fix(cloudfront-signer): accept passphrase when signing (#4232)

Author: unchaptered

packages/cloudfront-signer/src/sign.spec.ts

@@ -41,6 +41,7 @@ fC3JsQKBgANzZbf9D0lgQE1wsb45fzrAPAqRQHeVY7V8sZPQoJFcZ2Ymp/3L/UHc
 NwfPmGXHQDQaK9I3XpHfbyOelD6ghHi/wZj0sKR3Uoo84n8sIpCdUvwitjlHlZBE
 aoCHJ9c5Pnu6FwMAjP8aaKLQDvoHZKVWL2Ml6A6V3Ed95Itp/g2J
 -----END RSA PRIVATE KEY-----`);
+const passphrase = "SAMPLE";
 
 function createSignature(data: string): string {
   const signer = createSign("RSA-SHA1");
@@ -71,6 +72,7 @@ describe("getSignedUrl", () => {
         keyPairId,
         dateLessThan,
         privateKey,
+        passphrase,
       })
     );
     if (!result.query) {
@@ -86,6 +88,7 @@ describe("getSignedUrl", () => {
         keyPairId,
         dateLessThan,
         privateKey,
+        passphrase,
       })
     );
     if (!result.query) {
@@ -113,6 +116,7 @@ describe("getSignedUrl", () => {
       keyPairId,
       dateLessThan,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -140,6 +144,7 @@ describe("getSignedUrl", () => {
       dateLessThan,
       dateGreaterThan,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -170,6 +175,7 @@ describe("getSignedUrl", () => {
       dateLessThan,
       ipAddress,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -201,6 +207,7 @@ describe("getSignedUrl", () => {
       dateGreaterThan,
       ipAddress,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -233,6 +240,7 @@ describe("getSignedUrl", () => {
       keyPairId,
       dateLessThan,
       privateKey,
+      passphrase,
     };
     expect(
       getSignedUrl({
@@ -253,6 +261,7 @@ describe("getSignedUrl", () => {
       keyPairId,
       dateLessThan,
       privateKey,
+      passphrase,
     };
     expect(() =>
       getSignedUrl({
@@ -298,6 +307,7 @@ describe("getSignedUrl", () => {
       keyPairId,
       dateLessThan,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -324,6 +334,7 @@ describe("getSignedUrl", () => {
       keyPairId,
       privateKey,
       policy,
+      passphrase,
     });
     const signature = createSignature(policy);
     expect(result).toBe(`${url}?Policy=${encodeToBase64(policy)}&Key-Pair-Id=${keyPairId}&Signature=${signature}`);
@@ -339,6 +350,7 @@ describe("getSignedCookies", () => {
       keyPairId,
       dateLessThan,
       privateKey,
+      passphrase,
     };
     expect(
       getSignedCookies({
@@ -359,6 +371,7 @@ describe("getSignedCookies", () => {
       keyPairId,
       dateLessThan,
       privateKey,
+      passphrase,
     };
     expect(() =>
       getSignedCookies({
@@ -404,6 +417,7 @@ describe("getSignedCookies", () => {
       keyPairId,
       dateLessThan,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -425,6 +439,7 @@ describe("getSignedCookies", () => {
       keyPairId,
       dateLessThan,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -456,6 +471,7 @@ describe("getSignedCookies", () => {
       dateLessThan,
       dateGreaterThan,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -490,6 +506,7 @@ describe("getSignedCookies", () => {
       dateLessThan,
       ipAddress,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -525,6 +542,7 @@ describe("getSignedCookies", () => {
       dateGreaterThan,
       ipAddress,
       privateKey,
+      passphrase,
     });
     const policyStr = JSON.stringify({
       Statement: [
@@ -562,6 +580,7 @@ describe("getSignedCookies", () => {
       keyPairId,
       privateKey,
       policy,
+      passphrase,
     });
     const signature = createSignature(policy);
     const expected = {

packages/cloudfront-signer/src/sign.ts

@@ -11,6 +11,8 @@ export interface CloudfrontSignInputBase {
   keyPairId: string;
   /** The content of the Cloudfront private key. */
   privateKey: string | Buffer;
+  /** The passphrase of RSA-SHA1 key*/
+  passphrase?: string;
   /** The date string for when the signed URL or cookie can no longer be accessed. */
   dateLessThan?: string;
   /** The IP address string to restrict signed URL access to. */
@@ -66,6 +68,7 @@ export function getSignedUrl({
   privateKey,
   ipAddress,
   policy,
+  passphrase,
 }: CloudfrontSignInput): string {
   const parsedUrl = parseUrl(url);
   const queryParams: string[] = [];
@@ -75,6 +78,7 @@ export function getSignedUrl({
   const cloudfrontSignBuilder = new CloudfrontSignBuilder({
     keyPairId,
     privateKey,
+    passphrase,
   });
   if (policy) {
     cloudfrontSignBuilder.setCustomPolicy(policy);
@@ -115,10 +119,12 @@ export function getSignedCookies({
   dateLessThan,
   dateGreaterThan,
   policy,
+  passphrase,
 }: CloudfrontSignInput): CloudfrontSignedCookiesOutput {
   const cloudfrontSignBuilder = new CloudfrontSignBuilder({
     keyPairId,
     privateKey,
+    passphrase,
   });
   if (policy) {
     cloudfrontSignBuilder.setCustomPolicy(policy);
@@ -207,14 +213,24 @@ class CloudfrontURLParser {
 class CloudfrontSignBuilder {
   private keyPairId: string;
   private privateKey: string | Buffer;
+  private passphrase?: string;
   private policy: string;
   private customPolicy = false;
   private dateLessThan?: number | undefined;
   private urlParser = new CloudfrontURLParser();
-  constructor({ privateKey, keyPairId }: { keyPairId: string; privateKey: string | Buffer }) {
+  constructor({
+    privateKey,
+    keyPairId,
+    passphrase,
+  }: {
+    keyPairId: string;
+    privateKey: string | Buffer;
+    passphrase?: string;
+  }) {
     this.keyPairId = keyPairId;
     this.privateKey = privateKey;
     this.policy = "";
+    this.passphrase = passphrase;
   }
 
   private buildPolicy(args: BuildPolicyInput): Policy {
@@ -327,14 +343,14 @@ class CloudfrontSignBuilder {
     };
   }
 
-  private signData(data: string, privateKey: string | Buffer): string {
+  private signData(data: string, privateKey: string | Buffer, passphrase?: string): string {
     const sign = createSign("RSA-SHA1");
     sign.update(data);
-    return sign.sign(privateKey, "base64");
+    return sign.sign({ key: privateKey, passphrase }, "base64");
   }
 
-  private signPolicy(policy: string, privateKey: string | Buffer): string {
-    return this.normalizeBase64(this.signData(policy, privateKey));
+  private signPolicy(policy: string, privateKey: string | Buffer, passphrase?: string): string {
+    return this.normalizeBase64(this.signData(policy, privateKey, passphrase));
   }
 
   setCustomPolicy(policy: string) {
@@ -374,7 +390,7 @@ class CloudfrontSignBuilder {
     if (!Boolean(this.policy)) {
       throw new Error("Invalid policy");
     }
-    const signature = this.signPolicy(this.policy, this.privateKey);
+    const signature = this.signPolicy(this.policy, this.privateKey, this.passphrase);
     return {
       Expires: this.customPolicy ? undefined : this.dateLessThan,
       Policy: this.customPolicy ? this.encodeToBase64(this.policy) : undefined,