@aws-sdk/cloudfront-signer 3.1056.0 → 3.1059.0

package/dist-cjs/index.js

@@ -3,11 +3,12 @@
 var protocols = require('@smithy/core/protocols');
 var node_crypto = require('node:crypto');
 
-function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, passphrase, }) {
+function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, passphrase, algorithm, }) {
     const cloudfrontSignBuilder = new CloudfrontSignBuilder({
         keyPairId,
         privateKey,
         passphrase,
+        algorithm,
     });
     if (!url && !policy) {
         throw new Error("@aws-sdk/cloudfront-signer: Please provide 'url' or 'policy'.");
@@ -35,18 +36,23 @@ function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, privateKe
         });
     }
     const startFlag = baseUrl.includes("?") ? "&" : "?";
-    const params = Object.entries(cloudfrontSignBuilder.createCloudfrontAttribute())
+    const attributes = cloudfrontSignBuilder.createCloudfrontAttribute();
+    if (algorithm === "SHA256") {
+        attributes["Hash-Algorithm"] = "SHA256";
+    }
+    const params = Object.entries(attributes)
         .filter(([, value]) => value !== undefined)
         .map(([key, value]) => `${protocols.extendedEncodeURIComponent(key)}=${protocols.extendedEncodeURIComponent(value)}`)
         .join("&");
     const urlString = baseUrl + startFlag + params;
     return getResource(urlString);
 }
-function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, passphrase, }) {
+function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, passphrase, algorithm, }) {
     const cloudfrontSignBuilder = new CloudfrontSignBuilder({
         keyPairId,
         privateKey,
         passphrase,
+        algorithm,
     });
     if (policy) {
         cloudfrontSignBuilder.setCustomPolicy(policy);
@@ -70,6 +76,9 @@ function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan,
     if (cloudfrontCookieAttributes["Policy"]) {
         cookies["CloudFront-Policy"] = cloudfrontCookieAttributes["Policy"];
     }
+    if (algorithm === "SHA256") {
+        cookies["CloudFront-Hash-Algorithm"] = "SHA256";
+    }
     return cookies;
 }
 function encodeUrlPath(url) {
@@ -127,14 +136,16 @@ class CloudfrontSignBuilder {
     keyPairId;
     privateKey;
     passphrase;
+    algorithm;
     policy;
     customPolicy = false;
     dateLessThan;
-    constructor({ privateKey, keyPairId, passphrase }) {
+    constructor({ privateKey, keyPairId, passphrase, algorithm }) {
         this.keyPairId = keyPairId;
         this.privateKey = privateKey;
         this.policy = "";
         this.passphrase = passphrase;
+        this.algorithm = algorithm ?? "SHA1";
     }
     buildPolicy(args) {
         const policy = {
@@ -240,7 +251,7 @@ class CloudfrontSignBuilder {
         };
     }
     signData(data, privateKey, passphrase) {
-        const sign = node_crypto.createSign("RSA-SHA1");
+        const sign = node_crypto.createSign(this.algorithm === "SHA256" ? "RSA-SHA256" : "RSA-SHA1");
         sign.update(data);
         return sign.sign({ key: privateKey, passphrase }, "base64");
     }

package/dist-es/index.js

@@ -1 +1 @@
-export * from "./sign";
+export { getSignedUrl, getSignedCookies } from "./sign";

package/dist-es/sign.js

@@ -1,10 +1,11 @@
 import { extendedEncodeURIComponent } from "@smithy/core/protocols";
 import { createSign } from "node:crypto";
-export function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, passphrase, }) {
+export function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, passphrase, algorithm, }) {
     const cloudfrontSignBuilder = new CloudfrontSignBuilder({
         keyPairId,
         privateKey,
         passphrase,
+        algorithm,
     });
     if (!url && !policy) {
         throw new Error("@aws-sdk/cloudfront-signer: Please provide 'url' or 'policy'.");
@@ -32,18 +33,23 @@ export function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, pr
         });
     }
     const startFlag = baseUrl.includes("?") ? "&" : "?";
-    const params = Object.entries(cloudfrontSignBuilder.createCloudfrontAttribute())
+    const attributes = cloudfrontSignBuilder.createCloudfrontAttribute();
+    if (algorithm === "SHA256") {
+        attributes["Hash-Algorithm"] = "SHA256";
+    }
+    const params = Object.entries(attributes)
         .filter(([, value]) => value !== undefined)
         .map(([key, value]) => `${extendedEncodeURIComponent(key)}=${extendedEncodeURIComponent(value)}`)
         .join("&");
     const urlString = baseUrl + startFlag + params;
     return getResource(urlString);
 }
-export function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, passphrase, }) {
+export function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, passphrase, algorithm, }) {
     const cloudfrontSignBuilder = new CloudfrontSignBuilder({
         keyPairId,
         privateKey,
         passphrase,
+        algorithm,
     });
     if (policy) {
         cloudfrontSignBuilder.setCustomPolicy(policy);
@@ -67,6 +73,9 @@ export function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLe
     if (cloudfrontCookieAttributes["Policy"]) {
         cookies["CloudFront-Policy"] = cloudfrontCookieAttributes["Policy"];
     }
+    if (algorithm === "SHA256") {
+        cookies["CloudFront-Hash-Algorithm"] = "SHA256";
+    }
     return cookies;
 }
 function encodeUrlPath(url) {
@@ -124,14 +133,16 @@ class CloudfrontSignBuilder {
     keyPairId;
     privateKey;
     passphrase;
+    algorithm;
     policy;
     customPolicy = false;
     dateLessThan;
-    constructor({ privateKey, keyPairId, passphrase }) {
+    constructor({ privateKey, keyPairId, passphrase, algorithm }) {
         this.keyPairId = keyPairId;
         this.privateKey = privateKey;
         this.policy = "";
         this.passphrase = passphrase;
+        this.algorithm = algorithm ?? "SHA1";
     }
     buildPolicy(args) {
         const policy = {
@@ -237,7 +248,7 @@ class CloudfrontSignBuilder {
         };
     }
     signData(data, privateKey, passphrase) {
-        const sign = createSign("RSA-SHA1");
+        const sign = createSign(this.algorithm === "SHA256" ? "RSA-SHA256" : "RSA-SHA1");
         sign.update(data);
         return sign.sign({ key: privateKey, passphrase }, "base64");
     }

package/dist-types/index.d.ts

@@ -1 +1,2 @@
-export * from "./sign";
+export type { CloudfrontSignerAlgorithm, CloudfrontSignerCredentials, CloudfrontSignInput, CloudfrontSignInputWithParameters, CloudfrontSignInputWithPolicy, CloudfrontSignedCookiesOutput, CloudfrontSignInputBase, } from "./sign";
+export { getSignedUrl, getSignedCookies } from "./sign";

package/dist-types/sign.d.ts

@@ -3,6 +3,12 @@
  * @public
  */
 export type CloudfrontSignInput = CloudfrontSignInputWithParameters | CloudfrontSignInputWithPolicy;
+/**
+ * The hash algorithm used for signing.
+ * @see https://aws.amazon.com/about-aws/whats-new/2026/04/amazon-cloudfront-sha-256-signed-urls/
+ * @public
+ */
+export type CloudfrontSignerAlgorithm = "SHA1" | "SHA256";
 /**
  * @public
  */
@@ -11,8 +17,16 @@ export type CloudfrontSignerCredentials = {
     keyPairId: string;
     /** The content of the Cloudfront private key. */
     privateKey: string | Buffer;
-    /** The passphrase of RSA-SHA1 key*/
+    /** The passphrase of the RSA key. */
     passphrase?: string;
+    /**
+     * The hash algorithm to use for signing.
+     * When set to "SHA256", the signed URL will include a Hash-Algorithm=SHA256 query parameter
+     * as required by CloudFront for FIPS 140-3 compliance.
+     *
+     * Default "SHA1".
+     */
+    algorithm?: CloudfrontSignerAlgorithm;
 };
 /**
  * @public
@@ -66,19 +80,21 @@ export interface CloudfrontSignedCookiesOutput {
     "CloudFront-Expires"?: number;
     /** Base64-encoded version of the JSON policy. */
     "CloudFront-Policy"?: string;
+    /** The hash algorithm used for signing. Present when algorithm is SHA256. */
+    "CloudFront-Hash-Algorithm"?: string;
 }
 /**
  * Creates a signed URL string using a canned or custom policy.
  * @public
  * @returns the input URL with signature attached as query parameters.
  */
-export declare function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, passphrase, }: CloudfrontSignInput): string;
+export declare function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, passphrase, algorithm, }: CloudfrontSignInput): string;
 /**
  * Creates signed cookies using a canned or custom policy.
  * @public
  * @returns an object with keys/values that can be added to cookies.
  */
-export declare function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, passphrase, }: CloudfrontSignInput): CloudfrontSignedCookiesOutput;
+export declare function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, passphrase, algorithm, }: CloudfrontSignInput): CloudfrontSignedCookiesOutput;
 /**
  * @deprecated use CloudfrontSignInput, CloudfrontSignInputWithParameters, or CloudfrontSignInputWithPolicy.
  */

package/dist-types/ts3.4/index.d.ts

@@ -1 +1,10 @@
-export * from "./sign";
+export {
+  CloudfrontSignerAlgorithm,
+  CloudfrontSignerCredentials,
+  CloudfrontSignInput,
+  CloudfrontSignInputWithParameters,
+  CloudfrontSignInputWithPolicy,
+  CloudfrontSignedCookiesOutput,
+  CloudfrontSignInputBase,
+} from "./sign";
+export { getSignedUrl, getSignedCookies } from "./sign";

package/dist-types/ts3.4/sign.d.ts

@@ -1,10 +1,12 @@
 export type CloudfrontSignInput =
   | CloudfrontSignInputWithParameters
   | CloudfrontSignInputWithPolicy;
+export type CloudfrontSignerAlgorithm = "SHA1" | "SHA256";
 export type CloudfrontSignerCredentials = {
   keyPairId: string;
   privateKey: string | Buffer;
   passphrase?: string;
+  algorithm?: CloudfrontSignerAlgorithm;
 };
 export type CloudfrontSignInputWithParameters = CloudfrontSignerCredentials & {
   url: string;
@@ -25,6 +27,7 @@ export interface CloudfrontSignedCookiesOutput {
   "CloudFront-Signature": string;
   "CloudFront-Expires"?: number;
   "CloudFront-Policy"?: string;
+  "CloudFront-Hash-Algorithm"?: string;
 }
 export declare function getSignedUrl({
   dateLessThan,
@@ -35,6 +38,7 @@ export declare function getSignedUrl({
   ipAddress,
   policy,
   passphrase,
+  algorithm,
 }: CloudfrontSignInput): string;
 export declare function getSignedCookies({
   ipAddress,
@@ -45,6 +49,7 @@ export declare function getSignedCookies({
   dateGreaterThan,
   policy,
   passphrase,
+  algorithm,
 }: CloudfrontSignInput): CloudfrontSignedCookiesOutput;
 export type CloudfrontSignInputBase = {
   url: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/cloudfront-signer",
-  "version": "3.1056.0",
+  "version": "3.1059.0",
   "scripts": {
     "build": "concurrently 'yarn:build:types' 'yarn:build:es' && yarn build:cjs",
     "build:cjs": "node ../../scripts/compilation/inline cloudfront-signer",
@@ -11,7 +11,11 @@
     "clean": "premove dist-cjs dist-es dist-types tsconfig.cjs.tsbuildinfo tsconfig.es.tsbuildinfo tsconfig.types.tsbuildinfo",
     "extract:docs": "api-extractor run --local",
     "test": "yarn g:vitest run",
-    "test:watch": "yarn g:vitest watch"
+    "test:watch": "yarn g:vitest watch",
+    "test:integration": "yarn g:vitest run -c vitest.config.integ.mts",
+    "test:integration:watch": "yarn g:vitest watch -c vitest.config.integ.mts",
+    "test:e2e": "yarn g:vitest run -c vitest.config.e2e.mts",
+    "test:e2e:watch": "yarn g:vitest watch -c vitest.config.e2e.mts"
   },
   "main": "./dist-cjs/index.js",
   "module": "./dist-es/index.js",
@@ -23,7 +27,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@smithy/core": "^3.24.5",
+    "@smithy/core": "^3.24.6",
     "tslib": "^2.6.2"
   },
   "files": [