Use AWS CRT instead of cryptography for Cloudfront url signing #9423
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kdaily
commented
Apr 4, 2025
kdaily
force-pushed
the
crt-cryptography-cloudfront-signing
branch
from
69d3886 to
fffc73b
Compare
ashovlin
reviewed
Apr 7, 2025
ashovlin
reviewed
Apr 7, 2025
|
Does this still need the changes to cloudfront.py that were originally in #9109, since we reverted to all of the |
Yeah. Not sure how I missed pushing that commit. |
Fixed in 53c3b0e |
kdaily
force-pushed
the
crt-cryptography-cloudfront-signing
branch
4 times, most recently
from
533be41 to
50007b9
Compare
ashovlin
approved these changes
Apr 21, 2025
kdaily
force-pushed
the
crt-cryptography-cloudfront-signing
branch
4 times, most recently
from
de795df to
3962527
Compare
Also add test for a PKCS8-formatted pem private key Uses the method described in the CloudFront docs to generate a private key: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs
- Regenerate lock files for macOS and Linux - Regenerate lock files for Windows - Regenerate lock files for docs
kdaily
force-pushed
the
crt-cryptography-cloudfront-signing
branch
from
3962527 to
f469f7c
Compare
ashovlin
approved these changes
Apr 29, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
Fixes issue from #9258 to support PKCS8-formatted private key PEM files. The support for this was added directly to
awscrt==0.25.6(awslabs/aws-crt-python#638). This PR bumps CRT to 0.26.1.Added a test to prevent regression for support of this format. I also manually ran
aws cloudfront signcommands and confirmed that the expected signature is generated using both a PKCS1 and PKCS8 pem file.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.