Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Use SHA-256 for CloudFront signed URLs

0

Hi,

I am using CloudFront to control access to an S3 bucket utilizing signed URLs on a PHP backend (WordPress). I wanted to know if it is possible to make CloudFront signed URLs (as for instance discussed in this post) using an RSA SHA256 signature instead of the RSA SHA1 signature shown in the post. My website host recently upgraded their OS and the new version of OpenSSL no longer allows generation of RSA SHA1 signatures (apparently SHA1 is not considered secure enough). This was causing the PHP function openssl_sign used in the post above to fail. Thankfully my hosting provider agreed to roll back OpenSSL to a prior version that supported generating RSA SHA1 signatures but I suspect this is a short term solution and I need to come up with an alternative way to generate these signed URLs.

Any help is appreciated. If you know of a pure PHP way to generate RSA SHA1 signatures (i.e. that does not rely on OpenSSL) that would be helpful as well.

Thank you

Topics
Networking & Content DeliveryStorage
Tags
presigned URLAmazon CloudFrontNetworking & Content Delivery
Language
English
asked 10 months ago698 views
1 Answer
1
Accepted Answer

Hello.

As of February 2025, algorithms other than "RSA-SHA1" cannot be used in CloudFront signed URLs, as described in the document below.
So, as you know, I think the only option is to roll back the version of OpenSSL or wait until AWS updates to support "SHA-256".
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-overview.html#private-content-overview-edge-caches

You must use RSA-SHA1 for signing URLs or cookies. CloudFront doesn't accept other algorithms.

EXPERT
answered 10 months ago
EXPERT
reviewed 9 months ago
  • AMS
    10 months ago

    Thank you so much for your answer, I had a feeling there was no way to use SHA256 with CloudFront but wanted to make sure I wasn't missing anything (it seems like some other signed requests on AWS do use SHA256). If anyone knows of an alternative way to make make RSA-SHA1 signatures in PHP (that doesn't use openssl_sign) please let me know. Thank you again.

  • Riku_Kobayashi EXPERT
    10 months ago

    I don't know much about PHP, but I did some research and found that phpseclib might be useful. https://api.phpseclib.com/3.0/phpseclib3/Crypt/RSA/PrivateKey.html

  • AMS
    10 months ago

    Awesome find! Thank you so much. I can confirm that phpseclib3 can generate the required signatures. Here is my fallback code that can replace rsa_sha1_sign from the post I referenced in the question:

    use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;

function rsa_sha1_sign_fallback($policy, $private_key_filename) {
    $key = PublicKeyLoader::load(file_get_contents($private_key_filename));
    $key = $key->withHash('sha1')->withPadding(RSA::SIGNATURE_PKCS1);
    $signature = $key->sign($policy);
    
    return $signature;
}

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content