feat: add option to allow different algos to sign Cloudfront#3315
feat: add option to allow different algos to sign Cloudfront#3315guidopili-docebo wants to merge 3 commits into
Conversation
Signed-off-by: Guido Pili <guido.pili@docebo.com>
stobrien89
left a comment
There was a problem hiding this comment.
Sorry for the delay @guidopili-docebo and thanks for the contribution. Left a couple of comments- if you're able to address them, just request another review and I'll take a look ASAP. If not, I can make those changes too.
| $options['key_pair_id'], | ||
| $options['private_key'] | ||
| $options['private_key'], | ||
| isset($options['algorithm']) ? $options['algorithm'] : OPENSSL_ALGO_SHA1 |
There was a problem hiding this comment.
For cross-sdk parity, we should use algorithm strings (i.e. "SHA-256") and there should be some validation on the algorithm- I would put the supported algorithm strings in an array constant and ensure the passed value (if provided) is one of the supported options
There was a problem hiding this comment.
I have moved to algorithm strings as a default, while leaving the possibility to pass openssl constants. Also, validation was added. Was your intention to fully drop the constants or does this implementation work?
|
@stobrien89 I have implemented the changes suggested in the review. Can I ask for a second review? |
Addresses Issue #3116
Summary
CloudFront's Signer, CookieSigner, UrlSigner, and the CloudFrontClient convenience methods previously hardcoded SHA1 as the signing algorithm (the openssl_sign() default). This change adds an optional $algorithm parameter so callers can pass any OpenSSL-supported algorithm, such as SHA256.
Changes
$algorithmproperty (fourth constructor parameter, defaults toOPENSSL_ALGO_SHA1). Passed through toopenssl_sign().getSignedUrl()andgetSignedCookie()read an optional'algorithm'key from the options array and forward it to the respective signer.OPENSSL_ALGO_SHA256produces a valid, URL-safe signature that differs from the SHA1 output.Backward compatibility
Fully backward compatible. All new parameters default to
OPENSSL_ALGO_SHA1, which matches the previous implicit behavior.Usage