-provided keys (SSE-C) - Amazon Simple Storage Service
- GetObject - Amazon Simple Storage Service

answered 3 months ago
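One way to build the "own error checking logic" the answer suggests, as an added example that is not part of the question or the answer: a hypothetical helper that HEADs the object and, when it gets the opaque 400 shown in scenario 1, re-issues a one-byte ranged GET with the same key solely to obtain the descriptive error from scenario 2. It assumes the AWS SDK for Java v1 client from the question and the status/error-code values observed against the Linode endpoint on this page; other S3 implementations may return different codes for a rejected SSE-C key.

```java
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.AmazonS3Exception;
import com.amazonaws.services.s3.model.GetObjectMetadataRequest;
import com.amazonaws.services.s3.model.GetObjectRequest;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.S3Object;
import com.amazonaws.services.s3.model.SSECustomerKey;

/** Hypothetical helper: gives SSE-C HEAD failures the same detail as GET failures. */
public final class SseCMetadataReader {

    /** Thrown when the service rejected the customer-provided key. */
    public static final class SseCKeyRejected extends Exception {
        public SseCKeyRejected(String detail, AmazonS3Exception cause) { super(detail, cause); }
    }

    /** The descriptive rejection seen on GET in the question: 400 + InvalidArgument + SSE-C message. */
    static boolean isDescriptiveSseCRejection(AmazonS3Exception e) {
        return e.getStatusCode() == 400
                && "InvalidArgument".equals(e.getErrorCode())
                && e.getErrorMessage() != null
                && e.getErrorMessage().contains("Customer provided keys");
    }

    /** The opaque HEAD failure: a HEAD response carries no body, so the SDK sees only the
     *  status line and reports the error code as "400 Bad Request" (as in scenario 1). */
    static boolean isOpaqueBadRequest(AmazonS3Exception e) {
        return e.getStatusCode() == 400
                && (e.getErrorCode() == null || e.getErrorCode().startsWith("400"));
    }

    /** HEAD the object; on an opaque 400, probe with a one-byte ranged GET using the same key
     *  so the caller gets the service's real reason instead of a bare "Bad Request". */
    public static ObjectMetadata headWithSseC(AmazonS3 s3, String bucket, String key, SSECustomerKey sseKey)
            throws SseCKeyRejected {
        try {
            return s3.getObjectMetadata(new GetObjectMetadataRequest(bucket, key).withSSECustomerKey(sseKey));
        } catch (AmazonS3Exception head) {
            if (!isOpaqueBadRequest(head)) throw head;
            try (S3Object probe = s3.getObject(new GetObjectRequest(bucket, key)
                    .withSSECustomerKey(sseKey).withRange(0, 0))) {
                return probe.getObjectMetadata();   // key is fine; the HEAD failed for another reason
            } catch (AmazonS3Exception get) {
                if (isDescriptiveSseCRejection(get)) {
                    throw new SseCKeyRejected(get.getErrorMessage()
                            + " (HEAD request id " + head.getRequestId() + ")", get);
                }
                throw head;   // probe failed differently; report the original HEAD error
            } catch (java.io.IOException io) {
                throw head;   // closing the probe stream failed; the HEAD error is still the useful one
            }
        }
    }
}
```

The probe costs one extra round trip only on the failure path, and the message it surfaces ("Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key.") is the same text the GET in scenario 2 produced.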
