How-To Sketch

Using OpenSSL on Windows to Sign a File Upload Policy for AWS S3

Ann Lynnworth Jun 2016

Docs

The authoritative reference for uploading files directly from a web browser to an Amazon S3 bucket is here on Amazon, and a nice example with further tips has been available here since 2008.

This post concerns the steps 1-2-3-4 for signing the policy, and doing it with OpenSSL.exe at a Windows cmd prompt.

  1. Encode the policy by using UTF-8.

    If you are lucky enough to be able to express your policy in English, then you can use Notepad to save your JSON code to a simple ANSI file, because plain ASCII characters have the same bytes in ANSI and in UTF-8. Nothing further required.

    Match your utf8 filename to the one you specify in the BAT for step 2 below (inputfilespec).

  2. Encode those UTF-8 bytes by using Base64.

    A sample BAT file for doing this follows. Please adjust paths and filenames to something reasonable on your own system. All filenames are arbitrary except that you need to make sure that the output from step 2 ends up as the input to step 3 below.

    setlocal
    
    set  inputfilespec=showcase-upload.policy.utf8.json
    set outputfilespec=showcase-viaopenssl.base64.txt
    
    :: change to the folder containing this BAT file
    CD /D %~dp0

    :: -A writes the Base64 on a single line, with no line breaks
    type %inputfilespec% | D:\Apps\OpenSSL\OpenSSL-Win64\bin\openssl.exe base64 -A > %outputfilespec%
    
    type %outputfilespec%
    
    pause
    

    ( Thanks to wiki.openssl.org for the -A flag which prevents \n within the base64 output!!!!!!! )

  3. Sign the policy with your secret access key by using HMAC SHA-1.
  4. Encode the SHA-1 signature by using Base64.

Steps 3 and 4 are best done together. A sample BAT follows. You will be prompted to paste in your secret key, which will be used to sign the policy.

Note that the output from step 2 must become the input for steps 3 and 4. Coordinate the filenames accordingly.

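    setlocal

    set opensslpath=D:\Apps\OpenSSL\OpenSSL-Win64\bin\

    set  inputfilespec=showcase-viaopenssl.base64.txt
    set outputfilespec=showcase-viaopenssl.signed.base64.txt

    :: the key typed here is passed to openssl.exe on its command line
    set /P secretkey=Enter secret key :

    :: change to the folder containing this BAT file
    CD /D %~dp0

    :: remove any previous result
    if exist %outputfilespec% del %outputfilespec%

    :: steps 3 and 4 as one command line: HMAC SHA-1 in binary, then Base64 on a single line
    %opensslpath%openssl.exe dgst -sha1 -hmac "%secretkey%" -binary %inputfilespec% | %opensslpath%openssl.exe base64 -A > %outputfilespec%

    if errorlevel 1 pause
    type %outputfilespec%

    pause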
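To cross-check what the two BAT files produce, steps 1 to 4 can be reproduced in Python; the sketch also shows why the -A flag and the ANSI/UTF-8 point matter, since the signature covers the exact Base64 bytes. This is an added example, not code from the original post: the policy, bucket name and secret key are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import textwrap

# Constructed sample inputs: not a real key, bucket, or policy from the article.
SAMPLE_SECRET = "EXAMPLE-SECRET-KEY-NOT-REAL"
SAMPLE_POLICY = json.dumps({
    "expiration": "2030-01-01T00:00:00Z",
    "conditions": [
        {"bucket": "example-bucket"},
        ["starts-with", "$key", "uploads/"],
        {"acl": "private"},
    ],
})


def encode_policy(policy_text, file_encoding="utf-8"):
    """Steps 1-2: policy bytes, then single-line Base64 (like `openssl base64 -A`)."""
    return base64.b64encode(policy_text.encode(file_encoding)).decode("ascii")


def sign_policy(policy_b64, secret_key):
    """Steps 3-4: HMAC-SHA1 keyed with the secret over the Base64 text, then Base64."""
    mac = hmac.new(secret_key.encode("utf-8"), policy_b64.encode("ascii"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def signature_matches(policy_b64, claimed_signature, secret_key):
    """Constant-time comparison, for checking a signature produced elsewhere."""
    return hmac.compare_digest(sign_policy(policy_b64, secret_key), claimed_signature)


def wrapped(policy_b64, width=64):
    """Base64 as written without -A: broken into lines, each ending in a newline."""
    return "".join(line + "\n" for line in textwrap.wrap(policy_b64, width))


if __name__ == "__main__":
    b64 = encode_policy(SAMPLE_POLICY)
    sig = sign_policy(b64, SAMPLE_SECRET)
    print("signature:", sig)
    # The HMAC covers the exact Base64 bytes, so wrapped output no longer verifies.
    print("wrapped verifies:", signature_matches(wrapped(b64), sig, SAMPLE_SECRET))
    # ASCII-only policy: ANSI (cp1252) bytes equal UTF-8 bytes, so the Base64 matches.
    print("ANSI == UTF-8:", encode_policy(SAMPLE_POLICY, "cp1252") == b64)
    accented = SAMPLE_POLICY.replace("uploads/", "téléversements/")
    print("accented ANSI == UTF-8:", encode_policy(accented, "cp1252") == encode_policy(accented))
```

To compare against the BAT output, pass the contents of the step 2 and step 4 output files to `signature_matches` together with the same secret key.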

Happy Uploading.

Photo from Security-Insider

Company publishing this blog in 2022: HREF Tools Corp. based in Wilmington, Delaware USA