From 5f24aadfca80446b19a4bbcbca2f2fc85d3706bf Mon Sep 17 00:00:00 2001
From: chrislu
Date: Sat, 15 Nov 2025 11:01:28 -0800
Subject: [PATCH] fix sse header
---
 weed/s3api/s3api_object_handlers.go | 6 ++++--
 weed/s3api/s3api_object_handlers_put.go | 5 +++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go
index 9db9808a7..1d50fbe06 100644
--- a/weed/s3api/s3api_object_handlers.go
+++ b/weed/s3api/s3api_object_handlers.go
@@ -812,7 +812,8 @@ func (s3a *S3ApiServer) streamFromVolumeServersWithSSE(w http.ResponseWriter, r
 switch sseType {
 case s3_constants.SSETypeC:
 customerKey := decryptionKey.(*SSECustomerKey)
- ivBase64 := string(entry.Extended[s3_constants.SeaweedFSSSEIVHeader])
+ // Use storage key (lowercase) not header key for reading from entry.Extended
+ ivBase64 := string(entry.Extended[s3_constants.SeaweedFSSSEIV])
 iv, _ := base64.StdEncoding.DecodeString(ivBase64)
 decryptedReader, err = CreateSSECDecryptedReader(encryptedReader, customerKey, iv)
 case s3_constants.SSETypeKMS:
@@ -976,7 +977,8 @@ func (s3a *S3ApiServer) createSSECDecryptedReaderFromEntry(r *http.Request, encr
 }
 
 // Get IV from entry metadata
- ivBase64 := string(entry.Extended[s3_constants.SeaweedFSSSEIVHeader])
+ // Use storage key (lowercase) not header key for reading from entry.Extended
+ ivBase64 := string(entry.Extended[s3_constants.SeaweedFSSSEIV])
 if ivBase64 == "" {
 return nil, fmt.Errorf("SSE-C IV not found in metadata")
 }
diff --git a/weed/s3api/s3api_object_handlers_put.go b/weed/s3api/s3api_object_handlers_put.go
index 6e59635d5..25d73e3da 100644
--- a/weed/s3api/s3api_object_handlers_put.go
+++ b/weed/s3api/s3api_object_handlers_put.go
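Review bot: The context line right after the corrected lookup in streamFromVolumeServersWithSSE, `iv, _ := base64.StdEncoding.DecodeString(ivBase64)`, still discards the decode error and never checks for an empty value, so a missing or malformed IV entry is handed to CreateSSECDecryptedReader instead of failing the request. The key mismatch this commit fixes would presumably have gone down exactly that silent path. The second hunk's createSSECDecryptedReaderFromEntry already rejects an empty `ivBase64`; this branch should fail closed the same way, for example `iv, ivErr := base64.StdEncoding.DecodeString(ivBase64)` followed by `if ivErr != nil || len(iv) == 0 { ... }` returning an error, with a separate name so the outer `err` assigned on the next line is not shadowed. The function starts and ends outside the hunk, so its return shape and how CreateSSECDecryptedReader treats a short IV are not visible here.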
@@ -471,12 +471,17 @@ func (s3a *S3ApiServer) putToFiler(r *http.Request, uploadUrl string, dataReader
 // Set SSE-KMS metadata
 if sseKMSKey != nil {
 entry.Extended[s3_constants.SeaweedFSSSEKMSKeyHeader] = sseKMSMetadata
+ // Set standard SSE headers for detection
+ entry.Extended[s3_constants.AmzServerSideEncryption] = []byte("aws:kms")
+ entry.Extended[s3_constants.AmzServerSideEncryptionAwsKmsKeyId] = []byte(sseKMSKey.KeyID)
 glog.V(3).Infof("putToFiler: storing SSE-KMS metadata for object %s with keyID %s", filePath, sseKMSKey.KeyID)
 }
 
 // Set SSE-S3 metadata
 if sseS3Key != nil && len(sseS3Metadata) > 0 {
 entry.Extended[s3_constants.SeaweedFSSSES3Key] = sseS3Metadata
+ // Set standard SSE header for detection
+ entry.Extended[s3_constants.AmzServerSideEncryption] = []byte("AES256")
 glog.V(3).Infof("putToFiler: storing SSE-S3 metadata for object %s with keyID %s", filePath, sseS3Key.KeyID)
 }
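Review bot: Both branches in putToFiler now write the same `s3_constants.AmzServerSideEncryption` key, so if `sseKMSKey` and `sseS3Key` are ever both non-nil the SSE-S3 block overwrites `aws:kms` with `AES256` while the KMS key-id and KMS metadata entries stay on the object. Whether the caller guarantees the two are mutually exclusive is not visible in this hunk; if it does not, any reader that detects the encryption type from this header could select the wrong decryption path. Making the exclusivity explicit, for instance `if sseKMSKey == nil && sseS3Key != nil && len(sseS3Metadata) > 0 {`, or rejecting the combination earlier, keeps the stored metadata consistent. The literals `"aws:kms"` and `"AES256"` would also be safer as shared named constants so the write side and the detection side cannot drift apart. putToFiler continues outside the hunk.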