
Use SHA-256 for CloudFront signed URLs


Hi,

I am using CloudFront to control access to an S3 bucket utilizing signed URLs on a PHP backend (WordPress). I wanted to know if it is possible to make CloudFront signed URLs (as for instance discussed in this post) using an RSA SHA256 signature instead of the RSA SHA1 signature shown in the post. My website host recently upgraded their OS and the new version of OpenSSL no longer allows generation of RSA SHA1 signatures (apparently SHA1 is not considered secure enough). This was causing the PHP function openssl_sign used in the post above to fail. Thankfully my hosting provider agreed to roll back OpenSSL to a prior version that supported generating RSA SHA1 signatures but I suspect this is a short term solution and I need to come up with an alternative way to generate these signed URLs.

Any help is appreciated. If you know of a pure PHP way to generate RSA SHA1 signatures (i.e. that does not rely on OpenSSL) that would be helpful as well.

Thank you

1 answer

Accepted answer

Hello.

As of February 2025, algorithms other than "RSA-SHA1" cannot be used in CloudFront signed URLs, as described in the document below.
So, as you know, I think the only option is to roll back the version of OpenSSL or wait until AWS updates to support "SHA-256".
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-overview.html#private-content-overview-edge-caches

You must use RSA-SHA1 for signing URLs or cookies. CloudFront doesn't accept other algorithms.

Expert
Answered 10 months ago
Expert
Reviewed 10 months ago
  • Thank you so much for your answer, I had a feeling there was no way to use SHA256 with CloudFront but wanted to make sure I wasn't missing anything (it seems like some other signed requests on AWS do use SHA256). If anyone knows of an alternative way to make RSA-SHA1 signatures in PHP (that doesn't use openssl_sign) please let me know. Thank you again.

  • I don't know much about PHP, but I did some research and found that phpseclib might be useful. https://api.phpseclib.com/3.0/phpseclib3/Crypt/RSA/PrivateKey.html

  • Awesome find! Thank you so much. I can confirm that phpseclib3 can generate the required signatures. Here is my fallback code that can replace rsa_sha1_sign from the post I referenced in the question:

    use phpseclib3\Crypt\PublicKeyLoader;
    use phpseclib3\Crypt\RSA;

    // Drop-in replacement for rsa_sha1_sign(): signs the policy string with
    // RSA-SHA1 (PKCS#1 v1.5) using phpseclib3 instead of openssl_sign().
    function rsa_sha1_sign_fallback($policy, $private_key_filename) {
        // Load the CloudFront key pair's private key (PEM) from disk.
        $key = PublicKeyLoader::load(file_get_contents($private_key_filename));
        // CloudFront accepts only RSA-SHA1 with PKCS#1 v1.5 padding, so set
        // both explicitly (phpseclib3 defaults to SHA-256 and PSS).
        $key = $key->withHash('sha1')->withPadding(RSA::SIGNATURE_PKCS1);
        // Raw (binary) signature, the same bytes openssl_sign() would produce.
        $signature = $key->sign($policy);

        return $signature;
    }


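To put the accepted answer and the comment thread together, the following is a complete custom-policy CloudFront signed URL generator in PHP. It is an added example, not code from the question, the answer, or AWS. It assumes phpseclib/phpseclib 3.x is installed via Composer; the distribution hostname, object path, source-IP range and Key-Pair-Id are hypothetical placeholders, and the key pair is generated at run time only so the example runs stand-alone (in a real deployment you load the private key of the CloudFront key pair whose public key is registered in the distribution's key group, from a file outside the web root). The signing helper tries `openssl_sign()` first and drops to pure-PHP phpseclib3 when the host's OpenSSL refuses SHA-1, which is the situation described in the question.

```php
<?php
// Added example: complete CloudFront custom-policy signed URL in PHP.
// Not code from the question, the answer, or AWS. Assumes phpseclib/phpseclib
// 3.x via Composer; hostname, path, IP range and Key-Pair-Id are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;

// Base64 with the substitutions CloudFront requires so the value is safe in a
// query string without further URL-encoding: '+' -> '-', '=' -> '_', '/' -> '~'.
function cloudfront_safe_base64(string $raw): string
{
    return strtr(base64_encode($raw), ['+' => '-', '=' => '_', '/' => '~']);
}

// Inverse of the above, used to read a Policy/Signature value back out of a URL.
function cloudfront_safe_base64_decode(string $encoded): string
{
    return base64_decode(strtr($encoded, ['-' => '+', '_' => '=', '~' => '/']));
}

// Custom policy as compact JSON (no whitespace). Resource is the full URL;
// the optional IpAddress condition takes a CIDR string.
function build_custom_policy(string $resourceUrl, int $expiresEpoch, ?string $sourceIp = null): string
{
    $condition = ['DateLessThan' => ['AWS:EpochTime' => $expiresEpoch]];
    if ($sourceIp !== null) {
        $condition['IpAddress'] = ['AWS:SourceIp' => $sourceIp];
    }
    $policy = ['Statement' => [['Resource' => $resourceUrl, 'Condition' => $condition]]];
    return json_encode($policy, JSON_UNESCAPED_SLASHES);
}

// RSA-SHA1 with PKCS#1 v1.5 padding, the only signature CloudFront accepts.
// openssl_sign() is tried first; if the host's OpenSSL has SHA-1 signing
// disabled it returns false (warning suppressed) and the pure-PHP phpseclib3
// path produces the byte-identical signature.
function sign_policy_rsa_sha1(string $policy, string $privateKeyPem): string
{
    $signature = '';
    if (@openssl_sign($policy, $signature, $privateKeyPem, OPENSSL_ALGO_SHA1) && $signature !== '') {
        return $signature;
    }
    $key = PublicKeyLoader::load($privateKeyPem)
        ->withHash('sha1')
        ->withPadding(RSA::SIGNATURE_PKCS1);
    return $key->sign($policy);
}

// Local self-check with the public key: the same verification CloudFront does
// against the public key registered in the distribution's key group.
function verify_policy_signature(string $policy, string $signature, string $publicKeyPem): bool
{
    $key = PublicKeyLoader::load($publicKeyPem)
        ->withHash('sha1')
        ->withPadding(RSA::SIGNATURE_PKCS1);
    return $key->verify($policy, $signature);
}

function cloudfront_signed_url(string $resourceUrl, int $expiresEpoch, string $keyPairId,
                               string $privateKeyPem, ?string $sourceIp = null): string
{
    $policy    = build_custom_policy($resourceUrl, $expiresEpoch, $sourceIp);
    $signature = sign_policy_rsa_sha1($policy, $privateKeyPem);
    // Policy and Signature are already query-safe and Key-Pair-Id is alphanumeric,
    // so the query is assembled by hand; http_build_query() would encode '~'.
    $separator = strpos($resourceUrl, '?') === false ? '?' : '&';
    return $resourceUrl . $separator
        . 'Policy=' . cloudfront_safe_base64($policy)
        . '&Signature=' . cloudfront_safe_base64($signature)
        . '&Key-Pair-Id=' . $keyPairId;
}

// --- Demo ------------------------------------------------------------------
// Throwaway RSA-2048 key, generated only to keep the example self-contained.
// In production: $privateKeyPem = file_get_contents('/etc/cloudfront/private.pem');
$privateKey    = RSA::createKey(2048);
$privateKeyPem = $privateKey->toString('PKCS8');
$publicKeyPem  = $privateKey->getPublicKey()->toString('PKCS8');

$url = cloudfront_signed_url(
    'https://d111111abcdef8.cloudfront.net/private/report.pdf', // hypothetical distribution/object
    time() + 600,                                                // valid for 10 minutes
    'K2JCJMDEHXQW5F',                                            // hypothetical Key-Pair-Id
    $privateKeyPem,
    '203.0.113.0/24'                                             // optional source-IP restriction
);
echo $url, PHP_EOL;

// Read Policy and Signature back out of the URL and confirm they verify.
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
$ok = verify_policy_signature(
    cloudfront_safe_base64_decode($q['Policy']),
    cloudfront_safe_base64_decode($q['Signature']),
    $publicKeyPem
);
echo $ok ? "signature verifies\n" : "signature INVALID\n";
```

Two points worth checking when adapting this. First, the bytes that are signed must be exactly the bytes that end up base64-encoded in the `Policy` parameter, so build the JSON once and pass the same string to both steps; re-encoding it later (for example with different `json_encode` flags) silently breaks the signature. Second, the SHA-1 constraint comes from CloudFront's verifier, as the quoted documentation states, so the phpseclib3 fallback does not weaken anything relative to `openssl_sign()`; it only moves the RSA-SHA1 operation out of the host's OpenSSL into pure PHP. What does matter is the private key: keep it outside the web root, readable only by the PHP process, and rotate the key group's public key if it is ever exposed.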