AWS SDK

# Code generated by software.amazon.smithy.rust.codegen.smithy-rs. DO NOT EDIT.

[package]

name = "aws-sdk-cloudfront-url-signer"

version = "0.1.0"

authors = ["AWS Rust SDK Team <aws-sdk-rust@amazon.com>"]

description = "CloudFront URL and cookie signing utilities for AWS SDK for Rust"

edition = "2021"

license = "Apache-2.0"

repository = "https://github.com/smithy-lang/smithy-rs"

[package.metadata.docs.rs]

all-features = true

targets = ["x86_64-unknown-linux-gnu"]

cargo-args = ["-Zunstable-options", "-Zrustdoc-scrape-examples"]

rustdoc-args = ["--cfg", "docsrs"]

[package.metadata.smithy-rs-release-tooling]

stable = false

[dependencies]

rsa = "0.9.9"

base64-simd = "0.8.0"

url = "2.5.4"

[dependencies.aws-smithy-types]

path = "../aws-smithy-types"

version = "1.3.5"

[dependencies.aws-smithy-async]

path = "../aws-smithy-async"

version = "1.2.7"

[dependencies.sha1]

version = "0.10.6"

features = ["oid"]

[dependencies.tokio]

version = "1.40.0"

features = ["fs"]

optional = true

[dependencies.aws-smithy-json]

path = "../aws-smithy-json"

version = "0.61.8"

[dependencies.p256]

version = "0.13.2"

features = ["ecdsa", "pem"]

[dependencies.http]

version = "1.1"

optional = true

[dev-dependencies]

serde_json = "1"

[dev-dependencies.serde]

version = "1"

features = ["derive"]

[features]

rt-tokio = ["dep:tokio"]

http-1x = ["dep:http"]

                                 Apache License

                           Version 2.0, January 2004

                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,

      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by

      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all

      other entities that control, are controlled by, or are under common

      control with that entity. For the purposes of this definition,

      "control" means (i) the power, direct or indirect, to cause the

      direction or management of such entity, whether by contract or

      otherwise, or (ii) ownership of fifty percent (50%) or more of the

      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity

      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,

      including but not limited to software source code, documentation

      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical

      transformation or translation of a Source form, including but

      not limited to compiled object code, generated documentation,

      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or

      Object form, made available under the License, as indicated by a

      copyright notice that is included in or attached to the work

      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object

      form, that is based on (or derived from) the Work and for which the

      editorial revisions, annotations, elaborations, or other modifications

      represent, as a whole, an original work of authorship. For the purposes

      of this License, Derivative Works shall not include works that remain

      separable from, or merely link (or bind by name) to the interfaces of,

      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including

      the original version of the Work and any modifications or additions

      to that Work or Derivative Works thereof, that is intentionally

      submitted to Licensor for inclusion in the Work by the copyright owner

      or by an individual or Legal Entity authorized to submit on behalf of

      the copyright owner. For the purposes of this definition, "submitted"

      means any form of electronic, verbal, or written communication sent

      to the Licensor or its representatives, including but not limited to

      communication on electronic mailing lists, source code control systems,

      and issue tracking systems that are managed by, or on behalf of, the

      Licensor for the purpose of discussing and improving the Work, but

      excluding communication that is conspicuously marked or otherwise

      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity

      on behalf of whom a Contribution has been received by Licensor and

      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of

      this License, each Contributor hereby grants to You a perpetual,

      worldwide, non-exclusive, no-charge, royalty-free, irrevocable

      copyright license to reproduce, prepare Derivative Works of,

      publicly display, publicly perform, sublicense, and distribute the

      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of

      this License, each Contributor hereby grants to You a perpetual,

      worldwide, non-exclusive, no-charge, royalty-free, irrevocable

      (except as stated in this section) patent license to make, have made,

      use, offer to sell, sell, import, and otherwise transfer the Work,

      where such license applies only to those patent claims licensable

      by such Contributor that are necessarily infringed by their

      Contribution(s) alone or by combination of their Contribution(s)

      with the Work to which such Contribution(s) was submitted. If You

      institute patent litigation against any entity (including a

      cross-claim or counterclaim in a lawsuit) alleging that the Work

      or a Contribution incorporated within the Work constitutes direct

      or contributory patent infringement, then any patent licenses

      granted to You under this License for that Work shall terminate

      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the

      Work or Derivative Works thereof in any medium, with or without

      modifications, and in Source or Object form, provided that You

      meet the following conditions:

      (a) You must give any other recipients of the Work or

          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices

          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works

          that You distribute, all copyright, patent, trademark, and

          attribution notices from the Source form of the Work,

          excluding those notices that do not pertain to any part of

          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its

          distribution, then any Derivative Works that You distribute must

          include a readable copy of the attribution notices contained

          within such NOTICE file, excluding those notices that do not

          pertain to any part of the Derivative Works, in at least one

          of the following places: within a NOTICE text file distributed

          as part of the Derivative Works; within the Source form or

          documentation, if provided along with the Derivative Works; or,

          within a display generated by the Derivative Works, if and

          wherever such third-party notices normally appear. The contents

          of the NOTICE file are for informational purposes only and

          do not modify the License. You may add Your own attribution

          notices within Derivative Works that You distribute, alongside

          or as an addendum to the NOTICE text from the Work, provided

          that such additional attribution notices cannot be construed

          as modifying the License.

      You may add Your own copyright statement to Your modifications and

      may provide additional or different license terms and conditions

      for use, reproduction, or distribution of Your modifications, or

      for any such Derivative Works as a whole, provided Your use,

      reproduction, and distribution of the Work otherwise complies with

      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,

      any Contribution intentionally submitted for inclusion in the Work

      by You to the Licensor shall be under the terms and conditions of

      this License, without any additional terms or conditions.

      Notwithstanding the above, nothing herein shall supersede or modify

      the terms of any separate license agreement you may have executed

      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade

      names, trademarks, service marks, or product names of the Licensor,

      except as required for reasonable and customary use in describing the

      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or

      agreed to in writing, Licensor provides the Work (and each

      Contributor provides its Contributions) on an "AS IS" BASIS,

      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or

      implied, including, without limitation, any warranties or conditions

      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A

      PARTICULAR PURPOSE. You are solely responsible for determining the

      appropriateness of using or redistributing the Work and assume any

      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,

      whether in tort (including negligence), contract, or otherwise,

      unless required by applicable law (such as deliberate and grossly

      negligent acts) or agreed to in writing, shall any Contributor be

      liable to You for damages, including any direct, indirect, special,

      incidental, or consequential damages of any character arising as a

      result of this License or out of the use or inability to use the

      Work (including but not limited to damages for loss of goodwill,

      work stoppage, computer failure or malfunction, or any and all

      other commercial damages or losses), even if such Contributor

      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing

      the Work or Derivative Works thereof, You may choose to offer,

      and charge a fee for, acceptance of support, warranty, indemnity,

      or other liability obligations and/or rights consistent with this

      License. However, in accepting such obligations, You may act only

      on Your own behalf and on Your sole responsibility, not on behalf

      of any other Contributor, and only if You agree to indemnify,

      defend, and hold each Contributor harmless for any liability

      incurred by, or claims asserted against, such Contributor by reason

      of your accepting any such warranty or additional liability.

# aws-sdk-cloudfront-url-signer

A library for generating signed URLs and cookies for Amazon CloudFront private content.

This crate provides utilities to create cryptographically signed URLs and cookies that grant

time-limited access to private CloudFront distributions. It supports both RSA-SHA1 and

ECDSA-SHA1 signing algorithms with canned (simple) and custom (advanced) policies.

## Key Features

- **Signed URLs**: Generate URLs with embedded signatures for single-resource access

- **Signed Cookies**: Generate cookies for multi-resource access without URL modification

- **Canned Policies**: Simple time-based expiration

- **Custom Policies**: Advanced access control with activation dates, IP restrictions, and wildcards

- **Multiple Key Formats**: RSA (PKCS#1/PKCS#8) and ECDSA P-256 (PKCS#8) private keys

## When to Use Signed URLs vs Cookies

**Use signed URLs when:**

- Restricting access to individual files (e.g., a download link)

- Users are accessing content through a client that doesn't support cookies

- You want to share a link that works without additional setup

**Use signed cookies when:**

- Providing access to multiple restricted files (e.g., all files in a subscriber area)

- You don't want to change your existing URLs

- You're building a web application where cookies are naturally handled

## Feature Flags

| Feature | Description |

|---------|-------------|

| `rt-tokio` | Enables async file loading with `PrivateKey::from_pem_file()` |

| `http-1x` | Enables conversion to `http::Request` types |

## CloudFront Setup

Before using this library, you need to:

1. Create a CloudFront key pair in the AWS Console or via CLI

2. Upload the public key to CloudFront

3. Create a key group containing your public key

4. Configure your CloudFront distribution to use the key group for restricted content

5. Keep the private key secure for use with this library

See the [CloudFront Developer Guide](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html) for detailed setup instructions.

## Basic Usage

### Signing a URL with Canned Policy

Canned policies provide simple time-based access control with just an expiration time:

```rust,ignore

use aws_sdk_cloudfront_url_signer::{sign_url, SigningRequest, PrivateKey};

use aws_smithy_types::DateTime;

// Load your CloudFront private key

let private_key = PrivateKey::from_pem(include_bytes!("private_key.pem"))?;

// Create a signing request

let request = SigningRequest::builder()

    .resource_url("https://d111111abcdef8.cloudfront.net/image.jpg")

    .key_pair_id("APKAEIBAERJR2EXAMPLE")

    .private_key(private_key)

    .expires_at(DateTime::from_secs(1767290400))  // Absolute expiration

    .build()?;

// Generate the signed URL

let signed_url = sign_url(request)?;

println!("Signed URL: {}", signed_url);

```

The resulting URL will include `Expires`, `Signature`, and `Key-Pair-Id` query parameters.

### Using Relative Expiration

Instead of an absolute timestamp, you can specify a duration from now:

```rust,ignore

use std::time::Duration;

let request = SigningRequest::builder()

    .resource_url("https://d111111abcdef8.cloudfront.net/video.mp4")

    .key_pair_id("APKAEIBAERJR2EXAMPLE")

    .private_key(private_key)

    .expires_in(Duration::from_secs(3600))  // Valid for 1 hour

    .build()?;

```

### Signing a URL with Custom Policy

Custom policies enable advanced access control with activation dates, IP restrictions, and wildcard patterns:

```rust,ignore

use aws_sdk_cloudfront_url_signer::{sign_url, SigningRequest, PrivateKey};

use aws_smithy_types::DateTime;

let private_key = PrivateKey::from_pem(include_bytes!("private_key.pem"))?;

let request = SigningRequest::builder()

    .resource_url("https://d111111abcdef8.cloudfront.net/videos/*")

    .key_pair_id("APKAEIBAERJR2EXAMPLE")

    .private_key(private_key)

    .expires_at(DateTime::from_secs(1767290400))

    .active_at(DateTime::from_secs(1767200000))  // Not valid before this time

    .ip_range("192.0.2.0/24")                    // Restrict to IP range

    .build()?;

let signed_url = sign_url(request)?;

```

Custom policy URLs include a `Policy` parameter (base64-encoded JSON) instead of `Expires`.

### Generating Signed Cookies

Signed cookies work similarly but return cookie name-value pairs:

```rust,ignore

use aws_sdk_cloudfront_url_signer::{sign_cookies, SigningRequest, PrivateKey};

use aws_smithy_types::DateTime;

let private_key = PrivateKey::from_pem(include_bytes!("private_key.pem"))?;

let request = SigningRequest::builder()

    .resource_url("https://d111111abcdef8.cloudfront.net/*")

    .key_pair_id("APKAEIBAERJR2EXAMPLE")

    .private_key(private_key)

    .expires_at(DateTime::from_secs(1767290400))

    .build()?;

let cookies = sign_cookies(request)?;

// Set cookies in your HTTP response

for (name, value) in cookies.iter() {

    println!("Set-Cookie: {}={}; Domain=d111111abcdef8.cloudfront.net; Secure; HttpOnly", name, value);

}

```

For canned policies, cookies include:

- `CloudFront-Expires`

- `CloudFront-Signature`

- `CloudFront-Key-Pair-Id`

For custom policies, cookies include:

- `CloudFront-Policy`

- `CloudFront-Signature`

- `CloudFront-Key-Pair-Id`

## Private Key Loading

### From PEM Bytes

Load a key from bytes (useful when loading from AWS Secrets Manager or environment variables):

```rust,ignore

use aws_sdk_cloudfront_url_signer::PrivateKey;

// From a byte slice

let key = PrivateKey::from_pem(include_bytes!("private_key.pem"))?;

// From a string

let pem_string = std::fs::read_to_string("private_key.pem")?;

let key = PrivateKey::from_pem(pem_string.as_bytes())?;

```

### From File (Async)

With the `rt-tokio` feature enabled, you can load keys directly from files:

```rust,ignore

use aws_sdk_cloudfront_url_signer::PrivateKey;

let key = PrivateKey::from_pem_file("private_key.pem").await?;

```

### Supported Key Formats

| Format | Header | Key Type |

|--------|--------|----------|

| PKCS#1 | `-----BEGIN RSA PRIVATE KEY-----` | RSA only |

| PKCS#8 | `-----BEGIN PRIVATE KEY-----` | RSA or ECDSA P-256 |

Both RSA and ECDSA keys use SHA-1 signatures (required by CloudFront).

## Policy Types

### Canned Policy

A canned policy is automatically used when you only specify an expiration time. It's simpler and produces shorter URLs:

```rust,ignore

let request = SigningRequest::builder()

    .resource_url("https://example.cloudfront.net/file.pdf")

    .key_pair_id("APKAEXAMPLE")

    .private_key(key)

    .expires_at(DateTime::from_secs(1767290400))

    .build()?;

```

### Custom Policy

A custom policy is used when you specify any of:

- `resource_pattern()` - Wildcard pattern for the policy (different from the signed URL)

- `active_at()` - URL becomes valid at this time (not-before)

- `ip_range()` - Restrict access to an IPv4 CIDR range

```rust,ignore

let request = SigningRequest::builder()

    .resource_url("https://example.cloudfront.net/premium/video.mp4")

    .key_pair_id("APKAEXAMPLE")

    .private_key(key)

    .expires_at(DateTime::from_secs(1767290400))

    .active_at(DateTime::from_secs(1767200000))  // Triggers custom policy

    .ip_range("10.0.0.0/8")                      // Also triggers custom policy

    .build()?;

```

## Wildcard Patterns

Custom policies support wildcards in the resource pattern. Use `resource_pattern()` to specify

a wildcard pattern that grants access to multiple resources, while `resource_url()` specifies

the actual URL being signed:

- `*` matches zero or more characters

- `?` matches exactly one character

```rust,ignore

// Sign a specific URL but grant access to all files under /videos/

let request = SigningRequest::builder()

    .resource_url("https://d111111abcdef8.cloudfront.net/videos/intro.mp4")

    .resource_pattern("https://d111111abcdef8.cloudfront.net/videos/*")

    .key_pair_id("APKAEXAMPLE")

    .private_key(key)

    .expires_at(DateTime::from_secs(1767290400))

    .build()?;

// The signed URL points to intro.mp4, but the policy grants access to all /videos/*

```

Common wildcard patterns:

- `https://example.cloudfront.net/videos/*` - All files under /videos/

- `https://example.cloudfront.net/*.mp4` - All .mp4 files

- `https://example.cloudfront.net/video-?.mp4` - video-1.mp4, video-2.mp4, etc.

- `*` - All resources (use with caution)

## Using Signed URLs with HTTP Clients

The `SignedUrl` type provides multiple ways to access the signed URL for use with HTTP clients:

```rust,ignore

let signed_url = sign_url(request)?;

// As a string slice

let url_str: &str = signed_url.as_str();

// As a parsed url::Url

let url: &url::Url = signed_url.as_url();

// Convert to owned url::Url

let url: url::Url = signed_url.into_url();

// Use with reqwest (reqwest re-exports url::Url)

let response = reqwest::get(signed_url.as_url()).await?;

// Display trait

println!("Signed URL: {}", signed_url);

```

### HTTP 1.x Integration

With the `http-1x` feature enabled, you can convert signed URLs directly to `http::Request`:

```rust,ignore

use http::Request;

let signed_url = sign_url(request)?;

// Convert to http::Request

let http_request: Request<()> = signed_url.try_into()?;

// Or from a reference

let http_request: Request<()> = (&signed_url).try_into()?;

```

This is useful when working with HTTP clients that use the `http` crate types.

## Error Handling

All operations return `Result<T, SigningError>`:

```rust,ignore

use aws_sdk_cloudfront_url_signer::{sign_url, SigningRequest, PrivateKey, error::SigningError};

let result = sign_url(request);

match result {

    Ok(signed_url) => println!("Success: {}", signed_url),

    Err(e) => {

        eprintln!("Signing failed: {}", e);

        if let Some(source) = e.source() {

            eprintln!("Caused by: {}", source);

        }

    }

}

```

Common error scenarios:

- Invalid private key format

- Missing required fields (resource_url, key_pair_id, private_key, expiration)

- Cryptographic signing failures

## URLs with Existing Query Parameters

The library correctly handles URLs that already have query parameters:

```rust,ignore

let request = SigningRequest::builder()

    .resource_url("https://d111111abcdef8.cloudfront.net/video.mp4?quality=hd")

    .key_pair_id("APKAEXAMPLE")

    .private_key(key)

    .expires_at(DateTime::from_secs(1767290400))

    .build()?;

let signed_url = sign_url(request)?;

// Result: https://...?quality=hd&Expires=...&Signature=...&Key-Pair-Id=...

```

<!-- anchor_start:footer -->

This crate is part of the [AWS SDK for Rust](https://awslabs.github.io/aws-sdk-rust/) and the [smithy-rs](https://github.com/smithy-lang/smithy-rs) code generator.

<!-- anchor_end:footer -->

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

use std::borrow::Cow;

use std::error::Error as StdError;

use std::fmt;

#[derive(Debug)]

pub(crate) enum ErrorKind {

    InvalidKey,

    InvalidPolicy,

    InvalidInput,

    SigningFailure,

}

/// Error type for CloudFront signing operations

#[derive(Debug)]

pub struct SigningError {

    kind: ErrorKind,

    source: Option<Box<dyn StdError + Send + Sync>>,

    message: Option<Cow<'static, str>>,

}

impl SigningError {

    pub(crate) fn new(

        kind: ErrorKind,

        source: Option<Box<dyn StdError + Send + Sync>>,

        message: Option<Cow<'static, str>>,

    ) -> Self {

        Self {

            kind,

            source,

            message,

        }

    }

    pub(crate) fn invalid_key(source: impl Into<Box<dyn StdError + Send + Sync>>) -> Self {

        Self::new(ErrorKind::InvalidKey, Some(source.into()), None)

    }

    pub(crate) fn invalid_policy(message: impl Into<Cow<'static, str>>) -> Self {

        Self::new(ErrorKind::InvalidPolicy, None, Some(message.into()))

    }

    pub(crate) fn invalid_input(message: impl Into<Cow<'static, str>>) -> Self {

        Self::new(ErrorKind::InvalidInput, None, Some(message.into()))

    }

    pub(crate) fn signing_failure(source: impl Into<Box<dyn StdError + Send + Sync>>) -> Self {

        Self::new(ErrorKind::SigningFailure, Some(source.into()), None)

    }

}

impl fmt::Display for SigningError {

    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {

        match self.kind {

            ErrorKind::InvalidKey => write!(f, "invalid private key"),

            ErrorKind::InvalidPolicy => {

                write!(f, "invalid policy")?;

                if let Some(ref msg) = self.message {

                    write!(f, ": {msg}")?;

                }

                Ok(())

            }

            ErrorKind::InvalidInput => {

                write!(f, "invalid input")?;

                if let Some(ref msg) = self.message {

                    write!(f, ": {msg}")?;

                }

                Ok(())

            }

            ErrorKind::SigningFailure => write!(f, "signing operation failed"),

        }

    }

}

impl StdError for SigningError {

    fn source(&self) -> Option<&(dyn StdError + 'static)> {

        self.source.as_ref().map(|e| e.as_ref() as _)

    }

}

impl From<ErrorKind> for SigningError {

    fn from(kind: ErrorKind) -> Self {

        Self::new(kind, None, None)

    }

}

#[cfg(test)]

mod tests {

    use super::*;

    #[test]

    fn test_invalid_key_display() {

        let err = SigningError::invalid_key("test error");

        assert_eq!(err.to_string(), "invalid private key");

        assert!(err.source().is_some());

    }

    #[test]

    fn test_invalid_policy_display() {

        let err = SigningError::invalid_policy("missing expires_at");

        assert_eq!(err.to_string(), "invalid policy: missing expires_at");

        assert!(err.source().is_none());

    }

    #[test]

    fn test_invalid_input_display() {

        let err = SigningError::invalid_input("empty URL");

        assert_eq!(err.to_string(), "invalid input: empty URL");

        assert!(err.source().is_none());

    }

    #[test]

    fn test_signing_failure_display() {

        let err = SigningError::signing_failure("RSA error");

        assert_eq!(err.to_string(), "signing operation failed");

        assert!(err.source().is_some());

    }

}

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

use crate::error::SigningError;

use rsa::pkcs1::DecodeRsaPrivateKey;

use rsa::RsaPrivateKey;

use sha1::{Digest, Sha1};

use p256::ecdsa::signature::SignatureEncoding;

#[cfg(feature = "rt-tokio")]

use std::path::Path;

/// Private key for signing CloudFront URLs and cookies.

#[derive(Debug, Clone)]

pub enum PrivateKey {

    /// RSA private key.

    Rsa(Box<RsaPrivateKey>),

    /// ECDSA P-256 private key.

    Ecdsa(p256::ecdsa::SigningKey),

}

impl PrivateKey {

    /// Loads a private key from PEM-encoded bytes.

    ///

    /// Supports RSA keys in PKCS#1 or PKCS#8 format, and ECDSA P-256 keys in PKCS#8 format.

    pub fn from_pem(bytes: &[u8]) -> Result<Self, SigningError> {

        let pem_str = std::str::from_utf8(bytes).map_err(SigningError::invalid_key)?;

        // Detect key type from PEM header

        if pem_str.contains("BEGIN RSA PRIVATE KEY") {

            // PKCS#1 RSA format

            let key = RsaPrivateKey::from_pkcs1_pem(pem_str).map_err(SigningError::invalid_key)?;

            return Ok(PrivateKey::Rsa(Box::new(key)));

        }

        if pem_str.contains("BEGIN PRIVATE KEY") {

            // PKCS#8 format - could be RSA or ECDSA

            // Try ECDSA first (P-256)

            if let Ok(key) = p256::ecdsa::SigningKey::from_pkcs8_pem(pem_str) {

                return Ok(PrivateKey::Ecdsa(key));

            }

            // Try RSA

            use p256::pkcs8::DecodePrivateKey;

            let key = RsaPrivateKey::from_pkcs8_pem(pem_str).map_err(SigningError::invalid_key)?;

            return Ok(PrivateKey::Rsa(Box::new(key)));

        }

        Err(SigningError::invalid_key(

            "Unsupported key format. Expected RSA (PKCS#1 or PKCS#8) or ECDSA P-256 (PKCS#8)",

        ))

    }

    /// Loads a private key from a PEM file asynchronously.

    ///

    /// Requires the `rt-tokio` feature.

    #[cfg(feature = "rt-tokio")]

    #[cfg_attr(docsrs, doc(cfg(feature = "rt-tokio")))]

    pub async fn from_pem_file(path: impl AsRef<Path>) -> Result<Self, SigningError> {

        let bytes = tokio::fs::read(path.as_ref())

            .await

            .map_err(SigningError::invalid_key)?;

        Self::from_pem(&bytes)

    }

    pub(crate) fn sign(&self, message: &[u8]) -> Result<Vec<u8>, SigningError> {

        match self {

            PrivateKey::Rsa(key) => {

                let mut hasher = Sha1::new();

                hasher.update(message);

                let digest = hasher.finalize();

                let signature = key

                    .sign(rsa::Pkcs1v15Sign::new::<Sha1>(), &digest)

                    .map_err(SigningError::signing_failure)?;

                Ok(signature)

            }

            PrivateKey::Ecdsa(key) => {

                use p256::ecdsa::signature::DigestSigner;

                // CloudFront uses SHA1 for all signature types

                let mut hasher = Sha1::new();

                hasher.update(message);

                let (signature, _recovery_id): (p256::ecdsa::Signature, _) = key

                    .try_sign_digest(hasher)

                    .map_err(SigningError::signing_failure)?;

                // CloudFront expects DER-encoded signatures

                Ok(signature.to_der().to_vec())

            }

        }

    }

}

#[cfg(test)]

mod tests {

    use super::*;

    const TEST_RSA_KEY_PEM: &[u8] = b"-----BEGIN RSA PRIVATE KEY-----

MIIBPAIBAAJBANW8WjQksUoX/7nwOfRDNt1XQpLCueHoXSt91MASMOSAqpbzZvXO

g2hW2gCFUIFUPCByMXPoeRe6iUZ5JtjepssCAwEAAQJBALR7ybwQY/lKTLKJrZab

D4BXCCt/7ZFbMxnftsC+W7UHef4S4qFW8oOOLeYfmyGZK1h44rXf2AIp4PndKUID

1zECIQD1suunYw5U22Pa0+2dFThp1VMXdVbPuf/5k3HT2/hSeQIhAN6yX0aT/N6G

gb1XlBKw6GQvhcM0fXmP+bVXV+RtzFJjAiAP+2Z2yeu5u1egeV6gdCvqPnUcNobC

FmA/NMcXt9xMSQIhALEMMJEFAInNeAIXSYKeoPNdkMPDzGnD3CueuCLEZCevAiEA

j+KnJ7pJkTvOzFwE8RfNLli9jf6/OhyYaLL4et7Ng5k=

-----END RSA PRIVATE KEY-----";

    const TEST_ECDSA_KEY_PEM: &[u8] = b"-----BEGIN PRIVATE KEY-----

MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg4//aTM1/HqiVWagy

01cAx3EaegJ0Y5KLRoTtub8T8EWhRANCAARV/wa477wYpyWB5LCrCdS5M9bEAvD+

VORtjoydSpheKlsa+gE4PcFG88G2gE1Lilb8f6wEq/Lz+5kFa2S8gZmb

-----END PRIVATE KEY-----";

    #[test]

    fn test_from_pem_invalid() {

        let result = PrivateKey::from_pem(b"invalid pem data");

        assert!(result.is_err());

    }

    #[test]

    fn test_rsa_key_parsing() {

        let key = PrivateKey::from_pem(TEST_RSA_KEY_PEM).expect("valid RSA key");

        assert!(matches!(key, PrivateKey::Rsa(_)));

    }

    #[test]

    fn test_ecdsa_key_parsing() {

        let key = PrivateKey::from_pem(TEST_ECDSA_KEY_PEM).expect("valid ECDSA key");

        assert!(matches!(key, PrivateKey::Ecdsa(_)));

    }

    #[test]

    fn test_rsa_sign() {

        let key = PrivateKey::from_pem(TEST_RSA_KEY_PEM).expect("valid test key");

        let message = b"test message";

        let signature = key.sign(message).expect("signing should succeed");

        assert!(!signature.is_empty());

    }

    #[test]

    fn test_ecdsa_sign() {

        let key = PrivateKey::from_pem(TEST_ECDSA_KEY_PEM).expect("valid test key");

        let message = b"test message";

        let signature = key.sign(message).expect("signing should succeed");

        assert!(!signature.is_empty());

    }

}

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

/* Automatically managed default lints */

#![cfg_attr(docsrs, feature(doc_cfg))]

/* End of automatically managed default lints */

#![doc = include_str!("../README.md")]

#![warn(

    missing_docs,

    rustdoc::missing_crate_level_docs,

    missing_debug_implementations,

    rust_2018_idioms,

    unreachable_pub

)]

/// Error types for CloudFront signing operations.

pub mod error;

mod key;

mod policy;

mod sign;

pub use key::PrivateKey;

pub use sign::{SignedCookies, SignedUrl, SigningRequest, SigningRequestBuilder};

/// Sign a CloudFront URL with canned or custom policy

pub fn sign_url(request: SigningRequest) -> Result<SignedUrl, error::SigningError> {

    request.sign_url()

}

/// Generate signed cookies with canned or custom policy

pub fn sign_cookies(request: SigningRequest) -> Result<SignedCookies, error::SigningError> {

    request.sign_cookies()

}

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

use crate::error::SigningError;

use aws_smithy_types::{DateTime, Number};

#[derive(Debug, Clone)]

pub(crate) struct Policy {

    resource: String,

    date_less_than: DateTime,

    date_greater_than: Option<DateTime>,

    ip_address: Option<String>,

}

impl Policy {

    pub(crate) fn builder() -> PolicyBuilder {

        PolicyBuilder::default()

    }

    pub(crate) fn to_json(&self) -> String {

        let mut out = String::new();

        let mut root = aws_smithy_json::serialize::JsonObjectWriter::new(&mut out);

        let mut statement_array = root.key("Statement").start_array();

        let mut statement = statement_array.value().start_object();

        statement.key("Resource").string(&self.resource);

        let mut condition = statement.key("Condition").start_object();

        let mut date_less = condition.key("DateLessThan").start_object();

        date_less

            .key("AWS:EpochTime")

            .number(Number::PosInt(self.date_less_than.secs() as u64));

        date_less.finish();

        if let Some(starts) = self.date_greater_than {

            let mut date_greater = condition.key("DateGreaterThan").start_object();

            date_greater

                .key("AWS:EpochTime")

                .number(Number::PosInt(starts.secs() as u64));

            date_greater.finish();

        }

        if let Some(ref ip) = self.ip_address {

            let mut ip_addr = condition.key("IpAddress").start_object();

            ip_addr.key("AWS:SourceIp").string(ip);

            ip_addr.finish();

        }

        condition.finish();

        statement.finish();

        statement_array.finish();

        root.finish();

        out

    }

    pub(crate) fn to_cloudfront_base64(&self) -> String {

        let json = self.to_json();

        base64_simd::STANDARD

            .encode_to_string(json.as_bytes())

            .replace('+', "-")

            .replace('=', "_")

            .replace('/', "~")

    }

}

#[derive(Default)]

pub(crate) struct PolicyBuilder {

    resource: Option<String>,

    expires_at: Option<DateTime>,

    starts_at: Option<DateTime>,

    ip_range: Option<String>,

}

impl PolicyBuilder {

    pub(crate) fn resource(mut self, url: impl Into<String>) -> Self {

        self.resource = Some(url.into());

        self

    }

    pub(crate) fn expires_at(mut self, time: DateTime) -> Self {

        self.expires_at = Some(time);

        self

    }

    pub(crate) fn starts_at(mut self, time: DateTime) -> Self {

        self.starts_at = Some(time);

        self

    }

    pub(crate) fn ip_range(mut self, cidr: impl Into<String>) -> Self {

        self.ip_range = Some(cidr.into());

        self

    }

    pub(crate) fn build(self) -> Result<Policy, SigningError> {

        let resource = self

            .resource

            .ok_or_else(|| SigningError::invalid_policy("resource is required"))?;

        let date_less_than = self

            .expires_at

            .ok_or_else(|| SigningError::invalid_policy("expires_at is required"))?;

        if let Some(starts) = self.starts_at {

            if starts.secs() >= date_less_than.secs() {

                return Err(SigningError::invalid_policy(

                    "starts_at must be before expires_at",

                ));

            }

        }

        Ok(Policy {

            resource,

            date_less_than,

            date_greater_than: self.starts_at,

            ip_address: self.ip_range,

        })

    }

}

#[cfg(test)]

mod tests {

    use super::*;

    #[test]

    fn test_canned_policy() {

        let policy = Policy::builder()

            .resource("https://d111111abcdef8.cloudfront.net/image.jpg")

            .expires_at(DateTime::from_secs(1767290400))

            .build()

            .expect("valid canned policy");

        let json = policy.to_json();

        assert!(json.contains("\"Resource\":\"https://d111111abcdef8.cloudfront.net/image.jpg\""));

        assert!(json.contains("\"AWS:EpochTime\":1767290400"));

        assert!(!json.contains("DateGreaterThan"));

        assert!(!json.contains("IpAddress"));

    }

    #[test]

    fn test_custom_policy_with_starts_at() {

        let policy = Policy::builder()

            .resource("https://d111111abcdef8.cloudfront.net/*")

            .expires_at(DateTime::from_secs(1767290400))

            .starts_at(DateTime::from_secs(1767200000))

            .build()

            .expect("valid custom policy");

        let json = policy.to_json();

        assert!(json.contains("DateGreaterThan"));

        assert!(json.contains("\"AWS:EpochTime\":1767200000"));

    }

    #[test]

    fn test_custom_policy_with_ip_range() {

        let policy = Policy::builder()

            .resource("https://d111111abcdef8.cloudfront.net/video.mp4")

            .expires_at(DateTime::from_secs(1767290400))

            .ip_range("192.0.2.0/24")

            .build()

            .expect("valid custom policy");

        let json = policy.to_json();

        assert!(json.contains("IpAddress"));

        assert!(json.contains("\"AWS:SourceIp\":\"192.0.2.0/24\""));

    }

    #[test]

    fn test_missing_resource() {

        let result = Policy::builder()

            .expires_at(DateTime::from_secs(1767290400))

            .build();

        assert!(result.is_err());

    }

    #[test]

    fn test_missing_expires_at() {

        let result = Policy::builder()

            .resource("https://example.com/file.txt")

            .build();

        assert!(result.is_err());

    }

    #[test]

    fn test_starts_at_after_expires_at() {

        let result = Policy::builder()

            .resource("https://example.com/file.txt")

            .expires_at(DateTime::from_secs(1767200000))

            .starts_at(DateTime::from_secs(1767290400))

            .build();

        assert!(result.is_err());

    }

    #[test]

    fn test_cloudfront_base64_encoding() {

        let policy = Policy::builder()

            .resource("https://example.com/test")

            .expires_at(DateTime::from_secs(1767290400))

            .build()

            .expect("valid policy");

        let encoded = policy.to_cloudfront_base64();

        // CloudFront encoding uses ~ for / and _ for =

        assert!(!encoded.contains('+'));

        assert!(!encoded.contains('/'));

        assert!(!encoded.contains('='));

    }

}