AWS announces preview of AWS Interconnect - multicloud

AWS announces AWS Interconnect – multicloud (preview), providing simple, resilient, high-speed private connections to other cloud service providers. AWS Interconnect - multicloud is easy to configure and provides high-speed, resilient connectivity with dedicated bandwidth, enabling customers to interconnect AWS networking services such as AWS Transit Gateway, AWS Cloud WAN, and Amazon VPC to other cloud service providers with ease.

Use SHA-256 for CloudFront signed URLs

Hi,

I am using CloudFront to control access to an S3 bucket utilizing signed URLs on a PHP backend (WordPress). I wanted to know if it is possible to make CloudFront signed URLs (as for instance discussed in this post) using an RSA SHA256 signature instead of the RSA SHA1 signature shown in the post. My website host recently upgraded their OS and the new version of OpenSSL no longer allows generation of RSA SHA1 signatures (apparently SHA1 is not considered secure enough). This was causing the PHP function openssl_sign used in the post above to fail. Thankfully my hosting provider agreed to roll back OpenSSL to a prior version that supported generating RSA SHA1 signatures but I suspect this is a short term solution and I need to come up with an alternative way to generate these signed URLs.

Any help is appreciated. If you know of a pure PHP way to generate RSA SHA1 signatures (i.e. that does not rely on OpenSSL) that would be helpful as well.

Thank you

トピック: ネットワークとコンテンツ配信ストレージ
タグ: 署名済み URL Amazon CloudFront ネットワークとコンテンツ配信
言語: English

AMS

質問済み 10ヶ月前761ビュー

1回答

新しい順
投票が多い順
コメントが多い順

承認された回答

Hello.

As of February 2025, algorithms other than "RSA-SHA1" cannot be used in CloudFront signed URLs, as described in the document below.
So, as you know, I think the only option is to roll back the version of OpenSSL or wait until AWS updates to support "SHA-256".
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-overview.html#private-content-overview-edge-caches

You must use RSA-SHA1 for signing URLs or cookies. CloudFront doesn't accept other algorithms.

エキスパート

Riku_Kobayashi

回答済み 10ヶ月前

エキスパート

Adeleke Adebowale .J.

レビュー済み 10ヶ月前

AMS
10ヶ月前
Thank you so much for your answer, I had a feeling there was no way to use SHA256 with CloudFront but wanted to make sure I wasn't missing anything (it seems like some other signed requests on AWS do use SHA256). If anyone knows of an alternative way to make make RSA-SHA1 signatures in PHP (that doesn't use openssl_sign) please let me know. Thank you again.
Riku_Kobayashi エキスパート
10ヶ月前
I don't know much about PHP, but I did some research and found that phpseclib might be useful. https://api.phpseclib.com/3.0/phpseclib3/Crypt/RSA/PrivateKey.html

AMS

10ヶ月前

Awesome find! Thank you so much. I can confirm that phpseclib3 can generate the required signatures. Here is my fallback code that can replace rsa_sha1_sign from the post I referenced in the question:

use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;

function rsa_sha1_sign_fallback($policy, $private_key_filename) {
    $key = PublicKeyLoader::load(file_get_contents($private_key_filename));
    $key = $key->withHash('sha1')->withPadding(RSA::SIGNATURE_PKCS1);
    $signature = $key->sign($policy);
    
    return $signature;
}

Use SHA-256 for CloudFront signed URLs

回答を追加する

関連するコンテンツ