Skip to content

Add support for ECDSA signed CloudFront URLs #6627

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
alextwoods wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add support for ECDSA signed CloudFront URLs #6627

alextwoods wants to merge 1 commit into from
+369 −129

Conversation

@alextwoods
Copy link
Contributor

@alextwoods alextwoods commented Dec 16, 2025

Add support for ECDSA signed CloudFront URLs

Motivation and Context

Fixes: #6543

See also:

Modifications

  • Detect the given PrivateKey's algorithm and support RSA/EC.
  • When given a path, attempt to load both RSA and EC keys from it.

Q: Why not make this more generic and support possible future algorithms?
A: The signing mechanism for Cloudfront signed urls both knowing the key type (RSA vs EC) and the hash function to use. We cannot derive the required hash function from the PrivateKey. If additional algorithms are supported in the future, its possible/likely that they will choose to use more modern/secure hashes like SHA256 - however, we don't have that knowledge now. The code in this PR attempts to make the code more generic to handle possible future algorithms more easily, but doesn't add support for anything that isn't supported in CloudFront today.

Testing

New and existing unit and integration tests. (Note: Integration tests confirm usage of SHA1withECDSA is supported service side).

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your

License

  • I confirm that this pull request can be released under the Apache 2 license

@alextwoods alextwoods requested a review from a team as a code owner December 16, 2025 00:41
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 16, 2025

Quality Gate Failed Quality Gate failed

Failed conditions
3 Security Hotspots
31.7% Coverage on New Code (required ≥ 80%)
5.5% Duplication on New Code (required ≤ 3%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Cloudfront Signer ECDSA Support

1 participant

@alextwoods