update CF URLSigner to use crypto.Signer interface (#2087)

CloudFront URLSigner uses *rsa.PrivateKey to sign the URL. If we update
the function to receive the crypto.Signer interface (already implemented
by rsa.PrivateKey) then we can use other keys to sign. For example
hardware keys.

Author: rem7

feature/cloudfront/sign/policy.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"crypto"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/sha1"
 	"encoding/base64"
 	"encoding/json"
@@ -92,7 +91,7 @@ var randReader = rand.Reader
 // The signature and policy should be added to the signed URL following the
 // guidelines in:
 // http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
-func (p *Policy) Sign(privKey *rsa.PrivateKey) (b64Signature, b64Policy []byte, err error) {
+func (p *Policy) Sign(signer crypto.Signer) (b64Signature, b64Policy []byte, err error) {
 	if err = p.Validate(); err != nil {
 		return nil, nil, err
 	}
@@ -105,7 +104,7 @@ func (p *Policy) Sign(privKey *rsa.PrivateKey) (b64Signature, b64Policy []byte,
 	awsEscapeEncoded(b64Policy)
 
 	// Build and escape the signature
-	b64Signature, err = signEncodedPolicy(randReader, jsonPolicy, privKey)
+	b64Signature, err = signEncodedPolicy(randReader, jsonPolicy, signer)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -199,13 +198,13 @@ func encodePolicy(p *Policy) (b64Policy, jsonPolicy []byte, err error) {
 }
 
 // signEncodedPolicy will sign and base 64 encode the JSON encoded policy.
-func signEncodedPolicy(randReader io.Reader, jsonPolicy []byte, privKey *rsa.PrivateKey) ([]byte, error) {
+func signEncodedPolicy(randReader io.Reader, jsonPolicy []byte, signer crypto.Signer) ([]byte, error) {
 	hash := sha1.New()
 	if _, err := bytes.NewReader(jsonPolicy).WriteTo(hash); err != nil {
 		return nil, fmt.Errorf("failed to calculate signing hash, %s", err.Error())
 	}
 
-	sig, err := rsa.SignPKCS1v15(randReader, privKey, crypto.SHA1, hash.Sum(nil))
+	sig, err := signer.Sign(randReader, hash.Sum(nil), crypto.SHA1)
 	if err != nil {
 		return nil, fmt.Errorf("failed to sign policy, %s", err.Error())
 	}

feature/cloudfront/sign/sign_url.go

@@ -18,7 +18,7 @@
 package sign
 
 import (
-	"crypto/rsa"
+	"crypto"
 	"fmt"
 	"net/url"
 	"strings"
@@ -31,16 +31,16 @@ import (
 //
 // The signer is safe to use concurrently.
 type URLSigner struct {
-	keyID   string
-	privKey *rsa.PrivateKey
+	keyID  string
+	signer crypto.Signer
 }
 
 // NewURLSigner constructs and returns a new URLSigner to be used to for signing
 // Amazon CloudFront URL resources with.
-func NewURLSigner(keyID string, privKey *rsa.PrivateKey) *URLSigner {
+func NewURLSigner(keyID string, signer crypto.Signer) *URLSigner {
 	return &URLSigner{
-		keyID:   keyID,
-		privKey: privKey,
+		keyID:  keyID,
+		signer: signer,
 	}
 }
 
@@ -70,7 +70,7 @@ func (s URLSigner) Sign(url string, expires time.Time) (string, error) {
 		return "", err
 	}
 
-	return signURL(scheme, cleanedURL, s.keyID, NewCannedPolicy(resource, expires), false, s.privKey)
+	return signURL(scheme, cleanedURL, s.keyID, NewCannedPolicy(resource, expires), false, s.signer)
 }
 
 // SignWithPolicy will sign a URL with the Policy provided.  The URL will be
@@ -114,16 +114,16 @@ func (s URLSigner) SignWithPolicy(url string, p *Policy) (string, error) {
 		return "", err
 	}
 
-	return signURL(scheme, cleanedURL, s.keyID, p, true, s.privKey)
+	return signURL(scheme, cleanedURL, s.keyID, p, true, s.signer)
 }
 
-func signURL(scheme, url, keyID string, p *Policy, customPolicy bool, privKey *rsa.PrivateKey) (string, error) {
+func signURL(scheme, url, keyID string, p *Policy, customPolicy bool, signer crypto.Signer) (string, error) {
 	// Validation URL elements
 	if err := validateURL(url); err != nil {
 		return "", err
 	}
 
-	b64Signature, b64Policy, err := p.Sign(privKey)
+	b64Signature, b64Policy, err := p.Sign(signer)
 	if err != nil {
 		return "", err
 	}