跳至内容
使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post
关于 re:Post

Use SHA-256 for CloudFront signed URLs

0

Hi,

I am using CloudFront to control access to an S3 bucket utilizing signed URLs on a PHP backend (WordPress). I wanted to know if it is possible to make CloudFront signed URLs (as for instance discussed in this post) using an RSA SHA256 signature instead of the RSA SHA1 signature shown in the post. My website host recently upgraded their OS and the new version of OpenSSL no longer allows generation of RSA SHA1 signatures (apparently SHA1 is not considered secure enough). This was causing the PHP function openssl_sign used in the post above to fail. Thankfully my hosting provider agreed to roll back OpenSSL to a prior version that supported generating RSA SHA1 signatures but I suspect this is a short term solution and I need to come up with an alternative way to generate these signed URLs.

Any help is appreciated. If you know of a pure PHP way to generate RSA SHA1 signatures (i.e. that does not rely on OpenSSL) that would be helpful as well.

Thank you

主题
存储网络和内容交付
标签
预签名 URLAmazon CloudFront网络和内容交付
语言
English
已提问 10 个月前801 查看次数
1 回答
1
已接受的回答

Hello.

As of February 2025, algorithms other than "RSA-SHA1" cannot be used in CloudFront signed URLs, as described in the document below.
So, as you know, I think the only option is to roll back the version of OpenSSL or wait until AWS updates to support "SHA-256".
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-overview.html#private-content-overview-edge-caches

You must use RSA-SHA1 for signing URLs or cookies. CloudFront doesn't accept other algorithms.

专家
已回答 10 个月前
专家
已审核 10 个月前
  • AMS
    10 个月前

    Thank you so much for your answer, I had a feeling there was no way to use SHA256 with CloudFront but wanted to make sure I wasn't missing anything (it seems like some other signed requests on AWS do use SHA256). If anyone knows of an alternative way to make make RSA-SHA1 signatures in PHP (that doesn't use openssl_sign) please let me know. Thank you again.

  • Riku_Kobayashi 专家
    10 个月前

    I don't know much about PHP, but I did some research and found that phpseclib might be useful. https://api.phpseclib.com/3.0/phpseclib3/Crypt/RSA/PrivateKey.html

  • AMS
    10 个月前

    Awesome find! Thank you so much. I can confirm that phpseclib3 can generate the required signatures. Here is my fallback code that can replace rsa_sha1_sign from the post I referenced in the question:

    use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;

function rsa_sha1_sign_fallback($policy, $private_key_filename) {
    $key = PublicKeyLoader::load(file_get_contents($private_key_filename));
    $key = $key->withHash('sha1')->withPadding(RSA::SIGNATURE_PKCS1);
    $signature = $key->sign($policy);
    
    return $signature;
}

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

相关内容