nRF9160 Fota download GET request size limit

Hi, I am using the FOTA and download_client libraries to implement remote firmware upgrade functionality; however, I am not keen on having an AWS S3 bucket with public access to the firmware binaries. A solution is to generate a pre-signed URL which is only valid for a specific period of time.

The pre-signed URL must contain a set of query parameters to identify the request. These query parameters increase the GET request size, and it looks something like this:

GET /<file_name>?X-Amz-Algorithm=AWS4-HMAC-SHA256
    &X-Amz-Credential=<credential>%2Fus-east-2%2Fs3%2Faws4_request
    &X-Amz-Date=20210511T141203Z&X-Amz-Expires=3600
    &X-Amz-SignedHeaders=host
    &X-Amz-Signature=<signature> HTTP/1.1
Host: <host>.s3.amazonaws.com
Range: bytes=0-2047
Connection: keep-alive

To fit the query parameters I had to increase CONFIG_DOWNLOAD_CLIENT_MAX_FILENAME_SIZE to 384 (the default Kconfig range is 0 - 256), and the total GET request length becomes around 420 bytes, still far below the 2 kB buffer size. (Also note I am using HTTP, not HTTPS.)

When I send the request I receive a 403 Forbidden which indicates that the signature in the X-Amz-Signature query parameter is incorrect. I verified this with Postman by sending an identical request with only a partial signature string.

Interestingly, when I print the response buffer, rather than seeing the response body after the headers, I get the headers from the original GET request. This points to a buffer overflow potentially occurring somewhere.

My questions: Is there a limit to the size of GET requests beyond the buffer size specified in the download client? Why is the CONFIG_DOWNLOAD_CLIENT_MAX_FILENAME_SIZE restricted to 256 bytes? What other authorization method would you suggest for downloading files from an S3 bucket?

Thank you
