rewrite, simplify, avoid unused functions (#6989)

* adding cors support * address some comments * optimize matchesWildcard * address comments * fix for tests * address comments * address comments * address comments * path building * refactor * Update weed/s3api/s3api_bucket_config.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * address comment Service-level responses need both Access-Control-Allow-Methods and Access-Control-Allow-Headers. After setting Access-Control-Allow-Origin and Access-Control-Expose-Headers, also set Access-Control-Allow-Methods: * and Access-Control-Allow-Headers: * so service endpoints satisfy CORS preflight requirements. * Update weed/s3api/s3api_bucket_config.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update weed/s3api/s3api_object_handlers.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update weed/s3api/s3api_object_handlers.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix * refactor * Update weed/s3api/s3api_bucket_config.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update weed/s3api/s3api_object_handlers.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update weed/s3api/s3api_server.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * simplify * add cors tests * fix tests * fix tests * remove unused functions * fix tests * simplify * address comments * fix * Update weed/s3api/auth_signature_v4.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * rename variable * Revert "Apply suggestion from @Copilot" This reverts commit fce2d4e57e6f712672e62e8c63468c6b89878c6c. --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-07-15 10:11:49 -07:00
parent 4b040e8a87
commit 74f4e9ba5a
4 changed files with 529 additions and 951 deletions
--- a/weed/s3api/auth_signature_v2.go
+++ b/weed/s3api/auth_signature_v2.go
@@ -22,16 +22,14 @@ import (
 	"crypto/sha1"
 	"crypto/subtle"
 	"encoding/base64"
 	"fmt"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
 	"net"
 	"net/http"
 	"net/url"
 	"path"
 	"sort"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
 )
 // Whitelist resource list that will be used in query string for signature-V2 calculation.
@@ -61,7 +59,7 @@ var resourceList = []string{
 	"website",
 }
-// Verify if request has valid AWS Signature Version '2'.
+// Verify if request has AWS Signature Version '2'.
 func (iam *IdentityAccessManagement) isReqAuthenticatedV2(r *http.Request) (*Identity, s3err.ErrorCode) {
 	if isRequestSignatureV2(r) {
 		return iam.doesSignV2Match(r)
@@ -70,277 +68,186 @@ func (iam *IdentityAccessManagement) isReqAuthenticatedV2(r *http.Request) (*Ide
 }
 func (iam *IdentityAccessManagement) doesPolicySignatureV2Match(formValues http.Header) s3err.ErrorCode {
 	accessKey := formValues.Get("AWSAccessKeyId")
-	_, cred, found := iam.lookupByAccessKey(accessKey)
+	if accessKey == "" {
 		return s3err.ErrMissingFields
 	}
 	identity, cred, found := iam.lookupByAccessKey(accessKey)
 	if !found {
 		return s3err.ErrInvalidAccessKeyID
 	}
 	bucket := formValues.Get("bucket")
 	if !identity.canDo(s3_constants.ACTION_WRITE, bucket, "") {
 		return s3err.ErrAccessDenied
 	}
 	policy := formValues.Get("Policy")
 	if policy == "" {
 		return s3err.ErrMissingFields
 	}
 	signature := formValues.Get("Signature")
 	if signature == "" {
 		return s3err.ErrMissingFields
 	}
 	if !compareSignatureV2(signature, calculateSignatureV2(policy, cred.SecretKey)) {
 		return s3err.ErrSignatureDoesNotMatch
 	}
 	return s3err.ErrNone
 }
 // Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature;
 // Signature = Base64( HMAC-SHA1( YourSecretKey, UTF-8-Encoding-Of( StringToSign ) ) );
 //
 // StringToSign = HTTP-Verb + "\n" +
 //  	Content-Md5 + "\n" +
 //  	Content-Type + "\n" +
 //  	Date + "\n" +
 //  	CanonicalizedProtocolHeaders +
 //  	CanonicalizedResource;
 //
 // CanonicalizedResource = [ "/" + Bucket ] +
 //  	<HTTP-Request-URI, from the protocol name up to the query string> +
 //  	[ subresource, if present. For example "?acl", "?location", "?logging", or "?torrent"];
 //
 // CanonicalizedProtocolHeaders = <described below>
 // doesSignV2Match - Verify authorization header with calculated header in accordance with
 //   - http://docs.aws.amazon.com/AmazonS3/latest/dev/auth-request-sig-v2.html
-// returns true if matches, false otherwise. if error is not nil then it is always false
+//
-
+// returns ErrNone if the signature matches.
 func validateV2AuthHeader(v2Auth string) (accessKey string, errCode s3err.ErrorCode) {
 	if v2Auth == "" {
 		return "", s3err.ErrAuthHeaderEmpty
 	}
 	// Verify if the header algorithm is supported or not.
 	if !strings.HasPrefix(v2Auth, signV2Algorithm) {
 		return "", s3err.ErrSignatureVersionNotSupported
 	}
 	// below is V2 Signed Auth header format, splitting on `space` (after the `AWS` string).
 	// Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature
 	authFields := strings.Split(v2Auth, " ")
 	if len(authFields) != 2 {
 		return "", s3err.ErrMissingFields
 	}
 	// Then will be splitting on ":", this will separate `AWSAccessKeyId` and `Signature` string.
 	keySignFields := strings.Split(strings.TrimSpace(authFields[1]), ":")
 	if len(keySignFields) != 2 {
 		return "", s3err.ErrMissingFields
 	}
 	return keySignFields[0], s3err.ErrNone
 }
 func (iam *IdentityAccessManagement) doesSignV2Match(r *http.Request) (*Identity, s3err.ErrorCode) {
 	v2Auth := r.Header.Get("Authorization")
-
+	accessKey, errCode := validateV2AuthHeader(v2Auth)
-	accessKey, apiError := validateV2AuthHeader(v2Auth)
+	if errCode != s3err.ErrNone {
-	if apiError != s3err.ErrNone {
+		return nil, errCode
 		return nil, apiError
 	}
-	// Access credentials.
+	identity, cred, found := iam.lookupByAccessKey(accessKey)
 	// Validate if access key id same.
 	ident, cred, found := iam.lookupByAccessKey(accessKey)
 	if !found {
 		return nil, s3err.ErrInvalidAccessKeyID
 	}
-	// r.RequestURI will have raw encoded URI as sent by the client.
+	bucket, object := s3_constants.GetBucketAndObject(r)
-	tokens := strings.SplitN(r.RequestURI, "?", 2)
+	if !identity.canDo(s3_constants.ACTION_WRITE, bucket, object) {
-	encodedResource := tokens[0]
+		return nil, s3err.ErrAccessDenied
 	encodedQuery := ""
 	if len(tokens) == 2 {
 		encodedQuery = tokens[1]
 	}
-	unescapedQueries, err := unescapeQueries(encodedQuery)
+	expectedAuth := signatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header)
 	if err != nil {
 		return nil, s3err.ErrInvalidQueryParams
 	}
 	encodedResource, err = getResource(encodedResource, r.Host, iam.domain)
 	if err != nil {
 		return nil, s3err.ErrInvalidRequest
 	}
 	prefix := fmt.Sprintf("%s %s:", signV2Algorithm, cred.AccessKey)
 	if !strings.HasPrefix(v2Auth, prefix) {
 		return nil, s3err.ErrSignatureDoesNotMatch
 	}
 	v2Auth = v2Auth[len(prefix):]
 	expectedAuth := signatureV2(cred, r.Method, encodedResource, strings.Join(unescapedQueries, "&"), r.Header)
 	if !compareSignatureV2(v2Auth, expectedAuth) {
 		return nil, s3err.ErrSignatureDoesNotMatch
 	}
-	return ident, s3err.ErrNone
+	return identity, s3err.ErrNone
 }
-// doesPresignV2SignatureMatch - Verify query headers with presigned signature
+// doesPresignV2SignatureMatch - Verify query headers with calculated header in accordance with
-//   - http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
+//   - http://docs.aws.amazon.com/AmazonS3/latest/dev/auth-request-sig-v2.html
 //
-// returns ErrNone if matches. S3 errors otherwise.
+// returns ErrNone if the signature matches.
 func (iam *IdentityAccessManagement) doesPresignV2SignatureMatch(r *http.Request) (*Identity, s3err.ErrorCode) {
-
+	query := r.URL.Query()
-	// r.RequestURI will have raw encoded URI as sent by the client.
+	expires := query.Get("Expires")
-	tokens := strings.SplitN(r.RequestURI, "?", 2)
+	if expires == "" {
-	encodedResource := tokens[0]
+		return nil, s3err.ErrMissingFields
 	encodedQuery := ""
 	if len(tokens) == 2 {
 		encodedQuery = tokens[1]
 	}
-	var (
+	expireTimestamp, err := strconv.ParseInt(expires, 10, 64)
 		filteredQueries []string
 		gotSignature    string
 		expires         string
 		accessKey       string
 		err             error
 	)
 	var unescapedQueries []string
 	unescapedQueries, err = unescapeQueries(encodedQuery)
 	if err != nil {
 		return nil, s3err.ErrInvalidQueryParams
 	}
 	// Extract the necessary values from presigned query, construct a list of new filtered queries.
 	for _, query := range unescapedQueries {
 		keyval := strings.SplitN(query, "=", 2)
 		if len(keyval) != 2 {
 			return nil, s3err.ErrInvalidQueryParams
 		}
 		switch keyval[0] {
 		case "AWSAccessKeyId":
 			accessKey = keyval[1]
 		case "Signature":
 			gotSignature = keyval[1]
 		case "Expires":
 			expires = keyval[1]
 		default:
 			filteredQueries = append(filteredQueries, query)
 		}
 	}
 	// Invalid values returns error.
 	if accessKey == "" || gotSignature == "" || expires == "" {
 		return nil, s3err.ErrInvalidQueryParams
 	}
 	// Validate if access key id same.
 	ident, cred, found := iam.lookupByAccessKey(accessKey)
 	if !found {
 		return nil, s3err.ErrInvalidAccessKeyID
 	}
 	// Make sure the request has not expired.
 	expiresInt, err := strconv.ParseInt(expires, 10, 64)
 	if err != nil {
 		return nil, s3err.ErrMalformedExpires
 	}
-	// Check if the presigned URL has expired.
+	if time.Unix(expireTimestamp, 0).Before(time.Now().UTC()) {
 	if expiresInt < time.Now().UTC().Unix() {
 		return nil, s3err.ErrExpiredPresignRequest
 	}
-	encodedResource, err = getResource(encodedResource, r.Host, iam.domain)
+	accessKey := query.Get("AWSAccessKeyId")
-	if err != nil {
+	if accessKey == "" {
-		return nil, s3err.ErrInvalidRequest
+		return nil, s3err.ErrInvalidAccessKeyID
 	}
-	expectedSignature := preSignatureV2(cred, r.Method, encodedResource, strings.Join(filteredQueries, "&"), r.Header, expires)
+	signature := query.Get("Signature")
-	if !compareSignatureV2(gotSignature, expectedSignature) {
+	if signature == "" {
 		return nil, s3err.ErrMissingFields
 	}
 	identity, cred, found := iam.lookupByAccessKey(accessKey)
 	if !found {
 		return nil, s3err.ErrInvalidAccessKeyID
 	}
 	bucket, object := s3_constants.GetBucketAndObject(r)
 	if !identity.canDo(s3_constants.ACTION_READ, bucket, object) {
 		return nil, s3err.ErrAccessDenied
 	}
 	expectedSignature := preSignatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header, expires)
 	if !compareSignatureV2(signature, expectedSignature) {
 		return nil, s3err.ErrSignatureDoesNotMatch
 	}
-
+	return identity, s3err.ErrNone
 	return ident, s3err.ErrNone
 }
-// Escape encodedQuery string into unescaped list of query params, returns error
+// validateV2AuthHeader validates AWS Signature Version '2' authentication header.
-// if any while unescaping the values.
+func validateV2AuthHeader(v2Auth string) (accessKey string, errCode s3err.ErrorCode) {
-func unescapeQueries(encodedQuery string) (unescapedQueries []string, err error) {
+	if v2Auth == "" {
-	for _, query := range strings.Split(encodedQuery, "&") {
+		return "", s3err.ErrAuthHeaderEmpty
 		var unescapedQuery string
 		unescapedQuery, err = url.QueryUnescape(query)
 		if err != nil {
 			return nil, err
 	}
-		unescapedQueries = append(unescapedQueries, unescapedQuery)
+
 	// Signature V2 authorization header format:
 	// Authorization: AWS AKIAIOSFODNN7EXAMPLE:frJIUN8DYpKDtOLCwo//yllqDzg=
 	if !strings.HasPrefix(v2Auth, signV2Algorithm) {
 		return "", s3err.ErrSignatureVersionNotSupported
 	}
-	return unescapedQueries, nil
+
 	// Strip off the Algorithm prefix.
 	v2Auth = v2Auth[len(signV2Algorithm):]
 	authFields := strings.Split(v2Auth, ":")
 	if len(authFields) != 2 {
 		return "", s3err.ErrMissingFields
 	}
 	// The first field is Access Key ID.
 	if authFields[0] == "" {
 		return "", s3err.ErrInvalidAccessKeyID
 	}
 	// The second field is signature.
 	if authFields[1] == "" {
 		return "", s3err.ErrMissingFields
 	}
 	return authFields[0], s3err.ErrNone
 }
-// Returns "/bucketName/objectName" for path-style or virtual-host-style requests.
+// signatureV2 - calculates signature version 2 for request.
 func getResource(path string, host string, domain string) (string, error) {
 	if domain == "" {
 		return path, nil
 	}
 	// If virtual-host-style is enabled construct the "resource" properly.
 	if strings.Contains(host, ":") {
 		// In bucket.mydomain.com:9000, strip out :9000
 		var err error
 		if host, _, err = net.SplitHostPort(host); err != nil {
 			return "", err
 		}
 	}
 	if !strings.HasSuffix(host, "."+domain) {
 		return path, nil
 	}
 	bucket := strings.TrimSuffix(host, "."+domain)
 	return "/" + pathJoin(bucket, path), nil
 }
 // pathJoin - like path.Join() but retains trailing "/" of the last element
 func pathJoin(elem ...string) string {
 	trailingSlash := ""
 	if len(elem) > 0 {
 		if strings.HasSuffix(elem[len(elem)-1], "/") {
 			trailingSlash = "/"
 		}
 	}
 	return path.Join(elem...) + trailingSlash
 }
 // Return the signature v2 of a given request.
 func signatureV2(cred *Credential, method string, encodedResource string, encodedQuery string, headers http.Header) string {
 	stringToSign := getStringToSignV2(method, encodedResource, encodedQuery, headers, "")
 	signature := calculateSignatureV2(stringToSign, cred.SecretKey)
-	return signature
+	return signV2Algorithm + cred.AccessKey + ":" + signature
 }
-// Return string to sign under two different conditions.
+// getStringToSignV2 - string to sign in accordance with
-// - if expires string is set then string to sign includes date instead of the Date header.
+//   - http://docs.aws.amazon.com/AmazonS3/latest/dev/auth-request-sig-v2.html
 // - if expires string is empty then string to sign includes date header instead.
 func getStringToSignV2(method string, encodedResource, encodedQuery string, headers http.Header, expires string) string {
 	canonicalHeaders := canonicalizedAmzHeadersV2(headers)
 	if len(canonicalHeaders) > 0 {
 		canonicalHeaders += "\n"
 	}
 	date := expires // Date is set to expires date for presign operations.
 	if date == "" {
 		// If expires date is empty then request header Date is used.
 		date = headers.Get("Date")
 	}
 	// From the Amazon docs:
 	//
 	// StringToSign = HTTP-Verb + "\n" +
-	// 	 Content-Md5 + "\n" +
+	// 	 Content-MD5 + "\n" +
 	//	 Content-Type + "\n" +
-	//	 Date/Expires + "\n" +
+	//	 Date + "\n" +
-	//	 CanonicalizedProtocolHeaders +
+	//	 CanonicalizedAmzHeaders +
 	//	 CanonicalizedResource;
-	stringToSign := strings.Join([]string{
+	stringToSign := method + "\n"
-		method,
+	stringToSign += headers.Get("Content-Md5") + "\n"
-		headers.Get("Content-MD5"),
+	stringToSign += headers.Get("Content-Type") + "\n"
 		headers.Get("Content-Type"),
 		date,
 		canonicalHeaders,
 	}, "\n")
-	return stringToSign + canonicalizedResourceV2(encodedResource, encodedQuery)
+	if expires != "" {
 		stringToSign += expires + "\n"
 	} else {
 		stringToSign += headers.Get("Date") + "\n"
 		if v := headers.Get("x-amz-date"); v != "" {
 			stringToSign = strings.Replace(stringToSign, headers.Get("Date")+"\n", "\n", -1)
 		}
 	}
 	stringToSign += canonicalHeaders
 	stringToSign += canonicalizedResourceV2(encodedResource, encodedQuery)
 	return stringToSign
 }
-// Return canonical resource string.
+// canonicalizedResourceV2 - canonicalize the resource string for signature V2.
 func canonicalizedResourceV2(encodedResource, encodedQuery string) string {
 	queries := strings.Split(encodedQuery, "&")
 	keyval := make(map[string]string)
@@ -356,28 +263,26 @@ func canonicalizedResourceV2(encodedResource, encodedQuery string) string {
 	}
 	var canonicalQueries []string
-	for _, key := range resourceList {
+	for _, resource := range resourceList {
-		val, ok := keyval[key]
+		if val, ok := keyval[resource]; ok {
 		if !ok {
 			continue
 		}
 			if val == "" {
-			canonicalQueries = append(canonicalQueries, key)
+				canonicalQueries = append(canonicalQueries, resource)
 				continue
 			}
-		canonicalQueries = append(canonicalQueries, key+"="+val)
+			canonicalQueries = append(canonicalQueries, resource+"="+val)
 		}
 	}
-	// The queries will be already sorted as resourceList is sorted, if canonicalQueries
+	// The queries will be already sorted as resourceList is sorted.
-	// is empty strings.Join returns empty.
+	if len(canonicalQueries) == 0 {
 	canonicalQuery := strings.Join(canonicalQueries, "&")
 	if canonicalQuery != "" {
 		return encodedResource + "?" + canonicalQuery
 	}
 		return encodedResource
 	}
 	// If queries are present then the canonicalized resource is set to encodedResource + "?" + strings.Join(canonicalQueries, "&")
 	return encodedResource + "?" + strings.Join(canonicalQueries, "&")
 }
-// Return canonical headers.
+// canonicalizedAmzHeadersV2 - canonicalize the x-amz-* headers for signature V2.
 func canonicalizedAmzHeadersV2(headers http.Header) string {
 	var keys []string
 	keyval := make(map[string]string)
@@ -390,6 +295,7 @@ func canonicalizedAmzHeadersV2(headers http.Header) string {
 		keyval[lkey] = strings.Join(headers[key], ",")
 	}
 	sort.Strings(keys)
 	var canonicalHeaders []string
 	for _, key := range keys {
 		canonicalHeaders = append(canonicalHeaders, key+":"+keyval[key])
@@ -397,6 +303,7 @@ func canonicalizedAmzHeadersV2(headers http.Header) string {
 	return strings.Join(canonicalHeaders, "\n")
 }
 // calculateSignatureV2 - calculates signature version 2.
 func calculateSignatureV2(stringToSign string, secret string) string {
 	hm := hmac.New(sha1.New, []byte(secret))
 	hm.Write([]byte(stringToSign))
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
--- a/weed/s3api/auto_signature_v4_test.go
+++ b/weed/s3api/auto_signature_v4_test.go
@@ -6,13 +6,10 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
 	"testing"
@@ -76,7 +73,7 @@ func TestIsReqAuthenticated(t *testing.T) {
 						SecretKey: "secret_key_1",
 					},
 				},
-				Actions: []string{},
+				Actions: []string{"Read", "Write"},
 			},
 		},
 	})
@@ -149,7 +146,7 @@ func TestCheckAdminRequestAuthType(t *testing.T) {
 						SecretKey: "secret_key_1",
 					},
 				},
-				Actions: []string{},
+				Actions: []string{"Admin", "Read", "Write"},
 			},
 		},
 	})
@@ -170,15 +167,12 @@ func TestCheckAdminRequestAuthType(t *testing.T) {
 func BenchmarkGetSignature(b *testing.B) {
 	t := time.Now()
 	iam := IdentityAccessManagement{
 		hashes:       make(map[string]*sync.Pool),
 		hashCounters: make(map[string]*int32),
 	}
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		iam.getSignature("secret-key", t, "us-east-1", "s3", "random data")
+		signingKey := getSigningKey("secret-key", t.Format(yyyymmdd), "us-east-1", "s3")
 		getSignature(signingKey, "random data")
 	}
 }
@@ -213,6 +207,53 @@ func mustNewPresignedRequest(iam *IdentityAccessManagement, method string, urlSt
 	return req
 }
 // preSignV4 adds presigned URL parameters to the request
 func preSignV4(iam *IdentityAccessManagement, req *http.Request, accessKey, secretKey string, expires int64) error {
 	// Create credential scope
 	now := time.Now().UTC()
 	dateStr := now.Format(iso8601Format)
 	// Create credential header
 	scope := fmt.Sprintf("%s/%s/%s/%s", now.Format(yyyymmdd), "us-east-1", "s3", "aws4_request")
 	credential := fmt.Sprintf("%s/%s", accessKey, scope)
 	// Get the query parameters
 	query := req.URL.Query()
 	query.Set("X-Amz-Algorithm", signV4Algorithm)
 	query.Set("X-Amz-Credential", credential)
 	query.Set("X-Amz-Date", dateStr)
 	query.Set("X-Amz-Expires", fmt.Sprintf("%d", expires))
 	query.Set("X-Amz-SignedHeaders", "host")
 	// Set the query on the URL (without signature yet)
 	req.URL.RawQuery = query.Encode()
 	// Get the payload hash
 	hashedPayload := getContentSha256Cksum(req)
 	// Extract signed headers
 	extractedSignedHeaders := make(http.Header)
 	extractedSignedHeaders["host"] = []string{req.Host}
 	// Get canonical request
 	canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, req.URL.RawQuery, req.URL.Path, req.Method)
 	// Get string to sign
 	stringToSign := getStringToSign(canonicalRequest, now, scope)
 	// Get signing key
 	signingKey := getSigningKey(secretKey, now.Format(yyyymmdd), "us-east-1", "s3")
 	// Calculate signature
 	signature := getSignature(signingKey, stringToSign)
 	// Add signature to query
 	query.Set("X-Amz-Signature", signature)
 	req.URL.RawQuery = query.Encode()
 	return nil
 }
 // Returns new HTTP request object.
 func newTestRequest(method, urlStr string, contentLength int64, body io.ReadSeeker) (*http.Request, error) {
 	if method == "" {
@@ -254,11 +295,6 @@ func newTestRequest(method, urlStr string, contentLength int64, body io.ReadSeek
 	return req, nil
 }
 // getSHA256Hash returns SHA-256 hash in hex encoding of given data.
 func getSHA256Hash(data []byte) string {
 	return hex.EncodeToString(getSHA256Sum(data))
 }
 // getMD5HashBase64 returns MD5 hash in base64 encoding of given data.
 func getMD5HashBase64(data []byte) string {
 	return base64.StdEncoding.EncodeToString(getMD5Sum(data))
@@ -467,46 +503,6 @@ func signRequestV4(req *http.Request, accessKey, secretKey string) error {
 	return nil
 }
 // preSignV4 presign the request, in accordance with
 // http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html.
 func preSignV4(iam *IdentityAccessManagement, req *http.Request, accessKeyID, secretAccessKey string, expires int64) error {
 	// Presign is not needed for anonymous credentials.
 	if accessKeyID == "" || secretAccessKey == "" {
 		return errors.New("Presign cannot be generated without access and secret keys")
 	}
 	region := "us-east-1"
 	date := time.Now().UTC()
 	scope := getScope(date, region)
 	credential := fmt.Sprintf("%s/%s", accessKeyID, scope)
 	// Set URL query.
 	query := req.URL.Query()
 	query.Set("X-Amz-Algorithm", signV4Algorithm)
 	query.Set("X-Amz-Date", date.Format(iso8601Format))
 	query.Set("X-Amz-Expires", strconv.FormatInt(expires, 10))
 	query.Set("X-Amz-SignedHeaders", "host")
 	query.Set("X-Amz-Credential", credential)
 	query.Set("X-Amz-Content-Sha256", unsignedPayload)
 	// "host" is the only header required to be signed for Presigned URLs.
 	extractedSignedHeaders := make(http.Header)
 	extractedSignedHeaders.Set("host", req.Host)
 	queryStr := strings.Replace(query.Encode(), "+", "%20", -1)
 	canonicalRequest := getCanonicalRequest(extractedSignedHeaders, unsignedPayload, queryStr, req.URL.Path, req.Method)
 	stringToSign := getStringToSign(canonicalRequest, date, scope)
 	signature := iam.getSignature(secretAccessKey, date, region, "s3", stringToSign)
 	req.URL.RawQuery = query.Encode()
 	// Add signature header to RawQuery.
 	req.URL.RawQuery += "&X-Amz-Signature=" + url.QueryEscape(signature)
 	// Construct the final presigned URL.
 	return nil
 }
 // EncodePath encode the strings from UTF-8 byte representations to HTML hex escape sequences
 //
 // This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8
@@ -529,12 +525,12 @@ func EncodePath(pathName string) string {
 			encodedPathname = encodedPathname + string(s)
 			continue
 		default:
-			len := utf8.RuneLen(s)
+			runeLen := utf8.RuneLen(s)
-			if len < 0 {
+			if runeLen < 0 {
 				// if utf8 cannot convert return the same string as is
 				return pathName
 			}
-			u := make([]byte, len)
+			u := make([]byte, runeLen)
 			utf8.EncodeRune(u, s)
 			for _, r := range u {
 				hex := hex.EncodeToString([]byte{r})
--- a/weed/s3api/chunked_reader_v4.go
+++ b/weed/s3api/chunked_reader_v4.go
@@ -102,13 +102,12 @@ func (iam *IdentityAccessManagement) calculateSeedSignature(r *http.Request) (cr
 			return nil, "", "", time.Time{}, s3err.ErrMissingDateHeader
 		}
 	}
 	// Parse date header.
-	var err error
+	date, err := time.Parse(iso8601Format, dateStr)
 	date, err = time.Parse(iso8601Format, dateStr)
 	if err != nil {
 		return nil, "", "", time.Time{}, s3err.ErrMalformedDate
 	}
 	// Query string.
 	queryStr := req.URL.Query().Encode()
@@ -118,14 +117,11 @@ func (iam *IdentityAccessManagement) calculateSeedSignature(r *http.Request) (cr
 	// Get string to sign from canonical request.
 	stringToSign := getStringToSign(canonicalRequest, date, signV4Values.Credential.getScope())
 	// Get hmac signing key.
 	signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date.Format(yyyymmdd), region, "s3")
 	// Calculate signature.
-	newSignature := iam.getSignature(
+	newSignature := getSignature(signingKey, stringToSign)
 		cred.SecretKey,
 		signV4Values.Credential.scope.date,
 		region,
 		"s3",
 		stringToSign,
 	)
 	// Verify if signature match.
 	if !compareSignatureV4(newSignature, signV4Values.Signature) {
@@ -469,58 +465,47 @@ func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
 // getChunkSignature - get chunk signature.
 func (cr *s3ChunkedReader) getChunkSignature(hashedChunk string) string {
 	// Calculate string to sign.
-	stringToSign := signV4ChunkedAlgorithm + "\n" +
+	stringToSign := signV4Algorithm + "-PAYLOAD" + "\n" +
 		cr.seedDate.Format(iso8601Format) + "\n" +
 		getScope(cr.seedDate, cr.region) + "\n" +
 		cr.seedSignature + "\n" +
 		emptySHA256 + "\n" +
 		hashedChunk
-	// Calculate signature.
+	// Get hmac signing key.
-	return cr.iam.getSignature(
+	signingKey := getSigningKey(cr.cred.SecretKey, cr.seedDate.Format(yyyymmdd), cr.region, "s3")
-		cr.cred.SecretKey,
+
-		cr.seedDate,
+	// Calculate and return signature.
-		cr.region,
+	return getSignature(signingKey, stringToSign)
 		"s3",
 		stringToSign,
 	)
 }
 // readCRLF - check if reader only has '\r\n' CRLF character.
 // returns malformed encoding if it doesn't.
 func readCRLF(reader *bufio.Reader) error {
 	buf := make([]byte, 2)
-	_, err := reader.Read(buf)
+	_, err := io.ReadFull(reader, buf)
 	if err != nil {
 		return err
 	}
 	return checkCRLF(buf)
 }
 // peekCRLF - peeks at the next two bytes to check for CRLF without consuming them.
 func peekCRLF(reader *bufio.Reader) error {
-	peeked, err := reader.Peek(2)
+	buf, err := reader.Peek(2)
 	if err != nil {
 		return err
 	}
-	if err := checkCRLF(peeked); err != nil {
+	if err := checkCRLF(buf); err != nil {
 		return err
 	}
 	return nil
 }
 // checkCRLF - checks if the buffer contains '\r\n' CRLF character.
 func checkCRLF(buf []byte) error {
-	if buf[0] != '\r' || buf[1] != '\n' {
+	if len(buf) != 2 || buf[0] != '\r' || buf[1] != '\n' {
 		return errMalformedEncoding
 	}
 	return nil
 }
 // Read a line of bytes (up to \n) from b.
 // Give up if the line exceeds maxLineLength.
 // The returned bytes are owned by the bufio.Reader
 // so they are only valid until the next bufio read.
 func readChunkLine(b *bufio.Reader) ([]byte, error) {
 	buf, err := b.ReadSlice('\n')
 	if err != nil {
@@ -536,8 +521,7 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
 	if len(buf) >= maxLineLength {
 		return nil, errLineTooLong
 	}
-
+	return trimTrailingWhitespace(buf), nil
 	return buf, nil
 }
 // trimTrailingWhitespace - trim trailing white space.
@@ -608,13 +592,11 @@ func parseChunkChecksum(b *bufio.Reader) (ChecksumAlgorithm, []byte) {
 	return extractedAlgorithm, checksumValue
 }
 // parseChunkSignature - parse chunk signature.
 func parseChunkSignature(chunk []byte) []byte {
-	chunkSplits := bytes.SplitN(chunk, []byte(s3ChunkSignatureStr), 2)
+	chunkSplits := bytes.SplitN(chunk, []byte("="), 2)
-	return chunkSplits[1]
+	return chunkSplits[1] // Keep only the signature.
 }
 // parse hex to uint64.
 func parseHexUint(v []byte) (n uint64, err error) {
 	for i, b := range v {
 		switch {
@@ -636,6 +618,7 @@ func parseHexUint(v []byte) (n uint64, err error) {
 	return
 }
 // Checksum Algorithm represents the various checksum algorithms supported.
 type ChecksumAlgorithm int
 const (
@@ -649,18 +632,18 @@ const (
 func (ca ChecksumAlgorithm) String() string {
 	switch ca {
 	case ChecksumAlgorithmCRC32:
 		return "CRC32"
 	case ChecksumAlgorithmCRC32C:
 		return "CRC32C"
 	case ChecksumAlgorithmCRC64NVMe:
 		return "CRC64NVMe"
 	case ChecksumAlgorithmSHA1:
 		return "SHA1"
 	case ChecksumAlgorithmSHA256:
 		return "SHA256"
 	case ChecksumAlgorithmNone:
 		return ""
 	case ChecksumAlgorithmCRC32:
 		return "x-amz-checksum-crc32"
 	case ChecksumAlgorithmCRC32C:
 		return "x-amz-checksum-crc32c"
 	case ChecksumAlgorithmCRC64NVMe:
 		return "x-amz-checksum-crc64nvme"
 	case ChecksumAlgorithmSHA1:
 		return "x-amz-checksum-sha1"
 	case ChecksumAlgorithmSHA256:
 		return "x-amz-checksum-sha256"
 	}
 	return ""
 }