CLDSRV-848: check x-amz-checksum-[crc64nvme, crc32, crc32C, sha1, sha256] headers

leif-scality · leif-scality · commit 7498887a6022 · 2026-02-17T22:56:04.000+01:00
diff --git a/lib/api/apiUtils/integrity/validateChecksums.js b/lib/api/apiUtils/integrity/validateChecksums.js
@@ -1,36 +1,130 @@
 const crypto = require('crypto');
+const { Crc32 } = require('@aws-crypto/crc32');
+const { Crc32c } = require('@aws-crypto/crc32c');
+const { CrtCrc64Nvme } = require('@aws-sdk/crc64-nvme-crt');
 const { errors: ArsenalErrors } = require('arsenal');
 const { config } = require('../../../Config');
 
 const ChecksumError = Object.freeze({
     MD5Mismatch: 'MD5Mismatch',
+    XAmzMismatch: 'XAmzMismatch',
     MissingChecksum: 'MissingChecksum',
+    AlgoNotSupported: 'AlgoNotSupported',
+    MultipleChecksumTypes: 'MultipleChecksumTypes',
+    MissingCorresponding: 'MissingCorresponding'
 });
 
+// TEMP
+// https://github.com/aws/aws-sdk-js-v3/issues/6744
+// https://stackoverflow.com/questions/77663519/
+// does-aws-s3-allow-specifying-multiple-checksum-values-crc32-crc32c-sha1-and-s
+// Expecting a single x-amz-checksum- header. Multiple checksum Types are not allowed.
+// XAmzContentChecksumMismatch: The provided 'x-amz-checksum' header does not match what was computed.
+
+// TODO:
+// x-amz-checksum-algorithm x2 different
+// x-amz-checksum-algorithm x2 equal
+// x-amz-checksum-algorithm x2 + x-amz-checksum- valid x2
+// x-amz-checksum-algorithm x2 + x-amz-checksum- invalid x2
+// x-amz-checksum-algorithm x2 + x-amz-checksum- mismatch x2
+
+const algorithms = {
+    'crc64nvme': data => uint64ToBase64(new CrtCrc64Nvme().update(data).digest()),
+    'crc32': data => uint32ToBase64(new Crc32().update(data).digest() >>> 0),
+    'crc32c': data => uint32ToBase64(new Crc32c().update(data).digest() >>> 0),
+    'sha1': data => crypto.createHash('sha1').update(data).digest('base64'),
+    'sha256': data => crypto.createHash('sha256').update(data).digest('base64'),
+};
+
+function uint32ToBase64(num) {
+    return Buffer.alloc(4).writeUInt32BE(num, 0).toString('base64');
+}
+
+function uint64ToBase64(num) {
+    return Buffer.alloc(8).writeBigUint64BE(num, 0).toString('base64');
+}
+
+
+function validateXAmzChecksums(headers, body) {
+    const checksumHeaders = Object.keys(headers).filter(header => header.startsWith('x-amz-checksum-'));
+    const xAmzCheckumCnt = checksumHeaders.length;
+    if (xAmzCheckumCnt > 1) {
+        return { error: ChecksumError.MultipleChecksumTypes, details: null };
+    }
+
+    if ('x-amz-sdk-checksum-algorithm' in headers) {
+        const algo = headers['x-amz-sdk-checksum-algorithm'];
+        if (algo in algorithms === false) {
+            return { error: ChecksumError.AlgoNotSupported, details: null };
+        }
+
+        if (`x-amz-checksum-${algo}` in headers === false) {
+            return { error: ChecksumError.MissingCorresponding, details: null };
+        }
+
+        const expected = headers[`x-amz-checksum-${algo}`];
+        const calculated = algorithms[algo](body);
+        if (expected !== calculated) {
+            return { error: ChecksumError.XAmzMismatch, details: null };
+        }
+
+        return null;
+    }
+
+    if (xAmzCheckumCnt === 0) {
+        return { error: ChecksumError.MissingChecksum, details: null };
+    }
+
+    // No x-amz-sdk-checksum-algorithm we expect one x-amz-checksum-[crc64nvme, crc32, crc32C, sha1, sha256].
+    const algo = checksumHeaders[0].split('-')[3];
+    if (algo in algorithms === false) {
+        return { error: ChecksumError.AlgoNotSupported, details: null };;
+    }
+
+    const expected = headers[`x-amz-checksum-${algo}`];
+    const calculated = algorithms[algo](body);
+    if (expected !== calculated) {
+        return { error: ChecksumError.XAmzMismatch, details: null };
+    }
+
+    return null;
+}
+
 /**
  * validateChecksumsNoChunking - Validate the checksums of a request.
  * @param {object} headers - http headers
  * @param {Buffer} body - http request body
  * @return {object} - error
  */
 function validateChecksumsNoChunking(headers, body) {
-    if (headers && 'content-md5' in headers) {
+    if (!headers) {
+        return { error: ChecksumError.MissingChecksum, details: null };
+    }
+
+    let md5Present = false;
+    if ('content-md5' in headers) {
         const md5 = crypto.createHash('md5').update(body).digest('base64');
         if (md5 !== headers['content-md5']) {
             return { error: ChecksumError.MD5Mismatch, details: { calculated: md5, expected: headers['content-md5'] } };
         }
 
-        return null;
+        md5Present = true;
+    }
+
+    const err = validateXAmzChecksums(headers, body);
+    if (err && err.error === ChecksumError.MissingChecksum && !md5Present) {
+        // Return MissingChecksum only if no MD5 and no x-amz-checksum-.
+        return { error: ChecksumError.MissingChecksum, details: null };
     }
 
-    return { error: ChecksumError.MissingChecksum, details: null };
+    return err;
 }
 
 function defaultValidationFunc(request, body, log) {
     const err = validateChecksumsNoChunking(request.headers, body);
     if (err && err.error !== ChecksumError.MissingChecksum) {
         log.debug('failed checksum validation', { method: request.apiMethod }, err);
-        return ArsenalErrors.BadDigest;
+        return ArsenalErrors.BadDigest; // FIXME: InvalidDigest vs BadDigest
     }
 
     return null;
