How to encrypt Amazon CloudFront signature for private content access using canned policy

Posted by Chet on Stack Overflow See other posts from Stack Overflow or by Chet
Published on 2010-02-17T20:36:18Z Indexed on 2010/03/08 5:06 UTC
Read the original article Hit count: 631

Filed under:
|
|
|
|

Has anyone using .net actually worked out how to successfully sign a signature to use with CloudFront private content? After a couple of days of attempts all I can get is Access Denied.

I have been working with variations of the following code and also tried using OpenSSL.Net and AWSSDK but that does not have a sign method for RSA-SHA1 yet.

The signature (data) looks like this

{"Statement":[{"Resource":"http://xxxx.cloudfront.net/xxxx.jpg","Condition":?{"DateLessThan":?{"AWS:EpochTime":1266922799}}}]}

This method attempts to sign the signature for use in the canned url. So of the variations have included chanding the padding used in the has and also reversing the byte[] before signing as apprently OpenSSL do it this way.

public string Sign(string data)
{
   using (SHA1Managed SHA1 = new SHA1Managed())
   {
      RSACryptoServiceProvider provider = new RSACryptoServiceProvider();
      RSACryptoServiceProvider.UseMachineKeyStore = false;

      // Amazon PEM converted to XML using OpenSslKey
      provider.FromXmlString("<RSAKeyValue><Modulus>....."); 

      byte[] plainbytes = System.Text.Encoding.UTF8.GetBytes(data);

      byte[] hash = SHA1.ComputeHash(plainbytes);
      //Array.Reverse(sig); // I have see some examples that reverse the hash

      byte[] sig = provider.SignHash(hash, "SHA1");

     return Convert.ToBase64String(sig);
   }
}

Its useful to note that I have verified the content is setup correctly in S3 and CloudFront by generating a CloudFront canned policy url using my CloudBerry Explorer. How do they do it?

Any ideas would be much appreciated. Thanks

© Stack Overflow or respective owner

Related posts about c#

Related posts about amazon