From 4bd8e5dd59e920d3442e45ea6b64fd2158a97609 Mon Sep 17 00:00:00 2001
From: Chris Lu <chris.lu@gmail.com>
Date: Thu, 26 Mar 2026 11:28:41 -0700
Subject: [PATCH] fix: serialize SSE-KMS metadata when bucket default
 encryption applies KMS

When a bucket has default SSE-KMS encryption enabled and a file is uploaded
without explicit SSE headers, the encryption was applied correctly but the
SSE-KMS metadata (x-seaweedfs-sse-kms-key) was not serialized. This caused
downloads to fail with "empty SSE-KMS metadata" because the entry's Extended
map stored an empty byte slice.

The existing code already handled this for SSE-S3 bucket defaults
(SerializeSSES3Metadata) but was missing the equivalent call to
SerializeSSEKMSMetadata for the KMS path.

Fixes seaweedfs/seaweedfs#8776
---
 weed/s3api/s3api_object_handlers_put.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/weed/s3api/s3api_object_handlers_put.go b/weed/s3api/s3api_object_handlers_put.go
index bb160fa55..d0c228b72 100644
--- a/weed/s3api/s3api_object_handlers_put.go
+++ b/weed/s3api/s3api_object_handlers_put.go
@@ -374,6 +374,16 @@ func (s3a *S3ApiServer) putToFiler(r *http.Request, filePath string, dataReader
 				return "", s3err.ErrInternalError, SSEResponseMetadata{}
 			}
 		}
+
+		// If SSE-KMS was applied by bucket default, prepare metadata (if not already done)
+		if sseKMSKey != nil && len(sseKMSMetadata) == 0 {
+			var metaErr error
+			sseKMSMetadata, metaErr = SerializeSSEKMSMetadata(sseKMSKey)
+			if metaErr != nil {
+				glog.Errorf("Failed to serialize SSE-KMS metadata for bucket default encryption: %v", metaErr)
+				return "", s3err.ErrInternalError, SSEResponseMetadata{}
+			}
+		}
 	} else {
 		glog.V(4).Infof("putToFiler: explicit encryption already applied, skipping bucket default encryption")
 	}