1 files changed, 720 insertions, 0 deletions
diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go
new file mode 100644
index 000000000..cdfd8be1d
--- /dev/null
+++ b/weed/s3api/auth_signature_v4.go
@@ -0,0 +1,720 @@
+/*
+ * The following code tries to reverse engineer the Amazon S3 APIs,
+ * and is mostly copied from minio implementation.
+ */
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package s3api
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"crypto/subtle"
+	"encoding/hex"
+	"net/http"
+	"net/url"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+	"unicode/utf8"
+)
+
+func (iam *IdentityAccessManagement) reqSignatureV4Verify(r *http.Request) (*Identity, ErrorCode) {
+	sha256sum := getContentSha256Cksum(r)
+	switch {
+	case isRequestSignatureV4(r):
+		return iam.doesSignatureMatch(sha256sum, r)
+	case isRequestPresignedSignatureV4(r):
+		return iam.doesPresignedSignatureMatch(sha256sum, r)
+	}
+	return nil, ErrAccessDenied
+}
+
+// Streaming AWS Signature Version '4' constants.
+const (
+	emptySHA256            = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+	streamingContentSHA256 = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
+	signV4ChunkedAlgorithm = "AWS4-HMAC-SHA256-PAYLOAD"
+
+	// http Header "x-amz-content-sha256" == "UNSIGNED-PAYLOAD" indicates that the
+	// client did not calculate sha256 of the payload.
+	unsignedPayload = "UNSIGNED-PAYLOAD"
+)
+
+// Returns SHA256 for calculating canonical-request.
+func getContentSha256Cksum(r *http.Request) string {
+	var (
+		defaultSha256Cksum string
+		v                  []string
+		ok                 bool
+	)
+
+	// For a presigned request we look at the query param for sha256.
+	if isRequestPresignedSignatureV4(r) {
+		// X-Amz-Content-Sha256, if not set in presigned requests, checksum
+		// will default to 'UNSIGNED-PAYLOAD'.
+		defaultSha256Cksum = unsignedPayload
+		v, ok = r.URL.Query()["X-Amz-Content-Sha256"]
+		if !ok {
+			v, ok = r.Header["X-Amz-Content-Sha256"]
+		}
+	} else {
+		// X-Amz-Content-Sha256, if not set in signed requests, checksum
+		// will default to sha256([]byte("")).
+		defaultSha256Cksum = emptySHA256
+		v, ok = r.Header["X-Amz-Content-Sha256"]
+	}
+
+	// We found 'X-Amz-Content-Sha256' return the captured value.
+	if ok {
+		return v[0]
+	}
+
+	// We couldn't find 'X-Amz-Content-Sha256'.
+	return defaultSha256Cksum
+}
+
+// Verify authorization header - http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
+func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r *http.Request) (*Identity, ErrorCode) {
+
+	// Copy request.
+	req := *r
+
+	// Save authorization header.
+	v4Auth := req.Header.Get("Authorization")
+
+	// Parse signature version '4' header.
+	signV4Values, err := parseSignV4(v4Auth)
+	if err != ErrNone {
+		return nil, err
+	}
+
+	// Extract all the signed headers along with its values.
+	extractedSignedHeaders, errCode := extractSignedHeaders(signV4Values.SignedHeaders, r)
+	if errCode != ErrNone {
+		return nil, errCode
+	}
+
+	// Verify if the access key id matches.
+	identity, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
+	if !found {
+		return nil, ErrInvalidAccessKeyID
+	}
+
+	// Extract date, if not present throw error.
+	var date string
+	if date = req.Header.Get(http.CanonicalHeaderKey("X-Amz-Date")); date == "" {
+		if date = r.Header.Get("Date"); date == "" {
+			return nil, ErrMissingDateHeader
+		}
+	}
+	// Parse date header.
+	t, e := time.Parse(iso8601Format, date)
+	if e != nil {
+		return nil, ErrMalformedDate
+	}
+
+	// Query string.
+	queryStr := req.URL.Query().Encode()
+
+	// Get canonical request.
+	canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method)
+
+	// Get string to sign from canonical request.
+	stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope())
+
+	// Get hmac signing key.
+	signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date, signV4Values.Credential.scope.region)
+
+	// Calculate signature.
+	newSignature := getSignature(signingKey, stringToSign)
+
+	// Verify if signature match.
+	if !compareSignatureV4(newSignature, signV4Values.Signature) {
+		return nil, ErrSignatureDoesNotMatch
+	}
+
+	// Return error none.
+	return identity, ErrNone
+}
+
+// credentialHeader data type represents structured form of Credential
+// string from authorization header.
+type credentialHeader struct {
+	accessKey string
+	scope     struct {
+		date    time.Time
+		region  string
+		service string
+		request string
+	}
+}
+
+// signValues data type represents structured form of AWS Signature V4 header.
+type signValues struct {
+	Credential    credentialHeader
+	SignedHeaders []string
+	Signature     string
+}
+
+// Return scope string.
+func (c credentialHeader) getScope() string {
+	return strings.Join([]string{
+		c.scope.date.Format(yyyymmdd),
+		c.scope.region,
+		c.scope.service,
+		c.scope.request,
+	}, "/")
+}
+
+//    Authorization: algorithm Credential=accessKeyID/credScope, \
+//            SignedHeaders=signedHeaders, Signature=signature
+//
+func parseSignV4(v4Auth string) (sv signValues, aec ErrorCode) {
+	// Replace all spaced strings, some clients can send spaced
+	// parameters and some won't. So we pro-actively remove any spaces
+	// to make parsing easier.
+	v4Auth = strings.Replace(v4Auth, " ", "", -1)
+	if v4Auth == "" {
+		return sv, ErrAuthHeaderEmpty
+	}
+
+	// Verify if the header algorithm is supported or not.
+	if !strings.HasPrefix(v4Auth, signV4Algorithm) {
+		return sv, ErrSignatureVersionNotSupported
+	}
+
+	// Strip off the Algorithm prefix.
+	v4Auth = strings.TrimPrefix(v4Auth, signV4Algorithm)
+	authFields := strings.Split(strings.TrimSpace(v4Auth), ",")
+	if len(authFields) != 3 {
+		return sv, ErrMissingFields
+	}
+
+	// Initialize signature version '4' structured header.
+	signV4Values := signValues{}
+
+	var err ErrorCode
+	// Save credentail values.
+	signV4Values.Credential, err = parseCredentialHeader(authFields[0])
+	if err != ErrNone {
+		return sv, err
+	}
+
+	// Save signed headers.
+	signV4Values.SignedHeaders, err = parseSignedHeader(authFields[1])
+	if err != ErrNone {
+		return sv, err
+	}
+
+	// Save signature.
+	signV4Values.Signature, err = parseSignature(authFields[2])
+	if err != ErrNone {
+		return sv, err
+	}
+
+	// Return the structure here.
+	return signV4Values, ErrNone
+}
+
+// parse credentialHeader string into its structured form.
+func parseCredentialHeader(credElement string) (ch credentialHeader, aec ErrorCode) {
+	creds := strings.Split(strings.TrimSpace(credElement), "=")
+	if len(creds) != 2 {
+		return ch, ErrMissingFields
+	}
+	if creds[0] != "Credential" {
+		return ch, ErrMissingCredTag
+	}
+	credElements := strings.Split(strings.TrimSpace(creds[1]), "/")
+	if len(credElements) != 5 {
+		return ch, ErrCredMalformed
+	}
+	// Save access key id.
+	cred := credentialHeader{
+		accessKey: credElements[0],
+	}
+	var e error
+	cred.scope.date, e = time.Parse(yyyymmdd, credElements[1])
+	if e != nil {
+		return ch, ErrMalformedCredentialDate
+	}
+
+	cred.scope.region = credElements[2]
+	cred.scope.service = credElements[3] // "s3"
+	cred.scope.request = credElements[4] // "aws4_request"
+	return cred, ErrNone
+}
+
+// Parse slice of signed headers from signed headers tag.
+func parseSignedHeader(signedHdrElement string) ([]string, ErrorCode) {
+	signedHdrFields := strings.Split(strings.TrimSpace(signedHdrElement), "=")
+	if len(signedHdrFields) != 2 {
+		return nil, ErrMissingFields
+	}
+	if signedHdrFields[0] != "SignedHeaders" {
+		return nil, ErrMissingSignHeadersTag
+	}
+	if signedHdrFields[1] == "" {
+		return nil, ErrMissingFields
+	}
+	signedHeaders := strings.Split(signedHdrFields[1], ";")
+	return signedHeaders, ErrNone
+}
+
+// Parse signature from signature tag.
+func parseSignature(signElement string) (string, ErrorCode) {
+	signFields := strings.Split(strings.TrimSpace(signElement), "=")
+	if len(signFields) != 2 {
+		return "", ErrMissingFields
+	}
+	if signFields[0] != "Signature" {
+		return "", ErrMissingSignTag
+	}
+	if signFields[1] == "" {
+		return "", ErrMissingFields
+	}
+	signature := signFields[1]
+	return signature, ErrNone
+}
+
+// check query headers with presigned signature
+//  - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
+func (iam *IdentityAccessManagement) doesPresignedSignatureMatch(hashedPayload string, r *http.Request) (*Identity, ErrorCode) {
+
+	// Copy request
+	req := *r
+
+	// Parse request query string.
+	pSignValues, err := parsePreSignV4(req.URL.Query())
+	if err != ErrNone {
+		return nil, err
+	}
+
+	// Verify if the access key id matches.
+	identity, cred, found := iam.lookupByAccessKey(pSignValues.Credential.accessKey)
+	if !found {
+		return nil, ErrInvalidAccessKeyID
+	}
+
+	// Extract all the signed headers along with its values.
+	extractedSignedHeaders, errCode := extractSignedHeaders(pSignValues.SignedHeaders, r)
+	if errCode != ErrNone {
+		return nil, errCode
+	}
+	// Construct new query.
+	query := make(url.Values)
+	if req.URL.Query().Get("X-Amz-Content-Sha256") != "" {
+		query.Set("X-Amz-Content-Sha256", hashedPayload)
+	}
+
+	query.Set("X-Amz-Algorithm", signV4Algorithm)
+
+	now := time.Now().UTC()
+
+	// If the host which signed the request is slightly ahead in time (by less than globalMaxSkewTime) the
+	// request should still be allowed.
+	if pSignValues.Date.After(now.Add(15 * time.Minute)) {
+		return nil, ErrRequestNotReadyYet
+	}
+
+	if now.Sub(pSignValues.Date) > pSignValues.Expires {
+		return nil, ErrExpiredPresignRequest
+	}
+
+	// Save the date and expires.
+	t := pSignValues.Date
+	expireSeconds := int(pSignValues.Expires / time.Second)
+
+	// Construct the query.
+	query.Set("X-Amz-Date", t.Format(iso8601Format))
+	query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds))
+	query.Set("X-Amz-SignedHeaders", getSignedHeaders(extractedSignedHeaders))
+	query.Set("X-Amz-Credential", cred.AccessKey+"/"+getScope(t, pSignValues.Credential.scope.region))
+
+	// Save other headers available in the request parameters.
+	for k, v := range req.URL.Query() {
+
+		// Handle the metadata in presigned put query string
+		if strings.Contains(strings.ToLower(k), "x-amz-meta-") {
+			query.Set(k, v[0])
+		}
+
+		if strings.HasPrefix(strings.ToLower(k), "x-amz") {
+			continue
+		}
+		query[k] = v
+	}
+
+	// Get the encoded query.
+	encodedQuery := query.Encode()
+
+	// Verify if date query is same.
+	if req.URL.Query().Get("X-Amz-Date") != query.Get("X-Amz-Date") {
+		return nil, ErrSignatureDoesNotMatch
+	}
+	// Verify if expires query is same.
+	if req.URL.Query().Get("X-Amz-Expires") != query.Get("X-Amz-Expires") {
+		return nil, ErrSignatureDoesNotMatch
+	}
+	// Verify if signed headers query is same.
+	if req.URL.Query().Get("X-Amz-SignedHeaders") != query.Get("X-Amz-SignedHeaders") {
+		return nil, ErrSignatureDoesNotMatch
+	}
+	// Verify if credential query is same.
+	if req.URL.Query().Get("X-Amz-Credential") != query.Get("X-Amz-Credential") {
+		return nil, ErrSignatureDoesNotMatch
+	}
+	// Verify if sha256 payload query is same.
+	if req.URL.Query().Get("X-Amz-Content-Sha256") != "" {
+		if req.URL.Query().Get("X-Amz-Content-Sha256") != query.Get("X-Amz-Content-Sha256") {
+			return nil, ErrContentSHA256Mismatch
+		}
+	}
+
+	/// Verify finally if signature is same.
+
+	// Get canonical request.
+	presignedCanonicalReq := getCanonicalRequest(extractedSignedHeaders, hashedPayload, encodedQuery, req.URL.Path, req.Method)
+
+	// Get string to sign from canonical request.
+	presignedStringToSign := getStringToSign(presignedCanonicalReq, t, pSignValues.Credential.getScope())
+
+	// Get hmac presigned signing key.
+	presignedSigningKey := getSigningKey(cred.SecretKey, pSignValues.Credential.scope.date, pSignValues.Credential.scope.region)
+
+	// Get new signature.
+	newSignature := getSignature(presignedSigningKey, presignedStringToSign)
+
+	// Verify signature.
+	if !compareSignatureV4(req.URL.Query().Get("X-Amz-Signature"), newSignature) {
+		return nil, ErrSignatureDoesNotMatch
+	}
+	return identity, ErrNone
+}
+
+func contains(list []string, elem string) bool {
+	for _, t := range list {
+		if t == elem {
+			return true
+		}
+	}
+	return false
+}
+
+// preSignValues data type represents structued form of AWS Signature V4 query string.
+type preSignValues struct {
+	signValues
+	Date    time.Time
+	Expires time.Duration
+}
+
+// Parses signature version '4' query string of the following form.
+//
+//   querystring = X-Amz-Algorithm=algorithm
+//   querystring += &X-Amz-Credential= urlencode(accessKey + '/' + credential_scope)
+//   querystring += &X-Amz-Date=date
+//   querystring += &X-Amz-Expires=timeout interval
+//   querystring += &X-Amz-SignedHeaders=signed_headers
+//   querystring += &X-Amz-Signature=signature
+//
+// verifies if any of the necessary query params are missing in the presigned request.
+func doesV4PresignParamsExist(query url.Values) ErrorCode {
+	v4PresignQueryParams := []string{"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Signature", "X-Amz-Date", "X-Amz-SignedHeaders", "X-Amz-Expires"}
+	for _, v4PresignQueryParam := range v4PresignQueryParams {
+		if _, ok := query[v4PresignQueryParam]; !ok {
+			return ErrInvalidQueryParams
+		}
+	}
+	return ErrNone
+}
+
+// Parses all the presigned signature values into separate elements.
+func parsePreSignV4(query url.Values) (psv preSignValues, aec ErrorCode) {
+	var err ErrorCode
+	// verify whether the required query params exist.
+	err = doesV4PresignParamsExist(query)
+	if err != ErrNone {
+		return psv, err
+	}
+
+	// Verify if the query algorithm is supported or not.
+	if query.Get("X-Amz-Algorithm") != signV4Algorithm {
+		return psv, ErrInvalidQuerySignatureAlgo
+	}
+
+	// Initialize signature version '4' structured header.
+	preSignV4Values := preSignValues{}
+
+	// Save credential.
+	preSignV4Values.Credential, err = parseCredentialHeader("Credential=" + query.Get("X-Amz-Credential"))
+	if err != ErrNone {
+		return psv, err
+	}
+
+	var e error
+	// Save date in native time.Time.
+	preSignV4Values.Date, e = time.Parse(iso8601Format, query.Get("X-Amz-Date"))
+	if e != nil {
+		return psv, ErrMalformedPresignedDate
+	}
+
+	// Save expires in native time.Duration.
+	preSignV4Values.Expires, e = time.ParseDuration(query.Get("X-Amz-Expires") + "s")
+	if e != nil {
+		return psv, ErrMalformedExpires
+	}
+
+	if preSignV4Values.Expires < 0 {
+		return psv, ErrNegativeExpires
+	}
+
+	// Check if Expiry time is less than 7 days (value in seconds).
+	if preSignV4Values.Expires.Seconds() > 604800 {
+		return psv, ErrMaximumExpires
+	}
+
+	// Save signed headers.
+	preSignV4Values.SignedHeaders, err = parseSignedHeader("SignedHeaders=" + query.Get("X-Amz-SignedHeaders"))
+	if err != ErrNone {
+		return psv, err
+	}
+
+	// Save signature.
+	preSignV4Values.Signature, err = parseSignature("Signature=" + query.Get("X-Amz-Signature"))
+	if err != ErrNone {
+		return psv, err
+	}
+
+	// Return structed form of signature query string.
+	return preSignV4Values, ErrNone
+}
+
+// extractSignedHeaders extract signed headers from Authorization header
+func extractSignedHeaders(signedHeaders []string, r *http.Request) (http.Header, ErrorCode) {
+	reqHeaders := r.Header
+	// find whether "host" is part of list of signed headers.
+	// if not return ErrUnsignedHeaders. "host" is mandatory.
+	if !contains(signedHeaders, "host") {
+		return nil, ErrUnsignedHeaders
+	}
+	extractedSignedHeaders := make(http.Header)
+	for _, header := range signedHeaders {
+		// `host` will not be found in the headers, can be found in r.Host.
+		// but its alway necessary that the list of signed headers containing host in it.
+		val, ok := reqHeaders[http.CanonicalHeaderKey(header)]
+		if ok {
+			for _, enc := range val {
+				extractedSignedHeaders.Add(header, enc)
+			}
+			continue
+		}
+		switch header {
+		case "expect":
+			// Golang http server strips off 'Expect' header, if the
+			// client sent this as part of signed headers we need to
+			// handle otherwise we would see a signature mismatch.
+			// `aws-cli` sets this as part of signed headers.
+			//
+			// According to
+			// http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.20
+			// Expect header is always of form:
+			//
+			//   Expect       =  "Expect" ":" 1#expectation
+			//   expectation  =  "100-continue" | expectation-extension
+			//
+			// So it safe to assume that '100-continue' is what would
+			// be sent, for the time being keep this work around.
+			// Adding a *TODO* to remove this later when Golang server
+			// doesn't filter out the 'Expect' header.
+			extractedSignedHeaders.Set(header, "100-continue")
+		case "host":
+			// Go http server removes "host" from Request.Header
+			extractedSignedHeaders.Set(header, r.Host)
+		case "transfer-encoding":
+			for _, enc := range r.TransferEncoding {
+				extractedSignedHeaders.Add(header, enc)
+			}
+		case "content-length":
+			// Signature-V4 spec excludes Content-Length from signed headers list for signature calculation.
+			// But some clients deviate from this rule. Hence we consider Content-Length for signature
+			// calculation to be compatible with such clients.
+			extractedSignedHeaders.Set(header, strconv.FormatInt(r.ContentLength, 10))
+		default:
+			return nil, ErrUnsignedHeaders
+		}
+	}
+	return extractedSignedHeaders, ErrNone
+}
+
+// getSignedHeaders generate a string i.e alphabetically sorted, semicolon-separated list of lowercase request header names
+func getSignedHeaders(signedHeaders http.Header) string {
+	var headers []string
+	for k := range signedHeaders {
+		headers = append(headers, strings.ToLower(k))
+	}
+	sort.Strings(headers)
+	return strings.Join(headers, ";")
+}
+
+// getScope generate a string of a specific date, an AWS region, and a service.
+func getScope(t time.Time, region string) string {
+	scope := strings.Join([]string{
+		t.Format(yyyymmdd),
+		region,
+		"s3",
+		"aws4_request",
+	}, "/")
+	return scope
+}
+
+// getCanonicalRequest generate a canonical request of style
+//
+// canonicalRequest =
+//  <HTTPMethod>\n
+//  <CanonicalURI>\n
+//  <CanonicalQueryString>\n
+//  <CanonicalHeaders>\n
+//  <SignedHeaders>\n
+//  <HashedPayload>
+//
+func getCanonicalRequest(extractedSignedHeaders http.Header, payload, queryStr, urlPath, method string) string {
+	rawQuery := strings.Replace(queryStr, "+", "%20", -1)
+	encodedPath := encodePath(urlPath)
+	canonicalRequest := strings.Join([]string{
+		method,
+		encodedPath,
+		rawQuery,
+		getCanonicalHeaders(extractedSignedHeaders),
+		getSignedHeaders(extractedSignedHeaders),
+		payload,
+	}, "\n")
+	return canonicalRequest
+}
+
+// getStringToSign a string based on selected query values.
+func getStringToSign(canonicalRequest string, t time.Time, scope string) string {
+	stringToSign := signV4Algorithm + "\n" + t.Format(iso8601Format) + "\n"
+	stringToSign = stringToSign + scope + "\n"
+	canonicalRequestBytes := sha256.Sum256([]byte(canonicalRequest))
+	stringToSign = stringToSign + hex.EncodeToString(canonicalRequestBytes[:])
+	return stringToSign
+}
+
+// sumHMAC calculate hmac between two input byte array.
+func sumHMAC(key []byte, data []byte) []byte {
+	hash := hmac.New(sha256.New, key)
+	hash.Write(data)
+	return hash.Sum(nil)
+}
+
+// getSigningKey hmac seed to calculate final signature.
+func getSigningKey(secretKey string, t time.Time, region string) []byte {
+	date := sumHMAC([]byte("AWS4"+secretKey), []byte(t.Format(yyyymmdd)))
+	regionBytes := sumHMAC(date, []byte(region))
+	service := sumHMAC(regionBytes, []byte("s3"))
+	signingKey := sumHMAC(service, []byte("aws4_request"))
+	return signingKey
+}
+
+// getSignature final signature in hexadecimal form.
+func getSignature(signingKey []byte, stringToSign string) string {
+	return hex.EncodeToString(sumHMAC(signingKey, []byte(stringToSign)))
+}
+
+// getCanonicalHeaders generate a list of request headers with their values
+func getCanonicalHeaders(signedHeaders http.Header) string {
+	var headers []string
+	vals := make(http.Header)
+	for k, vv := range signedHeaders {
+		headers = append(headers, strings.ToLower(k))
+		vals[strings.ToLower(k)] = vv
+	}
+	sort.Strings(headers)
+
+	var buf bytes.Buffer
+	for _, k := range headers {
+		buf.WriteString(k)
+		buf.WriteByte(':')
+		for idx, v := range vals[k] {
+			if idx > 0 {
+				buf.WriteByte(',')
+			}
+			buf.WriteString(signV4TrimAll(v))
+		}
+		buf.WriteByte('\n')
+	}
+	return buf.String()
+}
+
+// Trim leading and trailing spaces and replace sequential spaces with one space, following Trimall()
+// in http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+func signV4TrimAll(input string) string {
+	// Compress adjacent spaces (a space is determined by
+	// unicode.IsSpace() internally here) to one space and return
+	return strings.Join(strings.Fields(input), " ")
+}
+
+// if object matches reserved string, no need to encode them
+var reservedObjectNames = regexp.MustCompile("^[a-zA-Z0-9-_.~/]+$")
+
+// EncodePath encode the strings from UTF-8 byte representations to HTML hex escape sequences
+//
+// This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8
+// non english characters cannot be parsed due to the nature in which url.Encode() is written
+//
+// This function on the other hand is a direct replacement for url.Encode() technique to support
+// pretty much every UTF-8 character.
+func encodePath(pathName string) string {
+	if reservedObjectNames.MatchString(pathName) {
+		return pathName
+	}
+	var encodedPathname string
+	for _, s := range pathName {
+		if 'A' <= s && s <= 'Z' || 'a' <= s && s <= 'z' || '0' <= s && s <= '9' { // §2.3 Unreserved characters (mark)
+			encodedPathname = encodedPathname + string(s)
+			continue
+		}
+		switch s {
+		case '-', '_', '.', '~', '/': // §2.3 Unreserved characters (mark)
+			encodedPathname = encodedPathname + string(s)
+			continue
+		default:
+			len := utf8.RuneLen(s)
+			if len < 0 {
+				// if utf8 cannot convert return the same string as is
+				return pathName
+			}
+			u := make([]byte, len)
+			utf8.EncodeRune(u, s)
+			for _, r := range u {
+				hex := hex.EncodeToString([]byte{r})
+				encodedPathname = encodedPathname + "%" + strings.ToUpper(hex)
+			}
+		}
+	}
+	return encodedPathname
+}
+
+// compareSignatureV4 returns true if and only if both signatures
+// are equal. The signatures are expected to be HEX encoded strings
+// according to the AWS S3 signature V4 spec.
+func compareSignatureV4(sig1, sig2 string) bool {
+	// The CTC using []byte(str) works because the hex encoding
+	// is unique for a sequence of bytes. See also compareSignatureV2.
+	return subtle.ConstantTimeCompare([]byte(sig1), []byte(sig2)) == 1
+}