From 2182d2224e4080c1045c36ea333aaff7dabf08ed Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Thu, 13 Nov 2025 19:30:13 -0800
Subject: [PATCH] SSE-KMS headers are present, this is not an SSE-C request
 (mutually exclusive)

---
 weed/s3api/s3api_object_handlers.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go
index 30d926050..c68b10d50 100644
--- a/weed/s3api/s3api_object_handlers.go
+++ b/weed/s3api/s3api_object_handlers.go
@@ -247,7 +247,14 @@ func (s3a *S3ApiServer) hasConditionalHeaders(r *http.Request) bool {
 
 // hasSSECHeaders checks if the request has SSE-C decryption headers
 // SSE-C requires the customer to provide the decryption key in GET/HEAD requests
+// According to S3 spec, SSE-C and SSE-KMS headers are mutually exclusive
 func (s3a *S3ApiServer) hasSSECHeaders(r *http.Request) bool {
+	// If SSE-KMS headers are present, this is not an SSE-C request (mutually exclusive)
+	if r.Header.Get(s3_constants.AmzServerSideEncryption) == s3_constants.SSEAlgorithmKMS ||
+		r.Header.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId) != "" {
+		return false
+	}
+
 	return r.Header.Get(s3_constants.AmzServerSideEncryptionCustomerAlgorithm) != "" ||
 		r.Header.Get(s3_constants.AmzServerSideEncryptionCustomerKey) != "" ||
 		r.Header.Get(s3_constants.AmzServerSideEncryptionCustomerKeyMD5) != ""