AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-04-01 · Documentation medium

File: AmazonCloudFront/latest/DeveloperGuide/signed-cookies-PHP.md

Summary

Updated documentation to add support for SHA-256 hash algorithm in CloudFront signed cookies, including new function rsa_sha256_sign, updated create_signed_cookies function with hash_algorithm parameter, and added CloudFront-Hash-Algorithm cookie.

Security assessment

This change adds documentation for using SHA-256 instead of SHA-1 for signing CloudFront cookies. SHA-1 is cryptographically weak and vulnerable to collision attacks, so adding SHA-256 support improves security. However, there's no evidence this addresses a specific security incident - it appears to be a proactive enhancement to support stronger cryptography.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/signed-cookies-PHP.md b/AmazonCloudFront/latest/DeveloperGuide/signed-cookies-PHP.md
index 9feb73d41..7b242690e 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/signed-cookies-PHP.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/signed-cookies-PHP.md
@@ -5 +5 @@
-Create the RSA SHA-1 signatureCreate the signed cookiesFull code
+Create the RSA SHA-1 or SHA-256 signatureCreate the signed cookiesFull code
@@ -22 +22 @@ This approach is useful to stream content, such as HTTP Live Streaming (HLS) or
-  * Create the RSA SHA-1 signature
+  * Create the RSA SHA-1 or SHA-256 signature
@@ -33 +33 @@ The following sections breaks down the code example into individual parts. You c
-## Create the RSA SHA-1 signature
+## Create the RSA SHA-1 or SHA-256 signature
@@ -37 +37 @@ This code example does the following:
-  1. The function `rsa_sha1_sign` hashes and signs the policy statement. The arguments required are a policy statement and the private key that corresponds with a public key that’s in a trusted key group for your distribution.
+  1. The function `rsa_sha1_sign` hashes and signs the policy statement using SHA-1. To use SHA-256 instead, use the rsa_sha256_sign function shown below. The arguments required are a policy statement and the private key that corresponds with a public key that’s in a trusted key group for your distribution.
@@ -59,0 +60,15 @@ This code example does the following:
+The following function uses SHA-256 instead of SHA-1:
+    
+        function rsa_sha256_sign($policy, $private_key_filename) {
+        $signature = "";
+        $fp = fopen($private_key_filename, "r");
+        $priv_key = fread($fp, 8192);
+        fclose($fp);
+        $pkeyid = openssl_get_privatekey($priv_key);
+        openssl_sign($policy, $signature, $pkeyid, OPENSSL_ALGO_SHA256);
+        openssl_free_key($pkeyid);
+        return $signature;
+    }
+
+The `rsa_sha256_sign` function is the same as `rsa_sha1_sign`, except that it passes `OPENSSL_ALGO_SHA256` to `openssl_sign`. When you use SHA-256, include the `CloudFront-Hash-Algorithm` cookie with a value of `SHA256`.
+
@@ -65 +80 @@ This code example does the following:
-The following code constructs a creates the signed cookies, using the following cookie attributes: `CloudFront-Expires`, `CloudFront-Signature`, and `CloudFront-Key-Pair-Id`. The code uses a custom policy.
+The following code constructs a creates the signed cookies, using the following cookie attributes: `CloudFront-Expires`, `CloudFront-Signature`, `CloudFront-Key-Pair-Id` and `CloudFront-Hash-Algorithm`. The code uses a custom policy.
@@ -68 +83 @@ The following code constructs a creates the signed cookies, using the following
-    function create_signed_cookies($resource, $private_key_filename, $key_pair_id, $expires, $client_ip = null) {
+    function create_signed_cookies($resource, $private_key_filename, $key_pair_id, $expires, $client_ip = null, $hash_algorithm = 'SHA1') {
@@ -85,0 +101,3 @@ The following code constructs a creates the signed cookies, using the following
+        if ($hash_algorithm === 'SHA256') {
+            $signature = rsa_sha256_sign($policy, $private_key_filename);
+        } else {
@@ -86,0 +105 @@ The following code constructs a creates the signed cookies, using the following
+        }
@@ -89 +108 @@ The following code constructs a creates the signed cookies, using the following
-        return array(
+        $cookies = array(
@@ -93,0 +113,6 @@ The following code constructs a creates the signed cookies, using the following
+    
+        if ($hash_algorithm === 'SHA256') {
+            $cookies['CloudFront-Hash-Algorithm'] = 'SHA256';
+        }
+    
+        return $cookies;
@@ -126 +151,12 @@ In the following example, you can modify the `$policy Condition` element to allo
-    function create_signed_cookies($resource, $private_key_filename, $key_pair_id, $expires, $client_ip = null) {
+    function rsa_sha256_sign($policy, $private_key_filename) {
+        $signature = "";
+        $fp = fopen($private_key_filename, "r");
+        $priv_key = fread($fp, 8192);
+        fclose($fp);
+        $pkeyid = openssl_get_privatekey($priv_key);
+        openssl_sign($policy, $signature, $pkeyid, OPENSSL_ALGO_SHA256);
+        openssl_free_key($pkeyid);
+        return $signature;
+    }
+    
+    function create_signed_cookies($resource, $private_key_filename, $key_pair_id, $expires, $client_ip = null, $hash_algorithm = 'SHA1') {
@@ -143,0 +180,3 @@ In the following example, you can modify the `$policy Condition` element to allo
+        if ($hash_algorithm === 'SHA256') {
+            $signature = rsa_sha256_sign($policy, $private_key_filename);
+        } else {
@@ -144,0 +184 @@ In the following example, you can modify the `$policy Condition` element to allo
+        }
@@ -147 +187 @@ In the following example, you can modify the `$policy Condition` element to allo
-        return array(
+        $cookies = array(
@@ -151,0 +192,6 @@ In the following example, you can modify the `$policy Condition` element to allo
+    
+        if ($hash_algorithm === 'SHA256') {
+            $cookies['CloudFront-Hash-Algorithm'] = 'SHA256';
+        }
+    
+        return $cookies;
@@ -168 +214 @@ In the following example, you can modify the `$policy Condition` element to allo
-    $signed_cookies = create_signed_cookies($hls_resource, $private_key_filename, $key_pair_id, $expires, $client_ip);
+    $signed_cookies = create_signed_cookies($hls_resource, $private_key_filename, $key_pair_id, $expires, $client_ip, 'SHA256');