AWS AmazonCloudFront documentation change
Summary
Updated documentation to add support for SHA-256 hash algorithm in CloudFront signed cookies, including new function rsa_sha256_sign, updated create_signed_cookies function with hash_algorithm parameter, and added CloudFront-Hash-Algorithm cookie.
Security assessment
This change adds documentation for using SHA-256 instead of SHA-1 for signing CloudFront cookies. SHA-1 is cryptographically weak and vulnerable to collision attacks, so adding SHA-256 support improves security. However, there's no evidence this addresses a specific security incident - it appears to be a proactive enhancement to support stronger cryptography.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/signed-cookies-PHP.md b/AmazonCloudFront/latest/DeveloperGuide/signed-cookies-PHP.md index 9feb73d41..7b242690e 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/signed-cookies-PHP.md +++ b//AmazonCloudFront/latest/DeveloperGuide/signed-cookies-PHP.md @@ -5 +5 @@ -Create the RSA SHA-1 signatureCreate the signed cookiesFull code +Create the RSA SHA-1 or SHA-256 signatureCreate the signed cookiesFull code @@ -22 +22 @@ This approach is useful to stream content, such as HTTP Live Streaming (HLS) or - * Create the RSA SHA-1 signature + * Create the RSA SHA-1 or SHA-256 signature @@ -33 +33 @@ The following sections breaks down the code example into individual parts. You c -## Create the RSA SHA-1 signature +## Create the RSA SHA-1 or SHA-256 signature @@ -37 +37 @@ This code example does the following: - 1. The function `rsa_sha1_sign` hashes and signs the policy statement. The arguments required are a policy statement and the private key that corresponds with a public key that’s in a trusted key group for your distribution. + 1. The function `rsa_sha1_sign` hashes and signs the policy statement using SHA-1. To use SHA-256 instead, use the rsa_sha256_sign function shown below. The arguments required are a policy statement and the private key that corresponds with a public key that’s in a trusted key group for your distribution. @@ -59,0 +60,15 @@ This code example does the following: +The following function uses SHA-256 instead of SHA-1: + + function rsa_sha256_sign($policy, $private_key_filename) { + $signature = ""; + $fp = fopen($private_key_filename, "r"); + $priv_key = fread($fp, 8192); + fclose($fp); + $pkeyid = openssl_get_privatekey($priv_key); + openssl_sign($policy, $signature, $pkeyid, OPENSSL_ALGO_SHA256); + openssl_free_key($pkeyid); + return $signature; + } + +The `rsa_sha256_sign` function is the same as `rsa_sha1_sign`, except that it passes `OPENSSL_ALGO_SHA256` to `openssl_sign`. When you use SHA-256, include the `CloudFront-Hash-Algorithm` cookie with a value of `SHA256`. + @@ -65 +80 @@ This code example does the following: -The following code constructs a creates the signed cookies, using the following cookie attributes: `CloudFront-Expires`, `CloudFront-Signature`, and `CloudFront-Key-Pair-Id`. The code uses a custom policy. +The following code constructs a creates the signed cookies, using the following cookie attributes: `CloudFront-Expires`, `CloudFront-Signature`, `CloudFront-Key-Pair-Id` and `CloudFront-Hash-Algorithm`. The code uses a custom policy. @@ -68 +83 @@ The following code constructs a creates the signed cookies, using the following - function create_signed_cookies($resource, $private_key_filename, $key_pair_id, $expires, $client_ip = null) { + function create_signed_cookies($resource, $private_key_filename, $key_pair_id, $expires, $client_ip = null, $hash_algorithm = 'SHA1') { @@ -85,0 +101,3 @@ The following code constructs a creates the signed cookies, using the following + if ($hash_algorithm === 'SHA256') { + $signature = rsa_sha256_sign($policy, $private_key_filename); + } else { @@ -86,0 +105 @@ The following code constructs a creates the signed cookies, using the following + } @@ -89 +108 @@ The following code constructs a creates the signed cookies, using the following - return array( + $cookies = array( @@ -93,0 +113,6 @@ The following code constructs a creates the signed cookies, using the following + + if ($hash_algorithm === 'SHA256') { + $cookies['CloudFront-Hash-Algorithm'] = 'SHA256'; + } + + return $cookies; @@ -126 +151,12 @@ In the following example, you can modify the `$policy Condition` element to allo - function create_signed_cookies($resource, $private_key_filename, $key_pair_id, $expires, $client_ip = null) { + function rsa_sha256_sign($policy, $private_key_filename) { + $signature = ""; + $fp = fopen($private_key_filename, "r"); + $priv_key = fread($fp, 8192); + fclose($fp); + $pkeyid = openssl_get_privatekey($priv_key); + openssl_sign($policy, $signature, $pkeyid, OPENSSL_ALGO_SHA256); + openssl_free_key($pkeyid); + return $signature; + } + + function create_signed_cookies($resource, $private_key_filename, $key_pair_id, $expires, $client_ip = null, $hash_algorithm = 'SHA1') { @@ -143,0 +180,3 @@ In the following example, you can modify the `$policy Condition` element to allo + if ($hash_algorithm === 'SHA256') { + $signature = rsa_sha256_sign($policy, $private_key_filename); + } else { @@ -144,0 +184 @@ In the following example, you can modify the `$policy Condition` element to allo + } @@ -147 +187 @@ In the following example, you can modify the `$policy Condition` element to allo - return array( + $cookies = array( @@ -151,0 +192,6 @@ In the following example, you can modify the `$policy Condition` element to allo + + if ($hash_algorithm === 'SHA256') { + $cookies['CloudFront-Hash-Algorithm'] = 'SHA256'; + } + + return $cookies; @@ -168 +214 @@ In the following example, you can modify the `$policy Condition` element to allo - $signed_cookies = create_signed_cookies($hls_resource, $private_key_filename, $key_pair_id, $expires, $client_ip); + $signed_cookies = create_signed_cookies($hls_resource, $private_key_filename, $key_pair_id, $expires, $client_ip, 'SHA256');