2015-09-08 83 views
0

Trying to get Amazon S3 client-side encryption working with Javascript
Amazon S3 client-side encryption Javascript

Setting up SSE for specific S3 objects within a bucket is optional and can easily be done at the individual object level. It is also possible to set a "blanket" policy requiring all data sent to the S3 bucket to be encrypted. An example of such a policy is as follows:

{
  "Version": "2013-05-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::SensitiveBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

In order to successfully put any data into this S3 bucket, the request will need to include the "x-amz-server-side-encryption" header.

Since it is client-side, I have this JSON policy set:

{
  "expiration": "2020-01-01T00:00:00Z",
  "conditions": [
    {"bucket": "angular-file-upload"},
    ["starts-with", "$key", ""],
    {"acl": "private"},
    {"x-amz-server-side-encryption": "AES256"},
    {"x-amz-server-side-encryption-customer-key": "ABC1234835784375349754857893"},
    {"x-amz-server-side-encryption-customer-key-MD5": "d0259989a64a9234457dbc51d5202c24"},
    ["starts-with", "$Content-Type", ""],
    ["starts-with", "$filename", ""],
    ["content-length-range", 0, 524288000]
  ]
}

I am sending the file to S3 the CORS way (POST), and I am also sending the x-amz-server-side-encryption header during the upload.

I tried with both JSON policies, but they both throw the same result.

The response is as follows:

<Error>
  <Code>AccessDenied</Code>
  <Message>Invalid according to Policy: Extra input fields: x-amz-server-side-encryption-customer-key</Message>
  <RequestId>...</RequestId>
  <HostId>...</HostId>
</Error>

Does anyone know what is going on here? Lately I am even curious whether it is possible at all to encrypt client-side with JS & CORS.

Cheers.

+0

Don't send the header. –

Answer

0

I was able to get rid of this warning by including x-amz-server-side-encryption in the created policy and in the base64-encoded policy, as well as in the form data sent in the AJAX request.

Policy:

var s3Policy = {
  "expiration": formatted,
  "conditions": [
    { "bucket": "MYBUCKET" },
    { "acl": config.acl },
    { "x-amz-server-side-encryption": "AES256" },
    [ "eq", "$key", path ],
    [ "eq", "$Content-Type", mimetype ],
    [ "content-length-range", 0, maxSize ],
  ]
};

Form data submitted:

data.params = {
  key: path,
  AWSAccessKeyId: key,
  acl: acl,
  Policy: base64Policy,
  Signature: signature,
  "Content-Type": mimetype,
  "x-amz-server-side-encryption": "AES256",
},

For completeness, I also have the following CORS configuration:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
    <AllowedHeader>*</AllowedHeader>
    <AllowedHeader>Content-Type</AllowedHeader>
    <AllowedHeader>x-amz-acl</AllowedHeader>
    <AllowedHeader>origin</AllowedHeader>
  </CORSRule>
</CORSConfiguration>

And the bucket policy (required to enforce encryption):

{
  "Version": "2012-10-17",
  "Id": "Policy1447114958606",
  "Statement": [
    {
      "Sid": "Stmt1447114951553",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::MYBUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

My code that actually posts the file to S3 looks like this, but this will depend on the libraries and wrappers you choose to use:

// Build the form data (this is what we will eventually post)
var fd = new FormData();
if (data.params) {
  for (var prop in data.params) {
    if (data.params.hasOwnProperty(prop)) {
      fd.append(prop, data.params[prop]);
    }
  }
}
fd.append('file', file);

// Post data
var deferred = $q.defer();
var req = $.ajax({
  type: 'POST',
  url: data.url,
  data: fd,
  cache: false,
  contentType: false,
  processData: false,
  success: function(response, textStatus, jqXHR) { deferred.resolve(response); },
  error: function(jqXHR, textStatus, errorThrown) { deferred.reject(errorThrown || "Upload failed, try again"); },
  xhr: function() {
    var myXhr = $.ajaxSettings.xhr();
    if (myXhr.upload) myXhr.upload.addEventListener('progress', function (progress) { deferred.notify(progress); }, false);
    return myXhr;
  }
});
var promise = deferred.promise;
promise.cancel = function() {
  req.abort();
  deferred.reject("Cancelled");
};
return promise;

+0

I just noticed you are looking to encrypt with a customer key, and I'm not sure my suggestion actually helps in that case. – Aku
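The "Extra input fields" error in the question comes from the S3 POST policy rule that every form field, apart from a few exempt ones, must be covered by a condition in the signed policy. The following JavaScript is an added example, not code from the question or the answer: it builds a policy in the shape of the answer's s3Policy, base64-encodes it for the Policy field, and checks a set of form fields against the policy's conditions before anything is sent. The bucket name, object key, MIME type and form field values are constructed for the demonstration.

```javascript
// Added example, not from the question or answer: mirrors S3's "Extra input fields" check
// for browser POST uploads. Bucket, key, MIME type and form fields are constructed.
// Field names the policy need not mention (compared case-insensitively here).
const EXEMPT_FIELDS = new Set(["awsaccesskeyid", "signature", "policy", "file"]);

// Build a POST policy like the answer's s3Policy, plus its base64 form for the Policy field.
function buildPolicy(bucket, keyPath, mimetype, maxSize, expiration) {
  const policy = {
    expiration,
    conditions: [
      { bucket },
      { acl: "private" },
      { "x-amz-server-side-encryption": "AES256" }, // satisfies the Deny bucket policy
      ["eq", "$key", keyPath],
      ["eq", "$Content-Type", mimetype],
      ["content-length-range", 0, maxSize],
    ],
  };
  return { policy, base64: Buffer.from(JSON.stringify(policy)).toString("base64") };
}

// Collect the lower-cased field names the policy's conditions cover.
function coveredFields(policy) {
  const names = new Set();
  for (const cond of policy.conditions) {
    if (Array.isArray(cond)) {
      if (cond[0] === "content-length-range") continue; // constrains the body, not a field
      names.add(cond[1].replace(/^\$/, "").toLowerCase()); // ["eq", "$key", ...] -> "key"
    } else {
      Object.keys(cond).forEach((k) => names.add(k.toLowerCase()));
    }
  }
  return names;
}

// Form fields the policy does not cover; any entry here means S3 answers
// "Invalid according to Policy: Extra input fields: <name>" instead of storing the object.
function extraInputFields(policy, formFields) {
  const covered = coveredFields(policy);
  return Object.keys(formFields).filter((f) => {
    const name = f.toLowerCase();
    return !EXEMPT_FIELDS.has(name) && !name.startsWith("x-ignore-") && !covered.has(name);
  });
}

// Constructed sample: the answer's field set, then the same set with the SSE-C key field added.
const built = buildPolicy("MYBUCKET", "uploads/report.pdf", "application/pdf", 524288000, "2020-01-01T00:00:00Z");
const okFields = { key: "uploads/report.pdf", AWSAccessKeyId: "AKIA-PLACEHOLDER", acl: "private",
  Policy: built.base64, Signature: "sig-placeholder", "Content-Type": "application/pdf",
  "x-amz-server-side-encryption": "AES256" };
const sseCFields = { ...okFields, "x-amz-server-side-encryption-customer-key": "constructed-key" };
```

Running `extraInputFields(built.policy, okFields)` returns an empty array, while the same call with `sseCFields` returns the customer-key field name, which is exactly the field S3 named in the question's error response.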
