Skip to content

feat: add option to allow different algos to sign Cloudfront#3315

Open
guidopili-docebo wants to merge 3 commits into
aws:masterfrom
guidopili-docebo:master
Open

feat: add option to allow different algos to sign Cloudfront#3315
guidopili-docebo wants to merge 3 commits into
aws:masterfrom
guidopili-docebo:master

Conversation

@guidopili-docebo

@guidopili-docebo guidopili-docebo commented Jun 25, 2026

Copy link
Copy Markdown

Addresses Issue #3116

Summary

CloudFront's Signer, CookieSigner, UrlSigner, and the CloudFrontClient convenience methods previously hardcoded SHA1 as the signing algorithm (the openssl_sign() default). This change adds an optional $algorithm parameter so callers can pass any OpenSSL-supported algorithm, such as SHA256.

Changes

  • Signer — new $algorithm property (fourth constructor parameter, defaults to OPENSSL_ALGO_SHA1). Passed through to openssl_sign().
  • CookieSigner / UrlSigner — new $algorithm constructor parameter threaded to the internal Signer instance.
  • CloudFrontClient — getSignedUrl() and getSignedCookie() read an optional 'algorithm' key from the options array and forward it to the respective signer.
  • SignerTest — new test asserting that OPENSSL_ALGO_SHA256 produces a valid, URL-safe signature that differs from the SHA1 output.

Backward compatibility

Fully backward compatible. All new parameters default to OPENSSL_ALGO_SHA1, which matches the previous implicit behavior.

Usage

// Direct signer
$signer = new Signer($keyPairId, $privateKey, '', OPENSSL_ALGO_SHA256);

// Via CookieSigner / UrlSigner
$signer = new CookieSigner($keyPairId, $privateKey, OPENSSL_ALGO_SHA256);
$signer = new UrlSigner($keyPairId, $privateKey, OPENSSL_ALGO_SHA256);

// Via CloudFrontClient
$signer->getSignedUrl([
    'url'         => 'https://d111.cloudfront.net/image.jpg',
    'expires'     => time() + 3600,
    'key_pair_id' => $keyPairId,
    'private_key' => $privateKey,
    'algorithm'   => OPENSSL_ALGO_SHA256,
]);

Signed-off-by: Guido Pili <guido.pili@docebo.com>

@stobrien89 stobrien89 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay @guidopili-docebo and thanks for the contribution. Left a couple of comments- if you're able to address them, just request another review and I'll take a look ASAP. If not, I can make those changes too.

Comment thread src/CloudFront/CloudFrontClient.php Outdated
$options['key_pair_id'],
$options['private_key']
$options['private_key'],
isset($options['algorithm']) ? $options['algorithm'] : OPENSSL_ALGO_SHA1

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For cross-sdk parity, we should use algorithm strings (i.e. "SHA-256") and there should be some validation on the algorithm- I would put the supported algorithm strings in an array constant and ensure the passed value (if provided) is one of the supported options

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have moved to algorithm strings as a default, while leaving the possibility to pass openssl constants. Also, validation was added. Was your intention to fully drop the constants or does this implementation work?

Comment thread src/CloudFront/CloudFrontClient.php Outdated
Comment thread src/CloudFront/Signer.php Outdated
Comment thread src/CloudFront/CookieSigner.php Outdated
Comment thread src/CloudFront/CloudFrontClient.php Outdated
Comment thread tests/CloudFront/SignerTest.php Outdated
Comment thread tests/CloudFront/SignerTest.php
@guidopili-docebo

Copy link
Copy Markdown
Author

@stobrien89 I have implemented the changes suggested in the review. Can I ask for a second review?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants